why-2.34/0000755000175000017500000000000012311670312010615 5ustar rtuserswhy-2.34/LICENSE0000644000175000017500000006342312311670312011632 0ustar rtusersThis software is distributed under the terms of the GNU Library General Public License version 2 (included below). As a special exception to the GNU Library General Public License, you may link, statically or dynamically, a "work that uses the Library" with a publicly distributed version of the Library to produce an executable file containing portions of the Library, and distribute that executable file under terms of your choice, without any of the additional requirements listed in clause 6 of the GNU Library General Public License. By "a publicly distributed version of the Library", we mean either the unmodified Library as distributed, or a modified version of the Library that is distributed under the conditions defined in clause 3 of the GNU Library General Public License. This exception does not however invalidate any other reasons why the executable file might be covered by the GNU Library General Public License. ====================================================================== GNU LIBRARY GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1991 Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.] Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link a program with the library, you must provide complete object files to the recipients so that they can relink them with the library, after making changes to the library and recompiling it. And you must show them these terms so they know their rights. Our method of protecting your rights has two steps: (1) copyright the library, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the library. Also, for each distributor's protection, we want to make certain that everyone understands that there is no warranty for this free library. If the library is modified by someone else and passed on, we want its recipients to know that what they have is not the original version, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that companies distributing free software will individually obtain patent licenses, thus in effect transforming the program into proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license. The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such. Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better. However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves. This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library. Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one. GNU LIBRARY GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. As an exception to the Sections above, you may also compile or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Library General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Appendix: How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. , 1 April 1990 Ty Coon, President of Vice That's all there is to it! why-2.34/CHANGES0000644000175000017500000010157312311670312011617 0ustar rtusersversion 2.34, March 16, 2014 ========================== o [Jessie/Frama-C plugin] Compatible with release Neon of Frama-C o [Jessie] Fixed some issues with labels (partly contributed by Mikhail Mandrykin) o [Jessie] Fixed various issues with Why3 output (contributed by Mikhail Mandrykin) o [Krakatoa] Fixed a bug in the order of logic definitions o [Jessie] Synchronized with Why3 0.83, to benefit from all Why3 recent improvements, in particular regarding efficiency, both in term of execution time and memory comsumption. version 2.33, April 20, 2013 ========================== o [Jessie/Frama-C plugin] Compatible with release Fluorine of Frama-C version 2.32, Mar 27, 2013 ========================== o [Jessie/Why3ML output] Compatible with release 0.81 of Why3 o [Jessie/Frama-C plugin] support for "allocates" clause in contracts o [Jessie/Frama-C plugin] support for built-in construct \fresh o [Jessie/Frama-C plugin] support for ACSL model fields o [Jessie memory model] added an axiom for sub_pointer o [Jessie memory model] fixed bug in Why3 version (free_parameter) see Frama-C BTS 1251 o [Jessie/Frama-C plugin] added new -jessie-atp=why3replay to replay Why3 proofs o [Jessie] fixed Frama-C BTS 1265 version 2.31, Jul 19, 2011 ========================== o [Jessie/Why3ML output] Compatible with release 0.73 of Why3 o [Jessie/Why3ML output] Fixed bug with translation of the if expression, which expect a prop in Why3, instead of a term o [Jessie and Krakatoa] support for "allocates" clause in contracts o [Jessie and Krakatoa] support for built-in construct \fresh o [Jessie/Why3ML output] avoid Why3 keywords, fixed Frama-C BTS 1004 o new option -extra-switch for why-dp (pass additional option to prover) version 2.30, Oct 24, 2011 ========================= o [Jessie and Krakatoa] manuals have been extensively updated to adopt the Why3 back-ends o [Jessie/Frama-C plugin] the default back-end is now to call Why3 VC generator, and then the Why3 IDE. The former behavior can be obtained using option -jessie-atp=gui o [Krakatoa] new option -gen-only whichs stops after generation of jessie file. The default is now to start jessie and then Why3 IDE. the old usage "gwhy file.java" continues to use the Why2 backend. o [Krakatoa/Jessie/Frama-C plugin] fixed traceability issues o [Krakatoa/Jessie/Frama-C plugin] new backend using Why3 VC generator o [Jessie] add extensionality axiom to integer range type. allows to prove valid properties that were unprovable before. o [Caduceus] support discontinued, not distributed anymore o [Why3 output] support for syntax changes of Why3 0.70 o [Why3 output] better explanations o [Why] fix encoding to multi-sorted logic with finite type o [Why] option -default-locs o [Why] added support for Vampire (based on simplify output) o [Why] option --delete-old-vcs erases previous files when using --multi-why or --multi-altergo o [Why] option --multi-altergo outputs VCs in separate files, like --multi-why but in Alt-Ergo's syntax instead of the general Why's syntax (e.g. algebraic types are encoded for Alt-Ergo) o [Jessie] fixed bug with region analysis, case of pointer comparison in annotations. fixes Frama-C BTS 0814 o [Krakatoa] fixed a problem with scope of labels o [Krakatoa] fixed support for string constants o [Jessie] order of lemmas now kept the same as in the input. Fixes Frama-C BTS 0024 o [Why lib] completed axiomatization of floats version 2.29, Mar 1, 2011 ========================= o [Krakatoa] Documentation: many errors fixed o [Jessie] plugin synchronized with Frama-C Carbon stable o [Why] fixed typing for division in programs o [Why] accepts "lemma" has keyword in input. outputs them accordingly for provers o [Why] Why3 output: avoids Why3 keywords o [Why] improved Gappa output version 2.28, Dec 17, 2010 ========================== o [Why] support for Coq 8.3 o [Why] support for Alt-Ergo 0.92.2 o [Coq output] removed dependencies on Float and Gappa libraries, added dependency on Flocq library o [Jessie] emit a warning when generating a dummy variant for recursive functions and loops (Frama-C bug 512) o [Jessie] preliminary support for \at in region computation o [Why] added --smtlib-v1 option (default smtlib format is v2.0) o [Why] added support for verit prover o [Why] improved support for integer division (better triggers) version 2.27, Oct 14, 2010 ========================== o [Why] fixed compilation with Ocaml 3.12 o [Why] support for Alt-Ergo 0.92.1 o [Why] fixed compilation with Ocaml 3.12 o [Why] emacs mode distributed and installed o [Why] fixed bug 10851: wrong Coq output for if then else o [Why] distinction between computer division and math division Fixes Frama-C BTS 0539 o [Why] added support for Why3 output syntax o [Jessie] improved translation of successive assignments on the same memory block. As a side effect, translation of array initializers from C is much better for provers. Fixes Frama-C BTS0377 feature request o [Jessie] disabled the experimental support for unions and pointer casts, since it is too buggy for public release o [Jessie] fixed bug with division by zero in expressions evaluated at compile-time (fixes Frama-C BTS0473) o [Krakatoa] error message when a comment starts with /*(extra space)@ o [WhyConfig] bug fix when detecting a prover which was removed version 2.26, May 10, 2010 ========================== o [Why] fixed detection of Alt-Ergo o [GWhy] fixed some assert failure raised when .gwhyrc is absent o [Why] fixed mistakes with files extensions, which were introduced by the former fix for GWhy temporary files version 2.24, April 19, 2010 ============================ o [Frama-C plugin] synchronized with Frama-C Boron 20100412 o [Gwhy] better handling of temporary files o [Jessie] fixed bug 0443 (assigns \nothing and separation analysis) o [Jessie] fixed bug with assertions attached to behaviors o [Why] support for truncate_real_to_int in Gappa output o [Frama-C plugin] logic functions do not accept struct or union as parameters o [Jessie, Frama-C plugin] make the right difference between "reads \nothing" and no reads clause at all o [Jessie, Frama-C plugin] the "defensive" model for floating-point computations is now the default o [Jessie] fixed bug 0370: missing coercion on decreasing measures o [Jessie] support for "let x = t in a" when a is an assertion o [Frama-C plugin] support for statement contracts, fixes bug 0399 o [Jessie] fixed bugs 0391 and 0401 (avoid name clash with axiom names and inductive case names) o [Jessie/Krakatoa/Frama-C plugin] fixed bug with labels inside \old and \at. Moreover, label Pre is now allowed in function contracts, as specified in ACSL. o [Why] improved detection of external provers o [Frama-C plugin] option "-jessie-adhoc-normalization" triggers a code normalization suited for jessie without launching the analysis (fixes bts 332) o [Why] option "-output -" outputs the generated files (.why, .smt, .mlw) on stdout o [Why-dp] with the option "-simple" output only one line by goal o [Why-dp] option "-timeout 0" disables the time limit. o [Why-dp] option "-prover" allows to select the prover to use independently from the extension o [Why-dp] reads the file to send to the prover from stdin if no files are provided. In that case the option "-prover" is mandatory. o [Jessie] interpretation of floating-point parameters does not forget anymore the format of origin, which then provides proper bounds for them. o [Frama-C plugin] bts 0361 fixed: free allows NULL as argument o [PVS output] fixed problems with idents starting with underscore o [Krakatoa & Frama-C plugin] new pragma TerminationPolicy to allow the user to prevent generation of VCs for termination version 2.23, December 4, 2009 ============================== o [Why] fixed bug with let construct in logic o [Simplify output] fixed bug with function definitions o [GWhy] VC explanation when using --fast-wp option version 2.22, November 30, 2009 =============================== o [Jessie] fixed bug when return type is a logic type o [Krakatoa] fixed bug with final fields o [Frama-C plugin] fixed bug 0341 o [Frama-C plugin] fixed bug 0034 o [GWhy] Fixed pb default prover selection (BTS Frama-C 0037) o [Jessie] fixed problem with axiomatization of address operator o [Jessie/Krakatoa/Frama-C plugin] support for the 'for' modifier in decreases clauses and loop variants o [Alt-Ergo output] avoid empty list of arguments o [GWhy] added alternative "boomy" icon set o [Alt-Ergo+Simplify output] well_founded() translated by false instead of true, for soundness o [Jessie/Krakatoa/Frama-C plugin] support for decreases clauses, even for mutually recursive functions o [Frama-C plugin] bug fix 0284 o [Frama-C plugin] support for "complete behaviors" and "disjoint behaviors" clauses. fixes bug 0026. o [Jessie][Frama-C] bug fix: 0103. Loops without variant are given a default unprovable variant. o [Frama-C plugin] bug fix: 0112 (partially fixes bts0039 and bts0080) o [Frama-C plugin] bug fix: 0306 o [Frama-C plugin] bugs closed: 0041, 0063, 0073, 0094, 0102, 0199, 0273 o [Jessie] Polymorphic logic types added (use < >) version 2.21, October 15, 2009 ============================== o [GWhy] Fixed 'Not_found' exception if .whyrc absent o [Frama-C plugin] Fixed installation problems. o [Frama-C plugin] predicates for finiteness of floats (\is_finite, \is_infinite, etc.) do not fail in mode JessieFloatModel(real) but give the expected truth value. o [Jessie] do not fail anymore on pointer casts over floats or reals. Fixes bug 273 of Frama-C BTS version 2.20, October 2nd, 2009 =============================== o [Jessie][Frama-C] Integration of the Jessie plugin for Frama-C Compatible with Frama-C release Beryllium 2 (20090902) o [Why][Jessie] add a new assertion check which is used like assert. It try to prove the assertion but do not use it as hypothesis. o [Why] fixed some bugs with Coq output o [GWhy] new column gappa+hypotheses selection version 2.19, June 23rd, 2009 ============================= o This version is synchronized with Frama-C Beryllium beta 1 200906xx (http://frama-c.cea.fr/) o [Jessie] support for label 'Post' in assigns clauses o [Jessie] support for loop_assigns clauses o [Why] added a let/in construct in logic (let x = term in term / let x = term in predicate) o [Krakatoa/Jessie] "reads" clauses on logic functions and predicates, which disappeared in version 2.16, have been resurected. Beware that the semantics is slightly different from Caduceus one: it has to precisely give the memory footprint of the function, and not only an under-approximation. It is use to automatically generate footprint axioms. o [GWhy] improved prover column configuration, improved config saving incompatibility warning: old .gwhyrc files will be ignored and overwritten o [Why] deprecated options -no-prelude, -no-arrays, -fp o [Why] new declaration [include "file"] in Why input language o [Why] prelude is split into smaller files: bool.why integer.why real.why o [Jessie] added several builtin functions on reals: \exp, \log, \cos, \sin, etc. o [Why] added several functions on reals in prelude: exp, log, cos, sin, etc. (see prelude.why) o [Jessie] syntax change for loops: can have behaviors with assigns clauses o [Why] fixed typing bug with polymorphic function symbols and comparisons o [GWhy] new column for Gappa prover (http://lipforge.ens-lyon.fr/www/gappa/) o [Coq output] improved output of -e when e is an integer constant o [Jessie] fix incompleteness bug with "assigns \nothing" clauses o [GWhy] columns can be added/removed interactively version 2.18, January 22th, 2009 ================================ o Jessie: bug fix related to assignment to the null pointer o Krakatoa: several bug fixes related to constructors (class invariant not anymore assumed true at entrance, object fields initialized to their default values) o Krakatoa/Jessie: support for "for" sections (associated to various behaviors) in code annotations (assert and loop invariants). See e.g tests/java/BinarySearch.java o Caduceus: fixed 'pvs' target in generated makefile o Why: min and max functions in the prelude, with appropriate axiomatization version 2.17, December 17th, 2008 ================================ o This version is synchronized with Frama-C Lithium 20081201 (http://frama-c.cea.fr/) o why-cpulimit: specific implementation for Cygwin (contributed by Dillon Pariente) o jessie: bug fix: inductive predicates and multiple labels o jessie: new support for floating-point computations o krakatoa/jessie: bug fix: axiomatic and multiple labels o New prover column in GWhy for Alt-Ergo with selection of hypotheses (see option -select of Alt-Ergo) version 2.16, October 29th, 2008 ================================ o This version is synchronized with Frama-C Lithium beta 1 (http://frama-c.cea.fr/) o GWhy: improved display of VCs o Krakatoa/Jessie: changed syntax for axiomatic definitions. 'reads' clauses are now obsolete. o Krakatoa/Jessie: support for inductive definitions o Why: Improved support for inductive definitions. For automatic provers, an inversion axiom is generated. o New option -alt-ergo to output VCs in Alt-Ergo syntax. Beware that because of inductive definition, -alt-ergo is now different from -why output: inductive definitions are expansed. o License changed to GNU LGPL 2, with a special exception on linking (see enclosed file LICENSE) version 2.15, September 9th, 2008 ================================= o Why: preliminary support for inductive definitions o Krakatoa/Jessie: new syntax for axiomatic definitions o Coq support for floats requires Coq version 8.1 at least o Jessie bug fix: 'simplify' entry of the generated makefile was ignoring prelude axioms version 2.14, July 28th, 2008 ============================= o tools `dp' and `cpulimit' renamed into `why-dp' and `why-cpulimit' o krakatoa/jessie: preliminary support for statement contracts o krakatoa/jessie/why: new builtin logic symbols \int_max, \int_min, \real_max, \real_min o Zenon: fixed syntax for Zenon 0.5.0 (missing $hyp) o WP: no more duplication of VCs when operators &&, || and not are applied to pure boolean expressions; command line option -split-bool-op to revert to the old behavior o krakatoa: loop annotations: 'decreases' keyword replaced by 'loop_variant' o WP: universal quantification forall b:bool. P(b) no more turned into P(true) and P(false) when there is a possible size increasing o SMT-lib output: fixed bug with variants (when -split-user-conj not set); predicate zwf_zero added to prelude.why o SMT-lib output: fixed bug with if_then_else o krakatoa/jessie: support for ( ? : ) operator in terms and propositions o configuration: detection of Alt-ergo executable name (ergo/alt-ergo) o jessie/why: reorganization of PVS output o krakatoa/jessie: version number, and CHANGES files are now those of why o krakatoa/jessie: added support for bitwise operator on booleans o krakatoa/jessie/why/provers: better support of real numbers o CVC3: no more options +arith-new +quant-polarity -quant-new o fixed HOL4 output; contribution by Vladimir Timashov (vladimir.timashov@gmail.com) o gwhy: fixed efficiency issue with large comments o jessie: fixed coq entry in jessie-generated makefile o why typing safely fails when duplicate parameter names in logic definitions version 2.13, May 27th, 2008 ============================ o krakatoa: bug fix: method lookup in class Object o krakatoa: if possible, avoid failure in constant expression evaluation o gwhy: better support of non-ascii input characters in GWhy o fixed parsing of float constants with exponents version 2.12, May 23rd, 2008 ============================ o krakatoa: assigns clause now correctly typed in the post-state o krakatoa: array ranges in assigns clause: now correctly parse [..], [..n] and [n..] o krakatoa: support for model fields (in interfaces) o krakatoa: support for user-defined logic types o krakatoa: partial support for Strings o fixed typing bug with polymorphic logic constants/functions used in programs (resulted in bugs in -encoding sstrat) version 2.11, March 17th, 2008 ============================== o krakatoa: documentation is now is reasonable shape, although still incomplete o krakatoa: loop annotations: having an invariant but no decreases clause is allowed o krakatoa: bug fix: value axiom for logic constants o krakatoa: many improvements in generation of memory safety VCs o fixed bug with --prune-hyp version 2.10b, January 31st, 2008 ================================= o krakatoa: first release officially replacing version 0.67 o CVC3: now called with options +arith-new +quant-polarity -quant-new (requires version 1.2.1) o SMT-lib output: fixed bug with reals o gwhy: benchmark (Ctrl-B) does not verify all functions in parallel anymore version 2.10a, January 14th, 2008 ================================= o configuration: fixed detection of ocamldep when ocamldep.opt is not installed / fixed detection of local ocamlgraph version 2.10, December 20th, 2007 ================================= o the Krakatoa front-end for Java programs is now distributed with Why o dp: new option -smt-solver to set the SMT solver (Yices, Z3, CVC3) o new option --fast-wp to use quadratic WP algorithm o localization of VC wrt source code (options --locs and --explain) and visualization in gwhy o gwhy: added prover Z3 (http://research.microsoft.com/projects/z3/) o SMT-lib output: integer division (/) is now translated into an uninterpreted function symbol div_int o simplify2why: fixed bugs version 2.04, August 2nd, 2007 ============================== o gwhy: Ctrl-B successively tries all provers on all proof obligations o new option -load-file to read an input file without generating output for the prover o new prover interface Graph which iteratively allows to select more and more hypotheses and to discharge POs in Simplify o new option -prune-hyp to select relevant hypotheses in the goal o fixed Isabelle output (contribution by Yasuhiko Minamide) version 2.03, April 20th, 2007 ============================== o fixed PVS output o gwhy: added prover CVC3 (http://www.cs.nyu.edu/acsys/cvc3/) o fixed bug with polymorphic exceptions (not accepted anymore) o fixed bug in generalization test o Coq output: renaming of Coq's reserved keywords version 2.02, February 23rd, 2007 ================================= o new tool why-stat to display statistics regarding symbols used in goals o new options -why and -multi-why to get verification conditions in Why syntax (useful when computing VCs takes much time) o gwhy: font size can be changed dynamically using Ctrl-+ and Ctrl-- o WP: the invariant at loop entry does not appear anymore in the verification condition related to the invariant preservation o option -no-simplify-triggers changed to -simplify-triggers, defaulting to false, because Caduceus bench shows it is good in general, and moreover generated triggers with Krakatoa and jessie make Simplify fail o Simplify output: fixed bug with leading underscores in identifiers o compatibility with Coq development version (ring syntax has changed) o option --encoding sstrat automatically added when --smtlib or --cvcl is selected and no encoding specified o new option --exp to expand the predicate definitions o Coq output: the command "Implicit Arguments id" is automatically inserted for polymorphic symbols version 2.01, November 29th, 2006 ================================= o new predicate distinct(t1,t2,...,tn) with n terms of the same type mapped to the primitive DISTINCT in Simplify and SMTlib outputs, expanded for other provers o fixed bug in CVC Lite output (BOOLEAN now reserved for predicates; new type BOOL introduced for term booleans) o dp now displays times for searching proofs o no using anymore the external command 'timeout', but use our own command 'cpulimit' for the same purpose. Time limit is now user CPU time instead of wall clock time. o fixed bugs in smtlib output: all variables are "?" prefixed, brackets around constants are removed, validity question is turned into a sat question, Boolean sort with Boolean_false and Boolean_true constants are introduced, Unit sort is introduced o fixed bugs into the harvey (rv-fol) output (principally the command lines) o triggers added to axioms of the caduceus model version 2.00, June 12th, 2006 ============================= o quantifiers triggers can be given with the following syntax forall x,y:int [f(x),g(y) | h(x,y)]. p(x,y) currently, the triggers are only meaningful for the Simplify prover o new encodings of Why logic into first-order monosorted logic for untyped provers (like Simplify or Zenon) : there are three possible encodings that can be selected through the command line --encoding option o better naming of type variables in Coq output (A1, A2, etc. instead of A718, etc.) o fixed bugs with polymorphic logic constants used in programs o a missing function postcondition is now given the default value "true" (and a warning is emitted for local functions) o Zenon output (--zenon option); see focal.inria.fr/zenon o new option --split-user-conj to split user conjunctions in goals (resulting in more numerous proof obligations) o Mizar output updated for Mizar 7.6.01 o new behavior w.r.t. termination proofs: variants can be omitted in loops and recursive functions; new command line options --partial and --total to specify respectively partial correctness (i.e. variants are not considered even when present) or total correctness (i.e. variants are mandatory) o fixed bug with polymorphic parameters that should not be generalized o new construct "e {{ Q }}" (opaque sub-expression) o new construct "assert {P}; e" o any logic term can be used in programs o types must be declared (new declaration "type foo") o fixed bug with missing exceptional postconditions (false in now inserted and a warning is emitted) o array types now accepted in logic/predicate arguments o --coq now selects the Coq version determined at compiled time version 1.82, September 1st, 2005 ================================= o fixed variable capture issue in haRVey output o fixed bugs in Isabelle output (Yasuhiko Minamide) o support for declaration "function" with Isabelle/CVC/harvey/PVS o new declaration "goal" to declare a proof obligation e.g. goal foo : forall x:int. x = x+0 version 1.81, June 20th, 2005 ============================= o support for CVC Lite syntax 2.0.0, old syntax not supported anymore o support for haRVey 0.5.6 o a predicate label can be a string (e.g. :"bla bla":pred) o a missing exceptional postcondition is now given the default value "false" instead of "true" (i.e. the corresponding exception cannot be raised) o new declaration "function" to define a logic function e.g. function f(x:int, y:int) : int = x+y version 1.80, June 3rd, 2005 ============================ o Isabelle/HOL output (--isabelle option) contribution by Yasuhiko Minamide o HOL 4 output (--hol4 option) contribution by Seungkeol Choe o SMT-LIB format output (--smtlib option) version 1.75, March 15th, 2005 ============================== o fixed installation issue with Coq 8.0pl2 o new option -where to print Why's library path version 1.71, February 3rd, 2005 ================================ o Simplify output: axioms are also printed with universal quantifiers moved inside as much as possible (forall x y, P x => Q x y becomes forall x, P x => forall y, Q x y) version 1.69, January 4th, 2005 =============================== o labeled predicates with syntax ":id: predicate" and lowest precedence version 1.64, October 13th, 2004 ================================ o Coq output now in V8 syntax when Coq V8 is detected at configuration version 1.63, August 26th, 2004 =============================== o WP completely redesigned: side-effects free expressions are now given an adequate specification, so that the WP calculus does not enter them. It results in significantly simpler proof obligations. o new tool `dp' to call decision procedures Simplify and CVC Lite (calls the DP once for each goal with a timeout and displays stats) o CVC Lite output (option --cvcl; see http://chicory.stanford.edu/CVCL/) o Coq: parameters no more generated when -valid is not set o PVS: support for Why polymorphic symbols and/or axioms version 1.62, June 24th, 2004 ============================= o new option --all-vc to get all verification conditions (no more automatic discharging of the most trivial conditions) version 1.61, May 27th, 2004 ============================ o Simplify output: do not fail on floats anymore (now uninterpreted symbols) o added primitive int_of_real: real -> int (in both logic and programs) version 1.60, May 18th, 2004 ============================ o fixed WP for while loops (may break Coq proofs) o new connective <-> version 1.55, May 3rd, 2004 =========================== o type `float' is renamed into `real' o absurd and raise now polymorphic version 1.51, April 6th, 2004 ============================= o Simplify typing constraints only with --simplify-typing option o fixed bug in automatic annotation of x := e when e has a postcondition version 1.50, March 26th, 2004 ============================== o first release of Caduceus o added ``typing'' contraints in Simplify output (using predicates ISxxx) o new declaration "predicate" to define a predicate o new option --dir to output files into a given directory version 1.42, March 16th, 2004 ============================== o new option --pvs-preamble o change in syntax: "external" is now a modifier for "parameter" and "logic" (see the manual for explainations); to be conservative, the following substitutions have to be made: "external" -> "external parameter" "logic" -> "external logic" o new command "axiom : " to declare an axiom version 1.40, December 19th, 2003 ================================ o disabled C support: C is now supported by an external tool, Caduceus (to be released soon with Why) o support for polymorphism (contribution by C. Marché) o syntax of haRVey output now uses integer constants, predefined arithmetic operators, and does not change capitalization of variables, to be conform with the syntax of the next version of haRVey (presumably 0.4) Also added option --no-harvey-prelude version 1.32 ============ o output for Coq version 8 with --coq-v8 (--coq is now equivalent to --coq-v7, and is still the default output) examples in V7 syntax now in examples-v7/ and in V8 syntax in examples/ o Mizar output (with option --mizar) Mizar article in lib/mizar/why.miz (installed by "make install") version 1.3, September 17th, 2003 ================================= o new tool why2html to convert Why input files to HTML o Simplify output (with option --simplify) o fixed bug with WP of constants false/true (simplification added) o better automatic annotation of tests (in particular || and && are given postconditions whenever possible) version 1.22, June 21th, 2003 ============================= o fixed lost of annotation in C function calls o C: /*W external/parameter ...*/ correctly added to C environment o Coq: added Hints Unfold Zwf o (almost) conservative change in renaming strategy; a reference x1 is now renamed into x1 x1_0 x1_1 etc. instead of x1 x2 x3 etc. version 1.2, May 12th, 2003 =========================== o true used as default postcondition for exceptions instead of false (necessary for a correct translation of C programs) o C: fixed bug in translation from ints to booleans o better names given to local references in proof obligations o improved automatic proof (both completeness and performance) version 1.10, April 4th, 2003 ============================== o C: added label statement and alternate syntax /*@ label id */ o fixed bug in ocaml code generation version 1.08, March 28th, 2003 ============================== o C: local variables can be uninitialized o examples: C programs for exact string matching (in string-matching) o fixed bug in WP (not collecting some intermediate assertions) o C: added statement /*@ assert p */ o new construct "absurd" to denote unreachable code version 1.07, March 25th, 2003 ============================== o arbitrary side-effects now allowed in tests (if / while) o label "init" suppressed; new syntax label:expression to insert labels o syntax: logic may introduce several identifiers in a single declaration o linear proof search restricted to WP obligations o PVS: change in array type (warray) to get better TCCs o fixed ocaml output (array_length) version 1.04, March 5th, 2003 ============================= o C: logic declarations with syntax /*W ... */ o improved automatic proof (thus less obligations) o validation in a separate file f_valid.v version 1.02, February 7th, 2003 ================================ o PVS: fixed integer division and modulo, fixed output o haRVey: no more restriction to first-order obligations o Coq: the validation is now given a type o distinction between preconditions and obligations version 1.0, January 31st, 2003 ================================ o syntax: pre- and postconditions brackets now come by pairs (but, inside, the predicates may be omitted) o fixed WP bug in a sequence of calls with before-after annotations o no more "pvs" declaration (the user can now edit the _why.pvs file) o fixed bug in type-checking of recursive functions with exceptions o fixed bug in loop tests automatic annotation; now a warning when a loop test cannot be given a postcondition o fixed bug in interpretation of @init o doc: C programs, Coq and PVS libraries documented o logic: if-then-else construct on terms o PVS: arrays defined in Why prelude and fixed pretty-print; installation version 0.92, January 13th, 2003 ================================ o C: fixed bug in array/reference passing o fixed check for exceptions in external declarations o HOL Light output (with option --hol-light) o fixed compatibility with Coq 7.3 o C: recursive functions, arrays, pointers version 0.8, December 6th, 2002 =============================== o haRVey output (option --harvey; see http://www.loria.fr/~ranise/haRVey/) o C input (incomplete: no arrays, no pointers, no recursive functions) o Coq: helper tactics (AccessSame, AccessOther, ...) o fixed bug in application typing o major change: arrays do not have a dependent type anymore; array_length introduced o Emacs mode for editing Why ML source (in lib/emacs) o automatic discharge of ...|-(well_founded (Zwf 0)) and of ...,v=t,...,I and (Zwf 0 t' t),...|-(Zwf 0 t' v) o fixed bug in local recursive functions version 0.72, November 12th, 2002 ================================= o caml code generation with option --ocaml (beta test) (customized with --ocaml-annot, --ocaml-ext, --output) o quantifier "exists" added to the logic syntax o manual: added lexical conventions o examples: added maximum sort (by Sylvain Boulmé) o new feature: exceptions (beta test) version 0.71, October 15th, 2002 (bug fix release) ================================ o better WP for the if-then-else (when the test is annotated) o reference masking now forbidden o fixed bug in automatic annotations => some postconditions names may change o fixed Coq 7.3 compatibility module version 0.7, October 2nd, 2002 ============================== o Why library compatible with Coq 7.3 (released version) and with Coq development version (determined at configuration) o code ported to ocaml 3.06 o examples: quicksort (2 versions) o more obligations automatically discharged (True / A and B |- A / A,B |- A and B) o Coq: fixed associativity in pretty-print for /\ and \/ (right) right associativity adopted in Why o fixed typing and Coq output for primitive float_of_int version 0.6, July 19th, 2002 ============================ o examples: find o doc: predefined functions and predicates o floats: predefined functions and predicates, Coq pretty-print o fixed bug: x@ reference in a loop post-condition incorrectly translated o the variant relation is now necessarily an identifier o terms and predicates are now typed; new declaration "logic" (terms and predicates syntax are mixed; fixes a parsing bug) version 0.5, July 2nd, 2002 ============================ o first (beta) release Local Variables: mode: text End: why-2.34/src/0000755000175000017500000000000012311670312011404 5ustar rtuserswhy-2.34/src/mlize.mli0000644000175000017500000000467412311670312013242 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s translation of imperative programs into intermediate functional programs *) open Ast open Cc open Env open Logic val trad : typed_expr -> Rename.t -> cc_functional_program why-2.34/src/whyweb.ml0000644000175000017500000005525112311670312013253 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Format open Project (*prover*) let provers = [Ergo ; Simplify ; Z3 ; Yices ; Cvc3] (*color*) let valid_color = "#00FF00" let invalid_color = "#FF8093" let failed_color = "#FF0000" let unknown_color = "#FFFF80" let cannotdecide_color = "#FF80FF" let running_color = "#8080FF" let timeout_color = "#FF8093" (* toggle *) let toggle_lemma l = l.lemma_tags <- List.map (fun (key,value) -> if key = "ww_open" then if value = "true" then (key,"false") else (key,"true") else (key,value)) l.lemma_tags let toggle_function f = f.function_tags <- List.map (fun (key,value) -> if key = "ww_open" then if value = "true" then (key,"false") else (key,"true") else assert false) f.function_tags let toggle_behavior b = b.behavior_tags <- List.map (fun (key,value) -> if key = "ww_open" then if value = "true" then (key,"false") else (key,"true") else (key,value)) b.behavior_tags let toggle_goal g = g.goal_tags <- List.map (fun (key,value) -> if key = "ww_open" then if value = "true" then (key,"false") else (key,"true") else (key,value)) g.goal_tags let use_prover p = match p with | Ergo -> ("--why",".why","",67) | Simplify -> ("--simplify", ".sx","",66) | Z3 -> ("--smtlib",".smt","z3",67) | Yices -> ("--smtlib",".smt","",67) | Cvc3 -> ("--smtlib",".smt","cvc3",67) | Other -> assert false open Wserver let launch_goal prover context g = let (option,endoffile,opt,size) = use_prover prover in let (reademe,writeme) = Unix.pipe () in eprintf "why -no-prelude %s %s %s@." option context g.goal_file; let _ = Unix.create_process "why" [| "why"; "-no-prelude"; option; context; g.goal_file |] Unix.stdin Unix.stdout Unix.stderr in let _ = Unix.wait() in eprintf "why-dp %s -timeout 10 %s@." opt ((String.sub g.goal_file 0 (String.length g.goal_file - 4))^"_why"^endoffile) ; let _ = if opt = "" then Unix.create_process "why-dp" [| "why-dp" ; "-timeout" ; "10" ; (String.sub g.goal_file 0 (String.length g.goal_file - 4))^"_why"^endoffile |] Unix.stdin writeme Unix.stderr else Unix.create_process "why-dp" [| "why-dp" ; "-smt-solver" ; opt ;"-timeout" ; "10" ; (String.sub g.goal_file 0 (String.length g.goal_file - 4))^"_why"^endoffile |] Unix.stdin writeme Unix.stderr in let _ = Unix.wait() in let size = size+(String.length g.goal_file) in let buff = String.make size '!' in let _ = Unix.read reademe buff 0 size in eprintf "%s@." buff; (* let buff = String.make size '?' in let _ = Unix.read reademe buff 0 size in eprintf "%s@." buff;*) Unix.close writeme; Unix.close reademe; let proof = List.filter (fun (s,_) -> s!=prover) g.proof in (g.proof <- match String.get buff ((String.length buff)-1) with | '.' -> (prover,("valid","10","",""))::proof | '*' -> (prover,("invalid","10","",""))::proof | '?' -> (prover,("cannotdecide","10","",""))::proof | '#' -> (prover,("timeout","10","",""))::proof | '!' -> (prover,("failure","10","",""))::proof | c -> Format.eprintf "erreur : %c@." c; assert false) let version () = printf "This is WhyWeb version %s, compiled on %s Copyright (c) 2008 - Claude Marché This is free software with ABSOLUTELY NO WARRANTY (use option -warranty) " Version.version Version.date; exit 0 let port = ref 2372 let spec = [ "-version", Arg.Unit version, " prints version and exit" ; "-port", Arg.Int ((:=) port), " set server port (default " ^ string_of_int !port ^ ")" ; ] let file = ref None let add_file f = if not (Sys.file_exists f) then begin eprintf "whyweb: %s: no such file@." f; exit 1 end; file := Some f let usage = "whyweb [options]" let () = Arg.parse spec add_file usage let file = match !file with | None -> () | Some f -> Arg.usage spec usage; exit 1 let proj = ref (Project.create "") let proj_file = ref "" let coms = Hashtbl.create 1023 let file = ref "" let line = ref 0 let beginning = ref 0 let ending = ref 0 let current_line = ref 0 let current_page = ref "" let launch_goal prover g = let proof = g.proof in g.proof <- (prover,("running","10","",""))::proof; launch_goal prover !proj.project_context_file g let launch_lemmas prover lemmas = List.iter (fun l -> launch_goal prover l.lemma_goal) lemmas let launch_behavior prover b = List.iter (launch_goal prover) b.behavior_goals let launch_function prover f = List.iter (launch_behavior prover) f.function_behaviors let launch_functions prover functions = List.iter (launch_function prover) functions let interp_com c = try let (c,loc) = Hashtbl.find coms c in begin match c with | `ToggleFunction f ->() | `ToggleLemma l -> () | `ToggleBehavior b -> () | `ToggleGoal g -> () | `OpenFunction f -> toggle_function f | `OpenLemma l -> toggle_lemma l | `OpenBehavior b -> toggle_behavior b | `OpenGoal g -> toggle_goal g | `LaunchErgo g -> let _ = Thread.create (launch_goal Ergo) g in () | `LaunchErgoLemma -> let _ = Thread.create (launch_lemmas Ergo) !proj.project_lemmas in () | `LaunchErgoFunctions -> let _ = Thread.create (launch_functions Ergo) !proj.project_functions in () | `LaunchErgoBehavior b -> let _ = Thread.create (launch_behavior Ergo) b in () | `LaunchErgoFunction f -> let _ = Thread.create (launch_function Ergo) f in () | `LaunchSimplify g -> let _ = Thread.create (launch_goal Simplify) g in () | `LaunchSimplifyLemma -> let _ = Thread.create (launch_lemmas Simplify) !proj.project_lemmas in () | `LaunchSimplifyFunctions -> let _ = Thread.create (launch_functions Simplify) !proj.project_functions in () | `LaunchSimplifyBehavior b -> let _ = Thread.create (launch_behavior Simplify) b in () | `LaunchSimplifyFunction f -> let _ = Thread.create (launch_function Simplify) f in () | `LaunchZ3 g -> let _ = Thread.create (launch_goal Z3) g in () | `LaunchZ3Lemma -> let _ = Thread.create (launch_lemmas Z3) !proj.project_lemmas in () | `LaunchZ3Functions -> let _ = Thread.create (launch_functions Z3) !proj.project_functions in () | `LaunchZ3Behavior b -> let _ = Thread.create (launch_behavior Z3) b in () | `LaunchZ3Function f -> let _ = Thread.create (launch_function Z3) f in () | `LaunchYices g -> let _ = Thread.create (launch_goal Yices) g in () | `LaunchYicesLemma -> let _ = Thread.create (launch_lemmas Yices) !proj.project_lemmas in () | `LaunchYicesFunctions -> let _ = Thread.create (launch_functions Yices) !proj.project_functions in () | `LaunchYicesBehavior b -> let _ = Thread.create (launch_behavior Yices) b in () | `LaunchYicesFunction f -> let _ = Thread.create (launch_function Yices) f in () | `LaunchCvc3 g -> let _ = Thread.create (launch_goal Cvc3) g in () | `LaunchCvc3Lemma -> let _ = Thread.create (launch_lemmas Cvc3) !proj.project_lemmas in () | `LaunchCvc3Functions -> let _ = Thread.create (launch_functions Cvc3) !proj.project_functions in () | `LaunchCvc3Behavior b -> let _ = Thread.create (launch_behavior Cvc3) b in () | `LaunchCvc3Function f -> let _ = Thread.create (launch_function Cvc3) f in () | `Save -> Project.save !proj !proj.project_name end; loc with Not_found -> ("",0,0,0) let com_count = ref 0 let reg_com c = incr com_count; let loc = match c with | `ToggleFunction f -> let (_,lin,_,_) = f.function_loc in current_line := lin; f.function_loc | `ToggleLemma l -> let (_,lin,_,_) = l.lemma_loc in current_line := lin; l.lemma_loc | `ToggleBehavior b -> let (_,lin,_,_) = b.behavior_loc in current_line := lin; b.behavior_loc | `ToggleGoal g -> let (_,lin,_,_) = g.goal_expl.Logic_decl.vc_loc in current_line := lin; g.goal_expl.Logic_decl.vc_loc | `OpenFunction _ | `OpenLemma _ | `OpenBehavior _ | `OpenGoal _ -> (!file,!line,!beginning,!ending) | `LaunchErgo _ -> (!file,!line,!beginning,!ending) | `LaunchErgoLemma -> (!file,!line,!beginning,!ending) | `LaunchErgoFunctions -> (!file,!line,!beginning,!ending) | `LaunchErgoBehavior _ -> (!file,!line,!beginning,!ending) | `LaunchErgoFunction _ -> (!file,!line,!beginning,!ending) | `LaunchSimplify _ -> (!file,!line,!beginning,!ending) | `LaunchSimplifyLemma -> (!file,!line,!beginning,!ending) | `LaunchSimplifyFunctions -> (!file,!line,!beginning,!ending) | `LaunchSimplifyBehavior _ -> (!file,!line,!beginning,!ending) | `LaunchSimplifyFunction _ -> (!file,!line,!beginning,!ending) | `LaunchZ3 _ -> (!file,!line,!beginning,!ending) | `LaunchZ3Lemma -> (!file,!line,!beginning,!ending) | `LaunchZ3Functions -> (!file,!line,!beginning,!ending) | `LaunchZ3Behavior _ -> (!file,!line,!beginning,!ending) | `LaunchZ3Function _ -> (!file,!line,!beginning,!ending) | `LaunchYices _ -> (!file,!line,!beginning,!ending) | `LaunchYicesLemma -> (!file,!line,!beginning,!ending) | `LaunchYicesFunctions -> (!file,!line,!beginning,!ending) | `LaunchYicesBehavior _ -> (!file,!line,!beginning,!ending) | `LaunchYicesFunction _ -> (!file,!line,!beginning,!ending) | `LaunchCvc3 _ -> (!file,!line,!beginning,!ending) | `LaunchCvc3Lemma -> (!file,!line,!beginning,!ending) | `LaunchCvc3Functions -> (!file,!line,!beginning,!ending) | `LaunchCvc3Behavior _ -> (!file,!line,!beginning,!ending) | `LaunchCvc3Function _ -> (!file,!line,!beginning,!ending) | `Save -> (!file,!line,!beginning,!ending) in let n = string_of_int !com_count in Hashtbl.add coms n (c,loc); !proj.project_name ^ "?" ^ n (* main *) open Wserver open Format let main_page msg = wprint "

Welcome to the World-Why-Web

"; wprint "

List of current projects

"; wprint "
    "; wprint "
  1. test"; wprint "
  2. Gcd"; wprint "
  3. Lesson1"; wprint "
"; if msg <> "" then begin wprint "
%s" msg; end let load_prj file = eprintf "Reading file %s@." file; try proj := Project.load file; proj_file := file; with Sys_error _ -> let msg = "Cannot open file " ^ file in eprintf "%s@." msg; main_page msg; raise Exit let toogletooltip b s = (if b then "close" else "open") ^ s let rec find_prover l = match l with | (prover,(status,_,_,_))::l -> (prover,status)::(find_prover l) | [] -> [] let validity nl valid = let(valid,color) = match valid with | "valid" -> "Valid", valid_color | "timeout" -> "TimeOut", timeout_color | "cannotdecide" -> "Unknown", cannotdecide_color | "invalid" -> "Invalid", invalid_color | "failure"-> "Failed", failed_color | "running" -> "Running", running_color | _ -> assert false in wprint "%s" color nl valid let goal_validity_bool prover g = let list_prover = find_prover g.proof in let valid = try List.assoc prover list_prover with Not_found -> "invalid" in valid let goal_validity prover g nl = validity nl (goal_validity_bool prover g) let goal_is_valid prover g = let (v,_,_,_) = try List.assoc prover g.proof with Not_found -> ("invalid","","","") in v = "valid" let behavior_validity prover b = List.for_all (goal_is_valid prover) b.behavior_goals let function_validity prover f = List.for_all (behavior_validity prover) f.function_behaviors let goal g indice indent = let s =fprintf str_formatter "%s" (Explain.msg_of_kind g.goal_expl.Logic_decl.vc_kind); flush_str_formatter () in let nt = reg_com (`ToggleGoal g) in let no = reg_com (`OpenGoal g) in let call_provers = List.map (fun prover -> (prover, match prover with | Ergo -> reg_com (`LaunchErgo g) | Simplify -> reg_com (`LaunchSimplify g) | Z3 -> reg_com (`LaunchZ3 g) | Yices -> reg_com (`LaunchYices g) | Cvc3 -> reg_com (`LaunchCvc3 g) | _ -> assert false)) provers in let op = List.assoc "ww_open" g.goal_tags = "true" in if op then wprint "    %s-" indent no !current_line else wprint "    %s+" indent no !current_line; wprint "%d : %s " indice nt !current_line s; if op then begin try wprint "
";
	let fi = open_in g.goal_file in
	begin
	  try 
	    while true do  
	      wprint "%s
" (input_line fi);
	    done
	  with End_of_file -> close_in fi
	end;
	wprint "
"; with Sys_error _ -> wprint "File %s don't exist" g.goal_file; end; List.iter (fun (prover,launcher) -> goal_validity prover g launcher ) call_provers; wprint " " let string_of_addr addr = match addr with | Unix.ADDR_UNIX s -> s | Unix.ADDR_INET (ie,i) -> (Unix.string_of_inet_addr ie)^":"^string_of_int(i) let () = Wserver.f None !port 60 None (fun (addr,req) script cont -> eprintf "add : %s@." (string_of_addr addr); eprintf "request: %a@." (Pp.print_list Pp.comma pp_print_string) req; eprintf "script: `%s'@." script; eprintf "cont: `%s'@." cont; http ""; current_page := "http://localhost:2372/" ^ script; wprint " WhyWeb " !current_page; try if script = "" then begin if cont = "" then (main_page ""; raise Exit); load_prj cont; end else if !proj.project_name <> script then begin eprintf "Previous project: `%s'@." !proj.project_name; eprintf "TODO: save previous project@."; main_page "Argument is not the currently opened project"; raise Exit end; let (loc_file,loc_line,loc_beginning,loc_ending) = interp_com cont in file := loc_file; line := loc_line; beginning := loc_beginning; ending := loc_ending; Hashtbl.clear coms; com_count := 0; wprint "

Project name: %s

" !proj.project_name; let ns = reg_com (`Save) in wprint "
Save Project
" ns; wprint ""; List.iter (fun prover -> wprint "" (Project.provers_name prover)) provers; wprint " "; wprint ""; let call_provers = List.map (fun prover -> (prover, match prover with | Ergo -> reg_com (`LaunchErgoLemma) | Simplify -> reg_com (`LaunchSimplifyLemma) | Z3 -> reg_com (`LaunchZ3Lemma) | Yices -> reg_com (`LaunchYicesLemma) | Cvc3 -> reg_com (`LaunchCvc3Lemma) | Other -> assert false)) provers in List.iter (fun (prover,launch) -> if (List.for_all (fun l -> "valid" = (goal_validity_bool prover l.lemma_goal)) !proj.project_lemmas) then validity launch "valid" else validity launch "invalid" ) call_provers; wprint " "; let indice = ref 1 in List.iter (fun l -> let nt = reg_com (`ToggleLemma l) in let no = reg_com (`OpenLemma l) in let op = List.assoc "ww_open" l.lemma_tags = "true" in if op then begin wprint "" !indice nt !current_line l.lemma_name; wprint " "; indice := !indice +1; if op then begin goal l.lemma_goal 1 ""; end ) !proj.project_lemmas; wprint " "; wprint " "; let call_provers = List.map (fun prover -> (prover, match prover with | Ergo -> reg_com(`LaunchErgoFunctions) | Simplify -> reg_com(`LaunchSimplifyFunctions) | Z3 -> reg_com(`LaunchZ3Functions) | Yices -> reg_com(`LaunchYicesFunctions) | Cvc3 -> reg_com(`LaunchCvc3Functions) | Other -> assert false)) provers in List.iter (fun (prover,launch) -> if (List.for_all (function_validity prover) !proj.project_functions) then validity launch "valid" else validity launch "invalid") call_provers; wprint " "; let indice = ref 1 in List.iter (fun f -> let nt = reg_com (`ToggleFunction f) in let no = reg_com (`OpenFunction f) in let call_provers = List.map (fun prover -> (prover, match prover with | Ergo -> reg_com (`LaunchErgoFunction f) | Simplify -> reg_com (`LaunchSimplifyFunction f) | Z3 -> reg_com (`LaunchZ3Function f) | Yices -> reg_com (`LaunchYicesFunction f) | Cvc3 -> reg_com (`LaunchCvc3Function f) | Other -> assert false)) provers in let op = List.assoc "ww_open" f.function_tags = "true" in if op then wprint "" !indice nt !current_line f.function_name; List.iter (fun (prover,launch) -> if (function_validity prover f) then validity launch "valid" else validity launch "invalid") call_provers; wprint " "; indice := !indice +1; if op then begin let indice = ref 1 in List.iter (fun b -> let nt = reg_com (`ToggleBehavior b) in let no = reg_com (`OpenBehavior b) in let call_provers = List.map (fun prover -> (prover, match prover with | Ergo -> reg_com (`LaunchErgoBehavior b) | Simplify -> reg_com (`LaunchSimplifyBehavior b) | Z3 -> reg_com (`LaunchZ3Behavior b) | Yices -> reg_com (`LaunchYicesBehavior b) | Cvc3 -> reg_com (`LaunchCvc3Behavior b) | Other -> assert false)) provers in let op = List.assoc "ww_open" b.behavior_tags = "true" in if op then wprint "" !indice nt !current_line b.behavior_name; List.iter (fun (prover,launch) -> if (behavior_validity prover b) then validity launch "valid" else validity launch "invalid") call_provers; wprint " "; indice := !indice +1; if op then begin let indice = ref 0 in List.iter(fun x -> indice := !indice +1;goal x !indice "   ") b.behavior_goals; end) f.function_behaviors; end) !proj.project_functions; raise Exit with Exit -> begin wprint "
%s
Lemmas
-" no !current_line; end else wprint "
+" no !current_line; wprint "%d : %s
Functions
-" no !current_line else wprint "
+" no !current_line; wprint "%d : %s
   -" no !current_line else wprint "
   +" no !current_line; wprint "%d : %s
";
	       if !file = "" then ()
	       else 
		 let fi = open_in !file in
		 begin
		   try 
		     let l = ref 1 in
		     let c = ref 1 in
		     let in_select = ref false in
		     wprint "" !l;
		     while true do  
		       let char = input_char fi in
		       if char = '\n'
		       then
			 begin
			   l := !l+1;
			   if not !in_select then c := 0 else ();
			   wprint "" !l
			 end
		       else ();
		       if (!l = !line && !c = !beginning)
		       then
			 begin
			   wprint "";
			   in_select := true
			 end
		       else ();
		       wprint "%c" char;
		       if (!c = !ending) then wprint "" else ();
		       c := !c+1
		     done
		   with End_of_file -> close_in fi
		 end;
		 wprint "
" end) why-2.34/src/effect.mli0000644000175000017500000000631312311670312013346 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s The abstract type of effects. *) type t val bottom : t val add_read : Ident.t -> t -> t val add_reads : Ident.set -> t -> t val add_write : Ident.t -> t -> t val add_writes : Ident.set -> t -> t val add_exn : Ident.t -> t -> t val add_exns : Ident.set -> t -> t val add_nontermination : t -> t val get_reads : t -> Ident.t list val get_writes : t -> Ident.t list val get_exns : t -> Ident.t list val get_repr : t -> Ident.t list * Ident.t list * Ident.t list * bool val is_read : t -> Ident.t -> bool (* read-only *) val is_write : t -> Ident.t -> bool (* read-write *) val is_exn : t -> Ident.t -> bool val is_nonterminating : t -> bool val union : t -> t -> t val remove : Ident.t -> t -> t val remove_exn : Ident.t -> t -> t val remove_nontermination : t -> t val keep_writes : t -> t val erase_exns : t -> t val occur : Ident.t -> t -> bool val subst : Logic.var_substitution -> t -> t open Format val print : formatter -> t -> unit why-2.34/src/unionfind.ml0000644000175000017500000001137012311670312013731 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (* * Graph: generic graph library * Copyright (C) 2004 * Sylvain Conchon, Jean-Christophe Filliatre and Julien Signoles * * This software is free software; you can redistribute it and/or * modify it under the terms of the GNU Library General Public * License version 2, as published by the Free Software Foundation. * * This software is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * * See the GNU Library General Public License version 2 for more details * (enclosed in the file LGPL). *) module type HashedOrderedType = sig type t val equal : t -> t -> bool val hash : t -> int val compare : t -> t -> int end module type S = sig type elt type t val init : unit -> t val find : elt -> t -> elt val union : elt -> elt -> t -> unit end module Make(X:HashedOrderedType) = struct type elt = X.t module H = Hashtbl.Make(X) type cell = { mutable c : int; data : elt; mutable father : cell } type t = cell H.t (* a forest *) let cell h x = try H.find h x with Not_found -> let rec cell = { c = 0; data = x; father = cell } in H.add h x cell; cell let init () = H.create 997 let rec find_aux cell = if cell.father == cell then cell else let r = find_aux cell.father in cell.father <- r; r let find x h = (find_aux (cell h x)).data let union x y h = let rx = find_aux (cell h x) in let ry = find_aux (cell h y) in if rx != ry then begin if rx.c > ry.c then ry.father <- rx else if rx.c < ry.c then rx.father <- ry else begin rx.c <- rx.c + 1; ry.father <- rx end end end (*** test ***) (*** module M = Make (struct type t = int let hash = Hashtbl.hash let compare = compare let equal = (=) end) open Printf let saisir s = printf "%s = " s; flush stdout; let x = read_int () in x let h = M.init [0;1;2;3;4;5;6;7;8;9] let () = if not !Sys.interactive then while true do printf "1) find\n2) union\n"; match read_int () with 1 -> begin let x = saisir "x" in printf "%d\n" (M.find x h) end | 2 -> begin let x, y = saisir "x", saisir "y" in M.union x y h end | _ -> () done ***) why-2.34/src/log.mli0000644000175000017500000000462312311670312012675 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (* Exported type for the why-viewer: (position, predicate, is automatically dicharged) *) type t = (int * string * string option) list why-2.34/src/encoding_pred.mli0000644000175000017500000000456612311670312014722 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Cc val reset : unit -> unit val push : Logic_decl.t -> unit val iter : (Logic_decl.t -> unit) -> unit why-2.34/src/report.mli0000644000175000017500000000504412311670312013425 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Format exception Error of Error.t val report : formatter -> Error.t -> unit val raise_located : Loc.position -> Error.t -> 'a val raise_unlocated : Error.t -> 'a val raise_locop : Loc.position option -> Error.t -> 'a val explain_exception : Format.formatter -> exn -> unit why-2.34/src/types.mli0000644000175000017500000000547012311670312013261 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s Types for programs. Types of values ([type_v]) and computations ([type_c]) *) open Logic type assertion = predicate type precondition = assertion type postcondition = assertion * (Ident.t * assertion) list type 'a binder = Ident.t * 'a type type_v = | PureType of pure_type | Ref of pure_type | Arrow of type_v binder list * type_c and type_c = { c_result_name : Ident.t; c_result_type : type_v; c_effect : Effect.t; c_pre : precondition list; c_post : postcondition option } type transp = Transparent | Opaque why-2.34/src/cvcl.mli0000644000175000017500000000464212311670312013044 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Cc val reset : unit -> unit val push_decl : Logic_decl.t -> unit val output_file : allowedit:bool -> string -> unit val prelude_done : bool ref why-2.34/src/theory_filtering.ml0000644000175000017500000002716712311670312015330 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s Harvey's output *) open Ident open Options open Misc open Error open Logic open Logic_decl open Env open Cc open Format open Pp open Hashtbl open Set open Unionfind let threshold = 1 let axiomCounter = ref 0 let reducedQueue = Queue.create() module Int_map = Map.Make(struct type t=int let compare= compare end) module Int_set = Set.Make(struct type t=int let compare= compare end) module Theory_container = struct let m = ref Int_map.empty let uniqueNumberGenerator () = incr axiomCounter; !axiomCounter (** @param f is the formula we want to store @return n is the index where the formula has been stored **) let add (logic,d) = let n = uniqueNumberGenerator () in m := Int_map.add n (logic,Int_set.empty,d) !m ; n let reset () = m := Int_map.empty ; Queue.clear reducedQueue ; axiomCounter := 0 let depends_on n = try let (_,_,d) = Int_map.find n !m in d with Not_found -> Printf.printf "Number %d not found \n" n; raise Exit let produces n = try let (_,p,_) = Int_map.find n !m in p with Not_found -> Printf.printf "Number %d not found \n" n; raise Exit let axiom n = try let (l,_,_) = Int_map.find n !m in l with Not_found -> Printf.printf "Number %d not found \n" n; raise Exit let set_produce n s = let l = axiom n in let d = depends_on n in m := Int_map.add n (l,s,d) !m end module Symbol_container = struct module Id_map = Map.Make(struct type t=string let compare= compare end) let m = ref Id_map.empty let add logic n= m := Id_map.add logic n !m let reset () = m := Id_map.empty let index_of logic = try Id_map.find logic !m with Not_found -> Printf.printf "Symbol %s not found \n" logic; raise Exit end (** collects the functionnal symbols of the term given in parameter @paramater f : the formula we are parsing @returns the StringSet that contains all the symbols of the formula **) let functional_symbols f = (*: Logic_decl.t -> StringSet*) (** symbols the result **) let symbolsSet = ref Int_set.empty in let rec collect formula = match formula with | Tconst (ConstInt _n) -> () | Tconst (ConstBool _) -> () | Tconst ConstUnit -> () | Tconst (ConstFloat _) -> () | Tderef _ -> () | Tapp (id, [a; b; c], _) when id == if_then_else -> collect a; collect b; collect c | Tapp (id, tl, _) when is_relation id || is_arith id -> symbolsSet := Int_set.add (Symbol_container.index_of (Ident.string id)) !symbolsSet ; List.iter collect tl | Tapp (id, [], _i) -> symbolsSet := Int_set.add (Symbol_container.index_of (Ident.string id)) !symbolsSet | Tapp (id, tl, _i) -> symbolsSet := Int_set.add (Symbol_container.index_of (Ident.string id)) !symbolsSet; List.iter collect tl | _ -> () in collect f ; !symbolsSet let symbols f = (** symbols the result **) let symbolsSet = ref Int_set.empty in let rec collect formula = (* dead code let rec collectIntoAList l = match l with [] -> () | p :: r -> collect p ; collectIntoAList r in *) match formula with | Papp (id, [a; b], _) when is_eq id || is_neq id || id == t_zwf_zero-> symbolsSet := Int_set.union (functional_symbols a) !symbolsSet ; symbolsSet := Int_set.union (functional_symbols b) !symbolsSet | Pand (_, _, a, b) | Forallb (_, a, b) | Por (a, b) | Piff (a, b) | Pimplies (_, a, b) -> collect a; collect b | Papp (id, tl, _i) -> let rec functional_symbolsFromList l = match l with [] -> Int_set.empty | t :: q -> Int_set.union (functional_symbols t) (functional_symbolsFromList q) in symbolsSet := Int_set.union (functional_symbolsFromList tl) !symbolsSet ; symbolsSet := Int_set.add (Symbol_container.index_of (Ident.string id)) !symbolsSet | Pif (a, b, c) -> symbolsSet := Int_set.union (functional_symbols a) !symbolsSet ; collect b; collect c | Pnot a -> collect a; | Forall (_,_id,_n,_t,_,p) | Exists (_id,_n,_t,p) -> collect p | Pnamed (_, p) -> (* TODO: print name *) collect p |_ -> () in collect f ; !symbolsSet let rec add_relevant_in elt s = if Int_set.mem elt s then s else Int_set.add elt (Int_set.fold add_relevant_in (Theory_container.depends_on elt) s) let rank n s = let s1 = Theory_container.produces n in let r = if Int_set.subset s1 s then 1 else 0 in (*Printf.printf "rank %d \n" r ;*) r let filter rs selectedAx notYetSelectedAx = let irrelevant = ref notYetSelectedAx in let relevant = ref selectedAx in let new_rs = ref rs in let f ax = let r = rank ax rs in if r >= threshold then begin relevant := add_relevant_in ax !relevant ; irrelevant := Int_set.remove ax !irrelevant; new_rs := Int_set.union rs (Theory_container.produces ax) end ; if debug then begin Printf.printf "ax (%d) has rank %d \n" ax r end in Int_set.iter f notYetSelectedAx ; (!new_rs,!relevant,!irrelevant) let display_symb_of set = Int_set.iter (fun s -> Printf.printf "%d " s) set let display (q,s) n = let di = function | Dtype (_, id, _) -> Printf.printf "type %s (%d) : " (Ident.string id) | Dalgtype _ -> failwith "Theory filtering: algebraic types are not supported" | Dlogic (_, id, _t) -> Printf.printf "arit %s (%d) : " (Ident.string id) | Dpredicate_def (_, id, _d) -> let id = Ident.string id in Printf.printf "def_pred %s (%d): " id | Dinductive_def(_loc, _ident, _inddef) -> failwith "Theory filtering: inductive def not yet supported" | Dfunction_def (_, id, _d) -> let id = Ident.string id in Printf.printf "def_func %s (%d): " id | Daxiom (_, id, _p) -> Printf.printf "axiom %s (%d): " id | Dgoal (_, is_lemma,_expl, id, _s) -> Printf.printf "%s %s (%d):" (if is_lemma then "lemma" else "goal") id in if debug then begin (di q) n; display_symb_of s; Printf.printf "\n" end let managesGoal _id ax (hyps,concl) = let rec symb_of_seq = function | [] -> symbols concl | Svar (_id, _v) :: q -> symb_of_seq q | Spred (_,p) :: q -> Int_set.union (symbols p) (symb_of_seq q) in let setOfSymbols = ref (symb_of_seq hyps) in let n = Theory_container.add (ax,!setOfSymbols) in display (ax,!setOfSymbols) n ; (*Theory_container.set_produce n setOfSymbols ; *) let allax = ref Int_set.empty in for i= 1 to n-1 do allax := Int_set.add i !allax done; let rel = ref Int_set.empty in let irrel = allax in for i=1 to 2 do (* include predicates/functions and their properties *) let (rs,r,ir) = filter !setOfSymbols !rel !irrel in rel := r ; setOfSymbols := rs ; irrel := ir (*Printf.printf "Relevant of %d : " n; Int_set.iter (fun t-> Printf.printf "%d " t) rel ; Printf.printf " \n " *) done; Int_set.iter (fun t-> Queue.add (Theory_container.axiom t) reducedQueue) !rel let declare_axiom _id ax p = let setOfSymbols = symbols p in let n = Theory_container.add (ax,setOfSymbols) in Theory_container.set_produce n setOfSymbols ; display (ax,setOfSymbols) n let declare_function id ax (_,_,e) = let setOfSymbols = functional_symbols e in let n = Theory_container.add (ax,setOfSymbols) in Theory_container.set_produce n (Int_set.singleton n) ; Symbol_container.add id n; display (ax,setOfSymbols) n let declare_predicate id ax (_,p) = let setOfSymbols = symbols p in let n = Theory_container.add (ax,setOfSymbols) in Theory_container.set_produce n (Int_set.singleton n) ; Symbol_container.add id n; display (ax,setOfSymbols) n let declare_arity id ax = let n = Theory_container.add (ax,Int_set.empty) in Symbol_container.add id n ; display (ax,Int_set.empty) n let declare_type id ax = let n = Theory_container.add (ax,Int_set.empty) in Symbol_container.add id n ; display (ax,Int_set.empty) n let launcher decl = match decl with | Dtype (_, id, _) as ax -> (*Printf.printf "Dtype %s \n" id ;*) declare_type (Ident.string id) ax | Dalgtype _ -> failwith "Theory filtering: algebraic types are not supported" | Dlogic (_, id, _t) as ax -> (* Printf.printf "Dlogic %s \n" id ;*) declare_arity (Ident.string id) ax | Dpredicate_def (_, id, d) as ax -> (*Printf.printf "Dpredicate_def %s \n" *) let id = Ident.string id in declare_predicate id ax d.scheme_type | Dinductive_def(_loc, _ident, _inddef) -> failwith "Theory filtering: inductive def not yet supported" | Dfunction_def (_, id, d) as ax -> (*Printf.printf "Dfunction_def %s \n" id ;*) let id = Ident.string id in declare_function id ax d.scheme_type | Daxiom (_, id, p) as ax -> (*Printf.printf "Daxiom %s \n" id ; *) declare_axiom id ax p.scheme_type | Dgoal (_, _is_lemma, _expl, id, s) as ax -> (*Printf.printf "Dgoal %s \n" id ; *) managesGoal id ax s.Env.scheme_type (** @param q is a logic_decl Queue @returns the pruned theory **) let reduce q = Theory_container.reset(); Symbol_container.reset(); Queue.iter launcher q ; reducedQueue why-2.34/src/smtlib.ml0000644000175000017500000003440012311670312013231 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Ident open Options open Misc open Error open Logic open Logic_decl open Env open Cc open Format open Pp (*s Pretty print *) let int2U = "int2U" let u2Int = "u2Int" let prefix id = if id == t_lt then assert false else if id == t_le then assert false else if id == t_gt then assert false else if id == t_ge then assert false (* int cmp *) else if id == t_lt_int then "<" else if id == t_le_int then "<=" else if id == t_gt_int then ">" else if id == t_ge_int then ">=" (* int ops *) else if id == t_add_int then "+" else if id == t_sub_int then "-" else if id == t_mul_int then "*" (* else if id == t_div_int then "div_int" else if id == t_mod_int then if Options.modulo then "%" else "modulo" *) else if id == t_neg_int then "-" (* real ops *) else if id == t_add_real then "+" else if id == t_sub_real then "-" else if id == t_mul_real then "*" else if id == t_neg_real then "-" else if id == t_lt_real then "<" else if id == t_le_real then "<=" else if id == t_gt_real then ">" else if id == t_ge_real then ">=" else if id == t_div_real || id == t_sqrt_real || id == t_real_of_int then Ident.string id else (eprintf "%a@." Ident.print id; assert false) let is_smtlib_keyword = let ht = Hashtbl.create 50 in List.iter (fun kw -> Hashtbl.add ht kw ()) ["and";" benchmark";" distinct";"exists";"false";"flet";"forall"; "if then else";"iff";"implies";"ite";"let";"logic";"not";"or"; "sat";"theory";"true";"unknown";"unsat";"xor"; "assumption";"axioms";"defintion";"extensions";"formula"; "funs";"extrafuns";"extrasorts";"extrapreds";"language"; "notes";"preds";"sorts";"status";"theory";"Int";"Real";"Bool"; "Array";"U";"select";"store"]; Hashtbl.mem ht let leading_underscore s = s <> "" && s.[0] = '_' let removeChar = let lc = ('\'','p')::('_','u')::('-','t')::[] in function s -> for i=0 to (String.length s)-1 do let c = (String.get s i) in try let c' = List.assoc c lc in String.set s i c' with Not_found -> () done; s let idents fmt s = (* Yices does not expect names to begin with an underscore. *) if is_smtlib_keyword s || leading_underscore s then fprintf fmt "smtlib__%s" s else fprintf fmt "%s" s let ident fmt id = idents fmt (Ident.string id) let print_bvar fmt id = fprintf fmt "?%a" ident id let rec print_term fmt = function | Tvar id -> print_bvar fmt id | Tconst (ConstInt n) -> fprintf fmt "%s" n | Tconst (ConstBool b) -> fprintf fmt "c_Boolean_%b" b | Tconst ConstUnit -> fprintf fmt "tt" | Tconst (ConstFloat c) -> Print_real.print_no_exponent fmt ~prefix_div:true c (* "(real_of_int %s)" "(real_of_int ( * %s %s))" "(div_real (real_of_int %s) (real_of_int %s))" fmt c *) | Tderef _ -> assert false | Tapp (id, [a; b; c], _) when id == if_then_else -> if (Options.get_types_encoding() = SortedStratified) then fprintf fmt "@[(smtlib__ite@ %a @ %a@ %a)@]" print_term a print_term b print_term c else fprintf fmt "@[(ite@ (= %a c_Boolean_true) @ %a@ %a)@]" print_term a print_term b print_term c (* | Tapp (id, [a], _) when id = t_real_of_int -> print_term fmt a *) | Tapp (id, tl, _) when is_relation id || is_arith id -> fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl | Tapp (id, [], i) -> fprintf fmt "%a" idents (Encoding.symbol (id, i)) | Tapp (id, tl, i) -> fprintf fmt "@[(%a@ %a)@]" idents (Encoding.symbol (id, i)) (print_list space print_term) tl | Tnamed (_, t) -> (* TODO: print name *) print_term fmt t and print_terms fmt tl = print_list space print_term fmt tl let rec print_pure_type fmt = function | PTint -> fprintf fmt "Int" | PTbool -> fprintf fmt "c_Boolean" | PTreal -> fprintf fmt "Real" | PTunit -> fprintf fmt "Unit" | PTexternal(_,id) when id==farray -> fprintf fmt "Array" | PTvar {type_val=Some pt} -> print_pure_type fmt pt | PTvar v -> fprintf fmt "A%d" v.tag | PTexternal (i,id) -> idents fmt (Encoding.symbol (id, i)) and instance fmt = function | [] -> () | ptl -> fprintf fmt "_%a" (print_list underscore print_pure_type) ptl let bound_variable = let count = ref 0 in function n -> count := !count+1 ; Ident.create ((removeChar (completeString n))^"_"^ (string_of_int !count)) let rec print_predicate fmt = function | Ptrue -> fprintf fmt "true" | Pvar id when id == Ident.default_post -> fprintf fmt "true" | Pfalse -> fprintf fmt "false" | Pvar id -> fprintf fmt "%a" ident id | Papp (id, [_t], _) when id == well_founded -> fprintf fmt "true;; was well founded @\n" | Papp (id, [a; b], _) when is_eq id -> fprintf fmt "@[(= %a@ %a)@]" print_term a print_term b | Papp (id, [a; b], _) when is_neq id -> fprintf fmt "@[(not (= %a@ %a))@]" print_term a print_term b | Papp (id, tl, _) when is_relation id || is_arith id -> fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl | Papp (id, [a;b], _) when id == t_zwf_zero -> (** TODO : DIRTY WAY TO translate such predicate; may be previously dispatched into an inequality **) fprintf fmt "@[(and (<= 0 %a)@ (< %a %a))@]" print_term b print_term a print_term b | Papp (id, tl, _) when id == t_distinct -> fprintf fmt "@[(distinct@ %a)@]" print_terms tl | Papp (id, tl, i) -> fprintf fmt "@[(%a@ %a)@]" idents (Encoding.symbol (id, i)) print_terms tl | Pimplies (_, a, b) -> fprintf fmt "@[(implies@ %a@ %a)@]" print_predicate a print_predicate b | Pif (a, b, c) -> if (Options.get_types_encoding() = SortedStratified) then fprintf fmt "@[(if_then_else@ (= %a c_Boolean_true)@ %a@ %a)@]" print_term a print_predicate b print_predicate c else fprintf fmt "@[(if_then_else@ (= %a c_Boolean_true)@ %a@ %a)@]" print_term a print_predicate b print_predicate c | Pand (_, _, a, b) | Forallb (_, a, b) -> fprintf fmt "@[(and@ %a@ %a)@]" print_predicate a print_predicate b | Por (a, b) -> fprintf fmt "@[(or@ %a@ %a)@]" print_predicate a print_predicate b | Piff (a, b) -> fprintf fmt "@[(iff@ %a@ %a)@]" print_predicate a print_predicate b | Pnot a -> fprintf fmt "@[(not@ %a)@]" print_predicate a | Forall (_,_id,n,t,_,p) -> (*Printf.printf "Forall : %s\n" (Ident.string id); *) (*let id' = next_away id (predicate_vars p) in*) let id' = (bound_variable n) in (***Format.printf " Forall : %a , " Ident.dbprint n ; Format.printf " %a" Ident.dbprint id' ;**) let p' = subst_in_predicate (subst_onev n id') p in fprintf fmt "@[(forall (%a %a)@ %a)@]" print_bvar id' print_pure_type t print_predicate p' | Exists (_id,n,t,p) -> (*let id' = next_away id (predicate_vars p) in*) let id' = bound_variable n in let p' = subst_in_predicate (subst_onev n id') p in fprintf fmt "@[(exists (%a %a) %a)@]" print_bvar id' print_pure_type t print_predicate p' | Pnamed (_, p) -> (* TODO: print name *) print_predicate fmt p | Plet (_, n, _, t, p) -> let id' = bound_variable n in let s = subst_onev n id' in let t' = subst_in_term s t in let p' = subst_in_predicate s p in fprintf fmt "@[(let (%a %a)@ %a)@]" print_bvar id' print_term t' print_predicate p' let print_axiom fmt id p = fprintf fmt "@[;; Why axiom %s@]@\n" id; fprintf fmt " @[:assumption@ %a@]" print_predicate p; fprintf fmt "@]@\n@\n" let print_quantifiers = let print_quantifier fmt (x,t) = fprintf fmt "(%a %a)" print_bvar x print_pure_type t in print_list space print_quantifier let pure_type_list = print_list space print_pure_type (* Function and predicate definitions are handled in Encoding *) (* let print_predicate_def fmt id (bl,p) = let tl = List.map snd bl in fprintf fmt "@[:extrapreds ((%a %a))@]@\n@\n" idents id pure_type_list tl; fprintf fmt "@[:assumption@ (forall %a@ (iff (%a %a)@ @[%a@]))@]@\n@\n" print_quantifiers bl idents id (print_list space (fun fmt (x,_) -> print_bvar fmt x)) bl print_predicate p let print_function_def fmt id (bl,pt,e) = let tl = List.map snd bl in fprintf fmt "@[:extrafuns ((%a %a %a))@]@\n@\n" idents id pure_type_list tl print_pure_type pt; fprintf fmt "@[:assumption@ (forall %a@ (= (%a %a)@ @[%a@]))@]@\n@\n" print_quantifiers bl idents id (print_list space (fun fmt (x,_) -> print_bvar fmt x)) bl print_term e *) let output_sequent fmt (hyps,concl) = let rec print_seq fmt = function | [] -> print_predicate fmt concl | Svar (id, v) :: hyps -> fprintf fmt "@[(forall (%a %a)@ %a)@]" print_bvar id print_pure_type v print_seq hyps (* TODO : update this for renaming each variable *) | Spred (_,p) :: hyps -> fprintf fmt "@[(implies@ %a@ %a)@]" print_predicate p print_seq hyps in print_seq fmt hyps let print_obligation fmt loc _is_lemma _o s = fprintf fmt "@[:formula@\n"; fprintf fmt " @[;; %a@]@\n" Loc.gen_report_line loc; fprintf fmt " @[(not@ %a)@]" output_sequent s; fprintf fmt "@]@\n@\n" (* useless since goals are split (moreover, may trigger a bug with Z3: proves the lemma using the aussmption given after) if is_lemma then begin fprintf fmt "@[;; %s as axiom@]@\n" o; fprintf fmt " @[:assumption@ %a@]" output_sequent s; fprintf fmt "@]@\n@\n" end *) let push_decl d = Encoding.push d let iter = Encoding.iter let reset () = Encoding.reset () let declare_type fmt id = fprintf fmt ":extrasorts (%a)@\n" ident id let print_logic fmt id t = fprintf fmt ";;;; Why logic %s@\n" id; match t with | Predicate tl -> fprintf fmt "@[:extrapreds ((%a %a))@]@\n@\n" idents id pure_type_list tl | Function (tl, pt) -> fprintf fmt "@[:extrafuns ((%a %a %a))@]@\n@\n" idents id pure_type_list tl print_pure_type pt let output_elem fmt = function | Dtype (_loc, id, []) -> declare_type fmt id | Dtype (_, id, _) -> fprintf fmt ";; polymorphic type %s@\n@\n" (Ident.string id) | Dalgtype _ -> assert false (* failwith "SMTLIB output: algebraic types are not supported" *) | Dlogic (_, id, t) when not (Ident.is_simplify_arith id) -> print_logic fmt (Ident.string id) t.scheme_type | Dlogic (_, _, _) -> fprintf fmt "" | Dpredicate_def (_loc, _id, _d) -> assert false (* print_predicate_def fmt (Ident.string id) d.scheme_type *) | Dinductive_def(_loc, _ident, _inddef) -> assert false (* failwith "SMTLIB output: inductive def not yet supported" *) | Dfunction_def (_loc, _id, _d) -> assert false (* print_function_def fmt (Ident.string id) d.scheme_type *) | Daxiom (_loc, id, p) -> print_axiom fmt id p.scheme_type | Dgoal (loc, is_lemma, _expl, id, s) -> print_obligation fmt loc is_lemma id s.Env.scheme_type let output_file ?logic fname = let cout = Options.open_out_file fname in let fmt = formatter_of_out_channel cout in fprintf fmt "(benchmark %a@\n" idents (removeChar (Filename.basename fname)); fprintf fmt " :status unknown@\n"; begin match logic with | None -> () | Some l -> fprintf fmt " :logic %s@\n" l; end; (* if (Options.get_types_encoding() != SortedStratified) then *) begin fprintf fmt " :extrasorts (c_Boolean)@\n"; fprintf fmt " :extrafuns ((c_Boolean_true c_Boolean))@\n"; fprintf fmt " :extrafuns ((c_Boolean_false c_Boolean))@\n"; fprintf fmt " :assumption (forall (?bcd c_Boolean) (or (= ?bcd c_Boolean_true) (= ?bcd c_Boolean_false)))@\n"; fprintf fmt " :assumption (not (= c_Boolean_true c_Boolean_false))@\n"; end; fprintf fmt " :extrasorts (Unit)@\n"; fprintf fmt " :extrafuns ((tt Unit))@\n"; (* fprintf fmt " :extrafuns ((div_int Int Int Int))@\n"; if not modulo then begin fprintf fmt " :extrafuns ((modulo Int Int Int))@\n"; end; *) iter (output_elem fmt); (* end of smtlib file *) fprintf fmt "@\n)@\n"; pp_print_flush fmt (); Options.close_out_file cout (* Local Variables: compile-command: "unset LANG; nice make -j -C .. bin/why.byte" End: *) why-2.34/src/fastwp.ml0000644000175000017500000004506412311670312013253 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (* Fast weakest preconditions *) open Ident open Logic open Types open Effect open Misc open Util open Ast open Env let idmap_union m1 m2 = Idmap.fold (fun x2 v m1 -> if Idmap.mem x2 m1 then begin assert (Idmap.find x2 m1 = v); m1 end else Idmap.add x2 v m1) m2 m1 module Subst = struct type t = { current : Ident.t Idmap.t; (* current name for each variable *) sigma : Ident.t Idmap.t; (* substitution for all variables *) types : pure_type Idmap.t; (* types, for quantifiers *) all_vars : Idset.t; (* all names already used *) } let empty = { current = Idmap.empty; sigma = Idmap.empty; types = Idmap.empty; all_vars = Idset.empty } let add x pt s = { current = Idmap.add x x s.sigma; sigma = Idmap.add x x s.sigma; types = Idmap.add x pt s.types; all_vars = Idset.add x s.all_vars } let add_aux x pt s = { s with types = Idmap.add x pt s.types; all_vars = Idset.add x s.all_vars } let frame env ef s = let r,w,_,_ = Effect.get_repr ef in List.fold_left (fun s x -> try begin match Env.type_in_env env x with | Ref pt -> add x pt s | _ -> assert false end with Not_found -> assert false) s (r @ w) let find x s = Idmap.find x s.current let global_names = ref Idset.empty let next_away x s = let x' = next_away x (Idset.union !global_names s) in global_names := Idset.add x' !global_names; x' let fresh x s = assert (Idmap.mem x s.types); let x' = next_away x s.all_vars in x', { current = Idmap.add x x' s.current; sigma = Idmap.add x x' s.sigma; types = Idmap.add x' (Idmap.find x s.types) s.types; all_vars = Idset.add x' s.all_vars } let fresh_pure x pt s = let x' = next_away x s.all_vars in x', { current = Idmap.add x x' s.current; sigma = Idmap.add x x' s.sigma; types = Idmap.add x' pt s.types; all_vars = Idset.add x' s.all_vars } let write x s = let _,s = fresh x s in s let writes = List.fold_right write let term s = Misc.subst_in_term s.sigma let predicate s = Misc.subst_in_predicate s.sigma (* we cross the label l => the values at label l are mapped to the current values of references *) let label l s = { s with sigma = Idmap.fold (fun x x' m -> if not (is_at x) then Idmap.add (at_id x l) x' m else m) s.current s.sigma } let add_vars s1 s2 = { s1 with types = idmap_union s1.types s2.types; all_vars = Idset.union s1.all_vars s2.all_vars } (* debug *) open Format let print fmt s = let print_map fmt m = Idmap.iter (fun x x' -> fprintf fmt "(%a->%a)" Ident.lprint x Ident.lprint x') m in let print_keys fmt m = Idmap.iter (fun x _ -> fprintf fmt "(%a)" Ident.lprint x) m in fprintf fmt "@[current=%a,@ sigma=%a,@ types=%a@]" print_map s.current print_map s.sigma print_keys s.types end open Subst let all_quantifiers ((_,s),ee) = let s = List.fold_left (fun s (_,(_,sx)) -> idmap_union s sx.types) s.types ee in let l = Idmap.fold (fun x pt acc -> (x, PureType pt) :: acc) s [] in List.rev l let merge s1 s2 = (* d = { x | s1(x) <> s2(x) } *) let d = Idmap.fold (fun x x1 d -> try let x2 = Subst.find x s2 in if x1 != x2 then Idset.add x d else d with Not_found -> d) s1.current Idset.empty in let s12 = { s1 with types = idmap_union s1.types s2.types; all_vars = Idset.union s1.all_vars s2.all_vars } in Idset.fold (fun x (s',r1,r2) -> let x',s' = Subst.fresh x s' in let ty = PureType (Idmap.find x s'.types) in s', wpand r1 (tequality ty (Tvar x') (Tvar (Subst.find x s1))), wpand r2 (tequality ty (Tvar x') (Tvar (Subst.find x s2)))) d (s12, Ptrue, Ptrue) let wpforall = pforall ~is_wp:true let wpforalls = foralls_many ~is_wp:true let ssubst_in_predicate s p = simplify (tsubst_in_predicate s p) let norm (p,_) = p let exn x pl s = try List.assoc x pl with Not_found -> Pfalse, s let exns e ee = List.map (fun x -> x, ee x) (get_exns e.info.t_effect) let with_exception_type e v f x = match find_exception e, v with | None, None -> x | Some pt, Some v -> f v pt x | _ -> assert false (* INPUT - e : program - s : Subst.t OUTPUT - ok : predicate = correctness of e - (n,el) : predicate * (Ident.t * predicate) list, such that * if e terminates normally then n holds * if e raises exception E then List.assoc E el holds - s' : Subst.t *) let rec wp e s = let _,(_,ee) as r = wp0 e.info e s in assert (List.length ee = List.length (get_exns e.info.t_effect)); r and wp0 info e s = (*Format.eprintf "@[wp avec %a@]@." Subst.print s;*) let v = result_type e in match e.desc with | Expression t -> (* OK: true NE: result=t *) let t = Subst.term s (unref_term t) in let p = match e.info.t_result_type with | PureType PTunit -> Ptrue | _ -> tequality v tresult t in Ptrue, ((p, s), []) | If (e1, e2, e3) -> (* OK: ok(e1) /\ (ne(e1,true) => ok(e2)) /\ (ne(e1,false) => ok(e3)) NE: (ne(e1,true) /\ ne(e2,result)) \/ (ne(e1,false) /\ ne(e3,result)) *) let ok1,((ne1,s1),ee1) = wp e1 s in let ok2,((ne2,s2),ee2) = wp e2 s1 in let ok3,((ne3,s3),ee3) = wp e3 s1 in let ne1true = ssubst_in_predicate (subst_one result ttrue) ne1 in let ne1false = ssubst_in_predicate (subst_one result tfalse) ne1 in let ok = wpands [ok1; wpimplies ne1true ok2; wpimplies ne1false ok3] in let ne = let s',r2,r3 = merge s2 s3 in por (wpands [ne1true; ne2; r2]) (wpands [ne1false; ne3; r3]), s' in let ee x = let ee2,s2 = exn x ee2 s1 and ee3,s3 = exn x ee3 s1 in let s23,r2,r3 = merge s2 s3 in let ee1,s1 = exn x ee1 s in let s',q1,q23 = merge s1 s23 in pors [wpand ee1 q1; wpands [ne1true;ee2;r2;q23]; wpands [ne1false;ee3;r3;q23]], s' in ok, (ne, exns e ee) | Seq (e1, e2) -> (* OK: ok(e1) /\ (ne(e1,void) => ok(e2)) NE: ne(e1,void) /\ ne(e2,result) *) let ok1,((ne1,s1),ee1) = wp e1 s in let ok2,((ne2,s2),ee2) = wp e2 s1 in let ne1void = tsubst_in_predicate (subst_one result tvoid) ne1 in let ok = wpand ok1 (wpimplies ne1void ok2) in let ne = wpand ne1void ne2 in let ee x = let ee1,sx1 = exn x ee1 s and ee2,sx2 = exn x ee2 s1 in let s',r1,r2 = merge sx1 sx2 in por (wpand ee1 r1) (wpands [ne1void; ee2; r2]), s' in ok, ((ne, s2), exns e ee) | LetIn (x, e1, e2) -> let ok1,((ne1,s1),ee1) = wp e1 s in let x',s1 = match e1.info.t_result_type with | PureType pt -> Subst.fresh_pure x pt s1 | _ -> x, s1 in let ok2,((ne2,s2),ee2) = wp e2 s1 in begin match e1.info.t_result_type with | PureType _pt -> let ne1x = subst_in_predicate (subst_onev result x') ne1 in let subst = subst_in_predicate (subst_onev x x') in let ok = wpand ok1 (wpimplies ne1x (subst ok2)) in let ne = wpand ne1x (subst ne2) in let ee x = let ee1,sx1 = exn x ee1 s and ee2,sx2 = exn x ee2 s1 in let s',r1,r2 = merge sx1 sx2 in por (wpand ee1 r1) (wpands [ne1x; ee2; r2]), s' in ok, ((ne, s2), exns e ee) | Arrow _ -> assert (not (occur_predicate result ne1)); assert (not (occur_predicate x ne2)); let ok = wpand ok1 (wpimplies ne1 ok2) in (* ok1 /\ ok2 ? *) let ne = wpand ne1 ne2 in let ee x = let ee1,sx1 = exn x ee1 s and ee2,sx2 = exn x ee2 s1 in let s',r1,r2 = merge sx1 sx2 in por (wpand ee1 r1) (wpands [ne1; ee2; r2]), s' in ok, ((ne, s2), exns e ee) | Ref _ -> assert false end | LetRef (x, e1, e2) -> begin match e1.info.t_result_type with | PureType pt -> let ok1,((ne1,s1),ee1) = wp e1 s in let s1 = Subst.add x pt s1 in let ok2,((ne2,s2),ee2) = wp e2 s1 in let ne1x = subst_in_predicate (subst_onev result x) ne1 in let ok = wpand ok1 ((*wpforall x ty1*) (wpimplies ne1x ok2)) in let ne = (*exists x ty1*) (wpand ne1x ne2) in let ee x = let ee1,sx1 = exn x ee1 s and ee2,sx2 = exn x ee2 s1 in let s',r1,r2 = merge sx1 sx2 in por (wpand ee1 r1) (wpands [ne1x; ee2; r2]), s' in let s2 = Subst.add_aux x pt s2 in ok, ((ne, s2), exns e ee) | Arrow _ | Ref _ -> assert false end | Assertion (k, al, e1) -> (* OK: al /\ ok(e1) NE: al /\ ne(e1, result) *) let ok, ((ne1, s'), ee1) = wp e1 s in let pl = List.map (fun a -> subst_in_predicate s.sigma a.a_value) al in let ee x = let ee, sx = exn x ee1 s in wpands (pl @ [ee]), sx in (* wpands (pl@[ok]), ((wpands (pl@[ne1]), s'), exns e ee) *) let expl = match k with | `ABSURD -> Cc.VCEabsurd | #Cc.assert_kind as k -> (* ASSERT and CHECK *) Cc.VCEassert (k, List.map (fun a -> (a.a_loc, a.a_value)) al) | `PRE -> let lab = info.t_userlabel in let loc = info.t_loc in Cc.VCEpre (lab, loc, List.map (fun a -> (a.a_loc, a.a_value)) al) in let id = reg_explanation expl in Pnamed (id, wpands (pl@[ok])), ((wpands (pl@[ne1]), s'), exns e ee) | Post (e1, q, _) -> (* TODO: what to do with the transparency here? *) let lab = e1.info.t_label in let s = Subst.label lab s in let ok, ((ne1, s'), ee1) = wp e1 s in let q, ql = post_app (asst_app (change_label "" lab)) q in let q = let id = reg_explanation (Cc.VCEpost (q.a_loc, q.a_value)) in { q with a_value = Pnamed (id, q.a_value) } in let ql = List.map (fun (x, q) -> let id = reg_explanation (Cc.VCEpost (q.a_loc, q.a_value)) in x, { q with a_value = Pnamed (id, q.a_value) }) ql in let subst p s = subst_in_predicate s.sigma p.a_value in let q = subst q s' in let ql = List.map2 (fun (_, (_,sx)) (x, qx) -> x, subst qx sx) ee1 ql in let post_exn (x, (ex, _)) (x', qx) = assert (x = x'); let p = wpimplies ex qx in match find_exception x with | Some pt -> wpforall result (PureType pt) p | None -> p in let ok = wpands (ok :: wpforall result e1.info.t_result_type (wpimplies ne1 q) :: List.map2 post_exn ee1 ql) in let ne = wpand ne1 q, s' in let ee x = let ee, sx = exn x ee1 s in wpand ee (List.assoc x ql), sx in ok, (ne, exns e ee) | Label (l, e) -> wp e (Subst.label l s) | Var _ -> (* this must be an impure function, thus OK = NE = true *) Ptrue, ((Ptrue, s), []) | Absurd -> (* OK = NE = false *) Pfalse, ((Pfalse, s), []) | Loop (inv, var, e1) -> (* OK: I /\ forall w. (I => (ok(e1) /\ (ne(e1,void) => I /\ var let lab = info.t_userlabel in let id = reg_explanation (Cc.VCEinvinit (lab, (inv.a_loc, inv.a_value))) in { inv with a_value = Pnamed (id, inv.a_value) }) inv in let inv2 = option_app (fun inv -> let lab = info.t_userlabel in let id = reg_explanation (Cc.VCEinvpreserv (lab, (inv.a_loc, inv.a_value))) in { inv with a_value = Pnamed (id, inv.a_value) }) inv in let subst_inv inv s = match inv with | None -> Ptrue | Some { a_value = i } -> Subst.predicate s i in let i0 = subst_inv inv1 s0 in let i1 = subst_inv inv2 s0 in let decphi = match var with | None -> Ptrue | Some (loc, phi, _, r) -> let id = reg_explanation (Cc.VCEvardecr (loc, phi)) in Pnamed (id, Papp (r, [Subst.term s1 phi; Subst.term s0 phi], [])) in let ok = wpands [Wp.well_founded_rel var; subst_inv inv1 s; wpimplies i1 (wpand ok1 (wpimplies ne1void (wpand (subst_inv inv2 s1) decphi)))] in let ee x = let ee,sx = exn x ee1 s0 in wpand i0 ee, sx in ok, ((Pfalse, s1), exns e ee) | Raise (id, None) -> (* OK: true N : false E : true *) Ptrue, ((Pfalse, s), [id, (Ptrue, s)]) | Raise (id, Some e1) -> (* OK: ok(e1) N : false E : ne(e1) \/ E(e1) if E=id, E(e1) otherwise *) let ok1,((ne1,s1),ee1) = wp e1 s in let ee x = if x == id then try let ee1,sx = List.assoc x ee1 in por ne1 ee1, sx with Not_found -> ne1, s1 else try List.assoc x ee1 with Not_found -> assert false in ok1, ((Pfalse, s1), exns e ee) | Try (e1, hl) -> let ok1,((ne1,s1),ee1) = wp e1 s in let hl = List.map (fun ((x,v),ei) -> let _,sx = exn x ee1 s in ((x,v), wp ei sx)) hl in let bind_result v p = match v with | None -> p | Some x -> subst_in_predicate (subst_onev result x) p in let handler_ok ((x,v), (oki,_)) = let e1x,_ = exn x ee1 s in let e1x = bind_result v e1x in let p = wpimplies e1x oki in with_exception_type x v (fun v pt -> wpforall v (PureType pt)) p in let ok = wpands (ok1 :: List.map handler_ok hl) in let ne = List.fold_left (fun (ne,s) ((x,v), (_,((nei,si),_))) -> let e1x,_ = exn x ee1 s in let e1x = bind_result v e1x in let si = with_exception_type x v Subst.add_aux si in let s',r1,r2 = merge s si in por (wpand ne r1) (wpands [e1x; nei; r2]), s') (ne1,s1) hl in let ee x = let eex,sx = if List.exists (fun ((xi,_),_) -> x == xi) hl then Pfalse, s else exn x ee1 s in List.fold_left (fun (nex,sx) ((xi,vi),(_,(_,eei))) -> let e1xi,sxi = exn xi ee1 s in let eeix,sxi = exn x eei sxi in let eeix = bind_result vi eeix in let sxi = with_exception_type xi vi Subst.add_aux sxi in let sx,r1,r2 = merge sx sxi in por (wpand nex r1) (wpands [e1xi; eeix; r2]), sx) (eex, sx) hl in ok, (ne, exns e ee) | Lam (bl, pl, e) -> (* OK: forall bl. pl => ok(e) NE: forall bl. pl /\ ne(e, result) *) let s = Subst.frame e.info.t_env e.info.t_effect s in let ok,r = wp e s in let qr = all_quantifiers r in let pl = List.map (fun a -> subst_in_predicate s.sigma a.a_value) pl in let q = List.filter (function (_,PureType _) -> true | _ -> false) bl in wpforalls (q @ qr) (wpimplies (wpands pl) ok), ((Ptrue, s), []) | Rec (_f, bl, _v, var, pl, e) -> (* OK: well_founded(R) /\ forall bl. pl => ok(e) NE: forall bl. pl /\ ne(e, result) *) let wfr = Wp.well_founded_rel var in let s = Subst.frame e.info.t_env e.info.t_effect s in let ok,r = wp e s in let qr = all_quantifiers r in let pl = List.map (fun a -> subst_in_predicate s.sigma a.a_value) pl in let q = List.filter (function (_,PureType _) -> true | _ -> false) bl in pand wfr (wpforalls (q @ qr) (wpimplies (wpands pl) ok)), ((Ptrue, s), []) | AppRef (e1, _, k) | AppTerm (e1, _, k) -> let lab = e1.info.t_label in let s = Subst.label lab s in let q = optpost_app (asst_app (change_label "" lab)) k.t_post in let ok,(((ne,s'),ee) as nee) = wp e1 s in assert (not (occur_predicate result ne)); let wr s = Subst.writes (Effect.get_writes k.t_effect) s in let nee = match q with | Some (q', qe) -> (let s' = wr s' in wpand ne (Subst.predicate s' q'.a_value), s'), (let ee x = let q' = List.assoc x qe in let ee,s' = exn x ee s in let s' = wr s' in por ee (wpand ne (Subst.predicate s' q'.a_value)), s' in exns e ee) | None -> nee in ok, nee | Any k -> let lab = e.info.t_label in let s = Subst.label lab s in let q = optpost_app (post_named e.info.t_loc) k.c_post in let q = optpost_app (asst_app (change_label "" lab)) q in let s' = Subst.writes (Effect.get_writes k.c_effect) s in let nee = match q with | Some (q', qe) -> (Subst.predicate s' q'.a_value, s'), (let ee x = let q' = List.assoc x qe in Subst.predicate s' q'.a_value, s' in exns e ee) | None -> let ee _x = Ptrue, s' in (Ptrue, s'), exns e ee in Ptrue, nee let wp e = let s = Subst.frame e.info.t_env e.info.t_effect Subst.empty in let ok, _ = wp e s in ok (* Local Variables: compile-command: "unset LANG; make -C .. byte" End: *) why-2.34/src/linenum.mll0000644000175000017500000000643512311670312013571 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*i $Id: linenum.mll,v 1.9 2008-11-05 14:03:17 filliatr Exp $ i*) (* code from Ocaml sources *) { open Lexing let bol = ref 0 (* beginning of line, in chars *) let line = ref 1 (* current line number *) let file = ref "" } rule one_line = parse | '#' [' ' '\t']* (['0'-'9']+ as l) [' ' '\t']* ("\"" ([^ '\n' '\r' '"' (* '"' *) ]* as f) "\"")? [^ '\n' '\r']* ('\n' | '\r' | "\r\n") { line := int_of_string l; begin match f with Some f -> file := f | None -> () end; bol := lexeme_start lexbuf; lexeme_end lexbuf } | [^ '\n' '\r']* ('\n' | '\r' | "\r\n") { incr line; bol := lexeme_start lexbuf; lexeme_end lexbuf } | [^ '\n' '\r'] * eof { incr line; bol := lexeme_start lexbuf; raise End_of_file } { let from_char f c = let cin = open_in_bin f in let lb = from_channel cin in file := f; line := 1; bol := 0; begin try while one_line lb <= c do () done with End_of_file -> () end; close_in cin; (!file, !line - 1, c - !bol) } why-2.34/src/predDefExpansor.ml0000644000175000017500000002767612311670312015051 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Env open Ident open Misc open Logic open Cc open Options open Logic_decl let pred_def = Hashtbl.create 97 let rec subst_in_pure_type st = function | PTvar ({ type_val = None } as v) as t -> (try Vmap.find v st with Not_found -> t) | PTvar { type_val = Some t } -> subst_in_pure_type st t | PTexternal(l, id) -> PTexternal(List.map (subst_in_pure_type st) l, id) | PTint | PTreal | PTbool | PTunit as t -> t let subst_in_instance st = List.map (subst_in_pure_type st) let rec subst_in_term s st = function | Tvar x as t -> (try Idmap.find x s with Not_found -> t) | Tapp (x,l,i) -> Tapp (x, List.map (subst_in_term s st) l, subst_in_instance st i) | Tconst _ | Tderef _ as t -> t | Tnamed(lab,t) -> Tnamed(lab,subst_in_term s st t) let rec subst_in_predicate s st = function | Papp (id, l, i) -> Papp (id, List.map (subst_in_term s st) l, subst_in_instance st i) | Pif (a, b ,c) -> Pif (subst_in_term s st a, subst_in_predicate s st b, subst_in_predicate s st c) | Forall (w, id, b, v, tl, p) -> Forall (w, id, b, subst_in_pure_type st v, List.map (List.map (subst_in_pattern s st)) tl, subst_in_predicate s st p) | Exists (id, b, v, p) -> Exists (id, b, subst_in_pure_type st v, subst_in_predicate s st p) | p -> map_predicate (subst_in_predicate s st) p and subst_in_pattern s st = function | TPat t -> TPat (subst_in_term s st t) | PPat p -> PPat (subst_in_predicate s st p) let rec expand = function | Papp (id, tl, i) as p -> begin try let tvars,argl,p = Hashtbl.find pred_def id in (* Format.eprintf "predDefExpansor: expanding def of %s@." (Ident.string id); *) let st = subst_many argl tl in let sty = List.fold_left2 (fun s v t -> Vmap.add v t s) Vmap.empty tvars i in subst_in_predicate st sty p with Not_found -> (* Format.eprintf "predDefExpansor: NOT expanding def of %s@." (Ident.string id); *) p end | p -> map_predicate expand p let expand_inductive_def (t,l) = (t,List.map (fun (id,p) -> (id,expand p)) l) let expand_sequent ~recursive_expand (ctx,p) = let expand_hyp = function | Svar _ as h -> h | Spred (id, p) -> Spred (id, if recursive_expand then expand p else p) in (List.map expand_hyp ctx, expand p) let push ~recursive_expand decl = match decl with | Dpredicate_def (loc, ident, def) -> let argl,p = def.scheme_type in (*let rootexp = (Papp (Ident.create ident, List.map (fun (i,_) -> Tvar i) argl, [])) in*) let p = expand p in let vars = Vset.fold (fun v l -> v :: l) def.scheme_vars [] in Hashtbl.add pred_def ident (vars, List.map fst argl, p); if recursive_expand then Dlogic (loc, ident, Env.generalize_logic_type (Predicate (List.map snd argl))) else decl | Dinductive_def(loc, ident, def) when recursive_expand -> Dinductive_def(loc,ident, Env.generalize_inductive_def (expand_inductive_def def.scheme_type)) | Daxiom (loc, ident, ps) when recursive_expand -> Daxiom (loc, ident, Env.generalize_predicate(expand ps.scheme_type)) | Dgoal (loc, is_lemma, expl, ident, ps) -> Dgoal (loc, is_lemma, expl, ident, Env.generalize_sequent (expand_sequent ~recursive_expand ps.scheme_type)) | Dfunction_def _ | Dinductive_def _ | Daxiom _ | Dtype _ | Dalgtype _ | Dlogic _ -> decl (*************** ad-hoc utilities **************) let ah_equal t l r = Papp (t_eq, [l;r], [t]) let ah_exists = List.fold_right (fun (y,t) f -> Util.exists y (Types.PureType t) f) let ah_forall yv tl f = let fall (y,t) (l,f) = ([], Util.forall y (Types.PureType t) ~triggers:l f) in snd (List.fold_right fall yv (tl,f)) (*************** function and predicate definitions **************) let function_def loc id d = let (vars,(yv,tr,e)) = Env.specialize_function_def d in let zv = Ltyping.instance id vars in let ts = List.map (fun (_,t) -> t) yv in let yt = List.map (fun (y,_) -> Tvar y) yv in let lhs = Tapp (id,yt,zv) in let body = ah_equal tr lhs e in let axiom = ah_forall yv [[TPat lhs]] body in let t = Env.generalize_logic_type (Function (ts,tr)) in let name = Ident.string id in [ Dlogic (loc, id, t); Daxiom (loc, name ^ "_def", Env.generalize_predicate axiom) ] let predicate_def loc id d = let (vars,(yv,e)) = Env.specialize_predicate_def d in let zv = Ltyping.instance id vars in let ts = List.map (fun (_,t) -> t) yv in let yt = List.map (fun (y,_) -> Tvar y) yv in let lhs = Papp (id,yt,zv) in let body = Piff (lhs, e) in let axiom = ah_forall yv [[PPat lhs]] body in let t = Env.generalize_logic_type (Predicate ts) in let name = Ident.string id in [ Dlogic (loc, id, t); Daxiom (loc, name ^ "_def", Env.generalize_predicate axiom) ] (*************** inductive definitions **************) (* inductive id : t1 -> .. -> tn -> prop { c_1 : forall x_1,..,x_k : H1 -> .. Hi -> id(e_1,..,e_n) | ... | c_j } gives (j+1) axioms : j direct axioms a_1 : forall x_1,..,x_k : H1 -> .. Hi -> id(e_1,..,e_n) .. a_j : ... and one inversion axiom : forall y_1:t_1,..,y_n:t_n, id(y_1,..,y_n) -> exists x_1,..,x_k: H1 /\ ... /\ Hi /\ y_1 = e1 /\ .. /\ y_n = e_n \/ ... *) let inductive_inverse_body id yv cases = let eq_and (y,t) e = Misc.pand (ah_equal t (Tvar y) e) in let rec invert = function | Forall(_w,id,n,t,_trig,p) -> Exists(id,n,t,invert p) | Pimplies(_w,h,p) -> Misc.pand h (invert p) | Papp(f,l,_) when f == id -> List.fold_right2 eq_and yv l Ptrue | _ -> assert false (* ill-formed, should have been catch by typing *) in List.fold_right (fun (_,c) -> Misc.por (invert c)) cases Pfalse let inversion_axiom id zv bl cases = let yv = List.map (fun t -> (fresh_var(),t)) bl in let yt = List.map (fun (y,_) -> Tvar y) yv in let lhs = Papp (id,yt,zv) in let body = inductive_inverse_body id yv cases in ah_forall yv [[PPat lhs]] (Pimplies (false, lhs, body)) let inductive_def loc id d = let (vars,(bl,cases)) = Env.specialize_inductive_def d in let zv = Ltyping.instance id vars in let t = Env.generalize_logic_type (Predicate bl) in let name = Ident.string id in Dlogic(loc,id,t):: (Daxiom(loc,name ^ "_inversion", Env.generalize_predicate (inversion_axiom id zv bl cases))):: (List.map (fun (id,p) -> let p = Env.generalize_predicate p in Daxiom(loc,Ident.string id,p)) cases) (*************** algebraic types **************) let fresh_cons zv id pl = let yv = List.map (fun t -> (fresh_var (),t)) pl in let yt = List.map (fun (y,_) -> Tvar y) yv in (yv, Tapp (id,yt,zv)) let find_global_logic_gen id = let _,t = find_global_logic id in generalize_logic_type t let alg_proj_fun loc zv (id,pl) = let r = ref 1 in let yv,ct = fresh_cons zv id pl in let proj (v,t) = let nm = Ident.proj_id id !r in let head = Tapp (nm, [ct], zv) in let body = ah_equal t head (Tvar v) in let body = ah_forall yv [[TPat ct]] body in let pred = Env.generalize_predicate body in let () = incr r in Dlogic (loc, nm, find_global_logic_gen nm) :: Daxiom (loc, Ident.string nm ^ "_def", pred) :: [] in List.concat (List.map proj yv) let alg_inversion_axiom loc id zv th cs = let x = fresh_var () in let inv_cons acc (id,pl) = let r = ref 1 in let targ _ = let nm = Ident.proj_id id !r in let () = incr r in Tapp (nm, [Tvar x], zv) in let ct = Tapp (id, List.map targ pl, zv) in Misc.por acc (ah_equal th (Tvar x) ct) in let body = List.fold_left inv_cons Pfalse cs in let body = Util.forall x (Types.PureType th) body in let pred = Env.generalize_predicate body in Daxiom (loc, Ident.string id ^ "_inversion", pred) let alg_match_fun_axiom loc id zv cs = let nm = Ident.match_id id in let nt = PTvar (new_type_var ()) in let vs = List.map (fun _ -> (fresh_var (), nt)) cs in let ts = List.map (fun (v,_) -> Tvar v) vs in let axiom (id,pl) v = let yv,ct = fresh_cons zv id pl in let head = Tapp (nm, ct::ts, nt::zv) in let body = ah_equal nt head v in let body = ah_forall (vs @ yv) [[TPat head]] body in let pred = Env.generalize_predicate body in Daxiom (loc, Ident.string nm ^ "_" ^ Ident.string id, pred) in Dlogic (loc, nm, find_global_logic_gen nm) :: List.map2 axiom cs ts let alg_to_int_fun_axiom loc id zv th cs = let cpt = ref 0 in let ty = Function ([th], PTint) in let nm = Ident.create (Ident.string id ^ "_to_int") in let axiom (id,pl) = let yv,ct = fresh_cons zv id pl in let lst = Tapp (nm, [ct], zv) in let rst = Tconst (ConstInt (string_of_int !cpt)) in let body = Papp (t_eq_int,[lst;rst],[]) in let body = ah_forall yv [[TPat ct]] body in let pred = Env.generalize_predicate body in incr cpt; Daxiom (loc, Ident.string nm ^ "_" ^ Ident.string id, pred) in Dlogic (loc, nm, Env.generalize_logic_type ty) :: List.map axiom cs let algebraic_type_single (loc,id,d) = let vars,(vs,cs) = Env.specialize_alg_type d in let zv = Ltyping.instance id vars in let th = PTexternal (vs, id) in List.map (fun (c,_) -> Dlogic (loc, c, find_global_logic_gen c)) cs @ alg_match_fun_axiom loc id zv cs @ List.concat (List.map (alg_proj_fun loc zv) cs) @ alg_inversion_axiom loc id zv th cs :: alg_to_int_fun_axiom loc id zv th cs (* List.map (alg_cons_injective_axiom loc zv th) (List.filter (fun (_,pl) -> pl <> []) cs) *) let algebraic_type_decl (loc,id,d) = let string_of_var = function | PTvar v -> "a" ^ (string_of_int v.tag) | _ -> assert false in let vs, _ = d.Env.scheme_type in Dtype (loc, id, List.map string_of_var vs) let algebraic_type ls = List.map algebraic_type_decl ls @ List.concat (List.map algebraic_type_single ls) why-2.34/src/xml.mll0000644000175000017500000001377612311670312012730 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) { open Lexing open Rc type element = { name : string; attributes : (string * rc_value) list; elements : element list; } let buf = Buffer.create 17 let rec pop_all group_stack element_stack = match group_stack with | [] -> element_stack | (elem,att,elems)::g -> let e = { name = elem; attributes = att; elements = List.rev element_stack; } in pop_all g (e::elems) } let space = [' ' '\t' '\r' '\n'] let digit = ['0'-'9'] let letter = ['a'-'z' 'A'-'Z'] let ident = (letter | digit | '_') + let sign = '-' | '+' let integer = sign? digit+ let mantissa = ['e''E'] sign? digit+ let real = sign? digit* '.' digit* mantissa? let escape = ['\\''"''n''t''r'] rule elements group_stack element_stack = parse | space+ { elements group_stack element_stack lexbuf } | '<' (ident as elem) { attributes group_stack element_stack elem [] lexbuf } | "' { match group_stack with | [] -> Format.eprintf "Xml: warning unexpected closing Xml element `%s'@." celem; elements group_stack element_stack lexbuf | (elem,att,stack)::g -> if celem <> elem then Format.eprintf "Xml: warning Xml element `%s' closed by `%s'@." elem celem; let e = { name = elem; attributes = att; elements = List.rev element_stack; } in elements g (e::stack) lexbuf } | '<' { Format.eprintf "Xml: warning unexpected '<'@."; elements group_stack element_stack lexbuf } | eof { match group_stack with | [] -> element_stack | (elem,_,_)::_ -> Format.eprintf "Xml: warning unclosed Xml element `%s'@." elem; pop_all group_stack element_stack } | _ as c { failwith ("Xml: invalid element starting with " ^ String.make 1 c) } and attributes groupe_stack element_stack elem acc = parse | space+ { attributes groupe_stack element_stack elem acc lexbuf } | (ident as key) space* '=' { let v = value lexbuf in attributes groupe_stack element_stack elem ((key,v)::acc) lexbuf } | '>' { elements ((elem,acc,element_stack)::groupe_stack) [] lexbuf } | "/>" { let e = { name = elem ; attributes = acc; elements = [] } in elements groupe_stack (e::element_stack) lexbuf } | _ as c { failwith ("Xml: `>' expected, got " ^ String.make 1 c) } | eof { failwith ("Xml: unclosed element, `>' expected") } and value = parse | space+ { value lexbuf } | integer as i { RCint (int_of_string i) } | real as r { RCfloat (float_of_string r) } | '"' { Buffer.clear buf; string_val lexbuf } | "true" { RCbool true } | "false" { RCbool false } | ident as id { RCident id } | _ as c { failwith ("Xml: invalid value starting with " ^ String.make 1 c) } | eof { failwith "Xml: unterminated keyval pair" } and string_val = parse | '"' { RCstring (Buffer.contents buf) } | [^ '\\' '"'] as c { Buffer.add_char buf c; string_val lexbuf } | '\\' (['\\''\"'] as c) { Buffer.add_char buf c; string_val lexbuf } | '\\' 'n' { Buffer.add_char buf '\n'; string_val lexbuf } | '\\' (_ as c) { Buffer.add_char buf '\\'; Buffer.add_char buf c; string_val lexbuf } | eof { failwith "Xml: unterminated string" } { let from_file f = let c = (* try *) open_in f (* with Sys_error _ -> Format.eprintf "Cannot open file %s@." f; exit 1 *) in let lb = from_channel c in let l = elements [] [] lb in close_in c; List.rev l } why-2.34/src/lib.ml0000644000175000017500000001004412311670312012503 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) module Sset = Set.Make(String) (* small library common to Why and Caduceus *) let mkdir_p dir = if Sys.file_exists dir then begin if (Unix.stat dir).Unix.st_kind <> Unix.S_DIR then failwith ("failed to create directory " ^ dir) end else Unix.mkdir dir 0o777 let file ~dir ~file = mkdir_p dir; Filename.concat dir (Filename.basename file) let file_subdir ~dir ~file = let d = Filename.dirname file in let d = Filename.concat d dir in mkdir_p d; Filename.concat d (Filename.basename file) let file_copy src dest = let cin = open_in src and cout = open_out dest and buff = String.make 1024 ' ' and n = ref 0 in while n := input cin buff 0 1024; !n <> 0 do output cout buff 0 !n done; close_in cin; close_out cout let file_copy_if_different src dst = if not (Sys.file_exists dst) || Digest.file dst <> Digest.file src then file_copy src dst let channel_contents_buf cin = let buf = Buffer.create 1024 and buff = String.make 1024 ' ' in let n = ref 0 in while n := input cin buff 0 1024; !n <> 0 do Buffer.add_substring buf buff 0 !n done; buf let channel_contents cin = Buffer.contents (channel_contents_buf cin) let file_contents f = try let cin = open_in f in let s = channel_contents cin in close_in cin; s with _ -> invalid_arg (Printf.sprintf "(cannot open %s)" f) let file_contents_buf f = try let cin = open_in f in let buf = channel_contents_buf cin in close_in cin; buf with _ -> invalid_arg (Printf.sprintf "(cannot open %s)" f) let remove_file ~debug f = if debug then Format.eprintf "Debug: not removing temporary file '%s'@." f else try Sys.remove f; with _ -> Format.eprintf "Warning: could not remove temporary file '%s'@." f why-2.34/src/pretty.ml0000644000175000017500000003474312311670312013300 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Format open Pp open Ident open Options open Misc open Logic open Logic_decl let reset = Encoding.reset let ergo = ref false let push_decl ?(ergo=false) d = if ergo then Encoding.push ~encode_preds:false ~encode_funs:false d else Encoding.push ~encode_preds:false ~encode_funs:false ~encode_inductive:false ~encode_algtype:false d let iter = Encoding.iter let ident fmt id = let s = Ident.string id in let s = if s = "farray" then "why__farray" else s in (* Alt-ergo keyword *) pp_print_string fmt s let type_vars = Hashtbl.create 17 let type_var fmt n = try fprintf fmt "'a%d" (Hashtbl.find type_vars n) with Not_found -> assert false let specialize s = Hashtbl.clear type_vars; let n = ref 0 in Env.Vset.iter (fun tv -> incr n; Hashtbl.add type_vars tv.tag !n) s.Env.scheme_vars; s.Env.scheme_type let rec pure_type fmt = function | PTint -> fprintf fmt "int" | PTbool -> fprintf fmt "bool" | PTunit -> fprintf fmt "unit" | PTreal -> fprintf fmt "real" | PTexternal ([],id) -> fprintf fmt "%a" ident id | PTvar {tag=t; type_val=None} -> type_var fmt t | PTvar {tag=_t; type_val=Some pt} -> pure_type fmt pt | PTexternal ([t],id) -> fprintf fmt "%a %a" pure_type t ident id | PTexternal (l,id) -> fprintf fmt "(%a) %a" (print_list comma pure_type) l ident id let rec term fmt = function | Tconst (ConstInt n) -> fprintf fmt "%s" n | Tconst (ConstBool b) -> fprintf fmt "%b" b | Tconst ConstUnit -> fprintf fmt "void" | Tconst (ConstFloat c) -> Print_real.print fmt c | Tvar id | Tderef id | Tapp (id, [], _) -> ident fmt id | Tapp (id, [t1; t2], _) when id == t_add_int || id == t_add_real -> fprintf fmt "(%a + %a)" term t1 term t2 | Tapp (id, [t1; t2], _) when id == t_sub_int || id == t_sub_real -> fprintf fmt "(%a - %a)" term t1 term t2 | Tapp (id, [t1; t2], _) when id == t_mul_int || id == t_mul_real -> fprintf fmt "(%a * %a)" term t1 term t2 (* | Tapp (id, [t1; t2], _) when id == t_div_int -> if !ergo then fprintf fmt "computer_div(%a,%a)" term t1 term t2 else fprintf fmt "(%a / %a)" term t1 term t2 *) (* | Tapp (id, [t1; t2], _) when id == t_mod_int -> if !ergo then fprintf fmt "computer_mod(%a,%a)" term t1 term t2 else fprintf fmt "(%a %% %a)" term t1 term t2 *) | Tapp (id, [t1], _) when id == t_neg_int || id == t_neg_real -> fprintf fmt "(-%a)" term t1 | Tapp (id, tl, _) -> fprintf fmt "%a(%a)" ident id (print_list comma term) tl | Tnamed (User n, t) -> fprintf fmt "@[(%S:@ %a)@]" n term t | Tnamed (_, t) -> term fmt t let int_relation_string id = if id == t_lt_int then "<" else if id == t_le_int then "<=" else if id == t_gt_int then ">" else if id == t_ge_int then ">=" else assert false let real_relation_string id = if id == t_lt_real then "<" else if id == t_le_real then "<=" else if id == t_gt_real then ">" else if id == t_ge_real then ">=" else assert false let rec predicate fmt = function | Pvar id | Papp (id, [], _) -> ident fmt id | Papp (id, [t1; t2], _) when is_eq id -> fprintf fmt "(%a = %a)" term t1 term t2 | Papp (id, [t1; t2], _) when is_neq id -> fprintf fmt "(%a <> %a)" term t1 term t2 | Papp (id, [t1; t2], _) when is_int_comparison id -> fprintf fmt "(%a %s %a)" term t1 (int_relation_string id) term t2 | Papp (id, [t1; t2], _) when is_real_comparison id -> fprintf fmt "(%a %s %a)" term t1 (real_relation_string id) term t2 | Papp (id, [a;b], _) when id == t_zwf_zero -> fprintf fmt "@[((0 <= %a) and@ (%a < %a))@]" term b term a term b | Papp (id, [_t], _) when id == well_founded -> fprintf fmt "@[false (* was well_founded(...) *)@]" | Papp (id, l, _) -> fprintf fmt "%s(%a)" (Ident.string id) (print_list comma term) l | Ptrue -> fprintf fmt "true" | Pfalse -> fprintf fmt "false" | Pimplies (_, a, b) -> fprintf fmt "(@[%a ->@ %a@])" predicate a predicate b | Piff (a, b) -> fprintf fmt "(@[%a <->@ %a@])" predicate a predicate b | Pif (a, b, c) -> fprintf fmt "(@[if %a then@ %a else@ %a@])" term a predicate b predicate c | Pand (_, _, a, b) -> fprintf fmt "(@[%a and@ %a@])" predicate a predicate b | Forallb (_, ptrue, pfalse) -> fprintf fmt "(@[forallb(%a,@ %a)@])" predicate ptrue predicate pfalse | Por (a, b) -> fprintf fmt "(@[%a or@ %a@])" predicate a predicate b | Pnot a -> fprintf fmt "(not %a)" predicate a | Forall (_,id,n,v,tl,p) -> let id = next_away id (predicate_vars p) in let s = subst_onev n id in let p = subst_in_predicate s p in let tl = List.map (List.map (subst_in_pattern s)) tl in fprintf fmt "@[(forall %a:%a%a.@ %a)@]" ident id pure_type v print_triggers tl predicate p | Exists (id,n,v,p) -> let id = next_away id (predicate_vars p) in let p = subst_in_predicate (subst_onev n id) p in fprintf fmt "@[(exists %a:%a.@ %a)@]" ident id pure_type v predicate p | Plet (id, n, _, t, p) -> if false then (* TODO: alt-ergo has no let support yet. *) let id = next_away id (predicate_vars p) in let p = subst_in_predicate (subst_onev n id) p in fprintf fmt "@[(let %a = %a in@ %a)@]" ident id term t predicate p else let p = tsubst_in_predicate (subst_one n t) p in fprintf fmt "@[%a@]" predicate p | Pnamed (User n, p) -> fprintf fmt "@[(%S:@ %a)@]" n predicate p | Pnamed (_, p) -> predicate fmt p and print_pattern fmt = function | TPat t -> term fmt t | PPat p -> predicate fmt p and print_triggers fmt l = let l = if !ergo then List.rev (List.fold_left (fun acc pl -> let pl = List.fold_left (fun acc p -> match p with | PPat(Papp (id, _, _)) when is_eq id -> acc | _ -> p::acc) [] pl in match pl with [] -> acc | _ -> (List.rev pl)::acc) [] l) else l in match l with | [] -> () | _ -> fprintf fmt " [%a]" (print_list alt (print_list comma print_pattern)) l let sequent fmt (ctx, p) = let context fmt = function | Cc.Svar (id, pt) -> fprintf fmt "forall %a:%a." ident id pure_type pt | Cc.Spred (_, p) -> fprintf fmt "@[%a ->@]" predicate p in print_list newline context fmt ctx; if ctx <> [] then fprintf fmt "@\n"; predicate fmt p let logic_binder fmt (id, pt) = fprintf fmt "%a: %a" ident id pure_type pt let logic_type fmt = function | Predicate [] -> fprintf fmt "prop" | Function ([], pt) -> fprintf fmt "%a" pure_type pt | Predicate ptl -> fprintf fmt "%a -> prop" (print_list comma pure_type) ptl | Function (ptl, pt) -> fprintf fmt "%a -> %a" (print_list comma pure_type) ptl pure_type pt let type_parameters fmt l = let type_var fmt id = fprintf fmt "'%s" id in match l with | [] -> () | [id] -> fprintf fmt "%a " type_var id | l -> fprintf fmt "(%a) " (print_list comma type_var) l let alg_type_parameters fmt = function | [] -> () | [id] -> fprintf fmt "%a " pure_type id | l -> fprintf fmt "(%a) " (print_list comma pure_type) l let alg_type_constructor fmt (c,pl) = match pl with | [] -> fprintf fmt "| %a" ident c | _ -> fprintf fmt "| %a (@[%a@])" ident c (print_list comma pure_type) pl let alg_type_single fmt (_, id, d) = let vs,cs = specialize d in fprintf fmt "@[%a%a@] =@\n @[%a@]" alg_type_parameters vs ident id (print_list newline alg_type_constructor) cs let decl fmt d = match d with | Dtype (_, id, pl) -> fprintf fmt "@[type %a%a@]" type_parameters pl ident id | Dalgtype ls -> let andsep fmt () = fprintf fmt "@\n and " in fprintf fmt "@[type %a@]" (print_list andsep alg_type_single) ls | Dlogic (_, id, lt) -> let lt = specialize lt in fprintf fmt "@[logic %a : %a@]" ident id logic_type lt | Dpredicate_def (_, id, def) -> let bl,p = specialize def in fprintf fmt "@[predicate %a(%a) =@ %a@]" ident id (print_list comma logic_binder) bl predicate p | Dinductive_def (_, id, indcases) -> let bl,l = specialize indcases in fprintf fmt "@[inductive %a: @[%a -> prop@] =@\n @[%a@]@\n@\n@]" ident id (print_list comma pure_type) bl (print_list newline (fun fmt (id,p) -> fprintf fmt "@[| %a: %a@]" ident id predicate p)) l | Dfunction_def (_, id, def) -> let bl,pt,t = specialize def in fprintf fmt "@[function %a(%a) : %a =@ %a@]" ident id (print_list comma logic_binder) bl pure_type pt term t | Daxiom (_, id, p) -> let p = specialize p in fprintf fmt "@[axiom %s:@ %a@]" id predicate p | Dgoal (_, is_lemma, _, id, sq) -> let sq = specialize sq in if !ergo then begin fprintf fmt "@[goal %s:@\n%a@]" id sequent sq; if is_lemma then fprintf fmt "@\n@\n@[axiom %s_as_axiom:@\n%a@]" id sequent sq end else fprintf fmt "@[%s %s:@\n%a@]" (if is_lemma then "lemma" else "goal") id sequent sq let decl fmt d = fprintf fmt "@[%a@]@\n@\n" decl d let print_file ~ergo:b fmt = ergo := b; iter (decl fmt); ergo := false let print_trace fmt id expl = fprintf fmt "[%s]@\n" id; Explain.print fmt expl; fprintf fmt "@\n" let print_traces fmt = iter (function | Dgoal (_loc, _, expl, id, _) -> print_trace fmt id ((*loc,*)expl) | _ -> ()) let output_file ~ergo f = print_in_file (print_file ~ergo) (Options.out_file f) (* cannot work as is, pb with temp files if explain_vc && not ergo then print_in_file print_traces (Options.out_file (f ^ ".xpl")) *) let output_files f = eprintf "Starting Multi-Why output with basename %s@." f; let po = ref 0 in print_in_file (fun ctxfmt -> iter (function | Dgoal (_loc,_,expl,id,_) as d -> incr po; let fpo = f ^ "_po" ^ string_of_int !po ^ ".why" in print_in_file (fun fmt -> decl fmt d) fpo; if explain_vc then let ftr = f ^ "_po" ^ string_of_int !po ^ ".xpl" in print_in_file (fun fmt -> print_trace fmt id ((*loc,*)expl)) ftr | d -> decl ctxfmt d)) (f ^ "_ctx.why"); eprintf "Multi-Why output done@." let push_or_output_decl = let po = ref 0 in function d -> match d with | Dgoal (_loc,_is_lemma,expl,id,_) as d -> incr po; let fpo = Options.out_file (id ^ ".why") in print_in_file (fun fmt -> decl fmt d) fpo; if explain_vc then let ftr = Options.out_file (id ^ ".xpl") in print_in_file (fun fmt -> print_trace fmt id ((*loc,*)expl)) ftr | d -> push_decl d module SMap = Map.Make(String) let output_project f = let po = ref 0 in let lemmas = ref [] in let functions = ref SMap.empty in print_in_file (fun ctxfmt -> iter (function | Dgoal (_,_is_lemma,e,_id,_) as d -> incr po; let fpo = f ^ "_po" ^ string_of_int !po ^ ".why" in print_in_file (fun fmt -> decl fmt d) fpo; begin match e.vc_kind with | EKLemma -> lemmas := (e,fpo) :: !lemmas; | _ -> let fn = e.lemma_or_fun_name in let behs = try SMap.find fn !functions with Not_found -> SMap.empty in let vcs = try SMap.find e.behavior behs with Not_found -> [] in let behs = SMap.add e.behavior ((e,fpo)::vcs) behs in functions := SMap.add fn behs !functions; end | d -> decl ctxfmt d)) (f ^ "_ctx.why"); Hashtbl.iter (fun _key (fn,_beh,_loc) -> try let _ = SMap.find fn !functions in () with Not_found -> functions := SMap.add fn SMap.empty !functions) Util.program_locs ; let p = Project.create (Filename.basename f) in Project.set_project_context_file p (f ^ "_ctx.why"); List.iter (fun (expl,fpo) -> let n = expl.lemma_or_fun_name in let _ = Project.add_lemma p n expl fpo in ()) !lemmas; SMap.iter (fun fname behs -> let floc = try let (_,_,floc) = Hashtbl.find Util.program_locs fname in floc with Not_found -> Loc.dummy_floc in let f = Project.add_function p fname floc in SMap.iter (fun beh vcs -> let be = Project.add_behavior f beh floc in List.iter (fun (expl,fpo) -> let _ = Project.add_goal be expl fpo in ()) vcs) behs) !functions; Project.save p f; p why-2.34/src/pretty.mli0000644000175000017500000000606112311670312013441 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (* Why pretty-printer *) val push_decl : ?ergo:bool -> Logic_decl.t -> unit (* [push_or_output_decl d] either pushes the goal in a queue like [push_decl] for declarations other than goals, and produces a file for goal declarations much as what [output_files] does. *) val push_or_output_decl : Logic_decl.t -> unit val reset : unit -> unit val output_file : ergo:bool -> string -> unit (* [output_files f] produces the context in file [f_ctx.why] and each goal in a seaparate file [f_po.why] for i=1,2,... *) val output_files : string -> unit (* [output_project f] produces a whole project description, in a file [f.wpr], together with other needed files [f_ctx.why], [f_lemmas.why], and each goal in a separate file [f_po.why] for i=1,2,... *) val output_project : string -> Project.t why-2.34/src/fpi.ml0000644000175000017500000001012612311670312012514 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Format open Pp open Misc open Logic open Cc let oblig = Queue.create () let split_one (loc,n,o) = (* normal oblig *) let cn = ref 0 in let l = ref [] in let push_normal o = incr cn; l := (loc,n ^ "_" ^ string_of_int !cn,o) :: !l in (* fpi oblig *) let cf = ref 0 in let push_fpi o = incr cf; Queue.add (loc, n ^ "_" ^ string_of_int !cf, o) in let rec split_rec = function | _ -> assert false in split_rec o; List.rev !l let split ol = List.flatten (List.map split_one ol) let print_real fmt = function | (i,f,"") -> fprintf fmt "%s.%s" i f | (i,f,e) -> fprintf fmt "%s.%se%s" i f e let rec print_term fmt = function | Tconst (ConstFloat f) -> print_real fmt f | Tconst _ -> assert false | Tvar id -> Ident.print fmt id | Tapp (id, tl, _) -> fprintf fmt "(%s %a)" (Ident.string id) (print_list space print_term) tl | Tderef _ -> assert false let rec print_pred fmt = function | Pfpi (t,f1,f2) -> fprintf fmt "(fpi %a %a %a)" print_term t print_real f1 print_real f2 | Papp (id, tl, _) -> fprintf fmt "(%s %a)" (Ident.string id) (print_list space print_term) tl | _ -> assert false let print_hyp fmt = function | Svar _ -> assert false | Spred (_, p) -> print_pred fmt p let print_hyps = print_list space print_hyp let print_obligation fmt (loc,s,o) = fprintf fmt "%% %s from %a@\n" s Loc.report_position loc; begin match o with | [], p -> fprintf fmt "(@[%a@])" print_pred p | [h], p -> fprintf fmt "(@[IMPLIES %a@ %a@])" print_hyp h print_pred p | hl, p -> fprintf fmt "(@[IMPLIES (AND %a)@ %a@])" print_hyps hl print_pred p end; fprintf fmt "@.@." let print_obligations fmt = Queue.iter (print_obligation fmt) oblig; fprintf fmt "@." let output f = print_in_file ~margin:78 print_obligations (f ^ ".fpi") let reset () = Queue.clear oblig why-2.34/src/red.ml0000644000175000017500000002356012311670312012516 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Ast open Logic open Ident open Misc open Util open Cc (*s Reductions of interpretations. *) (*s We proceed in two phases (simpler without de Bruijn indices). (1) first we rename bound variables, so that successive binders have different names; (2) then we reduce, performing substitutions without possible captures *) (*s Phase 1: Renaming of bound variables. Argument [fv] is the set of already traversed binders (a set of identifiers) *) let rec uniq_list f fv s = function | [] -> [], fv, s | x :: l -> let x',fv',s' = f fv s x in let l',fv'',s'' = uniq_list f fv' s' l in x' :: l', fv'', s'' let rec uniq_tt fv s = function | TTarray tt -> TTarray (uniq_tt fv s tt) | TTlambda (b, tt) -> let b',fv',s' = uniq_binder fv s b in TTlambda (b', uniq_tt fv' s' tt) | TTarrow (b, tt) -> let b',fv',s' = uniq_binder fv s b in TTarrow (b', uniq_tt fv' s' tt) | TTtuple (bl, p) -> let bl',fv',s' = uniq_binders fv s bl in TTtuple (bl', option_app (uniq_tt fv' s') p) | TTpred p -> TTpred (tsubst_in_predicate s p) | TTpure _ | TTSet as t -> t | TTapp (tt, l) -> TTapp (uniq_tt fv s tt, List.map (uniq_tt fv s) l) | TTterm t -> TTterm (tsubst_in_term s t) and uniq_binder fv s (id,b) = let b' = match b with | CC_var_binder c -> CC_var_binder (uniq_tt fv s c) | CC_pred_binder c -> CC_pred_binder (tsubst_in_predicate s c) | CC_untyped_binder -> CC_untyped_binder in let id' = next_away id fv in if id' <> id then (id',b'), Idset.add id' fv, Idmap.add id (Tvar id') s else (id,b'), Idset.add id fv, s and uniq_binders fv s bl = uniq_list uniq_binder fv s bl and uniq_pattern fv s = function | PPvariable b -> let b',fv',s' = uniq_binder fv s b in PPvariable b',fv',s' | PPcons (id, pl) -> let pl',fv',s' = uniq_list uniq_pattern fv s pl in PPcons (id,pl'),fv',s' let rec uniq_cc fv s = function | CC_var x | CC_term (Tvar x) -> CC_term (try Idmap.find x s with Not_found -> Tvar x) | CC_letin (dep, bl, e1, e2) -> let bl',fv',s' = uniq_binders fv s bl in CC_letin (dep, bl', uniq_cc fv s e1, uniq_cc fv' s' e2) | CC_lam (b, e) -> let b',fv',s' = uniq_binder fv s b in CC_lam (b', uniq_cc fv' s' e) | CC_app (f, a) -> CC_app (uniq_cc fv s f, uniq_cc fv s a) | CC_if (a,b,c) -> CC_if (uniq_cc fv s a, uniq_cc fv s b, uniq_cc fv s c) | CC_tuple (al, po) -> CC_tuple (List.map (uniq_cc fv s) al, option_app (uniq_tt fv s) po) | CC_case (e, pl) -> let uniq_branch (p,e) = let p',fv',s' = uniq_pattern fv s p in (p', uniq_cc fv' s' e) in CC_case (uniq_cc fv s e, List.map uniq_branch pl) | CC_term c -> CC_term (tsubst_in_term s c) | CC_hole (x, ty) -> CC_hole (x, tsubst_in_predicate s ty) | CC_type t -> CC_type (uniq_tt fv s t) | CC_any t -> CC_any (uniq_tt fv s t) (*s Phase 2: we reduce. *) (*s Occurrence in the range of a substitution *) let in_rng id s = try Idmap.iter (fun _ t -> if occur_term id t then raise Exit) s; false with Exit -> true (*s Traversing binders and substitution within CC types *) let rec cc_subst_list f s = function | [] -> [], s | x :: l -> let x',s' = f s x in let l',s'' = cc_subst_list f s' l in x' :: l', s'' let rec cc_subst_binder_type s = function | CC_var_binder c -> CC_var_binder (cc_type_subst s c) | CC_pred_binder c -> CC_pred_binder (tsubst_in_predicate s c) | CC_untyped_binder -> CC_untyped_binder and cc_subst_binder s (id,b) = (id, cc_subst_binder_type s b), Idmap.remove id s and cc_subst_binders s = cc_subst_list cc_subst_binder s and cc_type_subst s = function | TTarray tt -> TTarray (cc_type_subst s tt) | TTlambda (b, tt) -> let b',s' = cc_subst_binder s b in TTlambda (b', cc_type_subst s' tt) | TTarrow (b, tt) -> let b',s' = cc_subst_binder s b in TTarrow (b', cc_type_subst s' tt) | TTtuple (bl, p) -> let bl',s' = cc_subst_binders s bl in TTtuple (bl', option_app (cc_type_subst s') p) | TTpred p -> TTpred (tsubst_in_predicate s p) | TTpure _ | TTSet as t -> t | TTapp (tt, l) -> TTapp (cc_type_subst s tt, List.map (cc_type_subst s) l) | TTterm t -> TTterm (tsubst_in_term s t) let rec cc_subst_pat s = function | PPvariable b -> let b',s' = cc_subst_binder s b in PPvariable b', s' | PPcons (id, pl) -> let pl', s' = cc_subst_list cc_subst_pat s pl in PPcons (id, pl'), s' (*s copy of term [c] under binders [bl], with the necessary renamings *) let copy_under_binders bl c = let vars = List.map fst bl in let fv = List.fold_right Idset.add vars Idset.empty in uniq_cc fv Idmap.empty c (*s Eta and iota redexes. *) let is_eta_redex bl al = try List.for_all2 (fun (id,_) t -> match t with CC_var id' -> id = id' | _ -> false) bl al with Invalid_argument "List.for_all2" -> false let is_term = function CC_term _ -> true | CC_var _ -> true | _ -> false let is_iota_redex l1 l2 = (List.length l1 = List.length l2) && List.for_all is_term l2 let rec iota_subst s = function | [], [] -> s | (id,_) :: l1, CC_term t :: l2 -> iota_subst (Idmap.add id t s) (l1, l2) | _ -> assert false (*s Reduction. Substitution is done at the same time for greater efficiency *) let rm_binders sp = List.fold_left (fun sp (id,_) -> Idmap.remove id sp) sp let rec rm_pat_binders sp = function | PPvariable (id, _) -> Idmap.remove id sp | PPcons (_, pl) -> List.fold_left rm_pat_binders sp pl let rec red sp s cct = match cct with | CC_var x | CC_term (Tvar x) -> (try Idmap.find x sp with Not_found -> CC_term (try Idmap.find x s with Not_found -> Tvar x)) | CC_letin (dep, bl, e1, e2) -> (match red sp s e1 with (* [let x = t1 in e2] *) | CC_term t1 when List.length bl = 1 -> red sp (Idmap.add (fst (List.hd bl)) t1 s) e2 (* [let x = [_]_ in e2] *) | CC_lam _ as re1 when List.length bl = 1 -> red (Idmap.add (fst (List.hd bl)) re1 sp) s e2 (* [let (x1,...,xn) = (t1,...,tn) in e2] *) | CC_tuple (al,_) when is_iota_redex bl al -> red sp (iota_subst s (bl, al)) e2 | re1 -> let bl',s' = cc_subst_binders s bl in let sp' = rm_binders sp bl in (match red sp' s' e2 with (* [let (x1,...,xn) = e1 in (x1,...,xn)] *) | CC_tuple (al,_) when is_eta_redex bl al -> red sp s e1 | re2 -> CC_letin (dep, bl', re1, copy_under_binders bl' re2))) | CC_lam (b, e) -> let b',s' = cc_subst_binder s b in let sp' = rm_binders sp [b] in let e' = red sp' s' e in CC_lam (b', copy_under_binders [b'] e') | CC_app (f, a) -> (match red sp s f, red sp s a with (* two terms *) | CC_term tf, CC_term ta -> CC_term (applist tf [ta]) (* beta-redex *) | CC_lam ((x,_),e), CC_term ta -> red sp (Idmap.add x ta s) e | CC_lam ((x,_),e), ra -> red (Idmap.add x ra sp) s e | rf, ra -> CC_app (rf, ra)) | CC_if (a, b, c) -> CC_if (red sp s a, red sp s b, red sp s c) | CC_case (e, pl) -> let red_branch (p,e) = let p',s' = cc_subst_pat s p in let sp' = rm_pat_binders sp p in p', red sp' s' e in CC_case (red sp s e, List.map red_branch pl) | CC_tuple (al, po) -> CC_tuple (List.map (red sp s) al, option_app (cc_type_subst s) po) | CC_term c -> CC_term (tsubst_in_term s c) | CC_hole (x, ty) -> CC_hole (x, tsubst_in_predicate s ty) | CC_type t -> CC_type (cc_type_subst s t) | CC_any t -> CC_any (cc_type_subst s t) let red c = let c' = uniq_cc Idset.empty Idmap.empty c in red Idmap.empty Idmap.empty c' why-2.34/src/why.ml0000644000175000017500000000464412311670312012555 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Format open Main let _ = try main () with e -> Report.explain_exception err_formatter e; pp_print_newline err_formatter (); exit 1 why-2.34/src/harvey.ml0000644000175000017500000002553112311670312013242 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s Harvey's output *) open Ident open Misc open Error open Logic open Logic_decl open Cc open Format open Pp type elem = | Axiom of string * predicate Env.scheme | Predicate of string * predicate_def Env.scheme | FunctionDef of string * function_def Env.scheme let theory = Queue.create () let oblig = Queue.create () let reset () = Queue.clear theory; Queue.clear oblig let push_decl d = Encoding.push ~encode_preds:false ~encode_funs:false d (*let push_decl = function | Dgoal (loc,id,s) -> Queue.add (loc,id,s.Env.scheme_type) oblig | Daxiom (_, id, p) -> Queue.add (Axiom (id, p)) theory | Dpredicate_def (_, id, p) -> Queue.add (Predicate (id, p)) theory | Dfunction_def (_, id, p) -> Queue.add (FunctionDef (id, p)) theory | Dtype _ -> () | Dlogic _ -> () *) (*s Pretty print *) let prefix id = if id == t_lt then assert false else if id == t_le then assert false else if id == t_gt then assert false else if id == t_ge then assert false (* int cmp *) else if id == t_lt_int then "<" else if id == t_le_int then "<=" else if id == t_gt_int then ">" else if id == t_ge_int then ">=" (* int ops *) else if id == t_add_int then "+" else if id == t_sub_int then "-" else if id == t_mul_int then "*" (* else if id == t_div_int then "int_div" else if id == t_mod_int then "int_mod" *) else if id == t_neg_int then assert false (* real ops *) else if id == t_add_real then "add_real" else if id == t_sub_real then "sub_real" else if id == t_mul_real then "mul_real" else if id == t_div_real then "div_real" else if id == t_neg_real then "neg_real" else if id == t_sqrt_real then "sqrt_real" else if id == t_real_of_int then "real_of_int" else if id == t_int_of_real then "int_of_real" else if id == t_lt_real then "lt_real" else if id == t_le_real then "le_real" else if id == t_gt_real then "gt_real" else if id == t_ge_real then "ge_real" else (print_endline (Ident.string id); assert false) (* we need to rename a few identifiers *) let is_harvey_keyword = let ht = Hashtbl.create 17 in List.iter (fun kw -> Hashtbl.add ht kw ()) ["true"; "false"; "le"; "lt"]; Hashtbl.mem ht let is_harvey_ident s = let is_harvey_char = function | 'a'..'z' | 'A'..'Z' | '0'..'9' | '_' -> true | _ -> false in let is_harvey_first_char = function | 'a'..'z' | 'A'..'Z' | '0'..'9' -> true | _ -> false in String.length s > 0 && is_harvey_first_char s.[0] && (try String.iter (fun c -> if not (is_harvey_char c) then raise Exit) s; true with Exit -> false) let renamings = Hashtbl.create 17 let fresh_name = let r = ref 0 in fun () -> incr r; "harvey__" ^ string_of_int !r let ident fmt id = let s = Ident.string id in if is_harvey_keyword s then fprintf fmt "harvey__%s" s else if not (is_harvey_ident s) then let s' = try Hashtbl.find renamings s with Not_found -> let s' = fresh_name () in Hashtbl.add renamings s s'; s' in fprintf fmt "%s" s' else Ident.print fmt id let rec print_term fmt = function | Tvar id | Tapp (id, [], _) -> fprintf fmt "%a" ident id | Tconst (ConstInt n) -> fprintf fmt "%s" n | Tconst (ConstBool b) -> fprintf fmt "harvey__%b" b | Tconst ConstUnit -> fprintf fmt "tt" | Tconst (ConstFloat c) -> Print_real.print_with_integers "(real_of_int %s)" "(real_of_int (* %s %s))" "(div_real (real_of_int %s) (real_of_int %s))" fmt c | Tderef _ -> assert false | Tapp (id, [a; b; c], _) when id == if_then_else -> fprintf fmt "@[(why__ite@ %a@ %a@ %a)@]" print_term a print_term b print_term c | Tapp (id, [a], _) when id == t_neg_int -> fprintf fmt "@[(- 0 %a)@]" print_term a | Tapp (id, tl, _) when is_relation id || is_arith id -> fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl | Tapp (id, tl, _) -> fprintf fmt "@[(%a@ %a)@]" ident id (print_list space print_term) tl | Tnamed (_, t) -> (* TODO: print name *) print_term fmt t and print_terms fmt tl = print_list space print_term fmt tl let rec print_predicate fmt = function | Ptrue -> fprintf fmt "true" | Pvar id when id == Ident.default_post -> fprintf fmt "true" | Pfalse -> fprintf fmt "false" | Pvar id -> fprintf fmt "%a" ident id | Papp (id, tl, _) when id == t_distinct -> fprintf fmt "@[(%a)@]" print_predicate (Util.distinct tl) | Papp (id, [a; b], _) when is_eq id -> fprintf fmt "@[(= %a@ %a)@]" print_term a print_term b | Papp (id, [a; b], _) when is_neq id -> fprintf fmt "@[(not (= %a@ %a))@]" print_term a print_term b | Papp (id, tl, _) when is_relation id || is_arith id -> fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl | Papp (id, [a;b], _) when id == t_zwf_zero -> fprintf fmt "@[(and (<= 0 %a)@ (< %a %a))@]" print_term b print_term a print_term b | Papp (id, tl, _) -> fprintf fmt "@[(%a@ %a)@]" ident id print_terms tl | Pimplies (_, a, b) -> fprintf fmt "@[(->@ %a@ %a)@]" print_predicate a print_predicate b | Pif (a, b, c) -> fprintf fmt "@[(ite@ %a@ %a@ %a)@]" print_term a print_predicate b print_predicate c | Pand (_, _, a, b) | Forallb (_, a, b) -> fprintf fmt "@[(and@ %a@ %a)@]" print_predicate a print_predicate b | Por (a, b) -> fprintf fmt "@[(or@ %a@ %a)@]" print_predicate a print_predicate b | Piff (a, b) -> fprintf fmt "@[(<->@ %a@ %a)@]" print_predicate a print_predicate b | Pnot a -> fprintf fmt "@[(not@ %a)@]" print_predicate a | Forall (_,id,n,_,_,p) -> let id' = next_away id (predicate_vars p) in let p' = subst_in_predicate (subst_onev n id') p in fprintf fmt "@[(forall %a@ %a)@]" ident id' print_predicate p' | Exists (id,n,_t,p) -> let id' = next_away id (predicate_vars p) in let p' = subst_in_predicate (subst_onev n id') p in fprintf fmt "@[(exists %a@ %a)@]" ident id' print_predicate p' | Pnamed (_, p) -> (* TODO: print name *) print_predicate fmt p | Plet (_, n, _, t, p) -> print_predicate fmt (subst_term_in_predicate n t p) let print_axiom fmt id p = fprintf fmt "@[;; Why axiom %s@]@\n" id; let p = p.Env.scheme_type in fprintf fmt " @[%a@]" print_predicate p; fprintf fmt "@]@\n@\n" let print_predicate_def fmt id p = let (bl,p) = p.Env.scheme_type in fprintf fmt "@[;; Why predicate %s@\n" id; fprintf fmt "@[(forall %a@ @[(<-> (%s %a)@ @[%a@])@])@]@]@\n@\n" (print_list space (fun fmt (x,_) -> ident fmt x)) bl id (print_list space (fun fmt (x,_) -> ident fmt x)) bl print_predicate p let print_function_def fmt id p = let (bl,_,e) = p.Env.scheme_type in fprintf fmt "@[;; Why function %s@\n" id; fprintf fmt "@[(forall %a@ @[(= (%s %a)@ @[%a@])@])@]@]@\n@\n" (print_list space (fun fmt (x,_) -> ident fmt x)) bl id (print_list space (fun fmt (x,_) -> ident fmt x)) bl print_term e let print_elem fmt = function | Axiom (id, p) -> print_axiom fmt id p | Predicate (id, p) -> print_predicate_def fmt id p | FunctionDef (id, f) -> print_function_def fmt id f let output_theory fmt f = fprintf fmt "(@\n@["; fprintf fmt "(theory %s_why@\n(extends)@\n(axioms@\n" f; Queue.iter (print_elem fmt) theory; fprintf fmt "))@\n"; fprintf fmt "@]@\n) ;; END THEORY@\n" let output_sequent fmt (ctx, concl) = let rec print_seq fmt = function | [] -> fprintf fmt "@[%a@]" print_predicate concl | Svar (id, _ty) :: ctx -> fprintf fmt "@[(forall %a@ %a)@]" Ident.print id print_seq ctx | Spred (_, p) :: ctx -> fprintf fmt "@[(->@ @[%a@]@ %a)@]" print_predicate p print_seq ctx in print_seq fmt ctx let output_obligation fmt (loc, _is_lemma, _expl, _o, s) = fprintf fmt "@\n@[;; %a@]@\n" Loc.gen_report_line loc; fprintf fmt "@[%a@]@\n" output_sequent s let decl_to_elem = function | Dgoal (loc,is_lemma,expl,id,s) -> Queue.add (loc,is_lemma,expl,id,s.Env.scheme_type) oblig | Daxiom (_, id, p) -> Queue.add (Axiom (id, p)) theory | Dpredicate_def (_, id, p) -> Queue.add (Predicate (Ident.string id, p)) theory | Dfunction_def (_, id, p) -> Queue.add (FunctionDef (Ident.string id, p)) theory | Dinductive_def (_, _, _) -> failwith "Harvey output: inductive def not yet supported" | Dlogic _ -> () | Dtype _ -> () | Dalgtype _ -> () let output_file fname = let cout = Options.open_out_file fname in let fmt = formatter_of_out_channel cout in Encoding.iter decl_to_elem ; if Options.no_harvey_prelude then fprintf fmt "()@\n" else output_theory fmt (Filename.basename fname); Queue.iter (output_obligation fmt) oblig; pp_print_flush fmt (); Options.close_out_file cout why-2.34/src/ident.mli0000644000175000017500000001477012311670312013223 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s Identifiers. *) module I : sig type t val compare : t -> t -> int end type t = I.t (* from : - string inform which creates the fresh ident - t list gives the arguments *) val create : ?from:(string * t list) -> string -> t val string : t -> string val completeString : t -> string val fresh_from : t -> (string * t list) option module Idset : Set.S with type elt = t type set = Idset.t module Idmap : Map.S with type key = t type 'a map = 'a Idmap.t val next_away : t -> set -> t val print : Format.formatter -> t -> unit val lprint : Format.formatter -> t -> unit val dbprint : Format.formatter -> t -> unit (*s Possibly anonymous names *) type name = Anonymous | Name of t val print_name : Format.formatter -> name -> unit (*s Qualified identifiers with labels. *) val at_id : t -> string -> t val un_at : t -> t * string val is_at : t -> bool (*s Bound variables. *) val bound : t -> t (*s Exceptions names and constructors *) val exn_type : t val exn_val : t val exn_exn : t val exn_post : t val exn_qval : t val exn_qexn : t val exist : t val decomp : int -> t val exit_exn : t val is_index : string -> bool (*s Non termination monad. *) val non_termination_monad : t val nt_unit : t val nt_bind : t val nt_fix : t val nt_lift : t (*s Identifiers for the functional validation. *) val fun_id : t -> t (*s Identifiers for algebraic-typed term matching *) val match_id : t -> t val proj_id : t -> int -> t (*s Some pre-defined identifiers. *) val t_bool_and : t val t_bool_or : t val t_bool_xor : t val t_bool_not : t val anonymous : t val implicit : t val default_post : t val t_add : t val t_sub : t val t_mul : t val t_div : t val t_neg : t val t_add_int : t val t_sub_int : t val t_mul_int : t (* disabled (confusion math_div / computer_div) val t_div_int : t val t_mod_int : t *) val t_neg_int : t val t_abs_int : t val t_add_real : t val t_sub_real : t val t_mul_real : t val t_div_real : t val t_neg_real : t val t_sqrt_real : t val t_abs_real : t val t_pow_real : t val t_cos : t val t_sin : t val t_tan : t val t_atan : t val t_int_max : t val t_int_min : t val t_real_max : t val t_real_min : t val t_div_real_ : t (* disabled (confusion math_div / computer_div) val t_div_int_ : t val t_mod_int_ : t *) val t_sqrt_real_ : t val t_real_of_int : t val t_int_of_real : t val t_lt : t val t_le : t val t_gt : t val t_ge : t val t_eq : t val t_neq : t val t_eq_int : t val t_eq_bool : t val t_eq_real : t val t_eq_unit : t val t_neq_int : t val t_neq_bool : t val t_neq_real : t val t_neq_unit : t val t_lt_int : t val t_le_int : t val t_gt_int : t val t_ge_int : t val t_lt_real : t val t_le_real : t val t_gt_real : t val t_ge_real : t val t_lt_int_bool : t val t_le_int_bool : t val t_gt_int_bool : t val t_ge_int_bool : t val t_lt_real_bool : t val t_le_real_bool : t val t_gt_real_bool : t val t_ge_real_bool : t val t_eq_int_bool : t val t_eq_real_bool : t val t_neq_int_bool : t val t_neq_real_bool : t val t_eq_int_ : t val t_eq_bool_ : t val t_eq_real_ : t val t_eq_unit_ : t val t_neq_int_ : t val t_neq_bool_ : t val t_neq_real_ : t val t_neq_unit_ : t val t_lt_int_ : t val t_le_int_ : t val t_gt_int_ : t val t_ge_int_ : t val t_lt_real_ : t val t_le_real_ : t val t_gt_real_ : t val t_ge_real_ : t val t_distinct : t val t_zwf_zero : t val result : t val default : t val farray : t val array_length : t val if_then_else : t val ref_set : t val array_get : t val array_set : t val access : t val store : t val annot_bool : t val well_founded : t val well_founded_induction : t val wfix : t val false_rec : t val any_int : t val any_unit : t val any_real : t (*s Category tests *) val is_wp : t -> bool val is_variant : t -> bool val is_poly : t -> bool val is_comparison : t -> bool val is_int_comparison : t -> bool val is_real_comparison : t -> bool val is_relation : t -> bool val is_relation_ : t -> bool val is_eq : t -> bool val is_neq : t -> bool val is_eq_ : t -> bool val is_neq_ : t -> bool val is_int_arith_binop : t -> bool val is_int_arith_unop : t -> bool val is_int_arith : t -> bool val is_real_arith_binop : t -> bool val is_real_arith : t -> bool val is_arith_binop : t -> bool val is_arith : t -> bool val is_simplify_arith : t -> bool val strict_bool_and_ : t val strict_bool_or_ : t val bool_not_ : t why-2.34/src/lexer.mll0000644000175000017500000001670712311670312013244 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (* $Id: lexer.mll,v 1.24 2009-11-26 16:07:54 andrei Exp $ *) { open Lexing open Logic open Parser let keywords = Hashtbl.create 97 let () = List.iter (fun (x,y) -> Hashtbl.add keywords x y) [ "absurd", ABSURD; "and", AND; "array", ARRAY; "as", AS; "assert", ASSERT; "axiom", AXIOM; "begin", BEGIN; "bool", BOOL; "check", CHECK; "do", DO; "done", DONE; "else", ELSE; "end", END; "exception", EXCEPTION; "exists", EXISTS; "external", EXTERNAL; "false", FALSE; "for", FOR; "forall", FORALL; "fun", FUN; "function", FUNCTION; "goal", GOAL; "if", IF; "in", IN; "include", INCLUDE; "inductive", INDUCTIVE; "int", INT; "invariant", INVARIANT; "lemma", LEMMA; "let", LET; "logic", LOGIC; "match", MATCH; "not", NOT; "of", OF; "or", OR; "parameter", PARAMETER; "predicate", PREDICATE; "prop", PROP; "raise", RAISE; "raises", RAISES; "reads", READS; "real", REAL; "rec", REC; "ref", REF; "returns", RETURNS; "then", THEN; "true", TRUE; "try", TRY; "type", TYPE; "unit", UNIT; "variant", VARIANT; "void", VOID; "while", WHILE; "with", WITH; "writes", WRITES ] let newline lexbuf = let pos = lexbuf.lex_curr_p in lexbuf.lex_curr_p <- { pos with pos_lnum = pos.pos_lnum + 1; pos_bol = pos.pos_cnum } let string_buf = Buffer.create 1024 exception Lexical_error of string let char_for_backslash = function | 'n' -> '\n' | 't' -> '\t' | c -> c let update_loc lexbuf file line chars = let pos = lexbuf.lex_curr_p in let new_file = match file with None -> pos.pos_fname | Some s -> s in lexbuf.lex_curr_p <- { pos with pos_fname = new_file; pos_lnum = int_of_string line; pos_bol = pos.pos_cnum - int_of_string chars; } let remove_leading_plus s = let n = String.length s in if n > 0 && s.[0] = '+' then String.sub s 1 (n-1) else s let option_app f = function None -> None | Some x -> Some (f x) } let newline = '\n' let space = [' ' '\t' '\r'] let alpha = ['a'-'z' 'A'-'Z'] let letter = alpha | '_' let digit = ['0'-'9'] let ident = letter (letter | digit | '\'')* let hexadigit = ['0'-'9' 'a'-'f' 'A'-'F'] (* let hexafloat = '0' ['x' 'X'] (hexadigit* '.' hexadigit+ | hexadigit+ '.' hexadigit* ) ['p' 'P'] ['-' '+']? digit+ *) rule token = parse | "#" space* ("\"" ([^ '\010' '\013' '"' ]* as file) "\"")? space* (digit+ as line) space* (digit+ as char) space* "#" { update_loc lexbuf file line char; token lexbuf } | newline { newline lexbuf; token lexbuf } | space+ { token lexbuf } | ident as id { try Hashtbl.find keywords id with Not_found -> IDENT id } | digit+ as s { INTEGER s } | (digit+ as i) ("" as f) ['e' 'E'] (['-' '+']? digit+ as e) | (digit+ as i) '.' (digit* as f) (['e' 'E'] (['-' '+']? digit+ as e))? | (digit* as i) '.' (digit+ as f) (['e' 'E'] (['-' '+']? digit+ as e))? { FLOAT (RConstDecimal (i, f, option_app remove_leading_plus e)) } | '0' ['x' 'X'] ((hexadigit* as i) '.' (hexadigit+ as f) |(hexadigit+ as i) '.' (hexadigit* as f) |(hexadigit+ as i) ("" as f)) ['p' 'P'] (['-' '+']? digit+ as e) { FLOAT (RConstHexa (i, f, remove_leading_plus e)) } | "(*" { comment lexbuf; token lexbuf } | "'" { QUOTE } | "," { COMMA } | "(" { LEFTPAR } | ")" { RIGHTPAR } | "!" { BANG } | ":" { COLON } | ";" { SEMICOLON } | ":=" { COLONEQUAL } | "->" { ARROW } | "<->" { LRARROW } | "=" { EQUAL } | "<" { LT } | "<=" { LE } | ">" { GT } | ">=" { GE } | "<>" { NOTEQ } | "+" { PLUS } | "-" { MINUS } | "*" { TIMES } | "/" { SLASH } | "@" { AT } | "." { DOT } | "[" { LEFTSQ } | "]" { RIGHTSQ } | "{" { LEFTB } | "}" { RIGHTB } | "{{" { LEFTBLEFTB } | "}}" { RIGHTBRIGHTB } | "|" { BAR } | "||" { BARBAR } | "&&" { AMPAMP } | "=>" { BIGARROW } | "\"" { Buffer.clear string_buf; string lexbuf } | eof { EOF } | _ as c { raise (Lexical_error ("illegal character: " ^ String.make 1 c)) } and comment = parse | "*)" { () } | "(*" { comment lexbuf; comment lexbuf } | newline { newline lexbuf; comment lexbuf } | eof { raise (Lexical_error "unterminated comment") } | _ { comment lexbuf } and string = parse | "\"" { STRING (Buffer.contents string_buf) } | "\\" (_ as c) { Buffer.add_char string_buf (char_for_backslash c); string lexbuf } | newline { newline lexbuf; Buffer.add_char string_buf '\n'; string lexbuf } | eof { raise (Lexical_error "unterminated string") } | _ as c { Buffer.add_char string_buf c; string lexbuf } { let loc lb = (lexeme_start_p lb, lexeme_end_p lb) let with_location f lb = try f lb with e -> raise (Loc.Located (loc lb, e)) let parse_lexpr = with_location (lexpr token) let parse_file = with_location (file token) let lexpr_of_string s = parse_lexpr (from_string s) } (* Local Variables: compile-command: "unset LANG; make -j -C .. bin/why.byte" End: *) why-2.34/src/z3.mli0000644000175000017500000000461512311670312012451 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (* Z3 native syntax *) open Cc val reset : unit -> unit val push_decl : Logic_decl.t -> unit val output_file : string -> unit why-2.34/src/mlize.ml0000644000175000017500000002076112311670312013064 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s Translation of imperative programs into functional ones. *) open Ident open Logic open Misc open Types open Ast open Cc open Util open Rename open Env module Make (Monad : MonadSig.S) = struct open Monad let new_label info = { info with t_label = label_name () } let make_info info k = { info with t_label = label_name (); t_post = k.t_post; t_effect = k.t_effect } (*s [ren] is the current renamings of variables, [e] is the imperative program to translate, annotated with type+effects. We return the translated program in type [predicate cc_term] *) let rec trad e = cross_label e.info.t_label (trad_desc e.info e.desc) and trad_desc info d ren = match d with | Expression t -> Monad.unit info (Value (unref_term t)) ren | Var id -> assert (not (is_reference info.t_env id)); if is_rec id then find_rec id ren else CC_var id | If (e1, e2, e3) -> trad_conditional info e1.info (trad e1) e2.info (trad e2) e3.info (trad e3) ren | LetIn (x, e1, e2) -> let info1 = { e1.info with t_result_name = x } in Monad.compose info1 (trad e1) info (fun v1 ren' -> let te2 = Monad.compose e2.info (trad e2) info (fun v2 -> Monad.unit info (Value (Tvar v2))) ren' in if v1 <> x then let ty1 = trad_type_v ren info.t_env (result_type e1) in CC_letin (false, [x, CC_var_binder ty1], CC_var v1, te2) else te2) ren | Seq (e1, e2) -> Monad.compose e1.info (trad e1) info (fun _ ren' -> Monad.compose e2.info (trad e2) info (fun v2 -> Monad.unit info (Value (Tvar v2))) ren') ren | LetRef (x, e1, e2) -> let info1 = { e1.info with t_result_name = x } in Monad.compose info1 (trad e1) info (fun v1 ren' -> let t1 = trad_type_v ren info.t_env (result_type e1) in let ren'' = next ren' [x] in let x' = current_var ren'' x in CC_letin (false, [x', CC_var_binder t1], CC_var v1, Monad.compose e2.info (trad e2) info (fun v2 -> Monad.unit info (Value (Tvar v2))) ren'')) ren | AppTerm (e1, t, kapp) -> let infoapp = make_info info kapp in Monad.compose e1.info (trad e1) info (fun v1 -> Monad.apply infoapp (fun ren -> let t = apply_term ren info.t_env (unref_term t) in CC_app (CC_var v1, CC_term t)) info (fun v -> Monad.unit info (Value (Tvar v)))) ren | AppRef (e1, _, kapp) -> let infoapp = make_info info kapp in Monad.compose e1.info (trad e1) info (fun v1 -> Monad.apply infoapp (fun _ -> CC_var v1) info (fun v -> Monad.unit info (Value (Tvar v)))) ren | Lam (bl, p, e) -> let bl',env' = trad_binders ren info.t_env bl in let ren' = initial_renaming env' in let te = trans (p,e) ren' in cc_lam bl' te | Loop (_, None, _) -> assert false | Loop (inv, Some var, e) -> let p = match inv with Some a -> [a] | None -> [] in let infoc = new_label info in Monad.wfrec var p info (fun w -> Monad.compose e.info (trad e) infoc (fun _ -> w)) ren | Rec (_, _, _, None, _, _) -> assert false | Rec (f, bl, _v, Some var, p, e) -> let bl',env' = trad_binders ren info.t_env bl in let ren' = push_date (initial_renaming env') e.info.t_label in let recf w ren = cc_lam bl' (abstraction e.info p w ren) in cc_lam bl' (abstraction e.info p (Monad.wfrec_with_binders bl' var p e.info (fun w -> with_rec f (recf w) (trad e))) ren') | Raise (id, None) -> Monad.exn info id None ren | Raise (id, Some e) -> Monad.compose e.info (trad e) info (fun v -> Monad.exn info id (Some (Tvar v))) ren | Try (e, hl) -> let handler ((x,a) as p, h) = let hi = Monad.compose h.info (trad h) info (fun v -> Monad.unit info (Value (Tvar v))) in p, (fun res ren -> match a with | None -> hi ren | Some a -> let ta = exn_arg_type x in CC_letin (false, [a, CC_var_binder ta], CC_var res, hi ren)) in Monad.handle e.info (trad e) info (List.map handler hl) ren | Assertion (_k, al, e) -> insert_many_pre info.t_env al (trad e) ren | Ast.Absurd -> let v = info.t_result_type in let ainfo = { info with t_label = label_name (); t_result_type = v; t_post = None } in let tv = trad_type_v ren info.t_env v in Monad.compose ainfo (fun _ -> cc_applist (cc_var false_rec) [CC_type tv; CC_hole (info.t_loc, Pfalse)]) info (fun v -> Monad.unit info (Value (Tvar v))) ren (** | Any c when info.obligations = [] && info.kappa = c -> CC_any (Monad.trad_type_c ren info.env c) **) | Any c -> let info_c = Typing.typing_info_of_type_c info.t_loc info.t_env info.t_label c in Monad.compose info_c (fun ren -> CC_any (Monad.trad_type_c ren info.t_env c)) info (fun v -> Monad.unit info (Value (Tvar v))) ren | Label (s, e) -> cross_label s (trad e) ren | Post (e, _q, _) -> (* TODO *) trad e ren and trad_binders ren env = function | [] -> [], env | (id, (Ref _ as v)) :: bl -> trad_binders ren (Env.add id v env) bl | (id, v) :: bl -> let tt = trad_type_v ren env v in let env' = Env.add id v env in let bl',env'' = trad_binders ren env' bl in (id, CC_var_binder tt) :: bl', env'' (* to be used for both [if] and [while] *) and trad_conditional info info1 te1 info2 te2 info3 te3 = Monad.compose info1 te1 info (fun resb ren' -> let q1 = option_app (a_apply_post info1.t_label ren' info.t_env) info1.t_post in let branch infob eb tb = (*** let info = { info with loc = infob.loc; kappa = force_type_c_loc infob.loc info.kappa } in ***) let t = Monad.compose infob eb info (fun r -> Monad.unit info (Value (Tvar r))) ren' in match q1 with | Some (q,_) -> let n = if is_wp q.a_name then q.a_name else test_name () in let q = tsubst_in_predicate (subst_one result tb) q.a_value in CC_lam ((n, CC_pred_binder (simplify q)), t) | None -> t in CC_if (CC_var resb, branch info2 te2 ttrue, branch info3 te3 tfalse)) and trans (p,e) = cross_label e.info.t_label (abstraction e.info p (trad e)) end module MLwithLogicTerms = Make (Monad) let trad = MLwithLogicTerms.trad why-2.34/src/env.mli0000644000175000017500000001736112311670312012707 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s Environment for imperative programs. Here we manage the global environment, which is imperative, and we provide a functional local environment. The most important functions, [is_in_env], [type_in_env] and [fold_all] first look in the local environment then in the global one. *) open Cc open Logic open Types open Ast module StringMap : Map.S with type key = string module StringSet : Set.S with type elt = string (*s type schemes *) module Vset : Set.S with type elt = type_var module Vmap : Map.S with type key = type_var type 'a scheme = private { scheme_vars : Vset.t; scheme_type : 'a } val empty_scheme : 'a -> 'a scheme (*s AST for typed programs are decorated with local environments *) type local_env type typing_info = { t_loc : Loc.position; t_env : local_env; t_label : label; mutable t_userlabel : label; t_result_name : Ident.t; t_result_type : type_v; t_effect : Effect.t; t_post : postcondition option } type typed_expr = typing_info Ast.t (*s global environment *) val add_global : Ident.t -> type_v -> typed_expr option -> unit val add_global_gen : Ident.t -> type_v scheme -> typed_expr option -> unit val is_global : Ident.t -> bool val iter_global : (Ident.t * Types.type_v scheme -> unit) -> unit val lookup_global : Ident.t -> type_v (*s types (only global) *) val add_type : Loc.position -> Ident.t list -> Ident.t -> unit val is_type : Ident.t -> bool val type_arity : Ident.t -> int val iter_type : (Ident.t -> int -> unit) -> unit val fold_type : (Ident.t -> int -> 'a -> 'a) -> 'a -> 'a (*s algebraic types (only global) *) val set_constructors : Ident.t -> Ident.t list -> unit val is_alg_type : Ident.t -> bool val alg_type_constructors : Ident.t -> Ident.t list (*s exceptions (only global) *) val add_exception : Ident.t -> pure_type option -> unit val is_exception : Ident.t -> bool val find_exception : Ident.t -> pure_type option (*s logical elements *) type var_subst = type_var Vmap.t val add_global_logic : Ident.t -> logic_type scheme -> unit val find_global_logic : Ident.t -> var_subst * logic_type val iter_global_logic : (Ident.t -> logic_type scheme -> unit) -> unit val fold_global_logic : (Ident.t -> logic_type scheme -> 'a -> 'a) -> 'a -> 'a val is_global_logic : Ident.t -> bool val is_logic_function : Ident.t -> bool (*s a table keeps the program (for extraction) *) val find_pgm : Ident.t -> typed_expr option (*s local environments *) val empty_progs : unit -> local_env val empty_logic : unit -> local_env val add : ?generalize:bool -> Ident.t -> type_v -> local_env -> local_env val is_local : local_env -> Ident.t -> bool val find_type_var : Ident.t -> local_env -> type_var (*s access in env (local then global) *) val type_in_env : local_env -> Ident.t -> type_v val is_in_env : local_env -> Ident.t -> bool val is_ref : local_env -> Ident.t -> bool val fold_all : (Ident.t * type_v -> 'a -> 'a) -> local_env -> 'a -> 'a val add_rec : Ident.t -> local_env -> local_env val is_rec : Ident.t -> local_env -> bool (*s logical elements *) val add_logic : Ident.t -> pure_type -> local_env -> local_env val find_logic : Ident.t -> local_env -> pure_type val type_v_of_logic : pure_type list -> pure_type -> type_v (* type variables and generalization/specialization *) val new_type_var : ?user:bool -> unit -> type_var val type_var_name : type_var -> string (* for error messages only *) val generalize_logic_type : logic_type -> logic_type scheme val generalize_alg_type : alg_type_def -> alg_type_def scheme val generalize_type_v : type_v -> type_v scheme val generalize_predicate : predicate -> predicate scheme val generalize_predicate_def : predicate_def -> predicate_def scheme val generalize_inductive_def : inductive_def -> inductive_def scheme val generalize_function_def : function_def -> function_def scheme val generalize_sequent : sequent -> sequent scheme val specialize_type_scheme : type_v scheme -> var_subst * type_v val specialize_logic_type : logic_type scheme -> var_subst * logic_type val specialize_alg_type : alg_type_def scheme -> var_subst * alg_type_def val specialize_predicate : predicate scheme -> var_subst * predicate val specialize_predicate_def : predicate_def scheme -> var_subst * predicate_def val specialize_inductive_def : inductive_def scheme -> var_subst * inductive_def val specialize_function_def : function_def scheme -> var_subst * function_def val specialize_sequent : sequent scheme -> var_subst * sequent val subst_sequent : var_subst -> sequent -> sequent val specialize_cc_type : Cc.cc_type -> var_subst * Cc.cc_type val specialize_validation : Cc.cc_type -> Cc.validation -> var_subst * Cc.cc_type * Cc.validation val specialize_cc_functional_program : Cc.cc_type -> Cc.cc_functional_program -> var_subst * Cc.cc_type * Cc.cc_functional_program val instantiate_specialized : var_subst -> instance -> unit val instantiate_logic_type : logic_type scheme -> instance -> logic_type val instantiate_predicate : predicate scheme -> instance -> predicate val instantiate_predicate_def : predicate_def scheme -> instance -> predicate_def val instantiate_inductive_def : inductive_def scheme -> instance -> inductive_def val instantiate_function_def : function_def scheme -> instance -> function_def val instantiate_sequent : sequent scheme -> instance -> sequent (*s Labels *) module Label : sig type t val empty : t val add : string -> t -> t val mem : string -> t -> bool end (* debug *) val dump_type_var : (type_var -> unit) ref (* misc *) val bad_arity : Ident.t list -> bool why-2.34/src/vcg.ml0000644000175000017500000007240712311670312012527 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s Verification Conditions Generator. *) open Format open Ident open Misc open Util open Options open Logic open Types open Cc (*s Log for the why-viewer *) let logs = ref ([] : Log.t) let log_print_function = ref (fun fmt (_,p) -> fprintf fmt "@[%a@]@?" print_predicate p) let log l sq lemma_name = let (_,l,_,_) = l in if wol then let s = let buf = Buffer.create 1024 in let fmt = formatter_of_buffer buf in !log_print_function fmt sq; Buffer.contents buf in if_debug (fun () -> eprintf "at %d, %b, %s@\n" l (lemma_name = None) s) (); logs := (l, s, lemma_name) :: !logs (*s We automatically prove the trivial obligations *) let (===) = eq_predicate let rec strip_name = function | Pnamed (_, p) -> strip_name p | p -> p let rec eval_term t = match t with | Tconst (ConstInt a) -> Num.num_of_string a | Tapp(id,[Tconst (ConstInt a)], _ ) when id == t_neg_int -> Num.minus_num (Num.num_of_string a) | _ -> raise Exit let rec eval p = match p with | Pnamed (_, p) -> eval p | Papp (id, [a; b], _) when is_int_comparison id -> begin try let a = eval_term a in let b = eval_term b in if (id == t_eq_int && Num.eq_num a b) || (id == t_neq_int && not (Num.eq_num a b)) || (id == t_lt_int && Num.lt_num a b) || (id == t_le_int && Num.le_num a b) || (id == t_gt_int && Num.gt_num a b) || (id == t_ge_int && Num.ge_num a b) then Ptrue else p with Exit -> p end | Papp (_, _, _) | Exists (_, _, _, _) | Forallb (_, _, _) | Forall (_, _, _, _, _, _) | Pnot _ | Piff (_, _) | Por (_, _) | Pand (_, _, _, _) | Pif (_, _, _) | Pimplies (_, _, _) | Pvar _ | Pfalse | Ptrue | Plet _ -> p (* ... |- true *) let rec ptrue = function | Ptrue -> True | Pnamed(_,p) -> ptrue p | Pvar id when id == Ident.default_post -> True | _ -> raise Exit (* ... |- a=a *) let reflexivity = function | Papp (id, [a;b], _) when is_eq id && a = b -> Reflexivity a | _ -> raise Exit (* ..., h:P, ...|- P and ..., h:P and Q, ...|- P *) let assumption concl = function | Spred (id, p) when p === concl -> Assumption id | Spred (id, Pand (_, _, a, _)) when a === concl -> Proj1 id | Spred (id, Pand (_, _, _, b)) when b === concl -> Proj2 id | _ -> raise Exit (* alpha-equivalence ? *) let lookup_hyp a = let test = function Spred (id, b) when a === b -> id | _ -> raise Exit in list_first test (* ..., h:False, ... |- C *) let absurd ctx = Absurd (lookup_hyp Pfalse ctx) (* ..., h:false=true, ... |- C *) let discriminate_lemma = Ident.create "why_boolean_discriminate" let discriminate ctx concl = let false_eq_true = equality (Tconst (ConstBool false)) (Tconst (ConstBool true)) in let h = lookup_hyp false_eq_true ctx in ProofTerm (cc_applist (CC_var discriminate_lemma) [CC_var h; CC_type (TTpred concl)]) let boolean_destruct_1 = Ident.create "why_boolean_destruct_1" let boolean_destruct_2 = Ident.create "why_boolean_destruct_2" let boolean_destruct ctx concl = let test_1 = function | Spred (id, Pand (_, _, Pimplies (_, Papp (eq1, [Tconst (ConstBool b1); t1], _), c1), Pimplies (_, Papp (eq2, [Tconst (ConstBool b2); t2], _), c2))) when eq_term t1 t2 && c1 === c2 && c1 === concl && is_eq eq1 && is_eq eq2 && b1 = not b2 -> id, t1, b1 | _ -> raise Exit in let h,t,b = list_first test_1 ctx in ProofTerm (cc_applist (CC_var (if b then boolean_destruct_1 else boolean_destruct_2)) [CC_term t; CC_type (TTpred concl); CC_var h]) (* ..., h:A, ..., h':B, ... |- A and B *) let conjunction ctx = function | Pand (_, _, a, b) -> Conjunction (lookup_hyp a ctx, lookup_hyp b ctx) | _ -> raise Exit (* ... |- (well_founded (Zwf 0)) *) let wf_zwf = function | Papp (id, [Tvar id'], _) when id == well_founded && id' == t_zwf_zero -> WfZwf (Tconst (ConstInt "0")) | _ -> raise Exit (* ..., h:v=phi0, ..., h':I and (Zwf c phi1 phi0), ... |- (Zwf c phi1 v) *) let loop_variant_1 hyps concl = let lookup_h v = function | Spred (h, Papp (id, [Tvar id';phi0], _)) when is_eq id && id' == v -> h,phi0 | _ -> raise Exit in let rec lookup_h' phi1 phi0 = function | Spred (h', Pand (_, _, _, Papp (id, [t1; t0], _))) when id == t_zwf_zero && eq_term t1 phi1 && eq_term t0 phi0 -> h' | _ -> raise Exit in match concl with | Papp (id, [phi1; Tvar v], _) when id == t_zwf_zero -> let h, phi0 = list_first (lookup_h v) hyps in let h' = list_first (lookup_h' phi1 phi0) hyps in Loop_variant_1 (h, h') | _ -> raise Exit (* unification of terms *) let rec unif_term u = function | Tconst c, Tconst c' when c = c' -> u | Tvar id, Tvar id' when id == id' -> u | Tderef _, _ | _, Tderef _ -> assert false | Tvar id, t' -> (try (match Idmap.find id u with | None -> Idmap.add id (Some t') u | Some t'' -> if t' = t'' then u else raise Exit) with Not_found -> raise Exit) | Tapp (id, tl, _), Tapp (id', tl', _) when id == id' -> unif_terms u (tl, tl') | _ -> raise Exit and unif_terms u = function | [], [] -> u | t :: tl, t' :: tl' -> unif_terms (unif_term u (t, t')) (tl, tl') | _ -> raise Exit (* unification of predicates *) let rec unif_pred u = function | Pvar id, Pvar id' when id == id' -> u | Papp (id, tl, _), Papp (id', tl', _) when id == id' -> unif_terms u (tl, tl') | Ptrue, Ptrue | Pfalse, Pfalse -> u | Forallb (_, a, b), Forallb (_, a', b') | Pimplies (_, a, b), Pimplies (_, a', b') | Pand (_, _, a, b), Pand (_, _, a', b') | Piff (a, b), Piff (a', b') | Por (a, b), Por (a', b') -> unif_pred (unif_pred u (a, a')) (b, b') | Pif (a, b, c), Pif (a', b', c') -> unif_pred (unif_pred (unif_term u (a, a')) (b, b')) (c, c') | Pif (Tvar x, b, c), p' -> (try match Idmap.find x u with | None -> (try unif_pred (Idmap.add x (Some ttrue) u) (b, p') with Exit -> unif_pred (Idmap.add x (Some tfalse) u) (c, p')) | Some (Tconst (ConstBool true)) -> unif_pred u (b, p') | Some (Tconst (ConstBool false)) -> unif_pred u (c, p') | _ -> raise Exit with Not_found -> raise Exit) | Pnot a, Pnot a' -> unif_pred u (a, a') | Forall (_, _, n, _, _, p), Forall (_, _, n', _, _, p') | Exists (_, n, _, p), Exists (_, n', _, p') -> let p'n = subst_in_predicate (subst_onev n' n) p' in unif_pred u (p, p'n) | Plet (_, n, _, t, p), Plet (_, n', _, t', p') -> let u = unif_term u (t, t') in let p'n = subst_in_predicate (subst_onev n' n) p' in unif_pred u (p, p'n) | Pnamed (_, p), p' | p, Pnamed (_, p') -> unif_pred u (p, p') (* outside of the diagonal -> false *) | (Forall _ | Exists _ | Forallb _ | Pnot _ | Piff _ | Por _ | Pand _ | Pif _ | Pimplies _ | Papp _ | Pvar _ | Pfalse | Ptrue | Plet _), (Forall _ | Exists _ | Forallb _ | Pnot _ | Piff _ | Por _ | Pand _ | Pif _ | Pimplies _ | Papp _ | Pvar _ | Pfalse | Ptrue | Plet _) -> raise Exit (* [lookup_instance]. [id] is a proof of [forall v1...vn . p => q] where [bvars = v1...vn]. we look for an hypothesis matching [p], as an instance [p(a1...ak)], and we return [forall vi. q(a1...ak)] (together with a proof of it) where the [vi]s not in the [aj]s. *) let first_hyp f = list_first (function Svar _ -> raise Exit | Spred (h, p) -> f h p) let lookup_instance id bvars p q hpx p' = let u0 = List.fold_right (fun (_,n,_) -> Idmap.add n None) bvars Idmap.empty in let u = unif_pred u0 (p, p') in let bvars',vars,s = List.fold_right (fun ((x,n,_) as b) (bv,vl,s) -> match Idmap.find n u with | None -> b :: bv, (Tvar x) :: vl, s | Some x' -> bv, x' :: vl, Idmap.add n x' s) bvars ([], [], Idmap.empty) in List.fold_right (fun (x, n, ty) p -> Forall (true, x, n, ty, [], p)) bvars' (simplify (tsubst_in_predicate s q)), cc_lam (List.map (fun (x, _, ty) -> x, CC_var_binder (TTpure ty)) bvars') (cc_applist id (List.map cc_term (vars @ [Tvar hpx]))) (* checks whether [p] is an instance of [c] and returns the instance *) let unify bvars p c = let u0 = List.fold_right (fun (_,n,_) -> Idmap.add n None) bvars Idmap.empty in let u = unif_pred u0 (p, c) in List.map (fun (_,n,_) -> match Idmap.find n u with | None -> raise Exit (* does not instanciate all variables *) | Some x -> x) bvars (* alpha-equivalence over predicates *) let alpha_eq a b = try let _ = unif_pred Idmap.empty (a, b) in true with Exit -> false let lookup_boolean_instance a b = let rec lookup = function | Svar (x, PTbool) :: Spred (h, Pif (Tvar x1, c, d)) :: _ when x == x1 && a === c && b === d -> x, h | _ :: ctx -> lookup ctx | [] -> raise Exit in lookup let boolean_wp_lemma = Ident.create "why_boolean_wp" (* [qe_forall (forall x1...forall xn. p) = [x1;...;xn],p] *) let rec qe_forall = function | Forall (_, id, n, ty, _, p) -> let vl, p = qe_forall p in (id, n, ty) :: vl, p | Forallb (_, ptrue, pfalse) -> let id = fresh_var () in let n = Ident.bound id in let p = Pif (Tvar n, ptrue, pfalse) in [(id, n, PTbool)], p | p -> [], p let add_ctx_vars = List.fold_left (fun acc -> function Svar (id,_) -> Idset.add id acc | _ -> acc) (* introduction of universal quantifiers and implications; return the new goal (context-conclusion), together with a proof-term modifier to apply to the proof-term found for the new goal. *) let rec intros ctx = function (* | Forall (_, id, n, t, _, p) -> let id' = next_away id (add_ctx_vars (predicate_vars p) ctx) in let p' = subst_in_predicate (subst_onev n id') p in let ctx', concl', f = intros (Svar (id', t) :: ctx) p' in ctx', concl', (fun pr -> ProofTerm (cc_lam [id', CC_var_binder (TTpure t)] (CC_hole (f pr)))) *) | Forall _ as p -> let ids = add_ctx_vars Idset.empty ctx in let bv, p' = decomp_forall ~ids p in let ctx = List.fold_left (fun ctx (id', t) -> Svar (id', t) :: ctx) ctx bv in let ctx', concl', f = intros ctx p' in ctx', concl', (fun pr -> let bvars = List.map (fun (x, t) -> x, CC_var_binder (TTpure t)) bv in ProofTerm (cc_lam bvars (CC_hole (f pr)))) | Pimplies (_, a, b) -> let h = fresh_hyp () in let ctx', concl', f = intros (Spred (h, a) :: ctx) b in ctx', concl', (fun pr -> ProofTerm (cc_lam [h, CC_pred_binder a] (CC_hole (f pr)))) | Pnamed (n, p) -> let ctx,p,v = intros ctx p in ctx, Pnamed (n, p), v | c -> ctx, c, (fun pr -> pr) let boolean_forall_lemma = Ident.create "why_boolean_forall" let make_forall_proof id = function | Forall _ -> CC_var id | Forallb (_, qtrue, qfalse) -> let x = fresh_var () in let n = Ident.bound x in let q = Pif (Tvar n, qtrue, qfalse) in cc_applist (CC_var boolean_forall_lemma) [cc_lam [n, CC_var_binder (TTpure PTbool)] (CC_type (TTpred q)); CC_var id] | _ -> assert false let should_be_a_wp ctx = if debug then raise Exit; first_hyp (fun id _ -> if not (is_wp id) then raise Exit) ctx; ShouldBeAWp (* Tautologies in linear minimal first-order logic. Context [ctx] is given in reverse order ([ctx = xk:tk, ..., x1:t1]). First, we introduce universal quantifiers and implications with [intros]. Then, we cut the context at the last [WP] and reverse it at the same time, with [cut_context]. Then we apply the linear rules: assumption, and-elimination, forall-elimination and implication-elimination. Regarding forall-elimination, there are two cases: (1) the hypothesis is [forall x. P] and the goal matches [P], and (2) the hypothesis is [forall x. P => Q] and there is another hypothesis matching [P]. *) let linear ctx concl = let ctx, concl, pr_intros = intros ctx concl in (* we cut the context at the last WP (and reverse it) *) let rec cut_context acc = function | [] -> raise Exit | Spred (id, _) as h :: _ when is_wp id -> h :: acc | h :: ctx -> cut_context (h :: acc) ctx in let ctx = cut_context [] ctx in let rec search = function | [] -> raise Exit (* assumption *) | Spred (id, p) :: _ when alpha_eq p concl -> Assumption id (* and-elimination *) | Spred (id, Pand (true, _, a, b)) :: ctx -> begin try search ctx with Exit -> let h1 = fresh_hyp () in let h2 = fresh_hyp () in let ctx' = (Spred (h1, a)) :: (Spred (h2, b)) :: ctx in ProofTerm (CC_letin (false, [h1, CC_pred_binder a; h2, CC_pred_binder b], CC_var id, CC_hole (search ctx'))) end (* forall-elimination *) | Spred (id, (Forall (true,_,_,_,_,_) | Forallb (true,_,_) as a)) :: ctx -> let id = make_forall_proof id a in begin try search ctx with Exit -> let bvars,p = qe_forall a in try (* 1. try to unify [p] and [concl] *) let vars = unify bvars p concl in ProofTerm (cc_applist id (List.map cc_term vars)) with Exit -> match p with | Pimplies (true, p, q) -> (* 2. we have [p => q]: try to unify [p] and an hypothesis *) first_hyp (fun h ph -> let qx,pr_qx = lookup_instance id bvars p q h ph in let h1 = fresh_hyp () in let ctx' = Spred (h1, qx) :: ctx in ProofTerm (CC_letin (false, [h1, CC_pred_binder qx], pr_qx, CC_hole (search ctx')))) ctx | Pand (true, _, p1, p2) -> (* 3. we have [a and b]: split under the quantifiers *) let h1 = fresh_hyp () in let h2 = fresh_hyp () in let qpi pi = List.fold_right (fun (x, n, ty) p -> Forall (true, x, n, ty, [], p)) bvars pi in let qp1 = qpi p1 in let qp2 = qpi p2 in let ctx' = Spred (h1, qp1) :: Spred (h2, qp2) :: ctx in let pr = search ctx' in let pr_qpi hi = cc_lam (List.map (fun (x,_,ty) -> x, CC_var_binder (TTpure ty)) bvars) (CC_letin (false, [h1, CC_pred_binder p1; h2, CC_pred_binder p2], cc_applist id (List.map (fun (_,x,_) -> CC_var x) bvars), CC_var hi)) in ProofTerm (CC_letin (false, [h1, CC_pred_binder qp1], pr_qpi h1, CC_letin (false, [h2, CC_pred_binder qp2], pr_qpi h2, CC_hole pr))) | _ -> raise Exit end (* implication-elimination *) | Spred (id, Pimplies (true, p, q)) :: ctx -> begin try search ctx with Exit -> let hp = lookup_hyp p ctx in (* alpha-equivalence ? *) let hq = fresh_hyp () in let ctx' = Spred (hq, q) :: ctx in ProofTerm (CC_letin (false, [hq, CC_pred_binder q], CC_app (CC_var id, CC_var hp), CC_hole (search ctx'))) end (* skip this hypothesis (or variable) *) | _ :: ctx -> search ctx in pr_intros (search ctx) let rewrite_var_lemma = Ident.create "why_rewrite_var" let rewrite_var_left_lemma = Ident.create "why_rewrite_var_left" let rewrite_var ctx concl = match ctx, concl with (* ..., v=t, p(v) |- p(t) *) | Spred (h1, p1) :: Svar (_id'1, PTbool) :: Spred (h2, Papp (ide, [Tvar v; t], _)) :: Svar (v', ty) :: _, p when is_eq ide && v == v' -> if not (tsubst_in_predicate (subst_one v t) p1 === p) then raise Exit; ProofTerm (cc_applist (CC_var rewrite_var_lemma) [CC_var h2; CC_type (TTlambda ((v, CC_var_binder (TTpure ty)), TTpred p1)); CC_var h1]) (* ..., v=t, p(t) |- p(v) *) | _ :: Spred (h1, p1) :: Spred (h2, Papp (ide, [Tvar v; t], _)) :: Svar (v', ty) :: _, p when is_eq ide && v == v' -> if not (tsubst_in_predicate (subst_one v t) p === p1) then raise Exit; ProofTerm (cc_applist (CC_var rewrite_var_left_lemma) [CC_var h2; CC_type (TTlambda ((v, CC_var_binder (TTpure ty)), TTpred p)); CC_var h1]) | _ -> raise Exit (* ..., x:bool, if x then a else b |- if x then c else d *) let boolean_case_lemma = Ident.create "why_boolean_case" let boolean_case ctx concl = match ctx, concl with | Spred (h1, Pif (Tvar x1, a, b)) :: Svar (x, PTbool) :: ctx, Pif (Tvar x2, c, d) when x1 == x && x2 == x -> let h2 = fresh_hyp () in let branch h p = let pr = linear (Spred (h2, h) :: ctx) p in CC_lam ((h2, CC_pred_binder h), CC_hole pr) in ProofTerm (cc_applist (CC_var boolean_case_lemma) [CC_var h1; branch a c; branch b d]) | _ -> raise Exit (* we try the automatic proofs successively, starting with the simplest ones *) let discharge_methods ctx concl = let ctx,concl,pr = intros ctx concl in let concl = (if Options.eval_goals then eval else strip_name) concl in let ctx = List.map (function | Spred (h,p) -> Spred (h, strip_name p) | Svar _ as v -> v) ctx in pr begin try ptrue concl with Exit -> try wf_zwf concl with Exit -> try reflexivity concl with Exit -> try absurd ctx with Exit -> try list_first (assumption concl) ctx with Exit -> try conjunction ctx concl with Exit -> try loop_variant_1 ctx concl with Exit -> try rewrite_var ctx concl with Exit -> try discriminate ctx concl with Exit -> try boolean_destruct ctx concl with Exit -> try if fast_wp then raise Exit; linear ctx concl with Exit -> boolean_case ctx concl end (* DEBUG *) open Pp let print_sequent fmt (ctx, concl) = let print_hyp fmt = function | Svar (id, _) -> Ident.print fmt id | Spred (id, p) -> fprintf fmt "%a: %a" Ident.print id print_predicate p in fprintf fmt "@[[@\n%a@\n----@\n%a@\n]@]" (print_list newline print_hyp) ctx print_predicate concl let count = ref 0 let discharge loc ctx concl = let pr = (if all_vc then raise Exit else discharge_methods) ctx concl in log loc (ctx, concl) None; incr count; if_verbose_2 eprintf "one obligation trivially discharged [%d]@." !count; pr (*s Cleaning the sequents *) let occur_in_hyp id = function | Spred (_,p) -> occur_predicate id p | Svar _ -> false let occur_as_var id = function | Svar (id',_) -> id = id' | Spred _ -> false let clean_sequent hyps concl = (* if a variable appears twice, we remove the first and its dependencies *) (* dead code let rec filter_up_to x = function | [] -> [] | Svar (y, _) :: _ as hl when x = y -> hl | Spred (_, p) :: hl when occur_predicate x p -> filter_up_to x hl | h :: hl -> h :: filter_up_to x hl in *) (* we remove variables not occuring at all in hypotheses or conclusion *) let rec clean = function | [] -> [] | Svar (x, _v) as h :: hl -> if List.exists (occur_in_hyp x) hl || occur_predicate x concl then h :: clean hl else clean hl | Spred (_, p1) :: ((Spred (_, p2) :: _) as hl) when p1 = p2 -> clean hl | Spred (_, Ptrue) :: hl -> clean hl | Spred (id, _) :: hl when not debug && is_wp id -> clean hl | h :: hl -> h :: clean hl in clean hyps let hyps_names = let hyp_name = function Svar (id,_) | Spred (id,_) -> id in List.map hyp_name let rec cut_last_binders = function | [] | [_] | [_; _] -> [] | b :: bl -> b :: cut_last_binders bl let rec annotated_if id = function | [id', CC_var_binder (TTpure PTbool); _, CC_pred_binder _] -> id == id' | [] -> false | _ :: bl -> annotated_if id bl let rec annotation_if = function | [qb, CC_pred_binder q] -> qb, q | _ :: bl -> annotation_if bl | [] -> assert false (*** let simplify_sequent ctx p = let simplify_hyp = function | Svar _ as h -> h | Spred (id, p) -> Spred (id, simplify p) in List.map simplify_hyp ctx, simplify p ***) (*s Splitting verification conditions on WP connectives [split: sequent -> sequent list * (proof list -> proof)] *) let rec split_list n1 l2 = if n1 = 0 then [], l2 else match l2 with | [] -> assert false | x :: r2 -> let l1,r2 = split_list (n1 - 1) r2 in x :: l1, r2 let conj = match prover () with | Coq V7 -> Ident.create "conj ? ?" | _ -> Ident.create "conj" let asym_conj = Ident.create "why_asym_conj" let split_iff = Ident.create "why_split_iff" let rec split lvl ctx = function | Pand (wp, true, p1, p2) when (wp || Options.split_user_conj) -> let o1,pr1 = split lvl ctx p1 in let n1 = List.length o1 in let o2,pr2 = split lvl ctx p2 in o1 @ o2, (fun pl -> let l1,l2 = split_list n1 pl in ProofTerm (cc_applist (cc_var conj) [CC_hole (pr1 l1); CC_hole (pr2 l2)])) (* asymetric conjunction *) | Pand (wp, false, p1, p2) when (wp || Options.split_user_conj) -> let o1,pr1 = split lvl ctx p1 in let n1 = List.length o1 in let p2 = Pimplies (true, p1, p2) in let o2,pr2 = split lvl ctx p2 in o1 @ o2, (fun pl -> let l1,l2 = split_list n1 pl in ProofTerm (cc_applist (cc_var asym_conj) [CC_hole (pr1 l1); CC_hole (pr2 l2)])) (* splits Zwf if splitting user conjunctions required *) | Papp (id, [a;b], inst) when id == t_zwf_zero && Options.split_user_conj -> (* 0 <= b and a < b *) split lvl ctx (Pand(true, true, Papp(t_le_int, [Tconst (ConstInt "0") ; b ], inst) , Papp(t_lt_int, [a ; b ], inst))) | Piff (p1, p2) when Options.split_user_conj -> let o1,pr1 = split lvl ctx (pimplies p1 p2) in let n1 = List.length o1 in let o2,pr2 = split lvl ctx (pimplies p2 p1) in o1 @ o2, (fun pl -> let l1,l2 = split_list n1 pl in ProofTerm (cc_applist (cc_var split_iff) [CC_hole (pr1 l1); CC_hole (pr2 l2)])) | Pimplies (wp, _, _) | Forall (wp, _, _, _, _, _) as concl when (wp || Options.split_user_conj) && lvl < lvlmax -> let ctx',concl',pr_intros = intros ctx concl in let ol,prl = split (succ lvl) ctx' concl' in ol, (fun pl -> pr_intros (prl pl)) | Pnamed (n, p1) as _concl -> begin match split lvl ctx p1 with (* | [_],_ -> [ctx,Pnamed(n,concl)], (function [pr] -> pr | _ -> assert false) *) | gl,v -> List.map (fun (ctx,c) -> ctx, Pnamed(n,c)) gl, v end | concl -> [ctx,concl], (function [pr] -> pr | _ -> assert false) (*s The VCG; it's trivial, we just traverse the CC term and push a new obligation on each hole. *) (*** let vcg base t = let po = ref [] in let cpt = ref 0 in let push_one loc ctx concl = incr cpt; let id = base ^ "_po_" ^ string_of_int !cpt in let ctx' = clean_sequent (List.rev ctx) concl in let sq = (ctx', concl) in po := (loc, id, sq) :: !po; log (snd loc) sq (Some id); Lemma (id, hyps_names ctx') in let push loc ctx concl = if false(*Options.split*) then let ol,pr = split 0 ctx concl in pr (List.map (fun (ctx,c) -> push_one loc ctx c) ol) else push_one loc ctx concl in let rec traverse ctx = function | CC_var _ | CC_term _ | CC_type _ | CC_any _ as cc -> cc | CC_hole (loc, p) -> CC_hole (try discharge loc ctx p with Exit -> push loc ctx p) (* special treatment for the if-then-else *) | CC_letin (dep, bl1, e1, CC_if (CC_term (Tvar idb), (CC_lam ((_, CC_pred_binder _), _) as br1), (CC_lam ((_, CC_pred_binder _), _) as br2))) when annotated_if idb bl1 -> let e'1 = traverse ctx e1 in let ctx = traverse_binders ctx (cut_last_binders bl1) in let br'1 = traverse ctx br1 in let br'2 = traverse ctx br2 in CC_letin (dep, bl1, e'1, CC_if (CC_var idb, br'1, br'2)) (* special treatment for the composition of exceptions *) | CC_letin (dep, bl, e1, CC_case (CC_term (Tvar _) as e2, br)) -> let e'1 = traverse ctx e1 in let ctx = traverse_binders ctx bl in let br' = List.map (traverse_case ctx) br in CC_letin (dep, bl, e'1, CC_case (e2, br')) | CC_letin (dep, bl, e1, CC_case (e2, br)) -> let e'1 = traverse ctx e1 in let ctx = traverse_binders ctx (cut_last_binders bl) in let e'2 = traverse ctx e2 in let br' = List.map (traverse_case ctx) br in CC_letin (dep, bl, e'1, CC_case (e'2, br')) | CC_letin (dep, bl, e1, e2) -> let e'1 = traverse ctx e1 in let e'2 = traverse (traverse_binders ctx bl) e2 in CC_letin (dep, bl, e'1, e'2) | CC_lam (b, e) -> let e' = traverse (traverse_binders ctx [b]) e in CC_lam (b, e') | CC_app (f, a) -> let f' = traverse ctx f in let a' = traverse ctx a in CC_app (f', a') | CC_case (e, pl) -> let e' = traverse ctx e in let pl' = List.map (traverse_case ctx) pl in CC_case (e', pl') | CC_tuple (el,p) -> let el' = List.map (traverse ctx) el in CC_tuple (el',p) | CC_if (a, b, c) -> let a' = traverse ctx a in let b' = traverse ctx b in let c' = traverse ctx c in CC_if (a', b', c') and traverse_case ctx (p,e) = p, traverse (traverse_pattern ctx p) e and traverse_pattern ctx = function | PPvariable (id,b) -> traverse_binder ctx (id,b) | PPcons (_, pl) -> List.fold_left traverse_pattern ctx pl and traverse_binder ctx = function | id, CC_var_binder v -> (Svar (id,v)) :: ctx | id, CC_pred_binder p -> (Spred (id,p)) :: ctx | id, CC_untyped_binder -> assert false and traverse_binders ctx = List.fold_left traverse_binder ctx in let cc' = traverse [] t in List.rev !po, cc' ***) (* let rec loc_for_pred = function | Pnamed (User s, _) -> begin try Loc.parse s with _ -> Loc.dummy_position end | Forall (_,_,_,_,_,p) | Pimplies (_,_,p) -> loc_for_pred p | _ -> Loc.dummy_position *) let rec explain_for_pred internal user = function | Forall (_,_,_,_,_,p) | Pimplies (_,_,p) -> explain_for_pred internal user p | Pnamed(Internal n,p) -> explain_for_pred (Some n) user p | Pnamed(User n,p) -> explain_for_pred internal (Some n) p | _p -> (if debug then eprintf "User label for explanation: `%a'@." (Pp.print_option pp_print_string)user; user) , (match internal with | Some n -> begin if debug then Format.eprintf "looking for internal explanation '%d'@." n; try let e = Hashtbl.find Util.explanation_table n in if debug then Format.eprintf "found@."; e with Not_found -> if debug then Format.eprintf "not found@."; assert false end | None -> fprintf str_formatter "unexplained assertion"; VCEexternal(flush_str_formatter())) (* Proof obligations from the WP *) let vcg_from_wp _loc ids name beh w = let po = ref [] in let cpt = ref 0 in let push_one (ctx, concl) = let formula_userlab, raw_explain = explain_for_pred None None concl in let kind,loc, lab = Util.cook_explanation formula_userlab raw_explain in (* if formula_userlab = None then Format.printf "formula_userlab unset: %s@." name; *) let explain = (*Logic_decl.ExplVC*) { Logic_decl.lemma_or_fun_name = name ; Logic_decl.behavior = beh; Logic_decl.vc_loc = loc ; Logic_decl.vc_kind = kind ; Logic_decl.vc_label = lab; } in try discharge loc ctx concl with Exit -> begin incr cpt; let id = ids (* name ^ "_" ^ beh *) ^ "_po_" ^ string_of_int !cpt in let ctx' = clean_sequent (List.rev ctx) concl in let sq = (ctx', concl) in log loc sq (Some id); (*Format.eprintf "Vcg.push_one: %a@." Loc.report_position loc;*) po := (loc, false, explain, id, sq) :: !po; Lemma (id, hyps_names ctx') end in let w = w.Ast.a_value in let ol,pr = split 0 [] w in let prl = List.map push_one ol in List.rev !po, pr prl (* Local Variables: compile-command: "make -C .. bin/why.byte" End: *) why-2.34/src/rc.mli0000644000175000017500000000535412311670312012522 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) type rc_value = | RCint of int | RCbool of bool | RCfloat of float | RCstring of string | RCident of string val int : rc_value -> int (** raise Failure "Rc.int" if not a int value *) val bool : rc_value -> bool (** raise Failure "Rc.bool" if not a int value *) val string : rc_value -> string (** raise Failure "Rc.string" if not a string or an ident value *) val from_file : string -> (string * (string * rc_value) list) list val get_home_dir : unit -> string why-2.34/src/why3_kw.mli0000644000175000017500000000445512311670312013512 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) val is_why3_keyword : string -> bool why-2.34/src/project.ml0000644000175000017500000002677312311670312013423 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) type goal = { goal_expl : Logic_decl.vc_expl; goal_file : string; sub_goal : goal list; proof : (string*string*string*string*string) list ; mutable goal_tags : (string*string) list; } type lemma = { lemma_name : string; lemma_loc : Loc.floc; lemma_goal : goal; mutable lemma_tags : (string*string) list; } type behavior = { behavior_name : string; behavior_loc : Loc.floc; mutable behavior_goals : goal list; mutable behavior_tags : (string*string) list; } type funct = { function_name : string; function_loc : Loc.floc; mutable function_behaviors : behavior list; mutable function_tags : (string*string) list; } type t = { project_name : string; mutable project_context_file : string; mutable project_lemmas : lemma list; mutable project_functions : funct list; } let create n = { project_name = n; project_context_file = ""; project_lemmas = []; project_functions = []; } let set_project_context_file p f = p.project_context_file <- f let add_lemma p n e f = let g = { goal_expl = e; goal_file = f; sub_goal = []; proof = []; goal_tags = []; } in let l = { lemma_name = n; lemma_loc = Loc.dummy_floc; lemma_goal = g; lemma_tags = []; } in p.project_lemmas <- l :: p.project_lemmas; l let add_goal b e f = let g = { goal_expl = e; goal_file = f; sub_goal = []; proof = []; goal_tags = []; } in b.behavior_goals <- g :: b.behavior_goals; g let add_behavior f be floc = let b = { behavior_name = be; behavior_loc = floc; behavior_goals = []; behavior_tags = []; } in f.function_behaviors <- b :: f.function_behaviors; b let add_function p fname floc = let f = { function_name = fname; function_loc = floc; function_behaviors = []; function_tags = []; } in p.project_functions <- f :: p.project_functions; f (* toggle *) let toggle_lemma l = l.lemma_tags <- List.map (fun (key,value) -> if key = "ww_open" then if value = "true" then (key,"false") else (key,"true") else (key,value)) l.lemma_tags let toggle_function f = f.function_tags <- List.map (fun (key,value) -> if key = "ww_open" then if value = "true" then (key,"false") else (key,"true") else (key,value)) f.function_tags let toggle_behavior b = b.behavior_tags <- List.map (fun (key,value) -> if key = "ww_open" then if value = "true" then (key,"false") else (key,"true") else (key,value)) b.behavior_tags let toggle_goal g = g.goal_tags <- List.map (fun (key,value) -> if key = "ww_open" then if value = "true" then (key,"false") else (key,"true") else (key,value)) g.goal_tags (* saving *) open Format open Logic open Logic_decl let pr_goal fmt g = fprintf fmt " @." g.goal_file; fprintf fmt " @." (fun fmt -> Explain.raw_loc ~quote:true fmt) (g.goal_expl.vc_loc); fprintf fmt " @." (fun fmt -> Explain.print ~quote:true fmt) (g.goal_expl); fprintf fmt " @." let save p file = let ch = open_out (file ^ ".wpr") in let fpr = formatter_of_out_channel ch in fprintf fpr "@." p.project_name p.project_context_file; List.iter (fun l -> (* name (floc,loc,expl,fpo) -> *) fprintf fpr " @." l.lemma_name; fprintf fpr " @." (fun fmt -> Explain.raw_loc ~quote:true fmt) l.lemma_loc; pr_goal fpr l.lemma_goal; fprintf fpr " @.") p.project_lemmas; List.iter (fun f -> (* name (floc,behs) -> *) fprintf fpr " @." f.function_name; fprintf fpr " @." (fun fmt -> Explain.raw_loc ~quote:true fmt) f.function_loc; List.iter (fun b -> (*vcs -> *) fprintf fpr " @." b.behavior_name; List.iter (pr_goal fpr) b.behavior_goals; fprintf fpr " @." ) f.function_behaviors; fprintf fpr " @.") p.project_functions; fprintf fpr "@."; close_out ch (* loading *) let get_string_attr a e = try match List.assoc a e.Xml.attributes with | Rc.RCstring s -> s | Rc.RCident n -> n | _ -> raise Not_found with Not_found -> eprintf "Warning: attribute `%s' not found@." a; "" let get_name_attr = get_string_attr "name" let get_int_attr a e = match List.assoc a e.Xml.attributes with | Rc.RCstring s -> int_of_string s | Rc.RCint n -> n | _ -> raise Not_found let get_bool_attr a e = try match List.assoc a e.Xml.attributes with | Rc.RCstring "true" -> true | Rc.RCstring "false" -> false | Rc.RCint n -> n <> 0 | Rc.RCbool b -> b | _ -> false with Not_found -> false let get_tags l = let ww_open = ref false in let rec get_tag tags l = match l with | e::l when e.Xml.name = "tag" -> let key = get_string_attr "key" e in let value = get_string_attr "value" e in if key = "ww_open" then ww_open := true else (); get_tag ((key,value)::tags) l | _ -> tags,l in let (tags,l) = get_tag [] l in if !ww_open then tags,l else (("ww_open","false")::tags,l) let get_loc e = let file = get_string_attr "file" e in let line = get_int_attr "line" e in let be = get_int_attr "begin" e in let en = get_int_attr "end" e in (file,line,be,en) let get_kind e = let k = get_string_attr "kind" e in match k with | "Lemma" -> Logic_decl.EKLemma | "Other" -> Logic_decl.EKOther (get_string_attr "text" e) | "Absurd" -> Logic_decl.EKAbsurd | "Assert" -> Logic_decl.EKAssert | "Check" -> Logic_decl.EKCheck | "Pre" -> Logic_decl.EKPre (get_string_attr "text" e) | "Post" -> Logic_decl.EKPost | "WfRel" -> Logic_decl.EKWfRel | "VarDecr" -> Logic_decl.EKVarDecr | "LoopInvInit" -> let f = try get_string_attr "formula" e with Not_found -> "" in Logic_decl.EKLoopInvInit f | "LoopInvPreserv" -> let f = try get_string_attr "formula" e with Not_found -> "" in Logic_decl.EKLoopInvPreserv f | _ -> Logic_decl.EKOther ("Project: unrecognized kind " ^ k) let get_proof elements = let rec get_proofs proofs l = match l with | e::l when e.Xml.name = "proof" -> let prover = get_string_attr "prover" e in let status = get_string_attr "status" e in let timelimit = try get_string_attr "timelimit" e with Not_found -> "no timeout" in let date = try get_string_attr "date" e with Not_found -> "no date" in let scriptfile = try get_string_attr "scriptfile" e with Not_found -> "no script" in get_proofs ((prover,status,timelimit,date,scriptfile)::proofs) l | _ -> proofs,l in (get_proofs [] elements) let rec get_goal lf beh e = match e.Xml.name with | "goal" -> let (tags, elements) = get_tags e.Xml.elements in let loc = List.hd elements in let elements = List.tl elements in let loc = get_loc loc in let k = get_kind (List.hd elements) in let expl = { Logic_decl.lemma_or_fun_name = lf; Logic_decl.behavior = beh; Logic_decl.vc_loc = loc; Logic_decl.vc_kind = k; Logic_decl.vc_label = None; } in let (proofs,elements) = get_proof (List.tl elements) in let sub_goals = List.map (get_goal lf beh) elements in { goal_expl = expl; goal_file = get_string_attr "why_file" e; sub_goal = sub_goals; proof = proofs; goal_tags = tags; } | _ -> assert false let get_behavior lf loc e = match e.Xml.name with | "behavior" -> let n = get_name_attr e in let (tags,elements) = get_tags e.Xml.elements in { behavior_name = n; behavior_loc = loc; behavior_goals = List.map (get_goal lf n) elements; behavior_tags = tags; } | _ -> assert false let lemmas = ref [] let functions = ref [] let get_lemma_or_function e = match e.Xml.name with | "lemma" -> let n = get_name_attr e in let (tags,elements) = get_tags e.Xml.elements in let loc = get_loc (List.hd elements) in let g = List.map (get_goal n "") (List.tl elements) in begin match g with | [g] -> let l = { lemma_name = n; lemma_loc = loc; lemma_goal = g; lemma_tags = tags; } in lemmas := l :: !lemmas | _ -> failwith "lemma should have exactly one goal element" end | "function" -> let n = get_name_attr e in let (tags,elements) = get_tags e.Xml.elements in let loc = get_loc (List.hd elements) in let behs = List.map (get_behavior n loc) (List.tl elements) in let f = { function_name = n; function_loc = loc; function_behaviors = behs; function_tags = tags; } in functions := f :: !functions | "tags" -> () | _ -> assert false (* read XML file *) let load f = let xml = Xml.from_file f in match xml with | [p] when p.Xml.name = "project" -> let name = get_name_attr p in (* if name <> f then eprintf "Warning! project name `%s' does match file name `%s'@." !project_name f; *) lemmas := []; functions := []; List.iter get_lemma_or_function p.Xml.elements; { project_name = name; project_context_file = get_string_attr "context" p; project_lemmas = !lemmas; project_functions = !functions; } | _ -> failwith "unique element expected" why-2.34/src/monadSig.mli0000644000175000017500000001123112311670312013646 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Logic open Types open Ast open Cc open Env module type S = sig (*s Translation of types *) val trad_scheme_v : Rename.t -> local_env -> type_v scheme -> cc_type val trad_type_v : Rename.t -> local_env -> type_v -> cc_type val trad_type_c : Rename.t -> local_env -> type_c -> cc_type val trad_imp_type : Rename.t -> local_env -> type_v -> cc_type val trad_type_in_env : Rename.t -> local_env -> Ident.t -> cc_type val exn_arg_type : Ident.t -> cc_type (*s Basic monadic operators. They operate over values of type [interp] i.e. functions building a [cc_term] given a renaming structure. *) type interp = Rename.t -> (Loc.position * predicate) cc_term (*s The [unit] operator encapsulates a term in a computation. *) type result = | Value of term | Exn of Ident.t * term option val unit : typing_info -> result -> interp (*s [compose k1 e1 e2] evaluates computation [e1] of type [k1] and passes its result (actually, a variable naming this result) to a second computation [e2]. [apply] is a variant of [compose] where [e2] is abstracted (typically, a function) and thus must be applied to its input. *) val compose : typing_info -> interp -> typing_info -> (Ident.t -> interp) -> interp val apply : typing_info -> interp -> typing_info -> (Ident.t -> interp) -> interp (*s Monadic operator to raise and handle exceptions *) val exn : typing_info -> Ident.t -> term option -> interp val handle : typing_info -> interp -> typing_info -> (exn_pattern * (Ident.t -> interp)) list -> interp (*s Other monadic operators. *) val cross_label : string -> interp -> interp val insert_pre : local_env -> precondition -> interp -> interp val insert_many_pre : local_env -> precondition list -> interp -> interp val abstraction : typing_info -> precondition list -> interp -> interp val fresh : Ident.t -> (Ident.t -> interp) -> interp (*s Well-founded recursion. *) val wfrec : variant -> precondition list -> typing_info -> (interp -> interp) -> interp val wfrec_with_binders : cc_binder list -> variant -> precondition list -> typing_info -> (interp -> interp) -> interp (*s Table for recursive functions' interpretation *) val is_rec : Ident.t -> bool val find_rec : Ident.t -> interp val with_rec : Ident.t -> interp -> ('a -> 'b) -> 'a -> 'b end why-2.34/src/option_misc.ml0000644000175000017500000000505312311670312014264 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) let map f = function None -> None | Some x -> Some (f x) let map_default f d = function None -> d | Some x -> f x let iter f = function None -> () | Some x -> f x let fold f x c = match x with None -> c | Some x -> f x c let fold_left f c x = match x with None -> c | Some x -> f c x why-2.34/src/fpi.mli0000644000175000017500000000521412311670312012667 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (* realing-point intervals *) (* [split ol] extracts realing-point obligations (predicate `fpi') from a list of obligations and return the remaining ones *) val split : Cc.obligation list -> Cc.obligation list (* [output f] outputs the current realing-point obligations in file [f] *) val output : string -> unit (* clear the current set of obligations *) val reset : unit -> unit why-2.34/src/encoding_rec.ml0000644000175000017500000003725012311670312014364 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Options open Cc open Logic open Logic_decl let loc = Loc.dummy_floc let prefix = "c_" let suffix = "_c" let var = "x" let tvar = "t" let cpt = ref 0 let axiom c = c ^ "_to_" ^ (c^suffix) let def c = "def_"^c (* The unique type for all terms *) let ut = PTexternal ([], Ident.create (prefix^"unique")) let unify ptl = List.map (fun _ -> ut) ptl let prelude = (Dtype (loc, Ident.create (prefix^"unique"), [])):: (* The unique sort *) (Dlogic (loc, Ident.create (prefix^"sort"), Env.empty_scheme (Function ([ut; ut], ut)))):: (* The "sort" symbol *) (Dlogic (loc, Ident.create (prefix^"int"), Env.empty_scheme (Function ([], ut)))):: (* One synbol for each prefedined type *) (Dlogic (loc, Ident.create (prefix^"bool"), Env.empty_scheme (Function ([], ut)))):: (Dlogic (loc, Ident.create (prefix^"real"), Env.empty_scheme (Function ([], ut)))):: (Dlogic (loc, Ident.create (prefix^"unit"), Env.empty_scheme (Function ([], ut)))):: (Dlogic (loc, Ident.create ("equal"^suffix), Env.empty_scheme (Predicate ([ut; ut])))):: (* One 'untyped' predicate of equality *) (* (Daxiom (loc, axiom "equal", *) (* let t = Ident.create "t" *) (* and x = Ident.create "x" *) (* and y = Ident.create "y" in *) (* Env.empty_scheme *) (* (Forall (false, t, t, ut, *) (* Forall (false, x, x, ut, *) (* Forall (false, y, y, ut, *) (* (Pimplies *) (* (false, *) (* (Papp (Ident.create ("equal"^suffix), *) (* [Tapp (Ident.create (prefix^"sort"), *) (* [Tvar t; Tvar x], []); *) (* Tapp (Ident.create (prefix^"sort"), *) (* [Tvar t; Tvar y], [])], [])), *) (* (Papp (Ident.t_eq, [Tvar x; Tvar y], [])))) *) (* )))))):: (\* and the corresponding axiom to link it with the built-in = predicate *\) *) [] (* A list of polymorphic constants *) let poly_consts = ref [] let type_vars t = let rec aux acc t = match t with | PTvar ({type_val = None} as var) -> var::acc | PTvar {type_val = Some pt} -> aux acc pt | PTexternal (ptl, _id) -> List.fold_left aux acc ptl | _ -> [] in aux [] t let is_poly_cons ptl rt = let largs = List.fold_left List.append [] (List.map type_vars ptl) and lres = type_vars rt in List.exists (fun t -> not (List.mem t largs)) lres let i_ex id = (* Big big HACK... *) match Ident.string id with "nil" -> Ident.create "list" | "null" -> Ident.create "pointer" | "pset_empty" -> Ident.create "pset" | _ -> Ident.create "unknown poly-const" (* Function that plunges a term under its type information. *) (* Uses an assoc. list of tags -> idents for type variables *) let plunge fv term pt = let rec leftt pt = match pt with PTint -> Tapp (Ident.create (prefix^"int"), [], []) | PTbool -> Tapp (Ident.create (prefix^"bool"), [], []) | PTreal -> Tapp (Ident.create (prefix^"real"), [], []) | PTunit -> Tapp (Ident.create (prefix^"unit"), [], []) | PTvar ({type_val = None} as var) -> let t = try (List.assoc var.tag fv) with _ -> let s = string_of_int var.tag in (if debug then print_endline ("unknown vartype : "^s); s) in Tvar (Ident.create t) | PTvar {type_val = Some pt} -> leftt pt | PTexternal (ptl, id) -> Tapp (id, List.map (fun pt -> leftt pt) ptl, []) in Tapp (Ident.create (prefix^"sort"), [leftt pt; term], []) (* The core *) let queue = Queue.create () let reset () = poly_consts := []; Queue.clear queue let rec push d = match d with (* Dans le cas type on déclare la fonction correspondante, *) (* d'arité correspondant à la taille du schéma de ce type *) | Dtype (loc, ident, vars) -> Queue.add (Dlogic (loc, ident, Env.empty_scheme (Function (unify vars, ut)))) queue | Dalgtype _ -> assert false (* failwith "encoding rec: algebraic types are not supported" *) (* Dans le cas logique, on redéfinit le prédicat/la fonction *) (* avec le type u, et on fait un prédicat/une fonction qui *) (* l'appelle avec les informations de type *) | Dlogic (loc, ident, arity) -> let cpt = ref 0 in let fv = Env.Vset.fold (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc) (arity.Env.scheme_vars) [] in let name = Ident.string ident in (match arity.Env.scheme_type with | Predicate ptl -> let args = List.map (fun t -> Ident.create (let _ = cpt := !cpt + 1 in var^(string_of_int !cpt)), t) ptl in let terml = Papp (Ident.create (name^suffix), List.map (fun (id, t) -> plunge fv (Tvar id) t) args, []) and termr = Papp (ident, List.map (fun (t, _) -> Tvar t) args, []) in let rec lifted l p = match l with [] -> p | a::q -> lifted q (Forall(false, a, a, ut, [], p)) in let ax = Env.empty_scheme (lifted ((fst (List.split args))@(List.map (fun i -> Ident.create i) (snd (List.split fv)))) (Piff (terml, termr))) in (Queue.add (Dlogic (loc, Ident.create (name^suffix), Env.empty_scheme (Predicate (unify ptl)))) queue; Queue.add (Dlogic (loc, ident, Env.empty_scheme (Predicate (unify ptl)))) queue; Queue.add (Daxiom (loc, axiom name, ax)) queue) | Function (ptl, rt) -> let _ = if is_poly_cons ptl rt then (if debug then print_endline ("Constante polymorphe détectée : "^name); poly_consts := name :: !poly_consts) else () in let args = List.map (fun t -> Ident.create (let _ = cpt := !cpt + 1 in var^(string_of_int !cpt)), t) ptl in let terml = Tapp (Ident.create (name^suffix), List.map (fun (id, t) -> plunge fv (Tvar id) t) args, []) and termr = plunge fv (Tapp (ident, List.map (fun (t, _) -> Tvar t) args, [])) rt in let rec lifted l p = match l with [] -> p | a::q -> lifted q (Forall(false, a, a, ut, [], p)) in let ax = Env.empty_scheme (lifted ((fst (List.split args))@(List.map (fun i -> Ident.create i) (snd (List.split fv)))) (Papp (Ident.t_eq, [terml;termr], []))) in (Queue.add (Dlogic (loc, Ident.create (name^suffix), Env.empty_scheme (Function (unify ptl, ut)))) queue; Queue.add (Dlogic (loc, ident, Env.empty_scheme (Function (unify ptl, ut)))) queue; Queue.add (Daxiom (loc, axiom name, ax)) queue)) (* A predicate definition can be handled as a predicate logic definition + an axiom *) | Dpredicate_def (_loc, _ident, _pred_def_sch) -> assert false (* let p = pred_def_sch.Env.scheme_type in let rec lifted_t l p = match l with [] -> p | (a,t)::q -> lifted_t q (Forall(false, a, a, t, [], p)) in let name = Ident.string ident in push (Dlogic (loc, ident, (Env.generalize_logic_type (Predicate (snd (List.split (fst p))))))); push (Daxiom (loc, def name, (Env.generalize_predicate (lifted_t (fst p) (Piff ((Papp (ident, List.map (fun (i,_) -> Tvar i) (fst p), [])), (snd p))))))) *) | Dinductive_def _ -> assert false (* failwith "encoding rec: inductive def not yet supported" *) (* A function definition can be handled as a function logic definition + an axiom *) | Dfunction_def (_loc, _ident, _fun_def_sch) -> assert false (* let f = fun_def_sch.Env.scheme_type in let rec lifted_t l p = match l with | [] -> p | (a,t)::q -> lifted_t q (Forall(false, a, a, t, [], p)) in let (ptl, rt, t) = f in let name = Ident.string ident in push (Dlogic (loc, ident, (Env.generalize_logic_type (Function (snd (List.split ptl), rt))))); push (Daxiom (loc, def name, (Env.generalize_predicate (lifted_t ptl (Papp (Ident.t_eq, [(Tapp (ident, List.map (fun (i,_) -> Tvar i) ptl, [])); t], [])))))) *) | Daxiom (loc, name, pred_sch) -> let cpt = ref 0 in let fv = Env.Vset.fold (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc) (pred_sch.Env.scheme_vars) [] in let rec translate_eq lv = function | Papp (id, tl, inst) when Ident.is_eq id -> Papp (id, List.map (translate_term lv) tl, inst) (* Papp (Ident.create (prefix^"equal"), List.map (translate_term lv) tl, inst) *) | Papp (id, tl, inst) -> Papp (Ident.create (Ident.string id^suffix), List.map (translate_term lv) tl, inst) | Pimplies (iswp, p1, p2) -> Pimplies (iswp, translate_eq lv p1, translate_eq lv p2) | Pif (t, p1, p2) -> Pif (translate_term lv t, translate_eq lv p1, translate_eq lv p2) | Pand (iswp, issym, p1, p2) -> Pand (iswp, issym, translate_eq lv p1, translate_eq lv p2) | Por (p1, p2) -> Por (translate_eq lv p1, translate_eq lv p2) | Piff (p1, p2) -> Piff (translate_eq lv p1, translate_eq lv p2) | Pnot p -> Pnot (translate_eq lv p) | Forall (iswp, id, n, pt, tl, p) -> let lv' = (n,pt)::lv in let tl' = List.map (List.map (translate_pattern lv')) tl in Forall (iswp, id, n, ut, tl', translate_eq lv' p) | Forallb (iswp, p1, p2) -> Forallb (iswp, translate_eq lv p1, translate_eq lv p2) | Exists (id, n, pt, p) -> Exists (id, n, ut, translate_eq ((n,pt)::lv) p) | Pnamed (s, p) -> Pnamed (s, translate_eq lv p) | _ as d -> d and translate_pattern lv = function | TPat t -> TPat (translate_term lv t) | PPat p -> PPat (translate_eq lv p) and translate_term lv = function | Tvar id -> plunge fv (Tvar id) (List.assoc id lv) | Tapp (id, tl, inst) when List.mem (Ident.string id) !poly_consts -> if inst = [] then (print_string "probleme probleme"; Tapp (Ident.create (Ident.string id ^suffix), List.map (translate_term lv) tl, inst)) else plunge fv (Tapp (id, List.map (translate_term lv) tl, inst)) (PTexternal (inst, i_ex id)) (* HACK !! *) | Tapp (id, tl, inst) -> Tapp (Ident.create (Ident.string id ^suffix), List.map (translate_term lv) tl, inst) | Tconst (ConstInt _) as t -> plunge fv t PTint | Tconst (ConstBool _) as t -> plunge fv t PTbool | Tconst (ConstUnit) as t -> plunge fv t PTunit | Tconst (ConstFloat _) as t -> plunge fv t PTreal | _ as t -> t in let rec lifted l p = match l with [] -> p | (_,a)::q -> lifted q (Forall(false, Ident.create a, Ident.create a, ut, [], p)) in Queue.add (Daxiom (loc, name, Env.empty_scheme (lifted fv (translate_eq [] pred_sch.Env.scheme_type)))) queue | Dgoal (loc, is_lemma, expl, name, s_sch) -> let cpt = ref 0 in let (cel, pred) = s_sch.Env.scheme_type in let fv = Env.Vset.fold (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc) (s_sch.Env.scheme_vars) [] in let lookup id = let rec aux = function | [] -> raise Not_found | (Svar (i, pt))::_q when id = i -> pt | (Spred (_, _))::q | (Svar (_,_))::q -> aux q in aux cel in let rec translate_eq lv = function | Papp (id, tl, inst) when Ident.is_eq id -> Papp (id, List.map (translate_term lv) tl, inst) (* Papp (Ident.create (prefix^"equal"), List.map (translate_term lv) tl, inst) *) | Papp (id, tl, inst) -> Papp (Ident.create (Ident.string id^suffix), List.map (translate_term lv) tl, inst) | Pimplies (iswp, p1, p2) -> Pimplies (iswp, translate_eq lv p1, translate_eq lv p2) | Pif (t, p1, p2) -> Pif (translate_term lv t, translate_eq lv p1, translate_eq lv p2) | Pand (iswp, issym, p1, p2) -> Pand (iswp, issym, translate_eq lv p1, translate_eq lv p2) | Por (p1, p2) -> Por (translate_eq lv p1, translate_eq lv p2) | Piff (p1, p2) -> Piff (translate_eq lv p1, translate_eq lv p2) | Pnot p -> Pnot (translate_eq lv p) | Forall (iswp, id, n, pt, tl, p) -> let lv' = (n,pt)::lv in let tl' = List.map (List.map (translate_pattern lv')) tl in Forall (iswp, id, n, ut, tl', translate_eq lv' p) | Forallb (iswp, p1, p2) -> Forallb (iswp, translate_eq lv p1, translate_eq lv p2) | Exists (id, n, pt, p) -> Exists (id, n, ut, translate_eq ((n,pt)::lv) p) | Pnamed (s, p) -> Pnamed (s, translate_eq lv p) | _ as d -> d and translate_pattern lv = function | TPat t -> TPat (translate_term lv t) | PPat p -> PPat (translate_eq lv p) and translate_term lv = function | Tvar id -> (try (plunge fv (Tvar id) (List.assoc id lv)) with Not_found -> plunge fv (Tvar id) (lookup id)) | Tapp (id, tl, inst) when List.mem (Ident.string id) !poly_consts -> if inst = [] then (print_string "probleme probleme"; Tapp (Ident.create (Ident.string id ^suffix), List.map (translate_term lv) tl, inst)) else plunge fv (Tapp (id, List.map (translate_term lv) tl, inst)) (PTexternal (inst, i_ex id)) (* HACK !! *) | Tapp (id, tl, inst) -> Tapp (Ident.create (Ident.string id ^suffix), List.map (translate_term lv) tl, inst) | Tconst (ConstInt _) as t -> plunge fv t PTint | Tconst (ConstBool _) as t -> plunge fv t PTbool | Tconst (ConstUnit) as t -> plunge fv t PTunit | Tconst (ConstFloat _) as t -> plunge fv t PTreal | _ as t -> t in (* dead code let rec lifted l p = match l with [] -> p | (_,a)::q -> lifted q (Forall(false, Ident.create a, Ident.create a, ut, [], p)) in *) Queue.add (Dgoal (loc, is_lemma, expl, name, Env.empty_scheme (List.map (fun s -> match s with Spred (id, p) -> Spred (id, translate_eq [] p) | s -> s) cel, translate_eq [] pred))) queue let iter f = (* first the prelude *) List.iter f prelude; (* then the queue *) Queue.iter f queue why-2.34/src/wserver.ml0000644000175000017500000003224212311670312013436 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (* Copyright (c) 1998-2005 INRIA *) let sock_in = ref "wserver.sin" let sock_out = ref "wserver.sou" let noproc = ref false let wserver_oc = set_binary_mode_out stdout true; ref stdout let wprint fmt = Printf.fprintf !wserver_oc fmt let wflush () = flush !wserver_oc let hexa_digit x = if x >= 10 then Char.chr (Char.code 'A' + x - 10) else Char.chr (Char.code '0' + x) let hexa_val conf = match conf with '0'..'9' -> Char.code conf - Char.code '0' | 'a'..'f' -> Char.code conf - Char.code 'a' + 10 | 'A'..'F' -> Char.code conf - Char.code 'A' + 10 | _ -> 0 let decode s = let rec need_decode i = if i < String.length s then match s.[i] with '%' | '+' -> true | _ -> need_decode (succ i) else false in let rec compute_len i i1 = if i < String.length s then let i = match s.[i] with '%' when i + 2 < String.length s -> i + 3 | _ -> succ i in compute_len i (succ i1) else i1 in let rec copy_decode_in s1 i i1 = if i < String.length s then let i = match s.[i] with '%' when i + 2 < String.length s -> let v = hexa_val s.[i + 1] * 16 + hexa_val s.[i + 2] in s1.[i1] <- Char.chr v; i + 3 | '+' -> s1.[i1] <- ' '; succ i | x -> s1.[i1] <- x; succ i in copy_decode_in s1 i (succ i1) else s1 in let rec strip_heading_and_trailing_spaces s = if String.length s > 0 then if s.[0] == ' ' then strip_heading_and_trailing_spaces (String.sub s 1 (String.length s - 1)) else if s.[String.length s - 1] == ' ' then strip_heading_and_trailing_spaces (String.sub s 0 (String.length s - 1)) else s else s in if need_decode 0 then let len = compute_len 0 0 in let s1 = String.create len in strip_heading_and_trailing_spaces (copy_decode_in s1 0 0) else s let special = function '\000'..'\031' | '\127'..'\255' | '<' | '>' | '\"' | '#' | '%' | '{' | '}' | '|' | '\\' | '^' | '~' | '[' | ']' | '`' | ';' | '/' | '?' | ':' | '@' | '=' | '&' -> true | _ -> false let encode s = let rec need_code i = if i < String.length s then match s.[i] with ' ' -> true | x -> if special x then true else need_code (succ i) else false in let rec compute_len i i1 = if i < String.length s then let i1 = if special s.[i] then i1 + 3 else succ i1 in compute_len (succ i) i1 else i1 in let rec copy_code_in s1 i i1 = if i < String.length s then let i1 = match s.[i] with ' ' -> s1.[i1] <- '+'; succ i1 | c -> if special c then begin s1.[i1] <- '%'; s1.[i1 + 1] <- hexa_digit (Char.code c / 16); s1.[i1 + 2] <- hexa_digit (Char.code c mod 16); i1 + 3 end else begin s1.[i1] <- c; succ i1 end in copy_code_in s1 (succ i) i1 else s1 in if need_code 0 then let len = compute_len 0 0 in copy_code_in (String.create len) 0 0 else s let nl () = wprint "\013\010" let http answer = let answer = if answer = "" then "200 OK" else answer in wprint "HTTP/1.0 %s" answer; nl () let print_exc exc = match exc with Unix.Unix_error (err, fun_name, arg) -> prerr_string "\""; prerr_string fun_name; prerr_string "\" failed"; if String.length arg > 0 then begin prerr_string " on \""; prerr_string arg; prerr_string "\"" end; prerr_string ": "; prerr_endline (Unix.error_message err) | Out_of_memory -> prerr_string "Out of memory\n" | Match_failure (file, first_char, last_char) -> prerr_string "Pattern matching failed, file "; prerr_string file; prerr_string ", chars "; prerr_int first_char; prerr_char '-'; prerr_int last_char; prerr_char '\n' | Assert_failure (file, first_char, last_char) -> prerr_string "Assertion failed, file "; prerr_string file; prerr_string ", chars "; prerr_int first_char; prerr_char '-'; prerr_int last_char; prerr_char '\n' | x -> prerr_string "Uncaught exception: "; prerr_string (Obj.magic (Obj.field (Obj.field (Obj.repr x) 0) 0)); if Obj.size (Obj.repr x) > 1 then begin prerr_char '('; for i = 1 to Obj.size (Obj.repr x) - 1 do if i > 1 then prerr_string ", "; let arg = Obj.field (Obj.repr x) i in if not (Obj.is_block arg) then prerr_int (Obj.magic arg : int) else if Obj.tag arg = 252 then begin prerr_char '\"'; prerr_string (Obj.magic arg : string); prerr_char '\"' end else prerr_char '_' done; prerr_char ')' end; prerr_char '\n' let print_err_exc exc = print_exc exc; flush stderr let case_unsensitive_eq s1 s2 = String.lowercase s1 = String.lowercase s2 let rec extract_param name stop_char = function x :: l -> if String.length x >= String.length name && case_unsensitive_eq (String.sub x 0 (String.length name)) name then let i = let rec loop i = if i = String.length x then i else if x.[i] = stop_char then i else loop (i + 1) in loop (String.length name) in String.sub x (String.length name) (i - String.length name) else extract_param name stop_char l | [] -> "" let buff = ref (String.create 80) let store len x = if len >= String.length !buff then buff := !buff ^ String.create (String.length !buff); !buff.[len] <- x; succ len let get_buff len = String.sub !buff 0 len let get_request strm = let rec loop len (strm__ : _ Stream.t) = match Stream.peek strm__ with Some '\010' -> Stream.junk strm__; let s = strm__ in if len == 0 then [] else let str = get_buff len in str :: loop 0 s | Some '\013' -> Stream.junk strm__; loop len strm__ | Some c -> Stream.junk strm__; loop (store len c) strm__ | _ -> if len == 0 then [] else [get_buff len] in loop 0 strm let timeout tmout spid _ = Unix.kill spid Sys.sigkill; http ""; wprint "Content-type: text/html; charset=iso-8859-1"; nl (); nl (); wprint "Time out\n"; wprint "

Time out

\n"; wprint "Computation time > %d second(s)\n" tmout; wprint "\n"; wflush (); exit 2 let get_request_and_content strm = let request = get_request strm in let content = match extract_param "content-length: " ' ' request with "" -> "" | x -> let str = String.create (int_of_string x) in for i = 0 to String.length str - 1 do str.[i] <- let (strm__ : _ Stream.t) = strm in match Stream.peek strm__ with Some x -> Stream.junk strm__; x | _ -> ' ' done; str in request, content let string_of_sockaddr = function Unix.ADDR_UNIX s -> s | Unix.ADDR_INET (a, _) -> Unix.string_of_inet_addr a let sockaddr_of_string s = Unix.ADDR_UNIX s let treat_connection tmout callback addr fd = (); let (request, script_name, contents__) = let (request, contents__) = let strm = let c = " " in Stream.from (fun _ -> if Unix.read fd c 0 1 = 1 then Some c.[0] else None) in get_request_and_content strm in let (script_name, contents__) = match extract_param "GET /" ' ' request with "" -> extract_param "POST /" ' ' request, contents__ | str -> try let i = String.index str '?' in String.sub str 0 i, String.sub str (i + 1) (String.length str - i - 1) with Not_found -> str, "" in request, script_name, contents__ in if script_name = "robots.txt" then begin http ""; wprint "Content-type: text/plain"; nl (); nl (); wprint "User-Agent: *"; nl (); wprint "Disallow: /"; nl (); wflush (); Printf.eprintf "Robot request\n"; flush stderr end else begin begin try callback (addr, request) script_name contents__ with Unix.Unix_error (Unix.EPIPE, "write", _) -> () | exc -> print_err_exc exc end; begin try wflush () with _ -> () end; try flush stderr with _ -> () end let buff = String.create 1024 (* *) let rec list_remove x = function [] -> failwith "list_remove" | y :: l -> if x = y then l else y :: list_remove x l (* *) (* *) (* *) (* *) let wait_and_compact s = if Unix.select [s] [] [] 15.0 = ([], [], []) then begin Printf.eprintf "Compacting... "; flush stderr; Gc.compact (); Printf.eprintf "Ok\n"; flush stderr end let skip_possible_remaining_chars fd = let b = "..." in try let rec loop () = match Unix.select [fd] [] [] 5.0 with [_], [], [] -> let len = Unix.read fd b 0 (String.length b) in if len = String.length b then loop () | _ -> () in loop () with Unix.Unix_error (Unix.ECONNRESET, _, _) -> () let accept_connection tmout max_clients callback s = wait_and_compact s; let (t, addr) = Unix.accept s in Unix.setsockopt t Unix.SO_KEEPALIVE true; let cleanup () = begin try Unix.shutdown t Unix.SHUTDOWN_SEND with _ -> () end; begin try Unix.shutdown t Unix.SHUTDOWN_RECEIVE with _ -> () end; try Unix.close t with _ -> () in wserver_oc := Unix.out_channel_of_descr t; treat_connection tmout callback addr t; cleanup () let f addr_opt port tmout max_clients g = match None with Some s -> () | None -> let addr = match addr_opt with Some addr -> begin try Unix.inet_addr_of_string addr with Failure _ -> (Unix.gethostbyname addr).Unix.h_addr_list.(0) end | None -> Unix.inet_addr_any in let s = Unix.socket Unix.PF_INET Unix.SOCK_STREAM 0 in Unix.setsockopt s Unix.SO_REUSEADDR true; Unix.bind s (Unix.ADDR_INET (addr, port)); Unix.listen s 4; Sys.set_signal Sys.sigpipe Sys.Signal_ignore; let tm = Unix.localtime (Unix.time ()) in Printf.eprintf "Ready %4d-%02d-%02d %02d:%02d port" (1900 + tm.Unix.tm_year) (succ tm.Unix.tm_mon) tm.Unix.tm_mday tm.Unix.tm_hour tm.Unix.tm_min; Printf.eprintf " %d" port; Printf.eprintf "...\n"; flush stderr; while true do begin try accept_connection tmout max_clients g s with Unix.Unix_error (Unix.ECONNRESET, "accept", _) -> () | Unix.Unix_error ((Unix.EBADF | Unix.ENOTSOCK), "accept", _) as x -> raise x | exc -> print_err_exc exc end; begin try wflush () with Sys_error _ -> () end; begin try flush stdout with Sys_error _ -> () end; flush stderr done why-2.34/src/wp.mli0000644000175000017500000000477612311670312012553 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s Weakest preconditions *) open Env val wp : typed_expr -> typed_expr * Ast.assertion option (** val wp : typed_expr -> Ast.assertion option * (Cc.proof_term -> typed_expr) ***) val well_founded_rel : Ast.variant option -> Logic.predicate why-2.34/src/zenon.ml0000644000175000017500000003237712311670312013103 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s Zenon output *) open Pp open Ident open Options open Misc open Error open Logic open Logic_decl open Vcg open Format open Cc open Ltyping open Env open Report (*s Pretty print *) let is_zenon_keyword = let ht = Hashtbl.create 17 in List.iter (fun kw -> Hashtbl.add ht kw ()) ["True"; "False"]; Hashtbl.mem ht let is_zenon_ident s = let is_zenon_char = function | 'a'..'z' | 'A'..'Z' | '0'..'9' | '_' -> true | _ -> false in try String.iter (fun c -> if not (is_zenon_char c) then raise Exit) s; true with Exit -> false let renamings = Hashtbl.create 17 let fresh_name = let r = ref 0 in fun () -> incr r; "zenon__" ^ string_of_int !r let rename s = if is_zenon_keyword s then "zenon__" ^ s else if not (is_zenon_ident s) then begin try Hashtbl.find renamings s with Not_found -> let s' = fresh_name () in Hashtbl.add renamings s s'; s' end else s let ident fmt id = fprintf fmt "%s" (rename (string id)) let idents fmt s = fprintf fmt "%s" (rename s) let symbol fmt (id,_i) = ident fmt id (* Monomorph.symbol fmt (id, i) *) let infix id = if id == t_lt then "why__lt" else if id == t_le then "why__le" else if id == t_gt then "why__gt" else if id == t_ge then "why__ge" (* int cmp *) else if id == t_lt_int then "why__lt_int" else if id == t_le_int then "why__le_int" else if id == t_gt_int then "why__gt_int" else if id == t_ge_int then "why__ge_int" (* int ops *) else if id == t_add_int then "why__add_int" else if id == t_sub_int then "why__sub_int" else if id == t_mul_int then "why__mul_int" (* else if id == t_div_int then "why__div_int" *) (* real ops *) else if id == t_add_real then "why__add_real" else if id == t_sub_real then "why__sub_real" else if id == t_mul_real then "why__mul_real" else if id == t_div_real then "why__div_real" else if id == t_lt_real then "why__lt_real" else if id == t_le_real then "why__le_real" else if id == t_gt_real then "why__gt_real" else if id == t_ge_real then "why__ge_real" else assert false let external_type = function | PTexternal _ -> true | _ -> false let rec print_pure_type fmt = function | PTint -> fprintf fmt "INT" | PTbool -> fprintf fmt "BOOLEAN" | PTreal -> fprintf fmt "REAL" | PTunit -> fprintf fmt "UNIT" | PTvar {type_val=Some pt} -> print_pure_type fmt pt | PTvar {type_val=None; tag=t} -> fprintf fmt "'a%d" t | PTexternal (i ,id) -> symbol fmt (id,i) let rec print_term fmt = function | Tvar id -> fprintf fmt "%a" ident id | Tconst (ConstInt n) -> fprintf fmt "why__int_const_%s" n | Tconst (ConstBool true) -> fprintf fmt "true" | Tconst (ConstBool false) -> fprintf fmt "false" | Tconst ConstUnit -> fprintf fmt "tt" (* TODO: CORRECT? *) | Tconst (ConstFloat c) -> Print_real.print_with_integers "why__real_const_%s" "(why__mul_real why__real_const_%s why__real_const_%s)" "(why_div_real why__real_const_%s why__real_const_%s)" fmt c | Tderef _ -> assert false (* | Tapp (id, ([_;_] as tl), _) when id == t_mod_int -> fprintf fmt "@[(%a %a)@]" ident id print_terms tl *) | Tapp (id, [a], _) when id == t_sqrt_real || id == t_int_of_real -> fprintf fmt "@[(%a %a)@]" ident id print_term a | Tapp (id, [a], _) when id == t_real_of_int -> fprintf fmt "@[(%a %a)@]" ident id print_term a (** | Tapp (id, [a; b], _) when id == access -> fprintf fmt "@[(access@ %a@ %a)@]" print_term a print_term b | Tapp (id, [a; b; c], _) when id == store -> fprintf fmt "@[(update@ %a@ %a@ %a)@]" print_term a print_term b print_term c **) | Tapp (id, [t], _) when id == t_neg_int -> fprintf fmt "@[(why__sub_int why__int_const_0 %a)@]" print_term t | Tapp (id, [t], _) when id == t_neg_real -> fprintf fmt "@[(why__sub_real why__real_const_0 %a)@]" print_term t | Tapp (id, [a;b], _) when is_relation id || is_arith id -> fprintf fmt "@[(%s %a %a)@]" (infix id) print_term a print_term b | Tapp (id, [], i) -> symbol fmt (id,i) | Tapp (id, tl, i) -> fprintf fmt "@[(%a %a)@]" symbol (id,i) print_terms tl | Tnamed (_, t) -> (* TODO: print name *) print_term fmt t and print_terms fmt tl = print_list space print_term fmt tl let rec print_predicate fmt = function | Ptrue -> fprintf fmt "True" | Pvar id when id == Ident.default_post -> fprintf fmt "True" | Pfalse -> fprintf fmt "False" | Pvar id -> fprintf fmt "%a" ident id | Papp (id, tl, _) when id == t_distinct -> fprintf fmt "@[(%a)@]" print_predicate (Util.distinct tl) | Papp (id, [_t], _) when id == well_founded -> fprintf fmt "True ;; was well_founded@\n" | Papp (id, [a; b], _) when id == t_eq_bool -> fprintf fmt "@[(= %a@ %a)@]" print_term a print_term b | Papp (id, [a; b], _) when id == t_neq_bool -> fprintf fmt "@[(-. (= %a@ %a))@]" print_term a print_term b | Papp (id, [a; b], _) when is_eq id -> fprintf fmt "@[(= %a@ %a)@]" print_term a print_term b | Papp (id, [a; b], _) when is_neq id -> fprintf fmt "@[(-. (= %a@ %a))@]" print_term a print_term b | Papp (id, [a;b], _) when is_int_comparison id || is_real_comparison id -> fprintf fmt "@[(%s %a %a)@]" (infix id) print_term a print_term b | Papp (id, [a;b], _) when id == t_zwf_zero -> fprintf fmt "@[(/\\ (why__le_int why__int_const_0 %a)@ (why__lt_int %a %a))@]" print_term b print_term a print_term b | Papp (id, tl, i) -> fprintf fmt "@[(%a@ %a)@]" symbol (id, i) print_terms tl | Pimplies (_, a, b) -> fprintf fmt "@[(=> %a@ %a)@]" print_predicate a print_predicate b | Piff (a, b) -> fprintf fmt "@[(<=> %a@ %a)@]" print_predicate a print_predicate b | Pif (a, b, c) -> fprintf fmt "@[(/\\ (=> (= %a true) %a)@ (=> (= %a false) %a))@]" print_term a print_predicate b print_term a print_predicate c | Pand (_, _, a, b) | Forallb (_, a, b) -> fprintf fmt "@[(/\\ %a@ %a)@]" print_predicate a print_predicate b | Por (a, b) -> fprintf fmt "@[(\\/ %a@ %a)@]" print_predicate a print_predicate b | Pnot a -> fprintf fmt "@[(-.@ %a)@]" print_predicate a | Forall (_,id,n,t,_,p) -> let id' = next_away id (predicate_vars p) in let p' = subst_in_predicate (subst_onev n id') p in fprintf fmt "@[(A. ((%a \"%a\")@ %a))@]" ident id' print_pure_type t print_predicate p' | Exists (id,n,t,p) -> let id' = next_away id (predicate_vars p) in let p' = subst_in_predicate (subst_onev n id') p in fprintf fmt "@[(E. ((%a \"%a\")@ %a))@]" ident id' print_pure_type t print_predicate p' | Pnamed (_, p) -> (* TODO: print name *) print_predicate fmt p | Plet (_, n, _, t, p) -> print_predicate fmt (subst_term_in_predicate n t p) let cc_external_type = function | Cc.TTpure ty -> external_type ty | Cc.TTarray (Cc.TTpure (PTexternal _)) -> true | _ -> false let rec print_cc_type fmt = function | TTpure pt -> print_pure_type fmt pt | TTarray v -> fprintf fmt "(@[ARRAY_%a@])" print_cc_type v | _ -> assert false let print_sequent fmt (hyps,concl) = let rec print_seq fmt = function | [] -> print_predicate fmt concl | Svar (id, v) :: hyps -> fprintf fmt "@[(A. ((%a \"%a\")@ %a))@]" ident id print_pure_type v print_seq hyps | Spred (_,p) :: hyps -> fprintf fmt "@[(=> %a@ %a)@]" print_predicate p print_seq hyps in print_seq fmt hyps let rec print_logic_type fmt = function | Predicate [] -> fprintf fmt "prop" | Predicate pl -> fprintf fmt "%a -> prop" (print_list comma print_pure_type) pl | Function ([], pt) -> print_pure_type fmt pt | Function (pl, pt) -> fprintf fmt "%a -> %a" (print_list comma print_pure_type) pl print_pure_type pt let declare_type fmt id = fprintf fmt "@[;; type %s@]@\n@\n" id let print_parameter fmt id c = fprintf fmt "@[;; Why parameter %a@]@\n" idents id; fprintf fmt "@[;; %a: %a@]@\n@\n" idents id print_cc_type c let print_logic fmt id _t = fprintf fmt ";; Why logic %a@\n@\n" idents id (* fprintf fmt "@[;; %a%a: %a@]@\n@\n" idents id instance i print_logic_type t *) (* Function and predicate definitions are handled in Encoding *) (* let print_predicate_def fmt id (bl,p) = fprintf fmt "@[;; Why predicate %a@]@\n" idents id; fprintf fmt "@[$hyp \"%a\" " idents id; List.iter (fun (x,_) -> fprintf fmt "(A. ((%a)@ " ident x) bl; fprintf fmt "(<=> (%a %a)@ %a)" idents id (print_list space (fun fmt (x,_) -> fprintf fmt "%a" ident x)) bl print_predicate p; List.iter (fun _ -> fprintf fmt "))") bl; fprintf fmt "@]@\n@\n" let print_function_def fmt id (bl,t,e) = fprintf fmt "@[;; Why function %a@]@\n" idents id; fprintf fmt "@[$hyp \"%a\" " idents id; List.iter (fun (x,_) -> fprintf fmt "(A. ((%a)@ " ident x) bl; fprintf fmt "(= (%a %a)@ %a)" idents id (print_list space (fun fmt (x,_) -> fprintf fmt "%a" ident x)) bl print_term e; List.iter (fun _ -> fprintf fmt "))@]@\n") bl; fprintf fmt "@]@\n" *) let print_axiom fmt id p = fprintf fmt "@[;; Why axiom %s@]@\n" id; fprintf fmt "@[$hyp \"%s\" %a@]@\n@\n" id print_predicate p let print_obligation fmt loc _is_lemma _expl o s = fprintf fmt "@[;; %s, %a@]@\n" o Loc.gen_report_line loc; fprintf fmt "@[$goal %a@]@\n\n" print_sequent s let push_decl d = Encoding.push d let iter = Encoding.iter (*Monomorph.iter*) let reset () = Encoding.reset (*Monomorph.reset*) () let output_elem fmt = function | Dtype (_loc, id, _) -> declare_type fmt (Ident.string id) | Dalgtype _ -> assert false (* failwith "Zenon output: alebraic types are not supported" *) | Dlogic (_loc, id, t) -> print_logic fmt (Ident.string id) t.scheme_type | Dpredicate_def (_loc, _id, _d) -> assert false (* let id = Ident.string id in print_predicate_def fmt id d.scheme_type *) | Dinductive_def _ -> assert false (* failwith "Zenon output: inductive def not yet supported" *) | Dfunction_def (_loc, _id, _d) -> assert false (* let id = Ident.string id in print_function_def fmt id d.scheme_type *) | Daxiom (_loc, id, p) -> print_axiom fmt id p.scheme_type | Dgoal (loc, is_lemma, expl, id, s) -> print_obligation fmt loc is_lemma expl id s.Env.scheme_type let prelude_done = ref false let prelude fmt = if not !prelude_done && not no_zenon_prelude then begin prelude_done := true; fprintf fmt " ;; Zenon prelude $hyp \"why__prelude_1\" ; x+0=x (A. ((x \"INT\") (= (why__add_int x why__int_const_0) x))) $hyp \"why__prelude_2\" ; 0+x=x (A. ((x \"INT\") (= (why__add_int why__int_const_0 x) x))) $hyp \"why__prelude_3\" ; x+y=y+x (A. ((x \"INT\") (A. ((y \"INT\") (= (why__add_int x y) (why__add_int y x)))))) " end let print_file fmt = iter (output_elem fmt) let output_file ~allowedit file = if allowedit then begin let sep = ";; DO NOT EDIT BELOW THIS LINE" in do_not_edit_below ~file ~before:prelude ~sep ~after:print_file end else print_in_file print_file file why-2.34/src/hol4.mli0000644000175000017500000000470512311670312012763 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s HOL 4 output (contributed by Seungkeol Choe, University of Utah) *) open Vcg open Cc val reset : unit -> unit val push_decl : Logic_decl.t -> unit val output_file : string -> unit why-2.34/src/print_real.ml0000644000175000017500000001427412311670312014105 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Format open Big_int open Logic let print_decimal_no_exponent fmt ~prefix_div = function | "","0",_ | "0","",_ | "0","0",_ -> fprintf fmt "0.0" | "",f, None -> fprintf fmt "0.%s" f | i,"", None -> fprintf fmt "%s.0" i | i,f, None -> fprintf fmt "%s.%s" i f | i,f, Some e -> let e = (int_of_string e) - String.length f in if e = 0 then fprintf fmt "%s%s" i f else let op,s = if e > 0 then "*",(String.make e '0') else "/",(String.make (-e) '0') in if prefix_div then fprintf fmt "(%s %s%s.0 1%s.0)" op i f s else fprintf fmt "(%s%s %s.0 1%s.0)" i f op s let num0 = Num.Int 0 let num10 = Num.Int 10 let num16 = Num.Int 16 let decnumber s = let r = ref num0 in for i=0 to String.length s - 1 do r := Num.add_num (Num.mult_num num10 !r) (Num.num_of_int (Char.code s.[i] - Char.code '0')) done; !r let hexnumber s = let r = ref num0 in for i=0 to String.length s - 1 do let c = s.[i] in let v = match c with | '0'..'9' -> Char.code c - Char.code '0' | 'a'..'f' -> Char.code c - Char.code 'a' + 10 | 'A'..'F' -> Char.code c - Char.code 'A' + 10 | _ -> assert false in r := Num.add_num (Num.mult_num num16 !r) (Num.num_of_int v) done; !r let print_hexa fmt i f e = let mant = hexnumber (i^f) in let v = if e="" then mant else if String.get e 0 = '-' then Num.div_num mant (Num.power_num (Num.Int 2) (decnumber (String.sub e 1 (String.length e - 1)))) else Num.mult_num mant (Num.power_num (Num.Int 2) (decnumber e)) in let v = Num.div_num v (Num.power_num (Num.Int 16) (Num.num_of_int (String.length f))) in let i = Num.floor_num v in let f = ref (Num.sub_num v i) in if Num.eq_num !f num0 then fprintf fmt "%s.0" (Num.string_of_num i) else begin fprintf fmt "%s." (Num.string_of_num i); while not (Num.eq_num !f num0) do f := Num.mult_num !f num10; let i = Num.floor_num !f in fprintf fmt "%s" (Num.string_of_num i); f := Num.sub_num !f i done end (* Format.fprintf fmt ";;;; %s@\n" (Num.string_of_num v) *) let print_no_exponent fmt ~prefix_div = function | RConstDecimal (i, f, e) -> print_decimal_no_exponent fmt ~prefix_div (i,f,e) | RConstHexa (i, f, e) -> print_hexa fmt i f e let hexa_to_decimal s = let n = String.length s in let rec compute acc i = if i = n then acc else compute (add_int_big_int (match s.[i] with | '0'..'9' as c -> Char.code c - Char.code '0' | 'A'..'F' as c -> 10 + Char.code c - Char.code 'A' | 'a'..'f' as c -> 10 + Char.code c - Char.code 'a' | _ -> assert false) (mult_int_big_int 16 acc)) (i+1) in string_of_big_int (compute zero_big_int 0) let power2 n = string_of_big_int (power_int_positive_int 2 n) let print_with_integers exp0_fmt exp_pos_fmt exp_neg_fmt fmt = function | RConstDecimal (i, f, e) -> let f = if f = "0" then "" else f in let e = (match e with None -> 0 | Some e -> int_of_string e) - String.length f in if e = 0 then fprintf fmt exp0_fmt (i ^ f) else if e > 0 then fprintf fmt exp_pos_fmt (i ^ f) ("1" ^ String.make e '0') else fprintf fmt exp_neg_fmt (i ^ f) ("1" ^ String.make (-e) '0') | RConstHexa (i, f, e) -> let f = if f = "0" then "" else f in let dec = hexa_to_decimal (i ^ f) in let e = int_of_string e - 4 * String.length f in if e = 0 then fprintf fmt exp0_fmt dec else if e > 0 then fprintf fmt exp_pos_fmt dec (power2 e) else fprintf fmt exp_neg_fmt dec (power2 (-e)) let print fmt = function | RConstDecimal (i, f,None) -> fprintf fmt "%s.%s" i f | RConstDecimal (i, f, Some e) -> fprintf fmt "%s.%se%s" i f e | RConstHexa (i, f, e) -> fprintf fmt "0x%s.%sp%s" i f e (* Local Variables: compile-command: "unset LANG; nice make -j -C .. byte" End: *) why-2.34/src/wserver.mli0000644000175000017500000001276012311670312013612 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (* Copyright (c) 1998-2005 INRIA *) (* module [Wserver]: elementary web service *) val f : string option -> int -> int -> int option -> (Unix.sockaddr * string list -> string -> string -> unit) -> unit (* [Wserver.f addr port tmout maxc g] starts an elementary httpd server at port [port] in the current machine. The variable [addr] is [Some the-address-to-use] or [None] for any of the available addresses of the present machine. The port number is any number greater than 1024 (to create a client < 1024, you must be root). At each connection, the function [g] is called: [g (addr, request) scr cont] where [addr] is the client identification socket, [request] the browser request, [scr] the script name (extracted from [request]) and [cont] the stdin contents . The function [g] has [tmout] seconds to answer some text on standard output. If [maxc] is [Some n], maximum [n] clients can be treated at the same time; [None] means no limit. See the example below. *) val wprint : ('a, out_channel, unit) format -> 'a (* To be called to print page contents. *) val wflush : unit -> unit (* To flush page contents print. *) val http : string -> unit (* [Wserver.http answer] sends the http header where [answer] represents the answer status. If empty string, "200 OK" is assumed. *) val encode : string -> string (* [Wserver.encode s] encodes the string [s] in another string where spaces and special characters are coded. This allows to put such strings in html links . This is the same encoding done by Web browsers in forms. *) val decode : string -> string (* [Wserver.decode s] does the inverse job than [Wserver.code], restoring the initial string. *) val extract_param : string -> char -> string list -> string (* [extract_param name stopc request] can be used to extract some parameter from a browser [request] (list of strings); [name] is a string which should match the beginning of a request line, [stopc] is a character ending the request line. For example, the string request has been obtained by: [extract_param "GET /" ' ']. Answers the empty string if the parameter is not found. *) val get_request_and_content : char Stream.t -> string list * string val sock_in : string ref val sock_out : string ref val noproc : bool ref val wserver_oc : out_channel ref (* Example: - Source program "foo.ml": Wserver.f None 2371 60 None (fun _ s _ -> Wserver.html ""; Wserver.wprint "You said: %s...\n" s);; - Compilation: ocamlc -custom unix.cma -cclib -lunix wserver.cmo foo.ml - Run: ./a.out - Launch a Web browser and open the location: http://localhost:2368/hello (but see the remark below) - You should see a new page displaying the text: You said: hello... Possible problem: if the browser says that it cannot connect to "localhost:2368", try: "localhost.domain:2368" (the domain where your machine is) "127.0.0.1:2368" "machine:2368" (your machine name) "machine.domain:2368" (your machine name) "addr:2368" (your machine internet address) *) why-2.34/src/effect.ml0000644000175000017500000001541112311670312013174 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s Effects. *) open Ident (*s An effect is composed of three sets of variables. The first one is the set of all variables (the input), the second one is the set of possibly modified variables (the output), and the third one the set of possibly raised exceptions. INVARIANTS: 1. there are no duplicate elements in each list 2. output is contained in input REMARK: for most operations, sets will be more relevant than lists, but order must not change when a substitution is applied and thus lists are preferred *) type t = { input : Ident.set; output : Ident.set; exns : Ident.set; nt : bool } (*s the empty effect *) let bottom = { input = Idset.empty; output = Idset.empty; exns = Idset.empty; nt = false } (*s basic operations *) let list_add x l = if List.mem x l then l else x :: l let list_remove x l = let rec rem_rec = function | [] -> [] | y :: l -> if x = y then l else y :: rem_rec l in if List.mem x l then rem_rec l else l let mem x (r,w) = (List.mem x r) || (List.mem x w) (* [list_union] is a merge sort *) let list_union l1 l2 = let rec basic_union = function | [], s2 -> s2 | s1, [] -> s1 | ((v1 :: l1) as s1), ((v2 :: l2) as s2) -> if v1 < v2 then v1 :: basic_union (l1,s2) else if v1 > v2 then v2 :: basic_union (s1,l2) else v1 :: basic_union (l1,l2) in basic_union (List.sort compare l1, List.sort compare l2) (*s adds reads and writes variables *) let add_read x e = { e with input = Idset.add x e.input } let add_reads = Idset.fold add_read let add_write x e = { e with input = Idset.add x e.input; output = Idset.add x e.output } let add_writes = Idset.fold add_write let add_exn x e = { e with exns = Idset.add x e.exns } let add_exns = Idset.fold add_exn let add_nontermination e = { e with nt = true } (*s access *) let get_reads e = Idset.elements e.input let get_writes e = Idset.elements e.output let get_exns e = Idset.elements e.exns let get_repr e = Idset.elements e.input, Idset.elements e.output, Idset.elements e.exns, e.nt (*s tests *) let is_read e id = Idset.mem id e.input let is_write e id = Idset.mem id e.output let is_exn e id = Idset.mem id e.exns let is_nonterminating e = e.nt let keep_writes e = { e with input = e.output } (*s union and disjunction *) let union e1 e2 = { input = Idset.union e1.input e2.input; output = Idset.union e1.output e2.output; exns = Idset.union e1.exns e2.exns; nt = e1.nt || e2.nt } (*s comparison relation *) let le _e1 _e2 = failwith "effects: le: not yet implemented" let inf _e1 _e2 = failwith "effects: inf: not yet implemented" (*s remove *) let remove x e = { e with input = Idset.remove x e.input; output = Idset.remove x e.output } let remove_exn x e = { e with exns = Idset.remove x e.exns } let remove_nontermination e = { e with nt = false } let erase_exns e = { e with exns = Idset.empty } (*s occurrence *) let occur x e = Idset.mem x e.input || Idset.mem x e.output (*s substitution *) (*** let list_subst x x' l = let rec subst = function | [] -> [] | y :: r -> if y = x then x' :: r else y :: subst r in if List.mem x l then subst l else l let subst_one x x' e = { e with input = list_subst x x' e.input; output = list_subst x x' e.output } let subst = Idmap.fold subst_one ***) let subst subst e = let subst_set s = Idset.fold (fun x acc -> let x' = try Idmap.find x subst with Not_found -> x in Idset.add x' acc) s Idset.empty in { e with input = subst_set e.input; output = subst_set e.output } (*s pretty-print *) open Format (* copied to avoid circularity Effect <-> Misc *) let rec print_list sep print fmt = function | [] -> () | [x] -> print fmt x | x :: r -> print fmt x; sep fmt (); print_list sep print fmt r let print fmt { input = r; output = w; exns = e; nt = nt } = let r = Idset.elements r in let w = Idset.elements w in fprintf fmt "@["; if r <> [] then begin fprintf fmt "reads "; print_list (fun fmt () -> fprintf fmt ",@ ") Ident.print fmt r; end; if r <> [] && w <> [] then fprintf fmt "@ "; if w <> [] then begin fprintf fmt "writes "; print_list (fun fmt () -> fprintf fmt ",@ ") Ident.print fmt w; end; let e = Idset.elements e in if (r <> [] || w <> []) && e <> [] then fprintf fmt "@ "; if e <> [] then begin fprintf fmt "raises "; print_list (fun fmt () -> fprintf fmt ",@ ") Ident.print fmt e; end; if r <> [] || w <> [] || e <> [] then fprintf fmt "@ "; if nt then fprintf fmt ",@ nt"; fprintf fmt "@]" why-2.34/src/encoding_mono_inst.ml0000644000175000017500000011426112311670312015616 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Cc open Logic open Logic_decl open Format let map_product (f: 'a -> 'a list) (l:'a list) : 'a list list = List.fold_left (fun prev_acc e -> let lr = f e in List.fold_left (fun acc l -> List.fold_left (fun acc e -> (e::l)::acc) acc lr) [] prev_acc) [[]] l (*let map_times (f: 'a -> 'b -> 'c) (l1:'a list) (l2:'b list) : 'c list = List.fold_left (fun *) let loc = Loc.dummy_floc let debug = Options.debug let f2s (s,l,b,e) = Printf.sprintf "File %s, line %d, characters %d-%d" s l b e let prefix = fun s -> "c_"^s (* let suffix = "_c" *) (* let var = "x" *) let tvar = "_why_t" (* let cpt = ref 0 *) let injec c = c^"_injective" (* let axiom c = c ^ "_to_" ^ (c^suffix) *) let def c = "def_"^Ident.string c (* The names for the new function symbols *) let sort = Ident.create (prefix "sort") let is_const t = (* match Misc.normalize_pure_type t with *) match t with | PTint | PTbool | PTreal | PTunit -> true | _ -> false (*let cname t = match Misc.normalize_pure_type t with | PTint -> "int" | PTbool -> "bool" | PTreal -> "real" | PTunit -> "unit" (** TODO : better error handling here *) | _ -> failwith "this function should only be called on constant types" let c2u t = (cname t)^"2u" let s2c t = "s2"^(cname t)*) (* This is the list of constant types which is handled as such *) let htypes = [PTint; PTbool; PTreal]@(if Options.monoinstnounit then [] else [PTunit]) (* The monosorted stratified encoding introduces three new external types : a sort for syntactically unsorted terms, one for sorted terms and one for syntactic types *) let utname = Ident.create (prefix "unsorted") let stname = Ident.create (prefix "sorted") let ttname = Ident.create (prefix "type") let ut = PTexternal ([], utname) let st = PTexternal ([], stname) let tt = PTexternal ([], ttname) (* one dumb type *) let dtname = prefix "alpha" let dtnameid = Ident.create dtname let dt = PTexternal ([], dtnameid) (* The prelude is a set of declarations that must be added to the context every time the encoding is used :*) let eq_arity = (Ident.string Ident.t_eq, Env.empty_scheme (Predicate [st; st])) let neq_arity = (Ident.string Ident.t_neq, Env.empty_scheme (Predicate [st; st])) let builtin_poly = [Ident.t_eq;Ident.t_neq(*;Ident.if_then_else*)] let builtin_poly = List.fold_left (fun s x -> Ident.Idset.add x s) Ident.Idset.empty builtin_poly let builtin = [] (*[Ident.t_sub_int;Ident.t_add_int;Ident.t_mul_int;Ident.t_div_int; Ident.t_mod_int;Ident.t_neg_int;Ident.t_abs_int; Ident.t_gt_int;Ident.t_ge_int;Ident.t_eq_int;Ident.t_lt_int;Ident.t_le_int;Ident.t_neq_int; ]*) let builtin = List.fold_left (fun s x -> Ident.Idset.add x s) builtin_poly builtin let create_ident_id = "ident_of_close_type" let rec ident_of_close_type ?(from=false)t = (*let from = false && from in*) let rec aux fmt = function | PTint -> fprintf fmt "int" | PTbool -> fprintf fmt "bool" | PTunit -> fprintf fmt "unit" | PTreal -> fprintf fmt "real" | PTexternal ([],id) -> fprintf fmt "%a" Ident.print id | PTvar {tag=_t; type_val=None} -> assert false (* close type *) | PTvar {tag=_t; type_val=Some pt} -> aux fmt pt | PTexternal (l,id) -> fprintf fmt "%aI%a" (Pp.print_list (Pp.constant_string "I") aux) l Ident.print id in let b = Buffer.create 10 in Format.bprintf b "%a@?" aux t; let from = match from,t with | true,PTexternal (l,id) -> Some (create_ident_id,id::(List.map (ident_of_close_type ~from:false) l)) | _ -> None in Ident.create ?from (Buffer.contents b) module E = struct open Mapenv open Env module Idmap = Ident.Idmap module Idset = Ident.Idset type t = { (** assoc the name of a function and one instanciation with the name of the function coded *) instances : Ident.t Inst_Map.t; (** assoc the name of a function to its arities *) arities : logic_type scheme Idmap.t; (** assoc with each type to be monomorphised the name of the monomorphe type*) mono : Ident.t PT_Map.t; (** assoc with each type at the edge of the monomorph world the logic used in the encoding *) encode : Ident.t PT_Map.t; (** used for a .... *) def_logic : (Ident.t * Logic.logic_type Env.scheme) list Idmap.t; def_type : (Ident.t * int) list Idmap.t; } let print fmt env = Format.fprintf fmt "instances :%a@." (Pp.print_iter2 Inst_Map.iter Pp.semi Pp.comma (Pp.print_pair Ident.print (Pp.print_list Pp.comma Util.print_pure_type)) Ident.print) env.instances; Format.fprintf fmt "arities :%a@." (Pp.print_iter2 Idmap.iter Pp.semi Pp.comma Ident.print (Util.print_scheme Util.print_logic_type)) env.arities; Format.fprintf fmt "mono :%a@." (Pp.print_iter2 PT_Map.iter Pp.semi Pp.comma Util.print_pure_type Ident.print) env.mono; Format.fprintf fmt "encode :%a@." (Pp.print_iter2 PT_Map.iter Pp.semi Pp.comma Util.print_pure_type Ident.print) env.encode; Format.fprintf fmt "def_logic :%a@." (Pp.print_iter2 Idmap.iter Pp.semi Pp.comma Ident.print (Pp.print_list Pp.comma (Pp.print_pair Ident.print (Util.print_scheme Util.print_logic_type)))) env.def_logic; Format.fprintf fmt "def_type :%a@." (Pp.print_iter2 Idmap.iter Pp.semi Pp.comma Ident.print (Pp.print_list Pp.comma (Pp.print_pair Ident.print Pp.int))) env.def_type (** create the environnement from a list of close type to monomorphise *) let create l = let s = add_subtype_list PT_Set.empty l in let m = PT_Set.fold (fun e m -> PT_Map.add e (ident_of_close_type ~from:true e) m) s PT_Map.empty in {instances = Inst_Map.empty; mono = m; encode = PT_Map.empty; arities = Idmap.empty; def_logic = Idmap.empty; def_type = Idmap.empty} type w = | Mono of pure_type | Enco of term let print_w fmt = function | Mono ty -> Format.fprintf fmt "Mono %a" Util.print_pure_type ty | Enco t -> Format.fprintf fmt "Enco %a" Util.print_term t (** The encoded type are represented by tt *) let reduce_to_type = function | Mono x -> x | Enco _t -> dt (** The encoded term are represented by u *) let reduce_to_type_neg = function | Mono x -> x | Enco _t -> st (** The encoded term are represented by s *) let reduce_to_type_pos = function | Mono x -> x | Enco _t -> ut (** The instantiated types don't need encoding *) let reduce_to_term = function | Mono _x -> None | Enco t -> Some t (** Keep the builtin type for builtin type *) let name_of_mono v = function | PTint | PTbool | PTreal | PTunit as t -> t | _ -> PTexternal ([],v) let type_of_mono _v k = k let ident_of_mono v _k = v let trad_type env fv_t t = (*if debug then Format.eprintf "trad_type : %a@." Util.print_pure_type t;*) let rec normalize_pure_type = function | PTint | PTbool | PTreal | PTunit as t -> t | PTvar {type_val=Some t} -> normalize_pure_type t | PTvar ({type_val=None} as v) as t -> (try match Vmap.find v fv_t with | Mono ty -> ty | Enco _ -> t with Not_found -> assert false) (* term not closed *) | PTexternal (l,s) -> PTexternal (List.map normalize_pure_type l,s) in let rec aux t = try Mono (name_of_mono (PT_Map.find t env.mono) t) with Not_found -> match t with | PTint | PTbool | PTreal | PTunit -> (try Enco (Tapp (PT_Map.find t env.encode,[],[])) with Not_found -> assert false (* the builtin type must be in mono or encode *)) | PTvar {type_val=Some t} -> aux t | PTvar ({type_val=None} as v) -> (try Vmap.find v fv_t with Not_found -> assert false) (* term not closed *) | PTexternal ([],s) when s == dtnameid -> Enco (Tvar dtnameid) (*that case appear only when we instantiate a logic or type, dumb value *) | PTexternal (l,s) -> let l = List.map aux l in let l2 = List.map reduce_to_type l in try let s = PT_Map.find (PTexternal (l2,s)) env.encode in let l = List.rev (List.fold_left (fun l e -> match e with | Mono _ -> l | Enco t -> t::l) [] l) in Enco (Tapp(s,l,[])) with Not_found -> if debug then Format.eprintf "Notfound type = %a -> %a@." Util.print_pure_type t Util.print_pure_type (PTexternal (l2,s)); assert false (* There is an instanciation for any instanciation *) in aux (normalize_pure_type t) let trad_to_type env fv_t x = reduce_to_type (trad_type env fv_t x) let trad_to_type_pos env fv_t x = reduce_to_type_pos (trad_type env fv_t x) let trad_to_type_neg env fv_t x = reduce_to_type_neg (trad_type env fv_t x) let trad_to_term env fv_t x = reduce_to_term (trad_type env fv_t x) let rec all_possible which env acc l nargs = function | 0 -> (l,nargs)::acc | n -> let acc = PT_Map.fold (fun k v acc -> all_possible which env acc ((which v k)::l) nargs (n-1)) env.mono acc in all_possible which env acc ((which dtnameid dt)::l) (nargs+1) (n-1) (** add a polymorphe (or not, but make_world ensures it (not anymore ;))) type to take into account. *) let add_type env tid nargs = let allp = all_possible (fun v k -> (v,k)) env [] [] 0 nargs in let encode,l = List.fold_left (fun (encode,ll) (vk,nargs) -> let l = PTexternal (List.map snd vk,tid) in let encodell = if PT_Map.mem l env.mono then encode,ll else begin let l = List.map (fun (v,k) -> name_of_mono v k) vk in let l = PTexternal (l,tid) in let lid = ident_of_close_type l in PT_Map.add l lid encode,(lid,nargs)::ll end in encodell) (env.encode,[]) allp in {env with encode = encode; def_type = Idmap.add tid l env.def_type} let get_type env t = Idmap.find t env.def_type let add_logic_aux env tid arities = let nargs = Vset.cardinal arities.Env.scheme_vars in let allp = all_possible type_of_mono env [] [] 0 nargs in let _,instances,l = List.fold_left (fun (lidset,instances,l) (inst,_) -> let arities = instantiate_logic_type arities inst in (*if debug then Format.eprintf "add_logic : arities : %a@." Util.print_logic_type arities;*) let l_ty,arities = match arities with | Function(args,ret) -> let args,ret = List.map (trad_to_type_neg env Vmap.empty) args, (trad_to_type_pos env Vmap.empty) ret in ret::args,Function(args,ret) | Predicate(arg) -> let arg = List.map (trad_to_type_neg env Vmap.empty) arg in arg,Predicate(arg) in (*could we use builtin theory ? *) let from = List.for_all (fun e -> e<>st && e<>ut) l_ty in let l_ty = PTexternal (l_ty,tid) in (* If the identifier is polymorph then we keep its name *) let lid = if nargs = 0 then tid else ident_of_close_type ~from l_ty in let inst = List.map (trad_to_type env Vmap.empty) inst in let instances = Inst_Map.add (tid,inst) lid instances in let lidset,l = if Idset.mem lid lidset then lidset,l else Idset.add lid lidset,(lid,Env.empty_scheme arities)::l in lidset,instances,l) (Idset.empty,env.instances,[]) allp in {env with instances = instances; def_logic = Idmap.add tid l env.def_logic; arities = Idmap.add tid arities env.arities} let add_logic_poly env tid arities = let nargs = Vset.cardinal arities.Env.scheme_vars in let allp = all_possible type_of_mono env [] [] 0 nargs in let instances = List.fold_left (fun instances (inst,_) -> let instances = Inst_Map.add (tid,inst) tid instances in instances) env.instances allp in {env with instances = instances; def_logic = Idmap.add tid [tid,arities] env.def_logic; arities = Idmap.add tid arities env.arities} let add_logic env tid arities = if Idset.mem tid builtin_poly then add_logic_poly env tid arities else add_logic_aux env tid arities let get_logic env id = Idmap.find id env.def_logic let give_inst env scheme = let nargs = Vset.cardinal scheme.Env.scheme_vars in let vargs = Vset.elements scheme.Env.scheme_vars in let allp = all_possible type_of_mono env [] [] 0 nargs in let allp = List.map (fun (inst,_) -> let cpt = ref 0 in List.fold_left2 (fun m ty v -> let ty = if ty == dt then (incr cpt;Enco (Tvar (Ident.create (tvar^(string_of_int !cpt))))) else Mono ty in Vmap.add v ty m) Vmap.empty inst vargs) allp in allp,scheme.Env.scheme_type let instance_of env fv_t id inst = if Idset.mem id builtin_poly then id else let inst2 = List.map (trad_type env fv_t) inst in let inst3 = List.map reduce_to_type inst2 in try Inst_Map.find (id,inst3) env.instances with Not_found as e -> Format.eprintf "Not_found : instance_of : id=%a@.inst=%a@.inst2=%a@.inst3=%a@." Ident.print id Util.print_instance inst (Pp.print_list Pp.semi print_w) inst2 Util.print_instance inst3; raise e let type_of env id inst = try let ty = Idmap.find id env.arities in let ty = instantiate_logic_type ty inst in ty with Not_found as e -> Format.eprintf "type_of : unknown ident : %a" Ident.print id; raise e let rec get_fun env fv_t id inst = let id_inst = instance_of env fv_t id inst in let ty = type_of env id inst in match ty with | Function (arg,_ret) -> (id_inst,(List.map (fun x -> reduce_to_term (trad_type env fv_t x)) arg)) | Predicate _ -> assert false let rec get_pred env fv_t id inst = let id_inst = instance_of env fv_t id inst in let ty = type_of env id inst in match ty with | Function _ -> assert false | Predicate arg -> (id_inst,(List.map (fun x -> reduce_to_term (trad_type env fv_t x)) arg)) end let prelude env = (* first the three new types *) (Dtype (loc, utname, [])):: (Dtype (loc, stname, [])):: (Dtype (loc, ttname, [])):: (Dlogic (loc, sort, Env.empty_scheme (Function ([tt; ut], st)))):: (Mapenv.PT_Map.fold (fun k v acc -> if is_const k then acc else (Dtype (loc, v, []))::acc) env.E.mono []) (* the function symbols representing constant types *) (* @ (List.map (fun t -> (Dlogic (loc, prefix (cname t), Env.empty_scheme (Function ([], tt))))) htypes) (* the sorting and conversion functions *) @ (List.map (fun t -> (Dlogic (loc, c2u t, Env.empty_scheme (Function ([t], ut))))) htypes) @ (List.map (fun t -> (Dlogic (loc, s2c t, Env.empty_scheme (Function ([st], t))))) htypes)*) (* Functions that replace polymorphic types by S,T,U and constants *) (*let typify ptl = List.map (fun _ -> tt) ptl let sortify env t pt = match pt with | PTint | PTbool | PTreal | PTunit -> pt | PTvar _ -> t | PTexternal (_,_) -> t let monoify env = List.map (sortify st) *) let sort_of_c = function | ConstInt _ -> PTint | ConstBool _ -> PTbool | ConstUnit -> PTunit | ConstFloat _ -> PTreal (* Function that plunges a term under its type information. *) (* Uses an assoc. list of tags -> idents for type variables *) (*let plunge fv term pt = let rec leftt pt = match pt with | PTint | PTbool | PTreal | PTunit -> Tapp (Ident.create (prefix (cname pt)), [], []) | PTvar ({type_val = None} as var) -> let t = try List.assoc var.tag fv with Not_found -> let s = string_of_int var.tag in (print_endline ("[plunge] unknown vartype : "^s); Format.eprintf "term = %a@." Util.print_term term; s) in Tvar (Ident.create t) | PTvar {type_val = Some pt} -> leftt pt | PTexternal (ptl, id) -> Tapp (id, List.map (fun pt -> leftt pt) ptl, []) in Tapp (Ident.create sort,[leftt pt; term],[]) *) let plunge_if_needed term = function | None -> term | Some ty_term -> Tapp (sort,[ty_term; term],[]) (* Function that strips the top most sort application, for terms bound in let-ins *) (*let strip_topmost t = match t with | Tapp (symb, [encoded_ty; encoded_t], []) when symb = sort -> encoded_t | _ -> t *) (*let get_arity id = let arity = try List.assoc (Ident.string id) !arities with e -> (print_endline ("Encoding_mono.get_arity: unknown arity for "^(Ident.string id))); raise e in match arity.Env.scheme_type with Function (ptl, rt) -> ptl, rt | Predicate ptl -> ptl, PTbool (* ce PTbool est arbitraire et inutilisé *) (* Ground instanciation of an arity (to be plunged under) *) let instantiate_arity id inst = let arity = try List.assoc (Ident.string id) !arities with e -> (print_endline ("Encoding_mono.instantiate_arity: unknown arity for "^(Ident.string id))); raise e in let (vs, log_type) = Env.specialize_logic_type arity in if debug then (print_string "\t{"; Env.Vmap.iter (fun _ v -> Printf.printf "%d" v.tag) vs; print_endline "}"); match log_type with Function (ptl, rt) -> if debug then Printf.printf "Instantiate : %d vars - %d types\n" (Env.Vmap.fold (fun _ _ n -> n + 1) vs 0) (List.length inst); ignore (Env.Vmap.fold (fun _ v l -> (match l with [] -> [] | a::q -> (v.type_val <- Some a; q))) vs (List.rev inst)); rt | Predicate ptl -> ignore (Env.Vmap.fold (fun _ v l -> (match l with [] -> [] | a::q -> (v.type_val <- Some a; q))) vs (List.rev inst)); PTbool *) (* Translation of a term *) (* [fv] is a map for type variables, [lv] for term variables, and [rt] is the type of this term in the arity of its direct superterm. *) let rec translate_term env fv_t = function | Tvar _ | Tconst _ as t -> t | Tapp (id, tl, inst) -> let id,arg = E.get_fun env fv_t id inst in let tl = List.map (translate_term env fv_t) tl in let tl = List.map2 plunge_if_needed tl arg in Tapp (id, tl, []) | Tderef id as t -> print_endline ("id in Tderef : "^(Ident.string id)); t | Tnamed(_,t) -> translate_term env fv_t t (* Generalizing a predicate scheme with foralls (can add a trigger) *) (* This function is used to explicitely quantify over syntactic type variables that were implicitely quantified at first. *) let rec lifted l p t = let l = Env.Vmap.fold (fun _ e l -> match e with | E.Enco (Tvar e) -> e::l | E.Enco _ -> assert false | E.Mono _ -> l) l [] in let rec aux l = match l with [] -> p | s::[] -> Forall(false, s, s, tt, t, p) | s::q -> Forall(false, s, s, tt, [], aux q) in aux l let rec lifted_t l p tr = match l with [] -> p | (a,t)::[] -> (Forall(false, a, a, t, tr, p)) | (a,t)::q -> (Forall(false, a, a, t, [], lifted_t q p tr)) (* let rec lifted_ctxt l cel = (List.map (fun (_,s) -> Svar(Ident.create s, tt)) l)@cel *) (* Translation of a predicate *) let rec translate_pred env fv_t = function (* | Papp (id, [a; b], [t]) when Ident.is_eq id && is_const t -> *) (* Papp (id, [translate_term fv lv t a; translate_term fv lv t b], []) *) | Papp (id, tl, inst) -> let id,arg = E.get_pred env fv_t id inst in let tl = List.map (translate_term env fv_t) tl in let tl = List.map2 plunge_if_needed tl arg in Papp (id, tl, []) | Plet (id, n, pt, t, p) -> let t = translate_term env fv_t t in let pt = E.trad_to_type_pos env fv_t pt in let p = translate_pred env fv_t p in Plet (id, n, pt, t, p) | Pimplies (iswp, p1, p2) -> Pimplies (iswp, translate_pred env fv_t p1, translate_pred env fv_t p2) | Pif (t, p1, p2) -> (** Il faut que Bool soit dans l'ensemble S, sinon il faut redéfinir Pif dans une axiomatique *) Pif (translate_term env fv_t t, translate_pred env fv_t p1, translate_pred env fv_t p2) | Pand (iswp, issym, p1, p2) -> Pand (iswp, issym, translate_pred env fv_t p1, translate_pred env fv_t p2) | Por (p1, p2) -> Por (translate_pred env fv_t p1, translate_pred env fv_t p2) | Piff (p1, p2) -> Piff (translate_pred env fv_t p1, translate_pred env fv_t p2) | Pnot p -> Pnot (translate_pred env fv_t p) | Forall (iswp, id, n, pt, _tl, p) -> let pt = E.trad_to_type_pos env fv_t pt in let tl = (*translate_triggers env fv_t p tl*) [] in Forall (iswp, id, n, pt, tl, translate_pred env fv_t p) | Forallb (iswp, p1, p2) -> Forallb (iswp, translate_pred env fv_t p1, translate_pred env fv_t p2) | Exists (id, n, pt, p) -> let pt = E.trad_to_type_pos env fv_t pt in Exists (id, n, pt, translate_pred env fv_t p) | Pnamed (s, p) -> Pnamed (s, translate_pred env fv_t p) | _ as d -> d (* and translate_pattern env fv lv p = function | TPat t -> let rec lookfor_term fv lv acc rt = function | t2 when Misc.eq_term t t2 -> (translate_term fv lv rt t2)::acc | Tvar _ | Tconst _ | Tderef _ -> acc | Tapp (id, tl, inst) -> let ptl, pt = get_arity id in List.fold_left2 (lookfor_term fv lv) acc ptl tl | Tnamed(_,t2) -> lookfor_term fv lv acc rt t2 in let rec lookfor_term_in_predicate fv lv acc = function | Pif (t, p1, p2) -> let acc = lookfor_term fv lv acc PTbool t in let acc = lookfor_term_in_predicate fv lv acc p1 in let acc = lookfor_term_in_predicate fv lv acc p2 in acc | Papp (id, tl, inst) -> let arity,_ = get_arity id in List.fold_left2 (lookfor_term fv lv) acc arity tl | Plet (_, n, pt, t, p) -> let acc = lookfor_term fv lv acc pt t in lookfor_term_in_predicate fv ((n,pt)::lv) acc p | Forall (_, _, n, pt, _, p) | Exists (_, n, pt, p) -> lookfor_term_in_predicate fv ((n,pt)::lv) acc p | Pimplies (_, p1, p2) | Pand (_ , _, p1, p2) | Por (p1, p2) | Piff (p1, p2) | Forallb (_, p1, p2) -> lookfor_term_in_predicate fv lv (lookfor_term_in_predicate fv lv acc p2) p1 | Pnot p | Pnamed (_, p) -> lookfor_term_in_predicate fv lv acc p | Pvar _|Pfalse|Ptrue -> acc in let r = (lookfor_term_in_predicate fv lv [] p) in Format.printf "%a : %a@." Util.print_term t (Pp.print_list Pp.comma Util.print_term) r; List.map (fun x -> TPat x) r (* let rec translate_term_for_pattern fv lv = function (* mauvaise traduction des triggers mais ... Le type n'étant pas forcement le même les plunges internes peuvent ne pas être les même que dans le body de la quantification *) | Tvar _ as t -> t | Tapp (id, tl, inst) -> let ptl, pt = get_arity id in let trans_term = Tapp (id, List.map2 (translate_term fv lv) ptl tl, []) in let _ = instantiate_arity id inst in trans_term | Tconst (_) as t -> t | Tderef _ as t -> t | Tnamed(_,t) -> translate_term_for_pattern fv lv t in TPat (translate_term_for_pattern fv lv t) *) | PPat p -> [PPat (translate_pred fv lv p)] and translate_triggers fv lv p tl = List.fold_left (fun acc e -> List.rev_append (map_product (translate_pattern fv lv p) e) acc) [] tl *) (* The core *) let queue = Queue.create () let make_list x = let rec aux acc = function | 0 -> acc | n -> aux (x::acc) (n-1) in aux [] let rec translate_assertion env iter_fun d = let ta env d = translate_assertion env iter_fun d in try (match d with | Dalgtype _ -> assert false (* A type declaration is translated as new logical function, the arity of *) (* which depends on the number of type variables in the declaration *) | Dtype (loc, ident, _vars) -> let terms = E.get_type env ident in List.iter (fun (ident,nargs) -> let ty = Env.empty_scheme (Function (make_list tt nargs, tt)) in iter_fun (Dlogic (loc, ident, ty))) terms; env (* In the case of a logic definition, we redefine the logic symbol *) (* with types u and s, and its complete arity is stored for the encoding *) | Dlogic (loc, ident, _arity) -> (* Format.eprintf "Encoding_mono: adding %s in arities@." ident; *) let logics = E.get_logic env ident in List.iter (fun (ident,ty) -> iter_fun (Dlogic (loc,ident, ty))) logics; env (* A predicate definition can be handled as a predicate logic definition + an axiom *) | Dpredicate_def (loc,id,d) -> List.fold_left ta env (PredDefExpansor.predicate_def loc id d) (* let (argl, pred) = pred_def_sch.Env.scheme_type in (* Et l'ordre pour l'instantiation? *) let typevar = List.map (fun x -> PTvar x) (Env.Vset.elements pred_def_sch.Env.scheme_vars) in let rootexp = (Papp (ident, List.map (fun (i,_) -> Tvar i) argl, typevar)) in let env = ta env (Dlogic (loc, ident, (Env.generalize_logic_type (Predicate (snd (List.split argl)))))) in let env = ta env (Daxiom (loc, def ident, (Env.generalize_predicate (lifted_t argl (Piff (rootexp, pred)) [[PPat rootexp]])))) in env*) (* A function definition can be handled as a function logic definition + an axiom *) | Dinductive_def(_,id,d) -> List.fold_left ta env (PredDefExpansor.inductive_def loc id d) | Dfunction_def (loc, id, d) -> (* let _ = print_endline ident in *) (* let (argl, rt, term) = fun_def_sch.Env.scheme_type in let rootexp = (Tapp (ident, List.map (fun (i,_) -> Tvar i) argl, [])) in let env = ta env (Dlogic (loc, ident, (Env.generalize_logic_type (Function (snd (List.split argl), rt))))) in let env = ta env (Daxiom (loc, def ident, (Env.generalize_predicate (lifted_t argl (Papp (Ident.t_eq, [rootexp; term], [])) [[TPat rootexp]])))) in env*) List.fold_left ta env (PredDefExpansor.function_def loc id d) (* Axiom definitions *) | Daxiom (loc, ident, pred_sch) -> let insts,p_inst = E.give_inst env pred_sch in if debug then Format.eprintf "axiom : insts : %a@." (Pp.print_list Pp.comma (Pp.print_iter2 Env.Vmap.iter Pp.semi Pp.comma Util.print_type_var E.print_w)) insts; List.iter (fun fv_t -> let pred = translate_pred env fv_t p_inst in let new_axiom = Env.empty_scheme (lifted fv_t pred []) in iter_fun (Daxiom (loc, ident, new_axiom))) insts; env (* A goal is a sequent : a context and a predicate and both have to be translated *) | Dgoal (loc, is_lemma, expl, ident, s_sch) -> begin try let new_cel = List.map (fun s -> match s with Spred (id, p) -> Spred (id, translate_pred env Env.Vmap.empty p) | Svar (id, t) -> let t = E.trad_to_type_pos env Env.Vmap.empty t in Svar (id, t)) (fst (s_sch.Env.scheme_type)) in let new_sequent = Env.empty_scheme (new_cel, translate_pred env Env.Vmap.empty (snd (s_sch.Env.scheme_type))) in iter_fun (Dgoal (loc, is_lemma, expl, ident, new_sequent)) with Not_found -> Format.eprintf "Exception caught in : %a\n" Util.print_decl d; iter_fun (Dgoal (loc, is_lemma, expl, ident, Env.empty_scheme([],Pfalse))); end;env) with Not_found -> Format.eprintf "Exception caught in : %a\n" Util.print_decl d; raise Not_found (** We take the type monomorph and the type used in monomorph axioms : we want the traduction to be the identity on the monomorph fragment*) module PT_Set = Mapenv.PT_Set let _PT_Set_add = Mapenv._PT_Set_add_normalize let rec make_logic_type world id tl inst = try let (v,logic) = Env.find_global_logic id in Env.instantiate_specialized v inst; let world = match logic with | Function (arg,rt) -> List.fold_left (fun s x -> _PT_Set_add x s) world (rt::arg) | Predicate arg -> List.fold_left (fun s x -> _PT_Set_add x s) world arg in List.fold_left make_world_term world tl with Not_found as e -> Format.eprintf "Notfound : make_logic_type : %a@." Ident.print id; raise e and make_world_term world = function | Tvar _ | Tderef _ -> world | Tconst c -> _PT_Set_add (sort_of_c c) world | Tapp (id,tl,inst) -> make_logic_type world id tl inst | Tnamed (_,t) -> make_world_term world t let rec make_world_predicate world = function | Pvar _ | Ptrue | Pfalse -> world | Pnot p | Pnamed (_,p) -> make_world_predicate world p | Pimplies(_,p1,p2) | Pand(_,_,p1,p2) | Por(p1,p2) | Piff(p1,p2) | Forallb(_,p1,p2) -> make_world_predicate (make_world_predicate world p1) p2 | Pif(t,p1,p2) -> let world = make_world_term world t in let world = make_world_predicate (make_world_predicate world p1) p2 in world | Plet (_,_,ty,t,p) -> let world = make_world_term world t in let world = make_world_predicate world p in _PT_Set_add ty world | Forall(_,_,_,ty,_,p) | Exists(_,_,ty,p) -> let world = make_world_predicate world p in _PT_Set_add ty world | Papp(id,tl,inst) -> make_logic_type world id tl inst let make_world_context_element world = function | Svar (_,ty) -> _PT_Set_add ty world | Spred (_,p) -> make_world_predicate world p let make_world_sorted ~monotype ~monosig ~monodef world = function | Dalgtype _ -> assert false | Dtype(_,s,[]) -> if monotype then _PT_Set_add (PTexternal([],s)) world else world | Dlogic(_,_,sch) when Env.Vset.is_empty sch.Env.scheme_vars -> if monosig then (match sch.Env.scheme_type with | Function (arg,rt) -> List.fold_left (fun s x -> _PT_Set_add x s) world (rt::arg) | Predicate arg -> List.fold_left (fun s x -> _PT_Set_add x s) world arg) else world | Dpredicate_def(_,_,sch) when Env.Vset.is_empty sch.Env.scheme_vars -> let world = if monosig then List.fold_left (fun world (_,ty) -> _PT_Set_add ty world) world (fst sch.Env.scheme_type) else world in if monodef then make_world_predicate world (snd sch.Env.scheme_type) else world | Dinductive_def(_,_,sch) when Env.Vset.is_empty sch.Env.scheme_vars -> let world = if monosig then List.fold_left (fun s x -> _PT_Set_add x s) world (fst sch.Env.scheme_type) else world in if monodef then List.fold_left (fun world (_,p) -> make_world_predicate world p) world (snd sch.Env.scheme_type) else world | Dfunction_def(_,_,{Env.scheme_vars =v;scheme_type=(tyl,tyr,t)}) when Env.Vset.is_empty v -> let world = if monosig then List.fold_left (fun world (_,ty) -> _PT_Set_add ty world) world tyl else world in let world = if monosig then _PT_Set_add tyr world else world in if monodef then make_world_term world t else world | Daxiom(_,_,sch) when Env.Vset.is_empty sch.Env.scheme_vars -> make_world_predicate world sch.Env.scheme_type | Dgoal (_,_,_,_,{Env.scheme_vars =v;scheme_type=(con,p)}) when Env.Vset.is_empty v -> let world = make_world_predicate world p in List.fold_left make_world_context_element world con | Dgoal _ -> assert false (* Dgoal must have been monomorphised *) | _ -> world (* Polymorph case *) let make_world_just_goal world = function | Dgoal (_,_,_,_,{Env.scheme_vars =v;scheme_type=(con,p)}) when Env.Vset.is_empty v -> let world = make_world_predicate world p in List.fold_left make_world_context_element world con | Dgoal _ -> assert false (* Dgoal must have been monomorphised *) | _ -> world let make_world_none world _ = world let make_world = match Options.monoinstworldgen with | Options.MonoinstBuiltin -> make_world_none | Options.MonoinstSorted -> make_world_sorted ~monotype:true ~monodef:true ~monosig:true | Options.MonoinstGoal -> make_world_just_goal | Options.MonoinstPremises -> make_world_sorted ~monotype:false ~monodef:true ~monosig:false let monomorph_goal acc = function | Dgoal (loc,is_lemma,vc,id,sch) -> let cpt = ref 0 in let fv = Env.Vset.fold (fun _ acc -> cpt := !cpt + 1; (Ident.create (tvar^(string_of_int !cpt)))::acc) (sch.Env.scheme_vars) [] in let inst = List.map (fun x -> Env.add_type Loc.dummy_position [] x; PTexternal ([],x)) fv in let p = Env.instantiate_sequent sch inst in let acc = List.fold_left (fun acc x -> Dtype (loc,x,[])::acc) acc fv in Dgoal (loc,is_lemma,vc,id,Env.empty_scheme p)::acc | x -> x::acc let push_decl a = Queue.add a queue let output_world world env = let print_world fmt = PT_Set.iter (fprintf fmt "%a;@." Util.print_pure_type) in let print_map fmt = Mapenv.PT_Map.iter (fun k v -> fprintf fmt "%a \"%a\";@." Util.print_pure_type k Ident.print v) in Format.printf "{%t}{%a}{%a}{%a}@." (fun fmt -> Env.iter_type (fun id sch -> fprintf fmt "%a %i;@." Ident.print id sch)) print_world world print_map env.E.mono print_map env.E.encode; exit 0 let memory_arg_kv = lazy (Env.is_logic_function (Ident.create "select")) let pointer = Ident.create "pointer" let filter_world world = let world = if Options.monoinstonlymem then let world = PT_Set.filter (function PTexternal (_,mem) when Ident.string mem = "memory" -> true | _ -> false) world in PT_Set.fold (fun pt acc -> match (Lazy.force memory_arg_kv),pt with | (true,PTexternal ([key;_],mem)) | (false,PTexternal ([_;key],mem)) when Ident.string mem = "memory" -> PT_Set.add (PTexternal ([key],pointer)) acc | _ -> acc) world world else world in let world = if Options.monoinstonlyconst then PT_Set.filter (function PTexternal ([],_) -> true | _ -> false) world else world in world let iter f = (* monomorph the goal *) let decls = Queue.fold monomorph_goal [] queue in let decls = List.rev decls in if debug then Format.eprintf "Goal monomorphised@."; (* Find the type to monomorph *) let world = List.fold_left make_world PT_Set.empty decls in (* Filter if asked *) let world = filter_world world in let world = List.fold_left (fun s x -> _PT_Set_add x s) world htypes in if debug then Format.eprintf "world :%a@." (Pp.print_list Pp.comma Util.print_pure_type) (PT_Set.elements world); let env = E.create (PT_Set.elements world) in (* On ajoute toute les logics et type. Mais pas les types builtin *) let env = Env.fold_type (fun id sch env -> E.add_type env id sch) env in (* On ajoute unit in encode if asked *) let env = if Options.monoinstnounit then {env with E.encode = Mapenv.PT_Map.add PTunit (Ident.create "unit") env.E.encode} else env in if Options.monoinstoutput_world then output_world world env; let env = Env.fold_global_logic (fun id sch env -> try E.add_logic env id sch with e -> if debug then Format.eprintf "error in logic : %a,%a@." Ident.print id Util.print_logic_type sch.Env.scheme_type; raise e) env in if debug then Format.eprintf "env : %a" E.print env; (* first the prelude *) List.iter f (prelude env); (* then the queue *) ignore (List.fold_left (fun env x -> (translate_assertion env f x)) env decls); () let reset () = Queue.clear queue why-2.34/src/ast.mli0000644000175000017500000000740712311670312012706 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s Abstract syntax of imperative programs. *) open Logic open Types type variable = Ident.t type label = string type variant = Loc.position * term * pure_type * variable type exn_pattern = Ptree.exn_pattern type assertion = { a_name : Ident.t; a_value : predicate; a_loc : Loc.position; mutable a_proof : Cc.proof option; } type precondition = assertion type postcondition = assertion * (Ident.t * assertion) list type assert_kind = [ `ABSURD | `ASSERT | `PRE | `CHECK ] (* ['a] is the type of information associated to the nodes. It will be defined later in module [Env] *) type 'a t = { desc : 'a t_desc; info : 'a } and 'a t_desc = | Expression of term (* pure terms including !x *) | Var of variable (* only for impure functions *) | Seq of 'a t * 'a t | Loop of assertion option * variant option * 'a t (* infinite loop *) | If of 'a t * 'a t * 'a t | LetRef of variable * 'a t * 'a t | LetIn of variable * 'a t * 'a t | Absurd (* assertion *) | Label of label * 'a t | Assertion of assert_kind * assertion list * 'a t | Post of 'a t * postcondition * transp (* exceptions *) | Raise of variable * 'a t option | Try of 'a t * (exn_pattern * 'a t) list (* functions and applications *) | Lam of type_v binder list * precondition list * 'a t | Rec of variable * type_v binder list * type_v * variant option * precondition list * 'a t | AppRef of 'a t * variable * 'a | AppTerm of 'a t * term * 'a (* undeterministic expression *) | Any of type_c why-2.34/src/explain.ml0000644000175000017500000001250512311670312013401 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (* explanations *) let program_locs = Hashtbl.create 17 (* let read_in_file f l b e = let ch = open_in f in for i = 2 to l do ignore (input_line ch) done; for i = 1 to b do ignore (input_char ch) done; let buf = Buffer.create 17 in for i = b to e-1 do Buffer.add_char buf (input_char ch) done; Buffer.contents buf *) open Format open Logic open Logic_decl let raw_loc ?(quote=false) ?(pref="") fmt (f,l,b,e) = if quote then begin fprintf fmt "%sfile = \"%s\" " pref f; fprintf fmt "%sline = \"%d\" " pref l; fprintf fmt "%sbegin = \"%d\" " pref b; fprintf fmt "%send = \"%d\"" pref e end else begin fprintf fmt "%sfile = \"%s\"@\n" pref f; fprintf fmt "%sline = %d@\n" pref l; fprintf fmt "%sbegin = %d@\n" pref b; fprintf fmt "%send = %d@\n" pref e end let print_formula fmt s = if String.length s > 0 then fprintf fmt "formula = \"%s\"@\n" s let string_of_kind k = match k with | EKOther _ -> "Other" | EKAbsurd -> "Absurd" | EKAssert -> "Assert" | EKCheck -> "Check" | EKPre _ -> "Pre" | EKPost -> "Post" | EKWfRel -> "WfRel" | EKVarDecr -> "VarDecr" | EKLoopInvInit _ -> "LoopInvInit" | EKLoopInvPreserv _ -> "LoopInvPreserv" | EKLemma -> "Lemma" let print_kind ?(quote=false) fmt (loc,k,lab) = (* Option_misc.iter (fun lab -> fprintf fmt "label = %s@\n" lab) labopt; *) if not quote then begin raw_loc fmt loc; match lab with | None -> () | Some s -> fprintf fmt "source_label = \"%s\"@\n" s end; match k with | EKOther s | EKPre s -> fprintf fmt "kind = \"%s\"@\ntext = \"%s\"" (string_of_kind k) s | EKAbsurd | EKAssert | EKCheck | EKPost | EKWfRel | EKVarDecr | EKLemma -> fprintf fmt "kind = \"%s\"" (string_of_kind k) | EKLoopInvInit s | EKLoopInvPreserv s -> fprintf fmt "kind = \"%s\"" (string_of_kind k); print_formula fmt s let print ?(quote=false) fmt e = print_kind ~quote fmt (e.vc_loc,e.vc_kind,e.vc_label) let msg_of_loopinv = function | "" -> "loop invariant" | s -> "generated loop inv. '" ^ s ^"'" let msg_of_kind ?name = function | EKPre "PointerDeref" -> "pointer dereferencing" | EKPre "IndexBounds" -> "check index bounds" | EKPre "ArithOverflow" -> "check arithmetic overflow" | EKPre "FPOverflow" -> "check FP overflow" | EKPre "DivByZero" -> "check division by zero" | EKPre "AllocSize" -> "check allocation size" | EKPre "UserCall" -> "precondition for user call" | EKPre "" -> "precondition" | EKPre s -> "unclassified precondition `" ^ s ^ "'" | EKOther s -> "unclassified obligation `" ^ s ^ "'" | EKAbsurd -> "code unreachable" | EKAssert -> "assertion" | EKCheck -> "check" | EKPost -> "postcondition" | EKWfRel -> "relation is well-founded" | EKVarDecr -> "variant decreases" | EKLoopInvInit s -> msg_of_loopinv s ^ " initially holds" | EKLoopInvPreserv s -> msg_of_loopinv s ^ " preserved" | EKLemma -> "lemma" ^ (match name with None -> "" | Some s -> " " ^ s) why-2.34/src/monomorph.mli0000644000175000017500000000531412311670312014130 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (* make a monorphic output for provers not supporting polymorphism (e.g. PVS or CVC Lite) *) (* input... *) val push_decl : Logic_decl.t -> unit val add_external : Ident.t -> unit (* ...and output *) val iter : (Logic_decl.t -> unit) -> unit val reset : unit -> unit (* [symbol id i] prints the instance [i] of symbol [id] using the same conventions as in the monomorphization process *) val symbol : Ident.t * Logic.instance -> string why-2.34/src/why3.ml0000644000175000017500000004214612311670312012637 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Format open Pp open Ident open Options open Misc open Logic open Logic_decl let reset = Encoding.reset let push_decl d = Encoding.push ~encode_preds:false ~encode_funs:false ~encode_inductive:false ~encode_algtype:false d let iter = Encoding.iter (* let capitalize s = let is_alpha n = ('a' <= n && n <= 'z') || ('A' <= n && n <= 'Z') in let s = if not (is_alpha s.[0]) then "Un"^s else s in String.capitalize s *) let ident fmt s = let s = Ident.string s in let s = if Why3_kw.is_why3_keyword s then s ^ "_why3" else s in let s = if 'A' <= s.[0] && s.[0] <= 'Z' then "_" ^ s else s in if Why3_kw.is_why3_keyword s then fprintf fmt "why3__%s" s else pp_print_string fmt s let string_capitalize fmt s = let s = if s.[0] = '_' then "U"^s else if 'a' <= s.[0] && s.[0] <= 'z' then String.capitalize s else s in pp_print_string fmt s let ident_capitalize fmt s = string_capitalize fmt (Ident.string s) let type_vars = Hashtbl.create 17 let type_var fmt n = try fprintf fmt "'a%d" (Hashtbl.find type_vars n) with Not_found -> assert false let specialize s = Hashtbl.clear type_vars; let n = ref 0 in Env.Vset.iter (fun tv -> incr n; Hashtbl.add type_vars tv.tag !n) s.Env.scheme_vars; s.Env.scheme_type let t_single = Ident.create "single" let t_double = Ident.create "double" let t_mode = Ident.create "mode" let print_builtin_type fmt = function | id when id == t_single -> Pp.string fmt "Single.single" | id when id == t_double -> Pp.string fmt "Double.double" | id when id == t_mode -> Pp.string fmt "Rounding.mode" | id -> ident fmt id let rec pure_type fmt = function | PTint -> fprintf fmt "int" | PTbool -> fprintf fmt "Bool.bool" | PTunit -> fprintf fmt "()" | PTreal -> fprintf fmt "real" | PTexternal ([],id) -> print_builtin_type fmt id | PTvar {tag=t; type_val=None} -> type_var fmt t | PTvar {tag=_t; type_val=Some pt} -> pure_type fmt pt | PTexternal (l,id) -> fprintf fmt "(%a %a)" ident id (print_list space pure_type) l let t_computer_div = Ident.create "computer_div" let t_computer_mod = Ident.create "computer_mod" let builtins_table = [ t_add_int , "Int.(+)"; t_sub_int , "Int.(-)"; t_mul_int , "Int.(*)"; t_computer_div , "ComputerDivision.div"; t_computer_mod , "ComputerDivision.mod"; t_neg_int , "Int.(-_)"; t_add_real , "Real.(+)"; t_sub_real , "Real.(-)"; t_mul_real , "Real.(*)"; t_div_real , "Real.(/)"; t_neg_real , "Real.(-_)"; t_lt_int , "Int.(<)" ; t_le_int , "Int.(<=)"; t_gt_int , "Int.(>)"; t_ge_int , "Int.(>=)"; t_lt_real , "Real.(<)" ; t_le_real , "Real.(<=)"; t_gt_real , "Real.(>)"; t_real_of_int, "FromInt.from_int"; t_abs_int , "AbsInt.abs"; t_abs_real , "AbsReal.abs"; t_sqrt_real, "SquareReal.sqrt"; t_cos, "Trigonometry.cos" ; t_sin, "Trigonometry.sin" ; t_tan, "Trigonometry.tan" ; t_atan, "Trigonometry.atan" ; Ident.create "nearest_even", "Rounding.NearestTiesToEven" ; Ident.create "to_zero", "Rounding.ToZero" ; Ident.create "up", "Rounding.Up" ; Ident.create "down", "Rounding.Down" ; Ident.create "nearest_away", "Rounding.NearTiesToAway" ; Ident.create "round_single", "Single.round" ; Ident.create "round_double", "Double.round" ; Ident.create "single_value", "Single.value"; Ident.create "double_value", "Double.value"; ] let constructor_table = Hashtbl.create 17 let print_builtin fmt id = try let s = List.assq id builtins_table in Pp.string fmt s with Not_found -> if Hashtbl.mem constructor_table id then ident_capitalize fmt id else ident fmt id let rec term fmt = function | Tconst (ConstInt n) -> fprintf fmt "%s" n | Tconst (ConstBool b) -> if b then fprintf fmt "Bool.True" else fprintf fmt "Bool.False" | Tconst ConstUnit -> fprintf fmt "()" | Tconst (ConstFloat c) -> Print_real.print fmt c | Tvar id | Tderef id -> ident fmt id | Tapp (id, tl, instance) -> let ret_type = let var_subst,logic = Env.find_global_logic id in Env.instantiate_specialized var_subst instance; match logic with | Predicate _ -> assert false | Function (_,ret_type) -> ret_type in begin match tl with (* | [] -> fprintf fmt "(%a : %a)" ident id pure_type ret_type *) | _ -> fprintf fmt "(%a %a : %a)" print_builtin id (print_list space term) tl pure_type ret_type end | Tnamed (User n, t) -> fprintf fmt "@[(%S@ %a)@]" n term t | Tnamed (_, t) -> term fmt t let rec predicate fmt = function | Pvar id | Papp (id, [], _) -> ident fmt id | Papp (id, [t1; t2], _) when is_eq id -> fprintf fmt "(%a = %a)" term t1 term t2 | Papp (id, [t1; t2], _) when is_neq id -> fprintf fmt "(%a <> %a)" term t1 term t2 | Papp (id, [a;b], _) when id == t_zwf_zero -> fprintf fmt "@[((Int.(<=) 0 %a) /\\@ (Int.(<) %a %a))@]" term b term a term b | Papp (id, [_t], _) when id == well_founded -> fprintf fmt "@[false (* was well_founded(...) *)@]" | Papp (id, l, _) -> fprintf fmt "(%a %a)" print_builtin id (print_list space term) l | Ptrue -> fprintf fmt "true" | Pfalse -> fprintf fmt "false" | Pimplies (_, a, b) -> fprintf fmt "(@[%a ->@ %a@])" predicate a predicate b | Piff (a, b) -> fprintf fmt "(@[%a <->@ %a@])" predicate a predicate b | Pif (a, b, c) -> fprintf fmt "(@[if %a = Bool.True then@ %a else@ %a@])" term a predicate b predicate c | Pand (_is_wp, is_sym, a, b) -> if is_sym then fprintf fmt "(@[%a /\\@ %a@])" predicate a predicate b else fprintf fmt "(@[%a &&@ %a@])" predicate a predicate b | Forallb (_, _ptrue, _pfalse) -> assert false (* TODO What is it? *) (* fprintf fmt "(@[forallb(%a,@ %a)@])" *) (* predicate ptrue predicate pfalse *) | Por (a, b) -> fprintf fmt "(@[%a \\/@ %a@])" predicate a predicate b | Pnot a -> fprintf fmt "(not %a)" predicate a | Forall (_,id,n,v,tl,p) -> let id = next_away id (predicate_vars p) in let s = subst_onev n id in let p = subst_in_predicate s p in let tl = List.map (List.map (subst_in_pattern s)) tl in fprintf fmt "@[(forall %a:%a%a.@ %a)@]" ident id pure_type v print_triggers tl predicate p | Exists (id,n,v,p) -> let id = next_away id (predicate_vars p) in let p = subst_in_predicate (subst_onev n id) p in fprintf fmt "@[(exists %a:%a.@ %a)@]" ident id pure_type v predicate p | Plet (id, n, _, t, p) -> if false then (* TODO: alt-ergo has no let support yet. *) let id = next_away id (predicate_vars p) in let p = subst_in_predicate (subst_onev n id) p in fprintf fmt "@[(let %a = %a in@ %a)@]" ident id term t predicate p else let p = tsubst_in_predicate (subst_one n t) p in fprintf fmt "@[%a@]" predicate p | Pnamed (User n, p) -> fprintf fmt "@[(%S@ %a)@]" n predicate p | Pnamed (_, p) -> predicate fmt p and print_pattern fmt = function | TPat t -> term fmt t | PPat p -> predicate fmt p and print_triggers fmt = function | [] -> () | tl -> fprintf fmt " [%a]" (print_list alt (print_list comma print_pattern)) tl let sequent fmt (ctx, p) = let context fmt = function | Cc.Svar (id, pt) -> fprintf fmt "forall %a:%a." ident id pure_type pt | Cc.Spred (_, p) -> fprintf fmt "@[%a ->@]" predicate p in print_list newline context fmt ctx; if ctx <> [] then fprintf fmt "@\n"; predicate fmt p let logic_binder fmt (id, pt) = fprintf fmt "(%a : %a)" ident id pure_type pt let logic_type fmt id = function | Predicate [] -> fprintf fmt "@[predicate %a@]" ident id | Function ([], pt) -> fprintf fmt "@[function %a : %a@]" ident id pure_type pt | Predicate ptl -> fprintf fmt "@[predicate %a %a@]" ident id (print_list space pure_type) ptl | Function (ptl, pt) -> fprintf fmt "@[function %a %a : %a@]" ident id (print_list space pure_type) ptl pure_type pt let type_parameters fmt l = let type_var fmt id = fprintf fmt "'%s" id in match l with | [] -> () | l -> fprintf fmt " %a" (print_list space type_var) l let alg_type_parameters fmt = function | [] -> () | l -> fprintf fmt "%a " (print_list space pure_type) l let alg_type_constructor fmt (c,pl) = Hashtbl.add constructor_table c (); match pl with | [] -> fprintf fmt "| %a" ident_capitalize c | _ -> fprintf fmt "| %a (@[%a@])" ident_capitalize c (print_list space (* or comma ? *) pure_type) pl let alg_type_single fmt (_, id, d) = let vs,cs = specialize d in fprintf fmt "@[%a %a@] =@\n @[%a@]" ident id alg_type_parameters vs (print_list newline alg_type_constructor) cs let explanation fmt e = fprintf fmt "\"fun:%s\"@ " e.lemma_or_fun_name; fprintf fmt "\"beh:%s\"@ " e.behavior; fprintf fmt "\"expl:%s\"@ " (Explain.msg_of_kind ~name:e.lemma_or_fun_name e.vc_kind); let (f,l,b,e) = e.vc_loc in fprintf fmt "#\"%s\" %d %d %d#" f l (max b 0) (max e 0) let logic_kind fmt = function | Function _ -> fprintf fmt "function" | Predicate _ -> fprintf fmt "predicate" let decl fmt d = match d with | Dtype (_, id, pl) -> fprintf fmt "@[type %a%a@]" ident id type_parameters pl | Dalgtype ls -> let andsep fmt () = fprintf fmt "@\n" in fprintf fmt "@[type %a@]" (print_list andsep alg_type_single) ls | Dlogic (_, id, lt) -> let lt = specialize lt in logic_type fmt id lt | Dpredicate_def (_, id, def) -> let bl,p = specialize def in fprintf fmt "@[predicate %a %a =@ %a@]" ident id (print_list space logic_binder) bl predicate p | Dinductive_def (_, id, indcases) -> let bl,l = specialize indcases in begin match l with | [] -> fprintf fmt "@[inductive %a %a@]" ident id (print_list space pure_type) bl | _ -> fprintf fmt "@[inductive %a %a@] =@\n @[%a@]@\n@\n@]" ident id (print_list space pure_type) bl (print_list newline (fun fmt (id,p) -> fprintf fmt "@[| %a: %a@]" ident_capitalize id predicate p)) l end | Dfunction_def (_, id, def) -> let bl,pt,t = specialize def in fprintf fmt "@[function %a %a : %a =@ %a@]" ident id (print_list space logic_binder) bl pure_type pt term t | Daxiom (_, id, p) -> let p = specialize p in fprintf fmt "@[axiom %a:@ %a@]" string_capitalize id predicate p | Dgoal (_, is_lemma, expl, id, sq) -> let sq = specialize sq in fprintf fmt "@[%s %s %a:@\n%a@]" (if is_lemma then "lemma" else "goal") (String.capitalize id) explanation expl sequent sq let decl fmt d = fprintf fmt "@[%a@]@\n@\n" decl d (* let print_file fmt = fprintf fmt "@[theory Why2@\n"; fprintf fmt "use Tuple0@\n"; fprintf fmt "use int.Int@\n"; fprintf fmt "use int.Abs as AbsInt@\n"; fprintf fmt "use int.ComputerDivision@\n"; fprintf fmt "use real.Real@\n"; fprintf fmt "use real.Abs as AbsReal@\n"; fprintf fmt "use bool.Bool@\n"; iter (decl fmt); fprintf fmt "@]@\nend@?" let print_trace fmt id expl = fprintf fmt "[%s]@\n" id; Explain.print fmt expl; fprintf fmt "@\n" let print_traces fmt = iter (function | Dgoal (_loc, expl, id, _) -> print_trace fmt id ((*loc,*)expl) | _ -> ()) let output_file f = print_in_file print_file (Options.out_file (f ^ "_why3.why")) *) (* let output_files f = eprintf "Starting Multi-Why output with basename %s@." f; let po = ref 0 in print_in_file (fun ctxfmt -> iter (function | Dgoal (_loc,expl,id,_) as d -> incr po; let fpo = f ^ "_po" ^ string_of_int !po ^ ".why" in print_in_file (fun fmt -> decl fmt d) fpo; if explain_vc then let ftr = f ^ "_po" ^ string_of_int !po ^ ".xpl" in print_in_file (fun fmt -> print_trace fmt id ((*loc,*)expl)) ftr | d -> decl ctxfmt d)) (f ^ "_ctx.why"); eprintf "Multi-Why output done@." let push_or_output_decl = let po = ref 0 in function d -> match d with | Dgoal (_loc,expl,id,_) as d -> incr po; let fpo = Options.out_file (id ^ ".why") in print_in_file (fun fmt -> decl fmt d) fpo; if explain_vc then let ftr = Options.out_file (id ^ ".xpl") in print_in_file (fun fmt -> print_trace fmt id ((*loc,*)expl)) ftr | d -> push_decl d *) module SMap = Map.Make(String) let escape s = let s = String.copy s in for i = 0 to String.length s - 1 do match s.[i] with | ' ' | '\'' | '`' -> s.[i] <- '_' | _ -> () done; s let print_structured_file f fmt = fprintf fmt "@[theory %s_ctx@\n" f; fprintf fmt "use int.Int@\n"; fprintf fmt "use int.Abs as AbsInt@\n"; fprintf fmt "use int.ComputerDivision@\n"; fprintf fmt "use real.Real@\n"; fprintf fmt "use real.FromInt@\n"; fprintf fmt "use real.Abs as AbsReal@\n"; fprintf fmt "use real.Square as SquareReal@\n"; fprintf fmt "use real.Trigonometry@\n"; fprintf fmt "use bool.Bool@\n"; fprintf fmt "use floating_point.Rounding@\n"; fprintf fmt "use floating_point.Single@\n"; fprintf fmt "use floating_point.Double@\n"; let lemmas = ref [] in let functions = ref SMap.empty in iter (function | Dgoal (_,is_lemma, e,_id,_) as d -> begin if is_lemma then lemmas := d :: !lemmas else let fn = e.lemma_or_fun_name in let behs = try SMap.find fn !functions with Not_found -> SMap.empty in let vcs = try SMap.find e.behavior behs with Not_found -> [] in let behs = SMap.add e.behavior (d::vcs) behs in functions := SMap.add fn behs !functions; end | d -> decl fmt d); (* add any function which have no VC *) Hashtbl.iter (fun _key (fn,_beh,_loc) -> try let _ = SMap.find fn !functions in () with Not_found -> functions := SMap.add fn SMap.empty !functions) Util.program_locs ; (* outputs the lemmas and close the ctx theory*) List.iter (decl fmt) (List.rev !lemmas); fprintf fmt "@]@\nend@\n@."; (* outputs the VCs *) SMap.iter (fun fname behs -> (* let floc = try let (_,_,floc) = Hashtbl.find Util.program_locs fname in floc with Not_found -> Loc.dummy_floc in *) SMap.iter (fun beh vcs -> fprintf fmt "@[theory %a_%s@\n" string_capitalize (escape fname) (escape beh); fprintf fmt "use import %s_ctx@\n" f; List.iter (decl fmt) (List.rev vcs); fprintf fmt "@]@\nend@\n@.") behs) !functions let output_structured_file f = print_in_file (print_structured_file (String.capitalize (Filename.basename f))) (Options.out_file (f ^ "_why3.why")) let output_file = output_structured_file why-2.34/src/graphviz.ml0000644000175000017500000007260212311670312013577 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (** Interface with {i GraphViz} This module provides a basic interface with dot and neato, two programs of the GraphViz toolbox. These tools are available at the following URLs: http://www.graphviz.org/ http://www.research.att.com/sw/tools/graphviz/ *) open Format (***************************************************************************) (** {2 Common stuff} *) (** Because the neato and dot engines present a lot of common points - in particular in the graph description language, large parts of the code is shared. First, the [!CommonAttributes] module defines attributes of graphs, nodes and edges that are understood by the two engines. Second, given a module (of type [!ENGINE]) describing an engine the [!MakeEngine] functor provides suitable interface function for it. *) (*-------------------------------------------------------------------------*) (** {3 Common attributes} *) type color = int let fprint_color ppf color = fprintf ppf "\"#%06X\"" color let fprint_string ppf s = fprintf ppf "\"%s\"" s (* let s' = String.escaped s in if s' = s && s <> "" then fprintf ppf "%s" s else fprintf ppf "\"%s\"" s'*) let fprint_string_user ppf s = (* let s = String.escaped s in*) fprintf ppf "\"%s\"" s type arrow_style = [ `None | `Normal | `Inv | `Dot | `Odot | `Invdot | `Invodot ] let fprint_arrow_style ppf = function `None -> fprintf ppf "none" | `Normal -> fprintf ppf "normal" | `Inv -> fprintf ppf "inv" | `Dot -> fprintf ppf "dot" | `Odot -> fprintf ppf "odot" | `Invdot -> fprintf ppf "invdot" | `Invodot -> fprintf ppf "invodot" let fprint_dir ppf = function `TopToBottom -> fprintf ppf "TB" | `LeftToRight -> fprintf ppf "LR" (** The [CommonAttributes] module defines attributes for graphs, nodes and edges that are available in the two engines, dot and neato. *) module CommonAttributes = struct (** Attributes of graphs. *) type graph = [ `Center of bool (** Centers the drawing on the page. Default value is [false]. *) | `Fontcolor of color (** Sets the font color. Default value is [black]. *) | `Fontname of string (** Sets the font family name. Default value is ["Times-Roman"]. *) | `Fontsize of int (** Sets the type size (in points). Default value is [14]. *) | `Label of string (** Caption for graph drawing. *) | `Orientation of [ `Portrait | `Landscape ] (** Sets the page orientation. Default value is [`Portrait]. *) | `Page of float * float (** Sets the PostScript pagination unit, e.g [8.5, 11.0]. *) | `Pagedir of [ `TopToBottom | `LeftToRight ] (** Traversal order of pages. Default value is [`TopToBottom]. *) | `Size of float * float (** Sets the bounding box of drawing (in inches). *) | `OrderingOut (** Constrains order of out-edges in a subgraph according to their file sequence *) ] (** Attributes of nodes. *) type vertex = [ `Color of color (** Sets the color of the border of the node. Default value is [black] *) | `Fontcolor of color (** Sets the label font color. Default value is [black]. *) | `Fontname of string (** Sets the label font family name. Default value is ["Times-Roman"]. *) | `Fontsize of int (** Sets the label type size (in points). Default value is [14]. *) | `Height of float (** Sets the minimum height. Default value is [0.5]. *) | `Label of string (** Sets the label printed in the node. The string may include escaped newlines [\n], [\l], or [\r] for center, left, and right justified lines. Record labels may contain recursive box lists delimited by { | }. *) | `Orientation of float (** Node rotation angle, in degrees. Default value is [0.0]. *) | `Peripheries of int (** Sets the number of periphery lines drawn around the polygon. *) | `Regular of bool (** If [true], then the polygon is made regular, i.e. symmetric about the x and y axis, otherwise the polygon takes on the aspect ratio of the label. Default value is [false]. *) | `Shape of [`Ellipse | `Box | `Circle | `Doublecircle | `Diamond | `Plaintext | `Record | `Polygon of int * float] (** Sets the shape of the node. Default value is [`Ellipse]. [`Polygon (i, f)] draws a polygon with [n] sides and a skewing of [f]. *) | `Style of [ `Filled | `Solid | `Dashed | `Dotted | `Bold | `Invis ] (** Sets the layout style of the node. Several styles may be combined simultaneously. *) | `Width of float (** Sets the minimum width. Default value is [0.75]. *) ] (** Attributes of edges. *) type edge = [ `Color of color (** Sets the edge stroke color. Default value is [black]. *) | `Decorate of bool (** If [true], draws a line connecting labels with their edges. *) | `Dir of [ `Forward | `Back | `Both | `None ] (** Sets arrow direction. Default value is [`Forward]. *) | `Fontcolor of color (** Sets the label font color. Default value is [black]. *) | `Fontname of string (** Sets the label font family name. Default value is ["Times-Roman"]. *) | `Fontsize of int (** Sets the label type size (in points). Default value is [14]. *) | `Label of string (** Sets the label to be attached to the edge. The string may include escaped newlines [\n], [\l], or [\r] for centered, left, or right justified lines. *) | `Labelfontcolor of color (** Sets the font color for head and tail labels. Default value is [black]. *) | `Labelfontname of string (** Sets the font family name for head and tail labels. Default value is ["Times-Roman"]. *) | `Labelfontsize of int (** Sets the font size for head and tail labels (in points). Default value is [14]. *) | `Style of [ `Solid | `Dashed | `Dotted | `Bold | `Invis ] (** Sets the layout style of the edge. Several styles may be combined simultaneously. *) ] (** Pretty-print. *) let fprint_orientation ppf = function `Portrait -> fprintf ppf "portrait" | `Landscape -> fprintf ppf "landscape" let fprint_graph ppf = function `Center b -> fprintf ppf "center=%i" (if b then 1 else 0) | `Fontcolor a -> fprintf ppf "fontcolor=%a" fprint_color a | `Fontname s -> fprintf ppf "fontname=%a" fprint_string s | `Fontsize i -> fprintf ppf "fontsize=%i" i | `Label s -> fprintf ppf "label=%a" fprint_string_user s | `Orientation a -> fprintf ppf "orientation=%a" fprint_orientation a | `Page (x, y) -> fprintf ppf "page=\"%f,%f\"" x y | `Pagedir a -> fprintf ppf "pagedir=%a" fprint_dir a | `Size (x, y) -> fprintf ppf "size=\"%f,%f\"" x y | `OrderingOut -> fprintf ppf "ordering=out" let fprint_shape ppf = function | `Ellipse -> fprintf ppf "ellipse" | `Box -> fprintf ppf "box" | `Circle -> fprintf ppf "circle" | `Doublecircle -> fprintf ppf "doublecircle" | `Diamond -> fprintf ppf "diamond" | `Plaintext -> fprintf ppf "plaintext" | `Record -> fprintf ppf "record" | `Polygon (i, f) -> fprintf ppf "polygon, sides=%i, skew=%f" i f let fprint_node_style ppf = function `Filled -> fprintf ppf "filled" | `Solid -> fprintf ppf "solid" | `Dashed -> fprintf ppf "dashed" | `Dotted -> fprintf ppf "dotted" | `Bold -> fprintf ppf "bold" | `Invis -> fprintf ppf "invis" let fprint_vertex ppf = function `Color a -> fprintf ppf "color=%a" fprint_color a | `Fontcolor a -> fprintf ppf "fontcolor=%a" fprint_color a | `Fontname s -> fprintf ppf "fontname=%a" fprint_string s | `Fontsize i -> fprintf ppf "fontsize=%i" i | `Height f -> fprintf ppf "height=%f" f | `Label s -> fprintf ppf "label=%a" fprint_string_user s | `Orientation f -> fprintf ppf "orientation=%f" f | `Peripheries i -> fprintf ppf "peripheries=%i" i | `Regular b -> fprintf ppf "regular=%b" b | `Shape a -> fprintf ppf "shape=%a" fprint_shape a | `Style a -> fprintf ppf "style=%a" fprint_node_style a | `Width f -> fprintf ppf "width=%f" f let fprint_edge_style = fprint_node_style let fprint_arrow_direction ppf = function `Forward -> fprintf ppf "forward" | `Back -> fprintf ppf "back" | `Both -> fprintf ppf "both" | `None -> fprintf ppf "none" let fprint_edge ppf = function `Color a -> fprintf ppf "color=%a" fprint_color a | `Decorate b -> fprintf ppf "decorate=%b" b | `Dir a -> fprintf ppf "dir=%a" fprint_arrow_direction a | `Fontcolor a -> fprintf ppf "fontcolor=%a" fprint_color a | `Fontname s -> fprintf ppf "fontname=%a" fprint_string s | `Fontsize i -> fprintf ppf "fontsize=%i" i | `Label s -> fprintf ppf "label=%a" fprint_string_user s | `Labelfontcolor a -> fprintf ppf "labelfontcolor=%a" fprint_color a | `Labelfontname s -> fprintf ppf "labelfontname=\"%s\"" s (* (String.escaped s) *) | `Labelfontsize i -> fprintf ppf "labelfontsize=%i" i | `Style a -> fprintf ppf "style=%a" fprint_edge_style a end (*-------------------------------------------------------------------------*) (** {3 The [MakeEngine] functor} *) (** An engine is described by a module of the following signature. *) module type ENGINE = sig module Attributes : sig (** Attributes of graphs provided by the engine. *) type graph (** Attributes of nodes provided by the engine. *) type vertex (** Attribute of edges provided by the engine. *) type edge type subgraph = { sg_name : string; sg_attributes : vertex list; } val fprint_graph:formatter -> graph -> unit val fprint_vertex: formatter -> vertex -> unit val fprint_edge: formatter -> edge -> unit end (** The litteral name of the engine. *) val name: string (** The keyword for graphs ("digraph" for dot, "graph" for neato) *) val opening: string (** The litteral for edge arrows ("->" for dot, "--" for neato) *) val edge_arrow: string end module MakeEngine (EN: ENGINE) (X : sig type t module V : sig type t end module E : sig type t val src : t -> V.t val dst : t -> V.t end val iter_vertex : (V.t -> unit) -> t -> unit val iter_edges_e : (E.t -> unit) -> t -> unit val graph_attributes: t -> EN.Attributes.graph list val default_vertex_attributes: t -> EN.Attributes.vertex list val vertex_name : V.t -> string val vertex_attributes: V.t -> EN.Attributes.vertex list val default_edge_attributes: t -> EN.Attributes.edge list val edge_attributes: E.t -> EN.Attributes.edge list val get_subgraph : V.t -> EN.Attributes.subgraph option end) = struct let command = ref EN.name let set_command cmd = command := cmd exception Error of string let handle_error f arg = try f arg with Error msg -> Printf.eprintf "%s: %s failure\n %s\n" Sys.argv.(0) EN.name msg; flush stderr; exit 2 (** [fprint_graph_attributes ppf list] pretty prints a list of graph attributes on the formatter [ppf]. Attributes are separated by a ";". *) let fprint_graph_attributes ppf list = List.iter (function att -> fprintf ppf "%a;@ " EN.Attributes.fprint_graph att ) list (** [fprint_graph_attribute printer ppf list] pretty prints a list of attributes on the formatter [ppf], using the printer [printer] for each attribute. The list appears between brackets and attributes are speparated by ",". If the list is empty, nothing is printed. *) let fprint_attributes fprint_attribute ppf = function [] -> () | hd :: tl -> let rec fprint_attributes_rec ppf = function [] -> () | hd' :: tl' -> fprintf ppf ",@ %a%a" fprint_attribute hd' fprint_attributes_rec tl' in fprintf ppf " [@[%a%a@]]" fprint_attribute hd fprint_attributes_rec tl (** [fprint_graph_attributes ppf list] pretty prints a list of node attributes using the format of [fprint_attributes]. *) let fprint_node_attributes ppf list = fprint_attributes EN.Attributes.fprint_vertex ppf list (** [fprint_graph_attributes ppf list] pretty prints a list of edge attributes using the format of [fprint_attributes]. *) let fprint_edge_attributes ppf list = fprint_attributes EN.Attributes.fprint_edge ppf list (** [fprint_graph ppf graph] pretty prints the graph [graph] in the CGL language on the formatter [ppf]. *) let fprint_graph ppf graph = let subgraphs = Hashtbl.create 7 in (* Printing nodes. *) let print_nodes ppf = let default_node_attributes = X.default_vertex_attributes graph in if default_node_attributes <> [] then fprintf ppf "node%a;@ " fprint_node_attributes default_node_attributes; X.iter_vertex (function node -> begin match X.get_subgraph node with | None -> () | Some sg -> try let (sg,nodes) = Hashtbl.find subgraphs sg.EN.Attributes.sg_name in Hashtbl.replace subgraphs sg.EN.Attributes.sg_name (sg,node::nodes) with Not_found -> Hashtbl.add subgraphs sg.EN.Attributes.sg_name (sg,[node]) end; fprintf ppf "%s%a;@ " (X.vertex_name node) fprint_node_attributes (X.vertex_attributes node)) graph in (* Printing subgraphs *) let print_subgraphs ppf = Hashtbl.iter (fun name (sg,nodes) -> fprintf ppf "@[subgraph cluster_%s { %t%t };@]@\n" name (fun ppf -> (List.iter (fun n -> fprintf ppf "%a;@\n" EN.Attributes.fprint_vertex n) sg.EN.Attributes.sg_attributes)) (fun ppf -> (List.iter (fun n -> fprintf ppf "%s;" (X.vertex_name n)) nodes)) ) subgraphs in (* Printing edges *) let print_edges ppf = let default_edge_attributes = X.default_edge_attributes graph in if default_edge_attributes <> [] then fprintf ppf "edge%a;@ " fprint_edge_attributes default_edge_attributes; X.iter_edges_e (function edge -> fprintf ppf "%s %s %s%a;@ " (X.vertex_name (X.E.src edge)) EN.edge_arrow (X.vertex_name (X.E.dst edge)) fprint_edge_attributes (X.edge_attributes edge) ) graph in fprintf ppf "@[%s G {@ @[ %a" EN.opening fprint_graph_attributes (X.graph_attributes graph); fprintf ppf "%t@ " print_nodes; fprintf ppf "%t@ " print_subgraphs; fprintf ppf "%t@ " print_edges; fprintf ppf "@]}@]" (** [output_graph oc graph] pretty prints the graph [graph] in the dot language on the channel [oc]. *) let output_graph oc graph = let ppf = formatter_of_out_channel oc in fprint_graph ppf graph; pp_print_flush ppf () end (***************************************************************************) (** {2 Interface with the dot engine} *) (** The [DotAttributes] module defines attributes for graphs, nodes and edges that are available in the dot engine. *) module DotAttributes = struct (** Attributes of graphs. They include all common graph attributes and several specific ones. All attributes described in the "dot User's Manual, February 4, 2002" are handled, excepted: clusterank, color, compound, labeljust, labelloc, ordering, rank, remincross, rotate, searchsize and style. *) type graph = [ CommonAttributes.graph | `Bgcolor of color (** Sets the background color and the inital fill color. *) | `Comment of string (** Comment string. *) | `Concentrate of bool (** If [true], enables edge concentrators. Default value is [false]. *) | `Fontpath of string (** List of directories for fonts. *) | `Layers of string list (** List of layers. *) | `Margin of float (** Sets the page margin (included in the page size). Default value is [0.5]. *) | `Mclimit of float (** Scale factor for mincross iterations. Default value is [1.0]. *) | `Nodesep of float (** Sets the minimum separation between nodes, in inches. Default value is [0.25]. *) | `Nslimit of int (** If set of [f], bounds network simplex iterations by [f * ] when ranking nodes. *) | `Nslimit1 of int (** If set of [f], bounds network simplex iterations by [f * ] when setting x-coordinates. *) | `Ranksep of float (** Sets the minimum separation between ranks. *) | `Quantum of float (** If not [0.0], node label dimensions will be rounded to integral multiples of it. Default value is [0.0]. *) | `Rankdir of [ `TopToBottom | `LeftToRight ] (** Direction of rank ordering. Default value is [`TopToBottom]. *) | `Ratio of [ `Float of float | `Fill | `Compress| `Auto ] (** Sets the aspect ratio. *) | `Samplepoints of int (** Number of points used to represent ellipses and circles on output. Default value is [8]. *) | `Url of string (** URL associated with graph (format-dependent). *) ] (** Attributes of nodes. They include all common node attributes and several specific ones. All attributes described in the "dot User's Manual, February 4, 2002" are handled, excepted: bottomlabel, group, shapefile and toplabel. *) type vertex = [ CommonAttributes.vertex | `Comment of string (** Comment string. *) | `Distortion of float (* TEMPORARY *) | `Fillcolor of color (** Sets the fill color (used when `Style filled). Default value is [lightgrey]. *) | `Fixedsize of bool (** If [true], forces the given dimensions to be the actual ones. Default value is [false]. *) | `Layer of string (** Overlay. *) | `Url of string (** The default url for image map files; in PostScript files, the base URL for all relative URLs, as recognized by Acrobat Distiller 3.0 and up. *) | `Z of float (** z coordinate for VRML output. *) ] (** Attributes of edges. They include all common edge attributes and several specific ones. All attributes described in the "dot User's Manual, February 4, 2002" are handled, excepted: lhead and ltail. *) type edge = [ CommonAttributes.edge | `Arrowhead of arrow_style (** Sets the style of the head arrow. Default value is [`Normal]. *) | `Arrowsize of float (** Sets the scaling factor of arrowheads. Default value is [1.0]. *) | `Arrowtail of arrow_style (** Sets the style of the tail arrow. Default value is [`Normal]. *) | `Comment of string (** Comment string. *) | `Constraints of bool (** If [false], causes an edge to be ignored for rank assignment. Default value is [true]. *) | `Headlabel of string (** Sets the label attached to the head arrow. *) | `Headport of [ `N | `NE | `E | `SE | `S | `SW | `W | `NW ] (* TEMPORARY *) | `Headurl of string (** Url attached to head label if output format is ismap. *) | `Labelangle of float (** Angle in degrees which head or tail label is rotated off edge. Default value is [-25.0]. *) | `Labeldistance of float (** Scaling factor for distance of head or tail label from node. Default value is [1.0]. *) | `Labelfloat of bool (** If [true], lessen constraints on edge label placement. Default value is [false]. *) | `Layer of string (** Overlay. *) | `Minlen of int (** Minimum rank distance between head an tail. Default value is [1]. *) | `Samehead of string (** Tag for head node; edge heads with the same tag are merged onto the same port. *) | `Sametail of string (** Tag for tail node; edge tails with the same tag are merged onto the same port. *) | `Taillabel of string (** Sets the label attached to the tail arrow. *) | `Tailport of [ `N | `NE | `E | `SE | `S | `SW | `W | `NW ] (* TEMPORARY *) | `Tailurl of string (** Url attached to tail label if output format is ismap. *) | `Weight of int (** Sets the integer cost of stretching the edge. Default value is [1]. *) ] type subgraph = { sg_name : string; sg_attributes : vertex list; } (** {4 Pretty-print of attributes} *) let rec fprint_string_list ppf = function [] -> () | [hd] -> fprintf ppf "%s" hd | hd :: tl -> fprintf ppf "%s,%a" hd fprint_string_list tl let fprint_ratio ppf = function `Float f -> fprintf ppf "%f" f | `Fill -> fprintf ppf "fill" | `Compress -> fprintf ppf "compress" | `Auto -> fprintf ppf "auto" let fprint_graph ppf = function #CommonAttributes.graph as att -> CommonAttributes.fprint_graph ppf att | `Bgcolor a -> fprintf ppf "bgcolor=%a" fprint_color a | `Comment s -> fprintf ppf "comment=%a" fprint_string s | `Concentrate b -> fprintf ppf "concentrate=%b" b | `Fontpath s -> fprintf ppf "fontpath=%a" fprint_string s | `Layers s -> fprintf ppf "layers=%a" fprint_string_list s | `Margin f -> fprintf ppf "margin=%f" f | `Mclimit f -> fprintf ppf "mclimit=%f" f | `Nodesep f -> fprintf ppf "nodesep=%f" f | `Nslimit i -> fprintf ppf "nslimit=%i" i | `Nslimit1 i -> fprintf ppf "nslimit1=%i" i | `Ranksep f -> fprintf ppf "ranksep=%f" f | `Quantum f -> fprintf ppf "quantum=%f" f | `Rankdir a -> fprintf ppf "rankdir=%a" fprint_dir a | `Ratio a -> fprintf ppf "ratio=%a" fprint_ratio a | `Samplepoints i -> fprintf ppf "samplepoints=%i" i | `Url s -> fprintf ppf "URL=\"%s\"" s (*(String.escaped s)*) let fprint_vertex ppf = function #CommonAttributes.vertex as att -> CommonAttributes.fprint_vertex ppf att | `Comment s -> fprintf ppf "comment=%a" fprint_string s | `Distortion f -> fprintf ppf "distortion=%f" f | `Fillcolor a -> fprintf ppf "fillcolor=%a" fprint_color a | `Fixedsize b -> fprintf ppf "fixedsize=%b" b | `Layer s -> fprintf ppf "layer=%a" fprint_string s | `Url s -> fprintf ppf "URL=\"%s\"" s (*(String.escaped s)*) | `Z f -> fprintf ppf "z=%f" f let fprint_port ppf = function `N -> fprintf ppf "n" | `NE -> fprintf ppf "ne" | `E -> fprintf ppf "e" | `SE -> fprintf ppf "se" | `S -> fprintf ppf "s" | `SW -> fprintf ppf "sw" | `W -> fprintf ppf "w" | `NW -> fprintf ppf "nw" let fprint_edge ppf = function #CommonAttributes.edge as att -> CommonAttributes.fprint_edge ppf att | `Arrowhead a -> fprintf ppf "arrowhead=%a" fprint_arrow_style a | `Arrowsize f -> fprintf ppf "arrowsize=%f" f | `Arrowtail a -> fprintf ppf "arrowtail=%a" fprint_arrow_style a | `Comment s -> fprintf ppf "comment=%a" fprint_string s | `Constraints b -> fprintf ppf "constraints=%b" b | `Headlabel s -> fprintf ppf "headlabel=%a" fprint_string s | `Headport a -> fprintf ppf "headport=%a" fprint_port a | `Headurl s -> fprintf ppf "headURL=%a" fprint_string s | `Labelangle f -> fprintf ppf "labelangle=%f" f | `Labeldistance f -> fprintf ppf "labeldistance=%f" f | `Labelfloat b -> fprintf ppf "labelfloat=%b" b | `Layer s -> fprintf ppf "layer=%a" fprint_string s | `Minlen i -> fprintf ppf "minlen=%i" i | `Samehead s -> fprintf ppf "samehead=%a" fprint_string s | `Sametail s -> fprintf ppf "sametail=%a" fprint_string s | `Taillabel s -> fprintf ppf "taillabel=%a" fprint_string s | `Tailport a -> fprintf ppf "tailport=%a" fprint_port a | `Tailurl s -> fprintf ppf "tailURL=%a" fprint_string s | `Weight i -> fprintf ppf "weight=%i" i end module Dot = MakeEngine (struct module Attributes = DotAttributes let name = "dot" let opening = "digraph" let edge_arrow = "->" end) (***************************************************************************) (** {2 Interface with the neato engine} *) (** The [NeatoAttributes] module defines attributes for graphs, nodes and edges that are available in the neato engine. *) module NeatoAttributes = struct (** Attributes of graphs. They include all common graph attributes and several specific ones. All attributes described in the "Neato User's manual, April 10, 2002" are handled. *) type graph = [ CommonAttributes.graph | `Margin of float * float (** Sets the page margin (included in the page size). Default value is [0.5, 0.5]. *) | `Start of int (** Seed for random number generator. *) | `Overlap of bool (** Default value is [true]. *) | `Spline of bool (** [true] makes edge splines if nodes don't overlap. Default value is [false]. *) | `Sep of float (** Edge spline separation factor from nodes. Default value is [0.0]. *) ] (** Attributes of nodes. They include all common node attributes and several specific ones. All attributes described in the "Neato User's manual, April 10, 2002" are handled. *) type vertex = [ CommonAttributes.vertex | `Pos of float * float (** Initial coordinates of the node. *) ] (** Attributes of edges. They include all common edge attributes and several specific ones. All attributes described in the "Neato User's manual, April 10, 2002" are handled. *) type edge = [ CommonAttributes.edge | `Id of string (** Optional value to distinguish multiple edges. *) | `Len of float (** Preferred length of edge. Default value is [1.0]. *) | `Weight of float (** Strength of edge spring. Default value is [1.0]. *) ] type subgraph = { sg_name : string; sg_attributes : vertex list; } (** {4 Pretty-print of attributes} *) let fprint_graph ppf = function #CommonAttributes.graph as att -> CommonAttributes.fprint_graph ppf att | `Margin (f1, f2) -> fprintf ppf "margin=\"%f,%f\"" f1 f2 | `Start i -> fprintf ppf "start=%i" i | `Overlap b -> fprintf ppf "overlap=%b" b | `Spline b -> fprintf ppf "spline=%b" b | `Sep f -> fprintf ppf "sep=%f" f let fprint_vertex ppf = function #CommonAttributes.vertex as att -> CommonAttributes.fprint_vertex ppf att | `Pos (f1, f2) -> fprintf ppf "pos=\"%f,%f\"" f1 f2 let fprint_edge ppf = function #CommonAttributes.edge as att -> CommonAttributes.fprint_edge ppf att | `Id s -> fprintf ppf "id=%a" fprint_string s | `Len f -> fprintf ppf "len=%f" f | `Weight f -> fprintf ppf "weight=%f" f end module Neato = MakeEngine (struct module Attributes = NeatoAttributes let name = "neato" let opening = "graph" let edge_arrow = "--" end) why-2.34/src/encoding_mono2.ml0000644000175000017500000012200312311670312014634 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (** Such encoding aims at simulating polymorphism in multi-sorted logic. There are basically three cases 1- For a term that is not of sort INT and which is not used in a INT context, the translation of the outermost symbol is the same as in strat 2- For a term of sort INT and which is used in an INT context, the outermost term is not modified 3- For a term of sort INT in a polymorphic context and a term of an instantied sort which is used in an INT context a special treatment is provided. *) open Cc open Logic open Logic_decl open Util let loc = Loc.dummy_floc let prefix = "c_" let suffix = "_c" let var = "x" let tvar = "t" let cpt = ref 0 let axiomA c = (c^suffix)^ "_to_" ^ c let axiomR c = (c^suffix)^ "_to_" ^ (c^suffix) let def c = "def_"^c let int2U = "int2U" let ss2Int = "ss2Int" let real2U = "real2U" let ss2Real = "ss2Real" let bool2U = "bool2U" let ss2Bool = "ss2Bool" let unit2U = "unit2U" let ss2Unit = "ss2Unit" let arities = ref [] let prefixForTypeIdent ident = "type_"^ident let int = Tapp (Ident.create (prefix^"int"), [], []) let real = Tapp (Ident.create (prefix^"real"), [], []) let bool = Tapp (Ident.create (prefix^"bool"), [], []) let unit = Tapp (Ident.create (prefix^"unit"), [], []) (* Ground instanciation of an arity (to be plunged under) *) let instantiate_arity id inst = let arity = try List.assoc (Ident.string id) !arities with e -> (print_endline ("Encoding_mono2: unknown arity for "^(Ident.string id))); raise e in let (vs, log_type) = Env.specialize_logic_type arity in match log_type with Function (ptl, rt) -> ignore (Env.Vmap.fold (fun _ v l -> (match l with [] -> [] | _ -> (v.type_val <- Some (List.hd l); (List.tl l)))) vs (List.rev inst)); rt | _ -> assert false (** @return the list containing the type of the function/predicate parameters. This fucntion is called when we want to reduce the encoding of the function/predicate parameter according to the type of these ones. @param id is the function/predicate name for which we look for the parameters **) let getParamTypeList id = let arity = try List.assoc (Ident.string id) !arities with e -> (print_endline ("Encoding_mono2: unknown arity for "^(Ident.string id))); raise e in let (vs, log_type) = Env.specialize_logic_type arity in match log_type with Function (ptl, _) -> ptl | Predicate ptl -> ptl (** The unique type for all terms. this function is used everywhere we use a generic sort for the term **) let ut = PTexternal ([], Ident.create (prefix^"unique")) (** @param pt is the type we are going to translate. @return either the type if this one if a built in type (like int, float) or the type ssorted **) let ssortedButBuiltIn pt = match pt with PTint as k -> k | PTreal as k -> k | PTbool as k -> k | PTunit as k -> k | _ -> PTexternal ([], Ident.create (prefix^"ssorted")) (** @param pt is the type we are going to translate. @return either the type if this one if a built in type (like int, float) or the unique type define just above **) let utButBuiltIn pt = match pt with PTint as k -> k | PTreal as k -> k | PTbool as k -> k | PTunit as k -> k | _ -> ut (** @param pt is the type we are going to translate. @return either the type if this one if a built in type (like int, float) or the unique type define in the ut function. It is a shortcut since it allows to create quickly a PureType. **) let ssortedButBuiltInString pt = match pt with "PTint" -> PTint | "PTreal" -> PTreal | "PTbool" -> PTbool | "PTunit" -> PTunit | "type" -> PTexternal ([], Ident.create (prefix^"type")) | "ssorted" -> PTexternal ([], Ident.create (prefix^"ssorted")) | _ -> (*Printf.printf " type : %s \n" pt ; *) PTexternal ([], Ident.create (prefix^"type")) (** @param ptl is the list of pure type @return a list with the same size as ptl and whose only contains the the type unique **) let unify ptl = List.map (fun _ -> ut) ptl (** @param ptl is the list of pure type @return a list with the same size as ptl and whose only contains the the type unique, but for built in type that are preserved **) let unifyPureType ptl = List.map (fun pt -> ssortedButBuiltIn pt) ptl (** @param ptl is the list of pure type, described as string @return a list with the same size as ptl and whose only contains the the type unique, but for built in type that are preserved **) let unifyString ptl = List.map (fun pt -> ssortedButBuiltInString pt) ptl (** @return a forall predicate without trigger **) let newForallTriggerFree is_wp x t p = let n = Ident.bound x in let s = Misc.subst_onev x n in let p = Misc.subst_in_predicate s p in Forall (is_wp, x, n, t, [], p) (** @return a forall predicate with triggers aiming at helping the prover **) let newForall is_wp x ty tr p = let n = Ident.bound x in let sp = Misc.subst_onev x n in let pp = Misc.subst_in_predicate sp p in let tt = Misc.subst_in_triggers sp tr in Forall (is_wp, x , n, ty, tt, pp) (** Axiomatizes the theory used in this encoding. **) let prelude = (* The unique sort for not built-in types*) (Dtype (loc, [], prefix^"unique")):: (Dtype (loc, [], prefix^"ssorted")):: (Dtype (loc, [], prefix^"type")):: (Dtype (loc, [], prefix^"Boolean")):: (Dtype (loc, [], prefix^"Unit")):: (Dlogic (loc, prefix^"sort", Env.empty_scheme (Function ([ssortedButBuiltInString "type" ; ut], ssortedButBuiltInString "ssorted")))):: (Dlogic (loc, prefix^"Boolean_true", Env.empty_scheme (Function ([], ssortedButBuiltIn PTbool)))):: (Dlogic (loc, prefix^"Boolean_false", Env.empty_scheme (Function ([], ssortedButBuiltIn PTbool)))):: (** \forall b : bool b= true \lor b = false **) (Daxiom (loc, axiomR "either true_or_false", let b = Ident.create "b" in let boolTrue = Tapp (Ident.create (prefix^"Boolean_true"), [], []) in let boolFalse = Tapp (Ident.create (prefix^"Boolean_false"), [], []) in let eqTrue = Papp (Ident.t_eq, [boolTrue ; Tvar b], []) in let eqFalse = Papp (Ident.t_eq, [boolFalse ; Tvar b], []) in let eq = Por (eqTrue, eqFalse) in Env.empty_scheme (newForallTriggerFree false b PTbool eq ))):: (** true \neq false **) (Daxiom (loc, axiomR "true_neq_false", let boolTrue = Tapp (Ident.create (prefix^"Boolean_true"), [], []) in let boolFalse = Tapp (Ident.create (prefix^"Boolean_false"), [], []) in let neq = Papp (Ident.t_neq,[boolTrue;boolFalse], []) in Env.empty_scheme neq )):: (Dlogic (loc, int2U, Env.empty_scheme (Function ([ssortedButBuiltIn PTint], ut)))):: (Dlogic (loc, ss2Int, Env.empty_scheme (Function ([ssortedButBuiltInString "ssorted"], ssortedButBuiltIn PTint)))):: (Dlogic (loc, real2U, Env.empty_scheme (Function ([ssortedButBuiltIn PTreal], ut)))):: (Dlogic (loc, ss2Real, Env.empty_scheme (Function ([ssortedButBuiltInString "ssorted"], ssortedButBuiltIn PTreal)))):: (Dlogic (loc, bool2U, Env.empty_scheme (Function ([ssortedButBuiltIn PTbool], ut)))):: (Dlogic (loc, ss2Bool, Env.empty_scheme (Function ([ssortedButBuiltInString "ssorted"], ssortedButBuiltIn PTbool)))):: (Dlogic (loc, unit2U, Env.empty_scheme (Function ([ssortedButBuiltIn PTunit], ut)))):: (Dlogic (loc, ss2Unit, Env.empty_scheme (Function ([ssortedButBuiltInString "ssorted"], ssortedButBuiltIn PTunit)))):: (Dlogic (loc, prefix^"int", Env.empty_scheme (Function ([], ssortedButBuiltInString "type")))):: (Dlogic (loc, prefix^"bool", Env.empty_scheme (Function ([], ssortedButBuiltInString "type")))):: (Dlogic (loc, prefix^"real", Env.empty_scheme (Function ([], ssortedButBuiltInString "type")))):: (Dlogic (loc, prefix^"unit", Env.empty_scheme (Function ([], ssortedButBuiltInString "type")))):: (Dlogic (loc, prefix^"ref", Env.empty_scheme (Function ([ut], ut)))):: (** \forall x,y: U, t : Typ . sort(t,x) = sort(t,y) => x = y **) (Daxiom (loc, axiomR prefix^"sort_is_injective", let t = Ident.create "t" in let x = Ident.create "x" in let y = Ident.create "y" in let sort_t_x_ = Tapp (Ident.create (prefix^"sort"), [Tvar t;Tvar x], []) in let sort_t_y_ = Tapp (Ident.create (prefix^"sort"), [Tvar t;Tvar y], []) in let sort_t_x_Eq_sort_t_y = Papp (Ident.t_eq, [sort_t_x_; sort_t_y_], []) in let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in let implication = Pimplies (false, sort_t_x_Eq_sort_t_y, x_Eq_y) in let innerForally = newForallTriggerFree false y ut implication in let innerForallx = newForallTriggerFree false x ut innerForally in let outerForall = newForallTriggerFree false t (ssortedButBuiltInString "type") innerForallx in Env.empty_scheme outerForall)):: (** \forall x: Int . ss2Int(sort(int, int2U(x))) = x (a) **) (Daxiom (loc, axiomR "eq_"^ss2Int^"_"^int2U, let x = Ident.create "x" in let int2u_x_ = Tapp (Ident.create int2U, [Tvar x], []) in let sort_int_int2U_x_ = Tapp (Ident.create (prefix^"sort"), [int; int2u_x_], []) in let ss2Intsort_int_int2U_x_ = Tapp (Ident.create ss2Int, [sort_int_int2U_x_], []) in let peq = Papp (Ident.t_eq,[ss2Intsort_int_int2U_x_;Tvar x], []) in Env.empty_scheme (newForall false x PTint [[TPat sort_int_int2U_x_]]peq ))):: (** \forall x,y: Int . int2U(x) = int2U(y) => x = y **) (Daxiom (loc, axiomR int2U^"_is_injective", let x = Ident.create "x" in let int2u_x_ = Tapp (Ident.create int2U, [Tvar x], []) in let y = Ident.create "y" in let int2u_y_ = Tapp (Ident.create int2U, [Tvar y], []) in let int2u_x_Eq_int2u_y_ = Papp (Ident.t_eq, [int2u_x_; int2u_y_], []) in let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in let implication = Pimplies (false, int2u_x_Eq_int2u_y_, x_Eq_y) in let innerForall = newForallTriggerFree false y PTint implication in let outerForall = newForallTriggerFree false x PTint innerForall in Env.empty_scheme outerForall)):: (** \forall x,y: Real . real2U(x) = real2U(y) => x = y **) (Daxiom (loc, axiomR real2U^"_is_injective", let x = Ident.create "x" in let real2u_x_ = Tapp (Ident.create real2U, [Tvar x], []) in let y = Ident.create "y" in let real2u_y_ = Tapp (Ident.create real2U, [Tvar y], []) in let real2u_x_Eq_real2u_y_ = Papp (Ident.t_eq, [real2u_x_; real2u_y_], []) in let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in let implication = Pimplies (false, real2u_x_Eq_real2u_y_, x_Eq_y) in let innerForall = newForallTriggerFree false y PTreal implication in let outerForall = newForallTriggerFree false x PTreal innerForall in Env.empty_scheme outerForall)):: (** \forall x,y: Bool . bool2U(x) = bool2U(y) => x = y **) (Daxiom (loc, axiomR bool2U^"_is_injective", let x = Ident.create "x" in let bool2u_x_ = Tapp (Ident.create bool2U, [Tvar x], []) in let y = Ident.create "y" in let bool2u_y_ = Tapp (Ident.create bool2U, [Tvar y], []) in let bool2u_x_Eq_bool2u_y_ = Papp (Ident.t_eq, [bool2u_x_; bool2u_y_], []) in let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in let implication = Pimplies (false, bool2u_x_Eq_bool2u_y_, x_Eq_y) in let innerForall = newForallTriggerFree false y PTbool implication in let outerForall = newForallTriggerFree false x PTbool innerForall in Env.empty_scheme outerForall)):: (** \forall x,y: ssorted . ss2Int(x) = ss2Int(y) => x = y **) (Daxiom (loc, axiomR ss2Int^"_is_injective", let x = Ident.create "x" in let ss2int_x_ = Tapp (Ident.create ss2Int, [Tvar x], []) in let y = Ident.create "y" in let ss2int_y_ = Tapp (Ident.create ss2Int, [Tvar y], []) in let ss2int_x_Eq_ss2int_y_ = Papp (Ident.t_eq, [ss2int_x_; ss2int_y_], []) in let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in let implication = Pimplies (false, ss2int_x_Eq_ss2int_y_, x_Eq_y) in let innerForall = newForallTriggerFree false y (ssortedButBuiltInString "ssorted") implication in let outerForall = newForallTriggerFree false x (ssortedButBuiltInString "ssorted") innerForall in Env.empty_scheme outerForall)):: (** \forall x,y: U . ss2Real(x) = ss2Real(y) => x = y **) (Daxiom (loc, axiomR ss2Real^"_is_injective", let x = Ident.create "x" in let ss2real_x_ = Tapp (Ident.create ss2Real, [Tvar x], []) in let y = Ident.create "y" in let ss2real_y_ = Tapp (Ident.create ss2Real, [Tvar y], []) in let ss2real_x_Eq_ss2real_y_ = Papp (Ident.t_eq, [ss2real_x_; ss2real_y_], []) in let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in let implication = Pimplies (false, ss2real_x_Eq_ss2real_y_, x_Eq_y) in let innerForall = newForallTriggerFree false y (ssortedButBuiltInString "ssorted") implication in let outerForall = newForallTriggerFree false x (ssortedButBuiltInString "ssorted") innerForall in Env.empty_scheme outerForall)):: (** \forall x,y: U . ss2Bool(x) = ss2Bool(y) => x = y **) (Daxiom (loc, axiomR ss2Bool^"_is_injective", let x = Ident.create "x" in let ss2bool_x_ = Tapp (Ident.create ss2Bool, [Tvar x], []) in let y = Ident.create "y" in let ss2bool_y_ = Tapp (Ident.create ss2Bool, [Tvar y], []) in let ss2bool_x_Eq_ss2bool_y_ = Papp (Ident.t_eq, [ss2bool_x_; ss2bool_y_], []) in let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in let implication = Pimplies (false, ss2bool_x_Eq_ss2bool_y_, x_Eq_y) in let innerForall = newForallTriggerFree false y (ssortedButBuiltInString "ssorted") implication in let outerForall = newForallTriggerFree false x (ssortedButBuiltInString "ssorted") innerForall in Env.empty_scheme outerForall)):: (** \forall x,y: U . ss2Unit(x) = ss2Unit(y) => x = y **) (Daxiom (loc, axiomR ss2Unit^"_is_injective", let x = Ident.create "x" in let ss2unit_x_ = Tapp (Ident.create ss2Unit, [Tvar x], []) in let y = Ident.create "y" in let ss2unit_y_ = Tapp (Ident.create ss2Unit, [Tvar y], []) in let ss2unit_x_Eq_ss2unit_y_ = Papp (Ident.t_eq, [ss2unit_x_; ss2unit_y_], []) in let x_Eq_y = Papp (Ident.t_eq, [Tvar x; Tvar y], []) in let implication = Pimplies (false, ss2unit_x_Eq_ss2unit_y_, x_Eq_y) in let innerForall = newForallTriggerFree false y (ssortedButBuiltInString "ssorted") implication in let outerForall = newForallTriggerFree false x (ssortedButBuiltInString "ssorted") innerForall in Env.empty_scheme outerForall)):: (** \forall x:Real . ss2Real(sort(real, real2U(x))) = x (b) **) (Daxiom (loc, axiomR "eq_"^ss2Real^"_"^real2U, let x = Ident.create "x" in let real2u_x_ = Tapp (Ident.create real2U, [Tvar x], []) in let sort_real_real2U_x_ = Tapp (Ident.create (prefix^"sort"), [real; real2u_x_], []) in let ss2Realsort_real_real2U_x_ = Tapp (Ident.create ss2Real, [sort_real_real2U_x_], []) in let peq = Papp (Ident.t_eq,[ss2Realsort_real_real2U_x_;Tvar x], []) in Env.empty_scheme (newForall false x PTreal [[TPat sort_real_real2U_x_]]peq ))):: (** \forall x:Bool . ss2Bool(sort(bool, bool2U(x))) = x **) (Daxiom (loc, axiomR "eq_"^ss2Bool^"_"^bool2U, let x = Ident.create "x" in let bool2u_x_ = Tapp (Ident.create bool2U, [Tvar x], []) in let sort_bool_bool2U_x_ = Tapp (Ident.create (prefix^"sort"), [bool; bool2u_x_], []) in let ss2Boolsort_bool_bool2U_x_ = Tapp (Ident.create ss2Bool, [sort_bool_bool2U_x_], []) in let peq = Papp (Ident.t_eq,[ss2Boolsort_bool_bool2U_x_;Tvar x], []) in Env.empty_scheme (newForall false x PTbool [[TPat sort_bool_bool2U_x_]]peq ))):: (** \forall x:Unit . ss2Unit(sort(unit, unit2U(x))) = x **) (Daxiom (loc, axiomR "eq_"^ss2Unit^"_"^unit2U, let x = Ident.create "x" in let unit2u_x_ = Tapp (Ident.create unit2U, [Tvar x], []) in let sort_unit_unit2U_x_ = Tapp (Ident.create (prefix^"sort"), [unit; unit2u_x_], []) in let ss2Unitsort_unit_unit2U_x_ = Tapp (Ident.create ss2Unit, [sort_unit_unit2U_x_], []) in let peq = Papp (Ident.t_eq,[ss2Unitsort_unit_unit2U_x_;Tvar x], []) in Env.empty_scheme (newForall false x PTunit [[TPat sort_unit_unit2U_x_]]peq ))):: (** \forall x. U int2U(ss2Int(sort(int,x))) = x **) (Daxiom (loc, axiomR "eq_"^int2U^"_"^ss2Int, let x = Ident.create "x" in let sort_int_x_ = Tapp (Ident.create (prefix^"sort"), [int; Tvar x], []) in let ss2Int_sort_int_x_ = Tapp (Ident.create ss2Int, [sort_int_x_], []) in let int2U_ss2Int_sort_int_x_ = Tapp (Ident.create int2U, [ss2Int_sort_int_x_], []) in let peq = Papp (Ident.t_eq, [int2U_ss2Int_sort_int_x_;Tvar x], []) in Env.empty_scheme (newForall false x ut [[TPat ss2Int_sort_int_x_]]peq ))):: (** \forall x. U real2U(ss2Real(sort(real,x))) = x **) (Daxiom (loc, axiomR "eq_"^real2U^"_"^ss2Real, let x = Ident.create "x" in let sort_real_x_ = Tapp (Ident.create (prefix^"sort"), [real; Tvar x], []) in let ss2Real_sort_real_x_ = Tapp (Ident.create ss2Real, [sort_real_x_], []) in let real2U_ss2Real_sort_real_x_ = Tapp (Ident.create real2U, [ss2Real_sort_real_x_], []) in let peq = Papp (Ident.t_eq, [real2U_ss2Real_sort_real_x_;Tvar x], []) in Env.empty_scheme (newForall false x ut [[TPat ss2Real_sort_real_x_]]peq ))):: (** \forall x. U bool2U(ss2Bool(sort(bool,x))) = sort(bool,x) **) (Daxiom (loc, axiomR "eq_"^bool2U^"_"^ss2Bool, let x = Ident.create "x" in let sort_bool_x_ = Tapp (Ident.create (prefix^"sort"), [bool; Tvar x], []) in let ss2Bool_sort_bool_x_ = Tapp (Ident.create ss2Bool, [sort_bool_x_], []) in let bool2U_ss2Bool_sort_bool_x_ = Tapp (Ident.create bool2U, [ss2Bool_sort_bool_x_], []) in let peq = Papp (Ident.t_eq, [bool2U_ss2Bool_sort_bool_x_;Tvar x], []) in Env.empty_scheme (newForall false x ut [[TPat bool2U_ss2Bool_sort_bool_x_]]peq ))):: (** \forall x. U unit2U(ss2Unit(sort(unit,x))) = sort(unit,x) **) (Daxiom (loc, axiomR "eq_"^unit2U^"_"^ss2Unit, let x = Ident.create "x" in let sort_unit_x_ = Tapp (Ident.create (prefix^"sort"), [unit; Tvar x], []) in let ss2Unit_sort_unit_x_ = Tapp (Ident.create ss2Unit, [sort_unit_x_], []) in let unit2U_ss2Unit_sort_unit_x_ = Tapp (Ident.create unit2U, [ss2Unit_sort_unit_x_], []) in let peq = Papp (Ident.t_eq, [unit2U_ss2Unit_sort_unit_x_;Tvar x], []) in Env.empty_scheme (newForall false x ut [[TPat unit2U_ss2Unit_sort_unit_x_]]peq ))):: [] (** internal function used in plunge and typedPlunge. it recursively translates the type given in parameter if it is a built-in type, a constant corresponding to this type is generated if it is a type variable, a variable corresponding to this type is generated @pt is the type @fv is list of (tag,typeVar) of the problem **) let rec leftt pt fv= match pt with PTint -> Tapp (Ident.create (prefix^"int"), [], []) | PTbool -> Tapp (Ident.create (prefix^"bool"), [], []) | PTreal -> Tapp (Ident.create (prefix^"real"), [], []) | PTunit -> Tapp (Ident.create (prefix^"unit"), [], []) | PTvar ({type_val = None} as var) -> (*let s = string_of_int var.tag in *) let t = try (List.assoc var.tag fv) with _ -> let s = string_of_int var.tag in (print_endline ("unknown vartype : "^s); Ident.create "dummy") in (*print_endline ("Vartype : "^s^" :"^(Ident.string t)); *) Tvar t | PTvar {type_val = Some pt} -> leftt pt fv | PTexternal (ptl, id) -> Tapp ( Ident.create (prefixForTypeIdent (Ident.string id)), List.map (fun pt -> leftt pt fv) ptl, []) (**@return a Tapp that encapsulates a term t with sort(..., t) by calling to lefft @param fv is the list of type variable of the problem @param term is the term we want to encapsulate @param pt is the type of the term **) let plunge fv term pt = Tapp (Ident.create (prefix^"sort"), [leftt pt fv; term], []) (**@return a Tapp that encapsulates a term t with sort(...,f(t)) where f is a casting function from built-in type to the unique sort sinc the second parameter of sort is of type unique. @param fv is the list of type variable of the problem @param term is the term we want to encapsulate @param pt is the type of the term **) let typedPlunge fv term pt = (** internal function that accomplish the casting task **) let cast pt term = match pt with PTint -> Tapp (Ident.create int2U, [term], []) | PTbool -> Tapp (Ident.create bool2U, [term], []) | PTreal -> Tapp (Ident.create real2U, [term], []) | PTunit -> Tapp (Ident.create unit2U, [term], []) | _ -> term in let l = Tapp (Ident.create (prefix^"sort"), [leftt pt fv; cast pt term], []) in l (** @return the type of a term given in parameter @param term is the term we want the type @param lv is the list of (var,type) of the problem **) let rec getTermType term lv = (*Format.eprintf "getTermType : %a \n List " Util.print_term term ; List.iter (fun (id,ty) -> Format.eprintf "(%s ,%a) " (Ident.string id) Util.print_pure_type ty ) lv; *) match term with | Tvar id -> (* let l = List.map (fun (id,x) -> Ident.string id,x) lv in let associatedType = (try List.assoc (Ident.string id) l with e -> Format.eprintf "Exception 2 Caught In getTermType : %s" (Ident.string id); raise e) in*) let associatedType = (try List.assoc id lv with e -> Format.eprintf "Exception Caught In getTermType : %s" (Ident.string id); raise e) in associatedType | Tapp (id, l, inst) when (Ident.is_int_arith id) -> PTint | Tapp (id, l, inst) when (Ident.is_real_arith id) -> PTreal | Tapp (id, l, inst) -> instantiate_arity id inst | Tconst (ConstInt _) -> PTint | Tconst (ConstBool _) -> PTbool | Tconst (ConstUnit) -> PTunit | Tconst (ConstFloat f) -> PTreal | Tderef _ -> assert false | Tnamed(_,t) -> getTermType t lv let isBuiltInType t= match t with PTint | PTreal | PTbool | PTunit -> true | _ -> false (** Translate of a term @param fv is the list of type variables of the problem @param lv is the list of free variables of the term @param term is the term we want to encapsulate @param pt is the type of the term **) let rec translate_term fv lv term doTheCast= let rec translate fv lv term = match term with | Tnamed(_,t) -> translate fv lv t | Tvar id as t -> let t = typedPlunge fv (Tvar id) (getTermType t lv) in t | Tapp (id, tl, inst) when Ident.is_simplify_arith id -> (** This function yields a numeric parameter we have to cast the result into the u type **) let outermostCast = if Ident.is_real_arith id then real2U else int2U in let inner = Tapp(Ident.create outermostCast, [Tapp(id, List.map (** each parameter of this function is a built-in We cast it to respect this constraint **) (fun t -> translateParam fv lv t true) tl, [])], []) in let innerCast = if ( outermostCast= real2U) then real else int in Tapp(Ident.create (prefix^"sort"), [innerCast; inner],[]) | Tapp (id, tl, inst) -> (** it is not a arithmetic function **) (** retrieves the function signature **) let paramList = ref (getParamTypeList id) in (** translates the parameter wrt the function signature **) let translateParameter t = match !paramList with pt::tl -> paramList := tl ; translateParam fv lv t (isBuiltInType pt) | [] -> assert false in (** eventually encapsulates the function **) let t = typedPlunge fv (Tapp (id, List.map (fun t -> translateParameter t) tl, [])) (instantiate_arity id inst) in (*Format.printf "term: %a\n" Util.print_term ter ; *) t | Tconst (ConstInt _) as t -> typedPlunge fv t PTint | Tconst (ConstBool _) as t -> typedPlunge fv t PTbool | Tconst (ConstUnit) as t -> typedPlunge [] t PTunit | Tconst (ConstFloat f) as t -> typedPlunge fv t PTreal | Tderef id as t -> print_endline ("id in Tderef : "^(Ident.string id)); t in if doTheCast then match (getTermType term lv) with PTint -> Tapp(Ident.create ss2Int, [translate fv lv term],[]) | PTreal -> Tapp(Ident.create ss2Real, [translate fv lv term],[]) | PTbool -> Tapp(Ident.create ss2Bool, [translate fv lv term],[]) | PTunit -> Tapp(Ident.create ss2Unit, [translate fv lv term],[]) | _ -> (** if the type is not pure, i.e. it is deduced syntactically **) let term'= translate fv lv term in match term' with Tapp (id, [sortTerm;_], _) when Ident.string id = prefix^"sort" -> begin match sortTerm with Tapp (k, [], []) when Ident.string k = prefix^"int" -> Tapp(Ident.create ss2Int, [term'],[]) | Tapp (k, [], []) when Ident.string k = prefix^"real" -> Tapp(Ident.create ss2Real, [term'],[]) | Tapp (k, [], []) when Ident.string k = prefix^"bool"-> Tapp(Ident.create ss2Bool, [term'],[]) | _ (* Tapp (k, [], []) when Ident.string k = prefix^"unit" *)-> Tapp(Ident.create ss2Unit, [term'],[]) (* | _ as t -> *) (* Format.printf ("tt : %a \n ") print_term t ; *) (* assert false *) end | _ -> assert false else translate fv lv term (** @return a term generated by a classical translation composed with a reduction that directly applies the axioms (a) and (b). @param fv is the list of type variables of the problem @param lv is the list of variables of the term @param t is the term we have to translate @param isArith the a boolean flag used in the clasical translate_term function **) and translateParam fv lv t doTheCast = let tp = translate_term fv lv t doTheCast in match tp with Tapp(id1, [ti],_) when Ident.string id1 = ss2Int -> begin match ti with Tapp(id2, [_;tk],_) when Ident.string id2 = prefix^"sort" -> begin match tk with Tapp(id3, [tl],_) when Ident.string id3 = int2U -> tl | _ -> tp end | _ -> tp end | Tapp(id1, [ti],_) when Ident.string id1 = ss2Real -> begin match ti with Tapp(id2, [_;tk],_) when Ident.string id2 = prefix^"sort" -> begin match tk with Tapp(id3, [tl],_) when Ident.string id3 = real2U -> tl | _ -> tp end | _ -> tp end | Tapp(id1, [ti],_) when Ident.string id1 = ss2Bool -> begin match ti with Tapp(id2, [_;tk],_) when Ident.string id2 = prefix^"sort" -> begin match tk with Tapp(id3, [tl],_) when Ident.string id3 = bool2U -> tl | _ -> tp end | _ -> tp end | _ -> tp (** @param fv is the list of type variables of the problem @param lv is the list of variables of the term @param t is the term we have to translate **) and literalParam fv lv t = let tp = translate_term fv lv t false in match tp with Tapp(id, [_;tk],_) when Ident.string id = prefix^"sort" -> tk | _ -> tp let rec reduceEquality t1 t2 = match (t1,t2) with (Tapp(id1, [tk1],_),Tapp(id2, [tk2],_)) when (Ident.string id1 = Ident.string id2 && (id1 = Ident.create ("int2U") || id1 = Ident.create ("ss2Int") || id1 = Ident.create ("bool2U") || id1 = Ident.create ("ss2Bool") || id1 = Ident.create ("real2U") || id1 = Ident.create ("ss2Real") ))-> reduceEquality tk1 tk2 | (Tapp(id1, [_;tk1],_),Tapp(id2, [_;tk2],_)) when (id1 = Ident.create (prefix^"sort") && Ident.string id1 = Ident.string id2) -> reduceEquality tk1 tk2 | _-> t1::t2::[] (** @return a predicate that is universally quantified with the top most variable present in the list l. These varaible are of sort type. When it is the last variable into the list, it adds trigger When the type variable list is empty, it returns only the predicate It is called when we build an axiom at the outermost position @param l is a list of type variables @param p is the predicate we want to add quantifiers @param t is the triggers **) let rec lifted l p t = match l with [] -> p | (_, s)::[] -> newForall false s (ssortedButBuiltInString "type") t p | (_, s)::q -> newForallTriggerFree false s (ssortedButBuiltInString "type") (lifted q p t) (** @return a predicate that is universally quantified with the top most variable present in the list l. When it is the last variable into the list, it adds trigger When the variable list is empty, it returns only the predicate It is called when we build an axiom to quantify the free variables @param l is a list of variables (a,t) where a is the variable identifier and t is its type. @param p is the predicate we want to add quantifiers @param t is the triggers **) let rec lifted_t l p tr = match l with [] -> p | (a,t)::[] -> newForall false a t tr p | (a,t)::q -> newForallTriggerFree false a t (lifted_t q p tr) let lifted_ctxt l cel = (List.map (fun (pt,s) -> Svar(s, PTexternal ([], Ident.create (prefix^"type")))) l)@cel (** @return true if all the element of tl are of sort Int or Real (and not sort (int,...) i.e. of sort u) @param tl is the list of terms we analyse @param lv is the list of free varaiables in the terms list **) let rec getEqualityType tl lv = let ret = ref PTbool in (fun tl -> match tl with [] -> !ret | hd::l -> begin match hd with Tapp (id, _, _) when Ident.is_int_arith id -> ret:= PTint ; getEqualityType l lv | Tapp (id, _, _) when Ident.is_real_arith id -> ret:= PTint ; getEqualityType l lv | Tapp (id, _, inst) -> begin let pt = (instantiate_arity id inst) in match pt with PTint -> ret:= PTint ; getEqualityType l lv | PTreal -> ret:= PTreal ; getEqualityType l lv | PTbool -> ret:= PTbool ; getEqualityType l lv | PTunit -> ret := PTunit ; getEqualityType l lv | _ -> pt end | Tconst (ConstInt _) -> ret:= PTint ; getEqualityType l lv | Tconst (ConstFloat _) -> ret:= PTreal ; getEqualityType l lv | Tconst (ConstBool _) -> ret:= PTbool ; getEqualityType l lv | Tconst ConstUnit -> ret:= PTunit ; getEqualityType l lv | Tvar id as t-> begin let pt = (try List.assoc id lv with e -> Format.eprintf "Exception Caught In getEqualityType : %a" Util.print_term t ; raise e) in match pt with PTint -> ret:= PTint ; getEqualityType l lv | PTreal -> ret:= PTreal ; getEqualityType l lv | PTbool -> ret:= PTbool ; getEqualityType l lv | PTunit -> ret:= PTunit ; getEqualityType l lv | _ -> pt end | _ -> assert false end) tl (** @param fv is the list of type variables of the problem @param p is the predicate we have to translate @param lv is the list of free variables in the predicate **) let rec translate_pred fv lv p = match p with | Papp (id, tl, inst) when (Ident.is_eq id && ( Ident.is_int_comparison id || Ident.is_real_comparison id ))-> let lt = List.map (fun t-> translateParam fv lv t true) tl in begin match lt with [t1;t2] -> Papp (id, reduceEquality t1 t2, []) | _ -> Papp (id,lt, []) end | Papp (id, tl, inst) when ( Ident.is_int_comparison id || Ident.is_real_comparison id )-> Papp (id,List.map (fun t-> translateParam fv lv t true) tl, []) | Papp (id, tl, inst) when (Ident.is_eq id || Ident.is_neq id) -> let lt = List.map (fun t-> literalParam fv lv t) tl in begin match lt with [t1;t2] -> Papp (id, reduceEquality t1 t2, []) | _ -> Papp (id,lt, []) end | Papp (id, [a;b], _) when id==Ident.t_zwf_zero -> (* 0 <= a *) let aLeftBound = (Papp (Ident.t_le_int, [Tconst(ConstInt("0")); (translateParam fv lv a true)],[PTint;PTint])) in (* a < b *) let aRightBound = Papp (Ident.t_lt_int, [(translateParam fv lv a true); (translateParam fv lv b true)],[PTint;PTint]) in (* 0 <= a & a < b *) Pand(false, false, aLeftBound,aRightBound) | Papp (id, tl, inst) -> (** retrieves the predicate signature **) let paramList = ref (getParamTypeList id) in let translateParameter t = match !paramList with pType::tl -> paramList := tl ; translateParam fv lv t (isBuiltInType pType) | [] -> assert false in Papp (id, List.map (fun t -> translateParameter t) tl, []) | Pimplies (iswp, p1, p2) -> Pimplies (iswp, translate_pred fv lv p1, translate_pred fv lv p2) | Pif (t, p1, p2) -> Pif (translate_term fv lv t true, translate_pred fv lv p1, translate_pred fv lv p2) | Pand (iswp, issym, p1, p2) -> Pand (iswp, issym, translate_pred fv lv p1, translate_pred fv lv p2) | Por (p1, p2) -> Por (translate_pred fv lv p1, translate_pred fv lv p2) | Piff (p1, p2) -> Piff (translate_pred fv lv p1, translate_pred fv lv p2) | Pnot p -> Pnot (translate_pred fv lv p) | Forall (iswp, id, n, pt, tl, p) -> let lv' = (n,pt)::lv in let tl' = List.map (List.map (translate_pattern fv lv')) tl in Forall (iswp, id, n, utButBuiltIn pt, tl', translate_pred fv lv' p) | Forallb (iswp, p1, p2) -> Forallb (iswp, translate_pred fv lv p1, translate_pred fv lv p2) | Exists (id, n, pt, p) -> Exists (id, n, utButBuiltIn pt, translate_pred fv ((n,pt)::lv) p) | Pnamed (s, p) -> Pnamed (s, translate_pred fv lv p) | _ as d -> d and translate_pattern fv lv = function | TPat t -> TPat (translate_term fv lv t false) | PPat p -> PPat (translate_pred fv lv p) (* The core *) let queue = Queue.create () let bound_variable = let count = ref 0 in function n -> count := !count+1 ; Ident.create (n^"_"^ (string_of_int !count)) let rec push d = try (match d with (* A type declaration is translated as new logical function, the arity of *) (* which depends on the number of type variables in the declaration *) | Dtype (loc, vars, ident) -> Queue.add (Dlogic (loc, (prefixForTypeIdent ident), Env.empty_scheme (Function (unifyString vars, ssortedButBuiltInString "type")))) queue (* For arithmetic symbols, another encoding is used (see encoding_rec.ml) *) | Dlogic (loc, ident, arity) when Ident.is_simplify_arith (Ident.create ident) -> arities := (ident, arity)::!arities; (* with type u, and its complete arity is stored for the encoding *) | Dlogic (loc, ident, arity) -> arities := (ident, arity)::!arities; let newarity = match arity.Env.scheme_type with Predicate ptl -> Predicate (unifyPureType ptl) | Function (ptl, rt) -> Function (unifyPureType ptl, utButBuiltIn rt) in Queue.add (Dlogic (loc, ident, Env.empty_scheme newarity)) queue (* A predicate definition can be handled as a predicate logic definition + an axiom *) | Dpredicate_def (loc, ident, pred_def_sch) -> let (argl, pred) = pred_def_sch.Env.scheme_type in let rootexp = (Papp (Ident.create ident, List.map (fun (i,_) -> Tvar i) argl, [])) in push (Dlogic (loc, ident, (Env.generalize_logic_type (Predicate (snd (List.split argl)))))); let pred_scheme = (lifted_t argl (Piff (rootexp, pred)) [[PPat rootexp]]) in push (Daxiom (loc, def ident, (Env.generalize_predicate pred_scheme))) (* A function definition can be handled as a function logic definition + an axiom *) | Dfunction_def (loc, ident, fun_def_sch) -> let _ = print_endline ident in let (argl, rt, term) = fun_def_sch.Env.scheme_type in let rootexp = (Tapp (Ident.create ident, List.map (fun (i,_) -> Tvar i) argl, [])) in push (Dlogic (loc, ident, (Env.generalize_logic_type (Function (snd (List.split argl), rt))))); let pred_scheme = (Env.generalize_predicate (lifted_t argl (Papp (Ident.t_eq, [rootexp; term], [])) [[TPat rootexp]])) in push (Daxiom (loc, def ident,pred_scheme)) (* Axiom definitions *) | Daxiom (loc, ident, pred_sch) -> let fv = Env.Vset.fold (fun tv acc -> (tv.tag, (bound_variable tvar) )::acc) (pred_sch.Env.scheme_vars) [] in let new_pred = (translate_pred fv [] pred_sch.Env.scheme_type) in let pred' = lifted fv new_pred [] in let new_axiom = Env.empty_scheme (pred') in Queue.add (Daxiom (loc, ident, new_axiom)) queue (* A goal is a sequent : a context and a predicate and both have to be translated *) | Dgoal (loc, expl, ident, s_sch) -> let fv = Env.Vset.fold (fun tv acc -> (tv.tag, (bound_variable tvar))::acc) (s_sch.Env.scheme_vars) [] in (* function for the following fold_left *) let f (acc_c, acc_new_cel) s = match s with Spred (id, p) -> (acc_c, (Spred (id, translate_pred fv acc_c p))::acc_new_cel) | Svar (id, t) -> ((id,t)::acc_c, (Svar (id, utButBuiltIn t))::acc_new_cel) in (* list of hyps for the following fold_left *) let l = fst s_sch.Env.scheme_type in let (context, new_cel) = List.fold_left f ([], []) l in let ctxt = lifted_ctxt fv (List.rev new_cel) in let pred' = translate_pred fv context (snd (s_sch.Env.scheme_type)) in (*Format.printf "%a" Util.print_predicate pred' ; *) let new_sequent = Env.empty_scheme (ctxt,pred' ) in let temp = Dgoal (loc, expl, ident, new_sequent) in Queue.add temp queue ) with Not_found -> Format.eprintf "Exception Caught In Push : %a\n" Util.print_decl d; raise Not_found let iter f = (* first the prelude *) List.iter f prelude; (* then the queue *) Queue.iter f queue let reset () = arities := []; Queue.clear queue; (*List.iter push arith_kernel*) why-2.34/src/logic.mli0000644000175000017500000001021112311670312013177 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (*s Logic. *) type real_constant = | RConstDecimal of string * string * string option (* int / frac / exp *) | RConstHexa of string * string * string type constant = | ConstInt of string | ConstBool of bool | ConstUnit | ConstFloat of real_constant (*s Pure types. *) type pure_type = | PTint | PTbool | PTreal | PTunit | PTvar of type_var | PTexternal of pure_type list * Ident.t and type_var = { tag : int; user : bool; mutable type_val : pure_type option } type instance = pure_type list type term_label = User of string | Internal of int type term = | Tconst of constant | Tvar of Ident.t | Tderef of Ident.t | Tapp of Ident.t * term list * instance | Tnamed of term_label * term type substitution = term Ident.map type var_substitution = Ident.t Ident.map type is_wp = bool type is_sym = bool type predicate = | Pvar of Ident.t | Papp of Ident.t * term list * instance | Ptrue | Pfalse | Pimplies of is_wp * predicate * predicate | Pif of term * predicate * predicate | Pand of is_wp * is_sym * predicate * predicate | Por of predicate * predicate | Piff of predicate * predicate | Pnot of predicate | Forall of is_wp * Ident.t * Ident.t * pure_type * triggers * predicate | Forallb of is_wp * predicate * predicate | Exists of Ident.t * Ident.t * pure_type * predicate | Pnamed of term_label * predicate | Plet of Ident.t * Ident.t * pure_type * term * predicate and pattern = TPat of term | PPat of predicate and trigger = pattern list and triggers = trigger list type logic_type = | Predicate of pure_type list | Function of pure_type list * pure_type type alg_type_def = pure_type list * (Ident.t * pure_type list) list type predicate_def = (Ident.t * pure_type) list * predicate type inductive_def = pure_type list * (Ident.t * predicate) list type function_def = (Ident.t * pure_type) list * pure_type * term why-2.34/src/xml.mli0000644000175000017500000000465312311670312012717 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) type element = { name : string; attributes : (string * Rc.rc_value) list; elements : element list; } val from_file : string -> element list why-2.34/src/z3.ml0000644000175000017500000004010112311670312012266 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Ident open Options open Misc open Error open Logic open Logic_decl open Env open Cc open Format open Pp (*s Pretty print *) let int2U = "int2U" let u2Int = "u2Int" let prefix id = if id == t_lt then assert false else if id == t_le then assert false else if id == t_gt then assert false else if id == t_ge then assert false (* int cmp *) else if id == t_lt_int then "<" else if id == t_le_int then "<=" else if id == t_gt_int then ">" else if id == t_ge_int then ">=" (* int ops *) else if id == t_add_int then "+" else if id == t_sub_int then "-" else if id == t_mul_int then "*" (* else if id == t_div_int then "div" else if id == t_mod_int then if Options.modulo then "%" else "modulo" *) else if id == t_neg_int then "-" (* real ops *) else if id == t_add_real then "+" else if id == t_sub_real then "-" else if id == t_mul_real then "*" else if id == t_neg_real then "-" else if id == t_lt_real then "<" else if id == t_le_real then "<=" else if id == t_gt_real then ">" else if id == t_ge_real then ">=" else if id == t_div_real || id == t_sqrt_real || id == t_real_of_int then Ident.string id else (eprintf "%a@." Ident.print id; assert false) let is_smtlib_keyword = let ht = Hashtbl.create 50 in List.iter (fun kw -> Hashtbl.add ht kw ()) ["and";" benchmark";" distinct";"exists";"false";"flet";"forall"; "if_then_else";"iff";"implies";"ite";"let";"logic";"not";"or"; "sat";"theory";"true";"unknown";"unsat";"xor"; "assumption";"axioms";"definition";"extensions";"formula"; "funs";"extrafuns";"extrasorts";"extrapreds";"language"; "notes";"preds";"sorts";"status";"theory";"Int";"Real";"Bool"; "Array";"U";"select";"store";"define_sorts";"datatypes";"const"; "map";"default";"div"]; Hashtbl.mem ht let leading_underscore s = s <> "" && s.[0] = '_' let removeChar = let lc = ('\'','p')::('_','u')::[] in function s -> for i=0 to (String.length s)-1 do let c = (String.get s i) in try let c' = List.assoc c lc in String.set s i c' with Not_found -> () done; s let idents fmt s = (* Yices does not expect names to begin with an underscore if Yices understand Z3 smtlib extended we can keep that. *) if is_smtlib_keyword s || leading_underscore s then fprintf fmt "smtlib__%s" s else fprintf fmt "%s" s let ident fmt id = idents fmt (Ident.string id) let print_bvar fmt id = fprintf fmt "?%a" ident id let rec print_term fmt = function | Tvar id -> print_bvar fmt id | Tconst (ConstInt n) -> fprintf fmt "%s" n | Tconst (ConstBool b) -> fprintf fmt "c_Boolean_%b" b | Tconst ConstUnit -> fprintf fmt "tt" | Tconst (ConstFloat c) -> Print_real.print_no_exponent fmt ~prefix_div:true c (* "(real_of_int %s)" "(real_of_int ( * %s %s))" "(div_real (real_of_int %s) (real_of_int %s))" fmt c *) | Tderef _ -> assert false | Tapp (id, [a; b; c], _) when id == if_then_else -> if (Options.get_types_encoding() = SortedStratified) then fprintf fmt "@[(smtlib__ite@ %a @ %a@ %a)@]" print_term a print_term b print_term c else fprintf fmt "@[(ite@ (= %a c_Boolean_true) @ %a@ %a)@]" print_term a print_term b print_term c (* | Tapp (id, [a], _) when id = t_real_of_int -> print_term fmt a *) | Tapp (id, tl, _) when is_relation id || is_arith id -> fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl | Tapp (id, [], i) -> fprintf fmt "%a" idents (Encoding.symbol (id, i)) | Tapp (id, tl, i) -> (match Ident.fresh_from id with | Some (s,logic_id::_) when s == Encoding_mono_inst.create_ident_id && (Ident.string logic_id = "acc" || Ident.string logic_id = "upd" || Ident.string logic_id = "select" || Ident.string logic_id = "store") -> (match tl,Ident.string logic_id with | [mem;key],("acc"|"select") -> fprintf fmt "@[(select %a %a)@]" print_term mem print_term key | [mem;key;value],("upd" |"store")-> fprintf fmt "@[(store %a %a %a)@]" print_term mem print_term key print_term value | _ -> assert false) | _ -> fprintf fmt "@[(%a@ %a)@]" idents (Encoding.symbol (id, i)) (print_list space print_term) tl) | Tnamed (_, t) -> (* TODO: print name *) print_term fmt t and print_terms fmt tl = print_list space print_term fmt tl let rec print_pure_type fmt = function | PTint -> fprintf fmt "Int" | PTbool -> fprintf fmt "c_Boolean" | PTreal -> fprintf fmt "Real" | PTunit -> fprintf fmt "Unit" | PTexternal(_,id) when id==farray -> fprintf fmt "Array" | PTvar {type_val=Some pt} -> print_pure_type fmt pt | PTvar _v -> assert false (* fprintf fmt "A%d" v.tag *) | PTexternal (i,id) -> idents fmt (Encoding.symbol (id, i)) and instance fmt = function | [] -> () | ptl -> fprintf fmt "_%a" (print_list underscore print_pure_type) ptl let bound_variable = let count = ref 0 in function n -> count := !count+1 ; Ident.create ((removeChar (completeString n))^"_"^ (string_of_int !count)) let rec print_pattern fmt = function | TPat t -> fprintf fmt "(%a)" print_term t | PPat p -> fprintf fmt "(%a)" print_predicate p and print_trigger fmt = print_list_delim (constant_string ":pat{") rbrace space print_pattern fmt and print_triggers fmt = print_list space print_trigger fmt and print_predicate fmt = function | Ptrue -> fprintf fmt "true" | Pvar id when id == Ident.default_post -> fprintf fmt "true" | Pfalse -> fprintf fmt "false" | Pvar id -> fprintf fmt "%a" ident id | Papp (id, [_t], _) when id == well_founded -> fprintf fmt "true;; was well founded @\n" | Papp (id, [a; b], _) when is_eq id -> fprintf fmt "@[(= %a@ %a)@]" print_term a print_term b | Papp (id, [a; b], _) when is_neq id -> fprintf fmt "@[(not (= %a@ %a))@]" print_term a print_term b | Papp (id, tl, _) when is_relation id || is_arith id -> fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl | Papp (id, [a;b], _) when id == t_zwf_zero -> (** TODO : DIRTY WAY TO translate such predicate; may be previously dispatched into an inequality **) fprintf fmt "@[(and (<= 0 %a)@ (< %a %a))@]" print_term b print_term a print_term b | Papp (id, tl, _) when id == t_distinct -> fprintf fmt "@[(distinct@ %a)@]" print_terms tl | Papp (id, tl, i) -> fprintf fmt "@[(%a@ %a)@]" idents (Encoding.symbol (id, i)) print_terms tl | Pimplies (_, a, b) -> fprintf fmt "@[(implies@ %a@ %a)@]" print_predicate a print_predicate b | Pif (a, b, c) -> if (Options.get_types_encoding() = SortedStratified) then fprintf fmt "@[(if_then_else@ (= %a c_Boolean_true)@ %a@ %a)@]" print_term a print_predicate b print_predicate c else fprintf fmt "@[(if_then_else@ (= %a c_Boolean_true)@ %a@ %a)@]" print_term a print_predicate b print_predicate c | Pand (_, _, a, b) | Forallb (_, a, b) -> fprintf fmt "@[(and@ %a@ %a)@]" print_predicate a print_predicate b | Por (a, b) -> fprintf fmt "@[(or@ %a@ %a)@]" print_predicate a print_predicate b | Piff (a, b) -> fprintf fmt "@[(iff@ %a@ %a)@]" print_predicate a print_predicate b | Pnot a -> fprintf fmt "@[(not@ %a)@]" print_predicate a | Forall (_,_id,n,t,trigs,p) -> (*Printf.printf "Forall : %s\n" (Ident.string id); *) (*let id' = next_away id (predicate_vars p) in*) let id' = (bound_variable n) in (***Format.printf " Forall : %a , " Ident.dbprint n ; Format.printf " %a" Ident.dbprint id' ;**) let p' = subst_in_predicate (subst_onev n id') p in let trigs = subst_in_triggers (subst_onev n id') trigs in fprintf fmt "@[(forall (%a %a)@ %a%a)@]" print_bvar id' print_pure_type t print_predicate p' print_triggers trigs | Exists (_id,n,t,p) -> (*let id' = next_away id (predicate_vars p) in*) let id' = bound_variable n in let p' = subst_in_predicate (subst_onev n id') p in fprintf fmt "@[(exists (%a %a) %a)@]" print_bvar id' print_pure_type t print_predicate p' | Pnamed (_, p) -> (* TODO: print name *) print_predicate fmt p | Plet (_, n, _, t, p) -> let id' = bound_variable n in let s = subst_onev n id' in let t' = subst_in_term s t in let p' = subst_in_predicate s p in fprintf fmt "@[(let (%a %a)@ %a)@]" print_bvar id' print_term t' print_predicate p' let print_axiom fmt id p = match id,p with | ("acc_upd" |"acc_upd_neq"|"select_store_eq"|"select_store_neq"), Forall (_,_,_,PTexternal (_,t),_,_) when (match Ident.fresh_from t with | Some (s,[mem;_;_]) when s == Encoding_mono_inst.create_ident_id && Ident.string mem = "memory" -> true | _ -> false) -> () | _ -> fprintf fmt "@[;; Why axiom %s@]@\n" id; fprintf fmt " @[:assumption@ %a@]" print_predicate p; fprintf fmt "@]@\n@\n" let print_quantifiers = let print_quantifier fmt (x,t) = fprintf fmt "(%a %a)" print_bvar x print_pure_type t in print_list space print_quantifier let pure_type_list = print_list space print_pure_type (* Function and predicate definitions are handled in Encoding *) (* let print_predicate_def fmt id (bl,p) = let tl = List.map snd bl in fprintf fmt "@[:extrapreds ((%a %a))@]@\n@\n" idents id pure_type_list tl; fprintf fmt "@[:assumption@ (forall %a@ (iff (%a %a)@ @[%a@]))@]@\n@\n" print_quantifiers bl idents id (print_list space (fun fmt (x,_) -> print_bvar fmt x)) bl print_predicate p let print_function_def fmt id (bl,pt,e) = let tl = List.map snd bl in fprintf fmt "@[:extrafuns ((%a %a %a))@]@\n@\n" idents id pure_type_list tl print_pure_type pt; fprintf fmt "@[:assumption@ (forall %a@ (= (%a %a)@ @[%a@]))@]@\n@\n" print_quantifiers bl idents id (print_list space (fun fmt (x,_) -> print_bvar fmt x)) bl print_term e *) let output_sequent fmt (hyps,concl) = let rec print_seq fmt = function | [] -> print_predicate fmt concl | Svar (id, v) :: hyps -> fprintf fmt "@[(forall (%a %a)@ %a)@]" print_bvar id print_pure_type v print_seq hyps (* TODO : update this for renaming each variable *) | Spred (_,p) :: hyps -> fprintf fmt "@[(implies@ %a@ %a)@]" print_predicate p print_seq hyps in print_seq fmt hyps let print_obligation fmt loc is_lemma o s = fprintf fmt "@[:formula@\n"; fprintf fmt " @[;; %a@]@\n" Loc.gen_report_line loc; fprintf fmt " @[(not@ %a)@]" output_sequent s; fprintf fmt "@]@\n@\n" ; if is_lemma then begin fprintf fmt "@[;; %s as axiom@]@\n" o; fprintf fmt " @[:assumption@ %a@]" output_sequent s; fprintf fmt "@]@\n@\n" end (* Inductive predicates are handled in Encoding *) (* let rec push_decl d = match d with | Dinductive_def (loc, id, d) -> List.iter push_decl (PredDefExpansor.inductive_def loc id d) | _ -> Encoding.push d *) let push_decl d = Encoding.push d let iter = Encoding.iter let reset () = Encoding.reset () let memory_arg_kv = lazy (is_logic_function (Ident.create "select")) let declare_type fmt id = match (Lazy.force memory_arg_kv), Ident.fresh_from id with | (false,Some (s,[mem;value;key])|true,Some (s,[mem;key;value])) when s == Encoding_mono_inst.create_ident_id && Ident.string mem = "memory" -> fprintf fmt ":define_sorts ((%a (array %aIpointer %s)))@." ident id ident key (let s = Ident.string value in if s = "int" then "Int" else s) | _ -> fprintf fmt ":extrasorts (%a)@\n" ident id (*let declare_type fmt id = fprintf fmt ":extrasorts (%a)@\n" ident id *) let print_logic fmt id t = fprintf fmt ";;;; Why logic %a@\n" ident id; match t with | Predicate tl -> fprintf fmt "@[:extrapreds ((%a %a))@]@\n@\n" ident id pure_type_list tl | Function (tl, pt) -> match Ident.fresh_from id with | Some (s,logic_id::_) when s == Encoding_mono_inst.create_ident_id && (Ident.string logic_id = "acc" || Ident.string logic_id = "upd") -> () | _ -> fprintf fmt "@[:extrafuns ((%a %a %a))@]@\n@\n" ident id pure_type_list tl print_pure_type pt let output_elem fmt = function | Dtype (_loc, id, []) -> declare_type fmt id | Dtype (_, id, _) -> fprintf fmt ";; polymorphic type %s@\n@\n" (Ident.string id) | Dalgtype _ -> assert false (* failwith "SMTLIB output: algebraic types are not supported" *) | Dlogic (_, id, t) when not (Ident.is_simplify_arith id) -> print_logic fmt id t.scheme_type | Dlogic (_, _, _) -> fprintf fmt "" | Dpredicate_def (_loc, _id, _d) -> assert false (* print_predicate_def fmt (Ident.string id) d.scheme_type *) | Dinductive_def(_loc, _ident, _inddef) -> assert false (* failwith "SMTLIB output: inductive def not yet supported" *) | Dfunction_def (_loc, _id, _d) -> assert false (* print_function_def fmt (Ident.string id) d.scheme_type *) | Daxiom (_loc, id, p) -> print_axiom fmt id p.scheme_type | Dgoal (loc, is_lemma, _expl, id, s) -> print_obligation fmt loc is_lemma id s.Env.scheme_type let output_file f = let fname = f ^ "_why.z3.smt" in let cout = Options.open_out_file fname in let fmt = formatter_of_out_channel cout in fprintf fmt "(benchmark %a@\n" idents (Filename.basename f); fprintf fmt " :status unknown@\n"; fprintf fmt " :datatypes ((c_Boolean c_Boolean_true c_Boolean_false))@."; (*fprintf fmt " :datatypes ((Unit tt))@.";*) fprintf fmt " :extrasorts (Unit)@\n"; fprintf fmt " :extrafuns ((tt Unit))@\n"; (* if not modulo then begin fprintf fmt " :extrafuns ((modulo Int Int Int))@\n"; end; *) iter (output_elem fmt); (* end of smtlib file *) fprintf fmt "@\n)@\n"; pp_print_flush fmt (); Options.close_out_file cout (* Local Variables: compile-command: "unset LANG; nice make -j -C .. bin/why.byte" End: *) why-2.34/src/linenum.mli0000644000175000017500000000465112311670312013564 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (* [from_char f n] gives the actual source file, line number, position of the beginning of the line. *) val from_char : string -> int -> string * int * int why-2.34/src/monad.ml0000644000175000017500000004170712311670312013045 0ustar rtusers(**************************************************************************) (* *) (* The Why platform for program certification *) (* *) (* Copyright (C) 2002-2014 *) (* *) (* Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud *) (* Claude MARCHE, INRIA & Univ. Paris-sud *) (* Yannick MOY, Univ. Paris-sud *) (* Romain BARDOU, Univ. Paris-sud *) (* *) (* Secondary contributors: *) (* *) (* Thierry HUBERT, Univ. Paris-sud (former Caduceus front-end) *) (* Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa) *) (* Ali AYAD, CNRS & CEA Saclay (floating-point support) *) (* Sylvie BOLDO, INRIA (floating-point support) *) (* Jean-Francois COUCHOT, INRIA (sort encodings, hyps pruning) *) (* Mehdi DOGGUY, Univ. Paris-sud (Why GUI) *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Lesser General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Format open Misc open Ident open Effect open Util open Logic open Types open Ast open Cc open Rename open Env open Typing (*s [product ren [y1,z1;...;yk,zk] q] constructs the (possibly dependent) tuple type $z1 \times ... \times zk$ if no postcondition or $\exists. y1:z1. ... yk:zk. (Q x1 ... xn)$ otherwise *) let make_bl = List.map (fun (id,t) -> (id, CC_var_binder t)) let product w q = match q, w with | None, [_, v] -> v | _ -> TTtuple (make_bl w, q) (*s [arrow_pred ren v pl] abstracts the term [v] over the pre-condition if any i.e. computes (P1 x1 ... xn) -> ... -> (Pk x1 ... xn) -> v where the [xi] are given by the renaming [ren]. *) let arrow_pred ren env v pl = List.fold_right (fun p t -> let p = apply_assert ren env p in TTarrow ((Ident.anonymous, CC_pred_binder p), t)) pl v let arrow_vars = List.fold_right (fun (id,v) t -> TTarrow ((id, CC_var_binder v), t)) let lambda_vars = List.fold_right (fun (id,v) t -> TTlambda ((id, CC_var_binder v), t)) (* type of the argument of an exception; unit if none *) let exn_arg_type x = TTpure (match find_exception x with None -> PTunit | Some pt -> pt) (* monadic type for exceptions: (EM E1 (EM E1 ... (EM Ek T))) *) let trad_exn_type = List.fold_right (fun id t -> TTapp (tt_var Ident.exn_type, [exn_arg_type id; t])) (*s Translation of effects types in CC types. [trad_type_v] and [trad_type_c] translate types with effects into CC types. *) let rec trad_type_c ren env k = let ((_,v),e,p,q) = decomp_type_c k in let i,o,x,_ = get_repr e in let before = label_name () in let ren' = next (push_date ren before) o in let lo = output ren' env (v,o,x) in let q = option_app (apply_post before ren' env) q in let ty = product lo (make_applied_post ren' env k q) in let ty = arrow_pred ren env ty p in let li = input ren env i in arrow_vars li ty and trad_type_v ren env = function | Ref _ -> assert false | Arrow (bl, c) -> let bl',ren',env' = List.fold_left (fun (bl,ren,env) b -> match b with | (id, (Ref _ as v)) -> let env' = Env.add id v env in let ren' = initial_renaming env' in (bl, ren', env') | (id, v) -> let tt = trad_type_v ren env v in let env' = Env.add id v env in let ren' = initial_renaming env' in (id,tt)::bl, ren', env') ([],ren,env) bl in arrow_vars (List.rev bl') (trad_type_c ren' env' c) | PureType c -> TTpure c and input ren env i = prod ren env i and output ren env (v,o,x) = let tv = trad_type_v ren env v in (prod ren env o) @ [result, trad_exn_type x tv] and prod ren env g = List.map (fun id -> (current_var ren id, trad_type_in_env ren env id)) g and trad_imp_type _ren _env = function | Ref v -> TTpure v | _ -> assert false and trad_type_in_env ren env id = let v = type_in_env env id in trad_imp_type ren env v (* builds (qcomb [r][Q1] (qcomb [r][Q2] (... (qcomb [r][Qn] [r]Q)))) *) and make_post ren env res k q = let q = post_app (subst_in_predicate (subst_onev result res)) q in let abs_pred v c = lambda_vars [res, trad_type_v ren env v] (TTpred c) in List.fold_right (fun x c -> let tx = match find_exception x with None -> PTunit | Some pt -> pt in let tx = PureType tx in let qx = post_exn x q in TTapp (tt_var exn_post, [abs_pred tx qx; c])) (get_exns k.c_effect) (abs_pred k.c_result_type (post_val q)) (* same, applied on [result] *) and make_applied_post ren env k = function | None -> None | Some (a, []) -> Some (TTpred a) | Some q -> let tt = make_post ren env result k q in Some (TTapp (tt, [tt_var result])) let a_make_post ren env r k q = make_post ren env r (type_c_of_typing_info [] k) (post_app a_value q) (* translation of type scheme *) let trad_scheme_v ren env s = let (l,v) = specialize_type_scheme s in Vmap.fold (fun _ v cc -> TTarrow((Ident.create ("A"^(string_of_int v.tag)), CC_var_binder TTSet),cc)) l (trad_type_v ren env v) (* builds [Val Ex] *) let make_valx x = CC_app (CC_term (Tvar Ident.exn_val), CC_type (exn_arg_type x)) (* builds [Val_e1 (Val_e2 ... (Val_en t))] *) let make_val t xs = List.fold_right (fun x cc -> CC_app (make_valx x, cc)) xs t (* builds [Val_e1 (Val_e2 ... (Exn_ei t))] *) let rec make_exn ty x v = function | [] -> assert false | y :: yl when x = y -> let v = match v with Some v -> v | None -> Tconst ConstUnit in CC_app (CC_app (CC_term (Tvar Ident.exn_exn), CC_type (trad_exn_type yl ty)), CC_term v) | y :: yl -> CC_app (make_valx y, make_exn ty x v yl) (*s The Monadic operators. They are operating on values of the following type [interp] (functions producing a [cc_term] when given a renaming data structure). *) type interp = Rename.t -> (Loc.position * predicate) cc_term type result = | Value of term | Exn of Ident.t * term option let apply_result ren env = function | Value t -> Value (apply_term ren env t) | Exn (x, Some t) -> Exn (x, Some (apply_term ren env t)) | Exn (_, None) as e -> e (*s [unit k t ren env] constructs the tuple (y1, ..., yn, t, ?::(q/ren y1 ... yn t)) where the [yi] are the values of the output of [k]. If there is no [yi] and no postcondition, it is simplified into [t] itself. *) let result_term ef v = function | Value t -> make_val (CC_term t) (Effect.get_exns ef) | Exn (x, t) -> make_exn v x t (Effect.get_exns ef) let unit info r ren = let env = info.t_env in let r = apply_result ren env r in let v = trad_type_v ren env info.t_result_type in let ef = info.t_effect in let t = result_term ef v r in let q = info.t_post in let ids = get_writes ef in if ids = [] && q = None then t else let hole, holet = match q with | None -> [], None | Some q -> (* proof obligation *) let h = let q = a_apply_post info.t_label ren env q in let a = match r with | Value _ -> post_val q | Exn (x,_) -> post_exn x q in match r with | Value t | Exn (_, Some t) -> a.a_loc, simplify (tsubst_in_predicate (subst_one result t) a.a_value) | Exn _ -> a.a_loc, a.a_value in (* type of the obligation: [y1]...[yn][res]Q *) let ht = let _,o,_xs,_ = get_repr ef in let ren' = Rename.next ren (result :: o) in let result' = current_var ren' result in let q = a_apply_post info.t_label ren' env q in let c = a_make_post ren' env result' info q in let bl = List.map (fun id -> (current_var ren' id, trad_type_in_env ren env id)) o in lambda_vars bl c in [ CC_hole h ], Some ht in CC_tuple ( (List.map (fun id -> let id' = current_var ren id in CC_var id') ids) @ t :: hole, holet) (*s \pagebreak Case patterns *) (* pattern for an exception: (Val (Val ... (Exn v))) *) let exn_pattern dep x res xs = let rec make = function | [] -> assert false | y :: _yl when x = y -> PPcons ((if dep then exn_qexn else exn_exn), res) | _y :: yl -> PPcons ((if dep then exn_qval else exn_val), [make yl]) in make xs (* pattern for a value: (Val (Val ... (Val v))) *) let val_pattern dep res xs = let t = if dep then [PPcons (exist, res)] else res in let id = if dep then exn_qval else exn_val in List.hd (List.fold_right (fun _x cc -> [PPcons (id, cc)]) xs t) (*s [compose k1 e1 e2 ren env] constructs the term [ let h1 = ?:P1 in ... let hn = ?:Pm in ] let y1,y2,...,yn, res1 [,q] = in where [ren' = next w1 ren] and [y1,...,yn = w1/ren] *) let binding_of_alist ren env = List.map (fun (id,id') -> (id', CC_var_binder (trad_type_in_env ren env id))) let make_pre env ren p = let p = a_apply_assert ren env p in p.a_name, (p.a_loc, p.a_value) let let_pre (id, h) cc = CC_letin (false, [id, CC_pred_binder (snd h)], CC_hole h, cc) let let_many_pre = List.fold_right let_pre let decomp x b v = let var id = CC_term (Tvar id) in match b with | [] -> var v | (id,_) :: _ -> CC_app (var (decomp (List.length x)), var id) (* [isapp] signals an application. [handler x res : interp] is the handler for exception [x] with value [res]. *) let gen_compose isapp handler info1 e1 _info2 e2 ren = let env = info1.t_env in let (res1,v1),ef1,q1 = decomp_kappa info1 in let ren = push_date ren info1.t_label in let r1,w1,x1,_ = get_repr ef1 in let ren' = next ren w1 in let res1,ren' = fresh ren' res1 in let tv1 = trad_type_v ren env v1 in let tres1 = trad_exn_type x1 tv1 in let b = [res1, CC_var_binder tres1] in let b',dep = match q1 with | None -> [], false | Some q1 -> if x1 = [] then let (q,_) = a_apply_post info1.t_label ren' env q1 in let hyp = subst_in_predicate (subst_onev result res1) q.a_value in [q.a_name, CC_pred_binder hyp], true else let tt = TTapp (a_make_post ren' env res1 info1 q1, [tt_var res1]) in [post_name (), CC_var_binder tt], true in let vo = current_vars ren' w1 in let bl = (binding_of_alist ren env vo) @ b @ b' in let cc1 = if isapp then let input = List.map (fun (_,id') -> CC_var id') (current_vars ren r1) in cc_applist (e1 ren) input else e1 ren in let cc2 = if x1 = [] then (* e1 does not raise any exception *) e2 res1 ren' else (* e1 may raise an exception *) let q1 = option_app (a_apply_post info1.t_label ren' env) q1 in let q1 = optpost_app (subst_in_assertion (subst_onev result res1)) q1 in let pat_post a = PPvariable (a.a_name, CC_pred_binder a.a_value) in let exn_branch x = let px = (match find_exception x with | Some pt1 -> PPvariable (res1, CC_var_binder (TTpure pt1)) | None -> PPvariable (anonymous, CC_var_binder (TTpure PTunit))) :: (match q1 with | Some q1 -> let a = post_exn x q1 in [pat_post a] | None -> []) in exn_pattern dep x px x1, handler x res1 ren' in let pres1 = (PPvariable (res1, CC_var_binder tv1)) :: (match q1 with Some (q,_) -> [pat_post q] | None -> []) in CC_case (decomp x1 b' res1, (val_pattern dep pres1 x1, e2 res1 ren') :: (List.map exn_branch x1)) in CC_letin (dep, bl, cc1, cc2) (* [compose], [apply] and [handle] are instances of [gen_compose]. [compose] and [apply] use the default handler [reraise]. *) let reraise info x res = let xt = find_exception x in let r = Exn (x, option_app (fun _ -> Tvar res) xt) in unit info r let compose info1 e1 info2 e2 = gen_compose false (reraise info2) info1 e1 info2 e2 let apply info1 e1 info2 e2 = gen_compose true (reraise info2) info1 e1 info2 e2 let lift x = fun _ -> CC_var x let handle info1 e1 info hl = let handler x res = let rec lookup = function | [] -> reraise info x res | ((y,_),h) :: _ when x = y -> h res | _ :: hl -> lookup hl in lookup hl in gen_compose false handler info1 e1 info (fun v -> unit info (Value (Tvar v))) (*s [exn] is the operator corresponding to [raise]. *) let exn info id t = unit info (Exn (id, t)) (*s [cross_label] is an operator to be used when a label is encountered *) let cross_label l e ren = e (push_date ren l) (*s Inserting assertions *) let insert_pre env p t ren = let_pre (make_pre env ren p) (t ren) let insert_many_pre env pl t = List.fold_left (fun t h -> insert_pre env h t) t pl (*s [abstraction env k e] abstracts a term [e] with respect to the list of read variables, to the preconditions/assertions, i.e. builds [x1]...[xk][h1:P1]...[hn:Pn]let h'1 = ?:P'1 in ... let H'm = ?:P'm in t *) let make_abs bl t = match bl with | [] -> t | _ -> cc_lam bl t let bind_pre ren env p = p.a_name, CC_pred_binder (a_apply_assert ren env p).a_value let abs_pre env pl t = List.fold_right (fun p t ren -> CC_lam (bind_pre ren env p, t ren)) pl t let abstraction info pl e ren = let env = info.t_env in let _,ef,_ = decomp_kappa info in let ids = get_reads ef in let al = current_vars ren ids in let bl = binding_of_alist ren env al in let c = abs_pre env pl e ren in make_abs bl c let fresh id e ren = let id',ren' = Rename.fresh ren id in e id' ren' (*s Well-founded recursion. \begin{verbatim} (well_founded_induction A R ?::(well_founded A R) [Phi:A] (bl) (x) Phi=phi(x) -> [Phi:A][w:(Phi0:A) Phi0 (bl) (x) Phi=phi(x) -> ] [bl][x][eq:Phi=phi(x)][h:
]

            )>

       phi(x) bl x ?::phi(x)=phi(x) ?::
)
    \end{verbatim}
*)

let wfrec_with_binders bl (_,phi,a,r) pre info f ren =
  let env = info.t_env in
  let vphi = variant_name () in
  let wr = get_writes info.t_effect in
  let info' = { info with t_effect = keep_writes info.t_effect } in
  let a = TTpure a in
  let w = wf_name () in
  let k = info' in
  let ren' = next ren (get_writes k.t_effect) in 
  let tphi = 
    tt_arrow bl (trad_type_c ren' env (type_c_of_typing_info pre k)) 
  in
  let vphi0 = variant_name () in
  let tphi0 = 
    let k0 = 
      type_c_subst (subst_onev vphi vphi0) (type_c_of_typing_info pre k) 
    in 
    tt_arrow bl (trad_type_c ren' env k0) 
  in
  let input ren =
    let args = List.map (fun (id,_) -> CC_var id) bl in
    let input = List.map (fun (_,id') -> CC_var id') (current_vars ren wr) in
    let pl = 
      (Misc.anonymous info.t_loc (equality phi phi)) :: pre
    in
    let holes = 
      List.map (fun p -> 
		  let p = a_apply_assert ren env p in
		  CC_hole (p.a_loc, p.a_value)) pl 
    in
    args @ input @ holes
  in
  let tw = 
    let r_phi0_phi = Papp (r, [Tvar vphi0; Tvar vphi], []) in
    TTarrow ((vphi0, CC_var_binder a),
	     TTarrow ((pre_name Anonymous, CC_pred_binder r_phi0_phi), tphi0))
  in
  let fw ren = 
    let tphi = apply_term ren env phi in
    let decphi = info.t_loc, Papp (r, [tphi; Tvar vphi], []) in
    cc_applist (CC_var w) ([CC_term tphi; CC_hole decphi] @ input ren) 
  in
  cc_applist (CC_var well_founded_induction)
    ([CC_type a; CC_term (Tvar r);
      CC_hole (info.t_loc, Papp (well_founded, [Tvar r], []));
      CC_type (TTlambda ((vphi, CC_var_binder a), tphi));
      cc_lam 
	([vphi, CC_var_binder a; w, CC_var_binder tw] @ bl)
	(abstraction info' pre (f fw) ren');
      CC_term (apply_term ren env phi)] @
     input ren)

let wfrec = wfrec_with_binders []


(*s Interpretations of recursive functions are stored in the following
    table. *)

let rec_table = Hashtbl.create 97

let is_rec = Hashtbl.mem rec_table
let find_rec = Hashtbl.find rec_table

let with_rec f tf e ren = 
  Hashtbl.add rec_table f tf; 
  let r = e ren in 
  Hashtbl.remove rec_table f; 
  r

why-2.34/src/purify.mli0000644000175000017500000000447212311670312013434 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Env

val purify : typed_expr -> typed_expr

why-2.34/src/pvs.mli0000644000175000017500000000457412311670312012731 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Vcg
open Cc

val reset : unit -> unit

val push_decl : Logic_decl.t -> unit

val output_file : string -> unit
why-2.34/src/lib.mli0000644000175000017500000000650612311670312012664 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



module Sset : Set.S with type elt = string

val mkdir_p : string -> unit

(* [file dir file] returns "dir/basename" if [file] is "dirname/basename", 
   creating [dir] if necessary. *)
val file : dir:string -> file:string -> string

(* [file_subdir dir file] returns "dirname/dir/basename" if [file] is "dirname/basename", 
   creating [dir] if necessary. *)
val file_subdir : dir:string -> file:string -> string

(* [file_copy f1 f2] copies [f1] into name [f2] *)
val file_copy : string -> string -> unit

(* [file_copy_if_different f1 f2] copies [f1] into name [f2], unless
   [f2] already exists and is identical to [f1] (thus keeping the same
   modification date) *)
val file_copy_if_different : string -> string -> unit

(* return the content of an in-channel *)
val channel_contents : in_channel -> string

(* return the content of a file *)
val file_contents : string -> string

(* return the content of a file *)
val file_contents_buf : string -> Buffer.t

(* remove file if debug not set, or display appropriate info message *)
val remove_file : debug:bool -> string -> unit
why-2.34/src/regen.mli0000644000175000017500000000767612311670312013227 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* files partly edited and partly regenerated *)

open Format
open Cc
open Logic
open Vcg

type element_kind = 
  | Param
  | Oblig
  | Prog
  | Valid (* obsolete but helps porting from old versions *)
  | Lg
  | Ax
  | Pr
  | Ind
  | Fun
  | Ty

type element_id = element_kind * string

type element = 
  | Parameter of string * cc_type
  | Program of string * cc_type * cc_functional_program
  | Obligation of Loc.floc * bool * Logic_decl.vc_expl * string * sequent Env.scheme
  | Logic of string * logic_type Env.scheme
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme
  | Inductive of string * inductive_def Env.scheme
  | Function of string * function_def Env.scheme
  | AbstractType of string * string list
  | AlgebraicType of (string * alg_type_def Env.scheme) list

module type S = sig
 
  (* how to print and reprint elements *)
  val print_element : formatter -> element -> unit
  val reprint_element : formatter -> element -> unit

  (* regexp to recognize obligations locations (as comments) *)
  val re_oblig_loc : Str.regexp

  (* what to print at the beginning of file when first created *)
  val first_time : formatter -> unit

  (* what to print at the end of file when first created *)
  val first_time_trailer : formatter -> unit

  (* how to recognize the end of an element to erase / overwrite *)
  val not_end_of_element : element_id -> string -> bool

end

module Make(X : S) : sig 

  val add_elem : element_id -> element -> unit

  val add_regexp : string -> element_kind -> unit

  val reset : unit -> unit

  val regen : string -> formatter -> unit

  val first_time : formatter -> unit

  val output_file : ?margin:int -> string -> unit

end

why-2.34/src/gappa.mli0000644000175000017500000000465512311670312013211 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc

val reset : unit -> unit

val push_decl : Logic_decl.t -> unit

val output_one_file : allowedit:bool -> string -> unit

val output_file : string -> unit


why-2.34/src/loc.ml0000644000175000017500000001102012311670312012505 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



let join (b,_) (_,e) = (b,e)

(*s Error locations. *)

let finally ff f x =
  let y = try f x with e -> ff (); raise e in ff (); y

(***
let linenum f b =
  let cin = open_in f in
  let rec lookup n l cl =
    if n = b then 
      (l,cl)
    else 
      let c = input_char cin in
      lookup (succ n) (if c == '\n' then succ l else l) 
	(if c == '\n' then 0 else succ cl)
  in
  try let r = lookup 0 1 0 in close_in cin; r with e -> close_in cin; raise e

let safe_linenum f b = try linenum f b with _ -> (1,1)
***)

open Format
open Lexing

(*s Line number *)

let report_line fmt l = fprintf fmt "%s:%d:" l.pos_fname l.pos_lnum

(* Lexing positions *)

type position = Lexing.position * Lexing.position

exception Located of position * exn

let dummy_position = Lexing.dummy_pos, Lexing.dummy_pos

let gen_report_line fmt (f,l,b,e) = 
  fprintf fmt "File \"%s\", " f;
  fprintf fmt "line %d, characters %d-%d" l b e

type floc = string * int * int * int

let dummy_floc = ("",0,0,0)

let extract (b,e) = 
  let f = b.pos_fname in
  let l = b.pos_lnum in
  let fc = b.pos_cnum - b.pos_bol in
  let lc = e.pos_cnum - b.pos_bol in
  (f,l,fc,lc)

let gen_report_position fmt loc = 
  gen_report_line fmt (extract loc)

let report_position fmt pos = 
  fprintf fmt "%a:@\n" gen_report_position pos

let string =
  let buf = Buffer.create 1024 in
  fun loc ->
    let fmt = Format.formatter_of_buffer buf in
    Format.fprintf fmt "%a@?" gen_report_position loc;
    let s = Buffer.contents buf in
    Buffer.reset buf;
    s

let parse s =
  Scanf.sscanf s "File %S, line %d, characters %d-%d"
    (fun f l c1 c2 -> 
       (*Format.eprintf "Loc.parse %S %d %d %d@." f l c1 c2;*)
       let p = 
	 { Lexing.dummy_pos with pos_fname = f; pos_lnum = l; pos_bol = 0 }
       in
       { p with pos_cnum = c1 }, { p with pos_cnum = c2 })

let report_obligation_position ?(onlybasename=false) fmt loc =
  let (f,l,b,e) = loc in
  let f = if onlybasename then Filename.basename f else f in
  fprintf fmt "Why obligation from file \"%s\", " f;
  fprintf fmt "line %d, characters %d-%d:" l b e

let current_offset = ref 0
let reloc p = { p with pos_cnum = p.pos_cnum + !current_offset }

(* Identifiers localization *)

let ident_t = Hashtbl.create 97
let add_ident = Hashtbl.add ident_t
let ident = Hashtbl.find ident_t
why-2.34/src/encoding_pred.ml0000644000175000017500000002542212311670312014543 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc
open Logic
open Logic_decl

let loc = Loc.dummy_floc

let prefix = "c_"
let suffix = "_c"
let var = "x"
let tvar = "t"
let cpt = ref 0
let axiom c = c ^ "_to_" ^ (c^suffix)
let def c = "def_"^c

(* The unique type for all terms *)
let ut = PTexternal ([], Ident.create (prefix^"unique"))

let unify ptl = List.map (fun _ -> ut) ptl
    
let prelude =
  (Dtype (loc, Ident.create (prefix^"unique"), []))::	(* The unique sort *)
  (Dlogic (loc, Ident.create (prefix^"sort"),
	   Env.empty_scheme (Predicate ([ut; ut]))))::	(* The "sort" predicate*)
  (Dlogic (loc, Ident.create (prefix^"int"),
	   Env.empty_scheme (Function ([], ut)))):: (* One synbol for each prefedined type *)
  (Dlogic (loc, Ident.create (prefix^"bool"),
	   Env.empty_scheme (Function ([], ut))))::
  (Dlogic (loc, Ident.create (prefix^"real"),
	   Env.empty_scheme (Function ([], ut))))::
  (Dlogic (loc, Ident.create (prefix^"unit"),
	   Env.empty_scheme (Function ([], ut))))::
  []
    
(* Function that creates the predicate sort(pt,term) *)
(* Uses an assoc. list of tags -> idents for type variables *)
let plunge fv term pt =
  let rec leftt pt =
    match pt with
      PTint -> Tapp (Ident.create (prefix^"int"), [], [])
    | PTbool -> Tapp (Ident.create (prefix^"bool"), [], [])
    | PTreal -> Tapp (Ident.create (prefix^"real"), [], [])
    | PTunit -> Tapp (Ident.create (prefix^"unit"), [], [])
    | PTvar ({type_val = None} as var) -> 
	let t = try (List.assoc var.tag fv) 
	with _ -> 
	  let s = string_of_int var.tag in 
	  (print_endline ("unknown vartype : "^s); s)
	in
	Tvar (Ident.create t)
    | PTvar {type_val = Some pt} -> leftt pt
    | PTexternal (ptl, id) -> Tapp (id, List.map (fun pt -> leftt pt) ptl, [])
  in
  Papp (Ident.create (prefix^"sort"), [leftt pt; term], [])

(* Generalizing a predicate scheme with foralls (can add a trigger) *)
let rec lifted  l p t =
  match l with [] -> p
  | a::[] -> Forall(false, a, a, ut, t, p)
  | a::q -> Forall(false, a, a, ut, [], lifted q p t)

(* The core *)

let queue = Queue.create ()

let reset () = 
  Queue.clear queue
      
let rec push d = 
  match d with
(* A type declaration is translated as new logical function, the arity of *)
(* which depends on the number of type variables in the declaration *)
  | Dtype (loc, ident, vars) ->
      Queue.add (Dlogic (loc, ident, 
			 Env.empty_scheme (Function (unify vars, ut)))) queue
  | Dalgtype _ ->
      assert false
(*
      failwith "encoding rec: algebraic types are not supported"
*)
(* In the case of a declaration of a function or predicate symbol, the symbol *)
(* is redefined with 'unified' arity, and in the case of a function, an axiom *)
(* is added to type the result w.r.t the arguments *)
  | Dlogic (loc, ident, arity) -> 
      let cpt = ref 0 in
      let fv = Env.Vset.fold
	  (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (arity.Env.scheme_vars) [] in
      let name = Ident.string ident in
      (match arity.Env.scheme_type with 
      | Predicate ptl ->
	  Queue.add (Dlogic (loc, ident,
			     Env.empty_scheme (Predicate (unify ptl)))) queue
      | Function (ptl, rt) -> 
	  let args = 
	    List.map
	      (fun t -> 
		Ident.create (let _ = cpt := !cpt + 1 in var^(string_of_int !cpt)), t)
	      ptl in
	  let rec mult_conjunct l p =
	    match l with [] -> p
	    | a::q -> mult_conjunct q (Pand(false, false, a, p)) in
	  let prem = 
	    mult_conjunct (List.map (fun (id,t) -> plunge fv (Tvar id) t) args) Ptrue in
	  let pattern = (Tapp (ident, List.map (fun (t, _) -> Tvar t) args, [])) in
	  let ccl = plunge fv pattern rt in
	  let ax = Env.empty_scheme 
	      (lifted 
		 ((fst (List.split args))@(List.map (fun i -> Ident.create i) (snd (List.split fv))))
		 (Pimplies (false, prem, ccl)) []) in
	  (Queue.add (Dlogic (loc, ident,
			      Env.empty_scheme (Function (unify ptl, ut)))) queue;
	   Queue.add (Daxiom (loc, axiom name, ax)) queue))
(* A predicate definition can be handled as a predicate logic definition + an axiom *)
  | Dpredicate_def (_loc, _ident, _pred_def_sch) ->
      assert false
(*
      let p = pred_def_sch.Env.scheme_type in
      let rec lifted_t l p =
	match l with 
	  | [] -> p
	  | (a,t)::q -> lifted_t q (Forall(false, a, a, t, [], p)) 
      in
      let name = Ident.string ident in
      push (Dlogic (loc, ident,
		    (Env.generalize_logic_type 
		       (Predicate (snd (List.split (fst p)))))));
      push (Daxiom (loc, def name,
		    (Env.generalize_predicate
		       (lifted_t (fst p)
			  (Piff ((Papp (ident, 
					List.map (fun (i,_) -> Tvar i) (fst p),
					[])),
			         (snd p)))))))
*)
  | Dinductive_def(_loc, _ident, _inddef) ->
      assert false
(*
      failwith "encoding rec: inductive def not yet supported"
*)
(* A function definition can be handled as a function logic definition + an axiom *)
  | Dfunction_def (_loc, _ident, _fun_def_sch) ->
      assert false
(*
      let f = fun_def_sch.Env.scheme_type in
      let rec lifted_t l p =
	match l with 
	  | [] -> p
	  | (a,t)::q -> lifted_t q (Forall(false, a, a, t, [], p)) 
      in
      let (ptl, rt, t) = f in
      let name = Ident.string ident in
      push (Dlogic (loc, ident,
		    (Env.generalize_logic_type 
		       (Function (snd (List.split ptl), rt)))));
      push (Daxiom (loc, def name,
		    (Env.generalize_predicate
		       (lifted_t ptl
			  (Papp (Ident.t_eq,
				 [(Tapp (ident, 
					 List.map (fun (i,_) -> Tvar i) ptl,
					 []));
				  t], []))))))
*)
(* Goals and axioms are just translated straightworfardly *)
  | Daxiom (loc, name, pred_sch) ->
      let cpt = ref 0 in
      let fv = Env.Vset.fold
	  (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (pred_sch.Env.scheme_vars) [] in
      let rec translate_eq = function
	| Pimplies (iswp, p1, p2) ->
	    Pimplies (iswp, translate_eq p1, translate_eq p2)
	| Pif (t, p1, p2) ->
	    Pif (t, translate_eq p1, translate_eq p2)
	| Pand (iswp, issym, p1, p2) ->
	    Pand (iswp, issym, translate_eq p1, translate_eq p2)
	| Por (p1, p2) ->
	    Por (translate_eq p1, translate_eq p2)
	| Piff (p1, p2) ->
	    Piff (translate_eq p1, translate_eq p2)
	| Pnot p ->
	    Pnot (translate_eq p)
	| Forall (iswp, id, n, pt, tl, p) ->
	    Forall (iswp, id, n, ut, tl,
		    Pimplies(false, plunge fv (Tvar n) pt, translate_eq p))
	| Plet (id, n, pt, t, p) -> 
	    Plet (id, n, pt, t, 
		  Pimplies(false, plunge fv (Tvar n) pt, translate_eq p)) 
	| Forallb (iswp, p1, p2) ->
	    Forallb (iswp, translate_eq p1, translate_eq p2)
	| Exists (id, n, pt, p) ->
	    Exists (id, n, ut, Pand (false, false, plunge fv (Tvar n) pt, translate_eq p))
	| Pnamed (s, p) ->
	    Pnamed (s, translate_eq p)
	| p -> p in
      let rec lifted  l p =
	match l with [] -> p
	| (_,a)::q -> 
	    lifted q (Forall(false, Ident.create a, Ident.create a, ut, [], p))
      in
      Queue.add (Daxiom (loc, name,
			 Env.empty_scheme
 			   (lifted fv (translate_eq pred_sch.Env.scheme_type)))) queue
  | Dgoal (loc, is_lemma, expl, name, s_sch) ->
      let cpt = ref 0 in
      let (cel, pred) = s_sch.Env.scheme_type in
      let fv = Env.Vset.fold
	  (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (s_sch.Env.scheme_vars) [] in
      let rec translate_eq = function
	| Pimplies (iswp, p1, p2) ->
	    Pimplies (iswp, translate_eq p1, translate_eq p2)
	| Pif (t, p1, p2) ->
	    Pif (t, translate_eq p1, translate_eq p2)
	| Pand (iswp, issym, p1, p2) ->
	    Pand (iswp, issym, translate_eq p1, translate_eq p2)
	| Por (p1, p2) ->
	    Por (translate_eq p1, translate_eq p2)
	| Piff (p1, p2) ->
	    Piff (translate_eq p1, translate_eq p2)
	| Pnot p ->
	    Pnot (translate_eq p)
	| Forall (iswp, id, n, pt, tl, p) ->
	    Forall (iswp, id, n, ut, tl,
		    Pimplies(false, plunge fv (Tvar n) pt, translate_eq p))
	| Plet (id, n, pt, t, p) -> 
	    Plet (id, n, pt, t, 
		  Pimplies(false, plunge fv (Tvar n) pt, translate_eq p)) 
	| Forallb (iswp, p1, p2) ->
	    Forallb (iswp, translate_eq p1, translate_eq p2)
	| Exists (id, n, pt, p) ->
	    Exists (id, n, ut, Pand (false, false, plunge fv (Tvar n) pt, translate_eq p))
	| Pnamed (s, p) ->
	    Pnamed (s, translate_eq p) 
	| p -> p in
(* dead code
      let rec lifted  l p =
	match l with [] -> p
	| (_,a)::q -> 
	    lifted q (Forall(false, Ident.create a, Ident.create a, ut, [], p))
      in 
*)
      Queue.add (Dgoal
		   (loc, is_lemma, expl, name,
		    Env.empty_scheme
		      (List.map
			 (fun s -> match s with
			   Spred (id, p) -> Spred (id, translate_eq p)
			 | s -> s) cel,
		       translate_eq pred))) queue
	
let iter f =
  (* first the prelude *)
  List.iter f prelude;
  (* then the queue *)
  Queue.iter f queue
why-2.34/src/option_misc.mli0000644000175000017500000000501112311670312014427 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

val map : ('a -> 'b) -> 'a option -> 'b option
val map_default : ('a -> 'b) -> 'b -> 'a option -> 'b
val iter : ('a -> unit) -> 'a option -> unit
val fold : ('a -> 'b -> 'b) -> 'a option -> 'b -> 'b
val fold_left : ('b -> 'a -> 'b) -> 'b -> 'a option -> 'b 
why-2.34/src/dispatcher.mli0000644000175000017500000000507012311670312014237 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc

val push_decl : Logic_decl.t -> unit

val iter : 
    (Loc.floc * bool * Logic_decl.vc_expl * string * sequent Env.scheme -> unit) 
    -> unit


val call_prover : 
  ?debug:bool -> ?timeout:int -> ?encoding:Options.encoding ->
  obligation:string -> DpConfig.prover_id -> Calldp.prover_result
why-2.34/src/simplify.ml0000644000175000017500000003567512311670312013612 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Simplify's output *)

open Ident
open Options
open Misc
open Error
open Logic
open Logic_decl
open Cc
open Format
open Pp

type elem = 
  | Oblig of Loc.floc * bool * Logic_decl.vc_expl * string * sequent Env.scheme
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme
(*
  | FunctionDef of string * function_def Env.scheme
*)

let queue = Queue.create ()

let reset () = 
  Queue.clear queue; 
  Encoding.reset ()

let rec decl_to_elem = function
  | Dgoal (loc, is_lemma, expl, id, s) -> 
      Queue.add (Oblig (loc, is_lemma, expl,id, s)) queue
  | Daxiom (_, id, p) -> 
      Queue.add (Axiom (id, p)) queue
  | Dpredicate_def (_, id, p) -> 
      Queue.add (Predicate (Ident.string id, p)) queue
  | Dfunction_def (_, _id, _p) -> 
      assert false
(*
      Queue.add (FunctionDef (Ident.string id, p)) queue
*)
  | Dinductive_def (loc, id, d) ->
      List.iter decl_to_elem (PredDefExpansor.inductive_def loc id d)
  | Dlogic _ -> ()
  | Dtype _ -> ()
  | Dalgtype _ ->  assert false


let push_decl d = Encoding.push ~encode_preds:false d

let defpred = Hashtbl.create 97

(*s Pretty print *)

let prefix_table = ref Idmap.empty

let () =
  List.iter (fun (id,s) -> prefix_table := Idmap.add id s !prefix_table)
    [ 
      (* booleans ops *)
      t_bool_and, "bool_and";
      t_bool_or, "bool_or";
      t_bool_xor, "bool_xor";
      t_bool_not, "bool_not";
      (* poly comps *)
      t_lt, "<";
      t_le, "<=";
      t_gt, ">";
      t_ge, ">=";
      (* int cmp *)
      t_lt_int, "<";
      t_le_int, "<=";
      t_gt_int, ">";
      t_ge_int, ">=";
      (* int ops *)
      t_add_int, "+";
      t_sub_int, "-";
      t_mul_int, "*";
(*
      t_div_int, "int_div";
      t_mod_int, "int_mod";
*)
      (* real ops *)
      t_add_real, "real_add";
      t_sub_real, "real_sub";
      t_mul_real, "real_mul";
      t_div_real, "real_div";
      t_neg_real, "real_neg";
      t_sqrt_real, "real_sqrt";
      t_real_of_int, "real_of_int";
      t_int_of_real, "int_of_real";
      t_lt_real, "real_lt";
      t_le_real, "real_le";
      t_gt_real, "real_gt";
      t_ge_real, "real_ge";
      t_abs_real, "real_abs";
      t_real_max, "real_max";
      t_real_min, "real_min";
      t_sqrt_real, "real_sqrt";
    ]

let is_prefix id = Idmap.mem id !prefix_table
	
let prefix id = 
  try
    Idmap.find id !prefix_table
  with Not_found -> assert false


let is_simplify_ident s =
  let is_simplify_char = function
    | 'a'..'z' | 'A'..'Z' | '0'..'9' | '_' -> true 
    | _ -> false
  in
  try 
    if String.length s >= 1 && s.[0] = '_' then raise Exit;
    String.iter (fun c -> if not (is_simplify_char c) then raise Exit) s; true
  with Exit ->
    false

let idents fmt s =
  if s = "store" then fprintf fmt "|why__store|" else
  if is_simplify_ident s then fprintf fmt "%s" s else fprintf fmt "|%s|" s

let ident fmt id = idents fmt (Ident.string id)

let sortp fmt id = idents fmt ("IS" ^ Ident.string id)

let simplify_max_int = Int64.of_string "2147483646"

let pp_exp fmt e =
  if e="" then () else
    if e.[0] = '-' then
      fprintf fmt "minus%s" (String.sub e 1 (String.length e - 1))
    else
      fprintf fmt "%s" e

let print_real fmt = function
  | RConstDecimal (i, f, e) -> 
      fprintf fmt "%s_%se%a" i f (Pp.print_option pp_exp) e
  | RConstHexa (i, f, e) -> 
      fprintf fmt "0x%s_%sp%a" i f pp_exp e

let rec print_term fmt = function
  | Tvar id -> 
      fprintf fmt "%a" ident id
  | Tconst (ConstInt n) ->
      begin try 
	let n64 = Int64.of_string n in
	if n64 < 0L || n64 > simplify_max_int then raise Exit;
	fprintf fmt "%s" n
      with _ -> (* the constant is too large for Simplify *)
	fprintf fmt "constant_too_large_%s" n
      end
  | Tconst (ConstBool b) -> 
      fprintf fmt "|@@%b|" b
  | Tconst ConstUnit -> 
      fprintf fmt "tt" (* TODO: CORRECT? *)
  | Tconst (ConstFloat c) ->
      fprintf fmt "real_constant_%a" print_real c 
(*
      Print_real.print_with_integers 
	"(real_of_int %s)" 
	"(real_of_int ( * %s %s))"
	"(div_real (real_of_int %s) (real_of_int %s))" 
	fmt c
*)
  | Tderef _ -> 
      assert false
(**
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "@[(select@ %a@ %a)@]" print_term a print_term b
  | Tapp (id, [a; b; c], _) when id == store ->
      fprintf fmt "@[(store@ %a@ %a@ %a)@]" 
	print_term a print_term b print_term c
**)
  | Tapp (id, [t], _) when id == t_neg_int ->
      fprintf fmt "@[(- 0 %a)@]" print_term t
  | Tapp (id, tl, _) when is_prefix id ->
      fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl
  | Tapp (id, [], _) ->
      ident fmt id
  | Tapp (id, tl, _) ->
      fprintf fmt "@[(%a@ %a)@]" 
	ident id (print_list space print_term) tl
  | Tnamed (_n, t) ->
      (*fprintf fmt "@[;;%s@\n%a@]" n pp p*) 
      print_term fmt t

and print_terms fmt tl = 
  print_list space print_term fmt tl

let rec print_pattern fmt = function
  | TPat t -> print_term fmt t
  | PPat (Papp (id, tl, inst)) -> print_term fmt (Tapp (id, tl, inst))
  | PPat _ -> Report.raise_unlocated Error.IllformedPattern
and print_patterns fmt pl =
  print_list space print_pattern fmt pl

let trigger fmt = function
  | [] -> ()
  | [TPat (Tvar _ as t)] -> fprintf fmt "(MPAT %a)" print_term t
  | [t] -> print_pattern fmt t
  | tl -> fprintf fmt "(MPAT %a)" print_patterns tl

let triggers fmt = function
  | [] -> ()
  | tl -> fprintf fmt "@ (PATS %a)" (print_list space trigger) tl

let external_type = function
  | PTexternal _ -> true
  | _ -> false

let has_type ty fmt id = match ty with
  | PTexternal([PTexternal (_,ty)], id) when id == farray ->
      fprintf fmt "(FORALL (k) (EQ (%a (select %a k)) |@@true|))" 
	sortp ty ident id
  | PTexternal(_, ty) ->
      fprintf fmt "(EQ (%a %a) |@@true|)" sortp ty ident id
  | _ -> 
      assert false

let rec print_predicate pos fmt p = 
  let pp = print_predicate pos in
  match p with
  | Ptrue ->
      fprintf fmt "TRUE"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "TRUE"
  | Pfalse ->
      fprintf fmt "FALSE"
  | Pvar id -> 
      fprintf fmt "%a" ident id
  | Papp (id, [], _) ->
      ident fmt id
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(DISTINCT@ %a)@]" print_terms tl
  | Papp (id, [_t], _) when id == well_founded ->
      fprintf fmt "FALSE ; was well_founded(...)@\n"
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "@[(EQ %a@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "@[(NEQ %a@ %a)@]" print_term a print_term b
  | Papp (id, tl, _) when is_int_comparison id ->
      fprintf fmt "@[(%s %a)@]" (prefix id) print_terms tl
  | Papp (id, [a;b], _) when id == t_zwf_zero ->
      (match get_types_encoding () with
	Stratified ->
	  fprintf fmt "@[(AND (EQ (le_int_c (c_sort c_int 0) %a) |@@true|)@ (EQ (lt_int_c %a %a) |@@true|))@]" 
	    print_term b print_term a print_term b
      | _ ->
	  fprintf fmt "@[(AND (<= 0 %a)@ (< %a %a))@]" 
	    print_term b print_term a print_term b)
  | Papp (id, tl, _) when Hashtbl.mem defpred id -> 
      fprintf fmt "@[(%a@ %a)@]" ident id print_terms tl
  | Papp (id, tl, _) -> 
      fprintf fmt "@[(EQ (%a@ %a) |@@true|)@]" ident id print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "@[(IMPLIES@ %a@ %a)@]" 
	(print_predicate (not pos)) a pp b
  | Piff (a, b) ->
      fprintf fmt "@[(IFF@ %a@ %a)@]" pp a pp b
  | Pif (a, b, c) ->
      fprintf fmt 
     "@[(AND@ (IMPLIES (EQ %a |@@true|) %a)@ (IMPLIES (NEQ %a |@@true|) %a))@]"
      print_term a pp b print_term a pp c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "@[(AND@ %a@ %a)@]" pp a pp b
  | Por (a, b) ->
      fprintf fmt "@[(OR@ %a@ %a)@]" pp a pp b
  | Pnot a ->
      fprintf fmt "@[(NOT@ %a)@]" pp a
  | Forall (_,id,n,_,tl,p) 
      when simplify_triggers ||
	get_types_encoding () = Stratified ||
	get_types_encoding () = SortedStratified ->
      let id' = next_away id (predicate_vars p) in
      let s = subst_onev n id' in
      let p' = subst_in_predicate s p in
      let tl' = List.map (List.map (subst_in_pattern s)) tl in
      fprintf fmt "@[(FORALL (%a)%a@ %a)@]" ident id' triggers tl' pp p'
(*  | Forall (_,id,n,_,_,p) ->
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(FORALL (%a)@ %a)@]" ident id' pp p'
*)
  | Forall _ as p ->
      let bv,p = Util.decomp_forall p in
      let var fmt (x,_) = ident fmt x in
      fprintf fmt "@[(FORALL (%a)@ %a)@]" (print_list space var) bv pp p
  | Exists (id,n,_t,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(EXISTS (%a)@ %a)@]" ident id' pp p'
  | Pnamed (_n, p) ->
      (*fprintf fmt "@[;;%s@\n%a@]" n pp p*) 
      pp fmt p
  | Plet (_, n, _, t, p) ->
      pp fmt (subst_term_in_predicate n t p)
  (** BUG Simplify
  | Pnamed (n, p) when pos ->
      fprintf fmt "@[(LBLPOS@ |%s|@ %a)@]" n pp p
  | Pnamed (n, p) ->
      fprintf fmt "@[(LBLNEG@ |%s|@ %a)@]" n pp p
  **)

let cc_external_type = function
  | Cc.TTpure ty -> external_type ty
  | Cc.TTarray (Cc.TTpure (PTexternal _)) -> true
  | _ -> false

let cc_has_type ty fmt id = match ty with
  (*JFC :  where is it called ?*)
  | Cc.TTpure ty when external_type ty ->
      has_type ty fmt id
  | Cc.TTarray (Cc.TTpure (PTexternal(_,ty))) ->
      fprintf fmt "(FORALL (k) (EQ (%a (select %a k)) |@@true|))" 
	sortp ty ident id
  | _ -> 
      assert false

let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate false fmt concl
    | Svar (id, _v) :: hyps -> 
	fprintf fmt "@[(FORALL (%a)@ %a)@]" ident id print_seq hyps
    | Spred (_,p) :: hyps -> 
	fprintf fmt "@[(IMPLIES %a@ %a)@]" 
	  (print_predicate true) p print_seq hyps
  in
  print_seq fmt hyps

let print_obligation fmt loc is_lemma _expl o s = 
  fprintf fmt "@[;; %s, %a@]@\n" o Loc.gen_report_line loc;
  fprintf fmt "@[%a@]@\n@\n" print_sequent s.Env.scheme_type;
  if is_lemma then begin
    fprintf fmt "@[(BG_PUSH@\n ;; lemma %s as axiom@\n" o;
    fprintf fmt "@[%a@])@]@\n@\n" print_sequent s.Env.scheme_type;
  end

let push_foralls p =
  let change = ref false in
  let split vars p =
    let vars_p = predicate_vars p in
    List.fold_left 
      (fun (in_p, out_p) ((_,_,b,_,_) as v) -> 
	 if Idset.mem b vars_p then v :: in_p, out_p else in_p, v :: out_p)
      ([],[]) vars
  in
  let quantify = 
    List.fold_right (fun (w,id,b,v,tl) p -> Forall (w,id,b,v,tl,p)) 
  in
  let rec push vars = function
    | Forall (w, id, b, v, tl, p) -> 
	push ((w,id,b,v,tl) :: vars) p
    | Pimplies (w, p1, p2) -> 
	let in_p1, out_p1 = split vars p1 in 
	if out_p1 <> [] then change := true;
	quantify in_p1 (Pimplies (w, p1, push out_p1 p2))
    | p ->
	quantify vars p
  in
  push [] p, !change


 let print_axiom fmt id p =
  fprintf fmt "@[(BG_PUSH@\n ;; Why axiom %s@\n" id;
  let p = p.Env.scheme_type in
  fprintf fmt " @[%a@]" (print_predicate true) p;
  let p,c = push_foralls p in
  if c then fprintf fmt "@\n@\n @[%a@]" (print_predicate true) p;
  fprintf fmt ")@]@\n@\n" 

let print_predicate fmt id p =
  let (bl,p) = p.Env.scheme_type in
  fprintf fmt "@[(DEFPRED @[(%a %a)@]@ @[%a@])@]@\n@\n" idents id
    (print_list space (fun fmt (x,_) -> ident fmt x)) bl
    (print_predicate false) p;
  Hashtbl.add defpred (Ident.create id) ()

let idents_plus_prefix fmt s  =
  match Ident.create s with
    id when id == t_neg_int -> (* hack *)
      fprintf fmt "@[- 0@]"
  | id when is_arith id || is_relation id ->
      fprintf fmt "%s" (prefix id)
  | _ when is_simplify_ident s ->
      fprintf fmt "%s" s
  | _ ->
      fprintf fmt "|%s|" s

(* TODO: should be handled in Encoding *)
let print_function fmt id p =
  let (bl,_pt,e) = p.Env.scheme_type in
  match bl with 
    [] -> 
      fprintf fmt "@[(BG_PUSH@\n ;; Why function %s@\n" id;
      fprintf fmt "  @[(EQ %a %a)@])@]@\n@\n" idents id	print_term e
  |_ -> 
      fprintf fmt "@[(BG_PUSH@\n ;; Why function %s@\n" id;
      fprintf fmt "  @[(FORALL (%a) (EQ (%a %a) %a))@])@]@\n@\n"
	(print_list space (fun fmt (x,_) -> ident fmt x)) bl
	idents_plus_prefix id
	(print_list space (fun fmt (x,_) -> ident fmt x)) bl 
	print_term e

let print_elem fmt = function
  | Oblig (loc, is_lemma, expl, id, s) -> 
      print_obligation fmt loc is_lemma expl id s
  | Axiom (id, p) -> print_axiom fmt id p
  | Predicate (id, p) -> print_predicate fmt id p
(*
  | FunctionDef (id, f) -> print_function fmt id f
*)

let print_file fmt =
  Encoding.iter decl_to_elem;
  fprintf fmt "(BG_PUSH (NEQ |@@true| |@@false|))@\n@\n";
  Queue.iter (print_elem fmt) queue

let output_file ~allowedit file =
  if allowedit then
    let sep = ";; DO NOT EDIT BELOW THIS LINE" in
    do_not_edit_below ~file
      ~before:(fun _fmt -> ())
      ~sep
      ~after:print_file
  else
    print_in_file print_file file

why-2.34/src/holl.mli0000644000175000017500000000462512311670312013054 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s HOL Light output *)

open Vcg
open Cc

val reset : unit -> unit

val push_decl : Logic_decl.t -> unit

val output_file : string -> unit
why-2.34/src/fastwp.mli0000644000175000017500000000453512311670312013422 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Fast weakest preconditions *)

open Env

val wp : typed_expr -> Logic.predicate
why-2.34/src/monad.mli0000644000175000017500000000460712311670312013214 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Main part of the translation of imperative programs into functional ones
    (with module [Mlize]) *)

include MonadSig.S
why-2.34/src/misc.ml0000644000175000017500000005640712311670312012705 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Options
open Ident
open Logic
open Types 
open Ast
open Ptree
open Cc


(*s Utility functions. *)

let map_succeed f = 
  let rec map_f = function 
    | [] -> []
    | h :: t -> try let x = f h in x :: map_f t with Failure _ -> map_f t
  in 
  map_f 

let option_app = Option_misc.map

let option_iter = Option_misc.iter

let option_fold = Option_misc.fold

let a_value a = a.a_value
let a_values = List.map a_value

let list_of_some = function None -> [] | Some x -> [x]

let if_labelled f id = if is_at id then f (un_at id)

let difference l1 l2 =
  let rec diff = function
    | [] -> []
    | a::rem -> if List.mem a l2 then diff rem else a::(diff rem)
  in
  diff l1

let rec last = function
  | [] -> invalid_arg "last"
  | [x] -> x
  | _ :: l -> last l

let rec list_combine3 a b c = match a, b, c with
  | [], [], [] -> []
  | xa::ra, xb::rb, xc::rc -> (xa, xb, xc) :: list_combine3 ra rb rc
  | _ -> invalid_arg "list_combine3"

let rec list_first f = function
  | [] -> raise Exit
  | x :: l -> try f x with Exit -> list_first f l

let is_default_post a = match a.a_value with
  | Pvar id when id == Ident.default_post -> true
  | _ -> false

(*s Functions on names *)

type avoid = Ident.set

let renaming_of_ids avoid ids =
  let rec rename avoid = function
    | [] -> 
	[], avoid
    | x :: rem ->
	let al,avoid = rename avoid rem in
	let x' = Ident.next_away x avoid in
	(x,x')::al, Idset.add x' avoid
  in
  rename avoid ids

(*s hypotheses names *)

let next s r = function
  | Anonymous -> incr r; Ident.create (s ^ string_of_int !r)
  | Name id -> id

let reset_names_table = ref []
let reset_names () = List.iter (fun f -> f ()) !reset_names_table

let gen_sym_name s =
  let r = ref 0 in 
  reset_names_table := (fun () -> r := 0) :: !reset_names_table;
  next s r

let gen_sym s = let g = gen_sym_name s in fun () -> g Anonymous

let pre_name = gen_sym_name "Pre"
let post_name = gen_sym "Post"
let inv_name = gen_sym_name "Inv"
let test_name = gen_sym "Test"
let wp_name = gen_sym "WP"
let h_name = gen_sym_name "H_"
let bool_name = gen_sym "Bool"
let variant_name = gen_sym "variant"
let phi_name = gen_sym "rphi"
let for_name = gen_sym "for"
let label_name = let f = gen_sym "_label_" in fun () -> Ident.string (f ())
let fresh_hyp = gen_sym "HW_"
let fresh_axiom = gen_sym "AXIOM_"
let fresh_var = gen_sym "aux_"
let fresh_c_var = gen_sym "c_aux_"
let wf_name = gen_sym "wf"

let id_of_name = function Name id -> id | Anonymous -> default

let is_post id =
  let s = Ident.string id in
  String.length s >= 4 && String.sub s 0 4 = "Post"

let post_name_from = 
  let avoid = ref Idset.empty in
  reset_names_table := (fun () -> avoid := Idset.empty) :: !reset_names_table;
  function
    | Anonymous ->
	post_name ()
    | Name id when is_post id ->
	post_name ()
    | Name id -> 
	let id' = Ident.next_away id !avoid in
	avoid := Idset.add id' !avoid;
	id'

let warning s = Format.eprintf "warning: %s@\n" s
let wprintf loc f = 
  Format.eprintf "%awarning: " Loc.report_position loc; Format.eprintf f
let unlocated_wprintf f = 
  Format.eprintf "warning: "; Format.eprintf f

(*s Various utility functions. *)

let rec is_closed_pure_type = function
  | PTint | PTbool | PTreal | PTunit -> true
  | PTvar {type_val=None} -> false
  | PTvar {type_val=Some t} -> is_closed_pure_type t
  | PTexternal (ptl,_) -> List.for_all is_closed_pure_type ptl

let rec normalize_pure_type = function
  | PTvar { type_val = Some t } -> normalize_pure_type t
  | PTexternal (i, id) -> PTexternal (List.map normalize_pure_type i, id)
  | PTvar _ | PTint | PTbool | PTunit | PTreal as t -> t

let rationalize s =
  let n = String.length s in
  let i = String.index s '.' in
  let d = n - i - 1 in
  String.sub s 0 i ^ String.sub s (succ i) d, "1" ^ String.make d '0'

let is_mutable = function Ref _ -> true | _ -> false
let is_pure = function PureType _ -> true | _ -> false

let asst_app f x = { x with a_value = (f x.a_value); a_proof = None }

let post_app f (q,l) = (f q, List.map (fun (x,a) -> (x, f a)) l)

let optpost_app f = option_app (post_app f)

let asst_fold f x v = f x.a_value v
let post_fold f (q,l) v = 
  List.fold_right (fun (_,p) -> asst_fold f p) l (asst_fold f q v)
let optpost_fold f = option_fold (post_fold f)

let panonymous loc x = 
  { pa_name = Anonymous; pa_value = x; pa_loc = loc }
let anonymous loc x = 
  { a_name = Ident.anonymous; a_value = x; a_loc = loc; a_proof = None }
let wp_named loc x = 
  { a_name = wp_name (); a_value = x; a_loc = loc; a_proof = None }
let pre_named loc x = 
  { a_name = pre_name Anonymous; a_value = x; a_loc = loc; a_proof = None }
let post_named loc x = 
  { a_name = post_name (); a_value = x; a_loc = loc; a_proof = None }

let force_wp_name = option_app (fun a -> { a with a_name = wp_name () })

let force_name f a = { a with a_name = f a.a_name }

(***
    let force_post_name = option_app (fun (q,l) -> (force_name post_name q, l))

    let force_bool_name = 
    let f = function Name id -> id | Anonymous -> bool_name() in
    option_app (fun (q,l) -> (force_name f q, l))
***)

let force_loc l a = { a with a_loc = l }

let force_post_loc l (q,ql) = 
  (force_loc l q, List.map (fun (x,a) -> (x, force_loc l a)) ql)

(***
    let rec force_type_c_loc l c =
    { c with 
    c_result_type = force_type_v_loc l c.c_result_type;
    c_pre = List.map (force_loc l) c.c_pre;
    c_post = option_app (force_post_loc l) c.c_post }

    and force_type_v_loc l = function
    | Arrow (bl, c) -> Arrow (bl, force_type_c_loc l c)
    | (PureType _ | Ref _) as v -> v
***)

let default_post = anonymous Loc.dummy_position (Pvar Ident.default_post)

(* selection of postcondition's parts *)
let post_val = fst
let post_exn x (_,l) = List.assoc x l

let optpost_val = option_app post_val
let optpost_exn x = option_app (post_exn x)

(* substititution within some parts of postconditions *)
let val_app f (x,xl) = (asst_app f x, xl)
let exn_app _x f (x,xl) = (x, List.map (fun (x,a) -> x, asst_app f a) xl)

let optval_app f = option_app (val_app f)
let optexn_app x f = option_app (exn_app x f)

let optasst_app f = option_app (asst_app f)

(*s Functions on terms and predicates. *)

let rec applist f l = match (f,l) with
  | f, [] -> f
  | Tvar id, l -> Tapp (id, l, [])
  | Tapp (id, l, il), l' -> Tapp (id, l @ l', il)
  | (Tconst _ | Tderef _), _ -> assert false
  | Tnamed(lab,t),l -> Tnamed(lab,applist t l)

let papplist f l = match (f,l) with
  | f, [] -> f
  | Pvar id, l -> Papp (id, l, [])
  | Papp (id, l, il), l' -> assert (il = []); Papp (id, l @ l', [])
  | _ -> assert false

let rec predicate_of_term = function
  | Tvar x -> Pvar x
  | Tapp (id, l, i) -> Papp (id, l, i)
  | _ -> assert false

let rec collect_term s = function
  | Tvar id | Tderef id -> Idset.add id s
  | Tapp (_, l, _) -> List.fold_left collect_term s l
  | Tconst _ -> s
  | Tnamed(_,t) -> collect_term s t

let rec collect_pred s = function
  | Pvar _ | Ptrue | Pfalse -> s
  | Papp (_, l, _) -> List.fold_left collect_term s l
  | Pimplies (_, a, b) | Pand (_, _, a, b) | Por (a, b) | Piff (a, b)
  | Forallb (_, a, b) -> 
      collect_pred (collect_pred s a) b
  | Pif (a, b, c) -> collect_pred (collect_pred (collect_term s a) b) c
  | Pnot a -> collect_pred s a
  | Forall (_, _, _, _, _, p) -> collect_pred s p
  | Exists (_, _, _, p) -> collect_pred s p
  | Pnamed (_, p) -> collect_pred s p
  | Plet (_, _, _, t, p) -> collect_pred (collect_term s t) p

let term_vars = collect_term Idset.empty
let predicate_vars = collect_pred Idset.empty
let assertion_vars a = predicate_vars a.a_value

let gen_post_vars assertion_vars (q,al) = 
  List.fold_left 
    (fun s (_,a) -> Idset.union s (assertion_vars a))
    (assertion_vars q)
    al

let post_vars = gen_post_vars predicate_vars
let apost_vars = gen_post_vars assertion_vars

let rec map_predicate f = function
  | Pimplies (w, a, b) -> Pimplies (w, f a, f b)
  | Pif (a, b, c) -> Pif (a, f b, f c)
  | Pand (w, s, a, b) -> Pand (w, s, f a, f b)
  | Por (a, b) -> Por (f a, f b)
  | Piff (a, b) -> Piff (f a, f b)
  | Pnot a -> Pnot (f a)
  | Forall (w, id, b, v, tl, p) -> Forall (w, id, b, v, tl, f p)
  | Exists (id, b, v, p) -> Exists (id, b, v, f p)
  | Forallb (w, a, b) -> Forallb (w, f a, f b)
  | Pnamed (n, a) -> Pnamed (n, f a)
  | Plet (id, b, pt, t, p) -> Plet (id, b, pt, t, f p)
  | Ptrue | Pfalse | Pvar _ | Papp _ as p -> p

let rec tsubst_in_term s = function
  | Tvar x | Tderef x as t -> 
      (try Idmap.find x s with Not_found -> t)
  | Tapp (x,l,i) -> 
      Tapp (x, List.map (tsubst_in_term s) l, i)
  | Tconst _ as t -> 
      t
  | Tnamed(lab,t) -> Tnamed(lab,tsubst_in_term s t)

let rec tsubst_in_predicate s = function
  | Papp (id, l, i) -> Papp (id, List.map (tsubst_in_term s) l, i)
  | Pif (a, b ,c) -> Pif (tsubst_in_term s a, 
			  tsubst_in_predicate s b, 
			  tsubst_in_predicate s c)
  | Forall (w, id, b, v, tl, p) -> 
      Forall (w, id, b, v, List.map (List.map (tsubst_in_pattern s)) tl,
	      tsubst_in_predicate s p)
  | Plet (id, n, pt, t, p) ->
      Plet (id, n, pt, tsubst_in_term s t, tsubst_in_predicate s p)
  | p -> 
      map_predicate (tsubst_in_predicate s) p

and tsubst_in_pattern s = function
  | TPat t -> TPat (tsubst_in_term s t)
  | PPat p -> PPat (tsubst_in_predicate s p)

(***
    let subst_in_term s = 
    tsubst_in_term (Idmap.map (fun id -> Tvar id) s)
***)
let rec subst_in_term s = function
  | Tvar x | Tderef x as t ->
      (try Tvar (Idmap.find x s) with Not_found -> t)
  | Tapp (x,l,i) -> 
      Tapp (x, List.map (subst_in_term s) l, i)
  | Tconst _ as t -> 
      t
  | Tnamed(lab,t) -> Tnamed(lab,subst_in_term s t)
      

(***
    let subst_in_predicate s = 
    tsubst_in_predicate (Idmap.map (fun id -> Tvar id) s)
    let subst_in_pattern s =
    tsubst_in_pattern (Idmap.map (fun id -> Tvar id) s)
***)

let rec subst_in_predicate s = function
  | Papp (id, l, i) -> Papp (id, List.map (subst_in_term s) l, i)
  | Pif (a, b ,c) -> Pif (subst_in_term s a, 
			  subst_in_predicate s b, 
			  subst_in_predicate s c)
  | Forall (w, id, b, v, tl, p) -> 
      Forall (w, id, b, v, List.map (List.map (subst_in_pattern s)) tl,
	      subst_in_predicate s p)
  | Plet (id, n, pt, t, p) ->
      Plet (id, n, pt, subst_in_term s t, subst_in_predicate s p)
  | p -> 
      map_predicate (subst_in_predicate s) p

and subst_in_pattern s = function
  | TPat t -> TPat (subst_in_term s t)
  | PPat p -> PPat (subst_in_predicate s p)

let subst_in_triggers s =
  List.map (List.map (subst_in_pattern s))

let subst_in_assertion s = asst_app (subst_in_predicate s)

let subst_one x t = Idmap.add x t Idmap.empty

let subst_onev = subst_one

let rec subst_many vl1 vl2 = match vl1, vl2 with
  | [], [] -> Idmap.empty
  | x1 :: l1, x2 :: l2 -> Idmap.add x1 x2 (subst_many l1 l2)
  | _ -> invalid_arg "subst_many"

let rec subst_manyv  vl1 vl2 = match vl1, vl2 with
  | [], [] -> Idmap.empty
  | x1 :: l1, x2 :: l2 -> Idmap.add x1 x2 (subst_manyv l1 l2)
  | _ -> invalid_arg "subst_manyv"

let subst_term_in_predicate x t p =
  tsubst_in_predicate (subst_one x t) p

let rec unref_term = function
  | Tderef id -> Tvar id
  | Tapp (id, tl, i) -> Tapp (id, List.map unref_term tl, i)
  | Tvar _ | Tconst _ as t -> t
  | Tnamed(lab,t) -> Tnamed(lab,unref_term t)

let equals_true = function
  | Tapp (id, _, _) as t when is_relation id -> t
  | t -> Tapp (t_eq, [t; Tconst (ConstBool true)], [])

let negate id =
  if id == t_lt then t_ge
  else if id == t_le then t_gt 
  else if id == t_gt then t_le
  else if id == t_ge then t_lt
  else if id == t_eq then t_neq
  else if id == t_neq then t_eq
  else if id == t_lt_int then t_ge_int
  else if id == t_le_int then t_gt_int
  else if id == t_gt_int then t_le_int
  else if id == t_ge_int then t_lt_int
  else if id == t_eq_int then t_neq_int
  else if id == t_neq_int then t_eq_int
  else if id == t_lt_real then t_ge_real
  else if id == t_le_real then t_gt_real
  else if id == t_gt_real then t_le_real
  else if id == t_ge_real then t_lt_real
  else if id == t_eq_real then t_neq_real
  else if id == t_neq_real then t_eq_real
  else if id == t_eq_bool then t_neq_bool
  else if id == t_neq_bool then t_eq_bool 
  else if id == t_eq_unit then t_neq_unit
  else if id == t_neq_unit then t_eq_unit 
  else assert false

let make_int_relation id =
  if id == t_lt then t_lt_int
  else if id == t_le then t_le_int
  else if id == t_gt then t_gt_int
  else if id == t_ge then t_ge_int
  else id

let equals_false = function
  | Tapp (id, l, i) when is_relation id -> Tapp (negate id, l, i)
  | t -> Tapp (t_eq, [t; Tconst (ConstBool false)], [])

let rec mlize_type = function
  | PureType pt | Ref pt -> pt
  | Arrow _ -> assert false

(*s Substitutions *)

let rec type_c_subst s c =
  let {c_result_name=id; c_result_type=t; c_effect=e; c_pre=p; c_post=q} = c in
  let s' = Idmap.fold (fun x x' -> Idmap.add (at_id x "") (at_id x' "")) s s in
  { c_result_name = id;
    c_result_type = type_v_subst s t;
    c_effect = Effect.subst s e;
    c_pre = List.map (subst_in_predicate s) p;
    c_post = option_app (post_app (subst_in_predicate s')) q }

and type_v_subst s = function
  | Ref _ | PureType _ as v -> v
  | Arrow (bl,c) -> Arrow (List.map (binder_subst s) bl, type_c_subst s c)

and binder_subst s (n,v) = (n, type_v_subst s v)

(*s substitution of term for variables *)

let rec type_c_rsubst s c =
  { c_result_name = c.c_result_name;
    c_result_type = type_v_rsubst s c.c_result_type;
    c_effect = c.c_effect;
    c_pre = List.map (tsubst_in_predicate s) c.c_pre;
    c_post = option_app (post_app (tsubst_in_predicate s)) c.c_post }

and type_v_rsubst s = function
  | Ref _ | PureType _ as v -> v
  | Arrow (bl,c) -> Arrow(List.map (binder_rsubst s) bl, type_c_rsubst s c)

and binder_rsubst s (n,v) = (n, type_v_rsubst s v)

let type_c_of_v v =
  { c_result_name = Ident.result;
    c_result_type = v;
    c_effect = Effect.bottom; c_pre = []; c_post = None }

(* make_arrow bl c = (x1:V1)...(xn:Vn)c *)

let make_arrow bl c = match bl with
  | [] -> 
      invalid_arg "make_arrow: no binder"
  | _ -> 
      let rename (id,v) (bl,s) = 
	let id' = Ident.bound id in 
	(id',v) :: bl, 
	Idmap.add id id' (Idmap.add (at_id id "") (at_id id' "") s)
      in
      let bl',s = List.fold_right rename bl ([], Idmap.empty) in
      Arrow (bl', type_c_subst s c)

let rec make_binders_type_c s c =
  let {c_result_name=id; c_result_type=t; c_effect=e; c_pre=p; c_post=q} = c in
  { c_result_name = id;
    c_result_type = make_binders_type_v s t;
    c_effect = Effect.subst s e;
    c_pre = List.map (subst_in_predicate s) p;
    c_post = option_app (post_app (subst_in_predicate s)) q }

and make_binders_type_v s = function
  | Ref _ | PureType _ as v -> v
  | Arrow (bl,c) -> 
      let rename (id,v) (bl,s) = 
	let id' = Ident.bound id in 
	(id',v) :: bl, 
	Idmap.add id id' (Idmap.add (at_id id "") (at_id id' "") s)
      in
      let bl',s = List.fold_right rename bl ([], s) in
      Arrow (bl', make_binders_type_c s c)

let make_binders_type_v = make_binders_type_v Idmap.empty
let make_binders_type_c = make_binders_type_c Idmap.empty

(*s Smart constructors. *)

let ttrue = Tconst (ConstBool true)
let tfalse = Tconst (ConstBool false)
let tresult = Tvar Ident.result
let tvoid = Tconst ConstUnit

let relation op t1 t2 = Papp (op, [t1; t2], [])
let not_relation op = relation (negate op)
let lt = relation t_lt
let le = relation t_le
let gt = relation t_gt
let ge = relation t_ge
let ge_real = relation t_ge_real
let eq = relation t_eq
let neq = relation t_neq

let array_length id i = Tapp (array_length, [Tderef id], [i])

let lt_int = relation t_lt_int
let le_int = relation t_le_int

let pif a b c =
  if a = ttrue then b else if a = tfalse then c else Pif (a, b ,c)

let pand ?(is_wp=false) ?(is_sym=true) a b = 
  if a = Ptrue then b else if b = Ptrue then a else
    if a = Pfalse || b = Pfalse then Pfalse else
      Pand (is_wp, is_sym, a, b)

let wpand = pand ~is_wp:true

let pands ?(is_wp=false) ?(is_sym=true) = 
  List.fold_left (pand ~is_wp ~is_sym) Ptrue

let wpands = pands ~is_wp:true

let por a b =
  if a = Ptrue || b = Ptrue then Ptrue else
    if a = Pfalse then b else if b = Pfalse then a else
      Por (a, b)

let pors = List.fold_left por Pfalse

let pnot a =
  if a = Ptrue then Pfalse else if a = Pfalse then Ptrue else Pnot a

let pimplies ?(is_wp=false) p1 p2 = 
  if p2 = Ptrue then Ptrue 
  else if p1 = Ptrue then p2 
  else Pimplies (is_wp, p1, p2)

let wpimplies = pimplies ~is_wp:true

(*s [simplify] only performs simplications which are Coq reductions.
  Currently: only [if true] and [if false] *)

let rec simplify = function
  | Pif (Tconst (ConstBool true), a, _) -> simplify a
  | Pif (Tconst (ConstBool false), _, b) -> simplify b
  | p -> map_predicate simplify p

(*s Equalities *)

let rec eq_pure_type t1 t2 = match t1, t2 with
  | PTvar { type_val = Some t1 }, _ ->
      eq_pure_type t1 t2
  | _, PTvar { type_val = Some t2 } ->
      eq_pure_type t1 t2
  | PTexternal (l1, id1), PTexternal (l2, id2) ->
      id1 == id2 && List.for_all2 eq_pure_type l1 l2
  | _ ->
      t1 = t2

let rec eq_term t1 t2 = match t1, t2 with
  | Tapp (id1, tl1, _i1), Tapp (id2, tl2, _i2) ->
      id1 == id2 && List.for_all2 eq_term tl1 tl2 
	(* && List.for_all2 eq_pure_type i1 i2 ??? *)
  | _ -> 
      t1 = t2

let rec eq_predicate p1 p2 = match p1, p2 with
  | Papp (id1, tl1, _i1), Papp (id2, tl2, _i2) ->
      id1 == id2 && List.for_all2 eq_term tl1 tl2 
	(* && List.for_all2 eq_pure_type i1 i2 ??? *)
  | Pvar id1, Pvar id2 ->
      id1 == id2
  | Ptrue, Ptrue 
  | Pfalse, Pfalse ->
      true
  | Pand (_, _, a1, b1), Pand (_, _, a2, b2)
  | Por (a1, b1), Por (a2, b2)
  | Piff (a1, b1), Piff (a2, b2)
  | Forallb (_, a1, b1), Forallb (_, a2, b2)
  | Pimplies (_, a1, b1), Pimplies (_, a2, b2) ->
      eq_predicate a1 a2 && eq_predicate b1 b2
  | Pnot a1, Pnot a2 ->
      eq_predicate a1 a2
  | Pif (t1, a1, b1), Pif (t2, a2, b2) ->
      eq_term t1 t2 && eq_predicate a1 a2 && eq_predicate b1 b2
  | (Forall _ | Exists _ | Plet _), _
  | _, (Forall _ | Exists _ | Plet _) ->
      false
	(* equality up to names *)
  | Pnamed (_, p1), _ ->
      eq_predicate p1 p2
  | _, Pnamed (_, p2) ->
      eq_predicate p1 p2
	(* outside of the diagonal -> false *)
  | (Forallb _ | Pnot _ | Piff _ | Por _ |
	 Pand _ | Pif _ | Pimplies _ | Papp _ | Pvar _ | Pfalse | Ptrue),
      (Forallb _ | Pnot _ | Piff _ | Por _ |
	   Pand _ | Pif _ | Pimplies _ | Papp _ | Pvar _ | Pfalse | Ptrue) ->
      false

(*s Debug functions *)

module Size = struct

  let rec term = function
    | Tconst _ | Tvar _ | Tderef _ -> 1 
    | Tapp (_, tl, _) -> List.fold_left (fun s t -> s + term t) 1 tl
    | Tnamed(_,t) -> term t

  let rec predicate = function
    | Pvar _ | Ptrue | Pfalse -> 1
    | Papp (_, tl, _) -> List.fold_left (fun s t -> s + term t) 1 tl
    | Pand (_, _, p1, p2) 
    | Por (p1, p2) 
    | Piff (p1, p2) 
    | Pimplies (_, p1, p2) -> 1 + predicate p1 + predicate p2
    | Pif (t, p1, p2) -> 1 + term t + predicate p1 + predicate p2
    | Pnot p -> 1 + predicate p
    | Forall (_,_,_,_,_,p) -> 1 + predicate p
    | Exists (_,_,_,p) -> 1 + predicate p
    | Forallb (_,p1,p2) -> 1+ predicate p1 + predicate p2
    | Plet (_, _, _, t, p) -> 1 + term t + predicate p
    | Pnamed (_,p) -> predicate p

  let assertion a = predicate a.a_value

  let postcondition (q,ql) = 
    assertion q + List.fold_left (fun s (_,q) -> s + assertion q) 0 ql

  let postcondition_opt = function None -> 0 | Some q -> postcondition q

end

(*s functions over CC terms *)

let cc_var x = CC_var x

let cc_term t = CC_term t

let rec cc_applist f l = match (f, l) with
  | f, [] -> f
  | f, x :: l -> cc_applist (CC_app (f, x)) l

let cc_lam bl = List.fold_right (fun b c -> CC_lam (b, c)) bl

let tt_var x = TTterm (Tvar x)

let tt_arrow = List.fold_right (fun b t -> TTarrow (b, t))

open Format

let file_formatter f cout =
  let fmt = formatter_of_out_channel cout in
  f fmt;
  pp_print_flush fmt ()

let do_not_edit_below ~file ~before ~sep ~after =
  let cout = 
    if not (out_file_exists file) then begin
      let cout = open_out_file file in
      file_formatter before cout;
      output_string cout ("\n" ^ sep ^ "\n\n");
      cout
    end 
    else 
      begin
	let file = out_file file in
	let file_bak = file ^ ".bak" in
	Sys.rename file file_bak;
	let cin = open_in file_bak in
	let cout = open_out file in
	begin try 
	  while true do 
	    let s = input_line cin in
	    output_string cout (s ^ "\n");
	    if s = sep then raise Exit
	  done
	with
	  | End_of_file -> output_string cout (sep ^ "\n\n")
	  | Exit -> output_string cout "\n"
	end;
	cout
      end
  in
  file_formatter after cout;
  close_out_file cout

let do_not_edit_above ~file ~before ~sep ~after =
  if not (out_file_exists file) then begin
    let cout = open_out_file file in
    file_formatter before cout;
    output_string cout ("\n" ^ sep ^ "\n\n");
    file_formatter after cout;
    close_out_file cout
  end else begin
    let file = out_file file in
    let file_bak = file ^ ".bak" in
    Sys.rename file file_bak;
    let cout = open_out file in
    file_formatter before cout;
    output_string cout ("\n" ^ sep ^ "\n\n");
    let cin = open_in file_bak in
    begin try 
      while input_line cin <> sep do () done;
      while true do 
	let s = input_line cin in output_string cout (s ^ "\n")
      done
    with End_of_file -> 
      ()
    end;
    close_out_file cout
  end

why-2.34/src/zenon.mli0000644000175000017500000000464312311670312013247 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc

val reset : unit -> unit

val push_decl : Logic_decl.t -> unit

val prelude_done : bool ref

val output_file : allowedit:bool -> string -> unit

why-2.34/src/pp.mli0000644000175000017500000001210512311670312012525 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format

val print_option : (formatter -> 'a -> unit) -> formatter -> 'a option -> unit
val print_option_or_default :
  string -> (formatter -> 'a -> unit) -> formatter -> 'a option -> unit
val print_list : 
  (formatter -> unit -> unit) -> 
  (formatter -> 'a -> unit) -> formatter -> 'a list -> unit
val print_list_or_default :
  string -> (formatter -> unit -> unit) -> 
  (formatter -> 'a -> unit) -> formatter -> 'a list -> unit
val print_list_par :
  (Format.formatter -> unit -> 'a) ->
  (Format.formatter -> 'b -> unit) -> Format.formatter -> 'b list -> unit
val print_list_delim :
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> 'b -> unit) -> Format.formatter -> 'b list -> unit

val print_iter1 : 
  (('a -> unit) -> 'b -> unit) ->
  (Format.formatter -> unit -> unit) -> 
  (Format.formatter -> 'a -> unit) -> 
  Format.formatter -> 'b -> unit

val print_iter2: 
  (('a -> 'b -> unit) -> 'c -> unit) ->
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> 'a -> unit) -> 
  (Format.formatter -> 'b -> unit) -> 
  Format.formatter -> 'c -> unit

val print_pair_delim :
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> unit -> unit) ->
  (Format.formatter -> 'a -> unit) -> 
  (Format.formatter -> 'b -> unit) -> Format.formatter -> 'a * 'b -> unit

val print_pair :
  (Format.formatter -> 'a -> unit) -> 
  (Format.formatter -> 'b -> unit) -> Format.formatter -> 'a * 'b -> unit

val space : formatter -> unit -> unit
val alt : formatter -> unit -> unit
val newline : formatter -> unit -> unit
val comma : formatter -> unit -> unit
val simple_comma : formatter -> unit -> unit
val semi : formatter -> unit -> unit
val underscore : formatter -> unit -> unit
val arrow : formatter -> unit -> unit
val lbrace : formatter -> unit -> unit
val rbrace : formatter -> unit -> unit
val lsquare : formatter -> unit -> unit
val rsquare : formatter -> unit -> unit
val lparen : formatter -> unit -> unit
val rparen : formatter -> unit -> unit
val lchevron : formatter -> unit -> unit
val rchevron : formatter -> unit -> unit
val nothing : formatter -> 'a -> unit
val string : formatter -> string -> unit
val int : formatter -> int -> unit
val constant_string : string -> formatter -> unit -> unit
val hov : int -> formatter -> ('a -> unit) -> 'a -> unit

val open_formatter : ?margin:int -> out_channel -> formatter
val close_formatter : formatter -> unit
val open_file_and_formatter : ?margin:int -> string -> out_channel * formatter
val close_file_and_formatter : out_channel * formatter -> unit
val print_in_file_no_close : ?margin:int -> (Format.formatter -> unit) -> string -> out_channel
val print_in_file : ?margin:int -> (Format.formatter -> unit) -> string -> unit
why-2.34/src/typing.mli0000644000175000017500000000574712311670312013436 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s This module realizes type and effect inference *)

open Types
open Ptree
open Ast
open Env

val typef : Label.t -> local_env -> parsed_program -> typed_expr

val check_for_not_mutable : Loc.position -> type_v -> unit

val is_pure_type : type_v -> bool
val is_pure_type_v : type_v -> bool

val type_c_of_typing_info : assertion list -> typing_info -> type_c
val typing_info_of_type_c : 
  Loc.position -> local_env -> label -> type_c -> typing_info

(*
val gmake_node : 
  Loc.position ->
    local_env ->
    label -> (* userlabel *)
    label ->
    ?post:postcondition option ->
    typing_info t_desc ->
    type_v -> Effect.t -> typed_expr
*)

val conj : postcondition option -> postcondition option -> postcondition option


why-2.34/src/pvs.ml0000644000175000017500000005115212311670312012552 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Logic
open Logic_decl
open Types
open Cc
open Misc
open Util
open Ident
open Env
open Format
open Vcg
open Pp


let infix_table = ref Idmap.empty

let () =
  List.iter (fun (id,s) -> infix_table := Idmap.add id s !infix_table)
    [ t_lt, "<" ;
      t_le, "<=";
      t_gt, ">";
      t_ge, ">=";
      t_eq, "=";
      t_neq, "/=";
      t_bool_and, "AND";
      t_bool_or, "OR";
      t_bool_xor, "/=" ;
      t_gt_int_bool, ">";
      t_gt_real_bool, ">";
      t_ge_int_bool, ">=";
      t_ge_real_bool, ">=";
      t_le_int_bool, "<=";
      t_le_real_bool, "<=";
      t_lt_int_bool, "<";
      t_lt_real_bool, "<";
      t_eq_int_bool, "=";
      t_eq_real_bool, "=";
      t_neq_int_bool, "/=";
      t_neq_real_bool, "/=";
      t_lt_int, "<" ;
      t_le_int, "<=";
      t_gt_int, ">";
      t_ge_int, ">=";
      t_eq_int, "=";
      t_neq_int, "/=";
      t_lt_real, "<" ;
      t_le_real, "<=";
      t_gt_real, ">";
      t_ge_real, ">=";
      t_eq_real, "=";
      t_neq_real, "/=";
    ]

let is_infix id = Idmap.mem id !infix_table
	
let infix id = 
  try
    Idmap.find id !infix_table
  with Not_found -> assert false



let prefix_table = ref Idmap.empty

let () =
  List.iter (fun (id,s) -> prefix_table := Idmap.add id s !prefix_table)
    [ t_abs_real, "abs";
      t_real_max, "max";
      t_real_min, "min";
      t_sqrt_real, "sqrt";
    ]

let is_prefix id = Idmap.mem id !prefix_table
	
let prefix id = 
  try
    Idmap.find id !prefix_table
  with Not_found -> assert false


let is_pvs_keyword =
  let ht = Hashtbl.create 50  in
  List.iter (fun kw -> Hashtbl.add ht kw ()) 
    [];
  Hashtbl.mem ht

let leading_underscore s = s <> "" && s.[0] = '_'

let idents fmt s = 
  (* PVS does not expect names to begin with an underscore. *)
  if is_pvs_keyword s || leading_underscore s then
    fprintf fmt "why__%s" s
  else 
    fprintf fmt "%s" s

let ident fmt id = idents fmt (Ident.string id)

let rec filter_phantom_type = function
  | PTexternal (_, id) ->
      not (Hashtbl.mem Options.phantom_types (Ident.string id))
  | PTvar { type_val = Some t} -> filter_phantom_type t   
  | _ -> true

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "real"
  | PTexternal ([pt], id) when id == farray -> 
      fprintf fmt "warray[%a]" print_pure_type pt
  | PTvar { type_val = Some t} -> fprintf fmt "%a" print_pure_type t      
  | PTvar v -> fprintf fmt "A%d" v.tag
  | PTexternal (i, id) -> 
      fprintf fmt "%a%a" ident id print_instance i

and print_instance fmt l = 
  match List.filter filter_phantom_type l with
    | [] -> ()
    | i -> fprintf fmt "[%a]" (print_list comma print_pure_type) i

let print_real = Print_real.print_no_exponent 

let print_term fmt t = 
  let rec print0 fmt = function
    | Tapp (id, [a;b], _) when is_infix id ->
	fprintf fmt "@[(%a %s@ %a)@]" print1 a (infix id) print1 b
    | t -> 
	print1 fmt t
  and print1 fmt = function
    | Tapp (id, [a;b], _) when id == t_add_int || id == t_sub_int ->
	fprintf fmt "@[%a %s@ %a@]" 
	  print1 a (if id == t_add_int then "+" else "-") print2 b
    | Tapp (id, [a;b], _) when id == t_add_real || id == t_sub_real ->
	fprintf fmt "@[%a %s@ %a@]" 
	  print1 a (if id == t_add_real then "+" else "-") print2 b
    | t ->
	print2 fmt t
  and print2 fmt = function
    | Tapp (id, [a;b], _) when id == t_mul_int || id == t_mul_real ->
	fprintf fmt "@[%a *@ %a@]" print2 a print3 b
    | Tapp (id, [a;b], _) when id == t_div_real ->
	fprintf fmt "@[%a /@ %a@]" print2 a print3 b
(*
    | Tapp (id, [a;b], _) when id == t_div_int ->
	fprintf fmt "(@[div(%a,%a)@])" print0 a print0 b
    | Tapp (id, [a;b], _) when id == t_mod_int ->
	fprintf fmt "(@[mod(%a,%a)@])" print0 a print0 b
*)
    | t ->
	print3 fmt t
  and print3 fmt = function
    | Tconst (ConstInt n) -> 
	fprintf fmt "%s" n
    | Tconst (ConstBool b) -> 
	fprintf fmt "%b" b
    | Tconst ConstUnit -> 
	fprintf fmt "unit" 
    | Tconst (ConstFloat f) -> 
	print_real fmt ~prefix_div:false f
    | Tapp (id, [t], _) when id == t_real_of_int ->
	fprintf fmt "%a" print3 t
    | Tderef _ ->
	assert false
    | Tvar id when id == implicit ->
	assert false
    | Tvar id when id == t_zwf_zero ->
	fprintf fmt "zwf_zero"
    | Tvar id ->
	ident fmt id
    | Tapp (id, [a; Tapp (id', [b], _)], _) 
      when id == t_pow_real && id' == t_real_of_int ->
	fprintf fmt "(@[%a@ ^ %a@])" print3 a print3 b
    | Tapp (id, [a;b], _) when id == t_pow_real ->
	fprintf fmt "(@[%a@ ^ %a@])" print3 a print3 b
    | Tapp (id, tl, i) when is_prefix id -> 
	fprintf fmt "%s%a(@[%a@])" 
	  (prefix id) print_instance (List.rev i) (print_list comma print0) tl
    | Tapp (id, [t], _) when id == t_neg_int || id == t_neg_real ->
	fprintf fmt "-%a" print3 t
    | Tapp (id, [t], _) when id == t_bool_not ->
	fprintf fmt "(NOT(%a))" print3 t
    | Tapp (id, [a; b; c], _) when id == if_then_else -> 
	fprintf fmt "(@[IF %a@ THEN %a@ ELSE %a@ ENDIF@])" print0 a print0 b print0 c
    | Tapp (id, _l, _) as t when is_infix id ->
	fprintf fmt "@[%a@]" print0 t
    | Tapp (id, _l, _) as t when is_arith_binop id ->
	fprintf fmt "@[(%a)@]" print0 t
    | Tapp (id, [], i) -> 
	fprintf fmt "%a%a" ident id print_instance (List.rev i)
    | Tapp (id, tl, i) -> 
	fprintf fmt "%a%a(@[%a@])" 
	  ident id print_instance (List.rev i) (print_list comma print0) tl
    | Tnamed(_lab,t) -> print3 fmt t
  in
  print0 fmt t

let print_logic_binder fmt (id,pt) =
  fprintf fmt "%a:%a" ident id print_pure_type pt


let print_predicate fmt p =
  let rec print0 fmt = function
    | Pif (a, b, c) -> 
	fprintf fmt "@[IF "; print_term fmt a; fprintf fmt "@ THEN ";
	print0 fmt b; fprintf fmt "@ ELSE "; print0 fmt c; 
	fprintf fmt " ENDIF@]"
    | Pimplies (_, a, b) -> 
	fprintf fmt "@[("; print1 fmt a; fprintf fmt " IMPLIES@ "; 
	print0 fmt b; fprintf fmt ")@]"
    | Piff (a, b) -> 
	fprintf fmt "@[("; print1 fmt a; fprintf fmt " IFF@ "; 
	print0 fmt b; fprintf fmt ")@]"
    | p -> print1 fmt p
  and print1 fmt = function
    | Por (a, b) -> print1 fmt a; fprintf fmt " OR@ "; print2 fmt b
    | p -> print2 fmt p
  and print2 fmt = function
    | Pand (_, _, a, b) | Forallb (_, a, b) -> 
        print2 fmt a; fprintf fmt " AND@ "; print3 fmt b
    | p -> print3 fmt p
  and print3 fmt = function
    | Ptrue ->
	fprintf fmt "True"
    | Pvar id when id == default_post ->
	fprintf fmt "True"
    | Pfalse ->
	fprintf fmt "False"
    | Pvar id -> 
	ident fmt id
    | Papp (id, tl, _) when id == t_distinct ->
	fprintf fmt "@[(%a)@]" print0 (Util.distinct tl)
    | Papp (id, [t], _) when id == well_founded ->
	fprintf fmt "well_founded?(%a)" print_term t
    | Papp (id, [a;b], _) when id == t_zwf_zero ->
	fprintf fmt "zwf_zero(%a, %a)" print_term a print_term b
    | Papp (id, [a;b], _) when is_int_comparison id || is_real_comparison id ->
	fprintf fmt "@[%a %s@ %a@]" 
	  print_term a (infix id) print_term b
    | Papp (id, [a;b], _) when is_eq id ->
	fprintf fmt "@[%a =@ %a@]" print_term a print_term b
    | Papp (id, [a;b], _) when is_neq id ->
	fprintf fmt "%a /=@ %a" print_term a print_term b
    | Papp (id, l, i) -> 	
	fprintf fmt "%a%a(@[" ident id print_instance (List.rev i);
	print_list (fun fmt () -> fprintf fmt ",@ ") print_term fmt l;
	fprintf fmt "@])"
    | Pnot p -> 
	fprintf fmt "NOT "; print3 fmt p
    | Forall (_,id,n,t,_,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "@[(FORALL (%a: " ident id';
	print_pure_type fmt t; fprintf fmt "):@ ";
	print0 fmt p'; fprintf fmt ")@]"
    | Exists (id,n,t,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[EXISTS (%a: " ident id';
	print_pure_type fmt t; fprintf fmt "):@ ";
	print0 fmt p'; fprintf fmt "@])"
    | Pnamed (_, p) -> (* TODO: print name *)
	print3 fmt p
    | Plet (_, n, _, t, p) ->
	print3 fmt (subst_term_in_predicate n t p)
    | (Por _ | Piff _ | Pand _ | Pif _ | Pimplies _ | Forallb _) as p -> 
	fprintf fmt "(%a)" print0 p
  in
  print0 fmt p

let print_sequent fmt (hyps,concl) =
  let rec print_seq = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "FORALL (%a: %a) :@\n" ident id print_pure_type v;
	print_seq hyps
    | Spred (_,p) :: hyps -> 
	print_predicate fmt p; fprintf fmt " IMPLIES@\n";
	print_seq hyps
  in
  print_seq hyps

let last_theory = ref None

let import_last_theory fmt = match !last_theory with
  | None -> ()
  | Some t -> fprintf fmt "  IMPORTING %s@\n@\n" t

let begin_theory fmt th =
  fprintf fmt "%s: THEORY@\nBEGIN@\n@\n" th;
  fprintf fmt "  %s@\n" Options.pvs_preamble;
  import_last_theory fmt

let begin_sub_theory fmt n th =
  fprintf fmt "%s" th;
  if n > 0 then begin
    fprintf fmt "[";
    for i = 1 to n do fprintf fmt "A%d" i; if i < n then fprintf fmt "," done;
    fprintf fmt ": TYPE]"
  end;
  fprintf fmt ": THEORY@\nBEGIN@\n@\n";
  fprintf fmt "  %s@\n" Options.pvs_preamble;
  import_last_theory fmt
    
let end_theory fmt th =
  fprintf fmt "END %s@\n@\n" th

let print_logic_type fmt = function
  | Predicate [] ->
      fprintf fmt "bool"
  | Predicate pl -> 
      fprintf fmt "[%a -> bool]"
	(print_list comma print_pure_type) pl
  | Function ([], pt) ->
      print_pure_type fmt pt
  | Function (pl, t) -> 
      fprintf fmt "[%a -> %a]"
	(print_list comma print_pure_type) pl print_pure_type t

let declare_type fmt id = 
  fprintf fmt "  @[%a: TYPE+;@]@\n@\n" idents id

let declare_alg_type fmt id cs =
  let print_cargs c fmt pl =
    let cpt = ref 0 in
    let print_carg fmt t =
      incr cpt; fprintf fmt "%s_proj_%i : %a" c !cpt print_pure_type t
    in
    match pl with
    | [] -> ()
    | _  -> fprintf fmt "@[(%a)@]" (print_list comma print_carg) pl
  in
  let cons fmt (c,pl) =
    let c = Ident.string c in
    fprintf fmt "%s%a : %s?" c (print_cargs c) pl c
  in
  fprintf fmt "  @[%s: DATATYPE@\n@[BEGIN@\n%a@]@\nEND %s@]@\n@\n"
    id (print_list newline cons) cs id

let print_logic fmt id t = 
  fprintf fmt "  %%%% Why logic %s@\n" id;
  fprintf fmt "  %a: @[%a@]@\n@\n" idents id print_logic_type t
    
let print_axiom fmt id p =
  fprintf fmt "  @[%%%% Why axiom %s@]@\n" id;
  fprintf fmt "  @[%a: AXIOM@ @[%a@]@]@\n@\n" idents id print_predicate p
    
let print_predicate_def fmt id (bl,p) =
  fprintf fmt "  @[%a(@[%a@]) : bool =@ @[%a@]@]@\n@\n"
    ident id (print_list comma print_logic_binder) bl print_predicate p
    
let print_inductive_def fmt id inddef =
  let (_vars,(bl,cases)) = Env.specialize_inductive_def inddef in
  let newvars = List.map (fun t -> (fresh_var(),t)) bl in
  let body = PredDefExpansor.inductive_inverse_body id newvars cases in
  fprintf fmt "  @[INDUCTIVE %a(@[%a@]) : bool =@ @[%a@]@]@\n@\n"
    ident id (print_list comma print_logic_binder) newvars print_predicate body
    
let print_function_def fmt id (bl,t,e) =
  fprintf fmt "  @[%a(@[%a@]) : %a =@ @[%a@]@]@\n@\n"
    ident id (print_list comma print_logic_binder) bl 
    print_pure_type t print_term e
    
let print_obligation fmt (loc,_is_lemma,_expl,id,s) =
  fprintf fmt "  @[%% %a @]@\n" (Loc.report_obligation_position ~onlybasename:true) loc;
  fprintf fmt "  @[%a: LEMMA@\n" idents id;
  print_sequent fmt s;
  fprintf fmt "@]@\n@\n"
  (*;
  fprintf fmt "@[%% %a @]@\n@\n" Util.print_explanation expl
  *)

(* polymorphism *)

let print_scheme l =
  let r = ref 0 in
  Env.Vmap.iter
    (fun _ x -> 
       incr r;
       x.type_val <- Some (PTvar { tag = !r; user = false; type_val = None }))
    l

let tvar_so_far = ref 0

let print_goal fmt (loc, is_lemma, expl, id, s) =
  let n = Vset.cardinal s.scheme_vars in
  if n > !tvar_so_far then begin
    fprintf fmt "  ";
    for i = !tvar_so_far + 1 to n do
      fprintf fmt "A%d" i; if i < n then fprintf fmt ", "
    done;
    fprintf fmt ": TYPE+;@\n@\n";
    tvar_so_far := n
  end;
  let l,s = Env.specialize_sequent s in
  print_scheme l;
  print_obligation fmt (loc,is_lemma,expl,id,s)

let print_logic_scheme fmt id s =
  let l,t = Env.specialize_logic_type s in
  print_scheme l;
  print_logic fmt id t

let print_axiom_scheme fmt id s =
  let l,a = Env.specialize_predicate s in
  print_scheme l;
  print_axiom fmt id a

type def =
  | DefFunction of function_def scheme
  | DefPredicate of predicate_def scheme
  | DefInductive of inductive_def scheme

let print_def_scheme fmt id = function
  | DefFunction s -> 
      let l,d = Env.specialize_function_def s in
      print_scheme l;
      print_function_def fmt id d
  | DefPredicate s ->
      let l,d = Env.specialize_predicate_def s in
      print_scheme l;
      print_predicate_def fmt id d
  | DefInductive s ->
      let l,_d = Env.specialize_inductive_def s in
      print_scheme l;      
      print_inductive_def fmt id s

let queue = Queue.create ()

let push_decl d = Queue.add d queue

let iter f = Queue.iter f queue

let reset () = Queue.clear queue

let output_elem fmt = function
  | Dtype (_loc, id, []) -> declare_type fmt (Ident.string id)
  | Dtype _ -> assert false
  | Dalgtype [(_loc, id, {scheme_type=([],cs)})] ->
      declare_alg_type fmt (Ident.string id) cs
  | Dalgtype _ -> assert false
  | Dlogic (_loc, id, t) -> print_logic fmt (Ident.string id) t.scheme_type
  | Dpredicate_def (_loc, id, d) -> print_predicate_def fmt id d.scheme_type
  | Dinductive_def(_loc, ident, inddef) -> print_inductive_def fmt ident inddef
  | Dfunction_def (_loc, id, d) -> print_function_def fmt id d.scheme_type
  | Daxiom (_loc, id, p) -> print_axiom fmt id p.scheme_type
  | Dgoal (loc, is_lemma, expl, id, s) -> print_goal fmt (loc, is_lemma, expl, id, s)

module ArMap = struct

  module S = Set.Make(struct type t = int let compare = compare end)

  type 'a t = { mutable keys : S.t; vals : (int, 'a Queue.t) Hashtbl.t }

  let create () = { keys = S.empty; vals = Hashtbl.create 17 }

  let add n x m =
    try 
      Queue.add x (Hashtbl.find m.vals n)
    with Not_found -> 
      let q = Queue.create () in 
      Queue.add x q;
      Hashtbl.add m.vals n q; 
      m.keys <- S.add n m.keys

  let add_scheme s = add (Vset.cardinal s.scheme_vars)

  let importing fmt s m =
    let one fmt n = fprintf fmt "%s%d" s n in
    if not (S.is_empty m.keys) then
      fprintf fmt "  @[IMPORTING %a@]@\n@\n" 
	(print_list comma one) (S.elements m.keys)

  let iter f m = Hashtbl.iter f m.vals

  let print_theories fmt prefix preamble f m =
    Hashtbl.iter
      (fun n q -> 
	let tn = prefix ^ string_of_int n in
	begin_sub_theory fmt n tn;
	preamble ();
	Queue.iter f q;
	end_theory fmt tn) 
      m.vals

end

type pvs_theories = {
  types : (string list * string * (Ident.t * pure_type list) list) ArMap.t;
  decls : (string * logic_type scheme) ArMap.t;
  defs : (string * def) Queue.t;
  axioms : (string * predicate scheme) ArMap.t;
  goals : (loc * bool * Logic_decl.vc_expl * string * sequent scheme) Queue.t;
  mutable poly : bool;
}

let sort_theory () =
  let th = 
    { types = ArMap.create ();
      decls = ArMap.create ();
      defs = Queue.create ();
      axioms = ArMap.create ();
      goals = Queue.create ();
      poly = false }
  in
  let poly s = if not (Vset.is_empty s.scheme_vars) then th.poly <- true in
  let sort = function
    | Dtype (_, id, l) ->
	let n = List.length l in
	if n > 0 then th.poly <- true;
        ArMap.add n (l, Ident.string id, []) th.types
    | Dalgtype [(_, id, { scheme_type = ([], cs) })] ->
        ArMap.add 0 ([], Ident.string id, cs) th.types
    | Dalgtype _ ->
        failwith "PVS: polymorphic algebraic datatypes are not supported"
    | Dlogic (_, id, s) -> 
	poly s; ArMap.add_scheme s (Ident.string id, s) th.decls
    | Dpredicate_def (_, id, s) -> 
	poly s; Queue.add (Ident.string id, DefPredicate s) th.defs
    | Dinductive_def(_loc, ident, inddef) ->
	poly inddef; Queue.add (Ident.string ident, DefInductive inddef) th.defs
    | Dfunction_def (_, id, s) -> 
	poly s; Queue.add (Ident.string id, DefFunction s) th.defs
    | Daxiom (_, id, s) -> 
	poly s; ArMap.add_scheme s (id,s) th.axioms
    | Dgoal (loc, is_lemma, expl, id, s) -> 
	Queue.add (loc,is_lemma,expl,id,s) th.goals
  in
  Queue.iter sort queue;
  th

let output_theory fmt th_name =
  tvar_so_far := 0;
  let th = sort_theory () in
  if th.poly then begin
    (* complex case: there are some polymorphic elements -> several theories *)
    let import_types () = ArMap.importing fmt (th_name ^ "_types") th.types in
    let import_decls () = ArMap.importing fmt (th_name ^ "_decls") th.decls in
    let importing l = 
      if l <> [] then 
	fprintf fmt "  @[IMPORTING %a@]@\n@\n" 
	  (print_list comma pp_print_string) l
    in
    let all_defs = 
      Queue.fold (fun l (id,_) -> (th_name ^ "_" ^ id) :: l) [] th.defs
    in
    let import_defs () = importing all_defs in
    let import_axioms () = ArMap.importing fmt (th_name^"_axioms") th.axioms in
    import_types ();
    import_decls ();
    import_defs ();
    import_axioms ();
    (* goals *)
    Queue.iter (print_goal fmt) th.goals;
    end_theory fmt th_name;
    (* axioms *)
    ArMap.print_theories fmt (th_name ^ "_axioms") 
      (fun () -> import_types (); import_decls (); import_defs ())
      (fun (id,a) -> print_axiom_scheme fmt id a) th.axioms;
    (* defs *)
    let defs_so_far = ref [] in
    Queue.iter 
      (fun (id,def) -> 
	let n = 
	  let vars = match def with 
	    | DefFunction s -> s.scheme_vars
	    | DefInductive s -> s.scheme_vars
	    | DefPredicate s -> s.scheme_vars
	  in
	  Vset.cardinal vars
	in
	let name = th_name ^ "_" ^ id in
	begin_sub_theory fmt n name;
	import_types ();
	import_decls ();
	importing !defs_so_far;
	print_def_scheme fmt (Ident.create id) def;
	end_theory fmt name;
        defs_so_far := name :: !defs_so_far)
      th.defs;
    (* decls *)
    ArMap.print_theories fmt (th_name ^ "_decls") 
      import_types
      (fun (id,t) -> print_logic_scheme fmt id t) th.decls;
    (* types *)
    ArMap.print_theories fmt (th_name ^ "_types") 
      (fun () -> ())
      (function
        | (_,id,[]) -> declare_type fmt id
        | (_,id,cs) -> declare_alg_type fmt id cs) th.types
  end else begin 
    (* simple case: no polymorphism at all -> a single theory *)
    iter (output_elem fmt);
    end_theory fmt th_name
  end

let output_file fwe =
  let sep = "  %% DO NOT EDIT BELOW THIS LINE" in
  let file = fwe ^ "_why.pvs" in
  let th_name = (Filename.basename fwe) ^ "_why" in
  do_not_edit_below ~file
    ~before:(fun fmt -> begin_theory fmt th_name)
    ~sep
    ~after:(fun fmt -> output_theory fmt th_name);
  last_theory := Some th_name
    

why-2.34/src/ltyping.ml0000644000175000017500000004672012311670312013435 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Typing on the logical side *)

open Format
open Options
open Ident
open Logic
open Types
open Ptree
open Ast
open Misc
open Util
open Env
open Error
open Report

let expected_real loc =
  raise_located loc (ExpectedType (fun fmt -> fprintf fmt "real"))

let expected_num loc =
  raise_located loc (ExpectedType (fun fmt -> fprintf fmt "int or real"))

let expected_type loc et =
  raise_located loc (ExpectedType (fun fmt -> print_type_v fmt et))

let rec pure_type env = function
  | PPTint -> PTint
  | PPTbool -> PTbool
  | PPTreal -> PTreal
  | PPTunit -> PTunit
  | PPTvarid (x, _) -> PTvar (find_type_var x env)
  | PPTexternal (p, id, loc) ->
      if not (is_type id) then raise_located loc (UnboundType id);
      let np = List.length p in
      let a = type_arity id in
      if np <> a then raise_located loc (TypeArity (id, a, np));
      PTexternal (List.map (pure_type env) p, id)

(*s Typing predicates *)

let int_cmp = function
  | PPlt -> t_lt_int
  | PPle -> t_le_int
  | PPgt -> t_gt_int
  | PPge -> t_ge_int
  | PPeq -> t_eq_int
  | PPneq -> t_neq_int
  | _ -> assert false

let real_cmp = function
  | PPlt -> t_lt_real
  | PPle -> t_le_real
  | PPgt -> t_gt_real
  | PPge -> t_ge_real
  | PPeq -> t_eq_real
  | PPneq -> t_neq_real
  | _ -> assert false

let other_cmp = function
  | PTbool, PPeq -> t_eq_bool
  | PTbool, PPneq -> t_neq_bool
  | PTunit, PPeq -> t_eq_unit
  | PTunit, PPneq -> t_neq_unit
  | _, PPeq -> t_eq
  | _, PPneq -> t_neq
  | _ -> assert false

let rec occurs v = function
  | PTvar { type_val = Some t } -> occurs v t
  | PTvar { tag = t; type_val = None } -> v.tag = t
  | PTexternal (l, _) -> List.exists (occurs v) l
  | PTint | PTbool | PTunit | PTreal -> false

(* destructive type unification *)
let rec unify t1 t2 = match (t1,t2) with
  | PTvar { type_val = Some t1 }, _ ->
      unify t1 t2
  | _, PTvar { type_val = Some t2 } ->
      unify t1 t2
  | PTvar v1, PTvar v2 when v1.tag = v2.tag ->
      true
  (* instantiable variables *)
  | (PTvar ({user=false} as v), t)
  | (t, PTvar ({user=false} as v)) ->
      not (occurs v t) && (v.type_val <- Some t; true)
  (* recursive types *)
  | (PTexternal(l1,i1), PTexternal(l2,i2)) ->
      i1 = i2 && List.length l1 = List.length l2 &&
      List.for_all2 unify l1 l2
  | (PTexternal _), _
  | _, (PTexternal _) ->
      false
  (* other cases *)
  | (PTunit | PTreal | PTbool | PTint | PTvar {user=true}),
    (PTunit | PTreal | PTbool | PTint | PTvar {user=true}) ->
      t1 = t2

let make_comparison loc (a,ta) r (b,tb) =
  if not (unify ta tb) then
    raise_located loc
      (ExpectedType2
	 ((fun f -> Util.print_pure_type f (normalize_pure_type ta)),
	  (fun f -> Util.print_pure_type f (normalize_pure_type tb))));
  match normalize_pure_type ta, r, normalize_pure_type tb with
  | PTint, (PPlt|PPle|PPgt|PPge|PPeq|PPneq), PTint ->
      Papp (int_cmp r, [a; b], [])
  | PTreal, (PPlt|PPle|PPgt|PPge|PPeq|PPneq), PTreal ->
      Papp (real_cmp r, [a; b], [])
  | (PTbool | PTunit as ta), (PPeq|PPneq), (PTbool | PTunit) ->
      Papp (other_cmp (ta,r), [a; b], [])
  | ta, (PPeq|PPneq), tb ->
      begin match ta, tb with
	| PTint, PTint -> Papp (int_cmp r, [a;b], [])
	| PTreal, PTreal -> Papp (real_cmp r, [a;b], [])
	| _ -> Papp (other_cmp (ta,r), [a; b], [ta])
      end
  | ta, _, _ ->
      raise_located loc (IllegalComparison (fun fmt -> print_pure_type fmt ta))

let int_arith = function
  | PPadd -> t_add_int
  | PPsub -> t_sub_int
  | PPmul -> t_mul_int
  | _ -> assert false

let real_arith = function
  | PPadd -> t_add_real
  | PPsub -> t_sub_real
  | PPmul -> t_mul_real
  | PPdiv -> t_div_real
  | _ -> assert false

let make_arith loc = function
  | (a,t1), (PPadd|PPsub|PPmul as r), (b,t2)
    when unify t1 PTint && unify t2 PTint ->
      Tapp (int_arith r, [a; b], []), PTint
  | (a,t1), (PPadd|PPsub|PPmul|PPdiv as r), (b,t2)
    when unify t1 PTreal && unify t2 PTreal ->
      Tapp (real_arith r, [a; b], []), PTreal
  | _,PPdiv,_ ->
      expected_real loc
  | (_,_t1),_op,(_,_t2) ->
      expected_num loc

let predicate_expected loc =
  raise_located loc (AnyMessage "syntax error: predicate expected")

let term_expected loc =
  raise_located loc (AnyMessage "syntax error: term expected")

let instance _x i =
  let l =
    Vmap.fold
      (fun _ v l ->
	 (match v.type_val with
	    | None -> PTvar v
	    | Some pt -> normalize_pure_type pt) :: l)
      i []
  in
  (*
    eprintf "instance %a[@[%a@]]@."
    Ident.print x (Pp.print_list Pp.comma print_pure_type) l;
  *)
  l

(* match expression handling *)

let match_branches prop gloc loc x ty l =
  let id = match ty with
    | PTexternal (_,id) when Env.is_alg_type id -> id
    | _ -> raise_located loc ShouldBeAlgebraic
  in
  let cs = Env.alg_type_constructors id in
  let check cm ((c,vs,loc),r) =
    if not (List.mem c cs) then raise_located loc
      (ExpectedType (fun f -> print_pure_type f ty));
    if Idmap.mem c cm then raise_located loc (ClashParam c);
    let () = match find_global_logic c with
      | _, Function (pl,_)
        when List.length pl = List.length vs -> ()
      | _, _ -> raise_located loc PartialApp
    in
    if bad_arity vs then raise_located loc PatternBadArity;
    let expr ex = { pp_loc = loc; pp_desc = ex } in
    let r = if not prop then r else
      let al = List.map (fun v -> expr (PPvar v)) vs in
      let hd = PPinfix (x, PPeq, expr (PPapp (c,al))) in
      expr (PPinfix (expr hd, PPand, r))
    in
    let i = ref 1 in
    let proj acc v =
      let pt = PPapp (proj_id c !i, [x]) in
      incr i ; expr (PPlet (v, expr pt, acc))
    in
    Idmap.add c (List.fold_left proj r vs) cm
  in
  let cm = List.fold_left check Idmap.empty l in
  let pick c = try Idmap.find c cm with
    | Not_found -> raise_located gloc (NonExhaustive c)
  in
  let bs = List.map pick cs in
  if not prop then
    { pp_loc = gloc; pp_desc = PPapp (match_id id, x::bs) }
  else
    let rec join = function
      | [b] -> b
      | b::bs -> { pp_loc = gloc; pp_desc = PPinfix (b, PPor, join bs) }
      | _ -> assert false
    in
    join bs

(* typing predicates *)

let rec predicate lab env p =
  desc_predicate p.pp_loc lab env p.pp_desc

and desc_predicate loc lab env = function
  | PPvar x ->
      type_pvar loc env x
  | PPapp (x, pl) when x == t_distinct ->
      let ty = PTvar (Env.new_type_var ()) in
      let each_term a =
	let t,tt = term lab env a in
	if not (unify tt ty) then expected_type a.pp_loc (PureType ty);
	t,tt
      in
      let tl = List.map each_term pl in
      Papp (x, List.map fst tl, [ty])
  | PPapp (x, pl) ->
      type_papp loc env x (List.map (term lab env) pl)
  | PPtrue ->
      Ptrue
  | PPfalse ->
      Pfalse
  | PPconst _ ->
      predicate_expected loc
  | PPinfix (a, PPand, b) ->
      Pand (false, true, predicate lab env a, predicate lab env b)
  | PPinfix (a, PPiff, b) ->
      Piff (predicate lab env a, predicate lab env b)
  | PPinfix (a, PPor, b) ->
      Por (predicate lab env a, predicate lab env b)
  | PPinfix (a, PPimplies, b) ->
      Pimplies (false, predicate lab env a, predicate lab env b)
  | PPinfix
      ({pp_desc = PPinfix (_, (PPlt|PPle|PPgt|PPge|PPeq|PPneq), a)} as p,
       (PPlt | PPle | PPgt | PPge | PPeq | PPneq as r), b) ->
      let q = { pp_desc = PPinfix (a, r, b); pp_loc = loc } in
      Pand (false, true, predicate lab env p, predicate lab env q)
  | PPinfix (a, (PPlt | PPle | PPgt | PPge | PPeq | PPneq as r), b) ->
      make_comparison a.pp_loc (term lab env a) r (term lab env b)
  | PPinfix (_, (PPadd | PPsub | PPmul | PPdiv), _) ->
      predicate_expected loc
  | PPprefix (PPneg, _) ->
      predicate_expected loc
  | PPprefix (PPnot, a) ->
      Pnot (predicate lab env a)
  | PPif (a, b, c) ->
      let ta,tya = term lab env a in
      (match normalize_pure_type tya with
	 | PTbool ->
	     Pif (ta, predicate lab env b, predicate lab env c)
	 | _ ->
	     raise_located a.pp_loc ShouldBeBoolean)
  | PPforall (id, pt, tl, a) ->
      let v = pure_type env pt in
      let env' = Env.add_logic id v env in
      let tl' = triggers lab env' tl in
      let p' = predicate lab env' a in
      forall id (PureType v) ~triggers:tl' p'
  | PPexists (id, pt, a) ->
      let v = pure_type env pt in
      let p = predicate lab (Env.add_logic id v env) a in
      exists id (PureType v) p
  | PPnamed (n, a) ->
      Pnamed (User n, predicate lab env a)
  | PPlet (x, e1, e2) ->
      let t1, ty = term lab env e1 in
      let env = Env.add_logic x ty env in
      plet x ty t1 (predicate lab env e2)
  | PPmatch (e, l) ->
      let t, ty = term lab env e in
      let x = fresh_var () in
      let v = { pp_loc = loc ; pp_desc = PPvar x } in
      let f = match_branches true loc e.pp_loc v ty l in
      let env = Env.add_logic x ty env in
      plet x ty t (predicate lab env f)

and type_pvar loc _env x =
  if is_at x then
    raise_located loc (AnyMessage "predicates cannot be labelled");
  try match snd (find_global_logic x) with
    | Predicate [] -> Pvar x
    | Function _ -> predicate_expected loc
    | _ -> raise_located loc PartialApp
  with Not_found ->
    raise_located loc (UnboundVariable x)

and type_papp loc _env x tl =
  try match find_global_logic x with
    | vars, Predicate at ->
	check_type_args loc at tl;
	Papp (x, List.map fst tl, instance x vars)
    | _ ->
	predicate_expected loc
  with Not_found ->
    raise_located loc (UnboundVariable x)


and term lab env t =
    desc_term t.pp_loc lab env t.pp_desc

and desc_term loc lab env = function
  | PPvar x | PPapp (x, []) ->
      type_tvar loc lab env x
  | PPif (a, b, c) ->
      term lab env { pp_loc = loc; pp_desc = PPapp (if_then_else, [a;b;c]) }
  | PPapp (x, tl) ->
      let tl = List.map (term lab env) tl in
      let ty, i = type_tapp loc env x tl in
      Tapp (x, List.map fst tl, i), ty
  | PPtrue ->
      ttrue, PTbool
  | PPfalse ->
      tfalse, PTbool
  | PPconst c ->
      Tconst c, type_const c
  | PPinfix (a, (PPadd|PPsub|PPmul|PPdiv as r), b) ->
	make_arith loc (term lab env a, r, term lab env b)
  | PPinfix (_, (PPand|PPor|PPiff|PPimplies
		|PPlt|PPle|PPgt|PPge|PPeq|PPneq), _) ->
      term_expected loc
  | PPprefix (PPneg, a) ->
      (match term lab env a with
	 | ta, ty when unify ty PTint -> Tapp (t_neg_int, [ta], []), PTint
	 | ta, ty when unify ty PTreal -> Tapp (t_neg_real, [ta], []), PTreal
	 | _ -> expected_num loc)
  | PPnamed(n, t) ->
      let tt,ty = term lab env t in Tnamed(User n, tt), ty
  | PPlet (x, e1, e2) ->
      let t1, ty1 = term lab env e1 in
      let env = Env.add_logic x ty1 env in
      let t2, ty2 = term lab env e2 in
      tsubst_in_term (subst_one x t1) t2, ty2
  | PPmatch (e, l) ->
      let t, ty = term lab env e in
      let x = fresh_var () in
      let v = { pp_loc = e.pp_loc; pp_desc = PPvar x } in
      let f = match_branches false loc e.pp_loc v ty l in
      let env = Env.add_logic x ty env in
      let f, ty = term lab env f in
      tsubst_in_term (subst_one x t) f, ty
  | PPprefix (PPnot, _) | PPforall _ | PPexists _ ->
      term_expected loc

(* (* dead code *)
and type_if lab env a b c =
  match term lab env a, term lab env b, term lab env c with
    | (ta, PTbool), (tb, tyb), (tc, tyc) ->
	if tyb <> tyc then
	  raise_located c.pp_loc
	    (ExpectedType (fun f -> print_pure_type f tyb));
	Tapp (if_then_else, [ta; tb; tc], []), tyb
    | _ -> raise_located a.pp_loc ShouldBeBoolean
*)

and type_tvar loc lab env x =
  let x,xu =
    if is_at x then begin
      let xu,l = un_at x in
      if not (Label.mem l lab) then raise_located loc (UnboundLabel l);
      if not (is_reference env xu) then
	xu,xu
      else
	x,xu
    end else
      x,x
  in
  try
    let t = find_logic xu env in Tvar x, t
    (*
    let vars,t = find_logic xu env in
    if Vmap.is_empty vars then Tvar x, t else Tapp (x, [], instance x vars), t
    *)
  with Not_found -> try
    match find_global_logic xu with
      | vars, Function ([], t) -> Tapp (x, [], instance x vars), t
      | _ -> raise_located loc MustBePure
  with Not_found ->
    raise_located loc (UnboundVariable xu)


and type_tapp loc _env x tl =
  try match find_global_logic x with
    | vars, Function (at, t) ->
	check_type_args loc at tl; normalize_pure_type t, instance x vars
    | _ ->
	raise_located loc AppNonFunction
  with Not_found ->
    raise_located loc (UnboundVariable x)

and check_type_args loc at tl =
  let rec check_arg = function
    | [], [] ->
	()
    | a :: al, (tb,b) :: bl ->
	if unify a b then
	  check_arg (al, bl)
	else
	  raise_located loc (TermExpectedType ((fun f -> print_term f tb),
					       fun f -> print_pure_type f a))
    | [], _ ->
	raise_located loc TooManyArguments
    | _, [] ->
	raise_located loc PartialApp
  in
  check_arg (at, tl)

and type_const = function
  | ConstInt _ -> PTint
  | ConstBool _ -> PTbool
  | ConstUnit -> PTunit
  | ConstFloat _ -> PTreal

and pattern lab env t =
  match t.pp_desc with
  | PPapp (x, _) ->
      (try match find_global_logic x with
      | _, Function (_, _) ->
	  TPat (fst (term lab env t))
      | _ ->
	  PPat (predicate lab env t)
      with Not_found ->
	raise_located t.pp_loc (UnboundVariable x))
  | PPvar _ | PPinfix (_, (PPadd|PPsub|PPmul|PPdiv), _) ->
      TPat (fst (term lab env t))
  | _ ->
      Report.raise_located t.pp_loc Error.IllformedPattern

and triggers lab env = List.map (List.map (pattern lab env))

(*s Checking types *)

let add_logic_if_pure x v env =  match v with
  | PureType pt | Ref pt -> Env.add_logic x pt env
  | Arrow _ -> env

let type_assert ?(namer=h_name) lab env a =
  { a_value = predicate lab env a.pa_value;
    a_name = namer a.pa_name;
    a_loc = a.pa_loc;
    a_proof = None }

let type_post lab env id v ef (a,al) =
  let lab' = Label.add "" lab in
  let a' =
    let env' = add_logic_if_pure id v env in type_assert lab' env' a
  in
  let xs = Effect.get_exns ef in
  let check_exn (x,a) =
    let loc = a.pa_value.pp_loc in
    if not (is_exception x) then raise_located loc (UnboundException x);
    if not (List.mem x xs) then raise_located loc (CannotBeRaised x)
  in
  List.iter check_exn al;
  let loc = a.pa_value.pp_loc in
  let type_exn_post x =
    try
      let a = List.assoc x al in
      let env' = match find_exception x with
	| None -> env
	| Some pt -> Env.add_logic result pt env
      in
      (x, type_assert lab' env' a)
    with Not_found ->
      wprintf loc "no postcondition for exception %a; false inserted@\n"
	Ident.print x;
      (x, anonymous loc Pfalse)
  in
  (a', List.map type_exn_post xs)

let check_effect loc env e =
  let check_ref id =
    if not (Env.is_ref env id) then raise_located loc (UnboundReference id)
  in
  let check_exn id =
    if not (Env.is_exception id) then raise_located loc (UnboundException id)
  in
  let r,w,x,_ = Effect.get_repr e in
  List.iter check_ref r;
  List.iter check_ref w;
  List.iter check_exn x


(* warns if a ref occuring in a predicate is not mentioned in the effect,
   and adds it as read to the effect *)
let warn_refs loc env p =
  Idset.fold
    (fun id ef ->
       if not (Effect.is_read ef id) then begin
	 wprintf loc "mutable %a is not declared in effect; added as read\n"
	   Ident.print id;
	 if werror then exit 1;
	 Effect.add_read id ef
       end else
	 ef)
    (predicate_refs env p)

let effect e =
  let ef =
    List.fold_left (fun e x -> Effect.add_write x e) Effect.bottom e.pe_writes
  in
  let ef = List.fold_left (fun e x -> Effect.add_read x e ) ef e.pe_reads in
  List.fold_left (fun e x -> Effect.add_exn x e) ef e.pe_raises


let rec type_v loc lab env = function
  | PVpure pt ->
      PureType (pure_type env pt)
  | PVref v ->
      Ref (pure_type env v)
  | PVarrow (bl, c) ->
      let bl',env' = binders loc lab env bl in
      Arrow (bl', type_c loc lab env' c)

and type_c loc lab env c =
  let ef = effect c.pc_effect in
  check_effect loc env ef;
  let v = type_v loc lab env c.pc_result_type in
  let id = c.pc_result_name in
  let p = List.map (type_assert lab env) c.pc_pre in
  let q = option_app (type_post lab env id v ef) c.pc_post in
  let ef = List.fold_right (asst_fold (warn_refs loc env)) p ef in
  let ef = optpost_fold (warn_refs loc env) q ef in
  let s = subst_onev id Ident.result in
  let p = List.map (fun a -> a.a_value) p in
  let q = optpost_app (fun a -> subst_in_predicate s a.a_value) q in
  { c_result_name = c.pc_result_name; c_effect = ef;
    c_result_type = v; c_pre = p; c_post = q }

and binders loc lab env = function
  | [] ->
      [], env
  | (id, v) :: bl ->
      let v = type_v loc lab env v in
      let bl',env' =
	binders loc lab
	  (Env.add id v (add_logic_if_pure id v env)) bl
      in
      (id, v) :: bl', env'

let type_v loc lab env v = make_binders_type_v (type_v loc lab env v)

let type_c loc lab env c = make_binders_type_c (type_c loc lab env c)

let logic_type lt =
  let env = Env.empty_logic () in
  match lt with
  | PPredicate pl ->
      Predicate (List.map (pure_type env) pl)
  | PFunction (pl, t) ->
      Function (List.map (pure_type env) pl, pure_type env t)

let alg_type _id vl td =
  let vls = List.rev_map Ident.string vl in
  let bound x = List.mem (Ident.string x) vls in
  let rec check = function
    | PPTvarid (x, loc) -> if bound x then ()
        else raise_located loc (UnboundType x)
    | PPTexternal (p,_,_) -> List.iter check p
    | _ -> ()
  in
  let () = List.iter (fun (_,_,pl) -> List.iter check pl) td in
  let env = Env.empty_logic () in
  let vs = List.map (fun v -> PTvar (find_type_var v env)) vl in
  let cons (_,c,pl) = (c, List.map (pure_type env) pl) in
  (vs, List.map cons td)

why-2.34/src/ltyping.mli0000644000175000017500000000755112311670312013605 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Typing on the logical side *)

open Logic
open Types
open Ptree
open Ast
open Env

val unify : Logic.pure_type -> Logic.pure_type -> bool

val pure_type : local_env -> ppure_type -> pure_type

val type_v : 
  Loc.position -> Label.t -> local_env -> ptype_v -> type_v

val type_c :
  Loc.position -> Label.t -> local_env -> ptype_c -> type_c

val logic_type : plogic_type -> logic_type

val alg_type : Ident.t -> Ident.t list ->
  (Loc.position * Ident.t * ppure_type list) list ->
    alg_type_def

val predicate : Label.t -> local_env -> lexpr -> predicate

val term : Label.t -> local_env -> lexpr -> term * pure_type

val type_assert : 
  ?namer:(Ident.name -> Ident.t) ->
  Label.t -> local_env -> Ptree.assertion -> assertion

val type_post : 
  Label.t -> local_env -> Ident.t -> type_v -> Effect.t -> 
  Ptree.postcondition -> postcondition

val binders : 
  Loc.position -> Label.t -> local_env -> 
  ptype_v binder list -> 
  type_v binder list * local_env

val instance : Ident.t -> var_subst -> pure_type list

(* errors *)

val expected_real : Loc.position -> 'a

val expected_num : Loc.position -> 'a

val expected_type : Loc.position -> type_v -> 'a

(* instances: the following table contains all closed instances of logical
   symbols that have been used so far. 
   It is later used to generate all monomorphic
   instances of symbols/predicates/axioms in the CVC Lite output. *)
(*
module Instances : Set.S with type elt = pure_type list

val add_instance_if_closed : Ident.t -> pure_type list -> unit
val instances : Ident.t -> Instances.t

val iter_instances : (Ident.t -> pure_type list -> unit) -> unit
*)
why-2.34/src/ocaml.mli0000644000175000017500000000471412311670312013210 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Ocaml code output *)

open Format
open Types
open Env

val push_parameters : Ident.t list -> type_v -> unit

val push_program : Ident.t -> typed_expr -> unit

val output : formatter -> unit

why-2.34/src/mizar.mli0000644000175000017500000000461012311670312013232 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Mizar output *)

open Cc

val reset : unit -> unit

val push_decl : Logic_decl.t -> unit

val output_file : string -> unit
why-2.34/src/typing.ml0000644000175000017500000007330612311670312013261 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Typing. *)

open Format
open Options
open Ident
open Misc
open Ltyping
open Util
open Logic
open Rename
open Types
open Ptree
open Error
open Report
open Ast
open Env 
open Effect

(*s Typing of terms (used to type pure expressions). *)

let type_v_int = PureType PTint
let type_v_bool = PureType PTbool
let type_v_unit = PureType PTunit
let type_v_real = PureType PTreal

let typing_const = function
  | ConstInt _ -> type_v_int
  | ConstBool _ -> type_v_bool
  | ConstUnit -> type_v_unit
  | ConstFloat _ -> type_v_real

(*s Utility functions for typing *)

let expected_cmp loc =
  raise_located loc 
    (ExpectedType (fun fmt -> fprintf fmt "unit, bool, int or real"))

let just_reads e = difference (get_reads e) (get_writes e)

let rec unify_type_v v1 v2 = match (v1,v2) with
  | PureType c1, PureType c2 -> 
      Ltyping.unify c1 c2
  | Ref v1, Ref v2 -> 
      Ltyping.unify v1 v2
  | Arrow (bl1, k1), Arrow (bl2, k2) ->
      let rec unify_bl = function
	| [], [] -> unify_type_v k1.c_result_type k2.c_result_type
	| (_,t1)::bl1, (_,t2)::bl2 -> unify_type_v t1 t2 && unify_bl (bl1,bl2)
	| [], bl2 -> unify_type_v k1.c_result_type (Arrow (bl2, k2))
	| bl1, [] -> unify_type_v (Arrow (bl1, k1)) k2.c_result_type
      in
      unify_bl (bl1,bl2)
  | _ -> 
      false

let type_v_sup loc t1 t2 =
  if not(unify_type_v t1 t2) then raise_located loc BranchesSameType;
  t1

let union3effects x y z = Effect.union x (Effect.union y z)

let decomp_fun_type loc = function
  | Arrow ([x, v], k) ->
      x, v, k
  | Arrow ((x, v) :: bl, k) ->
      x, v, type_c_of_v (Arrow (bl, k))
  | Arrow ([], _) ->
      assert false
  | ty -> 
      Format.eprintf "decomp_fun_type=%a@." print_type_v ty;
      raise_located loc AppNonFunction

let expected_type loc t et =
  if not (unify_type_v t et) then 
    raise_located loc 
      (ExpectedType2 
	  ((fun fmt -> print_type_v fmt t), (fun fmt -> print_type_v fmt et)))

let check_for_alias loc id v = 
  if occur_type_v id v then raise_located loc (Alias id)

let check_for_let_ref loc v =
  if not (is_pure v) then raise_located loc Error.LetRef

let check_for_not_mutable loc v = 
  if is_mutable v then raise_located loc CannotBeMutable

let check_unbound_exn loc =
  let check (x,_) =
    if not (Env.is_exception x) then raise_located loc (UnboundException x)
  in
  List.iter check

(*s Instantiation of polymorphic functions *)

let type_prim idint idreal idbool idunit loc = function
  | PureType pt -> begin match normalize_pure_type pt with
      | PTint -> idint
      | PTbool -> idbool
      | PTreal -> idreal
      | PTunit -> idunit
      | _ -> expected_cmp loc
    end
  | _ -> expected_cmp loc

let type_eq = type_prim t_eq_int_ t_eq_real_ t_eq_bool_ t_eq_unit_
let type_neq = type_prim t_neq_int_ t_neq_real_ t_neq_bool_ t_neq_unit_

let type_num idint idreal loc = function
  | PureType pt -> begin match normalize_pure_type pt with
      | PTint -> 
          if idint == t_div_real_ then
            expected_real loc
          else idint
      | PTreal -> idreal
      | _ -> expected_num loc
    end
  | _ -> expected_num loc

let type_lt = type_num t_lt_int_ t_lt_real_
let type_le = type_num t_le_int_ t_le_real_
let type_gt = type_num t_gt_int_ t_gt_real_
let type_ge = type_num t_ge_int_ t_ge_real_
let type_add = type_num t_add_int t_add_real
let type_sub = type_num t_sub_int t_sub_real
let type_mul = type_num t_mul_int t_mul_real
let type_div = type_num t_div_real_ t_div_real_
let type_neg = type_num t_neg_int t_neg_real

let type_poly id =
  if id == t_eq then type_eq 
  else if id == t_neq then type_neq
  else if id == t_lt then type_lt
  else if id == t_le then type_le 
  else if id == t_gt then type_gt
  else if id == t_ge then type_ge
  else if id == t_add then type_add 
  else if id == t_sub then type_sub
  else if id == t_mul then type_mul
  else if id == t_div then type_div
  else if id == t_neg then type_neg 
  else assert false

let type_un_poly id =
  if id == t_neg then type_neg else assert false

(*s Making nodes *)

let gmake_node loc env userlabel l ?(post=None) p rt e = 
  { desc = p; 
    info = { t_loc = loc; t_env = env; t_label = l; 
	     t_userlabel = userlabel;
	     t_result_name = result; 
	     t_result_type = rt; t_effect = e; t_post = post } }


let bool_constant b loc env =
  gmake_node loc env "" (label_name ()) (Expression (Tconst (ConstBool b)))
    type_v_bool Effect.bottom

let make_arrow_type lab bl k =
  let k = 
    let q = optpost_app (change_label lab "") k.c_post in
    { k with c_post = q }
  in
  make_arrow bl k

let k_add_effects k e = { k with t_effect = Effect.union k.t_effect e }

let type_c_of_typing_info pre ti =
  { c_result_name = ti.t_result_name;
    c_result_type = ti.t_result_type;
    c_effect = ti.t_effect;
    c_pre = a_values pre;
    c_post = optpost_app a_value ti.t_post }

let typing_info_of_type_c loc env l k =
  { t_loc = loc;
    t_env = env;
    t_label = l;
    t_userlabel = "";
    t_result_name = k.c_result_name;
    t_result_type = k.c_result_type;
    t_effect = k.c_effect;
    t_post = optpost_app (post_named loc) k.c_post }

let assume loc env ef p =
  let k = { c_result_name = result; c_result_type = type_v_unit;
	    c_effect = ef; c_pre = []; c_post = Some (p,[]) } in
  gmake_node loc env "" (label_name ()) (Any k) type_v_unit ef

let seq loc env e1 e2 =
  gmake_node loc env "" (label_name ()) (Seq (e1, e2)) (result_type e2)
    (Effect.union (effect e1) (effect e2))

(*s Typing variants. 
    Return the effect i.e. variables appearing in the variant. *)

let state_var loc lab env = function
  | None when termination = Total ->
      raise_located loc 
	(AnyMessage "a variant is required here (since -total is set)")
  | None -> 
      None, Effect.bottom
  | Some (pphi,r) ->
      let phi,tphi = Ltyping.term lab env pphi in
      let ids = term_refs env phi in
      (if termination = Partial then None else Some (pphi.pp_loc,phi,tphi,r)), 
      Effect.add_reads ids Effect.bottom
	
(*s Typing preconditions.
    Return the effect i.e. variables appearing in the precondition. 
    Check existence of labels. *)

let predicates_effect lab env loc pl =
  let state e p =
    let ids = predicate_vars p in
    Idset.fold
      (fun id e ->
	 if is_reference env id then
	   Effect.add_read id e
	 else if is_at id then begin
	   let uid,l = un_at id in
	   if not (Label.mem l lab) then raise_located loc (UnboundLabel l);
	   if is_reference env uid then
	     Effect.add_read uid e
	   else
	     e
	 end else
	   e)
      ids e 
  in
  List.fold_left state Effect.bottom pl

let state_pre lab env loc pl =
  let pl = List.map (type_assert lab env) pl in
  predicates_effect lab env loc (List.map (fun x -> x.a_value) pl), pl

let state_assert lab env loc a =
  let a = type_assert lab env a in
  predicates_effect lab env loc [a.a_value], a

let state_inv lab env loc = function
  | None -> 
      Effect.bottom, None
  | Some i -> 
      let i = type_assert lab env i in
      predicates_effect lab env loc [i.a_value], Some i
	

(*s Typing postconditions.
    Return the effect i.e. variables appearing in the postcondition,
    together with the normalized postcondition (i.e. [x] replaced by [x@]
    whenever [x] is not modified by the program).
    Check existence of labels. *)

let state_post lab env (id,v,ef) loc q =
  check_unbound_exn loc (snd q);
  let q = type_post lab env id v ef q in
  let ids = apost_vars q in
  let ef,q = 
    Idset.fold
      (fun id (e,q) ->
	 if is_reference env id then
	   if is_write ef id then
	     Effect.add_write id e, q
	   else
	     Effect.add_read id e,
	     (let s = subst_in_predicate (subst_onev id (at_id id "")) in
	      post_app (asst_app s) q)
	 else if is_at id then begin
	   let uid,l = un_at id in
	   if l <> "" && not (Label.mem l lab) then 
	     raise_located loc (UnboundLabel l);
	   if is_reference env uid then
	     Effect.add_read uid e, q
	   else
	     raise_located loc (UnboundReference uid)
	 end else
	   e,q)
      ids (Effect.bottom, q)
  in
  ef, q
    
let state_post_option lab env res loc = function
  | None -> 
      Effect.bottom, None
  | Some q ->
      let ef,q = state_post lab env res loc q in
      ef, Some q

(*s Detection of pure functions. *)

let rec is_pure_type_v = function
  | PureType _ -> true
  | Arrow (bl,c) -> List.for_all is_pure_arg bl && is_pure_type_c c
  | Ref _ -> false
and is_pure_arg (_,v) = 
  is_pure_type_v v
and is_pure_type_c c =
  is_pure_type_v c.c_result_type && c.c_effect = Effect.bottom &&
  c.c_pre = [] && c.c_post = None

(*s Types of references and arrays *)

let check_ref_type loc env id =
  try
    deref_type (type_in_env env id)
  with 
    | Not_found -> raise_located loc (UnboundReference id)
    | Invalid_argument _ -> raise_located loc (NotAReference id)
      
let check_array_type loc env id =
  try
    PureType (dearray_type (type_in_env env id))
  with 
    | Not_found -> raise_located loc (UnboundArray id)
    | Invalid_argument _ -> raise_located loc (NotAnArray id)
      
let is_pure_type = function
  | PureType _ -> true
  | _ -> false

let pure_type loc = function
  | PureType pt -> pt
  | _ -> raise_located loc MustBePure

let decompose_app e =
  let rec loop args e = match e.pdesc with
    | Sapp (e1, e2) -> loop (e2 :: args) e1
    | _ -> e, args
  in
  loop [] e

let pdesc loc p = { pdesc = p; ploc = loc }
let sapp loc e1 e2 = { pdesc = Sapp (e1, e2); ploc = loc }
let svar loc v = { pdesc = Svar v; ploc = loc }
let sassume loc p = 
  let a = { pa_name = Anonymous; pa_value = p; pa_loc = loc } in
  let k = { pc_result_name = result; pc_result_type = PVpure PPTunit;
	    pc_effect = { pe_reads = []; pe_writes = []; pe_raises = [] };
	    pc_pre = []; pc_post = Some (a, []) } in
  { pdesc = Sany k; ploc = loc }
let sletin loc v e1 e2 = { pdesc = Sletin (v, e1, e2); ploc = loc }
let sseq loc e1 e2 = { pdesc = Sseq (e1, e2); ploc = loc }

let ppinfix loc l1 i l2 = { pp_loc = loc; pp_desc = PPinfix (l1, i, l2) }
let ppvar loc v = { pp_loc = loc; pp_desc = PPvar v }
let ppconst loc c = { pp_loc = loc; pp_desc = PPconst c }
    
(*s Saturation of postconditions: a postcondition must be set for
    any possibly raised exception *)

let warning_no_post loc x = 
  if not !c_file then begin
    wprintf loc "no postcondition for exception %a; false inserted@\n" 
      Ident.print x;
    if werror then exit 1
  end

let saturation loc e (a,al) =
  let xs = Effect.get_exns e in
  let check (x,_) =
    if not (List.mem x xs) then raise_located loc (CannotBeRaised x);
  in
  List.iter check al;
  let set_post x = 
    try 
      x, List.assoc x al 
    with Not_found -> 
      warning_no_post loc x;
      x, anonymous Loc.dummy_position Pfalse (* default_post *)
  in
  (a, List.map set_post xs)

let conj_assert ({a_value=pa} as a) ({a_value=pb} as b) =
  let loc = Loc.join a.a_loc b.a_loc in
  { a with a_value = pand ~is_wp:true pa pb; a_loc = loc }

let conj q q' = match q, q' with
  | None, _ ->
      q'
  | _, None ->
      q
  | Some (q, ql), Some (q', ql') ->
      assert (List.length ql = List.length ql');
      let conjx (x,a) (x',a') =
	assert (x = x');
	x, 
	if is_default_post a then a' 
	else if is_default_post a' then a 
	else conj_assert a a'
      in
      Some (conj_assert q q', List.map2 conjx ql ql') 

(*s The following flag indicates whether exceptions must be checked 
    as possibly raised in try-with constructs; indeed, this must be disabled
    when computing the effects of a recursive function. *)

let exn_check = ref true
let without_exn_check f x =
  if !exn_check then begin
    exn_check := false; 
    try let y = f x in exn_check := true; y 
    with e -> exn_check := true; raise e
  end else
    f x

(*s Pure expressions. Used in [Slazy_and] and [Slazy_or] to decide
    whether to use [strict_bool_and_] and [strict_bool_or_] or not. *)

let has_no_effect e = 
  let ef = effect e in get_writes ef = [] && get_exns ef = []

let rec is_pure_expr e = 
  has_no_effect e &&
  match e.desc with
  | Var _ | Expression _ -> true
  | If (e1, e2, e3) -> is_pure_expr e1 && is_pure_expr e2 && is_pure_expr e3
  | LetIn (_, e1, e2) -> is_pure_expr e1 && is_pure_expr e2
  | Label (_, e1) | Assertion (_, [], e1) -> is_pure_expr e1
  | AppRef (e1, _, _) | AppTerm (e1, _, _) -> is_pure_expr e1
  | Any _ | Rec _ | Lam _ | Try _ 
  | Raise _ | Post _ | Assertion _ | LetRef _ 
  | Loop _ | Seq _ | Absurd -> false

(*s Typing programs. We infer here the type with effects. 
    [lab] is the set of labels, [env] the environment 
    and [expr] the program. [pre] indicates whether preconditions are true 
    preconditions or obligations *)

let rec typef ?(userlabel="") lab env expr =
  let toplabel = label_name () in
  let loc = expr.ploc in
  let make_node = gmake_node loc env userlabel in
  match expr.pdesc with
  | Sconst c ->
      make_node toplabel (Expression (Tconst c)) (typing_const c) Effect.bottom

  | Svar id ->
      let v = 
	try type_in_env env id 
	with Not_found -> raise_located loc (UnboundVariable id)
      in
      let ef = Effect.bottom in
      if not (is_local env id) &&
	 is_logic_function id && 
	 not (is_pure_type v) 
      then 
	raise_located loc 
	  (AnyMessage "a logic function cannot be partially applied");
      if is_pure_type_v v && not (is_rec id env) then 
	let t,v = 
	  try 
	    let lid = { pp_loc = loc; pp_desc = PPvar id } in
	    let t,v = Ltyping.term lab env lid in
	    t, PureType v
	  with _ -> 
	    Tvar id, v
	in
	make_node toplabel (Expression t) v ef
      else 
	make_node toplabel (Var id) v ef

  | Sderef id ->
      let v = check_ref_type loc env id in
      let ef = Effect.add_read id Effect.bottom in
      make_node toplabel (Expression (Tderef id)) (PureType v) ef

  | Sseq (e1, e2) ->
      let t_e1 = typef lab env e1 in
      expected_type e1.ploc (result_type t_e1) type_v_unit;
      let t_e2 = typef lab env e2 in
      let ef = Effect.union (effect t_e1) (effect t_e2) in
      make_node toplabel (Seq (t_e1, t_e2)) (result_type t_e2) ef
	      
  | Sloop (invopt, var, e) ->
      let var,efphi = state_var loc lab env var in
      let t_e = typef lab env e in
      let efe = t_e.info.t_effect in
      let efinv,invopt = state_inv lab env loc invopt in
      let ef = Effect.union efe (Effect.union efinv efphi) in
      let v = type_v_unit in
      make_node toplabel (Loop (invopt,var,t_e)) v ef
      
  | Slam ([], _, _) ->
      assert false

  | Slam (bl, p, e) ->
      let bl',env' = binders loc lab env bl in
      let (ep,p') = state_pre lab env' loc p in
      let t_e = typef lab env' e in
      check_for_not_mutable e.ploc t_e.info.t_result_type;
      let info = k_add_effects t_e.info ep in
      let t_e = { t_e with info = info } in
      let k = type_c_of_typing_info p' info in
      let v = make_arrow_type t_e.info.t_label bl' k in
      let ef = Effect.bottom in
      make_node toplabel (Lam (bl',p',t_e)) v ef

  | Sapp _ ->
      let f,args = decompose_app expr in
      (* 1. if f is a polymorphic symbol, find its type using first arg. *)
      let f = match f.pdesc with
	| Svar x when is_poly x ->
	    begin match args with
	      | a :: _ ->
		  let t_a = typef lab env a in
		  let eq = type_poly x a.ploc (result_type t_a) in
		  { f with pdesc = Svar eq }
	      | [] ->
		  assert false
		  (* the parser ensures the presence of an argument *)
	    end
	| _ ->
	    f
      in
      (* 2. typing the function f *)
      let t_f, tyf = match f.pdesc with
	| Svar x when is_logic_function x && not (is_local env x) ->
	    begin match find_global_logic x with
	      | vars, Function (tl,tr) ->
		  (* TODO: check number of args *)
		  let v = type_v_of_logic tl tr in
		  let i = instance x vars in
		  make_node 
		    toplabel (Expression (Tapp (x, [], i))) v Effect.bottom, v
	      | _, Predicate _ ->
		  assert false
	    end
	| _ ->
	    let tf = typef lab env f in
	    tf, result_type tf
      in
      (* 3. typing the arguments *)
      let rec loop_args t_f tyf = function
	| [] ->
	    t_f
	| a :: ra ->
	    let x,tx,kapp = decomp_fun_type loc tyf in
	    begin match tx with
   	    (* the function expects a mutable; it must be a variable *)
            | Ref _ -> begin match a.pdesc with
		| Svar r ->
		    let v = 
		      try 
			type_in_env env r 
		      with Not_found -> 
			raise_located a.ploc (UnboundVariable r)
		    in
		    expected_type a.ploc v tx;
		    check_for_alias a.ploc r tyf;
		    let kapp = type_c_subst (subst_onev x r) kapp in
		    let (_,tapp),eapp,papp,_ = decomp_type_c kapp in
		    let kapp = typing_info_of_type_c loc env toplabel kapp in
		    let ef = Effect.union (effect t_f) eapp in
		    let t_f = 
		      let make ?post n = 
			make_node (label_name ()) ?post n tapp ef 
		      in
		      make (Assertion
			      (`PRE, 
			       List.map (pre_named loc) papp,
			       make ~post:kapp.t_post (AppRef (t_f, r, kapp))))
		    in
		    loop_args t_f (result_type t_f) ra
		| _ ->
		    raise_located a.ploc ShouldBeVariable
	      end
	    (* otherwise (the argument is not a reference) *)
	    | _ -> 
		let t_a = typef lab env a in
		expected_type a.ploc (result_type t_a) tx;
		begin match t_a with
		(* argument is pure: it is substituted *)
(***
   	        | { desc = Expression ta } when post t_a = None ->
		    let kapp = type_c_subst_oldify env x ta kapp in
		    let _,_,papp,_ = decomp_type_c kapp in
		    let kapp = typing_info_of_type_c loc env toplabel kapp in
		    let (_,tapp),eapp,_ = decomp_kappa kapp in
		    let ef = union3effects (effect t_a) (effect t_f) eapp in
		    let t_f = match t_f with
		      (* collapse: (term(tf) term(ta)) --> term(tf ta) *)
		      | { desc = Expression tf } when post t_f = None -> 
			  let l = label_name () in
			  make_node l (Expression (applist tf [ta])) tapp ef
		      | _ -> 
			  let make ?post n = 
			    make_node (label_name ()) ?post n tapp ef 
			  in
			  make 
			    (Assertion 
			       (`PRE,
				List.map (pre_named loc) papp,
				make 
				  ~post:kapp.t_post (AppTerm (t_f, ta, kapp))))
		    in
		    loop_args t_f (result_type t_f) ra
***)
 	        (* otherwise we transform into [let v = arg in (f v)] *)
		| _ ->
		    let _,eapp,_,_ = decomp_type_c kapp in
		    let v = fresh_var () in
		    let kapp = type_c_subst (subst_onev x v) kapp in
		    let _,_,papp,_ = decomp_type_c kapp in
		    let label_f_v = label_name () in
		    let kapp = typing_info_of_type_c loc env label_f_v kapp in
		    let env' = Env.add v tx env in
		    let app_f_v = match t_f with
		      | { desc = Expression tf } when post t_f = None -> 
			  Expression (applist tf [Tvar v])
		      | _ -> 
			  AppTerm (t_f, Tvar v, kapp) 
		    in
		    let kfv = k_add_effects kapp (effect t_f) in
		    let app_f_v = 
		      gmake_node loc env' userlabel label_f_v app_f_v  
			~post:kfv.t_post kfv.t_result_type kfv.t_effect
		    in
		    let app = loop_args app_f_v (result_type app_f_v) ra in
		    let tapp = result_type app in
		    if occur_type_v v tapp then
		      raise_located a.ploc TooComplexArgument;
		    let ef = union3effects (effect app) (effect t_f) eapp in
		    let ef' = Effect.union ef (effect t_a) in
		    let make n = make_node (label_name ()) n tapp ef' in
		    make 
		      (LetIn (v, t_a, 
			      let make n = 
				gmake_node loc env' userlabel (label_name ()) n tapp ef
			      in
			      make (Assertion 
				      (`PRE,
				       List.map (pre_named loc) papp, 
				       app))))
		end
	    end
      in
      loop_args t_f tyf args
     
  | Sletref (x, e1, e2) ->
      if is_ref env x then raise_located loc (ClashRef x);
      let t_e1 = typef lab env e1 in
      let ef1 = t_e1.info.t_effect in
      let v1 = pure_type loc t_e1.info.t_result_type in
      let env' = add x (Ref v1) env in
      let t_e2 = typef lab env' e2 in
      let ef2 = t_e2.info.t_effect in
      let v2 = t_e2.info.t_result_type in
      check_for_let_ref loc v2;
      let ef = Effect.union ef1 (Effect.remove x ef2) in
      make_node toplabel (LetRef (x, t_e1, t_e2)) v2 ef
	
  | Sletin (x, e1, e2) ->
      let t_e1 = typef lab env e1 in
      let ef1 = t_e1.info.t_effect in
      let v1 = t_e1.info.t_result_type in
      check_for_not_mutable e1.ploc v1;
      let env' = add ~generalize:true x v1 env in
      let t_e2 = typef lab env' e2 in
      let ef2 = t_e2.info.t_effect in
      let v2 = t_e2.info.t_result_type in
      let ef = Effect.union ef1 ef2 in
      make_node toplabel (LetIn (x, t_e1, t_e2)) v2 ef
	    
  | Sif (b, e1, e2) ->
      let t_b = typef lab env b in
      expected_type b.ploc (result_type t_b) type_v_bool;
      let t_e1 = typef lab env e1
      and t_e2 = typef lab env e2 in
      let t1 = t_e1.info.t_result_type in
      let t2 = t_e2.info.t_result_type in
      let ef = union3effects (effect t_b) (effect t_e1) (effect t_e2) in
      let v = type_v_sup loc t1 t2 in
      make_node toplabel (If (t_b, t_e1, t_e2)) v ef

  | Slazy_and (e1, e2) ->
      let t_e1 = typef lab env e1 in
      expected_type e1.ploc (result_type t_e1) type_v_bool;
      let t_e2 = typef lab env e2 in
      expected_type e2.ploc (result_type t_e2) type_v_bool;
      if not split_bool_op && is_pure_expr t_e2 then
	(* we build strict_bool_and_(e1, e2)
	   TODO:  avoid typing e1 and e2 twice *)
	let d = sapp loc (sapp loc (svar loc strict_bool_and_) e1) e2 in
	(* we build let v = e1 in strict_bool_and_ v1 (assume v1=true; e2)
	let v = fresh_var () in
	let p = 
	  ppinfix loc (ppvar loc v) PPeq (ppconst loc (ConstBool true)) 
	in
	let d = 
	  sletin loc v e1 
	    (sapp loc (sapp loc (svar loc strict_bool_and_) (svar loc v)) 
		(sseq loc (sassume loc p) e2))
	in
	*)
	typef lab env d
      else
	let ef = union (effect t_e1) (effect t_e2) in
	let bool_false = bool_constant false loc env in
	make_node toplabel (If (t_e1, t_e2, bool_false)) type_v_bool ef

  | Slazy_or (e1, e2) ->
      let t_e1 = typef lab env e1 in
      expected_type e1.ploc (result_type t_e1) type_v_bool;
      let t_e2 = typef lab env e2 in
      expected_type e2.ploc (result_type t_e2) type_v_bool;
      if not split_bool_op && is_pure_expr t_e2 then
	(* we build strict_bool_or_(e1, e2)
	   TODO:  avoid typing e1 and e2 twice *)
	let d = sapp loc (sapp loc (svar loc strict_bool_or_) e1) e2 in
	typef lab env d
      else
	let ef = union (effect t_e1) (effect t_e2) in
	let bool_true = bool_constant true loc env in
	make_node toplabel (If (t_e1, bool_true, t_e2)) type_v_bool ef

  | Snot e1 -> 
      let t_e1 = typef lab env e1 in
      expected_type e1.ploc (result_type t_e1) type_v_bool;
      if not split_bool_op then
	let d = sapp loc (svar loc bool_not_) e1 in
	typef lab env d
      else
	let bool_false = bool_constant false loc env in
	let bool_true = bool_constant true loc env in
	let d = If (t_e1, bool_false, bool_true) in
	make_node toplabel d type_v_bool (effect t_e1)

  | Srec (f,bl,v,var,p,e) ->
      let loc_e = e.ploc in
      let bl',env' = binders loc lab env bl in
      let (ep,p') = state_pre lab env' loc p in
      let v = type_v loc lab env' v in
      let var, efvar = state_var loc lab env' var in
      (* e --> let vphi0 = phi in e *)
      let varinfo,env' = match var with
	| None -> 
	    None, env'
	| Some (_loc,phi,tphi,r) ->
	    let vphi0 = variant_name () in
	    let tphi = PureType tphi in
	    let env' = Env.add vphi0 tphi env' in
	    let decphi = Papp (r, [phi; Tvar vphi0], []) in
	    Some (vphi0,phi,tphi,decphi), env'
      in
      (* effects for a let/rec construct are computed as a fixpoint *)
      let type_body c =
	let c = match varinfo with
	  | None -> c
	  | Some (_,_,_,decphi) -> { c with c_pre = decphi :: c.c_pre } 
	in
	let tf = make_arrow bl' c in
	let env'' = add_rec f (add f tf env') in
	typef lab env'' e
      in
      let fixpoint_reached c1 c2 =
	c1.c_effect = c2.c_effect && 
        List.length c1.c_pre = List.length c2.c_pre &&
        (match c1.c_post, c2.c_post with 
         | None, None | Some _, Some _ -> true | _ -> false)
      in
      let rec fixpoint c =
	let t_e = type_body c in
	let info = k_add_effects t_e.info ep in
	let k_e = type_c_of_typing_info p' info in
	if fixpoint_reached k_e c then
	  t_e
      	else begin
	  if_debug_3 
	    eprintf "  (rec => %a)@\n@?" print_typing_info t_e.info;
	  fixpoint k_e
      	end
      in 
      let c0 = { c_result_name = result; c_result_type = v;
		 c_effect = efvar; c_pre = []; c_post = None } in
      (* fixpoint, without check *)
      let t_e = without_exn_check fixpoint c0 in
      (* once again, with checks *)
      let info = k_add_effects t_e.info ep in
      let t_e = type_body (type_c_of_typing_info p' info) in
      let tf = make_arrow bl' (type_c_of_typing_info p' t_e.info) in
      let t_e = match varinfo with
	| Some (vphi0,phi,tphi,_) ->
	    let mk_node_e = gmake_node loc_e env' "" in
	    mk_node_e (label_name ()) 
	      (LetIn 
		 (vphi0,
		  mk_node_e (label_name ()) (Expression phi) tphi efvar,
		  t_e))
	      (result_type t_e) (Effect.union efvar (effect t_e))
	| None ->
	    t_e
      in
      make_node toplabel (Rec (f,bl',v,var,p',t_e)) tf Effect.bottom

  | Sraise (id, e, ct) ->
      if not (is_exception id) then raise_located loc (UnboundException id);
      let t_e, ef = match find_exception id , e with
	| None, Some _ -> 
	    raise_located loc (ExceptionArgument (id, false))
	| Some _, None ->
	    raise_located loc (ExceptionArgument (id, true))
	| Some xt, Some e ->
	    let t_e = typef lab env e in
	    expected_type e.ploc (result_type t_e) (PureType xt);
	    Some t_e, effect t_e
	| None, None -> 
	    None, Effect.bottom
      in
      let v = match ct with 
	| None -> PureType (PTvar (new_type_var ()))
	| Some v -> type_v loc lab env v
      in
      make_node toplabel (Raise (id, t_e)) v (Effect.add_exn id ef)

  | Stry (e, hl) ->
      let te = typef lab env e in
      let v = result_type te in
      let ef = effect te in
      let xs = get_exns ef in
      let ef = List.fold_left (fun e ((x,_),_) -> remove_exn x e) ef hl in
      let type_handler ((x,a),h) =
	if not (is_exception x) then raise_located loc (UnboundException x);
	if not (List.mem x xs) && !exn_check then 
	  raise_located e.ploc (CannotBeRaised x);
	let env' = match a, find_exception x with 
	  | None, None -> env 
	  | Some v, Some tv -> Env.add v (PureType tv) env
	  | None, Some _ -> raise_located loc (ExceptionArgument (x, true))
	  | Some _, None -> raise_located loc (ExceptionArgument (x, false))
	in
	let th = typef lab env' h in
	expected_type h.ploc (result_type th) v;
	((x,a), th)
      in
      let thl = List.map type_handler hl in
      let ef = List.fold_left (fun e (_,th) -> union e (effect th)) ef thl in
      make_node toplabel (Try (te, thl)) v ef

  | Sabsurd ct -> 	    
      let v = match ct with 
	| None -> PureType (PTvar (new_type_var ()))
	| Some v -> type_v loc lab env v
      in
      let absurd = make_node (label_name ()) Absurd v Effect.bottom in
      make_node toplabel 
	(Assertion (`ABSURD,[anonymous loc Pfalse], absurd)) v Effect.bottom

  | Sany c ->
      let c = type_c loc lab env c in
      make_node toplabel (Any c) c.c_result_type c.c_effect

  | Spost (e, q, tr) ->
      let t_e = typef lab env e in
      let v = t_e.info.t_result_type in
      let e = t_e.info.t_effect in
      let (eq,q) = state_post lab env (result,v,e) loc q in
      let q = saturation loc e q in
      let e' = Effect.union e eq in
      let d = Post (t_e, q, tr) in
      gmake_node loc env userlabel toplabel d v e' ~post:(Some q)

  | Sassert (kind,p, e) ->
      let ep,p = state_pre lab env loc p in
      let t_e = typef lab env e in
      let ef = Effect.union (effect t_e) ep in
      make_node toplabel (Assertion ((kind :> Ast.assert_kind),p, t_e)) (result_type t_e) ef

  | Slabel (s, e) ->
      if (Label.mem s lab) then raise_located loc (ReboundLabel s);
      let lab' = Label.add s lab in
      let t_e = typef ~userlabel:s lab' env e in
      make_node toplabel (Label (s, t_e)) (result_type t_e) (effect t_e)

let typef = typef ~userlabel:""
why-2.34/src/pp.ml0000644000175000017500000001202012311670312012350 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Pretty-print library *)

open Format

let print_option f fmt = function
  | None -> ()
  | Some x -> f fmt x

let print_option_or_default default f fmt = function
  | None -> fprintf fmt "%s" default
  | Some x -> f fmt x

let rec print_list sep print fmt = function
  | [] -> ()
  | [x] -> print fmt x
  | x :: r -> print fmt x; sep fmt (); print_list sep print fmt r

let print_list_or_default default sep print fmt = function
  | [] -> fprintf fmt "%s" default
  | l -> print_list sep print fmt l

let print_list_par sep pr fmt l =
  print_list sep (fun fmt x -> fprintf fmt "(%a)" pr x) fmt l

let print_iter1 iter sep print fmt l =
  let first = ref true in
  iter (fun x -> 
          if !first
          then first := false
          else sep fmt (); 
          print fmt x ) l

let print_iter2 iter sep1 sep2 print1 print2 fmt l =
  let first = ref true in
  iter (fun x y -> 
          if !first
          then first := false
          else sep1 fmt (); 
          print1 fmt x;sep2 fmt (); print2 fmt y) l


let print_list_delim start stop sep pr fmt = function
  | [] -> ()
  | l -> fprintf fmt "%a%a%a" start () (print_list sep pr) l stop ()

let print_pair_delim start sep stop pr1 pr2 fmt (a,b) =
  fprintf fmt "%a%a%a%a%a" start () pr1 a sep () pr2 b stop ()

let comma fmt () = fprintf fmt ",@ "
let simple_comma fmt () = fprintf fmt ", "
let underscore fmt () = fprintf fmt "_"
let semi fmt () = fprintf fmt ";@ "
let space fmt () = fprintf fmt " "
let alt fmt () = fprintf fmt "|@ "
let newline fmt () = fprintf fmt "@\n"
let arrow fmt () = fprintf fmt "@ -> "
let lbrace fmt () = fprintf fmt "{"
let rbrace fmt () = fprintf fmt "}"
let lsquare fmt () = fprintf fmt "["
let rsquare fmt () = fprintf fmt "]"
let lparen fmt () = fprintf fmt "("
let rparen fmt () = fprintf fmt ")"
let lchevron fmt () = fprintf fmt "<"
let rchevron fmt () = fprintf fmt ">"
let nothing _fmt _ = ()
let string fmt s = fprintf fmt "%s" s
let int fmt i = fprintf fmt "%d" i
let constant_string s fmt () = string fmt s

let print_pair pr1 = print_pair_delim lparen comma rparen pr1

let hov n fmt f x = pp_open_hovbox fmt n; f x; pp_close_box fmt ()

let open_formatter ?(margin=78) cout =
  let fmt = formatter_of_out_channel cout in
  pp_set_margin fmt margin;
  pp_open_box fmt 0; 
  fmt

let close_formatter fmt = 
  pp_close_box fmt ();
  pp_print_flush fmt ()

let open_file_and_formatter ?(margin=78) f =
  let cout = open_out f in
  let fmt = open_formatter ~margin cout in
  cout,fmt

let close_file_and_formatter (cout,fmt) =
  close_formatter fmt;
  close_out cout

let print_in_file_no_close ?(margin=78) p f =
  let cout,fmt = open_file_and_formatter ~margin f in
  p fmt;
  close_formatter fmt;
  cout

let print_in_file ?(margin=78) p f =
  let cout = print_in_file_no_close ~margin p f in
  close_out cout


why-2.34/src/logic_decl.mli0000644000175000017500000000701312311670312014174 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Logical declarations. 
    This is what is sent to the various provers (see main.ml and the provers
    interfaces). *)

open Cc
open Logic

type loc = Loc.floc
type 'a scheme = 'a Env.scheme

type expl_kind = 
  | EKAbsurd
  | EKAssert
  | EKCheck
  | EKLoopInvInit of string
  | EKLoopInvPreserv of string
  | EKPost
  | EKPre of string
  | EKOther of string
  | EKVarDecr
  | EKWfRel 
  | EKLemma
      
type vc_expl =
    { lemma_or_fun_name : string;
      behavior : string;
      vc_loc : Loc.floc;
      vc_kind : expl_kind;
      vc_label : string option
    }

type obligation = Loc.floc * bool * vc_expl * string * sequent
    (* loc, is_lemma, explanation, id, sequent *) 

type t =
  | Dtype          of loc * Ident.t * string list
  | Dalgtype       of (loc * Ident.t * alg_type_def scheme) list
  | Dlogic         of loc * Ident.t * logic_type scheme
  | Dpredicate_def of loc * Ident.t * predicate_def scheme
  | Dinductive_def of loc * Ident.t * inductive_def scheme
  | Dfunction_def  of loc * Ident.t * function_def scheme
  | Daxiom         of loc * string * predicate scheme
  | Dgoal          of loc * bool * vc_expl * string * sequent scheme
      (* bool is true when goal is a lemma, that is it must be present
      in the context of the next goals *)
why-2.34/src/regen.ml0000644000175000017500000001510012311670312013033 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* files partly edited and partly regenerated *)

open Format
open Options
open Cc
open Logic
open Vcg
open Misc

type element_kind = 
  | Param
  | Oblig
  | Prog
  | Valid (* obsolete but helps porting from old versions *)
  | Lg
  | Ax
  | Pr
  | Ind
  | Fun
  | Ty

type element_id = element_kind * string

type element = 
  | Parameter of string * cc_type
  | Program of string * cc_type * cc_functional_program
  | Obligation of Loc.floc * bool * Logic_decl.vc_expl * string * sequent Env.scheme
  | Logic of string * logic_type Env.scheme
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme
  | Inductive of string * inductive_def Env.scheme
  | Function of string * function_def Env.scheme
  | AbstractType of string * string list
  | AlgebraicType of (string * alg_type_def Env.scheme) list

module type S = sig
 
  (* how to print and reprint elements *)
  val print_element : formatter -> element -> unit
  val reprint_element : formatter -> element -> unit

  (* regexp to recognize obligations locations (as comments) *)
  val re_oblig_loc : Str.regexp

  (* what to print at the beginning of file when first created *)
  val first_time : formatter -> unit

  (* what to print at the end of file when first created *)
  val first_time_trailer : formatter -> unit

  (* how to recognize the end of an element to erase / overwrite *)
  val not_end_of_element : element_id -> string -> bool

end

module Make(X : S) = struct

  let print_element_kind fmt = function
    | Param, s -> fprintf fmt "parameter %s" s
    | Prog, s -> fprintf fmt "program %s" s
    | Oblig, s -> fprintf fmt "obligation %s" s
    | Valid, s -> fprintf fmt "validation %s" s
    | Lg, s -> fprintf fmt "logic %s" s
    | Ax, s -> fprintf fmt "axiom %s" s
    | Pr, s -> fprintf fmt "predicate %s" s
    | Ind, s -> fprintf fmt "inductive %s" s
    | Fun, s -> fprintf fmt "function %s" s
    | Ty, s -> fprintf fmt "type %s" s

  let elem_t = Hashtbl.create 97 (* maps [element_id] to [element] *)
  let elem_q = Queue.create ()   (* queue of [element_id * element] *)
		 
  let add_elem ek e = Queue.add (ek,e) elem_q; Hashtbl.add elem_t ek e
    
  let reset () = Queue.clear elem_q; Hashtbl.clear elem_t

  let regexps = ref []
		  
  let add_regexp r k = regexps := (Str.regexp r, k) :: !regexps

  type line_kind =
    | Obligation_location
    | Element of (element_kind * string)
    | Other

  let check_line s =
    let rec test = function
      | [] -> 
	  Other
      | (r, k) :: l ->
	  if Str.string_match r s 0 then 
	    Element (k, Str.matched_group 1 s) 
	  else 
	    test l
    in
    if Str.string_match X.re_oblig_loc s 0 then 
      Obligation_location
    else
      test !regexps
	
  let regen oldf fmt =
    let cin = open_in oldf in
    let rec scan () =
      let s = input_line cin in
      match check_line s with
	| Other -> 
	    fprintf fmt "%s@\n" s;
	    scan ()
	| Obligation_location ->
	    scan ()
	| Element e ->
	    if Hashtbl.mem elem_t e then begin
	      if verbose then eprintf "overwriting %a@." print_element_kind e;
	      print_up_to e
	    end else
	      if verbose then eprintf "erasing %a@." print_element_kind e;
	    if X.not_end_of_element e s then skip_element e;
	    scan ()
    and skip_element e =
      let s = input_line cin in
      if X.not_end_of_element e s then skip_element e
    and tail () = 
      fprintf fmt "%c" (input_char cin); tail () 
    and print_up_to e =
      let (e',ee) = Queue.take elem_q in
      Hashtbl.remove elem_t e'; 
      if e = e' then 
	X.reprint_element fmt ee 
      else begin
	X.print_element fmt ee; print_up_to e
      end
    in
    begin
      try scan () with End_of_file -> 
      try tail () with End_of_file -> close_in cin
    end;
    Queue.iter (fun (_,e) -> X.print_element fmt e) elem_q

  let first_time fmt =
    X.first_time fmt;
    Queue.iter (fun (_,e) -> X.print_element fmt e) elem_q;
    X.first_time_trailer fmt

  let output_file ?(margin=78) f =
    if Sys.file_exists f then begin
      let fbak = f ^ ".bak" in
      if Sys.file_exists fbak then Sys.remove fbak;
      Sys.rename f fbak; 
      if_verbose_3 eprintf "*** re-generating file %s (backup in %s)@." f fbak;
      Pp.print_in_file ~margin (regen fbak) f
    end else begin
      if_verbose_2 eprintf "*** generating file %s@." f;
      Pp.print_in_file ~margin first_time f
    end

end
why-2.34/src/loc.mli0000644000175000017500000000622712311670312012673 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format

(*s Line number for an absolute position *)

val report_line : formatter -> Lexing.position -> unit

(* Lexing positions *)

type position = Lexing.position * Lexing.position

exception Located of position * exn

val string : position -> string
val parse : string -> position

val dummy_position : position

type floc = string * int * int * int

val dummy_floc : floc

val extract :  position -> floc
val gen_report_line : formatter -> floc -> unit
val gen_report_position : formatter -> position -> unit
val report_position : formatter -> position -> unit
val report_obligation_position : ?onlybasename:bool -> formatter -> floc -> unit


(* for both type [t] and [position] *)

val join : 'a * 'b -> 'a * 'b -> 'a * 'b

val current_offset : int ref
val reloc : Lexing.position -> Lexing.position

(* Identifiers localization *)

val add_ident : string -> floc -> unit
val ident : string -> floc
why-2.34/src/env.ml0000644000175000017500000005672512311670312012545 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Ident
open Misc
open Types
open Ast
open Logic
open Error
open Report
open Cc

module StringMap = Map.Make(String)
module StringSet = Set.Make(String)

(* generalization *)

module TypeVar = struct
  type t = type_var
  let compare v1 v2 = compare v1.tag v2.tag 
end
module Vset = Set.Make(TypeVar)
module Vmap = Map.Make(TypeVar)
type var_subst = type_var Vmap.t

type 'a scheme = { scheme_vars : Vset.t; scheme_type : 'a }

let empty_scheme t = { scheme_vars = Vset.empty ; scheme_type = t }

let rec find_pure_type_vars env t =
  match t with
    | PTvar ({ type_val = None } as v) -> 
	Vset.add v env
    | PTvar { type_val = Some t } ->
	find_pure_type_vars env t
    | PTexternal(l,_id) ->
	List.fold_left find_pure_type_vars env l
    | PTint | PTreal | PTbool | PTunit -> 
	env

let find_logic_type_vars t =
  match t with
    | Function(tl,tr) ->
	let env = find_pure_type_vars Vset.empty tr in
	List.fold_left find_pure_type_vars env tl
    | Predicate(tl) ->
	List.fold_left find_pure_type_vars Vset.empty tl

let rec find_type_v_vars acc t =
  match t with
    | Ref t | PureType t -> find_pure_type_vars acc t
    | Arrow(bl,c) ->
	let acc = find_type_c_vars acc c in
	List.fold_left find_binder_vars acc bl
and find_type_c_vars acc c = find_type_v_vars acc c.c_result_type
and find_binder_vars acc (_,t) = find_type_v_vars acc t


let generalize_logic_type t =
  let l = find_logic_type_vars t in
  { scheme_vars = l ; scheme_type = t }

let generalize_alg_type t =
  let vs,cs = t in
  let pls = List.map (fun (_,pl) -> pl) cs in
  let act = List.fold_left find_pure_type_vars in
  let l = List.fold_left act Vset.empty (vs::pls) in
  { scheme_vars = l ; scheme_type = t }

let rec find_term_vars acc = function
  | Tconst _
  | Tvar _
  | Tderef _ ->
      acc
  | Tapp (_, tl, i) ->
      List.fold_left find_term_vars 
	(List.fold_left find_pure_type_vars acc i) tl
  | Tnamed(_,t) -> find_term_vars acc t

let rec find_pattern_vars acc = function
  | TPat t -> find_term_vars acc t
  | PPat p -> find_predicate_vars acc p

and find_predicate_vars acc p =
  match p with
    | Pvar _
    | Ptrue
    | Pfalse -> 
	acc
    | Papp (_, tl, i) ->
	List.fold_left find_term_vars 
	  (List.fold_left find_pure_type_vars acc i) tl
    | Pimplies (_,p1,p2) 
    | Pif (_,p1,p2)
    | Pand (_,_,p1,p2)
    | Piff (p1,p2)
    | Por (p1,p2) ->
	find_predicate_vars (find_predicate_vars acc p1) p2
    | Pnot p -> find_predicate_vars acc p
    | Forall (_,_,_,t,tl,p) ->
	List.fold_left (List.fold_left find_pattern_vars)
	  (find_predicate_vars (find_pure_type_vars acc t) p) tl
    | Exists (_,_,t,p) ->
	find_predicate_vars (find_pure_type_vars acc t) p
    | Forallb (_,p1,p2) ->
	find_predicate_vars (find_predicate_vars acc p1) p2
    | Pnamed (_,p) ->
	find_predicate_vars acc p
    | Plet (_, _, _, _, p) ->
	find_predicate_vars acc p

let generalize_predicate p =
  let l = find_predicate_vars Vset.empty p in
  { scheme_vars = l ; scheme_type = p }

let generalize_predicate_def (bl,p) = 
  let l = 
    List.fold_left (fun acc (_,pt) -> find_pure_type_vars acc pt) Vset.empty bl
  in
  let l = find_predicate_vars l p in
  { scheme_vars = l; scheme_type = (bl,p) }

let generalize_inductive_def (bl,l) =
  let vars = List.fold_left find_pure_type_vars Vset.empty bl in
  let vars =
    List.fold_left (fun acc (_,p) -> find_predicate_vars acc p) vars l
  in
  { scheme_vars = vars ; scheme_type = (bl,l) }

let generalize_function_def (bl,t,e) = 
  let l = 
    List.fold_left (fun acc (_,pt) -> find_pure_type_vars acc pt) Vset.empty bl 
  in
  let l = find_pure_type_vars l t in
  { scheme_vars = l; scheme_type = (bl,t,e) }

(* specialization *)

let dump_type_var = ref (fun (_v:type_var) -> ())

let new_type_var =
  let c = ref 0 in
  fun ?(user=false) () -> 
    incr c; 
    let v = { tag = !c; user=user; type_val = None } in 
    v

let rec subst_pure_type s t =
  match t with
    | PTvar ({ type_val = None } as v) ->
	(try PTvar (Vmap.find v s) with Not_found -> t)
    | PTvar { type_val = Some t } ->
	subst_pure_type s t
    | PTexternal(l,id) ->
	PTexternal(List.map (subst_pure_type s) l,id)
    | PTint | PTreal | PTbool | PTunit -> t


let subst_logic_type s = function
  | Function (tl,tr) -> 
      Function (List.map (subst_pure_type s) tl, subst_pure_type s tr)
  | Predicate (tl) -> 
      Predicate (List.map (subst_pure_type s) tl)

let subst_alg_type s (vs,cs) =
  (List.map (subst_pure_type s) vs,
    List.map (fun (c,pl) -> (c, List.map (subst_pure_type s) pl)) cs)

let rec subst_term s = function
  | Tapp (id, tl, i) -> 
      Tapp (id, List.map (subst_term s) tl, List.map (subst_pure_type s) i)
  | Tconst _ | Tvar _ | Tderef _ as t -> 
      t
  | Tnamed (lab,t) -> Tnamed(lab,subst_term s t)

let rec subst_pattern s = function
  | TPat t -> TPat (subst_term s t)
  | PPat p -> PPat (subst_predicate s p)

and subst_trigger s = List.map (subst_pattern s)

and subst_triggers s = List.map (subst_trigger s)

and subst_predicate s p =
  let f = subst_predicate s in
  match p with
  | Pimplies (w, a, b) -> Pimplies (w, f a, f b)
  | Pif (a, b, c) -> Pif (subst_term s a, f b, f c)
  | Pand (w, s, a, b) -> Pand (w, s, f a, f b)
  | Por (a, b) -> Por (f a, f b)
  | Piff (a, b) -> Piff (f a, f b)
  | Pnot a -> Pnot (f a)
  | Forall (w, id, b, v, tl, p) -> 
      Forall (w, id, b, subst_pure_type s v, subst_triggers s tl, f p)
  | Exists (id, b, v, p) -> Exists (id, b, subst_pure_type s v, f p)
  | Forallb (w, a, b) -> Forallb (w, f a, f b)
  | Papp (id, tl, i) -> 
      Papp (id, List.map (subst_term s) tl, List.map (subst_pure_type s) i)
  | Pnamed (n, a) -> Pnamed (n, f a)
  | Plet (x, b, pt, t, p) -> Plet (x, b, pt, subst_term s t, f p)
  | Ptrue | Pfalse | Pvar _ as p -> p

let rec subst_type_v s = function
  | Ref t -> Ref (subst_pure_type s t)
  | PureType t -> PureType (subst_pure_type s t)
  | Arrow (bl,c) -> Arrow (List.map (subst_binder s) bl,subst_type_c s c)
and subst_binder s (id,t) = 
  (id, subst_type_v s t)
and subst_type_c s c =
  { c with 
    c_result_type = subst_type_v s c.c_result_type;
    c_pre = List.map (subst_predicate s) c.c_pre;
    c_post = option_app (post_app (subst_predicate s)) c.c_post }

let subst_predicate_def s (bl,p) =
  let bl = List.map (fun (x,pt) -> (x, subst_pure_type s pt)) bl in
  bl, subst_predicate s p


let specialize_scheme subst s =
  let env =
    Vset.fold
      (fun x s -> Vmap.add x (new_type_var()) s)
      s.scheme_vars Vmap.empty
  in 
  (env, subst env s.scheme_type)

let specialize_logic_type = specialize_scheme subst_logic_type

let specialize_alg_type = specialize_scheme subst_alg_type

let specialize_type_v = specialize_scheme subst_type_v

let specialize_predicate = specialize_scheme subst_predicate

let specialize_predicate_def = specialize_scheme subst_predicate_def

let subst_inductive_def s (bl,p) =
  let bl = List.map (subst_pure_type s) bl in
  bl, List.map (fun (id,p) -> (id,subst_predicate s p)) p

let specialize_inductive_def = specialize_scheme subst_inductive_def

let subst_function_def s (bl,t,e) =
  let bl = List.map (fun (x,pt) -> (x, subst_pure_type s pt)) bl in
  bl, subst_pure_type s t, subst_term s e

let specialize_function_def = specialize_scheme subst_function_def

let instantiate_specialized env inst =
  let r = Vmap.fold (fun _ v l -> 
		      (match l with 
                         | [] -> 
                            invalid_arg ("instantiate_specialized : too many var type to instantiate")
			 | a::q -> (v.type_val <- Some a; q)))
    env (List.rev inst) in (* Pourquoi List.rev? *)
  match r with
    | [] -> ()
    | _ -> invalid_arg ("instantiate_specialized : not enough var type to instantiate")

let instantiate_scheme subst s inst =
  let (env,x) = specialize_scheme subst s in
  instantiate_specialized env inst;
  x

let instantiate_logic_type = instantiate_scheme subst_logic_type

let instantiate_type_v = instantiate_scheme subst_type_v

let instantiate_predicate = instantiate_scheme subst_predicate

let instantiate_predicate_def = instantiate_scheme subst_predicate_def

let instantiate_inductive_def = instantiate_scheme subst_inductive_def

let instantiate_function_def = instantiate_scheme subst_function_def

let rec find_cc_type_vars acc = function
  | TTpure pt -> find_pure_type_vars acc pt
  | TTarray cc -> find_cc_type_vars acc cc
  | TTlambda (b, cc) -> find_cc_binder_vars (find_cc_type_vars acc cc) b
  | TTarrow (b, cc) -> find_cc_binder_vars (find_cc_type_vars acc cc) b
  | TTtuple (bl, cco) -> 
      List.fold_left find_cc_binder_vars 
	(match cco with None -> acc | Some cc -> find_cc_type_vars acc cc) bl
  | TTpred p -> find_predicate_vars acc p
  | TTapp (cc, l) -> 
      find_cc_type_vars (List.fold_left find_cc_type_vars acc l) cc
  | TTterm _ 
  | TTSet -> acc

and find_cc_bind_type_vars acc = function
  | CC_var_binder cc -> find_cc_type_vars acc cc
  | CC_pred_binder p -> find_predicate_vars acc p
  | CC_untyped_binder -> acc

and find_cc_binder_vars acc (_, bt) = find_cc_bind_type_vars acc bt

let rec subst_cc_type s = function
  | TTpure pt -> TTpure (subst_pure_type s pt)
  | TTarray cc -> TTarray (subst_cc_type s cc)
  | TTlambda (b, cc) -> TTlambda (subst_cc_binder s b, subst_cc_type s cc)
  | TTarrow (b, cc) -> TTarrow (subst_cc_binder s b, subst_cc_type s cc)
  | TTtuple (bl, cco) -> 
      TTtuple (List.map (subst_cc_binder s) bl, 
	       option_app (subst_cc_type s) cco)
  | TTpred p -> TTpred (subst_predicate s p)
  | TTapp (cc, l) -> TTapp (subst_cc_type s cc, List.map (subst_cc_type s) l)
  | TTterm t -> TTterm (subst_term s t)
  | TTSet -> TTSet

and subst_cc_bind_type s = function
  | CC_var_binder cc -> CC_var_binder (subst_cc_type s cc)
  | CC_pred_binder p -> CC_pred_binder (subst_predicate s p)
  | CC_untyped_binder -> CC_untyped_binder

and subst_cc_binder s (id, bt) = (id, subst_cc_bind_type s bt)

let subst_sequent s (h, p) = 
  let subst_hyp = function
    | Svar (id, t) -> Svar (id, subst_pure_type s t)
    | Spred (id, p) -> Spred (id, subst_predicate s p)
  in
  (List.map subst_hyp h, subst_predicate s p)

let find_sequent_vars (h, p) =
  let find_hyp_vars acc = function
    | Svar (_, t) -> find_pure_type_vars acc t
    | Spred (_, p) -> find_predicate_vars acc p
  in
  let l = List.fold_left find_hyp_vars Vset.empty h in
  find_predicate_vars l p

let generalize_sequent s =
  let l = find_sequent_vars s in
  { scheme_vars = l; scheme_type = s }

let specialize_sequent = specialize_scheme subst_sequent
let instantiate_sequent = instantiate_scheme subst_sequent

let rec find_gen_cc_term_vars hole_fun acc t = 
  let find_cc_term_vars = find_gen_cc_term_vars hole_fun in
    match t with
      | CC_var _ ->
	  acc
      | CC_letin (_, bl, t1, t2) ->
	  List.fold_left find_cc_binder_vars
	    (find_cc_term_vars (find_cc_term_vars acc t1) t2) bl
      | CC_lam (b, t) ->
	  find_cc_binder_vars (find_cc_term_vars acc t) b
      | CC_app (t1, t2) ->
	  find_cc_term_vars (find_cc_term_vars acc t1) t2
      | CC_tuple (tl, top) ->
	  List.fold_left find_cc_term_vars
	    (match top with None -> acc | Some t -> find_cc_type_vars acc t) tl
      | CC_if (t1, t2, t3) ->
	  find_cc_term_vars (find_cc_term_vars (find_cc_term_vars acc t1) t2) t3
      | CC_case (t, pl) ->
	  let find_case_vars acc (p, t) =
	    find_cc_pattern_vars (find_cc_term_vars acc t) p
	  in
	    List.fold_left find_case_vars (find_cc_term_vars acc t) pl
      | CC_term t ->
	  find_term_vars acc t
      | CC_hole pr ->
	  hole_fun acc pr
      | CC_type cc
      | CC_any cc ->
	  find_cc_type_vars acc cc

and find_cc_pattern_vars acc = function
  | PPvariable b -> find_cc_binder_vars acc b
  | PPcons (_, pl) -> List.fold_left find_cc_pattern_vars acc pl

let rec find_proof_vars acc = function
  | Lemma _
  | True
  | Proj1 _
  | Proj2 _
  | Assumption _
  | Conjunction _
  | Loop_variant_1 _
  | Absurd _
  | ShouldBeAWp ->
      acc
  | Reflexivity t
  | WfZwf t ->
      find_term_vars acc t
  | ProofTerm cc ->
      find_cc_term_vars acc cc

and find_cc_term_vars x = find_gen_cc_term_vars find_proof_vars x

and find_cc_functional_program_vars = 
  find_gen_cc_term_vars (fun accu (_loc, pred) -> find_predicate_vars accu pred)

let rec subst_gen_cc_term subst_hole s t = 
  let subst_cc_term = subst_gen_cc_term subst_hole in
    match t with
      | CC_var _ as cc -> cc
      | CC_letin (b, bl, t1, t2) -> 
	  CC_letin (b, List.map (subst_cc_binder s) bl, 
		    subst_cc_term s t1, subst_cc_term s t2)
      | CC_lam (b, t) -> CC_lam (subst_cc_binder s b, subst_cc_term s t)
      | CC_app (t1, t2) -> CC_app (subst_cc_term s t1, subst_cc_term s t2)
      | CC_tuple (tl, top) -> CC_tuple (List.map (subst_cc_term s) tl,
					option_app (subst_cc_type s) top)
      | CC_if (t1, t2, t3) ->
	  CC_if (subst_cc_term s t1, subst_cc_term s t2, subst_cc_term s t3)
      | CC_case (t, cl) ->
	  let subst_case (p, t) = subst_cc_pattern s p, subst_cc_term s t in
	    CC_case (subst_cc_term s t, List.map subst_case cl)
      | CC_term t -> CC_term (subst_term s t)
      | CC_hole pr -> CC_hole (subst_hole s pr)
      | CC_type t -> CC_type (subst_cc_type s t)
      | CC_any t -> CC_any (subst_cc_type s t)

and subst_cc_pattern s = function
  | PPvariable b -> PPvariable (subst_cc_binder s b)
  | PPcons (id, pl) -> PPcons (id, List.map (subst_cc_pattern s) pl)

let rec subst_proof s = function
  | Lemma _
  | True
  | Proj1 _
  | Proj2 _
  | Assumption _
  | Conjunction _
  | Loop_variant_1 _
  | Absurd _
  | ShouldBeAWp as pr ->
      pr
  | Reflexivity t -> Reflexivity (subst_term s t)
  | WfZwf t -> WfZwf (subst_term s t)
  | ProofTerm cc -> ProofTerm (subst_cc_term s cc)

and subst_cc_term x = subst_gen_cc_term subst_proof x

let subst_cc_functional_program = 
  subst_gen_cc_term (fun s (loc, pred) -> (loc, subst_predicate s pred))

let specialize_cc_type tt = 
  let l = find_cc_type_vars Vset.empty tt in
  specialize_scheme subst_cc_type {scheme_vars=l; scheme_type=tt}

let specialize_validation tt cc =
  let l = find_cc_term_vars (find_cc_type_vars Vset.empty tt) cc in
  if Vset.is_empty l then
    Vmap.empty, tt, cc
  else
    let env = 
      Vset.fold (fun x l -> Vmap.add x (new_type_var()) l) l Vmap.empty 
    in 
    (env, subst_cc_type env tt, subst_cc_term env cc)

let specialize_cc_functional_program tt cc =
  let l = find_cc_functional_program_vars (find_cc_type_vars Vset.empty tt) cc in
  if Vset.is_empty l then
    Vmap.empty, tt, cc
  else
    let env = 
      Vset.fold (fun x l -> Vmap.add x (new_type_var()) l) l Vmap.empty 
    in 
    (env, subst_cc_type env tt, subst_cc_functional_program env cc)

let type_var_names = Hashtbl.create 97
let type_var_name v = Hashtbl.find type_var_names v.tag


(* Environments for imperative programs.
 *
 * An environment of programs is an association tables
 * from identifiers (Ident.t) to types of values with effects
 * (ProgAst.ml_type_v), together with a list of these associations, since
 * the order is relevant (we have dependent types e.g. [x:nat; t:(array x T)])
 *)

module Penv = struct
  type 'a t = {
    map : 'a Idmap.t;
    elements: (Ident.t * 'a) list;
    rec_funs : Idset.t;
    type_vars : (string, type_var) Hashtbl.t
  }
  let empty () = 
    { map = Idmap.empty; elements = []; rec_funs = Idset.empty;
      type_vars = Hashtbl.create 17 }
  let add id v e = 
    { e with map = Idmap.add id v e.map; elements = (id,v)::e.elements }
  let find id e = Idmap.find id e.map
  let mem id e = Idmap.mem id e.map
  let fold f e x0 = List.fold_right f e.elements x0
  let iter f e = List.iter f e.elements
  let add_rec x e = { e with rec_funs = Idset.add x e.rec_funs }
  let is_rec x e = Idset.mem x e.rec_funs
  let find_type_var id e =
    let s = Ident.string id in
    try
      Hashtbl.find e.type_vars s
    with Not_found ->
      let v = new_type_var ~user:true () in
      Hashtbl.add type_var_names v.tag s;
      Hashtbl.add e.type_vars s v;
      v
end

(* The global environment.
 *
 * We have a global typing environment env
 * We also keep a table of programs for extraction purposes
 * and a table of initializations (still for extraction)
 *)

let (env : type_v scheme Penv.t ref) = ref (Penv.empty ())
let (global_refs : pure_type Idmap.t ref) = ref Idmap.empty

(* Local environments *)

type local_env = {
  progs: type_v scheme Penv.t;
  logic: pure_type Idmap.t 
}

(* logical variables *)

let is_logic x env = Idmap.mem x env.logic

let find_logic x env = Idmap.find x env.logic

let add_logic x pt env = 
  { env with logic = Idmap.add x pt env.logic }

(* empty local environment: contains the references as *)

let add_logic_ref id v env = match v with
  | Ref pt -> Idmap.add id pt env
  | PureType _ | Arrow _ -> env

let empty_progs () = 
  { progs = Penv.empty (); logic = !global_refs }

let empty_logic () =
  { progs = Penv.empty (); logic = Idmap.empty }

let add_logic_pure_or_ref id v env = match v with
  | Ref pt | PureType pt -> Idmap.add id pt env
  | Arrow _ -> env

let generalize_type_v t =
  let l = find_type_v_vars Vset.empty t in
  { scheme_vars = l ; scheme_type = t }

let add ?(generalize=false) id v env = 
  let v' = if generalize then generalize_type_v v else empty_scheme v in
  { progs = Penv.add id v' env.progs;
    logic = add_logic_pure_or_ref id v env.logic }

let find_type_var x env = Penv.find_type_var x env.progs

let specialize_type_scheme = specialize_type_v

let find id env =
  let s = Penv.find id env.progs in
  snd (specialize_type_scheme s)

let is_local env id = Penv.mem id env.progs


(* typed programs *)

type typing_info = { 
  t_loc : Loc.position;
  t_env : local_env;
  t_label : label;
  mutable t_userlabel : label;
  t_result_name : Ident.t;
  t_result_type : type_v;
  t_effect : Effect.t;
  t_post : postcondition option 
}
  
type typed_expr = typing_info Ast.t

let (pgm_table : (typed_expr option) Idmap.t ref) = ref Idmap.empty

(* Operations on the global environment. *)

let add_global_gen id v p =
  try
    let _ = Penv.find id !env in
    raise_unlocated (Clash id)
  with Not_found -> begin
    env := Penv.add id v !env; 
    global_refs := add_logic_ref id v.scheme_type !global_refs;
    pgm_table := Idmap.add id p !pgm_table
  end

let add_global id v p =
  let v = generalize_type_v v in
  add_global_gen id v p

let is_global id = Penv.mem id !env

let lookup_global id = 
  let s = Penv.find id !env in
  snd (specialize_type_scheme s)

let iter_global id =  Penv.iter id !env

let find_pgm id = Idmap.find id !pgm_table

(* exceptions *)

let exn_table = Hashtbl.create 97

let add_exception = Hashtbl.add exn_table
let is_exception = Hashtbl.mem exn_table
let find_exception = Hashtbl.find exn_table

(* predefined exception [Exit] *)
let _ = add_exception exit_exn None

(* Logic types with their arities *) 

let types = Hashtbl.create 97

let is_type = Hashtbl.mem types

let bad_arity =
  let rec check s = function
    | [] -> false
    | v :: l -> Idset.mem v s || check (Idset.add v s) l
  in
  check Idset.empty

let add_type loc v id = 
  if is_type id then raise_located loc (ClashType id);
  if bad_arity v then raise_located loc TypeBadArity;
  Hashtbl.add types id (List.length v)

let type_arity = Hashtbl.find types

let iter_type f = Hashtbl.iter f types
let fold_type f = Hashtbl.fold f types

(* Algebraic types with their constructors *)

let alg_types = Hashtbl.create 97

let is_alg_type = Hashtbl.mem alg_types

let alg_type_constructors = Hashtbl.find alg_types

let set_constructors = Hashtbl.add alg_types

(* access in env, local then global *)

let type_in_env env id =
  try find id env with Not_found -> lookup_global id

let is_in_env env id =
  (is_global id) || (is_local env id)

let is_ref env id =
  try is_mutable (type_in_env env id) with Not_found -> false

let fold_all f lenv x0 =
  let f (id,s) = f (id,s.scheme_type) in
  let x1 = Penv.fold f !env x0 in
  Penv.fold f lenv.progs x1

let add_rec x env = { env with progs = Penv.add_rec x env.progs }
let is_rec x env = Penv.is_rec x env.progs


let type_v_of_logic tl tr = match tl with
  | [] -> 
      PureType tr
  | _ ->
      let binder pt = Ident.anonymous, PureType pt in
      Arrow (List.map binder tl, type_c_of_v (PureType tr))

(* Logical environment *)

let logic_table = ref (Idmap.empty : logic_type scheme Idmap.t)

let add_global_logic x t = 
  logic_table := Idmap.add x t !logic_table;
  match t.scheme_type with
    | Function (tl, tr) ->
	let v = type_v_of_logic tl tr in
	let v = { scheme_vars = t.scheme_vars ; scheme_type = v } in
	add_global_gen x v None
    | Predicate _ ->
	()

let is_global_logic x = Idmap.mem x !logic_table

let find_global_logic x =
  let t = Idmap.find x !logic_table in
  specialize_logic_type t

let is_global_logic x = Idmap.mem x !logic_table

let is_logic_function x =
  try 
    (match (Idmap.find x !logic_table).scheme_type with 
       | Function _ -> true 
       | _ -> false)
  with Not_found -> 
    false

let iter_global_logic f = Idmap.iter f !logic_table
let fold_global_logic f = Idmap.fold f !logic_table

let add_global_logic_gen x t =
  add_global_logic x (generalize_logic_type t)


let global_builtin = [(t_eq,
                      let v = PTvar (new_type_var()) in 
                      Predicate [v;v]);
                      (t_neq,
                      let v = PTvar (new_type_var()) in 
                      Predicate [v;v])]

let () = 
  List.iter (fun (id,t) -> add_global_logic_gen id t) global_builtin

(*s Labels *)

module Label = struct

  module LabelSet = Set.Make(struct type t = string let compare = compare end)

  type t = LabelSet.t

  let empty = LabelSet.empty

  let add = LabelSet.add

  let mem = LabelSet.mem

end
why-2.34/src/rc.mll0000644000175000017500000001227612311670312012526 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

{

  open Lexing

  let get_home_dir () =
    try Sys.getenv "HOME"
    with Not_found -> 
      (* try windows env var *)
      try Sys.getenv "USERPROFILE"
      with Not_found -> ""

type rc_value =
  | RCint of int
  | RCbool of bool
  | RCfloat of float
  | RCstring of string
  | RCident of string

let int = function
  | RCint n -> n
  | _ -> failwith "Rc.int"

let bool = function
  | RCbool b -> b
  | _ -> failwith "Rc.bool"

let string = function
  | RCident s | RCstring s -> s
  | _ -> failwith "Rc.string"

let buf = Buffer.create 17

let current_rec = ref ""
let current_list = ref []
let current = ref []

let push_field key value =
  current_list := (key,value) :: !current_list

let push_record () =
  if !current_list <> [] then
    current := (!current_rec,List.rev !current_list) :: !current;
  current_rec := "";
  current_list := []

}

let space = [' ' '\t' '\r' '\n']+
let digit = ['0'-'9']
let letter = ['a'-'z' 'A'-'Z']
let ident = (letter | '_') (letter | digit | '_' | '-' | '(' | ')') * 
let sign = '-' | '+' 
let integer = sign? digit+
let mantissa = ['e''E'] sign? digit+
let real = sign? digit* '.' digit* mantissa?
let escape = ['\\''"''n''t''r']

rule record = parse
  | space 
      { record lexbuf }
  | '[' (ident as key) ']'  
      { push_record();
	current_rec := key;
	record lexbuf 
      }
  | eof 
      { push_record () }
  | (ident as key) space* '=' space* 
      { value key lexbuf }
  | _ as c
      { failwith ("Rc: invalid keyval pair starting with " ^ String.make 1 c) }

and value key = parse
  | integer as i
      { push_field key (RCint (int_of_string i));
        record lexbuf }
  | real as r
      { push_field key (RCfloat (float_of_string r));
        record lexbuf }
  | '"' 
      { Buffer.clear buf;
	string_val key lexbuf } 
  | "true"
      { push_field key (RCbool true);
        record lexbuf }
  | "false"
      { push_field key (RCbool false);
        record lexbuf }
  | ident as id
      { push_field key (RCident (*kind_of_ident*) id);
        record lexbuf }
  | _ as c
      { failwith ("Rc: invalid value starting with " ^ String.make 1 c) }
  | eof
      { failwith "Rc: unterminated keyval pair" }

and string_val key = parse 
  | '"' 
      { push_field key (RCstring (Buffer.contents buf));
	record lexbuf
      }
  | [^ '\\' '"'] as c
      { Buffer.add_char buf c;
        string_val key lexbuf }
  | '\\' (['\\''\"'] as c)   
      { Buffer.add_char buf c;
        string_val key lexbuf }
  | '\\' 'n'
      { Buffer.add_char buf '\n';
        string_val key lexbuf }
  | '\\' (_ as c)
      { Buffer.add_char buf '\\';
        Buffer.add_char buf c;
        string_val key lexbuf }
  | eof
      { failwith "Rc: unterminated string" }


{

  let from_file f =
      let c = 
	try open_in f 
	with Sys_error _ -> raise Not_found
(*
	  Format.eprintf "Cannot open file %s@." f;
	  exit 1
*)
      in
      current := [];
      let lb = from_channel c in
      record lb;
      close_in c;
      List.rev !current

}
why-2.34/src/options.mli0000644000175000017500000001421212311670312013602 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


(*s General options *)

val verbose : bool

val if_verbose : ('a -> unit) -> 'a -> unit
val if_verbose_2 : ('a -> 'b -> unit) -> 'a -> 'b -> unit
val if_verbose_3 : ('a -> 'b -> 'c -> unit) -> 'a -> 'b -> 'c -> unit

val debug : bool

val if_debug : ('a -> unit) -> 'a -> unit
val if_debug_2 : ('a -> 'b -> unit) -> 'a -> 'b -> unit
val if_debug_3 : ('a -> 'b -> 'c -> unit) -> 'a -> 'b -> 'c -> unit

val ocaml : bool
val ocaml_annot : bool
val ocaml_externals : bool

val explain_vc : bool
val locs_table :
  (string, (string * int * int * int * (string * Rc.rc_value) list))
     Hashtbl.t

val wol : bool

val c_file : bool ref

val werror : bool

val parse_only : bool
val type_only : bool
val wp_only : bool

val fast_wp : bool
(*
val black : bool
val white : bool
val wbb : bool
*)
val split_user_conj : bool
val split_bool_op : bool
val lvlmax : int
val all_vc : bool
val eval_goals : bool
val pruning : bool
val pruning_hyp_v : int
val pruning_hyp_p : int
(* Heuristiques en test *)
val prune_coarse_pred_comp : bool
val pruning_hyp_CompInGraph : bool
val pruning_hyp_CompInFiltering : bool
val pruning_hyp_LinkVarsQuantif : bool
val pruning_hyp_keep_single_comparison_representation : bool
val pruning_hyp_comparison_eqOnly : bool
val pruning_hyp_suffixed_comparison : bool
val pruning_hyp_equalities_linked : bool
val pruning_hyp_arithmetic_tactic : bool
val pruning_hyp_var_tactic : int
val pruning_hyp_polarized_preds : bool
val prune_context : bool
val prune_get_depths : bool
val pruning_hyp_considere_arith_comparison_as_special_predicate : bool
(* FIN de Heuristiques en test *)
(*
val modulo : bool
*)

val phantom_types : (string,unit) Hashtbl.t

type expanding = All | Goal | NoExpanding
val defExpanding : expanding
val get_type_expanding : unit -> expanding

type encoding =
  | NoEncoding | Predicates | Stratified | Recursive | Monomorph
  | SortedStratified |MonoInst
val get_types_encoding : unit -> encoding
val set_types_encoding : encoding -> unit

type monoinstWorldGen =
  | MonoinstSorted
  | MonoinstBuiltin
  | MonoinstGoal
  | MonoinstPremises
val monoinstworldgen : monoinstWorldGen
val monoinstoutput_world : bool
val monoinstonlymem : bool
val monoinstnounit : bool
val monoinstonlyconst : bool

type termination = UseVariant | Partial | Total
val termination : termination

(*s Prover options *)

type coq_version = V7 | V8 | V81

type prover =
  | Coq of coq_version | Pvs | HolLight | Mizar | Harvey | Simplify | CVCLite
  | SmtLib | Isabelle | Hol4 | Gappa | Zenon | Z3 | Vampire
  | Ergo | Why | MultiWhy | MultiAltergo | Why3 | Dispatcher | WhyProject

val prover : (* ?ignore_gui:bool  -> *) unit -> prover

val valid : bool
val coq_tactic : string option
val coq_preamble : string
val coq_use_dp: bool

val pvs_preamble : string

val mizar_environ : string option

val isabelle_base_theory : string

val no_simplify_prelude : bool
val simplify_triggers : bool
val no_harvey_prelude : bool
val no_zenon_prelude : bool
val no_cvcl_prelude : bool
val delete_old_vcs : bool

val floats : bool
val show_time : bool

(*s [file f] appends [f] to the directory specified with [-dir], if any *)

val file : string -> string

(* [out_file f] returns the file specified with option -o, or [file f]
   otherwise. This function musn't be used if you want to be able to
   output on stdout *)

val out_file : string -> string

(* If you want to be able to print to stdout transparently you must
   use this function instead of the standard one. *)

val open_out_file : string -> out_channel
val close_out_file : out_channel -> unit
val out_file_exists :  string -> bool

(* [lib_file f] appends [f] to the lib directory *)

val lib_file : string -> string

val lib_dir : string

(*s Files given on the command line *)

val files : string list

(*s GUI? *)

val gui : bool ref
val gui_project : Project.t option ref
val lib_files_to_load : string list

(*
Local Variables:
compile-command: "unset LANG; make -j -C .. bin/why.byte"
End:
*)
why-2.34/src/simplify.mli0000644000175000017500000000460512311670312013750 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc

val reset : unit -> unit

val push_decl : Logic_decl.t -> unit

val output_file : allowedit:bool -> string -> unit
why-2.34/src/ptree.mli0000644000175000017500000001320012311670312013222 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Parse trees. *)

open Logic
open Types

type loc = Loc.position

(*s Logical expressions (for both terms and predicates) *)

type pp_infix = 
  PPand | PPor | PPimplies | PPiff |
  PPlt | PPle | PPgt | PPge | PPeq | PPneq |
  PPadd | PPsub | PPmul | PPdiv 

type pp_prefix = 
  PPneg | PPnot

type ppure_type =
  | PPTint
  | PPTbool
  | PPTreal
  | PPTunit
  | PPTvarid of Ident.t * Loc.position
  | PPTexternal of ppure_type list * Ident.t * Loc.position

type lexpr = 
  { pp_loc : loc; pp_desc : pp_desc }

and pp_desc =
  | PPvar of Ident.t
  | PPapp of Ident.t * lexpr list
  | PPtrue
  | PPfalse
  | PPconst of constant
  | PPinfix of lexpr * pp_infix * lexpr
  | PPprefix of pp_prefix * lexpr
  | PPif of lexpr * lexpr * lexpr
  | PPforall of Ident.t * ppure_type * lexpr list list * lexpr
  | PPexists of Ident.t * ppure_type * lexpr
  | PPnamed of string * lexpr
  | PPlet of Ident.t * lexpr * lexpr
  | PPmatch of lexpr * ((Ident.t * Ident.t list * loc) * lexpr) list

type assertion = { 
  pa_name : Ident.name; 
  pa_value : lexpr; 
  pa_loc : Loc.position;
}

type postcondition = assertion * (Ident.t * assertion) list

(*s Parsed types *)

type peffect = { 
  pe_reads : Ident.t list;
  pe_writes : Ident.t list;
  pe_raises : Ident.t list
}

type ptype_v =
  | PVpure  of ppure_type
  | PVref   of ppure_type
  | PVarrow of ptype_v binder list * ptype_c

and ptype_c =
  { pc_result_name : Ident.t;
    pc_result_type : ptype_v;
    pc_effect : peffect;
    pc_pre    : assertion list;
    pc_post   : postcondition option }

(*s Parsed program. *)

type variable = Ident.t

type label = string

type variant = lexpr * variable

type exn_pattern = variable * variable option

type assert_kind = [`ASSERT | `CHECK]

type t = 
  { pdesc : t_desc;
    ploc : loc }

and t_desc =
  | Svar of variable
  | Sderef of variable
  | Sloop of assertion option * variant option * t
  | Sif of t * t * t
  | Slazy_and of t * t
  | Slazy_or of t * t
  | Snot of t
  | Sapp of t * t
  | Sletref of variable * t * t
  | Sletin of variable * t * t
  | Sseq of t * t
  | Slam of ptype_v binder list * assertion list * t
  | Srec of 
      variable * ptype_v binder list * ptype_v * variant option * 
	assertion list * t
  | Sraise of variable * t option * ptype_v option
  | Stry of t * (exn_pattern * t) list
  | Sconst of constant
  | Sabsurd of ptype_v option
  | Sany of ptype_c
  | Slabel of label * t
  | Sassert of assert_kind * assertion list * t
  | Spost of t * postcondition * transp

type parsed_program = t

(*s Declarations. *)

type external_ = bool

type plogic_type =
  | PPredicate of ppure_type list
  | PFunction of ppure_type list * ppure_type

type goal_kind = KLemma | KAxiom | KGoal

type decl = 
  | Include of loc * string
  | Program of loc * Ident.t * parsed_program
  | Parameter of loc * external_ * Ident.t list * ptype_v
  | Exception of loc * Ident.t * ppure_type option
  | Logic of loc * external_ * Ident.t list * plogic_type
  | Predicate_def of loc * Ident.t * (loc * Ident.t * ppure_type) list * lexpr
  | Inductive_def of loc * Ident.t * plogic_type * (loc * Ident.t * lexpr) list
  | Function_def 
      of loc * Ident.t * (loc * Ident.t * ppure_type) list * ppure_type * lexpr
  | Goal of loc * goal_kind * Ident.t * lexpr
  | TypeDecl of loc * external_ * Ident.t list * Ident.t
  | AlgType of (loc * Ident.t list * Ident.t
      * (loc * Ident.t * ppure_type list) list) list

type file = decl list
why-2.34/src/red.mli0000644000175000017500000000471612311670312012671 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc
open Logic 

(* reduction on intermediate programs 
 * get rid of redexes of the kind let (x1,...,xn) = e in (x1,...,xn) *)

val red : ('a * predicate) cc_term -> ('a * predicate) cc_term

why-2.34/src/report.ml0000644000175000017500000002140312311670312013251 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Ident
open Logic
open Types
open Ast
open Format
open Error
open Misc

exception Error of Error.t

let report fmt = function
  | AnyMessage s ->
      fprintf fmt "Error: %s" s
  | UnboundVariable id ->
      fprintf fmt "Unbound variable %s" (Ident.string id)
  | UnboundReference id ->
      fprintf fmt "Unbound reference %s" (Ident.string id)
  | UnboundArray id ->
      fprintf fmt "Unbound array %s" (Ident.string id)
  | UnboundLabel s ->
      fprintf fmt "Unbound label '%s'" s
  | ReboundLabel s ->
      fprintf fmt "Rebound label '%s'" s
  | UnboundException id ->
      fprintf fmt "Unbound exception '%s'" (Ident.string id)
  | UnboundType id ->
      fprintf fmt "Unbound type '%a'" Ident.print id
  | Clash id ->
      fprintf fmt "Clash with previous constant %s" (Ident.string id)
  | ClashParam id ->
      fprintf fmt "Clash with previous parameter %s" (Ident.string id)
  | ClashExn id ->
      fprintf fmt "Clash with previous exception %s" (Ident.string id)
  | ClashRef id ->
      fprintf fmt "Clash with previous reference %s" (Ident.string id)
  | ClashType id ->
      fprintf fmt "Clash with previous type %s" (Ident.string id)
  | Undefined id ->
      fprintf fmt "The object %s is undefined" (Ident.string id)
  | NotAReference id ->
      fprintf fmt "%s is not a reference" (Ident.string id)
  | NotAnArray id ->
      fprintf fmt "%s is not an array" (Ident.string id)
  | NotAnIndex ->
      fprintf fmt "@[This expression is an index@ and should have type int@]"
  | HasSideEffects ->
      fprintf fmt "This expression should not have side effects"
  | ShouldBeBoolean ->
      fprintf fmt "This expression should have type bool"
  | ShouldBeAlgebraic ->
      fprintf fmt "This expression should have an algebraic type"
  | ShouldBeAnnotated ->
      fprintf fmt "This test should be annotated"
  | CannotBeMutable ->
      fprintf fmt "This expression cannot be a mutable"
  | MustBePure ->
      fprintf fmt "@[This expression must be pure@ ";
      fprintf fmt "(i.e. neither a mutable nor a function)@]"
  | BranchesSameType ->
      fprintf fmt "@[The two branches of an `if' expression@ ";
      fprintf fmt "should have the same type@ ";
      fprintf fmt "(or the `else' branch has been omitted in a non-unit `if')";
      fprintf fmt "@]"
  | LetRef ->
      fprintf fmt "References can only be bound in pure terms"
  | VariantInformative ->
      fprintf fmt "A variant should be informative"
  | ShouldBeInformative ->
      fprintf fmt "This term should be informative"
  | AppNonFunction ->
      fprintf fmt "@[This term cannot be applied@ ";
      fprintf fmt "(either it is not a function@ ";
      fprintf fmt "or it is applied to non pure arguments)@]"
  | TooManyArguments ->
      fprintf fmt "@[Too many arguments@]"
  | TooComplexArgument ->
      fprintf fmt 
	"@[This argument is too complex; application cannot be given a type@]"
  | Alias id ->
      fprintf fmt "@[Application to %a creates an alias@]" Ident.print id
  | PartialApp ->
      fprintf fmt "@[This function does not have@ ";
      fprintf fmt "the right number of arguments@]"
  | ExpectedType v ->
      fprintf fmt "@[This term is expected to have type@ ";
      v fmt; fprintf fmt "@]"
  | ExpectedType2 (v1, v2) ->
      fprintf fmt "@[This term has type %a but is expected to have type@ %a@]"
	(fun fmt () -> v1 fmt) () (fun fmt () -> v2 fmt) () 
  | TermExpectedType (t,v) ->
      fprintf fmt "@[Term "; t fmt; fprintf fmt "@ is expected to have type@ ";
      v fmt; fprintf fmt "@]"
  | ExpectsAType id ->
      fprintf fmt "@[The argument %s@ " (Ident.string id);
      fprintf fmt "in this application is supposed to be a type@]"
  | ExpectsATerm id ->
      fprintf fmt "@[The argument %s@ " (Ident.string id);
      fprintf fmt "in this application is supposed to be a term@]"
  | ShouldBeVariable ->
      fprintf fmt "@[This argument should be a variable@]"
  | ShouldBeReference id ->
      fprintf fmt "@[The argument %a@ " Ident.print id;
      fprintf fmt "in this application should be a reference@]"
  | ShouldNotBeReference ->
      fprintf fmt "@[This argument should not be a reference@]"
  | IllTypedArgument f ->
      fprintf fmt "@[This argument should have type@ "; f fmt; fprintf fmt "@]"
  | NoVariableAtDate (id, d) ->
      fprintf fmt "Variable %a is unknown at date %s" Ident.print id d
  | MutableExternal ->
      fprintf fmt "@[An external value cannot be mutable;@ ";
      fprintf fmt "use parameter instead@]"
  | ExceptionArgument (id, true) ->
      fprintf fmt "Exception %a needs an argument" Ident.print id
  | ExceptionArgument (id, false) ->
      fprintf fmt "Exception %a has no argument" Ident.print id
  | CannotBeRaised id ->
      fprintf fmt "Exception %a cannot be raised" 
	Ident.print id
  | MutableMutable ->
      fprintf fmt 
	"A mutable type cannot contain another mutable type or a function"
  | PolymorphicGoal ->
      fprintf fmt "A goal cannot be polymorphic"
  | NonExhaustive id ->
      fprintf fmt "Non-exhausitive pattern matching, missing constructor %a"
        Ident.print id
  | PatternBadArity ->
      fprintf fmt "A pattern variable occurs several times"
  | TypeBadArity ->
      fprintf fmt "A type parameter occurs several times"
  | TypeArity (id, a, n) ->
      fprintf fmt "@[The type %a expects %d argument(s),@ " Ident.print id a;
      fprintf fmt "but is applied to %d argument(s)@]" n
  | GlobalWithEffects (id, e) ->
      fprintf fmt "@[Global %a has effects (@[%a@]).@\n" 
	Ident.print id Effect.print e;
      fprintf fmt "A global declaration cannot have effects@]"
  | CannotGeneralize ->
      fprintf fmt "Cannot generalize"
  | IllformedPattern ->
      fprintf fmt "Ill-formed pattern found in trigger: predicates pattern should be atoms"
  | IllegalComparison f ->
      fprintf fmt "comparison on type "; f fmt; fprintf fmt " is not allowed"

let is_mutable = function Ref _ -> true | _ -> false
let is_pure = function PureType _ -> true | _ -> false

let raise_located loc e = raise (Loc.Located (loc, Error e))
let raise_unlocated e = raise (Error e)
let raise_locop locop e = match locop with
  | None -> raise (Error e)
  | Some l -> raise (Loc.Located (l, Error e))


let rec explain_exception fmt = function
  | Lexer.Lexical_error s -> 
      fprintf fmt "Lexical error: %s" s
  | Parsing.Parse_error -> 
      fprintf fmt "Syntax error"
  | Stream.Error s -> 
      fprintf fmt "Syntax error: %s" s
  | Loc.Located (loc, e) ->
      fprintf fmt "%a%a" Loc.report_position loc explain_exception e
  | Error e ->
      report fmt e
  | e ->
      fprintf fmt "Anomaly: %s" (Printexc.to_string e); raise e

why-2.34/src/coq.mli0000644000175000017500000000600612311670312012673 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc
open Vcg

val reset : unit -> unit

val push_decl : Logic_decl.t -> unit

val push_validation : string -> cc_type -> validation -> unit

val push_program : string -> cc_type -> cc_functional_program -> unit

val push_parameter : string -> cc_type -> unit

val output_file : bool -> string -> unit

(* exported for the GUI *)

val prefix_id : Ident.t -> string
val pprefix_id : Ident.t -> string
val infix_relation : Ident.t -> string


val print_predicate_v8 : Format.formatter -> Logic.predicate -> unit
val print_cc_type_v8 : Format.formatter -> Cc.cc_type -> unit
val print_binder_v8 : Format.formatter -> Cc.cc_binder -> unit
val print_binder_type_v8 : Format.formatter -> Cc.cc_binder -> unit
val print_term_v8 : Format.formatter -> Logic.term -> unit
why-2.34/src/mizar.ml0000644000175000017500000003514312311670312013066 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Mizar output *)

open Options
open Ident
open Misc
open Error
open Logic
open Logic_decl
open Vcg
open Format
open Cc
open Pp

type elem = 
  | Obligation of obligation
  | Logic of string * logic_type Env.scheme
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme

let elem_q = Queue.create ()

let reset () = Queue.clear elem_q

let push_decl = function
  | Dgoal (loc, is_lemma, expl, id, s) -> 
      Queue.add (Obligation (loc, is_lemma, expl, id, s.Env.scheme_type)) elem_q
  | Dlogic (_, id, t) -> Queue.add (Logic (Ident.string id, t)) elem_q
  | Daxiom (_, id, p) -> Queue.add (Axiom (id, p)) elem_q
  | Dpredicate_def (_, id, p) -> 
      Queue.add (Predicate (Ident.string id, p)) elem_q
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "Mizar output: inductive def not yet supported"
  | Dfunction_def _ -> () (*TODO*)
  | Dtype _ -> () (*TODO*)
  | Dalgtype _ -> () (*TODO*)

(*s Pretty print *)

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "Integer"
  | PTbool -> fprintf fmt "Element of BOOLEAN"
  | PTunit -> fprintf fmt "Element of {0}"
  | PTreal -> fprintf fmt "Real"
  | PTexternal([],id) -> Ident.print fmt id
  | PTexternal([v],id) when id == farray ->
      begin match v with
	| PTunit -> fprintf fmt "XFinSequence of {0}"
	| PTbool -> fprintf fmt "XFinSequence of BOOLEAN"
	| PTint -> fprintf fmt "XFinSequence of INT"
	| PTreal -> fprintf fmt "XFinSequence of REAL"
	| PTexternal _ as ty ->
	    fprintf fmt "XFinSequence of %a" print_pure_type ty
	| PTvar _ -> failwith "no polymorphism with Mizar yet"
      end
  | PTexternal _ | PTvar _ ->  failwith "no polymorphism with Mizar yet"

let prefix_id id =
  (* int cmp *)
  if id == t_lt_int then "int_lt" 
  else if id == t_le_int then "int_le"
  else if id == t_gt_int then "int_gt"
  else if id == t_ge_int then "int_ge"
  else if id == t_eq_int then assert false (* TODO *)
  else if id == t_neq_int then assert false (* TODO *)
  (* real cmp *)
  else if id == t_lt_real then "real_lt" 
  else if id == t_le_real then "real_le"
  else if id == t_gt_real then "real_gt"
  else if id == t_ge_real then "real_ge"
  else if id == t_eq_real then assert false (* TODO *)
  else if id == t_neq_real then assert false (* TODO *)
  (* bool cmp *)
  else if id == t_eq_bool then assert false (* TODO *)
  else if id == t_neq_bool then assert false (* TODO *)
  (* unit cmp *)
  else if id == t_eq_unit then assert false (* TODO *)
  else if id == t_neq_unit then assert false (* TODO *)
  (* int ops *)
  else if id == t_add_int then "int_add"
  else if id == t_sub_int then "int_sub"
  else if id == t_mul_int then "int_mul"
(*
  else if id == t_div_int then assert false (* TODO *)
  else if id == t_mod_int then assert false (* TODO *)
*)
  else if id == t_neg_int then "int_neg"
  (* real ops *)
  else if id == t_add_real then "real_add"
  else if id == t_sub_real then "real_sub"
  else if id == t_mul_real then "real_mul"
  else if id == t_div_real then "real_div"
  else if id == t_neg_real then "real_neg"
  else if id == t_sqrt_real then assert false (* TODO *)
  else if id == t_real_of_int then assert false (* TODO *)
  else assert false

let rec print_term fmt t = 
  let rec print0 fmt = function
    | Tapp (id, [a; b], _) when is_relation id -> 
	fprintf fmt "@[%s(@[%a,@ %a@])@]" 
	  (prefix_id id) print0 a print0 b
    | t ->
	print1 fmt t
  and print1 fmt = function
    | Tapp (id, [a; b], _) when id == t_add_int || id == t_add_real ->
	fprintf fmt "%a +@ %a" print1 a print2 b
    | Tapp (id, [a; b], _) when id == t_sub_int || id == t_sub_real ->
	fprintf fmt "%a -@ %a" print1 a print2 b
    | t ->
	print2 fmt t
  and print2 fmt = function
    | Tapp (id, [a; b], _) when id == t_mul_int || id == t_mul_real ->
	fprintf fmt "%a *@ %a" print2 a print3 b
    | Tapp (id, [a; b], _) when (* id == t_div_int || *) id == t_div_real ->
	fprintf fmt "%a /@ %a" print2 a print3 b
(*
    | Tapp (id, [a; b], _) when id == t_mod_int ->
	fprintf fmt "%a mod %a" print2 a print3 b
*)
    | t -> 
	print3 fmt t
  and print3 fmt = function
    | Tvar id -> 
	Ident.print fmt id
    | Tconst (ConstInt n) -> 
	fprintf fmt "%s" n
    | Tconst (ConstBool true) -> 
	fprintf fmt "TRUE" 
    | Tconst (ConstBool false) -> 
	fprintf fmt "FALSE" 
    | Tconst ConstUnit -> 
	fprintf fmt "(Extract 0)" 
    | Tconst (ConstFloat (RConstDecimal (i,f,None))) ->
	fprintf fmt "%s.%s" i f
    | Tconst (ConstFloat (RConstDecimal (i,f,Some e))) ->
	fprintf fmt "%s.%se%s" i f e
    | Tconst (ConstFloat (RConstHexa _)) ->
	failwith "hexadecimal real constants not supported in Mizar"
    | Tderef _ -> 
	assert false
    (* arithmetic *)
    | Tapp (id, [a], _) when id == t_neg_int || id == t_neg_real ->
	fprintf fmt "(@[-%a@])" print3 a
    | Tapp (id, [_;_], _) as t when is_relation id || is_int_arith_binop id ->
	fprintf fmt "(@[%a@])" print0 t
    (* arrays *)
    | Tapp (id, [a; b], _) when id == access ->
	fprintf fmt "(@[%a.%a@])" print0 a print0 b
    | Tapp (id, [a; b; c], _) when id == store ->
	fprintf fmt "(@[%a+*(%a,@ %a)@])" 
	print3 b print0 a print0 c
    | Tapp (id, [a], _) when id == Ident.array_length ->
	fprintf fmt "(@[len %a@])" print0 a
    (* any other application *)
    | Tapp (id, tl, _) when is_relation id || is_arith id -> 
	fprintf fmt "%s(@[%a@])" (prefix_id id) print_terms tl
    | Tapp (id, tl, _) ->
	fprintf fmt "%a(@[%a@])" Ident.print id print_terms tl
    | Tnamed (_, t) -> (* TODO: print name *)
	print3 fmt t
  in
  print0 fmt t

and print_terms fmt tl = 
  print_list comma print_term fmt tl

let infix_relation id =
       if id == t_lt_int || id == t_lt_real then "<" 
  else if id == t_le_int || id == t_le_real then "<="
  else if id == t_gt_int || id == t_gt_real then ">"
  else if id == t_ge_int || id == t_ge_real then ">="
  else if is_eq id then "="
  else if is_neq id then "<>"
  else assert false

let print_predicate fmt p = 
  let rec print0 fmt = function
    | Pimplies (_, a, b) ->
	fprintf fmt "(@[%a implies@ %a@])" print1 a print0 b
    | Piff ( a, b) ->
	fprintf fmt "(@[%a iff@ %a@])" print1 a print0 b
    | Pif (a, b, c) ->
	fprintf fmt "(@[(%a = TRUE implies %a) &@ (%a = FALSE implies %a)@])" 
	print_term a print0 b print_term a print0 c
    | p -> 
	print1 fmt p
  and print1 fmt = function
    | Por (a, b) ->
	fprintf fmt "@[%a or@ %a@]" print2 a print1 b
    | p ->
	print2 fmt p
  and print2 fmt = function
    | Pand (_, _, a, b) | Forallb (_, a, b) ->
	fprintf fmt "@[%a &@ %a@]" print3 a print2 b
    | p ->
	print3 fmt p
  and print3 fmt = function
    | Ptrue ->
	fprintf fmt "not contradiction"
    | Pvar id when id == Ident.default_post ->
	fprintf fmt "not contradiction"
    | Pfalse ->
	fprintf fmt "contradiction"
    | Pvar id -> 
	fprintf fmt "%a" Ident.print id
    | Papp (id, tl, _) when id == t_distinct ->
	fprintf fmt "@[(%a)@]" print0 (Util.distinct tl)
    | Papp (id, [a; b], _) when is_relation id ->
	fprintf fmt "@[%a %s@ %a@]" 
	print_term a (infix_relation id) print_term b
    | Papp (id, [a; b], _) when id == t_zwf_zero ->
	fprintf fmt "@[(0 <= %a &@ %a < %a)@]" 
	print_term b print_term a print_term b
    | Papp (id, tl, _) when is_relation id || is_arith id ->
	fprintf fmt "@[%s(%a)@]" (prefix_id id) print_terms tl
    | Papp (id, tl, _) -> 
	fprintf fmt "@[%a(%a)@]" Ident.print id print_terms tl
    | Pnot a ->
	fprintf fmt "@[not %a@]" print3 a
    | Forall (_,id,n,t,_,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[for %s@ being %a holds@ %a@])" (Ident.string id')
	  print_pure_type t print0 p'
    | Exists (id,n,t,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[ex %s being %a st@ %a@])" (Ident.string id')
	  print_pure_type t print0 p'
    | Pnamed (_, p) -> (* TODO: print name *)
	print3 fmt p
    | Plet (_, n, _, t, p) ->
	print3 fmt (subst_term_in_predicate n t p)
    | (Por _ | Piff _ | Pand _ | Pif _ | Pimplies _ | Forallb _) as p -> 
	fprintf fmt "(%a)" print0 p
  in
  print0 fmt p

let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "@[for %a being @[%a@] holds@]@\n" 
	  Ident.print id print_pure_type v;
	print_seq fmt hyps
    | Spred (_, p) :: hyps -> 
	fprintf fmt "@[(@[%a@]) %s@]@\n" print_predicate p
	  (match hyps with Spred _ :: _ -> "&" | _ -> "implies");
	print_seq fmt hyps
  in
  let print_intro fmt = function
    | Svar (id, v) -> 
	fprintf fmt "let %a be @[%a@];@\n" Ident.print id print_pure_type v
    | Spred (id, p) -> 
	fprintf fmt "assume %a: @[%a@];@\n" Ident.print id print_predicate p
  in
  let print_intros fmt = List.iter (print_intro fmt) in
  fprintf fmt "@[ @[%a@]@\nproof@\n @[%a@]:: EDIT BELOW THIS LINE@]" 
    print_seq hyps print_intros hyps

let rec print_thesis fmt = function
  | Pand (_, _, t1, t2) -> fprintf fmt "%a@ %a" print_thesis t1 print_thesis t2
  | t -> fprintf fmt "@[thus %a@];" print_predicate t

let reprint_obligation fmt loc _is_lemma _expl id s =
  let s = s.Env.scheme_type in
  fprintf fmt "@[ :: %a @]@\n" (Loc.report_obligation_position ~onlybasename:true) loc;
  fprintf fmt "@[ (*Why goal*) theorem %s:@\n @[%a@]@]@\n" id print_sequent s
  (*;
  fprintf fmt "@[ :: %a @]@\n@\n" Util.print_explanation expl
  *)

let print_obligation fmt loc is_lemma expl id s =
  reprint_obligation fmt loc is_lemma expl id s;
  let t = snd s.Env.scheme_type in
  fprintf fmt "@[  :: FILL PROOF HERE@\n  @[%a@]@]@\n end;@\n" print_thesis t

let print_logic _fmt _id t = 
  let _ = Env.specialize_logic_type t in
  assert false (*TODO*)

let reprint_logic fmt id t = print_logic fmt id t

let reprint_axiom _fmt _id p =
  let _ = Env.specialize_predicate p in
  assert false (*TODO*)
  (*
  fprintf fmt "@[ :: Why Axiom @]@\n";
  fprintf fmt "@[ theorem %s:@\n @[%a@];@]@\n" id print_predicate p *)

let print_axiom = reprint_axiom

open Regen

module Gen = Regen.Make(
struct

  let print_element fmt e = 
    begin match e with
      | Parameter _ -> assert false
      | Program _ -> assert false
      | Obligation (loc, is_lemma, expl, id, s) -> 
	  print_obligation fmt loc is_lemma expl id s
      | Logic (id, t) -> print_logic fmt id t
      | Axiom (id, p) -> print_axiom fmt id p
      | Predicate _ -> assert false (*TODO*)
      | Inductive _ -> assert false (*TODO*)
      | Function _ -> assert false (*TODO*)
      | AbstractType _ -> assert false (*TODO*)
      | AlgebraicType _ -> assert false (*TODO*)
    end;
    fprintf fmt "@\n"
      
  let reprint_element fmt = function
    | Parameter _ -> assert false
    | Program _ -> assert false
    | Obligation (loc, is_lemma, expl, id, s) -> 
	reprint_obligation fmt loc is_lemma expl id s
    | Logic (id, t) -> reprint_logic fmt id t
    | Axiom (id, p) -> reprint_axiom fmt id p
    | Predicate _ -> assert false (*TODO*)
    | Inductive _ -> assert false (*TODO*)
    | Function _ -> assert false (*TODO*)
    | AbstractType _ -> assert false (*TODO*)
    | AlgebraicType _ -> assert false (*TODO*)

  let re_oblig_loc = Str.regexp " :: Why obligation from .*"

  let environ = " vocabularies INT_1, ARYTM_1, MARGREL1, ALGSTR_1, FUNCT_1, FUNCT_4, FINSEQ_1,
  AFINSQ_1, WHY;
 notations TARSKI, SUBSET_1, ARYTM_0, XCMPLX_0, XREAL_0, REAL_1, INT_1,
  MARGREL1, ALGSTR_1, AFINSQ_1, WHY;
 constructors NAT_1, ALGSTR_1, AFINSQ_1, WHY;
 clusters XREAL_0, INT_1, WHY;
 requirements BOOLE, SUBSET, ARITHM, REAL, NUMERALS;
 theorems AXIOMS, XCMPLX_1, SQUARE_1, REAL_1, INT_1, WHY;"

  let first_time fmt =
    fprintf fmt "\
:: This file was originally generated by why.
:: It can be modified; only the generated parts will be overwritten. 

environ
%s

begin :: proof obligations start here
" (match mizar_environ with None -> environ | Some s -> s)

  let first_time_trailer _fmt = ()

  let edit_below = Str.regexp "[ ]*:: EDIT BELOW THIS LINE[ ]*"
  let not_end_of_element _ s = not (Str.string_match edit_below s 0)

end)

let reset = Gen.reset

let push_obligations = 
  List.iter (fun (loc,expl,l,s) -> Gen.add_elem (Oblig, l) 
	       (Obligation (loc,false,expl,l,s)))

let push_parameter id v =
  Gen.add_elem (Param, id) (Parameter (id,v))

let _ = 
  Gen.add_regexp 
    " theorem[ ]+\\(.*_po_[0-9]+\\)[ ]*:[ ]*" Oblig;
  Gen.add_regexp 
    "(\\*Why goal\\*) theorem[ ]+\\([^ ]*\\)[ ]*:[ ]*" Oblig;
  Gen.add_regexp 
    "(\\*Why\\*) Parameter[ ]+\\([^ ]*\\)[ ]*:[ ]*" Param

let output_file fwe =
  let f = fwe ^ "_why.miz" in
  Gen.output_file ~margin:75 f
why-2.34/src/error.mli0000644000175000017500000000740512311670312013246 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Errors. *)

open Format

type t = 
  | UnboundVariable of Ident.t
  | UnboundReference of Ident.t
  | UnboundArray of Ident.t
  | UnboundLabel of string
  | ReboundLabel of string
  | UnboundException of Ident.t
  | UnboundType of Ident.t
  | Clash of Ident.t
  | ClashParam of Ident.t
  | ClashExn of Ident.t
  | ClashRef of Ident.t
  | ClashType of Ident.t
  | Undefined of Ident.t
  | NotAReference of Ident.t
  | NotAnArray of Ident.t
  | NotAnIndex
  | HasSideEffects
  | ShouldBeBoolean
  | ShouldBeAlgebraic
  | ShouldBeAnnotated
  | CannotBeMutable
  | MustBePure
  | BranchesSameType
  | LetRef
  | VariantInformative
  | ShouldBeInformative
  | AppNonFunction
  | TooManyArguments
  | TooComplexArgument
  | Alias of Ident.t
  | PartialApp
  | TermExpectedType of (formatter -> unit) * (formatter -> unit)
  | ExpectedType of (formatter -> unit)
  | ExpectedType2 of (formatter -> unit) * (formatter -> unit)
  | ExpectsAType of Ident.t
  | ExpectsATerm of Ident.t
  | ShouldBeVariable
  | ShouldBeReference of Ident.t
  | ShouldNotBeReference
  | IllTypedArgument of (formatter -> unit)
  | NoVariableAtDate of Ident.t * string
  | MutableExternal
  | AnyMessage of string
  | ExceptionArgument of Ident.t * bool
  | CannotBeRaised of Ident.t
  | MutableMutable
  | PolymorphicGoal
  | NonExhaustive of Ident.t
  | PatternBadArity
  | TypeBadArity
  | TypeArity of Ident.t * int * int
  | GlobalWithEffects of Ident.t * Effect.t
  | IllformedPattern
  | CannotGeneralize
  | IllegalComparison of (formatter -> unit)

why-2.34/src/project.mli0000644000175000017500000000723012311670312013557 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


type goal = private {
  goal_expl : Logic_decl.vc_expl;
  goal_file : string;
  sub_goal : goal list;
  proof : (string*string*string*string*string) list;
  mutable goal_tags : (string*string) list;
}

type lemma = private {
  lemma_name : string;
  lemma_loc : Loc.floc;
  lemma_goal : goal; 
  mutable lemma_tags : (string*string) list; 
}

type behavior = {
  behavior_name : string;
  behavior_loc : Loc.floc;
  mutable behavior_goals : goal list;
  mutable behavior_tags : (string*string) list; 
}

type funct = private {
  function_name : string;
  function_loc : Loc.floc;
  mutable function_behaviors : behavior list;
  mutable function_tags : (string*string) list; 
}
  

type t = private {
  project_name : string;
  mutable project_context_file : string;
  mutable project_lemmas : lemma list;
  mutable project_functions : funct list;
}

(* creations *)
val create : string -> t
val set_project_context_file : t -> string -> unit
val add_lemma : t -> string -> Logic_decl.vc_expl -> string -> lemma
val add_function : t -> string -> Loc.floc -> funct
val add_behavior : funct -> string -> Loc.floc -> behavior
val add_goal : behavior -> Logic_decl.vc_expl -> string -> goal

(* toggle visibility *)

val toggle_lemma : lemma -> unit
val toggle_function : funct -> unit
val toggle_behavior : behavior -> unit
val toggle_goal : goal -> unit

(* save/load *)

val save : t -> string -> unit

val load : string -> t
why-2.34/src/coq.ml0000644000175000017500000012360112311670312012523 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Options
open Logic
open Logic_decl
open Types
open Vcg
open Cc
open Ident
open Util
open Format
open Misc
open Cc
open Pp

(* common to V7 and V8 *)

let is_coq_keyword =
  let ht = Hashtbl.create 50  in
  List.iter (fun kw -> Hashtbl.add ht kw ())
    ["at"; "cofix"; "exists2"; "fix"; "IF"; "mod"; "Prop";
     "return"; "Set"; "Type"; "using"; "where"];
  Hashtbl.mem ht

let rename s = if is_coq_keyword s then "why__" ^ s else s
let idents fmt s = fprintf fmt "%s" (rename s)
let ident fmt id = fprintf fmt "%s" (rename (Ident.string id))

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "Z"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "R"
  | PTexternal ([v], id) when id == farray ->
      fprintf fmt "(array %a)" print_pure_type v
  | PTexternal([],id) -> ident fmt id
  | PTexternal(l,id) ->
      fprintf fmt "(%a %a)"
      ident id (print_list space print_pure_type) l
  | PTvar { type_val = Some t} ->
      fprintf fmt "%a" print_pure_type t
  | PTvar v ->
      fprintf fmt "A%d" v.tag

let instance = print_list space print_pure_type

let prefix_id id =
  (* int cmp *)
  if id == t_lt_int then "Z_lt_ge_bool"
  else if id == t_le_int then "Z_le_gt_bool"
  else if id == t_gt_int then "Z_gt_le_bool"
  else if id == t_ge_int then "Z_ge_lt_bool"
  else if id == t_eq_int then "Z_eq_bool"
  else if id == t_neq_int then "Z_noteq_bool"
  (* real cmp *)
  else if id == t_lt_real then "R_lt_ge_bool"
  else if id == t_le_real then "R_le_gt_bool"
  else if id == t_gt_real then "R_gt_le_bool"
  else if id == t_ge_real then "R_ge_lt_bool"
  else if id == t_eq_real then "R_eq_bool"
  else if id == t_neq_real then "R_noteq_bool"
  (* bool cmp *)
  else if id == t_eq_bool then "B_eq_bool"
  else if id == t_neq_bool then "B_noteq_bool"
  (* unit cmp *)
  else if id == t_eq_unit then "U_eq_bool"
  else if id == t_neq_unit then "U_noteq_bool"
  (* int ops *)
  else if id == t_add_int then "Zplus"
  else if id == t_sub_int then "Zminus"
  else if id == t_mul_int then "Zmult"
(*
  else if id == t_div_int then "Zdiv"
  else if id == t_mod_int then "Zmod"
*)
  else if id == t_neg_int then "Zopp"
  (* real ops *)
  else if id == t_add_real then "Rplus"
  else if id == t_sub_real then "Rminus"
  else if id == t_mul_real then "Rmult"
  else if id == t_div_real then "Rdiv"
  else if id == t_neg_real then "Ropp"
  else if id == t_sqrt_real then "sqrt"
  else if id == t_real_of_int then "IZR"
  else if id == t_int_of_real then "int_of_real"
  else assert false

let infix_relation id =
       if id == t_lt_int then "<"
  else if id == t_le_int then "<="
  else if id == t_gt_int then ">"
  else if id == t_ge_int then ">="
  else if id == t_eq_int then "="
  else if id == t_neq_int then "<>"
  else assert false

let pprefix_id id =
  if id == t_lt_real then "Rlt"
  else if id == t_le_real then "Rle"
  else if id == t_gt_real then "Rgt"
  else if id == t_ge_real then "Rge"
  else assert false

let rec collect_app l = function
  | CC_app (e1, e2) -> collect_app (e2 :: l) e1
  | p -> p :: l

let print_binder_id fmt (id,_) = ident fmt id

let collect_lambdas x =
  let rec collect bl = function
    | CC_lam (b,c) -> collect (b :: bl) c
    | c -> List.rev bl, c
  in
  collect [] x

(* printers for Coq V7 *)

let inz = ref 0
let openz fmt = if !inz == 0 then fprintf fmt "`@["; incr inz
let closez fmt = decr inz; if !inz == 0 then fprintf fmt "@]`"

let print_term_v7 fmt t =
  let rec print0 fmt = function
    | Tapp (id, [a;b], _) when is_relation id ->
	fprintf fmt "(@[%s@ %a@ %a@])" (prefix_id id)
	print1 a print1 b
    | t ->
	print1 fmt t
  and print1 fmt = function
    | Tapp (id, [a;b], _) when id == t_add_int ->
	openz fmt; fprintf fmt "%a +@ %a" print1 a print2 b; closez fmt
    | Tapp (id, [a;b], _) when id == t_sub_int ->
	openz fmt; fprintf fmt "%a -@ %a" print1 a print2 b; closez fmt
    | t ->
	print2 fmt t
  and print2 fmt = function
    | Tapp (id, [a;b], _) when id == t_mul_int ->
	openz fmt; fprintf fmt "%a *@ %a" print2 a print3 b; closez fmt
(*
    | Tapp (id, [a;b], _) when id == t_div_int ->
	fprintf fmt "(@[Zdiv %a@ %a@])" print3 a print3 b
    | Tapp (id, [a;b], _) when id == t_mod_int ->
	fprintf fmt "(@[Zmod %a@ %a@])" print3 a print3 b
*)
    | t ->
	print3 fmt t
  and print3 fmt = function
    | Tconst (ConstInt n) ->
	openz fmt; fprintf fmt "%s" n; closez fmt
    | Tconst (ConstBool b) ->
	fprintf fmt "%b" b
    | Tconst ConstUnit ->
	fprintf fmt "tt"
    | Tconst (ConstFloat _) ->
	assert (!inz == 0); (* TODO: reals inside integer expressions *)
	failwith "real constants not supported with Coq V7"
    | Tvar id when id == implicit ->
	fprintf fmt "?"
    | Tvar id when id == t_zwf_zero ->
	fprintf fmt "(Zwf ZERO)"
    | Tvar id | Tapp (id, [], []) ->
	ident fmt id
    | Tapp (id, [], i) ->
	fprintf fmt "(@[@@%a %a@])" ident id instance i
    | Tderef _ ->
	assert false
    | Tapp (id, [t], _) when id == t_neg_int ->
	openz fmt; fprintf fmt "(-%a)" print3 t; closez fmt
    | Tapp (id, [_;_], _) as t when is_relation id || is_int_arith_binop id ->
	fprintf fmt "@[(%a)@]" print0 t
    | Tapp (id, [a; b; c], _) when id == if_then_else ->
	(* was print0 instead of print3, was wrong because printed
	     if_then_else (x < y) y-x x-y
	   missing parentheses
	*)
	fprintf fmt "(@[if_then_else %a@ %a@ %a@])" print3 a print3 b print3 c
    | Tapp (id, tl, _) when id == t_zwf_zero ->
	fprintf fmt "(@[Zwf 0 %a@])" print_terms tl
    | Tapp (id, tl, _) when is_relation id || is_arith id ->
	fprintf fmt "(@[%s@ %a@])" (prefix_id id) print_terms tl
    | Tapp (id, tl, _) ->
	fprintf fmt "(@[%a@ %a@])" ident id print_terms tl
    | Tnamed (User n, t) ->
	fprintf fmt "@[((* %s *)@ %a)@]" n print3 t
    | Tnamed (_, t) -> print3 fmt t
  and print_terms fmt tl =
    print_list space print0 fmt tl
  in
  print0 fmt t

let print_predicate_v7 fmt p =
  let rec print0 fmt = function
    | Pif (a, b, c) ->
	fprintf fmt "(@[if %a@ then %a@ else %a@])"
	  print_term_v7 a print0 b print0 c
    | Pimplies (_, a, b) ->
	fprintf fmt "(@[%a ->@ %a@])" print1 a print0 b
    | Piff (a, b) ->
	fprintf fmt "(@[%a <->@ %a@])" print1 a print0 b
    | p -> print1 fmt p
  and print1 fmt = function
    | Por (a, b) -> fprintf fmt "%a \\/@ %a" print2 a print1 b
    | p -> print2 fmt p
  and print2 fmt = function
    | Pand (_, _, a, b) | Forallb (_, a, b) ->
        fprintf fmt "%a /\\@ %a" print3 a print2 b
    | p -> print3 fmt p
  and print3 fmt = function
    | Ptrue ->
	fprintf fmt "True"
    | Pvar id when id == Ident.default_post ->
	fprintf fmt "True"
    | Pfalse ->
	fprintf fmt "False"
    | Pvar id ->
	ident fmt id
    | Papp (id, tl, _) when id == t_distinct ->
	fprintf fmt "@[(%a)@]" print0 (Util.distinct tl)
    | Papp (id, [t], _) when id == well_founded ->
	fprintf fmt "@[(well_founded %a)@]" print_term_v7 t
    | Papp (id, [a;b], _) when id == t_zwf_zero ->
	fprintf fmt "(Zwf `0` %a %a)" print_term_v7 a print_term_v7 b
    | Papp (id, [a;b], _) when is_int_comparison id ->
	openz fmt;
	fprintf fmt "%a %s@ %a"
	  print_term_v7 a (infix_relation id) print_term_v7 b;
	closez fmt
    | Papp (id, [a;b], _) when id == t_eq_real ->
	fprintf fmt "(@[eqT R %a %a@])" print_term_v7 a print_term_v7 b
    | Papp (id, [a;b], _) when id == t_neq_real ->
	fprintf fmt "~(@[eqT R %a %a@])" print_term_v7 a print_term_v7 b
    | Papp (id, [a;b], _) when is_eq id ->
	fprintf fmt "@[%a =@ %a@]" print_term_v7 a print_term_v7 b
    | Papp (id, [a;b], _) when is_neq id ->
	fprintf fmt "@[~(%a =@ %a)@]" print_term_v7 a print_term_v7 b
    | Papp (id, [a;b], _) when is_real_comparison id ->
	fprintf fmt "(@[%s %a %a@])"
	(pprefix_id id) print_term_v7 a print_term_v7 b
    | Papp (id, l, _) ->
	fprintf fmt "(@[%a %a@])" ident id
	  (print_list space print_term_v7) l
    | Pnot p ->
	fprintf fmt "~%a" print3 p
    | Forall (_,id,n,t,_,p) ->
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[(%a:%a)@ %a@])" ident id'
	  print_pure_type t print0 p'
    | Exists (id,n,t,p) ->
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[EX %a:%a |@ %a@])" ident id'
	  print_pure_type t print0 p'
    | Pnamed (User n, p) ->
	fprintf fmt "@[((* %s *)@ %a)@]" n print3 p
    | Pnamed (_, p) -> print3 fmt p
    | Plet (_, x, _, t, p) -> print3 fmt (subst_term_in_predicate x t p)
    | (Por _ | Piff _ | Pand _ | Pif _ | Pimplies _ | Forallb _) as p ->
	fprintf fmt "(%a)" print0 p
  in
  print0 fmt p

let rec print_cc_type_v7 fmt = function
  | TTpure pt ->
      print_pure_type fmt pt
  | TTarray v ->
      fprintf fmt "(@[array@ %a@])" print_cc_type_v7 v
  | TTlambda (b, t) ->
      fprintf fmt "[%a]@,%a" print_binder_v7 b print_cc_type_v7 t
(*i***
  | TTarrow ((id, CC_var_binder t1), t2) when not (occur_cc_type id t2) ->
      fprintf fmt "%a -> %a" print_cc_type t1 print_cc_type t2
***i*)
  | TTarrow (b, t) ->
      fprintf fmt "(%a)@,%a" print_binder_v7 b print_cc_type_v7 t
  | TTtuple ([_,CC_var_binder t], None) ->
      print_cc_type_v7 fmt t
  | TTtuple (bl, None) ->
      fprintf fmt "(@[tuple_%d@ %a@])" (List.length bl)
	(print_list space print_binder_type_v7) bl
  | TTtuple (bl, Some q) ->
      fprintf fmt "(@[sig_%d@ %a@ %a(%a)@])" (List.length bl)
	(print_list space print_binder_type_v7) bl
	(print_list nothing
	   (fun fmt b -> fprintf fmt "[%a]@," print_binder_v7 b)) bl
	print_cc_type_v7 q
  | TTpred p ->
      print_predicate_v7 fmt p
  | TTapp (tt, l) ->
      fprintf fmt "(@[%a@ %a@])" print_cc_type_v7 tt
	(print_list space print_cc_type_v7) l
  | TTterm t ->
      print_term_v7 fmt t
  | TTSet ->
      fprintf fmt "Set"

and print_binder_v7 fmt (id,b) =
  ident fmt id;
  match b with
    | CC_pred_binder p -> fprintf fmt ": %a" print_predicate_v7 p
    | CC_var_binder t -> fprintf fmt ": %a" print_cc_type_v7 t
    | CC_untyped_binder -> ()

and print_binder_type_v7 fmt = function
  | _, CC_var_binder t -> print_cc_type_v7 fmt t
  | _ -> assert false


let print_sequent_v7 fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate_v7 fmt concl
    | Svar (id, v) :: hyps ->
	fprintf fmt "(%a: @[%a@])@\n" ident id print_pure_type v;
	print_seq fmt hyps
    | Spred (id, p) :: hyps ->
	fprintf fmt "(%a: @[%a@])@\n" ident id print_predicate_v7 p;
	print_seq fmt hyps
  in
  fprintf fmt "@[%a@]@?" print_seq hyps

let print_lambdas_v7 = print_list semi print_binder_v7

let rec print_gen_cc_term_v7 print_hole fmt t =
  let print_cc_term_v7 = print_gen_cc_term_v7 print_hole in
    match t with
      | CC_var id ->
 	  ident fmt id
      | CC_lam _ as t ->
	  let bl,c = collect_lambdas t in
	    fprintf fmt "@[[@[%a@]]@,%a@]"
	      print_lambdas_v7 bl print_cc_term_v7 c
      | CC_app (f,a) ->
	  let tl = collect_app [a] f in
	    fprintf fmt "@[(%a)@]" (print_list space print_cc_term_v7) tl
      | CC_tuple (cl, None) ->
	  fprintf fmt "(Build_tuple_%d %a)" (List.length cl)
	    (print_list space print_cc_term_v7) cl
      | CC_tuple (cl, Some q) ->
	  fprintf fmt "(exist_%d %a %a)" (List.length cl - 1)
	    print_cc_type_v7 q (print_list space print_cc_term_v7) cl
	    (* special treatment for the if-then-else *)
      | CC_letin (_, bl, e1,
		  CC_if (CC_var idb,
			 CC_lam ((idt, CC_pred_binder _), brt),
			 CC_lam ((idf, CC_pred_binder _), brf)))
	  when annotated_if idb bl ->
	  let qb, q = annotation_if bl in
	    fprintf fmt "@[@[let (%a) =@ %a in@]@\n@[Cases@ (@[btest@ @[[%a:bool]@,%a@] %a@ %a@]) of@]@\n| @[(left %a) =>@ %a@]@\n| @[(right %a) =>@ %a@] end@]"
	      (print_list comma print_binder_id) bl print_cc_term_v7 e1
	      ident idb print_predicate_v7 q ident idb ident qb
	      ident idt print_cc_term_v7 brt
	      ident idf print_cc_term_v7 brf
	      (* non-dependent boolean if-then-else (probably not of use) *)
      | CC_if (b,e1,e2) ->
	  fprintf fmt "@[if "; print_cc_term_v7 fmt b; fprintf fmt " then@\n  ";
	  hov 0 fmt (print_cc_term_v7 fmt) e1;
	  fprintf fmt "@\nelse@\n  ";
	  hov 0 fmt (print_cc_term_v7 fmt) e2;
	  fprintf fmt "@]"
      | CC_case (e, pl) ->
	  let print_case_v7 fmt (p,e) =
	    fprintf fmt "@[| %a =>@ %a@]"
	      print_cc_pattern p print_cc_term_v7 e
	  in
	    fprintf fmt "@[Cases %a of@\n%a@\nend@]" print_cc_term_v7 e
	      (print_list newline print_case_v7) pl
      | CC_letin (_,[id,_],c,c1) ->
	  fprintf fmt "@[@[let %a =@ %a in@]@\n%a@]"
	    ident id print_cc_term_v7 c print_cc_term_v7 c1
      | CC_letin (_,bl,c,c1) ->
	  fprintf fmt "@[@[let (%a) =@ %a in@]@\n%a@]"
	    (print_list comma print_binder_id) bl
	    print_cc_term_v7 c print_cc_term_v7 c1
      | CC_term c ->
	  fprintf fmt "@[%a@]" print_term_v7 c
       | CC_hole pr ->
 	  print_hole fmt pr
      | CC_type t ->
	  print_cc_type_v7 fmt t
      | CC_any _ ->
	  Report.raise_unlocated
	    (Error.AnyMessage "can't produce a validation for an incomplete program")

let rec print_proof_v7 fmt = function
  | Lemma (s, []) ->
      fprintf fmt "%s" s
  | Lemma (s, vl) ->
      fprintf fmt "@[(%s %a)@]" s (print_list space ident) vl
  | True ->
      fprintf fmt "I"
  | Reflexivity t ->
      fprintf fmt "@[(refl_equal ? %a)@]" print_term_v7 t
  | Assumption id ->
      ident fmt id
  | Proj1 id ->
      fprintf fmt "@[(proj1 ? ? %a)@]" ident id
  | Proj2 id ->
      fprintf fmt "@[(proj2 ? ? %a)@]" ident id
  | Conjunction (id1, id2) ->
      fprintf fmt "@[(conj ? ? %a %a)@]" ident id1 ident id2
  | WfZwf t ->
      fprintf fmt "(Zwf_well_founded %a)" print_term_v7 t
  | Loop_variant_1 (h, h') ->
      fprintf fmt "(loop_variant_1 %a %a)" ident h ident h'
  | Absurd h ->
      fprintf fmt "(False_ind ? %a)" ident h
  | ProofTerm t ->
      fprintf fmt "@[%a@]" print_cc_term_v7 t
  | ShouldBeAWp ->
      Report.raise_unlocated
	(Error.AnyMessage "can't produce a validation for an incomplete program")

and print_cc_term_v7 x = print_gen_cc_term_v7 print_proof_v7 x

let print_cc_functional_program_v7 =
  print_gen_cc_term_v7 (fun fmt (_loc, p) -> print_predicate_v7 fmt p)

(* printers for Coq V8 *)

let print_term_v8 fmt t =
  let rec print0 fmt = function
    | Tapp (id, [a;b], _) when is_relation id ->
	fprintf fmt "(@[%s@ %a@ %a@])" (prefix_id id)
	print3 a print3 b
    | t ->
	print1 fmt t
  and print1 fmt = function
    | Tapp (id, [a;b], _) when id == t_add_int ->
	fprintf fmt "%a +@ %a" print1 a print2 b
    | Tapp (id, [a;b], _) when id == t_sub_int ->
	fprintf fmt "%a -@ %a" print1 a print2 b
    | t ->
	print2 fmt t
  and print2 fmt = function
    | Tapp (id, [a;b], _) when id == t_mul_int ->
	fprintf fmt "%a *@ %a" print2 a print3 b
(*
    | Tapp (id, [a;b], _) when id == t_div_int ->
	fprintf fmt "(@[Zdiv %a@ %a@])" print3 a print3 b
    | Tapp (id, [a;b], _) when id == t_mod_int ->
	fprintf fmt "(@[Zmod %a@ %a@])" print3 a print3 b
*)
    | t ->
	print3 fmt t
  and print3 fmt = function
    | Tconst (ConstInt n) ->
	fprintf fmt "%s" n
    | Tconst (ConstBool b) ->
	fprintf fmt "%b" b
    | Tconst ConstUnit ->
	fprintf fmt "tt"
    | Tconst (ConstFloat c) ->
	Print_real.print_with_integers
	  "(%s)%%R" "(%s * %s)%%R" "(%s / %s)%%R" fmt c
    | Tvar id when id == implicit ->
	fprintf fmt "?"
    | Tvar id when id == t_zwf_zero ->
	fprintf fmt "(Zwf Z0)"
    | Tvar id | Tapp (id, [], []) ->
	ident fmt id
    | Tapp (id, [], i) ->
	fprintf fmt "(@[@@%a %a@])" ident id instance i
    | Tderef _ ->
	assert false
    | Tapp (id, [a; Tapp (id', [b], _)], _)
      when id == t_pow_real && id' == t_real_of_int ->
	fprintf fmt "(@[powerRZ@ %a@ %a@])" print3 a print3 b
    | Tapp (id, [a;b], _) when id == t_pow_real ->
	fprintf fmt "(@[Rpower@ %a@ %a@])" print3 a print3 b
    | Tapp (id, [a], _) when id == t_abs_real ->
	fprintf fmt "(@[Rabs@ %a@])" print3 a
    | Tapp (id, [t], _) when id == t_neg_int ->
	begin
	  (* special case for -constant to avoid extra "simpl" *)
	  match t with
	    | Tconst (ConstInt n) -> fprintf fmt "(-%s)" n
	    | _ -> fprintf fmt "(Zopp@ %a)" print3 t
	end
    | Tapp (id, [_;_], _) as t when is_relation id || is_int_arith_binop id ->
	fprintf fmt "@[(%a)@]" print0 t
    | Tapp (id, [a; b; c], _) when id == if_then_else ->
	fprintf fmt "(@[if_then_else %a@ %a@ %a@])" print0 a print0 b print0 c
    | Tapp (id, tl, _) when id == t_zwf_zero ->
	fprintf fmt "(@[Zwf 0 %a@])" print_terms tl
    | Tapp (id, tl, _) when is_relation id || is_arith id ->
	fprintf fmt "(@[%s@ %a@])" (prefix_id id) print_terms tl
    | Tapp (id, tl, _) ->
	fprintf fmt "(@[%a@ %a@])" ident id print_terms tl
    | Tnamed (User n, t) ->
	fprintf fmt "@[((* %s *)@ %a)@]" n print3 t
    | Tnamed (_, t) -> print3 fmt t
  and print_terms fmt tl =
    print_list space print3 fmt tl
  in
  print3 fmt t

let print_predicate_v8 fmt p =
  let rec print0 fmt = function
    | Pif (a, b, c) ->
	fprintf fmt "(@[if %a@ then %a@ else %a@])"
	  print_term_v8 a print0 b print0 c
    | Pimplies (_, a, b) ->
	fprintf fmt "(@[%a ->@ %a@])" print1 a print0 b
    | Piff (a, b) ->
	fprintf fmt "(@[%a <->@ %a@])" print1 a print0 b
    | p -> print1 fmt p
  and print1 fmt = function
    | Por (a, b) -> fprintf fmt "%a \\/@ %a" print2 a print1 b
    | p -> print2 fmt p
  and print2 fmt = function
    | Pand (_, _, a, b) | Forallb (_, a, b) ->
        fprintf fmt "%a /\\@ %a" print3 a print2 b
    | p -> print3 fmt p
  and print3 fmt = function
    | Ptrue ->
	fprintf fmt "True"
    | Pvar id when id == Ident.default_post ->
	fprintf fmt "True"
    | Pfalse ->
	fprintf fmt "False"
    | Pvar id ->
	ident fmt id
    | Papp (id, tl, _) when id == t_distinct ->
	fprintf fmt "@[(%a)@]" print0 (Util.distinct tl)
    | Papp (id, [t], _) when id == well_founded ->
	fprintf fmt "@[(well_founded %a)@]" print_term_v8 t
    | Papp (id, [a;b], _) when id == t_zwf_zero ->
	fprintf fmt "(Zwf 0 %a %a)" print_term_v8 a print_term_v8 b
    | Papp (id, [a;b], _) when is_int_comparison id ->
	fprintf fmt "%a %s@ %a"
	  print_term_v8 a (infix_relation id) print_term_v8 b
    | Papp (id, [a;b], _) when id == t_eq_real ->
	fprintf fmt "(@[eq %a %a@])" print_term_v8 a print_term_v8 b
    | Papp (id, [a;b], _) when id == t_neq_real ->
	fprintf fmt "~(@[eq %a %a@])" print_term_v8 a print_term_v8 b
    | Papp (id, [a;b], _) when is_eq id ->
	fprintf fmt "@[%a =@ %a@]" print_term_v8 a print_term_v8 b
    | Papp (id, [a;b], _) when is_neq id ->
	fprintf fmt "@[~(%a =@ %a)@]" print_term_v8 a print_term_v8 b
    | Papp (id, [a;b], _) when is_real_comparison id ->
	fprintf fmt "(@[%s@ %a@ %a@])"
	(pprefix_id id) print_term_v8 a print_term_v8 b
    | Papp (id, l, _) ->
	fprintf fmt "(@[%a@ %a@])" ident id
	  (print_list space print_term_v8) l
    | Pnot p ->
	fprintf fmt "~%a" print3 p
    | Forall (_,id,n,t,_,p) ->
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[forall (%a:%a),@ %a@])" ident id'
	  print_pure_type t print0 p'
    | Exists (id,n,t,p) ->
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[exists %a:%a,@ %a@])" ident id'
	  print_pure_type t print0 p'
    | Pnamed (User n, p) ->
	fprintf fmt "@[(* %s *)@ %a@]" n print3 p
    | Pnamed (_, p) -> print3 fmt p
    | Plet (id, n, _pt, t, p) ->
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "@[@[let %a :=@ %a in@]@\n%a@]"
	  ident id' print_term_v8 t print0 p'
    | (Por _ | Piff _ | Pand _ | Pif _ | Pimplies _ | Forallb _) as p -> 
	fprintf fmt "(%a)" print0 p
  in
  print0 fmt p

let rec print_cc_type_v8 fmt = function
  | TTpure pt -> 
      print_pure_type fmt pt
  | TTarray v -> 
      fprintf fmt "(@[array@ %a@])" print_cc_type_v8 v
  | TTlambda (b, t) ->
      fprintf fmt "(@[fun %a =>@ %a@])" print_binder_v8 b print_cc_type_v8 t
(*i***
  | TTarrow ((id, CC_var_binder t1), t2) when not (occur_cc_type id t2) -> 
      fprintf fmt "%a -> %a" print_cc_type t1 print_cc_type t2
***i*)
  | TTarrow (b, t) -> 
      fprintf fmt "forall %a,@ %a" print_binder_v8 b print_cc_type_v8 t
  | TTtuple ([_,CC_var_binder t], None) -> 
      print_cc_type_v8 fmt t
  | TTtuple (bl, None) ->
      fprintf fmt "(@[tuple_%d@ %a@])" (List.length bl) 
	(print_list space print_binder_type_v8) bl
  | TTtuple (bl, Some q) -> 
      fprintf fmt "(@[sig_%d@ %a@ (@[fun %a =>@ (%a)@])@])" (List.length bl)
	(print_list space print_binder_type_v8) bl 
	(print_list nothing 
	   (fun fmt b -> fprintf fmt "%a@ " print_binder_v8 b)) bl
	print_cc_type_v8 q
  | TTpred p ->
      print_predicate_v8 fmt p
  | TTapp (tt, l) ->
      fprintf fmt "(@[%a@ %a@])" print_cc_type_v8 tt
	(print_list space print_cc_type_v8) l
  | TTterm t ->
      print_term_v8 fmt t
  | TTSet ->
      fprintf fmt "Set"

and print_binder_v8 fmt (id,b) = match b with
  | CC_pred_binder p ->
      fprintf fmt "(%a: %a)" ident id print_predicate_v8 p
  | CC_var_binder t ->
      fprintf fmt "(%a: %a)" ident id print_cc_type_v8 t
  | CC_untyped_binder ->
      ident fmt id

and print_binder_type_v8 fmt = function
  | _, CC_var_binder t -> print_cc_type_v8 fmt t
  | _ -> assert false


let print_sequent_v8 fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate_v8 fmt concl
    | Svar (id, v) :: hyps ->
	fprintf fmt "forall (%a: @[%a@]),@\n"
	ident id print_pure_type v;
	print_seq fmt hyps
    | Spred (id, p) :: hyps ->
	fprintf fmt "forall (%a: @[%a@]),@\n"
	ident id print_predicate_v8 p;
	print_seq fmt hyps
  in
  fprintf fmt "@[%a@]@?" print_seq hyps

let print_lambdas_v8 = print_list space print_binder_v8

let rec print_gen_cc_term_v8 print_hole fmt t =
  let print_cc_term_v8 = print_gen_cc_term_v8 print_hole in
    match t with
      | CC_var id ->
	  ident fmt id
      | CC_lam _ as t ->
	  let bl,c = collect_lambdas t in
	    fprintf fmt "(@[fun @[%a@] =>@ %a@])"
	      print_lambdas_v8 bl print_cc_term_v8 c
      | CC_app (f,a) ->
	  let tl = collect_app [a] f in
	    (match tl with
	       | [CC_term (Tapp (f, [t], _)); CC_lam (x, u)] when f = nt_bind ->
		   fprintf fmt "@[@[do %s <- @[(%a);@] @ @] @\n %a @]"
		     (Ident.string (fst x)) print_cc_term_v8
		     (CC_term t) print_cc_term_v8 u
	       | [CC_term (Tvar f); t; CC_lam (x, u) ]
	       | [CC_var f; t; CC_lam (x, u) ] when f = nt_bind ->
		   fprintf fmt "@[@[do %s <- @[(%a);@] @ @] @\n %a @]"
		     (Ident.string (fst x)) print_cc_term_v8
		     t print_cc_term_v8 u
	       | tl ->
		   fprintf fmt "@[(%a)@]"
		     (print_list_par space print_cc_term_v8) tl)
      | CC_tuple (cl, None) ->
	  fprintf fmt "(Build_tuple_%d %a)" (List.length cl)
	    (print_list_par space print_cc_term_v8) cl
      | CC_tuple (cl, Some q) ->
	  fprintf fmt "(exist_%d %a %a)" (List.length cl - 1)
	    print_cc_type_v8 q (print_list_par space print_cc_term_v8) cl
	    (* special treatment for the if-then-else *)
      | CC_letin (_, bl, e1,
		  CC_if (CC_var idb,
			 CC_lam ((idt, CC_pred_binder _), brt),
			 CC_lam ((idf, CC_pred_binder _), brf)))
	  when annotated_if idb bl ->
	  let qb, q = annotation_if bl in
	    fprintf fmt "@[@[let (%a) :=@ %a in@]@\n@[match@ (@[btest@ (@[fun (%a:bool) =>@ %a@]) %a@ %a@]) with@]@\n| @[(left %a) =>@ %a@]@\n| @[(right %a) =>@ %a@] end@]"
	      (print_list comma print_binder_id) bl print_cc_term_v8 e1
	      ident idb print_predicate_v8 q ident idb ident qb
	      ident idt print_cc_term_v8 brt
	      ident idf print_cc_term_v8 brf
	      (* non-dependent boolean if-then-else (probably not of use) *)
      | CC_if (b,e1,e2) ->
	  fprintf fmt "@[if "; print_cc_term_v8 fmt b; fprintf fmt " then@\n  ";
	  hov 0 fmt (print_cc_term_v8 fmt) e1;
	  fprintf fmt "@\nelse@\n  ";
	  hov 0 fmt (print_cc_term_v8 fmt) e2;
	  fprintf fmt "@]"
      | CC_case (e, pl) ->
	  let print_case_v8 fmt (p,e) =
	    fprintf fmt "@[| %a =>@ %a@]"
	      print_cc_pattern p print_cc_term_v8 e
	  in
	    fprintf fmt "@[match %a with@\n%a@\nend@]" print_cc_term_v8 e
	      (print_list newline print_case_v8) pl
      | CC_letin (_,[id,_],c,c1) ->
	  fprintf fmt "@[@[let %a :=@ %a in@]@\n%a@]"
	    ident id print_cc_term_v8 c print_cc_term_v8 c1
      | CC_letin (_,bl,c,c1) ->
	  fprintf fmt "@[@[let (%a) :=@ %a in@]@\n%a@]"
	    (print_list comma print_binder_id) bl
	    print_cc_term_v8 c print_cc_term_v8 c1
      | CC_term c ->
	  fprintf fmt "@[%a@]" print_term_v8 c
      | CC_hole pr ->
	  print_hole fmt pr
      | CC_type t ->
	  print_cc_type_v8 fmt t
      | CC_any _ ->
	  Report.raise_unlocated
	    (Error.AnyMessage "can't produce a validation for an incomplete program")

let rec print_proof_v8 fmt = function
  | Lemma (s, []) ->
      fprintf fmt "%s" s
  | Lemma (s, vl) ->
      fprintf fmt "@[(%s %a)@]" s (print_list space ident) vl
  | True ->
      fprintf fmt "I"
  | Reflexivity t ->
      fprintf fmt "@[(refl_equal %a)@]" print_term_v8 t
  | Assumption id ->
      ident fmt id
  | Proj1 id ->
      fprintf fmt "@[(proj1 %a)@]" ident id
  | Proj2 id ->
      fprintf fmt "@[(proj2 %a)@]" ident id
  | Conjunction (id1, id2) ->
      fprintf fmt "@[(conj %a %a)@]" ident id1 ident id2
  | WfZwf t ->
      fprintf fmt "(Zwf_well_founded %a)" print_term_v8 t
  | Loop_variant_1 (h, h') ->
      fprintf fmt "(loop_variant_1 %a %a)" ident h ident h'
  | Absurd h ->
      fprintf fmt "(False_ind _ %a)" ident h
  | ProofTerm t ->
      fprintf fmt "@[%a@]" print_cc_term_v8 t
  | ShouldBeAWp ->
      if debug then Report.raise_unlocated (Error.AnyMessage "should be a WP");
      Report.raise_unlocated
	(Error.AnyMessage "can't produce a validation for an incomplete program")

and print_cc_term_v8 x = print_gen_cc_term_v8 print_proof_v8 x

let print_cc_functional_program_v8 =
  print_gen_cc_term_v8 (fun fmt (_loc, p) -> print_predicate_v8 fmt p)

(* printers selection *)

let v8 = match prover () with Coq V8 | Coq V81 -> true | _ -> false

let v81 = match prover () with Coq V81 -> true | _ -> false

(* totally ugly. To improve if the hack of Dp_hint makes it in official why*)
(* workaround against the fact that coq seems to not export
   Dp_hints when a Require Export is made... *)
let is_last_file = ref false
let library_hints = ref []
let add_library_hints id = library_hints:= id :: !library_hints

let print_term = if v8 then print_term_v8 else print_term_v7
let print_predicate = if v8 then print_predicate_v8 else print_predicate_v7
let print_sequent = if v8 then print_sequent_v8 else print_sequent_v7
let print_cc_type = if v8 then print_cc_type_v8 else print_cc_type_v7
let print_cc_term = if v8 then print_cc_term_v8 else print_cc_term_v7
let print_cc_functional_program =
  if v8 then print_cc_functional_program_v8 else print_cc_functional_program_v7

(* while printing scheme, we rename type variables (for more stability
   of the Coq source); this is safe only because we throw away the types
   as soon as they are printed *)
let print_scheme fmt l =
  let r = ref 0 in
  Env.Vmap.iter
    (fun _ x ->
       incr r;
       x.type_val <- Some (PTvar { tag = !r; user = false; type_val = None });
       if v8 then fprintf fmt "forall (A%d:Set),@ " !r
       else fprintf fmt "(A%d:Set)@ " !r)
    l

let print_sequent fmt s =
  let (l,s) = Env.specialize_sequent s in
  print_scheme fmt l;
  print_sequent fmt s

(*let _ = Vcg.log_print_function := print_sequent*)

let reprint_obligation fmt loc _is_lemma _expl id s =
  fprintf fmt "@[(* %a *)@]@\n" (Loc.report_obligation_position  ~onlybasename:true) loc;
  fprintf fmt "@[(*Why goal*) Lemma %s : @\n%a.@]@\n" id print_sequent s
  (*;
  fprintf fmt "@[(* %a *)@]@\n" Util.print_explanation expl
  *)
 

let print_obligation fmt loc is_lemma expl id s =
  reprint_obligation fmt loc is_lemma expl id s;
  fprintf fmt "Proof.@\n";
  option_iter (fun t -> fprintf fmt "%s.@\n" t) coq_tactic;
  fprintf fmt "(* FILL PROOF HERE *)@\nSave.@\n";
  if is_lemma && v81 && coq_use_dp then 
    fprintf fmt "@[Dp_hint %s.@]@\n" id

let reprint_parameter fmt id c =
  let (l,c) = Env.specialize_cc_type c in
  fprintf fmt
    "@[(*Why*) Parameter %a :@ @[%a%a@].@]@\n" idents id
    print_scheme l print_cc_type c

let print_parameter = reprint_parameter

let print_logic_type fmt s =
  let (l,t) = Env.specialize_logic_type s in
  print_scheme fmt l;
  match t with
  | Function ([], t) ->
      print_pure_type fmt t
  | Function (pl, t) ->
      fprintf fmt "%a -> %a"
	(print_list arrow print_pure_type) pl print_pure_type t
  | Predicate [] ->
      fprintf fmt "Prop"
  | Predicate pl ->
      fprintf fmt "%a -> Prop" (print_list arrow print_pure_type) pl

let reprint_logic fmt id t =
  fprintf fmt
    "@[(*Why logic*) Definition %a :@ @[%a@].@]@\n"
    idents id print_logic_type t

let polymorphic t = not (Env.Vset.is_empty t.Env.scheme_vars)

let implicits_for_logic_type t = match t.Env.scheme_type with
  | Predicate [] -> false
  | Function _ | Predicate _ -> polymorphic t

let implicits_for_predicate t = 
  let (bl,_) = t.Env.scheme_type in bl <> [] && polymorphic t

let is_logic_constant t = match t.Env.scheme_type with
  | Function ([],_) -> true
  | Function _ | Predicate _ -> false

let print_logic fmt id t =
  reprint_logic fmt id t;
  fprintf fmt "Admitted.@\n";
  if implicits_for_logic_type t then
    begin
      let b = is_logic_constant t in
      if b then fprintf fmt "Set Contextual Implicit.@\n";
      fprintf fmt "Implicit Arguments %a.@\n" idents id;
      if b then fprintf fmt "Unset Contextual Implicit.@\n";
    end

let print_predicate_scheme fmt p =
  let (l,p) = Env.specialize_predicate p in
  print_scheme fmt l;
  print_predicate fmt p

let reprint_axiom fmt id p =
  fprintf fmt
    "@[(*Why axiom*) Lemma %a :@ @[%a@].@]@\n"
    idents id print_predicate_scheme p

let print_axiom fmt id p =
  reprint_axiom fmt id p;
  fprintf fmt "Admitted.@\n";
  if v81 && coq_use_dp then 
    fprintf fmt "@[Dp_hint %a.@]@\n" idents id;
  if not !is_last_file then add_library_hints id
  (* if is_polymorphic p then fprintf fmt "Implicit Arguments %s.@\n" id *)

let print_poly fmt x =
  if v8 then fprintf fmt "(A%d:Set)" x.tag else fprintf fmt "[A%d:Set]" x.tag

let reprint_predicate_def fmt id p =
  let (l,(bl,p)) = Env.specialize_predicate_def p in
  let l = Env.Vmap.fold (fun _ t acc -> t :: acc) l [] in
  let print_binder fmt (x,pt) =
    if v8 then
      fprintf fmt "(%a:%a)" ident x print_pure_type pt
    else
      fprintf fmt "[%a:%a]" ident x print_pure_type pt
  in
  fprintf fmt
     "@[(*Why predicate*) Definition %a %a %a@ := @[%a@].@]@\n"
    idents id
    (print_list space print_poly) l
    (print_list space print_binder) bl
    print_predicate p

let print_predicate_def fmt id p =
  reprint_predicate_def fmt id p;
  if implicits_for_predicate p then
    fprintf fmt "Implicit Arguments %a.@\n" idents id

let reprint_inductive fmt id d =
  let (l,(bl,cases)) = Env.specialize_inductive_def d in
  let l = Env.Vmap.fold (fun _ t acc -> t :: acc) l [] in
  fprintf fmt
     "@[(*Why inductive*) Inductive %s %a : %a -> Prop @ := @[%a@].@]@\n"
    id
    (print_list space print_poly) l
    (print_list arrow print_pure_type) bl
    (print_list newline
       (fun fmt (id,p) ->
	  fprintf fmt "| %a : %a@\n" ident id print_predicate p)) cases

let print_inductive fmt id d =
  reprint_inductive fmt id d
(*
  if implicits_for_predicate p then
    fprintf fmt "Implicit Arguments %a.@\n" idents id
*)

let reprint_alg_type_single fmt (id,d) =
  let cpt = ref 0 in
  let print_binder fmt = function
    | PTvar v ->
        incr cpt;
        let x = { tag = !cpt; user = false; type_val = None } in
        v.type_val <- Some (PTvar x);
        print_poly fmt x
    | _ -> assert false
  in
  let _,(vs,cs) = Env.specialize_alg_type d in
  let th = PTexternal (vs, Ident.create id) in
  let print_constructor fmt (c,pl) =
    fprintf fmt "| %a : @[%a@]" idents (Ident.string c)
      (print_list arrow print_pure_type) (pl@[th])
  in
  fprintf fmt "%a @[%a: Set@] :=@\n  @[%a@]"
    idents id (print_list nothing print_binder) vs
    (print_list newline print_constructor) cs

let reprint_alg_type fmt ls =
  let andsep fmt () = fprintf fmt "@\n with " in
  fprintf fmt "@[(*Why type*) Inductive %a.@]@\n"
    (print_list andsep reprint_alg_type_single) ls

let print_alg_type_single fmt (_id,d) =
  let print_implicit (c,pl) =
    match pl with
    | [] -> fprintf fmt "Set Contextual Implicit.@\n";
            fprintf fmt "Implicit Arguments %a.@\n" idents (Ident.string c);
            fprintf fmt "Unset Contextual Implicit.@\n"
    | _  -> fprintf fmt "Implicit Arguments %a.@\n" idents (Ident.string c)
  in
  let vs,cs = d.Env.scheme_type in
  match vs with
  | [] -> ()
  | _ -> List.iter print_implicit cs

let print_alg_type fmt ls =
  reprint_alg_type fmt ls;
  print_list nothing print_alg_type_single fmt ls

let reprint_type fmt id vl =
  fprintf fmt "@[(*Why type*) Definition %a: @[%aSet@].@]@\n"
    idents id (print_list space (fun fmt _ -> fprintf fmt "Set ->")) vl

let print_type fmt id vl =
  reprint_type fmt id vl;
  fprintf fmt "Admitted.@\n"

let reprint_function fmt id p =
  let (l,(bl,_t,e)) = Env.specialize_function_def p in
  let l = Env.Vmap.fold (fun _ t acc -> t :: acc) l [] in
  let print_poly fmt x =
    if v8 then fprintf fmt "(A%d:Set)" x.tag else fprintf fmt "[A%d:Set]" x.tag
  in
  let print_binder fmt (x,pt) =
    if v8 then
      fprintf fmt "(%a:%a)" ident x print_pure_type pt
    else
      fprintf fmt "[%a:%a]" ident x print_pure_type pt
  in
  fprintf fmt
     "@[(*Why function*) Definition %a %a %a@ := @[%a@].@]@\n"
    idents id
    (print_list space print_poly) l
    (print_list space print_binder) bl
    print_term e

let print_function fmt id p =
  reprint_function fmt id p;
  if polymorphic p then
    begin
      let b = let (bl,_,_) = p.Env.scheme_type in bl = [] in
      if b then fprintf fmt "Set Contextual Implicit.@\n";
      fprintf fmt "Implicit Arguments %a.@\n" idents id;
      if b then fprintf fmt "Unset Contextual Implicit.@\n";
    end

let print_lam_scheme fmt l =
  List.iter
    (fun v -> match v with
       | {type_val=Some (PTvar {type_val=None; tag=x})} ->
	   if v8 then fprintf fmt "fun (A%d:Set) =>@ " x
	   else fprintf fmt "[A%d:Set]@ " x
       | _ ->
	   assert false)
    l

let print_validation fmt (id, tt, v) =
  let (l,tt,v) = Env.specialize_validation tt v in
  let print_cc_type fmt t = print_scheme fmt l; print_cc_type fmt t in
  let l = Env.Vmap.fold (fun _ t acc -> t :: acc) l [] in
  let print_cc_term fmt c = print_lam_scheme fmt l; print_cc_term fmt c in
  fprintf fmt
    "@[Definition %a (* validation *)@\n  : @[%a@]@\n  := @[%a@].@]@\n@\n"
    idents id print_cc_type tt print_cc_term v

let print_cc_functional_program fmt (id, tt, v) =
  let (l,tt,v) = Env.specialize_cc_functional_program tt v in
  let print_cc_type fmt t = print_scheme fmt l; print_cc_type fmt t in
  let l = Env.Vmap.fold (fun _ t acc -> t :: acc) l [] in
  let print_cc_functional_program fmt c =
    print_lam_scheme fmt l; print_cc_functional_program fmt c
  in
  fprintf fmt
    "@[Definition %a (* validation *)@\n  : @[%a@]@\n  := @[%a@].@]@\n@\n"
    idents id print_cc_type tt print_cc_functional_program v

open Regen

module Gen = Regen.Make(
struct

  let print_element fmt e =
    begin match e with
      | Parameter (id, c) -> print_parameter fmt id c
      | Program (id, tt, v) -> print_cc_functional_program fmt (id, tt, v)
      | Obligation (loc, is_lemma, expl, id, s) -> 
	  print_obligation fmt loc is_lemma expl id s
      | Logic (id, t) -> print_logic fmt id t
      | Axiom (id, p) -> print_axiom fmt id p
      | Predicate (id, p) -> print_predicate_def fmt id p
      | Inductive(id,d) -> print_inductive fmt id d
      | Function (id, f) -> print_function fmt id f
      | AbstractType (id, vl) -> print_type fmt id vl
      | AlgebraicType ls -> print_alg_type fmt ls
    end;
    fprintf fmt "@\n"

  let reprint_element fmt = function
    | Parameter (id, c) -> reprint_parameter fmt id c
    | Program (id, tt, v) -> print_cc_functional_program fmt (id, tt, v)
    | Obligation (loc, is_lemma, expl, id, s) -> 
	reprint_obligation fmt loc is_lemma expl id s
    | Logic (id, t) -> reprint_logic fmt id t
    | Axiom (id, p) -> reprint_axiom fmt id p
    | Predicate (id, p) -> reprint_predicate_def fmt id p
    | Inductive(id, d) -> reprint_inductive fmt id d
    | Function (id, f) -> reprint_function fmt id f
    | AbstractType (id, vl) -> reprint_type fmt id vl
    | AlgebraicType ls -> reprint_alg_type fmt ls

  let re_oblig_loc = Str.regexp "(\\* Why obligation from .*\\*)"

  let first_time fmt =
    fprintf fmt "\
(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)@\n";
    if floats then fprintf fmt "Require Export WhyFloats.@\n";
    fprintf fmt "%s@\n" coq_preamble;
    if !is_last_file && v81 then
      List.iter (fun x -> fprintf fmt "Dp_hint %a.@\n" idents x) !library_hints;
    fprintf fmt "@\n"

  let first_time_trailer _fmt = ()

  let not_end_of_element _ s =
    let n = String.length s in n = 0 || s.[n-1] <> '.'

end)

let reset = Gen.reset

let push_decl = function
  | Dgoal (loc,is_lemma,expl,l,s) ->
      Gen.add_elem (Oblig, l) (Obligation (loc,is_lemma,expl,l,s))
  | Dlogic (_, id, t) ->
      let id = Ident.string id in
      Gen.add_elem (Lg, rename id) (Logic (id, t))
  | Daxiom (_, id, p) ->
      Gen.add_elem (Ax, rename id) (Axiom (id, p))
  | Dpredicate_def (_,id,p) -> 
      let id = Ident.string id in
      Gen.add_elem (Pr, rename id) (Predicate (id, p))
  | Dinductive_def(_loc, id, d) ->
      let id = Ident.string id in
      Gen.add_elem (Ind, rename id) (Inductive(id, d))
  | Dfunction_def (_,id,f) -> 
      let id = Ident.string id in
      Gen.add_elem (Fun, rename id) (Function (id, f))
  | Dtype (_, id, vl) ->
      let id = Ident.string id in
      Gen.add_elem (Ty, rename id) (AbstractType (id, vl))
  | Dalgtype ls ->
      let id = match ls with (_,id,_)::_ -> id | _ -> assert false in
      let at = List.map (fun (_,id,d) -> (Ident.string id,d)) ls in
      Gen.add_elem (Ty, rename (Ident.string id)) (AlgebraicType at)

let push_parameter id v =
  Gen.add_elem (Param, id) (Parameter (id,v))

let push_program id tt v =
  Gen.add_elem (Prog, id) (Program (id, tt, v))

let _ =
  Gen.add_regexp
    "Lemma[ ]+\\(.*_po_[0-9]+\\)[ ]*:[ ]*" Oblig;
  Gen.add_regexp
    "(\\*Why goal\\*) Lemma[ ]+\\([^ ]*\\)[ ]*:[ ]*" Oblig;
  Gen.add_regexp
    "Definition[ ]+\\([^ ]*\\)[ ]*:=[ ]*(\\* validation \\*)[ ]*" Valid;
  Gen.add_regexp
    "Definition[ ]+\\([^ ]*\\)[ ]*(\\* validation \\*)[ ]*" Valid;
  Gen.add_regexp
    "(\\*Why\\*) Parameter[ ]+\\([^ ]*\\)[ ]*:[ ]*" Param;
  Gen.add_regexp
    "(\\*Why axiom\\*) Lemma[ ]+\\([^ ]*\\)[ ]*:[ ]*" Ax;
  Gen.add_regexp
    "(\\*Why logic\\*) Definition[ ]+\\([^ ]*\\)[ ]*:[ ]*" Lg;
  Gen.add_regexp
    "(\\*Why predicate\\*) Definition[ ]+\\([^ ]*\\) " Pr;
  Gen.add_regexp
    "(\\*Why inductive\\*) Inductive[ ]+\\([^ ]*\\) " Ind;
  Gen.add_regexp
    "(\\*Why function\\*) Definition[ ]+\\([^ ]*\\) " Fun;
  Gen.add_regexp
    "(\\*Why program\\*) Definition[ ]+\\([^ ]*\\) " Fun;
  Gen.add_regexp
    "(\\*Why type\\*) Parameter[ ]+\\([^ ]*\\):" Ty;
  Gen.add_regexp
    "(\\*Why type\\*) Inductive[ ]+\\([^ ]*\\) " Ty;
  Gen.add_regexp 
    "(\\*Why type\\*) Definition[ ]+\\([^ ]*\\):" Ty

(* validations *)

let valid_q = Queue.create ()

let deps_q = Queue.create ()
let add_dep f = Queue.add f deps_q

let push_validation id tt v = Queue.add (id,tt,v) valid_q

let print_validations fwe fmt =
  fprintf fmt "(* This file is generated by Why; do not edit *)@\n@\n";
  fprintf fmt "Require Import Why.@\n";
  Queue.iter (fun m -> fprintf fmt "Require Export %s_valid.@\n" m) deps_q;
  fprintf fmt "Require Export %s_why.@\n@\n" fwe;
  Queue.iter (print_validation fmt) valid_q;
  Queue.clear valid_q

let output_validations fwe =
  let f = fwe ^ "_valid.v" in
  let m = Filename.basename fwe in
  print_in_file (print_validations m) f;
  add_dep m

(* output file. *)

let output_file is_last fwe =
  let fwe = Options.out_file fwe 
    (* because not done anymore in main.ml *)
  in
  let f = fwe ^ "_why.v" in
  is_last_file:=is_last;
  Gen.output_file f;
  if valid then begin
    output_validations fwe
  end
why-2.34/src/rename.ml0000644000175000017500000001253112311670312013207 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Ident
open Misc
open Report
open Error

(* Variables names management *)

type date = string

(* The following data structure keeps the successive names of the variables
 * as we traverse the program. A each step a ``date'' and a
 * collection of new names is (possibly) given, and updates the
 * previous renaming.
 * 
 * Then, we can ask for the name of a variable, at current date or
 * at a given date.
 *
 * It is easily represented by a list of date x assoc list, most recent coming 
 * first i.e. as follows:
 *
 *   [ date (= current), [ (x,xi); ... ];
 *     date            , [ (z,zk); ... ];
 *     ...
 *     date (= initial), [ (x,xj); (y,yi); ... ]
 *
 * We also keep a list of all names already introduced, in order to
 * quickly get fresh names.
 *)

type t =
  { levels : (date * (Ident.t * Ident.t) list) list;
    avoid  : Ident.set;
    cpt    : int }
    

let empty_ren = { levels = []; avoid = Idset.empty; cpt = 0 }

let update r d ids =
  let al,av = renaming_of_ids r.avoid ids in
  { levels = (d,al) :: r.levels; avoid = av; cpt = r.cpt }

let push_date r d = update r d []

let next r ids =
  let al,av = renaming_of_ids r.avoid ids in
  let n = succ r.cpt in
  let d = string_of_int n in
  { levels = (d,al) :: r.levels; avoid = av; cpt = n }


let find r x =
  let rec find_in_one = function
    | []           -> raise Not_found
    | (y,v) :: rem -> if y = x then v else find_in_one rem
  in
  let rec find_in_all = function
    | []           -> raise Not_found
    | (_,l) :: rem -> try find_in_one l with Not_found -> find_in_all rem
  in
  find_in_all r.levels


let current_var = find

let current_vars r ids = List.map (fun id -> id,current_var r id) ids


let avoid r ids = 
  { levels = r.levels; avoid = Idset.union r.avoid ids; cpt = r.cpt }

let fresh r id =
  match renaming_of_ids r.avoid [id] with
    | [_,id'], av -> id', { r with avoid = av }
    | _ -> assert false

let fresh_many r ids = 
  let ids',av = renaming_of_ids r.avoid ids in
  ids', { r with avoid = av }


let current_date r =
  match r.levels with
    | [] -> invalid_arg "Renamings.current_date"
    | (d,_) :: _ -> d

let all_dates r = List.map fst r.levels

let rec valid_date da r = 
  let rec valid = function
    | [] -> false
    | (d,_) :: rem -> (d = da) || (valid rem)
  in
  valid r.levels

(* [until d r] selects the part of the renaming [r] starting from date [d] *)
let rec until da r =
  let rec cut = function
    | [] -> failwith ("unknown label " ^ da)
    | (d,_) :: rem as r -> if d = da then r else cut rem
  in
  { avoid = r.avoid; levels = cut r.levels; cpt = r.cpt }

let var_at_date r d id =
  try
    find (until d r) id
  with Not_found ->
    raise_unlocated (NoVariableAtDate (id, d))

let vars_at_date r d ids =
  let r' = until d r in List.map (fun id -> id,find r' id) ids


(* pretty-printers *)

open Format
open Pp

let print fmt r = 
  fprintf fmt "@[";
  print_list pp_print_newline
    (fun fmt (d,l) -> 
       fprintf fmt "%s: " d;
       print_list pp_print_space 
	 (fun fmt (id,id') -> 
	    fprintf fmt "(%s,%s)" (Ident.string id) (Ident.string id'))
	 fmt l)
    fmt r.levels


 
why-2.34/src/theoryreducer.ml0000644000175000017500000004131712311670312014630 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Harvey's output *)

open Ident
open Options
open Misc
open Error
open Logic
open Logic_decl
open Env
open Cc
open Format
open Pp
open Hashtbl
open Set
open Unionfind 



module FormulaContainer = 
struct 
  (**
     sContainer is the unique hash table that 
     memorizes all the elements of the theory and the goal **)  
  let fContainer :(int, 'a) Hashtbl.t = Hashtbl.create 20

  (**
     @returns a unique integer that is used to index the 
     fContainerainer hash table
  **)    
  let uniqueNumberGenerator = 
    let x = ref 1 in
    fun () -> incr x; !x
      
  (**
     @param f is the formula we want to store
     @return n is the index where the formula has been stored
  **)
  let add f = 
    let n  = uniqueNumberGenerator () in 
    Hashtbl.add fContainer n f ;
    n
  let reset ()=
    Hashtbl.clear fContainer

end 
  
module  SymbolContainer = 
struct 

  (**
     sContainer is the unique hash table that stores 
     all the symbol (predicative or functional) of the 
     theory and the goal **)  
  let sContainer :(string, int) Hashtbl.t = Hashtbl.create 20
    
  let outputSymbolList  e =
    Printf.printf "%s \t \n" e ; 
    let myPrint k _v = 
      (Printf.printf "%s \t \n" k)
    in
    (Hashtbl.iter myPrint sContainer)


  (**
     @param e the element which we are looking for the number 
     @param n the default number that is returned if the element 
     does not belongs to the table
     @return either the number  corresponding to s or the number n otherwise
  **)
  let getClassNumberOfSymbol e n   = 
    try 
      Hashtbl.find sContainer e
    with Not_found -> n

  (**
     @param e the element we want to add 
     @param n the number that is associated to the element
     The function adds into the hashtable the (e,n) tuple 
  **)
  let addSymbol e n= 
    Hashtbl.add sContainer e n


  let reset ()=
    Hashtbl.clear sContainer


  module StringSet = Set.Make(struct type t=string let compare= compare end)


  (**
     collects the functionnal  symbols
     of the term given in parameter 
     @paramater f : the formula we are parsing   
     @returns the StringSet that contains all the symbols 
     of the formula
  **)	
  let functionalSymbolsCollect  f  = (*: Logic_decl.t -> StringSet*) 
    (** symbols the result **)
    let symbolsSet  = ref StringSet.empty  in 
    let rec collect formula  = 
      let rec collectIntoAList  l = match l with 
	  [] -> () 
	|  p :: r -> 
	     collect p ;
	     collectIntoAList r in 
      match formula with 
	| Tconst (ConstInt n) -> 
	    symbolsSet  := StringSet.add n !symbolsSet 
	| Tconst (ConstBool _b) -> () 
	| Tconst ConstUnit -> ()
	| Tconst (ConstFloat (RConstDecimal (i,f,None))) ->
	    symbolsSet  :=  StringSet.add  (i^"."^f) !symbolsSet
	| Tconst (ConstFloat (RConstDecimal (i,f, Some e))) ->
	    symbolsSet  :=  StringSet.add  (i^"."^f^"E"^e) !symbolsSet
	| Tconst (ConstFloat (RConstHexa (i,f,e))) ->
	    symbolsSet  :=  StringSet.add  (i^"."^f^"P"^e) !symbolsSet
	| Tderef _ -> ()
	| Tapp (id, [a; b; c], _) when id == if_then_else -> 
	    collect a; 
	    collect b;
	    collect c  
	| Tapp (id, tl, _) when is_relation id || is_arith id ->
	    symbolsSet  := StringSet.add (Ident.string id)  !symbolsSet ;
	    collectIntoAList tl 
	| Tapp (id, [], _i) -> 
	    symbolsSet  := StringSet.add (Ident.string id) !symbolsSet
	| Tapp (id, tl, _i) ->
	    symbolsSet  := StringSet.add (Ident.string id) !symbolsSet;
	    collectIntoAList tl 
	| _ -> ()
    in
    collect f ; 
    !symbolsSet

  (**
     collects the functionnal and predicative 
     symbols of the formula given in parameter 
     @paramater f : the formula we are parsing   
     @returns the String set that contains all the symbols 
     of the formula
  **)	
  let rec functionalSymbolsCollectFromList  l  =  
    match l with 
	[] -> StringSet.empty
      | t :: q ->  StringSet.union  (functionalSymbolsCollect t)
	  (functionalSymbolsCollectFromList q)
	    

  (**
     collects the functionnal and predicative 
     symbols of the formula given in parameter 
     @paramater f : the formula we are parsing   
     @returns the String set that contains all the symbols 
     of the formula
  **)	
  let getAllSymbols  f  =
    (** symbols the result **)
    let symbolsSet  = ref StringSet.empty  in 
    let rec collect formula  = 
(* dead code
      let rec collectIntoAList  l = match l with 
	  [] -> () 
	|  p :: r -> 
	     collect p ;
	     collectIntoAList r in 
*)
      match formula with 
	| Papp (id, [a; b], _) when is_eq id || is_neq id || id == t_zwf_zero->
	    symbolsSet  := StringSet.union (functionalSymbolsCollect a) 
	      !symbolsSet ;
	    symbolsSet  := StringSet.union (functionalSymbolsCollect b) 
	      !symbolsSet 
	| Pand (_, _, a, b) | Forallb (_, a, b)  | Por (a, b) | Piff (a, b) | 
	      Pimplies (_, a, b) ->
	    collect a;
		collect b
(*	| Papp (id, tl, _) when is_relation id || is_arith id ->
	    symbolsSet  := StringSet.union (functionalSymbolsCollectFromList tl)
	      !symbolsSet  *) 
	| Papp (id, tl, _i) -> 
	    symbolsSet  := StringSet.union (functionalSymbolsCollectFromList tl) 
	      !symbolsSet ;   
	    symbolsSet  := StringSet.add  (Ident.string id)  !symbolsSet 
	| Pif (a, b, c) ->
	    symbolsSet  := StringSet.union (functionalSymbolsCollect a) 
	      !symbolsSet ;
	    collect b;
	    collect c
	| Pnot a ->
	    collect a;
	| Forall (_,_id,_n,_t,_,p) | Exists (_id,_n,_t,p) ->    
	    collect p
	| Pnamed (_, p) -> (* TODO: print name *)
	    collect p 
	|_ -> ()
    in
    collect f ; 
    !symbolsSet
      
 

end






module  EquivClass = 
struct 
  
  module IntSet = Set.Make(struct type t=int let compare= compare end)
  let firstGoalNumber = ref 0 
  let firstTypeDefinitionNumber = ref 0

    
  
  (** the union find module for using classes **)
  module UnionFindInt = Unionfind.Make (struct 
					  type t = int let 
					      hash = Hashtbl.hash 
						       let compare = compare 
						       let equal = (=) 
					end)


  (** the data structure that stores the equivalence classes 
      for the axioms number **)
  let partition : UnionFindInt.t ref =  ref (UnionFindInt.init ())

  let reinit p =
    p := UnionFindInt.init ()

  let reset () =
    reinit partition
    

(** 
    @param m, n : class number that are equivalent.    
**)
  let merge (m:int)  (n:int) = 
    UnionFindInt.union m n !partition 
    (*Printf.printf  " merge %d ,  %d \n" m n *)

      (**
	 @param n is the number of the goal
	If there are many goal in the same file, 
	such goals has to be equivalent. To do so, we store 
	the number of the first formula and each time we 
	add a goal, we say it is equivalent to this one. **) 
  let addFormula n =
    let mergeFormulaNumber num =  
      if !firstGoalNumber = 0 then
	firstGoalNumber := num 
      else merge !firstGoalNumber num in
    mergeFormulaNumber n
	
  
  let addTypeDefinition n =
    let mergeTypeDefinitionNumber num =  
      if !firstTypeDefinitionNumber = 0 then
	begin
	  firstTypeDefinitionNumber := num ;
	end
      else 
	begin 
	  merge !firstTypeDefinitionNumber num ;
	end
    in 
    mergeTypeDefinitionNumber n
  

  let getReducedTheory _t=
    let localSet = ref IntSet.empty in 
    if !firstGoalNumber = 0  then 
      Queue.create () 
    else
      begin
      (**the type declarations, if they exist, 
	 are pushed into the formula classe **)
	if !firstTypeDefinitionNumber <> 0  then
	  merge !firstTypeDefinitionNumber !firstGoalNumber ;
	
      (** computes the declarations corresponding to the formula classe**)
	let goalClassNumber = UnionFindInt.find !firstGoalNumber !partition in 
	let addToSet k _v = 
	  if ((UnionFindInt.find k !partition) = goalClassNumber) then
	    localSet := IntSet.add k !localSet
	in
	Hashtbl.iter addToSet FormulaContainer.fContainer ;


	(** computes the ordered queue of elements **)
	let axiomQueue = Queue.create() in 
	let rec addToQueue l = match l with  
	    [] -> ()
	  | q :: t -> 
	      Queue.push (Hashtbl.find  FormulaContainer.fContainer q)  axiomQueue ;
	      addToQueue t
	in 
	addToQueue  (IntSet.elements !localSet) ;
	
	axiomQueue
	
      end
	
end
  



(**given a list of symbols associated 
   to a number n, this recursive function updates the 
   SymbolContainer and the EquivClass according to 
   the presence of this symbols in other classes
   @param symbolsList : the symbolist associated to n
   @param n : the class number (that is the number of the formula)
   @returns Unit
**)
let manageSymbols symbolsList n = 
  let rec manageS  l = match l  with 
      []     -> ()
    | s ::l  -> 
	(**Check wether s is already  present in the table **)
	let m = SymbolContainer.getClassNumberOfSymbol s n in 
	begin 
	  if m = n then 
	    (** m is not yet present in the table of symbols 
		associate n to s and add it into the symbol container **)
	    SymbolContainer.addSymbol s n 
	      
	  else
	    (** m already exists in the symbole table; we have to merge 
		the class identified by m with 
		the class identified by n **)
	    EquivClass.merge m n 
	end ;
	(** recursive call over the reduced lsit **) 
	manageS l in
  manageS symbolsList 
  
	  

let managesGoal _id ax (hyps,concl) = 
  let n = FormulaContainer.add  ax in
  (* Retrieve the list symbolList of symbols in hyps *)
  let rec managesHypotheses = function
    | [] -> SymbolContainer.getAllSymbols  concl
    | Svar (_id, _v) :: q ->  managesHypotheses  q 
    | Spred (_,p) :: q -> 
	SymbolContainer.StringSet.union 
	  (SymbolContainer.getAllSymbols p) 
	  (managesHypotheses q)
  in
  let symbolList =  SymbolContainer.StringSet.elements 
    (managesHypotheses hyps) in 
  (*Printf.printf "Formula %s :" id ;
  List.iter (fun x-> Printf.printf "%s " x) symbolList; *)
  manageSymbols symbolList n ;
  (** add the formula number into the list of known goal **)
  EquivClass.addFormula n 
    
    







(** manages the  axioms
    @ax ax is the typing predicate
    @p is is the predicative part of the definition of 
    the predicate
**) 
let managesAxiom _id ax p =
  let n = FormulaContainer.add  ax in 
  (* Retrieve the list symbolList of symbols in such predicate
     and we add into it the symbol id *)
  let symbolList =  SymbolContainer.StringSet.elements 
    (SymbolContainer.getAllSymbols p) in 
  (*Printf.printf "Axiom %s :" id ;
  List.iter (fun x-> Printf.printf "%s " x) symbolList; *)
  manageSymbols symbolList n
    





(** manages the  definitions of prediactes
    @param id is the symbol name
    @ax ax is the typing predicate
    @(_,_,p) is is the predicative part of the definition of 
    the predicate
**) 
let managesPredicate id ax (_,p) = 
  let n = FormulaContainer.add  ax in 
  (* Retrieve the list symbolList of symbols in such predicate
     and we add into it the symbol id *)
  let symbolList =  SymbolContainer.StringSet.elements 
    (SymbolContainer.StringSet.add id (SymbolContainer.getAllSymbols p)) in 
(*  Printf.printf "Predicate %s :" id ;
    List.iter (fun x-> Printf.printf "%s " x) symbolList; 
  Printf.printf "\n"; *)
  manageSymbols symbolList n




(** manages the definitions of  function 
    @param id is the symbol name
    @ax ax is the typing predicate
    @(_,_,e) is is the predicative part of the definition of 
    the function
**) 
let managesFunction id ax (_,_,e) = 
  let n = FormulaContainer.add  ax in 
  (* Retrieve the list symbolList of symbols in such function
     and we add into it the symbol id *)
  let symbolList =  SymbolContainer.StringSet.elements 
    (SymbolContainer.StringSet.add id (SymbolContainer.functionalSymbolsCollect e)) in 
(*  Printf.printf "Function %s :" id ;
  List.iter (fun x-> Printf.printf "%s " x) symbolList; 
  Printf.printf "\n"  ; *)
  manageSymbols symbolList n


(**
   such function treats the special case of typing  definition for
   new axioms or new function. The sol itroduced symbol is 
   the predicate name  or the function name 
   @param id it the symbol name 
   @ax is the complete node**)
    
let typingPredicate id ax = 
  let n = FormulaContainer.add  ax in 
  (*Printf.printf  " %s : %d \n" id n ;*)
  (*Retrieve the list l of symbols in such predicate *)
  let symbolList =  SymbolContainer.StringSet.elements 
    (SymbolContainer.StringSet.add 
       id 
       SymbolContainer.StringSet.empty) in   
  manageSymbols symbolList n  
  
    
(**
   such function treats the  definition of  new types
   @param id it the type name 
   @param ax is the complete node**)
let declareType _id ax = 
  let n = FormulaContainer.add ax in 
    EquivClass.addTypeDefinition n 
  

    
    
let launcher decl = match decl with   
  | Dtype (_, id, _) as ax ->
      (*Printf.printf  "Dtype %s \n"  id ;*) 
      declareType (Ident.string id) ax
  | Dalgtype _ ->
      failwith "Theory reducer: algebraic types are not supported"
  | Dlogic (_, id, _t) as ax -> 
      (* Printf.printf  "Dlogic %s \n"  id ;*) 
      typingPredicate (Ident.string id) ax
  | Dpredicate_def (_, id, d) as ax -> 
      (*Printf.printf  "Dpredicate_def %s \n"  id ; *)
      let id = Ident.string id in
      managesPredicate id ax d.scheme_type
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "Theory reducer: inductive def not yet supported"
  | Dfunction_def (_, id, d)  as ax -> 
      (*Printf.printf  "Dfunction_def %s \n"  id ; *)
      let id = Ident.string id in
      managesFunction  id ax d.scheme_type
  | Daxiom (_, id, p) as ax -> 
      (*Printf.printf  "Daxiom %s \n"  id ; *)
      managesAxiom  id ax p.scheme_type
  | Dgoal (_, _is_lemma, _expl, id, s)  as ax -> 
      (*Printf.printf  "Dgoal %s \n"  id ; *)
      managesGoal id ax s.Env.scheme_type 



let display q = 
  let displayMatch e  = match e with   
  | Dtype (_, id, _) -> Printf.printf  "%s \n" (Ident.string id)
  | Dalgtype _ ->
      failwith "Theory reducer: algebraic types are not supported"
  | Dlogic (_, id, _t) -> Printf.printf  "%s \n" (Ident.string id)
  | Dpredicate_def (_, id, _d) -> 
      let id = Ident.string id in
      Printf.printf  "%s \n" id
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "Theory reducer: inductive def not yet supported"
  | Dfunction_def (_, id, _d) -> 
      let id = Ident.string id in
      Printf.printf  "%s \n" id
  | Daxiom (_, id, _p)          -> Printf.printf  "%s \n"  id
  | Dgoal (_, _is_lemma,_expl, id, _s)   -> Printf.printf  "%s \n"  id
  in
  Queue.iter displayMatch q 


(**
   @param q is a logic_decl Queue 
   @returns the pruned theory 
**)
let reduce q     = 
  (*Printf.printf " PENDANT \n"; 
  display q ;*)
  FormulaContainer.reset ();
  SymbolContainer.reset();
  EquivClass.reset();
  
  Queue.iter launcher q ;
  let q = EquivClass.getReducedTheory "" in
  (*display q ;*)
  q 
    

    

why-2.34/src/ident.ml0000644000175000017500000002662212311670312013051 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



type t = { stamp : int; name : string; label : string option; fresh_from : (string * t list) option }

let hashcons = 
  let h = Hashtbl.create 97 in
  fun id -> try Hashtbl.find h id with Not_found -> Hashtbl.add h id id; id 

let create ?from s = hashcons { stamp = 0; name = s; label = None; fresh_from = from }
let string s = s.name
let fresh_from s = s.fresh_from

let completeString s = s.name^"_"^(string_of_int s.stamp)  

module I = struct type t_ = t type t = t_ let compare = compare end

module Idset = Set.Make(I)
type set = Idset.t

module Idmap = Map.Make(I)
type 'a map = 'a Idmap.t

let is_index s = 
  let n = String.length s in
  (n > 0) && (match s.[n-1] with '0'..'9' -> true | _ -> false)

let rec next id n s =
  let id' = create (id ^ string_of_int n) in
  if Idset.mem id' s then
    next id (succ n) s
  else
    id'

let next_away id s = 
  if id.name <> "_" && Idset.mem id s then 
    let id0 = id.name in
    let id0 = if is_index id0 then id0 ^ "_" else id0 in
    next id0 0 s 
  else 
    id

let print fmt s = Format.fprintf fmt "%s" s.name

let lprint fmt s = match s.label with
  | None -> Format.fprintf fmt "%s" s.name
  | Some l -> Format.fprintf fmt "%s@@%s" s.name l

let dbprint fmt s = Format.fprintf fmt "%a#%d" lprint s s.stamp

(*s Possibly anonymous names *)

type name = Anonymous | Name of t

let print_name fmt = function
  | Name id -> print fmt id
  | Anonymous -> Format.fprintf fmt "_"

(*s Labelled identifiers. *)

let at_id id d = hashcons { id with label = Some d }

let is_at id = id.label <> None

let un_at = function
  | { label = Some d } as id -> hashcons { id with label = None }, d
  | _ -> invalid_arg "Ident.un_at"

(*s Bound variables. *)

let bound =
  let n = ref 0 in
  fun s -> incr n; hashcons { s with stamp = !n }

(*s Exceptions names and constructors *)

let exn_type = create "EM"
let exn_val = create "Val"
let exn_exn = create "Exn"
let exn_post = create "qcomb"
let exn_qval = create "Qval"
let exn_qexn = create "Qexn"
let exist = create "exist"
let decomp n = create ("decomp" ^ string_of_int n)

let exit_exn = create "Exit"

(*s Non termination monad. *)

let non_termination_monad = create "nt_m"
let nt_unit : t = create "nt_unit"
let nt_bind : t = create "nt_bind"
let nt_fix : t = create "nt_fix"
let nt_lift : t = create "nt_lift"

(*s Identifiers for the functional validation. *)

let fun_id x = create (string x ^ "_fun")

(*s Identifiers for algebraic-typed term matching *)

let match_id x = create (string x ^ "_match")
let proj_id x i = create (string x ^ "_proj_" ^ string_of_int i)

(*s Pre-defined. *)

let t_bool_and = create "bool_and"
let t_bool_or = create "bool_or"
let t_bool_xor = create "bool_xor"
let t_bool_not = create "bool_not"

let anonymous = create "_"
let implicit = create "?"
let default_post = create "%default_post"

let t_add = create "%add"
let t_sub = create "%sub"
let t_mul = create "%mul"
let t_div = create "%div"
let t_neg = create "%neg"

let t_add_int = create "add_int"
let t_sub_int = create "sub_int"
let t_mul_int = create "mul_int"
(*
let t_div_int = create "div_int"
let t_mod_int = create "mod_int"
*)
let t_neg_int = create "neg_int"
let t_abs_int = create "abs_int"

let t_add_real = create "add_real"
let t_sub_real = create "sub_real"
let t_mul_real = create "mul_real"
let t_div_real = create "div_real"
let t_neg_real = create "neg_real"
let t_abs_real = create "abs_real"
let t_pow_real = create "pow_real"
let t_sqrt_real = create "sqrt_real"

let t_cos = create "cos"
let t_sin = create "sin"
let t_tan = create "tan"
let t_atan = create "atan"

let t_int_max = create "int_max"
let t_int_min = create "int_min"
let t_real_max = create "real_max"
let t_real_min = create "real_min"

let t_real_of_int = create "real_of_int"
let t_int_of_real = create "int_of_real"

let t_div_real_ = create "div_real_"
(*
let t_div_int_ = create "div_int_"
let t_mod_int_ = create "mod_int_"
*)
let t_sqrt_real_ = create "sqrt_real_"

let t_distinct = create "distinct"

let t_lt = create "%lt"
let t_le = create "%le"
let t_gt = create "%gt"
let t_ge = create "%ge"
let t_eq = create "%eq"
let t_neq = create "%neq"

let t_eq_int = create "eq_int"
let t_eq_bool = create "eq_bool"
let t_eq_real = create "eq_real"
let t_eq_unit = create "eq_unit"

let t_neq_int = create "neq_int"
let t_neq_bool = create "neq_bool"
let t_neq_real = create "neq_real"
let t_neq_unit = create "neq_unit"

let t_lt_int = create "lt_int"
let t_le_int = create "le_int"
let t_gt_int = create "gt_int"
let t_ge_int = create "ge_int"

let t_lt_real = create "lt_real"
let t_le_real = create "le_real"
let t_gt_real = create "gt_real"
let t_ge_real = create "ge_real"

let t_eq_int_ = create "eq_int_"
let t_eq_bool_ = create "eq_bool_"
let t_eq_real_ = create "eq_real_"
let t_eq_unit_ = create "eq_unit_"

let t_neq_int_ = create "neq_int_"
let t_neq_bool_ = create "neq_bool_"
let t_neq_real_ = create "neq_real_"
let t_neq_unit_ = create "neq_unit_"

let t_lt_int_ = create "lt_int_"
let t_le_int_ = create "le_int_"
let t_gt_int_ = create "gt_int_"
let t_ge_int_ = create "ge_int_"

let t_lt_int_bool = create "lt_int_bool"
let t_le_int_bool = create "le_int_bool"
let t_gt_int_bool = create "gt_int_bool"
let t_ge_int_bool = create "ge_int_bool"

let t_lt_real_ = create "lt_real_"
let t_le_real_ = create "le_real_"
let t_gt_real_ = create "gt_real_"
let t_ge_real_ = create "ge_real_"

let t_lt_real_bool = create "lt_real_bool"
let t_le_real_bool = create "le_real_bool"
let t_gt_real_bool = create "gt_real_bool"
let t_ge_real_bool = create "ge_real_bool"

let t_eq_int_bool = create "t_eq_int_bool"
let t_eq_real_bool = create "t_eq_real_bool"
let t_neq_int_bool = create "t_neq_int_bool"
let t_neq_real_bool = create "t_neq_real_bool"

let t_zwf_zero = create "zwf_zero"
let result = create "result"
let default = create "H"
let farray = create "farray"
let array_length = create "array_length"
let ref_set = create "ref_set"
let array_get = create "array_get"
let array_set = create "array_set"
let access = create "access"
let store = create "store"
let annot_bool = create "annot_bool"
let well_founded = create "well_founded"
let well_founded_induction = create "well_founded_induction"
let if_then_else = create "ite"
let false_rec = create "False_rec"
let wfix = create "wfix"

let any_int = create "why_any_int"
let any_unit = create "why_any_unit"
let any_real = create "why_any_real"

(*s tests *)

let is_wp id =
  String.length id.name >= 2 && id.name.[0] == 'W' && id.name.[1] == 'P'

let is_variant id =
  String.length id.name >= 7 && String.sub id.name 0 7 = "Variant"

let is_comparison id = 
  id == t_lt || id == t_le || id == t_gt || id == t_ge || 
  id == t_eq || id == t_neq 

let is_poly id =
  is_comparison id || 
  id == t_add || id == t_sub || id == t_mul || id == t_div || id == t_neg

let is_int_comparison id =
  id == t_eq_int || id == t_neq_int ||
  id == t_lt_int || id == t_le_int || id == t_gt_int || id == t_ge_int 

let is_int_comparison_ id =
  id == t_eq_int_ || id == t_neq_int_ ||
  id == t_lt_int_ || id == t_le_int_ || id == t_gt_int_ || id == t_ge_int_ 

let is_real_comparison id = 
  id == t_eq_real || id == t_neq_real ||
  id == t_lt_real || id == t_le_real || id == t_gt_real || id == t_ge_real 

let is_real_comparison_ id = 
  id == t_eq_real_ || id == t_neq_real_ ||
  id == t_lt_real_ || id == t_le_real_ || id == t_gt_real_ || id == t_ge_real_ 

let is_bool_comparison id = id == t_eq_bool || id == t_neq_bool
let is_bool_comparison_ id = id == t_eq_bool_ || id == t_neq_bool_

let is_unit_comparison id = id == t_eq_unit || id == t_neq_unit
let is_unit_comparison_ id = id == t_eq_unit_ || id == t_neq_unit_

let is_eq id = 
  id == t_eq || 
  id == t_eq_int || id == t_eq_real || id == t_eq_bool || id == t_eq_unit

let is_eq_ id = 
  id == t_eq_int_ || id == t_eq_real_ || id == t_eq_bool_ || id == t_eq_unit_

let is_neq id = 
  id == t_neq || id == t_neq_int || id == t_neq_real || 
  id == t_neq_bool || id == t_neq_unit

let is_neq_ id = 
  id == t_neq_int_ || id == t_neq_real_ || 
  id == t_neq_bool_ || id == t_neq_unit_

let is_relation id = 
  is_comparison id || is_int_comparison id || is_real_comparison id ||
  is_bool_comparison id || is_unit_comparison id

let is_relation_ id = 
  is_comparison id || is_int_comparison_ id || is_real_comparison_ id ||
  is_bool_comparison_ id || is_unit_comparison_ id

let is_int_arith_binop id =
  id == t_add_int || id == t_sub_int || id == t_mul_int 
(* disabled (confusion math_div / computer_div
  || id == t_div_int || id == t_mod_int
*)

let is_real_arith_binop id =
  id == t_add_real || id == t_sub_real || id == t_mul_real || 
  id == t_div_real 

let is_arith_binop id =
  is_int_arith_binop id || is_real_arith_binop id

let is_int_arith_unop id = 
  id == t_neg_int

let is_real_arith_unop id =
  id == t_neg_real || id == t_sqrt_real

let is_int_arith id = 
  is_int_arith_binop id || is_int_arith_unop id

let is_real_arith id =
  is_real_arith_binop id || is_real_arith_unop id

let is_arith id =
  is_int_arith id || is_real_arith id || id == t_real_of_int

let is_simplify_arith id =
  is_int_arith id || id == t_lt_int || id == t_le_int || id == t_gt_int || id == t_ge_int

let strict_bool_and_ = create "strict_bool_and_"
let strict_bool_or_ = create "strict_bool_or_"
let bool_not_ = create "bool_not_"

why-2.34/src/encoding_strat.mli0000644000175000017500000000456612311670312015125 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc

val reset : unit -> unit

val push : Logic_decl.t -> unit
val iter : (Logic_decl.t -> unit) -> unit
why-2.34/src/annot.ml0000644000175000017500000003333012311670312013057 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Options
open Ident
open Misc
open Logic
open Util
open Ast
open Env
open Types

(* Automatic annotations *)

let is_default_post a = match a.a_value with
  | Pvar id when id == Ident.default_post -> true
  | _ -> false

(* maximum *)

let sup q q' = match q, q' with
  | None, _ ->
      q'
  | _, None ->
      q
  | Some (q, ql), Some (_, ql') ->
      assert (List.length ql = List.length ql');
      let supx (x,a) (x',a') =
	assert (x = x');
	x, if is_default_post a then a' else a
      in
      Some (q, List.map2 supx ql ql') 

(* force a post-condition *)

let post_if_none env q p = match post p with
  | None -> force_post env q p 
  | _ -> p

(* post-condition of [while b do inv I done] i.e. [I and not B] *)

let default_exns_post e =
  let xs = Effect.get_exns e in
  List.map (fun x -> x, default_post) xs
 
let while_post loc info b inv = 
  let ql = default_exns_post info.kappa.c_effect in
  match post b, inv with
    | None, None -> 
	None
    | None, Some i ->
	Some ({ a_value = i.a_value; 
		a_name = Name (post_name_from i.a_name);
		a_loc = loc }, ql)
    | Some qb, inv ->
	let _,s = decomp_boolean qb in
	let s = change_label b.info.label info.label s in
	match inv with
	  | None -> Some (anonymous loc s, ql)
	  | Some i -> Some ({ a_value = pand i.a_value s; 
			      a_name = Name (post_name_from i.a_name);
			      a_loc = loc }, ql)

let while_post_block env inv (phi,_,r) e = 
  let lab = e.info.label in
  let decphi = Papp (r, [phi; put_label_term env lab phi], []) in
  let ql = default_exns_post (effect e) in
  match inv with
    | None -> 
	anonymous e.info.loc decphi, ql
    | Some i -> 
	{ a_value = pand ~is_wp:true i.a_value decphi; 
	  a_name = Name (post_name_from i.a_name);
	  a_loc = e.info.loc }, ql

let check_while_test b =
  if post b = None then begin
    wprintf b.info.loc 
      "couldn't give this test a postcondition (possible incompleteness)\n";
    if werror then exit 1
  end

(* misc. *)

let is_conditional p = match p.desc with If _ -> true | _ -> false

(* BUG: use is_eq and not t_eq
let is_equality = function
  | Some ({ a_value = Papp (id, [Tvar t1; t2]) }, []) -> 
      id == t_eq && t1 == result
  | _ -> false
*)

let get_equality_rhs = function
  | Some ({ a_value = Papp (id, [Tvar t1; t2], _) }, []) 
    when id == t_eq && t1 == result -> t2
  | _ -> assert false

(* [extract_pre p] erase the pre-condition of [p] and returns it *)

let extract_oblig pr =
  let k = pr.info.kappa in
  { pr with info = { pr.info with 
		       obligations = []; 
		       kappa = { k with c_pre = [] } } },
  pr.info.obligations @ k.c_pre

(* adds some pre-conditions *)

let add_oblig p1 pr =
  let o = pr.info.obligations in
  { pr with info = { pr.info with obligations = o @ p1 } }

  
(* change the statement *)

let is_bool = function
  | PureType PTbool -> true
  | _ -> false

let is_pure e = 
  let ef = effect e in 
  Effect.get_writes ef = [] && Effect.get_exns ef = []

(*s Normalization. In this first pass, we
    (2) annotate [x := E] with [{ x = E }]
    (3) give tests the right postconditions
    (4) lift obligations up in assignements *)

let rec normalize p =
  let env = p.info.env in
  let k = p.info.kappa in
  match p.desc with
    (***
    | Expression t ->
	let t = put_label_term env p.info.label (unref_term t) in
	change_desc p (Expression t)
    ***)
    | If (e1, e2, e3) ->
	change_desc p (If (normalize_boolean false env e1, e2, e3))
(****
    | While (b, invopt, var, e) ->
	let b' = normalize_boolean true env b in
	let p = match post b' with

           (* test is not annotated -> translation using an exception *)
	   | None ->
	       let effect_and_exit k = 
		 let ef = Effect.add_exn exit_exn k.c_effect in
		 let k' = type_c_of_v k.c_result_type in
		 { k' with c_effect = ef }
	       in
	       let bloc = b.info.loc in
	       let praise_exit = 
		 make_raise bloc exit_exn (PureType PTunit) env
	       in
	       let body = 
		 (* if b then e else raise Exit *)
		 make_lnode e.info.loc (If (b', e, praise_exit))
		   env [] (effect_and_exit k)
	       in
	       let d = 
		 Try 
		   (make_lnode p.info.loc
		      (While (make_annot_bool bloc true env, 
			      invopt, var, body))
		      env [] (effect_and_exit k),
		    [ (exit_exn, None), make_void p.info.loc env])
	       in
	       change_desc p d

	   (* test is annotated -> postcondition is [inv and not test] *)
	   | Some _ ->
	       (***
	       let p = change_desc p (While (b', invopt, var, e)) in
	       if post p = None then
		 let q = while_post p.info.loc p.info b' invopt in
		 force_post env q p
	       else
	       ***)
		 p
	in
	let q = optpost_app (change_label "" p.info.label) (post p) in
	force_post env q p
***)
    | LetRef (x, ({ desc = Expression t } as e1), e2) when post e1 = None ->
	let q = create_post (equality (Tvar Ident.result) (unref_term t)) in
	change_desc p (LetRef (x, post_if_none env q e1, e2))
    | LetIn (x, ({ desc = Expression t } as e1), e2) when post e1 = None ->
	let q = create_post (equality (Tvar Ident.result) (unref_term t)) in
	change_desc p (LetIn (x, post_if_none env q e1, e2))
    | Expression _ | Var _ 
    | Seq _ | Lam _ | LetIn _ | LetRef _ | Rec _ | App _ 
    | Raise _ | Try _ | Absurd | Any _ | Loop _ ->
	p

(* [normalize_boolean b] checks if the boolean expression [b] (of type
   [bool]) is annotated; if not, tries to give it an annotation. 
   [force] indicates whether annotating is mandatory. *)

and normalize_boolean force env b =
  let k = b.info.kappa in
  let give_post b q =
    let q = option_app (force_post_loc b.info.loc) q in
    { b with info = { b.info with kappa = { k with c_post = q } } }
  in
  let q = k.c_post in
  match q with
    | Some _ ->
	(* a postcondition; nothing to do *)
	give_post b (force_bool_name q)
    | None -> begin
	match b.desc with
	  | Expression c when force ->
	      (* expression E -> result=E *)
	      let c = equality (Tvar Ident.result) (unref_term c) in
	      give_post b (create_post c)
	  | If (e1, e2, e3) ->
	      let ne1 = normalize_boolean force env e1 in
	      let ne2 = normalize_boolean force env e2 in
	      let ne3 = normalize_boolean force env e3 in
	      if is_pure e1 && is_pure e2 && is_pure e3 then
		let q1 = post ne1 in
		let q2 = post ne2 in
		let q3 = post ne3 in
		match q1, (e2.desc, q2), (e3.desc, q3) with
		  (* [a && b] *)
		  | Some q1, (_,Some q2), 
		    (Expression (Tconst (ConstBool false)),_) ->
		      let q1t,q1f = decomp_boolean q1 in
		      let q2t,q2f = decomp_boolean q2 in
		      let c = 
			Pif (Tvar Ident.result,
			     pand q1t q2t,
			     por q1f (pand q1t q2f))
		      in
		      let b' = change_desc b (If (ne1,ne2,ne3)) in
		      give_post b' (create_post c)
		  (* [a || b] *)
		  | Some q1, (Expression (Tconst (ConstBool true)),_), 
		    (_,Some q3) ->
		      let q1t,q1f = decomp_boolean q1 in
		      let q3t,q3f = decomp_boolean q3 in
		      let c = 
			Pif (Tvar Ident.result,
			     por q1t (pand q1f q3t),
			     pand q1f q3f)
		      in
		      let b' = change_desc b (If (ne1,ne2,ne3)) in
		      give_post b' (create_post c)
                  (* generic case *)
		  | Some q1, (_,Some q2), (_,Some q3) -> 
		      let q1t,q1f = decomp_boolean q1 in
		      let q2t,q2f = decomp_boolean q2 in
		      let q3t,q3f = decomp_boolean q3 in
		      let c = 
			Pif (Tvar Ident.result,
			     por (pand q1t q2t) (pand q1f q3t),
			     por (pand q1t q2f) (pand q1f q3f)) 
		      in
		      let b' = change_desc b (If (ne1,ne2,ne3)) in
		      give_post b' (create_post c)
		  | _ ->
		      b
		else 
		  b
	  | _ -> 
	      b
      end

let map_desc f p =
  let d = match p.desc with
    | Var _ 
    | Expression _
    | Absurd
    | Any _ as d -> 
	d
    | Seq bl -> 
	let block_st = function
	  | Label _ | Assert _ as s -> s
	  | Statement e -> Statement (f e)
	in
	Seq (List.map block_st bl)
    | Loop (inv, var, e2) ->
	Loop (inv, var, f e2)
    | If (e1, e2, e3) ->
	If (f e1, f e2, f e3)
    | Lam (bl, e) ->
	Lam (bl, f e)
    | App (e1, Term e2, k) ->
	App (f e1, Term (f e2), k)
    | App (e1, a, k) ->
	App (f e1, a, k)
    | LetRef (x, e1, e2) ->
	LetRef (x, f e1, f e2)
    | LetIn (x, e1, e2) ->
	LetIn (x, f e1, f e2)
    | Rec (x, bl, v, var, e) ->
	Rec (x, bl, v, var, f e)
    | Raise (x, Some e) ->
	Raise (x, Some (f e))
    | Raise _ as d ->
	d
    | Try (e1, eql) ->
	Try (f e1, List.map (fun (p, e) -> (p, f e)) eql)
  in
  { p with desc = d }

type pure = 
  | PureTerm of term (* result = term *)
  | PurePred of postcondition (* q(result) *)

let q_true_false q =
  let ctrue = tsubst_in_predicate (subst_one Ident.result ttrue) q in
  let cfalse = tsubst_in_predicate (subst_one Ident.result tfalse) q in
  simplify ctrue, simplify cfalse

let is_result_eq = function
  | Papp (id, [Tvar id'; t], _) when is_eq id && id' == result -> Some t
  | _ -> None

let rec purify p =
  try
    if not (is_pure p) then raise Exit;
    (* [pure p] computes pre, obligations and post for [p] *)
    let rec pure p = match p.desc with
      | Expression t when post p = None -> 
	  a_values (pre p), 
	  a_values p.info.obligations,
	  tequality (result_type p) (Tvar Ident.result) (unref_term t)
      | LetIn (x, e1, e2) when post p = None -> 
	  let pre1,o1,post1 = pure e1 in
	  let pre2,o2,post2 = pure e2 in
	  begin match is_result_eq post1 with
	    | Some t1 -> (* optimized when [post1] is [result=t1] *)
		let s = tsubst_in_predicate (subst_one x t1) in
		a_values (pre p), pre1 @ o1 @ (List.map s (pre2 @ o2)), s post2
	    | None ->
		let tyx = result_type e1 in
		let post1_x = subst_in_predicate (subst_onev result x) post1 in
		a_values (pre p),
		(* pre1 and (forall x. post1(x) => pre2) *)
		(pre1 @ o1 @ [(*pimplies (pands pre1)*)
		   (pforall x tyx (pimplies post1_x (pands (pre2 @ o2))))]),
		(* exists x. post1(x) and post2 *)
		pexists x tyx (pand post1_x post2)
	  end
      | If (e1, e2, e3) when post p = None -> 
	  let p1,o1,q1 = pure e1 in
	  let p2,o2,q2 = pure e2 in
	  let p3,o3,q3 = pure e3 in
	  let q1t,q1f = q_true_false q1 in
	  begin match e2.desc, e3.desc with
	    | _, Expression (Tconst (ConstBool false)) (* e1 && e2 *) ->
		let q2t,q2f = q_true_false q2 in
		a_values (pre p),
		p1 @ o1 @ [pimplies q1t (pands (p2 @ o2))],
		Pif (Tvar Ident.result, pand q1t q2t, por q1f (pand q1t q2f))
	    | Expression (Tconst (ConstBool true)), _ (* e1 || e2 *) ->
		let q3t,q3f = q_true_false q3 in
		a_values (pre p),
		p1 @ o1 @ [pimplies q1f (pands (p3 @ o3))],
		Pif (Tvar Ident.result, por q1t (pand q1f q3t), pand q1f q3f)
	    | Expression (Tconst (ConstBool false)),
	      Expression (Tconst (ConstBool true)) (* not e1 *) ->
		a_values (pre p), p1 @ o1, Pif (Tvar Ident.result, q1f, q1t)
	    | _ -> 
		a_values (pre p),
		(* p1 and (q1(true) => p2) and (q1(false) => p3) *)
		p1 @ o1 @ [pimplies q1t (pands (p2 @ o2)); 
			   pimplies q1f (pands (p3 @ o3))],
		(* q1(true) and q2 or q1(false) and q3 *)
		por (pand q1t q2) (pand q1f q3)
	  end
      | App ({desc=Var x}, _, _) when is_rec x p.info.env ->
	  raise Exit
      | App (e1, Term e2, k) when post p = None || post p = k.c_post ->
	  begin match k.c_post with
	    | Some (q,_) -> 
		a_values (pre p),
		a_values (k.c_pre @ e1.info.obligations @ pre e1 @ 
			  e2.info.obligations @ pre e2), 
		q.a_value
	    | None -> 
		raise Exit
	  end
      | _ -> 
	  raise Exit (* we give up *)
    in
    let pre,o,post = pure p in
    let pre = List.map (anonymous p.info.loc) pre in
    let o = List.map (anonymous p.info.loc) o in
    let c = { p.info.kappa with c_pre = pre; c_post = create_post post } in
    { p with 
	desc = Any c; 
	info = { p.info with obligations = o; kappa = c } }
  with Exit -> 
    map_desc purify p
why-2.34/src/encoding_strat.ml0000644000175000017500000004204712311670312014750 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc
open Logic
open Logic_decl

let loc = Loc.dummy_floc

let prefix = "c_"
let suffix = "_c"
let var = "x"
let tvar = "t"
let cpt = ref 0
let axiom c = c ^ "_to_" ^ (c^suffix)
let def c = "def_"^c

let arities = ref []

(* The unique type for all terms *)
let ut = PTexternal ([], Ident.create (prefix^"unique"))

let unify ptl = List.map (fun _ -> ut) ptl
    
let prelude =
  (Dtype (loc, Ident.create (prefix^"unique"), []))::	(* The unique sort *)
  (Dlogic (loc, Ident.create (prefix^"sort"),
	   Env.empty_scheme (Function ([ut; ut], ut)))):: (* The "sort" symbol *)
  (Dlogic (loc, Ident.create (prefix^"int"),
	   Env.empty_scheme (Function ([], ut)))):: (* One synbol for each prefedined type *)
  (Dlogic (loc, Ident.create (prefix^"bool"),
	   Env.empty_scheme (Function ([], ut))))::
  (Dlogic (loc, Ident.create (prefix^"real"),
	   Env.empty_scheme (Function ([], ut))))::
  (Dlogic (loc, Ident.create (prefix^"unit"),
	   Env.empty_scheme (Function ([], ut))))::
  (Dlogic (loc, Ident.create (prefix^"ref"),
	   Env.empty_scheme (Function ([ut], ut))))::
(*   (Dlogic (loc, "neq"^suffix, *)
(* 	   Env.empty_scheme (Predicate ([ut; ut])))):: *)
  (Daxiom (loc, axiom "eq",
	   let x = Ident.create "x"
	   and y = Ident.create "y" 
	   and int = Tapp (Ident.create (prefix^"int"), [], []) in
	   Env.empty_scheme
             (Forall (false, x, x, ut, [],
	      Forall (false, y, y, ut, [],
	      (Piff
		 (Papp (Ident.t_eq,
			[Tapp (Ident.create (prefix^"sort"),
			       [int; Tvar x], []);
			 Tapp (Ident.create (prefix^"sort"),
			       [int; Tvar y], [])], []),
		  (Papp (Ident.t_eq, [Tvar x; Tvar y], []))))
		     )))))::
  []

(* Special axioms for arithmetic *)
let arith_kernel =
  (Dlogic (loc, Ident.t_add_int,
	   Env.empty_scheme (Function ([PTint; PTint], PTint))))::
  (Dlogic (loc, Ident.t_sub_int,
	   Env.empty_scheme (Function ([PTint; PTint], PTint))))::
  (Dlogic (loc, Ident.t_mul_int,
	   Env.empty_scheme (Function ([PTint; PTint], PTint))))::
(*
  (Dlogic (loc, Ident.t_div_int,
	   Env.empty_scheme (Function ([PTint; PTint], PTint))))::
  (Dlogic (loc, Ident.t_mod_int,
	   Env.empty_scheme (Function ([PTint; PTint], PTint))))::
*)
  (Dlogic (loc, Ident.t_neg_int,
	   Env.empty_scheme (Function ([PTint], PTint))))::
  (Dlogic (loc, Ident.t_lt_int,
	   Env.empty_scheme (Predicate ([PTint; PTint]))))::
  (Dlogic (loc, Ident.t_le_int,
	   Env.empty_scheme (Predicate ([PTint; PTint]))))::
  (Dlogic (loc, Ident.t_gt_int,
	   Env.empty_scheme (Predicate ([PTint; PTint]))))::
  (Dlogic (loc, Ident.t_ge_int,
	   Env.empty_scheme (Predicate ([PTint; PTint]))))::
  []

(* Function that plunges a term under its type information.  *)
(* Uses an assoc. list of tags -> idents for type variables *)
let plunge fv term pt =
  let rec leftt pt =
    match pt with
      PTint -> Tapp (Ident.create (prefix^"int"), [], [])
    | PTbool -> Tapp (Ident.create (prefix^"bool"), [], [])
    | PTreal -> Tapp (Ident.create (prefix^"real"), [], [])
    | PTunit -> Tapp (Ident.create (prefix^"unit"), [], [])
    | PTvar ({type_val = None} as var) -> 
	let t = 
	  try 
	    List.assoc var.tag fv
	  with Not_found ->
	    let s = string_of_int var.tag in
	    (print_endline ("unknown vartype : "^s); s) 
	in
	Tvar (Ident.create t)
    | PTvar {type_val = Some pt} -> leftt pt
    | PTexternal (ptl, id) -> Tapp (id, List.map (fun pt -> leftt pt) ptl, [])
  in
  Tapp (Ident.create (prefix^"sort"),
	[leftt pt; term],
	[])

(* Function that strips the top most sort application, for terms bound
   in let-ins *)
let strip_topmost t =
  match t with
    | Tapp (symb, [_encoded_ty; encoded_t], []) 
	when symb = Ident.create (prefix^"sort") ->
	encoded_t
    | _ -> t

(* Ground instanciation of an arity (to be plunged under) *)
let instantiate_arity id inst =
  let arity = 
    try List.assoc (Ident.string id) !arities
    with e -> 
      (print_endline ("unknown arity for symbol "^(Ident.string id))); raise e in
  let (vs, log_type) = Env.specialize_logic_type arity in
  match log_type with 
    Function (_ptl, rt) ->
      ignore (Env.Vmap.fold (fun _ v l ->
	(match l with [] -> [] 
	| _ -> (v.type_val <- Some (List.hd l); (List.tl l))))
		vs (List.rev inst));
      rt
  | _ -> assert false

(* Translation of a term *)
let rec translate_term fv lv = function
  | Tvar id -> 
      plunge fv (Tvar id)
	(try List.assoc id lv
	with e -> (* (print_endline ("unknown variable :"^(pp id)); *)
(* 		   print_endline "=== in ==="; *)
(* 		   ignore (List.iter (fun (n, _) -> print_endline (pp n)) lv); *)
	  raise e)
  | Tapp (id, tl, _inst) when Ident.is_simplify_arith id ->
      Tapp(Ident.create (Ident.string id ^ suffix),
	   List.map (translate_term fv lv) tl, [])
  | Tapp (id, tl, inst) ->
      plunge fv (Tapp (id, List.map (translate_term fv lv) tl, []))
	(instantiate_arity id inst)
  | Tconst (ConstInt _) as t -> plunge [] t PTint
  | Tconst (ConstBool _) as t -> plunge [] t PTbool
  | Tconst (ConstUnit) as t -> plunge [] t PTunit
  | Tconst (ConstFloat _f) as t -> plunge [] t PTreal
  | Tderef id as t -> print_endline ("id in Tderef : "^(Ident.string id)); t
  | Tnamed(_,t) -> translate_term fv lv t

(* Generalizing a predicate scheme with foralls (can add a trigger) *)
let rec lifted  l p t =
  match l with [] -> p
  | (_, s)::[] ->
      Forall(false, Ident.create s, Ident.create s, ut, t, p)
  | (_, s)::q -> 
      Forall(false, Ident.create s, Ident.create s, ut, [], lifted q p t)
	
let rec lifted_t l p tr =
  match l with [] -> p
  | (a,t)::[] -> (Forall(false, a, a, t, tr, p))
  | (a,t)::q ->  (Forall(false, a, a, t, [], lifted_t q p tr))

let rec lifted_ctxt l cel =
  (List.map (fun (_,s) -> Svar(Ident.create s, ut)) l)@cel

(* Translation of a predicate *)
let rec translate_pred fv lv = function
  | Papp (id, tl, _inst) when Ident.is_simplify_arith id ->
      Papp (Ident.create ((Ident.string id)^suffix), 
	    List.map (translate_term fv lv) tl, [])
(*   | Papp (id, [a; b], inst) when Ident.is_neq id -> *)
(*       Papp (Ident.create ("neq"^suffix), [translate_term fv lv a; translate_term fv lv b], []) *)
  | Papp (id, tl, _inst) ->
      Papp (id, List.map (translate_term fv lv) tl, [])
  | Plet (id, n, pt, t, p) -> 
      let t' = strip_topmost (translate_term fv lv t) in
	Plet (id, n, ut, t', translate_pred fv ((n,pt)::lv) p)
  | Pimplies (iswp, p1, p2) ->
      Pimplies (iswp, translate_pred fv lv p1, translate_pred fv lv p2)
  | Pif (t, p1, p2) ->
      Pif (translate_term fv lv t, translate_pred fv lv p1, translate_pred fv lv p2)
  | Pand (iswp, issym, p1, p2) ->
      Pand (iswp, issym, translate_pred fv lv p1, translate_pred fv lv p2)
  | Por (p1, p2) ->
      Por (translate_pred fv lv p1, translate_pred fv lv p2)
  | Piff (p1, p2) ->
      Piff (translate_pred fv lv p1, translate_pred fv lv p2)
(*   | Pnot (Papp (id, [a; b], inst)) when Ident.is_eq id -> *)
(*       Papp (Ident.create ("neq"^suffix), [translate_term fv lv a; translate_term fv lv b], []) *)
  | Pnot p ->
      Pnot (translate_pred fv lv p)
  | Forall (iswp, id, n, pt, tl, p) ->
      let lv' = (n,pt)::lv in
(*       print_endline "----"; *)
(*       ignore (List.iter (fun (n, _) -> print_endline (Ident.string n)) lv'); *)
      let tl' = List.map (List.map (translate_pattern fv lv')) tl in
      Forall (iswp, id, n, ut, tl', translate_pred fv lv' p)
  | Forallb (iswp, p1, p2) ->
      Forallb (iswp, translate_pred fv lv p1, translate_pred fv lv p2)
  | Exists (id, n, pt, p) ->
      Exists (id, n, ut, translate_pred fv ((n,pt)::lv) p)
  | Pnamed (s, p) ->
      Pnamed (s, translate_pred fv lv p)
  | _ as d -> d 

and translate_pattern fv lv = function
  | TPat t -> TPat (translate_term fv lv t)
  | PPat p -> PPat (translate_pred fv lv p)

(* Identity for now (Could translate built-in equality into customized equality) *)
let rec translate_eq = (fun d -> d) (* function *)
(*   | Papp (id, tl, inst) when Ident.is_eq id -> *)
(*       Papp (Ident.create ("equal"^suffix), tl, inst) *)
(*   | Papp (id, tl, inst) when Ident.is_neq id -> *)
(*       Pnot (Papp (Ident.create ("equal"^suffix), tl, inst)) *)
(*   | Pimplies (iswp, p1, p2) -> *)
(*       Pimplies (iswp, translate_eq p1, translate_eq p2) *)
(*   | Pif (t, p1, p2) -> *)
(*       Pif (t, translate_eq p1, translate_eq p2) *)
(*   | Pand (iswp, issym, p1, p2) -> *)
(*       Pand (iswp, issym, translate_eq p1, translate_eq p2) *)
(*   | Por (p1, p2) -> *)
(*       Por (translate_eq p1, translate_eq p2) *)
(*   | Piff (p1, p2) -> *)
(*       Piff (translate_eq p1, translate_eq p2) *)
(*   | Pnot p -> *)
(*       Pnot (translate_eq p) *)
(*   | Forall (iswp, id, n, pt, p) -> *)
(*       Forall (iswp, id, n, pt, translate_eq p) *)
(*   | Forallb (iswp, p1, p2) -> *)
(*       Forallb (iswp, translate_eq p1, translate_eq p2) *)
(*   | Exists (id, n, pt, p) -> *)
(*       Exists (id, n, pt, translate_eq p) *)
(*   | Pnamed (s, p) -> *)
(*       Pnamed (s, translate_eq p) *)
(*   | _ as d -> d  *)

(* The core *)
let queue = Queue.create ()

let rec push d = 
  try (match d with
(* A type declaration is translated as new logical function, the arity of *)
(* which depends on the number of type variables in the declaration *)
  | Dtype (loc, ident, vars) ->
      Queue.add (Dlogic (loc, ident, 
			 Env.empty_scheme (Function (unify vars, ut)))) queue
  | Dalgtype _ ->
      assert false
(*
      failwith "encoding rec: algebraic types are not supported"
*)
(* For arithmetic symbols, another encoding is used (see encoding_rec.ml) *)
  | Dlogic (loc, ident, arity) when Ident.is_simplify_arith ident ->
      let cpt = ref 0 in
      let fv = Env.Vset.fold
	  (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (arity.Env.scheme_vars) [] in
      let name = Ident.string ident in
      (match arity.Env.scheme_type with 
      | Predicate ptl ->
	  let args = 
	    List.map
	      (fun t -> Ident.create (let _ = cpt := !cpt + 1 in var^(string_of_int !cpt)), t)
	      ptl in
	  let terml = 
	    Papp (Ident.create (name^suffix),
		  List.map (fun (id, t) -> plunge fv (Tvar id) t) args, [])
	  and termr =
	    Papp (ident, List.map (fun (t, _) -> Tvar t) args, []) in
	  let ax = Env.empty_scheme 
	      (lifted ((List.map (fun (id,_) -> (0, Ident.string id)) args)@fv)
		 (Piff (terml, termr)) [[PPat terml]]) in
	  (Queue.add (Dlogic (loc, Ident.create (name^suffix),
			      Env.empty_scheme (Predicate (unify ptl)))) queue;
	   Queue.add (Dlogic (loc, ident,
			      Env.empty_scheme (Predicate (unify ptl)))) queue;
	   Queue.add (Daxiom (loc, axiom name, ax)) queue)
      | Function (ptl, rt) ->
	  let args = 
	    List.map
	      (fun t -> 
		Ident.create (let _ = cpt := !cpt + 1 in var^(string_of_int !cpt)), t)
	      ptl in
	  let terml = 
	    Tapp (Ident.create (name^suffix),
		  List.map (fun (id, t) -> plunge fv (Tvar id) t) args, []) 
	  and termr =
	    plunge fv 
	      (Tapp (ident, List.map (fun (t, _) -> Tvar t) args, []))
	      rt in
	  let ax = Env.empty_scheme 
	      (lifted 
		 ((List.map (fun (id,_) -> (0,Ident.string id)) args)@fv)
		 (Papp (Ident.t_eq, [terml;termr], [])) [[TPat terml]]) in
	  (Queue.add (Dlogic (loc, Ident.create (name^suffix),
			      Env.empty_scheme (Function (unify ptl, ut)))) queue;
	   Queue.add (Dlogic (loc, ident,
			      Env.empty_scheme (Function (unify ptl, ut)))) queue;
	   Queue.add (Daxiom (loc, axiom name, ax)) queue))
(* In the case of a logic definition, we redefine the logic symbol  *)
(* with type u, and its complete arity is stored for the encoding *)
  | Dlogic (loc, ident, arity) -> 
      arities := (Ident.string ident, arity)::!arities;
      let newarity = match arity.Env.scheme_type with
	Predicate ptl -> Predicate (unify ptl)
      | Function (ptl, _) -> Function (unify ptl, ut) in
      Queue.add (Dlogic (loc, ident,
			 Env.empty_scheme newarity)) queue
(* A predicate definition can be handled as a predicate logic definition + an axiom *)
  | Dpredicate_def (_loc, _ident, _pred_def_sch) ->
      assert false
(*
      let (argl, pred) = pred_def_sch.Env.scheme_type in
      let rootexp = (Papp (ident, List.map (fun (i,_) -> Tvar i) argl, [])) in
      let name = Ident.string ident in
      push (Dlogic (loc, ident, (Env.generalize_logic_type (Predicate (snd (List.split argl))))));
      push (Daxiom (loc, def name, (Env.generalize_predicate 
				       (lifted_t argl (Piff (rootexp, pred)) [[PPat rootexp]]))))
*)
  | Dinductive_def(_loc, _ident, _inddef) ->
      assert false
(*
      failwith "encoding strat: inductive def not yet supported"
*)
(* A function definition can be handled as a function logic definition + an axiom *)
  | Dfunction_def (_loc, _ident, _fun_def_sch) ->
      assert false
(*
(* ?????
      let _ = print_endline ident in
*)
      let (argl, rt, term) = fun_def_sch.Env.scheme_type in
      let rootexp = (Tapp (ident, List.map (fun (i,_) -> Tvar i) argl, [])) in
      let name = Ident.string ident in
      push (Dlogic (loc, ident, (Env.generalize_logic_type (Function (snd (List.split argl), rt)))));
      push (Daxiom (loc, def name,
		    (Env.generalize_predicate
		       (lifted_t argl (Papp (Ident.t_eq, [rootexp; term], [])) [[TPat rootexp]]))))
*)
(* Axiom definitions *)
  | Daxiom (loc, name, pred_sch) ->
      let cpt = ref 0 in
      let fv = Env.Vset.fold
	  (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (pred_sch.Env.scheme_vars) [] in
      let new_axiom =
	Env.empty_scheme (lifted fv (translate_pred fv [] pred_sch.Env.scheme_type) []) in
      Queue.add (Daxiom (loc, name, new_axiom)) queue
(* A goal is a sequent : a context and a predicate and both have to be translated *)
  | Dgoal (loc, is_lemma, expl, name, s_sch) ->
      begin try
	let cpt = ref 0 in
	let fv = Env.Vset.fold
	  (fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (s_sch.Env.scheme_vars) [] in
	let (context, new_cel) = 
	  List.fold_left 
	    (fun (acc_c, acc_new_cel) s -> match s with
		 Spred (id, p) -> (acc_c, 
				   (Spred (id, translate_eq (translate_pred fv acc_c p)))::acc_new_cel)
	       | Svar (id, t) -> ((id,t)::acc_c, (Svar (id, ut))::acc_new_cel))
	    ([], [])
	    (fst (s_sch.Env.scheme_type)) in
	let new_sequent =
	  Env.empty_scheme
	    (lifted_ctxt fv (List.rev new_cel),
	     translate_eq (translate_pred fv context (snd (s_sch.Env.scheme_type)))) in
	Queue.add (Dgoal (loc, is_lemma, expl, name, new_sequent)) queue
      with Not_found -> 
	Format.eprintf "Exception Not_found caught in : %a\n" Util.print_decl d;
	Queue.add (Dgoal (loc, is_lemma, expl, name, Env.empty_scheme([],Pfalse))) queue
      end)
  with
    Not_found -> 
      Format.eprintf "Exception Not_found caught in : %a\n" Util.print_decl d;
      raise Not_found

let iter f =
  (* first the prelude *)
  List.iter f prelude;
  (* then the queue *)
  Queue.iter f queue

let reset () = 
  arities := [];
  Queue.clear queue;
  List.iter push arith_kernel;
(*
  Env.iter_global_logic (fun id _ -> print_endline (Ident.string id));
  Env.iter_global_logic 
    (fun id lts -> push (Dlogic (loc, Ident.string id, lts)))
*)
why-2.34/src/util.ml0000644000175000017500000012272012311670312012717 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Logic
open Ident
open Misc
open Types
open Cc
open Logic_decl
open Ast
open Env
open Rename
open Options


(*s Pretty printers (for debugging purposes) *)

open Format
open Pp

let rec print_type_var fmt = function
  | ({user=true; type_val=None} as v) -> 
      fprintf fmt "'%s" (type_var_name v)
  | {user=true; type_val=Some _} -> assert false
  | {tag=t; type_val=None} -> fprintf fmt "'a%d" t
  | {tag=t; type_val=Some pt} -> 
      if debug then
	fprintf fmt "'a%d(=%a)" t print_pure_type pt
      else
	print_pure_type fmt pt

and print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "real"
  | PTexternal([],id) -> fprintf fmt "%a" Ident.print id
  | PTvar var -> print_type_var fmt var
  | PTexternal([t],id) -> 
      fprintf fmt "%a %a" print_pure_type t Ident.print id
  | PTexternal(l,id) -> fprintf fmt "(%a) %a" 
      (print_list comma print_pure_type) l
      Ident.print id

let print_instance = Pp.print_list Pp.semi print_pure_type


let print_scheme pr fmt x =
  fprintf fmt "[%a]%a" (Pp.print_iter1 Vset.iter Pp.comma print_type_var) x.scheme_vars
    pr x.scheme_type

let rec print_logic_type fmt lt =
  let print_args = print_list comma print_pure_type in
  match lt with
    | Predicate l -> fprintf fmt "%a -> prop" print_args l
    | Function (l, pt) -> 
	fprintf fmt "%a -> %a" print_args l print_pure_type pt

let rec print_term fmt = function
  | Tconst (ConstInt n) -> 
      fprintf fmt "%s" n
  | Tconst (ConstBool b) -> 
      fprintf fmt "%b" b
  | Tconst ConstUnit -> 
      fprintf fmt "void" 
  | Tconst (ConstFloat c) -> 
      Print_real.print fmt c
  | Tvar id -> 
      (if debug then Ident.dbprint else Ident.print) fmt id
  | Tderef id ->
      fprintf fmt "!%a" Ident.lprint id
  | Tapp (id, tl, []) -> 
      fprintf fmt "%s(%a)" (Ident.string id) (print_list comma print_term) tl
  | Tapp (id, tl, i) -> 
      fprintf fmt "%s(%a)[%a]" 
	(Ident.string id) (print_list comma print_term) tl
	(print_list comma print_pure_type) i
  | Tnamed(User lab,t) ->
      fprintf fmt "(%s : %a)" lab print_term t
  | Tnamed(Internal n,t) ->
      fprintf fmt "((%d) : %a)" n print_term t

let relation_string id =
  if id == t_lt || id == t_lt_int || id == t_lt_real then "<" 
  else if id == t_le || id == t_le_int || id == t_le_real then "<="
  else if id == t_gt || id == t_gt_int || id == t_gt_real then ">"
  else if id == t_ge || id == t_ge_int || id == t_ge_real then ">="
  else if is_eq id then "="
  else if is_neq id then "<>"
  else assert false


let rec print_pattern fmt = function
  | TPat t -> print_term fmt t
  | PPat p -> print_predicate fmt p

and print_triggers fmt = function
  | [] -> ()
  | tl -> fprintf fmt " [%a]" (print_list alt (print_list comma print_pattern))tl

and print_predicate fmt = function
  | Pvar id -> 
      (if debug then Ident.dbprint else Ident.print) fmt id
(*
  | Papp (id, [t1; t2]) when is_relation id ->
      fprintf fmt "%a %s %a" print_term t1 (relation_string id) print_term t2
*)
  | Papp (id, l, []) ->
      fprintf fmt "%s(%a)" (Ident.string id) (print_list comma print_term) l
  | Papp (id, l, i) ->
      fprintf fmt "%s(%a)[%a]" 
	(Ident.string id) (print_list comma print_term) l
	(print_list comma print_pure_type) i
  | Ptrue ->
      fprintf fmt "true"
  | Pfalse ->
      fprintf fmt "false"
  | Pimplies (_, a, b) -> 
      fprintf fmt "(@[%a ->@ %a@])" print_predicate a print_predicate b
  | Piff (a, b) -> 
      fprintf fmt "(@[%a <->@ %a@])" print_predicate a print_predicate b
  | Pif (a, b, c) -> 
      fprintf fmt "(@[if %a then@ %a else@ %a@])" 
	print_term a print_predicate b print_predicate c
  | Pand (_, _, a, b) ->
      fprintf fmt "(@[%a and@ %a@])" print_predicate a print_predicate b
  | Forallb (_, ptrue, pfalse) ->
      fprintf fmt "(@[forallb(%a,@ %a)@])" 
	print_predicate ptrue print_predicate pfalse
  | Por (a, b) ->
      fprintf fmt "(@[%a or@ %a@])" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "(not %a)" print_predicate a
  | Forall (_,_,b,v,tl,p) ->
      fprintf fmt "@[(forall %a:%a%a.@ %a)@]"
	(if debug then Ident.dbprint else Ident.print) b 
	print_pure_type v print_triggers tl print_predicate p
  | Exists (_,b,v,p) ->
      fprintf fmt "@[(exists %a:%a @ %a)@]" 
	(if debug then Ident.dbprint else Ident.print) b 
	print_pure_type v print_predicate p
  | Pnamed (User n, p) ->
      fprintf fmt "@[%s:@ %a@]" n print_predicate p
  | Pnamed (Internal n, p) ->
      fprintf fmt "@[(%d):@ %a@]" n print_predicate p
  | Plet (_, x, _, t, p) ->
      fprintf fmt "@[(let %a = %a in@ %a)@]" Ident.print x print_term t
	print_predicate p

let print_assertion fmt a = 
  fprintf fmt "%a: %a" Ident.print a.a_name print_predicate a.a_value

let print_wp fmt = function
  | None -> fprintf fmt ""
  | Some {a_value=p} -> print_predicate fmt p

let print_pre print_assertion fmt l = 
  if l <> [] then begin
    fprintf fmt "@[ ";
    print_list semi print_assertion fmt l;
    fprintf fmt " @]"
  end

let print_assertion fmt a = print_predicate fmt a.a_value

let print_exn print_assertion fmt (x,c) = 
  fprintf fmt "| %a => @[%a@]@," Ident.print x print_assertion c

let print_post print_assertion fmt = function
  | None -> 
      ()
  | Some (c,[]) -> 
      fprintf fmt "@[ %a @]" print_assertion c
  | Some (c, l) -> 
      fprintf fmt "@[ %a@ %a @]" print_assertion c 
	(print_list space (print_exn print_assertion)) l

let rec print_type_v fmt = function
  | Arrow (b,c) ->
      fprintf fmt "@[%a ->@ %a@]" 
	(print_list arrow pp_binder) b print_type_c c
  | v -> 
      print_type_v2 fmt v

and pp_binder fmt = function
  | id, v when id == Ident.anonymous -> 
      print_type_v2 fmt v
  | id, v ->
      fprintf fmt "@[%a:%a@]" Ident.print id print_type_v v

and print_type_v2 fmt = function
  | Ref v -> 
      fprintf fmt "@[%a@ ref@]" print_pure_type v
  | PureType pt -> 
      print_pure_type fmt pt
  | Arrow _ as v ->
      fprintf fmt "(%a)" print_type_v v

and print_type_c fmt c =
  let id = c.c_result_name in
  let v = c.c_result_type in
  let p = c.c_pre in
  let q = c.c_post in
  let e = c.c_effect in
  if e = Effect.bottom && p = [] && q = None then
    print_type_v fmt v
  else
    fprintf fmt "@[{%a}@ returns %a: %a@ %a@,{%a}@]" 
      (print_pre print_predicate) p
      Ident.print id 
      print_type_v v 
      Effect.print e
      (print_post print_predicate) q

let print_typing_info fmt c =
  let id = c.t_result_name in
  let v = c.t_result_type in
  let q = c.t_post in
  let e = c.t_effect in
  if e = Effect.bottom && q = None then
    print_type_v fmt v
  else
    fprintf fmt "@[{}@ returns %a: %a@ %a@,{%a}@]" 
      Ident.print id 
      print_type_v v 
      Effect.print e
      (print_post print_assertion) q

(*s Pretty-print of typed programs *)

let rec print_prog fmt (pre,p) = 
  let i = p.info in
  fprintf fmt "@[%s:@,@[{%a}@]@ @[%a@]@ @[{%a}@]@]" 
    i.t_label (print_pre print_assertion) pre 
    print_desc p.desc (print_post print_assertion) i.t_post

and print_expr fmt p =
  let i = p.info in
  if i.t_post = None then
    fprintf fmt "@[%s:@,%a@]" i.t_label print_desc p.desc
  else
    fprintf fmt "@[%s:@,{}@ @[%a@]@ @[{%a}@]@]" i.t_label
      print_desc p.desc (print_post print_assertion) i.t_post

and print_desc fmt = function
  | Var id -> 
      Ident.print fmt id
  | Seq (e1, e2) -> 
      fprintf fmt "@[%a@ %a@]" print_expr e1 print_expr e2
  | Loop (i, _var, e) ->
      fprintf fmt 
	"loop @\n { invariant @[%a@] variant _ }@\n  @[%a@]@\ndone" 
	(print_option print_assertion) i print_expr e
  | If (p1, p2, p3) ->
      fprintf fmt "@[if %a then@ %a else@ %a@]" 
	print_expr p1 print_expr p2 print_expr p3
  | Lam (_bl, p, e) -> 
      fprintf fmt "@[fun  ->@ @[%a@]@\n  %a@]" 
	(print_pre print_assertion) p print_expr e
  | AppRef (p, x, k) -> 
      fprintf fmt "(@[%a %a ::@ %a@])" 
	print_expr p Ident.print x print_typing_info k
  | AppTerm (p, t, k) -> 
      fprintf fmt "(@[%a %a ::@ %a@])" 
	print_expr p print_term t print_typing_info k
  | LetRef (id, p1, p2) ->
      fprintf fmt "@[@[let %a =@ ref %a@ in@]@ %a@]" 
	Ident.print id print_expr p1 print_expr p2
  | LetIn (id, p1, p2) ->
      fprintf fmt "@[@[let %a =@ %a in@]@ %a@]" 
	Ident.print id print_expr p1 print_expr p2
  | Rec (id, _bl, v, _var, p, e) ->
      fprintf fmt "rec %a :  %a { variant _ } =@ %a@\n%a" 
	Ident.print id print_type_v v 
	(print_pre print_assertion) p print_expr e
  | Raise (id, None) ->
      fprintf fmt "raise %a" Ident.print id
  | Raise (id, Some p) ->
      fprintf fmt "@[raise@ (@[%a@ %a@])@]" 
	Ident.print id print_expr p
  | Try (p, hl) ->
      fprintf fmt "@[try@ %a@ with %a@ end@]" print_expr p 
	(print_list alt print_handler) hl
  | Expression t -> 
      print_term fmt t
  | Absurd ->
      fprintf fmt "absurd"
  | Any k ->
      fprintf fmt "[%a]" print_type_c k
  | Assertion (_b, l, p) ->
      fprintf fmt "@[{%a}@ %a@]" 
	(print_pre print_assertion) l print_expr p
  | Post (e, q, Transparent) ->
      fprintf fmt "@[(%a@ { %a })@]" 
	print_expr e (print_post print_assertion) (Some q)
  | Post (e, q, Opaque) ->
      fprintf fmt "@[(%a@ {{ %a }})@]" 
	print_expr e (print_post print_assertion) (Some q)
  | Label (s, e) ->
      fprintf fmt "@[%s:@ %a@]" s print_expr e

and print_handler fmt ((id, a), e) = match a with
  | None -> 
      fprintf fmt "%a ->@ %a" Ident.print id print_expr e
  | Some a -> 
      fprintf fmt "%a %a ->@ %a" Ident.print id Ident.print a print_expr e

and print_cast fmt = function
  | None -> ()
  | Some v -> fprintf fmt ": %a" print_type_v v

(*s Pretty-print of cc-terms (intermediate terms) *)

let print_pred_binders = ref true
let print_var_binders = ref false

let rec print_cc_type fmt = function
  | TTpure pt -> 
      print_pure_type fmt pt
  | TTarray t -> 
      fprintf fmt "(array %a)" print_cc_type t
  | TTlambda (b, t) ->
      fprintf fmt "[%a]%a" print_binder b print_cc_type t
  | TTarrow (b, t) -> 
      fprintf fmt "(%a)%a" print_binder b print_cc_type t
  | TTtuple (bl, None) -> 
      fprintf fmt "{%a}" print_tuple bl
  | TTtuple (bl, Some q) -> 
      fprintf fmt "{%a | %a}" print_tuple bl print_cc_type q
  | TTpred p ->
      print_predicate fmt p
  | TTapp (tt, l) ->
      fprintf fmt "(%a %a)" print_cc_type tt (print_list space print_cc_type) l
  | TTterm t ->
      print_term fmt t
  | TTSet -> 
      fprintf fmt "Set"

and print_tuple fmt = print_list comma print_binder fmt

and print_binder fmt (id,b) = 
  Ident.print fmt id;
  match b with
    | CC_pred_binder p -> 
	if !print_pred_binders then fprintf fmt ": %a" print_predicate p
    | CC_var_binder t -> 
	if !print_var_binders then fprintf fmt ": %a" print_cc_type t
    | CC_untyped_binder -> 
	()

let rec print_cc_pattern fmt = function
  | PPvariable (id, _) -> 
      Ident.print fmt id
  | PPcons (id, pl) -> 
      fprintf fmt "(%a %a)" 
	Ident.print id (print_list space print_cc_pattern) pl

let print_case_pred fmt (x,_) = Ident.print fmt x

let rec print_cc_term fmt = function
  | CC_var id -> 
      fprintf fmt "%s" (Ident.string id)
  | CC_letin (_,bl,c,c1) ->
      fprintf fmt "@[@[let %a =@ %a in@]@\n%a@]"
      (print_list comma print_binder) bl
      print_cc_term c print_cc_term c1
  | CC_lam (b,c) ->
      fprintf fmt "@[[%a]@,%a@]" print_binder b print_cc_term c
  | CC_app (f,a) ->
      fprintf fmt "@[(%a@ %a)@]" print_cc_term f print_cc_term a
  | CC_tuple (cl,_) ->
      fprintf fmt "@[(%a)@]" (print_list comma print_cc_term) cl
  | CC_if (b,e1,e2) ->
      fprintf fmt "@[if "; print_cc_term fmt b; fprintf fmt " then@\n  ";
      hov 0 fmt (print_cc_term fmt) e1;
      fprintf fmt "@\nelse@\n  ";
      hov 0 fmt (print_cc_term fmt) e2;
      fprintf fmt "@]"
  | CC_case (e,pl) ->
      fprintf fmt "@[match %a with@\n  @[%a@]@\nend@]" 
	print_cc_term e (print_list newline print_case) pl
  | CC_term c ->
      fprintf fmt "@["; print_term fmt c; fprintf fmt "@]"
  | CC_hole (_, c) ->
      fprintf fmt "@[(?:@ "; print_predicate fmt c; fprintf fmt ")@]"
  | CC_type t ->
      print_cc_type fmt t
  | CC_any t ->
      fprintf fmt "@[(any(%a))@]" print_cc_type t

and print_binders fmt bl =
  print_list nothing (fun fmt b -> fprintf fmt "[%a]" print_binder b) fmt bl

and print_case fmt (p,e) =
  fprintf fmt "@[| %a =>@ %a@]" print_cc_pattern p print_cc_term e

let print_subst fmt =
  Idmap.iter
    (fun id t -> fprintf fmt "%a -> %a@\n" Ident.print id print_term t)

let print_cc_subst fmt =
  Idmap.iter
    (fun id t -> fprintf fmt "%a -> %a@\n" Ident.print id print_cc_term t)


let print_env fmt e =
  fold_all (fun (id, v) () -> fprintf fmt "%a:%a, " Ident.dbprint id 
		print_type_v v) e ()



(*s References mentioned by a predicate *)

let is_reference env id =
  (is_in_env env id) && (is_mutable (type_in_env env id))

let predicate_now_refs env c =
  Idset.filter (is_reference env) (predicate_vars c)

let term_now_refs env c =
  Idset.filter (is_reference env) (term_vars c)


let labelled_reference env id =
  if is_reference env id then
    id
  else if is_at id then
    let uid,_ = Ident.un_at id in 
    if is_reference env uid then uid else failwith "caught"
  else
    failwith "caught"

let set_map_succeed f s = 
  Idset.fold 
    (fun x e -> try Idset.add (f x) e with Failure _ -> e) 
    s Idset.empty

let predicate_refs env c =
  set_map_succeed (labelled_reference env) (predicate_vars c)

let term_refs env c =
  set_map_succeed (labelled_reference env) (term_vars c)

let post_refs env q =
  set_map_succeed (labelled_reference env) (apost_vars q)

(*s Labels management *)

let gen_change_label f c =
  let ids = Idset.elements (predicate_vars c) in
  let s = 
    List.fold_left 
      (fun s id -> 
	 if is_at id then 
	   try Idmap.add id (f (un_at id)) s with Failure _ -> s
	 else s)
      Idmap.empty ids
  in
  subst_in_predicate s c

let erase_label l c =
  gen_change_label 
    (function (uid,l') when l = l' -> uid | _ -> failwith "caught") c

let change_label l1 l2 c =
  gen_change_label 
    (function (uid,l) when l = l1 -> at_id uid l2 | _ -> failwith "caught") c

let put_label_term env l t =
  let ids = term_refs env t in
  let s = 
    Idset.fold (fun id s -> Idmap.add id (at_id id l) s) ids Idmap.empty 
  in
  subst_in_term s t

let put_label_predicate env l p =
  let ids = predicate_refs env p in
  let s = 
    Idset.fold (fun id s -> Idmap.add id (at_id id l) s) ids Idmap.empty 
  in
  subst_in_predicate s p

let oldify env ef t =
  let ids = term_refs env t in
  let s =
    Idset.fold 
      (fun id s -> 
	 if Effect.is_write ef id then Idmap.add id (at_id id "") s else s)
      ids Idmap.empty
  in
  subst_in_term s t

let type_c_subst_oldify env x t k =
  let s = subst_one x t in 
  let s_old = subst_one x (oldify env k.c_effect t) in
  { c_result_name = k.c_result_name;
    c_result_type = type_v_rsubst s k.c_result_type;
    c_effect = k.c_effect;
    c_pre = List.map (tsubst_in_predicate s) k.c_pre;
    c_post = option_app (post_app (tsubst_in_predicate s_old)) k.c_post }

(*s shortcuts for typing information *)

let effect p = p.info.t_effect
let post p = p.info.t_post
let result_type p = p.info.t_result_type
let result_name p = p.t_result_name

let erase_exns ti = 
  { ti with t_effect = Effect.erase_exns ti.t_effect }

(*s [apply_pre] and [apply_post] instantiate pre- and post- conditions
    according to a given renaming of variables (and a date that means
    `before' in the case of the post-condition). *)

let make_subst before ren env ids =
  Idset.fold
    (fun id s ->
       if is_reference env id then
	 Idmap.add id (current_var ren id) s
       else if is_at id then
	 let uid,d = un_at id in
	 if is_reference env uid then begin
	   let d' = match d, before with
	     | "", None -> assert false
	     | "", Some l -> l
	     | _ -> d
	   in
	   Idmap.add id (var_at_date ren d' uid) s
	 end else
	   s
       else
	 s) 
    ids Idmap.empty

let apply_term ren env t =
  let ids = term_vars t in
  let s = make_subst None ren env ids in
  subst_in_term s t

let apply_assert ren env c =
  let ids = predicate_vars c in
  let s = make_subst None ren env ids in
  subst_in_predicate s c
 
let a_apply_assert ren env c =
  let ids = predicate_vars c.a_value in
  let s = make_subst None ren env ids in
  asst_app (subst_in_predicate s) c
 
let apply_post before ren env q =
  let ids = post_vars q in
  let s = make_subst (Some before) ren env ids in
  post_app (subst_in_predicate s) q
  
let a_apply_post before ren env q =
  let ids = apost_vars q in
  let s = make_subst (Some before) ren env ids in
  post_app (asst_app (subst_in_predicate s)) q
  
(*s [traverse_binder ren env bl] updates renaming [ren] and environment [env]
    as we cross the binders [bl]. *)

let rec traverse_binders env = function
  | [] -> 
      env
  | (id, v) :: rem ->
      traverse_binders (Env.add id v env) rem
	  
let initial_renaming env =
  let ids = Env.fold_all (fun (id,_) l -> id::l) env [] in
  update empty_ren "%init" ids


(*s Occurrences *)

let rec occur_term id = function
  | Tvar id' | Tderef id' -> id = id'
  | Tapp (_, l, _) -> List.exists (occur_term id) l
  | Tconst _ -> false
  | Tnamed(_,t) -> occur_term id t

let rec occur_pattern id = function
  | TPat t -> occur_term id t
  | PPat p -> occur_predicate id p

and occur_trigger id = List.exists (occur_pattern id)
and occur_triggers id = List.exists (occur_trigger id)

and occur_predicate id = function
  | Pvar _ | Ptrue | Pfalse -> false
  | Papp (_, l, _) -> List.exists (occur_term id) l
  | Pif (a, b, c) -> 
      occur_term id a || occur_predicate id b || occur_predicate id c
  | Forallb (_, a, b) 
  | Pimplies (_, a, b) 
  | Pand (_, _, a, b) 
  | Piff (a, b) 
  | Por (a, b) -> occur_predicate id a || occur_predicate id b
  | Pnot a -> occur_predicate id a
  | Forall (_,_,_,_,tl,a) -> occur_triggers id tl || occur_predicate id a
  | Exists (_,_,_,a) -> occur_predicate id a
  | Pnamed (_, a) -> occur_predicate id a
  | Plet (_, _, _, t, a) -> occur_term id t || occur_predicate id a

let occur_assertion id a = occur_predicate id a.a_value

let gen_occur_post occur_assertion id = function 
  | None -> 
      false 
  | Some (q,l) -> 
      occur_assertion id q || 
      List.exists (fun (_,a) -> occur_assertion id a) l

let occur_post = gen_occur_post occur_assertion

let rec occur_type_v id = function
  | PureType _ | Ref _ -> false
  | Arrow (bl, c) -> occur_arrow id bl c

and occur_type_c id c =
  occur_type_v id c.c_result_type ||
  List.exists (occur_predicate id) c.c_pre ||
  Effect.occur id c.c_effect ||
  gen_occur_post occur_predicate id c.c_post 

and occur_arrow id bl c = match bl with
  | [] -> 
      occur_type_c id c
  | (id', v) :: bl' -> 
      occur_type_v id v || (id <> id' && occur_arrow id bl' c)

let rec noPnamed = function
  | Pnamed(_, p) -> noPnamed p
  | p -> p

(* [quant_boolean_as_conj] checks whether p is either (if result ...)
   or (if result ... -> if result ...) i.e. if forall b. p(b) can be
   simplified into p(true) and p(false) *)
let quant_boolean_as_conj x p = 
  not fast_wp &&
  match noPnamed p with
    | Pif (Tvar id, _, _) -> id == x
    | Pimplies(_, p1, p2) ->
	begin
	  match noPnamed p1, noPnamed p2 with
	    | Pif (Tvar id1, _, _), Pif (Tvar id2, _, _) -> 
		id1 == x && id2 == x
	    | _ -> false
	end
    | _ -> false

(* [mk_bool_forall x p] simplifies (forall x. (if x then pt else pf) -> q)
   into q[x=true <- pt; x=false <- pf] when the only occurrences of x in p
   are x=true or x=false *)
let mk_bool_forall x p = match noPnamed p with
  | Pimplies (_, p1, q) -> begin match noPnamed p1 with
      | Pif (Tvar y, pt, pf) when y == x ->
	  let rec subst = function
	    | Papp (id, [Tvar y; c], _) as p when id == t_eq_bool && y == x ->
		begin match c with
		  | Tconst (ConstBool true) -> pt
		  | Tconst (ConstBool false) -> pf
		  | _ -> if occur_term x c then raise Exit; p
		end
	    | Papp (_, tl, _) as p ->
		if List.exists (occur_term x) tl then raise Exit; p
	    | Pif (t, _, _) when occur_term x t -> 
		raise Exit
	    | p ->
		map_predicate subst p
	  in
	  subst q
      | _ -> raise Exit 
    end
  | _ -> raise Exit

let mk_forall is_wp x v triggers p =
  let n = Ident.bound x in
  let s = subst_onev x n in
  let p = subst_in_predicate s p in
  let subst_in_pattern s = function
    | TPat t -> TPat (subst_in_term s t)
    | PPat p -> PPat (subst_in_predicate s p) in
  let triggers = List.map (List.map (subst_in_pattern s)) triggers in
  Forall (is_wp, x, n, mlize_type v, triggers, p)

let forall ?(is_wp=false) x v ?(triggers=[]) p = match v with
  (* particular case: $\forall b:bool. Q(b) = Q(true) and Q(false)$ *)
  | PureType PTbool when quant_boolean_as_conj x p ->
      let ptrue = tsubst_in_predicate (subst_one x ttrue) p in
      let pfalse = tsubst_in_predicate (subst_one x tfalse) p in
      Pand (true, true, simplify ptrue, simplify pfalse)
  | PureType PTbool ->
      (try mk_bool_forall x p with Exit -> mk_forall is_wp x v triggers p)
  | _ ->
      mk_forall is_wp x v triggers p

let pforall ?(is_wp=false) x v p =
  if p = Ptrue then Ptrue else forall ~is_wp x v p

let foralls ?(is_wp=false) =
  List.fold_right
    (fun (x,v) p -> if occur_predicate x p then forall ~is_wp x v p else p)

let foralls_many ?(is_wp=false) bl p =
  let l1,l2 = 
    List.fold_right 
      (fun ((x,_v) as xv) (l1,l2) ->
	if occur_predicate x p then 
	  let n = Ident.bound x in xv::l1, n::l2
	else
	  l1,l2)
      bl ([],[])
  in
  let s = subst_manyv (List.map fst l1) l2 in
  let p = subst_in_predicate s p in
  List.fold_right2 
    (fun (x,v) n p -> Forall (is_wp, x, n, mlize_type v, [], p))
    l1 l2 p

let exists x v p =
  let n = Ident.bound x in
  let p = subst_in_predicate (subst_onev x n) p in
  Exists (x, n, mlize_type v, p)

let pexists x v p = 
  if p = Ptrue then Ptrue else exists x v p

let plet x pt t p =
  let n = Ident.bound x in
  let s = subst_onev x n in
  (* warning: do not subst in t *)
  let p = subst_in_predicate s p in
  Plet (x, n, pt, t, p)

(* decomposing universal quantifiers, renaming variables on the fly *)

let decomp_forall ?(ids=Idset.empty) p = 
  let rec decomp bv = function
    | Forall (_,id,n,pt,_,p) ->
	decomp ((id,n,pt) :: bv) p
    | p ->
	let s,_,bv = 
	  List.fold_left 
	    (fun (s,ids,bv) (id,n,pt) -> 
	      let id' = next_away id ids in
	      let s = Idmap.add n id' s in
	      let ids = Idset.add id' ids in
	      s, ids, (id',pt) :: bv)
	    (Idmap.empty, Idset.union ids (predicate_vars p), []) bv
	in
	bv, subst_in_predicate s p
  in
  decomp [] p


(* misc. functions *)

let deref_type = function
  | Ref v -> v
  | _ -> invalid_arg "deref_type"

let dearray_type = function
  | PureType (PTexternal ([pt], id)) when id == Ident.farray -> pt
  | _ -> invalid_arg "dearray_type"

let decomp_type_c c = 
  ((c.c_result_name, c.c_result_type), c.c_effect, c.c_pre, c.c_post)

let decomp_kappa c = 
  ((c.t_result_name, c.t_result_type), c.t_effect, c.t_post)

let id_from_name = function Name id -> id | Anonymous -> (Ident.create "X")

(* [decomp_boolean c] returns the specs R and S of a boolean expression *)

let equality t1 t2 = Papp (t_eq, [t1; t2], [])
let nequality t1 t2 = Papp (t_neq, [t1; t2], [])

let tequality v t1 t2 = match v with
  | PureType PTint -> Papp (t_eq_int, [t1; t2], [])
  | PureType PTbool -> Papp (t_eq_bool, [t1; t2], [])
  | PureType PTreal -> Papp (t_eq_real, [t1; t2], [])
  | PureType PTunit -> Papp (t_eq_unit, [t1; t2], [])
  | _ -> Papp (t_eq, [t1; t2], [])

let distinct tl = 
  let rec make acc = function
    | [] | [_] -> 
	acc
    | t :: tl -> 
	let p = List.fold_left (fun p t' -> pand (nequality t t') p) acc tl in
	make p tl
  in
  make Ptrue tl

let decomp_boolean ({ a_value = c }, _) =
  (* q -> if result then q(true) else q(false) *)
  let ctrue = tsubst_in_predicate (subst_one Ident.result ttrue) c in
  let cfalse = tsubst_in_predicate (subst_one Ident.result tfalse) c in
  simplify ctrue, simplify cfalse

(*s [make_access env id c] Access in array id.
    Constructs [t:(array s T)](access_g s T t c ?::(lt c s)). *)

let add_ctx_vars =
  List.fold_left 
    (fun acc -> function Svar (id,_) -> Idset.add id acc | _ -> acc)












(**
   split : split predicate into a list of smaller predicates
   @param ctx : list of already split hypothesis (empty at first call)
   @param pol : polarity of the current predicate (1 at first call)
   @param matched : predicate to split
   @result l : l : list of split predicates 
**)
let rec split_one ctx pol = function
  | Pimplies (i, Por(h1,h2), c) when pol > 0-> (* split(h1 \/ h2 -> c) ~~~> split(h1->c) U split(h2->) *)
      let imp1=(split_one ctx pol (Pimplies (i, h1, c))) in 
      let imp2=(split_one imp1 pol (Pimplies (i, h2, c))) in 
      (*(List.append (List.append imp1 imp2) ctx)*)
      imp2
	
  | Pimplies (i, a, c) when pol > 0->          (* split( h -> c) ~~~> U_c':split(c) {h->c'}  *)
      let lc=split_one [] pol c in
      List.fold_left (fun ct c' -> Pimplies(i,a,c')::ct)  ctx lc
	
  | Pand (_,_, a, b) when pol > 0->            (* split(c1 /\ c2)  ~~~> split(c1) U split(c2)  *)
      let l1 = split_one ctx pol a in   
      (split_one l1 pol b)
	
  | Forall (a, id, n, t, b, c) when pol>0 ->   (* split(forall x.c)  ~~~>  U_c':split(c) {forall x.c'}   *)
      let lc'=split_one [] pol c in
      List.fold_left (fun ct c' -> Forall (a, id, n, t, b, c')::ct)  ctx lc'
	
  | Exists (a, b, t, c) when pol>0 ->          (* split(exists x.c)  ~~~> U_c':split-(c) {exists x.c'} *)
      let lc'=split_one [] (-pol) c in
      List.fold_left (fun ct c' -> Exists (a, b, t, c')::ct)  ctx lc'
	
  | Por (a, b) when pol < 0->                  (* split-(c1 \/ c2)  ~~~> split-(c1) U split-(c2)  *)
      let l1 = split_one ctx pol a in   
      (split_one l1 pol b)
	
  | c ->                                       (* split(c)  ~~~> {c}  *)
      c::ctx
	  

(**
   split : split each predicate of a list into a smaller predicates
   @param ctx : list of already split hypothesis
   @param pol : polarity of the current predicate
   @param matched : list of CC_context predicates to split
   @result l : l : list of split hypothesis 
**)
let rec split ctx my_fresh_hyp =
  function
    | [] -> ctx
    | Spred (_h,p):: l -> split (List.fold_left (fun lp p -> Spred(my_fresh_hyp (),p)::lp ) ctx (split_one [] 1 p)) my_fresh_hyp l
    | c :: l -> c :: (split (c::ctx) my_fresh_hyp l)



(**
   intro : split a predicate into a list of hypothesis and a goal
   @param ctx : empty list
   @param p : predicate to split
   @param my_fresh_hyp : function that provide a fresh name of variable
   @result (l,g) : l : list of hypothesis / g : goal
**)
let intros ctx p my_fresh_hyp split_res =   
  (**
     introb : split a predicate into a list of hypothesis and a goal
     @param ctx : list of already split hypothesis
     @param pol : polarity of the current predicate
     @param matched : predicate
     @result (l,g) : l : list of hypothesis / g : goal
  **)
  let rec introb ctx pol = function
    | Forall (_, id, n, t, _, p) when pol>0 ->
	let id' =  Ident.bound id  in
	let sp  =  Misc.subst_onev  n  id' in
	let pp  =  Misc.subst_in_predicate sp p in
	introb (Svar (id', t) :: ctx) pol pp
    | Pimplies (_, a, b) when pol > 0-> 
	let h = my_fresh_hyp () in
	let (l,p) = introb [] (-pol) a in 
	let l' =  Spred(h, p)::ctx in 
	introb (List.append l l') pol b
    | Pand (_,_, a, b) when pol < 0-> 
       let (l1,p1) = introb ctx pol a in
       let h1 = my_fresh_hyp () in
       let l' = Spred(h1, p1)::l1 in
       let (l2,p2) = introb l' pol b in
       l2, p2 
    | Pnamed (_, p) ->
	introb ctx pol p
    | c -> 
	 ctx, c 
  in 
  let l,g = introb ctx 1 p in 
  if split_res then
    (split [] my_fresh_hyp l ), g
  else
    List.rev l, g   



let array_info env id =
  let ty = type_in_env env id in
  let v = dearray_type ty in
  (*i let ty_elem = trad_ml_type_v ren env v in
  let ty_array = trad_imp_type ren env ty in i*)
  v

let make_raw_access env (id,id') c =
  let pt = array_info env id in
  Tapp (Ident.access, [Tvar id'; c], [pt])

let make_pre_access env id c =
  let pt = array_info env id in
  let c = unref_term c in
  Pand (false, true, 
	le_int (Tconst (ConstInt "0")) c, lt_int c (array_length id pt))
      
let make_raw_store env (id,id') c1 c2 =
  let pt = array_info env id in
  Tapp (Ident.store, [Tvar id'; c1; c2], [pt])

(*s to build AST *)

let make_lnode loc p env k = 
  { desc = p; 
    info = { t_loc = loc; t_env = env; t_label = label_name ();
	     t_userlabel = "";
	     t_result_name = k.c_result_name; t_result_type = k.c_result_type;
	     t_effect = k.c_effect; 
	     t_post = optpost_app (anonymous loc) k.c_post } }

let make_var loc x t env =
  make_lnode loc (Expression (Tvar x)) env (type_c_of_v t)

let make_expression loc e t env =
  make_lnode loc (Expression e) env (type_c_of_v t)
    
let make_annot_bool loc b env =
  let k = type_c_of_v (PureType PTbool) in
  let b = Tconst (ConstBool b) in
  let q = equality (Tvar result) b in
  make_lnode loc (Expression b) env { k with c_post = Some (q, []) }

let make_void loc env = 
  make_expression loc (Tconst ConstUnit) (PureType PTunit) env 

let make_raise loc x v env =
  let k = type_c_of_v v in
  let ef = Effect.add_exn exit_exn Effect.bottom in
  make_lnode loc (Raise (x, None)) env { k with c_effect = ef }

let change_desc p d = { p with desc = d }

let force_post env q e = match q with
  | None -> 
      e
  | Some c ->
      let c = force_post_loc e.info.t_loc c in
      let ids = post_refs env c in
      let ef = Effect.add_reads ids e.info.t_effect in
      let i = { e.info with t_post = Some c; t_effect = ef } in
      { e with info = i }

let post_named c = 
  { a_value = c; a_name = post_name (); 
    a_loc = Loc.dummy_position; a_proof = None }

let create_postval c = Some (post_named c)

let create_post c = Some (post_named c, [])

(*s For debugging purposes *)

open Ptree

let rec print_ptree fmt p = match p.pdesc with
  | Svar x -> Ident.print fmt x
  | Sderef x -> fprintf fmt "!%a" Ident.print x
  | Sseq (p1, p2) ->
      fprintf fmt "@[%a;@ %a@]" print_ptree p1 print_ptree p2
  | Sloop ( _, _, p2) ->
      fprintf fmt "loop@\n  @[%a@]@\ndone" print_ptree p2
  | Sif (p1, p2, p3) ->
      fprintf fmt "@[if %a then@ %a else@ %a@]" 
	print_ptree p1 print_ptree p2 print_ptree p3
  | Slazy_and (p1, p2) ->
      fprintf fmt "@[(%a &&@ %a)@]" print_ptree p1 print_ptree p2
  | Slazy_or (p1, p2) ->
      fprintf fmt "@[(%a ||@ %a)@]" print_ptree p1 print_ptree p2
  | Snot p1 ->
      fprintf fmt "@[(not %a)@]" print_ptree p1
  | Slam (_bl, _pre, p) ->
      fprintf fmt "@[fun <...> ->@ %a@]" print_ptree p
  | Sapp (p, a) ->
      fprintf fmt "(%a %a)" print_ptree p print_ptree a
  | Sletref (id, e1, e2) -> 
      fprintf fmt "@[let %a = ref %a in@ %a@]" 
	Ident.print id print_ptree e1 print_ptree e2
  | Sletin (id, e1, e2) ->
      fprintf fmt "@[let %a = %a in@ %a@]"
	Ident.print id print_ptree e1 print_ptree e2
  | Srec _ ->
      fprintf fmt ""
  | Sraise (x, None, _) -> 
      fprintf fmt "raise %a" Ident.print x
  | Sraise (x, Some e, _) -> 
      fprintf fmt "raise (%a %a)" Ident.print x print_ptree e
  | Stry (e, hl) ->
      fprintf fmt "@[try %a with@\n  @[%a@]@\nend@]" 
	print_ptree e (print_list newline print_phandler) hl
  | Sconst c -> print_term fmt (Tconst c)
  | Sabsurd _ -> fprintf fmt ""
  | Sany _ -> fprintf fmt ""
  | Spost (e,_q,Transparent) -> fprintf fmt "@[%a@ {...}@]" print_ptree e
  | Spost (e,_q,Opaque) -> fprintf fmt "@[%a@ {{...}}@]" print_ptree e
  | Sassert (`ASSERT,_p,e) -> fprintf fmt "@[{...}@ %a@]" print_ptree e
  | Sassert (`CHECK,_p,e) -> fprintf fmt "@[{{...}}@ %a@]" print_ptree e
  | Slabel (l,e) -> fprintf fmt "@[%s: %a@]" l print_ptree e

and print_phandler fmt = function
  | (x, None), e -> 
      fprintf fmt "| %a => %a" Ident.print x print_ptree e
  | (x, Some y), e -> 
      fprintf fmt "| %a %a => %a" Ident.print x Ident.print y print_ptree e

let print_external fmt b = if b then fprintf fmt "external "

let str_of_goal_kind = function
  | KAxiom -> "axiom"
  | KLemma -> "lemma"
  | KGoal -> "goal"

let print_decl fmt = function
  | Include (_,s) -> fprintf fmt "include \"%S\"" s 
  | Program (_,id, p) -> fprintf fmt "let %a = %a" Ident.print id print_ptree p
  | Parameter (_, e, _ids, _v) -> 
      fprintf fmt "%aparameter <...>" print_external e
  | Exception (_, id, _pto) -> fprintf fmt "exception %a <...>" Ident.print id
  | Logic (_, e, ids, _lt) -> 
      fprintf fmt "%alogic %a : <...>" print_external e 
	(print_list comma Ident.print) ids
  | Goal (_, k, id, _p) ->
      fprintf fmt "%s %a : <...>" (str_of_goal_kind k) Ident.print id
  | Predicate_def (_, id, _, _) ->
      fprintf fmt "predicate %a <...>" Ident.print id
  | Inductive_def (_, id, _, _) ->
      fprintf fmt "inductive %a <...>" Ident.print id
  | Function_def (_, id, _, _, _) ->
      fprintf fmt "function %a <...>" Ident.print id
  | TypeDecl (_, e, _, id) ->
      fprintf fmt "%atype %a" print_external e Ident.print id
  | AlgType ls ->
      List.iter (fun (_, _, id, _) ->
        fprintf fmt "type %a" Ident.print id) ls

let print_pfile = print_list newline print_decl


(*s explanation *)

let program_locs = Hashtbl.create 17

let read_in_file f l b e = 
  let ch = open_in f in
  for i = 2 to l do
    ignore (input_line ch)
  done;
  for i = 1 to b do
    ignore (input_char ch)
  done;
  let buf = Buffer.create 17 in
  for i = b to e-1 do
    Buffer.add_char buf (input_char ch)
  done;
  Buffer.contents buf
 

let loc_of_label n =
  let (f,l,b,e,_) = Hashtbl.find locs_table n in
  (f,l,b,e)
    
let reloc_xpl_term (loc,t) = 
  match t with
    | Tnamed(User n,_p) ->     
	begin
	  try loc_of_label n
	  with Not_found -> Loc.extract loc
	end
    | _ -> Loc.extract loc

let reloc_xpl (loc,p) = 
  match p with
    | Pnamed(User n,_p) -> 
	begin
	  try loc_of_label n
	  with Not_found -> Loc.extract loc
	end
    | _ -> Loc.extract loc

let dummy_reloc = Loc.dummy_floc

(* [cook_loop_invariant internal_lab userlab] checks whether the loop invariant
   labelled with [userlab] is associated to a formula in the locs file
   given on the command line. If yes, the formula is returned as a
   string, followed by the location in the source file where the loop
   is.
*)
let cook_loop_invariant _internal_lab (userlab : string option) p =
  match userlab with
    | None -> "", reloc_xpl p
    | Some lab ->
	try 
	  let (f,l,b,e,o) = Hashtbl.find locs_table lab in
	  try
	    let k = 
	      match List.assoc "formula" o with
		| Rc.RCident s | Rc.RCstring s -> s
		| _ -> raise Not_found		  
	    in
	    if debug then eprintf "Util: formula for '%s' is '%s'@." lab k;
	    k, (f,l,b,e)
	  with Not_found ->
	    if debug then eprintf "Util: cannot find a formula for '%s'@." lab;
	    "", (f,l,b,e)
	with Not_found -> 
	  if debug then eprintf "Util: cannot find a loc for '%s'@." lab;
	  "", reloc_xpl p

(* [cook_explanation userlab raw_exp] processes the raw explanation
   [raw_exp] for the formula labelled [userlab] generated by the WP
   calculus. 

   Location(s) of [raw_exp] refers to the Why file.  A better
   explanation is cooked, depending on the locs file given on the
   command line and the [userlab]: it is check
   whether this label is present in the locs file, and if it is the
   case, replaces the location in [raw_exp] by the location given
   there, and also if a precise kind of VC is given, produces a
   refined explanation.
*)
let cook_explanation (userlab : string option) e =
  let e,l, maylab =
    match e with
      | VCEexternal s -> EKOther s, dummy_reloc, None
      | VCEabsurd -> EKAbsurd, dummy_reloc, None
      | VCEassert (k,p) -> 
          (match k with 
            | `ASSERT -> EKAssert
            | `CHECK -> EKCheck), (reloc_xpl (List.hd p)), None
      | VCEpre(lab,loc,_p) -> 
	  begin
	    if debug then eprintf "Util.cook_explanation: label,loc for pre = %s,%a@." lab
	      Loc.gen_report_position loc;
	    try 
	      let (f,l,b,e,o) = Hashtbl.find locs_table lab in
	      try
		let k = 
		  match List.assoc "kind" o with
		    | Rc.RCident s | Rc.RCstring s -> s
		    | _ -> raise Not_found		  
		in
		if debug then eprintf "Util: kind for '%s' is '%s'@." lab k;
		EKPre k, (f,l,b,e), Some lab
	      with Not_found ->
		if debug then eprintf "Util: cannot find a kind for '%s'@." lab;
		EKPre "", (f,l,b,e), Some lab
	    with Not_found -> 
	      if debug then eprintf "Util: cannot find a loc for '%s'@." lab;
	      EKPre "", Loc.extract loc, Some lab
	  end

      | VCEpost p -> EKPost, (reloc_xpl p), None
      | VCEwfrel -> EKWfRel, dummy_reloc, None
      | VCEvardecr p -> EKVarDecr, (reloc_xpl_term p), None
      | VCEinvinit(internal_lab,p) -> 
	  let s,loc  = cook_loop_invariant internal_lab userlab p in
	  EKLoopInvInit s, loc, None
      | VCEinvpreserv(internal_lab,p) -> 
	  let s,loc  = cook_loop_invariant internal_lab userlab p in
	  EKLoopInvPreserv s, loc, None
  in
  let new_lab = if userlab = None then maylab else userlab in
  match e with
    | EKPre _ -> 
	(* for pre-conditions, we want to focus on the call, not an the formula to prove *)
	e,l, new_lab
    | _ -> e, 
	(match new_lab with
	  | None -> l
	  | Some lab -> 
	      try loc_of_label lab with Not_found -> 
		if debug then
		  eprintf "Warning: no loc found for user label %s@." lab;
		l),
         new_lab

    
let explanation_table = Hashtbl.create 97
let explanation_counter = ref 0

let reg_explanation e =
  incr explanation_counter;
  let id = !explanation_counter in
  if debug then Format.eprintf "registering internal explanation '%d'@." id;
  Hashtbl.add explanation_table id e;
  Internal id

(*
let print_loc_predicate fmt (loc,p) =
  match p with
    | Pnamed(User s,p) -> 
	begin
	  try 
	    let (f,l,b,e,o) = Hashtbl.find locs_table s in
	    let s = read_in_file f l b e in
	    fprintf fmt "(relocated from %a) %s"
	      Loc.gen_report_line (f,l,b,e) s 
	  with Not_found ->
	    fprintf fmt "(named %s) %a" s print_predicate p
	end
    | _ -> 
	fprintf fmt "(located %a) %a" 
	  Loc.gen_report_position loc print_predicate p
*)
  
let print_decl fmt = function
  | Dtype (_, s, _) ->
      fprintf fmt "type %s" (Ident.string s)
  | Dalgtype ls ->
      print_list newline (fun fmt (_, s, _) ->
        fprintf fmt "type %s" (Ident.string s)) fmt ls
  | Dlogic (_, _s, log_type_sch) -> 
      fprintf fmt "logic %a" print_logic_type log_type_sch.Env.scheme_type
  | Dpredicate_def (_, s, pred_def_sch) ->
      let (args, pred) = pred_def_sch.Env.scheme_type in
      fprintf fmt "defpred %s (%a) = %a" (Ident.string s)
	(print_list comma (fun fmt t -> print_pure_type fmt (snd t))) args
	print_predicate pred
  | Dinductive_def _ -> assert false (* TODO *)
  | Dfunction_def (_, s, fun_def_sch) ->
      let (args, rt, exp) = fun_def_sch.Env.scheme_type in
      fprintf fmt "deffun %s (%a) : %a = %a" (Ident.string s)
	(print_list comma (fun fmt t -> print_pure_type fmt (snd t))) args
	print_pure_type rt
	print_term exp
  | Daxiom (_, s, pred_sch) ->
      fprintf fmt "axiom %s : %a" s 
	print_predicate pred_sch.Env.scheme_type
  | Dgoal (_loc, is_lemma, expl, s, seq_sch) -> 
      let (cel, pred) = seq_sch.Env.scheme_type in
      fprintf fmt "%s %s (%a) : %a" 
	(if is_lemma then "lemma" else "goal") s
	(print_list comma 
	   (fun fmt t -> match t with 
	     Cc.Svar (id, pt) -> 
	       fprintf fmt "%a : %a" Ident.print id print_pure_type pt
	   | Cc.Spred (id, pred) -> 
	       fprintf fmt "%a <=> %a" Ident.print id print_predicate pred)) cel
	print_predicate pred;
      fprintf fmt "(* %a *)@\n" (fun fmt -> Explain.print fmt) ((*loc,*)expl)

(* debug *)

(**
let () = 
  Env.dump_type_var := 
    (fun v -> eprintf "@[type_var %d = %a@]@." v.tag print_pure_type (PTvar v))
**)
why-2.34/src/why3_kw.ml0000644000175000017500000000656312311670312013343 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

let is_why3_keyword =
  let ht = Hashtbl.create 43 in
  List.iter (fun kw -> Hashtbl.add ht kw ())
    [
        "as";
        "axiom";
        "clone";
        "else";
        "end";
        "epsilon";
        "exists";
        "export";
        "false";
        "forall";
        "function";
        "goal";
        "if";
        "import";
        "in";
        "inductive";
        "lemma";
        "let";
        "match";
        "meta";
        "namespace";
        "not";
        "predicate";
        "prop";
        "then";
        "theory";
        "true";
        "type";
        "use";
        "with";
        "abstract";
        "absurd";
        "any";
        "assert";
        "assume";
        "begin";
        "check";
        "do";
        "done";
        "downto";
        "exception";
        "for";
        "fun";
        "invariant";
        "label";
        "loop";
        "model";
        "module";
        "mutable";
        "raise";
        "raises";
        "reads";
        "rec";
        "to";
        "try";
        "val";
        "variant";
        "while";
        "writes";
    ];
  Hashtbl.mem ht

why-2.34/src/options.ml0000644000175000017500000007501312311670312013437 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format


(*s Local refs to set the options *)

let verbose_ = ref false
let debug_ = ref false
let parse_only_ = ref false
let type_only_ = ref false
let wp_only_ = ref false
let valid_ = ref false
let coq_tactic_ = ref None
let coq_preamble_ = ref None
let coq_use_dp = ref true
let pvs_preamble_ = ref None
let mizar_environ_ = ref None
let isabelle_base_theory_ = ref "Main"
let no_simplify_prelude_ = ref false
let simplify_triggers_ = ref false
let no_cvcl_prelude_ = ref false
let no_harvey_prelude_ = ref false
let no_zenon_prelude_ = ref false
let werror_ = ref false
let dir_ = ref ""
let fast_wp_ = ref false
let white_ = ref false
let black_ = ref true
let wbb_ = ref false
let split_user_conj_ = ref false
let split_bool_op_ = ref false
let lvlmax_ = ref max_int
let all_vc_ = ref false
let eval_goals_ = ref false
let pruning_ = ref false
let pruning_hyp_v_ = {contents = -1}
let pruning_hyp_p_ = {contents = -1}
(* Heuristiques en test *)
let pruning_hyp_CompInGraph_ = ref false
let pruning_hyp_CompInFiltering_ = ref false
let pruning_hyp_LinkVarsQuantif_ = ref false
let pruning_hyp_keep_single_comparison_representation_ = ref false
let pruning_hyp_comparison_eqOnly_ = ref false
let pruning_hyp_suffixed_comparison_ = ref false
let pruning_hyp_equalities_linked_ = ref false
let pruning_hyp_arithmetic_tactic_ = ref false
let pruning_hyp_var_tactic_ = ref 0
let pruning_hyp_polarized_preds_ = ref false
let prune_context_ = ref false
let prune_coarse_pred_comp_ = ref false
let prune_get_depths_ = ref false
let pruning_hyp_considere_arith_comparison_as_special_predicate_ = ref true
(* FIN de Heuristiques en test *)
(*
let modulo_ = ref false
*)

let phantom_types = Hashtbl.create 17

let lib_files_to_load_ = ref []
let no_pervasives = ref false
let files_to_load_ = ref []
let show_time_ = ref false
let locs_files = ref []
let default_locs = ref false
let delete_old_vcs = ref false
let explain_vc = ref false
let locs_table = Hashtbl.create 97

type encoding =
  | NoEncoding | Predicates | Stratified | Recursive | Monomorph
  | SortedStratified | MonoInst

type expanding = All | Goal | NoExpanding


let types_encoding_ = ref NoEncoding (* ne pas changer svp! *)
(* let types_encoding_ = ref Stratified *)

type monoinstWorldGen =
  | MonoinstSorted
  | MonoinstBuiltin
  | MonoinstGoal
  | MonoinstPremises

let monoinstworldgen = ref MonoinstGoal
let monoinstoutput_world = ref false
let monoinstonlymem = ref false
let monoinstnounit = ref false
let monoinstonlyconst = ref false

let defExpanding_ = ref NoExpanding

type termination = UseVariant | Partial | Total
let termination_ = ref UseVariant

let ocaml_ = ref false
let ocaml_annot_ = ref false
let ocaml_externals_ = ref false
let output_ = ref None
let wol_ = ref false

let c_file = ref false

type coq_version = V7 | V8 | V81
let coq_version =
  match Version.coqversion with "v8" -> V8 | "v8.1" -> V81 | _ -> V7

type prover =
  | Coq of coq_version | Pvs | HolLight | Mizar | Harvey | Simplify | CVCLite
  | SmtLib | Isabelle | Hol4 | Gappa | Zenon | Z3 | Vampire
  | Ergo | Why | MultiWhy | MultiAltergo | Why3 | Dispatcher | WhyProject

let prover_ = ref (Coq coq_version)

(*s extracting the Mizar environ from a file *)

let environ_re = Str.regexp "[ ]*environ\\([ \t]\\|$\\)"
let begin_re = Str.regexp "[ ]*begin[ \n]"
let mizar_environ_from f =
  let buf = Buffer.create 1024 in
  let c = open_in f in
  let rec look_for_environ () =
    let s = input_line c in
    if Str.string_match environ_re s 0 then
      read_environ ()
    else
      look_for_environ ()
  and read_environ () =
    let s = input_line c in
    if Str.string_match begin_re s 0 then raise Exit;
    Buffer.add_string buf s;
    Buffer.add_char buf '\n';
    read_environ ()
  in
  try
    look_for_environ ()
  with End_of_file | Exit ->
    close_in c;
    Buffer.contents buf

(*s GUI settings *)

(* Are we the GUI? (set in intf/stat.ml) *)
let gui = ref false

(* GUI project (set in src/main.ml) *)
let gui_project = ref None


(*s Parsing the command-line *)

let copying () =
  eprintf "\
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2, as
published by the Free Software Foundation.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

See the GNU General Public License version 2 for more details
(enclosed in the file GPL).
";
  flush stderr

let banner () =
  eprintf "\
This is why version %s, compiled on %s
Copyright (c) 2002-2014 CNRS/INRIA/Univ Paris-Sud
This is free software with ABSOLUTELY NO WARRANTY (use option -warranty)
" Version.version Version.date;
  flush stderr

let usage () =
  eprintf "\
Usage: why [options] [files...]

If no file is given, the source is read on standard input and
output is written in file `out...'

Generic Options:
  -h, --help     prints this message
  -V, --verbose  verbose mode
  -q, --quiet    quiet mode (default)
  -d, --debug    debugging mode (implies verbose mode)
  --werror       treat warnings as errors
  -v, --version  prints version and exits
  --warranty     prints license and exits
  --where        prints library path and exits
  --show-time    prints execution time

Typing/Annotations/VCG options:
  -p,  --parse-only  exits after parsing
  -tc, --type-only   exits after type-checking
  -wp, --wp-only     exits after annotation
  --fast-wp          use WP quadratic algorithm
  --white            white boxes: WP calculus enters pure expressions
  --black            black boxes: WP calculus does not enter pure expressions
  --wbb              while loops as black boxes (careful: incomplete WP)
  --split-user-conj  splits also user conjunctions in goals
  --split-bool-op    splits VCs for boolean operations &&, || and not
  --split n          splits conditions into several pieces up to n levels
  --partial          partial correctness
  --total            total correctness
  --explain          outputs explanations for VCs in file.xpl
  --locs f           reads source locations from file f
  --default-locs     reads source locations from file basename.loc
  --delete-old-vcs   delete files that originate from a previous call to Why on
                     the same file; active only when option --multi-why or
                     --multi-altergo is given
  --phantom    declare  as a phantom type

VC transformation options:
  --all-vc           outputs all verification conditions (no auto discharge)
  --eval-goals       evaluate constant expressions in goals
  --prune-theory     prunes the theory
  --prune-hyp P V    prunes the hypotheses according to the depths P and V
  --exp all          expands the predicate definitions in both theory and goal
  --exp goal         expands the predicate definitions only in goal

Heuristics UNDER TEST of pruning (needs --prun-hyp to be used) :
  --prune-with-comp            uses comparisons as predicates
  --prune-without-arith        does not considere as particular predicates
  --prune-with-comp-filter     as previous and uses also comparisons as filters
  --prune-keep-local-links     insert quantified variables in variables graph
  --prune-comp-single-encoding do not inverse negative comparisons
  --prune-eq-only              consider only equality comparison as a predicate
  --prune-suffixed-comp        suffixes comparison predicates
  --prune-link-eqs             link each suffixed equalitie to the unsuffixed
  --prune-arith-tactic         statically link arithmetic operators (=, < & <=)
  --prune-vars-filter T        T in {All, One-var, One-branch, Split-hyps, CNF}
  --prune-polarized-preds      Consider polarity on predicates
  --prune-context              Filter axioms with Pred depth
  --prune-coarse-pred-comp     abstract weights in predicate predecessors
  --prune-get-depths           get minimum depths to reach reachable vars/preds

Prelude files:
  --lib-file f   load file f from the library

Encoding for types in untyped logic:
  --encoding none    does not encode types into terms for untyped provers
  --encoding pred    encodes types with predicates
  --encoding strat   encodes types into terms
  --encoding rec     encodes types with typing axioms
  --encoding mono    encodes types using monomorphisation
  --encoding sstrat  encodes types using some types  + strat
  --encoding monoinst  encodes types using some types  + monomorphisation

Prover selection:
  --alt-ergo  selects Alt-Ergo prover
  --coq       selects COQ prover (default)
  --cvcl      selects CVC Lite prover
  --gappa     selects the Gappa prover
  --harvey    selects haRVey prover
  --hol-light selects HOL Light prover
  --hol4      selects HOL4 prover
  --isabelle  selects Isabelle prover
  --mizar     selects Mizar prover
  --pvs       selects PVS prover
  --simplify  selects Simplify prover
  --smtlib    selects the SMT-LIB format
  --z3        selects the Z3 prover (native syntax)
  --zenon     selects the Zenon prover
 or generic Why outputs formats:
  --why       selects the Why pretty-printer
  --why3       selects the Why3 pretty-printer
  --multi-why selects the Why pretty-printer, with one file per goal
  --multi-altergo selects the Alt-Ergo pretty-printer, with one file per goal
  --project   selects the Why project format, with one file per goal

Coq-specific options:
  --valid,
  --no-valid  set/unset the functional validation (default is no)
  --coq-tactic 
              gives a default tactic for new proof obligations
  --coq-preamble 
              gives some Coq preamble to be substituted to \"Require Why\"
  --coq-fp-model 
              sets the Coq model for floating-point arithmetic
  --coq-use-dp
  --no-coq-use-dp
              tells Coq to generate or not Dp_hint annotations to use external
              provers. Doesn't have any effect for Coq version < 8.1 (no 
              external provers support). Default is yes.

Monoinst-specific options
  --monoinstworldgen 

PVS-specific options:
  --pvs-preamble 
              gives some PVS preamble to be substituted to \"importing why@@why\"

Simplify-specific options:
  --no-simplify-prelude
              suppress the Simplify prelude (BG_PUSHs for Why's symbols)
  --simplify-triggers
	      pass user-defined triggers when writing Simplify output

Zenon-specific options:
  --no-zenon-prelude
              suppress the Zenon prelude

Mizar-specific options:
  --mizar-environ 
              sets the Mizar `environ'
  --mizar-environ-from 
              gets Mizar `environ' from 

Isabelle/HOL-specific options:
  --isabelle-base-theory 
              sets the Isabelle/HOL base theory

Gappa options:
  --gappa-rnd 
              sets the Gappa rounding mode (e.g. float)

Misc options:
  --ocaml        Ocaml code output
  --ocaml-annot  Show all annotations in ocaml code
  --ocaml-ext    Consider \"external\"s as parameters in ocaml code
  --output f     Redirect output to file f ( - for stdout)
  --dir d        Output files in directory d
  --int-is-ident
                 Consider `int' as a normal identifier, and use
                 built-in name `integer' instead for integers
";
  flush stderr

(*

SMT-lib-specific options:
  --modulo           uses %% in SMT-lib output (instead of uninterpreted symb)
*)


let files =
  let filesq = ref [] in
  let rec parse = function
    | [] -> List.rev !filesq
    | ("-h" | "-help" | "--help") :: _ -> usage (); exit 0
    | ("-alt-ergo" | "--alt-ergo") :: args -> prover_ := Ergo; parse args
    | ("-pvs" | "--pvs") :: args -> prover_ := Pvs; parse args
    | ("-coq-v7" | "--coq-v7") :: args -> prover_ := Coq V7; parse args
    | ("-coq-v8" | "--coq-v8") :: args -> prover_ := Coq V8; parse args
    | ("-coq-v81" | "--coq-v81" | "--coq-v8.1") :: args -> prover_ := Coq V81; parse args
    | ("-coq" | "--coq") :: args -> prover_ := Coq coq_version; parse args
    | ("-hol-light" | "--hol-light") :: args -> prover_ := HolLight; parse args
    | ("-mizar" | "--mizar") :: args -> prover_ := Mizar; parse args
    | ("-harvey" | "--harvey") :: args -> prover_ := Harvey; parse args
    | ("-simplify" | "--simplify") :: args -> prover_ := Simplify; parse args
    | ("-vampire" | "--vampire") :: args -> prover_ := Vampire; parse args
    | ("-isabelle" | "--isabelle") :: args -> prover_ := Isabelle; parse args
    | ("-hol4" | "--hol4") :: args -> prover_ := Hol4; parse args
    | ("-cvcl" | "--cvcl") :: args -> prover_ := CVCLite; parse args
    | ("-smtlib" | "--smtlib") :: args -> prover_ := SmtLib; parse args
    | ("-z3" | "--z3") :: args -> prover_ := Z3; parse args
    | ("-zenon" | "--zenon") :: args -> prover_ := Zenon; parse args
    | ("-why" | "--why") :: args -> prover_ := Why; parse args
    | ("-why3" | "--why3") :: args -> prover_ := Why3; parse args
    | ("-multi-why" | "--multi-why") :: args -> prover_ := MultiWhy; parse args
    | ("-multi-altergo" | "--multi-altergo") :: args ->
          prover_ := MultiAltergo; parse args
    | ("-project" | "--project") :: args -> prover_ := WhyProject; parse args
    | ("-gappa" | "--gappa") :: args -> prover_ := Gappa; parse args
    | ("-show-time" | "--show-time") :: args -> show_time_ := true; parse args
    | ("-no-prelude" | "--no-prelude" | "-no-arrays" | "--no-arrays"
      | "-fp" | "--fp" as o) :: _ ->
	Printf.eprintf "%s: deprecated\n" o; exit 1
    | "--no-pervasives" :: args ->
	no_pervasives := true; parse args
    | ("-lib-file" | "--lib-file") :: f :: args ->
	lib_files_to_load_ := f :: !lib_files_to_load_; parse args
    | ("-lib-file" | "--lib-file") :: [] -> usage (); exit 1
    | ("-load-file" | "--load-file") :: f :: args ->
	files_to_load_ := f :: !files_to_load_; parse args
    | ("-load-file" | "--load-file") :: [] -> usage (); exit 1
    | ("-d"|"--debug") :: args -> verbose_ := true; debug_ := true; parse args
    | ("-p" | "--parse-only") :: args -> parse_only_ := true; parse args
    | ("-tc" | "--type-only") :: args -> type_only_ := true; parse args
    | ("-wp" | "--wp-only") :: args -> wp_only_ := true; parse args
    | ("-q" | "--quiet") :: args -> verbose_ := false; parse args
    | ("-v" | "-version" | "--version") :: _ -> banner (); exit 0
    | ("-warranty" | "--warranty") :: _ -> copying (); exit 0
    | ("-where" | "--where") :: _ -> printf "%s\n" Version.libdir; exit 0
    | ("-V" | "--verbose") :: args -> verbose_ := true; parse args
    | ("-valid" | "--valid") :: args -> valid_ := true; parse args
    | ("-novalid" | "--no-valid") :: args -> valid_ := false; parse args
    | ("-coqtactic" | "--coqtactic" | "-coq-tactic" | "--coq-tactic")
      :: s :: args -> coq_tactic_ := Some s; parse args
    | ("-coq-use-dp" | "--coq-use-dp") :: args -> coq_use_dp := true; parse args
    | ("-no-coq-use-dp" | "--no-coq-use-dp") :: args -> 
      coq_use_dp := false; parse args
    | ("-coqtactic" | "--coqtactic" | "-coq-tactic" | "--coq-tactic") :: [] ->
	usage (); exit 1
    | ("-coqpreamble" | "--coqpreamble" | "-coq-preamble" | "--coq-preamble")
      :: s :: args -> coq_preamble_ := Some s; parse args
    | ("-coqpreamble"|"--coqpreamble"|"-coq-preamble"|"--coq-preamble")::[] ->
	usage (); exit 1
    | ("-pvspreamble" | "--pvspreamble" | "-pvs-preamble" | "--pvs-preamble")
      :: s :: args -> pvs_preamble_ := Some s; parse args
    | ("-pvspreamble"|"--pvspreamble"|"-pvs-preamble"|"--pvs-preamble")::[] ->
	usage (); exit 1
    | ("-mizarenviron" | "--mizarenviron" |
       "-mizar-environ" | "--mizar-environ")
      :: s :: args -> mizar_environ_ := Some s; parse args
    | ("-mizarenviron" | "--mizarenviron" |
       "-mizar-environ"|"--mizar-environ") :: [] ->
	usage (); exit 1
    | ("-mizarenvironfrom" | "--mizarenvironfrom" |
       "-mizar-environ-from" | "--mizar-environ-from")
      :: f :: args -> mizar_environ_ := Some (mizar_environ_from f); parse args
    | ("-mizarenvironfrom" | "--mizarenvironfrom" |
       "-mizar-environ-from"|"--mizar-environ-from") :: [] ->
	usage (); exit 1
    | ("-isabelle-base-theory" | "--isabelle-base-theory")
      :: s :: args -> isabelle_base_theory_ := s; parse args
    | ("-isabelle-base-theory" | "--isabelle-base-theory")::[] ->
	usage (); exit 1
    | ("--no-simplify-prelude" | "-no-simplify-prelude") :: args ->
	no_simplify_prelude_ := true; parse args
    | ("--simplify-triggers" | "-simplify-triggers") :: args ->
	simplify_triggers_ := true; parse args
    | ("--no-cvcl-prelude" | "-no-cvcl-prelude") :: args ->
	no_cvcl_prelude_ := true; parse args
    | ("--no-harvey-prelude" | "-no-harvey-prelude") :: args ->
	no_harvey_prelude_ := true; parse args
    | ("--no-zenon-prelude" | "-no-zenon-prelude") :: args ->
	no_zenon_prelude_ := true; parse args
    | ("--ocaml" | "-ocaml") :: args -> ocaml_ := true; parse args
    | ("--ocaml-annot" | "-ocaml-annot") :: args ->
	ocaml_annot_ := true; parse args
    | ("--ocaml-ext" | "-ocaml-ext") :: args ->
	ocaml_externals_ := true; parse args
    | ("-o" | "-output" | "--output") :: f :: args ->
	output_ := Some f; parse args
    | ("-o" | "-output" | "--output") :: [] ->
	usage (); exit 1
    | ("--wol") :: args ->
	wol_ := true; parse args
    | ("-werror" | "--werror") :: args ->
	werror_ := true; parse args
    | ("-dir" | "--dir") :: d :: args ->
	dir_ := d; parse args
    | ("-dir" | "--dir") :: [] ->
	usage (); exit 1
    | ("-fast-wp" | "--fast-wp") :: args ->
	fast_wp_ := true; parse args
    | ("-white" | "--white") :: args ->
	white_ := true; black_ := false; parse args
    | ("-black" | "--black") :: args ->
	black_ := true; white_ := false; parse args
    | ("-wbb" | "--wbb") :: args ->
        wbb_ := true; parse args
    | ("-split-user-conj" | "--split-user-conj") :: args ->
	split_user_conj_ := true; parse args
    | ("-split-bool-op" | "--split-bool-op") :: args ->
	split_bool_op_ := true; parse args
    | ("-split" | "--split") :: n :: args ->
	begin try lvlmax_ := int_of_string n with _ -> usage (); exit 1 end;
	parse args
    | ("-split" | "--split") :: [] ->
	usage (); exit 1
    | ("-all-vc" | "--all-vc" | "--allvc") :: args ->
	all_vc_ := true; parse args
    | ("-partial" | "--partial") :: args ->
	termination_ := Partial; parse args
    | ("-total" | "--total") :: args ->
	termination_ := Total; parse args
    | ("--eval-goals" | "-eval-goals") :: args ->
	 eval_goals_ := true ; parse args
    | ("--prune-theory" | "-prune-theory") :: args ->
	 pruning_ := true ; parse args
    | ("--prune-hyp" | "-prune-hyp"):: tp :: tv :: args ->
	pruning_hyp_p_ := int_of_string tp ;
	pruning_hyp_v_ := int_of_string tv ;
	parse args
(* Heuristiques en test *)
    | ("--prune-with-comp" | "-prune-with-comp"):: args ->
	pruning_hyp_CompInGraph_ := true ;
	parse args
    | ("--prune-with-comp-filter" | "-prune-with-comp-filter"):: args ->
	pruning_hyp_CompInGraph_ := true ;
	pruning_hyp_CompInFiltering_ := true ;
	parse args
    | ("--prune-keep-local-links" | "-prune-keep-local-links"):: args ->
	pruning_hyp_LinkVarsQuantif_ := true ;
	parse args
    | ("--prune-comp-single-encoding" | "-prune-comp-single-encoding"):: args ->
	pruning_hyp_keep_single_comparison_representation_ := true ;
	parse args
    | ("--prune-eq-only" | "-prune-eq-only"):: args ->
	pruning_hyp_CompInGraph_ := true ;
	pruning_hyp_comparison_eqOnly_ := true ;
	parse args
    | ("--prune-suffixed-comp" | "-prune-suffixed-comp"):: args ->
	pruning_hyp_CompInGraph_ := true ;
	pruning_hyp_suffixed_comparison_ := true ;
	parse args
    | ("--prune-link-eqs" | "-prune-link-eqs"):: args ->
	pruning_hyp_CompInGraph_ := true ;
	pruning_hyp_suffixed_comparison_ := true ;
	pruning_hyp_equalities_linked_ := true ;
	parse args
    | ("--prune-arith-tactic" | "-prune-arith-tactic"):: args ->
	pruning_hyp_CompInGraph_ := true ;
	pruning_hyp_arithmetic_tactic_ := true ;
	parse args

    | ("--prune-vars-filter" | "-prune-vars-filter"):: t :: args ->
	(match t with
	  "All" -> pruning_hyp_var_tactic_:=0; parse args
	| "One-var" -> pruning_hyp_var_tactic_:=1; parse args
	| "One-branch" -> pruning_hyp_var_tactic_:=2; parse args
	| "Split-hyps" -> pruning_hyp_var_tactic_:=3; parse args
	| "CNF" ->  pruning_hyp_var_tactic_:=4; parse args
	| _ -> usage (); exit 1);

    | ("--prune-polarized-preds" | "-prune-polarized-preds"):: args ->
	pruning_hyp_polarized_preds_ := true ; parse args

    | ("--prune-context" | "-prune-context") :: args ->
	prune_context_ := true ; parse args
    | ("--prune-coarse-pred-comp" | "-prune-coarse-pred-comp") :: args ->
	prune_coarse_pred_comp_ := true ; parse args

    | ("--prune-get-depths" | "-prune-get-depths") :: args ->
	prune_get_depths_ := true ; parse args

    | ("--prune-without-arith" | "-prune-without-arith") :: args ->
	pruning_hyp_considere_arith_comparison_as_special_predicate_ := false ; parse args
(* FIN de Heuristiques en test *)

(*
    | ("-modulo" | "--modulo") :: args ->
	 modulo_ := true ; parse args
*)
    | ("-exp" | "--exp") :: s :: args ->
	(match s with
	     "goal" -> defExpanding_ := Goal
	   | "all"  -> defExpanding_:= All
	   | _ -> usage (); exit 1);
	parse args
    | ("-encoding" | "--encoding") :: s :: args ->
	(match s with
	  "none" -> types_encoding_ := NoEncoding
	| "pred" -> types_encoding_ := Predicates
	| "strat" -> types_encoding_ := Stratified
	| "rec" -> types_encoding_ := Recursive
	| "mono" -> types_encoding_ := Monomorph
	| "sstrat" -> types_encoding_ := SortedStratified
	| "monoinst" -> types_encoding_ := MonoInst
	| _ -> usage (); exit 1);
	parse args
    | ("-monoinstworldgen" | "--monoinstworldgen") :: s :: args ->
	(match s with
	  "sorted" -> monoinstworldgen := MonoinstSorted
	| "builtin" -> monoinstworldgen := MonoinstBuiltin
	| "goal" -> monoinstworldgen := MonoinstGoal
        | "premises" -> monoinstworldgen := MonoinstPremises
	| _ -> usage (); exit 1);
        types_encoding_ := MonoInst;
	parse args
    | ("-monoinstoutput_world" | "--monoinstoutput_world")::args ->
        monoinstoutput_world := true;
        types_encoding_ := MonoInst;
        parse args
    | ("-monoinstonlymem" | "--monoinstonlymem")::args ->
        monoinstonlymem := true;
        monoinstonlyconst := false;
        parse args
    | ("-monoinstnounit" | "--monoinstnounit")::args ->
        (*monoinstnounit := true;*)
        parse args
    | ("-monoinstonlyconst" | "--monoinstonlyconst")::args ->
        monoinstonlyconst := true;
        monoinstonlymem := false;
        parse args
    | ("-explain" | "--explain") :: args ->
	explain_vc := true; parse args
    | ("-locs" | "--locs") :: s :: args ->
	locs_files := s :: !locs_files;
	parse args
    | ("-default-locs" | "--default-locs" ) :: args ->
          default_locs := true;
          parse args
    | ("-delete-old-vcs" | "--delete-old-vcs" ) :: args ->
          delete_old_vcs := true;
          parse args
    | ("-phantom" | "--phantom") :: s :: args ->
	Hashtbl.add phantom_types s ();
	parse args
    | f :: args ->
	filesq := f :: !filesq; parse args
  in
  parse (List.tl (Array.to_list Sys.argv))

(*s Finally, we dereference all the refs *)

let verbose = !verbose_
let debug = !debug_
let parse_only = !parse_only_
let type_only = !type_only_
let wp_only = !wp_only_
let prover (* ?(ignore_gui=false) *) () =
  if (* not ignore_gui &&*) !gui then Dispatcher else !prover_
let delete_old_vcs =
   !delete_old_vcs && (let p = prover () in p = MultiWhy || p = MultiAltergo)
let valid = !valid_
let coq_tactic = !coq_tactic_
let coq_preamble = match !coq_preamble_ with
  | None when prover () = Coq V7 -> "Require Why."
  | None -> "Require Export Why."
  | Some s -> s
let coq_use_dp = !coq_use_dp

let pvs_preamble = match !pvs_preamble_ with
  | None -> "IMPORTING why@why"
  | Some s -> s

let mizar_environ = !mizar_environ_
let isabelle_base_theory = !isabelle_base_theory_
let no_simplify_prelude = !no_simplify_prelude_
let simplify_triggers = !simplify_triggers_
let no_cvcl_prelude = !no_cvcl_prelude_
let no_harvey_prelude = !no_harvey_prelude_
let no_zenon_prelude = !no_zenon_prelude_
let wol = !wol_
let werror = !werror_
let dir = !dir_
let fast_wp = !fast_wp_
let white = !white_
let black = !black_
let wbb = !wbb_
let split_user_conj = !split_user_conj_
let split_bool_op = !split_bool_op_
let lvlmax = !lvlmax_
let all_vc = !all_vc_
let termination = !termination_
let eval_goals = !eval_goals_
let pruning = !pruning_
let pruning_hyp_p = !pruning_hyp_p_
let pruning_hyp_v = !pruning_hyp_v_
(* Heuristiques en test *)
let pruning_hyp_CompInGraph = !pruning_hyp_CompInGraph_
let pruning_hyp_CompInFiltering = !pruning_hyp_CompInFiltering_
let pruning_hyp_LinkVarsQuantif = !pruning_hyp_LinkVarsQuantif_
let pruning_hyp_keep_single_comparison_representation = !pruning_hyp_keep_single_comparison_representation_
let pruning_hyp_comparison_eqOnly = !pruning_hyp_comparison_eqOnly_
let pruning_hyp_suffixed_comparison = !pruning_hyp_suffixed_comparison_
let pruning_hyp_equalities_linked = !pruning_hyp_equalities_linked_
let pruning_hyp_arithmetic_tactic = !pruning_hyp_arithmetic_tactic_
let pruning_hyp_var_tactic = !pruning_hyp_var_tactic_
let pruning_hyp_polarized_preds = !pruning_hyp_polarized_preds_
let prune_context = !prune_context_
let prune_coarse_pred_comp = !prune_coarse_pred_comp_
let prune_get_depths = !prune_get_depths_
let pruning_hyp_considere_arith_comparison_as_special_predicate= !pruning_hyp_considere_arith_comparison_as_special_predicate_
(* FIN de Heuristiques en test *)
(*
let modulo = !modulo_
*)

let defExpanding = !defExpanding_
let explain_vc = !explain_vc

(* encoding checks *)
let () =
  if (prover () = SmtLib || prover () = CVCLite || prover () = Z3) &&
     !types_encoding_ = NoEncoding
  then
    types_encoding_ := SortedStratified

let get_types_encoding () = !types_encoding_
let set_types_encoding ec = types_encoding_ := ec

let monoinstworldgen = !monoinstworldgen
let monoinstoutput_world = !monoinstoutput_world
let monoinstonlymem = !monoinstonlymem
let monoinstnounit = !monoinstnounit
let monoinstonlyconst = !monoinstonlyconst

let get_type_expanding () = !defExpanding_

let show_time = !show_time_

let file f =
  (*Format.printf "Options.file: dir = %s, f = %s@." dir f;*)
  if dir = "" then f else Lib.file ~dir ~file:f

let ocaml = !ocaml_
let ocaml_annot = !ocaml_annot_
let ocaml_externals = !ocaml_externals_

let out_file f = match !output_ with
  | None -> file f
  | Some "-" -> invalid_arg "I can't use stdout for that output";
  | Some f -> f

let open_out_file f = match !output_ with
  | Some "-" -> stdout
  | _ -> open_out (out_file f)
let close_out_file cout = match !output_ with
  | Some "-" -> ()
  | _ -> close_out cout
let out_file_exists f =
  match !output_ with
    | Some "-" -> false
    | _ -> Sys.file_exists (out_file f)

let if_verbose f x = if verbose then f x
let if_verbose_2 f x y = if verbose then f x y
let if_verbose_3 f x y z = if verbose then f x y z

let if_debug f x = if debug then f x
let if_debug_2 f x y = if debug then f x y
let if_debug_3 f x y z = if debug then f x y z

let () =
  if !default_locs then
    locs_files :=
       (List.map (fun s ->
          Filename.chop_extension s ^ ".loc" ) files) @ !locs_files;

  List.iter
    (fun f ->
       let l = Rc.from_file f in
       List.iter
	 (fun (id,fs) ->
	    let (f,l,b,e,o) =
	      List.fold_left
		(fun (f,l,b,e,o) v ->
		   match v with
		     | "file", Rc.RCstring f -> (f,l,b,e,o)
		     | "line", Rc.RCint l -> (f,l,b,e,o)
		     | "begin", Rc.RCint b -> (f,l,b,e,o)
		     | "end", Rc.RCint e -> (f,l,b,e,o)
		     | _ -> (f,l,b,e,v::o))
		("",0,0,0,[]) fs
	    in
	    Hashtbl.add locs_table id (f,l,b,e,o))
	 l)
    !locs_files

(* compatibility checks *)
let () = if prover () = Gappa && valid then begin
  Printf.eprintf "options -gappa and -valid are not compatible\n";
  exit 1
end
let () = if white && black then begin
  Printf.eprintf "options -white and -black are not compatible\n";
  exit 1
end

(* prelude *)

let lib_dir =
  try Sys.getenv "WHYLIB"
  with Not_found -> Version.libdir

let lib_file f = Filename.concat lib_dir (Filename.concat "why" f)

let prelude_file = lib_file "prelude.why"

let lib_files_to_load =
  (if !no_pervasives then [] else [prelude_file]) @
  List.rev_map lib_file !lib_files_to_load_ @
  List.rev !files_to_load_

let floats = List.mem "floats.why" !lib_files_to_load_

let () =
  if not (Sys.file_exists prelude_file) then begin
    Printf.eprintf "cannot find prelude file %s\n" prelude_file;
    begin
      try
	let s = Sys.getenv "WHYLIB" in
	Printf.eprintf "(WHYLIB is set to %s)\n" s
      with Not_found ->
	Printf.eprintf "(WHYLIB is not set, libdir is %s)\n" Version.libdir
    end;
    exit 1
  end

(*
Local Variables:
compile-command: "unset LANG; make -j -C .. bin/why.byte"
End:
*)
why-2.34/src/vcg.mli0000644000175000017500000000556412311670312012700 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*s Verification Conditions Generator. *)

open Types
open Logic
open Cc

(***
val vcg : 
  string -> (Loc.position * predicate) cc_term -> obligation list * validation
***)

val logs : Log.t ref
val log_print_function : (Format.formatter -> sequent -> unit) ref

(* obligations from the WP *)

val vcg_from_wp : 
  (* fun loc, fun ids fun name, fun behavior, wp *)
  Loc.floc -> string -> string -> string -> Ast.assertion -> Logic_decl.obligation list * proof

(* functions to be reused in module [Coq] *)

val annotated_if : Ident.t -> cc_binder list -> bool
val annotation_if : cc_binder list -> Ident.t * predicate

why-2.34/src/isabelle.ml0000644000175000017500000005036212311670312013524 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*s Isabelle/HOL output *)

open Ident
open Misc
open Error
open Logic
open Logic_decl
open Vcg
open Format
open Cc
open Pp

let is_isabelle_keyword =
  let ht = Hashtbl.create 300  in
  List.iter (fun kw -> Hashtbl.add ht kw ()) 
    ["also"; "apply"; "apply_end"; "arities"; "assume"; "automaton";
    "ax_specification"; "axclass"; "axioms"; "back"; "by"; "cannot_undo";
    "case"; "cd"; "chapter"; "classes"; "classrel"; "clear_undos"; 
    "code_library"; "code_module"; "coinductive"; "commit"; "constdefs";
    "consts"; "consts_code"; "context"; "corollary"; "cpodef"; "datatype";
    "declare"; "def"; "defaultsort"; "defer"; "defer_recdef"; "defs"; 
     "disable_pr"; "display_drafts"; "domain"; "done"; "enable_pr"; 
    "end"; "exit"; "extract"; "extract_type"; "finalconsts"; "finally"; 
    "find_theorems"; "fix"; "fixpat"; "fixrec"; "from"; "full_prf";
    "global"; "have"; "header"; "hence"; "hide"; "inductive"; "inductive_cases";
    "init_toplevel"; "instance"; "interpret"; "interpretation"; "judgment"; 
    "kill"; "kill_thy"; "lemma"; "lemmas"; "let"; "local"; "locale"; 
    "method_setup"; "moreover"; "next"; "no_syntax"; "nonterminals"; "note";
    "obtain"; "oops"; "oracle"; "parse_ast_translation"; "parse_translation";
    "pcpodef"; "pr"; "prefer"; "presume"; "pretty_setmargin"; "prf"; "primrec";
    "print_antiquotations"; "print_ast_translation"; "print_attributes";
    "print_binds"; "print_cases"; "print_claset"; "print_commands"; 
    "print_context"; "print_drafts"; "print_facts"; "print_induct_rules";
    "print_interps"; "print_locale"; "print_locales"; "print_methods";
    "print_rules"; "print_simpset"; "print_syntax"; "print_theorems"; 
    "print_theory"; "print_trans_rules"; "print_translation"; "proof";
    "prop"; "pwd"; "qed"; "quickcheck"; "quickcheck_params"; "quit"; 
    "realizability"; "realizers"; "recdef"; "recdef_tc"; "record"; "redo";
    "refute"; "refute_params"; "remove_thy"; "rep_datatype"; "sect";
    "section"; "setup"; "show"; "sorry"; "specification"; "subsect";
    "subsection"; "subsubsect"; "subsubsection"; "syntax"; "term"; "text";
    "text_raw"; "then"; "theorem"; "theorems"; "theory"; "thm"; "thm_deps";
    "thus"; "token_translation"; "touch_all_thys"; "touch_child_thys";
    "touch_thy"; "translations"; "txt"; "txt_raw"; "typ"; 
    "typed_print_translation";  "typedecl"; "typedef"; "types"; "types_code";
    "ultimately"; "undo"; "undos_proof"; "update_thy"; "update_thy_only"; 
    "use"; "use_thy"; "use_thy_only"; "using"; "value"; "welcome"; "with";
    "actions"; "advanced"; "and"; "assumes"; "attach"; "begin"; "binder";
    "compose"; "concl"; "congs"; "constrains"; "contains"; "defines"; 
    "distinct"; "file"; "files"; "fixes"; "hide_action"; "hints"; 
    "imports"; "in"; "includes"; "induction"; "infix"; "infixl"; "infixr";
    "initially"; "inject"; "inputs"; "internals"; "intros"; "is"; "lazy";
    "monos"; "morphisms"; "notes"; "open"; "output"; "outputs"; "overloaded";
    "permissive"; "post"; "pre"; "rename"; "restrict"; "shows"; "signature";
    "states"; "structure"; "to"; "transitions"; "transrel"; "uses"; "where"];
  Hashtbl.mem ht

let rename s = if is_isabelle_keyword s then "why__" ^ s else s
let idents fmt s = fprintf fmt "%s" (rename s)
let ident fmt id = fprintf fmt "%s" (rename (Ident.string id))

(*s Pretty print *)

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "real"
  | PTexternal ([v], id) when id == farray -> 
      fprintf fmt "(%a list)" print_pure_type v (* TODO *)
  | PTexternal([],id) -> ident fmt id
  | PTexternal([t],id) -> 
      fprintf fmt "(%a %a)"
      print_pure_type t
      ident id 
  | PTexternal(l,id) -> 
      fprintf fmt "((@[%a@]) %a)"
      (print_list comma print_pure_type) l
      ident id
  | PTvar { type_val = Some t} -> 
      fprintf fmt "%a" print_pure_type t      
  | PTvar v -> fprintf fmt "'a%d" v.tag

let prefix_id id =
  (* int cmp *)
  if id == t_lt_int then "(op <)" 
  else if id == t_le_int then "(op <=)"
  else if id == t_gt_int then "(%x y. y < x)"
  else if id == t_ge_int then "(%x y. y <= x)"
  else if id == t_eq_int then "(op =)"
  else if id == t_neq_int then "(%x y. x ~= y)"
  (* real cmp *)
  else if id == t_lt_real then "(op <)" 
  else if id == t_le_real then "(op <=)"
  else if id == t_gt_real then "(%x y. y < x)"
  else if id == t_ge_real then "(%x y. y <= x)"
  else if id == t_eq_real then "(op =)"
  else if id == t_neq_real then "(%x y. x ~= y)"
  (* bool cmp *)
  else if id == t_eq_bool then "(op =)"
  else if id == t_neq_bool then "(%x y. x ~= y)"
  (* unit cmp *)
  else if id == t_eq_unit then "(op =)"
  else if id == t_neq_unit then "(%x y. x ~= y)"
  (* int ops *)
  else if id == t_add_int then "(op +)"
  else if id == t_sub_int then "(op -)"
  else if id == t_mul_int then "(op *)"
(*
  else if id == t_div_int then "(op div)"
  else if id == t_mod_int then "(op mod)"
*)
  else if id == t_neg_int then "(%x. - x)"
  (* real ops *)
  else if id == t_add_real then "(op +)"
  else if id == t_sub_real then "(op -)"
  else if id == t_mul_real then "(op *)"
  else if id == t_div_real then "(op /)"
  else if id == t_neg_real then "(%x. - x)"
  else if id == t_sqrt_real then assert false (* TODO *)
  else if id == t_real_of_int then "real"
  else if id == t_int_of_real then assert false (* TODO *)
  else assert false

let rec print_term fmt = function
  | Tvar id -> 
      ident fmt id
  | Tconst (ConstInt n) -> 
      fprintf fmt "(%s::int)" n
  | Tconst (ConstBool true) -> 
      fprintf fmt "True" 
  | Tconst (ConstBool false) -> 
      fprintf fmt "False" 
  | Tconst ConstUnit -> 
      fprintf fmt "()" 
  | Tconst (ConstFloat c) ->
      Print_real.print_with_integers
	"(real (%s::int))" 
	"(real (%s::int * %s))"
	"(real (%s::int) / real (%s::int))" 
	fmt c
  | Tderef _ -> 
      assert false
  (* arithmetic *)
  | Tapp (id, [a; b], _) when id == t_add_int || id == t_add_real ->
      fprintf fmt "(@[%a +@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _ ) when id == t_sub_int || id == t_sub_real ->
      fprintf fmt "(@[%a -@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_mul_int || id == t_mul_real ->
      fprintf fmt "(@[%a *@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_div_real ->
      fprintf fmt "(@[%a /@ %a@])" print_term a print_term b
(*
  | Tapp (id, [a; b], _) when id == t_mod_int ->
      fprintf fmt "(@[%a mod@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_div_int ->
      fprintf fmt "(@[%a div@ %a@])" print_term a print_term b
*)
  | Tapp (id, [a], _) when id == t_neg_int || id == t_neg_real ->
      fprintf fmt "(@[-%a@])" print_term a
  | Tapp (id, [a; b; c], _) when id == if_then_else -> 
      fprintf fmt "(@[if %a@ then %a@ else %a@])" 
	print_term a print_term b print_term c
  | Tapp (id, tl, _) when is_relation id || is_arith id -> 
      fprintf fmt "(@[%s %a@])" (prefix_id id) print_terms tl
  (* arrays *)
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "(@[%a !(nat %a) @])" print_term a print_term b
  | Tapp (id, [a], _) when id == Ident.array_length ->
      fprintf fmt "(@[int (length %a)@])" print_term a
  (* any other application *)
  | Tapp (id, tl, _) ->
      fprintf fmt "@[(%a@ %a)@]" 
	ident id (print_list space print_term) tl
  | Tnamed (User n, t) ->
      fprintf fmt "@[(* %s: *)@ %a@]" (String.escaped n) print_term t
  | Tnamed (_, t) -> print_term fmt t

and print_terms fmt tl = 
  print_list space print_term fmt tl

let rec print_predicate fmt = function
  | Ptrue ->
      fprintf fmt "True"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "True"
  | Pfalse ->
      fprintf fmt "False"
  | Pvar id -> 
      fprintf fmt "%a" ident id
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(%a)@]" print_predicate (Util.distinct tl)
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "(@[%a =@ %a@])" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "(@[%a ~=@ %a@])" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_lt_int || id == t_lt_real ->
      fprintf fmt "(@[%a <@ %a@])" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_le_int || id == t_le_real ->
      fprintf fmt "(@[%a <=@ %a@])" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_gt_int || id == t_gt_real ->
      fprintf fmt "(@[%a <@ %a@])" print_term b print_term a
  | Papp (id, [a; b], _) when id == t_ge_int || id == t_ge_real ->
      fprintf fmt "(@[%a <=@ %a@])" print_term b print_term a
  | Papp (id, [a; b], _) when id == t_zwf_zero ->
      fprintf fmt "(@[(0 <= %a) &@ (%a < %a)@])" 
	print_term b print_term a print_term b
  | Papp (id, tl, _) when is_relation id || is_arith id ->
      fprintf fmt "(@[%s %a@])" (prefix_id id) print_terms tl
  | Papp (id, tl, _) -> 
      fprintf fmt "(@[%a@ %a@])" ident id print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "(@[%a -->@ %a@])" print_predicate a print_predicate b
  | Piff (a, b) ->
      fprintf fmt "(@[%a =@ %a@])" 
	print_predicate a print_predicate b
  | Pif (a, b, c) ->
      fprintf fmt "(@[if %a@ then %a@ else %a@])" 
	print_term a print_predicate b print_predicate c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "(@[%a &@ %a@])" print_predicate a print_predicate b
  | Por (a, b) ->
      fprintf fmt "(@[%a |@ %a@])" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "~%a" print_predicate a
  | Forall (_,id,n,t,_,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "(@[!%a::%a.@ %a@])" ident id'
	print_pure_type t print_predicate p'
  | Exists (id,n,t,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "(@[? %a::%a.@ %a@])" ident id'
	print_pure_type t print_predicate p'
  | Pnamed (User n, p) ->
      fprintf fmt "@[(* %s: *)@ %a@]" (String.escaped n) print_predicate p
  | Pnamed (_, p) -> print_predicate fmt p
  | Plet (_, n, _, t, p) ->
      print_predicate fmt (subst_term_in_predicate n t p)
  
let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	fprintf fmt "shows \"@[%a@]\"@\n" print_predicate concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "fixes %a::\"%a\"@\n" ident id print_pure_type v;
	print_seq fmt hyps
    | Spred (id, p) :: hyps -> 
	fprintf fmt "assumes %a: \"@[%a@]\"@\n" ident id print_predicate p;
	print_seq fmt hyps
  in
  fprintf fmt "@[%a@]@?" print_seq hyps

let print_predicate_scheme fmt p =
  let (_l,p) = Env.specialize_predicate p in
  print_predicate fmt p

let print_logic_type fmt s = 
  let (_l,t) = Env.specialize_logic_type s in
  match t with
  | Logic.Function ([], t) ->
      print_pure_type fmt t
  | Logic.Function (pl, t) ->
      fprintf fmt "[@[%a@]] => %a" 
	(print_list comma print_pure_type) pl print_pure_type t
  | Logic.Predicate [] ->
      fprintf fmt "bool"
  | Logic.Predicate pl ->
      fprintf fmt "[@[%a@]] => bool" (print_list comma print_pure_type) pl

let reprint_logic fmt id t =
  fprintf fmt 
    "@[(*Why logic*) consts %a ::@ @[\"%a\"@]@];@\n" 
    idents id print_logic_type t

let print_logic fmt id t = reprint_logic fmt id t

let reprint_axiom fmt id p =
  fprintf fmt "@[(*Why axiom*) axioms %a:@ \"%a\";@]@\n" idents id print_predicate_scheme p

let print_axiom fmt id p = 
  reprint_axiom fmt id p

let reprint_obligation fmt loc _is_lemma _expl id s =
  fprintf fmt "@[(* %a *)@]@\n" (Loc.report_obligation_position ~onlybasename:true) loc;
  fprintf fmt "@[(*Why goal*) lemma %a:@\n%a;@]@\n" idents id print_sequent s
(*;
  fprintf fmt "@[(* %a *)@]@\n" Util.print_explanation expl
*)

let print_obligation fmt loc is_lemma expl id s = 
  reprint_obligation fmt loc is_lemma expl id s;
  fprintf fmt "(* FILL PROOF HERE *)@\n@\n"

let reprint_predicate fmt id p =
  let (_l,(bl,p)) = Env.specialize_predicate_def p in
  let print_binder_type fmt (_x,pt) = 
      fprintf fmt "%a" print_pure_type pt in
  let print_binder fmt (x,_pt) = 
      fprintf fmt "%a" ident x in
  fprintf fmt
     "@[(*Why predicate*) constdefs %a :: @[\"[@[%a@]] => bool\"@]@]@\n" 
    idents id 
    (print_list comma print_binder_type) bl;
  fprintf fmt
     "@[     \"%a == @[%%@[%a@]. @[%a@]@]\"@];@\n" 
    idents id 
    (print_list space print_binder) bl
    print_predicate p 

let print_predicate fmt id p = reprint_predicate fmt id p

let reprint_function fmt id p =
  let (_l,(bl,t,e)) = Env.specialize_function_def p in
  let print_binder_type fmt (_x,pt) = 
      fprintf fmt "%a" print_pure_type pt in
  let print_binder fmt (x,_pt) = 
      fprintf fmt "%a" ident x in
  fprintf fmt
     "@[(*Why function*) constdefs %a :: @[\"[%a] => %a\"@]@]@\n" 
    idents id 
    (print_list comma print_binder_type) bl print_pure_type t;
  fprintf fmt
     "@[    \"%a ==@ %%%a. @[%a@]\"@];@\n" 
    idents id 
    (print_list space print_binder) bl
    print_term e 

let print_function fmt id p = reprint_function fmt id p

let type_parameters fmt l = 
  let one fmt x = fprintf fmt "'%s " x in
  match l with
    | [] -> ()
    | [x] -> one fmt x
    | l -> fprintf fmt "(%a) " (print_list comma one) l

let reprint_type fmt id vl =
  fprintf fmt "@[(*Why type*) typedecl %a%a;@]@\n"
    type_parameters vl idents id

let print_type fmt id vl = reprint_type fmt id vl

let print_alg_type_parameters fmt = function
  | [] -> ()
  | [id] -> fprintf fmt "%a " print_pure_type id
  | l -> fprintf fmt "(%a) " (print_list comma print_pure_type) l

let print_alg_type_constructor fmt (c,pl) =
  match pl with
  | [] -> fprintf fmt "%a" idents (Ident.string c)
  | _  -> fprintf fmt "%a @[%a@]" idents (Ident.string c)
            (print_list space print_pure_type) pl

let reprint_alg_type_single fmt (id,d) =
  let _,(vs,cs) = Env.specialize_alg_type d in
  let newline fmt () = fprintf fmt "@\n| " in
  fprintf fmt "@[%a%a@] =@\n  @[  %a@]"
    print_alg_type_parameters vs idents id
    (print_list newline print_alg_type_constructor) cs

let reprint_alg_type fmt ls =
  let andsep fmt () = fprintf fmt "@\n and " in
  fprintf fmt "@[(*Why type*) datatype %a;@]@\n"
    (print_list andsep reprint_alg_type_single) ls

let print_alg_type fmt ls = reprint_alg_type fmt ls

let theory_name = ref ""

open Regen

module Gen = Regen.Make(
struct

  let print_element fmt e = 
    begin match e with
      | Parameter _-> assert false
      | Program _ -> assert false
      | Obligation (loc, is_lemma, expl, id, s) -> 
	  print_obligation fmt loc is_lemma expl id s.Env.scheme_type
      | Logic (id, t) -> print_logic fmt id t
      | Axiom (id, p) -> print_axiom fmt id p
      | Predicate (id, p) -> print_predicate fmt id p
      | Inductive(_id, _p) -> assert false
      | Function (id, f) -> print_function fmt id f
      | AbstractType (id, vl) -> print_type fmt id vl
      | AlgebraicType ls -> print_alg_type fmt ls
    end;
    fprintf fmt "@\n"
      
  let reprint_element fmt = function
    | Parameter _ -> assert false
    | Program _ -> assert false
    | Obligation (loc, is_lemma, expl, id, s) -> 
	reprint_obligation fmt loc is_lemma expl id s.Env.scheme_type
    | Logic (id, t) -> reprint_logic fmt id t
    | Axiom (id, p) -> reprint_axiom fmt id p
    | Predicate (id, p) -> reprint_predicate fmt id p
    | Inductive(_id, _p) -> assert false
    | Function (id, f) -> reprint_function fmt id f
    | AbstractType (id, vl) -> reprint_type fmt id vl
    | AlgebraicType ls -> reprint_alg_type fmt ls

  let re_oblig_loc = Str.regexp "(\\* Why obligation from .*\\*)"

  let first_time fmt =
    fprintf fmt "\
(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)@\n
theory %s@\nimports %s@\nbegin@\n@\n" (!theory_name) Options.isabelle_base_theory

  let first_time_trailer fmt = fprintf fmt "end@\n"

  let not_end_of_element _ s =
    let n = String.length s in n = 0 || s.[n-1] <> ';'

end)


let reset = Gen.reset

let push_decl = function
  | Dgoal (loc,is_lemma,expl,l,s) ->
      Gen.add_elem (Oblig, l) (Obligation (loc,is_lemma,expl,l,s))
  | Dlogic (_, id, t) ->
      let id = Ident.string id in
      Gen.add_elem (Lg, rename id) (Logic (id, t))
  | Daxiom (_, id, p) -> Gen.add_elem (Ax, rename id) (Axiom (id, p))
  | Dpredicate_def (_, id, p) -> 
      let id = Ident.string id in
      Gen.add_elem (Pr, rename id) (Predicate (id, p))
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "Isabelle output: inductive def not yet supported"
  | Dfunction_def (_, id, p) -> 
      let id = Ident.string id in
      Gen.add_elem (Fun, rename id) (Function (id, p))
  | Dtype (_, id, vl) ->
      let id = Ident.string id in
      Gen.add_elem (Ty, rename id) (AbstractType (id, vl))
  | Dalgtype ls ->
      let id = match ls with (_,id,_)::_ -> id | _ -> assert false in
      let at = List.map (fun (_,id,d) -> (Ident.string id,d)) ls in
      Gen.add_elem (Ty, rename (Ident.string id)) (AlgebraicType at)

let _ = 
  Gen.add_regexp 
    "lemma[ ]+\\(.*_po_[0-9]+\\)[ ]*:[ ]*" Oblig;
  Gen.add_regexp 
    "(\\*Why goal\\*) lemma[ ]+\\([^ ]*\\)[ ]*:[ ]*" Oblig;
  Gen.add_regexp 
    "(\\*Why\\*) consts[ ]+\\([^ ]*\\)[ ]*::[ ]*" Param;
  Gen.add_regexp 
    "(\\*Why axiom\\*) axioms[ ]+\\([^ ]*\\):[ ]*" Ax;
  Gen.add_regexp 
    "(\\*Why logic\\*) consts[ ]+\\([^ ]*\\)[ ]*::[ ]*" Lg;
  Gen.add_regexp 
    "(\\*Why predicate\\*) constdefs[ ]+\\([^ ]*\\)[ ]*::[ ]*" Pr;
  Gen.add_regexp 
    "(\\*Why function\\*) constdefs[ ]+\\([^ ]*\\)[ ]*::[ ]*" Fun;
  Gen.add_regexp
    "(\\*Why type\\*) datatype[ ]+\\([^ ]*\\) =" Ty;
  Gen.add_regexp
    "(\\*Why type\\*) datatype[ ]+[^ ]*[ ]+\\([^ ]*\\) =" Ty;
  Gen.add_regexp
    "(\\*Why type\\*) datatype[ ]+(.*)[ ]+\\([^ ]*\\) =" Ty;
  Gen.add_regexp 
    "(\\*Why type\\*) typedecl[ ]+\\([^ ]*\\);" Ty;
  Gen.add_regexp 
    "(\\*Why type\\*) typedecl[ ]+[^ ]*[ ]+\\([^ ]*\\);" Ty;
  Gen.add_regexp 
    "(\\*Why type\\*) typedecl[ ]+(.*)[ ]+\\([^ ]*\\);" Ty

let output_file fwe =
  let f = fwe ^ "_why.thy" in
  theory_name := Filename.basename fwe ^ "_why";
  Gen.output_file f
why-2.34/src/annot.mli0000644000175000017500000000603512311670312013232 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Env
open Types
open Logic
open Ast

(*s Maximum of two postconditions. [sup q q'] is made of postconditions
    from [q], when not the default postcondition, and from [q'] otherwise. *)

val sup : postcondition option -> postcondition option -> postcondition option

(*s automatic postcondition for a loop body, i.e. [I and var < var@L] *)

val while_post_block :
  local_env -> predicate asst option -> variant -> typed_program -> 
  postcondition

(*s [normalise p] inserts some automatic annotation on the outermost
    construct of [p] *)

val normalize : typed_program -> typed_program


(*s Useful functions to change the program tree or its annotations,
    to be reused in [Wp] *)




val purify : typed_program -> typed_program

val is_result_eq : predicate -> term option

why-2.34/src/graphviz.mli0000644000175000017500000004246012311670312013747 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(** Interface with {i GraphViz}

    This module provides a basic interface with dot and neato,
    two programs of the GraphViz toolbox.
    These tools are available at the following URLs:

    {v http://www.graphviz.org/ v}

    {v http://www.research.att.com/sw/tools/graphviz/ v}

 *)

open Format



(***************************************************************************)
(** {2 Common stuff} *)

(** Because the neato and dot engines present a lot of common points -
    in particular in the graph description language, large parts of
    the code is shared.  The [CommonAttributes] module defines
    attributes of graphs, vertices and edges that are understood by the
    two engines.  Then module [DotAttributes] and [NeatoAttributes]
    define attributes specific to dot and neato respectively. *)

(*-------------------------------------------------------------------------*)
(** {3 Common attributes} *)

type color = int

type arrow_style =
  [ `None | `Normal | `Inv | `Dot | `Odot | `Invdot | `Invodot ] 



(** The [CommonAttributes] module defines attributes for graphs, 
    vertices and edges that are available in the two engines, dot and neato. *)
module CommonAttributes : sig

  (** Attributes of graphs. *)
  type graph =
    [ `Center of bool
        (** Centers the drawing on the page.  Default value is [false]. *)
    | `Fontcolor of color
        (** Sets the font color.  Default value is [black]. *)
    | `Fontname of string
        (** Sets the font family name.  Default value is ["Times-Roman"]. *)
    | `Fontsize of int
        (** Sets the type size (in points).  Default value is [14]. *)
    | `Label of string
        (** Caption for graph drawing. *)
    | `Orientation of [ `Portrait | `Landscape ]
        (** Sets the page orientation.  Default value is [`Portrait]. *)
    | `Page of float * float
        (** Sets the PostScript pagination unit, e.g [8.5, 11.0]. *)
    | `Pagedir of [ `TopToBottom | `LeftToRight ]
        (** Traversal order of pages.  Default value is [`TopToBottom]. *)
    | `Size of float * float
        (** Sets the bounding box of drawing (in inches). *)
    | `OrderingOut
        (** Constrains  order of out-edges in a subgraph according to
          their file sequence *)
    ] 

  (** Attributes of vertices.
   *)
  type vertex =
    [ `Color of color
        (** Sets the color of the border of the vertex. 
	  Default value is [black] *)
    | `Fontcolor of color
        (** Sets the label font color.  Default value is [black]. *)
    | `Fontname of string
        (** Sets the label font family name.  Default value is
            ["Times-Roman"]. *)
    | `Fontsize of int
        (** Sets the label type size (in points).  Default value is [14].
         *)
    | `Height of float
        (** Sets the minimum height.  Default value is [0.5]. *)
    | `Label of string
        (** Sets the label printed in the vertex. 
	    The string may include escaped
            newlines [\n], [\l], or [\r] for center, left, and right justified
	    lines.
            Record labels may contain recursive box lists delimited by { | }. 
	*)
    | `Orientation of float
        (** Vertex rotation angle, in degrees.  Default value is [0.0]. *)
    | `Peripheries of int
        (** Sets  the  number  of periphery lines drawn around the polygon. *)
    | `Regular of bool
        (** If [true], then the polygon is made regular, i.e. symmetric about
	    the x and y axis, otherwise  the polygon   takes   on   the  aspect
	    ratio of the label.  Default value is [false]. *)
    | `Shape of
        [`Ellipse | `Box | `Circle | `Doublecircle | `Diamond
        | `Plaintext | `Record | `Polygon of int * float]
        (** Sets the shape of the vertex.  Default value is [`Ellipse].
            [`Polygon (i, f)] draws a polygon with [n] sides and a skewing
            of [f]. *)
    | `Style of [ `Filled | `Solid | `Dashed | `Dotted | `Bold | `Invis ]
        (** Sets the layout style of the vertex.  
	    Several styles may be combined simultaneously. *)
    | `Width of float
        (** Sets the minimum width.  Default value is [0.75]. *)
    ]     

  (** Attributes of edges.
   *)
  type edge =
    [ `Color of color
        (** Sets the edge stroke color.  Default value is [black]. *)
    | `Decorate of bool
        (** If [true], draws a line connecting labels with their edges. *)
    | `Dir of [ `Forward | `Back | `Both | `None ] 
        (** Sets arrow direction.  Default value is [`Forward]. *)
    | `Fontcolor of color
        (** Sets the label font color.  Default value is [black]. *)
    | `Fontname of string
        (** Sets the label font family name.  Default value is
	    ["Times-Roman"]. *)
    | `Fontsize of int
        (** Sets the label type size (in points).  Default value is [14]. *)
    | `Label of string
        (** Sets the label to be attached to the edge.  The string may include
	    escaped newlines [\n], [\l], or [\r] for centered, left, or right
	    justified lines. *)
    | `Labelfontcolor of color
        (** Sets the font color for head and tail labels.  Default value is
            [black]. *)
    | `Labelfontname of string
        (** Sets the font family name for head and tail labels.  Default
            value is ["Times-Roman"]. *)
    | `Labelfontsize of int
        (** Sets the font size for head and tail labels (in points). 
            Default value is [14]. *)
    | `Style of [ `Solid | `Dashed | `Dotted | `Bold | `Invis ]
        (** Sets the layout style of the edge.  Several styles may be combined
            simultaneously. *)
    ]     

end



(***************************************************************************)
(** {2 Interface with the dot engine} *)

module DotAttributes : sig

  (** Attributes of graphs.  They include all common graph attributes and
      several specific ones.  All attributes described in the "dot User's
      Manual, February 4, 2002" are handled, excepted: clusterank, color,
      compound, labeljust, labelloc, ordering, rank, remincross, rotate,
      searchsize and style.
   *)
  type graph =
    [ CommonAttributes.graph
    | `Bgcolor of color
        (** Sets the background color and the inital fill color. *)
    | `Comment of string
        (** Comment string. *)
    | `Concentrate of bool
        (** If [true], enables edge concentrators.  Default value is [false]. *)
    | `Fontpath of string
        (** List of directories for fonts. *)
    | `Layers of string list
        (** List of layers. *)
    | `Margin of float
        (** Sets the page margin (included in the page size).  Default value is
            [0.5]. *)
    | `Mclimit of float
        (** Scale factor for mincross iterations.  Default value is [1.0]. *)
    | `Nodesep of float
        (** Sets the minimum separation between nodes, in inches.  Default
            value is [0.25]. *)
    | `Nslimit of int
        (** If set of [f], bounds network simplex iterations by [f *
            ] when ranking nodes. *)
    | `Nslimit1 of int
        (** If set of [f], bounds network simplex iterations by [f *
            ] when setting x-coordinates. *)
    | `Ranksep of float
        (** Sets the minimum separation between ranks. *)
    | `Quantum of float
        (** If not [0.0], node label dimensions will be rounded to integral
	    multiples of it.  Default value is [0.0]. *)
    | `Rankdir of [ `TopToBottom | `LeftToRight ]
        (** Direction of rank ordering.  Default value is [`TopToBottom]. *)
    | `Ratio of [ `Float of float | `Fill | `Compress| `Auto ]
        (** Sets the aspect ratio. *)
    | `Samplepoints of int
        (** Number of points used to represent ellipses and circles on output.
	    Default value is [8]. *)
    | `Url of string
        (** URL associated with graph (format-dependent). *)
    ] 

  (** Attributes of nodes.  They include all common node attributes and
      several specific ones.  All attributes described in the "dot User's
      Manual, February 4, 2002" are handled, excepted: bottomlabel, group,
      shapefile and toplabel.
   *)
  type vertex =
    [ CommonAttributes.vertex
    | `Comment of string
        (** Comment string. *)
    | `Distortion of float
        (* TEMPORARY *)
    | `Fillcolor of color
        (** Sets the fill color (used when `Style filled).  Default value
            is [lightgrey]. *)
    | `Fixedsize of bool
        (** If [true], forces the given dimensions to be the actual ones.
            Default value is [false]. *)
    | `Layer of string
        (** Overlay. *)
    | `Url of string
        (** The  default  url  for  image  map  files; in PostScript files,
            the base URL for all relative URLs, as recognized by Acrobat
	    Distiller 3.0 and up. *)
    | `Z of float
        (** z coordinate for VRML output. *)
    ] 

  (** Attributes of edges.  They include all common edge attributes and
      several specific ones.  All attributes described in the "dot User's
      Manual, February 4, 2002" are handled, excepted: lhead and ltail.
   *)
  type edge =
    [ CommonAttributes.edge
    | `Arrowhead of arrow_style
        (** Sets the style of the head arrow.  Default value is [`Normal]. *)
    | `Arrowsize of float
        (** Sets the scaling factor of arrowheads.  Default value is [1.0]. *)
    | `Arrowtail of arrow_style
        (** Sets the style of the tail arrow.  Default value is [`Normal]. *)
    | `Comment of string
        (** Comment string. *)
    | `Constraints of bool
        (** If [false], causes an edge to be ignored for rank assignment. 
            Default value is [true]. *)
    | `Headlabel of string
        (** Sets the label attached to the head arrow. *)
    | `Headport of [ `N | `NE | `E | `SE | `S | `SW | `W | `NW ]
        (* TEMPORARY *)
    | `Headurl of string
        (** Url attached to head label if output format is ismap. *)
    | `Labelangle of float
        (** Angle in degrees which head or tail label is rotated off edge. 
            Default value is [-25.0]. *)
    | `Labeldistance of float
        (** Scaling factor for distance of head or tail label from node. 
            Default value is [1.0]. *)
    | `Labelfloat of bool
        (** If [true], lessen constraints on edge label placement. 
            Default value is [false]. *)
    | `Layer of string
        (** Overlay. *)
    | `Minlen of int
        (** Minimum rank distance between head an tail.  Default value is [1]. *)
    | `Samehead of string
        (** Tag for head node; edge heads with the same tag are merged onto the
	    same port. *)
    | `Sametail of string
        (** Tag for tail node; edge tails with the same tag are merged onto the
	    same port. *)
    | `Taillabel of string
        (** Sets the label attached to the tail arrow. *)
    | `Tailport of [ `N | `NE | `E | `SE | `S | `SW | `W | `NW ]
        (* TEMPORARY *)
    | `Tailurl of string
        (** Url attached to tail label if output format is ismap. *)
    | `Weight of int
        (** Sets the integer cost of stretching the edge.  Default value is
            [1]. *)
    ] 

    type subgraph = {
      sg_name : string;
      sg_attributes : vertex list;
    }

end

module Dot
  (X : sig
     type t
     module V : sig type t end
     module E : sig type t val src : t -> V.t val dst : t -> V.t end
       
     val iter_vertex : (V.t -> unit) -> t -> unit
     val iter_edges_e : (E.t -> unit) -> t -> unit

     val graph_attributes: t -> DotAttributes.graph list

     val default_vertex_attributes: t -> DotAttributes.vertex list
     val vertex_name : V.t -> string
     val vertex_attributes: V.t -> DotAttributes.vertex list

     val default_edge_attributes: t -> DotAttributes.edge list
     val edge_attributes: E.t -> DotAttributes.edge list
     val get_subgraph : V.t -> DotAttributes.subgraph option
   end) : 
sig

  (** [fprint_graph ppf graph] pretty prints the graph [graph] in
    the CGL language on the formatter [ppf]. 
  *)
  val fprint_graph: formatter -> X.t -> unit

  (** [output_graph oc graph] pretty prints the graph [graph] in the dot
    language on the channel [oc].
  *)
  val output_graph: out_channel -> X.t -> unit

end


(***************************************************************************)
(** {2 The neato engine} *)


module NeatoAttributes : sig

  (** Attributes of graphs.  They include all common graph attributes and
      several specific ones.  All attributes described in the "Neato User's
      manual, April 10, 2002" are handled.
   *)
  type graph =
    [ CommonAttributes.graph
    | `Margin of float * float
        (** Sets the page margin (included in the page size).  Default value is
            [0.5, 0.5]. *)
    | `Start of int
        (** Seed for random number generator. *)
    | `Overlap of bool
	(** Default value is [true]. *)
    | `Spline of bool
	(** [true] makes edge splines if nodes don't overlap.
	    Default value is [false]. *)
    | `Sep of float
	(** Edge spline separation factor from nodes.  Default value 
	    is [0.0]. *)
    ] 

  (** Attributes of nodes.  They include all common node attributes and
      several specific ones.  All attributes described in the "Neato User's
      manual, April 10, 2002" are handled.
   *)
  type vertex =
    [ CommonAttributes.vertex
    | `Pos of float * float
        (** Initial coordinates of the vertex. *)
    ] 

  (** Attributes of edges.  They include all common edge attributes and
      several specific ones.  All attributes described in the "Neato User's
      manual, April 10, 2002" are handled.
   *)
  type edge =
    [ CommonAttributes.edge
    | `Id of string
        (** Optional value to distinguish multiple edges. *)
    | `Len of float
        (** Preferred length of edge.  Default value is [1.0]. *)
    | `Weight of float
        (** Strength of edge spring.  Default value is [1.0]. *)
    ] 

  type subgraph = {
    sg_name : string;
    sg_attributes : vertex list;
  }

end

module Neato 
  (X : sig
     type t
     module V : sig type t end
     module E : sig type t val src : t -> V.t val dst : t -> V.t end
       
     val iter_vertex : (V.t -> unit) -> t -> unit
     val iter_edges_e : (E.t -> unit) -> t -> unit

     val graph_attributes: t -> NeatoAttributes.graph list

     val default_vertex_attributes: t -> NeatoAttributes.vertex list
     val vertex_name : V.t -> string
     val vertex_attributes: V.t -> NeatoAttributes.vertex list

     val default_edge_attributes: t -> NeatoAttributes.edge list
     val edge_attributes: E.t -> NeatoAttributes.edge list

     val get_subgraph : V.t -> NeatoAttributes.subgraph option

   end) : 
sig

  (** Several functions provided by this module run the external program
      {i neato}.  By default, this command is supposed to be in the default
      path and is invoked by {i neato}.  The function
      [set_command] allows to set an alternative path at run time.
   *)
  val set_command: string -> unit

  exception Error of string
  val handle_error: ('a -> 'b) -> 'a -> 'b

  (** [fprint_graph ppf graph] pretty prints the graph [graph] in
    the CGL language on the formatter [ppf]. 
  *)
  val fprint_graph: formatter -> X.t -> unit

  (** [output_graph oc graph] pretty prints the graph [graph] in the dot
    language on the channel [oc].
  *)
  val output_graph: out_channel -> X.t -> unit

end
why-2.34/src/wp.ml0000644000175000017500000004062312311670312012371 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Weakest preconditions *)

open Ident
open Error
open Logic
open Misc
open Types
open Ast
open Util
open Env
open Effect
open Options

(*s to quantify over all the variables read/modified by [p] *)

let input_info info = 
  let w = Effect.get_reads info.t_effect in
  let env = info.t_env in
  List.map (fun id -> (id, type_in_env env id)) w

let input p = input_info p.info

let output_info info = 
  let w = Effect.get_writes info.t_effect in
  let env = info.t_env in
  List.map (fun id -> (id, type_in_env env id)) w

let output p = output_info p.info

(* maximum *)

let sup q q' = match q, q' with
  | None, _ ->
      q'
  | _, None ->
      q
  | Some (q, ql), Some (_, ql') ->
      assert (List.length ql = List.length ql');
      let supx (x,a) (x',a') =
	assert (x = x');
	x, if is_default_post a then a' else a
      in
      Some (q, List.map2 supx ql ql') 

(*s [filter_post k q] removes exc. postconditions from [q] which do not
    appear in typing info [k] *)

let filter_post k =
  let ef = k.t_effect in
  let keep (x,_) = is_exn ef x in
  option_app (fun (q, ql) -> (q, List.filter keep ql))




(*s post-condition for a loop body *)

let default_exns_post e =
  let xs = Effect.get_exns e in
  List.map (fun x -> x, default_post) xs
 
let while_post_block env inv var e = 
  let lab = e.info.t_label in
  let decphi = match var with
    | None -> Ptrue
    | Some (loc,phi,_,r) -> 
	if debug then 
	  Format.eprintf "Loc for variant = %a@." Loc.gen_report_position loc;
	let id = Util.reg_explanation (Cc.VCEvardecr(loc,phi)) in
	Pnamed(id, Papp (r, [phi; put_label_term env lab phi], [])) 
  in
  let ql = default_exns_post (effect e) in
  match inv with
    | None -> 
	anonymous e.info.t_loc decphi, ql
    | Some i -> 
	if debug then 
	  Format.eprintf 
	    "Loc for invariant = %a@." Loc.gen_report_position i.a_loc;
	let id = reg_explanation (Cc.VCEinvpreserv("",(i.a_loc,i.a_value))) in
	(* Claude: pand -> wpand to split the conjunct *)
	{ a_value = wpand (Pnamed(id,i.a_value)) decphi; 
	  a_name = post_name_from (Name i.a_name);
	  a_loc = e.info.t_loc;
	  a_proof = None }, ql

let well_founded_rel = function
  | None -> Ptrue
  | Some (_,_,_,r) -> Papp (well_founded, [Tvar r], [])

(*s [saturate_post k a q] makes a postcondition for a program of type [k]
    out of a normal postcondition [a] and the exc. postconditions from [q] *)

let saturate_post k a q = 
  let ql = match q with Some (_,l) -> l | None -> [] in
  let set_post x = x, try List.assoc x ql with Not_found -> default_post in
  let xs = get_exns k.t_effect in
  let saturate a = (a, List.map set_post xs) in
  option_app saturate a

(*s Misc. test functions *)

let need_a_post p = 
  match p.desc with Lam _ | Rec _ -> false | _ -> true

let is_while p = 
  match p.desc with Loop _ -> true | _ -> false

(*s Weakest precondition of an annotated program:
    \begin{verbatim}
    wp(e{Q'}, Q) = forall y,v. Q' => Q
    \end{verbatim}
    When [e] may raise exceptions:
    \begin{verbatim}
    wp(e{Q'|Q'1|...Q'k}, Q|Q1|...Qk) =
    (forall y,v. Q' => Q) and ... and (forall y,x. Q'k => Qk)
    \end{verbatim} *)


let abstract_wp _loc (q',ql') (q,ql) res out =
  assert (List.length ql' = List.length ql);
  let quantify a' a res =
    let vars = match res with Some b -> b :: out | None -> out in
    let a' = (*loc_name loc*) a'.a_value in
    foralls ~is_wp:true vars (Pimplies (true, a', a.a_value)) 
  in
  let quantify_h (x',a') (x,a) =
    assert (x' = x);
    let pt = find_exception x in
    quantify a' a (option_app (fun t -> (result, PureType t)) pt)
  in
  wpands (quantify q' q (Some res) :: List.map2 quantify_h ql' ql)

(* simple version when [q'] is absent *)
let abstract_wp_0 (q,ql) res out =
  let quantify a res =
    let vars = match res with Some b -> b :: out | None -> out in
    foralls ~is_wp:true vars a.a_value
  in
  let quantify_h (x,a) =
    let pt = find_exception x in
    quantify a (option_app (fun t -> (result, PureType t)) pt)
  in
  wpands (quantify q (Some res) :: List.map quantify_h ql)

let opaque_wp q' q info = match q', q with
  | Some q', Some q ->
      let res = (result, info.t_result_type) in
      let p = abstract_wp info.t_loc q' q res (output_info info) in
      let p = erase_label info.t_label (erase_label "" p) in
      Some (wp_named info.t_loc p)
  | None, Some q ->
      let res = (result, info.t_result_type) in
      let p = abstract_wp_0 q res (output_info info) in
      let p = erase_label info.t_label (erase_label "" p) in
      Some (wp_named info.t_loc p)
  | _ ->
      None

let pand_wp info w1 w2 = match w1, w2 with
  | Some w1, Some w2 -> 
      Some (wp_named info.t_loc (wpand w1.a_value w2.a_value))
  | Some _, None -> w1
  | None, Some _ -> w2
  | None, None -> None

(* explanations *)

let explain_assertion e a = 
  let id = reg_explanation e in 
  { a with a_value = Pnamed(id, a.a_value) }

let explain_wp e = Option_misc.map (explain_assertion e)

(* subtyping: a VC expressing that a specification is stronger than another *)

(*** EN COURS NE PAS EFFACER SVP
let rec subtyping env v1 v2 = match v1, v2 with
  | PureType _, PureType _
  | Ref _, Ref _ -> 
      Ptrue
  | Arrow ((x1,t1) :: bl1, k1), Arrow ((x2,t2) :: bl2, k2) ->
      let p = subtyping env (Arrow (bl1,k1)) (Arrow (bl2,k2)) in
      let p = subst_in_predicate (subst_onev x2 x1) p in
      if Typing.is_pure_type t1 then pforall ~is_wp:true x1 t1 p else p
  | Arrow ([], k1), Arrow ([], k2) ->
      subtyping_k env k1 k2
  | Arrow _, Arrow ([], k2) ->
      subtyping_k env (type_c_of_v v1) k2
  | Arrow ([], k1), Arrow _ ->
      subtyping_k env k1 (type_c_of_v v2)
  | _ ->
      assert false

and subtyping_k env k1 k2 =
  let p = wpimplies (wpands k2.c_pre) (wpands k1.c_pre) in
  let res = k1.c_result_name, k1.c_result_type in
  let out = 
    List.map (fun id -> (id, type_in_env env id)) (get_writes k1.c_effect)
  in
  let q = match k1.c_post, k2.c_post with
    | _, None -> Ptrue
    | None, Some q2 -> abstract_wp_0 q2 res out 
    | Some q1, Some q2 -> abstract_wp Loc.dummy q1 q2 res out
  in
  pforall (input k1.c_effect) (wpand p q)
***)

(*s function binders *)

let abstract_binders =
  List.fold_right
    (fun (x,v) p -> match v with
       | PureType _ -> forall ~is_wp:true x v p
       | _ -> p)

(*s Adding precondition and obligations to the wp *)

let add_to_wp ?(is_sym=false) loc explain_id al w =
  let al = List.map (fun p -> (*loc_name loc*) p.a_value) al in
  if al = [] then
    w
  else match w with
    | Some w -> 
	Some (asst_app 
		(fun w -> 
		   Pnamed(explain_id,
			  List.fold_right (wpand ~is_sym) al w))
		w)
    | None -> 
	Some (wp_named loc (Pnamed(explain_id,wpands ~is_sym al)))

(*s WP. [wp p q] computes the weakest precondition [wp(p,q)]
    and gives postcondition [q] to [p] if necessary.

    [wp: typed_program -> postcondition option -> assertion option] *)

let rec wp p q =
  (* Format.eprintf "wp with size(q) = %d@." (Size.postcondition_opt q); *)
  let q = option_app (force_post_loc p.info.t_loc) q in
  let lab = p.info.t_label in
  let q0_ = optpost_app (asst_app (change_label "" lab)) q in
  let d,w = wp_desc p.info p.desc q0_ in
  let p = change_desc p d in
  let w = option_app (asst_app (erase_label lab)) w in
  p, w

and wp_desc info d q = 
  let result = info.t_result_name in
  match d with
    (* TODO: check if likely *)
    | Var x ->
	let w = optpost_val q in
	d, optasst_app (tsubst_in_predicate (subst_one result (Tvar x))) w
    (* $wp(E,q) = q[result \leftarrow E]$ *)
    | Expression t ->
	let w = optpost_val q in
	let t = unref_term t in
	let s = subst_one result t in
	d, optasst_app (fun p -> simplify (tsubst_in_predicate s p)) w
    | If (p1, p2, p3) ->
	let p'2,w2 = wp p2 (filter_post p2.info q) in
	let p'3,w3 = wp p3 (filter_post p3.info q) in
	let q1 = match w2, w3 with
	  | None, None ->
	      None
	  | _ -> 
	      let p_or_true = function Some {a_value=q} -> q | None -> Ptrue in
	      let q2 = p_or_true w2 in
	      let q3 = p_or_true w3 in
	      (* $wp(if p1 then p2 else p3, q) =$ *)
	      (* $wp(p1, if result then wp(p2, q) else wp(p3, q))$ *)
	      let result1 = p1.info.t_result_name in
	      let q1 = create_postval (Pif (Tvar result1, q2, q3)) in
	      let q1 = force_wp_name q1 in
	      saturate_post p1.info q1 q
	in
	let p'1,w1 = wp p1 q1 in
	If (p'1, p'2, p'3), w1
    | AppTerm (p1, t, k) ->
	let p'1,w1 = wp p1 None in
	let wapp = opaque_wp k.t_post q k in
	let w = pand_wp info w1 wapp in
	AppTerm (p'1, t, k), w
    | AppRef (p1, x, k) ->
	let p'1,w1 = wp p1 None in
	let wapp = opaque_wp k.t_post q k in
	let w = pand_wp info w1 wapp in
	AppRef (p'1, x, k), w
    | Lam (bl, p, e) ->
	let e',w = wp_prog (p, e) None in
	let wf = optasst_app (abstract_binders bl) w in
	Lam (bl, p, e'), pand_wp info (optpost_val q) wf
    | LetIn (x, _, _) | LetRef (x, _, _) when occur_post x q ->
        Report.raise_located info.t_loc
	  (AnyMessage ("cannot compute wp due to capture variable;\n" ^
                       "please rename variable " ^ Ident.string x))
    | LetIn (x, e1, e2) ->
	let e'2, w2 = wp e2 (filter_post e2.info q) in
	let q1 = optasst_app (subst_in_predicate (subst_onev x result)) w2 in
	let q1 = saturate_post e1.info q1 q in
	let e'1,w = wp e1 q1 in
	LetIn (x, e'1, e'2), w
    | Seq (e1, e2) -> 
	let e'2, w2 = wp e2 (filter_post e2.info q) in
	let q1 = saturate_post e1.info w2 q in
	let e'1,w = wp e1 q1 in
	Seq (e'1, e'2), w
    | LetRef (x, e1, e2) ->
	(* same as LetIn: correct? *)
	let e'2, w2 = wp e2 (filter_post e2.info q) in
	let q1 = optasst_app (subst_in_predicate (subst_onev x result)) w2 in
	let q1 = saturate_post e1.info q1 q in
	let e'1,w = wp e1 q1 in
	LetRef (x, e'1, e'2), w
    | Rec (f, bl, v, var, p, e) ->
	(* wp = well_founded(R) /\ forall bl. wp(e, True) *)
	let wfr = well_founded_rel var in
	let e',we = wp_prog (p, e) None in
	let w = match we with
	  | None -> wfr
	  | Some {a_value=we} -> wpand wfr (abstract_binders bl we)
	in
	let w = Some (wp_named info.t_loc w) in
	Rec (f, bl, v, var, p, e'), pand_wp info (optpost_val q) w
    | Loop (inv, var, e) ->
        (* wp = well_founded(R) /\ I /\ forall w. I => wp(e, I/\var
	      wfr
	  | Some i, None ->
	      let id = reg_explanation (Cc.VCEinvinit(lab,(i.a_loc,i.a_value)))
	      in wpand wfr (Pnamed(id,i.a_value))
	  | None, Some {a_value=we} ->
	      let vars = output_info info in
	      wpand wfr (foralls ~is_wp:true vars we)
	  | Some i, Some {a_value=we} ->
	      let vars = output_info info in
	      let id = reg_explanation (Cc.VCEinvinit(lab,(i.a_loc,i.a_value))) 
	      in wpand wfr
		(wpand ~is_sym:true
		   (Pnamed(id,i.a_value))
		   (foralls ~is_wp:true vars (Pimplies (true, i.a_value, we))))
	in
	let w = Some (wp_named info.t_loc w) in
	Loop (inv, var, e'), w
    | Raise (id, None) ->
	(* $wp(raise E, _, R) = R$ *)
	d, option_app (fun (_,ql) -> List.assoc id ql) q
    | Raise (id, Some e) ->
        (* $wp(raise (E e), _, R) = wp(e, R, R)$ *)
	let make_post (_,ql) = let r = List.assoc id ql in (r, ql) in
	let qe = filter_post e.info (option_app make_post q) in
	let e',w = wp e qe in
	Raise (id, Some e'), w

    | Try (e, hl) ->
        (* $wp(try e1 with E -> e2, Q, R) = wp(e1, Q, wp(e2, Q, R))$ *)
	let subst w = function
	  | None -> w
	  | Some x -> optasst_app (subst_in_predicate (subst_onev x result)) w
	in
	let hl' = 
	  List.map (fun ((x,v) as p, h) -> 
		      let h',w = wp h (filter_post h.info q) in
		      (p,h'), (x, subst w v)) hl 
	in
	let hl',hwl = List.split hl' in
	let make_post (q,ql) = 
	  let hpost (x,r) =
	    x, 
	    try (match List.assoc x hwl with None -> r | Some w -> w)
	    with Not_found -> r
	  in
	  (q, List.map hpost ql)
	in
	let q = saturate_post e.info (option_app fst q) q in
	let qe = filter_post e.info (option_app make_post q) in
	let e',w = wp e qe in
	Try (e', hl'), w
    | Assertion (k, l, e) ->
	let e',w = wp e q in
	let expl =  
	  match k with
	    | `ABSURD ->
		Cc.VCEabsurd
	    | #Cc.assert_kind as k -> (*ASSERT et CHECK*)
		Cc.VCEassert (k,List.map (fun a -> (a.a_loc,a.a_value)) l) 
	    | `PRE ->
		let lab = info.t_userlabel in
		let loc = info.t_loc in
		if debug then 
		  Format.eprintf 
		    "wp: `PRE explanation: lab=`%s', loc=%a@." lab
		    Loc.gen_report_position loc;
		Cc.VCEpre (lab,loc,List.map (fun a -> (a.a_loc,a.a_value)) l) 
	in
	let id = reg_explanation expl in
        let is_sym = match k with
          | `CHECK -> true
          | `ASSERT | `PRE | `ABSURD -> false in
	Assertion (k, l, e'), add_to_wp ~is_sym info.t_loc id l w
    | Absurd ->
	Absurd, Some (anonymous info.t_loc Pfalse)
    | Any k as d ->
	let q' = optpost_app (post_named info.t_loc) k.c_post in
	let w = opaque_wp q' q info in
	(* BUG! k.c_pre should already contain, as pre and post, Ast.assertion and not Types.assertion *)
	(* we thus add a approximate location for them, as the loc for the whole Any *)
	(* but this breaks the localization of VCs ... *)
	let pre = List.map (pre_named info.t_loc) k.c_pre in
	let l = List.map (fun a -> (a.a_loc,a.a_value)) pre in
	let lab = info.t_userlabel in
	let loc = info.t_loc in
	let id = reg_explanation (Cc.VCEpre(lab,loc,l)) in
	let w = add_to_wp info.t_loc id pre w in
	d, w
    | Post (e, qe, Transparent) ->
	let lab = e.info.t_label in
	let qe' = Typing.conj (Some qe) q in
	let qe' = 
	  optpost_app (fun a -> 
			 explain_assertion
			   (Cc.VCEpost(a.a_loc,a.a_value))
			   (asst_app (change_label "" lab) a))
	    qe' 
	in
	let e',w = wp e qe' in
	Post (e', qe, Transparent), w
    | Post (e, qe, Opaque) ->
	let lab = e.info.t_label in
	let qe' = Some (post_app (asst_app (change_label "" lab)) qe) in
	let e',we = wp e qe' in
	let w' = opaque_wp qe' q e.info in
	let w = pand_wp e.info we w' in
	Post (e', qe, Opaque), w
    | Label (l, e) ->
	let e,w = wp e q in
	Label (l, e), optasst_app (erase_label l) w

and wp_prog (l,e) q =
  let loc = e.info.t_loc in
  let e,w = wp e q in
  let abstract {a_value=w} =
    let w = 
      List.fold_left (fun w p -> pimplies ~is_wp:true p.a_value w) w l 
    in
    wp_named loc (foralls ~is_wp:true (input e) w)
  in
  e, option_app abstract w

let wp p = wp p None
why-2.34/src/gappa.ml0000644000175000017500000005755112311670312013043 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Gappa's output *)

open Ident
open Options
open Misc
open Error
open Logic
open Cc
open Format
open Pp

module HashedTerm = struct
  type t = term

  let rec equal t1 t2 =
    match t1, t2 with
      | Tconst c1, Tconst c2 -> c1 = c2
      | Tvar v1, Tvar v2 -> v1 == v2
      | Tderef d1, Tderef d2 -> d1 == d2
      | Tapp (a1, l1, _), Tapp (a2, l2, _) ->
          a1 == a2 &&
          (try List.for_all2 equal l1 l2 with _ -> false)
      | Tnamed (_, t1), Tnamed (_, t2) -> equal t1 t2
      | _ -> false

  let combine n acc = acc * 65599 + n

  let rec hash = function
    | Tconst c -> combine 1 (Hashtbl.hash c)
    | Tvar v -> combine 2 (Hashtbl.hash v)
    | Tderef d -> combine 3 (Hashtbl.hash d)
    | Tapp (a, l, _) ->
        combine (Hashtbl.hash a) (List.fold_left
          (fun acc i -> combine (hash i) acc) 4 l)
    | Tnamed (_, t) -> combine 5 (hash t)
end

module Termtbl = Hashtbl.Make(HashedTerm)

(* Gappa terms and formulas *)

(* fields of the float model *)
type float_field = Rounded | Exact | Model
(* formats of the float model *)
type float_fmt = Int | Single | Double | Binary80
(* modes of the float model *)
type mode = RndNE | RndZR | RndUP | RndDN | RndNA

type gterm =
  | Gvar of string
  | Gfld of float_field * string
  | Grnd of float_fmt * mode * gterm
  | Gcst of string
  | Gsqrt of gterm
  | Gneg of gterm
  | Gadd of gterm * gterm
  | Gsub of gterm * gterm
  | Gmul of gterm * gterm
  | Gdiv of gterm * gterm
  | Gabs of gterm

type gpred =
  | Gle of gterm * string
  | Gge of gterm * string
  | Gin of gterm * string * string
  | Grel of gterm * gterm * string
  | Gimplies of gpred * gpred
  | Gand of gpred * gpred
  | Gor of gpred * gpred
  | Gnot of gpred

type gobligation = (string * gterm) list * gpred

exception NotGappa

(* compilation to Gappa formulas *)

let real_of_int = Ident.create "real_of_int"
let truncate_real_to_int = Ident.create "truncate_real_to_int"

let rnd_ne = Ident.create "nearest_even"
let rnd_zr = Ident.create "to_zero"
let rnd_up = Ident.create "up"
let rnd_dn = Ident.create "down"
let rnd_na = Ident.create "nearest_away"

let single_type = Ident.create "single"
let double_type = Ident.create "double"

let max_single = Ident.create "max_single"
let max_double = Ident.create "max_double"
let round_single = Ident.create "round_single"
let round_double = Ident.create "round_double"
let single_round_error = Ident.create "single_round_error"
let double_round_error = Ident.create "double_round_error"
let round_single_logic = Ident.create "round_single_logic"
let round_double_logic = Ident.create "round_double_logic"
let single_to_double = Ident.create "single_to_double"
let double_to_single = Ident.create "double_to_single"

let single_value = Ident.create "single_value"
let double_value = Ident.create "double_value"
let single_exact = Ident.create "single_exact"
let double_exact = Ident.create "double_exact"
let single_model = Ident.create "single_model"
let double_model = Ident.create "double_model"

let is_int_constant = function
  | Tconst (ConstInt _) -> true
  | Tapp (id, [Tconst (ConstInt _)], _) when id == t_neg_int -> true
  | _ -> false

let eval_int_constant = function
  | Tconst (ConstInt n) -> n
  | Tapp (id, [Tconst (ConstInt n)], _) when id == t_neg_int -> "-"^n
  | _ -> assert false

let is_pos_constant = function
  | Tconst (ConstInt _) -> true
  | Tconst (ConstFloat _) -> true
  | Tapp (id, [Tconst (ConstInt _)], _) when id == real_of_int -> true
  | Tapp (id,_,_) when id == max_single -> true
  | Tapp (id,_,_) when id == max_double -> true
  | _ -> false

let is_constant = function
  | t when is_int_constant t -> true
  | t when is_pos_constant t -> true
  | Tapp (id, [t], _) when id == real_of_int && is_int_constant t -> true
  | Tapp (id, [t], _) when id == t_neg_real  && is_pos_constant t -> true
  | _ -> false

let eval_rconst = function
  | RConstDecimal (i, f, None)   -> Printf.sprintf "%s.%s"      i f
  | RConstDecimal (i, f, Some e) -> Printf.sprintf "%s.%se%s"   i f e
  | RConstHexa (i, f, e)         -> Printf.sprintf "0x%s.%sp%s" i f e

let eval_pos_constant = function
  | Tconst (ConstInt n) -> n
  | Tconst (ConstFloat f) -> eval_rconst f
  | Tapp (id, [Tconst (ConstInt n)], _) when id == real_of_int -> n
  | Tapp (id,_,_) when id == max_single -> "0x1.FFFFFEp127"
  | Tapp (id,_,_) when id == max_double -> "0x1.FFFFFFFFFFFFFp1023"
  | _ -> raise NotGappa

let eval_constant = function
  | t when is_int_constant t -> eval_int_constant t
  | t when is_pos_constant t -> eval_pos_constant t
  | Tapp (id, [t], _) when id == real_of_int && is_int_constant t
      -> eval_int_constant t
  | Tapp (id, [t], _) when id == t_neg_real  && is_pos_constant t
      -> "-" ^ (eval_pos_constant t)
  | _ -> raise NotGappa

let field_of_id s =
  if s == single_value || s == double_value then Rounded else
  if s == single_exact || s == double_exact then Exact else
  if s == single_model || s == double_model then Model else
  assert false

let mode_of_id s =
  if s == rnd_ne then RndNE else
  if s == rnd_zr then RndZR else
  if s == rnd_up then RndUP else
  if s == rnd_dn then RndDN else
  if s == rnd_na then RndNA else
  raise NotGappa

(* contains all the terms that have been generalized away,
   because they were not recognized *)
let gen_table = Termtbl.create 10

(* contains the terms associated to variables, especially gen_float variables *)
let var_table = Hashtbl.create 10

(* contains the roundings used *)
let rnd_table = Hashtbl.create 10

(* contains the names already defined,
   so new definitions should be as equalities *)
let def_table = Hashtbl.create 10

(* contains the reverted list of aliases from def_table *)
let def_list = ref []

(* contains the list of format-implied bounds on float variables *)
let bnd_list = ref []

let rec subst_var = function
  | Tvar id as t ->
    begin
      try
        Hashtbl.find var_table id
      with Not_found ->
        t
    end
  | Tnamed (_, t) -> subst_var t
  | Tapp (id, l1, l2) -> Tapp (id, List.map subst_var l1, l2)
  | t -> t

let rec create_var = function
  | Tvar v -> Ident.string v
  | Tnamed (_, t) -> create_var t
  | _ as t ->
      try
        Termtbl.find gen_table t
      with Not_found ->
        let n = Ident.string (fresh_var ()) in
(*
        Format.eprintf "creating var for %a {%i}@." Util.print_term t (HashedTerm.hash t);
*)
        Termtbl.replace gen_table t n;
        n

let rec term = function
  | t when is_constant t ->
      Gcst (eval_constant t)
  | Tconst _ ->
      raise NotGappa
  | Tvar id ->
      Gvar (Ident.string id)
  | Tderef id ->
      Gvar (Ident.string id)
  (* int and real ops *)
  | Tapp (id, [t], _) when id == t_neg_real || id = t_neg_int ->
      Gneg (term t)
  | Tapp (id, [t], _) when id == t_abs_real || id == t_abs_int ->
      Gabs (term t)
  | Tapp (id, [t], _) when id == t_sqrt_real ->
      Gsqrt (term t)
  | Tapp (id, [t1; t2], _) when id == t_add_real || id = t_add_int ->
      Gadd (term t1, term t2)
  | Tapp (id, [t1; t2], _) when id == t_sub_real || id = t_sub_int ->
      Gsub (term t1, term t2)
  | Tapp (id, [t1; t2], _) when id == t_mul_real || id = t_mul_int ->
      Gmul (term t1, term t2)
  | Tapp (id, [t1; t2], _) when id == t_div_real ->
      Gdiv (term t1, term t2)
  (* conversion int -> real *)
  | Tapp (id, [t], _) when id == real_of_int ->
      term t
  (* conversion real -> int by truncate, i.e. towards zero *)
  | Tapp (id, [t], _) when id == truncate_real_to_int ->
      let mode = RndZR in
      Hashtbl.replace rnd_table (Int, mode) ();
      Grnd (Int, mode, term t)

  (* [Jessie] rounding *)
  | Tapp (id, [Tapp (m, [], _); t], _)
      when id == round_single ->
      let mode = mode_of_id m in
      Hashtbl.replace rnd_table (Single, mode) ();
      Grnd (Single, mode, term t)
  | Tapp (id, [Tapp (m, [], _); t], _)
      when id == round_double ->
      let mode = mode_of_id m in
      Hashtbl.replace rnd_table (Double, mode) ();
      Grnd (Double, mode, term t)

  | Tapp (id1, [Tapp (id2, l1, l2)], _)
      when id1 == single_value && id2 == round_single_logic ->
      term (Tapp (round_single, l1, l2))
  | Tapp (id1, [Tapp (id2, l1, l2)], _)
      when id1 == double_value && id2 == round_double_logic ->
      term (Tapp (round_double, l1, l2))

  (* casts *)
  | Tapp (id1, [Tapp (id2,[Tapp (m, [], _); t] , l2)], _)  
      when id1 == single_value && id2 == double_to_single ->
      let mode = mode_of_id m in
      Hashtbl.replace rnd_table (Single, mode) ();
      Grnd (Single, mode, term (Tapp (double_value,[t],l2)))

  | Tapp (id1, [Tapp (id2,[Tapp (_m, [], _); t] , l2)], _)  
      when id1 == double_value && id2 == single_to_double ->
        term (Tapp (single_value,[t],l2))


  | Tapp (id, [t], _)
      when (id == single_value || id == double_value || id == single_exact 
         || id == double_exact || id == single_model || id == double_model) ->
      let v = create_var t in
      let f = field_of_id id in
      let add_def fmt =
        if not (Hashtbl.mem def_table (f, v)) then begin
          Hashtbl.add def_table (f, v) ();
          Hashtbl.replace rnd_table (fmt, RndNE) ();
          def_list := (f, v, Grnd (fmt, RndNE, Gvar ("dummy_float_" ^ v))) :: !def_list;
          let b =
            if fmt = Single then "0x1.FFFFFEp127" else
            if fmt = Double then "0x1.FFFFFFFFFFFFFp1023" else
            assert false in
          bnd_list := Gin (Gfld (f, v), "-"^b, b) :: !bnd_list
        end in
      if id == single_value then add_def Single else
      if id == double_value then add_def Double;
      Gfld (f, v)

  | Tapp (id, [t], _) 
    when id == single_round_error || id == double_round_error ->
    let v = create_var t in
    Gabs (Gsub (Gfld (Rounded, v), Gfld (Exact, v)))

  | Tnamed(_,t) -> term t

  (* anything else is generalized as a fresh variable *)
  | Tapp _ as t ->
      Gvar (create_var t)


let termo t = try Some (term (subst_var t)) with NotGappa -> None

(* recognition of a Gappa predicate *)

let rec is_float_type = function
  | PTexternal ([], id) when id == single_type || id == double_type 
      -> true
  | PTvar {type_val=Some t} -> is_float_type t
  | PTexternal _ 
  | PTvar _
  | PTunit
  | PTreal
  | PTbool
  | PTint -> false


let rec gpred def = function
  | Papp (id, [t1; t2], _) when id == t_le_real || id == t_le_int ->
      begin match termo t1, termo t2 with
	| Some (Gcst c1), Some t2 -> Some (Gge (t2, c1))
	| Some t1, Some (Gcst c2) -> Some (Gle (t1, c2))
        | Some t1, Some t2 ->
            begin match t1, t2 with
              | Gabs (Gsub (t1, t2)), Gmul (Gcst c, Gabs t3) when t2 = t3 ->
                  Some (Grel (t1, t2, c))
              | Gabs (Gsub (t2, t1)), Gmul (Gcst c, Gabs t3) when t2 = t3 ->
                  Some (Grel (t1, t2, c))
              | Gabs (Gsub (t1, t2)), Gmul (Gabs t3, Gcst c) when t2 = t3 ->
                  Some (Grel (t1, t2, c))
              | Gabs (Gsub (t2, t1)), Gmul (Gabs t3, Gcst c) when t2 = t3 ->
                  Some (Grel (t1, t2, c))
              | _ -> Some (Gle (Gsub (t1, t2), "0"))
            end
        | _ -> None
      end
  | Papp (id, [t1; t2], _) when id == t_ge_real || id == t_ge_int ->
      begin match termo t1, termo t2 with
	| Some (Gcst c1), Some t2 -> Some (Gle (t2, c1))
	| Some t1, Some (Gcst c2) -> Some (Gge (t1, c2))
        | Some t1, Some t2 -> Some (Gge (Gsub (t1, t2), "0"))
	| _ -> None
      end
  | Papp (id, [t1; t2], _) when id == t_lt_real || id == t_lt_int ->
      begin match termo t1, termo t2 with
        | Some (Gcst c1), Some t2 -> Some (Gnot (Gle (t2, c1)))
        | Some t1, Some (Gcst c2) -> Some (Gnot (Gge (t1, c2)))
        | Some t1, Some t2 -> Some (Gnot (Gge (Gsub (t1, t2), "0")))
        | _ -> None
      end
  | Papp (id, [t1; t2], _) when id == t_gt_real || id == t_gt_int ->
      begin match termo t1, termo t2 with
        | Some (Gcst c1), Some t2 -> Some (Gnot (Gge (t2, c1)))
        | Some t1, Some (Gcst c2) -> Some (Gnot (Gle (t1, c2)))
        | Some t1, Some t2 -> Some (Gnot (Gle (Gsub (t1, t2), "0")))
        | _ -> None
      end
  | Pand (_, _, Papp (id1, [f1; t1], _), Papp (id2, [t2; f2], _))
    when (id1 == t_le_real || id1 == t_le_int) && (id2 == t_le_real || id2 == t_le_int)
    && t1 = t2 && is_constant f1 && is_constant f2 ->
    begin 
      try Some (Gin (term t1, eval_constant f1, eval_constant f2))
      with NotGappa -> None
    end
  | Papp (id, [t1; t2], _) when (* is_eq id *) id == t_eq_int || id == t_eq_real  ->
      begin match termo t1, termo t2 with
        | Some (Gcst c1), Some t2 -> Some (Gin (t2, c1, c1))
        | Some t1, Some (Gcst c2) -> Some (Gin (t1, c2, c2))
        | Some t1, Some t2 -> Some (Gin (Gsub (t1, t2), "0", "0"))
        | _ -> None
      end
  | Papp (id, [t1; t2], [ty]) when id == t_eq && is_float_type ty ->
      begin
(*        try*)
          let v1 = create_var t1 in
          let v2 = create_var t2 in
          Some (Gin (Gsub (Gfld(Rounded,v1), (Gfld(Rounded,v2))), "0", "0"))
(*
          List.iter
            (fun f -> 
               if not (Hashtbl.mem def_table (f, vx)) then
                 begin
                   Hashtbl.add def_table (f, vx) ();
                   def_list := (f, vx, Gfld(f,v)) :: !def_list
                 end
               else raise Exit)
            [Rounded; Exact; Model];
          None
        with Exit -> 
          gpred true p
*)
      end

  | Papp (id, [t1; t2], _) when is_neq id ->
      begin match termo t1, termo t2 with
        | Some (Gcst c1), Some t2 -> Some (Gnot (Gin (t2, c1, c1)))
        | Some t1, Some (Gcst c2) -> Some (Gnot (Gin (t1, c2, c2)))
        | Some t1, Some t2 -> Some (Gnot (Gin (Gsub (t1, t2), "0", "0")))
        | _ -> None
      end
  | Pand (_, _, p1, p2) ->
      begin match gpred def p1, gpred def p2 with
        | Some p1, Some p2 -> Some (Gand (p1, p2))
        | (Some _ as p1), None when def = true -> p1
        | None, (Some _ as p2) when def = true -> p2
        | _-> None
      end
  | Por (p1, p2) ->
      begin match gpred def p1, gpred def p2 with
        | Some p1, Some p2 -> Some (Gor (p1, p2))
        | (Some _ as p1), None when def = false -> p1
        | None, (Some _ as p2) when def = false -> p2
        | _ -> None
      end
  | Pimplies (_, Papp (id, [Tconst (ConstBool true); Tconst (ConstBool true)], _), p)
      when id == t_eq_bool ->
      gpred def p
  | Pimplies (_, p1, p2) ->
      begin match gpred (not def) p1, gpred def p2 with
        | Some p1, Some p2 -> Some (Gimplies (p1, p2))
        | Some p1, None        when def = false -> Some (Gnot p1)
        | None, (Some _ as p2) when def = false -> p2
        | _ -> None
      end
  | Pnamed (_, p) ->
      gpred def p
  | Plet (_, n, _, t, p) ->
      gpred def (subst_term_in_predicate n t p)
  | Pnot p ->
      begin match gpred (not def) p with
        | Some p -> Some (Gnot p)
        | _ -> None
      end
  | Forall _ 
  | Papp _
  | Pif _
  | Piff _
  | Forallb _
  | Exists _
  | Ptrue | Pfalse | Pvar _ -> (* discarded *)
      None

(*
let gpred def p =
  Format.printf "gpred %a@." Util.print_predicate p;
  gpred def p
*)

(* extraction of a list of equalities and possibly a Gappa predicate *)

let rec ghyp = function
  | Papp (id, [Tvar x; t], _) when id == t_eq_int || id == t_eq_real ->
    begin
      Hashtbl.replace var_table x (subst_var t);
      None
    end
  | Papp (id, [t; Tapp (id', [Tvar x], _)], _) 
  | Papp (id, [Tapp (id', [Tvar x], _); t], _) as p
      when id == t_eq_real &&
       (id' == single_value || id' == double_value || id' == single_exact ||
        id' == double_exact || id' == single_model || id' == double_model) ->
    begin
      match termo t with
      | Some t ->
          let f = field_of_id id' in
          let vx = Ident.string x in
          if not (Hashtbl.mem def_table (f, vx)) then
           (Hashtbl.add def_table (f, vx) ();
            def_list := (f, vx, t) :: !def_list;
            None)
          else
            gpred true p
      | None ->
          gpred true p
    end
  | Papp (id, [Tvar x; t], [ty]) | Papp (id, [t; Tvar x], [ty]) as p 
        when id == t_eq && is_float_type ty ->
      begin
        try
          let v = create_var t in
          let vx = Ident.string x in
          List.iter
            (fun f -> 
               if not (Hashtbl.mem def_table (f, vx)) then
                 begin
                   Hashtbl.add def_table (f, vx) ();
                   def_list := (f, vx, Gfld(f,v)) :: !def_list
                 end
               else raise Exit)
            [Rounded; Exact; Model];
          None
        with Exit -> 
          gpred true p
      end
(*
  | Papp (id, [t1; t2], [ty]) when id == t_eq->
      eprintf "t1 = %a@." Util.print_term t1;
      eprintf "t2 = %a@." Util.print_term t2;
      eprintf "ty = %a@." Util.print_pure_type ty;
      eprintf "is_float_type(ty) = %b@." (is_float_type ty);
      assert false
*)
  | p ->
      gpred true p

(* Processing obligations.
   One Why obligation can be split into several Gappa obligations *)

let queue = Queue.create ()

let reset () =
  Queue.clear queue;
  Termtbl.clear gen_table;
  Hashtbl.clear var_table;
  Hashtbl.clear rnd_table;
  Hashtbl.clear def_table;
  def_list := [];
  bnd_list := []

let add_ctx_vars =
  List.fold_left 
    (fun acc -> function Svar (id,_) -> Idset.add id acc | _ -> acc)

(* takes a reverted context and returns an augmented reverted context *)
let rec intros ctx = function
  | Forall (_, id, n, t, _, p) ->
      let id' = next_away id (add_ctx_vars (predicate_vars p) ctx) in
      let p' = subst_in_predicate (subst_onev n id') p in
      intros (Svar (id', t) :: ctx) p'
  | Pimplies (_, a, b) -> 
      let h = fresh_hyp () in 
      intros (Spred (h, a) :: ctx) b
  | Pnamed (_, p) ->
      intros ctx p
  | c -> 
      ctx, c

let rec handle_hyp p acc =
  match p with
    | Pnamed (_, p) -> handle_hyp p acc
    | Pand (_, _, p1, p2) -> handle_hyp p2 (handle_hyp p1 acc)
    | _ ->
        match ghyp p with
          | Some p -> p :: acc
          | None -> acc

let process_obligation (ctx, concl) =
  let ctx, concl = intros (List.rev ctx) concl in
  let ctx = List.rev ctx in
  let pl =
    List.fold_left
      (fun pl h ->
        match h with
          | Svar _ -> pl
          | Spred (_, p) -> handle_hyp p pl)
      [] ctx
    in
  let gconcl =
    match gpred false concl with
      | None -> Gle (Gcst "1", "0")
      | Some p -> p
    in
  let gconcl = List.fold_left (fun acc p -> Gimplies (p, acc)) gconcl pl in
  let gconcl = List.fold_left (fun acc p -> Gimplies (p, acc)) gconcl !bnd_list in
  Queue.add (List.rev !def_list, gconcl) queue

let push_decl d =
  let decl = PredDefExpansor.push ~recursive_expand:true d in
  match decl with
  | Logic_decl.Dgoal (_,_,_,_,s) -> process_obligation s.Env.scheme_type
  | _ -> ()

let get_format = function
  | Single -> "ieee_32"
  | Double -> "ieee_64"
  | Binary80 -> "x86_80"
  | Int -> "int"

let get_mode = function
  | RndNE -> "ne"
  | RndZR -> "zr"
  | RndUP -> "up"
  | RndDN -> "dn"
  | RndNA -> "na"

let rec print_term fmt = function
  | Gvar x -> fprintf fmt "%s" x
  | Gfld (Rounded, x) -> fprintf fmt "float_%s" x
  | Gfld (Exact,   x) -> fprintf fmt "exact_%s" x
  | Gfld (Model,   x) -> fprintf fmt "model_%s" x
  | Grnd (f, m, t) -> 
      fprintf fmt "rnd_%s%s(%a)" (get_format f) (get_mode m) print_term t
  | Gcst c -> fprintf fmt "%s" c
  | Gneg t -> fprintf fmt "(-%a)" print_term t
  | Gadd (t1, t2) -> fprintf fmt "(%a + %a)" print_term t1 print_term t2
  | Gsub (t1, t2) -> fprintf fmt "(%a - %a)" print_term t1 print_term t2
  | Gmul (t1, t2) -> fprintf fmt "(%a * %a)" print_term t1 print_term t2
  | Gdiv (t1, t2) -> fprintf fmt "(%a / %a)" print_term t1 print_term t2
  | Gabs t -> fprintf fmt "|%a|" print_term t
  | Gsqrt t -> fprintf fmt "sqrt(%a)" print_term t

let rec print_pred_atom fmt = function
  | Gle (t, r1) ->
      fprintf fmt "%a <= %s" print_term t r1
  | Gge (t, r1) ->
      fprintf fmt "%a >= %s" print_term t r1
  | Gin (t, r1, r2) ->
      fprintf fmt "%a in [%s, %s]" print_term t r1 r2
  | Grel (t1, t2, r1) ->
      fprintf fmt "|%a -/ %a| <= %s" print_term t1 print_term t2 r1
  | Gnot p ->
      fprintf fmt "not %a" print_pred_atom p
  | _ as p ->
      fprintf fmt "(%a)" print_pred p
and print_pred_left fmt = function
  | Gand (p1, p2) ->
      fprintf fmt "@[%a /\\@ %a@]" print_pred_atom p1 print_pred_atom p2
  | Gor (p1, p2) ->
      fprintf fmt "@[%a \\/@ %a@]" print_pred_atom p1 print_pred_atom p2
  | _ as p ->
      print_pred_atom fmt p
and print_pred fmt = function
  | Gimplies (p1, p2) ->
      fprintf fmt "@[%a ->@ %a@]" print_pred_left p1 print_pred p2
  | _ as p ->
      print_pred_left fmt p

let print_equation fmt (e, x, t) =
  let e =
    match e with
    | Rounded -> "float_"
    | Exact -> "exact_"
    | Model -> "model_" in
  fprintf fmt "@[%s%s = %a;@]" e x print_term t

let print_obligation fmt (eq,p) =
  Hashtbl.iter 
    (fun (f, m) () ->
       let m = get_mode m in
       match f with 
         | Int ->
             fprintf fmt "@@rnd_int%s = int<%s>;@\n" m m 
         | _ ->
             let f = get_format f in
             fprintf fmt "@@rnd_%s%s = float<%s, %s>;@\n" f m f m) 
    rnd_table;
  fprintf fmt "@\n%a@\n@\n" (print_list newline print_equation) eq;
  fprintf fmt "{ @[%a@] }@." print_pred p

let print_file fmt = Queue.iter (print_obligation fmt) queue

let output_one_file ~allowedit file =
  if allowedit then
    begin
      let sep = "### DO NOT EDIT ABOVE THIS LINE" in
      do_not_edit_above ~file
	~before:print_file
	~sep
	~after:(fun _fmt -> ())
    end
  else
      print_in_file print_file file

let output_file fwe =
  let sep = "### DO NOT EDIT ABOVE THIS LINE" in
  let i = ref 0 in
  Queue.iter
    (fun o ->
       incr i;
       if debug then eprintf "gappa obligation %d@." !i;
       let file = fwe ^ "_why_po_" ^ string_of_int !i ^ ".gappa" in
       do_not_edit_above ~file
	 ~before:(fun fmt -> print_obligation fmt o)
	 ~sep
	 ~after:(fun _fmt -> ()))
    queue
why-2.34/src/cvcl.ml0000644000175000017500000003222212311670312012666 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s CVC Lite's output *)

open Ident
open Options
open Misc
open Error
open Logic
open Logic_decl
open Vcg
open Format
open Cc
open Pp
open Ltyping
open Env
open Report

(*s Pretty print *)

let infix id =
  if id == t_lt then "<"
  else if id == t_le then "<="
  else if id == t_gt then ">"
  else if id == t_ge then ">="
  (* int cmp *)
  else if id == t_lt_int then "<"
  else if id == t_le_int then "<="
  else if id == t_gt_int then ">"
  else if id == t_ge_int then ">="
  (* int ops *)
  else if id == t_add_int then "+"
  else if id == t_sub_int then "-"
  else if id == t_mul_int then "*"
(*
  else if id == t_div_int then "/"
*)
  (* real ops *)
  else if id == t_add_real then "+"
  else if id == t_sub_real then "-"
  else if id == t_mul_real then "*"
  else if id == t_div_real then "/"
  else if id == t_lt_real then "<"
  else if id == t_le_real then "<="
  else if id == t_gt_real then ">"
  else if id == t_ge_real then ">="
  else assert false

let external_type = function
  | PTexternal _ -> true
  | _ -> false

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "INT"
  | PTbool -> fprintf fmt "BOOL"
  | PTreal -> fprintf fmt "REAL"
  | PTunit -> fprintf fmt "UNIT"
  | PTexternal ([pt], id) when id == farray -> 
      fprintf fmt "(ARRAY INT OF %a)" print_pure_type pt
  | PTvar {type_val=Some pt} -> print_pure_type fmt pt
  | PTvar _ -> assert false
  | PTexternal (i ,id) -> fprintf fmt "%s" (Encoding.symbol (id, i))

let rec print_term fmt = function
  | Tvar id -> 
      fprintf fmt "%a" Ident.print id
  | Tconst (ConstInt n) -> 
      fprintf fmt "%s" n
  | Tconst (ConstBool true) -> 
      fprintf fmt "true"
  | Tconst (ConstBool false) -> 
      fprintf fmt "false"
  | Tconst ConstUnit -> 
      fprintf fmt "tt" (* TODO: CORRECT? *)
  | Tconst (ConstFloat c) ->
      Print_real.print_with_integers
	"%s" 
	"(%s * %s)"
	"(%s / %s)" fmt c
  | Tderef _ -> 
      assert false
(*
  | Tapp (id, ([_;_] as tl), _) when id == t_mod_int ->
      fprintf fmt "@[%a(%a)@]" Ident.print id print_terms tl
*)
  | Tapp (id, [a], _) when id == t_sqrt_real || id == t_int_of_real ->
      fprintf fmt "@[%a(%a)@]" Ident.print id print_term a
  | Tapp (id, [a], _) when id == t_real_of_int ->
      fprintf fmt "@[%a@]" print_term a
(**
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "@[%a[%a]@]" print_term a print_term b
  | Tapp (id, [a; b; c], _) when id == store ->
      fprintf fmt "@[(%a WITH@ [%a] := %a)@]" 
	print_term a print_term b print_term c
**)
  | Tapp (id, [t], _) when id == t_neg_int || id == t_neg_real ->
      fprintf fmt "@[(-%a)@]" print_term t
  | Tapp (id, [a;b], _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%a %s %a)@]" print_term a (infix id) print_term b
  | Tapp (id, [], i) ->
      fprintf fmt "%s" (Encoding.symbol (id, i))
  | Tapp (id, tl, i) -> 
      (match Ident.fresh_from id with
        | Some (s,logic_id::_) when s == Encoding_mono_inst.create_ident_id
            && (Ident.string logic_id = "acc" || Ident.string logic_id = "upd" || Ident.string logic_id = "select" || Ident.string logic_id = "store" ) -> 
            (match tl,Ident.string logic_id with
              | [mem;key],("acc"|"select") -> fprintf fmt "@[(%a[%a])@]" print_term mem print_term key
              | [mem;key;value],("upd"|"store") -> fprintf fmt "@[(%a WITH [%a] := %a)@]" print_term mem
                  print_term key print_term value
              | _ -> assert false)
        | _ -> fprintf fmt "@[%s(%a)@]" (Encoding.symbol (id, i)) print_terms tl)
  | Tnamed (_, t) -> (* TODO: print name *)
      print_term fmt t

and print_terms fmt tl = 
  print_list comma print_term fmt tl

let rec print_predicate fmt = function
  | Ptrue ->
      fprintf fmt "TRUE"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "TRUE"
  | Pfalse ->
      fprintf fmt "FALSE"
  | Pvar id -> 
      fprintf fmt "%a" Ident.print id
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(%a)@]" print_predicate (Util.distinct tl)
  | Papp (id, [_t], _) when id == well_founded ->
      fprintf fmt "TRUE %% was well_founded@\n"
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "@[(%a =@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "@[(%a /=@ %a)@]" print_term a print_term b
  | Papp (id, [a;b], _) when is_int_comparison id || is_real_comparison id ->
      fprintf fmt "@[(%a %s %a)@]" print_term a (infix id) print_term b
  | Papp (id, [a;b], _) when id == t_zwf_zero ->
      fprintf fmt "@[((0 <= %a) AND@ (%a < %a))@]" 
	print_term b print_term a print_term b
  | Papp (id, tl, i) -> fprintf fmt "@[%s(%a)@]" (Encoding.symbol (id, i)) print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "@[(%a =>@ %a)@]" print_predicate a print_predicate b
  | Piff (a, b) ->
      fprintf fmt "@[(%a <=>@ %a)@]" print_predicate a print_predicate b
  | Pif (a, b, c) ->
      fprintf fmt 
     "@[((%a=true => %a) AND@ (%a=false => %a))@]"
      print_term a print_predicate b print_term a print_predicate c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "@[(%a AND@ %a)@]" print_predicate a print_predicate b
  | Por (a, b) ->
      fprintf fmt "@[(%a OR@ %a)@]" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "@[(NOT@ %a)@]" print_predicate a
  | Forall (_,id,n,t,_,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(FORALL (%a:%a):@ %a)@]" 
	Ident.print id' print_pure_type t print_predicate p'
  | Exists (id,n,t,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "@[(EXISTS (%a:%a):@ %a)@]" 
	Ident.print id' print_pure_type t print_predicate p'
  | Pnamed (_, p) -> (* TODO: print name *)
      print_predicate fmt p
  | Plet (_, n, _, t, p) ->
      print_predicate fmt (subst_term_in_predicate n t p)

let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "@[(FORALL (%a:%a):@ %a)@]" 
	  Ident.print id print_pure_type v print_seq hyps
    | Spred (_,p) :: hyps -> 
	fprintf fmt "@[(%a =>@ %a)@]" print_predicate p print_seq hyps
  in
  print_seq fmt hyps

let rec print_logic_type fmt = function
  | Predicate [] ->
      fprintf fmt "BOOLEAN"
  | Predicate [pt] ->
      fprintf fmt "(%a -> BOOLEAN)" print_pure_type pt
  | Predicate pl ->
      fprintf fmt "((%a) -> BOOLEAN)" (print_list comma print_pure_type) pl
  | Function ([], pt) ->
      print_pure_type fmt pt
  | Function ([pt1], pt2) ->
      fprintf fmt "(%a -> %a)" print_pure_type pt1 print_pure_type pt2
  | Function (pl, pt) ->
      fprintf fmt "((%a) -> %a)" 
	(print_list comma print_pure_type) pl print_pure_type pt

(* we need to recognize array types after monomorphization *)

let is_array s = String.length s >= 6 && String.sub s 0 6 = "array_"

let memory_arg_kv = lazy (is_logic_function (Ident.create "select"))

let declare_type fmt id = 
  match (Lazy.force memory_arg_kv), Ident.fresh_from id with
    | (false,Some (s,[mem;value;key])|true,Some (s,[mem;key;value]))
        when s == Encoding_mono_inst.create_ident_id 
          && Ident.string mem = "memory" ->      
        fprintf fmt "@[%a: TYPE = ARRAY %aIpointer OF %s;@]@.@." 
          Ident.print id 
          Ident.print key 
          (let s = Ident.string value in if s = "int" then "INT" else s)
    | _ -> if not (is_array (Ident.string id)) then fprintf fmt "@[%a: TYPE;@]@\n@\n" Ident.print id
        

let print_logic fmt id t =
  match Ident.fresh_from id with
    | Some (s,logic_id::_) when s == Encoding_mono_inst.create_ident_id
        && (Ident.string logic_id = "acc" || Ident.string logic_id = "upd") -> ()
    | _ ->
        fprintf fmt "%%%% Why logic %a@\n" Ident.print id;
          fprintf fmt "@[%a: %a;@]@\n@\n" Ident.print id print_logic_type t

let print_predicate_def fmt id (bl,p) =
  fprintf fmt "@[%%%% Why predicate %s@]@\n" id;
  fprintf fmt "@[%s: %a =@ LAMBDA (%a):@ @[%a@];@]@\n@\n"
    id 
    print_logic_type (Predicate (List.map snd bl))
    (print_list comma 
       (fun fmt (x,pt) -> 
	  fprintf fmt "%a: %a" Ident.print x print_pure_type pt )) bl 
    print_predicate p
    
let print_function_def fmt id (bl,t,e) =
  fprintf fmt "@[%%%% Why function %s@]@\n" id;
  fprintf fmt "@[%s: %a =@ LAMBDA (%a):@ @[%a@];@]@\n@\n"
    id
    print_logic_type (Function (List.map snd bl, t))
    (print_list comma 
       (fun fmt (x,pt) -> 
	  fprintf fmt "%a: %a" Ident.print x print_pure_type pt )) bl 
    print_term e

let print_axiom fmt id p =
  match id,p with
    | ("acc_upd" |"acc_upd_neq"|"select_store_eq"|"select_store_neq"), 
      Forall (_,_,_,PTexternal (_,t),_,_) when   
        (match Ident.fresh_from t with
           | Some (s,[mem;_;_]) when s == Encoding_mono_inst.create_ident_id 
               && Ident.string mem = "memory" -> true
           | _ -> false) -> ()
    | _ ->
  fprintf fmt "@[%%%% Why axiom %s@]@\n" id;
  fprintf fmt "@[ASSERT %a;@]@\n@\n" print_predicate p

let print_obligation fmt loc is_lemma _expl o s = 
  fprintf fmt "@[%%%% %s, %a@]@\n" o Loc.gen_report_line loc;
  fprintf fmt "PUSH;@\n@[QUERY %a;@]@\nPOP;@\n@\n" print_sequent s;
(*;
  fprintf fmt "@[%%%% %a@]@\n" Util.print_explanation expl;
*)
  if is_lemma then begin
    fprintf fmt "@[%%%%  %s as axiom@]@\n" o;
    fprintf fmt "@[ASSERT %a;@]@\n@\n" print_sequent s;
  end

let push_decl d = Encoding.push ~encode_preds:false ~encode_funs:false d

let iter = Encoding.iter

let reset () = Encoding.reset ()

let output_elem fmt = function
  | Dtype (_loc, id, []) -> declare_type fmt id
  | Dtype _ -> assert false
  | Dalgtype _ ->
      assert false
(*
      failwith "CVC light: algebraic types are not supported"
*)
  | Dlogic (_loc, id, t) ->
      print_logic fmt id t.scheme_type
  | Dpredicate_def (_loc, id, d) -> 
      let id = Ident.string id in
      print_predicate_def fmt id d.scheme_type
  | Dinductive_def _ ->
      assert false
(*
      failwith "CVC light: inductive def not yet supported"
*)
  | Dfunction_def (_loc, id, d) -> 
      let id = Ident.string id in
      print_function_def fmt id d.scheme_type
  | Daxiom (_loc, id, p) ->
      print_axiom fmt id p.scheme_type
  | Dgoal (loc, is_lemma, expl, id, s) ->
      print_obligation fmt loc is_lemma expl id s.Env.scheme_type

let prelude_done = ref false
let prelude fmt = 
  if not !prelude_done && not no_cvcl_prelude then begin
    prelude_done := true;
    fprintf fmt "
UNIT: TYPE;
tt: UNIT;
BOOL: TYPE;
true: BOOL;
false: BOOL;
ASSERT (FORALL (b:BOOL): (b=true OR b=false));
ASSERT (true /= false);
"
  end

let print_file fmt =
  (*if not no_cvcl_prelude then predefined_symbols fmt;*)
  iter (output_elem fmt)

let output_file ~allowedit file =
  if allowedit then
    begin
      let sep = "%%%% DO NOT EDIT BELOW THIS LINE" in
      do_not_edit_below ~file
	~before:prelude
	~sep
	~after:print_file
    end
  else
    print_in_file print_file file

why-2.34/src/lexer.mli0000644000175000017500000000507212311670312013232 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



exception Lexical_error of string

val token : Lexing.lexbuf -> Parser.token

val parse_file  : Lexing.lexbuf -> Ptree.file
val parse_lexpr : Lexing.lexbuf -> Ptree.lexpr

val lexpr_of_string : string -> Ptree.lexpr

(*
Local Variables: 
compile-command: "unset LANG; make -j -C .. bin/why.byte"
End: 
*)
why-2.34/src/mapenv.ml0000644000175000017500000001006212311670312013223 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Logic

let rec compare_list cmp l1 l2 =
  match l1,l2 with
    | [],[] -> 0
    | [],_ -> -1
    | _,[] -> 1
    | a1::l1,a2::l2 -> let c = cmp a1 a2 in
      if c<>0 then c
      else compare_list cmp l1 l2

let compare_pair cmp1 cmp2 (id1,l1) (id2,l2) = 
      let c = cmp1 id1 id2 in
      if c<>0 then c
      else cmp2 l1 l2

module PT = 
  struct
    type t = pure_type
    let to_int = function 
      | PTint -> 1
      | PTbool -> 2
      | PTreal -> 3
      | PTunit -> 4
      | PTvar _ -> 5
      | PTexternal _ -> 6

    let rec compare x y =
      let c = Pervasives.compare (to_int x) (to_int y) in
      if c<>0 then c
      else 
        match x,y with
          | PTint, _ | PTbool, _ | PTreal, _ | PTunit, _ -> 0
          | PTvar {tag = t1}, PTvar {tag = t2} -> Pervasives.compare t1 t2
          | PTexternal (l1,id1),PTexternal (l2,id2) -> 
              let c = Ident.I.compare id1 id2 in
              if c<>0 then c
              else compare_list compare l1 l2
          | _ -> assert false
  end

module PT_Map = Map.Make(PT)
module PT_Set = Set.Make(PT)

let rec add_subtype_list s l = 
  List.fold_left (fun s e -> add_subtype s e) s l
and add_subtype s = function
  | PTint | PTbool | PTreal | PTunit | PTvar _ as t -> PT_Set.add t s
  | PTexternal (l,_id) as t -> add_subtype_list (PT_Set.add t s) l

let _PT_Set_add_normalize x s = PT_Set.add (Misc.normalize_pure_type x) s

(* pair string,instance *)
module Inst =
  struct
    type t = Ident.t * instance
    let compare = compare_pair Ident.I.compare (compare_list PT.compare)
  end
        
module Inst_Map = Map.Make(Inst)
        
let fold_map f acc l =
  let acc,l = List.fold_left (fun (acc,l) e -> 
                                let acc,e = (f acc e) in
                                acc,e::l) (acc,[]) l in
  acc,List.rev l
  
     

why-2.34/src/hypotheses_filtering.ml0000644000175000017500000022301512311670312016177 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(**
   This module provides a quick way to filter hypotheses of 
   a goal. It is activated by the option 
   --prune-hyp vb pb 
   where vb an pb are integers that are positive or null. 
   vb is the bound of the max depth of the variable graph search 
   pb is the bound of the max depth of the predicate graph search 
   The number of selected hypotheses increases w.r.t. vb and pb. 
   
   The internal flow is:
   1) Hypotheses are expanded thanks to the intros tactic. 
   A short goal is then produced.
   2) Variables of hypothesis are stored into a graph where 
  - a variable is represented by a vertex
   - a predicate linking some variables is represented by 
   the complete graph with all the vertices 
   corresponding to the variables 
   3) A breadth-first search algorithm, bounded by the constant pb
   computes the set of relevant predicates P
   4) A breadth-first search algorithm, bounded by the constant k
   computes the set of relevant variables V
   5) An hypothesis is selected  by comparing its set of variables 
   with R and its set of predicates with P 
**)


open Ident
open Options
open Misc
open Error
open Logic
open Logic_decl
open Env
open Cc
open Format
open Pp
open Hashtbl
open Set
open Util
open Graph.Graphviz
open Graph.Path

(* Strategies with constants *)
type var_strat =
    AllVars
  | One
  | AllInABranch
  | SplitHyps
  | CNFHyps

let prune_context = Options.prune_context
let use_comparison_as_criteria_for_graph_construction =
  Options.pruning_hyp_CompInGraph
let use_comparison_as_criteria_for_hypothesis_filtering = 
	Options.pruning_hyp_CompInFiltering
let keep_quantification_link_beween_vars = 
	Options.pruning_hyp_LinkVarsQuantif
(* Setup of comparison management *)
let keep_single_comparison_representation = 
	Options.pruning_hyp_keep_single_comparison_representation
let considere_arith_comparison_as_special_predicate = 
	Options.pruning_hyp_considere_arith_comparison_as_special_predicate
let comparison_eqOnly = Options.pruning_hyp_comparison_eqOnly
let suffixed_comparison = Options.pruning_hyp_suffixed_comparison
let equalities_linked = Options.pruning_hyp_equalities_linked
let arith_tactic = Options.pruning_hyp_arithmetic_tactic
let var_filter_tactic = match Options.pruning_hyp_var_tactic with
  | 0 -> AllVars
  | 1 -> One
  | 2 -> AllInABranch
  | 3 -> SplitHyps
  | 4 -> CNFHyps
  | _ -> failwith "Heuristic failed."
let polarized_preds = Options.pruning_hyp_polarized_preds

let pb = ref Options.pruning_hyp_p
let vb = ref Options.pruning_hyp_v
let v_count = ref 0
let hyp_count = ref 0

let set_pb n =
  pb := n

let set_vb n =
  vb := n

let context = ref []
let predicateMaximumDepth = ref 0
let variablesMaximumDepth = ref 0


(**
***********************
VarStringSet module and miscenalous tools
***********************
**)

type var_string =
  | PureVar of string (*already present*)
  | FreshVar of string (*introduced by a flatening step*)

module VarStringSet = Set.Make(struct type t = var_string let compare = compare end)

let member_of str st =
  VarStringSet.mem (PureVar str) st || VarStringSet.mem (FreshVar str) st

let distinct_vars v1 v2 =
  match (v1, v2) with
    (PureVar (id1), PureVar (id2)) ->
      id1 <> id2
  | _ -> assert false

let string_of_var v =
  match v with
    PureVar(id) -> id
  | FreshVar(id) -> id

let display_var_set set =
  VarStringSet.iter
    (fun s ->
          Format.printf "%s " (string_of_var s)) set;
  Format.printf "@\n@."

(** returns the free variables of a term that are not outer quantified (in qvars) **)
let free_vars_of qvars t =
  let vars = ref VarStringSet.empty in
  let rec collect formula =
    match formula with
    | Tapp (_id, tl, _) ->
        List.iter collect tl
    | Tvar (id) ->
        if not (VarStringSet.mem (PureVar (Ident.string id)) qvars) then
          vars := VarStringSet.add (PureVar (Ident.string id)) !vars
    | _ -> () in
  collect t;
  !vars

(** returns the free variables of a predicate that are not inner quantified **)
let free_vars_of p =
  let vars = ref VarStringSet.empty in
  let rec collect qvars formula =
    match formula with
    | Papp (_, tl, _) ->
        List.iter
          (fun t ->
                let v' = free_vars_of qvars t in
                vars := VarStringSet.union v' !vars) tl
    | Pand (_, _, a, b) | Forallb (_, a, b) | Por (a, b) | Piff (a, b) 
    | Pimplies (_, a, b) ->
        collect qvars a;
        collect qvars b
    | Pif (a, b, c) ->
        let v' = free_vars_of qvars a in
        vars := VarStringSet.union v' !vars;
        collect qvars b;
        collect qvars c
    | Pnot a -> collect qvars a;
    | Forall (_, id, _, _, _, p) | Exists (id, _, _, p) ->
        collect (VarStringSet.add (PureVar (Ident.string id)) qvars) p
    | Plet (_, n, _, t, p)  ->
        collect qvars (subst_term_in_predicate n t p) (* FIXME? *)
    | Pnamed (_, p) -> collect qvars p
    | Pvar _ | Pfalse | Ptrue -> ()
  in
  collect VarStringSet.empty p;
  !vars

(** returns the nnf of a formula **)
let rec nnf fm =
  let boolTrue = Tconst (ConstBool true) in
  match fm with
  | Pand (p1, p2, p, q) -> Pand(p1, p2, nnf p, nnf q)
  | Forallb (p1, p, q) -> Pand(p1, false, nnf p, nnf q)
  | Por (p, q) -> Por(nnf p, nnf q)
  | Pimplies (_, p, q)
  -> Por (nnf (Pnot p), nnf q)
  | Piff (p, q) ->
      Pand(false, false, Por(nnf (Pnot p), nnf q), Por(nnf p, nnf(Pnot q)))
  | Pif (a, b, c) ->
      Pand (false, false,
        Por (Papp (t_neq_bool, [boolTrue; a], []),
          nnf b),
        Por (Papp (t_eq_bool, [boolTrue; a], []), nnf c))
  | Forall (t1, t2, p3, p4, p5, p) ->
      Forall(t1, t2, p3, p4, p5, nnf p)
  | Exists (t1, t2, pt, p) ->
      Exists (t1, t2, pt, nnf p)
  | Pnot (Pnot p) -> nnf p
  | Pnot (Pand (_, _, p, q)) -> Por(nnf (Pnot p), nnf(Pnot q))
  | Pnot (Por (p, q)) -> Pand(false, false, nnf (Pnot p), nnf (Pnot q))
  | Pnot (Pimplies (pwp, p, q)) -> Pand(pwp, false, nnf p, nnf (Pnot q))
  | Pnot (Piff (p, q)) -> Por( Pand(false, false, nnf p, nnf(Pnot q)),
        Pand(false, false, nnf (Pnot p), nnf q))
  | Pnot(Forall(_, t1, t2, ty, _, p)) ->
      Exists(t1, t2, ty, (nnf (Pnot p)))
  | Pnot(Forallb (_, p, q)) -> Por(nnf (Pnot p), nnf(Pnot q))
  | Pnot(Exists (t1, t2, pt, p)) ->
      Forall(false, t1, t2, pt,[], (nnf (Pnot p)))
  | Pnot(Pif (a, b, c)) ->
      Por (
        Pand (false, false, Papp (t_eq_bool, [boolTrue; a], []),
          nnf (Pnot b)),
        Pand (false, false, Papp (t_neq_bool, [boolTrue; a], []),
          nnf (Pnot c)))
  | _ -> fm

(** reduces as possible the scope of quantifier
@param pr is the concerned predicate **)
let miniscoping pr =
  let rec mq q fm =
    match q with
    | Forall (t1, t2, p3, p4, p5, _) ->
        begin
          if not (member_of
                (Ident.string t2)
                (free_vars_of fm)) then
            fm
          else
            begin
              match fm with
              | Pand (p1, p2, p, q) ->
                  if not (member_of
                        (Ident.string t2)
                        (free_vars_of p)) then
                    let q' = mq (Forall(t1, t2, p3, p4, p5, q)) q in
                    Pand (p1, p2, p, q')
                  else
                  if not (member_of
                        (Ident.string t2)
                        (free_vars_of q)) then
                    let p' = mq (Forall(t1, t2, p3, p4, p5, p)) p in
                    Pand (p1, p2, p', q)
                  else
                    Pand (p1, p2,
                      mq (Forall (t1, t2, p3, p4, p5, p)) p,
                      mq (Forall (t1, t2, p3, p4, p5, q)) q)
              | Por (p, q) ->
                  if not (member_of
                        (Ident.string t2)
                        (free_vars_of p)) then
                    let q' = mq (Forall(t1, t2, p3, p4, p5, q)) q in
                    Por (p, q')
                  else
                  if not (member_of
                        (Ident.string t2)
                        (free_vars_of q)) then
                    let p' = mq (Forall (t1, t2, p3, p4, p5, p)) p in
                    Por (p', q)
                  else
                    Forall (t1, t2, p3, p4, p5, fm)
              | _ -> Forall (t1, t2, p3, p4, p5, fm)
            end
        end
    | Exists (t1, t2, pt, _p) ->
        begin
          if not (member_of
                (Ident.string t1)
                (free_vars_of fm)) then
            fm
          else
            match fm with
            | Pand (p1, p2, p, q) ->
                if not (member_of
                      (Ident.string t1)
                      (free_vars_of p)) then
                  let q' = mq (Exists(t1, t2, pt, q)) q in
                  Pand (p1, p2, p, q')
                else
                if not (member_of
                      (Ident.string t1)
                      (free_vars_of q)) then
                  let p' = mq (Exists(t1, t2, pt, p)) p in
                  Pand (p1, p2, p', q)
                else
                  Exists(t1, t2, pt, fm)
            | Por (p, q) ->
                if not (member_of
                      (Ident.string t1)
                      (free_vars_of p)) then
                  let q' = mq (Exists(t1, t2, pt, q)) q in
                  Por (p, q')
                else
                if not (member_of
                      (Ident.string t1)
                      (free_vars_of q)) then
                  let p' = mq (Exists (t1, t2, pt, p)) p in
                  Por (p', q)
                else
                  Por(
                    mq (Exists (t1, t2, pt, p)) p,
                    mq (Exists (t1, t2, pt, q)) q)
            | _ -> Exists(t1, t2, pt, fm)
        end
    | _ -> assert false
  in
  (** rewrites Forallb into Forall and call mq to reduce scoping of quantifiers **)
  let rec minib fm =
    match fm with
    | Pand (p1, p2, p, q) -> Pand(p1, p2, minib p, minib q)
    | Forallb (p1, p, q) -> Pand(p1, false, minib p, minib q)
    | Por (p, q) -> Por(minib p, minib q)
    | Forall (_t1, _t2, _p3, _p4, _p5, p) as pi -> mq pi (minib p)
    | Exists (_t1, _t2, _pt, p) as pi -> mq pi (minib p)
    | _ -> fm
  in
  minib (nnf pr)

(** compute the cnf of a predicate **)
let cnf fm =
  let rec cnfp p = match p with
    | Pand (p1, p2, p, q) -> Pand(p1, p2, cnfp p, cnfp q)
    | Por (p1, p2) -> distr (cnfp p1, cnfp p2)
    | Forall (t1, t2, p3, p4, p5, p) -> Forall (t1, t2, p3, p4, p5, cnfp p)
    | Exists (t1, t2, pt, p) -> Exists (t1, t2, pt, cnfp p)
    | _ -> p
  and distr = function
    | (Exists (t1, t2, pt, p), y) -> Exists (t1, t2, pt, distr (p, y))
    | (y, Exists (t1, t2, pt, p)) -> Exists (t1, t2, pt, distr (y, p))
    | (Forall (t1, t2, p3, p4, p5, p), y) -> Forall (t1, t2, p3, p4, p5, distr(p, y))
    | (y, Forall (t1, t2, p3, p4, p5, p)) -> Forall (t1, t2, p3, p4, p5, distr(y, p))
    | (Pand (p1, p2, x2, x3), y) -> Pand (p1, p2, distr (x2, y), distr (x3, y))
    | (x, Pand (p1, p2, y2, y3)) -> Pand (p1, p2, distr (x, y2), distr (x, y3))
    | (x, y) -> Por(x, y)
  
  (* all hypothesis functions are defined without Pnamed case. It is then    *)
  (* removed before selection. It does not have any implication on produced  *)
  (* code.                                                                   *)
  and rm_pnamed par = match par with
    | Pnamed(_, p) -> rm_pnamed p
    | Exists (a, b, c, d) -> Exists (a, b, c, (rm_pnamed d))
    | Forallb (a, b, c) -> Forallb (a, (rm_pnamed b), (rm_pnamed c))
    | Forall (a, b, c, d, e, f) -> Forall (a, b, c, d, e, (rm_pnamed f))
    | Plet (id, x, pt, t, p) -> Plet (id, x, pt, t, rm_pnamed p)
    | Pnot a -> rm_pnamed a
    | Piff (a, b) -> Piff (rm_pnamed a, rm_pnamed b)
    | Por (c, d) -> Por (rm_pnamed c, rm_pnamed d)
    | Pand (a, b, c, d) -> Pand (a, b, rm_pnamed c, rm_pnamed d)
    | Pif (a, b, c) -> Pif (a, rm_pnamed b, rm_pnamed c)
    | Pimplies (a, b, c) -> Pimplies (a, rm_pnamed b, rm_pnamed c)
    | Papp (a, b, c) -> Papp (a, b, c)
    | Pvar a -> Pvar a
    | Pfalse -> Pfalse
    | Ptrue -> Ptrue
  in
  cnfp (miniscoping (rm_pnamed fm))

(** avoided vars **)
let avoided_vars = VarStringSet.singleton (PureVar "alloc")

(** a variable name will be associated to each hypothesis **)
let hash_hyp_vars : (predicate,'a) Hashtbl.t = Hashtbl.create 20

let display_str str set =
  Format.printf "%s : " str;
  display_var_set set;
  Format.printf "@\n@."

module SS_set = Set.Make(struct type t = VarStringSet.t let compare = compare end)

(* Provide a fresh variable identifier from an identifier *)
let bound_variable id =
  v_count := !v_count + 1;
  Ident.create ((Ident.string id)^"_"^ (string_of_int !v_count))

let my_fresh_hyp_str () =
  hyp_count := !hyp_count + 1;
  (string_of_int !hyp_count)

let my_fresh_hyp () =
  hyp_count := !hyp_count + 1;
  Ident.create (string_of_int !hyp_count)

let get_flaged_var v ac_fv_set =
  if not (member_of (Ident.string v) ac_fv_set)
  then
    (PureVar (Ident.string v))
  else
    (FreshVar (Ident.string v))

(**
@return vars which is a set of sets of variables
(either pure or fresh) contained in tl
@param qvars is a set of quantified variables
@tl is the list of terms
@param ac : accumulateur des variables fraiches de l'appelant
**)
let vars_of_list qvars tl ac =
  let vars = ref SS_set.empty in
  let rec collect l ac_fv_set =
    let lp = ref l in
    let inner_vars = ref VarStringSet.empty in
    let f t =
      match t with
      | Tapp (id, tl, _) when is_arith_binop id ->
          lp := !lp@tl
      | Tapp (id, tl, _) ->
          let id' = (bound_variable id) in
          let bv = (FreshVar (Ident.string id')) in
          inner_vars := VarStringSet.add bv !inner_vars;
          let l' = Tvar(id'):: tl in
          collect l' (VarStringSet.add bv ac_fv_set)
      | Tvar (id) ->
          if not (member_of (Ident.string id) qvars) then
            inner_vars := VarStringSet.add (get_flaged_var id (VarStringSet.union ac_fv_set ac)) !inner_vars
      (* if not (member_of (Ident.string id) ac_fv_set) then inner_vars :=       *)
      (* VarStringSet.add (PureVar (Ident.string id)) !inner_vars else           *)
      (* inner_vars := VarStringSet.add (FreshVar (Ident.string id)) !inner_vars *)
      | _ -> ()
    in
    List.iter f !lp;
    vars := SS_set.add (VarStringSet.diff !inner_vars avoided_vars) !vars
  in
  collect tl VarStringSet.empty;
  !vars

(**
@return vars which is a set of sets of variables
@param f the formula to be analyzed
**)
let sets_of_vars f =
  
  let rec local_subst_in_term id1 id2 = function
    | Tvar x as t ->
    (* if debug then begin Format.printf "\nTvar found : %s Tvar seeked : %s   *)
    (* to substitute with %s status = " (Ident.string x) (Ident.string id1)    *)
    (* (Ident.string id2); if id1==x then Format.printf "OK\n" else            *)
    (* Format.printf "KO\n" end;                                               *)
        if (Ident.string id1) == (Ident.string x) then (Tvar id2) else t
    | Tderef x as t ->
        if (Ident.string id1) == (Ident.string x) then (Tderef id2) else t
    | Tapp (x, l, i) ->
        Tapp (x, List.map (local_subst_in_term id1 id2) l, i)
    | Tconst _ as t ->
        t
    | Tnamed(lab, t) -> Tnamed(lab, local_subst_in_term id1 id2 t)
  
  in let rec local_subst_in_predicate id1 id2 = function
    | Papp (id, l, i) -> Papp (id, List.map (local_subst_in_term id1 id2) l, i)
    | Pif (a, b, c) -> Pif (local_subst_in_term id1 id2 a,
          local_subst_in_predicate id1 id2 b,
          local_subst_in_predicate id1 id2 c)
    | Forall (w, id, b, v, tl, p) ->
        Forall (w, id, b, v, List.map (List.map (
                  (fun id1 id2 -> function
                        | TPat t -> TPat (local_subst_in_term id1 id2 t)
                        | PPat p -> PPat (local_subst_in_predicate id1 id2 p) ) id1 id2)) tl,
          local_subst_in_predicate id1 id2 p)
    | p -> map_predicate (local_subst_in_predicate id1 id2) p
  in
  
  let vars = ref SS_set.empty in
  let ac_fv_set = ref VarStringSet.empty in
  let rec collect qvars formula =
    match formula with
    | Papp (id, [el1; el2], _) when is_eq id ->
        begin
          match (el1, el2) with
          |	(Tvar (v1), Tvar(_v2)) ->
              vars := SS_set.add
                ((VarStringSet.add (get_flaged_var v1 !ac_fv_set)) (* (PureVar (Ident.string v1))  *)
                    (VarStringSet.singleton (get_flaged_var v1 !ac_fv_set)))    (* (PureVar (Ident.string v2))) )*)
                !vars
          | (Tvar (v1), Tapp (_, tl, _)) ->
              let l' = Tvar(v1):: tl in
              let v = vars_of_list qvars l' !ac_fv_set in
              (** TODO modifier mettre pure var ? **)
              vars := SS_set.union v !vars
          | (Tapp (_, tl, _), Tvar(v1)) ->
              let l' = Tvar(v1):: tl in
              let v = vars_of_list qvars l' !ac_fv_set in
              vars := SS_set.union v !vars
          | (Tapp (id, tl, _), Tapp (_, tl', _)) ->
              let id' = bound_variable id in
              let tl = Tvar(id'):: tl in
              let tl' = Tvar(id'):: tl' in
              let v = vars_of_list qvars tl !ac_fv_set in
              let v' = vars_of_list qvars tl' !ac_fv_set in
              vars := SS_set.union v !vars;
              vars := SS_set.union v' !vars;
          | (Tapp (_, tl, _), _) ->
              let v = vars_of_list qvars tl !ac_fv_set in
              vars := SS_set.union v !vars;
          | (Tvar(v1), _) ->
              vars := SS_set.add
                (VarStringSet.singleton (get_flaged_var v1 !ac_fv_set) (*(PureVar (Ident.string v1))*) )
                !vars;
          | (_, Tapp (_, tl, _)) ->
              let v = vars_of_list qvars tl !ac_fv_set in
              vars := SS_set.union v !vars
          | (_, Tvar(v1)) ->
              vars := SS_set.add
                (VarStringSet.singleton (get_flaged_var v1 !ac_fv_set) (*(PureVar (Ident.string v1))*) )
                !vars
          | _ -> ()
        end
    | Papp (_, tl, _) ->
        let v = vars_of_list qvars tl !ac_fv_set in
        vars := SS_set.union v !vars
    | Pand (_, _, a, b) | Forallb (_, a, b) | Por (a, b) | Piff (a, b)
    | Pimplies (_, a, b) ->
        collect qvars a;
        collect qvars b
    | Pif (a, b, c) ->
        let l = a::[] in
        let v' = vars_of_list qvars l !ac_fv_set in
        vars := SS_set.union v' !vars;
        collect qvars b;
        collect qvars c
    | Pnot a ->
        collect qvars a;
    | Forall (_, id, _, _, _, p) | Exists (id, _, _, p) ->
        if (keep_quantification_link_beween_vars) then
          begin
            (* The quantified variable id is modified as a fresh one and is    *)
            (* substituted in P, before collecting                             *)
            let id' = (bound_variable id) in
            let bv = (FreshVar (Ident.string id')) in
            (* inner_vars := VarStringSet.add bv !inner_vars; let l' = Tvar(id')::tl   *)
            (* in                                                                      *)
            ac_fv_set:= (VarStringSet.add bv !ac_fv_set);  (* Fresh var. list update *)
            let p'= (local_subst_in_predicate id id' p) in   (*  substitutes id with id' in P *)
            (* let p'= (subst_in_predicate (subst_onev id id') p) in if debug    *)
            (* then begin Format.printf "\nVar : %s subst by %s\n" (Ident.string *)
            (* id) (Ident.string id'); Format.printf "Predicate : %a \n          *)
            (* Substituted in : %a \n\n" Util.print_predicate p                  *)
            (* Util.print_predicate p' end;                                      *)
            collect qvars p'
          end
        else
          collect (VarStringSet.add (PureVar (Ident.string id)) qvars) p
    | Pnamed (_, p) ->
        collect qvars p
    | Plet (_, n, _, t, p) ->
	collect qvars (subst_term_in_predicate n t p)
    | Pvar _ | Pfalse | Ptrue -> ()
  in
  collect VarStringSet.empty f;
  !vars

(** end of  VarStringSet module  **)

(**
***********************
basic strategy type
***********************
**)

(** Abstract clauses. 

An abstract clause only stores atome numbers,
the set of positive predicates symbols
and the set of negative symbols.
Each predicate is represented as a string.
The set of positive predicates is stored as a StringSet.t
**)
module StringSet = Set.Make(struct type t = string let compare = compare end)
(* A type for Ident pairs *)
type identPair = Pair of Ident.t * Ident.t
(* A type for sets of ident pairs *)
module IdentPairSet = Set.Make(struct type t = identPair let compare = compare end)
(* Type of an abstract clause *)	
type abstractClause = { 
	num : int; 
	pos : StringSet.t; 
	neg : StringSet.t;
	cmp : IdentPairSet.t }

let mk_empty_clause () = { num = 0 ; 
			   pos = StringSet.empty ; 
			   neg = StringSet.empty ; 
			   cmp = IdentPairSet.empty }


module AbstractClauseSet = Set.Make(
	struct type t = abstractClause let compare = compare end)

let display_cl cl =
  let display_set_pr =
    StringSet.fold
      (fun x1 a -> x1^" "^a);
  in
  Format.printf "[num: %d, pos: {%s}, neg :{%s}]"
    cl.num
    (display_set_pr cl.pos "")
    (display_set_pr cl.neg "")

let display_cl_set set =
  Format.printf "{ ";
  AbstractClauseSet.iter
    (fun c ->
          display_cl c) set;
  Format.printf "}\n"

(**
********************************
Graph of variables
********************************
**)
module Var_node =
struct
  type t = var_string
  let hash = Hashtbl.hash
  let compare n1 n2 = Pervasives.compare n1 n2
  let equal = (=)
end

module Var_graph = Graph.Imperative.Graph.Concrete(Var_node)
let vg = ref (Var_graph.create())

module DisplayVarGraph = struct
  let vertex_name v = string_of_var v
  let graph_attributes _ = []
  let default_vertex_attributes _ = []
  let vertex_attributes _ = []
  let default_edge_attributes _ = []
  let get_subgraph _ = None
  let edge_attributes _ = []
  include Var_graph
end

module DotVG = Graph.Graphviz.Dot(DisplayVarGraph)

(**
updates the graph_of_variables
**)
let update_v_g vars =
  (** computes the vertex **)
  VarStringSet.iter (fun n -> Var_graph.add_vertex !vg n) vars;
  let rec updateb n v =
    (** adds the edges n<->n2 for all n2 in v **)
    VarStringSet.iter (
        fun n2 -> Var_graph.add_edge !vg n n2) v;
    (** choose another variable and computes the other edges **)
    if not (VarStringSet.is_empty v) then
      let n' = VarStringSet.choose v in
      updateb n' (VarStringSet.remove n' v)
  in
  if not (VarStringSet.is_empty vars) then
    let n' = (VarStringSet.choose vars) in
    updateb
      n'
      (VarStringSet.remove n' vars)

(**
@param l list of variable declaration or predicates (hypotheses)
@param c is the conclusion
Update the hashtables
- symbs which associates to each hypothesis its symbols (as a triple)
and class_of_hyp
- class_of_hyp which associates to each hypothesis its representative
variable
**)
let build_var_graph (l, c) =
  
  (** retrieves the variables of the conclusion **)
  let v = (sets_of_vars c) in
  let _ = SS_set.fold (fun s t ->
        (** update the graph of variables **)
            update_v_g s;
            VarStringSet.union s t) v VarStringSet.empty in
  let rec mem = function
    | [] -> ()
    | Svar (_id, _v) :: q -> mem q
    | Spred (_, p) :: q ->
        let v = sets_of_vars p in
        (** for each set of variables, build the SCC
        of the set and computes the union of all the variables **)
        let v' =
          SS_set.fold (fun s t ->
                  update_v_g s;
                  VarStringSet.union s t) v VarStringSet.empty in
        (** v' is the union of all the variables **)
        let v' = VarStringSet.diff v' avoided_vars in
        (** associates v' to the hypothesis **)
        Hashtbl.add hash_hyp_vars p v';
        if debug then
          begin
          (* Format.printf " In hyps %a" Util.print_predicate p ; display_str "vars  *)
          (* " v';                                                                   *)
          end;
        mem q
  in
  mem l

(** **)
let removes_fresh_vars vs =
  VarStringSet.fold
    (fun el s ->
          match el with
            PureVar _ as x -> VarStringSet.add x s
          | FreshVar _ -> s)
    vs
    VarStringSet.empty

(** returns the set of all the successors of a node **)
let succs_of vs =
  VarStringSet.fold
    (fun el l ->
          let succ_set =
            try
              let succ_list = Var_graph.succ !vg el in
              List.fold_right
                (fun el s ->
                      VarStringSet.add el s) succ_list VarStringSet.empty
            with _ -> VarStringSet.empty in
          VarStringSet.union l succ_set
    )
    vs
    VarStringSet.empty








(**
   @param v the initial set of variables
   @param n the depth of the tree of variables
   @return the list of variables reachable in n steps
**)
let get_n_depth_vars v n =
  (**
     @param v the initial, or newly reached, set of variables
     @param n the depth of the tree of variables
     @param acc acumumulates the variables that have already been visited
     @return the list of variables reachable in n steps
  **)
  let rec get_vars_in_tree_b v n acc =
    let vret =
      if n > 0 then
	let succ_set = succs_of v in
	let newly_reached = VarStringSet.diff succ_set acc in
	(*VarStringSet.union v
          ( *)
	get_vars_in_tree_b 
          newly_reached
          (n - 1) 
          (VarStringSet.union v succ_set)
          (* ) *)
      else
	v 
    in
    (** Some variables have to not be consider in the graph **)
    VarStringSet.diff vret avoided_vars 


  in
  VarStringSet.diff (get_vars_in_tree_b v n VarStringSet.empty) v


(**
   @param v the initial set of variables
   @return the minimum depth needed to reach all reachable variables
**)
let get_depth_of_reachable_vars v =
  
  let rec get_depth nrvars depth acc =
    let succ_set = succs_of nrvars in
    let treated_vars = VarStringSet.union nrvars acc in
    let newly_reached = VarStringSet.diff succ_set treated_vars in

    if (VarStringSet.cardinal newly_reached) > 0 then
      get_depth
        newly_reached
        (depth + 1) 
        treated_vars
    else
      depth
	
  in
  get_depth v 0 VarStringSet.empty
    







(** End of graph of variables **)

(**
********************************
Graph of predicates
********************************
**)
type positivity = Pos | Neg

let oposite = function
    Pos -> Neg
  | Neg -> Pos

let string_value_of t =
  match t with
    Pos -> ""
  | Neg -> "_C"

type vertexLabel = { l: string; pol: positivity }

module Vrtx =
struct
  type t = vertexLabel
  let hash = Hashtbl.hash
  let compare n1 n2 = Pervasives.compare n1 n2
  let equal = (=)
end




module Edg =
struct
  type t = int
  let compare = Pervasives.compare
  let default = 1
end

module PdlGraph =
  Graph.Imperative.Digraph.ConcreteLabeled(Vrtx)(Edg)
let pdlg = ref (PdlGraph.create())

(**
**************
PdlSet
**************
**)
module PdlSet = Set.Make(struct type t = vertexLabel
    let compare = compare end)
let abstr_mem_of el pdl_set =
  PdlSet.mem { l = el.l; pol = Pos } pdl_set ||
  PdlSet.mem { l = el.l; pol = Neg } pdl_set

let is_positive el =
  el.pol == Pos
let is_negative el =
  el.pol == Neg

let mem_of el pdl_set =
  (PdlSet.mem { l = el.l; pol = el.pol } pdl_set )

let mem_of_or_pos el pdl_set =
  (PdlSet.mem { l = el.l; pol = el.pol } pdl_set ) || el.pol == Pos

let mem_of_or_neg el pdl_set =
  (PdlSet.mem { l = el.l; pol = el.pol } pdl_set ) || el.pol == Neg

let abstr_subset_of_pdl set1 set2 =
  if polarized_preds then
    let test_pos = PdlSet.exists(fun el -> is_positive el) set2 in
    let test_neg = PdlSet.exists(fun el -> is_negative el) set2 in
    begin
      if test_pos && test_neg then
        PdlSet.for_all (fun el -> mem_of el set2) set1
      else
        begin
          if test_pos then
            (PdlSet.for_all (fun el -> mem_of_or_neg el set2) set1)
          else
            PdlSet.for_all (fun el -> mem_of_or_pos el set2) set1
        end
    end
  else
    PdlSet.for_all
      (fun el -> abstr_mem_of el set2) set1



let display_symb_of_pdl_set set =
  PdlSet.iter
    (fun el ->
          Format.printf "(%s,%s)" el.l (string_value_of el.pol)) set;
  Format.printf "@\n@."

let vSet = ref PdlSet.empty 


(** end of PdlSet **)


(** Computes arcs from a pair of literals.
    Let l1 and l2 be two literals.
		l1 or l2 is memorized by the edges ~ l1 -> l2 and ~ l2 -> l1 
		with ~ ~ p = p for each predicate p.
		  
		Warning: different from Table 1 from [CGS08] where p is v with
		polarity lp and q is v' with polarity rp.
		 
    @param lp : positivity, left-hand-side polarity.
		@param rp : positivity, right-hand-side polarity.
		@param we : int, Weight to add.
		@param v : string, left-hand-side name.
		@param v' : string, right-hand-side name.
		assigns !pdlg. 
**)
let add_edge lp rp we v v'=
  (* reverse the left polarity since starts from a disjunction *)
  let lp = oposite lp in
	(* Construction of vertices: *)
	(*   type vertexLabel = { l: string; pol: positivity } *)
  let le = { l = v; pol = lp } in
  let re = { l = v'; pol = rp } in
  let lep = { l = v'; pol = oposite rp } in
  let rep = { l = v; pol = oposite lp } in

  try    
    let (_, w, _) = PdlGraph.find_edge !pdlg le re in
		(* edge already exists ... *)
    if w > we then
      begin
				(* ... and its weight is bigger. Its weight is reduced. *)
        PdlGraph.remove_edge !pdlg le re;
        PdlGraph.add_edge_e !pdlg (le, we, re);
        PdlGraph.remove_edge !pdlg lep rep;
        PdlGraph.add_edge_e !pdlg (lep, we, rep);
      end
  with Not_found -> 
		(* New edge. Two arcs. *)
    PdlGraph.add_edge_e !pdlg (le, we, re);
    PdlGraph.add_edge_e !pdlg (lep, we, rep);
    vSet := PdlSet.add 
	       rep 
	       (PdlSet.add 
		  lep
		  (PdlSet.add 
		     re
		     (PdlSet.add le !vSet)  
		  ) 
	       ) 
	       
      
    

module DisplayPdlGraph = struct
  let vertex_name v =
    let v' = PdlGraph.V.label v in
    v'.l^(string_value_of v'.pol)
  let graph_attributes _ = []
  let default_vertex_attributes _ = []
  let vertex_attributes _ = []
  let default_edge_attributes _ = []
  let get_subgraph _ = None
  let edge_attributes e =
    let l = string_of_int (PdlGraph.E.label e) in
    [`Label l]
  include PdlGraph
end

module DotPdlGraph = Graph.Graphviz.Dot(DisplayPdlGraph)

(**
updates the graph_of_predicates
**)
let update_pdlg acs =
  (** Updates the graph from a set of clauses.
      @param a_clause: Input abstract clauses set.
      assigns !pdlg. **)
  let update_pdlg_c a_clause =
    let nlab = a_clause.num - 1 in
    if (StringSet.cardinal (StringSet.union a_clause.pos a_clause.neg))
      <= 1 then ()
    else
      begin
	(* Implements Table 1 from [CGS08]. n is p and n' is q. *)
	let neg = ref a_clause.neg in
	StringSet.iter
	  (fun p ->
	     (* From (neg p or neg q) adds p -> neg q (or equivalently q -> *)
	     (* neg p).                                                     *)
	     neg := StringSet.remove p !neg;
	     StringSet.iter (fun q ->
			       if not(p = q) then
				 add_edge Neg Neg nlab p q
			    ) !neg;
	     (* From (neg p or q) adds p -> q (or equivalently neg q -> *)
	     (* neg p)                                                  *)
	     StringSet.iter (fun q ->
			       if not(p = q) then
				 add_edge Neg Pos nlab p q;
			    ) a_clause.pos
	  ) a_clause.neg;
	let pos = ref a_clause.pos in
	StringSet.iter
	  (fun p ->  (* p' is q in Table 1. *)
	     (* From (p or p') add neg p-> p' (or equivalently neg p'-> p) *)
	     pos := StringSet.remove p !pos;
	     StringSet.iter (fun p' ->
			       if not(p = p') then
				 add_edge Pos Pos nlab p p'
			    ) !pos
	  ) a_clause.pos;
      end;

    if ((IdentPairSet.cardinal a_clause.cmp)<=0 
	|| (StringSet.cardinal (StringSet.union a_clause.pos a_clause.neg))<= 0)
    then ()
    else
      begin
	let suffixes cmp id = (cmp^"_"^(Ident.string id)) in
	(* Addition of arcs memorizing comparison predicates: *)
	let cmps = ref a_clause.cmp in 
	IdentPairSet.iter
	  (fun ip ->  (* ip is a pair of functional symbols. *)
	     cmps := IdentPairSet.remove ip !cmps;
	     match ip with
	       | Pair(f1, f2) ->
		   begin
		     StringSet.iter
		       (fun p ->
			  add_edge Neg Pos nlab (suffixes p f1) (suffixes p f2);
		       ) a_clause.neg;
		     (* Idem for positive literals *)
		     StringSet.iter
		       (fun p ->
			  add_edge Pos Pos nlab (suffixes p f1) (suffixes p f2);
		       ) a_clause.pos;
		   end
	  ) a_clause.cmp
      end
  in
  AbstractClauseSet.iter update_pdlg_c acs;
  if debug then
    begin
      let oc = open_out "/tmp/gwhy_pdlg_graph.dot" in
      DotPdlGraph.output_graph oc !pdlg
    end
      
let rec remove_percents s =
  try
    let i = String.index s '%' in
    (String.set s i '_');
    (remove_percents s)
  with Not_found -> s

let remove_percent_from_stringset sts =
  let r = ref StringSet.empty in
  (StringSet.iter
      (fun st -> r:= StringSet.add (remove_percents st) !r)
      sts);
  !r

let remove_percent_from_abstractclauseset cls =
  let r = ref AbstractClauseSet.empty in
  (AbstractClauseSet.iter
      (fun cl -> r:= AbstractClauseSet.add { 
				num = cl.num; 
				neg = remove_percent_from_stringset cl.neg; 
				pos = remove_percent_from_stringset cl.pos;
				cmp = cl.cmp } !r)
      cls);
  !r 

(** To take comparison operators into account, we consider each operator 
    suffixed by each of its closed identifier **)
(** @params i1 : ident of the comparison **)
(** @params i2 : ident of the closed operator **)
(** @result : string i1 suffixed by i2 **)
(** assigns nothing; **)
let get_suffixed_ident i1 i2 =
  (* let s= *)
  if suffixed_comparison then
    ((Ident.string i1)^"_"^(Ident.string i2))
  else
    (Ident.string i1)
(* in (remove_percents s) *)

let is_comparison id =
    (is_int_comparison id || is_real_comparison id || is_comparison id)

let comparison_to_consider id =
  use_comparison_as_criteria_for_graph_construction && (
    ((not comparison_eqOnly) && (is_int_comparison id || is_real_comparison id))
    || (id == t_eq || id == t_neq || id == t_eq_int || id == t_neq_int || id == t_eq_real || id == t_neq_real )
  )

let is_negative_comparison id =
  (id == t_neq || id == t_neq_int || id == t_neq_real )
  || (id == t_gt || id == t_ge)
  || (id == t_gt_int || id == t_ge_int)
  || (id == t_gt_real || id == t_ge_real)

let inv_comparison id =
  if id == t_eq then t_neq
  else if id == t_neq then t_eq
  else if id == t_eq_int then t_neq_int
  else if id == t_neq_int then t_eq_int
  else if id == t_eq_real then t_neq_real
  else if id == t_neq_real then t_eq_real
  
  else if id == t_lt then t_ge
  else if id == t_le then t_gt
  else if id == t_gt then t_le
  else if id == t_ge then t_lt
  
  else if id == t_lt_int then t_ge_int
  else if id == t_le_int then t_gt_int
  else if id == t_gt_int then t_le_int
  else if id == t_ge_int then t_lt_int
  
  else if id == t_lt_real then t_ge_real
  else if id == t_le_real then t_gt_real
  else if id == t_gt_real then t_le_real
  else if id == t_ge_real then t_lt_real
  
  else assert false (* cases have to match with cases from comparison_to_consider *)

(** @param id a comparison identifier **)
(** @param ti a variable or function identifier **)
(** @return a string composed of id and ti **)
let get_positive_suffixed_ident id ti =
  if (is_negative_comparison id) && (keep_single_comparison_representation) then
    (get_suffixed_ident (inv_comparison id) ti)
  else
    (get_suffixed_ident id ti)

(** @param id a comparison identifier **)
(** @return a string composed with the positive version of id **)
let get_positive_ident id =
  if (is_negative_comparison id) && (keep_single_comparison_representation) then
    (Ident.string (inv_comparison id))
  else
    (Ident.string id)








    
    







(**
   Encodes the arithmetics transitivity throug 11 axioms. The resulting graphe is the following : 
   =_int  ~~1~~> <=_int
   =_int  ~~x~~> <_int
   <=_int ~~2~~> =_int
   <=_int ~~x~~> <_int
   <_int  ~~1~~> <=_int 
   <_int  ~~1~~> <>_int
   <>_int ~~2~~> <_int
   <=_int ~~x~~> <>_int

   =_int  ~~1~~> >=_int
   =_int  ~~x~~> >_int
   >=_int ~~2~~> =_int
   >=_int ~~x~~> >_int
   >_int  ~~1~~> >=_int 
   >_int  ~~1~~> <>_int
   <>_int ~~2~~> >_int
   >=_int ~~x~~> <>_int

   =_int  ~~x~~> <>_int
   <=_int ~~1~~> >=_int
   >=_int ~~1~~> <=_int
   <_int  ~~1~~> >_int
   >_int  ~~1~~> <_int
  
   Needed ? 
   <>_int ~~x~~> <=_int
   <>_int ~~x~~> >=_int
   <>_int ~~x~~> =_int
   <_int  ~~x~~> =_int
   >_int  ~~x~~> =_int


   where x=2 or more.
*)
let add_arith_transitivity oper suffix =
  if (considere_arith_comparison_as_special_predicate && use_comparison_as_criteria_for_graph_construction)
     
  then begin

    let one = 2 in
    let two = 3 in
    let x = 3 in
    let cls = ref AbstractClauseSet.empty in

    let add id1 n id2 =
      cls := AbstractClauseSet.add 
	{ num = n;
	  neg = id1;
	  pos = id2;
	  cmp = IdentPairSet.empty }
	!cls
    in

    let add_all eq neq ge gt le lt =
      (*    =_int  ~~1~~> <=_int *)
      add   eq      one   le;
      (*    =_int  ~~x~~> <_int *)
      add   eq       x    lt;
      (*    <=_int ~~2~~> =_int *)
      add   le      two   eq;
      (*    <=_int ~~x~~> <_int *)
      add   le       x    lt;
      (*    <_int  ~~1~~> <=_int  *)
      add   lt      one   le;
      (*    <_int  ~~1~~> <>_int *)
      add   lt      one   neq;
      (*    <>_int ~~2~~> <_int *)
      add   neq     two   lt;
      (*    <=_int ~~x~~> <>_int *)
      add   le       x    neq;
      
      (*    =_int  ~~1~~> >=_int *)
      add   eq      one   ge;
      (*    =_int  ~~x~~> >_int *)
      add   eq       x    gt;
      (*    >=_int ~~2~~> =_int *)
      add   ge      two   eq;
      (*    >=_int ~~x~~> >_int *)
      add   ge       x    gt;
      (*    >_int  ~~1~~> >=_int  *)
      add   gt      one   ge;
      (*    >_int  ~~1~~> <>_int *)
      add   gt      one   neq;
      (*    <>_int ~~2~~> >_int *)
      add   neq     two   gt;
      (*    >=_int ~~x~~> <>_int *)
      add   ge       x    neq;
      
      (*    =_int  ~~x~~> <>_int *)
      add   eq       x    neq;
      (*    <=_int ~~1~~> >=_int *)
      add   le      one   ge;
      (*    >=_int ~~1~~> <=_int *)
      add   ge      one   le;
      (*    <_int  ~~1~~> >_int *)
      add   lt      one   gt;
      (*    >_int  ~~1~~> <_int *)
      add   gt      one   lt;
      
      
      update_pdlg (remove_percent_from_abstractclauseset !cls)
    in

    let setIt id = match suffix with 
      | Some(s) -> StringSet.singleton (get_suffixed_ident id  s)
      | None -> StringSet.singleton (Ident.string id)
    in

    match oper with
      | Some(id) when is_int_comparison id -> 
	  add_all 
	    (setIt t_eq_int)
	    (setIt t_neq_int)
	    (setIt t_ge_int)
	    (setIt t_gt_int)
	    (setIt t_le_int)
	    (setIt t_lt_int)
	    
	    
      | Some(id) when is_real_comparison id -> 
	  add_all 
	    (setIt t_eq_real)
	    (setIt t_neq_real)
	    (setIt t_ge_real)
	    (setIt t_gt_real)
	    (setIt t_le_real)
	    (setIt t_lt_real)
	    
	    
      | _ -> 
	  add_all 
	    (setIt t_eq_int)
	    (setIt t_neq_int)
	    (setIt t_ge_int)
	    (setIt t_gt_int)
	    (setIt t_le_int)
	    (setIt t_lt_int);
	  
	  add_all 
	    (setIt t_eq_real)
	    (setIt t_neq_real)
	    (setIt t_ge_real)
	    (setIt t_gt_real)
	    (setIt t_le_real)
	    (setIt t_lt_real)
  end





let build_pred_graph decl =
  let eq_link = ref AbstractClauseSet.empty in
  let treated_suffixes = ref StringSet.empty in
  (* assigns eq_link. *)
  let add_suffixed_depends compId appId =
    if suffixed_comparison && not (StringSet.mem (Ident.string appId) !treated_suffixes) then
      begin (* CGS08. 1. *)
	if equalities_linked then
	  begin
	    (* Creation des liens =_f -> = et = -> =_f *)
	    eq_link:= AbstractClauseSet.add
	      ({ num = 1;
		 neg = StringSet.singleton (get_positive_suffixed_ident compId appId);
		 pos = StringSet.singleton (get_positive_ident compId);
		 cmp = IdentPairSet.empty })
	      (AbstractClauseSet.add
		 ({ num = 1;
		    neg = StringSet.singleton (get_positive_ident compId);
		    pos = StringSet.singleton
		      (get_positive_suffixed_ident compId appId);
		    cmp = IdentPairSet.empty })
		 !eq_link)
	  end;
	
	if arith_tactic then
	  begin
	    (* Creation du trio lt_f / le_f / =_f *)
	    let eq =
	      if is_int_comparison compId then (StringSet.singleton (get_suffixed_ident t_eq_int appId))
	      else if is_real_comparison compId then (StringSet.singleton (get_suffixed_ident t_eq_real appId))
	      else (StringSet.singleton (get_suffixed_ident t_eq appId)) in
	    let lt =
	      if is_int_comparison compId then (StringSet.singleton (get_suffixed_ident t_lt_int appId))
	      else if is_real_comparison compId then (StringSet.singleton (get_suffixed_ident t_lt_real appId))
	      else (StringSet.singleton (get_suffixed_ident t_lt appId)) in
	    let le =
	      if is_int_comparison compId then (StringSet.singleton (get_suffixed_ident t_le_int appId))
	      else if is_real_comparison compId then (StringSet.singleton (get_suffixed_ident t_le_real appId))
	      else (StringSet.singleton (get_suffixed_ident t_le appId)) in
	    
	    let trio = ref AbstractClauseSet.empty in
	    trio := AbstractClauseSet.add { num = 1; neg = eq; pos = le;
					    cmp = IdentPairSet.empty } !trio;
	    trio := AbstractClauseSet.add { num = 2; neg = le; pos = eq;
					    cmp = IdentPairSet.empty } !trio;
	    trio := AbstractClauseSet.add { num = 2; neg = le; pos = lt;
					    cmp = IdentPairSet.empty } !trio;
	    trio := AbstractClauseSet.add { num = 1; neg = lt; pos = le;
					    cmp = IdentPairSet.empty } !trio;
	    
	    eq_link:= AbstractClauseSet.union !trio !eq_link
	  end;
	

	add_arith_transitivity (Some(compId)) (Some(appId));

	treated_suffixes:= StringSet.add (Ident.string appId) !treated_suffixes
      end
  in
  
  (* Construction of the Preds dependence graph. Assumes that the clause   *)
  (* cl is in nnf.                                                         *)
  (** @param atome a predicate    **)
  (** @param cl a clause          **)
  (** @result : a set of clauses. **)
  let add_atom atome cl =  

    let oneCl cl = AbstractClauseSet.singleton cl in
    let twoCl cl1 cl2 =
      AbstractClauseSet.add cl1 (AbstractClauseSet.singleton cl2)
    in
    let add_neg ?(num=1) neg =
      { num = cl.num + num;
	neg = StringSet.add neg cl.neg;
	pos = cl.pos;
	cmp = cl.cmp }
    in
    let add_pos ?(num=1) pos =
      { num = cl.num + num;
	neg = cl.neg;
	pos = StringSet.add pos cl.pos;
	cmp = cl.cmp }
    in
    let add_cmp ?(num=1) id p1 p2 =
      { num = cl.num + num;
	neg = StringSet.add (Ident.string (inv_comparison id))cl.neg;
	pos = StringSet.add (Ident.string id) cl.pos;
	cmp = IdentPairSet.add (Pair (p1,p2)) cl.cmp }
    in
    let inc_oneCl () =
      oneCl
	{ num = cl.num +1;
	  neg = cl.neg;
	  pos = cl.pos;	
	  cmp = cl.cmp }
    in


    match atome with
      | Pnot (Papp (id, _, _)) 
      | Papp (id, _, _) 
	  when (is_comparison id) && not use_comparison_as_criteria_for_graph_construction ->
	  Format.printf "\n\nIgnore comparisons Pred : %a\n\n" Util.print_predicate atome ; 
	    inc_oneCl ()



	(* If it is not a comparison or 
	   it is a comparison, we considere comparison but we don't considere it as a special predicate *)
      | Pnot (Papp (id, _l, _i)) 
	  when ((not (is_comparison id))
		|| ((is_comparison id) && (comparison_to_consider id) && not considere_arith_comparison_as_special_predicate)) ->
(* 	  when not (considere_arith_comparison_as_special_predicate  *)
(* 		    && (comparison_to_consider id)) ->  *)
 	  oneCl (add_neg (Ident.string id)) 


	    
      | Papp (id, _l, _i) 
	  when ((not (is_comparison id))
		|| ((is_comparison id) && (comparison_to_consider id) && not considere_arith_comparison_as_special_predicate)) ->
(* 	  when not (considere_arith_comparison_as_special_predicate  *)
(* 		    && (comparison_to_consider id)) ->  *)
	  oneCl (add_pos (Ident.string id))


	    
      (* If it is a comparison, we considere comparison and considere it as a special predicate *)
      | Pnot (Papp (id, [el1; el2], _i)) 
	  when ((is_comparison id) && (comparison_to_consider id) && considere_arith_comparison_as_special_predicate) ->
	  begin 
	    match (el1, el2) with
	      | (Tapp(ti1, _, _), Tapp(ti2, _, _ )) when suffixed_comparison ->
		  (* Added for [CGS08] Sec. 4.3. *)
		  (add_suffixed_depends id ti1);
		  (add_suffixed_depends id ti2);

		  oneCl (add_cmp (inv_comparison id) ti1 ti2)
                  (* End of "Added for [CGS08] Sec. 4.3" *)


	      | (Tapp(ti, _, _), _ )
	      | ( _, Tapp(ti, _, _)) when suffixed_comparison ->
		  (add_suffixed_depends id ti);
		  if (keep_single_comparison_representation) then
		    twoCl
		      (add_neg (get_positive_suffixed_ident id ti))
		      (add_pos (get_positive_suffixed_ident id ti))
		  else
		    oneCl (add_neg (get_suffixed_ident id ti))


	      | ( _, _ ) when suffixed_comparison ->
		  (inc_oneCl ())
		      




	      | ( _, _ ) (* when not suffixed_comparison *) -> 
		  if (keep_single_comparison_representation) then
		    twoCl
		      (add_neg (get_positive_ident id))
		      (add_pos (get_positive_ident id)) 
		  else
		    oneCl (add_neg (Ident.string id))
		      

	  end
	    
      | Papp (id, [el1; el2], _i) 
	  when ((is_comparison id) && (comparison_to_consider id) && considere_arith_comparison_as_special_predicate) ->
	  begin
	    match (el1, el2) with
	      | (Tapp(ti1, _, _), Tapp(ti2, _, _ )) when suffixed_comparison ->
		  (* Added for [CGS08] Sec. 4.3 *)
		  (add_suffixed_depends id ti1);
		  (add_suffixed_depends id ti2);

		  oneCl (add_cmp id ti1 ti2)
                  (* End of "Added for [CGS08] Sec. 4.3" *)


	      | (Tapp(ti, _, _), _ )
	      | ( _, Tapp(ti, _, _)) when suffixed_comparison ->
		  (add_suffixed_depends id ti);
		  if keep_single_comparison_representation then
		    twoCl
		      (add_pos (get_positive_suffixed_ident id ti))
		      (add_neg (get_positive_suffixed_ident id ti))

		  else
		    oneCl (add_pos (get_suffixed_ident id ti))


	      | ( _, _ ) when suffixed_comparison ->  
		  (inc_oneCl ())




	      | ( _, _)  (* when not suffixed_comparison *) ->
		  if keep_single_comparison_representation then
		    twoCl
		      (add_pos (get_positive_ident id))
		      (add_neg (get_positive_ident id))
		      
		  else
		    oneCl (add_pos (Ident.string id))

	  end

      (* If it is a comparison and don't considere it *)
      | _ ->
(* 	  when ((is_comparison id) && not (comparison_to_consider id)) -> *)
	  inc_oneCl ()

  in 
  (** @param p a predicate 
      @return a set of abstract clauses associated to the given predicate
  *)
  let rec get_abstract_clauses p =
    let rec compute_clause p acs = 
    (*if (debug) then begin    
      Format.printf "@.Pred : %a@." Util.print_predicate p; 
      Format.printf "acs : "; display_cl_set acs;
      Format.printf "@."; 
    end;*)
      match p with
	| Forall (_, _, _, _, _, p) 
	| Exists (_, _, _, p) -> compute_clause p acs

	| Por (p1, p2) -> compute_clause p1 (compute_clause p2 acs)

	| _ as p ->
	    let r = ref AbstractClauseSet.empty in
	    (AbstractClauseSet.iter
	       (fun ac -> r:= AbstractClauseSet.union (add_atom p ac) !r)
	       acs);
	    !r
    in
    match p with
      | Forall (_, _, _, _, _, p) 
      | Exists (_, _, _, p) -> get_abstract_clauses p
      | Plet (_, n, _, t, p) ->
	  get_abstract_clauses (subst_term_in_predicate n t p)
      | Pand (_, _, p1, p2) ->
	  AbstractClauseSet.union
	    (get_abstract_clauses p1)
	    (get_abstract_clauses p2)

      | Por _ -> 
	  compute_clause p (AbstractClauseSet.singleton (mk_empty_clause ()))

      | Papp _ 
      | Pnot _  
      | Pfalse  
      | Ptrue  -> (add_atom p (mk_empty_clause ()))

      | Pnamed(_, _)
      | Forallb (_, _, _)
      | Piff (_, _)
      | Pif (_, _, _)
      | Pimplies (_, _, _)
      | Pvar _ -> assert false

  (* END of get_abstract_clauses *)
  in
  let compute_pred_graph = function 
    | Dpredicate_def (loc, ident, def) ->
	let bl, p = def.scheme_type in
	let rootexp = (Papp (
			 ident,
			 List.map (fun (i, _) -> Tvar i) bl, [])) in
	let piff = Piff (rootexp, p) in
	let pforall = List.fold_right
	  (fun (var, tvar) pred -> Forall(false, var, var, tvar,[], pred))
	  bl piff in
	let p' = cnf pforall in
	begin
	  (*if debug then
	    begin
	      Format.printf "p : %a@." Util.print_predicate p; 
	      Format.printf "p' : %a@." Util.print_predicate p';  
	    end;*)

	  context := (p', Dpredicate_def (loc, ident, def))::!context; 
	  let cls = get_abstract_clauses p' in
	  let cls = AbstractClauseSet.union cls !eq_link in
	  (*if debug then
	    begin
	      Format.printf "cls : "; display_cl_set cls
	    end;*)
	  update_pdlg (remove_percent_from_abstractclauseset cls )
	end 
    | Daxiom (loc, ident, ps) ->
	(* loc: , ident: , ps: *)
	let p = ps.scheme_type in
	let p' = cnf p in
	begin 
	  (*if debug then
	    begin
	      Format.printf "p : %a@." Util.print_predicate p; 
	      Format.printf "p' : %a@." Util.print_predicate p';  
	    end;*)

	  context := (p', Daxiom (loc, ident, ps))::!context; 
	  let cls = get_abstract_clauses p' in
	  (*if debug then
	    begin
	      Format.printf "cls : "; display_cl_set cls
	    end;*)
	   
	  let cls = AbstractClauseSet.union cls !eq_link in
	  (*if debug then
	    begin
	      Format.printf "cls + eq_link : %a" Util.print_predicate p; 
	      display_cl_set cls
	    end;*)
	  update_pdlg (remove_percent_from_abstractclauseset cls)
	end  
    | a -> 
	context := (Ptrue, a)::!context;
  in 
  if not suffixed_comparison then add_arith_transitivity None None; 
  Queue.iter compute_pred_graph decl
    
(** End of graph of predicates**)


let set_of_pred_p vs =
  PdlSet.fold
    (fun v s -> 
          let pred_set = 
            try 
              let pred_list = PdlGraph.pred !pdlg v in
              List.fold_right
                (fun el s ->
                      PdlSet.add el s) pred_list PdlSet.empty
            with
              _ -> PdlSet.empty in
          let s' = PdlSet.union s pred_set in
          let succ_set =
            try
              let succ_list = PdlGraph.succ !pdlg { l = v.l; pol = oposite v.pol } in
              List.fold_right
                (fun v s ->
                      PdlSet.add { l = v.l; pol = oposite v.pol } s)
                succ_list PdlSet.empty
            with
              _ -> PdlSet.empty in
          PdlSet.union s' succ_set
    )
    vs
    PdlSet.empty


(***************************************
*********
*******************)

module W = struct 
  type label = PdlGraph.E.label
  type t = int
  let weight x = x
  let zero = 0
  let add = (+)
  let compare = compare
end

  

module Dij = Dijkstra(PdlGraph)(W)

let compute_sequence_of_predicates concl_preds =
  (* compute the weight of the shortest path from the node elem and nodes of *)
  (* the conclusion                                                          *)
  let max = ref 0 in
  let dij elem =
    let dij_and_comp v2 acc =
      try
	(* Dijkstra from elem to node v2 of the conclusion *)
	let (_, d) = Dij.shortest_path !pdlg elem v2 in
	(* update max *)
	max := if d > !max then d else !max;
	(* memorizing the shortest path *)
	if (acc == (- 1)) || (d < acc) then
	  d
	else
	  acc
      with Not_found ->
	(- 1)
    in
    PdlSet.fold dij_and_comp concl_preds (- 1)
  in
  
  let hash_lits : (int,'a) Hashtbl.t = Hashtbl.create 10 in
  (* adds into L[dij] the node elem where dij is the dijkstra result. If dij *)
  (* is -1, then we set L[max+1]                                             *)
  PdlSet.iter
    (fun elem ->
       let w = dij elem in
       try
	 let l_i = Hashtbl.find hash_lits w in
	 if w != (- 1) then
	   Hashtbl.replace hash_lits w (PdlSet.add elem l_i)
	 else
	   Hashtbl.replace hash_lits (!max + 1) (PdlSet.add elem l_i)
       with Not_found ->
	 Hashtbl.add hash_lits w (PdlSet.singleton elem )
    ) !vSet;
  
  if debug then
    begin
      Format.printf "List of predicates \n";
      for i = 0 to 10 do
	Format.printf "L[%d] is " i;
	try
	  let l_i = Hashtbl.find hash_lits i in
	  display_symb_of_pdl_set l_i
	with _ ->
	  Format.printf " empty \n";
      done;
    end;
  predicateMaximumDepth:=!max;
  hash_lits
    




    
 
	   
	 
    
  





(* Use of the preds dependence graph to filter hypothesis *)
let get_preds_of p filter_comparison =
  let s = ref PdlSet.empty in
  
  (* @params i : ident of the comparison @params ref s : list of           *)
  (* predicates where i has to be added @params polarity : polarity to set *)
  (* up @aprams t : term to add as suffixe @result : s including i         *)
  (* suffixed with t                                                       *)
  let add_suffixed_comparison i polarity = function
    | Tapp (ti, _, _) ->
        if (is_negative_comparison i) && (keep_single_comparison_representation) then (* negative comparaisons are traducted as negative in the graph *)
        s:= (PdlSet.add { l = remove_percents (get_suffixed_ident (inv_comparison i) ti);
              pol = if polarity == 1 then Neg else Pos } !s)
        else
          s:= (PdlSet.add { l = remove_percents (get_suffixed_ident i ti);
                pol = if polarity == 1 then Pos else Neg } !s)
    
    | Tvar (_)
    | Tderef (_)
    | Tconst (_) ->
        () (* We do not consider cases with literal constants in the suffix *)
    | Tnamed (_, _) ->
        assert false (* Currently, no label is present close to a comparison predicate *)
  in
  let rec get polarity = function
    (* Treatment of each predicates cases, expect comparison predicates *)
    | Papp (id, _l, _i) when not (comparison_to_consider id) ->
        s := PdlSet.add { l = remove_percents (Ident.string id);
            pol = if polarity == 1 then Pos else Neg } !s
    
    (* | Papp (id, l, i) when use_arith_comp_as_direct_criteria -> s :=        *)
    (* PdlSet.add {l=Ident.string id ; pol= if polarity == 1 then Pos else     *)
    (* Neg} !s                                                                 *)
    
    (* Particular treatment for comparison predicates (only equality at    *)
    (* this time). Each of them is added twice (with a suffix corresonding *)
    (* to each of parameters)                                              *)
    | Papp (id, l, _i) when (comparison_to_consider id) && filter_comparison ->
        (List.iter (add_suffixed_comparison id polarity) l)
    
    | Forall (_(*w*), _id, _b, _v, _(*tl*), p) 
    | Exists (_id, _b, _v, p) ->
        get polarity p 


    | Pimplies (_, p1, p2) ->
        get (- 1 * polarity) p1;
        get polarity p2

    | Pand (_, _, p1, p2) 
    | Por (p1, p2) ->
        get polarity p1;
        get polarity p2

    | Piff (p1, p2) ->
	(* get polarity Pimplies (_,p1,p2) ; *)
        get (- 1 * polarity) p1;
        get polarity p2;
        (* get polarity Pimplies (_,p2,p1) *)
        get (- 1 * polarity) p2;
        get polarity p1

    | Pnot p1 ->
        get (- 1 * polarity) p1;

    | _ -> 
	()
  in
  get 1 p;
  !s

let get_predecessor_pred p n =
  (** av stands for the already visited preds
  nyt stands for not yet treated preds **)
  let rec get_preds_in_graph nyv av n =
    if n > 0 then
      let new_preds = set_of_pred_p nyv in
      let nyv = PdlSet.diff new_preds av in
      PdlSet.union new_preds
        (get_preds_in_graph
            nyv
            (PdlSet.union new_preds av)
            (n - 1)
        )
    else
      av in
  get_preds_in_graph p p n

let get_relevant_preds hl n =
  let avs = ref PdlSet.empty in
  for i = 0 to n do
    try 
      let l_i = Hashtbl.find hl i in
      avs := PdlSet.union !avs l_i
    with Not_found -> 
      () (* TODO remove this *)
  done; 
  !avs
 
















(** 
    @param p the set of initial predicates
    @return the minimum depth needed to reach all reachable predicates from p
**)
let get_depth_of_reachable_preds p =
  (** 
      @param nyt stands for not yet treated preds 
      @param av stands for the already visited preds
      @param depth stands for the current visited depth
      @return the minimum depth needed to reach all reachable predicates from p
  **)
  let rec get_depth nyt av depth =
    let new_preds = set_of_pred_p nyt in
    let all_treated = PdlSet.union nyt av in
    let newly_reached = PdlSet.diff new_preds all_treated in
    if (PdlSet.cardinal newly_reached) > 0 then 
      get_depth
	newly_reached
	all_treated
	(depth + 1)
    else
      depth
  in
  get_depth p PdlSet.empty 0

















 


(**
functions for the main function: reduce
@param l' : liste d'hypotheses
@param g' : predicat du but
**)
let reduce_subst (l', g') =
  let many_substs_in_predicate sl p =
    List.fold_left (fun p s -> tsubst_in_predicate s p) p sl
  in
  let many_substs_in_term sl t =
    List.fold_left (fun t s -> tsubst_in_term s t) t sl
  in
  let many_substs_in_context sl = function
    | Papp (id, l, i) ->
        Papp (id, List.map (many_substs_in_term sl ) l, i)
    | Pif (a, b, c) ->
        Pif (many_substs_in_term sl a,
          many_substs_in_predicate sl b,
          many_substs_in_predicate sl c)
    | Forall (w, id, b, v, tl, p) ->
        Forall (w, id, b, v, tl,
          many_substs_in_predicate sl p)
    | Exists (id, b, v, p) ->
        Exists (id, b, v, many_substs_in_predicate sl p)
    | p ->
        map_predicate (many_substs_in_predicate sl) p
  in
  
  let compute_subst (sl, fl) f =
    match f with
    | Svar (_id, _v) as var_def -> (sl, var_def:: fl)
    | Spred (id, p) ->
        begin
          match p with
            Papp (id, [el1; el2], _) when is_eq id ->
              begin
                match (el1, el2) with
                  (Tvar (v1), t2) | (t2, Tvar (v1)) ->
                    let subst = subst_one v1 t2 in
                    begin
                      if debug then
                        Format.printf "Removed  pred %a\n" Util.print_predicate p;
                    end;
                    (subst:: sl, fl)
                
                | _ ->
                    (sl, Spred(id, (many_substs_in_context sl p)):: fl)
              end
          | _ as p -> (sl, Spred(id, (many_substs_in_context sl p)):: fl)
          
        end in
  let (sl, fl) = List.fold_left compute_subst ([],[]) l' in
  let l' = List.rev fl in
  let g' = many_substs_in_predicate sl g' in
  (l', g')

(**
@param concl_rep the representative variable of the conclusion
@param l the list of hypothesis
@return a list where the hypotheses have been filtered.
An hypothese is selected if
- it is a variable declaration
- it is an hypothese which has the same representant than
the conclusion
**)
let filter_acc_variables l concl_rep selection_strategy pred_symb =
  (** UPDATE THIS ACCORDING TO THE ARRTICLE **)
  
  let rec all_vars_from_term vars qvars = function
    | Tvar v | Tderef v ->
        let r = (member_of (Ident.string v) vars) || (List.mem (Ident.string v) qvars) in
        if debug then
          if r then
            Format.printf "   ->  Tvar %s OK\n" (Ident.string v)
          else
            begin
              Format.printf "   ->  Tvar %s NON PRESENTE\n" (Ident.string v);
              Format.printf "       qvars :";
              List.iter(fun v -> Format.printf ", %s" v) qvars;
              Format.printf "\n";
              
            end;
        r
    | Tapp (_, lt, _) ->
        begin
          if debug then Format.printf "      -> Tapp -->\n"
        end;
        List.for_all (all_vars_from_term vars qvars) lt
    | Tconst _ ->
        true
    | Tnamed(_lab, t) ->
        all_vars_from_term vars qvars t
  in
  
  let rec all_vars_in_one_branch lp vars =
    let rec all_v pred qvars =
      match pred with
      | Forall (_, id, _, _, _, p)
      | Exists (id, _, _, p) ->
          begin
            if debug then Format.printf "   -> Quantif %s \n" (Ident.string id)
          end;
          all_v p ((Ident.string id):: qvars)
      | Plet (_, n, _, t, p) ->
	  all_v (subst_term_in_predicate n t p) qvars
      | Piff (p1, p2)
      | Pand (_, _, p1, p2)
      | Por (p1, p2)
      | Pimplies (_, p1, p2) ->
          begin
            if debug then Format.printf "   -> And / Or / Implies %a %a \n" Util.print_predicate p1 Util.print_predicate p2
          end;
          if all_v p1 qvars then (all_v p2 qvars) else false
      
      | Pnot (p) ->
          begin
            if debug then Format.printf "   ->  Pnot %a \n" Util.print_predicate p
          end;
          all_v p qvars
      
      | Papp (_, lt, _) ->
          begin
            if debug then Format.printf "   ->  Papp --> \n"
          end;
          List.for_all (all_vars_from_term vars qvars) lt
      
      | Pvar (v) ->
          begin
            let r = (member_of (Ident.string v) vars) || (List.mem (Ident.string v) qvars) in
            if debug then
              if r then
                Format.printf "   ->  Pvar %s OK\n" (Ident.string v)
              else
                Format.printf "   ->  Pvar %s NON PRESENTE\n" (Ident.string v);
            r
          end;
      
      | Pfalse
      | Ptrue -> true
      | Pnamed (_, _) ->
          failwith "Pnamed has to be not found there (nnf has to remove it)"
      | Forallb (_, _, _) ->
          failwith "Forallb has to be not found there (nnf has to remove it)"
      | Pif (_a, _b, _c) ->
          failwith "Pif has to be not found there (nnf has to remove it)"
    
    in
    match lp with
    | [] -> false
    | p:: l ->
        if all_v p [] then
          begin
            if debug then Format.printf " Branche retenue : %a \n" Util.print_predicate p;
            true
          end
        else
          begin
            if debug then Format.printf " Branche rejetee : %a \n" Util.print_predicate p;
            (all_vars_in_one_branch l vars)
          end
  
  in
  
  let rec filter = function
    | [] -> []
    | Svar (id, v) :: q ->
        Svar (id, v) :: filter q
    | Spred (t, p) :: q ->
        let vars =
          try Hashtbl.find hash_hyp_vars p
          with Not_found -> assert false
        in
        let v' = (removes_fresh_vars vars) in
        let condition = match selection_strategy with
          | AllVars
          | SplitHyps
          | CNFHyps ->
              VarStringSet.subset
                v'
                concl_rep
          (*** TODO UPDATE THIS ***)
          
          | One -> not (VarStringSet.is_empty
                    (VarStringSet.inter
                        v'
                        concl_rep))
          
          | AllInABranch ->
              all_vars_in_one_branch (Util.split_one [] 1 p) concl_rep
        
        in
        if debug then begin
          Format.printf "\nHyp :\n %a \n\n" Util.print_predicate p;
          display_str "vars" vars;
          display_str "concl_rep" concl_rep;
        end;
        if (!variablesMaximumDepth< !vb) || condition then
          begin
            if debug then
	      begin
 		if (!predicateMaximumDepth< !pb) then
 		  Format.printf "Kept #1 (Vars - No filter due to VariableMaximumDepth ()
        
        | (p_cnf, Dpredicate_def (loc, ident, def)) :: l ->
            let preds_of_p_cnf = get_preds_of p_cnf use_comparison_as_criteria_for_hypothesis_filtering in
	    if (!predicateMaximumDepth< !pb) || (abstr_subset_of_pdl preds_of_p_cnf relevantPreds) then
	      begin
                (* On garde tout le predicat *)
                if debug then
		  begin
		    if (!predicateMaximumDepth< !pb) then
		      Format.printf "Ctx Kept (No filter due to MaxReachableDepth
                          let i = my_fresh_hyp_str () in
                          (p, Daxiom (loc, "axiom_from_"^name^"_part_"^i, generalize_predicate p))
                    ) p_list in
                
                List.iter filter_one_axiom ax_list;
                filter l
              end
        
        | (p_cnf, Daxiom (loc, ident, ps)) :: l ->
            let preds_of_p_cnf = get_preds_of p_cnf use_comparison_as_criteria_for_hypothesis_filtering in
            if (!predicateMaximumDepth< !pb) || (abstr_subset_of_pdl preds_of_p_cnf relevantPreds) then
              begin
                (* On garde tout l'axiome en forme originale *)
                if debug then
		  begin
		    if (!predicateMaximumDepth< !pb) then
		      Format.printf "Ctx Kept (No filter due to MaxReachableDepth
                          let i = my_fresh_hyp_str () in
                          (p, Daxiom (loc, ident^"_part_"^i, generalize_predicate p))
                    ) p_list in
                
                List.iter filter_one_axiom ax_list;
                filter l
              end
        
        | (_p_cnf, c) :: l ->
            if debug then
              begin
                Format.printf "Ctx (Autre): \n";
                Format.printf "%a \n" print_decl c
              end;
            Queue.push c decl;
            filter l
      in
      filter (List.rev !context) 
    end
(* Fin pruning des axiomes du context *)

let managesGoal ax (hyps, concl) decl =

  let (loc, expl, id, _) = ax in
  (** retrieves the list of predicates in the conclusion **)
  let concl_preds = get_preds_of concl true in

  (* if weights are not consider (as [FTP07] implementation)*)
  let relevant_preds = 
      if prune_coarse_pred_comp then 
	get_predecessor_pred concl_preds !pb 
      else
	begin 
	  (* WARNING  !!!! 
	     This branch seems to be KO since the coarse option has been haded, when --prune-with-comp and --prune-context are both set
	  *)
	  let hl = compute_sequence_of_predicates concl_preds in 
	  get_relevant_preds hl !pb 
	end 
  in
  if prune_coarse_pred_comp then predicateMaximumDepth:=(get_depth_of_reachable_preds concl_preds);



  (** retrieves the list of variables in the conclusion **)
  let vars_of_concl = VarStringSet.diff (free_vars_of concl) avoided_vars in
  let reachable_vars = VarStringSet.diff
      (get_n_depth_vars vars_of_concl !vb)
      avoided_vars in
  let relevant_vars = VarStringSet.union reachable_vars vars_of_concl in 
  (* Traitement fait 2 fois pour l'optimisation *)
  (* Calcul de la profondeur max atteignable dans le graph de variables *)
  variablesMaximumDepth:=(get_depth_of_reachable_vars vars_of_concl);

  let l' = filter_acc_variables hyps relevant_vars var_filter_tactic 
    (*All  AllInABranch*) relevant_preds in
  
  if debug then
    begin
      display_str "Concl_vars : " vars_of_concl ;
      display_str "Relevant vars : " relevant_vars;
      display_str "Reachable vars : " reachable_vars;
      
      if VarStringSet.subset relevant_vars reachable_vars then Format.printf "Relevant <: Reachable\n" else Format.printf "Relevant /<: Reachable\n";
      if VarStringSet.subset reachable_vars relevant_vars then Format.printf "Reachable <: Relevant\n" else Format.printf "Reachable /<: Relevant\n";
      
      Format.printf "Concl preds ";
      display_symb_of_pdl_set concl_preds;
      Format.printf "Relevant preds ";
      display_symb_of_pdl_set relevant_preds;
      let oc = open_out "/tmp/gwhy_var_graph.dot" in
      DotVG.output_graph oc !vg
    end;
  
  if Options.prune_get_depths then
    begin
      Format.printf 
	"Max depth of predicates: %d\nMax depth of variables: %d\n" 
	!predicateMaximumDepth
	!variablesMaximumDepth
    end;

  managesContext relevant_preds decl;
  
  (loc, expl, id, (l', concl))

let hyps_to_cnf lh =
  let lh_cnf =
    List.fold_left (fun l h ->
            match h with
            | Svar (_id, _v) as var_def -> var_def:: l
            | Spred (id, p) ->
                let p'= cnf p in 
		(* p' est une CNF de P mais on veut 1 hypothese par clause 
		   alors on coupe selon les and. 
		   On fera appelle au  split a la fin du traitement 
		   de toutes les hypotheses*) 
                Spred(id, p'):: l
        
      ) [] lh
  in
  Util.split [] my_fresh_hyp lh_cnf

let reset () =
  vg := Var_graph.create();
  pdlg := PdlGraph.create();
  Hashtbl.clear hash_hyp_vars;
  v_count := 0;
  hyp_count := 0

(* Module entry point. *)
(* @param q *)
(* @param decl *)
(* assigns ??? *)
let reduce q decl =
  reset();
  
  (** memorize the theory as a graph of predicate symbols **)
  build_pred_graph decl;
  
  (** manage goal **)
  let q' = match q with
      (_loc, _expl, _id, s) as ax ->
        let (l, g) = s in (* l : liste d'hypotheses (contexte local) et g : le but*)
        let (l', g') = Util.intros [] g my_fresh_hyp (var_filter_tactic == SplitHyps) in
        let l' = if (var_filter_tactic == CNFHyps) then hyps_to_cnf l' else l' in
        let l' = List.append l l' in
        let (l', g') = reduce_subst (l', g') in
        

        (** memorize hypotheses as a graph of variables **)
        build_var_graph (l', g');

        
        (** focus on goal **)
        managesGoal ax (l', g') decl
  in
  q'



(*
Local Variables:
compile-command: "LC_ALL=C make -C .."
End:
*)
why-2.34/src/wserver.ml40000644000175000017500000005307312311670312013527 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* $Id: wserver.ml4,v 1.3 2008-11-05 14:03:18 filliatr Exp $ *)
(* Copyright (c) 1998-2005 INRIA *)

value sock_in = ref "wserver.sin";
value sock_out = ref "wserver.sou";
value noproc = ref False;

value wserver_oc =
  do { set_binary_mode_out stdout True; ref stdout }
;

value wprint fmt = Printf.fprintf wserver_oc.val fmt;
value wflush () = flush wserver_oc.val;

value hexa_digit x =
  if x >= 10 then Char.chr (Char.code 'A' + x - 10)
  else Char.chr (Char.code '0' + x)
;

value hexa_val conf =
  match conf with
  [ '0'..'9' -> Char.code conf - Char.code '0'
  | 'a'..'f' -> Char.code conf - Char.code 'a' + 10
  | 'A'..'F' -> Char.code conf - Char.code 'A' + 10
  | _ -> 0 ]
;

value decode s =
  let rec need_decode i =
    if i < String.length s then
      match s.[i] with
      [ '%' | '+' -> True
      | _ -> need_decode (succ i) ]
    else False
  in
  let rec compute_len i i1 =
    if i < String.length s then
      let i =
        match s.[i] with
        [ '%' when i + 2 < String.length s -> i + 3
        | _ -> succ i ]
      in
      compute_len i (succ i1)
    else i1
  in
  let rec copy_decode_in s1 i i1 =
    if i < String.length s then
      let i =
        match s.[i] with
        [ '%' when i + 2 < String.length s ->
            let v = hexa_val s.[i + 1] * 16 + hexa_val s.[i + 2] in
            do { s1.[i1] := Char.chr v; i + 3 }
        | '+' -> do { s1.[i1] := ' '; succ i }
        | x -> do { s1.[i1] := x; succ i } ]
      in
      copy_decode_in s1 i (succ i1)
    else s1
  in
  let rec strip_heading_and_trailing_spaces s =
    if String.length s > 0 then
      if s.[0] == ' ' then
        strip_heading_and_trailing_spaces
          (String.sub s 1 (String.length s - 1))
      else if s.[String.length s - 1] == ' ' then
        strip_heading_and_trailing_spaces
          (String.sub s 0 (String.length s - 1))
      else s
    else s
  in
  if need_decode 0 then
    let len = compute_len 0 0 in
    let s1 = String.create len in
    strip_heading_and_trailing_spaces (copy_decode_in s1 0 0)
  else s
;

value special =
  fun
  [ '\000'..'\031' | '\127'..'\255' | '<' | '>' | '"' | '#' | '%' |
    '{' | '}' | '|' | '\\' | '^' | '~' | '[' | ']' | '`' | ';' | '/' | '?' |
    ':' | '@' | '=' | '&' ->
      True
  | _ -> False ]
;

value encode s =
  let rec need_code i =
    if i < String.length s then
      match s.[i] with
      [ ' ' -> True
      | x -> if special x then True else need_code (succ i) ]
    else False
  in
  let rec compute_len i i1 =
    if i < String.length s then
      let i1 = if special s.[i] then i1 + 3 else succ i1 in
      compute_len (succ i) i1
    else i1
  in
  let rec copy_code_in s1 i i1 =
    if i < String.length s then
      let i1 =
        match s.[i] with
        [ ' ' -> do { s1.[i1] := '+'; succ i1 }
        | c ->
            if special c then do {
              s1.[i1] := '%';
              s1.[i1 + 1] := hexa_digit (Char.code c / 16);
              s1.[i1 + 2] := hexa_digit (Char.code c mod 16);
              i1 + 3
            }
            else do { s1.[i1] := c; succ i1 } ]
      in
      copy_code_in s1 (succ i) i1
    else s1
  in
  if need_code 0 then
    let len = compute_len 0 0 in copy_code_in (String.create len) 0 0
  else s
;

value nl () = wprint "\013\010";

value http answer =
  let answer = if answer = "" then "200 OK" else answer in
  do {
    wprint "HTTP/1.0 %s" answer; nl ();
  }
;

value print_exc exc =
  match exc with
  [ Unix.Unix_error err fun_name arg ->
      do {
        prerr_string "\"";
        prerr_string fun_name;
        prerr_string "\" failed";
        if String.length arg > 0 then do {
          prerr_string " on \""; prerr_string arg; prerr_string "\"";
        }
        else ();
        prerr_string ": ";
        prerr_endline (Unix.error_message err);
      }
  | Out_of_memory -> prerr_string "Out of memory\n"
  | Match_failure (file, first_char, last_char) ->
      do {
        prerr_string "Pattern matching failed, file ";
        prerr_string file;
        prerr_string ", chars ";
        prerr_int first_char;
        prerr_char '-';
        prerr_int last_char;
        prerr_char '\n';
      }
  | Assert_failure (file, first_char, last_char) ->
      do {
        prerr_string "Assertion failed, file ";
        prerr_string file;
        prerr_string ", chars ";
        prerr_int first_char;
        prerr_char '-';
        prerr_int last_char;
        prerr_char '\n';
      }
  | x ->
      do {
        prerr_string "Uncaught exception: ";
        prerr_string (Obj.magic (Obj.field (Obj.field (Obj.repr x) 0) 0));
        if Obj.size (Obj.repr x) > 1 then do {
          prerr_char '(';
          for i = 1 to Obj.size (Obj.repr x) - 1 do {
            if i > 1 then prerr_string ", " else ();
            let arg = Obj.field (Obj.repr x) i in
            if not (Obj.is_block arg) then
              prerr_int (Obj.magic arg : int)
            else if Obj.tag arg = 252 then do {
              prerr_char '"'; prerr_string (Obj.magic arg : string);
              prerr_char '"'
            }
            else prerr_char '_';
          };
          prerr_char ')';
        }
        else ();
        prerr_char '\n';
      } ]
;

value print_err_exc exc =
  do { print_exc exc; flush stderr; }
;

value case_unsensitive_eq s1 s2 =
  String.lowercase s1 = String.lowercase s2
;

value rec extract_param name stop_char =
  fun
  [ [x :: l] ->
      if String.length x >= String.length name
      && case_unsensitive_eq (String.sub x 0 (String.length name)) name then
        let i =
          loop (String.length name) where rec loop i =
            if i = String.length x then i
            else if x.[i] = stop_char then i
            else loop (i + 1)
        in
        String.sub x (String.length name) (i - String.length name)
      else extract_param name stop_char l
  | [] -> "" ]
;

value buff = ref (String.create 80);
value store len x =
  do {
    if len >= String.length buff.val then
      buff.val := buff.val ^ String.create (String.length buff.val)
    else ();
    buff.val.[len] := x;
    succ len
  }
;
value get_buff len = String.sub buff.val 0 len;

value get_request strm =
  let rec loop len =
    parser
    [ [: `'\010'; s :] ->
        if len == 0 then []
        else let str = get_buff len in [str :: loop 0 s]
    | [: `'\013'; s :] -> loop len s
    | [: `c; s :] -> loop (store len c) s
    | [: :] -> if len == 0 then [] else [get_buff len] ]
  in
  loop 0 strm
;

ifdef UNIX then
value timeout tmout spid _ =
  do {
    Unix.kill spid Sys.sigkill;
    http "";
    wprint "Content-type: text/html; charset=iso-8859-1"; nl (); nl ();
    wprint "Time out\n";
    wprint "
Time out
\n";
    wprint "Computation time > %d second(s)\n" tmout;
    wprint "\n";
    wflush ();
    exit 2
  }
;

value get_request_and_content strm =
  let request = get_request strm in
  let content =
    match extract_param "content-length: " ' ' request with
    [ "" -> ""
    | x ->
        let str = String.create (int_of_string x) in
        do {
          for i = 0 to String.length str - 1 do {
            str.[i] :=
              match strm with parser
              [ [: `x :] -> x
              | [: :] -> ' ' ];
          };
          str
        } ]
  in
  (request, content)
;

value string_of_sockaddr =
  fun
  [ Unix.ADDR_UNIX s -> s
  | Unix.ADDR_INET a _ -> Unix.string_of_inet_addr a ]
;
value sockaddr_of_string s = Unix.ADDR_UNIX s;

value treat_connection tmout callback addr fd =
  do {
    ifdef NOFORK then ()
    else ifdef UNIX then
      if tmout > 0 then
        let spid = Unix.fork () in
        if spid > 0 then do {
          let _ (* : Sys.signal_behavior *) =
             Sys.signal Sys.sigalrm
               (Sys.Signal_handle (timeout tmout spid))
          in ();
          let _ = Unix.alarm tmout in ();
          let _ = Unix.waitpid [] spid in ();
          let _ (* : Sys.signal_behavior *) =
            Sys.signal Sys.sigalrm Sys.Signal_default
          in ();
          exit 0;
        }
        else ()
      else ()
    else ();
    let (request, script_name, contents) =
      let (request, contents) =
        let strm =
          let c = " " in
          Stream.from
            (fun _ -> if Unix.read fd c 0 1 = 1 then Some c.[0] else None)
        in
        get_request_and_content strm
      in
      let (script_name, contents) =
        match extract_param "GET /" ' ' request with
        [ "" -> (extract_param "POST /" ' ' request, contents)
        | str ->
            try
              let i = String.index str '?' in
              (String.sub str 0 i,
               String.sub str (i + 1) (String.length str - i - 1))
            with
            [ Not_found -> (str, "") ] ]
      in
      (request, script_name, contents)
    in
    if script_name = "robots.txt" then do {
      http "";
      wprint "Content-type: text/plain"; nl (); nl ();
      wprint "User-Agent: *"; nl ();
      wprint "Disallow: /"; nl ();
      wflush ();
      Printf.eprintf "Robot request\n";
      flush stderr;
    }
    else do {
      try callback (addr, request) script_name contents with
      [ Unix.Unix_error Unix.EPIPE "write" _ -> ()
      | exc -> print_err_exc exc ];
      try wflush () with _ -> ();
      try flush stderr with _ -> ();
    };
  }
;

value buff = String.create 1024;

ifdef WIN95 then
value copy_what_necessary t oc =
  let strm =
    let len = ref 0 in
    let i = ref 0 in
    Stream.from
      (fun _ ->
	 do {
           if i.val >= len.val then do {
             len.val := Unix.read t buff 0 (String.length buff);
	     i.val := 0;
	     if len.val > 0 then output oc buff 0 len.val else ();
           }
	   else ();
           if len.val == 0 then None
	   else do { incr i; Some buff.[i.val - 1] }
         })
  in
  let _ = get_request_and_content strm in
  ()
;

value rec list_remove x =
  fun
  [ [] -> failwith "list_remove"
  | [y :: l] -> if x = y then l else [y :: list_remove x l] ]
;

ifdef NOFORK then declare end else
value pids = ref [];
ifdef NOFORK then declare end else
value cleanup_verbose = ref True;
ifdef NOFORK then declare end else
value cleanup_sons () =
  List.iter
    (fun p ->
       let pid =
         try fst (Unix.waitpid [Unix.WNOHANG] p) with
         [ Unix.Unix_error _ _ _ as exc ->
             do {
               if cleanup_verbose.val then do {
                 Printf.eprintf "*** Why error on waitpid %d?\n" p;
                 flush stderr;
                 print_exc exc;
                 Printf.eprintf "[";
                 List.iter (fun p -> Printf.eprintf " %d" p) pids.val;
                 Printf.eprintf "]\n";
                 flush stderr;
                 cleanup_verbose.val := False;
               }
               else ();
               p
             } ]
       in
       if pid = 0 then ()
       else pids.val := list_remove pid pids.val)
     pids.val
;

ifdef NOFORK then declare end else
value wait_available max_clients s =
  match max_clients with
  [ Some m ->
      do {
        if List.length pids.val >= m then
(*
let tm = Unix.localtime (Unix.time ()) in
let _ = do { Printf.eprintf "*** %02d/%02d/%4d %02d:%02d:%02d " tm.Unix.tm_mday (succ tm.Unix.tm_mon) (1900 + tm.Unix.tm_year) tm.Unix.tm_hour tm.Unix.tm_min tm.Unix.tm_sec; Printf.eprintf "%d clients running; waiting...\n" m; flush stderr; } in
*)
          let (pid, _) = Unix.wait () in
(*
let tm = Unix.localtime (Unix.time ()) in
let _ = do { Printf.eprintf "*** %02d/%02d/%4d %02d:%02d:%02d " tm.Unix.tm_mday (succ tm.Unix.tm_mon) (1900 + tm.Unix.tm_year) tm.Unix.tm_hour tm.Unix.tm_min tm.Unix.tm_sec; Printf.eprintf "ok: place for another client\n"; flush stderr; } in
*)
          pids.val := list_remove pid pids.val
        else ();
        if pids.val <> [] then cleanup_sons () else ();
        let stop_verbose = ref False in
        while pids.val <> [] && Unix.select [s] [] [] 15.0 = ([], [], []) do {
          cleanup_sons ();
          if pids.val <> [] && not stop_verbose.val then do {
            stop_verbose.val := True;
            let tm = Unix.localtime (Unix.time ()) in
Printf.eprintf "*** %02d/%02d/%4d %02d:%02d:%02d %d process(es) remaining after cleanup (%d)\n" tm.Unix.tm_mday (succ tm.Unix.tm_mon) (1900 + tm.Unix.tm_year) tm.Unix.tm_hour tm.Unix.tm_min tm.Unix.tm_sec (List.length pids.val) (List.hd pids.val); flush stderr; ()
          }
          else ();
        };
      }
  | None -> () ]
;

value wait_and_compact s =
  if Unix.select [s] [] [] 15.0 = ([], [], []) then do {
    Printf.eprintf "Compacting... "; flush stderr;
    Gc.compact ();
    Printf.eprintf "Ok\n"; flush stderr;
  }
  else ()
;

value skip_possible_remaining_chars fd =
  do {
    let b = "..." in
    try
      loop () where rec loop () =
        match Unix.select [fd] [] [] 5.0 with
        [ ([_], [], []) ->
            let len = Unix.read fd b 0 (String.length b) in
            if len = String.length b then loop () else ()
        | _ -> () ]
    with
    [ Unix.Unix_error Unix.ECONNRESET _ _ -> () ]
  }
;

value accept_connection tmout max_clients callback s =
  do {
    ifdef NOFORK then wait_and_compact s
    else if noproc.val then wait_and_compact s
    else wait_available max_clients s;
    let (t, addr) = Unix.accept s in
    Unix.setsockopt t Unix.SO_KEEPALIVE True;
    ifdef NOFORK then
      let cleanup () =
        do {
          try Unix.shutdown t Unix.SHUTDOWN_SEND with _ -> ();
          try Unix.shutdown t Unix.SHUTDOWN_RECEIVE with _ -> ();
          try Unix.close t with _ -> ();
        }
      in
      do {
        wserver_oc.val := Unix.out_channel_of_descr t;
        treat_connection tmout callback addr t;
        cleanup ();
      }
    else ifdef UNIX then
      match try Some (Unix.fork ()) with _ -> None with
      [ Some 0 ->
          do {
            try do {
              if max_clients = None && Unix.fork () <> 0 then exit 0 else ();
              Unix.close s;
              Unix.dup2 t Unix.stdout;
              Unix.dup2 t Unix.stdin;
(*  
   j'ai l'impression que cette fermeture fait parfois bloquer le serveur...
              try Unix.close t with _ -> ();
*)
              treat_connection tmout callback addr t;
            }
            with
            [ Unix.Unix_error Unix.ECONNRESET "read" _ -> ()
            | exc ->
                try do { print_err_exc exc; flush stderr; }
                with _ -> () ];
            try Unix.shutdown t Unix.SHUTDOWN_SEND with _ -> ();
            try Unix.shutdown Unix.stdout Unix.SHUTDOWN_SEND with _ -> ();
            skip_possible_remaining_chars t;
            try Unix.shutdown t Unix.SHUTDOWN_RECEIVE with _ -> ();
            try Unix.shutdown Unix.stdin Unix.SHUTDOWN_RECEIVE with _ -> ();
            exit 0
          }
      | Some id ->
          do {
            Unix.close t;
            if max_clients = None then let _ = Unix.waitpid [] id in ()
            else pids.val := [id :: pids.val];
          }
      | None ->
          do { Unix.close t; Printf.eprintf "Fork failed\n"; flush stderr } ]
    else do {
      let oc = open_out_bin sock_in.val in
      let cleanup () = try close_out oc with _ -> () in
      try copy_what_necessary t oc with
      [ Unix.Unix_error _ _ _ -> ()
      | exc -> do { cleanup (); raise exc } ];
      cleanup ();
      ifdef SYS_COMMAND then
        let comm =
          let stringify_if_spaces s =
            try let _ = String.index s ' ' in "\"" ^ s ^ "\"" with
            [ Not_found -> s ]
          in
          List.fold_left (fun s a -> s ^ stringify_if_spaces a ^ " ") ""
            (Array.to_list Sys.argv) ^
          "-wserver " ^ string_of_sockaddr addr
        in
        let _ = Sys.command comm in ()
      else if noproc.val then do {
        let fd = Unix.openfile sock_in.val [Unix.O_RDONLY] 0 in
        let oc = open_out_bin sock_out.val in
        wserver_oc.val := oc;
        treat_connection tmout callback addr fd;
        flush oc;
        close_out oc;
        Unix.close fd;
      }
      else
        let pid =
          let env =
            Array.append (Unix.environment ())
              [| "WSERVER=" ^ string_of_sockaddr addr |]
          in
(*
          let args = Array.map (fun x -> "\"" ^ x ^ "\"") Sys.argv in
*)
let args = Sys.argv in
(**)
          Unix.create_process_env Sys.argv.(0) args env Unix.stdin
            Unix.stdout Unix.stderr
        in
        let _ = Unix.waitpid [] pid in
        let ic = open_in_bin sock_in.val in
        let request = get_request (Stream.of_channel ic) in
        close_in ic
      ;
      let cleanup () =
        do {
          try Unix.shutdown t Unix.SHUTDOWN_SEND with _ -> ();
          skip_possible_remaining_chars t;
          try Unix.shutdown t Unix.SHUTDOWN_RECEIVE with _ -> ();
          try Unix.close t with _ -> ();
        }
      in
      try
        let ic = open_in_bin sock_out.val in
        let cleanup () = try close_in ic with _ -> () in
        do {
          try
            loop () where rec loop () =
              let len = input ic buff 0 (String.length buff) in
              if len == 0 then ()
              else do {
                loop_write 0 where rec loop_write i =
                  let olen = Unix.write t buff i (len - i) in
                  if i + olen < len then loop_write (i + olen) else ();
                loop ()
              }
          with
          [ Unix.Unix_error _ _ _ -> ()
          | exc -> do { cleanup (); raise exc } ];
          cleanup ();
        }
      with
      [ Unix.Unix_error _ _ _ -> ()
      | exc -> do { cleanup (); raise exc } ];
      cleanup ();
    }
  }
;

value f addr_opt port tmout max_clients g =
  match
    ifdef NOFORK then None
    else ifdef WIN95 then
      ifdef SYS_COMMAND then
        let len = Array.length Sys.argv in
        if len > 2 && Sys.argv.(len - 2) = "-wserver" then
          Some Sys.argv.(len - 1)
        else None
      else
        try Some (Sys.getenv "WSERVER") with [ Not_found -> None ]
    else None
  with
  [ Some s ->
      ifdef NOFORK then ()
      else ifdef WIN95 then do {
        let addr = sockaddr_of_string s in
        let fd = Unix.openfile sock_in.val [Unix.O_RDONLY] 0 in
        let oc = open_out_bin sock_out.val in
        wserver_oc.val := oc;
        ignore (treat_connection tmout g addr fd);
        exit 0
      }
      else ()
  | None ->
      let addr =
        match addr_opt with
        [ Some addr ->
            try Unix.inet_addr_of_string addr with
            [ Failure _ -> (Unix.gethostbyname addr).Unix.h_addr_list.(0) ]
        | None -> Unix.inet_addr_any ]
      in
      let s = Unix.socket Unix.PF_INET Unix.SOCK_STREAM 0 in
      do {
        Unix.setsockopt s Unix.SO_REUSEADDR True;
        Unix.bind s (Unix.ADDR_INET addr port);
        Unix.listen s 4;
        ifdef NOFORK then Sys.set_signal Sys.sigpipe Sys.Signal_ignore
        else ifdef UNIX then let _ = Unix.nice 1 in ()
        else ();
        let tm = Unix.localtime (Unix.time ()) in
        Printf.eprintf "Ready %4d-%02d-%02d %02d:%02d port"
          (1900 + tm.Unix.tm_year) (succ tm.Unix.tm_mon) tm.Unix.tm_mday
          tm.Unix.tm_hour tm.Unix.tm_min;
        Printf.eprintf " %d" port;
        Printf.eprintf "...\n";
        flush stderr;
        while True do {
          try accept_connection tmout max_clients g s with
          [ Unix.Unix_error Unix.ECONNRESET "accept" _ -> ()
          | Unix.Unix_error (Unix.EBADF | Unix.ENOTSOCK) "accept" _ as x ->
              (* oops! *) raise x
          | exc -> print_err_exc exc ];
          try wflush () with [ Sys_error _ -> () ];
          try flush stdout with [ Sys_error _ -> () ];
          flush stderr;
        };
      } ]
;
why-2.34/src/predDefExpansor.mli0000644000175000017500000000573212311670312015207 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


val inductive_inverse_body : 
    Ident.t ->  (* predicate name *)
    (Ident.t * Logic.pure_type) list -> (* binders *)
    (Ident.t * Logic.predicate) list -> (* inductive cases *) 
      Logic.predicate (* predicate body *)

val function_def :
  Logic_decl.loc -> Ident.t -> Logic.function_def Env.scheme
  -> Logic_decl.t list

val predicate_def :
  Logic_decl.loc -> Ident.t -> Logic.predicate_def Env.scheme
  -> Logic_decl.t list

val inductive_def : 
  Logic_decl.loc -> Ident.t -> Logic.inductive_def Env.scheme 
  -> Logic_decl.t list

val algebraic_type :
  (Logic_decl.loc * Ident.t * Logic.alg_type_def Env.scheme) list
  -> Logic_decl.t list

val push: recursive_expand:bool -> Logic_decl.t -> Logic_decl.t

why-2.34/src/main.ml0000644000175000017500000005673412311670312012701 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Options
open Ptree
open Ast
open Cc
open Types
open Env
open Typing
open Format
open Error
open Report
open Misc
open Util
open Logic
open Logic_decl


(*s Prover dependent functions. *)


let declarationQueue = Queue.create ()

let reset () =
  (*Queue.clear declarationQueue ;*)
  Vcg.logs := []; 
  match prover () with
    | Pvs -> Pvs.reset ()
    | Coq _ -> Coq.reset ()
    | HolLight -> Holl.reset ()
    | Mizar -> Mizar.reset ()
    | Isabelle -> Isabelle.reset ()
    | Hol4 -> Hol4.reset ()
    | SmtLib ->  ()
    | Harvey | Simplify | Zenon | Z3 | CVCLite  | Gappa | Vampire
    | Ergo | Why | MultiWhy | MultiAltergo | Why3 | Dispatcher 
    | WhyProject -> ()

let add_loc = function
  | Dtype (loc, s, _)
  | Dlogic (loc, s, _) -> Loc.add_ident (Ident.string s) loc
  | Dalgtype ls ->
      List.iter (fun (loc, s, _) -> Loc.add_ident (Ident.string s) loc) ls
  | Daxiom (loc, s, _) (* useful? *) -> Loc.add_ident s loc
  | Dpredicate_def (_loc, _s, _)
  | Dfunction_def (_loc, _s, _) 
  | Dinductive_def (_loc, _s , _) -> () (* TODO ? *)
  | Dgoal _ -> ()

let store_decl_into_a_queue d  = 
  Queue.push d declarationQueue


(** push the declarations  in the corresponding 
    prover and stores them (or their expansed version) into 
    declarationQueue **)
let push_decl _vloc d = 
  add_loc d;
  if (not pruning) && (Options.pruning_hyp_v = -1) then
    begin 
      let pushing = 
	match prover () with
	  | Pvs -> Pvs.push_decl
	  | Coq _ -> Coq.push_decl 
	  | HolLight -> Holl.push_decl 
	  | Mizar -> Mizar.push_decl
	  | Isabelle -> Isabelle.push_decl
	  | Hol4 -> Hol4.push_decl
	  | Gappa -> Gappa.push_decl 
	  | MultiWhy (* // Moy -> Marche NO destroy eclipse plugin
			-> Pretty.push_or_output_decl *)
	  | Why | WhyProject -> Pretty.push_decl ~ergo:false
          | Why3 -> Why3.push_decl
	  | Ergo | MultiAltergo -> Pretty.push_decl ~ergo:true
	  | Dispatcher -> 
(*
	      (fun d ->
		 (* push for Dispatcher, used by Gwhy *)
*)
	      Dispatcher.push_decl
(*
		 if prover ~ignore_gui:true () = WhyProject then
		   (* also push for project, used by GWhy/Coq column *)
		   Pretty.push_decl ~ergo:false d)
*)
	  | Harvey -> Harvey.push_decl
	  | Simplify | Vampire -> Simplify.push_decl
	  | Zenon -> Zenon.push_decl
	  | Z3 -> Z3.push_decl
	  | CVCLite -> Cvcl.push_decl
	  | SmtLib -> Smtlib.push_decl 
      in
      let decl =
	match defExpanding with
	  | NoExpanding -> d
	  | Options.Goal -> PredDefExpansor.push ~recursive_expand:false d 
	  | All -> PredDefExpansor.push ~recursive_expand:true d 
      in
      pushing decl ;
      store_decl_into_a_queue decl 
    end
  else
      let decl =
	match defExpanding with
	  | NoExpanding -> d
	  | Options.Goal -> PredDefExpansor.push ~recursive_expand:false d 
	  | All -> PredDefExpansor.push ~recursive_expand:true d 
      in
      store_decl_into_a_queue decl
	
	
let push_obligations vloc = 
  List.iter 
    (fun (loc,_is_lemma,expl,id,s) -> 
      let (loc,expl,id,s) = 
	if pruning_hyp_v != -1 then 
	  Hypotheses_filtering.reduce (loc, expl, id, s) declarationQueue
	else
	  (loc, expl, id, s)
      in
      push_decl vloc (Dgoal(loc, false, expl, id, generalize_sequent s))
    ) 



let prover_is_coq = match prover () with Coq _ -> true | _ -> false

let push_validation id tt v = 
  if valid && prover_is_coq then Coq.push_validation id tt v

let is_pure_type_scheme s = is_pure_type_v s.scheme_type

let push_parameter id _v tv = match prover () with
  | Coq _ -> 
      if valid then Coq.push_parameter id tv
  | Pvs | HolLight | Isabelle | Hol4 | Mizar
  | Harvey | Simplify | Vampire | Zenon | Z3 | SmtLib | Gappa 
  | CVCLite | Ergo | Why | MultiWhy | MultiAltergo
  | Dispatcher | WhyProject | Why3 ->
      ()

let output is_last fwe =
  if wol then begin
    let cout = Options.open_out_file (fwe ^ ".wol") in
    output_value cout !Vcg.logs;
    Options.close_out_file cout
  end else if ocaml then 
    Pp.print_in_file Ocaml.output (Options.out_file "out")
  else begin match prover () with
    | Pvs -> Pvs.output_file fwe
    | Coq _ -> Coq.output_file is_last fwe
    | HolLight -> Holl.output_file fwe
    | Mizar -> Mizar.output_file fwe    
    | Harvey -> Harvey.output_file fwe
    | Simplify -> Simplify.output_file ~allowedit:true (fwe ^ "_why.sx")
    | Vampire -> Simplify.output_file ~allowedit:true (fwe ^ "_why.vp")
    | CVCLite -> Cvcl.output_file ~allowedit:true (fwe ^ "_why.cvc")
    | Zenon -> Zenon.output_file ~allowedit:true (fwe ^ "_why.znn")
    | Z3 ->  Z3.output_file fwe
    | SmtLib ->  Smtlib.output_file (fwe ^ "_why.smt")
    | Isabelle -> Isabelle.output_file fwe
    | Hol4 -> Hol4.output_file fwe
    | Gappa -> Gappa.output_file (fwe ^ "_why.gappa")
    | Dispatcher -> ()
(*
	if prover (* ~ignore_gui:true*)  () = WhyProject then
	  (* output project, used by GWhy/Coq column *)
	  Options.gui_project := Some(Pretty.output_project fwe)
*)
    | Ergo -> Pretty.output_file ~ergo:true (fwe ^ "_why.why")  
    | Why -> Pretty.output_file ~ergo:false (fwe ^ "_why.why") 
    | Why3 -> Why3.output_file fwe
    | MultiWhy | MultiAltergo -> Pretty.output_files fwe
    | WhyProject -> ignore(Pretty.output_project fwe)
  end



(** This method aims at translating the theory  according to
    the selected encoding  
    @q is the queue of  theory that will be modified
**)
let encode q = 
  let callEncoding d =  match prover () with
    | Pvs -> Pvs.push_decl d
    | Coq _ -> Coq.push_decl d
    | HolLight -> Holl.push_decl d
    | Mizar -> Mizar.push_decl d
    | Isabelle -> Isabelle.push_decl d
    | Hol4 -> Hol4.push_decl d
    | Gappa -> Gappa.push_decl d  
    | Why | MultiWhy | WhyProject -> Pretty.push_decl d
    | Ergo | MultiAltergo -> Pretty.push_decl ~ergo:true d
    | Dispatcher -> Dispatcher.push_decl d      
    | Harvey -> Harvey.push_decl d
    | Simplify -> Simplify.push_decl d
    | Vampire -> Simplify.push_decl d
    | Zenon -> Zenon.push_decl d
    | Z3 -> Z3.push_decl d
    | CVCLite -> Cvcl.push_decl d
    | SmtLib -> Smtlib.push_decl d
    | Why3 -> Why3.push_decl d
  in
  Queue.iter callEncoding q 
 
(*s Processing of a single declaration [let id = p]. *)

let print_if_debug p x = if_debug_3 eprintf "  @[%a@]@." p x

let interp_program loc id p =
  reset_names ();
  let ploc = p.ploc in
  if_verbose_3 eprintf "*** interpreting program %a@." Ident.print id;

  if_debug eprintf "* typing with effects@.";
  let env = Env.empty_progs () in
  let p = Typing.typef Label.empty env p in
  if effect p <> Effect.bottom then
    raise_located ploc (GlobalWithEffects (id, effect p));
  let c = type_c_of_typing_info [] p.info in
  let c = 
    { c with c_post = optpost_app (change_label p.info.t_label "") c.c_post }
  in
  let v = c.c_result_type in
  check_for_not_mutable ploc v;
  Env.add_global id v None;
  print_if_debug print_type_c c;
  print_if_debug print_expr p;
  if type_only then raise Exit;

  if_debug eprintf "* weakest preconditions@.";
  let p,wp = 
    if fast_wp then
      let w = Fastwp.wp p in
      p, Some (wp_named p.info.t_loc w)
    else
      Wp.wp p 
  in
  print_if_debug print_wp wp;

  if wp_only then raise Exit;

  if ocaml then begin Ocaml.push_program id p; raise Exit end;

  (***
      if_debug eprintf "* functionalization@.";
      let ren = initial_renaming env in
      let cc = Mlize.trad p ren in
      if_debug_3 eprintf "  %a@\n  -----@." print_cc_term cc;
      let cc = Red.red cc in
      print_if_debug print_cc_term cc;
  ***)

  if_debug eprintf "* generating obligations@.";
  let ids = Ident.string id in

  let (name,beh,loc) as vloc =
    try 
      let (f,l,b,e,o) = 
	Hashtbl.find locs_table ids 
      in 
      let name = 
	match List.assoc "name" o with
	  | Rc.RCident s -> s
	  | Rc.RCstring s -> s
	  | _ -> raise Not_found		  
      in
      let beh = 
	match List.assoc "behavior" o with
	  | Rc.RCstring s -> s
	  | _ -> raise Not_found		  
      in
      (name,beh,(f,l,b,e))
    with Not_found -> ("function "^ids,"Correctness", Loc.extract loc)
      
  in
  Hashtbl.add program_locs ids vloc;

  (*let ol,v = Vcg.vcg ids cc in*)
  begin match wp with
    | None -> 
	if_debug eprintf "no WP => no obligation@."
    | Some wp -> 
	if_debug eprintf "VCs from WP...@?";
	let ol,pr = Vcg.vcg_from_wp loc ids name beh wp in
	if_debug eprintf "done@.";
	push_obligations vloc ol;
	push_validation (ids ^ "_wp") (TTpred wp.a_value) (CC_hole pr)
  end;

  if valid then
    let ren = initial_renaming env in
    let tt = Monad.trad_type_c ren env c in
    let ren = initial_renaming env in
    let _cc = Red.red (Mlize.trad p ren) in
      Coq.push_parameter (ids ^ "_valid") tt;
(*      Coq.push_program (ids ^ "_functional") tt cc; *)
    (*** TODO
	 push_validation ids tt v;
	 if_verbose_2 eprintf "%d proof obligation(s)@\n@." (List.length ol);
    ***)
    flush stderr

(*s Processing of a program. *)

let add_external loc v id =
  if Env.is_global id then raise_located loc (Clash id);
  Env.add_global_gen id v None

let add_parameter v tv id =
  push_parameter (Ident.string id) v tv

let rec is_a_type_var = function
  | PTvar { type_val = None } -> true
  | PTvar { type_val = Some t } -> is_a_type_var t
  | _ -> false

let rec polymorphic_pure_type = function
  | PTvar { type_val = None } -> true
  | PTexternal (l,_) -> List.exists polymorphic_pure_type l
  | PTint | PTbool | PTreal | PTunit | PTvar _ -> false

let cannot_be_generalized = function
  | Ref _ -> true
  | PureType pt -> is_a_type_var pt
  | Arrow _ -> false

let logic_type_is_var = function
  | Function ([], pt) -> is_a_type_var pt
  | Function _ | Predicate _ -> false

let check_duplicate_params l =
  let rec loop l acc =
    match l with
      | [] -> ()
      | (loc,x,_)::rem ->
	  if Ident.Idset.mem x acc then
	    raise_located loc (ClashParam x)
	  else loop rem (Ident.Idset.add x acc)
  in
  loop l Ident.Idset.empty

let check_duplicate_binders loc ty =
  let rec check acc = function
    | PVpure _ | PVref _ -> ()
    | PVarrow (l, ty) ->
	let rec loop l acc =
	  match l with
	    | [] -> acc
	    | (x,_)::rem when x = Ident.anonymous ->
		loop rem acc
	    | (x,_)::rem ->
		if Ident.Idset.mem x acc then
		  raise_located loc (ClashParam x)
		else loop rem (Ident.Idset.add x acc)
	in
	check (loop l acc) ty.pc_result_type
  in
  check Ident.Idset.empty ty


(** [check_clausal_form loc pi a] checks whether the assertion [a] 
    has a valid clausal form 
      \forall x_1,.., x_k. P1 -> ... -> P_n -> P
    where P is headed by pi and pi has only positive occurrences in P1 .. Pn
*)

let rec occurrences pi a =
  match a with
  | Ptrue | Pfalse -> (0,0)
  | Papp (id, _, _) -> ((if id == pi then 1 else 0),0)
  | Pimplies (_, p1, p2) -> 
      let (pos1,neg1) = occurrences pi p1 in
      let (pos2,neg2) = occurrences pi p2 in
      (neg1+pos2,pos1+neg2)
  | Pand (_, _, p1, p2) -> 
      let (pos1,neg1) = occurrences pi p1 in
      let (pos2,neg2) = occurrences pi p2 in
      (pos1+pos2,neg1+neg2)
  | Pnot p1 -> 
      let (pos1,neg1) = occurrences pi p1 in (neg1,pos1)
  | Forall (_is_wp, _id1, _id2, _typ, _triggers, _p) -> 
      assert false (* TODO *)
      (* occurrences pi p *)
  | Pnamed (_, _) -> assert false (* TODO *)
  | Exists (_, _, _, _)  -> assert false (* TODO *)
  | Forallb (_, _, _)  -> assert false (* TODO *)
  | Piff (_, _) -> assert false (* TODO *)
  | Por (_, _) -> assert false (* TODO *)
  | Pif (_, _, _) -> assert false (* TODO *)
  | Pvar _ -> assert false (* TODO *)
  | Plet _ -> assert false (* TODO *)

let rec check_unquantified_clausal_form loc id a =
  match a with
    | Pimplies (_, p1, p2) -> 
	check_unquantified_clausal_form loc id p2;
	let (_pos1,neg1) = occurrences id p1 in
	if neg1 > 0 then 
	  raise_located loc 
	    (AnyMessage 
               "inductive predicate has a negative occurrence in this case")
    | Papp(pi,_,_) -> 
	if pi != id then
	  raise_located loc 
	    (AnyMessage 
               "head of clause does not contain the inductive predicate")
    | _ -> 
	  raise_located loc 
	    (AnyMessage "this case is not in clausal form")
	

let rec check_clausal_form loc id a =
  match a with
    | Forall (_is_wp, _id1, _id2, _typ, _triggers, p) -> 
	check_clausal_form loc id p
    | _ -> check_unquantified_clausal_form loc id a

let loaded_files = Hashtbl.create 17

let rec interp_decl ?(_prelude=false) d = 
  let lab = Label.empty in
  match d with 
    | Include (loc,s) ->
	let file =
	  if Sys.file_exists s then s else lib_file s
	in
	begin
	  try
	    if Hashtbl.find loaded_files file then ()
	    else raise_located loc 
	      (AnyMessage "circular inclusion")
	  with Not_found ->
	    Hashtbl.add loaded_files file false;
	    load_file file;
	    Hashtbl.add loaded_files file true;	    
	  end
    | Program (loc,id, p) ->
	if Env.is_global id then raise_located p.ploc (Clash id);
	(try interp_program loc id p with Exit -> ())
    | Parameter (loc, ext, ids, v) ->
	let env = Env.empty_progs () in
	check_duplicate_binders loc v;
	let v = Ltyping.type_v loc lab env v in
	if ext && is_mutable v then raise_located loc MutableExternal;
	let gv = Env.generalize_type_v v in
	let v_spec = snd (specialize_type_scheme gv) in
	if not (Vset.is_empty gv.scheme_vars) && cannot_be_generalized v_spec 
	then
	  raise_located loc CannotGeneralize;
	List.iter (add_external loc gv) ids;
	if ext && ocaml_externals || ocaml then 
	  Ocaml.push_parameters ids v_spec;
	if valid && not ext && not (is_mutable v_spec) then begin
	  let tv = Monad.trad_scheme_v (initial_renaming env) env gv in
	  List.iter (add_parameter gv tv) ids
	end
    | Exception (loc, id, v) ->
	let env = Env.empty_progs () in
	if is_exception id then raise_located loc (ClashExn id);
	let v = option_app (Ltyping.pure_type env) v in
	begin match v with
	  | Some pt when polymorphic_pure_type pt ->
	      raise_located loc CannotGeneralize
	  | _ -> () 
	end;
	add_exception id v
    | Logic (loc, ext, ids, t) ->
	let add id =
	  if is_global_logic id then raise_located loc (Clash id);
	  let t = Ltyping.logic_type t in
	  if logic_type_is_var t then raise_located loc CannotGeneralize;
	  let t = generalize_logic_type t in
	  add_global_logic id t;
	  if ext then 
	    begin 
	      Monomorph.add_external id ;
	    end
	  else
	    begin
	      push_decl ("","",Loc.dummy_floc) 
                (Dlogic (Loc.extract loc, id, t));
	    end 
	in
	List.iter add ids
    | Predicate_def (loc, id, pl, p) ->
	let env = Env.empty_logic () in
	if is_global_logic id then raise_located loc (Clash id);
	check_duplicate_params pl;
	let pl = List.map (fun (_,x,t) -> (x, Ltyping.pure_type env t)) pl in
	let t = Predicate (List.map snd pl) in
	let env' = List.fold_right (fun (x,pt) -> add_logic x pt) pl env in
	let p = Ltyping.predicate lab env' p in
	add_global_logic id (generalize_logic_type t);
	let p = generalize_predicate_def (pl,p) in
	push_decl ("","",Loc.dummy_floc) (
	  Dpredicate_def (Loc.extract loc, id, p))
    | Inductive_def(loc,id,t,indcases) ->
	let env = Env.empty_logic () in
	if is_global_logic id then raise_located loc (Clash id);
	let pl = 
	  match Ltyping.logic_type t with
	    | Function _ -> raise_located loc 
                (AnyMessage "only predicates can be inductively defined")
	    | Predicate l -> l
	in
	(* add id first because indcases contain id, without generalization *)
	add_global_logic id (empty_scheme (Predicate pl));
	let l =
	  List.map (fun (loc,i,p) ->
		      let p = Ltyping.predicate lab env p in
		      if is_global_logic i then raise_located loc (Clash i);
		      check_clausal_form loc id p;
		      (i,p))
	    indcases
	in
	let d = generalize_inductive_def (pl,l) in
	push_decl ("","",Loc.dummy_floc) 
	  (Dinductive_def (Loc.extract loc, id, d))
    | Function_def (loc, id, pl, ty, e) ->
	let env = Env.empty_logic () in
	if is_global_logic id then raise_located loc (Clash id);
	check_duplicate_params pl;
	let pl = List.map (fun (_,x,t) -> (x, Ltyping.pure_type env t)) pl in
	let ty = Ltyping.pure_type env ty in
	let t = Function (List.map snd pl, ty) in
	let env' = List.fold_right (fun (x,pt) -> add_logic x pt) pl env in
	let e,ty' = Ltyping.term lab env' e in
	if not (Ltyping.unify ty ty') then 
	  Ltyping.expected_type loc (PureType ty);
	add_global_logic id (generalize_logic_type t);
	let f = generalize_function_def (pl,ty,e) in
	push_decl ("","",Loc.dummy_floc) 
	  (Dfunction_def (Loc.extract loc, id, f))
    | Goal(loc, KAxiom, id, p) ->
	let env = Env.empty_logic () in
	let p = Ltyping.predicate lab env p in
	let p = generalize_predicate p in
	push_decl ("","",Loc.dummy_floc) 
          (Daxiom (Loc.extract loc, Ident.string id, p))

    | Goal(loc, kind, id, p) ->
	let env = Env.empty_logic () in
	let p = Ltyping.predicate lab env p in
	let s = ([], p) in
	let l = 
	  try
	    Util.loc_of_label (Ident.string id)
	  with Not_found -> Loc.extract loc
	in
	let xpl =
	  { lemma_or_fun_name = Ident.string id;
	    behavior = "";
	    vc_loc = l;
	    vc_kind = if kind = KLemma then EKLemma else EKCheck;
            vc_label = None;
	  }
	in
	let (l,xpl,id,s) = 
	  if Options.pruning_hyp_v != -1 then
	    (Hypotheses_filtering.reduce (l, xpl, Ident.string id, s) 
               declarationQueue)
	  else	  
	    (l, xpl, Ident.string id, s) 
	in
	let s= generalize_sequent s in 
	let dg = 
	    Dgoal (l, kind = KLemma, xpl, id, s) 
	in
	let ids = id in
	let vloc =
	  try 
	    let (f,l,b,e,o) = Hashtbl.find locs_table ids in 
	    let name = 
	      match List.assoc "name" o with
		| Rc.RCident s -> s
		| Rc.RCstring s -> s
		| _ -> raise Not_found		  
	    in
	    (name,"Validity",(f,l,b,e))
	  with Not_found -> ("goal "^ids,"Validity", Loc.extract loc)
	in
	Hashtbl.add program_locs ids vloc;
	push_decl ("","",Loc.dummy_floc) dg

    | TypeDecl (loc, ext, vl, id) ->
	Env.add_type loc vl id;
	let vl = List.map Ident.string vl in
	if not ext then 
	  push_decl ("","",Loc.dummy_floc) (Dtype (Loc.extract loc, id, vl))

    | AlgType ls ->
      let ats (loc, vl, id, td) =
        let d = Env.generalize_alg_type (Ltyping.alg_type id vl td) in
        let vs,cs = d.Env.scheme_type in
        let th = PTexternal (vs, id) in
        let add_constructor (c, pl) =
          if is_global_logic c then raise_located loc (Clash c);
          let t = Env.generalize_logic_type (Function (pl,th)) in
          Env.add_global_logic c t;
          let r = ref 1 in
          let add_proj t =
            let pr = Ident.proj_id c !r in
            let pt = Env.generalize_logic_type (Function ([th],t)) in
            if is_global_logic pr then raise_located loc (Clash pr);
            Env.add_global_logic pr pt; incr r
          in
          List.iter add_proj pl;
          c
        in
        Env.set_constructors id (List.map add_constructor cs);
        let mt = Ident.match_id id in
        let nt = PTvar (Env.new_type_var()) in
        let ns = List.map (fun _ -> nt) cs in
        let tm = Env.generalize_logic_type (Function (th::ns,nt)) in
        if is_global_logic mt then raise_located loc (Clash mt);
        Env.add_global_logic mt tm;
        (Loc.extract loc, id, d)
      in
        List.iter (fun (loc, vl, id, _td) -> Env.add_type loc vl id) ls;
        push_decl ("","",Loc.dummy_floc) (Dalgtype (List.map ats ls))

(*s Prelude *)

and load_file ?(_prelude=false) f =
  let c = open_in f in
  let p = Lexer.parse_file (Lexing.from_channel c) in
  List.iter (interp_decl ~_prelude) p;
  close_in c

let load_prelude () =
  try
    List.iter (load_file ~_prelude:true) lib_files_to_load;
    begin match prover () with
      | Simplify | Vampire when no_simplify_prelude -> Simplify.reset ()
      | _ -> ()
    end
  with e ->
    eprintf "anomaly while reading prelude: %a@." Report.explain_exception e;
    exit 1

(*s Processing of a channel / a file. *)

let why_parser f c = 
  let lb = Lexing.from_channel c in
  lb.Lexing.lex_curr_p <- { lb.Lexing.lex_curr_p with Lexing.pos_fname = f };
  Lexer.parse_file lb
    
let deal_channel parsef cin =
  let p = parsef cin in
  if not parse_only then List.iter interp_decl p

let single_file () = match prover () with
  | Simplify | Vampire | Harvey | Zenon | Z3 | CVCLite | Gappa | Dispatcher 
  | SmtLib | Ergo | Why | MultiWhy | MultiAltergo | WhyProject | Why3 -> true
  | Coq _ | Pvs | Mizar | Hol4 | HolLight | Isabelle -> false

let deal_file is_last f =
  reset ();
  let cin = open_in f in 
  deal_channel (why_parser f) cin;
  close_in cin;
  if not type_only then
    let fwe = Filename.chop_extension f in
    if not (single_file ()) then output is_last fwe

let rec iter_with_last f = function
  | [] -> ()
  | [x] -> f true x
  | x::l -> f false x; iter_with_last f l

let delete_old_vcs files =
   let base_name = Filename.chop_extension (last files) in
   let cnt = ref 1 in
   try
      while true do
         let po_name = base_name ^ "_po" ^ string_of_int !cnt ^ ".why" in
         if Sys.file_exists po_name then Sys.remove po_name
         else raise Exit;
         incr cnt;
      done;
   with Exit -> ()


let main () =
  let t0 = Unix.times () in
  load_prelude ();
  if files = [] then 
    begin
      deal_channel (why_parser "standard input") stdin;
      output false "out"
    end 
  else 
    begin
      if Options.delete_old_vcs then delete_old_vcs files;
      iter_with_last deal_file files;
      if type_only then exit 0;
      if (pruning) || (Options.pruning_hyp_v != -1) then
	begin
	  let q =  declarationQueue in 
	  encode q 
	end;
      if single_file () then 
	let lf = Filename.chop_extension (last files) in
	output false lf
    end;
  if show_time then
    let t1 = Unix.times () in
    printf "Why execution time : %3.2f@." 
      (t1.Unix.tms_utime -. t0.Unix.tms_utime)
why-2.34/src/misc.mli0000644000175000017500000002504412311670312013047 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Some misc. functions *)

open Logic
open Types
open Ptree
open Ast
open Cc


val is_mutable : type_v -> bool
val is_pure : type_v -> bool
val is_closed_pure_type : pure_type -> bool
val normalize_pure_type : pure_type -> pure_type

val is_default_post : assertion -> bool

(* Substitution within assertions and pre/post-conditions *)
val asst_app : (predicate -> predicate) -> assertion -> assertion
val optasst_app : 
  (predicate -> predicate) -> assertion option -> assertion option
val post_app : ('a -> 'b) -> 'a * ('c * 'a) list -> 'b * ('c * 'b) list
val optpost_app :
  ('a -> 'b) -> ('a * ('c * 'a) list) option -> ('b * ('c * 'b) list) option
val optpost_fold :
  (predicate -> 'a -> 'a) ->
  (assertion * ('b * assertion) list) option -> 'a -> 'a
(***
val post_app : (predicate -> predicate) -> postcondition -> postcondition
val optpost_app : 
  (predicate -> predicate) -> postcondition option -> postcondition option
val optpost_fold : (predicate -> 'a -> 'a) -> postcondition option -> 'a -> 'a
***)

val asst_fold : (predicate -> 'a -> 'a) -> assertion -> 'a -> 'a

(* Substitution within some parts of postconditions (value or exns) *)
val val_app : (predicate -> predicate) -> postcondition -> postcondition
val exn_app : Ident.t -> 
              (predicate -> predicate) -> postcondition -> postcondition
val optval_app : 
  (predicate -> predicate) -> postcondition option -> postcondition option
val optexn_app : 
  Ident.t -> 
  (predicate -> predicate) -> postcondition option -> postcondition option

val a_value : assertion -> predicate
val a_values : assertion list -> predicate list

val anonymous : Loc.position -> predicate -> assertion
val pre_named  : Loc.position -> predicate -> assertion
val post_named  : Loc.position -> predicate -> assertion
val wp_named : Loc.position -> predicate -> assertion

(*s Default exceptional postcondition (inserted when not given) *)
val default_post : assertion

(***
val force_post_name : postcondition option -> postcondition option
val force_bool_name : postcondition option -> postcondition option
***)
val force_wp_name : assertion option -> assertion option

val force_loc : Loc.position -> assertion -> assertion
val force_post_loc : Loc.position -> postcondition -> postcondition
(***
val force_type_c_loc : Loc.position -> type_c -> type_c
***)

val post_val : 'a * 'b -> 'a
val post_exn : Ident.t -> 'a * (Ident.t * 'b) list -> 'b
val optpost_val : postcondition option -> assertion option
val optpost_exn : Ident.t -> postcondition option -> assertion option

val map_succeed : ('a -> 'b) -> 'a list -> 'b list

val option_app : ('a -> 'b) -> 'a option -> 'b option
val option_iter : ('a -> unit) -> 'a option -> unit
val option_fold : ('a -> 'b -> 'b) -> 'a option -> 'b -> 'b

val list_of_some : 'a option -> 'a list
val difference : 'a list -> 'a list -> 'a list
val last : 'a list -> 'a

val list_combine3 : 'a list -> 'b list -> 'c list -> ('a * 'b * 'c) list

val list_first : ('a -> 'b) -> 'a list -> 'b

val if_labelled : (Ident.t * string -> unit) -> Ident.t -> unit

type avoid = Ident.set
val renaming_of_ids : avoid -> Ident.t list -> (Ident.t * Ident.t) list * avoid

val pre_name    : Ident.name -> Ident.t
val post_name   : unit -> Ident.t
val inv_name    : Ident.name -> Ident.t
val test_name   : unit -> Ident.t
val wp_name     : unit -> Ident.t
val h_name      : Ident.name -> Ident.t

val bool_name   : unit -> Ident.t
val variant_name : unit -> Ident.t
val phi_name    : unit -> Ident.t
val for_name    : unit -> Ident.t
val label_name  : unit -> string
val wf_name     : unit -> Ident.t
val fresh_var   : unit -> Ident.t
val fresh_c_var : unit -> Ident.t
val fresh_hyp   : unit -> Ident.t
val fresh_axiom : unit -> Ident.t

val post_name_from : Ident.name -> Ident.t

val reset_names : unit -> unit

val id_of_name : Ident.name -> Ident.t

val rationalize : string -> string * string

(*s Functions over terms and predicates. *)

val applist : term -> term list -> term
val papplist : predicate -> term list -> predicate

val predicate_of_term : term -> predicate

val term_vars : term -> Ident.set
val predicate_vars : predicate -> Ident.set
val post_vars : Types.postcondition -> Ident.set
val apost_vars : postcondition -> Ident.set

val subst_in_term : var_substitution -> term -> term
val tsubst_in_term : substitution -> term -> term

val subst_in_assertion : var_substitution -> assertion -> assertion

val subst_in_predicate : var_substitution -> predicate -> predicate
val tsubst_in_predicate : substitution -> predicate -> predicate

val subst_in_pattern : var_substitution -> pattern -> pattern
val tsubst_in_pattern : substitution -> pattern -> pattern

val subst_in_triggers : var_substitution -> triggers -> triggers

val subst_one : Ident.t -> term -> substitution
val subst_onev : Ident.t -> Ident.t -> var_substitution
val subst_many : Ident.t list -> term list -> substitution
val subst_manyv : Ident.t list -> Ident.t list -> var_substitution

val subst_term_in_predicate : Ident.t -> term -> predicate -> predicate

val map_predicate : (predicate -> predicate) -> predicate -> predicate

val type_v_subst : var_substitution -> type_v -> type_v
val type_c_subst : var_substitution -> type_c -> type_c

val type_v_rsubst : substitution -> type_v -> type_v
val type_c_rsubst : substitution -> type_c -> type_c

val type_c_of_v : type_v -> type_c
val make_arrow : type_v binder list -> type_c -> type_v

val make_binders_type_v : type_v -> type_v
val make_binders_type_c : type_c -> type_c

val unref_term : term -> term

val equals_true : term -> term
val equals_false : term -> term

val mlize_type : type_v -> pure_type

(*s Smart constructors for terms and predicates. *)

val ttrue : term
val tfalse : term
val tresult : term
val tvoid : term

val relation : Ident.t -> term -> term -> predicate
val not_relation : Ident.t -> term -> term -> predicate
val make_int_relation : Ident.t -> Ident.t

val lt : term -> term -> predicate
val le : term -> term -> predicate
val lt_int : term -> term -> predicate
val le_int : term -> term -> predicate
val gt : term -> term -> predicate
val ge : term -> term -> predicate
val ge_real : term -> term -> predicate
val eq : term -> term -> predicate
val neq : term -> term -> predicate

val array_length : Ident.t -> pure_type -> term

val pif : term -> predicate -> predicate -> predicate
val pand : ?is_wp:is_wp -> ?is_sym:bool -> predicate -> predicate -> predicate
val pands : ?is_wp:is_wp -> ?is_sym:bool -> predicate list -> predicate
val por : predicate -> predicate -> predicate
val pors : predicate list -> predicate
val pnot : predicate -> predicate
val pimplies : ?is_wp:is_wp -> predicate -> predicate -> predicate

(* WP connectives *)
val wpand : ?is_sym:bool -> predicate -> predicate -> predicate
val wpands : ?is_sym:bool -> predicate list -> predicate
val wpimplies : predicate -> predicate -> predicate

val simplify : predicate -> predicate

(*s Equalities *)

val eq_pure_type : pure_type -> pure_type -> bool
val eq_term : term -> term -> bool
val eq_predicate : predicate -> predicate -> bool (* no alpha-equivalence *)

(*s Debug functions *)

module Size : sig
  val predicate : predicate -> int
  val term : term -> int
  val postcondition : postcondition -> int
  val postcondition_opt : postcondition option -> int
end 

(*s functions over CC terms *)

val cc_var : Ident.t -> 'a cc_term
val cc_term : term -> 'a cc_term
val cc_applist : 'a cc_term -> 'a cc_term list -> 'a cc_term
val cc_lam : cc_binder list -> 'a cc_term -> 'a cc_term

val tt_var : Ident.t -> cc_type
val tt_arrow : cc_binder list -> cc_type -> cc_type

(*s Pretty-print *)

open Format

val warning : string -> unit
val wprintf : Loc.position -> ('a, Format.formatter, unit) format -> 'a
val unlocated_wprintf : ('a, Format.formatter, unit) format -> 'a

(* [do_not_edit f before sep after] updates the part of file [f] following a
   line matching [sep] exactly (e.g. \verb!(* DO NOT EDIT BELOW THIS LINE *)!);
   a backup of the original file is done in [f.bak].
   when [f] does not exists, it is created by calling [before], inserting
   [sep] and then calling [after]. *)

val do_not_edit_below : 
  file:string -> 
  before:(formatter -> unit) -> 
  sep:string -> 
  after:(formatter -> unit) -> unit

val do_not_edit_above : 
  file:string -> 
  before:(formatter -> unit) -> 
  sep:string -> 
  after:(formatter -> unit) -> unit

val file_formatter : (Format.formatter -> unit) -> (out_channel -> unit)

why-2.34/src/encoding_mono_inst.mli0000644000175000017500000000502712311670312015766 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* make a monorphic output for provers not supporting polymorphism
   (e.g. PVS or CVC Lite) *)

(* input... *)

val push_decl : Logic_decl.t -> unit

(* ...and output *)

val iter : (Logic_decl.t -> unit) -> unit

val reset : unit -> unit

val create_ident_id : string
why-2.34/src/harvey.mli0000644000175000017500000000457512311670312013420 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Vcg
open Cc

val reset : unit -> unit

val push_decl : Logic_decl.t -> unit

val output_file : string -> unit

why-2.34/src/util.mli0000644000175000017500000002062512311670312013071 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc
open Logic
open Misc
open Types
open Ast
open Env

val erase_label : string -> predicate -> predicate
val change_label : string -> string -> predicate -> predicate
val put_label_term : local_env -> string -> term -> term
val put_label_predicate : local_env -> string -> predicate -> predicate

val traverse_binders : local_env -> (type_v binder) list -> local_env
val initial_renaming : local_env -> Rename.t

val apply_term : 
  Rename.t -> local_env -> term -> term
val apply_assert : 
  Rename.t -> local_env -> Types.assertion -> Types.assertion
val a_apply_assert : 
  Rename.t -> local_env -> assertion -> assertion
val apply_post : 
  label -> Rename.t -> local_env -> Types.postcondition -> Types.postcondition
val a_apply_post : 
  label -> Rename.t -> local_env -> postcondition -> postcondition

val oldify : local_env -> Effect.t -> term -> term
val type_c_subst_oldify : local_env -> Ident.t -> term -> type_c -> type_c

val is_reference : local_env -> Ident.t -> bool
val predicate_now_refs : local_env -> predicate -> Ident.set
val predicate_refs : local_env -> predicate -> Ident.set
val term_now_refs : local_env -> term -> Ident.set
val term_refs : local_env -> term -> Ident.set
val post_refs : local_env -> postcondition -> Ident.set

val deref_type : type_v -> pure_type
val dearray_type : type_v -> pure_type

val decomp_type_c : type_c -> 
  (Ident.t * type_v) * Effect.t * 
  Types.precondition list * Types.postcondition option
val decomp_kappa : typing_info -> 
  (Ident.t * type_v) * Effect.t * Ast.postcondition option

val equality : term -> term -> predicate
val tequality : type_v -> term -> term -> predicate

val distinct : term list -> predicate


val  split_one : Logic.predicate list ->
  int -> Logic.predicate -> Logic.predicate list
val  split : context_element list ->
  (unit -> Ident.t) -> context_element list -> context_element list
val  intros : context_element list ->
  predicate -> (unit -> Ident.t) -> bool -> context_element list * Logic.predicate
  
val decomp_boolean : postcondition -> predicate * predicate

val effect : typed_expr -> Effect.t
val post : typed_expr -> postcondition option
val result_type : typed_expr -> type_v
val result_name : typing_info -> Ident.t

val erase_exns : typing_info -> typing_info

val forall : 
  ?is_wp:is_wp -> Ident.t -> type_v -> ?triggers:triggers 
  -> predicate -> predicate
val foralls : ?is_wp:is_wp -> (Ident.t * type_v) list -> predicate -> predicate
val exists : Ident.t -> type_v -> predicate -> predicate

(* more efficient version when there are many variables *)
val foralls_many : 
  ?is_wp:is_wp -> (Ident.t * type_v) list -> predicate -> predicate

val plet : Ident.t -> pure_type -> term -> predicate -> predicate

(* versions performing simplifcations *)
val pforall : ?is_wp:is_wp -> Ident.t -> type_v -> predicate -> predicate
val pexists : Ident.t -> type_v -> predicate -> predicate

(* decomposing universal quantifiers, renaming variables on the fly *)

val decomp_forall : 
  ?ids:Ident.set -> predicate -> (Ident.t * pure_type) list * predicate

(*s Occurrences *)

val occur_term : Ident.t -> term -> bool
val occur_predicate : Ident.t -> predicate -> bool
val occur_assertion : Ident.t -> assertion -> bool
val occur_post : Ident.t -> postcondition option -> bool
val occur_type_v : Ident.t -> type_v -> bool
val occur_type_c : Ident.t -> type_c -> bool

(*s Functions to translate array operations *)

val array_info : 
  local_env -> Ident.t -> pure_type

val make_raw_access :
  local_env -> Ident.t * Ident.t -> term -> term

val make_raw_store :
  local_env -> Ident.t * Ident.t -> term -> term -> term

val make_pre_access :
  local_env -> Ident.t -> term -> predicate

(*s AST builders for program transformation *)

val make_lnode : 
  Loc.position -> typing_info Ast.t_desc ->
  local_env -> type_c -> typed_expr
val make_var : 
  Loc.position -> Ident.t -> type_v -> local_env -> typed_expr
val make_expression :
  Loc.position -> term -> type_v -> local_env -> typed_expr
val make_annot_bool :
  Loc.position -> bool -> local_env -> typed_expr
val make_void :
  Loc.position -> local_env -> typed_expr
val make_raise :
  Loc.position -> Ident.t -> type_v -> local_env -> typed_expr

val change_desc : 'a Ast.t -> 'a Ast.t_desc -> 'a Ast.t

val force_post :
  local_env -> postcondition option -> typed_expr -> typed_expr

val create_postval : predicate -> assertion option

val create_post : predicate -> (assertion * 'b list) option

(* explanations *)

val loc_of_label: string -> Loc.floc

val cook_explanation : 
    string option -> raw_vc_explain ->
       Logic_decl.expl_kind * Loc.floc * string option

val program_locs : (string,(string * string * Loc.floc)) Hashtbl.t

val explanation_table : (int,Cc.raw_vc_explain) Hashtbl.t

val reg_explanation : Cc.raw_vc_explain -> Logic.term_label

(*s Pretty printers. *)

open Format

val print_pred_binders : bool ref

val print_scheme : (formatter -> 'a -> unit) -> formatter -> 'a scheme -> unit

val print_type_var : formatter -> type_var -> unit
val print_pure_type : formatter -> pure_type -> unit
val print_instance : formatter -> instance -> unit
val print_logic_type : formatter -> logic_type -> unit

val print_term : formatter -> term -> unit
val print_predicate : formatter -> predicate -> unit
(*
val raw_loc : ?pref:string -> formatter -> Loc.floc -> unit
val print_explanation : formatter -> ((*Loc.floc * *) Logic_decl.vc_expl) -> unit
*)
val print_assertion : formatter -> assertion -> unit
val print_wp : formatter -> assertion option -> unit

val print_type_v : formatter -> type_v -> unit
val print_type_c : formatter -> type_c -> unit
val print_typing_info : formatter -> typing_info -> unit
val print_expr : formatter -> typed_expr -> unit

val print_cc_type : formatter -> Cc.cc_type -> unit
val print_cc_term : formatter -> ('a * predicate) Cc.cc_term -> unit
val print_cc_pattern : formatter -> Cc.cc_pattern -> unit

val print_subst : formatter -> substitution -> unit
val print_cc_subst : formatter -> ('a * predicate) Cc.cc_term Ident.map -> unit

val print_env : formatter -> local_env -> unit

val print_ptree : formatter -> Ptree.parsed_program -> unit
val print_pfile : formatter -> Ptree.decl list -> unit

val print_decl : formatter -> Logic_decl.t -> unit

why-2.34/src/encoding.ml0000644000175000017500000000775712311670312013544 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Options

let queue = Queue.create ()

let reset () = match get_types_encoding () with
  | NoEncoding -> Queue.clear queue
  | Predicates -> Encoding_pred.reset ()
  | Stratified -> Encoding_strat.reset ()
  | SortedStratified -> Encoding_mono.reset ()
  | Recursive -> Encoding_rec.reset ()
  | Monomorph -> Monomorph.reset ()
  | MonoInst -> Encoding_mono_inst.reset ()

let push d = match get_types_encoding () with
  | NoEncoding -> Queue.add d queue
  | Predicates -> Encoding_pred.push d
  | SortedStratified -> Encoding_mono.push d
  | Stratified -> Encoding_strat.push d
  | Recursive -> Encoding_rec.push d
  | Monomorph -> Monomorph.push_decl d
  | MonoInst -> Encoding_mono_inst.push_decl d

let push ?(encode_inductive=true) ?(encode_algtype=true) 
    ?(encode_preds=true) ?(encode_funs=true) = function
  | Logic_decl.Dfunction_def (loc, id, d) when encode_funs ->
      List.iter push (PredDefExpansor.function_def loc id d)
  | Logic_decl.Dpredicate_def (loc, id, d) when encode_preds ->
      List.iter push (PredDefExpansor.predicate_def loc id d)
  | Logic_decl.Dinductive_def (loc, id, d) when encode_inductive ->
      List.iter push (PredDefExpansor.inductive_def loc id d)
  | Logic_decl.Dalgtype ls when encode_algtype ->
      List.iter push (PredDefExpansor.algebraic_type ls)
  | d -> push d

let iter f = match get_types_encoding () with
  | NoEncoding -> Queue.iter f queue
  | Predicates -> Encoding_pred.iter f
  | Stratified -> Encoding_strat.iter f
  | SortedStratified -> Encoding_mono.iter f
  | Recursive -> Encoding_rec.iter f
  | Monomorph -> Monomorph.iter f
  | MonoInst -> Encoding_mono_inst.iter f

let symbol ((id,_) as s) = match get_types_encoding () with
  | Monomorph -> Monomorph.symbol s
  | _ -> Ident.string id
why-2.34/src/encoding_rec.mli0000644000175000017500000000456612311670312014541 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc

val reset : unit -> unit

val push : Logic_decl.t -> unit
val iter : (Logic_decl.t -> unit) -> unit
why-2.34/src/monomorph.ml0000644000175000017500000004347112311670312013765 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* monomorphic output *)

open Ident
open Options
open Misc
open Logic
open Logic_decl
open Cc
open Vcg
open Env
open Format
open Pp

(* output queue *)
let queue = Queue.create ()

let push d = Queue.add d queue

let iter f = Queue.iter f queue

(* the name for a closed instance: name id [t1;...;tn] = id_t1_..._tn *)
let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "real"
  | PTexternal ([v], id) when id == farray -> 
      fprintf fmt "array_%a" print_pure_type v
  | PTexternal([], id) -> fprintf fmt "%a" Ident.print id
  | PTexternal(i, id) -> fprintf fmt "%a%a" Ident.print id print_instance i
  | PTvar { type_val = Some t} -> fprintf fmt "%a" print_pure_type t      
  | PTvar _ -> assert false

and print_instance fmt = function
  | [] -> ()
  | ptl -> fprintf fmt "_%a" (print_list underscore print_pure_type) ptl

let name id i =
  fprintf str_formatter "%s%a" id print_instance i;
  flush_str_formatter ()

let external_logic = Hashtbl.create 97
let add_external id = Hashtbl.add external_logic id ()


let symbol (id, i) =
  let n = Ident.string id in
  let nn =
  if Hashtbl.mem external_logic id then
    n
  else
    name n i
  in
(*
  if n="upd" then eprintf "Monomorph : i=%a, rename %s(%a) -> %s@." print_instance i n dbprint id nn;
*)
  nn

(* iteration over instances (function [f]) and types (function [g]) *)
module IterIT = struct

  let rec term f = function
    | Tapp (x, tl, i) -> f x i; List.iter (term f) tl
    | _ -> ()

  let rec predicate f g = function
    | Pand (_, _, a, b)
    | Por (a, b)
    | Piff (a, b)
    | Forallb (_, a, b)
    | Pimplies (_, a, b) -> predicate f g a; predicate f g b
    | Pif (a, b, c) -> term f a; predicate f g b; predicate f g c
    | Pnot a -> predicate f g a
    | Exists (_, _, v, p) -> g v; predicate f g p
    | Forall (_, _, _, v, tl, p) -> 
	g v; List.iter (List.iter (pattern f g)) tl; predicate f g p
    | Pnamed (_, a) -> predicate f g a
    | Ptrue | Pfalse | Pvar _ -> ()
    | Papp (id, tl, i) -> f id i; List.iter (term f) tl
    | Plet (_, _, _, t, p) -> term f t; predicate f g p

  and pattern f g = function
    | TPat t -> term f t
    | PPat p -> predicate f g p

  let predicate_def f g (bl,p) =
    List.iter (fun (_,pt) -> g pt) bl;
    predicate f g p

  let function_def f g (bl,t,e) =
    List.iter (fun (_,pt) -> g pt) bl;
    g t;
    term f e
	
  let logic_type g = function
    | Function (l, pt) -> List.iter g l; g pt
    | Predicate l -> List.iter g l

  let rec cc_type f g = function
    | TTpure pt -> g pt
    | TTarray cc -> cc_type f g cc
    | TTarrow (b, cc)
    | TTlambda (b, cc) -> cc_binder f g b; cc_type f g cc
    | TTtuple (bl, ccopt) -> 
	List.iter (cc_binder f g) bl; 
	option_iter (cc_type f g) ccopt
    | TTpred p ->
	predicate f g p
    | TTapp (cc, ccl) ->
	cc_type f g cc; List.iter (cc_type f g) ccl
    | TTterm t ->
	term f t
    | TTSet ->
	()
	
  and cc_binder f g = function
    | _, CC_var_binder cc -> cc_type f g cc
    | _, CC_pred_binder p -> predicate f g p
    | _, CC_untyped_binder -> ()

  let sequent f g (ctx,p) =
    List.iter 
      (function 
	 | Svar (_,pt) -> g pt | Spred (_,p) -> predicate f g p)
      ctx;
    predicate f g p
	
end

module PureType = struct

  type t = pure_type

  let rec normalize = function
    | PTvar { type_val = Some t } -> normalize t
    | PTexternal (i, id) -> PTexternal (List.map normalize i, id)
    | PTvar _ | PTint | PTbool | PTunit | PTreal as t -> t

  let equal t1 t2 = normalize t1 = normalize t2

  let hash t = Hashtbl.hash (normalize t)

end	  

module Htypes = Hashtbl.Make(PureType)


(* generic substitution parameterized by a substitution over [pure_type] *)
module type Substitution = sig
  type t
  val pure_type : t -> pure_type -> pure_type
end

module GenSubst(S : Substitution) = struct

  include S

  let logic_type s = function
    | Function (tl, tr) -> 
	Function (List.map (pure_type s) tl, pure_type s tr)
    | Predicate tl -> 
	Predicate (List.map (pure_type s) tl)

  let binder s (id,pt) = (id, pure_type s pt)

  let binders s = List.map (binder s)

  let rec term s = function
    | Tapp (x, tl, i) -> 
	Tapp (x, List.map (term s) tl, List.map (pure_type s) i)
    | t -> 
	t

  let rec predicate s = function
    | Papp (x, tl, i) ->
	Papp (x, List.map (term s) tl, List.map (pure_type s) i)
    | Pimplies (w, a, b) -> Pimplies (w, predicate s a, predicate s b)
    | Pif (a, b, c) -> Pif (a, predicate s b, predicate s c)
    | Pand (w, sym, a, b) -> Pand (w, sym, predicate s a, predicate s b)
    | Por (a, b) -> Por (predicate s a, predicate s b)
    | Piff (a, b) -> Piff (predicate s a, predicate s b)
    | Pnot a -> Pnot (predicate s a)
    | Forall (w, id, b, v, tl, p) -> 
	let tl' = List.map (List.map (pattern s)) tl in
	Forall (w, id, b, pure_type s v, tl', predicate s p)
    | Exists (id, b, v, p) -> 
	Exists (id, b, pure_type s v, predicate s p)
    | Forallb (w, a, b) -> Forallb (w, predicate s a, predicate s b)
    | Pnamed (n, a) -> Pnamed (n, predicate s a)
    | Plet (x, b, pt, t, p) -> Plet (x, b, pure_type s pt, term s t, predicate s p)
    | Ptrue | Pfalse | Pvar _ as p -> p

  and pattern s = function
    | TPat t -> TPat (term s t)
    | PPat p -> PPat (predicate s p)

  let predicate_def s (bl,p) = 
    List.map (fun (x,pt) -> (x, pure_type s pt)) bl, predicate s p

  let function_def s (bl,t,e) = 
    List.map (fun (x,pt) -> (x, pure_type s pt)) bl, 
    pure_type s t,
    term s e

end

(* substitution of type variables ([PTvarid]) by pure types *)
module SV = struct

  type t = pure_type Vmap.t

  let list_of s = 
    Vmap.fold (fun x pt acc -> (x, PureType.normalize pt)::acc) s []

  let equal s1 s2 = list_of s1 = list_of s2
      
  let hash s = Hashtbl.hash (list_of s)

  let rec pure_type s = function
    | PTvar ({type_val = None} as v) ->
	(try Vmap.find v s with Not_found -> assert false (*t?*))
    | PTvar {type_val = Some pt} ->
	pure_type s pt
    | PTexternal (l, id) ->
	PTexternal (List.map (pure_type s) l, id)
    | PTint | PTreal | PTbool | PTunit as t -> t

end
module SubstV = GenSubst(SV)

(* sets of symbols instances *)
module Instance = struct 
  type t = Ident.t * pure_type list 
  let normalize (id, i) = (id, List.map PureType.normalize i)
  let equal (id1, i1) (id2, i2) = id1=id2 && List.for_all2 PureType.equal i1 i2
  let hash i = Hashtbl.hash (normalize i)
  let compare (id1, i1) (id2, i2) = 
    let c = compare id1 id2 in
    if c <> 0 then 
      c 
    else 
      compare (List.map PureType.normalize i1) (List.map PureType.normalize i2)
end

module SymbolsI = Set.Make(Instance)

(* the following module collects instances (within [Tapp] and [Papp]) *)
module OpenInstances = struct

  module S = SymbolsI

  let add ((_,i) as e) s =
    let is_open pt = not (is_closed_pure_type pt) in
    if List.exists is_open i then S.add e s else s

  let rec term s = function
    | Tvar _ | Tderef _ | Tconst _ -> s
    | Tapp (id, l, i) -> List.fold_left term (add (id,i) s) l
    | Tnamed(_,t) -> term s t

  let rec pattern s = function
    | TPat t -> term s t
    | PPat p -> predicate s p

(*   and triggers = List.fold_left (List.fold_left pattern) *)
      
  and predicate s = function
    | Pvar _ | Ptrue | Pfalse -> s
    | Papp (id, l, i) -> List.fold_left term (add (id,i) s) l
    | Pimplies (_, a, b) | Pand (_, _, a, b) | Por (a, b) | Piff (a, b)
    | Forallb (_, a, b) -> predicate (predicate s a) b
    | Pif (a, b, c) -> predicate (predicate (term s a) b) c
    | Pnot a -> predicate s a
    | Forall (_, _, _, _, tl, p) -> 
	List.fold_left (List.fold_left pattern) (predicate s p) tl
    | Exists (_, _, _, p) -> predicate s p
    | Plet (_, _, _, t, p) -> predicate (term s t) p
    | Pnamed (_, p) -> predicate s p
	  
end

(* unification of an open instance [t1] with a closed instance [t2];
   raises [Exit] if unification fails *)
let rec unify s t1 t2 = match (t1,t2) with
  | (PTexternal(l1,i1), PTexternal(l2,i2)) ->
      if i1 <> i2 || List.length l1 <> List.length l2 then raise Exit;
      List.fold_left2 unify s l1 l2
  | (_, PTvar {type_val=None}) ->
      unify s t2 t1
  | (_, PTvar {type_val=Some v2}) ->
      unify s t1 v2
  | (PTvar {type_val=Some v1}, _) ->
      unify s v1 t2
  | (PTvar ({type_val=None} as v1), _) ->
      begin
	try
	  let t1 = Vmap.find v1 s in
	  if t1 <> t2 then raise Exit;
	  s
	with Not_found ->
	  Vmap.add v1 t2 s
      end
  | PTint, PTint
  | PTbool, PTbool
  | PTreal, PTreal
  | PTunit, PTunit -> s
  | _ -> raise Exit

let unify_i = List.fold_left2 unify



(* main algorithm *)

(* declaration of abstract types *)
let declared_types = Htypes.create 97
let declare_type loc = function
  | PTexternal (i,x) as pt 
      when is_closed_pure_type pt && not (Htypes.mem declared_types pt) ->
      Htypes.add declared_types pt ();
      push (Dtype (loc, Ident.create (name (Ident.string x) i), []))
  | _ -> 
      ()

let push_logic_instance loc id i t =
  IterIT.logic_type (declare_type loc) t;
  let id = Ident.create (name (Ident.string id) i) in
  push (Dlogic (loc, id, empty_scheme t))

(* logic symbols (functions and predicates) *)

type logic_symbol = 
  | Uninterp of logic_type scheme
  | PredicateDef of predicate_def scheme
  | FunctionDef of function_def scheme
      
let logic_symbols = Hashtbl.create 97
			
let push_logic loc id t = 
  if Vset.is_empty t.scheme_vars then
    push_logic_instance loc id [] t.scheme_type
  else
    (* nothing to do until we encounter closed instances of [id] *)
    (* we only remember the type of [id] *)
    Hashtbl.add logic_symbols id (Uninterp t)
	
module Hinstance = Hashtbl.Make(Instance)
let declared_logic = Hinstance.create 97

let vset_elements s = Vset.fold (fun x l -> x :: l) s []
  
let rec declare_logic loc id i =
  if not (Hashtbl.mem external_logic id) &&
     i <> [] && 
     not (Hinstance.mem declared_logic (id,i)) 
  then begin
    Hinstance.add declared_logic (id,i) ();
    if debug then eprintf "Monomorph.declare_logic %a@." Ident.print id;
    assert (Hashtbl.mem logic_symbols id);
    match Hashtbl.find logic_symbols id with
      | Uninterp t ->
	  assert (Vset.cardinal t.scheme_vars = List.length i);
	  let s = 
	    List.fold_right2 Vmap.add 
	      (vset_elements t.scheme_vars) i Vmap.empty
	  in
	  let t = SubstV.logic_type s t.scheme_type in
	  (*
	    eprintf "Monomorph.declare_logic i=[%a] t=%a@."
	    (Pp.print_list Pp.comma Util.print_pure_type) i
	    Util.print_logic_type t;
	  *)
	  push_logic_instance loc id i t
      | PredicateDef p ->
	  assert (Vset.cardinal p.scheme_vars = List.length i);
	  let s = 
	    List.fold_right2 Vmap.add 
	      (vset_elements p.scheme_vars) i Vmap.empty
	  in
	  let p = SubstV.predicate_def s p.scheme_type in
 	  push_predicate_def_instance loc (Ident.string id) i p
      | FunctionDef p ->
	  assert (Vset.cardinal p.scheme_vars = List.length i);
	  let s = 
	    List.fold_right2 Vmap.add 
	      (vset_elements p.scheme_vars) i Vmap.empty
	  in
	  let p = SubstV.function_def s p.scheme_type in
 	  push_function_def_instance loc (Ident.string id) i p
  end
    
(* predicates definitions *)

and push_predicate_def_instance loc id i ((_bl,_p) as d) =
  IterIT.predicate_def (declare_logic loc) (declare_type loc) d;
  push (Dpredicate_def (loc,Ident.create (name id i), empty_scheme d))

and push_function_def_instance loc id i ((_bl,_t,_e) as d) =
  IterIT.function_def (declare_logic loc) (declare_type loc) d;
  push (Dfunction_def (loc, Ident.create (name id i), empty_scheme d))
      
let push_predicate_def loc id p0 =
  let (bl,_) = p0.scheme_type in
  assert (bl <> []);
  if Vset.is_empty p0.scheme_vars then
    push_predicate_def_instance loc (Ident.string id) [] p0.scheme_type
  else 
    Hashtbl.add logic_symbols id (PredicateDef p0)

let push_function_def loc id p0 =
  let (bl,_,_) = p0.scheme_type in
  assert (bl <> []);
  if Vset.is_empty p0.scheme_vars then
    push_function_def_instance loc (Ident.string id) [] p0.scheme_type
  else 
    Hashtbl.add logic_symbols id (FunctionDef p0)

  (* axioms *)

let push_axiom_instance loc id i p =
  IterIT.predicate (declare_logic loc) (declare_type loc) p;
  push (Daxiom (loc, name id i, empty_scheme p))

module Hsubst = Hashtbl.Make(SV)
		    
type axiom = {
  ax_pred : predicate scheme;
  ax_symbols : Ident.set;
  ax_symbols_i : SymbolsI.elt list;
  mutable ax_symbols_instances : SymbolsI.t; (*already considered instances*)
  ax_instances : unit Hsubst.t;
}
		 
let axioms = Hashtbl.create 97
		 
let push_axiom loc id p =
  if Vset.is_empty p.scheme_vars then
    push_axiom_instance loc id [] p.scheme_type
  else
    let oi = OpenInstances.predicate SymbolsI.empty p.scheme_type in
    let os = SymbolsI.fold (fun (id,_) -> Idset.add id) oi Idset.empty in
    let a = 
      { ax_pred = p; ax_symbols_i = SymbolsI.elements oi; 
	ax_symbols = os; ax_symbols_instances = SymbolsI.empty;
	ax_instances = Hsubst.create 97 } 
    in
    Hashtbl.add axioms id a

(* instantiating axioms may generate new instances, so we have to repeat it
   again until the fixpint is reached *)
	
let fixpoint = ref false
		   
(* instantiate a polymorphic axiom according to new symbols instances *)
let instantiate_axiom loc id a =
  (* first pass: we look at all (closed) instances encountered so far
     appearing in axiom [a] *)
  let all_ci = 
    Hinstance.fold
      (fun ((id,_) as i) () s -> 
	 if Idset.mem id a.ax_symbols then SymbolsI.add i s else s)
      declared_logic SymbolsI.empty
  in
  (* second pass: 
     if this set has not been already considered we instantiate *)
  if not (SymbolsI.subset all_ci a.ax_symbols_instances) then begin
    a.ax_symbols_instances <- all_ci;
    fixpoint := false;
    let p = a.ax_pred in
    let rec iter s l = 
      match l with
      | [] ->
	  if Vset.for_all 
	    (fun x -> 
	       try is_closed_pure_type (Vmap.find x s) 
	       with Not_found -> false)
	    p.scheme_vars 
	  then
	    if not (Hsubst.mem a.ax_instances s) then begin
	      Hsubst.add a.ax_instances s ();
	      let ps = SubstV.predicate s p.scheme_type in
	      let i = Vmap.fold (fun _ t acc -> t :: acc) s [] in
	      push_axiom_instance loc id i ps
	    end
      | (x,oi) :: oil ->
	  SymbolsI.iter 
	    (fun (y,ci) -> 
	       if x = y then
		 try let s = unify_i s oi ci in iter s oil
		 with Exit -> ()) 
	    all_ci;
	  iter s oil
    in
    iter Vmap.empty a.ax_symbols_i;
  end

let instantiate_axioms loc = 
  fixpoint := false;
  while not !fixpoint do
    fixpoint := true;
    Hashtbl.iter (instantiate_axiom loc) axioms;
  done

(* Obligations *)
    
let new_type = let r = ref 0 in fun () -> incr r; "type_" ^ string_of_int !r

let push_obligation loc is_lemma expl o s = 
  let vs, s = specialize_sequent s in
  Vmap.iter
    (fun _ tv -> 
       let pt = Ident.create (new_type ()) in
       push (Dtype (loc, pt, []));
       tv.type_val <- Some (PTexternal ([], pt)))
      vs;
  IterIT.sequent (declare_logic loc) (declare_type loc) s;
  instantiate_axioms loc;
  push (Dgoal (loc, is_lemma, expl, o, empty_scheme s))

let push_decl = function
  | Dtype (loc, id, []) -> declare_type loc (PTexternal ([], id))
  | Dtype _ -> ()
  | Dalgtype _ ->
      failwith "encoding rec: algebraic types are not supported"
  | Dlogic (loc, x, t) -> push_logic loc x t
  | Dpredicate_def (loc, x, d) -> push_predicate_def loc x d
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "monomorph: inductive def not supported"
  | Dfunction_def (loc, x, d) -> push_function_def loc x d
  | Daxiom (loc, x, p) -> push_axiom loc x p
  | Dgoal (loc, is_lemma, expl, x, s) -> push_obligation loc is_lemma expl x s

let reset () =
  Queue.clear queue;
  Htypes.clear declared_types;
  Hinstance.clear declared_logic;
  Hashtbl.clear logic_symbols;
  Hashtbl.clear axioms

why-2.34/src/cc.mli0000644000175000017500000001116012311670312012473 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Intermediate CC terms. *)

open Logic

type variable = Ident.t

type cc_type =
  | TTpure of pure_type
  | TTarray of cc_type
  | TTlambda of cc_binder * cc_type
  | TTarrow of cc_binder * cc_type
  | TTtuple of cc_binder list * cc_type option
  | TTpred of predicate
  | TTapp of cc_type * cc_type list
  | TTterm of term
  | TTSet

and cc_bind_type = 
  | CC_var_binder of cc_type
  | CC_pred_binder of predicate
  | CC_untyped_binder

and cc_binder = variable * cc_bind_type

type cc_pattern = 
  | PPvariable of cc_binder
  | PPcons of Ident.t * cc_pattern list

(* ['a] is the type of holes *)

type 'a cc_term =
  | CC_var of variable
  | CC_letin of bool * cc_binder list * 'a cc_term * 'a cc_term
  | CC_lam of cc_binder * 'a cc_term
  | CC_app of 'a cc_term * 'a cc_term
  | CC_tuple of 'a cc_term list * cc_type option
  | CC_if of 'a cc_term * 'a cc_term * 'a cc_term
  | CC_case of 'a cc_term * (cc_pattern * 'a cc_term) list
  | CC_term of term
  | CC_hole of 'a
  | CC_type of cc_type
  | CC_any of cc_type

(* Proofs *)

type proof = 
  | Lemma of string * Ident.t list
  | True
  | Reflexivity of term
  | Assumption of Ident.t
  | Proj1 of Ident.t
  | Proj2 of Ident.t
  | Conjunction of Ident.t * Ident.t
  | WfZwf of term
  | Loop_variant_1 of Ident.t * Ident.t
  | Absurd of Ident.t
  | ProofTerm of proof cc_term
  | ShouldBeAWp

type proof_term = proof cc_term

type validation = proof cc_term

(* Functional programs. *)

type cc_functional_program = (Loc.position * predicate) cc_term

(*s Sequents and obligations. *)

type context_element =
  | Svar of Ident.t * pure_type
  | Spred of Ident.t * predicate

type sequent = context_element list * predicate

type loc_term = Loc.position * term
type loc_predicate = Loc.position * predicate

type assert_kind = [`ASSERT | `CHECK]

type raw_vc_explain =
  | VCEexternal of string
  | VCEabsurd
  | VCEassert of assert_kind * loc_predicate list
  | VCEpre of string * Loc.position * loc_predicate list 
      (*r label and loc for the call, then preconditions *)
  | VCEpost of loc_predicate
  | VCEwfrel
  | VCEvardecr of loc_term
  | VCEinvinit of string * loc_predicate
      (*r label for the loop, then loop invariant *)
  | VCEinvpreserv of string * loc_predicate 
      (*r label for the loop, then loop invariant *)

(*
type obligation = Loc.floc * vc_explain * string * sequent
    (* loc, explanation, id, sequent *) 
*)

why-2.34/src/smtlib.mli0000644000175000017500000000460612311670312013407 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc

val reset : unit -> unit

val push_decl : Logic_decl.t -> unit

val output_file : ?logic:string -> string -> unit


why-2.34/src/dispatcher.ml0000644000175000017500000002242312311670312014067 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Options
open Vcg
open Logic
open Logic_decl

type elem = Logic_decl.t

let stack = ref []

let add_elem e = stack := e :: !stack

let oblig = Queue.create ()
let oblig_h = Hashtbl.create 97

let add_oblig ((_,_,_,id,_) as o) =
  let so = (List.rev !stack, o) in
  Queue.add so oblig ;
  Hashtbl.add oblig_h id so

let rec f_of_seq ctx g = 
  match ctx with
    | [] -> g
    | Cc.Svar (id, v) :: hyps -> Forall(false,id,id,v,[],f_of_seq hyps g)
    | Cc.Spred (_id, p) :: hyps -> Pimplies(false,p,f_of_seq hyps g)

let push_decl d =
  match d with
  | Dgoal (loc, is_lemma, expl, id, s) -> 
      add_oblig (loc, is_lemma, expl, id, s);
      if is_lemma then 
        let (_l,(ctx,g)) = Env.specialize_sequent s in
        add_elem (Daxiom(loc,id,Env.generalize_predicate (f_of_seq ctx g)))
  | d -> add_elem d

let iter f = Queue.iter (fun (_,o) -> f o) oblig

(* calling prover *)

open DpConfig

let push_elem p e =
  if not pruning then
    assert (match e with Dgoal _ -> false | _ -> true);
  match p with
  | Simplify | Vampire -> Simplify.push_decl e
  | Harvey -> Harvey.push_decl e
  | Cvcl -> Cvcl.push_decl e
  | Zenon -> Zenon.push_decl e
  | Rvsat | Yices | Cvc3 | Z3 | VeriT -> Smtlib.push_decl e
  | Ergo | ErgoSelect | SimplifySelect
  | GappaSelect -> Pretty.push_decl ~ergo:true e
  | Coq -> Coq.push_decl e
  | PVS -> Pvs.push_decl e
  | Gappa -> Gappa.push_decl e

let push_obligation p (loc, is_lemma, expl, id, s) =
  let g = Dgoal (loc, is_lemma, expl, id, s) in
  match p with
  | Simplify | Vampire -> Simplify.push_decl g
  | Harvey -> Harvey.push_decl g
  | Cvcl -> Cvcl.push_decl g
  | Zenon -> Zenon.push_decl g
  | Rvsat | Yices | Cvc3 | Z3 | VeriT -> Smtlib.push_decl g
  | Ergo | ErgoSelect | SimplifySelect
  | GappaSelect -> Pretty.push_decl g
  | Coq -> Coq.push_decl g
  | PVS -> Pvs.push_decl g
  | Gappa -> Gappa.push_decl g

(* output_file is a CRITICAL SECTION *)
(** @parama elems is the List that stores the theory
    @parama o is the proof obligation
**)

let get_project () =
  match !Options.gui_project with
    | Some p -> p
    | None ->
	failwith "For interactive provers, option --project must be set"


let output_file ?encoding p (elems,o) =
  begin match encoding with
      Some e -> set_types_encoding e
    | None -> () end;
  begin match p with
    | Simplify | Vampire -> Simplify.reset ()
    | Harvey -> Harvey.reset ()
    | Cvcl -> Cvcl.prelude_done := false; Cvcl.reset ()
    | Zenon -> Zenon.prelude_done := false; Zenon.reset ()
    | Rvsat | Yices | Cvc3 | Z3 | VeriT -> Smtlib.reset ()
    | Ergo | ErgoSelect | SimplifySelect
    | GappaSelect -> Pretty.reset ()
    | Coq -> () (* Coq.reset () *)
    | PVS -> Pvs.reset()
    | Gappa -> Gappa.reset ()
  end;

  if pruning then
    begin
      (**stores into the declarationQueue
	 all the elements of the elems list and th obligation**)
      let declQ = Queue.create () in
      List.iter (fun p -> Queue.add p declQ) elems ;
      let (loc, is_lemma, expl, id, s) = o in
      let g = Dgoal (loc, is_lemma, expl, id, s) in
      Queue.add g declQ;
      if debug then
	Format.printf "Before the pruning dedicated to the PO: %d @."
	  (Queue.length declQ);
      (** reduce the theory **)
      let q = Theory_filtering.reduce declQ in
      if debug then
	Format.printf "After the pruning dedicated to the PO: %d @."
	  (Queue.length q);
      Queue.iter (push_elem p) q ;
      push_obligation p o
    end
  else
    begin
      List.iter (push_elem p) elems;
      push_obligation p o
    end;
  match p with
    | Simplify ->
	let f = Filename.temp_file "gwhy" "_why.sx" in
	Simplify.output_file ~allowedit:false f; f
    | Vampire ->
        let f = Filename.temp_file "gwhy" "_why.vp" in
        Simplify.output_file ~allowedit:false f; f
    | Harvey ->
	let f = Filename.temp_file "gwhy" "_why.rv" in
	Harvey.output_file f; f
    | Cvcl ->
	let f = Filename.temp_file "gwhy" "_why.cvc" in
	Cvcl.output_file ~allowedit:false f; f
    | Zenon ->
	let f = Filename.temp_file "gwhy" "_why.znn" in
	Zenon.output_file ~allowedit:false f; f
    | Rvsat | Yices | Cvc3 ->
	let f = Filename.temp_file "gwhy" "_why.smt" in
	Smtlib.output_file ~logic:"AUFLIRA" f; f
    | VeriT ->
        let f = Filename.temp_file "gwhy" "_why.smt" in
        Smtlib.output_file ~logic:"AUFLIRA" f; f
    | Z3 ->
	let f = Filename.temp_file "gwhy" "_why.smt" in
	Smtlib.output_file f; f
    | Ergo
    | ErgoSelect ->
	let f = Filename.temp_file "gwhy" "_why.why" in
	Pretty.output_file ~ergo:true f; f
    | SimplifySelect
    | GappaSelect ->
	let f = Filename.temp_file "gwhy" "_why.why" in
	Pretty.output_file ~ergo:false f; f
    | Gappa ->
	let f = Filename.temp_file "gwhy" "_why.gappa" in
	Gappa.output_one_file ~allowedit:false f; f
    | Coq ->
	let (_, _, _, f, _) = o in
	let _p = get_project () in
	(* if necessary, Pretty.output_project "name ?"; *)
	(* file should already be generated ?? *)
	(* Coq.output_file f; *)
	if debug then Format.printf "Reusing coq file %s_why.v@." f;
	f ^ "_why.v"
    | PVS ->
	assert false (* no PVS in Gwhy *)
(*
	let f = Filename.temp_file "gwhy" "_why.pvs" in
        Pvs.output_file ~allowedit:false f; f
*)



open Format

let prover_name p =
  try
    let (info,_) = List.assoc p DpConfig.prover_list in
    info.name
  with
      Not_found -> "(unnamed)"
(*
  | Simplify -> "Simplify"
  | Harvey -> "haRVey"
  | Cvcl -> "CVC Lite"
  | Zenon -> "Zenon"
  | Rvsat -> "rv-sat"
  | Yices -> "Yices"
  | Ergo ->
      DpConfig.alt_ergo.DpConfig.name ^ " " ^
      DpConfig.alt_ergo.DpConfig.version
  | Cvc3 -> "CVC3"
  | Graph -> "Graph"
  | Z3 -> "Z3"
  | Coq -> DpConfig.coq.DpConfig.name
*)

let call_prover ?(debug=false) ?timeout ?encoding ~obligation:o p =
  let so = try Hashtbl.find oblig_h o with Not_found -> assert false in
  let filename = output_file ?encoding p so in
  if debug then eprintf "calling %s on %s@." (prover_name p) filename;
  let r = match p with
    | Simplify ->
	Calldp.simplify ~debug ?timeout ~filename ()
    | Vampire ->
        Calldp.vampire ~debug ?timeout ~filename ()
    | Harvey ->
	Calldp.harvey ~debug ?timeout ~filename ()
    | Cvcl ->
	Calldp.cvcl ~debug ?timeout ~filename ()
    | Zenon ->
	Calldp.zenon ~debug ?timeout ~filename ()
    | Rvsat ->
	Calldp.rvsat ~debug ?timeout ~filename ()
    | Yices ->
	Calldp.yices ~debug ?timeout ~filename ()
    | Ergo ->
	Calldp.ergo ~select_hypotheses:false ~debug ?timeout ~filename ()
    | ErgoSelect ->
	Calldp.ergo ~select_hypotheses:true ~debug ?timeout ~filename ()
    | Cvc3 ->
	Calldp.cvc3 ~debug ?timeout ~filename ()
    | Z3 ->
	Calldp.z3 ~debug ?timeout ~filename ()
    | VeriT ->
        Calldp.verit ~debug ?timeout ~filename ()
    | SimplifySelect ->
	Calldp.generic_hypotheses_selection ~debug ?timeout ~filename
	  DpConfig.Simplify ()
    | Coq ->
	Calldp.coq ~debug ?timeout ~filename ()
    | PVS ->
	Calldp.pvs ~debug ?timeout ~filename ()
    | Gappa ->
	Calldp.gappa ~debug ?timeout ~filename ()
    | GappaSelect ->
	Calldp.generic_hypotheses_selection ~debug ?timeout ~filename
	  DpConfig.Gappa ()
  in
  begin match p with
    | Coq -> ()
    | _ -> Lib.remove_file ~debug filename
  end;
  r
why-2.34/src/why3.mli0000644000175000017500000000520212311670312013000 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Why3 pretty-printer *)

val push_decl : Logic_decl.t -> unit

(* [push_or_output_decl d] either pushes the goal in a queue like [push_decl]
   for declarations other than goals, and produces a file for goal 
   declarations much as what [output_files] does. *)
(*
val push_or_output_decl : Logic_decl.t -> unit
*)

val reset : unit -> unit

val output_file : string -> unit
why-2.34/src/holl.ml0000644000175000017500000002700612311670312012701 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s HOL Light output *)

open Ident
open Misc
open Error
open Logic
open Logic_decl
open Vcg
open Format
open Cc
open Pp

type elem = 
  | Obligation of obligation
  | Logic of string * logic_type Env.scheme
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme

let elem_q = Queue.create ()

let reset () = Queue.clear elem_q

let push_decl = function
  | Dlogic (_, id, t) -> Queue.add (Logic (Ident.string id, t)) elem_q
  | Daxiom (_, id, p) -> Queue.add (Axiom (id, p)) elem_q
  | Dpredicate_def (_, id, p) -> Queue.add (Predicate (Ident.string id, p)) elem_q
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "HOL light output: inductive def not yet supported"
  | Dgoal (loc,is_lemma,expl,id,s) -> 
      Queue.add (Obligation (loc,is_lemma,expl,id,s.Env.scheme_type)) elem_q
  | Dfunction_def _ -> () (*TODO*)
  | Dtype _ -> () (*TODO*)
  | Dalgtype _ -> () (*TODO*)

(*s Pretty print *)

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "one"
  | PTreal -> fprintf fmt "real"
  | PTexternal ([v], id) when id == farray -> 
      fprintf fmt "list(%a)" print_pure_type v (* TODO *)
  | PTexternal([],id) -> Ident.print fmt id
  | PTvar { type_val = Some t} -> fprintf fmt "%a" print_pure_type t
  | PTexternal _
  | PTvar _ -> failwith "no polymorphism with HOL-light yet"

let prefix_id id =
  (* int cmp *)
  if id == t_lt_int then "int_lt" 
  else if id == t_le_int then "int_le"
  else if id == t_gt_int then "int_gt"
  else if id == t_ge_int then "int_ge"
  else if id == t_eq_int then assert false
  else if id == t_neq_int then assert false
  (* real cmp *)
  else if id == t_lt_real then "real_lt" 
  else if id == t_le_real then "real_le"
  else if id == t_gt_real then "real_gt"
  else if id == t_ge_real then "real_ge"
  else if id == t_eq_real then assert false
  else if id == t_neq_real then assert false
  (* bool cmp *)
  else if id == t_eq_bool then assert false
  else if id == t_neq_bool then assert false
  (* unit cmp *)
  else if id == t_eq_unit then assert false
  else if id == t_neq_unit then assert false
  (* int ops *)
  else if id == t_add_int then "int_add"
  else if id == t_sub_int then "int_sub"
  else if id == t_mul_int then "int_mul"
(*
  else if id == t_div_int then assert false (* TODO *)
  else if id == t_mod_int then assert false (* TODO *)
*)
  else if id == t_neg_int then "int_neg"
  (* real ops *)
  else if id == t_add_real then "real_add"
  else if id == t_sub_real then "real_sub"
  else if id == t_mul_real then "real_mul"
  else if id == t_div_real then "real_div"
  else if id == t_neg_real then "real_neg"
  else if id == t_sqrt_real then "root(2)"
  else if id == t_real_of_int then assert false (* TODO *)
  else assert false

let rec print_term fmt = function
  | Tvar id -> 
      Ident.print fmt id
  | Tconst (ConstInt n) -> 
      fprintf fmt "&%s" n
  | Tconst (ConstBool true) -> 
      fprintf fmt "T" 
  | Tconst (ConstBool false) -> 
      fprintf fmt "F" 
  | Tconst ConstUnit -> 
      fprintf fmt "one" 
  | Tconst (ConstFloat c) ->
      Print_real.print_with_integers 
	"(real_of_num %s)" 
	"(real_of_num (%s * %s))"
	"(real_of_num %s / real_of_num %s)" 
	fmt c
  | Tderef _ -> 
      assert false
  (* arithmetic *)
  | Tapp (id, [a; b], _) when id == t_add_int || id == t_add_real ->
      fprintf fmt "(@[%a +@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_sub_int || id == t_sub_real ->
      fprintf fmt "(@[%a -@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_mul_int || id == t_mul_real ->
      fprintf fmt "(@[%a *@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_div_real ->
      fprintf fmt "(@[%a /@ %a@])" print_term a print_term b
  | Tapp (id, [a], _) when id == t_neg_int || id == t_neg_real ->
      fprintf fmt "(@[--%a@])" print_term a
  | Tapp (id, [a; b; c], _) when id == if_then_else -> 
      fprintf fmt "(@[if %a@ then %a@ else %a@])" 
	print_term a print_term b print_term c
  | Tapp (id, tl, _) when is_relation id || is_arith id -> 
      fprintf fmt "(@[%s %a@])" (prefix_id id) print_terms tl
  (* arrays *)
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "(@[EL (num_of_int %a) %a@])" print_term b print_term a
  | Tapp (id, [a], _) when id == Ident.array_length ->
      fprintf fmt "&(@[LENGTH %a@])" print_term a
  (* any other application *)
  | Tapp (id, tl, _) ->
      fprintf fmt "@[(%a@ %a)@]" 
	Ident.print id (print_list space print_term) tl
  | Tnamed (User n, t) ->
      fprintf fmt "@[(* %s: *) %a@]" n print_term t
  | Tnamed (_, t) -> print_term fmt t

and print_terms fmt tl = 
  print_list space print_term fmt tl

let rec print_predicate fmt = function
  | Ptrue ->
      fprintf fmt "T"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "T"
  | Pfalse ->
      fprintf fmt "F"
  | Pvar id -> 
      fprintf fmt "%a" Ident.print id
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(%a)@]" print_predicate (Util.distinct tl)
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "@[(%a =@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "@[~(%a =@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_lt_int || id == t_lt_real ->
      fprintf fmt "@[(%a <@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_le_int || id == t_le_real ->
      fprintf fmt "@[(%a <=@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_gt_int || id == t_gt_real ->
      fprintf fmt "@[(%a >@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_ge_int || id == t_ge_real ->
      fprintf fmt "@[(%a >=@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_zwf_zero ->
      fprintf fmt "@[((&0 <= %a) /\\@ (%a < %a))@]" 
	print_term b print_term a print_term b
  | Papp (id, tl, _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%s %a)@]" (prefix_id id) print_terms tl
  | Papp (id, tl, _) -> 
      fprintf fmt "@[(%a@ %a)@]" Ident.print id print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "(@[%a ==>@ %a@])" print_predicate a print_predicate b
  | Piff (a, b) ->
      fprintf fmt "(@[(@[%a ==>@ %a@]) /\\@ (@[%a ==>@ %a@])@])" 
	print_predicate a print_predicate b
	print_predicate b print_predicate a
  | Pif (a, b, c) ->
      fprintf fmt "(@[if %a@ then %a@ else %a@])" 
	print_term a print_predicate b print_predicate c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "@[(%a /\\@ %a)@]" print_predicate a print_predicate b
  | Por (a, b) ->
      fprintf fmt "@[(%a \\/@ %a)@]" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "@[~(%a)@]" print_predicate a
  | Forall (_,id,n,t,_,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "(@[!%s:%a.@ %a@])" (Ident.string id')
	print_pure_type t print_predicate p'
  | Exists (id,n,t,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "(@[?%s:%a.@ %a@])" (Ident.string id')
	print_pure_type t print_predicate p'
  | Pnamed (User n, p) ->
      fprintf fmt "@[(* %s: *) %a@]" n print_predicate p
  | Pnamed (_, p) -> print_predicate fmt p
  | Plet (_, n, _, t, p) ->
      print_predicate fmt (subst_term_in_predicate n t p)

let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "!%a:%a.@\n" Ident.print id print_pure_type v;
	print_seq fmt hyps
    | Spred (_, p) :: hyps -> 
	fprintf fmt "@[%a@] ==>@\n" print_predicate p;
	print_seq fmt hyps
  in
  fprintf fmt "@[%a@]@?" print_seq hyps

(* TODO *)
let print_logic fmt id _t =
  fprintf fmt "@[(* logic %s *);;@\n@\n@]" id

let print_axiom fmt id p =
  let (_l,p) = Env.specialize_predicate p in
  fprintf fmt "@[let %s = new_axiom@ `%a`;;@\n@\n@]" 
    id print_predicate p

let print_predicate fmt id p =
  let (_l,(bl,p)) = Env.specialize_predicate_def p in
  fprintf fmt "@[let %s = new_definition@ `%s %a = %a`;;@\n@\n@]" 
    id id (print_list space Ident.print) (List.map fst bl) print_predicate p

let print_obligation fmt _loc _is_lemma id sq =
(*
  fprintf fmt "@[(* %a *)@]@\n" Loc.report_obligation_position loc;
*)
  fprintf fmt "@[let %s =@ `%a`;;@\n@\n@]" id print_sequent sq

let print_elem fmt = function
  | Obligation (loc, is_lemma, _expl, s, sq) -> print_obligation fmt loc is_lemma s sq
  | Logic (id, t) -> print_logic fmt id t
  | Axiom (id, p) -> print_axiom fmt id p
  | Predicate (id, p) -> print_predicate fmt id p

let print_obl_list fmt = 
  let comma = ref false in
  let print = function
    | Obligation (_,_,_,id,_) -> 
	if !comma then fprintf fmt "; "; fprintf fmt "%s" id; comma := true
    | Axiom _ | Logic _ | Predicate _ -> 
	()
  in
  fprintf fmt "let all = ["; 
  Queue.iter print elem_q;
  fprintf fmt "]@\n"

let output_file fwe =
  let sep = "(* DO NOT EDIT BELOW THIS LINE *)" in
  let file = fwe ^ "_why.ml" in
  do_not_edit_below ~file 
    ~before:(fun _ -> ())
    ~sep 
    ~after:(fun fmt ->
	      fprintf fmt "@[";
	      fprintf fmt "prioritize_int();;@\n@\n";
	      Queue.iter (print_elem fmt) elem_q;
	      print_obl_list fmt;
	      fprintf fmt "@]@.")
why-2.34/src/rename.mli0000644000175000017500000000713412311670312013363 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Abstract type for renamings 
 * 
 * Records the names of the mutables objets (ref, arrays) at the different
 * moments of the evaluation, called dates
 *)

type t

type date = string


val empty_ren : t
val update    : t -> date -> Ident.t list -> t
    (* assign new names for the given variables, associated to a new date *)
val next      : t -> Ident.t list -> t
    (* assign new names for the given variables, associated to a new
     * date which is generated from an internal counter *)
val push_date : t -> date -> t
    (* put a new date on top of the stack *)

val valid_date   : date -> t -> bool
val current_date : t -> date
val all_dates    : t -> date list

val current_var  : t -> Ident.t      -> Ident.t
val current_vars : t -> Ident.t list -> (Ident.t * Ident.t) list
    (* gives the current names of some variables *)

val avoid : t -> Ident.set -> t
val fresh : t -> Ident.t -> Ident.t * t
val fresh_many : t -> Ident.t list -> (Ident.t * Ident.t) list * t
    (* introduces new names to avoid and renames some given variables *)

val var_at_date  : t -> date -> Ident.t -> Ident.t
    (* gives the name of a variable at a given date *)
val vars_at_date : t -> date -> Ident.t list
                 -> (Ident.t * Ident.t) list
    (* idem for a list of variables *)  

(* pretty-printers *)

open Format

val print : formatter -> t -> unit
why-2.34/src/hol4.ml0000644000175000017500000002666412311670312012622 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s HOL 4 output (contributed by Seungkeol Choe, University of Utah) *)

open Ident
open Misc
open Error
open Logic
open Logic_decl
open Vcg
open Format
open Cc
open Pp

type elem = 
  | Obligation of obligation
  | Logic of string * logic_type Env.scheme
  | Axiom of string * predicate Env.scheme
  | Predicate of string * predicate_def Env.scheme

let elem_q = Queue.create ()

let reset () = Queue.clear elem_q

let push_decl = function
  | Dlogic (_, id, t) -> Queue.add (Logic (Ident.string id, t)) elem_q
  | Daxiom (_, id, p) -> Queue.add (Axiom (id, p)) elem_q
  | Dpredicate_def (_, id, p) -> Queue.add (Predicate (Ident.string id, p)) elem_q
  | Dinductive_def(_loc, _ident, _inddef) ->
      failwith "HOL4 output: inductive def not yet supported"
  | Dfunction_def _ -> assert false (*TODO*)
  | Dgoal (loc,is_lemma, expl,id,s) -> 
      Queue.add (Obligation (loc,is_lemma,expl,id,s.Env.scheme_type)) elem_q
  | Dtype _ -> () (* assert false *)
  | Dalgtype _ -> () (* assert false *)

(*s Pretty print *)

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "one"
  | PTreal -> fprintf fmt "real"
  | PTexternal([v],id) when id==farray -> 
      fprintf fmt "%a warray" print_pure_type v
  | PTexternal([],id) -> Ident.print fmt id
  | PTvar { type_val = Some t} -> fprintf fmt "%a" print_pure_type t
  | PTexternal(_,_)
  | PTvar _ -> failwith "no polymorphism with HOL4 yet"

let prefix_id id =
  (* int cmp *)
  if id == t_lt_int then "int_lt" 
  else if id == t_le_int then "int_le"
  else if id == t_gt_int then "int_gt"
  else if id == t_ge_int then "int_ge"
  else if id == t_eq_int then assert false (* TODO *)
  else if id == t_neq_int then assert false (* TODO *)
  (* real cmp *)
  else if id == t_lt_real then "real_lt" 
  else if id == t_le_real then "real_le"
  else if id == t_gt_real then "real_gt"
  else if id == t_ge_real then "real_ge"
  else if id == t_eq_real then assert false (* TODO *)
  else if id == t_neq_real then assert false (* TODO *)
  (* bool cmp *)
  else if id == t_eq_bool then assert false (* TODO *)
  else if id == t_neq_bool then assert false (* TODO *)
  (* unit cmp *)
  else if id == t_eq_unit then assert false (* TODO *)
  else if id == t_neq_unit then assert false (* TODO *)
  (* int ops *)
  else if id == t_add_int then "int_add"
  else if id == t_sub_int then "int_sub"
  else if id == t_mul_int then "int_mul"
(*
  else if id == t_div_int then assert false (* TODO *)
  else if id == t_mod_int then assert false (* TODO *)
*)
  else if id == t_neg_int then "int_neg"
  (* real ops *)
  else if id == t_add_real then "real_add"
  else if id == t_sub_real then "real_sub"
  else if id == t_mul_real then "real_mul"
  else if id == t_div_real then "real_div"
  else if id == t_neg_real then "real_neg"
  else if id == t_sqrt_real then assert false (* TODO *)
  else if id == t_real_of_int then assert false (* TODO *)
  else assert false

let rec print_term fmt = function
  | Tvar id -> 
      Ident.print fmt id
  | Tconst (ConstInt n) -> 
      fprintf fmt "%s" n
  | Tconst (ConstBool true) -> 
      fprintf fmt "T" 
  | Tconst (ConstBool false) -> 
      fprintf fmt "F" 
  | Tconst ConstUnit -> 
      fprintf fmt "one" 
  | Tconst (ConstFloat c) ->
      Print_real.print_with_integers 
	"(real_of_num %s)" 
	"(real_of_num (%s * %s))"
	"(real_of_num %s / real_of_num %s)" 
	fmt c
  | Tderef _ -> 
      assert false
  (* arithmetic *)
  | Tapp (id, [a; b], _) when id == t_add_int || id == t_add_real ->
      fprintf fmt "(@[%a +@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_sub_int || id == t_sub_real ->
      fprintf fmt "(@[%a -@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_mul_int || id == t_mul_real ->
      fprintf fmt "(@[%a *@ %a@])" print_term a print_term b
  | Tapp (id, [a; b], _) when id == t_div_real ->
      fprintf fmt "(@[%a /@ %a@])" print_term a print_term b
  | Tapp (id, [a], _) when id == t_neg_int || id == t_neg_real ->
      fprintf fmt "(@[--%a@])" print_term a
  | Tapp (id, [a; b; c], _) when id == if_then_else -> 
      fprintf fmt "(@[if %a@ then %a@ else %a@])" 
	print_term a print_term b print_term c
  | Tapp (id, tl, _) when is_relation id || is_arith id -> 
      fprintf fmt "(@[%s %a@])" (prefix_id id) print_terms tl
  (* arrays *)
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "(@[access %a (num_of_int %a)@])" print_term a print_term b
  | Tapp (id, [a], _) when id == Ident.array_length ->
      fprintf fmt "(@[%a.length@])" print_term a
  (* any other application *)
  | Tapp (id, tl, _) ->
      fprintf fmt "@[(%a@ %a)@]"
	Ident.print id (print_list space print_term) tl
  | Tnamed (User n, t) ->
      fprintf fmt "@[(* %s: *) %a@]" n print_term t
  | Tnamed (_, t) -> print_term fmt t

and print_terms fmt tl = 
  print_list space print_term fmt tl

let rec print_predicate fmt = function
  | Ptrue ->
      fprintf fmt "T"
  | Pvar id when id == Ident.default_post ->
      fprintf fmt "T"
  | Pfalse ->
      fprintf fmt "F"
  | Pvar id -> 
      fprintf fmt "%a" Ident.print id
  | Papp (id, tl, _) when id == t_distinct ->
      fprintf fmt "@[(%a)@]" print_predicate (Util.distinct tl)
  | Papp (id, [a; b], _) when is_eq id ->
      fprintf fmt "@[(%a =@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when is_neq id ->
      fprintf fmt "@[~(%a =@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_lt_int || id == t_lt_real ->
      fprintf fmt "@[(%a <@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_le_int || id == t_le_real ->
      fprintf fmt "@[(%a <=@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_gt_int || id == t_gt_real ->
      fprintf fmt "@[(%a >@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_ge_int || id == t_ge_real ->
      fprintf fmt "@[(%a >=@ %a)@]" print_term a print_term b
  | Papp (id, [a; b], _) when id == t_zwf_zero ->
      fprintf fmt "@[((0 <= %a) /\\@ (%a < %a))@]" 
	print_term b print_term a print_term b
  | Papp (id, tl, _) when is_relation id || is_arith id ->
      fprintf fmt "@[(%s %a)@]" (prefix_id id) print_terms tl
  | Papp (id, tl, _) -> 
      fprintf fmt "@[(%a@ %a)@]" Ident.print id print_terms tl
  | Pimplies (_, a, b) ->
      fprintf fmt "(@[%a ==>@ %a@])" print_predicate a print_predicate b
  | Piff (a, b) ->
      fprintf fmt "(@[(@[%a ==>@ %a@]) /\\@ (@[%a ==>@ %a@])@])" 
	print_predicate a print_predicate b
	print_predicate b print_predicate a
  | Pif (a, b, c) ->
      fprintf fmt "(@[if %a@ then %a@ else %a@])" 
	print_term a print_predicate b print_predicate c
  | Pand (_, _, a, b) | Forallb (_, a, b) ->
      fprintf fmt "@[(%a /\\@ %a)@]" print_predicate a print_predicate b
  | Por (a, b) ->
      fprintf fmt "@[(%a \\/@ %a)@]" print_predicate a print_predicate b
  | Pnot a ->
      fprintf fmt "@[~(%a)@]" print_predicate a
  | Forall (_,id,n,t,_,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "(@[!%s:%a.@ %a@])" (Ident.string id')
	print_pure_type t print_predicate p'
  | Exists (id,n,t,p) -> 
      let id' = next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      fprintf fmt "(@[?%s:%a.@ %a@])" (Ident.string id')
	print_pure_type t print_predicate p'
  | Pnamed (User n, p) ->
      fprintf fmt "@[(* %s: *) %a@]" n print_predicate p
  | Pnamed (_, p) -> print_predicate fmt p
  | Plet (_, n, _, t, p) ->
      print_predicate fmt (subst_term_in_predicate n t p)

let print_sequent fmt (hyps,concl) =
  let rec print_seq fmt = function
    | [] ->
	print_predicate fmt concl
    | Svar (id, v) :: hyps -> 
	fprintf fmt "!%a:%a.@\n" Ident.print id print_pure_type v;
	print_seq fmt hyps
    | Spred (_, p) :: hyps -> 
	fprintf fmt "@[%a@] ==>@\n" print_predicate p;
	print_seq fmt hyps
  in
  fprintf fmt "@[%a@]@?" print_seq hyps

(* TODO *)
let print_parameter fmt id _v =
  fprintf fmt "(* parameter %s *);;" id

(* TODO *)
let print_logic fmt id t =
  let _ = Env.specialize_logic_type t in
  fprintf fmt "(* logic %s *);;" id

(* TODO *)
let print_axiom fmt id _v =
  fprintf fmt "(* axiom %s *);;" id

let print_obligation fmt _loc _is_lemma id sq =
(*
  fprintf fmt "@[(* %a *)@]@\n" Loc.report_obligation_position loc;
*)
  fprintf fmt "val %s = Parse.Term `%a`;;@\n@\n" id print_sequent sq

let print_elem fmt = function
  | Obligation (loc, is_lemma, _expl, s, sq) -> 
      print_obligation fmt loc is_lemma s sq
  | Logic (id, t) -> print_logic fmt id t
  | Axiom (id, p) -> print_axiom fmt id p
  | Predicate _ -> assert false (*TODO*)

let print_obl_list fmt = 
  let comma = ref false in
  let print = function
    | Obligation (_,_,_,id,_) -> 
	if !comma then fprintf fmt "; "; fprintf fmt "%s" id; comma := true
    | Axiom _ | Logic _ | Predicate _ -> 
	()
  in
  fprintf fmt "val all = ["; 
  Queue.iter print elem_q;
  fprintf fmt "]@\n"

let output_file fwe =
  let sep = "(* DO NOT EDIT BELOW THIS LINE *)" in
  let file = fwe ^ "_why.ml" in
  do_not_edit_below ~file
    ~before:(fun _ -> ())
    ~sep 
    ~after:(fun fmt ->
	      fprintf fmt "load \"intLib\"; \n intLib.prefer_int();\n\n";
	      Queue.iter (print_elem fmt) elem_q;
	      print_obl_list fmt)
why-2.34/src/isabelle.mli0000644000175000017500000000461512311670312013675 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*s Isabelle/HOL output *)

open Cc

val reset : unit -> unit

val push_decl : Logic_decl.t -> unit

val output_file : string -> unit
why-2.34/src/explain.mli0000644000175000017500000000477312311670312013562 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* explanations *)

val raw_loc : ?quote:bool -> ?pref:string -> Format.formatter -> Loc.floc -> unit
val print:  ?quote:bool -> Format.formatter ->  Logic_decl.vc_expl -> unit

val msg_of_kind : ?name:string -> Logic_decl.expl_kind -> string

why-2.34/src/encoding.mli0000644000175000017500000000500712311670312013677 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cc

val reset : unit -> unit

val push : ?encode_inductive:bool -> ?encode_algtype:bool -> 
  ?encode_preds:bool -> ?encode_funs:bool -> Logic_decl.t -> unit
val iter : (Logic_decl.t -> unit) -> unit

val symbol : Ident.t * Logic.instance -> string
why-2.34/src/encoding_mono.ml0000644000175000017500000004710612311670312014564 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Cc
open Logic
open Logic_decl

let map_product (f: 'a -> 'a list) (l:'a list) : 'a list list =
  List.fold_left 
    (fun prev_acc e ->
       let lr = f e in
       List.fold_left 
         (fun acc l -> List.fold_left (fun acc e -> (e::l)::acc) acc lr)
         [] prev_acc) [[]] l

let loc = Loc.dummy_floc
let debug = false
let f2s (s,l,b,e) = Printf.sprintf "File %s, line %d, characters %d-%d" s l b e

let prefix = fun s -> "c_"^s
(* let suffix = "_c" *)
(* let var = "x" *)
let tvar = "t"
(* let cpt = ref 0 *)
let injec c = c^"_injective"
(* let axiom c = c ^ "_to_" ^ (c^suffix) *)
let def c = "def_"^c

(* The names for the new function symbols *)
let sort =  prefix "sort"

let cname t =  match Misc.normalize_pure_type t with
  | PTint -> "int"
  | PTbool -> "bool"
  | PTreal -> "real"
  | PTunit -> "unit"
      (** TODO : better error handling here *)
  | _ -> failwith "this function should only be called on constant types"
let c2u t = (cname t)^"2u"
let s2c t = "s2"^(cname t)

(* This is the list of constant types which is handled as such *)
let htypes = [PTint; PTbool; PTreal; PTunit]

(* The monosorted stratified encoding introduces
   three new external types : a sort for syntactically 
   unsorted terms, one for sorted terms and one for 
   syntactic types *)
let utname = prefix "unsorted"
let stname = prefix "sorted"
let ttname = prefix "type"
let ut = PTexternal ([], Ident.create utname)
let st = PTexternal ([], Ident.create stname)
let tt = PTexternal ([], Ident.create ttname)

(* The prelude is a set of declarations that must be added
   to the context every time the encoding is used :*)
let eq_arity = (Ident.string Ident.t_eq, Env.empty_scheme (Predicate [st; st]))
let neq_arity = (Ident.string Ident.t_neq, Env.empty_scheme (Predicate [st; st]))
let arities = ref [eq_arity; neq_arity]

let prelude = [
  (* first the three new types *)
  (Dtype (loc, Ident.create utname, []));
  (Dtype (loc, Ident.create stname, []));
  (Dtype (loc, Ident.create ttname, []))]
  (* the function symbols representing constant types *)
  @
 (List.map (fun t -> (Dlogic (loc, Ident.create (prefix (cname t)),
			       Env.empty_scheme (Function ([], tt)))))
     htypes)
  (* the sorting and conversion functions *)
  @
  [(Dlogic (loc, Ident.create sort, Env.empty_scheme (Function ([tt; ut], st))))]
  @
  (List.map (fun t ->
	       (Dlogic (loc, Ident.create (c2u t),
			Env.empty_scheme (Function ([t], ut)))))
     htypes)
  @
  (List.map (fun t ->
	       (Dlogic (loc, Ident.create (s2c t),
			Env.empty_scheme (Function ([st], t)))))
     htypes)
  (* and the conversion axioms *)
  @
  (** \forall x: T .  s2T(sort(T, T2u(x))) = x  **)
  (List.map (fun t -> 
	       (Daxiom (loc, (s2c t)^"_inv_"^(c2u t),
	let x = Ident.create "x" in 
	let t_term = Tapp (Ident.create (prefix (cname t)), [], []) in
	let t2u_x = Tapp (Ident.create (c2u t), [Tvar x], []) in 
	let sort_t_t2u_x = Tapp (Ident.create sort, [t_term; t2u_x], []) in
	let lhs = Tapp (Ident.create (s2c t), [sort_t_t2u_x], []) in
	let peq = Papp (Ident.t_eq,[lhs;Tvar x], []) in
	let pat = [[TPat sort_t_t2u_x]] in
          Env.empty_scheme (Forall (false, x, x, t, pat, peq)))))
     htypes)
  @
  (** \forall x: U .  T2u(s2T(sort(T, x))) = x from CADE'08 paper
      but contradiction with one finite type and one infinite type protected.
      So use \forall x: U .  sort(T,T2u(s2T(sort(T, x)))) = sort(T,x)
      (see perhaps FROCOS'11)
  **)
  (List.map (fun t -> 
	       (Daxiom (loc, (c2u t)^"_inv_"^(s2c t),
	let x = Ident.create "x" in 
	let t_term = Tapp (Ident.create (prefix (cname t)), [], []) in
	let sort_t_x = Tapp (Ident.create sort, [t_term; Tvar x], []) in
	let s2t_sort_t_x = Tapp (Ident.create (s2c t), [sort_t_x], []) in 
	let lhs = Tapp (Ident.create (c2u t), [s2t_sort_t_x], []) in
	let lhs' = Tapp (Ident.create sort, [t_term; lhs], []) in
	let rhs = Tapp (Ident.create sort, [t_term; Tvar x], []) in
	let peq = Papp (Ident.t_eq,[lhs';rhs], []) in
          Env.empty_scheme (Forall (false, x, x, ut, [[TPat lhs]], peq)))))
     htypes)

(* Functions that replace polymorphic types by S,T,U and constants *)
let typify ptl = List.map (fun _ -> tt) ptl

let sortify t pt = 
  match pt with
    | PTint | PTbool | PTreal | PTunit -> pt
    | PTvar _ -> t
    | PTexternal (_,_) -> t

let monoify = List.map (sortify st)

let sort_of_c = function
  | ConstInt _ -> PTint
  | ConstBool _ -> PTbool
  | ConstUnit -> PTunit
  | ConstFloat _ -> PTreal

let is_const t = (* match Misc.normalize_pure_type t with *) match t with
  | PTint | PTbool | PTreal | PTunit -> true
  | _ -> false

(* Function that plunges a term under its type information. *)
(* Uses an assoc. list of tags -> idents for type variables *)
let plunge fv term pt =
  let rec leftt pt =
    match pt with
	PTint | PTbool | PTreal | PTunit ->
	  Tapp (Ident.create (prefix (cname pt)), [], [])
      | PTvar ({type_val = None} as var) -> 
	  let t = 
	    try List.assoc var.tag fv
	    with Not_found ->
	      let s = string_of_int var.tag in
		(print_endline ("[plunge] unknown vartype : "^s); 
		 Format.eprintf "term = %a@." Util.print_term term;
		 s)
	  in
	    Tvar (Ident.create t)
      | PTvar {type_val = Some pt} -> leftt pt
      | PTexternal (ptl, id) -> Tapp (id, List.map (fun pt -> leftt pt) ptl, [])
  in
    Tapp (Ident.create sort,[leftt pt; term],[])

(* Function that strips the top most sort application, for terms bound
   in let-ins *)
let strip_topmost t =
  match t with
    | Tapp (symb, [_encoded_ty; encoded_t], []) when symb = Ident.create sort ->
	encoded_t
    | _ -> t

let get_arity id =
  let arity =
    try List.assoc (Ident.string id) !arities
    with e -> (print_endline ("Encoding_mono.get_arity: unknown arity for "^(Ident.string id))); raise e in
    match arity.Env.scheme_type with
	Function (ptl, rt) -> ptl, rt
      | Predicate ptl -> ptl, PTbool (* ce PTbool est arbitraire et inutilisé *)

(* Ground instanciation of an arity (to be plunged under) *)
let instantiate_arity id inst =
  let arity =
    try List.assoc (Ident.string id) !arities
    with e -> (print_endline ("Encoding_mono.instantiate_arity: unknown arity for "^(Ident.string id))); raise e in
  let (vs, log_type) = Env.specialize_logic_type arity in
    if debug then 
      (print_string "\t{";
       Env.Vmap.iter (fun _ v -> Printf.printf "%d" v.tag) vs;
       print_endline "}");
    match log_type with
	Function (_ptl, rt) ->
	  if debug then Printf.printf "Instantiate : %d vars - %d types\n"
	    (Env.Vmap.fold (fun _ _ n -> n + 1) vs 0) (List.length inst);
	  ignore 
	    (Env.Vmap.fold (fun _ v l -> 
			      (match l with [] -> []
				 | a::q -> (v.type_val <- Some a; q)))
	       vs (List.rev inst));
	  rt
      | Predicate _ptl ->
	  ignore 
	    (Env.Vmap.fold (fun _ v l -> 
			      (match l with [] -> []
				 | a::q -> (v.type_val <- Some a; q)))
	       vs (List.rev inst));
	  PTbool

(* Translation of a term *)
(* [fv] is a map for type variables, [lv] for term variables,
   and [rt] is the type of this term in the arity of its
   direct superterm. *)
let rec translate_term fv lv rt = function
  | Tvar id as t ->
      let pt = try List.assoc id lv with e -> 
	(Printf.eprintf "variable %s\n" (Ident.string id); raise e) in
	(match is_const rt, is_const pt with
	     true, true -> t
	   | true, false -> Tapp (Ident.create (s2c rt), [plunge fv t pt], [])
	   | false, true -> plunge [] (Tapp (Ident.create (c2u pt), [t], [])) pt
	   | false, false -> plunge fv t pt
	)
  | Tapp (id, tl, inst) ->
      let ptl, pt = get_arity id in
      let trans_term = Tapp (id, List.map2 (translate_term fv lv) ptl tl, []) in
      let ground_type = instantiate_arity id inst in
	(match is_const rt, is_const pt with
	     true, true -> trans_term
	   | true, false -> Tapp (Ident.create (s2c rt), 
				  [plunge fv trans_term rt], [])
	   | false, true -> plunge [] 
	       (Tapp (Ident.create (c2u pt), [trans_term], [])) pt
	   | false, false -> plunge fv trans_term ground_type
	)
  | Tconst (_) as t when is_const rt -> t
  | Tconst (c) as t -> 
      let pt = sort_of_c c in
	plunge fv (Tapp (Ident.create (c2u pt), [t], [])) (sort_of_c c)
  | Tderef id as t -> print_endline ("id in Tderef : "^(Ident.string id)); t
  | Tnamed(_,t) -> translate_term fv lv rt t

(* Generalizing a predicate scheme with foralls (can add a trigger) *)
(* This function is used to explicitely quantify over syntactic type 
   variables that were implicitely quantified at first. *)
let rec lifted l p t =
  match l with [] -> p
    | (_, s)::[] ->
	Forall(false, Ident.create s, Ident.create s, tt, t, p)
    | (_, s)::q ->
	Forall(false, Ident.create s, Ident.create s, tt, [], lifted q p t)
	
let rec lifted_t l p tr =
  match l with [] -> p
    | (a,t)::[] -> (Forall(false, a, a, t, tr, p))
    | (a,t)::q ->  (Forall(false, a, a, t, [], lifted_t q p tr))

let rec lifted_ctxt l cel =
  (List.map (fun (_,s) -> Svar(Ident.create s, tt)) l)@cel

(* Translation of a predicate *)
let rec translate_pred fv lv = function
(*   | Papp (id, [a; b], [t]) when Ident.is_eq id && is_const t -> *)
(*       Papp (id, [translate_term fv lv t a; translate_term fv lv t b], []) *)
  | Papp (id, tl, inst) ->
      let _ = instantiate_arity id inst in
      let arity,_ = get_arity id in
	Papp (id, List.map2 (translate_term fv lv) arity tl, [])
  | Plet (id, n, pt, t, p) -> 
      let t' = strip_topmost (translate_term fv lv pt t) in
	Plet (id, n, sortify ut pt, t', translate_pred fv ((n,pt)::lv) p)
  | Pimplies (iswp, p1, p2) ->
      Pimplies (iswp, translate_pred fv lv p1, translate_pred fv lv p2)
  | Pif (t, p1, p2) ->
      Pif (translate_term fv lv PTbool t,
	   translate_pred fv lv p1, translate_pred fv lv p2)
  | Pand (iswp, issym, p1, p2) ->
      Pand (iswp, issym, translate_pred fv lv p1, translate_pred fv lv p2)
  | Por (p1, p2) ->
      Por (translate_pred fv lv p1, translate_pred fv lv p2)
  | Piff (p1, p2) ->
      Piff (translate_pred fv lv p1, translate_pred fv lv p2)
  | Pnot p ->
      Pnot (translate_pred fv lv p)
  | Forall (iswp, id, n, pt, _(*tl*), p) ->
      let lv' = (n,pt)::lv in
       let tl' = (*translate_triggers fv lv' p tl*) [] in
	Forall (iswp, id, n, sortify ut pt, tl', translate_pred fv lv' p)
  | Forallb (iswp, p1, p2) ->
      Forallb (iswp, translate_pred fv lv p1, translate_pred fv lv p2)
  | Exists (id, n, pt, p) ->
      Exists (id, n, sortify ut pt, translate_pred fv ((n,pt)::lv) p)
  | Pnamed (s, p) ->
      Pnamed (s, translate_pred fv lv p)
  | _ as d -> d

and translate_pattern fv lv p = function
  | TPat t -> 
      let rec lookfor_term fv lv acc rt = function
        | t2 when ((*Format.printf "%a = %a? %b@." Util.print_term t Util.print_term t2 (Misc.eq_term t t2);*) Misc.eq_term t t2) -> 
            (translate_term fv lv rt t2)::acc
        | Tvar _ | Tconst _ | Tderef _ -> acc
        | Tapp (id, tl, _inst) ->
            let ptl, _pt = get_arity id in
            List.fold_left2 (lookfor_term fv lv) acc ptl tl
        | Tnamed(_,t2) -> lookfor_term fv lv acc rt t2 in
      let rec lookfor_term_in_predicate fv lv acc = function
        | Pif (t, p1, p2) ->
            let acc = lookfor_term fv lv acc PTbool t in
            let acc =  lookfor_term_in_predicate fv lv acc p1 in
            let acc =  lookfor_term_in_predicate fv lv acc p2 in
            acc
        | Papp (id, tl, _inst) ->
            let arity,_ = get_arity id in
	    List.fold_left2 (lookfor_term fv lv) acc arity tl
        | Plet (_, n, pt, t, p) -> 
            let acc = lookfor_term fv lv acc pt t in
	    lookfor_term_in_predicate fv ((n,pt)::lv) acc p
        | Forall (_, _, n, pt, _, p) | Exists (_, n, pt, p) ->
            lookfor_term_in_predicate fv ((n,pt)::lv) acc p
        | Pimplies (_, p1, p2) | Pand (_ , _, p1, p2) | Por (p1, p2) 
        | Piff (p1, p2) | Forallb (_, p1, p2) ->
            lookfor_term_in_predicate fv lv (lookfor_term_in_predicate fv lv acc p2) p1
        | Pnot p | Pnamed (_, p) -> lookfor_term_in_predicate fv lv acc p 
        | Pvar _|Pfalse|Ptrue -> acc in
      let r = (lookfor_term_in_predicate fv lv [] p) in
      (*Format.printf "%a : %a@." Util.print_term t (Pp.print_list Pp.comma Util.print_term) r;*)
      List.map (fun x -> TPat x) r
(*
  let rec translate_term_for_pattern fv lv = function
      (* mauvaise traduction des triggers mais ...
         Le type n'étant pas forcement le même 
         les plunges internes peuvent ne pas être les 
         même que dans le body de la quantification *)
      | Tvar _ as t -> t
      | Tapp (id, tl, inst) ->
      let ptl, pt = get_arity id in
      let trans_term = Tapp (id, List.map2 (translate_term fv lv) ptl tl, []) in
      let _ = instantiate_arity id inst in
      trans_term
      | Tconst (_) as t -> t
      | Tderef _ as t -> t
      | Tnamed(_,t) -> translate_term_for_pattern fv lv t in
      TPat (translate_term_for_pattern fv lv t)
*)
  | PPat p -> [PPat (translate_pred fv lv p)]

and translate_triggers fv lv p tl =
  List.fold_left (fun acc e -> List.rev_append (map_product (translate_pattern fv lv p) e) acc) [] tl


(* The core *)
let queue = Queue.create ()

let rec push d = 
  try (match d with
(* A type declaration is translated as new logical function, the arity of *)
(* which depends on the number of type variables in the declaration *)
  | Dtype (loc, ident, vars) ->
      Queue.add (Dlogic (loc, ident,
			 Env.empty_scheme (Function (typify vars, tt)))) queue
  | Dalgtype _ ->
      assert false
(*
      failwith "encoding rec: algebraic types are not supported"
*)
(* In the case of a logic definition, we redefine the logic symbol  *)
(* with types u and s, and its complete arity is stored for the encoding *)
  | Dlogic (loc, ident, arity) -> 
(*
      Format.eprintf "Encoding_mono: adding %s in arities@." ident;
*)
      arities := (Ident.string ident, arity)::!arities;
      let newarity = match arity.Env.scheme_type with
	  Predicate ptl -> Predicate (monoify ptl)
	| Function (ptl, pt) -> Function (monoify ptl, sortify ut pt) in
	Queue.add (Dlogic (loc, ident, Env.empty_scheme newarity)) queue
(* A predicate definition can be handled as a predicate logic definition + an axiom *)
  | Dpredicate_def (loc,id,d) ->
      List.iter push (PredDefExpansor.predicate_def loc id d)
(*
      let (argl, pred) = pred_def_sch.Env.scheme_type in
      let rootexp = (Papp (ident, List.map (fun (i,_) -> Tvar i) argl, [])) in
      let name = Ident.string ident in
      push (Dlogic (loc, ident, (Env.generalize_logic_type (Predicate (snd (List.split argl))))));
      push (Daxiom (loc, def name, (Env.generalize_predicate
				      (lifted_t argl (Piff (rootexp, pred)) [[PPat rootexp]]))))
*)
  | Dinductive_def(_loc, _ident, _inddef) ->
      assert false
(*
      failwith "encoding mono: inductive def not yet supported"
*)
(* A function definition can be handled as a function logic definition + an axiom *)
  | Dfunction_def (_loc, _ident, _fun_def_sch) ->
      assert false
(*
(*       let _ = print_endline ident in *)
      let (argl, rt, term) = fun_def_sch.Env.scheme_type in
      let rootexp = (Tapp (ident, List.map (fun (i,_) -> Tvar i) argl, [])) in
      let name = Ident.string ident in
      push (Dlogic (loc, ident, (Env.generalize_logic_type (Function (snd (List.split argl), rt)))));
      push (Daxiom (loc, def name,
		    (Env.generalize_predicate
		       (lifted_t argl (Papp (Ident.t_eq, [rootexp; term], [])) [[TPat rootexp]]))))
*)
(* Axiom definitions *)
  | Daxiom (loc, name, pred_sch) ->
      let cpt = ref 0 in
      let fv = Env.Vset.fold
	(fun tv acc -> cpt := !cpt + 1; (tv.tag, tvar^(string_of_int !cpt))::acc)
	(pred_sch.Env.scheme_vars) [] in
      let new_axiom = Env.empty_scheme
	(lifted fv (translate_pred fv [] pred_sch.Env.scheme_type) []) in
	Queue.add (Daxiom (loc, name, new_axiom)) queue
(* A goal is a sequent : a context and a predicate and both have to be translated *)
  | Dgoal (loc, is_lemma, expl, name, s_sch) ->
      begin try
	if debug then Printf.printf "Encoding goal %s, %s...\n" name (f2s loc);
	let cpt = ref 0 in
	let fv = Env.Vset.fold
	  (fun tv acc -> 
	     cpt := !cpt + 1; 
	     (tv.tag, tvar^(string_of_int !cpt))::acc)
	  (s_sch.Env.scheme_vars) [] in
	if debug then
	  (Printf.printf "Goal environment :\n";
	   List.iter (fun (n,id) -> Printf.printf "\tIn env : %s tagged %d\n" id n) fv;
	   Printf.printf "=========\n");
	let (context, new_cel) =
	  List.fold_left
	    (fun (acc_c, acc_new_cel) s -> 
	       match s with
		   Spred (id, p) -> 
		     (acc_c, (Spred (id, translate_pred fv acc_c p))::acc_new_cel)
		 | Svar (id, t) -> ((id,t)::acc_c, (Svar (id, sortify ut t))::acc_new_cel))
	    ([], [])
	    (fst (s_sch.Env.scheme_type)) in
	if debug then
	  (Printf.printf "Goal context :\n";
	   List.iter (fun ce -> match ce with 
			| Svar (id, _pt) -> Printf.printf "\tvar %s : ??\n" (Ident.string id)
			| Spred(id, _) -> Printf.printf "\thyp %s : ...\n" (Ident.string id)
		     ) new_cel;
	   Printf.printf "=========\n");
	let new_sequent =
	  Env.empty_scheme
	    (lifted_ctxt fv (List.rev new_cel),
	     translate_pred fv context (snd (s_sch.Env.scheme_type))) in
	Queue.add (Dgoal (loc, is_lemma, expl, name, new_sequent)) queue
      with Not_found -> 
	Format.eprintf "Exception caught in : %a\n" Util.print_decl d;
	Queue.add (Dgoal (loc, is_lemma, expl, name, Env.empty_scheme([],Pfalse))) queue
      end)
  with Not_found -> 
    Format.eprintf "Exception caught in : %a\n" Util.print_decl d;
    raise Not_found

let iter f =
  (* first the prelude *)
  List.iter f prelude;
  (* then the queue *)
  Queue.iter f queue

let reset () = 
  arities := [eq_arity; neq_arity];
  Queue.clear queue
why-2.34/src/ocaml.ml0000644000175000017500000002352312311670312013036 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s Ocaml code output *)

open Format
open Options
open Ident
open Logic
open Misc
open Types
open Env
open Ast
open Pp

(*s pre- and postconditions *)

let pre print_assertion = 
  let print fmt p = fprintf fmt "(* @[%a@] *)" print_assertion p in
  print_list newline print

let post print_assertion fmt q = 
  let exn fmt (x,a) = fprintf fmt "%a => %a" Ident.print x print_assertion a in
  match q with
    | (a, []) -> 
	fprintf fmt "(* @[%a@] *)" print_assertion a 
    | (a, al) -> 
	fprintf fmt "(* @[%a@ | %a@] *)" 
	  print_assertion a (print_list alt exn) al

(*s types and constants *)

let identifiers = print_list comma Ident.print

let print_predicate = Util.print_predicate
let print_assertion = Util.print_assertion

let rec typev fmt = function
  | PureType PTreal -> 
      fprintf fmt "float"
  | PureType pt -> 
      Util.print_pure_type fmt pt
  | Ref (PTexternal ([t], id)) when id == farray  -> 
      fprintf fmt "(%a array)" Util.print_pure_type t
  | Ref v -> 
      fprintf fmt "(%a ref)" Util.print_pure_type v
  | Arrow (bl, c) -> 
      fprintf fmt "%a ->@ %a" (print_list arrow binder_type) bl typec c

and typec fmt c = match c.c_pre, c.c_post with
  | [], None ->
      fprintf fmt "%a" typev c.c_result_type
  | [], Some q ->
      fprintf fmt "%a@ %a" typev c.c_result_type (post print_predicate) q
  | p, None ->
      fprintf fmt "%a@ %a" (pre print_predicate) p typev c.c_result_type
  | p, Some q ->
      fprintf fmt "%a@ %a@ %a" 
	(pre print_predicate) p typev c.c_result_type (post print_predicate) q

and binder_type fmt = function
  | id, v when id == Ident.anonymous -> typev fmt v
  | id, v -> fprintf fmt "(*%a:*)%a" Ident.print id typev v

let binder_id fmt (id, v) =
  fprintf fmt "%a (*:%a*)" Ident.print id typev v

let binder_ids = print_list space binder_id

let constant fmt = function
  | ConstInt n -> fprintf fmt "%s" n
  | ConstBool b -> fprintf fmt "%b" b
  | ConstUnit -> fprintf fmt "()"
  | ConstFloat (RConstDecimal (i,f,None)) -> fprintf fmt "%s.%s" i f
  | ConstFloat (RConstDecimal (i,f,Some e)) -> fprintf fmt "%s.%se%s" i f e
  | ConstFloat (RConstHexa (i,f,e)) -> 
      fprintf fmt "(float_of_string \"0x%s.%sp%s\")" i f e

(*s logical expressions *)

let caml_infix id = is_arith_binop id || is_relation_ id

let infix id = 
  if id == t_add_int then "+" 
  else if id == t_sub_int then "-" 
  else if id == t_mul_int then "*"
(*
  else if id == t_div_int then "/"
  else if id == t_mod_int then "mod"
*)
  else if id == t_add_real then "+." 
  else if id == t_sub_real then "-." 
  else if id == t_mul_real then "*."
  else if id == t_div_real then "/."
  else if is_eq id || is_eq_ id then "="
  else if is_neq id || is_neq_ id then "<>"
  else if id == t_lt_int_ || id == t_lt_real_ then "<"
  else if id == t_le_int_ || id == t_le_real_ then "<="
  else if id == t_gt_int_ || id == t_gt_real_ then ">"
  else if id == t_ge_int_ || id == t_ge_real_ then ">="
  else begin eprintf "infix id = %a@." Ident.print id; assert false end

let prefix fmt id = fprintf fmt "( %s )" (infix id)

let rec expression fmt = function
  | Tvar id -> 
      Ident.print fmt id
  | Tconst c -> 
      constant fmt c
  | Tderef id ->
      fprintf fmt "!%a" Ident.print id
  | Tapp (id, [Tderef t], _) when id == Ident.array_length ->
      fprintf fmt "(Array.length %a)" Ident.print t
  | Tapp (id, [t], _) when id == t_neg_int ->
      fprintf fmt "(-%a)" expression t
  | Tapp (id, [t], _) when id == t_neg_real ->
      fprintf fmt "(-. %a)" expression t
  | Tapp (id, [t], _) when id == t_sqrt_real ->
      fprintf fmt "(sqrt %a)" expression t
  | Tapp (id, [t], _) when id == t_real_of_int ->
      fprintf fmt "(real %a)" expression t
  | Tapp (id, [a; b], _) when id == access ->
      fprintf fmt "%a.(%a)" expression a expression b
  | Tapp (id, [a; b], _) when caml_infix id ->
      fprintf fmt "(%a %s %a)" expression a (infix id) expression b
  | Tapp (id, tl, _) -> 
      fprintf fmt "(%a %a)" Ident.print id (print_list space expression) tl
  | Tnamed (User n, t) ->
      fprintf fmt "@[(* %s: *)@ %a@]" (String.escaped n) expression t
  | Tnamed (_, t) -> expression fmt t

(*s program expressions *)

let rec expr fmt e = 
  let k = e.info in
  let q = k.t_post in
  if not ocaml_annot || q = None then
    fprintf fmt "@[%a@]" exprd e.desc
  else match q with
    | Some q -> 
	fprintf fmt "@[%a@ %a@]" exprd e.desc (post print_assertion) q
    | None ->
	fprintf fmt "@[%a@]" exprd e.desc

and exprd fmt = function
  | Var id when caml_infix id ->
      fprintf fmt "%a" prefix id
  | Var id ->
      Ident.print fmt id
  | Seq (e1, e2) ->
      fprintf fmt "@[begin@;<1 2>%a;@ %a end@]" expr e1 expr e2
  | Loop (_inv, _var, e2) ->
      fprintf fmt "@[while true do@;<1 2>%a@ done@]" expr e2
  | If (e1, e2, e3) ->
      fprintf fmt "(@[if %a then@;<1 2>%a@ else@;<1 2>%a@])" 
	expr e1 expr e2 expr e3
  | Lam (bl, p, e) ->
      fprintf fmt "@[(fun %a ->@ %a)@]" binder_ids bl expr_pre (p,e)
  | AppTerm ({desc=AppTerm ({desc=Var id}, t1, _)}, t2, _) 
    when is_poly id (* || id == t_mod_int *) ->
      fprintf fmt "@[(%a %s@ %a)@]" 
      expression t1 (infix id) expression t2
  | AppTerm (e, t, _) ->
      fprintf fmt "@[(%a@ %a)@]" expr e expression t
  | AppRef (e, a, _) ->
      fprintf fmt "@[(%a@ %a)@]" expr e Ident.print a
  | LetRef (id, e1, e2) ->
      fprintf fmt "@[(@[let %a =@ ref %a in@]@\n%a)@]" 
	Ident.print id expr e1 expr e2
  | LetIn (id, e1, e2) ->
      fprintf fmt "@[(@[let %a =@ %a in@]@\n%a)@]" 
	Ident.print id expr e1 expr e2
  | Rec (id, bl, _v, _var, p, e) ->
      fprintf fmt "@[(let rec %a %a =@ %a in@ %a)@]" 
	Ident.print id binder_ids bl expr_pre (p,e) Ident.print id
  | Raise (id, None) ->
      fprintf fmt "@[(raise %a)@]" Ident.print id
  | Raise (id, Some e) ->
      fprintf fmt "@[(raise@ (%a %a))@]" Ident.print id expr e
  | Try (e, hl) ->
      fprintf fmt "(@[try@;<1 2>%a@ with@ @[%a@]@])" 
	expr e (print_list newline handler) hl
  | Expression t -> 
      expression fmt t
  | Absurd ->
      fprintf fmt "@[assert false@]"
  | Any _ ->
      fprintf fmt "@[assert false (* code not given *)@]"
  | Assertion (_k, p,e) ->
      expr_pre fmt (p,e)
  | Post (e, q, _) ->
      let q = post_app a_value q in
      fprintf fmt "@[(%a@ %a)@]" expr e (post print_predicate) q
  | Label (l, e) -> 
      fprintf fmt "@[(* label %s *)@ %a@]" l expr e

and expr_pre fmt (p,e) =
  fprintf fmt "@[%a@ %a@]" (pre print_assertion) p expr e

and handler fmt = function
  | (id, None), e -> 
      fprintf fmt "| %a -> %a" Ident.print id expr e
  | (id, Some id'), e -> 
      fprintf fmt "| %a %a -> %a" Ident.print id Ident.print id' expr e

let decl fmt (id, e) =
  fprintf fmt "@[let %a =@ %a@]@\n@\n" Ident.print id expr e

(*s Parameters (collected to make a functor) *)

let params = Queue.create ()

let push_parameters ids v = List.iter (fun id -> Queue.add (id, v) params) ids

(*s We make a functor if some parameters are present *)

let parameter fmt (id, v) =
  fprintf fmt "@\n@[val %a : %a@]@\n" Ident.print id typev v 

let progs = Queue.create ()

let push_program id p = Queue.add (id, p) progs

let output fmt = 
  fprintf fmt "(* code generated by why --ocaml *)@\n@\n";
  let print_decls fmt () = Queue.iter (decl fmt) progs in
  if Queue.is_empty params then
    fprintf fmt "@[%a@]" print_decls ()
  else begin
    fprintf fmt "@[module type Parameters = sig@\n  @[";
    Queue.iter (parameter fmt) params;
    fprintf fmt "@]@\nend@\n@\n@]";
    fprintf fmt "@[module Make(P : Parameters) = struct@\n";
    fprintf fmt "  open P@\n@\n";
    fprintf fmt "  @[%a@]@\nend@\n@]" print_decls ()
  end



why-2.34/src/parser.mly0000644000175000017500000004754612311670312013443 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


%{

  open Ident
  open Types
  open Logic
  open Ptree
  open Error
  open Parsing

  let loc () = (symbol_start_pos (), symbol_end_pos ())
  let loc_i i = (rhs_start_pos i, rhs_end_pos i)
  let loc_ij i j = (rhs_start_pos i, rhs_end_pos j)

  let mk_ppl loc d = { pp_loc = loc; pp_desc = d }
  let mk_pp d = mk_ppl (loc ()) d
  let mk_pp_i i d = mk_ppl (loc_i i) d
		    
  let infix_ppl loc a i b = mk_ppl loc (PPinfix (a, i, b))
  let infix_pp a i b = infix_ppl (loc ()) a i b

  let prefix_ppl loc p a = mk_ppl loc (PPprefix (p, a))
  let prefix_pp p a = prefix_ppl (loc ()) p a

  let with_loc loc d = { pdesc = d; ploc = loc }
  let locate d = with_loc (loc ()) d
  let locate_i i d = with_loc (loc_i i) d

  let rec_name = function Srec (x,_,_,_,_,_) -> x | _ -> assert false

  let join (b,_) (_,e) = (b,e)

  let rec app f = function
    | [] -> 
	assert false
    | [a] -> 
	Sapp (f, a)
    | a :: l -> 
	let loc = join f.ploc a.ploc in 
	app (with_loc loc (Sapp (f, a))) l

  let bin_op (loc_op,op) e1 e2 =
    let f = with_loc loc_op (Svar op) in
    let f_e1 = with_loc (join e1.ploc loc_op) (Sapp (f, e1)) in
    locate (Sapp (f_e1, e2))
      
  let un_op (loc_op,op) e =
    locate (app (with_loc loc_op (Svar op)) [e])

  let ptype_c_of_v v =
    { pc_result_name = Ident.result;
      pc_result_type = v;
      pc_effect = { pe_reads = []; pe_writes = []; pe_raises = [] };
      pc_pre = []; 
      pc_post = None }

  let list_of_some = function None -> [] | Some x -> [x]

  (*s ensures a postcondition for a function body *)

  let force_function_post ?(warn=false) e = match e.pdesc with
    | Spost _ -> 
	e
    | _ -> 
       if warn then 
	 Format.eprintf 
	   "%ano postcondition for this function; true inserted@\n"
	   Loc.report_position e.ploc; 
       let q = 
	 { pa_name = Anonymous; pa_value = mk_pp PPtrue; pa_loc = loc () }
       in
       { e with pdesc = Spost (e, (q, []), Transparent) }

%}

/* Tokens */ 

%token  IDENT
%token  INTEGER
%token  FLOAT
%token  STRING
%token ABSURD AMPAMP AND ARRAY ARROW AS ASSERT AT AXIOM 
%token BANG BAR BARBAR BEGIN 
%token BIGARROW BOOL CHECK COLON COLONEQUAL COMMA DO DONE DOT ELSE END EOF EQUAL
%token EXCEPTION EXISTS EXTERNAL FALSE FOR FORALL FPI FUN FUNCTION GE GOAL GT
%token IF IN INCLUDE INDUCTIVE INT INVARIANT
%token LE LEMMA LEFTB LEFTBLEFTB LEFTPAR LEFTSQ LET LOGIC LRARROW LT MATCH MINUS
%token NOT NOTEQ OF OR PARAMETER PERCENT PLUS PREDICATE PROP 
%token QUOTE RAISE RAISES READS REAL REC REF RETURNS RIGHTB RIGHTBRIGHTB
%token RIGHTPAR RIGHTSQ 
%token SEMICOLON SLASH 
%token THEN TIMES TRUE TRY TYPE UNIT VARIANT VOID WHILE WITH WRITES

/* Precedences */

%nonassoc prec_recfun
%nonassoc prec_fun
%left LEFTB LEFTBLEFTB
%left prec_simple

%left COLON 

%left prec_letrec
%left IN

%right SEMICOLON

%left prec_no_else
%left ELSE

%right prec_named
%left COLONEQUAL
%right prec_forall prec_exists
%right ARROW LRARROW
%right OR BARBAR
%right AND AMPAMP
%right NOT
%right prec_if
%left prec_relation EQUAL NOTEQ LT LE GT GE
%left PLUS MINUS
%left TIMES SLASH 
%right uminus
%left prec_app
%left prec_ident
%left LEFTSQ

/* Entry points */

%type  lexpr
%start lexpr
%type  file
%start file
%%

file:
| list1_decl EOF 
   { $1 }
| EOF 
   { [] }
;

list1_decl:
| decl 
   { [$1] }
| decl list1_decl 
   { $1 :: $2 }
;

decl:
| INCLUDE STRING
   { Include (loc_i 2,$2) }
| LET ident EQUAL expr
   { Program (loc_i 2,$2, $4) }
| LET ident binders EQUAL list0_bracket_assertion expr
   { Program (loc_i 2,$2, locate (Slam ($3, $5, force_function_post $6))) }
| LET REC recfun
   { let (loc,p) = $3 in Program (loc,rec_name p, locate p) }
| EXCEPTION ident
   { Exception (loc (), $2, None) }
| EXCEPTION ident OF primitive_type
   { Exception (loc (), $2, Some $4) }
| external_ PARAMETER list1_ident_sep_comma COLON type_v
   { Parameter (loc_i 3, $1, $3, $5) }
| external_ LOGIC list1_ident_sep_comma COLON logic_type
   { Logic (loc_i 3, $1, $3, $5) }
| PREDICATE ident LEFTPAR list0_logic_binder_sep_comma RIGHTPAR EQUAL lexpr
   { Predicate_def (loc (), $2, $4, $7) }
| INDUCTIVE ident COLON logic_type inddefn
   { Inductive_def (loc (), $2, $4, $5) }
| FUNCTION ident LEFTPAR list0_logic_binder_sep_comma RIGHTPAR COLON 
  primitive_type EQUAL lexpr
   { Function_def (loc (), $2, $4, $7, $9) }
| GOAL ident COLON lexpr
   { Goal (loc (), KGoal, $2, $4) }
| AXIOM ident COLON lexpr
   { Goal (loc (), KAxiom, $2, $4) }
| LEMMA ident COLON lexpr
   { Goal (loc (), KLemma, $2, $4) }
| EXTERNAL TYPE typedecl
   { let loc, vl, id = $3 in TypeDecl (loc, true, vl, id) }
| TYPE typedecl typedefn
   { let loc, vl, id = $2 in $3 loc vl id }
;

typedecl:
| ident
    { (loc_i 1, [], $1) }
| type_var ident
    { (loc_i 2, [$1], $2) }
| LEFTPAR type_var COMMA list1_type_var_sep_comma RIGHTPAR ident
    { (loc_i 6, $2 :: $4, $6) }
;

typedefn:
| /* epsilon */
    { fun loc vl id -> TypeDecl (loc, false, vl, id) }
| EQUAL bar_ typecases typecont
    { fun loc vl id -> AlgType ((loc, vl, id, $3) :: $4) }
;

typecont:
| /* epsilon */
    { [] }
| AND typedecl EQUAL bar_ typecases typecont
    { let loc, vl, id = $2 in (loc, vl, id, $5) :: $6 }
;

typecases:
| typecase                { [$1] }
| typecase BAR typecases  { $1::$3 }
;

typecase:
| ident
    { (loc_i 1,$1,[]) }
| ident LEFTPAR list1_primitive_type_sep_comma RIGHTPAR
    { (loc_i 1,$1,$3) }
;

inddefn:
| /* epsilon */       { [] }
| EQUAL bar_ indcases { $3 }
;

indcases:
| indcase               { [$1] }
| indcase BAR indcases  { $1::$3 }
;

indcase:
| ident COLON lexpr { (loc_i 1,$1,$3) }
;

type_v:
| simple_type_v ARROW type_c
   { PVarrow ([Ident.anonymous, $1], $3) }
| ident COLON simple_type_v ARROW type_c
   { PVarrow ([($1, $3)], $5) }
| simple_type_v
   { $1 }
;

simple_type_v:
| primitive_type ARRAY    { PVref (PPTexternal ([$1], Ident.farray, loc_i 2)) }
| primitive_type REF      { PVref $1 }
| primitive_type          { PVpure $1 }
| LEFTPAR type_v RIGHTPAR { $2 }
;

primitive_type:
| INT 
   { PPTint }
| BOOL 
   { PPTbool }
| REAL 
   { PPTreal }
| UNIT 
   { PPTunit }
| type_var 
   { PPTvarid ($1, loc ()) }
| ident 
   { PPTexternal ([], $1, loc ()) }
| primitive_type ident
   { PPTexternal ([$1], $2, loc_i 2) }
| LEFTPAR primitive_type COMMA list1_primitive_type_sep_comma RIGHTPAR ident
   { PPTexternal ($2 :: $4, $6, loc_i 6) }
/*
| LEFTPAR list1_primitive_type_sep_comma RIGHTPAR
   { match $2 with [p] -> p | _ -> raise Parse_error }
*/
;

type_c:
| LEFTB opt_assertion RIGHTB result effects LEFTB opt_post_condition RIGHTB
   { let id,v = $4 in
     { pc_result_name = id; pc_result_type = v;
       pc_effect = $5; pc_pre = list_of_some $2; pc_post = $7 } }
| type_v
   { ptype_c_of_v $1 }
;

result:
| RETURNS ident COLON type_v { $2, $4 }
| type_v                     { Ident.result, $1 }
;

effects:
| opt_reads opt_writes opt_raises
    { { pe_reads = $1; pe_writes = $2; pe_raises = $3 } }
;

opt_reads:
| /* epsilon */               { [] }
| READS list0_ident_sep_comma { $2 }
;

opt_writes:
| /* epsilon */                { [] }
| WRITES list0_ident_sep_comma { $2 }
;

opt_raises:
| /* epsilon */                { [] }
| RAISES list0_ident_sep_comma { $2 }
;

opt_assertion:
| /* epsilon */  { None }
| assertion      { Some $1 }
;

assertion:
| lexpr          
    { { pa_name = Anonymous; pa_value = $1; pa_loc = loc () } }
| lexpr AS ident 
    { { pa_name = Name $3; pa_value = $1; pa_loc = loc () } }
;

opt_post_condition:
| /* epsilon */  { None }
| post_condition { Some $1 }
;

post_condition:
| assertion 
   { $1, [] }
| assertion BAR list1_exn_condition_sep_bar
   { $1, $3 }
| BAR list1_exn_condition_sep_bar
   { Format.eprintf "%awarning: no postcondition; false inserted@\n" 
       Loc.report_position (loc ());
     (* if Options.werror then exit 1; *)
     ({ pa_name = Anonymous; pa_value = mk_pp PPfalse; pa_loc = loc () }, $2) }
;

bracket_assertion:
| LEFTB assertion RIGHTB { $2 }
;

list1_bracket_assertion:
| bracket_assertion                         { [$1] }
| bracket_assertion list1_bracket_assertion { $1 :: $2 }
;

list0_bracket_assertion:
| /* epsilon */           { [] }
| LEFTB RIGHTB            { [] }
| list1_bracket_assertion { $1 }
;

list1_exn_condition_sep_bar:
| exn_condition                                 { [$1] }
| exn_condition BAR list1_exn_condition_sep_bar { $1 :: $3 }
;

exn_condition:
| ident BIGARROW assertion { $1,$3 }
;

logic_type:
| list0_primitive_type_sep_comma ARROW PROP
   { PPredicate $1 }
| PROP
   { PPredicate [] }
| list0_primitive_type_sep_comma ARROW primitive_type
   { PFunction ($1, $3) }
| primitive_type
   { PFunction ([], $1) }
;

list0_primitive_type_sep_comma:
| /* epsilon */                  { [] }
| list1_primitive_type_sep_comma { $1 }
;

list1_primitive_type_sep_comma:
| primitive_type                                      { [$1] }
| primitive_type COMMA list1_primitive_type_sep_comma { $1 :: $3 }
;

list0_logic_binder_sep_comma:
| /* epsilon */                { [] }
| list1_logic_binder_sep_comma { $1 }
;

list1_logic_binder_sep_comma:
| logic_binder                                    { [$1] }
| logic_binder COMMA list1_logic_binder_sep_comma { $1 :: $3 }
;

logic_binder:
| ident COLON primitive_type       
    { (loc_i 1, $1, $3) }
| ident COLON primitive_type ARRAY 
    { (loc_i 1, $1, PPTexternal ([$3], Ident.farray, loc_i 3)) }
;

external_:
| /* epsilon */ { false }
| EXTERNAL      { true  }
;

lexpr:
| lexpr ARROW lexpr 
   { infix_pp $1 PPimplies $3 }
| lexpr LRARROW lexpr 
   { infix_pp $1 PPiff $3 }
| lexpr OR lexpr 
   { infix_pp $1 PPor $3 }
| lexpr AND lexpr 
   { infix_pp $1 PPand $3 }
| NOT lexpr 
   { prefix_pp PPnot $2 }
| lexpr relation lexpr %prec prec_relation
   { infix_pp $1 $2 $3 }
| lexpr PLUS lexpr
   { infix_pp $1 PPadd $3 }
| lexpr MINUS lexpr
   { infix_pp $1 PPsub $3 }
| lexpr TIMES lexpr
   { infix_pp $1 PPmul $3 }
| lexpr SLASH lexpr
   { infix_pp $1 PPdiv $3 }
| MINUS lexpr %prec uminus
   { prefix_pp PPneg $2 }
| qualid_ident
   { mk_pp (PPvar $1) }
| qualid_ident LEFTPAR list1_lexpr_sep_comma RIGHTPAR
   { mk_pp (PPapp ($1, $3)) }
| qualid_ident LEFTSQ lexpr RIGHTSQ
   { mk_pp (PPapp (Ident.access, [mk_pp_i 1 (PPvar $1); $3])) }
| IF lexpr THEN lexpr ELSE lexpr %prec prec_if 
   { mk_pp (PPif ($2, $4, $6)) }
| FORALL list1_ident_sep_comma COLON primitive_type triggers 
  DOT lexpr %prec prec_forall
   { let rec mk = function
       | [] -> assert false
       | [id] -> mk_pp (PPforall (id, $4, $5, $7))
       | id :: l -> mk_pp (PPforall (id, $4, [], mk l))
     in
     mk $2 }
| EXISTS ident COLON primitive_type DOT lexpr %prec prec_exists
   { mk_pp (PPexists ($2, $4, $6)) }
| INTEGER
   { mk_pp (PPconst (ConstInt $1)) }
| FLOAT
   { mk_pp (PPconst (ConstFloat $1)) }
| TRUE
   { mk_pp PPtrue }
| FALSE
   { mk_pp PPfalse }    
| VOID
   { mk_pp (PPconst ConstUnit) }
| LEFTPAR lexpr RIGHTPAR
   { $2 }
| ident_or_string COLON lexpr %prec prec_named
   { mk_pp (PPnamed ($1, $3)) }
| LET ident EQUAL lexpr IN lexpr 
   { mk_pp (PPlet ($2, $4, $6)) }
| MATCH lexpr WITH bar_ match_cases END
   { mk_pp (PPmatch ($2, $5)) }
;

match_cases:
| match_case                  { [$1] }
| match_case BAR match_cases  { $1::$3 }
;

match_case:
| pattern ARROW lexpr { ($1,$3) }
;

pattern:
| ident                                         { ($1, [], loc ()) }
| ident LEFTPAR list1_ident_sep_comma RIGHTPAR  { ($1, $3, loc ()) }
;

triggers:
| /* epsilon */                         { [] }
| LEFTSQ list1_trigger_sep_bar RIGHTSQ  { $2 }
;

list1_trigger_sep_bar:
| trigger                           { [$1] }
| trigger BAR list1_trigger_sep_bar { $1 :: $3 }
;

trigger:
  list1_lexpr_sep_comma { $1 }
;

list1_lexpr_sep_comma:
| lexpr                             { [$1] }
| lexpr COMMA list1_lexpr_sep_comma { $1 :: $3 }
;

relation:
| LT { PPlt }
| LE { PPle }
| GT { PPgt }
| GE { PPge }
| EQUAL { PPeq }
| NOTEQ { PPneq }
;

type_var:
| QUOTE ident { $2 }
;

list1_type_var_sep_comma:
| type_var                                { [$1] }
| type_var COMMA list1_type_var_sep_comma { $1 :: $3 }
;

expr:
| simple_expr %prec prec_simple 
   { $1 }
| ident COLONEQUAL expr
   { locate 
       (Sapp (locate (Sapp (locate (Svar Ident.ref_set), 
			    locate_i 1 (Svar $1))),
	      $3)) }
| ident LEFTSQ expr RIGHTSQ COLONEQUAL expr
   { locate 
       (Sapp (locate 
		(Sapp (locate 
			 (Sapp (locate (Svar Ident.array_set), 
				locate_i 1 (Svar $1))),
			 $3)),
		$6)) }
| IF expr THEN expr ELSE expr
   { locate (Sif ($2, $4, $6)) }
| IF expr THEN expr %prec prec_no_else
   { locate (Sif ($2, $4, locate (Sconst ConstUnit))) }
| WHILE expr DO invariant_variant expr DONE
   { (* syntactic suget for
        try loop { invariant variant } if b then e else raise Exit
        with Exit -> void end *)
     let inv,var = $4 in
     locate 
       (Stry
	  (locate 
	     (Sloop (inv, var, 
		     locate 
		       (Sif ($2, $5,
			     locate (Sraise (exit_exn, None, None)))))),
	     [((exit_exn, None), locate (Sconst ConstUnit))])) }
| IDENT COLON expr
   { locate (Slabel ($1, $3)) }
| LET ident EQUAL expr IN expr
   { locate (Sletin ($2, $4, $6)) }
| LET ident EQUAL REF expr IN expr
   { locate (Sletref ($2, $5, $7)) }
| FUN binders ARROW list0_bracket_assertion expr %prec prec_fun
   { locate (Slam ($2, $4, force_function_post $5)) }
| LET ident binders EQUAL list0_bracket_assertion expr IN expr
   { let b =  force_function_post ~warn:true $6 in
     locate (Sletin ($2, locate (Slam ($3, $5, b)), $8)) }
| LET REC recfun %prec prec_letrec
   { let _loc,p = $3 in locate p }
| LET REC recfun IN expr
   { let _loc,p = $3 in locate (Sletin (rec_name p, locate p, $5)) }
| RAISE ident opt_cast
   { locate (Sraise ($2, None, $3)) }
| RAISE LEFTPAR ident expr RIGHTPAR opt_cast
   { locate (Sraise ($3, Some $4 , $6)) }
| TRY expr WITH bar_ list1_handler_sep_bar END
   { locate (Stry ($2, $5)) }
| ABSURD opt_cast
   { locate (Sabsurd $2) }
| simple_expr list1_simple_expr %prec prec_app
   { locate (app $1 $2) }
| expr BARBAR expr
   { locate (Slazy_or ($1, $3))
     (* let ptrue = locate (Sconst (ConstBool true)) in
     locate (Sif ($1, ptrue, $3)) *) }
| expr AMPAMP expr
   { locate (Slazy_and ($1, $3))
     (* let pf = locate (Sconst (ConstBool false)) in
     locate (Sif ($1, $3, pf)) *) }
| NOT expr
   { locate (Snot $2)
     (* let pf = locate (Sconst (ConstBool false)) in
     let pt = locate (Sconst (ConstBool true)) in
     locate (Sif ($2, pf, pt)) *) }
| expr relation_id expr %prec prec_relation
   { bin_op $2 $1 $3 }
| expr PLUS expr
   { bin_op (loc_i 2, Ident.t_add) $1 $3 }
| expr MINUS expr
   { bin_op (loc_i 2, Ident.t_sub) $1 $3 }
| expr TIMES expr
   { bin_op (loc_i 2, Ident.t_mul) $1 $3 }
| expr SLASH expr
   { bin_op (loc_i 2, Ident.t_div) $1 $3 }
/* disabled (confusion math_div / computer_div
| expr PERCENT expr
   { bin_op (loc_i 2, Ident.t_mod_int) $1 $3 }
*/
| MINUS expr %prec uminus
   { un_op (loc_i 1, Ident.t_neg) $2 }
| expr SEMICOLON expr
   { locate (Sseq ($1, $3)) }
| ASSERT list1_bracket_assertion SEMICOLON expr 
   { locate (Sassert (`ASSERT,$2, $4)) }
| CHECK list1_bracket_assertion SEMICOLON expr 
   { locate (Sassert (`CHECK,$2, $4)) }
| expr LEFTB post_condition RIGHTB
   { locate (Spost ($1, $3, Transparent)) }
| expr LEFTBLEFTB post_condition RIGHTBRIGHTB
   { locate (Spost ($1, $3, Opaque)) }
;

simple_expr:
| ident %prec prec_ident
   { locate (Svar $1) }
| INTEGER
   { locate (Sconst (ConstInt $1)) }
| FLOAT
   { let f = $1 in locate (Sconst (ConstFloat f)) }
| VOID
   { locate (Sconst ConstUnit) }
| TRUE
   { locate (Sconst (ConstBool true)) }
| FALSE
   { locate (Sconst (ConstBool false)) }
| BANG ident
   { locate (Sderef $2) }
| ident LEFTSQ expr RIGHTSQ
   { locate 
       (Sapp (locate (Sapp (locate (Svar Ident.array_get), 
			    locate_i 1 (Svar $1))),
	      $3)) }
| LEFTSQ type_c RIGHTSQ
   { locate (Sany $2) }
| LEFTPAR expr RIGHTPAR
   { $2 }
| BEGIN expr END
   { $2 }
;

list1_simple_expr:
| simple_expr %prec prec_simple { [$1] }
| simple_expr list1_simple_expr { $1 :: $2 }
;

list1_handler_sep_bar:
| handler                           { [$1] }
| handler BAR list1_handler_sep_bar { $1 :: $3 }
;

handler:
| ident ARROW expr       { (($1, None), $3) }
| ident ident ARROW expr { (($1, Some $2), $4) }
;

opt_cast:
| /* epsilon */ { None }
| COLON type_v  { Some $2 }
;

invariant_variant:
| /* epsilon */ { None, None }
| LEFTB opt_invariant RIGHTB { $2, None }
| LEFTB opt_invariant VARIANT variant RIGHTB { $2, Some $4 }
;

opt_invariant:
| /* epsilon */       { None }
| INVARIANT assertion { Some $2 }
;

recfun:
| ident binders COLON type_v opt_variant EQUAL 
  list0_bracket_assertion expr %prec prec_recfun
   { (loc_i 1),Srec ($1, $2, $4, $5, $7, force_function_post $8) }
;

opt_variant:
| LEFTB VARIANT variant RIGHTB { Some $3 } 
| /* epsilon */                { None }
;

variant:
| lexpr FOR ident { ($1, $3) }
| lexpr           { ($1, Ident.t_zwf_zero) }
;

binders:
| list1_binder { List.flatten $1 }
;

list1_binder:
| binder              { [$1] }
| binder list1_binder { $1 :: $2 }
;

binder:
| LEFTPAR RIGHTPAR
   { [Ident.anonymous, PVpure PPTunit] }
| LEFTPAR list1_ident_sep_comma COLON type_v RIGHTPAR 
   { List.map (fun s -> (s, $4)) $2 }
;

relation_id:
| LT    { loc (), Ident.t_lt }
| LE    { loc (), Ident.t_le }
| GT    { loc (), Ident.t_gt }
| GE    { loc (), Ident.t_ge }
| EQUAL { loc (), Ident.t_eq }
| NOTEQ { loc (), Ident.t_neq }
;

ident:
| IDENT { Ident.create $1 }
;

qualid_ident:
| IDENT          { Ident.create $1 }
| IDENT AT       { Ident.at_id (Ident.create $1) "" }
| IDENT AT IDENT { Ident.at_id (Ident.create $1) $3 }
;

list0_ident_sep_comma:
| /* epsilon */         { [] }
| list1_ident_sep_comma { $1 }
;

list1_ident_sep_comma:
| ident                             { [$1] }
| ident COMMA list1_ident_sep_comma { $1 :: $3 }
;

ident_or_string:
| IDENT  { $1 }
| STRING { $1 }
;

bar_:
| /* epsilon */ { () }
| BAR           { () }
;

why-2.34/README0000644000175000017500000000620612311670312011501 0ustar  rtusers**************************************************************************
*                                                                        *
*  The Why platform for program certification                            *
*                                                                        *
*  Copyright (C) 2002-2014                                               *
*                                                                        *
*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *
*    Claude MARCHE, INRIA & Univ. Paris-sud                              *
*    Yannick MOY, Univ. Paris-sud                                        *
*    Romain BARDOU, Univ. Paris-sud                                      *
*                                                                        *
*  Secondary contributors:                                               *
*                                                                        *
*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *
*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *
*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *
*    Sylvie BOLDO, INRIA              (floating-point support)           *
*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *
*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *
*                                                                        *
*  This software is free software; you can redistribute it and/or        *
*  modify it under the terms of the GNU Lesser General Public            *
*  License version 2.1, with the special exception on linking            *
*  described in file LICENSE.                                            *
*                                                                        *
*  This software is distributed in the hope that it will be useful,      *
*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *
*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *
*                                                                        *
**************************************************************************

Why is a certification tool.  It takes annotated programs as input and
outputs proof obligations for the proof assistants PVS and Coq.


DOCUMENTATION
=============

The documentation (a  tutorial and a reference manual)  is enclosed in
the subdirectory doc/.

Various examples can be found in the subdirectory examples/.

Mailing lists: there exist two mailing lists for Why and Caduceus
respectively. To subscribe, you need to send an email to

	why-request@serveur-listes.lri.fr
or	caduceus-request@serveur-listes.lri.fr

with "subscribe your@email" in the mail body. These lists are mainly
used to announce the releases of Why and Caduceus. Emails can be sent
to the list at why@serveur-listes.lri.fr and caduceus@serveur-listes.lri.fr. 
Only the lists members can send emails to the list.

COPYRIGHT
=========

This program is distributed under the GNU GPL. 
See the enclosed file COPYING.


INSTALLATION
============

See the enclosed file INSTALL.
why-2.34/Version0000644000175000017500000000014112311670312012161 0ustar  rtusers# Why/Jessie/Krakatoa version
VERSION=2.34
# Caduceus version (no more maintained)
CVERSION=1.29
why-2.34/examples/0000755000175000017500000000000012311670312012433 5ustar  rtuserswhy-2.34/examples/Makefile0000644000175000017500000000073612311670312014101 0ustar  rtusers
DIRS = misc binary-search bresenham quicksort edit-distance heapsort sqrt kmp \
       selectionsort find quicksort2 maximumsort algo-63-64-65 dijkstra \
       mergesort queens

check: 
	for d in $(DIRS); do make -C $$d check; done

all: 
	for d in $(DIRS); do make -C $$d; done

simplify:
	for d in $(DIRS); do make -C $$d simplify; done

ergo:
	for d in $(DIRS); do make -C $$d ergo; done

clean::
	rm -f */*~ */*.vo

depend::
	for d in $(DIRS); do make -C $$d depend; done
why-2.34/examples/selectionsort/0000755000175000017500000000000012311670312015330 5ustar  rtuserswhy-2.34/examples/selectionsort/Makefile0000644000175000017500000000010012311670312016757 0ustar  rtusers
VO=selection_valid.vo

all: $(VO)

include ../Makefile.common

why-2.34/examples/selectionsort/selection_why.sx0000644000175000017500000005021412311670312020562 0ustar  rtusers(BG_PUSH (FORALL (t i v) (EQ (array_length (store t i v)) (array_length t))))

(BG_PUSH
  ; permut
  (FORALL (t) (EQ (permut t t) |@true|))
  (FORALL (t1 t2) (IMPLIES (EQ (permut t1 t2) |@true|)
			   (EQ (permut t2 t1) |@true|)))
  (FORALL (t1 t2 t3) (IMPLIES (AND (EQ (permut t1 t2) |@true|)
				   (EQ (permut t2 t3) |@true|))
			      (EQ (permut t1 t3) |@true|)))
  (FORALL 
   (t i j) 
   (EQ (permut t (store (store t i (select t j)) j (select t i))) |@true|))
  ; sorted_array
  (FORALL 
   (t i j) 
   (IFF (EQ (sorted_array t i j) |@true|)
	(IMPLIES (<= i j)
		 (FORALL (k) (IMPLIES (AND (<= i k) (< k j))
				      (<= (select t k) (select t (+ k 1))))))))
)

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; selection_po_1, File "selection.mlw", line 13, characters 18-203
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(AND (AND (<= 0 0) (<= 0 (- (array_length t) 1)))
(AND (sorted_array t 0 (- 0 1))
(AND (permutation t t)
(FORALL (k l)
(IMPLIES (AND (<= 0 k) (< k 0))
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(<= (access t k) (access t l))))))))))

;; selection_po_2, File "selection.mlw", line 23, characters 15-151
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (< i (- result 1))
(AND (AND (<= (+ i 1) (+ i 1)) (<= (+ i 1) (array_length t0)))
(AND (AND (<= i i) (< i (array_length t0)))
(FORALL (k)
(IMPLIES (AND (<= i k) (< k (+ i 1))) (<= (access t0 i) (access t0 k))))))))))))))

;; selection_po_3, File "selection.mlw", line 27, characters 6-11
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (< i (- result 1))
(FORALL (j)
(FORALL (min)
(IMPLIES (AND (AND (<= (+ i 1) j) (<= j (array_length t0)))
         (AND (AND (<= i min) (< min (array_length t0)))
         (FORALL (k)
         (IMPLIES (AND (<= i k) (< k j)) (<= (access t0 min) (access t0 k))))))
(FORALL (result0)
(IMPLIES (EQ result0 (array_length t0))
(IMPLIES (< j result0) (AND (<= 0 j) (< j (array_length t0)))))))))))))))))

;; selection_po_4, File "selection.mlw", line 27, characters 14-21
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (< i (- result 1))
(FORALL (j)
(FORALL (min)
(IMPLIES (AND (AND (<= (+ i 1) j) (<= j (array_length t0)))
         (AND (AND (<= i min) (< min (array_length t0)))
         (FORALL (k)
         (IMPLIES (AND (<= i k) (< k j)) (<= (access t0 min) (access t0 k))))))
(FORALL (result0)
(IMPLIES (EQ result0 (array_length t0))
(IMPLIES (< j result0)
(IMPLIES (AND (<= 0 j) (< j (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 j))
(AND (<= 0 min) (< min (array_length t0))))))))))))))))))))

;; selection_po_5, File "selection.mlw", line 23, characters 15-151
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (< i (- result 1))
(FORALL (j)
(FORALL (min)
(IMPLIES (AND (AND (<= (+ i 1) j) (<= j (array_length t0)))
         (AND (AND (<= i min) (< min (array_length t0)))
         (FORALL (k)
         (IMPLIES (AND (<= i k) (< k j)) (<= (access t0 min) (access t0 k))))))
(FORALL (result0)
(IMPLIES (EQ result0 (array_length t0))
(IMPLIES (< j result0)
(IMPLIES (AND (<= 0 j) (< j (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 j))
(IMPLIES (AND (<= 0 min) (< min (array_length t0)))
(FORALL (result2)
(IMPLIES (EQ result2 (access t0 min))
(IMPLIES (< result1 result2)
(FORALL (min0)
(IMPLIES (EQ min0 j)
(FORALL (j0)
(IMPLIES (EQ j0 (+ j 1))
(AND (AND (<= (+ i 1) j0) (<= j0 (array_length t0)))
(AND (AND (<= i min0) (< min0 (array_length t0)))
(FORALL (k)
(IMPLIES (AND (<= i k) (< k j0)) (<= (access t0 min0) (access t0 k)))))))))))))))))))))))))))))))

;; selection_po_6, File "selection.mlw", line 26, characters 20-39
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (< i (- result 1))
(FORALL (j)
(FORALL (min)
(IMPLIES (AND (AND (<= (+ i 1) j) (<= j (array_length t0)))
         (AND (AND (<= i min) (< min (array_length t0)))
         (FORALL (k)
         (IMPLIES (AND (<= i k) (< k j)) (<= (access t0 min) (access t0 k))))))
(FORALL (result0)
(IMPLIES (EQ result0 (array_length t0))
(IMPLIES (< j result0)
(IMPLIES (AND (<= 0 j) (< j (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 j))
(IMPLIES (AND (<= 0 min) (< min (array_length t0)))
(FORALL (result2)
(IMPLIES (EQ result2 (access t0 min))
(IMPLIES (< result1 result2)
(FORALL (min0)
(IMPLIES (EQ min0 j)
(FORALL (j0)
(IMPLIES (EQ j0 (+ j 1))
(AND (<= 0 (- (array_length t0) j))
(< (- (array_length t0) j0) (- (array_length t0) j))))))))))))))))))))))))))))

;; selection_po_7, File "selection.mlw", line 23, characters 15-151
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (< i (- result 1))
(FORALL (j)
(FORALL (min)
(IMPLIES (AND (AND (<= (+ i 1) j) (<= j (array_length t0)))
         (AND (AND (<= i min) (< min (array_length t0)))
         (FORALL (k)
         (IMPLIES (AND (<= i k) (< k j)) (<= (access t0 min) (access t0 k))))))
(FORALL (result0)
(IMPLIES (EQ result0 (array_length t0))
(IMPLIES (< j result0)
(IMPLIES (AND (<= 0 j) (< j (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 j))
(IMPLIES (AND (<= 0 min) (< min (array_length t0)))
(FORALL (result2)
(IMPLIES (EQ result2 (access t0 min))
(IMPLIES (>= result1 result2)
(FORALL (j0)
(IMPLIES (EQ j0 (+ j 1))
(AND (AND (<= (+ i 1) j0) (<= j0 (array_length t0)))
(AND (AND (<= i min) (< min (array_length t0)))
(FORALL (k)
(IMPLIES (AND (<= i k) (< k j0)) (<= (access t0 min) (access t0 k)))))))))))))))))))))))))))))

;; selection_po_8, File "selection.mlw", line 26, characters 20-39
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (< i (- result 1))
(FORALL (j)
(FORALL (min)
(IMPLIES (AND (AND (<= (+ i 1) j) (<= j (array_length t0)))
         (AND (AND (<= i min) (< min (array_length t0)))
         (FORALL (k)
         (IMPLIES (AND (<= i k) (< k j)) (<= (access t0 min) (access t0 k))))))
(FORALL (result0)
(IMPLIES (EQ result0 (array_length t0))
(IMPLIES (< j result0)
(IMPLIES (AND (<= 0 j) (< j (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 j))
(IMPLIES (AND (<= 0 min) (< min (array_length t0)))
(FORALL (result2)
(IMPLIES (EQ result2 (access t0 min))
(IMPLIES (>= result1 result2)
(FORALL (j0)
(IMPLIES (EQ j0 (+ j 1))
(AND (<= 0 (- (array_length t0) j))
(< (- (array_length t0) j0) (- (array_length t0) j))))))))))))))))))))))))))

;; selection_po_9, File "selection.mlw", line 31, characters 9-16
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (< i (- result 1))
(FORALL (j)
(FORALL (min)
(IMPLIES (AND (AND (<= (+ i 1) j) (<= j (array_length t0)))
         (AND (AND (<= i min) (< min (array_length t0)))
         (FORALL (k)
         (IMPLIES (AND (<= i k) (< k j)) (<= (access t0 min) (access t0 k))))))
(FORALL (result0)
(IMPLIES (EQ result0 (array_length t0))
(IMPLIES (>= j result0) (AND (<= 0 min) (< min (array_length t0)))))))))))))))))

;; selection_po_10, File "selection.mlw", line 31, characters 37-42
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (< i (- result 1))
(FORALL (j)
(FORALL (min)
(IMPLIES (AND (AND (<= (+ i 1) j) (<= j (array_length t0)))
         (AND (AND (<= i min) (< min (array_length t0)))
         (FORALL (k)
         (IMPLIES (AND (<= i k) (< k j)) (<= (access t0 min) (access t0 k))))))
(FORALL (result0)
(IMPLIES (EQ result0 (array_length t0))
(IMPLIES (>= j result0)
(IMPLIES (AND (<= 0 min) (< min (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 min)) (AND (<= 0 i) (< i (array_length t0))))))))))))))))))))

;; selection_po_11, File "selection.mlw", line 31, characters 44-54
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (< i (- result 1))
(FORALL (j)
(FORALL (min)
(IMPLIES (AND (AND (<= (+ i 1) j) (<= j (array_length t0)))
         (AND (AND (<= i min) (< min (array_length t0)))
         (FORALL (k)
         (IMPLIES (AND (<= i k) (< k j)) (<= (access t0 min) (access t0 k))))))
(FORALL (result0)
(IMPLIES (EQ result0 (array_length t0))
(IMPLIES (>= j result0)
(IMPLIES (AND (<= 0 min) (< min (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 min))
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result2)
(IMPLIES (EQ result2 (access t0 i))
(IMPLIES (AND (<= 0 min) (< min (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 min result2))
(AND (<= 0 i) (< i (array_length t1))))))))))))))))))))))))))

;; selection_po_12, File "selection.mlw", line 13, characters 18-203
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (< i (- result 1))
(FORALL (j)
(FORALL (min)
(IMPLIES (AND (AND (<= (+ i 1) j) (<= j (array_length t0)))
         (AND (AND (<= i min) (< min (array_length t0)))
         (FORALL (k)
         (IMPLIES (AND (<= i k) (< k j)) (<= (access t0 min) (access t0 k))))))
(FORALL (result0)
(IMPLIES (EQ result0 (array_length t0))
(IMPLIES (>= j result0)
(IMPLIES (AND (<= 0 min) (< min (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 min))
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result2)
(IMPLIES (EQ result2 (access t0 i))
(IMPLIES (AND (<= 0 min) (< min (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 min result2))
(IMPLIES (AND (<= 0 i) (< i (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 i result1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(AND (AND (<= 0 i0) (<= i0 (- (array_length t2) 1)))
(AND (sorted_array t2 0 (- i0 1))
(AND (permutation t2 t)
(FORALL (k l)
(IMPLIES (AND (<= 0 k) (< k i0))
(IMPLIES (AND (<= i0 l) (< l (array_length t2)))
(<= (access t2 k) (access t2 l))))))))))))))))))))))))))))))))))))

;; selection_po_13, File "selection.mlw", line 17, characters 9-28
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (< i (- result 1))
(FORALL (j)
(FORALL (min)
(IMPLIES (AND (AND (<= (+ i 1) j) (<= j (array_length t0)))
         (AND (AND (<= i min) (< min (array_length t0)))
         (FORALL (k)
         (IMPLIES (AND (<= i k) (< k j)) (<= (access t0 min) (access t0 k))))))
(FORALL (result0)
(IMPLIES (EQ result0 (array_length t0))
(IMPLIES (>= j result0)
(IMPLIES (AND (<= 0 min) (< min (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 min))
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result2)
(IMPLIES (EQ result2 (access t0 i))
(IMPLIES (AND (<= 0 min) (< min (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 min result2))
(IMPLIES (AND (<= 0 i) (< i (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 i result1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(AND (<= 0 (- (array_length t0) i))
(< (- (array_length t2) i0) (- (array_length t0) i)))))))))))))))))))))))))))))))

;; selection_po_14, File "selection.mlw", line 36, characters 4-64
(FORALL (t)
(IMPLIES (>= (array_length t) 1)
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i) (<= i (- (array_length t0) 1)))
         (AND (sorted_array t0 0 (- i 1))
         (AND (permutation t0 t)
         (FORALL (k l)
         (IMPLIES (AND (<= 0 k) (< k i))
         (IMPLIES (AND (<= i l) (< l (array_length t0)))
         (<= (access t0 k) (access t0 l))))))))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (>= i (- result 1))
(AND (sorted_array t0 0 (- (array_length t0) 1)) (permutation t0 t))))))))))

why-2.34/examples/selectionsort/selection.mlw0000644000175000017500000000221312311670312020034 0ustar  rtusers
include "arrays.why"

(** Selection sort *)

parameter t : int array

let selection () =
  { array_length(t) >= 1 }
  begin
    init:
    let i = ref 0 in
    while !i < (array_length_ t)-1 do
      (* t[0..i-1] is already sorted *)
      { invariant 0 <= i <= array_length(t)-1 and
	          sorted_array(t, 0, i-1) and permutation(t, t@init) and
	          forall k,l:int. 0 <= k < i ->
		    i <= l < array_length(t) -> t[k] <= t[l]
	variant array_length(t) - i }
      (* we look for the minimum of t[i..n-1] *)
      let min = ref !i in 
      let j = ref !i + 1 in
      begin
	while !j < (array_length_ t) do
	  { invariant i+1 <= j <= array_length(t) and 
	              i <= min < array_length(t) and
	              forall k:int. i <= k < j -> t[min] <= t[k]
            variant array_length(t) - j }
	  if t[!j] < t[!min] then min := !j;
	  j := !j + 1
	done;
	(* we swap t[i] and t[min] *)
	let w = t[!min] in begin t[!min] := t[!i]; t[!i] := w end
      end;
      i := !i + 1
    done
  end
  { sorted_array(t, 0, array_length(t)-1) and permutation(t, t@) }

(*
Local Variables: 
compile-command: "gwhy-bin -split-user-conj selection.mlw"
End: 
*)
why-2.34/examples/selectionsort/.depend0000644000175000017500000000020512311670312016565 0ustar  rtusersselection_valid.vo: selection_valid.v ../../lib/coq/Why.vo ./selection_why.vo
selection_why.vo: selection_why.v ../../lib/coq/Why.vo
why-2.34/examples/selectionsort/selection_why.v0000644000175000017500000001437312311670312020403 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Import Omega.

Proof.
unfold sorted_array; intuition.
Save.

Proof.
intuition.
assert (h: k = i).
 omega.
subst result k; omega.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
assert (h: (k < j) \/ k = j).
 omega.
 intuition.
apply Zle_trans with (access t0 min).
subst min0; omega.
auto with *.
subst min0 k; omega.
Save.

Proof.
intuition.
assert (h: (k < j) \/ k = j).
 omega.
 intuition.
subst k; omega.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
ArraySubst t1.
Save.

Proof.
intuition.
ArraySubst t2.
ArraySubst t1.
assert (h: i = 0%Z \/ (0 < i)).
 omega.
 intuition.
replace (i0 - 1)%Z with 0%Z.
unfold sorted_array; intros; omega.
omega.
replace (i0 - 1)%Z with (i - 1 + 1)%Z.
apply right_extension.
omega.
ArraySubst t2.
ArraySubst t1.
apply sorted_array_id with t0.
assumption.
unfold array_id; intros.
subst t2; do 2 AccessOther.
replace (i - 1 + 1)%Z with i.
subst t2 t1; do 2 AccessOther.
subst result1.
auto with *.
omega.
omega.
apply permut_trans with t0.
subst t2; subst t1; subst result1 result2.
apply exchange_is_permut with min i; auto with *.
assumption.
assert (h: k = i \/ (k < i)).
 omega.
 intuition.
subst k.
subst t2.
AccessSame.
AccessOther.
subst t1.
assert (h: l = min \/ min <> l).
 omega.
 intuition.
subst l; AccessSame.
subst result1 result2; auto with *.
assert (h: l < array_length (update (update t0 min result2) i result1)).
assumption.
do 2 rewrite array_length_update in h.
AccessOther.
subst.
auto with *.
ArraySubst t1.
assert (h: i < array_length (update t0 min result2)). assumption.
rewrite array_length_update in h.
assert (h': l < array_length (update (update t0 min result2) i result1)). assumption.
do 2 rewrite array_length_update in h'.
omega.
subst.
AccessOther.
AccessOther.
AccessOther.
assert (h: l < array_length (update (update t0 min (access t0 i)) i (access t0 min))). assumption.
do 2 rewrite array_length_update in h.
assert (l = min \/ min <> l).
 omega.
 intuition.
subst l; AccessSame.
auto with *.
AccessOther.
auto with *.
assert (h: l < array_length (update (update t0 min (access t0 i)) i (access t0 min))). assumption.
do 2 rewrite array_length_update in h.
omega.
subst t2 t1; simpl; unfold Zwf; omega.
Save.

Proof.
intuition.
assert (i=0 \/ 0Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A106:Set) (a1:(array A106)) (a2:(array A106)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A115:Set) (a1:(array A115)) (a2:(array A115))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

why-2.34/examples/dijkstra/0000755000175000017500000000000012311670312014246 5ustar  rtuserswhy-2.34/examples/dijkstra/Makefile0000644000175000017500000000020712311670312015705 0ustar  rtusersWHY=../../bin/why.opt
VO=dijkstra_valid.vo

dijkstra_why.v: dijkstra.why
	$(WHY) --coq -split-user-conj $^

include ../Makefile.common
why-2.34/examples/dijkstra/dijkstra_why.v0000644000175000017500000002544112311670312017145 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export Why.

(*Why type*) Definition set: Set ->Set.
Admitted.

(*Why logic*) Definition set_empty : forall (A1:Set), (set A1).
Admitted.
Set Contextual Implicit.
Implicit Arguments set_empty.
Unset Contextual Implicit.

(*Why logic*) Definition set_add :
  forall (A1:Set), A1 -> (set A1) -> (set A1).
Admitted.
Implicit Arguments set_add.

(*Why logic*) Definition set_rmv :
  forall (A1:Set), A1 -> (set A1) -> (set A1).
Admitted.
Implicit Arguments set_rmv.

(*Why logic*) Definition In : forall (A1:Set), A1 -> (set A1) -> Prop.
Admitted.
Implicit Arguments In.

(*Why predicate*) Definition Is_empty (A158:Set) (s:(set A158))
  := (forall (x:A158), ~(In x s)).
Implicit Arguments Is_empty.

(*Why predicate*) Definition Incl (A159:Set) (s1:(set A159)) (s2:(set A159))
  := (forall (x:A159), ((In x s1) -> (In x s2))).
Implicit Arguments Incl.

(*Why axiom*) Lemma set_empty_def :
  forall (A1:Set), (Is_empty (@set_empty A1)).
Admitted.

(*Why axiom*) Lemma set_add_def :
  forall (A1:Set),
  (forall (x:A1),
   (forall (y:A1),
    (forall (s:(set A1)), ((In x (set_add y s)) <-> x = y \/ (In x s))))).
Admitted.

(*Why axiom*) Lemma set_rmv_def :
  forall (A1:Set),
  (forall (x:A1),
   (forall (y:A1),
    (forall (s:(set A1)), ((In x (set_rmv y s)) <-> ~(x = y) /\ (In x s))))).
Admitted.

(*Why logic*) Definition set_card : forall (A1:Set), (set A1) -> Z.
Admitted.
Implicit Arguments set_card.

(*Why axiom*) Lemma card_nonneg :
  forall (A1:Set), (forall (s:(set A1)), (set_card s) >= 0).
Admitted.

(*Why axiom*) Lemma card_set_add :
  forall (A1:Set),
  (forall (x:A1),
   (forall (s:(set A1)),
    (~(In x s) -> (set_card (set_add x s)) = (1 + (set_card s))))).
Admitted.

(*Why axiom*) Lemma card_set_rmv :
  forall (A1:Set),
  (forall (x:A1),
   (forall (s:(set A1)),
    ((In x s) -> (set_card s) = (1 + (set_card (set_rmv x s)))))).
Admitted.


(*Why axiom*) Lemma card_Incl :
  forall (A1:Set),
  (forall (s1:(set A1)),
   (forall (s2:(set A1)), ((Incl s1 s2) -> (set_card s1) <= (set_card s2)))).
Admitted.

(*Why type*) Definition map: Set -> Set ->Set.
Admitted.

(*Why logic*) Definition map_get :
  forall (A1:Set), forall (A2:Set), (map A2 A1) -> A2 -> A1.
Admitted.
Implicit Arguments map_get.

(*Why logic*) Definition map_set :
  forall (A1:Set), forall (A2:Set), (map A1 A2) -> A1 -> A2 -> (map A1 A2).
Admitted.
Implicit Arguments map_set.

(*Why axiom*) Lemma map_get_set_eq :
  forall (A1:Set), forall (A2:Set),
  (forall (m:(map A1 A2)),
   (forall (i:A1), (forall (v:A2), (map_get (map_set m i v) i) = v))).
Admitted.

(*Why axiom*) Lemma map_get_set_neq :
  forall (A1:Set), forall (A2:Set),
  (forall (m:(map A1 A2)),
   (forall (i:A1),
    (forall (j:A1),
     (forall (v:A2),
      (~(i = j) -> (map_get (map_set m i v) j) = (map_get m j)))))).
Admitted.

(*Why type*) Definition vertex: Set.
Admitted.

Axiom vertex_eq_dec : forall x y : vertex, {x=y}+{~x=y}.

(*Why logic*) Definition V : (set vertex).
Admitted.

(*Why logic*) Definition g_succ : vertex -> (set vertex).
Admitted.

(*Why axiom*) Lemma g_succ_sound : (forall (x:vertex), (Incl (g_succ x) V)).
Admitted.

(*Why logic*) Definition weight : vertex -> vertex -> Z.
Admitted.

(*Why axiom*) Lemma weight_nonneg :
  (forall (x:vertex), (forall (y:vertex), (weight x y) >= 0)).
Admitted.

(*Why predicate*) Definition Min  (m:vertex) (Q:(set vertex)) (d:(map vertex Z))
  := (In m Q) /\
     (forall (x:vertex), ((In x Q) -> (map_get d x) <= (map_get d m))).

(*Why logic*) Definition path : vertex -> vertex -> Z -> Prop.
Admitted.

(*Why axiom*) Lemma path_nil : (forall (x:vertex), (path x x 0)).
Admitted.

(*Why axiom*) Lemma path_cons :
  (forall (x:vertex),
   (forall (y:vertex),
    (forall (z:vertex),
     (forall (d:Z),
      ((path x y d) -> ((In z (g_succ y)) -> (path x z (d + (weight y z))))))))).
Admitted.

(*Why axiom*) Lemma length_nonneg :
  (forall (x:vertex),
   (forall (y:vertex), (forall (d:Z), ((path x y d) -> d >= 0)))).
Admitted.

(*Why predicate*) Definition shortest_path  (x:vertex) (y:vertex) (d:Z)
  := (path x y d) /\ (forall (d':Z), ((path x y d') -> d <= d')).

(*Why axiom*) Lemma path_inversion :
  (forall (src:vertex),
   (forall (v:vertex),
    (forall (d:Z),
     ((path src v d) -> v = src /\ d = 0 \/
      (exists v':vertex, (path src v' (d - (weight v' v))) /\
       (In v (g_succ v'))))))).
Admitted.

(*Why axiom*) Lemma path_shortest_path :
  (forall (src:vertex),
   (forall (v:vertex),
    (forall (d:Z),
     ((path src v d) -> (exists d':Z, (shortest_path src v d') /\ d' <= d))))).
Admitted.

(*Why axiom*) Lemma main_lemma :
  (forall (src:vertex),
   (forall (v:vertex),
    (forall (d:Z),
     ((path src v d) ->
      (~(shortest_path src v d) ->
       (exists v':vertex,
        (exists d':Z, (shortest_path src v' d') /\ (In v (g_succ v')) /\
         (d' + (weight v' v)) < d))))))).
Admitted.

(*Why axiom*) Lemma completeness_lemma :
  (forall (s:(set vertex)),
   (forall (src:vertex),
    (forall (dst:vertex),
     (forall (d:Z),
      ((forall (v:vertex),
        ((In v s) -> (forall (w:vertex), ((In w (g_succ v)) -> (In w s))))) ->
       ((In src s) -> ((path src dst d) -> (In dst s)))))))).
Admitted.



(*Why predicate*) Definition Inv_src  (src:vertex) (S:(set vertex)) (Q:(set vertex))
  := (In src S) \/ (In src Q).

(*Why predicate*) Definition Inv  (src:vertex) (S:(set vertex)) (Q:(set vertex)) (d:(map vertex Z))
  := (Inv_src src S Q) /\ (Incl S V) /\ (Incl Q V) /\
     (forall (v:vertex), ((In v Q) -> ((In v S) -> False))) /\
     (forall (v:vertex), ((In v S) -> (shortest_path src v (map_get d v)))) /\
     (forall (v:vertex), ((In v Q) -> (path src v (map_get d v)))) /\
     (forall (m:vertex),
      ((Min m Q d) ->
       (forall (x:vertex),
        (forall (dx:Z),
         ((shortest_path src x dx) -> (dx < (map_get d m) -> (In x S))))))).

(*Why predicate*) Definition InvSucc  (src:vertex) (S:(set vertex)) (Q:(set vertex))
  := (forall (x:vertex),
      ((In x S) ->
       (forall (y:vertex), ((In y (g_succ x)) -> (In y S) \/ (In y Q))))).


(*Why predicate*) Definition InvSucc2  (src:vertex) (S:(set vertex)) (Q:(set vertex)) (u:vertex) (su:(set vertex))
  := (forall (x:vertex),
      ((In x S) ->
       (forall (y:vertex),
        ((In y (g_succ x)) ->
         (~(x = u) \/ x = u /\ ~(In y su) -> (In y S) \/ (In y Q)))))).

Proof.
unfold Inv,Inv_src; intuition.
right; subst Q.
generalize (set_add_def _ src src set_empty); intuition.
unfold Incl; intros.
subst S; generalize (set_empty_def _ x); unfold Is_empty; intuition.
unfold Incl; intros.
subst Q; generalize (set_add_def _ x src set_empty); intuition.
subst x; auto.
generalize (set_empty_def _ x); unfold Is_empty; intuition.
subst S; generalize (set_empty_def _ v); unfold Is_empty; intuition.
(* sp *)
subst d0.
assert (v = src).
subst S; generalize (set_add_def _ v src set_empty); intuition.
generalize (set_empty_def _ v); unfold Is_empty; intuition.
subst v; rewrite map_get_set_eq.
unfold shortest_path; intuition.
apply path_nil.
apply Zge_le.
apply length_nonneg with src src; auto.
subst Q; generalize (set_add_def _ v src set_empty); intuition.
subst d0 v; rewrite map_get_set_eq.
apply path_nil.
generalize (set_empty_def _ v); unfold Is_empty; intuition.
unfold Min in H2; destruct H2.
(* In x S *)
assert (m = src).
subst Q; generalize (set_add_def _ m src set_empty); intuition.
generalize (set_empty_def _ m); unfold Is_empty; intuition.
subst m.
assert (dx >= 0).
apply length_nonneg with src x.
red in H5; intuition.
subst d0; rewrite map_get_set_eq in H6.
absurd (dx < 0); omega.
Qed.

Proof.
(* FILL PROOF HERE *)
Admitted.

Proof.
(* FILL PROOF HERE *)
Admitted.

Proof.
intros; red; intro hv.
assert (In v S0).
apply (completeness_lemma S0 src v dv).
unfold Inv,InvSucc in *|-*; intuition.
destruct (H4 v0 H11 w H13).
auto.
unfold Is_empty in HW_4; absurd (In w Q0); intuition.
eauto.
unfold Inv,Inv_src in *|-*; intuition.
unfold Is_empty in HW_4; absurd (In src Q0); intuition.
eauto.
auto.
intuition.
Qed.

Proof.
(****
  unfold Inv; intuition.
  generalize (H8 result H9); clear H8.
  unfold Min in H9; red; intuition.
  assert (case : fst result = src \/ fst result <> src). omega.  destruct case.
  destruct result as (v,d).
  subst src.
  generalize (H7 d H12); clear H7; destruct 1.
  elim (HW_9 H7).
  simpl; subst d.
  apply Zge_le. apply length_nonneg with v v; assumption.
 (* v <> src *)
 destruct result as (v,d); simpl in *|-*.
  destruct (path_inversion _ _ _ H9); intuition.
  destruct H15 as (v',(hv'1,hv'2)).
  assert (case : d' < d \/ d <= d'). omega. intuition.
  generalize (path_shortest_path _ _ _ hv'1); intros (d'',(h''1,h''2)).
  assert (In v' visited0).
  apply H8 with d''; auto.
  assert (weight v' v >= 0).
  apply weight_nonneg.
 omega.
  generalize (H10 v' v H16 hv'2); intuition.
  assert (h := H18 d'' h''1).
  pose (H13 _ h).
  simpl in z. omega.
Save.
***)
Admitted.

Proof.
(***
  unfold Inv; intuition; subst dst.
  assumption.
Save.
***)
Admitted.

Proof.
  unfold InvSucc,InvSucc2; intuition.
  assert (In x S0).
  generalize (set_add_def _ x result S0); subst S1; intuition.
  destruct (H5 x H10 y H9); intuition.
  left; subst S1; generalize (set_add_def _ y result S0); intuition.
  destruct (vertex_eq_dec y result).
  subst y S1; left.
  generalize (set_add_def _ result result S0); intuition.
  right; generalize (set_rmv_def _ y result Q0); subst Q1; intuition.
  


(*********
  unfold Inv, Min, MinNotVisited; intuition.
  unfold Inv_src in *|-*; intuition.
  destruct (vertex_eq_dec (fst result) src); intuition.  
  subst src; intuition.
  assert (pair src 0 <> result).
  red; intros; apply n.
  subst result; auto.
  right. generalize (set_rmv_def _ (pair src 0) result pq1); subst pq2; intuition.

  assert (In e pq1). generalize (set_rmv_def _ e result pq1); subst pq2; intuition. 
  intuition.

  assert (m <> result). intuition.
  subst m; intuition.
  assert (In m pq1). generalize (set_rmv_def _ m result pq1); subst pq2; intuition.
  apply (H8 m) with d; intuition.
  apply H14; intuition.
  assert (x0 <> result).
  intuition. subst x0; intuition.
  generalize (set_rmv_def _ x0 result pq1); subst pq2; intuition.
Save.
***************)


Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

why-2.34/examples/dijkstra/dijkstra.why0000644000175000017500000001555612311670312016626 0ustar  rtusers
(* finite sets *)

type 'a set
logic set_empty : 'a set
logic set_add : 'a, 'a set -> 'a set
logic set_rmv : 'a, 'a set -> 'a set

logic In : 'a, 'a set -> prop
predicate Is_empty(s : 'a set) = forall x:'a. not In(x, s)
predicate Incl(s1 : 'a set, s2 : 'a set) = forall x:'a. In(x, s1) -> In(x, s2)

axiom set_empty_def : Is_empty(set_empty)

axiom set_add_def : 
  forall x:'a. forall y:'a. forall s:'a set. 
  In(x, set_add(y,s)) <-> (x = y or In(x, s))
axiom set_rmv_def :
  forall x:'a. forall y:'a. forall s:'a set. 
  In(x, set_rmv(y,s)) <-> (x <> y and In(x, s))

logic set_card : 'a set -> int

axiom card_nonneg : 
  forall s:'a set. set_card(s) >= 0

axiom card_set_add : 
  forall x:'a. forall s:'a set. 
  not In(x,s) -> set_card(set_add(x,s)) = 1 + set_card(s)

axiom card_set_rmv : 
  forall x:'a. forall s:'a set. 
  In(x,s) -> set_card(s) = 1 + set_card(set_rmv(x, s))

axiom card_Incl :
  forall s1,s2 : 'a set. Incl(s1,s2) -> set_card(s1) <= set_card(s2)

(* iteration on a set *)

parameter set_has_next : 
  s:'a set ref -> 
    {} bool reads s { if result then Is_empty(s) else not Is_empty(s) }

parameter set_next :
  s:'a set ref -> 
  { not Is_empty(s) } 'a writes s { In(result,s@) and s = set_rmv(result,s@) }

(* maps *)

type ('a, 'b) map

logic map_get : ('a,'b) map, 'a -> 'b
logic map_set : ('a,'b) map, 'a, 'b -> ('a, 'b) map

axiom map_get_set_eq :
  forall m : ('a,'b) map . forall i : 'a. forall v : 'b.
  map_get(map_set(m,i,v), i) = v

axiom map_get_set_neq : 
  forall m : ('a, 'b) map. forall i : 'a. forall j : 'a. forall v : 'b.
  i <> j -> map_get(map_set(m,i,v), j) = map_get(m,j)

(* graph *)

type vertex

logic V : vertex set

logic g_succ : vertex -> vertex set

axiom g_succ_sound : 
  forall x:vertex. Incl(g_succ(x), V)

logic weight : vertex, vertex -> int (* edge weight, if there is an edge *)

axiom weight_nonneg : forall x,y:vertex. weight(x,y) >= 0

parameter eq_vertex : 
  x:vertex -> y:vertex -> {} bool { if result then x=y else x<>y }

(* visited vertices *)

parameter S : vertex set ref

parameter S_add : 
  x:vertex -> {} unit writes S { S = set_add(x, S@) }

(* current distances *)

parameter d : (vertex, int) map ref

(* priority queue *)

parameter Q : vertex set ref

parameter Q_is_empty : 
  unit -> 
    {} bool reads Q { if result then Is_empty(Q) else not Is_empty(Q) }

parameter init :
  src:vertex ->
    {} 
    unit writes S,Q,d 
    { Is_empty(S) and 
      Q = set_add(src, set_empty) and 
      d = map_set(d@, src, 0)  }

parameter relax :
  u:vertex -> v:vertex -> 
    {} 
    unit reads S writes d,Q 
    { (In(v,S) and Q = Q@ and d = d@) 
      or
      (In(v,Q) and map_get(d,u) + weight(u,v) >= map_get(d,v) and 
        Q = Q@ and d = d@) 
      or	
      (In(v,Q) and map_get(d,u) + weight(u,v) < map_get(d,v) and 
        Q = Q@ and d = map_set(d@, v, map_get(d,u) + weight(u,v)))
      or
      (not In(v,S) and not In(v,Q) and Q = set_add(v,Q@) and
        d = map_set(d@, v, map_get(d,u) + weight(u,v))) }	

predicate Min(m:vertex, Q:vertex set, d:(vertex, int) map) =
  In(m, Q) and forall x:vertex. In(x, Q) -> map_get(d,x) <= map_get(d,m)

parameter Q_extract_min :
  unit ->
    { not Is_empty(Q) } 
    vertex reads d writes Q 
    { Min(result, Q@, d) and Q = set_rmv(result, Q@) }

(* paths and shortest paths 
   path(x,y,d) = 
	there is a path from x to y of length d
   shortest_path(x,y,d) = 
	there is a path from x to y of length d, and no shorter path *)

logic path : vertex, vertex, int -> prop 

axiom path_nil : 
  forall x:vertex. path(x,x,0)

axiom path_cons : 
  forall x,y,z:vertex. forall d:int. 
    path(x,y,d) -> In(z,g_succ(y)) -> path(x,z,d+weight(y,z))

axiom length_nonneg : forall x,y:vertex. forall d:int. path(x,y,d) -> d >= 0

predicate shortest_path(x:vertex, y:vertex, d:int) =
  path(x,y,d) and forall d':int. path(x,y,d') -> d <= d'

axiom path_inversion :
  forall src,v:vertex. forall d:int. path(src,v,d) ->
    (v = src and d = 0) or
    (exists v':vertex. path(src,v',d - weight(v',v)) and In(v,g_succ(v')))

axiom path_shortest_path :
  forall src,v:vertex. forall d:int. path(src,v,d) ->
    exists d':int. shortest_path(src,v,d') and d' <= d

(* lemmas (those requiring induction) *)

axiom main_lemma :
  forall src,v:vertex. forall d:int. 
  path(src,v,d) -> not shortest_path(src,v,d) ->
    exists v':vertex. exists d':int. 
      shortest_path(src,v',d') and In(v,g_succ(v')) and d' + weight(v',v) < d

axiom completeness_lemma :
  forall s:vertex set. forall src:vertex. forall dst:vertex. forall d:int. 
    (* if s is closed under g_succ *)
    (forall v:vertex. In(v,s) -> forall w:vertex. In(w,g_succ(v)) -> In(w,s))
    ->
    (* and if s contains src *)
    In(src, s) -> 
    (* then any vertex reachable from s is also in s *)
    path(src, dst, d) -> In(dst, s)

(* definitions used in loop invariants *)

predicate Inv_src(src:vertex, S:vertex set, Q:vertex set) =
  In(src,S) or In(src,Q)

predicate Inv(src:vertex, S:vertex set, Q:vertex set, d:(vertex,int) map) =
  Inv_src(src, S, Q)
  (* S,Q are contained in V *)
  and Incl(S,V) and Incl(Q,V)
  (* S and Q are disjoint *)
  and 
  (forall v:vertex. In(v,Q) -> In(v,S) -> false)
  (* we already found the shortest paths for vertices in S *)
  and
  (forall v:vertex. In(v,S) -> shortest_path(src,v,map_get(d,v)))
  (* there are paths for vertices in Q *)
  and
  (forall v:vertex. In(v,Q) -> path(src,v,map_get(d,v)))
  (* vertices at distance < min(Q) are already in S *)
  and
  (forall m:vertex. Min(m,Q,d) -> 
     forall x:vertex. forall dx:int. shortest_path(src,x,dx) -> 
       dx < map_get(d,m) -> In(x,S)) 

predicate InvSucc(src:vertex, S:vertex set, Q: vertex set) =
  (* successors of vertices in S are either in S or in Q *)
  (forall x:vertex. In(x, S) -> 
     forall y:vertex. In(y,g_succ(x)) -> In(y, S) or In(y, Q))

predicate InvSucc2(src:vertex, S:vertex set, Q: vertex set,
	           u:vertex, su:vertex set) =
  (* successors of vertices in S are either in S or in Q,
     unless they are successors of u still in su *)
  (forall x:vertex. In(x, S) -> 
     forall y:vertex. In(y,g_succ(x)) -> 
       (x<>u or (x=u and not In(y,su))) -> In(y, S) or In(y, Q))

(* code *)

let shortest_path (src:vertex) (dst:vertex) =
  { In(src,V) and In(dst,V) }
  init src;
  while not (Q_is_empty void) do
    { invariant 
	Inv(src, S, Q, d) and InvSucc(src, S, Q)
      variant 
	set_card(V) - set_card(S) }
    let u = Q_extract_min void in
    assert { shortest_path(src, u, map_get(d,u)) };
    S_add u;
    let su = ref (g_succ u) in
    while not (set_has_next su) do 
      { invariant 
	  Incl(su,g_succ(u)) and 
	  Inv(src, S, Q, d) and InvSucc2(src, S, Q, u, su)
        variant 
	  set_card(su) }
      let v = set_next su in
      relax u v
    done
  done
  { (forall v:vertex. In(v,S) -> shortest_path(src,v,map_get(d,v))) 
    and
    (forall v:vertex. not In(v,S) -> forall dv:int. not path(src,v,dv)) }
    
(*
Local Variables: 
compile-command: "gwhy dijkstra.why"
End: 
*)
why-2.34/examples/dijkstra/.depend0000644000175000017500000000000012311670312015474 0ustar  rtuserswhy-2.34/examples/algo-63-64-65/0000755000175000017500000000000012311670312014262 5ustar  rtuserswhy-2.34/examples/algo-63-64-65/Makefile0000644000175000017500000000014712311670312015724 0ustar  rtusers
VO=algo64_valid.vo algo65_valid.vo

all: algo64_valid.vo algo65_valid.vo

include ../Makefile.common

why-2.34/examples/algo-63-64-65/algo63.mlw0000644000175000017500000000110412311670312016072 0ustar  rtusers
include "arrays.why"

(***
   	
C. A. R. Hoare 	 
Elliott Brothers Ltd., Hertfordshire, England, U.K.

Communications of the ACM  archive
Volume 4 ,  Issue 7  (July 1961) table of contents
Pages: 321 - 322   

***)

(* Algorithm 63 *)

parameter partition : 
  a : int array -> m:int -> n:int -> i:int ref -> j:int ref ->
  { m < n } 
  unit writes a,i,j
  { m <= j and j < i and i <= n and permut(a@,a,m,n) and
    exists x:int.
      (forall r:int. m <= r <= j -> a[r] <= x) and
      (forall r:int. j < r < i -> a[r] = x) and
      (forall r:int. i <= r <= n -> a[r] >= x) }

why-2.34/examples/algo-63-64-65/algo65.mlw0000644000175000017500000000175212311670312016105 0ustar  rtusers
(***
   	
C. A. R. Hoare 	 
Elliott Brothers Ltd., Hertfordshire, England, U.K.

Communications of the ACM  archive
Volume 4 ,  Issue 7  (July 1961) table of contents
Pages: 321 - 322   

***)

include "arrays.why"

(* Algorithm 63 *)

parameter partition : 
  a : int array -> m:int -> n:int -> i:int ref -> j:int ref ->
  { m < n } 
  unit writes a,i,j
  { m <= j and j < i and i <= n and permut(a@,a,m,n) and
    exists x:int.
      (forall r:int. m <= r <= j -> a[r] <= x) and
      (forall r:int. j < r < i -> a[r] = x) and
      (forall r:int. i <= r <= n -> a[r] >= x) }

(* Algorithm 65 (fixed version) *)

let rec find (a:int array) (m:int) (n:int) (k:int) : unit { variant n-m } =
  { m <= k <= n }
  if m < n then begin
    let i = ref 0 in
    let j = ref 0 in
    partition a m n i j;
    if k <= !j then find a m !j k;
    if !i <= k then find a !i n k
  end
  { permut(a@,a,m,n) and 
    (forall r:int. m <= r <= k -> a[r] <= a[k]) and
    (forall r:int. k <= r <= n -> a[k] <= a[r]) }
why-2.34/examples/algo-63-64-65/algo64.mlw0000644000175000017500000000155112311670312016101 0ustar  rtusers
(***
   	
C. A. R. Hoare 	 
Elliott Brothers Ltd., Hertfordshire, England, U.K.

Communications of the ACM  archive
Volume 4 ,  Issue 7  (July 1961) table of contents
Pages: 321 - 322   

***)

include "arrays.why"

(* Algorithm 63 *)

parameter partition : 
  a : int array -> m:int -> n:int -> i:int ref -> j:int ref ->
  { m < n } 
  unit writes a,i,j
  { m <= j and j < i and i <= n and permut(a@,a,m,n) and
    exists x:int.

      (forall r:int. m <= r <= j -> a[r] <= x) and
      (forall r:int. j < r < i -> a[r] = x) and
      (forall r:int. i <= r <= n -> a[r] >= x) }

(* Algorithm 64 *)

let rec quicksort (a:int array) (m:int) (n:int) : unit { variant n-m } =
  { m <= n }
  if m < n then begin
    let i = ref 0 in
    let j = ref 0 in
    partition a m n i j;
    quicksort a m !j;
    quicksort a !i n
  end
  { permut(a@,a,m,n) and sorted_array(a,m,n) }

why-2.34/examples/algo-63-64-65/.depend0000644000175000017500000000000012311670312015510 0ustar  rtuserswhy-2.34/examples/algo-63-64-65/algo64_why.v0000644000175000017500000001006612311670312016437 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Export Why.


Proof.
Admitted.

Proof.
Admitted.

Proof.
Admitted.

Proof.
Admitted.

Proof.
Admitted.

Proof.
Admitted.

Proof.
intuition.
unfold sorted_array.
simplify.

Proof.
intuition.
(* FILL PROOF HERE *)
Save.

Proof.
intuition.
(* FILL PROOF HERE *)
Save.

(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A84:Set) (a1:(array A84)) (a2:(array A84)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A93:Set) (a1:(array A93)) (a2:(array A93))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

why-2.34/examples/sqrt/0000755000175000017500000000000012311670312013424 5ustar  rtuserswhy-2.34/examples/sqrt/sqrt.mlw0000644000175000017500000000153012311670312015135 0ustar  rtusers(********************************************************************

  A simple algorithm for computing the square root of a non-negative
  integer.

  See file [sqrt_why.v] for the proofs of obligations generated by Why.

  (c) Claude Marché 2002

**********************************************************************)

let sqrt = fun (x : int) ->
  { x >= 0 }
  begin
    if x = 0 then 0 else
    if x <= 3 then 1 else	
    let y = ref x in 
    let z = ref (x+1)/2 in
    begin
      while !z < !y do 
	{ invariant 
	      z > 0 
	  and y > 0 
	  and z = (x/y+y)/2
	  and x < (y+1)*(y+1) 
	  and x < (z+1)*(z+1)
	      variant y} 
	  y := !z;
	  z := (x / !z + !z) / 2
      done;
      !y
    end
  end		
  { result * result <= x and x < (result+1)*(result+1) }
     
(*
Local Variables: 
mode: tuareg
compile-command: "why sqrt.mlw"
End: 
*)
     
why-2.34/examples/sqrt/Makefile0000644000175000017500000000007212311670312015063 0ustar  rtusers
VO=sqrt_valid.vo

all: $(VO)

include ../Makefile.common
why-2.34/examples/sqrt/sqrt_why.sx0000644000175000017500000002415512311670312015667 0ustar  rtusers(BG_PUSH 
  ; array_length
  (FORALL (t i v) (EQ (array_length (store t i v)) (array_length t)))
  ; booleans
  (DISTINCT |@true| |@false|)
  ; exchange
  (FORALL (t1 t2 i j)
	  (IFF (EQ (exchange t1 t2 i j) |@true|)
	       (AND (EQ (array_length t1) (array_length t2))
		    (EQ (select t1 i) (select t2 j))
		    (EQ (select t1 j) (select t2 i))
		    (FORALL (k) (IMPLIES (AND (NEQ k i) (NEQ k j))
					 (EQ (select t1 k) (select t2 k)))))))
  (FORALL (t1 t2 i j)
	  (IMPLIES (EQ (exchange t1 t2 i j) |@true|)
		   (EQ (array_length t1) (array_length t2))))
  ; permut
  (FORALL (t) (EQ (permut t t) |@true|))
  (FORALL (t1 t2) (IMPLIES (EQ (permut t1 t2) |@true|)
			   (EQ (permut t2 t1) |@true|)))
  (FORALL (t1 t2 t3) (IMPLIES (AND (EQ (permut t1 t2) |@true|)
				   (EQ (permut t2 t3) |@true|))
			      (EQ (permut t1 t3) |@true|)))
  (FORALL 
   (t i j) 
   (EQ (permut t (store (store t i (select t j)) j (select t i))) |@true|))
  (FORALL (t1 t2)
	  (IMPLIES (EQ (permut t1 t2) |@true|)
		   (EQ (array_length t1) (array_length t2))))
  ; sub_permut
  (FORALL (t g d) (EQ (sub_permut g d t t) |@true|))
  (FORALL (t1 t2 g d) (IMPLIES (EQ (sub_permut g d t1 t2) |@true|)
			   (EQ (sub_permut g d t2 t1) |@true|)))
  (FORALL (t1 t2 t3 g d) (IMPLIES (AND (EQ (sub_permut g d t1 t2) |@true|)
				       (EQ (sub_permut g d t2 t3) |@true|))
				  (EQ (sub_permut g d t1 t3) |@true|)))
  (FORALL 
   (t g d i j) 
   (IMPLIES (AND (<= g i) (<= i d) (<= g j) (<= j d))
	    (EQ (sub_permut g d t 
			    (store (store t i (select t j)) j (select t i))) 
		|@true|)))
  (FORALL 
   (t1 t2 g d i j)
   (IMPLIES (AND (EQ (exchange t1 t2 i j) |@true|)
		 (<= g i) (<= i d) (<= g j) (<= j d))
	    (EQ (sub_permut g d t1 t2) |@true|)))
  (FORALL (t1 t2 i j) 
	  (IMPLIES (EQ (sub_permut i j t1 t2) |@true|)
		   (EQ (permut t1 t2) |@true|)))
  (FORALL (t1 t2 i j)
	  (IMPLIES (EQ (sub_permut i j t1 t2) |@true|)
		   (EQ (array_length t1) (array_length t2))))
  ; sorted_array
  (FORALL 
   (t i j) 
   (IFF (EQ (sorted_array t i j) |@true|)
	(IMPLIES (<= i j)
		 (FORALL (k) (IMPLIES (AND (<= i k) (< k j))
				      (<= (select t k) (select t (+ k 1))))))))
)

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; sqrt_po_1, File "sqrt.mlw", line 34, characters 4-54
(FORALL (x)
(IMPLIES (>= x 0)
(IMPLIES (EQ x 0) (AND (<= (* 0 0) x) (< x (* (+ 0 1) (+ 0 1)))))))

;; sqrt_po_2, File "sqrt.mlw", line 34, characters 4-54
(FORALL (x)
(IMPLIES (>= x 0)
(IMPLIES (NEQ x 0)
(IMPLIES (<= x 3) (AND (<= (* 1 1) x) (< x (* (+ 1 1) (+ 1 1))))))))

;; sqrt_po_3, File "sqrt.mlw", line 18, characters 16-23
(FORALL (x)
(IMPLIES (>= x 0) (IMPLIES (NEQ x 0) (IMPLIES (> x 3) (NEQ 2 0)))))

;; sqrt_po_4, File "sqrt.mlw", line 22, characters 7-95
(FORALL (x)
(IMPLIES (>= x 0)
(IMPLIES (NEQ x 0)
(IMPLIES (> x 3)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ x 1) 2))
(AND (> result 0)
(AND (> x 0)
(AND (EQ result (int_div (+ (int_div x x) x) 2))
(AND (< x (* (+ x 1) (+ x 1))) (< x (* (+ result 1) (+ result 1))))))))))))))

;; sqrt_po_5, File "sqrt.mlw", line 29, characters 9-15
(FORALL (x)
(IMPLIES (>= x 0)
(IMPLIES (NEQ x 0)
(IMPLIES (> x 3)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ x 1) 2))
(FORALL (y)
(FORALL (z)
(IMPLIES (AND (> z 0)
         (AND (> y 0)
         (AND (EQ z (int_div (+ (int_div x y) y) 2))
         (AND (< x (* (+ y 1) (+ y 1))) (< x (* (+ z 1) (+ z 1)))))))
(IMPLIES (< z y) (FORALL (y0) (IMPLIES (EQ y0 z) (NEQ z 0))))))))))))))

;; sqrt_po_6, File "sqrt.mlw", line 22, characters 7-95
(FORALL (x)
(IMPLIES (>= x 0)
(IMPLIES (NEQ x 0)
(IMPLIES (> x 3)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ x 1) 2))
(FORALL (y)
(FORALL (z)
(IMPLIES (AND (> z 0)
         (AND (> y 0)
         (AND (EQ z (int_div (+ (int_div x y) y) 2))
         (AND (< x (* (+ y 1) (+ y 1))) (< x (* (+ z 1) (+ z 1)))))))
(IMPLIES (< z y)
(FORALL (y0)
(IMPLIES (EQ y0 z)
(IMPLIES (NEQ z 0)
(FORALL (result0)
(IMPLIES (EQ result0 (int_div x z))
(IMPLIES (NEQ 2 0)
(FORALL (result1)
(IMPLIES (EQ result1 (int_div (+ result0 z) 2))
(FORALL (z0)
(IMPLIES (EQ z0 result1)
(AND (> z0 0)
(AND (> y0 0)
(AND (EQ z0 (int_div (+ (int_div x y0) y0) 2))
(AND (< x (* (+ y0 1) (+ y0 1))) (< x (* (+ z0 1) (+ z0 1))))))))))))))))))))))))))))

;; sqrt_po_7, File "sqrt.mlw", line 27, characters 15-16
(FORALL (x)
(IMPLIES (>= x 0)
(IMPLIES (NEQ x 0)
(IMPLIES (> x 3)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ x 1) 2))
(FORALL (y)
(FORALL (z)
(IMPLIES (AND (> z 0)
         (AND (> y 0)
         (AND (EQ z (int_div (+ (int_div x y) y) 2))
         (AND (< x (* (+ y 1) (+ y 1))) (< x (* (+ z 1) (+ z 1)))))))
(IMPLIES (< z y)
(FORALL (y0)
(IMPLIES (EQ y0 z)
(IMPLIES (NEQ z 0)
(FORALL (result0)
(IMPLIES (EQ result0 (int_div x z))
(IMPLIES (NEQ 2 0)
(FORALL (result1)
(IMPLIES (EQ result1 (int_div (+ result0 z) 2))
(FORALL (z0) (IMPLIES (EQ z0 result1) (AND (<= 0 y) (< y0 y)))))))))))))))))))))))

;; sqrt_po_8, File "sqrt.mlw", line 34, characters 4-54
(FORALL (x)
(IMPLIES (>= x 0)
(IMPLIES (NEQ x 0)
(IMPLIES (> x 3)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ x 1) 2))
(FORALL (y)
(FORALL (z)
(IMPLIES (AND (> z 0)
         (AND (> y 0)
         (AND (EQ z (int_div (+ (int_div x y) y) 2))
         (AND (< x (* (+ y 1) (+ y 1))) (< x (* (+ z 1) (+ z 1)))))))
(IMPLIES (>= z y) (AND (<= (* y y) x) (< x (* (+ y 1) (+ y 1)))))))))))))))

why-2.34/examples/sqrt/simple.mlw0000644000175000017500000000055012311670312015436 0ustar  rtuserslet sqrt (n:int) =
  { n >= 0 } 
  let count = ref 0 in
  let sum = ref 1 in
  while !sum <= n do
    { invariant count >= 0 and n >= count*count 
            and sum = (count+1)*(count+1)
      variant n - sum }
    count := !count + 1;
    sum := !sum + 2 * !count + 1
  done;
  !count
  { result >= 0 and 
    result * result <= n < (result+1)*(result+1) }
why-2.34/examples/sqrt/.depend0000644000175000017500000000015412311670312014664 0ustar  rtuserssqrt_valid.vo: sqrt_valid.v ../../lib/coq/Why.vo ./sqrt_why.vo
sqrt_why.vo: sqrt_why.v ../../lib/coq/Why.vo
why-2.34/examples/sqrt/sqrt_why.v0000644000175000017500000001441512311670312015500 0ustar  rtusers(********************************************************************

  A simple algorithm for computing the square root of a non-negative
  integer.

  Proofs of obligations generated by Why.

  (c) Claude Marché, may 2002

**********************************************************************)

(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)


Require Import ZArith.
Require Import Zcomplements.
Require Import ZArithRing.
Require Import Zdiv.
Require Import Omega.
Require Import Why.

(* some basic arithmetic lemmas *)

Lemma sqr_gt :
 forall x y:Z, (x > y)%Z -> (y > 0)%Z -> (x * x > y * y)%Z.
Proof.
intros.
assert (x * y > y * y)%Z.
apply Zmult_gt_compat_r; omega.
assert (x * x > x * y)%Z.
apply Zmult_gt_compat_l; omega.
omega.
Qed.

Lemma Z_mod_same : forall a:Z, (a > 0)%Z -> (a mod a)%Z = 0%Z.
Proof.
intros a aPos.
generalize (Z_mod_plus 0 1 a aPos).
replace (0 + 1 * a)%Z with a.
intros.
rewrite H.
compute.
trivial.
ring.
Qed.

Lemma Z_div_same : forall a:Z, (a > 0)%Z -> (a / a)%Z = 1%Z.
Proof.
intros a aPos.
generalize (Z_div_plus 0 1 a aPos).
replace (0 + 1 * a)%Z with a.
intros.
rewrite H.
compute.
trivial.
ring.
Qed.

(* some general lemmas for invariants *)

Lemma iter_sqrt_pos :
 forall x z:Z, (x > 0)%Z -> (z > 0)%Z -> ((x / z + z) / 2 > 0)%Z.
Proof.
intros x z xPos zPos.
assert (x / z + z >= 2)%Z.
assert (x + z * z >= z + z)%Z.
assert (x + (z - 1) * (z - 1) >= 1)%Z.
generalize (sqr_pos (z - 1)).
intros.
omega.
replace (z * z)%Z with ((z - 1) * (z - 1) + z + z - 1)%Z.
omega.
ring.
generalize (Z_div_ge (x + z * z) (z + z) z zPos H).
intro.
generalize (Z_div_plus x z z zPos).
intro H1.
rewrite H1 in H0.
clear H1.
generalize (Z_div_plus z 1 z zPos).
replace (1 * z)%Z with z.
intro H2.
rewrite H2 in H0.
clear H2.
generalize (Z_div_plus 0 1 z zPos).
replace (1 * z)%Z with z.
replace (0 + z)%Z with z.
intro.
rewrite H1 in H0.
simpl in H0.
trivial.
trivial.
ring.
ring.
assert (2 > 0)%Z.
omega.
generalize (Z_div_ge (x / z + z) 2 2 H0 H).
replace (2 / 2)%Z with 1%Z.
intro; omega.
compute.
trivial.
Qed.

Lemma iter_sqrt_pos2 : forall x:Z, (x > 0)%Z -> ((x + 1) / 2 > 0)%Z.
Proof.
intros.
assert (x + 1 >= 2)%Z.
 omega.
assert ((x + 1) / 2 >= 2 / 2)%Z.
apply Z_div_ge; try omega.
assert (2 / 2 > 0)%Z; try omega.
compute; trivial.
Qed.

Lemma iter_sqrt_invar1 :
 forall x y z:Z,
   (x > 0)%Z ->
   (y > 0)%Z -> z = ((x / y + y) / 2)%Z -> (2 * y * z <= x + y * y)%Z.
Proof.
intros x y z xPos yPos zVal.
assert (2 * z <= x / y + y)%Z.
rewrite zVal.
apply Z_mult_div_ge; omega.
assert (2 * y * z <= y * (x / y + y))%Z.
replace (2 * y * z)%Z with (y * (2 * z))%Z; try ring.
apply Zmult_le_compat_l; trivial || omega.
assert (y * (x / y + y) <= x + y * y)%Z.
assert ((y * (x / y + y))%Z = (y * (x / y) + y * y)%Z); try ring.
 assert (y * (x / y) <= x)%Z.
apply Z_mult_div_ge; omega.
omega.
omega.
Qed.

Lemma iter_sqrt_invar2 :
 forall x y z:Z,
   (x > 0)%Z ->
   (y > 0)%Z ->
   z = ((x / y + y) / 2)%Z -> (2 * y * (z + 1) > x + y * y)%Z.
Proof.
intros x y z xPos yPos zVal.
assert (TwoPos: (2 > 0)); try omega.
generalize (Z_div_mod_eq x y yPos).
generalize (Z_mod_lt x y yPos).
generalize (Z_div_mod_eq (x / y + y) 2 TwoPos).
generalize (Z_mod_lt (x / y + y) 2 TwoPos).
intros.
rewrite zVal.
replace (2 * y * ((x / y + y) / 2 + 1))%Z with
 (y * (2 * ((x / y + y) / 2)) + y + y)%Z; try ring.
replace (2 * ((x / y + y) / 2))%Z with
 (x / y + y - (x / y + y) mod 2)%Z.
replace (y * (x / y + y - (x / y + y) mod 2))%Z with
 (y * (x / y) + y * y - y * ((x / y + y) mod 2))%Z.
replace (y * (x / y))%Z with (x - x mod y)%Z.
assert (y >= y * ((x / y + y) mod 2))%Z.
pattern y at 1; replace y with (y * 1)%Z.
apply Zmult_ge_compat_l.
omega.
omega.
ring.
omega.
omega.
ring.
omega.
Qed.

Lemma iter_sqrt_invar3 :
 forall x y z:Z,
   (x > 0)%Z ->
   (y > 0)%Z -> z = ((x / y + y) / 2)%Z -> (x < (z + 1) * (z + 1))%Z.
Proof.
intros x y z xPos yPos zVal.
cut ((z + 1) * (z + 1) - x > 0)%Z; try omega.
assert (4 * y * y * ((z + 1) * (z + 1) - x) >= 1)%Z.
replace (4 * y * y * ((z + 1) * (z + 1) - x))%Z with
 (2 * y * (z + 1) * (2 * y * (z + 1)) - 4 * y * y * x)%Z; try ring.
generalize (iter_sqrt_invar2 x y z xPos yPos zVal).
intro.
assert
 (2 * y * (z + 1) * (2 * y * (z + 1)) > (x + y * y) * (x + y * y))%Z.
assert (2 * y * (z + 1) * (x + y * y) > (x + y * y) * (x + y * y))%Z.
apply Zmult_gt_compat_r.
generalize (sqr_pos y).
omega.
assumption.
assert
 (2 * y * (z + 1) * (2 * y * (z + 1)) > 2 * y * (z + 1) * (x + y * y))%Z;
 try omega.
apply Zmult_gt_compat_l; try assumption.
apply Zmult_gt_0_compat; try omega.
assert (z >= 0)%Z; try omega.
rewrite zVal.
apply Z_div_ge0; try omega.
assert (x / y >= 0)%Z; try omega.
apply Z_div_ge0; try omega.
assert ((x + y * y) * (x + y * y) - 4 * y * y * x >= 0)%Z; try omega.
replace ((x + y * y) * (x + y * y) - 4 * y * y * x)%Z with
 ((x - y * y) * (x - y * y))%Z; try ring.
apply sqr_pos.
apply (Zmult_gt_0_reg_l (4 * y * y)).
apply Zmult_gt_0_compat; try omega.
omega.
Qed.




Lemma iter_sqrt_invar4 :
 forall x y z:Z,
   (x > 0)%Z ->
   (y > 0)%Z -> z = ((x / y + y) / 2)%Z -> (z >= y)%Z -> (y * y <= x)%Z.
Proof.
intros x y z xPos yPos zVal zGey.
generalize (iter_sqrt_invar1 x y z xPos yPos zVal); intros.
assert (y * y <= y * z)%Z.
apply Zmult_le_compat_l; try omega.
assert ((2 * y * z)%Z = (y * z + y * z)%Z); try ring.
omega.
Qed.

(* beginning of proof obligations *)

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
subst result.
assert ((x + 1) / 2 >= 1)%Z.
pattern 1%Z at 2; replace 1%Z with (2 / 2)%Z; trivial.
apply Z_div_ge; try omega.
omega.

subst result.
assert ((x / x + x)%Z = (x + 1)%Z).
assert (xPos: (x > 0)); try omega.
generalize (Z_div_same x xPos).
 intro.
rewrite H; omega.
rewrite H; trivial.

subst result.
assert ((x + 1) * (x + 1) >= (x + 1) * 1)%Z.
apply Zmult_ge_compat_l; try omega.
assert (((x + 1) * 1)%Z = (x + 1)%Z); try ring.
omega.

subst result.
apply (iter_sqrt_invar3 x x); try omega.
assert ((x / x + x)%Z = (x + 1)%Z).
assert (xPos: (x > 0)); try omega.
generalize (Z_div_same x xPos).
 intro.
rewrite H; omega.
rewrite H; trivial.
Save.

Proof.
intuition.
Save.

Proof.
unfold Zwf; intuition.
subst.
apply iter_sqrt_pos; omega.
subst; auto.
subst; auto.
apply (iter_sqrt_invar3 x z); auto.
subst; auto.
Save.

Proof.
intuition.
apply (iter_sqrt_invar4 x y z); try omega.
Qed.


why-2.34/examples/sqrt/simple_why.v0000644000175000017500000001046612311670312016002 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Export Why.
Require Export ZArithRing.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma sqrt_po_1 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  0 >= 0.
Proof.
intuition.
Save.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma sqrt_po_2 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  n >= (0 * 0).
Proof.
intuition.
Save.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma sqrt_po_3 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  1 = ((0 + 1) * (0 + 1)).
Proof.
intuition.
Save.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma sqrt_po_4 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_2: 0 >= 0 /\ n >= (0 * 0) /\ 1 = ((0 + 1) * (0 + 1))),
  forall (count: Z),
  forall (sum: Z),
  forall (HW_3: count >= 0 /\ n >= (count * count) /\ sum =
                ((count + 1) * (count + 1))),
  forall (HW_4: sum <= n),
  forall (count0: Z),
  forall (HW_5: count0 = (count + 1)),
  forall (sum0: Z),
  forall (HW_6: sum0 = (sum + 2 * count0 + 1)),
  count0 >= 0.
Proof.
intuition.
Save.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma sqrt_po_5 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_2: 0 >= 0 /\ n >= (0 * 0) /\ 1 = ((0 + 1) * (0 + 1))),
  forall (count: Z),
  forall (sum: Z),
  forall (HW_3: count >= 0 /\ n >= (count * count) /\ sum =
                ((count + 1) * (count + 1))),
  forall (HW_4: sum <= n),
  forall (count0: Z),
  forall (HW_5: count0 = (count + 1)),
  forall (sum0: Z),
  forall (HW_6: sum0 = (sum + 2 * count0 + 1)),
  n >= (count0 * count0).
Proof.
intuition.
apply Zge_trans with sum; intuition.
subst count0; intuition.
Save.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma sqrt_po_6 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_2: 0 >= 0 /\ n >= (0 * 0) /\ 1 = ((0 + 1) * (0 + 1))),
  forall (count: Z),
  forall (sum: Z),
  forall (HW_3: count >= 0 /\ n >= (count * count) /\ sum =
                ((count + 1) * (count + 1))),
  forall (HW_4: sum <= n),
  forall (count0: Z),
  forall (HW_5: count0 = (count + 1)),
  forall (sum0: Z),
  forall (HW_6: sum0 = (sum + 2 * count0 + 1)),
  sum0 = ((count0 + 1) * (count0 + 1)).
Proof.
intuition.
subst sum0 count0 sum; ring.
Save.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma sqrt_po_7 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_2: 0 >= 0 /\ n >= (0 * 0) /\ 1 = ((0 + 1) * (0 + 1))),
  forall (count: Z),
  forall (sum: Z),
  forall (HW_3: count >= 0 /\ n >= (count * count) /\ sum =
                ((count + 1) * (count + 1))),
  forall (HW_4: sum <= n),
  forall (count0: Z),
  forall (HW_5: count0 = (count + 1)),
  forall (sum0: Z),
  forall (HW_6: sum0 = (sum + 2 * count0 + 1)),
  0 <= (n - sum).
Proof.
intuition.
Save.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma sqrt_po_8 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_2: 0 >= 0 /\ n >= (0 * 0) /\ 1 = ((0 + 1) * (0 + 1))),
  forall (count: Z),
  forall (sum: Z),
  forall (HW_3: count >= 0 /\ n >= (count * count) /\ sum =
                ((count + 1) * (count + 1))),
  forall (HW_4: sum <= n),
  forall (count0: Z),
  forall (HW_5: count0 = (count + 1)),
  forall (sum0: Z),
  forall (HW_6: sum0 = (sum + 2 * count0 + 1)),
  (n - sum0) < (n - sum).
Proof.
intuition.
Save.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma sqrt_po_9 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_2: 0 >= 0 /\ n >= (0 * 0) /\ 1 = ((0 + 1) * (0 + 1))),
  forall (count: Z),
  forall (sum: Z),
  forall (HW_3: count >= 0 /\ n >= (count * count) /\ sum =
                ((count + 1) * (count + 1))),
  forall (HW_7: sum > n),
  (count * count) <= n.
Proof.
intuition.
Save.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma sqrt_po_10 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_2: 0 >= 0 /\ n >= (0 * 0) /\ 1 = ((0 + 1) * (0 + 1))),
  forall (count: Z),
  forall (sum: Z),
  forall (HW_3: count >= 0 /\ n >= (count * count) /\ sum =
                ((count + 1) * (count + 1))),
  forall (HW_7: sum > n),
  n < ((count + 1) * (count + 1)).
Proof.
intuition.
Save.

why-2.34/examples/find/0000755000175000017500000000000012311670312013353 5ustar  rtuserswhy-2.34/examples/find/Makefile0000644000175000017500000000014012311670312015006 0ustar  rtusers
VO=find_valid.vo

all: find_lemmas.vo find_proofs.vo find_spec.vo 

include ../Makefile.common
why-2.34/examples/find/find_spec.v0000644000175000017500000000457312311670312015505 0ustar  rtusers(* Load Programs. *)(**********************************************************************)
(*                                                                    *)
(* FIND, an historical example.                                       *)
(*                                                                    *)
(* The proof of this program was originally done by C. A. R. Hoare    *)
(* and fully detailed in the following paper:                         *)
(*                                                                    *)
(* C. A. R. Hoare, , Communications of the  *)
(* ACM, 14(1), 39--45, January 1971.                                  *)
(*                                                                    *)
(**********************************************************************)
(* Jean-Christophe FILLIATRE, February 98                             *)
(**********************************************************************)
(* find_spec.v                                                        *)
(**********************************************************************)

Require Export WhyArrays.

(* parameters = globals of the program *)

Parameter N : Z.
   (* size of the array *)
Parameter f : Z.
   (* the `pivot' *)

Axiom le_1_f : (1 <= f)%Z.
Axiom le_f_N : (f <= N)%Z.

(* Specification part *)

Definition n_invariant (n:Z) (A:array Z) :=
  (f <= n)%Z /\
  (forall p q:Z,
     (1 <= p)%Z ->
     (p <= n)%Z ->
     (n < q)%Z -> (q <= N)%Z -> (access A p <= access A q)%Z).

Definition m_invariant (m:Z) (A:array Z) :=
  (m <= f)%Z /\
  (forall p q:Z,
     (1 <= p)%Z ->
     (p < m)%Z ->
     (m <= q)%Z -> (q <= N)%Z -> (access A p <= access A q)%Z).

Definition i_invariant (m n i r:Z) (A:array Z) :=
  (m <= i)%Z /\
  (forall p:Z, (1 <= p)%Z -> (p < i)%Z -> (access A p <= r)%Z) /\
  ((i <= n)%Z ->
    exists p : Z, (i <= p)%Z /\ (p <= n)%Z /\ (r <= access A p)%Z).
  
Definition j_invariant (m n j r:Z) (A:array Z) :=
  (j <= n)%Z /\
  (forall q:Z, (j < q)%Z -> (q <= N)%Z -> (r <= access A q)%Z) /\
  ((m <= j)%Z ->
    exists q : Z, (m <= q)%Z /\ (q <= j)%Z /\ (access A q <= r)%Z).

Definition termination (i j i0 j0 r:Z) (A:array Z) :=
  (i > i0)%Z /\ (j < j0)%Z \/ (i <= f <= j)%Z /\ access A f = r.

Definition found (A:array Z) :=
  forall p q:Z,
    (1 <= p)%Z ->
    (p <= f)%Z ->
    (f <= q)%Z ->
    (q <= N)%Z ->
    (access A p <= access A f)%Z /\ (access A f <= access A q)%Z.

why-2.34/examples/find/find_proofs.v0000644000175000017500000002665712311670312016072 0ustar  rtusers(* Load Programs. *)(**********************************************************************)
(*                                                                    *)
(* FIND, an historical example.                                       *)
(*                                                                    *)
(* The proof of this program was originally done by C. A. R. Hoare    *)
(* and fully detailed in the following paper:                         *)
(*                                                                    *)
(* C. A. R. Hoare, , Communications of the  *)
(* ACM, 14(1), 39--45, January 1971.                                  *)
(*                                                                    *)
(**********************************************************************)
(* Jean-Christophe FILLIATRE, February 98                             *)
(**********************************************************************)
(* find_proofs.v                                                      *)
(**********************************************************************)

Require Import find_spec.
Require Import find_lemmas.
Require Import Why.
Require Import Omega.

Lemma zero_f_SN : (0 <= f < Zsucc N)%Z.
Proof.
generalize le_1_f; generalize le_f_N; intros; omega.
Qed.

(* Lemmas to prove arrays bounds obligations. *)

Lemma bound_3 :
 forall (m n i r:Z) (A:array Z),
   i_invariant m n i r A ->
   (i <= n)%Z -> (access A i < r)%Z -> (Zsucc i <= n)%Z.
Proof.
unfold i_invariant.
intros m n i r A Hi le_i_n lt_Ai_r.
decompose [and] Hi.
case (Z_le_lt_eq_dec i n le_i_n).
intro.
 abstract omega.
intro eq_i_n.
 elim (H2 le_i_n).
 intros.
absurd (access A i < r)%Z.
cut (x = i).
 intro eq_x_i.
 rewrite eq_x_i in H0.
 abstract omega.
abstract omega.
assumption.
Qed.


Lemma bound_4 :
 forall (m n j r:Z) (A:array Z),
   j_invariant m n j r A ->
   (m <= j)%Z -> (r < access A j)%Z -> (m <= Zpred j)%Z.
Proof.
unfold j_invariant.
intros m n j r A Hj le_m_j lt_r_Aj.
decompose [and] Hj.
case (Z_le_lt_eq_dec m j le_m_j).
intro.
 unfold Zpred.
 abstract omega.
intro eq_m_j.
 elim (H2 le_m_j).
 intros.
absurd (r < access A j)%Z.
cut (x = j).
 intro eq_x_j.
 rewrite eq_x_j in H0.
 abstract omega.
abstract omega.
assumption.
Qed.


(* Some subgoals of the main proof *)

Lemma subgoal_1 :
 forall (m1 n1 i2 j2 i3:Z) (A A0 A1:array Z),
   m_invariant m1 A0 /\
   n_invariant n1 A0 /\ permut A0 A /\ (1 <= m1)%Z /\ (n1 <= N)%Z ->
   (m1 < n1)%Z ->
   (0 <= f < Zsucc N)%Z ->
   i_invariant m1 n1 i2 (access A0 f) A1 /\
   j_invariant m1 n1 j2 (access A0 f) A1 /\
   m_invariant m1 A1 /\
   n_invariant n1 A1 /\
   (0 <= j2)%Z /\
   (i2 <= N + 1)%Z /\
   termination i2 j2 m1 n1 (access A0 f) A1 /\ permut A1 A ->
   (i2 <= j2)%Z ->
   i_invariant m1 n1 i3 (access A0 f) A1 /\
   (i2 <= i3)%Z /\
   (i3 <= n1)%Z /\ termination i3 j2 m1 n1 (access A0 f) A1 ->
   (access A1 i3 < access A0 f)%Z ->
   i_invariant m1 n1 (Zsucc i3) (access A0 f) A1 /\
   (i2 <= Zsucc i3)%Z /\
   (Zsucc i3 <= n1)%Z /\ termination (Zsucc i3) j2 m1 n1 (access A0 f) A1.

Proof.
intros m1 n1 i2 j2 i3 A A0 A1 HH_43 HH_42 HH_40 HH_28 HH_27 HH_4 HH_2.
split.
apply Lemma_8_15.
 elim HH_4; auto.
decompose [and] HH_4.
 elim H.
 intros.
 abstract omega.
split; [ abstract omega | split ].
cut (Zsucc i3 <= n1)%Z.
 abstract omega.
apply bound_3 with (m := m1) (r := access A0 f) (A := A1); auto.
elim HH_4; auto.
 abstract omega.
(* term. *)
unfold termination.
 decompose [and] HH_4.
 elim H3.
intro.
 left.
 abstract omega.
intro.
 right.
 decompose [and] H2.
case (Z_le_lt_eq_dec i3 f H6).
  intro.
 abstract omega.
  intro eq_i3_f.
 absurd (access A1 i3 < access A0 f)%Z; auto.
  rewrite eq_i3_f.
 abstract omega.
Qed.


Lemma subgoal_2 :
 forall (m1 n1 i2 j2 i3 j3:Z) (A A0 A1:array Z),
   m_invariant m1 A0 /\
   n_invariant n1 A0 /\ permut A0 A /\ (1 <= m1)%Z /\ (n1 <= N)%Z ->
   (m1 < n1)%Z ->
   (0 <= f < Zsucc N)%Z ->
   i_invariant m1 n1 i2 (access A0 f) A1 /\
   j_invariant m1 n1 j2 (access A0 f) A1 /\
   m_invariant m1 A1 /\
   n_invariant n1 A1 /\
   (0 <= j2)%Z /\
   (i2 <= N + 1)%Z /\
   termination i2 j2 m1 n1 (access A0 f) A1 /\ permut A1 A ->
   (i2 <= j2)%Z ->
   (i_invariant m1 n1 i3 (access A0 f) A1 /\
    (i2 <= i3)%Z /\
    (i3 <= n1)%Z /\ termination i3 j2 m1 n1 (access A0 f) A1) /\
   (access A1 i3 >= access A0 f)%Z ->
   j_invariant m1 n1 j3 (access A0 f) A1 /\
   (j3 <= j2)%Z /\
   (m1 <= j3)%Z /\ termination i3 j3 m1 n1 (access A0 f) A1 ->
   (access A0 f < access A1 j3)%Z ->
   j_invariant m1 n1 (Zpred j3) (access A0 f) A1 /\
   (Zpred j3 <= j2)%Z /\
   (m1 <= Zpred j3)%Z /\
   termination i3 (Zpred j3) m1 n1 (access A0 f) A1.

Proof.
intros m1 n1 i2 j2 i3 j3 A A0 A1 HH_43 HH_42 HH_40 HH_28 HH_27 HH_25
 HH_9 HH_7.
split.
apply Lemma_9_17.
 elim HH_9; auto.
unfold j_invariant in HH_9.
 decompose [and] HH_9.
 elim H3.
 intros.
 abstract omega.
assumption.
cut (m1 <= Zpred j3)%Z.
 unfold Zpred.
  split; [ abstract omega | split; [ abstract omega | idtac ] ].
(* term. *)
unfold termination.
decompose [and] HH_9.
 elim H4.
intro.
 left.
 abstract omega.
intro.
 right.
 decompose [and] H3.
case (Z_le_lt_eq_dec f j3 H8).
  intro.
 abstract omega.
  intro eq_f_j3.
 absurd (access A0 f < access A1 j3)%Z; auto.
  rewrite <- eq_f_j3.
 abstract omega.
(* *)
apply bound_4 with (n := n1) (r := access A0 f) (A := A1); auto.
elim HH_9; auto.
 abstract omega.
Qed.


Lemma subgoal_3 :
 forall (m0 n0 i0 j0 i1 j1:Z) (A A0 A1 A2:array Z),
   array_length A = (N + 1)%Z ->
   m_invariant m0 A0 /\
   n_invariant n0 A0 /\ permut A0 A /\ (1 <= m0)%Z /\ (n0 <= N)%Z ->
   (m0 < n0)%Z ->
   (0 <= f < Zsucc N)%Z ->
   i_invariant m0 n0 i0 (access A0 f) A1 /\
   j_invariant m0 n0 j0 (access A0 f) A1 /\
   m_invariant m0 A1 /\
   n_invariant n0 A1 /\
   (0 <= j0)%Z /\
   (i0 <= N + 1)%Z /\
   termination i0 j0 m0 n0 (access A0 f) A1 /\ permut A1 A ->
   (i0 <= j0)%Z ->
   (i_invariant m0 n0 i1 (access A0 f) A1 /\
    (i0 <= i1)%Z /\
    (i1 <= n0)%Z /\ termination i1 j0 m0 n0 (access A0 f) A1) /\
   (access A1 i1 >= access A0 f)%Z ->
   (j_invariant m0 n0 j1 (access A0 f) A1 /\
    (j1 <= j0)%Z /\
    (m0 <= j1)%Z /\ termination i1 j1 m0 n0 (access A0 f) A1) /\
   (access A0 f >= access A1 j1)%Z ->
   (access A1 j1 <= access A0 f <= access A1 i1)%Z ->
   (i1 <= j1)%Z ->
   exchange A2 A1 i1 j1 ->
   (access A2 i1 <= access A0 f)%Z ->
   (access A0 f <= access A2 j1)%Z ->
   Zwf 0 (N + 2 + Zpred j1 - Zsucc i1) (N + 2 + j0 - i0) /\
   i_invariant m0 n0 (Zsucc i1) (access A0 f) A2 /\
   j_invariant m0 n0 (Zpred j1) (access A0 f) A2 /\
   m_invariant m0 A2 /\
   n_invariant n0 A2 /\
   (0 <= Zpred j1)%Z /\
   (Zsucc i1 <= N + 1)%Z /\
   termination (Zsucc i1) (Zpred j1) m0 n0 (access A0 f) A2 /\ permut A2 A.
Proof.
intros m0 n0 i0 j0 i1 j1 A A0 A1 A2 HN Inv_mn Test7 Pre12 Inv_ij Test4
 Inv_i Inv_j Pre10 Test3 Post7 Pre8 Pre7.
split.
(* [Zwf] *)
  unfold Zwf.
  decompose [and] Inv_i.
 decompose [and] Inv_j.
 unfold Zpred.
   abstract omega.
split.
(* [i_invariant] *)
  apply Lemma_8_10 with (j := j1) (A' := A1); try assumption.
  SameLength A2 A1.
 intuition; SameLength A1 A.
 omega.
  decompose [and] Inv_i.
 elim H1.
 abstract omega.
  abstract omega.
 abstract omega.
    decompose [and] Inv_i.
 assumption.
  decompose [and] Inv_j.
 assumption.
split.
(* [j_invariant] *)
  apply Lemma_9_11 with (i := i1) (A' := A1); try assumption.
  SameLength A2 A1.
 intuition; SameLength A1 A.
 omega.
  decompose [and] Inv_j.
 elim H1.
 abstract omega.
   decompose [and] Inv_i.
 elim H1.
 abstract omega.
   decompose [and] Inv_mn.
 assumption.
  decompose [and] Inv_j.
 assumption.
  decompose [and] Inv_i.
 assumption.
split.
(* [m_invariant] *)
  apply Lemma_12' with (i := i1) (j := j1) (A := A1).
  intuition; SameLength A1 A; omega.
  decompose [and] Inv_i.
 elim H1.
 abstract omega.
  auto with datatypes.
  decompose [and] Inv_ij.
 assumption.
split.
(* [n_invariant] *)
  apply Lemma_13' with (i := i1) (j := j1) (A := A1).
  intuition; SameLength A1 A.
 omega.
  decompose [and] Inv_i.
 elim H1.
 abstract omega.
  decompose [and] Inv_j.
 elim H1.
 abstract omega.
  auto with datatypes.
  decompose [and] Inv_ij.
 assumption.
split.
(* [0<=j-1] *)
  unfold Zpred.
 abstract omega.
split.
(* [i+1<=N+1] *)
  abstract omega.
split.
(* [termination] *)
  unfold termination.
   left.
 unfold Zpred.
   decompose [and] Inv_i.
 elim H1.
 intros.
   decompose [and] Inv_j.
 elim H8.
 intros.
   abstract omega.
(* [permut] *)
  decompose [and] Inv_ij.
 eauto with datatypes.
Qed.


Lemma subgoal_5 :
 forall (m1 n1 i2 j2:Z) (A A0 A1:array Z),
   m_invariant m1 A0 /\
   n_invariant n1 A0 /\ permut A0 A /\ (1 <= m1)%Z /\ (n1 <= N)%Z ->
   (m1 < n1)%Z ->
   (0 <= f < Zsucc N)%Z ->
   (i_invariant m1 n1 i2 (access A0 f) A1 /\
    j_invariant m1 n1 j2 (access A0 f) A1 /\
    m_invariant m1 A1 /\
    n_invariant n1 A1 /\
    (0 <= j2)%Z /\
    (i2 <= N + 1)%Z /\
    termination i2 j2 m1 n1 (access A0 f) A1 /\ permut A1 A) /\
   (i2 > j2)%Z ->
   (m1 < i2)%Z /\ (j2 < n1)%Z ->
   (f <= j2)%Z ->
   Zwf 0 (j2 - m1) (n1 - m1) /\
   m_invariant m1 A1 /\
   n_invariant j2 A1 /\ permut A1 A /\ (1 <= m1)%Z /\ (j2 <= N)%Z.

Proof.
intros m1 n1 i2 j2 A A0 A1 HH_44 HH_43 HH_41 HH_40 HH_39 HH_37.
decompose [and] HH_40.
split;
 [ idtac
 | split;
    [ assumption | split; [ idtac | split; [ assumption | idtac ] ] ] ].
abstract (unfold Zwf; elim H; elim H0; elim H1; elim H2; intros; omega).
apply Lemma_6_a with (m := m1) (n := n1) (i := i2) (r := access A0 f);
 auto.
abstract omega.
Qed.


Lemma subgoal_6 :
 forall (m1 n1 i2 j2:Z) (A A0 A1:array Z),
   m_invariant m1 A0 /\
   n_invariant n1 A0 /\ permut A0 A /\ (1 <= m1)%Z /\ (n1 <= N)%Z ->
   (m1 < n1)%Z ->
   (0 <= f < Zsucc N)%Z ->
   (i_invariant m1 n1 i2 (access A0 f) A1 /\
    j_invariant m1 n1 j2 (access A0 f) A1 /\
    m_invariant m1 A1 /\
    n_invariant n1 A1 /\
    (0 <= j2)%Z /\
    (i2 <= N + 1)%Z /\
    termination i2 j2 m1 n1 (access A0 f) A1 /\ permut A1 A) /\
   (i2 > j2)%Z ->
   (m1 < i2)%Z /\ (j2 < n1)%Z ->
   (f > j2)%Z ->
   (i2 <= f)%Z ->
   Zwf 0 (n1 - i2) (n1 - m1) /\
   m_invariant i2 A1 /\
   n_invariant n1 A1 /\ permut A1 A /\ (1 <= i2)%Z /\ (n1 <= N)%Z.
Proof.
intros m1 n1 i2 j2 A A0 A1 HH_44 HH_43 HH_41 HH_40 HH_39 HH_36 HH_33.
decompose [and] HH_40.
split;
 [ idtac
 | split;
    [ idtac | split; [ assumption | split; [ assumption | idtac ] ] ] ].
abstract (unfold Zwf; elim H; elim H1; elim H2; elim H3; intros; omega).
apply Lemma_6_b with (m := m1) (n := n1) (j := j2) (r := access A0 f);
 auto.
abstract omega.
Qed.


Lemma subgoal_7 :
 forall (m1 n1 i2 j2:Z) (A A0 A1:array Z),
   m_invariant m1 A0 /\
   n_invariant n1 A0 /\ permut A0 A /\ (1 <= m1)%Z /\ (n1 <= N)%Z ->
   (m1 < n1)%Z ->
   (0 <= f < Zsucc N)%Z ->
   (i_invariant m1 n1 i2 (access A0 f) A1 /\
    j_invariant m1 n1 j2 (access A0 f) A1 /\
    m_invariant m1 A1 /\
    n_invariant n1 A1 /\
    (0 <= j2)%Z /\
    (i2 <= N + 1)%Z /\
    termination i2 j2 m1 n1 (access A0 f) A1 /\ permut A1 A) /\
   (i2 > j2)%Z ->
   (m1 < i2)%Z /\ (j2 < n1)%Z ->
   (f > j2)%Z ->
   (i2 > f)%Z ->
   Zwf 0 (f - f) (n1 - m1) /\
   m_invariant f A1 /\
   n_invariant f A1 /\ permut A1 A /\ (1 <= f <= N)%Z.

Proof.
intros m1 n1 i2 j2 A A0 A1 HH_44 HH_43 HH_41 HH_40 HH_39 HH_36 HH_32.
decompose [and] HH_40.
split;
 [ idtac
 | split; [ idtac | split; [ idtac | split; [ assumption | idtac ] ] ] ].
abstract (unfold Zwf; elim H; elim H0; elim H1; elim H2; intros; omega).
apply Lemma_6_c1 with
 (m := m1) (n := n1) (i := i2) (j := j2) (r := access A0 f); auto.
abstract omega.
apply Lemma_6_c2 with
 (m := m1) (n := n1) (i := i2) (j := j2) (r := access A0 f); auto.
abstract omega.
abstract omega.
Qed.
why-2.34/examples/find/find.mlw0000644000175000017500000000672112311670312015022 0ustar  rtusers(**********************************************************************)
(*                                                                    *)
(* FIND, an historical example.                                       *)
(*                                                                    *)
(* The proof of this program was originally done by C. A. R. Hoare    *)
(* and fully detailed in the following paper:                         *)
(*                                                                    *)
(* C. A. R. Hoare, "Proof of a Program: FIND", Communications of the  *)
(* ACM, 14(1), 39--45, January 1971.                                  *)
(*                                                                    *)
(**********************************************************************)
(* Jean-Christophe FILLIATRE, February 98                             *)
(**********************************************************************)

include "arrays.why"

(* specification *)

logic N : int
logic f : int

axiom f_N_range : 1 <= f <= N

predicate found(A : int farray) =
  forall p,q:int. 1 <= p <= f <= q <= N -> A[p] <= A[f] <= A[q]

predicate m_invariant(m : int, A : int farray) =
  m <= f and forall p,q:int. 1 <= p < m <= q <= N -> A[p] <= A[q]

predicate n_invariant(n : int, A : int farray) =
  f <= n and forall p,q:int. 1 <= p <= n < q <= N -> A[p] <= A[q]

predicate i_invariant(m : int, n : int, i : int, r : int, A : int farray) =
  m <= i and (forall p:int. 1 <= p < i -> A[p] <= r) and
  (i <= n -> exists p:int. i <= p <= n and r <= A[p])

predicate j_invariant(m : int, n : int, j : int, r : int, A : int farray) =
  j <= n and (forall q:int. j < q <= N -> r <= A[q]) and
  (m <= j -> exists q:int. m <= q <= j and A[q] <= r)

predicate termination(i:int, j:int, i0:int, j0:int, r:int, A:int farray) =
  (i > i0 and j < j0) or (i <= f <= j and A[f] = r)

(* Implementation part *)

parameter A : int array (* the array *)

let find () =
  { array_length(A) = N+1 }
  init:
  let m = ref 1 in let n = ref N in
  while !m < !n do
    { invariant m_invariant(m,A) and n_invariant(n,A) and permutation(A,A@init) 
             and 1 <= m and n <= N as Inv_mn
      variant n-m }
    let r = A[f] in let i = ref !m in let j = ref !n in 
    begin
      while !i <= !j do
        { invariant i_invariant(m,n,i,r,A) and j_invariant(m,n,j,r,A)
      	         and m_invariant(m,A) and n_invariant(n,A)
		 and 0 <= j and i <= N+1
		 and termination(i,j,m,n,r,A)
      	       	 and permutation(A,A@init) as Inv_ij
          variant N+2+j-i }
        L:

        while A[!i] < r do
          { invariant i_invariant(m, n, i, r, A) 
      	       	   and i@L <= i and i <= n
		   and termination(i, j, m, n, r, A) as Inv_i
      	    variant N+1-i }
          i := !i + 1
        done;
      	
        while r < A[!j] do
          { invariant j_invariant(m, n, j, r, A) 
      	       	   and j <= j@L and m <= j
		   and termination(i, j, m, n, r, A) as Inv_j
            variant j }
       	  j := !j - 1
        done;

        assert { A[j] <= r and r <= A[i] };

        if !i <= !j then begin
          let w = A[!i] in begin A[!i] := A[!j]; A[!j] := w end;
	  assert { exchange(A, A@L, i, j) };
	  assert { A[i] <= r }; assert { r <= A[j] };
	  i := !i + 1;
	  j := !j - 1
        end
      done;

      assert { m < i and j < n };

      if f <= !j then
        n := !j
      else if !i <= f then
        m := !i
      else
        begin n := f; m := f end
    end
  done
  { found(A) and permutation(A,A@) }
why-2.34/examples/find/find_lemmas.v0000644000175000017500000003766612311670312016042 0ustar  rtusers(* Load Programs. *)(**********************************************************************)
(*                                                                    *)
(* FIND, an historical example.                                       *)
(*                                                                    *)
(* The proof of this program was originally done by C. A. R. Hoare    *)
(* and fully detailed in the following paper:                         *)
(*                                                                    *)
(* C. A. R. Hoare, , Communications of the  *)
(* ACM, 14(1), 39--45, January 1971.                                  *)
(*                                                                    *)
(**********************************************************************)
(* Jean-Christophe FILLIATRE, February 98                             *)
(**********************************************************************)
(* find_lemmas.v                                                      *)
(**********************************************************************)

Require Import find_spec.
Require Import Why.
Require Import Omega.

(* Lemmas *)

Lemma Lemma_1 : forall A:array Z, m_invariant 1 A.
Proof.
intro A.
 unfold m_invariant.
split; [ exact le_1_f | intros ].
absurd (1 <= p)%Z; abstract omega.
Qed.

Lemma Lemma_2 : forall A:array Z, n_invariant N A.
Proof.
intro A.
 unfold n_invariant.
split; [ exact le_f_N | intros ].
absurd (q <= N)%Z; abstract omega.
Qed.

Lemma Lemma_3 :
 forall (m n:Z) (A:array Z),
   m_invariant m A -> n_invariant n A -> (m >= n)%Z -> found A.
Proof.
unfold m_invariant, n_invariant, found.
intros m n A H_m H_n le_n_m p q H1 H2 H3 H4.
cut (m = f).
 cut (n = f).
 intros eq_m_f eq_n_f.
decompose [and] H_m.
 decompose [and] H_n.
split.
case (Z_le_lt_eq_dec p f H2).
  intro lt_p_f.
 generalize (H0 p f).
 intros.
 abstract omega.
  intro eq_p_f.
 rewrite eq_p_f.
 abstract omega.
case (Z_le_lt_eq_dec f q H3).
  intro lt_f_q.
 generalize (H6 f q).
 intros.
 abstract omega.
  intro eq_f_q.
 rewrite eq_f_q.
 abstract omega.
abstract omega.
abstract omega.
Qed.

Lemma Lemma_4 :
 forall (m:Z) (A:array Z),
   m_invariant m A ->
   forall p:Z, (1 <= p < m)%Z -> (access A p <= access A f)%Z.
Proof.
unfold m_invariant.
 intros m A H_m p H_p.
decompose [and] H_m.
generalize (H0 p f).
intros.
 generalize le_f_N.
 abstract omega.
Qed.

Lemma Lemma_5 :
 forall (n:Z) (A:array Z),
   n_invariant n A ->
   forall q:Z, (n < q <= N)%Z -> (access A f <= access A q)%Z.
Proof.
unfold n_invariant.
 intros n A H_n q H_q.
decompose [and] H_n.
generalize (H0 f q).
intros.
 generalize le_1_f.
 abstract omega.
Qed.

Lemma Lemma_6_a :
 forall (m n i j r:Z) (A:array Z),
   (i > j)%Z ->
   m_invariant m A ->
   n_invariant n A ->
   i_invariant m n i r A ->
   j_invariant m n j r A -> (f <= j)%Z -> n_invariant j A.
Proof.
unfold m_invariant, n_invariant, i_invariant, j_invariant.
intros m n i j r A lt_i_j H_m H_n H_i H_j le_f_j.
decompose [and] H_m.
 decompose [and] H_n.
 decompose [and] H_i.
 decompose [and] H_j.
 clear H_m H_n H_i H_j.
split.
assumption.
intros.
 generalize (H5 p).
 generalize (H8 q).
abstract omega.
Qed.

Lemma Lemma_6_b :
 forall (m n i j r:Z) (A:array Z),
   (i > j)%Z ->
   m_invariant m A ->
   n_invariant n A ->
   i_invariant m n i r A ->
   j_invariant m n j r A -> (i <= f)%Z -> m_invariant i A.
Proof.
unfold m_invariant, n_invariant, i_invariant, j_invariant.
intros m n i j r A lt_j_i H_m H_n H_i H_j le_i_f.
decompose [and] H_m.
 decompose [and] H_n.
 decompose [and] H_i.
 decompose [and] H_j.
 clear H_m H_n H_i H_j.
split.
assumption.
intros.
 generalize (H5 p).
 generalize (H8 q).
abstract omega.
Qed.

Lemma Lemma_6_c1 :
 forall (m n i j r:Z) (A:array Z),
   (i > j)%Z ->
   m_invariant m A ->
   n_invariant n A ->
   i_invariant m n i r A ->
   j_invariant m n j r A -> (j < f < i)%Z -> m_invariant f A.
Proof.
unfold m_invariant, n_invariant, i_invariant, j_invariant.
intros m n i j r A lt_j_i H_m H_n H_i H_j lt_j_f_i.
decompose [and] H_m.
 decompose [and] H_n.
 decompose [and] H_i.
 decompose [and] H_j.
 clear H_m H_n H_i H_j.
split.
abstract omega.
intros.
generalize (H5 p).
 generalize (H8 q).
abstract omega.
Qed.

Lemma Lemma_6_c2 :
 forall (m n i j r:Z) (A:array Z),
   (i > j)%Z ->
   m_invariant m A ->
   n_invariant n A ->
   i_invariant m n i r A ->
   j_invariant m n j r A -> (j < f < i)%Z -> n_invariant f A.
Proof.
unfold m_invariant, n_invariant, i_invariant, j_invariant.
intros m n i j r A lt_j_i H_m H_n H_i H_j lt_j_f_i.
decompose [and] H_m.
 decompose [and] H_n.
 decompose [and] H_i.
 decompose [and] H_j.
 clear H_m H_n H_i H_j.
split.
abstract omega.
intros.
generalize (H5 p).
 generalize (H8 q).
abstract omega.
Qed.

(* Lemma 7 is not useful because we don't do a \verb statement
   to exit the loop. Actually, we do \verb and [Lemma_6_c1]
   and [Lemma_6_c2] are what we need *)

Lemma Lemma_8 :
 forall (i m r:Z) (A:array Z),
   (access A i <= r)%Z ->
   (m <= i)%Z /\
   (forall p:Z, (1 <= p)%Z -> (p < i)%Z -> (access A p <= r)%Z) ->
   (m <= Zsucc i)%Z /\
   (forall p:Z, (1 <= p)%Z -> (p < Zsucc i)%Z -> (access A p <= r)%Z).
Proof.
intros i m r A H H0.
decompose [and] H0.
split.
abstract omega.
intros.
elim (Z_le_lt_eq_dec p i); [ auto | idtac | abstract omega ].
intro Heq.
 rewrite Heq.
 auto.
Qed.

Lemma Lemma_9 :
 forall (j n r:Z) (A:array Z),
   (r <= access A j)%Z ->
   (j <= n)%Z /\
   (forall q:Z, (j < q)%Z -> (q <= N)%Z -> (r <= access A q)%Z) ->
   (Zpred j <= n)%Z /\
   (forall q:Z, (Zpred j < q)%Z -> (q <= N)%Z -> (r <= access A q)%Z).
Proof.
intros j n r A H H0.
decompose [and] H0.
split.
unfold Zpred.
 abstract omega.
intros.
elim (Z_le_lt_eq_dec j q).
auto.
intro Heq.
 rewrite <- Heq.
 auto.
unfold Zpred in H3.
 abstract omega.
Qed.

Lemma Lemma_10 :
 forall (m i j r:Z) (A A':array Z),
   (m <= i <= j)%Z ->
   exchange A A' i j ->
   (forall p:Z, (1 <= p)%Z -> (p < i)%Z -> (access A p <= r)%Z) ->
   (m <= i)%Z /\
   (forall p:Z, (1 <= p)%Z -> (p < i)%Z -> (access A' p <= r)%Z).
Proof.
intros m i j r A A' H_i_j H_ex H_A.
elim H_ex.
 intros H_l H_i H_j H_Ai H_Aj H_Ak.
split; [ abstract omega | intros p H1 H2 ].
generalize (H_Ak p).
 intros.
generalize (H_A p).
 intros.
 abstract omega.
Qed.

Lemma Lemma_8_10_1 :
 forall (m n i j r:Z) (A A':array Z),
   (m <= i <= j)%Z ->
   (n <= N)%Z ->
   (1 <= m)%Z ->
   exchange A A' i j ->
   (access A i <= r)%Z ->
   (r <= access A j)%Z ->
   i_invariant m n i r A' ->
   j_invariant m n j r A' -> i_invariant m n i r A.
Proof.
intros m n i j r A A' H_i_j le_n_N le_1_m H_ex H_i_r H_r_j H_i H_j.
unfold i_invariant.
 unfold i_invariant in H_i.
 decompose [and] H_i.
split; [ abstract omega | split ].
intros p H1' H2'.
 cut (exchange A' A i j).
 intro H_ex'.
elim (Lemma_10 m i j r A' A H_i_j H_ex' H1).
auto.
 auto with datatypes.
intro.
 exists j.
   unfold j_invariant in H_j.
 decompose [and] H_j.
  abstract omega.
Qed.

Lemma Lemma_8_10 :
 forall (m n i j r:Z) (A A':array Z),
   array_length A = (N + 1)%Z ->
   (m <= i <= j)%Z ->
   (n <= N)%Z ->
   (1 <= m)%Z ->
   exchange A A' i j ->
   (access A i <= r)%Z ->
   (r <= access A j)%Z ->
   i_invariant m n i r A' ->
   j_invariant m n j r A' -> i_invariant m n (Zsucc i) r A.
Proof.
intros m n i j r A A' Hl H_i_j le_n_N le_1_m H_ex H_i_r H_r_j H_i H_j.
cut (i_invariant m n i r A).
 intro H_int.
 unfold i_invariant.
 unfold i_invariant in H_int.
 decompose [and] H_int.
split; [ abstract omega | split ].
intros p H1' H2'.
 elim (Lemma_8 i m r A H_i_r (conj H H1)); auto.
unfold j_invariant in H_j.
 decompose [and] H_j.
cut (i <= j)%Z.
 intro le_i_j.
 case (Z_le_lt_eq_dec i j le_i_j).
   intros.
 exists j.
 abstract omega.
intros eq_i_j lt_i_n.
  exists (Zsucc i).
  split; [ abstract omega | split; [ assumption | idtac ] ].
  generalize (exchange_id H_ex eq_i_j).
 intro Hk.
  cut (access A (Zsucc i) = access A' (Zsucc i)).
 intro Hr.
 rewrite Hr.
  apply (H4 (Zsucc i)); abstract omega.
  apply (Hk (Zsucc i)); try omega.
omega.
apply Lemma_8_10_1 with (j := j) (A' := A'); assumption.
Qed.

Lemma Lemma_11 :
 forall (n i j r:Z) (A A':array Z),
   array_length A = (N + 1)%Z ->
   (i <= j <= n)%Z ->
   exchange A A' i j ->
   (forall q:Z, (j < q)%Z -> (q <= N)%Z -> (r <= access A q)%Z) ->
   (j <= n)%Z /\
   (forall q:Z, (j < q)%Z -> (q <= N)%Z -> (r <= access A' q)%Z).
Proof.
intros n i j r A A' HN H_i_j H_ex H_A.
elim H_ex.
 intros Hl H_i H_j H_Ai H_Aj H_Ak.
split; [ abstract omega | intros q H1 H2 ].
generalize (H_Ak q).
 intros.
generalize (H_A q).
 intros.
 abstract omega.
Qed.

Lemma Lemma_9_11_1 :
 forall (m n i j r:Z) (A A':array Z),
   array_length A = (N + 1)%Z ->
   (i <= j <= n)%Z ->
   (n <= N)%Z ->
   (1 <= m)%Z ->
   exchange A A' i j ->
   (access A i <= r)%Z ->
   (r <= access A j)%Z ->
   j_invariant m n j r A' ->
   i_invariant m n i r A' -> j_invariant m n j r A.
Proof.
intros m n i j r A A' HN H_i_j le_n_N le_1_m H_ex H_i_r H_r_j H_j H_i.
unfold j_invariant.
 unfold j_invariant in H_j.
 decompose [and] H_j.
split; [ abstract omega | split ].
intros q H1' H2'.
 cut (exchange A' A i j).
 intro H_ex'.
SameLength A A'.
 rewrite H0 in HN.
elim (Lemma_11 n i j r A' A HN H_i_j H_ex' H1).
auto.
 auto with datatypes.
intro.
 exists i.
   unfold i_invariant in H_i.
 decompose [and] H_i.
  abstract omega.
Qed.

Lemma Lemma_9_11 :
 forall (m n i j r:Z) (A A':array Z),
   array_length A = (N + 1)%Z ->
   (i <= j <= n)%Z ->
   (n <= N)%Z ->
   (1 <= m)%Z ->
   exchange A A' i j ->
   (access A i <= r)%Z ->
   (r <= access A j)%Z ->
   j_invariant m n j r A' ->
   i_invariant m n i r A' -> j_invariant m n (Zpred j) r A.
Proof.
intros m n i j r A A' HN H_i_j le_n_N le_1_m H_ex H_i_r H_r_j H_j H_i.
cut (j_invariant m n j r A).
 intro H_int.
 unfold j_invariant.
 unfold j_invariant in H_int.
 decompose [and] H_int.
split; [ unfold Zpred; abstract omega | split ].
intros q H1' H2'.
 elim (Lemma_9 j n r A H_r_j (conj H H1)); auto.
unfold i_invariant in H_i.
 decompose [and] H_i.
cut (i <= j)%Z.
 intro le_i_j.
 case (Z_le_lt_eq_dec i j le_i_j).
   intros.
 exists i.
 unfold Zpred.
 abstract omega.
intros eq_i_j lt_m_j.
  exists (Zpred j).
   split;
    [ unfold Zpred; unfold Zpred in lt_m_j; abstract omega
    | split;
       [ unfold Zpred; unfold Zpred in lt_m_j; abstract omega | idtac ] ].
  generalize (exchange_id H_ex eq_i_j).
 intro Hk.
  cut (access A (Zpred j) = access A' (Zpred j)).
 intro Hr.
 rewrite Hr.
  apply (H4 (Zpred j)); unfold Zpred; unfold Zpred in lt_m_j;
   abstract omega.
  apply (Hk (Zpred j)); unfold Zpred; abstract omega.
abstract omega.
apply Lemma_9_11_1 with (i := i) (A' := A'); assumption.
Qed.

Lemma Lemma_12 :
 forall (m i j:Z) (A A':array Z),
   array_length A = (N + 1)%Z ->
   (m <= i <= j)%Z ->
   exchange A A' i j ->
   (forall p q:Z,
      (1 <= p)%Z ->
      (p < m)%Z ->
      (m <= q)%Z -> (q <= N)%Z -> (access A p <= access A q)%Z) ->
   forall p q:Z,
     (1 <= p)%Z ->
     (p < m)%Z ->
     (m <= q)%Z -> (q <= N)%Z -> (access A' p <= access A' q)%Z.
Proof.
intros m i j A A' HN H_m_i_j H_ex H_A p q H1 H2 H3 H4.
elim H_ex.
 intros Hl H_i H_j H_ij H_ji H_k.
cut (access A' p = access A p).
 intro H_A'p_Ap.
case (Z_eq_dec q i).
  intro eq_q_i.
  generalize (H_A p j H1 H2).
 intro H6.
  rewrite eq_q_i.
 abstract omega.
intro not_eq_q_i.
 case (Z_eq_dec q j).
  intro eq_q_j.
  generalize (H_A p i H1 H2).
 intro H6.
  rewrite eq_q_j.
 abstract omega.
intro not_eq_q_j.
  generalize (H_k q).
 intros.
  generalize (H_A p q).
 intros.
  abstract omega.
generalize (H_k p).
 intros.
 abstract omega.
Qed.

Lemma Lemma_12' :
 forall (m i j:Z) (A A':array Z),
   array_length A = (N + 1)%Z ->
   (m <= i <= j)%Z ->
   exchange A A' i j -> m_invariant m A -> m_invariant m A'.
Proof.
unfold m_invariant.
intros m i j A A' HN H_m_i_j H_ex H_m.
decompose [and] H_m.
split; [ assumption | idtac ].
exact (Lemma_12 m i j A A' HN H_m_i_j H_ex H0).
Qed.

Lemma Lemma_13 :
 forall (n i j:Z) (A A':array Z),
   array_length A = (N + 1)%Z ->
   (1 <= i)%Z ->
   (i <= j <= n)%Z ->
   exchange A A' i j ->
   (forall p q:Z,
      (1 <= p)%Z ->
      (p <= n)%Z ->
      (n < q)%Z -> (q <= N)%Z -> (access A p <= access A q)%Z) ->
   forall p q:Z,
     (1 <= p)%Z ->
     (p <= n)%Z ->
     (n < q)%Z -> (q <= N)%Z -> (access A' p <= access A' q)%Z.
Proof.
intros n i j A A' HN le_1_i H_n_i_j H_ex H_A p q H1 H2 H3 H4.
elim H_ex.
 intros Hl H_i H_j H_ij H_ji H_k.
cut (access A' q = access A q).
 intro H_A'q_Aq.
case (Z_eq_dec p i).
  intro eq_p_i.
  generalize (H_A j q).
 intro H6.
  rewrite eq_p_i.
 abstract omega.
intro not_eq_p_i.
 case (Z_eq_dec p j).
  intro eq_p_j.
  generalize (H_A i q).
 intro H6.
  rewrite eq_p_j.
 abstract omega.
intro not_eq_p_j.
  generalize (H_k p).
 intros.
  generalize (H_A p q).
 intros.
  abstract omega.
generalize (H_k q).
 intros.
 abstract omega.
Qed.

Lemma Lemma_13' :
 forall (n i j:Z) (A A':array Z),
   array_length A = (N + 1)%Z ->
   (1 <= i)%Z ->
   (i <= j <= n)%Z ->
   exchange A A' i j -> n_invariant n A -> n_invariant n A'.
Proof.
unfold n_invariant.
intros n i j A A' HN le_1_i H_i_j_n H_ex H_n.
decompose [and] H_n.
split; [ assumption | idtac ].
exact (Lemma_13 n i j A A' HN le_1_i H_i_j_n H_ex H0).
Qed.

Lemma Lemma_14 :
 forall (m n:Z) (A:array Z),
   (m <= f <= n)%Z ->
    exists p : Z, (m <= p)%Z /\ (p <= n)%Z /\ (access A f <= access A p)%Z.
Proof.
intros m n A H_m_f_n.
exists f.
 abstract omega.
Qed.

Lemma Lemma_4_14 :
 forall (m n:Z) (A:array Z),
   (m <= f <= n)%Z ->
   m_invariant m A -> i_invariant m n m (access A f) A.
Proof.
intros m n A H_f H_m.
unfold i_invariant.
split; [ abstract omega | split ].
intros.
 eapply Lemma_4; eauto.
intro.
 apply Lemma_14; auto.
Qed.

Lemma Lemma_14' :
 forall (m n:Z) (A:array Z),
   (m <= f <= n)%Z ->
    exists q : Z, (m <= q)%Z /\ (q <= n)%Z /\ (access A q <= access A f)%Z.
Proof.
intros m n A H_m_f_n.
exists f.
 abstract omega.
Qed.

Lemma Lemma_5_14' :
 forall (m n:Z) (A:array Z),
   (m <= f <= n)%Z ->
   n_invariant n A -> j_invariant m n n (access A f) A.
Proof.
intros m n A H_f H_n.
unfold j_invariant.
split; [ abstract omega | split ].
intros.
 eapply Lemma_5; eauto.
intro.
 apply Lemma_14'; auto.
Qed.

Lemma Lemma_15 :
 forall (n i r:Z) (A:array Z),
   (access A i < r)%Z ->
   ( exists p : Z, (i <= p)%Z /\ (p <= n)%Z /\ (r <= access A p)%Z) ->
    exists p : Z, (Zsucc i <= p)%Z /\ (p <= n)%Z /\ (r <= access A p)%Z.
Proof.
intros n i r A H H0.
elim H0.
 intros p Hp.
 decompose [and] Hp.
case (Z_le_lt_eq_dec i p H1).
intro.
 exists p.
 abstract omega.
intro eq_i_p.
 absurd (r <= access A p)%Z.
 rewrite <- eq_i_p.
 abstract omega.
 assumption.
Qed.

Lemma Lemma_8_15 :
 forall (i m n r:Z) (A:array Z),
   i_invariant m n i r A ->
   (access A i < r)%Z -> i_invariant m n (Zsucc i) r A.
Proof.
unfold i_invariant.
intros i m n r A H H0.
decompose [and] H.
split.
abstract omega.
split.
elim (Lemma_8 i m r A); [ auto | abstract omega | auto ].
intro.
 apply Lemma_15; auto.
 apply H4; abstract omega.
Qed.


Lemma Lemma_17' :
 forall (j m n r:Z) (A:array Z),
   j_invariant m n j r A ->
   (1 <= m)%Z -> (m <= j)%Z -> (r < access A j)%Z -> (0 < j)%Z.
Proof.
unfold j_invariant.
intros j m n r A H Hm le_m_j H0.
decompose [and] H.
elim (H4 le_m_j).
 intros q Hq.
 decompose [and] Hq.
  case (Z_le_lt_eq_dec q j H6).
    intro.
 abstract omega.
    intro eq_q_j.
 absurd (access A q <= r)%Z.
 rewrite eq_q_j.
     abstract omega.
 assumption.
Qed.

Lemma Lemma_17 :
 forall (m j r:Z) (A:array Z),
   (r < access A j)%Z ->
   ( exists q : Z, (m <= q)%Z /\ (q <= j)%Z /\ (access A q <= r)%Z) ->
    exists q : Z, (m <= q)%Z /\ (q <= Zpred j)%Z /\ (access A q <= r)%Z.
Proof.
intros m j r A H H0.
elim H0.
 intros q Hq.
 decompose [and] Hq.
case (Z_le_lt_eq_dec q j H3).
intro.
 exists q.
 unfold Zpred.
 abstract omega.
intro eq_q_j.
 absurd (access A q <= r)%Z.
 rewrite eq_q_j.
 abstract omega.
 assumption.
Qed.

Lemma Lemma_9_17 :
 forall (j m n r:Z) (A:array Z),
   j_invariant m n j r A ->
   (r < access A j)%Z -> j_invariant m n (Zpred j) r A.
Proof.
unfold j_invariant.
intros j m n r A H H0.
decompose [and] H.
split.
unfold Zpred.
 abstract omega.
split.
elim (Lemma_9 j n r A); [ auto | abstract omega | auto ].
intro.
 apply Lemma_17; auto.
 apply H4.
unfold Zpred in H2; abstract omega.
Qed.
why-2.34/examples/find/.depend0000644000175000017500000000054712311670312014621 0ustar  rtusersfind_lemmas.vo: find_lemmas.v ./find_spec.vo ../../lib/coq/Why.vo
find_proofs.vo: find_proofs.v ./find_spec.vo ./find_lemmas.vo ../../lib/coq/Why.vo
find_spec.vo: find_spec.v ../../lib/coq/WhyArrays.vo
find_valid.vo: find_valid.v ../../lib/coq/Why.vo ./find_why.vo
find_why.vo: find_why.v ./find_spec.vo ./find_lemmas.vo ./find_proofs.vo ../../lib/coq/Why.vo
why-2.34/examples/find/find_why.v0000644000175000017500000002156312311670312015360 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Export find_spec.
Require Import find_lemmas.
Require Import find_proofs.

Require Import Why.
Require Import Omega.


Proof.
intros; generalize le_f_N; generalize le_1_f.
intuition; SameLength A0 A; omega.
Qed.

Proof.
intuition SameLength A1 A.
unfold i_invariant in H13; omega.
omega.
Qed.

Proof.
intros.
 subst r.
subst i3.
generalize
 (subgoal_1 m1 n1 i1 j1 i2 A A0 A1 Inv_mn Test14 zero_f_SN Inv_ij Test9
    Inv_i Test4).
intuition.
Qed.

Proof.
intuition.
unfold j_invariant in H8; unfold termination in H12; omega.
Qed.

Proof.
intuition SameLength A1 A.
unfold j_invariant in H8; unfold termination in H12; omega.
unfold j_invariant in H8; unfold termination in H12; omega.
Qed.

Proof.
intros.
 subst r.
subst j3.
generalize
 (subgoal_2 m1 n1 i1 j1 i2 j2 A A0 A1 Inv_mn Test14 zero_f_SN Inv_ij
    Test9 Inv_i Inv_j Test6).
intuition.
Qed.

Proof.
intuition.
unfold m_invariant in H7.
unfold termination in H12.
omega.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition SameLength A1 A.
unfold i_invariant in H16; omega.
unfold i_invariant in H16; omega.
Qed.

Proof.
intuition SameLength A1 A.
unfold termination in H28; unfold j_invariant in H25; omega.
unfold termination in H28; unfold j_invariant in H25; omega.
Qed.

Proof.
intuition WhyArrays.
ArraySubst A2; omega.
Qed.

Proof.
intros.
subst r.
assert (H: exchange A3 A1 i2 j2).
subst A3.
 subst A2.
 subst w.
auto with datatypes.

assert (H0: (access A3 i2 <= access A0 f)).
elim H; intros; rewrite H3; omega.
assert (H1: (access A0 f <= access A3 j2)).
elim H; intros; rewrite H5; omega.
generalize
 (subgoal_3 m1 n1 i1 j1 i2 j2 A A0 A1 A3 Pre27 Inv_mn Test14 zero_f_SN
    Inv_ij Test9 Inv_i Inv_j Pre22 Test8 H H0 H1).
intuition subst; intuition.
Qed.

Proof.
intuition.
 Qed.

Proof.
intros; subst r i j; intuition.
apply Lemma_4_14; auto.
elim H; elim H3; omega.
apply Lemma_5_14'; auto.
elim H; elim H3; omega.
unfold termination; right; elim H; elim H3; intros; split.
omega.
auto.
Qed.

Proof.
intuition elim H13; omega.
Qed.

Proof.
intros; subst n2 r.
assert (array_length A0 = array_length A).
intuition; ProveSameLength A0 A.
rewrite H in Pre25; rewrite Pre27 in Pre25.
generalize
 (subgoal_5 m1 n1 i1 j1 A A0 A1 Inv_mn Test14 Pre25 Inv_ij Pre24 Test13).
intuition.
Qed.

Proof.
intros; subst m2 r.
assert (array_length A0 = array_length A).
intuition; ProveSameLength A0 A.
rewrite H in Pre25; rewrite Pre27 in Pre25.
generalize
 (subgoal_6 m1 n1 i1 j1 A A0 A1 Inv_mn Test14 Pre25 Inv_ij Pre24 Test12
    Test11).
intuition.
Qed.

Proof.
intros; subst n2 m2 r.
assert (array_length A0 = array_length A).
intuition; ProveSameLength A0 A.
rewrite H in Pre25; rewrite Pre27 in Pre25.
generalize
 (subgoal_7 m1 n1 i1 j1 A A0 A1 Inv_mn Test14 Pre25 Inv_ij Pre24 Test12
    Test10).
intuition.
Qed.

Proof.
intuition.
subst m; exact (Lemma_1 A).
subst n; exact (Lemma_2 A).
Qed.

Proof.
intuition.
apply Lemma_3 with (m := m1) (n := n1); auto.
Qed.


Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A119:Set) (a1:(array A119)) (a2:(array A119)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A128:Set) (a1:(array A128)) (a2:(array A128))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

(*Why logic*) Definition N : Z.
Admitted.

(*Why logic*) Definition f : Z.
Admitted.

(*Why axiom*) Lemma f_N_range : 1 <= f /\ f <= N.
Admitted.

(*Why predicate*) Definition found  (A:(array Z))
  := (forall (p:Z),
      (forall (q:Z),
       (((1 <= p /\ p <= f) /\ f <= q) /\ q <= N -> (access A p) <=
        (access A f) /\ (access A f) <= (access A q)))).

(*Why predicate*) Definition m_invariant  (m:Z) (A:(array Z))
  := m <= f /\
     (forall (p:Z),
      (forall (q:Z),
       (((1 <= p /\ p < m) /\ m <= q) /\ q <= N -> (access A p) <=
        (access A q)))).

(*Why predicate*) Definition n_invariant  (n:Z) (A:(array Z))
  := f <= n /\
     (forall (p:Z),
      (forall (q:Z),
       (((1 <= p /\ p <= n) /\ n < q) /\ q <= N -> (access A p) <=
        (access A q)))).

(*Why predicate*) Definition i_invariant  (m:Z) (n:Z) (i:Z) (r:Z) (A:(array Z))
  := m <= i /\ (forall (p:Z), (1 <= p /\ p < i -> (access A p) <= r)) /\
     ((i <= n -> (exists p:Z, (i <= p /\ p <= n) /\ r <= (access A p)))).

(*Why predicate*) Definition j_invariant  (m:Z) (n:Z) (j:Z) (r:Z) (A:(array Z))
  := j <= n /\ (forall (q:Z), (j < q /\ q <= N -> r <= (access A q))) /\
     ((m <= j -> (exists q:Z, (m <= q /\ q <= j) /\ (access A q) <= r))).

(*Why predicate*) Definition termination  (i:Z) (j:Z) (i0:Z) (j0:Z) (r:Z) (A:(array Z))
  := i > i0 /\ j < j0 \/ (i <= f /\ f <= j) /\ (access A f) = r.

why-2.34/examples/maximumsort/0000755000175000017500000000000012311670312015020 5ustar  rtuserswhy-2.34/examples/maximumsort/Makefile0000644000175000017500000000012312311670312016454 0ustar  rtusers
VO = maximumsort_valid.vo

all: maximumsort_valid.vo

include ../Makefile.common

why-2.34/examples/maximumsort/maximumsort.mlw0000644000175000017500000000257512311670312020137 0ustar  rtusers
include "arrays.why"

(* maxisort: Maximum sort *)

(* swapping two elements of an array *)
let swap (t:int array)(i,j:int) =
  { 0 <= i < array_length(t) and 0 <= j < array_length(t) }
  (let v = t[i] in
   begin
     t[i] := t[j];
     t[j] := v
   end)
  { exchange(t,t@,i,j) }

(* Maximize(t,n,x,k) is
   forall i, k <= i <= n implies t[k]<= x *) 
(*external logic Maximize: int farray, int, int, int -> prop*)
predicate Maximize(t:int array, n:int, x:int, k:int) =
  forall i:int. k <= i <= n -> t[k]<= x

(* returns the index of the maximum element of t[0..n] *)
let rec maximum (t:int array)(n,k,i:int): int { variant k } =
  { 0 <= k <= i and i <= n and n < array_length(t) and 
    Maximize(t,n,t[i],k) }
  (if k=0
   then i
   else
    let nk=k-1
    in if t[nk]>t[i]
   then (maximum t n nk nk)
   else (maximum t n nk i))
  { 0 <= result <= n and Maximize(t,n,t[result],0) }

(* Maximum sort *)
let maxisort (t:int array) =
  { 0 <= array_length(t) }
  init:
  (let i = ref ((array_length_ t)-1) in
   while !i >= 0 do
      { invariant 0 <= i+1 <= array_length(t)
            and sorted_array(t,i+1,array_length(t)-1) 
	    and permutation(t,t@init) 
            and (i+1 < array_length(t) -> Maximize(t,i,t[i+1],0))
        variant i+1 }
      (let r = (maximum t !i !i !i) in 
       (swap t !i r));
      i:=!i-1
    done)
  { sorted_array(t,0,array_length(t)-1) and permutation(t,t@) } 
why-2.34/examples/maximumsort/maximumsort_why.v0000644000175000017500000002064012311670312020465 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.


(* ----------- PRELIMINAIRES ------------- *)
(* définition et propriétés de    *)
Require Import Omega.
Require Import ZArithRing.

Ltac omega' := abstract omega.

Set Implicit Arguments.
Unset Strict Implicit.

(* Induction pour vérifier qu'on est le maximum *)
Inductive Maximize (t:array Z) (n m:Z) : Z -> Prop :=
    Maxim_cons :
      forall k:Z,
        ((k <= n)%Z -> (access t k <= m)%Z) ->
        ((k < n)%Z -> Maximize t n m (k + 1)%Z) -> Maximize t n m k.

(* Signification  de ce prédicat: *)
Lemma Maximize_ext1 :
 forall (t:array Z) (n m k i:Z),
   Maximize t n m k -> (k <= i <= n)%Z -> (access t i <= m)%Z.
  Proof.
  intros t n m k i H1; elim H1; auto.
  intros k0 H2 H3 HR H4; case (Z_eq_dec k0 i).
   intros H; rewrite <- H; apply H2; omega'.
   intros; apply HR; omega'.
Qed.

Lemma Maximize_ext2 :
 forall (t:array Z) (n m k:Z),
   (forall i:Z, (k <= i <= n)%Z -> (access t i <= m)%Z) ->
   Maximize t n m k.
  Proof.
  intros t n m k.
     refine
      (well_founded_ind (Zwf_up_well_founded n)
         (fun k:Z =>
            (forall i:Z, (k <= i <= n)%Z -> (access t i <= m)%Z) ->
            Maximize t n m k) _ _).
     clear k; intros k HR H.
     constructor 1.
       intros; apply H; omega'.
       intros; apply HR.
         unfold Zwf_up; omega'.
         intros; apply H; omega'.
Qed.

(* compatibilité de  avec  *)
Lemma Maximize_Zle :
 forall (t:array Z) (n m1 m2 k:Z),
   Maximize t n m1 k -> (k <= n)%Z -> (m1 <= m2)%Z -> Maximize t n m2 k.
  Proof.
  intros t n m1 m2 k H0; elim H0.
  intros k0 H1 H2 H3 H4 H5; constructor 1.
  omega'.
 intros; apply H3; omega'.
Qed.

Set Strict Implicit.
Unset Implicit Arguments.
(* ----------- FIN PRELIMINAIRES ----------- *)


Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
ArraySubst t0.
Save.

Proof.
intuition.
subst; auto with *.
Save.


(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A111:Set) (a1:(array A111)) (a2:(array A111)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A120:Set) (a1:(array A120)) (a2:(array A120))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

(*Why predicate*) Definition Maximize  (t:(array Z)) (n:Z) (x:Z) (k:Z)
  := (forall (i:Z), (k <= i /\ i <= n -> (access t k) <= x)).

Proof.
intuition.
subst; auto.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition; subst.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.


Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

(* Début: preuve de  *)

  Proof.
  intros; split.
  Omega'.
  rewrite Test4 in Pre18; tauto.
Qed.

   Proof.
   intros; Omega'.
Qed.

  Proof.
  intros; Omega'.
Qed.

Proof.
repeat (split; [ Omega' | auto ]).
subst nk.
ring (k0 - 1 + 1)%Z; intros;
 apply Maximize_Zle with (m1 := access t i0); Omega' || tauto.
Qed.

  Proof.
  intros; subst nk; unfold Zwf; Omega'.
  Qed.

  Proof.
  intros; subst nk.
  repeat (split; [ Omega' | auto ]); ring (k0 - 1 + 1)%Z; tauto.
Qed.

  Proof.
  intros; subst nk.
  unfold Zwf; Omega'.
  Qed.


(* fin preuve de maximum *)

  Proof.
  intros; split.
 Omega'.
 split.
 Omega'.
 split.
 Omega'.
  constructor 1.
 Omega'.
  intros H; absurd (i1 < i1)%Z; Omega'.
Qed.

  Proof.
  intros; Omega'.
Qed.

 Proof.
 intros; decompose [and] Pre8; clear Pre8; split.
   ArrayLength.
   split.
   omega.
   split.
   (* post-condition 1 *)
   unfold sorted_array in H0; unfold sorted_array.
   intros C1 k C2 C3; case Post9.
    intros Clength C4 C5 C6 C7 C8.
     case (Z_eq_dec k i1).
       intros C9; rewrite C9; rewrite C6; rewrite C8; try Omega'.
       apply Maximize_ext1 with (n := i1) (k := 0%Z); try Omega'.
         apply H5; Omega'.
       intros C9; rewrite C8; try Omega'.
 rewrite C8; try Omega'.
       apply H0; try Omega'.
   (* post-condition 2 *)
   split.
 apply permut_trans with (t' := t0); auto.
   eapply exchange_is_permut; eauto.
   (* post-condition 3 *)
   decompose [and] Post7; clear Post7.
 case Post9; clear Post9.
   intros Clength C1 C2 C3 C4 C5 C5a; replace (i0 + 1)%Z with i1.
 rewrite C3.
     apply Maximize_ext2; intros i' C6.
     case (Z_eq_dec i' r).
       intros C7; rewrite C7; rewrite C4.
         apply Maximize_ext1 with (n := i1) (k := 0%Z); try Omega';
          auto.
       intros; rewrite C5; try Omega'.
         apply Maximize_ext1 with (n := i1) (k := 0%Z); try Omega';
          auto.
   omega.
   unfold Zwf; omega.
Qed.

  Proof.
  intros; subst i; ring (array_length t - 1 + 1)%Z; split.
   Omega'.
  split.
 unfold sorted_array; intros H;
  absurd (array_length t <= array_length t - 1)%Z; [ Omega' | auto ].
  split.
 apply permut_refl.
  intros H; absurd (array_length t < array_length t)%Z;
   [ Omega' | auto ].
Qed.

  Proof.
  intros; cut ((i1 + 1)%Z = 0%Z);
   [ intros H; rewrite H in Post2; split; tauto | Omega' ].
Qed.



Proof.
(* FILL PROOF HERE *)
Save.

why-2.34/examples/maximumsort/.depend0000644000175000017500000000021712311670312016260 0ustar  rtusersmaximumsort_valid.vo: maximumsort_valid.v ../../lib/coq/Why.vo ./maximumsort_why.vo
maximumsort_why.vo: maximumsort_why.v ../../lib/coq/Why.vo
why-2.34/examples/maximumsort/maximumsort_why.sx0000644000175000017500000004053012311670312020652 0ustar  rtusers(BG_PUSH 
  ; array_length
  (FORALL (t i v) (EQ (array_length (store t i v)) (array_length t)))
  ; booleans
  (DISTINCT |@true| |@false|)
  ; exchange
  (FORALL (t1 t2 i j)
	  (IFF (EQ (exchange t1 t2 i j) |@true|)
	       (AND (EQ (array_length t1) (array_length t2))
		    (EQ (select t1 i) (select t2 j))
		    (EQ (select t1 j) (select t2 i))
		    (FORALL (k) (IMPLIES (AND (NEQ k i) (NEQ k j))
					 (EQ (select t1 k) (select t2 k)))))))
  (FORALL (t1 t2 i j)
	  (IMPLIES (EQ (exchange t1 t2 i j) |@true|)
		   (EQ (array_length t1) (array_length t2))))
  ; permut
  (FORALL (t) (EQ (permut t t) |@true|))
  (FORALL (t1 t2) (IMPLIES (EQ (permut t1 t2) |@true|)
			   (EQ (permut t2 t1) |@true|)))
  (FORALL (t1 t2 t3) (IMPLIES (AND (EQ (permut t1 t2) |@true|)
				   (EQ (permut t2 t3) |@true|))
			      (EQ (permut t1 t3) |@true|)))
  (FORALL 
   (t i j) 
   (EQ (permut t (store (store t i (select t j)) j (select t i))) |@true|))
  (FORALL (t1 t2)
	  (IMPLIES (EQ (permut t1 t2) |@true|)
		   (EQ (array_length t1) (array_length t2))))
  ; sub_permut
  (FORALL (t g d) (EQ (sub_permut g d t t) |@true|))
  (FORALL (t1 t2 g d) (IMPLIES (EQ (sub_permut g d t1 t2) |@true|)
			   (EQ (sub_permut g d t2 t1) |@true|)))
  (FORALL (t1 t2 t3 g d) (IMPLIES (AND (EQ (sub_permut g d t1 t2) |@true|)
				       (EQ (sub_permut g d t2 t3) |@true|))
				  (EQ (sub_permut g d t1 t3) |@true|)))
  (FORALL 
   (t g d i j) 
   (IMPLIES (AND (<= g i) (<= i d) (<= g j) (<= j d))
	    (EQ (sub_permut g d t 
			    (store (store t i (select t j)) j (select t i))) 
		|@true|)))
  (FORALL 
   (t1 t2 g d i j)
   (IMPLIES (AND (EQ (exchange t1 t2 i j) |@true|)
		 (<= g i) (<= i d) (<= g j) (<= j d))
	    (EQ (sub_permut g d t1 t2) |@true|)))
  (FORALL (t1 t2 i j) 
	  (IMPLIES (EQ (sub_permut i j t1 t2) |@true|)
		   (EQ (permut t1 t2) |@true|)))
  (FORALL (t1 t2 i j)
	  (IMPLIES (EQ (sub_permut i j t1 t2) |@true|)
		   (EQ (array_length t1) (array_length t2))))
  ; sorted_array
  (FORALL 
   (t i j) 
   (IFF (EQ (sorted_array t i j) |@true|)
	(IMPLIES (<= i j)
		 (FORALL (k) (IMPLIES (AND (<= i k) (< k j))
				      (<= (select t k) (select t (+ k 1))))))))
)

(BG_PUSH
 ;; Why axiom Maximize_def
 (FORALL (t)
 (FORALL (n)
 (FORALL (x)
 (FORALL (k)
 (IFF (EQ (Maximize t n x k) |@true|)
 (FORALL (i) (IMPLIES (AND (<= k i) (<= i n)) (<= (select t k) x)))))))))

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; swap_po_1, File "maximumsort.mlw", line 10, characters 5-14
(FORALL (i)
(FORALL (j)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 i) (< i (array_length t)))
         (AND (<= 0 j) (< j (array_length t))))
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t i))
(IMPLIES (AND (<= 0 j) (< j (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t j))
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t i result0)) (AND (<= 0 j) (< j (array_length t0))))))))))))))))

;; swap_po_2, File "maximumsort.mlw", line 12, characters 4-22
(FORALL (i)
(FORALL (j)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 i) (< i (array_length t)))
         (AND (<= 0 j) (< j (array_length t))))
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t i))
(IMPLIES (AND (<= 0 j) (< j (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t j))
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t i result0))
(IMPLIES (AND (<= 0 j) (< j (array_length t0)))
(FORALL (t1) (IMPLIES (EQ t1 (update t0 j result)) (exchange t1 t i j)))))))))))))))))

(DEFPRED (Maximize t n x k)
  (FORALL (i) (IMPLIES (AND (<= k i) (<= i n)) (<= (access t k) x))))

;; maximum_po_1, File "maximumsort.mlw", line 31, characters 4-50
(FORALL (n)
(FORALL (k)
(FORALL (i)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 k) (<= k i))
         (AND (<= i n)
         (AND (< n (array_length t)) (Maximize t n (access t i) k))))
(IMPLIES (EQ k 0)
(AND (AND (<= 0 i) (<= i n)) (Maximize t n (access t i) 0))))))))

;; maximum_po_2, File "maximumsort.mlw", line 28, characters 10-15
(FORALL (n)
(FORALL (k)
(FORALL (i)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 k) (<= k i))
         (AND (<= i n)
         (AND (< n (array_length t)) (Maximize t n (access t i) k))))
(IMPLIES (NEQ k 0) (AND (<= 0 (- k 1)) (< (- k 1) (array_length t)))))))))

;; maximum_po_3, File "maximumsort.mlw", line 28, characters 16-20
(FORALL (n)
(FORALL (k)
(FORALL (i)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 k) (<= k i))
         (AND (<= i n)
         (AND (< n (array_length t)) (Maximize t n (access t i) k))))
(IMPLIES (NEQ k 0)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t (- k 1)))
(AND (<= 0 i) (< i (array_length t))))))))))))

;; maximum_po_4, File "maximumsort.mlw", line 29, characters 9-26
(FORALL (n)
(FORALL (k)
(FORALL (i)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 k) (<= k i))
         (AND (<= i n)
         (AND (< n (array_length t)) (Maximize t n (access t i) k))))
(IMPLIES (NEQ k 0)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t (- k 1)))
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (> result result0) (AND (<= 0 k) (< (- k 1) k)))))))))))))))

;; maximum_po_5, File "maximumsort.mlw", line 29, characters 9-26
(FORALL (n)
(FORALL (k)
(FORALL (i)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 k) (<= k i))
         (AND (<= i n)
         (AND (< n (array_length t)) (Maximize t n (access t i) k))))
(IMPLIES (NEQ k 0)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t (- k 1)))
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (> result result0)
(IMPLIES (AND (<= 0 k) (< (- k 1) k))
(AND (AND (<= 0 (- k 1)) (<= (- k 1) (- k 1)))
(AND (<= (- k 1) n)
(AND (< n (array_length t)) (Maximize t n (access t (- k 1)) (- k 1)))))))))))))))))))

;; maximum_po_6, File "maximumsort.mlw", line 30, characters 9-25
(FORALL (n)
(FORALL (k)
(FORALL (i)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 k) (<= k i))
         (AND (<= i n)
         (AND (< n (array_length t)) (Maximize t n (access t i) k))))
(IMPLIES (NEQ k 0)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t (- k 1)))
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (<= result result0) (AND (<= 0 k) (< (- k 1) k)))))))))))))))

;; maximum_po_7, File "maximumsort.mlw", line 30, characters 9-25
(FORALL (n)
(FORALL (k)
(FORALL (i)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 k) (<= k i))
         (AND (<= i n)
         (AND (< n (array_length t)) (Maximize t n (access t i) k))))
(IMPLIES (NEQ k 0)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t (- k 1)))
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (<= result result0)
(IMPLIES (AND (<= 0 k) (< (- k 1) k))
(AND (AND (<= 0 (- k 1)) (<= (- k 1) i))
(AND (<= i n)
(AND (< n (array_length t)) (Maximize t n (access t i) (- k 1)))))))))))))))))))

;; maxisort_po_1, File "maximumsort.mlw", line 39, characters 18-198
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(AND (AND (<= 0 (+ (- result 1) 1)) (<= (+ (- result 1) 1) (array_length t)))
(AND (sorted_array t (+ (- result 1) 1) (- (array_length t) 1))
(AND (permutation t t)
(IMPLIES (< (+ (- result 1) 1) (array_length t))
(Maximize t (- result 1) (access t (+ (- result 1) 1)) 0)))))))))

;; maxisort_po_2, File "maximumsort.mlw", line 44, characters 16-34
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 (+ i 1)) (<= (+ i 1) (array_length t0)))
         (AND (sorted_array t0 (+ i 1) (- (array_length t0) 1))
         (AND (permutation t0 t)
         (IMPLIES (< (+ i 1) (array_length t0))
         (Maximize t0 i (access t0 (+ i 1)) 0)))))
(IMPLIES (>= i 0)
(AND (AND (<= 0 i) (<= i i))
(AND (<= i i) (AND (< i (array_length t0)) (Maximize t0 i (access t0 i) i))))))))))))

;; maxisort_po_3, File "maximumsort.mlw", line 45, characters 8-19
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 (+ i 1)) (<= (+ i 1) (array_length t0)))
         (AND (sorted_array t0 (+ i 1) (- (array_length t0) 1))
         (AND (permutation t0 t)
         (IMPLIES (< (+ i 1) (array_length t0))
         (Maximize t0 i (access t0 (+ i 1)) 0)))))
(IMPLIES (>= i 0)
(IMPLIES (AND (AND (<= 0 i) (<= i i))
         (AND (<= i i)
         (AND (< i (array_length t0)) (Maximize t0 i (access t0 i) i))))
(FORALL (result0)
(IMPLIES (AND (AND (<= 0 result0) (<= result0 i))
         (Maximize t0 i (access t0 result0) 0))
(AND (AND (<= 0 i) (< i (array_length t0)))
(AND (<= 0 result0) (< result0 (array_length t0)))))))))))))))

;; maxisort_po_4, File "maximumsort.mlw", line 39, characters 18-198
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 (+ i 1)) (<= (+ i 1) (array_length t0)))
         (AND (sorted_array t0 (+ i 1) (- (array_length t0) 1))
         (AND (permutation t0 t)
         (IMPLIES (< (+ i 1) (array_length t0))
         (Maximize t0 i (access t0 (+ i 1)) 0)))))
(IMPLIES (>= i 0)
(IMPLIES (AND (AND (<= 0 i) (<= i i))
         (AND (<= i i)
         (AND (< i (array_length t0)) (Maximize t0 i (access t0 i) i))))
(FORALL (result0)
(IMPLIES (AND (AND (<= 0 result0) (<= result0 i))
         (Maximize t0 i (access t0 result0) 0))
(IMPLIES (AND (AND (<= 0 i) (< i (array_length t0)))
         (AND (<= 0 result0) (< result0 (array_length t0))))
(FORALL (t1)
(IMPLIES (exchange t1 t0 i result0)
(FORALL (i0)
(IMPLIES (EQ i0 (- i 1))
(AND (AND (<= 0 (+ i0 1)) (<= (+ i0 1) (array_length t1)))
(AND (sorted_array t1 (+ i0 1) (- (array_length t1) 1))
(AND (permutation t1 t)
(IMPLIES (< (+ i0 1) (array_length t1))
(Maximize t1 i0 (access t1 (+ i0 1)) 0)))))))))))))))))))))

;; maxisort_po_5, File "maximumsort.mlw", line 43, characters 16-19
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 (+ i 1)) (<= (+ i 1) (array_length t0)))
         (AND (sorted_array t0 (+ i 1) (- (array_length t0) 1))
         (AND (permutation t0 t)
         (IMPLIES (< (+ i 1) (array_length t0))
         (Maximize t0 i (access t0 (+ i 1)) 0)))))
(IMPLIES (>= i 0)
(IMPLIES (AND (AND (<= 0 i) (<= i i))
         (AND (<= i i)
         (AND (< i (array_length t0)) (Maximize t0 i (access t0 i) i))))
(FORALL (result0)
(IMPLIES (AND (AND (<= 0 result0) (<= result0 i))
         (Maximize t0 i (access t0 result0) 0))
(IMPLIES (AND (AND (<= 0 i) (< i (array_length t0)))
         (AND (<= 0 result0) (< result0 (array_length t0))))
(FORALL (t1)
(IMPLIES (exchange t1 t0 i result0)
(FORALL (i0)
(IMPLIES (EQ i0 (- i 1)) (AND (<= 0 (+ i 1)) (< (+ i0 1) (+ i 1)))))))))))))))))))

;; maxisort_po_6, File "maximumsort.mlw", line 48, characters 4-61
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 (+ i 1)) (<= (+ i 1) (array_length t0)))
         (AND (sorted_array t0 (+ i 1) (- (array_length t0) 1))
         (AND (permutation t0 t)
         (IMPLIES (< (+ i 1) (array_length t0))
         (Maximize t0 i (access t0 (+ i 1)) 0)))))
(IMPLIES (< i 0)
(AND (sorted_array t0 0 (- (array_length t0) 1)) (permutation t0 t))))))))))

why-2.34/examples/kmp/0000755000175000017500000000000012311670312013222 5ustar  rtuserswhy-2.34/examples/kmp/kmp_why.v0000644000175000017500000003553412311670312015101 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Import Sumbool.

Require Export Match.
Require Export Next.
Require Import ZArithRing.
Require Import Omega.
Require Export Lex.

Ltac Omega' := abstract omega.

Parameter A : Set.
Axiom A_eq_dec : forall x y:A, {x = y} + {x <> y}.
Definition A_eq_bool (x y:A) := bool_of_sumbool (A_eq_dec x y).

Axiom M_positive : (0 <= M)%Z.

Proof.
intuition.
Qed.

Proof.
intros; exact lexZ_well_founded.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition.
subst i2 j2.
apply match_right_extension.
replace (i1 + 1 - (j1 + 1))%Z with (i1 - j1)%Z.
 assumption.
 Omega'.
  Omega'.
 Omega'.
  ring (i1 + 1 - (j1 + 1) + j1)%Z.
 ring (0 + j1)%Z.
 assumption.
  absurd (match_ p (i1 + 1 - (z - 1)) p 0 (z - 1)).
  red; apply H11; Omega'.
  apply match_right_weakening with (n := z).
  replace (i1 + 1 - (z - 1))%Z with (i1 + 1 + 1 - z)%Z.
  subst i2; assumption.
 Omega'.
 Omega'.
  elim (Z_lt_ge_dec k (i1 + 1)); intro Hk'.
    subst next2; rewrite store_def_2.
  apply H13; Omega'.
 Omega'.
 Omega'.
 Omega'.
  cut ((i1 + 1)%Z = k).
 intro Heq.
   subst next2 i2; rewrite Heq.
 rewrite store_def_1.
  rewrite <- Heq.
 apply Next_cons.
 Omega'.
  subst j2; replace (i1 + 1 - (j1 + 1))%Z with (i1 - j1)%Z.
  apply match_right_extension; Omega' || (try assumption).
  ring (i1 - j1 + j1)%Z; ring (0 + j1)%Z; assumption.
 Omega'.
  intros z Hz.
   red; apply H11; Omega'.
  Omega'.
 Omega'.
  ArraySubst next2.
unfold lexZ, lex, Zwf, pairZ; left; Omega'.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition.
  rewrite Test4.
  apply match_empty.
 Omega'.
 Omega'.
  elim (Z_lt_ge_dec (j1 + 2) z); intro.
  absurd (match_ p (i1 + 1 - (z - 1)) p 0 (z - 1)).
  red; apply H11; Omega'.
  apply match_right_weakening with (n := z).
  subst i2.
  replace (i1 + 1 - (z - 1))%Z with (i1 + 1 + 1 - z)%Z;
   [ assumption | Omega' ].
 Omega'.
  absurd (access p i1 = access p j1); [ assumption | idtac ].
  decompose [match_] H18.
  replace i1 with (i1 + 1 + 1 - 2 + j1)%Z; [ idtac | Omega' ].
  replace (access p j1) with (access p (0 + j1));
   [ idtac | ring (0 + j1)%Z; reflexivity ].
  cut (z = 2%Z); [ intro Heq | Omega' ].
  rewrite <- Heq.
 rewrite <- Post5; apply H22; Omega'.
  elim (Z_lt_ge_dec k (i1 + 1)); intro.
  subst next2.
 AccessOther.
  apply H13; Omega'.
   cut ((i1 + 1)%Z = k); [ intro Heq | Omega' ].
  rewrite Post6; rewrite Post5; rewrite Heq.
 AccessSame.
  rewrite <- Heq.
 apply Next_cons.
 Omega'.
  apply match_empty; Omega'.
  intros z Hz.
  elim (Z_lt_ge_dec 1 z); intro.
  (* 1 < z  *)
  red; apply H11; Omega'.
  (* z = 1 *)
  red; intro.
  absurd (access p i1 = access p j1); [ assumption | rewrite Test4 ].
  decompose [match_] H17.
  replace 0%Z with (0 + 0)%Z; [ idtac | Omega' ].
  replace i1 with (i1 + 1 - z + 0)%Z; [ idtac | Omega' ].
  apply H22; Omega'.
  ArraySubst next2.
unfold lexZ, lex, Zwf, pairZ.
 left; Omega'.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition cut (j1 <> 0%Z); [ clear Test3; intro Test3 | assumption ].
  subst j2.
  elim (H15 j1); Omega'.
  elim (H15 j1); Omega'.
  elim (H15 j1); Omega'.
  subst j2.
  apply match_trans with (t2 := p) (i2 := (j1 - access next1 j1)%Z).
  apply match_left_weakening with (n := j1).
  replace (i1 - access next1 j1 - (j1 - access next1 j1))%Z with
   (i1 - j1)%Z; [ idtac | Omega' ].
  replace (j1 - access next1 j1 - (j1 - access next1 j1))%Z with 0%Z;
   [ assumption | Omega' ].
  elim (H15 j1); Omega'.
 elim (H15 j1); auto; Omega'.

  elim (Z_lt_ge_dec (j1 + 1) z); intro.
  (* j0+1 < z < i0+1 *)
  apply (H13 z); assumption || Omega'.
  elim (Z_ge_lt_dec z (j1 + 1)); intro.
  (* z = j0+1 *)
  absurd (access p i1 = access p j1); [ assumption | idtac ].
  decompose [match_] H18.
  replace i1 with (i1 + 1 - z + j1)%Z; [ idtac | Omega' ].
  replace j1 with (0 + j1)%Z; [ idtac | Omega' ].
  apply H22; Omega'.
  (* next[j0]+1 < z < j0+1 *)
  absurd (match_ p (j1 - (z - 1)) p 0 (z - 1)).
  decompose [match_] H18.
  elim (H15 j1); Omega' || intros.
  apply H25; Omega'.
  apply match_trans with (t2 := p) (i2 := (i1 - (z - 1))%Z).
  apply match_sym.
  apply match_left_weakening with (n := j1).
  replace (i1 - (z - 1) - (j1 - (z - 1)))%Z with (i1 - j1)%Z;
   [ idtac | Omega' ].
  ring (j1 - (z - 1) - (j1 - (z - 1)))%Z.
 assumption.
  Omega'.
  apply match_right_weakening with (n := z).
  replace (i1 - (z - 1))%Z with (i1 + 1 - z)%Z; [ assumption | Omega' ].
  Omega'.
unfold lexZ, lex, Zwf, pairZ.
 elim (H15 j1); [ intros | Omega' ].
right.
 Omega'.
Qed.

Proof.
intuition.
rewrite Pre13; assumption.
Qed.

Proof.
intuition.
subst i j.
apply match_empty; Omega'.
replace k with 1%Z; [ subst next0; rewrite store_def_1 | Omega' ].
apply next_1_0; Omega'.
Omega'.
ArraySubst next0.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition.
absurd (0 < j)%Z; Omega'.
Qed.


(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A105:Set) (a1:(array A105)) (a2:(array A105)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A114:Set) (a1:(array A114)) (a2:(array A114))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

(*Why type*) Definition A: Set.
Admitted.

(*Why logic*) Definition M : Z.
Admitted.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Axiom N_positive : (0 <= N)%Z.


Proof.
intuition.
Qed.

Proof.
intros; exact lexZ_well_founded.
Qed.

Proof.
intuition simple induction result1; tauto.
Qed.

Proof.
simple induction result1; intuition; discriminate Post5.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition discriminate H18 || auto with *.
subst j2 i2.
  apply match_right_extension.
  replace (i1 + 1 - (j1 + 1))%Z with (i1 - j1)%Z.
 assumption.
 Omega'.
  Omega'.
 Omega'.
  ring (i1 + 1 - (j1 + 1) + j1)%Z.
 ring (0 + j1)%Z.
 assumption.
  replace (i1 + 1 - (j1 + 1))%Z with (i1 - j1)%Z.
   apply (H18 k); assumption || Omega'.
  Omega'.
  unfold lexZ, lex, Zwf, pairZ.
 left; Omega'.
Qed.

Proof.
intuition discriminate H18 || auto with *.
  subst j1.
  apply match_empty.
 Omega'.
 Omega'.
  elim (Z_le_lt_eq_dec k (i1 - j1)).
  intro.
 apply (H18 k); assumption || Omega'.
  intro.
 generalize H19.
 apply match_contradiction_at_first.
 Omega'.
  rewrite b.
 subst j1.
 ring (i1 - 0)%Z.
 assumption.
  Omega'.
unfold lexZ, lex, Zwf, pairZ.
 left; Omega'.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition assert (j1 <> 0%Z); auto with *.
  (* invariant *)
  elim (H5 j1); intros.
 Omega'.
  Omega'.
  elim (H5 j1); intros; Omega'.
  elim (H5 j1); intros; Omega'.
  apply next_iteration with (j := j1).
  Omega'.
  Omega'.
  assumption.
  subst j2; apply (H5 j1); Omega'.
  (* ~(match a k p `0` M) *)
  elim (Z_lt_ge_dec k (i1 - j1)); intro Hck.
  (* k < i0-j0 *)
  apply (H20 k); assumption || Omega'.
  elim (Z_ge_lt_dec (i1 - j1) k); intro Hck'.
  (* k = i0-j0 *)
  generalize H21.
 replace k with (i1 - j1)%Z.
  apply match_contradiction_at_i with (i := j1).
  Omega'.
 Omega'.
 ring (i1 - j1 + j1)%Z.
 ring (0 + j1)%Z.
 assumption.
 Omega'.
   (* i0-j0 < k *)
  generalize H21.
 rewrite <- H.
  apply next_is_maximal with (i := i1) (j := j1) (n := access next0 j1).
   Omega'.
 Omega'.
 Omega'.
  assumption.
  apply (H5 j1); Omega'.
  unfold lexZ, lex, Zwf, pairZ.
   elim (H5 j1).
 intros.
  right.
 Omega'.
 Omega'.
Qed.

Proof.
intuition; rewrite Pre13; assumption.
Qed.

Definition first_occur (p a:array A) (r:Z) :=
  ((0 <= r < array_length a)%Z -> match_ a r p 0 (array_length p)) /\
  (forall k:Z, (0 <= k < r)%Z -> ~ match_ a k p 0 (array_length p)).

Proof.
intuition.
generalize M_positive; Omega'.
generalize N_positive; Omega'.
subst i j.
apply match_empty.
generalize N_positive; Omega'.
 generalize M_positive; Omega'.
Qed.

Proof.
intros.
decompose [and] Inv.
unfold first_occur.
 split.
 intro.
 rewrite <- Test10.
  replace (array_length p) with j1.
 assumption.
 Omega'.
replace (i1 - M)%Z with (i1 - j1)%Z.
 replace (array_length p) with M.
 assumption.
 Omega'.
Omega'.
Qed.

Proof.
intros.
 unfold first_occur.
 decompose [and] Inv.
split.
 intro.
 absurd (i1 < N)%Z; Omega'.
intros k Hk.
 elim (Z_lt_ge_dec k (i1 - j1)); intro Hk'.
replace (array_length p) with M.
apply H6; Omega'.
 Omega'.
red; intro.
 decompose [match_] H4.
absurd (k <= N - M)%Z; Omega'.
Qed.


Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.



(*Why type*) Definition prodZZ: Set.
Admitted.

(*Why logic*) Definition match_ :
  (array A) -> Z -> (array A) -> Z -> Z -> Prop.
Admitted.

(*Why logic*) Definition Next : (array A) -> Z -> Z -> Prop.
Admitted.

(*Why logic*) Definition pairZ : Z -> Z -> prodZZ.
Admitted.

(*Why logic*) Definition N : Z.
Admitted.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.



(*Why logic*) Definition first_occur : (array A) -> (array A) -> Z -> Prop.
Admitted.

why-2.34/examples/kmp/Makefile0000644000175000017500000000012112311670312014654 0ustar  rtusers
VO=kmp_valid.vo

all: Lex.vo Next.vo Match.vo $(VO)

include ../Makefile.common
why-2.34/examples/kmp/Lex.v0000644000175000017500000000276612311670312014154 0ustar  rtusers(* Load Programs. *)(**************************************************************************)
(*                                                                        *)
(* Proof of the Knuth-Morris-Pratt Algorithm.                             *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* November 1998                                                          *)
(*                                                                        *)
(**************************************************************************)

(* The terminations of both initnext and kmp involve a lexicographic
 * order relation. *)

Require Export Relation_Operators.
Require Import Lexicographic_Product.

Set Implicit Arguments.
Unset Strict Implicit.

Section lexico.

Variables A B : Set.

Variable Ra : A -> A -> Prop.
Variable Rb : B -> B -> Prop.

Definition lex := lexprod A (fun _:A => B) Ra (fun _:A => Rb).

Lemma lex_well_founded :
 well_founded Ra -> well_founded Rb -> well_founded lex.
Proof.
intros wfa wfb.
exact
 (wf_lexprod A (fun _:A => B) Ra (fun _:A => Rb) wfa (fun _ => wfb)).
Qed.

End lexico.

(* Instantiation on Z x Z *)

Require Import ZArith.
Require Import Zwf.

Definition prodZZ := {x_ : Z &  Z}.

Definition pairZ (x y:Z) : prodZZ := existS (fun _:Z => Z) x y.

Definition lexZ := lex (Zwf 0) (Zwf 0).

Definition lexZ_well_founded :=
  lex_well_founded (Zwf_well_founded 0) (Zwf_well_founded 0).
why-2.34/examples/kmp/kmp.mlw0000644000175000017500000000542512311670312014540 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(* Proof of the Knuth-Morris-Pratt Algorithm.                             *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* November 1998                                                          *)
(*                                                                        *)
(**************************************************************************)

include "arrays.why"

type A

parameter A_eq_bool : x:A -> y:A -> {} bool { if result then x=y else not x=y }

(* The pattern p is an array of length M. *)

logic M : int

parameter p : A array

(* We first compute a global table next with the procedure initnext.
 * That table only depends on p. *)

parameter next : int array

type prodZZ

logic match_ : A farray, int, A farray, int, int -> prop
logic Next : A farray, int, int -> prop
logic pairZ : int,int -> prodZZ

let initnext =
  fun (u:unit) ->
    { array_length(p) = M and array_length(next) = M }
   (let i = ref 1 in
    let j = ref 0 in
    if 1 < M then begin
      next[1] := 0;
      while !i < M-1 do
        { invariant 0 <= j <= M  and  j < i <= M
            and match_(p, i-j, p, 0, j)
  	    and (forall z:int. j+1 < z < i+1 -> not match_(p, i+1-z, p, 0, z))
            and (forall k:int. 0 < k <= i -> Next(p, k, next[k]))
	    and array_length(next) = M     as Inv
          variant pairZ(M-i, j) for lexZ }
        if (A_eq_bool p[!i] p[!j]) then begin
          i := !i+1; j := !j+1; next[!i] := !j
        end else
          if !j = 0 then begin i := !i+1; next[!i] := 0 end else j := next[!j]
      done
    end)
   { array_length(next) = M and
     forall j:int. 0 < j < M -> Next(p, j, next[j]) }


(* The algorithm looks for an occurrence of the pattern p in a text a 
 * which is an array of length N. 
 * The function kmp returns an index i within 0..N-1 if there is an occurrence
 * at the position i and N otherwise. *)
  
logic N : int

parameter a : A array

logic first_occur : A farray, A farray, int -> prop

let kmp () =
  { array_length(p) = M and array_length(next) = M and 
    array_length(a) = N }
 (let i = ref 0 in
  let j = ref 0 in
  begin
    (initnext void);
    while !j < M && !i < N do
      { invariant 0 <= j <= M and j <= i <= N
           and match_(a, i-j, p, 0, j)
           and forall k:int. 0 <= k < i-j -> not match_(a, k, p, 0, M) as Inv
        variant pairZ(N-i, j) for lexZ }
      if (A_eq_bool a[!i] p[!j]) then begin
        i := !i+1; j := !j+1
      end else
        if !j = 0 then i := !i+1 else j := next[!j]
    done;	
    if !j = M then !i-M else !i
  end)
  { first_occur(p, a, result) }
why-2.34/examples/kmp/.depend0000644000175000017500000000033312311670312014461 0ustar  rtusersLex.vo: Lex.v
Match.vo: Match.v ../../lib/coq/WhyArrays.vo
Next.vo: Next.v ./Match.vo
kmp_valid.vo: kmp_valid.v ../../lib/coq/Why.vo ./kmp_why.vo
kmp_why.vo: kmp_why.v ../../lib/coq/Why.vo ./Match.vo ./Next.vo ./Lex.vo
why-2.34/examples/kmp/Match.v0000644000175000017500000000757012311670312014456 0ustar  rtusers(* Load Programs. *)(**************************************************************************)
(*                                                                        *)
(* Proof of the Knuth-Morris-Pratt Algorithm.                             *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* November 1998                                                          *)
(*                                                                        *)
(**************************************************************************)

Require Export WhyArrays.

Set Implicit Arguments.
Unset Strict Implicit.


(* Here we define the property (match t1 i1 t2 i2 n) which expresses
 * that the two segments [i1...i1+n-1] of t1 and [i2...i2+n-1] of t2
 * are equal.
 *)

Inductive match_ (A:Set) (t1:array A) (i1:Z) (t2:array A) (i2 n:Z) :
Prop :=
    match_cons :
      (0 <= i1 <= array_length t1 - n)%Z ->
      (0 <= i2 <= array_length t2 - n)%Z ->
      (forall i:Z,
         (0 <= i < n)%Z -> access t1 (i1 + i) = access t2 (i2 + i)) ->
      match_ t1 i1 t2 i2 n.


(* Lemmas about match *)

Require Import Omega.

Section match_lemmas.

Variable A : Set.
Variable t1 : array A.
Variable t2 : array A.

Lemma match_empty :
 forall i1 i2:Z,
   (0 <= i1 <= array_length t1)%Z ->
   (0 <= i2 <= array_length t2)%Z -> match_ t1 i1 t2 i2 0.
Proof.
intros i1 i2 Hi1 Hi2.
apply match_cons.
 omega.
 omega.
intros.
 absurd (i < 0)%Z; omega.
Qed.

Lemma match_right_extension :
 forall i1 i2 n:Z,
   match_ t1 i1 t2 i2 n ->
   (i1 <= array_length t1 - n - 1)%Z ->
   (i2 <= array_length t2 - n - 1)%Z ->
   access t1 (i1 + n) = access t2 (i2 + n) ->
   match_ t1 i1 t2 i2 (n + 1).
Proof.
intros i1 i2 n Hmatch Hi1 Hi2 Hn.
elim Hmatch; intros Hi1' Hi2' Heq.
apply match_cons.
omega.
omega.
intros i Hi.
elim (Z_le_lt_eq_dec i n).
intro.
 apply Heq.
 omega.
intro H.
 rewrite H.
 auto.
omega.
Qed.

Lemma match_contradiction_at_first :
 forall i1 i2 n:Z,
   (0 < n)%Z -> access t1 i1 <> access t2 i2 -> ~ match_ t1 i1 t2 i2 n.
Proof.
intros i1 i2 n Hn Heq.
red.
 intro Hmatch.
 elim Hmatch; intros.
absurd (access t1 i1 = access t2 i2); [ assumption | idtac ].
replace i1 with (i1 + 0)%Z.
 replace i2 with (i2 + 0)%Z.
apply (H1 0%Z).
omega.
omega.
omega.
Qed.

Lemma match_contradiction_at_i :
 forall i1 i2 i n:Z,
   (0 < n)%Z ->
   (0 <= i < n)%Z ->
   access t1 (i1 + i) <> access t2 (i2 + i) -> ~ match_ t1 i1 t2 i2 n.
Proof.
intros i1 i2 i n Hn Hi Heq.
red.
 intro Hmatch.
 elim Hmatch; intros.
absurd (access t1 (i1 + i) = access t2 (i2 + i));
 [ assumption | idtac ].
apply (H1 i); omega.
Qed.
  
Lemma match_right_weakening :
 forall i1 i2 n n':Z,
   match_ t1 i1 t2 i2 n -> (n' < n)%Z -> match_ t1 i1 t2 i2 n'.
Proof.
intros i1 i2 n n' Hmatch Hn.
elim Hmatch; intros.
apply match_cons.
 omega.
 omega.
intros i Hi.
 apply H1; omega.
Qed.

Lemma match_left_weakening :
 forall i1 i2 n n':Z,
   match_ t1 (i1 - (n - n')) t2 (i2 - (n - n')) n ->
   (n' < n)%Z -> match_ t1 i1 t2 i2 n'.
Proof.
intros i1 i2 n n' Hmatch Hn.
decompose [match_] Hmatch.
apply match_cons.
 omega.
 omega.
intros i Hi.
replace (i1 + i)%Z with (i1 - (n - n') + (i + (n - n')))%Z.
replace (i2 + i)%Z with (i2 - (n - n') + (i + (n - n')))%Z.
apply H1.
omega.
 omega.
 omega.
Qed.

Lemma match_sym :
 forall i1 i2 n:Z, match_ t1 i1 t2 i2 n -> match_ t2 i2 t1 i1 n.
Proof.
intros i1 i2 n Hmatch.
decompose [match_] Hmatch.
apply match_cons.
 omega.
 omega.
intros i Hi.
 symmetry.
apply H1; omega.
Qed.

Variable t3 : array A.

Lemma match_trans :
 forall i1 i2 i3 n:Z,
   match_ t1 i1 t2 i2 n -> match_ t2 i2 t3 i3 n -> match_ t1 i1 t3 i3 n.
Proof.
intros i1 i2 i3 n H12 H23.
decompose [match_] H12.
 decompose [match_] H23.
apply match_cons.
 omega.
 omega.
intros i Hi.
 apply trans_equal with (y := access t2 (i2 + i)).
apply H1; omega.
apply H4; omega.
Qed.

End match_lemmas.


  
why-2.34/examples/kmp/Next.v0000644000175000017500000000533712311670312014337 0ustar  rtusers(* Load Programs. *)(**************************************************************************)
(*                                                                        *)
(* Proof of the Knuth-Morris-Pratt Algorithm.                             *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* November 1998                                                          *)
(*                                                                        *)
(**************************************************************************)

Require Import Match.
Require Import ZArithRing.
Require Import Omega.

Set Implicit Arguments.
Unset Strict Implicit.

(* next[j] is the maximal n < j such that the n first elements of p
 * match the n last elemnts of p[0..j-1]
 *
 *          _______ ____ j____
 *     p = |_______|abcd|_____|
 *                  ____ n___________
 *                 |abcd|____________|
 *
 * This property is expressed by the predicate (Next p j n).
 *)

Section next_prop.

Variable A : Set.
Variable p : array A.

(* Definition *)
 
(* n is maximal *)
Inductive Next (j n:Z) : Prop :=
    Next_cons :
      (0 <= n < j)%Z ->
      match_ p (j - n) p 0 n ->
      (forall z:Z, (n < z < j)%Z -> ~ match_ p (j - z) p 0 z) ->
      Next j n.


(* Some properties of the predicate Next *)

Variable a : array A.

Lemma next_iteration :
 forall i j n:Z,
   (0 < j < array_length p)%Z ->
   (j <= i <= array_length a)%Z ->
   match_ a (i - j) p 0 j -> Next j n -> match_ a (i - n) p 0 n.
Proof.
intros i j n Hj Hi Hmatch Hnext.
elim Hnext; intros.
apply match_cons.
 omega.
 omega.
intros i0 Hi0.
apply trans_equal with (y := access p (j - n + i0)).
elim Hmatch; intros.
replace (i - n + i0)%Z with (i - j + (j - n + i0))%Z.
replace (j - n + i0)%Z with (0 + (j - n + i0))%Z.
apply H4.
omega.
 omega.
 omega.
elim H0; intros.
apply H4.
omega.
Qed.


Lemma next_is_maximal :
 forall i j n k:Z,
   (0 < j < array_length p)%Z ->
   (j <= i <= array_length a)%Z ->
   (i - j < k < i - n)%Z ->
   match_ a (i - j) p 0 j ->
   Next j n -> ~ match_ a k p 0 (array_length p).
Proof.
intros i j n k Hj Hi Hk Hmatch Hnext.
red.
 intro Hmax.
elim Hnext; intros.
absurd (match_ p (j - (i - k)) p 0 (i - k)).
apply H1; omega.
apply match_trans with (t2 := a) (i2 := k).
apply match_sym.
apply match_left_weakening with (n := j).
ring (k - (j - (i - k)))%Z.
 ring (j - (i - k) - (j - (i - k)))%Z.
 assumption.
omega.
apply match_right_weakening with (n := array_length p).
assumption.
omega.
Qed.

Lemma next_1_0 : (1 <= array_length p)%Z -> Next 1 0.
Proof.
intro HM.
apply Next_cons.
 omega.
apply match_empty; omega.
intros z Hz.
 absurd (0 < z)%Z; omega.
Qed.

End next_prop.
why-2.34/examples/quicksort/0000755000175000017500000000000012311670312014457 5ustar  rtuserswhy-2.34/examples/quicksort/partition_why.v0000644000175000017500000002734012311670312017554 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Export Partition.
Require Import Omega.
Require Import ZArithRing.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
ArraySubst t0.
Save.

Proof.
intuition.
subst; auto with *.
Save.




Admitted.

Admitted.

Proof.
intuition.
Save.

Proof.
intuition.
apply array_le_empty; omega.
apply array_ge_empty; omega.
Save.

Proof.
intuition.
Save.

Proof.
intuition ArrayLength; omega.
Save.

Proof.
intuition; subst.
replace (i0+1-1) with ((i0-1)+1).
apply array_le_right_extension; intuition.
ring (i0-1+1); auto.
omega.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition; subst.
apply array_ge_cons.
 intros j1 Hj1.
 elim (Z_le_gt_dec (j0 + 1) j1); intro.
assert (h: array_ge t0 (j + 1) r (access t l)). assumption.
elim h; intros.
auto with *.
cut (j0 = j1); [ intro | omega ].
subst.
 omega.
Save.

Proof.
intuition.
Save.

Ltac elimh p :=  match goal with
  | h:p |- _ => elim h
end.

Proof.
intuition.
replace (i1 - 1)%Z with (i0 - 1 + 1)%Z.
apply array_le_right_extension.
apply array_le_exchange with (t := t0) (x := i0) (y := j0).
omega.
 omega.
 assumption.
omega.
 apply exchange_sym; assumption.
ring (i0 - 1 + 1)%Z.
 elimh (exchange t1 t0 i0 j0); intros.
 replace (access t1 i0) with (access t0 j0); auto.
omega.
omega.
replace (j1 + 1)%Z with (j0 + 1 - 1)%Z.
apply array_ge_left_extension.
apply array_ge_exchange with (t := t0) (x := i0) (y := j0).
omega.
  SameLength t t0.
 omega.
assumption.
omega.
 apply exchange_sym; assumption.
ring (j0 + 1 - 1)%Z.
 elimh (exchange t1 t0 i0 j0); intros.
 replace (access t1 j0) with (access t0 i0); auto.
omega.
omega.
apply sub_permut_trans with (t' := t0).
apply exchange_is_sub_permut with (i := i0) (j := j0);
 [ omega | omega | assumption ].
assumption.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
replace (i1 - 1)%Z with (i0 - 1 + 1)%Z.
apply array_le_right_extension.
apply array_le_exchange with (t := t0) (x := i0) (y := j0).
omega.
 omega.
 assumption.
omega.
 apply exchange_sym; assumption.
ring (i0 - 1 + 1)%Z.
  elimh (exchange t1 t0 i0 j0); intros.
  replace (access t1 i0) with (access t0 j0); auto.
omega.
omega.
replace (j1 + 1)%Z with (j0 + 1 - 1)%Z.
apply array_ge_left_extension.
apply array_ge_exchange with (t := t0) (x := i0) (y := j0).
omega.
 SameLength t t0.
 omega.
assumption.
 omega.
 apply exchange_sym; assumption.
ring (j0 + 1 - 1)%Z.
  elimh (exchange t1 t0 i0 j0); intros.
  replace (access t1 j0) with (access t0 i0); auto.
omega.
omega.
apply sub_permut_trans with (t' := t0).
apply exchange_is_sub_permut with (i := i0) (j := j0);
 [ omega | omega | assumption ].
assumption.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
SameLength t t0.
omega.
Save.

Proof.
intuition.
apply array_ge_cons.
 intros j' Hj'.
 elim (Z_le_gt_dec (j0 + 1) j'); intro.
 elimh (array_ge t0 (j0 + 1) r result); intros.
  auto with *.
cut (j' = j0); [ intro | omega ].
subst; omega.
Save.

Proof.
intuition.
Save.

Proof.
intros; absurd (i0 < j0); omega.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
apply array_le_cons.
intros i' Hi'.
 elim (Z_le_lt_eq_dec l i'); intros.
(* case l < i' *)
elimh (exchange t1 t0 i0 j0); intros h1 h2 h3 h4 h5 h6.
assert (i' < i0 \/ i'=i0). omega. intuition.
rewrite h6; try omega.
elimh (array_le t0 (l + 1) (i0 - 1) result); auto with *.
subst i'; rewrite h4; omega.
(* case l = i' *)
elimh (exchange t1 t0 i0 j0); intros h1 h2 h3 h4 h5 h6.
omega.
omega.
(* array_ge *)
apply array_ge_cons.
intros j' Hj'.
elimh (exchange t1 t0 i0 j0); intros h1 h2 h3 h4 h5 h6.
assert (j0 < j' \/ j'=j0). omega. intuition.
rewrite h6; try omega.
elimh (array_ge t0 (j0 + 1) r result); auto with *.
SameLength t0 t; omega.
subst j'; rewrite h5; omega.
(* (sub_permut l r t1 t) *)
apply sub_permut_trans with (t' := t0); auto.
apply exchange_is_sub_permut with (i := i0) (j := j0).
omega.
omega.
assumption.
elimh (exchange t1 t0 i0 j0); intros h1 h2 h3 h4 h5 h6.
rewrite (h6 l); try omega.
unfold Zwf; intuition.
SameLength t1 t0; omega.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
SameLength t0 t; omega.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
apply piv.
omega.
omega.
(* array_le *)
apply array_le_cons.
intros i' Hi'.
 elim (Z_le_lt_eq_dec l i'); intros.
(* case l < i *)
elimh (exchange t1 t0 l i); intros h1 h2 h3 h4 h5 h6.
rewrite h6.
rewrite h5.
subst.
replace (access t0 l) with (access t l); auto.
elimh (array_le t0 (l + 1) (i - 1) (access t l)); auto with *.
omega.
omega.
omega.
(* case l = i *)
subst.
elimh (exchange t1 t0 i' i); intros h1 h2 h3 h4 h5 h6.
rewrite h4.
rewrite h5.
omega.
omega.
(* array_ge *)
apply array_ge_cons.
intros i' Hi'.
subst.
 ring (i1 - 1 + 1)%Z.
 intro Hj.
 elim Post30; intros.
rewrite H22.
 rewrite (H23 j0).
rewrite H18.
elim H15; intros.
 elim (Z_le_lt_eq_dec i1 j0); intros.
(* case i0 < j *)
rewrite <- Post11.
 apply H24; omega.
(* case i0 = j *)
rewrite <- b.
 omega.
omega.
SameLength t1 t0; SameLength t0 t; omega.
omega.
omega.
(* (sub_permut t1 t l r) *)
apply sub_permut_trans with (t' := t0).
apply exchange_is_sub_permut with (i := l) (j := Zpred i1).
omega.
unfold Zpred; omega.
assumption.
assumption.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition ArrayLength; omega.
Qed.

 Proof.
 intuition.
induction result2; auto.
induction result2; auto.
Qed.

Proof.
intuition.
induction result2; auto || discriminate Post5.
induction result2; auto || discriminate Post5.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition.
rewrite <- H23.
elim Post25; intros.
apply H28; omega.
absurd (i2 < j2)%Z; omega.
replace (j3 + 1)%Z with (j2 + 1 - 1)%Z.
apply array_ge_left_extension.
apply array_ge_exchange with (t := t0) (x := i2) (y := j2).
omega.
 intuition; generalize (sub_permut_length H21); intro; omega.
assumption.
 omega.
 apply exchange_sym; assumption.
ring (j2 + 1 - 1)%Z.
 elim Post25; intros.
 rewrite H28.
omega.
omega.
apply sub_permut_trans with (t' := t0).
apply exchange_is_sub_permut with (i := i2) (j := j2);
 [ omega | omega | assumption ].
assumption.
absurd (i2 < j2)%Z; omega.
Qed.

Proof.
intuition ArrayLength; omega.
Qed.

Proof.
intros.
decompose [and or] Invj; clear Invj.
 intuition unfold Zwf; ArrayLength; try omega.
Qed.

Proof.
intuition unfold Zwf; SameLength t t0; omega.
rewrite <- H23.
elim Post25; intros.
apply H28; omega.
absurd (i2 < j2)%Z; omega.
replace (j3 + 1)%Z with (j2 + 1 - 1)%Z.
apply array_ge_left_extension.
apply array_ge_exchange with (t := t0) (x := i2) (y := j2).
omega.
 intuition; generalize (sub_permut_length H21); intro; omega.
assumption.
 omega.
 apply exchange_sym; assumption.
ring (j2 + 1 - 1)%Z.
 elim Post25; intros.
 rewrite H28.
omega.
omega.
apply sub_permut_trans with (t' := t0).
apply exchange_is_sub_permut with (i := i2) (j := j2);
 [ omega | omega | assumption ].
assumption.
absurd (i2 < j2)%Z; omega.
Qed.

Proof.
intuition.
apply array_le_empty; omega.
apply array_ge_empty; omega.
Qed.

Proof.
intuition SameLength t t0; omega.
Qed.

Proof.
intuition SameLength t t0; auto with *.
Qed.

Proof.
intuition.
apply piv.
omega.
omega.
Qed.

Proof.
intuition SameLength t0 t; omega.
Qed.

Proof.
intuition.
Qed.


Proof.
intuition.
Save.


Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.



(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A112:Set) (a1:(array A112)) (a2:(array A112)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A121:Set) (a1:(array A121)) (a2:(array A121))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

(*Why predicate*) Definition array_le  (a:(array Z)) (l:Z) (r:Z) (v:Z)
  := (forall (i:Z), (l <= i /\ i <= r -> (access a i) <= v)).

(*Why predicate*) Definition array_ge  (a:(array Z)) (l:Z) (r:Z) (v:Z)
  := (forall (i:Z), (l <= i /\ i <= r -> v <= (access a i))).

(*Why predicate*) Definition partition_p  (a:(array Z)) (l:Z) (r:Z) (p:Z)
  := (l <= p /\ p <= r) /\ (array_le a l (p - 1) (access a p)) /\
     (array_ge a (p + 1) r (access a p)).

why-2.34/examples/quicksort/Makefile0000644000175000017500000000106312311670312016117 0ustar  rtusers
VO=quicksort_valid.vo

all: Partition.vo Quicksort.vo $(VO)

partition_why.v partition_valid.v quicksort_why.v quicksort_valid.v: partition.mlw quicksort.mlw $(WHY)
	$(WHY) $(WHYOPTIONS) partition.mlw quicksort.mlw

partition.check quicksort.check: partition.mlw quicksort.mlw $(WHYBIN)
	$(WHYBIN) -tc partition.mlw quicksort.mlw

quicksort_why.sx: partition.mlw quicksort.mlw $(WHYBIN)
	$(WHY) --simplify partition.mlw quicksort.mlw

quicksort_why.why: partition.mlw quicksort.mlw $(WHYBIN)
	$(WHY) --why partition.mlw quicksort.mlw

include ../Makefile.common
why-2.34/examples/quicksort/quicksort_why.v0000644000175000017500000000201312311670312017555 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Import Omega.
Require Import Partition.
Require Import Quicksort.

Require Import partition_why.

Proof.
intros; omega.
Qed.

  Proof.
  intuition SameLength t1 t0; omega.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition; SameLength t2 t1; SameLength t1 t0; omega.
Qed.

Proof.
intros; unfold Zwf; omega.
Qed.

Proof.
intros.
apply quicksort_lemma with (t1 := t1) (t2 := t2) (p := p); intuition.
 Qed.

Proof.
intros; apply quicksort_trivial; intuition.
Qed.


Proof.
intuition omega.
Qed.

Proof.
intuition eauto.
SameLength t0 t; rewrite H3; trivial.
Qed.


Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.




Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.




why-2.34/examples/quicksort/quicksort.mlw0000644000175000017500000000370112311670312017225 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(* Proof of the Quicksort Algorithm.                                      *)
(*                                                                        *)
(*  This formal proof is detailed in this paper:                          *)
(*                                                                        *)
(*  J.-C. Filliâtre and N. Magaud. Certification of sorting algorithms    *)
(*  in  the system  Coq. In  Theorem Proving  in Higher  Order Logics:    *)
(*  Emerging Trends, 1999.                                                *)
(*  (http://www.lri.fr/~filliatr/ftp/publis/Filliatre-Magaud.ps.gz)       *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* August 1998                                                            *)
(*                                                                        *)
(**************************************************************************)

(* The first part of the program that re-arrange elements in the array
   and returns the position of the "partition" is defined in the module
   [Partition_prog]. *)

(* The recursive part of the quicksort algorithm:
   a recursive function to sort between [l] and [r] *)

let quick_rec =
  let rec quick_rec (t:int array)(l,r:int) : unit 
  { variant r-l } =
    { 0 <= l and r < array_length(t) (*as Pre*) }
    (if l < r then
       let p = (partition t l r) in
       begin
       	 (quick_rec t l (p-1));
	 (quick_rec t (p+1) r)
       end)
    { sorted_array(t, l, r) and permut(t, t@, l, r) }

(* At last, the main program, which is just a call to [quick_rec] *)

let quicksort =
  fun (t:int array) ->
    {}
    (quick_rec t 0 ((array_length_ t)-1))
    { sorted_array(t, 0, array_length(t)-1) and permutation(t, t@) }
why-2.34/examples/quicksort/Partition.v0000644000175000017500000001204512311670312016621 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(* Proof of the Quicksort Algorithm.                                      *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* August 1998                                                            *)
(*                                                                        *)
(**************************************************************************)

Require Import Why.

Require Import Omega.

Set Implicit Arguments.
Unset Strict Implicit.


(* Here we define the property  which expresses that,
 * on the segment [g,d] of the array t, all elements on the left of p
 * are lesser or equal than t[p] and all elements on the right of p
 * are greater or equal than t[p].
 *
 * So we introduce the properties array_le and array_ge which express
 * that all elements of a segment [g,d] are <= (resp. >=) than a given value
 *)

Inductive array_le (t:array Z) (g d v:Z) : Prop :=
    array_le_cons :
      (forall i:Z, (g <= i <= d)%Z -> (access t i <= v)%Z) ->
      array_le t g d v.

Inductive array_ge (t:array Z) (g d v:Z) : Prop :=
    array_ge_cons :
      (forall i:Z, (g <= i <= d)%Z -> (v <= access t i)%Z) ->
      array_ge t g d v.

Inductive partition_p (t:array Z) (g d p:Z) : Prop :=
    piv :
      (g <= p)%Z ->
      (p <= d)%Z ->
      array_le t g (p - 1) (access t p) ->
      array_ge t (p + 1) d (access t p) -> partition_p t g d p.


(* Lemmas about array_le *)

Lemma array_le_empty :
 forall (t:array Z) (g d v:Z), (d < g)%Z -> array_le t g d v.
Proof.
intros t g d v H.
constructor.
 intros.
absurd (g <= d)%Z; omega.
Qed.

Lemma array_le_right_extension :
 forall (t:array Z) (g d v:Z),
   array_le t g d v ->
   (access t (d + 1) <= v)%Z -> array_le t g (d + 1) v.
Proof.
intros t g d v H_le Hv.
elim H_le; intros.
constructor.
 intros.
elim (Z_eq_dec i (d + 1)); intro.
rewrite a; assumption.
apply H; omega.
Qed.

Lemma array_le_exchange :
 forall (t t':array Z) (g d v x y:Z),
   (0 <= g)%Z ->
   (d < array_length t)%Z ->
   array_le t g d v ->
   (d < x <= y)%Z -> exchange t t' x y -> array_le t' g d v.
Proof.
intros t t' g d v x y Hg Hd Hle Hxy Hex.
elim Hle; intros.
 elim Hex; intros.
constructor.
 intros.
rewrite <- H5; try omega.
apply H; assumption.
Qed.

(* Lemmas about array_ge *)

Lemma array_ge_empty :
 forall (t:array Z) (g d v:Z), (d < g)%Z -> array_ge t g d v.
Proof.
intros t g d v H.
constructor.
 intros.
absurd (g <= d)%Z; omega.
Qed.

Lemma array_ge_left_extension :
 forall (t:array Z) (g d v:Z),
   array_ge t g d v ->
   (v <= access t (g - 1))%Z -> array_ge t (g - 1) d v.
Proof.
intros t g d v H_ge Hv.
elim H_ge; intros.
constructor.
 intros.
elim (Z_eq_dec i (g - 1)); intro.
rewrite a; assumption.
apply H; omega.
Qed.

Lemma array_ge_exchange :
 forall (t t':array Z) (g d v x y:Z),
   (0 <= g)%Z ->
   (d < array_length t)%Z ->
   array_ge t g d v ->
   (x <= y < g)%Z -> exchange t t' x y -> array_ge t' g d v.
Proof.
intros t t' g d v x y Hg Hd Hge Hxy Hex.
elim Hge; intros.
 elim Hex; intros.
constructor.
 intros.
rewrite <- H5; try omega.
apply H; assumption.
Qed.


(* Lemmas about partition_p and sub_permut *)

Lemma partition_p_permut_left :
 forall (t t':array Z) (g d p:Z),
   (0 <= g)%Z ->
   (g < d)%Z ->
   (d < array_length t)%Z ->
   (g <= p <= d)%Z ->
   partition_p t g d p ->
   sub_permut g (Zpred p) t t' -> partition_p t' g d p.
Proof.
intros t t' g d p hyp1 hyp2 hyp3 hyp4 piv_t perm.
elim piv_t; intros.
cut (Zpred p < array_length t)%Z; [ intro | unfold Zpred; omega ].
generalize (sub_permut_function perm hyp1 H3).
 intro.
constructor; try assumption.
(* array_le *)
constructor.
 intros.
rewrite <- (sub_permut_eq perm (i:=p)).
elim H1; intros.
elim (H4 i); try (unfold Zpred; omega).
 intros.
elim H8; intros.
elim H9; intros.
 rewrite H11.
apply H6; unfold Zpred in H10; omega.
unfold Zpred; omega.
(* array_ge *)
constructor.
 intros.
rewrite <- (sub_permut_eq perm (i:=p)).
rewrite <- (sub_permut_eq perm (i:=i)).
elim H2; intros.
apply H6; omega.
unfold Zpred; omega.
unfold Zpred; omega.
Qed.


Lemma partition_p_permut_right :
 forall (t t':array Z) (g d p:Z),
   (0 <= g)%Z ->
   (g < d)%Z ->
   (d < array_length t)%Z ->
   (g <= p <= d)%Z ->
   partition_p t g d p ->
   sub_permut (Zsucc p) d t t' -> partition_p t' g d p.
Proof.
intros t t' g d p hyp1 hyp2 hyp3 hyp4 piv_t perm.
elim piv_t; intros.
cut (0 <= Zsucc p)%Z; [ intro | unfold Zpred; omega ].
generalize (sub_permut_function perm H3 hyp3).
 intro.
constructor; try assumption.
(* array_le *)
constructor.
 intros.
rewrite <- (sub_permut_eq perm (i:=p)).
rewrite <- (sub_permut_eq perm (i:=i)).
elim H1; intros.
apply H6; omega.
unfold Zsucc; omega.
unfold Zsucc; omega.
(* array_ge *)
constructor.
 intros.
rewrite <- (sub_permut_eq perm (i:=p)).
elim H2; intros.
elim (H4 i); try (unfold Zsucc; omega).
 intros.
elim H8; intros.
elim H9; intros.
 rewrite H11.
apply H6; unfold Zsucc in H10; omega.
unfold Zsucc; omega.
Qed.
why-2.34/examples/quicksort/partition.mlw0000644000175000017500000000545012311670312017215 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(* Proof of the Quicksort Algorithm.                                      *)
(*                                                                        *)
(*  This formal proof is detailed in this paper:                          *)
(*                                                                        *)
(*  J.-C. Filliâtre and N. Magaud. Certification of sorting algorithms    *)
(*  in  the system  Coq. In  Theorem Proving  in Higher  Order Logics:    *)
(*  Emerging Trends, 1999.                                                *)
(*  (http://www.lri.fr/~filliatr/ftp/publis/Filliatre-Magaud.ps.gz)       *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* August 1998                                                            *)
(*                                                                        *)
(**************************************************************************)

include "arrays.why"

(* exchange of two elements *)

let swap =
  fun (t:int array)(i,j:int) ->
    { 0 <= i < array_length(t) and 0 <= j < array_length(t) }
    (let v = t[i] in
     begin
       t[i] := t[j];
       t[j] := v
     end)
    { exchange(t, t@, i, j) }

(* partition *)

predicate array_le(a:int farray, l:int, r:int, v:int) =
  forall i:int. l <= i <= r -> a[i] <= v

predicate array_ge(a:int farray, l:int, r:int, v:int) =
  forall i:int. l <= i <= r -> v <= a[i] 

predicate partition_p(a:int farray, l:int, r:int, p:int) =
  l <= p <= r and array_le(a, l, p-1, a[p]) and array_ge(a, p+1, r, a[p])

let partition (t:int array)(l,r:int) =
    { 0 <= l < r and r < array_length(t) }
   (let pv = t[l] in
    let i = ref (l+1) in
    let j = ref r in
    begin
      init:
      while !i < !j do
      	{ invariant l+1 <= i <= r and j <= r
                 and array_le(t, l+1, i-1, pv)
		 and array_ge(t, j+1, r, pv)
		 and permut(t, t@init, l, r)
                 and t[l]=t@init[l] as Inv
          variant array_length(t)+2+j-i }
        L:
	while t[!i] <= pv && !i < !j do
      	  { invariant i@L <= i <= r and array_le(t, l+1, i-1, pv) as Invi
            variant r-i }
	  i := !i + 1
	done;
	while t[!j] >= pv && !i < !j do
	  { invariant l <= j <= j@L and array_ge(t, j+1, r, pv) as Invj
            variant j }
	  j := !j - 1
	done;
	if !i < !j then begin
      	  (swap t !i !j);
	  i := !i + 1;
	  j := !j - 1
	end
      done;
      (if t[!i] < pv then begin
      	 (swap t l !i);
         !i
       end else begin
      	 (swap t l (!i - 1));
      	 !i - 1
       end) 
    end)
    { l <= result <= r and 
      partition_p(t, l, r, result) and permut(t, t@, l, r) }

why-2.34/examples/quicksort/Quicksort.v0000644000175000017500000000754012311670312016640 0ustar  rtusers(* Load Programs. *)(**************************************************************************)
(*                                                                        *)
(* Proof of the Quicksort Algorithm.                                      *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* August 1998                                                            *)
(*                                                                        *)
(**************************************************************************)

Require Import Why.
Require Import Partition.

Require Import Omega.

(* Here we prove the main lemma of quicksort:
 *
 * We have four arrays t0, t1, t2 and t3, and some indexes g,d,p
 * with the following properties
 *
 *                  g           p             d
 *   t0 :  |        |                         |        |
 *   t1 :  |  = t0  |  <= v    |v|    >=v     |  = t0  |
 *   t2 :  |  = t1  |  sorted  |v|    = t1    |  = t1  |
 *   t3 :  |  = t2  |  = t2    |v|   sorted   |  = t2  |
 *
 * and we have to prove that t3 is sorted and is a permutation of t0 
 *)

Lemma quicksort_lemma :
 forall (t0 t1 t2 t3:array Z) (g d p:Z),
   (0 <= g)%Z ->
   (g < d)%Z ->
   (d < array_length t0)%Z ->
   (g <= p <= d)%Z ->
   partition_p t1 g d p ->
   sub_permut g d t1 t0 ->
   sorted_array t2 g (Zpred p) ->
   sub_permut g (Zpred p) t2 t1 ->
   sorted_array t3 (Zsucc p) d ->
   sub_permut (Zsucc p) d t3 t2 ->
   sorted_array t3 g d /\ sub_permut g d t3 t0.
Proof.
intros t0 t1 t2 t3 g d p H1 H2 H3 H4 piv_t1 perm_t1 sort_t2 perm_t2
 sort_t3 perm_t3.
generalize (sub_permut_length perm_t1); intro HL1.
 generalize (sub_permut_length perm_t2); intro HL2.
 generalize (sub_permut_length perm_t3); intro HL3.
 rewrite <- HL1 in H3.
generalize
 (partition_p_permut_left H1 H2 H3 H4 piv_t1 (sub_permut_sym perm_t2)).
  intro piv_t2.
rewrite <- HL2 in H3.
generalize
 (partition_p_permut_right H1 H2 H3 H4 piv_t2 (sub_permut_sym perm_t3)).
  intro piv_t3.
generalize (sub_permut_is_permut perm_t1); intro.
  elim (sub_permut_id perm_t1); intros.
generalize (sub_permut_is_permut perm_t2); intro.
  elim (sub_permut_id perm_t2); intros.
generalize (sub_permut_is_permut perm_t3); intro.
  elim (sub_permut_id perm_t3); intros.
split.
(* sorted_array *)
unfold sorted_array.
 intros.
elim (Z_lt_ge_dec x (p - 1)); intros.
(* x < p-1 *)
unfold array_id in H10.
rewrite (H10 x); try omega.
 rewrite (H10 (x + 1)%Z); try omega.
unfold sorted_array in sort_t2.
apply sort_t2; unfold Zpred; omega.
elim (Z_lt_ge_dec x p); intros.
(* x = p-1 *)
elim piv_t3; intros.
elim H17; intros.
cut ((x + 1)%Z = p).
 intro Heq.
 rewrite Heq.
apply H19; omega.
omega.
elim (Z_lt_ge_dec x (p + 1)); intros.
(* x = p *)
elim piv_t3; intros.
elim H18; intros.
cut (x = p).
 intro Heq.
 rewrite Heq.
apply H19; omega.
omega.
(* x > p *)
unfold sorted_array in sort_t3.
apply sort_t3; unfold Zsucc; omega.

(* sub_permut *)
apply sub_permut_trans with (t' := t2).
elim (Z_le_gt_dec (Zsucc p) d); intro.
apply sub_permut_extension with (g := Zsucc p) (d := d); try omega.
assumption.
apply sub_permut_void with (g := Zsucc p) (d := d); try omega.
assumption.
apply sub_permut_trans with (t' := t1).
elim (Z_le_gt_dec g (Zpred p)); intro.
apply sub_permut_extension with (g := g) (d := Zpred p);
 try (unfold Zpred; omega).
assumption.
apply sub_permut_void with (g := g) (d := Zpred p);
 try (unfold Zpred; omega).
omega.
assumption.
assumption.
Qed.


(* The trivial case, when the segment of the array contains at most
 * one element.
 *)

Lemma quicksort_trivial :
 forall (t:array Z) (g d:Z),
   (0 <= g)%Z ->
   (g >= d)%Z ->
   (d < array_length t)%Z -> sorted_array t g d /\ sub_permut g d t t.
Proof.
intros t g d H1 H2 H3.
split.
unfold sorted_array.
intros.
absurd (x < d)%Z; omega.
auto with datatypes.
Qed.

    
why-2.34/examples/quicksort/.depend0000644000175000017500000000071412311670312015721 0ustar  rtusersPartition.vo: Partition.v ../../lib/coq/Why.vo
Quicksort.vo: Quicksort.v ../../lib/coq/Why.vo ./Partition.vo
partition_valid.vo: partition_valid.v ../../lib/coq/Why.vo ./partition_why.vo
partition_why.vo: partition_why.v ../../lib/coq/Why.vo ./Partition.vo
quicksort_valid.vo: quicksort_valid.v ../../lib/coq/Why.vo ./partition_valid.vo ./quicksort_why.vo
quicksort_why.vo: quicksort_why.v ../../lib/coq/Why.vo ./Partition.vo ./Quicksort.vo ./partition_why.vo
why-2.34/examples/Makefile.common0000644000175000017500000000427512311670312015372 0ustar  rtusers# Generated automatically from Makefile.common.in by configure.

WHYBIN=../../bin/why.opt 
WHY=WHYLIB=../../lib $(WHYBIN) -split-user-conj
GWHY=WHYLIB=../../lib ../../bin/gwhy.opt -split-user-conj --lib-file arrays.why
CADUCEUS=WHYLIB=../../lib ../../bin/caduceus.opt
# WHYOPTIONS=--coq-v8
WHYOPTIONS=--coq-v8 --valid
DP=../../bin/why-dp.opt

dp: simplify cvcl

coq: $(VO:_valid.vo=_why.vo)

simplify: $(VO:_valid.vo=_why.sx)
	$(DP) -timeout 10 $^  2>/dev/null

yices: $(VO:_valid.vo=_why.smt)
	$(DP) -smt-solver yices -timeout 10 $^  2>/dev/null

z3: $(VO:_valid.vo=_why.z3.smt)
	$(DP) -smt-solver z3 -timeout 10 $^  2>/dev/null

z3smt: $(VO:_valid.vo=_why.smt)
	$(DP) -smt-solver z3 -timeout 10 $^  2>/dev/null

zenon: $(VO:_valid.vo=_why.znn)
	$(DP) -timeout 10 $^ 2>/dev/null

cvcl: $(VO:_valid.vo=_why.cvc)
	$(DP) -timeout 10 $^  2>/dev/null

ergo: $(VO:_valid.vo=_why.why)
	$(DP) -timeout 10 $^  2>/dev/null

.PHONY: check

check: $(VO:_valid.vo=.check)

harvey: $(VO:_valid.vo=_why.rv)
	$(DP) -timeout 10 $^  2>/dev/null

%_valid.v %_why.v: %.mlw $(WHYBIN)
	$(WHY) $(WHYOPTIONS) $<

%_valid.v %_why.v: %.c $(CADUCEUS)
	$(CADUCEUS) $<

%_why.vo: %_why.v
	coqc -I ../../lib/coq $(OPT) $<

%_valid.vo: %_valid.v %_why.vo
	coqc -I ../../lib/coq $(OPT) $<

%.vo: %.v
	coqc -I ../../lib/coq $(OPT) $<

%_why.pvs: %.mlw $(WHYBIN)
	$(WHY) --pvs $<

%_why.sx: %.mlw $(WHYBIN)
	$(WHY) --simplify $<

%_why.smt: %.mlw $(WHYBIN)
	$(WHY) --smtlib --encoding sstrat $<

%_why.z3.smt: %.mlw $(WHYBIN)
	$(WHY) --z3 --encoding sstrat $<

%_why.znn: %.mlw $(WHYBIN)
	$(WHY) --zenon $<

%_why.cvc: %.mlw $(WHYBIN)
	$(WHY) --cvcl $<

%_why.why: %.mlw $(WHYBIN)
	$(WHY) --why $<

%_why.why: %.why $(WHYBIN)
	$(WHY) --why $<

%.check: %.mlw $(WHYBIN)
	$(WHYBIN) -tc $<

%.check: %.why $(WHYBIN)
	$(WHYBIN) -tc $<

%_why.rv: %.mlw $(WHYBIN)
	$(WHY) --harvey $<

%_why.miz: %.mlw $(WHYBIN)
	$(WHY) --mizar $<

%_why.miz: %.c $(WHYBIN)
	$(WHY) --mizar $<

%.ml: %.mlw
	$(WHY) -ocaml $< > $@
	ocamlc -c -i $@

%.wol: %.mlw
	$(WHY) --wol $<

%.gui: %.mlw
	$(GWHY) $<

%.gui: %.why
	$(GWHY) $<

%.fastwp: %.mlw
	$(GWHY) -fast-wp $<

clean::
	rm -f *~ *.vo *.wol
	rm -f *_valid.v

depend:: $(VO:.vo=.v)
	coqdep -I ../../lib/coq *.v > .depend

include .depend
why-2.34/examples/misc/0000755000175000017500000000000012311670312013366 5ustar  rtuserswhy-2.34/examples/misc/peano_why.v0000644000175000017500000000165412311670312015554 0ustar  rtusers
Require Import Why.
Require Import Omega.
Require Import ZArithRing.

 Proof.
 unfold Zwf; intros; omega.
Qed.

Proof.
unfold Zwf; intros; omega.
Qed.

Proof.
intuition.
Qed.



 Proof.
 intros; omega.
 Qed.

 Proof.
 intros; omega.
 Qed.



Proof.
intros; unfold Zwf; omega.
Qed.

Proof.
intros; omega.
Qed.

Proof.
intros; omega.
Qed.

Proof.
intros; omega.
Qed.



Proof.
intros; omega.
Qed.

Proof.
intros; omega.
Qed.



Proof.
ergo.
Qed.

Proof.
simpl; intros.
repeat split; unfold Zwf; try omega.
subst x2 z0.
intuition.
subst.
ring.
Qed.

Proof.
simpl; intros.
assert (z = 0%Z). omega.
intuition; subst.
ring.
Qed.


Proof.
 intros; omega.
Qed.

Proof.
 intros; omega.
Qed.



Proof.
intros; subst; intuition.
Save.

Proof.
intuition; subst; ring.
Save.

Proof.
unfold Zwf; intuition.
Save.

Proof.
intuition.
subst; ring.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.


why-2.34/examples/misc/Makefile0000644000175000017500000000112612311670312015026 0ustar  rtusers
# VO=swap0_valid.vo loop0_valid.vo peano_valid.vo power_valid.vo \
#      arith_valid.vo mac_carthy_valid.vo fib_valid.vo gcd_valid.vo \
#      flag_valid.vo search_valid.vo sqrt_dicho_valid.vo \
#      max_valid.vo
VO=swap0_valid.vo loop0_valid.vo peano_valid.vo power_valid.vo \
     arith_valid.vo mac_carthy_valid.vo fib_valid.vo gcd_valid.vo \
     search_valid.vo sqrt_dicho_valid.vo \
     max_valid.vo flag_ax_valid.vo sum_valid.vo matrix_mult_valid.vo

# csearch_valid.vo copy_valid.vo 

all: $(VO)

include ../Makefile.common

flag_ax_why.why: flag_ax.mlw
	$(WHY) --why --no-arrays $^


why-2.34/examples/misc/fib_why.v0000644000175000017500000001402512311670312015206 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.

Parameter F : Z -> Z.
Axiom F_0 : F 0 = 1%Z.
Axiom F_1 : F 1 = 1%Z.
Axiom F_n : forall n:Z, (n >= 2)%Z -> F n = (F (n - 1) + F (n - 2))%Z.
Hint Resolve F_0 F_1 F_n .

Proof.
intuition.
assert (n=0 \/ n=1). omega. intuition; subst; auto.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
subst; symmetry; auto with *.
Save.


Proof.
intuition.
subst; auto.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
subst; symmetry.
cut (1 <= x).
 replace x with (x + 1 - 1)%Z.
 generalize (x + 1)%Z.
intros; ring (z - 1 + 1)%Z; replace (z - 1 - 1)%Z with (z - 2)%Z.
 auto with *.
omega.
omega.
assumption.
subst; ring (x + 1 - 1)%Z; trivial.
Save.


Proof.
intuition.
assert (n=0 \/ n=1). omega. intuition; subst; auto.
Save.

Proof.
intuition.
Save.


Proof.
intuition.
Save.

Proof.
intuition.
subst; symmetry.
cut (1 <= k).
 replace k with (k + 1 - 1)%Z.
 generalize (k + 1)%Z.
intros; ring (z - 1 + 1)%Z; replace (z - 1 - 1)%Z with (z - 2)%Z.
 auto with *.
omega.
omega.
assumption.
subst; ring (k + 1 - 1)%Z; trivial.
Save.

Proof.
intuition.
subst.
assert (k=n). omega. subst; auto.
Save.

Proof.
intuition.
assert (n=0 \/ n=1). omega. intuition; subst; auto.
Save.


Proof.
intuition.
assert (n=0 \/ n=1). omega. intuition; subst; auto.
Save.

Proof.
intuition.
Save.

Proof.
intuition; ArraySubst t0.
Save.

Proof.
intuition.
subst; repeat rewrite array_length_update; trivial.
subst. assert (i=0 \/ i=1). omega. intuition; subst.
AccessOther; auto with *.
AccessSame; auto with *.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition; subst.
repeat rewrite array_length_update; assumption.
assert (i Z.
Admitted.

(*Why axiom*) Lemma F_0 : (F 0) = 1.
Admitted.

(*Why axiom*) Lemma F_1 : (F 1) = 1.
Admitted.

(*Why axiom*) Lemma F_n :
  (forall (n:Z), (n >= 2 -> (F n) = ((F (n - 1)) + (F (n - 2))))).
Admitted.

(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A94:Set) (a1:(array A94)) (a2:(array A94)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A103:Set) (a1:(array A103)) (a2:(array A103))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

why-2.34/examples/misc/csearch_why.v0000644000175000017500000001110212311670312016047 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.

(* Why obligation from file "csearch.c", characters 233-237 *)
Lemma index_po_1 : 
  forall (n: Z),
  forall (v: Z),
  forall (t: (array Z)),
  forall (Pre5: (array_length t) = n),
  forall (i: Z),
  forall (Post4: i = 0),
  forall (Variant1: Z),
  forall (i1: Z),
  forall (Pre4: Variant1 = (n - i1)),
  forall (Pre3: 0 <= i1 /\
                (forall (k:Z), (0 <= k /\ k < i1 -> (access t k) <> v))),
  forall (Test2: i1 < n),
  0 <= i1 /\ i1 < (array_length t).
Proof.
intuition.
Qed.

(* Why obligation from file "csearch.c", characters 233-242 *)
Lemma index_po_2 : 
  forall (n: Z),
  forall (v: Z),
  forall (t: (array Z)),
  forall (Pre5: (array_length t) = n),
  forall (i: Z),
  forall (Post4: i = 0),
  forall (Variant1: Z),
  forall (i1: Z),
  forall (Pre4: Variant1 = (n - i1)),
  forall (Pre3: 0 <= i1 /\
                (forall (k:Z), (0 <= k /\ k < i1 -> (access t k) <> v))),
  forall (Test2: i1 < n),
  forall (Pre2: 0 <= i1 /\ i1 < (array_length t)),
  forall (c_aux_1: Z),
  forall (Post1: c_aux_1 = (access t i1)),
  forall (result0: bool),
  forall (Post14: (if result0 then c_aux_1 = v else c_aux_1 <> v)),
  (if result0 then (0 <= i1 /\ i1 < n -> (access t i1) = v)
   else (forall (i:Z),
         (i = (i1 + 1) -> (0 <= i /\
          (forall (k:Z), (0 <= k /\ k < i -> (access t k) <> v))) /\
          (Zwf 0 (n - i) (n - i1))))).
Proof.
simple_destruct result0; intuition.
assert (k = i1 \/ (k < i1)%Z).
 omega.
 intuition.
subst k c_aux_1; auto.
apply (H0 k); auto with *.
Qed.

(* Why obligation from file "csearch.c", characters 150-198 *)
Lemma index_po_3 : 
  forall (n: Z),
  forall (v: Z),
  forall (t: (array Z)),
  forall (Pre5: (array_length t) = n),
  forall (i: Z),
  forall (Post4: i = 0),
  0 <= i /\ (forall (k:Z), (0 <= k /\ k < i -> (access t k) <> v)).
Proof.
intuition.
Qed.

(* Why obligation from file "csearch.c", characters 116-263 *)
Lemma index_po_4 : 
  forall (n: Z),
  forall (v: Z),
  forall (t: (array Z)),
  forall (Pre5: (array_length t) = n),
  forall (i: Z),
  forall (Post4: i = 0),
  forall (i1: Z),
  forall (Post3: (0 <= i1 /\
                 (forall (k:Z), (0 <= k /\ k < i1 -> (access t k) <> v))) /\
                 i1 >= n),
  (0 <= i1 /\ i1 < n -> (access t i1) = v).
Proof.
intuition.
Qed.


(* Why obligation from file "csearch.c", characters 566-570 *)
Lemma index2_po_1 : 
  forall (n: Z),
  forall (v: Z),
  forall (t: (array Z)),
  forall (Pre5: (array_length t) = n),
  forall (i: Z),
  forall (Post4: i = 0),
  forall (Variant1: Z),
  forall (i1: Z),
  forall (Pre4: Variant1 = (n - i1)),
  forall (Pre3: 0 <= i1 /\
                (forall (k:Z), (0 <= k /\ k < i1 -> (access t k) <> v))),
  forall (Test2: i1 < n),
  0 <= i1 /\ i1 < (array_length t).
Proof.
intuition.
Qed.

(* Why obligation from file "csearch.c", characters 566-575 *)
Lemma index2_po_2 : 
  forall (n: Z),
  forall (v: Z),
  forall (t: (array Z)),
  forall (Pre5: (array_length t) = n),
  forall (i: Z),
  forall (Post4: i = 0),
  forall (Variant1: Z),
  forall (i1: Z),
  forall (Pre4: Variant1 = (n - i1)),
  forall (Pre3: 0 <= i1 /\
                (forall (k:Z), (0 <= k /\ k < i1 -> (access t k) <> v))),
  forall (Test2: i1 < n),
  forall (Pre2: 0 <= i1 /\ i1 < (array_length t)),
  forall (c_aux_2: Z),
  forall (Post1: c_aux_2 = (access t i1)),
  forall (result0: bool),
  forall (Post15: (if result0 then c_aux_2 = v else c_aux_2 <> v)),
  (if result0 then (0 <= i1 /\ i1 < n -> (access t i1) = v)
   else (forall (i:Z),
         (i = (i1 + 1) -> (0 <= i /\
          (forall (k:Z), (0 <= k /\ k < i -> (access t k) <> v))) /\
          (Zwf 0 (n - i) (n - i1))))).
Proof.
simple_destruct result0; intuition.
assert (k = i1 \/ (k < i1)%Z).
 omega.
 intuition.
subst k c_aux_2; auto.
apply (H0 k); auto with *.
Qed.

(* Why obligation from file "csearch.c", characters 483-531 *)
Lemma index2_po_3 : 
  forall (n: Z),
  forall (v: Z),
  forall (t: (array Z)),
  forall (Pre5: (array_length t) = n),
  forall (i: Z),
  forall (Post4: i = 0),
  0 <= i /\ (forall (k:Z), (0 <= k /\ k < i -> (access t k) <> v)).
Proof.
intuition.
Qed.

(* Why obligation from file "csearch.c", characters 609-610 *)
Lemma index2_po_4 : 
  forall (n: Z),
  forall (v: Z),
  forall (t: (array Z)),
  forall (Pre5: (array_length t) = n),
  forall (i: Z),
  forall (Post4: i = 0),
  forall (i1: Z),
  forall (Post3: (0 <= i1 /\
                 (forall (k:Z), (0 <= k /\ k < i1 -> (access t k) <> v))) /\
                 i1 >= n),
  (0 <= n /\ n < n -> (access t n) = v).
Proof.
intuition.
Qed.

why-2.34/examples/misc/copy_why.sx0000644000175000017500000000276312311670312015613 0ustar  rtusers(BG_PUSH (FORALL (t i v) (EQ (array_length (store t i v)) (array_length t))))

;; DO NOT EDIT BELOW THIS LINE

;; copy_po_1, Why obligation from file "copy.c", characters 156-159
(FORALL (n)
(FORALL (t1)
(FORALL (t2)
(IMPLIES (AND (>= (array_length t1) n) (>= (array_length t2) n))
(FORALL (i)
(IMPLIES (EQ i n)
(FORALL (Variant1)
(FORALL (i1)
(FORALL (t2_0)
(IMPLIES (EQ Variant1 i1)
(IMPLIES (AND (>= (array_length t2_0) n)
         (AND (<= i1 n)
         (FORALL (k)
         (IMPLIES (AND (<= i1 k) (< k n)) (EQ (select t2_0 k) (select t1 k))))))
(IMPLIES (EQ |@true| |@true|)
(FORALL (c_aux_2)
(IMPLIES (EQ c_aux_2 i1)
(FORALL (i2)
(IMPLIES (EQ i2 (- i1 1))
(AND
(IMPLIES (> c_aux_2 0)
(FORALL (result)
(IMPLIES (EQ result i2)
(AND
(AND
(FORALL (t2)
(IMPLIES (EQ t2 (store t2_0 result (select t1 i2)))
(AND
(AND (>= (array_length t2) n)
(AND (<= i2 n)
(FORALL (k)
(IMPLIES (AND (<= i2 k) (< k n)) (EQ (select t2 k) (select t1 k))))))
(AND (<= 0 i1) (< i2 i1)))))
(AND (<= 0 result) (< result (array_length t2_0))))
(AND (<= 0 i2) (< i2 (array_length t1)))))))
(IMPLIES (<= c_aux_2 0)
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k n)) (EQ (select t2_0 k) (select t1 k))))))))))))))))))))))

;; copy_po_2, Why obligation from file "copy.c", characters 185-281
(FORALL (n)
(FORALL (t1)
(FORALL (t2)
(IMPLIES (AND (>= (array_length t1) n) (>= (array_length t2) n))
(FORALL (i)
(IMPLIES (EQ i n)
(AND (>= (array_length t2) n)
(AND (<= i n)
(FORALL (k)
(IMPLIES (AND (<= i k) (< k n)) (EQ (select t2 k) (select t1 k))))))))))))

why-2.34/examples/misc/gcd_why.sx0000644000175000017500000002515412311670312015375 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

(BG_PUSH
 ;; Why axiom gcd_asubb_b
 (FORALL (a b) (EQ (gcd a b) (gcd (- a b) b))))

(BG_PUSH
 ;; Why axiom gcd_a_bsuba
 (FORALL (a b) (EQ (gcd a b) (gcd a (- b a)))))

(BG_PUSH
 ;; Why axiom gcd_a_a
 (FORALL (a) (EQ (gcd a a) a)))

(BG_PUSH
 ;; Why axiom gcd_a_0
 (FORALL (a) (EQ (gcd a 0) a)))

(BG_PUSH
 ;; Why axiom max_def
 (FORALL (x y)
 (AND (OR (EQ (max x y) x) (EQ (max x y) y))
 (AND (>= (max x y) x) (>= (max x y) y)))))

;; gcd1_po_1, File "gcd.mlw", line 25, characters 19-58
(FORALL (a) (FORALL (b) (IMPLIES (AND (> a 0) (> b 0)) (< 0 a))))

;; gcd1_po_2, File "gcd.mlw", line 25, characters 19-58
(FORALL (a) (FORALL (b) (IMPLIES (AND (> a 0) (> b 0)) (< 0 b))))

;; gcd1_po_3, File "gcd.mlw", line 25, characters 19-58
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (> a 0) (> b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (< 0 x) (AND (< 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ x y)
(IMPLIES (> x y) (FORALL (x0) (IMPLIES (EQ x0 (- x y)) (< 0 x0)))))))))))

;; gcd1_po_4, File "gcd.mlw", line 25, characters 19-58
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (> a 0) (> b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (< 0 x) (AND (< 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ x y)
(IMPLIES (> x y) (FORALL (x0) (IMPLIES (EQ x0 (- x y)) (< 0 y)))))))))))

;; gcd1_po_5, File "gcd.mlw", line 25, characters 19-58
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (> a 0) (> b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (< 0 x) (AND (< 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ x y)
(IMPLIES (> x y)
(FORALL (x0) (IMPLIES (EQ x0 (- x y)) (EQ (gcd x0 y) (gcd a b))))))))))))

;; gcd1_po_6, File "gcd.mlw", line 25, characters 68-76
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (> a 0) (> b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (< 0 x) (AND (< 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ x y)
(IMPLIES (> x y) (FORALL (x0) (IMPLIES (EQ x0 (- x y)) (<= 0 (max x y))))))))))))

;; gcd1_po_7, File "gcd.mlw", line 25, characters 68-76
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (> a 0) (> b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (< 0 x) (AND (< 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ x y)
(IMPLIES (> x y)
(FORALL (x0) (IMPLIES (EQ x0 (- x y)) (< (max x0 y) (max x y))))))))))))

;; gcd1_po_8, File "gcd.mlw", line 25, characters 19-58
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (> a 0) (> b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (< 0 x) (AND (< 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ x y)
(IMPLIES (<= x y) (FORALL (y0) (IMPLIES (EQ y0 (- y x)) (< 0 y0)))))))))))

;; gcd1_po_9, File "gcd.mlw", line 25, characters 19-58
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (> a 0) (> b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (< 0 x) (AND (< 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ x y)
(IMPLIES (<= x y)
(FORALL (y0) (IMPLIES (EQ y0 (- y x)) (EQ (gcd x y0) (gcd a b))))))))))))

;; gcd1_po_10, File "gcd.mlw", line 25, characters 68-76
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (> a 0) (> b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (< 0 x) (AND (< 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ x y)
(IMPLIES (<= x y) (FORALL (y0) (IMPLIES (EQ y0 (- y x)) (<= 0 (max x y))))))))))))

;; gcd1_po_11, File "gcd.mlw", line 25, characters 68-76
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (> a 0) (> b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (< 0 x) (AND (< 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ x y)
(IMPLIES (<= x y)
(FORALL (y0) (IMPLIES (EQ y0 (- y x)) (< (max x y0) (max x y))))))))))))

;; gcd1_po_12, File "gcd.mlw", line 33, characters 4-21
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (> a 0) (> b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (< 0 x) (AND (< 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (EQ x y) (EQ x (gcd a b)))))))))

(BG_PUSH
 ;; Why axiom gcd_a_amodb
 (FORALL (a b) (EQ (gcd a b) (gcd b (int_mod a b)))))

(BG_PUSH
 ;; Why axiom mod_lt
 (FORALL (a b) (AND (<= 0 (int_mod a b)) (< (int_mod a b) b))))

;; gcd2_po_1, File "gcd.mlw", line 47, characters 19-60
(FORALL (a) (FORALL (b) (IMPLIES (AND (>= a 0) (>= b 0)) (<= 0 a))))

;; gcd2_po_2, File "gcd.mlw", line 47, characters 19-60
(FORALL (a) (FORALL (b) (IMPLIES (AND (>= a 0) (>= b 0)) (<= 0 b))))

;; gcd2_po_3, File "gcd.mlw", line 47, characters 19-60
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (>= a 0) (>= b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (<= 0 x) (AND (<= 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ y 0)
(FORALL (x0)
(IMPLIES (EQ x0 y) (FORALL (y0) (IMPLIES (EQ y0 (int_mod x y)) (<= 0 x0))))))))))))

;; gcd2_po_4, File "gcd.mlw", line 47, characters 19-60
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (>= a 0) (>= b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (<= 0 x) (AND (<= 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ y 0)
(FORALL (x0)
(IMPLIES (EQ x0 y) (FORALL (y0) (IMPLIES (EQ y0 (int_mod x y)) (<= 0 y0))))))))))))

;; gcd2_po_5, File "gcd.mlw", line 47, characters 19-60
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (>= a 0) (>= b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (<= 0 x) (AND (<= 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ y 0)
(FORALL (x0)
(IMPLIES (EQ x0 y)
(FORALL (y0) (IMPLIES (EQ y0 (int_mod x y)) (EQ (gcd x0 y0) (gcd a b)))))))))))))

;; gcd2_po_6, File "gcd.mlw", line 47, characters 70-71
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (>= a 0) (>= b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (<= 0 x) (AND (<= 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ y 0)
(FORALL (x0)
(IMPLIES (EQ x0 y) (FORALL (y0) (IMPLIES (EQ y0 (int_mod x y)) (<= 0 y))))))))))))

;; gcd2_po_7, File "gcd.mlw", line 47, characters 70-71
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (>= a 0) (>= b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (<= 0 x) (AND (<= 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (NEQ y 0)
(FORALL (x0)
(IMPLIES (EQ x0 y) (FORALL (y0) (IMPLIES (EQ y0 (int_mod x y)) (< y0 y))))))))))))

;; gcd2_po_8, File "gcd.mlw", line 56, characters 4-21
(FORALL (a)
(FORALL (b)
(IMPLIES (AND (>= a 0) (>= b 0))
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (<= 0 x) (AND (<= 0 y) (EQ (gcd x y) (gcd a b))))
(IMPLIES (EQ y 0) (EQ x (gcd a b)))))))))

why-2.34/examples/misc/mix_max.mlw0000644000175000017500000000327312311670312015556 0ustar  rtusers
(* MIX program for the max of X[1..r1]
   TAOCP vol 1, Program M page 145 *)

(* model *)

parameter a,r1,r2,r3 : int ref

type mem
logic acc : mem, int -> int
logic upd : mem, int, int -> mem

axiom acc_upd_eq : 
  forall m:mem. forall i,v:int. acc(upd(m,i,v),i) = v
axiom acc_upd_neq : 
  forall m:mem. forall i,j,v:int. i<>j -> acc(upd(m,i,v),j) = acc(m,j)

parameter mem : mem ref

(* program M *)

logic X:int

predicate Inv(mem:mem, a:int, r1:int, r2:int, r3:int) =
  0 <= r3 <= r1 and 1 <= r2 <= r1 and a = acc(mem,X+r2) 
  and forall i:int. r3 < i <= r1 -> a >= acc(mem,X+i)

let init () =
  { r1 >= 1 }
  r3 := !r1;
  r2 := !r3;
  a  := acc !mem (X + !r3);
  r3 := !r3 - 1
  { Inv(mem,a,r1,r2,r3) }

let loop_1 () =
  { Inv(mem,a,r1,r2,r3) and r3 > 0 }
  [ {} unit { a >= acc(mem,X+r3) } ];
  r3 := !r3 - 1  
  { Inv(mem,a,r1,r2,r3) }

let loop_2 () =
  { Inv(mem,a,r1,r2,r3) and r3 > 0 }
  [ {} unit { a < acc(mem,X+r3) } ];
  r2 := !r3;
  a  := acc !mem (X + !r3);
  r3 := !r3 - 1  
  { Inv(mem,a,r1,r2,r3) }

let post () =
  { Inv(mem,a,r1,r2,r3) and r3 <= 0 }
  void
  { 1 <= r2 <= r1 and a = acc(mem, X+r2) and
    forall i:int. 1 <= i <= r1 -> a >= acc(mem,X+i) }




(*** test ***)
(* max_of(mem,v,i,j) = v = max(mem[i..j]) *)
(***
logic max_of : mem,int,int,int -> prop

axiom max_of_single : 
  forall mem:mem. forall i:int. max_of(mem, acc(mem,i), i, i)

axiom max_of_left_extension_1 : 
  forall mem:mem. forall v:int. forall i:int. forall j:int.
  max_of(mem, v, i, j) -> acc(mem, i-1) <= v -> max_of(mem, v, i-1, j)

axiom max_of_left_extension_2 : 
  forall mem:mem. forall v:int. forall i:int. forall j:int.
  max_of(mem, v, i, j) -> acc(mem, i-1) > v -> 
  max_of(mem, acc(mem,i-1), i-1, j)
***)

why-2.34/examples/misc/gcd.mlw0000644000175000017500000000234512311670312014650 0ustar  rtusers
(** Various implementations of the gcd. *)

logic gcd : int,int -> int

axiom gcd_asubb_b : forall a,b:int. gcd(a, b) = gcd(a - b, b)
axiom gcd_a_bsuba : forall a,b:int. gcd(a, b) = gcd(a, b - a)
axiom gcd_a_a : forall a:int. gcd(a, a) = a
axiom gcd_a_0 : forall a:int. gcd(a, 0) = a

logic max : int,int -> int

axiom max_def :  
  forall x:int. forall y:int. 
  (max(x,y) = x or max(x,y) = y) and max(x,y) >= x and max(x,y) >= y

(** Simple algorithm with difference *)

let gcd1 (a:int) (b:int) =
  { a > 0 and b > 0 }
  (let x = ref a in
   let y = ref b in
   begin
     while !x <> !y do
       { invariant 0 < x and 0 < y and gcd(x,y) = gcd(a,b)  variant max(x,y) }
       if !x > !y then
         x := !x - !y
       else 
	 y := !y - !x
     done;
     !x
   end)
  { result = gcd(a,b) }


(** Euclid's algorithm *)

axiom gcd_a_amodb : forall a,b:int. gcd(a, b) = gcd(b, a % b)
axiom mod_lt: forall a,b:int. 0 <= a % b < b

let gcd2 (a:int) (b:int) =
  { a >= 0 and b >= 0 }
  (let x = ref a in
   let y = ref b in
   begin
     while !y <> 0 do
       { invariant 0 <= x and 0 <= y and gcd(x,y) = gcd(a,b)  variant y }
       let r = !x % !y in
       begin
	 x := !y;
	 y := r
       end
     done;
     !x
   end)
  { result = gcd(a,b) }

why-2.34/examples/misc/sum_why.v0000644000175000017500000000112412311670312015246 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.

Proof.
intuition.
Save.

Proof.
intuition.
subst.
ring.
assert (h: 2 * s = i * (i + 1)). assumption.
rewrite h; ring.
Save.

Proof.
intuition.
assert (i=n). omega. subst; auto with arith.
Save.

(*Why axiom*) Lemma distr_left :
  (forall (a:Z),
   (forall (b:Z), (forall (c:Z), (a * (b + c)) = (a * b + a * c)))).
Admitted.

(*Why axiom*) Lemma distr_right :
  (forall (a:Z),
   (forall (b:Z), (forall (c:Z), ((b + c) * a) = (b * a + c * a)))).
Admitted.

why-2.34/examples/misc/matrix_mult.why0000644000175000017500000000160112311670312016462 0ustar  rtusers
logic m,n,p : int

type matrix

logic get : matrix, int, int -> int

parameter c : matrix ref

logic ab : int,int -> int


let test () =
  { 0 < m and 0 < n and 0 < p }
  let i = ref 0 in
  while !i < m do 
    { invariant i <= m and
      forall i',j':int. 
        0 <= i' < i -> 0 <= j' < p -> get(c,i',j') = ab(i',j') }
    L2:
    let j = ref 0 in
    while !j < p do 
      { invariant 0 <= j <= p and
  (forall j':int. 0 <= j' < j -> get(c,i,j') = ab(i,j')) and
  (forall i',j':int. 0 <= i' < i -> 0 <= j' < p 
	-> get(c,i',j') = get(c@L2,i',j')) }
      [ {} unit writes c 
        { get(c,i,j) = ab(i,j) and
  (forall j':int. 0 <= j' < j -> get(c,i,j') = ab(i,j')) and
  (forall i',j':int. 0 <= i' < i -> 0 <= j' < p -> get(c,i',j') = ab(i',j')) }
      ];
      j := !j + 1
    done;
    i := !i + 1
  done
  { forall i',j':int. 0 <= i' < m -> 0 <= j' < p -> get(c,i',j') = ab(i',j') }
why-2.34/examples/misc/mac_carthy_why.sx0000644000175000017500000001533512311670312016752 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

(BG_PUSH
 ;; Why axiom max_def
 (FORALL (x y)
 (AND (OR (EQ (max x y) x) (EQ (max x y) y))
 (AND (>= (max x y) x) (>= (max x y) y)))))

;; f91_po_1, File "mac_carthy.mlw", line 12, characters 10-22
(FORALL (n) (IMPLIES (<= n 100) (<= 0 (max 0 (- 101 n)))))

;; f91_po_2, File "mac_carthy.mlw", line 12, characters 10-22
(FORALL (n)
(IMPLIES (<= n 100) (< (max 0 (- 101 (+ n 11))) (max 0 (- 101 n)))))

;; f91_po_3, File "mac_carthy.mlw", line 12, characters 5-23
(FORALL (n)
(IMPLIES (<= n 100)
(IMPLIES (AND (<= 0 (max 0 (- 101 n)))
         (< (max 0 (- 101 (+ n 11))) (max 0 (- 101 n))))
(FORALL (result)
(IMPLIES (OR (AND (<= (+ n 11) 100) (EQ result 91))
         (AND (>= (+ n 11) 101) (EQ result (- (+ n 11) 10))))
(<= 0 (max 0 (- 101 n))))))))

;; f91_po_4, File "mac_carthy.mlw", line 12, characters 5-23
(FORALL (n)
(IMPLIES (<= n 100)
(IMPLIES (AND (<= 0 (max 0 (- 101 n)))
         (< (max 0 (- 101 (+ n 11))) (max 0 (- 101 n))))
(FORALL (result)
(IMPLIES (OR (AND (<= (+ n 11) 100) (EQ result 91))
         (AND (>= (+ n 11) 101) (EQ result (- (+ n 11) 10))))
(< (max 0 (- 101 result)) (max 0 (- 101 n))))))))

;; f91_po_5, File "mac_carthy.mlw", line 15, characters 4-64
(FORALL (n)
(IMPLIES (<= n 100)
(IMPLIES (AND (<= 0 (max 0 (- 101 n)))
         (< (max 0 (- 101 (+ n 11))) (max 0 (- 101 n))))
(FORALL (result)
(IMPLIES (OR (AND (<= (+ n 11) 100) (EQ result 91))
         (AND (>= (+ n 11) 101) (EQ result (- (+ n 11) 10))))
(IMPLIES (AND (<= 0 (max 0 (- 101 n)))
         (< (max 0 (- 101 result)) (max 0 (- 101 n))))
(FORALL (result0)
(IMPLIES (OR (AND (<= result 100) (EQ result0 91))
         (AND (>= result 101) (EQ result0 (- result 10))))
(OR (AND (<= n 100) (EQ result0 91)) (AND (>= n 101) (EQ result0 (- n 10))))))))))))

;; f91_po_6, File "mac_carthy.mlw", line 15, characters 4-64
(FORALL (n)
(IMPLIES (> n 100)
(OR (AND (<= n 100) (EQ (- n 10) 91))
(AND (>= n 101) (EQ (- n 10) (- n 10))))))

why-2.34/examples/misc/matrix.why0000644000175000017500000001324012311670312015423 0ustar  rtusers(* ########################################################################## *)
(*                             Definitions of matrices                        *)
(*                         Frédéric Gava (Université Paris 12)                *)
(* ########################################################################## *)

(* ************************** *)
(* Definition of the matrices *)
(* ************************** *)

type 'a fmatrice


(* ****************************** *)
(* access and update of a matrice *)
(* ****************************** *)

logic mat_access : 'a fmatrice, int,int -> 'a
logic mat_update : 'a fmatrice, int,int,'a -> 'a fmatrice


(* *************** *)
(* axiom of update *)
(* *************** *)

axiom mat_access_update : 
  forall m : 'a fmatrice. forall i : int. forall j : int. forall v : 'a.
  mat_access(mat_update(m,i,j,v), i,j) = v

axiom access_update_neq : 
  forall m : 'a fmatrice. forall i1 : int. forall j1 : int. 
                          forall i2 : int. forall j2 : int.
			  forall v : 'a.
  (i1 <> i2) or (j1<>j2) -> mat_access(mat_update(m,i1,j1,v),i2,j2) = mat_access(m,i2,j2)


(* ********************** *)
(* size of row and column *)
(* ********************** *)

logic mat_size_row : 'a fmatrice -> int
logic mat_size_column : 'a fmatrice -> int


(* ************************************ *)
(* effective size of the row and column *)
(* ************************************ *)

parameter mat_size_row_ : 
  m:'a fmatrice ref -> {} int reads m { result=mat_size_row(m) }

parameter mat_size_column_ : 
  m:'a fmatrice ref -> {} int reads m { result=mat_size_column(m) }


(* *************************** *)
(* effective access and update *)
(* *************************** *)

parameter mat_get :
  m:'a fmatrice ref -> i:int -> j:int -> 
    { 0 <= i < mat_size_row(m) 
  and 0 <= j < mat_size_column(m)} 'a reads m { result = mat_access(m,i,j) }

parameter mat_set : 
  m:'a fmatrice ref -> i:int -> j:int -> v:'a -> 
    { 0 <= i < mat_size_row(m) 
  and 0 <= j < mat_size_column(m) } unit writes m { m = mat_update(m@,i,j,v) }


(* *********************************** *)
(* axioms on row and column and update *)
(* *********************************** *)

axiom mat_size_row_update :
  forall m:'a fmatrice. forall i:int. forall j:int. forall v:'a.
  mat_size_row(mat_update(m,i,j,v)) = mat_size_row(m)

axiom mat_size_column_update :
  forall m:'a fmatrice. forall i:int. forall j:int. forall v:'a.
  mat_size_column(mat_update(m,i,j,v)) = mat_size_column(m)



(* ########################################################################## *)
(*                   Multiplication of square matrices C=A*B                  *)
(* ########################################################################## *)


(* ******************** *)
(* size of the matrices *)
(* ******************** *)

logic N : int

axiom N_range : 1 <= N


(* ****************** *)
(* Usefull Predicates *)
(* ****************** *)

(*  sigma_mat_mult A B mini maxi i j === sigma_{r=mini}^{maxi} A[i,r]*B[r,j] *)
logic sigma_mat_mult : real fmatrice,real fmatrice,int,int,int,int -> real

axiom sigma_mat_mult_def_1 :
  forall A,B:real fmatrice. forall mini,maxi,i,j:int.
  maxi > mini -> sigma_mat_mult(A,B,mini,maxi,i,j) = 0.

axiom sigma_mat_mult_def_2 :
  forall A,B:real fmatrice. forall mini,maxi,i,j:int.
  mini < maxi -> 
    sigma_mat_mult(A,B,mini,maxi,i,j) = 
    sigma_mat_mult(A,B,mini,maxi-1,i,j) + 
      mat_access(A,i,maxi) * mat_access(B,maxi,j)

(* Part of C that have been completly calulated *)
predicate mat_mult_done(A:real fmatrice, B:real fmatrice,C:real fmatrice,iu:int,id:int,jl:int,jr:int) =
 forall i,j:int.  (iu<=i mat_access(C,i,j)=sigma_mat_mult(A,B,0,N-1,i,j)

(* Part of C that need to be calculated *)
predicate mat_mult_todo(C:real fmatrice,C':real fmatrice,iu:int,id:int,jl:int,jr:int) =
  forall i,j:int.  (iu<=i mat_access(C,i,j)=mat_access(C',i,j)

(* C=A*B *)  
predicate mat_mult(A:real fmatrice, B:real fmatrice,C:real fmatrice) =
  mat_mult_done(A,B,C,0,N,0,N)

(* ******************************** *)
(* Definition of the multiplication *)
(* ******************************** *)

let mult (A : real fmatrice ref)
         (B : real fmatrice ref)
	 (C : real fmatrice ref) =
{
     mat_size_row(A) = N
 and mat_size_row(B) = N
 and mat_size_row(C) = N
 and mat_size_column(A) = N
 and mat_size_column(B) = N
 and mat_size_column(C) = N
 and (forall x,y:int. 0<=x mat_access(C,x,y)=0.)
}
 init:
 let i=ref 0 in
  while !i { n >= 0 } int { result = F(n) }

    where F is the Fibonacci function defined on the external logical side
    (with F(0) = F(1) = 1 and F(n+2) = F(n+1) + F(n)) *)

logic F : int -> int

axiom F_0 : F(0) = 1
axiom F_1 : F(1) = 1
axiom F_n : forall n:int. n>=2 -> F(n) = F(n-1) + F(n-2)

(** Naive and purely functional *)

let rec fib1 (n:int) : int { variant n } = 
  { n >= 0 }
  (if n <= 1 then
     1
   else 
     (fib1 (n - 1)) + (fib1 (n - 2)))
  { result = F(n) }

(** Still purely functional, but efficient *)

let rec fib2_aux (n:int) (x:int) (fx:int) (fx_1:int) : int { variant n-x } =
  { 1 <= x <= n and fx = F(x) and fx_1 = F(x-1) }
  (if x = n then
     fx 
   else 
     (fib2_aux n (x+1) (fx+fx_1) fx))
  { result = F(n) }

let fib2 = fun (n:int) ->
  { n >= 0 }
  (if n <= 1 then 1 else (fib2_aux n 1 1 1))
  { result = F(n) }

(** Recursive, but with a local function *)

let fib2b (n:int) =
  let rec helper (x:int) (fx:int) (fx_1:int) : int { variant x } =
    { 0 <= x < n and fx = F(n-x) and fx_1 = F(n-x-1) }
    if x = 0 then fx else helper (x-1) (fx+fx_1) fx
    { result = F(n) }
  in
  if n <= 1 then 1 else helper (n-1) 1 1

(** With a recursive without precondition *)

let rec fib2c_aux (n:int) (fx:int) (fx_1:int) : int { variant n } =
  { 0 <= n }
  if n = 0 then fx else fib2c_aux (n-1) (fx+fx_1) fx
  { forall x:int. 1 <= x -> fx=F(x) -> fx_1=F(x-1) -> result=F(x+n) }

let fib2c (n:int) =
  { n >= 0 }
  (if n <= 1 then 1 else fib2c_aux (n-1) 1 1)
  { result = F(n) } 

(** Imperative *)

let fib3 (n:int) =
 { n >= 0 }
 (let k = ref 1 in
  let x = ref 1 in
  let y = ref 1 in
  begin
    if n > 0 then
    while !k < n do
      { invariant 1 <= k <= n and x = F(k) and y = F(k-1)  variant n - k }
      let t = !y in
      begin
        y := !x;
        x := !x + t;
	k := !k + 1
      end
    done;
    !x
  end)
 { result = F(n) }

(** Imperative, in an array *)

include "arrays.why"

parameter t : int array

let fib4 (n:int) =
  { 0 <= n < array_length(t) }
  init:
  (if n <= 1 then
     1
   else begin
     t[0] := 1;
     t[1] := 1;
     let k = ref 2 in
     while !k <= n do
       { invariant 2 <= k <= n+1 and array_length(t) = array_length(t@init) and
	           forall i:int. 0 <= i < k -> t[i] = F(i)  
         variant n+1 - k }
       t[!k] := t[!k - 1] + t[!k - 2];
       k := !k + 1
     done;
     t[n]
   end)
  { result = F(n) }
why-2.34/examples/misc/max_why.sx0000644000175000017500000005017712311670312015430 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

(BG_PUSH
 ;; Why axiom l_pos
 (< 0 l))

;; pgm_max_end_po_1, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x) (IMPLIES (EQ x 0) (FORALL (y) (IMPLIES (EQ y 1) (<= 0 y)))))))

;; pgm_max_end_po_2, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x) (IMPLIES (EQ x 0) (FORALL (y) (IMPLIES (EQ y 1) (<= y l)))))))

;; pgm_max_end_po_3, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x) (IMPLIES (EQ x 0) (FORALL (y) (IMPLIES (EQ y 1) (<= 0 x)))))))

;; pgm_max_end_po_4, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x) (IMPLIES (EQ x 0) (FORALL (y) (IMPLIES (EQ y 1) (< x l)))))))

;; pgm_max_end_po_5, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (k) (IMPLIES (AND (<= 0 k) (< k y)) (<= (access a k) (access a x))))))))))

;; pgm_max_end_po_6, File "max.mlw", line 27, characters 9-14
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l) (<= 0 y0)))))))))))

;; pgm_max_end_po_7, File "max.mlw", line 27, characters 9-14
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l) (< y0 (array_length a))))))))))))

;; pgm_max_end_po_8, File "max.mlw", line 27, characters 17-22
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result) (IMPLIES (EQ result (access a y0)) (<= 0 x0))))))))))))))

;; pgm_max_end_po_9, File "max.mlw", line 27, characters 17-22
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result) (IMPLIES (EQ result (access a y0)) (< x0 (array_length a)))))))))))))))

;; pgm_max_end_po_10, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (> result result0)
(FORALL (x1)
(IMPLIES (EQ x1 y0) (FORALL (y1) (IMPLIES (EQ y1 (+ y0 1)) (<= 0 y1))))))))))))))))))))))

;; pgm_max_end_po_11, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (> result result0)
(FORALL (x1)
(IMPLIES (EQ x1 y0) (FORALL (y1) (IMPLIES (EQ y1 (+ y0 1)) (<= y1 l))))))))))))))))))))))

;; pgm_max_end_po_12, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (> result result0)
(FORALL (x1)
(IMPLIES (EQ x1 y0) (FORALL (y1) (IMPLIES (EQ y1 (+ y0 1)) (<= 0 x1))))))))))))))))))))))

;; pgm_max_end_po_13, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (> result result0)
(FORALL (x1)
(IMPLIES (EQ x1 y0) (FORALL (y1) (IMPLIES (EQ y1 (+ y0 1)) (< x1 l))))))))))))))))))))))

;; pgm_max_end_po_14, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (> result result0)
(FORALL (x1)
(IMPLIES (EQ x1 y0)
(FORALL (y1)
(IMPLIES (EQ y1 (+ y0 1))
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k y1)) (<= (access a k) (access a x1)))))))))))))))))))))))))

;; pgm_max_end_po_15, File "max.mlw", line 26, characters 16-19
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (> result result0)
(FORALL (x1)
(IMPLIES (EQ x1 y0) (FORALL (y1) (IMPLIES (EQ y1 (+ y0 1)) (<= 0 (- l y0)))))))))))))))))))))))

;; pgm_max_end_po_16, File "max.mlw", line 26, characters 16-19
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (> result result0)
(FORALL (x1)
(IMPLIES (EQ x1 y0)
(FORALL (y1) (IMPLIES (EQ y1 (+ y0 1)) (< (- l y1) (- l y0)))))))))))))))))))))))

;; pgm_max_end_po_17, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (<= result result0)
(FORALL (y1) (IMPLIES (EQ y1 (+ y0 1)) (<= 0 y1))))))))))))))))))))

;; pgm_max_end_po_18, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (<= result result0)
(FORALL (y1) (IMPLIES (EQ y1 (+ y0 1)) (<= y1 l))))))))))))))))))))

;; pgm_max_end_po_19, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (<= result result0)
(FORALL (y1) (IMPLIES (EQ y1 (+ y0 1)) (< x0 l))))))))))))))))))))

;; pgm_max_end_po_20, File "max.mlw", line 24, characters 18-102
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (<= result result0)
(FORALL (y1)
(IMPLIES (EQ y1 (+ y0 1))
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k y1)) (<= (access a k) (access a x0)))))))))))))))))))))))

;; pgm_max_end_po_21, File "max.mlw", line 26, characters 16-19
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (<= result result0)
(FORALL (y1) (IMPLIES (EQ y1 (+ y0 1)) (<= 0 (- l y0)))))))))))))))))))))

;; pgm_max_end_po_22, File "max.mlw", line 26, characters 16-19
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (< y0 l)
(IMPLIES (AND (<= 0 y0) (< y0 (array_length a)))
(FORALL (result)
(IMPLIES (EQ result (access a y0))
(IMPLIES (AND (<= 0 x0) (< x0 (array_length a)))
(FORALL (result0)
(IMPLIES (EQ result0 (access a x0))
(IMPLIES (<= result result0)
(FORALL (y1) (IMPLIES (EQ y1 (+ y0 1)) (< (- l y1) (- l y0)))))))))))))))))))))

;; pgm_max_end_po_23, File "max.mlw", line 32, characters 4-155
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (>= y0 l)
(IMPLIES (EQ (array_length a) l)
(FORALL (a0)
(IMPLIES (AND (EQ (array_length a0) l)
         (AND (EQ (access a0 x0) (access a (- l 1)))
         (AND (EQ (access a0 (- l 1)) (access a x0))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k l))
         (IMPLIES (NEQ k x0)
         (IMPLIES (NEQ k (- l 1)) (EQ (access a0 k) (access a k)))))))))
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k (- l 1)))
(IMPLIES (NEQ k x0) (EQ (access a0 k) (access a k))))))))))))))))))

;; pgm_max_end_po_24, File "max.mlw", line 32, characters 4-155
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (>= y0 l)
(IMPLIES (EQ (array_length a) l)
(FORALL (a0)
(IMPLIES (AND (EQ (array_length a0) l)
         (AND (EQ (access a0 x0) (access a (- l 1)))
         (AND (EQ (access a0 (- l 1)) (access a x0))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k l))
         (IMPLIES (NEQ k x0)
         (IMPLIES (NEQ k (- l 1)) (EQ (access a0 k) (access a k)))))))))
(EQ (access a0 x0) (access a (- l 1))))))))))))))))

;; pgm_max_end_po_25, File "max.mlw", line 32, characters 4-155
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (>= y0 l)
(IMPLIES (EQ (array_length a) l)
(FORALL (a0)
(IMPLIES (AND (EQ (array_length a0) l)
         (AND (EQ (access a0 x0) (access a (- l 1)))
         (AND (EQ (access a0 (- l 1)) (access a x0))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k l))
         (IMPLIES (NEQ k x0)
         (IMPLIES (NEQ k (- l 1)) (EQ (access a0 k) (access a k)))))))))
(EQ (access a0 (- l 1)) (access a x0)))))))))))))))

;; pgm_max_end_po_26, File "max.mlw", line 32, characters 4-155
(FORALL (a)
(IMPLIES (EQ (array_length a) l)
(FORALL (x)
(IMPLIES (EQ x 0)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (x0)
(FORALL (y0)
(IMPLIES (AND (AND (<= 0 y0) (<= y0 l))
         (AND (AND (<= 0 x0) (< x0 l))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k y0)) (<= (access a k) (access a x0))))))
(IMPLIES (>= y0 l)
(IMPLIES (EQ (array_length a) l)
(FORALL (a0)
(IMPLIES (AND (EQ (array_length a0) l)
         (AND (EQ (access a0 x0) (access a (- l 1)))
         (AND (EQ (access a0 (- l 1)) (access a x0))
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k l))
         (IMPLIES (NEQ k x0)
         (IMPLIES (NEQ k (- l 1)) (EQ (access a0 k) (access a k)))))))))
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k (- l 1))) (<= (access a0 k) (access a0 (- l 1))))))))))))))))))

why-2.34/examples/misc/power_why.v0000644000175000017500000000560612311670312015607 0ustar  rtusers
Require Import Sumbool.
Require Import Why.
Require Import Omega.
Require Import ZArithRing.

Require Import Zcomplements.
Require Import Zpower.

Definition square x := (x * x)%Z.
Definition double x := (2 * x)%Z.

Definition div2 := Zdiv2.

Definition is_odd x :=
  bool_of_sumbool (sumbool_not _ _ (Zeven_odd_dec x)).

(* Some auxiliary lemmas about Zdiv2 are necessary *)

Lemma Zdiv2_ge_0 : forall x:Z, (x >= 0)%Z -> (Zdiv2 x >= 0)%Z.
Proof.
simple destruct x; auto with zarith.
simple destruct p; auto with zarith.
simpl.
 omega.
intros.
 absurd (Zneg p >= 0)%Z; red; auto with zarith.
Qed.

Lemma Zdiv2_lt : forall x:Z, (x > 0)%Z -> (Zdiv2 x < x)%Z.
Proof.
simple destruct x.
intro.
 absurd (0 > 0)%Z; [ omega | assumption ].
simple destruct p; auto with zarith.

simpl.
intro p0.
replace (Zpos (xI p0)) with (2 * Zpos p0 + 1)%Z.
omega.
simpl.
 auto with zarith.

intro p0.
simpl.
replace (Zpos (xO p0)) with (2 * Zpos p0)%Z.
omega.
simpl.
 auto with zarith.

simpl.
 omega.

intros.
 absurd (Zneg p > 0)%Z; red; auto with zarith.
elim p; auto with zarith.
Qed.

(* A property of Zpower:  x^(2*n) = (x^2)^n *)

Lemma Zpower_2n :
 forall x n:Z, (n >= 0)%Z -> Zpower x (double n) = Zpower (square x) n.
Proof.
unfold double.
intros x0 n Hn.
replace (2 * n)%Z with (n + n)%Z.
rewrite Zpower_exp.
pattern n.
apply natlike_ind.

simpl.
 auto with zarith.

intros.
unfold Zsucc.
rewrite Zpower_exp.
rewrite Zpower_exp.
replace (Zpower x0 1) with x0.
replace (Zpower (square x0) 1) with (square x0).
rewrite <- H0.
unfold square.
ring.

unfold Zpower; unfold Zpower_pos; simpl.
 omega.

unfold Zpower; unfold Zpower_pos; simpl.
 omega.

omega.
omega.
omega.
omega.
omega.
assumption.
assumption.
omega.
Qed.

(* Obligations *)


(*Why logic*) Definition x : Z.
Admitted.

Proof.
intuition; subst.
ring; auto.
Qed.

Proof.
simpl; intros.
repeat split; try omega.
intuition.
assert (h: x ^ n = y0 * m0 ^ (2 * Zdiv2 n0 + 1)).
assert (hn0 : n0 >= 0). assumption.
rewrite <- (Zodd_div2 n0 hn0); auto.
rewrite h.
rewrite Zpower_exp.
replace (Zpower m0 1) with m0.
rewrite Zpower_2n.
unfold square.
subst m1 n1 y1; unfold div2.
ring.
generalize (Zdiv2_ge_0 n0); omega.
unfold Zpower; unfold Zpower_pos; simpl; ring.
generalize (Zdiv2_ge_0 n0); omega.
omega.
subst; apply Zdiv2_ge_0; omega.
subst; apply Zdiv2_lt; omega.
Qed.

Proof.
simpl; intuition.
assert (h: x ^ n = y0 * m0 ^ (2 * Zdiv2 n0)).
rewrite <- (Zeven_div2 n0); auto.
rewrite h.
rewrite Zpower_2n.
unfold square.
subst; unfold div2.
ring.
generalize (Zdiv2_ge_0 n0); omega.
subst; apply Zdiv2_ge_0; omega.
subst; unfold Zwf; intuition; apply Zdiv2_lt; omega.
Qed.

Proof.
intros.
intuition.
transitivity (y0 * m0 ^ n0); auto.
replace n0 with 0%Z.
simpl; ring.
omega.
Qed.



(*Why logic*) Definition div2 : Z -> Z.
Admitted.

(*Why logic*) Definition Zeven : Z -> Prop.
Admitted.

(*Why logic*) Definition Zodd : Z -> Prop.
Admitted.

(*Why logic*) Definition Zpower : Z -> Z -> Z.
Admitted.

why-2.34/examples/misc/loop0_why.sx0000644000175000017500000001345712311670312015674 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; p_po_1, File "loop0.mlw", line 14, characters 16-32
(FORALL (x) (IMPLIES (>= x 0) (<= 0 x)))

;; p_po_2, File "loop0.mlw", line 14, characters 16-32
(FORALL (x) (IMPLIES (>= x 0) (<= x x)))

;; p_po_3, File "loop0.mlw", line 14, characters 16-32
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (x0)
(IMPLIES (AND (<= 0 x0) (<= x0 x))
(IMPLIES (> x0 0) (FORALL (x1) (IMPLIES (EQ x1 (- x0 1)) (<= 0 x1))))))))

;; p_po_4, File "loop0.mlw", line 14, characters 16-32
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (x0)
(IMPLIES (AND (<= 0 x0) (<= x0 x))
(IMPLIES (> x0 0) (FORALL (x1) (IMPLIES (EQ x1 (- x0 1)) (<= x1 x))))))))

;; p_po_5, File "loop0.mlw", line 14, characters 42-43
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (x0)
(IMPLIES (AND (<= 0 x0) (<= x0 x))
(IMPLIES (> x0 0) (FORALL (x1) (IMPLIES (EQ x1 (- x0 1)) (< x1 x0))))))))

;; p_po_6, File "loop0.mlw", line 17, characters 4-9
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (x0)
(IMPLIES (AND (<= 0 x0) (<= x0 x)) (IMPLIES (<= x0 0) (EQ x0 0))))))

why-2.34/examples/misc/flag.mlw0000644000175000017500000000216012311670312015017 0ustar  rtusers
(** Dijkstra's "Dutch national flag" *)

external type color

external logic blue, white, red : color

external parameter eq_blue  : c:color -> {} bool { if result then c=blue else c<>blue }
external parameter eq_white : c:color -> {} bool { if result then c=white else c<>white }

logic N : int
parameter t : color array

external logic monochrome : color farray, int, int, color -> prop

let dutch_flag () = 
  { array_length(t) = N }
  let b = ref 0 in
  let i = ref 0 in
  let r = ref N in
  begin
  while !i < !r do
     { invariant 0 <= b <= i and i <= r <= N and
	         monochrome(t,0,b,blue) and 
	         monochrome(t,b,i,white) and 
	         monochrome(t,r,N,red) and
		 array_length(t) = N
       variant r - i }
     if (eq_blue t[!i]) then begin
       let u = t[!b] in begin t[!b] := t[!i]; t[!i] := u end;
       b := !b + 1;
       i := !i + 1
     end else if (eq_white t[!i]) then
       i := !i + 1
     else begin
       r := !r - 1;
       let u = t[!r] in begin t[!r] := t[!i]; t[!i] := u end
     end
  done
  { monochrome(t,0,b,blue) and 
    monochrome(t,b,r,white) and 
    monochrome(t,r,N,red) }
  end
why-2.34/examples/misc/swap0_why.v0000644000175000017500000000114612311670312015500 0ustar  rtusersRequire Import Why.
Require Import Omega.

Proof.
intuition.
Qed.


Proof.
intuition.
Qed.

Proof.
intuition.
Qed.


 (* call_swap3_y_x_po_1 *)
Proof.
intuition.
Qed.



Proof.
intuition.
Qed.


Proof.
intuition.
Qed.

Proof.
intuition.
Qed.


Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.


Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.


Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.





Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.



Proof.
(* FILL PROOF HERE *)
Save.


Proof.
(* FILL PROOF HERE *)
Save.


why-2.34/examples/misc/flag_ax_why.sx0000644000175000017500000015472512311670312016250 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

(DEFPRED (is_color c) (OR (EQ c blue) (OR (EQ c white) (EQ c red))))

(BG_PUSH
 ;; Why axiom acc_upd_eq
 (FORALL (a i c) (EQ (acc (upd a i c) i) c)))

(BG_PUSH
 ;; Why axiom acc_upd_neq
 (FORALL (a i j c) (IMPLIES (NEQ i j) (EQ (acc (upd a j c) i) (acc a i))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (a c) (EQ (acc (upd a j c) i) (acc a i))))))

(BG_PUSH
 ;; Why axiom length_update
 (FORALL (a i c) (EQ (length (upd a i c)) (length a))))

(DEFPRED (monochrome t i j c)
  (FORALL (k) (IMPLIES (AND (<= i k) (< k j)) (EQ (acc t k) c))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l r) (EQ (Permutation t t l r) |@true|)))

(BG_PUSH
 ;; Why axiom permut_swap
 (FORALL (t l r i j)
 (IMPLIES (AND (<= l i) (<= i r))
 (IMPLIES (AND (<= l j) (<= j r))
 (EQ (Permutation t (upd (upd t i (acc t j)) j (acc t i)) l r) |@true|))))

 (FORALL (l r i)
 (IMPLIES (AND (<= l i) (<= i r))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j r))
 (FORALL (t)
 (EQ (Permutation t (upd (upd t i (acc t j)) j (acc t i)) l r) |@true|)))))))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l r)
 (IMPLIES (EQ (Permutation t1 t2 l r) |@true|)
 (EQ (Permutation t2 t1 l r) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l r)
 (IMPLIES (EQ (Permutation t1 t2 l r) |@true|)
 (IMPLIES (EQ (Permutation t2 t3 l r) |@true|)
 (EQ (Permutation t1 t3 l r) |@true|))))

 (FORALL (t1 t2 l r)
 (IMPLIES (EQ (Permutation t1 t2 l r) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (Permutation t2 t3 l r) |@true|)
 (EQ (Permutation t1 t3 l r) |@true|))))))

;; swap_po_1, File "flag_ax.mlw", line 61, characters 10-17
(FORALL (i)
(FORALL (j)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 i) (< i (length t)))
         (AND (<= 0 j) (< j (length t))))
(<= 0 i)))))

;; swap_po_2, File "flag_ax.mlw", line 61, characters 10-17
(FORALL (i)
(FORALL (j)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 i) (< i (length t)))
         (AND (<= 0 j) (< j (length t))))
(< i (length t))))))

;; swap_po_3, File "flag_ax.mlw", line 62, characters 11-18
(FORALL (i)
(FORALL (j)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 i) (< i (length t)))
         (AND (<= 0 j) (< j (length t))))
(IMPLIES (AND (<= 0 i) (< i (length t)))
(FORALL (result) (IMPLIES (EQ result (acc t i)) (<= 0 j))))))))

;; swap_po_4, File "flag_ax.mlw", line 62, characters 11-18
(FORALL (i)
(FORALL (j)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 i) (< i (length t)))
         (AND (<= 0 j) (< j (length t))))
(IMPLIES (AND (<= 0 i) (< i (length t)))
(FORALL (result) (IMPLIES (EQ result (acc t i)) (< j (length t)))))))))

;; swap_po_5, File "flag_ax.mlw", line 63, characters 2-11
(FORALL (i)
(FORALL (j)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 i) (< i (length t)))
         (AND (<= 0 j) (< j (length t))))
(IMPLIES (AND (<= 0 i) (< i (length t)))
(FORALL (result)
(IMPLIES (EQ result (acc t i))
(IMPLIES (AND (<= 0 j) (< j (length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t j))
(IMPLIES (AND (<= 0 i) (< i (length t)))
(FORALL (t0) (IMPLIES (EQ t0 (upd t i result0)) (< j (length t0)))))))))))))))

;; swap_po_6, File "flag_ax.mlw", line 64, characters 4-46
(FORALL (i)
(FORALL (j)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 i) (< i (length t)))
         (AND (<= 0 j) (< j (length t))))
(IMPLIES (AND (<= 0 i) (< i (length t)))
(FORALL (result)
(IMPLIES (EQ result (acc t i))
(IMPLIES (AND (<= 0 j) (< j (length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t j))
(IMPLIES (AND (<= 0 i) (< i (length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (upd t i result0))
(IMPLIES (AND (<= 0 j) (< j (length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (upd t0 j result))
(EQ t1 (upd (upd t i (acc t j)) j (acc t i)))))))))))))))))))

;; dutch_flag_po_1, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(<= 0 0))))

;; dutch_flag_po_2, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(<= 0 0))))

;; dutch_flag_po_3, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(<= n n))))

;; dutch_flag_po_4, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(monochrome t 0 0 blue))))

;; dutch_flag_po_5, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(monochrome t 0 0 white))))

;; dutch_flag_po_6, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(monochrome t n n red))))

;; dutch_flag_po_7, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(EQ (length t) n))))

;; dutch_flag_po_8, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k)))))))

;; dutch_flag_po_9, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(EQ (Permutation t t 0 (- n 1)) |@true|))))

;; dutch_flag_po_10, File "flag_ax.mlw", line 82, characters 18-26
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r) (<= 0 i))))))))))

;; dutch_flag_po_11, File "flag_ax.mlw", line 82, characters 18-26
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r) (< i (length t0)))))))))))

;; dutch_flag_po_12, File "flag_ax.mlw", line 83, characters 7-19
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i)) (IMPLIES (EQ result blue) (<= 0 b))))))))))))))

;; dutch_flag_po_13, File "flag_ax.mlw", line 83, characters 7-19
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i)) (IMPLIES (EQ result blue) (< b (length t0)))))))))))))))

;; dutch_flag_po_14, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (AND (<= 0 b) (< b (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 b (acc t0 i)) i (acc t0 b)))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1)) (FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= 0 b0)))))))))))))))))))))

;; dutch_flag_po_15, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (AND (<= 0 b) (< b (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 b (acc t0 i)) i (acc t0 b)))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1)) (FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= b0 i0)))))))))))))))))))))

;; dutch_flag_po_16, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (AND (<= 0 b) (< b (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 b (acc t0 i)) i (acc t0 b)))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1)) (FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= i0 r)))))))))))))))))))))

;; dutch_flag_po_17, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (AND (<= 0 b) (< b (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 b (acc t0 i)) i (acc t0 b)))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1)) (FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= r n)))))))))))))))))))))

;; dutch_flag_po_18, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (AND (<= 0 b) (< b (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 b (acc t0 i)) i (acc t0 b)))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (monochrome t1 0 b0 blue)))))))))))))))))))))

;; dutch_flag_po_19, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (AND (<= 0 b) (< b (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 b (acc t0 i)) i (acc t0 b)))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (monochrome t1 b0 i0 white)))))))))))))))))))))

;; dutch_flag_po_20, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (AND (<= 0 b) (< b (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 b (acc t0 i)) i (acc t0 b)))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (monochrome t1 r n red)))))))))))))))))))))

;; dutch_flag_po_21, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (AND (<= 0 b) (< b (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 b (acc t0 i)) i (acc t0 b)))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (EQ (length t1) n)))))))))))))))))))))

;; dutch_flag_po_22, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (AND (<= 0 b) (< b (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 b (acc t0 i)) i (acc t0 b)))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t1 k))))))))))))))))))))))))

;; dutch_flag_po_23, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (AND (<= 0 b) (< b (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 b (acc t0 i)) i (acc t0 b)))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1)) (EQ (Permutation t1 t 0 (- n 1)) |@true|)))))))))))))))))))))

;; dutch_flag_po_24, File "flag_ax.mlw", line 81, characters 15-20
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (AND (<= 0 b) (< b (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 b (acc t0 i)) i (acc t0 b)))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= 0 (- r i))))))))))))))))))))))

;; dutch_flag_po_25, File "flag_ax.mlw", line 81, characters 15-20
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (AND (<= 0 b) (< b (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 b (acc t0 i)) i (acc t0 b)))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (< (- r i0) (- r i))))))))))))))))))))))

;; dutch_flag_po_26, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (EQ result0 white) (FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= 0 b))))))))))))))))))))

;; dutch_flag_po_27, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (EQ result0 white)
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= b i0))))))))))))))))))))

;; dutch_flag_po_28, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (EQ result0 white)
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= i0 r))))))))))))))))))))

;; dutch_flag_po_29, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (EQ result0 white) (FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= r n))))))))))))))))))))

;; dutch_flag_po_30, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (EQ result0 white)
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (monochrome t0 0 b blue))))))))))))))))))))

;; dutch_flag_po_31, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (EQ result0 white)
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (monochrome t0 b i0 white))))))))))))))))))))

;; dutch_flag_po_32, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (EQ result0 white)
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (monochrome t0 r n red))))))))))))))))))))

;; dutch_flag_po_33, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (EQ result0 white)
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (EQ (length t0) n))))))))))))))))))))

;; dutch_flag_po_34, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (EQ result0 white)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k)))))))))))))))))))))))

;; dutch_flag_po_35, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (EQ result0 white)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1)) (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))))))))))))))

;; dutch_flag_po_36, File "flag_ax.mlw", line 81, characters 15-20
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (EQ result0 white)
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= 0 (- r i)))))))))))))))))))))

;; dutch_flag_po_37, File "flag_ax.mlw", line 81, characters 15-20
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (EQ result0 white)
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (< (- r i0) (- r i)))))))))))))))))))))

;; dutch_flag_po_38, File "flag_ax.mlw", line 90, characters 7-19
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0) (IMPLIES (EQ r0 (- r 1)) (<= 0 r0))))))))))))))))))))

;; dutch_flag_po_39, File "flag_ax.mlw", line 90, characters 7-19
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0) (IMPLIES (EQ r0 (- r 1)) (< r0 (length t0)))))))))))))))))))))

;; dutch_flag_po_40, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (AND (<= 0 r0) (< r0 (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 r0 (acc t0 i)) i (acc t0 r0))) (<= 0 b)))))))))))))))))))))))

;; dutch_flag_po_41, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (AND (<= 0 r0) (< r0 (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 r0 (acc t0 i)) i (acc t0 r0))) (<= b i)))))))))))))))))))))))

;; dutch_flag_po_42, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (AND (<= 0 r0) (< r0 (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 r0 (acc t0 i)) i (acc t0 r0))) (<= i r0)))))))))))))))))))))))

;; dutch_flag_po_43, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (AND (<= 0 r0) (< r0 (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 r0 (acc t0 i)) i (acc t0 r0))) (<= r0 n)))))))))))))))))))))))

;; dutch_flag_po_44, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (AND (<= 0 r0) (< r0 (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 r0 (acc t0 i)) i (acc t0 r0)))
(monochrome t1 0 b blue)))))))))))))))))))))))

;; dutch_flag_po_45, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (AND (<= 0 r0) (< r0 (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 r0 (acc t0 i)) i (acc t0 r0)))
(monochrome t1 b i white)))))))))))))))))))))))

;; dutch_flag_po_46, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (AND (<= 0 r0) (< r0 (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 r0 (acc t0 i)) i (acc t0 r0)))
(monochrome t1 r0 n red)))))))))))))))))))))))

;; dutch_flag_po_47, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (AND (<= 0 r0) (< r0 (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 r0 (acc t0 i)) i (acc t0 r0)))
(EQ (length t1) n)))))))))))))))))))))))

;; dutch_flag_po_48, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (AND (<= 0 r0) (< r0 (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 r0 (acc t0 i)) i (acc t0 r0)))
(FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t1 k))))))))))))))))))))))))))

;; dutch_flag_po_49, File "flag_ax.mlw", line 74, characters 17-290
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (AND (<= 0 r0) (< r0 (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 r0 (acc t0 i)) i (acc t0 r0)))
(EQ (Permutation t1 t 0 (- n 1)) |@true|)))))))))))))))))))))))

;; dutch_flag_po_50, File "flag_ax.mlw", line 81, characters 15-20
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (AND (<= 0 r0) (< r0 (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 r0 (acc t0 i)) i (acc t0 r0))) (<= 0 (- r i))))))))))))))))))))))))

;; dutch_flag_po_51, File "flag_ax.mlw", line 81, characters 15-20
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result)
(IMPLIES (EQ result (acc t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (acc t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (AND (<= 0 r0) (< r0 (length t0)))
         (AND (<= 0 i) (< i (length t0))))
(FORALL (t1)
(IMPLIES (EQ t1 (upd (upd t0 r0 (acc t0 i)) i (acc t0 r0)))
(< (- r0 i) (- r i))))))))))))))))))))))))

;; dutch_flag_po_52, File "flag_ax.mlw", line 93, characters 4-163
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (>= i r)
(EXISTS (b)
(EXISTS (r)
(AND (monochrome t0 0 b blue)
(AND (monochrome t0 b r white) (monochrome t0 r n red))))))))))))))

;; dutch_flag_po_53, File "flag_ax.mlw", line 93, characters 4-163
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n)
         (AND (EQ (length t) n)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t k))))))
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r n))
         (AND (monochrome t0 0 b blue)
         (AND (monochrome t0 b i white)
         (AND (monochrome t0 r n red)
         (AND (EQ (length t0) n)
         (AND
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k n)) (is_color (acc t0 k))))
         (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))
(IMPLIES (>= i r) (EQ (Permutation t0 t 0 (- n 1)) |@true|))))))))))

why-2.34/examples/misc/flag_why.v0000644000175000017500000003173712311670312015370 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Import Sumbool.


(*Why logic*) Definition N : Z.
Admitted.

Axiom N_non_negative : (0 <= N)%Z.

Inductive color : Set :=
  | blue : color
  | white : color
  | red : color.

Lemma eq_color_dec : forall c1 c2:color, {c1 = c2} + {c1 <> c2}.
 Proof.
 intros; decide equality c1 c2.
Qed.

Definition eq_blue c := bool_of_sumbool (eq_color_dec c blue).
Definition eq_white c := bool_of_sumbool (eq_color_dec c white).

Definition monochrome (t:array color) (i j:Z) (c:color) : Prop :=
  forall k:Z, (i <= k < j)%Z -> access t k = c.


(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma dutch_flag_po_1 : 
  forall (t: (array color)),
  forall (HW_1: (array_length t) = N),
  (0 <= 0 /\ 0 <= 0) /\ (0 <= N /\ N <= N) /\ (monochrome t 0 0 blue) /\
  (monochrome t 0 0 white) /\ (monochrome t N N red) /\ (array_length t) = N.
Proof.
unfold monochrome; intuition; try (elimtype False; omega).
exact N_non_negative.
Qed.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma dutch_flag_po_2 : 
  forall (t: (array color)),
  forall (HW_1: (array_length t) = N),
  forall (HW_2: (0 <= 0 /\ 0 <= 0) /\ (0 <= N /\ N <= N) /\
                (monochrome t 0 0 blue) /\ (monochrome t 0 0 white) /\
                (monochrome t N N red) /\ (array_length t) = N),
  forall (b: Z),
  forall (i: Z),
  forall (r: Z),
  forall (t0: (array color)),
  forall (HW_3: (0 <= b /\ b <= i) /\ (i <= r /\ r <= N) /\
                (monochrome t0 0 b blue) /\ (monochrome t0 b i white) /\
                (monochrome t0 r N red) /\ (array_length t0) = N),
  forall (HW_4: i < r),
  0 <= i /\ i < (array_length t0).
Proof.
intuition.
Qed.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma dutch_flag_po_3 : 
  forall (t: (array color)),
  forall (HW_1: (array_length t) = N),
  forall (HW_2: (0 <= 0 /\ 0 <= 0) /\ (0 <= N /\ N <= N) /\
                (monochrome t 0 0 blue) /\ (monochrome t 0 0 white) /\
                (monochrome t N N red) /\ (array_length t) = N),
  forall (b: Z),
  forall (i: Z),
  forall (r: Z),
  forall (t0: (array color)),
  forall (HW_3: (0 <= b /\ b <= i) /\ (i <= r /\ r <= N) /\
                (monochrome t0 0 b blue) /\ (monochrome t0 b i white) /\
                (monochrome t0 r N red) /\ (array_length t0) = N),
  forall (HW_4: i < r),
  forall (HW_5: 0 <= i /\ i < (array_length t0)),
  forall (result: color),
  forall (HW_6: result = (access t0 i)),
  forall (HW_7: result = blue),
  0 <= b /\ b < (array_length t0).
Proof.
intuition.
Qed.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma dutch_flag_po_4 : 
  forall (t: (array color)),
  forall (HW_1: (array_length t) = N),
  forall (HW_2: (0 <= 0 /\ 0 <= 0) /\ (0 <= N /\ N <= N) /\
                (monochrome t 0 0 blue) /\ (monochrome t 0 0 white) /\
                (monochrome t N N red) /\ (array_length t) = N),
  forall (b: Z),
  forall (i: Z),
  forall (r: Z),
  forall (t0: (array color)),
  forall (HW_3: (0 <= b /\ b <= i) /\ (i <= r /\ r <= N) /\
                (monochrome t0 0 b blue) /\ (monochrome t0 b i white) /\
                (monochrome t0 r N red) /\ (array_length t0) = N),
  forall (HW_4: i < r),
  forall (HW_5: 0 <= i /\ i < (array_length t0)),
  forall (result: color),
  forall (HW_6: result = (access t0 i)),
  forall (HW_7: result = blue),
  forall (HW_8: 0 <= b /\ b < (array_length t0)),
  forall (result0: color),
  forall (HW_9: result0 = (access t0 b)),
  forall (HW_10: 0 <= i /\ i < (array_length t0)),
  forall (result1: color),
  forall (HW_11: result1 = (access t0 i)),
  forall (HW_12: 0 <= b /\ b < (array_length t0)),
  forall (t1: (array color)),
  forall (HW_13: t1 = (update t0 b result1)),
  0 <= i /\ i < (array_length t1).
Proof.
intuition.
Qed.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma dutch_flag_po_5 : 
  forall (t: (array color)),
  forall (HW_1: (array_length t) = N),
  forall (HW_2: (0 <= 0 /\ 0 <= 0) /\ (0 <= N /\ N <= N) /\
                (monochrome t 0 0 blue) /\ (monochrome t 0 0 white) /\
                (monochrome t N N red) /\ (array_length t) = N),
  forall (b: Z),
  forall (i: Z),
  forall (r: Z),
  forall (t0: (array color)),
  forall (HW_3: (0 <= b /\ b <= i) /\ (i <= r /\ r <= N) /\
                (monochrome t0 0 b blue) /\ (monochrome t0 b i white) /\
                (monochrome t0 r N red) /\ (array_length t0) = N),
  forall (HW_4: i < r),
  forall (HW_5: 0 <= i /\ i < (array_length t0)),
  forall (result: color),
  forall (HW_6: result = (access t0 i)),
  forall (HW_7: result = blue),
  forall (HW_8: 0 <= b /\ b < (array_length t0)),
  forall (result0: color),
  forall (HW_9: result0 = (access t0 b)),
  forall (HW_10: 0 <= i /\ i < (array_length t0)),
  forall (result1: color),
  forall (HW_11: result1 = (access t0 i)),
  forall (HW_12: 0 <= b /\ b < (array_length t0)),
  forall (t1: (array color)),
  forall (HW_13: t1 = (update t0 b result1)),
  forall (HW_14: 0 <= i /\ i < (array_length t1)),
  forall (t2: (array color)),
  forall (HW_15: t2 = (update t1 i result0)),
  forall (b0: Z),
  forall (HW_16: b0 = (b + 1)),
  forall (i0: Z),
  forall (HW_17: i0 = (i + 1)),
  ((0 <= b0 /\ b0 <= i0) /\ (i0 <= r /\ r <= N) /\
  (monochrome t2 0 b0 blue) /\ (monochrome t2 b0 i0 white) /\
  (monochrome t2 r N red) /\ (array_length t2) = N) /\
  (Zwf 0 (r - i0) (r - i)).
Proof.
intuition; subst; auto.
Qed.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma dutch_flag_po_6 : 
  forall (t: (array color)),
  forall (HW_1: (array_length t) = N),
  forall (HW_2: (0 <= 0 /\ 0 <= 0) /\ (0 <= N /\ N <= N) /\
                (monochrome t 0 0 blue) /\ (monochrome t 0 0 white) /\
                (monochrome t N N red) /\ (array_length t) = N),
  forall (b: Z),
  forall (i: Z),
  forall (r: Z),
  forall (t0: (array color)),
  forall (HW_3: (0 <= b /\ b <= i) /\ (i <= r /\ r <= N) /\
                (monochrome t0 0 b blue) /\ (monochrome t0 b i white) /\
                (monochrome t0 r N red) /\ (array_length t0) = N),
  forall (HW_4: i < r),
  forall (HW_5: 0 <= i /\ i < (array_length t0)),
  forall (result: color),
  forall (HW_6: result = (access t0 i)),
  forall (HW_18: ~(result = blue)),
  forall (HW_19: 0 <= i /\ i < (array_length t0)),
  forall (result0: color),
  forall (HW_20: result0 = (access t0 i)),
  forall (HW_21: result0 = white),
  forall (i0: Z),
  forall (HW_22: i0 = (i + 1)),
  ((0 <= b /\ b <= i0) /\ (i0 <= r /\ r <= N) /\ (monochrome t0 0 b blue) /\
  (monochrome t0 b i0 white) /\ (monochrome t0 r N red) /\
  (array_length t0) = N) /\ (Zwf 0 (r - i0) (r - i)).
Proof.
intuition.
ArraySubst t1.
Qed.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma dutch_flag_po_7 : 
  forall (t: (array color)),
  forall (HW_1: (array_length t) = N),
  forall (HW_2: (0 <= 0 /\ 0 <= 0) /\ (0 <= N /\ N <= N) /\
                (monochrome t 0 0 blue) /\ (monochrome t 0 0 white) /\
                (monochrome t N N red) /\ (array_length t) = N),
  forall (b: Z),
  forall (i: Z),
  forall (r: Z),
  forall (t0: (array color)),
  forall (HW_3: (0 <= b /\ b <= i) /\ (i <= r /\ r <= N) /\
                (monochrome t0 0 b blue) /\ (monochrome t0 b i white) /\
                (monochrome t0 r N red) /\ (array_length t0) = N),
  forall (HW_4: i < r),
  forall (HW_5: 0 <= i /\ i < (array_length t0)),
  forall (result: color),
  forall (HW_6: result = (access t0 i)),
  forall (HW_18: ~(result = blue)),
  forall (HW_19: 0 <= i /\ i < (array_length t0)),
  forall (result0: color),
  forall (HW_20: result0 = (access t0 i)),
  forall (HW_23: ~(result0 = white)),
  forall (r0: Z),
  forall (HW_24: r0 = (r - 1)),
  0 <= r0 /\ r0 < (array_length t0).
Proof.
unfold monochrome, Zwf; intuition try omega.
assert (h: (k < b)%Z \/ k = b).
 omega.
 intuition.
subst t2; AccessOther.
subst t1; AccessOther.
auto.
subst.
assert (h: b = i \/ (b < i)).
 omega.
 intuition.
subst.
AccessSame.
assumption.
AccessOther.
assumption.
assert (h: k = i \/ (k < i)).
 omega.
 intuition.
subst; AccessSame.
auto with *.
subst t2; AccessOther.
subst; AccessOther.
auto with *.
subst t2; AccessOther.
subst; AccessOther.
auto with *.
ArraySubst t1.
subst t2 t1; simpl; auto.
Qed.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma dutch_flag_po_8 : 
  forall (t: (array color)),
  forall (HW_1: (array_length t) = N),
  forall (HW_2: (0 <= 0 /\ 0 <= 0) /\ (0 <= N /\ N <= N) /\
                (monochrome t 0 0 blue) /\ (monochrome t 0 0 white) /\
                (monochrome t N N red) /\ (array_length t) = N),
  forall (b: Z),
  forall (i: Z),
  forall (r: Z),
  forall (t0: (array color)),
  forall (HW_3: (0 <= b /\ b <= i) /\ (i <= r /\ r <= N) /\
                (monochrome t0 0 b blue) /\ (monochrome t0 b i white) /\
                (monochrome t0 r N red) /\ (array_length t0) = N),
  forall (HW_4: i < r),
  forall (HW_5: 0 <= i /\ i < (array_length t0)),
  forall (result: color),
  forall (HW_6: result = (access t0 i)),
  forall (HW_18: ~(result = blue)),
  forall (HW_19: 0 <= i /\ i < (array_length t0)),
  forall (result0: color),
  forall (HW_20: result0 = (access t0 i)),
  forall (HW_23: ~(result0 = white)),
  forall (r0: Z),
  forall (HW_24: r0 = (r - 1)),
  forall (HW_25: 0 <= r0 /\ r0 < (array_length t0)),
  forall (result1: color),
  forall (HW_26: result1 = (access t0 r0)),
  forall (HW_27: 0 <= i /\ i < (array_length t0)),
  forall (result2: color),
  forall (HW_28: result2 = (access t0 i)),
  forall (HW_29: 0 <= r0 /\ r0 < (array_length t0)),
  forall (t1: (array color)),
  forall (HW_30: t1 = (update t0 r0 result2)),
  0 <= i /\ i < (array_length t1).
Proof.
intuition.
Qed.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma dutch_flag_po_9 : 
  forall (t: (array color)),
  forall (HW_1: (array_length t) = N),
  forall (HW_2: (0 <= 0 /\ 0 <= 0) /\ (0 <= N /\ N <= N) /\
                (monochrome t 0 0 blue) /\ (monochrome t 0 0 white) /\
                (monochrome t N N red) /\ (array_length t) = N),
  forall (b: Z),
  forall (i: Z),
  forall (r: Z),
  forall (t0: (array color)),
  forall (HW_3: (0 <= b /\ b <= i) /\ (i <= r /\ r <= N) /\
                (monochrome t0 0 b blue) /\ (monochrome t0 b i white) /\
                (monochrome t0 r N red) /\ (array_length t0) = N),
  forall (HW_4: i < r),
  forall (HW_5: 0 <= i /\ i < (array_length t0)),
  forall (result: color),
  forall (HW_6: result = (access t0 i)),
  forall (HW_18: ~(result = blue)),
  forall (HW_19: 0 <= i /\ i < (array_length t0)),
  forall (result0: color),
  forall (HW_20: result0 = (access t0 i)),
  forall (HW_23: ~(result0 = white)),
  forall (r0: Z),
  forall (HW_24: r0 = (r - 1)),
  forall (HW_25: 0 <= r0 /\ r0 < (array_length t0)),
  forall (result1: color),
  forall (HW_26: result1 = (access t0 r0)),
  forall (HW_27: 0 <= i /\ i < (array_length t0)),
  forall (result2: color),
  forall (HW_28: result2 = (access t0 i)),
  forall (HW_29: 0 <= r0 /\ r0 < (array_length t0)),
  forall (t1: (array color)),
  forall (HW_30: t1 = (update t0 r0 result2)),
  forall (HW_31: 0 <= i /\ i < (array_length t1)),
  forall (t2: (array color)),
  forall (HW_32: t2 = (update t1 i result1)),
  ((0 <= b /\ b <= i) /\ (i <= r0 /\ r0 <= N) /\ (monochrome t2 0 b blue) /\
  (monochrome t2 b i white) /\ (monochrome t2 r0 N red) /\
  (array_length t2) = N) /\ (Zwf 0 (r0 - i) (r - i)).
Proof.
unfold monochrome, Zwf; intuition try omega.
assert (h: (k < i)%Z \/ k = i).
 omega.
 intuition.
subst; assumption.
Qed.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma dutch_flag_po_10 : 
  forall (t: (array color)),
  forall (HW_1: (array_length t) = N),
  forall (HW_2: (0 <= 0 /\ 0 <= 0) /\ (0 <= N /\ N <= N) /\
                (monochrome t 0 0 blue) /\ (monochrome t 0 0 white) /\
                (monochrome t N N red) /\ (array_length t) = N),
  forall (b: Z),
  forall (i: Z),
  forall (r: Z),
  forall (t0: (array color)),
  forall (HW_3: (0 <= b /\ b <= i) /\ (i <= r /\ r <= N) /\
                (monochrome t0 0 b blue) /\ (monochrome t0 b i white) /\
                (monochrome t0 r N red) /\ (array_length t0) = N),
  forall (HW_33: i >= r),
  (monochrome t0 0 b blue) /\ (monochrome t0 b r white) /\
  (monochrome t0 r N red).
Proof.
intuition.
Qed.


Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
ArraySubst t1.
Save.

Proof.
unfold monochrome, Zwf; intuition try omega.
subst t2 t1; do 2 AccessOther.
auto with *.
subst t2 t1; do 2 AccessOther.
 auto with *.
assert (h: k = r0 \/ (r0 < k)).
 omega.
 intuition.
assert (h': k = i \/ (i < k)).
 omega.
 intuition.
subst; subst i; AccessSame.
destruct (access t0 (r-1)); tauto.
subst; AccessOther.
destruct (access t0 i); tauto.
subst; do 2 AccessOther.
auto with *.
subst t2 t1; simpl; trivial.
Save.

Proof.
intuition.
replace r with i.
 trivial.
 omega.
Save.

(*Why*) Parameter dutch_flag_valid :
  forall (_: unit), forall (t: (array color)), forall (_: (array_length t) =
  N),
  (sig_2 (array color) unit
   (fun (t0: (array color)) (result: unit)  => (True))).

why-2.34/examples/misc/sqrt_dicho_why.sx0000644000175000017500000002312312311670312016771 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; sqrt_po_1, File "sqrt_dicho.mlw", line 11, characters 16-68
(FORALL (x) (IMPLIES (>= x 0) (<= (* 0 0) x)))

;; sqrt_po_2, File "sqrt_dicho.mlw", line 11, characters 16-68
(FORALL (x) (IMPLIES (>= x 0) (< x (* (+ x 1) (+ x 1)))))

;; sqrt_po_3, File "sqrt_dicho.mlw", line 11, characters 16-68
(FORALL (x) (IMPLIES (>= x 0) (< 0 (+ x 1))))

;; sqrt_po_4, File "sqrt_dicho.mlw", line 15, characters 10-30
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (inf)
(FORALL (sup)
(IMPLIES (AND (<= (* inf inf) x) (AND (< x (* sup sup)) (< inf sup)))
(IMPLIES (NEQ (+ inf 1) sup) (NEQ 2 0)))))))

;; sqrt_po_5, File "sqrt_dicho.mlw", line 11, characters 16-68
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (inf)
(FORALL (sup)
(IMPLIES (AND (<= (* inf inf) x) (AND (< x (* sup sup)) (< inf sup)))
(IMPLIES (NEQ (+ inf 1) sup)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ (+ inf sup) 1) 2))
(FORALL (mil)
(IMPLIES (EQ mil result)
(IMPLIES (< x (* mil mil))
(FORALL (sup0) (IMPLIES (EQ sup0 mil) (< x (* sup0 sup0))))))))))))))))

;; sqrt_po_6, File "sqrt_dicho.mlw", line 11, characters 16-68
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (inf)
(FORALL (sup)
(IMPLIES (AND (<= (* inf inf) x) (AND (< x (* sup sup)) (< inf sup)))
(IMPLIES (NEQ (+ inf 1) sup)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ (+ inf sup) 1) 2))
(FORALL (mil)
(IMPLIES (EQ mil result)
(IMPLIES (< x (* mil mil))
(FORALL (sup0) (IMPLIES (EQ sup0 mil) (< inf sup0)))))))))))))))

;; sqrt_po_7, File "sqrt_dicho.mlw", line 14, characters 16-25
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (inf)
(FORALL (sup)
(IMPLIES (AND (<= (* inf inf) x) (AND (< x (* sup sup)) (< inf sup)))
(IMPLIES (NEQ (+ inf 1) sup)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ (+ inf sup) 1) 2))
(FORALL (mil)
(IMPLIES (EQ mil result)
(IMPLIES (< x (* mil mil))
(FORALL (sup0) (IMPLIES (EQ sup0 mil) (<= 0 (- sup inf))))))))))))))))

;; sqrt_po_8, File "sqrt_dicho.mlw", line 14, characters 16-25
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (inf)
(FORALL (sup)
(IMPLIES (AND (<= (* inf inf) x) (AND (< x (* sup sup)) (< inf sup)))
(IMPLIES (NEQ (+ inf 1) sup)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ (+ inf sup) 1) 2))
(FORALL (mil)
(IMPLIES (EQ mil result)
(IMPLIES (< x (* mil mil))
(FORALL (sup0) (IMPLIES (EQ sup0 mil) (< (- sup0 inf) (- sup inf))))))))))))))))

;; sqrt_po_9, File "sqrt_dicho.mlw", line 11, characters 16-68
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (inf)
(FORALL (sup)
(IMPLIES (AND (<= (* inf inf) x) (AND (< x (* sup sup)) (< inf sup)))
(IMPLIES (NEQ (+ inf 1) sup)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ (+ inf sup) 1) 2))
(FORALL (mil)
(IMPLIES (EQ mil result)
(IMPLIES (>= x (* mil mil))
(FORALL (inf0) (IMPLIES (EQ inf0 mil) (<= (* inf0 inf0) x)))))))))))))))

;; sqrt_po_10, File "sqrt_dicho.mlw", line 11, characters 16-68
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (inf)
(FORALL (sup)
(IMPLIES (AND (<= (* inf inf) x) (AND (< x (* sup sup)) (< inf sup)))
(IMPLIES (NEQ (+ inf 1) sup)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ (+ inf sup) 1) 2))
(FORALL (mil)
(IMPLIES (EQ mil result)
(IMPLIES (>= x (* mil mil))
(FORALL (inf0) (IMPLIES (EQ inf0 mil) (< x (* sup sup))))))))))))))))

;; sqrt_po_11, File "sqrt_dicho.mlw", line 11, characters 16-68
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (inf)
(FORALL (sup)
(IMPLIES (AND (<= (* inf inf) x) (AND (< x (* sup sup)) (< inf sup)))
(IMPLIES (NEQ (+ inf 1) sup)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ (+ inf sup) 1) 2))
(FORALL (mil)
(IMPLIES (EQ mil result)
(IMPLIES (>= x (* mil mil))
(FORALL (inf0) (IMPLIES (EQ inf0 mil) (< inf0 sup)))))))))))))))

;; sqrt_po_12, File "sqrt_dicho.mlw", line 14, characters 16-25
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (inf)
(FORALL (sup)
(IMPLIES (AND (<= (* inf inf) x) (AND (< x (* sup sup)) (< inf sup)))
(IMPLIES (NEQ (+ inf 1) sup)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ (+ inf sup) 1) 2))
(FORALL (mil)
(IMPLIES (EQ mil result)
(IMPLIES (>= x (* mil mil))
(FORALL (inf0) (IMPLIES (EQ inf0 mil) (<= 0 (- sup inf))))))))))))))))

;; sqrt_po_13, File "sqrt_dicho.mlw", line 14, characters 16-25
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (inf)
(FORALL (sup)
(IMPLIES (AND (<= (* inf inf) x) (AND (< x (* sup sup)) (< inf sup)))
(IMPLIES (NEQ (+ inf 1) sup)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div (+ (+ inf sup) 1) 2))
(FORALL (mil)
(IMPLIES (EQ mil result)
(IMPLIES (>= x (* mil mil))
(FORALL (inf0) (IMPLIES (EQ inf0 mil) (< (- sup inf0) (- sup inf))))))))))))))))

;; sqrt_po_14, File "sqrt_dicho.mlw", line 21, characters 4-52
(FORALL (x)
(IMPLIES (>= x 0)
(FORALL (inf)
(FORALL (sup)
(IMPLIES (AND (<= (* inf inf) x) (AND (< x (* sup sup)) (< inf sup)))
(IMPLIES (EQ (+ inf 1) sup) (< x (* (+ inf 1) (+ inf 1)))))))))

why-2.34/examples/misc/gcd_why.v0000644000175000017500000000431212311670312015201 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.

Parameter gcd : Z -> Z -> Z.

Axiom gcd_asubb_b : forall a b:Z, gcd a b = gcd (a - b) b.
Axiom gcd_a_bsuba : forall a b:Z, gcd a b = gcd a (b - a).
Axiom gcd_a_a : forall a:Z, gcd a a = a.
Axiom gcd_a_0 : forall a:Z, gcd a 0 = a.
Axiom gcd_a_amodb : forall a b:Z, gcd a b = gcd b (a mod b).

Hint Resolve gcd_asubb_b gcd_a_bsuba gcd_a_a gcd_a_0 gcd_a_amodb .

Definition max (x y:Z) : Z :=
  match Z_le_gt_dec x y with
  | left _ => y
  | right _ => x
  end.

Proof.
intuition.
Save.

Proof.
intuition.
subst.
transitivity (gcd x y); auto.
unfold Zwf, max.
case (Z_le_gt_dec x0 y); case (Z_le_gt_dec x y); intros; omega.
Save.

Proof.
intuition.
subst.
transitivity (gcd x y); auto.
unfold Zwf, max.
assert (h: x <> y).
 assumption.
 case (Z_le_gt_dec x y0); case (Z_le_gt_dec x y); intros; omega.
Save.

Proof.
intuition; subst.
transitivity (gcd y y); auto.
Save.


Proof.
intuition.
Save.

Proof.
intuition.
assert (h_y0: y <> 0).
 assumption.
assert (h1_y0: (y > 0)).
 omega.
generalize (Z_mod_lt x y h1_y0); intro.
subst; tauto.
subst.
transitivity (gcd x y); auto.
unfold Zwf.
assert (h_y0: y <> 0).
 assumption.
assert (h1_y0: (y > 0)).
 omega.
generalize (Z_mod_lt x y h1_y0); omega.
Save.

Proof.
intuition; subst.
transitivity (gcd x 0); auto.
Save.


(*Why logic*) Definition gcd : Z -> Z -> Z.
Admitted.

(*Why axiom*) Lemma gcd_asubb_b :
  (forall (a:Z), (forall (b:Z), (gcd a b) = (gcd (a - b) b))).
Admitted.

(*Why axiom*) Lemma gcd_a_bsuba :
  (forall (a:Z), (forall (b:Z), (gcd a b) = (gcd a (b - a)))).
Admitted.

(*Why axiom*) Lemma gcd_a_a : (forall (a:Z), (gcd a a) = a).
Admitted.

(*Why axiom*) Lemma gcd_a_0 : (forall (a:Z), (gcd a 0) = a).
Admitted.

(*Why logic*) Definition max : Z -> Z -> Z.
Admitted.

(*Why axiom*) Lemma max_def :
  (forall (x:Z),
   (forall (y:Z), ((max x y) = x \/ (max x y) = y) /\ (max x y) >= x /\
    (max x y) >= y)).
Admitted.

(*Why axiom*) Lemma gcd_a_amodb :
  (forall (a:Z), (forall (b:Z), (gcd a b) = (gcd b ((Zmod a b))))).
Admitted.

(*Why axiom*) Lemma mod_lt :
  (forall (a:Z), (forall (b:Z), 0 <= ((Zmod a b)) /\ ((Zmod a b)) < b)).
Admitted.

why-2.34/examples/misc/arith_why.v0000644000175000017500000000175212311670312015560 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Import Omega.
Require Import Zdiv.
Require Import ZArithRing.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
subst; apply Z_div_ge0; omega.
assert (h: p + a * b = x * y). assumption.
rewrite (Z_div_mod_eq a 2) in h.
rewrite <- h.
subst.
replace (a mod 2) with 1. 
ring.
omega.
unfold Zwf.
 repeat split; try omega.
subst; apply Z_div_lt; try omega.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
subst; apply Z_div_ge0; try omega.
assert (h: p + a * b = x * y). assumption.
rewrite (Z_div_mod_eq a 2) in h.
rewrite <- h.
subst.
replace (a mod 2)%Z with 0%Z.
ring.
cut (2 > 0)%Z; [ intro h' | omega ].
generalize (Z_mod_lt a 2 h').
cut ((a mod 2)%Z <> 1%Z); intros; try omega.
omega.
unfold Zwf.
repeat split; try omega.
subst; apply Z_div_lt; try omega.
Save.

Proof.
intuition; subst.
transitivity (p + 0*b); auto.
ring.
Save.


why-2.34/examples/misc/copy_why.v0000644000175000017500000000361412311670312015422 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Import WhyFloat.

Axiom magic : False.
Ltac Magic := elim magic.

(* Why obligation from file "copy.c", characters 156-159 *)
Lemma copy_po_1 : 
  forall (n: Z),
  forall (t1: (array Z)),
  forall (t2: (array Z)),
  forall (Pre6: (array_length t1) >= n /\ (array_length t2) >= n),
  forall (i: Z),
  forall (Post5: i = n),
  forall (Variant1: Z),
  forall (i1: Z),
  forall (t2_0: (array Z)),
  forall (Pre5: Variant1 = i1),
  forall (Pre4: (array_length t2_0) >= n /\ i1 <= n /\
                (forall (k:Z),
                 (i1 <= k /\ k < n -> (access t2_0 k) = (access t1 k)))),
  forall (Test2: true = true),
  forall (c_aux_2: Z),
  forall (Post2: c_aux_2 = i1),
  forall (i2: Z),
  forall (Post1: i2 = (i1 - 1)),
  ((c_aux_2 > 0 ->
    (forall (result:Z),
     (result = i2 ->
      ((forall (t2:(array Z)),
        (t2 = (store t2_0 result (access t1 i2)) -> ((array_length t2) >=
         n /\ i2 <= n /\
         (forall (k:Z), (i2 <= k /\ k < n -> (access t2 k) = (access t1 k)))) /\
         (Zwf 0 i2 i1))) /\
      0 <= result /\ result < (array_length t2_0)) /\ 0 <= i2 /\ i2 <
      (array_length t1))))) /\
  ((c_aux_2 <= 0 ->
    (forall (k:Z), (0 <= k /\ k < n -> (access t2_0 k) = (access t1 k))))).
Proof.
intuition.
subst t0; trivial.
assert (k = i2 \/ (i2 < k)%Z).
 omega.
 intuition.
subst result k t0.
AccessSame.
subst result t0; AccessOther.
apply H4; omega.
Qed.

(* Why obligation from file "copy.c", characters 185-281 *)
Lemma copy_po_2 : 
  forall (n: Z),
  forall (t1: (array Z)),
  forall (t2: (array Z)),
  forall (Pre6: (array_length t1) >= n /\ (array_length t2) >= n),
  forall (i: Z),
  forall (Post5: i = n),
  (array_length t2) >= n /\ i <= n /\
  (forall (k:Z), (i <= k /\ k < n -> (access t2 k) = (access t1 k))).
Proof.
auto with *.
Qed.

why-2.34/examples/misc/swap0.mlw0000644000175000017500000000241112311670312015137 0ustar  rtusers
(**** Swapping the contents of two references *)


(**** 1. with global references *)

parameter x,y : int ref

let swap1 () = 
  {}
  (let t = !x in begin x := !y; y := t end)
  { x = y@ and y = x@ }

(* a different syntax, with begin...end instead of parentheses *)
let swap2 () = 
  {} 
  begin
    let t = !x in
    begin
      x := !y; 
      y := t
    end
  end
  { x = y@ and y = x@ } 


(**** 2. with a function taking references as argument *)

let swap3 = fun (a,b : int ref) ->
  {} 
  (let t = !a in begin a := !b; b := t end)
  { a = b@ and b = a@ }

(* test on some local references *)
let test_swap3 () =
  let c = ref 1 in
  let d = ref 2 in
  (swap3 c d { d = 1 })

(* calls on the globals x,y *)
let call_swap3_x_y () = {} (swap3 x y) { x = y@ and y = x@ }
let call_swap3_y_x () = {} (swap3 y x) { x = y@ and y = x@ }


(**** 3. with a function using a global reference *)

parameter tmp : int ref

let swap4 = fun (a,b : int ref) ->
  {} 
  begin tmp := !a; a := !b; b := !tmp end
  { a = b@ and b = a@ }

(* test on some local references *)
let test_swap4 () =
  let c = ref 1 in
  let d = ref 2 in
  (swap4 c d { d = 1 })

(* calls on the globals x,y *)
let call_swap4_x_y () = { x = 3 } (swap4 x y) { y = 3 }
let call_swap4_y_x () = { x = 3 } (swap4 y x) { y = 3 }
why-2.34/examples/misc/swap0_why.sx0000644000175000017500000001506312311670312015670 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; swap1_po_1, File "swap0.mlw", line 12, characters 4-21
(FORALL (x0)
(FORALL (y)
(FORALL (x) (IMPLIES (EQ x y) (FORALL (y0) (IMPLIES (EQ y0 x0) (EQ x y)))))))

;; swap1_po_2, File "swap0.mlw", line 12, characters 4-21
(FORALL (x0)
(FORALL (y)
(FORALL (x) (IMPLIES (EQ x y) (FORALL (y0) (IMPLIES (EQ y0 x0) (EQ y0 x0)))))))

;; swap2_po_1, File "swap0.mlw", line 24, characters 4-21
(FORALL (x0)
(FORALL (y)
(FORALL (x) (IMPLIES (EQ x y) (FORALL (y0) (IMPLIES (EQ y0 x0) (EQ x y)))))))

;; swap2_po_2, File "swap0.mlw", line 24, characters 4-21
(FORALL (x0)
(FORALL (y)
(FORALL (x) (IMPLIES (EQ x y) (FORALL (y0) (IMPLIES (EQ y0 x0) (EQ y0 x0)))))))

;; swap3_po_1, File "swap0.mlw", line 32, characters 4-21
(FORALL (a0)
(FORALL (b)
(FORALL (a) (IMPLIES (EQ a b) (FORALL (b0) (IMPLIES (EQ b0 a0) (EQ a b)))))))

;; swap3_po_2, File "swap0.mlw", line 32, characters 4-21
(FORALL (a0)
(FORALL (b)
(FORALL (a) (IMPLIES (EQ a b) (FORALL (b0) (IMPLIES (EQ b0 a0) (EQ b0 a0)))))))

;; swap4_po_1, File "swap0.mlw", line 52, characters 4-21
(FORALL (a)
(FORALL (b)
(FORALL (tmp)
(IMPLIES (EQ tmp a)
(FORALL (a0)
(IMPLIES (EQ a0 b) (FORALL (b0) (IMPLIES (EQ b0 tmp) (EQ a0 b)))))))))

;; swap4_po_2, File "swap0.mlw", line 52, characters 4-21
(FORALL (a)
(FORALL (b)
(FORALL (tmp)
(IMPLIES (EQ tmp a)
(FORALL (a0)
(IMPLIES (EQ a0 b) (FORALL (b0) (IMPLIES (EQ b0 tmp) (EQ b0 a)))))))))

;; call_swap4_x_y_po_1, File "swap0.mlw", line 61, characters 48-53
(FORALL (x)
(FORALL (y)
(IMPLIES (EQ x 3)
(FORALL (x0) (FORALL (y0) (IMPLIES (AND (EQ x0 y) (EQ y0 x)) (EQ y0 3)))))))

;; call_swap4_y_x_po_1, File "swap0.mlw", line 62, characters 48-53
(FORALL (x)
(FORALL (y)
(IMPLIES (EQ x 3)
(FORALL (x0) (FORALL (y0) (IMPLIES (AND (EQ y0 x) (EQ x0 y)) (EQ y0 3)))))))

why-2.34/examples/misc/matrix_why.v0000644000175000017500000007544612311670312015770 0ustar  rtusers(* ########################################################################## *)
(*                             Definitions of matrices                        *)
(*                         Frédéric Gava (Université Paris 12)                *)
(* ########################################################################## *)

(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export Why.

(*Why type*) Definition fmatrice: Set ->Set.
Admitted.

(*Why logic*) Definition mat_access :
  forall (A1:Set), (fmatrice A1) -> Z -> Z -> A1.
Admitted.
Implicit Arguments mat_access.

(*Why logic*) Definition mat_update :
  forall (A1:Set), (fmatrice A1) -> Z -> Z -> A1 -> (fmatrice A1).
Admitted.
Implicit Arguments mat_update.

(*Why axiom*) Lemma mat_access_update :
  forall (A1:Set),
  (forall (m:(fmatrice A1)),
   (forall (i:Z),
    (forall (j:Z), (forall (v:A1), (mat_access (mat_update m i j v) i j) = v)))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (m:(fmatrice A1)),
   (forall (i1:Z),
    (forall (j1:Z),
     (forall (i2:Z),
      (forall (j2:Z),
       (forall (v:A1),
        (i1 <> i2 \/ j1 <> j2 ->
         (mat_access (mat_update m i1 j1 v) i2 j2) = (mat_access m i2 j2)))))))).
Admitted.

Admitted.
Implicit Arguments matrice_size_row.

Admitted.
Implicit Arguments matrice_size_column.

(*Why logic*) Definition mat_size_row : forall (A1:Set), (fmatrice A1) -> Z.
Admitted.
Implicit Arguments mat_size_row.

(*Why logic*) Definition mat_size_column :
  forall (A1:Set), (fmatrice A1) -> Z.
Admitted.
Implicit Arguments mat_size_column.

Admitted.

(*Why axiom*) Lemma mat_size_row_update :
  forall (A1:Set),
  (forall (m:(fmatrice A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (mat_size_row (mat_update m i j v)) = (mat_size_row m))))).
Admitted.

(*Why axiom*) Lemma mat_size_column_update :
  forall (A1:Set),
  (forall (m:(fmatrice A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (mat_size_column (mat_update m i j v)) =
      (mat_size_column m))))).
Admitted.

(*Why logic*) Definition N : Z.
Admitted.

(*Why axiom*) Lemma N_range : 1 <= N.
Admitted.


Require Export Recdef.

Require Import ZArithRing.
Require Import Omega.
Require Export Rbase.

Function sigma_mat_mult (A:(fmatrice R)) (B:(fmatrice R)) 
                        (mini:Z) (maxi:Z) (i:Z) (j:Z) {wf (Zwf mini) maxi} : R :=
  if (Z_lt_dec maxi mini) then 0%R 
   else (((mat_access A i maxi)%R * (mat_access B maxi j)%R)%R + (sigma_mat_mult A B mini (maxi-1) i j)%R)%R.
Proof.
intros; unfold Zwf; omega.
intro;exact (Zwf_well_founded mini).
Qed.


Lemma sigma_mat_mult_zero: forall (A:(fmatrice R)), forall (B:(fmatrice R)), forall (i:Z), forall (j:Z), forall (r:Z),
r<0 -> sigma_mat_mult A B 0 r i j=0%R.
Proof.
intros.
generalize (sigma_mat_mult_equation A B 0 r i j);intro Heq;rewrite Heq.
case (Z_lt_dec r 0); intro;intuition.
Save.


Lemma sigma_mat_mult_plus: forall (A:(fmatrice R)), forall (B:(fmatrice R)), forall (i:Z), forall (j:Z), forall (r:Z), 0<=r ->
((sigma_mat_mult A B 0 (r-1) i j)%R+(mat_access A i r)%R * (mat_access B r j)%R)%R=(sigma_mat_mult A B 0 r i j)%R.
Proof.
intros.
generalize (sigma_mat_mult_equation A B 0 r i j);intro Heq;rewrite Heq.
case (Z_lt_dec r 0); intro;intuition.
absurd (0 <= r);omega.
Save.



(*Why predicate*) Definition mat_mult_done  (A:(fmatrice R)) (B:(fmatrice R)) (C:(fmatrice R)) (iu:Z) (id:Z) (jl:Z) (jr:Z)
  := (forall (i:Z),
      (forall (j:Z),
       ((iu <= i /\ i < id) /\ jl <= j /\ j < jr ->
        (eq (mat_access C i j) (sigma_mat_mult A B 0 (N - 1) i j))))).

(*Why predicate*) Definition mat_mult_todo  (C:(fmatrice R)) (C':(fmatrice R)) (iu:Z) (id:Z) (jl:Z) (jr:Z)
  := (forall (i:Z),
      (forall (j:Z),
       ((iu <= i /\ i < id) /\ jl <= j /\ j < jr ->
        (eq (mat_access C i j) (mat_access C' i j))))).

(*Why predicate*) Definition mat_mult  (A:(fmatrice R)) (B:(fmatrice R)) (C:(fmatrice R))
  := (mat_mult_done A B C 0 N 0 N).

(* Why obligation from file "matrice.why", line 136, characters 10-209: *)
(*Why goal*) Lemma mult_po_1 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  ((0 <= 0 /\ 0 <= N) /\ (mat_mult_done A B C 0 0 0 N) /\
  (mat_mult_todo C C 0 N 0 N) /\ (mat_size_column C) = (mat_size_column C) /\
  (mat_size_row C) = (mat_size_row C)).
Proof.
intros.
split.
assert (1<=N).
apply N_range.
intuition.
split;intuition.
unfold mat_mult_done.
intros.
destruct H5;intuition.
absurd (i < 0);omega.
unfold mat_mult_todo.
intros.
auto.
Save.


(* Why obligation from file "matrice.why", line 146, characters 12-274: *)
(*Why goal*) Lemma mult_po_2 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  forall (C0: (fmatrice R)),
  forall (i: Z),
  forall (HW_2: (0 <= i /\ i <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
                (mat_mult_todo C0 C i N 0 N) /\ (mat_size_column C0) =
                (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)),
  forall (HW_3: i < N),
  ((0 <= 0 /\ 0 <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
  (mat_mult_todo C0 C (i + 1) N 0 N) /\
  (mat_mult_done A B C0 i (i + 1) 0 0) /\
  (mat_mult_todo C0 C i (i + 1) 0 N) /\ (mat_size_column C0) =
  (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)).
Proof.
intros.
split;intuition.
generalize H4.
unfold mat_mult_todo;intros;intuition.
unfold mat_mult_done;intros;intuition.
unfold mat_mult_todo;intros;intuition.
Save.

(* Why obligation from file "matrice.why", line 157, characters 8-382: *)
(*Why goal*) Lemma mult_po_3 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  forall (C0: (fmatrice R)),
  forall (i: Z),
  forall (HW_2: (0 <= i /\ i <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
                (mat_mult_todo C0 C i N 0 N) /\ (mat_size_column C0) =
                (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)),
  forall (HW_3: i < N),
  forall (C1: (fmatrice R)),
  forall (j: Z),
  forall (HW_4: (0 <= j /\ j <= N) /\ (mat_mult_done A B C1 0 i 0 N) /\
                (mat_mult_todo C1 C (i + 1) N 0 N) /\
                (mat_mult_done A B C1 i (i + 1) 0 j) /\
                (mat_mult_todo C1 C i (i + 1) j N) /\ (mat_size_column C1) =
                (mat_size_column C) /\ (mat_size_row C1) = (mat_size_row C)),
  forall (HW_5: j < N),
  ((0 <= 0 /\ 0 <= N) /\ (mat_mult_done A B C1 0 i 0 N) /\
  (mat_mult_todo C1 C (i + 1) N 0 N) /\
  (mat_mult_done A B C1 i (i + 1) 0 j) /\
  (mat_mult_todo C1 C i (i + 1) (j + 1) N) /\
  (eq (mat_access C1 i j) (Rplus
                           (mat_access C i j) (sigma_mat_mult
                                               A B 0 (0 - 1) i j))) /\
  (mat_size_column C1) = (mat_size_column C) /\ (mat_size_row C1) =
  (mat_size_row C)).
Proof.
intros.
split.
omega.
decompose [and or] HW_1;clear HW_1.
decompose [and or] HW_2;clear HW_2.
decompose [and or] HW_4;clear HW_4.
intuition.
generalize  H17.
unfold  mat_mult_todo.
intros.
intuition.
rewrite sigma_mat_mult_zero;auto.
generalize H17.
unfold  mat_mult_todo.
intros.
rewrite (H19 i j).
ring.
omega.
omega.
Save.



(* Why obligation from file "matrice.why", line 166, characters 21-36: *)
(*Why goal*) Lemma mult_po_4 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  forall (C0: (fmatrice R)),
  forall (i: Z),
  forall (HW_2: (0 <= i /\ i <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
                (mat_mult_todo C0 C i N 0 N) /\ (mat_size_column C0) =
                (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)),
  forall (HW_3: i < N),
  forall (C1: (fmatrice R)),
  forall (j: Z),
  forall (HW_4: (0 <= j /\ j <= N) /\ (mat_mult_done A B C1 0 i 0 N) /\
                (mat_mult_todo C1 C (i + 1) N 0 N) /\
                (mat_mult_done A B C1 i (i + 1) 0 j) /\
                (mat_mult_todo C1 C i (i + 1) j N) /\ (mat_size_column C1) =
                (mat_size_column C) /\ (mat_size_row C1) = (mat_size_row C)),
  forall (HW_5: j < N),
  forall (C2: (fmatrice R)),
  forall (r: Z),
  forall (HW_6: (0 <= r /\ r <= N) /\ (mat_mult_done A B C2 0 i 0 N) /\
                (mat_mult_todo C2 C (i + 1) N 0 N) /\
                (mat_mult_done A B C2 i (i + 1) 0 j) /\
                (mat_mult_todo C2 C i (i + 1) (j + 1) N) /\
                (eq (mat_access C2 i j) (Rplus
                                         (mat_access C i j) (sigma_mat_mult
                                                             A B 0 (r - 1) i j))) /\
                (mat_size_column C2) = (mat_size_column C) /\
                (mat_size_row C2) = (mat_size_row C)),
  forall (HW_7: r < N),
  ((0 <= i /\ i < (mat_size_row C2)) /\ 0 <= j /\ j < (mat_size_column C2)).
Proof.
intros.
omega.
Save.


(* Why obligation from file "matrice.why", line 166, characters 42-57: *)
(*Why goal*) Lemma mult_po_5 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  forall (C0: (fmatrice R)),
  forall (i: Z),
  forall (HW_2: (0 <= i /\ i <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
                (mat_mult_todo C0 C i N 0 N) /\ (mat_size_column C0) =
                (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)),
  forall (HW_3: i < N),
  forall (C1: (fmatrice R)),
  forall (j: Z),
  forall (HW_4: (0 <= j /\ j <= N) /\ (mat_mult_done A B C1 0 i 0 N) /\
                (mat_mult_todo C1 C (i + 1) N 0 N) /\
                (mat_mult_done A B C1 i (i + 1) 0 j) /\
                (mat_mult_todo C1 C i (i + 1) j N) /\ (mat_size_column C1) =
                (mat_size_column C) /\ (mat_size_row C1) = (mat_size_row C)),
  forall (HW_5: j < N),
  forall (C2: (fmatrice R)),
  forall (r: Z),
  forall (HW_6: (0 <= r /\ r <= N) /\ (mat_mult_done A B C2 0 i 0 N) /\
                (mat_mult_todo C2 C (i + 1) N 0 N) /\
                (mat_mult_done A B C2 i (i + 1) 0 j) /\
                (mat_mult_todo C2 C i (i + 1) (j + 1) N) /\
                (eq (mat_access C2 i j) (Rplus
                                         (mat_access C i j) (sigma_mat_mult
                                                             A B 0 (r - 1) i j))) /\
                (mat_size_column C2) = (mat_size_column C) /\
                (mat_size_row C2) = (mat_size_row C)),
  forall (HW_7: r < N),
  forall (HW_8: (0 <= i /\ i < (mat_size_row C2)) /\ 0 <= j /\ j <
                (mat_size_column C2)),
  forall (result: R),
  forall (HW_9: result = (mat_access C2 i j)),
  ((0 <= i /\ i < (mat_size_row A)) /\ 0 <= r /\ r < (mat_size_column A)).
Proof.
intros.
omega.
Save.

(* Why obligation from file "matrice.why", line 166, characters 62-77: *)
(*Why goal*) Lemma mult_po_6 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  forall (C0: (fmatrice R)),
  forall (i: Z),
  forall (HW_2: (0 <= i /\ i <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
                (mat_mult_todo C0 C i N 0 N) /\ (mat_size_column C0) =
                (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)),
  forall (HW_3: i < N),
  forall (C1: (fmatrice R)),
  forall (j: Z),
  forall (HW_4: (0 <= j /\ j <= N) /\ (mat_mult_done A B C1 0 i 0 N) /\
                (mat_mult_todo C1 C (i + 1) N 0 N) /\
                (mat_mult_done A B C1 i (i + 1) 0 j) /\
                (mat_mult_todo C1 C i (i + 1) j N) /\ (mat_size_column C1) =
                (mat_size_column C) /\ (mat_size_row C1) = (mat_size_row C)),
  forall (HW_5: j < N),
  forall (C2: (fmatrice R)),
  forall (r: Z),
  forall (HW_6: (0 <= r /\ r <= N) /\ (mat_mult_done A B C2 0 i 0 N) /\
                (mat_mult_todo C2 C (i + 1) N 0 N) /\
                (mat_mult_done A B C2 i (i + 1) 0 j) /\
                (mat_mult_todo C2 C i (i + 1) (j + 1) N) /\
                (eq (mat_access C2 i j) (Rplus
                                         (mat_access C i j) (sigma_mat_mult
                                                             A B 0 (r - 1) i j))) /\
                (mat_size_column C2) = (mat_size_column C) /\
                (mat_size_row C2) = (mat_size_row C)),
  forall (HW_7: r < N),
  forall (HW_8: (0 <= i /\ i < (mat_size_row C2)) /\ 0 <= j /\ j <
                (mat_size_column C2)),
  forall (result: R),
  forall (HW_9: result = (mat_access C2 i j)),
  forall (HW_10: (0 <= i /\ i < (mat_size_row A)) /\ 0 <= r /\ r <
                 (mat_size_column A)),
  forall (result0: R),
  forall (HW_11: result0 = (mat_access A i r)),
  ((0 <= r /\ r < (mat_size_row B)) /\ 0 <= j /\ j < (mat_size_column B)).
Proof.
intros.
omega.
Save.

(* Why obligation from file "matrice.why", line 157, characters 8-382: *)
(*Why goal*) Lemma mult_po_7 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  forall (C0: (fmatrice R)),
  forall (i: Z),
  forall (HW_2: (0 <= i /\ i <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
                (mat_mult_todo C0 C i N 0 N) /\ (mat_size_column C0) =
                (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)),
  forall (HW_3: i < N),
  forall (C1: (fmatrice R)),
  forall (j: Z),
  forall (HW_4: (0 <= j /\ j <= N) /\ (mat_mult_done A B C1 0 i 0 N) /\
                (mat_mult_todo C1 C (i + 1) N 0 N) /\
                (mat_mult_done A B C1 i (i + 1) 0 j) /\
                (mat_mult_todo C1 C i (i + 1) j N) /\ (mat_size_column C1) =
                (mat_size_column C) /\ (mat_size_row C1) = (mat_size_row C)),
  forall (HW_5: j < N),
  forall (C2: (fmatrice R)),
  forall (r: Z),
  forall (HW_6: (0 <= r /\ r <= N) /\ (mat_mult_done A B C2 0 i 0 N) /\
                (mat_mult_todo C2 C (i + 1) N 0 N) /\
                (mat_mult_done A B C2 i (i + 1) 0 j) /\
                (mat_mult_todo C2 C i (i + 1) (j + 1) N) /\
                (eq (mat_access C2 i j) (Rplus
                                         (mat_access C i j) (sigma_mat_mult
                                                             A B 0 (r - 1) i j))) /\
                (mat_size_column C2) = (mat_size_column C) /\
                (mat_size_row C2) = (mat_size_row C)),
  forall (HW_7: r < N),
  forall (HW_8: (0 <= i /\ i < (mat_size_row C2)) /\ 0 <= j /\ j <
                (mat_size_column C2)),
  forall (result: R),
  forall (HW_9: result = (mat_access C2 i j)),
  forall (HW_10: (0 <= i /\ i < (mat_size_row A)) /\ 0 <= r /\ r <
                 (mat_size_column A)),
  forall (result0: R),
  forall (HW_11: result0 = (mat_access A i r)),
  forall (HW_12: (0 <= r /\ r < (mat_size_row B)) /\ 0 <= j /\ j <
                 (mat_size_column B)),
  forall (result1: R),
  forall (HW_13: result1 = (mat_access B r j)),
  forall (HW_14: (0 <= i /\ i < (mat_size_row C2)) /\ 0 <= j /\ j <
                 (mat_size_column C2)),
  forall (C3: (fmatrice R)),
  forall (HW_15: C3 =
                 (mat_update C2 i j (Rplus result (Rmult result0 result1)))),
  forall (r0: Z),
  forall (HW_16: r0 = (r + 1)),
  ((0 <= r0 /\ r0 <= N) /\ (mat_mult_done A B C3 0 i 0 N) /\
  (mat_mult_todo C3 C (i + 1) N 0 N) /\
  (mat_mult_done A B C3 i (i + 1) 0 j) /\
  (mat_mult_todo C3 C i (i + 1) (j + 1) N) /\
  (eq (mat_access C3 i j) (Rplus
                           (mat_access C i j) (sigma_mat_mult
                                               A B 0 (r0 - 1) i j))) /\
  (mat_size_column C3) = (mat_size_column C) /\ (mat_size_row C3) =
  (mat_size_row C)).
Proof.
intros.
split.
omega.
subst r0.
decompose [and or] HW_6;clear HW_6.

split.
generalize H.
unfold mat_mult_done;intros.
assert (i<>i0 \/ j<>j0).
omega.
generalize (access_update_neq R C2 i j i0 j0 (result + result0 * result1)%R H10).
rewrite (H7 i0 j0 H9).
rewrite HW_15.
intuition.

split.
generalize H0.
unfold mat_mult_todo;intros.
assert (i<>i0 \/ j<>j0).
omega.
generalize (access_update_neq R C2 i j i0 j0 (result + result0 * result1)%R H10).
rewrite (H7 i0 j0 H9).
rewrite HW_15.
intuition.

split.
generalize H3.
unfold mat_mult_done;intros.
assert (i<>i0 \/ j<>j0).
omega.
generalize (access_update_neq R C2 i j i0 j0 (result + result0 * result1)%R H10).
rewrite (H7 i0 j0 H9).
rewrite HW_15.
intuition.

split.
generalize H4.
unfold mat_mult_todo;intros.
assert (i<>i0 \/ j<>j0).
omega.
generalize (access_update_neq R C2 i j i0 j0 (result + result0 * result1)%R H10).
rewrite (H7 i0 j0 H9).
rewrite HW_15.
intuition.

split.
assert (r=r+1-1).
omega.
induction H7.
generalize (mat_access_update R C2 i j (result + result0 * result1)%R).
generalize HW_15.
rewrite HW_9.
rewrite HW_11.
rewrite HW_13.
intro.
rewrite HW_0.
assert (mat_update C2 i j (mat_access C2 i j + mat_access A i r * mat_access B r j)%R = C3).
auto.
rewrite H7.
rewrite H5.
generalize (sigma_mat_mult_plus A B i j r H1);intros.
rewrite H10.
assert (sigma_mat_mult A B 0 r i j = (sigma_mat_mult A B 0 (r - 1) i j + mat_access A i r * mat_access B r j)%R).
intuition.
rewrite H11.
intuition.


generalize (mat_size_row_update R C2 i j (result + result0 * result1)%R).
generalize (mat_size_column_update R C2 i j (result + result0 * result1)%R).
rewrite HW_15.
intros.
intuition.
Save.

(* Why obligation from file "matrice.why", line 165, characters 11-14: *)
(*Why goal*) Lemma mult_po_8 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  forall (C0: (fmatrice R)),
  forall (i: Z),
  forall (HW_2: (0 <= i /\ i <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
                (mat_mult_todo C0 C i N 0 N) /\ (mat_size_column C0) =
                (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)),
  forall (HW_3: i < N),
  forall (C1: (fmatrice R)),
  forall (j: Z),
  forall (HW_4: (0 <= j /\ j <= N) /\ (mat_mult_done A B C1 0 i 0 N) /\
                (mat_mult_todo C1 C (i + 1) N 0 N) /\
                (mat_mult_done A B C1 i (i + 1) 0 j) /\
                (mat_mult_todo C1 C i (i + 1) j N) /\ (mat_size_column C1) =
                (mat_size_column C) /\ (mat_size_row C1) = (mat_size_row C)),
  forall (HW_5: j < N),
  forall (C2: (fmatrice R)),
  forall (r: Z),
  forall (HW_6: (0 <= r /\ r <= N) /\ (mat_mult_done A B C2 0 i 0 N) /\
                (mat_mult_todo C2 C (i + 1) N 0 N) /\
                (mat_mult_done A B C2 i (i + 1) 0 j) /\
                (mat_mult_todo C2 C i (i + 1) (j + 1) N) /\
                (eq (mat_access C2 i j) (Rplus
                                         (mat_access C i j) (sigma_mat_mult
                                                             A B 0 (r - 1) i j))) /\
                (mat_size_column C2) = (mat_size_column C) /\
                (mat_size_row C2) = (mat_size_row C)),
  forall (HW_7: r < N),
  forall (HW_8: (0 <= i /\ i < (mat_size_row C2)) /\ 0 <= j /\ j <
                (mat_size_column C2)),
  forall (result: R),
  forall (HW_9: result = (mat_access C2 i j)),
  forall (HW_10: (0 <= i /\ i < (mat_size_row A)) /\ 0 <= r /\ r <
                 (mat_size_column A)),
  forall (result0: R),
  forall (HW_11: result0 = (mat_access A i r)),
  forall (HW_12: (0 <= r /\ r < (mat_size_row B)) /\ 0 <= j /\ j <
                 (mat_size_column B)),
  forall (result1: R),
  forall (HW_13: result1 = (mat_access B r j)),
  forall (HW_14: (0 <= i /\ i < (mat_size_row C2)) /\ 0 <= j /\ j <
                 (mat_size_column C2)),
  forall (C3: (fmatrice R)),
  forall (HW_15: C3 =
                 (mat_update C2 i j (Rplus result (Rmult result0 result1)))),
  forall (r0: Z),
  forall (HW_16: r0 = (r + 1)),
  (Zwf 0 (N - r0) (N - r)).
Proof.
intuition.
Save.

(* Why obligation from file "matrice.why", line 146, characters 12-274: *)
(*Why goal*) Lemma mult_po_9 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  forall (C0: (fmatrice R)),
  forall (i: Z),
  forall (HW_2: (0 <= i /\ i <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
                (mat_mult_todo C0 C i N 0 N) /\ (mat_size_column C0) =
                (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)),
  forall (HW_3: i < N),
  forall (C1: (fmatrice R)),
  forall (j: Z),
  forall (HW_4: (0 <= j /\ j <= N) /\ (mat_mult_done A B C1 0 i 0 N) /\
                (mat_mult_todo C1 C (i + 1) N 0 N) /\
                (mat_mult_done A B C1 i (i + 1) 0 j) /\
                (mat_mult_todo C1 C i (i + 1) j N) /\ (mat_size_column C1) =
                (mat_size_column C) /\ (mat_size_row C1) = (mat_size_row C)),
  forall (HW_5: j < N),
  forall (C2: (fmatrice R)),
  forall (r: Z),
  forall (HW_6: (0 <= r /\ r <= N) /\ (mat_mult_done A B C2 0 i 0 N) /\
                (mat_mult_todo C2 C (i + 1) N 0 N) /\
                (mat_mult_done A B C2 i (i + 1) 0 j) /\
                (mat_mult_todo C2 C i (i + 1) (j + 1) N) /\
                (eq (mat_access C2 i j) (Rplus
                                         (mat_access C i j) (sigma_mat_mult
                                                             A B 0 (r - 1) i j))) /\
                (mat_size_column C2) = (mat_size_column C) /\
                (mat_size_row C2) = (mat_size_row C)),
  forall (HW_17: r >= N),
  forall (j0: Z),
  forall (HW_18: j0 = (j + 1)),
  ((0 <= j0 /\ j0 <= N) /\ (mat_mult_done A B C2 0 i 0 N) /\
  (mat_mult_todo C2 C (i + 1) N 0 N) /\
  (mat_mult_done A B C2 i (i + 1) 0 j0) /\
  (mat_mult_todo C2 C i (i + 1) j0 N) /\ (mat_size_column C2) =
  (mat_size_column C) /\ (mat_size_row C2) = (mat_size_row C)).
Proof.
intros.
split.
omega.

split.
intuition.

split.
intuition.

split.
decompose [and or] HW_6;clear HW_6.


subst.
assert (r=N).
omega.
subst.
clear HW_17 H2 H1.
generalize H3.
unfold mat_mult_done;intros.
case (Z_lt_ge_dec j0 j); intro.
assert (i <= i0 < i + 1 /\ 0 <= j0 < j).
omega.
apply (H1 i0 j0 H7).
assert (i0=i).
omega.
subst i0.
assert (j0=j).
omega.
subst j0.
assert ((mat_access C i j = 0)%R).
intuition.
generalize H5.
rewrite H7.
intros.
rewrite H9.
intuition.

split.
subst.
assert (r=N).
omega.
subst.
intuition.
intuition.

Save.

(* Why obligation from file "matrice.why", line 153, characters 15-18: *)
(*Why goal*) Lemma mult_po_10 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  forall (C0: (fmatrice R)),
  forall (i: Z),
  forall (HW_2: (0 <= i /\ i <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
                (mat_mult_todo C0 C i N 0 N) /\ (mat_size_column C0) =
                (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)),
  forall (HW_3: i < N),
  forall (C1: (fmatrice R)),
  forall (j: Z),
  forall (HW_4: (0 <= j /\ j <= N) /\ (mat_mult_done A B C1 0 i 0 N) /\
                (mat_mult_todo C1 C (i + 1) N 0 N) /\
                (mat_mult_done A B C1 i (i + 1) 0 j) /\
                (mat_mult_todo C1 C i (i + 1) j N) /\ (mat_size_column C1) =
                (mat_size_column C) /\ (mat_size_row C1) = (mat_size_row C)),
  forall (HW_5: j < N),
  forall (C2: (fmatrice R)),
  forall (r: Z),
  forall (HW_6: (0 <= r /\ r <= N) /\ (mat_mult_done A B C2 0 i 0 N) /\
                (mat_mult_todo C2 C (i + 1) N 0 N) /\
                (mat_mult_done A B C2 i (i + 1) 0 j) /\
                (mat_mult_todo C2 C i (i + 1) (j + 1) N) /\
                (eq (mat_access C2 i j) (Rplus
                                         (mat_access C i j) (sigma_mat_mult
                                                             A B 0 (r - 1) i j))) /\
                (mat_size_column C2) = (mat_size_column C) /\
                (mat_size_row C2) = (mat_size_row C)),
  forall (HW_17: r >= N),
  forall (j0: Z),
  forall (HW_18: j0 = (j + 1)),
  (Zwf 0 (N - j0) (N - j)).
Proof.
intuition.
Save.

(* Why obligation from file "matrice.why", line 136, characters 10-209: *)
(*Why goal*) Lemma mult_po_11 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  forall (C0: (fmatrice R)),
  forall (i: Z),
  forall (HW_2: (0 <= i /\ i <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
                (mat_mult_todo C0 C i N 0 N) /\ (mat_size_column C0) =
                (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)),
  forall (HW_3: i < N),
  forall (C1: (fmatrice R)),
  forall (j: Z),
  forall (HW_4: (0 <= j /\ j <= N) /\ (mat_mult_done A B C1 0 i 0 N) /\
                (mat_mult_todo C1 C (i + 1) N 0 N) /\
                (mat_mult_done A B C1 i (i + 1) 0 j) /\
                (mat_mult_todo C1 C i (i + 1) j N) /\ (mat_size_column C1) =
                (mat_size_column C) /\ (mat_size_row C1) = (mat_size_row C)),
  forall (HW_19: j >= N),
  forall (i0: Z),
  forall (HW_20: i0 = (i + 1)),
  ((0 <= i0 /\ i0 <= N) /\ (mat_mult_done A B C1 0 i0 0 N) /\
  (mat_mult_todo C1 C i0 N 0 N) /\ (mat_size_column C1) =
  (mat_size_column C) /\ (mat_size_row C1) = (mat_size_row C)).
Proof.
intros.
split.
omega.


subst.
assert (j=N).
omega.
subst.
decompose [and or] HW_4;clear HW_4.
clear HW_19 H1 H2.

split.
generalize H.
generalize H3.
unfold mat_mult_done;intros.
case (Z_lt_ge_dec i0 i); intro.
assert (0 <= i0 < i /\ 0 <= j < N).
omega.
apply (H2 i0 j H8).
assert (i0=i).
omega.
subst i0.
assert (i <= i< i + 1 /\ 0 <= j < N).
omega.
apply (H1 i j H8).

intuition.
Save.

(* Why obligation from file "matrice.why", line 141, characters 13-16: *)
(*Why goal*) Lemma mult_po_12 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  forall (C0: (fmatrice R)),
  forall (i: Z),
  forall (HW_2: (0 <= i /\ i <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
                (mat_mult_todo C0 C i N 0 N) /\ (mat_size_column C0) =
                (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)),
  forall (HW_3: i < N),
  forall (C1: (fmatrice R)),
  forall (j: Z),
  forall (HW_4: (0 <= j /\ j <= N) /\ (mat_mult_done A B C1 0 i 0 N) /\
                (mat_mult_todo C1 C (i + 1) N 0 N) /\
                (mat_mult_done A B C1 i (i + 1) 0 j) /\
                (mat_mult_todo C1 C i (i + 1) j N) /\ (mat_size_column C1) =
                (mat_size_column C) /\ (mat_size_row C1) = (mat_size_row C)),
  forall (HW_19: j >= N),
  forall (i0: Z),
  forall (HW_20: i0 = (i + 1)),
  (Zwf 0 (N - i0) (N - i)).
Proof.
intuition.
Save.

(* Why obligation from file "matrice.why", line 174, characters 4-19: *)
(*Why goal*) Lemma mult_po_13 : 
  forall (A: (fmatrice R)),
  forall (B: (fmatrice R)),
  forall (C: (fmatrice R)),
  forall (HW_1: (mat_size_row A) = N /\ (mat_size_row B) = N /\
                (mat_size_row C) = N /\ (mat_size_column A) = N /\
                (mat_size_column B) = N /\ (mat_size_column C) = N /\
                (forall (x:Z),
                 (forall (y:Z),
                  ((0 <= x /\ x < N) /\ 0 <= y /\ y < N ->
                   (eq (mat_access C x y) (0)%R))))),
  forall (C0: (fmatrice R)),
  forall (i: Z),
  forall (HW_2: (0 <= i /\ i <= N) /\ (mat_mult_done A B C0 0 i 0 N) /\
                (mat_mult_todo C0 C i N 0 N) /\ (mat_size_column C0) =
                (mat_size_column C) /\ (mat_size_row C0) = (mat_size_row C)),
  forall (HW_21: i >= N),
  (mat_mult A B C0).
Proof.
intros.
assert (i=N).
omega.
decompose [and] HW_2;clear HW_2.
generalize H0.
rewrite H.
auto.
Save.
why-2.34/examples/misc/mac_carthy.mlw0000644000175000017500000000224112311670312016220 0ustar  rtusers
(**** McCarthy's ``91'' function. *)

let rec f91 (n:int) : int { variant 101-n } =
  if n <= 100 then
    (f91 (f91 (n + 11)))
  else
    n - 10
  { (n <= 100 and result = 91) or (n >= 101 and result = n - 10) }


(* non-recursive version *)

logic f : int -> int

axiom f_def1 : forall x:int. x >= 101 -> f(x) = x-10
axiom f_def2 : forall x:int. x <= 101 -> f(x) = 91

logic iter_f : int, int -> int (* iter_f(n,x) = f^n(x) *)

axiom iter_f_def1 : forall x:int. iter_f(0, x) = x
axiom iter_f_def2 : forall n,x:int. n > 0 -> iter_f(n, x) = iter_f(n-1,f(x))

type pair_type

logic pair : int, int -> pair_type

inductive lex : pair_type, pair_type -> prop =
| lex_1: forall x1,y1,x2,y2:int. 
     zwf_zero(x1,x2) -> lex(pair(x1,y1),pair(x2,y2)) 
| lex_2: forall x,y1,y2:int.
     zwf_zero(y1,y2) -> lex(pair(x,y1),pair(x,y2)) 

let f91_nonrec (n:int ref) (x:int ref) =
  { n >= 1 }
  L:
  while !n > 0 do
    { invariant n >= 0 and iter_f(n,x) = iter_f(n@L,x@L) 
      variant pair(101-x+10*n,n) for lex
    }
    if !x > 100 then begin
      x := !x - 10;
      n := !n - 1
    end else begin
      x := !x + 11;
      n := !n + 1
    end
  done;
  !x
  { result = iter_f(n@,x@) }


why-2.34/examples/misc/flag_ax_why.v0000644000175000017500000000435512311670312016054 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Export Why.

(*Why type*) Definition color: Set.
Admitted.

(*Why logic*) Definition blue : color.
Admitted.

(*Why logic*) Definition white : color.
Admitted.

(*Why logic*) Definition red : color.
Admitted.

(*Why predicate*) Definition is_color  (c:color)
  := c = blue \/ c = white \/ c = red.

(*Why type*) Definition color_array: Set.
Admitted.

(*Why logic*) Definition acc : color_array -> Z -> color.
Admitted.

(*Why logic*) Definition upd : color_array -> Z -> color -> color_array.
Admitted.

(*Why logic*) Definition length : color_array -> Z.
Admitted.

(*Why axiom*) Lemma acc_upd_eq :
  (forall (a:color_array),
   (forall (i:Z), (forall (c:color), (acc (upd a i c) i) = c))).
Admitted.

(*Why axiom*) Lemma acc_upd_neq :
  (forall (a:color_array),
   (forall (i:Z),
    (forall (j:Z),
     (forall (c:color), (i <> j -> (acc (upd a j c) i) = (acc a i)))))).
Admitted.

(*Why axiom*) Lemma length_update :
  (forall (a:color_array),
   (forall (i:Z), (forall (c:color), (length (upd a i c)) = (length a)))).
Admitted.

(*Why predicate*) Definition monochrome  (t:color_array) (i:Z) (j:Z) (c:color)
  := (forall (k:Z), (i <= k /\ k < j -> (acc t k) = c)).

(*Why logic*) Definition Permutation :
  color_array -> color_array -> Z -> Z -> Prop.
Admitted.

(*Why axiom*) Lemma permut_refl :
  (forall (t:color_array),
   (forall (l:Z), (forall (r:Z), (Permutation t t l r)))).
Admitted.

(*Why axiom*) Lemma permut_swap :
  (forall (t:color_array),
   (forall (l:Z),
    (forall (r:Z),
     (forall (i:Z),
      (forall (j:Z),
       (l <= i /\ i <= r ->
        (l <= j /\ j <= r ->
         (Permutation t (upd (upd t i (acc t j)) j (acc t i)) l r)))))))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  (forall (t1:color_array),
   (forall (t2:color_array),
    (forall (l:Z),
     (forall (r:Z), ((Permutation t1 t2 l r) -> (Permutation t2 t1 l r)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  (forall (t1:color_array),
   (forall (t2:color_array),
    (forall (t3:color_array),
     (forall (l:Z),
      (forall (r:Z),
       ((Permutation t1 t2 l r) ->
        ((Permutation t2 t3 l r) -> (Permutation t1 t3 l r)))))))).
Admitted.

why-2.34/examples/misc/peano.mlw0000644000175000017500000000255612311670312015221 0ustar  rtusers
(* Peano-like arithmetic with references. *)

(* [add1 x y] adds [y] to [x], modifying [x] *)

let add1 = fun (x:int ref) (y:int) ->
  { y >= 0 }
  init:
  (let z = ref y in
   while !z > 0 do
     { invariant 0 <= z and x = x@init + (y - z) as I
       variant z }
     x := !x + 1;
     z := !z - 1
   done)
  { x = x@ + y }

(* test *)

let u1 () = let r = ref 3 in (add1 r 7 { r = 10 })

(* recursive version *)

let rec rec_add1 (x:int ref) (y:int) : unit { variant y } =
  { y >= 0 }
  (if 0 < y then begin x := !x + 1; (rec_add1 x (y-1)) end)
  { x = x@ + y }

(* test *)

let u11 () = let r = ref 3 in (rec_add1 r 7 { r = 10 })

(* [mult1 x y] muliplies [x] by [y], modifiying [x] *)

let mult1 = fun (x:int ref) (y:int) ->
  { x >= 0 and y >= 0 }
  init:
  (let z = ref y in
   let savex = !x in
   begin
     x := 0;
     while !z > 0 do
       { invariant I: 0 <= z and x = x@init * (y - z)
         variant z }
       (add1 x savex);
       z := !z - 1
     done
   end)
  { x = x@ * y }

(* test *)

let u2 () = let r = ref 4 in (mult1 r 6 { r = 24 })

(* recursive multiplication with a local recursive addition *)

let rec mult2 (x:int) (y:int) : int {variant x} =
  { x>=0 and y >=0 } 
  let rec add2 (a:int) (b:int) : int {variant a} = 
    {a>=0} if a = 0 then b else (add2 (a-1) (b+1)) { result=a+b }
  in
  if x = 0 then 0 else (add2 y (mult2 (x-1) y)) 
  {result=x*y}
why-2.34/examples/misc/loop0.mlw0000644000175000017500000000054112311670312015140 0ustar  rtusers
(* Simple loop. 
 
   Decreases reference [x] down to [0].
   While not necessary to establish postcondition [x = 0] we add
   [x <= x@0] to the invariant to illustrate the use of labels. *)

parameter x : int ref

let p () = 
  { x >= 0 }
  init:
  while !x > 0 do 
    { invariant 0 <= x <= x@init  variant x } 
    x := !x - 1 
  done 
  { x = 0 }

why-2.34/examples/misc/mac_carthy_why.v0000644000175000017500000000131212311670312016553 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.

Definition max (x y:Z) : Z :=
  match Z_le_gt_dec x y with
  | left _ => y
  | right _ => x
  end.

Admitted.

Admitted.

Proof.
unfold Zwf, max; intuition.
case (Z_le_gt_dec 0 (101 - n)); intuition.
case (Z_le_gt_dec 0 (101 - n)); intuition.
case (Z_le_gt_dec 0 (101 - (n+11))); intuition.
Qed.

Proof.
intros n.
unfold Zwf, max. 
case (Z_le_gt_dec 0 (101 - n)); intuition.
subst result.
ring (101-91).
case (Z_le_gt_dec 0 10); intuition.
subst result.
case (Z_le_gt_dec 0 (101 - (n + 11 - 10))); intuition; omega.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.


why-2.34/examples/misc/flag_ax.mlw0000644000175000017500000000552512311670312015517 0ustar  rtusers(** Fully axiomatic version of Dijkstra's "Dutch national flag" 
    See also flag.mlw in the same directory *)

type color

logic blue : color
logic white : color
logic red : color

predicate is_color(c:color) = c=blue or c=white or c=red

parameter eq_color  : 
  c1:color -> c2:color -> {} bool { if result then c1=c2 else c1<>c2 }

type color_array

logic acc : color_array, int -> color
logic upd : color_array, int, color -> color_array
logic length : color_array -> int

axiom acc_upd_eq :
  forall a:color_array. forall i:int. forall c:color.
    acc(upd(a,i,c),i) = c

axiom acc_upd_neq :
  forall a:color_array. forall i,j:int. forall c:color.
    i <> j -> acc(upd(a,j,c),i) = acc(a,i)

axiom length_update : 
  forall a:color_array. forall i:int. forall c:color.
    length(upd(a,i,c)) = length(a)

parameter get : 
  t:color_array ref -> i:int -> 
    { 0<=i i:int -> c:color -> 
    { 0<=i acc(t,k)=c

logic Permutation : color_array, color_array, int, int -> prop

axiom permut_refl : forall t: color_array. forall l,r:int.
  Permutation(t,t,l,r)

axiom permut_swap : forall t:color_array. forall l,r,i,j:int.
  l <= i <= r -> l <= j <= r ->
  Permutation(t, upd(upd(t,i,acc(t,j)), j, acc(t,i)), l, r)

axiom permut_sym : forall t1,t2:color_array. forall l,r:int.
  Permutation(t1,t2,l,r) -> Permutation(t2,t1,l,r)

axiom permut_trans : forall t1,t2,t3: color_array. forall l,r:int.
  Permutation(t1,t2,l,r) -> Permutation(t2,t3,l,r) -> Permutation(t1,t3,l,r)

let swap (t:color_array ref) (i:int) (j:int) =
  { 0 <= i < length(t) and 0 <= j < length(t) }
  let u = get t i in
  set t i (get t j);
  set t j u
  { t = upd(upd(t@,i,acc(t@,j)), j, acc(t@,i)) }

let dutch_flag (t:color_array ref) (n:int) = 
  { 0 <= n and length(t) = n and 
    forall k:int. 0 <= k < n -> is_color(acc(t,k)) }
  let b = ref 0 in
  let i = ref 0 in
  let r = ref n in
  init:
  while !i < !r do
     { invariant 0 <= b <= i and i <= r <= n and
	         monochrome(t,0,b,blue) and 
	         monochrome(t,b,i,white) and 
	         monochrome(t,r,n,red) and
		 length(t) = n and
                 (forall k:int. 0 <= k < n -> is_color(acc(t,k))) and
	         Permutation(t,t@init,0,n-1)
       variant r - i }
     if eq_color (get t !i) blue then begin
       swap t !b !i;
       b := !b + 1;
       i := !i + 1
     end else if eq_color (get t !i) white then
       i := !i + 1
     else begin
       r := !r - 1;
       swap t !r !i
     end
  done
  { (exists b:int. exists r:int.	
      monochrome(t,0,b,blue) and 
      monochrome(t,b,r,white) and 
      monochrome(t,r,n,red))
    and Permutation(t,t@,0,n-1) }

(*
Local Variables: 
compile-command: "gwhy flag_ax.mlw"
End: 
*)
why-2.34/examples/misc/sqrt_dicho.mlw0000644000175000017500000000076212311670312016253 0ustar  rtusers
(* Integer square root by dichotomy (Michel Levy) *)

let sqrt = fun (x : int) ->
  {x >= 0 }
  begin
    let inf = ref 0 in let  sup = ref (x+1)in let mil = ref 0  in
    begin
      while (!inf +1 <> !sup) do
	  { invariant 
                inf*inf <= x
	    and x < sup*sup
	    and inf < sup
	      variant (sup - inf)}
	  mil := (!inf + !sup + 1)/ 2;
	  if x < !mil * !mil then sup := !mil else inf := !mil
	done;
	!inf
      end
  end
  { result*result <= x and x < (result+1)*(result+1) }
	why-2.34/examples/misc/loop0_why.v0000644000175000017500000000016712311670312015501 0ustar  rtusers
Require Import Why.
Require Import Omega.

 Proof.
 intuition.
 Qed.

Proof.
intuition.
Qed.

Proof.
intuition.
Qed.

why-2.34/examples/misc/power.mlw0000644000175000017500000000147012311670312015245 0ustar  rtusers
(* Fast exponentiation, using X^2n = (X^n)^2 and X^(2n+1) = X.(X^n)^2 *)

logic x : int

parameter n,m,y : int ref

predicate even(x : int) = x = 2 * (x/2)

predicate odd(x : int) = x = 2 * (x/2) + 1

parameter is_odd : n:int -> { } bool { if result then odd(n) else even(n) }

logic power : int,int -> int

axiom power_0 :
  forall x:int. power(x,0) = 1
axiom power_even : 
  forall x:int. forall n:int. n >= 0 -> power(x,2*n) = power(x*x,n)
axiom power_odd : 
  forall x:int. forall n:int. n >= 0 -> power(x,2*n+1) = x * power(x*x,n)

let power1 () =
  { n >= 0 }
  init:
  begin
    m := x; 
    y := 1;
    while !n > 0 do
      { invariant power(x,n@init) = y * power(m,n) and n >= 0
        variant n }
      if is_odd !n then y := !y * !m;
      m := !m * !m;
      n := !n / 2
    done
  end
  { y = power(x,n@) }

why-2.34/examples/misc/max_why.v0000644000175000017500000001106212311670312015231 0ustar  rtusers
Require Import Why.

Parameter l : Z.
Axiom l_pos : (0 < l)%Z.



Proof.
intuition; subst.
generalize l_pos; auto with *.
generalize l_pos; auto with *.
assert (k=0). omega. subst; auto with *.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
assert ((k < y0)%Z \/ k = y0).
 omega.
 intuition; subst.
assert (access a k <= access a x0); auto with *.
intuition.
Save.

Proof.
intuition.
assert ((k < y0)%Z \/ k = y0).
 omega.
 intuition.
subst; intuition.
Save.

Proof.
intuition.
assert (y0 = l). omega. subst.
replace (access a0 (l-1)) with (access a x0); auto with *.
assert (k = x0 \/ k <> x0).
 omega.
 intuition.
subst; intuition.
replace (access a0 x0) with (access a (l-1)); auto with *.
replace (access a0 k) with (access a k); auto with *.
symmetry; auto with *.
Qed.


(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A104:Set) (a1:(array A104)) (a2:(array A104)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A113:Set) (a1:(array A113)) (a2:(array A113))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

(*Why logic*) Definition l : Z.
Admitted.

(*Why axiom*) Lemma l_pos : 0 < l.
Admitted.

why-2.34/examples/misc/sum_why.sx0000644000175000017500000001505112311670312015437 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

(BG_PUSH
 ;; Why axiom distr_left
 (FORALL (a b c) (EQ (* a (+ b c)) (+ (* a b) (* a c)))))

(BG_PUSH
 ;; Why axiom distr_right
 (FORALL (a b c) (EQ (* (+ b c) a) (+ (* b a) (* c a)))))

;; sum_po_1, File "sum.mlw", line 11, characters 18-42
(FORALL (n) (IMPLIES (>= n 0) (EQ (* 2 0) (* 0 (+ 0 1)))))

;; sum_po_2, File "sum.mlw", line 11, characters 18-42
(FORALL (n) (IMPLIES (>= n 0) (<= 0 n)))

;; sum_po_3, File "sum.mlw", line 11, characters 18-42
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (i)
(FORALL (s)
(IMPLIES (AND (EQ (* 2 s) (* i (+ i 1))) (<= i n))
(IMPLIES (< i n)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (s0) (IMPLIES (EQ s0 (+ s i0)) (EQ (* 2 s0) (* i0 (+ i0 1)))))))))))))

;; sum_po_4, File "sum.mlw", line 11, characters 18-42
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (i)
(FORALL (s)
(IMPLIES (AND (EQ (* 2 s) (* i (+ i 1))) (<= i n))
(IMPLIES (< i n)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1)) (FORALL (s0) (IMPLIES (EQ s0 (+ s i0)) (<= i0 n)))))))))))

;; sum_po_5, File "sum.mlw", line 12, characters 16-19
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (i)
(FORALL (s)
(IMPLIES (AND (EQ (* 2 s) (* i (+ i 1))) (<= i n))
(IMPLIES (< i n)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (s0) (IMPLIES (EQ s0 (+ s i0)) (<= 0 (- n i))))))))))))

;; sum_po_6, File "sum.mlw", line 12, characters 16-19
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (i)
(FORALL (s)
(IMPLIES (AND (EQ (* 2 s) (* i (+ i 1))) (<= i n))
(IMPLIES (< i n)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (s0) (IMPLIES (EQ s0 (+ s i0)) (< (- n i0) (- n i))))))))))))

;; sum_po_7, File "sum.mlw", line 18, characters 4-22
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (i)
(FORALL (s)
(IMPLIES (AND (EQ (* 2 s) (* i (+ i 1))) (<= i n))
(IMPLIES (>= i n) (EQ (* 2 s) (* n (+ n 1)))))))))

why-2.34/examples/misc/.depend0000644000175000017500000000324012311670312014625 0ustar  rtusersarith_valid.vo: arith_valid.v ../../lib/coq/Why.vo arith_why.vo
arith_why.vo: arith_why.v ../../lib/coq/Why.vo
copy_why.vo: copy_why.v ../../lib/coq/Why.vo ../../lib/coq/WhyFloat.vo
csearch_why.vo: csearch_why.v ../../lib/coq/Why.vo
fib_valid.vo: fib_valid.v ../../lib/coq/Why.vo fib_why.vo
fib_why.vo: fib_why.v ../../lib/coq/Why.vo
flag_ax_valid.vo: flag_ax_valid.v ../../lib/coq/Why.vo flag_ax_why.vo
flag_ax_why.vo: flag_ax_why.v ../../lib/coq/Why.vo
flag_valid.vo: flag_valid.v ../../lib/coq/Why.vo flag_why.vo
flag_why.vo: flag_why.v ../../lib/coq/Why.vo
gcd_valid.vo: gcd_valid.v ../../lib/coq/Why.vo gcd_why.vo
gcd_why.vo: gcd_why.v ../../lib/coq/Why.vo
loop0_valid.vo: loop0_valid.v ../../lib/coq/Why.vo loop0_why.vo
loop0_why.vo: loop0_why.v ../../lib/coq/Why.vo
mac_carthy_valid.vo: mac_carthy_valid.v ../../lib/coq/Why.vo mac_carthy_why.vo
mac_carthy_why.vo: mac_carthy_why.v ../../lib/coq/Why.vo
max_valid.vo: max_valid.v ../../lib/coq/Why.vo max_why.vo
max_why.vo: max_why.v ../../lib/coq/Why.vo
peano_valid.vo: peano_valid.v ../../lib/coq/Why.vo peano_why.vo
peano_why.vo: peano_why.v ../../lib/coq/Why.vo
power_valid.vo: power_valid.v ../../lib/coq/Why.vo power_why.vo
power_why.vo: power_why.v ../../lib/coq/Why.vo
search_valid.vo: search_valid.v ../../lib/coq/Why.vo search_why.vo
search_why.vo: search_why.v ../../lib/coq/Why.vo
sqrt_dicho_valid.vo: sqrt_dicho_valid.v ../../lib/coq/Why.vo sqrt_dicho_why.vo
sqrt_dicho_why.vo: sqrt_dicho_why.v ../../lib/coq/Why.vo
sum_valid.vo: sum_valid.v ../../lib/coq/Why.vo sum_why.vo
sum_why.vo: sum_why.v ../../lib/coq/Why.vo
swap0_valid.vo: swap0_valid.v ../../lib/coq/Why.vo swap0_why.vo
swap0_why.vo: swap0_why.v ../../lib/coq/Why.vo
why-2.34/examples/misc/power_why.sx0000644000175000017500000002141312311670312015766 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; power1_po_1, File "power.mlw", line 23, characters 18-63
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (m)
(IMPLIES (EQ m x)
(FORALL (y) (IMPLIES (EQ y 1) (EQ (Zpower x n) (* y (Zpower m n)))))))))

;; power1_po_2, File "power.mlw", line 23, characters 18-63
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (m)
(IMPLIES (EQ m x)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (m0)
(FORALL (n0)
(FORALL (y0)
(IMPLIES (AND (EQ (Zpower x n) (* y0 (Zpower m0 n0))) (>= n0 0))
(IMPLIES (> n0 0)
(IMPLIES (EQ (Zodd n0) |@true|)
(FORALL (y1)
(IMPLIES (EQ y1 (* y0 m0))
(FORALL (m1)
(IMPLIES (EQ m1 (* m0 m0))
(FORALL (n1)
(IMPLIES (EQ n1 (div2 n0)) (EQ (Zpower x n) (* y1 (Zpower m1 n1)))))))))))))))))))))

;; power1_po_3, File "power.mlw", line 23, characters 18-63
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (m)
(IMPLIES (EQ m x)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (m0)
(FORALL (n0)
(FORALL (y0)
(IMPLIES (AND (EQ (Zpower x n) (* y0 (Zpower m0 n0))) (>= n0 0))
(IMPLIES (> n0 0)
(IMPLIES (EQ (Zodd n0) |@true|)
(FORALL (y1)
(IMPLIES (EQ y1 (* y0 m0))
(FORALL (m1)
(IMPLIES (EQ m1 (* m0 m0))
(FORALL (n1) (IMPLIES (EQ n1 (div2 n0)) (>= n1 0)))))))))))))))))))

;; power1_po_4, File "power.mlw", line 24, characters 16-17
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (m)
(IMPLIES (EQ m x)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (m0)
(FORALL (n0)
(FORALL (y0)
(IMPLIES (AND (EQ (Zpower x n) (* y0 (Zpower m0 n0))) (>= n0 0))
(IMPLIES (> n0 0)
(IMPLIES (EQ (Zodd n0) |@true|)
(FORALL (y1)
(IMPLIES (EQ y1 (* y0 m0))
(FORALL (m1)
(IMPLIES (EQ m1 (* m0 m0))
(FORALL (n1) (IMPLIES (EQ n1 (div2 n0)) (<= 0 n0)))))))))))))))))))

;; power1_po_5, File "power.mlw", line 24, characters 16-17
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (m)
(IMPLIES (EQ m x)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (m0)
(FORALL (n0)
(FORALL (y0)
(IMPLIES (AND (EQ (Zpower x n) (* y0 (Zpower m0 n0))) (>= n0 0))
(IMPLIES (> n0 0)
(IMPLIES (EQ (Zodd n0) |@true|)
(FORALL (y1)
(IMPLIES (EQ y1 (* y0 m0))
(FORALL (m1)
(IMPLIES (EQ m1 (* m0 m0))
(FORALL (n1) (IMPLIES (EQ n1 (div2 n0)) (< n1 n0)))))))))))))))))))

;; power1_po_6, File "power.mlw", line 23, characters 18-63
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (m)
(IMPLIES (EQ m x)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (m0)
(FORALL (n0)
(FORALL (y0)
(IMPLIES (AND (EQ (Zpower x n) (* y0 (Zpower m0 n0))) (>= n0 0))
(IMPLIES (> n0 0)
(IMPLIES (EQ (Zeven n0) |@true|)
(FORALL (m1)
(IMPLIES (EQ m1 (* m0 m0))
(FORALL (n1)
(IMPLIES (EQ n1 (div2 n0)) (EQ (Zpower x n) (* y0 (Zpower m1 n1)))))))))))))))))))

;; power1_po_7, File "power.mlw", line 23, characters 18-63
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (m)
(IMPLIES (EQ m x)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (m0)
(FORALL (n0)
(FORALL (y0)
(IMPLIES (AND (EQ (Zpower x n) (* y0 (Zpower m0 n0))) (>= n0 0))
(IMPLIES (> n0 0)
(IMPLIES (EQ (Zeven n0) |@true|)
(FORALL (m1)
(IMPLIES (EQ m1 (* m0 m0))
(FORALL (n1) (IMPLIES (EQ n1 (div2 n0)) (>= n1 0)))))))))))))))))

;; power1_po_8, File "power.mlw", line 24, characters 16-17
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (m)
(IMPLIES (EQ m x)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (m0)
(FORALL (n0)
(FORALL (y0)
(IMPLIES (AND (EQ (Zpower x n) (* y0 (Zpower m0 n0))) (>= n0 0))
(IMPLIES (> n0 0)
(IMPLIES (EQ (Zeven n0) |@true|)
(FORALL (m1)
(IMPLIES (EQ m1 (* m0 m0))
(FORALL (n1) (IMPLIES (EQ n1 (div2 n0)) (<= 0 n0)))))))))))))))))

;; power1_po_9, File "power.mlw", line 24, characters 16-17
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (m)
(IMPLIES (EQ m x)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (m0)
(FORALL (n0)
(FORALL (y0)
(IMPLIES (AND (EQ (Zpower x n) (* y0 (Zpower m0 n0))) (>= n0 0))
(IMPLIES (> n0 0)
(IMPLIES (EQ (Zeven n0) |@true|)
(FORALL (m1)
(IMPLIES (EQ m1 (* m0 m0))
(FORALL (n1) (IMPLIES (EQ n1 (div2 n0)) (< n1 n0)))))))))))))))))

;; power1_po_10, File "power.mlw", line 30, characters 4-20
(FORALL (n)
(IMPLIES (>= n 0)
(FORALL (m)
(IMPLIES (EQ m x)
(FORALL (y)
(IMPLIES (EQ y 1)
(FORALL (m0)
(FORALL (n0)
(FORALL (y0)
(IMPLIES (AND (EQ (Zpower x n) (* y0 (Zpower m0 n0))) (>= n0 0))
(IMPLIES (<= n0 0) (EQ y0 (Zpower x n)))))))))))))

why-2.34/examples/misc/csearch_why.sx0000644000175000017500000001137212311670312016245 0ustar  rtusers(BG_PUSH (FORALL (t i v) (EQ (array_length (store t i v)) (array_length t))))

;; DO NOT EDIT BELOW THIS LINE

;; index_po_1, Why obligation from file "csearch.c", characters 234-238
(FORALL (n)
(FORALL (v)
(FORALL (t)
(IMPLIES (>= (array_length t) n)
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (Variant1)
(FORALL (i1)
(IMPLIES (EQ Variant1 (- n i1))
(IMPLIES (AND (<= 0 i1)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i1)) (NEQ (select t k) v))))
(IMPLIES (< i1 n) (AND (<= 0 i1) (< i1 (array_length t))))))))))))))

;; index_po_2, Why obligation from file "csearch.c", characters 234-243
(FORALL (n)
(FORALL (v)
(FORALL (t)
(IMPLIES (>= (array_length t) n)
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (Variant1)
(FORALL (i1)
(IMPLIES (EQ Variant1 (- n i1))
(IMPLIES (AND (<= 0 i1)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i1)) (NEQ (select t k) v))))
(IMPLIES (< i1 n)
(IMPLIES (AND (<= 0 i1) (< i1 (array_length t)))
(FORALL (c_aux_1)
(IMPLIES (EQ c_aux_1 (select t i1))
(FORALL (result0)
(IMPLIES (AND (IMPLIES (EQ result0 |@true|) (EQ c_aux_1 v))
         (IMPLIES (EQ result0 |@false|) (NEQ c_aux_1 v)))
(AND
(IMPLIES (EQ result0 |@true|) (AND
                              (IMPLIES (AND (<= 0 i1) (< i1 n))
                              (EQ (select t i1) v))
                              (IMPLIES (EQ i1 n)
                              (FORALL (i)
                              (IMPLIES (AND (<= 0 i) (< i n))
                              (NEQ (select t i) v))))))
(IMPLIES (EQ result0 |@false|) (FORALL (i)
                               (IMPLIES (EQ i (+ i1 1))
                               (AND
                               (AND (<= 0 i)
                               (FORALL (k)
                               (IMPLIES (AND (<= 0 k) (< k i))
                               (NEQ (select t k) v))))
                               (AND (<= 0 (- n i1)) (< (- n i) (- n i1))))))))))))))))))))))))

;; index_po_3, Why obligation from file "csearch.c", characters 151-199
(FORALL (n)
(FORALL (v)
(FORALL (t)
(IMPLIES (>= (array_length t) n)
(FORALL (i)
(IMPLIES (EQ i 0)
(AND (<= 0 i)
(FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (select t k) v))))))))))

;; index_po_4, Why obligation from file "csearch.c", characters 117-264
(FORALL (n)
(FORALL (v)
(FORALL (t)
(IMPLIES (>= (array_length t) n)
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i1)
(IMPLIES (AND
         (AND (<= 0 i1)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i1)) (NEQ (select t k) v))))
         (>= i1 n))
(AND (IMPLIES (AND (<= 0 i1) (< i1 n)) (EQ (select t i1) v))
(IMPLIES (EQ i1 n)
(FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NEQ (select t i) v)))))))))))))

;; index2_po_1, Why obligation from file "csearch.c", characters 630-634
(FORALL (n)
(FORALL (v)
(FORALL (t)
(IMPLIES (EQ (array_length t) n)
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (Variant1)
(FORALL (i1)
(IMPLIES (EQ Variant1 (- n i1))
(IMPLIES (AND (<= 0 i1)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i1)) (NEQ (select t k) v))))
(IMPLIES (< i1 n) (AND (<= 0 i1) (< i1 (array_length t))))))))))))))

;; index2_po_2, Why obligation from file "csearch.c", characters 630-639
(FORALL (n)
(FORALL (v)
(FORALL (t)
(IMPLIES (EQ (array_length t) n)
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (Variant1)
(FORALL (i1)
(IMPLIES (EQ Variant1 (- n i1))
(IMPLIES (AND (<= 0 i1)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i1)) (NEQ (select t k) v))))
(IMPLIES (< i1 n)
(IMPLIES (AND (<= 0 i1) (< i1 (array_length t)))
(FORALL (c_aux_2)
(IMPLIES (EQ c_aux_2 (select t i1))
(FORALL (result0)
(IMPLIES (AND (IMPLIES (EQ result0 |@true|) (EQ c_aux_2 v))
         (IMPLIES (EQ result0 |@false|) (NEQ c_aux_2 v)))
(AND
(IMPLIES (EQ result0 |@true|) (IMPLIES (AND (<= 0 i1) (< i1 n))
                              (EQ (select t i1) v)))
(IMPLIES (EQ result0 |@false|) (FORALL (i)
                               (IMPLIES (EQ i (+ i1 1))
                               (AND
                               (AND (<= 0 i)
                               (FORALL (k)
                               (IMPLIES (AND (<= 0 k) (< k i))
                               (NEQ (select t k) v))))
                               (AND (<= 0 (- n i1)) (< (- n i) (- n i1))))))))))))))))))))))))

;; index2_po_3, Why obligation from file "csearch.c", characters 547-595
(FORALL (n)
(FORALL (v)
(FORALL (t)
(IMPLIES (EQ (array_length t) n)
(FORALL (i)
(IMPLIES (EQ i 0)
(AND (<= 0 i)
(FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (select t k) v))))))))))

;; index2_po_4, Why obligation from file "csearch.c", characters 673-674
(FORALL (n)
(FORALL (v)
(FORALL (t)
(IMPLIES (EQ (array_length t) n)
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i1)
(IMPLIES (AND
         (AND (<= 0 i1)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i1)) (NEQ (select t k) v))))
         (>= i1 n))
(IMPLIES (AND (<= 0 n) (< n n)) (EQ (select t n) v))))))))))

why-2.34/examples/misc/search_why.sx0000644000175000017500000003637112311670312016110 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; search1_po_1, File "search.mlw", line 17, characters 18-66
(<= 0 0)

;; search1_po_2, File "search.mlw", line 17, characters 18-66
(FORALL (t)
(FORALL (k) (IMPLIES (AND (<= 0 k) (< k 0)) (NEQ (access t k) 0))))

;; search1_po_3, File "search.mlw", line 19, characters 9-14
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (< i result) (< i (array_length t))))))))

;; search1_po_4, File "search.mlw", line 27, characters 4-17
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (< i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (EQ result0 0) (EQ (access t i) 0)))))))))))

;; search1_po_5, File "search.mlw", line 17, characters 18-66
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (< i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (NEQ result0 0) (FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= 0 i0)))))))))))))

;; search1_po_6, File "search.mlw", line 17, characters 18-66
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (< i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (NEQ result0 0)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (k) (IMPLIES (AND (<= 0 k) (< k i0)) (NEQ (access t k) 0)))))))))))))))

;; search1_po_7, File "search.mlw", line 18, characters 16-35
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (< i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (NEQ result0 0)
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= 0 (- (array_length t) i))))))))))))))

;; search1_po_8, File "search.mlw", line 18, characters 16-35
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (< i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (NEQ result0 0)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1)) (< (- (array_length t) i0) (- (array_length t) i))))))))))))))

;; search1_po_9, File "search.mlw", line 28, characters 17-68
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (>= i result)
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k (array_length t))) (NEQ (access t k) 0)))))))))

;; search2_po_1, File "search.mlw", line 41, characters 18-66
(<= 0 0)

;; search2_po_2, File "search.mlw", line 41, characters 18-66
(FORALL (t)
(FORALL (k) (IMPLIES (AND (<= 0 k) (< k 0)) (NEQ (access t k) 0))))

;; search2_po_3, File "search.mlw", line 43, characters 9-14
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (< i result) (< i (array_length t))))))))

;; search2_po_4, File "search.mlw", line 51, characters 4-17
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (< i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (EQ result0 0) (EQ (access t i) 0)))))))))))

;; search2_po_5, File "search.mlw", line 41, characters 18-66
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (< i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (NEQ result0 0) (FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= 0 i0)))))))))))))

;; search2_po_6, File "search.mlw", line 41, characters 18-66
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (< i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (NEQ result0 0)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (k) (IMPLIES (AND (<= 0 k) (< k i0)) (NEQ (access t k) 0)))))))))))))))

;; search2_po_7, File "search.mlw", line 42, characters 16-35
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (< i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (NEQ result0 0)
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= 0 (- (array_length t) i))))))))))))))

;; search2_po_8, File "search.mlw", line 42, characters 16-35
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (< i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t i))
(IMPLIES (NEQ result0 0)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1)) (< (- (array_length t) i0) (- (array_length t) i))))))))))))))

;; search2_po_9, File "search.mlw", line 52, characters 17-68
(FORALL (t)
(FORALL (i)
(IMPLIES (AND (<= 0 i)
         (FORALL (k) (IMPLIES (AND (<= 0 k) (< k i)) (NEQ (access t k) 0))))
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (>= i result)
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k (array_length t))) (NEQ (access t k) 0)))))))))

;; search3_po_1, File "search.mlw", line 67, characters 3-15
(FORALL (t) (IMPLIES (<= 0 (array_length t)) (<= 0 0)))

;; search3_po_2, File "search.mlw", line 69, characters 17-68
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(IMPLIES (AND (<= 0 0) (<= 0 (array_length t)))
(IMPLIES (FORALL (k)
         (IMPLIES (AND (<= 0 k) (< k (array_length t))) (NEQ (access t k) 0)))
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k (array_length t))) (NEQ (access t k) 0)))))))

;; search3_po_3, File "search.mlw", line 65, characters 20-71
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (<= 0 i) (<= i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (EQ i result)
(FORALL (k)
(IMPLIES (AND (<= i k) (< k (array_length t0))) (NEQ (access t0 k) 0)))))))))))

;; search3_po_4, File "search.mlw", line 62, characters 14-18
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (<= 0 i) (<= i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (NEQ i result) (< i (array_length t0))))))))))

;; search3_po_5, File "search.mlw", line 64, characters 7-20
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (<= 0 i) (<= i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (NEQ i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (EQ result0 0) (EQ (access t0 i) 0)))))))))))))

;; search3_po_6, File "search.mlw", line 63, characters 12-30
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (<= 0 i) (<= i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (NEQ i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (NEQ result0 0) (<= 0 (- (array_length t0) i))))))))))))))

;; search3_po_7, File "search.mlw", line 63, characters 12-30
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (<= 0 i) (<= i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (NEQ i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (NEQ result0 0)
(< (- (array_length t0) (+ i 1)) (- (array_length t0) i))))))))))))))

;; search3_po_8, File "search.mlw", line 63, characters 12-30
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (<= 0 i) (<= i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (NEQ i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (NEQ result0 0)
(IMPLIES (AND (<= 0 (- (array_length t0) i))
         (< (- (array_length t0) (+ i 1)) (- (array_length t0) i)))
(<= 0 (+ i 1)))))))))))))))

;; search3_po_9, File "search.mlw", line 63, characters 12-30
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (<= 0 i) (<= i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (NEQ i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (NEQ result0 0)
(IMPLIES (AND (<= 0 (- (array_length t0) i))
         (< (- (array_length t0) (+ i 1)) (- (array_length t0) i)))
(<= (+ i 1) (array_length t0)))))))))))))))

;; search3_po_10, File "search.mlw", line 65, characters 20-71
(FORALL (t)
(IMPLIES (<= 0 (array_length t))
(FORALL (i)
(FORALL (t0)
(IMPLIES (AND (<= 0 i) (<= i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (array_length t0))
(IMPLIES (NEQ i result)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (NEQ result0 0)
(IMPLIES (AND (<= 0 (- (array_length t0) i))
         (< (- (array_length t0) (+ i 1)) (- (array_length t0) i)))
(IMPLIES (AND (<= 0 (+ i 1)) (<= (+ i 1) (array_length t0)))
(IMPLIES (FORALL (k)
         (IMPLIES (AND (<= (+ i 1) k) (< k (array_length t0)))
         (NEQ (access t0 k) 0)))
(FORALL (k)
(IMPLIES (AND (<= i k) (< k (array_length t0))) (NEQ (access t0 k) 0))))))))))))))))))

why-2.34/examples/misc/sqrt_dicho_why.v0000644000175000017500000000314012311670312016601 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.

Lemma mean1 : forall x y:Z, (x <= y)%Z -> (x <= (x + y) / 2)%Z.
Proof.
intros.
assert ((x + y) / 2 >= (x + x) / 2)%Z.
apply Z_div_ge; omega.
assert (((x + x) / 2)%Z = x); auto with *.
replace (x + x)%Z with (0 + x * 2)%Z; auto with *.
rewrite (Z_div_plus 0 x 2); auto with *.
Qed.

Lemma mean2 : forall x y:Z, (x < y)%Z -> ((x + y) / 2 < y)%Z.
Proof.
intros.
apply (Zmult_lt_reg_r ((x + y) / 2) y) with (p:=2).
auto with *.
replace ((x + y) / 2 * 2)%Z with (2 * ((x + y) / 2))%Z; auto with *.
assert (2 * ((x + y) / 2) <= x + y)%Z.
apply (Z_mult_div_ge (x + y) 2).
auto with *.
omega.
Qed.

Hint Resolve mean1 mean2 .

Proof.
intuition.
ring ((x+1)*(x+1)).
assert (0 <= x*x); auto with *.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
subst sup0; trivial.
subst.
replace (inf + sup + 1)%Z with (inf + (sup - 1) + 1 * 2)%Z;
 try omega.
rewrite Z_div_plus; try omega.
assert (inf <= (inf + (sup - 1)) / 2)%Z.
apply mean1; omega.
omega.
unfold Zwf.
split; try omega.
subst.
 replace (inf + sup + 1)%Z with (inf + 1 + sup)%Z; try omega.
assert ((inf + 1 + sup) / 2 < sup)%Z.
apply mean2; omega.
omega.
Save.

Proof.
intuition.
subst; omega.
subst.
replace (inf + sup + 1)%Z with (inf + 1 + sup)%Z; try omega.
assert ((inf + 1 + sup) / 2 < sup)%Z.
apply mean2; omega.
omega.
unfold Zwf; split; try omega.
subst.
replace (inf + sup + 1)%Z with (inf + 1 + sup)%Z; try omega.
assert (inf + 1 <= (inf + 1 + sup) / 2)%Z.
apply mean1; omega.
omega.
Save.

Proof.
intuition.
subst sup; omega.
Qed.


why-2.34/examples/misc/max.mlw0000644000175000017500000000151012311670312014671 0ustar  rtusers
include "arrays.why"

(* exemple pour le Coq'Art *)

logic l : int
axiom l_pos : 0 < l

parameter a : int array
parameter x,y : int ref

parameter swap : 
  i:int -> j:int -> 
    { array_length(a) = l} 
    unit writes a 
    { array_length(a) = l and
      a[i] = a@[j] and a[j] = a@[i] and
      forall k:int. 0 <= k < l -> k <> i -> k <> j -> a[k] = a@[k] }

let pgm_max_end () =
  { array_length(a) = l }
  begin
    x := 0;
    y := 1;
    while !y < l do
      { invariant 0 <= y <= l and 0 <= x < l and
	          (forall k:int. 0 <= k < y -> a[k] <= a[x])
        variant l-y }
      if a[!y] > a[!x] then x := !y; 
      y := !y + 1
    done;
    (swap !x (l - 1))
  end
  { (forall k:int. 0 <= k < l-1 -> k <> x -> a[k] = a@[k]) and
    a[x] = a@[l-1] and a[l-1] = a@[x] and
    (forall k:int. 0 <= k < l-1 -> a[k] <= a[l-1]) }
why-2.34/examples/misc/arith_why.sx0000644000175000017500000002245512311670312015750 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; mult_po_1, File "arith.mlw", line 12, characters 19-48
(FORALL (x)
(FORALL (y) (IMPLIES (AND (>= x 0) (>= y 0)) (EQ (+ 0 (* x y)) (* x y)))))

;; mult_po_2, File "arith.mlw", line 14, characters 12-18
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b)
(FORALL (p)
(IMPLIES (AND (>= a 0) (EQ (+ p (* a b)) (* x y)))
(IMPLIES (NEQ a 0)
(IMPLIES (EQ (int_mod a 2) 1)
(FORALL (p0) (IMPLIES (EQ p0 (+ p b)) (NEQ 2 0))))))))))))

;; mult_po_3, File "arith.mlw", line 12, characters 19-48
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b)
(FORALL (p)
(IMPLIES (AND (>= a 0) (EQ (+ p (* a b)) (* x y)))
(IMPLIES (NEQ a 0)
(IMPLIES (EQ (int_mod a 2) 1)
(FORALL (p0)
(IMPLIES (EQ p0 (+ p b))
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div a 2))
(FORALL (a0)
(IMPLIES (EQ a0 result) (FORALL (b0) (IMPLIES (EQ b0 (* 2 b)) (>= a0 0)))))))))))))))))))

;; mult_po_4, File "arith.mlw", line 12, characters 19-48
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b)
(FORALL (p)
(IMPLIES (AND (>= a 0) (EQ (+ p (* a b)) (* x y)))
(IMPLIES (NEQ a 0)
(IMPLIES (EQ (int_mod a 2) 1)
(FORALL (p0)
(IMPLIES (EQ p0 (+ p b))
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div a 2))
(FORALL (a0)
(IMPLIES (EQ a0 result)
(FORALL (b0) (IMPLIES (EQ b0 (* 2 b)) (EQ (+ p0 (* a0 b0)) (* x y))))))))))))))))))))

;; mult_po_5, File "arith.mlw", line 12, characters 59-60
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b)
(FORALL (p)
(IMPLIES (AND (>= a 0) (EQ (+ p (* a b)) (* x y)))
(IMPLIES (NEQ a 0)
(IMPLIES (EQ (int_mod a 2) 1)
(FORALL (p0)
(IMPLIES (EQ p0 (+ p b))
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div a 2))
(FORALL (a0)
(IMPLIES (EQ a0 result) (FORALL (b0) (IMPLIES (EQ b0 (* 2 b)) (<= 0 a)))))))))))))))))))

;; mult_po_6, File "arith.mlw", line 12, characters 59-60
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b)
(FORALL (p)
(IMPLIES (AND (>= a 0) (EQ (+ p (* a b)) (* x y)))
(IMPLIES (NEQ a 0)
(IMPLIES (EQ (int_mod a 2) 1)
(FORALL (p0)
(IMPLIES (EQ p0 (+ p b))
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div a 2))
(FORALL (a0)
(IMPLIES (EQ a0 result) (FORALL (b0) (IMPLIES (EQ b0 (* 2 b)) (< a0 a)))))))))))))))))))

;; mult_po_7, File "arith.mlw", line 14, characters 12-18
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b)
(FORALL (p)
(IMPLIES (AND (>= a 0) (EQ (+ p (* a b)) (* x y)))
(IMPLIES (NEQ a 0) (IMPLIES (NEQ (int_mod a 2) 1) (NEQ 2 0))))))))))

;; mult_po_8, File "arith.mlw", line 12, characters 19-48
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b)
(FORALL (p)
(IMPLIES (AND (>= a 0) (EQ (+ p (* a b)) (* x y)))
(IMPLIES (NEQ a 0)
(IMPLIES (NEQ (int_mod a 2) 1)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div a 2))
(FORALL (a0)
(IMPLIES (EQ a0 result) (FORALL (b0) (IMPLIES (EQ b0 (* 2 b)) (>= a0 0)))))))))))))))))

;; mult_po_9, File "arith.mlw", line 12, characters 19-48
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b)
(FORALL (p)
(IMPLIES (AND (>= a 0) (EQ (+ p (* a b)) (* x y)))
(IMPLIES (NEQ a 0)
(IMPLIES (NEQ (int_mod a 2) 1)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div a 2))
(FORALL (a0)
(IMPLIES (EQ a0 result)
(FORALL (b0) (IMPLIES (EQ b0 (* 2 b)) (EQ (+ p (* a0 b0)) (* x y))))))))))))))))))

;; mult_po_10, File "arith.mlw", line 12, characters 59-60
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b)
(FORALL (p)
(IMPLIES (AND (>= a 0) (EQ (+ p (* a b)) (* x y)))
(IMPLIES (NEQ a 0)
(IMPLIES (NEQ (int_mod a 2) 1)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div a 2))
(FORALL (a0)
(IMPLIES (EQ a0 result) (FORALL (b0) (IMPLIES (EQ b0 (* 2 b)) (<= 0 a)))))))))))))))))

;; mult_po_11, File "arith.mlw", line 12, characters 59-60
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b)
(FORALL (p)
(IMPLIES (AND (>= a 0) (EQ (+ p (* a b)) (* x y)))
(IMPLIES (NEQ a 0)
(IMPLIES (NEQ (int_mod a 2) 1)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (int_div a 2))
(FORALL (a0)
(IMPLIES (EQ a0 result) (FORALL (b0) (IMPLIES (EQ b0 (* 2 b)) (< a0 a)))))))))))))))))

;; mult_po_12, File "arith.mlw", line 19, characters 4-18
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b)
(FORALL (p)
(IMPLIES (AND (>= a 0) (EQ (+ p (* a b)) (* x y)))
(IMPLIES (EQ a 0) (EQ p (* x y))))))))))

why-2.34/examples/misc/fib_why.sx0000644000175000017500000007357312311670312015410 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

(BG_PUSH
 ;; Why axiom F_0
 (EQ (F 0) 1))

(BG_PUSH
 ;; Why axiom F_1
 (EQ (F 1) 1))

(BG_PUSH
 ;; Why axiom F_n
 (FORALL (n) (IMPLIES (>= n 2) (EQ (F n) (+ (F (- n 1)) (F (- n 2)))))))

;; fib1_po_1, File "fib.mlw", line 24, characters 4-17
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (<= n 1) (EQ 1 (F n)))))

;; fib1_po_2, File "fib.mlw", line 23, characters 6-18
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (> n 1) (<= 0 n))))

;; fib1_po_3, File "fib.mlw", line 23, characters 6-18
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (> n 1) (< (- n 1) n))))

;; fib1_po_4, File "fib.mlw", line 23, characters 6-18
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 1) (IMPLIES (AND (<= 0 n) (< (- n 1) n)) (>= (- n 1) 0)))))

;; fib1_po_5, File "fib.mlw", line 23, characters 23-35
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 n) (< (- n 1) n))
(IMPLIES (>= (- n 1) 0)
(FORALL (result) (IMPLIES (EQ result (F (- n 1))) (<= 0 n))))))))

;; fib1_po_6, File "fib.mlw", line 23, characters 23-35
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 n) (< (- n 1) n))
(IMPLIES (>= (- n 1) 0)
(FORALL (result) (IMPLIES (EQ result (F (- n 1))) (< (- n 2) n))))))))

;; fib1_po_7, File "fib.mlw", line 23, characters 23-35
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 n) (< (- n 1) n))
(IMPLIES (>= (- n 1) 0)
(FORALL (result)
(IMPLIES (EQ result (F (- n 1)))
(IMPLIES (AND (<= 0 n) (< (- n 2) n)) (>= (- n 2) 0)))))))))

;; fib1_po_8, File "fib.mlw", line 24, characters 4-17
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 n) (< (- n 1) n))
(IMPLIES (>= (- n 1) 0)
(FORALL (result)
(IMPLIES (EQ result (F (- n 1)))
(IMPLIES (AND (<= 0 n) (< (- n 2) n))
(IMPLIES (>= (- n 2) 0)
(FORALL (result0)
(IMPLIES (EQ result0 (F (- n 2))) (EQ (+ result result0) (F n)))))))))))))

;; fib2_aux_po_1, File "fib.mlw", line 34, characters 4-17
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 1 x) (<= x n))
         (AND (EQ fx (F x)) (EQ fx_1 (F (- x 1)))))
(IMPLIES (EQ x n) (EQ fx (F n))))))))

;; fib2_aux_po_2, File "fib.mlw", line 33, characters 6-35
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 1 x) (<= x n))
         (AND (EQ fx (F x)) (EQ fx_1 (F (- x 1)))))
(IMPLIES (NEQ x n) (<= 0 (- n x))))))))

;; fib2_aux_po_3, File "fib.mlw", line 33, characters 6-35
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 1 x) (<= x n))
         (AND (EQ fx (F x)) (EQ fx_1 (F (- x 1)))))
(IMPLIES (NEQ x n) (< (- n (+ x 1)) (- n x))))))))

;; fib2_aux_po_4, File "fib.mlw", line 33, characters 6-35
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 1 x) (<= x n))
         (AND (EQ fx (F x)) (EQ fx_1 (F (- x 1)))))
(IMPLIES (NEQ x n)
(IMPLIES (AND (<= 0 (- n x)) (< (- n (+ x 1)) (- n x))) (<= 1 (+ x 1)))))))))

;; fib2_aux_po_5, File "fib.mlw", line 33, characters 6-35
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 1 x) (<= x n))
         (AND (EQ fx (F x)) (EQ fx_1 (F (- x 1)))))
(IMPLIES (NEQ x n)
(IMPLIES (AND (<= 0 (- n x)) (< (- n (+ x 1)) (- n x))) (<= (+ x 1) n))))))))

;; fib2_aux_po_6, File "fib.mlw", line 33, characters 6-35
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 1 x) (<= x n))
         (AND (EQ fx (F x)) (EQ fx_1 (F (- x 1)))))
(IMPLIES (NEQ x n)
(IMPLIES (AND (<= 0 (- n x)) (< (- n (+ x 1)) (- n x)))
(EQ (+ fx fx_1) (F (+ x 1))))))))))

;; fib2_aux_po_7, File "fib.mlw", line 33, characters 6-35
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 1 x) (<= x n))
         (AND (EQ fx (F x)) (EQ fx_1 (F (- x 1)))))
(IMPLIES (NEQ x n)
(IMPLIES (AND (<= 0 (- n x)) (< (- n (+ x 1)) (- n x)))
(EQ fx (F (- (+ x 1) 1))))))))))

;; fib2_po_1, File "fib.mlw", line 39, characters 4-17
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (<= n 1) (EQ 1 (F n)))))

;; fib2_po_2, File "fib.mlw", line 38, characters 26-42
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (> n 1) (<= 1 1))))

;; fib2_po_3, File "fib.mlw", line 38, characters 26-42
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (> n 1) (<= 1 n))))

;; fib2_po_4, File "fib.mlw", line 38, characters 26-42
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (> n 1) (EQ 1 (F 1)))))

;; fib2_po_5, File "fib.mlw", line 38, characters 26-42
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (> n 1) (EQ 1 (F (- 1 1))))))

;; fib2b_po_1, File "fib.mlw", line 49, characters 24-40
(FORALL (n) (IMPLIES (> n 1) (<= 0 (- n 1))))

;; fib2b_po_2, File "fib.mlw", line 49, characters 24-40
(FORALL (n) (IMPLIES (> n 1) (< (- n 1) n)))

;; fib2b_po_3, File "fib.mlw", line 49, characters 24-40
(FORALL (n) (IMPLIES (> n 1) (EQ 1 (F (- n (- n 1))))))

;; fib2b_po_4, File "fib.mlw", line 49, characters 24-40
(FORALL (n) (IMPLIES (> n 1) (EQ 1 (F (- (- n (- n 1)) 1)))))

;; fib2b_po_5, File "fib.mlw", line 47, characters 6-19
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 0 x) (< x n))
         (AND (EQ fx (F (- n x))) (EQ fx_1 (F (- (- n x) 1)))))
(IMPLIES (EQ x 0) (EQ fx (F n))))))))

;; fib2b_po_6, File "fib.mlw", line 46, characters 26-51
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 0 x) (< x n))
         (AND (EQ fx (F (- n x))) (EQ fx_1 (F (- (- n x) 1)))))
(IMPLIES (NEQ x 0) (<= 0 x)))))))

;; fib2b_po_7, File "fib.mlw", line 46, characters 26-51
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 0 x) (< x n))
         (AND (EQ fx (F (- n x))) (EQ fx_1 (F (- (- n x) 1)))))
(IMPLIES (NEQ x 0) (< (- x 1) x)))))))

;; fib2b_po_8, File "fib.mlw", line 46, characters 26-51
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 0 x) (< x n))
         (AND (EQ fx (F (- n x))) (EQ fx_1 (F (- (- n x) 1)))))
(IMPLIES (NEQ x 0) (IMPLIES (AND (<= 0 x) (< (- x 1) x)) (<= 0 (- x 1)))))))))

;; fib2b_po_9, File "fib.mlw", line 46, characters 26-51
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 0 x) (< x n))
         (AND (EQ fx (F (- n x))) (EQ fx_1 (F (- (- n x) 1)))))
(IMPLIES (NEQ x 0) (IMPLIES (AND (<= 0 x) (< (- x 1) x)) (< (- x 1) n))))))))

;; fib2b_po_10, File "fib.mlw", line 46, characters 26-51
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 0 x) (< x n))
         (AND (EQ fx (F (- n x))) (EQ fx_1 (F (- (- n x) 1)))))
(IMPLIES (NEQ x 0)
(IMPLIES (AND (<= 0 x) (< (- x 1) x)) (EQ (+ fx fx_1) (F (- n (- x 1)))))))))))

;; fib2b_po_11, File "fib.mlw", line 46, characters 26-51
(FORALL (n)
(FORALL (x)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (AND (AND (<= 0 x) (< x n))
         (AND (EQ fx (F (- n x))) (EQ fx_1 (F (- (- n x) 1)))))
(IMPLIES (NEQ x 0)
(IMPLIES (AND (<= 0 x) (< (- x 1) x)) (EQ fx (F (- (- n (- x 1)) 1))))))))))

;; fib2c_aux_po_1, File "fib.mlw", line 56, characters 4-67
(FORALL (n)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (<= 0 n)
(IMPLIES (EQ n 0)
(FORALL (x)
(IMPLIES (<= 1 x)
(IMPLIES (EQ fx (F x)) (IMPLIES (EQ fx_1 (F (- x 1))) (EQ fx (F (+ x n))))))))))))

;; fib2c_aux_po_2, File "fib.mlw", line 55, characters 24-52
(FORALL (n) (IMPLIES (<= 0 n) (IMPLIES (NEQ n 0) (< (- n 1) n))))

;; fib2c_aux_po_3, File "fib.mlw", line 55, characters 24-52
(FORALL (n)
(IMPLIES (<= 0 n)
(IMPLIES (NEQ n 0) (IMPLIES (AND (<= 0 n) (< (- n 1) n)) (<= 0 (- n 1))))))

;; fib2c_aux_po_4, File "fib.mlw", line 56, characters 4-67
(FORALL (n)
(FORALL (fx)
(FORALL (fx_1)
(IMPLIES (<= 0 n)
(IMPLIES (NEQ n 0)
(IMPLIES (AND (<= 0 n) (< (- n 1) n))
(IMPLIES (<= 0 (- n 1))
(FORALL (result)
(IMPLIES (FORALL (x)
         (IMPLIES (<= 1 x)
         (IMPLIES (EQ (+ fx fx_1) (F x))
         (IMPLIES (EQ fx (F (- x 1))) (EQ result (F (+ x (- n 1))))))))
(FORALL (x)
(IMPLIES (<= 1 x)
(IMPLIES (EQ fx (F x))
(IMPLIES (EQ fx_1 (F (- x 1))) (EQ result (F (+ x n))))))))))))))))

;; fib2c_po_1, File "fib.mlw", line 61, characters 4-17
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (<= n 1) (EQ 1 (F n)))))

;; fib2c_po_2, File "fib.mlw", line 60, characters 25-44
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (> n 1) (<= 0 (- n 1)))))

;; fib2c_po_3, File "fib.mlw", line 61, characters 4-17
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 1)
(IMPLIES (<= 0 (- n 1))
(FORALL (result)
(IMPLIES (FORALL (x)
         (IMPLIES (<= 1 x)
         (IMPLIES (EQ 1 (F x))
         (IMPLIES (EQ 1 (F (- x 1))) (EQ result (F (+ x (- n 1))))))))
(EQ result (F n))))))))

;; fib3_po_1, File "fib.mlw", line 73, characters 18-57
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (> n 0) (<= 1 1))))

;; fib3_po_2, File "fib.mlw", line 73, characters 18-57
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (> n 0) (<= 1 n))))

;; fib3_po_3, File "fib.mlw", line 73, characters 18-57
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (> n 0) (EQ 1 (F 1)))))

;; fib3_po_4, File "fib.mlw", line 73, characters 18-57
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (> n 0) (EQ 1 (F (- 1 1))))))

;; fib3_po_5, File "fib.mlw", line 73, characters 18-57
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 0)
(FORALL (k)
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (AND (<= 1 k) (<= k n)) (AND (EQ x (F k)) (EQ y (F (- k 1)))))
(IMPLIES (< k n)
(FORALL (y0)
(IMPLIES (EQ y0 x)
(FORALL (x0)
(IMPLIES (EQ x0 (+ x y)) (FORALL (k0) (IMPLIES (EQ k0 (+ k 1)) (<= 1 k0)))))))))))))))

;; fib3_po_6, File "fib.mlw", line 73, characters 18-57
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 0)
(FORALL (k)
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (AND (<= 1 k) (<= k n)) (AND (EQ x (F k)) (EQ y (F (- k 1)))))
(IMPLIES (< k n)
(FORALL (y0)
(IMPLIES (EQ y0 x)
(FORALL (x0)
(IMPLIES (EQ x0 (+ x y)) (FORALL (k0) (IMPLIES (EQ k0 (+ k 1)) (<= k0 n)))))))))))))))

;; fib3_po_7, File "fib.mlw", line 73, characters 18-57
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 0)
(FORALL (k)
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (AND (<= 1 k) (<= k n)) (AND (EQ x (F k)) (EQ y (F (- k 1)))))
(IMPLIES (< k n)
(FORALL (y0)
(IMPLIES (EQ y0 x)
(FORALL (x0)
(IMPLIES (EQ x0 (+ x y))
(FORALL (k0) (IMPLIES (EQ k0 (+ k 1)) (EQ x0 (F k0))))))))))))))))

;; fib3_po_8, File "fib.mlw", line 73, characters 18-57
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 0)
(FORALL (k)
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (AND (<= 1 k) (<= k n)) (AND (EQ x (F k)) (EQ y (F (- k 1)))))
(IMPLIES (< k n)
(FORALL (y0)
(IMPLIES (EQ y0 x)
(FORALL (x0)
(IMPLIES (EQ x0 (+ x y))
(FORALL (k0) (IMPLIES (EQ k0 (+ k 1)) (EQ y0 (F (- k0 1)))))))))))))))))

;; fib3_po_9, File "fib.mlw", line 73, characters 67-72
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 0)
(FORALL (k)
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (AND (<= 1 k) (<= k n)) (AND (EQ x (F k)) (EQ y (F (- k 1)))))
(IMPLIES (< k n)
(FORALL (y0)
(IMPLIES (EQ y0 x)
(FORALL (x0)
(IMPLIES (EQ x0 (+ x y))
(FORALL (k0) (IMPLIES (EQ k0 (+ k 1)) (<= 0 (- n k))))))))))))))))

;; fib3_po_10, File "fib.mlw", line 73, characters 67-72
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 0)
(FORALL (k)
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (AND (<= 1 k) (<= k n)) (AND (EQ x (F k)) (EQ y (F (- k 1)))))
(IMPLIES (< k n)
(FORALL (y0)
(IMPLIES (EQ y0 x)
(FORALL (x0)
(IMPLIES (EQ x0 (+ x y))
(FORALL (k0) (IMPLIES (EQ k0 (+ k 1)) (< (- n k0) (- n k))))))))))))))))

;; fib3_po_11, File "fib.mlw", line 83, characters 3-16
(FORALL (n)
(IMPLIES (>= n 0)
(IMPLIES (> n 0)
(FORALL (k)
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (AND (<= 1 k) (<= k n)) (AND (EQ x (F k)) (EQ y (F (- k 1)))))
(IMPLIES (>= k n) (EQ x (F n))))))))))

;; fib3_po_12, File "fib.mlw", line 83, characters 3-16
(FORALL (n) (IMPLIES (>= n 0) (IMPLIES (<= n 0) (EQ 1 (F n)))))

;; fib4_po_1, File "fib.mlw", line 107, characters 4-17
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (<= n 1) (EQ 1 (F n))))))

;; fib4_po_2, File "fib.mlw", line 95, characters 5-14
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t))) (IMPLIES (> n 1) (<= 0 0)))))

;; fib4_po_3, File "fib.mlw", line 95, characters 5-14
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1) (< 0 (array_length t))))))

;; fib4_po_4, File "fib.mlw", line 96, characters 5-14
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0) (IMPLIES (EQ t0 (update t 0 1)) (<= 0 1))))))))

;; fib4_po_5, File "fib.mlw", line 96, characters 5-14
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0) (IMPLIES (EQ t0 (update t 0 1)) (< 1 (array_length t0)))))))))

;; fib4_po_6, File "fib.mlw", line 99, characters 19-131
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1) (IMPLIES (EQ t1 (update t0 1 1)) (<= 2 2)))))))))))

;; fib4_po_7, File "fib.mlw", line 99, characters 19-131
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1) (IMPLIES (EQ t1 (update t0 1 1)) (<= 2 (+ n 1))))))))))))

;; fib4_po_8, File "fib.mlw", line 99, characters 19-131
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1)) (EQ (array_length t1) (array_length t))))))))))))

;; fib4_po_9, File "fib.mlw", line 99, characters 19-131
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (i) (IMPLIES (AND (<= 0 i) (< i 2)) (EQ (access t1 i) (F i))))))))))))))

;; fib4_po_10, File "fib.mlw", line 102, characters 16-25
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (<= k n) (<= 0 (- k 1))))))))))))))))

;; fib4_po_11, File "fib.mlw", line 102, characters 16-25
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (<= k n) (< (- k 1) (array_length t2))))))))))))))))

;; fib4_po_12, File "fib.mlw", line 102, characters 28-37
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (<= k n)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t2)))
(FORALL (result) (IMPLIES (EQ result (access t2 (- k 1))) (<= 0 (- k 2)))))))))))))))))))

;; fib4_po_13, File "fib.mlw", line 102, characters 28-37
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (<= k n)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t2)))
(FORALL (result)
(IMPLIES (EQ result (access t2 (- k 1))) (< (- k 2) (array_length t2)))))))))))))))))))

;; fib4_po_14, File "fib.mlw", line 102, characters 7-37
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (<= k n)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t2)))
(FORALL (result)
(IMPLIES (EQ result (access t2 (- k 1)))
(IMPLIES (AND (<= 0 (- k 2)) (< (- k 2) (array_length t2)))
(FORALL (result0) (IMPLIES (EQ result0 (access t2 (- k 2))) (<= 0 k)))))))))))))))))))))

;; fib4_po_15, File "fib.mlw", line 102, characters 7-37
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (<= k n)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t2)))
(FORALL (result)
(IMPLIES (EQ result (access t2 (- k 1)))
(IMPLIES (AND (<= 0 (- k 2)) (< (- k 2) (array_length t2)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t2 (- k 2))) (< k (array_length t2))))))))))))))))))))))

;; fib4_po_16, File "fib.mlw", line 99, characters 19-131
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (<= k n)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t2)))
(FORALL (result)
(IMPLIES (EQ result (access t2 (- k 1)))
(IMPLIES (AND (<= 0 (- k 2)) (< (- k 2) (array_length t2)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t2 (- k 2)))
(IMPLIES (AND (<= 0 k) (< k (array_length t2)))
(FORALL (t3)
(IMPLIES (EQ t3 (update t2 k (+ result result0)))
(FORALL (k0) (IMPLIES (EQ k0 (+ k 1)) (<= 2 k0))))))))))))))))))))))))))

;; fib4_po_17, File "fib.mlw", line 99, characters 19-131
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (<= k n)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t2)))
(FORALL (result)
(IMPLIES (EQ result (access t2 (- k 1)))
(IMPLIES (AND (<= 0 (- k 2)) (< (- k 2) (array_length t2)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t2 (- k 2)))
(IMPLIES (AND (<= 0 k) (< k (array_length t2)))
(FORALL (t3)
(IMPLIES (EQ t3 (update t2 k (+ result result0)))
(FORALL (k0) (IMPLIES (EQ k0 (+ k 1)) (<= k0 (+ n 1)))))))))))))))))))))))))))

;; fib4_po_18, File "fib.mlw", line 99, characters 19-131
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (<= k n)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t2)))
(FORALL (result)
(IMPLIES (EQ result (access t2 (- k 1)))
(IMPLIES (AND (<= 0 (- k 2)) (< (- k 2) (array_length t2)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t2 (- k 2)))
(IMPLIES (AND (<= 0 k) (< k (array_length t2)))
(FORALL (t3)
(IMPLIES (EQ t3 (update t2 k (+ result result0)))
(FORALL (k0)
(IMPLIES (EQ k0 (+ k 1)) (EQ (array_length t3) (array_length t)))))))))))))))))))))))))))

;; fib4_po_19, File "fib.mlw", line 99, characters 19-131
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (<= k n)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t2)))
(FORALL (result)
(IMPLIES (EQ result (access t2 (- k 1)))
(IMPLIES (AND (<= 0 (- k 2)) (< (- k 2) (array_length t2)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t2 (- k 2)))
(IMPLIES (AND (<= 0 k) (< k (array_length t2)))
(FORALL (t3)
(IMPLIES (EQ t3 (update t2 k (+ result result0)))
(FORALL (k0)
(IMPLIES (EQ k0 (+ k 1))
(FORALL (i) (IMPLIES (AND (<= 0 i) (< i k0)) (EQ (access t3 i) (F i)))))))))))))))))))))))))))))

;; fib4_po_20, File "fib.mlw", line 101, characters 17-24
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (<= k n)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t2)))
(FORALL (result)
(IMPLIES (EQ result (access t2 (- k 1)))
(IMPLIES (AND (<= 0 (- k 2)) (< (- k 2) (array_length t2)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t2 (- k 2)))
(IMPLIES (AND (<= 0 k) (< k (array_length t2)))
(FORALL (t3)
(IMPLIES (EQ t3 (update t2 k (+ result result0)))
(FORALL (k0) (IMPLIES (EQ k0 (+ k 1)) (<= 0 (- (+ n 1) k)))))))))))))))))))))))))))

;; fib4_po_21, File "fib.mlw", line 101, characters 17-24
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (<= k n)
(IMPLIES (AND (<= 0 (- k 1)) (< (- k 1) (array_length t2)))
(FORALL (result)
(IMPLIES (EQ result (access t2 (- k 1)))
(IMPLIES (AND (<= 0 (- k 2)) (< (- k 2) (array_length t2)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t2 (- k 2)))
(IMPLIES (AND (<= 0 k) (< k (array_length t2)))
(FORALL (t3)
(IMPLIES (EQ t3 (update t2 k (+ result result0)))
(FORALL (k0) (IMPLIES (EQ k0 (+ k 1)) (< (- (+ n 1) k0) (- (+ n 1) k)))))))))))))))))))))))))))

;; fib4_po_22, File "fib.mlw", line 105, characters 5-9
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (> k n) (< n (array_length t2))))))))))))))))

;; fib4_po_23, File "fib.mlw", line 107, characters 4-17
(FORALL (n)
(FORALL (t)
(IMPLIES (AND (<= 0 n) (< n (array_length t)))
(IMPLIES (> n 1)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t 0 1))
(IMPLIES (AND (<= 0 1) (< 1 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 1 1))
(FORALL (k)
(FORALL (t2)
(IMPLIES (AND (AND (<= 2 k) (<= k (+ n 1)))
         (AND (EQ (array_length t2) (array_length t))
         (FORALL (i)
         (IMPLIES (AND (<= 0 i) (< i k)) (EQ (access t2 i) (F i))))))
(IMPLIES (> k n)
(IMPLIES (AND (<= 0 n) (< n (array_length t2)))
(FORALL (result) (IMPLIES (EQ result (access t2 n)) (EQ result (F n)))))))))))))))))))

why-2.34/examples/misc/arith.mlw0000644000175000017500000000073412311670312015222 0ustar  rtusers
(* Integer multiplication (follows the same principle---2n or 2n+1
   decomposition---that fast exponentiation (see file power.ml) *)

let mult = fun (x:int) (y:int) ->
  { x >= 0 and y >= 0 }
  (let a = ref x in
   let b = ref y in
   let p = ref 0 in
   begin
     while !a <> 0 do
       { invariant a >= 0 and p+a*b = x*y as Inv   variant a }
       if !a % 2 = 1 then p := !p + !b;
       a := !a / 2;
       b := 2 * !b
     done;
     !p
   end)
  { result = x * y }

why-2.34/examples/misc/search_why.v0000644000175000017500000001102212311670312015705 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.


Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
assert (k=i \/ kSet.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A123:Set) (a1:(array A123)) (a2:(array A123)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A132:Set) (a1:(array A132)) (a2:(array A132))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

why-2.34/examples/misc/sum.mlw0000644000175000017500000000055612311670312014721 0ustar  rtusers
axiom distr_left : forall a,b,c:int. a * (b+c) = a*b + a*c
axiom distr_right: forall a,b,c:int. (b+c) * a = b*a + c*a

let sum (n:int) =
  { n>=0 }
  let i = ref 0 in
  let s = ref 0 in
  begin
    while !i < n do
      { invariant 2*s = i*(i+1)  and  i<=n
        variant n-i }
      i := !i + 1;
      s := !s + !i
    done;
    !s
  end
  { 2*result = n*(n+1) }
why-2.34/examples/misc/peano_why.sx0000644000175000017500000002673612311670312015751 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; add1_po_1, File "peano.mlw", line 11, characters 17-53
(FORALL (y) (IMPLIES (>= y 0) (<= 0 y)))

;; add1_po_2, File "peano.mlw", line 11, characters 17-53
(FORALL (y) (FORALL (x) (IMPLIES (>= y 0) (EQ x (+ x (- y y))))))

;; add1_po_3, File "peano.mlw", line 11, characters 17-53
(FORALL (y)
(FORALL (x)
(IMPLIES (>= y 0)
(FORALL (x0)
(FORALL (z)
(IMPLIES (AND (<= 0 z) (EQ x0 (+ x (- y z))))
(IMPLIES (> z 0)
(FORALL (x1)
(IMPLIES (EQ x1 (+ x0 1)) (FORALL (z0) (IMPLIES (EQ z0 (- z 1)) (<= 0 z0))))))))))))

;; add1_po_4, File "peano.mlw", line 11, characters 17-53
(FORALL (y)
(FORALL (x)
(IMPLIES (>= y 0)
(FORALL (x0)
(FORALL (z)
(IMPLIES (AND (<= 0 z) (EQ x0 (+ x (- y z))))
(IMPLIES (> z 0)
(FORALL (x1)
(IMPLIES (EQ x1 (+ x0 1))
(FORALL (z0) (IMPLIES (EQ z0 (- z 1)) (EQ x1 (+ x (- y z0))))))))))))))

;; add1_po_5, File "peano.mlw", line 12, characters 15-16
(FORALL (y)
(FORALL (x)
(IMPLIES (>= y 0)
(FORALL (x0)
(FORALL (z)
(IMPLIES (AND (<= 0 z) (EQ x0 (+ x (- y z))))
(IMPLIES (> z 0)
(FORALL (x1)
(IMPLIES (EQ x1 (+ x0 1)) (FORALL (z0) (IMPLIES (EQ z0 (- z 1)) (< z0 z))))))))))))

;; add1_po_6, File "peano.mlw", line 16, characters 4-14
(FORALL (y)
(FORALL (x)
(IMPLIES (>= y 0)
(FORALL (x0)
(FORALL (z)
(IMPLIES (AND (<= 0 z) (EQ x0 (+ x (- y z))))
(IMPLIES (<= z 0) (EQ x0 (+ x y)))))))))

;; u1_po_1, File "peano.mlw", line 20, characters 30-38
(>= 7 0)

;; u1_po_2, File "peano.mlw", line 20, characters 41-49
(IMPLIES (>= 7 0) (FORALL (r) (IMPLIES (EQ r (+ 3 7)) (EQ r 10))))

;; rec_add1_po_1, File "peano.mlw", line 26, characters 37-53
(FORALL (y)
(FORALL (x)
(IMPLIES (>= y 0)
(IMPLIES (< 0 y) (FORALL (x0) (IMPLIES (EQ x0 (+ x 1)) (<= 0 y)))))))

;; rec_add1_po_2, File "peano.mlw", line 26, characters 37-53
(FORALL (y)
(FORALL (x)
(IMPLIES (>= y 0)
(IMPLIES (< 0 y) (FORALL (x0) (IMPLIES (EQ x0 (+ x 1)) (< (- y 1) y)))))))

;; rec_add1_po_3, File "peano.mlw", line 26, characters 37-53
(FORALL (y)
(FORALL (x)
(IMPLIES (>= y 0)
(IMPLIES (< 0 y)
(FORALL (x0)
(IMPLIES (EQ x0 (+ x 1))
(IMPLIES (AND (<= 0 y) (< (- y 1) y)) (>= (- y 1) 0))))))))

;; rec_add1_po_4, File "peano.mlw", line 27, characters 4-14
(FORALL (y)
(FORALL (x)
(IMPLIES (>= y 0)
(IMPLIES (< 0 y)
(FORALL (x0)
(IMPLIES (EQ x0 (+ x 1))
(IMPLIES (AND (<= 0 y) (< (- y 1) y))
(IMPLIES (>= (- y 1) 0)
(FORALL (x1) (IMPLIES (EQ x1 (+ x0 (- y 1))) (EQ x1 (+ x y))))))))))))

;; rec_add1_po_5, File "peano.mlw", line 27, characters 4-14
(FORALL (y)
(FORALL (x) (IMPLIES (>= y 0) (IMPLIES (>= 0 y) (EQ x (+ x y))))))

;; u11_po_1, File "peano.mlw", line 31, characters 31-43
(>= 7 0)

;; u11_po_2, File "peano.mlw", line 31, characters 46-54
(IMPLIES (>= 7 0) (FORALL (r) (IMPLIES (EQ r (+ 3 7)) (EQ r 10))))

;; mult1_po_1, File "peano.mlw", line 43, characters 19-53
(FORALL (y)
(FORALL (x)
(IMPLIES (AND (>= x 0) (>= y 0)) (FORALL (x0) (IMPLIES (EQ x0 0) (<= 0 y))))))

;; mult1_po_2, File "peano.mlw", line 43, characters 19-53
(FORALL (y)
(FORALL (x)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (x0) (IMPLIES (EQ x0 0) (EQ x0 (* x (- y y))))))))

;; mult1_po_3, File "peano.mlw", line 43, characters 19-53
(FORALL (y)
(FORALL (x)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (x0)
(IMPLIES (EQ x0 0)
(FORALL (x1)
(FORALL (z)
(IMPLIES (AND (<= 0 z) (EQ x1 (* x (- y z))))
(IMPLIES (> z 0)
(IMPLIES (>= x 0)
(FORALL (x2)
(IMPLIES (EQ x2 (+ x1 x)) (FORALL (z0) (IMPLIES (EQ z0 (- z 1)) (<= 0 z0)))))))))))))))

;; mult1_po_4, File "peano.mlw", line 43, characters 19-53
(FORALL (y)
(FORALL (x)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (x0)
(IMPLIES (EQ x0 0)
(FORALL (x1)
(FORALL (z)
(IMPLIES (AND (<= 0 z) (EQ x1 (* x (- y z))))
(IMPLIES (> z 0)
(IMPLIES (>= x 0)
(FORALL (x2)
(IMPLIES (EQ x2 (+ x1 x))
(FORALL (z0) (IMPLIES (EQ z0 (- z 1)) (EQ x2 (* x (- y z0)))))))))))))))))

;; mult1_po_5, File "peano.mlw", line 44, characters 17-18
(FORALL (y)
(FORALL (x)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (x0)
(IMPLIES (EQ x0 0)
(FORALL (x1)
(FORALL (z)
(IMPLIES (AND (<= 0 z) (EQ x1 (* x (- y z))))
(IMPLIES (> z 0)
(IMPLIES (>= x 0)
(FORALL (x2)
(IMPLIES (EQ x2 (+ x1 x)) (FORALL (z0) (IMPLIES (EQ z0 (- z 1)) (< z0 z)))))))))))))))

;; mult1_po_6, File "peano.mlw", line 49, characters 4-14
(FORALL (y)
(FORALL (x)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (x0)
(IMPLIES (EQ x0 0)
(FORALL (x1)
(FORALL (z)
(IMPLIES (AND (<= 0 z) (EQ x1 (* x (- y z))))
(IMPLIES (<= z 0) (EQ x1 (* x y)))))))))))

;; u2_po_1, File "peano.mlw", line 53, characters 30-39
(>= 4 0)

;; u2_po_2, File "peano.mlw", line 53, characters 30-39
(>= 6 0)

;; u2_po_3, File "peano.mlw", line 53, characters 42-50
(IMPLIES (AND (>= 4 0) (>= 6 0))
(FORALL (r) (IMPLIES (EQ r (* 4 6)) (EQ r 24))))

;; mult2_po_1, File "peano.mlw", line 63, characters 3-13
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0)) (IMPLIES (EQ x 0) (EQ 0 (* x y))))))

;; mult2_po_2, File "peano.mlw", line 62, characters 32-45
(FORALL (x)
(FORALL (y) (IMPLIES (AND (>= x 0) (>= y 0)) (IMPLIES (NEQ x 0) (<= 0 x)))))

;; mult2_po_3, File "peano.mlw", line 62, characters 32-45
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0)) (IMPLIES (NEQ x 0) (< (- x 1) x)))))

;; mult2_po_4, File "peano.mlw", line 62, characters 32-45
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(IMPLIES (NEQ x 0) (IMPLIES (AND (<= 0 x) (< (- x 1) x)) (>= (- x 1) 0))))))

;; mult2_po_5, File "peano.mlw", line 63, characters 3-13
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(IMPLIES (NEQ x 0)
(IMPLIES (AND (<= 0 x) (< (- x 1) x))
(IMPLIES (AND (>= (- x 1) 0) (>= y 0))
(FORALL (result)
(IMPLIES (EQ result (* (- x 1) y))
(IMPLIES (>= y 0)
(FORALL (result0) (IMPLIES (EQ result0 (+ y result)) (EQ result0 (* x y)))))))))))))

;; mult2_po_6, File "peano.mlw", line 60, characters 53-63
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b) (IMPLIES (>= a 0) (IMPLIES (EQ a 0) (EQ b (+ a b)))))))))

;; mult2_po_7, File "peano.mlw", line 60, characters 33-49
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a) (IMPLIES (>= a 0) (IMPLIES (NEQ a 0) (<= 0 a)))))))

;; mult2_po_8, File "peano.mlw", line 60, characters 33-49
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a) (IMPLIES (>= a 0) (IMPLIES (NEQ a 0) (< (- a 1) a)))))))

;; mult2_po_9, File "peano.mlw", line 60, characters 33-49
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(IMPLIES (>= a 0)
(IMPLIES (NEQ a 0) (IMPLIES (AND (<= 0 a) (< (- a 1) a)) (>= (- a 1) 0))))))))

;; mult2_po_10, File "peano.mlw", line 60, characters 53-63
(FORALL (x)
(FORALL (y)
(IMPLIES (AND (>= x 0) (>= y 0))
(FORALL (a)
(FORALL (b)
(IMPLIES (>= a 0)
(IMPLIES (NEQ a 0)
(IMPLIES (AND (<= 0 a) (< (- a 1) a))
(IMPLIES (>= (- a 1) 0)
(FORALL (result)
(IMPLIES (EQ result (+ (- a 1) (+ b 1))) (EQ result (+ a b)))))))))))))

why-2.34/examples/misc/flag_why.sx0000644000175000017500000004025612311670312015551 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; dutch_flag_po_1, File "flag.mlw", line 23, characters 17-184
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(AND (AND (<= 0 0) (<= 0 0))
(AND (AND (<= 0 N) (<= N N))
(AND (EQ (monochrome t 0 0 blue) |@true|)
(AND (EQ (monochrome t 0 0 white) |@true|)
(AND (EQ (monochrome t N N red) |@true|) (EQ (array_length t) N))))))))

;; dutch_flag_po_2, File "flag.mlw", line 29, characters 17-22
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r N))
         (AND (EQ (monochrome t0 0 b blue) |@true|)
         (AND (EQ (monochrome t0 b i white) |@true|)
         (AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))
(IMPLIES (< i r) (AND (<= 0 i) (< i (array_length t0)))))))))))

;; dutch_flag_po_3, File "flag.mlw", line 30, characters 15-20
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r N))
         (AND (EQ (monochrome t0 0 b blue) |@true|)
         (AND (EQ (monochrome t0 b i white) |@true|)
         (AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (access t0 i))
(IMPLIES (EQ result blue) (AND (<= 0 b) (< b (array_length t0)))))))))))))))

;; dutch_flag_po_4, File "flag.mlw", line 30, characters 46-56
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r N))
         (AND (EQ (monochrome t0 0 b blue) |@true|)
         (AND (EQ (monochrome t0 b i white) |@true|)
         (AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (access t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (<= 0 b) (< b (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 b))
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 i))
(IMPLIES (AND (<= 0 b) (< b (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 b result1))
(AND (<= 0 i) (< i (array_length t1))))))))))))))))))))))))

;; dutch_flag_po_5, File "flag.mlw", line 23, characters 17-184
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r N))
         (AND (EQ (monochrome t0 0 b blue) |@true|)
         (AND (EQ (monochrome t0 b i white) |@true|)
         (AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (access t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (<= 0 b) (< b (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 b))
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 i))
(IMPLIES (AND (<= 0 b) (< b (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 b result1))
(IMPLIES (AND (<= 0 i) (< i (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 i result0))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(AND (AND (<= 0 b0) (<= b0 i0))
(AND (AND (<= i0 r) (<= r N))
(AND (EQ (monochrome t2 0 b0 blue) |@true|)
(AND (EQ (monochrome t2 b0 i0 white) |@true|)
(AND (EQ (monochrome t2 r N red) |@true|) (EQ (array_length t2) N))))))))))))))))))))))))))))))))))

;; dutch_flag_po_6, File "flag.mlw", line 28, characters 15-20
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r N))
         (AND (EQ (monochrome t0 0 b blue) |@true|)
         (AND (EQ (monochrome t0 b i white) |@true|)
         (AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (access t0 i))
(IMPLIES (EQ result blue)
(IMPLIES (AND (<= 0 b) (< b (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 b))
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 i))
(IMPLIES (AND (<= 0 b) (< b (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 b result1))
(IMPLIES (AND (<= 0 i) (< i (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 i result0))
(FORALL (b0)
(IMPLIES (EQ b0 (+ b 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1)) (AND (<= 0 (- r i)) (< (- r i0) (- r i)))))))))))))))))))))))))))))))

;; dutch_flag_po_7, File "flag.mlw", line 23, characters 17-184
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r N))
         (AND (EQ (monochrome t0 0 b blue) |@true|)
         (AND (EQ (monochrome t0 b i white) |@true|)
         (AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (access t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (EQ result0 white)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(AND (AND (<= 0 b) (<= b i0))
(AND (AND (<= i0 r) (<= r N))
(AND (EQ (monochrome t0 0 b blue) |@true|)
(AND (EQ (monochrome t0 b i0 white) |@true|)
(AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))))))))))))))))))))

;; dutch_flag_po_8, File "flag.mlw", line 28, characters 15-20
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r N))
         (AND (EQ (monochrome t0 0 b blue) |@true|)
         (AND (EQ (monochrome t0 b i white) |@true|)
         (AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (access t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (EQ result0 white)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1)) (AND (<= 0 (- r i)) (< (- r i0) (- r i)))))))))))))))))))))

;; dutch_flag_po_9, File "flag.mlw", line 37, characters 15-20
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r N))
         (AND (EQ (monochrome t0 0 b blue) |@true|)
         (AND (EQ (monochrome t0 b i white) |@true|)
         (AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (access t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1)) (AND (<= 0 r0) (< r0 (array_length t0)))))))))))))))))))))

;; dutch_flag_po_10, File "flag.mlw", line 37, characters 46-56
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r N))
         (AND (EQ (monochrome t0 0 b blue) |@true|)
         (AND (EQ (monochrome t0 b i white) |@true|)
         (AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (access t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (<= 0 r0) (< r0 (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 r0))
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result2)
(IMPLIES (EQ result2 (access t0 i))
(IMPLIES (AND (<= 0 r0) (< r0 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 r0 result2))
(AND (<= 0 i) (< i (array_length t1))))))))))))))))))))))))))))))

;; dutch_flag_po_11, File "flag.mlw", line 23, characters 17-184
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r N))
         (AND (EQ (monochrome t0 0 b blue) |@true|)
         (AND (EQ (monochrome t0 b i white) |@true|)
         (AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (access t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (<= 0 r0) (< r0 (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 r0))
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result2)
(IMPLIES (EQ result2 (access t0 i))
(IMPLIES (AND (<= 0 r0) (< r0 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 r0 result2))
(IMPLIES (AND (<= 0 i) (< i (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 i result1))
(AND (AND (<= 0 b) (<= b i))
(AND (AND (<= i r0) (<= r0 N))
(AND (EQ (monochrome t2 0 b blue) |@true|)
(AND (EQ (monochrome t2 b i white) |@true|)
(AND (EQ (monochrome t2 r0 N red) |@true|) (EQ (array_length t2) N))))))))))))))))))))))))))))))))))))

;; dutch_flag_po_12, File "flag.mlw", line 28, characters 15-20
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r N))
         (AND (EQ (monochrome t0 0 b blue) |@true|)
         (AND (EQ (monochrome t0 b i white) |@true|)
         (AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))
(IMPLIES (< i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result)
(IMPLIES (EQ result (access t0 i))
(IMPLIES (NEQ result blue)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (NEQ result0 white)
(FORALL (r0)
(IMPLIES (EQ r0 (- r 1))
(IMPLIES (AND (<= 0 r0) (< r0 (array_length t0)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t0 r0))
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result2)
(IMPLIES (EQ result2 (access t0 i))
(IMPLIES (AND (<= 0 r0) (< r0 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 r0 result2))
(IMPLIES (AND (<= 0 i) (< i (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 i result1))
(AND (<= 0 (- r i)) (< (- r0 i) (- r i)))))))))))))))))))))))))))))))))

;; dutch_flag_po_13, File "flag.mlw", line 40, characters 4-92
(FORALL (t)
(IMPLIES (EQ (array_length t) N)
(FORALL (b)
(FORALL (i)
(FORALL (r)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 b) (<= b i))
         (AND (AND (<= i r) (<= r N))
         (AND (EQ (monochrome t0 0 b blue) |@true|)
         (AND (EQ (monochrome t0 b i white) |@true|)
         (AND (EQ (monochrome t0 r N red) |@true|) (EQ (array_length t0) N))))))
(IMPLIES (>= i r)
(AND (EQ (monochrome t0 0 b blue) |@true|)
(AND (EQ (monochrome t0 b r white) |@true|)
(EQ (monochrome t0 r N red) |@true|)))))))))))

why-2.34/examples/misc/search.mlw0000644000175000017500000000315312311670312015356 0ustar  rtusers
include "arrays.why"

(* Search in an array for a null value *)

exception Not_found

parameter t : int array

(* 1. With a loop. As soon as we find it, we raise (Found i) *)

exception Found of int

let search1 () = 
  {} 
  try
    let i = ref 0 in begin
    while !i < (array_length_ t) do
      { invariant 0 <= i and forall k:int. 0 <= k < i -> t[k] <> 0
        variant array_length(t) - i } 
      if t[!i] = 0 then raise (Found !i);
      i := !i + 1
    done;
    raise Not_found : int
    end 
  with Found x ->
    x
  end
  { t[result] = 0 
  | Not_found => forall k:int. 0 <= k < array_length(t) -> t[k] <> 0 }


(* 1. With a loop. As soon as we find it, we raise Break *)

exception Break

let search2 () = 
  {} 
  let i = ref 0 in 
  try
    begin
    while !i < (array_length_ t) do
      { invariant 0 <= i and forall k:int. 0 <= k < i -> t[k] <> 0
        variant array_length(t) - i }
      if t[!i] = 0 then raise Break;
      i := !i + 1
    done;
    raise Not_found : int
    end 
  with Break ->
    !i
  end
  { t[result] = 0 
  | Not_found => forall k:int. 0 <= k < array_length(t) -> t[k] <> 0 }


(* 3. With a recursive function *)

let search3 () =
  { 0 <= array_length(t) }
  (let rec search_rec (i:int) : int { variant array_length(t) - i } =
     { 0 <= i <= array_length(t) }
     (if i = (array_length_ t) then raise Not_found : int
      else if t[i] = 0 then i
      else (search_rec (i + 1)))
     { t[result] = 0 
     | Not_found => forall k:int. i <= k < array_length(t) -> t[k] <> 0 }
   in
  (search_rec 0))
  { t[result] = 0 
  | Not_found => forall k:int. 0 <= k < array_length(t) -> t[k] <> 0 }
why-2.34/examples/bresenham/0000755000175000017500000000000012311670312014377 5ustar  rtuserswhy-2.34/examples/bresenham/Makefile0000644000175000017500000000010712311670312016035 0ustar  rtusers
VO=bresenham_valid.vo

all: zaux.vo $(VO)

include ../Makefile.common
why-2.34/examples/bresenham/zaux.v0000644000175000017500000001455012311670312015562 0ustar  rtusers(* Load Programs. *)(**************************************************************************)
(*                                                                        *)
(* Proof of the Bresenham line drawing algorithm.                         *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* May 2001                                                               *)
(*                                                                        *)
(**************************************************************************)

(*s Some lemmas about absolute value (over type [Z]). *)

Require Import ZArith.
Require Import Omega.
Require Import ZArithRing.

(*s First a tactic [Case_Zabs] to do case split over [(Zabs x)]: 
    introduces two subgoals, one where [x] is assumed to be non negative
    and thus where [Zabs x] is replaced by [x]; and another where
    [x] is assumed to be non positive and thus where [Zabs x] is
    replaced by [-x]. *)

Lemma Z_gt_le : forall x y:Z, (x > y)%Z -> (y <= x)%Z.
Proof.
intros; omega.
Qed.

Ltac Case_Zabs a Ha :=
  elim (Z_le_gt_dec 0 a); intro Ha;
   [ rewrite (Zabs_eq a Ha)
   | rewrite (Zabs_non_eq a (Z_gt_le 0 a Ha)) ].

(*s A useful lemma to establish $|a| \le |b|$. *)

Lemma Zabs_le_Zabs :
 forall a b:Z,
   (b <= a <= 0)%Z \/ (0 <= a <= b)%Z -> (Zabs a <= Zabs b)%Z.
Proof.
intro a; Case_Zabs a Ha; intro b; Case_Zabs b Hb; omega.
Qed.

(*s A useful lemma to establish $|a| \le $. *)

Lemma Zabs_le :
 forall a b:Z, (0 <= b)%Z -> ((Zopp b <= a <= b)%Z <-> (Zabs a <= b)%Z).
Proof.
intros a b Hb.
 Case_Zabs a Ha; split; omega.
Qed.

(*s Two tactics. [ZCompare x y H] discriminates between [xy] ([H] is the hypothesis name). [RingSimpl x y] rewrites [x] by [y]
    using the [Ring] tactic. *)

Ltac ZCompare x y H :=
  elim (Z_gt_le_dec x y); intro H;
   [ idtac | elim (Z_le_lt_eq_dec x y H); clear H; intro H ].

Ltac RingSimpl x y := replace x with y; [ idtac | ring ].

(*s Key lemma for Bresenham's proof: if [b] is at distance less or equal 
    than [1/2] from the rational [c/a], then it is the closest such integer.
    We express this property in [Z], thus multiplying everything by [2a]. *)

Lemma closest :
 forall a b c:Z,
   (0 <= a)%Z ->
   (Zabs (2 * a * b - 2 * c) <= a)%Z ->
   forall b':Z, (Zabs (a * b - c) <= Zabs (a * b' - c))%Z.
Proof.
intros a b c Ha Hmin.
generalize (proj2 (Zabs_le (2 * a * b - 2 * c) a Ha) Hmin).
intros Hmin' b'.
elim (Z_le_gt_dec (2 * a * b) (2 * c)); intro Habc.
(* 2ab <= 2c *)
rewrite (Zabs_non_eq (a * b - c)).
ZCompare b b' Hbb'.
  (* b > b' *)
  rewrite (Zabs_non_eq (a * b' - c)).
  apply Zle_left_rev.
  RingSimpl (Zopp (a * b' - c) + Zopp (Zopp (a * b - c)))%Z
   (a * (b - b'))%Z.
  apply Zmult_le_0_compat; omega.
  apply Zge_le.
  apply Zge_trans with (m := (a * b - c)%Z).
  apply Zmult_ge_reg_r with (p := 2%Z).
 omega.
  RingSimpl (0 * 2)%Z 0%Z.
   RingSimpl ((a * b - c) * 2)%Z (2 * a * b - 2 * c)%Z.
 omega.
  RingSimpl (a * b' - c)%Z (a * b' + Zopp c)%Z.
  RingSimpl (a * b - c)%Z (a * b + Zopp c)%Z.
  apply Zle_ge.
    apply Zplus_le_compat_r.
  apply Zmult_le_compat_l; omega.
  (* b < b' *)
  rewrite (Zabs_eq (a * b' - c)).
  apply Zmult_le_reg_r with (p := 2%Z).
 omega.
  RingSimpl ((a * b' - c) * 2)%Z
   (2 * (a * b' - a * b) + 2 * (a * b - c))%Z.
  apply Zle_trans with a.
   RingSimpl (Zopp (a * b - c) * 2)%Z (Zopp (2 * a * b - 2 * c)).
 omega.
  apply Zle_trans with (2 * a + Zopp a)%Z.
 omega.
  apply Zplus_le_compat.
  RingSimpl (2 * a)%Z (2 * a * 1)%Z.
  RingSimpl (2 * (a * b' - a * b))%Z (2 * a * (b' - b))%Z.
  apply Zmult_le_compat_l; omega.
  RingSimpl (2 * (a * b - c))%Z (2 * a * b - 2 * c)%Z.
 omega.
    (* 0 <= ab'-c *)
    RingSimpl (a * b' - c)%Z (a * b' - a * b + (a * b - c))%Z.
    RingSimpl 0%Z (a + Zopp a)%Z.
    apply Zplus_le_compat.
    RingSimpl a (a * 1)%Z.
    RingSimpl (a * 1 * b' - a * 1 * b)%Z (a * (b' - b))%Z.
    apply Zmult_le_compat_l; omega.
    apply Zmult_le_reg_r with (p := 2%Z).
 omega.
    apply Zle_trans with (Zopp a).
 omega.
      RingSimpl ((a * b - c) * 2)%Z (2 * a * b - 2 * c)%Z.
 omega.
  (* b = b' *)
  rewrite <- Hbb'.
  rewrite (Zabs_non_eq (a * b - c)).
 omega.
  apply Zge_le.
  apply Zmult_ge_reg_r with (p := 2%Z).
 omega.
  RingSimpl (0 * 2)%Z 0%Z.
   RingSimpl ((a * b - c) * 2)%Z (2 * a * b - 2 * c)%Z.
 omega.
   apply Zge_le.
  apply Zmult_ge_reg_r with (p := 2%Z).
 omega.
  RingSimpl (0 * 2)%Z 0%Z.
   RingSimpl ((a * b - c) * 2)%Z (2 * a * b - 2 * c)%Z.
 omega.
 
(* 2ab > 2c *)
rewrite (Zabs_eq (a * b - c)).
ZCompare b b' Hbb'.
  (* b > b' *)
  rewrite (Zabs_non_eq (a * b' - c)).
  apply Zmult_le_reg_r with (p := 2%Z).
 omega.
  RingSimpl (Zopp (a * b' - c) * 2)%Z
   (2 * (c - a * b) + 2 * (a * b - a * b'))%Z.
  apply Zle_trans with a.
   RingSimpl ((a * b - c) * 2)%Z (2 * a * b - 2 * c)%Z.
 omega.
  apply Zle_trans with (Zopp a + 2 * a)%Z.
 omega.
  apply Zplus_le_compat.
  RingSimpl (2 * (c - a * b))%Z (2 * c - 2 * a * b)%Z.
 omega.
  RingSimpl (2 * a)%Z (2 * a * 1)%Z.
  RingSimpl (2 * (a * b - a * b'))%Z (2 * a * (b - b'))%Z.
  apply Zmult_le_compat_l; omega.
    (* 0 >= ab'-c *)
    RingSimpl (a * b' - c)%Z (a * b' - a * b + (a * b - c))%Z.
    RingSimpl 0%Z (Zopp a + a)%Z.
    apply Zplus_le_compat.
    RingSimpl (Zopp a) (a * (-1))%Z.
    RingSimpl (a * b' - a * b)%Z (a * (b' - b))%Z.
    apply Zmult_le_compat_l; omega.
    apply Zmult_le_reg_r with (p := 2%Z).
 omega.
    apply Zle_trans with a.
    RingSimpl ((a * b - c) * 2)%Z (2 * a * b - 2 * c)%Z.
    omega.
 omega.
  (* b < b' *)
  rewrite (Zabs_eq (a * b' - c)).
  apply Zle_left_rev.
  RingSimpl (a * b' - c + Zopp (a * b - c))%Z (a * (b' - b))%Z.
  apply Zmult_le_0_compat; omega.
  apply Zle_trans with (m := (a * b - c)%Z).
  apply Zmult_le_reg_r with (p := 2%Z).
 omega.
  RingSimpl (0 * 2)%Z 0%Z.
   RingSimpl ((a * b - c) * 2)%Z (2 * a * b - 2 * c)%Z.
 omega.
  RingSimpl (a * b' - c)%Z (a * b' + Zopp c)%Z.
  RingSimpl (a * b - c)%Z (a * b + Zopp c)%Z.
  apply Zplus_le_compat_r.
  apply Zmult_le_compat_l; omega.
  (* b = b' *)
  rewrite <- Hbb'.
    rewrite (Zabs_eq (a * b - c)).
 omega.
  apply Zmult_le_reg_r with (p := 2%Z).
 omega.
  RingSimpl (0 * 2)%Z 0%Z.
   RingSimpl ((a * b - c) * 2)%Z (2 * a * b - 2 * c)%Z.
 omega.
   apply Zmult_le_reg_r with (p := 2%Z).
 omega.
  RingSimpl (0 * 2)%Z 0%Z.
   RingSimpl ((a * b - c) * 2)%Z (2 * a * b - 2 * c)%Z.
 omega.
 Qed.
why-2.34/examples/bresenham/bresenham_coq.mlw0000644000175000017500000000337612311670312017737 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(* Proof of the Bresenham line drawing algorithm.                         *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* May 2001                                                               *)
(*                                                                        *)
(**************************************************************************)

(*  Parameters. 
    Without loss of generality, we can take [x1=0] and [y1=0]. 
    Thus the line to draw joins [(0,0)] to [(x2,y2)]
    and we have [deltax = x2] and [deltay = y2]. 
    Moreover we assume being in the first octant, i.e.
    [0 <= y2 <= x2] (see the Coq file). The seven other cases can be easily
    deduced by symmetry. *)

logic x2,y2 : int

(*s Global variables of the program. *)

parameter x,y,e : int ref

(*s The code.
    [(best x y)] expresses that the point [(x,y)] is the best
    possible point i.e. the closest to the real line (see the Coq file).
    The invariant relates [x], [y] and [e] and
    gives lower and upper bound for [e] (see the Coq file). *)

external logic best : int, int -> prop
external logic Invariant : int, int, int -> prop

let bresenham () =
  begin
    x := 0;
    y := 0;
    e := 2 * y2 - x2;
    while !x <= x2 do
      { invariant 0 <= x <= x2 + 1 and Invariant(x, y, e)
        variant   x2 + 1 - x }
      (* here we would do (plot x y) *) 
      assert { best(x, y) };
      if !e < 0 then
	e := !e + 2 * y2
      else begin
	y := !y + 1;
	e := !e + 2 * (y2 - x2)
      end;
      x := !x + 1
    done
  end
why-2.34/examples/bresenham/bresenham_coq_why.v0000644000175000017500000001165212311670312020270 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(* Proof of the Bresenham line drawing algorithm.                         *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* May 2001                                                               *)
(*                                                                        *)
(**************************************************************************)

Require Import zaux.
Require Import Why.
Require Import ZArith.
 Require Import Omega.
Require Import ZArithRing.

(*Why logic*) Definition x2 : Z.
Admitted.

(*Why logic*) Definition y2 : Z.
Admitted.

Axiom first_octant : (0 <= y2 <= x2)%Z.
Dp_hint first_octant.

Ltac omega' := generalize first_octant; omega.

(*s Specification of the correctness. 
    [(best x y)] expresses that the point [(x,y)] is the best
    possible point i.e. the closest to the real line. 
    This line has slope [y2/x2] thus the point on
    the line is [(x,x*y2/x2)]. *)

Definition best (x y:Z) :=
  forall y':Z, (Zabs (x2 * y - x * y2) <= Zabs (x2 * y' - x * y2))%Z.

(*s Invariant. The invariant relates [x], [y] and [e] and
    gives lower and upper bound for [e]. The key lemma 
    [invariant_is_ok] establishes that this invariant implies the
    expected property. *)

Definition Invariant (x y e:Z) :=
  e = (2 * (x + 1) * y2 - (2 * y + 1) * x2)%Z /\
  (2 * (y2 - x2) <= e <= 2 * y2)%Z.

Lemma invariant_is_ok : forall x y e:Z, Invariant x y e -> best x y.
Proof.
intros x y e.
unfold Invariant; unfold best; intros [E I'] y'.
cut (0 <= x2)%Z; [ intro Hx2 | idtac ].
apply closest.
assumption.
apply (proj1 (Zabs_le (2 * x2 * y - 2 * (x * y2)) x2 Hx2)).
rewrite E in I'.
split.
(* 0 <= x2 *)
generalize (proj2 I').
RingSimpl (2 * (x + 1) * y2 - (2 * y + 1) * x2)%Z
 (2 * x * y2 - 2 * x2 * y + 2 * y2 - x2)%Z.
intro.
RingSimpl (2 * (x * y2))%Z (2 * x * y2)%Z.
omega.
(* 0 <= x2 *)
generalize (proj1 I').
RingSimpl (2 * (x + 1) * y2 - (2 * y + 1) * x2)%Z
 (2 * x * y2 - 2 * x2 * y + 2 * y2 - x2)%Z.
RingSimpl (2 * (y2 - x2))%Z (2 * y2 - 2 * x2)%Z.
RingSimpl (2 * (x * y2))%Z (2 * x * y2)%Z.
omega.
omega.
Qed.

(*s Program correctness. *)

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma bresenham_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 0),
  forall (y: Z),
  forall (HW_2: y = 0),
  forall (e: Z),
  forall (HW_3: e = (2 * y2 - x2)),
  (0 <= x /\ x <= (x2 + 1)) /\ (Invariant x y e).
Proof.
intuition.
omega'.
subst; unfold Invariant; omega'.
Save.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma bresenham_po_2 : 
  forall (x: Z),
  forall (HW_1: x = 0),
  forall (y: Z),
  forall (HW_2: y = 0),
  forall (e: Z),
  forall (HW_3: e = (2 * y2 - x2)),
  forall (e0: Z),
  forall (x0: Z),
  forall (y0: Z),
  forall (HW_4: (0 <= x0 /\ x0 <= (x2 + 1)) /\ (Invariant x0 y0 e0)),
  forall (HW_5: x0 <= x2),
  (best x0 y0).
Proof.
intuition.
apply invariant_is_ok with e0; auto.
Save.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma bresenham_po_3 : 
  forall (x: Z),
  forall (HW_1: x = 0),
  forall (y: Z),
  forall (HW_2: y = 0),
  forall (e: Z),
  forall (HW_3: e = (2 * y2 - x2)),
  forall (e0: Z),
  forall (x0: Z),
  forall (y0: Z),
  forall (HW_4: (0 <= x0 /\ x0 <= (x2 + 1)) /\ (Invariant x0 y0 e0)),
  forall (HW_5: x0 <= x2),
  forall (HW_6: (best x0 y0)),
  forall (HW_7: e0 < 0),
  forall (e1: Z),
  forall (HW_8: e1 = (e0 + 2 * y2)),
  forall (x1: Z),
  forall (HW_9: x1 = (x0 + 1)),
  ((0 <= x1 /\ x1 <= (x2 + 1)) /\ (Invariant x1 y0 e1)) /\
  (Zwf 0 (x2 + 1 - x1) (x2 + 1 - x0)).
Proof.
unfold Invariant; intuition; subst.
replace (2 * (x0 + 1 + 1) * y2)%Z with (2 * (x0 + 1) * y2 + 2 * y2)%Z;
 [ omega' | ring ].
omega'.
Save.

(* Why obligation from file "", line 0, characters 0-0: *)
(*Why goal*) Lemma bresenham_po_4 : 
  forall (x: Z),
  forall (HW_1: x = 0),
  forall (y: Z),
  forall (HW_2: y = 0),
  forall (e: Z),
  forall (HW_3: e = (2 * y2 - x2)),
  forall (e0: Z),
  forall (x0: Z),
  forall (y0: Z),
  forall (HW_4: (0 <= x0 /\ x0 <= (x2 + 1)) /\ (Invariant x0 y0 e0)),
  forall (HW_5: x0 <= x2),
  forall (HW_6: (best x0 y0)),
  forall (HW_10: e0 >= 0),
  forall (y1: Z),
  forall (HW_11: y1 = (y0 + 1)),
  forall (e1: Z),
  forall (HW_12: e1 = (e0 + 2 * (y2 - x2))),
  forall (x1: Z),
  forall (HW_13: x1 = (x0 + 1)),
  ((0 <= x1 /\ x1 <= (x2 + 1)) /\ (Invariant x1 y1 e1)) /\
  (Zwf 0 (x2 + 1 - x1) (x2 + 1 - x0)).
Proof.
unfold Invariant; intuition; subst.
replace (2 * (x0 + 1 + 1) * y2 - (2 * (y0 + 1) + 1) * x2)%Z with
 (2 * (x0 + 1) * y2 + 2 * y2 - (2 * y0 + 1) * x2 - 2 * x2)%Z;
 [ omega' | ring ].
omega'.
Save.

(*Why*) Parameter bresenham_valid :
  forall (_: unit), forall (e: Z), forall (x: Z), forall (y: Z),
  (sig_4 Z Z Z unit (fun (e0: Z) (x0: Z) (y0: Z) (result: unit)  => (True))).

why-2.34/examples/bresenham/bresenham_inv.mlw0000644000175000017500000000327612311670312017750 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(* Proof of the Bresenham line drawing algorithm.                         *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* May 2001                                                               *)
(*                                                                        *)
(**************************************************************************)

(*  Bresenham's algorithm draws a discrete line from (x1,y1) to (x2,y2).

    Without loss of generality, we can take [x1=0] and [y1=0]. 
    Thus the line to draw joins [(0,0)] to [(x2,y2)]
    and we have [deltax = x2] and [deltay = y2]. 
    Moreover we assume being in the first octant, i.e.
    [0 <= y2 <= x2]. The seven other cases can be easily
    deduced by symmetry. *)

logic x2,y2 : int

axiom first_octant : 0 <= y2 <= x2

parameter x,y,e : int ref

axiom z_ring_0 : forall a,b,c:int. a * (b+c) = a*b + a*c
axiom z_ring_1 : forall a,b,c:int. (b+c) * a = b*a + c*a

let bresenham () =
  x := 0;
  y := 0;
  e := 2 * y2 - x2;
  while !x <= x2 do
    { invariant 
        0 <= x <= x2 + 1 and 
        e = 2 * (x + 1) * y2 - (2 * y + 1) * x2 and
        2 * (y2 - x2) <= e <= 2 * y2
      variant   
        x2 + 1 - x }
    (* here we would do (plot x y) *) 
    if !e < 0 then
      e := !e + 2 * y2
    else begin
      y := !y + 1;
      e := !e + 2 * (y2 - x2)
    end;
    x := !x + 1
  done
    

(*
Local Variables: 
compile-command: "gwhy-bin -split-user-conj bresenham_inv.mlw"
End: 
*)

why-2.34/examples/bresenham/bresenham.mlw0000644000175000017500000000427212311670312017071 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(* Proof of the Bresenham line drawing algorithm.                         *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* May 2001                                                               *)
(*                                                                        *)
(**************************************************************************)

(*  Parameters. 
    Without loss of generality, we can take [x1=0] and [y1=0]. 
    Thus the line to draw joins [(0,0)] to [(x2,y2)]
    and we have [deltax = x2] and [deltay = y2]. 
    Moreover we assume being in the first octant, i.e.
    [0 <= y2 <= x2] (see the Coq file). The seven other cases can be easily
    deduced by symmetry. *)

logic x2,y2 : int

axiom first_octant : 0 <= y2 <= x2

(*s Global variables of the program. *)

parameter x,y,e : int ref

(*s The code.
    [(best x y)] expresses that the point [(x,y)] is the best
    possible point i.e. the closest to the real line (see the Coq file).
    The invariant relates [x], [y] and [e] and
    gives lower and upper bound for [e] (see the Coq file). *)

logic abs : int -> int

axiom abs_def : 
  forall x:int. (x >= 0 and abs(x) = x) or (x <= 0 and abs(x) = -x)

predicate best(x:int, y:int) =
  forall y':int. abs (x2 * y - x * y2) <= abs (x2 * y' - x * y2)

predicate Invariant(x:int, y:int, e:int) =
  e = 2 * (x + 1) * y2 - (2 * y + 1) * x2 and
  2 * (y2 - x2) <= e <= 2 * y2

axiom invariant_is_ok : forall x,y,e:int. Invariant(x,y,e) -> best(x,y)

let bresenham () =
  begin
    x := 0;
    y := 0;
    e := 2 * y2 - x2;
    while !x <= x2 do
      { invariant 0 <= x <= x2 + 1 and Invariant(x, y, e)
        variant   x2 + 1 - x }
      (* here we would do (plot x y) *) 
      assert { best(x, y) };
      if !e < 0 then
	e := !e + 2 * y2
      else begin
	y := !y + 1;
	e := !e + 2 * (y2 - x2)
      end;
      x := !x + 1
    done
  end

    
(*
Local Variables: 
compile-command: "gwhy-bin -split-user-conj bresenham.mlw"
End: 
*)

why-2.34/examples/bresenham/.depend0000644000175000017500000000023312311670312015635 0ustar  rtusersbresenham_valid.vo: bresenham_valid.v ../../lib/coq/Why.vo bresenham_why.vo
bresenham_why.vo: bresenham_why.v zaux.vo ../../lib/coq/Why.vo
zaux.vo: zaux.v
why-2.34/examples/bresenham/bresenham_why.v0000644000175000017500000000757012311670312017432 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(* Proof of the Bresenham line drawing algorithm.                         *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* May 2001                                                               *)
(*                                                                        *)
(**************************************************************************)

Require Import zaux.
Require Import Why.
Require Import ZArith.
 Require Import Omega.
Require Import ZArithRing.


Axiom first_octant : (0 <= y2 <= x2)%Z.

Ltac omega' := generalize first_octant; omega.

(*s Specification of the correctness. 
    [(best x y)] expresses that the point [(x,y)] is the best
    possible point i.e. the closest to the real line. 
    This line has slope [y2/x2] thus the point on
    the line is [(x,x*y2/x2)]. *)

Definition best (x y:Z) :=
  forall y':Z, (Zabs (x2 * y - x * y2) <= Zabs (x2 * y' - x * y2))%Z.

(*s Invariant. The invariant relates [x], [y] and [e] and
    gives lower and upper bound for [e]. The key lemma 
    [invariant_is_ok] establishes that this invariant implies the
    expected property. *)

Definition Invariant (x y e:Z) :=
  e = (2 * (x + 1) * y2 - (2 * y + 1) * x2)%Z /\
  (2 * (y2 - x2) <= e <= 2 * y2)%Z.

Lemma invariant_is_ok : forall x y e:Z, Invariant x y e -> best x y.
Proof.
intros x y e.
unfold Invariant; unfold best; intros [E I'] y'.
cut (0 <= x2)%Z; [ intro Hx2 | idtac ].
apply closest.
assumption.
apply (proj1 (Zabs_le (2 * x2 * y - 2 * (x * y2)) x2 Hx2)).
rewrite E in I'.
split.
(* 0 <= x2 *)
generalize (proj2 I').
RingSimpl (2 * (x + 1) * y2 - (2 * y + 1) * x2)%Z
 (2 * x * y2 - 2 * x2 * y + 2 * y2 - x2)%Z.
intro.
RingSimpl (2 * (x * y2))%Z (2 * x * y2)%Z.
omega.
(* 0 <= x2 *)
generalize (proj1 I').
RingSimpl (2 * (x + 1) * y2 - (2 * y + 1) * x2)%Z
 (2 * x * y2 - 2 * x2 * y + 2 * y2 - x2)%Z.
RingSimpl (2 * (y2 - x2))%Z (2 * y2 - 2 * x2)%Z.
RingSimpl (2 * (x * y2))%Z (2 * x * y2)%Z.
omega.
omega.
Qed.

(*s Program correctness. *)

(*Why logic*) Definition x2 : Z.
Admitted.

(*Why logic*) Definition y2 : Z.
Admitted.

Proof.
intuition.
omega'.
subst; unfold Invariant; omega'.
Save.

Proof.
intuition.
apply invariant_is_ok with e0; auto.
Save.

Proof.
unfold Invariant; intuition; subst.
replace (2 * (x0 + 1 + 1) * y2)%Z with (2 * (x0 + 1) * y2 + 2 * y2)%Z;
 [ omega' | ring ].
omega'.
Save.

Proof.
unfold Invariant; intuition; subst.
replace (2 * (x0 + 1 + 1) * y2 - (2 * (y0 + 1) + 1) * x2)%Z with
 (2 * (x0 + 1) * y2 + 2 * y2 - (2 * y0 + 1) * x2 - 2 * x2)%Z;
 [ omega' | ring ].
omega'.
Save.


(*Why axiom*) Lemma first_octant : 0 <= y2 /\ y2 <= x2.
Admitted.

(*Why logic*) Definition abs : Z -> Z.
Admitted.

(*Why axiom*) Lemma abs_def :
  (forall (x:Z), x >= 0 /\ (abs x) = x \/ x <= 0 /\ (abs x) = (Zopp x)).
Admitted.

(*Why predicate*) Definition best  (x:Z) (y:Z)
  := (forall (y':Z), (abs (x2 * y - x * y2)) <= (abs (x2 * y' - x * y2))).

(*Why predicate*) Definition Invariant  (x:Z) (y:Z) (e:Z)
  := e = (2 * (x + 1) * y2 - (2 * y + 1) * x2) /\ (2 * (y2 - x2)) <= e /\
     e <= (2 * y2).

(*Why axiom*) Lemma invariant_is_ok :
  (forall (x:Z),
   (forall (y:Z), (forall (e:Z), ((Invariant x y e) -> (best x y))))).
Admitted.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.


why-2.34/examples/linked-lists/0000755000175000017500000000000012311670312015035 5ustar  rtuserswhy-2.34/examples/linked-lists/Makefile0000644000175000017500000000013112311670312016470 0ustar  rtusers
VO=LinkedLists.vo length_valid.vo rev_valid.vo 

all: $(VO)

include ../Makefile.common
why-2.34/examples/linked-lists/rev.mlw0000644000175000017500000000357012311670312016357 0ustar  rtusers
external parameter null : pointer
external parameter eq_pointer : 
  p1:pointer -> p2:pointer -> {} bool { if result then p1=p2 else p1<>p2 }
external parameter ne_pointer : 
  p1:pointer -> p2:pointer -> {} bool { if result then p1<>p2 else p1=p2 }
external parameter is_null : p:pointer -> {} bool { if result then p=null else p<>null }

external parameter get_int : int_store -> pointer -> int
external parameter set_int : int_store -> pointer -> int -> int_store

external parameter pget : pointer_store -> pointer -> pointer
external parameter pset : pointer_store -> pointer -> pointer -> pointer_store

external logic is_valid_int : int_store, pointer -> prop
external logic is_valid_pointer : pointer_store, pointer -> prop

external logic llist : pointer_store, pointer, plist -> prop
external logic is_list : pointer_store, pointer -> prop

external logic store_pointer_pair : pointer_store, pointer -> StorePointerPair

(* global state = stores for fields hd and tl *)

parameter Lhd : int_store ref
parameter Ltl : pointer_store ref

(* in-place list reversal *)

external logic rev : plist -> plist
external logic app : plist, plist -> plist
external logic disjoint : plist, plist -> prop

let rev (p0:pointer) =
  { is_list(Ltl, p0) }
  init:
  let p = ref p0 in
  let r = ref !p in
  begin
    p := null;
    while (ne_pointer !r null) do
      { invariant  exists lp:plist. exists lr:plist.
                   llist(Ltl, p, lp) and llist(Ltl, r, lr) and
	           disjoint(lp, lr) and 
	           forall l:plist. 
	           llist(Ltl@init, p0, l) -> app(rev(lr), lp) = rev(l)
        variant store_pointer_pair(Ltl, r) for ll_order }
      let q = ref !r in
      begin
      r := (pget !Ltl !r);
      Ltl := (pset !Ltl !q !p);
      p := !q
      end
    done;
    !p
  end
  { exists l:plist. 
      llist(Ltl, result, l) and
      forall l0:plist. llist(Ltl@, p0, l0) -> l = rev(l0) }

why-2.34/examples/linked-lists/rev_why.v0000644000175000017500000001145612311670312016716 0ustar  rtusers
Require Import Why.

Require Export LinkedLists.

(* Why obligation from file , characters 1173-1631 *)
Lemma rev_po_1 :
 forall (p0:pointer) (Ltl:pointer_store) (Pre4:is_list Ltl p0)
   (p:pointer) (Post8:p = p0) (r:pointer) (Post7:r = p) (p2:pointer)
   (Post1:p2 = null), well_founded ll_order.
Proof.
auto.
Qed.

(* should go in PolyList *)
Lemma app_rev_cons :
 forall (A:Set) (l1 l2:list A) (x:A),
   app (rev l1) (cons x l2) = app (rev (cons x l1)) l2.
Proof.
intros; simpl.
rewrite app_ass; auto.
Qed.


(* Why obligation from file , characters 1534-1622 *)
Lemma rev_po_2 :
 forall (p0:pointer) (Ltl:pointer_store) (Pre4:is_list Ltl p0)
   (p:pointer) (Post8:p = p0) (r:pointer) (Post7:r = p) (p2:pointer)
   (Post1:p2 = null) (Variant1:StorePointerPair) (Ltl0:pointer_store)
   (p3 r1:pointer) (Pre3:Variant1 = store_pointer_pair Ltl0 r1)
   (Pre2: EX lp : plist
         | ( EX lr : plist
            | llist Ltl0 p3 lp /\
              llist Ltl0 r1 lr /\
              disjoint lp lr /\
              (forall l:plist,
                 llist Ltl p0 l -> app (rev lr) lp = rev l)))
   (Test2:r1 <> null) (q:pointer) (Post5:q = r1) (r2:pointer)
   (Post2:r2 = pget Ltl0 r1) (Ltl1:pointer_store)
   (Post3:Ltl1 = pset Ltl0 q p3) (p4:pointer) (Post4:p4 = q),
   ( EX lp : plist
    | ( EX lr : plist
       | llist Ltl1 p4 lp /\
         llist Ltl1 r2 lr /\
         disjoint lp lr /\
         (forall l:plist, llist Ltl p0 l -> app (rev lr) lp = rev l))) /\
   ll_order (store_pointer_pair Ltl1 r2) (store_pointer_pair Ltl0 r1).
Proof.
intuition.
elim Pre2; clear Pre2; intuition.
elim H; clear H; intuition.
subst.
inversion H.
absurd (r1 = null); intuition.
exists (cons r1 x); exists l; subst; intuition.
unfold llist; apply Path_cons; intuition.
 rewrite PointerStore.get_set_same; auto.
apply llist_pset_same; auto.
unfold disjoint in H1; intuition.
apply (H7 r1); auto.
rewrite <- H6; auto with *.
apply llist_pset_same; auto.
apply llist_not_starting with Ltl0; auto.
apply disjoint_cons.
rewrite H6; auto.
apply llist_not_starting with Ltl0; auto.
rewrite app_rev_cons.
rewrite H6; apply H3; auto.
unfold ll_order, store_pointer_pair.
elim Pre2; clear Pre2; intuition.
elim H; clear H; intuition.
subst.
inversion H; intuition.
exists l; exists x0; intuition.
apply llist_pset_same; auto.
apply llist_not_starting with Ltl0; auto.
rewrite <- H6; simpl; omega.
Qed.

(* Why obligation from file , characters 1173-1631 *)
Lemma rev_po_3 :
 forall (p0:pointer) (Ltl:pointer_store) (Pre4:is_list Ltl p0)
   (p:pointer) (Post8:p = p0) (r:pointer) (Post7:r = p) (p2:pointer)
   (Post1:p2 = null) (Variant1:StorePointerPair) (Ltl0:pointer_store)
   (p3 r1:pointer) (Pre3:Variant1 = store_pointer_pair Ltl0 r1)
   (Pre2: EX lp : plist
         | ( EX lr : plist
            | llist Ltl0 p3 lp /\
              llist Ltl0 r1 lr /\
              disjoint lp lr /\
              (forall l:plist,
                 llist Ltl p0 l -> app (rev lr) lp = rev l)))
   (Test2:r1 <> null) (Ltl1:pointer_store) (p4 r2:pointer)
   (Post9:( EX lp : plist
           | ( EX lr : plist
              | llist Ltl1 p4 lp /\
                llist Ltl1 r2 lr /\
                disjoint lp lr /\
                (forall l:plist,
                   llist Ltl p0 l -> app (rev lr) lp = rev l))) /\
          ll_order (store_pointer_pair Ltl1 r2)
            (store_pointer_pair Ltl0 r1)),
   ll_order (store_pointer_pair Ltl1 r2) Variant1.
Proof.
intros; subst Variant1; intuition.
Qed.

(* Why obligation from file , characters 1222-1445 *)
Lemma rev_po_4 :
 forall (p0:pointer) (Ltl:pointer_store) (Pre4:is_list Ltl p0)
   (p:pointer) (Post8:p = p0) (r:pointer) (Post7:r = p) (p2:pointer)
   (Post1:p2 = null),
    EX lp : plist
   | ( EX lr : plist
      | llist Ltl p2 lp /\
        llist Ltl r lr /\
        disjoint lp lr /\
        (forall l:plist, llist Ltl p0 l -> app (rev lr) lp = rev l)).
Proof.
intros; subst.
exists (nil (A:=pointer)).
elim (is_list_llist Ltl p0 Pre4); intros l Hl; exists l.
intuition.
rewrite (llist_function _ _ _ _ Hl H).
intuition.
Qed.

(* Why obligation from file , characters 1637-1639 *)
Lemma rev_po_5 :
 forall (p0:pointer) (Ltl:pointer_store) (Pre4:is_list Ltl p0)
   (p:pointer) (Post8:p = p0) (r:pointer) (Post7:r = p) (p2:pointer)
   (Post1:p2 = null) (Ltl0:pointer_store) (p3 r1:pointer)
   (Post6:( EX lp : plist
           | ( EX lr : plist
              | llist Ltl0 p3 lp /\
                llist Ltl0 r1 lr /\
                disjoint lp lr /\
                (forall l:plist,
                   llist Ltl p0 l -> app (rev lr) lp = rev l))) /\
          r1 = null),
    EX l : plist
   | llist Ltl0 p3 l /\
     (forall l0:plist, llist Ltl p0 l0 -> l = rev l0).
Proof.
intuition.
elim H; clear H; intros lp H; elim H; clear H; intro lr; intuition.
exists lp; intuition.
subst r1.
inversion H.
rewrite <- (H4 l0); auto.
rewrite <- H5; trivial.
subst.
inversion H0.
Qed.


why-2.34/examples/linked-lists/reverse.why0000644000175000017500000000661412311670312017250 0ustar  rtusers
(* in-place list reversal revisited with algebraic types *)


(* logical polymorphic lists *)

type 'a list = Nil | Cons('a, 'a list)

goal discr_test:
     forall x:'a. forall l:'a list. not(Nil = Cons(x,l))

(* append function *)
logic app : 'a list, 'a list -> 'a list

axiom app_def: forall l1,l2:'a list [app(l1,l2)].
  app(l1,l2) = match l1 with
    | Nil -> l2
    | Cons(x,l) -> Cons(x,app(l,l2))
  end

goal app_test0: 
     app(Nil,Nil) = Nil

goal app_test1: 
     app(Cons(1,Nil),Nil) = Cons(1,Nil)

goal app_test2: 
     app(Nil,Cons(1,Nil)) = Cons(1,Nil)

goal app_test3: 
     app(Cons(1,Nil),Cons(2,Nil)) = Cons(1,Cons(2,Nil))

(* rev2(l1,l2) produces rev(l1)@l2 *)
logic rev2 : 'a list, 'a list -> 'a list

axiom rev2_def: forall l1,l2:'a list [rev2(l1,l2)].
  rev2(l1,l2) = match l1 with 
     | Nil -> l2
     | Cons(x,l) -> rev2(l,Cons(x,l2))
  end

goal rev2_test: 
     forall l:'a list. rev2(Nil,l) = l

function rev(l:'a list):'a list = rev2(l,Nil)

goal rev_test0: 
     rev(Nil) = Nil

goal rev_test1: 
     rev(Cons(1,Nil)) = Cons(1,Nil)

goal rev_test2: 
     rev(Cons(1,Cons(2,Nil))) = Cons(2,Cons(1,Nil))

goal rev_test3: 
     rev(Cons(1,Cons(2,(Cons(3,Nil))))) = Cons(3,Cons(2,Cons(1,Nil)))

(* disjoint predicate *)
logic disjoint : 'a list, 'a list -> prop

axiom disjoint_nil_l: forall l:'a list. disjoint(Nil,l)
axiom disjoint_l_nil: forall l:'a list. disjoint(l,Nil)

(* modelisation of pointers *)

type pointer

logic null : pointer

parameter eq_pointer : 
  p1:pointer -> p2:pointer -> {} bool { if result then p1=p2 else p1<>p2 }

parameter ne_pointer : 
  p1:pointer -> p2:pointer -> {} bool { if result then p1<>p2 else p1=p2 }

parameter is_null : p:pointer -> {} bool { if result then p=null else p<>null }



(* modelisation of the memory heap *)

type pointer_store

logic pget : pointer_store, pointer -> pointer
logic pset : pointer_store, pointer, pointer -> pointer_store

logic is_valid_pointer : pointer -> prop

axiom null_not_valid: not is_valid_pointer(null)

parameter Ltl : pointer_store ref


(* null-terminated program lists *)
 
(*
inductive lpath : pointer_store, pointer, pointer list, pointer -> prop =
| lpath_nil: lpath(tl, p, Nil, p)
| lpath_cons: is_valid_pointer(tl,p) and lpath(tl, pget(tl,p), l, q) 
      -> lpath(tl, p, Cons(p,l), q)
*)

(* llist(tl,p,l) is true whenever p is a null-terminated list of pointers,
   and l is the list of pointers met on the path from p to null *)
inductive llist : pointer_store, pointer, pointer list -> prop =
| llist_nil: forall tl:pointer_store. llist(tl, null, Nil)
| llist_cons: forall tl:pointer_store. forall p:pointer. 
  forall l:pointer list. 
  is_valid_pointer(p) and llist(tl, pget(tl,p), l) 
      -> llist(tl, p, Cons(p,l))

goal null_model_is_Nil: 
     forall tl:pointer_store. forall l:pointer list. 
           llist(tl, null, l) -> l = Nil

(* in-place list reversal *)

let reverse (p0:pointer) (p0_model:pointer list) =
  { llist(Ltl, p0, p0_model) }
  init:
  let p = ref p0 in
  let r = ref !p in
  begin
    p := null;
    while (ne_pointer !r null) do
      { invariant exists lp:pointer list. exists lr:pointer list.
                  llist(Ltl, p, lp) and llist(Ltl, r, lr) 
		  and disjoint(lp, lr) and 
	           rev2(lr, lp) = rev(p0_model) }
      let q = ref !r in
      begin
      r := (pget !Ltl !r);
      Ltl := (pset !Ltl !q !p);
      p := !q
      end
    done;
    !p
  end
  { llist(Ltl, result, rev(p0_model)) }

why-2.34/examples/linked-lists/LinkedLists.v0000644000175000017500000001432112311670312017452 0ustar  rtusers(* Load Programs. *)
Require Import Why.
Require Export PolyList.

(** the Coq pointer list associated to a (finite) linked list *)

Definition plist := list pointer.


(** * Paths *)

(** [(lpath t p1 l p2)] :
    there is a path from pointer [p1] to pointer [p2] using links in store [t],
    and the list of pointers along this path is [l]. *)

Inductive lpath (t:pointer_store) :
pointer -> plist -> pointer -> Prop :=
  | Path_null : forall p:pointer, lpath t p nil p
  | Path_cons :
      forall p1 p2:pointer,
        is_valid_pointer t p1 ->
        forall l:list pointer,
          lpath t (pget t p1) l p2 -> lpath t p1 (cons p1 l) p2.

Hint lpath : core := Constructors lpath.


(** * Lists *)

(** [(llist t p l)]: there is a (finite) linked list starting from pointer [p]
    using links in store [t], and this list of pointers is [l] *)

Definition llist (t:pointer_store) (p:pointer) (l:plist) :=
  lpath t p l null.

Hints Unfold llist .

(** inductive characterization of [llist] (which could have been an
    inductive definition of [llist])  *)

Lemma llist_null :
 forall (t:pointer_store) (p:pointer), llist t p nil -> p = null.
Proof.
unfold llist; inversion 1; trivial.
Qed.

Lemma llist_cons :
 forall (t:pointer_store) (p1 p2:pointer) (l:plist),
   llist t p1 (cons p2 l) -> p1 = p2 /\ llist t (pget t p2) l.
Proof.
unfold llist; inversion 1; intuition.
Qed.

(** invariance of a list when updating a cell outside of this list *)

Lemma llist_pset_same :
 forall (t:pointer_store) (p:pointer) (l:plist),
   llist t p l ->
   forall p1 p2:pointer,
     is_valid_pointer t p1 -> ~ In p1 l -> llist (pset t p1 p2) p l.
Proof.
unfold llist; simple_induction 1; intuition.
apply Path_cons; auto.
 rewrite PointerStore.get_set_other; auto.
auto with *.
red; intro; apply H4; subst p0; auto with *.
Qed.
Hints Resolve llist_pset_same .

(** [llist] is a function *)

Lemma llist_function :
 forall (t:pointer_store) (l1 l2:plist) (p:pointer),
   llist t p l1 -> llist t p l2 -> l1 = l2.
Proof.
simple_induction l1; intuition.
inversion H; subst.
inversion H0; intuition.
inversion H1.
inversion H0; subst.
inversion H1; subst.
inversion H5.
apply (f_equal (cons a)).
apply H with (pget t a); auto.
Qed.

Lemma llist_append :
 forall (t:pointer_store) (l1 l2:plist) (p:pointer),
   llist t p (app l1 l2) ->
    EX p' : pointer | lpath t p l1 p' /\ llist t p' l2.
Proof.
simple_induction l1; simpl; intuition.
exists p; auto.
inversion H0; subst.
elim (H l2 (pget t a) H6); intuition.
exists x; auto.
Qed.

(** this should go in PolyList *)
Lemma In_app_cons :
 forall (A:Set) (l:list A) (x:A),
   In x l ->
    EX l1 : list A | ( EX l2 : list A | l = app l1 (cons x l2)).
Proof.
simple_induction l; simpl; intuition.
exists (nil (A:=A)); exists l0; simpl; subst; auto.
elim (H x H1); clear H; intros.
elim H; clear H; intuition.
exists (cons a x0); exists x1; simpl; subst; auto.
Qed.

Lemma list_length_absurd :
 forall (A:Set) (l1 l2:list A), length l1 <> length l2 -> l1 <> l2.
Proof.
simple_induction l1; simple_induction l2; simpl; intuition.
discriminate H1.
discriminate H1.
injection H2; intros.
apply (H l0); intuition.
Qed.

Lemma length_app :
 forall (A:Set) (l1 l2:list A),
   length (app l1 l2) = (length l1 + length l2)%N.
Proof.
simple_induction l1; simpl; intuition.
Qed.

(** a list starting with [p] does not contain [p] in its remaining elements *)

Lemma llist_not_starting :
 forall (t:pointer_store) (p:pointer) (l:plist),
   llist t (pget t p) l -> ~ In p l.
Proof.
red; intros.
elim (In_app_cons _ l p H0); intros.
elim H1; clear H1; intros.
subst l.
elim (llist_append t x (cons p x0) (pget t p) H); intuition.
inversion H3; subst.
generalize (llist_function t x0 (app x (cons p x0)) (pget t p) H8 H).
intro; apply (list_length_absurd _ x0 (app x (cons p x0))); auto.
rewrite length_app; simpl; omega.
Qed.


(** * Finite lists characterization *)

Inductive is_list (t:pointer_store) : pointer -> Prop :=
  | List_null : is_list t null
  | List_cons :
      forall p:pointer,
        is_valid_pointer t p -> is_list t (pget t p) -> is_list t p.

Hint is_list : core := Constructors is_list.

Lemma is_list_llist :
 forall (t:pointer_store) (p:pointer),
   is_list t p ->  EX l : plist | llist t p l.
Proof.
intros; simple_induction H.
exists (nil (A:=pointer)); intuition.
elim HrecH; intros.
exists (cons p x); intuition.
Qed.

Lemma llist_is_list :
 forall (t:pointer_store) (l:plist) (p:pointer),
   llist t p l -> is_list t p.
Proof.
simple_induction l; intuition.
inversion H; auto.
inversion H0; intuition.
Qed.


(** * WF relation over linked lists *)

Definition StorePointerPair := pointer_store * pointer.
Definition store_pointer_pair (t:pointer_store) (p:pointer) := (t, p).

Definition ll_order (c1 c2:pointer_store * pointer) : Prop :=
  let (t1, p1) := c1 in
  let (t2, p2) := c2 in
   EX l1 : plist
  | ( EX l2 : plist
     | llist t1 p1 l1 /\ llist t2 p2 l2 /\ (length l1 < length l2)%N).

Lemma ll_order_wf : well_founded ll_order.
Proof.
apply well_founded_inv_lt_rel_compat with
 (F := fun (x:StorePointerPair) n =>
         let (t, p) := x in  EX l : plist | llist t p l /\ length l = n).
unfold ll_order, inv_lt_rel.
simple_destruct x; simple_destruct y; intuition.
elim H; clear H; intros l1 H; elim H; clear H; intros l2 H.
intuition.
exists (length l1).
exists l1; intuition.
intuition.
elim H1; intros l2'; intuition.
generalize (llist_function _ _ _ _ H H4); intro; subst l2.
omega.
Qed.
Hints Resolve ll_order_wf .


(** * Disjointness *)

(** [disjoint l1 l2]: no common element between lists [l1] and [l2] *)

Definition disjoint (A:Set) (l1 l2:list A) : Prop :=
  (forall x:A, In x l1 -> ~ In x l2) /\
  (forall x:A, In x l2 -> ~ In x l1).
Implicit Arguments disjoint.

Section Disjointness.

Variable A : Set.
Variables l1 l2 : list A.
Variable x : A.

Lemma disjoint_cons :
 disjoint l1 (cons x l2) -> ~ In x l2 -> disjoint (cons x l1) l2.
Proof.
unfold disjoint; intuition.
elim (in_inv H); intuition.
subst x; intuition.
apply H1 with x0; intuition.
elim (in_inv H3); intuition.
subst x; intuition.
apply H1 with x0; intuition.
Qed.

Lemma disjoint_nil_l : disjoint nil l2.
Proof.
unfold disjoint; intuition.
Qed.

Lemma disjoint_l_nil : disjoint l1 nil.
Proof.
unfold disjoint; intuition.
Qed.

End Disjointness.
Hints Resolve disjoint_cons disjoint_nil_l disjoint_l_nil .

why-2.34/examples/linked-lists/length_why.v0000644000175000017500000000610612311670312017377 0ustar  rtusers
Require Import Why.

Require Import LinkedLists.

(* Why obligation from file , characters 1039-1200 *)
Lemma length_po_1 :
 forall (p0:pointer) (Ltl:pointer_store) (Pre4:is_list Ltl p0)
   (p:pointer) (Post8:p = p0) (n:Z) (Post7:n = 0%Z),
   well_founded ll_order.
Proof.
auto.
Qed.

(* Why obligation from file , characters 1061-1061 *)
Lemma length_po_2 :
 forall (p0:pointer) (Ltl:pointer_store) (Pre4:is_list Ltl p0)
   (p:pointer) (Post8:p = p0) (n:Z) (Post7:n = 0%Z)
   (Variant1:StorePointerPair) (p2:pointer)
   (Pre3:Variant1 = store_pointer_pair Ltl p2) (Pre2:is_list Ltl p2)
   (Test2:p2 = null) (result0:bool) (Post3:result0 = false),
   if result0
   then p2 = null /\ true = false \/ p2 <> null /\ true = true
   else p2 = null /\ false = false \/ p2 <> null /\ false = true.
Proof.
simple_destruct result0; intuition.
Qed.

(* Why obligation from file , characters 1061-1061 *)
Lemma length_po_3 :
 forall (p0:pointer) (Ltl:pointer_store) (Pre4:is_list Ltl p0)
   (p:pointer) (Post8:p = p0) (n:Z) (Post7:n = 0%Z)
   (Variant1:StorePointerPair) (p2:pointer)
   (Pre3:Variant1 = store_pointer_pair Ltl p2) (Pre2:is_list Ltl p2)
   (Test1:p2 <> null) (result0:bool) (Post4:result0 = true),
   if result0
   then p2 = null /\ true = false \/ p2 <> null /\ true = true
   else p2 = null /\ false = false \/ p2 <> null /\ false = true.
Proof.
simple_destruct result0; intuition.
Qed.

(* Why obligation from file , characters 1157-1193 *)
Lemma length_po_4 :
 forall (p0:pointer) (Ltl:pointer_store) (Pre4:is_list Ltl p0)
   (p:pointer) (Post8:p = p0) (n:Z) (Post7:n = 0%Z)
   (Variant1:StorePointerPair) (n1:Z) (p2:pointer)
   (Pre3:Variant1 = store_pointer_pair Ltl p2) (Pre2:is_list Ltl p2)
   (Test4:p2 = null /\ true = false \/ p2 <> null /\ true = true)
   (n2:Z) (Post1:n2 = (n1 + 1)%Z) (p3:pointer)
   (Post2:p3 = pget Ltl p2),
   is_list Ltl p3 /\
   ll_order (store_pointer_pair Ltl p3) (store_pointer_pair Ltl p2).
Proof.
intuition.
discriminate H1.
discriminate H1.
inversion Pre2.
rewrite H in H0; intuition.
case (eq_null_dec p3); intro.
clear Post2; subst p3; auto.
subst p3; auto.
unfold store_pointer_pair, ll_order.
generalize (is_list_llist _ _ Pre2).
intros [l Hl].
inversion Hl; intuition.
exists l0; exists l; subst; intuition.
rewrite <- H4; simpl; omega.
Qed.

(* Why obligation from file , characters 1039-1200 *)
Lemma length_po_5 :
 forall (p0:pointer) (Ltl:pointer_store) (Pre4:is_list Ltl p0)
   (p:pointer) (Post8:p = p0) (n:Z) (Post7:n = 0%Z)
   (Variant1:StorePointerPair) (p2:pointer)
   (Pre3:Variant1 = store_pointer_pair Ltl p2) (Pre2:is_list Ltl p2)
   (Test4:p2 = null /\ true = false \/ p2 <> null /\ true = true)
   (p3:pointer)
   (Post10:is_list Ltl p3 /\
           ll_order (store_pointer_pair Ltl p3)
             (store_pointer_pair Ltl p2)),
   ll_order (store_pointer_pair Ltl p3) Variant1.
Proof.
intros; rewrite Pre3; intuition.
Qed.

(* Why obligation from file , characters 1081-1096 *)
Lemma length_po_6 :
 forall (p0:pointer) (Ltl:pointer_store) (Pre4:is_list Ltl p0)
   (p:pointer) (Post8:p = p0) (n:Z) (Post7:n = 0%Z), is_list Ltl p.
Proof.
intros; subst p; intuition.
Qed.

why-2.34/examples/linked-lists/length.mlw0000644000175000017500000000250212311670312017036 0ustar  rtusers
external parameter null : pointer
external parameter eq_pointer : 
  p1:pointer -> p2:pointer -> {} bool { if result then p1=p2 else p1<>p2 }
external parameter ne_pointer : 
  p1:pointer -> p2:pointer -> {} bool { if result then p1<>p2 else p1=p2 }
external parameter is_null : p:pointer -> {} bool { if result then p=null else p<>null }

external parameter get_int : int_store -> pointer -> int
external parameter set_int : int_store -> pointer -> int -> int_store

external parameter pget : pointer_store -> pointer -> pointer
external parameter pset : pointer_store -> pointer -> pointer -> pointer_store

external logic is_valid_int : int_store, pointer -> prop
external logic is_valid_pointer : pointer_store, pointer -> prop

external logic llist : pointer_store, pointer, plist -> prop
external logic is_list : pointer_store, pointer -> prop

external logic store_pointer_pair : pointer_store, pointer -> StorePointerPair

(* global state = stores for fields hd and tl *)

parameter Lhd : int_store ref
parameter Ltl : pointer_store ref

(* list length *)

let length (p0:pointer) =
  { is_list(Ltl, p0) }
  let p = ref p0 in
  let n = ref 0 in
  begin
  while not (is_null !p) do
    { invariant is_list(Ltl, p)
      variant store_pointer_pair(Ltl, p) for ll_order }
    n := !n + 1;
    p := (pget !Ltl !p)
  done;
  !n
  end
  {} 

 why-2.34/examples/linked-lists/.depend0000644000175000017500000000046212311670312016277 0ustar  rtusersLinkedLists.vo: LinkedLists.v ../../lib/coq/Why.vo
length_valid.vo: length_valid.v ../../lib/coq/Why.vo ./length_why.vo
length_why.vo: length_why.v ../../lib/coq/Why.vo ./LinkedLists.vo
rev_valid.vo: rev_valid.v ../../lib/coq/Why.vo ./rev_why.vo
rev_why.vo: rev_why.v ../../lib/coq/Why.vo ./LinkedLists.vo
why-2.34/examples/mergesort/0000755000175000017500000000000012311670312014442 5ustar  rtuserswhy-2.34/examples/mergesort/Makefile0000644000175000017500000000006312311670312016101 0ustar  rtusers
VO=mergesort_valid.vo

include ../Makefile.common
why-2.34/examples/mergesort/mergesort.why0000644000175000017500000000116012311670312017200 0ustar  rtusers
include "arrays.why"

axiom mean : forall l,u:int. l < u -> l <= (l+u)/2 < u

parameter merge :
  a:int array -> l:int -> m:int -> u:int ->
  { l <= m < u and sorted_array(a,l,m) and sorted_array(a,m+1,u) }
  unit writes a
  { sorted_array(a, l, u) and permut(a@, a, l, u) }

let rec mergesort (a:int array) (l:int) (u:int) : unit =
  { }
  init:
  if l < u then begin
    let m = (l+u)/2 in
    mergesort a l m;
    assert {permut(a@init, a, l, u) };
    mergesort a (m+1) u;
    merge a l m u
  end
  { sorted_array(a, l, u) and permut(a@, a, l, u) }


(*
Local Variables: 
compile-command: "gwhy mergesort.why"
End: 
*)
why-2.34/examples/mergesort/mergesort.mlw0000644000175000017500000000116012311670312017170 0ustar  rtusers
include "arrays.why"

axiom mean : forall l,u:int. l < u -> l <= (l+u)/2 < u

parameter merge :
  a:int array -> l:int -> m:int -> u:int ->
  { l <= m < u and sorted_array(a,l,m) and sorted_array(a,m+1,u) }
  unit writes a
  { sorted_array(a, l, u) and permut(a@, a, l, u) }

let rec mergesort (a:int array) (l:int) (u:int) : unit =
  { }
  init:
  if l < u then begin
    let m = (l+u)/2 in
    mergesort a l m;
    assert {permut(a@init, a, l, u) };
    mergesort a (m+1) u;
    merge a l m u
  end
  { sorted_array(a, l, u) and permut(a@, a, l, u) }


(*
Local Variables: 
compile-command: "gwhy mergesort.why"
End: 
*)
why-2.34/examples/mergesort/.depend0000644000175000017500000000000012311670312015670 0ustar  rtuserswhy-2.34/examples/binary-search/0000755000175000017500000000000012311670312015162 5ustar  rtuserswhy-2.34/examples/binary-search/bsearch_why.sx0000644000175000017500000004251712311670312020045 0ustar  rtusers(BG_PUSH 
  ; array_length
  (FORALL (t i v) (EQ (array_length (store t i v)) (array_length t)))
  ; booleans
  (DISTINCT |@true| |@false|)
  ; exchange
  (FORALL (t1 t2 i j)
	  (IFF (EQ (exchange t1 t2 i j) |@true|)
	       (AND (EQ (array_length t1) (array_length t2))
		    (EQ (select t1 i) (select t2 j))
		    (EQ (select t1 j) (select t2 i))
		    (FORALL (k) (IMPLIES (AND (NEQ k i) (NEQ k j))
					 (EQ (select t1 k) (select t2 k)))))))
  (FORALL (t1 t2 i j)
	  (IMPLIES (EQ (exchange t1 t2 i j) |@true|)
		   (EQ (array_length t1) (array_length t2))))
  ; permut
  (FORALL (t) (EQ (permut t t) |@true|))
  (FORALL (t1 t2) (IMPLIES (EQ (permut t1 t2) |@true|)
			   (EQ (permut t2 t1) |@true|)))
  (FORALL (t1 t2 t3) (IMPLIES (AND (EQ (permut t1 t2) |@true|)
				   (EQ (permut t2 t3) |@true|))
			      (EQ (permut t1 t3) |@true|)))
  (FORALL 
   (t i j) 
   (EQ (permut t (store (store t i (select t j)) j (select t i))) |@true|))
  (FORALL (t1 t2)
	  (IMPLIES (EQ (permut t1 t2) |@true|)
		   (EQ (array_length t1) (array_length t2))))
  ; sub_permut
  (FORALL (t g d) (EQ (sub_permut g d t t) |@true|))
  (FORALL (t1 t2 g d) (IMPLIES (EQ (sub_permut g d t1 t2) |@true|)
			   (EQ (sub_permut g d t2 t1) |@true|)))
  (FORALL (t1 t2 t3 g d) (IMPLIES (AND (EQ (sub_permut g d t1 t2) |@true|)
				       (EQ (sub_permut g d t2 t3) |@true|))
				  (EQ (sub_permut g d t1 t3) |@true|)))
  (FORALL 
   (t g d i j) 
   (IMPLIES (AND (<= g i) (<= i d) (<= g j) (<= j d))
	    (EQ (sub_permut g d t 
			    (store (store t i (select t j)) j (select t i))) 
		|@true|)))
  (FORALL 
   (t1 t2 g d i j)
   (IMPLIES (AND (EQ (exchange t1 t2 i j) |@true|)
		 (<= g i) (<= i d) (<= g j) (<= j d))
	    (EQ (sub_permut g d t1 t2) |@true|)))
  (FORALL (t1 t2 i j) 
	  (IMPLIES (EQ (sub_permut i j t1 t2) |@true|)
		   (EQ (permut t1 t2) |@true|)))
  (FORALL (t1 t2 i j)
	  (IMPLIES (EQ (sub_permut i j t1 t2) |@true|)
		   (EQ (array_length t1) (array_length t2))))
  ; sorted_array
  (FORALL 
   (t i j) 
   (IFF (EQ (sorted_array t i j) |@true|)
	(IMPLIES (<= i j)
		 (FORALL (k) (IMPLIES (AND (<= i k) (< k j))
				      (<= (select t k) (select t (+ k 1))))))))
)

(BG_PUSH
  (FORALL (x y) (IMPLIES (<= x y) (<= x (mean x y))))
  (FORALL (x y) (IMPLIES (<= x y) (<= (mean x y) y)))
  (FORALL (t l u) 
	(IFF (EQ (In t l u) |@true|)
             (EXISTS (i) (AND (<= l i) (<= i u) (EQ (select t i) v)))))
)

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; binary_search_po_1, File "bsearch.mlw", line 18, characters 3-164
(FORALL (t)
(IMPLIES (AND (>= (array_length t) 1)
         (sorted_array t 1 (- (array_length t) 1)))
(FORALL (l)
(IMPLIES (EQ l 1)
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (u)
(IMPLIES (EQ u (- result 1))
(FORALL (p)
(IMPLIES (EQ p 0)
(AND (<= 1 l)
(AND (<= u (- (array_length t) 1))
(AND (AND (<= 0 p) (<= p (- (array_length t) 1)))
(AND
(IMPLIES (EQ p 0)
(IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
(EQ (In t l u) |@true|))) (IMPLIES (> p 0) (EQ (access t p) v))))))))))))))))

;; binary_search_po_2, File "bsearch.mlw", line 23, characters 15-32
(FORALL (t)
(IMPLIES (AND (>= (array_length t) 1)
         (sorted_array t 1 (- (array_length t) 1)))
(FORALL (l)
(IMPLIES (EQ l 1)
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (u)
(IMPLIES (EQ u (- result 1))
(FORALL (p)
(IMPLIES (EQ p 0)
(FORALL (l0)
(FORALL (p0)
(FORALL (u0)
(IMPLIES (AND (<= 1 l0)
         (AND (<= u0 (- (array_length t) 1))
         (AND (AND (<= 0 p0) (<= p0 (- (array_length t) 1)))
         (AND
         (IMPLIES (EQ p0 0)
         (IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
         (EQ (In t l0 u0) |@true|))) (IMPLIES (> p0 0) (EQ (access t p0) v))))))
(IMPLIES (<= l0 u0)
(FORALL (m) (IMPLIES (EQ m (mean l0 u0)) (AND (<= l0 m) (<= m u0)))))))))))))))))))

;; binary_search_po_3, File "bsearch.mlw", line 24, characters 9-14
(FORALL (t)
(IMPLIES (AND (>= (array_length t) 1)
         (sorted_array t 1 (- (array_length t) 1)))
(FORALL (l)
(IMPLIES (EQ l 1)
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (u)
(IMPLIES (EQ u (- result 1))
(FORALL (p)
(IMPLIES (EQ p 0)
(FORALL (l0)
(FORALL (p0)
(FORALL (u0)
(IMPLIES (AND (<= 1 l0)
         (AND (<= u0 (- (array_length t) 1))
         (AND (AND (<= 0 p0) (<= p0 (- (array_length t) 1)))
         (AND
         (IMPLIES (EQ p0 0)
         (IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
         (EQ (In t l0 u0) |@true|))) (IMPLIES (> p0 0) (EQ (access t p0) v))))))
(IMPLIES (<= l0 u0)
(FORALL (m)
(IMPLIES (EQ m (mean l0 u0))
(IMPLIES (AND (<= l0 m) (<= m u0)) (AND (<= 0 m) (< m (array_length t)))))))))))))))))))))

;; binary_search_po_4, File "bsearch.mlw", line 18, characters 3-164
(FORALL (t)
(IMPLIES (AND (>= (array_length t) 1)
         (sorted_array t 1 (- (array_length t) 1)))
(FORALL (l)
(IMPLIES (EQ l 1)
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (u)
(IMPLIES (EQ u (- result 1))
(FORALL (p)
(IMPLIES (EQ p 0)
(FORALL (l0)
(FORALL (p0)
(FORALL (u0)
(IMPLIES (AND (<= 1 l0)
         (AND (<= u0 (- (array_length t) 1))
         (AND (AND (<= 0 p0) (<= p0 (- (array_length t) 1)))
         (AND
         (IMPLIES (EQ p0 0)
         (IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
         (EQ (In t l0 u0) |@true|))) (IMPLIES (> p0 0) (EQ (access t p0) v))))))
(IMPLIES (<= l0 u0)
(FORALL (m)
(IMPLIES (EQ m (mean l0 u0))
(IMPLIES (AND (<= l0 m) (<= m u0))
(IMPLIES (AND (<= 0 m) (< m (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t m))
(IMPLIES (< result0 v)
(FORALL (l1)
(IMPLIES (EQ l1 (+ m 1))
(AND (<= 1 l1)
(AND (<= u0 (- (array_length t) 1))
(AND (AND (<= 0 p0) (<= p0 (- (array_length t) 1)))
(AND
(IMPLIES (EQ p0 0)
(IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
(EQ (In t l1 u0) |@true|))) (IMPLIES (> p0 0) (EQ (access t p0) v))))))))))))))))))))))))))))))

;; binary_search_po_5, File "bsearch.mlw", line 21, characters 16-21
(FORALL (t)
(IMPLIES (AND (>= (array_length t) 1)
         (sorted_array t 1 (- (array_length t) 1)))
(FORALL (l)
(IMPLIES (EQ l 1)
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (u)
(IMPLIES (EQ u (- result 1))
(FORALL (p)
(IMPLIES (EQ p 0)
(FORALL (l0)
(FORALL (p0)
(FORALL (u0)
(IMPLIES (AND (<= 1 l0)
         (AND (<= u0 (- (array_length t) 1))
         (AND (AND (<= 0 p0) (<= p0 (- (array_length t) 1)))
         (AND
         (IMPLIES (EQ p0 0)
         (IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
         (EQ (In t l0 u0) |@true|))) (IMPLIES (> p0 0) (EQ (access t p0) v))))))
(IMPLIES (<= l0 u0)
(FORALL (m)
(IMPLIES (EQ m (mean l0 u0))
(IMPLIES (AND (<= l0 m) (<= m u0))
(IMPLIES (AND (<= 0 m) (< m (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t m))
(IMPLIES (< result0 v)
(FORALL (l1)
(IMPLIES (EQ l1 (+ m 1))
(AND (<= 0 (- (+ 2 u0) l0)) (< (- (+ 2 u0) l1) (- (+ 2 u0) l0)))))))))))))))))))))))))))

;; binary_search_po_6, File "bsearch.mlw", line 18, characters 3-164
(FORALL (t)
(IMPLIES (AND (>= (array_length t) 1)
         (sorted_array t 1 (- (array_length t) 1)))
(FORALL (l)
(IMPLIES (EQ l 1)
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (u)
(IMPLIES (EQ u (- result 1))
(FORALL (p)
(IMPLIES (EQ p 0)
(FORALL (l0)
(FORALL (p0)
(FORALL (u0)
(IMPLIES (AND (<= 1 l0)
         (AND (<= u0 (- (array_length t) 1))
         (AND (AND (<= 0 p0) (<= p0 (- (array_length t) 1)))
         (AND
         (IMPLIES (EQ p0 0)
         (IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
         (EQ (In t l0 u0) |@true|))) (IMPLIES (> p0 0) (EQ (access t p0) v))))))
(IMPLIES (<= l0 u0)
(FORALL (m)
(IMPLIES (EQ m (mean l0 u0))
(IMPLIES (AND (<= l0 m) (<= m u0))
(IMPLIES (AND (<= 0 m) (< m (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t m))
(IMPLIES (>= result0 v)
(IMPLIES (AND (<= 0 m) (< m (array_length t)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t m))
(IMPLIES (> result1 v)
(FORALL (u1)
(IMPLIES (EQ u1 (- m 1))
(AND (<= 1 l0)
(AND (<= u1 (- (array_length t) 1))
(AND (AND (<= 0 p0) (<= p0 (- (array_length t) 1)))
(AND
(IMPLIES (EQ p0 0)
(IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
(EQ (In t l0 u1) |@true|))) (IMPLIES (> p0 0) (EQ (access t p0) v))))))))))))))))))))))))))))))))))

;; binary_search_po_7, File "bsearch.mlw", line 21, characters 16-21
(FORALL (t)
(IMPLIES (AND (>= (array_length t) 1)
         (sorted_array t 1 (- (array_length t) 1)))
(FORALL (l)
(IMPLIES (EQ l 1)
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (u)
(IMPLIES (EQ u (- result 1))
(FORALL (p)
(IMPLIES (EQ p 0)
(FORALL (l0)
(FORALL (p0)
(FORALL (u0)
(IMPLIES (AND (<= 1 l0)
         (AND (<= u0 (- (array_length t) 1))
         (AND (AND (<= 0 p0) (<= p0 (- (array_length t) 1)))
         (AND
         (IMPLIES (EQ p0 0)
         (IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
         (EQ (In t l0 u0) |@true|))) (IMPLIES (> p0 0) (EQ (access t p0) v))))))
(IMPLIES (<= l0 u0)
(FORALL (m)
(IMPLIES (EQ m (mean l0 u0))
(IMPLIES (AND (<= l0 m) (<= m u0))
(IMPLIES (AND (<= 0 m) (< m (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t m))
(IMPLIES (>= result0 v)
(IMPLIES (AND (<= 0 m) (< m (array_length t)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t m))
(IMPLIES (> result1 v)
(FORALL (u1)
(IMPLIES (EQ u1 (- m 1))
(AND (<= 0 (- (+ 2 u0) l0)) (< (- (+ 2 u1) l0) (- (+ 2 u0) l0)))))))))))))))))))))))))))))))

;; binary_search_po_8, File "bsearch.mlw", line 18, characters 3-164
(FORALL (t)
(IMPLIES (AND (>= (array_length t) 1)
         (sorted_array t 1 (- (array_length t) 1)))
(FORALL (l)
(IMPLIES (EQ l 1)
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (u)
(IMPLIES (EQ u (- result 1))
(FORALL (p)
(IMPLIES (EQ p 0)
(FORALL (l0)
(FORALL (p0)
(FORALL (u0)
(IMPLIES (AND (<= 1 l0)
         (AND (<= u0 (- (array_length t) 1))
         (AND (AND (<= 0 p0) (<= p0 (- (array_length t) 1)))
         (AND
         (IMPLIES (EQ p0 0)
         (IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
         (EQ (In t l0 u0) |@true|))) (IMPLIES (> p0 0) (EQ (access t p0) v))))))
(IMPLIES (<= l0 u0)
(FORALL (m)
(IMPLIES (EQ m (mean l0 u0))
(IMPLIES (AND (<= l0 m) (<= m u0))
(IMPLIES (AND (<= 0 m) (< m (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t m))
(IMPLIES (>= result0 v)
(IMPLIES (AND (<= 0 m) (< m (array_length t)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t m))
(IMPLIES (<= result1 v)
(FORALL (p1)
(IMPLIES (EQ p1 m)
(FORALL (l1)
(IMPLIES (EQ l1 (+ u0 1))
(AND (<= 1 l1)
(AND (<= u0 (- (array_length t) 1))
(AND (AND (<= 0 p1) (<= p1 (- (array_length t) 1)))
(AND
(IMPLIES (EQ p1 0)
(IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
(EQ (In t l1 u0) |@true|))) (IMPLIES (> p1 0) (EQ (access t p1) v))))))))))))))))))))))))))))))))))))

;; binary_search_po_9, File "bsearch.mlw", line 21, characters 16-21
(FORALL (t)
(IMPLIES (AND (>= (array_length t) 1)
         (sorted_array t 1 (- (array_length t) 1)))
(FORALL (l)
(IMPLIES (EQ l 1)
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (u)
(IMPLIES (EQ u (- result 1))
(FORALL (p)
(IMPLIES (EQ p 0)
(FORALL (l0)
(FORALL (p0)
(FORALL (u0)
(IMPLIES (AND (<= 1 l0)
         (AND (<= u0 (- (array_length t) 1))
         (AND (AND (<= 0 p0) (<= p0 (- (array_length t) 1)))
         (AND
         (IMPLIES (EQ p0 0)
         (IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
         (EQ (In t l0 u0) |@true|))) (IMPLIES (> p0 0) (EQ (access t p0) v))))))
(IMPLIES (<= l0 u0)
(FORALL (m)
(IMPLIES (EQ m (mean l0 u0))
(IMPLIES (AND (<= l0 m) (<= m u0))
(IMPLIES (AND (<= 0 m) (< m (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t m))
(IMPLIES (>= result0 v)
(IMPLIES (AND (<= 0 m) (< m (array_length t)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t m))
(IMPLIES (<= result1 v)
(FORALL (p1)
(IMPLIES (EQ p1 m)
(FORALL (l1)
(IMPLIES (EQ l1 (+ u0 1))
(AND (<= 0 (- (+ 2 u0) l0)) (< (- (+ 2 u0) l1) (- (+ 2 u0) l0)))))))))))))))))))))))))))))))))

;; binary_search_po_10, File "bsearch.mlw", line 33, characters 4-94
(FORALL (t)
(IMPLIES (AND (>= (array_length t) 1)
         (sorted_array t 1 (- (array_length t) 1)))
(FORALL (l)
(IMPLIES (EQ l 1)
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(FORALL (u)
(IMPLIES (EQ u (- result 1))
(FORALL (p)
(IMPLIES (EQ p 0)
(FORALL (l0)
(FORALL (p0)
(FORALL (u0)
(IMPLIES (AND (<= 1 l0)
         (AND (<= u0 (- (array_length t) 1))
         (AND (AND (<= 0 p0) (<= p0 (- (array_length t) 1)))
         (AND
         (IMPLIES (EQ p0 0)
         (IMPLIES (EQ (In t 1 (- (array_length t) 1)) |@true|)
         (EQ (In t l0 u0) |@true|))) (IMPLIES (> p0 0) (EQ (access t p0) v))))))
(IMPLIES (> l0 u0)
(OR (AND (AND (<= 1 p0) (<= p0 (- (array_length t) 1))) (EQ (access t p0) v))
(AND (EQ p0 0) (NOT (EQ (In t 1 (- (array_length t) 1)) |@true|)))))))))))))))))))

why-2.34/examples/binary-search/Makefile0000644000175000017500000000011112311670312016613 0ustar  rtusers
all: bsearch_valid.vo

VO=bsearch_valid.vo

include ../Makefile.common

why-2.34/examples/binary-search/bsearch.mlw0000644000175000017500000000177012311670312017317 0ustar  rtusers
include "arrays.why"

logic v : int

function mean(x : int, y : int) : int = (x + y) / 2

axiom mean : forall x,y:int. x <= y -> x <= mean(x,y) <= y

predicate In(t : int farray, l : int, u : int) =
   exists i:int. l <= i <= u and t[i] = v

parameter t : int array

parameter l,u,p,m : int ref

let binary_search () =
  { array_length(t) >= 1 and sorted_array(t,1,array_length(t)-1) }
  begin
    l := 1; u := (array_length_ t)-1; p := 0;
    while !l <= !u do
      { invariant 
	  1 <= l and u <= array_length(t)-1 and 0 <= p <= array_length(t)-1
          and (p = 0 -> In(t,1,array_length(t)-1) -> In(t,l,u))
          and (p > 0 -> t[p]=v)
        variant 2+u-l }
      m := (mean !l !u);
      assert { l <= m and m <= u };
      if t[!m] < v then
        l := !m + 1
      else if t[!m] > v then
        u := !m - 1
      else begin
        p := !m; (* break => *) l := !u + 1
      end       
    done
  end
  { (1 <= p <= array_length(t)-1 and t[p]=v) or 
    (p = 0 and not In(t,1,array_length(t)-1)) }

why-2.34/examples/binary-search/bsearch_why.v0000644000175000017500000002051212311670312017647 0ustar  rtusers
Require Import Why.
Require Import ZArith.
Require Import Zcomplements.
Require Import Omega.
 
Ltac Omega' := abstract omega.

(* Parameters and axioms *)

Parameter v : Z.

(* Specification *)

Inductive In (t:array Z) (l u:Z) : Prop :=
    In_cons : forall i:Z, (l <= i <= u)%Z -> access t i = v -> In t l u.

Definition mean (x y:Z) := Zdiv2 (x + y).

(* Lemmas *)

Lemma le_mean : forall x y:Z, (0 <= x <= y)%Z -> (x <= mean x y)%Z.
Proof.
intros.
apply Zmult_le_reg_r with (p := 2%Z).
omega.
rewrite Zmult_comm.
rewrite (Zmult_comm (mean x y) 2).
unfold mean.
elim (Zeven_odd_dec (x + y)); intro.
rewrite <- Zeven_div2 with (x + y)%Z.
omega.
assumption.
elim (Z_eq_dec x y); intro.
absurd (x = y); try assumption.
rewrite a in b.
absurd (Zodd (y + y)); try assumption.
absurd ((y + y)%Z = (2 * Zdiv2 (y + y) + 1)%Z).
omega.
apply Zodd_div2.
omega.
assumption.
cut ((x + y)%Z = (2 * Zdiv2 (x + y) + 1)%Z).
omega.
apply Zodd_div2.
omega.
assumption.
Qed.

Lemma ge_mean : forall x y:Z, (0 <= x <= y)%Z -> (mean x y <= y)%Z.
Proof.
intros.
apply Zmult_le_reg_r with (p := 2%Z).
omega.
rewrite Zmult_comm.
rewrite (Zmult_comm y 2).
unfold mean.
elim (Zeven_odd_dec (x + y)); intro.
rewrite <- Zeven_div2 with (x + y)%Z.
omega.
assumption.
cut ((x + y)%Z = (2 * Zdiv2 (x + y) + 1)%Z).
omega.
apply Zodd_div2.
omega.
assumption.
Qed.

Lemma In_right_side :
 forall t:array Z,
   sorted_array t 1 (array_length t - 1) ->
   forall l u:Z,
     (1 <= l)%Z ->
     (u <= array_length t - 1)%Z ->
     (l <= u)%Z ->
     (l <= mean l u <= u)%Z ->
     (In t 1 (array_length t - 1) -> In t l u) ->
     (access t (mean l u) < v)%Z ->
     In t 1 (array_length t - 1) -> In t (mean l u + 1) u.
     Proof.
     intros t Hsorted l u Hl Hu Hlu Hm Inv Hv H.
generalize (Inv H).
 intro.
decompose [In] H0.
apply In_cons with i.
elim (Z_gt_le_dec (mean l u + 1) i); intro.
absurd (access t i = v).
apply Zlt_not_eq.
apply Zle_lt_trans with (access t (mean l u)).
apply sorted_elements with (n := 1%Z) (m := (array_length t - 1)%Z).
assumption.
Omega'.
Omega'.
Omega'.
Omega'.
assumption.
assumption.
Omega'.
assumption.
Qed.

Lemma In_left_side :
 forall t:array Z,
   sorted_array t 1 (array_length t - 1) ->
   forall l u:Z,
     (1 <= l)%Z ->
     (u <= array_length t - 1)%Z ->
     (l <= u)%Z ->
     (l <= mean l u <= u)%Z ->
     (In t 1 (array_length t - 1) -> In t l u) ->
     (access t (mean l u) > v)%Z ->
     In t 1 (array_length t - 1) -> In t l (mean l u - 1).
     Proof.
     intros t Hsorted l u Hl Hu Hlu Hm Inv Hv H.
generalize (Inv H).
 intro.
decompose [In] H0.
apply In_cons with i.
elim (Z_gt_le_dec i (mean l u - 1)); intro.
absurd (access t i = v).
apply sym_not_eq.
apply Zlt_not_eq.
apply Zlt_le_trans with (access t (mean l u)).
Omega'.
apply sorted_elements with (n := 1%Z) (m := (array_length t - 1)%Z).
assumption.
Omega'.
Omega'.
Omega'.
Omega'.
assumption.
Omega'.
assumption.
Qed.

(* Obligations *)

(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A102:Set) (a1:(array A102)) (a2:(array A102)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A111:Set) (a1:(array A111)) (a2:(array A111))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

(*Why logic*) Definition v : Z.
Admitted.

(*Why function*) Definition mean  (x:Z) (y:Z) := ((Zdiv (x + y) 2)).

(*Why axiom*) Lemma mean :
  (forall (x:Z),
   (forall (y:Z), (x <= y -> x <= (mean x y) /\ (mean x y) <= y))).
Admitted.

(*Why predicate*) Definition In  (t:(array Z)) (l:Z) (u:Z)
  := (exists i:Z, (l <= i /\ i <= u) /\ (access t i) = v).

Proof.
intuition.
subst;auto.
Save.

Proof.
intuition; subst.
apply le_mean; intuition.
apply ge_mean; intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
subst; apply In_right_side; intuition.
Save.

Proof.
intuition.
subst; apply In_left_side; intuition.
Save.

Proof.
intuition; subst.
absurd (mean l0 u0 = 0); omega.
omega.
Save.

Proof.
intuition; subst.
assert (1 <= p0 \/ p0=0). omega. intuition.
subst; right; intuition.
assert (h: (In t l0 u0)). assumption.
inversion h; omega.
Save.


Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.



why-2.34/examples/binary-search/.depend0000644000175000017500000000017312311670312016423 0ustar  rtusersbsearch_valid.vo: bsearch_valid.v ../../lib/coq/Why.vo ./bsearch_why.vo
bsearch_why.vo: bsearch_why.v ../../lib/coq/Why.vo
why-2.34/examples/edit-distance/0000755000175000017500000000000012311670312015150 5ustar  rtuserswhy-2.34/examples/edit-distance/Makefile0000644000175000017500000000011012311670312016600 0ustar  rtusers
VO=distance_valid.vo

all: words.vo $(VO)

include ../Makefile.common

why-2.34/examples/edit-distance/words.v0000644000175000017500000002652312311670312016505 0ustar  rtusers(* Load Programs. *)
(*s Axiomatization of words over a alphabet [A]. *)

Require Import List.
Require Import ZArith.
Require Import ZArithRing.
Require Import WhyArrays.
Require Import Zwf.
Require Import Omega.

(*s Alphabet. This is an abstract type [A] where equality is decidable.*)

Parameter A : Set.
 
Axiom A_eq_dec : forall a b:A, {a = b} + {a <> b}.

(*s Words are list of characters. *)

Definition word := list A.
Definition eps := nil (A:=A).

Definition concat := app.
Implicit Arguments concat [A].


(*s Distance. It is axiomatized as a predicate [dist w1 w2 n] expressing that
    [w1] and [w2] are at distance at most [n] (i.e. there exists a path of 
    length [n] from [w1] to [w2]). *)

Inductive dist : word -> word -> Z -> Prop :=
  | dist_eps : dist eps eps 0%Z
  | dist_add_left :
      forall (w1 w2:word) (n:Z),
        dist w1 w2 n -> forall a:A, dist (cons a w1) w2 (n + 1)%Z
  | dist_add_right :
      forall (w1 w2:word) (n:Z),
        dist w1 w2 n -> forall a:A, dist w1 (cons a w2) (n + 1)%Z
  | dist_context :
      forall (w1 w2:word) (n:Z),
        dist w1 w2 n -> forall a:A, dist (cons a w1) (cons a w2) n.

(*s Then we introducve the minimal distance between two words. *)

Definition min_dist (w1 w2:word) (n:Z) :=
  dist w1 w2 n /\ (forall m:Z, dist w1 w2 m -> (n <= m)%Z).


(*s Length of a word (in type [Z]). *)

Fixpoint Zlength (w:word) : Z :=
  match w with
  | nil => 0%Z
  | cons _ w' => (Zlength w' + 1)%Z
  end.


(*s Auxiliary result on words:
    Any word [au] starting with a character can be written as a
    word [vb] ending with a character. *)

Fixpoint last_char (a:A) (u:word) {struct u} : A :=
  match u with
  | nil => a
  | cons c u' => last_char c u'
  end.

Fixpoint but_last (a:A) (u:word) {struct u} : word :=
  match u with
  | nil => eps
  | cons c u' => cons a (but_last c u')
  end.

Lemma first_last_explicit :
 forall (u:word) (a:A),
   concat (but_last a u) (cons (last_char a u) eps) = cons a u.
Proof.
simple induction u; simpl.
reflexivity.
intros.
rewrite (H a).
reflexivity.
Qed.

Lemma first_last :
 forall (a:A) (u:word),
    exists v, 
      exists b, 
        concat v (cons b eps) = cons a u /\
          Zlength v = Zlength u.
Proof.
intros a u.
exists (but_last a u).
exists (last_char a u).
split.
 exact (first_last_explicit u a).
generalize a; induction u; simpl; intros.
omega.
generalize (IHu a0); intros; omega.
Qed.


(*s Key lemma: if [dist w1 aw2 n] then there exists [u1], [v1],
    [k] such that [dist v1 w2 k], [w1=u1v1] and [k+(length u1)-1<=m]. *)

Lemma key_lemma_right :
 forall (w1 w'2:word) (m:Z) (a:A),
   dist w1 w'2 m ->
   forall w2:word,
     w'2 = cons a w2 ->
      exists u1,
       exists v1,
        exists k,
           w1 = concat u1 v1 /\
             dist v1 w2 k /\ (k + Zlength u1 <= m + 1)%Z.
Proof.
intros w1 w'2 m a H; elim H.
(* 1. [dist_eps]: absurd *)
intros; discriminate H0.
(* 2. [dist_add_left]: we use induction hypothesis. *)
intros w'1 w3 n Hdist Hrec b w2 Heq.
  elim (Hrec w2 Heq); intros u'1 Hex.
elim Hex; clear Hex; intros v'1 Hex.
elim Hex; clear Hex; intros k Hex.
decompose [and] Hex; clear Hex.
elim (first_last b u'1); intros u1 Hex.
elim Hex; intros c [Hc Hlength].
exists u1; exists (cons c v'1); exists (k + 1)%Z.
repeat split.
rewrite H0.
rewrite app_comm_cons.
rewrite <- Hc.
rewrite app_ass; reflexivity.
apply dist_add_left; assumption.
omega.
(* 3. [dist_add_right]: direct *)
intros.
exists eps; exists w0; exists n.
repeat split.
inversion H2.
rewrite <- H5; assumption.
simpl; omega.
(* 4. [dist_context]: direct *)
intros.
inversion H2.
exists (cons a eps); exists w0; exists n.
repeat split.
rewrite <- H5; assumption.
simpl; omega.
Qed.


(*s To get the symmetric key lemma, we use the symmetry of [dist]. *)

Lemma dist_symetry :
 forall (w1 w2:word) (n:Z), dist w1 w2 n -> dist w2 w1 n.
Proof.
simple induction 1; intros.
exact dist_eps.
apply dist_add_right; assumption.
apply dist_add_left; assumption.
apply dist_context; assumption.
Qed.

Lemma key_lemma_left :
 forall (w1 w2:word) (m:Z) (a:A),
   dist (cons a w1) w2 m ->
    exists u2,
      exists v2,
        exists k,
          w2 = concat u2 v2 /\
           dist w1 v2 k /\ (k + Zlength u2 <= m + 1)%Z.
Proof.
intros w1 w2 m a Hdist.
generalize (dist_symetry (cons a w1) w2 m Hdist); intro Hrev.

elim (key_lemma_right w2 (cons a w1) m a Hrev w1).
intros u2 Hex; elim Hex; clear Hex.
intros v2 Hex; elim Hex; clear Hex.
intros k Hex.
decompose [and] Hex; clear Hex.
exists u2.
exists v2.
exists k.
repeat split; try assumption.
apply dist_symetry; assumption.
reflexivity.
Qed.


(*s Concatenation to the left: if [dist w1 w2 n] then
    [dist uw1 w2 (|u|+n)] and [dist w1 uw2 (|u|+n)]. *)

Lemma dist_concat_left :
 forall (u v w:word) (n:Z),
   dist v w n -> dist (concat u v) w (Zlength u + n).
Proof.
simple induction u; simpl; intros.
auto.
replace (Zlength l + 1 + n)%Z with (Zlength l + n + 1)%Z;
 [ idtac | omega ].
apply dist_add_left; auto.
Qed.

Lemma dist_concat_right :
 forall (u v w:word) (n:Z),
   dist v w n -> dist v (concat u w) (Zlength u + n).
Proof.
simple induction u; simpl; intros.
auto.
replace (Zlength l + 1 + n)%Z with (Zlength l + n + 1)%Z;
 [ idtac | omega ].
apply dist_add_right; auto.
Qed.


(*s First main lemma for correctness: [d(aw1,aw2)=d(w1,w2)]. *)

Lemma min_dist_equal :
 forall (w1 w2:word) (a:A) (n:Z),
   min_dist w1 w2 n -> min_dist (cons a w1) (cons a w2) n.
Proof.
intros w1 w2 a n.
unfold min_dist.
generalize dist_context; intuition.

inversion H0.

elim (key_lemma_right w1 (cons a w2) n0 a H7 w2);
 [ idtac | reflexivity ].
intros u1 Hex; elim Hex; clear Hex.
intros v1 Hex; elim Hex; clear Hex.
intros k Hex.
 decompose [and] Hex; clear Hex.
generalize (dist_concat_left u1 v1 w2 k H10); intro.
apply Zle_trans with (Zlength u1 + k)%Z.
apply H2.
rewrite H8; assumption.
omega.
elim (key_lemma_left w1 w2 n0 a H7).
intros u2 Hex; elim Hex; clear Hex.
intros v2 Hex; elim Hex; clear Hex.
intros k Hex.
 decompose [and] Hex; clear Hex.
generalize (dist_concat_right u2 w1 v2 k H10); intro.
apply Zle_trans with (Zlength u2 + k)%Z.
apply H2.
rewrite H8; assumption.
omega.
auto.
Qed.


(*s Second main lemma for correctness: \par\noindent
    if [~a=b], then [d(aw1,bw2)=1+min(d(aw1,w2),d(w1,bw2))]. *)

Lemma min_dist_diff :
 forall (w1 w2:word) (a b:A) (m p:Z),
   a <> b ->
   min_dist (cons a w1) w2 p ->
   min_dist w1 (cons b w2) m ->
   min_dist (cons a w1) (cons b w2) (Zmin m p + 1).
 Proof.
intros w1 w2 a b m p.
 unfold min_dist; intuition.
unfold Zmin.
case (m ?= p)%Z; generalize dist_add_left dist_add_right; intuition.

generalize (Zle_min_l m p) (Zle_min_r m p) Zplus_le_compat_r Zle_trans.
inversion H1; intuition eauto.
Qed.

(*s Two trivial lemmas needed for correctness. *)

Lemma min_dist_eps :
 forall (w:word) (a:A) (n:Z),
   min_dist w eps n -> min_dist (cons a w) eps (n + 1).
 Proof.
unfold min_dist.
intros w a n [H1 H2].
 split.
apply dist_add_left.
assumption.
intros m Hm; inversion Hm.
generalize (H2 n0 H5).
intros; omega.
Qed.

Lemma min_dist_eps_length : forall w:word, min_dist eps w (Zlength w).
Proof.
intros w; unfold min_dist; intuition.
induction w; simpl; intros.
exact dist_eps.
apply dist_add_right; assumption.
generalize m H.
 clear m H.
induction w; intros m H; inversion H; simpl.
omega.
generalize (IHw n H4); intro; omega.
Qed.


(*s Suffixes of an array of characters. 
    Given an array [t] of length [n] of characters, we define
    [suffix t i] as the word [t(i)t(i+1)...t(n-1)],
    by well-founded recursion over [n-i]. *)

Section suffixes.

Variable n : Z.
Variable t : array A.

Definition F : forall i:Z, (forall j:Z, Zwf_up n j i -> word) -> word.
intros i f.
elim (Z_lt_ge_dec i 0); intro Hi.
exact eps.
elim (Z_lt_ge_dec i n); intro H1.
refine (cons (access t i) (f (i + 1)%Z _)).
unfold Zwf_up; omega.
exact eps.
Defined.

Definition suffix := Fix (Zwf_up_well_founded n) (fun i:Z => word) F.

(*s To use [Fix_eq], we need to establish extensionality of [F]. *)

Lemma extensionality :
 forall (x:Z) (f g:forall y:Z, Zwf_up n y x -> word),
   (forall (y:Z) (p:Zwf_up n y x), f y p = g y p) -> F x f = F x g.
Proof.
intros.
unfold F.
case (Z_lt_ge_dec x 0); simpl.
auto.
intro; case (Z_lt_ge_dec x n); simpl.
intro.
 apply (f_equal (cons (access t x))).
apply H.
auto.
Qed.

(*s Induction case for [suffix]. *)

Lemma suffix_is_cons :
 forall i:Z,
   (0 <= i < n)%Z -> suffix i = cons (access t i) (suffix (i + 1)).
Proof.
intros i Hi.
rewrite
 (Fix_eq (Zwf_up_well_founded n) (fun i:Z => word) F extensionality)
 .
unfold F.
case (Z_lt_ge_dec i 0).
intros; absurd (i < 0)%Z; omega.
case (Z_lt_ge_dec i n).
intros; simpl.
reflexivity.
intros; absurd (i >= n)%Z; omega.
Qed.

(*s Base case: the empty suffix. *)

Lemma suffix_n_is_eps : suffix n = eps.
 Proof.
rewrite
 (Fix_eq (Zwf_up_well_founded n) (fun i:Z => word) F extensionality)
 .
unfold F.
case (Z_lt_ge_dec n 0).
reflexivity.
case (Z_lt_ge_dec n n).
intros; absurd (n < n)%Z; omega.
reflexivity.
Qed.

(*s The whole array as a word. *)

Definition word_of_array := suffix 0.

(*s Length of a suffix. *)

Lemma suffix_length :
 forall i:Z, (0 <= i <= n)%Z -> Zlength (suffix i) = (n - i)%Z.
(* proof is by induction over [n-i] *)
Proof.
intros i Hi.
 generalize Hi.
 replace i with (n - (n - i))%Z.
replace (n - (n - (n - i)))%Z with (n - i)%Z.
pattern (n - i)%Z; apply natlike_ind.
(* base case *)
intros; replace (n - 0)%Z with n.
rewrite suffix_n_is_eps; reflexivity.
omega.
(* induction case *)
intros.
rewrite suffix_is_cons; [ idtac | omega ].
simpl.
unfold Zsucc; ring.
replace (n - (1 + x) + 1)%Z with (n - x)%Z; [ idtac | ring ].
apply H0; omega.
omega.
omega.
omega.
Qed.

End suffixes.


(*s Bonus: we show the equivalence with another definition of the
    distance. *)

Inductive dist' : word -> word -> Z -> Prop :=
  | dist'_eps : dist' eps eps 0%Z
  | dist'_add_left :
      forall (w1 w2:word) (n:Z),
        dist' w1 w2 n -> forall a:A, dist' (cons a w1) w2 (n + 1)%Z
  | dist'_add_right :
      forall (w1 w2:word) (n:Z),
        dist' w1 w2 n -> forall a:A, dist' w1 (cons a w2) (n + 1)%Z
  | dist'_context :
      forall (w1 w2 u v:word) (n:Z),
        dist' w1 w2 n ->
        dist' (concat u (concat w1 v)) (concat u (concat w2 v)) n.

Lemma cons_is_concat :
 forall (w:word) (a:A), cons a w = concat (cons a eps) (concat w eps).
Proof.
intros w a; simpl.
unfold concat; unfold eps; rewrite <- app_nil_end.
reflexivity.
Qed.

Lemma dist_is_dist' :
 forall (w1 w2:word) (n:Z), dist w1 w2 n -> dist' w1 w2 n.
Proof.
simple induction 1.
exact dist'_eps.
intros; apply dist'_add_left; assumption.
intros; apply dist'_add_right; assumption.
intros.
rewrite (cons_is_concat w0 a).
rewrite (cons_is_concat w3 a).
apply dist'_context; assumption.
Qed.

Lemma dist_concat_both_left :
 forall (n:Z) (u w1 w2:word),
   dist w1 w2 n -> dist (concat u w1) (concat u w2) n.
Proof.
simple induction u; simpl; intros.
auto.
apply dist_context; auto.
Qed.

Lemma dist_concat_both_right :
 forall (n:Z) (w1 w2:word),
   dist w1 w2 n -> forall u:word, dist (concat w1 u) (concat w2 u) n.
Proof.
simple induction 1; simpl; intros.
induction u; simpl.
exact dist_eps.
apply dist_context; assumption.
apply dist_add_left.
 exact (H1 u).
apply dist_add_right.
 exact (H1 u).
apply dist_context.
 exact (H1 u).
Qed.

Lemma dist'_is_dist :
 forall (w1 w2:word) (n:Z), dist' w1 w2 n -> dist w1 w2 n.
Proof.
simple induction 1.
exact dist_eps.
intros; apply dist_add_left; assumption.
intros; apply dist_add_right; assumption.
intros.
apply dist_concat_both_left.
apply dist_concat_both_right.
assumption.
Qed.
why-2.34/examples/edit-distance/distance.mlw0000644000175000017500000000535712311670312017475 0ustar  rtusers
(*s Correctness of a program computing the minimal distance between
    two words (code by Claude Marché).

    This program computes a variant of the Levenshtein distance. Given
    two strings [w1] and [w2] of respective lengths [n1] and [n2], it
    computes the minimal numbers of insertions and deletions to
    perform in one of the strings to get the other one.  (The
    traditional edit distance also includes substitutions.)

    The nice point about this algorithm, due to Claude March\'e, is to
    work in linear space, in an array of min(n1,n2) integers. Time
    complexity is O(n1 * n2), as usual.
*)

include "arrays.why"

(*s Parameters. Input of the program is composed of two arrays
    of characters, [w1] of size [n1] and [w2] of size [n2]. *)

logic n1 : int
logic n2 : int

type A

parameter w1 : A array
parameter w2 : A array

(*s Global variables of the program. The program uses an auxiliary
    array [t] of integers of size [n2+1] and three auxiliary
    integer variables [i], [j] and [old]. *)

parameter t : int array

parameter i,j,old : int ref

(*s Auxiliary definitions for the program and its specification. *)

parameter test_char : a:A -> b:A -> {} bool { if result then a=b else not a=b }

parameter Zmin : int -> int -> int

type word

logic min_suffix : A farray, A farray, int, int, int -> prop
logic word_of_array : int, A farray -> word
logic min_dist : word, word, int -> prop

(*s The program. *)

let distance () =
  { array_length(w1) = n1 and array_length(w2)=n2 and array_length(t)=n2+1 }
  begin
    (* initialization of t *)
      i := 0;
      while !i <= n2 do
        { invariant 0 <= i <= n2+1 and array_length(t)=n2+1
                and forall j:int. 0 <= j < i -> t[j] = n2-j
          variant n2+1-i }
        t[!i] := n2 - !i;
        i := !i + 1
      done;
    (* loop over w1 *)
      i := n1 - 1;
      while !i >= 0 do
        { invariant -1 <= i <= n1-1 and array_length(t)=n2+1
                and forall j:int. 0 <= j <= n2 -> min_suffix(w1,w2,i+1,j,t[j])
          variant i+1 }
        old := t[n2];
        t[n2] := t[n2] + 1;
        (* loop over w2 *)
        j := n2-1;
        while !j >= 0 do
          { invariant -1 <= j <= n2-1 and array_length(t)=n2+1
                and (forall k:int. j < k <= n2 -> min_suffix(w1,w2,i,k,t[k]))
                and (forall k:int. 0 <= k <= j -> min_suffix(w1,w2,i+1,k,t[k]))
                and min_suffix(w1,w2,i+1,j+1,old)
	    variant j+1 }
	 (let temp = !old in
          begin
            old := t[!j];
	    if (test_char w1[!i] w2[!j]) then
	      t[!j] := temp
	    else
	      t[!j] := (Zmin t[!j] t[!j+1]) + 1
          end);
          j := !j - 1
        done;
	i := !i - 1
      done;
      t[0]
  end
  { min_dist(word_of_array(n1,w1), word_of_array(n2,w2), result) }
why-2.34/examples/edit-distance/distance_why.sx0000644000175000017500000010772112311670312020215 0ustar  rtusers(BG_PUSH 
  ; array_length
  (FORALL (t i v) (EQ (array_length (store t i v)) (array_length t)))
  ; booleans
  (DISTINCT |@true| |@false|)
  ; exchange
  (FORALL (t1 t2 i j)
	  (IFF (EQ (exchange t1 t2 i j) |@true|)
	       (AND (EQ (array_length t1) (array_length t2))
		    (EQ (select t1 i) (select t2 j))
		    (EQ (select t1 j) (select t2 i))
		    (FORALL (k) (IMPLIES (AND (NEQ k i) (NEQ k j))
					 (EQ (select t1 k) (select t2 k)))))))
  (FORALL (t1 t2 i j)
	  (IMPLIES (EQ (exchange t1 t2 i j) |@true|)
		   (EQ (array_length t1) (array_length t2))))
  ; permut
  (FORALL (t) (EQ (permut t t) |@true|))
  (FORALL (t1 t2) (IMPLIES (EQ (permut t1 t2) |@true|)
			   (EQ (permut t2 t1) |@true|)))
  (FORALL (t1 t2 t3) (IMPLIES (AND (EQ (permut t1 t2) |@true|)
				   (EQ (permut t2 t3) |@true|))
			      (EQ (permut t1 t3) |@true|)))
  (FORALL 
   (t i j) 
   (EQ (permut t (store (store t i (select t j)) j (select t i))) |@true|))
  (FORALL (t1 t2)
	  (IMPLIES (EQ (permut t1 t2) |@true|)
		   (EQ (array_length t1) (array_length t2))))
  ; sub_permut
  (FORALL (t g d) (EQ (sub_permut g d t t) |@true|))
  (FORALL (t1 t2 g d) (IMPLIES (EQ (sub_permut g d t1 t2) |@true|)
			   (EQ (sub_permut g d t2 t1) |@true|)))
  (FORALL (t1 t2 t3 g d) (IMPLIES (AND (EQ (sub_permut g d t1 t2) |@true|)
				       (EQ (sub_permut g d t2 t3) |@true|))
				  (EQ (sub_permut g d t1 t3) |@true|)))
  (FORALL 
   (t g d i j) 
   (IMPLIES (AND (<= g i) (<= i d) (<= g j) (<= j d))
	    (EQ (sub_permut g d t 
			    (store (store t i (select t j)) j (select t i))) 
		|@true|)))
  (FORALL 
   (t1 t2 g d i j)
   (IMPLIES (AND (EQ (exchange t1 t2 i j) |@true|)
		 (<= g i) (<= i d) (<= g j) (<= j d))
	    (EQ (sub_permut g d t1 t2) |@true|)))
  (FORALL (t1 t2 i j) 
	  (IMPLIES (EQ (sub_permut i j t1 t2) |@true|)
		   (EQ (permut t1 t2) |@true|)))
  (FORALL (t1 t2 i j)
	  (IMPLIES (EQ (sub_permut i j t1 t2) |@true|)
		   (EQ (array_length t1) (array_length t2))))
  ; sorted_array
  (FORALL 
   (t i j) 
   (IFF (EQ (sorted_array t i j) |@true|)
	(IMPLIES (<= i j)
		 (FORALL (k) (IMPLIES (AND (<= i k) (< k j))
				      (<= (select t k) (select t (+ k 1))))))))
)

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; distance_po_1, File "distance.mlw", line 55, characters 20-119
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(AND (AND (<= 0 i) (<= i (+ n2 1)))
(AND (EQ (array_length t) (+ n2 1))
(FORALL (j) (IMPLIES (AND (<= 0 j) (< j i)) (EQ (access t j) (- n2 j))))))))))))

;; distance_po_2, File "distance.mlw", line 58, characters 8-24
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (<= i0 n2) (AND (<= 0 i0) (< i0 (array_length t0)))))))))))))

;; distance_po_3, File "distance.mlw", line 55, characters 20-119
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (<= i0 n2)
(IMPLIES (AND (<= 0 i0) (< i0 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 i0 (- n2 i0)))
(FORALL (i1)
(IMPLIES (EQ i1 (+ i0 1))
(AND (AND (<= 0 i1) (<= i1 (+ n2 1)))
(AND (EQ (array_length t1) (+ n2 1))
(FORALL (j) (IMPLIES (AND (<= 0 j) (< j i1)) (EQ (access t1 j) (- n2 j)))))))))))))))))))))

;; distance_po_4, File "distance.mlw", line 57, characters 18-24
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (<= i0 n2)
(IMPLIES (AND (<= 0 i0) (< i0 (array_length t0)))
(FORALL (t1)
(IMPLIES (EQ t1 (update t0 i0 (- n2 i0)))
(FORALL (i1)
(IMPLIES (EQ i1 (+ i0 1))
(AND (<= 0 (- (+ n2 1) i0)) (< (- (+ n2 1) i1) (- (+ n2 1) i0))))))))))))))))))

;; distance_po_5, File "distance.mlw", line 64, characters 20-139
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(AND (AND (<= (- 0 1) i1) (<= i1 (- n1 1)))
(AND (EQ (array_length t0) (+ n2 1))
(FORALL (j)
(IMPLIES (AND (<= 0 j) (<= j n2))
(EQ (min_suffix w1 w2 (+ i1 1) j (access t0 j)) |@true|)))))))))))))))))

;; distance_po_6, File "distance.mlw", line 67, characters 15-20
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (>= i2 0) (AND (<= 0 n2) (< n2 (array_length t1)))))))))))))))))))

;; distance_po_7, File "distance.mlw", line 72, characters 22-270
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (>= i2 0)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result)
(IMPLIES (EQ result (access t1 n2))
(FORALL (old)
(IMPLIES (EQ old result)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t1 n2))
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 n2 (+ result0 1)))
(FORALL (j)
(IMPLIES (EQ j (- n2 1))
(AND (AND (<= (- 0 1) j) (<= j (- n2 1)))
(AND (EQ (array_length t2) (+ n2 1))
(AND
(FORALL (k)
(IMPLIES (AND (< j k) (<= k n2))
(EQ (min_suffix w1 w2 i2 k (access t2 k)) |@true|)))
(AND
(FORALL (k)
(IMPLIES (AND (<= 0 k) (<= k j))
(EQ (min_suffix w1 w2 (+ i2 1) k (access t2 k)) |@true|)))
(EQ (min_suffix w1 w2 (+ i2 1) (+ j 1) old) |@true|))))))))))))))))))))))))))))))))))

;; distance_po_8, File "distance.mlw", line 79, characters 19-24
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (>= i2 0)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result)
(IMPLIES (EQ result (access t1 n2))
(FORALL (old)
(IMPLIES (EQ old result)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t1 n2))
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 n2 (+ result0 1)))
(FORALL (j)
(IMPLIES (EQ j (- n2 1))
(FORALL (j0)
(FORALL (old0)
(FORALL (t3)
(IMPLIES (AND (AND (<= (- 0 1) j0) (<= j0 (- n2 1)))
         (AND (EQ (array_length t3) (+ n2 1))
         (AND
         (FORALL (k)
         (IMPLIES (AND (< j0 k) (<= k n2))
         (EQ (min_suffix w1 w2 i2 k (access t3 k)) |@true|)))
         (AND
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (<= k j0))
         (EQ (min_suffix w1 w2 (+ i2 1) k (access t3 k)) |@true|)))
         (EQ (min_suffix w1 w2 (+ i2 1) (+ j0 1) old0) |@true|)))))
(IMPLIES (>= j0 0) (AND (<= 0 j0) (< j0 (array_length t3)))))))))))))))))))))))))))))))))))))

;; distance_po_9, File "distance.mlw", line 80, characters 19-25
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (>= i2 0)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result)
(IMPLIES (EQ result (access t1 n2))
(FORALL (old)
(IMPLIES (EQ old result)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t1 n2))
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 n2 (+ result0 1)))
(FORALL (j)
(IMPLIES (EQ j (- n2 1))
(FORALL (j0)
(FORALL (old0)
(FORALL (t3)
(IMPLIES (AND (AND (<= (- 0 1) j0) (<= j0 (- n2 1)))
         (AND (EQ (array_length t3) (+ n2 1))
         (AND
         (FORALL (k)
         (IMPLIES (AND (< j0 k) (<= k n2))
         (EQ (min_suffix w1 w2 i2 k (access t3 k)) |@true|)))
         (AND
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (<= k j0))
         (EQ (min_suffix w1 w2 (+ i2 1) k (access t3 k)) |@true|)))
         (EQ (min_suffix w1 w2 (+ i2 1) (+ j0 1) old0) |@true|)))))
(IMPLIES (>= j0 0)
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t3 j0))
(FORALL (old1)
(IMPLIES (EQ old1 result1) (AND (<= 0 i2) (< i2 (array_length w1))))))))))))))))))))))))))))))))))))))))))

;; distance_po_10, File "distance.mlw", line 80, characters 26-32
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (>= i2 0)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result)
(IMPLIES (EQ result (access t1 n2))
(FORALL (old)
(IMPLIES (EQ old result)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t1 n2))
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 n2 (+ result0 1)))
(FORALL (j)
(IMPLIES (EQ j (- n2 1))
(FORALL (j0)
(FORALL (old0)
(FORALL (t3)
(IMPLIES (AND (AND (<= (- 0 1) j0) (<= j0 (- n2 1)))
         (AND (EQ (array_length t3) (+ n2 1))
         (AND
         (FORALL (k)
         (IMPLIES (AND (< j0 k) (<= k n2))
         (EQ (min_suffix w1 w2 i2 k (access t3 k)) |@true|)))
         (AND
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (<= k j0))
         (EQ (min_suffix w1 w2 (+ i2 1) k (access t3 k)) |@true|)))
         (EQ (min_suffix w1 w2 (+ i2 1) (+ j0 1) old0) |@true|)))))
(IMPLIES (>= j0 0)
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t3 j0))
(FORALL (old1)
(IMPLIES (EQ old1 result1)
(IMPLIES (AND (<= 0 i2) (< i2 (array_length w1)))
(FORALL (result2)
(IMPLIES (EQ result2 (access w1 i2))
(AND (<= 0 j0) (< j0 (array_length w2)))))))))))))))))))))))))))))))))))))))))))))

;; distance_po_11, File "distance.mlw", line 72, characters 22-270
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (>= i2 0)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result)
(IMPLIES (EQ result (access t1 n2))
(FORALL (old)
(IMPLIES (EQ old result)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t1 n2))
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 n2 (+ result0 1)))
(FORALL (j)
(IMPLIES (EQ j (- n2 1))
(FORALL (j0)
(FORALL (old0)
(FORALL (t3)
(IMPLIES (AND (AND (<= (- 0 1) j0) (<= j0 (- n2 1)))
         (AND (EQ (array_length t3) (+ n2 1))
         (AND
         (FORALL (k)
         (IMPLIES (AND (< j0 k) (<= k n2))
         (EQ (min_suffix w1 w2 i2 k (access t3 k)) |@true|)))
         (AND
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (<= k j0))
         (EQ (min_suffix w1 w2 (+ i2 1) k (access t3 k)) |@true|)))
         (EQ (min_suffix w1 w2 (+ i2 1) (+ j0 1) old0) |@true|)))))
(IMPLIES (>= j0 0)
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t3 j0))
(FORALL (old1)
(IMPLIES (EQ old1 result1)
(IMPLIES (AND (<= 0 i2) (< i2 (array_length w1)))
(FORALL (result2)
(IMPLIES (EQ result2 (access w1 i2))
(IMPLIES (AND (<= 0 j0) (< j0 (array_length w2)))
(FORALL (result3)
(IMPLIES (EQ result3 (access w2 j0))
(IMPLIES (EQ result2 result3)
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (t4)
(IMPLIES (EQ t4 (update t3 j0 old0))
(FORALL (j1)
(IMPLIES (EQ j1 (- j0 1))
(AND (AND (<= (- 0 1) j1) (<= j1 (- n2 1)))
(AND (EQ (array_length t4) (+ n2 1))
(AND
(FORALL (k)
(IMPLIES (AND (< j1 k) (<= k n2))
(EQ (min_suffix w1 w2 i2 k (access t4 k)) |@true|)))
(AND
(FORALL (k)
(IMPLIES (AND (<= 0 k) (<= k j1))
(EQ (min_suffix w1 w2 (+ i2 1) k (access t4 k)) |@true|)))
(EQ (min_suffix w1 w2 (+ i2 1) (+ j1 1) old1) |@true|))))))))))))))))))))))))))))))))))))))))))))))))))))))))

;; distance_po_12, File "distance.mlw", line 76, characters 13-16
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (>= i2 0)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result)
(IMPLIES (EQ result (access t1 n2))
(FORALL (old)
(IMPLIES (EQ old result)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t1 n2))
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 n2 (+ result0 1)))
(FORALL (j)
(IMPLIES (EQ j (- n2 1))
(FORALL (j0)
(FORALL (old0)
(FORALL (t3)
(IMPLIES (AND (AND (<= (- 0 1) j0) (<= j0 (- n2 1)))
         (AND (EQ (array_length t3) (+ n2 1))
         (AND
         (FORALL (k)
         (IMPLIES (AND (< j0 k) (<= k n2))
         (EQ (min_suffix w1 w2 i2 k (access t3 k)) |@true|)))
         (AND
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (<= k j0))
         (EQ (min_suffix w1 w2 (+ i2 1) k (access t3 k)) |@true|)))
         (EQ (min_suffix w1 w2 (+ i2 1) (+ j0 1) old0) |@true|)))))
(IMPLIES (>= j0 0)
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t3 j0))
(FORALL (old1)
(IMPLIES (EQ old1 result1)
(IMPLIES (AND (<= 0 i2) (< i2 (array_length w1)))
(FORALL (result2)
(IMPLIES (EQ result2 (access w1 i2))
(IMPLIES (AND (<= 0 j0) (< j0 (array_length w2)))
(FORALL (result3)
(IMPLIES (EQ result3 (access w2 j0))
(IMPLIES (EQ result2 result3)
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (t4)
(IMPLIES (EQ t4 (update t3 j0 old0))
(FORALL (j1)
(IMPLIES (EQ j1 (- j0 1)) (AND (<= 0 (+ j0 1)) (< (+ j1 1) (+ j0 1))))))))))))))))))))))))))))))))))))))))))))))))))))))

;; distance_po_13, File "distance.mlw", line 83, characters 28-35
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (>= i2 0)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result)
(IMPLIES (EQ result (access t1 n2))
(FORALL (old)
(IMPLIES (EQ old result)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t1 n2))
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 n2 (+ result0 1)))
(FORALL (j)
(IMPLIES (EQ j (- n2 1))
(FORALL (j0)
(FORALL (old0)
(FORALL (t3)
(IMPLIES (AND (AND (<= (- 0 1) j0) (<= j0 (- n2 1)))
         (AND (EQ (array_length t3) (+ n2 1))
         (AND
         (FORALL (k)
         (IMPLIES (AND (< j0 k) (<= k n2))
         (EQ (min_suffix w1 w2 i2 k (access t3 k)) |@true|)))
         (AND
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (<= k j0))
         (EQ (min_suffix w1 w2 (+ i2 1) k (access t3 k)) |@true|)))
         (EQ (min_suffix w1 w2 (+ i2 1) (+ j0 1) old0) |@true|)))))
(IMPLIES (>= j0 0)
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t3 j0))
(FORALL (old1)
(IMPLIES (EQ old1 result1)
(IMPLIES (AND (<= 0 i2) (< i2 (array_length w1)))
(FORALL (result2)
(IMPLIES (EQ result2 (access w1 i2))
(IMPLIES (AND (<= 0 j0) (< j0 (array_length w2)))
(FORALL (result3)
(IMPLIES (EQ result3 (access w2 j0))
(IMPLIES (NOT (EQ result2 result3))
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (result4)
(IMPLIES (EQ result4 (access t3 j0))
(AND (<= 0 (+ j0 1)) (< (+ j0 1) (array_length t3))))))))))))))))))))))))))))))))))))))))))))))))))))

;; distance_po_14, File "distance.mlw", line 72, characters 22-270
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (>= i2 0)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result)
(IMPLIES (EQ result (access t1 n2))
(FORALL (old)
(IMPLIES (EQ old result)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t1 n2))
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 n2 (+ result0 1)))
(FORALL (j)
(IMPLIES (EQ j (- n2 1))
(FORALL (j0)
(FORALL (old0)
(FORALL (t3)
(IMPLIES (AND (AND (<= (- 0 1) j0) (<= j0 (- n2 1)))
         (AND (EQ (array_length t3) (+ n2 1))
         (AND
         (FORALL (k)
         (IMPLIES (AND (< j0 k) (<= k n2))
         (EQ (min_suffix w1 w2 i2 k (access t3 k)) |@true|)))
         (AND
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (<= k j0))
         (EQ (min_suffix w1 w2 (+ i2 1) k (access t3 k)) |@true|)))
         (EQ (min_suffix w1 w2 (+ i2 1) (+ j0 1) old0) |@true|)))))
(IMPLIES (>= j0 0)
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t3 j0))
(FORALL (old1)
(IMPLIES (EQ old1 result1)
(IMPLIES (AND (<= 0 i2) (< i2 (array_length w1)))
(FORALL (result2)
(IMPLIES (EQ result2 (access w1 i2))
(IMPLIES (AND (<= 0 j0) (< j0 (array_length w2)))
(FORALL (result3)
(IMPLIES (EQ result3 (access w2 j0))
(IMPLIES (NOT (EQ result2 result3))
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (result4)
(IMPLIES (EQ result4 (access t3 j0))
(IMPLIES (AND (<= 0 (+ j0 1)) (< (+ j0 1) (array_length t3)))
(FORALL (result5)
(IMPLIES (EQ result5 (access t3 (+ j0 1)))
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (t4)
(IMPLIES (EQ t4 (update t3 j0 (+ (Zmin result4 result5) 1)))
(FORALL (j1)
(IMPLIES (EQ j1 (- j0 1))
(AND (AND (<= (- 0 1) j1) (<= j1 (- n2 1)))
(AND (EQ (array_length t4) (+ n2 1))
(AND
(FORALL (k)
(IMPLIES (AND (< j1 k) (<= k n2))
(EQ (min_suffix w1 w2 i2 k (access t4 k)) |@true|)))
(AND
(FORALL (k)
(IMPLIES (AND (<= 0 k) (<= k j1))
(EQ (min_suffix w1 w2 (+ i2 1) k (access t4 k)) |@true|)))
(EQ (min_suffix w1 w2 (+ i2 1) (+ j1 1) old1) |@true|))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

;; distance_po_15, File "distance.mlw", line 76, characters 13-16
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (>= i2 0)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result)
(IMPLIES (EQ result (access t1 n2))
(FORALL (old)
(IMPLIES (EQ old result)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t1 n2))
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 n2 (+ result0 1)))
(FORALL (j)
(IMPLIES (EQ j (- n2 1))
(FORALL (j0)
(FORALL (old0)
(FORALL (t3)
(IMPLIES (AND (AND (<= (- 0 1) j0) (<= j0 (- n2 1)))
         (AND (EQ (array_length t3) (+ n2 1))
         (AND
         (FORALL (k)
         (IMPLIES (AND (< j0 k) (<= k n2))
         (EQ (min_suffix w1 w2 i2 k (access t3 k)) |@true|)))
         (AND
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (<= k j0))
         (EQ (min_suffix w1 w2 (+ i2 1) k (access t3 k)) |@true|)))
         (EQ (min_suffix w1 w2 (+ i2 1) (+ j0 1) old0) |@true|)))))
(IMPLIES (>= j0 0)
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (result1)
(IMPLIES (EQ result1 (access t3 j0))
(FORALL (old1)
(IMPLIES (EQ old1 result1)
(IMPLIES (AND (<= 0 i2) (< i2 (array_length w1)))
(FORALL (result2)
(IMPLIES (EQ result2 (access w1 i2))
(IMPLIES (AND (<= 0 j0) (< j0 (array_length w2)))
(FORALL (result3)
(IMPLIES (EQ result3 (access w2 j0))
(IMPLIES (NOT (EQ result2 result3))
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (result4)
(IMPLIES (EQ result4 (access t3 j0))
(IMPLIES (AND (<= 0 (+ j0 1)) (< (+ j0 1) (array_length t3)))
(FORALL (result5)
(IMPLIES (EQ result5 (access t3 (+ j0 1)))
(IMPLIES (AND (<= 0 j0) (< j0 (array_length t3)))
(FORALL (t4)
(IMPLIES (EQ t4 (update t3 j0 (+ (Zmin result4 result5) 1)))
(FORALL (j1)
(IMPLIES (EQ j1 (- j0 1)) (AND (<= 0 (+ j0 1)) (< (+ j1 1) (+ j0 1))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

;; distance_po_16, File "distance.mlw", line 64, characters 20-139
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (>= i2 0)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result)
(IMPLIES (EQ result (access t1 n2))
(FORALL (old)
(IMPLIES (EQ old result)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t1 n2))
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 n2 (+ result0 1)))
(FORALL (j)
(IMPLIES (EQ j (- n2 1))
(FORALL (j0)
(FORALL (old0)
(FORALL (t3)
(IMPLIES (AND (AND (<= (- 0 1) j0) (<= j0 (- n2 1)))
         (AND (EQ (array_length t3) (+ n2 1))
         (AND
         (FORALL (k)
         (IMPLIES (AND (< j0 k) (<= k n2))
         (EQ (min_suffix w1 w2 i2 k (access t3 k)) |@true|)))
         (AND
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (<= k j0))
         (EQ (min_suffix w1 w2 (+ i2 1) k (access t3 k)) |@true|)))
         (EQ (min_suffix w1 w2 (+ i2 1) (+ j0 1) old0) |@true|)))))
(IMPLIES (< j0 0)
(FORALL (i3)
(IMPLIES (EQ i3 (- i2 1))
(AND (AND (<= (- 0 1) i3) (<= i3 (- n1 1)))
(AND (EQ (array_length t3) (+ n2 1))
(FORALL (j)
(IMPLIES (AND (<= 0 j) (<= j n2))
(EQ (min_suffix w1 w2 (+ i3 1) j (access t3 j)) |@true|)))))))))))))))))))))))))))))))))))))))))

;; distance_po_17, File "distance.mlw", line 66, characters 18-21
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (>= i2 0)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result)
(IMPLIES (EQ result (access t1 n2))
(FORALL (old)
(IMPLIES (EQ old result)
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t1 n2))
(IMPLIES (AND (<= 0 n2) (< n2 (array_length t1)))
(FORALL (t2)
(IMPLIES (EQ t2 (update t1 n2 (+ result0 1)))
(FORALL (j)
(IMPLIES (EQ j (- n2 1))
(FORALL (j0)
(FORALL (old0)
(FORALL (t3)
(IMPLIES (AND (AND (<= (- 0 1) j0) (<= j0 (- n2 1)))
         (AND (EQ (array_length t3) (+ n2 1))
         (AND
         (FORALL (k)
         (IMPLIES (AND (< j0 k) (<= k n2))
         (EQ (min_suffix w1 w2 i2 k (access t3 k)) |@true|)))
         (AND
         (FORALL (k)
         (IMPLIES (AND (<= 0 k) (<= k j0))
         (EQ (min_suffix w1 w2 (+ i2 1) k (access t3 k)) |@true|)))
         (EQ (min_suffix w1 w2 (+ i2 1) (+ j0 1) old0) |@true|)))))
(IMPLIES (< j0 0)
(FORALL (i3)
(IMPLIES (EQ i3 (- i2 1)) (AND (<= 0 (+ i2 1)) (< (+ i3 1) (+ i2 1)))))))))))))))))))))))))))))))))))))))

;; distance_po_18, File "distance.mlw", line 89, characters 6-10
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (< i2 0) (AND (<= 0 0) (< 0 (array_length t1)))))))))))))))))))

;; distance_po_19, File "distance.mlw", line 91, characters 4-64
(FORALL (t)
(FORALL (w1)
(FORALL (w2)
(IMPLIES (AND (EQ (array_length w1) n1)
         (AND (EQ (array_length w2) n2) (EQ (array_length t) (+ n2 1))))
(FORALL (i)
(IMPLIES (EQ i 0)
(FORALL (i0)
(FORALL (t0)
(IMPLIES (AND (AND (<= 0 i0) (<= i0 (+ n2 1)))
         (AND (EQ (array_length t0) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (< j i0)) (EQ (access t0 j) (- n2 j))))))
(IMPLIES (> i0 n2)
(FORALL (i1)
(IMPLIES (EQ i1 (- n1 1))
(FORALL (i2)
(FORALL (t1)
(IMPLIES (AND (AND (<= (- 0 1) i2) (<= i2 (- n1 1)))
         (AND (EQ (array_length t1) (+ n2 1))
         (FORALL (j)
         (IMPLIES (AND (<= 0 j) (<= j n2))
         (EQ (min_suffix w1 w2 (+ i2 1) j (access t1 j)) |@true|)))))
(IMPLIES (< i2 0)
(IMPLIES (AND (<= 0 0) (< 0 (array_length t1)))
(FORALL (result)
(IMPLIES (EQ result (access t1 0))
(EQ (min_dist (word_of_array n1 w1) (word_of_array n2 w2) result) |@true|))))))))))))))))))))

why-2.34/examples/edit-distance/distance_why.v0000644000175000017500000001706312311670312020027 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Export words.
Require Import Omega.
Require Import Sumbool.

Axiom n1_non_negative : (0 <= n1)%Z.

Axiom n2_non_negative : (0 <= n2)%Z.

Ltac omega' :=
  generalize n1_non_negative; generalize n2_non_negative;
   abstract omega.

Definition min_suffix (w1 w2:array A) (i j n:Z) :=
  min_dist (suffix n1 w1 i) (suffix n2 w2 j) n.

Definition test_char (a b:A) := bool_of_sumbool (A_eq_dec a b).

(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A113:Set) (a1:(array A113)) (a2:(array A113)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A122:Set) (a1:(array A122)) (a2:(array A122))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

(*Why logic*) Definition n1 : Z.
Admitted.

(*Why logic*) Definition n2 : Z.
Admitted.

Proof.
intuition.
omega'.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
ArraySubst t1.
subst t1.
assert (j < i0 \/ j=i0). omega. intuition.
AccessOther; intuition.
subst; AccessSame; intuition.
Save.

Proof.
intuition.
omega'.
replace (i1 + 1)%Z with n1; [ idtac | omega' ].
unfold min_suffix.
rewrite suffix_n_is_eps.
replace (access t0 j) with (Zlength (suffix n2 w2 j)).
exact (min_dist_eps_length (suffix n2 w2 j)).
replace (access t0 j) with (n2-j).
apply suffix_length; omega'.
symmetry; auto with *.
Save.

Proof.
intuition.
omega'.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
ArraySubst t2.
subst t2.
subst result0.
replace k with n2; [ idtac | omega' ].
unfold min_suffix.
rewrite (suffix_is_cons n1 w1 i2).
rewrite suffix_n_is_eps.
AccessSame.
apply min_dist_eps.
rewrite <- suffix_n_is_eps with (n := n2) (t := w2).
apply H20; omega'.
omega'.
subst t2.
AccessOther.
apply H20; omega'.
subst old result.
replace n2 with (j + 1)%Z; [ idtac | omega' ].
apply H20; omega'.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
Save.

Proof.
intuition.
ArraySubst t4.
subst t4.
unfold min_suffix.
assert (j0=k \/ j0 < k). omega. intuition.
  (* j0=k *)
  subst j0.
  rewrite (suffix_is_cons n1 w1 i2); [ idtac | omega' ].
  rewrite (suffix_is_cons n2 w2 k); [ idtac | omega' ].
  subst.
  replace (access w1 i2) with (access w2 k).
  apply min_dist_equal.
  AccessSame.
  assumption.
  (* j0 (array A) -> Z -> Z -> Z -> Prop.
Admitted.

(*Why logic*) Definition word_of_array : Z -> (array A) -> word.
Admitted.

(*Why logic*) Definition min_dist : word -> word -> Z -> Prop.
Admitted.

why-2.34/examples/edit-distance/.depend0000644000175000017500000000027012311670312016407 0ustar  rtusersdistance_valid.vo: distance_valid.v ../../lib/coq/Why.vo ./distance_why.vo
distance_why.vo: distance_why.v ../../lib/coq/Why.vo ./words.vo
words.vo: words.v ../../lib/coq/WhyArrays.vo
why-2.34/examples/quicksort2/0000755000175000017500000000000012311670312014541 5ustar  rtuserswhy-2.34/examples/quicksort2/Makefile0000644000175000017500000000011712311670312016200 0ustar  rtusers
VO=quicksort2_valid.vo

all: quicksort2_valid.vo

include ../Makefile.common

why-2.34/examples/quicksort2/quicksort2_why.v0000644000175000017500000001076412311670312017735 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Export Why.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.




Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.


Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.



Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.




(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A122:Set) (a1:(array A122)) (a2:(array A122)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A131:Set) (a1:(array A131)) (a2:(array A131))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

why-2.34/examples/quicksort2/quicksort2_why.sx0000644000175000017500000004723312311670312020123 0ustar  rtusers
;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom access_update
 (FORALL (a i v) (EQ (access (update a i v) i) v)))

(BG_PUSH
 ;; Why axiom access_update_neq
 (FORALL (a i j v)
 (IMPLIES (NEQ i j) (EQ (access (update a i v) j) (access a j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j)
 (FORALL (a v) (EQ (access (update a i v) j) (access a j))))))

(DEFPRED (sorted_array t i j)
  (FORALL (k1 k2)
  (IMPLIES (AND (AND (<= i k1) (<= k1 k2)) (<= k2 j))
  (<= (access t k1) (access t k2)))))

(DEFPRED (exchange a1 a2 i j)
  (AND (EQ (array_length a1) (array_length a2))
  (AND (EQ (access a1 i) (access a2 j))
  (AND (EQ (access a2 i) (access a1 j))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i) (NEQ k j)) (EQ (access a1 k) (access a2 k))))))))

(BG_PUSH
 ;; Why axiom permut_refl
 (FORALL (t l u) (EQ (permut t t l u) |@true|)))

(BG_PUSH
 ;; Why axiom permut_sym
 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|) (EQ (permut t2 t1 l u) |@true|))))

(BG_PUSH
 ;; Why axiom permut_trans
 (FORALL (t1 t2 t3 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))

 (FORALL (t1 t2 l u)
 (IMPLIES (EQ (permut t1 t2 l u) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (permut t2 t3 l u) |@true|) (EQ (permut t1 t3 l u) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_exchange
 (FORALL (a1 a2 l u i j)
 (IMPLIES (AND (<= l i) (<= i u))
 (IMPLIES (AND (<= l j) (<= j u))
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|)))))

 (FORALL (l u i)
 (IMPLIES (AND (<= l i) (<= i u))
 (FORALL (j)
 (IMPLIES (AND (<= l j) (<= j u))
 (FORALL (a1 a2)
 (IMPLIES (exchange a1 a2 i j) (EQ (permut a1 a2 l u) |@true|))))))))

(BG_PUSH
 ;; Why axiom exchange_upd
 (FORALL (a i j)
 (exchange a (update (update a i (access a j)) j (access a i)) i j)))

(BG_PUSH
 ;; Why axiom permut_weakening
 (FORALL (a1 a2 l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))

 (FORALL (l1 r1 l2 r2)
 (IMPLIES (AND (AND (<= l1 l2) (<= l2 r2)) (<= r2 r1))
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l2 r2) |@true|)
 (EQ (permut a1 a2 l1 r1) |@true|))))))

(BG_PUSH
 ;; Why axiom permut_eq
 (FORALL (a1 a2 l u)
 (IMPLIES (<= l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))

 (FORALL (l u)
 (IMPLIES (<= l u)
 (FORALL (a2 a1)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (FORALL (i) (IMPLIES (OR (< i l) (< u i)) (EQ (access a2 i) (access a1 i)))))))))

(DEFPRED (permutation a1 a2)
  (EQ (permut a1 a2 0 (- (array_length a1) 1)) |@true|))

(BG_PUSH
 ;; Why axiom array_length_update
 (FORALL (a i v) (EQ (array_length (update a i v)) (array_length a))))

(BG_PUSH
 ;; Why axiom permut_array_length
 (FORALL (a1 a2 l u)
 (IMPLIES (EQ (permut a1 a2 l u) |@true|)
 (EQ (array_length a1) (array_length a2)))))

;; swap_po_1, File "quicksort2.mlw", line 11, characters 4-13
(FORALL (i)
(FORALL (j)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 i) (< i (array_length t)))
         (AND (<= 0 j) (< j (array_length t))))
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t i))
(IMPLIES (AND (<= 0 j) (< j (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t j))
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t i result0)) (AND (<= 0 j) (< j (array_length t0))))))))))))))))

;; swap_po_2, File "quicksort2.mlw", line 13, characters 4-25
(FORALL (i)
(FORALL (j)
(FORALL (t)
(IMPLIES (AND (AND (<= 0 i) (< i (array_length t)))
         (AND (<= 0 j) (< j (array_length t))))
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t i))
(IMPLIES (AND (<= 0 j) (< j (array_length t)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t j))
(IMPLIES (AND (<= 0 i) (< i (array_length t)))
(FORALL (t0)
(IMPLIES (EQ t0 (update t i result0))
(IMPLIES (AND (<= 0 j) (< j (array_length t0)))
(FORALL (t1) (IMPLIES (EQ t1 (update t0 j result)) (exchange t1 t i j)))))))))))))))))

;; quick_rec_po_1, File "quicksort2.mlw", line 21, characters 12-16
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r) (AND (<= 0 l) (< l (array_length t))))))))

;; quick_rec_po_2, File "quicksort2.mlw", line 27, characters 13-211
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(AND (FORALL (j) (IMPLIES (AND (< l j) (<= j l)) (< (access t j) result)))
(AND
(FORALL (j) (IMPLIES (AND (< l j) (< j (+ l 1))) (>= (access t j) result)))
(AND (EQ (permut t t l r) |@true|)
(AND (EQ (access t l) result)
(AND (AND (<= l l) (< l (+ l 1))) (<= (+ l 1) (+ r 1)))))))))))))))

;; quick_rec_po_3, File "quicksort2.mlw", line 32, characters 11-16
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(FORALL (i)
(FORALL (m)
(FORALL (t0)
(IMPLIES (AND
         (FORALL (j)
         (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
         (AND
         (FORALL (j)
         (IMPLIES (AND (< m j) (< j i)) (>= (access t0 j) result)))
         (AND (EQ (permut t0 t l r) |@true|)
         (AND (EQ (access t0 l) result)
         (AND (AND (<= l m) (< m i)) (<= i (+ r 1)))))))
(IMPLIES (<= i r) (AND (<= 0 i) (< i (array_length t0))))))))))))))))

;; quick_rec_po_4, File "quicksort2.mlw", line 32, characters 46-58
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(FORALL (i)
(FORALL (m)
(FORALL (t0)
(IMPLIES (AND
         (FORALL (j)
         (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
         (AND
         (FORALL (j)
         (IMPLIES (AND (< m j) (< j i)) (>= (access t0 j) result)))
         (AND (EQ (permut t0 t l r) |@true|)
         (AND (EQ (access t0 l) result)
         (AND (AND (<= l m) (< m i)) (<= i (+ r 1)))))))
(IMPLIES (<= i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (< result0 result)
(FORALL (m0)
(IMPLIES (EQ m0 (+ m 1))
(AND (AND (<= 0 i) (< i (array_length t0)))
(AND (<= 0 m0) (< m0 (array_length t0)))))))))))))))))))))))

;; quick_rec_po_5, File "quicksort2.mlw", line 27, characters 13-211
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(FORALL (i)
(FORALL (m)
(FORALL (t0)
(IMPLIES (AND
         (FORALL (j)
         (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
         (AND
         (FORALL (j)
         (IMPLIES (AND (< m j) (< j i)) (>= (access t0 j) result)))
         (AND (EQ (permut t0 t l r) |@true|)
         (AND (EQ (access t0 l) result)
         (AND (AND (<= l m) (< m i)) (<= i (+ r 1)))))))
(IMPLIES (<= i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (< result0 result)
(FORALL (m0)
(IMPLIES (EQ m0 (+ m 1))
(IMPLIES (AND (AND (<= 0 i) (< i (array_length t0)))
         (AND (<= 0 m0) (< m0 (array_length t0))))
(FORALL (t1)
(IMPLIES (exchange t1 t0 i m0)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(AND (FORALL (j) (IMPLIES (AND (< l j) (<= j m0)) (< (access t1 j) result)))
(AND (FORALL (j) (IMPLIES (AND (< m0 j) (< j i0)) (>= (access t1 j) result)))
(AND (EQ (permut t1 t l r) |@true|)
(AND (EQ (access t1 l) result)
(AND (AND (<= l m0) (< m0 i0)) (<= i0 (+ r 1)))))))))))))))))))))))))))))))

;; quick_rec_po_6, File "quicksort2.mlw", line 31, characters 18-27
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(FORALL (i)
(FORALL (m)
(FORALL (t0)
(IMPLIES (AND
         (FORALL (j)
         (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
         (AND
         (FORALL (j)
         (IMPLIES (AND (< m j) (< j i)) (>= (access t0 j) result)))
         (AND (EQ (permut t0 t l r) |@true|)
         (AND (EQ (access t0 l) result)
         (AND (AND (<= l m) (< m i)) (<= i (+ r 1)))))))
(IMPLIES (<= i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (< result0 result)
(FORALL (m0)
(IMPLIES (EQ m0 (+ m 1))
(IMPLIES (AND (AND (<= 0 i) (< i (array_length t0)))
         (AND (<= 0 m0) (< m0 (array_length t0))))
(FORALL (t1)
(IMPLIES (exchange t1 t0 i m0)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(AND (<= 0 (- (+ 1 r) i)) (< (- (+ 1 r) i0) (- (+ 1 r) i)))))))))))))))))))))))))))

;; quick_rec_po_7, File "quicksort2.mlw", line 27, characters 13-211
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(FORALL (i)
(FORALL (m)
(FORALL (t0)
(IMPLIES (AND
         (FORALL (j)
         (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
         (AND
         (FORALL (j)
         (IMPLIES (AND (< m j) (< j i)) (>= (access t0 j) result)))
         (AND (EQ (permut t0 t l r) |@true|)
         (AND (EQ (access t0 l) result)
         (AND (AND (<= l m) (< m i)) (<= i (+ r 1)))))))
(IMPLIES (<= i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (>= result0 result)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(AND (FORALL (j) (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
(AND (FORALL (j) (IMPLIES (AND (< m j) (< j i0)) (>= (access t0 j) result)))
(AND (EQ (permut t0 t l r) |@true|)
(AND (EQ (access t0 l) result) (AND (AND (<= l m) (< m i0)) (<= i0 (+ r 1))))))))))))))))))))))))))

;; quick_rec_po_8, File "quicksort2.mlw", line 31, characters 18-27
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(FORALL (i)
(FORALL (m)
(FORALL (t0)
(IMPLIES (AND
         (FORALL (j)
         (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
         (AND
         (FORALL (j)
         (IMPLIES (AND (< m j) (< j i)) (>= (access t0 j) result)))
         (AND (EQ (permut t0 t l r) |@true|)
         (AND (EQ (access t0 l) result)
         (AND (AND (<= l m) (< m i)) (<= i (+ r 1)))))))
(IMPLIES (<= i r)
(IMPLIES (AND (<= 0 i) (< i (array_length t0)))
(FORALL (result0)
(IMPLIES (EQ result0 (access t0 i))
(IMPLIES (>= result0 result)
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(AND (<= 0 (- (+ 1 r) i)) (< (- (+ 1 r) i0) (- (+ 1 r) i))))))))))))))))))))))

;; quick_rec_po_9, File "quicksort2.mlw", line 35, characters 7-18
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(FORALL (i)
(FORALL (m)
(FORALL (t0)
(IMPLIES (AND
         (FORALL (j)
         (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
         (AND
         (FORALL (j)
         (IMPLIES (AND (< m j) (< j i)) (>= (access t0 j) result)))
         (AND (EQ (permut t0 t l r) |@true|)
         (AND (EQ (access t0 l) result)
         (AND (AND (<= l m) (< m i)) (<= i (+ r 1)))))))
(IMPLIES (> i r)
(AND (AND (<= 0 l) (< l (array_length t0)))
(AND (<= 0 m) (< m (array_length t0)))))))))))))))))

;; quick_rec_po_10, File "quicksort2.mlw", line 36, characters 7-29
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(FORALL (i)
(FORALL (m)
(FORALL (t0)
(IMPLIES (AND
         (FORALL (j)
         (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
         (AND
         (FORALL (j)
         (IMPLIES (AND (< m j) (< j i)) (>= (access t0 j) result)))
         (AND (EQ (permut t0 t l r) |@true|)
         (AND (EQ (access t0 l) result)
         (AND (AND (<= l m) (< m i)) (<= i (+ r 1)))))))
(IMPLIES (> i r)
(IMPLIES (AND (AND (<= 0 l) (< l (array_length t0)))
         (AND (<= 0 m) (< m (array_length t0))))
(FORALL (t1)
(IMPLIES (exchange t1 t0 l m)
(AND (<= 0 (- (+ 1 r) l)) (< (- (+ 1 (- m 1)) l) (- (+ 1 r) l)))))))))))))))))))

;; quick_rec_po_11, File "quicksort2.mlw", line 36, characters 7-29
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(FORALL (i)
(FORALL (m)
(FORALL (t0)
(IMPLIES (AND
         (FORALL (j)
         (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
         (AND
         (FORALL (j)
         (IMPLIES (AND (< m j) (< j i)) (>= (access t0 j) result)))
         (AND (EQ (permut t0 t l r) |@true|)
         (AND (EQ (access t0 l) result)
         (AND (AND (<= l m) (< m i)) (<= i (+ r 1)))))))
(IMPLIES (> i r)
(IMPLIES (AND (AND (<= 0 l) (< l (array_length t0)))
         (AND (<= 0 m) (< m (array_length t0))))
(FORALL (t1)
(IMPLIES (exchange t1 t0 l m)
(IMPLIES (AND (<= 0 (- (+ 1 r) l)) (< (- (+ 1 (- m 1)) l) (- (+ 1 r) l)))
(AND (<= 0 l) (< (- m 1) (array_length t1))))))))))))))))))))

;; quick_rec_po_12, File "quicksort2.mlw", line 37, characters 7-29
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(FORALL (i)
(FORALL (m)
(FORALL (t0)
(IMPLIES (AND
         (FORALL (j)
         (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
         (AND
         (FORALL (j)
         (IMPLIES (AND (< m j) (< j i)) (>= (access t0 j) result)))
         (AND (EQ (permut t0 t l r) |@true|)
         (AND (EQ (access t0 l) result)
         (AND (AND (<= l m) (< m i)) (<= i (+ r 1)))))))
(IMPLIES (> i r)
(IMPLIES (AND (AND (<= 0 l) (< l (array_length t0)))
         (AND (<= 0 m) (< m (array_length t0))))
(FORALL (t1)
(IMPLIES (exchange t1 t0 l m)
(IMPLIES (AND (<= 0 (- (+ 1 r) l)) (< (- (+ 1 (- m 1)) l) (- (+ 1 r) l)))
(IMPLIES (AND (<= 0 l) (< (- m 1) (array_length t1)))
(FORALL (t2)
(IMPLIES (AND (sorted_array t2 l (- m 1))
         (EQ (permut t2 t1 l (- m 1)) |@true|))
(AND (<= 0 (- (+ 1 r) l)) (< (- (+ 1 r) (+ m 1)) (- (+ 1 r) l)))))))))))))))))))))))

;; quick_rec_po_13, File "quicksort2.mlw", line 37, characters 7-29
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(FORALL (i)
(FORALL (m)
(FORALL (t0)
(IMPLIES (AND
         (FORALL (j)
         (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
         (AND
         (FORALL (j)
         (IMPLIES (AND (< m j) (< j i)) (>= (access t0 j) result)))
         (AND (EQ (permut t0 t l r) |@true|)
         (AND (EQ (access t0 l) result)
         (AND (AND (<= l m) (< m i)) (<= i (+ r 1)))))))
(IMPLIES (> i r)
(IMPLIES (AND (AND (<= 0 l) (< l (array_length t0)))
         (AND (<= 0 m) (< m (array_length t0))))
(FORALL (t1)
(IMPLIES (exchange t1 t0 l m)
(IMPLIES (AND (<= 0 (- (+ 1 r) l)) (< (- (+ 1 (- m 1)) l) (- (+ 1 r) l)))
(IMPLIES (AND (<= 0 l) (< (- m 1) (array_length t1)))
(FORALL (t2)
(IMPLIES (AND (sorted_array t2 l (- m 1))
         (EQ (permut t2 t1 l (- m 1)) |@true|))
(IMPLIES (AND (<= 0 (- (+ 1 r) l)) (< (- (+ 1 r) (+ m 1)) (- (+ 1 r) l)))
(AND (<= 0 (+ m 1)) (< r (array_length t2))))))))))))))))))))))))

;; quick_rec_po_14, File "quicksort2.mlw", line 39, characters 4-49
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (< l r)
(IMPLIES (AND (<= 0 l) (< l (array_length t)))
(FORALL (result)
(IMPLIES (EQ result (access t l))
(FORALL (i)
(FORALL (m)
(FORALL (t0)
(IMPLIES (AND
         (FORALL (j)
         (IMPLIES (AND (< l j) (<= j m)) (< (access t0 j) result)))
         (AND
         (FORALL (j)
         (IMPLIES (AND (< m j) (< j i)) (>= (access t0 j) result)))
         (AND (EQ (permut t0 t l r) |@true|)
         (AND (EQ (access t0 l) result)
         (AND (AND (<= l m) (< m i)) (<= i (+ r 1)))))))
(IMPLIES (> i r)
(IMPLIES (AND (AND (<= 0 l) (< l (array_length t0)))
         (AND (<= 0 m) (< m (array_length t0))))
(FORALL (t1)
(IMPLIES (exchange t1 t0 l m)
(IMPLIES (AND (<= 0 (- (+ 1 r) l)) (< (- (+ 1 (- m 1)) l) (- (+ 1 r) l)))
(IMPLIES (AND (<= 0 l) (< (- m 1) (array_length t1)))
(FORALL (t2)
(IMPLIES (AND (sorted_array t2 l (- m 1))
         (EQ (permut t2 t1 l (- m 1)) |@true|))
(IMPLIES (AND (<= 0 (- (+ 1 r) l)) (< (- (+ 1 r) (+ m 1)) (- (+ 1 r) l)))
(IMPLIES (AND (<= 0 (+ m 1)) (< r (array_length t2)))
(FORALL (t3)
(IMPLIES (AND (sorted_array t3 (+ m 1) r)
         (EQ (permut t3 t2 (+ m 1) r) |@true|))
(AND (sorted_array t3 l r) (EQ (permut t3 t l r) |@true|))))))))))))))))))))))))))

;; quick_rec_po_15, File "quicksort2.mlw", line 39, characters 4-49
(FORALL (l)
(FORALL (r)
(FORALL (t)
(IMPLIES (AND (<= 0 l) (< r (array_length t)))
(IMPLIES (>= l r) (AND (sorted_array t l r) (EQ (permut t t l r) |@true|)))))))

;; quicksort_po_1, File "quicksort2.mlw", line 45, characters 3-38
(FORALL (t)
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(AND (<= 0 0) (< (- result 1) (array_length t))))))

;; quicksort_po_2, File "quicksort2.mlw", line 46, characters 4-64
(FORALL (t)
(FORALL (result)
(IMPLIES (EQ result (array_length t))
(IMPLIES (AND (<= 0 0) (< (- result 1) (array_length t)))
(FORALL (t0)
(IMPLIES (AND (sorted_array t0 0 (- result 1))
         (EQ (permut t0 t 0 (- result 1)) |@true|))
(AND (sorted_array t0 0 (- (array_length t0) 1)) (permutation t0 t))))))))

why-2.34/examples/quicksort2/quicksort2.mlw0000644000175000017500000000260212311670312017370 0ustar  rtusers
include "arrays.why"

(* A variant of quicksort, with partitioning a la Bentley *)

(* exchange of two elements *)

let swap (t:int array)(i,j:int) =
  { 0 <= i < array_length(t) and 0 <= j < array_length(t) }
  let v = t[i] in
  begin
    t[i] := t[j];
    t[j] := v
  end
  { exchange(t, t@, i, j) }

(* The recursive part of the quicksort algorithm:
   a recursive function to sort between [l] and [r] *)

let rec quick_rec (t:int array) (l,r:int) : unit { variant 1+r-l } =
  { 0 <= l and r < array_length(t) }
  if l < r then 
    let v = t[l] in
    let m = ref l in
    let i = ref (l + 1) in
    begin
      L:
      while !i <= r do
	{ invariant (forall j:int. l < j <= m -> t[j] < v)
                and (forall j:int. m < j <  i -> t[j] >= v)
                and permut(t, t@L, l, r)
                and t[l] = v and l <= m < i and i <= r + 1
          variant 1 + r - i }
        if t[!i] < v then begin m := !m + 1; (swap t !i !m) end;
        i := !i + 1
      done;
      (swap t l !m);
      (quick_rec t l (!m - 1));
      (quick_rec t (!m + 1) r)
    end
  { sorted_array(t, l, r) and permut(t, t@, l, r) }

(* At last, the main program, which is just a call to [quick_rec] *)

let quicksort (t:int array) =
  {} 
  (quick_rec t 0 ((array_length_ t)-1))
  { sorted_array(t, 0, array_length(t)-1) and permutation(t, t@) }

(*
Local Variables: 
compile-command: "gwhy quicksort2.mlw"
End: 
*)
why-2.34/examples/quicksort2/.depend0000644000175000017500000000021212311670312015774 0ustar  rtusersquicksort2_valid.vo: quicksort2_valid.v ../../lib/coq/Why.vo ./quicksort2_why.vo
quicksort2_why.vo: quicksort2_why.v ../../lib/coq/Why.vo
why-2.34/examples/string-matching/0000755000175000017500000000000012311670312015531 5ustar  rtuserswhy-2.34/examples/string-matching/Makefile0000644000175000017500000000012612311670312017170 0ustar  rtusers
all: Match.vo brute_force_valid.vo not_so_naive_valid.vo

include ../Makefile.common
why-2.34/examples/string-matching/brute_force_why.v0000644000175000017500000001301712311670312021110 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Export Match.

(*Why*) Parameter OUTPUT : forall (j: Z), unit.

(* Why obligation from file "brute_force.c", characters 369-373 *)
Lemma BF_po_1 : 
  forall (m: Z),
  forall (n: Z),
  forall (x: (array Z)),
  forall (y: (array Z)),
  forall (Pre10: (array_length x) = m /\ (array_length y) = n /\ 0 <= n /\
                 0 <= m),
  forall (j1: Z),
  forall (Post1: j1 = 0),
  forall (Variant1: Z),
  forall (j2: Z),
  forall (Pre9: Variant1 = (n - m + 1 - j2)),
  forall (Pre8: 0 <= j2),
  forall (Test8: j2 <= (n - m)),
  forall (i2: Z),
  forall (Post2: i2 = 0),
  forall (Variant3: Z),
  forall (i3: Z),
  forall (Pre6: Variant3 = (m - i3)),
  forall (Pre5: (0 <= i3 /\ i3 <= m) /\ (match_ x 0 y j2 i3)),
  forall (Test5: true = true),
  forall (Test4: i3 < m),
  0 <= i3 /\ i3 < (array_length x).
Proof.
auto with *.
Qed.

(* Why obligation from file "brute_force.c", characters 377-385 *)
Lemma BF_po_2 : 
  forall (m: Z),
  forall (n: Z),
  forall (x: (array Z)),
  forall (y: (array Z)),
  forall (Pre10: (array_length x) = m /\ (array_length y) = n /\ 0 <= n /\
                 0 <= m),
  forall (j1: Z),
  forall (Post1: j1 = 0),
  forall (Variant1: Z),
  forall (j2: Z),
  forall (Pre9: Variant1 = (n - m + 1 - j2)),
  forall (Pre8: 0 <= j2),
  forall (Test8: j2 <= (n - m)),
  forall (i2: Z),
  forall (Post2: i2 = 0),
  forall (Variant3: Z),
  forall (i3: Z),
  forall (Pre6: Variant3 = (m - i3)),
  forall (Pre5: (0 <= i3 /\ i3 <= m) /\ (match_ x 0 y j2 i3)),
  forall (Test5: true = true),
  forall (Test4: i3 < m),
  forall (Pre4: 0 <= i3 /\ i3 < (array_length x)),
  forall (c_aux_1: Z),
  forall (Post4: c_aux_1 = (access x i3)),
  0 <= (i3 + j2) /\ (i3 + j2) < (array_length y).
Proof.
auto with *.
Qed.

(* Why obligation from file "brute_force.c", characters 369-385 *)
Lemma BF_po_3 : 
  forall (m: Z),
  forall (n: Z),
  forall (x: (array Z)),
  forall (y: (array Z)),
  forall (Pre10: (array_length x) = m /\ (array_length y) = n /\ 0 <= n /\
                 0 <= m),
  forall (j1: Z),
  forall (Post1: j1 = 0),
  forall (Variant1: Z),
  forall (j2: Z),
  forall (Pre9: Variant1 = (n - m + 1 - j2)),
  forall (Pre8: 0 <= j2),
  forall (Test8: j2 <= (n - m)),
  forall (i2: Z),
  forall (Post2: i2 = 0),
  forall (Variant3: Z),
  forall (i3: Z),
  forall (Pre6: Variant3 = (m - i3)),
  forall (Pre5: (0 <= i3 /\ i3 <= m) /\ (match_ x 0 y j2 i3)),
  forall (Test5: true = true),
  forall (Test4: i3 < m),
  forall (Pre4: 0 <= i3 /\ i3 < (array_length x)),
  forall (c_aux_1: Z),
  forall (Post4: c_aux_1 = (access x i3)),
  forall (Pre3: 0 <= (i3 + j2) /\ (i3 + j2) < (array_length y)),
  forall (c_aux_2: Z),
  forall (Post3: c_aux_2 = (access y (i3 + j2))),
  forall (result4: bool),
  forall (Post25: (if result4 then c_aux_1 = c_aux_2 else c_aux_1 <> c_aux_2)),
  (if result4
   then (forall (i:Z),
         (i = (i3 + 1) -> ((0 <= i /\ i <= m) /\ (match_ x 0 y j2 i)) /\
          (Zwf 0 (m - i) (m - i3))))
   else ((i3 >= m ->
          (forall (j:Z),
           (j = (j2 + 1) -> 0 <= j /\
            (Zwf 0 (n - m + 1 - j) (n - m + 1 - j2)))) /\
          (match_ x 0 y j2 (array_length x)))) /\
   ((i3 < m ->
     (forall (j:Z),
      (j = (j2 + 1) -> 0 <= j /\ (Zwf 0 (n - m + 1 - j) (n - m + 1 - j2))))))).
Proof.
simple_destruct result4; intuition.
subst i.
apply match_right_extension; auto with *.
subst c_aux_1 c_aux_2; ring (0 + i3)%Z; ring (j2 + i3)%Z; assumption.
assert (i3 = array_length x).
 omega.
 subst i3; assumption.
Qed.

(* Why obligation from file "brute_force.c", characters 360-385 *)
Lemma BF_po_4 : 
  forall (m: Z),
  forall (n: Z),
  forall (x: (array Z)),
  forall (y: (array Z)),
  forall (Pre10: (array_length x) = m /\ (array_length y) = n /\ 0 <= n /\
                 0 <= m),
  forall (j1: Z),
  forall (Post1: j1 = 0),
  forall (Variant1: Z),
  forall (j2: Z),
  forall (Pre9: Variant1 = (n - m + 1 - j2)),
  forall (Pre8: 0 <= j2),
  forall (Test8: j2 <= (n - m)),
  forall (i2: Z),
  forall (Post2: i2 = 0),
  forall (Variant3: Z),
  forall (i3: Z),
  forall (Pre6: Variant3 = (m - i3)),
  forall (Pre5: (0 <= i3 /\ i3 <= m) /\ (match_ x 0 y j2 i3)),
  forall (Test5: true = true),
  forall (Test3: i3 >= m),
  ((i3 >= m ->
    (forall (j:Z),
     (j = (j2 + 1) -> 0 <= j /\ (Zwf 0 (n - m + 1 - j) (n - m + 1 - j2)))) /\
    (match_ x 0 y j2 (array_length x)))) /\
  ((i3 < m ->
    (forall (j:Z),
     (j = (j2 + 1) -> 0 <= j /\ (Zwf 0 (n - m + 1 - j) (n - m + 1 - j2)))))).
Proof.
intuition.
assert (i3 = array_length x).
 omega.
 subst i3; assumption.
Qed.

(* Why obligation from file "brute_force.c", characters 412-445 *)
Lemma BF_po_5 : 
  forall (m: Z),
  forall (n: Z),
  forall (x: (array Z)),
  forall (y: (array Z)),
  forall (Pre10: (array_length x) = m /\ (array_length y) = n /\ 0 <= n /\
                 0 <= m),
  forall (j1: Z),
  forall (Post1: j1 = 0),
  forall (Variant1: Z),
  forall (j2: Z),
  forall (Pre9: Variant1 = (n - m + 1 - j2)),
  forall (Pre8: 0 <= j2),
  forall (Test8: j2 <= (n - m)),
  forall (i2: Z),
  forall (Post2: i2 = 0),
  (0 <= i2 /\ i2 <= m) /\ (match_ x 0 y j2 i2).
Proof.
intuition.
subst i2; apply match_empty; auto with *.
Qed.

(* Why obligation from file "brute_force.c", characters 308-314 *)
Lemma BF_po_6 : 
  forall (m: Z),
  forall (n: Z),
  forall (x: (array Z)),
  forall (y: (array Z)),
  forall (Pre10: (array_length x) = m /\ (array_length y) = n /\ 0 <= n /\
                 0 <= m),
  forall (j1: Z),
  forall (Post1: j1 = 0),
  0 <= j1.
Proof.
intuition.
Qed.

why-2.34/examples/string-matching/not_so_naive_why.v0000644000175000017500000001342012311670312021272 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Export Match.

(*Why*) Parameter OUTPUT : forall (j: Z), unit.

(*Why*) Parameter memcmp :
  forall (i: Z), forall (j: Z), forall (n: Z), forall (x: (array Z)),
  forall (y: (array Z)),
  (sig_1 Z
   (fun (result: Z)  => (((result = 0 -> (match_ x i y j n))) /\
    ((result <> 0 -> ~(match_ x i y j n)))))).

(* Why obligation from file "not_so_naive.c", characters 523-527 *)
Lemma NSN_po_1 : 
  forall (m: Z),
  forall (n: Z),
  forall (x: (array Z)),
  forall (y: (array Z)),
  forall (Pre12: (array_length x) = m /\ (array_length y) = n /\ 0 <= n /\
                 2 <= m),
  0 <= 0 /\ 0 < (array_length x).
Proof.
auto with *.
Qed.

(* Why obligation from file "not_so_naive.c", characters 531-535 *)
Lemma NSN_po_2 : 
  forall (m: Z),
  forall (n: Z),
  forall (x: (array Z)),
  forall (y: (array Z)),
  forall (Pre12: (array_length x) = m /\ (array_length y) = n /\ 0 <= n /\
                 2 <= m),
  forall (Pre2: 0 <= 0 /\ 0 < (array_length x)),
  forall (c_aux_1: Z),
  forall (Post2: c_aux_1 = (access x 0)),
  0 <= 1 /\ 1 < (array_length x).
Proof.
auto with *.
Qed.

(* Why obligation from file "not_so_naive.c", characters 523-535 *)
Lemma NSN_po_3 : 
  forall (m: Z),
  forall (n: Z),
  forall (x: (array Z)),
  forall (y: (array Z)),
  forall (Pre12: (array_length x) = m /\ (array_length y) = n /\ 0 <= n /\
                 2 <= m),
  forall (Pre2: 0 <= 0 /\ 0 < (array_length x)),
  forall (c_aux_1: Z),
  forall (Post2: c_aux_1 = (access x 0)),
  forall (Pre1: 0 <= 1 /\ 1 < (array_length x)),
  forall (c_aux_2: Z),
  forall (Post1: c_aux_2 = (access x 1)),
  forall (result: bool),
  forall (Post27: (if result then c_aux_1 = c_aux_2 else c_aux_1 <> c_aux_2)),
  (if result
   then (forall (k:Z),
         (k = 2 ->
          (forall (ell:Z),
           (ell = 1 -> (forall (j:Z), (j = 0 -> 0 <= j)) /\ k > 0 /\ ell > 0))))
   else (forall (k:Z),
         (k = 1 ->
          (forall (ell:Z),
           (ell = 2 -> (forall (j:Z), (j = 0 -> 0 <= j)) /\ k > 0 /\ ell > 0))))).
Proof.
simple_destruct result; intuition.
Qed.

(* Why obligation from file "not_so_naive.c", characters 760-764 *)
Lemma NSN_po_4 : 
  forall (m: Z),
  forall (n: Z),
  forall (x: (array Z)),
  forall (y: (array Z)),
  forall (Pre12: (array_length x) = m /\ (array_length y) = n /\ 0 <= n /\
                 2 <= m),
  forall (ell1: Z),
  forall (k1: Z),
  forall (Pre11: k1 > 0 /\ ell1 > 0),
  forall (j1: Z),
  forall (Post7: j1 = 0),
  forall (Variant1: Z),
  forall (j2: Z),
  forall (Pre10: Variant1 = (n - m - j2)),
  forall (Pre9: 0 <= j2),
  forall (Test2: j2 <= (n - m)),
  0 <= 1 /\ 1 < (array_length x).
Proof.
auto with *.
Qed.

(* Why obligation from file "not_so_naive.c", characters 768-776 *)
Lemma NSN_po_5 : 
  forall (m: Z),
  forall (n: Z),
  forall (x: (array Z)),
  forall (y: (array Z)),
  forall (Pre12: (array_length x) = m /\ (array_length y) = n /\ 0 <= n /\
                 2 <= m),
  forall (ell1: Z),
  forall (k1: Z),
  forall (Pre11: k1 > 0 /\ ell1 > 0),
  forall (j1: Z),
  forall (Post7: j1 = 0),
  forall (Variant1: Z),
  forall (j2: Z),
  forall (Pre10: Variant1 = (n - m - j2)),
  forall (Pre9: 0 <= j2),
  forall (Test2: j2 <= (n - m)),
  forall (Pre5: 0 <= 1 /\ 1 < (array_length x)),
  forall (c_aux_7: Z),
  forall (Post9: c_aux_7 = (access x 1)),
  0 <= (j2 + 1) /\ (j2 + 1) < (array_length y).
Proof.
intuition.
Qed.

(* Why obligation from file "not_so_naive.c", characters 760-776 *)
Lemma NSN_po_6 : 
  forall (m: Z),
  forall (n: Z),
  forall (x: (array Z)),
  forall (y: (array Z)),
  forall (Pre12: (array_length x) = m /\ (array_length y) = n /\ 0 <= n /\
                 2 <= m),
  forall (ell1: Z),
  forall (k1: Z),
  forall (Pre11: k1 > 0 /\ ell1 > 0),
  forall (j1: Z),
  forall (Post7: j1 = 0),
  forall (Variant1: Z),
  forall (j2: Z),
  forall (Pre10: Variant1 = (n - m - j2)),
  forall (Pre9: 0 <= j2),
  forall (Test2: j2 <= (n - m)),
  forall (Pre5: 0 <= 1 /\ 1 < (array_length x)),
  forall (c_aux_7: Z),
  forall (Post9: c_aux_7 = (access x 1)),
  forall (Pre4: 0 <= (j2 + 1) /\ (j2 + 1) < (array_length y)),
  forall (c_aux_8: Z),
  forall (Post8: c_aux_8 = (access y (j2 + 1))),
  forall (result3: bool),
  forall (Post30: (if result3 then c_aux_7 <> c_aux_8 else c_aux_7 = c_aux_8)),
  (if result3
   then (forall (j:Z),
         (j = (j2 + k1) -> 0 <= j /\ (Zwf 0 (n - m - j) (n - m - j2))))
   else (forall (result:Z),
         (result = (j2 + 2) ->
          (forall (result0:Z),
           (((result0 = 0 -> (match_ x 2 y result (m - 2)))) /\
            ((result0 <> 0 -> ~(match_ x 2 y result (m - 2)))) ->
            ((result0 = 0 ->
              (forall (result:Z),
               (result = (access x 0) ->
                (forall (result0:Z),
                 (result0 = (access y j2) ->
                  ((result = result0 ->
                    (forall (j:Z),
                     (j = (j2 + ell1) -> 0 <= j /\
                      (Zwf 0 (n - m - j) (n - m - j2)))) /\
                    (match_ x 0 y j2 (array_length x)))) /\
                  ((result <> result0 ->
                    (forall (j:Z),
                     (j = (j2 + ell1) -> 0 <= j /\
                      (Zwf 0 (n - m - j) (n - m - j2)))))))) /\
                0 <= j2 /\ j2 < (array_length y))) /\
              0 <= 0 /\ 0 < (array_length x))) /\
            ((result0 <> 0 ->
              (forall (j:Z),
               (j = (j2 + ell1) -> 0 <= j /\ (Zwf 0 (n - m - j) (n - m - j2))))))))))).
Proof.
simple_destruct result3; unfold Zwf; intuition.
subst.
apply match_left_extension; try omega.
apply match_left_extension; try omega.
assumption.
replace (j2 + 1 + 1)%Z with (j2 + 2)%Z; try omega.
replace (array_length x - 1 - 1)%Z with (array_length x - 2)%Z; try omega.
assumption.
Qed.

why-2.34/examples/string-matching/.depend0000644000175000017500000000054612311670312016776 0ustar  rtusersMatch.vo: Match.v ../../lib/coq/WhyArrays.vo
brute_force_valid.vo: brute_force_valid.v ../../lib/coq/Why.vo ./brute_force_why.vo
brute_force_why.vo: brute_force_why.v ../../lib/coq/Why.vo ./Match.vo
not_so_naive_valid.vo: not_so_naive_valid.v ../../lib/coq/Why.vo ./not_so_naive_why.vo
not_so_naive_why.vo: not_so_naive_why.v ../../lib/coq/Why.vo ./Match.vo
why-2.34/examples/string-matching/Match.v0000644000175000017500000001063012311670312016754 0ustar  rtusers(* Load Programs. *)(**************************************************************************)
(*                                                                        *)
(* Proof of the Knuth-Morris-Pratt Algorithm.                             *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* November 1998                                                          *)
(*                                                                        *)
(**************************************************************************)

Require Export WhyArrays.

Set Implicit Arguments.
Unset Strict Implicit.


(* Here we define the property (match t1 i1 t2 i2 n) which expresses
 * that the two segments [i1...i1+n-1] of t1 and [i2...i2+n-1] of t2
 * are equal.
 *)

Inductive match_ (A:Set) (t1:array A) (i1:Z) (t2:array A) (i2 n:Z) :
Prop :=
    match_cons :
      (0 <= i1 <= array_length t1 - n)%Z ->
      (0 <= i2 <= array_length t2 - n)%Z ->
      (forall i:Z,
         (0 <= i < n)%Z -> access t1 (i1 + i) = access t2 (i2 + i)) ->
      match_ t1 i1 t2 i2 n.


(* Lemmas about match *)

Require Import Omega.

Section match_lemmas.

Variable A : Set.
Variable t1 : array A.
Variable t2 : array A.

Lemma match_empty :
 forall i1 i2:Z,
   (0 <= i1 <= array_length t1)%Z ->
   (0 <= i2 <= array_length t2)%Z -> match_ t1 i1 t2 i2 0.
Proof.
intros i1 i2 Hi1 Hi2.
apply match_cons.
 omega.
 omega.
intros.
 absurd (i < 0)%Z; omega.
Qed.

Lemma match_right_extension :
 forall i1 i2 n:Z,
   match_ t1 i1 t2 i2 n ->
   (i1 <= array_length t1 - n - 1)%Z ->
   (i2 <= array_length t2 - n - 1)%Z ->
   access t1 (i1 + n) = access t2 (i2 + n) ->
   match_ t1 i1 t2 i2 (n + 1).
Proof.
intros i1 i2 n Hmatch Hi1 Hi2 Hn.
elim Hmatch; intros Hi1' Hi2' Heq.
apply match_cons.
omega.
omega.
intros i Hi.
elim (Z_le_lt_eq_dec i n).
intro.
 apply Heq.
 omega.
intro H.
 rewrite H.
 auto.
omega.
Qed.

Lemma match_contradiction_at_first :
 forall i1 i2 n:Z,
   (0 < n)%Z -> access t1 i1 <> access t2 i2 -> ~ match_ t1 i1 t2 i2 n.
Proof.
intros i1 i2 n Hn Heq.
red.
 intro Hmatch.
 elim Hmatch; intros.
absurd (access t1 i1 = access t2 i2); [ assumption | idtac ].
replace i1 with (i1 + 0)%Z.
 replace i2 with (i2 + 0)%Z.
apply (H1 0%Z).
omega.
omega.
omega.
Qed.

Lemma match_contradiction_at_i :
 forall i1 i2 i n:Z,
   (0 < n)%Z ->
   (0 <= i < n)%Z ->
   access t1 (i1 + i) <> access t2 (i2 + i) -> ~ match_ t1 i1 t2 i2 n.
Proof.
intros i1 i2 i n Hn Hi Heq.
red.
 intro Hmatch.
 elim Hmatch; intros.
absurd (access t1 (i1 + i) = access t2 (i2 + i));
 [ assumption | idtac ].
apply (H1 i); omega.
Qed.
  
Lemma match_right_weakening :
 forall i1 i2 n n':Z,
   match_ t1 i1 t2 i2 n -> (n' < n)%Z -> match_ t1 i1 t2 i2 n'.
Proof.
intros i1 i2 n n' Hmatch Hn.
elim Hmatch; intros.
apply match_cons.
 omega.
 omega.
intros i Hi.
 apply H1; omega.
Qed.

Lemma match_left_weakening :
 forall i1 i2 n n':Z,
   match_ t1 (i1 - (n - n')) t2 (i2 - (n - n')) n ->
   (n' < n)%Z -> match_ t1 i1 t2 i2 n'.
Proof.
intros i1 i2 n n' Hmatch Hn.
decompose [match_] Hmatch.
apply match_cons.
 omega.
 omega.
intros i Hi.
replace (i1 + i)%Z with (i1 - (n - n') + (i + (n - n')))%Z.
replace (i2 + i)%Z with (i2 - (n - n') + (i + (n - n')))%Z.
apply H1.
omega.
 omega.
 omega.
Qed.

Lemma match_sym :
 forall i1 i2 n:Z, match_ t1 i1 t2 i2 n -> match_ t2 i2 t1 i1 n.
Proof.
intros i1 i2 n Hmatch.
decompose [match_] Hmatch.
apply match_cons.
 omega.
 omega.
intros i Hi.
 symmetry.
apply H1; omega.
Qed.

Variable t3 : array A.

Lemma match_trans :
 forall i1 i2 i3 n:Z,
   match_ t1 i1 t2 i2 n -> match_ t2 i2 t3 i3 n -> match_ t1 i1 t3 i3 n.
Proof.
intros i1 i2 i3 n H12 H23.
decompose [match_] H12.
 decompose [match_] H23.
apply match_cons.
 omega.
 omega.
intros i Hi.
 apply trans_equal with (y := access t2 (i2 + i)).
apply H1; omega.
apply H4; omega.
Qed.

Lemma match_left_extension :
 forall i j n:Z,
   (0 <= i)%Z ->
   (0 <= j)%Z ->
   (0 < n)%Z ->
   access t1 i = access t2 j ->
   match_ t1 (i + 1) t2 (j + 1) (n - 1) -> match_ t1 i t2 j n.
Proof.
intros i j n H1 H2 H3 H4 Hmatch.
decompose [match_] Hmatch.
apply match_cons.
 omega.
 omega.
intuition.
assert (i0 = 0%Z \/ (0 < i0)%Z).
 omega.
 intuition.
subst; ring (i + 0)%Z; ring (j + 0)%Z; assumption.
replace (i + i0)%Z with (i + 1 + (i0 - 1))%Z; try omega.
replace (j + i0)%Z with (j + 1 + (i0 - 1))%Z; try omega.
apply H5; omega.
Qed.

End match_lemmas.


  
why-2.34/examples/heapsort/0000755000175000017500000000000012311670312014260 5ustar  rtuserswhy-2.34/examples/heapsort/Makefile0000644000175000017500000000114112311670312015715 0ustar  rtusers
ML=heapsort.mlw
V=$(ML:.mlw=_why.v) $(ML:.mlw=_valid.v)
VO=$(ML:.mlw=_valid.vo)

all: heap.vo Inftree.vo $(VO)

gwhy: swap.mlw downheap.mlw heapsort.mlw $(WHYBIN)
	gwhy-bin $^

$(V): $(ML) $(WHY)
	$(WHY) $(WHYOPTIONS) $(ML)

heapsort_why.v: swap.mlw downheap.mlw heapsort.mlw $(WHYBIN)
	$(WHY) --coq-v8 $^

heapsort_why.sx: swap.mlw downheap.mlw heapsort.mlw $(WHYBIN)
	$(WHY) --simplify $^

swap.check downheap.check heapsort.check: swap.mlw downheap.mlw heapsort.mlw $(WHYBIN)
	$(WHYBIN) -tc $^

heapsort_why.why: swap.mlw downheap.mlw heapsort.mlw $(WHYBIN)
	$(WHY) --why $^

include ../Makefile.common


why-2.34/examples/heapsort/heapsort.mlw0000644000175000017500000000340612311670312016631 0ustar  rtusers
include "divisions.why"

(** Heapsort. 

    This formal proof is detailed in this paper:

    J.-C. Filliâtre and N. Magaud. Certification of sorting algorithms
    in  the system  Coq. In  Theorem Proving  in Higher  Order Logics:
    Emerging Trends, 1999.
    (http://www.lri.fr/~filliatr/ftp/publis/Filliatre-Magaud.ps.gz)    *)

(* should be useless given divisions.why
axiom div2_1 : forall n:int. 0 < n -> 0 <= n/2 < n
axiom div2_2 : forall n:int. n-1 <= 2*(n/2) <= n
*)

let heapsort =
  fun (t:int array) ->
    { 1 <= array_length(t) }
    init:
    begin
      (* first pass: we build the heap by calling downheap for 
	k=(array_length(t)-2)/2 to 0 *)
      let k = ref (computer_div (array_length_ t) 2 -1) in
      while !k >= 0 do
        { invariant -1 <= k <= array_length(t)-1 
                 and (forall i:int. k+1 <= i <= array_length(t)-1 -> 
	                            heap(t, array_length(t)-1, i))
		 and permutation(t, t@init)
          variant k+1 }
      	(downheap t !k ((array_length_ t)-1));
	k := !k-1
      done
      { heap(t, array_length(t)-1, 0) and permutation(t, t@init) };
      (* second pass: we sort by repeatedly swapping t[0] (the heap root) 
         and t[k] and restoring the heap with downheap, for k=N-1 to 0 *)
      let k = ref ((array_length_ t)-1) in
      while !k >= 1 do
        { invariant 0 <= k <= array_length(t)-1 
                 and (forall i:int. 0 <= i <= k -> heap(t, k, i))
		 and (k+1 <= array_length(t)-1 -> t[0] <= t[k+1])
		 and (k+1 <= array_length(t)-1 -> 
	              sorted_array(t, k+1, array_length(t)-1))
		 and permutation(t, t@init)	
          variant k }
        (swap t 0 !k);
        (downheap t 0 (!k-1));
	k := !k-1
      done
    end
    { sorted_array(t, 0, array_length(t)-1) and permutation(t, t@) }
why-2.34/examples/heapsort/heapsort_why.v0000644000175000017500000015763712311670312017206 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Import Omega.
Require Import heap.
Require Import Inftree.
Require Import ZArithRing.

Lemma double_div2 : forall x:Z, Zdiv2 (2 * x) = x.
Proof.
simple destruct x; auto.
Qed.

Lemma double_div2_bis : forall x:Z, (0 <= x)%Z -> Zdiv2 (2 * x + 1) = x.
Proof.
simple destruct x; auto.
intros.
simpl in H.
absurd (0 <= Zneg p)%Z.
simpl.
 compute.
 auto.
 assumption.
Qed.

Lemma lem_div2_0 :
 forall n:Z, (1 <= n)%Z -> (-1 <= Zdiv2 (n - 2) <= n - 1)%Z.
Proof.
intros.
elim (Z_lt_ge_dec 1 n); intro.
elim (Z_modulo_2 n).
intro H0; elim H0; clear H0; intros.
replace (n - 2)%Z with (2 * (x - 1))%Z.
rewrite double_div2.
omega.
 omega.
intro H0; elim H0; clear H0; intros.
replace (n - 2)%Z with (2 * (x - 1) + 1)%Z.
rewrite double_div2_bis.
omega.
 omega.
 omega.
 replace n with 1%Z.
simpl.
 omega.
 omega.
Qed.

Lemma lem_div2_1 : forall n:Z, (1 <= n)%Z -> (0 <= Zdiv2 (n - 2) + 1)%Z.
Proof.
intros n Hn.
 generalize (lem_div2_0 n Hn).
 omega.
Qed.

Lemma lem_div2_2 :
 forall n i:Z,
   (1 <= n)%Z ->
   (Zdiv2 (n - 2) + 1 <= i <= n - 1)%Z -> (2 * i >= n - 1)%Z.
Proof.
intros n i Hn.
elim (Z_lt_ge_dec 1 n); intro.
elim (Z_modulo_2 n).
intro H0; elim H0; clear H0; intros x Hx.
replace (n - 2)%Z with (2 * (x - 1))%Z.
rewrite double_div2.
omega.
 omega.
 intro H0; elim H0; clear H0; intros x Hx.
replace (n - 2)%Z with (2 * (x - 1) + 1)%Z.
rewrite double_div2_bis.
omega.
 omega.
 omega.
 replace n with 1%Z.
simpl.
 omega.
 omega.
Qed.


(* Obligations. *)

Proof.
intuition.
Qed.

Proof.
intuition SameLength t1 t0; try omega.
rewrite H10; auto with *.
apply permut_trans with (t' := t0); assumption.
unfold Zwf; Omega'.
Qed.

Proof.
intros.
generalize (lem_div2_0 (array_length t) Pre16); intuition try Omega'.
apply heap_leaf.
generalize (lem_div2_1 (array_length t) Pre16); Omega'.
apply (lem_div2_2 (array_length t) i); trivial || Omega'.
auto with datatypes.
Qed.

Proof.
intuition.
SameLength t0 t; auto with *.
Qed.

Proof.
intuition.
Qed.

Proof.
intuition.
SameLength t2 t1; omega.
apply heap_id with (t := t1).
apply heap_weakening.
 Omega'.
apply H1; Omega'.
 Omega'.
decompose [exchange] Post15; clear Post15.
unfold array_id.
intros i0 Hi0.
 symmetry.
 apply H18; Omega'.
Qed.

Proof.
intuition.
SameLength t3 t2; omega.
(* heap *)
subst k2; apply H17; Omega'.
(* t[0] <= t[k] *)
subst k2; ring (k1 - 1 + 1)%Z.
 rewrite (H16 k1); [ idtac | Omega' ].
decompose [exchange] Post15.
rewrite H24.
apply inftree_1 with (n := (k1 - 1)%Z).
apply H19.
apply inftree_weakening.
 Omega'.
apply inftree_exchange with (t1 := t1).
 Omega'.
apply inftree_3.
apply H1; Omega'.
assumption.
 Omega'.
(* sorted *)
subst k2; ring (k1 - 1 + 1)%Z.
  elim (Z_le_lt_eq_dec k1 (array_length t1 - 1) H6); intro.
  (* k0 < N-1 *)
  replace k1 with (k1 + 1 - 1)%Z; [ idtac | Omega' ].
  apply left_extension.
 Omega'.
 Omega'.
  apply sorted_array_id with (t1 := t2).
   apply sorted_array_id with (t1 := t1).
   SameLength t3 t2; SameLength t2 t1; SameLength t1 t.
  rewrite H20; rewrite H21.
 apply H7; Omega'.
  decompose [exchange] Post15.
  unfold array_id.
 intros i Hi.
 symmetry.
   SameLength t3 t2; apply H25; try Omega'.
  unfold array_id.
 intros i Hi.
 symmetry.
 apply H16; Omega'.
  (* t3[k0] <= t3[k0+1] *)
  ring (k1 + 1 - 1)%Z.
   rewrite (H16 k1); [ idtac | Omega' ].
  rewrite (H16 (k1 + 1)%Z);
   [ idtac | SameLength t3 t2; SameLength t2 t1; Omega' ].
  decompose [exchange] Post15.
  rewrite H24.
 rewrite (H25 (k1 + 1)%Z); [ idtac | Omega' | Omega' | Omega' ].
  apply H4; Omega'.
  (* k0 = N-1 *)
  rewrite b.
   unfold sorted_array.
  intros HN x HHx Hx.
   absurd (x >= array_length t3 - 1)%Z; SameLength t3 t2;
    SameLength t2 t1; Omega'.
(* (permut t3 t) *)
apply permut_trans with (t' := t2); try assumption.
 apply permut_trans with (t' := t1).
apply exchange_is_permut with (i := 0%Z) (j := k1).
 assumption.
 assumption.
 Qed.

Proof.
intuition SameLength t0 t; try omega.
apply heap_all.
subst k; assumption.
tauto.
intro; absurd (array_length t0 - 1 + 1 <= array_length t0 - 1)%Z;
 Omega'.
Qed.

Proof.
intuition.
elim (Z_le_lt_eq_dec 1 (array_length t) Pre16); intro.
  (* 1 < N *)
  replace 0%Z with (1 - 1)%Z; [ idtac | Omega' ].
  apply left_extension.
 Omega'.
 Omega'.
  replace 1%Z with (k1 + 1)%Z; [ idtac | Omega' ].
  replace (array_length t1 - (k1 + 1))%Z with (array_length t1 - 1)%Z;
   [ idtac | Omega' ].
  apply H6; SameLength t1 t; Omega'.
  replace (1 - 1)%Z with 0%Z; [ idtac | Omega' ].
 (* Ring `1-1`. *)
  replace 1%Z with (k1 + 1)%Z; [ idtac | Omega' ].
  apply H4; SameLength t1 t; Omega'.
  (* 1 = N *)
  unfold sorted_array.
   intros HN x HHx Hx.
   absurd (x >= array_length t - 1)%Z; SameLength t1 t; Omega'.
Qed.

Require Import swap_why.
Require Import downheap_why.


Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.


Admitted.

Admitted.

(*Why logic*) Definition lt_int_bool : Z -> Z -> bool.
Admitted.

(*Why logic*) Definition le_int_bool : Z -> Z -> bool.
Admitted.

(*Why logic*) Definition gt_int_bool : Z -> Z -> bool.
Admitted.

(*Why logic*) Definition ge_int_bool : Z -> Z -> bool.
Admitted.

(*Why logic*) Definition eq_int_bool : Z -> Z -> bool.
Admitted.

(*Why logic*) Definition neq_int_bool : Z -> Z -> bool.
Admitted.

(*Why axiom*) Lemma lt_int_bool_axiom :
  (forall (x:Z), (forall (y:Z), ((lt_int_bool x y) = true <-> x < y))).
Admitted.

(*Why axiom*) Lemma le_int_bool_axiom :
  (forall (x:Z), (forall (y:Z), ((le_int_bool x y) = true <-> x <= y))).
Admitted.

(*Why axiom*) Lemma gt_int_bool_axiom :
  (forall (x:Z), (forall (y:Z), ((gt_int_bool x y) = true <-> x > y))).
Admitted.

(*Why axiom*) Lemma ge_int_bool_axiom :
  (forall (x:Z), (forall (y:Z), ((ge_int_bool x y) = true <-> x >= y))).
Admitted.

(*Why axiom*) Lemma eq_int_bool_axiom :
  (forall (x:Z), (forall (y:Z), ((eq_int_bool x y) = true <-> x = y))).
Admitted.

(*Why axiom*) Lemma neq_int_bool_axiom :
  (forall (x:Z), (forall (y:Z), ((neq_int_bool x y) = true <-> x <> y))).
Admitted.

(*Why logic*) Definition abs_int : Z -> Z.
Admitted.

(*Why axiom*) Lemma abs_int_pos :
  (forall (x:Z), (x >= 0 -> (abs_int x) = x)).
Admitted.

(*Why axiom*) Lemma abs_int_neg :
  (forall (x:Z), (x <= 0 -> (abs_int x) = (Zopp x))).
Admitted.

(*Why logic*) Definition int_max : Z -> Z -> Z.
Admitted.

(*Why logic*) Definition int_min : Z -> Z -> Z.
Admitted.

(*Why axiom*) Lemma int_max_is_ge :
  (forall (x:Z), (forall (y:Z), (int_max x y) >= x /\ (int_max x y) >= y)).
Admitted.

(*Why axiom*) Lemma int_max_is_some :
  (forall (x:Z), (forall (y:Z), (int_max x y) = x \/ (int_max x y) = y)).
Admitted.

(*Why axiom*) Lemma int_min_is_le :
  (forall (x:Z), (forall (y:Z), (int_min x y) <= x /\ (int_min x y) <= y)).
Admitted.

(*Why axiom*) Lemma int_min_is_some :
  (forall (x:Z), (forall (y:Z), (int_min x y) = x \/ (int_min x y) = y)).
Admitted.

(*Why logic*) Definition computer_div : Z -> Z -> Z.
Admitted.

(*Why logic*) Definition computer_mod : Z -> Z -> Z.
Admitted.

(*Why logic*) Definition math_div : Z -> Z -> Z.
Admitted.

(*Why logic*) Definition math_mod : Z -> Z -> Z.
Admitted.

(*Why axiom*) Lemma math_div_mod :
  (forall (x:Z),
   (forall (y:Z), (y <> 0 -> x = (y * (math_div x y) + (math_mod x y))))).
Admitted.

(*Why axiom*) Lemma math_mod_bound :
  (forall (x:Z),
   (forall (y:Z),
    (y <> 0 -> 0 <= (math_mod x y) /\ (math_mod x y) < (abs_int y)))).
Admitted.

(*Why axiom*) Lemma computer_div_mod :
  (forall (x:Z),
   (forall (y:Z),
    (y <> 0 -> x = (y * (computer_div x y) + (computer_mod x y))))).
Admitted.

(*Why axiom*) Lemma computer_mod_bound :
  (forall (x:Z),
   (forall (y:Z), (y <> 0 -> (abs_int (computer_mod x y)) < (abs_int y)))).
Admitted.

(*Why axiom*) Lemma computer_mod_sign_pos :
  (forall (x:Z),
   (forall (y:Z), (x >= 0 /\ y <> 0 -> (computer_mod x y) >= 0))).
Admitted.

(*Why axiom*) Lemma computer_mod_sign_neg :
  (forall (x:Z),
   (forall (y:Z), (x <= 0 /\ y <> 0 -> (computer_mod x y) <= 0))).
Admitted.

(*Why axiom*) Lemma computer_rounds_toward_zero :
  (forall (x:Z),
   (forall (y:Z),
    (y <> 0 -> (abs_int ((computer_div x y) * y)) <= (abs_int x)))).
Admitted.

(* Why obligation from file "heapsort.mlw", line 27, characters 20-209: *)
(*Why goal*) Lemma heapsort_po_1 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  (-1) <= ((computer_div result 2) - 1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 27, characters 20-209: *)
(*Why goal*) Lemma heapsort_po_2 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  ((computer_div result 2) - 1) <= ((array_length t) - 1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 27, characters 20-209: *)
(*Why goal*) Lemma heapsort_po_3 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (i: Z),
  forall (HW_3: ((computer_div result 2) - 1 + 1) <= i /\ i <=
                ((array_length t) - 1)),
  (heap t ((array_length t) - 1) i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 27, characters 20-209: *)
(*Why goal*) Lemma heapsort_po_4 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  (permutation t t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 32, characters 8-43: *)
(*Why goal*) Lemma heapsort_po_5 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_5: k >= 0),
  forall (result0: Z),
  forall (HW_6: result0 = (array_length t0)),
  0 <= k.
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 32, characters 8-43: *)
(*Why goal*) Lemma heapsort_po_6 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_5: k >= 0),
  forall (result0: Z),
  forall (HW_6: result0 = (array_length t0)),
  k <= (result0 - 1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 32, characters 8-43: *)
(*Why goal*) Lemma heapsort_po_7 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_5: k >= 0),
  forall (result0: Z),
  forall (HW_6: result0 = (array_length t0)),
  (result0 - 1) < (array_length t0).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 32, characters 8-43: *)
(*Why goal*) Lemma heapsort_po_8 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_5: k >= 0),
  forall (result0: Z),
  forall (HW_6: result0 = (array_length t0)),
  forall (i: Z),
  forall (HW_7: (k + 1) <= i /\ i <= (result0 - 1)),
  (heap t0 (result0 - 1) i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 27, characters 20-209: *)
(*Why goal*) Lemma heapsort_po_9 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_5: k >= 0),
  forall (result0: Z),
  forall (HW_6: result0 = (array_length t0)),
  forall (HW_8: (0 <= k /\ k <= (result0 - 1)) /\ (result0 - 1) <
                (array_length t0) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= (result0 - 1) ->
                  (heap t0 (result0 - 1) i)))),
  forall (t1: (array Z)),
  forall (HW_9: (permutation t1 t0) /\
                (forall (i:Z),
                 (k <= i /\ i <= (result0 - 1) -> (heap t1 (result0 - 1) i))) /\
                (forall (i:Z),
                 (0 <= i /\ i < k \/ k < i /\ i < (2 * k + 1) \/
                  (result0 - 1) < i /\ i < (array_length t1) ->
                  (access t1 i) = (access t0 i))) /\
                (forall (v:Z),
                 ((inftree t0 (result0 - 1) v k) ->
                  (inftree t1 (result0 - 1) v k)))),
  forall (k0: Z),
  forall (HW_10: k0 = (k - 1)),
  (-1) <= k0.
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 27, characters 20-209: *)
(*Why goal*) Lemma heapsort_po_10 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_5: k >= 0),
  forall (result0: Z),
  forall (HW_6: result0 = (array_length t0)),
  forall (HW_8: (0 <= k /\ k <= (result0 - 1)) /\ (result0 - 1) <
                (array_length t0) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= (result0 - 1) ->
                  (heap t0 (result0 - 1) i)))),
  forall (t1: (array Z)),
  forall (HW_9: (permutation t1 t0) /\
                (forall (i:Z),
                 (k <= i /\ i <= (result0 - 1) -> (heap t1 (result0 - 1) i))) /\
                (forall (i:Z),
                 (0 <= i /\ i < k \/ k < i /\ i < (2 * k + 1) \/
                  (result0 - 1) < i /\ i < (array_length t1) ->
                  (access t1 i) = (access t0 i))) /\
                (forall (v:Z),
                 ((inftree t0 (result0 - 1) v k) ->
                  (inftree t1 (result0 - 1) v k)))),
  forall (k0: Z),
  forall (HW_10: k0 = (k - 1)),
  k0 <= ((array_length t1) - 1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 27, characters 20-209: *)
(*Why goal*) Lemma heapsort_po_11 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_5: k >= 0),
  forall (result0: Z),
  forall (HW_6: result0 = (array_length t0)),
  forall (HW_8: (0 <= k /\ k <= (result0 - 1)) /\ (result0 - 1) <
                (array_length t0) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= (result0 - 1) ->
                  (heap t0 (result0 - 1) i)))),
  forall (t1: (array Z)),
  forall (HW_9: (permutation t1 t0) /\
                (forall (i:Z),
                 (k <= i /\ i <= (result0 - 1) -> (heap t1 (result0 - 1) i))) /\
                (forall (i:Z),
                 (0 <= i /\ i < k \/ k < i /\ i < (2 * k + 1) \/
                  (result0 - 1) < i /\ i < (array_length t1) ->
                  (access t1 i) = (access t0 i))) /\
                (forall (v:Z),
                 ((inftree t0 (result0 - 1) v k) ->
                  (inftree t1 (result0 - 1) v k)))),
  forall (k0: Z),
  forall (HW_10: k0 = (k - 1)),
  forall (i: Z),
  forall (HW_11: (k0 + 1) <= i /\ i <= ((array_length t1) - 1)),
  (heap t1 ((array_length t1) - 1) i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 27, characters 20-209: *)
(*Why goal*) Lemma heapsort_po_12 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_5: k >= 0),
  forall (result0: Z),
  forall (HW_6: result0 = (array_length t0)),
  forall (HW_8: (0 <= k /\ k <= (result0 - 1)) /\ (result0 - 1) <
                (array_length t0) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= (result0 - 1) ->
                  (heap t0 (result0 - 1) i)))),
  forall (t1: (array Z)),
  forall (HW_9: (permutation t1 t0) /\
                (forall (i:Z),
                 (k <= i /\ i <= (result0 - 1) -> (heap t1 (result0 - 1) i))) /\
                (forall (i:Z),
                 (0 <= i /\ i < k \/ k < i /\ i < (2 * k + 1) \/
                  (result0 - 1) < i /\ i < (array_length t1) ->
                  (access t1 i) = (access t0 i))) /\
                (forall (v:Z),
                 ((inftree t0 (result0 - 1) v k) ->
                  (inftree t1 (result0 - 1) v k)))),
  forall (k0: Z),
  forall (HW_10: k0 = (k - 1)),
  (permutation t1 t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 31, characters 18-21: *)
(*Why goal*) Lemma heapsort_po_13 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_5: k >= 0),
  forall (result0: Z),
  forall (HW_6: result0 = (array_length t0)),
  forall (HW_8: (0 <= k /\ k <= (result0 - 1)) /\ (result0 - 1) <
                (array_length t0) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= (result0 - 1) ->
                  (heap t0 (result0 - 1) i)))),
  forall (t1: (array Z)),
  forall (HW_9: (permutation t1 t0) /\
                (forall (i:Z),
                 (k <= i /\ i <= (result0 - 1) -> (heap t1 (result0 - 1) i))) /\
                (forall (i:Z),
                 (0 <= i /\ i < k \/ k < i /\ i < (2 * k + 1) \/
                  (result0 - 1) < i /\ i < (array_length t1) ->
                  (access t1 i) = (access t0 i))) /\
                (forall (v:Z),
                 ((inftree t0 (result0 - 1) v k) ->
                  (inftree t1 (result0 - 1) v k)))),
  forall (k0: Z),
  forall (HW_10: k0 = (k - 1)),
  0 <= (k + 1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 31, characters 18-21: *)
(*Why goal*) Lemma heapsort_po_14 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_5: k >= 0),
  forall (result0: Z),
  forall (HW_6: result0 = (array_length t0)),
  forall (HW_8: (0 <= k /\ k <= (result0 - 1)) /\ (result0 - 1) <
                (array_length t0) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= (result0 - 1) ->
                  (heap t0 (result0 - 1) i)))),
  forall (t1: (array Z)),
  forall (HW_9: (permutation t1 t0) /\
                (forall (i:Z),
                 (k <= i /\ i <= (result0 - 1) -> (heap t1 (result0 - 1) i))) /\
                (forall (i:Z),
                 (0 <= i /\ i < k \/ k < i /\ i < (2 * k + 1) \/
                  (result0 - 1) < i /\ i < (array_length t1) ->
                  (access t1 i) = (access t0 i))) /\
                (forall (v:Z),
                 ((inftree t0 (result0 - 1) v k) ->
                  (inftree t1 (result0 - 1) v k)))),
  forall (k0: Z),
  forall (HW_10: k0 = (k - 1)),
  (k0 + 1) < (k + 1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 35, characters 8-66: *)
(*Why goal*) Lemma heapsort_po_15 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  (heap t0 ((array_length t0) - 1) 0).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 35, characters 8-66: *)
(*Why goal*) Lemma heapsort_po_16 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  (permutation t0 t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 40, characters 20-289: *)
(*Why goal*) Lemma heapsort_po_17 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  0 <= (result0 - 1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 40, characters 20-289: *)
(*Why goal*) Lemma heapsort_po_18 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  (result0 - 1) <= ((array_length t0) - 1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 40, characters 20-289: *)
(*Why goal*) Lemma heapsort_po_19 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (i: Z),
  forall (HW_14: 0 <= i /\ i <= (result0 - 1)),
  (heap t0 (result0 - 1) i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 40, characters 20-289: *)
(*Why goal*) Lemma heapsort_po_20 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (HW_15: (result0 - 1 + 1) <= ((array_length t0) - 1)),
  (access t0 0) <= (access t0 (result0 - 1 + 1)).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 40, characters 20-289: *)
(*Why goal*) Lemma heapsort_po_21 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (HW_16: (result0 - 1 + 1) <= ((array_length t0) - 1)),
  (sorted_array t0 (result0 - 1 + 1) ((array_length t0) - 1)).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 40, characters 20-289: *)
(*Why goal*) Lemma heapsort_po_22 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  (permutation t0 t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 47, characters 9-20: *)
(*Why goal*) Lemma heapsort_po_23 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  0 <= 0.
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 47, characters 9-20: *)
(*Why goal*) Lemma heapsort_po_24 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  0 < (array_length t1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 47, characters 9-20: *)
(*Why goal*) Lemma heapsort_po_25 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  0 <= k0.
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 47, characters 9-20: *)
(*Why goal*) Lemma heapsort_po_26 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  k0 < (array_length t1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 48, characters 9-28: *)
(*Why goal*) Lemma heapsort_po_27 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  forall (HW_19: (0 <= 0 /\ 0 < (array_length t1)) /\ 0 <= k0 /\ k0 <
                 (array_length t1)),
  forall (t2: (array Z)),
  forall (HW_20: (exchange t2 t1 0 k0)),
  0 <= 0.
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 48, characters 9-28: *)
(*Why goal*) Lemma heapsort_po_28 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  forall (HW_19: (0 <= 0 /\ 0 < (array_length t1)) /\ 0 <= k0 /\ k0 <
                 (array_length t1)),
  forall (t2: (array Z)),
  forall (HW_20: (exchange t2 t1 0 k0)),
  0 <= (k0 - 1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 48, characters 9-28: *)
(*Why goal*) Lemma heapsort_po_29 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  forall (HW_19: (0 <= 0 /\ 0 < (array_length t1)) /\ 0 <= k0 /\ k0 <
                 (array_length t1)),
  forall (t2: (array Z)),
  forall (HW_20: (exchange t2 t1 0 k0)),
  (k0 - 1) < (array_length t2).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 48, characters 9-28: *)
(*Why goal*) Lemma heapsort_po_30 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  forall (HW_19: (0 <= 0 /\ 0 < (array_length t1)) /\ 0 <= k0 /\ k0 <
                 (array_length t1)),
  forall (t2: (array Z)),
  forall (HW_20: (exchange t2 t1 0 k0)),
  forall (i: Z),
  forall (HW_21: (0 + 1) <= i /\ i <= (k0 - 1)),
  (heap t2 (k0 - 1) i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 40, characters 20-289: *)
(*Why goal*) Lemma heapsort_po_31 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  forall (HW_19: (0 <= 0 /\ 0 < (array_length t1)) /\ 0 <= k0 /\ k0 <
                 (array_length t1)),
  forall (t2: (array Z)),
  forall (HW_20: (exchange t2 t1 0 k0)),
  forall (HW_22: (0 <= 0 /\ 0 <= (k0 - 1)) /\ (k0 - 1) < (array_length t2) /\
                 (forall (i:Z),
                  ((0 + 1) <= i /\ i <= (k0 - 1) -> (heap t2 (k0 - 1) i)))),
  forall (t3: (array Z)),
  forall (HW_23: (permutation t3 t2) /\
                 (forall (i:Z),
                  (0 <= i /\ i <= (k0 - 1) -> (heap t3 (k0 - 1) i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < 0 \/ 0 < i /\ i < (2 * 0 + 1) \/ (k0 - 1) <
                   i /\ i < (array_length t3) -> (access t3 i) =
                   (access t2 i))) /\
                 (forall (v:Z),
                  ((inftree t2 (k0 - 1) v 0) -> (inftree t3 (k0 - 1) v 0)))),
  forall (k1: Z),
  forall (HW_24: k1 = (k0 - 1)),
  0 <= k1.
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 40, characters 20-289: *)
(*Why goal*) Lemma heapsort_po_32 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  forall (HW_19: (0 <= 0 /\ 0 < (array_length t1)) /\ 0 <= k0 /\ k0 <
                 (array_length t1)),
  forall (t2: (array Z)),
  forall (HW_20: (exchange t2 t1 0 k0)),
  forall (HW_22: (0 <= 0 /\ 0 <= (k0 - 1)) /\ (k0 - 1) < (array_length t2) /\
                 (forall (i:Z),
                  ((0 + 1) <= i /\ i <= (k0 - 1) -> (heap t2 (k0 - 1) i)))),
  forall (t3: (array Z)),
  forall (HW_23: (permutation t3 t2) /\
                 (forall (i:Z),
                  (0 <= i /\ i <= (k0 - 1) -> (heap t3 (k0 - 1) i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < 0 \/ 0 < i /\ i < (2 * 0 + 1) \/ (k0 - 1) <
                   i /\ i < (array_length t3) -> (access t3 i) =
                   (access t2 i))) /\
                 (forall (v:Z),
                  ((inftree t2 (k0 - 1) v 0) -> (inftree t3 (k0 - 1) v 0)))),
  forall (k1: Z),
  forall (HW_24: k1 = (k0 - 1)),
  k1 <= ((array_length t3) - 1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 40, characters 20-289: *)
(*Why goal*) Lemma heapsort_po_33 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  forall (HW_19: (0 <= 0 /\ 0 < (array_length t1)) /\ 0 <= k0 /\ k0 <
                 (array_length t1)),
  forall (t2: (array Z)),
  forall (HW_20: (exchange t2 t1 0 k0)),
  forall (HW_22: (0 <= 0 /\ 0 <= (k0 - 1)) /\ (k0 - 1) < (array_length t2) /\
                 (forall (i:Z),
                  ((0 + 1) <= i /\ i <= (k0 - 1) -> (heap t2 (k0 - 1) i)))),
  forall (t3: (array Z)),
  forall (HW_23: (permutation t3 t2) /\
                 (forall (i:Z),
                  (0 <= i /\ i <= (k0 - 1) -> (heap t3 (k0 - 1) i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < 0 \/ 0 < i /\ i < (2 * 0 + 1) \/ (k0 - 1) <
                   i /\ i < (array_length t3) -> (access t3 i) =
                   (access t2 i))) /\
                 (forall (v:Z),
                  ((inftree t2 (k0 - 1) v 0) -> (inftree t3 (k0 - 1) v 0)))),
  forall (k1: Z),
  forall (HW_24: k1 = (k0 - 1)),
  forall (i: Z),
  forall (HW_25: 0 <= i /\ i <= k1),
  (heap t3 k1 i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 40, characters 20-289: *)
(*Why goal*) Lemma heapsort_po_34 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  forall (HW_19: (0 <= 0 /\ 0 < (array_length t1)) /\ 0 <= k0 /\ k0 <
                 (array_length t1)),
  forall (t2: (array Z)),
  forall (HW_20: (exchange t2 t1 0 k0)),
  forall (HW_22: (0 <= 0 /\ 0 <= (k0 - 1)) /\ (k0 - 1) < (array_length t2) /\
                 (forall (i:Z),
                  ((0 + 1) <= i /\ i <= (k0 - 1) -> (heap t2 (k0 - 1) i)))),
  forall (t3: (array Z)),
  forall (HW_23: (permutation t3 t2) /\
                 (forall (i:Z),
                  (0 <= i /\ i <= (k0 - 1) -> (heap t3 (k0 - 1) i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < 0 \/ 0 < i /\ i < (2 * 0 + 1) \/ (k0 - 1) <
                   i /\ i < (array_length t3) -> (access t3 i) =
                   (access t2 i))) /\
                 (forall (v:Z),
                  ((inftree t2 (k0 - 1) v 0) -> (inftree t3 (k0 - 1) v 0)))),
  forall (k1: Z),
  forall (HW_24: k1 = (k0 - 1)),
  forall (HW_26: (k1 + 1) <= ((array_length t3) - 1)),
  (access t3 0) <= (access t3 (k1 + 1)).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 40, characters 20-289: *)
(*Why goal*) Lemma heapsort_po_35 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  forall (HW_19: (0 <= 0 /\ 0 < (array_length t1)) /\ 0 <= k0 /\ k0 <
                 (array_length t1)),
  forall (t2: (array Z)),
  forall (HW_20: (exchange t2 t1 0 k0)),
  forall (HW_22: (0 <= 0 /\ 0 <= (k0 - 1)) /\ (k0 - 1) < (array_length t2) /\
                 (forall (i:Z),
                  ((0 + 1) <= i /\ i <= (k0 - 1) -> (heap t2 (k0 - 1) i)))),
  forall (t3: (array Z)),
  forall (HW_23: (permutation t3 t2) /\
                 (forall (i:Z),
                  (0 <= i /\ i <= (k0 - 1) -> (heap t3 (k0 - 1) i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < 0 \/ 0 < i /\ i < (2 * 0 + 1) \/ (k0 - 1) <
                   i /\ i < (array_length t3) -> (access t3 i) =
                   (access t2 i))) /\
                 (forall (v:Z),
                  ((inftree t2 (k0 - 1) v 0) -> (inftree t3 (k0 - 1) v 0)))),
  forall (k1: Z),
  forall (HW_24: k1 = (k0 - 1)),
  forall (HW_27: (k1 + 1) <= ((array_length t3) - 1)),
  (sorted_array t3 (k1 + 1) ((array_length t3) - 1)).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 40, characters 20-289: *)
(*Why goal*) Lemma heapsort_po_36 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  forall (HW_19: (0 <= 0 /\ 0 < (array_length t1)) /\ 0 <= k0 /\ k0 <
                 (array_length t1)),
  forall (t2: (array Z)),
  forall (HW_20: (exchange t2 t1 0 k0)),
  forall (HW_22: (0 <= 0 /\ 0 <= (k0 - 1)) /\ (k0 - 1) < (array_length t2) /\
                 (forall (i:Z),
                  ((0 + 1) <= i /\ i <= (k0 - 1) -> (heap t2 (k0 - 1) i)))),
  forall (t3: (array Z)),
  forall (HW_23: (permutation t3 t2) /\
                 (forall (i:Z),
                  (0 <= i /\ i <= (k0 - 1) -> (heap t3 (k0 - 1) i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < 0 \/ 0 < i /\ i < (2 * 0 + 1) \/ (k0 - 1) <
                   i /\ i < (array_length t3) -> (access t3 i) =
                   (access t2 i))) /\
                 (forall (v:Z),
                  ((inftree t2 (k0 - 1) v 0) -> (inftree t3 (k0 - 1) v 0)))),
  forall (k1: Z),
  forall (HW_24: k1 = (k0 - 1)),
  (permutation t3 t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 46, characters 18-19: *)
(*Why goal*) Lemma heapsort_po_37 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  forall (HW_19: (0 <= 0 /\ 0 < (array_length t1)) /\ 0 <= k0 /\ k0 <
                 (array_length t1)),
  forall (t2: (array Z)),
  forall (HW_20: (exchange t2 t1 0 k0)),
  forall (HW_22: (0 <= 0 /\ 0 <= (k0 - 1)) /\ (k0 - 1) < (array_length t2) /\
                 (forall (i:Z),
                  ((0 + 1) <= i /\ i <= (k0 - 1) -> (heap t2 (k0 - 1) i)))),
  forall (t3: (array Z)),
  forall (HW_23: (permutation t3 t2) /\
                 (forall (i:Z),
                  (0 <= i /\ i <= (k0 - 1) -> (heap t3 (k0 - 1) i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < 0 \/ 0 < i /\ i < (2 * 0 + 1) \/ (k0 - 1) <
                   i /\ i < (array_length t3) -> (access t3 i) =
                   (access t2 i))) /\
                 (forall (v:Z),
                  ((inftree t2 (k0 - 1) v 0) -> (inftree t3 (k0 - 1) v 0)))),
  forall (k1: Z),
  forall (HW_24: k1 = (k0 - 1)),
  0 <= k0.
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 46, characters 18-19: *)
(*Why goal*) Lemma heapsort_po_38 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_18: k0 >= 1),
  forall (HW_19: (0 <= 0 /\ 0 < (array_length t1)) /\ 0 <= k0 /\ k0 <
                 (array_length t1)),
  forall (t2: (array Z)),
  forall (HW_20: (exchange t2 t1 0 k0)),
  forall (HW_22: (0 <= 0 /\ 0 <= (k0 - 1)) /\ (k0 - 1) < (array_length t2) /\
                 (forall (i:Z),
                  ((0 + 1) <= i /\ i <= (k0 - 1) -> (heap t2 (k0 - 1) i)))),
  forall (t3: (array Z)),
  forall (HW_23: (permutation t3 t2) /\
                 (forall (i:Z),
                  (0 <= i /\ i <= (k0 - 1) -> (heap t3 (k0 - 1) i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < 0 \/ 0 < i /\ i < (2 * 0 + 1) \/ (k0 - 1) <
                   i /\ i < (array_length t3) -> (access t3 i) =
                   (access t2 i))) /\
                 (forall (v:Z),
                  ((inftree t2 (k0 - 1) v 0) -> (inftree t3 (k0 - 1) v 0)))),
  forall (k1: Z),
  forall (HW_24: k1 = (k0 - 1)),
  k1 < k0.
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 52, characters 6-66: *)
(*Why goal*) Lemma heapsort_po_39 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_28: k0 < 1),
  (sorted_array t1 0 ((array_length t1) - 1)).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "heapsort.mlw", line 52, characters 6-66: *)
(*Why goal*) Lemma heapsort_po_40 : 
  forall (t: (array Z)),
  forall (HW_1: 1 <= (array_length t)),
  forall (result: Z),
  forall (HW_2: result = (array_length t)),
  forall (k: Z),
  forall (t0: (array Z)),
  forall (HW_4: ((-1) <= k /\ k <= ((array_length t0) - 1)) /\
                (forall (i:Z),
                 ((k + 1) <= i /\ i <= ((array_length t0) - 1) ->
                  (heap t0 ((array_length t0) - 1) i))) /\
                (permutation t0 t)),
  forall (HW_12: k < 0),
  forall (result0: Z),
  forall (HW_13: result0 = (array_length t0)),
  forall (k0: Z),
  forall (t1: (array Z)),
  forall (HW_17: (0 <= k0 /\ k0 <= ((array_length t1) - 1)) /\
                 (forall (i:Z), (0 <= i /\ i <= k0 -> (heap t1 k0 i))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) -> (access t1 0) <=
                   (access t1 (k0 + 1)))) /\
                 (((k0 + 1) <= ((array_length t1) - 1) ->
                   (sorted_array t1 (k0 + 1) ((array_length t1) - 1)))) /\
                 (permutation t1 t)),
  forall (HW_28: k0 < 1),
  (permutation t1 t).
Proof.
(* FILL PROOF HERE *)
Save.

why-2.34/examples/heapsort/Inftree.v0000644000175000017500000001210212311670312016037 0ustar  rtusers(* Load Programs. *)(**************************************************************************)
(*                                                                        *)
(* Proof of the Heapsort Algorithm.                                       *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* March 1999                                                             *)
(*                                                                        *)
(**************************************************************************)

Require Import ZArith.
Require Import Why.
Require Import Omega.

Require Import heap.

Set Implicit Arguments.
Unset Strict Implicit.

(* We will also need another property about a heap, which is to have
 * all his elements smaller or equal than a given value v.
 *
 * It is expressed by the predicate (inftree t n v k), inductively
 * defined as follows:
 *)

Inductive inftree (t:array Z) (n v:Z) : Z -> Prop :=
    inftree_cons :
      forall k:Z,
        (0 <= k <= n)%Z ->
        (access t k <= v)%Z ->
        ((2 * k + 1 <= n)%Z -> inftree t n v (2 * k + 1)%Z) ->
        ((2 * k + 2 <= n)%Z -> inftree t n v (2 * k + 2)%Z) ->
        inftree t n v k.

(* Some lemmas about inftree *)

Lemma inftree_1 :
 forall (t:array Z) (n v k:Z), inftree t n v k -> (access t k <= v)%Z.
Proof.
intros t n v k H.
 elim H; auto.
Qed.

Lemma inftree_id :
 forall (t1 t2:array Z) (n v k:Z),
   inftree t1 n v k ->
   (forall i:Z, (k <= i <= n)%Z -> access t1 i = access t2 i) ->
   inftree t2 n v k.
Proof.
intros t1 t2 n v k H.
 elim H; intros.
apply inftree_cons.
assumption.

rewrite <- (H6 k0).
 assumption.
 Omega'.

intro.
 apply H3.
 assumption.
intros i Hi.
 apply H6; Omega'.

intro.
 apply H5.
 assumption.
intros i Hi.
 apply H6; Omega'.
Qed.

Lemma inftree_2 :
 forall (t1 t2:array Z) (n v k j:Z),
   (n < array_length t1)%Z ->
   inftree t1 n v j ->
   exchange t2 t1 k j ->
   (k < j)%Z -> (access t1 k <= access t1 j)%Z -> inftree t2 n v j.
Proof.
intros t1 t2 n v k j Hn H.
 case H.
intros.
apply inftree_cons.
assumption.
decompose [exchange] H4.
 Omega'.

intro.
 apply inftree_id with (t1 := t1).
 auto.
decompose [exchange] H4.
intros i Hi.
 symmetry.
 apply H13.
Omega'.
 Omega'.
 Omega'.

intro.
 apply inftree_id with (t1 := t1).
 auto.
decompose [exchange] H4.
intros i Hi.
 symmetry.
 apply H13.
Omega'.
 Omega'.
 Omega'.
Qed.

Lemma inftree_trans :
 forall (t:array Z) (n k v v':Z),
   (v <= v')%Z -> inftree t n v k -> inftree t n v' k.
Proof.
intros t n k v v' Hvv' H.
elim H; intros.
apply inftree_cons.
assumption.
 Omega'.
 auto.
 auto.
Qed.

Lemma inftree_3 :
 forall (t:array Z) (n k:Z), heap t n k -> inftree t n (access t k) k.
Proof.
intros t n k H.
 elim H; intros.
apply inftree_cons.
assumption.
auto with zarith.
intro.
 apply inftree_trans with
  (v := access t (2 * k0 + 1)) (v' := access t k0).
  Omega'.
 auto.
intro.
 apply inftree_trans with
  (v := access t (2 * k0 + 2)) (v' := access t k0).
  Omega'.
 auto.
Qed.

Lemma inftree_all :
 forall (t:array Z) (n v:Z),
   inftree t n v 0 -> forall i:Z, (0 <= i <= n)%Z -> inftree t n v i.
Proof.
intros t n v H0 i H.
generalize H.
pattern i.
apply heap_induction.
auto.

intros.
elim (Z_le_gt_dec k n).
intro.
generalize H1 a.
case H2; intros.
intuition.

split.
intro; apply H5; omega.
intro; apply H6; omega.

intro.
 split; intro; absurd (k > n)%Z; omega.
intuition.
Qed.

Lemma inftree_0_right :
 forall (t:array Z) (n v:Z),
   inftree t n v 0 ->
   forall i:Z, (0 <= i <= n)%Z -> (access t i <= v)%Z.
Proof.
intros t n v H.
generalize (inftree_all H).
intros.
apply inftree_1 with (n := n).
exact (H0 i H1).
Qed.

Lemma inftree_0_left :
 forall (t:array Z) (n v:Z),
   (0 <= n)%Z ->
   (forall i:Z, (0 <= i <= n)%Z -> (access t i <= v)%Z) ->
   inftree t n v 0.
Proof.
intros.
cut (forall i:Z, (0 <= i <= n)%Z -> inftree t n v i).
intro.
apply H1; omega.

intros i Hi.
 generalize Hi.
replace i with (n - (n - i))%Z.
pattern (n - i)%Z.
apply Z_lt_induction.
intros.
apply inftree_cons.
assumption.

apply H0; omega.

intro.
replace (2 * (n - x) + 1)%Z with (n - (n - (2 * (n - x) + 1)))%Z.
apply H1; omega.
omega.

intro.
replace (2 * (n - x) + 2)%Z with (n - (n - (2 * (n - x) + 2)))%Z.
apply H1; omega.
omega.

omega.
 omega.
Qed.

Lemma inftree_exchange :
 forall (t1 t2:array Z) (n v:Z),
   (n < array_length t1)%Z ->
   inftree t1 n v 0 -> exchange t2 t1 0 n -> inftree t2 n v 0.
Proof.
intros.
apply inftree_0_left.
decompose [exchange] H1.
omega.

generalize (inftree_0_right H0).
intros.
decompose [exchange] H1.
elim (Z_lt_ge_dec 0 i); intro.
elim (Z_lt_ge_dec i n); intro.
rewrite (H9 i).
apply H2; omega.

omega.
 omega.
 omega.

replace i with n.
rewrite H8.
apply H2; omega.

omega.

replace i with 0%Z.
rewrite H7.
apply H2; omega.

omega.
Qed.

Lemma inftree_weakening :
 forall (t:array Z) (n v k:Z),
   (1 <= n < array_length t)%Z ->
   inftree t n v k -> (k <= n - 1)%Z -> inftree t (n - 1) v k.
Proof.
intros t n v k Hn Htree.
elim Htree; intros.
apply inftree_cons.
omega.
assumption.
intro; apply H2; omega.
intro; apply H4; omega.
Qed.
why-2.34/examples/heapsort/swap_why.v0000644000175000017500000001611612311670312016315 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Import Omega.


(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.




(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A86:Set) (a1:(array A86)) (a2:(array A86)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A95:Set) (a1:(array A95)) (a2:(array A95))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

(* Why obligation from file "swap.mlw", line 7, characters 13-17: *)
(*Why goal*) Lemma swap_po_1 : 
  forall (i: Z),
  forall (j: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= i /\ i < (array_length t)) /\ 0 <= j /\ j <
                (array_length t)),
  0 <= i.
Proof.
intuition.
Save.

(* Why obligation from file "swap.mlw", line 7, characters 13-17: *)
(*Why goal*) Lemma swap_po_2 : 
  forall (i: Z),
  forall (j: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= i /\ i < (array_length t)) /\ 0 <= j /\ j <
                (array_length t)),
  i < (array_length t).
Proof.
intuition.
Save.

(* Why obligation from file "swap.mlw", line 9, characters 15-19: *)
(*Why goal*) Lemma swap_po_3 : 
  forall (i: Z),
  forall (j: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= i /\ i < (array_length t)) /\ 0 <= j /\ j <
                (array_length t)),
  forall (HW_2: 0 <= i /\ i < (array_length t)),
  forall (result: Z),
  forall (HW_3: result = (access t i)),
  0 <= j.
Proof.
intuition.
Save.

(* Why obligation from file "swap.mlw", line 9, characters 15-19: *)
(*Why goal*) Lemma swap_po_4 : 
  forall (i: Z),
  forall (j: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= i /\ i < (array_length t)) /\ 0 <= j /\ j <
                (array_length t)),
  forall (HW_2: 0 <= i /\ i < (array_length t)),
  forall (result: Z),
  forall (HW_3: result = (access t i)),
  j < (array_length t).
Proof.
intuition.
Save.

(* Why obligation from file "swap.mlw", line 10, characters 7-16: *)
(*Why goal*) Lemma swap_po_5 : 
  forall (i: Z),
  forall (j: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= i /\ i < (array_length t)) /\ 0 <= j /\ j <
                (array_length t)),
  forall (HW_2: 0 <= i /\ i < (array_length t)),
  forall (result: Z),
  forall (HW_3: result = (access t i)),
  forall (HW_4: 0 <= j /\ j < (array_length t)),
  forall (result0: Z),
  forall (HW_5: result0 = (access t j)),
  forall (HW_6: 0 <= i /\ i < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_7: t0 = (update t i result0)),
  j < (array_length t0).
Proof.
intuition; subst.
rewrite array_length_update; auto.
Save.

(* Why obligation from file "swap.mlw", line 12, characters 6-27: *)
(*Why goal*) Lemma swap_po_6 : 
  forall (i: Z),
  forall (j: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= i /\ i < (array_length t)) /\ 0 <= j /\ j <
                (array_length t)),
  forall (HW_2: 0 <= i /\ i < (array_length t)),
  forall (result: Z),
  forall (HW_3: result = (access t i)),
  forall (HW_4: 0 <= j /\ j < (array_length t)),
  forall (result0: Z),
  forall (HW_5: result0 = (access t j)),
  forall (HW_6: 0 <= i /\ i < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_7: t0 = (update t i result0)),
  forall (HW_8: 0 <= j /\ j < (array_length t0)),
  forall (t1: (array Z)),
  forall (HW_9: t1 = (update t0 j result)),
  (exchange t1 t i j).
Proof.
unfold exchange; intros.
assert (h: i=j \/ i<>j) by omega.
destruct h.
(* case i=j *)
subst.
repeat rewrite array_length_update; auto.
repeat rewrite access_update; auto.
intuition.
repeat rewrite access_update_neq; auto.
(* case i <> j *)
subst.
repeat rewrite array_length_update; auto.
rewrite access_update; auto.
rewrite access_update_neq; auto.
rewrite access_update; auto.
intuition.
repeat rewrite access_update_neq; auto.
Save.


why-2.34/examples/heapsort/heap.v0000644000175000017500000001167012311670312015371 0ustar  rtusers(* Load Programs. *)(**************************************************************************)
(*                                                                        *)
(* Proof of the Heapsort Algorithm.                                       *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* March 1999                                                             *)
(*                                                                        *)
(**************************************************************************)

Require Import ZArith.
Require Import Why.
Require Import Omega.

Ltac Omega' := abstract omega.

Set Implicit Arguments.
Unset Strict Implicit.

(* First we define the heap structure.
 * 
 * The heap is represented in an array[0..N-1] with the two sons
 * of the ``root'' i at indexes 2i+1 and 2i+2.
 * 
 * A sub_array t[k..n] is a heap if the following conditions are satisfied:
 *  - t[k] <= t[2k+1]             (if 2k+1 <= n)
 *  - t[2k+1..n] is itself a heap (     ''     )
 *  - t[k] <= t[2k+2]             (if 2k+2 <= n)
 *  - t[2k+2..n] is itself a heap (     ''     )
 *
 * It is expressed by the predicate (heap t n k), defined as follows:
 *)

Inductive heap (t:array Z) (n:Z) : Z -> Prop :=
    heap_cons :
      forall k:Z,
        (0 <= k <= n)%Z ->
        ((2 * k + 1 <= n)%Z -> (access t k >= access t (2 * k + 1))%Z) ->
        ((2 * k + 1 <= n)%Z -> heap t n (2 * k + 1)%Z) ->
        ((2 * k + 2 <= n)%Z -> (access t k >= access t (2 * k + 2))%Z) ->
        ((2 * k + 2 <= n)%Z -> heap t n (2 * k + 2)%Z) -> heap t n k.

(* Some lemmas about heaps *)

(* A tree reduce to one element is a heap *)

Lemma heap_leaf :
 forall (t:array Z) (n k:Z),
   (0 <= k <= n)%Z -> (2 * k >= n)%Z -> heap t n k.
Proof.
intros t n k H1k H2k.
apply heap_cons;
 [ Omega'
 | intro; absurd (2 * k >= n)%Z; [ Omega' | assumption ]
 | intro; absurd (2 * k >= n)%Z; [ Omega' | assumption ]
 | intro; absurd (2 * k >= n)%Z; [ Omega' | assumption ]
 | intro; absurd (2 * k >= n)%Z; [ Omega' | assumption ] ].
Qed.

(* The tree with only two elements (it is the case when 2k+1 is equal
 * to n, the greatest element) is a heap as soon as t[k] <= t[2k+1] *)

Lemma heap_son :
 forall (t:array Z) (n:Z),
   (n >= 0)%Z ->
   forall k:Z,
     (2 * k + 1)%Z = n ->
     (access t k >= access t (2 * k + 1))%Z -> heap t n k.
Proof.
intros t n Hn k Hk Ht.
apply heap_cons;
 [ Omega'
 | intro; assumption
 | intro; apply heap_leaf; Omega'
 | intro; absurd ((2 * k + 1)%Z = n); Omega'
 | intro; absurd ((2 * k + 1)%Z = n); Omega' ].
Qed.

(* If we have a heap t[k..n] and t[k..n]=t'[k..n] then we have a heap
 * in t'[k..n] *)

Lemma heap_id :
 forall (t t':array Z) (n k:Z),
   heap t n k -> array_id t t' k n -> heap t' n k.
Proof.
intros t t' n k H_heap.
unfold array_id.
elim H_heap; intros; clear H_heap.
apply heap_cons.
 assumption.
intro; rewrite <- (H6 k0);
 [ rewrite <- (H6 (2 * k0 + 1)%Z); [ auto | idtac ] | idtac ];
 clear H0 H1 H2 H3 H4 H5 H6; Omega'.
intro; apply H2;
 [ assumption
 | intros i Hi; apply (H6 i); clear H0 H1 H2 H3 H4 H5 H6; Omega' ].
intro; rewrite <- (H6 k0);
 [ rewrite <- (H6 (2 * k0 + 2)%Z); [ auto | idtac ] | idtac ];
 clear H0 H1 H2 H3 H4 H5 H6; Omega'.
intro; apply H5;
 [ assumption
 | intros i Hi; apply (H6 i); clear H0 H1 H2 H3 H4 H5 H6; Omega' ].
Qed.

(* If t[k..n] is a heap then t[k..n-1] is a heap *)

Lemma heap_weakening :
 forall (t:array Z) (n k:Z),
   (1 <= n)%Z -> heap t n k -> (k <= n - 1)%Z -> heap t (n - 1) k.
Proof.
intros t n k Hn H.
 elim H; intros.
apply heap_cons.
clear H1 H2 H3 H4 H5 H6; omega.
intro; apply H1; clear H2 H3 H4 H5 H6; omega.
intro; apply H3; clear H1 H2 H4 H5 H6; omega.
intro; apply H4; clear H1 H2 H3 H5 H6; omega.
intro; apply H6; clear H1 H2 H3 H4 H5; omega.
Qed.

(* To prove the lemma heap_all (see further), we need an induction principle
 * following the structure of heaps *)

Lemma heap_induction :
 forall P:Z -> Prop,
   P 0%Z ->
   (forall k:Z, (0 <= k)%Z -> P k -> P (2 * k + 1)%Z /\ P (2 * k + 2)%Z) ->
   forall k:Z, (0 <= k)%Z -> P k.
Proof.
intros P H H0 k Hk; generalize Hk; pattern k; apply Z_lt_induction.
intros.
elim (Z_modulo_2 x); intro.
(* x = 2y+2 *)
elim (Z_le_lt_eq_dec 0 x).
 (* 0 < x *)
intro.
elim a; intros.
replace x with (2 * (x0 - 1) + 2)%Z.
elim (H0 (x0 - 1)%Z).
auto.
 omega.
apply H1; omega.
 omega.
(* 0 = x *)
intro H3.
 rewrite <- H3.
 assumption.
 assumption.
(* x = 2y+1 *)
elim b; intros.
rewrite p.
elim (H0 x0).
auto.
 omega.
apply H1; omega.
assumption.
Qed.

(* If t[0..n] is a heap, then every sub-array t[k..n] is also a heap *)

Lemma heap_all :
 forall (t:array Z) (n:Z),
   heap t n 0 -> forall i:Z, (0 <= i <= n)%Z -> heap t n i.
Proof.
intros t n H0 i H.
 generalize H.
pattern i.
apply heap_induction.
 auto.

intros.
split.
intro.
 generalize H3.
elim H2.
 intros.
apply H6; intuition.

omega.

intro.
 generalize H3.
 elim H2.
 intros.
apply H9; intuition.

omega.
intuition.
Qed.

why-2.34/examples/heapsort/downheap_why.v0000644000175000017500000017723312311670312017160 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Import Omega.
Require Export heap.
Require Export Inftree.

Lemma R11 : forall k:Z, (2 * k + 1 + 1)%Z = (2 * k + 2)%Z.
Proof.
intro; omega.
Qed.

(* To annotate the recursive function downheap, it is convenient to
 * introduce the following predicate, which expresses that j is the
 * greatest son of k. *)

Set Implicit Arguments.
Unset Strict Implicit.

Inductive select_son (t:array Z) (k n j:Z) : Prop :=
  | select_left_son :
      j = (2 * k + 1)%Z ->
      ((2 * k + 2 <= n)%Z -> (access t j >= access t (2 * k + 2))%Z) ->
      select_son t k n j
  | select_right_son :
      j = (2 * k + 2)%Z ->
      (j <= n)%Z ->
      (access t j >= access t (2 * k + 1))%Z -> select_son t k n j.

Set Strict Implicit.
Unset Implicit Arguments.

(* The correctness of downheap requires the two following lemmas *)

Lemma Lemma_1 :
 forall (t0 t1 t2:array Z) (n0 k0 j':Z),
   (2 * k0 + 1 <= n0)%Z ->
   select_son t0 k0 n0 j' ->
   (access t0 k0 < access t0 j')%Z ->
   exchange t1 t0 k0 j' ->
   (0 <= k0 <= n0)%Z ->
   (n0 < array_length t0)%Z ->
   (forall i:Z, (k0 + 1 <= i <= n0)%Z -> heap t0 n0 i) ->
   (forall i:Z, (j' <= i <= n0)%Z -> heap t2 n0 i) ->
   (forall i:Z,
      (0 <= i < j')%Z \/
      (j' < i < 2 * j' + 1)%Z \/ (n0 < i < array_length t0)%Z ->
      access t2 i = access t1 i) ->
   (forall v:Z, inftree t1 n0 v j' -> inftree t2 n0 v j') ->
   forall i:Z, (k0 < i < j')%Z -> heap t2 n0 i.
Proof.
intros.
 apply heap_cons.
elim H0; Omega'.
(* branch 2i+1 *)
intro.
 rewrite (H7 i).
 rewrite (H7 (2 * i + 1)%Z).
decompose [exchange] H2.
 rewrite (H16 i).
 rewrite (H16 (2 * i + 1)%Z).
generalize H10.
 elim (H5 i); intros.
 exact (H18 H24).
Omega'.
 Omega'.
 Omega'.
elim H0; Omega'.
 Omega'.
 Omega'.
 Omega'.
elim H0; Omega'.
 elim H0; Omega'.
 intro.
 apply H6; elim H0; Omega'.
(* branch 2i+2 *)
intro.
 rewrite (H7 i).
 rewrite (H7 (2 * i + 2)%Z).
decompose [exchange] H2.
 rewrite (H16 i).
 rewrite (H16 (2 * i + 2)%Z).
generalize H10.
 elim (H5 i); intros.
 exact (H21 H24).
Omega'.
 Omega'.
 Omega'.
 elim H0; Omega'.
 Omega'.
 Omega'.
 Omega'.
elim H0; Omega'.
 elim H0; Omega'.
 intro.
 apply H6; elim H0; Omega'.
Qed.

Lemma Lemma_2 :
 forall (t0 t1 t2:array Z) (n0 k0 j':Z),
   (2 * k0 + 1 <= n0)%Z ->
   select_son t0 k0 n0 j' ->
   (access t0 k0 < access t0 j')%Z ->
   exchange t1 t0 k0 j' ->
   (0 <= k0 <= n0)%Z ->
   (n0 < array_length t0)%Z ->
   (forall i:Z, (k0 + 1 <= i <= n0)%Z -> heap t0 n0 i) ->
   (forall i:Z, (j' <= i <= n0)%Z -> heap t2 n0 i) ->
   (forall i:Z,
      (0 <= i < j')%Z \/
      (j' < i < 2 * j' + 1)%Z \/ (n0 < i < array_length t0)%Z ->
      access t2 i = access t1 i) ->
   (forall v:Z, inftree t1 n0 v j' -> inftree t2 n0 v j') ->
   forall i:Z, (k0 <= i <= n0)%Z -> heap t2 n0 i.
Proof.
intros.
elim (Z_lt_ge_dec i j'); intro HHi.
elim (Z_le_lt_eq_dec k0 i); [ intro HHHi | intro HHHi | intuition ].

(* 1. k0 < i < j' *)
apply (Lemma_1 t0 t1 t2 n0 k0 j'); assumption || Omega'.

(* 2. k0 = i *)
apply heap_cons.
Omega'.
(* branch 2i+1 *)
(* t[k] >= t[2k+1] *)
intro.
 elim H0; intros.
  (* j' = 2k+1 *)
  rewrite <- HHHi.
 rewrite <- H11.
  rewrite (H7 k0).
 decompose [exchange] H2.
 rewrite H16.
  apply Zle_ge.
 apply inftree_1 with (n := n0).
  apply H8.
  apply inftree_2 with (t1 := t0) (k := k0).
 Omega'.
   apply inftree_3.
  apply H5; Omega'.
 assumption.
 Omega'.
 Omega'.
 Omega'.
  (* j' = 2k+2 *)
  rewrite <- HHHi.
  rewrite (H7 k0).
 decompose [exchange] H2.
 rewrite H17.
  rewrite (H7 (2 * k0 + 1)%Z).
 rewrite (H19 (2 * k0 + 1)%Z).
  Omega'.
 Omega'.
 Omega'.
 Omega'.
 Omega'.
 Omega'.
 (* (heap t2 n (2k+1)) *)
intro.
 elim H0; intros.
  (* j' = 2k+1 *)
  apply H6; Omega'.
  (* j' = 2k+2 *)
  apply (Lemma_1 t0 t1 t2 n0 k0 j'); assumption || Omega'.
(* branch 2i+2 *)
(* t[k] >= t[2k+2] *)
intro.
 elim H0; intros.
  (* j' = 2k+1 *)
  rewrite <- HHHi.
  rewrite (H7 k0).
 decompose [exchange] H2.
 rewrite H16.
  rewrite (H7 (2 * k0 + 2)%Z).
 rewrite (H18 (2 * k0 + 2)%Z).
  Omega'.
 Omega'.
 Omega'.
 Omega'.
 Omega'.
 Omega'.
   (* j' = 2k+2 *)
  rewrite <- HHHi.
 rewrite <- H11.
  rewrite (H7 k0).
 decompose [exchange] H2.
 rewrite H17.
  apply Zle_ge.
 apply inftree_1 with (n := n0).
  apply H8.
  apply inftree_2 with (t1 := t0) (k := k0).
 Omega'.
   apply inftree_3.
  apply H5; Omega'.
 assumption.
 Omega'.
 Omega'.
 Omega'.
(* (heap t2 n (2k+2)) *)
intro.
 elim H0; intros.
  (* j' = 2k+1 *)
  apply H6; Omega'.
  (* j' = 2k+2 *)
  apply H6; Omega'.

(* 3. i >= j' *)
apply H6; Omega'.
Qed.


(*
(*Why predicate*) Definition select_son  (t:(array Z)) (k:Z) (n:Z) (j:Z)
  := j = (2 * k + 1) /\
     (((2 * k + 2) <= n -> (access t j) >= (access t (2 * k + 2)))) \/ j =
     (2 * k + 2) /\ j <= n /\ (access t j) >= (access t (2 * k + 1)).
*)

(*Why logic*) Definition inftree : (array Z) -> Z -> Z -> Z -> Prop.
Admitted.

(*Why axiom*) Lemma inftree_def :
  (forall (a:(array Z)),
   (forall (n:Z),
    (forall (v:Z),
     (forall (k:Z),
      ((inftree a n v k) <-> (0 <= k /\ k <= n) /\ (access a k) <= v /\
       (((2 * k + 1) <= n -> (inftree a n v (2 * k + 1)))) /\
       (((2 * k + 2) <= n -> (inftree a n v (2 * k + 2))))))))).
Admitted.

(*Why logic*) Definition heap : (array Z) -> Z -> Z -> Prop.
Admitted.

(*Why axiom*) Lemma heap_def :
  (forall (a:(array Z)),
   (forall (n:Z),
    (forall (k:Z),
     ((heap a n k) <-> (0 <= k /\ k <= n) /\
      (((2 * k + 1) <= n -> (access a k) >= (access a (2 * k + 1)))) /\
      (((2 * k + 1) <= n -> (heap a n (2 * k + 1)))) /\
      (((2 * k + 2) <= n -> (access a k) >= (access a (2 * k + 2)))) /\
      (((2 * k + 2) <= n -> (heap a n (2 * k + 2)))))))).
Admitted.

(* Why obligation from file "downheap.mlw", line 46, characters 35-39: *)
(*Why goal*) Lemma downheap_po_1 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  0 <= (2 * k + 1).
Proof.
intros; Omega'.
Save.

(* Why obligation from file "downheap.mlw", line 46, characters 35-39: *)
(*Why goal*) Lemma downheap_po_2 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  (2 * k + 1) < (array_length t).
Proof.
intros; Omega'.
Save.

(* Why obligation from file "downheap.mlw", line 46, characters 42-48: *)
(*Why goal*) Lemma downheap_po_3 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  0 <= (2 * k + 1 + 1).
Proof.
intros; Omega'.
Save.

(* Why obligation from file "downheap.mlw", line 46, characters 42-48: *)
(*Why goal*) Lemma downheap_po_4 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  (2 * k + 1 + 1) < (array_length t).
Proof.
intros; Omega'.
Save.

(* Why obligation from file "downheap.mlw", line 47, characters 16-45: *)
(*Why goal*) Lemma downheap_po_5 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  (select_son t k n (2 * k + 1 + 1)).
Proof.
intros.
subst j; rewrite (R11 k0).
apply select_right_son;
 [ reflexivity | Omega' | rewrite (R11 k0) in Test4; Omega' ].
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 8-12: *)
(*Why goal*) Lemma downheap_po_6 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  0 <= k.
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 8-12: *)
(*Why goal*) Lemma downheap_po_7 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  k < (array_length t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 48-63: *)
(*Why goal*) Lemma downheap_po_8 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  forall (HW_9: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_10: result1 = (access t k)),
  forall (HW_11: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_12: result2 = (access t (2 * k + 1 + 1))),
  forall (HW_13: result1 < result2),
  forall (HW_14: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1 + 1) /\
                 (2 * k + 1 + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_15: (exchange t0 t k (2 * k + 1 + 1))),
  0 <= (n - k).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 48-63: *)
(*Why goal*) Lemma downheap_po_9 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  forall (HW_9: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_10: result1 = (access t k)),
  forall (HW_11: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_12: result2 = (access t (2 * k + 1 + 1))),
  forall (HW_13: result1 < result2),
  forall (HW_14: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1 + 1) /\
                 (2 * k + 1 + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_15: (exchange t0 t k (2 * k + 1 + 1))),
  (n - (2 * k + 1 + 1)) < (n - k).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 48-63: *)
(*Why goal*) Lemma downheap_po_10 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  forall (HW_9: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_10: result1 = (access t k)),
  forall (HW_11: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_12: result2 = (access t (2 * k + 1 + 1))),
  forall (HW_13: result1 < result2),
  forall (HW_14: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1 + 1) /\
                 (2 * k + 1 + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_15: (exchange t0 t k (2 * k + 1 + 1))),
  forall (HW_16: (Zwf 0 (n - (2 * k + 1 + 1)) (n - k))),
  n < (array_length t0).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 48-63: *)
(*Why goal*) Lemma downheap_po_11 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  forall (HW_9: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_10: result1 = (access t k)),
  forall (HW_11: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_12: result2 = (access t (2 * k + 1 + 1))),
  forall (HW_13: result1 < result2),
  forall (HW_14: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1 + 1) /\
                 (2 * k + 1 + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_15: (exchange t0 t k (2 * k + 1 + 1))),
  forall (HW_16: (Zwf 0 (n - (2 * k + 1 + 1)) (n - k))),
  forall (i: Z),
  forall (HW_17: (2 * k + 1 + 1 + 1) <= i /\ i <= n),
  (heap t0 n i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_12 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  forall (HW_9: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_10: result1 = (access t k)),
  forall (HW_11: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_12: result2 = (access t (2 * k + 1 + 1))),
  forall (HW_13: result1 < result2),
  forall (HW_14: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1 + 1) /\
                 (2 * k + 1 + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_15: (exchange t0 t k (2 * k + 1 + 1))),
  forall (HW_16: (Zwf 0 (n - (2 * k + 1 + 1)) (n - k))),
  forall (HW_18: (0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) <= n) /\ n <
                 (array_length t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1 + 1) <= i /\ i <= n -> (heap t0 n i)))),
  forall (t1: (array Z)),
  forall (HW_19: (permutation t1 t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1) <= i /\ i <= n -> (heap t1 n i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < (2 * k + 1 + 1) \/ (2 * k + 1 + 1) < i /\
                   i < (2 * (2 * k + 1 + 1) + 1) \/ n < i /\ i <
                   (array_length t1) -> (access t1 i) = (access t0 i))) /\
                 (forall (v:Z),
                  ((inftree t0 n v (2 * k + 1 + 1)) ->
                   (inftree t1 n v (2 * k + 1 + 1))))),
  (permutation t1 t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_13 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  forall (HW_9: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_10: result1 = (access t k)),
  forall (HW_11: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_12: result2 = (access t (2 * k + 1 + 1))),
  forall (HW_13: result1 < result2),
  forall (HW_14: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1 + 1) /\
                 (2 * k + 1 + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_15: (exchange t0 t k (2 * k + 1 + 1))),
  forall (HW_16: (Zwf 0 (n - (2 * k + 1 + 1)) (n - k))),
  forall (HW_18: (0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) <= n) /\ n <
                 (array_length t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1 + 1) <= i /\ i <= n -> (heap t0 n i)))),
  forall (t1: (array Z)),
  forall (HW_19: (permutation t1 t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1) <= i /\ i <= n -> (heap t1 n i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < (2 * k + 1 + 1) \/ (2 * k + 1 + 1) < i /\
                   i < (2 * (2 * k + 1 + 1) + 1) \/ n < i /\ i <
                   (array_length t1) -> (access t1 i) = (access t0 i))) /\
                 (forall (v:Z),
                  ((inftree t0 n v (2 * k + 1 + 1)) ->
                   (inftree t1 n v (2 * k + 1 + 1))))),
  forall (i: Z),
  forall (HW_20: k <= i /\ i <= n),
  (heap t1 n i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_14 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  forall (HW_9: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_10: result1 = (access t k)),
  forall (HW_11: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_12: result2 = (access t (2 * k + 1 + 1))),
  forall (HW_13: result1 < result2),
  forall (HW_14: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1 + 1) /\
                 (2 * k + 1 + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_15: (exchange t0 t k (2 * k + 1 + 1))),
  forall (HW_16: (Zwf 0 (n - (2 * k + 1 + 1)) (n - k))),
  forall (HW_18: (0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) <= n) /\ n <
                 (array_length t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1 + 1) <= i /\ i <= n -> (heap t0 n i)))),
  forall (t1: (array Z)),
  forall (HW_19: (permutation t1 t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1) <= i /\ i <= n -> (heap t1 n i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < (2 * k + 1 + 1) \/ (2 * k + 1 + 1) < i /\
                   i < (2 * (2 * k + 1 + 1) + 1) \/ n < i /\ i <
                   (array_length t1) -> (access t1 i) = (access t0 i))) /\
                 (forall (v:Z),
                  ((inftree t0 n v (2 * k + 1 + 1)) ->
                   (inftree t1 n v (2 * k + 1 + 1))))),
  forall (i: Z),
  forall (HW_21: 0 <= i /\ i < k \/ k < i /\ i < (2 * k + 1) \/ n < i /\ i <
                 (array_length t1)),
  (access t1 i) = (access t i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_15 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  forall (HW_9: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_10: result1 = (access t k)),
  forall (HW_11: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_12: result2 = (access t (2 * k + 1 + 1))),
  forall (HW_13: result1 < result2),
  forall (HW_14: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1 + 1) /\
                 (2 * k + 1 + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_15: (exchange t0 t k (2 * k + 1 + 1))),
  forall (HW_16: (Zwf 0 (n - (2 * k + 1 + 1)) (n - k))),
  forall (HW_18: (0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) <= n) /\ n <
                 (array_length t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1 + 1) <= i /\ i <= n -> (heap t0 n i)))),
  forall (t1: (array Z)),
  forall (HW_19: (permutation t1 t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1) <= i /\ i <= n -> (heap t1 n i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < (2 * k + 1 + 1) \/ (2 * k + 1 + 1) < i /\
                   i < (2 * (2 * k + 1 + 1) + 1) \/ n < i /\ i <
                   (array_length t1) -> (access t1 i) = (access t0 i))) /\
                 (forall (v:Z),
                  ((inftree t0 n v (2 * k + 1 + 1)) ->
                   (inftree t1 n v (2 * k + 1 + 1))))),
  forall (v: Z),
  forall (HW_22: (inftree t n v k)),
  (inftree t1 n v k).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_16 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  forall (HW_9: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_10: result1 = (access t k)),
  forall (HW_11: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_12: result2 = (access t (2 * k + 1 + 1))),
  forall (HW_23: result1 >= result2),
  (permutation t t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_17 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_8: result < result0),
  forall (HW_9: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_10: result1 = (access t k)),
  forall (HW_11: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_12: result2 = (access t (2 * k + 1 + 1))),
  forall (HW_23: result1 >= result2),
  forall (i: Z),
  forall (HW_24: k <= i /\ i <= n),
  (heap t n i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 47, characters 16-45: *)
(*Why goal*) Lemma downheap_po_18 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  (select_son t k n (2 * k + 1)).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 8-12: *)
(*Why goal*) Lemma downheap_po_19 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  0 <= k.
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 8-12: *)
(*Why goal*) Lemma downheap_po_20 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  k < (array_length t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 48-63: *)
(*Why goal*) Lemma downheap_po_21 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  forall (HW_28: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_29: result1 = (access t k)),
  forall (HW_30: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_31: result2 = (access t (2 * k + 1))),
  forall (HW_32: result1 < result2),
  forall (HW_33: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_34: (exchange t0 t k (2 * k + 1))),
  0 <= (n - k).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 48-63: *)
(*Why goal*) Lemma downheap_po_22 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  forall (HW_28: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_29: result1 = (access t k)),
  forall (HW_30: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_31: result2 = (access t (2 * k + 1))),
  forall (HW_32: result1 < result2),
  forall (HW_33: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_34: (exchange t0 t k (2 * k + 1))),
  (n - (2 * k + 1)) < (n - k).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 48-63: *)
(*Why goal*) Lemma downheap_po_23 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  forall (HW_28: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_29: result1 = (access t k)),
  forall (HW_30: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_31: result2 = (access t (2 * k + 1))),
  forall (HW_32: result1 < result2),
  forall (HW_33: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_34: (exchange t0 t k (2 * k + 1))),
  forall (HW_35: (Zwf 0 (n - (2 * k + 1)) (n - k))),
  n < (array_length t0).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 48-63: *)
(*Why goal*) Lemma downheap_po_24 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  forall (HW_28: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_29: result1 = (access t k)),
  forall (HW_30: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_31: result2 = (access t (2 * k + 1))),
  forall (HW_32: result1 < result2),
  forall (HW_33: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_34: (exchange t0 t k (2 * k + 1))),
  forall (HW_35: (Zwf 0 (n - (2 * k + 1)) (n - k))),
  forall (i: Z),
  forall (HW_36: (2 * k + 1 + 1) <= i /\ i <= n),
  (heap t0 n i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_25 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  forall (HW_28: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_29: result1 = (access t k)),
  forall (HW_30: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_31: result2 = (access t (2 * k + 1))),
  forall (HW_32: result1 < result2),
  forall (HW_33: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_34: (exchange t0 t k (2 * k + 1))),
  forall (HW_35: (Zwf 0 (n - (2 * k + 1)) (n - k))),
  forall (HW_37: (0 <= (2 * k + 1) /\ (2 * k + 1) <= n) /\ n <
                 (array_length t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1) <= i /\ i <= n -> (heap t0 n i)))),
  forall (t1: (array Z)),
  forall (HW_38: (permutation t1 t0) /\
                 (forall (i:Z), ((2 * k + 1) <= i /\ i <= n -> (heap t1 n i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < (2 * k + 1) \/ (2 * k + 1) < i /\ i <
                   (2 * (2 * k + 1) + 1) \/ n < i /\ i < (array_length t1) ->
                   (access t1 i) = (access t0 i))) /\
                 (forall (v:Z),
                  ((inftree t0 n v (2 * k + 1)) ->
                   (inftree t1 n v (2 * k + 1))))),
  (permutation t1 t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_26 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  forall (HW_28: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_29: result1 = (access t k)),
  forall (HW_30: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_31: result2 = (access t (2 * k + 1))),
  forall (HW_32: result1 < result2),
  forall (HW_33: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_34: (exchange t0 t k (2 * k + 1))),
  forall (HW_35: (Zwf 0 (n - (2 * k + 1)) (n - k))),
  forall (HW_37: (0 <= (2 * k + 1) /\ (2 * k + 1) <= n) /\ n <
                 (array_length t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1) <= i /\ i <= n -> (heap t0 n i)))),
  forall (t1: (array Z)),
  forall (HW_38: (permutation t1 t0) /\
                 (forall (i:Z), ((2 * k + 1) <= i /\ i <= n -> (heap t1 n i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < (2 * k + 1) \/ (2 * k + 1) < i /\ i <
                   (2 * (2 * k + 1) + 1) \/ n < i /\ i < (array_length t1) ->
                   (access t1 i) = (access t0 i))) /\
                 (forall (v:Z),
                  ((inftree t0 n v (2 * k + 1)) ->
                   (inftree t1 n v (2 * k + 1))))),
  forall (i: Z),
  forall (HW_39: k <= i /\ i <= n),
  (heap t1 n i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_27 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  forall (HW_28: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_29: result1 = (access t k)),
  forall (HW_30: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_31: result2 = (access t (2 * k + 1))),
  forall (HW_32: result1 < result2),
  forall (HW_33: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_34: (exchange t0 t k (2 * k + 1))),
  forall (HW_35: (Zwf 0 (n - (2 * k + 1)) (n - k))),
  forall (HW_37: (0 <= (2 * k + 1) /\ (2 * k + 1) <= n) /\ n <
                 (array_length t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1) <= i /\ i <= n -> (heap t0 n i)))),
  forall (t1: (array Z)),
  forall (HW_38: (permutation t1 t0) /\
                 (forall (i:Z), ((2 * k + 1) <= i /\ i <= n -> (heap t1 n i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < (2 * k + 1) \/ (2 * k + 1) < i /\ i <
                   (2 * (2 * k + 1) + 1) \/ n < i /\ i < (array_length t1) ->
                   (access t1 i) = (access t0 i))) /\
                 (forall (v:Z),
                  ((inftree t0 n v (2 * k + 1)) ->
                   (inftree t1 n v (2 * k + 1))))),
  forall (i: Z),
  forall (HW_40: 0 <= i /\ i < k \/ k < i /\ i < (2 * k + 1) \/ n < i /\ i <
                 (array_length t1)),
  (access t1 i) = (access t i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_28 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  forall (HW_28: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_29: result1 = (access t k)),
  forall (HW_30: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_31: result2 = (access t (2 * k + 1))),
  forall (HW_32: result1 < result2),
  forall (HW_33: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_34: (exchange t0 t k (2 * k + 1))),
  forall (HW_35: (Zwf 0 (n - (2 * k + 1)) (n - k))),
  forall (HW_37: (0 <= (2 * k + 1) /\ (2 * k + 1) <= n) /\ n <
                 (array_length t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1) <= i /\ i <= n -> (heap t0 n i)))),
  forall (t1: (array Z)),
  forall (HW_38: (permutation t1 t0) /\
                 (forall (i:Z), ((2 * k + 1) <= i /\ i <= n -> (heap t1 n i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < (2 * k + 1) \/ (2 * k + 1) < i /\ i <
                   (2 * (2 * k + 1) + 1) \/ n < i /\ i < (array_length t1) ->
                   (access t1 i) = (access t0 i))) /\
                 (forall (v:Z),
                  ((inftree t0 n v (2 * k + 1)) ->
                   (inftree t1 n v (2 * k + 1))))),
  forall (v: Z),
  forall (HW_41: (inftree t n v k)),
  (inftree t1 n v k).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_29 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  forall (HW_28: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_29: result1 = (access t k)),
  forall (HW_30: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_31: result2 = (access t (2 * k + 1))),
  forall (HW_42: result1 >= result2),
  (permutation t t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_30 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_3: (2 * k + 1 + 1) <= n),
  forall (HW_4: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result: Z),
  forall (HW_5: result = (access t (2 * k + 1))),
  forall (HW_6: 0 <= (2 * k + 1 + 1) /\ (2 * k + 1 + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_7: result0 = (access t (2 * k + 1 + 1))),
  forall (HW_27: result >= result0),
  forall (HW_28: 0 <= k /\ k < (array_length t)),
  forall (result1: Z),
  forall (HW_29: result1 = (access t k)),
  forall (HW_30: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result2: Z),
  forall (HW_31: result2 = (access t (2 * k + 1))),
  forall (HW_42: result1 >= result2),
  forall (i: Z),
  forall (HW_43: k <= i /\ i <= n),
  (heap t n i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 47, characters 16-45: *)
(*Why goal*) Lemma downheap_po_31 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  (select_son t k n (2 * k + 1)).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 8-12: *)
(*Why goal*) Lemma downheap_po_32 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  0 <= k.
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 8-12: *)
(*Why goal*) Lemma downheap_po_33 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  k < (array_length t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 15-20: *)
(*Why goal*) Lemma downheap_po_34 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  forall (HW_47: 0 <= k /\ k < (array_length t)),
  forall (result: Z),
  forall (HW_48: result = (access t k)),
  0 <= (2 * k + 1).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 15-20: *)
(*Why goal*) Lemma downheap_po_35 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  forall (HW_47: 0 <= k /\ k < (array_length t)),
  forall (result: Z),
  forall (HW_48: result = (access t k)),
  (2 * k + 1) < (array_length t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 48-63: *)
(*Why goal*) Lemma downheap_po_36 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  forall (HW_47: 0 <= k /\ k < (array_length t)),
  forall (result: Z),
  forall (HW_48: result = (access t k)),
  forall (HW_49: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_50: result0 = (access t (2 * k + 1))),
  forall (HW_51: result < result0),
  forall (HW_52: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_53: (exchange t0 t k (2 * k + 1))),
  0 <= (n - k).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 48-63: *)
(*Why goal*) Lemma downheap_po_37 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  forall (HW_47: 0 <= k /\ k < (array_length t)),
  forall (result: Z),
  forall (HW_48: result = (access t k)),
  forall (HW_49: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_50: result0 = (access t (2 * k + 1))),
  forall (HW_51: result < result0),
  forall (HW_52: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_53: (exchange t0 t k (2 * k + 1))),
  (n - (2 * k + 1)) < (n - k).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 48-63: *)
(*Why goal*) Lemma downheap_po_38 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  forall (HW_47: 0 <= k /\ k < (array_length t)),
  forall (result: Z),
  forall (HW_48: result = (access t k)),
  forall (HW_49: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_50: result0 = (access t (2 * k + 1))),
  forall (HW_51: result < result0),
  forall (HW_52: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_53: (exchange t0 t k (2 * k + 1))),
  forall (HW_54: (Zwf 0 (n - (2 * k + 1)) (n - k))),
  n < (array_length t0).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 49, characters 48-63: *)
(*Why goal*) Lemma downheap_po_39 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  forall (HW_47: 0 <= k /\ k < (array_length t)),
  forall (result: Z),
  forall (HW_48: result = (access t k)),
  forall (HW_49: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_50: result0 = (access t (2 * k + 1))),
  forall (HW_51: result < result0),
  forall (HW_52: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_53: (exchange t0 t k (2 * k + 1))),
  forall (HW_54: (Zwf 0 (n - (2 * k + 1)) (n - k))),
  forall (i: Z),
  forall (HW_55: (2 * k + 1 + 1) <= i /\ i <= n),
  (heap t0 n i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_40 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  forall (HW_47: 0 <= k /\ k < (array_length t)),
  forall (result: Z),
  forall (HW_48: result = (access t k)),
  forall (HW_49: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_50: result0 = (access t (2 * k + 1))),
  forall (HW_51: result < result0),
  forall (HW_52: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_53: (exchange t0 t k (2 * k + 1))),
  forall (HW_54: (Zwf 0 (n - (2 * k + 1)) (n - k))),
  forall (HW_56: (0 <= (2 * k + 1) /\ (2 * k + 1) <= n) /\ n <
                 (array_length t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1) <= i /\ i <= n -> (heap t0 n i)))),
  forall (t1: (array Z)),
  forall (HW_57: (permutation t1 t0) /\
                 (forall (i:Z), ((2 * k + 1) <= i /\ i <= n -> (heap t1 n i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < (2 * k + 1) \/ (2 * k + 1) < i /\ i <
                   (2 * (2 * k + 1) + 1) \/ n < i /\ i < (array_length t1) ->
                   (access t1 i) = (access t0 i))) /\
                 (forall (v:Z),
                  ((inftree t0 n v (2 * k + 1)) ->
                   (inftree t1 n v (2 * k + 1))))),
  (permutation t1 t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_41 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  forall (HW_47: 0 <= k /\ k < (array_length t)),
  forall (result: Z),
  forall (HW_48: result = (access t k)),
  forall (HW_49: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_50: result0 = (access t (2 * k + 1))),
  forall (HW_51: result < result0),
  forall (HW_52: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_53: (exchange t0 t k (2 * k + 1))),
  forall (HW_54: (Zwf 0 (n - (2 * k + 1)) (n - k))),
  forall (HW_56: (0 <= (2 * k + 1) /\ (2 * k + 1) <= n) /\ n <
                 (array_length t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1) <= i /\ i <= n -> (heap t0 n i)))),
  forall (t1: (array Z)),
  forall (HW_57: (permutation t1 t0) /\
                 (forall (i:Z), ((2 * k + 1) <= i /\ i <= n -> (heap t1 n i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < (2 * k + 1) \/ (2 * k + 1) < i /\ i <
                   (2 * (2 * k + 1) + 1) \/ n < i /\ i < (array_length t1) ->
                   (access t1 i) = (access t0 i))) /\
                 (forall (v:Z),
                  ((inftree t0 n v (2 * k + 1)) ->
                   (inftree t1 n v (2 * k + 1))))),
  forall (i: Z),
  forall (HW_58: k <= i /\ i <= n),
  (heap t1 n i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_42 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  forall (HW_47: 0 <= k /\ k < (array_length t)),
  forall (result: Z),
  forall (HW_48: result = (access t k)),
  forall (HW_49: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_50: result0 = (access t (2 * k + 1))),
  forall (HW_51: result < result0),
  forall (HW_52: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_53: (exchange t0 t k (2 * k + 1))),
  forall (HW_54: (Zwf 0 (n - (2 * k + 1)) (n - k))),
  forall (HW_56: (0 <= (2 * k + 1) /\ (2 * k + 1) <= n) /\ n <
                 (array_length t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1) <= i /\ i <= n -> (heap t0 n i)))),
  forall (t1: (array Z)),
  forall (HW_57: (permutation t1 t0) /\
                 (forall (i:Z), ((2 * k + 1) <= i /\ i <= n -> (heap t1 n i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < (2 * k + 1) \/ (2 * k + 1) < i /\ i <
                   (2 * (2 * k + 1) + 1) \/ n < i /\ i < (array_length t1) ->
                   (access t1 i) = (access t0 i))) /\
                 (forall (v:Z),
                  ((inftree t0 n v (2 * k + 1)) ->
                   (inftree t1 n v (2 * k + 1))))),
  forall (i: Z),
  forall (HW_59: 0 <= i /\ i < k \/ k < i /\ i < (2 * k + 1) \/ n < i /\ i <
                 (array_length t1)),
  (access t1 i) = (access t i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_43 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  forall (HW_47: 0 <= k /\ k < (array_length t)),
  forall (result: Z),
  forall (HW_48: result = (access t k)),
  forall (HW_49: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_50: result0 = (access t (2 * k + 1))),
  forall (HW_51: result < result0),
  forall (HW_52: (0 <= k /\ k < (array_length t)) /\ 0 <= (2 * k + 1) /\
                 (2 * k + 1) < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_53: (exchange t0 t k (2 * k + 1))),
  forall (HW_54: (Zwf 0 (n - (2 * k + 1)) (n - k))),
  forall (HW_56: (0 <= (2 * k + 1) /\ (2 * k + 1) <= n) /\ n <
                 (array_length t0) /\
                 (forall (i:Z),
                  ((2 * k + 1 + 1) <= i /\ i <= n -> (heap t0 n i)))),
  forall (t1: (array Z)),
  forall (HW_57: (permutation t1 t0) /\
                 (forall (i:Z), ((2 * k + 1) <= i /\ i <= n -> (heap t1 n i))) /\
                 (forall (i:Z),
                  (0 <= i /\ i < (2 * k + 1) \/ (2 * k + 1) < i /\ i <
                   (2 * (2 * k + 1) + 1) \/ n < i /\ i < (array_length t1) ->
                   (access t1 i) = (access t0 i))) /\
                 (forall (v:Z),
                  ((inftree t0 n v (2 * k + 1)) ->
                   (inftree t1 n v (2 * k + 1))))),
  forall (v: Z),
  forall (HW_60: (inftree t n v k)),
  (inftree t1 n v k).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_44 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  forall (HW_47: 0 <= k /\ k < (array_length t)),
  forall (result: Z),
  forall (HW_48: result = (access t k)),
  forall (HW_49: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_50: result0 = (access t (2 * k + 1))),
  forall (HW_61: result >= result0),
  (permutation t t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_45 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_2: (2 * k + 1) <= n),
  forall (HW_46: (2 * k + 1 + 1) > n),
  forall (HW_47: 0 <= k /\ k < (array_length t)),
  forall (result: Z),
  forall (HW_48: result = (access t k)),
  forall (HW_49: 0 <= (2 * k + 1) /\ (2 * k + 1) < (array_length t)),
  forall (result0: Z),
  forall (HW_50: result0 = (access t (2 * k + 1))),
  forall (HW_61: result >= result0),
  forall (i: Z),
  forall (HW_62: k <= i /\ i <= n),
  (heap t n i).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_46 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_65: (2 * k + 1) > n),
  (permutation t t).
Proof.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "downheap.mlw", line 50, characters 8-230: *)
(*Why goal*) Lemma downheap_po_47 : 
  forall (k: Z),
  forall (n: Z),
  forall (t: (array Z)),
  forall (HW_1: (0 <= k /\ k <= n) /\ n < (array_length t) /\
                (forall (i:Z), ((k + 1) <= i /\ i <= n -> (heap t n i)))),
  forall (HW_65: (2 * k + 1) > n),
  forall (i: Z),
  forall (HW_66: k <= i /\ i <= n),
  (heap t n i).
Proof.
(* FILL PROOF HERE *)
Save.






(* Obligations *)

Proof.
intros.
subst j.
apply select_left_son;
 [ reflexivity | rewrite (R11 k0) in Test3; intro; assumption ].
Qed.

Proof.
intros.
subst j.
apply select_left_son;
 [ reflexivity | intro; absurd (2 * k + 2 <= n)%Z; Omega' ].
Qed.

Proof.
intros; elim Post12; intros; Omega'.
Qed.

Proof.
intros; elim Post12; intros; Omega'.
Qed.

Proof.
intuition; try (elim Post12; SameLength t1 t0; Omega').
apply heap_id with (t := t0).
apply H7; elim Post12; Omega'.
unfold array_id.
 intros i' Hi'.
elim Post23; intros.
symmetry; apply (H22 i'); elim Post12; Omega'.
Qed.

Proof.
intros; unfold Zwf; decompose [select_son] Post12; Omega'.
Qed.

Proof.
trivial.
Qed.

Proof.
intuition.
(* permut *)
apply permut_trans with (t' := t1).
intuition.
 apply exchange_is_permut with (i := k0) (j := j'); assumption.
(* heap *)
apply (Lemma_2 t0 t1 t2 n0 k0 j'); assumption || (try Omega').
SameLength t2 t1.
 SameLength t1 t0.
rewrite <- H26; rewrite <- H22; assumption.
(* unchanged parts of the array *)
rewrite (H20 i); [ decompose [exchange] Post23; apply H30 | idtac ];
 decompose [select_son] Post12; Omega'.
rewrite (H20 i); [ decompose [exchange] Post23; apply H30 | idtac ];
 decompose [select_son] Post12; Omega'.
rewrite (H20 i); [ decompose [exchange] Post23; apply H30 | idtac ];
 decompose [select_son] Post12; SameLength t2 t1; Omega'.
(* inftree *)
apply inftree_cons.
split; assumption.
rewrite (H20 k0).
 decompose [exchange] Post23.
 rewrite H27.
 elim Post12; intros.
  (* j' = 2k+1 *)
  rewrite H30.
 generalize Test8; rewrite Post3.
 case H22; intros.
  apply inftree_1 with (n := n0).
 auto.
  (* j' = 2k+2 *)
  generalize H31.
 rewrite H30.
 case H22; intros.
  apply inftree_1 with (n := n0).
 auto.
elim Post12; intros; Omega'.
  (* branch 2k+1 *)
  intro.
 elim Post12; intros.
    (* j' = 2k+1 *)
    rewrite <- H25.
 apply H23.
     apply inftree_2 with (t1 := t0) (k := k0).
 Omega'.
     rewrite H25.
 generalize H24.
 case H22; auto.
    assumption.
 Omega'.
 Omega'.
    (* j' = 2k+2 *)
    apply inftree_trans with (v := access t2 (2 * k0 + 1)).
    rewrite (H20 (2 * k0 + 1)%Z).
    decompose [exchange] Post23.
 rewrite (H33 (2 * k0 + 1)%Z).
    generalize H24.
 case H22; intros.
    apply inftree_1 with (n := n0).
 auto.
    Omega'.
 Omega'.
 Omega'.
 Omega'.
    apply inftree_3.
    apply (Lemma_2 t0 t1 t2 n0 k0 j'); assumption || (try Omega').
    SameLength t2 t1.
 SameLength t1 t0.
    rewrite <- H29; rewrite <- H28; assumption.

  (* branch 2k+2 *)
  intro.
 elim Post12; intros.
    (* j' = 2k+1 *)
    apply inftree_trans with (v := access t2 (2 * k0 + 2)).
    rewrite (H20 (2 * k0 + 2)%Z).
    decompose [exchange] Post23.
 rewrite (H32 (2 * k0 + 2)%Z).
    generalize H24.
 case H22; intros.
    apply inftree_1 with (n := n0).
 auto.
    Omega'.
 Omega'.
 Omega'.
 Omega'.
    apply inftree_3.
    apply H21; Omega'.
    (* j' = 2k+2 *)
    rewrite <- H25.
 apply H23.
     apply inftree_2 with (t1 := t0) (k := k0).
 Omega'.
     rewrite H25.
 generalize H24.
 case H22; auto.
    assumption.
 Omega'.
 Omega'.
Qed.

Proof.
intuition.
elim (Z_le_lt_eq_dec k0 i); [ intro HHHi | intro HHHi | intuition ].
(* k0 < i *)
apply H7; Omega'.
(* k0 = i *)
rewrite <- HHHi.
 apply heap_cons.
Omega'.
intro.
 elim Post12; intros.
rewrite <- H14.
 assumption.
 Omega'.
intro.
 apply H7; Omega'.
intro.
 elim Post12; intros.
Omega'.
 rewrite <- H14.
 assumption.
intro.
 apply H7; Omega'.
Qed.


Proof.
intuition.
elim (Z_le_lt_eq_dec k0 i); [ intro HHHi | intro HHHi | intuition ].
apply H7; Omega'.
rewrite <- HHHi.
 apply heap_cons.
Omega'.
intro; absurd (2 * k0 + 1 > n0)%Z; Omega'.
intro; absurd (2 * k0 + 1 > n0)%Z; Omega'.
intro; absurd (2 * k0 + 2 > n0)%Z; Omega'.
intro; absurd (2 * k0 + 2 > n0)%Z; Omega'.
Qed.

Require Import swap_why.




Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.

Proof.
(* FILL PROOF HERE *)
Save.


why-2.34/examples/heapsort/downheap.mlw0000644000175000017500000000352612311670312016614 0ustar  rtusers
(** Heapsort. 

    This formal proof is detailed in this paper:

    J.-C. Filliâtre and N. Magaud. Certification of sorting algorithms
    in  the system  Coq. In  Theorem Proving  in Higher  Order Logics:
    Emerging Trends, 1999.
    (http://www.lri.fr/~filliatr/ftp/publis/Filliatre-Magaud.ps.gz)    **)

(* The recursive function downheap.
   [downheap N t k n] moves the element t[k] down in the heap encoded
   in t[j..n] *)

predicate select_son(t: int farray, k:int, n:int, j:int) =
  (j = 2 * k + 1 and (2 * k + 2 <= n -> t[j] >= t[2 * k + 2])) or
  (j = 2 * k + 2 and j <= n and t[j] >= t[2 * k + 1])

logic inftree : int farray, int, int, int -> prop

axiom inftree_def :
  forall a:int farray. forall n,v,k:int.
  inftree(a, n, v, k) <->
  (0 <= k <= n and
   a[k] <= v and
   (2 * k + 1 <= n -> inftree(a, n, v, 2 * k + 1)) and
   (2 * k + 2 <= n -> inftree(a, n, v, 2 * k + 2)))

logic heap : int farray, int, int -> prop 

axiom heap_def :
  forall a:int farray. forall n,k:int.
  heap(a,n,k) <->
  (0 <= k <= n and
   (2 * k + 1 <= n -> a[k] >= a[2 * k + 1]) and
   (2 * k + 1 <= n -> heap(a, n, 2 * k + 1)) and
   (2 * k + 2 <= n -> a[k] >= a[2 * k + 2]) and
   (2 * k + 2 <= n -> heap(a, n, 2 * k + 2)))

let downheap = 
  let rec downheap (t:int array)(k,n:int) : unit { variant n-k } =
  {     0 <= k <= n and n < array_length(t)
    and forall i:int. k+1 <= i <= n -> heap(t, n, i) }
  (let j = 2*k+1 in
   if j <= n then
     let j' = (if j+1 <= n then if t[j] < t[j+1] then j+1 else j else j)
              { select_son(t, k, n, result) } 
     in
     if t[k] < t[j'] then begin (swap t k j'); (downheap t j' n) end)
  {     permutation(t, t@)
    and (forall i:int. k <= i <= n -> heap(t, n, i))
    and (forall i:int. (0<=i t[i]=t@[i])
    and (forall v:int. inftree(t@, n, v, k) -> inftree(t, n, v, k)) }
why-2.34/examples/heapsort/.depend0000644000175000017500000000112612311670312015520 0ustar  rtusersInftree.vo: Inftree.v ../../lib/coq/Why.vo ./heap.vo
downheap_valid.vo: downheap_valid.v ../../lib/coq/Why.vo ./swap_valid.vo ./downheap_why.vo
downheap_why.vo: downheap_why.v ../../lib/coq/Why.vo ./heap.vo ./Inftree.vo ./swap_why.vo
heap.vo: heap.v ../../lib/coq/Why.vo
heapsort_valid.vo: heapsort_valid.v ../../lib/coq/Why.vo ./swap_valid.vo ./downheap_valid.vo ./heapsort_why.vo
heapsort_why.vo: heapsort_why.v ../../lib/coq/Why.vo ./heap.vo ./Inftree.vo ./swap_why.vo ./downheap_why.vo
swap_valid.vo: swap_valid.v ../../lib/coq/Why.vo ./swap_why.vo
swap_why.vo: swap_why.v ../../lib/coq/Why.vo
why-2.34/examples/heapsort/swap.mlw0000644000175000017500000000035612311670312015757 0ustar  rtusers
include "arrays.why"

let swap =
  fun (t:int array)(i,j:int) ->
    { 0 <= i < array_length(t) and 0 <= j < array_length(t) }
    (let v = t[i] in
     begin
       t[i] := t[j];
       t[j] := v
     end)
    { exchange(t, t@, i, j) }
why-2.34/examples/queens/0000755000175000017500000000000012311670312013733 5ustar  rtuserswhy-2.34/examples/queens/Makefile0000644000175000017500000000113012311670312015366 0ustar  rtusers
WHY=../../bin/why.opt
GWHY=../../bin/gwhy.opt
OPT=--no-arrays
VO=queens_valid.vo

gwhy:
	$(GWHY) $(OPT) queens.why

gwhy.split:
	$(GWHY) $(OPT) -split-user-conj queens.why

coq:
	$(WHY) $(OPT) --coq --coq-tactic "admit" queens.why
	coqide queens_why.v

coq.split:
	$(WHY) $(OPT) -split-user-conj --coq --coq-tactic "admit" queens.why
	coqide queens_why.v

FTP=$$HOME/WWW/why/queens/

export:
	why2html queens.why
	cp -f queens.why.html $(FTP)
	cp -f queens_why.v $(FTP)
	cp -f slides/slides-pp.pdf $(FTP)
	cp -f ../../bench/c/good/queens.c $(FTP)
	make -C report export


include ../Makefile.common
why-2.34/examples/queens/queens.why0000644000175000017500000001237712311670312015776 0ustar  rtusers
(* N queens on a NxN chessboard *)

logic N : int 

(* abstract sets of integers *)

type iset

logic in_ : int, iset -> prop

predicate included(a:iset, b:iset) = forall i:int. in_(i,a) -> in_(i,b)

logic card : iset -> int
axiom card_nonneg : forall s:iset. card(s) >= 0

logic empty : iset
axiom empty_def : forall i:int. not in_(i,empty)
axiom empty_card : forall s:iset. card(s)=0 <-> s=empty

logic diff : iset,iset -> iset
(*
axiom diff_def : 
  forall a,b:iset. forall i:int.
    in_(i,diff(a,b)) <-> (in_(i,a) and not in_(i,b))
*)
axiom diff_def_1 : 
  forall a,b:iset. forall i:int. 
    in_(i,diff(a,b)) -> (in_(i,a) and not in_(i,b))
axiom diff_def_2 : 
  forall a,b:iset. forall i:int.
    (in_(i,a) and not in_(i,b)) -> in_(i,diff(a,b)) 

logic add : int,iset -> iset
axiom add_def : 
  forall s:iset. forall x:int. forall i:int [in_(i,add(x,s))]. 
    in_(i,add(x,s))  <-> (i=x or in_(i,s))

logic remove : int,iset -> iset
axiom remove_def : 
  forall s:iset. forall x:int. forall i:int [in_(i,remove(x,s))]. 
    in_(i,remove(x,s))  <-> (in_(i,s) and i<>x)
axiom remove_card : 
  forall s:iset. forall i:int.
    in_(i,s) -> card(remove(i,s)) = card(s) - 1

logic min_elt : iset -> int
axiom min_elt_def_1 : 
  forall s:iset. card(s) > 0 -> in_(min_elt(s), s)
axiom min_elt_def_2 : 
  forall s:iset. card(s) > 0 ->
    forall i:int. in_(i,s) -> min_elt(s) <= i

logic succ : iset -> iset
axiom succ_def_1 :  
  forall s:iset. forall i:int. in_(i,s) -> in_(i+1,succ(s))
axiom succ_def_2 :  
  forall s:iset. forall i:int. in_(i,succ(s)) -> i>=1 and in_(i-1,s)

logic pred : iset -> iset
axiom pred_def_1 : 
  forall s:iset. forall i:int [in_(i,pred(s))]. 
  i>=0 -> in_(i+1,s) -> in_(i,pred(s))
axiom pred_def_2 : 
  forall s:iset. forall i:int. in_(i,pred(s)) -> in_(i+1,s)

(* logical arrays *)

type 'a arr

logic acc : 'a arr,int -> 'a
logic upd : 'a arr,int,'a -> 'a arr

axiom acc_upd_eq : 
  forall a:'a arr. forall i:int. forall v:'a. 
    acc(upd(a,i,v),i) = v
axiom acc_upd_neq : 
  forall a:'a arr. forall i,j:int. forall v:'a. 
    i<>j -> acc(upd(a,i,v),j) = acc(a,j)

predicate eq_prefix(t:'a arr, u:'a arr, i:int) =
  (* t and u have the same prefix [0..i[ *)
  forall k:int. 0 <= k < i -> acc(t,k)=acc(u,k)

(* solutions *)

predicate partial_solution(k:int, s:int arr) =
  forall i:int. 0 <= i < k ->
    0 <= acc(s,i) < N and
    forall j:int. 
      0 <= j < i -> acc(s,i) <> acc(s,j) and
                    acc(s,i) - acc(s,j) <> i - j and
	            acc(s,i) - acc(s,j) <> j - i

predicate solution(s:int arr) = partial_solution(N, s)

predicate eq_sol(t:int arr, u:int arr) = eq_prefix(t, u, N)

(*lemma*)axiom partial_solution_eq_prefix:
   forall t,u:int arr. forall k:int 
   [partial_solution(k,t), partial_solution(k,u)].
     partial_solution(k,t) -> eq_prefix(t,u,k) -> partial_solution(k,u)

predicate lt_sol(s1:int arr, s2:int arr) =
  exists i:int. 
     0 <= i < N and eq_prefix(s1, s2, i) and acc(s1,i) < acc(s2,i)

(* s[a..b[ is sorted for lt_sol *)
predicate sorted(s: int arr arr, a:int, b:int) = 
  forall i,j:int. a <= i < j < b -> lt_sol(acc(s,i), acc(s,j))

(* code *)

parameter sol : int arr arr ref
parameter s : int ref

parameter col : int arr ref
parameter k : int ref

parameter register_solution : unit -> 
  { solution(col) } 
  unit reads col writes s,sol 
  { s=s@+1 and eq_prefix(sol@,sol,s@) and acc(sol,s@)=col }

let rec count (a:iset) (b:iset) (c:iset) : int { variant card(a) } =
  { 0 <= k and k+card(a)=N and 0 <= s and
    pre_a: (forall i:int. 
	     in_(i,a) <-> 0<=i i<>acc(col,j)) and
    pre_b: (forall i:int. 0<=i ->  
             (in_(i,b) <-> exists j:int. 0<=j  
             (in_(i,c) <-> exists j:int. 0<=j 0 do
      { invariant 
	  included(e,e@L) and
	  f = s - s@L and f >= 0 and k = k@L and
	  (forall i,j:int. in_(i,diff(e@L,e)) -> in_(j,e) -> i 
             (exists i:int. s@L <= i < s and eq_sol(t, acc(sol,i)))) and
	  sorted(sol, s@L, s)
        variant card(e) }
      let d = min_elt !e in
      e := remove d !e;
      col := upd !col !k d;
      k := !k + 1;
      f := !f + count (remove d a) (succ (add d b)) (pred (add d c));
      k := !k - 1
    done;
    !f
  end
  { result = s-s@ and result >= 0 and k = k@ and
    eq_prefix(col@,col,k) and eq_prefix(sol@,sol,s@) and
    sorted(sol, s@, s) and
    forall t:int arr.
      (solution(t) and eq_prefix(col, t, k)) <-> 
      (exists i:int. s@ <= i < s and eq_sol(t, acc(sol,i)))
  }    

logic below_N : iset
axiom below_N_def : forall i:int. in_(i,below_N) <-> 0<=i (exists i:int. 0 <= i < s and eq_sol(t, acc(sol,i)))
  }
why-2.34/examples/queens/.depend0000644000175000017500000000000012311670312015161 0ustar  rtuserswhy-2.34/examples/queens/queens_why.v0000644000175000017500000015201512311670312016315 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Export Why.

(*Why logic*) Definition N : Z.
Admitted.

(*Why type*) Definition iset: Set.
Admitted.

(*Why logic*) Definition in_ : Z -> iset -> Prop.
Admitted.

(*Why predicate*) Definition included  (a:iset) (b:iset)
  := (forall (i:Z), ((in_ i a) -> (in_ i b))).

(*Why logic*) Definition card : iset -> Z.
Admitted.

(*Why axiom*) Lemma card_nonneg : (forall (s:iset), (card s) >= 0).
Admitted.
Dp_hint card_nonneg.

(*Why logic*) Definition empty : iset.
Admitted.

(*Why axiom*) Lemma empty_def : (forall (i:Z), ~(in_ i empty)).
Admitted.
Dp_hint empty_def.

(*Why axiom*) Lemma empty_card :
  (forall (s:iset), ((card s) = 0 <-> s = empty)).
Admitted.
Dp_hint empty_card.

(*Why logic*) Definition diff : iset -> iset -> iset.
Admitted.

(*Why axiom*) Lemma diff_def_1 :
  (forall (a:iset),
   (forall (b:iset),
    (forall (i:Z), ((in_ i (diff a b)) -> (in_ i a) /\ ~(in_ i b))))).
Admitted.
Dp_hint diff_def_1.

(*Why axiom*) Lemma diff_def_2 :
  (forall (a:iset),
   (forall (b:iset),
    (forall (i:Z), ((in_ i a) /\ ~(in_ i b) -> (in_ i (diff a b)))))).
Admitted.
Dp_hint diff_def_2.

(*Why logic*) Definition add : Z -> iset -> iset.
Admitted.

(*Why axiom*) Lemma add_def :
  (forall (s:iset),
   (forall (x:Z), (forall (i:Z), ((in_ i (add x s)) <-> i = x \/ (in_ i s))))).
Admitted.
Dp_hint add_def.

(*Why logic*) Definition remove : Z -> iset -> iset.
Admitted.

(*Why axiom*) Lemma remove_def :
  (forall (s:iset),
   (forall (x:Z),
    (forall (i:Z), ((in_ i (remove x s)) <-> (in_ i s) /\ i <> x)))).
Admitted.
Dp_hint remove_def.

(*Why axiom*) Lemma remove_card :
  (forall (s:iset),
   (forall (i:Z), ((in_ i s) -> (card (remove i s)) = ((card s) - 1)))).
Admitted.
Dp_hint remove_card.

(*Why logic*) Definition min_elt : iset -> Z.
Admitted.

(*Why axiom*) Lemma min_elt_def_1 :
  (forall (s:iset), ((card s) > 0 -> (in_ (min_elt s) s))).
Admitted.
Dp_hint min_elt_def_1.

(*Why axiom*) Lemma min_elt_def_2 :
  (forall (s:iset),
   ((card s) > 0 -> (forall (i:Z), ((in_ i s) -> (min_elt s) <= i)))).
Admitted.
Dp_hint min_elt_def_2.

(*Why logic*) Definition succ : iset -> iset.
Admitted.

(*Why axiom*) Lemma succ_def_1 :
  (forall (s:iset), (forall (i:Z), ((in_ i s) -> (in_ (i + 1) (succ s))))).
Admitted.
Dp_hint succ_def_1.

(*Why axiom*) Lemma succ_def_2 :
  (forall (s:iset),
   (forall (i:Z), ((in_ i (succ s)) -> i >= 1 /\ (in_ (i - 1) s)))).
Admitted.
Dp_hint succ_def_2.

(*Why logic*) Definition pred : iset -> iset.
Admitted.

(*Why axiom*) Lemma pred_def_1 :
  (forall (s:iset),
   (forall (i:Z), (i >= 0 -> ((in_ (i + 1) s) -> (in_ i (pred s)))))).
Admitted.
Dp_hint pred_def_1.

(*Why axiom*) Lemma pred_def_2 :
  (forall (s:iset), (forall (i:Z), ((in_ i (pred s)) -> (in_ (i + 1) s)))).
Admitted.
Dp_hint pred_def_2.

(*Why type*) Definition arr: Set ->Set.
Admitted.

(*Why logic*) Definition acc : forall (A1:Set), (arr A1) -> Z -> A1.
Admitted.
Implicit Arguments acc.

(*Why logic*) Definition upd :
  forall (A1:Set), (arr A1) -> Z -> A1 -> (arr A1).
Admitted.
Implicit Arguments upd.

(*Why axiom*) Lemma acc_upd_eq :
  forall (A1:Set),
  (forall (a:(arr A1)),
   (forall (i:Z), (forall (v:A1), (acc (upd a i v) i) = v))).
Admitted.
Implicit Arguments acc_upd_eq.
Dp_hint acc_upd_eq.

(*Why axiom*) Lemma acc_upd_neq :
  forall (A1:Set),
  (forall (a:(arr A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (acc (upd a i v) j) = (acc a j)))))).
Admitted.
Implicit Arguments acc_upd_neq.
Dp_hint acc_upd_neq.

(*Why predicate*) Definition eq_prefix (A104:Set) (t:(arr A104)) (u:(arr A104)) (i:Z)
  := (forall (k:Z), (0 <= k /\ k < i -> (acc t k) = (acc u k))).
Implicit Arguments eq_prefix.

(*Why predicate*) Definition partial_solution  (k:Z) (s:(arr Z))
  := (forall (i:Z),
      (0 <= i /\ i < k -> (0 <= (acc s i) /\ (acc s i) < N) /\
       (forall (j:Z),
        (0 <= j /\ j < i -> (acc s i) <> (acc s j) /\
         ((acc s i) - (acc s j)) <> (i - j) /\ ((acc s i) - (acc s j)) <>
         (j - i))))).

(*Why predicate*) Definition solution  (s:(arr Z)) := (partial_solution N s).

(*Why predicate*) Definition eq_sol  (t:(arr Z)) (u:(arr Z))
  := (eq_prefix t u N).
Implicit Arguments eq_sol.



(*Why axiom*) Lemma partial_solution_eq_prefix :
  (forall (t:(arr Z)),
   (forall (u:(arr Z)),
    (forall (k:Z),
     ((partial_solution k t) -> ((eq_prefix t u k) -> (partial_solution k u)))))).
Admitted.
Dp_hint partial_solution_eq_prefix.

Dp_debug.

(*Why predicate*) Definition lt_sol  (s1:(arr Z)) (s2:(arr Z))
  := (exists i:Z, (0 <= i /\ i < N) /\ (eq_prefix s1 s2 i) /\ (acc s1 i) <
      (acc s2 i)).

(*Why predicate*) Definition sorted  (s:(arr (arr Z))) (a:Z) (b:Z)
  := (forall (i:Z),
      (forall (j:Z),
       ((a <= i /\ i < j) /\ j < b -> (lt_sol (acc s i) (acc s j))))).

Proof.
ergo.
Save.

Proof.
ergo.
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
Save.

Lemma lemma_count_25 : 
  forall (a: iset),
  forall (b: iset),
  forall (c: iset),
  forall (col: ((arr) Z)),
  forall (k: Z),
  forall (s: Z),
  forall (sol: ((arr) ((arr) Z))),
  forall (HW_1: 0 <= k /\ (k + (card a)) = N /\ 0 <= s /\
                (* pre_a *)
                ((forall (i:Z),
                  ((in_ i a) <-> (0 <= i /\ i < N) /\
                   (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                (* pre_b *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i b) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + j - k))))) /\
                (* pre_c *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i c) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + k - j))))) /\
                (partial_solution k col))))),
  forall (HW_7: (card a) <> 0),
  forall (HW_10: (included (diff (diff a b) c) (diff (diff a b) c)) /\ 0 =
                 (s - s) /\ 0 >= 0 /\ k = k /\ (partial_solution k col) /\
                 (eq_prefix col col k) /\ (eq_prefix sol sol s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z,
                    (in_ di (diff (diff (diff a b) c) (diff (diff a b) c))) /\
                    (eq_prefix (upd col k di) t (k + 1))) <->
                   (exists i:Z, (s <= i /\ i < s) /\ (eq_sol t (acc sol i)))))),
  forall (col0: ((arr) Z)),
  forall (e: iset),
  forall (f: Z),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_11: (included e (diff (diff a b) c)) /\ f = (s0 - s) /\ f >=
                 0 /\ k0 = k /\ (partial_solution k0 col0) /\
                 (eq_prefix col col0 k) /\ (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z, (in_ di (diff (diff (diff a b) c) e)) /\
                    (eq_prefix (upd col0 k0 di) t (k0 + 1))) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i)))))),
  forall (HW_12: (card e) > 0),
  forall (e0: iset),
  forall (HW_13: e0 = (remove (min_elt e) e)),
  forall (col1: ((arr) Z)),
  forall (HW_14: col1 = (upd col0 k0 (min_elt e))),
  forall (k1: Z),
  forall (HW_15: k1 = (k0 + 1)),
  forall (HW_16: (Zwf 0 (card (remove (min_elt e) a)) (card a))),
  forall (i: Z),
  forall (HW_17: (in_ i (remove (min_elt e) a))),
  forall (j: Z),
  forall (HW_18: 0 <= j /\ j < k1),
  (* pre_a *) i <> (acc col1 j).
Proof.
intros; clear HW_16.
assert (h:j (0 <= i /\ i < N) /\
                   (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                (* pre_b *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i b) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + j - k))))) /\
                (* pre_c *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i c) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + k - j))))) /\
                (partial_solution k col))))),
  forall (HW_7: (card a) <> 0),
  forall (HW_10: (included (diff (diff a b) c) (diff (diff a b) c)) /\ 0 =
                 (s - s) /\ 0 >= 0 /\ k = k /\ (partial_solution k col) /\
                 (eq_prefix col col k) /\ (eq_prefix sol sol s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z,
                    (in_ di (diff (diff (diff a b) c) (diff (diff a b) c))) /\
                    (eq_prefix (upd col k di) t (k + 1))) <->
                   (exists i:Z, (s <= i /\ i < s) /\ (eq_sol t (acc sol i)))))),
  forall (col0: ((arr) Z)),
  forall (e: iset),
  forall (f: Z),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_11: (included e (diff (diff a b) c)) /\ f = (s0 - s) /\ f >=
                 0 /\ k0 = k /\ (partial_solution k0 col0) /\
                 (eq_prefix col col0 k) /\ (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z, (in_ di (diff (diff (diff a b) c) e)) /\
                    (eq_prefix (upd col0 k0 di) t (k0 + 1))) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i)))))),
  forall (HW_12: (card e) > 0),
  forall (e0: iset),
  forall (HW_13: e0 = (remove (min_elt e) e)),
  forall (col1: ((arr) Z)),
  forall (HW_14: col1 = (upd col0 k0 (min_elt e))),
  forall (k1: Z),
  forall (HW_15: k1 = (k0 + 1)),
  forall (HW_16: (Zwf 0 (card (remove (min_elt e) a)) (card a))),
  forall (i: Z),
  forall (HW_19: (0 <= i /\ i < N) /\
                 (forall (j:Z), (0 <= j /\ j < k1 -> i <> (acc col1 j)))),
  (* pre_a *) (in_ i (remove (min_elt e) a)).
Proof.
intros.
assert (i <> (min_elt e)). 
assert (acc col1 k0 = min_elt e). 
subst col1. rewrite acc_upd_eq; auto.
ergo.
assert (in_ i a).
clear HW_10; intuition.
clear H11 H13 H18.
generalize (H8 i); clear H8; intuition.
apply H13.
intros j Hj.
replace (acc col j) with (acc col0 j). 
replace (acc col0 j) with (acc col1 j).
ergo. ergo. ergo. ergo.
Save.

Lemma lemma_count_27 : 
  forall (a: iset),
  forall (b: iset),
  forall (c: iset),
  forall (col: ((arr) Z)),
  forall (k: Z),
  forall (s: Z),
  forall (sol: ((arr) ((arr) Z))),
  forall (HW_1: 0 <= k /\ (k + (card a)) = N /\ 0 <= s /\
                (* pre_a *)
                ((forall (i:Z),
                  ((in_ i a) <-> (0 <= i /\ i < N) /\
                   (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                (* pre_b *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i b) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + j - k))))) /\
                (* pre_c *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i c) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + k - j))))) /\
                (partial_solution k col))))),
  forall (HW_7: (card a) <> 0),
  forall (HW_10: (included (diff (diff a b) c) (diff (diff a b) c)) /\ 0 =
                 (s - s) /\ 0 >= 0 /\ k = k /\ (partial_solution k col) /\
                 (eq_prefix col col k) /\ (eq_prefix sol sol s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z,
                    (in_ di (diff (diff (diff a b) c) (diff (diff a b) c))) /\
                    (eq_prefix (upd col k di) t (k + 1))) <->
                   (exists i:Z, (s <= i /\ i < s) /\ (eq_sol t (acc sol i)))))),
  forall (col0: ((arr) Z)),
  forall (e: iset),
  forall (f: Z),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_11: (included e (diff (diff a b) c)) /\ f = (s0 - s) /\ f >=
                 0 /\ k0 = k /\ (partial_solution k0 col0) /\
                 (eq_prefix col col0 k) /\ (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z, (in_ di (diff (diff (diff a b) c) e)) /\
                    (eq_prefix (upd col0 k0 di) t (k0 + 1))) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i)))))),
  forall (HW_12: (card e) > 0),
  forall (e0: iset),
  forall (HW_13: e0 = (remove (min_elt e) e)),
  forall (col1: ((arr) Z)),
  forall (HW_14: col1 = (upd col0 k0 (min_elt e))),
  forall (k1: Z),
  forall (HW_15: k1 = (k0 + 1)),
  forall (HW_16: (Zwf 0 (card (remove (min_elt e) a)) (card a))),
  forall (i: Z),
  forall (HW_20: 0 <= i),
  forall (HW_21: (in_ i (succ (add (min_elt e) b)))),
  (* pre_a *)
  (* pre_b *) (exists j:Z, (0 <= j /\ j < k1) /\ (acc col1 j) = (i + j - k1)).
Proof.
intros.
assert (h: i >= 1 /\ in_ (i-1) (add (min_elt e) b)). ergo. destruct h.
assert (h: i-1=min_elt e \/ in_ (i-1) b). ergo. destruct h.
ergo.
assert (h: exists j:Z, 0<=j (0 <= i /\ i < N) /\
                   (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                (* pre_b *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i b) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + j - k))))) /\
                (* pre_c *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i c) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + k - j))))) /\
                (partial_solution k col))))),
  forall (HW_7: (card a) <> 0),
  forall (HW_10: (included (diff (diff a b) c) (diff (diff a b) c)) /\ 0 =
                 (s - s) /\ 0 >= 0 /\ k = k /\ (partial_solution k col) /\
                 (eq_prefix col col k) /\ (eq_prefix sol sol s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z,
                    (in_ di (diff (diff (diff a b) c) (diff (diff a b) c))) /\
                    (eq_prefix (upd col k di) t (k + 1))) <->
                   (exists i:Z, (s <= i /\ i < s) /\ (eq_sol t (acc sol i)))))),
  forall (col0: ((arr) Z)),
  forall (e: iset),
  forall (f: Z),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_11: (included e (diff (diff a b) c)) /\ f = (s0 - s) /\ f >=
                 0 /\ k0 = k /\ (partial_solution k0 col0) /\
                 (eq_prefix col col0 k) /\ (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z, (in_ di (diff (diff (diff a b) c) e)) /\
                    (eq_prefix (upd col0 k0 di) t (k0 + 1))) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i)))))),
  forall (HW_12: (card e) > 0),
  forall (e0: iset),
  forall (HW_13: e0 = (remove (min_elt e) e)),
  forall (col1: ((arr) Z)),
  forall (HW_14: col1 = (upd col0 k0 (min_elt e))),
  forall (k1: Z),
  forall (HW_15: k1 = (k0 + 1)),
  forall (HW_16: (Zwf 0 (card (remove (min_elt e) a)) (card a))),
  forall (i: Z),
  forall (HW_20: 0 <= i),
  forall (HW_22: (exists j:Z, (0 <= j /\ j < k1) /\ (acc col1 j) =
                  (i + j - k1))),
  (* pre_a *) (* pre_b *) (in_ i (succ (add (min_elt e) b))).
Proof.
intros.
destruct HW_22 as (j,(h1,h2)).
replace i with ((i-1)+1). apply succ_def_1.
assert (h: j (0 <= i /\ i < N) /\
                   (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                (* pre_b *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i b) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + j - k))))) /\
                (* pre_c *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i c) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + k - j))))) /\
                (partial_solution k col))))),
  forall (HW_7: (card a) <> 0),
  forall (HW_10: (included (diff (diff a b) c) (diff (diff a b) c)) /\ 0 =
                 (s - s) /\ 0 >= 0 /\ k = k /\ (partial_solution k col) /\
                 (eq_prefix col col k) /\ (eq_prefix sol sol s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z,
                    (in_ di (diff (diff (diff a b) c) (diff (diff a b) c))) /\
                    (eq_prefix (upd col k di) t (k + 1))) <->
                   (exists i:Z, (s <= i /\ i < s) /\ (eq_sol t (acc sol i)))))),
  forall (col0: ((arr) Z)),
  forall (e: iset),
  forall (f: Z),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_11: (included e (diff (diff a b) c)) /\ f = (s0 - s) /\ f >=
                 0 /\ k0 = k /\ (partial_solution k0 col0) /\
                 (eq_prefix col col0 k) /\ (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z, (in_ di (diff (diff (diff a b) c) e)) /\
                    (eq_prefix (upd col0 k0 di) t (k0 + 1))) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i)))))),
  forall (HW_12: (card e) > 0),
  forall (e0: iset),
  forall (HW_13: e0 = (remove (min_elt e) e)),
  forall (col1: ((arr) Z)),
  forall (HW_14: col1 = (upd col0 k0 (min_elt e))),
  forall (k1: Z),
  forall (HW_15: k1 = (k0 + 1)),
  forall (HW_16: (Zwf 0 (card (remove (min_elt e) a)) (card a))),
  forall (i: Z),
  forall (HW_23: 0 <= i),
  forall (HW_25: (exists j:Z, (0 <= j /\ j < k1) /\ (acc col1 j) =
                  (i + k1 - j))),
  (* pre_a *) (* pre_b *) (* pre_c *) (in_ i (pred (add (min_elt e) c))).
Proof.
intros.
destruct HW_25 as (j,(h1,h2)).
assert (acc col1 j >= 1). omega.
replace i with ((i+1)-1). apply pred_def_1.
omega.
assert (h: j (0 <= i /\ i < N) /\
                   (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                (* pre_b *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i b) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + j - k))))) /\
                (* pre_c *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i c) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + k - j))))) /\
                (partial_solution k col))))),
  forall (HW_7: (card a) <> 0),
  forall (HW_10: (included (diff (diff a b) c) (diff (diff a b) c)) /\ 0 =
                 (s - s) /\ 0 >= 0 /\ k = k /\ (partial_solution k col) /\
                 (eq_prefix col col k) /\ (eq_prefix sol sol s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z,
                    (in_ di (diff (diff (diff a b) c) (diff (diff a b) c))) /\
                    (eq_prefix (upd col k di) t (k + 1))) <->
                   (exists i:Z, (s <= i /\ i < s) /\ (eq_sol t (acc sol i)))))),
  forall (col0: ((arr) Z)),
  forall (e: iset),
  forall (f: Z),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_11: (included e (diff (diff a b) c)) /\ f = (s0 - s) /\ f >=
                 0 /\ k0 = k /\ (partial_solution k0 col0) /\
                 (eq_prefix col col0 k) /\ (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z, (in_ di (diff (diff (diff a b) c) e)) /\
                    (eq_prefix (upd col0 k0 di) t (k0 + 1))) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i)))))),
  forall (HW_12: (card e) > 0),
  forall (e0: iset),
  forall (HW_13: e0 = (remove (min_elt e) e)),
  forall (col1: ((arr) Z)),
  forall (HW_14: col1 = (upd col0 k0 (min_elt e))),
  forall (k1: Z),
  forall (HW_15: k1 = (k0 + 1)),
  forall (HW_16: (Zwf 0 (card (remove (min_elt e) a)) (card a))),
  (* pre_a *) (* pre_b *) (* pre_c *) (partial_solution k1 col1).
Proof.
intros.
unfold partial_solution.
intros i hi. split.
simplify. (* ERGO fauit timeout *)
intros j hj.
assert (k0=k). omega. subst k0.
assert (h: i (0 <= i /\ i < N) /\
                   (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                (* pre_b *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i b) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + j - k))))) /\
                (* pre_c *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i c) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + k - j))))) /\
                (partial_solution k col))))),
  forall (HW_7: (card a) <> 0),
  forall (HW_10: (included (diff (diff a b) c) (diff (diff a b) c)) /\ 0 =
                 (s - s) /\ 0 >= 0 /\ k = k /\ (partial_solution k col) /\
                 (eq_prefix col col k) /\ (eq_prefix sol sol s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z,
                    (in_ di (diff (diff (diff a b) c) (diff (diff a b) c))) /\
                    (eq_prefix (upd col k di) t (k + 1))) <->
                   (exists i:Z, (s <= i /\ i < s) /\ (eq_sol t (acc sol i)))))),
  forall (col0: ((arr) Z)),
  forall (e: iset),
  forall (f: Z),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_11: (included e (diff (diff a b) c)) /\ f = (s0 - s) /\ f >=
                 0 /\ k0 = k /\ (partial_solution k0 col0) /\
                 (eq_prefix col col0 k) /\ (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z, (in_ di (diff (diff (diff a b) c) e)) /\
                    (eq_prefix (upd col0 k0 di) t (k0 + 1))) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i)))))),
  forall (HW_12: (card e) > 0),
  forall (e0: iset),
  forall (HW_13: e0 = (remove (min_elt e) e)),
  forall (col1: ((arr) Z)),
  forall (HW_14: col1 = (upd col0 k0 (min_elt e))),
  forall (k1: Z),
  forall (HW_15: k1 = (k0 + 1)),
  forall (HW_16: (Zwf 0 (card (remove (min_elt e) a)) (card a))),
  forall (HW_26: 0 <= k1 /\ (k1 + (card (remove (min_elt e) a))) = N /\ 0 <=
                 s0 /\
                 (* pre_a *)
                 ((forall (i:Z),
                   ((in_ i (remove (min_elt e) a)) <-> (0 <= i /\ i < N) /\
                    (forall (j:Z), (0 <= j /\ j < k1 -> i <> (acc col1 j))))) /\
                 (* pre_b *)
                 ((forall (i:Z),
                   (0 <= i ->
                    ((in_ i (succ (add (min_elt e) b))) <->
                     (exists j:Z, (0 <= j /\ j < k1) /\ (acc col1 j) =
                      (i + j - k1))))) /\
                 (* pre_c *)
                 ((forall (i:Z),
                   (0 <= i ->
                    ((in_ i (pred (add (min_elt e) c))) <->
                     (exists j:Z, (0 <= j /\ j < k1) /\ (acc col1 j) =
                      (i + k1 - j))))) /\
                 (partial_solution k1 col1))))),
  forall (result: Z),
  forall (col2: ((arr) Z)),
  forall (k2: Z),
  forall (s1: Z),
  forall (sol1: ((arr) ((arr) Z))),
  forall (HW_27: result = (s1 - s0) /\ result >= 0 /\ k2 = k1 /\
                 (eq_prefix col1 col2 k2) /\ (eq_prefix sol0 sol1 s0) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\ (eq_prefix col2 t k2) <->
                   (exists i:Z, (s0 <= i /\ i < s1) /\
                    (eq_sol t (acc sol1 i)))))),
  forall (f0: Z),
  forall (HW_28: f0 = (f + result)),
  forall (k3: Z),
  forall (HW_29: k3 = (k2 - 1)),
  forall (t: ((arr) Z)),
  forall (HW_30: (solution t) /\
                 (exists di:Z, (in_ di (diff (diff (diff a b) c) e0)) /\
                  (eq_prefix (upd col2 k3 di) t (k3 + 1)))),
  (exists i:Z, (s <= i /\ i < s1) /\ (eq_sol t (acc sol1 i))).
Proof.
intros.
destruct HW_30 as (h,(di,(h1,h2))).
assert (hdi: di=min_elt e \/ in_ di (diff (diff (diff a b) c) e)).
simplify. (*ERGO*)
destruct hdi.
subst di.
decompose [and] HW_27.
destruct (H5 t).
destruct H4.
split; auto.
simplify. (*ERGO*)
exists x; intuition.
assert (hs: 0<=s). omega.
clear HW_1 HW_10 HW_26.
intuition.
generalize (H14 t); clear H14. intuition.
clear H15. destruct H14.
exists di; intuition.
subst k3 k2 k1 k0.
assert 
  (eq_prefix_trans: forall (a b c:arr Z) k, eq_prefix a b k ->
      eq_prefix b c k -> eq_prefix a c k).
simplify. (*ERGO*)
apply eq_prefix_trans with (upd col1 k di).
simplify. (*ERGO*)
simplify. (*ERGO*)
exists x; intuition.
red in H9.
rewrite <- H9.
ergo.
omega.
Save.

Lemma lemma_count_41 : 
  forall (a: iset),
  forall (b: iset),
  forall (c: iset),
  forall (col: ((arr) Z)),
  forall (k: Z),
  forall (s: Z),
  forall (sol: ((arr) ((arr) Z))),
  forall (HW_1: 0 <= k /\ (k + (card a)) = N /\
                (* pre_a *)
                ((forall (i:Z),
                  ((in_ i a) <-> (0 <= i /\ i < N) /\
                   (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                (* pre_b *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i b) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + j - k))))) /\
                (* pre_c *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i c) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + k - j))))) /\
                (partial_solution k col))))),
  forall (HW_7: (card a) <> 0),
  forall (HW_10: (included (diff (diff a b) c) (diff (diff a b) c)) /\ 0 =
                 (s - s) /\ 0 >= 0 /\ k = k /\ (partial_solution k col) /\
                 (eq_prefix col col k) /\ (eq_prefix sol sol s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z,
                    (in_ di (diff (diff (diff a b) c) (diff (diff a b) c))) /\
                    (eq_prefix (upd col k di) t (k + 1))) <->
                   (exists i:Z, (s <= i /\ i < s) /\ (eq_sol t (acc sol i)))))),
  forall (col0: ((arr) Z)),
  forall (e: iset),
  forall (f: Z),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_11: (included e (diff (diff a b) c)) /\ f = (s0 - s) /\ f >=
                 0 /\ k0 = k /\ (partial_solution k0 col0) /\
                 (eq_prefix col col0 k) /\ (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z, (in_ di (diff (diff (diff a b) c) e)) /\
                    (eq_prefix (upd col0 k0 di) t (k0 + 1))) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i)))))),
  forall (HW_12: (card e) > 0),
  forall (e0: iset),
  forall (HW_13: e0 = (remove (min_elt e) e)),
  forall (col1: ((arr) Z)),
  forall (HW_14: col1 = (upd col0 k0 (min_elt e))),
  forall (k1: Z),
  forall (HW_15: k1 = (k0 + 1)),
  forall (HW_16: (Zwf 0 (card (remove (min_elt e) a)) (card a))),
  forall (HW_26: 0 <= k1 /\ (k1 + (card (remove (min_elt e) a))) = N /\
                 (* pre_a *)
                 ((forall (i:Z),
                   ((in_ i (remove (min_elt e) a)) <-> (0 <= i /\ i < N) /\
                    (forall (j:Z), (0 <= j /\ j < k1 -> i <> (acc col1 j))))) /\
                 (* pre_b *)
                 ((forall (i:Z),
                   (0 <= i ->
                    ((in_ i (succ (add (min_elt e) b))) <->
                     (exists j:Z, (0 <= j /\ j < k1) /\ (acc col1 j) =
                      (i + j - k1))))) /\
                 (* pre_c *)
                 ((forall (i:Z),
                   (0 <= i ->
                    ((in_ i (pred (add (min_elt e) c))) <->
                     (exists j:Z, (0 <= j /\ j < k1) /\ (acc col1 j) =
                      (i + k1 - j))))) /\
                 (partial_solution k1 col1))))),
  forall (result: Z),
  forall (col2: ((arr) Z)),
  forall (k2: Z),
  forall (s1: Z),
  forall (sol1: ((arr) ((arr) Z))),
  forall (HW_27: result = (s1 - s0) /\ result >= 0 /\ k2 = k1 /\
                 (eq_prefix col1 col2 k2) /\ (eq_prefix sol0 sol1 s0) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\ (eq_prefix col2 t k2) <->
                   (exists i:Z, (s0 <= i /\ i < s1) /\
                    (eq_sol t (acc sol1 i)))))),
  forall (f0: Z),
  forall (HW_28: f0 = (f + result)),
  forall (k3: Z),
  forall (HW_29: k3 = (k2 - 1)),
  forall (t: ((arr) Z)),
  forall (HW_31: (exists i:Z, (s <= i /\ i < s1) /\ (eq_sol t (acc sol1 i)))),
  (exists di:Z, (in_ di (diff (diff (diff a b) c) e0)) /\
   (eq_prefix (upd col2 k3 di) t (k3 + 1))).
Proof.
intuition.
destruct HW_31 as (i,(hi,hsoli)).
assert (s <= i < s0 \/ s0 <= i < s1). omega. intuition.
clear H22 H24 H25 H33.
generalize (H21 t); intuition.
clear H22. destruct H25.
exists i; intuition.
unfold eq_prefix in H31.
rewrite H31; intuition.
admit. admit. admit.
Qed.

Lemma lemma_count_39_bis : 
  forall (a: iset),
  forall (b: iset),
  forall (c: iset),
  forall (col: ((arr) Z)),
  forall (k: Z),
  forall (s: Z),
  forall (sol: ((arr) ((arr) Z))),
  forall (HW_1: 0 <= k /\ (k + (card a)) = N /\ 0 <= s /\
                (* pre_a *)
                ((forall (i:Z),
                  ((in_ i a) <-> (0 <= i /\ i < N) /\
                   (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                (* pre_b *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i b) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + j - k))))) /\
                (* pre_c *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i c) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + k - j))))) /\
                (partial_solution k col))))),
  forall (HW_7: (card a) <> 0),
  forall (HW_12: (included (diff (diff a b) c) (diff (diff a b) c)) /\ 0 =
                 (s - s) /\ 0 >= 0 /\ k = k /\
                 (forall (i:Z),
                  (forall (j:Z),
                   ((in_ i (diff (diff (diff a b) c) (diff (diff a b) c))) ->
                    ((in_ j (diff (diff a b) c)) -> i < j)))) /\
                 (partial_solution k col) /\ (eq_prefix col col k) /\
                 (eq_prefix sol sol s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z,
                    (in_ di (diff (diff (diff a b) c) (diff (diff a b) c))) /\
                    (eq_prefix (upd col k di) t (k + 1))) <->
                   (exists i:Z, (s <= i /\ i < s) /\ (eq_sol t (acc sol i))))) /\
                 (sorted sol s s)),
  forall (col0: ((arr) Z)),
  forall (e: iset),
  forall (f: Z),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_13: (included e (diff (diff a b) c)) /\ f = (s0 - s) /\ f >=
                 0 /\ k0 = k /\
                 (forall (i:Z),
                  (forall (j:Z),
                   ((in_ i (diff (diff (diff a b) c) e)) ->
                    ((in_ j e) -> i < j)))) /\
                 (partial_solution k0 col0) /\ (eq_prefix col col0 k) /\
                 (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z, (in_ di (diff (diff (diff a b) c) e)) /\
                    (eq_prefix (upd col0 k0 di) t (k0 + 1))) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i))))) /\
                 (sorted sol0 s s0)),
  forall (HW_14: (card e) > 0),
  forall (e0: iset),
  forall (HW_15: e0 = (remove (min_elt e) e)),
  forall (col1: ((arr) Z)),
  forall (HW_16: col1 = (upd col0 k0 (min_elt e))),
  forall (k1: Z),
  forall (HW_17: k1 = (k0 + 1)),
  forall (HW_18: (Zwf 0 (card (remove (min_elt e) a)) (card a))),
  forall (HW_28: 0 <= k1 /\ (k1 + (card (remove (min_elt e) a))) = N /\ 0 <=
                 s0 /\
                 (* pre_a *)
                 ((forall (i:Z),
                   ((in_ i (remove (min_elt e) a)) <-> (0 <= i /\ i < N) /\
                    (forall (j:Z), (0 <= j /\ j < k1 -> i <> (acc col1 j))))) /\
                 (* pre_b *)
                 ((forall (i:Z),
                   (0 <= i ->
                    ((in_ i (succ (add (min_elt e) b))) <->
                     (exists j:Z, (0 <= j /\ j < k1) /\ (acc col1 j) =
                      (i + j - k1))))) /\
                 (* pre_c *)
                 ((forall (i:Z),
                   (0 <= i ->
                    ((in_ i (pred (add (min_elt e) c))) <->
                     (exists j:Z, (0 <= j /\ j < k1) /\ (acc col1 j) =
                      (i + k1 - j))))) /\
                 (partial_solution k1 col1))))),
  forall (result: Z),
  forall (col2: ((arr) Z)),
  forall (k2: Z),
  forall (s1: Z),
  forall (sol1: ((arr) ((arr) Z))),
  forall (HW_29: result = (s1 - s0) /\ result >= 0 /\ k2 = k1 /\
                 (eq_prefix col1 col2 k2) /\ (eq_prefix sol0 sol1 s0) /\
                 (sorted sol1 s0 s1) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\ (eq_prefix col2 t k2) <->
                   (exists i:Z, (s0 <= i /\ i < s1) /\
                    (eq_sol t (acc sol1 i)))))),
  forall (f0: Z),
  forall (HW_30: f0 = (f + result)),
  forall (k3: Z),
  forall (HW_31: k3 = (k2 - 1)),
  forall (i: Z),
  forall (j: Z),
  forall (HW_32: (in_ i (diff (diff (diff a b) c) e0))),
  forall (HW_33: (in_ j e0)),
  i < j.
Proof.
intuition.
clear H5 H14 H24 H29 H30 H31 H40.
assert (hje: in_ j e). ergo.
assert (hi1: in_ i (diff (diff a b) c)). ergo.
assert (hi2: ~(in_ i e0)). ergo.
assert (hi: i=min_elt e \/ in_ i (diff (diff (diff a b) c) e)); ergo.
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Lemma lemma_count_46 : 
  forall (a: iset),
  forall (b: iset),
  forall (c: iset),
  forall (col: ((arr) Z)),
  forall (k: Z),
  forall (s: Z),
  forall (sol: ((arr) ((arr) Z))),
  forall (HW_1: 0 <= k /\ (k + (card a)) = N /\ 0 <= s /\
                (* pre_a *)
                ((forall (i:Z),
                  ((in_ i a) <-> (0 <= i /\ i < N) /\
                   (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                (* pre_b *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i b) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + j - k))))) /\
                (* pre_c *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i c) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + k - j))))) /\
                (partial_solution k col))))),
  forall (HW_7: (card a) <> 0),
  forall (HW_12: (included (diff (diff a b) c) (diff (diff a b) c)) /\ 0 =
                 (s - s) /\ 0 >= 0 /\ k = k /\
                 (forall (i:Z),
                  (forall (j:Z),
                   ((in_ i (diff (diff (diff a b) c) (diff (diff a b) c))) ->
                    ((in_ j (diff (diff a b) c)) -> i < j)))) /\
                 (partial_solution k col) /\ (eq_prefix col col k) /\
                 (eq_prefix sol sol s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z,
                    (in_ di (diff (diff (diff a b) c) (diff (diff a b) c))) /\
                    (eq_prefix (upd col k di) t (k + 1))) <->
                   (exists i:Z, (s <= i /\ i < s) /\ (eq_sol t (acc sol i))))) /\
                 (sorted sol s s)),
  forall (col0: ((arr) Z)),
  forall (e: iset),
  forall (f: Z),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_13: (included e (diff (diff a b) c)) /\ f = (s0 - s) /\ f >=
                 0 /\ k0 = k /\
                 (forall (i:Z),
                  (forall (j:Z),
                   ((in_ i (diff (diff (diff a b) c) e)) ->
                    ((in_ j e) -> i < j)))) /\
                 (partial_solution k0 col0) /\ (eq_prefix col col0 k) /\
                 (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z, (in_ di (diff (diff (diff a b) c) e)) /\
                    (eq_prefix (upd col0 k0 di) t (k0 + 1))) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i))))) /\
                 (sorted sol0 s s0)),
  forall (HW_14: (card e) > 0),
  forall (e0: iset),
  forall (HW_15: e0 = (remove (min_elt e) e)),
  forall (col1: ((arr) Z)),
  forall (HW_16: col1 = (upd col0 k0 (min_elt e))),
  forall (k1: Z),
  forall (HW_17: k1 = (k0 + 1)),
  forall (HW_18: (Zwf 0 (card (remove (min_elt e) a)) (card a))),
  forall (HW_28: 0 <= k1 /\ (k1 + (card (remove (min_elt e) a))) = N /\ 0 <=
                 s0 /\
                 (* pre_a *)
                 ((forall (i:Z),
                   ((in_ i (remove (min_elt e) a)) <-> (0 <= i /\ i < N) /\
                    (forall (j:Z), (0 <= j /\ j < k1 -> i <> (acc col1 j))))) /\
                 (* pre_b *)
                 ((forall (i:Z),
                   (0 <= i ->
                    ((in_ i (succ (add (min_elt e) b))) <->
                     (exists j:Z, (0 <= j /\ j < k1) /\ (acc col1 j) =
                      (i + j - k1))))) /\
                 (* pre_c *)
                 ((forall (i:Z),
                   (0 <= i ->
                    ((in_ i (pred (add (min_elt e) c))) <->
                     (exists j:Z, (0 <= j /\ j < k1) /\ (acc col1 j) =
                      (i + k1 - j))))) /\
                 (partial_solution k1 col1))))),
  forall (result: Z),
  forall (col2: ((arr) Z)),
  forall (k2: Z),
  forall (s1: Z),
  forall (sol1: ((arr) ((arr) Z))),
  forall (HW_29: result = (s1 - s0) /\ result >= 0 /\ k2 = k1 /\
                 (eq_prefix col1 col2 k2) /\ (eq_prefix sol0 sol1 s0) /\
                 (sorted sol1 s0 s1) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\ (eq_prefix col2 t k2) <->
                   (exists i:Z, (s0 <= i /\ i < s1) /\
                    (eq_sol t (acc sol1 i)))))),
  forall (f0: Z),
  forall (HW_30: f0 = (f + result)),
  forall (k3: Z),
  forall (HW_31: k3 = (k2 - 1)),
  (sorted sol1 s s1).
Proof.
intuition. clear H29 H30 H31.
red; intros.
assert (h: s0 <= i \/ j (0 <= i /\ i < N) /\
                   (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                (* pre_b *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i b) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + j - k))))) /\
                (* pre_c *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i c) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + k - j))))) /\
                (partial_solution k col))))),
  forall (HW_7: (card a) <> 0),
  forall (HW_10: (included (diff (diff a b) c) (diff (diff a b) c)) /\ 0 =
                 (s - s) /\ 0 >= 0 /\ k = k /\ (partial_solution k col) /\
                 (eq_prefix col col k) /\ (eq_prefix sol sol s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z,
                    (in_ di (diff (diff (diff a b) c) (diff (diff a b) c))) /\
                    (eq_prefix (upd col k di) t (k + 1))) <->
                   (exists i:Z, (s <= i /\ i < s) /\ (eq_sol t (acc sol i)))))),
  forall (col0: ((arr) Z)),
  forall (e: iset),
  forall (f: Z),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_11: (included e (diff (diff a b) c)) /\ f = (s0 - s) /\ f >=
                 0 /\ k0 = k /\ (partial_solution k0 col0) /\
                 (eq_prefix col col0 k) /\ (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z, (in_ di (diff (diff (diff a b) c) e)) /\
                    (eq_prefix (upd col0 k0 di) t (k0 + 1))) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i)))))),
  forall (HW_32: (card e) <= 0),
  forall (t: ((arr) Z)),
  forall (HW_33: (solution t) /\ (eq_prefix col0 t k0)),
  (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i))).
Proof.
intros.
clear HW_10; intuition.
generalize (H15 t); clear H15; intuition.
clear H16.
apply H15; clear H15.
exists (acc t k0).
assert (k0N: k0 (0 <= i /\ i < N) /\
                   (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                (* pre_b *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i b) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + j - k))))) /\
                (* pre_c *)
                ((forall (i:Z),
                  (0 <= i ->
                   ((in_ i c) <->
                    (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                     (i + k - j))))) /\
                (partial_solution k col))))),
  forall (HW_7: (card a) <> 0),
  forall (HW_10: (included (diff (diff a b) c) (diff (diff a b) c)) /\ 0 =
                 (s - s) /\ 0 >= 0 /\ k = k /\ (partial_solution k col) /\
                 (eq_prefix col col k) /\ (eq_prefix sol sol s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z,
                    (in_ di (diff (diff (diff a b) c) (diff (diff a b) c))) /\
                    (eq_prefix (upd col k di) t (k + 1))) <->
                   (exists i:Z, (s <= i /\ i < s) /\ (eq_sol t (acc sol i)))))),
  forall (col0: ((arr) Z)),
  forall (e: iset),
  forall (f: Z),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_11: (included e (diff (diff a b) c)) /\ f = (s0 - s) /\ f >=
                 0 /\ k0 = k /\ (partial_solution k0 col0) /\
                 (eq_prefix col col0 k) /\ (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\
                   (exists di:Z, (in_ di (diff (diff (diff a b) c) e)) /\
                    (eq_prefix (upd col0 k0 di) t (k0 + 1))) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i)))))),
  forall (HW_32: (card e) <= 0),
  forall (t: ((arr) Z)),
  forall (HW_34: (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i)))),
  (eq_prefix col0 t k0).
Proof.
intuition.
generalize (H21 t); clear H21; intuition.
destruct H23; intuition.
clear H2 H5 H7 H13.
unfold eq_prefix; unfold eq_prefix in H24.
intros; rewrite <- H24.
rewrite acc_upd_neq.
trivial.
omega.
omega.
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

(*Why logic*) Definition below_N : iset.
Admitted.

(*Why axiom*) Lemma below_N_def :
  (forall (i:Z), ((in_ i below_N) <-> 0 <= i /\ i < N)).
Admitted.

(*Why axiom*) Lemma below_N_card : (card below_N) = N.
Admitted.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Lemma lemma_queens_13:
  forall (col: ((arr) Z)),
  forall (k: Z),
  forall (s: Z),
  forall (sol: ((arr) ((arr) Z))),
  forall (HW_1: s = 0 /\ k = 0),
  forall (HW_11: 0 <= k /\ (k + (card below_N)) = N /\
                 (* pre_a *)
                 ((forall (i:Z),
                   ((in_ i below_N) <-> (0 <= i /\ i < N) /\
                    (forall (j:Z), (0 <= j /\ j < k -> i <> (acc col j))))) /\
                 (* pre_b *)
                 ((forall (i:Z),
                   (0 <= i ->
                    ((in_ i empty) <->
                     (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                      (i + j - k))))) /\
                 (* pre_c *)
                 ((forall (i:Z),
                   (0 <= i ->
                    ((in_ i empty) <->
                     (exists j:Z, (0 <= j /\ j < k) /\ (acc col j) =
                      (i + k - j))))) /\
                 (partial_solution k col))))),
  forall (result: Z),
  forall (col0: ((arr) Z)),
  forall (k0: Z),
  forall (s0: Z),
  forall (sol0: ((arr) ((arr) Z))),
  forall (HW_12: result = (s0 - s) /\ result >= 0 /\ k0 = k /\
                 (eq_prefix col col0 k0) /\ (eq_prefix sol sol0 s) /\
                 (forall (t:((arr) Z)),
                  ((solution t) /\ (eq_prefix col0 t k0) <->
                   (exists i:Z, (s <= i /\ i < s0) /\ (eq_sol t (acc sol0 i)))))),
  forall (t: ((arr) Z)),
  forall (HW_13: (solution t)),
  (exists i:Z, (0 <= i /\ i < s0) /\ (eq_sol t (acc sol0 i))).
Proof.
intuition.
assert (eq_prefix col0 t 0).
unfold eq_prefix.
admit.
admit.
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

Proof.
admit.
(* FILL PROOF HERE *)
Save.

why-2.34/frama-c-plugin/0000755000175000017500000000000012311670312013417 5ustar  rtuserswhy-2.34/frama-c-plugin/interp.ml0000644000175000017500000030773612311670312015272 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Import from Cil *)
open Cil_types
open Cil
open Cil_datatype
open Ast_info
open Extlib

(* Import from Why *)
open Jc
open Jc_constructors
open Jc_ast
open Jc_env
open Jc_pervasives

(* Utility functions *)
open Common
open Jessie_integer

(*****************************************************************************)
(* Smart constructors.                                                       *)
(*****************************************************************************)

let mktype tnode = new ptype tnode

let mkexpr enode pos = new pexpr ~pos enode

(* VP: unused variable *)
(* let void_expr = mkexpr (JCPEconst JCCvoid) Loc.dummy_position *)
let null_expr = mkexpr (JCPEconst JCCnull) Loc.dummy_position
let true_expr = mkexpr (JCPEconst(JCCboolean true)) Loc.dummy_position
let false_expr = mkexpr (JCPEconst(JCCboolean false)) Loc.dummy_position
let zero_expr = mkexpr (JCPEconst(JCCinteger "0")) Loc.dummy_position
let one_expr = mkexpr (JCPEconst(JCCinteger "1")) Loc.dummy_position

let mktag tag_node pos = new ptag ~pos tag_node

let mkidentifier name pos = new identifier ~pos name

let rec mkconjunct elist pos =
  match elist with
    | [] -> true_expr
    | [e] -> e
    | e::el -> mkexpr (JCPEbinary(e,`Bland,mkconjunct el pos)) pos

let rec mkdisjunct elist pos =
  match elist with
    | [] -> false_expr
    | [e] -> e
    | e::el -> mkexpr (JCPEbinary(e,`Blor,mkdisjunct el pos)) pos

let mkimplies elist e pos =
  match elist with
    | [] -> e
    | _ -> mkexpr (JCPEbinary(e,`Bimplies,mkconjunct elist pos)) pos

let mkdecl dnode pos = new decl ~pos dnode


(*****************************************************************************)
(* Locate Jessie expressions on source program.                              *)
(*****************************************************************************)

let reg_position ?id ?kind ?name pos =
  Output.old_reg_pos "_C" ?id ?kind ?name (Loc.extract pos)

(* [locate] should be called on every Jessie expression which we would like to
 * locate in the original source program.
 *)
let locate ?pos e =
  (* Recursively label conjuncts so that splitting conjuncts in Why still
   * allows to locate the resulting VC.
   *)
  let rec dopos ~toplevel e =
    (* Generate (and store) a label associated to this source location *)
    let pos = match pos with
      | None -> e#pos
      | Some pos ->
          if is_unknown_location e#pos then pos else e#pos
    in
    let lab = reg_position pos in
    let e = match e#node with
      | JCPEbinary(e1,`Bland,e2) ->
          begin match e1#node,e2#node with
            | JCPElabel _,JCPElabel _ -> e (* already labelled *)
            | JCPElabel _,_ -> (* [e1] already labelled *)
                let e2 = dopos ~toplevel:false e2 in
                mkexpr (JCPEbinary(e1,`Bland,e2)) pos
            | _,JCPElabel _ -> (* [e2] already labelled *)
                let e1 = dopos ~toplevel:false e1 in
                mkexpr (JCPEbinary(e1,`Bland,e2)) pos
            | _,_ -> (* none already labelled *)
                let e1 = dopos ~toplevel:false e1 in
                let e2 = dopos ~toplevel:false e2 in
                mkexpr (JCPEbinary(e1,`Bland,e2)) pos
          end
      | _ -> e
    in
    (* Do not generate a label for every intermediate conjunct *)
    match e#node with
      | JCPEbinary(_e1,`Bland,_e2) when not toplevel -> e
      | _ ->
          (* Label the expression accordingly *)
          mkexpr (JCPElabel(lab,e)) pos
  in
  dopos ~toplevel:true e


(*****************************************************************************)
(* Cil to Jessie translation of operators                                    *)
(*****************************************************************************)

let unop = function
  | Neg -> `Uminus
  | BNot -> `Ubw_not
  | LNot -> `Unot

let binop = function
  | PlusA -> `Badd
  | PlusPI -> `Badd
  | IndexPI -> `Badd
  | MinusA -> `Bsub
  | MinusPI -> `Bsub
  | MinusPP -> `Bsub
  | Mult -> `Bmul
  | Div -> `Bdiv
  | Mod -> `Bmod
  | Shiftlt -> `Bshift_left
  | Shiftrt -> assert false (* Should be decided at point used *)
  | Lt -> `Blt
  | Gt -> `Bgt
  | Le -> `Ble
  | Ge -> `Bge
  | Eq -> `Beq
  | Ne -> `Bneq
  | BAnd -> `Bbw_and
  | BXor -> `Bbw_xor
  | BOr -> `Bbw_or
  | LAnd -> `Bland
  | LOr -> `Blor

let relation = function
  | Rlt -> `Blt
  | Rgt -> `Bgt
  | Rle -> `Ble
  | Rge -> `Bge
  | Req -> `Beq
  | Rneq -> `Bneq



let invariant_policy = ref Jc_env.InvArguments

let separation_policy_regions = ref true

type int_model = IMexact | IMbounded | IMmodulo

let int_model = ref IMbounded

let float_model = ref `Defensive

let rec name_with_profile s prof =
  match prof with
    | [] ->
(*
	Format.eprintf "producing new translated name ``%s''@." s;
*)
	s
    | v::rem ->
	let n = Common.logic_type_name v.lv_type in
(*
	Format.eprintf "type name ``%s''@." n;
*)
	name_with_profile (s^"_"^n) rem

let translated_names_table = Hashtbl.create 257

exception CtePredicate of bool


let full_model_function linfo name default =
  match !float_model with
    | `Math ->
	warning "\\%s always %b in mode JessieFloatModel(math)" name default;
	raise (CtePredicate default)
    | `Defensive | `Full | `Multirounding ->
	begin
	  match (List.hd linfo.l_profile).lv_type with
	    | Ctype x when x == doubleType -> "\\double_" ^ name
	    | Ctype x when x == floatType -> "\\single_" ^ name
	    | _ -> assert false
	end

let jessie_builtins = Hashtbl.create 17

let translated_name linfo largs =
(*
  Format.eprintf "Jessie.interp: linfo = %s(%a)(%d)@."
    linfo.l_name
    (fprintfList ~sep:",@ " d_logic_type)
    (List.map (fun v -> v.lv_type) linfo.l_profile)
    (Obj.magic linfo);
*)
  try
    let n = Hashtbl.find translated_names_table linfo.l_var_info.lv_id in
(*
    Format.eprintf "Jessie.interp: translated(%s) = %s" linfo.l_var_info.lv_name n;
*)
    n
  with Not_found ->
    let name =
      match linfo.l_var_info.lv_name with
	| "\\abs" ->
	    begin
	      match linfo.l_type with
		| Some Lreal -> "\\real_abs"
		| Some Linteger -> "\\integer_abs"
		| _ -> assert false
	    end
	| "\\min" ->
	    begin
	      match linfo.l_type with
		| Some Lreal -> "\\real_min"
		| Some Linteger -> "\\integer_min"
		| _ -> assert false
	    end
	| "\\max" ->
	    begin
	      match linfo.l_type with
		| Some Lreal -> "\\real_max"
		| Some Linteger -> "\\integer_max"
		| _ -> assert false
	    end
	| "\\exact" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\double_exact"
		| Ctype x when x == floatType -> "\\single_exact"
		| _ -> assert false
	    end
	| "\\model" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\double_model"
		| Ctype x when x == floatType -> "\\single_model"
		| _ -> assert false
	    end
	| "\\round_float" ->
	    begin
	      match (List.hd largs).term_node with
                | TDataCons(ctor,_args) ->
                    begin
                      match ctor.ctor_name with
		        | "\\Double" -> "\\round_double"
		        | "\\Single" -> "\\round_single"
		        | s ->
                            warning "first arg '%s' of \\round_float unsupported (should be \\Double or \\Single)" s;
                            assert false
                    end
                | _ ->    assert false
	    end
	| "\\round_error" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\double_round_error"
		| Ctype x when x == floatType -> "\\single_round_error"
		| _ -> assert false
	    end
	| "\\total_error" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\double_total_error"
		| Ctype x when x == floatType -> "\\single_total_error"
		| _ -> assert false
	    end
	| "\\relative_error" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\double_relative_error"
		| Ctype x when x == floatType -> "\\single_relative_error"
		| _ -> assert false
	    end
	| "\\pow" ->
	    begin
	      match linfo.l_type with
		| Some Lreal -> "\\real_pow"
		| _ -> assert false
	    end
	| "\\sqrt" ->
	    begin
	      match linfo.l_type with
		| Some Lreal -> "\\real_sqrt"
		| _ -> assert false
	    end
	| "\\sign" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\double_sign"
		| Ctype x when x == floatType -> "\\single_sign"
		| _ -> assert false
	    end
	| "\\is_finite" ->
            full_model_function linfo "is_finite" true
	| "\\is_infinite" ->
            full_model_function linfo "is_infinite" false
	| "\\is_NaN" ->
            full_model_function linfo "is_NaN" false
	| "\\is_minus_infinity" ->
            full_model_function linfo "is_minus_infinity" false
	| "\\is_plus_infinity" ->
            full_model_function linfo "is_plus_infinity" false
	| "\\le_float" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\le_double"
		| Ctype x when x == floatType -> "\\le_single"
		| _ -> assert false
	    end
	| "\\lt_float" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\lt_double"
		| Ctype x when x == floatType -> "\\lt_single"
		| _ -> assert false
	    end
	| "\\ge_float" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\ge_double"
		| Ctype x when x == floatType -> "\\ge_single"
		| _ -> assert false
	    end
	| "\\gt_float" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\gt_double"
		| Ctype x when x == floatType -> "\\gt_single"
		| _ -> assert false
	    end
	| "\\eq_float" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\eq_double"
		| Ctype x when x == floatType -> "\\eq_single"
		| _ -> assert false
	    end
	| "\\ne_float" ->
	    begin
	      match (List.hd linfo.l_profile).lv_type with
		| Ctype x when x == doubleType -> "\\ne_double"
		| Ctype x when x == floatType -> "\\ne_single"
		| _ -> assert false
	    end
	| s ->

          try
            Hashtbl.find jessie_builtins s
          with Not_found ->
	    try
(*
	      Format.eprintf "Jessie.interp: Checking if %s overloaded" s;
*)
	      let x = Hashtbl.find Rewrite.logic_names_overloading s in
	      if !x then
		let ns = name_with_profile s linfo.l_profile in
(*
		Format.eprintf "yes! -> %s@." ns;
*)
		ns
	      else
		begin
(*
		  Format.eprintf "no@.";
*)
		  s
		end
	    with Not_found ->
	      (* this happens with Jessie-generated predicates like valid_* etc *)
(*
	      Format.eprintf "Jessie.Interp: warning, logic id `%s' not present in overloading table@." s;
*)
	      s
    in
(*
    Format.eprintf "Jessie.interp: translated(%s) = %s" linfo.l_var_info.lv_name name;
*)
    Hashtbl.add translated_names_table linfo.l_var_info.lv_id name;
    name

(*****************************************************************************)
(* Cil to Jessie translation of types                                        *)
(*****************************************************************************)

let type_of_padding = mktype (JCPTidentifier (name_of_padding_type,[]))

let type_conversion_table = Hashtbl.create 0

(* VP: unused function *)
(* let type_conversion ty1 ty2 =
  let ty1 = typeRemoveAttributes ["const";"volatile"] (unrollType ty1) in
  let ty2 = typeRemoveAttributes ["const";"volatile"] (unrollType ty2) in
  let sig1 = typeSig ty1 and sig2 = typeSig ty2 in
  try
    let _,_,ty1_to_ty2,ty2_to_ty1 =
      Hashtbl.find type_conversion_table (sig1,sig2)
    in
    ty1_to_ty2,ty2_to_ty1
  with Not_found ->
    try
      let _,_,ty2_to_ty1,ty1_to_ty2 =
        Hashtbl.find type_conversion_table (sig2,sig1)
      in
      ty1_to_ty2,ty2_to_ty1
    with Not_found ->
      let n1 = type_name ty1 and n2 = type_name ty2 in
      let ty1_to_ty2 = unique_logic_name (n1 ^ "_to_" ^ n2) in
      let ty2_to_ty1 = unique_logic_name (n2 ^ "_to_" ^ n1) in
      Hashtbl.add
        type_conversion_table (sig1,sig2) (ty1,ty2,ty1_to_ty2,ty2_to_ty1);
      ty1_to_ty2,ty2_to_ty1
*)
(*
type float_rounding_mode = [ `Downward | `Nearest | `Upward | `Towardzero | `Towardawayzero ]

let float_rounding_mode : float_rounding_mode ref = ref `Nearest
*)

let ctype ?bitsize ty =
  let tnode = match unrollType ty with
    | TVoid _attr -> JCPTnative Tunit

    | TInt(_ik,_attr) ->
        if !int_model = IMexact then
          JCPTnative Tinteger
        else
          JCPTidentifier (name_of_integral_type ?bitsize ty,[])

    | TFloat(fk,_attr) ->
        begin
          match !float_model with
            | `Math ->
                (* Mode "math": floats interpreted as reals *)
                JCPTnative Treal
            | `Defensive | `Full | `Multirounding ->
                  begin
                    match fk with
                      | FFloat -> JCPTnative (Tgenfloat `Float)
                      | FDouble -> JCPTnative (Tgenfloat `Double)
                      | FLongDouble ->
                          unsupported "Jessie does not handle long double yet"
                  end
        end
    | TPtr(_elemty,_attr) ->
        if is_reference_type ty then
          (* Do not use [_elemty] directly but rather [pointed_type ty] in order
           * to get to the array element in references, i.e. pointers to arrays.
           *)
          begin match unrollType (pointed_type ty) with
            | TComp(compinfo,_,_) ->
                let min_bound = Num.Int 0 in
                let max_bound =
                  Num.num_of_string (Int64.to_string (reference_size ty - 1L))
                in
                JCPTpointer(compinfo.cname,[],Some min_bound,Some max_bound)
            | _ -> assert false
          end
        else
          begin match unrollType (pointed_type ty) with
            | TComp(compinfo,_,_) ->
                JCPTpointer(compinfo.cname,[],None,None)
            | _ -> assert false
          end

    | TArray _ -> assert false (* Removed by translation *)

    | TFun _ ->
	unsupported "Function pointer type %a not allowed"
	  Printer.pp_typ ty

    | TNamed _ -> assert false (* Removed by call to [unrollType] *)

    | TComp(compinfo,_,_) -> JCPTidentifier (compinfo.cname,[])

    | TEnum(enuminfo,_) -> JCPTidentifier (enuminfo.ename,[])

    | TBuiltin_va_list _ -> unsupported "Type builtin_va_list not allowed"
  in
  mktype tnode

let ltype t =
  (* Expand synonym types before translation. *)
  match Logic_utils.unroll_type t with
  | Ctype ty -> ctype ty
  | Ltype (s,[]) when s.lt_name = Utf8_logic.boolean ->
      mktype (JCPTidentifier ("boolean",[]))
  | Ltype (s,[]) -> mktype (JCPTidentifier (s.lt_name,[]))
  | Linteger -> mktype (JCPTnative Tinteger)
  | Lreal -> mktype (JCPTnative Treal)
  | Ltype(_,_)  -> unsupported "polymorphic logic type"
  | Lvar _  -> unsupported "logic type variable"
  | Larrow _ -> unsupported "function type in logic"


(*****************************************************************************)
(* Cil to Jessie translation of constants                                    *)
(*****************************************************************************)

let native_type_of_fkind x : Jc_env.native_type =
  match x with
    | FFloat -> Tgenfloat `Float
    | FDouble -> Tgenfloat `Double
    | FLongDouble -> failwith "Jessie does not handle long double yet"

let strip_float_suffix s =
  let l = pred(String.length s)  in
    match String.get s l with
      | 'f' | 'F' | 'l' | 'L' -> String.sub s 0 l
      | _ -> s


let logic_const pos = function
  | Integer(_,Some s) -> JCPEconst (JCCinteger s)
  | Integer(n,None) -> JCPEconst (JCCinteger (Integer.to_string n))
  | LStr _ | LWStr _ -> 
    Common.unsupported "string literals in logic"
  | LChr c -> JCPEconst (JCCinteger(string_of_int (Char.code c)))
  | LReal { r_literal = s } -> JCPEconst (JCCreal (strip_float_suffix s))
  | LEnum ei ->
      (match Cil.isInteger (ei.eival) with
        | Some n ->
            let e =
              mkexpr (JCPEconst (JCCinteger (Integer.to_string n))) pos
            in
            JCPEcast(e,ctype(TEnum(ei.eihost,[])))
        | None -> assert false)

let rec const pos = function
  | CInt64(_,_,Some s) ->
      (* Use the textual representation if available *)
      JCPEconst(JCCinteger s)

  | CInt64(i,_ik,None) ->
      JCPEconst(JCCinteger(Integer.to_string i))

  | CStr _ | CWStr _ -> assert false (* Should have been rewritten *)

  | CChr c -> JCPEconst(JCCinteger(string_of_int (Char.code c)))

  | CReal(_f,fk,Some s) ->
      (* Use the textual representation if available *)
      let s = strip_float_suffix s in
      begin match !float_model with
	| `Math -> JCPEconst(JCCreal s)
        | `Defensive | `Full | `Multirounding ->
            (* add a cast to float or double depending on the value of fk *)
            JCPEcast(mkexpr (JCPEconst(JCCreal s)) pos,
                     mktype (JCPTnative (native_type_of_fkind fk)))
      end
  | CReal(f,_fk,None) ->
      (* otherwise use the float value *)
      JCPEconst(JCCreal(string_of_float f))

  | CEnum item ->
      let e = mkexpr (const_of_expr pos item.eival) pos in
      JCPEcast(e,ctype (TEnum(item.eihost,[])))

and const_of_expr pos e =
  match (stripInfo e).enode with
      Const c -> const pos c
    | _ -> assert false

and boolean_const = function
  | CInt64(i,_ik,_text) ->
    if Integer.equal i Integer.zero then JCCboolean false
    else JCCboolean true

  | CStr _ | CWStr _ -> JCCboolean true

  | CChr c ->
      if Char.code c = 0 then JCCboolean false else JCCboolean true

  | CReal(f,_fk,_text) ->
      if f = 0.0 then JCCboolean false else JCCboolean true

  | CEnum {eival = e } -> boolean_const_of_expr e

and boolean_const_of_expr e =
  match (stripInfo e).enode with Const c -> boolean_const c | _ -> assert false


(*****************************************************************************)
(* Cil to Jessie translation of logic constructs                             *)
(*****************************************************************************)

let label = function
  | Label(lab,_,_) -> lab
  | Case _ | Default _ -> assert false

let logic_label lab =
  let label_name s =
    LabelName {
      label_info_name = s;
      label_info_final_name = s;
      times_used = 0;
    }
  in
  match lab with
    | LogicLabel(_,s) -> label_name s
    | StmtLabel sref ->
        let labels = filter_out is_case_label !sref.labels in
        assert (not (labels = []));
        label_name (label (List.hd labels))

let logic_labels = List.map logic_label

let logic_labels_assoc =
  List.map (fun (_,l) -> logic_label l)

let term_lhost pos = function
  | TVar v ->
      (try
         let li = Logic_env.find_logic_cons v in
         match
           li.l_labels with
             | [] -> mkexpr(JCPEvar v.lv_name) pos
             | [_] ->  mkexpr (JCPEapp (v.lv_name,[],[])) pos
             | _ ->
                 Jessie_options.fatal
                   "cannot handle logic constant %s with several labels"
                   v.lv_name
       with Not_found ->
         mkexpr (JCPEvar v.lv_name) pos)
  | TResult _ -> mkexpr (JCPEvar "\\result") pos
  | TMem t ->
      unsupported "this kind of memory access is not currently supported: *%a"
        Printer.pp_term t
(*
         Loc.report_position pos
*)

let product f t1 t2 =
  List.fold_right
    (fun x acc -> List.fold_right (fun y acc -> f x y :: acc) t2 acc) t1 []

let rec coerce_floats t =
  match !float_model with
    | `Math -> terms t
    | `Defensive | `Full | `Multirounding ->
        if isLogicFloatType t.term_type then
          List.map
            (fun e ->
              mkexpr (JCPEcast(e, mktype (JCPTnative Treal))) t.term_loc)
            (terms t)
        else terms t

and terms t =
  CurrentLoc.set t.term_loc;
  let enode = match constFoldTermNodeAtTop t.term_node with
    | TConst c -> [logic_const t.term_loc c]

    | TDataCons({ctor_type = {lt_name = name} } as d,_args)
        when name = Utf8_logic.boolean ->
        [JCPEconst (JCCboolean (d.ctor_name = "\\true"))]

    | TDataCons(ctor,args) ->
        let args = List.map terms args in
        let args =
          List.fold_right (product (fun x y -> x::y)) args [[]]
        in
        List.map (fun x -> JCPEapp(ctor.ctor_name,[],x)) args

    | TUpdate _ -> Common.unsupported "logic update"

    | Toffset _ -> Common.unsupported "logic offset"

    | TLval lv ->
        List.map (fun x -> x#node) (terms_lval t.term_loc lv)

    | TSizeOf _ | TSizeOfE _ | TSizeOfStr _ | TAlignOf _ | TAlignOfE _ ->
        assert false (* Should be removed by constant folding *)

    | TUnOp(op,t) ->
        List.map (fun x -> JCPEunary(unop op,x)) (coerce_floats t)

    | TBinOp((Lt | Gt | Le | Ge as op),t1,t2)
        when app_term_type isPointerType false t1.term_type ->
        (* Pointer comparison is translated as subtraction *)
        let t1 = terms t1 in
        let t2 = terms t2 in
        let expr x y =
          let sube = mkexpr (JCPEbinary(x,`Bsub,y)) t.term_loc in
          JCPEbinary(sube,binop op,zero_expr)
        in product expr t1 t2

    | TBinOp(Shiftrt,t1,t2) ->
        begin match possible_value_of_integral_term t2 with
          | Some i when Integer.ge i Integer.zero
              && Integer.lt i (Integer.of_int 63)  ->
              (* Right shift by constant is division by constant *)
              let pow = constant_term t2.term_loc (Integer.two_power i) in
              List.map (fun x ->JCPEbinary(x,`Bdiv,term pow)) (terms t1)
          | _ ->
              let op = match t1.term_type with
                | Ctype ty1 ->
                    if isSignedInteger ty1 then `Barith_shift_right
                    else `Blogical_shift_right
                | Linteger -> `Barith_shift_right
                | _ -> assert false
              in
              product (fun x y -> JCPEbinary(x,op,y)) (terms t1) (terms t2)
        end

    | TBinOp(Shiftlt as op,t1,t2) ->
        begin match possible_value_of_integral_term t2 with
          | Some i when Integer.ge i Integer.zero &&
              Integer.lt i (Integer.of_int 63) ->
              (* Left shift by constant is multiplication by constant *)
              let pow = constant_term t2.term_loc (Integer.two_power i) in
              List.map (fun x -> JCPEbinary(x,`Bmul,term pow)) (terms t1)
          | _ ->
              product (fun x y -> JCPEbinary(x,binop op,y))
                (terms t1) (terms t2)
        end

    | TBinOp((Lt | Gt | Le | Ge) as op,t1,t2) ->
        product (fun x y -> JCPEbinary(x,binop op,y)) (terms t1) (terms t2)

    | TBinOp(op,t1,t2) ->
        product
          (fun x y -> JCPEbinary(x,binop op,y))
          (coerce_floats t1)
          (coerce_floats t2)

    | TCastE(ty,t)
        when isIntegralType ty && isLogicRealType t.term_type ->
          List.map (fun x -> JCPEapp("\\truncate_real_to_int",[],[x])) (terms t)

    | TCastE(ty,t)
        when isIntegralType ty && isLogicArithmeticType t.term_type ->
        if !int_model = IMexact then
          List.map (fun x -> x#node) (terms t)
        else
          List.map (fun x -> JCPEcast(x,ctype ty)) (terms t)

    | TCastE(ty,t)
        when isFloatingType ty && isLogicArithmeticType t.term_type ->
          List.map (fun x -> JCPEcast(x,ctype ty)) (terms t)

    | TCastE(ty,t)
        when isIntegralType ty && app_term_type isPointerType false t.term_type ->
	unsupported "Casting from type %a to type %a not allowed"
          Printer.pp_logic_type t.term_type Printer.pp_typ ty

    | TCastE(ptrty,_t1) when isPointerType ptrty ->
        let t = stripTermCasts t in
        begin match t.term_node with
          | Tnull ->
              [JCPEconst JCCnull]
          | TConst c
              when is_integral_logic_const c &&
                Integer.equal
                (value_of_integral_logic_const c) Integer.zero ->
              [JCPEconst JCCnull]
          | _ ->
(*               if isLogicIntegralType t.term_type then *)
(*                 let addr = *)
(*                   mkexpr (JCPEaddress(Addr_absolute,term t)) t.term_loc *)
(*                 in *)
(*                 JCPEcast(addr,ctype ptrty) *)
(*               else if force_app_term_type isIntegralType t.term_type *)
(*                 && *)
(*                 force_app_term_type bits_sizeof t.term_type *)
(*                 = bits_sizeof ptrty *)
(*               then *)
(*                 let _,int_to_ptr = *)
(*                   force_app_term_type (type_conversion ptrty) t.term_type *)
(*                 in *)
(*                 JCPEapp(int_to_ptr,[],[term t]) *)
(*                else if force_app_term_type isPointerType t.term_type then *)
(*                 let destty = pointed_type ptrty in *)
(*                 let srcty = force_app_term_type pointed_type t.term_type in *)
(*                 if Retype.subtype srcty destty then *)
(*                   (term t)#node *)
(*                 else if Retype.TypeUnion.same_class destty srcty then *)
(*                   JCPEcast(term t,ctype ptrty) *)
(*                 else *)
                  (* bitwise cast *)
(*                   JCPEcast(term t,ctype ptrty) *)
(*                   let _,ptr_to_ptr = *)
(*                     force_app_term_type (type_conversion ptrty) t.term_type *)
(*                   in *)
(*                   JCPEapp(ptr_to_ptr,[],[term t]) *)
(*               else *)
              (* Only hierarchical types are available in Jessie. It
               * should have been encoded as the use of pointer types
               * on structure type.
               *)

(*               match unrollType ty with *)
(*                 | TComp(compinfo,_) -> *)
(*                     JCPEcast(term t,compinfo.cname) *)
(*                 | _ -> assert false *)
              unsupported "Casting from type %a to type %a not allowed in logic"
                Printer.pp_logic_type t.term_type Printer.pp_typ ptrty
        end

    | TCastE(ty,t) ->
        (* TODO: support other casts in Jessie as well, through low-level
         * memory model
         *)
	unsupported "Casting from type %a to type %a not allowed"
          Printer.pp_logic_type t.term_type Printer.pp_typ ty

    | TAddrOf _tlv -> assert false (* Should have been rewritten *)

    | TStartOf tlv ->
        List.map (fun x -> x#node) (terms_lval t.term_loc tlv)

    | Tapp(linfo,labels,tlist) ->
	begin
	  try
            let name = translated_name linfo tlist in
            let prof, tlist =
              if linfo.l_var_info.lv_name = "\\round_float" then
                List.tl linfo.l_profile, List.tl tlist
              else
                linfo.l_profile, tlist
            in
            let args =
	      List.map2
		(fun lv t ->
		   let t' = terms t in
		   if isLogicFloatType t.term_type && isLogicRealType lv.lv_type
		   then
		     List.map
		       (fun t' ->
			  mkexpr (JCPEcast(t', mktype (JCPTnative Treal))) t.term_loc)
		       t'
	       else t')
		prof
		tlist
	    in
            let all_args = List.fold_right (product (fun x y -> x::y)) args [[]] in
            List.map
              (fun x -> JCPEapp(name,logic_labels_assoc labels,x)) all_args
	  with (CtePredicate b)->
	   [JCPEconst (JCCboolean b)]
	end

    | Tif(t1,t2,t3) ->
        let t1 = terms t1 in let t2 = terms t2 in let t3 = terms t3 in
        product (fun f x -> f x)
          (product (fun x y z -> JCPEif(x,y,z)) t1 t2) t3

    | Tat(t,lab) -> List.map (fun x -> JCPEat(x,logic_label lab)) (terms t)

    | Tbase_addr (_lab,t) -> List.map (fun x -> JCPEbase_block x) (terms t)

    | Tblock_length (_lab,_t) -> Common.unsupported "\\block_length operator"

    | Tnull -> [JCPEconst JCCnull]

    | Tlet(def,body) ->
        begin
          let v = def.l_var_info in
          match def.l_body, def.l_profile with
            | LBterm t, [] ->
                let jc_def = term t in
                let jc_body = term body in
                let typ = ltype v.lv_type in
                [JCPElet(Some typ, v.lv_name, Some jc_def, jc_body)]
            | LBpred p, [] ->
                let jc_def = pred p in
                let jc_body = term body in
                [JCPElet(None,v.lv_name, Some jc_def, jc_body)]
            | (LBterm _ | LBpred _), _::_ ->
                Common.unsupported "local function definition"
            | (LBnone | LBreads _ | LBinductive _), _ ->
                Jessie_options.fatal "Unexpected definition for local variable"
        end
    | TCoerce(_t,_typ) -> Common.unsupported "term coercion"

    | TCoerceE(_t1,_t2) -> Common.unsupported "term coercion"

    | Tlambda _ ->
	unsupported "Jessie plugin does not support lambda abstraction"

    | Ttypeof _ | Ttype _ -> assert false (* Should have been treated *)

    | Trange(low,high) -> [JCPErange(opt_map term low,opt_map term high)]
    | Tunion l ->
        List.map (fun x -> x#node) (List.flatten (List.map terms l))
    | Tcomprehension _ -> Common.unsupported "sets by comprehension" 
    | Tinter _ -> Common.unsupported " set intersection" 
    | Tempty_set -> []
    | TLogic_coerce(Lreal,t) -> List.map (fun x -> x#node) (coerce_floats t)
    | TLogic_coerce(_,t) -> List.map (fun x -> x#node) (terms t)

  in
  List.map (swap mkexpr t.term_loc) enode

and tag t =
  let tag_node = match t.term_node with
    | Ttypeof t -> JCPTtypeof (term t)
    | Ttype ty ->
        let id = mkidentifier (get_struct_name (pointed_type ty)) t.term_loc in
        JCPTtag id
    | _ -> assert false (* Not a tag *)
  in
  mktag tag_node t.term_loc

and terms_lval pos lv =
  match lv with
    | lhost, TNoOffset -> [term_lhost pos lhost]

    | (TVar _ | TResult _), _off ->
        assert false (* Should have been rewritten *)

    | TMem t, TModel(mi, toff) ->
        assert (toff = TNoOffset); (* Others should have been rewritten *)
        let e = terms t in
          List.map (fun e -> mkexpr (JCPEderef(e,mi.mi_name)) pos) e

    | TMem t, TField(fi,toff) ->
        assert (toff = TNoOffset); (* Others should have been rewritten *)
        let e = terms t in
        if not fi.fcomp.cstruct then (* field of union *)
          List.map (fun e -> mkexpr (JCPEcast(e,ctype fi.ftype)) pos) e
        else
          let repfi = Retype.FieldUnion.repr fi in
          let e,fi =
            if Fieldinfo.equal fi repfi then
              e,fi
            else
              let caste =
                List.map
                  (fun e ->
                     mkexpr (
                       JCPEcast(e,
                                ctype (TPtr(TComp(repfi.fcomp,empty_size_cache (),[]),[])))) pos)
                  e
              in
              caste,repfi
          in
          List.map (fun e -> mkexpr (JCPEderef(e,fi.fname)) pos) e

    | TMem t, TIndex(it,TField(fi,toff)) ->
        assert (toff = TNoOffset); (* Others should have been rewritten *)
        (* Normalization made it equivalent to simple add *)
        let e = product
          (fun t it -> mkexpr (JCPEbinary(t,`Badd,it)) pos)
          (terms t) (terms it)
        in
        if not fi.fcomp.cstruct then (* field of union *)
          List.map (fun e -> mkexpr (JCPEcast(e,ctype fi.ftype)) pos) e
        else
          let repfi = Retype.FieldUnion.repr fi in
          let e,fi =
            if Fieldinfo.equal fi repfi then
              e,fi
            else
              let caste =
                List.map
                  (fun e ->
                     mkexpr
                       (JCPEcast(e,ctype
                                   (TPtr(TComp(repfi.fcomp,empty_size_cache (),[]),[])))) pos)
                  e
              in
              caste,repfi
          in
          List.map (fun e -> mkexpr (JCPEderef(e,fi.fname)) pos) e
    | TMem _e, TIndex _ ->
        unsupported "cannot interpret this lvalue: %a"
          Printer.pp_term_lval lv

and term t =
  match terms t with [ t ] -> t
    | _ ->
	unsupported "Expecting a single term, not a set:@ %a@."
          Printer.pp_term t

(* VP: unused function *)
(* and term_lval pos lv  =
  match terms_lval pos lv with [ lv ] -> lv
    | _ ->
	unsupported "Expecting a single lval, not a set:@ %a@."
          Printer.pp_term_lval lv
*)
and pred p =
  CurrentLoc.set p.loc;
  let enode = match p.content with
    | Pfalse -> JCPEconst(JCCboolean false)

    | Ptrue -> JCPEconst(JCCboolean true)

    | Papp(pinfo,labels,tl) ->
	begin
	  try
            let name = translated_name pinfo tl in
	(*
          JCPEapp(name,logic_labels_assoc labels,List.map term tl)
	*)
        let args =
	  List.map2
	    (fun lv t ->
	       let t' = term t in
	       if isLogicFloatType t.term_type && isLogicRealType lv.lv_type
	       then
		 mkexpr (JCPEcast(t', mktype (JCPTnative Treal))) t.term_loc
	       else t')
	    pinfo.l_profile
	    tl
	in
	JCPEapp(name,logic_labels_assoc labels, args)
	  with (CtePredicate b) -> JCPEconst(JCCboolean b)

	end
    | Prel((Rlt | Rgt | Rle | Rge as rel),t1,t2)
        when app_term_type isPointerType false t1.term_type ->
        (* Pointer comparison is translated as subtraction *)
        let sube = mkexpr (JCPEbinary(term t1,`Bsub,term t2)) p.loc in
        JCPEbinary(sube,relation rel,zero_expr)

(*     | Prel((Req | Rneq as rel),t1,t2)  *)
(*         when app_term_type isPointerType false t1.term_type *)
(*           && (not (is_null_term t1 || is_null_term t2)) *)
(*           && (not (is_base_addr t1 || is_base_addr t2)) -> *)
(*         (* Pointer (dis-)equality is translated as subtraction *) *)
(*         let sube = mkexpr (JCPEbinary(term t1,`Bsub,term t2)) p.loc in *)
(*         JCPEbinary(sube,relation rel,zero_expr) *)

    | Prel(Req,t1,t2) when isTypeTagType t1.term_type ->
        JCPEeqtype(tag t1,tag t2)

    | Prel(Rneq,t1,t2) when isTypeTagType t1.term_type ->
        let eq = mkexpr (JCPEeqtype(tag t1,tag t2)) p.loc in
        JCPEunary(`Unot,eq)

    | Prel(rel,t1,t2) ->
        let res =
          product (fun t1 t2 -> mkexpr (JCPEbinary(t1,relation rel,t2)) p.loc)
            (coerce_floats t1) (coerce_floats t2)
        in (mkconjunct res p.loc)#node
    | Pand(p1,p2) ->
        JCPEbinary(pred p1,`Bland,pred p2)

    | Por(p1,p2) ->
        JCPEbinary(pred p1,`Blor,pred p2)

    | Pxor(p1,p2) ->
        let notp2 = { p2 with content = Pnot p2; } in
        let p1notp2 = { p with content = Pand(p1,notp2); } in
        let notp1 = { p1 with content = Pnot p1; } in
        let p2notp1 = { p with content = Pand(p2,notp1); } in
        JCPEbinary(pred p1notp2,`Blor,pred p2notp1)

    | Pimplies(p1,p2) ->
        JCPEbinary(pred p1,`Bimplies,pred p2)

    | Piff(p1,p2) ->
        JCPEbinary(pred p1,`Biff,pred p2)

    | Pnot p -> JCPEunary(`Unot,pred p)

    | Pif(t,p1,p2) -> JCPEif(term t,pred p1,pred p2)

    | Plet(def,body) ->
	begin
          let v = def.l_var_info in
          match def.l_body, def.l_profile with
            | LBterm t, [] ->
                let jc_def = term t in
                let jc_body = pred body in
                let typ = ltype v.lv_type in
                JCPElet(Some typ, v.lv_name, Some jc_def, jc_body)
            | LBpred p, [] ->
                let jc_def = pred p in
                let jc_body = pred body in
                JCPElet(None,v.lv_name, Some jc_def, jc_body)
            | (LBterm _ | LBpred _), _::_ ->
                Common.unsupported "local function definition"
            | (LBnone | LBreads _ | LBinductive _), _ ->
                Jessie_options.fatal "Unexpected definition for local variable"
        end

    | Pforall([],p) -> (pred p)#node

    | Pforall([v],p) ->
        JCPEquantifier(Forall,ltype v.lv_type,
                       [new identifier v.lv_name], [],pred p)

    | Pforall(v::q,subp) ->
        let newp = { p with content = Pforall(q,subp) } in
        JCPEquantifier(Forall,ltype v.lv_type,
                       [new identifier v.lv_name], [],pred newp)

    | Pexists([],p) -> (pred p)#node

    | Pexists([v],p) ->
        JCPEquantifier(Exists,ltype v.lv_type,
                       [new identifier v.lv_name], [],pred p)

    | Pexists(v::q,subp) ->
        let newp = { p with content = Pexists(q,subp) } in
        JCPEquantifier(Exists,ltype v.lv_type,
                       [new identifier v.lv_name], [],pred newp)

    | Pat(p,lab) -> JCPEat(pred p,logic_label lab)

    | Pvalid(_lab,
             { term_node = TBinOp(PlusPI,t1,
                                  {term_node = Trange (t2,t3)})}) ->
        let e1 = terms t1 in
        let mk_one_pred e1 =
          match t2,t3 with
            | None,None -> true_expr
            | Some t2,None ->
                let e2 = term t2 in
                let eoffmin = mkexpr (JCPEoffset(Offset_min,e1)) p.loc in
                mkexpr (JCPEbinary(eoffmin,`Ble,e2)) p.loc
            | None, Some t3 ->
                let e3 = term t3 in
                let eoffmax = mkexpr (JCPEoffset(Offset_max,e1)) p.loc in
                mkexpr (JCPEbinary(eoffmax,`Bge,e3)) p.loc
            | Some t2,Some t3 ->
                let e2 = term t2 in
                let e3 = term t3 in
                let eoffmin = mkexpr (JCPEoffset(Offset_min,e1)) p.loc in
                let emin = mkexpr (JCPEbinary(eoffmin,`Ble,e2)) p.loc in
                let eoffmax = mkexpr (JCPEoffset(Offset_max,e1)) p.loc in
                let emax = mkexpr (JCPEbinary(eoffmax,`Bge,e3)) p.loc in
                mkconjunct [emin; emax] p.loc
        in (mkconjunct (List.map mk_one_pred e1) p.loc)#node

    | Pvalid(_lab,{ term_node = TBinOp(PlusPI,t1,t2)}) ->
        let e1 = terms t1 in
        let e2 = term t2 in
        (mkconjunct
           (List.flatten
              (List.map
                 (fun e1 ->
                    let eoffmin = mkexpr (JCPEoffset(Offset_min,e1)) p.loc in
                    let emin = mkexpr (JCPEbinary(eoffmin,`Ble,e2)) p.loc in
                    let eoffmax = mkexpr (JCPEoffset(Offset_max,e1)) p.loc in
                    let emax = mkexpr (JCPEbinary(eoffmax,`Bge,e2)) p.loc in
                    [emin; emax])
                 e1)) p.loc)#node
    | Pvalid (_lab,t) ->
        let elist =
          List.flatten (List.map (fun e ->
            let eoffmin = mkexpr (JCPEoffset(Offset_min,e)) p.loc in
            let emin = mkexpr (JCPEbinary(eoffmin,`Ble,zero_expr)) p.loc in
            let eoffmax = mkexpr (JCPEoffset(Offset_max,e)) p.loc in
            let emax = mkexpr (JCPEbinary(eoffmax,`Bge,zero_expr)) p.loc in
            [emin; emax]
          ) (terms t))
        in
        (mkconjunct elist p.loc)#node

    | Pvalid_read _ -> Common.unsupported "\\valid_read operator"

    | Pfresh (_lab1,_lab2,t,_) ->
      (* TODO: take into account size *)
      JCPEfresh(term t)

    | Pallocable _ -> Common.unsupported "\\allocable operator"

    | Pfreeable _ -> Common.unsupported "\\freeable operator"


    | Psubtype({term_node = Ttypeof t},{term_node = Ttype ty}) ->
        JCPEinstanceof(term t,get_struct_name (pointed_type ty))

    | Psubtype(_t1,_t2) -> Common.unsupported "subtype"

    | Pseparated(_seps) -> Common.unsupported "\\separated operator"

    | Pinitialized _ -> Common.unsupported "\\initialized operator"

  in
  mkexpr enode p.loc

(* Keep names associated to predicate *)
let named_pred p =
  List.fold_right
    (fun lab p -> mkexpr (JCPElabel(lab,p)) p#pos) p.name (pred p)

let conjunct pos pl =
  mkconjunct (List.map (pred $ Logic_const.pred_of_id_pred) pl) pos

let zone (tset,_) = terms tset.it_content

(* Distinguish between:
 * - no assign, which is the empty list in Cil and None in Jessie
 * - assigns nothing, which is [Nothing] in Cil and the Some[] in Jessie
 *)
let assigns = function
  | WritesAny -> None
  | Writes assign_list ->
    let assign_list =
      List.filter
        (function out,_ -> not (Logic_utils.is_result out.it_content))
        assign_list
    in
    let assign_list = List.flatten (List.map zone assign_list) in
    Some(Loc.dummy_position,assign_list)

let allocates a =
  match a with
    | FreeAllocAny ->
        None
    | FreeAlloc(alloc,frees) ->
      let assign_list =
        List.fold_left
          (fun acc out ->
             if false (* Logic_utils.is_result out.it_content *)
             then acc else (out,1)::acc)
          [] (alloc @ frees)
      in
      let assign_list = List.flatten (List.map zone assign_list) in
      Some(Loc.dummy_position,assign_list)

let spec _fname funspec =
  let is_normal_postcond =
    function (Normal,_) -> true
      | (Exits | Returns | Breaks | Continues),_ -> false
  in
  let behavior b =
    if List.exists (not $ is_normal_postcond) b.b_post_cond then
      warn_once "abrupt clause(s) ignored";
    let name =
      if b.b_name = Cil.default_behavior_name then
        name_of_default_behavior
      else if b.b_name = name_of_default_behavior then
        name_of_default_behavior ^ "_jessie"
      else b.b_name
    in
(*    Format.eprintf "[spec] function %s, producing behavior '%s' from behavior '%s'@." fname name b.b_name;
    Format.eprintf "b_allocation = ";
    begin
      match b.b_allocation with
        | FreeAllocAny ->
            Format.eprintf "FreeAllocAny@."
        | FreeAlloc(l1,l2) ->
            Format.eprintf "FreeAlloc(%d,%d)@." (List.length l1) (List.length l2)
    end;
*)
    JCCbehavior(
      Loc.dummy_position,
      name,
      None, (* throws *)
      Some(conjunct Loc.dummy_position b.b_assumes),
      None, (* requires *)
      assigns b.b_assigns,
      allocates b.b_allocation,
      locate
        (conjunct Loc.dummy_position
           (Extlib.filter_map
              (function (Normal,_) -> true
                 | (Exits | Returns | Breaks | Continues),_ -> false)
              snd b.b_post_cond)))
  in
  let behaviors = List.map behavior funspec.spec_behavior in
  let requires =
    List.fold_right
      (fun b acc ->
         let ass = List.map (pred $ Logic_const.pred_of_id_pred) b.b_assumes in
         List.fold_right
           (fun req acc ->
              let impl = mkimplies ass
                (pred (Logic_const.pred_of_id_pred req))
                  Loc.dummy_position in
              JCCrequires(locate impl) :: acc)
           b.b_requires
           acc
      )
      funspec.spec_behavior
      []
  in

  let complete_behaviors_assertions : Jc_ast.pexpr list =
    List.map
      (fun bnames ->
         (* inutile, car dans le contexte de la precondition
            let r = mkconjunct
            (List.map (function
            | JCCrequires p -> p
            | _ -> assert false)
            requires)
            Loc.dummy_position
            in
         *)
         let a = mkdisjunct
           (List.fold_left
              (fun acc b ->
                 match b with
                   | JCCbehavior(_,name,_,Some a,_,_,_,_) ->
                       if (bnames = [] && name <> Common.name_of_default_behavior)
                         || List.mem name bnames
                       then
                         a :: acc
                       else acc
                   | _ -> assert false)
              [] behaviors)
           Loc.dummy_position
         in
         (*
           Some(mkexpr (JCPEbinary(r,`Bimplies,a)) Loc.dummy_position)
         *)
         a)
      funspec.spec_complete_behaviors
  in
  let disjoint_behaviors_assertions  : Jc_ast.pexpr list =
    List.fold_left
      (fun acc bnames ->
         let all_assumes =
           List.fold_left
             (fun acc b ->
                match b with
                  | JCCbehavior(_,name,_,Some a,_,_,_,_) ->
(*
                      Format.eprintf "name = %s, len bnames = %d@."
                        name (List.length bnames);
*)
                      if (bnames = [] &&
                          name <> Common.name_of_default_behavior)
                        ||
                        List.mem name bnames
                      then
                        a :: acc
                      else acc
                  | _ -> assert false)
             [] behaviors
         in
         let rec aux assumes prevs acc =
           match assumes with
             | [] -> acc
             | b::rem ->
                 let acc =
                   List.fold_left
                     (fun acc a ->
                        (mkexpr (JCPEunary(`Unot,
                                           mkconjunct [b;a] Loc.dummy_position))
                           Loc.dummy_position)
                        :: acc)
                     acc prevs
                 in
                 aux rem (b::prevs) acc
         in
         aux all_assumes [] acc)
      [] funspec.spec_disjoint_behaviors
  in

  let decreases =
    match funspec.spec_variant with
      | None -> []
      | Some(t,None) ->
          [JCCdecreases(locate (term t),None)]
      | Some(t,Some id) ->
          [JCCdecreases(locate (term t),Some (new identifier id))]
  in

  (* TODO: translate terminates clauses *)
  if funspec.spec_terminates <> None then
    warn_once "Termination condition(s) ignored" ;

  (requires @ decreases @ behaviors),
  complete_behaviors_assertions,
  disjoint_behaviors_assertions

(* Depending on the argument status, an assertion with this status may
   not generate any PO but still be used as an hypothesis. *)
(*[VP] this is not in the AST anymore. Information needs to be retrieved from table*)
(*let assertion = function
  | { status = Checked { valid = True } } -> Aassume
  | _ -> Aassert
*)

let built_behavior_ids = function
    [] -> [ new identifier name_of_default_behavior ]
  | l ->
      List.map
        (fun i ->
           new identifier
             (if i = name_of_default_behavior then name_of_default_behavior ^ "_jessie"
              else i))
        l

let code_annot pos ((acc_assert_before,contract) as acc) a =
  let push s = s::acc_assert_before,contract in
  match a.annot_content with
    | AAssert (behav,p) ->
        let behav = built_behavior_ids behav in
        let asrt = Aassert in (* [VP] Needs to retrieve exact status *)
        push
          (mkexpr
             (JCPEassert (behav,asrt,locate ~pos (named_pred p))) pos)
    | AInvariant(_behav,is_loop_inv,_p) ->
        if is_loop_inv then acc (* should be handled elsewhere *)
        else unsupported "general code invariant"
            (*
              let behav = built_behavior_ids behav in
              push
              (mkexpr
              (JCPEassert
              (behav,Aassert,locate ~pos (named_pred p))) pos)
            *)
    | APragma _ -> acc (* just ignored *)
    | AAssigns (_, _) -> acc (* should be handled elsewhere *)
    | AAllocation _ -> acc (* should be handled elsewhere *)
    | AVariant _ -> acc (* should be handled elsewhere *)
    | AStmtSpec ([],s) -> (* TODO: handle case of for *)
        begin
          match contract with
            | None -> (acc_assert_before,Some s)
            | Some _ -> assert false
        end
    | AStmtSpec _ ->
        unsupported "statement contract for a specific behavior"

(*****************************************************************************)
(* Cil to Jessie translation of coding constructs                            *)
(*****************************************************************************)

let set_curFundec, get_curFundec =
  let cf = ref None in
  ((fun f -> cf := Some f),
   (fun () ->
      match !cf with
          None ->
            let res = emptyFunction "@empty@" in cf := Some res; res
        | Some res -> res))

let rec expr e =

  let enode =
    let e = stripInfo e in
    match e.enode with
    | Info _ -> assert false

    | Const c -> const e.eloc c

    | Lval lv -> (lval e.eloc lv)#node

    | SizeOf _ | SizeOfE _ | SizeOfStr _ | AlignOf _ | AlignOfE _ ->
        assert false (* Should be removed by constant folding *)

    | UnOp(_op,_e,ty) when isIntegralType ty ->
        (integral_expr e)#node

    | UnOp(op,e,_ty) ->
        let e =
          locate (mkexpr (JCPEunary(unop op,expr e)) e.eloc)
        in
        e#node

    | BinOp(_op,_e1,_e2,ty) when isIntegralType ty ->
        (integral_expr e)#node

    | BinOp(op,e1,e2,_ty) ->
        let e =
          locate (mkexpr (JCPEbinary(expr e1,binop op,expr e2)) e.eloc)
        in
        e#node

    | CastE(ty,e')
        when isIntegralType ty && isFloatingType (typeOf e') ->
        let e1 =
          locate (mkexpr (JCPEcast(expr e',mktype (JCPTnative Treal))) e.eloc)
        in
	let e =
	  locate (mkexpr (JCPEapp("\\truncate_real_to_int",[],[e1])) e.eloc)
	in e#node

    | CastE(ty,e') when isIntegralType ty && isArithmeticType (typeOf e') ->
        (integral_expr e)#node

    | CastE(ty,e') when isFloatingType ty && isArithmeticType (typeOf e') ->
        let e = locate (mkexpr (JCPEcast(expr e',ctype ty)) e.eloc) in
        e#node

    | CastE(ty,e') when isIntegralType ty && isPointerType (typeOf e') ->
(*         && bits_sizeof ty = bits_sizeof (typeOf e') -> *)
(*         let _,ptr_to_int = type_conversion ty (typeOf e') in *)
(*         JCPEapp(ptr_to_int,[],[expr e']) *)
        unsupported "Casting from type %a to type %a not allowed"
          Printer.pp_typ (typeOf e') Printer.pp_typ ty

    | CastE(ptrty,_e1) when isPointerType ptrty ->
        begin
          let e = stripCastsAndInfo e in
          match e.enode with
          | Const c
              when is_integral_const c
                && Integer.equal (value_of_integral_const c) Integer.zero ->
              JCPEconst JCCnull
          | _ ->
              let ety = typeOf e in
              if isIntegralType ety(*  && bits_sizeof ety = bits_sizeof ptrty *) then
(*                 let _,int_to_ptr = type_conversion ptrty ety in *)
(*                 JCPEapp(int_to_ptr,[],[integral_expr e]) *)
		unsupported "Casting from type %a to type %a not allowed"
                  Printer.pp_typ (typeOf e) Printer.pp_typ ptrty
              else if isPointerType ety then
(*                 let destty = pointed_type ptrty in *)
(*                 let srcty = pointed_type ety in *)
(*                 if Retype.subtype srcty destty then *)
(*                   (expr e)#node *)
(*                 else if Retype.TypeUnion.same_class destty srcty then *)
(*                   let enode = JCPEcast(expr e,ctype ptrty) in *)
(*                   let e = locate (mkexpr enode pos) in *)
(*                   e#node *)
(*                 else *)
                  (* bitwise cast *)
                  let enode = JCPEcast(expr e,ctype ptrty) in
                  let e = locate (mkexpr enode e.eloc) in
                  e#node
(*                   let _,ptr_to_ptr = type_conversion ptrty ety in *)
(*                   JCPEapp(ptr_to_ptr,[],[expr e]) *)
              else
                (* Only hierarchical types are available in Jessie. It
                 * should have been encoded as the use of pointer types
                 * on structure type.
                 *)
(*               match unrollType ty with *)
(*                 | TComp(compinfo,_) -> *)
(*                     JCPEcast(expr (stripCasts e),compinfo.cname) *)
(*                 | _ -> assert false *)
                unsupported "Casting from type %a to type %a not allowed"
                  Printer.pp_typ (typeOf e) Printer.pp_typ ptrty
        end

    | CastE(ty,e') ->
        (* TODO: support other casts in Jessie as well, through low-level
         * memory model
         *)
        unsupported "Casting from type %a to type %a not allowed in %a with size %Ld and %Ld"
          Printer.pp_typ (typeOf e') Printer.pp_typ ty Printer.pp_exp e
          ( bits_sizeof ty) ( bits_sizeof (typeOf e'))


    | AddrOf _lv -> assert false (* Should have been rewritten *)

    | StartOf lv -> (lval e.eloc lv)#node
  in
  mkexpr enode e.eloc

(* Function called when expecting a boolean in Jessie, i.e. when translating
   a test or a sub-expression of an "or" or "and".
*)
and boolean_expr e =
  let boolean_node_from_expr ty e =
    if isPointerType ty then JCPEbinary(e,`Bneq,null_expr)
    else if isArithmeticType ty then JCPEbinary (e,`Bneq,zero_expr)
    else assert false
  in

  let enode = match (stripInfo e).enode with
    | Info _ -> assert false

    | Const c -> JCPEconst(boolean_const c)

    | UnOp(LNot,e,_typ) -> JCPEunary(unop LNot,boolean_expr e)

    | BinOp((LAnd | LOr) as op,e1,e2,_typ) ->
        JCPEbinary(boolean_expr e1,binop op,boolean_expr e2)

    | BinOp((Eq | Ne) as op,e1,e2,_typ) ->
        JCPEbinary(expr e1,binop op,expr e2)

    | BinOp((Lt | Gt | Le | Ge) as op,e1,e2,_typ) ->
        let ty = typeOf e1 in
        if isArithmeticType ty then
          JCPEbinary(expr e1,binop op,expr e2)
        else
          (* Pointer comparison is translated as subtraction *)
          let sube = mkexpr (JCPEbinary(expr e1,`Bsub,expr e2)) e.eloc in
          JCPEbinary(sube,binop op,zero_expr)

    | _ -> boolean_node_from_expr (typeOf e) (expr e)
  in
  mkexpr enode e.eloc

(* Function called instead of plain [expr] when the evaluation result should
 * fit in a C integral type.
 *)
and integral_expr e =

  let rec int_expr e =
    let node_from_boolean_expr e = JCPEif(e,one_expr,zero_expr) in

    let enode = match e.enode with
      | UnOp(LNot,e',_ty) ->
          let e = mkexpr (JCPEunary(unop LNot,boolean_expr e')) e.eloc in
          node_from_boolean_expr e

      | UnOp(op,e',_ty) ->
          let e =
            locate (mkexpr (JCPEunary(unop op,expr e')) e.eloc)
          in
          e#node

      | BinOp((LAnd | LOr) as op,e1,e2,_ty) ->
          let e =
            mkexpr (JCPEbinary(boolean_expr e1,binop op,boolean_expr e2)) e.eloc
          in
          node_from_boolean_expr e

      | BinOp((Lt | Gt | Le | Ge as op),e1,e2,_ty)
          when isPointerType (typeOf e1) ->
          (* Pointer comparison is translated as subtraction *)
          let sube = mkexpr (JCPEbinary(expr e1,`Bsub,expr e2)) e.eloc in
          let e = mkexpr (JCPEbinary(sube,binop op,zero_expr)) e.eloc in
          node_from_boolean_expr e

(*       | BinOp((Eq | Ne as op),e1,e2,_ty) *)
(*           when isPointerType (typeOf e1) && *)
(*             not (is_null_expr e2 || is_null_expr e1) -> *)
(*           (\* Pointer (dis-)equality is translated as subtraction *\) *)
(*           let sube = mkexpr (JCPEbinary(expr e1,`Bsub,expr e2)) pos in *)
(*           let e = mkexpr (JCPEbinary(sube,binop op,zero_expr)) pos in *)
(*           node_from_boolean_expr e *)

      | BinOp((Eq | Ne) as op,e1,e2,_ty) ->
          let e = mkexpr (JCPEbinary(expr e1,binop op,expr e2)) e.eloc in
          node_from_boolean_expr e

      | BinOp((Lt | Gt | Le | Ge) as op,e1,e2,_ty) ->
          let e = mkexpr (JCPEbinary(expr e1,binop op,expr e2)) e.eloc in
          node_from_boolean_expr e

      | BinOp(Shiftrt,e1,e2,_ty) ->
          let e = match possible_value_of_integral_expr e2 with
            | Some i when Integer.ge i Integer.zero &&
                Integer.lt i (Integer.of_int 63) ->
                (* Right shift by constant is division by constant *)
                let pow = constant_expr (Integer.two_power i) in
                locate (mkexpr (JCPEbinary(expr e1,`Bdiv,expr pow)) e.eloc)
            | _ ->
                let op =
                  if isSignedInteger (typeOf e1) then `Barith_shift_right
                  else `Blogical_shift_right
                in
                locate (mkexpr (JCPEbinary(expr e1,op,expr e2)) e.eloc)
          in
          e#node

      | BinOp(Shiftlt as op,e1,e2,_ty) ->
          let e = match possible_value_of_integral_expr e2 with
            | Some i when Integer.ge i Integer.zero &&
                Integer.lt i (Integer.of_int 63) ->
                (* Left shift by constant is multiplication by constant *)
                let pow = constant_expr (Integer.two_power i) in
                locate (mkexpr (JCPEbinary(expr e1,`Bmul,expr pow)) e.eloc)
            | _ ->
                locate (mkexpr (JCPEbinary(expr e1,binop op,expr e2)) e.eloc)
          in
          e#node

      | BinOp(op,e1,e2,_ty) ->
          let e =
            locate (mkexpr (JCPEbinary(expr e1,binop op,expr e2)) e.eloc)
          in
          e#node

      | CastE(ty,e1) when isFloatingType (typeOf e1) ->
          let e1' = locate (mkexpr (JCPEcast(expr e1,ltype Linteger)) e.eloc) in
          if !int_model = IMexact then
            e1'#node
          else
            let e2' = locate (mkexpr (JCPEcast(e1',ctype ty)) e.eloc) in
            e2'#node

      | CastE(ty,e1) when isIntegralType (typeOf e1) ->
          if !int_model = IMexact then
            (int_expr e1)#node
          else
            let e = locate (mkexpr (JCPEcast(int_expr e1,ctype ty)) e.eloc) in
            e#node

      | _ -> (expr e)#node
    in
    mkexpr enode e.eloc
  in

  match e.enode with
    | CastE _ -> int_expr e
    | _ -> int_expr (new_exp ~loc:e.eloc (CastE(typeOf e,e)))

and lval pos = function
  | Var v, NoOffset -> mkexpr (JCPEvar v.vname) pos

  | Var _v, _off -> assert false (* Should have been rewritten *)

  | Mem _e, NoOffset -> assert false (* Should have been rewritten *)

  | Mem e, Field(fi,off) ->
      assert (off = NoOffset); (* Others should have been rewritten *)
      let e = expr e in
      if not fi.fcomp.cstruct then (* field of union *)
        locate (mkexpr (JCPEcast(e,ctype fi.ftype)) pos)
      else
        let repfi = Retype.FieldUnion.repr fi in
        let e,fi =
          if Fieldinfo.equal fi repfi then
            e,fi
          else
            let caste =
              locate
                (mkexpr
                   (JCPEcast(e,
                             ctype (TPtr(TComp(repfi.fcomp,
                                               empty_size_cache (),[]),[]))))
                   pos)
            in
            caste,repfi
        in
        locate (mkexpr (JCPEderef(e,fi.fname)) pos)

  | Mem e, Index(ie,Field(fi,off)) ->
      assert (off = NoOffset); (* Others should have been rewritten *)
      (* Normalization made it equivalent to simple add *)
      let e = mkexpr (JCPEbinary(expr e,`Badd,expr ie)) pos in
      if not fi.fcomp.cstruct then (* field of union *)
        locate (mkexpr (JCPEcast(e,ctype fi.ftype)) pos)
      else
        let repfi = Retype.FieldUnion.repr fi in
        let e,fi =
          if Fieldinfo.equal fi repfi then
            e,fi
          else
            let caste =
              locate
                (mkexpr
                   (JCPEcast(e,
                             ctype (TPtr(TComp(repfi.fcomp,
                                               empty_size_cache (),[]),[]))))
                   pos)
            in
            caste,repfi
        in
        locate (mkexpr (JCPEderef(e,fi.fname)) pos)

  | Mem _e, Index _ as lv ->
      Jessie_options.fatal
        ~current:true "Unexpected lval %a" Printer.pp_lval lv

let keep_only_declared_nb_of_arguments vi l =
  let _,args,is_variadic, _ = splitFunctionTypeVI vi in
  if args=None then
    (warning "skipping all arguments of implicit prototype %s" vi.vname;
     [])
  else if is_variadic then unsupported "unsupported variadic functions"
  else l

let instruction = function
  | Set(lv,e,pos) ->
      let enode = JCPEassign(lval pos lv,expr e) in
      (locate (mkexpr enode pos))#node

  | Call(None,{enode = Lval(Var v,NoOffset)},eargs,pos) ->
      if is_assert_function v then
        JCPEassert([new identifier name_of_default_behavior],
                   Aassert,locate (boolean_expr (as_singleton eargs)))
      else
        let enode =
          if is_free_function v then
            let arg = as_singleton eargs in
            let subarg = stripCasts arg in
            let arg = if isPointerType (typeOf subarg) then subarg else arg in
            JCPEfree(expr arg)
          else
            JCPEapp(v.vname,[],
                    keep_only_declared_nb_of_arguments
                      v
                      (List.map expr eargs))
        in
        (locate (mkexpr enode pos))#node

  | Call(Some lv,{enode = Lval(Var v,NoOffset)},eargs,pos) ->
      let enode =
        if is_malloc_function v || is_realloc_function v then
          let lvtyp = pointed_type (typeOfLval lv) in
          let lvsiz = Integer.of_int64 ((bits_sizeof lvtyp) lsr 3) in
          let arg =
            if is_malloc_function v then as_singleton eargs
            else (* realloc *)
              match eargs with [ _; arg ] -> arg | _ -> assert false
          in
          let arg = stripInfo arg in
          let loc = arg.eloc in
          let ty,arg = match arg.enode with
            | Info _ -> assert false
            | Const c when is_integral_const c ->
                let allocsiz = Integer.div (value_of_integral_expr arg) lvsiz
                in
                let siznode =
                  JCPEconst(JCCinteger(Integer.to_string allocsiz))
                in
                lvtyp, mkexpr siznode pos
            | BinOp(Mult,({enode = Const c} as arg),nelem,_ty)
            | BinOp(Mult,nelem,({enode = Const c} as arg),_ty)
                when is_integral_const c ->
                let factor = Integer.div (value_of_integral_expr arg) lvsiz in
                let siz =
                  if Integer.equal factor Integer.one then expr nelem
                  else
                    let factor = constant_expr factor in
                    expr
                      (new_exp ~loc (BinOp(Mult,nelem,factor,typeOf arg)))
                in
                lvtyp, siz
            | _ ->
                if Integer.equal lvsiz Integer.one then lvtyp, expr arg
                else
                  let esiz = constant_expr ~loc lvsiz in
                  lvtyp, expr (new_exp ~loc (BinOp(Div,arg,esiz,typeOf arg)))
          in
          let name_of_type = match unrollType ty with
            | TComp(compinfo,_,_) -> compinfo.cname
            | _ -> assert false
          in
          JCPEalloc(arg,name_of_type)
        else if is_calloc_function v then
          let nelem,elsize = match eargs with
            | [nelem;elsize] -> nelem,elsize
            | _ -> assert false
          in
          let arg = stripInfo elsize in
          let loc = arg.eloc in
          let ty,arg = match arg.enode with
            | Info _ -> assert false
            | Const c when is_integral_const c ->
                let lvtyp = pointed_type (typeOfLval lv) in
                let lvsiz = Integer.of_int64 ((bits_sizeof lvtyp) lsr 3) in
                let factor = Integer.div (value_of_integral_expr arg) lvsiz in
                let siz =
                  if Integer.equal factor Integer.one then
                    expr nelem
                  else
                    let factor = constant_expr ~loc factor in
                    expr (new_exp ~loc (BinOp(Mult,nelem,factor,typeOf arg)))
                in
                lvtyp, siz
            | _ ->
                let lvtyp = pointed_type (typeOfLval lv) in
                let lvsiz = Integer.of_int64 ((bits_sizeof lvtyp) lsr 3) in
                let esiz = constant_expr ~loc lvsiz in
                lvtyp,
                expr
                  (new_exp ~loc
                     (BinOp(Div,
                            new_exp ~loc (BinOp(Mult,nelem,elsize,typeOf arg)),
                            esiz,
                            typeOf arg)))
          in
          let name_of_type = match unrollType ty with
            | TComp(compinfo,_,_) -> compinfo.cname
            | _ -> assert false
          in
          JCPEalloc(arg,name_of_type)
        else
          JCPEapp(v.vname,[],
                  keep_only_declared_nb_of_arguments
                    v
                    (List.map expr eargs))
      in
      let lvty = typeOfLval lv in
      let call = locate (mkexpr enode pos) in
      let enode =
        if Typ.equal lvty (getReturnType v.vtype)
          || is_malloc_function v
          || is_realloc_function v
          || is_calloc_function v
        then
          JCPEassign(lval pos lv,call)
        else
          let tmpv = makeTempVar (get_curFundec()) (getReturnType v.vtype) in
          let tmplv = Var tmpv, NoOffset in
          let cast =
            new_exp ~loc:pos (CastE(lvty,new_exp ~loc:pos (Lval tmplv)))
          in
          let tmpassign = JCPEassign(lval pos lv,expr cast) in
          JCPElet(None,tmpv.vname,Some call,locate (mkexpr tmpassign pos))
      in
      (locate (mkexpr enode pos))#node

  | Call _ -> Common.unsupported ~current:true "function pointers"

  | Asm _ -> Common.unsupported ~current:true "inline assembly"

  | Skip _pos -> JCPEconst JCCvoid

  | Code_annot _ -> Common.unsupported ~current:true "code annotation"

let rec statement s =
  let pos = Stmt.loc s in
  CurrentLoc.set pos;
(*
  let assert_list =
    Annotations.get_filter Logic_utils.is_assert s
    @ Annotations.get_filter Logic_utils.is_stmt_invariant s
  in
  let assert_before,assert_after =
    List.partition (function Before _ -> true | After _ -> false) assert_list
  in
  let assert_before =
    List.flatten (List.map ((assert_ pos) $ before_after_content) assert_before)
  in
  let assert_after =
    List.flatten (List.map ((assert_ pos) $ before_after_content) assert_after)
  in
*)

  let assert_before, contract =
    Annotations.fold_code_annot
      (fun _ ca acc -> code_annot pos acc ca) s ([],None)
  in
  let snode = match s.skind with
    | Instr i -> instruction i

    | Return(Some e,_) -> JCPEreturn(expr e)

    | Return(None,_pos) ->
        JCPEreturn(mkexpr (JCPEconst JCCvoid) pos)

    | Goto(sref,_pos) ->
        (* Pick the first non-case label in the list of labels associated to
         * the target statement
         *)
        let labels = filter_out is_case_label !sref.labels in
        assert (not (labels = []));
        JCPEgoto(label (List.hd labels))

    | Break _pos ->
        assert false (* Should not occur after [prepareCFG] *)

    | Continue _pos ->
        assert false (* Should not occur after [prepareCFG] *)

    | If(e,bl1,bl2,_) ->
        JCPEif(boolean_expr e,block bl1,block bl2)

    | Switch(e,bl,slist,pos) ->
        let case_blocks stat_list case_list =
          let rec next_case curr_list final_list stat_list case_list =
            match stat_list,case_list with
              | curr_stat :: rest_stat, curr_case :: rest_case ->
                  if curr_case.sid = curr_stat.sid then
                    (* Beginning of a new case. Add previous case to list
                       if not empty. *)
                    let add_to_list cond e l = if cond e then e::l else l in
                    let not_empty_list = function [] -> false | _ -> true in
                    let final_list =
                      add_to_list not_empty_list (List.rev curr_list) final_list
                    in
                    let curr_list = [curr_stat] in
                    next_case curr_list final_list rest_stat rest_case
                  else
                    let curr_list = curr_stat :: curr_list in
                    next_case curr_list final_list rest_stat case_list
              | [], [] ->
                  if List.length curr_list <> 0 then
                    List.rev curr_list :: final_list
                  else
                    final_list
              | [], _ ->
                  (* More cases than available. *)
                  assert false
              | stat_list, [] ->
                  (List.rev_append curr_list stat_list) :: final_list
          in
          List.rev (next_case [] [] stat_list case_list)
        in
        let switch_label = function
          | Label _ -> assert false
          | Case(e,_) -> Some(expr e)
          | Default _ -> None
        in
        let case = function
          | [] -> assert false
          | case_stmt :: _ as slist ->
              let switch_labels = List.filter is_case_label case_stmt.labels in
              let labs = List.map switch_label switch_labels in
              let slist = mkexpr (JCPEblock(statement_list slist)) pos in
              labs, slist
        in
        let case_list = List.map case (case_blocks bl.bstmts slist) in
        JCPEswitch(expr e,case_list)

    | Loop (_,bl,_pos,_continue_stmt,_break_stmt) ->
	let treat_loop_annot _ annot (beh,var as acc) =
	  match annot.annot_content with
	    | AVariant(v,rel) ->
		begin
		  match var with
		    | None ->
			begin
			  match rel with
			    | Some r ->
				(beh, Some (locate (term v),
					    Some (new identifier r)) )
			    | None ->
				(beh,Some (locate (term v) ,None ))
			end
		    | Some _ -> assert false (* At most one variant *)
		end
	    | AInvariant(ids,true,inv) ->
		((ids,[locate (pred inv)],WritesAny)::beh,var)
	    | AAssigns(ids,assign) ->
		((ids,[],assign)::beh,var)
	    | APragma _ -> (* ignored *) acc
            | AAllocation _ -> (* Ignored *) acc
            (* No loop annotation. *)
	    | AAssert _ | AStmtSpec _ | AInvariant _ -> acc
        in
        let behs,variant =
	  Annotations.fold_code_annot treat_loop_annot s ([],None)
	in
        (* Locate the beginning of the loop, to serve as location for generated
         * invariants and variants.
         *)
	(*         let lab = reg_pos pos in *)
        (* TODO: add loop-assigns to Jessie *)
        (* PARTIALLY DONE: added them as new jessie loop behaviors *)
        let behs = List.map
          (fun (beh_names,invs,ass) ->
             let beh_names = built_behavior_ids beh_names in
	     let inv =
	       match invs with
		 | [] -> None
		 | _ -> Some (mkconjunct invs pos)
	     in
	     let ass = assigns ass in
             (beh_names,inv,ass))
          behs
        in
        JCPEwhile(true_expr,behs,variant,block bl)

    | Block bl ->
        JCPEblock(statement_list bl.bstmts)

    | UnspecifiedSequence seq ->
        (* [VP] TODO: take into account undefined behavior tied to the
          effects of the statements... *)
        JCPEblock(statement_list (List.map (fun (x,_,_,_,_) -> x) seq))

    | TryFinally _ | TryExcept _ -> assert false
  in
  (* Prefix statement by all non-case labels *)
  let labels = filter_out is_case_label s.labels in
  let s = mkexpr snode pos in
  let s =
    match contract with
      | None -> s
      | Some sp ->
          let sp,_cba,_dba = spec "statement contract" sp in
          let requires, decreases, behaviors =
            List.fold_left
              (fun (r,d,b) c ->
                 match c with
                   | JCCrequires p ->
                       begin match r with
                         | None -> (Some p,d,b)
                         | Some _ -> unsupported "multiple requires on statement contract"
                       end
                   | JCCdecreases(v,p) ->
                       begin match d with
                         | None -> (r,Some(v,p),b)
                         | Some _ -> unsupported "multiple decreases on statement contract"
                       end
                   | JCCbehavior be -> (r,d,be::b))
              (None,None,[])
              sp
          in
          mkexpr
            (JCPEcontract(requires, decreases, behaviors, s))
            pos
  in
  let s = match assert_before @ [s] with
    | [s] -> s
    | slist -> mkexpr (JCPEblock slist) pos
  in
  List.fold_left (fun s lab -> mkexpr (JCPElabel(label lab,s)) pos) s labels

and statement_list slist = List.rev (List.rev_map statement slist)

and block bl =
  match bl.bstmts with
    | [] -> mkexpr (JCPEconst JCCvoid) Loc.dummy_position
    | [s] -> statement s
    | slist -> mkexpr (JCPEblock(statement_list slist)) Loc.dummy_position


(*****************************************************************************)
(* Cil to Jessie translation of global declarations                          *)
(*****************************************************************************)

let drop_on_unsupported_feature = false

let logic_variable v =
  let name = Extlib.may_map (fun v -> v.vname) ~dft:v.lv_name v.lv_origin in
  ltype v.lv_type, name

let rec annotation is_axiomatic annot =
  match annot with
  | Dfun_or_pred (info,pos) ->
      CurrentLoc.set pos;
      begin
        try
        let params = List.map logic_variable info.l_profile in
        let body =
          match info.l_body with
            | LBnone -> JCnone
          | LBreads reads_tsets ->
              let reads =
                List.flatten
                  (List.map (fun x -> terms x.it_content) reads_tsets)
              in
              JCreads reads
          | LBpred p -> JCexpr(pred p)
          | LBinductive indcases ->
              let l = List.map
                (fun (id,labs,_poly,p) ->
                   (new identifier id,logic_labels labs,pred p)) indcases
              in
              JCinductive l
          | LBterm t -> JCexpr(term t)
        in
	let name =
          try
            let _ = Hashtbl.find jessie_builtins info.l_var_info.lv_name in
            info.l_var_info.lv_name
        with Not_found ->
          translated_name info []
        in
        (match info.l_type, info.l_labels, params with
             Some t, [], [] ->
               let def = match body with
                 | JCnone | JCreads _ | JCinductive _ -> None
                 | JCexpr t -> Some t
               in
               [JCDlogic_var (ltype t, name,def)]
           | _ ->
               [JCDlogic(Option_misc.map ltype info.l_type,
                         name,[],
                         logic_labels info.l_labels,
                         params,body)])
      with (Unsupported _ | Log.FeatureRequest _)
        when drop_on_unsupported_feature ->
	  warning "Dropping declaration of predicate %s@."
            info.l_var_info.lv_name ;
          []
      end

  | Dlemma(name,is_axiom,labels,_poly,property,pos) ->
      CurrentLoc.set pos;
      ignore
        (reg_position ~id:name
           ~name:("Lemma " ^ name) pos);
      begin try
        [JCDlemma(name,is_axiom,[],logic_labels labels,pred property)]
      with (Unsupported _ | Log.FeatureRequest _)
          when drop_on_unsupported_feature ->
            warning "Dropping lemma %s@." name; []
      end

  | Dinvariant (property,pos) ->
      begin try
        CurrentLoc.set pos;
	let n = translated_name property [] in
        [JCDglobal_inv(n,pred (Logic_utils.get_pred_body property))]
      with (Unsupported _ | Log.FeatureRequest _)
          when drop_on_unsupported_feature ->
            warning "Dropping invariant %s@." property.l_var_info.lv_name ;
            []
      end

  | Dtype_annot (annot,pos) ->
      begin try
        CurrentLoc.set pos;
	let n = translated_name annot [] in
        [JCDlogic(
           None,n, [],logic_labels annot.l_labels,
           List.map logic_variable annot.l_profile,
           JCexpr(pred (Logic_utils.get_pred_body annot)))]
      with (Unsupported _ | Log.FeatureRequest _)
          when drop_on_unsupported_feature ->
            warning "Dropping type invariant %s@." annot.l_var_info.lv_name;
            []
      end

  | Dtype (info,pos) when info.lt_params=[] ->
      CurrentLoc.set pos;
      let myself = mktype (JCPTidentifier (info.lt_name,[])) in
      let mydecl = JCDlogic_type (info.lt_name,[]) in
      let axiomatic ctors =
        let cons = List.map
          (fun x ->
             let prms = ref (-1) in
             let make_params t =
               incr prms;
               ltype t, Printf.sprintf "x%d" !prms  (*TODO: give unique name*)
             in
             match x.ctor_params with
               [] -> JCDlogic_var(myself,x.ctor_name,None)
             | l ->
                 let params = List.map make_params l in
                 JCDlogic(Some myself,x.ctor_name,[],[],params,
                          JCreads []
                            (*(List.map (fun (_,x) ->
                              mkexpr (JCPEvar x) pos) params)*)))
          ctors
        in
        let tag_fun = JCDlogic (Some (mktype (JCPTnative Tinteger)),
                                info.lt_name ^ "_tag",[],[],[myself,"x"],
                                JCreads[])
        in
        let tag_axiom cons (i,axioms) =
          let prms = ref(-1) in
          let param t =
            incr prms;
            let prms_name = Printf.sprintf "x%d" !prms in
            (* TODO: give unique name *)
            (fun x ->
               mkexpr (JCPEquantifier(Forall,ltype t,
                                      [new identifier prms_name], [],x)) pos),
            mkexpr (JCPEvar prms_name) pos
          in
	  let (quant,args) =
            List.fold_right
              (fun arg (quants,args) ->
                 let quant,arg = param arg in
                 ((fun x -> quant(quants x)), arg::args))
              cons.ctor_params ((fun x -> x),[])
          in
          let expr = match cons.ctor_params with
              [] -> JCPEvar cons.ctor_name
            | _ -> JCPEapp(cons.ctor_name,[],args)
          in
          let pred =
            quant
              (mkexpr
                 (JCPEbinary
                    (mkexpr (JCPEapp (info.lt_name ^ "_tag",[],
                                      [mkexpr expr pos])) pos,
                     `Beq,
                     mkexpr(JCPEconst(JCCinteger (Int64.to_string i))) pos))
                 pos)
          in
          (i+one,
           JCDlemma(cons.ctor_name ^ "_tag_val",true,[],[], pred)
           ::axioms)
        in
        let (_,axioms) = List.fold_right tag_axiom ctors (zero,[]) in
        let xvar = mkexpr (JCPEvar "x") pos in (* TODO: give unique name *)
        let one_case cons =
          let prms = ref(-1) in
          let param t =
            incr prms;
            let prms_name = Printf.sprintf "x%d" !prms in
            (* TODO: give unique name *)
            ((fun x ->
                mkexpr (JCPEquantifier(Exists,ltype t,
                                       [new identifier prms_name], [],x)) pos),
             mkexpr (JCPEvar prms_name) pos)
          in let (quant,args) =
            List.fold_right
              (fun arg (quants,args) ->
                 let quant,arg = param arg in
                 ((fun x -> quant(quants x)), arg::args))
              cons.ctor_params ((fun x -> x),[])
          in
          quant
            (mkexpr
               (JCPEbinary(xvar,`Beq,
                           mkexpr (JCPEapp(cons.ctor_name,[],args)) pos)) pos)
        in
        match ctors with
          [] -> cons
        | [x] ->
            cons @
              [JCDlemma(info.lt_name ^ "_inductive", true, [], [],
                        (mkexpr (JCPEquantifier
                                   (Forall,myself,
                                    [new identifier "x"], [],one_case x)) pos))]
        | x::l ->
            tag_fun :: cons @ axioms @
              [JCDlemma(info.lt_name ^ "_inductive", true, [], [],
                        mkexpr
                          (JCPEquantifier(
                             Forall,myself,
                             [new identifier "x"], [],
                             List.fold_right
                               (fun cons case ->
                                  mkexpr (JCPEbinary(case,`Blor,
                                                     one_case cons)) pos)
                               l (one_case x))) pos)]
      in
      (*NB: axioms stating that two values beginning with different
        symbols are different are not generated. *)
      let axiomatic = match info.lt_def with
          None -> [mydecl]
        | Some (LTsum cons) -> mydecl::axiomatic cons
        | Some (LTsyn _) -> [] (* We'll expand the type anyway *)
      in
      (match axiomatic with
           [] -> []
         | _ when is_axiomatic -> axiomatic
         | _ ->
             [JCDaxiomatic (info.lt_name ^ "_axiomatic",
                            List.map (fun x -> mkdecl x pos) axiomatic)])

  | Dtype _ -> unsupported "type definitions"
  | Dvolatile _ -> Common.unsupported "volatile variables"
  | Dmodel_annot _ ->
      (* already handled in norm.ml *)
      []
  | Dcustom_annot _ -> Common.unsupported "custom annotation"
  | Daxiomatic(id,l,pos) ->
      CurrentLoc.set pos;
      (*
	Format.eprintf "Translating axiomatic %s into jessie code@." id;
      *)
      let l = List.fold_left (fun acc d -> (annotation true d)@acc) [] l in
      [JCDaxiomatic(id,List.map (fun d -> mkdecl  d pos)
                      (List.rev l))]

let default_field_modifiers = (false,false)

let global vardefs g =
  let pos = Global.loc g in
  CurrentLoc.set pos;
  let dnodes = match g with
    | GType _ -> [] (* No typedef in Jessie *)

    | GCompTag(compinfo,pos) when compinfo.cstruct -> (* struct type *)
        let field fi =
          let this =
            default_field_modifiers,
            ctype ?bitsize:fi.fsize_in_bits fi.ftype,
            fi.fname, fi.fsize_in_bits
          in
          let padding_size =
            match fi.fpadding_in_bits with None -> assert false | Some i -> i
          in
          if padding_size = 0 then [this] else
            let padding =
              default_field_modifiers,
              type_of_padding, unique_name "padding", fi.fpadding_in_bits
            in
            [this;padding]
        in
        let model_field mi =
          default_field_modifiers,
            ltype mi.mi_field_type,
            mi.mi_name, None
        in
        let fields =
          List.fold_right
            (fun fi acc ->
               let repfi = Retype.FieldUnion.repr fi in
               if Fieldinfo.equal fi repfi then
                 field fi @ acc
               else acc)
            compinfo.cfields []
        in
        let fields =
          List.fold_right
            (fun mi acc -> model_field mi :: acc)
            (Norm.model_fields compinfo) fields
        in
        let _parent = None in
(*           find_or_none (Hashtbl.find Norm.type_to_parent_type) compinfo.cname *)
(*         in *)
        let ty = TComp(compinfo, empty_size_cache (), []) in
        begin try
          let parentty = Typ.Hashtbl.find Retype.type_to_parent_type ty in
          let parent = get_struct_name parentty in
          [
            JCDtag(compinfo.cname,[],Some (parent,[]),fields,[])
          ]
        with Not_found ->
          try
            ignore(Typ.Hashtbl.find Norm.generated_union_types ty);
            [JCDtag(compinfo.cname,[],None,fields,[])]
          with Not_found ->
            let id = mkidentifier compinfo.cname pos in
            [
              JCDtag(compinfo.cname,[],None,fields,[]);
              JCDvariant_type(compinfo.cname,[id])
            ]
        end

    | GCompTag(compinfo,pos) -> (* union type *)
        assert (not compinfo.cstruct);
        let field fi =
          let ty = pointed_type fi.ftype in
          mkidentifier (get_struct_name ty) pos
        in
(*           match pointed_type fi.ftype with *)
(*             | TComp(compinfo,_) -> *)
(*                 let field fi = false, ctype fi.ftype, fi.fname in *)
(*                 let fields = List.map field compinfo.cfields in *)
(* (\*                 let parent = *\) *)
(* (\*                   find_or_none (Hashtbl.find Norm.type_to_parent_type) *\) *)
(* (\*                     compinfo.cname *\) *)
(* (\*                 in *\) *)
(*                 mkidentifier fi.fname fi.floc,  *)
(*                 JCDtag(fi.fname,[],None,fields,[]) *)
(*             | _ ->  *)
(*                 assert false *)
(*         in *)
        let union_id = mkidentifier compinfo.cname pos in
        let union_size = match compinfo.cfields with
          | [] -> 0
          | fi::_ ->
              Pervasives.(+) (the fi.fsize_in_bits) (the fi.fpadding_in_bits)
        in
        let padding =
          if union_size = 0 then [] else
            [default_field_modifiers,
             type_of_padding, unique_name "padding", Some union_size]
        in
        let union_tag = JCDtag(compinfo.cname,[],None,padding,[]) in
        let fields = List.map field compinfo.cfields in
        let rec has_pointer ty =
          match unrollType ty with
            | TComp(compinfo,_,_) ->
                List.exists (fun fi -> has_pointer fi.ftype) compinfo.cfields
            | TPtr _ ->
                if is_reference_type ty then
                  (* Possibly skip intermediate array type *)
                  has_pointer (pointed_type ty)
                else true
            | TVoid _
            | TInt _
            | TFloat _
            | TEnum _ -> false
            | TArray _ -> assert false (* Removed by translation *)
            | TFun _ ->
                unsupported "Function pointer type %a not allowed"
                  Printer.pp_typ ty
            | TNamed _ -> assert false
            | TBuiltin_va_list _ -> assert false (* not supported *)
        in
        (* Union type with pointer as sub-field should be used as a
           discriminated union *)
        let discr = has_pointer (TComp(compinfo, empty_size_cache (),[])) in
        [JCDunion_type(compinfo.cname,discr,union_id :: fields); union_tag]

    | GCompTagDecl _ -> [] (* No struct/union declaration in Jessie *)

    | GEnumTag(enuminfo,_pos) ->
        assert (not (enuminfo.eitems = []));
        let enums =
          List.map
            (fun {eival = enum} -> value_of_integral_expr enum) enuminfo.eitems
        in
        let emin =
          List.fold_left (fun acc enum ->
                            if Integer.lt acc enum then acc else enum)
            (List.hd enums)
            enums
        in
        let min = Num.num_of_string (Integer.to_string emin) in
        let emax =
          List.fold_left (fun acc enum ->
                            if Integer.gt acc enum then acc else enum)
            (List.hd enums)
            enums
        in
        let max = Num.num_of_string (Integer.to_string emax) in
        [JCDenum_type(enuminfo.ename,min,max)]

    | GEnumTagDecl _ -> [] (* No enumeration declaration in Jessie *)

    | GVarDecl(_,v,pos) ->
        (* Keep only declarations for which there is no definition *)
        if List.mem v vardefs
          || (isFunctionType v.vtype &&
                (v.vname = name_of_assert
                    || v.vname = name_of_free
                    || v.vname = name_of_malloc))
        then []
        else if isFunctionType v.vtype then
          let rtyp = match unrollType v.vtype with
            | TFun(rt,_,_,_) -> rt
            | _ -> assert false
          in
          let id = mkidentifier v.vname pos in
          let kf = Globals.Functions.get v in
          Jessie_options.debug
            "Getting spec of %s" (Kernel_function.get_name kf);
          let funspec = Annotations.funspec kf in
          Jessie_options.debug "OK";
          let params = Globals.Functions.get_params kf in
          let formal v = true, ctype v.vtype, unique_name_if_empty v.vname in
          let formals = List.map formal params in
          let s,_cba,_dba = spec v.vname funspec in
          [JCDfun(ctype rtyp,id,formals,s,None)]
        else
          [JCDvar(ctype v.vtype,v.vname,None)]

    | GVar(v,{init=None},_pos) ->
        [JCDvar(ctype v.vtype,v.vname,None)]

    | GVar(_v,_iinfo,_pos) ->
        (* Initialization should have been rewritten as code in an
         * initialization function, that is called by the main function in
         * global analyses and ignored otherwise.
         *)
        assert false

    | GFun(f,pos) ->
        set_curFundec f;
        if f.svar.vname = name_of_assert
          || f.svar.vname = name_of_free then []
        else
          let rty = match unrollType f.svar.vtype with
            | TFun(ty,_,_,_) -> ty
            | _ -> assert false
          in
          let formal v = true, ctype v.vtype, v.vname in
          let formals = List.map formal f.sformals in
          let id = mkidentifier f.svar.vname f.svar.vdecl in
          let funspec =
            Annotations.funspec (Globals.Functions.get f.svar)
          in
          begin try
            let local v =
              mkexpr (JCPEdecl(ctype v.vtype,v.vname,None)) v.vdecl
            in
            let locals = List.rev (List.rev_map local f.slocals) in
            let body = mkexpr (JCPEblock(statement_list f.sbody.bstmts)) pos in
            let s,cba,dba = spec f.svar.vname funspec in
            let body =
              List.fold_left
                (fun acc a ->
                   (mkexpr
                      (JCPEassert([],
                                  Acheck,
                                  mkexpr
                                    (JCPElabel("complete_behaviors",a))
                                    a#pos))
                      a#pos)
                   :: acc)
                (locals @ [body]) cba
            in
            let body =
              List.fold_left
                (fun acc a ->
                   (mkexpr
                      (JCPEassert([],
                                  Acheck,
                                  mkexpr
                                    (JCPElabel("disjoint_behaviors",a))
                                    a#pos))
                      a#pos)
                   :: acc)
                body dba
            in
            let body = mkexpr (JCPEblock body) pos in
            ignore
              (reg_position ~id:f.svar.vname
                 ~name:("Function " ^ f.svar.vname) f.svar.vdecl);
            [JCDfun(ctype rty,id,formals,s,Some body)]
          with (Unsupported _ | Log.FeatureRequest _)
              when drop_on_unsupported_feature ->
                warning "Dropping definition of function %s@." f.svar.vname ;
                let s,_cba,_dba = spec f.svar.vname funspec in
                [JCDfun(ctype rty,id,formals,s,None)]
          end

    | GAsm _ ->
	unsupported "assembly code"

    | GPragma _ -> [] (* Pragmas treated separately *)

    | GText _ -> [] (* Ignore text in Jessie *)

    | GAnnot(la,_) -> annotation false la

  in
  List.map (fun dnode -> mkdecl dnode pos) dnodes

let integral_type name ty bitsize =
  let min = Integer.to_num (min_value_of_integral_type ~bitsize ty) in
  let max = Integer.to_num (max_value_of_integral_type ~bitsize ty) in
  mkdecl (JCDenum_type(name,min,max)) Loc.dummy_position

(* let all_integral_kinds = *)
(*   let rec all_ik = function *)
(*     | IBool -> IBool :: (all_ik IChar) *)
(*     | IChar -> IChar :: (all_ik ISChar) *)
(*     | ISChar -> ISChar :: (all_ik IUChar) *)
(*     | IUChar -> IUChar :: (all_ik IInt) *)
(*     | IInt -> IInt :: (all_ik IUInt) *)
(*     | IUInt -> IUInt :: (all_ik IShort) *)
(*     | IShort -> IShort :: (all_ik IUShort) *)
(*     | IUShort -> IUShort :: (all_ik ILong) *)
(*     | ILong -> ILong :: (all_ik IULong) *)
(*     | IULong -> IULong :: (all_ik ILongLong) *)
(*     | ILongLong -> ILongLong :: (all_ik IULongLong) *)
(*     | IULongLong -> IULongLong :: [] *)
(*   in *)
(*   all_ik IBool *)

let integral_types () =
  if !int_model = IMexact then
    []
  else
    Common.fold_integral_types
      (fun name ty bitsize acc -> integral_type name ty bitsize :: acc) []

let type_conversions () =
  let typconv_axiom ty1 ty1_to_ty2 ty2_to_ty1 =
    let x = PExpr.mkvar ~name:"x" () in
    let app1 = PExpr.mkapp ~fun_name:ty1_to_ty2 ~args:[x] () in
    let app2 = PExpr.mkapp ~fun_name:ty2_to_ty1 ~args:[app1] () in
    let eq = PExpr.mkeq ~expr1:x ~expr2:app2 () in
    let forall =
      PExpr.mkforall ~typ:(ctype ty1)
        ~vars:[new identifier "x"] ~body:eq ()
    in
    PDecl.mklemma_def ~name:(unique_logic_name (ty1_to_ty2 ^ "_axiom")) ~axiom:true
      ~body:forall ()
  in
  Hashtbl.fold
    (fun _ (ty1,ty2,ty1_to_ty2,ty2_to_ty1) acc ->
       [
         PDecl.mklogic_def ~typ:(ctype ty2) ~name:ty1_to_ty2
           ~params:[ctype ty1, "x"] ~reads:[] ();
         PDecl.mklogic_def ~typ:(ctype ty1) ~name:ty2_to_ty1
           ~params:[ctype ty2, "x"] ~reads:[] ();
         typconv_axiom ty1 ty1_to_ty2 ty2_to_ty1;
         typconv_axiom ty2 ty2_to_ty1 ty1_to_ty2
       ] @ acc
    ) type_conversion_table []

let file f =
  let filter_defined = function GFun _ | GVar _ -> true | _ -> false in
  let defined_var =
    function GFun(f,_) -> f.svar | GVar(vi,_,_) -> vi | _ -> assert false
  in
  let is_needed =
    function
      | GVarDecl(_,v,_) when Cil.hasAttribute "FC_BUILTIN" v.vattr ->
          v.vreferenced
      | _ -> true
  in
  let globals =
(* AVOID CHECKING THE GLOBAL INITIALIZATION FUNCTION, WHICH IS GUARANTEED *)
(*     if Globals.has_entry_point () then *)
(*       let gif = *)
(*         Kernel_function.get_definition (Globals.Functions.get_glob_init f) *)
(*       in *)
(*       f.globals @ [GFun(gif,Loc.dummy_position)] *)
(*     else  *)
    List.filter is_needed f.globals
  in
  let vardefs =
    List.rev (List.rev_map defined_var (List.filter filter_defined globals))
  in
  (* Compute translation of [globals] before [integral_types] so that types
     used are known *)
  let globals' =
    List.flatten (List.rev (List.rev_map (global vardefs) globals))
  in
  mkdecl (JCDaxiomatic("Padding",
                       [mkdecl (JCDlogic_type (name_of_padding_type, []))
                          Loc.dummy_position]))
    Loc.dummy_position
  (* Define all integral types as enumerated types in Jessie *)
  :: integral_types ()
  (* Define conversion functions and identity axiom for back
     and forth conversion *)
  @ type_conversions ()
  @ globals'

(* Translate pragmas separately as their is no declaration for pragmas in
 * the parsed AST of Jessie, only in its types AST.
 *)
let pragma = function
  | GPragma(Attr(name,[AStr arg]),_)
  | GPragma(Attr(name,[ACons(arg,[])]),_) ->
      begin match name with
        | "InvariantPolicy" ->
            begin match String.lowercase arg with
              | "none" -> invariant_policy := Jc_env.InvNone
              | "arguments" -> invariant_policy := Jc_env.InvArguments
              | "ownership" -> invariant_policy := Jc_env.InvOwnership
              | _ -> assert false
            end;
            []
        | "SeparationPolicy" ->
            begin match String.lowercase arg with
              | "none" -> separation_policy_regions := false
              | "regions" -> separation_policy_regions := true
              | _ -> assert false
            end;
            []
        | "AnnotationPolicy" ->
            begin match String.lowercase arg with
              | "none" -> [Jc_output.JCannotation_policy Jc_env.AnnotNone]
              | "invariants" ->
                  [Jc_output.JCannotation_policy Jc_env.AnnotInvariants]
              | "weakpre" ->
                  [Jc_output.JCannotation_policy Jc_env.AnnotWeakPre]
              | "strongpre" ->
                  [Jc_output.JCannotation_policy Jc_env.AnnotStrongPre]
              | _ -> assert false
            end
        | "AbstractDomain" ->
            begin match String.lowercase arg with
              | "none" -> [Jc_output.JCabstract_domain Jc_env.AbsNone]
              | "box" -> [Jc_output.JCabstract_domain Jc_env.AbsBox]
              | "oct" -> [Jc_output.JCabstract_domain Jc_env.AbsOct]
              | "pol" -> [Jc_output.JCabstract_domain Jc_env.AbsPol]
              | _ -> assert false
            end
        | "JessieFloatModel" ->
            begin match String.lowercase arg with
              | "math" -> float_model := `Math;
		  [Jc_output.JCfloat_model Jc_env.FMmath]
              | "defensive" ->
                  float_model := `Defensive;
		  [Jc_output.JCfloat_model Jc_env.FMdefensive]
              | "full" ->
                  float_model := `Full;
		  [Jc_output.JCfloat_model Jc_env.FMfull]
              | "multirounding" ->
                  float_model := `Multirounding;
		  [Jc_output.JCfloat_model Jc_env.FMmultirounding]
              | s ->
                  Jessie_options.warning ~current:true
                    "pragma %s: identifier %s is not a valid value (ignored)."
		    name s; []
            end;
        | "JessieFloatRoundingMode" ->
            begin match String.lowercase arg with
              | "nearesteven" ->
                  (* float_rounding_mode := `NearestEven; *)
                  [Jc_output.JCfloat_rounding_mode Jc_env.FRMNearestEven]
              | "down" ->
                  (* float_rounding_mode := `Downward; *)
                  [Jc_output.JCfloat_rounding_mode Jc_env.FRMDown]
              | "up" ->
                  (* float_rounding_mode := `Upward; *)
                  [Jc_output.JCfloat_rounding_mode Jc_env.FRMUp]
              | "tozero" ->
                  (* float_rounding_mode := `Towardzero; *)
                  [Jc_output.JCfloat_rounding_mode Jc_env.FRMToZero]
              | "nearestaway" ->
                  (* float_rounding_mode := `Towardawayzero; *)
                  [Jc_output.JCfloat_rounding_mode Jc_env.FRMNearestAway]
              | s ->
                  Jessie_options.warning ~current:true
		    "pragma %s: identifier %s is not a valid value (ignored)" name s; []
            end
	| "JessieFloatInstructionSet" ->
	    begin match String.lowercase arg with
              | "x87" ->
		  [Jc_output.JCfloat_instruction_set "x87"]
              | "ieee754" ->
		  [Jc_output.JCfloat_instruction_set "ieee754"]
	      | s ->
                  Jessie_options.warning ~current:true
		    "pragma %s: identifier %s is not a valid value (ignored)" name s; []
            end

        | "JessieIntegerModel" ->
            begin match String.lowercase arg with
              | "exact" | "math" -> int_model := IMexact
              | "strict" -> int_model := IMbounded
              | "modulo" -> int_model := IMmodulo
              | s ->
                  Jessie_options.warning ~current:true
		    "pragma %s: identifier %s is not a valid value (ignored)." name s
            end;
            []

	| "JessieTerminationPolicy" ->
	    begin match String.lowercase arg with
              | "always" ->
		  [Jc_output.JCtermination_policy TPalways]
              | "user" ->
		  [Jc_output.JCtermination_policy TPuser]
              | "never" ->
		  [Jc_output.JCtermination_policy TPnever]
	      | s ->
                  Jessie_options.warning ~current:true
		    "pragma %s: identifier %s is not a valid value (ignored)" name s; []
            end
        | _ ->
            Jessie_options.warning ~current:true
	      "pragma %s is ignored by Jessie." name;
            []
      end
  | GPragma(Attr("JessieBuiltin",[ACons(acsl,[]);AStr jessie]),_) ->
    Hashtbl.add jessie_builtins acsl jessie;
    []
  | GPragma _ -> []
  | _ -> []

let pragmas f =
  let l = List.flatten (List.rev (List.rev_map pragma f.globals)) in

  (match !int_model with
    | IMexact -> []
    | IMbounded -> [ Jc_output.JCint_model Jc_env.IMbounded ]
    | IMmodulo -> [ Jc_output.JCint_model Jc_env.IMmodulo ])
  @ Jc_output.JCinvariant_policy !invariant_policy
  :: (if !separation_policy_regions then
        Jc_output.JCseparation_policy Jc_env.SepRegions
      else
        Jc_output.JCseparation_policy Jc_env.SepNone)
  :: (match Jessie_options.InferAnnot.get () with
        | "" -> Jc_output.JCannotation_policy Jc_env.AnnotNone
        | "inv" -> Jc_output.JCannotation_policy Jc_env.AnnotInvariants
        | "pre" -> Jc_output.JCannotation_policy Jc_env.AnnotElimPre
        | "spre" -> Jc_output.JCannotation_policy Jc_env.AnnotStrongPre
        | "wpre" -> Jc_output.JCannotation_policy Jc_env.AnnotWeakPre
        | s ->
            Jessie_options.abort "unknown inference technique %s" s)
  :: (match Jessie_options.AbsDomain.get () with
        | "box" -> Jc_output.JCabstract_domain Jc_env.AbsBox
        | "oct" -> Jc_output.JCabstract_domain Jc_env.AbsOct
        | "poly" -> Jc_output.JCabstract_domain Jc_env.AbsPol
        | s ->
	    Jessie_options.abort "unknown abstract domain %s" s)
  :: l


(*
Local Variables:
compile-command: "make"
End:
*)
why-2.34/frama-c-plugin/Makefile0000644000175000017500000001051212311670312015056 0ustar  rtusers##########################################################################
#                                                                        #
#  This file is part of Frama-C.                                         #
#                                                                        #
#  Copyright (C) 2007-2010                                               #
#    INRIA (Institut National de Recherche en Informatique et en         #
#           Automatique)                                                 #
#                                                                        #
#  you can redistribute it and/or modify it under the terms of the GNU   #
#  Lesser General Public License as published by the Free Software       #
#  Foundation, version 2.1.                                              #
#                                                                        #
#  It is distributed in the hope that it will be useful,                 #
#  but WITHOUT ANY WARRANTY; without even the implied warranty of        #
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         #
#  GNU Lesser General Public License for more details.                   #
#                                                                        #
#  See the GNU Lesser General Public License version 2.1                 #
#  for more details (enclosed in the file licenses/LGPLv2.1).            #
#                                                                        #
##########################################################################

# Makefile for compiling Jessie independently of Frama-C.
#
# To be used independently of Frama-C, a version of Frama-C compatible with
# Jessie has to be properly installed as well as the Jessie-specific stuff.

# Do not use ?= to initialize both below variables
# (fixed efficiency issue, see GNU Make manual, Section 8.11)
ifndef FRAMAC_SHARE
FRAMAC_SHARE  :=$(shell frama-c -journal-disable -print-path)
endif
ifndef FRAMAC_LIBDIR
FRAMAC_LIBDIR :=$(shell frama-c -journal-disable -print-libpath)
endif

PLUGIN_DIR      ?= .
WHY_DISTRIB	?= $(PLUGIN_DIR)/..
JESSIE_INCLUDES	?= -I $(WHY_DISTRIB)/src -I $(WHY_DISTRIB)/jc
JCCMO		?= $(WHY_DISTRIB)/jc/jc.cmo
JCCMX		?= $(JCCMO:.cmo=.cmx)

PLUGIN_NAME:=Jessie
PLUGIN_CMO:= jessie_config jessie_options jessie_integer common rewrite \
             norm retype interp register
PLUGIN_HAS_MLI:=yes
PLUGIN_BFLAGS:=$(JESSIE_INCLUDES)
PLUGIN_OFLAGS:=$(JESSIE_INCLUDES)
PLUGIN_EXTRA_BYTE+=$(JCCMO)
PLUGIN_EXTRA_OPT+=$(JCCMX)
#PLUGIN_DEPFLAGS:=$(JESSIE_INCLUDES)
PLUGIN_DOCFLAGS:=$(JESSIE_INCLUDES)
PLUGIN_TESTS_DIRS:=jessie

ifeq ($(FRAMAC_MAKE),yes)
unexport $(FRAMAC_MAKE)

all::  $(WHY_DISTRIB)/Makefile $(WHY_DISTRIB)/.depend why_all

.PHONY: why_all $(WHY_DISTRIB)/depend $(WHY_DISTRIB)/clean
why_all: $(WHY_DISTRIB)/Makefile $(WHY_DISTRIB)/.depend $(PLUGIN_DIR)/interp.cmi
	$(MAKE) -C $(dir $<) -j 1 all-without-frama-c-plugin

$(WHY_DISTRIB)/depend: $(WHY_DISTRIB)/Makefile
	$(MAKE) -C $(dir $@) -j 1 depend FRAMAC=no

$(WHY_DISTRIB)/clean:
	$(MAKE) -C $(dir $@) -j 1 clean

$(PLUGIN_DIR)/.depend: $(WHY_DISTRIB)/.depend

depend:: $(WHY_DISTRIB)/depend

clean::$(WHY_DISTRIB)/clean

tests:: $(WHY_DISTRIB)/bin/jessie.$(OCAMLBEST) $(WHY_DISTRIB)/bin/why.$(OCAMLBEST)

endif

$(PLUGIN_DIR)/interp.cmo: $(PLUGIN_DIR)/interp.cmi $(WHY_DISTRIB)/jc/jc.cmo

$(PLUGIN_DIR)/interp.cmi: $(WHY_DISTRIB)/jc/jc.cmi

$(PLUGIN_DIR)/interp.cmx: $(PLUGIN_DIR)/interp.cmi $(WHY_DISTRIB)/jc/jc.cmx

$(WHY_DISTRIB)/jc/jc.cmo: $(WHY_DISTRIB)/jc/jc.cmi
$(WHY_DISTRIB)/jc/jc.cmx: $(WHY_DISTRIB)/jc/jc.cmi

$(PLUGIN_DIR)/jessie_config.ml:
	echo "let jessie_local = false" > $@

$(WHY_DISTRIB)/Makefile: $(WHY_DISTRIB)/Makefile.in $(WHY_DISTRIB)/config.status
	cd $(dir $@) && ./config.status

$(WHY_DISTRIB)/.depend: $(WHY_DISTRIB)/Makefile
	$(MAKE) -C $(dir $@) -j 1 .depend FRAMAC=no

$(WHY_DISTRIB)/config.status: $(WHY_DISTRIB)/configure
	if test -e $(dir $@)/config.status; then \
	  cd $(dir $@) && ./config.status -recheck; \
	else \
	 cd $(dir $@) && ./configure ; \
	fi

$(WHY_DISTRIB)/configure: $(WHY_DISTRIB)/configure.in
	cd $(dir $@) && autoconf

$(WHY_DISTRIB)/Makefile.in: ;
$(WHY_DISTRIB)/configure.in: ;

$(WHY_DISTRIB)/%: $(WHY_DISTRIB)/Makefile $(WHY_DISTRIB)/.depend
	$(MAKE) -C $(subst /$*,,$@) -j 1 $*

PLUGIN_GENERATED_LIST+=$(JESSIE_HOME_DIR)/jessie_config.ml

include $(FRAMAC_SHARE)/Makefile.dynamic
why-2.34/frama-c-plugin/jessie_integer.ml0000644000175000017500000000603112311670312016750 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



let zero = Int64.zero
let one = Int64.one
let minus_one = Int64.minus_one

let (+) = Int64.add
let (-) = Int64.sub
let ( * ) = Int64.mul
let (/) = Int64.div
let (mod) = Int64.rem
let (~-) = Int64.neg

let max_int = Int64.max_int
let min_int = Int64.min_int

let (land) = Int64.logand
let (lor) = Int64.logor
let (lxor) = Int64.logxor
let (lsl) = Int64.shift_left
let (asr) = Int64.shift_right
let (lsr) = Int64.shift_right_logical

let negative c = c < 0
let nonpositive c = c <= 0
let (<=) i1 i2 = nonpositive (Int64.compare i1 i2)
let (<) i1 i2 = negative (Int64.compare i1 i2)
let (>=) i1 i2 = i2 <= i1
let (>) i1 i2 = i2 < i1

let power_of_two i = 
  assert (i >= 0L && i < 63L);
  1L lsl (Int64.to_int i)

(*
Local Variables:
compile-command: "LC_ALL=C make -C ../.. -j"
End:
*)
why-2.34/frama-c-plugin/jessie_options.ml0000644000175000017500000001425712311670312017017 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

include
  Plugin.Register
    (struct
       let name = "jessie"
       let shortname = "jessie"
       let help = "translation to Why/Jessie"
     end)

module ProjectName =
  EmptyString
    (struct
       let option_name = "-jessie-project-name"
       let arg_name = ""
       let help = "specify project name for Jessie analysis"
     end)

module Behavior =
  EmptyString
    (struct
       let option_name = "-jessie-behavior"
       let arg_name = ""
       let help =
	 "restrict verification to a specific behavior (safety, default or a user-defined behavior)"
     end)

module Analysis =
  False(struct
	  let option_name = "-jessie"
	  let help = "perform C to Jessie translation"
	end)

module ForceAdHocNormalization =
  False(struct
          let option_name = "-jessie-adhoc-normalization"
          let help =
            "enforce code normalization in a mode suitable for Jessie plugin."
        end)

let () =
  (* [JS 2009/10/04]
     Preserve the behaviour of svn release <= r5012.
     However it works only if the int-model is set from the command line.
     [CM 2009/12/08]
     setting int-model on the command-line is obsolete, so what is this
     code for ?
  *)
  ForceAdHocNormalization.add_set_hook
    (fun _ b ->
       if b then begin
	 Kernel.SimplifyCfg.on ();
	 Kernel.KeepSwitch.on ();
	 Kernel.Constfold.on ();
	 Kernel.PreprocessAnnot.on ();
	 Cabs2cil.setDoTransformWhile ();
	 Cabs2cil.setDoAlternateConditional ();
       end);
  State_dependency_graph.add_dependencies
    ~from:ForceAdHocNormalization.self
    [ Kernel.SimplifyCfg.self;
      Kernel.KeepSwitch.self;
      Kernel.Constfold.self;
      Kernel.PreprocessAnnot.self ]

let () =
  Analysis.add_set_hook (fun _ b -> ForceAdHocNormalization.set b);
  State_dependency_graph.add_dependencies
    ~from:Analysis.self [ ForceAdHocNormalization.self ]

module JcOpt =
  StringSet(struct
	      let option_name = "-jessie-jc-opt"
	      let arg_name = ""
	      let help = "give an option to Jc (e.g., -jessie-jc-opt=\"-trust-ai\")"
	    end)

module WhyOpt =
  StringSet
    (struct
       let option_name = "-jessie-why-opt"
       let arg_name = ""
       let help = "give an option to Why (e.g., -jessie-why-opt=\"-fast-wp\")"
     end)

module Why3Opt =
  StringSet
    (struct
       let option_name = "-jessie-why3-opt"
       let arg_name = ""
       let help = "give an option to Why3 (e.g., -jessie-why3-opt=\"--debug fast-wp\")"
     end)

module GenOnly =
  False(struct
	  let option_name = "-jessie-gen-only"
	  let help = "only generates jessie code (for developer use)"
	end)

module InferAnnot =
  EmptyString
    (struct
       let option_name = "-jessie-infer-annot"
       let arg_name = ""
       let help = "infer function annotations (inv, pre, spre, wpre)"
     end)

(*
module Why3Backend =
  False
    (struct
       let option_name = "-jessie-why3"
       let module_name = "-jessie-why3"
       let help = "Use the Why3 VC generator and GUI backend"
       let kind = `Tuning
     end)
*)

module CpuLimit =
  Zero
    (struct
       let option_name = "-jessie-cpu-limit"
       let arg_name = ""
       let help = "set the time limit in sec. for the analysis"
     end)

module AbsDomain =
  String
    (struct
       let option_name = "-jessie-abstract-domain"
       let default = "poly"
       let arg_name = ""
       let help = "use specified abstract domain (box, oct or poly)"
     end)

module Atp =
  String
    (struct
       let option_name = "-jessie-atp"
       let default = "why3ide"
       let arg_name = ""
       let help = "use given automated theorem prover, among `alt-ergo', `cvc3', `simplify', `vampire', `yices' and `z3'. Use `goals' to simply generate goals in Why syntax."
     end)

module HintLevel =
  Zero
    (struct
       let option_name = "-jessie-hint-level"
       let arg_name = ""
       let help = "level of hints, i.e. assertions to help the proof (e.g. for string usage)"
     end)

(*
Local Variables:
compile-command: "make"
End:
*)
why-2.34/frama-c-plugin/common.mli0000644000175000017500000002074012311670312015415 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


exception Unsupported of string

val jessie_emitter: Emitter.emitter

val fatal          : ('a,Format.formatter,unit,'b) format4 -> 'a
val unsupported    : ('a,Format.formatter,unit,'b) format4 -> 'a
val warning        : ('a,Format.formatter,unit) format -> 'a
val warn_general   : ('a,Format.formatter,unit) format -> 'a

(** warning for currently ignored feature which is only displayed once *)
val warn_once      : string -> unit

(* Jessie specific names *)

val name_of_default_behavior : string
val name_of_valid_wstring : string
val name_of_valid_string : string
val name_of_strlen : string
val name_of_wcslen : string

val name_of_hint_assertion : string
val name_of_string_declspec : string

val name_of_padding_type : string
val name_of_integral_type : ?bitsize:int -> Cil_types.typ -> string

val name_of_assert : string
val name_of_free : string
val name_of_malloc : string

val filter_alphanumeric : string -> (char * char) list -> char -> string

val type_name:  Cil_types.typ -> string

val logic_type_name:  Cil_types.logic_type -> string

(* unique names generation *)

val unique_name : string -> string

val unique_logic_name : string -> string

val unique_name_if_empty : string -> string


(* ????? *)

val checking : bool

val check_types : Cil_types.file -> unit

val integral_type_size_in_bits : Cil_types.typ -> int

val max_value_of_integral_type :
  ?bitsize:int -> Cil_types.typ -> Integer.t

val min_value_of_integral_type :
  ?bitsize:int -> Cil_types.typ -> Integer.t

(* iter over existing integral types in alphabetical order. *)
val iter_integral_types: (string -> Cil_types.typ -> int -> unit) -> unit

(* fold over existing integral types in alphabetical order. *)
val fold_integral_types:
  (string -> Cil_types.typ -> int -> 'a -> 'a) -> 'a -> 'a

val term_of_var : Cil_types.varinfo -> Cil_types.term

val mkterm :
  Cil_types.term_node ->
  Cil_types.logic_type ->
  Lexing.position * Lexing.position -> Cil_types.term

val mkInfo : Cil_types.exp -> Cil_types.exp

val lift_offset : Cil_types.typ -> Cil_types.offset -> Cil_types.offset

val mkTRef : Cil_types.typ -> string -> Cil_types.typ

val mkTRefArray :
  Cil_types.typ * Cil_types.exp * Cil_types.attributes ->
  Cil_types.typ

val mkalloc_statement : Cil_types.varinfo ->
           Cil_types.typ -> Cil_types.location -> Cil_types.stmt

val mkalloc_array_statement :
  Cil_types.varinfo ->
  Cil_types.typ -> int64 -> Cil_types.location -> Cil_types.stmt

val mkfree_statement :
  Cil_types.varinfo ->
  Cil_types.location -> Cil_types.stmt

val mkfree: Cil_types.varinfo -> Cil_types.location -> Cil_types.instr

val mkStructEmpty : string -> Cil_types.compinfo

val mkStructSingleton :
  ?padding:int ->
  string -> string -> Cil_types.typ -> Cil_types.compinfo

val malloc_function : unit -> Cil_types.varinfo
val free_function : unit -> Cil_types.varinfo

val flatten_multi_dim_array :  bool ref

val reference_of_array : Cil_types.typ -> Cil_types.typ

val get_struct_info : Cil_types.typ -> Cil_types.compinfo

val get_struct_name : Cil_types.typ -> string

val force_app_term_type : (Cil_types.typ -> 'a) -> Cil_types.logic_type -> 'a

val app_term_type : (Cil_types.typ -> 'a) -> 'a -> Cil_types.logic_type -> 'a

val is_base_addr : Cil_types.term -> bool

val is_reference_type : Cil_types.typ -> bool

val is_array_reference_type : Cil_types.typ -> bool

val is_assert_function : Cil_types.varinfo -> bool
val is_free_function : Cil_types.varinfo -> bool
val is_malloc_function : Cil_types.varinfo -> bool
val is_realloc_function : Cil_types.varinfo -> bool
val is_calloc_function : Cil_types.varinfo -> bool

val reference_size : Cil_types.typ -> int64

val bits_sizeof : Cil_types.typ -> int64

val is_unknown_location : Lexing.position * 'a -> bool

val get_unique_field : Cil_types.typ -> Cil_types.fieldinfo

val is_last_offset : Cil_types.offset -> bool

val struct_type_for_void : Cil_types.typ ref

val filter_alphanumeric : string -> (char * char) list -> char -> string

(*
val attach_globinit : Cil_types.stmt -> unit
*)

val attach_global : Cil_types.global -> unit

val attach_globaction : (unit -> unit) -> unit

val do_on_term :
  (Cil_types.exp -> Cil_types.exp) option *
  (Cil_types.exp -> Cil_types.exp) option ->
  Cil_types.term -> Cil_types.term Cil.visitAction

val do_on_term_offset :
  (Cil_types.offset -> Cil_types.offset) option *
  (Cil_types.offset -> Cil_types.offset) option ->
  Cil_types.term_offset -> Cil_types.term_offset Cil.visitAction

val do_on_term_lval :
  (Cil_types.lval -> Cil_types.lval) option *
  (Cil_types.lval -> Cil_types.lval) option ->
  Cil_types.term_lval -> Cil_types.term_lval Cil.visitAction

val do_and_update_globals  : (Cil_types.file -> 'a) -> Cil_types.file -> unit

val visit_and_update_globals :
  Visitor.frama_c_visitor -> Cil_types.file -> unit

val signal_change : unit -> unit

val almost_integer_type : Cil_types.typ

val add_pending_statement :  beginning:bool -> Cil_types.stmt -> unit

val visit_until_convergence :
  Visitor.frama_c_visitor -> Cil_types.file -> unit

class proxy_frama_c_visitor:  Visitor.frama_c_visitor -> Visitor.frama_c_visitor

val visit_and_push_statements_visitor :
  Visitor.frama_c_visitor -> proxy_frama_c_visitor

val visit_and_push_statements :
  (proxy_frama_c_visitor -> 'a -> 'b) ->
  Visitor.frama_c_visitor -> 'a -> 'b


val print_to_stdout : Cil_types.file -> unit

val constant_expr : ?loc:Cil_datatype.Location.t -> Integer.t -> Cil_types.exp


open Cil_types

type opaque_term_env = {
  term_lhosts: term_lhost Cil_datatype.Varinfo.Map.t;
  terms: term Cil_datatype.Varinfo.Map.t;
  vars: logic_var Cil_datatype.Varinfo.Map.t;
}

type opaque_exp_env = { exps: exp Cil_datatype.Varinfo.Map.t }

val force_term_to_exp: term -> exp * opaque_term_env
val force_back_exp_to_term: opaque_term_env -> exp -> term
val force_exp_to_term: exp -> term
val force_lval_to_term_lval: lval -> term_lval
val force_term_offset_to_offset: term_offset -> offset * opaque_term_env
val force_back_offset_to_term_offset: opaque_term_env -> offset -> term_offset
val force_exp_to_predicate: exp -> predicate named
val force_exp_to_assertion: exp -> code_annotation
val force_term_lval_to_lval: term_lval -> lval * opaque_term_env
val force_back_lval_to_term_lval: opaque_term_env -> lval -> term_lval

val predicate: location -> predicate -> predicate named
why-2.34/frama-c-plugin/jessie_options.mli0000644000175000017500000000543412311670312017165 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

include Plugin.S

module ProjectName: Parameter_sig.String
module Behavior: Parameter_sig.String
module Analysis: Parameter_sig.Bool
module WhyOpt: Parameter_sig.String_set
module Why3Opt: Parameter_sig.String_set
module JcOpt: Parameter_sig.String_set
module GenOnly: Parameter_sig.Bool
module InferAnnot: Parameter_sig.String
module AbsDomain: Parameter_sig.String
module Atp: Parameter_sig.String
module CpuLimit: Parameter_sig.Int
module HintLevel: Parameter_sig.Int

(*
Local Variables:
compile-command: "LC_ALL=C make"
End:
*)
why-2.34/frama-c-plugin/share/0000755000175000017500000000000012311670312014521 5ustar  rtuserswhy-2.34/frama-c-plugin/share/jessie/0000755000175000017500000000000012311670312016003 5ustar  rtuserswhy-2.34/frama-c-plugin/share/jessie/unistd.h0000644000175000017500000000442712311670312017471 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: unistd.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _UNISTD_H_
#define _UNISTD_H_

extern char *FRAMA_C_STRING_OR_NULL optarg;
extern int optind, opterr, optopt;

/*@ assigns optarg, optind, opterr, optopt;
  @ ensures \result == -1 || valid_string(optarg);
  @*/
extern int getopt (int argc, char *FRAMA_C_STRING const argv[],           
		   const char *FRAMA_C_STRING_OR_NULL optstring);

/*@ assigns \nothing;
  @ ensures -1 <= \result <= 0;
  @*/
extern int chdir(const char *FRAMA_C_STRING path);

/*@ requires \valid(buf+(0..size-1));
  @ assigns buf[0..size-1];
  @ ensures \result == NULL || \result == buf;
  @*/
extern char *getcwd(char *buf, size_t size);

#endif /* _UNISTD_H_ */
why-2.34/frama-c-plugin/share/jessie/stdio.h0000644000175000017500000000533512311670312017304 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: stdio.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _STDIO_H_
#define _STDIO_H_

#ifndef EOF
# define EOF (-1)
#endif

typedef void* FILE;

extern FILE *stdin;
extern FILE *stdout;
extern FILE *stderr;

/*@ requires valid_string(path) && valid_string(mode);
  @ assigns \nothing;
  @ ensures \result == NULL || \valid(\result);
  @*/
extern FILE *fopen(const char *path, const char *mode);

/*@ requires \valid(stream);
  @ assigns \nothing;
  @*/
extern int getc(FILE *stream);

/*@ requires \valid(stream);
  @ assigns \nothing;
  @*/
extern int fgetc(FILE *stream);

/*@ requires \valid(s+(0..size-1)) && \valid(stream);
  @ assigns s[0..size-1];
  @ ensures \result == NULL 
  @      || (\result == s && valid_string(s) && strlen(s) <= size-1);
  @*/
extern char *fgets(char *s, int size, FILE *stream);

/*@ requires \valid(fp);
  @ assigns \nothing;
  @*/
extern int fclose(FILE *fp);

#define printf(...)

/*@ requires \valid(stream) && buf == NULL;
  @ assigns \nothing;
  @*/
extern void setbuf(FILE *stream, char *buf);

/*@ requires valid_string(s);
  @ assigns \nothing;
  @*/
extern void perror(const char *s);

#endif /* _STDIO_H_ */
why-2.34/frama-c-plugin/share/jessie/jessie_prolog.h0000644000175000017500000000533712311670312021030 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: jessie_prolog.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _JESSIE_PROLOG_H_
#define _JESSIE_PROLOG_H_

#ifdef JESSIE_NO_PROLOG
#else

#ifdef JESSIE_EXACT_INT_MODEL
# include "jessie_exact_prolog.h"
#else
# include "jessie_machine_prolog.h"
#endif

/*@ logic integer minimum(integer i, integer j) = i < j ? i : j;
  @ logic integer maximum(integer i, integer j) = i < j ? j : i;
  @*/

/*@ predicate valid_string{L}(char *s) =
  @   0 <= strlen(s) && \valid(s+(0..strlen(s)));
  @
  @ predicate valid_string_or_null{L}(char *s) =
  @   s == NULL || valid_string(s);
  @
  @ predicate valid_wstring{L}(wchar_t *s) =
  @   0 <= wcslen(s) && \valid(s+(0..wcslen(s)));
  @
  @ predicate valid_wstring_or_null{L}(wchar_t *s) =
  @   s == NULL || valid_wstring(s);
  @*/

#define FRAMA_C_PTR __declspec(valid)
#define FRAMA_C_ARRAY(n) __declspec(valid_range(0,n))
#define FRAMA_C_STRING __declspec(valid_string)
#define FRAMA_C_STRING_OR_NULL __declspec(valid_string_or_null)
#define FRAMA_C_WSTRING __declspec(valid_wstring)
#define FRAMA_C_WSTRING_OR_NULL __declspec(valid_wstring_or_null)

#endif /* JESSIE_NO_PROLOG */

#endif /* _JESSIE_PROLOG_H_ */
why-2.34/frama-c-plugin/share/jessie/jessie_machine_prolog.h0000644000175000017500000002073612311670312022514 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: jessie_machine_prolog.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _JESSIE_MACHINE_PROLOG_H_
#define _JESSIE_MACHINE_PROLOG_H_

#include "stddef.h"
#include "limits.h"

/*@ axiomatic MemCmp {
  @
  @ logic integer memcmp{L}(char *s1, char *s2, integer n)
  @   reads s1[0..n - 1], s2[0..n - 1];
  @
  @ axiom memcmp_range{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      INT_MIN <= memcmp(s1,s2,n) <= INT_MAX;
  @
  @ axiom memcmp_zero{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      memcmp(s1,s2,n) == 0
  @      <==> \forall integer i; 0 <= i < n ==> s1[i] == s2[i];
  @
  @ }
  @*/

/*@ axiomatic MemChr {
  @ logic boolean memchr{L}(char *s, integer c, integer n)
  @   reads s[0..n - 1];
  @ // Returns [true] iff array [s] contains character [c]
  @
  @ axiom memchr_def{L}:
  @   \forall char *s; \forall integer c; \forall integer n;
  @      memchr(s,c,n) <==> \exists int i; 0 <= i < n && s[i] == c;
  @ }
  @*/

/*@ axiomatic MemSet {
  @ logic boolean memset{L}(char *s, integer c, integer n)
  @    reads s[0..n - 1];
  @ // Returns [true] iff array [s] contains only character [c]
  @
  @ axiom memset_def{L}:
  @   \forall char *s; \forall integer c; \forall integer n;
  @      memset(s,c,n) <==> \forall integer i; 0 <= i < n ==> s[i] == c;
  @ }
  @*/

/*@ axiomatic StrLen {
  @ logic integer strlen{L}(char *s)
  @    reads s[0..];
  @
  @ axiom strlen_pos_or_null{L}:
  @   \forall char* s; \forall integer i;
  @      (0 <= i <= INT_MAX
  @       && (\forall integer j; 0 <= j < i ==> s[j] != '\0')
  @       && s[i] == 0) ==> strlen(s) == i;
  @
  @ axiom strlen_neg{L}:
  @   \forall char* s;
  @      (\forall integer i; 0 <= i <= INT_MAX ==> s[i] != '\0')
  @      ==> strlen(s) < 0;
  @
  @ axiom strlen_range{L}:
  @   \forall char* s; strlen(s) <= INT_MAX;
  @
  @ axiom strlen_before_null{L}:
  @   \forall char* s; \forall integer i; 0 <= i < strlen(s) ==> s[i] != '\0';
  @
  @ axiom strlen_at_null{L}:
  @   \forall char* s; 0 <= strlen(s) ==> s[strlen(s)] == '\0';
  @
  @ axiom strlen_not_zero{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= strlen(s) && s[i] != '\0' ==> i < strlen(s);
  @
  @ axiom strlen_zero{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= strlen(s) && s[i] == '\0' ==> i == strlen(s);
  @
  @ axiom strlen_sup{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i && s[i] == '\0' ==> 0 <= strlen(s) <= i;
  @
  @ axiom strlen_shift{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= strlen(s) ==> strlen(s + i) == strlen(s) - i;
  @
  @ axiom strlen_create{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= INT_MAX && s[i] == '\0' ==> 0 <= strlen(s) <= i;
  @
  @ axiom strlen_create_shift{L}:
  @   \forall char* s; \forall integer i; \forall integer k;
  @      0 <= k <= i <= INT_MAX && s[i] == '\0' ==> 0 <= strlen(s+k) <= i - k;
  @
  @ axiom memcmp_strlen_left{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      memcmp(s1,s2,n) == 0 && strlen(s1) < n ==> strlen(s1) == strlen(s2);
  @      
  @ axiom memcmp_strlen_right{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      memcmp(s1,s2,n) == 0 && strlen(s2) < n ==> strlen(s1) == strlen(s2);
  @      
  @ axiom memcmp_strlen_shift_left{L}:
  @   \forall char *s1, *s2; \forall integer k, n;
  @      memcmp(s1,s2 + k,n) == 0 && 0 <= k && strlen(s1) < n ==> 
  @        0 <= strlen(s2) <= k + strlen(s1);
  @      
  @ axiom memcmp_strlen_shift_right{L}:
  @   \forall char *s1, *s2; \forall integer k, n;
  @      memcmp(s1 + k,s2,n) == 0 && 0 <= k && strlen(s2) < n ==> 
  @        0 <= strlen(s1) <= k + strlen(s2);
  @
  @ }
  @*/

/*@ axiomatic StrCmp {
  @ logic integer strcmp{L}(char *s1, char *s2)
  @    reads s1[0..strlen(s1)], s2[0..strlen(s2)];
  @
  @ axiom strcmp_range{L}:
  @   \forall char *s1, *s2; INT_MIN <= strcmp(s1,s2) <= INT_MAX;
  @
  @ axiom strcmp_zero{L}:
  @   \forall char *s1, *s2;
  @      strcmp(s1,s2) == 0 <==>
  @        (strlen(s1) == strlen(s2)
  @         && \forall integer i; 0 <= i <= strlen(s1) ==> s1[i] == s2[i]);
  @ }
  @*/

/*@ axiomatic StrNCmp {
  @ logic integer strncmp{L}(char *s1, char *s2, integer n)
  @    reads s1[0..n-1], s2[0..n-1];
  @
  @ axiom strncmp_zero{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      strncmp(s1,s2,n) == 0 <==>
  @        (strlen(s1) < n && strcmp(s1,s2) == 0
  @         || \forall integer i; 0 <= i < n ==> s1[i] == s2[i]);
  @ }
  @*/

/*@ axiomatic StrChr {
  @ logic boolean strchr{L}(char *s, integer c)
  @    reads s[0..strlen(s)];
  @ // Returns [true] iff string [s] contains character [c]
  @
  @ axiom strchr_def{L}:
  @   \forall char *s; \forall integer c;
  @      strchr(s,c) <==> \exists integer i; 0 <= i <= strlen(s) && s[i] == c;
  @ }
  @*/

/*@ axiomatic WcsLen {
  @ logic integer wcslen{L}(wchar_t *s) reads s[0..];
  @
  @ axiom wcslen_pos_or_null{L}:
  @   \forall wchar_t* s; \forall integer i;
  @      (0 <= i
  @       && (\forall integer j; 0 <= j < i ==> s[j] != L'\0')
  @       && s[i] == L'\0') ==> wcslen(s) == i;
  @
  @ axiom wcslen_neg{L}:
  @   \forall wchar_t* s;
  @      (\forall integer i; 0 <= i ==> s[i] != L'\0')
  @      ==> wcslen(s) < 0;
  @
  @ axiom wcslen_before_null{L}:
  @   \forall wchar_t* s; \forall int i; 0 <= i < wcslen(s) ==> s[i] != L'\0';
  @
  @ axiom wcslen_at_null{L}:
  @   \forall wchar_t* s; 0 <= wcslen(s) ==> s[wcslen(s)] == L'\0';
  @
  @ axiom wcslen_not_zero{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i <= wcslen(s) && s[i] != L'\0' ==> i < wcslen(s);
  @
  @ axiom wcslen_zero{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i <= wcslen(s) && s[i] == L'\0' ==> i == wcslen(s);
  @
  @ axiom wcslen_sup{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i && s[i] == L'\0' ==> 0 <= wcslen(s) <= i;
  @
  @ axiom wcslen_shift{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i <= wcslen(s) ==> wcslen(s+i) == wcslen(s)-i;
  @
  @ axiom wcslen_create{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i && s[i] == L'\0' ==> 0 <= wcslen(s) <= i;
  @
  @ axiom wcslen_create_shift{L}:
  @   \forall wchar_t* s; \forall int i; \forall int k;
  @      0 <= k <= i && s[i] == L'\0' ==> 0 <= wcslen(s+k) <= i - k;
  @ }
  @*/

/*@ axiomatic WcsCmp {
  @ logic integer wcscmp{L}(wchar_t *s1, wchar_t *s2)
  @   reads s1[0..wcslen(s1)], s2[0..wcslen(s2)];
  @
  @ axiom wcscmp_zero{L}:
  @   \forall wchar_t *s1, *s2;
  @      wcscmp(s1,s2) == 0 <==>
  @        (wcslen(s1) == wcslen(s2)
  @         && \forall integer i; 0 <= i <= wcslen(s1) ==> s1[i] == s2[i]);
  @ }
  @*/

/*@ axiomatic WcsNCmp {
  @ logic integer wcsncmp{L}(wchar_t *s1, wchar_t *s2, integer n)
  @    reads s1[0..n-1], s2[0..n-1];
  @
  @ axiom wcsncmp_zero{L}:
  @   \forall wchar_t *s1, *s2; \forall integer n;
  @      wcsncmp(s1,s2,n) == 0 <==>
  @        (wcslen(s1) < n && wcscmp(s1,s2) == 0
  @         || \forall integer i; 0 <= i < n ==> s1[i] == s2[i]);
  @ }
  @*/

#endif /* _JESSIE_MACHINE_PROLOG_H_ */
why-2.34/frama-c-plugin/share/jessie/ctype.h0000644000175000017500000000443012311670312017301 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: ctype.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _CTYPE_H_
#define _CTYPE_H_

//@ assigns \nothing;
extern int isalnum(int c);

//@ assigns \nothing;
extern int isalpha(int c);
int isascii(int c);

//@ assigns \nothing;
extern int isblank(int c);
int iscntrl(int c);

//@ assigns \nothing;
extern int isdigit(int c);

//@ assigns \nothing;
extern int isgraph(int c);

//@ assigns \nothing;
extern int islower(int c);

//@ assigns \nothing;
extern int isprint(int c);

//@ assigns \nothing;
extern int ispunct(int c);

//@ assigns \nothing;
extern int isspace(int c);

//@ assigns \nothing;
extern int isupper(int c);

//@ assigns \nothing;
extern int isxdigit(int c);

#endif /* _CTYPE_H_ */
why-2.34/frama-c-plugin/share/jessie/strings.h0000644000175000017500000000414312311670312017647 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: strings.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _STRINGS_H_
#define _STRINGS_H_

/*@ requires valid_string(s1) && valid_string(s2);
  @ assigns \nothing;
  @ ensures \true;
  @*/
extern int strcasecmp(const char *s1, const char *s2);

/*@ requires \valid(((char*)dest)+(0..n - 1))
  @          && \valid(((char*)src)+(0..n - 1));
  @ assigns ((char*)dest)[0..n - 1];
  @ ensures memcmp((char*)dest,(char*)src,n) == 0;
  @*/
extern void bcopy(const void *src, void *dest, size_t n);

#endif /* _STRINGS_H_ */
why-2.34/frama-c-plugin/share/jessie/wchar.h0000644000175000017500000000721012311670312017260 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: wchar.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _WCHAR_H_
#define _WCHAR_H_

#include 

/*@ requires valid_wstring(s);
  @ assigns \nothing;
  @ ensures \result == wcslen(s);
  @*/
size_t wcslen(const wchar_t *s);

/*@ requires \valid(dest+(0..wcslen(src))) && valid_wstring(src);
  @ assigns dest[0..wcslen(src)];
  @ ensures valid_wstring(dest) && wcscmp(dest,src) == 0 && \result == dest;
  @*/
extern wchar_t *wcscpy(wchar_t *dest, const wchar_t *src);

/*@ requires \valid(dest+(0..n - 1)) && valid_wstring(src);
  @ assigns dest[0..n - 1];
  @ ensures \result == dest;
  @ behavior complete:
  @   assumes wcslen(src) < n;
  @   assigns dest[0..n - 1];
  @   ensures valid_wstring(dest) && wcscmp(dest,src) == 0;
  @ behavior partial:
  @   assumes n <= wcslen(src);
  @   assigns dest[0..n - 1];
  @   //ensures memcmp(dest,src,n) == 0;
  @*/
extern wchar_t *wcsncpy(wchar_t *dest, const wchar_t *src, size_t n);

/*@ requires valid_wstring(wcs) && valid_wstring(reject);
  @ assigns \nothing;
  @ ensures 0 <= \result <= wcslen(wcs);
  @*/
extern size_t wcscspn(wchar_t *wcs, const wchar_t *reject);

/*@ requires valid_wstring(wcs) && valid_wstring(accept);
  @ assigns \nothing;
  @ ensures 0 <= \result <= wcslen(wcs);
  @*/
extern size_t wcsspn(const wchar_t *wcs, const wchar_t *accept);

extern wchar_t *wcspbrk(const wchar_t *wcs, const wchar_t *accept);

extern wchar_t *wcsstr(const wchar_t *haystack, const wchar_t *needle);

extern wchar_t *wcstok(wchar_t *restrict s, 
		       const wchar_t *restrict delim,
		       wchar_t **restrict ptr);

// Allocate wide strings

/*@ requires valid_wstring(wcs);
  @ assigns \nothing;
  @ ensures \valid(\result+(0..wcslen(wcs))) && wcscmp(\result,wcs) == 0;
  @*/
extern wchar_t *wcsdup(const wchar_t *wcs);

/*@ requires valid_wstring(wcs);
  @ assigns \nothing;
  @ ensures \valid(\result+(0..minimum(wcslen(wcs),n))) 
  @         && valid_wstring(\result) && wcslen(\result) <= n
  @         && wcsncmp(\result,wcs,n) == 0;
  @*/
extern wchar_t *wcsndup(const wchar_t *wcs, size_t n);

#endif /* _WCHAR_H_ */
why-2.34/frama-c-plugin/share/jessie/jessie_exact_prolog.h0000644000175000017500000002017612311670312022212 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: jessie_exact_prolog.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _JESSIE_MACHINE_PROLOG_H_
#define _JESSIE_MACHINE_PROLOG_H_

#include "stddef.h"
#include "limits.h"

/*@ axiomatic MemCmp {
  @ logic integer memcmp{L}(char *s1, char *s2, integer n)
  @    reads s1[0..n - 1], s2[0..n - 1];
  @
  @ axiom memcmp_zero{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      memcmp(s1,s2,n) == 0
  @      <==> \forall integer i; 0 <= i < n ==> s1[i] == s2[i];
  @ 
  @ }
  @*/


/*@ axiomatic MemChr {
  @ logic boolean memchr{L}(char *s, integer c, integer n)
  @    reads s[0..n - 1];
  @ // Returns [true] iff array [s] contains character [c]
  @
  @ axiom memchr_def{L}:
  @   \forall char *s; \forall integer c; \forall integer n;
  @      memchr(s,c,n) <==> \exists int i; 0 <= i < n && s[i] == c;
  @ }
  @*/

/*@ axiomatic MemSet {
  @ logic boolean memset{L}(char *s, integer c, integer n)
  @    reads s[0..n - 1];
  @ // Returns [true] iff array [s] contains only character [c]
  @
  @ axiom memset_def{L}:
  @   \forall char *s; \forall integer c; \forall integer n;
  @      memset(s,c,n) <==> \forall integer i; 0 <= i < n ==> s[i] == c;
  @ }
  @*/

/*@ axiomatic StrLen {
  @ logic integer strlen{L}(char *s) reads s[0..];
  @
  @ axiom strlen_pos_or_null{L}:
  @   \forall char* s; \forall integer i;
  @      (0 <= i
  @       && (\forall integer j; 0 <= j < i ==> s[j] != '\0')
  @       && s[i] == '\0') ==> strlen(s) == i;
  @
  @ axiom strlen_neg{L}:
  @   \forall char* s;
  @      (\forall integer i; 0 <= i ==> s[i] != '\0')
  @      ==> strlen(s) < 0;
  @
  @ axiom strlen_before_null{L}:
  @   \forall char* s; \forall integer i; 0 <= i < strlen(s) ==> s[i] != '\0';
  @
  @ axiom strlen_at_null{L}:
  @   \forall char* s; 0 <= strlen(s) ==> s[strlen(s)] == '\0';
  @
  @ axiom strlen_not_zero{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= strlen(s) && s[i] != '\0' ==> i < strlen(s);
  @
  @ axiom strlen_zero{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= strlen(s) && s[i] == '\0' ==> i == strlen(s);
  @
  @ axiom strlen_sup{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i && s[i] == '\0' ==> 0 <= strlen(s) <= i;
  @
  @ axiom strlen_shift{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i <= strlen(s) ==> strlen(s + i) == strlen(s) - i;
  @
  @ axiom strlen_create{L}:
  @   \forall char* s; \forall integer i;
  @      0 <= i && s[i] == '\0' ==> 0 <= strlen(s) <= i;
  @
  @ axiom strlen_create_shift{L}:
  @   \forall char* s; \forall integer i; \forall integer k;
  @      0 <= k <= i && s[i] == '\0' ==> 0 <= strlen(s+k) <= i - k;
  @
  @ axiom memcmp_strlen_left{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      memcmp(s1,s2,n) == 0 && strlen(s1) < n ==> strlen(s1) == strlen(s2);
  @      
  @ axiom memcmp_strlen_right{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      memcmp(s1,s2,n) == 0 && strlen(s2) < n ==> strlen(s1) == strlen(s2);
  @      
  @ axiom memcmp_strlen_shift_left{L}:
  @   \forall char *s1, *s2; \forall integer k, n;
  @      memcmp(s1,s2 + k,n) == 0 && 0 <= k && strlen(s1) < n ==> 
  @        0 <= strlen(s2) <= k + strlen(s1);
  @      
  @ axiom memcmp_strlen_shift_right{L}:
  @   \forall char *s1, *s2; \forall integer k, n;
  @      memcmp(s1 + k,s2,n) == 0 && 0 <= k && strlen(s2) < n ==> 
  @        0 <= strlen(s1) <= k + strlen(s2);
  @ }
  @*/

/*@ axiomatic StrCmp {
  @ logic integer strcmp{L}(char *s1, char *s2)
  @   reads s1[0..strlen(s1)], s2[0..strlen(s2)];
  @
  @ axiom strcmp_zero{L}:
  @   \forall char *s1, *s2;
  @      strcmp(s1,s2) == 0 <==>
  @        (strlen(s1) == strlen(s2)
  @         && \forall integer i; 0 <= i <= strlen(s1) ==> s1[i] == s2[i]);
  @ }
  @*/

/*@ axiomatic StrNCmp {
  @ logic integer strncmp{L}(char *s1, char *s2, integer n)
  @   reads s1[0..n-1], s2[0..n-1];
  @
  @ axiom strncmp_zero{L}:
  @   \forall char *s1, *s2; \forall integer n;
  @      strncmp(s1,s2,n) == 0 <==>
  @        (strlen(s1) < n && strcmp(s1,s2) == 0
  @         || \forall integer i; 0 <= i < n ==> s1[i] == s2[i]);
  @ }
  @*/

/*@ axiomatic StrChr {
  @ logic boolean strchr{L}(char *s, integer c)
  @   reads s[0..strlen(s)];
  @ // Returns [true] iff string [s] contains character [c]
  @
  @ axiom strchr_def{L}:
  @   \forall char *s; \forall integer c;
  @      strchr(s,c) <==> \exists integer i; 0 <= i <= strlen(s) && s[i] == c;
  @ }
  @*/

/*@ axiomatic WcsLen {
  @ logic integer wcslen{L}(wchar_t *s)
  @   reads s[0..];
  @
  @ axiom wcslen_pos_or_null{L}:
  @   \forall wchar_t* s; \forall integer i;
  @      (0 <= i
  @       && (\forall integer j; 0 <= j < i ==> s[j] != L'\0')
  @       && s[i] == L'\0') ==> wcslen(s) == i;
  @
  @ axiom wcslen_neg{L}:
  @   \forall wchar_t* s;
  @      (\forall integer i; 0 <= i ==> s[i] != L'\0')
  @      ==> wcslen(s) < 0;
  @
  @ axiom wcslen_before_null{L}:
  @   \forall wchar_t* s; \forall int i; 0 <= i < wcslen(s) ==> s[i] != L'\0';
  @
  @ axiom wcslen_at_null{L}:
  @   \forall wchar_t* s; 0 <= wcslen(s) ==> s[wcslen(s)] == L'\0';
  @
  @ axiom wcslen_not_zero{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i <= wcslen(s) && s[i] != L'\0' ==> i < wcslen(s);
  @
  @ axiom wcslen_zero{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i <= wcslen(s) && s[i] == L'\0' ==> i == wcslen(s);
  @
  @ axiom wcslen_sup{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i && s[i] == L'\0' ==> 0 <= wcslen(s) <= i;
  @
  @ axiom wcslen_shift{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i <= wcslen(s) ==> wcslen(s+i) == wcslen(s)-i;
  @
  @ axiom wcslen_create{L}:
  @   \forall wchar_t* s; \forall int i;
  @      0 <= i && s[i] == L'\0' ==> 0 <= wcslen(s) <= i;
  @
  @ axiom wcslen_create_shift{L}:
  @   \forall wchar_t* s; \forall int i; \forall int k;
  @      0 <= k <= i && s[i] == L'\0' ==> 0 <= wcslen(s+k) <= i - k;
  @ }
  @*/

/*@ axiomatic WcsCmp {
  @ logic integer wcscmp{L}(wchar_t *s1, wchar_t *s2)
  @   reads s1[0..wcslen(s1)], s2[0..wcslen(s2)];
  @
  @ axiom wcscmp_zero{L}:
  @   \forall wchar_t *s1, *s2;
  @      wcscmp(s1,s2) == 0 <==>
  @        (wcslen(s1) == wcslen(s2)
  @         && \forall integer i; 0 <= i <= wcslen(s1) ==> s1[i] == s2[i]);
  @ }
  @*/

/*@ axiomatic WcsNCmp {
  @ logic integer wcsncmp{L}(wchar_t *s1, wchar_t *s2, integer n)
  @   reads s1[0..n-1], s2[0..n-1];
  @
  @ axiom wcsncmp_zero{L}:
  @   \forall wchar_t *s1, *s2; \forall integer n;
  @      wcsncmp(s1,s2,n) == 0 <==>
  @        (wcslen(s1) < n && wcscmp(s1,s2) == 0
  @         || \forall integer i; 0 <= i < n ==> s1[i] == s2[i]);
  @ }
  @*/

#endif /* _JESSIE_MACHINE_PROLOG_H_ */
why-2.34/frama-c-plugin/share/jessie/stdlib.h0000644000175000017500000000740712311670312017445 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: stdlib.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _STDLIB_H_
#define _STDLIB_H_

#include 
#include 
#include 

// Conversion functions

/*@ requires valid_string(nptr);
  @ assigns \nothing;
  @*/
extern double atof(const char *nptr);

/*@ requires valid_string(nptr);
  @ assigns \nothing;
  @*/
extern int atoi(const char *nptr);

/*@ requires valid_string(nptr);
  @ assigns \nothing;
  @*/
extern long int atol(const char *nptr);

/*@ requires valid_string(nptr);
  @ assigns \nothing;
  @*/
extern long long int atoll(const char *nptr);

// Random numbers

extern int rand(void);

extern void srand(unsigned int seed);

// Memory management

/*@ assigns \nothing;
  @ ensures \valid(((char*)\result)+(0..size - 1));
  @*/
extern void *malloc (size_t size);

/*@ assigns \nothing;
  @ ensures \valid(((char*)\result)+(0..size * nmemb - 1));
  @*/
extern void *calloc (size_t nmemb, size_t size);

/*@ requires \valid((char*)ptr) || ptr == NULL;
  @ assigns \nothing;
  @ ensures \valid(((char*)\result)+(0..size - 1));
  @*/
extern void *realloc (void *ptr, size_t size);

// [free] treated specially

// Program termination

/*@ assigns \nothing;
  @ ensures \false;
  @*/
extern void abort(void);

extern int atexit(void (*func)(void));

/*@ assigns \nothing;
  @ ensures \false;
  @*/
extern void exit(int status);

// Multi-byte conversion functions

/*@ requires valid_string(mbstr) && \valid(wcstr+(0..n - 1));
  @ assigns wcstr[0..n - 1];
  @ ensures valid_wstring(wcstr) && wcslen(wcstr) < n;
  @*/
extern size_t mbstowcs (wchar_t *wcstr, const char *mbstr, size_t n);

/*@ requires valid_wstring(wcstr) && \valid(mbstr+(0..n - 1));
  @ assigns mbstr[0..n - 1];
  @ ensures valid_string(mbstr) && strlen(mbstr) < n;
  @*/
extern size_t wcstombs (char *mbstr, const wchar_t *wcstr, size_t n);

/*@ //requires \valid(s+(0..sizeof(wchar_t)-1)) || s == NULL;
  @ // Commented out due to bug that keeps sizeof
  @ requires \valid(s) || s == NULL;
  @ assigns s[..];
  @ behavior zero:
  @   assumes s == NULL;
  @   assigns \nothing;
  @ behavior non_null:
  @   assumes s != NULL;
  @   assigns s[..];
  @*/
extern int wctomb(char *s, wchar_t wc);

#endif /* _STDLIB_H_ */
why-2.34/frama-c-plugin/share/jessie/assert.h0000644000175000017500000000334212311670312017457 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: assert.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _ASSERT_H_
#define _ASSERT_H_

void assert(int i);

#endif /* _ASSERT_H_ */
why-2.34/frama-c-plugin/share/jessie/string.h0000644000175000017500000002021412311670312017461 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: string.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _STRING_H_
#define _STRING_H_

#include 
#include 
#include 

// Query memory

/*@ requires \valid(((char*)s1)+(0..n - 1)) 
  @          && \valid(((char*)s2)+(0..n - 1));
  @ assigns \nothing;
  @ ensures \result == memcmp((char*)s1,(char*)s2,n);
  @*/
extern int memcmp (const void *s1, const void *s2, size_t n);

/*@ requires \valid(((char*)s)+(0..n - 1));
  @ assigns \nothing;
  @ ensures \result == s;
  @ ensures \base_addr((char*)\result) == \base_addr((char*)s);
  @ behavior found:
  @   assumes memchr((char*)s,c,n);
  @   ensures *(char*)\result == c;
  @ behavior not_found:
  @   assumes ! memchr((char*)s,c,n);
  @   ensures \result == NULL;
  @*/
extern void *memchr(const void *s, int c, size_t n);

// Copy memory

/*@ requires \valid(((char*)dest)+(0..n - 1))
  @          && \valid(((char*)src)+(0..n - 1));
  @ assigns ((char*)dest)[0..n - 1];
  @ ensures memcmp((char*)dest,(char*)src,n) == 0 && \result == dest;
  @ ensures \base_addr((char*)\result) == \base_addr((char*)dest);
  @*/
extern void *memcpy(void *restrict dest,
		    const void *restrict src, size_t n);

/*@ requires \valid(((char*)dest)+(0..n - 1)) 
  @          && \valid(((char*)src)+(0..n - 1));
  @ assigns ((char*)dest)[0..n - 1];
  @ ensures memcmp((char*)dest,(char*)src,n) == 0 && \result == dest;
  @ ensures \base_addr((char*)\result) == \base_addr((char*)dest);
  @*/
extern void *memmove(void *dest, const void *src, size_t n);

// Set memory

/*@ requires \valid(((char*)s)+(0..n - 1));
  @ assigns ((char*)s)[0..n - 1];
  @ ensures memset((char*)s,c,n) && \result == s;
  @ ensures \base_addr((char*)\result) == \base_addr((char*)s);
  @*/
extern void *memset(void *s, int c, size_t n);

// Query strings

/*@ requires valid_string(s);
  @ assigns \nothing;
  @ ensures \result == strlen(s);
  @*/
extern size_t strlen (const char *s);

/*@ requires valid_string(s1) && valid_string(s2);
  @ assigns \nothing;
  @ ensures \result == strcmp(s1,s2);
  @*/
extern int strcmp (const char *s1, const char *s2);

/*@ requires valid_string(s1) && valid_string(s2);
  @ assigns \nothing;
  @ ensures \result == strncmp(s1,s2,n);
  @*/
extern int strncmp (const char *s1, const char *s2, size_t n);

/*@ requires valid_string(s1) && valid_string(s2);
  @ assigns \nothing;
  @*/
extern int strcoll (const char *s1, const char *s2);

/*@ requires valid_string(s);
  @ assigns \nothing;
  @ behavior found:
  @   assumes strchr(s,c);
  @   ensures *\result == c && \base_addr(\result) == \base_addr(s);
  @   ensures valid_string(\result);
  @ behavior not_found:
  @   assumes ! strchr(s,c);
  @   ensures \result == NULL;
  @*/
extern char *strchr(const char *s, int c);

/*@ requires valid_string(s);
  @ assigns \nothing;
  @ behavior found:
  @   assumes strchr(s,c);
  @   ensures *\result == c && \base_addr(\result) == \base_addr(s);
  @   ensures valid_string(\result);
  @ behavior not_found:
  @   assumes ! strchr(s,c);
  @   ensures \result == NULL;
  @*/
extern char *strrchr(const char *s, int c);

/*@ requires valid_string(s) && valid_string(reject);
  @ assigns \nothing;
  @ ensures 0 <= \result <= strlen(s);
  @*/
extern size_t strcspn(const char *s, const char *reject);

/*@ requires valid_string(s) && valid_string(accept);
  @ assigns \nothing;
  @ ensures 0 <= \result <= strlen(s);
  @*/
extern size_t strspn(const char *s, const char *accept);

/*@ requires valid_string(s) && valid_string(accept);
  @ assigns \nothing;
  @ ensures \result == 0 || \base_addr(\result) == \base_addr(s);
  @*/
extern char *strpbrk(const char *s, const char *accept);

/*@ requires valid_string(haystack) && valid_string(needle);
  @ assigns \nothing;
  @ ensures \result == 0 
  @      || (\base_addr(\result) == \base_addr(haystack)
  @          && memcmp(\result,needle,strlen(needle)) == 0);
  @*/
extern char *strstr(const char *haystack, const char *needle);

/*@ requires (valid_string(s) || s == NULL) && valid_string(delim);
  @ assigns \nothing;
  @*/
extern char *strtok(char *restrict s, const char *restrict delim);

/*@ assigns \nothing;
  @ ensures valid_string(\result);
  @*/
extern char *strerror(int errnum); 

// Copy strings

/*@ requires \valid(dest+(0..strlen(src))) && valid_string(src);
  @ assigns dest[0..strlen(src)];
  @ ensures strcmp(dest,src) == 0 && \result == dest;
  @ ensures \base_addr(\result) == \base_addr(dest);
  @*/
extern char *strcpy(char *restrict dest, const char *restrict src);

/*@ requires \valid(dest+(0..n - 1)) && valid_string(src);
  @ assigns dest[0..n - 1];
  @ ensures \result == dest;
  @ behavior complete:
  @   assumes strlen(src) < n;
  @   assigns dest[0..n - 1];
  @   ensures strcmp(dest,src) == 0;
  @   ensures \base_addr(\result) == \base_addr(dest);
  @ behavior partial:
  @   assumes n <= strlen(src);
  @   assigns dest[0..n - 1];
  @   ensures memcmp(dest,src,n) == 0;
  @*/
extern char *strncpy(char *restrict dest,
		     const char *restrict src, size_t n);

/*@ requires \valid(dest+(0..strlen(dest) + strlen(src))) 
  @          && valid_string(dest) && valid_string(src);
  @ assigns dest[0..strlen(dest) + strlen(src)];
  @ ensures strlen(dest) == \old(strlen(dest) + strlen(src))
  @         && \result == dest;
  @ ensures \base_addr(\result) == \base_addr(dest);
  @*/
extern char *strcat(char *restrict dest, const char *restrict src);

/*@ requires \valid(dest+(0..n - 1))
  @          && valid_string(dest) && valid_string(src);
  @ assigns dest[0..strlen(dest) + n - 1];
  @ ensures \result == dest;
  @ ensures \base_addr(\result) == \base_addr(dest);
  @ behavior complete:
  @   assumes strlen(src) <= n;
  @   assigns dest[0..strlen(dest) + strlen(src)];
  @   ensures strlen(dest) == \old(strlen(dest) + strlen(src));
  @ behavior partial:
  @   assumes n < strlen(src);
  @   assigns dest[0..strlen(dest) + n];
  @   ensures strlen(dest) == \old(strlen(dest)) + n;
  @*/
extern char *strncat(char *restrict dest, const char *restrict src, size_t n);

/*@ requires \valid(dest+(0..n - 1)) && valid_string(src);
  @ assigns dest[0..n - 1];
  @*/
extern size_t strxfrm (char *restrict dest,
		       const char *restrict src, size_t n);

// Allocate strings

/*@ requires valid_string(s);
  @ assigns \nothing;
  @ ensures \valid(\result+(0..strlen(s))) && strcmp(\result,s) == 0;
  @*/
extern char *strdup (const char *s);

/*@ requires valid_string(s);
  @ assigns \nothing;
  @ ensures \valid(\result+(0..minimum(strlen(s),n))) 
  @         && valid_string(\result) && strlen(\result) <= n
  @         && strncmp(\result,s,n) == 0;
  @*/
extern char *strndup (const char *s, size_t n);

#endif /* _STRING_H_ */
why-2.34/frama-c-plugin/share/jessie/stddef.h0000644000175000017500000000361412311670312017431 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  This file is part of Frama-C.                                         */
/*                                                                        */
/*  Copyright (C) 2007-2009                                               */
/*    INRIA (Institut National de Recherche en Informatique et en         */
/*           Automatique)                                                 */
/*                                                                        */
/*  you can redistribute it and/or modify it under the terms of the GNU   */
/*  Lesser General Public License as published by the Free Software       */
/*  Foundation, version 2.1.                                              */
/*                                                                        */
/*  It is distributed in the hope that it will be useful,                 */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         */
/*  GNU Lesser General Public License for more details.                   */
/*                                                                        */
/*  See the GNU Lesser General Public License version 2.1                 */
/*  for more details (enclosed in the file licenses/LGPLv2.1).            */
/*                                                                        */
/**************************************************************************/

/* $Id: stddef.h,v 1.1 2009-09-08 11:11:43 monate Exp $ */

#ifndef _STDDEF_H_
#define _STDDEF_H_

#ifndef NULL
# define NULL ((void*)0)
#endif

#ifndef _WCHAR_T
# define _WCHAR_T
typedef unsigned short wchar_t;
#endif

#ifndef _SIZE_T
# define _SIZE_T
typedef unsigned int size_t;
#endif

#endif /* _STDDEF_H_ */
why-2.34/frama-c-plugin/configure0000755000175000017500000000044512311670312015331 0ustar  rtusers#!/bin/sh
# Wrapper for the configure of why distribution, to be used when plugin
# configuration is driven by Frama-C's kernel
if test "$WHY_DISTRIB" = ""; then WHY_DISTRIB=..; fi
if test ! -e $WHY_DISTRIB/configure; then (cd $WHY_DISTRIB && autoconf); fi
(cd $WHY_DISTRIB && ./configure $*)
why-2.34/frama-c-plugin/register.ml0000644000175000017500000002734612311670312015611 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Import from Cil *)
open Cil_types
open Cil
module FCAst = Ast
module FCProject = Project
(* Import from Why *)
open Jc

(* Utility functions *)
open Common

(*
let std_include = Filename.concat Version.datadir "jessie"

let prolog_h_name = Filename.concat std_include "jessie_prolog.h"

let treat_jessie_prolog () =
  Kernel.CppExtraArgs.add ("-include " ^ prolog_h_name)

let treat_jessie_std_headers () =
  Kernel.CppExtraArgs.add ("-I " ^ std_include)
*)

let treat_integer_model () =
  if !Interp.int_model = Interp.IMexact then
    Kernel.CppExtraArgs.add ("-D JESSIE_EXACT_INT_MODEL")

let () =
  (* [JS 2009/10/04]
     Preserve the behaviour of svn release <= r5012.
     However it works only if the int-model is set from the command line. *)
  Cmdline.run_after_configuring_stage treat_integer_model

(*
let treat_jessie_no_prolog () =
  Kernel.CppExtraArgs.add ("-D JESSIE_NO_PROLOG")
*)

let steal_globals () =
  let vis = object
    inherit Visitor.frama_c_inplace
    method! vglob_aux g =
      match g with
        | GAnnot (a,_) ->
            Annotations.remove_global (Annotations.emitter_of_global a) a;
            Annotations.unsafe_add_global Common.jessie_emitter a;
            (* SkipChildren is not good, as Annotations.remove_global has
               removed it from AST: we have to re-insert it...
            *)
            ChangeTo [g]
        | _ -> SkipChildren
  end 
  in
  Visitor.visitFramacFile vis (FCAst.get())

let steal_annots () =
  let emitter=Common.jessie_emitter in
  let l = 
    Annotations.fold_all_code_annot 
      (fun stmt e ca acc ->
        Annotations.remove_code_annot e stmt ca;
        (stmt,ca)::acc)
      []
  in
  List.iter (fun (stmt,ca) -> Annotations.add_code_annot emitter stmt ca) l;
  steal_globals ();
  Globals.Functions.iter (Annotations.register_funspec ~emitter ~force:true)

let apply_if_dir_exist name f =
  try
    let d = Unix.opendir name in
    Unix.closedir d;
    f name
  with Unix.Unix_error (Unix.ENOENT, "opendir",_) -> ()

let run () =
  if Jessie_config.jessie_local then begin
    let whylib = String.escaped (Filename.concat Config.datadir "why") in
    (try ignore (Unix.getenv "WHYLIB")
       (* don't mess needlessly with user settings *)
     with Not_found ->
       apply_if_dir_exist whylib (Unix.putenv "WHYLIB"));
  end;
  Jessie_options.feedback "Starting Jessie translation";
  (* Work in our own project, initialized by a copy of the main one. *)
  let prj =
    File.create_project_from_visitor "jessie" 
      (fun prj -> new Visitor.frama_c_copy prj)
  in
  Jessie_options.debug "Project created";
  FCProject.copy ~selection:(Parameter_state.get_selection ()) prj;
  FCProject.set_current prj;
  let file = FCAst.get () in
  try
    if file.globals = [] then
      Jessie_options.abort "Nothing to process. There was probably an error before.";
    (* Phase 1: various preprocessing steps before C to Jessie translation *)

    (* Enforce the prototype of malloc to exist before visiting anything.
     * It might be useful for allocation pointers from arrays
     *)
    ignore (Common.malloc_function ());
    ignore (Common.free_function ());
    Jessie_options.debug  "After malloc and free";
    if checking then check_types file;
    steal_annots ();
    Jessie_options.debug "After steal_annots";
    if checking then check_types file;
    (* Rewrite ranges in logic annotations by comprehesion *)
    Jessie_options.debug "from range to comprehension";
    Rewrite.from_range_to_comprehension
      (Cil.inplace_visit ()) file;
    if checking then check_types file;

    (* Phase 2: C-level rewriting to facilitate analysis *)

    Rewrite.rewrite file;
    if checking then check_types file;

    if Jessie_options.debug_atleast 1 then print_to_stdout file;

    (* Phase 3: Caduceus-like normalization that rewrites C-level AST into
     * Jessie-like AST, still in Cil (in order to use Cil visitors)
     *)

    Norm.normalize file;
    Retype.retype file;
    if checking then check_types file;

    (* Phase 4: various postprocessing steps, still on Cil AST *)

    (* Rewrite ranges back in logic annotations *)
    Rewrite.from_comprehension_to_range (Cil.inplace_visit ()) file;

    if Jessie_options.debug_atleast 1 then print_to_stdout file;

    (* Phase 5: C to Jessie translation, should be quite straighforward at this
     * stage (after normalization)
     *)
    Jessie_options.debug "Jessie pragmas";
    let pragmas = Interp.pragmas file in
    Jessie_options.debug "Jessie translation";
    let pfile = Interp.file file in
    Jessie_options.debug "Printing Jessie program";

    (* Phase 6: pretty-printing of Jessie program *)

    let sys_command cmd =
      if Sys.command cmd <> 0 then
	(Jessie_options.error "Jessie subprocess failed: %s" cmd; raise Exit)
    in

    let projname = Jessie_options.ProjectName.get () in
    let projname =
      if projname <> "" then projname else
	match Kernel.Files.get() with
	  | [f] ->
	      (try
		 Filename.chop_extension f
	       with Invalid_argument _ -> f)
	  | _ ->
	      "wholeprogram"
    in
    (* if called on 'path/file.c', projname is 'path/file' *)
    (* jessie_subdir is 'path/file.jessie' *)
    let jessie_subdir = projname ^ ".jessie" in
    Lib.mkdir_p jessie_subdir;
    Jessie_options.feedback "Producing Jessie files in subdir %s" jessie_subdir;

    (* basename is 'file' *)
    let basename = Filename.basename projname in

    (* filename is 'file.jc' *)
    let filename = basename ^ ".jc" in
    let () = Pp.print_in_file
      (fun fmt ->
	 Jc_output.print_decls fmt pragmas;
	 Format.fprintf fmt "%a" Jc_poutput.pdecls pfile)
      (Filename.concat jessie_subdir filename)
    in
    Jessie_options.feedback "File %s/%s written." jessie_subdir filename;

    (* Phase 7: produce source-to-source correspondance file *)

    (* locname is 'file.cloc' *)
    let locname = basename ^ ".cloc" in
    Pp.print_in_file Output.old_print_pos (Filename.concat jessie_subdir locname);
    Jessie_options.feedback "File %s/%s written." jessie_subdir locname;

    if Jessie_options.GenOnly.get () then () else

      (* Phase 8: call Jessie to Why translation *)

      let why_opt =
	let res = ref "" in
	Jessie_options.WhyOpt.iter
	  (fun s ->
	     res := Format.sprintf "%s%s-why-opt %S"
	       !res
	       (if !res = "" then "" else " ")
	       s);
	!res
      in
      let why3_opt =
	let res = ref "" in
	Jessie_options.Why3Opt.iter
	  (fun s ->
	     res := Format.sprintf "%s%s-why3-opt %S"
	       !res
	       (if !res = "" then "" else " ")
	       s);
	!res
      in
      let jc_opt = Jessie_options.JcOpt.get_set ~sep:" " () in
      let debug_opt = if Jessie_options.debug_atleast 1 then " -d " else " " in
      let behav_opt =
	if Jessie_options.Behavior.get () <> "" then
	  "-behavior " ^ Jessie_options.Behavior.get ()
	else ""
      in
      let verbose_opt =
	if Jessie_options.verbose_atleast 1 then " -v " else " "
      in
      let env_opt =
	if Jessie_options.debug_atleast 1 then
	  "OCAMLRUNPARAM=bt"
	else ""
      in
      let jessie_cmd =
	try Sys.getenv "JESSIEEXEC"
	with Not_found ->
          (* NdV: the test below might not be that useful, since ocaml
             has stack trace in native code since 3.10, even though -g
             is usually missing from native flags.  *)
          if Jessie_options.debug_atleast 1 then " jessie.byte "
          else " jessie "
      in
      let timeout =
	if Jessie_options.CpuLimit.get () <> 0 then
          if Jessie_options.Atp.get () = "gui" then
	    begin
              Jessie_options.error "Jessie: option -jessie-cpu-limit requires to set also -jessie-atp";
              raise Exit
            end
          else
	    ("TIMEOUT=" ^ (string_of_int (Jessie_options.CpuLimit.get ()))
             ^ " ")
	else ""
      in
      let rec make_command = function
	| [] -> ""
	| [ a ] -> a
	| a::cmd -> a ^ " " ^ make_command cmd
      in
      Jessie_options.feedback "Calling Jessie tool in subdir %s" jessie_subdir;
      Sys.chdir jessie_subdir;


      let atp = Jessie_options.Atp.get () in
      let jessie_opt =
	match atp with
	  | "why3" -> ""
          | "why3ml" | "why3ide" | "why3replay" -> "-why3ml"
	  | _ -> "-why-opt -split-user-conj"
      in
      let cmd =
	make_command
	  [ env_opt; jessie_cmd; jessie_opt ;
	    verbose_opt; why_opt; why3_opt; jc_opt; debug_opt; behav_opt;
	    "-locs"; locname; filename ]
      in
      (*      Format.eprintf "CMD=%S" cmd; *)
      sys_command cmd;

      (* Phase 9: call Why to VP translation *)

      let makefile = basename ^ ".makefile" in

      (* temporarily, we launch proving tools of the Why platform,
	 either graphic or script-based
      *)

      Jessie_options.feedback "Calling VCs generator.";
      sys_command (timeout ^ "make -f " ^ makefile ^ " " ^ atp);
      flush_all ()

  with Exit -> ()

(* ************************************************************************* *)
(* Plug Jessie to the Frama-C platform *)
(* ************************************************************************* *)

let run_and_catch_error () =
  try run ()
  with
    | Unsupported _ ->
	Jessie_options.error "Unsupported feature(s).@\n\
           Jessie plugin can not be used on your code."
    | Log.FeatureRequest (_,s) ->
	Jessie_options.error "Unimplemented feature: %s." s

let run_and_catch_error =
  Dynamic.register
    "run_analysis"
    (Datatype.func Datatype.unit Datatype.unit)
    ~plugin:"Jessie"
    ~journalize:true
    run_and_catch_error

let main () = if Jessie_options.Analysis.get () then run_and_catch_error ()
let () = Db.Main.extend main

(*
Local Variables:
compile-command: "LC_ALL=C make"
End:
*)
why-2.34/frama-c-plugin/jessie_config.ml0000644000175000017500000000444012311670312016562 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

let jessie_local = false
why-2.34/frama-c-plugin/retype.ml0000644000175000017500000003115312311670312015264 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Import from Cil *)
open Cil_types
open Cil
open Cil_datatype
open Ast_info

open Visitor

(* Utility functions *)
open Common


(*****************************************************************************)
(* Retype int field used as pointer.                                         *)
(*****************************************************************************)

class collectIntField
  (cast_field_to_type : typ Cil_datatype.Fieldinfo.Hashtbl.t) =
object

  inherit Visitor.frama_c_inplace

  method! vexpr e = match e.enode with
    | CastE(ty,e) ->
	if isPointerType ty then
	  match (stripCastsAndInfo e).enode with
	    | Lval(_host,off) ->
		begin match lastOffset off with
		  | Field(fi,_) ->
		      if isIntegralType fi.ftype
			&& bits_sizeof ty = bits_sizeof fi.ftype then
			  Cil_datatype.Fieldinfo.Hashtbl.replace
			    cast_field_to_type fi fi.ftype
		      else ()
		  | _ -> ()
		end
	    | _ -> ()
	else ();
	DoChildren
    | _ -> DoChildren

end

class retypeIntField
  (cast_field_to_type : typ Cil_datatype.Fieldinfo.Hashtbl.t) =

  let postaction_expr e = match e.enode with
    | Lval(_host,off) ->
	begin match lastOffset off with
	  | Field(fi,_) ->
	      begin try
		new_exp ~loc:e.eloc
                  (CastE(Cil_datatype.Fieldinfo.Hashtbl.find cast_field_to_type fi,e))
	      with Not_found -> e end
	  | _ -> e
	end
    | _ -> e
  in
object

  inherit Visitor.frama_c_inplace

  method! vglob_aux = function
    | GCompTag (compinfo,_) ->
	let fields = compinfo.cfields in
	let field fi =
	  if Cil_datatype.Fieldinfo.Hashtbl.mem cast_field_to_type fi then
	    fi.ftype <- TPtr(!Common.struct_type_for_void,[])
	in
	List.iter field fields;
	DoChildren
    | _ -> DoChildren

  method! vterm =
    do_on_term (None,Some postaction_expr)

end

let retype_int_field file =
  let cast_field_to_type = Cil_datatype.Fieldinfo.Hashtbl.create 17 in
  let visitor = new collectIntField cast_field_to_type in
  visitFramacFile visitor file;
  let visitor = new retypeIntField cast_field_to_type in
  visitFramacFile visitor file


(*****************************************************************************)
(* Organize structure types in hierarchy.                                    *)
(*****************************************************************************)

(* By default, elements should become representant only if they are
 * "preferred" according to function [prefer]. Otherwise, decided by ranking.
 *)
module UnionFind
  (Elem :
    sig type t
	val equal : t -> t -> bool
	val prefer : t -> t -> int
    end)
  (ElemSet : Datatype.Set with type elt = Elem.t)
  (ElemTable : Datatype.Hashtbl with type key = Elem.t) =
struct

  let table = ElemTable.create 73
  let ranks = ElemTable.create 73

  let rec repr e =
    try
      let r = repr(ElemTable.find table e) in
      ElemTable.replace table e r;
      r
    with Not_found -> e

  let rank e =
    try ElemTable.find ranks e with Not_found -> 0

  let unify e1 e2 =
    let r1 = repr e1 and r2 = repr e2 in
    if Elem.equal r1 r2 then ()
    else
      (* Start with preference as defined by function [prefer]. *)
      let pref = Elem.prefer r1 r2 in
      let k1 = rank r1 and k2 = rank r2 in
      if pref < 0 then
	begin
	  ElemTable.replace table r2 r1;
	  if k1 <= k2 then ElemTable.replace ranks r1 (k2 + 1)
	end
      else if pref > 0 then
	begin
	  ElemTable.replace table r1 r2;
	  if k2 <= k1 then ElemTable.replace ranks r2 (k1 + 1)
	end
      else
	(* If no definite preference, resolve to classical ranking. *)
	if k1 < k2 then
	  ElemTable.replace table r1 r2
	else if k2 < k1 then
	  ElemTable.replace table r2 r1
	else
	  begin
	    ElemTable.replace table r1 r2;
	    ElemTable.replace ranks r2 (k2 + 1)
	  end

  (* Does not return singleton classes *)
  let classes () =
    let repr2class = ElemTable.create 17 in
    ElemTable.iter (fun e _ ->
		      let r = repr e in
		      try
			let c = ElemTable.find repr2class r in
			let c = ElemSet.add e c in
			ElemTable.replace repr2class r c
		      with Not_found ->
			ElemTable.add repr2class r (ElemSet.singleton e)
		   ) table;
    ElemTable.fold (fun r c ls -> ElemSet.add r c :: ls) repr2class []

  let one_class e =
    let r = repr e in
    ElemTable.fold (fun e _ ls ->
		      if Elem.equal r (repr e) then e::ls else ls
		   ) table []

  let same_class e1 e2 =
    Elem.equal (repr e1) (repr e2)

end

module FieldElem = struct include Cil_datatype.Fieldinfo let prefer _ _ = 1 end
module FieldUnion = UnionFind(FieldElem)(Cil_datatype.Fieldinfo.Set)(Cil_datatype.Fieldinfo.Hashtbl)

let add_field_representant fi1 fi2 =
  FieldUnion.unify fi1 fi2

module TypeElem = struct include Typ let prefer _ _ = 0 end
module TypeUnion = UnionFind(TypeElem)(Typ.Set)(Typ.Hashtbl)

let type_to_parent_type = Typ.Hashtbl.create 17

let add_inheritance_relation ty parentty =
  if Typ.equal ty parentty then () else
    begin
      Typ.Hashtbl.add type_to_parent_type ty parentty;
      TypeUnion.unify ty parentty
    end

let rec subtype ty parentty =
  Typ.equal ty parentty ||
    try
      subtype (Typ.Hashtbl.find type_to_parent_type ty) parentty
    with Not_found ->
      false

(* module Node = struct *)

(*   type t = NodeVar of varinfo | NodeField of fieldinfo | NodeType of typ *)

(*   let equal n1 n2 = match n1,n2 with *)
(*     | NodeVar v1,NodeVar v2 -> Cil_datatype.Varinfo.equal v1 v2 *)
(*     | NodeField f1,NodeField f2 -> Cil_datatype.Fieldinfo.equal f1 f2 *)
(*     | NodeType ty1,NodeType ty2 -> TypeComparable.equal ty1 ty2 *)

(*   let compare n1 n2 = match n1,n2 with *)
(*     | NodeVar v1,NodeVar v2 -> Cil_datatype.Varinfo.compare v1 v2 *)
(*     | NodeVar _,_ -> -1 *)
(*     | _,NodeVar _ -> 1 *)
(*     | NodeField f1,NodeField f2 -> Cil_datatype.Fieldinfo.compare f1 f2 *)
(*     | NodeField _,_ -> -1 *)
(*     | _,NodeField _ -> 1 *)
(*     | NodeType ty1,NodeType ty2 -> TypeComparable.compare ty1 ty2 *)

(*   let hash = function *)
(*     | NodeVar v -> 17 * Cil_datatype.Varinfo.hash v *)
(*     | NodeField f -> 43 * Cil_datatype.Fieldinfo.hash f *)
(*     | NodeType ty -> 73 * TypeComparable.hash ty *)
(* end *)

(* module NodeHashtbl = Hashtbl.Make(Node) *)
(* module NodeSet = Set.Make(Node) *)
(* module NodeUnion = UnionFind(Node)(NodeHashtbl)(NodeSet) *)

let sub_list l n =
  let rec aux acc n l =
    if n = 0 then acc else
      match l with [] -> assert false | x::r -> aux (x::acc) (n-1) r
  in
  List.rev (aux [] n l)

class createStructHierarchy =
  let unify_type_hierarchies ty1 ty2 =
    (* Extract info from types *)
    let compinfo1 = match unrollType (pointed_type ty1) with
      | TComp(compinfo,_,_) -> compinfo
      | _ -> assert false
    in
    let sty1 = TComp(compinfo1,empty_size_cache () ,[]) in
    let fields1 = compinfo1.cfields in
    let compinfo2 = match unrollType (pointed_type ty2) with
      | TComp(compinfo,_,_) -> compinfo
      | _ -> assert false
    in
    let fields2 = compinfo2.cfields in
    let sty2 = TComp(compinfo2, empty_size_cache () ,[]) in
    (* Compare types *)
    let minlen = min (List.length fields1) (List.length fields2) in
    let prefix,complete = List.fold_left2
      (fun (acc,compl) f1 f2 ->
	 if compl && Typ.equal f1.ftype f2.ftype then
	   f1::acc,compl
	 else acc,false
      )
      ([],true)
      (sub_list fields1 minlen) (sub_list fields2 minlen)
    in
    let prefix = List.rev prefix in
    if complete then
      if List.length prefix = List.length fields1 then
	(* [ty2] subtype of [ty1] *)
	add_inheritance_relation sty2 sty1
      else
	(* [ty1] subtype of [ty2] *)
	add_inheritance_relation sty1 sty2
    else
      begin
	(* Neither one is subtype of the other *)
(* 	add_inheritance_relation sty1 !Common.struct_type_for_void; *)
(* 	add_inheritance_relation sty2 !Common.struct_type_for_void *)
      end
  in
object

  inherit Visitor.frama_c_inplace

  method! vexpr e = match e.enode with
    | CastE(ty,e) when isPointerType ty ->
	let enocast = stripCastsAndInfo e in
	let ety = typeOf enocast in
	if isPointerType ety then
	  unify_type_hierarchies ty ety
	else ();
	DoChildren
    | _ -> DoChildren

end

class exploitStructHierarchy =
object

  inherit Visitor.frama_c_inplace

end

let create_struct_hierarchy file =
  let struct_fields ty =
    match unrollType ty with
    | TComp(compinfo,_,_) -> compinfo.cfields
    | _ -> assert false
  in
  let num_fields ty = List.length (struct_fields ty) in
  let compare_num_fields ty1 ty2 =
    Pervasives.compare (num_fields ty1) (num_fields ty2)
  in
  let subtype ty1 ty2 =
    let fields1 = struct_fields ty1 and fields2 = struct_fields ty2 in
    let len1 = List.length fields1 and len2 = List.length fields2 in
    if len1 > len2 then
      List.fold_left2
	(fun eq fi1 fi2 -> eq && Typ.equal fi1.ftype fi2.ftype)
	true
	(sub_list fields1 len2)
	fields2
    else
      false
  in
  let compute_hierarchy () =
    let classes = TypeUnion.classes () in
    List.iter (fun cls ->
      let types = Typ.Set.elements cls in
      let types = List.sort compare_num_fields types in
      let root,types =
	match types with [] -> assert false | a::r -> a,r
      in
      (* First element is new root *)
      Typ.Hashtbl.remove type_to_parent_type root;
      List.iter
	(fun ty ->
	  add_inheritance_relation ty root;
	  List.iter
	    (fun party ->
	      if subtype ty party then
		add_inheritance_relation ty party
	    ) types
	) types
    ) classes;
    Typ.Hashtbl.iter
      (fun ty party ->
	let fields1 = struct_fields ty in
	let fields2 = struct_fields party in
	let num2 = List.length fields2 in
	let subfields1 = sub_list fields1 num2 in
	List.iter2 add_field_representant subfields1 fields2)
      type_to_parent_type
  in
  let visitor = new createStructHierarchy in
  visitFramacFile visitor file;
  compute_hierarchy ();
  let visitor = new exploitStructHierarchy in
  visitFramacFile visitor file

(*****************************************************************************)
(* Retype the C file for Jessie translation.                                 *)
(*****************************************************************************)

let retype file =
  if checking then check_types file;
  (* Retype int field casted to pointer. *)
  Jessie_options.debug "Retype int field casted to pointer@.";
  retype_int_field file;
  if checking then check_types file;
  (* Organize structure types in hierarchy. *)
  Jessie_options.debug "Organize structure types in hierarchy@.";
  create_struct_hierarchy file;
  if checking then check_types file;

(*
Local Variables:
compile-command: "make"
End:
*)
why-2.34/frama-c-plugin/Jessie.mli0000644000175000017500000000457012311670312015352 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(** C to Jessie translation. *)

(** No function is directly exported: they are registered in {!Db.Jessie}. *)
why-2.34/frama-c-plugin/ptests_local_config.ml0000444000175000017500000000505712311670312017777 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

Ptests_config.default_suites:= [ "jessie"; ];;
Ptests_config.toplevel_path :="/usr/local/bin/frama-c";;
Ptests_config.framac_share :="/usr/local/share/frama-c";;
Ptests_config.framac_plugin :=".";;
Ptests_config.framac_plugin_gui :="./gui";;
Ptests_config.framac_lib :="/usr/local/lib/frama-c";;
why-2.34/frama-c-plugin/rewrite.ml0000644000175000017500000022345012311670312015440 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* Import from Cil *)
open Cabs
open Cil_types
open Cil
open Cil_datatype
open Ast_info
open Extlib

open Visitor

(* Utility functions *)
open Common

(*****************************************************************************)
(* Adds a default behavior for all functions                                 *)
(*****************************************************************************)

class add_default_behavior =
  object(self)
    inherit Visitor.frama_c_inplace

    method! vspec s =
      if not (List.exists (fun x -> x.b_name = Cil.default_behavior_name)
                s.spec_behavior)
      then begin
        let bhv = Cil.mk_behavior ~name:Cil.default_behavior_name () in
        let kf = Extlib.the self#current_kf in
        let props = Property.ip_all_of_behavior kf Kglobal bhv in
        List.iter Property_status.register props;
        s.spec_behavior <- bhv :: s.spec_behavior
      end;
      SkipChildren

    method! vcode_annot _ = SkipChildren

  end

let add_default_behavior () =
  let treat_one_function kf =
    let bhvs = Annotations.behaviors kf in
    if not
      (List.exists (fun bhv -> bhv.b_name = Cil.default_behavior_name) bhvs)
    then begin
      Annotations.add_behaviors Common.jessie_emitter kf [Cil.mk_behavior()];
      (* ensures that default behavior will be correctly populated *)
      ignore (Annotations.behaviors kf)
    end
  in
  Globals.Functions.iter treat_one_function

(*****************************************************************************)
(* Rename entities to avoid conflicts with Jessie predefined names.          *)
(*****************************************************************************)

class renameEntities
  (add_variable : varinfo -> unit) (add_logic_variable : logic_var -> unit) =
  let types = Typ.Hashtbl.create 17 in
  let add_field fi =
    fi.fname <- unique_name fi.fname
  in
  let add_type ty =
    if Typ.Hashtbl.mem types ty then () else
      let compinfo = get_struct_info ty in
      compinfo.cname <- unique_name compinfo.cname;
      List.iter add_field compinfo.cfields;
      Typ.Hashtbl.add types ty ()
  in
object

  inherit Visitor.frama_c_inplace

  method! vfunc f =
    List.iter add_variable f.slocals;
    DoChildren

  method! vglob_aux = function
    | GCompTag(compinfo,_loc)
    | GCompTagDecl(compinfo,_loc) ->
	add_type (TComp(compinfo,empty_size_cache (),[]));
	SkipChildren
    | GVarDecl _ | GVar _ | GFun _ | GAnnot _ | GType _
    | GEnumTagDecl _ | GEnumTag _ | GAsm _ | GPragma _ | GText _ ->
	DoChildren

  method! vlogic_var_decl lv = add_logic_variable lv; DoChildren

  method! vlogic_var_use v =
    let postaction v =
      (* Restore consistency between C variable name and logical name *)
      Extlib.may (fun cv -> v.lv_name <- cv.vname) v.lv_origin; v
    in
    ChangeDoChildrenPost(v,postaction)
end

let logic_names_overloading = Hashtbl.create 257

let rename_entities file =
  let add_variable v =
    let s = unique_name v.vname in
(*
    Format.eprintf "Renaming variable %s into %s@." v.vname s;
*)
    v.vname <- s;
    match v.vlogic_var_assoc with
      | None -> ()
      | Some lv -> lv.lv_name <- v.vname
  in
  let add_logic_variable v =
    match v.lv_origin with
        None -> (* pure logic variable *)
          v.lv_name <- unique_logic_name v.lv_name
      | Some _ -> () (* we take care of that in the C world *)
  in
  Globals.Vars.iter (fun v _init -> add_variable v);
  Globals.Functions.iter
    (fun kf ->
       add_variable (Globals.Functions.get_vi kf);
       List.iter add_variable (Globals.Functions.get_params kf));
(* [VP 2011-08-22] replace_all has disappeared from kernel's API, but
   it appears that info in Globals.Annotations is not used by Jessie. *)
(*  Globals.Annotations.replace_all
    (fun annot gen ->
       let rec replace_annot annot = match annot with
	 | Dfun_or_pred _ -> annot
	 | Dvolatile _ -> annot
         | Daxiomatic(id, l, loc) ->
             Daxiomatic(id, List.map replace_annot l,loc)
	 | Dtype(infos,loc) ->
	     Dtype({ infos with
                       lt_name = unique_logic_name infos.lt_name;
                       lt_def =
                       opt_map
                         (function
                              | LTsum cons ->
                                  LTsum(
                                    List.map
                                      (fun x ->
                                         { x with ctor_name =
                                             unique_logic_name x.ctor_name})
                                      cons)
                              | (LTsyn _) as def -> def)
                         infos.lt_def;},
                   loc
                  )
	 | Dlemma(name,is_axiom,labels,poly,property,loc) ->
	     Dlemma(unique_logic_name name,is_axiom,labels,poly,property,loc)
         | Dmodel_annot _ -> annot
	 | Dtype_annot _ | Dinvariant _ ->
	     (* Useful ? harmless ?
		info.l_name <- unique_logic_name info.l_name;
	     *)
	     annot
       in replace_annot annot,gen
    );
*)
  (* preprocess of renaming logic functions  *)
  Logic_env.Logic_info.iter
    (fun name _li ->
       try
	 let x = Hashtbl.find logic_names_overloading name in
	 x := true
       with
	   Not_found ->
	     Hashtbl.add logic_names_overloading name (ref false)
    );

  let visitor = new renameEntities (add_variable) (add_logic_variable) in
  visitFramacFile visitor file


(*****************************************************************************)
(* Fill offset/size information in fields                                    *)
(*****************************************************************************)

class fillOffsetSizeInFields =
object

  inherit Visitor.frama_c_inplace

  method! vglob_aux = function
    | GCompTag(compinfo,_loc) ->
	let basety = TComp(compinfo,empty_size_cache () ,[]) in
	let field fi nextoff =
	  let size_in_bits =
	    match fi.fbitfield with
	      | Some siz -> siz
	      | None -> bitsSizeOf fi.ftype
	  in
	  let offset_in_bits = fst (bitsOffset basety (Field(fi,NoOffset))) in
	  let padding_in_bits = nextoff - (offset_in_bits + size_in_bits) in
	  assert (padding_in_bits >= 0);
	  fi.fsize_in_bits <- Some size_in_bits;
	  fi.foffset_in_bits <- Some offset_in_bits;
	  fi.fpadding_in_bits <- Some padding_in_bits;
	  if compinfo.cstruct then
	    offset_in_bits
	  else nextoff (* union type *)
	in
	ignore(List.fold_right field compinfo.cfields (bitsSizeOf basety));
	SkipChildren
    | _ -> SkipChildren

end

let fill_offset_size_in_fields file =
  let visitor = new fillOffsetSizeInFields in
  visitFramacFile visitor file


(*****************************************************************************)
(* Replace addrof array with startof.                                        *)
(*****************************************************************************)

class replaceAddrofArray =
object

  inherit Visitor.frama_c_inplace

  method! vexpr e = match e.enode with
    | AddrOf lv ->
	if isArrayType(typeOfLval lv) then
	  ChangeDoChildrenPost (new_exp ~loc:e.eloc (StartOf lv), fun x -> x)
	else DoChildren
    | _ -> DoChildren

  method! vterm t = match t.term_node with
    | TAddrOf tlv ->
	let ty = force_app_term_type pointed_type t.term_type in
	if isArrayType ty then
	  let t' = { t with
	    term_node = TStartOf tlv;
	    term_type = Ctype (element_type ty);
	  } in
	  ChangeDoChildrenPost (t', fun x -> x)
	else DoChildren
    | _ -> DoChildren

end

let replace_addrof_array file =
  let visitor = new replaceAddrofArray in
  visit_and_update_globals visitor file


(*****************************************************************************)
(* Replace string constants by global variables.                             *)
(*****************************************************************************)

class replaceStringConstants =

  let string_to_var = Datatype.String.Hashtbl.create 17 in
  let wstring_to_var = Cil_datatype.Wide_string.Hashtbl.create 17 in

  (* Use the Cil translation on initializers. First translate to primitive
   * AST to later apply translation in [blockInitializer].
   *)
  let string_cabs_init s =
    SINGLE_INIT(
      { expr_node = CONSTANT(CONST_STRING s); expr_loc = Cabshelper.cabslu }
    )
  in
  let wstring_cabs_init ws =
    SINGLE_INIT(
      { expr_node = CONSTANT(CONST_WSTRING ws); expr_loc = Cabshelper.cabslu }
    )
  in

  (* Name of variable should be as close as possible to the string it
   * represents. To that end, we just filter out characters not allowed
   * in C names, before we add a discriminating number if necessary.
   *)
  let string_var s =
    let name = unique_name ("__string_" ^ (filter_alphanumeric s [] '_')) in
    makeGlobalVar name (array_type charType)
  in
  let wstring_var () =
    let name = unique_name "__wstring_" in
    makeGlobalVar name (array_type theMachine.wcharType)
(*     makeGlobalVar name (array_type (TInt(IUShort,[]))) *)
  in

  let make_glob ~wstring v size inite =
    (* Apply translation from initializer in primitive AST to block of code,
     * simple initializer and type.
     *)
    let _b,init,ty =
      Cabs2cil.blockInitializer Cabs2cil.empty_local_env v inite in
    (* Precise the array type *)
    v.vtype <- ty;
    (* Attach global variable and code for global initialization *)
(* DISABLED because does not work and uses deprecated Cil.getGlobInit
   See bts0284.c
    List.iter attach_globinit b.bstmts;
*)
    attach_global (GVar(v,{init=Some init},CurrentLoc.get ()));
    (* Define a global string invariant *)
    begin try
    let validstring =
      match Logic_env.find_all_logic_functions
	(if wstring then
	   name_of_valid_wstring
	 else
	   name_of_valid_string)
      with
	| [i] -> i
	| _  -> raise Exit
    in
    let strlen =
      match Logic_env.find_all_logic_functions name_of_strlen
      with
	| [i] -> i
	| _  -> raise Exit
    in
    let strlen_type =
      match strlen.l_type with Some t -> t | None -> assert false
    in
    let wcslen =
      match Logic_env.find_all_logic_functions name_of_wcslen
      with
	| [i] -> i
	| _  -> raise Exit
    in
    let wcslen_type =
      match wcslen.l_type with Some t -> t | None -> assert false
    in
    let pstring =
      Papp(validstring,[],[variable_term v.vdecl (cvar_to_lvar v)])
    in
    let tv = term_of_var v in
    let strsize =
      if wstring then
	mkterm (Tapp(wcslen,[],[tv])) wcslen_type v.vdecl
      else
	mkterm (Tapp(strlen,[],[tv])) strlen_type v.vdecl
    in
    let size = constant_term v.vdecl (Integer.of_int size) in
    let psize = Prel(Req,strsize,size) in
    let p = Pand(predicate v.vdecl pstring,predicate v.vdecl psize) in
    let globinv =
      Cil_const.make_logic_info (unique_logic_name ("valid_" ^ v.vname)) in
    globinv.l_labels <- [ LogicLabel (None, "Here") ];
    globinv.l_body <- LBpred (predicate v.vdecl p);
    attach_globaction (fun () -> Logic_utils.add_logic_function globinv);
    attach_global (GAnnot(Dinvariant (globinv,v.vdecl),v.vdecl));
    with Exit -> ()
    end;
    v
  in
object

  inherit Visitor.frama_c_inplace

  method! vexpr e = match e.enode with
    | Const(CStr s) ->
	let v =
	  Datatype.String.Hashtbl.memo string_to_var s
	    (fun s ->
	       make_glob ~wstring:false (string_var s) (String.length s)
		 (string_cabs_init s))
	in
	ChangeTo (new_exp ~loc:e.eloc (StartOf(Var v,NoOffset)))
    | Const(CWStr ws) ->
	let v =
	  Cil_datatype.Wide_string.Hashtbl.memo wstring_to_var ws
	    (fun ws ->
	       make_glob ~wstring:true (wstring_var ()) (List.length ws - 1)
		 (wstring_cabs_init ws))
	in
	ChangeTo (new_exp ~loc:e.eloc (StartOf(Var v,NoOffset)))
    | _ -> DoChildren

  method! vglob_aux = function
    | GVar(v,{init=Some(SingleInit({enode = Const _}))},_) ->
	if isArrayType v.vtype then
	  (* Avoid creating an array for holding the initializer for another
	   * array. This initializer is later cut into individual
	   * initialization statements in [gather_initialization].
	   *)
	  SkipChildren
	else
	  DoChildren
    | _ -> DoChildren

end

let replace_string_constants file =
  let visitor = new replaceStringConstants in
  visit_and_update_globals visitor file


(*****************************************************************************)
(* Put all global initializations in the [globinit] file.                    *)
(* Replace global compound initializations by equivalent statements.         *)
(*****************************************************************************)

let gather_initialization file =
  do_and_update_globals
    (fun _ ->
      Globals.Vars.iter (fun v iinfo ->
	let _s = match iinfo.init with
	  | Some ie ->
	      let b =
                Cabs2cil.blockInit
                  ~ghost:v.vghost (Var v, NoOffset) ie v.vtype in
	      b.bstmts
	  | None ->
	      if bitsSizeOf v.vtype lsr 3 < 100 then
		(* Enforce zero-initialization of global variables *)
		let ie =
                  makeZeroInit ~loc:Cil_datatype.Location.unknown v.vtype
                in
		let b =
                  Cabs2cil.blockInit
                    ~ghost:v.vghost (Var v, NoOffset) ie v.vtype
                in
		b.bstmts
	      else
		(* FS#253: Big data structure, do not initialize individually.
		 * When casts to low-level are supported, call here [memset]
		 * or equivalent to zero the memory.
		 *)
		[]
	in
	(* Too big currently, postpone until useful *)
(*
	ignore s;
  	List.iter attach_globinit s;
*)
	iinfo.init <- None
      )) file

class copy_spec_specialize_memset =
object(self)
  inherit Visitor.frama_c_copy (Project.current())
  method private has_changed lv =
    (Cil.get_original_logic_var self#behavior lv) != lv

  method! vlogic_var_use lv =
    if self#has_changed lv then DoChildren (* Already visited *)
    else begin
      match lv.lv_origin with
        | Some v when not v.vglob -> (* Don't change global references *)
            let v' = Cil_const.copy_with_new_vid v in
            v'.vformal <- true;
            (match Cil.unrollType v.vtype with
              | TArray _ as t -> v'.vtype <- TPtr(t,[])
              | _ -> ());
            v'.vlogic_var_assoc <- None; (* reset association. *)
            let lv' = Cil.cvar_to_lvar v' in
            Cil.set_logic_var self#behavior lv lv';
            Cil.set_orig_logic_var self#behavior lv' lv;
            Cil.set_varinfo self#behavior v v';
            Cil.set_orig_varinfo self#behavior v' v;
            ChangeTo lv'
        | Some _ | None -> DoChildren
    end

  method! vterm t =
    let post_action t =
      let loc = t.term_loc in
      match t.term_node with
        | TStartOf (TVar lv, TNoOffset) ->
            if self#has_changed lv then begin
              (* Original was an array, and is now a pointer to an array.
                 Update term accordingly*)
              let base = Logic_const.tvar ~loc lv in
              let tmem = (TMem base,TNoOffset) in
              Logic_const.term
                ~loc (TStartOf tmem) (Cil.typeOfTermLval tmem)
            end else t
        | TLval (TVar lv, (TIndex _ as idx)) ->
            if self#has_changed lv then begin
                (* Change array access into pointer shift. *)
              let base = Logic_const.tvar ~loc lv in
              let tmem = TMem base, idx in
              Logic_const.term ~loc (TLval tmem) t.term_type
            end else t
        | _ -> t
    in ChangeDoChildrenPost(t,post_action)

  method! vspec s =
    let refresh_deps = function
      | FromAny -> FromAny
      | From locs -> From (List.map Logic_const.refresh_identified_term locs)
    in
    let refresh_froms (loc,deps) =
      (Logic_const.refresh_identified_term loc, refresh_deps deps)
    in
    let refresh_assigns = function
      | WritesAny -> WritesAny
      | Writes (writes) -> Writes (List.map refresh_froms writes)
    in
    let refresh_allocates = function
      | FreeAllocAny -> FreeAllocAny
      | FreeAlloc (free,alloc) ->
          FreeAlloc (List.map Logic_const.refresh_identified_term free,
                     List.map Logic_const.refresh_identified_term alloc)
    in
    let refresh_extended e =
      List.map (fun (s,i,p) -> (s,i,List.map Logic_const.refresh_predicate p)) e
    in
    let refresh_behavior b =
      let requires = List.map Logic_const.refresh_predicate b.b_requires in
      let assumes = List.map Logic_const.refresh_predicate b.b_assumes in
      let post_cond =
        List.map
          (fun (k,p) -> (k,Logic_const.refresh_predicate p)) b.b_post_cond
      in
      let assigns = refresh_assigns b.b_assigns in
      let allocation = Some (refresh_allocates b.b_allocation) in
      let extended = refresh_extended b.b_extended in
      Cil.mk_behavior
        ~assumes ~requires ~post_cond ~assigns ~allocation ~extended ()
    in
    let refresh s =
      let bhvs = List.map refresh_behavior s.spec_behavior in
      s.spec_behavior <- bhvs;
      s
    in
    ChangeDoChildrenPost(s,refresh)
end

let copy_spec_specialize_memset s =
  let vis = new copy_spec_specialize_memset in
  let s' = Visitor.visitFramacFunspec vis s in
  let args =
    Cil.fold_visitor_varinfo
      vis#behavior (fun oldv newv acc -> (oldv,newv)::acc) []
  in
  args,s'

class specialize_memset =
object
  inherit Visitor.frama_c_inplace
  val mutable my_globals = []
  method! vstmt_aux s =
    match Annotations.code_annot ~filter:Logic_utils.is_contract s with
      | [ annot ] ->
          (match annot.annot_content with
             | AStmtSpec
                (_,({ spec_behavior =
                    [ { b_name = "Frama_C_implicit_init" }]} as spec))
              ->
                let loc = Cil_datatype.Stmt.loc s in
                let mk_actual v =
                  match Cil.unrollType v.vtype with
                    | TArray _ ->
                        Cil.new_exp ~loc (StartOf (Cil.var v))
                    | _ -> Cil.evar ~loc v
                in
                let prms, spec = copy_spec_specialize_memset spec in
                let (actuals,formals) = List.split prms in
                let actuals = List.map mk_actual actuals in
                let arg_type =
                  List.map (fun v -> v.vname, v.vtype, []) formals in
                let f =
                  Cil.makeGlobalVar
                    (Common.unique_name "implicit_init")
                    (TFun (TVoid [], Some arg_type, false, []))
                in
                 Cil.unsafeSetFormalsDecl f formals;
                my_globals <-
                  GVarDecl(Cil.empty_funspec(),f,loc) :: my_globals;
                Globals.Functions.replace_by_declaration spec f loc;
                let kf = Globals.Functions.get f in
                Annotations.register_funspec ~emitter:Common.jessie_emitter kf;
                let my_instr = Call(None,Cil.evar ~loc f,actuals,loc) in
                s.skind <- Instr my_instr;
                SkipChildren
            | _ -> DoChildren)
      | _ -> DoChildren

  method! vglob_aux _ =
    let add_specialized g = let s = my_globals in my_globals <- []; s @ g in
    DoChildrenPost add_specialized
end

let specialize_memset file =
  visitFramacFile (new specialize_memset) file;
  (* We may have introduced new globals: clear the last_decl table. *)
  Ast.clear_last_decl ()

(*****************************************************************************)
(* Rewrite comparison of pointers into difference of pointers.               *)
(*****************************************************************************)

class rewritePointerCompare =
  let preaction_expr e = match e.enode with
    | BinOp((Lt | Gt | Le | Ge | Eq | Ne as op),e1,e2,ty)
	when isPointerType (typeOf e1) && not (is_null_expr e2) ->
	new_exp ~loc:e.eloc
          (BinOp(op,
                 new_exp ~loc:e.eloc
                   (BinOp(MinusPP,e1,e2,theMachine.ptrdiffType)),
	         constant_expr Integer.zero,ty))
    | _ -> e
  in
object

  inherit Visitor.frama_c_inplace

  method! vexpr e =
    ChangeDoChildrenPost (preaction_expr e, fun x -> x)

  method! vterm =
    do_on_term (Some preaction_expr,None)

  method! vpredicate = function
    | Prel(rel,t1,t2)
	when app_term_type isPointerType false t1.term_type
	  && not (is_null_term t1 || is_null_term t2
		  || is_base_addr t1 || is_base_addr t2) ->
	let loc = range_loc t1.term_loc t2.term_loc in
	let tsub = {
	  term_node = TBinOp(MinusPP,t1,t2);
	  term_type = Ctype theMachine.ptrdiffType;
	  term_loc = loc;
	  term_name = [];
	} in
	let p = Prel(rel,tsub,constant_term loc Integer.zero) in
	ChangeDoChildrenPost (p, fun x -> x)
    | _ -> DoChildren

end

let rewrite_pointer_compare file =
  let visitor = new rewritePointerCompare in
  visitFramacFile visitor file


(*****************************************************************************)
(* Rewrite cursor pointers into offsets from base pointers.                  *)
(*****************************************************************************)

(* Recognize the sum of a pointer variable and an integer offset *)
let rec destruct_pointer e = match (stripInfo e).enode with
  | Lval(Var v,NoOffset) | StartOf(Var v,NoOffset) | AddrOf(Var v,NoOffset) ->
      Some(v,None)
  | StartOf(Var v,Index(i,NoOffset)) | AddrOf(Var v,Index(i,NoOffset)) ->
      Some(v,Some i)
  | BinOp((PlusPI | IndexPI | MinusPI as op),e1,e2,_) ->
      begin match destruct_pointer e1 with
	| None -> None
	| Some(v,None) ->
	    begin match op with
	      | PlusPI | IndexPI -> Some(v,Some e2)
	      | MinusPI ->
                  Some(v,
                       Some(new_exp ~loc:e.eloc (UnOp(Neg,e2,typeOf e2))))
	      | _ -> assert false
	    end
	| Some(v,Some off) ->
	    begin match op with
	      | PlusPI | IndexPI ->
                  Some(v,
                       Some(new_exp ~loc:e.eloc
                              (BinOp(PlusA,off,e2,typeOf e2))))
	      | MinusPI ->
                  Some(v,
                       Some(new_exp ~loc:e.eloc
                              (BinOp(MinusA,off,e2,typeOf e2))))
	      | _ -> assert false
	    end
      end
  | CastE(ty,e) ->
      let ety = typeOf e in
      if isPointerType ty && isPointerType ety
	&&
          Cil_datatype.Typ.equal
          (Cil.typeDeepDropAttributes ["const"; "volatile"]
             (unrollType (pointed_type ty)))
          (Cil.typeDeepDropAttributes ["const"; "volatile"]
             (unrollType (pointed_type ety)))
      then
	destruct_pointer e
      else None
  | _ -> None

class collectCursorPointers
  (cursor_to_base : varinfo Cil_datatype.Varinfo.Hashtbl.t) (* local variable to base *)
  (formal_to_base : varinfo Cil_datatype.Varinfo.Hashtbl.t) (* formal variable to base *)
  (assigned_vars : Cil_datatype.Varinfo.Set.t ref) (* variable is assigned (for formals) *)
  (ignore_vars : Cil_datatype.Varinfo.Set.t ref) (* ignore info on these variables *) =

  let curFundec : fundec ref = ref (emptyFunction "@dummy@") in

  let candidate_var v =
    not v.vglob
    && ((isPointerType v.vtype && not v.vaddrof) || isArrayType v.vtype)
  in
  (* Variable should not be translated as base or cursor *)
  let add_ignore_vars v =
    if not (Cil_datatype.Varinfo.Set.mem v !ignore_vars) then
      begin
	ignore_vars := Cil_datatype.Varinfo.Set.add v !ignore_vars; signal_change ()
      end
  in
  (* Variable [v] used as cursor on base [vb] *)
  let add_cursor_to_base v vb =
    try
      let vb2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
      if not (Cil_datatype.Varinfo.equal vb vb2) then add_ignore_vars v
    with Not_found ->
      Cil_datatype.Varinfo.Hashtbl.add cursor_to_base v vb; signal_change ()
  in
  (* Variable [v] assigned *)
  let add_assigned_vars v =
    if not (Cil_datatype.Varinfo.Set.mem v !assigned_vars) then
      begin
	assigned_vars := Cil_datatype.Varinfo.Set.add v !assigned_vars; signal_change ()
      end
  in

  (* Interpret difference of pointers as a hint that one is an cursor
   * of the other. *)
  let preaction_expr x =
    begin match x.enode with
      | BinOp(MinusPP,e1,e2,_) when isPointerType (typeOf e1) ->
	  begin match destruct_pointer e1,destruct_pointer e2 with
	    | Some(v1,_),Some(v2,_) ->
		begin try
		  let vb1 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v1 in
		  let vb2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v2 in
		  if not (Cil_datatype.Varinfo.equal vb1 vb2)
		    && vb1.vformal && vb2.vformal then
		      (* One formal is an offset from the other.
			 Choose the first one in the list of parameters
			 as base. *)
		      let vbbase,vboff =
			match
			  List.fold_left
			    (fun acc v ->
			       match acc with Some _ -> acc | None ->
		      		 if Cil_datatype.Varinfo.equal v vb1 then
				   Some(vb1,vb2)
				 else if Cil_datatype.Varinfo.equal v vb2 then
				   Some(vb2,vb1)
				 else None
			    ) None !curFundec.sformals
			with None -> assert false | Some pair -> pair
		      in
		      Cil_datatype.Varinfo.Hashtbl.add formal_to_base vboff vbbase
		  else ()
		with Not_found -> () end
	    | _ -> ()
	  end
      | _ -> ()
    end; x
  in
object

  inherit Visitor.frama_c_inplace

  method! vfunc f =
    curFundec := f;
    (* For simplicity, consider formals as self-cursors initially.
     * This is the way we declare bases (in the image of [cursor_to_base]).
     *)
    let formal v =
      if candidate_var v then add_cursor_to_base v v
    in
    let local v =
      (* Consider local arrays as candidate base pointers *)
      if isArrayType v.vtype then formal v
    in
    List.iter formal f.sformals;
    List.iter local f.slocals;
    DoChildren

  method! vinst = function
    | Set((Var v,NoOffset),e,_loc) ->
	if candidate_var v then
	  begin
	    add_assigned_vars v;
	    match destruct_pointer e with
	      | None -> add_ignore_vars v
	      | Some(v2,_offset) ->
		  if Cil_datatype.Varinfo.Set.mem v2 !ignore_vars then add_ignore_vars v
		  else try
		    let vb2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v2 in
		    try
		      let vb = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
		      if not (Cil_datatype.Varinfo.equal vb vb2) then
			add_ignore_vars v
		    with Not_found -> add_cursor_to_base v vb2
		  with Not_found -> add_ignore_vars v
	  end;
	DoChildren
    | Set _ -> DoChildren
    | Call(Some(Var v,NoOffset),_f,_args,_loc) ->
	if candidate_var v then
	  begin
	    add_assigned_vars v; add_ignore_vars v
	  end;
	DoChildren
    | Call _ -> DoChildren
    | Asm _ | Skip _ -> SkipChildren
    | Code_annot _ -> assert false

  method! vexpr e =
    ignore(preaction_expr e); DoChildren

  method! vterm = do_on_term (Some preaction_expr, None)

end

class rewriteCursorPointers
  (cursor_to_base : varinfo Cil_datatype.Varinfo.Hashtbl.t)
  (formal_to_base : varinfo Cil_datatype.Varinfo.Hashtbl.t)
  (assigned_vars : Cil_datatype.Varinfo.Set.t) =

  (* Correspondance between cursor variables and offset variables *)
  let cursor_to_offset : varinfo Cil_datatype.Varinfo.Hashtbl.t = Cil_datatype.Varinfo.Hashtbl.create 0 in

  (* Function [expr_offset] may raise exception [Not_found] if
   * no offset needed.
   *)
  let expr_offset v =
    let loc = Cil_const.CurrentLoc.get () in
    if v.vformal then
      let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
      new_exp ~loc (Lval(Var voff,NoOffset))
    else
      let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
      let vb = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
      if Cil_datatype.Varinfo.Hashtbl.mem formal_to_base vb then
	let voff2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset vb in
	new_exp ~loc
          (BinOp(PlusA,
                 new_exp ~loc (Lval(Var voff,NoOffset)),
                 new_exp ~loc (Lval(Var voff2,NoOffset)),
	         theMachine.ptrdiffType))
      else new_exp ~loc (Lval(Var voff,NoOffset))
  in
  (* Find basis for variable [v] *)
  let var_base v =
    if Cil_datatype.Varinfo.Hashtbl.mem cursor_to_offset v then
      if v.vformal then
	try Cil_datatype.Varinfo.Hashtbl.find formal_to_base v
	with Not_found -> v (* self-base *)
      else
	let vb = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
	try Cil_datatype.Varinfo.Hashtbl.find formal_to_base vb
	with Not_found -> vb
    else
      raise Not_found
  in
  let lval_base vb =
    let loc = Cil_const.CurrentLoc.get () in
    if isArrayType vb.vtype then
      new_exp ~loc (StartOf(Var vb,NoOffset))
    else
      new_exp ~loc (Lval(Var vb,NoOffset))
  in
  let preaction_expr e = match e.enode with
    | BinOp(MinusPP,e1,e2,_) ->
        begin try match destruct_pointer e1,destruct_pointer e2 with
          | None,_ | _,None -> e
          | Some(v1,offopt1),Some(v2,offopt2) ->
	      let vb1 = try var_base v1 with Not_found -> v1 in
	      let vb2 = try var_base v2 with Not_found -> v2 in
              if Cil_datatype.Varinfo.equal vb1 vb2 then
	        let v1offopt =
		  try Some(expr_offset v1) with Not_found -> None in
	        let v2offopt =
		  try Some(expr_offset v2) with Not_found -> None in
                let offopt1 = match v1offopt,offopt1 with
                  | None,None -> None
                  | Some off,None | None,Some off -> Some off
                  | Some off1,Some off2 ->
                      Some
                        (new_exp ~loc:e.eloc
                           (BinOp(PlusA,off1,off2,theMachine.ptrdiffType)))
                in
                let offopt2 = match v2offopt,offopt2 with
                  | None,None -> None
                  | Some off,None | None,Some off -> Some off
                  | Some off1,Some off2 ->
                      Some
                        (new_exp ~loc:e.eloc
                           (BinOp(PlusA,off1,off2,theMachine.ptrdiffType)))
                in
                match offopt1,offopt2 with
                  | Some off1,Some off2 ->
		      new_exp ~loc:e.eloc
                        (BinOp(MinusA,off1,off2,theMachine.ptrdiffType))
                  | Some off1,None ->
		      off1
                  | None,Some off2 ->
	              new_exp ~loc:e.eloc
                        (UnOp(Neg,off2,theMachine.ptrdiffType))
                  | None,None ->
		      constant_expr Integer.zero
              else e
	with Not_found -> e end
    | _ -> e
  in
  let postaction_expr e = match e.enode with
    | Lval(Var v,NoOffset) ->
	begin try
	  (* Both [var_base] and [expr_offset] can raise [Not_found],
	   * the second one only on local array variables.
	   *)
	  let vb = var_base v in
	  new_exp ~loc:e.eloc
            (BinOp(PlusPI,lval_base vb,expr_offset v,v.vtype))
	with Not_found -> e end
    | _ -> e
  in
object

  inherit Visitor.frama_c_inplace

  method! vfunc f =
    let local v =
      if Cil_datatype.Varinfo.Hashtbl.mem cursor_to_base v && not (isArrayType v.vtype) then
	let name = unique_name ("__jc_off_" ^ v.vname) in
	let voff = makeLocalVar f ~insert:true name almost_integer_type in
	Cil_datatype.Varinfo.Hashtbl.add cursor_to_offset v voff
    in
    let formal v =
      if Cil_datatype.Varinfo.Hashtbl.mem formal_to_base v then
	(* Formal is a cursor of another formal *)
	begin
	  local v; (* Create an offset variable for this formal *)
	  let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	  let vb = Cil_datatype.Varinfo.Hashtbl.find formal_to_base v in
          let loc = CurrentLoc.get () in
	  let initst =
	    mkStmt(
	      Instr(
                Set((Var voff,NoOffset),
	            new_exp ~loc:(CurrentLoc.get())
                      (BinOp (MinusPP,
                              new_exp ~loc (Lval(Var v,NoOffset)),
                              lval_base vb,
		              theMachine.ptrdiffType)),
		    loc)))
	  in
	  add_pending_statement ~beginning:true initst
	end
      else if Cil_datatype.Varinfo.Hashtbl.mem cursor_to_base v
	&& Cil_datatype.Varinfo.Set.mem v assigned_vars then
	(* Formal is assigned and still a self-base, an offset is needed *)
	begin
	  local v; (* Create an offset variable for this formal *)
	  let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	  let initst =
	    mkStmt(Instr(Set((Var voff,NoOffset),
			     constant_expr Integer.zero,
			     CurrentLoc.get ())))
	  in
	  add_pending_statement ~beginning:true initst
	end
      else ()
    in
    List.iter formal f.sformals;
    List.iter local f.slocals;
    DoChildren

  method! vinst = function
    | Set((Var v,NoOffset),e,loc) ->
	if v.vformal then
	  begin try
	    let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	    (* At this point, [e] must be a pointer whose destruction through
	     * [destruct_pointer] does not return None.
	     *)
	    let eoff = match destruct_pointer e with
	      | None -> assert false
	      | Some(v2,Some e) ->
		  begin try
                    new_exp ~loc:e.eloc
                      (BinOp(PlusA,expr_offset v2,e,almost_integer_type))
		  with Not_found -> assert false end
	      | Some(v2,None) ->
		  begin try expr_offset v2
		  with Not_found -> assert false end
	    in
	    ChangeDoChildrenPost
	      ([Set((Var voff,NoOffset),eoff,loc)], fun x -> x)
	  with Not_found -> DoChildren end
	else
	  (* local variable *)
	  begin try
	    let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	    (* At this point, [e] must be a pointer whose destruction through
	     * [destruct_pointer] does not return None.
	     *)
	    let eoff = match destruct_pointer e with
	      | None -> assert false
	      | Some(v2,Some e) ->
		  begin try
                    new_exp ~loc:e.eloc
                      (BinOp(PlusA,expr_offset v2,e,almost_integer_type))
		  with Not_found -> e end
	      | Some(v2,None) ->
		  begin try expr_offset v2
		  with Not_found -> constant_expr Integer.zero end
	    in
	    ChangeDoChildrenPost
	      ([Set((Var voff,NoOffset),eoff,loc)], fun x -> x)
	  with Not_found -> DoChildren end
    | _ -> DoChildren

  method! vexpr e =
    ChangeDoChildrenPost (preaction_expr e, postaction_expr)

  method! vterm =
    do_on_term (Some preaction_expr,Some postaction_expr)

  method! vspec _sp =
    (* Do not modify the function contract, where offset variables
     * are not known *)
    SkipChildren

end

let rewrite_cursor_pointers file =
  (* Variables to communicate between the collecting visitor and
   * the rewriting one. *)
  let cursor_to_base = Cil_datatype.Varinfo.Hashtbl.create 0 in
  let formal_to_base = Cil_datatype.Varinfo.Hashtbl.create 0 in
  let assigned_vars = ref Cil_datatype.Varinfo.Set.empty in
  let ignore_vars = ref Cil_datatype.Varinfo.Set.empty in

  (* Collect the cursor variables and their base *)
  let visitor =
    new collectCursorPointers
      cursor_to_base formal_to_base assigned_vars ignore_vars
  in
  visit_until_convergence visitor file;

  (* Normalize the information *)
  let rec transitive_basis v =
    try transitive_basis (Cil_datatype.Varinfo.Hashtbl.find formal_to_base v)
    with Not_found -> v
  in
  Cil_datatype.Varinfo.Hashtbl.iter
    (fun v _ -> Cil_datatype.Varinfo.Hashtbl.add formal_to_base v (transitive_basis v))
    formal_to_base;
  Cil_datatype.Varinfo.Set.iter
    (fun v -> Cil_datatype.Varinfo.Hashtbl.remove cursor_to_base v) !ignore_vars;
  Cil_datatype.Varinfo.Hashtbl.iter
    (fun v vb -> if Cil_datatype.Varinfo.Set.mem vb !ignore_vars then
      Cil_datatype.Varinfo.Hashtbl.remove cursor_to_base v) cursor_to_base;
  Cil_datatype.Varinfo.Hashtbl.iter
    (fun v vb -> if Cil_datatype.Varinfo.Set.mem vb !ignore_vars then
      Cil_datatype.Varinfo.Hashtbl.remove formal_to_base v) formal_to_base;

  (* Rewrite cursor variables as offsets from their base variable *)
  let visitor =
    new rewriteCursorPointers
      cursor_to_base formal_to_base !assigned_vars
  in
  visitFramacFile (visit_and_push_statements_visitor visitor) file


(*****************************************************************************)
(* Rewrite cursor integers into offsets from base integers.                  *)
(*****************************************************************************)

(* Recognize the sum of an integer variable and an integer offset *)
let rec destruct_integer e = match e.enode with
  | Lval(Var v,NoOffset) -> Some(v,None)
  | BinOp((PlusA | MinusA as op),e1,e2,_) ->
      begin match destruct_integer e1 with
	| None -> None
	| Some(v,None) ->
	    begin match op with
	      | PlusA -> Some(v,Some e2)
	      | MinusA ->
                  Some(v,
                       Some(new_exp ~loc:e.eloc
                              (UnOp(Neg,e2,almost_integer_type))))
	      | _ -> assert false
	    end
	| Some(v,Some off) ->
	    begin match op with
	      | PlusA ->
                  Some(v,
                       Some(new_exp ~loc:e.eloc
                              (BinOp(PlusA,off,e2,almost_integer_type))))
	      | MinusA ->
                  Some(v,
                       Some(new_exp ~loc:e.eloc
                              (BinOp(MinusA,off,e2,almost_integer_type))))
	      | _ -> assert false
	    end
      end
  | CastE(ty,e) ->
      let ety = typeOf e in
      if isIntegralType ty && isIntegralType ety then
	destruct_integer e
      else None
  | _ -> None

class collectCursorIntegers
  (cursor_to_base : varinfo Cil_datatype.Varinfo.Hashtbl.t) (* local variable to base *)
  (assigned_vars : Cil_datatype.Varinfo.Set.t ref) (* variable is assigned (for formals) *)
  (ignore_vars : Cil_datatype.Varinfo.Set.t ref) (* ignore info on these variables *) =

  let candidate_var v =
    not v.vglob && (isIntegralType v.vtype && not v.vaddrof)
  in
  (* Variable should not be translated as base or cursor *)
  let add_ignore_vars v =
    if not (Cil_datatype.Varinfo.Set.mem v !ignore_vars) then
      begin
	ignore_vars := Cil_datatype.Varinfo.Set.add v !ignore_vars; signal_change ()
      end
  in
  (* Variable [v] used as cursor on base [vb] *)
  let add_cursor_to_base v vb =
    try
      let vb2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
      if not (Cil_datatype.Varinfo.equal vb vb2) then add_ignore_vars v
    with Not_found ->
      Cil_datatype.Varinfo.Hashtbl.add cursor_to_base v vb; signal_change ()
  in
  (* Variable [v] assigned *)
  let add_assigned_vars v =
    if not (Cil_datatype.Varinfo.Set.mem v !assigned_vars) then
      begin
	assigned_vars := Cil_datatype.Varinfo.Set.add v !assigned_vars; signal_change ()
      end
  in
object

  inherit Visitor.frama_c_inplace

  method! vfunc f =
    (* For simplicity, consider formals as self-cursors initially.
     * This is the way we declare bases (in the image of [cursor_to_base]).
     *)
    let formal v =
      if candidate_var v then add_cursor_to_base v v
    in
    List.iter formal f.sformals;
    DoChildren

  method! vinst = function
    | Set((Var v,NoOffset),e,_loc) ->
	if candidate_var v then
	  begin
	    add_assigned_vars v;
	    match destruct_integer e with
	      | None -> add_ignore_vars v
	      | Some(v2,_offset) ->
		  if Cil_datatype.Varinfo.Set.mem v2 !ignore_vars then add_ignore_vars v
		  else try
		    let vb2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v2 in
		    try
		      let vb = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
		      if not (Cil_datatype.Varinfo.equal vb vb2) then
			add_ignore_vars v
		    with Not_found -> add_cursor_to_base v vb2
		  with Not_found -> add_ignore_vars v
	  end;
	SkipChildren
    | Set _ -> SkipChildren
    | Call(Some(Var v,NoOffset),_f,_args,_loc) ->
	if candidate_var v then
	  begin
	    add_assigned_vars v; add_ignore_vars v
	  end;
	SkipChildren
    | Call _ -> SkipChildren
    | Asm _ | Skip _ -> SkipChildren
    | Code_annot _ -> assert false

end

class rewriteCursorIntegers
  (cursor_to_base : varinfo Cil_datatype.Varinfo.Hashtbl.t)
  (assigned_vars : Cil_datatype.Varinfo.Set.t) =

  (* Correspondance between cursor variables and offset variables *)
  let cursor_to_offset : varinfo Cil_datatype.Varinfo.Hashtbl.t = Cil_datatype.Varinfo.Hashtbl.create 0 in

  let postaction_expr e = match e.enode with
    | Lval(Var v,NoOffset) ->
	begin try
	  let vb = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
	  let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	  new_exp ~loc:e.eloc
            (BinOp(PlusA,
                   new_exp ~loc:e.eloc (Lval(Var vb,NoOffset)),
                   new_exp ~loc:e.eloc (Lval(Var voff,NoOffset)),
                   v.vtype))
	with Not_found -> e end
    | _ -> e
  in
  let postaction_term t = match t.term_node with
    | TLval(TVar { lv_origin = Some v },TNoOffset) ->
	begin try
	  let vb = Cil_datatype.Varinfo.Hashtbl.find cursor_to_base v in
	  let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	  let vt1 = term_of_var vb in
	  let vt2 = term_of_var voff in
	  let addt =
	    mkterm (TBinOp(PlusA,vt1,vt2)) Linteger t.term_loc
	  in
	  mkterm (TCastE(v.vtype,addt)) t.term_type t.term_loc
	with Not_found -> t end
    | _ -> t
  in
object

  inherit Visitor.frama_c_inplace

  method! vfunc f =
    let local v =
      if Cil_datatype.Varinfo.Hashtbl.mem cursor_to_base v then
	let name = unique_name ("__jc_off_" ^ v.vname) in
	let voff = makeLocalVar f ~insert:true name almost_integer_type in
	Cil_datatype.Varinfo.Hashtbl.add cursor_to_offset v voff
    in
    let formal v =
      if Cil_datatype.Varinfo.Hashtbl.mem cursor_to_base v
	&& Cil_datatype.Varinfo.Set.mem v assigned_vars then
	  (* Formal is assigned and still a self-base, an offset is needed *)
	  begin
	  local v; (* Create an offset variable for this formal *)
	  let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	  let initst =
	    mkStmt(Instr(Set((Var voff,NoOffset),
			     constant_expr Integer.zero,
			     CurrentLoc.get ())))
	  in
	  add_pending_statement ~beginning:true initst
	  end
      else ()
    in
    List.iter formal f.sformals;
    List.iter local f.slocals;
    DoChildren

  method! vinst = function
    | Set((Var v,NoOffset),e,loc) ->
	begin try
	  let voff = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v in
	  (* At this point, [e] must be an integer whose destruction through
	   * [destruct_integer] does not return None.
	   *)
	  let eoff = match destruct_integer e with
	    | None -> assert false
	    | Some(v2,Some e) ->
		begin try
		  let voff2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v2 in
		  new_exp ~loc:e.eloc
                    (BinOp(PlusA,
                           new_exp ~loc:e.eloc (Lval(Var voff2,NoOffset)),
                           e,
                           almost_integer_type))
		with Not_found -> e end
	    | Some(v2,None) ->
		begin try
		  let voff2 = Cil_datatype.Varinfo.Hashtbl.find cursor_to_offset v2 in
		  new_exp ~loc (Lval(Var voff2,NoOffset))
		with Not_found -> constant_expr Integer.zero end
	  in
	  ChangeDoChildrenPost
	    ([Set((Var voff,NoOffset),eoff,loc)], fun x -> x)
	with Not_found -> DoChildren end
    | _ -> DoChildren

  method! vexpr e =
    ChangeDoChildrenPost (e,postaction_expr)

  method! vterm t =
    ChangeDoChildrenPost (t,postaction_term)

  method! vspec _sp =
    (* Do not modify the function contract, where offset variables
     * are not known *)
    SkipChildren

end

let rewrite_cursor_integers file =
  (* Variables to communicate between the collecting visitor and
   * the rewriting one. *)
  let cursor_to_base = Cil_datatype.Varinfo.Hashtbl.create 0 in
  let assigned_vars = ref Cil_datatype.Varinfo.Set.empty in
  let ignore_vars = ref Cil_datatype.Varinfo.Set.empty in

  (* Collect the cursor variables and their base *)
  let visitor =
    new collectCursorIntegers
      cursor_to_base assigned_vars ignore_vars
  in
  visit_until_convergence visitor file;

  (* Normalize the information *)
  Cil_datatype.Varinfo.Set.iter
    (fun v -> Cil_datatype.Varinfo.Hashtbl.remove cursor_to_base v) !ignore_vars;
  Cil_datatype.Varinfo.Hashtbl.iter
    (fun v vb -> if Cil_datatype.Varinfo.Set.mem vb !ignore_vars then
      Cil_datatype.Varinfo.Hashtbl.remove cursor_to_base v) cursor_to_base;

  (* Rewrite cursor variables as offsets from their base variable *)
  let visitor =
    new rewriteCursorIntegers cursor_to_base !assigned_vars
  in
  visitFramacFile (visit_and_push_statements_visitor visitor) file


(*****************************************************************************)
(* Annotate code with strlen.                                                *)
(*****************************************************************************)

(* All annotations are added as hints, by no means they should be trusted
   blindly, but they can be used if they are also proved *)

class annotateCodeStrlen(strlen : logic_info) =

  (* Store correspondance from temporaries to the corresponding string access *)

  let temps = Cil_datatype.Varinfo.Hashtbl.create 17 in

  (* Recognize access or test of string *)

  (* TODO: extend applicability of [destruct_string_access]. *)
  let lval_destruct_string_access ~through_tmp = function
    | Mem e, NoOffset when isCharPtrType(typeOf e) ->
	begin match destruct_pointer e with
	  | None -> None
	  | Some(v,Some off) -> Some(v,off)
	  | Some(v,None) -> Some(v,constant_expr Integer.zero)
	end
    | Var v, off ->
	if isCharPtrType v.vtype then
	  match off with
	    | Index(i,NoOffset) -> Some (v,i)
	    | NoOffset
	    | Index _
	    | Field _ -> None
	else if isCharArrayType v.vtype then
	  match off with
	    | Index(i,NoOffset) -> Some (v,i)
	    | NoOffset
	    | Index _
	    | Field _ -> None
	else if through_tmp then
	  try Some(Cil_datatype.Varinfo.Hashtbl.find temps v) with Not_found -> None
	else None
    | _ -> None
  in
  let rec destruct_string_access ?(through_tmp=false) ?(through_cast=false) e =
    match e.enode with
      | Lval lv -> lval_destruct_string_access ~through_tmp lv
      | CastE(_,e) ->
	  if through_cast then
	    destruct_string_access ~through_tmp ~through_cast e
	  else None
      | _ -> None
  in
  let destruct_string_test ?(neg=false) e =
    let rec aux ~neg e = match e.enode with
      | UnOp(LNot,e,_) -> aux ~neg:(not neg) e
      | BinOp(Ne,e1,e2,_) when is_null_expr e2 -> aux ~neg e1
      | BinOp(Ne,e2,e1,_) when is_null_expr e2 -> aux ~neg e1
      | BinOp(Eq,e1,e2,_) when is_null_expr e2 -> aux ~neg:(not neg) e1
      | BinOp(Eq,e2,e1,_) when is_null_expr e2 -> aux ~neg:(not neg) e1
      | _ ->
	  match
            destruct_string_access ~through_tmp:true ~through_cast:true e
	  with
	    | Some(v,off) -> Some(neg,v,off)
	    | None -> None
    in match e.enode with
      | BinOp(Eq,e1,e2,_) when is_non_null_expr e2 -> false, aux ~neg e1
      | BinOp(Eq,e2,e1,_) when is_non_null_expr e2 -> false, aux ~neg e1
      | _ -> true, aux ~neg e
  in

  (* Generate appropriate assertion *)

  let strlen_type =
    match strlen.l_type with Some t -> t | None -> assert false
  in

  let within_bounds ~strict v off =
    let rel1 =
      Logic_const.new_predicate (Logic_const.prel (Rle,lzero(),off))
    in
    let tv = term_of_var v in
    let app2 = mkterm (Tapp(strlen,[],[tv])) strlen_type  v.vdecl in
    let op = if strict then Rlt else Rle in
    let rel2 =
      Logic_const.new_predicate (Logic_const.prel (op,off,app2))
    in
    let app =
      Logic_const.new_predicate
	(Logic_const.pand (Logic_const.pred_of_id_pred rel1,
			   Logic_const.pred_of_id_pred rel2))
    in
    Logic_const.pred_of_id_pred
      { app with ip_name = [ name_of_hint_assertion ] }
  in
  let reach_upper_bound ~loose v off =
    let tv = term_of_var v in
    let app = mkterm (Tapp(strlen,[],[tv])) strlen_type v.vdecl in
    let op = if loose then Rle else Req in
    let rel =
      Logic_const.new_predicate (Logic_const.prel (op,app,off))
    in
    Logic_const.pred_of_id_pred
      { rel with ip_name = [ name_of_hint_assertion ] }
  in
object(self)

  inherit Visitor.frama_c_inplace

  method! vexpr e =
    begin match destruct_string_access e with None -> () | Some(v,off) ->
      if hasAttribute name_of_string_declspec (typeAttrs v.vtype) then
	(* A string should be accessed within its bounds *)
	let off = Common.force_exp_to_term off in
	let app = within_bounds ~strict:false v off in
	let cur_stmt = the self#current_stmt in
        let kf = the self#current_kf in
	Annotations.add_assert Common.jessie_emitter ~kf cur_stmt app
    end;
    DoChildren

  method! vstmt_aux s =
    let preaction s = match s.skind with
      | If(e,tbl,fbl,_loc) ->
	  begin match destruct_string_test e with _,None -> ()
	    | test_to_null,Some(neg,v,off) ->
		if hasAttribute name_of_string_declspec (typeAttrs v.vtype)
		then
		  (* A string should be tested within its bounds, and
		     depending on the result, the offset is either before
		     or equal to the length of the string *)
		  let off = Common.force_exp_to_term off in
		  let rel1 = within_bounds ~strict:true v off in
		  let supst = mkStmt(Instr(Skip(CurrentLoc.get()))) in
                  let kf = the self#current_kf in
		  Annotations.add_assert Common.jessie_emitter ~kf supst rel1;
		  let rel2 = reach_upper_bound ~loose:false v off in
		  let eqst = mkStmt(Instr(Skip(CurrentLoc.get()))) in
		  Annotations.add_assert Common.jessie_emitter ~kf eqst rel2;

		  (* Rather add skip statement as blocks may be empty *)
		  if neg then
		    begin
		      fbl.bstmts <- supst :: fbl.bstmts;
		      if test_to_null then tbl.bstmts <- eqst :: tbl.bstmts
		    end
		  else
		    begin
		      tbl.bstmts <- supst :: tbl.bstmts;
		      if test_to_null then fbl.bstmts <- eqst :: fbl.bstmts
		    end
	  end; s
      | Instr(Set(lv,e,loc)) when is_null_expr e ->
	  if Jessie_options.HintLevel.get () > 1 then
	    match lval_destruct_string_access ~through_tmp:true lv with
	      | None -> ()
	      | Some(v,off) ->
		  let off = Common.force_exp_to_term off in
		  (* Help ATP with proving the bound on [strlen(v)] by
		     asserting the obvious equality *)
		  let lv' = Common.force_lval_to_term_lval lv in
		  let e' = Common.force_exp_to_term e in
		  let lvt = mkterm (TLval lv') strlen_type loc in
		  let rel =
		    Logic_const.new_predicate (Logic_const.prel (Req,lvt,e'))
		  in
		  let prel =
		    Logic_const.pred_of_id_pred
		      { rel with ip_name = [ name_of_hint_assertion ] }
		  in
                  let kf = the self#current_kf in
		  Annotations.add_assert Common.jessie_emitter ~kf s prel;
		  (* If setting a character to zero in a buffer, this should
		     be the new length of a string *)
		  let rel = reach_upper_bound ~loose:true v off in
		  Annotations.add_assert Common.jessie_emitter ~kf s rel
	  else ();
	  s
      | Instr(Set((Var v1,NoOffset),e,_loc)) ->
	  begin match
	    destruct_string_access ~through_tmp:true ~through_cast:true e
	  with
	    | None -> ()
	    | Some(v2,off) -> Cil_datatype.Varinfo.Hashtbl.add temps v1 (v2,off)
	  end; s
      | _ -> s
    in
    ChangeDoChildrenPost(preaction s,fun x -> x)

 end

let annotate_code_strlen file =
  try
    let strlen =
      match Logic_env.find_all_logic_functions name_of_strlen with
	| [i] -> i
	| _  -> assert false
    in
    let visitor = new annotateCodeStrlen strlen in
    visitFramacFile visitor file
  with Not_found -> assert false


(*****************************************************************************)
(* Annotate code with overflow checks.                                       *)
(*****************************************************************************)

class annotateOverflow =
object(self)

  inherit Visitor.frama_c_inplace

  method! vexpr e =
    match e.enode with
    | BinOp((Shiftlt | Shiftrt as op),e1,e2,_ty) ->
        let kf = the self#current_kf in
	let cur_stmt = the self#current_stmt in
	let is_left_shift = match op with Shiftlt -> true | _ -> false in
	let ty1 = typeOf e1 in
	(* Ideally, should strip only casts introduced by the compiler, not
	 * user casts. Since this information is not available, be
	 * conservative here.
	 *)
	let e1' = stripCastsButLastInfo e1 in
	let e2' = stripCastsButLastInfo e2 in
	(* Check that signed shift has a positive right operand *)
	if isSignedInteger ty1 then
	  begin match possible_value_of_integral_expr e2' with
	    | Some i when Integer.ge i Integer.zero -> ()
	    | _ ->
		let check =
                  new_exp ~loc:e.eloc (BinOp(Ge,e2',
                                             constant_expr Integer.zero,
                                             intType))
                in
		let check = Common.force_exp_to_predicate check in
		Annotations.add_assert Common.jessie_emitter ~kf cur_stmt check
	  end
	else ();
	(* Check that shift has not too big a right operand. *)
	let max_right = Integer.of_int (integral_type_size_in_bits ty1) in
	begin match possible_value_of_integral_expr e2' with
	  | Some i when Integer.lt i max_right -> ()
	  | _ ->
	      let max_right = constant_expr max_right in
	      let check =
                new_exp ~loc:e.eloc (BinOp(Lt,e2',max_right,intType)) in
	      let check = Common.force_exp_to_predicate check
	      in
	      Annotations.add_assert Common.jessie_emitter ~kf cur_stmt check
	end;
	(* Check that signed left shift has a positive left operand *)
	if is_left_shift && isSignedInteger ty1 then
	  begin match possible_value_of_integral_expr e1' with
	    | Some i when Integer.ge i Integer.zero -> ()
	    | _ ->
		let check =
                  new_exp ~loc:e.eloc
                    (BinOp(Ge,e1',constant_expr Integer.zero,intType)) in
		let check = Common.force_exp_to_predicate check
		in
		Annotations.add_assert Common.jessie_emitter ~kf cur_stmt check
	  end
	else ();
	(* Check that signed left shift has not a left operand that is bigger
	 * than the maximal value for the type right shifted by its right
	 * operand.
	 *)
	if is_left_shift && isSignedInteger ty1 then
	  let max_int = max_value_of_integral_type ty1 in
	  begin match possible_value_of_integral_expr e2' with
	    | Some i when Integer.ge i Integer.zero &&
                Integer.lt i (Integer.of_int 64) ->
		let max_left = constant_expr (Integer.shift_right max_int i)
                in
		let check =
                  new_exp ~loc:e.eloc (BinOp(Le,e1',max_left,intType))
                in
		let check = Common.force_exp_to_predicate check in
		Annotations.add_assert Common.jessie_emitter ~kf cur_stmt check
	    | _ ->
		let max_int = constant_expr max_int in
		let max_left =
                  new_exp ~loc:e.eloc (BinOp(Shiftrt,max_int,e2',intType))
                in
		let check = new_exp ~loc:e.eloc
                  (BinOp(Le,e1',max_left,intType))
                in
		let check = Common.force_exp_to_predicate check in
		Annotations.add_assert Common.jessie_emitter ~kf cur_stmt check
	  end
	else ();
	DoChildren
    | _ -> DoChildren

end

let annotate_overflow file =
  let visitor = new annotateOverflow in
  visitFramacFile visitor file


(*****************************************************************************)
(* Rewrite type void* into char*.                                            *)
(*****************************************************************************)

class rewriteVoidPointer =
object

  inherit Visitor.frama_c_inplace

  method! vtype ty =
    if isVoidPtrType ty then
      let attr = typeAttr ty in
      ChangeTo (typeAddAttributes attr charPtrType)
(*
    else if isCharType ty then
      (* Yannick: All (un)signed chars changed into char for now ...
	 Claude: why ????
      *)
      let attr = typeAttr ty in
      ChangeTo (typeAddAttributes attr charType)
*)
    else DoChildren

end

class debugVoid =
object
  inherit Visitor.frama_c_inplace
  method! vterm ts = match ts.term_node with
    | TLval(TResult _,_) -> DoChildren
    | _ ->
	assert (not (app_term_type isVoidPtrType false ts.term_type));
	DoChildren
end

let rewrite_void_pointer file =
  let visitor = new rewriteVoidPointer in
  visitFramacFile visitor file

(* Jessie/Why has trouble with Pre labels inside function contracts. *)
class rewritePreOld : Visitor.frama_c_visitor =
object(self)
  inherit Visitor.frama_c_inplace
  val mutable rep_lab = Logic_const.pre_label
    method! vbehavior b =
      rep_lab <- Logic_const.here_label;
      let requires =
        Visitor.visitFramacPredicates
          (self:>Visitor.frama_c_visitor) b.b_requires
      in
      let assumes =
        Visitor.visitFramacPredicates
          (self:>Visitor.frama_c_visitor) b.b_assumes
      in
      let allocation =
        match b.b_allocation with
          | FreeAllocAny -> FreeAllocAny
          | FreeAlloc(free,alloc) ->
              rep_lab <- Logic_const.here_label;
              let free =
                List.map
                  (Visitor.visitFramacIdTerm
                     (self:>Visitor.frama_c_visitor))
                  free
              in
              rep_lab <- Logic_const.old_label;
              let alloc =
                List.map
                  (Visitor.visitFramacIdTerm
                     (self:>Visitor.frama_c_visitor))
                  alloc
              in
              FreeAlloc(free,alloc)
      in
      (* VP: 2012-09-20: signature of Cil.mk_behavior is utterly broken.
         We'll have to live with that for Oxygen, but this will change as
         soon as possible. *)
      let allocation = Some allocation in
      rep_lab <- Logic_const.old_label;
      let assigns =
        Visitor.visitFramacAssigns
          (self:>Visitor.frama_c_visitor) b.b_assigns
      in
      let post_cond =
        Cil.mapNoCopy
          (fun (k,p as e) ->
            let p' =
              Visitor.visitFramacIdPredicate
                (self:>Visitor.frama_c_visitor) p
            in
            if p != p' then (k,p') else e)
          b.b_post_cond
      in
      rep_lab <- Logic_const.pre_label;
      let name = b.b_name in
      let b = Cil.mk_behavior
        ~name ~requires ~assumes ~assigns ~allocation ~post_cond () in
      ChangeTo b

  method! vlogic_label l =
    if Cil_datatype.Logic_label.equal l Logic_const.pre_label
       && self#current_kinstr = Kglobal (* Do not rewrite Pre in stmt annot. *)
    then
      ChangeTo rep_lab
    else
      if Cil_datatype.Logic_label.equal l Logic_const.post_label
      then
        ChangeTo Logic_const.here_label
      else
        DoChildren
end

let rewrite_pre_old file =
  let visitor = new rewritePreOld in
  visitFramacFile visitor file

class remove_unsupported: Visitor.frama_c_visitor =
object
  inherit Visitor.frama_c_inplace
  method! vpredicate =
    function
      | Pseparated _ ->
          Jessie_options.warning ~once:true
            "\\separated is not supported by Jessie. This predicate will be \
             ignored";
          ChangeTo Ptrue
      | _ -> DoChildren
end

let remove_unsupported file =
  let visitor = new remove_unsupported in
  visitFramacFile visitor file

(*****************************************************************************)
(* Rewrite comprehensions into ranges (and back)                             *)
(*****************************************************************************)

let rec add_range vi t1opt t2opt = ranges := (vi,t1opt,t2opt) :: !ranges
and no_range_offset = function
TNoOffset -> true
  | TField(_,offs) | TModel(_,offs) -> no_range_offset offs
  | TIndex({term_type = Ltype ({ lt_name = "set"},[_])},_) -> false
  | TIndex(_,offs) -> no_range_offset offs
and make_comprehension ts =
  let ts = match ts.term_node with
      TLval(ts',offs) when no_range_offset offs ->
        (match ts' with
        | TMem { term_type = Ltype ({lt_name = "set"},[_])} -> ts
        | TMem _ | TVar _ | TResult _ ->
          { ts with term_type = Logic_const.type_of_element ts.term_type}
        )
    | _ -> ts
  in
  let loc = ts.term_loc in
  let ts =
    List.fold_left
      (fun ts (v,t1opt,t2opt) ->
         let vt = variable_term loc v in
         let popt = match t1opt,t2opt with
           | None,None -> None
           | Some t1,None -> Some(predicate t1.term_loc (Prel(Rle,t1,vt)))
           | None,Some t2 -> Some(predicate t2.term_loc (Prel(Rle,vt,t2)))
           | Some t1,Some t2 ->
               let p1 = predicate t1.term_loc (Prel(Rle,t1,vt)) in
               let p2 = predicate t2.term_loc (Prel(Rle,vt,t2)) in
               let loc = (fst t1.term_loc, snd t2.term_loc) in
               Some(predicate loc (Pand(p1,p2)))
         in
         (* NB: no need to update the type, as it is already
            a set of terms (for well-formed terms at least) *)
         { ts with term_node = Tcomprehension(ts,[v],popt) }
      ) ts !ranges
  in
  ranges := [];
  ts
and ranges = ref []


class fromRangeToComprehension behavior = object

  inherit Visitor.generic_frama_c_visitor behavior

  method! vterm ts = match ts.term_type with
    | Ltype ({ lt_name = "set"},[_]) ->
      ChangeDoChildrenPost(ts, make_comprehension)
    | _ -> DoChildren

  method! vterm_offset tsoff = match tsoff with
    | TIndex ({ term_node =Trange(t1opt,t2opt)} as t,tsoff') ->
        let v = make_temp_logic_var Linteger in
        add_range v t1opt t2opt;
        let vt = variable_term t.term_loc v in
        ChangeDoChildrenPost (TIndex(vt,tsoff'), fun x -> x)
    | TNoOffset | TIndex _ | TField _ | TModel _ -> DoChildren

end

let from_range_to_comprehension behavior file =
  let visitor = new fromRangeToComprehension behavior in
  Visitor.visitFramacFile visitor file

let range_to_comprehension t =
  let visitor =
    new fromRangeToComprehension (Cil.copy_visit (Project.current ()))
  in
  Visitor.visitFramacTerm visitor t


class fromComprehensionToRange behavior =
  let ranges = Logic_var.Hashtbl.create 17 in
  let add_range vi t1opt t2opt =
    Logic_var.Hashtbl.add ranges vi (t1opt,t2opt)
  in
  let index_variables_of_term ts =
    let vars = ref Logic_var.Set.empty in
    ignore
      (visitCilTerm
         (object
           inherit nopCilVisitor
           method! vterm = function
           | { term_node =
               TBinOp(PlusPI,_ts,{term_node=TLval(TVar v,TNoOffset)})} ->
             vars := Logic_var.Set.add v !vars;
             DoChildren
           | _ -> DoChildren
           method! vterm_offset = function
           | TIndex({term_node=TLval(TVar v,TNoOffset)},_tsoff) ->
             vars := Logic_var.Set.add v !vars;
             DoChildren
           | _ -> DoChildren
          end)
        ts);
    !vars
  in
  let bounds_of_variable v popt =
    let error () =
      Kernel.fatal "Cannot identify bounds for variable %s" v.lv_name
    in
    let rec bounds p =
      match p.content with
      | Prel(Rle, {term_node = TLval(TVar v',TNoOffset)}, t)
          when Logic_var.equal v v' ->
        None, Some t
      | Prel(Rle, t, {term_node = TLval(TVar v',TNoOffset)})
          when Logic_var.equal v v' ->
        Some t, None
      | Pand(p1,p2) ->
        begin match bounds p1, bounds p2 with
        | (Some t1, None),(None, Some t2) | (None, Some t2),(Some t1, None) ->
          Some t1, Some t2
        | _ -> error ()
        end
      | _ -> error ()
    in
    match popt with None -> None, None | Some p -> bounds p
  in
object(self)

  inherit Visitor.generic_frama_c_visitor behavior

  val mutable has_set_type = false

  method private propagate_set_type t =
    if has_set_type then
      { t with term_type = Logic_const.make_set_type t.term_type }
    else t

  method! vterm t = match t.term_node with
    | Tcomprehension(ts,[v],popt) ->
        let index_vars = index_variables_of_term ts in
        (* Only accept for now comprehension on index variables *)
        if Logic_var.Set.mem v index_vars then begin
          let t1opt,t2opt = bounds_of_variable v popt in
          add_range v t1opt t2opt;
          has_set_type <- false;
          ChangeTo (visitCilTerm (self :> cilVisitor) ts)
        end else begin
          has_set_type <- false;
          DoChildren
        end
    | TBinOp(PlusPI,base,{term_node=TLval(TVar v,TNoOffset)}) ->
          begin try
            let low,high = Logic_var.Hashtbl.find ranges v in
            let range = Logic_const.trange (low,high) in
            let res =
            { t with
                term_node = TBinOp(PlusPI,base,range);
                term_type = Logic_const.make_set_type t.term_type }
            in
            ChangeDoChildrenPost (res, fun x -> has_set_type <- true; x)
          with Not_found -> DoChildren end

    | TBinOp(bop,t1,t2) ->
        has_set_type <- false;
        let t1' = visitCilTerm (self:>Cil.cilVisitor) t1 in
        let has_set_type1 = has_set_type in
        let t2' = visitCilTerm (self:>Cil.cilVisitor) t2 in
        has_set_type <- has_set_type || has_set_type1;
        if t1 != t1' || t2 != t2' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = TBinOp(bop,t1',t2')})
        else SkipChildren
    | Tapp(f,prms,args) ->
        has_set_type <- false;
        let visit t =
          let has_set_type1 = has_set_type in
          let res = visitCilTerm (self:>cilVisitor) t in
          has_set_type <- has_set_type || has_set_type1; res
        in
        let args' = mapNoCopy visit args in
        if args != args' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = Tapp(f,prms,args') })
        else SkipChildren
     | TDataCons(c,args) ->
        has_set_type <- false;
        let visit t =
          let has_set_type1 = has_set_type in
          let res = visitCilTerm (self:>cilVisitor) t in
          has_set_type <- has_set_type || has_set_type1; res
        in
        let args' = mapNoCopy visit args in
        if args != args' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = TDataCons(c,args') })
        else SkipChildren
     | Tif (t1,t2,t3) ->
        has_set_type <- false;
        let t1' = visitCilTerm (self:>Cil.cilVisitor) t1 in
        let has_set_type1 = has_set_type in
        let t2' = visitCilTerm (self:>Cil.cilVisitor) t2 in
        let has_set_type1 = has_set_type || has_set_type1 in
        let t3' = visitCilTerm (self:>Cil.cilVisitor) t3 in
        has_set_type <- has_set_type || has_set_type1;
        if t1 != t1' || t2 != t2' || t3!=t3' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = Tif(t1',t2',t3')})
        else SkipChildren
     | TCoerceE(t1,t2) ->
        has_set_type <- false;
        let t1' = visitCilTerm (self:>Cil.cilVisitor) t1 in
        let has_set_type1 = has_set_type in
        let t2' = visitCilTerm (self:>Cil.cilVisitor) t2 in
        has_set_type <- has_set_type || has_set_type1;
        if t1 != t1' || t2 != t2' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = TCoerceE(t1',t2')})
        else SkipChildren
     | Tunion l ->
       has_set_type <- false;
        let visit t =
          let has_set_type1 = has_set_type in
          let res = visitCilTerm (self:>cilVisitor) t in
          has_set_type <- has_set_type || has_set_type1; res
        in
        let l' = mapNoCopy visit l in
        if l != l' || has_set_type then
          ChangeTo
             (self#propagate_set_type { t with term_node = Tunion l' })
        else SkipChildren
     | Tinter l ->
       has_set_type <- false;
        let visit t =
          let has_set_type1 = has_set_type in
          let res = visitCilTerm (self:>cilVisitor) t in
          has_set_type <- has_set_type || has_set_type1; res
        in
        let l' = mapNoCopy visit l in
        if l != l' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = Tinter l' })
        else SkipChildren
     | Trange(t1,t2) ->
        has_set_type <- false;
        let t1' = optMapNoCopy (visitCilTerm (self:>Cil.cilVisitor)) t1 in
        let has_set_type1 = has_set_type in
        let t2' = optMapNoCopy (visitCilTerm (self:>Cil.cilVisitor)) t2 in
        has_set_type <- has_set_type || has_set_type1;
        if t1 != t1' || t2 != t2' || has_set_type then
          ChangeTo
            (self#propagate_set_type { t with term_node = Trange(t1',t2')})
        else SkipChildren
     | _ ->
         has_set_type <- false;
         ChangeDoChildrenPost (t,self#propagate_set_type)

  method! vterm_lval (lh,lo) =
    let lh' = visitCilTermLhost (self:>Cil.cilVisitor) lh in
    let has_set_type1 = has_set_type in
    let lo' = visitCilTermOffset (self :> Cil.cilVisitor) lo in
    has_set_type <- has_set_type || has_set_type1;
    if lh' != lh || lo' != lo then ChangeTo (lh',lo') else SkipChildren

  method! vterm_lhost = function
    | TVar v ->
        if Logic_var.Hashtbl.mem ranges v then begin
          Format.eprintf "vterm_lhost: Found: v = %s@." v.lv_name;
          assert false
        end;
        DoChildren
    | _ -> DoChildren

  method! vterm_offset off =
    match off with
      | TIndex({term_node=TLval(TVar v,TNoOffset)} as idx,off') ->
          begin try
            let t1opt,t2opt = Logic_var.Hashtbl.find ranges v in
            let trange = Trange(t1opt,t2opt) in
            let toff =
              TIndex
                ({ idx with
                  term_node = trange;
                  term_type = Logic_const.make_set_type idx.term_type },
                 off')
            in
            ChangeDoChildrenPost (toff, fun x -> x)
          with Not_found ->
            DoChildren end
      | TIndex _ | TNoOffset | TField _ | TModel _ ->
          DoChildren

end

let from_comprehension_to_range behavior file =
  let visitor = new fromComprehensionToRange behavior in
  Visitor.visitFramacFile visitor file


(*****************************************************************************)
(* Rewrite the C file for Jessie translation.                                *)
(*****************************************************************************)

let rewrite file =
  if checking then check_types file;
  (* adds a behavior named [name_of_default_behavior] to all functions if
     it does not already exist.
   *)
  Jessie_options.debug "Adding default behavior to all functions";
  add_default_behavior ();
  if checking then check_types file;
  (* Rename entities to avoid conflicts with Jessie predefined names.
     Should be performed before any call to [Cil.cvar_to_lvar] destroys
     sharing among logic variables.
  *)
  Jessie_options.debug "Rename entities";
  rename_entities file;
  if checking then check_types file;
  (* Fill offset/size information in fields *)
  Jessie_options.debug "Fill offset/size information in fields";
  fill_offset_size_in_fields file;
  if checking then check_types file;
  (* Replace addrof array with startof. *)
  Jessie_options.debug "Replace addrof array with startof";
  replace_addrof_array file;
  if checking then check_types file;
  (* Replace string constants by global variables. *)
  Jessie_options.debug "Replace string constants by global variables";
  replace_string_constants file;
  if checking then check_types file;
  (* Put all global initializations in the [globinit] file. *)
  (* Replace global compound initializations by equivalent statements. *)
  Jessie_options.debug "Put all global initializations in the [globinit] file";
  gather_initialization file;
  if checking then check_types file;
  Jessie_options.debug "Use specialized versions of Frama_C_memset";
  specialize_memset file;
  if checking then check_types file;
  (* Rewrite comparison of pointers into difference of pointers. *)
  if Jessie_options.InferAnnot.get () <> "" then
    begin
      Jessie_options.debug "Rewrite comparison of pointers into difference of pointers";
      rewrite_pointer_compare file;
      if checking then check_types file
    end;
  (* Rewrite type void* and (un)signed char* into char*. *)
  Jessie_options.debug "Rewrite type void* and (un)signed char* into char*";
  rewrite_void_pointer file;
  if checking then check_types file;
  Jessie_options.debug "Rewrite Pre as Old in funspec";
  rewrite_pre_old file;
  if checking then check_types file;
  (* Rewrite cursor pointers into offsets from base pointers. *)
  (* order: after [rewrite_pointer_compare] *)
  if Jessie_options.InferAnnot.get () <> "" then
    begin
      Jessie_options.debug "Rewrite cursor pointers into offsets from base pointers";
      rewrite_cursor_pointers file;
      if checking then check_types file
    end;
  (* Rewrite cursor integers into offsets from base integers. *)
  if Jessie_options.InferAnnot.get () <> "" then
    begin
      Jessie_options.debug "Rewrite cursor integers into offsets from base integers";
      rewrite_cursor_integers file;
      if checking then check_types file
    end;
  (* Annotate code with strlen. *)
  if Jessie_options.HintLevel.get () > 0 then
    begin
      Jessie_options.debug "Annotate code with strlen";
      annotate_code_strlen file;
      if checking then check_types file
    end;
  (* Annotate code with overflow checks. *)
  Jessie_options.debug "Annotate code with overflow checks";
  annotate_overflow file;
  if checking then check_types file;
  Jessie_options.debug "Checking if there are unsupported predicates";
  remove_unsupported file;
  if checking then check_types file

(*
Local Variables:
compile-command: "make -C ."
End:
*)
why-2.34/frama-c-plugin/norm.mli0000644000175000017500000000474612311670312015110 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

val generated_union_types : unit Cil_datatype.Typ.Hashtbl.t

val model_fields : Cil_types.compinfo -> Cil_types.model_info list

(* performs similar normalization tasks as Caduceus *)
val normalize : Cil_types.file -> unit
why-2.34/frama-c-plugin/norm.ml0000644000175000017500000021373512311670312014737 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* TODO:

   - In both retyping phases that add a level of indirection to locals:
       - Retype variables of structure type
       - Retype variables and fields whose address is taken
     If the returned value dereferences a local, take the returned value in
     a temporary before deallocating memory for the local variable and
     returning. Mostly an issue of consistency: since it is a local variable
     involved, it is retyped as a reference and no check is issued for
     validity of dereference.
     See ex roux3.c from Jessie test base.
     Thanks to Pierre Roux for noting this.

*)


(* Import from Cil *)
open Cil_types
open Cil
open Ast_info
open Extlib

open Visitor

(* Utility functions *)
open Common

let label_here = LogicLabel(None,"Here")

(*****************************************************************************)
(* Retype variables of array type.                                           *)
(*****************************************************************************)

(* TODO: retype predicate \valid_index and \valid_range
 * E.g. in example array.c, "\valid_index(t,1)" for "t" being typed as
 * "int t[3][3]", should be transformed into "\valid_range(t,3,5)".
 *)
class retypeArrayVariables =

  (* Variables originally of array type *)
  let varset = ref Cil_datatype.Varinfo.Set.empty in
  let lvarset = ref Cil_datatype.Logic_var.Set.empty in

  (* Correspondance between variables and "straw" variables, that are used to
   * replace the variable after some changes have been made on the AST,
   * so that further exploration does not change it anymore. The "straw"
   * variables are replaced by regular one before returning the modified AST.
   *)
  let var_to_strawvar = Cil_datatype.Varinfo.Hashtbl.create 17 in
  let strawvar_to_var = Cil_datatype.Varinfo.Hashtbl.create 17 in
  let lvar_to_strawlvar = Cil_datatype.Logic_var.Hashtbl.create 17 in
  let strawlvar_to_lvar = Cil_datatype.Logic_var.Hashtbl.create 17 in

  (* Variables to allocate *)
  let allocvarset = ref Cil_datatype.Varinfo.Set.empty in
  let alloclvarset = ref Cil_datatype.Logic_var.Set.empty in

  (* Remember original array type even after variable modified *)
  let var_to_array_type : typ Cil_datatype.Varinfo.Hashtbl.t = Cil_datatype.Varinfo.Hashtbl.create 0 in
  let lvar_to_array_type = Cil_datatype.Logic_var.Hashtbl.create 17 in

  (* As the rule would be reentrant, do not rely on the fact it is idempotent,
   * and rather change the variable into its "straw" counterpart, as it is
   * done in [preaction_expr]. Also make sure every top expression inside
   * a left-value is an [Info], so that terms that were converted to
   * expressions before treatment can be safely converted back.
   *)
  let preaction_lval (host,off as lv) =
    match host with
      | Var v ->
          if Cil_datatype.Varinfo.Set.mem v !varset then begin
            let strawv = Cil_datatype.Varinfo.Hashtbl.find var_to_strawvar v in
            let loc = Cil_const.CurrentLoc.get() in
            let host = Mem(mkInfo(new_exp ~loc (Lval(Var strawv,NoOffset)))) in
            let off =
              lift_offset (Cil_datatype.Varinfo.Hashtbl.find var_to_array_type v) off
            in
            host, off
          end else
            lv (* For terms, also corresponds to the case for Result *)
      | Mem _ -> lv
  in

  let postaction_lval (host,off as lv) =
    match host with
      | Var strawv ->
          begin try
            let v = Cil_datatype.Varinfo.Hashtbl.find strawvar_to_var strawv in
            Var v, off
          with Not_found -> lv end
      | Mem _ -> lv
  in

  let rec preaction_expr e =
    let loc = e.eloc in
    match e.enode with
    | StartOf(Var v,off) ->
        if Cil_datatype.Varinfo.Set.mem v !varset then begin
          let ty = Cil_datatype.Varinfo.Hashtbl.find var_to_array_type v in
          let strawv = Cil_datatype.Varinfo.Hashtbl.find var_to_strawvar v in
          match lift_offset ty off with
            | NoOffset -> new_exp ~loc (Lval(Var strawv,NoOffset))
            | Index(ie,NoOffset) ->
                let ptrty = TPtr(element_type ty,[]) in
                new_exp ~loc (BinOp(PlusPI,
                               new_exp ~loc (Lval(Var strawv,NoOffset)),
                               ie,ptrty))
            | Index _ | Field _ ->
                (* Field with address taken treated separately *)
                new_exp ~loc
                  (StartOf
                     (Mem(new_exp ~loc (Lval(Var strawv,NoOffset))),off))
        end else e
    | AddrOf(Var v,off) ->
        if Cil_datatype.Varinfo.Set.mem v !varset then 
          begin
            let ty = Cil_datatype.Varinfo.Hashtbl.find var_to_array_type v in
            let strawv = Cil_datatype.Varinfo.Hashtbl.find var_to_strawvar v in
            match lift_offset ty off with
              | Index(ie,NoOffset) ->
                  let ptrty = TPtr(element_type ty,[]) in
                  new_exp ~loc
                    (BinOp(PlusPI,
                           new_exp ~loc (Lval(Var strawv,NoOffset)), ie,ptrty))
              | NoOffset -> 
                  unsupported "this instance of the address operator cannot be handled"
              | Index _ | Field _ ->
                  (* Field with address taken treated separately *)
                  new_exp ~loc
                    (AddrOf(Mem(new_exp ~loc (Lval(Var strawv,NoOffset))),off))
          end 
        else e
    | BinOp(PlusPI,e1,e2,opty) ->
        begin match (stripInfo e1).enode with
          | StartOf(Var v,off) ->
              let rec findtype ty = function
                | NoOffset -> ty
                | Index(_, roff) ->
                    findtype (direct_element_type ty) roff
                | Field _ -> raise Not_found
              in
              if Cil_datatype.Varinfo.Set.mem v !varset then
                let ty = Cil_datatype.Varinfo.Hashtbl.find var_to_array_type v in
                (* Do not replace [v] by [strawv] here, as the sub-expression
                 * [e1] should be treated first. Do it right away so that
                 * the resulting AST is well-typed, which is crucial to apply
                 * this on expressions obtained from terms.
                 *)
                let e1 = preaction_expr e1 in
                let ty = findtype ty off in
                let subty = direct_element_type ty in
                if isArrayType subty then
                  let siz = array_size subty in
                  let e2 =
                    new_exp ~loc:e2.eloc
                      (BinOp(Mult,e2,constant_expr siz,intType)) in
                  new_exp ~loc (BinOp(PlusPI,e1,e2,opty))
                else e
              else e
          | _ -> e
        end
    | _ -> e
  in
object(self)

  inherit Visitor.frama_c_inplace

  method! vvdec v =
    if isArrayType v.vtype && not (Cil_datatype.Varinfo.Set.mem v !varset) then
      begin
        assert (not v.vformal);
        Cil_datatype.Varinfo.Hashtbl.add var_to_array_type v v.vtype;
        let elemty = element_type v.vtype in
        (* Store information that variable was originally of array type *)
        varset := Cil_datatype.Varinfo.Set.add v !varset;
        (* Change the variable type *)
        let newty =
          if Integer.gt (array_size v.vtype) Integer.zero then
            begin
              (* Change the type into "reference" type, that behaves almost like
               * a pointer, except validity is ensured.
               *)
              let size = constant_expr (array_size v.vtype) in
              (* Schedule for allocation *)
              allocvarset := Cil_datatype.Varinfo.Set.add v !allocvarset;
              mkTRefArray(elemty,size,[]);
            end
          else
            (* Plain pointer type to array with zero size *)
            TPtr(v.vtype,[]);
        in
        attach_globaction (fun () -> v.vtype <- newty);
        (* Create a "straw" variable for this variable, with the correct type *)
         let strawv = makePseudoVar newty in
        Cil_datatype.Varinfo.Hashtbl.add var_to_strawvar v strawv;
        Cil_datatype.Varinfo.Hashtbl.add strawvar_to_var strawv v;
      end;
    DoChildren

  method! vlogic_var_decl lv =
    if not (Cil_datatype.Logic_var.Hashtbl.mem lvar_to_strawlvar lv) &&
      app_term_type isArrayType false lv.lv_type then
      begin
        Cil_datatype.Logic_var.Hashtbl.add lvar_to_array_type lv
          (force_app_term_type (fun x -> x) lv.lv_type);
        let elemty = force_app_term_type element_type lv.lv_type in
        lvarset := Cil_datatype.Logic_var.Set.add lv !lvarset;
        let newty =
          if Integer.gt 
            (force_app_term_type array_size lv.lv_type) 
            Integer.zero 
          then
            begin
              let size =
                constant_expr (force_app_term_type array_size lv.lv_type)
              in alloclvarset := Cil_datatype.Logic_var.Set.add lv !alloclvarset;
              mkTRefArray(elemty,size,[])
            end
          else TPtr(elemty,[])
        in attach_globaction (fun () -> lv.lv_type <- Ctype newty);
        let strawlv = match lv.lv_origin with
            None -> make_temp_logic_var (Ctype newty)
          | Some v -> cvar_to_lvar (Cil_datatype.Varinfo.Hashtbl.find var_to_strawvar v)
        in
        Cil_datatype.Logic_var.Hashtbl.add lvar_to_strawlvar lv strawlv;
        Cil_datatype.Logic_var.Hashtbl.add strawlvar_to_lvar strawlv lv
      end;
      DoChildren

  method! vglob_aux g = match g with
    | GVar(v,_init,_loc) ->
        (* Make sure variable declaration is treated before definition *)
        ignore (Cil.visitCilVarDecl (self:>Cil.cilVisitor) v);
        if Cil_datatype.Varinfo.Set.mem v !allocvarset then
          (* Allocate memory for new reference variable *)
          let ty = Cil_datatype.Varinfo.Hashtbl.find var_to_array_type v in
          let size = array_size ty in
(* Disabled: anyway, it is useless to generate code for that,
   a post-condition should be generated instead (bts0284)
          let elemty = element_type ty in
          let ast = mkalloc_array_statement v elemty (array_size ty) loc in
          attach_globinit ast;
*)
          (* Define a global validity invariant *)
          let p =
            Logic_const.pvalid_range
              ~loc:v.vdecl
              (label_here,
               variable_term v.vdecl (cvar_to_lvar v),
               constant_term v.vdecl Integer.zero,
               constant_term v.vdecl (Integer.pred size))
          in
          let globinv =
	    Cil_const.make_logic_info (unique_logic_name ("valid_" ^ v.vname)) in
          globinv.l_labels <- [ label_here ];
          globinv.l_body <- LBpred p;
          attach_globaction (fun () -> Logic_utils.add_logic_function globinv);
          ChangeTo [g;GAnnot(Dinvariant (globinv,v.vdecl),v.vdecl)]
        else DoChildren
    | GVarDecl _ | GFun _ | GAnnot _ -> DoChildren
    | GCompTag _ | GType _ | GCompTagDecl _ | GEnumTagDecl _
    | GEnumTag _ | GAsm _ | GPragma _ | GText _ -> SkipChildren

  method! vfunc f =
    (* First change type of local array variables *)
    List.iter (ignore $ Cil.visitCilVarDecl (self:>Cil.cilVisitor)) f.slocals;
    List.iter (ignore $ Cil.visitCilVarDecl (self:>Cil.cilVisitor)) f.sformals;
    (* Then allocate/deallocate memory for those that need it *)
    List.iter (fun v ->
      if Cil_datatype.Varinfo.Set.mem v !allocvarset then
        let ty = Cil_datatype.Varinfo.Hashtbl.find var_to_array_type v in
        let elemty = element_type ty in
        let ast = mkalloc_array_statement v elemty 
          (Integer.to_int64 (array_size ty)) v.vdecl 
        in
        add_pending_statement ~beginning:true ast;
        let fst = mkfree_statement v v.vdecl in
        add_pending_statement ~beginning:false fst
    ) f.slocals;
    DoChildren

  method! vlval lv =
    ChangeDoChildrenPost (preaction_lval lv, postaction_lval)

  method! vterm_lval lv =
    do_on_term_lval (Some preaction_lval, Some postaction_lval) lv

  method! vexpr e =
    ChangeDoChildrenPost (preaction_expr e, fun x -> x)

  method! vterm =
    do_on_term (Some preaction_expr, None)

end

let retype_array_variables file =
  (* Enforce the prototype of malloc to exist before visiting anything.
     It might be useful for allocation pointers from arrays
  *)
  ignore (Common.malloc_function ());
  ignore (Common.free_function ());
  let visitor = new retypeArrayVariables in
  visit_and_push_statements visit_and_update_globals visitor file


(*****************************************************************************)
(* Retype logic functions/predicates with structure parameters or return.    *)
(*****************************************************************************)

let model_fields_table = Hashtbl.create 7

let model_fields compinfo =
  (* Format.eprintf "looking in model_fields_table for %s@." compinfo.cname; *)
  try
    Hashtbl.find model_fields_table compinfo.ckey
  with Not_found -> []


(* logic parameter:
 * - change parameter type to pointer to structure
 * - change uses of parameters in logical annotations
 * TODO: take care of logic variables introduced by let.
 *)
class retypeLogicFunctions =

  let varset = ref Cil_datatype.Logic_var.Set.empty in
  let this_name : string ref = ref "" in
  let change_this_type = ref false in  (* Should "this" change? *)
  let new_result_type = ref (Ctype voidType) in
  let change_result_type = ref false in (* Should Result change? *)

  let var lv =
    match lv.lv_type with
      | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ -> ()
      | Ctype ty ->
          if isStructOrUnionType ty then
            unsupported "Jessie plugin does not support struct or union as parameter to logic functions. Please use a pointer instead."
                      (*
          if isStructOrUnionType ty then
            begin
              varset := Cil_datatype.Logic_var.Set.add lv !varset;
              lv.lv_type <- Ctype(mkTRef ty);
              match lv.lv_origin with
                | None -> ()
                | Some v ->
                    (* For some obscure reason, logic function/predicate
                     * parameters are C variables.
                     *)
                    v.vtype <- mkTRef ty
            end
                      *)
  in

  let postaction_term_lval (host,off) =
    let host = match host with
      | TVar lv ->
          (* Oddly, "this" variable in type invariant is not declared
             before use. Change its type on the fly.
          *)
          if !change_this_type && lv.lv_name = !this_name then
            var lv;
          if Cil_datatype.Logic_var.Set.mem lv !varset then
            let tlval =
              mkterm (TLval(host,TNoOffset)) lv.lv_type
                (Cil_const.CurrentLoc.get())
            in
            TMem tlval
          else host
      | TResult _ ->
          if !change_result_type then
            match !new_result_type with
                Ctype typ ->
                  let tlval = Logic_const.tresult typ in TMem tlval
              | _ -> assert false (* result type of C function
                                     must be a C type*)
          else host
      | TMem _t -> host
    in
    host, off
  in
object

  inherit Visitor.frama_c_inplace

  method! vannotation =
    let return_type ty =
      change_result_type := false;
      match ty with
        | Ctype rt when isStructOrUnionType rt ->
            begin
              change_result_type := true;
              let ty = Ctype(mkTRef rt "Norm.vannotation") in
              new_result_type := ty;
              ty
            end
        | Ctype _ | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ -> ty
    in
    let annot = function
      | Dfun_or_pred (li,loc) ->
          List.iter var li.l_profile;
          begin
            match li.l_type with
              | None -> DoChildren
              | Some rt ->
                  let li' = { li with l_type = Some (return_type rt)}  in
                  ChangeDoChildrenPost (Dfun_or_pred (li',loc), fun x -> x)
          end
      | Dtype_annot (annot,loc) ->
          begin match (List.hd annot.l_profile).lv_type with
            | Ctype ty when isStructOrUnionType ty ->
                change_this_type := true;
                this_name := (List.hd annot.l_profile).lv_name;
                let annot = { annot with
                                l_profile = [{ (List.hd annot.l_profile) with
                                                 lv_type = Ctype(mkTRef ty "Norm.annot, Dtype_annot")}];
                }
                in
                ChangeDoChildrenPost
                  (Dtype_annot (annot,loc), fun x -> change_this_type := false; x)
            | Ctype _ | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ ->
                DoChildren
          end
      | Dtype _ | Dlemma _ | Dinvariant _ | Dvolatile _  -> DoChildren
      | Daxiomatic _ -> DoChildren (* FIXME: correct ? *)
      | Dmodel_annot (mi,_) -> 
          begin
            match unrollType mi.mi_base_type with
              | TComp (ci, _, _) ->
                  begin
                    let l = 
                      try Hashtbl.find model_fields_table ci.ckey
                      with Not_found -> []
                    in
                    (* Format.eprintf "filling model_fields_table for %s@." ci.cname; *)
                    Hashtbl.replace model_fields_table ci.ckey (mi::l)
                  end
              | _ -> 
              Common.unsupported "model field only on structures"
          end;
          DoChildren (* FIXME: correct ? *)
      | Dcustom_annot _ -> DoChildren (* FIXME: correct ? *)
    in annot

  method! vterm_lval tlv =
    ChangeDoChildrenPost (tlv, postaction_term_lval)

  method! vterm t =
    let preaction_term t =
      match t.term_node with
        | Tapp(callee,labels,args) ->
            let args = List.map (fun arg ->
              (* Type of [arg] has not been changed. *)
              match arg.term_type with
                | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ -> arg
                | Ctype ty ->
                    if isStructOrUnionType ty then
                      match arg.term_node with
                        | TLval lv ->
                            (* Arguments translated under address here may
                             * be translated back to dereference when treating
                             * left-values. This is why we add a normalization
                             * in [postaction_term]. *)
                            {
                              arg with
                                term_node = TAddrOf lv;
                                term_type = Ctype(mkTRef ty "Norm.vterm");
                            }
                        | _ -> assert false (* Should not be possible *)
                    else arg
            ) args in
            { t with term_node = Tapp(callee,labels,args); }
        | _ -> t
    in
    (* Renormalize the term tree. *)
    let postaction_term t =
      match t.term_node with
        | TAddrOf(TMem t,TNoOffset) -> t
        | _ -> t
    in
    ChangeDoChildrenPost (preaction_term t, postaction_term)

  method! vpredicate = function
    | Papp(callee,labels,args) ->
        let args = List.map (fun arg ->
          (* Type of [arg] has not been changed. *)
          match arg.term_type with
            | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ -> arg
            | Ctype ty ->
                if isStructOrUnionType ty then
                  match arg.term_node with
                    | TLval lv ->
                        {
                          arg with
                            term_node = TAddrOf lv;
                            term_type = Ctype(mkTRef ty "Norm.vpredicate");
                        }
                    | _ -> assert false (* Should not be possible *)
                else arg
        ) args in
        ChangeDoChildrenPost (Papp(callee,labels,args), fun x -> x)
    | _ -> DoChildren

end

let retype_logic_functions file =
  let visitor = new retypeLogicFunctions in
  visitFramacFile visitor file


(*****************************************************************************)
(* Expand structure copying through parameter, return or assignment.         *)
(*****************************************************************************)

let return_vars = Cil_datatype.Varinfo.Hashtbl.create 17

(* parameter:
 * - if function defined, add local copy variable of structure type
 * - change parameter type to pointer to structure
 * - change type at call-site to take address of structure arguments
 * - change uses of parameters in logical annotations
 * return:
 * - change return type to pointer to structure
 * - add temporary variable for call
 * - free allocated memory for return after call
 * assignment:
 * - recursively decompose into elementary assignments
 *)
class expandStructAssign () =

  let pairs = ref [] in
  let new_return_type = ref None in
  let return_var = ref None in

  let postaction_term_lval (host,off) =
    let host = match host with
      | TResult _ ->
          begin match !new_return_type with
              None -> host
            | Some rt ->
            let tlval = Logic_const.tresult rt in TMem tlval
          end
      | TVar v ->
          begin match v.lv_origin with
          | None -> host
              (* TODO: recognize \result variable, and change its use if
                 of reference type here. *)
          | Some cv ->
              try
                let newv = List.assoc cv !pairs in
                let newlv = cvar_to_lvar newv in
                (* Type of [newv] is set at that point. *)
                let tlval =
                  mkterm (TLval(TVar newlv,TNoOffset)) (Ctype newv.vtype)
                    (Cil_const.CurrentLoc.get())
                in
                TMem tlval
              with Not_found -> TVar v
          end
      | TMem _t -> host
    in
    host, off
  in

  let rec expand_assign lv e ty loc =
    match unrollType ty with
      | TComp(mcomp,_,_) ->
          let field fi =
            let newlv = addOffsetLval (Field(fi,NoOffset)) lv in
            let newe = match e.enode with
              | Lval elv ->
                  new_exp ~loc:e.eloc
                    (Lval(addOffsetLval (Field(fi,NoOffset)) elv))
              | _ ->
                  (* Other possibilities like [CastE] should have been
                     transformed at this point. *)
                  assert false
            in
            expand_assign newlv newe fi.ftype loc
          in
          List.flatten (List.map field mcomp.cfields)
      | TArray _ ->
          let elem i =
            let cste = constant_expr i in
            let newlv = addOffsetLval (Index(cste,NoOffset)) lv in
            let newe = match e.enode with
              | Lval elv ->
                  new_exp ~loc:e.eloc
                    (Lval (addOffsetLval (Index(cste,NoOffset)) elv))
              | _ ->
                  (* Other possibilities like [CastE] should have been
                     transformed at this point. *)
                  assert false
            in
            expand_assign newlv newe (direct_element_type ty) loc
          in
          let rec all_elem acc i =
            if Integer.ge i Integer.zero
            then all_elem (elem i @ acc) (Integer.pred i) 
            else acc
          in
          assert (not (is_reference_type ty));
          all_elem [] (Integer.pred (direct_array_size ty))
      | _ -> [Set (lv, e, loc)]
  in

  let rec expand lv ty loc =
    match unrollType ty with
      | TComp(mcomp,_,_) ->
          let field fi =
            let newlv = addOffsetLval (Field(fi,NoOffset)) lv in
            expand newlv fi.ftype loc
          in
          List.flatten (List.map field mcomp.cfields)
      | TArray _ ->
          let elem i =
            let cste = constant_expr i in
            let newlv = addOffsetLval (Index(cste,NoOffset)) lv in
            expand newlv (direct_element_type ty) loc
          in
          let rec all_elem acc i =
            if Integer.ge i Integer.zero then
              all_elem (elem i @ acc) (Integer.pred i)
            else acc
          in
          assert (not (is_reference_type ty));
          all_elem [] (Integer.pred (direct_array_size ty))
      | _ -> [ lv ]
  in

object(self)

  inherit Visitor.frama_c_inplace
  method! vglob_aux =
    let retype_func fvi =
      let formal (n,ty,a) =
        let ty = 
          if isStructOrUnionType ty then mkTRef ty "Norm.vglob_aux" else ty
        in
        n, ty, a
      in
      let rt,params,isva,a = splitFunctionTypeVI fvi in
      let params = match params with
        | None -> None
        | Some p -> Some(List.map formal p)
      in
      let rt = 
        if isStructOrUnionType rt then
          mkTRef rt "Norm.vglob_aux(2)" 
        else rt 
      in
      fvi.vtype <- TFun(rt,params,isva,a)
    in
    function
      | GVarDecl(_spec,v,_attr) ->
          if isFunctionType v.vtype && not v.vdefined then retype_func v;
          DoChildren
      | GFun _
      | GAnnot _ -> DoChildren
      | GVar _  | GCompTag _ | GType _ | GCompTagDecl _ | GEnumTagDecl _
      | GEnumTag _ | GAsm _ | GPragma _ | GText _ -> SkipChildren

  method! vfunc f =
    let var v =
      if isStructOrUnionType v.vtype then
        let newv = copyVarinfo v (unique_name ("v_" ^ v.vname)) in
        newv.vtype <- mkTRef newv.vtype "Norm.vfunc";
        v.vformal <- false;
        let rhs =
          new_exp ~loc:v.vdecl
            (Lval
               (mkMem
                  (new_exp ~loc:v.vdecl (Lval(Var newv,NoOffset))) NoOffset))
        in
        let copy = mkassign_statement (Var v,NoOffset) rhs v.vdecl in
        add_pending_statement ~beginning:true copy;
        pairs := (v,newv) :: !pairs;
        [v], newv
      else
        [], v
    in
    (* Insert copy statements. *)
    let locvl,formvl = List.split (List.map var f.sformals) in
    (* Set locals and formals. *)
    let locvl = List.flatten locvl in
    f.slocals <- locvl @ f.slocals;
    setFormals f formvl;
    (* Add local variable for return *)
    let rt = getReturnType f.svar.vtype in
    if isStructOrUnionType rt then
      let rv = makeTempVar (Extlib.the self#current_func) rt in
      return_var := Some rv;
      Cil_datatype.Varinfo.Hashtbl.add return_vars rv ()
    else
      return_var := None;
    (* Change return type. *)
    new_return_type :=
      if isStructOrUnionType rt then Some(mkTRef rt "Norm.vfunc(3)") else None;
    let rt = if isStructOrUnionType rt then mkTRef rt "Norm.vfunc(4)" else rt in
    setReturnType f rt;
    DoChildren

  method! vbehavior b =
    let lval loc lv = expand lv (typeOfLval lv) loc in
    let term t = match t.term_node with
      | TLval tlv ->
          let lv,env = Common.force_term_lval_to_lval tlv in
          let lvlist = lval t.term_loc lv in
          let tslvlist =
            List.map (Common.force_back_lval_to_term_lval env)
              lvlist
          in
          List.map (fun
                      tslv ->
                        Logic_const.term ~loc:t.term_loc (TLval tslv)
                          t.term_type
                   ) tslvlist
      | Tempty_set -> [ t ]
          (* most of the case below are still to do*)
      | TStartOf _
      | TConst _
      | TCastE _
      | TLogic_coerce _
      | Tat _
      | TAddrOf _
      | Tapp _
      | Trange _
      | Tunion _
      | Tinter _
      | Tcomprehension _
      | Tif _
      | Tnull -> [ t ]
        (* those cases can not appear as assigns *)
      | TSizeOf _ | TSizeOfE _ | TSizeOfStr _ | TAlignOf _ | TAlignOfE _
      | Tlambda _ | TDataCons _ | Tbase_addr _ | TBinOp _ | TUnOp _
      | Tblock_length _ | TCoerce _ | TCoerceE _ | TUpdate _
      | Ttypeof _ | Ttype _ | Tlet _ | Toffset _ -> assert false
    in
    let zone idts =
      List.map Logic_const.new_identified_term (term idts.it_content)
    in
    let assign (z,froms) =
      let zl = zone z in
      let froms = 
        match froms with
            FromAny -> froms
          | From l -> From (List.flatten (List.map zone l))
      in
      List.map (fun z -> z, froms) zl
    in
    let assigns = (* b.b_assigns *)
      (* the following may stop completely the execution of the plugin ??? *)
      (**)
      (match b.b_assigns with
          WritesAny -> WritesAny
        | Writes l -> Writes (List.flatten (List.map assign l)))
      (**)
    in
(*    Format.eprintf "[Norm.vbehavior] b_allocation = ";
    begin
      match b.b_allocation with
        | FreeAllocAny ->
            Format.eprintf "FreeAllocAny@."
        | FreeAlloc(l1,l2) ->
            Format.eprintf "FreeAlloc(%d,%d)@." (List.length l1) (List.length l2)
    end;
*)
    let new_bhv =
      Cil.mk_behavior
        ~name:b.b_name
        ~requires:b.b_requires
        ~assumes:b.b_assumes
        ~post_cond:b.b_post_cond
        ~assigns:assigns
        ~allocation:(Some b.b_allocation)
        ()
    in
    ChangeDoChildrenPost(new_bhv,fun x -> x)

  method! vstmt_aux s = match s.skind with
    | Return(Some e,loc) ->
        (* Type of [e] has not been changed by retyping formals and return. *)
        if isStructOrUnionType (typeOf e) then
(*           match e with *)
(*             | Lval lv -> *)
(*                 let skind = Return(Some(Cabs2cil.mkAddrOfAndMark lv),loc) in *)
(*                 ChangeTo { s with skind = skind; } *)
(*             | _ -> assert false (\* Should not be possible *\) *)
          let lv = Var(the !return_var),NoOffset in
          let ret =
            mkStmt (Return(Some(Cabs2cil.mkAddrOfAndMark loc lv),loc))
          in
          let assigns = expand_assign lv e (typeOf e) loc in
          let assigns = List.map (fun i -> mkStmt(Instr i)) assigns in
          let block = Block (mkBlock (assigns @ [ret])) in
          ChangeTo { s with skind = block }
        else SkipChildren
    | _ -> DoChildren

  method! vinst =
    function
      | Set(lv,e,loc) ->
          (* Type of [e] has not been changed by retyping formals and return. *)
          if isStructOrUnionType (typeOf e) then
            ChangeTo (expand_assign lv e (typeOf e) loc)
          else SkipChildren
      | Call(lvo,callee,args,loc) ->
          let args = List.map (fun arg ->
            (* Type of [arg] has not been changed. *)
            if isStructOrUnionType (typeOf arg) then
              match arg.enode with
              | Lval lv -> Cabs2cil.mkAddrOfAndMark loc lv
              | _ -> assert false (* Should not be possible *)
            else arg
          ) args in
          begin match lvo with
            | None ->
                (* TODO: free memory for structure return, even if not used.
                   Check that no temporary is added in every case, which would
                   make treatment here useless. *)
                let call = Call (lvo, callee, args, loc) in
                ChangeTo [call]
            | Some lv ->
                (* Type of [lv] has not been changed. *)
                let lvty = typeOfLval lv in
                if isStructOrUnionType lvty then
                  let tmpv = 
                    makeTempVar
                      (Extlib.the self#current_func) (mkTRef lvty "Norm.vinst")
                  in
                  let tmplv = Var tmpv, NoOffset in
                  let call = Call(Some tmplv,callee,args,loc) in
                  let deref =
                    new_exp ~loc
                      (Lval
                         (mkMem
                            (new_exp ~loc (Lval(Var tmpv,NoOffset))) NoOffset))
                  in
                  let assign = mkassign lv deref loc in
                  let free = mkfree tmpv loc in
                  ChangeTo [call;assign;free]
                else
                  let call = Call(lvo,callee,args,loc) in
                  ChangeTo [call]
          end
      | Asm _ | Skip _ -> SkipChildren
      | Code_annot _ -> assert false

  method! vterm_lval tlv =
    ChangeDoChildrenPost (tlv, postaction_term_lval)

  method! vterm t =
    (* Renormalize the term tree. *)
    let postaction t =
      match t.term_node with
        | TAddrOf(TMem t,TNoOffset) -> t
        | _ -> t
    in
    ChangeDoChildrenPost (t, postaction)

end

let expand_struct_assign file =
  let visitor = new expandStructAssign () in
  visitFramacFile (visit_and_push_statements_visitor visitor) file


(*****************************************************************************)
(* Retype variables of structure type.                                       *)
(*****************************************************************************)

(* DO NOT CHANGE neither formal parameters nor return type of functions.
 *
 * global variable:
 * - change type to reference to structure
 * - prepend allocation in [globinit] function
 * - changes left-values to reflect new type
 * local variable:
 * - change type to reference to structure
 * - prepend allocation at function entry
 * - TODO: postpend release at function exit
 * - changes left-values to reflect new type
 *)

class retypeStructVariables =

  let varset = ref Cil_datatype.Varinfo.Set.empty in
  let lvarset = ref Cil_datatype.Logic_var.Set.empty in

  let postaction_lval (host,off) =
    let host = match host with
      | Var v ->
          if Cil_datatype.Varinfo.Set.mem v !varset then
            Mem(mkInfo(new_exp ~loc:(Cil_const.CurrentLoc.get())
                         (Lval(Var v,NoOffset))))
          else
            Var v
      | Mem _e -> host
    in
    host, off
  in
  let postaction_tlval (host,off) =
    let add_deref host v =
      TMem(mkterm (TLval (host,TNoOffset)) v.lv_type
             (Cil_const.CurrentLoc.get()))
    in
    let host = match host with
      | TVar v ->
          if Cil_datatype.Logic_var.Set.mem v !lvarset then
            add_deref host v
          else
            Extlib.may_map
              (fun cv ->
                 if Cil_datatype.Varinfo.Set.mem cv !varset then
                   add_deref host v
                 else host
              ) ~dft:host v.lv_origin
      | TMem _ | TResult _ -> host
    in
    host, off
  in
object(self)

  inherit Visitor.frama_c_inplace

  method! vvdec v =
    if isStructOrUnionType v.vtype && not v.vformal then
      begin
        v.vtype <- mkTRef v.vtype "Norm.vvdec";
        varset := Cil_datatype.Varinfo.Set.add v !varset
      end;
    DoChildren

  method! vquantifiers vl =
    List.iter (fun v ->
                 (* Only iterate on logic variable with C type *)
                 if app_term_type (fun _ -> true) false v.lv_type then
                   match v.lv_origin with
                     | None -> ()
                     | Some v -> ignore (self#vvdec v)
                 else ()
              ) vl;
    DoChildren

  method! vlogic_var_decl v =
    let newty =
      app_term_type
        (fun ty ->
           Ctype (if isStructOrUnionType ty then mkTRef ty "Norm.vlogic_var_decl" else ty))
        v.lv_type v.lv_type
    in
    v.lv_type <- newty;
    DoChildren

  method! vglob_aux = function
    | GVar (_,_,_) as g ->
        let postaction = function
          | [GVar (v,_,_)] ->
              if Cil_datatype.Varinfo.Set.mem v !varset then
                (* Allocate memory for new reference variable *)
(* Disabled, see BTS 0284
                let ast = mkalloc_statement v (pointed_type v.vtype) v.vdecl in
                attach_globinit ast;
*)
                (* Define a global validity invariant *)
                let p =
                  Logic_const.pvalid_range
                    ~loc:v.vdecl
                    (label_here,
                     variable_term v.vdecl (cvar_to_lvar v),
                     constant_term v.vdecl Integer.zero,
                     constant_term v.vdecl Integer.zero)
                in
                let globinv =
		  Cil_const.make_logic_info (unique_logic_name ("valid_" ^ v.vname))
		in
                globinv.l_labels <- [ label_here ];
                globinv.l_body <- LBpred p;
                attach_globaction
		  (fun () -> Logic_utils.add_logic_function globinv);
                [g; GAnnot(Dinvariant (globinv,v.vdecl),v.vdecl)]
              else [g]
          | _ -> assert false
        in
        ChangeDoChildrenPost ([g], postaction)
    | GVarDecl _ | GFun _ | GAnnot _ -> DoChildren
    | GCompTag _ | GType _ | GCompTagDecl _ | GEnumTagDecl _
    | GEnumTag _ | GAsm _ | GPragma _ | GText _ -> SkipChildren

  method! vfunc f =
    (* First change type of local structure variables *)
    List.iter (ignore $ Cil.visitCilVarDecl (self:>Cil.cilVisitor)) f.slocals;
    List.iter (ignore $ Cil.visitCilVarDecl (self:>Cil.cilVisitor)) f.sformals;
    (* Then allocate/deallocate memory for those that need it *)
    List.iter (fun v ->
      if Cil_datatype.Varinfo.Set.mem v !varset then
        let ast = mkalloc_statement v (pointed_type v.vtype) v.vdecl in
        add_pending_statement ~beginning:true ast;
        (* do not deallocate variable used in returning a structure *)
        if not (Cil_datatype.Varinfo.Hashtbl.mem return_vars v) then
          let fst = mkfree_statement v v.vdecl in
          add_pending_statement ~beginning:false fst
    ) f.slocals;
    DoChildren

  method! vlval lv =
    ChangeDoChildrenPost (lv, postaction_lval)

  method! vterm_lval lv = ChangeDoChildrenPost(lv, postaction_tlval)

  method! vexpr e =
    (* Renormalize the expression tree. *)
    let postaction e = match e.enode with
      | AddrOf(Mem e,NoOffset) -> e
      | _ -> e
    in
    ChangeDoChildrenPost (e, postaction)

  method! vterm t =
    (* Renormalize the term tree. *)
    let postaction t =
      match t.term_node with
        | TAddrOf(TMem t,TNoOffset) -> t
        | _ -> t
    in
    ChangeDoChildrenPost (t, postaction)

end

let retype_struct_variables file =
  let visitor = new retypeStructVariables in
  visit_and_push_statements visit_and_update_globals visitor file


(*****************************************************************************)
(* Retype variables and fields whose address is taken.                       *)
(*****************************************************************************)

(* global variable:
 * - change type from [t] to [t*]
 * - prepend allocation in [globinit] function
 * local variable:
 * - change type from [t] to [t*]
 * - prepend allocation at function entry
 * - TODO: postpend release at function exit
 * formal parameter:
 * - make it a local variable, with previous treatment
 * - replace by a new parameter with same type
 * - prepend initialisation at function entry, after allocation
 * - TODO: decide whether formal parameter address can be taken in
 *   annotations. Currently, if address only taken in annotations,
 *   [vaddrof] would not be set. Plus there is no easy means of translating
 *   such annotation to Jessie.
 * field:
 * - change type from [t] to [t*]
 * - TODO: allocation/release
 *)
class retypeAddressTaken =

  let varset = ref Cil_datatype.Varinfo.Set.empty in
  let lvarset = ref Cil_datatype.Logic_var.Set.empty in
  let fieldset = ref Cil_datatype.Fieldinfo.Set.empty in

  let retypable_var v =
    v.vaddrof
    && not (isArrayType v.vtype)
    && not (is_reference_type v.vtype)
  in
  let retypable_lvar v =
    match v.lv_origin with None -> false | Some v -> retypable_var v
  in
  (* Only retype fields with base/pointer type, because fields of
   * struct/union type will be retyped in any case later on.
   *)
  let retypable_field fi =
    fi.faddrof
    && not (is_reference_type fi.ftype)
    && not (isArrayType fi.ftype)
    && not (isStructOrUnionType fi.ftype)
  in
  let retype_var v =
    if retypable_var v then
      begin
        v.vtype <- mkTRef v.vtype "Norm.retype_var";
        assert (isPointerType v.vtype);
        varset := Cil_datatype.Varinfo.Set.add v !varset
      end
  in
  let retype_lvar v =
    if retypable_lvar v then begin
      v.lv_type <- Ctype (force_app_term_type (fun x -> mkTRef x "Norm.retyp_lvar") v.lv_type);
      lvarset := Cil_datatype.Logic_var.Set.add v !lvarset
    end
  in
  let retype_field fi =
    if retypable_field fi then
      begin
        fi.ftype <- mkTRef fi.ftype "Norm.retype_field";
        assert (isPointerType fi.ftype);
        fieldset := Cil_datatype.Fieldinfo.Set.add fi !fieldset
      end
  in

  let postaction_lval (host,off) =
    let host = match host with
      | Var v ->
          if Cil_datatype.Varinfo.Set.mem v !varset then
            begin
              assert (isPointerType v.vtype);
              Mem(mkInfo
                    (new_exp ~loc:(Cil_const.CurrentLoc.get())
                       (Lval(Var v,NoOffset))))
            end
          else host
      | Mem _e -> host
    in
    (* Field retyped can only appear as the last offset, as it is of
     * base/pointer type.
     *)
    match lastOffset off with
    | Field(fi,_) ->
        if Cil_datatype.Fieldinfo.Set.mem fi !fieldset then
          (assert (isPointerType fi.ftype);
          mkMem
            (mkInfo
               (new_exp
                  ~loc:(Cil_const.CurrentLoc.get())
                  (Lval(host,off)))) NoOffset)
        else
          host,off
    | _ ->
        host,off
  in

  let postaction_tlval (host,off) =
    let add_deref host ty =
      force_app_term_type (fun ty -> assert (isPointerType ty)) ty;
      TMem(mkterm (TLval (host,TNoOffset)) ty (Cil_const.CurrentLoc.get()))
    in
    let host = match host with
      | TVar v ->
          if Cil_datatype.Logic_var.Set.mem v !lvarset then
            add_deref host v.lv_type
          else
            Extlib.may_map
              (fun cv ->
                 if Cil_datatype.Varinfo.Set.mem cv !varset then
                   add_deref host (Ctype cv.vtype)
                 else host
              ) ~dft:host v.lv_origin
      | TResult _ | TMem _ -> host
    in match Logic_const.lastTermOffset off with
      | TField (fi,_) ->
          if Cil_datatype.Fieldinfo.Set.mem fi !fieldset then
            (TMem
               (Logic_const.term (TLval(host,off)) (Ctype fi.ftype)),TNoOffset)
          else host,off
      | TModel _ | TIndex _ | TNoOffset -> host,off
  in
  let postaction_expr e = match e.enode with
    | AddrOf(Var _v,NoOffset) ->
        unsupported "cannot take address of a function"
          (* Host should have been turned into [Mem] *)
    | AddrOf(Mem e1,NoOffset) ->
        e1
    | AddrOf(_host,off) ->
        begin match lastOffset off with
          | Field(fi,_) ->
              if Cil_datatype.Fieldinfo.Set.mem fi !fieldset then
                (* Host should have been turned into [Mem], with NoOffset *)
                assert false
              else
                e
          | Index _ -> e
          | NoOffset -> assert false (* Should be unreachable *)
        end
    | _ -> e
  in
  let postaction_term t = match t.term_node with
    | TAddrOf((TVar _ | TResult _), TNoOffset) -> assert false
    | TAddrOf(TMem t1,TNoOffset) -> t1
    | TAddrOf(_,off) ->
        begin match Logic_const.lastTermOffset off with
          | TField(fi,_) ->
              if Cil_datatype.Fieldinfo.Set.mem fi !fieldset then assert false
              else t
          | TModel _ -> Common.unsupported "Model field"
          | TIndex _ -> t
          | TNoOffset -> assert false (*unreachable*)
        end
    | _ -> t
  in
  let varpairs : (varinfo * varinfo) list ref = ref [] in
  let in_funspec = ref false in
object

  inherit Visitor.frama_c_inplace

  method! vglob_aux = function
    | GVar(v,_,_) ->
        if retypable_var v then
          begin
            retype_var v;
(* Disabled, see BTS 0284
            let ast = mkalloc_statement v (pointed_type v.vtype) v.vdecl in
            attach_globinit ast
*)
          end;
        SkipChildren
    | GVarDecl (_,v,_) ->
        (* No problem with calling [retype_var] more than once, since
           subsequent calls do nothing on reference type. *)
        if not (isFunctionType v.vtype || v.vdefined) then retype_var v;
        SkipChildren
    | GFun _ -> DoChildren
    | GAnnot _ -> DoChildren
    | GCompTag(compinfo,_loc) ->
        List.iter retype_field compinfo.cfields;
        SkipChildren
    | GType _ | GCompTagDecl _ | GEnumTagDecl _ | GEnumTag _
    | GAsm _ | GPragma _ | GText _ -> SkipChildren

  method! vfunc f =
    (* Change types before code. *)
    let formals,locals,pairs =
      List.fold_right (fun v (fl,ll,pl) ->
        if retypable_var v then
          let newv = copyVarinfo v ("v_" ^ v.vname) in
          newv.vaddrof <- false;
          v.vformal <- false;
          (newv::fl,v::ll,(v,newv)::pl)
        else (v::fl,ll,pl)
      ) f.sformals ([],[],[])
    in

    varpairs := pairs;
    setFormals f formals;
    f.slocals <- locals @ f.slocals;
    List.iter retype_var f.slocals;

    List.iter (fun v ->
      (* allocate/deallocate locals *)
      if Cil_datatype.Varinfo.Set.mem v !varset then
        begin
          let ast = mkalloc_statement v (pointed_type v.vtype) v.vdecl in
          add_pending_statement ~beginning:true ast;
          (* do not deallocate variable used in returning a structure *)
          if not (Cil_datatype.Varinfo.Hashtbl.mem return_vars v) then
            let fst = mkfree_statement v v.vdecl in
            add_pending_statement ~beginning:false fst
        end;
      (* allocate/deallocate formals *)
      begin try
        let loc = v.vdecl in
        (* [varpairs] holds pairs of (local,formal) to initialize due to
         * the transformation for formals whose address is taken.
         *)
        let fv = List.assoc v !varpairs in
        let lhs = mkMem (new_exp ~loc (Lval(Var v,NoOffset))) NoOffset in
        let rhs = new_exp ~loc (Lval(Var fv,NoOffset)) in
        let assign = mkassign_statement lhs rhs loc in
        add_pending_statement ~beginning:true assign
      with Not_found -> () end
    ) f.slocals;
    DoChildren

  method! vspec _ =
    in_funspec := true;
    DoChildrenPost (fun x -> in_funspec := false; x)

  method! vlogic_var_use v =
    if !in_funspec then
      match v.lv_origin with
        | None -> SkipChildren
        | Some cv ->
            try
              let fv = List.assoc cv !varpairs in
              ChangeTo (cvar_to_lvar fv)
            with Not_found -> SkipChildren
    else
      begin
        if retypable_lvar v then retype_lvar v;
        DoChildren
      end

  method! vlogic_var_decl v = if retypable_lvar v then retype_lvar v; DoChildren

  method! vlval lv = ChangeDoChildrenPost (lv, postaction_lval)

  method! vterm_lval lv = ChangeDoChildrenPost (lv, postaction_tlval)

  method! vexpr e = ChangeDoChildrenPost(e, postaction_expr)

  method! vterm t = ChangeDoChildrenPost(t,postaction_term)

end

let retype_address_taken file =
  let visitor = new retypeAddressTaken in
  visit_and_push_statements visit_and_update_globals visitor file


(*****************************************************************************)
(* Retype fields of type structure and array.                                *)
(*****************************************************************************)

(* We translate C left-values so that they stick to the Jessie semantics for
 * left-values. E.g., a C left-value
 *     s.t.i
 * which is translated in CIL as
 *     Var s, Field(t, Field(i, NoOffset))
 * is translated as
 *     Mem (Mem s, Field(t, NoOffset)), Field(i, NoOffset)
 * so that it is the same as the C left-value
 *     s->t->i
 *
 * Introduce reference at each structure subfield.
 * Does not modify union fields on purpose : union should first be translated
 * into inheritance before [retypeFields] is called again.
 *)
class retypeFields =

  let field_to_array_type : typ Cil_datatype.Fieldinfo.Hashtbl.t = Cil_datatype.Fieldinfo.Hashtbl.create 0 in

  let postaction_lval (host,off) =
    let rec offset_list = function
      | NoOffset -> []
      | Field (fi,off) ->
          (Field (fi, NoOffset)) :: offset_list off
      | Index (e, Field (fi,off)) ->
          (Index (e, Field (fi, NoOffset))) :: offset_list off
      | Index (_idx, NoOffset) as off -> [off]
      | Index (idx, (Index _ as off)) ->
          assert (not !flatten_multi_dim_array);
          Index(idx,NoOffset) :: offset_list off
    in
    let rec apply_lift_offset = function
      | Field (fi,roff) ->
          begin try
            let ty = Cil_datatype.Fieldinfo.Hashtbl.find field_to_array_type fi in
            let roff = apply_lift_offset (lift_offset ty roff) in
            Field (fi,roff)
          with Not_found ->
            let roff = apply_lift_offset roff in
            Field (fi,roff)
          end
      | Index (idx,roff) ->
          let roff = apply_lift_offset roff in
          Index (idx,roff)
      | NoOffset -> NoOffset
    in
    let off =
      if !flatten_multi_dim_array then apply_lift_offset off else off
    in
    (* [initlv] : topmost lval
     * [initlist] : list of offsets to apply to topmost lval
     *)
    let initlv,initlist = match offset_list off with
      | [] -> (host, NoOffset), []
      | fstoff :: roff -> (host, fstoff), roff
    in
    List.fold_left
      (fun curlv -> function
         | NoOffset ->
             assert false (* should not occur *)
         | Field(_,_)
         | Index(_, Field (_,_))
         | Index(_, NoOffset) as nextoff ->
             Mem
               (mkInfo
                  (new_exp ~loc:(Cil_const.CurrentLoc.get()) (Lval curlv))),
             nextoff
         | Index (_, Index _) -> assert false
      ) initlv initlist
  in

  (* Renormalize the expression tree. *)
  let postaction_expr e = match e.enode with
    | AddrOf(Mem e,NoOffset) | StartOf(Mem e,NoOffset) -> e
    | AddrOf(Mem _e,Field(_fi,off) as lv)
    | StartOf(Mem _e,Field(_fi,off) as lv) ->
        assert (off = NoOffset);
        (* Only possibility is that field is of structure or union type,
         * otherwise [retype_address_taken] would have taken care of it.
         * Do not check it though, because type was modified in place.
         *)
        new_exp ~loc:e.eloc (Lval lv)
    | AddrOf(Mem e',Index(ie,NoOffset)) ->
        let ptrty = TPtr(typeOf e',[]) in
        new_exp ~loc:e.eloc (BinOp(PlusPI,e',ie,ptrty))
    | StartOf(Mem _e,Index(_ie,NoOffset) as lv) ->
        new_exp ~loc:e.eloc (Lval lv)
    | AddrOf(Mem _e,Index(_ie,Field(_,NoOffset)) as lv)
    | StartOf(Mem _e,Index(_ie,Field(_,NoOffset)) as lv) ->
        new_exp ~loc: e.eloc (Lval lv)
    | AddrOf(Mem _e,Index(_ie,_)) | StartOf(Mem _e,Index(_ie,_)) ->
        assert false
    | _ -> e
  in
object

  inherit Visitor.frama_c_inplace

  method! vglob_aux = function
    | GCompTag (compinfo,_) ->
        let field fi =
          if isStructOrUnionType fi.ftype then
            fi.ftype <- mkTRef fi.ftype "Norm.vglob_aux(2)"
          else if isArrayType fi.ftype then
            begin
              Cil_datatype.Fieldinfo.Hashtbl.replace field_to_array_type fi fi.ftype;
              if not !flatten_multi_dim_array then
                fi.ftype <- reference_of_array fi.ftype
              else
(*                 if array_size fi.ftype > 0L then *)
                  let size = constant_expr (array_size fi.ftype) in
                  fi.ftype <- mkTRefArray(element_type fi.ftype,size,[])
(*                 else *)
(*                   (\* Array of zero size, e.g. in struct array hack. *\) *)
(*                   fi.ftype <- TPtr(element_type fi.ftype,[]) *)
            end
        in
        List.iter field compinfo.cfields;
        SkipChildren
    | GFun _ | GAnnot _ | GVar _ | GVarDecl _ -> DoChildren
    | GType _ | GCompTagDecl _ | GEnumTagDecl _
    | GEnumTag _ | GAsm _ | GPragma _ | GText _ -> SkipChildren

  method! vlval lv =
    ChangeDoChildrenPost (lv, postaction_lval)

  method! vterm_lval =
    do_on_term_lval (None,Some postaction_lval)

  method! vexpr e =
    ChangeDoChildrenPost(e, postaction_expr)

  method! vterm =
    do_on_term (None,Some postaction_expr)

end

let retype_fields file =
  let visitor = new retypeFields in visitFramacFile visitor file


(*****************************************************************************)
(* Retype type tags.                                                         *)
(*****************************************************************************)

class retypeTypeTags =
object

  inherit Visitor.frama_c_inplace

  method! vterm t = match t.term_node with
    | Ttype ty -> ChangeTo ({ t with term_node = Ttype(TPtr(ty,[])) })
    | _ -> DoChildren

end

let retype_type_tags file =
  let visitor = new retypeTypeTags in visitFramacFile visitor file

(*****************************************************************************)
(* Retype pointers to base types.                                            *)
(*****************************************************************************)

(* Retype pointer to base type T to pointer to struct S with:
 * - if T is [TVoid], no field in S
 * - otherwise, a single field of type T in S
 *)
class retypeBasePointer =

  (* Correspondance between a base type and its wrapper structure type *)
  let type_wrappers = Cil_datatype.Typ.Hashtbl.create 17 in
  (* Store which types are wrapper types *)
  let auto_type_wrappers = ref Cil_datatype.Typ.Set.empty in

  let is_wrapper_type ty = Cil_datatype.Typ.Set.mem ty !auto_type_wrappers in

  let new_wrapper_for_type_no_sharing ty =
    (* Choose name t_P for the wrapper and t_M for the field *)
    let name = type_name ty in
    let wrapper_name = name ^ "P" in
    let field_name = name ^ "M" in
    let compinfo =
      if isVoidType ty then mkStructEmpty wrapper_name
      else mkStructSingleton wrapper_name field_name ty
    in
    let tdef = GCompTag(compinfo,Cil_datatype.Location.unknown) in
    let tdecl = TComp(compinfo,empty_size_cache () ,[]) in
    attach_global tdef;
    tdef, tdecl
  in
object(self)

  (* Helper methods called on the [self] object *)

  method new_wrapper_for_type ty =
    (* Currently, do not make any difference between a pointer to const T
     * or volatile T and a pointer to T.
     *)
    let ty = typeRemoveAttributes ["const";"volatile"] (unrollType ty) in
    try
      Cil_datatype.Typ.Hashtbl.find type_wrappers ty
    with Not_found ->
      (* Construct a new wrapper for this type *)
      let wrapper_def,wrapper_type = new_wrapper_for_type_no_sharing ty in
      Cil_datatype.Typ.Hashtbl.replace type_wrappers ty wrapper_type;
      auto_type_wrappers :=
        Cil_datatype.Typ.Set.add wrapper_type !auto_type_wrappers;
      (* Treat newly constructed type *)
      let store_current_global = !currentGlobal in
      ignore (Cil.visitCilGlobal (self:>Cil.cilVisitor) wrapper_def);
      currentGlobal := store_current_global;
      (* Return the wrapper type *)
      wrapper_type

  (* Performs the necessary in-place modifications to [ty] so that
   * the translation to Jessie is easy.
   * Returns [Some newty] if the modified type imposes adding a field
   * access to a dereference on an object of type [ty].
   * Returns [None] in all other cases, in particular for non-wrapper
   * types that are allowed as either type of variable or type of field.
   *)
  method private wrap_type_if_needed ty =
    match ty with
      | TPtr(_elemty,attr) ->
          (* Do not use [_elemty] directly but rather [pointed_type ty] in order
           * to get to the array element in references, i.e. pointers to arrays.
           *)
          let elemty = pointed_type ty in
          if is_wrapper_type elemty then
            Some ty
          else if isStructOrUnionType elemty then
            None (* Already in a suitable form for Jessie translation. *)
          else if is_array_reference_type ty then
            (* Do not lose the information that this type is a reference *)
            let size = constant_expr (Integer.of_int64 (reference_size ty)) in
            assert (not (!flatten_multi_dim_array && is_reference_type elemty));
            Some(mkTRefArray(self#new_wrapper_for_type elemty,size,[]))
          else if is_reference_type ty then
            (* Do not lose the information that this type is a reference *)
            Some(mkTRef(self#new_wrapper_for_type elemty)"Norm.private wrap_type_if_needed")
          else
            (* Here is the case where a transformation is needed *)
            Some(TPtr(self#new_wrapper_for_type elemty,attr))
      | TArray (_,len,size,attr) ->
          (*[VP-20100826] Can happen in case of logic term translation *)
          let elemty = element_type ty in
          if is_wrapper_type elemty then Some ty
          else if isStructOrUnionType elemty then None
          else Some (TArray(self#new_wrapper_for_type elemty,len,size,attr))
      | TFun _ -> None
      | TNamed(typeinfo,_attr) ->
          begin match self#wrap_type_if_needed typeinfo.ttype with
            | Some newtyp ->
                typeinfo.ttype <- newtyp;
                Some ty
            | None -> None
          end
      | TComp(compinfo,_,_) ->
          let field fi =
            match self#wrap_type_if_needed fi.ftype with
              | Some newtyp ->
                  fi.ftype <- newtyp
              | None -> ()
          in
          List.iter field compinfo.cfields;
          None
      | TVoid _ | TInt _ | TFloat _ | TEnum _ | TBuiltin_va_list _ -> None

  method private postaction_lval lv =
    match lv with
      | Var _, NoOffset -> lv
      | Var _, _ ->
          unsupported "cannot handle this lvalue: %a" Printer.pp_lval lv
      | Mem e, NoOffset ->
          begin match self#wrap_type_if_needed (typeOf e) with
            | Some newtyp ->
                let newfi = get_unique_field (pointed_type newtyp) in
                let newlv = Mem e, Field (newfi, NoOffset) in
                (* Check new left-value is well-typed. *)
(*                 begin try ignore (typeOfLval newlv) with _ -> assert false end; *)
                newlv
            | None -> lv
          end
      | Mem e, (Index(ie,_) as off) ->
          if is_last_offset off then
            match self#wrap_type_if_needed (typeOf e) with
              | Some newtyp ->
                  let newfi = get_unique_field (pointed_type newtyp) in
                  let newlv =
                    if Cil.isArrayType (direct_pointed_type newtyp) then
                      lv
                    else (* The array has been directly decayed into a pointer
                            Use pointer arithmetic instead of index. *)
                      (Mem
                         (new_exp ~loc:e.eloc
                            (BinOp(PlusPI,e,ie,newtyp))),
                       NoOffset)
                  in
                  let newlv = addOffsetLval (Field (newfi, NoOffset)) newlv in
                  newlv
              | None -> lv
          else lv
      | Mem _, Field _ -> lv

  (* Usual methods in visitor interface. *)

  inherit Visitor.frama_c_inplace

  method! vfile _ =
    Common.struct_type_for_void := self#new_wrapper_for_type voidType;
    DoChildren

  method! vtype ty =
    let ty = match self#wrap_type_if_needed ty with
      | Some newty -> newty
      | None -> ty
    in
    if isFunctionType ty then
      (* Applies changes in particular to parameter types in function types. *)
      ChangeDoChildrenPost (ty, fun x -> x)
    else
      ChangeTo ty

  method! vglob_aux =
    let retype_return v =
      let retyp = getReturnType v.vtype in
      let newtyp = Cil.visitCilType (self:>Cil.cilVisitor) retyp in
      if newtyp != retyp then setReturnTypeVI v newtyp
    in
    function
      | GType (typeinfo, _) ->
          ignore (self#wrap_type_if_needed (TNamed (typeinfo, [])));
          SkipChildren
      | GCompTag (compinfo, _) ->
          ignore (self#wrap_type_if_needed (TComp (compinfo, empty_size_cache (), [])));
          SkipChildren
      | GFun (f, _) ->
          retype_return f.svar;
          DoChildren
      | GVarDecl (_, v, _) ->
          if isFunctionType v.vtype && not v.vdefined then
            retype_return v;
          DoChildren
      | GVar _
      | GAnnot _ -> DoChildren
      | GCompTagDecl _ | GEnumTag _ | GEnumTagDecl _
      | GAsm _ | GPragma _ | GText _  -> SkipChildren

  method! vlval lv =
    ChangeDoChildrenPost (lv, self#postaction_lval)

  method! vterm_lval t =
    do_on_term_lval (None,Some self#postaction_lval) t

end

let retype_base_pointer file =
  let visitor = new retypeBasePointer in
  visit_and_update_globals (visitor :> frama_c_visitor) file


(*****************************************************************************)
(* Remove useless casts.                                                     *)
(*****************************************************************************)

class removeUselessCasts =
  let preaction_expr etop =
    match (stripInfo etop).enode with
      | CastE(ty,e) ->
          let ety = typeOf e in
          if isPointerType ty && isPointerType ety &&
            Cil_datatype.Typ.equal
              (Cil.typeDeepDropAttributes
                 ["const"; "volatile"] (pointed_type ty))
              (Cil.typeDeepDropAttributes
                 ["const"; "volatile"] (pointed_type ety))
          then e
          else etop
      | _ -> etop
  in
  let preaction_term term =
    match term.term_node with
      | TCastE(ty,t) ->
          if isPointerType ty && Logic_utils.isLogicPointer t then
            (* Ignore type qualifiers *)
            let pty = Cil.typeDeepDropAllAttributes (pointed_type ty) in
            let ptty =
              match t.term_type with
                  Ctype tty ->
                    if isPointerType tty then pointed_type tty 
                    else element_type tty
                | ty -> fatal "Not a pointer type '%a'"
                  Cil_datatype.Logic_type.pretty ty
            in
            if Cil_datatype.Typ.equal pty ptty then
              if Logic_utils.isLogicPointerType t.term_type then t
              else
                (match t.term_node with
                   | TLval lv -> Logic_const.term (TStartOf lv) (Ctype ty)
                   | TStartOf _ -> t
                   | _ ->
                       fatal
                         "Unexpected array expression casted into pointer: %a"
                         Cil_datatype.Term.pretty t
                )
            else term
          else term
      | _ -> term
  in
object

  inherit Visitor.frama_c_inplace

  method! vexpr e = ChangeDoChildrenPost (preaction_expr e, fun x -> x)

  method! vterm t = ChangeDoChildrenPost (preaction_term t, fun x -> x)

end

let remove_useless_casts file =
  let visitor = new removeUselessCasts in visitFramacFile visitor file


(*****************************************************************************)
(* Translate union fields into structures                                    *)
(*****************************************************************************)

let generated_union_types = Cil_datatype.Typ.Hashtbl.create 0

class translateUnions =
  let field_to_equiv_type : typ Cil_datatype.Fieldinfo.Hashtbl.t
      = Cil_datatype.Fieldinfo.Hashtbl.create 0
  in
  let new_field_type fi =
    let tname = unique_name (fi.fname ^ "P") in
    let fname = unique_name (fi.fname ^ "M") in
    let padding = the fi.fpadding_in_bits in
    let mcomp =
      mkStructSingleton ~padding tname fname fi.ftype in
    let tdef = GCompTag (mcomp, CurrentLoc.get ()) in
    let tdecl = TComp (mcomp, empty_size_cache (), []) in
    Cil_datatype.Typ.Hashtbl.add generated_union_types tdecl ();
    Cil_datatype.Fieldinfo.Hashtbl.add field_to_equiv_type fi tdecl;
    fi.ftype <- tdecl;
    tdef
  in

  let postaction_offset = function
    | Field(fi,off) as off' ->
        begin try
          let ty = Cil_datatype.Fieldinfo.Hashtbl.find field_to_equiv_type fi in
          let newfi = get_unique_field ty in
          Field(fi,Field(newfi,off))
        with Not_found -> off' end
    | off -> off
  in
object

  inherit Visitor.frama_c_inplace

  method! vglob_aux = function
    | GCompTag (compinfo,_) as g when not compinfo.cstruct ->
        let fields = compinfo.cfields in
        let field fi = new_field_type fi in
        let fty = List.map field fields in
        ChangeTo (g::fty)
    | GFun _ | GAnnot _ | GVar _ | GVarDecl _ -> DoChildren
    | GCompTag _ | GType _ | GCompTagDecl _ | GEnumTagDecl _
    | GEnumTag _ | GAsm _ | GPragma _ | GText _ -> SkipChildren

  method! voffs off =
    ChangeDoChildrenPost(off,postaction_offset)

  method! vterm_offset =
    do_on_term_offset (None, Some postaction_offset)

end

let translate_unions file =
  let visitor = new translateUnions in visitFramacFile visitor file

(*****************************************************************************)
(* Remove array address.                                                     *)
(*****************************************************************************)

class removeArrayAddress =
object

  inherit Visitor.frama_c_inplace

  method! vexpr e =
    let preaction e = match e.enode with
      | AddrOf(Mem ptre,Index(ie,NoOffset)) ->
          let ptrty = typeOf e in
          new_exp ~loc:e.eloc (BinOp (PlusPI, ptre, ie, ptrty))
      | _ -> e
    in
    ChangeDoChildrenPost (preaction e, fun x -> x)

  method! vterm t =
    let preaction t = match t.term_node with
      | TAddrOf(TMem ptrt,TIndex(it,TNoOffset)) ->
          { t with term_node = TBinOp (PlusPI, ptrt, it); }
      | _ -> t
    in
    ChangeDoChildrenPost (preaction t, fun x -> x)

  (* TODO: translate to add tsets easily *)

end

let remove_array_address file =
  let visitor = new removeArrayAddress in
  visitFramacFile visitor file


(*****************************************************************************)
(* Normalize the C file for Jessie translation.                              *)
(*****************************************************************************)

let normalize file =
  if checking then check_types file;
  (* Retype variables of array type. *)
  (* order: before [expand_struct_assign] and any other pass which calls
     [typeOf], because "t[i]" with [StartOf] if type of "t" is "int t[a][b]"
     is not typed correctly by Cil (raises error StartOf on non-array type).
     See, e.g., example array_addr.c. *)
  Jessie_options.debug "Retype variables of array type";
  retype_array_variables file;
  if checking then check_types file;
  (* Retype logic functions/predicates with structure parameters or return. *)
  Jessie_options.debug "Retype logic functions/predicates";
  retype_logic_functions file;
  if checking then check_types file;
  (* Expand structure copying through parameter, return or assignment. *)
  (* order: before [retype_address_taken], before [retype_struct_variables] *)
  Jessie_options.debug "Expand structure copying";
  expand_struct_assign file;
  if checking then check_types file;
  (* Retype variables of structure type. *)
  Jessie_options.debug "Retype variables of structure type";
  retype_struct_variables file;
  if checking then check_types file;
  (* Retype variables and fields whose address is taken. *)
  (* order: after [retype_struct_variables] *)
  Jessie_options.debug "Retype variables and fields whose address is taken";
  retype_address_taken file;
  if checking then check_types file;
  (* Expand structure copying through assignment. *)
  (* Needed because sequence [expand_struct_assign; retype_struct_variables;
     retype_address_taken] may recreate structure assignments. *)
  (* order: after [retype_address_taken] *)
  Jessie_options.debug "Expand structure copying through assignment";
  expand_struct_assign file;
  if checking then check_types file;
  (* Translate union fields into structures. *)
  Jessie_options.debug "Translate union fields into structures";
  translate_unions file;
  if checking then check_types file;
  (* Retype fields of type structure and array. *)
  (* order: after [expand_struct_assign] and [retype_address_taken]
   * before [translate_unions] *)
  Jessie_options.debug "Retype fields of type structure and array";
  retype_fields file;
  if checking then check_types file;
  (* Retype fields of type structure and array. *)
  (* order: after [translate_unions] *)
  Jessie_options.debug "Retype fields of type structure and array";
  retype_fields file;
  if checking then check_types file;
  (* Remove array address. *)
  (* order: before [retype_base_pointer] *)
  Jessie_options.debug "Remove array address";
  remove_array_address file;
  if checking then check_types file;
  (* Retype type tags. *)
  (* order: before [retype_base_pointer] *)
  Jessie_options.debug "Retype type tags";
  retype_type_tags file;
  if checking then check_types file;
  (* Retype pointers to base types. *)
  (* order: after [retype_fields] *)
  Jessie_options.debug "Retype pointers to base types";
  retype_base_pointer file;
  if checking then check_types file;
  (* Remove useless casts. *)
  Jessie_options.debug "Remove useless casts";
  remove_useless_casts file;
  if checking then check_types file;

(*
Local Variables:
compile-command: "make -C .."
End:
*)
why-2.34/frama-c-plugin/common.ml0000644000175000017500000014742712311670312015260 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* Import from Cil *)
open Cil_types
open Cil
open Ast_info
open Extlib
open Visitor
open Cil_datatype

(* Utility functions *)
open Format

let jessie_emitter =
  Emitter.create
    "jessie"
    [ Emitter.Funspec; Emitter.Code_annot ]
    ~correctness:
    [Jessie_options.Behavior.parameter; Jessie_options.InferAnnot.parameter]
    ~tuning:[]

let constant_expr ?(loc=Cil_datatype.Location.unknown) e =
  Ast_info.constant_expr ~loc e

exception Unsupported of string

let fatal fmt = Jessie_options.fatal ~current:true fmt

let unsupported fmt =
  Jessie_options.with_failure
    (fun evt ->
       raise (Unsupported evt.Log.evt_message)
    ) ~current:true fmt

let warning fmt = Jessie_options.warning ~current:true fmt
let warn_general fmt = Jessie_options.warning ~current:false fmt

let warn_once =
  let known_warns = Hashtbl.create 7 in
  fun s ->
    if not (Hashtbl.mem known_warns s) then begin
      Hashtbl.add known_warns s ();
      warn_general "%s" s
    end

(*****************************************************************************)
(* Options                                                                   *)
(*****************************************************************************)

let flatten_multi_dim_array = ref false


(*****************************************************************************)
(* Source locations                                                         *)
(*****************************************************************************)

let is_unknown_location loc =
  (fst loc).Lexing.pos_lnum = 0


(*****************************************************************************)
(* Types                                                                     *)
(*****************************************************************************)

(* type for ghost variables until integer is a valid type for ghosts *)
let almost_integer_type = TInt(ILongLong,[])

let struct_type_for_void = ref voidType

(* Query functions on types *)

let rec app_term_type f default = function
  | Ctype typ -> f typ
  | Ltype ({lt_name = "set"},[t]) -> app_term_type f default t
  | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ -> default

let rec force_app_term_type f = function
  | Ctype typ -> f typ
  | Ltype ({ lt_name = "set"},[t]) -> force_app_term_type f t
  | Ltype _ | Lvar _ | Linteger | Lreal | Larrow _ as ty ->
      Jessie_options.fatal "Unexpected non-C type %a" Printer.pp_logic_type ty

let get_unique_field ty = match unrollType ty with
  | TComp(compinfo,_,_) ->
      begin match compinfo.cfields with
	| [content_fi] -> content_fi
	| _ ->
	    Jessie_options.fatal "Type %a has no unique field" Printer.pp_typ ty
      end
  | _ -> Jessie_options.fatal "non-struct (unique field)"

let get_struct_name = function
  | TComp(compinfo,_,_) -> compinfo.cname
  | _ -> Jessie_options.fatal "non-struct (name)"

let get_struct_info = function
  | TComp(compinfo,_,_) -> compinfo
  | _ -> Jessie_options.fatal "non-struct (info)"

(* Integral types *)

let size_in_bytes ik =
  let size = function
    | IBool -> assert false
    | IChar | ISChar | IUChar -> 1 (* Cil assumes char is one byte *)
    | IInt | IUInt -> theMachine.theMachine.sizeof_int
    | IShort | IUShort -> theMachine.theMachine.sizeof_short
    | ILong | IULong -> theMachine.theMachine.sizeof_long
    | ILongLong | IULongLong -> theMachine.theMachine.sizeof_longlong
  in
  size ik

let integral_type_size_in_bytes ty =
  match unrollType ty with
  | TInt(IBool,_attr) -> (* TODO *)
      unsupported "Common.integral_type_size_in_bytes IBool"
  | TInt(ik,_attr) -> size_in_bytes ik
  | TEnum ({ekind = IBool},_) ->
      unsupported "Common.integral_type_size_in_bytes IBool"
  | TEnum (ei,_) -> size_in_bytes ei.ekind
  | _ -> assert false

let integral_type_size_in_bits ty =
  integral_type_size_in_bytes ty * 8

let min_value_of_integral_type ?bitsize ty =
  let min_of signed size_in_bytes =
    let numbits =
      match bitsize with Some siz -> siz | None -> size_in_bytes * 8
    in
    if signed then
      Integer.neg
	(Integer.power_int_positive_int 2
	  (numbits - 1))
    else Integer.zero
  in
  match unrollType ty with
    | TInt(IBool,_attr) -> Integer.zero
    | TInt(ik,_attr) ->
	min_of (isSigned ik) (size_in_bytes ik)
    | TEnum (e,_) when e.ekind = IBool -> Integer.zero
    | TEnum (e,_) -> 
      let ik = e.ekind in
      min_of (isSigned ik) (size_in_bytes ik)
    | _ -> assert false

let max_value_of_integral_type ?bitsize ty =
  let max_of signed size_in_bytes =
    let numbits =
      match bitsize with Some siz -> siz | None -> size_in_bytes * 8
    in
    if signed then
      Integer.pred
	(Integer.power_int_positive_int 2
	  (numbits - 1))
    else
      Integer.pred
	(Integer.power_int_positive_int 2
	  numbits)
  in
  match unrollType ty with
    | TInt(IBool,_attr) -> Integer.one
    | TInt(ik,_attr) ->
	max_of (isSigned ik) (size_in_bytes ik)
    | TEnum (e,_) when e.ekind=IBool -> Integer.one
    | TEnum (e,_) -> 
      let ik = e.ekind in
      max_of (isSigned ik) (size_in_bytes ik)
    | _ -> assert false

(*TODO: projectify this *)
let all_integral_types = Hashtbl.create 5

module Integral_types_iterator =
  State_builder.Set_ref
    (Datatype.String.Set)
    (struct
       let name = "Jessie.Common.Integral_types_iterator"
       let dependencies = [Ast.self ]
     end
     )

let name_of_integral_type ?bitsize ty =
  let name_it signed size_in_bytes =
    let numbits =
      match bitsize with Some siz -> siz | None -> size_in_bytes * 8
    in
    let name = (if signed then "" else "u") ^ "int" ^ (string_of_int numbits) in
    Hashtbl.replace all_integral_types name (ty,numbits);
    Integral_types_iterator.add name;
    name
  in
  match unrollType ty with
    | TInt(IBool,_attr) -> "_bool"
    | TInt(ik,_attr) ->
	name_it (isSigned ik) (size_in_bytes ik)
    | TEnum ({ekind= IBool},_) -> "_bool"
    | TEnum ({ekind = ik},_) -> name_it (isSigned ik) (size_in_bytes ik)
    | _ -> assert false

let iter_integral_types f =
  let apply s =
    try
      let (ty,size) = Hashtbl.find all_integral_types s in f s ty size
    with Not_found ->
      Jessie_options.fatal
        "Integral type %s is referenced but does not have a definition" s
  in Integral_types_iterator.iter apply

let fold_integral_types f init =
  let apply s acc =
    try
      let (ty,size) = Hashtbl.find all_integral_types s in f s ty size acc
    with Not_found ->
      Jessie_options.fatal
        "Integral type %s is referenced but does not have a definition" s
  in Integral_types_iterator.fold apply init

(* Reference type *)

(* We introduce a reference type, that is different from the C pointer or
 * array type. It is a direct translation in C of the Jessie bounded pointer
 * type, where the lower/upper bounds that can be safely accessed are
 * statically known. To avoid introducing a new type, we reuse the existing
 * C pointer type, with an attribute "arrlen" to give the size.
 * Then, we use it as a regular pointer type. E.g., we allow dynamic allocation
 * of such references:
 *     r = (TRef(T)) (malloc (sizeof(T)));
 * and usual dereference:
 *     T t = *r;
 * Another advantage is it should be working fine with [typeOf], [typeOfLval],
 * [pointed_type] and similar functions.
 *
 * As a result of this transformation, all allocation/releases of memory
 * on a reference type do implicitly allocate/release the fields of reference
 * type. It will be translated in Jessie in various alloc/free statements.
 *)

let arraylen_attr_name = "arraylen"

let mkTRef elemty _msg =
  (* Define the same arguments as for [mkTRefArray] *)
(*
  Format.eprintf "mkTRef, coming from %s@." msg;
*)
  let size = constant_expr Integer.one and attr = [] in
  (* Do the same as in [mkTRefArray] *)
  let siz = expToAttrParam size in
  let attr = addAttribute (Attr(arraylen_attr_name,[siz])) attr in
  (* Avoid creating an array for single pointed elements that do not
   * originate in a C array, to avoid having to access to the first
   * element everywhere.
   *)
  TPtr(elemty,attr)

let mkTRefArray (elemty,size,attr) =
  (* Check the array size is of a correct form *)
  ignore (lenOfArray64 (Some size));
  let siz = expToAttrParam size in
  let attr = addAttribute (Attr(arraylen_attr_name,[siz])) attr in
  (* Make the underlying type an array so that indexing it is still valid C. *)
  TPtr(TArray(elemty,Some size,empty_size_cache (),[]),attr)

let reference_size ty =
  match findAttribute arraylen_attr_name (typeAttrs ty) with
    | [AInt i] -> Integer.to_int64 i
    | _ -> assert false

let is_reference_type ty =
  isPointerType ty && hasAttribute arraylen_attr_name (typeAttrs ty)

let is_array_reference_type ty =
  is_reference_type ty && isArrayType (Cil.unrollType (direct_pointed_type ty))

let reference_of_array ty =
  let rec reftype ty =
    if isArrayType ty then
      let elty = reftype (direct_element_type ty) in
(*       if array_size ty > 0L then *)
	let size = constant_expr (direct_array_size ty) in
	mkTRefArray(elty,size,[])
(*       else *)
(* 	(\* Array of zero size, e.g. in struct array hack. *\) *)
(* 	TPtr(elty,[]) *)
    else ty
  in
  assert (isArrayType ty);
  reftype ty

(* Wrappers on [mkCompInfo] that update size/offset of fields *)

let mkStructEmpty stname =
  mkCompInfo true stname (fun _ -> []) []

let mkStructSingleton ?(padding=0) stname finame fitype =
  let compinfo =
    mkCompInfo true stname
      (fun _ -> [finame,fitype,None,[],CurrentLoc.get ()]) []
  in
  let fi = get_unique_field (TComp(compinfo,empty_size_cache (),[])) in
  fi.fsize_in_bits <- Some (bitsSizeOf fitype);
  fi.foffset_in_bits <- Some 0;
  fi.fpadding_in_bits <- Some padding;
  compinfo

(* Locally use 64 bits integers *)
open Jessie_integer

let bits_sizeof ty =
  let rec rec_size ?(top_size=false) ty =
    match unrollType ty with
      | TPtr _ ->
	  if is_reference_type ty && not top_size then
            rec_size (pointed_type ty) * (reference_size ty)
	  else
	    Int64.of_int (bitsSizeOf ty)
      | TArray _ -> assert false (* Removed by translation *)
      | TFun _ -> unsupported "Function pointer type %a not allowed" Printer.pp_typ ty
      | TNamed _ -> assert false (* Removed by call to [unrollType] *)
      | TComp(compinfo,_,_) ->
	  let size_from_field fi =
	    match
	      fi.foffset_in_bits, fi.fsize_in_bits, fi.fpadding_in_bits
	    with
	      | Some off, Some siz, Some padd ->
		  Int64.of_int off + Int64.of_int siz + Int64.of_int padd
	      | _ -> assert false
	  in
	  if compinfo.cstruct then
	    match List.rev compinfo.cfields with
	      | [] -> 0L
	      | fi :: _ -> size_from_field fi
	  else
	    List.fold_left max 0L (List.map size_from_field compinfo.cfields)
      | TEnum _ | TVoid _ | TInt _ | TFloat _ | TBuiltin_va_list _ ->
	  Int64.of_int (bitsSizeOf ty)
  in
  rec_size ~top_size:true ty

(* Come back to normal 31 bits integers *)
open Pervasives


(*****************************************************************************)
(* Names                                                                     *)
(*****************************************************************************)

(* Predefined entities *)

let name_of_valid_string = "valid_string"
let name_of_valid_wstring = "valid_wstring"
let name_of_strlen = "strlen"
let name_of_wcslen = "wcslen"
let name_of_assert = "assert"
let name_of_free = "free"
let name_of_malloc = "malloc"
let name_of_calloc = "calloc"
let name_of_realloc = "realloc"

let predefined_name =
  [ (* coding functions *)
    name_of_assert;
    name_of_malloc;
    name_of_calloc;
    name_of_realloc;
    name_of_free;
  ]

let is_predefined_name s = List.mem s predefined_name

let is_assert_function v = isFunctionType v.vtype && v.vname = name_of_assert
let is_free_function v = isFunctionType v.vtype && v.vname = name_of_free
let is_malloc_function v = isFunctionType v.vtype && v.vname = name_of_malloc
let is_calloc_function v = isFunctionType v.vtype && v.vname = name_of_calloc
let is_realloc_function v = isFunctionType v.vtype && v.vname = name_of_realloc

(* Name management *)

let unique_name_generator is_exception =
  let unique_names = Hashtbl.create 127 in
  let rec aux s =
    if is_exception s then s else
      try
	let s = if s = "" then "unnamed" else s in
	let count = Hashtbl.find unique_names s in
	let s = s ^ "_" ^ (string_of_int !count) in
	if Hashtbl.mem unique_names s then
	  aux s
	else
	  (Hashtbl.add unique_names s (ref 0);
	   incr count; s)
      with Not_found ->
	Hashtbl.add unique_names s (ref 0); s
  in
  let add s = Hashtbl.add unique_names s (ref 0) in
  aux, add

let unique_name, add_unique_name =
(*  let u = *)unique_name_generator is_predefined_name
(* in (fun s -> let s' = u s in s') *)

let unique_logic_name, add_unique_logic_name =
(*  let u = *) unique_name_generator (fun _ -> false)
(* in (fun s -> let s' = u s in s')*)

let unique_name_if_empty s =
  if s = "" then unique_name "unnamed" else s

(* Jessie reserved names *)

let jessie_reserved_names =
  [
    (* a *) "abstract"; "allocates"; "and"; "as"; "assert";
            "assigns"; "assumes"; "axiom"; "axiomatic";
    (* b *) "behavior"; "boolean"; "break";
    (* c *) "case"; "catch"; "check"; "continue";
    (* d *) "decreases"; "default"; "do"; "double";
    (* e *) "else"; "end"; "ensures"; "exception";
    (* f *) "false"; "finally"; "float"; "for"; "free";
    (* g *) "goto";
    (* h *) "hint";
    (* i *) "if"; "in"; "integer"; "invariant";
    (* l *) "lemma"; "let"; "logic"; "loop";
    (* m *) "match";
    (* n *) "new"; "null";
    (* o *) "of";
    (* p *) "pack"; "predicate";
    (* r *) "reads"; "real"; "rep"; "requires"; "return";
    (* s *) "switch";
    (* t *) "tag"; "then"; "throw"; "throws"; "true"; "try"; "type";
    (* u *) "unit"; "unpack";
    (* v *) "var"; "variant";
    (* w *) "while"; "with";
  ]

let () = List.iter add_unique_name jessie_reserved_names
let () = List.iter add_unique_logic_name jessie_reserved_names

(*
let reserved_name name =
  if List.mem name jessie_reserved_names then name else unique_name name

let reserved_logic_name name =
  if List.mem name jessie_reserved_names then name else unique_logic_name name
*)

(* Type name *)

let string_explode s =
  let rec next acc i =
    if i >= 0 then next (s.[i] :: acc) (i-1) else acc
  in
  next [] (String.length s - 1)

let string_implode ls =
  let s = String.create (List.length ls) in
  ignore (List.fold_left (fun i c -> s.[i] <- c; i + 1) 0 ls);
  s

let filter_alphanumeric s assoc default =
  let is_alphanum c =
    String.contains "abcdefghijklmnopqrstuvwxyz" c
    || String.contains "ABCDEFGHIJKLMNOPQRSTUVWXYZ" c
    || String.contains "123456789" c
    || c = '_'
  in
  let alphanum_or_default c =
    if is_alphanum c then c
    else try List.assoc c assoc with Not_found -> default
  in
  string_implode (List.map alphanum_or_default (string_explode s))

let type_name ty =
  ignore (flush_str_formatter ());
  fprintf str_formatter "%a" Printer.pp_typ ty;
  let name = flush_str_formatter () in
  filter_alphanumeric name [('*','x')] '_'

let logic_type_name ty =
  ignore (flush_str_formatter ());
  let old_mode = Kernel.Unicode.get() in
  Kernel.Unicode.set false;
  fprintf str_formatter "%a" Printer.pp_logic_type ty;
  let name = flush_str_formatter () in
  Kernel.Unicode.set old_mode;
  filter_alphanumeric name [('*','x')] '_'

let name_of_padding_type = (*reserved_logic_name*) "padding"

let name_of_string_declspec = "valid_string"

let name_of_hint_assertion = "hint"

(* VP: unused variable *)
(* let name_of_safety_behavior = "safety" *)

let name_of_default_behavior = "default"

(*****************************************************************************)
(* Visitors                                                                  *)
(*****************************************************************************)

(* Visitor for adding globals and global initializations (for global
 * variables). It delays updates to the file until after the visitor has
 * completed its work, to avoid visiting a newly created global or
 * initialization.
 *)

let attach_detach_mode = ref false
let globinits : stmt list ref = ref []
let globals : global list ref = ref []
let globactions : (unit -> unit) list ref = ref []

(*
let attach_globinit init =
  assert (!attach_detach_mode);
  globinits := init :: !globinits
*)

let attach_global g =
  assert (!attach_detach_mode);
  globals := g :: !globals

let attach_globaction action =
  assert (!attach_detach_mode);
  globactions := action :: !globactions

(*
let detach_globinits file =
  let gif =
    Kernel_function.get_definition (Globals.Functions.get_glob_init file)
  in
  Format.eprintf "Common.detach_globinits: len(globinits) = %d@."
    (List.length !globinits);
  gif.sbody.bstmts <- List.rev_append !globinits gif.sbody.bstmts;
  globinits := []
*)

let detach_globals file =
  file.globals <- !globals @ file.globals;
  List.iter
    (function GVar(v,init,_) -> Globals.Vars.add v init | _ -> ()) !globals;
  globals := []

let detach_globactions () =
  List.iter (fun f -> f ()) !globactions;
  globactions := []

let do_and_update_globals action file =
  attach_detach_mode := true;
  assert (!globinits = [] && !globals = [] && !globactions = []);
  action file;
 (*
 detach_globinits file;
 *)
  detach_globals file;
  detach_globactions ();
  attach_detach_mode := false

let visit_and_update_globals visitor file =
  do_and_update_globals (visitFramacFile visitor) file

(* Visitor for adding statements in front of the body *)

let adding_statement_mode = ref false
let pending_statements_at_beginning : stmt list ref = ref []
let pending_statements_at_end : stmt list ref = ref []

let add_pending_statement ~beginning s =
  assert (!adding_statement_mode);
  if beginning then
    pending_statements_at_beginning := s :: !pending_statements_at_beginning
  else
    pending_statements_at_end := s :: !pending_statements_at_end

let insert_pending_statements f =
  f.sbody.bstmts <-
    List.rev_append !pending_statements_at_beginning f.sbody.bstmts;
  pending_statements_at_beginning := [];
  match !pending_statements_at_end with [] -> () | slist ->
    (* Insert pending statements before return statement *)
    let return_stat =
      Kernel_function.find_return (Globals.Functions.get f.svar)
    in
    (* Remove labels from the single return statement. Leave them on the most
     * external block with cleanup code instead.
     *)
    let s = { return_stat with labels = []; } in
    let block = mkBlock (List.rev_append (s :: slist) []) in
    return_stat.skind <- Block block;
    pending_statements_at_end := []

class proxy_frama_c_visitor (visitor : Visitor.frama_c_visitor) =
object
  (* [VP 2011-08-24] Do not inherit from Visitor.frama_c_visitor: all methods
     that are not overloaded have to come from visitor. Otherwise, proxy will
     fail to delegate some of its actions. *)

  method set_current_kf kf = visitor#set_current_kf kf

  method set_current_func f = visitor#set_current_func f

  method current_kf = visitor#current_kf

  method current_func = visitor#current_func

  method push_stmt s = visitor#push_stmt s
  method pop_stmt s = visitor#pop_stmt s

  method current_stmt = visitor#current_stmt
  method current_kinstr = visitor#current_kinstr

  method get_filling_actions = visitor#get_filling_actions
  method fill_global_tables = visitor#fill_global_tables

  method videntified_term = visitor#videntified_term
  method videntified_predicate = visitor#videntified_predicate

  method vlogic_label = visitor#vlogic_label

  (* Modify visitor on functions so that it prepends/postpends statements *)
  method vfunc f =
    adding_statement_mode := true;
    assert (!pending_statements_at_beginning = []);
    assert (!pending_statements_at_end = []);
    let change c = fun f -> adding_statement_mode:=false; c f in
    let postaction_func f =
      insert_pending_statements f;
      adding_statement_mode := false;
      f
    in
    match visitor#vfunc f with
      | SkipChildren -> ChangeToPost(f, change (fun x -> x))
      | JustCopy -> JustCopyPost (change (fun x -> x))
      | JustCopyPost f -> JustCopyPost (change f)
      | ChangeTo f' -> ChangeToPost (f', change (fun x -> x))
      | ChangeToPost(f',action) -> ChangeToPost(f', change action)
      | DoChildren -> DoChildrenPost postaction_func
      | DoChildrenPost f -> DoChildrenPost (f $ postaction_func)
      | ChangeDoChildrenPost (f', action) ->
	  let postaction_func f =
	    let f = action f in
	    insert_pending_statements f;
	    adding_statement_mode := false;
	    f
	  in
	  ChangeDoChildrenPost (f', postaction_func)

  (* Inherit all other visitors *)

  (* Methods introduced by the Frama-C visitor *)
  method vfile = visitor#vfile
  method vglob_aux = visitor#vglob_aux
  method vstmt_aux = visitor#vstmt_aux

  (* Methods from Cil visitor for coding constructs *)
  method vblock = visitor#vblock
  method vvrbl = visitor#vvrbl
  method vvdec = visitor#vvdec
  method vexpr = visitor#vexpr
  method vlval = visitor#vlval
  method voffs = visitor#voffs
  method vinitoffs = visitor#vinitoffs
  method vinst = visitor#vinst
  method vinit = visitor#vinit
  method vtype = visitor#vtype
  method vattr = visitor#vattr
  method vattrparam = visitor#vattrparam

  (* Methods from Cil visitor for logic constructs *)
  method vlogic_type = visitor#vlogic_type
  method vterm = visitor#vterm
  method vterm_node = visitor#vterm_node
  method vterm_lval = visitor#vterm_lval
  method vterm_lhost = visitor#vterm_lhost
  method vterm_offset = visitor#vterm_offset
  method vlogic_info_decl = visitor#vlogic_info_decl
  method vlogic_info_use = visitor#vlogic_info_use
  method vlogic_var_decl = visitor#vlogic_var_decl
  method vlogic_var_use = visitor#vlogic_var_use
  method vquantifiers = visitor#vquantifiers
  method vpredicate = visitor#vpredicate
  method vpredicate_named = visitor#vpredicate_named
  method vmodel_info = visitor#vmodel_info
  method vbehavior = visitor#vbehavior
  method vspec = visitor#vspec
  method vassigns = visitor#vassigns
  method vloop_pragma = visitor#vloop_pragma
  method vslice_pragma = visitor#vslice_pragma
  method vdeps = visitor#vdeps
  method vcode_annot = visitor#vcode_annot
  method vannotation = visitor#vannotation

  method behavior = visitor#behavior
  method project = visitor#project
  method frama_c_plain_copy = visitor#frama_c_plain_copy
  method plain_copy_visitor = visitor#plain_copy_visitor
  method queueInstr = visitor#queueInstr
  method reset_current_func = visitor#reset_current_func
  method reset_current_kf = visitor#reset_current_kf
  method unqueueInstr = visitor#unqueueInstr
  method vcompinfo = visitor#vcompinfo
  method venuminfo = visitor#venuminfo
  method venumitem = visitor#venumitem
  method vfieldinfo = visitor#vfieldinfo
  method vfrom = visitor#vfrom
  method vglob = visitor#vglob
  method vimpact_pragma = visitor#vimpact_pragma
  method vlogic_ctor_info_decl = visitor#vlogic_ctor_info_decl
  method vlogic_ctor_info_use = visitor#vlogic_ctor_info_use
  method vlogic_type_def = visitor#vlogic_type_def
  method vlogic_type_info_decl = visitor#vlogic_type_info_decl
  method vlogic_type_info_use = visitor#vlogic_type_info_use
  method vstmt = visitor#vstmt

  method vallocates = visitor#vallocates
  method vallocation = visitor#vallocation
  method vfrees = visitor#vfrees

end

let visit_and_push_statements_visitor visitor =
  new proxy_frama_c_visitor visitor

let visit_and_push_statements visit visitor file =
  let visitor = new proxy_frama_c_visitor visitor in
  visit visitor file

(* Visitor for tracing computation *)
(* VP: unused *)
(* class trace_frama_c_visitor (visitor : Visitor.frama_c_visitor) =
object

  inherit Visitor.frama_c_inplace

  (* Inherit all visitors, printing visited item on the way *)

  (* Methods introduced by the Frama-C visitor *)
  method vfile = visitor#vfile
  method vglob_aux g =
    Jessie_options.feedback "%a" Printer.pp_global g;
    visitor#vglob_aux g
  method vstmt_aux s =
    Jessie_options.feedback "%a" Printer.pp_stmt s;
    visitor#vstmt_aux s

  (* Methods from Cil visitor for coding constructs *)
  method vfunc = visitor#vfunc
  method vblock b =
    Jessie_options.feedback "%a" Printer.pp_block b;
    visitor#vblock b
  method vvrbl v =
    Jessie_options.feedback "%s" v.vname;
    visitor#vvrbl v
  method vvdec v =
    Jessie_options.feedback "%s" v.vname;
    visitor#vvdec v
  method vexpr e =
    Jessie_options.feedback "%a" Printer.pp_exp e;
    visitor#vexpr e
  method vlval lv =
    Jessie_options.feedback "%a" Printer.pp_lval lv;
    visitor#vlval lv
  method voffs off =
    Jessie_options.feedback "%a" !Ast_printer.d_offset off;
    visitor#voffs off
  method vinitoffs off =
    Jessie_options.feedback "%a" !Ast_printer.d_offset off;
    visitor#vinitoffs off
  method vinst i =
    Jessie_options.feedback "%a" Printer.pp_instr i;
    visitor#vinst i
  method vinit = visitor#vinit
  method vtype ty =
    Jessie_options.feedback "%a" Printer.pp_typ ty;
    visitor#vtype ty
  method vattr attr =
    Jessie_options.feedback "%a" !Ast_printer.d_attr attr;
    visitor#vattr attr
  method vattrparam pattr =
    Jessie_options.feedback "%a" !Ast_printer.d_attrparam pattr;
    visitor#vattrparam pattr

  (* Methods from Cil visitor for logic constructs *)
  method vlogic_type lty =
    Jessie_options.feedback "%a" Printer.pp_logic_type lty;
    visitor#vlogic_type lty
  method vterm t =
    Jessie_options.feedback "%a" Printer.pp_term t;
    visitor#vterm t
  method vterm_node = visitor#vterm_node
  method vterm_lval tlv =
    Jessie_options.feedback "%a" Printer.pp_term_lval tlv;
    visitor#vterm_lval tlv
  method vterm_lhost = visitor#vterm_lhost
  method vterm_offset = visitor#vterm_offset
  method vlogic_info_decl = visitor#vlogic_info_decl
  method vlogic_info_use = visitor#vlogic_info_use
  method vlogic_var_decl lv =
    Jessie_options.feedback "%a" Printer.pp_logic_var lv;
    visitor#vlogic_var_decl lv
  method vlogic_var_use lv =
    Jessie_options.feedback "%a" Printer.pp_logic_var lv;
    visitor#vlogic_var_use lv
  method vquantifiers = visitor#vquantifiers
  method vpredicate = visitor#vpredicate
  method vpredicate_named p =
    Jessie_options.feedback "%a" Printer.pp_predicate_named p;
    visitor#vpredicate_named p
(*
  method vpredicate_info_decl = visitor#vpredicate_info_decl
  method vpredicate_info_use = visitor#vpredicate_info_use
*)
  method vbehavior = visitor#vbehavior
  method vspec funspec =
    Jessie_options.feedback "%a" Printer.pp_funspec funspec;
    visitor#vspec funspec
  method vassigns = visitor#vassigns
  method vloop_pragma = visitor#vloop_pragma
  method vslice_pragma = visitor#vslice_pragma
  method vdeps = visitor#vdeps
  method vcode_annot annot =
    Jessie_options.feedback "%a" Printer.pp_code_annotation annot;
    visitor#vcode_annot annot
  method vannotation annot =
    Jessie_options.feedback "%a" !Ast_printer.d_annotation annot;
    visitor#vannotation annot

end

 let visit_and_trace_framac visit visitor file =
  let visitor = new trace_frama_c_visitor visitor in
  visit visitor file

let visit_and_trace_cil visit visitor file =
  let visitor = new trace_frama_c_visitor visitor in
  visit (visitor :> cilVisitor) file
*)
(* Visitor for fixpoint computation *)

let change = ref false

let signal_change () = change := true

let visit_until_convergence visitor file =
  change := true;
  while !change do
    change := false;
    visitFramacFile visitor file;
  done

(* Force conversion from terms to expressions by returning, along with
 * the result, a map of the sub-terms that could not be converted as
 * a map from fresh variables to terms or term left-values. *)

let rec logic_type_to_typ = function
  | Ctype typ -> typ
  | Linteger -> TInt(ILongLong,[]) (*TODO: to have an unlimited integer type
                                    in the logic interpretation*)
  | Lreal -> TFloat(FLongDouble,[]) (* TODO: handle reals, not floats... *)
  | Ltype({lt_name = name},[]) when name = Utf8_logic.boolean  ->
      TInt(ILongLong,[])
  | Ltype({lt_name = "set"},[t]) -> logic_type_to_typ t
  | Ltype _ | Lvar _ | Larrow _ -> invalid_arg "logic_type_to_typ"


type opaque_term_env = {
  term_lhosts: term_lhost Cil_datatype.Varinfo.Map.t;
  terms: term Cil_datatype.Varinfo.Map.t;
  vars: logic_var Cil_datatype.Varinfo.Map.t;
}
type opaque_exp_env = { exps: exp Cil_datatype.Varinfo.Map.t }

let empty_term_env =
  { term_lhosts = Varinfo.Map.empty;
    terms = Varinfo.Map.empty;
    vars = Varinfo.Map.empty }

let merge_term_env env1 env2 =
  { term_lhosts = Varinfo.Map.fold Varinfo.Map.add env1.term_lhosts 
	env2.term_lhosts;
    terms = Varinfo.Map.fold Varinfo.Map.add env1.terms env2.terms;
    vars = Varinfo.Map.fold Varinfo.Map.add env1.vars env2.vars }

let add_opaque_term t env =
  (* Precise the type when possible *)
  let ty = match t.term_type with Ctype ty -> ty | _ -> voidType in
  let v = makePseudoVar ty in
  let env = { env with terms = Varinfo.Map.add v t env.terms; } in
  Lval(Var v,NoOffset), env

let add_opaque_var v env =
  let ty = match v.lv_type with Ctype ty -> ty | _ -> assert false in
  let pv = makePseudoVar ty in
  let env = { env with vars = Varinfo.Map.add pv v env.vars; } in
  Var pv, env

let add_opaque_term_lhost lhost env =
  let v = makePseudoVar voidType in
  let env =
    { env with term_lhosts = Varinfo.Map.add v lhost env.term_lhosts; }
  in
  Var v, env

let add_opaque_result ty env =
  let pv = makePseudoVar ty in
  let env =
    { env with term_lhosts = 
	Varinfo.Map.add pv (TResult ty) env.term_lhosts; }
  in
  Var pv, env

let rec force_term_to_exp t =
  let loc = t.term_loc in
  let e,env = match t.term_node with
    | TLval tlv ->
        (match Logic_utils.unroll_type t.term_type with
           | Ctype (TArray _) -> add_opaque_term t empty_term_env
           | _ -> let lv,env = force_term_lval_to_lval tlv in Lval lv, env)
    | TAddrOf tlv ->
        let lv,env = force_term_lval_to_lval tlv in AddrOf lv, env
    | TStartOf tlv ->
        let lv,env = force_term_lval_to_lval tlv in StartOf lv, env
    | TSizeOfE t' ->
        let e,env = force_term_to_exp t' in SizeOfE e, env
    | TAlignOfE t' ->
        let e,env = force_term_to_exp t' in AlignOfE e, env
    | TUnOp(unop,t') ->
        let e,env = force_term_to_exp t' in
        UnOp(unop,e,logic_type_to_typ t.term_type), env
    | TBinOp(binop,t1,t2) ->
        let e1,env1 = force_term_to_exp t1 in
        let e2,env2 = force_term_to_exp t2 in
        let env = merge_term_env env1 env2 in
        BinOp(binop,e1,e2,logic_type_to_typ t.term_type), env
    | TSizeOfStr string -> SizeOfStr string, empty_term_env
(*    | TConst constant -> Const constant, empty_term_env*)
    | TLogic_coerce(Linteger,t) ->
        let e, env = force_term_to_exp t in
        CastE(TInt(IInt,[Attr ("integer",[])]),e), env
    | TLogic_coerce(Lreal,t) ->
        let e, env = force_term_to_exp t in
        CastE(TFloat(FFloat,[Attr("real",[])]),e), env
    | TCastE(ty,t') ->
        let e,env = force_term_to_exp t' in CastE(ty,e), env
    | TAlignOf ty -> AlignOf ty, empty_term_env
    | TSizeOf ty -> SizeOf ty, empty_term_env
    | Tapp _ | TDataCons _ | Tif _ | Tat _ | Tbase_addr _ | Toffset _
    | Tblock_length _ | Tnull | TCoerce _ | TCoerceE _ | TUpdate _
    | Tlambda _ | Ttypeof _ | Ttype _ | Tcomprehension _
    | Tunion _ | Tinter _ | Tempty_set | Trange _ | Tlet _
    | TConst _ | TLogic_coerce _
        ->
        add_opaque_term t empty_term_env
  in
  new_exp ~loc (Info(new_exp ~loc e,exp_info_of_term t)), env

and force_term_lval_to_lval (lhost,toff) =
  let lhost,env1 = force_term_lhost_to_lhost lhost in
  let off,env2 = force_term_offset_to_offset toff in
  let env = merge_term_env env1 env2 in
  (lhost,off), env

and force_term_lhost_to_lhost lhost = match lhost with
  | TVar v ->
      begin match v.lv_origin with
        | Some v -> Var v, empty_term_env
        | None ->
            begin match v.lv_type with
              | Ctype _ty -> add_opaque_var v empty_term_env
              | _ -> add_opaque_term_lhost lhost empty_term_env
            end
      end
  | TMem t ->
      let e,env = force_term_to_exp t in
      Mem e, env
  | TResult ty -> add_opaque_result ty empty_term_env

and force_term_offset_to_offset = function
  | TNoOffset -> NoOffset, empty_term_env
  | TField(fi,toff) ->
      let off,env = force_term_offset_to_offset toff in
      Field(fi,off), env
  | TModel _ ->
      (*
        Kernel.fatal 
        "Logic_interp.force_term_offset_to_offset \
        does not support model fields"
      *)
      raise Exit
  | TIndex(t,toff) ->
      let e,env1 = force_term_to_exp t in
      let off,env2 = force_term_offset_to_offset toff in
      let env = merge_term_env env1 env2 in
      Index(e,off), env

(* Force back conversion from expression to term, using the environment
 * constructed during the conversion from term to expression. It expects
 * the top-level expression to be wrapped into an Info, as well as every
 * top-level expression that appears under a left-value. *)

let rec force_back_exp_to_term env e =
  let rec internal_force_back env e =
    let einfo = match e.enode with
      | Info(_e,einfo) -> einfo
      | _ -> { exp_type = Ctype(typeOf e); exp_name = []; }
    in
    let tnode = match (stripInfo e).enode with
      | Info _ -> assert false
      | Const c -> TConst (Logic_utils.constant_to_lconstant c)
      | Lval(Var v,NoOffset as lv) ->
        begin try (Varinfo.Map.find v env.terms).term_node
          with Not_found ->
            TLval(force_back_lval_to_term_lval env lv)
        end
      | Lval lv -> TLval(force_back_lval_to_term_lval env lv)
      | SizeOf ty -> TSizeOf ty
      | SizeOfE e -> TSizeOfE(internal_force_back env e)
      | SizeOfStr s -> TSizeOfStr s
      | AlignOf ty -> TAlignOf ty
      | AlignOfE e -> TAlignOfE(internal_force_back env e)
      | UnOp(op,e,_) -> TUnOp(op,internal_force_back env e)
      | BinOp(op,e1,e2,_) ->
          TBinOp(op,
                 internal_force_back env e1, internal_force_back env e2)
      | CastE(TInt(IInt,[Attr("integer",[])]),e) ->
          TLogic_coerce(Linteger, internal_force_back env e)
      | CastE(TFloat(FFloat,[Attr("real",[])]),e) ->
          TLogic_coerce(Lreal, internal_force_back env e)
      | CastE(ty,e) -> TCastE(ty,internal_force_back env e)
      | AddrOf lv -> TAddrOf(force_back_lval_to_term_lval env lv)
      | StartOf lv -> TStartOf(force_back_lval_to_term_lval env lv)
    in
    term_of_exp_info e.eloc tnode einfo
  in
  internal_force_back env e

and force_back_offset_to_term_offset env = function
  | NoOffset -> TNoOffset
  | Field(fi,off) ->
    TField(fi,force_back_offset_to_term_offset env off)
  | Index(idx,off) ->
    TIndex(
      force_back_exp_to_term env idx,
      force_back_offset_to_term_offset env off)

and force_back_lhost_to_term_lhost env = function
  | Var v ->
    begin try
            let logv = Varinfo.Map.find v env.vars in
            logv.lv_type <- Ctype v.vtype;
            TVar logv
      with Not_found ->
        try Varinfo.Map.find v env.term_lhosts
        with Not_found -> TVar(cvar_to_lvar v)
    end
  | Mem e -> TMem(force_back_exp_to_term env e)

and force_back_lval_to_term_lval env (host,off) =
  force_back_lhost_to_term_lhost env host,
  force_back_offset_to_term_offset env off

(* Force conversion from expr to term *)

let rec force_exp_to_term e =
  let tnode = match (stripInfo e).enode with
    | Info _ -> assert false
    | Const c -> TConst (Logic_utils.constant_to_lconstant c)
    | Lval lv -> TLval(force_lval_to_term_lval lv)
    | SizeOf ty -> TSizeOf ty
    | SizeOfE e -> TSizeOfE(force_exp_to_term e)
    | SizeOfStr s -> TSizeOfStr s
    | AlignOf ty -> TAlignOf ty
    | AlignOfE e -> TAlignOfE(force_exp_to_term e)
    | UnOp(op,e,_) -> TUnOp(op,force_exp_to_term e)
    | BinOp(op,e1,e2,_) ->
        TBinOp(op, force_exp_to_term e1, force_exp_to_term e2)
    | CastE(ty,e) -> TCastE(ty,force_exp_to_term e)
    | AddrOf lv -> TAddrOf(force_lval_to_term_lval lv)
    | StartOf lv -> TStartOf(force_lval_to_term_lval lv)
  in
  {
    term_node = tnode;
    term_loc = e.eloc;
    term_type = Ctype(typeOf e);
    term_name = [];
  }

and force_offset_to_term_offset = function
  | NoOffset -> TNoOffset
  | Field(fi,off) ->
      TField(fi,force_offset_to_term_offset off)
  | Index(idx,off) ->
      TIndex(
        force_exp_to_term idx,
        force_offset_to_term_offset off)

and force_lhost_to_term_lhost = function
  | Var v -> TVar(cvar_to_lvar v)
  | Mem e -> TMem(force_exp_to_term e)

and force_lval_to_term_lval (host,off) =
  force_lhost_to_term_lhost host,
  force_offset_to_term_offset off

(* Force conversion from expr to predicate *)

let rec force_exp_to_predicate e =
  let pnode = match (stripInfo e).enode with
    | Info _ -> assert false
    | Const c ->
        begin match possible_value_of_integral_const c with
          | Some i -> if Integer.equal i Integer.zero then Pfalse else Ptrue
          | None -> assert false
        end
    | UnOp(LNot,e',_) -> Pnot(force_exp_to_predicate e')
    | BinOp(LAnd,e1,e2,_) ->
        Pand(force_exp_to_predicate e1,force_exp_to_predicate e2)
    | BinOp(LOr,e1,e2,_) ->
        Por(force_exp_to_predicate e1,force_exp_to_predicate e2)
    | BinOp(op,e1,e2,_) ->
        let rel = match op with
          | Lt -> Rlt
          | Gt -> Rgt
          | Le -> Rle
          | Ge -> Rge
          | Eq -> Req
          | Ne -> Rneq
          | _ -> assert false
        in
        Prel(rel,force_exp_to_term e1,force_exp_to_term e2)
    | Lval _ | CastE _ | AddrOf _ | StartOf _ | UnOp _
    | SizeOf _ | SizeOfE _ | SizeOfStr _ | AlignOf _ | AlignOfE _ ->
        assert false
  in
  { name = []; loc = e.eloc; content = pnode; }

let force_exp_to_assertion e =
  Logic_const.new_code_annotation (AAssert([], force_exp_to_predicate e))


(* Visitor methods for sharing preaction/postaction between exp/term/tsets *)

let do_on_term_offset (preaction_offset,postaction_offset) tlv =
  let preaction_toffset tlv =
    match preaction_offset with None -> tlv | Some preaction_offset ->
      try
        let lv,env = force_term_offset_to_offset tlv in
        let lv = preaction_offset lv in
        force_back_offset_to_term_offset env lv
      with Exit -> tlv
  in
  let postaction_toffset tlv =
    match postaction_offset with None -> tlv | Some postaction_offset ->
      try
        let lv,env = force_term_offset_to_offset tlv in
        let lv = postaction_offset lv in
        force_back_offset_to_term_offset env lv
      with Exit -> tlv
  in
  ChangeDoChildrenPost (preaction_toffset tlv, postaction_toffset)

let do_on_term_lval (preaction_lval,postaction_lval) tlv =
  let preaction_tlval tlv =
    match preaction_lval with None -> tlv | Some preaction_lval ->
      try
        let lv,env = force_term_lval_to_lval tlv in
        let lv = preaction_lval lv in
        force_back_lval_to_term_lval env lv
      with Exit -> tlv
  in
  let postaction_tlval tlv =
    match postaction_lval with None -> tlv | Some postaction_lval ->
      try
        let lv,env = force_term_lval_to_lval tlv in
        let lv = postaction_lval lv in
        force_back_lval_to_term_lval env lv
      with Exit -> tlv
  in
  ChangeDoChildrenPost (preaction_tlval tlv, postaction_tlval)

let do_on_term (preaction_expr,postaction_expr) t =
  let preaction_term t =
    match preaction_expr with None -> t | Some preaction_expr ->
      try
        let e,env = force_term_to_exp t in
        let e = map_under_info preaction_expr e in
        force_back_exp_to_term env e
      with Exit -> t
  in
  let postaction_term t =
    match postaction_expr with None -> t | Some postaction_expr ->
      try
        let e,env = force_term_to_exp t in
        let e = map_under_info postaction_expr e in
        force_back_exp_to_term env e
      with Exit -> t
  in
  ChangeDoChildrenPost (preaction_term t, postaction_term)

(*****************************************************************************)
(* Debugging                                                                 *)
(*****************************************************************************)

let checking = true

let print_to_stdout file =
  Log.print_on_output (Extlib.swap Printer.pp_file file)

class checkTypes =
  let preaction_expr e = ignore (typeOf e); e in
object

  inherit Visitor.frama_c_inplace

  method! vexpr e =
    ChangeDoChildrenPost (preaction_expr e, fun x -> x)

(* I comment on purpose additional verifications, because they cause some tests
   to fail, see e.g. [copy_struct], because term-lhost TResult does not have
   a type for a proper conversion to expression. *)

(*   method vterm = *)
(*     do_on_term (Some preaction_expr,None) *)

end

let check_types file =
  (* check types *)
  let visitor = new checkTypes in
  visitFramacFile visitor file;
  Jessie_options.debug ~level:2 "%a@." Printer.pp_file file
  (* check general consistency *)
(*   Cil.visitCilFile (new File.check_file :> Cil.cilVisitor) file *)

(* VP: unused function *)
(*
class check_file: Visitor.frama_c_visitor  =
object(self)

  inherit Visitor.generic_frama_c_visitor
    (Project.current ()) (Cil.inplace_visit ()) as super

  val known_fields = Cil_datatype.Fieldinfo.Hashtbl.create 7

  method vterm t =
    match t.term_node with
      | TLval _ ->
	  begin match t.term_type with
	    | Ctype ty when isVoidType ty ->
		Jessie_options.fatal
                  ~current:true "Term %a has void type" Printer.pp_term t
	    | _ -> DoChildren
	  end
      | _ -> DoChildren

  method voffs = function
      NoOffset -> SkipChildren
    | Index _ -> DoChildren
    | Field(fi,_) ->
        begin
          try
            if not (fi == Cil_datatype.Fieldinfo.Hashtbl.find known_fields fi)
            then
	      Jessie_options.warning ~current:true
		"Field %s of type %s is not shared between declaration and use"
                fi.fname fi.fcomp.cname
          with Not_found ->
	    Jessie_options.warning ~current:true
	      "Field %s of type %s is unbound in the AST"
              fi.fname fi.fcomp.cname
        end;
        DoChildren

  method vterm_offset = function
    | TNoOffset -> SkipChildren
    | TIndex _ -> DoChildren
    | TModel _ -> DoChildren
    | TField(fi,_) ->
        begin
          try
            if not (fi == Cil_datatype.Fieldinfo.Hashtbl.find known_fields fi)
            then
              Jessie_options.warning ~current:true
		"Field %s of type %s is not shared between declaration and use"
                fi.fname fi.fcomp.cname
	  with Not_found ->
	    Jessie_options.warning ~current:true
	      "Field %s of type %s is unbound in the AST"
               fi.fname fi.fcomp.cname
        end;
        DoChildren

  method vinitoffs = self#voffs

  method vglob_aux = function
      GCompTag(c,_) ->
        List.iter
          (fun x -> Cil_datatype.Fieldinfo.Hashtbl.add known_fields x x) c.cfields;
        DoChildren
    | _ -> DoChildren

end
*)

(*****************************************************************************)
(* Miscellaneous                                                             *)
(*****************************************************************************)

(* Queries *)

let is_base_addr t = match (stripTermCasts t).term_node with
  | Tbase_addr _ -> true
  | _ -> false

(* Smart constructors *)

(* Redefine statement constructor of CIL to create them with valid sid *)
let mkStmt = mkStmt ~valid_sid:true

let mkterm tnode ty loc =
  {
    term_node = tnode;
    term_loc = loc;
    term_type = ty;
    term_name = []
  }

let term_of_var v =
  let lv = cvar_to_lvar v in
  if app_term_type isArrayType false lv.lv_type then
    let ptrty =
      TPtr(force_app_term_type element_type lv.lv_type,[])
    in
    mkterm (TStartOf(TVar lv,TNoOffset)) (Ctype ptrty) v.vdecl
  else
    mkterm (TLval(TVar lv,TNoOffset)) lv.lv_type v.vdecl

let mkInfo e =
  match e.enode with
      Info _ -> e
    | _ ->
        let einfo = { exp_type = Ctype voidType; exp_name = [] } in
        (* In many cases, the correct type may not be available, as
         * the expression may result from a conversion from a term or a tset.
         * Calling [typeOf] on such an expression may raise an error.
         * Therefore, put here a dummy type until tsets correctly typed.
         *)
        new_exp ~loc:e.eloc (Info(e,einfo))

(* Manipulation of offsets *)
(* VP: unused function *)
(*
let rec offset_list = function
  | NoOffset -> []
  | Field (fi,off) -> (Field (fi, NoOffset)) :: offset_list off
  | Index (e,off) -> (Index (e, NoOffset)) :: offset_list off
*)
let is_last_offset = function
  | NoOffset -> true
  | Field (_fi,NoOffset) -> true
  | Field (_fi,_) -> false
  | Index (_e,NoOffset) -> true
  | Index (_e,_) -> false

(* Transform an index on a multi-dimensional array into an index on the
 * same array that would be flattened to a single dimensional array.
 *)
let rec lift_offset ty = function
  | Index(idx1,(Index(idx2, _off) as suboff)) ->
      let subty = direct_element_type ty in
      let siz = array_size subty in
      begin match lift_offset subty suboff with
	| Index(idx, off) ->
	    let mulidx =
              new_exp ~loc:idx2.eloc
                (BinOp(Mult,idx1,constant_expr siz,intType)) in
	    (* Keep info at top-level for visitors on terms that where
	     * translated to expressions. Those expect these info when
	     * translating back to term.
	     *)
	    let addidx =
	      map_under_info
                (fun e ->
                   new_exp ~loc:e.eloc (BinOp(PlusA,mulidx,idx,intType))) idx1
	    in
	    Index(addidx,off)
	| _ -> assert false
      end
  | Index(idx1,NoOffset) as off ->
      let subty = direct_element_type ty in
      if isArrayType subty then
	let siz = array_size subty in
	(* Keep info at top-level *)
	let mulidx =
	  map_under_info
	    (fun e ->
               new_exp ~loc:e.eloc
                 (BinOp(Mult,idx1,constant_expr siz,intType)))
            idx1
	in
	Index(mulidx,NoOffset)
      else off
  | off -> off

(* VP: unused function *)
(* let change_idx idx1 idx siz =
  let boff =
    Logic_utils.mk_dummy_term (TBinOp(Mult,idx1,constant_term Cil_datatype.Location.unknown siz))
      intType
  in
  Logic_utils.mk_dummy_term (TBinOp(PlusA,boff,idx)) intType

 let rec lift_toffset ty off =
  match off with
      TIndex(idx1,(TIndex _ as suboff)) ->
        let subty = direct_element_type ty in
        let siz = array_size subty in
        begin match lift_toffset subty suboff with
            | TIndex(idx,off) -> TIndex(change_idx idx1 idx siz,off)
            | TModel _ | TField _ | TNoOffset -> assert false
        end
    | TIndex(idx1,TNoOffset) ->
        let subty = direct_element_type ty in
        if isArrayType subty then
          let siz = array_size subty in
          TIndex(change_idx
                   idx1
                   (constant_term Cil_datatype.Location.unknown Integer.zero)
                   siz,
                 TNoOffset)
        else off
    | TIndex _ | TField _ | TModel _ | TNoOffset -> off
*)
(* Allocation/deallocation *)

let malloc_function () =
  try
    Kernel_function.get_vi (Globals.Functions.find_by_name "malloc")
  with Not_found ->
    let params = Some ["size",uintType,[]] in
    let f =
      findOrCreateFunc
	(Ast.get ()) "malloc" (TFun(voidPtrType,params,false,[]))
    in
    let prm =
      try
        List.hd (Cil.getFormalsDecl f)
      with Not_found | Invalid_argument _ ->
        fatal "unexpected prototype for malloc"
    in
    let range =
      Logic_const.trange
        (Some (Cil.lzero ()),
         Some (Logic_const.tvar (Cil.cvar_to_lvar prm)))
    in
    let typ = Ctype Cil.charPtrType in
    let base =
      Logic_const.term
        (TCastE(Cil.charPtrType,Logic_const.tresult Cil.charPtrType)) typ
    in
    let alloc =
      Logic_const.new_identified_term
        (Logic_const.term (TBinOp(PlusPI,base,range)) typ)
    in
    let behav = {
      b_name = Cil.default_behavior_name;
      b_assumes = [];
      b_requires = [];
      b_extended = [];
      b_assigns = Writes [];
      b_allocation = FreeAlloc([],[alloc]);
      b_post_cond = [];
    } in
    let spec = { (empty_funspec ()) with spec_behavior = [behav]; } in
    Globals.Functions.replace_by_declaration
      spec f Cil_datatype.Location.unknown;
    let kf = Globals.Functions.get f in
    Annotations.register_funspec ~emitter:jessie_emitter kf;
    f

let free_function () =
  try
    Kernel_function.get_vi (Globals.Functions.find_by_name "free")
  with Not_found ->
    let params = Some ["ptr",voidPtrType,[]] in
    let f =
      findOrCreateFunc
	(Ast.get ()) "free" (TFun(voidType,params,false,[]))
    in
    let prm =
      try
        List.hd (Cil.getFormalsDecl f)
      with Not_found | Invalid_argument _ ->
        fatal "unexpected prototype for free"
    in
    let frees =
      Logic_const.new_identified_term
        (Logic_const.tvar (Cil.cvar_to_lvar prm))
    in
    let behav = {
      b_name = Cil.default_behavior_name;
      b_assumes = [];
      b_post_cond = [];
      b_requires = [];
      b_extended = [];
      b_allocation = FreeAlloc([frees],[]);
      b_assigns = Writes [];
    }
    in
    let spec = { (empty_funspec ()) with spec_behavior = [behav]; } in
    Globals.Functions.replace_by_declaration
      spec f Cil_datatype.Location.unknown;
    let kf = Globals.Functions.get f in
    Annotations.register_funspec ~emitter:jessie_emitter kf;
    f

let mkalloc v ty loc =
  let callee = new_exp ~loc (Lval(Var(malloc_function ()),NoOffset)) in
  let arg = sizeOf ~loc ty in
  Call(Some(Var v,NoOffset),callee,[arg],loc)

let mkalloc_statement v ty loc = mkStmt (Instr(mkalloc v ty loc))

let mkalloc_array v ty num loc =
  let callee = new_exp ~loc (Lval(Var(malloc_function ()),NoOffset)) in
  let arg = constant_expr
    (Integer.of_int64 (Int64.mul num (Int64.of_int (bytesSizeOf ty))))
  in
  Call(Some(Var v,NoOffset),callee,[arg],loc)

let mkalloc_array_statement v ty num loc =
  mkStmt (Instr(mkalloc_array v ty num loc))

let mkfree v loc =
  let callee = new_exp ~loc (Lval(Var(free_function ()),NoOffset)) in
  let arg = new_exp ~loc (Lval(Var v,NoOffset)) in
  Call(None,callee,[arg],loc)

let mkfree_statement v loc = mkStmt (Instr(mkfree v loc))

let predicate loc p =
  {
    name = [];
    loc = loc;
    content = p;
  }

(*
Local Variables:
compile-command: "LC_ALL=C make -C .. -j byte"
End:
*)
why-2.34/frama-c-plugin/interp.mli0000644000175000017500000000501312311670312015422 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* import from JC *)
open Jc

type int_model = IMexact | IMbounded | IMmodulo

val int_model : int_model ref

(* transforms a CIL AST into a Jessie AST *)
val file : Cil_types.file -> Jc_ast.pdecl list

val pragmas : Cil_types.file -> Jc_output.jc_decl list
why-2.34/java/0000755000175000017500000000000012311670312011536 5ustar  rtuserswhy-2.34/java/java_analysis.ml0000644000175000017500000002375312311670312014726 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*

  Performs several analyses after Java typing and before interpretation into Jessie code.

  1) determines which structure type to introduce for arrays
  2) disambiguates names:
     . different constructors for the same class are named
         Class_typearg1_..._typeargn
     . methods
         * with same names in different classes or interfaces
             Class_or_Interface_method_name
         * with same names in same class or interface
             Class_or_Interface_method_name_typearg1_..._typeargn

*)

open Java_pervasives
open Java_env
open Java_tast
open Format

let array_struct_table = Hashtbl.create 17

let name_base_type t =
  match t with
    | Tboolean -> "boolean"
    | Tchar -> "char"
    | Tbyte -> "byte"
    | Tinteger -> "integer" 
    | Tshort -> "short"
    | Tlong -> "long"
    | Tint -> "int" 
    | Tunit -> "unit"
    | Tfloat -> "float"
    | Treal -> "real"
    | Tdouble -> "double"
    | Tstring -> "string"

let rec name_type t =
  match t with
    | JTYbase t -> name_base_type t
    | JTYclass(_,c) -> c.class_info_name
    | JTYinterface i -> i.interface_info_name
    | JTYarray (_, ty) -> name_type ty ^ "A"
    | JTYnull -> assert false
    | JTYlogic _ -> assert false

let rec intro_array_struct t =
  let n = name_type t in 
  try
    let _ = Hashtbl.find array_struct_table n in ()
  with Not_found ->
    Java_options.lprintf "Adding array struct for type %a under name %s@." 
      Java_typing.print_type t n;
      (* array structs indexed by name rather than by type,
	 to void generation of two structs for nullable and non_null types
	 of the same name.
	 - Nicolas R. *)
      Hashtbl.add array_struct_table n (t, n ^ "M", n ^ "P")

let term _t = () (* TODO *)

let assertion _a = () (* TODO *)

let rec expr e = 
  match e.java_expr_node with
    | JElit _l -> ()
    | JEincr_local_var(_op,_v) -> ()
    | JEincr_field(_op,e1,_fi) -> expr e1
    | JEun (_, e1) -> expr e1
    | JEbin (e1, _, e2) | JEincr_array (_, e1, e2) -> expr e1; expr e2 
    | JEvar _vi -> ()
    | JEstatic_field_access(_ci,_fi) -> ()
    | JEfield_access(e1,_fi) -> expr e1
    | JEarray_length e -> 
	begin
	  match e.java_expr_type with
	    | JTYarray (_, ty) -> intro_array_struct ty 
	    | _ -> assert false
	end
    | JEarray_access(e1,e2) -> 
	expr e1; expr e2;
	begin
	  match e1.java_expr_type with
	    | JTYarray (_, ty) -> intro_array_struct ty
	    | _ -> assert false
	end
    | JEassign_local_var (_, e)
    | JEassign_local_var_op (_, _, e)
    | JEassign_static_field (_, e) 
    | JEassign_static_field_op (_, _, e) -> expr e
    | JEassign_field(e1,_fi,e2) -> expr e1; expr e2
    | JEassign_field_op(e1,_fi,_op,e2) -> expr e1; expr e2
    | JEif(e1,e2,e3) -> expr e1; expr e2; expr e3
    | JEassign_array(e1,e2,e3) 
    | JEassign_array_op(e1,e2,_,e3) -> 
	expr e1; expr e2; expr e3;
	begin
	  match e1.java_expr_type with
	    | JTYarray (_, ty) -> intro_array_struct ty
	    | _ -> 
		eprintf "unexpected type: e1:%a e2:%a e3:%a@." 
		  Java_typing.print_type e1.java_expr_type
		  Java_typing.print_type e2.java_expr_type
		  Java_typing.print_type e3.java_expr_type;
		assert false
	end
    | JEcall(e,_mi,args) ->
	expr e;	List.iter expr args
    | JEconstr_call (e, _, args) ->
	expr e; List.iter expr args
    | JEstatic_call(_mi,args) ->
	List.iter expr args
    | JEnew_array(_ty,dims) ->
	List.iter expr dims
	(* intro_array_struct ty ??? *)
    | JEnew_object(_ci,args) ->
	List.iter expr args
    | JEinstanceof(e,_)
    | JEcast(_,e) -> expr e

let do_initializer i = 
  match i with
    | JIexpr e -> expr e
    | _ -> assert false (* TODO *)

let switch_label = function
  | Java_ast.Default -> ()
  | Java_ast.Case e -> expr e
  
let behavior (_id,assumes,_throws,assigns,allocates,ensures) =
  Option_misc.iter assertion assumes;
  Option_misc.iter (fun (_,l) -> List.iter term l) assigns;
  Option_misc.iter (fun (_,l) -> List.iter term l) allocates;
  assertion ensures

let loop_annot annot =
  assertion annot.loop_inv;
  List.iter (fun (_,a) -> assertion a) annot.behs_loop_inv;
  Option_misc.iter term annot.loop_var

let rec statement s =
  match s.java_statement_node with
    | JSskip 
    | JSreturn_void
    | JSbreak _ | JScontinue _ -> ()
    | JSlabel(_lab,s) -> statement s
    | JSblock l -> List.iter statement l	  
    | JSvar_decl (_vi, init, s) ->
	Option_misc.iter do_initializer init;
	statement s
    | JSif (e, s1, s2) -> expr e; statement s1; statement s2
    | JSdo (s, annot, e) ->
	statement s; loop_annot annot; expr e
    | JSwhile(e,annot,s) ->
	  expr e; loop_annot annot; statement s
    | JSfor (el1, e, annot, el2, body) ->
	List.iter expr el1;
	expr e;
	loop_annot annot;
	List.iter expr el2;
	statement body
    | JSfor_decl(decls,e,annot,sl,body) ->
	List.iter 
	  (fun (_,init) -> Option_misc.iter do_initializer init) decls;
	expr e;
	loop_annot annot;
	List.iter expr sl;
	statement body
    | JSthrow e
    | JSreturn e 
    | JSexpr e -> expr e
    | JSassert(_,_,e) -> assertion e
    | JSswitch(e,l) -> 
	expr e;
	List.iter (fun (labels,b) ->
		     List.iter switch_label labels;
		     List.iter statement b)
	  l
    | JStry(s, catches, finally) ->
	List.iter statement s;
	List.iter (fun (_,s) -> List.iter statement s) catches;
	Option_misc.iter (List.iter statement) finally
    | JSstatement_spec(req,dec,behs,s) ->
	Option_misc.iter assertion req;
	Option_misc.iter term dec;
	List.iter behavior behs;
	statement s

let param vi =
  match vi.java_var_info_type with
    | JTYarray (_, ty) -> intro_array_struct ty
    | _ -> ()

let string_of_parameters vil =
  (List.fold_right
     (fun (vi, _) acc -> "_" ^ name_type vi.java_var_info_type ^ acc) vil "")

let disambiguates_method_names () =
  let methods_list =
    Hashtbl.fold (fun _ mt acc -> mt :: acc) Java_typing.methods_table []
  in
  let methods_list =
    List.sort 
      (fun mt1 mt2 -> 
	 let mi1 = mt1.Java_typing.mt_method_info in
	 let mi2 = mt2.Java_typing.mt_method_info in
	   String.compare mi1.method_info_trans_name mi2.method_info_trans_name)
      methods_list 
  in
  let rec disambiguates methods_list =
    match methods_list with
      | [] | [_] -> ()
      | mt1::(mt2::_ as tl) ->
	  let mi1 = mt1.Java_typing.mt_method_info in
	  let mi2 = mt2.Java_typing.mt_method_info in
	    if mi1.method_info_trans_name = mi2.method_info_trans_name then
	      begin
		mi1.method_info_trans_name <-
		  mi1.method_info_trans_name ^
		  string_of_parameters mi1.method_info_parameters;
		mi2.method_info_trans_name <-
		  mi2.method_info_trans_name ^
		  string_of_parameters mi2.method_info_parameters;
	      end;
	    disambiguates tl
  in
    disambiguates methods_list;
    List.iter
      (fun mt -> Hashtbl.replace Java_typing.methods_table
	 mt.Java_typing.mt_method_info.method_info_tag mt)
      methods_list

let do_method mi _req _behs body =
(*
  Option_misc.iter assertion req;
  ... behs
*)
  mi.method_info_trans_name <-
    (get_method_info_class_or_interface_name mi) ^ "_" ^
    mi.method_info_name;
  disambiguates_method_names ();
  List.iter param (List.map fst mi.method_info_parameters);
  Option_misc.iter (List.iter statement) body;
  Option_misc.iter param mi.method_info_result


let do_constructor ci _req _behs body =
(*
  let l = ci.constr_info_class.class_info_constructors in
  if List.length l >= 2 then
    begin
*)
      ci.constr_info_trans_name <-
	"cons_" ^ ci.constr_info_class.class_info_name ^
	string_of_parameters ci.constr_info_parameters;
(*
    end;
*)
  List.iter statement body

let do_field fi =
  match fi.java_field_info_type with
    | JTYarray (_, ty) -> intro_array_struct ty
    | _ -> ()

let do_type ty =
  match ty with
    | TypeClass ci -> 
	List.iter do_field ci.class_info_fields
    | TypeInterface ii -> 
	List.iter do_field ii.interface_info_fields


(*
Local Variables: 
compile-command: "make -j -C .. bin/krakatoa.byte"
End: 
*)

why-2.34/java/java_pervasives.ml0000644000175000017500000001561712311670312015272 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*** Utility functions ***)


open Java_env

(* for method_info types *)

let get_method_info_class_or_interface_name mi =
  match mi.method_info_class_or_interface with
    | TypeClass ci -> ci.class_info_name
    | TypeInterface ii -> ii.interface_info_name
(*
    | TypeLogic _ -> assert false
*)

open Java_ast

(* for parsed exprs *)

let expr_no_loc e = 
  { java_pexpr_loc = Loc.dummy_position ; java_pexpr_node = e }

let expr_node_true = JPElit(Bool true)

let expr_true = expr_no_loc expr_node_true

let expr_zero = expr_no_loc (JPElit(Integer "0"))


open Java_tast

(* for typed statements *)

let make_statement_no_loc node = 
  { java_statement_loc = Loc.dummy_position ; java_statement_node = node }
    
(* for typed exprs *)

let make_expr_no_loc t node = 
  { java_expr_loc = Loc.dummy_position ;
    java_expr_type = t ;
    java_expr_node = node }
    
    
(*
let default_loop_annotation =
  { kml_loop_invariant = expr_true;
    kml_loop_assigns = None;
    kml_loop_variant = expr_zero;
  }

let default_method_specification =
  { kml_requires = expr_true;
  }
*)

open Java_env

let null_type = JTYnull
let unit_type = JTYbase Tunit
let boolean_type = JTYbase Tboolean
let integer_type = JTYbase Tinteger
let int_type = JTYbase Tint
let real_type = JTYbase Treal
let double_type = JTYbase Tdouble
let float_type = JTYbase Tfloat
let logic_string_type = JTYbase Tstring

let min_byte = Num.num_of_string "-128"
let max_byte = Num.num_of_string "127"
let min_short = Num.num_of_string "-32768"
let max_short = Num.num_of_string "32767"
let min_int = Num.num_of_string "-2147483648"
let max_int = Num.num_of_string "2147483647"
let min_long = Num.num_of_string "-9223372036854775808"
let max_long = Num.num_of_string "9223372036854775807"
let min_char = Num.num_of_string "0"
let max_char = Num.num_of_string "65535"

let in_byte_range n = Num.le_num min_byte n && Num.le_num n max_byte
let in_short_range n = Num.le_num min_short n && Num.le_num n max_short
let in_char_range n = Num.le_num min_char n && Num.le_num n max_char

(* variables *)

module StringSet = Set.Make(String)

(* used names (in order to rename identifiers when necessary) *)
let used_names = Hashtbl.create 97

let mark_as_used x = 
  Hashtbl.add used_names x ()

let () = 
  List.iter mark_as_used 
    (* Jessie reserved names *)
    [ "tag"; "type" ; "end" ; "begin" ; "let" ; "in"]

let is_used_name n = Hashtbl.mem used_names n

let use_name ?local_names n = 
  if is_used_name n then raise Exit; 
  begin match local_names with 
    | Some h -> if StringSet.mem n h then raise Exit 
    | None -> () 
  end;
  mark_as_used n;
  n

let rec next_name ?local_names n i = 
  let n_i = n ^ "_" ^ string_of_int i in
  try use_name ?local_names n_i 
  with Exit -> next_name ?local_names n (succ i)

let get_unique_name ?local_names n = 
  try use_name ?local_names n 
  with Exit -> next_name ?local_names n 0

let get_final_name id =
  if id = "\\result" then id else
    get_unique_name id


let new_var =
  let var_tag_counter = ref 0 in
  fun loc ty id ->
    incr var_tag_counter;
    let vi = {
      java_var_info_tag = !var_tag_counter;
      java_var_info_name = id;
      java_var_info_decl_loc = loc;
      java_var_info_final_name = get_final_name id;
      java_var_info_type = ty;
      java_var_info_assigned = false;
    }
    in vi

(* logic functions *)

let logic_info = 
  let logic_tag_counter = ref 0 in
  fun id ty labels pars ->
    incr logic_tag_counter;
    { java_logic_info_tag = !logic_tag_counter;
      java_logic_info_name = id;
      java_logic_info_labels = labels;
      java_logic_info_parameters = pars;
      java_logic_info_result_type = ty;
      java_logic_info_calls = [];
    }

(*
let real_max_fi = 
  let x = new_var Loc.dummy_position real_type "x" in
  let y = new_var Loc.dummy_position real_type "y" in
  logic_info "\\real_max" (Some real_type) [] [x;y] 
*)

let builtin_logic_symbols =
  [ (Some real_type, "\\cos", [real_type]) ;
    (Some real_type, "\\real_abs", [real_type]) ;
    (Some real_type, "\\real_max", [real_type; real_type]) ;
    (Some real_type, "\\real_min", [real_type; real_type]) ;
    (Some integer_type, "\\int_max", [integer_type; integer_type]) ;
    (Some integer_type, "\\int_min", [integer_type; integer_type]) ;
  ]


(* AG, 08/13/2009. 
   For (Java_typing.get_type_decl ... JPTimport(...)). *)
(* From a qualified identifier qid to a string.
  Can be used to implement Java_???.print_qualified_ident. *)
let rec qualified_ident2string qid separator = 
  match qid with
    | [] -> ""
    | [(_,id)] -> id
    | (_,id)::r ->
        (qualified_ident2string r separator) ^ separator ^ id

(*
Local Variables: 
compile-command: "make -C .. bin/krakatoa.byte"
End: 
*)
why-2.34/java/java_ast.mli0000644000175000017500000002477012311670312014043 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(***************************************************************************

Abstract syntax trees for Java source files

$Id: java_ast.mli,v 1.49 2009-11-12 16:55:27 marche Exp $

***************************************************************************)

open Java_env

(*s Qualified identifiers *)

type identifier = Loc.position * string

type qualified_ident = identifier list

(*s Modifiers *)

type modifier =
  | Static | Final  | Public | Private | Protected | Native
  | Synchronized | Abstract | Transient (* "threadsafe" ? *) | Volatile
  | Strictfp
  | Ghost | Model
  | Non_null | Nullable | Annot_modifier of Lexing.position * string

type modifiers = modifier list

(*s type expressions *)

type type_expr =
    | Base_type of base_type
    | Type_name of qualified_ident
    | Array_type_expr of type_expr

(*s expressions *)

type quantifier = Forall | Exists

type variable_id =
  | Simple_id of identifier
  | Array_id of variable_id


type incr_decr_op = Preincr | Predecr | Postincr | Postdecr

type bin_op =
    | Badd | Bsub | Bmul | Bdiv | Bmod
    | Band | Bor | Bimpl | Biff
    | Bbwand | Bbwor | Bbwxor
    | Blsl | Blsr | Basr
    | Beq | Bne | Bgt | Blt | Ble | Bge
    | Bconcat (* + for Strings *)

type un_op = Uplus | Uminus | Unot | Ucompl

type java_field_access =
  | Super_access of identifier
  | Primary_access of pexpr * identifier

and pexpr =
  { java_pexpr_loc : Loc.position ;
    java_pexpr_node : pexpr_node }

and pexpr_node =
  | JPElit of literal
  | JPEbin of pexpr * bin_op * pexpr         (*r binary operations *)
  | JPEun of un_op * pexpr                 (*r (pure) unary operations *)
  | JPEincr of incr_decr_op * pexpr (*r pre-post incr/decr operations *)
(*
  | JPEvar of identifier
*)
  | JPEname of qualified_ident
  | JPEassign_name of qualified_ident * bin_op * pexpr
  | JPEassign_field of java_field_access * bin_op * pexpr
  | JPEassign_array of pexpr * pexpr * bin_op * pexpr
      (*r [Assign_array(e1,e2,op,e3)] is [e1[e2] op e3] *)
      (*r assignment op is =, +=, etc. *)
  | JPEif of pexpr * pexpr * pexpr
  | JPEthis
  | JPEfield_access of java_field_access
  | JPEcall_name of qualified_ident * identifier list * pexpr list
  | JPEcall_expr of pexpr * identifier * pexpr list
  | JPEsuper_call of identifier * pexpr list
  | JPEnew of qualified_ident * pexpr list
  | JPEnew_array of type_expr * pexpr list
      (*r type, explicit dimensions *)
  | JPEarray_access of pexpr * pexpr
  | JPEarray_range of pexpr * pexpr option * pexpr option
  | JPEcast of type_expr * pexpr
  | JPEinstanceof of pexpr * type_expr
      (* in annotations only *)
  | JPEresult
  | JPEfresh of pexpr
  | JPEold of pexpr
  | JPEat of pexpr * identifier
(*
  | Type of type_expr
  | Typeof of expr
*)
  | JPEquantifier of quantifier * (type_expr * variable_id list) list * pexpr


(*
and set_ref =
  | Set_array_index of expr
      (*r e[e] *)
  | Set_array_interval of expr * expr
      (*r e[e..e] *)
  | Set_array
      (*r e[*] *)
  | Set_field of instance_variable_entry
      (* e.f *)
  | Set_fieldraw of identifier
*)

(*s variable declarations *)

type variable_initializer =
  | Simple_initializer of pexpr
  | Array_initializer of variable_initializer list

type variable_declarator =
    { variable_id : variable_id ;
      variable_initializer : variable_initializer option }


type variable_declaration =
    { variable_modifiers : modifiers ;
      variable_type : type_expr ;
      variable_decls : variable_declarator list }


(*s statements *)

type pbehavior =
    { java_pbehavior_assumes : pexpr option;
      java_pbehavior_assigns : (Loc.position * pexpr list) option;
      java_pbehavior_allocates : (Loc.position * pexpr list) option;
      java_pbehavior_throws : (qualified_ident * identifier option) option;
      java_pbehavior_ensures : pexpr
    }

type 'a switch_label =
  | Case of 'a
  | Default

type parameter =
  | Simple_parameter of modifier option * type_expr * identifier
  | Array_parameter of parameter

type pstatement =
  { java_pstatement_loc : Loc.position ;
    java_pstatement_node : pstatement_node }

and pstatement_node =
  | JPSskip                  (*r empty statement *)
  | JPSexpr of pexpr
  | JPSvar_decl of variable_declaration
  | JPSthrow of pexpr
  | JPSreturn of pexpr option
  | JPSbreak of identifier option
  | JPScontinue of identifier option
  | JPSlabel of identifier * pstatement
  | JPSif of pexpr * pstatement * pstatement
  | JPSwhile of pexpr * pstatement
  | JPSdo of pstatement * pexpr
  | JPSfor of pexpr list * pexpr * pexpr list * pstatement
  | JPSfor_decl of variable_declaration * pexpr * pexpr list * pstatement
  | JPStry of block * (parameter * block) list * block option
  | JPSswitch of pexpr * (pexpr switch_label list * block) list
  | JPSblock of block
  | JPSsynchronized of pexpr * block
  | JPSassert of identifier option * identifier option * pexpr
      (* for id1: assert id2 : e *)
  | JPSghost_local_decls of variable_declaration
  | JPSghost_statement of pexpr
  | JPSannot of Lexing.position * string
  | JPSloop_annot of pexpr * (identifier * pexpr) list *
      (pexpr * identifier option) option
      (* inv, beh invs, variant *)
  | JPSstatement_spec of
      pexpr option * (pexpr * identifier option) option
      * (identifier * pbehavior) list
      (* requires, decreases, behaviors *)

and block = pstatement list

;;

(*s method declarations *)

type method_declarator =
  | Simple_method_declarator of identifier * parameter list
  | Array_method_declarator of method_declarator
;;

type method_declaration =
    { method_modifiers : modifiers ;
      method_return_type : type_expr option ;
      method_declarator : method_declarator ;
      method_throws : qualified_ident list ;
    }
;;

(*s constructor declarations *)


type explicit_constructor_invocation =
  | Invoke_none
  | Invoke_this of pexpr list
  | Invoke_super of pexpr list

type constructor_declaration =
    { constr_modifiers : modifiers ;
      constr_name : identifier ;
      constr_parameters : parameter list ;
      constr_throws : qualified_ident list }
;;




(*s class declarations *)

type field_declaration =
  | JPFmethod of method_declaration * block option
  | JPFconstructor of constructor_declaration *
      explicit_constructor_invocation * block
  | JPFvariable of variable_declaration
  | JPFstatic_initializer of block
  | JPFannot of Lexing.position * string
  | JPFinvariant of identifier * pexpr
  | JPFstatic_invariant of identifier * pexpr
  | JPFmethod_spec of
      pexpr option * (pexpr * identifier option) option
      * (identifier * pbehavior) list
        (* requires, decreases, behaviors *)
  | JPFclass of class_declaration
  | JPFinterface of interface_declaration

and class_declaration =
    {
      class_modifiers : modifiers;
      class_name : identifier;
      class_extends : qualified_ident option;
      class_implements : qualified_ident list;
      class_fields : field_declaration list
    }

(*s interface declarations *)

and interface_declaration =
    { interface_modifiers : modifiers;
      interface_name : identifier;
      interface_extends : qualified_ident list;
      interface_members : field_declaration list
    }



(* my 30.07*)

type poly_theory_id =
 | PolyTheoryId of qualified_ident * identifier list (* type type_parameter_list *)

(*s compilation units *)

type type_declaration =
  | JPTclass of class_declaration
  | JPTinterface of interface_declaration
  | JPTannot of Lexing.position * string
  | JPTlemma of identifier * bool * identifier list * pexpr
  | JPTlogic_type_decl of identifier
  | JPTlogic_reads of identifier * type_expr option * identifier list * parameter list * pexpr list option
  | JPTlogic_def of identifier * type_expr option * identifier list * parameter list * pexpr
  | JPTinductive of identifier * identifier list * parameter list * (identifier * identifier list * pexpr) list
  | JPTaxiomatic of identifier * type_declaration list
  | JPTimport of  poly_theory_id


type theory =
 | JPTtheory of poly_theory_id * type_declaration list


type import_statement =
  | Import_package of qualified_ident
  | Import_class_or_interface of qualified_ident

type compilation_unit =
    {
      cu_package : qualified_ident;
      cu_imports : import_statement list;
      cu_type_decls : type_declaration list
    }

(*
Local Variables:
compile-command: "make -C .. bin/krakatoa.byte"
End:
*)
why-2.34/java/java_tast.mli0000644000175000017500000001731212311670312014221 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Java_env

type bin_op = Java_ast.bin_op
type un_op = Java_ast.un_op
type incr_decr_op = Java_ast.incr_decr_op

type label_assoc = (logic_label * logic_label) list

type term_node =
    | JTlit of literal
    | JTvar of java_var_info
    | JTat of term * logic_label
    | JTbin of term * base_type * bin_op * term
    | JTbin_obj of term * bin_op * term
    | JTun of base_type * un_op * term
    | JTapp of java_logic_info * label_assoc * term list
    | JTfield_access of term * java_field_info
    | JTstatic_field_access of java_type_info * java_field_info
    | JTarray_length of term
    | JTarray_access of term * term
    | JTarray_range of term * term option * term option
    | JTcast of java_type * term
    | JTif of term * term * term

and term =
    { java_term_node : term_node;
      java_term_type : java_type;
      java_term_loc : Loc.position;
    }


type quantifier = Java_ast.quantifier

type assertion_node =
  | JAtrue
  | JAfalse
  | JAat of assertion * logic_label
  | JAnot of assertion
  | JAand of assertion * assertion
  | JAor of assertion * assertion
  | JAimpl of assertion * assertion
  | JAiff of assertion * assertion
  | JAquantifier of quantifier * java_var_info * assertion
  | JAbool_expr of term
  | JAbin of term * base_type * bin_op * term
  | JAbin_obj of term * bin_op * term
  | JAapp of java_logic_info * label_assoc * term list
  | JAinstanceof of term * logic_label * java_type
  | JAif of term * assertion * assertion
  | JAfresh of term

and assertion =
    { java_assertion_node : assertion_node;
      java_assertion_loc : Loc.position;
    }

(* expressions *)

type expr =
  { java_expr_loc : Loc.position ;
    java_expr_type : java_type;
    java_expr_node : expr_node }

and expr_node =
  | JElit of literal
  | JEvar of java_var_info
  | JEbin of expr * bin_op * expr         (*r binary operations *)
  | JEun of un_op * expr                 (*r (pure) unary operations *)
  | JEif of expr * expr * expr
      (*r pre-post incr/decr operations *)
  | JEincr_local_var of incr_decr_op * java_var_info
  | JEincr_field of incr_decr_op * expr * java_field_info
  | JEincr_array of incr_decr_op * expr * expr
  | JEstatic_field_access of java_type_info * java_field_info
  | JEfield_access of expr * java_field_info
  | JEarray_length of expr
  | JEarray_access of expr * expr
  | JEassign_local_var of java_var_info * expr
  | JEassign_local_var_op of java_var_info * bin_op * expr
  | JEassign_field of expr * java_field_info * expr
  | JEassign_field_op of expr * java_field_info * bin_op * expr
  | JEassign_static_field of java_field_info * expr
  | JEassign_static_field_op of java_field_info * bin_op * expr
  | JEassign_array of expr * expr * expr
  | JEassign_array_op of expr * expr * bin_op * expr
  | JEcall of expr * method_info * expr list
  | JEconstr_call of expr * constructor_info * expr list
  | JEstatic_call of method_info * expr list
  | JEnew_array of java_type * expr list
      (*r elements type, dimensions *)
  | JEnew_object of constructor_info * expr list
      (*r constr, args *)
  | JEcast of java_type * expr
  | JEinstanceof of expr * java_type
(*
  | Static_class of class_entry
  | Static_interface of interface_entry
  | Super_method_call of identifier * pexpr list
  | Instanceof of pexpr * type_expr
      (* in annotations only *)
  | Type of type_expr
  | Typeof of expr
*)

(* statements *)

type initialiser =
  | JIexpr of expr
  | JIlist of initialiser list

type 'a switch_label = 'a Java_ast.switch_label

type behavior =
    Java_ast.identifier * (* behavior name *)
      assertion option * (* assumes *)
      java_class_info option * (* throws *)
      (Loc.position * term list) option * (* assigns *)
      (Loc.position * term list) option * (* allocates *)
      assertion (* ensures *)

type loop_annot =
    { loop_inv : assertion;
      behs_loop_inv : (Java_ast.identifier * assertion) list;
      loop_var : (term * java_logic_info option) option;
    }

type statement =
  { java_statement_loc : Loc.position ;
    java_statement_node : statement_node }

and statement_node =
  | JSskip                  (*r empty statement *)
  | JSif of expr * statement * statement
  | JSreturn_void
  | JSreturn of expr
  | JSvar_decl of java_var_info * initialiser option * statement
  | JSblock of block
  | JSdo of statement * loop_annot * expr
      (*r loop body, annot, condition *)
  | JSwhile of expr * loop_annot * statement
      (*r condition, annot, loop body *)
  | JSfor of expr list * expr * loop_annot * expr list * statement
      (*r init, condition, annot, steps, loop body *)
  | JSfor_decl of (java_var_info * initialiser option) list *
      expr * loop_annot * expr list * statement
      (*r decls, condition, annot, steps, loop body *)
  | JSexpr of expr
  | JSassert of string option * string option * assertion
  | JSswitch of expr * (expr switch_label list * block) list
  | JSbreak of string option
  | JScontinue of string option
  | JSthrow of expr
  | JStry of block * (java_var_info * block) list * block option
  | JSstatement_spec of
      assertion option * (term * java_logic_info option) option
      * behavior list * statement
	(*r requires, decreases, behaviors, statement *)
  | JSlabel of string * statement
(*
  | JPSsynchronized of pexpr * block
*)
(*
  | Kml_annot_statement of jml_annotation_statement
  | Kml_ghost_var_decl of jml_declaration list
  | Annotated of statement_specification * statement
*)

and block = statement list
;;

(*
Local Variables:
compile-command: "make -C .. bin/krakatoa.byte"
End:
*)
why-2.34/java/java_lexer.mll0000644000175000017500000003635712311670312014402 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(**************************************************************************

Lexer for JavaCard source files

VerifiCard Project - Démons research team - LRI - Université Paris XI

$Id: java_lexer.mll,v 1.42 2009-12-08 16:38:49 marche Exp $

***************************************************************************)


{

  open Java_parser
  open Lexing
  open Java_ast

  type location = position * position

  let loc lexbuf : location =
    (lexeme_start_p lexbuf, lexeme_end_p lexbuf)

  exception Lexical_error of location * string
  exception Syntax_error of location
  exception Dotdot of string


  let lex_error lexbuf s = raise (Lexical_error(loc lexbuf,s))

  let buf = Buffer.create 97

  let kw_table =
    let table = Hashtbl.create 17 in
    let _ =
      List.iter
	(fun (s,t) -> Hashtbl.add table s t)
	[ "abstract", ABSTRACT;
          "allocates", ALLOCATES;
	  "assert", ASSERT;
	  "assigns", ASSIGNS;
	  "assumes", ASSUMES;
	  "axiom", AXIOM;
	  "axiomatic", AXIOMATIC;
	  "behavior", BEHAVIOR;
	  "boolean", BOOLEAN;
	  "break", BREAK;
	  "byte", BYTE;
	  (* "byvalue", BYVALUE; ??? *)
	  "case", CASE;
	  (* "cast", CAST; ??? *)
	  "catch", CATCH;
	  "char", CHAR;
	  "class", CLASS;
	  "const", CONST;
	  "continue", CONTINUE;
	  "decreases", DECREASES;
	  "default", DEFAULT;
	  "do", DO;
	  "double", DOUBLE;
	  "else", ELSE;
	  "ensures", ENSURES;
	  "extends", EXTENDS;
	  "false", FALSE;
	  "final", FINAL;
	  "finally", FINALLY;
	  "float", FLOAT;
	  "for", FOR;
	  (* "future", FUTURE; ?? *)
	  (* "generic", GENERIC; ?? *)
	  "ghost", GHOST;
	  "goto", GOTO;
	  "if", IF;
	  "implements", IMPLEMENTS;
	  "import", IMPORT;
	  "inductive", INDUCTIVE;
	  (* "inner", INNER; ?? *)
	  "instanceof", INSTANCEOF;
	  "int", INT;
	  "integer", INTEGER;
	  "interface", INTERFACE;
	  "invariant", INVARIANT;
	  "lemma", LEMMA;
	  "logic", LOGIC;
	  "long", LONG;
	  "loop_invariant", LOOP_INVARIANT;
	  "loop_variant", LOOP_VARIANT;
	  "model", MODEL;
	  "native", NATIVE;
	  "new", NEW;
	  "non_null", NON_NULL;
	  "null", NULL;
	  "nullable", NULLABLE;
	  (* "operator", OPERATOR; ?? *)
	  (* "outer", OUTER; ?? *)
	  "package", PACKAGE;
	  "predicate", PREDICATE;
	  "private", PRIVATE;
	  "protected", PROTECTED;
	  "public", PUBLIC;
	  "reads", READS;
	  "real", REAL;
	  "requires", REQUIRES;
	  (* "rest", REST; ?? *)
	  "return", RETURN;
	  "short", SHORT;
	  "signals", SIGNALS;
	  "static", STATIC;
	  "strictfp", STRICTFP;
	  "super", SUPER;
	  "switch", SWITCH;
	  "synchronized", SYNCHRONIZED;
	  "theory", THEORY;
	  "this", THIS;
	  (* "threadsafe" ? *)
	  "throw", THROW;
	  "throws", THROWS;
	  "transient", TRANSIENT;
	  "true", TRUE;
	  "try", TRY;
	  "type", TYPE;
	  (* "var", VAR; ??? *)
	  "void", VOID;
	  "volatile", VOLATILE;
	  "while", WHILE;
	]
    in table

  let id_or_kw s =
    try
      let k = Hashtbl.find kw_table s in
      (*i
	prerr_string "Keyword ";
	prerr_endline s;
	i*)
      k
    with
	Not_found ->
	  (*i
	    prerr_string "Ident ";
	    prerr_endline s;
	    i*)
	  (ID s)

  let special_kw_table =
    let table = Hashtbl.create 17 in
    let _ =
      List.iter
	(fun (s,t) -> Hashtbl.add table s t)
	[ "\\at", BSAT;
	  "\\exists", BSEXISTS ;
	  "\\fresh", BSFRESH ;
	  "\\forall", BSFORALL ;
	  "\\nothing", BSNOTHING;
	  (*
	  "fields_of", BSFIELDSOF;
          "not_conditionally_updated", BSNOTCONDITIONALLYUPDATED;
	  *)
	  "\\old", BSOLD;
	  "\\result", BSRESULT;
	  (*"type", BSTYPE;
	  "typeof", BSTYPEOF;
	  "fpi", BSFPI; *)
	]
    in table

  let builtins_table =
    let table = Hashtbl.create 17 in
    let _ =
      List.iter
	(fun (_ty,id,_params) -> Hashtbl.add table id ())
	Java_pervasives.builtin_logic_symbols
    in table

  let special_id lexbuf s =
    try
      Hashtbl.find special_kw_table s
    with
	Not_found ->
	  try
	    let () = Hashtbl.find builtins_table s in
	    ID s
	  with
	      Not_found ->
		lex_error lexbuf ("unknown special keyword "^s)

(*

  let jml_spec_token base jml_string =
(*i
    Format.fprintf Config.log "In file %s, parsing JML Spec: %s@."
      (Location.base_filename base) jml_string;
i*)
    match Jml_syntax.parse_jml_specification base jml_string with
    | Ast_types.Jml_declaration d -> JML_DECLARATIONS(d)
    | Ast_types.Jml_method_specification s -> JML_METHOD_SPECIFICATION(s)
    | Ast_types.Jml_loop_annotation la -> JML_LOOP_ANNOTATION(la)
    | Ast_types.Jml_assertion a -> JML_ASSERTION(a)
    | Ast_types.Jml_annotation_statement Ast_types.Set_statement s -> JML_ANNOTATION_STATEMENT(Ast_types.Set_statement(s))
    | Ast_types.Jml_axiom(id,e) -> JML_AXIOM(id,e)
    | Ast_types.Jml_type(id) -> JML_TYPE(id)
    | Ast_types.Jml_logic_reads(id,t,p,r) -> JML_LOGIC_READS(id,t,p,r)
    | Ast_types.Jml_logic_def(id,t,p,e) -> JML_LOGIC_DEF(id,t,p,e)
    assert false

*)
  let newline lexbuf =
    let pos = lexbuf.lex_curr_p in
    lexbuf.lex_curr_p <-
      { pos with pos_lnum = pos.pos_lnum + 1;
	  pos_bol = pos.pos_cnum }

  let pragma lexbuf id v =
    match id with
      | "TerminationPolicy" ->
	  begin
	    Java_options.termination_policy :=
	      match v with
		| "always" -> Jc_env.TPalways
		| "user" -> Jc_env.TPuser
		| "never" -> Jc_env.TPnever
		| _ -> lex_error lexbuf ("unknown termination policy " ^ v)
	  end

      | "AbstractDomain" ->
	  begin
	    Java_options.ai_domain :=
	      match v with
		| "None" -> Jc_env.AbsNone
		| "Box" -> Jc_env.AbsBox
		| "Oct" -> Jc_env.AbsOct
		| "Pol" -> Jc_env.AbsPol
		| _ -> lex_error lexbuf ("unknown abstract domain " ^ v)
	  end
      | "AnnotationPolicy" ->
	  begin
	    Java_options.annotation_sem :=
	      match v with
		| "None" -> Jc_env.AnnotNone
		| "Invariants" -> Jc_env.AnnotInvariants
		| "WeakPre" -> Jc_env.AnnotWeakPre
		| "StrongPre" -> Jc_env.AnnotStrongPre
		| _ -> lex_error lexbuf ("unknown annotation policy " ^ v)
	  end
      | "CheckArithOverflow" ->
	  begin
	    match String.lowercase v with
	      | "yes" -> Java_options.ignore_overflow := false
	      | "no" -> Java_options.ignore_overflow := true
	      | _ -> lex_error lexbuf "yes or no expected"
	  end
      | "InvariantPolicy" ->
	  begin
	    Java_options.inv_sem :=
	      match v with
		| "None" -> Jc_env.InvNone
		| "Arguments" -> Jc_env.InvArguments
		| "Ownership" -> Jc_env.InvOwnership
		| _ -> lex_error lexbuf ("unknown invariant policy " ^ v)
	  end
      | "SeparationPolicy" ->
	  begin
	    Java_options.separation_policy :=
	      match v with
		| "None" -> Jc_env.SepNone
		| "Regions" -> Jc_env.SepRegions
		| _ -> lex_error lexbuf ("unknown separation policy " ^ v)
	  end
      | "NonNullByDefault" ->
	  begin
	    Java_options.nonnull_sem :=
	    match v with
	      | "none" -> Java_env.NonNullNone
	      | "fields" -> Java_env.NonNullFields
	      | "all" -> Java_env.NonNullAll
	      | "alllocal" -> Java_env.NonNullAllLocal
	      | _ -> lex_error lexbuf ("unknown nonnull policy " ^ v)
	  end
      | "MinimalClassHierarchy" ->
	  begin
	    match String.lowercase v with
	      | "yes" -> Java_options.minimal_class_hierarchy := true
	      | "no" -> Java_options.minimal_class_hierarchy := false
	      | _ -> lex_error lexbuf "yes or no expected"
	  end
      | _ -> lex_error lexbuf ("unknown pragma " ^ id)

}

let space = [' ' '\t' '\r' '']
let backslash_escapes =
  ['\\' '"' '\'' 'n' 't' 'b' 'r' 'f' ]
let rD = ['0'-'9']
let rL = ['a'-'z' 'A'-'Z' '_']
let rH = ['a'-'f' 'A'-'F' '0'-'9']
let rE = ['E''e']['+''-']? rD+
let rP = ['P''p']['+''-']? rD+
let rFS	= ('f'|'F'|'l'|'L')
let rIS = ('u'|'U'|'l'|'L')*


rule token = parse
  | space+
      { token lexbuf }
  | '\n'
      { newline lexbuf; token lexbuf }
  | ("/*" | "//") space+ "@"
      { lex_error lexbuf "no space allowed between /* and @" }
  | "//@+" space* ((rL | rD)+ as id) space* "="
        space* ((rL | rD)+ as v) space* '\n'
      { pragma lexbuf id v; newline lexbuf; token lexbuf }
  | "/*@"
      { let loc = lexeme_start_p lexbuf in
	Buffer.clear buf; ANNOT(loc, annot lexbuf) }
  | "//@" ([^ '\n']* as a) '\n'
      { let loc = lexeme_start_p lexbuf in
	newline lexbuf;	ANNOT(loc,a) }
  | "/*"
      { comment lexbuf; token lexbuf }
  | "//" ([^'\n''@'][^'\n']*)? '\n'
      { newline lexbuf; token lexbuf }
  | "\\" rL (rL | rD)* as id
      { special_id lexbuf id }
  | rL (rL | rD)* as id
      { id_or_kw id }
  | ';'
      { SEMICOLON }
  | ','
      { COMMA }
  | '.'
      { DOT }
  | ".."
      { DOTDOT }
  | '+'
      { PLUS }
  | '-'
      { MINUS }
  | "++"
      { PLUSPLUS }
  | "--"
      { MINUSMINUS }
  | '*'
      { STAR }
  | '/'
      { SLASH }
  | '%'
      { PERCENT }
  | "&"
      { AMPERSAND }
  | "|"
      { VERTICALBAR }
  | "&&"
      { AMPERSANDAMPERSAND }
  | "||"
      { VERTICALBARVERTICALBAR }
  | "==>"
      { EQEQGT }
  | "<==>"
      { LTEQEQGT }
  | "!"
      { BANG }
  | "~"
      { TILDA }
  | "^"
      { CARET }
  | "?"
      { QUESTIONMARK }
  | ":"
      { COLON }
  | "<<"
      { SHIFT Blsl }
  | ">>"
      { SHIFT Blsr }
  | ">>>"
      { SHIFT Basr }
  | "="
      { EQ }
  | "*="
      { ASSIGNOP Bmul }
  | "/="
      { ASSIGNOP Bdiv }
  | "%="
      { ASSIGNOP Bmod }
  | "+="
      { ASSIGNOP Badd }
  | "-="
      { ASSIGNOP Bsub }
  | "<<="
      { ASSIGNOP Blsl }
  | ">>="
      { ASSIGNOP Blsr }
  | ">>>="
      { ASSIGNOP Basr }
  | "&="
      { ASSIGNOP Bbwand }
  | "^="
      { ASSIGNOP Bbwxor }
  | "|="
      { ASSIGNOP Bbwor }
  | ">"
      { GT }
  | "<"
      { LT }
  | "<="
      { LE }
  | ">="
      { GE }
  | "=="
      { EQOP Beq }
  | "!="
      { EQOP Bne }


      (* decimal constants *)

  | ('0' | ['1'-'9']rD*) ['l''L']? as n
      { INTCONSTANT n }

      (* octal constants *)

  | '0'['0'-'7']+ ['l''L']? as n
      { INTCONSTANT n }

      (* hexadecimal constants *)

  | '0'['x''X']rH+['l''L']? as n
    { INTCONSTANT n }

      (* trick to deal with intervals like 0..10 *)

  | (rD+ as n) ".."         { raise (Dotdot n) }

      (* floating-point constants *)

  | (rD+ '.' rD* (['e''E']['-''+']?rD+)?) as pre (['f''F''d''D'] as suf) ?
      { REALCONSTANT (pre,suf) }

  | ('.' rD+ (['e''E']['-''+']?rD+)?) as pre (['f''F''d''D'] as suf) ?
      { REALCONSTANT (pre,suf) }

  | (rD+ ['e''E'] ['-''+']?rD+) as pre (['f''F''d''D'] as suf) ?
      { REALCONSTANT (pre,suf) }

  | ('0'['x''X'] rH+ '.' rH* rP) as pre (['f''F''d''D'] as suf) ?
  | ('0'['x''X'] rH* '.' rH+ rP) as pre (['f''F''d''D'] as suf) ?
  | ('0'['x''X'] rH+ rP) as pre (['f''F''d''D'] as suf) ?
      { REALCONSTANT (pre,suf) }

      (* character constants *)

  | "'" _ "'" as s
      { CHARACTER s }

  | "'\\" backslash_escapes "'" as s
      { CHARACTER s }

  | "'\\" ['0'-'3'] ['0'-'7'] ['0'-'7'] "'" as s
      { CHARACTER s }

  | "'\\" ['0'-'7'] ['0'-'7'] "'" as s
      { CHARACTER s }

  | "'\\" ['0'-'7'] "'" as s
      { CHARACTER s }

  | "'\\u" rH rH rH rH "'" as s
      { CHARACTER s }

  | '('
      { LEFTPAR }
  | ')'
      { RIGHTPAR }
  | '{'
      { LEFTBRACE }
  | '}'
      { RIGHTBRACE }
  | '['
      { LEFTBRACKET }
  | ']'
      { RIGHTBRACKET }
  | '"'
      { Buffer.clear buf; STRING(string lexbuf) }
  | _
      { lex_error lexbuf ("unexpected char `" ^ lexeme lexbuf ^ "'") }
  | eof
      { EOF }

and string = parse
  | '"'
      { Buffer.contents buf }
  | '\\' backslash_escapes
      { Buffer.add_string buf (lexeme lexbuf);
	string lexbuf }
  | '\\' _
      { lex_error lexbuf "unknown escape sequence in string" }
  | ['\n' '\r']
      { (* no \n anymore in strings since java 1.4 *)
	lex_error lexbuf "string not terminated"; }
  | [^ '\n' '\\' '"']+
      { Buffer.add_string buf (lexeme lexbuf); string lexbuf }
  | eof
      { lex_error lexbuf "string not terminated" }

and comment = parse
  | "*/"
      { () }
  | '\n'
      { newline lexbuf; comment lexbuf }
  | [^'*''\n']+
      { comment lexbuf }
  | _
      { comment lexbuf }
  | eof
      { lex_error lexbuf "comment not terminated" }

and annot = parse
  | "*/"
      { Buffer.contents buf }
  | '\n'
      { newline lexbuf;
	Buffer.add_string buf (lexeme lexbuf);
	annot lexbuf }
  | ('\n' space* as s) '@'
      { newline lexbuf;
	Buffer.add_string buf s;
	Buffer.add_char buf ' ';
	annot lexbuf }
  | [^'@''*''\n''/']+
      { Buffer.add_string buf (lexeme lexbuf);
	annot lexbuf }
  | '@'
      { annot lexbuf }
  | _
      { Buffer.add_string buf (lexeme lexbuf);
	annot lexbuf }
  | eof
      { lex_error lexbuf "annotation not terminated" }

{

let dotdot_mem = ref false

let next_token lexbuf =
  if !dotdot_mem then
    begin
      dotdot_mem := false;
      Format.eprintf "DOTDOT@.";
      DOTDOT
    end
  else
    begin
      try
	token lexbuf
      with
	Dotdot(n) ->
	  dotdot_mem := true;
	  INTCONSTANT n
    end

  let parse f c =
    let lb = from_channel c in
    lb.lex_curr_p <- { lb.lex_curr_p with pos_fname = f };
    try
      Java_parser.compilation_unit next_token lb
    with Parsing.Parse_error ->
      Java_options.parsing_error (loc lb) ""

  let parse_spec f c =
    let lb = from_channel c in
    lb.lex_curr_p <- { lb.lex_curr_p with pos_fname = f };
    try
      Java_parser.kml_spec_eof next_token lb
    with Parsing.Parse_error ->
      Java_options.parsing_error (loc lb) ""

}

(*
Local Variables:
compile-command: "make -j -C .. bin/krakatoa.byte"
End:
*)
why-2.34/java/java_callgraph.mli0000644000175000017500000000555312311670312015207 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

val compute_logic_calls : Java_env.java_logic_info -> [< Java_typing.logic_decl_body] -> unit

val compute_calls : Java_env.method_info -> 'a -> Java_tast.statement list -> unit

val compute_constr_calls : Java_env.constructor_info -> 'a -> Java_tast.statement list -> unit

val compute_logic_components : 
  (int, (Java_env.java_logic_info * Java_typing.logic_def_body)) Hashtbl.t -> 
  Java_env.java_logic_info list array

val compute_components : 
  (int, Java_typing.method_table_info) Hashtbl.t -> 
  (int, Java_typing.constructor_table_info) Hashtbl.t -> 
  Java_env.method_or_constructor_info list array

why-2.34/java/java_callgraph.ml0000644000175000017500000003000312311670312015022 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Java_env
open Java_tast

let rec term acc t =
  match t.java_term_node with
    | JTlit _ | JTvar _
    | JTstatic_field_access _ -> acc
    | JTapp (f,_labs,lt) -> f::(List.fold_left term acc lt)
    | JTat(t,_) -> term acc t
    | JTbin (t1,_,_,t2) -> term (term acc t1) t2
    | JTbin_obj (t1,_,t2) -> term (term acc t1) t2
    | JTun (_,_,t1) -> term acc t1
    | JTif(t1,t2,t3) -> term (term (term acc t1) t2) t3
(*
    | JTinstanceof(t,_)
    | JTunary (_,t)
*)
    | JTcast(_,t) -> term acc t
    | JTarray_access (t1, t2) -> term (term acc t1) t2
    | JTarray_range (t1, t2, t3) ->
	Option_misc.fold_left term
	  (Option_misc.fold_left term (term acc t1) t2) t3
    | JTarray_length t1
    | JTfield_access (t1, _) -> term acc t1

let rec assertion acc p =
  match p.java_assertion_node with
  | JAtrue
  | JAfalse -> acc
  | JAat(a,_lab) -> assertion acc a
  | JAnot a -> assertion acc a
  | JAbin_obj(t1,_,t2)
  | JAbin(t1,_,_,t2) -> term (term acc t1) t2
  | JAapp(f,_labs,lt) -> f::(List.fold_left term acc lt)
  | JAand(p1,p2) | JAor(p1,p2)
  | JAimpl (p1,p2) | JAiff(p1,p2) ->
      assertion (assertion acc p1) p2
  | JAif(t1,p2,p3) ->
      assertion (assertion (term acc t1) p2) p3
  | JAquantifier (_,_,p) -> assertion acc p
  | JAfresh t | JAbool_expr t | JAinstanceof (t, _, _) -> term acc t


let rec expr acc e : 'a list =
  match e.java_expr_node with
    | JElit _
    | JEvar _
    | JEincr_local_var _
    | JEstatic_field_access _ -> acc
    | JEcall (e, mi, args) ->
	List.fold_left expr (expr (MethodInfo mi::acc) e) args
    | JEconstr_call (e, ci, args) ->
	List.fold_left expr (expr (ConstructorInfo ci::acc) e) args
    | JEstatic_call (mi, args) ->
	List.fold_left expr (MethodInfo mi::acc) args
    | JEnew_array(_ty, dims) ->
	List.fold_left expr acc dims
    | JEnew_object(ci,args) ->
	List.fold_left expr (ConstructorInfo ci::acc) args
    | JEif(e1,e2,e3)
    | JEassign_array (e1, e2, e3)
    | JEassign_array_op (e1, e2, _, e3)->
	expr (expr (expr acc e1) e2) e3
    | JEassign_local_var_op (_, _, e)
    | JEassign_local_var (_, e)
    | JEassign_static_field ( _, e)
    | JEassign_static_field_op ( _, _, e)
    | JEarray_length e
    | JEfield_access (e, _)
    | JEincr_field (_,e,_)
    | JEun (_, e) -> expr acc e
    | JEassign_field (e1, _, e2)
    | JEassign_field_op (e1, _, _, e2)
    | JEarray_access (e1, e2)
    | JEbin (e1, _, e2) | JEincr_array (_, e1, e2) ->
	expr (expr acc e1) e2
    | JEinstanceof(e,_)
    | JEcast (_,e) -> expr acc e

let initialiser acc i =
  match i with
    | JIexpr e -> expr acc e
    | _ -> assert false (* TODO *)

(*
let loop_annot acc la =
  term (assertion acc la.java_loop_invariant) la.java_loop_variant
*)

let behavior acc (_id,assumes,_throws,assigns,allocates,ensures) =
  let acc = Option_misc.fold_left assertion acc assumes in
  let acc =
    match assigns with
      | None -> acc
      | Some(_,l) -> List.fold_left term acc l
  in
  let acc =
    match allocates with
      | None -> acc
      | Some(_,l) -> List.fold_left term acc l
  in
  assertion acc ensures

let variant acc v =
  match v with
    | None -> acc
    | Some(dec,None) -> term acc dec
    | Some(dec,Some fi) -> term (fi::acc) dec

let loop_annot acc annot =
  let acc = assertion acc annot.loop_inv in
  let acc =
    List.fold_left (fun acc (_,a) -> assertion acc a) acc annot.behs_loop_inv
  in
  variant acc annot.loop_var

let rec statement acc s : ('a list * 'b list) =
  match s.java_statement_node with
    | JSif(e, s1, s2) ->
	let (a,b) = acc in
	let b = expr b e in
	  statement (statement (a,b) s1) s2
    | JSblock sl ->
	List.fold_left statement acc sl
    | JStry (s, catches, finally) ->
	let acc = List.fold_left statement acc s in
	let acc =
	  List.fold_left
	    (fun acc (_,s) -> List.fold_left statement acc s)
	    acc catches
	in
	  Option_misc.fold
	    (fun b acc -> List.fold_left statement acc b) finally acc
    | JSassert(_,_,t) -> let (a,b) = acc in (assertion a t,b)
    | JSreturn_void
    | JSbreak _ -> acc
    | JScontinue _ -> acc
    | JSlabel(_lab,s) ->	statement acc s
    | JSswitch (e, l)->
	let (a,b) = acc in
	let b = expr b e in
	  List.fold_left
	    (fun acc (_cases,body) -> statements acc body)
	    (a,b) l
    | JSthrow e
    | JSreturn e
    | JSexpr e -> let (a, b) = acc in (a, expr b e)
    | JSfor (inits, cond, annot, updates, body)->
	let (a, b) = acc in
	let b = List.fold_left expr
	  (List.fold_left expr (expr b cond) updates)
	  inits
	in
	let a = loop_annot a annot in
	statement (a, b) body
    | JSfor_decl (inits, cond, annot, updates, body)->
	let (a,b) = acc in
	let b = List.fold_left
	  (fun acc (_vi,i) -> Option_misc.fold_left initialiser acc i)
	  (List.fold_left expr (expr b cond) updates)
	  inits
	in
	let a = loop_annot a annot in
	statement (a,b) body
    | JSdo (body, annot, cond)->
	let a, b = acc in
	let a, b = statement (a, b) body in
	let a = loop_annot a annot in
	let b = expr b cond in
	a, b
    | JSwhile (cond, annot, body)->
	let (a,b) = acc in
	let b = expr b cond in
	let a = loop_annot a annot in
	statement (a,b) body
    | JSvar_decl (_vi, init, s)->
	let (a,b)=acc in
	statement (a,Option_misc.fold_left initialiser b init) s
    | JSskip -> acc
    | JSstatement_spec(req,dec,behs,s) ->
	let (a,b) = acc in
	let a = Option_misc.fold_left assertion a req in
	let a = variant a dec in
	let a = List.fold_left behavior a behs in
	statement (a,b) s

and statements acc l = List.fold_left statement acc l

let compute_logic_calls f (t : [< Java_typing.logic_decl_body]) =
  let calls =
    match t with
      | `Term t -> term [] t
      | `Assertion a -> assertion [] a
      | `None -> []
      | `Reads r -> List.fold_left term [] r
      | `Inductive l ->
	  List.fold_left
	    (fun acc (_,_,a) -> assertion acc a) [] l
      | `Builtin -> []
  in
  f.java_logic_info_calls <- calls

let compute_calls f _req body =
  let (_a, b) = List.fold_left statement ([], []) body in
    f.method_info_calls <- b

let compute_constr_calls f _req body =
  let (_a, b) = List.fold_left statement ([], []) body in
    f.constr_info_calls <- b

module LogicCallGraph = struct
  type t = (int, (java_logic_info * Java_typing.logic_def_body)) Hashtbl.t
  module V = struct
    type t = java_logic_info
    let compare f1 f2 = Pervasives.compare f1.java_logic_info_tag f2.java_logic_info_tag
    let hash f = f.java_logic_info_tag
    let equal f1 f2 = f1 == f2
  end
  let iter_vertex iter =
    Hashtbl.iter (fun _ (f,_a) -> iter f)
  let iter_succ iter _ f =
    List.iter iter f.java_logic_info_calls
  end

module LogicCallComponents = Graph.Components.Make(LogicCallGraph)

open Format
open Pp


type method_or_constructor_data =
  | MethodData of Java_typing.method_table_info
  | ConstructorData of Java_typing.constructor_table_info

let method_or_constructor_tag x =
  match x with
    | MethodInfo mi -> mi.method_info_tag
    | ConstructorInfo ci -> ci.constr_info_tag

let method_or_constructor_info mt =
  match mt with
    | MethodData mti -> MethodInfo mti.Java_typing.mt_method_info
    | ConstructorData cti -> ConstructorInfo cti.Java_typing.ct_constr_info

let print_method_or_constr fmt f =
  match f with
    | MethodInfo fi ->
	fprintf fmt "%a.%s" Java_typing.print_type_name
	  fi.method_info_class_or_interface fi.method_info_name
    | ConstructorInfo ci -> fprintf fmt "%s" ci.constr_info_trans_name

let method_or_constr_calls f =
  match f with
    | MethodInfo fi -> fi.method_info_calls
    | ConstructorInfo ci -> ci.constr_info_calls


module CallGraph = struct
  type t = (int, method_or_constructor_data) Hashtbl.t
  module V = struct
    type t = method_or_constructor_info

    let compare f1 f2 =
      Pervasives.compare
	(method_or_constructor_tag f1) (method_or_constructor_tag f2)

    let hash f = method_or_constructor_tag f
    let equal f1 f2 = method_or_constructor_tag f1 == method_or_constructor_tag f2
  end
  let iter_vertex iter g =
    Hashtbl.iter
      (fun _i mti ->
	 let f = method_or_constructor_info mti in
	 iter f) g
  let iter_succ iter _ f =
    List.iter iter
      (match f with
	 | MethodInfo fi -> fi.method_info_calls
	 | ConstructorInfo ci -> ci.constr_info_calls)
  end
module CallComponents = Graph.Components.Make(CallGraph)

let compute_logic_components ltable =
  let tab_comp = LogicCallComponents.scc_array ltable in
  Java_options.lprintf "***********************************\n";
  Java_options.lprintf "Logic call graph: has %d components\n"
    (Array.length tab_comp);
  Java_options.lprintf "***********************************\n";
  Array.iteri
    (fun i l ->
       Java_options.lprintf "Component %d:\n%a@." i
	 (print_list newline
	    (fun fmt f -> fprintf fmt " %s calls: %a\n" f.java_logic_info_name
		 (print_list comma
		    (fun fmt f -> fprintf fmt "%s" f.java_logic_info_name))
		 f.java_logic_info_calls))
	 l)
    tab_comp;
  tab_comp


let compute_components methods constrs =
  let h = Hashtbl.create 97 in
  Hashtbl.iter
    (fun _ mti ->
       Hashtbl.add h
	 mti.Java_typing.mt_method_info.method_info_tag (MethodData mti))
    methods;
  Hashtbl.iter
    (fun _ cti ->
       Hashtbl.add h
	 cti.Java_typing.ct_constr_info.constr_info_tag (ConstructorData cti))
    constrs;
  let _n,comp = CallComponents.scc h in
  let tab_comp = CallComponents.scc_array h in
  Java_options.lprintf "******************************@\n";
  Java_options.lprintf "Call graph: has %d components@\n" (Array.length tab_comp);
  Java_options.lprintf "******************************@\n";
  Array.iteri
    (fun i l ->
       Java_options.lprintf "Component %d:@\n%a@." i
	 (print_list newline
	    (fun fmt f -> fprintf fmt " - %a calls: %a@\n"
	       print_method_or_constr f
	       (print_list comma
		  (fun fmt f -> fprintf fmt "%a(%d)"
		     print_method_or_constr f (comp f)))
	       (method_or_constr_calls f)))
	 l)
    tab_comp;
  tab_comp




(*
Local Variables:
compile-command: "make -j -C .. bin/krakatoa.byte"
End:
*)
why-2.34/java/java_options.ml0000644000175000017500000001417412311670312014573 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format

(*s The log file *)

let c = ref stdout

let log =
  c := open_out "krakatoa.log";
  Format.formatter_of_out_channel !c

let lprintf s = Format.fprintf log s

let close_log () =
  lprintf "End of log.@.";
  close_out !c;
  c := stdout

(*s environment variables *)

let libdir =
  try
    let v = Sys.getenv "KRAKATOALIB" in
    lprintf "KRAKATOALIB is set to %s@." v;
    v
  with Not_found ->
    let p = Version.libdir in
    lprintf "KRAKATOALIB is not set, using %s as default@." p;
    p

let rec split ch s =
  try
    let i = String.index s ch in
    let h = String.sub s 0 i
    and t = String.sub s (i+1) (String.length s - i - 1)
    in
    h::(split ch t)
  with
    Not_found -> [s]


let libfile = "krakatoa.why"

let javacard = ref false


(*s command-line options *)

let parse_only = ref false
let type_only = ref false
let gen_only = ref false
let abstract = ref ""
let print_graph = ref false
let debug = ref false
let verbose = ref false
let werror = ref false
let why_opt = ref ""
let ignore_overflow = ref false
let nonnull_sem = ref Java_env.NonNullNone
let minimal_class_hierarchy = ref false
let termination_policy = ref Jc_env.TPalways

(* Jessie options *)
let inv_sem = ref Jc_env.InvArguments
let separation_policy = ref Jc_env.SepNone
let annotation_sem = ref Jc_env.AnnotNone
let ai_domain = ref Jc_env.AbsNone

let add_why_opt s = why_opt := !why_opt ^ " " ^ s

let files_ = ref []
let add_file f = files_ := f :: !files_
let files () = List.rev !files_

let version () =
  Printf.printf "This is Krakatoa version %s, compiled on %s
Copyright (c) 2006-2014 - CNRS/INRIA/Univ Paris-Sud
This is free software with ABSOLUTELY NO WARRANTY (use option -warranty)
" Version.version Version.date;
  exit 0

let usage = "krakatoa [options] files"

let _ =
  Arg.parse
      [ "-parse-only", Arg.Set parse_only,
	  "  stops after parsing";
        "-type-only", Arg.Set type_only,
	  "  stops after typing";
	"-abstract", Arg.String ((:=) abstract),
	  "  stops after typing and output abstract view to " ;
	"-gen-only", Arg.Set gen_only,
	  "  stops after producing .jc" ;
        "-print-call-graph", Arg.Set print_graph,
	  "  stops after call graph and print call graph";
        "-d", Arg.Set debug,
          "  debugging mode";
        "-why-opt", Arg.String add_why_opt,
	  "   passes options to Why";
	"-v", Arg.Set verbose,
          "  verbose mode";
	"-q", Arg.Clear verbose,
          "  quiet mode (default)";
	"-werror", Arg.Set werror,
          "  treats warnings as errors";
	"-version", Arg.Unit version,
          "  prints version and exit";
	"-javacard", Arg.Set javacard,
	  "  source is Java Card";
	"-nonnull-sem", Arg.String
	  (function
	     | "none" -> nonnull_sem := Java_env.NonNullNone
	     | "fields" -> nonnull_sem := Java_env.NonNullFields
	     | "all" -> nonnull_sem := Java_env.NonNullAll
	     | s -> raise (Arg.Bad ("Unknown nonnull_sem: " ^ s))),
	"   nonnull-by-default semantics: none (default), fields, all";
      ]
      add_file usage

let usage () =
  eprintf "usage: %s@." usage;
  exit 2

let parse_only = !parse_only
let type_only = !type_only
let print_graph = !print_graph
let debug = !debug
let verbose = !verbose
let werror = !werror
let why_opt = !why_opt

let classpath =
  let p =
    try
      let v = Sys.getenv "KRAKATOACLASSPATH" in
	lprintf "KRAKATOACLASSPATH is set to %s@." v;
	split ':' v
    with Not_found ->
      let p = Filename.concat libdir
	(if !javacard then "javacard_api" else "java_api")
      in
	lprintf "KRAKATOACLASSPATH is not set, using %s as default@." p;
	[p]
  in
    "." :: p


(*s error handling *)

exception Java_error of Loc.position * string

let parsing_error l f =
  Format.ksprintf
    (fun s ->
       let s = if s="" then s else " ("^s^")" in
       raise (Java_error(l, "syntax error" ^ s))) f


(*
Local Variables:
compile-command: "make -j -C .. bin/krakatoa.byte"
End:
*)

why-2.34/java/java_abstract.ml0000644000175000017500000002574012311670312014704 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Format
open Pp
open Java_env
open Java_ast

let ident fmt (_,id) = fprintf fmt "%s" id

let rec qualified_ident fmt qid =
  match qid with
    | [id] -> fprintf fmt "%a" ident id
    | id::l -> fprintf fmt "%a.%a" ident id qualified_ident l
    | [] -> assert false


let base_type fmt b =
  match b with
    | Tshort -> fprintf fmt "short"
    | Tboolean -> fprintf fmt "boolean"
    | Tbyte -> fprintf fmt "byte"
    | Tchar -> fprintf fmt "char"
    | Tint -> fprintf fmt "int"
    | Tfloat -> fprintf fmt "float"
    | Tlong -> fprintf fmt "long"
    | Tdouble -> fprintf fmt "double"
	  (* native logic types *)
    | Tinteger | Treal | Tunit | Tstring ->  assert false (* TODO *)

let modifier fmt m =
  match m with
  | Static -> fprintf fmt "static "
  | Final -> fprintf fmt "final "
  | Public -> fprintf fmt "public "
  | Private -> fprintf fmt "private "
  | Protected -> fprintf fmt "protected "
  | Native -> fprintf fmt "native "
  | Synchronized -> fprintf fmt "synchronized "
  | Abstract -> assert false (* TODO *)
  | Transient (* "threadsafe" ? *) -> assert false (* TODO *)
  | Volatile-> assert false (* TODO *)
  | Strictfp -> assert false (* TODO *)
  | Ghost -> assert false (* TODO *)
  | Model-> assert false (* TODO *)
  | Non_null -> assert false (* TODO *)
  | Nullable -> assert false (* TODO *)
  | Annot_modifier(_loc,_id) -> assert false (* TODO *)

let modifiers fmt = List.iter (modifier fmt)

let type_expr fmt t =
  match t with
    | Base_type b -> base_type fmt b
    | Type_name id -> fprintf fmt "%a" qualified_ident id;
    | Array_type_expr _typ ->  assert false (* TODO *)

let float_suffix fmt = function
  | `Single -> fprintf fmt "f"
  | `Double -> fprintf fmt "d"
  | `Real -> ()

let literal fmt l =
  match l with
    | Null -> fprintf fmt "null"
    | Integer _s -> assert false (* TODO *)
    | Float(s,suf) -> fprintf fmt "%s%a" s float_suffix suf
    | Bool _b -> assert false (* TODO *)
    | String _s -> assert false (* TODO *)
    | Char _s -> assert false (* TODO *)

let bin_op fmt op =
  match op with
    | Badd -> fprintf fmt "+"
    | Bsub | Bmul | Bdiv | Bmod -> assert false (* TODO *)
    | Band | Bor | Bimpl | Biff -> assert false (* TODO *)
    | Bbwand | Bbwor | Bbwxor -> assert false (* TODO *)
    | Blsl | Blsr | Basr -> assert false (* TODO *)
    | Beq -> assert false (* TODO *)
    | Bne -> fprintf fmt "!="
    | Bgt -> fprintf fmt ">"
    | Blt -> fprintf fmt "<"
    | Ble -> fprintf fmt "<="
    | Bge -> fprintf fmt ">="
    | Bconcat -> assert false (* TODO *) (* + for Strings *)


let rec expr fmt e =
  match e.java_pexpr_node with
    | JPElit l -> literal fmt l
    | JPEbin(e1,op,e2) ->
	fprintf fmt "(%a %a %a)" expr e1 bin_op op expr e2
    | JPEname qid -> qualified_ident fmt qid
	
	
    | _ -> assert false (* TODO *)
(*
    | JPEun of un_op * pexpr                 (*r (pure) unary operations *)
    | JPEincr of incr_decr_op * pexpr (*r pre-post incr/decr operations *)
    | JPEassign_name of qualified_ident * bin_op * pexpr  
    | JPEassign_field of java_field_access * bin_op * pexpr  
    | JPEassign_array of pexpr * pexpr * bin_op * pexpr  
	(*r [Assign_array(e1,e2,op,e3)] is [e1[e2] op e3] *)
	(*r assignment op is =, +=, etc. *)
    | JPEif of pexpr * pexpr * pexpr
    | JPEthis
    | JPEfield_access of java_field_access
    | JPEcall_name of qualified_ident * pexpr list
    | JPEcall_expr of pexpr * identifier * pexpr list
    | JPEsuper_call of identifier * pexpr list
    | JPEnew of qualified_ident * pexpr list
    | JPEnew_array of type_expr * pexpr list 
	(*r type, explicit dimensions *)
    | JPEarray_access of pexpr * pexpr
    | JPEarray_range of pexpr * pexpr option * pexpr option
    | JPEcast of type_expr * pexpr
    | JPEinstanceof of pexpr * type_expr
	(* in annotations only *)
    | JPEresult  
    | JPEold of pexpr 
    | JPEat of pexpr * identifier 
    | JPEquantifier of quantifier * (type_expr * variable_id list) list * pexpr   
*)

let rec param fmt p =
  match p with
    | Simple_parameter(_modifier, typ, id) ->
	fprintf fmt "%a %a" type_expr typ ident id
    | Array_parameter p -> 
	fprintf fmt "%a[]" param p

let method_declarator fmt d =
  match d with
    | Simple_method_declarator(id,params) ->
	fprintf fmt "%a(@[%a@]);@\n@\n" ident id (print_list comma param) params
    | Array_method_declarator _md ->
	assert false (* TODO *)


let method_declaration fmt md =
  (*
    method_modifiers : modifiers ;
    method_return_type : type_expr option ;
    method_declarator : method_declarator ;
    method_throws : qualified_ident list ;
  *)
  modifiers fmt md.method_modifiers;
  begin
    match md.method_return_type with
      | None -> fprintf fmt "void "
      | Some t -> fprintf fmt "%a " type_expr t;
  end;
  assert (md.method_throws = []);
  method_declarator fmt md.method_declarator
  
let constructor_declaration fmt cd =
  (* constr_modifiers : modifiers ;
     constr_name : identifier ;
     constr_parameters : parameter list ;
     constr_throws : qualified_ident list 
  *)
  modifiers fmt cd.constr_modifiers;
  assert (cd.constr_throws = []);
  fprintf fmt "%a(%a);@\n@\n" ident cd.constr_name 
    (print_list comma param) cd.constr_parameters
  
let rec variable_id fmt = function 
    | Simple_id(id) ->
	fprintf fmt "%a" ident id
    | Array_id vd -> 
	fprintf fmt "%a[]" variable_id vd

let rec initialize fmt = function
  | Simple_initializer e -> expr fmt e
  | Array_initializer _l -> assert false (* TODO *)
      

let variable_declarator ~is_final fmt vd =
  fprintf fmt "%a" variable_id vd.variable_id;
  match vd.variable_initializer with
    | Some init when is_final ->
	fprintf fmt " = %a" initialize init
    | _ -> ()

let variable_declaration fmt vd =
  (*
     variable_modifiers : modifiers ;
    variable_type : type_expr ;
    variable_decls : variable_declarator list 
  *)
  modifiers fmt vd.variable_modifiers;
  fprintf fmt "%a " type_expr vd.variable_type;
  let is_final = List.mem Final vd.variable_modifiers in
  List.iter (variable_declarator ~is_final fmt) vd.variable_decls;
  fprintf fmt ";@\n@\n"

  
  

let field_declaration fmt f =
(*
  | JPFmethod of method_declaration * block option
  | JPFconstructor of constructor_declaration *
      explicit_constructor_invocation * block
  | JPFvariable of variable_declaration
  | JPFstatic_initializer of block
  | JPFannot of Lexing.position * string
  | JPFinvariant of identifier * pexpr
  | JPFstatic_invariant of identifier * pexpr
  | JPFmethod_spec of 
      pexpr option * pexpr option * (identifier * pbehavior) list
  | JPFclass of class_declaration
  | JPFinterface of interface_declaration
*)
  match f with
    | JPFmethod(md,_block) -> method_declaration fmt md      
    | JPFmethod_spec(req, _dec, _behs ) -> 
	fprintf fmt "@[/*@@";
	print_option (fun fmt e -> fprintf fmt " requires %a;@\n  @@" expr e) fmt req;
	(* TODO *)
	fprintf fmt "*/@\n@]"
    | JPFinterface _ -> assert false (* TODO *)
    | JPFclass _ -> assert false (* TODO *)
    | JPFstatic_invariant (_, _) -> assert false (* TODO *)
    | JPFinvariant (_, _) -> assert false (* TODO *)
    | JPFannot (_, _) -> assert false (* TODO *)
    | JPFstatic_initializer _block -> ()	
    | JPFvariable vd -> variable_declaration fmt vd
    | JPFconstructor(cd, _invoke, _block) -> 
	constructor_declaration fmt cd

let class_declaration fmt cd =
  fprintf fmt "@[%a class %a " 
    modifiers cd.class_modifiers ident cd.class_name;
  begin
    match cd.class_extends with
      | None -> ()
      | Some id -> fprintf fmt "extends %a " qualified_ident id
  end;
  assert (cd.class_implements = []);
  fprintf fmt "{@\n@\n  @[";
  List.iter (field_declaration fmt) cd.class_fields;
  fprintf fmt "@]@\n}@\n@]"

let interface_declaration fmt id =
  (*
    { interface_modifiers : modifiers;
    interface_name : identifier;
    interface_extends : qualified_ident list;
    interface_members : field_declaration list
  *)
  fprintf fmt "@[%a interface %a {@\n@\n  @[" 
    modifiers id.interface_modifiers ident id.interface_name;
  assert (id.interface_extends = []);
  List.iter (field_declaration fmt) id.interface_members;
  fprintf fmt "@]@\n}@\n@]"

let type_declaration fmt d =
  match d with
    | JPTclass cd -> class_declaration fmt cd
    | JPTinterface id -> interface_declaration fmt id
    | JPTannot _ -> assert false
    | JPTlemma (_id,_is_axiom,_labels,_p) -> assert false
    | JPTlogic_type_decl _id -> assert false
    | JPTlogic_reads(_id,_rettype,_labels,_params,_reads) -> assert false
    | JPTlogic_def(_id,_rettype,_labels,_param,_e) -> assert false
    | JPTinductive(_id,_labels,_param,_e) -> assert false
    | JPTaxiomatic _ -> assert false
    | JPTimport _ -> assert false	

let compilation_unit fmt cu =
  (*
    cu_package : qualified_ident;
    cu_imports : import_statement list;
  *)
  List.iter (type_declaration fmt) cu.cu_type_decls

why-2.34/java/java_interp.ml0000644000175000017500000021450612311670312014402 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format
open Jc_output
open Jc_env
open Jc_fenv
open Jc_ast
open Jc_constructors
open Jc_constructors.PExpr
open Jc_constructors.PDecl
open Jc_pervasives
open Java_env
open Java_ast
open Java_tast
open Java_pervasives
open Java_typing

let exn_name e = new identifier e.jc_exception_info_name
let var_name v = v.jc_var_info_name
let var_id v = new identifier v.jc_var_info_name
let fi_name f = f.jc_field_info_name

let reg_pos ?id ?kind ?name pos = Output.old_reg_pos "K" ?id ?kind ?name pos

let reg_position ?id ?kind ?name pos =
  Output.old_reg_pos "K" ?id ?kind ?name (Loc.extract pos)

let locate ?id ?kind ?name pos e =
  let lab = reg_position ?id ?kind ?name pos in
  new pexpr ~pos (JCPElabel(lab,e))

(*s loop tags *)

let get_loop_counter =
  let counter = ref 0 in
  function () -> let tag = !counter in incr counter; tag

(*s range types *)

(* byte = int8 *)
let byte_range =
  {
    jc_enum_info_name = "byte";
    jc_enum_info_min = min_byte;
    jc_enum_info_max = max_byte;
  }

(* short = int16 *)
let short_range =
  {
    jc_enum_info_name = "short";
    jc_enum_info_min = min_short;
    jc_enum_info_max = max_short;
  }

(* int = int32 *)
let int_range =
  {
    jc_enum_info_name = "int32";
    jc_enum_info_min = min_int;
    jc_enum_info_max = max_int;
  }

(* long = int64 *)
let long_range =
  {
    jc_enum_info_name = "long";
    jc_enum_info_min = min_long;
    jc_enum_info_max = max_long;
  }

(* char = uint16 *)
let char_range =
  {
    jc_enum_info_name = "char";
    jc_enum_info_min = min_char;
    jc_enum_info_max = max_char;
  }

let range_types acc =
  if !Java_options.ignore_overflow then acc else
  List.fold_left
    (fun acc ri ->
       (mkenum_type_def
          ~name: ri.jc_enum_info_name
          ~left: ri.jc_enum_info_min
          ~right: ri.jc_enum_info_max
          ())::acc)
    acc [ byte_range ; short_range ; int_range ; long_range ; char_range ]


let byte_type = JCTenum byte_range
let short_type = JCTenum short_range
let int_type = JCTenum int_range
let long_type = JCTenum long_range
let char_type = JCTenum char_range

let get_enum_info t =
  match t with
    | Tshort -> short_range
    | Tint -> int_range
    | Tlong -> long_range
    | Tchar -> char_range
    | Tbyte -> byte_range
    | _ -> assert false

let tr_base_type t =
  match t with
    | Tstring -> Jc_pervasives.string_type
    | Tunit -> Jc_pervasives.unit_type
    | Tboolean -> Jc_pervasives.boolean_type
    | Tinteger -> Jc_pervasives.integer_type
    | Tshort ->
	if !Java_options.ignore_overflow then Jc_pervasives.integer_type else
	short_type
    | Tint ->
	if !Java_options.ignore_overflow then Jc_pervasives.integer_type else
	int_type
    | Tlong ->
	if !Java_options.ignore_overflow then Jc_pervasives.integer_type else
	long_type
    | Tchar ->
	if !Java_options.ignore_overflow then Jc_pervasives.integer_type else
	char_type
    | Tbyte  ->
	if !Java_options.ignore_overflow then Jc_pervasives.integer_type else
	byte_type
    | Treal -> Jc_pervasives.real_type
    | Tfloat -> Jc_pervasives.real_type (* TODO *)
    | Tdouble -> Jc_pervasives.real_type (* TODO *)

(*s class types *)

let rec object_variant = {
  jc_root_info_name = "Object";
  jc_root_info_hroots = [ object_root ];
  jc_root_info_kind = Rvariant;
  jc_root_info_union_size_in_bytes = 0;
}

and object_root = {
  jc_struct_info_params = [];
  jc_struct_info_name = "Object";
  jc_struct_info_parent = None;
  jc_struct_info_hroot = object_root;
  jc_struct_info_fields = [];
  jc_struct_info_root = Some object_variant;
}

let get_class name =
  {
  jc_struct_info_params = [];
    jc_struct_info_name = name;
    jc_struct_info_parent = None;
    jc_struct_info_hroot = object_root;
    jc_struct_info_fields = [];
    jc_struct_info_root = Some object_variant;
  }

(*
let get_interface ii =
  {
    jc_struct_info_name = ii.interface_info_name;
    jc_struct_info_parent = None;
    jc_struct_info_root = ii.interface_info_name;
    jc_struct_info_fields = [];
  }
*)

(*
let rec interface_root = {
  jc_struct_info_name = "interface";
  jc_struct_info_parent = None;
  jc_struct_info_root = interface_root;
  jc_struct_info_fields = [];
  jc_struct_info_variant = Some object_variant;
}
*)

let st_interface =
  {
    jc_struct_info_params = [];
    jc_struct_info_name = "Object/*interface*/";
    jc_struct_info_parent = None;
    jc_struct_info_hroot = object_root ; (* a la place de interface_root; *)
    jc_struct_info_fields = [];
    jc_struct_info_root = Some object_variant;
  }

(*s array types *)

let num_zero = Num.Int 0
let num_minus_one = Num.Int (-1)

let array_struct_table = Hashtbl.create 17

let rec get_array_struct pos t =
  let n = Java_analysis.name_type t in
  try
    (Hashtbl.find array_struct_table n : struct_info)
  with Not_found ->
    eprintf "Array struct for type %a (name : %s) not found: %a@."
      Java_typing.print_type t n Loc.report_position pos;
    raise Not_found

and tr_type pos t =
  match t with
    | JTYbase t -> tr_base_type t
    | JTYnull -> JCTnull
    | JTYclass (non_null, ci) ->
	let st = get_class ci.class_info_name in
	  JCTpointer
	    (JCtag(st, []), Some num_zero, if non_null then Some num_zero else None)
    | JTYinterface _ii ->
	JCTpointer(JCtag(st_interface, []), Some num_zero,None)
(*
	let st = get_interface ii in
	JCTpointer(st,Some num_zero,
	           (* if non_null then Some num_zero else *) None)
*)

    | JTYarray (non_null, t) ->
	let st = get_array_struct pos t in
	  JCTpointer (JCtag(st, []), Some num_zero, if non_null then Some num_minus_one else None)
    | JTYlogic i -> JCTlogic (i,[])

let ptype_node_of_type = function
  | JCTnative n -> JCPTnative n
  | JCTlogic (s,[]) -> JCPTidentifier (s,[])
  | JCTlogic (_s,_) -> failwith ("Java_interp.ptype_node_of_type : \
The case of logic type with argument is left undone")
  | JCTenum e -> JCPTidentifier (e.jc_enum_info_name,[])
  | JCTpointer(JCtag(st, _), l, r) -> JCPTpointer(st.jc_struct_info_name,[], l, r)
  | JCTpointer(JCroot v, l, r) ->
      JCPTpointer(v.jc_root_info_name,[], l, r)
  | JCTnull
  | JCTany | JCTtype_var _ -> assert false

let ptype_of_type t = new ptype (ptype_node_of_type t)


(*s structure fields *)

let fi_table = Hashtbl.create 97

let get_field fi =
  try
    Hashtbl.find fi_table fi.java_field_info_tag
  with
      Not_found ->
	eprintf "Internal error: field '%s' not found@."
	  fi.java_field_info_name;
	assert false

let create_field pos fi =
  Java_options.lprintf "Creating JC field '%s'@." fi.java_field_info_name;
  let ty = tr_type pos fi.java_field_info_type in
  let ci =
    match fi.java_field_info_class_or_interface with
      | TypeClass ci -> get_class ci.class_info_name
      | TypeInterface ii -> get_class ii.interface_info_name
  in
  let nfi =
    { jc_field_info_name = fi.java_field_info_name;
      jc_field_info_final_name = fi.java_field_info_name;
      jc_field_info_tag  = fi.java_field_info_tag;
      jc_field_info_type = ty;
      jc_field_info_hroot = ci.jc_struct_info_hroot;
      jc_field_info_struct = ci;
      jc_field_info_rep = false;
      jc_field_info_abstract = false;
      jc_field_info_bitsize = None;
      (*
	jc_field_info_final_name = vi.java_field_info_name;
	jc_var_info_assigned = vi.java_var_info_assigned;
	jc_var_info_type = tr_type vi.java_var_info_type;
	jc_var_info_tag = vi.java_var_info_tag;
      *)
    }
  in Hashtbl.add fi_table fi.java_field_info_tag nfi;
  nfi

let static_fields_table = Hashtbl.create 97

let get_static_var fi =
  try
    Hashtbl.find static_fields_table fi.java_field_info_tag
  with
      Not_found ->
	eprintf "Java_interp.get_static_var->Not_found: %s@." fi.java_field_info_name;
	raise Not_found


(* local variables and parameters *)

let vi_table = Hashtbl.create 97

let get_var vi =
  try
    Hashtbl.find vi_table vi.java_var_info_tag
  with
      Not_found ->
	eprintf "Java_interp.get_var->Not_found: '%s', %a@."
	  vi.java_var_info_final_name
	  Loc.report_position vi.java_var_info_decl_loc
	;
	raise Not_found

let create_var ?(formal=false) pos vi =
  let ty = tr_type pos vi.java_var_info_type in
  let nvi = Jc_pervasives.var ~formal ty vi.java_var_info_final_name in
  nvi.jc_var_info_assigned <- vi.java_var_info_assigned;
  Hashtbl.add vi_table vi.java_var_info_tag nvi;
  nvi

(*s logic types *)

let tr_logic_type id acc =
  mklogic_type ~name:id () :: acc

(*s logic funs *)

let logics_table = Hashtbl.create 97

let get_logic_fun fi =
  try
    Hashtbl.find logics_table fi.java_logic_info_tag
  with
      Not_found ->
	eprintf "Anomaly: cannot find logic symbol `%s'@." fi.java_logic_info_name;
	eprintf "[";
	Hashtbl.iter
	  (fun _ d -> eprintf "%s;" d.jc_logic_info_name) logics_table;
	eprintf "]@.";
	assert false

let tr_logic_label = function
  | LabelPre -> Jc_env.LabelPre
  | LabelHere -> Jc_env.LabelHere
  | LabelOld -> Jc_env.LabelOld
  | LabelName s ->
      Jc_env.LabelName {
	label_info_name = s;
	label_info_final_name = s;
	times_used = 0;
      }

let create_logic_fun pos fi =
  let nfi =
    match fi.java_logic_info_result_type with
      | None ->
	  Jc_pervasives.make_pred fi.java_logic_info_name
      | Some t ->
	  Jc_pervasives.make_logic_fun fi.java_logic_info_name
	    (tr_type pos t)
  in
  nfi.jc_logic_info_parameters <-
    List.map (create_var pos) fi.java_logic_info_parameters;
  nfi.jc_logic_info_labels <-
    List.map tr_logic_label fi.java_logic_info_labels;
  (* eprintf "adding symbol %s in logics_table@." fi.java_logic_info_name; *)
  Hashtbl.add logics_table fi.java_logic_info_tag nfi;
  nfi

let () =
  List.iter
    (fun fi -> let _ = create_logic_fun Loc.dummy_position fi in ())
    !Java_typing.builtin_logic_symbols

(*s program funs *)

let funs_table = Hashtbl.create 97

let get_fun pos tag =
  try
    Hashtbl.find funs_table tag
  with
      Not_found ->
	eprintf "Java_interp.get_fun->Not_found: %a@." Loc.report_position pos;
	raise Not_found

let create_fun pos tag result name params =
  let nfi =
    match result with
      | None ->
	  Jc_pervasives.make_fun_info name
	    Jc_pervasives.unit_type
      | Some vi ->
	  Jc_pervasives.make_fun_info name
	    (tr_type pos vi.java_var_info_type)
  in
  nfi.jc_fun_info_parameters <-
    List.map (fun (vi, _) -> (true,create_var pos vi)) params;
  Hashtbl.add funs_table tag nfi;
  nfi

(*s exceptions *)

let exceptions_table = Hashtbl.create 17

let get_exception ty =
  match ty with
    | JTYclass(_,ci) ->
	begin
	  try
	    Hashtbl.find exceptions_table ci.class_info_name
	  with
	      Not_found ->
		eprintf "exception %s not found@." ci.class_info_name;
		assert false
	end
    | _ -> assert false

let exceptions_tag = ref 0

let create_exception ty n =
  incr exceptions_tag;
  let ei =
    { jc_exception_info_name = n;
      jc_exception_info_tag = !exceptions_tag;
      jc_exception_info_type = ty
    }
  in
  Hashtbl.add exceptions_table n ei;
  ei

(*s terms *)


let any_string =
  mkapp
    ~fun_name: "any_string"
    ~args: []
    ()


(**)
let any_string_decl =
  mkfun_def
    ~result_type: (new ptype (JCPTpointer("String",[],Some num_zero,None)))
    ~name: (new identifier "any_string")
    ~params: []
    ~clauses: []
    ()
(**)

let decl_any_string =
  if !Java_options.javacard then [] else
    [ any_string_decl ]

let lit l =
  match l with
  | Integer s | Char s -> JCCinteger s
  | Float(s,_suf) -> JCCreal s (* TODO: support for true floating point numbers *)
  | Bool b -> JCCboolean b
  | String s -> JCCstring s
  | Null  -> JCCnull

let lun_op t op: [> Jc_ast.unary_op] =
  match op with
    | Unot -> `Unot
    | Uminus when (t = Tinteger || t = Tint || t = Treal) -> `Uminus
    | Uminus ->
	begin match t with
	  | Tstring -> assert false
	  | Tshort  -> assert false (* TODO *)
	  | Tboolean  -> assert false (* TODO *)
	  | Tbyte  -> assert false (* TODO *)
	  | Tchar  -> assert false (* TODO *)
	  | Tint  -> assert false (* should never happen *)
	  | Tfloat  -> assert false (* TODO *)
	  | Tlong  -> assert false (* TODO *)
	  | Tdouble  -> assert false (* TODO *)
	  | Treal  -> assert false (*  should never happen *)
	  | Tunit -> assert false (* TODO *)
	  | Tinteger -> assert false (* should never happen *)
	end
    | Uplus -> assert false
    | Ucompl -> `Ubw_not

let lbin_op _t op: [> Jc_ast.bin_op] =
  match op with
    | Bgt -> `Bgt
    | Bge -> `Bge
    | Ble -> `Ble
    | Blt -> `Blt
    | Bne -> `Bneq
    | Beq -> `Beq
    | Basr -> `Barith_shift_right
    | Blsr -> `Blogical_shift_right
    | Blsl -> `Bshift_left
    | Bbwxor -> `Bbw_xor
    | Bbwor -> `Bbw_or
    | Bbwand -> `Bbw_and
    | Biff -> `Biff
    | Bimpl -> `Bimplies
    | Bor -> `Blor
    | Band -> `Bland
    | Bmod -> `Bmod
    | Bdiv -> `Bdiv
    | Bmul -> `Bmul
    | Bsub -> `Bsub
    | Badd -> `Badd
    | Bconcat -> `Bconcat

let lobj_op op: [> comparison_op] =
  match op with
    | Bne -> `Bneq
    | Beq -> `Beq
    | _ -> assert false

(* non_null funs & preds *)

let non_null_funs = Hashtbl.create 17
let non_null_preds = Hashtbl.create 17

let non_null_fun si =
  try
    Hashtbl.find non_null_funs si.jc_struct_info_name
  with
      Not_found -> assert false

let non_null_pred name =
  try
    Hashtbl.find non_null_preds name
  with
      Not_found ->
	Format.eprintf "Java_interp: non_null_pred(%s)@." name;
	assert false

let create_non_null_fun si =
  let fi =
    Jc_pervasives.make_fun_info
      ("non_null_" ^ si.jc_struct_info_name)
      Jc_pervasives.boolean_type
  in
    Hashtbl.add non_null_funs si.jc_struct_info_name fi;
    fi

let create_non_null_pred si =
  let li =
    Jc_pervasives.make_pred
      ("Non_null_" ^ si.jc_struct_info_name)
  in
    Hashtbl.add non_null_preds si.jc_struct_info_name li;
    li
(*
let dummy_pos_term ty t =
  new term ~typ:ty t

let term_zero =
  dummy_loc_term Jc_pervasives.integer_type
    (JCTconst (JCCinteger "0"))

let term_maxint =
  dummy_loc_term Jc_pervasives.integer_type
    (JCTconst (JCCinteger "2147483647"))

let term_plus_one t =
  JCTbinary (t, `Badd_int, { t with jc_term_node = JCTconst (JCCinteger "1") })
*)

let zero = mkint ~value:0 ()
let maxint = mkint ~valuestr:"2147483647" ()
let plus_one e =
  let pos = e#pos in
  mkadd ~pos ~expr1:e ~expr2:(mkint ~pos ~value:1 ()) ()

let rec term t =
  let t' =
    match t.java_term_node with
      | JTlit (String _s) -> any_string
      | JTlit l -> mkconst ~const:(lit l) ()
      | JTun (t,op,e1) ->
          mkunary
            ~op:(lun_op t op)
            ~expr:(term e1)
            ()
      | JTbin(e1,t,op,e2) ->
          mkbinary
            ~expr1:(term e1)
            ~op:(lbin_op t op)
            ~expr2:(term e2)
            ()
      | JTbin_obj (e1, op, e2) -> (* case e1 != null *)
	  if op = Bne && e2.java_term_node = JTlit Null then
	    let t1 = term e1 in
	      match e1.java_term_type with
		| JTYbase _ | JTYnull | JTYlogic _ -> assert false
		| JTYclass (_, _ci) ->
                    mkapp
                      ~fun_name: (non_null_pred "Object").jc_logic_info_name
                      ~args: [t1]
                      ()
		| JTYinterface _ii ->
                    mkeq
                      ~expr1: (mkoffset_max ~expr:t1 ())
                      ~expr2: zero
                      ()
		| JTYarray (_, t) ->
		    let si = get_array_struct Loc.dummy_position t in
                    let li = non_null_pred si.jc_struct_info_name in
                    mkapp
                      ~fun_name: li.jc_logic_info_name
                      ~args: [t1]
                      ()
	  else mkbinary
            ~expr1: (term e1)
            ~op: (lobj_op op)
            ~expr2: (term e2)
            ()
      | JTapp (fi, labels, el) ->
          mkapp
            ~fun_name: (get_logic_fun fi).jc_logic_info_name
	    ~labels:(List.map (fun (_,l) -> tr_logic_label l) labels)
            ~args: (List.map term el)
            ()
      | JTvar vi ->
          mkvar ~name:(var_name (get_var vi)) ()
      | JTfield_access(t,fi) ->
          mkderef
            ~expr: (term t)
            ~field: (fi_name (get_field fi))
            ()
      | JTstatic_field_access(_ci,fi) ->
	  mkvar ~name:(var_name (get_static_var fi)) ()
      | JTarray_length(t) ->
	  begin
	    match t.java_term_type with
	      | JTYarray (_, ty) ->
		  let _st = get_array_struct t.java_term_loc ty in
		  let t = term t in
		  plus_one (mkoffset_max ~pos:t#pos ~expr:t ())
	      | _ -> assert false
	  end
      | JTarray_access(t1,t2) ->
	  begin
	    match t1.java_term_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct t.java_term_loc ty in
		  let t1' = term t1 in
                  mkderef
                    ~expr:
                    (mkshift
                       ~pos: t.java_term_loc
                       ~expr: t1'
                       ~offset: (term t2)
                       ())
                    ~field: (fi_name (List.hd st.jc_struct_info_fields))
                    ()
	      | _ -> assert false
	  end
      | JTarray_range _ -> assert false
      | JTat(t,lab) ->
          mkat
            ~expr: (term t)
            ~label: (tr_logic_label lab)
            ()
      | JTcast(ty,t') ->
	  begin
(*
	    match ty with
	      | JTYbase _ -> term t'
	      | JTYclass _ ->
*)
                  mkcast
                    ~expr: (term t')
                    ~typ:(ptype_of_type (tr_type t.java_term_loc ty))
                    ()
(*
	      | _ -> assert false (* TODO *)
*)
	  end
      | JTif(t1,t2,t3) ->
	  mkif
	    ~condition: (term t1)
	    ~expr_then: (term t2)
	    ~expr_else: (term t3)
	    ()
  in
  let _ = tr_type t.java_term_loc t.java_term_type in
  new pexpr ~pos: t.java_term_loc t'#node

let quantifier = function
  | Forall -> Jc_ast.Forall
  | Exists -> Jc_ast.Exists

let rec assertion ?(reg=false) a =
  let a' =
    match a.java_assertion_node with
      | JAtrue ->
          mkboolean ~value:true ()
      | JAfalse ->
          mkboolean ~value:false ()
      | JAat(a,lab) ->
	  mkat
	    ~expr:(assertion a)
	    ~label:(tr_logic_label lab)
	    ()
      | JAnot a ->
          mknot ~expr:(assertion a) ()
      | JAbin (e1, t, op, e2) ->
          mkbinary
            ~expr1: (term e1)
            ~op: (lbin_op t op)
            ~expr2: (term e2)
            ()
      | JAbin_obj (e1, op, e2) -> (* case e1 != null *)
	  if op = Bne && e2.java_term_node = JTlit Null then
	    let t1 = term e1 in
	      match e1.java_term_type with
		| JTYbase _ | JTYnull | JTYlogic _ -> assert false
		| JTYclass (_, _ci) ->
                    mkapp
                      ~fun_name: (non_null_pred "Object").jc_logic_info_name
                      ~args: [t1]
                      ()
		| JTYinterface _ii ->
                    mkeq
                      ~expr1: (mkoffset_max ~expr:t1 ())
                      ~expr2: zero
                      ()
		| JTYarray (_, t) ->
		    let si = get_array_struct Loc.dummy_position t in
                    let li = non_null_pred si.jc_struct_info_name in
                    mkapp
                      ~fun_name: li.jc_logic_info_name
                      ~args: [t1]
                      ()
	  else mkbinary
            ~expr1: (term e1)
            ~op: (lobj_op op)
            ~expr2: (term e2)
            ()
      | JAapp (fi, labels, el)->
          mkapp
            ~fun_name: (get_logic_fun fi).jc_logic_info_name
	    ~labels:(List.map (fun (_,l) -> tr_logic_label l) labels)
            ~args: (List.map term el)
            ()
      | JAquantifier (q, vi, a)->
	  let vi = create_var a.java_assertion_loc vi in
          mkquantifier
            ~quantifier: (quantifier q)
            ~typ: (ptype_of_type vi.jc_var_info_type)
            ~vars: [var_id vi]
            ~body: (assertion a)
            ()
      | JAimpl (a1, a2)->
          mkimplies
            ~expr1: (assertion a1)
            ~expr2: (assertion a2)
            ()
      | JAiff (a1, a2)->
          mkiff
            ~expr1: (assertion a1)
            ~expr2: (assertion a2)
            ()
      | JAor (a1, a2)->
          mkor
            ~expr1: (assertion a1)
            ~expr2: (assertion a2)
            ()
      | JAand (a1, a2)->
	  mkand
            ~expr1: (assertion ~reg a1)
            ~expr2: (assertion ~reg a2)
            ()
      | JAbool_expr t ->
          term t
      | JAinstanceof (t, _lab, ty) ->
	  let ty = tr_type Loc.dummy_position ty in
	  begin
	    match ty with
	      | JCTpointer (JCtag(si, []), _, _) ->
                  mkinstanceof
                    ~expr: (term t)
                    ~typ: si.jc_struct_info_name
                    ()
	      | _ -> assert false
	  end
      | JAif(t,a1,a2) ->
	  mkif
	    ~condition: (term t)
	    ~expr_then: (assertion a1)
	    ~expr_else: (assertion a2)
	    ()
      | JAfresh t -> mkfresh (term t) ()
  in
  let a' = new pexpr ~pos:a.java_assertion_loc a'#node in
  if reg then locate a.java_assertion_loc a' else a'

(*let dummy_loc_assertion a =
  { jc_assertion_loc = Loc.dummy_position;
    jc_assertion_label = "";
    jc_assertion_node = a }
*)

let create_static_var pos type_name fi =
  let ty = tr_type pos fi.java_field_info_type in
  let name = type_name ^ "_" ^ fi.java_field_info_name in
  let vi = Jc_pervasives.var ~static:true ty name in
  Hashtbl.add static_fields_table fi.java_field_info_tag vi;
  vi

(*s translation of structure types *)

let rec term_of_expr e =
  let t =
    match e.java_expr_node with
      | JElit l -> JTlit l
      | JEvar vi -> JTvar vi
      | JEbin (e1, op, e2) ->
	  JTbin (term_of_expr e1, Tinteger, op, term_of_expr e2)
      | JEun (op, e) -> JTun (Tinteger, op, term_of_expr e)
      | JEfield_access (e, fi) -> JTfield_access (term_of_expr e, fi)
      | JEstatic_field_access (ty, fi) -> JTstatic_field_access (ty, fi)
      | JEarray_access (e1, e2) ->
	  JTarray_access (term_of_expr e1, term_of_expr e2)
      | JEcast (t, e) -> JTcast (t, term_of_expr e)
      | _ -> assert false
  in
    { java_term_loc = e.java_expr_loc;
      java_term_type = e.java_expr_type;
      java_term_node = t }

(* exceptions *)

let tr_exception ei acc =
  (mkexception_def
     ~name:ei.jc_exception_info_name
     ?arg_type:(Option_misc.map ptype_of_type ei.jc_exception_info_type)
     ()) :: acc

(* array_length funs *)

let java_array_length_funs = Hashtbl.create 17

let java_array_length_fun st =
  try
    Hashtbl.find java_array_length_funs st.jc_struct_info_name
  with
      Not_found -> assert false

let create_java_array_length_fun st =
  let fi =
    Jc_pervasives.make_fun_info
      ("java_array_length_" ^ st.jc_struct_info_name)
      Jc_pervasives.integer_type
  in
  Hashtbl.add java_array_length_funs st.jc_struct_info_name fi;
  fi

let array_types decls =
  Java_options.lprintf "(**********************)@.";
  Java_options.lprintf "(* array types        *)@.";
  Java_options.lprintf "(**********************)@.";
  Hashtbl.fold
    (fun n (t, s, f) (acc0, acc, decls) ->
       let st = {
         jc_struct_info_params = [];
	 jc_struct_info_name = s;
	 jc_struct_info_parent = None;
	 jc_struct_info_hroot = object_root;
	 jc_struct_info_fields = [];
	 jc_struct_info_root = Some object_variant;
       }
       in
       let fi = {
	 jc_field_info_name = f;
	 jc_field_info_final_name = f;
	 jc_field_info_tag = 0 (* TODO *);
	 jc_field_info_type = tr_type Loc.dummy_position t;
	 jc_field_info_hroot = object_root;
	 jc_field_info_struct = st;
	 jc_field_info_rep = false;
	 jc_field_info_abstract = false;
	 jc_field_info_bitsize = None;
       }
       in
       st.jc_struct_info_fields <- [fi];
       Java_options.lprintf "%s@." st.jc_struct_info_name;
       Hashtbl.add array_struct_table n st;

       (* predicate non_null *)
       let non_null_pred = create_non_null_pred st in

       (* java_array_length fun *)
       let fi = create_java_array_length_fun st in
       let vi =
	 (* type is T[0..-1] here
	    (i.e. access to array length has meaning for non null arrays only) *)
         Jc_pervasives.var
	   (JCTpointer (JCtag (st, []), Some num_zero, Some num_minus_one)) "x"
       in
       let vie = mkvar ~name:(var_name vi) () in
       let result_var = mkvar ~name:"\\result" () in
       let spec = [
         mkbehavior_clause
           ~name: "default"
	   ~assigns:(Loc.dummy_position,[])
           ~ensures:
           (mkand ~list:[
              mkeq
                ~expr1: result_var
                ~expr2: (plus_one (mkoffset_max ~expr: vie ()))
                ();
              mkbinary ~op:`Bge
                ~expr1: result_var
                ~expr2: zero
                ();
              mkbinary ~op:`Ble
                ~expr1: result_var
                ~expr2: maxint
                ();
            ] ())
           ();
       ] in
       let args = [false, ptype_of_type vi.jc_var_info_type, var_name vi] in
       let array_length_fun =
	 (mkfun_def
            ~result_type: (ptype_of_type fi.jc_fun_info_result.jc_var_info_type)
	    ~name: (new identifier fi.jc_fun_info_name)
            ~params: args
            ~clauses: spec
            ())
       in
       (* non_null fun & pred *)
       let non_null_fi = create_non_null_fun st in
       let non_null_spec = [
         mkbehavior_clause
           ~name: "default"
	   ~assigns:(Loc.dummy_position,[])
           ~ensures:
           (mkif
              ~condition: result_var
              ~expr_then:
              (mkbinary ~op:`Bge
                 ~expr1: (mkoffset_max ~expr:vie ())
                 ~expr2: (mkint ~value:(-1) ())
                 ())
              ~expr_else: (mkeq ~expr1:vie ~expr2:(mknull ()) ())
              ())
           ();
       ] in
       let vi =
	 (* type is T[0..] here *)
         Jc_pervasives.var
	   (JCTpointer (JCtag (st, []), Some num_zero, None)) "x"
       in
       let args = [false, ptype_of_type vi.jc_var_info_type, var_name vi] in
       let largs = [ptype_of_type vi.jc_var_info_type, var_name vi] in
       let non_null_fun =
	 mkfun_def
            ~result_type:
            (ptype_of_type non_null_fi.jc_fun_info_result.jc_var_info_type)
            ~name: (new identifier non_null_fi.jc_fun_info_name)
            ~params: args
            ~clauses: non_null_spec
            ()
       in
       (mklogic_def
          ~name: non_null_pred.jc_logic_info_name
          ~labels: [Jc_env.LabelHere]
	  ~params: largs
          ~body:
          (mkbinary
             ~expr1: (mkoffset_max ~expr:vie ())
             ~op:`Bge
             ~expr2: (mkint ~value:(-1) ())
             ())
          ()) :: acc0,
       (mktag_def
          ~name:st.jc_struct_info_name
          ~super:("Object", [])
	  ~fields:
          (List.map begin fun fi ->
             (fi.jc_field_info_rep,fi.jc_field_info_abstract),
             ptype_of_type fi.jc_field_info_type,
             fi_name fi,
	     None
           end st.jc_struct_info_fields)
          ()) :: acc,
       array_length_fun ::
	 non_null_fun :: decls)
    Java_analysis.array_struct_table
    ([],
     ((mktag_def ~name:"interface" ()) ::
	(mkvariant_type_def
           ~name:"interface"
           ~tags:[ new identifier "interface" ]
           ())
      ::if !Java_options.minimal_class_hierarchy then []
      else [ mkvariant_type_def
               ~name:"Object"
               ~tags:[ new identifier "Object" ]
               () ]
     ), decls)


(*****************

 locations

***************)

let rec location_set logic_label t =
  match t.java_term_node with
      | JTlit _l -> assert false (* TODO *)
      | JTun(_t,_op,_e1) -> assert false (* TODO *)
      | JTbin(_e1,_t,_op,_e2) -> assert false (* TODO *)
      | JTbin_obj(_e1,_op,_e2) -> assert false (* TODO *)
      | JTapp (_, _, _) -> assert false (* TODO *)
      | JTvar vi ->
          mkvar ~name:(var_name (get_var vi)) ()
      | JTfield_access(t,fi) ->
	  begin match logic_label with
	    | None -> assert false
	    | Some lab ->
                let _ = tr_logic_label lab in
                mkderef
                  ~expr: (location_set logic_label t)
                  ~field: (fi_name (get_field fi))
                  ()
	  end
      | JTstatic_field_access(_ci,fi) ->
	  mkvar ~name:(var_name (get_static_var fi)) ()
      | JTarray_length(_t) -> assert false (* TODO *)
      | JTarray_access(t1,t2) ->
	  begin
	    match t1.java_term_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct t1.java_term_loc ty in
		  let t1' = location_set logic_label t1 in
		  let t2' = term t2 in
		  let shift = mkrange ~locations:t1' ~left:t2' ~right:t2' () in
		  begin match logic_label with
		    | None -> assert false
		    | Some lab ->
                        let _ = tr_logic_label lab in
                        let fi = List.hd st.jc_struct_info_fields in
                        mkderef
                          ~expr: shift
                          ~field: (fi_name fi)
                          ()
		  end
	      | _ -> assert false
	  end
      | JTarray_range(t1,t2,t3) ->
	  begin
	    match t1.java_term_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct t1.java_term_loc ty in
		  let t1' = location_set logic_label t1 in
		  let t2' = Option_misc.map term t2 in
		  let t3' = Option_misc.map term t3 in
		  let shift = mkrange ~locations:t1' ?left:t2' ?right:t3' () in
		  begin match logic_label with
		    | None -> assert false
		    | Some _lab ->
                        let fi = List.hd st.jc_struct_info_fields in
                        mkderef
                          ~expr: shift
                          ~field: (fi_name fi)
                          ()
		  end
	      | _ -> assert false
	  end
      | JTat _ -> assert false (* TODO, maybe change logic_label ? *)
      | JTcast(_ty,_t) -> assert false (* TODO *)
      | JTif _ -> assert false (* TODO *)


let location logic_label t =
  match t.java_term_node with
      | JTlit _l -> assert false (* TODO *)
      | JTun(_t,_op,_e1) -> assert false (* TODO *)
      | JTbin(_e1,_t,_op,_e2) -> assert false (* TODO *)
      | JTbin_obj(_e1,_op,_e2) -> assert false (* TODO *)
      | JTapp (_, _, _) -> assert false (* TODO *)
      | JTvar vi ->
          mkvar ~name:(var_name (get_var vi)) ()
      | JTfield_access(t,fi) ->
	  begin match logic_label with
	    | None -> assert false
	    | Some lab ->
                let _ = tr_logic_label lab in
                mkderef
                  ~expr: (location_set logic_label t)
                  ~field: (fi_name (get_field fi))
                  ()
	  end
      | JTstatic_field_access(_ci,fi) ->
	  mkvar ~name:(var_name (get_static_var fi)) ()
      | JTarray_length(_t) -> assert false (* TODO *)
      | JTarray_access(t1,t2) ->
	  begin
	    match t1.java_term_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct t1.java_term_loc ty in
		  let t1' = location_set logic_label t1 in
		  let t2' = term t2 in
		  let shift = mkrange ~locations:t1' ~left:t2' ~right:t2' () in
		  begin match logic_label with
		    | None -> assert false
		    | Some lab ->
                        let _ = tr_logic_label lab in
                        let fi = List.hd st.jc_struct_info_fields in
                        mkderef
                          ~expr: shift
                          ~field: (fi_name fi)
                          ()
		  end
	      | _ -> assert false
	  end
      | JTarray_range(t1,t2,t3) ->
	  begin
	    match t1.java_term_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct t1.java_term_loc ty in
		  let t1' = location_set logic_label t1 in
		  let t2' = Option_misc.map term t2 in
		  let t3' = Option_misc.map term t3 in
		  let shift = mkrange ~locations:t1' ?left:t2' ?right:t3' () in
		  begin match logic_label with
		    | None -> assert false
		    | Some lab ->
                        let _ = tr_logic_label lab in
                        let fi = List.hd st.jc_struct_info_fields in
                        mkderef
                          ~expr: shift
                          ~field: (fi_name fi)
                          ()
		  end
	      | _ -> assert false
	  end
      | JTat _ -> assert false (* TODO, maybe change logic_label ? *)
      | JTcast(_ty,_t) -> assert false (* TODO *)
      | JTif _ -> assert false (* TODO *)


let un_op op: [> Jc_ast.unary_op] =
  match op with
    | Uminus -> `Uminus
    | Ucompl -> `Ubw_not
    | Unot -> `Unot
    | Uplus -> assert false (* TODO *)

let bin_op op: [> Jc_ast.bin_op] =
  match op with
    | Badd -> `Badd
    | Bmod -> `Bmod
    | Bdiv -> `Bdiv
    | Bmul -> `Bmul
    | Bsub -> `Bsub
    | Biff -> assert false
    | Bor -> `Blor
    | Band -> `Bland
    | Bimpl -> assert false
    | Bgt -> `Bgt
    | Bne -> `Bneq
    | Beq -> `Beq
    | Bge -> `Bge
    | Ble -> `Ble
    | Blt -> `Blt
    | Basr -> `Barith_shift_right
    | Blsr -> `Blogical_shift_right
    | Blsl -> `Bshift_left
    | Bbwxor -> `Bbw_xor
    | Bbwor -> `Bbw_or
    | Bbwand -> `Bbw_and
    | Bconcat -> `Bconcat

let incr_op op: [> pm_unary_op] =
  match op with
    | Preincr -> `Uprefix_inc
    | Predecr -> `Uprefix_dec
    | Postincr -> `Upostfix_inc
    | Postdecr -> `Upostfix_dec

let int_cast pos t e =
  if !Java_options.ignore_overflow ||
    match t with
      | JTYbase Tint -> false
      | _ -> true
  then e else
    mkcast
      ~pos
      ~expr: e
      ~typ: (ptype_of_type (tr_type pos t))
      ()

let rec expr ?(reg=false) e =
  let reg = ref reg in
  let e' =
    match e.java_expr_node with
      | JElit (String _s) -> any_string
      | JElit l ->
          mkconst ~const:(lit l) ()
      | JEincr_local_var(op,v) ->
	  reg := true;
          mkunary
            ~op: (incr_op op)
            ~expr: (mkvar ~name:(var_name (get_var v)) ())
            ()
      | JEincr_field(op,e1,fi) ->
	  reg := true;
          mkincr_heap
            ~op: (incr_op op)
            ~expr: (expr e1)
            ~field: (fi_name (get_field fi))
            ()
      | JEincr_array (op, e1, e2) ->
	  begin
	    match e1.java_expr_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct e1.java_expr_loc ty in
		  let e1' = expr e1 in
		  let shift = mkshift
                    ~pos:e.java_expr_loc
                    ~expr:e1'
                    ~offset:(expr e2)
                    ()
                  in
		  let fi = (List.hd st.jc_struct_info_fields) in
                  mkincr_heap
                    ~op: (incr_op op)
                    ~expr: shift
                    ~field: (fi_name fi)
                    ()
	      | _ -> assert false
	  end
      | JEun (op, e1) ->
	  let e1 = expr e1 in
	  reg := true;
	  int_cast e.java_expr_loc e.java_expr_type
            (mkunary ~op:(un_op op) ~expr:e1 ())
      | JEbin (e1, op, e2) (* case e1 == null *)
	  when op = Beq && e2.java_expr_node = JElit Null ->
	  let e = expr e1 in
	  begin
            let st = match e1.java_expr_type with
	      | JTYclass _ | JTYinterface _ -> object_root
	      | JTYarray (_,t) -> get_array_struct e1.java_expr_loc t
	      | _ -> assert false
            in
            mknot
              ~expr:
              (mkapp
                 (* Romain: pourquoi non_null_fun et pas null_fun ?
		    Claude: parce que mknot au-dessus *)
                 ~fun_name: (non_null_fun st).jc_fun_info_name
                 ~args: [e]
                 ())
              ()
	  end
      | JEbin (e1, op, e2) (* case e1 != null *)
	  when op = Bne && e2.java_expr_node = JElit Null ->
	  let e = expr e1 in
	  begin
            let st = match e1.java_expr_type with
	      | JTYclass _ | JTYinterface _ -> object_root
	      | JTYarray (_,t) -> get_array_struct e1.java_expr_loc t
	      | _ -> assert false
            in
            mkapp
              ~fun_name: (non_null_fun st).jc_fun_info_name
              ~args: [e]
              ()
	  end
      | JEbin (e1, op, e2) ->
	  let e1 = expr e1 and e2 = expr e2 in
	  reg := true;
	  int_cast e.java_expr_loc e.java_expr_type
            (mkbinary ~expr1:e1 ~op:(bin_op op) ~expr2:e2 ())
      | JEif (e1,e2,e3) ->
          mkif
            ~condition: (expr e1)
            ~expr_then: (expr e2)
            ~expr_else: (expr e3)
            ()
      | JEvar vi ->
          mkvar ~name:(var_name (get_var vi)) ()
      | JEstatic_field_access(_ci,fi) ->
	  mkvar ~name:(var_name (get_static_var fi)) ()
      | JEfield_access(e1,fi) ->
	  reg := true;
	  mkderef ~expr:(expr e1) ~field:(fi_name (get_field fi)) ()
      | JEarray_length e ->
	  begin
	    match e.java_expr_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct e.java_expr_loc ty in
		  reg := true;
		  mkapp
                    ~fun_name:(java_array_length_fun st).jc_fun_info_name
                    ~args:[expr e]
                    ()
	      | _ -> assert false
	  end
      | JEarray_access(e1,e2) ->
	  begin
	    match e1.java_expr_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct e1.java_expr_loc ty in
		  let e1' = expr e1 in
		  let shift =
                    mkshift
                      ~pos: e.java_expr_loc
                      ~expr: e1'
                      ~offset: (expr e2)
                      ()
		  in
		  reg := true;
                  mkderef
                    ~expr: shift
                    ~field: (fi_name (List.hd st.jc_struct_info_fields))
                    ()
	      | _ -> assert false
	  end
      | JEassign_local_var(vi,e) ->
          mkassign
            ~location: (mkvar ~name:(var_name (get_var vi)) ())
            ~value: (expr e)
            ()
      | JEassign_local_var_op(vi,op,e) ->
	  reg := true;
          mkassign
            ~location: (mkvar ~name:(var_name (get_var vi)) ())
            ~op: (bin_op op)
            ~value: (expr e)
            ()
      | JEassign_field(e1,fi,e2) ->
	  reg := true;
          mkassign
            ~location: (expr e1)
            ~field: (fi_name (get_field fi))
            ~value: (expr e2)
            ()
      | JEassign_field_op(e1,fi,op,e2) ->
	  reg := true;
          mkassign
            ~location: (expr e1)
            ~field: (fi_name (get_field fi))
            ~op: (bin_op op)
            ~value: (expr e2)
            ()
      | JEassign_static_field (fi, e) ->
          mkassign
            ~location: (mkvar ~name:(var_name (get_static_var fi)) ())
            ~value: (expr e)
            ()
      | JEassign_static_field_op (fi, op, e) ->
	  reg := true;
          mkassign
            ~location: (mkvar ~name:(var_name (get_static_var fi)) ())
            ~op: (bin_op op)
            ~value: (expr e)
            ()
      | JEassign_array(e1,e2,e3) ->
	  reg := true;
	  begin
	    match e1.java_expr_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct e1.java_expr_loc ty in
		  let e1' = expr e1 in
		  let shift =
                    mkshift
                      ~pos: e.java_expr_loc
                      ~expr: e1'
                      ~offset: (expr e2)
                      ()
		  in
		  let fi = (List.hd st.jc_struct_info_fields) in
		  let e3' = expr e3 in
                  mkassign
                    ~location: shift
                    ~field: (fi_name fi)
                    ~value: e3'
                    ()
	      | _ -> assert false
	  end
      | JEassign_array_op(e1,e2,op,e3) ->
	  begin
	    match e1.java_expr_type with
	      | JTYarray (_, ty) ->
		  let st = get_array_struct e1.java_expr_loc ty in
		  let e1' = expr e1 in
		  let shift =
                    mkshift
                      ~pos: e.java_expr_loc
                      ~expr: e1'
                      ~offset: (expr e2)
                      ()
		  in
		  let fi = (List.hd st.jc_struct_info_fields) in
		  let e3' = expr e3 in
                  mkassign
                    ~location: shift
                    ~field: (fi_name fi)
                    ~op: (bin_op op)
                    ~value: e3'
                    ()
	      | _ -> assert false
	  end
      | JEcall(e1,mi,args) ->
	  reg := true;
          mkapp
            ~fun_name:
            (get_fun e.java_expr_loc mi.method_info_tag).jc_fun_info_name
            ~args: (List.map expr (e1 :: args))
            ()
      | JEconstr_call (e1, ci, args) ->
	  reg := true;
          mkapp
            ~fun_name:
            (get_fun e.java_expr_loc ci.constr_info_tag).jc_fun_info_name
            ~args: (List.map expr (e1 :: args))
            ()
      | JEstatic_call(mi,args) ->
	  reg := true;
          mkapp
            ~fun_name:
            (get_fun e.java_expr_loc mi.method_info_tag).jc_fun_info_name
            ~args: (List.map expr args)
            ()
      | JEnew_array(ty,[e1]) ->
	  let si = get_array_struct e.java_expr_loc ty in
          mkalloc
            ~count: (expr e1)
            ~typ: si.jc_struct_info_name
            ()
      | JEnew_array(_ty,_) ->
	  assert false (* TODO *)
      | JEnew_object(ci,args) ->
	  let si = get_class ci.constr_info_class.class_info_name in
	  let ty = JCTpointer(JCtag(si, []), Some num_zero, Some num_zero) in
	  let this = Jc_pervasives.var ~formal:true ty "this" in
	  let tt = Jc_pervasives.var ~formal:true
            Jc_pervasives.unit_type "_tt" in
	  let args =
            (mkvar ~name:(var_name this) ()) :: List.map expr args in
          mklet
            ~var: (var_name this)
            ~typ: (ptype_of_type this.jc_var_info_type)
            ~init: (mkalloc ~typ:si.jc_struct_info_name ())
            ~body:
            (mklet
               ~var: (var_name tt)
               ~typ: (ptype_of_type tt.jc_var_info_type)
               ~init:
               (mkapp
                  ~fun_name:
                  (get_fun e.java_expr_loc ci.constr_info_tag).jc_fun_info_name
                  ~args: args
                  ())
               ~body: (mkvar ~name:(var_name this) ())
               ())
            ()
      | JEcast(ty,e1) ->
	  begin
	    match ty with
	      | JTYbase _t ->
		  if !Java_options.ignore_overflow then expr e1 else begin
                    reg := true;
                    mkcast
                      ~expr: (expr e1)
                      ~typ: (ptype_of_type (tr_type e.java_expr_loc ty))
                      ()
                  end
	      | JTYclass(_,_ci) ->
		  reg := true;
                  mkcast ~expr:(expr e1)
		    ~typ: (ptype_of_type (tr_type e.java_expr_loc ty))
		    ()
	      | JTYinterface _ii ->
		  begin
		    match e1.java_expr_type with
		      | JTYclass _ -> expr e1 (* TODO *)
		      | JTYinterface _ -> expr e1
		      | _ -> assert false (* TODO *)
(*
		  eprintf "Warning: cast to interface '%s' ignored.@."
		    ii.interface_info_name;
		    (expr e1).jc_texpr_node
*)
		  end
	      | JTYarray (_, ty) ->
		  reg := true;
                  mkcast ~expr:(expr e1)
		    ~typ: (ptype_of_type (tr_type e.java_expr_loc ty))
		    ()
	      | JTYnull | JTYlogic _ -> assert false
	  end
      | JEinstanceof(e,ty) ->
	  begin
	    match ty with
	      | JTYclass(_,ci) ->
		  let st = get_class ci.class_info_name in
                  mkinstanceof ~expr:(expr e) ~typ:st.jc_struct_info_name ()
	      | _ -> assert false (* TODO *)
	  end

  in
  let pos = e.java_expr_loc in
  let e = new pexpr ~pos: e.java_expr_loc e'#node in
  if !reg then locate pos e else e

let tr_initializer ty e =
  match e with
    | JIexpr e -> expr ~reg:true e
    | JIlist il ->
	begin match ty with
	  | JTYarray (_, ty) ->
	      let si = get_array_struct Loc.dummy_position ty in
		mkalloc
		  ~count: (mkint ~value:(List.length il) ())
		  ~typ: si.jc_struct_info_name
		  ()
		  (* TO COMPLETE ? *)
	  | _ -> assert false (* should never happen *)
	end

(*
let dummy_loc_statement s =
  { jc_tstatement_loc = Loc.dummy_position;
    jc_tstatement_node = s }

let make_block l =
  match l with
    | [s] -> s
    | _ -> dummy_loc_statement (JCTSblock l)
*)

let rec reg_and_subexpr a =
  match a#node with
    | JAand(_a1,_a2) -> a
    | _ -> a

let reg_assertion a = assertion ~reg:true a

let reg_assertion_option a =
  match a with
    | None -> mkboolean ~value:true ()
    | Some a -> reg_assertion a

let reg_term t =
  let t' = term t in
  locate t.java_term_loc t'

let variant v =
  match v with
    | None -> None
    | Some(t,None) -> Some(reg_term t,None)
    | Some(t,Some fi) ->
        Some(reg_term t,Some (new identifier fi.java_logic_info_name))

let loop_annot annot =
  let invariant = reg_assertion annot.loop_inv in
  let behs_inv =
    List.map
      (fun ((loc,id),a) ->
	 ([new identifier ~pos:loc id],Some (reg_assertion a), None))
      annot.behs_loop_inv
  in
  let v = variant annot.loop_var in
  ([new identifier "default"],Some invariant,None)::behs_inv, v

let behavior (id,assumes,throws,assigns,allocates,ensures) =
  mkbehavior
    ~pos: (fst id)
    ~name: (snd id)
    ?throws:
    (Option_misc.map
       (fun ci -> exn_name (get_exception (JTYclass(false,ci))))
       throws)
    ?assigns:
    (Option_misc.map
       (fun (pos,a) ->
          mkassigns
            ~pos
            ~locations:(List.map (location (Some LabelPre)) a)
            ())
       assigns)
    ?allocates:
    (Option_misc.map
       (fun (pos,a) ->
          mkassigns
            ~pos
            ~locations:(List.map (location (Some LabelHere)) a)
            ())
       allocates)
    ?assumes: (Option_misc.map assertion assumes)
    ~ensures: (reg_assertion ensures)
    ()


let rec statement s =
  let s' =
    match s.java_statement_node with
      | JSskip ->
          mkvoid ()
      | JSlabel(lab,s) ->
	  mklabel lab (statement s) ()
      | JSbreak label ->
          mkbreak ?label ()
      | JScontinue label ->
          mkcontinue ?label ()
      | JSreturn_void ->
          mkreturn ()
      | JSreturn e ->
          let _ = tr_type e.java_expr_loc e.java_expr_type in
	  mkreturn ~expr:(expr e) ()
      | JSthrow e ->
	  (* insert a check that e is not null *)
	  let e' = expr e in
	  let t = get_exception e.java_expr_type in
	  let li = non_null_pred "Object" in
	  let tmp_name = "java_thrown_exception" in
	  let tmp_var = mkvar ~name:"java_thrown_exception" () in
          let ass =
	    mkassert
	      ~expr:(mkapp ~fun_name:li.jc_logic_info_name
		       ~args:[tmp_var] ()) ()
	  in
          let th =
	    mkthrow
              ~exn: (exn_name t)
              ~argument: tmp_var
              ()
	  in
	  mklet
            ~typ: (new ptype (JCPTpointer(t.jc_exception_info_name,[],None,None)))
            ~var: tmp_name
            ~init: e'
            ~body: (mkblock [ass; th] ())
            ()
      | JSblock l ->
          mkblock ~exprs:(List.map statement l)	()
      | JSvar_decl (vi, init, s) ->
	  let ty = vi.java_var_info_type in
	  let vi = create_var s.java_statement_loc vi in
          mklet
            ~typ: (ptype_of_type vi.jc_var_info_type)
            ~var: (var_name vi)
            ?init: (Option_misc.map (tr_initializer ty) init)
            ~body: (statement s)
            ()
      | JSif (e, s1, s2) ->
          mkif
            ~condition: (expr e)
            ~expr_then: (statement s1)
            ~expr_else: (statement s2)
            ()
      | JSdo (s, annot, e) ->
	  let (behaviors, variant) = loop_annot annot in
	  let while_expr =
	    mkwhile ~behaviors
	      ?variant ~condition:(expr e) ~body:(statement s) ()
	  in
            mkblock [statement s; while_expr] ()
      | JSwhile(e,annot,s) ->
	  let (behaviors, variant) = loop_annot annot in
          mkwhile ~behaviors
	    ?variant ~condition:(expr e) ~body:(statement s) ()
      | JSfor (el1, e, annot, el2, body) ->
	  let (behaviors, variant) = loop_annot annot in
          mkfor
            ~inits: (List.map expr el1)
            ~condition: (expr e)
            ~updates: (List.map expr el2)
            ~body: (statement body)
            ~behaviors
            ?variant
            ~pos: s.java_statement_loc
            ()
      | JSfor_decl(decls,e,annot,sl,body) ->
	  let decls = List.map begin fun (vi, init) ->
	    create_var s.java_statement_loc vi,
            Option_misc.map (tr_initializer vi.java_var_info_type) init
          end decls in
	  let (behaviors, variant) = loop_annot annot in
          (* TODO: Now that we produce parsed AST we could put inits in ~init *)
	  let res =
	    List.fold_right
	      (fun (vi,init) acc ->
                 mklet
                   ~typ: (ptype_of_type vi.jc_var_info_type)
                   ~var: (var_name vi)
                   ?init
                   ~body: acc
                   ())
	      decls
              (mkfor
                 ~pos: s.java_statement_loc
                 ~condition: (expr e)
                 ~updates: (List.map expr sl)
                 ~behaviors
                 ?variant
                 ~body: (statement body)
                 ())
	  in mkblock ~exprs:[res] ()
      | JSexpr e -> expr e
      | JSassert(forid,id,e) ->
	  let pos = e.java_assertion_loc in
	  let e' = reg_assertion e in
	  let behs =
	    Option_misc.fold_left
	      (fun acc id ->
		 (new identifier id)::acc)
	      [] forid
	  in
          let e = mkassert ~behs:behs ~expr:e' () in
	  locate ?id pos e
      | JSswitch(e,l) ->
          mkswitch ~expr:(expr e) ~cases:(List.map switch_case l) ()
      | JStry(s1, catches, finally) ->
          mktry
            ~expr: (block s1)
            ~catches:
            (List.map
	       (fun (vi,s2) ->
		  let e = get_exception vi.java_var_info_type in
		  let vti = create_var s.java_statement_loc vi in
                  mkcatch
                    ~exn: (exn_name e)
                    ~name: (var_name vti)
                    ~body: (block s2)
                    ())
	       catches)
            ~finally:
            (mkblock
               ~exprs:
               (Option_misc.fold (fun s _acc -> List.map statement s) finally [])
               ())
            ()
      | JSstatement_spec(req,dec,behs,s) ->
	  mkcontract
	    ~requires:(Option_misc.map assertion req)
	    ~decreases:(variant dec)
	    ~behaviors:(List.map behavior behs)
	    ~expr:(statement s)
	    ()

  in new pexpr ~pos:s.java_statement_loc s'#node

and statements l = List.map statement l

and block l = mkblock ~exprs:(statements l) ()

and switch_case (labels, b) =
  (List.map switch_label labels, block b)

and switch_label = function
  | Java_ast.Default -> None
  | Java_ast.Case e -> Some (expr e)

let true_assertion = mkboolean ~value:true ()

(*
let tr_method mi req dec behs b acc =
  let java_params = mi.method_info_parameters in
  let params =
    List.map (fun (p, _) -> create_var Loc.dummy_position p) java_params in
  let params =
    match mi.method_info_has_this with
      | None -> params
      | Some vi -> (create_var Loc.dummy_position vi) :: params
  in
  let params = List.map
    (fun vi -> (true, ptype_of_type vi.jc_var_info_type, (var_name vi)))
    params
  in
  let return_type =
    Option_misc.map
      (fun vi ->
 	 let _nvi = create_var Loc.dummy_position vi in
 	 vi.java_var_info_type)
      mi.method_info_result
  in
  let behaviors =
    List.map (fun beh -> Jc_ast.JCCbehavior (behavior beh)) behs
  in
  let nfi =
    create_fun Loc.dummy_position
      mi.method_info_tag mi.method_info_result
      mi.method_info_trans_name mi.method_info_parameters
  in
  let body = Option_misc.map block b in
  let _ =
    reg_pos ~id:nfi.jc_fun_info_name
      ~name:("Method " ^ mi.method_info_name)
      mi.method_info_loc
  in
  let requires = mkrequires_clause (reg_assertion_option req) in
  let clauses =
    match variant dec with
      | None -> requires :: behaviors
      | Some(t,m) ->
	  requires :: (mkdecreases_clause ?measure:m t) :: behaviors
  in
  let result_type = (* need the option monad... *)
    Option_misc.map
      ptype_of_type
      (Option_misc.map
         (tr_type Loc.dummy_position)
         return_type)
  in
  let def = mkfun_def
    ?result_type
    ~name: (new identifier nfi.jc_fun_info_name)
    ~params
    ~clauses
    ?body
    ()
  in def::acc
     *)

let tr_method_spec mi req dec behs b acc =
  let java_params = mi.method_info_parameters in
  let params =
    List.map (fun (p, _) -> create_var Loc.dummy_position p) java_params in
  let params =
    match mi.method_info_has_this with
      | None -> params
      | Some vi -> (create_var Loc.dummy_position vi) :: params
  in
  let params = List.map
    (fun vi -> (true, ptype_of_type vi.jc_var_info_type, (var_name vi)))
    params
  in
  let return_type =
    Option_misc.map
      (fun vi ->
 	 let _nvi = create_var Loc.dummy_position vi in
 	 vi.java_var_info_type)
      mi.method_info_result
  in
  let behaviors =
    List.map (fun beh -> Jc_ast.JCCbehavior (behavior beh)) behs
  in
  let nfi =
    create_fun Loc.dummy_position
      mi.method_info_tag mi.method_info_result
      mi.method_info_trans_name mi.method_info_parameters
  in
  let _ =
    reg_position ~id:nfi.jc_fun_info_name
      ~name:("Method " ^ mi.method_info_name)
      mi.method_info_loc
  in
  let requires = mkrequires_clause (reg_assertion_option req) in
  let clauses =
    match variant dec with
      | None -> requires :: behaviors
      | Some(t,m) ->
	  requires :: (mkdecreases_clause ?measure:m t) :: behaviors
  in
  let result_type = (* need the option monad... *)
    Option_misc.map
      ptype_of_type
      (Option_misc.map
         (tr_type Loc.dummy_position)
         return_type)
  in
  (result_type, nfi, params, clauses, b)::acc

let tr_method_body (result_type,nfi,params,clauses,b) acc =
  let body = Option_misc.map block b in
  let def = mkfun_def
    ?result_type
    ~name: (new identifier nfi.jc_fun_info_name)
    ~params
    ~clauses
    ?body
    ()
  in def::acc

let default_base_value t =
  match t with
    | Tshort | Tbyte | Tchar | Tint | Tlong ->
	JCCinteger "0"
    | Tboolean -> JCCboolean false
    | Tfloat | Tdouble -> JCCreal "0.0"
    | Tinteger | Treal -> assert false
    | Tunit  -> assert false
    | Tstring -> JCCnull

let default_value ty =
  match ty with
    | JTYbase t -> default_base_value t
    | JTYarray _ | JTYclass _ | JTYinterface _ -> JCCnull
    | JTYlogic _ -> eprintf "ICI@."; assert false
    | JTYnull -> assert false

let init_field this fi =
  mkassign
    ~location: this
    ~field: (fi_name (get_field fi))
    ~value: (mkconst ~const:(default_value fi.java_field_info_type) ())
    ()

(*
let tr_constr ci req behs b acc =
  let params = List.map
    (fun (vi, _) -> create_var Loc.dummy_position vi)
    ci.constr_info_parameters
  in
  let this =
    match ci.constr_info_this with
      | None -> assert false
      | Some vi -> (create_var Loc.dummy_position vi)
  in
  let nfi =
    create_fun Loc.dummy_position ci.constr_info_tag None
      ci.constr_info_trans_name ci.constr_info_parameters
  in
  let body = statements b
(*
@
    [dummy_loc_statement (JCTSreturn(this.jc_var_info_type,
				     dummy_loc_expr
				       this.jc_var_info_type
				       (JCTEvar this)))]
*)
  in
(* NO: TODO
  let body =
    dummy_loc_statement (JCTSdecl(this,None,make_block body))
  in
  *)
  let fields = ci.constr_info_class.class_info_fields in
  let body =
    List.fold_right
      (fun fi acc ->
	 if fi.java_field_info_is_static then acc else
	 try
	   init_field (mkvar ~name:(var_name this) ()) fi::acc
	 with Assert_failure _ -> acc)
	fields body
  in
  let _ =
    reg_pos ~id:nfi.jc_fun_info_name
      ~name:("Constructor of class "^ci.constr_info_class.class_info_name)
      ci.constr_info_loc
  in
  let params =
    (* false because this not yet valid *)
    (false, ptype_of_type this.jc_var_info_type, var_name this)
    ::
      List.map
      (fun vi -> (true,ptype_of_type vi.jc_var_info_type, var_name vi))
      params
  in
  let requires = mkrequires_clause (reg_assertion_option req) in
  let behaviors =
    List.map (fun beh -> Jc_ast.JCCbehavior (behavior beh)) behs
  in
  let def = mkfun_def
    ~name: (new identifier nfi.jc_fun_info_name)
    ~params
    ~body:(mkblock ~exprs:body ())
    ~clauses: (requires::behaviors)
    ()
  in def :: acc
*)

let tr_constr_spec ci req behs b acc =
  let params = List.map
    (fun (vi, _) -> create_var Loc.dummy_position vi)
    ci.constr_info_parameters
  in
  let this =
    match ci.constr_info_this with
      | None -> assert false
      | Some vi -> (create_var Loc.dummy_position vi)
  in
  let nfi =
    create_fun Loc.dummy_position ci.constr_info_tag None
      ci.constr_info_trans_name ci.constr_info_parameters
  in
  let _ =
    reg_position ~id:nfi.jc_fun_info_name
      ~name:("Constructor of class "^ci.constr_info_class.class_info_name)
      ci.constr_info_loc
  in
  let params =
    (* false because this not yet valid *)
    (false, ptype_of_type this.jc_var_info_type, var_name this)
    ::
      List.map
      (fun vi -> (true,ptype_of_type vi.jc_var_info_type, var_name vi))
      params
  in
  let requires = mkrequires_clause (reg_assertion_option req) in
  let behaviors =
    List.map (fun beh -> Jc_ast.JCCbehavior (behavior beh)) behs
  in
  (ci,this,nfi,params,requires::behaviors,b) :: acc

let tr_constr_body (ci,this,nfi,params,clauses,b) acc =
  let body = statements b
    (*
      @
      [dummy_loc_statement (JCTSreturn(this.jc_var_info_type,
      dummy_loc_expr
      this.jc_var_info_type
      (JCTEvar this)))]
    *)
  in
  (* NO: TODO
     let body =
     dummy_loc_statement (JCTSdecl(this,None,make_block body))
     in
  *)
  let fields = ci.constr_info_class.class_info_fields in
  let body =
    List.fold_right
      (fun fi acc ->
	 if fi.java_field_info_is_static then acc else
	   try
	     init_field (mkvar ~name:(var_name this) ()) fi::acc
	   with Assert_failure _ -> acc)
      fields body
  in
  let def = mkfun_def
    ~name: (new identifier nfi.jc_fun_info_name)
    ~params
    ~body:(mkblock ~exprs:body ())
    ~clauses
    ()
  in def :: acc

let default_label l =
  match l with
    | [l] -> Some l
    | _ -> None

let tr_non_null_logic_fun () =
  let si = get_class "Object" in
  let vi = Jc_pervasives.var
    (JCTpointer (JCtag(si, []), Some num_zero, None)) "x" in
  let vit = mkvar ~name:(var_name vi) () in
  let offset_maxt = mkoffset_max ~expr:vit () in
  let offset_maxa = mkbinary ~op:`Bge ~expr1:offset_maxt ~expr2:zero () in
  let non_null_pred = create_non_null_pred si in
  mklogic_def
    ~name: non_null_pred.jc_logic_info_name
    ~labels: [Jc_env.LabelHere]
    ~params: [ptype_of_type vi.jc_var_info_type, var_name vi]
    ~body: offset_maxa
    ()

let tr_logic_fun fi (b : logic_decl_body) acc =
  if b = `Builtin then acc else
  let nfi = create_logic_fun Loc.dummy_position fi in
  let def_ =
    mklogic_def
      ?typ: (Option_misc.map ptype_of_type nfi.jc_logic_info_result_type)
      ~name: nfi.jc_logic_info_name
      ~labels: nfi.jc_logic_info_labels
      ~params:
      (List.map
         (fun vi -> ptype_of_type vi.jc_var_info_type, var_name vi)
         nfi.jc_logic_info_parameters)
  in
  let def = match b with
    | `Assertion a -> def_ ~body:(assertion a) ()
    | `Inductive l ->
	def_ ~inductive:
	  (List.map
	     (fun ((loc,id),labels,a) ->
		(new identifier ~pos:loc id,
		 List.map tr_logic_label labels,
		 assertion a)) l)
	  ()
    | `Term t -> def_ ~body:(term t) ()
    | `None -> def_ ()
    | `Reads l ->
	let logic_label = default_label fi.java_logic_info_labels in
        def_ ~reads:(List.map (location logic_label) l) ()
    | `Builtin -> assert false
  in (def::acc)

(*s axioms *)

let tr_axiom id is_axiom loc lab p acc =
  let (_ : string) =
    reg_pos ~id
      ~name:("Lemma " ^ id)
      loc
  in
  let def = mklemma_def
    ~name: id
    ~axiom:is_axiom
    ~labels: (List.map tr_logic_label lab)
    ~body: (assertion p)
    ()
  in def::acc

(*
let tr_axiomatic_decl acc d =
  match d with
    | Aaxiom(id,is_axiom,labels,a) -> acc
    | Atype _ -> assert false
    | Areads (fi, r) -> tr_logic_fun fi (JReads r)
    | Aind_def (_, _) -> assert false
    | Afun_def (_, _) -> assert false
    | Apred_def (_, _) -> assert false

let tr_axiomatic_decls id l acc =
  let l = List.fold_left tr_axiomatic_decl acc l in
  assert false (* TODO *)

let tr_axiomatic_axiom acc d =
  match d with
    | Aaxiom(id,is_axiom,labels,a) -> tr_axiom id is_axiom labels a acc
    | Atype _|Areads (_, _)|Aind_def (_, _)|Afun_def (_, _)
    | Apred_def (_, _) -> acc

let tr_axiomatic_axioms id l acc =
  let l = List.fold_left tr_axiomatic_axiom acc l in
  assert false (* TODO *)
*)

let tr_axiomatic_decl acc d =
  match d with
    | Aaxiom(_id,_is_axiom,_labels,_a) -> acc
    | Atype s ->
	Java_options.lprintf "translating logic type %s@." s;
	tr_logic_type s acc
    | Adecl(fi, b) ->
	Java_options.lprintf "translating axiomatic function %s@." fi.java_logic_info_name;
	tr_logic_fun fi b acc

let tr_axiomatic_axiom acc d =
  match d with
    | Aaxiom(id,is_axiom,labels,a) ->
	Java_options.lprintf "translating axiom %s@." id;
	tr_axiom id is_axiom Loc.dummy_floc labels a acc
    | Atype _s -> acc
    | Adecl(_fi, _b) -> acc

let tr_axiomatic id l acc =
  Java_options.lprintf "translating axiomatic %s@." id;
  let acc1 = List.fold_left tr_axiomatic_decl [] l in
  let acc2 = List.fold_left tr_axiomatic_axiom acc1 l in
  (mkaxiomatic ~name:id ~decls:(List.rev acc2) ())::acc

let tr_field type_name acc fi =
  let vi = create_static_var Loc.dummy_position type_name fi in
  let vi_ty = vi.jc_var_info_type in
  let fi_ty = fi.java_field_info_type in
  if fi.java_field_info_is_final then
    let logic_body, axiom_body =
      try
	let e =
	  Hashtbl.find Java_typing.field_initializer_table fi.java_field_info_tag
	in
	let values =
	  Hashtbl.find Java_typing.final_field_values_table fi.java_field_info_tag
	in
	let get_value value = match fi_ty with
	  | JTYarray (_,JTYbase t) | JTYbase t ->
	      begin match t with
		| Tshort | Tbyte | Tchar | Tint
		| Tlong | Tdouble | Tinteger ->
		    JCCinteger (Num.string_of_num value)
		| Tboolean ->
		    let b = match Num.string_of_num value with
		      | "0" -> false
		      | "1" -> true
		      | _ -> assert false (* should never happen *)
		    in JCCboolean b
		| Tfloat | Treal -> assert false (* TODO *)
		| Tstring -> assert false (* TODO *)
		| Tunit -> assert false
	      end
	  | JTYnull | JTYclass _ | JTYinterface _ | JTYarray _ | JTYlogic _ ->
	      assert false
	in
	match e with
	  | None ->
              None, None
	  | Some (JIexpr e) ->
	      assert (List.length values = 1);
	      (* evaluated constant expressions are translated *)
              let t = term (term_of_expr e) in
	      Some (mkconst ~const:(get_value (List.hd values)) ~pos:t#pos ()),
	      None
	  | Some (JIlist il) ->
	      let n = List.length il in
	      assert (List.length values = n);
	      let si = match vi_ty with
		| JCTpointer (JCtag(si, []), _, _) -> si
		| _ -> assert false
	      in
	      let vit = mkvar ~name:(var_name vi) () in
	      let a =
		mkapp
                  ~fun_name:
                  (non_null_pred si.jc_struct_info_name).jc_logic_info_name
                  ~args: [vit]
                  ()
	      in
	      let a =
		mkand
                  ~expr1: a
                  ~expr2:
                  (mkeq
                     ~expr1: (mkoffset_max ~expr:vit ())
                     ~expr2: (mkint ~value:(n-1) ())
                     ())
                  ()
	      in
	      let fi' = List.hd si.jc_struct_info_fields in
	      let a, _ = List.fold_left2 begin fun (acc, cpt) init n ->
		match init with
		  | JIexpr e ->
		      let _ = term (term_of_expr e) in (* Why not used? *)
                      mkand
			~expr1: acc
			~expr2:
			(mkeq
                           ~expr1:
                           (mkderef
                              ~expr:
                              (mkshift
				 ~expr: vit
				 ~offset: (mkint ~value:cpt ())
				 ())
                              ~field: (fi_name fi')
                              ())
                           ~expr2: (mkconst ~const:(get_value n) ())
                           ())
			(),
		      cpt + 1
		  | JIlist _ -> assert false (* TODO / Not supported *)
              end (a, 0) il values in
	      None, Some a
      with Not_found ->
	Java_options.lprintf
          "Warning: final field '%s' of %a has no known value@."
	  fi.java_field_info_name
	  Java_typing.print_type_name
	  fi.java_field_info_class_or_interface;
	None, None
    in
    let def1 =
      mklogic_var_def
        ~typ: (ptype_of_type vi_ty)
        ~name: (var_name vi)
	?body:logic_body
	()
    in
    match logic_body,axiom_body with
      | (Some _,None) ->
	  def1 :: acc
      | (None, _ (* Some a *)) ->
	  let ax =
          mkaxiomatic
	    ~name: (fi.java_field_info_name^"_theory")
	    ~decls:[def1 ;
		    (* disabled because should be an invariant instead
		       of an axiom *)
		    (*
		    mklemma_def
		      ~name: (fi.java_field_info_name^"_values")
		      ~axiom: true
		      ~labels: [Jc_env.LabelHere]
		      ~body: a
		      () *)]
	    ()
	  in
	  ax :: acc
      | _ -> assert false
  else
    let e =
      try match Hashtbl.find Java_typing.field_initializer_table
	fi.java_field_info_tag with
	  | None -> None
	  | Some e -> Some (tr_initializer fi_ty e)
      with Not_found -> None
    in
    let acc =
      (mkvar_def
         ~typ: (ptype_of_type vi_ty)
         ~name: (var_name vi)
         ?init: e
         ())::acc
    in
    acc

(* class *)

let tr_class ci acc0 acc =
  let non_final_fields =
    List.filter
      (fun fi -> not fi.java_field_info_is_final)
      ci.class_info_fields
  in
  let (static_fields, fields) =
    List.partition
      (fun fi -> fi.java_field_info_is_static)
      non_final_fields
  in
  let super =
    let superclass = Option_misc.map (fun ci -> ci.class_info_name, [])
      ci.class_info_extends
    in
    match superclass with
      | None ->
	  if ci.class_info_name = "Object"
	  then None
          else Some ("Object", [])
      | _ -> superclass
  in
  let acc = List.fold_left (tr_field ci.class_info_name) acc static_fields in
    (* create exceptions if subclass of Exception *)
    begin
      if ci.class_info_is_exception then
	ignore (create_exception
		  (Some (tr_type Loc.dummy_position (JTYclass (false, ci))))
		  ci.class_info_name);
    end;
    let jc_fields = List.map (create_field Loc.dummy_position) fields in
      (* non_null fun & pred *)
    let si = get_class ci.class_info_name in
    let acc =
      if ci.class_info_name = "Object" then
	let non_null_fi = create_non_null_fun si in
	let vi = Jc_pervasives.var
	  (JCTpointer (JCtag(si, []), Some num_zero, None)) "x" in
	let result = Jc_pervasives.var Jc_pervasives.boolean_type "\\result" in
	let vit = mkvar ~name:(var_name vi) () in
	let offset_maxt = mkoffset_max ~expr:vit () in
	let offset_maxa = mkeq ~expr1:offset_maxt ~expr2:zero () in
        let non_null_spec = [
          mkbehavior_clause
            ~name: "normal"
            ~ensures:
            (mkif
               ~condition: (mkvar ~name:(var_name result) ())
               ~expr_then: offset_maxa
               ~expr_else: (mkeq ~expr1:vit ~expr2:(mknull ()) ())
               ())
            ()
        ] in
        (mkfun_def
           ~result_type: (ptype_of_type Jc_pervasives.boolean_type)
           ~name: (new identifier non_null_fi.jc_fun_info_name)
           ~params: [false,ptype_of_type vi.jc_var_info_type, var_name vi]
           ~clauses: non_null_spec
           ()):: acc
      else acc
    in
    let fields = List.map begin function fi ->
      (fi.jc_field_info_rep,fi.jc_field_info_abstract),
      ptype_of_type fi.jc_field_info_type,
      fi_name fi,
      None
    end jc_fields in
    (mktag_def
       ~name: ci.class_info_name
       ?super:(if !Java_options.minimal_class_hierarchy then None else super)
       ~fields
       ())::
      (if !Java_options.minimal_class_hierarchy then
	 (mkvariant_type_def
            ~name:ci.class_info_name
            ~tags:[ new identifier ci.class_info_name ]
            ())::acc0 else acc0)
      , acc

(* interfaces *)

let tr_interface ii acc =
  let fields =
    List.filter
      (fun fi -> not fi.java_field_info_is_static)
      ii.interface_info_fields
  in
  let (* model_fields *) _ = List.map (create_field Loc.dummy_position) fields in
  acc

let tr_class_or_interface ti acc0 acc =
  match ti with
    | TypeClass ci ->
	Java_options.lprintf "Creating JC structure for class '%s'@."
          ci.class_info_name;
	tr_class ci acc0 acc
    | TypeInterface ii ->
	Java_options.lprintf "Handling interface '%s'@." ii.interface_info_name;
	(acc0, tr_interface ii acc)

let tr_final_static_fields ti acc =
    match ti with
      | TypeClass ci ->
	  let final_static_fields =
	    List.filter
	      (fun fi ->
		 fi.java_field_info_is_final && fi.java_field_info_is_static)
	      ci.class_info_fields
	  in
	    List.fold_left (tr_field ci.class_info_name) acc final_static_fields
      | TypeInterface ii ->
	  List.fold_left
	    (tr_field ii.interface_info_name)
	    acc ii.interface_info_final_fields

let tr_invariants ci id invs decls =
  let invs =
    List.map
      (fun ((_, s), a) ->
	 let vi = create_var Loc.dummy_position id in
	 new identifier s, var_name vi, assertion a)
      invs
  in
  List.map begin fun d -> match d#node with
    | JCDtag (s, params, so, fil, struct_invs) when s = ci.class_info_name ->
	mktag_def
          ~name:s
          ~params
          ?super:so
          ~fields:fil
          ~invariants:(struct_invs @ invs)
          ()
    | _ -> d
  end decls

(* static invariants *)

let tr_static_invariant (s, a) =
  mkglobal_inv_def ~name:s ~body:(assertion a) ()

(*
Local Variables:
compile-command: "LC_ALL=C make -C .. byte"
End:
*)

why-2.34/java/java_typing.ml0000644000175000017500000044614712311670312014423 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Java_env
open Java_ast
open Java_tast
open Format
open Java_pervasives
open Graph


(************************

Pretty-printing of types

*************************)

let rec print_qualified_ident fmt id =
  match id with
    | [] -> assert false
    | [(_,id)] -> fprintf fmt "%s" id
    | (_,id)::r ->
        print_qualified_ident fmt r;
        fprintf fmt ".%s" id

let print_type_name fmt t =
  match t with
    | TypeClass ci -> fprintf fmt "%s" ci.class_info_name
    | TypeInterface ii -> fprintf fmt "%s" ii.interface_info_name
(*
    | TypeLogic s -> fprintf fmt "logic type %s" s
*)

let string_of_base_type t =
  match t with
    | Tunit -> "unit"
    | Tinteger -> "integer"
    | Treal -> "real"
    | Tboolean -> "boolean"
    | Tdouble -> "double"
    | Tlong -> "long"
    | Tfloat -> "float"
    | Tint -> "int"
    | Tchar -> "char"
    | Tbyte -> "byte"
    | Tshort -> "short"
    | Tstring -> "string"


let rec print_type fmt t =
  match t with
    | JTYbase t -> fprintf fmt "%s" (string_of_base_type t)
    | JTYnull -> fprintf fmt "(nulltype)"
    | JTYarray (non_null, t) ->
        fprintf fmt "%s%a[]" (if non_null then "" else "!") print_type t
    | JTYclass (non_null, c) ->
        fprintf fmt "%s%s" (if non_null then "" else "!") c.class_info_name
    | JTYinterface ii -> fprintf fmt "%s" ii.interface_info_name
    | JTYlogic i ->fprintf fmt "%s" i

(***********************

Typing error handling

************************)

exception Typing_error of Loc.position * string

let typing_error l =
  Format.kfprintf
    (fun _fmt -> raise (Typing_error(l, flush_str_formatter())))
    str_formatter

let integer_expected l t =
  typing_error l "integer type expected, got %a" print_type t

let array_expected l t =
  typing_error l "array type expected, got %a" print_type t

let int_expected l t =
  typing_error l "int expected, got %a" print_type t

let class_or_interface_expected l t =
  typing_error l "class or interface expected, got %a" print_type t



let catch_typing_errors f a =
 try
   f a
 with
   | Typing_error(l,s) ->
       eprintf "%a: typing error: %s@." Loc.gen_report_position l s;
       exit 1
   | Java_options.Java_error(l,s) ->
       eprintf "%a: %s@." Loc.gen_report_position l s;
       exit 1
   | Assert_failure(f,l,c) as exn ->
       eprintf "%a:@." Loc.gen_report_line (f,l,c,c);
       raise exn
   | Match_failure(f,l,c) as exn ->
       eprintf "%a:@." Loc.gen_report_line (f,l,c,c);
       raise exn


(**********************

Name classification
(JLS 2nd ed., pp. 93-104)

***********************)

let split_extension filename =
  try
    let dotindex = String.rindex filename '.' in
    (String.sub filename 0 dotindex,
     String.sub filename (dotindex+1) (String.length filename - dotindex - 1))
  with Not_found -> filename,""

let read_dir d =
  let l =
    try
      Sys.readdir d
    with
        Sys_error _ ->
          eprintf "Cannot open directory %s@." d;
          exit 2
  in
  Array.fold_left
    (fun (dirs,files) name ->
       let fullname = Filename.concat d name in
       let s = Unix.lstat fullname in
       match s.Unix.st_kind with
         | Unix.S_DIR when name <> "CVS" ->
             begin
               Java_options.lprintf "got sub-directory %s@." name;
               ((name,fullname)::dirs,files)
             end
         | Unix.S_REG ->
             begin
               let base,ext = split_extension name in
               match ext with
                 | "java" ->
                     Java_options.lprintf "got Java file %s@." base;
                     (dirs,(base,fullname)::files)
                 | _ ->
                   Java_options.lprintf "file %s ignored@." name;
                     (dirs,files)
             end
         | _ ->
             begin
               Java_options.lprintf "skipping special file %s@." name;
               (dirs,files)
             end)
    ([],[]) l


let toplevel_packages_table = (Hashtbl.create 17 : (string, package_info) Hashtbl.t)

let package_counter = ref 0

let new_package_info name fullname =
  incr package_counter;
  let pi =
    { package_info_tag = !package_counter;
      package_info_name = name;
      package_info_directories = [fullname];
    }
  in
    pi

(* [package_contents] maps each internal package id to its contents *)
type package_member =
  | Subpackage of package_info
  | File of string
  | Type of java_type_info

let package_contents =
  (Hashtbl.create 17 : (int, (string, package_member) Hashtbl.t) Hashtbl.t)


let anonymous_package = new_package_info "" "."

let is_anonymous_package pi =
  pi.package_info_tag = anonymous_package.package_info_tag

let javalang_qid = [(Loc.dummy_position,"lang"); (Loc.dummy_position,"java")]

let rec read_dir_contents ~is_toplevel dir =
  Java_options.lprintf "reading directory '%s'@." dir;
  let d, f = read_dir dir in
  let h = Hashtbl.create 17 in
    List.iter
      (fun (name, fullname) ->
	 begin
	   if is_toplevel then
	     try
	       let pi = Hashtbl.find toplevel_packages_table name in
		 pi.package_info_directories <- fullname :: pi.package_info_directories
	     with Not_found ->
	       let pi = new_package_info name fullname in
		 Java_options.lprintf "adding subpackage %s@." name;
		 Hashtbl.add h name (Subpackage pi)
	   else
	     let pi = new_package_info name fullname in
	       Java_options.lprintf "adding subpackage %s@." name;
	       Hashtbl.add h name (Subpackage pi)
	 end)
      d;
    List.iter
      (fun (name, fullname) ->
	 Java_options.lprintf "adding java file %s (fullname %s)@." name fullname;
	 Hashtbl.add h name (File fullname))
      f;
    h

let get_package_contents pi =
  try
    Hashtbl.find package_contents pi.package_info_tag
  with
      Not_found ->
	let h = Hashtbl.create 17 in
	  List.iter
	    (fun dir ->
	       let is_top_level = is_anonymous_package pi in
	       let h' = read_dir_contents ~is_toplevel:is_top_level dir in
		 Hashtbl.iter
		   (fun name x ->
		      try
			let x' = Hashtbl.find h name in
			  match x, x' with
			    | Subpackage pi, Subpackage pi' ->
				pi'.package_info_directories <-
				  pi.package_info_directories @ pi'.package_info_directories
			    | _ -> assert false (* TODO : error message ? *)
		      with Not_found ->
			Hashtbl.add h name x)
		   h')
	    pi.package_info_directories;
          Hashtbl.add package_contents pi.package_info_tag h;
          h

let toplevel_packages =
  Java_options.lprintf "Reading toplevel packages@.";
  let h = Hashtbl.create 17 in
    List.iter
      (fun dir ->
	 let h' = read_dir_contents ~is_toplevel:true dir in
	   Hashtbl.iter
	     (fun name x ->
		begin
		  Hashtbl.add h name x;
		  match x with
		    | Subpackage pi ->
			Hashtbl.add toplevel_packages_table name pi
		    | _ ->
			Format.eprintf "Warning: %s is not a subpackage of %s@." name dir;
			()
		end)
	     h')
      Java_options.classpath;
    h

let type_table : (int, java_type_info) Hashtbl.t = Hashtbl.create 97

(* A GROUPER *)
let class_type_env_table :
    (int, (string * java_type_info) list) Hashtbl.t
    = Hashtbl.create 97
and interface_type_env_table :
    (int, (string * java_type_info) list) Hashtbl.t
    = Hashtbl.create 97



let class_decl_table :
    (int, (package_info list *
             Java_ast.class_declaration)) Hashtbl.t
    = Hashtbl.create 97


let interface_decl_table :
    (int, (package_info list *
             Java_ast.interface_declaration)) Hashtbl.t
    = Hashtbl.create 97

let invariants_env :
    (int, (* class tag *)
     Java_env.java_type_info (* class or interface *)
     * (string * Java_env.java_var_info) list (* env [this,this_info]*)
     * Java_env.java_var_info (* this_info *)
     * (Java_ast.identifier * Java_ast.pexpr) list (* (inv_name,inv_pred) list *)
    ) Hashtbl.t
    = Hashtbl.create 97
let invariants_table :
    ( int, (* class tag *)
      Java_env.java_class_info (* class_info *)
      * Java_env.java_var_info (* this_info *)
      * (Java_ast.identifier * Java_tast.assertion) list (* (inv_name, typed pred) list *)
      ) Hashtbl.t
    = Hashtbl.create 97

let static_invariants_env = Hashtbl.create 97
let static_invariants_table = Hashtbl.create 97




let rec var_type_and_id non_null ty id =
  match id with
    | Simple_id id -> ty, id
    | Array_id id ->
        let ty, id = var_type_and_id non_null ty id in
          JTYarray (non_null, ty), id


(* fields *)

let field_prototypes_table : (int, variable_initializer option) Hashtbl.t
    = Hashtbl.create 97

let field_tag_counter = ref 0

let new_field ~is_static ~is_final ~is_nullable ~is_model ~is_ghost ti ty id =
  incr field_tag_counter;
  let fi = {
    java_field_info_tag = !field_tag_counter;
    java_field_info_name = id;
    java_field_info_type = ty;
    java_field_info_class_or_interface = ti;
    java_field_info_is_static = is_static;
    java_field_info_is_final = is_final;
    java_field_info_is_nullable = is_nullable;
    java_field_info_is_model = is_model;
    java_field_info_is_ghost = is_ghost;
  } in fi


let new_model_field ii ty id =
  new_field ~is_static:false ~is_final:false ~is_nullable:false
    ~is_model:true (TypeInterface ii) ty id

(* methods *)

let methods_env = Hashtbl.create 97

let method_or_constr_tag_counter = ref 0

let new_method_info ~is_static ~result_is_nullable loc id ti ty pars =
  incr method_or_constr_tag_counter;
  let result =
      Option_misc.map (fun t -> new_var Loc.dummy_position t "\\result") ty
  in
  {
    method_info_tag = !method_or_constr_tag_counter;
    method_info_loc = loc;
    method_info_name = id;
    method_info_class_or_interface = ti;
    method_info_trans_name = id;
    method_info_has_this = None;
    method_info_parameters = pars;
    method_info_result = result;
    method_info_result_is_nullable = result_is_nullable;
    method_info_calls = [];
    method_info_is_static = is_static;
  }

let constructors_env = Hashtbl.create 97

let new_constructor_info ci loc pars =
  incr method_or_constr_tag_counter;
  {
    constr_info_tag = !method_or_constr_tag_counter;
    constr_info_loc = loc;
    constr_info_class = ci;
    constr_info_trans_name = ci.class_info_name;
    constr_info_this = None;
    constr_info_result = None;
    constr_info_parameters = pars;
    constr_info_calls = [];
  }

let rec list_assoc_name f id l =
  match l with
    | [] -> raise Not_found
    | fi::r ->
        if (f fi) = id then fi
        else list_assoc_name f id r


(******************************

Typing level 0: extract types (logic, Java classes, Java interfaces)

**********************************)


let type_counter = ref 0

(* adds an interface named [id] in package [p] *)
let new_interface_info (p:package_info) (id:string) i =
  incr type_counter;
  let ii =
    { interface_info_tag = !type_counter;
      interface_info_name = id;
      interface_info_package_env = (fst i);
      interface_info_incomplete = true;
      interface_info_extends = [];
      interface_info_fields = [];
      interface_info_final_fields = [];
      interface_info_methods = [];
    }
  in
  Hashtbl.add type_table !type_counter (TypeInterface ii);
  Hashtbl.add interface_decl_table !type_counter i;
  Java_options.lprintf "adding interface %s in package '%s'@." id p.package_info_name;
  let h = get_package_contents p in
  Hashtbl.replace h id (Type (TypeInterface ii));
  ii

let new_class_info ~is_final:_ (p:package_info) (id:string) c =
  incr type_counter;
  let ci =
    { class_info_tag = !type_counter;
      class_info_name = id;
      class_info_package_env = (fst c);
      class_info_incomplete = true;
      class_info_is_final = false;
      class_info_extends = None;
      class_info_is_exception = false;
      class_info_implements = [];
      class_info_fields = [];
      class_info_final_fields = [];
      class_info_methods = [];
      class_info_constructors = [];
    }
  in
    Hashtbl.add type_table !type_counter (TypeClass ci);
    Hashtbl.add class_decl_table !type_counter c;
    Java_options.lprintf
    "adding class %s in package %s@." id p.package_info_name;
    let h = get_package_contents p in
      Hashtbl.replace h id (Type (TypeClass ci));
      ci


let logic_types_table = Hashtbl.create 97

let import_spec_table = Hashtbl.create 17

let new_logic_type id = id

let rec get_type_decl package package_env acc d =
    match d with
    | JPTclass cd ->
        (*
          class_modifiers : modifiers;
          class_name : identifier;
          class_extends : qualified_ident option;
          class_implements : qualified_ident list;
          class_fields : field_declaration list
        *)
        let _, id = cd.class_name in
	let is_final = List.mem Final cd.class_modifiers in
        let ci = new_class_info ~is_final:is_final package id (package_env, cd) in
        (id, TypeClass ci) :: acc
    | JPTinterface i ->
        let (_,id) = i.interface_name in
        let ii = new_interface_info package id (package_env,i) in
        (id,TypeInterface ii)::acc
    | JPTannot(_loc,_s) -> assert false
    | JPTlemma((_loc,_id),_is_axiom, _labels,_e) -> acc
    | JPTlogic_type_decl (loc,id) ->
        begin
          try
            let _ = Hashtbl.find logic_types_table id in
            typing_error loc "logic type already defined"
          with
              Not_found ->
                let i = new_logic_type id in
                Hashtbl.add logic_types_table id i;
                acc
        end
    | JPTlogic_reads((_loc,_id),_ret_type,_labels,_params,_reads) -> acc
    | JPTlogic_def((_loc,_id),_ret_type,_labels,_params,_body) -> acc
    | JPTinductive((_loc,_id),_labels,_params,_body) -> acc
    | JPTaxiomatic(_,body) ->
	List.fold_left (get_type_decl package package_env) acc body
    | JPTimport(PolyTheoryId(qid,_params))  ->
        let
          id = Java_pervasives.qualified_ident2string
                 qid "."
        in
	(* we look if id is already in the import table *)
	try
	  let _ = Hashtbl.find import_spec_table id in
	  Java_options.lprintf "importing %s: was already imported@." id;
	  acc
	with Not_found ->
	  Java_options.lprintf "importing spec %s@." id;
	  let
            spec_body = Java_syntax.spec_file
              ((Java_pervasives.qualified_ident2string qid "/")
               ^ ".spec")
          in
	  Hashtbl.add import_spec_table id spec_body;
	  List.fold_left (get_type_decl package package_env) acc spec_body


type classified_name =
  | TermName of term
  | TypeName of java_type_info
  | LogicTypeName of logic_type_info
  | PackageName of package_info

let rec add_in_package_list pi l =
  match l with
    | [] -> [pi]
    | qi::_ when pi.package_info_tag = qi.package_info_tag -> l
    | qi::r -> qi::add_in_package_list pi r

let is_boolean t =
  match t with
    | JTYbase Tboolean -> true
    | _ -> false

let is_reference_type t =
  match t with
    | JTYbase _t -> false
    | _ -> true

(* logic funs *)

type logic_def_body =
  [ `Assertion of Java_tast.assertion
  | `Term of Java_tast.term
  | `Inductive of
      (Java_ast.identifier * Java_env.logic_label list * Java_tast.assertion)
	list
  | `Builtin ]

type logic_decl_body =
  [ logic_def_body | `None | `Reads of Java_tast.term list ]

type axiomatic_defs =
  | Adecl of  Java_env.java_logic_info * logic_decl_body
  | Aaxiom of string * bool * Java_env.logic_label list * Java_tast.assertion
  | Atype of string

let logics_env = Hashtbl.create 97
let logic_defs_table = Hashtbl.create 97
let axiomatics_table = Hashtbl.create 97

let builtin_logic_symbols = ref []

let () =
  List.iter
    (fun (ty,id,pl) ->
       let l =
	 List.map
	   (fun ty -> new_var Loc.dummy_position ty "_")
	   pl
       in
       let fi = logic_info id ty [] l in
       builtin_logic_symbols := fi :: !builtin_logic_symbols;
       Hashtbl.add logics_env fi.java_logic_info_name fi;
       Hashtbl.add logic_defs_table fi.java_logic_info_tag (fi,`Builtin)
    )
    Java_pervasives.builtin_logic_symbols

(* JLS 5.1.1: Identity Conversion *)
let rec is_identity_convertible tfrom tto =
  match tfrom, tto with
    | JTYbase t1, JTYbase t2 -> t1=t2
    | JTYclass(_,c1), JTYclass(_,c2) -> c1 == c2
    | JTYinterface i1, JTYinterface i2 -> i1 == i2
    | JTYarray (_, t1), JTYarray (_, t2) -> is_identity_convertible t1 t2
    | JTYnull, JTYnull -> true
    | _ -> false

(* JLS 5.1.2: Widening Primitive Conversion *)
let is_widening_primitive_convertible tfrom tto =
  match tfrom,tto with
    | Tbyte, (Tshort | Tint | Tlong | Tfloat | Tdouble) -> true
    | Tshort, (Tint | Tlong | Tfloat | Tdouble) -> true
    | Tchar, (Tint | Tlong | Tfloat | Tdouble) -> true
    | Tint, (Tlong | Tfloat | Tdouble) -> true
    | Tlong, (Tfloat | Tdouble) -> true
    | Tfloat, Tdouble -> true
    | _ -> false

let is_logic_widening_primitive_convertible tfrom tto =
  match tfrom,tto with
    | Tbyte, (Tshort | Tint | Tlong | Tinteger | Tfloat | Tdouble | Treal)
        -> true
    | Tshort, (Tint | Tlong | Tinteger | Tfloat | Tdouble | Treal) -> true
    | Tchar, (Tint | Tlong | Tinteger | Tfloat | Tdouble | Treal) -> true
    | Tint, (Tlong | Tinteger | Tfloat | Tdouble | Treal) -> true
    | Tlong, (Tinteger | Tfloat | Tdouble | Treal) -> true
    | Tfloat, (Tdouble | Treal) -> true
    | Tinteger, Treal -> true
    | Tdouble, Treal -> true
    | _ -> false

let logic_unary_numeric_promotion ty =
  match ty with
    | JTYbase t ->
        begin
          match t with
            | Treal | Tdouble | Tfloat -> Treal
            | _ -> Tinteger
        end
    | _ -> assert false

let logic_binary_numeric_promotion t1 t2 =
  match t1,t2 with
    | JTYbase t1,JTYbase t2 ->
        begin
          match t1,t2 with
            | (Tboolean | Tunit),_
            | _, (Tboolean | Tunit) -> raise Not_found
            | (Treal | Tdouble | Tfloat),_
            | _, (Treal | Tdouble | Tfloat) -> Treal
            | _ -> Tinteger
        end
    | _ -> raise Not_found

let make_logic_bin_op loc op t1 e1 t2 e2 =
  match op with
    | Bconcat -> assert false
    | Bgt | Blt | Bge | Ble ->
        begin
          try
            let t = logic_binary_numeric_promotion t1 t2 in
            boolean_type,JTbin(e1,t,op,e2)
          with Not_found ->
            typing_error loc "numeric types expected for >,<,>= and <="
        end
    | Beq | Bne ->
        begin
          try
            let t = logic_binary_numeric_promotion t1 t2 in
            boolean_type,JTbin(e1,t,op,e2)
          with Not_found ->
            if is_boolean t1 && is_boolean t2 then
              boolean_type,JTbin(e1,Tboolean,op,e2)
            else
              if is_reference_type t1 && is_reference_type t2 then
                boolean_type,JTbin_obj(e1,op,e2)
              else
                typing_error loc "numeric, boolean or object types expected for == and !="
        end

    | Basr | Blsr | Blsl ->
        begin
          try
            match logic_unary_numeric_promotion t1 with
              | Tinteger as t1 ->
                  begin
                    try
                      match logic_unary_numeric_promotion t2 with
                        | Tinteger ->
                            JTYbase t1, JTbin (e1, t1, op, e2)
                        | _ -> raise Not_found
                    with Not_found -> int_expected loc t2
                  end
              | _ -> raise Not_found
          with Not_found -> int_expected loc t1
        end
    | Bimpl | Bor | Band | Biff ->
        if is_boolean t1 && is_boolean t2 then
          boolean_type, JTbin (e1, Tboolean, op, e2)
        else
          typing_error loc "booleans expected"
    | Bbwxor | Bbwor | Bbwand ->
        if is_boolean t1 && is_boolean t2 then
          boolean_type, JTbin (e1, Tboolean, op, e2)
        else
          begin
            try
              let t1 = logic_unary_numeric_promotion t1 in
              let t2 = logic_unary_numeric_promotion t2 in
                assert (t1 = t2);
                JTYbase t1, JTbin (e1, t1, op, e2)
            with Not_found ->
              typing_error loc "booleans or integers expected"
          end
    | Bsub | Badd | Bmod | Bdiv | Bmul ->
        try
          let t = logic_binary_numeric_promotion t1 t2 in
            JTYbase t, JTbin (e1, t, op, e2)
        with Not_found ->
          typing_error loc "numeric types expected for +,-,*, / and %%"

let make_logic_un_op loc op e =
  let ty = e.java_term_type in
    match op with
      | Uplus ->
          begin
            try
              let t = logic_unary_numeric_promotion ty in
		JTYbase t, e.java_term_node
            with Not_found ->
              typing_error loc "numeric type expected for unary +"
          end
      | Uminus ->
          begin
            try
              let t = logic_unary_numeric_promotion ty in
		JTYbase t, JTun (t, op, e)
            with Not_found ->
              typing_error loc "numeric type expected for unary -"
          end
      | Ucompl ->
          begin
            try
              match logic_unary_numeric_promotion ty with
		| Tinteger -> JTYbase Tinteger, JTun (Tinteger, op, e)
		| _ -> raise Not_found
            with Not_found ->
              typing_error loc "integer type expected for ~"
          end
      | Unot ->
          if is_boolean ty then ty, JTun (Tboolean, op, e) else
	    typing_error loc "boolean type expected for unary !"

let make_predicate_bin_op loc op t1 e1 t2 e2 =
  match op with
    | Bconcat -> assert false
    | Bgt | Blt | Bge | Ble ->
        begin
          try
            let t = logic_binary_numeric_promotion t1 t2 in
            JAbin(e1,t,op,e2)
          with Not_found ->
            typing_error loc "numeric types expected for >, <, >= and <="
        end
    | Beq | Bne ->
        begin
          try
            let t = logic_binary_numeric_promotion t1 t2 in
            JAbin(e1,t,op,e2)
          with Not_found ->
            if is_boolean t1 && is_boolean t2 then
              JAbin(e1,Tboolean,op,e2)
            else
              if is_reference_type t1 && is_reference_type t2 then
                JAbin_obj(e1,op,e2)
              else
                typing_error loc "numeric, boolean or object types expected for == and !="
        end
    | Basr|Blsr|Blsl|Bbwxor|Bbwor|Bbwand|Bimpl|Bor|Band|Biff ->
        assert false (* TODO *)
    | Bsub | Badd | Bmod | Bdiv | Bmul ->
        typing_error loc "operator +,-,*, / and %% is not a predicate"

let connective a1 op a2 =
  match op with
    | Band -> JAand(a1,a2)
    | Bor -> JAor(a1,a2)
    | Bimpl -> JAimpl(a1,a2)
    | Biff -> JAiff(a1,a2)
    | _ -> assert false

let dummy_class =
  { class_info_tag = (-1);
    class_info_name = "";
    class_info_package_env = [];
    class_info_incomplete = false;
    class_info_is_final = false;
    class_info_extends = None;
    class_info_is_exception = false;
    class_info_implements = [];
    class_info_fields = [];
    class_info_final_fields = [];
    class_info_methods = [];
    class_info_constructors = [];
  }

let object_class = ref dummy_class

let rec is_subclass c1 c2 =
  c1 == c2 ||
    (check_if_class_complete c1;
     match c1.class_info_extends with
      | None -> c2 == !object_class
      | Some c -> is_subclass c c2)

and is_subinterface i1 i2 =
  i1 == i2 ||
    (check_if_interface_complete i1;
     List.exists
        (fun i' ->
(*
           eprintf "checking if interface '%s' is subinterface of '%s'@."
                i'.interface_info_name i2.interface_info_name;
*)
       is_subinterface i' i2)
    i1.interface_info_extends)

and implements c i =
  List.exists
    (fun i' -> is_subinterface i' i)
    c.class_info_implements ||
    match c.class_info_extends with
      | None -> false
      | Some c -> implements c i

and get_this loc env =
  try
    List.assoc "this" env
  with Not_found ->
    typing_error loc "this undefined in this context"

and get_import (packages, types) imp =
  match imp with
    | Import_package qid ->
        Java_options.lprintf "importing package %a@." print_qualified_ident qid;
        begin
          match classify_name [] [] None [] qid with
            | PackageName pi -> (add_in_package_list pi packages,types)
            | _ -> typing_error (fst (List.hd qid))
                "package name expected"
        end
    | Import_class_or_interface qid ->
        Java_options.lprintf "importing %a@." print_qualified_ident qid;
        begin
          match classify_name [] [] None [] qid with
            | TypeName ti -> (packages, (snd (List.hd qid), ti)::types)
            | _ -> typing_error (fst (List.hd qid))
                "type name expected"
        end

and get_types package_env cus =
  let pil =
    List.map
      (fun cu ->
         match cu.cu_package with
           | [] -> anonymous_package
           | qid ->
               match classify_name package_env [] None [] qid with
                 | PackageName pi -> pi
                 | _ -> assert false)
      cus
  in
  let package_env, type_env =
    let imports = List.flatten (List.map (fun cu -> cu.cu_imports) cus) in
    List.fold_left get_import ([],[])
      (Import_package javalang_qid::imports)
  in
  let package_env =
    List.fold_left (fun _acc pi -> add_in_package_list pi package_env)
      package_env pil
  in
  let local_type_env =
    List.flatten
    (List.map
      (fun (pi, cu) ->
         List.fold_left (get_type_decl pi package_env)
           [] cu.cu_type_decls)
      (List.combine pil cus))
  in
  let full_type_env = local_type_env @ type_env in
  List.iter
    (fun (_,ti) ->
       match ti with
         | TypeClass ci ->
(*
             eprintf "setting type env for class '%s' as:@\n" ci.class_info_name;
             List.iter
               (fun (id,_) -> eprintf "  %s@\n" id)
               full_type_env;
*)
             Hashtbl.add class_type_env_table ci.class_info_tag
               full_type_env
         | TypeInterface ii ->
             Hashtbl.add interface_type_env_table ii.interface_info_tag
               full_type_env)
    local_type_env;
  package_env,local_type_env


(* corresponds to JLS 2nd ed., par. 6.5.2, pp. 96--97 *)
and classify_name
    (package_env : package_info list)
    (type_env : (string * java_type_info) list)
    (current_type : java_type_info option)
    (local_env : (string * java_var_info) list)
    (name : qualified_ident) =
  match name with
    | [] -> assert false
    | [(loc, id)] ->
        (* case of a simple name (JLS p 96) *)
(*
	Format.eprintf "classify_name for %s@." id;
*)
        begin
          (* look for a local var of that name *)
          try
            let vi = List.assoc id local_env in
              TermName {
                java_term_node = JTvar vi;
                java_term_type = vi.java_var_info_type;
                java_term_loc = loc
              }
          with Not_found ->
            (* look for a field of that name in current class *)
            try
              match current_type with
                | None -> raise Not_found
                | Some ti ->
                    let fi = lookup_field ti id in
                    let facc =
                      if fi.java_field_info_is_static then
                        JTstatic_field_access (ti, fi)
                      else
                        let vi =
                          try
                            List.assoc "this" local_env
                          with Not_found -> assert false
                        in
                        let this =
                          { java_term_node = JTvar vi;
                            java_term_type = vi.java_var_info_type;
                            java_term_loc = loc }
                        in
                        JTfield_access (this, fi)
                    in
                    TermName {
                      java_term_node = facc;
                      java_term_type = fi.java_field_info_type;
                      java_term_loc = loc
                    }
            with Not_found ->
              try
                (* TODO: look for a local class of member type of that name *)
                raise Not_found
              with
                  Not_found ->
                    try
                      (* look for a type of that name
                         in the current compilation unit, or
                         in another compilation unit of the current package *)
(*
                      eprintf "lookup id '%s' in type_env:@\n" id;
                      List.iter
                        (fun (id,_) -> eprintf "  %s@\n" id)
                        type_env;
*)
                      let ti = List.assoc id type_env in
                        TypeName ti
                    with Not_found ->
                      (* look for a type of that name
                         declared by a type-import-on-demand declaration
                         (fail if two of them are visible) *)
                      let l =
                        List.fold_left
                          (fun acc pi ->
                             let h = get_package_contents pi in
                               try
                                 (pi, h, (Hashtbl.find h id)) :: acc
                               with Not_found -> acc)
                          [] package_env
                      in
(*
		      eprintf "list l has length %d@." (List.length l);
*)
                      match l with
                        | [(_pi, h, x)] ->
                            begin
                              match x with
                                | Subpackage pi -> PackageName pi
                                | Type ti -> TypeName ti
                                | File f ->
                                    let ast = Java_syntax.file f in
                                    let (_, t) = get_types package_env [ast] in
                                    try
                                      let ti = List.assoc id t in
                                      Hashtbl.replace h id (Type ti);
                                      TypeName ti
                                    with Not_found ->
                                      eprintf "Anomaly: `%s' not found" id;
                                      assert false
                            end
                        | (pi1,_,_)::(pi2,_,_)::_ ->
                            typing_error loc
                              "ambiguous name from import-on-demand packages '%s' and '%s'"
                              pi1.package_info_name
                              pi2.package_info_name
                        | [] ->
                            (* otherwise look for a toplevel package
                               of that name *)
                            try
                              match Hashtbl.find toplevel_packages id with
                                | Subpackage pi -> PackageName pi
                                | Type _ti -> assert false
                                | File f ->
                                    typing_error loc "Internal error: got file %s in place of a package@." f
                            with Not_found ->
                              (* otherwise look for a logic type
                                 of that name *)
                              try
                                let i = Hashtbl.find logic_types_table id in
                                LogicTypeName i
                              with Not_found ->
                                typing_error loc "unknown identifier %s" id

        end

    | (loc,id)::n ->
        (* case of a qualified name (JLS p 97) *)
(*
	Format.eprintf "classify_name for %s...@." id;
*)
        match classify_name package_env type_env current_type local_env n with
          | PackageName pi ->
              let contents = get_package_contents pi in
              begin
                try
                  match Hashtbl.find contents id with
                    | Subpackage pi -> PackageName pi
                    | Type ti -> TypeName ti
                    | File f ->
                        let ast = Java_syntax.file f in
                        let (_, t) = get_types package_env [ast] in
                        try
                          let ti = List.assoc id t in
                          Hashtbl.replace contents id (Type ti);
                          TypeName ti
                        with Not_found ->
                          typing_error loc "type `%s' not found in file `%s'@."
                            id f
                with
                    Not_found ->
                      typing_error loc "unknown identifier %s in package %s"
			id pi.package_info_name
              end
          | TypeName ci ->
              begin
                try
                  let fi = lookup_field ci id in
                  if fi.java_field_info_is_static then
                    TermName {
                      java_term_loc = loc;
                      java_term_type = fi.java_field_info_type ;
                      java_term_node = JTstatic_field_access(ci,fi)
                    }
                  else
                    typing_error loc
                      "field %s is not static" id

                with Not_found ->
                  (* TODO: look for a method of that name ? *)
                  (* TODO: look for a member type of that name *)
                  typing_error loc
                    "no such field in %a" print_type_name ci
              end
          | TermName t ->
              type_term_field_access t loc id
          | LogicTypeName _i ->
              typing_error loc "logic type unexpected"

and type_term_field_access t loc id =
  match t.java_term_type with
    | JTYclass(_,c) ->
        begin
          try
            let fi = lookup_class_field c id in
            TermName {
              java_term_loc = loc;
              java_term_type = fi.java_field_info_type ;
              java_term_node = JTfield_access(t,fi)
            }
          with Not_found ->
            typing_error loc
              "no such field in class %s" c.class_info_name
        end
    | JTYinterface _ii ->
        assert false (* TODO *)
    | JTYarray _ ->
        if id="length" then
          TermName {
            java_term_loc = loc;
            java_term_type = integer_type;
            java_term_node = JTarray_length(t)
          }
        else
          typing_error loc
            "no such field in array type"
    | JTYnull | JTYbase _ | JTYlogic _ ->
        class_or_interface_expected t.java_term_loc
          t.java_term_type

and type_expr_field_access e loc id =
  match e.java_expr_type with
    | JTYclass(_,c) ->
        begin
          try
            let fi = lookup_class_field c id in
            {
              java_expr_loc = loc;
              java_expr_type = fi.java_field_info_type ;
              java_expr_node = JEfield_access(e,fi)
            }
          with Not_found ->
            typing_error loc
              "no such field in class %s" c.class_info_name
        end
    | JTYinterface _ii ->
        assert false (* TODO *)
    | JTYarray _ ->
        if id="length" then
          {
            java_expr_loc = loc;
            java_expr_type = int_type;
            java_expr_node = JEarray_length(e)
          }
        else
          typing_error loc
            "no such field in array type"
    | JTYnull | JTYbase _ | JTYlogic _ ->
        class_or_interface_expected e.java_expr_loc
          e.java_expr_type

and type_type package_env type_env non_null ty =
  match ty with
    | Base_type t -> JTYbase t
    | Type_name qid ->
        begin
          match classify_name package_env type_env None [] qid with
            | TypeName ti ->
                begin
                  match ti with
                    | TypeClass ci -> JTYclass (non_null, ci)
                    | TypeInterface ii -> JTYinterface(ii)
                end
            | LogicTypeName i -> JTYlogic i
            | _ -> assert false (* TODO *)
        end
    | Array_type_expr t ->
        let ty = type_type package_env type_env non_null t in
        JTYarray (non_null, ty)

and get_field_prototypes package_env type_env ci acc d =
  match d with
    | JPFvariable vd ->
        (*
          vd.variable_modifiers : modifiers ;
          vd.variable_type : type_expr ;
          vd.variable_decls : variable_declarator list }
        *)
        let is_non_null = List.mem Non_null vd.variable_modifiers in
        let is_nullable = List.mem Nullable vd.variable_modifiers in
        let non_null =
          if !Java_options.nonnull_sem = NonNullNone then is_non_null else
            not is_nullable
        in
        let ty = type_type package_env type_env non_null vd.variable_type in
        let is_static = List.mem Static vd.variable_modifiers in
        let is_final = List.mem Final vd.variable_modifiers in
        let is_ghost = List.mem Ghost vd.variable_modifiers in
        let is_model = List.mem Model vd.variable_modifiers in
        List.fold_left
          (fun acc vd ->
             let ty', (loc, id) = var_type_and_id non_null ty vd.variable_id in
               if is_non_null && !Java_options.nonnull_sem <> NonNullNone then
                 typing_error loc
                   "'non_null' modifier is not allowed in 'non_null by default' mode";
               if is_nullable && !Java_options.nonnull_sem = NonNullNone then
                 typing_error loc
                   "'nullable' modifier is only allowed in 'non_null by default' mode";
             let fi = new_field ~is_static ~is_final ~is_nullable
               ~is_model ~is_ghost ci ty' id in
             Hashtbl.add field_prototypes_table fi.java_field_info_tag
               vd.variable_initializer;
             fi::acc
          ) acc vd.variable_decls
    | _ -> acc

and type_param package_env type_env p =
  let nullable = ref false in
  let rec get_type p =
    match p with
      | Simple_parameter (mo, ty, (loc, id)) ->
          (match mo with
             | None ->
                 nullable :=
                   !Java_options.nonnull_sem <> NonNullAll &&
                     !Java_options.nonnull_sem <> NonNullAllLocal;
             | Some Non_null ->
                 nullable := false;
                 if !Java_options.nonnull_sem = NonNullAll ||
                   !Java_options.nonnull_sem = NonNullAllLocal then
                     typing_error loc
                       "'non_null' modifier is not allowed in 'non_null by default' mode";
             | Some Nullable ->
                 nullable := true;
                 if !Java_options.nonnull_sem <> NonNullAll &&
                   !Java_options.nonnull_sem <> NonNullAllLocal then
                     typing_error loc
                       "'nullable' modifier is only allowed in 'non_null by default' mode";
             | _ -> assert false);
          let non_null = not !nullable in
            (non_null, type_type package_env type_env non_null ty, loc, id)
      | Array_parameter x ->
          let (non_null, t, loc, i) = get_type x in
            non_null, JTYarray (non_null, t), loc, i
  in
  let (_, t,loc,i) = get_type p in (new_var loc t i, !nullable)

and method_header package_env type_env modifiers retty mdecl =
  match mdecl with
    | Simple_method_declarator (id, l) ->
        let is_nullable = List.mem Nullable modifiers in
        let non_null =
          (!Java_options.nonnull_sem = NonNullAll ||
              !Java_options.nonnull_sem = NonNullAllLocal) &&
            not is_nullable
        in
          non_null, id, (Option_misc.map (type_type package_env type_env non_null) retty),
        List.map (type_param package_env type_env) l
    | Array_method_declarator d ->
        let non_null, id, t, l =
          method_header package_env type_env modifiers retty d
        in
          match t with
            | Some t -> non_null, id, Some (JTYarray (non_null, t)),l
            | None -> typing_error (fst id) "invalid type void array"

and get_constructor_prototype
    package_env type_env current_type req decreases behs head eci body =
  match current_type with
    | TypeInterface _ -> assert false
    | TypeClass cur ->
        let loc, _id = head.constr_name in
        let params =
          List.map (type_param package_env type_env)
            head.constr_parameters
        in
        let ci = new_constructor_info cur loc params in
          Hashtbl.add constructors_env ci.constr_info_tag
            (ci,req,decreases,behs,eci,body);
          ci

and get_method_prototypes package_env type_env current_type (mis,cis) env l =
  match l with
    | [] -> (mis,cis)
    | JPFmethod(head,body) :: rem ->
        let non_null, (loc,id), ret_ty, params =
          method_header package_env type_env
            head.method_modifiers head.method_return_type head.method_declarator
        in
        let is_static = List.mem Static head.method_modifiers in
        let result_is_nullable = not non_null in
        let mi = new_method_info
          ~is_static ~result_is_nullable loc id current_type ret_ty params
        in
        Hashtbl.add methods_env mi.method_info_tag (mi,None,None,[],body);
        get_method_prototypes package_env type_env
          current_type (mi::mis,cis) env rem
    | JPFmethod_spec(req,decreases,behs) :: JPFmethod(head,body) :: rem ->
        let non_null, (loc,id), ret_ty, params =
          method_header package_env type_env
            head.method_modifiers head.method_return_type head.method_declarator
        in
        let is_static = List.mem Static head.method_modifiers in
        let result_is_nullable = not non_null in
        let mi = new_method_info
          ~is_static ~result_is_nullable loc id current_type ret_ty params
        in
        Hashtbl.add methods_env mi.method_info_tag
          (mi,req,decreases,behs,body);
        get_method_prototypes package_env type_env
          current_type (mi::mis,cis) env rem
    | JPFconstructor(head,eci,body) :: rem ->
        let ci =
          get_constructor_prototype package_env type_env current_type
            None None [] head eci body
        in
        get_method_prototypes package_env type_env
          current_type (mis,ci::cis) env rem
    | JPFmethod_spec(req,decreases,behs) :: JPFconstructor(head,eci,body) :: rem ->
        let ci =
          get_constructor_prototype package_env type_env current_type
            req decreases behs head eci body
        in
        get_method_prototypes package_env type_env
          current_type (mis,ci::cis) env rem
    | JPFmethod_spec _ :: _ ->
        typing_error Loc.dummy_position "out of place method specification"
    | JPFinvariant (_id, _e) :: rem ->
        get_method_prototypes package_env type_env
          current_type (mis, cis) env rem
    | JPFstatic_invariant (_id, _e) :: rem ->
        get_method_prototypes package_env type_env
          current_type (mis, cis) env rem
    | JPFannot _ :: _ -> assert false (* not possible after 2nd parsing *)
    | JPFstatic_initializer _ ::rem ->
        (* TODO ? *)
        get_method_prototypes package_env type_env
          current_type (mis,cis) env rem
    | JPFvariable _ :: rem ->
        get_method_prototypes package_env type_env
          current_type (mis,cis) env rem
    | JPFclass _ :: rem -> (* TODO *)
        get_method_prototypes package_env type_env
          current_type (mis,cis) env rem
    | JPFinterface _ :: rem -> (* TODO *)
        get_method_prototypes package_env type_env
          current_type (mis,cis) env rem

and get_class_prototypes package_env type_env ci d =
  (* extends *)
  ci.class_info_extends <-
    Option_misc.map
    (fun id ->
       match classify_name package_env type_env None [] id with
         | TypeName (TypeClass super) ->
             check_if_class_complete super;
             Java_options.lprintf "Class %s extends class %s@."
               ci.class_info_name
               super.class_info_name;
             if super.class_info_is_exception then
               begin
                 Java_options.lprintf "Class %s is an exception class@."
                   ci.class_info_name;
                 ci.class_info_is_exception <- true
               end;
             super
         | _ ->
             typing_error (fst (List.hd id)) "class type expected")
    d.class_extends;
  (* implements *)
  ci.class_info_implements <-
    List.map
    (fun id ->
       match classify_name package_env type_env None [] id with
         | TypeName (TypeInterface super) ->
             check_if_interface_complete super;
             super
         | _ ->
             typing_error (fst (List.hd id)) "interface type expected")
    d.class_implements;
  (* fields *)
  let fields = List.fold_left
    (get_field_prototypes package_env type_env (TypeClass ci)) [] d.class_fields in
    ci.class_info_fields <- List.rev fields;
    let methods, constructors =
      get_method_prototypes package_env type_env (TypeClass ci) ([],[]) [] d.class_fields
    in
    let constructors =
      (* if no constructor explicitly declared,
         then there is always an implicit default constructor *)
      if constructors <> [] then constructors else
        let default_constructor = new_constructor_info ci Loc.dummy_position [] in
          Hashtbl.add constructors_env default_constructor.constr_info_tag
            (default_constructor, None, None, [], Invoke_none, []);
        [default_constructor]
    in
      ci.class_info_methods <- methods;
      ci.class_info_constructors <- constructors;
      (* invariants *)
      let this_type = JTYclass (true, ci) (* i.e. [this] is always non-null *) in
      let vi = new_var Loc.dummy_position this_type "this" in
      let invs, static_invs =
        List.fold_left
          (fun (acc1, acc2) d ->
             match d with
               | JPFinvariant (id, e) -> (id, e) :: acc1, acc2
               | JPFstatic_invariant (id, e) -> acc1, (snd id, e) :: acc2
               | _ -> acc1, acc2) ([], []) d.class_fields
      in
        Hashtbl.add invariants_env
          ci.class_info_tag (TypeClass ci, ["this", vi], vi, invs);
        Hashtbl.add static_invariants_env
          ci.class_info_tag (TypeClass ci, static_invs)

and get_interface_field_prototypes package_env type_env ii acc d =
  match d with
    | JPFvariable vd ->
        let is_model = List.mem Model vd.variable_modifiers in
        let ty = type_type package_env type_env true vd.variable_type in
          List.fold_left
            (fun acc vd ->
               let ty',(_loc,id) = var_type_and_id false ty vd.variable_id in
               (* Note: no need to check if it is static and final, because
                  it is implicitly the case (JLS,9.3, p 203) *)
               let fi =
                 if is_model then
                   new_field ~is_static:false ~is_final:false ~is_nullable:true
                     ~is_model:true ~is_ghost:false
                     (TypeInterface ii) ty' id
                 else
                   new_field ~is_static:true ~is_final:true ~is_nullable:true
                     ~is_model:false ~is_ghost:false
                     (TypeInterface ii) ty' id
               in
                 Hashtbl.add field_prototypes_table fi.java_field_info_tag
                   vd.variable_initializer;
                 fi::acc
            ) acc vd.variable_decls
    | _ -> acc

and get_interface_prototypes package_env type_env ii d =
  (* extends *)
  ii.interface_info_extends <-
    List.map
    (fun id ->
       match classify_name package_env type_env None [] id with
         | TypeName (TypeInterface super) ->
             super
         | _ ->
             typing_error (fst (List.hd id)) "interface type expected")
    d.interface_extends;
  (* fields *)
  let fields =
    List.fold_left (get_interface_field_prototypes package_env type_env ii) []
      d.interface_members
  in
  ii.interface_info_fields <- fields;
  let methods,_constructors =
    get_method_prototypes  package_env type_env (TypeInterface ii) ([],[]) [] d.interface_members
  in
  ii.interface_info_methods <- methods

and check_if_interface_complete ii =
  if ii.interface_info_incomplete then
    begin
      (* get interface decls prototypes *)
      let (p, d) = Hashtbl.find interface_decl_table ii.interface_info_tag in
      let t = Hashtbl.find interface_type_env_table ii.interface_info_tag in
      get_interface_prototypes p t ii d;
      ii.interface_info_incomplete <- false;
    end;

and lookup_implemented_interfaces l id =
  match l with
    | [] -> raise Not_found
    | [ii] -> lookup_interface_field ii id
    | ii::l ->
	try
	  lookup_interface_field ii id
	with Not_found -> lookup_implemented_interfaces l id

and lookup_interface_field ii id =
  check_if_interface_complete ii;
  try
    list_assoc_name (fun fi -> fi.java_field_info_name)
      id ii.interface_info_fields
  with
      Not_found -> lookup_implemented_interfaces ii.interface_info_extends id

and check_if_class_complete ci =
  if ci.class_info_incomplete then
    begin
      (* get class decls prototypes *)
      let (p, d) = Hashtbl.find class_decl_table ci.class_info_tag in
      let t = Hashtbl.find class_type_env_table ci.class_info_tag in
	ci.class_info_incomplete <- false;
	get_class_prototypes p t ci d;
    end;

and lookup_class_field ci id =
  check_if_class_complete ci;
  try
    list_assoc_name (fun fi -> fi.java_field_info_name) id ci.class_info_fields
  with
      Not_found ->
        try
          match ci.class_info_extends with
            | None -> raise Not_found
            | Some ci -> lookup_class_field ci id
        with
            Not_found -> lookup_implemented_interfaces ci.class_info_implements id


and lookup_field ti id =
  match ti with
    | TypeClass ci -> lookup_class_field ci id
    | TypeInterface ii -> lookup_interface_field ii id

let () =
  object_class :=
    catch_typing_errors
      (fun () ->
         match classify_name [] [] None []
           ((Loc.dummy_position,"Object") :: javalang_qid)
         with
           | TypeName (TypeClass ci) -> ci
           | _ -> assert false)
      ()

let string_class =
  if !Java_options.javacard then dummy_class else
    catch_typing_errors
      (fun () ->
         match classify_name [] [] None []
           ((Loc.dummy_position,"String") :: javalang_qid)
         with
           | TypeName (TypeClass ci) -> ci
           | _ -> assert false)
      ()

let string_type ~valid = JTYclass(valid,string_class)

type typing_env =
    {
      package_env : Java_env.package_info list;
      type_env : (string * Java_env.java_type_info) list;
      current_type : Java_env.java_type_info option;
      behavior_names : (string * identifier) list;
      label_env : (string * logic_label) list;
      current_label : logic_label option;
      env : (string * Java_env.java_var_info) list;
    }

let find_label env (loc,id) =
  try List.assoc id env.label_env
  with Not_found -> typing_error loc "unknown label %s" id


let label_assoc loc id env fun_labels effective_labels =
  match fun_labels, effective_labels with
    | [lf], [] ->
	begin
	  match env.current_label with
	    | None ->
		typing_error loc
		  "%s expect a label but there is no current label" id
	    | Some l -> [lf,l]
	end
    | _ ->
	try
	  List.map2
	    (fun l1 lab -> let l2 = find_label env lab in (l1,l2))
	    fun_labels effective_labels
	with Invalid_argument _ ->
	  typing_error loc
	    "wrong number of labels for %s" id

(* JLS 5.1.4: Widening Reference Conversion *)
let rec is_widening_reference_convertible tfrom tto =
  match tfrom,tto with
    | JTYclass(_,c1), JTYclass(_,c2) -> is_subclass c1 c2
    | JTYbase Tstring, JTYclass(_,c) -> is_subclass string_class c
    | JTYclass(_,c), JTYinterface i -> implements c i
    | JTYbase Tstring, JTYinterface i -> implements string_class i
    | JTYnull, (JTYclass _ | JTYinterface _ | JTYarray _ ) -> true
    | JTYinterface i1, JTYinterface i2 -> is_subinterface i1 i2
    | JTYinterface _ , JTYclass(_,c) when c == !object_class -> true
    | JTYarray _ , JTYclass(_,c) when  c== !object_class -> true
(* TODO
    | JTYarray _ , JTYinterface i when i==cloneable_interface -> true
    | JTYarray _ , JTYinterface i when i==serializable_interface -> true
*)
    | JTYarray (_, t1), JTYarray (_, t2) ->
        is_widening_reference_convertible t1 t2
    | _ -> false

and is_logic_call_convertible tfrom tto =
  is_identity_convertible tfrom tto ||
  match tfrom,tto with
    | JTYbase t1, JTYbase t2 -> is_logic_widening_primitive_convertible t1 t2
    | JTYlogic s1, JTYlogic s2 -> s1==s2
    | _ -> is_widening_reference_convertible tfrom tto

and term env e =
  let termt = term env in
  let loc = e.java_pexpr_loc in
  let ty, tt =
    match e.java_pexpr_node with
      | JPElit l ->
          let ty,l =
            match l with
              | Integer _s -> integer_type,l
              | Char _s -> assert false (* TODO *)
              | String _s -> logic_string_type,l
              | Bool _b -> boolean_type,l
              | Float(_s,suf) ->
		  begin
		    match suf with
		      | `Real -> real_type,l
		      | `Single -> float_type,l
		      | `Double -> double_type,l
		  end
              | Null -> null_type,l
          in
          ty,(JTlit l)
      | JPEname n ->
          begin
            match classify_name env.package_env env.type_env env.current_type env.env n with
              | TermName t ->
                  t.java_term_type, t.java_term_node
              | TypeName _ ->
                  typing_error loc
                    "term expected, got a class or interface"
              | PackageName _ ->
                  typing_error loc
                    "term expected, got a package name"
              | LogicTypeName _ ->
                  typing_error loc
                    "term expected, got a logic type"
          end

      | JPEresult ->
          begin
            try
              let vi = List.assoc "\\result" env.env in
              vi.java_var_info_type,JTvar vi
            with Not_found ->
              typing_error loc "\\result undefined in this context"
          end
      | JPEthis ->
          let vi = get_this loc env.env in
          vi.java_var_info_type, JTvar vi
      | JPEbin (e1, op, e2) ->
          let te1 = termt e1 and te2 = termt e2 in
          make_logic_bin_op loc op
            te1.java_term_type te1 te2.java_term_type te2
      | JPEquantifier _ ->
          typing_error loc
            "quantified formulas not allowed in term position"
      | JPEold e1 ->
	  let l = find_label env (loc,"Old") in
          let te1 = term { env  with current_label = Some l} e1 in
          te1.java_term_type,JTat(te1,l)
      | JPEat(e1,lab) ->
	  let l = find_label env lab in
          let te1 = term { env  with current_label = Some l} e1 in
          te1.java_term_type,JTat(te1,l)
      | JPEinstanceof (_, _)-> assert false (* TODO *)
      | JPEcast (t, e1)->
          let te1 = termt e1 in
          let ty = type_type env.package_env env.type_env false t in
          (* TODO: check if cast allowed *)
          ty,JTcast(ty,te1)
      | JPEarray_access (e1, e2)->
          let te1 = termt e1 and te2 = termt e2 in
          begin
            match te1.java_term_type with
              | JTYarray (_, t) ->
                  begin
                    try
                      match
                        logic_unary_numeric_promotion te2.java_term_type
                      with
                        | Tinteger -> t, JTarray_access(te1,te2)
                        | _ -> raise Not_found
                    with Not_found ->
                      integer_expected e2.java_pexpr_loc te2.java_term_type
                  end
              | _ ->
                  array_expected e1.java_pexpr_loc te1.java_term_type
          end
      | JPEarray_range (e1, e2, e3)->
          let te1 = termt e1 in
          begin
            match te1.java_term_type with
              | JTYarray (_, t) ->
                  let te2 = Option_misc.map (index env) e2 in
                  let te3 = Option_misc.map (index env) e3 in
                  t, JTarray_range(te1,te2,te3)
              | _ ->
                  array_expected e1.java_pexpr_loc te1.java_term_type
          end
      | JPEnew_array _-> assert false (* TODO *)
      | JPEnew (_, _)-> assert false (* TODO *)
      | JPEsuper_call (_, _)-> assert false (* TODO *)
      | JPEcall_name (qid, labels, args)->
          begin
            match qid with
              | [(loc,id)] ->
                  begin
                    try
                      let fi = Hashtbl.find logics_env id in
		      let lab_assoc =
			label_assoc loc id env fi.java_logic_info_labels labels
		      in
                      let args =
			try
			  List.map2
			    (fun vi e ->
			       let ty = vi.java_var_info_type in
			       let te = termt e in
			       if is_logic_call_convertible te.java_term_type ty
			       then te
			       else
				 typing_error e.java_pexpr_loc
				   "type %a expected instead of %a"
				   print_type ty print_type te.java_term_type)
			    fi.java_logic_info_parameters args
			with  Invalid_argument _ ->
			  typing_error e.java_pexpr_loc
			    "wrong number of arguments for %s" id
		      in
                      match fi.java_logic_info_result_type with
                        | None ->
                            typing_error loc
                              "logic symbol `%s' is a predicate" id
                        | Some t -> t,JTapp(fi,lab_assoc,args)
                    with Not_found ->
                      typing_error loc "logic function `%s' not found" id
                  end
              | _ ->
                  typing_error loc "method calls not allowed in annotations"
          end
      | JPEcall_expr _ ->
          typing_error loc
            "method calls not allowed in annotations"
      | JPEfield_access fa ->
          begin
            match fa with
              | Primary_access (e1, f) ->
                  let te1 = termt e1 in
                    begin
                      match te1.java_term_type with
                        | JTYclass (_, ci) ->
                            begin
                              try
                                let fi = lookup_field (TypeClass ci) (snd f) in
                                  fi.java_field_info_type,JTfield_access(te1,fi)
                              with
                                  Not_found ->
                                    typing_error e1.java_pexpr_loc
                                      "not such field"
                            end
                        | JTYinterface ii ->
                            begin
                              try
                                let fi = lookup_field (TypeInterface ii) (snd f) in
                                  fi.java_field_info_type,JTfield_access(te1,fi)
                              with
                                  Not_found ->
                                    typing_error e1.java_pexpr_loc
                                      "not such field"
                            end
                        | JTYarray _ ->
                            if (snd f) = "length" then
                              integer_type, JTarray_length te1
                            else
                              typing_error e1.java_pexpr_loc
                                "not such field"
                        | _ ->
                            typing_error e1.java_pexpr_loc
                              "not a class"
                    end

              | Super_access _ -> assert false (* TODO *)
          end
      | JPEif (e1, e2, e3)->
          let te1 = termt e1 in
          if is_boolean te1.java_term_type then
            let te2 = termt e2 in
            let te3 = termt e3 in
            (* TODO: check if compatible types *)
            te1.java_term_type,JTif(te1,te2,te3)
          else
            typing_error e1.java_pexpr_loc "boolean expected"
      | JPEassign_array _
      | JPEassign_field _
      | JPEassign_name _ ->
          typing_error loc
            "assignment not allowed in annotations"
      | JPEfresh _ ->
          typing_error loc
            "fresh is a predicate not a term"
      | JPEincr (_, _) -> assert false (* TODO *)
      | JPEun (op, e) ->
          let te = termt e in
            make_logic_un_op loc op te
  in { java_term_node = tt;
       java_term_type = ty;
       java_term_loc = e.java_pexpr_loc }

and index env e =
  let te = term env e in
  match
    logic_unary_numeric_promotion te.java_term_type
  with
    | Tinteger -> te
    | _ ->
        integer_expected e.java_pexpr_loc te.java_term_type

and assertion env e =
  let termt = term env in
  let assertiont = assertion env in
  let ta =
  match e.java_pexpr_node with
    | JPElit (Bool true) -> JAtrue
    | JPElit (Bool false) -> JAfalse
    | JPElit _ ->
        typing_error e.java_pexpr_loc
          "this literal is not a boolean expression"
    | JPEun(Unot, e2) ->
        let te2 = assertiont e2 in JAnot(te2)
    | JPEun (_, _)-> assert false (* TODO *)
    | JPEbin(e1, ((Band | Bor | Bimpl | Biff) as op) , e2) ->
        let te1 = assertiont e1
        and te2 = assertiont e2
        in connective te1 op te2
    | JPEbin
        ({ java_pexpr_node =
             JPEbin (_, (Beq | Bne | Bgt | Blt | Ble | Bge), a) } as p,
         (Beq | Bne | Bgt | Blt | Ble | Bge as op), b) ->
        let q = { java_pexpr_loc = fst a.java_pexpr_loc, snd b.java_pexpr_loc ;
                  java_pexpr_node = JPEbin (a, op, b) } in
          JAand (assertiont p, assertiont q)
    | JPEbin
        (a, (Beq | Bne | Bgt | Blt | Ble | Bge as op),
        ({ java_pexpr_node =
            JPEbin (b, (Beq | Bne | Bgt | Blt | Ble | Bge), _) } as p)) ->
        let q = { java_pexpr_loc = fst a.java_pexpr_loc, snd b.java_pexpr_loc ;
                  java_pexpr_node = JPEbin (a, op, b) } in
          JAand (assertiont q, assertiont p)
    | JPEbin(e1, op, e2) ->
        let te1 = termt e1 and te2 = termt e2 in
          make_predicate_bin_op e.java_pexpr_loc op
            te1.java_term_type te1 te2.java_term_type te2
    | JPEquantifier (q, idl, e)->
      let a = make_quantified_formula
        e.java_pexpr_loc q idl env e
      in
      a.java_assertion_node
    | JPEfresh e ->
      let t = termt e in
      begin
        match t.java_term_type with
          | JTYlogic _ | JTYbase _ ->
            typing_error e.java_pexpr_loc "reference type expected for \\fresh"
          | JTYarray (_, _)
          | JTYinterface _
          | JTYnull
          | JTYclass _ -> JAfresh(t)
      end
    | JPEold a ->
        let l = find_label env (e.java_pexpr_loc,"Old") in
        let ta = assertion { env  with current_label = Some l} a in
        JAat(ta,l)
    | JPEat(a,lab) ->
        let l = find_label env lab in
        let ta = assertion { env  with current_label = Some l} a in
        JAat(ta,l)
    | JPEinstanceof (e, ty) ->
        begin
          match env.current_label with
            | None ->
                typing_error e.java_pexpr_loc "No memory state for this instanceof (\\at missing ?)"
            | Some l ->
                let te = termt e and tty = type_type env.package_env env.type_env false ty in
                if is_reference_type tty then JAinstanceof (te, l, tty) else
                  typing_error e.java_pexpr_loc "unexpected type"
        end
    | JPEcast (_, _)-> assert false (* TODO *)
    | JPEarray_access (_, _)-> assert false (* TODO *)
    | JPEarray_range (_, _,_)-> assert false (* TODO *)
    | JPEnew_array _-> assert false (* TODO *)
    | JPEnew (_, _)-> assert false (* TODO *)
    | JPEsuper_call (_, _)-> assert false (* TODO *)
    | JPEcall_name([(loc,id)], labels, args)->
        begin
          try
            let fi = Hashtbl.find logics_env id in
	    let lab_assoc =
	      label_assoc loc id env fi.java_logic_info_labels labels
	    in
            let tl =
              try
                List.map2
                  (fun vi e ->
                     let ty = vi.java_var_info_type in
                     let te = termt e in
                     if is_logic_call_convertible te.java_term_type ty then te
                     else
                       typing_error e.java_pexpr_loc
                         "type %a expected, got %a"
                         print_type ty print_type te.java_term_type)
                  fi.java_logic_info_parameters args
              with  Invalid_argument _ ->
                typing_error e.java_pexpr_loc
                  "wrong number of arguments for %s" id
            in
            match fi.java_logic_info_result_type with
              | None -> JAapp(fi, lab_assoc, tl)
              | Some _t ->
                  typing_error loc
                    "logic symbol `%s' is not a predicate" id
          with
              Not_found ->
                typing_error e.java_pexpr_loc
                  "unknown predicate `%s'" id
        end
    | JPEcall_name _ | JPEcall_expr _ ->
        typing_error e.java_pexpr_loc
          "method call not allowed in assertion"
    | JPEfield_access _->
        typing_error e.java_pexpr_loc
          "field access not allowed in assertion"
	  (* TODO: boolean fields can be seen as predicates *)
    | JPEif (e1, e2, e3)->
        let te1 = termt e1 in
        if is_boolean te1.java_term_type then
          let te2 = assertiont e2 in
          let te3 = assertiont e3 in
            (* TODO: check if compatible types *)
            JAif(te1,te2,te3)
          else
            typing_error e1.java_pexpr_loc "boolean expected"
    | JPEassign_array (_, _, _, _)
    | JPEassign_field (_, _, _)
    | JPEassign_name (_, _, _) ->
        typing_error e.java_pexpr_loc
          "assignment not allowed in annotations"
    | JPEname _-> assert false (* TODO *)
    | JPEincr (_, _)-> assert false (* TODO *)
    | JPEresult ->
        begin
          try
            let vi = List.assoc "\\result" env.env in
            match vi.java_var_info_type with
              | JTYbase Tboolean ->
                  JAbool_expr {
                    java_term_node = JTvar vi;
                    java_term_type = vi.java_var_info_type;
                    java_term_loc = e.java_pexpr_loc
                  }
              | _ ->
                  typing_error e.java_pexpr_loc "\\result is not boolean"

          with Not_found ->
            typing_error e.java_pexpr_loc "\\result undefined in this context"
        end

    | JPEthis ->
        typing_error e.java_pexpr_loc
          "'this' is not a boolean expression"

  in { java_assertion_node = ta;
       java_assertion_loc = e.java_pexpr_loc }

and make_quantified_formula loc q idl env e : assertion =
  match idl with
    | [] -> assertion env e
    | (ty,idl)::r ->
        let tty = type_type env.package_env env.type_env true ty in
        let env_local =
          List.map
            (fun id ->
               let tyv, (loc,n) = var_type_and_id false tty id in
               let vi = new_var loc tyv n in
               (n,vi))
            idl
        in
        let f =
          make_quantified_formula loc q r
	    { env with env = env_local@env.env }
            e
        in
        List.fold_right
          (fun (_,vi) acc ->
             { java_assertion_loc = loc ;
               java_assertion_node = JAquantifier(q,vi,acc) })
          env_local f



(*

  read the 'Throwable' class to initiate fields
  class_info_is_exception

*)

let () =
  match classify_name [] [] None []
    ((Loc.dummy_position,"Throwable") :: javalang_qid)
  with
    | TypeName (TypeClass ci) -> ci.class_info_is_exception <- true
    | _ -> assert false

let () =
  catch_typing_errors
    (fun () ->
       match classify_name [] [] None []
         ((Loc.dummy_position,"Exception") :: javalang_qid)
       with
         | TypeName (TypeClass ci) -> ci.class_info_is_exception <- true
         | _ -> assert false)
    ()




(*******************************

Typing level 2: extract bodies
  (logic functions definitions, axioms,
   field initializers, method and constructors bodies)

**********************************)



let field_initializer_table = Hashtbl.create 17

let lemmas_table = Hashtbl.create 17


(* JLS 5.6.1: Unary Numeric Promotion *)
let unary_numeric_promotion t =
  match t with
    | JTYbase t ->
        begin
          match t with
            | Treal | Tinteger -> assert false
            | Tchar | Tbyte | Tshort -> Tint
            | _ -> t
        end
    | _ -> assert false

(* JLS 5.6.2: Binary Numeric Promotion *)
let binary_numeric_promotion ~ghost t1 t2 =
  match t1,t2 with
    | JTYbase t1,JTYbase t2 ->
        begin
          if ghost then
            match t1,t2 with
              | (Tboolean | Tunit| Tstring),_
              | _, (Tboolean | Tunit| Tstring) -> raise Not_found
              | (Treal | Tdouble | Tfloat), _
              | _, (Treal | Tdouble | Tfloat) -> Treal
              | _ -> Tinteger
          else
            match t1,t2 with
              | (Tboolean | Tunit | Tstring),_
              | _, (Tboolean | Tunit | Tstring) -> raise Not_found
              | (Treal | Tinteger), _
              | _, (Treal | Tinteger) -> assert false
              | Tdouble,_ | _, Tdouble -> Tdouble
              | Tfloat,_ | _, Tfloat -> Tfloat
              | Tlong,_ | _, Tlong -> Tlong
            | (Tshort | Tbyte | Tint | Tchar),
                  (Tshort | Tbyte | Tint | Tchar) -> Tint
          end
    | _ -> raise Not_found

let lub_object_types _t1 _t2 = JTYnull


(* JLS 5.1.3: Narrowing Primitive Conversion *)
let is_narrowing_primitive_convertible tfrom tto =
  match tfrom, tto with
    | Tshort, (Tbyte | Tchar) -> true
    | Tchar, (Tbyte | Tshort) -> true
    | Tint, (Tbyte | Tshort | Tchar) -> true
    | Tlong, (Tbyte | Tshort | Tchar | Tint) -> true
    | Tfloat, (Tbyte | Tshort | Tchar | Tint | Tlong)  -> true
    | Tdouble, (Tbyte | Tshort | Tchar | Tint | Tlong | Tfloat)  -> true
    | _ -> false

let narrowing_primitive_conversion n tfrom tto =
  match tfrom, tto with
    | Tshort, (Tbyte | Tchar) -> assert false (* TODO *)
    | Tchar, (Tbyte | Tshort) -> assert false (* TODO *)
    | Tint, Tbyte ->
        let i = Num.int_of_num n in
        let i = i land 0xFF in (* discard all but 8 lower order bits *)
          (* if i is a byte then i else take the 2 complement of i *)
        let i = if in_byte_range (Num.num_of_int i) then i else
          let i = (lnot i) land 0xFF in
          let i = (i + 1) land 0xFF in -i
        in Num.num_of_int i
    | Tint, Tshort ->
        let i = Num.int_of_num n in
        let i = i land 0xFFFF in (* discard all but 16 lower order bits *)
          (* if i is a short then i else take the 2 complement of i *)
        let i = if in_short_range (Num.num_of_int i) then i else
          let i = (lnot i) land 0xFFFF in
          let i = (i + 1) land 0xFFFF in -i
        in Num.num_of_int i
    | Tint, Tchar -> assert false (* TODO *)
    | Tlong, (Tbyte | Tshort | Tchar | Tint) -> assert false (* TODO *)
    | Tfloat, (Tbyte | Tshort | Tchar | Tint | Tlong) -> assert false (* TODO *)
    | Tdouble, (Tbyte | Tshort | Tchar | Tint | Tlong | Tfloat) -> assert false (* TODO *)
    | _ -> assert false (* should never happen *)


(* JLS 5.2: Assignment conversion  *)

let final_field_values_table : (int, Num.num list) Hashtbl.t
    = Hashtbl.create 97

let bwor_num n1 n2 =
  try
    let n1 = Num.int_of_num n1 in
    let n2 = Num.int_of_num n2 in
    Num.num_of_int (n1 lor n2)
  with
      _ -> assert false


let rec lsl_num n1 n2 =
  if n2 = 0 then n1 else lsl_num (Num.add_num n1 n1) (n2-1)

let lsr_num _n1 _n2 = assert false

let asr_num _n1 _n2 = assert false


let rec eval_const_expression env const e =
  match e.java_expr_node with
    | JElit c ->
        begin
          match c with
            | Integer s -> Numconst.integer s
            | Float _ -> raise Not_found (* TODO *)
            | Bool false -> Num.Int 0
            | Bool true -> Num.Int 1
            | String _ -> raise Not_found (* TODO *)
            | Char s ->  Numconst.integer s
            | Null -> raise Not_found (* TODO *)
        end
    | JEcast (ty, e) ->
        let n = eval_const_expression env const e in
          begin
            match ty with
              | JTYbase t ->
                  let te = match e.java_expr_type with
                    | JTYbase t -> t | _ -> assert false
                  in
                    begin
                      match t with
                        | Tbyte -> if in_byte_range n then n else
                            if is_narrowing_primitive_convertible te t then
                              narrowing_primitive_conversion n te t
                            else
                              typing_error e.java_expr_loc
                                "outside the byte range: %s" (Num.string_of_num n)
                        | Tshort -> if in_short_range n then n else
                            if is_narrowing_primitive_convertible te t then
                              narrowing_primitive_conversion n te t
                            else
                              typing_error e.java_expr_loc
                                "outside the short range: %s" (Num.string_of_num n)
                        | Tunit | Treal | Tinteger | Tdouble | Tlong
                        | Tfloat | Tint | Tchar | Tboolean | Tstring -> assert false (* TODO *)
                    end
              | JTYarray _ | JTYinterface _ | JTYclass (_, _)
              | JTYnull | JTYlogic _
                  -> raise Not_found
          end
    | JEbin(e1,op,e2) ->
        let n1 = eval_const_expression env const e1 in
        let n2 = eval_const_expression env const e2 in
        begin
          match op with
            | Bconcat -> assert false
            | Badd -> Num.add_num n1 n2
            | Bbwxor -> assert false (* TODO *)
            | Bbwor -> bwor_num n1 n2
            | Bbwand -> assert false (* TODO *)
            | Blsl|Basr|Blsr ->
                let max =
                  match e1.java_expr_type with
                    | JTYbase Tint -> 31
                    | JTYbase Tlong -> 63
                    | _ -> assert false
                in
                if Num.le_num Numconst.zero n1 && Num.le_num n1 (Num.num_of_int max) then
                  match op with
                    | Blsl -> lsl_num n1 (Num.int_of_num n2)
                    | Basr -> asr_num n1 (Num.int_of_num n2)
                    | Blsr -> lsr_num n1 (Num.int_of_num n2)
                    | _ -> assert false
                else
                  typing_error e2.java_expr_loc "this expression is not in the rang 0-%d" max
            | Bge|Ble|Blt|Bgt|Bne|Beq
            |Biff|Bimpl|Bor|Band|Bmod|Bdiv|Bmul|Bsub ->
               raise Not_found (* TODO *)

        end
    | JEstatic_field_access (_ty, fi) ->
        begin
          try
            match fi.java_field_info_type with
              | JTYarray _ -> raise Not_found
              | _ ->
                  List.hd (Hashtbl.find final_field_values_table fi.java_field_info_tag)
          with Not_found ->
	    let ci = match env.current_type with
	      | None -> assert false (* should never happen *)
	      | Some ci -> ci
	    in
	    type_field_initializer env.package_env env.type_env ci fi;
            try
	      List.hd (Hashtbl.find final_field_values_table fi.java_field_info_tag)
	    with Not_found ->
	      raise Not_found
	      (* was assert false (* should never happen *)*)
        end
    | JEif (_, _, _)-> raise Not_found  (* TODO *)
    | JEun (op, e) ->
        let _n = eval_const_expression env const e in
        begin
          match op with
            | Uplus -> raise Not_found (* TODO *)
            | Uminus -> Num.minus_num _n
            | Unot -> raise Not_found (* TODO *)
            | Ucompl -> raise Not_found (* TODO *)
        end
    | JEinstanceof _
    | JEvar _
    | JEnew_object (_, _)
    | JEnew_array (_, _)
    | JEstatic_call (_, _)
    | JEcall (_, _, _)
    | JEconstr_call _
    | JEassign_array (_, _, _)
    | JEassign_array_op (_, _, _, _)
    | JEassign_field_op (_, _, _, _)
    | JEassign_field (_, _, _)
    | JEassign_static_field _
    | JEassign_static_field_op _
    | JEassign_local_var_op (_, _, _)
    | JEassign_local_var (_, _)
    | JEarray_access (_, _)
    | JEarray_length _
    | JEfield_access (_, _)
    | JEincr_field (_, _, _)
    | JEincr_local_var (_, _)
    | JEincr_array _ -> raise Not_found

and is_assignment_convertible ?(const=false) ~ghost env tfrom efrom tto =
  is_identity_convertible tfrom tto ||
  match tfrom,tto with
    | JTYbase t1, JTYbase t2 ->
        if ghost then is_logic_widening_primitive_convertible t1 t2
        else
          is_widening_primitive_convertible t1 t2 ||
            begin
              match t2 with
                | Tbyte | Tshort | Tchar ->
                    begin
                      try
                        let n = eval_const_expression env const efrom in
                        match t2 with
                          | Tbyte -> in_byte_range n
                          | Tshort -> in_short_range n
                          | Tchar -> in_char_range n
                          | _ -> assert false
                      with Not_found ->
                        if const then raise Not_found else false
                    end
                | _ -> false
            end
    | _ -> is_widening_reference_convertible tfrom tto

(* JLS 5.3: Method invocation conversion  *)
and is_method_invocation_convertible tfrom tto =
  is_identity_convertible tfrom tto ||
  match tfrom,tto with
    | JTYbase t1, JTYbase t2 -> is_widening_primitive_convertible t1 t2
    | _ -> is_widening_reference_convertible tfrom tto

(* JLS 5.5: Cast conversion *)
and cast_convertible tfrom tto =
  is_identity_convertible tfrom tto ||
    match tfrom,tto with
      | JTYbase _t1, JTYbase _t2 -> true (* correct ? TODO *)
      | JTYbase _,_ | _, JTYbase _ -> false
      | JTYlogic _,_ | _,JTYlogic _ -> false
      | JTYclass(_,cfrom), JTYclass(_,cto) ->
          is_subclass cfrom cto || is_subclass cto cfrom
      | JTYclass (_, ci), JTYinterface ii ->
	  if ci.class_info_is_final then implements ci ii else
	    true (* JLS 2.0: OK, JLS 3.0: TO COMPLETE *)
      | JTYclass(_,c), JTYarray _ ->
          c == !object_class
      | JTYinterface _,JTYclass _ -> assert false (* TODO *)
      | JTYinterface ifrom, JTYinterface ito ->
          is_subinterface ifrom ito || is_subinterface ito ifrom
            (* TODO: check this: JLS p73 appears to be incomplete *)
      | JTYinterface _,JTYarray _ -> assert false (* TODO *)
      | JTYarray _,_ -> assert false (* TODO *)
      | JTYnull, JTYclass _ -> true
      | JTYnull,_ -> assert false
      | _,JTYnull -> assert false

(**********************)

(* expressions *)

and string_promotion e =
  match e.java_expr_type with
    | JTYclass(_,c) when c == string_class -> e
    | JTYbase Tstring -> e (* TODO: coercion ? *)
    | JTYbase Tinteger -> e (* TODO: coercion ? *)
    | JTYbase _ -> e  (* TODO: coercion ? *)
    | _ -> assert false

and make_bin_op ~ghost loc op t1 e1 t2 e2 =
  match op with
    | Bconcat -> assert false
    | Bgt | Blt | Bge | Ble ->
        begin
          try
            let _t = binary_numeric_promotion ~ghost t1 t2 in
              boolean_type, JEbin(e1, op, e2)
          with Not_found ->
            typing_error loc "numeric types expected"
        end
    | Beq | Bne ->
        begin
          try
            let _t = binary_numeric_promotion t1 t2 in
              boolean_type, JEbin(e1, op, e2)
          with Not_found ->
            if (is_boolean t1 && is_boolean t2) ||
              (is_reference_type t1 && is_reference_type t2) then
                boolean_type, JEbin (e1, op, e2)
            else
              typing_error loc "numeric or object types expected for == and !="
        end
    | Bsub | Bmul | Bdiv | Bmod ->
        begin
          try
            let t = binary_numeric_promotion ~ghost t1 t2 in
            JTYbase t,JEbin(e1, op, e2)
          with Not_found ->
            typing_error loc "numeric types expected for -, *, / and %%"
        end
    | Badd ->
        begin
          try
            let t = binary_numeric_promotion ~ghost t1 t2 in
            JTYbase t,JEbin(e1, op, e2)
          with Not_found ->
            match t1,t2 with
              | (_,JTYclass(_,c)) | (JTYclass(_,c),_)
                    when c == string_class ->
                  (string_type ~valid:true),
                      JEbin(string_promotion e1,Bconcat,string_promotion e2)
              | (_,JTYbase Tstring) | (JTYbase Tstring,_) ->
                  (string_type ~valid:true),
                  JEbin(string_promotion e1,Bconcat,string_promotion e2)
              | _ ->
                  typing_error loc
                    "numeric types or String expected for +, got %a + %a"
                    print_type t1 print_type t2
        end
    | Band | Bor ->
        if is_boolean t1 && is_boolean t2 then
          boolean_type,JEbin(e1,op,e2)
        else
          typing_error loc "booleans expected"
    | Basr | Blsr | Blsl ->
        (* JLS 15.19: Shift Operators *)
        begin
          try
            match unary_numeric_promotion t1 with
              | (Tint | Tlong) as t1 ->
                  begin
                    try
                      match unary_numeric_promotion t2 with
                        | Tint | Tlong ->
                            JTYbase t1, JEbin(e1, op, e2)
                        | _ -> raise Not_found
                    with Not_found -> int_expected loc t2
                  end
              | _ -> raise Not_found
          with Not_found -> int_expected loc t1
        end
    | Bbwxor|Bbwor|Bbwand ->
        if is_boolean t1 && is_boolean t2 then
          boolean_type,JEbin(e1,op,e2)
        else
          begin
            try
              let t1 = unary_numeric_promotion t1 in
              let _t2 = unary_numeric_promotion t2 in
                JTYbase t1, JEbin(e1, op, e2)
            with Not_found ->
              typing_error loc "booleans or integers expected"
          end
    | Bimpl | Biff -> assert false

and make_unary_op loc op t1 e1 =
  match op with
    | Unot ->
        if is_boolean t1 then
          Tboolean,JEun(op,e1)
        else
          typing_error loc "boolean expected"
    | Ucompl ->
        begin
          try
            match unary_numeric_promotion t1 with
              | Tint -> Tint,JEun(op, e1)
              | _ -> raise Not_found
          with Not_found ->
            typing_error loc "integer type expected for ~"
        end
    | Uminus->
        begin
          try
            let t = unary_numeric_promotion t1 in
            t,JEun(op, e1)
          with Not_found ->
            typing_error loc "numeric type expected for -"
        end
    | Uplus -> assert false

and expr_var loc vi =
  { java_expr_node = JEvar vi;
    java_expr_type = vi.java_var_info_type;
    java_expr_loc = loc }

and expr_of_term t =
  let ty = ref t.java_term_type in
  let n =
    match t.java_term_node with
      | JTvar vi -> JEvar vi
      | JTat _ -> assert false (* TODO *)
      | JTfield_access(t, fi) ->
          JEfield_access(expr_of_term t,fi)
      | JTstatic_field_access(ci, fi) ->
          JEstatic_field_access(ci,fi)
      | JTarray_length(t) ->
          ty := int_type;
          JEarray_length(expr_of_term t)
      | JTarray_access(t1,t2) ->
          JEarray_access(expr_of_term t1, expr_of_term t2)
      | JTarray_range _  -> assert false (* TODO *)
      | JTapp (_, _, _) -> assert false (* TODO *)
      | JTbin (_, _, _, _) -> assert false (* TODO *)
      | JTbin_obj (_, _, _) -> assert false (* TODO *)
      | JTun (_t, _op, _e1) -> assert false (* TODO *)
      | JTlit _ -> assert false (* TODO *)
      | JTcast(ty,t) -> JEcast(ty,expr_of_term t)
      | JTif(t1,t2,t3) ->
          JEif(expr_of_term t1, expr_of_term t2, expr_of_term t3)
  in
  { java_expr_loc = t.java_term_loc;
    java_expr_type = !ty;
    java_expr_node = n ;
  }

(*
  JLS 15.12.2: Compile-Time Step 2: Determine Method signature

  ti is the class or interface to search

*)

and is_accessible_and_applicable_method mi id arg_types =
  mi.method_info_name = id &&
  (* check args number *)
  List.length arg_types = List.length mi.method_info_parameters &&
  (* check args types *)
(
  (*
    eprintf "check applicability of [%a] to [%a]@."
    (Pp.print_list Pp.comma (fun fmt t -> print_type fmt t)) arg_types
    (Pp.print_list Pp.comma (fun fmt (vi,_) -> print_type fmt vi.java_var_info_type)) mi.method_info_parameters;
  *)
  List.for_all2
   (fun vi t ->
      is_method_invocation_convertible t vi.java_var_info_type)
  (List.map fst mi.method_info_parameters) arg_types )

and is_accessible_and_applicable_constructor ci arg_types =
  (* check args number *)
  List.length arg_types = List.length ci.constr_info_parameters &&
  (* check args types *)
  List.for_all2
  (fun vi t ->
     is_method_invocation_convertible t vi.java_var_info_type)
  (List.map fst ci.constr_info_parameters) arg_types

and mci_signature mci =
  let ty, params =
    match mci with
      | MethodInfo mi ->
	  begin match mi.method_info_class_or_interface with
	    | TypeClass ci ->
		JTYclass (true (* i.e. [this] is always non-null *), ci)
	    | TypeInterface ii -> JTYinterface ii
	  end,
	  mi.method_info_parameters
      | ConstructorInfo ci ->
	  JTYclass (true (* i.e. [this] is always non-null *), ci.constr_info_class),
	  ci.constr_info_parameters
  in
    ty :: List.map (fun (vi, _) -> vi.java_var_info_type) params

and compare_signatures acc s1 s2 =
  match s1,s2 with
    | [],[] -> acc
    | [],_ | _,[] -> assert false
    | t1::r1,t2::r2 ->
        if is_identity_convertible t1 t2 then
          compare_signatures acc r1 r2
        else
          if is_method_invocation_convertible t1 t2 then
            (* t1 convertible to t2 *)
            if acc >= 0 then 1 else raise Not_found
          else
            if is_method_invocation_convertible t2 t1 then
              (* t2 convertible to t1 *)
              if acc <= 0 then -1 else raise Not_found
            else raise Not_found

and filter_maximally_specific_signature mci acc =
  match acc with
    | [] -> [mci]
    | mci' :: rem ->
        let s1 = mci_signature mci in
        let s2 = mci_signature mci' in
        try
          let c = compare_signatures 0 s1 s2 in
          if c = 0 then mci :: acc else
            if c > 0 then (* mci more specific than mci' *)
              filter_maximally_specific_signature mci rem
            else (* mci' more specific than mci *)
              acc
        with Not_found -> (* incomparable signatures *)
          mci' :: (filter_maximally_specific_signature mci rem)

and get_maximally_specific_signatures acc mcis =
  match mcis with
    | [] -> acc
    | mci::rem ->
        let acc' = filter_maximally_specific_signature mci acc in
        get_maximally_specific_signatures acc' rem

and lookup_method ti (loc,id) arg_types =
  let rec collect_methods_from_interface acc ii =
    check_if_interface_complete ii;
    let acc =
      List.fold_left
        (fun acc mi ->
           if is_accessible_and_applicable_method mi id arg_types then
             mi::acc
           else acc)
        acc ii.interface_info_methods
    in
    List.fold_left
      collect_methods_from_interface acc ii.interface_info_extends
  in
  let rec collect_methods_from_class acc ci =
    check_if_class_complete ci;
    let acc =
      List.fold_left
        (fun acc mi ->
           if is_accessible_and_applicable_method mi id arg_types then
             mi::acc
           else acc)
        acc ci.class_info_methods
    in
    let acc =
      match ci.class_info_extends with
        | None when ci == !object_class -> acc
        | None -> collect_methods_from_class acc !object_class
        | Some ci -> collect_methods_from_class acc ci
    in
    List.fold_left
      collect_methods_from_interface acc ci.class_info_implements
  in
  let meths =
    match ti with
      | TypeClass ci -> collect_methods_from_class [] ci
      | TypeInterface ii ->
          let acc = collect_methods_from_interface [] ii in
          collect_methods_from_class acc !object_class
  in
  match meths with
    | [] ->
        typing_error loc "Cannot find method @['%a.%s(%a)'@]" print_type_name ti id
          (Pp.print_list Pp.comma print_type) arg_types

    | [mi] -> mi
    | _ ->
(*
        eprintf "possible calls:@.";
        List.iter (fun mi ->
                     eprintf "%a.%s(%a)@."
                       print_type_name mi.method_info_class_or_interface
                       mi.method_info_name
                       (Pp.print_list Pp.comma (fun fmt (vi,_) -> print_type fmt vi.java_var_info_type))
                       mi.method_info_parameters)
          meths;
*)
	let meths = List.map (fun mi -> MethodInfo mi) meths in
        let meths = get_maximally_specific_signatures [] meths in
(*
        eprintf "maximally specific calls:@.";
        List.iter (fun mi ->
                     eprintf "%a.%s(%a)@."
                       print_type_name mi.method_info_class_or_interface
                       mi.method_info_name
                       (Pp.print_list Pp.comma (fun fmt (vi,_) -> print_type fmt vi.java_var_info_type))
                       mi.method_info_parameters)
          meths;
*)
        match meths with
          | [] -> assert false
          | [MethodInfo mi] -> mi
          | _ ->
              typing_error loc "ambiguity in overloading/overriding"

and lookup_constructor loc ci arg_types =
  let rec collect_constructors_from_class acc ci =
    check_if_class_complete ci;
    List.fold_left
      (fun acc ci ->
         if is_accessible_and_applicable_constructor ci arg_types then
           ci::acc
         else acc)
      acc ci.class_info_constructors
  in
  let constructors = collect_constructors_from_class [] ci in
  match constructors with
    | [] ->
        typing_error loc "Cannot find constructor @['%a(%a)'@]"
	  print_type_name  (TypeClass ci)
          (Pp.print_list Pp.comma print_type) arg_types
    | [ci] -> ci
    | _ ->
	let constrs = List.map (fun ci -> ConstructorInfo ci) constructors in
        let constrs = get_maximally_specific_signatures [] constrs in
        match constrs with
          | [] -> assert false
          | [ConstructorInfo ci] -> ci
          | _ ->
              typing_error loc "ambiguity in overloading/overriding"

and expr ~ghost env e =
  let exprt = expr ~ghost env in
  let ty, te =
    match e.java_pexpr_node with
      | JPElit l ->
          let t, l =
            match l with
              | Integer _s | Char _s -> int_type, l
              | String _s -> logic_string_type, l
              | Bool _b -> boolean_type, l
              | Float(_s,suf) ->
		  begin
		    match suf with
		      | `Single -> float_type,l
		      | `Double | `Real -> double_type, l
		  end
              | Null -> null_type, l
          in t, (JElit l)
      | JPEname n ->
          begin
            match classify_name env.package_env env.type_env env.current_type env.env n with
              | TermName t ->
                  let e = expr_of_term t in
                  e.java_expr_type, e.java_expr_node
              | TypeName _ ->
                  typing_error e.java_pexpr_loc
                    "expression expected, got a class or interface"
              | PackageName _ ->
                  typing_error e.java_pexpr_loc
                    "expression expected, got a package name"
              | LogicTypeName _ ->
                  typing_error e.java_pexpr_loc
                    "expression expected, got a logic type"
          end
      | JPEthis ->
          let vi = get_this e.java_pexpr_loc env.env in
          vi.java_var_info_type, JEvar vi
      | JPEinstanceof (e1, t)->
          let te1 = exprt e1 in
          let ty = type_type env.package_env env.type_env false t in
          if is_reference_type ty &&
            cast_convertible te1.java_expr_type ty then
            boolean_type,JEinstanceof(te1,ty)
          else
            typing_error e.java_pexpr_loc "invalid instanceof"
      | JPEcast (t, e1)->
          let te1 = exprt e1 in
          let ty = type_type env.package_env env.type_env false t in
          if cast_convertible te1.java_expr_type ty then
            ty,JEcast(ty,te1)
          else
            typing_error e.java_pexpr_loc "invalid cast"
      | JPEarray_access (e1, e2)->
          let te1 = exprt e1 and te2 = exprt e2 in
          begin
            match te1.java_expr_type with
              | JTYarray (_, t) ->
                  begin
                    try
                      match
                        unary_numeric_promotion te2.java_expr_type
                      with
                        | Tint -> t, JEarray_access(te1,te2)
                        | _ -> raise Not_found
                    with
                        Not_found ->
                          int_expected e2.java_pexpr_loc te1.java_expr_type
                  end
              | _ ->
                  array_expected e1.java_pexpr_loc te1.java_expr_type
          end
      | JPEnew_array(t,dims) ->
          let ty = type_type env.package_env env.type_env true t in
          let l =
            List.map (fun e ->
                        let te = exprt e in
                        match unary_numeric_promotion te.java_expr_type with
                          | Tint ->
                              te
                          | _ ->
                              int_expected e.java_pexpr_loc te.java_expr_type)
              dims
          in
          JTYarray (true, ty), JEnew_array(ty,l)
      | JPEnew (n, args) ->
          let args = List.map exprt args in
          let arg_types = List.map (fun e -> e.java_expr_type) args in
            begin
            match classify_name env.package_env env.type_env env.current_type env.env n with
              | TypeName (TypeClass ci) ->
(*
                  eprintf "looking up constructor in class %s@." ci.class_info_name;
*)

                  let constr = lookup_constructor (fst (List.hd n))
		    ci arg_types in
                  JTYclass (true, ci), JEnew_object(constr,args)
              | _ ->
                  typing_error (fst (List.hd n))
                    "class type expected"
          end
      | JPEsuper_call (id, el) ->
          (* JLS 15.12 *)
          let ci =
            match env.current_type with
              | Some (TypeClass ci) ->
                  if ci == !object_class then
                    typing_error e.java_pexpr_loc "cannot resolve variable super"
                  else
                    begin
                      match ci.class_info_extends with
                        | None ->
                            typing_error e.java_pexpr_loc
                              "cannot resolve variable super"
                        | Some ci -> TypeClass ci
                    end
              | _ -> typing_error e.java_pexpr_loc "not a class"
          in
          let args = List.map exprt el in
          let arg_types = List.map (fun e -> e.java_expr_type) args in
          begin
            let mi = lookup_method ci id arg_types in
            let ty =
              match mi.method_info_result with
                | None -> unit_type
                | Some vi -> vi.java_var_info_type
            in
              if mi.method_info_is_static then
                ty, JEstatic_call (mi, args)
              else
                let te2 =
                  let vi = get_this e.java_pexpr_loc env.env in
                    {
                      java_expr_node = JEvar vi;
                      java_expr_type = vi.java_var_info_type;
                      java_expr_loc = e.java_pexpr_loc;
                    }
                in
                  ty,JEcall (te2, mi, args)
          end
      | JPEcall_name (qid, labels, args)->
	  assert (labels = []);
          let args = List.map exprt args in
          let arg_types = List.map (fun e -> e.java_expr_type) args in
          let ti,id,te1 =
            match qid with
              | [] -> assert false
              | [id] ->
                  begin
                    match env.current_type with
                      | None -> assert false
                      | Some ti -> ti,id,None
                  end
              | id::n ->
                  begin
                    match
                      classify_name env.package_env env.type_env env.current_type env.env n
                    with
                      | TypeName ti -> ti, id, None
                      | TermName te ->
                          let ti =
                            match te.java_term_type with
                              | JTYclass(_,ci) -> TypeClass ci
                              | JTYinterface ii -> TypeInterface ii
                              | _ -> typing_error e.java_pexpr_loc
                                  "not a class or interface type"
                          in ti,id,Some (expr_of_term te)
                      | PackageName _ | LogicTypeName _ ->
                          typing_error (fst (List.hd n))
                            "expr or class or interface expected"
                  end
          in
(*
          eprintf "looking up method '%s' in class %a @." (snd id) print_type_name ti;
*)
          let mi = lookup_method ti id arg_types in
          let ty =
            match mi.method_info_result with
              | None -> unit_type
              | Some vi -> vi.java_var_info_type
          in
          if mi.method_info_is_static then
            ty,JEstatic_call(mi,args)
          else
            let te2 =
              match te1 with
                | Some e -> e
                | None ->
                    let vi = get_this e.java_pexpr_loc env.env in
                    {
                      java_expr_node = JEvar vi;
                      java_expr_type = vi.java_var_info_type;
                      java_expr_loc = e.java_pexpr_loc;
                    }
            in
              ty,JEcall(te2,mi,args)

      | JPEcall_expr (e1, id, args)->
          let args = List.map exprt args in
          let arg_types = List.map (fun e -> e.java_expr_type) args in
          begin
            let ci,te1 =
              let te = exprt e1 in
              begin
                match te.java_expr_type with
                  | JTYclass(_,ci) -> (TypeClass ci),Some te
                  | JTYinterface(ii) -> (TypeInterface ii),Some te
                  | _ -> typing_error e.java_pexpr_loc
                      "not a class or interface type"
              end
            in
            let mi = lookup_method ci id arg_types in
            let ty =
              match mi.method_info_result with
                | None -> unit_type
                | Some vi -> vi.java_var_info_type
            in
            if mi.method_info_is_static then
              ty,JEstatic_call(mi,args)
            else
              let te2 =
                match te1 with
                  | Some e -> e
                  | None ->
                      let vi = get_this e.java_pexpr_loc env.env in
                      {
                        java_expr_node = JEvar vi;
                        java_expr_type = vi.java_var_info_type;
                        java_expr_loc = e.java_pexpr_loc;
                      }
              in
              ty,JEcall(te2,mi,args)
          end
      | JPEfield_access(Super_access _f) -> assert false (* TODO *)
      | JPEfield_access(Primary_access(e1,(loc,id))) ->
          let te = type_expr_field_access (exprt e1) loc id in
          te.java_expr_type,te.java_expr_node
      | JPEif (e1, e2, e3)->
          let te1 = exprt e1 in
          if is_boolean te1.java_expr_type then
            let te2 = exprt e2 in
            let te3 = exprt e3 in
            (* TODO: check if compatible types *)
            te2.java_expr_type,JEif(te1,te2,te3)
          else
            typing_error e1.java_pexpr_loc "boolean expected"

      | JPEassign_array (e1, e2, op, e3)->
          let te1 = exprt e1
          and te2 = exprt e2
          and te3 = exprt e3
          in
          begin
            match te1.java_expr_type with
              | JTYarray (_, t) ->
                  begin
                    try
                      match unary_numeric_promotion te2.java_expr_type with
                        | Tint ->
                            if op = Beq then
                              if is_assignment_convertible ~ghost env
                                te3.java_expr_type te3 t
                              then
                                t, JEassign_array(te1,te2,te3)
                              else
                                typing_error e3.java_pexpr_loc
                                  "type `%a' expected" print_type t
                            else
                              if cast_convertible te3.java_expr_type t then
                                t, JEassign_array_op(te1,te2,op,te3)
                              else
                                typing_error e.java_pexpr_loc
                                  "type %a expected, got %a"
                                  print_type t
                                  print_type te3.java_expr_type

                        | _ -> raise Not_found
                    with
                        Not_found ->
                          int_expected e2.java_pexpr_loc te2.java_expr_type
                  end
              | _ ->
                  array_expected e1.java_pexpr_loc te1.java_expr_type
          end
      | JPEassign_field (Super_access((_loc,_id)), _op, _e2) ->
          assert false (* TODO *)
      | JPEassign_field (Primary_access(e1,(loc,id)), op, e2)->
          let te2 = exprt e2 in
          begin
            match
              (type_expr_field_access (exprt e1) loc id).java_expr_node
            with
              | JEfield_access(t,fi) ->
                  type_assign_field ~ghost env t fi op te2
              | _ -> assert false
          end
      | JPEassign_name (n, op, e1)->
          begin
            let te = exprt e1 in
            match classify_name env.package_env env.type_env env.current_type env.env n with
                | TermName t ->
                    begin
                      match t.java_term_node with
                        | JTvar vi ->
                            if op = Beq then
                              if is_assignment_convertible ~ghost env te.java_expr_type te
                                vi.java_var_info_type
                              then
                                (vi.java_var_info_type,
                                 JEassign_local_var(vi,te))
                              else
                                typing_error e.java_pexpr_loc
                                  "type %a expected, got %a"
                                  print_type vi.java_var_info_type
                                  print_type te.java_expr_type
                            else
                              if cast_convertible te.java_expr_type
                                vi.java_var_info_type
                              then
                                (vi.java_var_info_type,
                                 JEassign_local_var_op(vi,op,te))
                              else
                                typing_error e.java_pexpr_loc
                                  "type %a expected, got %a"
                                  print_type vi.java_var_info_type
                                  print_type te.java_expr_type
                        | JTfield_access (t, fi) ->
                            type_assign_field ~ghost env (expr_of_term t) fi op te
                        | JTstatic_field_access (_, fi) ->
                            type_assign_static_field ~ghost env fi op te
                        | _ -> assert false (* TODO *)
                    end
                | TypeName _ ->
                    typing_error e.java_pexpr_loc
                      "lvalue expected, got a class or interface"
                | PackageName _ ->
                    typing_error e.java_pexpr_loc
                      "lvalue expected, got a package name"
                | LogicTypeName _ ->
                    typing_error e.java_pexpr_loc
                      "lvalue expected, got a package name"
          end
      | JPEincr (op, e)->
          let te = exprt e in
            begin
              match te.java_expr_node with
                | JEvar vi ->
                    te.java_expr_type, JEincr_local_var (op, vi)
                | JEfield_access (e1, fi) ->
                    fi.java_field_info_type, JEincr_field (op, e1, fi)
                | JEarray_access (e1, e2) ->
                    te.java_expr_type, JEincr_array (op, e1, e2)
                | _ -> assert false (* TODO ? *)
            end
      | JPEun (op, e1)->
          let te1 = exprt e1 in
          let t,e = make_unary_op e.java_pexpr_loc op
                      te1.java_expr_type te1 in
          JTYbase t,e

      | JPEbin (e1, op, e2) ->
          let te1 = exprt e1 and te2 = exprt e2 in
          make_bin_op ~ghost e.java_pexpr_loc op
            te1.java_expr_type te1 te2.java_expr_type te2

              (* only in terms *)
      | JPEarray_range _
      | JPEquantifier (_, _, _)
      | JPEat _
      | JPEold _
      | JPEresult 
      | JPEfresh _ ->
          typing_error e.java_pexpr_loc "not allowed in expressions"

  in { java_expr_loc = e.java_pexpr_loc;
        java_expr_type = ty;
        java_expr_node = te; }

and type_assign_field ~ghost env t fi op te =
  if op = Beq then
    if is_assignment_convertible ~ghost env te.java_expr_type te
      fi.java_field_info_type
    then
      (fi.java_field_info_type, JEassign_field (t, fi, te))
    else
      typing_error te.java_expr_loc
        "type %a expected, got %a"
        print_type fi.java_field_info_type
        print_type te.java_expr_type
  else
    if cast_convertible te.java_expr_type
      fi.java_field_info_type
    then
      (fi.java_field_info_type, JEassign_field_op (t, fi, op, te))
    else
      typing_error te.java_expr_loc
        "type %a expected, got %a"
        print_type fi.java_field_info_type
        print_type te.java_expr_type

and type_assign_static_field ~ghost env fi op te =
  if op = Beq then
    if is_assignment_convertible ~ghost env te.java_expr_type te
      fi.java_field_info_type
    then
      (fi.java_field_info_type, JEassign_static_field (fi, te))
    else
      typing_error te.java_expr_loc
        "type %a expected, got %a"
        print_type fi.java_field_info_type
        print_type te.java_expr_type
  else
    if cast_convertible te.java_expr_type
      fi.java_field_info_type
    then
      (fi.java_field_info_type, JEassign_static_field_op (fi, op, te))
    else
      typing_error te.java_expr_loc
        "type %a expected, got %a"
        print_type fi.java_field_info_type
        print_type te.java_expr_type

and initializer_loc i =
  match i with
    | Simple_initializer e -> e.java_pexpr_loc
    | Array_initializer (x::_) -> initializer_loc x
    | Array_initializer [] -> assert false (* TODO *)

and type_initializer ~ghost env ty i =
  match ty, i with
    | _, Simple_initializer e ->
        let te = expr ~ghost env e in
        begin
	  try
	    if is_assignment_convertible ~const:true ~ghost env te.java_expr_type te ty
            then JIexpr te
            else
              typing_error e.java_pexpr_loc "type %a expected, got %a"
		print_type ty print_type te.java_expr_type
	  with Not_found ->
              typing_error e.java_pexpr_loc "type %a expected, got %a"
		print_type ty print_type te.java_expr_type
	end
    | JTYarray (_, t), Array_initializer vil ->
        let il =
          List.map
            (fun vi -> match vi with
               | Simple_initializer _e -> type_initializer ~ghost env t vi
               | Array_initializer _vil -> assert false (* TODO *))
            vil
        in JIlist il
    | _, Array_initializer _l ->
        typing_error (initializer_loc i) "wrong type for initializer"

and type_field_initializer package_env type_env ci fi =
  let init =
    try
      Hashtbl.find field_prototypes_table fi.java_field_info_tag
    with Not_found -> assert false
  in
  let env =
    { package_env = package_env;
      type_env = type_env;
      current_type = Some ci;
      behavior_names = [];
      label_env = [];
      current_label = None;
      env = [];
    }
  in
  let tinit =
    match init with
      | None -> None
      | Some i ->
(*
	  eprintf "Calling type_initializer for %s@." fi.java_field_info_name;
*)
          let ti =
            type_initializer ~ghost:false env fi.java_field_info_type i
          in
          if fi.java_field_info_is_final then
            begin
              match ti with
                | JIexpr e ->
                    begin
                      try
                        let v = eval_const_expression env false e in
                        Hashtbl.add final_field_values_table
                          fi.java_field_info_tag [v]
                      with Not_found ->
                        (**)
                        Java_options.lprintf
                          "FIXME: cannot evaluate this initializer, %a@."
                          Loc.gen_report_position e.java_expr_loc
                          (**)
                          (*
                            typing_error e.java_expr_loc "cannot evaluate this initializer"
                          *)
                    end
                | JIlist vil ->
                    try
                      let vil = List.map
                        (fun vi -> match vi with
                           | JIexpr e -> eval_const_expression env false e
                           | JIlist _ -> assert false (* TODO *))
                        vil
                      in
                      Hashtbl.add final_field_values_table
                        fi.java_field_info_tag vil
                    with Not_found -> assert false
            end;
          Some ti
  in
  Hashtbl.add field_initializer_table fi.java_field_info_tag tinit


(* statements *)

let location env a = term env a


let label_env_here = ["Here",LabelHere]

let labels_env l =
  let env,l =
    List.fold_right
      (fun (_loc,id) (acc1,acc2) ->
	 let lab = LabelName id in
	 ((id,lab)::acc1,lab::acc2))
      l ([],[])
  in
  match l with
    | [lab] -> env,Some lab,l
    | _ -> env,None,l

let add_Pre_Here e =
  { e with
      label_env = ("Pre",LabelPre)::("Here",LabelHere)::e.label_env;
      current_label = Some LabelHere;
  }

let add_Old e =
  { e with
      label_env = ("Pre",LabelOld)::("Old",LabelOld)::e.label_env;
  }

let behavior env pre_state_env post_state_env (id, b) =
  let throws, ensures_env =
    match b.java_pbehavior_throws with
      | None -> None,post_state_env
      | Some (c, None) ->
          (* if [current_type] is an imported type, [c] may not be in [type_env]
             so we need to add the package env of current type in [package_env]
             - Nicolas R. *)
          let package_env =
            match env.current_type with
              | None -> assert false
              | Some (TypeClass ci) ->
                  let p =
                    List.filter
                      (fun p -> not (List.mem p env.package_env))
                      ci.class_info_package_env in
                    p @ env.package_env
              | Some (TypeInterface ii) ->
                  let p =
                    List.filter
                      (fun p -> not (List.mem p env.package_env))
                      ii.interface_info_package_env in
                    p @ env.package_env
          in
          begin
            match classify_name package_env env.type_env env.current_type pre_state_env c with
              | TypeName (TypeClass ci) ->
                  check_if_class_complete ci;
                  assert (ci.class_info_is_exception);
                  (Some ci),post_state_env
              | TypeName (TypeInterface _ci) ->
                  typing_error (fst (List.hd c))
                    "class type expected, not an interface"
              | TermName _ ->
                  typing_error (fst (List.hd c))
                    "class type expected"
              | PackageName _ | LogicTypeName _ ->
                  typing_error (fst (List.hd c))
                    "class type expected"
          end
      | Some (_c, Some _id) ->
          assert false (* TODO *)
  in
  (id,
   Option_misc.map (assertion { env with env = pre_state_env}) b.java_pbehavior_assumes,
   throws,
   (* Note: the `assigns' clause is typed in post-state environnement because \result is available, but where the default label is in Pre
      TODO: we should add a Post label
   *)
   Option_misc.map
     (fun (loc,l) ->
        (loc,List.map (location ((*add_Post*) { env with env = ensures_env })) l))
     b.java_pbehavior_assigns,
   Option_misc.map
     (fun (loc,l) ->
        (loc,List.map (location ((*add_Post*) { env with env = ensures_env })) l))
     b.java_pbehavior_allocates,
   assertion (add_Old {env with env = ensures_env})
     b.java_pbehavior_ensures)



let variable_declaration ~ghost env vd =
  let is_nullable = List.mem Nullable vd.variable_modifiers in
  let non_null = !Java_options.nonnull_sem = NonNullAllLocal && not is_nullable in
  let ty = type_type env.package_env env.type_env non_null vd.variable_type in
  let l =
    List.map
      (fun vd ->
         let ty',id = var_type_and_id false ty vd.variable_id in
         match vd.variable_initializer with
           | None -> (id,ty',None)
           | Some e ->
               let i = type_initializer ~ghost env ty' e in
               (id,ty',Some i))
      vd.variable_decls
  in
  List.fold_right
      (fun ((loc,id),ty,i) (env,decls)->
         let vi = new_var loc ty id in
         (id,vi)::env,(vi,i)::decls)
      l (env.env,[])

let dummy_loop_annot = (expr_true,[],None)

let rec statement env s =
  let exprt = expr ~ghost:false env in
  let statementt = statement env in
  let s' =
    match s.java_pstatement_node with
      | JPSskip -> JSskip
      | JPSif (e, s1, s2) ->
          let te = exprt e in
          let ts1 = statementt s1 in
          let ts2 = statementt s2 in
          if is_boolean te.java_expr_type then
            JSif(te,ts1,ts2)
          else
            typing_error e.java_pexpr_loc "boolean expected"
      | JPSloop_annot (_inv, _beh_invs, _dec) -> assert false
      | JPSannot (_, _)-> assert false (* should not happen *)
      | JPSghost_local_decls _d -> assert false (* TODO *)
      | JPSghost_statement e ->
          let te = expr ~ghost:true env e in JSexpr te
      | JPSexpr e ->
          let te = exprt e in JSexpr te
      | JPSassert(forid,id,a) ->
          let ta = assertion (add_Pre_Here env) a in
          JSassert(Option_misc.map snd forid,Option_misc.map snd id,ta)
      | JPSstatement_spec(_requires,_decreases,_behaviors) ->
          typing_error s.java_pstatement_loc
            "statement spec should appear before a statement"
      | JPSsynchronized (_, _)-> assert false (* TODO *)
      | JPSblock l -> (block env l).java_statement_node
      | JPSswitch (e, l)->
          let te = exprt e in
          (* JSL, p289: switch expr must be char, byte, short or int *)
          begin
            try
              let t = unary_numeric_promotion te.java_expr_type in
              JSswitch(te,List.map (switch_case env t) l)
            with Not_found ->
              typing_error e.java_pexpr_loc "char, byte, short or int expected"
          end
      | JPStry (s, catches, finally)->
          let ts = statements env s in
          let tl =
            List.map
              (fun (p,s) ->
                 let vi, _ = type_param env.package_env env.type_env p in
                 match vi.java_var_info_type with
                   | JTYclass(_,ci) when
                       (check_if_class_complete ci;
                        ci.class_info_is_exception) ->
                       let e = (vi.java_var_info_name,vi)::env.env in
                       (vi,statements {env with env = e } s)
                   | _ ->
                       typing_error vi.java_var_info_decl_loc
                         "throwable class expected")
              catches
          in
          JStry(ts, tl,
                Option_misc.map (statements env) finally)
      | JPSfor_decl _ -> assert false
      | JPSfor _ -> assert false
      | JPSdo (_, _)-> assert false (* TODO *)
      | JPSwhile _ -> assert false
      | JPSlabel ((_loc,id), s)->
	  JSlabel(id, statement
		    {env with label_env = (id, LabelName id)::env.label_env} s)
      | JPSbreak l -> JSbreak (Option_misc.map snd l)
      | JPScontinue l -> JScontinue (Option_misc.map snd l)
      | JPSreturn None ->
          begin
            try
              let _vi = List.assoc "\\result" env.env in
              typing_error s.java_pstatement_loc "missing return value"
            with
                Not_found ->
                  JSreturn_void
          end

      | JPSreturn (Some e) ->
          begin
            try
              let te = exprt e in
              let vi = List.assoc "\\result" env.env in
              if is_assignment_convertible ~ghost:false env
		te.java_expr_type te vi.java_var_info_type then
                  JSreturn te
              else
                typing_error e.java_pexpr_loc "type %a expected, got %a"
                  print_type vi.java_var_info_type print_type te.java_expr_type
            with
                Not_found ->
                  typing_error e.java_pexpr_loc "no result expected"
          end
      | JPSthrow e ->
          let te = exprt e in
          JSthrow te
      | JPSvar_decl _-> assert false (* TODO *)

  in
  { java_statement_loc = s.java_pstatement_loc ;
    java_statement_node = s' }

and local_decl ~ghost env loc vd rem =
  let e, decls = variable_declaration ~ghost env vd in
  let r = block { env with env = e } rem in
  let s =
    List.fold_right
      (fun (vi, i) acc ->
         { java_statement_loc = loc ;
           java_statement_node =
             JSvar_decl(vi,i,acc); })
      decls r in
    [s]


and statements env b =
  match b with
    | [] -> []
    | s :: rem ->
        match s.java_pstatement_node with
          | JPSskip -> statements env rem
          | JPSghost_local_decls vd ->
              local_decl ~ghost:true env s.java_pstatement_loc vd rem
          | JPSvar_decl vd ->
              local_decl ~ghost:false env s.java_pstatement_loc vd rem
	  | JPSlabel ((_loc,id), s)->
	      [{ java_statement_node =
		  JSlabel(id, block
			    {env with label_env =
				(id, LabelName id)::env.label_env}
			    (s :: rem)) ;
		java_statement_loc = s.java_pstatement_loc }]
          | JPSloop_annot (inv,behs_inv,dec) ->
	      let annot = (inv,behs_inv,dec) in
              begin
                match rem with
                  | { java_pstatement_node = JPSdo (s, e);
                      java_pstatement_loc = _loc } :: rem ->
                      let tdo =
                        type_do env s.java_pstatement_loc annot s e
                      in
                        tdo :: statements env rem
                  | { java_pstatement_node = JPSwhile(e,s) ;
                      java_pstatement_loc = _loc } :: rem ->
                      let twhile =
                        type_while env s.java_pstatement_loc annot e s
                      in
                        twhile :: statements env rem
                  | { java_pstatement_node = JPSfor (el1, e, el2, s);
                      java_pstatement_loc = loc } :: rem ->
                      let tfor =
                        type_for env loc el1 annot e el2 s
                      in
                        tfor :: statements env rem
                  | { java_pstatement_node = JPSfor_decl(vd,e,sl,s) ;
                      java_pstatement_loc = loc } :: rem ->
                      let tfor =
                        type_for_decl env loc vd annot e sl s
                      in
                        tfor :: statements env rem
                  | _ -> assert false
              end
          | JPSfor (el1, e, el2, s) ->
              let tfor =
                type_for env
                  s.java_pstatement_loc el1 dummy_loop_annot e el2 s
              in
                tfor :: statements env rem
          | JPSfor_decl(vd,e,sl,s) ->
              let tfor =
                type_for_decl env
                  s.java_pstatement_loc vd dummy_loop_annot e sl s
              in
                tfor :: statements env rem
          | JPSdo (s, e) ->
              let tdo =
                type_do env
                  s.java_pstatement_loc dummy_loop_annot s e
              in
                tdo :: statements env rem
          | JPSwhile(e,s) ->
              let twhile =
                type_while env
                  s.java_pstatement_loc dummy_loop_annot e s
              in
                twhile :: statements env rem
          | JPSstatement_spec(requires,decreases,behaviors) ->
              let req =
                Option_misc.map
		  (assertion { env  with current_label = Some LabelHere})
		  requires
              in
              let decreases = type_variant { env with current_label = Some LabelHere } decreases
              in
              let behs = List.map (behavior env env.env env.env) behaviors in
              begin
                match rem with
                  | [] ->
                      typing_error s.java_pstatement_loc
                        "statement spec should appear before a statement"
                  | stat :: rem ->
                      { java_statement_loc =  s.java_pstatement_loc;
			java_statement_node =
			  JSstatement_spec(req,decreases,behs,
					   statement env stat)
		      } :: statements env rem
              end
          | _ ->
              let s' = statement env s in
                s' :: statements env rem

and type_variant env v =
  Option_misc.map
    (fun (t,r) ->
       let t =
         term env t
       in
       match r with
         | None -> (t,None)
         | Some(loc,id) ->
             (try
                let fi = Hashtbl.find logics_env id in
                (t,Some fi)
              with Not_found ->
                typing_error loc "relation `%s' not found" id)
    )
    v



and type_loop_annot env (inv,behs_inv,dec) =
  let inv = assertion (add_Pre_Here env) inv in
  let l = List.map
    (fun ((loc,id),a) ->
       let bid =
	 try
	   List.assoc id env.behavior_names
	 with Not_found ->
	   typing_error loc "undeclared behavior"
       in
       (bid,assertion (add_Pre_Here env) a))
    behs_inv
  in
  let dec = type_variant (add_Pre_Here env) dec in
  { loop_inv = inv;
    behs_loop_inv = l;
    loop_var = dec;
  }

and type_for env loc el1 annot e el2 s =
  let el1 = List.map (expr ~ghost:false env) el1 in
  let a = type_loop_annot env annot in
  let e = expr ~ghost:false env e in
  let el2 = List.map (expr ~ghost:false env) el2 in
  let s = statement env s in
    { java_statement_node = JSfor (el1, e, a, el2, s);
      java_statement_loc = loc }

and type_for_decl env loc vd annot e sl s =
  let env',decls = variable_declaration ~ghost:false env vd in
  let env = { env with env = env'} in
  let a = type_loop_annot env annot in
  let e = expr ~ghost:false env e in
  let sl = List.map (expr ~ghost:false env) sl in
  let s = statement env s in
  { java_statement_node = JSfor_decl(decls,e,a,sl,s);
    java_statement_loc = loc }

and type_do env loc annot s e =
  let a = type_loop_annot env annot in
  let s = statement env s in
  let e = expr ~ghost:false env e in
    { java_statement_node = JSdo (s, a, e);
      java_statement_loc = loc }

and type_while env loc annot e s =
  let a = type_loop_annot env annot in
  let e = expr ~ghost:false env e in
  let s = statement env s in
  { java_statement_node = JSwhile(e,a,s);
    java_statement_loc = loc }

and block env b =
  match statements env b with
    | [] -> { java_statement_loc = Loc.dummy_position ;
              java_statement_node = JSskip }
    | [s] -> s
    | (s::_) as l ->
        { java_statement_loc = s.java_statement_loc ;
          java_statement_node = JSblock l }

and switch_case env t (labels,b) =
  (List.map (switch_label env t) labels,
   statements env b)

and switch_label env t = function
  | Default -> Default
  | Case e ->
      let te = expr ~ghost:false env e in
      match te.java_expr_type with
        | JTYbase _ as t' when is_assignment_convertible ~ghost:false env t' te (JTYbase t) ->
	  Case te
        | _ ->
             typing_error e.java_pexpr_loc "type `%s' expected, got `%a'"
                (string_of_base_type t) print_type te.java_expr_type

(* methods *)



(* methods *)

type method_table_info =
    { mt_method_info : Java_env.method_info;
      mt_requires : Java_tast.assertion option;
      mt_decreases : (Java_tast.term * Java_env.java_logic_info option) option;
      mt_behaviors : Java_tast.behavior list ;
      mt_body : Java_tast.block option;
    }



let methods_table = Hashtbl.create 97


let type_method_spec_and_body ?(dobody=true) package_env ti mi =
  let type_env =
    match ti with
      | TypeInterface ii ->
          check_if_interface_complete ii;
          (try Hashtbl.find interface_type_env_table ii.interface_info_tag
           with Not_found -> assert false)
      | TypeClass ci ->
          check_if_class_complete ci;
          (try Hashtbl.find class_type_env_table ci.class_info_tag
           with Not_found -> assert false)
  in
  try
    let _ = Hashtbl.find methods_table mi.method_info_tag in ()
  with Not_found ->
    let (_,req,decreases,behs,body) =
      try
        Hashtbl.find methods_env mi.method_info_tag
      with Not_found -> assert false
    in
    let local_env =
      if mi.method_info_is_static then [] else
        let this_type =
          match ti with
            | TypeClass ci -> JTYclass (true, ci) (* i.e. [this] is always non-null *)
            | TypeInterface ii -> JTYinterface ii
        in
        let vi = new_var Loc.dummy_position this_type "this" in
          mi.method_info_has_this <- Some vi;
          [("this",vi)]
    in
    let local_env =
      List.fold_left
        (fun acc vi ->
           (vi.java_var_info_name,vi)::acc)
        local_env (List.map fst mi.method_info_parameters)
    in
    let env = { package_env = package_env ;
                type_env = type_env;
                current_type = (Some ti);
                behavior_names = [];
		label_env = label_env_here;
		current_label = Some LabelHere;
                env = local_env }
    in
    let req = Option_misc.map (assertion env) req in
    let decreases = type_variant env decreases in
    let env_result =
      match mi.method_info_result with
        | None -> local_env
        | Some vi -> (vi.java_var_info_name,vi)::local_env
    in
    let behs = List.map (behavior env local_env env_result) behs in
    let env =
      { env with
	  behavior_names =
	  List.map (fun (id,_,_,_,_,_) -> snd id,id) behs }
    in
    let body =
      if dobody then
        Option_misc.map (statements { env with env = env_result}) body
      else None
    in
    Hashtbl.add methods_table mi.method_info_tag
      { mt_method_info = mi;
        mt_requires = req;
        mt_decreases = decreases;
        mt_behaviors = behs;
        mt_body = body }


type constructor_table_info =
    { ct_constr_info : Java_env.constructor_info;
      ct_requires : Java_tast.assertion option;
      ct_decreases : (Java_tast.term * Java_env.java_logic_info option) option;
      ct_behaviors : (Java_ast.identifier *
                        Java_tast.assertion option *
                        Java_env.java_class_info option *
                        (Loc.position * Java_tast.term list) option *
                        (Loc.position * Java_tast.term list) option *
                        Java_tast.assertion) list ;
      ct_body : Java_tast.block;
    }

let constructors_table = Hashtbl.create 97

let type_constr_spec_and_body ?(dobody=true) package_env current_type ci =
  try
    let _ = Hashtbl.find constructors_table ci.constr_info_tag in ()
  with Not_found ->
  let type_env =
    match current_type with
      | TypeInterface ii ->
          check_if_interface_complete ii;
          (try Hashtbl.find interface_type_env_table ii.interface_info_tag
           with Not_found -> assert false)
      | TypeClass ci ->
          check_if_class_complete ci;
          (try Hashtbl.find class_type_env_table ci.class_info_tag
           with Not_found -> assert false)
  in
  let (_,req,decreases,behs,eci,body) =
    try
      Hashtbl.find constructors_env ci.constr_info_tag
    with Not_found -> assert false
  in
  let local_env =
    List.fold_left
      (fun acc (vi, _) ->
         (vi.java_var_info_name,vi)::acc)
      [] ci.constr_info_parameters
  in
  let this_type =
    match current_type with
      | TypeClass ci -> JTYclass (true, ci) (* i.e. this is always non-null *)
      | TypeInterface ii -> JTYinterface ii
  in
  let this_vi = new_var Loc.dummy_position this_type "this" in
  let this_env =
    ci.constr_info_this <- Some this_vi;
    ("this", this_vi)::local_env
  in
(*
  let spec_env =
    (* spec is typed in a env that contains "this" but it will be
       renamed to "\\result" NO: TODO *)
    let vi = new_var this_type "this" (* "\\result" *) in
      ci.constr_info_result <- Some vi;
      ("this",vi)::local_env
  in
*)
  let env = { package_env = package_env ;
              type_env = type_env;
              current_type = (Some current_type);
	      behavior_names = [];
              label_env = label_env_here;
	      current_label = Some LabelHere;
              env = this_env }
  in
  let req =
    Option_misc.map
      (assertion { env with env = local_env }) req
  in
  let decreases = type_variant { env with env = local_env } decreases in
  let behs = List.map (behavior env local_env this_env) behs in
  if dobody then
    let env =
      { env with
	  behavior_names =
	  List.map (fun (id,_,_,_,_,_) -> snd id,id) behs }
    in
    match eci with
      | Invoke_none ->
          let body = statements { env with env = this_env } body in
          Hashtbl.add constructors_table ci.constr_info_tag
            { ct_constr_info = ci;
              ct_requires = req;
              ct_decreases = decreases;
              ct_behaviors = behs;
              ct_body = body }
      | Invoke_this el ->
          let tel = List.map (expr ~ghost:false env) el in
          let arg_types = List.map (fun te -> te.java_expr_type) tel in
          let this_ci = lookup_constructor Loc.dummy_position ci.constr_info_class arg_types in
          let this_call_s =
            make_statement_no_loc
              (JSexpr (
                 make_expr_no_loc unit_type
                   (JEconstr_call
                      (make_expr_no_loc
                         this_vi.java_var_info_type
                         (JEvar this_vi),
                       this_ci, tel))))
          in
          let body = statements env body in
          Hashtbl.add constructors_table ci.constr_info_tag
            { ct_constr_info = ci;
              ct_requires = req;
              ct_decreases = decreases;
              ct_behaviors = behs;
              ct_body = this_call_s :: body }
      | Invoke_super el ->
          let tel = List.map (expr ~ghost:false env) el in
          let super_class_info =
            match ci.constr_info_class.class_info_extends with
              | None -> assert false
              | Some ci -> ci
          in
          let arg_types = List.map (fun te -> te.java_expr_type) tel in
          let super_ci = lookup_constructor Loc.dummy_position super_class_info arg_types in
          let super_call_s =
            make_statement_no_loc
              (JSexpr (
                 make_expr_no_loc unit_type
                   (JEconstr_call
                      (make_expr_no_loc
                         (JTYclass (true (* [this] is always non null *), super_class_info))
                         (JEvar this_vi),
                       super_ci, tel))))
          in
          let body = statements env body in
          Hashtbl.add constructors_table ci.constr_info_tag
            { ct_constr_info = ci;
              ct_requires = req;
              ct_decreases = decreases;
              ct_behaviors = behs;
              ct_body = super_call_s :: body }
  else
    Hashtbl.add constructors_table ci.constr_info_tag
      { ct_constr_info = ci;
        ct_requires = req;
        ct_decreases = decreases;
        ct_behaviors = behs;
        ct_body = [] }

module G = Imperative.Digraph.Concrete(
  struct
    type t = java_field_info
    let compare fi1 fi2 =
      compare fi1.java_field_info_tag fi2.java_field_info_tag
    let hash fi = fi.java_field_info_tag
    let equal fi1 fi2 = fi1.java_field_info_tag = fi2.java_field_info_tag
  end)

module T = Topological.Make(G)

let rec compute_dependencies_expr env g fi e =
  match e.java_expr_node with
    | JEstatic_field_access (_, fi') | JEfield_access (_, fi') ->
	let v1 = G.V.create fi' in
	let v2 = G.V.create fi in
	  G.add_edge g v1 v2
    | JEun (_, e) | JEcast (_, e) ->
	compute_dependencies_expr env g fi e
    | JEbin (e1, _, e2) ->
	compute_dependencies_expr env g fi e1;
	compute_dependencies_expr env g fi e2
    | JEif (e1, e2, e3) ->
	compute_dependencies_expr env g fi e1;
	compute_dependencies_expr env g fi e2;
	compute_dependencies_expr env g fi e3
    | JElit _ -> ()
    | JEvar _ | JEincr_local_var _ | JEincr_field _
    | JEincr_array _ | JEassign_local_var _ | JEassign_local_var_op _
    | JEassign_field _ | JEassign_field_op _ | JEassign_static_field _
    | JEassign_static_field_op _ | JEassign_array _| JEassign_array_op _
    | JEcall _ | JEconstr_call _ | JEstatic_call _
    | JEnew_object _ | JEnew_array _ | JEinstanceof _ ->
	() (* assert false (* should never happen -> it happens ! *) *)
    | JEarray_length _ | JEarray_access _ -> assert false (* TODO *)

and compute_dependencies_vi env g fi vi =
  match vi with
    | Simple_initializer e ->
(*
	eprintf "Calling expr in type_env:@\n";
        List.iter
          (fun (id,_) -> eprintf "  %s@\n" id)
          env.type_env;
*)
	let te = expr ~ghost:false env e in
(*
	eprintf "Return from expr@.";
*)
	compute_dependencies_expr env g fi te
    | Array_initializer vil ->
	List.iter (compute_dependencies_vi env g fi) vil

and compute_dependencies env g fi =
  let vio =
    try Hashtbl.find field_prototypes_table fi.java_field_info_tag
    with Not_found -> assert false
  in
  let vi = match vio with
    | None -> assert false (* should never happen *)
    | Some vi -> vi
  in
  let v = G.V.create fi in
    G.add_vertex g v;
    compute_dependencies_vi env g fi vi

let type_final_fields package_env type_env ti fields =
(*
  eprintf "type_final_fields in type_env:@\n";
  List.iter
    (fun (id,_) -> eprintf "  %s@\n" id)
    type_env;
*)
  let g = G.create () in
  let env = {
    package_env = package_env;
    type_env = type_env;
    current_type = Some ti;
    behavior_names = [];
    label_env = [];
    current_label = None;
    env = [];
  }
  in
(*
  eprintf "type_final_fields: start iter@.";
*)
  List.iter (compute_dependencies env g) fields;
(*
  eprintf "type_final_fields: end iter@.";
*)
  List.rev
    (T.fold
       (fun t acc ->
	  let fi = G.V.label t in
(*
	  eprintf "Calling type_field_initializer for %s@."
	    fi.java_field_info_name;
*)
	  type_field_initializer package_env type_env
	    fi.java_field_info_class_or_interface fi;
	  fi :: acc)
       g [])

let rec type_decl_aux ~in_axiomatic package_env type_env acc d =
  match d with
    | JPTclass c ->
	assert (not in_axiomatic);
        (*
          class_modifiers : modifiers;
          class_name : identifier;
          class_extends : qualified_ident option;
          class_implements : qualified_ident list;
          class_fields : field_declaration list
        *)
        begin
          let ty =
            try
              List.assoc (snd c.class_name) type_env
            with
                Not_found ->
                  eprintf "Java_typing anomaly: class '%s' not found in type_env@."
                    (snd c.class_name);
                  List.iter
                    (fun (id,_) -> eprintf "  '%s'@\n" id)
                    type_env;
                  assert false
          in
          match ty with
            | TypeInterface _ -> assert false
            | TypeClass ci as ti ->
                check_if_class_complete ci;
                let type_env =
                  try Hashtbl.find class_type_env_table ci.class_info_tag
                  with Not_found -> assert false
                in
		let non_final_fields, final_fields =
		  List.partition
		    (fun fi -> not fi.java_field_info_is_final)
		    ci.class_info_fields
		in

		let final_fields =
(*
		  Format.eprintf "Call(1) type_final_fields@.";
*)
		  let x =
		    type_final_fields package_env type_env ti final_fields
		  in
(*
		  Format.eprintf "Return(1) type_final_fields@.";
*)
		  x
		in
		ci.class_info_final_fields <- final_fields;
                List.iter (type_field_initializer package_env type_env ti)
                  non_final_fields;
                List.iter (type_method_spec_and_body package_env ti)
                  ci.class_info_methods;
                List.iter (type_constr_spec_and_body package_env ti)
                  ci.class_info_constructors;
		acc
        end
    | JPTinterface i ->
	assert (not in_axiomatic);
        begin
          let ty =
            try
              List.assoc (snd i.interface_name) type_env
            with
                Not_found ->
                  eprintf "Java_typing anomaly: interface '%s' not found in type_env@."
                    (snd i.interface_name);
                  List.iter
                    (fun (id,_) -> eprintf "  '%s'@\n" id)
                    type_env;
                  assert false
          in
          match ty with
            | TypeClass _ -> assert false
            | TypeInterface ii as ti ->
                check_if_interface_complete ii;
                let type_env =
                  try Hashtbl.find interface_type_env_table ii.interface_info_tag
                  with Not_found -> assert false
                in
		let fields =
		  type_final_fields package_env type_env ti ii.interface_info_fields
		in
		  ii.interface_info_final_fields <- fields;
                  List.iter (type_method_spec_and_body package_env ti)
                    ii.interface_info_methods;
		  acc
        end
    | JPTannot(_loc,_s) -> assert false
    | JPTlemma((loc,id),is_axiom, labels,e) ->
	let labels_env,current_label,tlabels = labels_env labels in
        let env =
          { package_env = package_env;
            type_env = type_env;
            current_type = None;
            behavior_names = [];
	    label_env = labels_env;
	    current_label = current_label;
            env = [];
          }
        in
        let te = assertion env e in
	if in_axiomatic then
	  Aaxiom(id,is_axiom,tlabels,te)::acc
	else
	  begin
	    if is_axiom then
	      typing_error loc "axioms not allowed outside axiomatics";
	    Hashtbl.add lemmas_table id (loc,tlabels,te);
	    acc
	  end
    | JPTlogic_type_decl (loc,id) ->
	if in_axiomatic then
	  Atype id :: acc
	else
	  begin
	    typing_error loc "logic types not allowed outside axiomatics";
	  end

    | JPTlogic_reads ((loc, id), ret_type, labels, params, reads) ->
	if not in_axiomatic then
	  typing_error loc "logics without def not allowed outside axiomatics";
	let labels_env,current_label,tlabels = labels_env labels in
        let pl = List.map (fun p -> fst (type_param package_env type_env p)) params in
        let env =
          List.fold_left
            (fun acc vi ->
               (vi.java_var_info_name,vi)::acc)
            [] pl
        in
        let env =
          { package_env = package_env;
            type_env = type_env;
            current_type = None;
            behavior_names = [];
	    label_env = labels_env;
	    current_label = current_label;
            env = env;
          }
        in
	let fi =
	  match ret_type with
            | None -> logic_info id None tlabels pl
	    | Some ty ->
		logic_info id
                  (Some (type_type package_env type_env false ty))
                  tlabels pl
	in
        Hashtbl.add logics_env id fi;
	Java_options.lprintf "Adding logic function '%s' in the logic environment@." id;
        let body = match reads with
          | Some r -> `Reads (List.map (location env) r)
          | None -> `None
        in
	Adecl(fi,body)::acc

    | JPTlogic_def ((_loc, id), ret_type, labels, params, body) ->
	let labels_env,current_label,tlabels = labels_env labels in
        let pl = List.map (fun p -> fst (type_param package_env type_env p)) params in
        let env =
          List.fold_left
            (fun acc vi ->
               (vi.java_var_info_name,vi)::acc)
            [] pl
        in
        let env =
          { package_env = package_env;
            type_env = type_env;
            current_type = None;
            behavior_names = [];
	    label_env = labels_env;
	    current_label = current_label;
            env = env;
          }
        in
	begin
          match ret_type with
            | None ->
		let fi = logic_info id None tlabels pl in
		let a = assertion env body in
		Hashtbl.add logics_env id fi;
		if in_axiomatic then
		  Adecl(fi,`Assertion a)::acc
		else
		  begin
		    Hashtbl.add logic_defs_table fi.java_logic_info_tag
		      (fi,`Assertion a);
		    acc
		  end
	    | Some ty ->
                let fi =
		  logic_info id
                  (Some (type_type package_env type_env false ty)) tlabels pl
		in
                let t = term env body in
                Hashtbl.add logics_env id fi;
		if in_axiomatic then
		  Adecl(fi,`Term t)::acc
		else
		  begin
		    Hashtbl.add logic_defs_table fi.java_logic_info_tag
		      (fi,`Term t);
		    acc
		  end
        end
    | JPTinductive((_loc, id), labels, params, body) ->
	let _labels_env,_current_label,tlabels = labels_env labels in
        let pl =
	  List.map (fun p -> fst (type_param package_env type_env p)) params
	in
        let env =
          List.fold_left
            (fun acc vi ->
               (vi.java_var_info_name,vi)::acc)
            [] pl
        in
        let env =
          { package_env = package_env;
            type_env = type_env;
            current_type = None;
            behavior_names = [];
	    label_env = [];
	    current_label = None;
            env = env;
          }
        in
	let fi = logic_info id None tlabels pl in
	(* adding fi in env before typing indcases *)
        Hashtbl.add logics_env id fi;
	let l = List.map
	  (fun (id,labels,e) ->
	     let labels_env,current_label,tlabels = labels_env labels in
	     let env = { env with
			   label_env = labels_env;
			   current_label = current_label;
		       }
	     in
	     let a = assertion env e in
	     (id,tlabels,a))
	  body
	in
	if in_axiomatic then
	  Adecl(fi,`Inductive l)::acc
	else
          begin
	    Hashtbl.add logic_defs_table fi.java_logic_info_tag
	      (fi,`Inductive l);
	    acc;
	  end
    | JPTaxiomatic((loc,id),l) ->
	if in_axiomatic then
	  typing_error loc "nested axiomatics not allowed";
	let l = List.fold_left
	  (type_decl_aux ~in_axiomatic:true package_env type_env) [] l
	in
	Hashtbl.add axiomatics_table id l;
	acc
    | JPTimport(PolyTheoryId(id_list,_params)) ->
        let loc = fst (List.hd id_list) in
	if in_axiomatic then
	  typing_error loc "import not allowed in axiomatics";


        let qid = Java_pervasives.qualified_ident2string id_list "." in
	let body =
	  try
	    Hashtbl.find import_spec_table qid
	  with Not_found -> assert false
	in
	let l = List.fold_left
	  (type_decl_aux ~in_axiomatic:true package_env type_env) [] body
	in
        let id = snd (List.hd id_list) in
	Hashtbl.add axiomatics_table id l;
	acc


let type_decl package_env type_env d =
  ignore (type_decl_aux ~in_axiomatic:false package_env type_env [] d)

let get_bodies package_env type_env cu =
  List.iter (type_decl package_env type_env) cu.cu_type_decls

let type_specs package_env _type_env =
  Hashtbl.iter
    (fun _ ti ->
       match ti with
	 | TypeClass ci ->
	     let final_fields =
	       List.filter
		 (fun fi -> fi.java_field_info_is_final &&
		    not (List.mem fi ci.class_info_final_fields))
		 ci.class_info_fields
	     in
             let type_env =
               try Hashtbl.find class_type_env_table ci.class_info_tag
               with Not_found -> assert false
             in
	     let final_fields =
(*
	       Format.eprintf "Call(2) type_final_fields for %s@." ci.class_info_name;
*)
	       let x = type_final_fields package_env type_env ti final_fields
	       in
(*
	       Format.eprintf "Return(2) type_final_fields@.";
*)
	       x
	     in
	       ci.class_info_final_fields <-
		 final_fields @ ci.class_info_final_fields
	 | TypeInterface ii ->
	     let final_fields =
	       List.filter
		 (fun fi -> not (List.mem fi ii.interface_info_final_fields))
		 ii.interface_info_fields
	     in
             let type_env =
               try Hashtbl.find interface_type_env_table ii.interface_info_tag
               with Not_found -> assert false
             in
	     let final_fields =
	       type_final_fields package_env type_env ti final_fields
	     in
	       ii.interface_info_final_fields <-
		 final_fields @ ii.interface_info_final_fields)
    type_table;
  Hashtbl.iter
    (fun tag (current_type, env, vi, invs) ->
       match current_type with
         | TypeClass ci ->
             let type_env =
               try Hashtbl.find class_type_env_table ci.class_info_tag
               with Not_found -> assert false
             in
             let env =
               { package_env = package_env;
                 type_env = type_env;
                 current_type = (Some current_type);
               	 behavior_names = [];
		 label_env = label_env_here;
		 current_label = Some LabelHere;
                 env = env;
               }
             in
             Hashtbl.add invariants_table tag
               (ci, vi, List.map
                  (fun (id, e) ->
                     (id, assertion env e))
                  invs)
         | _ -> assert false)
    invariants_env;
  Hashtbl.iter
    (fun tag (current_type, invs) ->
       match current_type with
         | TypeClass ci ->
             let type_env =
               try Hashtbl.find class_type_env_table ci.class_info_tag
               with Not_found -> assert false
             in
	     let env =
               { package_env = package_env;
		 type_env = type_env;
		 current_type = (Some current_type);
		 behavior_names = [];
		 label_env = [];
		 current_label = None;
		 env = [];
               }
	     in
	     Hashtbl.add static_invariants_table tag
               (List.map
		  (fun (s, e) -> s, assertion env e)
		  invs)
	 | _ -> assert false)
    static_invariants_env;
  Hashtbl.iter
    (fun _ (mi, _, _, _,_)  ->
       type_method_spec_and_body ~dobody:false
         package_env mi.method_info_class_or_interface mi)
    methods_env;
  Hashtbl.iter
    (fun _ (ci, _, _, _, _, _)  ->
       type_constr_spec_and_body ~dobody:false
         package_env (TypeClass ci.constr_info_class) ci)
    constructors_env


(*
Local Variables:
compile-command: "make -C .. bin/krakatoa.byte"
End:
*)
why-2.34/java/java_typing.mli0000644000175000017500000001300112311670312014547 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

val print_qualified_ident : Format.formatter -> Java_ast.qualified_ident -> unit

val print_type_name : Format.formatter -> Java_env.java_type_info -> unit

val print_type : Format.formatter -> Java_env.java_type -> unit

val type_table : (int, Java_env.java_type_info) Hashtbl.t

type method_table_info =
    { mt_method_info : Java_env.method_info;
      mt_requires : Java_tast.assertion option;
      mt_decreases : (Java_tast.term * Java_env.java_logic_info option) option;
      mt_behaviors : (Java_ast.identifier *
			Java_tast.assertion option *
			Java_env.java_class_info option *
			(Loc.position * Java_tast.term list) option *
			(Loc.position * Java_tast.term list) option *
			Java_tast.assertion) list ;
      mt_body : Java_tast.block option;
    }

val methods_table :
  (int, method_table_info) Hashtbl.t

type constructor_table_info =
    { ct_constr_info : Java_env.constructor_info;
      ct_requires : Java_tast.assertion option;
      ct_decreases : (Java_tast.term * Java_env.java_logic_info option) option;
      ct_behaviors : (Java_ast.identifier *
			Java_tast.assertion option *
			Java_env.java_class_info option *
			(Loc.position * Java_tast.term list) option *
			(Loc.position * Java_tast.term list) option *
			Java_tast.assertion) list ;
      ct_body : Java_tast.block;
    }

val constructors_table :
  (int, constructor_table_info) Hashtbl.t

val invariants_table :
  (int, Java_env.java_class_info * Java_env.java_var_info *
     (Java_ast.identifier * Java_tast.assertion) list) Hashtbl.t

val static_invariants_table :
  (int, (string * Java_tast.assertion) list) Hashtbl.t

val field_initializer_table :
  (int, Java_tast.initialiser option) Hashtbl.t

val final_field_values_table :
  (int, Num.num list) Hashtbl.t

val lemmas_table : (string,(Loc.position * Java_env.logic_label list * Java_tast.assertion)) Hashtbl.t


type logic_def_body =
  [ `Assertion of Java_tast.assertion
  | `Term of Java_tast.term
  | `Inductive of
      (Java_ast.identifier * Java_env.logic_label list * Java_tast.assertion)
	list
  | `Builtin ]

type logic_decl_body =
  [ logic_def_body
  | `None
  | `Reads of Java_tast.term list ]

val logic_defs_table :
  (int,Java_env.java_logic_info * logic_def_body) Hashtbl.t

type axiomatic_defs =
  | Adecl of  Java_env.java_logic_info * logic_decl_body
  | Aaxiom of string * bool * Java_env.logic_label list * Java_tast.assertion
  | Atype of string

val logic_types_table : (string, Java_env.logic_type_info) Hashtbl.t
val axiomatics_table : (string, axiomatic_defs list) Hashtbl.t

val builtin_logic_symbols : Java_env.java_logic_info list ref

exception Typing_error of Loc.position * string

val catch_typing_errors : ('a -> 'b) -> 'a -> 'b

(*
val get_types :
  Java_ast.compilation_unit ->
  Java_env.package_info list *
    (string * Java_env.java_type_info) list
*)

val get_types :
  Java_env.package_info list ->
  Java_ast.compilation_unit list ->
  Java_env.package_info list *
    (string * Java_env.java_type_info) list

val get_bodies :
  Java_env.package_info list ->
  (string * Java_env.java_type_info) list ->
  Java_ast.compilation_unit -> unit

val type_specs :
  Java_env.package_info list ->
  (string * Java_env.java_type_info) list ->
  unit



(*
Local Variables:
compile-command: "make -j -C .. bin/krakatoa.byte"
End:
*)
why-2.34/java/java_env.mli0000644000175000017500000001640112311670312014034 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s types and environments *)

type accessibility = Apublic | Aprotected | Aprivate | Anone

type base_type =
    | Tshort | Tboolean | Tbyte | Tchar | Tint | Tfloat | Tlong | Tdouble 
	  (* native logic types *)
    | Tinteger | Treal | Tunit | Tstring

type logic_label = 
  | LabelName of string
  | LabelHere
  | LabelOld
  | LabelPre

type java_type =
  | JTYbase of base_type
  | JTYnull (*r type of 'null' *)
  | JTYclass of bool * java_class_info (*r first arg true if non_null *)
  | JTYinterface of interface_info 
  | JTYarray of bool * java_type (*r first arg true if non_null *)
  | JTYlogic of logic_type_info
      
and logic_type_info = string


and java_var_info =
    {
      java_var_info_tag : int;
      java_var_info_name : string;
      java_var_info_decl_loc : Loc.position;
      java_var_info_type : java_type;
      mutable java_var_info_final_name : string;
      mutable java_var_info_assigned : bool;
    }
    
and java_field_info =
    {
      java_field_info_tag : int;
      java_field_info_name : string;
      java_field_info_class_or_interface : java_type_info;
(*
      mutable java_field_info_trans_name : string;
      java_field_info_accessibility : accessibility;
*)
      java_field_info_is_static : bool;
      java_field_info_is_final : bool;
      java_field_info_is_nullable : bool;
      java_field_info_type : java_type;
      java_field_info_is_ghost : bool;
      java_field_info_is_model : bool;
    }
    

and method_info = 
    {
      method_info_tag : int;
      method_info_loc : Loc.position;
      method_info_name : string;
      mutable method_info_trans_name : string;
      method_info_is_static : bool;
      (*
	method_info_accessibility : accessibility;
      *)
      method_info_class_or_interface : java_type_info;
      mutable method_info_has_this : java_var_info option;
      method_info_parameters : (java_var_info * (* nullable *) bool) list;
      method_info_result : java_var_info option ;
      method_info_result_is_nullable : bool ;
      mutable method_info_calls : method_or_constructor_info list;
    }
      
and constructor_info = 
    {
      constr_info_tag : int;
      constr_info_loc : Loc.position;
      constr_info_class : java_class_info;
      mutable constr_info_trans_name : string;
      mutable constr_info_this : java_var_info option;
      mutable constr_info_result : java_var_info option;
      constr_info_parameters : (java_var_info * (* nullable : *) bool) list;
      mutable constr_info_calls : method_or_constructor_info list;
    }

and method_or_constructor_info =
  | MethodInfo of method_info
  | ConstructorInfo of constructor_info

    
and logic_type_entry =
    {
      logic_type_entry_name : string
    }

and java_logic_info =
    {
      java_logic_info_name : string;
      java_logic_info_tag : int;
      java_logic_info_result_type : java_type option;
      java_logic_info_labels : logic_label list;
      java_logic_info_parameters : java_var_info list;
      mutable java_logic_info_calls : java_logic_info list;
    }


and axiom_info = 
    {
      axiom_info_name : string;
    }
    


and package_info =
    {
      package_info_tag : int;
      package_info_name : string;
      mutable package_info_directories : string list;
    }
    
and java_class_info =
    {
      class_info_tag : int;
      class_info_name : string;
      class_info_package_env : package_info list;
      mutable class_info_incomplete : bool;
      mutable class_info_is_final : bool;
      mutable class_info_extends : java_class_info option;
      mutable class_info_is_exception : bool;
      mutable class_info_implements : interface_info list;
      mutable class_info_fields : java_field_info list;
      mutable class_info_final_fields : java_field_info list;
      mutable class_info_methods : method_info list;
      mutable class_info_constructors : constructor_info list;
    }

and interface_info =
    {
      interface_info_tag : int;
      interface_info_name : string;
      interface_info_package_env : package_info list;
      mutable interface_info_incomplete : bool;
      mutable interface_info_extends : interface_info list;
      mutable interface_info_fields : java_field_info list;
      mutable interface_info_final_fields : java_field_info list;
      mutable interface_info_methods : method_info list;
    }

and java_type_info =
  | TypeClass of java_class_info
  | TypeInterface of interface_info

(*s literals, shared between ASTs and typed ASTs *)

type float_suffix = [`Single |`Double |`Real]

type literal =
    | Integer of string
    | Float of string * float_suffix
    | Bool of bool
    | String of string
    | Char of string
    | Null

type nonnull_policy =
  | NonNullNone     (* Java semantics *)
  | NonNullFields   (* class fields non-null by default *)
  | NonNullAll      (* class fields and methods parameters & return value non-null by default *)
  | NonNullAllLocal (* class fields, methods parameters & return value, and local variables non-null by default *)


(*
  Local Variables: 
  compile-command: "make -C .. bin/krakatoa.byte"
  End: 
*)
why-2.34/java/java_main.ml0000644000175000017500000003022312311670312014015 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Java_env
open Java_ast
open Format
open Jc_constructors.PDecl

let main () =
  let files = Java_options.files () in
  if files = [] then Java_options.usage ();
  (* phase 1 : parsing *)
  let astl = List.map Java_syntax.file files in
  printf "Parsing OK.@.";
  (* phase 2 : typing *)
  Java_options.lprintf "(****** typing phase *****)@.";
  let (p, t) = Java_typing.get_types [] astl in
  Java_options.lprintf "(****** typing phase 2 : get bodies *****)@.";
  List.iter (Java_typing.get_bodies p t) astl;
  Java_options.lprintf "(****** typing phase 3 : type specs *****)@.";
  Java_typing.type_specs p t;
  printf "Typing OK.@.";

  if !Java_options.abstract <> "" then
    begin
      match astl with
	| [a] ->
	    Pp.print_in_file
	      (fun fmt -> Java_abstract.compilation_unit fmt a)
	      !Java_options.abstract;
	    exit 0
	| _ ->
	    eprintf "cannot take %d files with option -abstract@." (List.length astl);
	    Java_options.usage ()
    end;

  (************)
  (* Analyses *)
  (************)

  Hashtbl.iter
    (fun _ (f,t) -> Java_callgraph.compute_logic_calls f t)
    Java_typing.logic_defs_table;

  Hashtbl.iter
    (fun _ mt ->
       Option_misc.iter
	 (Java_callgraph.compute_calls
	    mt.Java_typing.mt_method_info
	    mt.Java_typing.mt_requires)
	 mt.Java_typing.mt_body)
    Java_typing.methods_table;

  Hashtbl.iter
    (fun _ ct ->
       Java_callgraph.compute_constr_calls
	 ct.Java_typing.ct_constr_info
	 ct.Java_typing.ct_requires
	 ct.Java_typing.ct_body)
    Java_typing.constructors_table;

  let _logic_components =
    Java_callgraph.compute_logic_components
      Java_typing.logic_defs_table
  in
  let components =
    Java_callgraph.compute_components
      Java_typing.methods_table
      Java_typing.constructors_table
  in
  Hashtbl.iter
    (fun _ ty ->
       Java_analysis.do_type ty)
    Java_typing.type_table;
  (* analyze in any order *)
  (*
    Hashtbl.iter
    (fun mi mti ->
    Java_analysis.do_method
    mti.Java_typing.mt_method_info
    mti.Java_typing.mt_requires
    mti.Java_typing.mt_ensures
    mti.Java_typing.mt_behaviors
    mti.Java_typing.mt_body)
    Java_typing.methods_table;
    Hashtbl.iter
    (fun ci cti ->
    Java_analysis.do_constructor
    cti.Java_typing.ct_constr_info
    cti.Java_typing.ct_requires
    cti.Java_typing.ct_ensures
    cti.Java_typing.ct_behaviors
    cti.Java_typing.ct_body)
    Java_typing.constructors_table;
  *)

  (* analyze following call graph order
     TODO: precise the meaning of call graph with dynamic calls *)
  Array.iter
    (List.iter
       (fun mi ->
	  match mi with
	    | MethodInfo mi ->
		let mti = Hashtbl.find Java_typing.methods_table
		  mi.method_info_tag
		in
		Java_analysis.do_method
		  mti.Java_typing.mt_method_info
		  mti.Java_typing.mt_requires
		  mti.Java_typing.mt_behaviors
		  mti.Java_typing.mt_body
	    | ConstructorInfo ci ->
		let cti = Hashtbl.find Java_typing.constructors_table
		  ci.constr_info_tag
		in
		Java_analysis.do_constructor
		  cti.Java_typing.ct_constr_info
		  cti.Java_typing.ct_requires
		  cti.Java_typing.ct_behaviors
		  cti.Java_typing.ct_body))
    components;

  (*******************************)
  (* production of jessie output *)
  (*******************************)

  Java_options.lprintf "production phase 1.1 : generation of Jessie logic types@.";
  let decls =
(*
    Hashtbl.fold
      (fun _ id acc ->
	 Java_options.lprintf "generating logic type `%s'@." id;
 	 Java_interp.tr_logic_type id acc)
      Java_typing.logic_types_table
*)
      []
  in

  Java_options.lprintf "production phase 1.2 : generation of Jessie range_types@.";
  let decls = Java_interp.range_types decls in

  let non_null_preds, acc, decls_arrays = Java_interp.array_types [] in

  let decls_constants =
    Hashtbl.fold
      (fun _ id acc -> Java_interp.tr_final_static_fields id acc)
      Java_typing.type_table
      [] in

  Java_options.lprintf "production phase 1.3 : generation of Jessie struct types@.";
  let non_null_preds = Java_interp.tr_non_null_logic_fun () :: non_null_preds in
  let decls_java_types, decls_structs =
    Hashtbl.fold
      (fun _ id (acc0, acc) ->
	 Java_interp.tr_class_or_interface id acc0 acc)
      Java_typing.type_table
      ([], decls_arrays)
  in
  let decl_any_string = Java_interp.decl_any_string in
  let decls = decls_structs @ acc @ decls_java_types @ decl_any_string @ decls_constants @ non_null_preds @ decls in


  Java_options.lprintf "production phase 1.4 : generation of Jessie logic functions@.";
  (* fix: Hashtbl.fold order is not specified... *)
  let tmp =
    Hashtbl.fold
      (fun k x acc -> (k,x)::acc)
      Java_typing.logic_defs_table []
  in
  let tmp = List.sort (fun (k1,_) (k2,_) -> Pervasives.compare k1 k2) tmp in
  let decls =
    List.fold_left
      (fun acc (_,(li,p)) ->
	 Java_options.lprintf "generating logic function `%s'@."
	   li.java_logic_info_name;
	 Java_interp.tr_logic_fun li (p :> Java_typing.logic_decl_body) acc)
      decls
      tmp
  in
  let decls =
    Hashtbl.fold Java_interp.tr_axiomatic Java_typing.axiomatics_table
      decls
  in
  (* production phase 1.5 : generation of Jessie lemmas *)
  let lemmas =
    Hashtbl.fold
      (fun id (loc,lab,p) acc -> (id,Loc.extract loc,lab,p)::acc)
      Java_typing.lemmas_table
      []
  in
  let compare_locs (id1,(_,l1,_,_),_,_) (id2,(_,l2,_,_),_,_) =
    let c = Pervasives.compare l1 l2 in
    if c = 0 then Pervasives.compare id1 id2 else c
  in
  let lemmas = List.sort compare_locs lemmas in
  let decls =
    List.fold_left
      (fun acc (id,loc,lab,p) ->
	 Java_options.lprintf "generating lemma `%s'@."  id;
	 Java_interp.tr_axiom id false loc lab p acc)
      decls
      lemmas
  in

  (* any_string function *)
  (*  let decls = Java_interp.any_string_decl :: decls in *)
  (* class invariants *)
  let decls =
    Hashtbl.fold
      (fun _ (ci, id, invs) acc ->
	 Java_interp.tr_invariants ci id invs acc)
      Java_typing.invariants_table decls
  in

  (* production phase 1.5: generation of Jessie global invariants *)
  let decls =
    Hashtbl.fold
      (fun _ invs acc ->
	 (List.map (Java_interp.tr_static_invariant) invs) @ acc)
      Java_typing.static_invariants_table
      decls
  in

  (* production phase 1.6 : generation of Jessie exceptions *)
  let decls =
    Hashtbl.fold
      (fun _ ei acc ->
	 Java_interp.tr_exception ei acc)
      Java_interp.exceptions_table
      decls
  in


  (* production phase 4 : generation of Jessie functions *)
  let decls =
    Array.fold_left
      (fun acc l ->
         let methods,constrs =
	   List.fold_left
	     (fun (m,c) f ->
	        match f with
		  | MethodInfo mi ->
		      let mt = Hashtbl.find Java_typing.methods_table
		        mi.method_info_tag
		      in
		      printf "Generating JC function %s for method %a.%s@."
		        mi.method_info_trans_name
		        Java_typing.print_type_name
		        mi.method_info_class_or_interface
		        mi.method_info_name;
		      (Java_interp.tr_method_spec mi
		        mt.Java_typing.mt_requires
		        mt.Java_typing.mt_decreases
		        mt.Java_typing.mt_behaviors
		        mt.Java_typing.mt_body m, c)
		  | ConstructorInfo ci ->
		      let ct = Hashtbl.find Java_typing.constructors_table
		        ci.constr_info_tag
		      in
		      printf "Generating JC function %s for constructor %s@."
		        ci.constr_info_trans_name
		        ci.constr_info_class.class_info_name;
		      (m,Java_interp.tr_constr_spec ci
		         ct.Java_typing.ct_requires
		         ct.Java_typing.ct_behaviors
                         ct.Java_typing.ct_body c))
             ([],[])
             l
         in
         let acc =
           List.fold_left
             (fun acc m ->
                Java_interp.tr_method_body m acc)
	     acc
             methods
         in
         List.fold_left
           (fun acc c ->
              Java_interp.tr_constr_body c acc)
	   acc
           constrs)
      decls
      components
  in

  (* production phase 5 : produce Jessie file *)
  let decls =
    (mkinvariant_policy_def ~value:!Java_options.inv_sem ())
    :: (mktermination_policy_def ~value:!Java_options.termination_policy ())
    :: (mkseparation_policy_def ~value:!Java_options.separation_policy ())
    :: (mkannotation_policy_def ~value:!Java_options.annotation_sem ())
    :: (mkabstract_domain_def ~value:!Java_options.ai_domain ())
    :: List.rev decls
  in
  let f = List.hd files in
  let f = Filename.chop_extension f in
  let cout = Pp.print_in_file_no_close
    (fun fmt -> fprintf fmt "%a@." Jc_poutput.pdecls decls)
    (f ^ ".jc")
  in
  output_string cout "/*\n";
  output_string cout "Local Variables:\n";
  output_string cout "mode: java\n";
  output_string cout "compile-command: \"jessie -why-opt -split-user-conj -locs ";
  output_string cout f;
  output_string cout ".jloc ";
  output_string cout f;
  output_string cout ".jc && make -f ";
  output_string cout f;
  output_string cout ".makefile gui\"\n";
  output_string cout "End:\n";
  output_string cout "*/\n";
  close_out cout;

  (* production phase 5.2 : produce locs file *)
  Pp.print_in_file Output.old_print_pos (f ^ ".jloc");

  printf "Done.@.";
  if not !Java_options.gen_only then
    begin
      printf "Calling Jessie...@.";
      let ret = Sys.command ("jessie -why3ml -locs " ^ f ^ ".jloc " ^ f ^ ".jc") in
      if ret <> 0 then
        printf "Jessie failed, abort.@."
      else
        begin
          let d = Filename.dirname f in
          let b = Filename.basename f in
          printf "Calling Why3...@.";
          let _ret = Sys.command ("make -C " ^ d ^" -f " ^ b ^ ".makefile why3ide") in
          ()
        end
    end


(*   with *)
(*     | Java_typing.Typing_error(l,s) -> *)
(* 	eprintf "%a: typing error: %s@." Loc.gen_report_position l s; *)
(* 	exit 1 *)
(*     | Java_options.Java_error(l,s) -> *)
(* 	eprintf "%a: %s@." Loc.gen_report_position l s; *)
(* 	exit 1 *)


let _ =
  Sys.catch_break true;
  Java_typing.catch_typing_errors main ()


(*
  Local Variables:
  compile-command: "LC_ALL=C make -j -C .. bin/krakatoa.byte"
  End:
*)
why-2.34/java/java_syntax.ml0000644000175000017500000001744212311670312014427 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Java_ast
open Format
open Lexing

let parse_annot loc s f =
  let lb = Lexing.from_string s in
    (*
      eprintf "lb.pos_fname = %s@." lb.lex_curr_p.pos_fname;
      eprintf "lb.pos_lnum = %d@." lb.lex_curr_p.pos_lnum;
      eprintf "lb.pos_bol = %d@." lb.lex_curr_p.pos_bol;
      eprintf "lb.pos_cnum = %d@." lb.lex_curr_p.pos_cnum;
    *)
    lb.lex_curr_p <- {loc with pos_bol = loc.pos_bol - loc.pos_cnum - 3};
    (*
      eprintf "lb.pos_fname = %s@." lb.lex_curr_p.pos_fname;
      eprintf "lb.pos_lnum = %d@." lb.lex_curr_p.pos_lnum;
      eprintf "lb.pos_bol = %d@." lb.lex_curr_p.pos_bol;
      eprintf "lb.pos_cnum = %d@." lb.lex_curr_p.pos_cnum;
    *)
    try
      f Java_lexer.next_token lb
    with 
      | Parsing.Parse_error ->
	  Java_options.parsing_error (Java_lexer.loc lb) "parse error in annotation"
      | Java_options.Java_error (_,msg) ->
	  Java_options.parsing_error (Java_lexer.loc lb) "%s" msg
	    
let rec statement s =
  { s with java_pstatement_node = match s.java_pstatement_node with
      | JPSannot (loc, s) -> parse_annot loc s Java_parser.kml_statement_annot
      | JPSstatement_spec _
      | JPSghost_local_decls _ | JPSghost_statement _ | JPSloop_annot _ 
      | JPSassert _ -> assert false
      | JPSsynchronized (e, s') -> JPSsynchronized(e, statements s')	
      | JPSblock b -> JPSblock(statements b)
      | JPSswitch(e, l) -> 
	  JPSswitch(e, List.map (fun (labs,b) -> (labs,statements b)) l)
      | JPStry (s, l, f) -> 
	  let l = List.map (fun (p,s) -> (p,statements s)) l in
	    JPStry(statements s,l,Option_misc.map (statements) f)
      | JPSfor_decl (d, e, sl, s) -> JPSfor_decl(d, e, sl, statement s)
      | JPSfor (el1, e, el2, s) -> JPSfor (el1, e, el2, statement s)
      | JPSdo (s', e) -> JPSdo (statement s',e)
      | JPSwhile (e, s') -> JPSwhile(e, statement s')
      | JPSif (e, s1, s2) -> JPSif(e, statement s1, statement s2)
      | JPSlabel (l, s') -> JPSlabel(l,statement s')
      | JPScontinue _
      | JPSbreak _
      | JPSreturn _
      | JPSthrow _
      | JPSvar_decl _
      | JPSexpr _
      | JPSskip -> s.java_pstatement_node }
    
and statements b = List.map statement b

let modifier m =
  match m with
    | Annot_modifier (loc, s) -> parse_annot loc s Java_parser.kml_modifier
    | _ -> m

let variable_declaration vd =
  { vd with variable_modifiers = List.map modifier vd.variable_modifiers }

let rec parameter p =
  match p with
    | Simple_parameter (mo, ty, id) -> 
	Simple_parameter (Option_misc.map modifier mo, ty, id)
    | Array_parameter p ->
	Array_parameter (parameter p)

let rec method_declarator md =
  match md with
    | Simple_method_declarator (id, pl) ->
	Simple_method_declarator (id, List.map parameter pl)
    | Array_method_declarator md -> 
	Array_method_declarator (method_declarator md)

let method_declaration md =
  { md with
      method_modifiers = List.map modifier md.method_modifiers;
      method_declarator = method_declarator md.method_declarator; } 
    
let rec field_decl f = 
  match f with
    | JPFmethod (md, None) -> JPFmethod (method_declaration md, None)
    | JPFmethod (md, Some b) -> JPFmethod (method_declaration md, Some (statements b))
    | JPFconstructor(c,eci,b) -> JPFconstructor(c,eci,statements b)
    | JPFvariable vd -> JPFvariable (variable_declaration vd) 
    | JPFstatic_initializer b -> JPFstatic_initializer (statements b)
    | JPFannot (loc,s) -> parse_annot loc s Java_parser.kml_field_decl
    | JPFinvariant _ | JPFstatic_invariant _ 
    | JPFmethod_spec _ -> assert false
    | JPFclass c -> JPFclass (class_decl c)
    | JPFinterface i -> JPFinterface (interface_decl i)
  
and class_decl c = 
  { c with class_fields = List.map field_decl c.class_fields }

and interface_decl i = 
  { i with interface_members = List.map field_decl i.interface_members }

let type_decl d =
  match d with
    | JPTclass c -> JPTclass (class_decl c)
    | JPTinterface i -> JPTinterface (interface_decl i)
    | JPTannot (loc, s) -> parse_annot loc s Java_parser.kml_global_def_eof
    | JPTlemma _ 
    | JPTlogic_type_decl _
    | JPTlogic_reads _ 
    | JPTlogic_def _  -> assert false
    | JPTinductive _ -> assert false
    | JPTaxiomatic _ -> assert false
    | JPTimport _ -> assert false
    
let compilation_unit cu =
  { cu with cu_type_decls = List.map type_decl cu.cu_type_decls }

let spec_file f =
  try
    let c = open_in f in
    (* we parse the file as a spec file *)
    let d = Java_lexer.parse_spec f c in
    close_in c;
    printf "Parsing of spec file %s was OK.@." f;
    match d with
    | JPTtheory(PolyTheoryId(qid,_params),body) ->
         printf "It contains theory '%s'@."
           (Java_pervasives.qualified_ident2string
             qid ".");
         body
  with
    | Java_lexer.Lexical_error(l,s) ->
	eprintf "%a: lexical error: %s@." Loc.gen_report_position l s;
	exit 1


let file f = 
  try
    let c = open_in f in
    if Filename.check_suffix f ".spec" then
      (* we parse the file as a spec file *)
      let d = Java_lexer.parse_spec f c in
      close_in c;
      printf "Parsing of spec file %s was OK.@." f;
      match d with
	| JPTtheory(PolyTheoryId(qid,_params),_) ->
	    printf "It contains theory '%s'@."
              (Java_pervasives.qualified_ident2string qid ".");
 	    exit 0
    else
      (* we parse the file as an annotated java file *)
      let d = Java_lexer.parse f c in
      close_in c; 
      compilation_unit d
    with
      | Java_lexer.Lexical_error(l,s) ->
	  eprintf "%a: lexical error: %s@." Loc.gen_report_position l s;
	exit 1

(*
Local Variables: 
compile-command: "make -C .. bin/krakatoa.byte"
End: 
*)
why-2.34/java/java_parser.mly0000644000175000017500000007356512311670312014576 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/



/*

Parser for Java source files

*/


%{

  open Loc
  open Java_env
  open Java_ast

  let loc () = (symbol_start_pos (), symbol_end_pos ())
  let loc_i i = (rhs_start_pos i, rhs_end_pos i)

  let locate_expr e =
    { java_pexpr_node = e ; java_pexpr_loc = loc () }

  let locate_lit e = locate_expr (JPElit e)

  let locate_statement s =
    { java_pstatement_node = s ; java_pstatement_loc = loc () }

  let rec build_array_type t n =
    if n=0 then t else Array_type_expr(build_array_type t (pred n))

(*
  let rec build_array_creation_expr t (l,n) =
    match l with
      | [] ->
	  Implicit_array_creation(build_array_type t n)
      | a::b ->
	  Explicit_array_creation(a,(build_array_creation_expr t (b,n)))
*)

  let default_behavior_name = "default"

  let default_behavior assigns allocates ensures behs =
    match assigns,allocates,ensures with
      | None, None, None -> behs
      | a, al, None ->
	  ((Loc.dummy_position,default_behavior_name),
	   { java_pbehavior_assumes = None;
	     java_pbehavior_assigns = a;
	     java_pbehavior_allocates = al;
	     java_pbehavior_throws = None;
	     java_pbehavior_ensures = Java_pervasives.expr_true }) :: behs
      | a, al, Some e ->
	  ((Loc.dummy_position,default_behavior_name),
	   { java_pbehavior_assumes = None;
	     java_pbehavior_assigns = a;
	     java_pbehavior_allocates = al;
	     java_pbehavior_throws = None;
	     java_pbehavior_ensures = e }) :: behs

(*
  let label (loc,s) = match s with
    | "Pre" -> LabelPre
    | "Here" -> LabelHere
    | "Old" -> LabelOld
    | _ -> LabelName s
*)

  let float_of_suf = function
    | None -> `Real
    | Some('f' | 'F') -> `Single
    | Some('d' | 'D') -> `Double
    | _ -> assert false
%}

/*s Start symbols */

%start compilation_unit
%type   compilation_unit

%start kml_global_def_eof
%type   kml_global_def_eof

%start kml_field_decl
%type   kml_field_decl

%start kml_statement_annot
%type   kml_statement_annot

%start kml_modifier
%type   kml_modifier

%start kml_spec_eof
%type  kml_spec_eof

%type  name

/*s Tokens */

/* Literals */

%token  ID
%token  INTCONSTANT
%token  REALCONSTANT
%token  STRING
%token  CHARACTER
%token TRUE FALSE NULL THIS

/* Keywords */

%token NEW SUPER
%token ABSTRACT BOOLEAN BYTE CASE CATCH
%token CHAR CLASS CONST DEFAULT DOUBLE ELSE EXTENDS
%token FALSE FINAL FINALLY FLOAT GHOST GOTO
/* ??? %token FUTURE BYVALUE GENERIC INNER OPERATOR OUTER REST VAR */
%token IMPLEMENTS IMPORT INSTANCEOF INT INTEGER INTERFACE LONG
%token MODEL NATIVE PACKAGE PRIVATE PROTECTED
%token PUBLIC REAL SHORT STATIC STRICTFP
%token THROWS TRANSIENT TRUE VOID VOLATILE
%token WHILE DO FOR IF SWITCH BREAK CONTINUE RETURN TRY SYNCHRONIZED THROW

%token REQUIRES DECREASES ENSURES SIGNALS ASSUMES ASSIGNS ALLOCATES
%token BEHAVIOR ASSERT
%token INVARIANT LOOP_INVARIANT LOOP_VARIANT
%token AXIOM LEMMA LOGIC TYPE PREDICATE INDUCTIVE AXIOMATIC READS
%token THEORY
%token BSFORALL BSEXISTS BSOLD BSAT BSRESULT BSNOTHING
%token BSFRESH
%token NON_NULL NULLABLE

/* Others symbols */

%token LEFTPAR
%token RIGHTPAR LEFTBRACE RIGHTBRACE LEFTBRACKET RIGHTBRACKET
%token SEMICOLON COLON COMMA QUESTIONMARK DOT DOTDOT
%token  DOC_COMMENT
%token  ANNOT
%token EOF

/* Operators (see precedences below for details) */

%token  ASSIGNOP
%token EQ EQEQGT LTEQEQGT
%token VERTICALBARVERTICALBAR
%token AMPERSANDAMPERSAND
%token VERTICALBAR
%token CARET
%token AMPERSAND
%token  EQOP
%token GT LT LE GE
%token  SHIFT
%token PLUS MINUS
%token STAR SLASH PERCENT
%token PLUSPLUS MINUSMINUS TILDA BANG


/*s Operator precedences */

%nonassoc THEN
%nonassoc ELSE
%nonassoc BSFORALL
%right LTEQEQGT
%right EQEQGT
%right EQ ASSIGNOP
  /*r ["="], ["*="],  ["/="], ["%="], ["+="], ["-="], ["<<="], [">>="],
  [">>>="], ["&="], ["^="] and ["|="], and ["==>"] ["<==>"] */
%right IFEXPR QUESTIONMARK     /*r [" ? : "] */
%left VERTICALBARVERTICALBAR  /*r conditional OR ["||"] */
%left AMPERSANDAMPERSAND  /*r conditional AND ["&&"] */
%left VERTICALBAR         /*r bitwise or boolean OR ["|"] */
%left CARET               /*r bitwise or boolean XOR ["^"] */
%left AMPERSAND           /*r bitwise or boolean AND ["&"] */
%left EQOP                /*r ["=="] and ["!="] */
%left GT LT LE GE INSTANCEOF  /*r ["<"], ["<="], [">"], [">="] and ["instanceof"] */
%left SHIFT                 /*r ["<<"], [">>"] and [">>>"] */
%left PLUS MINUS             /*r ["+"] and ["-"] */
%left STAR SLASH PERCENT     /*r ["*"], ["/"] and ["%"] */
%right UMINUS UPLUS PLUSPLUS MINUSMINUS TILDA BANG CAST
           /*r unary ["+"], ["-"], ["++"], ["--"], ["~"], ["!"] and cast */


%%

/*s Compilation units */

compilation_unit:
| package_declaration import_declarations type_declarations EOF
    { { cu_package = $1 ;
	cu_imports = $2 ;
	cu_type_decls = $3} }
;

package_declaration:
| /* $\varepsilon$ */
    { [] }
| PACKAGE name SEMICOLON
    { $2 }
;

import_declarations:
| /* $\varepsilon$ */
    { [] }
| IMPORT import_declaration SEMICOLON import_declarations
    { $2::$4 }
;


import_declaration:
| name DOT STAR
    { Import_package($1) }
| name
    { Import_class_or_interface($1) }
;

/*s type declarations */

type_declarations:
| /* $\varepsilon$ */
    { [] }
| type_declaration type_declarations
    { $1::$2 }
|  SEMICOLON type_declarations
    { $2 }
;

type_declaration:
| class_declaration
    { JPTclass($1) }
| interface_declaration
    { JPTinterface($1) }
| ANNOT
    { let (loc,s) = $1 in JPTannot(loc,s) }
;

/*s Class declarations */

class_declaration:
| modifiers_class ident extends_decl implements_decl class_body
    { { class_modifiers = $1;
	class_name = $2;
	class_extends = $3;
	class_implements = $4;
	class_fields = $5 }}
;

class_body:
  LEFTBRACE field_declarations RIGHTBRACE
    { $2 }

extends_decl:
| /* $\varepsilon$ */
    { None }
| EXTENDS name
    { Some $2 }
;

implements_decl:
| /* $\varepsilon$ */
    { [] }
| IMPLEMENTS name_comma_list
    { $2 }
;

field_declarations:
| /* $\varepsilon$ */
    { [] }
| field_declaration field_declarations
    { $1::$2 }
;

field_declaration:
| method_declaration
    { $1 }
| constructor_declaration
    { $1 }
| variable_declaration
    { JPFvariable($1) }
| static_initializer
    { JPFstatic_initializer($1) }
| ANNOT
    { let(loc,s)=$1 in JPFannot(loc,s) }
/* Java 1.4 */
| class_declaration
    { JPFclass $1 }
| interface_declaration
    { JPFinterface $1 }
;

/*s variable declarations */

variable_declaration:
| modifiers_type_expr variable_declarators SEMICOLON
    { let a, b = $1 in
	match b with
	  | Some b ->
	      { variable_modifiers = a ;
		variable_type = b ;
		variable_decls = $2 }
	  | None -> raise Parse_error }
| modifiers_type_expr ANNOT variable_declarators SEMICOLON
    { let a, b = $1 in
	match b with
	  | Some b ->
	      let loc, s = $2 in
	      { variable_modifiers = Annot_modifier (loc, s) :: a ;
		variable_type = b ;
		variable_decls = $3 }
	  | None -> raise Parse_error }
;

variable_declarators:
| variable_declarator
    { [$1] }
| variable_declarator COMMA variable_declarators
    { $1::$3 }
;

variable_declarator:
| variable_declarator_id
    { { variable_id = $1 ;
	variable_initializer = None } }
| variable_declarator_id EQ variable_initializer
    { { variable_id = $1 ;
	variable_initializer = Some $3 } }
;

variable_declarator_id:
| ident
    { let (loc,id)=$1 in Simple_id(loc,id) }
| variable_declarator_id LEFTBRACKET RIGHTBRACKET
    { Array_id($1) }

variable_initializer:
| expr
    { Simple_initializer($1) }
| array_initializer
    { Array_initializer($1) }
;

array_initializer:
| LEFTBRACE variable_initializers RIGHTBRACE
    { $2 }
;

variable_initializers:
| /* $\varepsilon$ */
    { [] }
| variable_initializer
    { [$1] }
| variable_initializer COMMA variable_initializers
    { $1::$3 }
;


/*s static initializers */

static_initializer:
| STATIC block
    { $2 }
;


/*s method declarations */

method_declaration:
| method_header method_body
    { JPFmethod($1,$2) }
;

method_header:
| modifiers_type_expr method_declarator throws_decl
    { let (a, b) = $1 in
      {
	method_modifiers = a ;
	method_return_type = b ;
	method_declarator = $2 ;
	method_throws = $3
      }
    }
| modifiers_type_expr ANNOT method_declarator throws_decl
    { let (a, b) = $1 in
      let loc, s = $2 in
	{
	  method_modifiers = Annot_modifier (loc, s) :: a ;
	  method_return_type = b ;
	  method_declarator = $3 ;
	  method_throws = $4
	}
    }
;

method_declarator:
| ident method_parameters
    { Simple_method_declarator($1,$2) }
| method_declarator LEFTBRACKET RIGHTBRACKET
    { Array_method_declarator($1) }
;


method_parameters:
| LEFTPAR RIGHTPAR
    { [] }
| LEFTPAR parameter_comma_list RIGHTPAR
    { $2 }
;

parameter_comma_list:
| parameter
    { [$1] }
| parameter COMMA parameter_comma_list
    { $1::$3 }
;

parameter:
/* final modifier allowed since 1.4 (JLS 3.0) */
| final_opt type_expr ident
    { Simple_parameter (None, $2, $3) }
| final_opt type_expr ANNOT ident
    { let loc, s = $3 in
      Simple_parameter (Some (Annot_modifier (loc, s)), $2, $4) }
| parameter LEFTBRACKET RIGHTBRACKET
    { Array_parameter($1) }
;

final_opt:
| /* \epsilon */ { false}
| FINAL { true }
;


throws_decl:
| /* $\varepsilon$ */
    { [] }
| THROWS name_comma_list
    { $2 }
;

method_body:
| block
    { Some($1) }
| SEMICOLON
    { None }
;

/*s constructor declarations */

constructor_declaration:
| modifiers_type_expr method_parameters throws_decl constructor_body
    { let (a,b)=$1 in
      match b with
	| Some (Type_name [id]) ->
	    let c =
	      {
	      constr_modifiers = a ;
	      constr_name = id ;
	      constr_parameters = $2 ;
	      constr_throws = $3 }
	    in
	    let eci,b = $4 in
	    JPFconstructor(c,eci,b)
	| _ -> raise Parse_error}
;

constructor_body:
| LEFTBRACE explicit_constructor_invocation statements RIGHTBRACE
    { ($2,$3) }
| LEFTBRACE statements RIGHTBRACE
    { (Invoke_none,$2) }
| SEMICOLON
    { (Invoke_none,[]) }
;

explicit_constructor_invocation:
| THIS LEFTPAR argument_list RIGHTPAR SEMICOLON
    { Invoke_this($3) }
| SUPER LEFTPAR argument_list RIGHTPAR SEMICOLON
    { Invoke_super($3) }
;

argument_list:
| /* $\varepsilon$ */
    { [] }
| expr_comma_list
    { $1 }
;

/*s interface declarations */

interface_declaration:
| modifiers_interface ident extends_interfaces_decl
    LEFTBRACE interface_member_declarations RIGHTBRACE
    { { interface_modifiers = $1;
	interface_name = $2;
	interface_extends = $3;
	interface_members = $5 }}
;

extends_interfaces_decl:
| /* $\varepsilon$ */
    { [] }
| EXTENDS name_comma_list
    { $2 }
;

interface_member_declarations:
| /* $\varepsilon$ */
    { [] }
| interface_member_declaration interface_member_declarations
    { $1::$2 }
;

interface_member_declaration:
| variable_declaration
    { JPFvariable($1) }
| method_header SEMICOLON
    { JPFmethod($1,None) }
| ANNOT
    { let (loc,s)=$1 in JPFannot(loc,s) }
/* Java 1.4 */
| interface_declaration
    { JPFinterface $1 }
;




/*s type expressions */

base_type:
| SHORT
    { Tshort }
| BOOLEAN
    { Tboolean }
| BYTE
    { Tbyte }
| CHAR
    { Tchar }
| INT
    { Tint }
| FLOAT
    { Tfloat }
| LONG
    { Tlong }
| DOUBLE
    { Tdouble }
| INTEGER
    { Tinteger }
| REAL
    { Treal }
;

type_expr:
| name
    { Type_name($1) }
| base_type
    { Base_type($1) }
| array_type_expr
    { Array_type_expr($1) }
;

array_type_expr:
| base_type LEFTBRACKET RIGHTBRACKET
    { Base_type($1) }
| name LEFTBRACKET RIGHTBRACKET
    { Type_name($1) }
| array_type_expr LEFTBRACKET RIGHTBRACKET
    { Array_type_expr($1) }
;


/*s modifiers */

modifiers_class:
| CLASS
    { [] }
| modifier modifiers_class
    { $1::$2 }
;

modifiers_interface:
| INTERFACE
    { [] }
| modifier modifiers_interface
    { $1::$2 }
;


modifier:
| STATIC
    { Static }
| FINAL
    { Final }
| PUBLIC
    { Public }
| PRIVATE
    { Private }
| PROTECTED
    { Protected }
| NATIVE
    { Native }
| SYNCHRONIZED
    { Synchronized }
| ABSTRACT
    { Abstract }
/* "threadsafe" ? */
| TRANSIENT
    { Transient }
| VOLATILE
    { Volatile }
| STRICTFP
    { Strictfp }
;

modifiers_type_expr:
| type_expr
    { ([],Some $1) }
| VOID
    { ([],None) }
| modifier modifiers_type_expr
    { let (a,b)=$2 in ($1::a,b) }
;

/*s Statements */

block:
| LEFTBRACE statements RIGHTBRACE
    { $2 }

statements:
| statement statements
    { $1::$2 }
| /* $\varepsilon$ */
    { [] }
;

/*s Statements */

local_variable_declaration:
| modifiers_type_expr variable_declarators
    { let (a,b)=$1 in
      match b with
	| Some b ->
	    { variable_modifiers = a ;
	      variable_type = b ;
	      variable_decls = $2 }
	| None -> raise Parse_error }
;

statement:
| ANNOT
    { let (loc, s) = $1 in
	locate_statement (JPSannot (loc, s)) }
| WHILE LEFTPAR expr RIGHTPAR statement %prec WHILE
    { locate_statement (JPSwhile($3,$5)) }
| DO statement WHILE LEFTPAR expr RIGHTPAR
    { locate_statement (JPSdo($2,$5)) }
| FOR LEFTPAR argument_list SEMICOLON for_cond SEMICOLON
  argument_list RIGHTPAR statement
    { locate_statement (JPSfor($3,$5,$7,$9)) }
| FOR LEFTPAR local_variable_declaration SEMICOLON for_cond SEMICOLON
  argument_list RIGHTPAR statement
    { locate_statement (JPSfor_decl($3,$5,$7,$9)) }
| block
    { locate_statement (JPSblock $1) }
| expr SEMICOLON
    { locate_statement (JPSexpr($1)) }
| SEMICOLON
    { locate_statement JPSskip }
| local_variable_declaration SEMICOLON
    { locate_statement (JPSvar_decl($1)) }
| IF LEFTPAR expr RIGHTPAR statement %prec THEN
    { locate_statement (JPSif($3,$5,locate_statement JPSskip)) }
| IF LEFTPAR expr RIGHTPAR statement ELSE statement %prec ELSE
    { locate_statement (JPSif($3,$5,$7)) }
| SWITCH LEFTPAR expr RIGHTPAR LEFTBRACE switch_block RIGHTBRACE
    { locate_statement (JPSswitch($3,$6)) }
| ident COLON statement
    { locate_statement (JPSlabel($1,$3)) }
| BREAK SEMICOLON
    { locate_statement (JPSbreak None) }
| BREAK ident SEMICOLON
    { locate_statement (JPSbreak(Some $2)) }
| CONTINUE SEMICOLON
    { locate_statement (JPScontinue(None)) }
| CONTINUE ident SEMICOLON
    { locate_statement (JPScontinue(Some $2)) }
| RETURN SEMICOLON
    { locate_statement (JPSreturn None) }
| RETURN expr SEMICOLON
    { locate_statement (JPSreturn(Some $2)) }
| THROW expr SEMICOLON
    { locate_statement (JPSthrow($2)) }
| TRY block catch_clauses
    { locate_statement (JPStry($2,$3,None)) }
| TRY block catch_clauses FINALLY block
    { locate_statement (JPStry($2,$3,Some($5))) }
| TRY block FINALLY block
    { locate_statement (JPStry($2,[],Some($4))) }
| SYNCHRONIZED LEFTPAR expr RIGHTPAR block
    { locate_statement (JPSsynchronized($3,$5)) }

for_cond:
| expr
    { $1 }
| /* $\varepsilon$ */
    { locate_expr Java_pervasives.expr_node_true }
;

switch_block:
| /* $\varepsilon$ */
    { [] }
| switch_labels
    { [($1,[])] }
| switch_labels statement statements switch_block
    { ($1,$2::$3)::$4 }
;

switch_labels:
| switch_label
    { [$1] }
| switch_label switch_labels
    { $1::$2 }
;

switch_label:
| CASE expr COLON
    { Case($2) }
| DEFAULT COLON
    { Default }
;

catch_clauses:
| catch_clause
    { [$1] }
| catch_clause catch_clauses
    { $1::$2 }
;

catch_clause:
| CATCH LEFTPAR parameter RIGHTPAR block
    { ($3,$5) }
;

/*s Expressions */

field_access:
| SUPER DOT ident
    { Super_access $3 }
| primary_expr DOT ident
    { Primary_access($1,$3) }
;

primary_expr:
| primary_no_new_array
    { $1 }
| array_creation_expression
    { $1 }
;

primary_no_new_array:
| INTCONSTANT
    { locate_lit (Integer $1) }
| REALCONSTANT
    { let x,suf = $1 in locate_lit (Float(x,float_of_suf suf)) }
| TRUE
    { locate_lit (Bool true) }
| FALSE
    { locate_lit (Bool false) }
| STRING
    { locate_lit (String $1) }
| NULL
    { locate_lit Null }
| CHARACTER
    { locate_lit (Char $1) }
| THIS
    { locate_expr JPEthis }
| BSRESULT
    { locate_expr JPEresult }
| LEFTPAR expr_no_name RIGHTPAR
    { $2 }
| LEFTPAR name RIGHTPAR
    { locate_expr (JPEname $2) }
| field_access
    { locate_expr (JPEfield_access $1) }
| name label_binders LEFTPAR argument_list RIGHTPAR
    { locate_expr (JPEcall_name($1,$2,$4)) }
| SUPER DOT ident LEFTPAR argument_list RIGHTPAR
    { locate_expr (JPEsuper_call($3, $5)) }
| primary_expr DOT ident LEFTPAR argument_list RIGHTPAR
    { locate_expr (JPEcall_expr($1,$3,$5)) }
| NEW name LEFTPAR argument_list RIGHTPAR
    { locate_expr (JPEnew($2,$4)) }
/* new in java 1.4 (see JLS 3.0) */
| NEW name LEFTPAR argument_list RIGHTPAR class_body
    { (* TODO: incorporate class body *)
      locate_expr (JPEnew($2,$4)) }
| array_access
    { let (a,b)=$1 in locate_expr (JPEarray_access(a,b)) }
| array_range
    { let (a,b,c)=$1 in locate_expr (JPEarray_range(a,b,c)) }
| BSFRESH LEFTPAR expr RIGHTPAR
    { locate_expr (JPEfresh $3) }
| BSOLD LEFTPAR expr RIGHTPAR
    { locate_expr (JPEold $3) }
| BSAT LEFTPAR expr COMMA ident RIGHTPAR
    { locate_expr (JPEat($3,$5)) }
;

array_access:
| primary_no_new_array LEFTBRACKET expr RIGHTBRACKET
    { ($1,$3) }
| name LEFTBRACKET expr RIGHTBRACKET
    { (locate_expr (JPEname $1),$3) }
;

array_range:
| primary_no_new_array LEFTBRACKET expr_opt DOTDOT expr_opt RIGHTBRACKET
    { ($1,$3,$5) }
| name LEFTBRACKET expr_opt DOTDOT expr_opt RIGHTBRACKET
    { (locate_expr (JPEname $1),$3,$5) }
;

expr_opt:
| /* epsilon */
    { None }
| expr
    { Some $1 }
;

array_creation_expression:
| NEW base_type array_dims
    { let (a,b) = $3 in
      let t = build_array_type (Base_type($2)) b in
      locate_expr (JPEnew_array(t,a)) }
| NEW name array_dims
    { let (a,b) = $3 in
      let t = build_array_type (Type_name($2)) b in
      locate_expr (JPEnew_array(t,a)) }
/* array_initializer allowed in 1.4 (JLS 3.0) */
| NEW base_type implicit_dims array_initializer
    { let b = $3 in
      let t = build_array_type (Base_type($2)) b in
      locate_expr (JPEnew_array(t,[])) }
| NEW name implicit_dims array_initializer
    { let b = $3 in
      let t = build_array_type (Type_name($2)) b in
      locate_expr (JPEnew_array(t,[])) }
;

array_dims:
| LEFTBRACKET expr RIGHTBRACKET implicit_dims
    { ([$2],$4) }
| LEFTBRACKET expr RIGHTBRACKET array_dims
    { let (a,b) = $4 in ($2::a,b) }
;

implicit_dims:
| /* $\varepsilon$$ */
    { 0 }
| LEFTBRACKET RIGHTBRACKET implicit_dims
    { succ $3 }
;

castable_expr:
| primary_expr
    { $1 }
| name
    { locate_expr (JPEname $1) }
| non_basic_cast
    { $1 }

non_basic_cast:
| LEFTPAR array_type_expr RIGHTPAR castable_expr %prec CAST
    { locate_expr (JPEcast(Array_type_expr($2),$4)) }
| LEFTPAR name RIGHTPAR castable_expr %prec CAST
    { locate_expr (JPEcast(Type_name($2),$4)) }
;


expr:
| name
    { locate_expr (JPEname $1) }
| expr_no_name
    { $1 }
;

expr_no_name:
| primary_expr
    { $1 }
| name assign_op expr %prec ASSIGNOP
    { locate_expr (JPEassign_name($1,$2,$3)) }
| field_access assign_op expr %prec ASSIGNOP
    { locate_expr (JPEassign_field($1,$2,$3)) }
| array_access assign_op expr %prec ASSIGNOP
    { let (a,b)=$1 in
      locate_expr (JPEassign_array(a,b,$2,$3)) }
| PLUSPLUS expr
    { locate_expr (JPEincr(Preincr,$2)) }
| MINUSMINUS expr
    { locate_expr (JPEincr(Predecr,$2)) }
| expr PLUSPLUS
    { locate_expr (JPEincr(Postincr,$1)) }
| expr MINUSMINUS
    { locate_expr (JPEincr(Postdecr,$1)) }
| expr QUESTIONMARK expr COLON expr %prec IFEXPR
    { locate_expr (JPEif($1,$3,$5)) }
| expr VERTICALBARVERTICALBAR expr
    { locate_expr (JPEbin($1,Bor,$3)) }
| expr AMPERSANDAMPERSAND expr
    { locate_expr (JPEbin($1,Band,$3)) }
| expr VERTICALBAR expr
    { locate_expr (JPEbin($1,Bbwor,$3)) }
| expr CARET expr
    { locate_expr (JPEbin($1,Bbwxor,$3)) }
| expr AMPERSAND expr
    { locate_expr (JPEbin($1,Bbwand,$3)) }
| expr EQOP expr
    { locate_expr (JPEbin($1,$2,$3)) }
| expr comp expr %prec GT
    { locate_expr (JPEbin($1,$2,$3)) }
| expr SHIFT expr
    { locate_expr (JPEbin($1,$2,$3)) }
| expr PLUS expr
    { locate_expr (JPEbin($1,Badd,$3)) }
| expr MINUS expr
    { locate_expr (JPEbin($1,Bsub,$3)) }
| expr STAR expr
    { locate_expr (JPEbin($1,Bmul,$3)) }
| expr SLASH expr
    { locate_expr (JPEbin($1,Bdiv,$3)) }
| expr PERCENT expr
    { locate_expr (JPEbin($1,Bmod,$3)) }
| PLUS expr %prec UPLUS
    { locate_expr (JPEun(Uplus,$2)) }
| MINUS expr %prec UMINUS
    { locate_expr (JPEun(Uminus,$2)) }
| BANG expr
    { locate_expr (JPEun(Unot,$2)) }
| TILDA expr
    { locate_expr (JPEun(Ucompl,$2)) }
/*

  CAST expressions

  we distinguish cast types because of syntax ambiguities:
  is (id1)-id2  a cast of a unary minus, or a binary - ?

  solution:

  if id1 is a base type, it is a cast else it is a binary operation.
  it is enough because result of unary - cannot be casted to something
  else than a base type.

  moreover, we distinguish between cast to a type identifier
  "(name) expr" and a complex type expr, because of LALR constraint:
  (name) can be both an expr and a cast, so it is factorized.

*/
| LEFTPAR base_type RIGHTPAR expr %prec CAST
    { locate_expr (JPEcast(Base_type($2),$4)) }
| non_basic_cast
    { $1 }
/*
  instanceof operator
*/
| expr INSTANCEOF type_expr
    { locate_expr (JPEinstanceof($1,$3)) }
/* annotations only operators */
| BSFORALL quantified_variables_decl SEMICOLON expr %prec BSFORALL
    { locate_expr (JPEquantifier(Forall,$2,$4)) }
| BSEXISTS quantified_variables_decl SEMICOLON expr %prec BSFORALL
    { locate_expr (JPEquantifier(Exists,$2,$4)) }
| expr EQEQGT expr
    { locate_expr (JPEbin($1,Bimpl,$3)) }
| expr LTEQEQGT expr
    { locate_expr (JPEbin($1,Biff,$3)) }
;

quantified_variables_decl:
| type_expr quantified_variables
    { [($1,$2)] }
| type_expr quantified_variables COMMA quantified_variables_decl
    { ($1,$2)::$4 }
;

quantified_variables:
| quantified_variable
    { [$1] }
| quantified_variable quantified_variables
    { $1::$2 }
;

quantified_variable:
| ident
    { let (loc,id)=$1 in Simple_id(loc,id) }
| quantified_variable LEFTBRACKET RIGHTBRACKET
    { Array_id($1) }


expr_comma_list:
| expr
    { [$1] }
| expr COMMA expr_comma_list
    { $1::$3 }
;


comp:
| GT { Bgt }
| LT { Blt }
| LE { Ble }
| GE { Bge }
;

assign_op:
| EQ
    { Beq }
| ASSIGNOP
    { $1 }
;

/*s identifiers */


name:
| ident
    { [$1] }
| name DOT ident
    { $3::$1 }
| name DOT CLASS
    { (loc_i 3,"class")::$1 }
| name DOT THIS
    { (loc_i 3,"this")::$1 }
;

name_comma_list:
| name
    { [$1] }
| name COMMA name_comma_list
    { $1::$3 }
;

ident:
| ID
    { (loc(),$1) }
| MODEL
    { (loc(), "model") }
| TYPE
    { (loc(), "type") }
;

type_parameter_list:
| ident
   { [$1] }
| ident COMMA type_parameter_list
   { $1::$3 }
;


poly_theory_id:
| name
   { PolyTheoryId($1,[]) }
| name LT type_parameter_list GT
   { PolyTheoryId($1,$3) }
;



/****************************************************/
/*s parsing of annotations: KML */

kml_spec_eof:
| kml_theory EOF
     { $1 }
;

kml_theory:
| THEORY poly_theory_id LEFTBRACE kml_global_decls RIGHTBRACE
    { JPTtheory($2,$4) }
;

kml_global_def_eof:
| kml_global_def EOF
     { $1 }
;

kml_global_def:
| PREDICATE ident label_binders method_parameters EQ expr SEMICOLON
    { JPTlogic_def($2,None,$3,$4,$6) }
| INDUCTIVE ident label_binders method_parameters LEFTBRACE indcases RIGHTBRACE
    { JPTinductive($2,$3,$4,$6) }
| LOGIC type_expr ident label_binders method_parameters EQ expr SEMICOLON
    { JPTlogic_def($3,Some $2,$4, $5,$7) }
| AXIOMATIC ident LEFTBRACE kml_global_decls RIGHTBRACE
    { JPTaxiomatic($2,$4) }
| LEMMA ident label_binders COLON expr SEMICOLON
    { JPTlemma($2,false,$3,$5) }
| IMPORT poly_theory_id SEMICOLON
    { JPTimport($2) }
;

kml_global_decls:
| /* epsilon */
    { [] }
| kml_global_decl kml_global_decls
    { $1::$2 }
;

kml_global_decl:
| TYPE ident SEMICOLON
    { JPTlogic_type_decl $2 }
| PREDICATE ident label_binders method_parameters reads_clause SEMICOLON
    { JPTlogic_reads ($2, None, $3, $4, $5) }
| LOGIC type_expr ident label_binders method_parameters reads_clause SEMICOLON
    { JPTlogic_reads($3,Some $2,$4,$5,$6) }
| AXIOM ident label_binders COLON expr SEMICOLON
    { JPTlemma($2,true,$3,$5) }
| kml_global_def
    { $1 }
;

reads_clause:
| READS expr_comma_list
    { Some $2 }
| READS BSNOTHING
    { Some [] }
| /* epsilon */
    { None }
;

indcases:
| /* epsilon */
    { [] }
| CASE ident label_binders COLON expr SEMICOLON indcases
    { ($2,$3,$5)::$7 }
;

label_binders:
| /* epsilon */ { [] }
| LEFTBRACE ident label_list_end RIGHTBRACE { $2::$3 }
;

label_list_end:
| /* epsilon */ { [] }
| COMMA ident label_list_end { $2::$3 }
;


kml_field_decl:
| requires_opt decreases_opt assigns_opt allocates_opt ensures_opt behaviors EOF
    { JPFmethod_spec($1,$2,default_behavior $3 $4 $5 $6) }
| INVARIANT ident COLON expr SEMICOLON EOF
    { JPFinvariant($2,$4) }
| STATIC INVARIANT ident COLON expr SEMICOLON EOF
    { JPFstatic_invariant($3,$5) }
| MODEL variable_declaration
    { let vd = $2 in
      JPFvariable {vd with variable_modifiers = Model::vd.variable_modifiers} }
| GHOST variable_declaration
    { let vd = $2 in
      JPFvariable {vd with variable_modifiers = Ghost::vd.variable_modifiers} }
;

kml_modifier:
| NON_NULL
    { Non_null }
| NULLABLE
    { Nullable }
;

requires_opt:
| /* $\varepsilon$ */
    { None }
| REQUIRES expr SEMICOLON
    { Some $2 }
;

ensures_opt:
| /* $\varepsilon$ */
    { None }
| ENSURES expr SEMICOLON
    { Some $2 }
;

behaviors:
| /* $\varepsilon$ */
    { [] }
| BEHAVIOR ident COLON behavior behaviors
    { ($2,$4)::$5 }
;

behavior:
| assumes_opt assigns_opt allocates_opt ENSURES expr SEMICOLON
    { { java_pbehavior_assumes = $1;
	java_pbehavior_assigns = $2;
	java_pbehavior_allocates = $3;
	java_pbehavior_throws = None;
	java_pbehavior_ensures = $5 } }
| assumes_opt assigns_opt allocates_opt SIGNALS LEFTPAR name ident_option RIGHTPAR expr SEMICOLON
    { { java_pbehavior_assumes = $1;
	java_pbehavior_assigns = $2;
	java_pbehavior_allocates = $3;
	java_pbehavior_throws = Some($6,$7);
	java_pbehavior_ensures = $9 } }
| error
	{ raise (Java_options.Java_error (loc(),"`ensures' expected")) }
;

ident_option:
| /* $\varepsilon$ */
    { None }
| ident
    { Some $1 }
;

assumes_opt:
| /* $\varepsilon$ */
    { None }
| ASSUMES expr SEMICOLON
    { Some $2 }
;


assigns_opt:
| /* $\varepsilon$ */
    { None }
| ASSIGNS BSNOTHING SEMICOLON
    { Some (loc_i 2,[]) }
| ASSIGNS expr_comma_list SEMICOLON
    { Some (loc_i 2,$2) }
;

allocates_opt:
| /* $\varepsilon$ */
    { None }
| ALLOCATES BSNOTHING SEMICOLON
    { Some (loc_i 2,[]) }
| ALLOCATES expr_comma_list SEMICOLON
    { Some (loc_i 2,$2) }
;

decreases_opt:
| /* $\varepsilon$ */
    { None }
| DECREASES expr SEMICOLON
    { Some($2, None) }
| DECREASES expr FOR ident SEMICOLON
    { Some($2, Some $4) }
;

kml_statement_annot:
| LOOP_INVARIANT expr SEMICOLON beh_loop_inv loop_variant_opt EOF
    { JPSloop_annot($2,$4,$5) }
| beh_loop_inv loop_variant EOF
    { JPSloop_annot({java_pexpr_node = JPElit (Bool true) ;
		     java_pexpr_loc = loc_i 2 },$1,$2) }
| ASSERT expr SEMICOLON EOF
    { JPSassert(None,None,$2) }
| FOR ident COLON ASSERT expr SEMICOLON EOF
    { JPSassert(Some $2,None,$5) }
/* never used ?
| ASSERT ident COLON expr SEMICOLON EOF
    { JPSassert(None,Some $2,$4) }
*/
| GHOST local_variable_declaration SEMICOLON EOF
    { JPSghost_local_decls($2) }
| GHOST expr SEMICOLON EOF
    { JPSghost_statement($2) }
| requires_opt decreases_opt assigns_opt allocates_opt ensures_opt behaviors EOF
    { JPSstatement_spec($1,$2,default_behavior $3 $4 $5 $6) }
;

beh_loop_inv:
| /* $\varepsilon$ */
    { [] }
| FOR ident COLON LOOP_INVARIANT expr SEMICOLON beh_loop_inv
    { ($2,$5)::$7 }
;

loop_variant_opt:
| /* $\varepsilon$ */
    { None }
| loop_variant
    { $1 }
;

loop_variant:
| LOOP_VARIANT expr SEMICOLON
    { Some($2, None) }
| LOOP_VARIANT expr FOR ident SEMICOLON
    { Some($2, Some $4) }
;


/*
Local Variables:
compile-command: "make -j -C .. bin/krakatoa.byte"
End:
*/
why-2.34/.depend.coq0000644000175000017500000001363212311670312012643 0ustar  rtuserslib/coq/Caduceus.vo lib/coq/Caduceus.glob lib/coq/Caduceus.v.beautified: lib/coq/Caduceus.v lib/coq/caduceus_why.vo lib/coq/caduceus_tactics.vo lib/coq/caduceus_lists.vo
lib/coq/JessieGappa.vo lib/coq/JessieGappa.glob lib/coq/JessieGappa.v.beautified: lib/coq/JessieGappa.v lib/coq/WhyFloats.vo
lib/coq/Jessie_memory_model.vo lib/coq/Jessie_memory_model.glob lib/coq/Jessie_memory_model.v.beautified: lib/coq/Jessie_memory_model.v
lib/coq/Why.vo lib/coq/Why.glob lib/coq/Why.v.beautified: lib/coq/Why.v lib/coq/WhyCoqCompat.vo lib/coq/WhyTuples.vo lib/coq/WhyInt.vo lib/coq/WhyBool.vo lib/coq/WhyArrays.vo lib/coq/WhyPermut.vo lib/coq/WhySorted.vo lib/coq/WhyTactics.vo lib/coq/WhyExn.vo lib/coq/WhyLemmas.vo lib/coq/WhyPrelude.vo
lib/coq/WhyArrays.vo lib/coq/WhyArrays.glob lib/coq/WhyArrays.v.beautified: lib/coq/WhyArrays.v lib/coq/WhyInt.vo
lib/coq/WhyArraysFMap.vo lib/coq/WhyArraysFMap.glob lib/coq/WhyArraysFMap.v.beautified: lib/coq/WhyArraysFMap.v lib/coq/WhyInt.vo
lib/coq/WhyBool.vo lib/coq/WhyBool.glob lib/coq/WhyBool.v.beautified: lib/coq/WhyBool.v
lib/coq/WhyCM.vo lib/coq/WhyCM.glob lib/coq/WhyCM.v.beautified: lib/coq/WhyCM.v lib/coq/WhyArrays.vo
lib/coq/WhyCoq8.vo lib/coq/WhyCoq8.glob lib/coq/WhyCoq8.v.beautified: lib/coq/WhyCoq8.v
lib/coq/WhyCoqCompat.vo lib/coq/WhyCoqCompat.glob lib/coq/WhyCoqCompat.v.beautified: lib/coq/WhyCoqCompat.v
lib/coq/WhyCoqDev.vo lib/coq/WhyCoqDev.glob lib/coq/WhyCoqDev.v.beautified: lib/coq/WhyCoqDev.v
lib/coq/WhyExn.vo lib/coq/WhyExn.glob lib/coq/WhyExn.v.beautified: lib/coq/WhyExn.v
lib/coq/WhyFloats.vo lib/coq/WhyFloats.glob lib/coq/WhyFloats.v.beautified: lib/coq/WhyFloats.v
lib/coq/WhyFloatsStrict.vo lib/coq/WhyFloatsStrict.glob lib/coq/WhyFloatsStrict.v.beautified: lib/coq/WhyFloatsStrict.v lib/coq/WhyFloats.vo
lib/coq/WhyFloatsStrictLegacy.vo lib/coq/WhyFloatsStrictLegacy.glob lib/coq/WhyFloatsStrictLegacy.v.beautified: lib/coq/WhyFloatsStrictLegacy.v
lib/coq/WhyInt.vo lib/coq/WhyInt.glob lib/coq/WhyInt.v.beautified: lib/coq/WhyInt.v
lib/coq/WhyLemmas.vo lib/coq/WhyLemmas.glob lib/coq/WhyLemmas.v.beautified: lib/coq/WhyLemmas.v lib/coq/WhyInt.vo lib/coq/WhyTuples.vo
lib/coq/WhyNTMonad.vo lib/coq/WhyNTMonad.glob lib/coq/WhyNTMonad.v.beautified: lib/coq/WhyNTMonad.v
lib/coq/WhyPermut.vo lib/coq/WhyPermut.glob lib/coq/WhyPermut.v.beautified: lib/coq/WhyPermut.v lib/coq/WhyArrays.vo
lib/coq/WhyPrelude.vo lib/coq/WhyPrelude.glob lib/coq/WhyPrelude.v.beautified: lib/coq/WhyPrelude.v lib/coq/WhyCoqCompat.vo lib/coq/WhyTuples.vo lib/coq/WhyInt.vo lib/coq/WhyBool.vo lib/coq/WhyArrays.vo lib/coq/WhyPermut.vo lib/coq/WhySorted.vo lib/coq/WhyTactics.vo lib/coq/WhyExn.vo lib/coq/WhyLemmas.vo
lib/coq/WhyReal.vo lib/coq/WhyReal.glob lib/coq/WhyReal.v.beautified: lib/coq/WhyReal.v lib/coq/Why.vo
lib/coq/WhySorted.vo lib/coq/WhySorted.glob lib/coq/WhySorted.v.beautified: lib/coq/WhySorted.v lib/coq/WhyArrays.vo lib/coq/WhyPermut.vo
lib/coq/WhyTactics.vo lib/coq/WhyTactics.glob lib/coq/WhyTactics.v.beautified: lib/coq/WhyTactics.v lib/coq/WhyArrays.vo lib/coq/WhyPermut.vo
lib/coq/WhyTuples.vo lib/coq/WhyTuples.glob lib/coq/WhyTuples.v.beautified: lib/coq/WhyTuples.v
lib/coq/caduceus_lists.vo lib/coq/caduceus_lists.glob lib/coq/caduceus_lists.v.beautified: lib/coq/caduceus_lists.v lib/coq/Why.vo lib/coq/caduceus_why.vo
lib/coq/caduceus_tactics.vo lib/coq/caduceus_tactics.glob lib/coq/caduceus_tactics.v.beautified: lib/coq/caduceus_tactics.v lib/coq/caduceus_why.vo
lib/coq/caduceus_why.vo lib/coq/caduceus_why.glob lib/coq/caduceus_why.v.beautified: lib/coq/caduceus_why.v lib/coq/Why.vo
lib/coq/jessie_why.vo lib/coq/jessie_why.glob lib/coq/jessie_why.v.beautified: lib/coq/jessie_why.v lib/coq/Why.vo
lib/coq-v7/Why.vo lib/coq-v7/Why.glob lib/coq-v7/Why.v.beautified: lib/coq-v7/Why.v lib/coq-v7/WhyCoqCompat.vo lib/coq-v7/WhyTuples.vo lib/coq-v7/WhyInt.vo lib/coq-v7/WhyBool.vo lib/coq-v7/WhyArrays.vo lib/coq-v7/WhyPermut.vo lib/coq-v7/WhySorted.vo lib/coq-v7/WhyTactics.vo lib/coq-v7/WhyExn.vo lib/coq-v7/WhyLemmas.vo lib/coq-v7/WhyCM.vo
lib/coq-v7/WhyArrays.vo lib/coq-v7/WhyArrays.glob lib/coq-v7/WhyArrays.v.beautified: lib/coq-v7/WhyArrays.v lib/coq-v7/WhyInt.vo
lib/coq-v7/WhyBool.vo lib/coq-v7/WhyBool.glob lib/coq-v7/WhyBool.v.beautified: lib/coq-v7/WhyBool.v lib/coq-v7/WhyCoqCompat.vo
lib/coq-v7/WhyCM.vo lib/coq-v7/WhyCM.glob lib/coq-v7/WhyCM.v.beautified: lib/coq-v7/WhyCM.v lib/coq-v7/WhyArrays.vo
lib/coq-v7/WhyCoq73.vo lib/coq-v7/WhyCoq73.glob lib/coq-v7/WhyCoq73.v.beautified: lib/coq-v7/WhyCoq73.v
lib/coq-v7/WhyCoqCompat.vo lib/coq-v7/WhyCoqCompat.glob lib/coq-v7/WhyCoqCompat.v.beautified: lib/coq-v7/WhyCoqCompat.v
lib/coq-v7/WhyCoqDev.vo lib/coq-v7/WhyCoqDev.glob lib/coq-v7/WhyCoqDev.v.beautified: lib/coq-v7/WhyCoqDev.v
lib/coq-v7/WhyExn.vo lib/coq-v7/WhyExn.glob lib/coq-v7/WhyExn.v.beautified: lib/coq-v7/WhyExn.v
lib/coq-v7/WhyInt.vo lib/coq-v7/WhyInt.glob lib/coq-v7/WhyInt.v.beautified: lib/coq-v7/WhyInt.v
lib/coq-v7/WhyLemmas.vo lib/coq-v7/WhyLemmas.glob lib/coq-v7/WhyLemmas.v.beautified: lib/coq-v7/WhyLemmas.v lib/coq-v7/WhyInt.vo lib/coq-v7/WhyTuples.vo
lib/coq-v7/WhyPermut.vo lib/coq-v7/WhyPermut.glob lib/coq-v7/WhyPermut.v.beautified: lib/coq-v7/WhyPermut.v lib/coq-v7/WhyArrays.vo
lib/coq-v7/WhyReal.vo lib/coq-v7/WhyReal.glob lib/coq-v7/WhyReal.v.beautified: lib/coq-v7/WhyReal.v lib/coq-v7/Why.vo
lib/coq-v7/WhySorted.vo lib/coq-v7/WhySorted.glob lib/coq-v7/WhySorted.v.beautified: lib/coq-v7/WhySorted.v lib/coq-v7/WhyArrays.vo lib/coq-v7/WhyPermut.vo
lib/coq-v7/WhyTactics.vo lib/coq-v7/WhyTactics.glob lib/coq-v7/WhyTactics.v.beautified: lib/coq-v7/WhyTactics.v lib/coq-v7/WhyArrays.vo lib/coq-v7/WhyPermut.vo
lib/coq-v7/WhyTuples.vo lib/coq-v7/WhyTuples.glob lib/coq-v7/WhyTuples.v.beautified: lib/coq-v7/WhyTuples.v
lib/coq-v7/caduceus_tactics.vo lib/coq-v7/caduceus_tactics.glob lib/coq-v7/caduceus_tactics.v.beautified: lib/coq-v7/caduceus_tactics.v
lib/coq-v7/caduceus_why.vo lib/coq-v7/caduceus_why.glob lib/coq-v7/caduceus_why.v.beautified: lib/coq-v7/caduceus_why.v lib/coq-v7/Why.vo lib/coq-v7/WhyReal.vo
why-2.34/c/0000755000175000017500000000000012311670312011037 5ustar  rtuserswhy-2.34/c/cast_misc.ml0000644000175000017500000000461512311670312013344 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Ctypes
open Cast

let noattr n = { ctype_node = n; ctype_storage = No_storage;
		 ctype_const = false; ctype_volatile = false } 
why-2.34/c/invariant.mli0000644000175000017500000000522512311670312013541 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Creport
open Info
open Ctypes
open Clogic
open Cenv
open Cnorm

val add_predicates : 
  Cast.ndecl Cast.located list -> Cast.ndecl Cast.located list

val min_int : Ctypes.sign * int -> string
val max_int : Ctypes.sign * int -> string

val min_cinteger : Ctypes.sign * Ctypes.cinteger -> string
val max_cinteger : Ctypes.sign * Ctypes.cinteger -> string

val string_two_power_n : int -> string
why-2.34/c/cconst.mli0000644000175000017500000000470512311670312013041 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Evaluation of constant literals *)

exception Constant_too_large

exception Invalid of string

val int : Loc.position -> string -> Int64.t

module IntMap : Map.S with type key = int64

why-2.34/c/cseparation.ml0000644000175000017500000006377312311670312013721 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Creport
open Cast
open Info
open Clogic
open Cnorm
open Cenv



(* Automatic invariants expressing validity of local/global variables *)

open Clogic
open Ctypes

let tpred t = match t.nterm_node with
  | NTconstant (IntConstant c) -> 
      let c = string_of_int (int_of_string c - 1) in
      { t with nterm_node = NTconstant (IntConstant c) }
  | _ ->
      { t with nterm_node = NTbinop (t, Bsub, int_nconstant "1") }

let make_valid_range_from_0 t ts=
  if ts = Int64.one
  then
    npvalid t
  else
    npvalid_range (t, nzero, int_nconstant (Int64.to_string (Int64.pred ts)))


let fresh_index = 
  let r = ref (-1) in fun () -> incr r; "index_" ^ string_of_int !r


let indirection loc ty t =
  let info = make_field ty in
  let info = declare_arrow_var info in
  let zone = find_zone_for_term t in
  let () = type_why_new_zone zone info in
  { nterm_node =   NTarrow (t, zone, info);
    nterm_loc = loc; 	   
    nterm_type = ty;}
    
(*
  [make_forall_range loc t b f] builds the formula

   forall i, 0 <= i < b -> (f t i)

  unless b is 1, in which case it produces (f t 0)

*)
let make_forall_range loc t b f =
  if b = Int64.one
  then f t nzero
  else
    let i = default_var_info (fresh_index ()) in
    set_var_type (Var_info i) c_int false;
    let vari = { nterm_node = NTvar i; 
		 nterm_loc = loc;
		 nterm_type = c_int;} in
    let ti = 
      { nterm_node = NTbinop (t, Badd, vari); 
	nterm_loc = loc;
	nterm_type = t.nterm_type}
    in
    let ineq = npand (nprel (nzero, Le, vari),
		      nprel (vari, Lt, int_nconstant (Int64.to_string b))) in
    make_forall [c_int, i] (make_implies ineq (f ti vari))

let valid_for_type ?(fresh=false) loc name (t : Cast.nterm) =
  let rec valid_fields valid_for_current n (t : Cast.nterm) = 
    begin match tag_type_definition n with
      | TTStructUnion (Tstruct (_), fl) ->
	  List.fold_right 
	    (fun f acc -> 
	       let zone = find_zone_for_term t in
	       let () = type_why_new_zone zone f in
	       let tf = 
		 { nterm_node = NTarrow (t, zone, f); 
		   nterm_loc = loc;
		   nterm_type = f.var_type} 
	       in
	       make_and acc (valid_for tf))
	    fl 
	    (if valid_for_current then 
	       if fresh then npand(npvalid t, npfresh t) else npvalid t 
	     else nptrue)
      | TTIncomplete ->
	  error loc "`%s' has incomplete type" name
      | _ ->
	  assert false
    end
  and valid_for (t : Cast.nterm) = match t.nterm_type.Ctypes.ctype_node with
    | Tstruct n ->
 	valid_fields true n t
    | Tarray (_, _ty, None) ->
	error loc "array size missing in `%s'" name    
    | Tarray (Not_valid,_,_) -> assert false
    | Tarray (Valid(i,j), ty, Some s) ->
	assert (i <= Int64.zero && j > Int64.zero);
	let vrange = make_valid_range_from_0 t s in
	let valid_form =
	  make_and
	    vrange
	    (if fresh then npfresh t else nptrue)
	in		   
	begin match ty.Ctypes.ctype_node with
	  | Tstruct n ->	      
	      let vti t _i = valid_fields false n t in
	      make_and valid_form (make_forall_range loc t s vti)
	  | _ ->
	      make_and valid_form
		(make_forall_range loc t s 
		   (fun t _i -> valid_for 
			(indirection loc ty t)))
	end
    | _ -> 
	nptrue
  in
  valid_for t

let not_alias loc x y = 
  if Info.same_why_type (type_why_for_term x) (type_why_for_term y)
  then
    let ba t = { nterm_node = NTbase_addr t; 
		 nterm_loc = loc;
		 nterm_type = c_addr} in 
    nprel (ba x, Neq, ba y)
  else
    {npred_node = NPtrue;  npred_loc = loc}

let var_to_term loc v =
  {
    nterm_node = NTvar v; 
    nterm_loc = loc;
    nterm_type = v.var_type}

let in_struct v1 v = 
  (*  match v1.nterm_node with
    | NTarrow(x,ty,_,_) ->
    | _ -> *)
  let zone = find_zone_for_term v1 in
  let () = type_why_new_zone zone v in
  { nterm_node = NTarrow (v1, zone, v); 
    nterm_loc = v1.nterm_loc;
    nterm_type = v.var_type}

	
let compatible_type ty1 ty2 = 
  match ty1.Ctypes.ctype_node,ty2.Ctypes.ctype_node with
    | Tfun _ , _  | Tenum _, _ | Tpointer _ , _ 
    | Ctypes.Tvar _ , _ | Tvoid, _ | Tint _, _ | Tfloat _, _ -> false
    | _, Tfun _ | _, Tenum _| _, Tpointer _  
    | _, Ctypes.Tvar _ | _, Tvoid | _, Tint _ | _, Tfloat _ -> false
    | _, _ -> true 

let full_compatible_type ty1 ty2 = 
  match ty1.Ctypes.ctype_node,ty2.Ctypes.ctype_node with
    | Tfun _ , _  | Tenum _, _  
    | Ctypes.Tvar _ , _ | Tvoid, _ | Tint _, _ | Tfloat _, _ -> false
    | _, Tfun _ | _, Tenum _  
    | _, Ctypes.Tvar _ | _, Tvoid | _, Tint _ | _, Tfloat _ -> false
    | _, _ -> true

(* assumes v2 is an array of objects of type ty *)
let rec tab_struct mark loc v1 v2 s ty n n1 n2=
  let l = begin
    match  tag_type_definition n with
      | TTStructUnion ((Tstruct _),fl) ->
	  fl
      | _ -> assert false
  end in
  if mark then
    List.fold_left 
      (fun p t -> 
	 if  compatible_type t.var_type v2.nterm_type 
	 then make_and p (not_alias loc v2 (in_struct v1 t))
	 else p)
      nptrue l
  else
  make_and (List.fold_left 
	      (fun p t -> 
		 if  compatible_type t.var_type v2.nterm_type 
		 then make_and p (not_alias loc v2 (in_struct v1 t))
		 else p)
	      nptrue l)
    (make_forall_range loc v2 s 
       (fun t _i -> 
	  local_separation mark loc n1 v1 (n2^"[i]") (indirection loc ty t)))

and local_separation  mark loc n1 v1 n2 v2 =
  match (v1.nterm_type.Ctypes.ctype_node,v2.nterm_type.Ctypes.ctype_node) 
  with
    | Tarray (_,_ty, None), _ ->
	error loc "array size missing in `%s'" n1
    | _, Tarray (_,_ty, None) ->
	error loc "array size missing in `%s'" n2
    | Tstruct n , Tarray (_,ty,Some s) -> 
	tab_struct  mark loc v1 v2 s ty n n1 n2
    | Tarray (_,ty,Some s) , Tstruct n -> 
	tab_struct mark loc v2 v1 s ty n n1 n2
    | Tarray (_,ty1,Some s1), Tarray(_,ty2,Some s2) ->
	make_and
	  (if compatible_type v1.nterm_type v2.nterm_type
	   then
	     (not_alias loc v1 v2)
	   else
	     nptrue)
	  (make_and 
	     (make_forall_range loc v1 s1 
		(fun t _i -> local_separation mark loc (n1^"[i]") 
		     (indirection loc ty1 t) n2 v2))
	     (make_forall_range loc v2 s2  
		(fun t _i -> local_separation true loc n1 v1 (n2^"[j]")
		     (indirection loc ty2 t))))
     | _, _ -> nptrue

    
let separation loc v1 v2 =
  local_separation false loc v1.var_name (var_to_term loc v1) 
    v2.var_name (var_to_term loc v2)

let rec full_tab_struct mark loc v1 v2 s ty n n1 n2=
  let l = begin
    match  tag_type_definition n with
      | TTStructUnion ((Tstruct _),fl) ->
	  fl
      | _ -> assert false
  end in
  if mark then
    List.fold_left 
      (fun p t -> 
	 if  full_compatible_type t.var_type v2.nterm_type 
	 then make_and p (not_alias loc v2 (in_struct v1 t))
	 else p)
      nptrue l
  else
  make_and (List.fold_left 
	      (fun p t -> 
		 if  full_compatible_type t.var_type v2.nterm_type 
		 then make_and p (not_alias loc v2 (in_struct v1 t))
		 else p)
	      nptrue l)
    (make_forall_range loc v2 s 
       (fun t _i -> 
	  full_local_separation mark loc n1 v1 (n2^"[i]") (indirection loc ty t)))

and full_local_separation  mark loc n1 v1 n2 v2 =
  match (v1.nterm_type.Ctypes.ctype_node,v2.nterm_type.Ctypes.ctype_node) 
  with
    | Tarray (_,_ty, None), _ ->
	error loc "array size missing in `%s'" n1
    | _, Tarray (_,_ty, None) ->
	error loc "array size missing in `%s'" n2
    | Tstruct n , Tarray (_,ty,Some s) -> 
	full_tab_struct  mark loc v1 v2 s ty n n1 n2
    | Tarray (_,ty,Some s) , Tstruct n -> 
	full_tab_struct mark loc v2 v1 s ty n n1 n2
    | Tarray (_,ty1,Some s1), Tarray(_,ty2,Some s2) ->
	make_and
	  (if full_compatible_type v1.nterm_type v2.nterm_type
	   then
	     (not_alias loc v1 v2)
	   else
	     nptrue)
	  (make_and 
	     (make_forall_range loc v1 s1 
		(fun t _i -> full_local_separation mark loc (n1^"[i]") 
		     (indirection loc ty1 t) n2 v2))
	     (make_forall_range loc v2 s2  
		(fun t _i -> full_local_separation true loc n1 v1 (n2^"[j]")
		     (indirection loc ty2 t))))
    | Tpointer (_,_ty1) , Tpointer (_,_ty2) ->
	if full_compatible_type v1.nterm_type v2.nterm_type
	then
	  (not_alias loc v1 v2)
	else
	  nptrue
    | Tarray (_,ty2,Some s2) ,  Tpointer (_,_ty1)
    | Tpointer (_,_ty1), Tarray (_,ty2,Some s2) ->
	make_and
	  (if full_compatible_type v1.nterm_type v2.nterm_type
	   then
	     (not_alias loc v1 v2)
	   else
	     nptrue)
	  (make_forall_range loc v2 s2  
	     (fun t _i -> full_local_separation true loc n1 v1 (n2^"[j]")
		(indirection loc ty2 t)))
    | Tstruct n, Tpointer (_,_ty)  ->
	 let l = begin
	   match  tag_type_definition n with
	     | TTStructUnion ((Tstruct _),fl) ->
		 fl
	     | _ -> assert false
	 end in 
	 (List.fold_left 
	    (fun p t -> 
	       make_and p (full_local_separation mark loc n2 v2 n1 
			     (in_struct v1 t)))
	    nptrue l)
    |  Tpointer (_,_ty), Tstruct n ->
	 let l = begin
	   match  tag_type_definition n with
	     | TTStructUnion ((Tstruct _),fl) ->
		 fl
	     | _ -> assert false
	 end in 
	 (List.fold_left 
	    (fun p t -> 
	       make_and p (full_local_separation mark loc n1 v1 n2 
			     (in_struct v2 t)))
	    nptrue l)
    | Tstruct n1, Tstruct n2 ->
	let l2 = begin
	   match  tag_type_definition n2 with
	     | TTStructUnion ((Tstruct _),fl) ->
		 fl
	     | _ -> assert false
	 end in	
	let l1 = begin
	   match  tag_type_definition n1 with
	     | TTStructUnion ((Tstruct _),fl) ->
		 fl
	     | _ -> assert false
	end in
	(List.fold_left 
	    (fun p1 t1 ->
	       (List.fold_left 
		  (fun p2 t2 ->
		     make_and p2 (full_local_separation mark loc n1 
				    (in_struct v1 t1) 
				    n2  (in_struct v2 t2)))
		  p1 l2))
		 nptrue l1)
    | _, _ -> nptrue

let fullseparation loc v1 v2 =
  full_local_separation false loc v1.var_name (var_to_term loc v1) 
    v2.var_name (var_to_term loc v2)


let rec rehash z1 z2 =
  let t =
  (try 
    let t2 = Hashtbl.find type_why_table z2 in
    Hashtbl.remove type_why_table z2;
    (try 
       let t1 = Hashtbl.find type_why_table z1 in
       Hashtbl.remove type_why_table z1;
       Hashtbl.iter 
	 (fun a1 tw2 ->
	    try 
	      begin 
		let tw1 = Hashtbl.find t1 a1 in
		unifier_type_why tw1 tw2
	      end
	    with Not_found -> Hashtbl.add t1 a1 tw2
	 )
	 t2;
       t1
     with Not_found -> t2)
   with Not_found -> 
     try 
       Hashtbl.find type_why_table z1
     with Not_found -> Hashtbl.create 5) 
  in
  Hashtbl.add type_why_table z1 t;
  Hashtbl.add type_why_table z2 t
    
and unifier_type_why tw1 tw2 =
(*
  Format.eprintf " call unifier_type_why:@.";
  Format.eprintf "  tw1 = %a@." Output.fprintf_logic_type (output_why_type tw1);
  Format.eprintf "  tw2 = %a@." Output.fprintf_logic_type (output_why_type tw2);
*)
  match tw1,tw2 with
    | Pointer z1 , Pointer z2 -> unifier_zone z1 z2     
    | Addr z1 , Addr z2 -> unifier_zone z1 z2
    | Why_Logic s1, Why_Logic s2 when s1 = s2 -> ()
    (* int types *)
    | Info.Int, Info.Int -> ()
    | Why_Logic s, Info.Int 
    | Info.Int, Why_Logic s when is_int_type s -> ()
    | Why_Logic s1, Why_Logic s2 when is_int_type s1 && is_int_type s2 -> ()
    (* float types *)
    | Info.Real, Info.Real -> ()
    | Why_Logic s, Info.Real 
    | Info.Real, Why_Logic s when is_real_type s -> ()
    | Why_Logic s1, Why_Logic s2 when is_real_type s1 && is_real_type s2 -> ()
    (* errors *)
    | Memory _, _ | _, Memory _ -> assert false
    | _ ->
	let t1 = output_why_type tw1 
	and t2 = output_why_type tw2
	in
	Format.eprintf "anomaly: unify why types `%a' and `%a'@."
	  Output.fprintf_logic_type t1 Output.fprintf_logic_type t2;
	assert false
	  

and unifier_zone z1 z2 =
  let z1' = Info.repr z1
  and z2' = Info.repr z2
  in
  if z1' == z2' then ()
  else
    begin
      rehash z1' z2'; 
      match z1'.repr, z2'.repr with
	| None, None -> 
	    if z1'.zone_is_var then z1'.repr <- Some z2' else 
	      if z2'.zone_is_var then z2'.repr <- Some z1' else
	      if z1'.number < z2'.number then z2'.repr <- Some z1'
	      else z1'.repr <- Some z2' 
	| _ -> assert false
    end

let loc_name loc =
  let (_f,l,fc,lc) = Loc.extract loc in
  Format.sprintf "line %d, characters %d-%d" l fc lc

let unifier_type_why ?(var_name="?") tw1 tw2 =
  try
    unifier_type_why tw1 tw2
  with
      e ->
	Format.eprintf "Anomaly in unifier_type_why for var '%s'@." var_name;
	raise e

let assoctype  ty assoc = 
  match ty with 
    |  Pointer z ->
	 let z = repr z in
	 let z  = try Cnorm.assoc_zone z assoc with Not_found -> z in
	 Pointer z 
    | _ -> ty

let copyhash z za assoc =
  try let t = Hashtbl.copy (Hashtbl.find type_why_table z) in
  Hashtbl.iter (fun x y -> Hashtbl.replace t x (assoctype y assoc) ) t;
(*  Hashtbl.iter
    (fun f tw -> 
       let l,n = output_why_type tw in
       Format.eprintf "adding in type_why_table :(%s,%s) -> %s@." 
	 za.name f.var_name n)
    t;*)
  Hashtbl.add type_why_table za t
  with Not_found -> () 

let rec term tyf t =
  match t.nterm_node with
    | NTconstant _ -> () 
    | NTstring_literal _ -> ()
    | NTvar v -> 
	if v.var_name = "result" then 
	    unifier_type_why ~var_name:v.var_name v.var_why_type tyf
    | NTapp ({napp_pred = f;napp_args = l} as call) ->
      List.iter (term tyf) l;
      let assoc = List.map (fun z -> (z,make_zone true)) f.logic_args_zones in
      call.napp_zones_assoc <- assoc;
      List.iter (fun (x,y) ->
		   let x = repr x  in
		   copyhash x y assoc) assoc ;
      let li =  
	List.map 
	  (fun v ->
	     let t =
	     match v.var_why_type with
	       | Pointer z as ty -> 
		   begin
		     try
		       let z = repr z in
		       Pointer (assoc_zone z assoc)
		     with
			 Not_found -> ty
		   end
	       | ty -> ty in v,t)
	    f.logic_args in

      assert (List.length li = List.length l || 
	  (Format.eprintf " wrong arguments for %s : expected %d, got %d\n" 
	     f.logic_name (List.length li) (List.length l); false));
      begin
	try      
	  List.iter2 
	    (fun (v,ty) e -> 
	       unifier_type_why ~var_name:v.var_name ty (type_why_for_term e)) 
	    li l
	with Invalid_argument _ -> assert false
      end
  | NTunop (_,t) -> term tyf t 
  | NTbinop(t1,Clogic.Bsub,t2) ->
      term tyf t1; term tyf t2; 
      unifier_type_why ~var_name:(loc_name t1.nterm_loc) (type_why_for_term t1)
	(type_why_for_term t2)    
  | NTbinop (t1,_,t2)
  | NTmin (t1,t2)
  | NTmax (t1,t2) -> term tyf t1; term tyf t2 
  | NTarrow (t,_,_) -> term tyf t
  | NTif (t1,t2,t3) -> term tyf t1; term tyf t2; term tyf t3
  | NTold t 
  | NTat (t,_) 
  | NTbase_addr t
  | NToffset t
  | NTblock_length t 
  | NTarrlen t 
  | NTstrlen (t,_,_)
  | NTrange (t,None,None,_,_) -> term tyf t
  | NTrange (t1,Some t2,None,_,_) | NTrange (t1,None,Some t2,_,_) -> 
      term tyf t1; term tyf t2
  | NTminint _ | NTmaxint _ ->
      ()
  | NTrange (t1,Some t2,Some t3,_,_) -> term tyf t1; term tyf t2; term tyf t3
  | NTcast (_,t) -> term tyf t

let rec predicate tyf p =
  match p.npred_node with
  | NPfalse
  | NPtrue -> ()
  | NPapp ({napp_pred = f;napp_args = l} as call) -> 
      List.iter (term tyf) l;
      let assoc = List.map (fun z -> (z,make_zone true)) f.logic_args_zones in
      call.napp_zones_assoc <- assoc;
      List.iter (fun (x,y) ->
		   let x = repr x  in
		   copyhash x y assoc) assoc ;
      let li =  
	List.map 
	  (fun v ->
	     let t =
	       match v.var_why_type with
		 | Pointer z as ty -> 
		     begin
		       try
			 let z = repr z in
			 Pointer (assoc_zone z assoc)
		       with
			   Not_found -> ty
		     end
		 | ty -> ty in v,t )
	    f.logic_args in

      assert (List.length li = List.length l || 
	  (Format.eprintf " wrong arguments for %s : expected %d, got %d\n" 
	     f.logic_name (List.length li) (List.length l); false));
      begin 
	try      List.iter2 
	(fun (v,ty) e ->
	   unifier_type_why ~var_name:v.var_name ty (type_why_for_term e)) li l
      with Invalid_argument _ -> assert false
      end
  | NPrel (t1,_op,t2) ->      
(*
      Format.eprintf "unify args for rel op '%s'@." (Cprint.relation op);
*)
      term tyf t1; 
      term tyf t2;
      unifier_type_why ~var_name:(loc_name t1.nterm_loc) (type_why_for_term t1)
	(type_why_for_term t2)      
  | NPand (p1,p2) 
  | NPor (p1,p2) 
  | NPimplies (p1,p2) 
  | NPiff (p1,p2) -> predicate tyf p1; predicate tyf p2
  | NPnot p -> predicate tyf p
  | NPif (t,p1,p2) -> term tyf t; predicate tyf p1; predicate tyf p2
  | NPforall (_,p) 
  | NPexists (_,p) 
  | NPold p 
  | NPat (p,_) -> predicate tyf p
  | NPvalid t -> term tyf t
  | NPvalid_index (t1,t2) -> term tyf t1; term tyf t2
  | NPvalid_range (t1,t2,t3) -> term tyf t1; term tyf t2; term tyf t3
  | NPfresh  t -> term tyf t
  | NPnamed (_,p) -> predicate tyf p
  | NPseparated (t1,t2) 
  | NPfull_separated (t1,t2) -> term tyf t1; term tyf t2
  | NPbound_separated (t1,t2,t3,t4) ->
      term tyf t1; term tyf t2; term tyf t3; term tyf t4

let rec calcul_zones expr =
  match expr.nexpr_node with 
    | NEnop -> ()
    | NEconstant _ 
    | NEstring_literal _ 
    | NEvar _ -> ()
    | NEarrow (e,_,_) -> calcul_zones e
    | NEseq (e1,e2) -> calcul_zones e1; calcul_zones e2
    | NEassign_op (_lv,_,_e) -> () (* no 2 pointers here *)
    | NEassign (lv,e) -> calcul_zones lv; calcul_zones e;
(*
	Format.eprintf "lv = %a, e = %a@."
	  Cprint.nexpr lv Cprint.nexpr e;
*)
	let tw1 = type_why lv in
	let tw2 = type_why e in
	unifier_type_why ~var_name:(loc_name lv.nexpr_loc) tw1 tw2
    | NEunary (_,e) -> calcul_zones e
    | NEincr (_,e) -> calcul_zones e
    | NEbinary (e1,Bsub_pointer,e2) | NEbinary (e1,Blt_pointer,e2) 
    | NEbinary (e1,Bgt_pointer,e2) | NEbinary (e1,Ble_pointer,e2) 
    | NEbinary (e1,Bge_pointer,e2) | NEbinary (e1,Beq_pointer,e2) 
    | NEbinary (e1,Bneq_pointer,e2)   -> calcul_zones e1; calcul_zones e2;
	let tw1 = type_why e1 in
	let tw2 = type_why e2 in
	unifier_type_why ~var_name:(loc_name e1.nexpr_loc) tw1 tw2
    | NEbinary (e1,_,e2) -> calcul_zones e1; calcul_zones e2
    | NEcall ({ncall_fun = e;ncall_args = l} as call) -> 
	List.iter calcul_zones l;
	begin
	  match e.nexpr_node with 
	    | NEvar (Fun_info f) -> 
		let assoc = List.map (fun z ->(z,make_zone true)) f.args_zones in
		call.ncall_zones_assoc <- assoc;
		List.iter (fun (x,y) ->
			     let x = repr x  in
			     copyhash x y assoc) assoc ;
		let arg_types =
		  List.map 
		    (fun v ->
		       let t =
			 match v.var_why_type with
			   | Pointer z as ty -> 
			       begin
				 try
				   let z = repr z in
				   Pointer (assoc_zone z assoc)
				 with
				     Not_found -> ty
			       end
			   | ty -> ty in v,t)
		    f.args 
		in
		begin
		  try List.iter2 (fun (v,ty) e -> unifier_type_why ~var_name:v.var_name ty 
				    (type_why e))
		    arg_types l
		  with Invalid_argument _ -> 
		    warning expr.nexpr_loc "ignoring variable args function in separation analysis"
		end
	    | _  -> 
		warning expr.nexpr_loc "ignoring function pointer in separation analysis"
	end
    | NEcond (e1,e2,e3)->  calcul_zones e1; calcul_zones e2; calcul_zones e3
    | NEcast (_,e) -> calcul_zones e
    | NEmalloc (_,e) -> calcul_zones e
 
let rec c_initializer ty tw init =
  match init with 
    | Iexpr e -> 
	calcul_zones e; 
	let twe = type_why e in
(*
	Format.eprintf "unify why types for initializer@.";
	Format.eprintf " type v = %a@." Output.fprintf_logic_type (output_why_type tw)
;
	Format.eprintf " type expr = %a@." Output.fprintf_logic_type (output_why_type twe);
*)
	unifier_type_why ~var_name:(loc_name e.nexpr_loc) tw twe;
(*
	Format.eprintf "unify why types for initializer done@."
*)
    | Ilist l -> 
	match ty.ctype_node with  
	  | Tstruct tag  ->
	      begin
		match tag_type_definition tag with
		  | TTStructUnion(_ty,fields) ->
		      begin
			try List.iter2
			(fun f v ->
			    c_initializer f.var_type f.var_why_type v)
			fields l
		      with Invalid_argument _ -> assert false
		      end
		  | _ -> assert false
	      end
	  | Tarray (_,ty,_) ->	      
	      let tw = type_type_why ty false in
	      List.iter (fun init -> c_initializer ty tw init) l 
	  | _ -> assert false


let option_iter f x =
  match x with
    | None -> ()
    | Some x -> f x

let loop_annot tyf la =
  option_iter (predicate tyf) la.invariant;
  option_iter (fun (_,l) -> List.iter (term tyf) l) la.loop_assigns;
  option_iter (fun (t,_) -> term tyf t) la.variant

let spec tyf sp =
  begin
  match sp.requires with
    | None -> ()
    | Some p -> 
	predicate tyf p
  end;
  begin
  match sp.assigns with
    | None -> ()
    | Some (_,l) -> List.iter (term tyf) l
  end;
  begin
    match sp.ensures with
      | None -> ()
      | Some p -> predicate tyf p
  end;
  begin
    match sp.decreases with
      | None -> ()
      | Some (t,_) -> term tyf t
  end

let rec statement twf st =
  match st.nst_node with 
    | NSnop | NSreturn None | NSbreak | NScontinue | NSlogic_label _ 
    | NSgoto _ -> ()
    | NSassert p | NSassume p ->  predicate twf p
    | NSexpr e -> calcul_zones e
    | NSif (e,st1,st2) -> calcul_zones e; statement twf st1; statement twf st2 
    | NSwhile (lannot,e,st) 
    | NSdowhile (lannot,st,e)-> 
	loop_annot twf lannot; calcul_zones e;statement twf st
    | NSfor (lannot, e1, e2, e3, st)-> 
	loop_annot twf lannot;
	calcul_zones e1; calcul_zones e2; 
	calcul_zones e3; statement twf st
    | NSblock ls -> List.iter (statement twf) ls
    | NSreturn (Some e) -> calcul_zones e ;
	unifier_type_why ~var_name:(loc_name e.nexpr_loc) twf (type_why e)
    | NSlabel (_,st) -> statement twf st
    | NSswitch (e1, _e2, l) -> calcul_zones e1;
	List.iter (fun (_x, y) -> List.iter (statement twf) y) l
    | NSspec (sp,st) -> spec twf sp; statement twf st
    | NSdecl (_, _v, None, st) -> statement twf st
    | NSdecl (_, v, Some i, st) -> 
	c_initializer v.var_type v.var_why_type i;
	statement twf st 
	

module Hzone = Hashtbl.Make(struct
			      type t = zone
			      let equal z1 z2 = z1.number == z2.number
			      let hash z = z.number 
			    end)

let rec add_zone ty l =
(*  Format.eprintf "add_zone ty=%s@." (snd (output_why_type ty));*)
  match ty with
    | Pointer z ->
	let z = repr z in
	if List.mem z l then l else
	  begin match z.repr with 
	    | None ->
		begin
		  try 
		    let t =  Hashtbl.find type_why_table z in
		    Hashtbl.fold (fun _ tw  l ->
				    add_zone tw l) t (z::l)
		  with Not_found -> z::l
	      end
	    | Some _ -> l
	  end
    | _ -> l
      
let collect_zones args ret_type =	
  let l =
    List.fold_left  
      (fun l v ->
	 add_zone v.var_why_type l) [] args
  in
  add_zone ret_type l


let global_decl e =
  match e with 
    | Naxiom (_,sp) | Ninvariant (_,sp) | Ninvariant_strong (_,sp) ->
	predicate Unit sp
    | Nlogic (f, NPredicate_def (_,p)) -> 
	predicate Unit p;
	f.logic_args_zones <- collect_zones f.logic_args f.logic_why_type
    | Nlogic (f, NFunction_def (_,_,t)) ->
	term Unit t;
	f.logic_args_zones <- collect_zones f.logic_args f.logic_why_type
    | Nlogic (f, (NPredicate_reads _ | NFunction _)) -> 
	f.logic_args_zones <- collect_zones f.logic_args f.logic_why_type
(*    | Nfunspec (sp,_,f) -> 
	spec f.type_why_fun sp;
	if f.args_zones = [] then f.args_zones <- collect_zones f.args f.type_why_fun
*)
    | Ntypedef _ | Ntypedecl _ | Ndecl (_,_,None) | Ntype _ -> ()
    | Ndecl (_, v, Some i) -> 
	c_initializer v.var_type v.var_why_type i
(*    | Nfundef (sp, _, f, st) -> 
	spec f.type_why_fun sp; 
	statement f.type_why_fun st; 
	if f.args_zones = [] then f.args_zones <- collect_zones f.args f.type_why_fun
*)

let c_fun_poly _fun_name (_, _, f, _,_) =
  if f.args_zones = [] then 
    begin
      let l = collect_zones f.args f.type_why_fun in
      Coptions.lprintf "Why polymorphic zones for function %s:@." f.fun_name;
      List.iter
	(fun z -> Coptions.lprintf "%s " z.name) l;
      Coptions.lprintf "@.";
      f.args_zones <- l
    end

let c_fun_separation _fun_name (sp, _, f, st,_) =
  spec f.type_why_fun sp;
  begin
    match st with
      | None -> ()
      | Some st  -> statement f.type_why_fun st
  end 



let file p =  
  List.iter (fun d -> global_decl d.node) p
    
let funct l =
  List.iter 
    (fun f -> 
	let fu = try find_c_fun f.fun_name with Not_found -> assert false in
        c_fun_separation f.fun_name fu;
	c_fun_poly f.fun_name fu)
    l
(*  Hashtbl.iter c_fun_poly Cenv.c_functions;
  Hashtbl.iter c_fun_separation Cenv.c_functions;
*)

(*
Local Variables: 
compile-command: "make -j -C .. bin/caduceus.byte"
End: 
*)
why-2.34/c/cprint_graph.ml0000644000175000017500000000501612311670312014053 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Info

let print_graph () = 
  Cenv.iter_sym 
    (fun _n x -> match x with
       | Var_info _ -> () 
       | Fun_info f -> 
	   Format.eprintf "%s :"  f.fun_name;
	   List.iter (fun x -> Format.eprintf " %s," x.fun_name) f.graph;
	   Format.eprintf "@\n")
why-2.34/c/cconst.mll0000644000175000017500000001545412311670312013047 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*i $Id: cconst.mll,v 1.15 2008-11-05 14:03:13 filliatr Exp $ i*)

(* evaluation of integer literals *)

{

  open Lexing
  open Int64
  open Creport

  module IntMap = Map.Make(struct type t = int64 let compare = compare end)

  exception Constant_too_large

  exception Invalid of string

  let val_char = function
    | '0' -> 0
    | '1' -> 1
    | '2' -> 2
    | '3' -> 3
    | '4' -> 4
    | '5' -> 5
    | '6' -> 6
    | '7' -> 7
    | '8' -> 8
    | '9' -> 9
    | 'a' | 'A' -> 10
    | 'b' | 'B' -> 11
    | 'c' | 'C' -> 12
    | 'd' | 'D' -> 13
    | 'e' | 'E' -> 14
    | 'f' | 'F' -> 15
    | _ -> assert false

  let val_char c = Int64.of_int (val_char c)

  let check_bounds loc hexa accu suffix =
    match String.lowercase suffix with
      | "" ->
	  if accu > 0x7FFFFFFFL then 
	     if hexa then warning loc "Constant too large for a int"
                     else raise Constant_too_large
          else
	    if accu > 0x7FFFL then 
	      warning loc
		"this constant overflows if sizeof(int)<=16";
	  accu 
      | "u" ->
	  if accu > 0xFFFFFFFFL then raise Constant_too_large;
	  if accu > 0xFFFFL then 
	    warning loc
	      "this constant overflows if sizeof(int)<=16";
	  accu 
      | "l" ->
	  if accu > 0x7FFFFFFFL then raise Constant_too_large else accu 
      | "ul" | "lu" ->
	  if accu > 0xFFFFFFFFL then raise Constant_too_large else accu 
      | "ll" ->
	  if accu > 0x7FFFFFFFFFFFFFFFL then raise Constant_too_large else accu
      | "ull" | "llu" -> accu 
      | _ ->
	  raise (Invalid ("suffix '" ^ suffix ^ "' on integer constant")) 

}

let rD =	['0'-'9']
let rL = ['a'-'z' 'A'-'Z' '_']
let rH = ['a'-'f' 'A'-'F' '0'-'9']
let rE = ['E''e']['+''-']? rD+
let rFS	= ('f'|'F'|'l'|'L')
let rIS = ('u'|'U'|'l'|'L')

(*
  | '0'['x''X'] rH+ rIS?    { CONSTANT (IntConstant (lexeme lexbuf)) }
  | '0' rD+ rIS?            { CONSTANT (IntConstant (lexeme lexbuf)) }
  | rD+ rIS?                { CONSTANT (IntConstant (lexeme lexbuf)) }
  | 'L'? "'" [^ '\n' '\'']+ "'"     { CONSTANT (IntConstant (lexeme lexbuf)) }
*)

rule eval_int loc = parse

  | '0'['x''X']  { eval_hexa loc Int64.zero lexbuf }
  | "'" { eval_char lexbuf }
  | '0' { eval_octa loc Int64.zero lexbuf}
  | ['1'-'9'] as d { eval_deci loc (val_char d) lexbuf}
  | 'L' { unsupported loc "extended character" } 
  | eof { raise (Invalid "empty literal") }
  | _   { raise (Invalid ("Illegal character " ^ lexeme lexbuf)) }

and eval_hexa loc accu = parse
  | rH  { if accu >= 0x10000000L then raise Constant_too_large;
	  let accu = add (mul 16L accu) (val_char (lexeme_char lexbuf 0)) in 
	  eval_hexa loc accu lexbuf }
  | eof { check_bounds loc true accu "" }
  | rIS+ { check_bounds loc true accu (lexeme lexbuf) }
  | _ { raise (Invalid ("digit '" ^ (lexeme lexbuf) ^ 
			"' in hexadecimal constant")) }

and eval_deci loc accu = parse
  | rD as c 
      { if accu >= 0x10000000L then raise Constant_too_large;
	let accu = add (mul 10L accu) (val_char c) in 
	eval_deci loc accu lexbuf }
  | eof 
      { check_bounds loc false accu "" }
  | rIS+ 
      { check_bounds loc false accu (lexeme lexbuf) }
  | _ 
      { raise (Invalid ("digit '" ^ (lexeme lexbuf) ^ 
			"' in decimal constant")) }

and eval_octa loc accu = parse
  | ['0'-'7']  { if accu >= 0x10000000L
	  then raise Constant_too_large
	  else
	    let accu = add (mul 8L accu) (val_char (lexeme_char lexbuf 0)) in 
	    eval_octa loc  accu lexbuf }
  | eof { check_bounds loc false accu "" }
  | rIS+ { check_bounds loc false accu (lexeme lexbuf) }
  | _ { raise (Invalid ("digit '" ^ (lexeme lexbuf) ^ 
			"' in octal constant")) }

and eval_char = parse
  | "\\n'" { Int64.of_int (Char.code '\n') }
  | "\\t'" { Int64.of_int (Char.code '\t') }
  | "\\v'" { Int64.of_int 11 }
  | "\\a'" { Int64.of_int 7 }
  | "\\b'" { Int64.of_int (Char.code '\b') }
  | "\\r'" { Int64.of_int (Char.code '\r') }
  | "\\f'" { Int64.of_int 12 }
  | "\\\\'" { Int64.of_int (Char.code '\\') }
  | "\\?'" { Int64.of_int (Char.code '?') }
  | "\\''" { Int64.of_int (Char.code '\'') }
  | "\\\"'" { Int64.of_int (Char.code '"') }
  | "\\" (['0'-'7'] ['0'-'7']? ['0'-'7']? as s) "'" 
      { Int64.of_int (int_of_string ("0o" ^ s)) }
  | "\\" (['0'-'9'] ['0'-'9']? ['0'-'9']? as s) "'" 
      { raise (Invalid ("digits '" ^ s ^ "' in octal constant")) }
  | "\\x" (rH rH? as s) "'" { Int64.of_int (int_of_string ("0x" ^ s)) }
  | (_ as c) "'" { Int64.of_int (Char.code c) }


{

  let int loc s =
    try
      let lb = Lexing.from_string s in
      eval_int loc lb
    with
      | Constant_too_large -> error loc "constant too large"
      | Invalid msg -> error loc "invalid constant: %s" msg

}
why-2.34/c/cnorm.mli0000644000175000017500000000722312311670312012664 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cast

val int_nconstant : string -> nterm

val nzero : nterm

val file : tdecl located list -> ndecl located list

val make_field : Ctypes.ctype -> Info.var_info

val declare_arrow_var : Info.var_info -> Info.var_info

val type_why_table : 
  (Info.zone,(Info.var_info, Info.why_type) Hashtbl.t) Hashtbl.t  

val type_why_new_zone : Info.zone -> Info.var_info -> unit

val find_zone : nexpr -> Info.zone

val find_zone_for_term : nterm -> Info.zone

val type_why_for_term : nterm -> Info.why_type

val type_why : nexpr -> Info.why_type

val why_type_for_float_kind : Ctypes.cfloat -> Info.why_type

val make_nstrlen_node_from_nterm : nterm -> nctype Clogic.nterm_node

val assoc_zone : Info.zone -> (Info.zone * Info.zone) list -> Info.zone 

(* smart constructors for predicates *)

val make_and : npredicate -> npredicate -> npredicate
val make_forall : nctype Clogic.typed_quantifiers -> npredicate -> npredicate
val make_implies : npredicate -> npredicate -> npredicate

val nptrue : npredicate
val npfalse : npredicate
val npand : npredicate * npredicate -> npredicate
val npor : npredicate * npredicate -> npredicate
val nprel : nterm * Clogic.relation * nterm -> npredicate
val npvalid : nterm -> npredicate
val npvalid_range : nterm * nterm * nterm -> npredicate
val npapp : Info.logic_info * nterm list -> npredicate
val npfresh : nterm -> npredicate
val npiff : npredicate * npredicate -> npredicate



why-2.34/c/cenv.mli0000644000175000017500000001356112311670312012503 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Ctypes
open Info

(* Typing environments. They are common to both code and annotations. *)

val eq_type : ctype -> ctype -> bool
val eq_type_node : ctype_node -> ctype_node -> bool
val sub_type : ctype -> ctype -> bool
val compatible_type : ctype -> ctype -> bool
val arith_type : ctype -> bool
val array_type : ctype -> bool
val pointer_type : ctype -> bool
val pointer_or_array_type : ctype -> bool


(* for type why*)
val type_type_why : ?name:string -> Ctypes.ctype -> bool -> why_type 
val set_var_type : env_info -> Ctypes.ctype -> bool -> unit
val zone_table : (string,Info.zone) Hashtbl.t
val make_zone :  ?name:string -> bool -> zone

(* integer types *)
val int_size : Ctypes.cinteger -> int (* in bits *)
val int_type_for_size : Ctypes.sign -> int -> string
val int_type_for : Ctypes.sign * Ctypes.cinteger -> string
val all_int_sizes : unit -> (Ctypes.sign * int) list
val is_int_type : string -> bool
val is_real_type : string -> bool

val enum_type_for : string -> string

(* Global environment *)

val add_sym : Loc.position -> string -> ctype -> env_info -> env_info
val find_sym : string -> env_info
val iter_sym : (Lib.Sset.elt -> Info.env_info -> unit) -> unit
val add_typedef : Loc.position -> string -> ctype -> unit
val find_typedef : string -> ctype

(* Logic environment *)
val add_type : string -> unit
val mem_type : string -> bool
val iter_types : (string -> unit) -> unit


val c_functions : (string,Cast.nspec * ctype * Info.fun_info * 
  Cast.nstatement option * Loc.position ) Hashtbl.t
val add_c_fun : string -> Cast.nspec * ctype * Info.fun_info * 
  Cast.nstatement option * Loc.position -> unit
val find_c_fun : string -> Cast.nspec * ctype * Info.fun_info * 
  Cast.nstatement option * Loc.position

val add_logic : string -> ctype list * ctype * Info.logic_info -> unit
val find_logic : string -> ctype list * ctype * Info.logic_info

val add_pred : string -> ctype list * Info.logic_info -> unit
val mem_pred : string -> bool 
val find_pred : string -> ctype list * Info.logic_info 

val add_ghost : Loc.position -> string -> ctype -> var_info -> var_info
val find_ghost : string -> var_info

(* tag types *)
type tag_type_definition = 
  | TTIncomplete 
  | TTStructUnion of ctype_node * var_info list
  | TTEnum of ctype_node * (var_info * int64) list
val tag_type_definition : string -> tag_type_definition

(* iterates over all declared structures *)
val iter_all_struct : (string -> ctype_node * var_info list -> unit) -> unit
val fold_all_struct : 
  (string -> ctype_node * var_info list -> 'a -> 'a) -> 'a -> 'a

(* iterates over all pairs of structures (the pairs (a,b) and (b,a) are
   identified) *)
val fold_all_struct_pairs :
  (string -> ctype_node * var_info list ->
   string -> ctype_node * var_info list -> 'a -> 'a) -> 'a -> 'a

val fold_all_enum : 
  (string -> ctype_node * (var_info * int64) list -> 'a -> 'a) -> 'a -> 'a

(* Local environment *)
module Env : sig

  type t

  val empty : unit -> t

  val new_block : t -> t

  val add : string -> ctype -> env_info -> t -> t
  val find : string -> t -> env_info
  val mem : string -> t -> bool

  val find_tag_type : Loc.position -> t -> ctype_node -> ctype_node
  val set_struct_union_type : Loc.position -> t -> ctype_node -> 
    (var_info) list -> ctype_node
  val set_enum_type : Loc.position -> t -> ctype_node -> 
    (var_info * int64) list -> ctype_node
end

val type_of_field : Loc.position -> string -> ctype -> var_info 
val find_field : tag:string -> field:string -> var_info
val declare_fields : ctype_node -> (ctype * var_info) list -> unit

(* for normalization of fields types *)
val update_fields_type : unit -> unit

val get_fresh_name : string -> string
why-2.34/c/cmake.ml0000644000175000017500000002466512311670312012466 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format
open Pp

let files = Hashtbl.create 97

let add ~file ~f =
  let l = try Hashtbl.find files file with Not_found -> [] in
  Hashtbl.replace files file (f :: l)

let simplify fmt f = fprintf fmt "simplify/%s_why.sx" f
let ergo fmt f = fprintf fmt "why/%s_why.why" f
let coq_v fmt f = fprintf fmt "coq/%s_why.v" f
let coq_vo fmt f = fprintf fmt "coq/%s_why.vo" f
let pvs fmt f = fprintf fmt "pvs/%s_why.pvs" f
let cvcl fmt f = fprintf fmt "cvcl/%s_why.cvc" f
let harvey fmt f = fprintf fmt "harvey/%s_why.rv" f
let zenon fmt f = fprintf fmt "zenon/%s_why.znn" f
let smtlib fmt f = fprintf fmt "smtlib/%s_why.smt" f
let why_goals fmt f = fprintf fmt "why/%s_ctx.why" f
let project fmt f = fprintf fmt "why/%s.wpr" f
let isabelle fmt f = 
  fprintf fmt "isabelle/%s_why.thy isabelle/%s_spec_why.thy" f f

let print_files = print_list (fun fmt () -> fprintf fmt "\\@\n  ")

let generic f targets =
  print_in_file 
    (fun fmt -> 
       fprintf fmt 
       "# this makefile was automatically generated; do not edit @\n@\n";
       fprintf fmt "TIMEOUT ?= 10@\n@\n";
       fprintf fmt "WHY=why -explain -locs %s.loc %s@\n@\n" 
	 f (Coptions.why_opt ());
       fprintf fmt "GWHY=gwhy-bin -explain -locs %s.loc %s@\n@\n" 
	 f (Coptions.why_opt ());
       fprintf fmt "CADULIB=%s@\n@\n" Coptions.libdir;	    
       fprintf fmt "CADULIBFILE=%s@\n@\n" Coptions.libfile;
       fprintf fmt "COQTACTIC=%s@\n@\n" Coptions.coq_tactic;	    
       fprintf fmt "COQDEP=coqdep -I `coqc -where`/user-contrib@\n@\n";	    
       fprintf fmt ".PHONY: all coq pvs simplify ergo cvcl harvey smtlib cvc3 z3 zenon@\n@\n";
       fprintf fmt "all: %a@\n@\n" 
	 (print_files simplify) targets;

       fprintf fmt "coq: coq.depend %a@\n@\n" (print_files coq_vo) targets;

       fprintf fmt "coq/%s_spec_why.v: why/%s_spec.why@\n" f f;
       fprintf fmt "\t@@echo 'why -coq-v8 [...] why/%s_spec.why' && $(WHY) -coq-v8 -dir coq -coq-preamble \"Require Export Caduceus.\" $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why@\n@\n" f f;

       fprintf fmt "coq/%%_why.v: why/%s_spec.why why/%%.why@\n" f;
       fprintf fmt "\t@@echo 'why -coq-v8 [...] why/$*.why' &&$(WHY) -coq-v8 -dir coq -coq-preamble \"Require Export %s_spec_why.\" -coq-tactic \"$(COQTACTIC)\" $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n@\n" f f;

       fprintf fmt "coq/%%.vo: coq/%%.v@\n\tcoqc -I coq $<@\n@\n";
       
       fprintf fmt "pvs: pvs/%s_spec_why.pvs %a@\n@\n" 
	 f (print_files pvs) targets;

       fprintf fmt "pvs/%s_spec_why.pvs: why/%s_spec.why@\n" f f;
       fprintf fmt "\t$(WHY) -pvs -dir pvs -pvs-preamble \"importing why@@why\" $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why@\n@\n" f;

       fprintf fmt "pvs/%%_why.pvs: pvs/%s_spec_why.pvs why/%%.why@\n" f;
       fprintf fmt "\t$(WHY) -pvs -dir pvs -pvs-preamble \"importing %s_spec_why\" $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n@\n" f f;

       fprintf fmt "pvs/caduceus_why.pvs:@\n";
       fprintf fmt "\t$(WHY) -pvs -dir pvs $(CADULIB)/why/$(CADULIBFILE)@\n@\n";
       
       fprintf fmt "isabelle: %a@\n@\n" (print_files isabelle) targets;

       fprintf fmt "isabelle/%%_spec_why.thy: why/%%_spec.why@\n";
       fprintf fmt "\t$(WHY) -isabelle -dir isabelle -isabelle-base-theory caduceus_why $(CADULIB)/why/$(CADULIBFILE) why/$*_spec.why@\n@\n";

       fprintf fmt "isabelle/%%_why.thy: isabelle/%s_spec_why.thy why/%%.why@\n" f;
       fprintf fmt "\t$(WHY) -isabelle -dir isabelle -isabelle-base-theory %s_spec_why $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n" f f;
       fprintf fmt "\tcp -f %s/isabelle/caduceus_why.thy isabelle/@\n@\n" 
	 Coptions.libdir;

       fprintf fmt "simplify: %a@\n" (print_files simplify) targets;
       fprintf fmt "\t@@echo 'Running Simplify on proof obligations' && (why-dp -timeout $(TIMEOUT) $^)@\n@\n";
       fprintf fmt "simplify/%%_why.sx: why/%s_spec.why why/%%.why@\n" f;
       fprintf fmt "\t@@echo 'why -simplify [...] why/$*.why' && $(WHY) -simplify -dir  simplify $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n@\n" f;
       
       fprintf fmt "ergo: %a@\n" (print_files ergo) targets;
       fprintf fmt "\t@@echo 'Running Ergo on proof obligations' && (why-dp -timeout $(TIMEOUT) $^)@\n@\n";
       fprintf fmt "why/%%_why.sx: why/%s_spec.why why/%%.why@\n" f;
       fprintf fmt "\t@@echo 'why -why [...] why/$*.why' && $(WHY) -why -dir why $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n@\n" f;

       fprintf fmt "project: %a@\n@\n" (print_files project) targets;
       fprintf fmt "why/%%.wpr: why/%s_ctx.why@\n" f;
       fprintf fmt "\t@@echo 'why --project [...] why/$*.why' && $(WHY) --project -dir why $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n@\n" f;       

       fprintf fmt "goals: %a@\n@\n" (print_files why_goals) targets;
       fprintf fmt "why/%%_ctx.why: why/%s_spec.why why/%%.why@\n" f;
       fprintf fmt "\t@@echo 'why --multi-why [...] why/$*.why' && $(WHY) --multi-why -dir why $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n@\n" f;

       fprintf fmt "why/%%_why.why: why/%s_spec.why why/%%.why@\n" f;
       fprintf fmt "\t@@echo 'why -why [...] why/$*.why' && $(WHY) -why -dir why $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n@\n" f;


       fprintf fmt "cvcl: %a@\n@\n" (print_files cvcl) targets;
       fprintf fmt "\t@@echo 'Running CVC Lite on proof obligations' && (why-dp -timeout $(TIMEOUT) $^)@\n@\n";
       fprintf fmt "cvcl/%%_why.cvc: why/%s_spec.why why/%%.why@\n" f;
       fprintf fmt "\t@@echo 'why -cvcl [...] why/$*.why' && $(WHY) -cvcl --encoding sstrat -dir cvcl $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n@\n" f;
       
       fprintf fmt "harvey: %a@\n" (print_files harvey) targets;
       fprintf fmt "\t@@echo 'Running haRVey on proof obligations' && (why-dp -timeout $(TIMEOUT) $^)@\n@\n";
       fprintf fmt "harvey/%%_why.rv: why/%s_spec.why why/%%.why@\n" f;
       fprintf fmt "\t@@echo 'why -harvey [...] why/$*.why' && $(WHY) -harvey -dir harvey $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n@\n" f;
       
       fprintf fmt "zenon: %a@\n" (print_files zenon) targets;
       fprintf fmt "\t@@echo 'Running Zenon on proof obligations' && (why-dp -timeout $(TIMEOUT) $^)@\n@\n";
       fprintf fmt "zenon/%%_why.znn: why/%s_spec.why why/%%.why@\n" f;
       fprintf fmt "\t@@echo 'why -zenon [...] why/$*.why' && $(WHY) -zenon -dir zenon $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n@\n" f;
       
       fprintf fmt "smtlib: %a@\n" (print_files smtlib) targets;
       fprintf fmt "\t@@echo 'Running Z3 on proof obligations' && (why-dp -timeout $(TIMEOUT) $^)@\n@\n";
       fprintf fmt "smtlib/%%_why.smt: why/%s_spec.why why/%%.why@\n" f;
       fprintf fmt "\t@@echo 'why -smtlib [...] why/$*.why' && $(WHY) -smtlib --encoding sstrat -exp all   -dir smtlib $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n@\n" f;
       
       fprintf fmt "yices: %a@\n" (print_files smtlib) targets;
       fprintf fmt "\t@@echo 'Running Yices on proof obligations' && (why-dp -smt-solver yices -timeout $(TIMEOUT) $^)@\n@\n";

       fprintf fmt "z3: %a@\n" (print_files smtlib) targets;
       fprintf fmt "\t@@echo 'Running Z3 on proof obligations' && (why-dp -smt-solver z3 -timeout $(TIMEOUT) $^)@\n@\n";

      fprintf fmt "cvc3: %a@\n" (print_files smtlib) targets;
       fprintf fmt "\t@@echo 'Running CVC3 on proof obligations' && (why-dp -smt-solver cvc3 -timeout $(TIMEOUT) $^)@\n@\n";

       fprintf fmt "gui stat: %s@\n" 
	 (match targets with f::_ -> f^".stat" | [] -> "");
       fprintf fmt "@\n";
       fprintf fmt "%%.stat: why/%s_spec.why why/%%.why@\n" f;
       fprintf fmt "\t@@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(CADULIB)/why/$(CADULIBFILE) why/%s_spec.why why/$*.why@\n@\n" f;
       
       fprintf fmt "-include %s.depend@\n@\n" f;
       fprintf fmt "coq.depend: coq/%s_spec_why.v %a@\n" f
	 (print_files coq_v) targets;
       fprintf fmt "\t-$(COQDEP) -I coq coq/%s*_why.v > %s.depend@\n@\n" f f;
       fprintf fmt "clean:@\n";
       fprintf fmt "\trm -f coq/*.vo@\n@\n";
    )
    (f ^ ".makefile")

let makefile f =
  if Coptions.separate then
    let l = try Hashtbl.find files f with Not_found -> [] in
    generic f (List.map (fun x -> f ^ "__" ^ x) l)
  else
    generic f [f]



why-2.34/c/cptr.mli0000644000175000017500000000452212311670312012515 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Cast
open Cenv
open Info

val local_aliasing_transform : unit -> unit
why-2.34/c/ctyping.mli0000644000175000017500000000520512311670312013221 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Typing C programs *)
val tezero : Cast.texpr

val type_file : Cast.file -> Cast.tfile

val is_null : Cast.texpr -> bool

val eval_const_expr : Cast.texpr -> int64
val eval_const_expr_noerror : Cast.texpr -> int64

val int_teconstant : string -> Cast.texpr

(*
val float_constant_type : string -> string * Ctypes.cfloat
*)

val coerce : Ctypes.ctype -> Cast.texpr -> Cast.texpr
why-2.34/c/csymbol.ml0000644000175000017500000005015012311670312013042 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* TO DO:

   - implement [rewrite_pred_wrt_var]

*)

open Clogic
open Cabsint
open Pp

let debug = Coptions.debug
let debug_more = false

(* local types describing terms and predicates, sufficient for expressing
   the predicates that result from the integer analysis.
   They depend on a parameter ['v] that describes the type of a variable.
*)

type 'v int_term =
  | ITconstant of constant
  | ITvar of 'v
  | ITunop of term_unop * 'v int_term
  | ITbinop of 'v int_term * term_binop * 'v int_term
  | ITmax of 'v int_term list
  | ITmin of 'v int_term list
    (* used to translate an expression that has no counterpart in the small
       term language presented here. When computing an abstraction for
       a surrounding term, we will translate [ITany] to top. *)
  | ITany
      
type 'v int_predicate =
  | IPfalse
  | IPtrue
  | IPrel of 'v int_term * relation * 'v int_term
  | IPand of 'v int_predicate * 'v int_predicate
  | IPor of 'v int_predicate * 'v int_predicate
  | IPimplies of 'v int_predicate * 'v int_predicate
  | IPiff of 'v int_predicate * 'v int_predicate
  | IPnot of 'v int_predicate
  | IPfull_separated of 'v int_term * 'v int_term
    (* specific predicates to express (non-)nullity of pointer and
       (non-)nullity of char pointer read. These should be translated in some
       more specific predicates depending on the domain. *)
  | IPnull_pointer of 'v int_term
  | IPnot_null_pointer of 'v int_term
  | IPnull_char_pointed of 'v int_term * 'v int_term
  | IPnot_null_char_pointed of 'v int_term * 'v int_term
    (* used to translate an predicate that has no counterpart in the small
       predicate language presented here. When computing an abstraction for
       a surrounding predicate, we will translate [IPany] to top. *)
  | IPany

module type TERM = sig
  type var
  include ELEMENT_OF_CONTAINER with type t = var int_term
  val collect_term_vars : t -> var list
  val translate : (t * t) list -> t -> t
  val sub : t -> t -> t
  val add : t -> t -> t
  val minus : t -> t
end

module type PREDICATE = sig
  type var
  module T : TERM with type var = var
  include ELEMENT_OF_CONTAINER with type t = var int_predicate
  val explicit_pred : t -> t
  val rewrite_pred_wrt_var : t -> var -> int -> t
  val collect_predicate_vars : t -> var list
  val make_conjunct : t list -> t
  val get_conjuncts : t -> t list
  val make_implication : t -> t -> t
  val get_implicants : t -> t * t
  val translate : (T.t * T.t) list -> t -> t
end

module TermOfVariable (V : ELEMENT_OF_CONTAINER) 
  : TERM with type var = V.t =
struct
  
  type var = V.t
  type t = var int_term

  let equal = ( = )
  let compare = Pervasives.compare
  let hash = Hashtbl.hash

  let rec pretty fmt = function
    | ITconstant (IntConstant c | RealConstant c) -> 
	Format.fprintf fmt "%s" c
    | ITvar v            -> Format.fprintf fmt "%a" V.pretty v
    | ITunop (op,t)      -> Format.fprintf fmt "%s %a" 
	(Cprint.term_unop op) pretty t
    | ITbinop (t1,op,t2) ->  Format.fprintf fmt "%a %s %a" 
	pretty t1 (Cprint.term_binop op) pretty t2
    | ITmax tlist ->
	Format.fprintf fmt "max(%a)" (print_list comma pretty) tlist
    | ITmin tlist ->
	Format.fprintf fmt "min(%a)" (print_list comma pretty) tlist
    | ITany              -> Format.fprintf fmt "_"

  (* takes as input a term
     returns a list of variables occurring in this term, in the order 
     they appear, with possible repetitions
  *)
  let rec collect_term_vars t = match t with
    | ITconstant _ -> []
    | ITvar v -> [v]
    | ITunop (_,t1) -> collect_term_vars t1
    | ITbinop (t1,_,t2) -> collect_term_vars t1 @ (collect_term_vars t2)
    | ITmax tlist -> List.flatten (List.map collect_term_vars tlist)
    | ITmin tlist -> List.flatten (List.map collect_term_vars tlist)
    | ITany -> []

  let rec translate transl t = 
    if List.mem_assoc t transl then
      List.assoc t transl
    else
      match t with
	| ITconstant _ | ITvar _ | ITany -> 
	    t
	| ITunop (op,t1) -> 
	    ITunop (op,translate transl t1)
	| ITbinop (t1,op,t2) -> 
	    ITbinop (translate transl t1,op,translate transl t2)
	| ITmax tlist ->
	    ITmax (List.map (translate transl) tlist)
	| ITmin tlist ->
	    ITmin (List.map (translate transl) tlist)

  let rec sub t1 t2 = match t1,t2 with
    | t1,ITconstant (IntConstant "0") -> t1
    | ITconstant (IntConstant "0"),ITunop(Uminus,t2) -> t2
    | ITconstant (IntConstant "0"),t2 -> ITunop(Uminus,t2)
    | t1,ITunop(Uminus,t2) -> add t1 t2
    | _ -> ITbinop(t1,Bsub,t2)

  and add t1 t2 = match t1,t2 with
    | t1,ITconstant (IntConstant "0") -> t1
    | ITconstant (IntConstant "0"),t2 -> t2
    | t1,ITunop(Uminus,t2) -> sub t1 t2
    | _ -> ITbinop(t1,Badd,t2)

  let minus t = match t with
    | ITconstant (IntConstant s) -> 
	ITconstant (IntConstant (string_of_int (-(int_of_string s))))
    | _ -> ITunop(Uminus,t)

end

module PredicateOfVariable (V : ELEMENT_OF_CONTAINER) 
  (T : TERM with type var = V.t)
  : PREDICATE with type var = V.t =
struct
  
  type var = V.t
  type t = var int_predicate

  module T = T

  let equal = ( = )
  let compare = Pervasives.compare
  let hash = Hashtbl.hash

  let rec pretty fmt = function
    | IPfalse -> Format.fprintf fmt "false"
    | IPtrue -> Format.fprintf fmt "true"
    | IPrel (t1,rel,t2) -> Format.fprintf fmt "%a %s %a"
	T.pretty t1 (Cprint.relation rel) T.pretty t2
    | IPand (p1,p2) -> Format.fprintf fmt "%a && %a"
	pretty p1 pretty p2
    | IPor (p1,p2) -> Format.fprintf fmt "%a || %a"
	pretty p1 pretty p2
    | IPimplies (p1,p2) -> Format.fprintf fmt "%a => %a"
	pretty p1 pretty p2
    | IPiff (p1,p2) -> Format.fprintf fmt "%a <=> %a"
	pretty p1 pretty p2
    | IPnot p -> Format.fprintf fmt "! %a" pretty p
    | IPfull_separated (t1,t2) -> Format.fprintf fmt "full_separated(%a,%a)"
	T.pretty t1 T.pretty t2
    | IPnull_pointer t1 -> Format.fprintf fmt "%a == 0"
	T.pretty t1
    | IPnot_null_pointer t1 -> Format.fprintf fmt "%a != 0"
	T.pretty t1
    | IPnull_char_pointed (t1,t2) -> Format.fprintf fmt "%a[%a] == 0"
	T.pretty t1 T.pretty t2
    | IPnot_null_char_pointed (t1,t2) -> Format.fprintf fmt "%a[%a] != 0"
	T.pretty t1 T.pretty t2
    | IPany -> Format.fprintf fmt "_"

  (* explicit the more complex predicates for an easier treatment from
     the integer analysis: 
     - implication and equivalence are translated in more basic
     conjunction and disjunction (using the next item on negation)
     - negation is pushed inside sub-predicates
  *)
  let rec explicit_pred p = match p with
    | IPfalse | IPtrue | IPrel _ | IPany | IPfull_separated _ 
    | IPnull_pointer _ 
    | IPnot_null_pointer _ | IPnull_char_pointed _ | IPnot_null_char_pointed _
	-> p
    | IPand (p1,p2) -> 
	let ep1 = explicit_pred p1 in
	let ep2 = explicit_pred p2 in
	IPand (ep1,ep2)
    | IPor (p1,p2) -> 
	let ep1 = explicit_pred p1 in
	let ep2 = explicit_pred p2 in
	IPor (ep1,ep2)
    | IPimplies (p1,p2) ->
	(* strengthen the formula here, by stating that either [p1] does not
	   hold, or [p1] AND [p2] hold together *)
	explicit_pred (IPor(IPnot p1,IPand(p1,p2)))
    | IPiff (p1,p2) ->
	explicit_pred (IPand(IPimplies(p1,p2),IPimplies(p2,p1)))
    | IPnot p1 ->
	begin match explicit_pred p1 with
          | IPfalse -> IPtrue
          | IPtrue -> IPfalse
          | IPand (p3,p4) ->
	      let ep3 = explicit_pred (IPnot p3) in
	      let ep4 = explicit_pred (IPnot p4) in
	      IPor (ep3,ep4)
          | IPor (p3,p4) ->
	      let ep3 = explicit_pred (IPnot p3) in
	      let ep4 = explicit_pred (IPnot p4) in
	      IPand (ep3,ep4)
	  | IPnot p3 ->
	      p3
	  | IPrel (t3,op,t4) ->
	      let new_op = match op with
		| Lt -> Ge
		| Gt -> Le
		| Le -> Gt
		| Ge -> Lt
		| Eq -> Neq
		| Neq -> Eq
	      in
	      IPrel (t3,new_op,t4)
	  | IPimplies _ | IPiff _ -> 
	      (* those cases should not be returned by a call 
		 to [explicit_pred] *)
	      assert false
	  | IPany -> IPany
	  | IPfull_separated _ as psep -> psep
	  | IPnull_pointer t1 -> IPnot_null_pointer t1
	  | IPnot_null_pointer t1 -> IPnull_pointer t1
	  | IPnull_char_pointed (t1,t2) -> IPnot_null_char_pointed (t1,t2)
	  | IPnot_null_char_pointed (t1,t2) -> IPnull_char_pointed (t1,t2)
	end

  let rewrite_pred_wrt_var p _v _noccur = p	

  let rec collect_predicate_vars p = match p with
    | IPfalse | IPtrue | IPany -> 
	[]
    | IPnull_pointer t1 | IPnot_null_pointer t1 ->
	T.collect_term_vars t1
    | IPrel (t1,_,t2) | IPfull_separated (t1,t2) | IPnull_char_pointed (t1,t2)
    | IPnot_null_char_pointed (t1,t2) ->
	T.collect_term_vars t1 @ (T.collect_term_vars t2)
    | IPand (p1,p2) | IPor (p1,p2) | IPimplies (p1,p2) | IPiff (p1,p2) ->
	collect_predicate_vars p1 @ (collect_predicate_vars p2)
    | IPnot p1 -> 
	collect_predicate_vars p1

  let make_conjunct plist = 
    let rec make_sub p_acc plist = match p_acc,plist with
      | p_acc,[] -> p_acc
      | IPtrue,p :: plist | p,IPtrue :: plist -> make_sub p plist
      | p_acc,p :: plist -> make_sub (IPand (p_acc,p)) plist
    in
    make_sub IPtrue plist 

  let rec get_conjuncts p = match p with
    | IPand (p1,p2) -> get_conjuncts p1 @ (get_conjuncts p2)
    | _ -> [p]

  let make_implication lhs_p rhs_p = IPimplies (lhs_p,rhs_p)

  let get_implicants p = match p with
    | IPimplies (p1,p2) -> p1,p2
    | _ -> failwith "[get_implicants] expecting an implication"

  let rec translate transl p = match p with
    | IPfalse | IPtrue | IPany ->
	p
    | IPrel (t1,rel,t2) ->
	let tt1 = T.translate transl t1 in
	let tt2 = T.translate transl t2 in
	IPrel (tt1,rel,tt2)
    | IPand (p1,p2) ->
	let tp1 = translate transl p1 in
	let tp2 = translate transl p2 in
	IPand (tp1,tp2)
    | IPor (p1,p2) ->
	let tp1 = translate transl p1 in
	let tp2 = translate transl p2 in
	IPor (tp1,tp2)
    | IPimplies (p1,p2) -> 
	let tp1 = translate transl p1 in
	let tp2 = translate transl p2 in
	IPimplies (tp1,tp2)
    | IPiff (p1,p2) -> 
	let tp1 = translate transl p1 in
	let tp2 = translate transl p2 in
	IPiff (tp1,tp2)
    | IPnot p -> 
	let tp = translate transl p in
	IPnot tp
    | IPfull_separated (t1,t2) -> 
	let tt1 = T.translate transl t1 in
	let tt2 = T.translate transl t2 in
	IPfull_separated (tt1,tt2)
    | IPnull_pointer t1 -> 
	let tt1 = T.translate transl t1 in
	IPnull_pointer (tt1)
    | IPnot_null_pointer t1 -> 
	let tt1 = T.translate transl t1 in
	IPnot_null_pointer (tt1)
    | IPnull_char_pointed (t1,t2) -> 
	let tt1 = T.translate transl t1 in
	let tt2 = T.translate transl t2 in
	IPnull_char_pointed (tt1,tt2)
    | IPnot_null_char_pointed (t1,t2) -> 
	let tt1 = T.translate transl t1 in
	let tt2 = T.translate transl t2 in
	IPnot_null_char_pointed (tt1,tt2)
end

(* predicate variable interface. Same as VARIABLE, plus [translate_predicate]
   whose aim is to translate generic predicates such as [IPnull_pointer] in
   more specific ones. *)

module type PVARIABLE = sig
  include VARIABLE

  exception Introduce_variable of t

  (* containers based on [t] *)
  module S : Set.S with type elt = t
  module M : Map.S with type key = t
  module H : Hashtbl.S with type key = t

  (* modules for terms and predicates *)
  module T : TERM with type var = t
  module P : PREDICATE with type var = t

  (* containers based on terms *)
  module TS : Set.S with type elt = T.t
  module TM : Map.S with type key = T.t
  module TH : Hashtbl.S with type key = T.t

  (* containers based on predicates *)
  module PS : Set.S with type elt = P.t
  module PM : Map.S with type key = P.t
  module PH : Hashtbl.S with type key = P.t

  (* list of restrained variables may be used to better translate 
     the predicate *)
  val translate_predicate : t list -> P.t -> P.t
  (* generates a variable from a term *)
  val generate_variable : T.t -> t
end

module NPredicate =
struct

  module Self =  
  struct
    type t = Ctypes.ctype npredicate
    let equal = ( = )
    let compare = Pervasives.compare
    let hash = Hashtbl.hash
  end

  include Self 

  module S = Set.Make (Self)

  let rec get_conjuncts p = match p.npred_node with
    | NPand (p1,p2) -> get_conjuncts p1 @ (get_conjuncts p2)
    | _ -> [p]

  let make_conjunct plist = 
    let rec make_sub p_acc plist = match p_acc,plist with
      | p_acc,[] -> p_acc
      | {npred_node=NPtrue},p :: plist | p,{npred_node=NPtrue} :: plist ->
	  make_sub p plist
      | p_acc,p :: plist -> 
	  make_sub {p_acc with npred_node = NPand (p_acc,p)} plist
    in
    let plist = List.flatten (List.map get_conjuncts plist) in
    let pset = List.fold_right S.add plist S.empty in
    (* list without duplicates *)
    let plist = S.fold (fun e l -> e::l) pset [] in
    match plist with 
      | [] -> failwith "[make_conjunct] expecting non-empty list"
      | p :: _prest as plist -> make_sub {p with npred_node=NPtrue} plist 

  let subtract p1 p2 =
    let p1list = get_conjuncts p1 in
    let p2list = get_conjuncts p2 in
    let plist = List.filter (fun p -> not (List.mem p p2list)) p1list in
    match plist with
      | [] -> { p1 with npred_node = NPtrue }
      | _ -> make_conjunct plist

end

module VarElimination (V : PVARIABLE) =
struct
  exception Not_Representable

  let rec destruct v p = match p with
    | ITconstant _ -> 0,p
    | ITvar v2 -> 
	if V.equal v v2 then 1,ITconstant (IntConstant "0")
	else 0,p
    | ITunop (Uminus,p1) ->
	let fact,term = destruct v p1 in -fact,V.T.minus term
    | ITunop _ ->
	raise Not_Representable
    | ITbinop (p1,Badd,p2) ->
	let fact1,term1 = destruct v p1 in
	let fact2,term2 = destruct v p2 in
	fact1+fact2,V.T.add term1 term2
    | ITbinop (p1,Bsub,p2) ->
	let fact1,term1 = destruct v p1 in
	let fact2,term2 = destruct v p2 in
	fact1-fact2,V.T.sub term1 term2
    | ITbinop _ -> 
	raise Not_Representable
    | ITany ->
	raise Not_Representable
    | ITmin _ | ITmax _ -> 
	raise Not_Representable

  let rec min_max v p = match p with
    | IPand (p1,p2) ->
	let min_p1,max_p1 = min_max v p1 in
	let min_p2,max_p2 = min_max v p2 in
	V.TS.union min_p1 min_p2,V.TS.union max_p1 max_p2
    | IPrel (t1,Le,t2) ->
	begin try
	  let lhs_vfact,lhs_term = destruct v t1 in
	  let rhs_vfact,rhs_term = destruct v t2 in
	  match lhs_vfact - rhs_vfact with
	    | 1 -> 
		V.TS.empty,
		V.TS.singleton (V.T.sub rhs_term lhs_term)
	    | -1 -> 
		V.TS.singleton (V.T.sub lhs_term rhs_term),
		V.TS.empty
	    | _ ->
		V.TS.empty,V.TS.empty
	with Not_Representable -> V.TS.empty,V.TS.empty end
    | IPrel (t1,Ge,t2) ->
	min_max v (IPrel (t2,Le,t1))
    | IPrel (t1,Lt,t2) ->
	(* since we are working with integer variables, t1 < t2 is equivalent
	   to t1 <= t2 - 1 *)
	min_max v 
	  (IPrel (t1,Le,V.T.sub t2 (ITconstant (IntConstant "1"))))
    | IPrel (t1,Gt,t2) ->
	(* since we are working with integer variables, t1 > t2 is equivalent
	   to t2 <= t1 - 1 *)
	min_max v 
	  (IPrel (t2,Le,V.T.sub t1 (ITconstant (IntConstant "1"))))
    | IPrel (t1,Eq,t2) ->
	min_max v (IPand (IPrel (t1,Le,t2), IPrel (t1,Ge,t2)))
    | IPrel (_,Neq,_) ->
	V.TS.empty,V.TS.empty
    | _ -> failwith "[min_max] expecting conjunct"

  let relate_individual_bounds min_t max_t =
    IPrel (min_t,Le,max_t)    

  let relate_bounds min_set max_set =
    V.TS.fold (fun min_t acc_l ->
		 V.TS.fold (fun max_t acc_l -> 
			      relate_individual_bounds min_t max_t :: acc_l
			   ) max_set acc_l
	      ) min_set []

  let transitivity v p = match p with
    | IPimplies (lhs_p,rhs_p) ->
	let min_lhs_tset,max_lhs_tset = min_max v lhs_p in
	let min_rhs_tset,max_rhs_tset = min_max v rhs_p in
	let trans1 =
	  V.TS.fold (fun min_t acc_p ->
		       V.TS.fold (fun max_t acc_p -> 
				    IPand (acc_p,IPrel (min_t,Le,max_t)))
			 max_lhs_tset acc_p 
		    ) min_rhs_tset IPtrue
	in
	let trans2 =
	  V.TS.fold (fun min_t acc_p ->
		       V.TS.fold (fun max_t acc_p -> 
				    IPand (acc_p,IPrel (min_t,Le,max_t)))
			 max_rhs_tset acc_p 
		    ) min_lhs_tset IPtrue
	in
	IPand (trans1,trans2)
    | _ -> failwith "[transitivity] expecting implication"

  let fourier_motzkin v ~full:pf p = 
    let lhs_p,rhs_p = match p with
      | IPimplies (lhs_p,rhs_p) -> lhs_p,rhs_p
      | _ -> failwith "[fourier_motzkin] expecting implication"
    in
    let lhs_full_p = match pf with
      | IPimplies (lhs_p,_) -> lhs_p
      | _ -> failwith "[fourier_motzkin] expecting implication"
    in
    (* min-max in minimized version *)
    let min_lhs_tset,max_lhs_tset = min_max v lhs_p in
    let min_rhs_tset,max_rhs_tset = min_max v rhs_p in
    (* get equalities from full version *)
    let min_lhs_full_tset,max_lhs_full_tset = min_max v lhs_full_p in
    let eq_lhs_tset = V.TS.inter min_lhs_full_tset max_lhs_full_tset in
    (* remove equal terms from min-max sets *)
    let min_lhs_tset = V.TS.diff min_lhs_tset eq_lhs_tset in
    let max_lhs_tset = V.TS.diff max_lhs_tset eq_lhs_tset in
    if not (V.TS.is_empty min_rhs_tset
	    || V.TS.is_empty min_lhs_tset) then
      if V.TS.cardinal min_lhs_tset = 1 then
	let min_plist = relate_bounds min_rhs_tset min_lhs_tset in
	V.P.make_conjunct min_plist
      else
	(* treating implication of the form:
	   a < x && b < x -> c < x
	   that we rewrite into:
	   max(a,b) < x -> c < x
	*)
	let max_t = ITmax (V.TS.fold (fun x l -> x::l) min_lhs_tset []) in
	let max_t = V.TS.add max_t V.TS.empty in
	let min_plist = relate_bounds min_rhs_tset max_t in
	V.P.make_conjunct min_plist
    else if not (V.TS.is_empty max_rhs_tset
		 || V.TS.is_empty max_lhs_tset) then
      if V.TS.cardinal max_lhs_tset = 1 then
	let max_plist = relate_bounds max_lhs_tset max_rhs_tset in
	V.P.make_conjunct max_plist
      else
	(* treating implication of the form:
	   a > x && b > x -> c > x
	   that we rewrite into:
	   min(a,b) > x -> c > x
	*)
	let min_t = ITmin (V.TS.fold (fun x l -> x::l) max_lhs_tset []) in
	let min_t = V.TS.add min_t V.TS.empty in
	let max_plist = relate_bounds min_t max_rhs_tset in
	V.P.make_conjunct max_plist
    else if not (V.TS.is_empty eq_lhs_tset) then
      let eqt = V.TS.min_elt eq_lhs_tset in
      if not (V.TS.is_empty min_rhs_tset) then
	let min_plist = relate_bounds min_rhs_tset (V.TS.singleton eqt) in
	V.P.make_conjunct min_plist
      else if not (V.TS.is_empty max_rhs_tset) then
	let max_plist = relate_bounds (V.TS.singleton eqt) max_rhs_tset in
	V.P.make_conjunct max_plist
      else IPtrue
    else IPtrue
      
end
why-2.34/c/cprint.mli0000644000175000017500000000541112311670312013042 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Pretty-printer for normalized AST *)

open Format
open Clogic
open Cast

val term_unop : Clogic.term_unop -> string

val term_binop : Clogic.term_binop -> string

val relation : Clogic.relation -> string

val nexpr : formatter -> nexpr -> unit

val nstatement : formatter -> nstatement -> unit

val ndecl : formatter -> ndecl located -> unit

val nfile : formatter -> nfile -> unit

val npredicate :  formatter -> npredicate -> unit

val nterm : formatter -> nterm -> unit

val nfunctions : formatter -> unit
why-2.34/c/cinterp.ml0000644000175000017500000025445412311670312013053 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format
open Coptions
open Output
open Info
open Cast
open Clogic
open Creport
open Ctypes
open Cseparation
open Pp

(* locs table *)

type kind =
  | ArithOverflow
  | DownCast
  | IndexBounds
  | PointerDeref
  | UserCall
  | DivByZero
  | Pack
  | Unpack

let locs_table = Hashtbl.create 97
let name_counter = ref 0

let abs_fname f =
  if Filename.is_relative f then
    Filename.concat (Unix.getcwd ()) f 
  else f

let reg_loc ?id ?oldid ?kind ?name ?beh (b,e) =  
  let id,_oldid = match id,oldid with
    | None,_ ->  
	incr name_counter;
	"CADUCEUS_" ^ string_of_int !name_counter, oldid
    | Some n, None -> n,Some n
    | Some n, Some o -> n, Some o
  in
  let (name,f,l,b,e) = 
      let f = abs_fname b.Lexing.pos_fname in
      let l = b.Lexing.pos_lnum in
      let fc = b.Lexing.pos_cnum - b.Lexing.pos_bol in
      let lc = e.Lexing.pos_cnum - b.Lexing.pos_bol in
      (name,f,l,fc,lc)
  in
  Coptions.lprintf "recording location for id '%s'@." id;
  Hashtbl.replace locs_table id (kind,name,beh,f,l,b,e);
  id
    
let print_kind fmt k =
  fprintf fmt "%s"
    (match k with
       | Pack -> "Pack"
       | Unpack -> "Unpack"
       | DivByZero -> "DivByZero"
       | UserCall -> "UserCall"
       | PointerDeref -> "PointerDeref"
       | IndexBounds -> "IndexBounds"
       | DownCast -> "DownCast"
       | ArithOverflow -> "ArithOverflow"
    )

let print_locs fmt =
  Hashtbl.iter 
    (fun id (kind,name,beh,f,l,b,e) ->
       fprintf fmt "[%s]@\n" id;
       Option_misc.iter
	 (fun k -> fprintf fmt "kind = %a@\n" print_kind k) kind;
       Option_misc.iter
	 (fun n -> fprintf fmt "name = \"%s\"@\n" n) name;
       Option_misc.iter
	 (fun b -> fprintf fmt "behavior = \"%s\"@\n" b) beh;
       fprintf fmt "file = \"%s\"@\n" f;
       fprintf fmt "line = %d@\n" l;
       fprintf fmt "begin = %d@\n" b;
       fprintf fmt "end = %d@\n@\n" e)
    locs_table

(* end locs table *)

let print_effects2 fmt l =
  fprintf fmt "@[%a@]"
    (print_list space (fun fmt (z,s,_) -> fprintf fmt " %s_%s " s z.name)) 
    (ZoneSet.elements l)

let print_effects fmt l =
  fprintf fmt "@[%a@]"
    (print_list space (fun fmt v -> pp_print_string fmt v.var_unique_name)) 
    (HeapVarSet.elements l)

let heap_var_name v =
  match v.var_why_type with
    | Info.Memory(_,z) ->
	v.var_unique_name ^ "_" ^ (found_repr z)
    | _ -> v.var_unique_name

let is_bin_op = function
  | "add_int"
  | "sub_int" -> true
  | _ -> false

let rec is_pure e =
  match e.expr_node with
    | Var _ | Deref _ | Cte _ -> true
    | App({ expr_node = Var id},l) -> is_bin_op id && is_pure l
    | App(e1,e2) -> is_pure e1 && is_pure e2
    | _ -> false

let tempvar_count = ref 0
let reset_tmp_var () = tempvar_count := 0
let tmp_var () = incr tempvar_count; "caduceus_" ^ string_of_int !tempvar_count

let interp_int_rel = function
  | Lt -> "lt_int"
  | Le -> "le_int"
  | Gt -> "gt_int"
  | Ge -> "ge_int"
  | Eq -> "eq_int"
  | Neq -> "neq_int"

let interp_real_rel = function
  | Lt -> "lt_real"
  | Le -> "le_real"
  | Gt -> "gt_real"
  | Ge -> "ge_real"
  | Eq -> "eq_real"
  | Neq -> "neq_real"

let interp_pointer_rel = function
  | Lt -> "lt_pointer"
  | Le -> "le_pointer"
  | Gt -> "gt_pointer"
  | Ge -> "ge_pointer"
  | Eq -> "eq"
  | Neq -> "neq"

let real_of_int (t : nctype nterm) = 
  { nterm_type = c_real; 
    nterm_loc = Loc.dummy_position;
    nterm_node = NTunop (Ufloat_of_int, t);
  }

let interp_rel (t1 : nctype nterm) t2 r = 
  match t1.nterm_type.ctype_node, t2.nterm_type.ctype_node with
  | (Tenum _ | Tint _), (Tenum _ | Tint _) -> 
      t1, interp_int_rel r, t2
  | (Tfloat Real), (Tfloat Real) -> 
      t1, interp_real_rel r, t2
  | (Tenum _ | Tint _), (Tfloat Real) -> 
      real_of_int t1, interp_real_rel r, t2
  | (Tfloat Real), (Tenum _ | Tint _) -> 
      t1, interp_real_rel r, real_of_int t2
  | (Tarray _|Tpointer _), (Tarray _|Tpointer _) -> 
      t1, interp_pointer_rel r, t2
  | _ ->
      (match r with Eq -> t1,"eq",t2 | Neq -> t1,"neq",t2 | _ -> assert false)

let interp_term_bin_op ty1 ty2 op =
  match ty1.ctype_node, ty2.ctype_node, op with
  | (Tenum _ | Tint _), _, Badd -> "add_int"
  | (Tenum _ | Tint _), _, Bsub -> "sub_int"
  | (Tenum _ | Tint _), _, Bmul -> "mul_int"
  | (Tenum _ | Tint _), _, Bdiv -> "div_int"
  | (Tenum _ | Tint _), _, Bmod -> "mod_int"
  | Tfloat _, _, Badd -> "add_real"
  | Tfloat _, _, Bsub -> "sub_real"
  | Tfloat _, _, Bmul -> "mul_real"
  | Tfloat _, _, Bdiv -> "div_real"
  | _, _, Bpow_real -> "pow_real"
  | _, _, Bbw_and -> "bw_and"
  | _, _, Bbw_xor -> "bw_xor"
  | _, _, Bbw_or -> "bw_or"
  | _, _, Bshift_left -> "lsl"
  | _, _, Bshift_right -> "lsr"
  | (Tpointer _ | Tarray _), _, Badd -> "shift"
  | (Tpointer _ | Tarray _), (Tenum _ | Tint _), Bsub -> 
      assert false (* normalized at typing *)
  | (Tpointer _ | Tarray _), (Tpointer _ | Tarray _), Bsub -> "sub_pointer"
  | (Tpointer _ | Tarray _), _, Bsub -> assert false
  | Tfloat _, _, Bmod -> assert false
  | Tarray _, _, (Bmod|Bdiv|Bmul) -> assert false
  | Tpointer _, _, (Bmod|Bdiv|Bmul) -> assert false
  | Tfun (_, _), _, _-> assert false 
  | Tunion _ , _, _ -> assert false
  | Tstruct _ , _, _-> assert false
  | Tvar _ , _, _-> assert false 
  | Tvoid , _, _-> assert false

let string_of_rounding_mode = function
  | RM_nearest_even -> "nearest_even"
  | RM_to_zero -> "to_zero"
  | RM_up -> "up"
  | RM_down -> "down"
  | RM_nearest_away -> "nearest_away"
  | RM_dynamic -> assert false

let select_fk s d q = function
  | Float -> s | Double -> d | LongDouble -> q | Real -> assert false

let term_rounding_mode = LVar (string_of_rounding_mode dft_fp_rounding_mode)

let term_bin_op ty1 ty2 op t1 t2 =
  match ty1.ctype_node, op, t2 with
    | (Tpointer _ | Tarray _), Badd, LConst (Prim_int "0") ->
	t1
    | Tfloat (Float | Double | LongDouble as fk), _, _ when floats ->
	let s = match op with
	  | Badd -> select_fk "add_single" "add_double" "add_quad" fk
	  | Bsub -> select_fk "sub_single" "sub_double" "sub_quad" fk
	  | Bmul -> select_fk "mul_single" "mul_double" "mul_quad" fk
	  | Bdiv -> select_fk "div_single" "div_double" "div_quad" fk
	  | _ -> assert false
	in
	LApp (s, [term_rounding_mode; t1; t2])
    | _ -> 
	LApp (interp_term_bin_op ty1 ty2 op, [t1; t2])

let interp_term_un_op ty op t = match ty.ctype_node, op with
  | (Tenum _ | Tint _), Uminus -> LApp ("neg_int", [t])
  | Tfloat (Float | Double | LongDouble as fk), Uminus when floats -> 
      let s = select_fk "neg_single" "neg_double" "neg_quad" fk in
      LApp (s, [term_rounding_mode; t])
  | Tfloat _, Uminus -> LApp ("neg_real", [t])
  | _, Uabs_real -> LApp ("abs_real", [t])
  | _, Usqrt_real -> LApp ("sqrt_real", [t])
  | _ -> assert false

let interp_var label v =
  match label with 
    | None -> LVar v 
    | Some l -> LVarAtLabel(v,l)

let zoned_name (f : string) (ty : Info.why_type) =
  match ty with
    | Pointer z -> f ^ "_" ^ (found_repr ~quote_var:false z)
    | Addr _ 
    | Info.Int -> assert false
    | Info.Real -> assert false
    | Unit -> assert false
    | Why_Logic _s ->  assert false
    | Memory(_t,_z) -> assert false
  
let term_float_conversion fk1 fk2 e = 
  if not floats then e else
  match fk1, fk2 with
    | Real, Float -> LApp ("r_to_s", [term_rounding_mode; e])
    | Real, Double -> LApp ("r_to_d", [term_rounding_mode; e])
    | Real, LongDouble -> LApp ("r_to_q", [term_rounding_mode; e])
    | Float, Real -> LApp ("s_to_r", [e])
    | Double, Real -> LApp ("d_to_r", [e])
    | LongDouble, Real -> LApp ("q_to_r", [e])
    | Float, Double -> 
	LApp ("double_of_single", [e])
    | Double, Float -> 
	LApp ("single_of_double", [term_rounding_mode; e ])
    | Float, LongDouble -> 
	LApp ("quad_of_single", [e])
    | LongDouble, Float -> 
	LApp ("single_of_quad", [term_rounding_mode; e ])
    | Double, LongDouble -> 
	LApp ("quad_of_double", [e])
    | LongDouble, Double -> 
	LApp ("double_of_quad", [term_rounding_mode; e ])
    | fk1, fk2 when fk1 = fk2 ->
	e
    | _ -> 
	assert false

let int_of (_,i as ik) e =
  if machine_ints && i <> ExactInt then
    let name = Cenv.int_type_for ik in LApp ("of_" ^ name, [e])
  else
    e

let int_of_enum tag e =
  if enum_check then
    let name = Cenv.enum_type_for tag in LApp ("of_" ^ name, [e])
  else
    e

let term_int_conversion ty1 ty2 e =
  match ty1, ty2 with
    (* int -> exact int *)
    | Tint si1, Tint (_, ExactInt) ->
	int_of si1 e
    (* enum -> exact int *)
    | Tenum t1, Tint (_, ExactInt) ->
	int_of_enum t1 e
    (* int,enum -> int,enum ?? *)
    | (Tint _ | Tenum _), (Tint _ | Tenum _) ->
	assert false
    | _ -> 
	assert false

let rec interp_term label old_label t =
  let f = interp_term label old_label in
  match t.nterm_node with
    | NTconstant (IntConstant c) ->
	LConst(Prim_int (try Int64.to_string (Cconst.int t.nterm_loc c)
			 with _ -> c))
    | NTconstant (RealConstant c) ->
	LConst(Prim_real c)
    | NTstring_literal _ -> unsupported t.nterm_loc "string literal"
    | NTvar id ->
	let n = id.var_unique_name in
	if id.var_is_assigned && not id.var_is_a_formal_param then
	  interp_var label n
	else LVar n
    | NTold t -> interp_term (Some old_label) old_label t
    | NTbinop (t1, op, t2) ->
	term_bin_op t1.nterm_type t2.nterm_type op (f t1) (f t2)
    | NTbase_addr t -> 
	LApp("base_addr",[f t])
    | NToffset t -> 
	LApp("offset",[f t])
    | NTblock_length t -> 
	(* [block_length] should not be used with the 
	   arithmetic memory model *)
	assert (not arith_memory_model);
	LApp("block_length",[interp_var label "alloc"; f t])
    | NTarrlen t -> 
	if no_alloc_table then
	  LApp("arrlen",[f t])
	else
	  LApp("arrlen",[interp_var label "alloc"; f t])
    | NTstrlen (t,_zone,var) -> 
	(* [strlen(p)] depends on the value pointed to by [p].
	   Pass an additional parameter for the memory. *)
	let te = f t in
	let var = zoned_name var.var_unique_name (Cnorm.type_why_for_term t)
	in
	LApp("strlen",[interp_var label var;te])
    | NTmin (t1,t2) -> 
	LApp("min",[f t1; f t2])
    | NTmax (t1,t2) -> 
	LApp("max",[f t1; f t2])
    | NTminint { ctype_node = Tint (s,i) } ->
	LConst (Prim_int (Invariant.min_int (s, Cenv.int_size i)))
    | NTmaxint { ctype_node = Tint (s,i) } ->
	LConst (Prim_int (Invariant.max_int (s, Cenv.int_size i)))
    | NTminint _ | NTmaxint _ -> 
	assert false
    | NTat (t, l) -> 
	interp_term (Some l) old_label t
    | NTif (t1, t2, t3) -> 
	LApp ("ite", [interp_boolean_term label old_label t1; f t2; f t3])
    | NTarrow (t,_z, field) -> 
	let te = f t in
	let var = zoned_name field.var_unique_name (Cnorm.type_why_for_term t)
	in
	LApp("acc",[interp_var label var;te])
    | NTunop (Utilde, t) -> 
	LApp ("bw_compl", [f t])
    | NTunop (Ustar, _) -> 
	assert false
    | NTunop (Uamp, t1) -> 
	interp_term_address label old_label t1
    | NTunop (Uminus | Uabs_real | Usqrt_real as op, t1) -> 
	interp_term_un_op t1.nterm_type op (f t1)
    | NTunop (Uplus, t1) ->
	(f t1)
    | NTunop (Unot, t1) -> 
	LApp ("ite", 
	      [interp_boolean_term label old_label t1; 
	       LConst (Prim_int "0"); LConst (Prim_int "1")])
    | NTunop (Ufloat_of_int, t1) ->
	let e = LApp ("real_of_int", [f t1]) in
	begin match t.nterm_type.ctype_node with
	  | Tfloat fk -> term_float_conversion Real fk e
	  | _ -> assert false
	end
    | NTunop (Uint_of_float, t1) ->
	let e = match t1.nterm_type.ctype_node with
	  | Tfloat fk -> term_float_conversion fk Real (f t1)
	  | _ -> assert false
	in
	LApp ("int_of_real", [e])
    | NTunop (Ufloat_conversion, t1) ->
	begin match t1.nterm_type.ctype_node, t.nterm_type.ctype_node with
	  | Tfloat fk1, Tfloat fk2 -> term_float_conversion fk1 fk2 (f t1)
	  | _ -> assert false
	end
    | NTunop (Uint_conversion, t1) ->
	begin match t1.nterm_type.ctype_node, t.nterm_type.ctype_node with
	  | (Tenum _ | Tint _ as ty1), (Tint (_, ExactInt) as ty2) -> 
	      term_int_conversion ty1 ty2 (f t1)
	  | _ty1,_ty2 -> 
	      error t1.nterm_loc "cannot convert type %a to %a" 
		Creport.print_type t1.nterm_type Creport.print_type t.nterm_type; 
	end
    | NTunop ((Uround_error | Utotal_error), _t1) when not floats ->
	LConst (Prim_real "0.0")
    | NTunop (Uround_error, t1) ->
	begin match t1.nterm_type.ctype_node with
	  | Tfloat Float -> LApp ("single_round_error", [f t1])
	  | Tfloat Double -> LApp ("double_round_error", [f t1])
	  | Tfloat LongDouble -> LApp ("quad_round_error", [f t1])
	  | _ -> assert false
	end
    | NTunop (Utotal_error, t1) ->
	begin match t1.nterm_type.ctype_node with
	  | Tfloat Float -> LApp ("single_total_error", [f t1])
	  | Tfloat Double -> LApp ("double_total_error", [f t1])
	  | Tfloat LongDouble -> LApp ("quad_total_error", [f t1])
	  | _ -> assert false
	end
    | NTunop ((Uexact | Umodel), t1) when not floats ->
	f t1
    | NTunop (Uexact, t1) ->
	begin match t1.nterm_type.ctype_node with
	  | Tfloat Float -> LApp ("s_to_exact", [f t1])
	  | Tfloat Double -> LApp ("d_to_exact", [f t1])
	  | Tfloat LongDouble -> LApp ("q_to_exact", [f t1])
	  | _ -> assert false
	end
    | NTunop (Umodel, t1) ->
	begin match t1.nterm_type.ctype_node with
	  | Tfloat Float -> LApp ("s_to_model", [f t1])
	  | Tfloat Double -> LApp ("d_to_model", [f t1])
	  | Tfloat LongDouble -> LApp ("q_to_model", [f t1])
	  | _ -> assert false
	end
    | NTapp {napp_pred = v; napp_args = tl; napp_zones_assoc = assoc} ->
	let reads = ZoneSet.fold 
	  (fun (z,s,ty) acc ->
	     let z = repr z in
	     ((try Cnorm.assoc_zone z assoc with Not_found -> z),s,ty)::acc)
	  v.logic_heap_zone [] in
	let targs = List.map f tl in
	let targs = HeapVarSet.fold 
	  (fun x acc -> (interp_var label (heap_var_name x)) :: acc) 
	  v.logic_heap_args targs in
	let targs = List.fold_right 
	  (fun (z,s,_) l -> (interp_var label (zoned_name s (Pointer z)))::l)
	  reads targs 
	in
	LApp (v.logic_name,targs)
    | NTcast({ctype_node = Tpointer _}, 
	     {nterm_node = NTconstant (IntConstant "0")}) ->
	LVar "null"
    | NTcast (ty, t) -> 
	begin match ty.ctype_node, t.nterm_type.ctype_node with
	  | (Tenum _ | Tint _), (Tenum _ | Tint _) ->
	      f t
	  | Tfloat fk1, Tfloat fk2 -> 
	      term_float_conversion fk2 fk1 (f t)
	  | Tfloat fk, (Tenum _ | Tint _) ->
	      term_float_conversion Real fk (LApp ("real_of_int", [f t]))
	  | (Tenum _ | Tint _), Tfloat fk ->
	      LApp ("int_of_real", [term_float_conversion fk Real (f t)])
	  | ty1, ty2 when Cenv.eq_type_node ty1 ty2 -> 
	      f t
	  | _ -> 
	      unsupported t.nterm_loc "logic cast"
	end
    | NTrange _ ->
	error t.nterm_loc "range operator .. invalid here"

and interp_term_address  label old_label e = match e.nterm_node with
  | NTvar v -> 
      begin match e.nterm_type.ctype_node with
	| Tstruct _ | Tunion _ -> LVar v.var_unique_name
	| _ -> unsupported e.nterm_loc "& operator"
      end
  | NTunop (Ustar, e1) -> 
      interp_term  label old_label e1
  | NTarrow (e1,_z, f) ->
      begin match e.nterm_type.ctype_node with
	| Tenum _ | Tint _ | Tfloat _ -> 
  	    interp_term  label old_label e1
	| Tstruct _ | Tunion _ | Tpointer _ | Tarray _ ->
	    let var = zoned_name f.var_unique_name (Cnorm.type_why_for_term e1)
	    in
	    LApp("acc",[interp_var label var; interp_term label old_label e1])
	| _ -> unsupported e.nterm_loc "& operator on a field"
      end
  | NTcast (_, e1) ->
      interp_term_address  label old_label e1
  | _ -> 
      assert false (* not a left value *)

and interp_boolean_term label old_label t = 
  (* t <> 0 *)
  let cmp,zero = match t.nterm_type.Ctypes.ctype_node with
    | Tenum _ | Tint _ -> 
	"neq_int_bool", LConst (Prim_int "0")
    | Tfloat _fk -> 
	assert false (* TODO *)
    | Tarray _ | Tpointer _ -> 
	assert false (* TODO *)
    | _ -> 
	assert false
  in
  LApp (cmp, [interp_term label old_label t; zero])

let has_prefix p s = 
  let n = String.length p in String.length s >= n && String.sub s 0 n = p

let is_internal_pred s = String.length s >= 1 && String.sub s 0 1 = "%"

let rec interp_predicate label old_label p =
  let f = interp_predicate label old_label in
  let ft = interp_term label old_label in
  match p.npred_node with
    | NPtrue -> 
	LTrue
    | NPexists (l, p) -> 
	List.fold_right
	  (fun (_t,x) p -> 
	     LExists(x.var_unique_name,
		     Info.output_why_type x.var_why_type, [],p)) l (f p)
    | NPforall (l, p) ->	
	List.fold_right
	  (fun (_t,x) p -> 
	     LForall(x.var_unique_name,
		     Info.output_why_type x.var_why_type, [],p)) l (f p)
    | NPif (t, p1, p2) -> 
	let t = ft t in
	let zero = LConst (Prim_int "0") in
	LAnd (make_impl (LPred ("neq_int", [t; zero])) (f p1),
	      make_impl (LPred ("eq_int",  [t; zero])) (f p2))
    | NPnot p -> 
	LNot (f p)
    | NPimplies (p1, p2) -> 
	make_impl (f p1) (f p2)
    | NPiff (p1, p2) -> 
	make_equiv (f p1) (f p2)
    | NPor (p1, p2) -> 
	make_or (f p1) (f p2)
    | NPand (p1, p2) -> 
	make_and (f p1) (f p2)
    | NPrel (t1, op, t2) ->
	let t1,op,t2 = interp_rel t1 t2 op in
	LPred(op,[ft t1;ft t2])
    | NPapp {napp_pred = v; napp_args = tl} 
	when is_internal_pred v.logic_name ->
       let n = v.logic_name in
       let name,num =
	 if has_prefix "%valid_acc_range" n then "valid_acc_range", 1
	 else if has_prefix "%valid_acc" n then "valid_acc", 1
	 else if has_prefix "%separation1_range1" n then "separation1_range1",2
	 else if has_prefix "%separation1_range" n then "separation1_range", 1
	 else if has_prefix "%separation1" n then "separation1", 2
	 else if has_prefix "%separation2_range1" n then "separation2_range1",2
	 else if has_prefix "%separation2" n then "separation2", 2
	 else assert false
       in
       let tl = match tl, num with
	 | [x], 2 -> [x; x]
	 | _ -> tl
       in
       LPred(name, List.map ft tl)
    | NPapp {napp_pred = v; napp_args = tl; napp_zones_assoc = assoc} ->
	let reads = ZoneSet.fold 
	  (fun (z,s,ty) acc ->
	     let z = repr z in
	     ((try Cnorm.assoc_zone z assoc with Not_found -> z),s,ty)::acc)
	  v.logic_heap_zone [] in
	let targs = List.map ft tl in
	let targs = HeapVarSet.fold 
		 (fun x acc -> (interp_var label (heap_var_name x)) :: acc) 
		 v.logic_heap_args targs in
	let targs = List.fold_right 
	  (fun (z,s,_) l -> 
	     (interp_var label (zoned_name s (Pointer z)))::l)
	  reads targs in
	LPred (v.logic_name,targs)
    | NPfalse -> 
	LFalse
    | NPold p -> 
	interp_predicate (Some old_label) old_label p
    | NPat (p, l) -> 
	interp_predicate (Some l) old_label p
    | NPfresh (t) ->
	(* [fresh] should not be used when the alloc table is dropped *)
	assert (not no_alloc_table);
	LPred("fresh",[interp_var (Some old_label) "alloc"; ft t])
    | NPvalid (t) ->
	if no_alloc_table then
	  LPred("valid",[ft t])
	else
	  LPred("valid",[interp_var label "alloc"; ft t])
    | NPvalid_index (t,a) ->
	if no_alloc_table then
	  LPred("valid_index",[ft t;ft a])
	else
	  LPred("valid_index",[interp_var label "alloc"; ft t;ft a])
    | NPvalid_range (t,a,b) ->
	begin 
	  match a.nterm_node , b.nterm_node with
	    | NTconstant (IntConstant "0"), NTconstant (IntConstant "0") -> 
		if no_alloc_table then
		  LPred("valid",[ft t])
		else
		  LPred("valid",[interp_var label "alloc"; ft t])
	    | _ ->
		if no_alloc_table then
		  LPred("valid_range",[ft t;ft a;ft b])
		else
		  LPred("valid_range",
			[interp_var label "alloc"; ft t;ft a;ft b])
	end
    | NPnamed (n, p) ->
	LNamed (n, f p)
    | NPseparated (t1,t2) ->
	LPred("separated",[ft t1;ft t2])
    | NPfull_separated (t1,t2) ->
	LPred("full_separated",[ft t1;ft t2])
    | NPbound_separated (t1,t2,t3,t4) ->
	LPred("bound_separated",[ft t1;ft t2;ft t3;ft t4])

(*
let interp_predicate label old_label p = 
  let w = interp_predicate label old_label p in
  if p.npred_loc = Loc.dummy_position then
    w
  else
    LNamed ("\"" ^ String.escaped (Loc.string p.npred_loc) ^ "\"", w)
*)

let named_predicate loc = function
  | LNamed _ as a -> a
  | a -> let n = reg_loc loc in LNamed (n,a)

let interp_predicate label oldlabel a =
  let a' = interp_predicate label oldlabel a in
  named_predicate a.npred_loc a'

let interp_predicate_opt label old_label pred =
  match pred with
    | None -> LTrue
    | Some p -> interp_predicate label old_label p


let guarded_app f kind loc x y =
 make_label (reg_loc ~kind loc) (f x y)

let guarded_make_app = guarded_app Output.make_app

let guarded_make_app_e = guarded_app Output.make_app_e

let guarded_build_complex_app = 
  guarded_make_app (*guarded_app build_complex_app*)


let rounding_mode () = match !fp_rounding_mode with
  | RM_dynamic -> mk_expr (Deref "rounding_mode")
  | m -> mk_var (string_of_rounding_mode m)

let interp_float_of_int ft e =
  let e = make_app "real_of_int" [e] in
  if floats then match ft.Ctypes.ctype_node with
    | Tfloat Float -> make_app "r_to_s" [rounding_mode (); e]
    | Tfloat Double -> make_app "r_to_d" [rounding_mode (); e]
    | Tfloat LongDouble -> make_app "r_to_q" [rounding_mode (); e]
    | Tfloat Real -> e
    | _ -> assert false
  else
    e

let interp_int_of_float ft e =
  let e = 
    if floats then match ft.Ctypes.ctype_node with
      | Tfloat Float -> make_app "s_to_r" [e]
      | Tfloat Double -> make_app "d_to_r" [e]
      | Tfloat LongDouble -> make_app "q_to_r" [e]
      | Tfloat Real -> e
      | _ -> assert false
    else
      e
  in
  make_app "int_of_real" [e]

(* float conversion ty1 -> ty2 *)
let interp_float_conversion ty1 ty2 e = 
  if not floats then e else
  match ty1.Ctypes.ctype_node, ty2.Ctypes.ctype_node with
    | Tfloat Real, Tfloat Float -> make_app "r_to_s" [rounding_mode (); e]
    | Tfloat Real, Tfloat Double -> make_app "r_to_d" [rounding_mode (); e]
    | Tfloat Real, Tfloat LongDouble -> make_app "r_to_q" [rounding_mode (); e]
    | Tfloat Float, Tfloat Real -> make_app "s_to_r" [e]
    | Tfloat Double, Tfloat Real -> make_app "d_to_r" [e]
    | Tfloat LongDouble, Tfloat Real -> make_app "q_to_r" [e]
    | Tfloat Float, Tfloat Double -> 
	make_app "double_of_single" [e]
    | Tfloat Double, Tfloat Float -> 
	make_app "single_of_double" [rounding_mode (); e ]
    | Tfloat Float, Tfloat LongDouble -> 
	make_app "quad_of_single" [e]
    | Tfloat LongDouble, Tfloat Float -> 
	make_app "single_of_quad" [rounding_mode (); e ]
    | Tfloat Double, Tfloat LongDouble -> 
	make_app "quad_of_double" [e]
    | Tfloat LongDouble, Tfloat Double -> 
	make_app "double_of_quad" [rounding_mode (); e ]
    | Tfloat fk1, Tfloat fk2 when fk1 = fk2 ->
	e
    | _ -> 
	assert false

let int_size = Cenv.int_size

let le_cinteger i1 i2 = int_size i1 <= int_size i2

let lt_cinteger i1 i2 = int_size i1 < int_size i2

let min_cinteger = Invariant.min_cinteger
let max_cinteger = Invariant.max_cinteger

let le_max_int i e = LPred ("le_int", [e; LConst (Prim_int (max_cinteger i))])

let is_non_negative e = LPred ("le_int", [LConst (Prim_int "0"); e])

let not_zero e = LPred ("neq_int", [e; LConst (Prim_int "0")])

let within_bounds i e = 
  LAnd (LPred ("le_int", [LConst (Prim_int (min_cinteger i)); e]), 
       le_max_int i e)

let is_enum e t = 
  let _,info = Cenv.find_pred ("is_enum_" ^ e) in LPred (info.logic_name, [t])

let of_int loc (_,i as ik) e =
  if machine_ints && i <> ExactInt then
    let name = Cenv.int_type_for ik in guarded_make_app ArithOverflow loc (name ^ "_of_int") [e]
  else
    e

let int_of (_,i as ik) e =
  if machine_ints && i <> ExactInt then
    let name = Cenv.int_type_for ik in make_app ("of_" ^ name) [e]
  else
    e

let enum_of_int tag e =
  if enum_check then
    let name = Cenv.enum_type_for tag in make_app (name ^ "_of_int") [e]
  else
    e

let int_of_enum tag e =
  if enum_check then
    let name = Cenv.enum_type_for tag in make_app ("of_" ^ name) [e]
  else
    e

let guard_1 g e =
  let v = tmp_var () in 
  mk_expr (Let (v, e, mk_expr (Output.Assert (`ASSERT,g (LVar v), mk_var v))))

(* int conversion ty1 -> ty2 *)
let interp_int_conversion loc ty1 ty2 e = 
  match ty1.Ctypes.ctype_node, ty2.Ctypes.ctype_node with
    (* enum -> enum *)
    | Tenum t1, Tenum t2 ->
	enum_of_int t2 (int_of_enum t1 e) 
    (* enum -> int *)
    | Tint si1, Tenum t2 ->
	enum_of_int t2 (int_of si1 e)
    (* int -> enum *)
    | Tenum t1, Tint si2 ->
	of_int loc si2 (int_of_enum t1 e)
    (* int -> int, no check *)
    | Tint si1, Tint si2 ->
	of_int loc si2 (int_of si1 e)
    | _ -> 
	e
(***** TODO: some checks can be safely avoided
    (* exact int -> int *)
    | Tint (_, ExactInt), Tint si2 ->
	of_int si2 e
    (* int -> exact int *)
    | Tint si1, Tint (_, ExactInt) ->
	int_of si1 e
    (* int -> int *)
    | Tint (Unsigned, i1 as si1), Tint (Unsigned, i2 as si2) 
    | Tint (Signed, i1 as si1), Tint (Signed, i2 as si2) 
      when le_cinteger i1 i2 -> 
	of_int si2 (int_of si1 e) (* TODO safe *)
    | Tint (Unsigned, i1 as si1), Tint (Signed, i2 as si2) 
      when lt_cinteger i1 i2 -> 
	of_int si2 (int_of si1 e) (* TODO safe *)
    | Tint (Unsigned, i1 as si1), Tint si2 ->
	of_int si2 (int_of si1 e) (* TODO half safe: e <= le_max_int si2 *)
    | Tint (Signed, i1 as si1), Tint (Unsigned, i2 as si2) 
      when le_cinteger i1 i2 ->
	of_int si2 (int_of si1 e) (* TODO half safe: 0 <= e *)
    | Tint (Signed, _ as si1), Tint si2 ->
	of_int si2 (int_of si1 e)
*******)

let float_binop ~cmp fk opr ops opd opq =
  if floats then
    let op = match fk with 
      | Float -> ops
      | Double -> opd
      | LongDouble -> opq
      | Real -> opr
    in
    if cmp || fk = Real then
      mk_var op
    else
      make_app (if fp_overflow_check then op ^ "_" else op)
	[rounding_mode ()]
  else
    mk_var opr

let float_unop fk = function
  | Cast.Uminus -> 
      if floats && fk <> Real then 
	let op = match fk with
	  | Float -> "neg_single"
	  | Double -> "neg_double"
	  | LongDouble -> "neg_quad"
	  | Real -> assert false
	in
	mk_expr (App (mk_var op, rounding_mode ()))
      else 
	mk_var "neg_real"
  | _ -> assert false

(* arithmetic operations with overflow guards *)

let simple_logic_type s =
  { logic_type_args = [] ; logic_type_name = s}

(* buils the declarations for integer types with checks *)
let make_int_types_decls () =
  let int = Base_type (simple_logic_type "int") in
  let make_one acc ((signed, size) as i) =
    let name = Cenv.int_type_for_size signed size in
    let min = Invariant.min_int i in
    let max = Invariant.max_int i in
    let of_name = "of_" ^ name in
    let mod_name = "mod_" ^ name in
    let lt = simple_logic_type name in
    let in_bounds t = 
      LAnd (LPred ("le_int", [LConst (Prim_int min); t]),
 	    LPred ("le_int", [t; LConst (Prim_int max)]))
    in
    (Type (id_no_loc name, [])) 
    ::
    (Logic (false, id_no_loc of_name, ["x", lt], simple_logic_type "int")) 
    ::
    (Goal(KAxiom,id_no_loc (name ^ "_domain"), 
	     LForall ("x", lt,  [],in_bounds (LApp (of_name, [LVar "x"]))))) 
    ::
    (if int_model = IMmodulo then
       let width = LConst (Prim_int (Invariant.string_two_power_n size)) in
       let fmod t = LApp (mod_name, [t]) in
       [Logic (false, id_no_loc mod_name, 
	       ["x", simple_logic_type "int"], simple_logic_type "int");
	Goal(KAxiom,id_no_loc (mod_name ^ "_id"),
	       LForall ("x", simple_logic_type "int", [],
		       LImpl (in_bounds (LVar "x"), 
		             LPred ("eq", [LApp (mod_name, [LVar "x"]);
					   LVar "x"]))));
	Goal(KAxiom,id_no_loc (mod_name ^ "_lt"),
	       LForall ("x", simple_logic_type "int", [],
		       LImpl (LPred ("lt_int", [LVar "x"; 
						LConst (Prim_int min)]), 
		             LPred ("eq", [fmod (LVar "x");
					   fmod (LApp ("add_int", 
						      [LVar "x"; width]))]))));
	Goal(KAxiom,id_no_loc (mod_name ^ "_gt"),
	       LForall ("x", simple_logic_type "int", [],
		       LImpl (LPred ("gt_int", [LVar "x"; 
						LConst (Prim_int max)]), 
		             LPred ("eq", [fmod (LVar "x");
					   fmod (LApp ("sub_int", 
						      [LVar "x"; width]))]))));
	
	]
     else
       [])
    @
    (let pre = if int_model = IMbounded then in_bounds (LVar "x") else LTrue in
    let post = 
      LPred ("eq", [LApp (of_name, [LVar "result"]); 
		    if int_model = IMbounded then LVar "x" 
		    else LApp (mod_name, [LVar "x"])]) 
    in
    Param (false, id_no_loc (name ^ "_of_int"),
	  Prod_type ("x", int, 
		    Annot_type (pre, Base_type lt, [], [], post, []))))
    ::
    (Param (false, id_no_loc ("any_" ^ name),
            Prod_type ("x", unit_type,
	               Annot_type (LTrue, Base_type lt, [], [], LTrue, []))))
    ::
    (Exception (id_no_loc ("Return_" ^ name), Some lt))
    ::
    acc
  in
  List.fold_left make_one [] (Cenv.all_int_sizes ())

(* buils the declarations for enum types with checks *)
let make_enum_types_decls () =
  let int = Base_type (simple_logic_type "int") in
  let declare_enum_type s (_tyn, vl) acc =
    let name = Cenv.enum_type_for s in
    let of_name = "of_" ^ name in
    let is_enum = "is_" ^ name in
    let lt = simple_logic_type name in
    (Type (id_no_loc name, [])) 
    ::
    (Logic (false, id_no_loc of_name, ["x", lt], simple_logic_type "int")) 
    ::
    (Predicate (false, id_no_loc is_enum, ["x", simple_logic_type "int"], 
	        List.fold_left 
		  (fun p (_,v) -> 
		    let v = Int64.to_string v in
		    let p1 = LPred ("eq", [LVar "x"; LConst (Prim_int v)]) in
		    make_or p p1)
		  LFalse vl))
    ::
    (Goal(KAxiom,id_no_loc (name ^ "_domain"), 
	    LForall ("x", lt, [],LPred (is_enum, [LApp (of_name, [LVar "x"])])))) 
    ::
    (Param (false, id_no_loc (name ^ "_of_int"),
	    Prod_type ("x", int, 
		       let pre = LPred (is_enum, [LVar "x"]) in
		       let post = 
			 LPred ("eq", [LApp (of_name, [LVar "result"]); 
				       LVar "x"]) 
		       in
		       Annot_type (pre, Base_type lt, [], [], post, []))))
    ::
    (Param (false, id_no_loc ("any_" ^ name),
            Prod_type ("x", unit_type,
		       Annot_type (LTrue, Base_type lt, [], [], LTrue, []))))
    ::
    (Exception (id_no_loc ("Return_" ^ name), Some lt))
    ::
    (List.fold_left
      (fun acc (info,v) -> 
	 let x = info.var_unique_name in
	 let v = Int64.to_string v in
	 let a = LPred ("eq_int", [LApp (of_name, [LVar x]); 
				   LConst (Prim_int v)]) in
	 (Logic (false, id_no_loc x, [], lt)) ::
         (Goal(KAxiom,id_no_loc ("enum_" ^ s ^ "_" ^ x), a)) :: acc)
      acc vl)
  (******
    let ty = noattr tyn in
    let n = "is_enum_" ^ s in
    let n' = "any_enum_" ^ s in
    let is_enum_s = Info.default_logic_info n in   
    let any_enum_n' = Info.default_fun_info n' in    
    let result = {nterm_node = NTvar(Info.default_var_info "result");
		  nterm_loc = Loc.dummy_position ;
		  nterm_type = ty}
    in
    let spec_n' = { requires = None;
		    assigns = None;
		    ensures = Some (npapp (is_enum_s, [result]));
		    decreases = None} 
    in    
    Cenv.add_c_fun n' (spec_n',ty,any_enum_n',None,Loc.dummy_position);
    Cenv.add_pred n ([ty], is_enum_s);
    let x = Info.default_var_info (get_fresh_name "x") in
    set_formal_param x;
    set_var_type (Var_info x) ty true;
    is_enum_s.logic_args <- [x];
    let var_x = nterm (NTvar x) ty in
    let p = 
      List.fold_left 
	(fun p (v,_) -> 
	   let p1 = nprel (var_x, Eq, nterm (NTvar v) ty) in
	   npor (p, p1)) 
	npfalse vl
    in
    let d = tdecl (Nlogic (is_enum_s, NPredicate_def ([x,ty], p))) in
    d :: acc
  *****)
  in
  let declare_enum_val n (_, vl) acc =
    List.fold_left
      (fun acc (info,v) -> 
	let x = info.var_unique_name in
	let v = Int64.to_string v in
	let a = LPred ("eq_int", [LVar x; LConst (Prim_int v)]) in
	(Logic (false, id_no_loc x, [], simple_logic_type "int")) ::
	(Goal(KAxiom,id_no_loc ("enum_" ^ n ^ "_" ^ x), a)) :: acc)
      acc vl
  in
  Cenv.fold_all_enum 
    (if enum_check then declare_enum_type else declare_enum_val) []

let int_op = function
  | Badd_int _ -> "add_int"
  | Bsub_int _ -> "sub_int"
  | Bmul_int _ -> "mul_int"
  | Bdiv_int _ -> "div_int_"
  | Bmod_int _ -> "mod_int_"
  | _ -> assert false

open Cast

let interp_bin_op = function
  | Badd_int _ | Bsub_int _ | Bmul_int _ | Bdiv_int _ | Bmod_int _ as op ->
      mk_var (int_op op)
  | Blt_int -> mk_var "lt_int_"
  | Bgt_int -> mk_var "gt_int_"
  | Ble_int -> mk_var "le_int_"
  | Bge_int -> mk_var "ge_int_"
  | Beq_int -> mk_var "eq_int_"
  | Bneq_int -> mk_var "neq_int_" 
  | Badd_float fk -> 
      float_binop ~cmp:false fk "add_real" "add_single" "add_double" "add_quad"
  | Bsub_float fk -> 
      float_binop ~cmp:false fk "sub_real" "sub_single" "sub_double" "sub_quad"
  | Bmul_float fk -> 
      float_binop ~cmp:false fk "mul_real" "mul_single" "mul_double" "mul_quad"
  | Bdiv_float fk -> 
      float_binop 
	~cmp:false fk "div_real_" "div_single" "div_double" "div_quad"
  | Blt_float fk -> 
      float_binop ~cmp:true fk "lt_real_" "lt_single" "lt_double" "lt_quad"
  | Bgt_float fk -> 
      float_binop ~cmp:true fk "gt_real_" "gt_single" "gt_double" "gt_quad"
  | Ble_float fk -> 
      float_binop ~cmp:true fk "le_real_" "le_single" "le_double" "le_quad"
  | Bge_float fk -> 
      float_binop ~cmp:true fk "ge_real_" "ge_single" "ge_double" "ge_quad"
  | Beq_float fk -> 
      float_binop ~cmp:true fk "eq_real_" "eq_single" "eq_double" "eq_quad"
  | Bneq_float fk ->
      float_binop ~cmp:true fk "neq_real_" "neq_single" "neq_double" "neq_quad"
  | Blt_pointer -> mk_var "lt_pointer_"
  | Bgt_pointer -> mk_var "gt_pointer_"
  | Ble_pointer -> mk_var "le_pointer_"
  | Bge_pointer -> mk_var "ge_pointer_"
  | Beq_pointer -> mk_var "eq_pointer"
  | Bneq_pointer -> mk_var "neq_pointer" 
  | Badd_pointer_int -> mk_var "shift_"
  | Bsub_pointer -> mk_var "sub_pointer_"
  | Bbw_and -> mk_var "bw_and"
  | Bbw_xor -> mk_var "bw_xor"
  | Bbw_or -> mk_var "bw_or"
  | Bshift_left -> mk_var "lsl"
  | Bshift_right -> mk_var "lsr"
  (* should not happen *)
  | Badd | Bsub | Bmul | Bdiv | Bmod 
  | Blt | Bgt | Ble | Bge | Beq | Bneq | Band | Bor ->
      assert false

let int_zero = mk_expr (Cte(Prim_int "0"))
let int_one = mk_expr (Cte(Prim_int "1"))
let int_minus_one = mk_expr (Cte(Prim_int "(-1)"))

let any_float fk = 
  if floats then match fk with
    | Float -> "any_single"
    | Double -> "any_double"
    | LongDouble -> "any_quad"
    | Real -> "any_real"
  else 
    "any_real"

let float_of_real r fk = 
  if floats then match fk with
    | Float -> make_app "r_to_s" [ rounding_mode (); r] 
    | Double  -> make_app "r_to_d" [ rounding_mode () ; r]
    | LongDouble  -> make_app "r_to_q" [ rounding_mode () ; r]
    | Real -> r
  else
    r

let real_zero = mk_expr (Cte(Prim_real "0.0"))
let float_zero = float_of_real real_zero

let real_one = mk_expr (Cte(Prim_real "1.0"))
let float_one = float_of_real real_one

let interp_incr_op ty op = match ty.Ctypes.ctype_node, op with
  | (Tenum _ | Tint _), (Upostfix_inc | Uprefix_inc) -> mk_var "add_int", int_one
  | (Tenum _ | Tint _), (Upostfix_dec | Uprefix_dec) -> mk_var "sub_int", int_one
  | Tfloat fk, (Upostfix_inc | Uprefix_inc) -> 
      interp_bin_op (Badd_float fk), float_one fk
  | Tfloat fk, (Upostfix_dec | Uprefix_dec) -> 
      interp_bin_op (Bsub_float fk), float_one fk
  | (Tpointer _ | Tarray _), 
    (Upostfix_inc | Uprefix_inc) -> mk_var "shift_", int_one
  | (Tpointer _ | Tarray _), 
    (Upostfix_dec | Uprefix_dec) -> mk_var "shift_", int_minus_one
  | _ -> assert false

type interp_lvalue =
  | LocalRef of Info.var_info
  | HeapRef of valid * string * Output.expr

let build_complex_app e args =
  let rec build n e args =
    match args with
      | [] -> e
      | [p] -> mk_expr (App(e,p))
      | ({ expr_node = (Var _) | (Cte _)} as p)::l ->
	  build n (mk_expr (App(e,p))) l
      | p::l ->
	  let v = tmp_var () in
	  mk_expr (Let(v,p, build (succ n) (mk_expr (App(e,mk_var v))) l))
  in
  match args with
    | [] -> mk_expr (App(e,void))
    | _ -> build 1 e args

let build_minimal_app e args =
  match args with
    | [] -> mk_expr (App(e,void))
    | _ ->
	if List.for_all is_pure args then
	  List.fold_left (fun acc x -> mk_expr(App(acc,x))) e args
	else
	  build_complex_app e args

let bin_op loc op t1 t2 = match op, t1.expr_node, t2.expr_node with
  | Badd_pointer_int, _, Cte (Prim_int "0") ->
      t1
  | Beq_int, Cte (Prim_int n1), Cte (Prim_int n2) ->
      mk_expr (Cte (Prim_bool (n1 = n2)))
  | (Bdiv_int _ | Bmod_int _), _, _ ->
      guarded_make_app_e DivByZero loc (interp_bin_op op) [t1; t2]
  | _ ->
      build_minimal_app (interp_bin_op op) [t1; t2]

let rec interp_expr e =
  let w = interp_expr_loc e in
  if e.nexpr_loc = Loc.dummy_position then w else 
    mk_expr (Loc (fst e.nexpr_loc, w))

and interp_expr_loc e =
  let loc = e.nexpr_loc in
  match e.nexpr_node with
    | NEconstant (IntConstant c) -> 
	let t = 
          mk_expr (Cte (Prim_int (Int64.to_string (Cconst.int e.nexpr_loc c))))
        in
	if machine_ints then begin 
	  match e.nexpr_type.Ctypes.ctype_node with
	  | Tint si -> of_int loc si t
	  | Tenum _ -> assert false (*TODO*)
	  | _ -> assert false
	end else 
	  t
    | NEconstant (RealConstant c) ->
	mk_expr (Cte (Prim_real c))
    | NEvar( Var_info v) -> 
	let n = heap_var_name v in
	if v.var_is_assigned then mk_expr (Deref n) else mk_var n
    | NEvar (Fun_info _v) -> assert false
    (* a ``boolean'' expression is [if e then 1 else 0] *)
    | NEbinary (_,(Blt_int | Bgt_int | Ble_int | Bge_int | Beq_int | Bneq_int 
		  |Blt_float _ | Bgt_float _ | Ble_float _ | Bge_float _
		  |Beq_float _ | Bneq_float _
		  |Blt_pointer | Bgt_pointer | Ble_pointer | Bge_pointer 
		  |Beq_pointer | Bneq_pointer 
		  |Blt | Bgt | Ble | Bge | Beq | Bneq | Band | Bor),_) 
    | NEunary (Unot, _) ->
        let b = interp_boolean_expr e in
	let w = match b.expr_node with (* partial evaluation *)
	  | Cte (Prim_bool true) -> int_one
	  | Cte (Prim_bool false) -> int_zero
	  | _ -> mk_expr (If (b, int_one, int_zero))
	in
	interp_int_conversion loc c_exact_int e.nexpr_type w
    | NEbinary (e1, (Badd_int _ | Bsub_int _ | Bmul_int _ |
                     Bdiv_int _ | Bmod_int _ |
		     Bbw_and | Bbw_xor | Bbw_or | 
		     Bshift_left | Bshift_right as op), e2) ->
	let w = bin_op loc op (interp_int_expr e1) (interp_int_expr e2) in
	interp_int_conversion loc c_exact_int e.nexpr_type w
    | NEbinary (e1, (Badd_pointer_int as op), e2) ->
	bin_op loc op (interp_expr e1) (interp_int_expr e2)
    | NEbinary (e1,op,e2) ->
	bin_op loc op (interp_expr e1) (interp_expr e2)
    | NEassign (e,e2) ->
	begin
	  match interp_lvalue e with
	    | LocalRef v ->
		let n = v.var_unique_name in
		append (mk_expr (Assign(n,interp_expr e2))) (mk_expr (Deref n))
	    | HeapRef (Valid(a,b),var,e1) ->
		let tmp1 = tmp_var () in
		let tmp2 = tmp_var () in
		if (a <= Int64.zero && b > Int64.zero) then 
		  mk_expr (Let(tmp1, e1,
		      mk_expr(Let(tmp2, interp_expr e2,
			  append (build_complex_app (mk_var "safe_upd_")
				    [mk_var var; mk_var tmp1; mk_var tmp2])
			    (mk_var tmp2)))))
		else
		  mk_expr (Let(tmp1, e1,
		      mk_expr (Let(tmp2, interp_expr e2,
			  append (guarded_build_complex_app 
				     PointerDeref loc "upd_"
				     [mk_var var; mk_var tmp1; mk_var tmp2])
			    (mk_var tmp2)))))
	    | HeapRef (Not_valid,var,e1) ->	
		let tmp1 = tmp_var () in
		let tmp2 = tmp_var () in
		mk_expr (Let(tmp1, e1,
		    mk_expr (Let(tmp2, interp_expr e2,
			append (guarded_build_complex_app 
				   PointerDeref loc "upd_"
				   [mk_var var; mk_var tmp1; mk_var tmp2])
			  (mk_var tmp2)))))
	end 
    | NEincr(op,e) -> 
	interp_incr_expr op e
    | NEassign_op(e,op,e2) ->
	begin match interp_lvalue e with
	  | LocalRef(v) ->
	      let n = v.var_unique_name in
	      append
	        (mk_expr (Assign(n, bin_op loc op (mk_expr(Deref n)) 
                                   (interp_expr e2))))
	        (mk_expr (Deref n))
	  | HeapRef(Valid (a,b),var,e1) -> 
	      let tmp1 = tmp_var () in
	      let tmp2 = tmp_var () in
	      if (a<= Int64.zero && b> Int64.zero)	  
	      then
		mk_expr (Let(tmp1, e1,
		    mk_expr (Let(tmp2, 
			bin_op loc op
			  (make_app "safe_acc_" [mk_var var; mk_var tmp1]) 
			  (interp_expr e2),
			append
			  (build_complex_app (mk_var "safe_upd_") 
				 [mk_var var; mk_var tmp1; mk_var tmp2])
			  (mk_var tmp2)))))
	      else
		mk_expr (Let(tmp1, e1,
			mk_expr (Let(tmp2, 
			    bin_op loc op
			      (make_app "acc_" [mk_var var; mk_var tmp1]) 
			      (interp_expr e2),
			    append
			      (build_complex_app (mk_var "safe_upd_") 
				 [mk_var var; mk_var tmp1; mk_var tmp2])
			      (mk_var tmp2))) ))
	  | HeapRef(Not_valid,var,e1) ->
		    let tmp1 = tmp_var () in
		    let tmp2 = tmp_var () in
		    mk_expr (Let(tmp1, e1,
			mk_expr (Let(tmp2, 
			    bin_op loc op
			      (make_app "acc_" [mk_var var; mk_var tmp1]) 
			      (interp_expr e2),
			    append
			      (build_complex_app (mk_var "safe_upd_") 
				 [mk_var var; mk_var tmp1; mk_var tmp2])
			      (mk_var tmp2)))))
	end 
    | NEseq(e1,e2) ->
	append (interp_statement_expr e1) (interp_expr e2)
    | NEnop -> 
	void
    | NEcond(e1,e2,e3) ->
	mk_expr (If (interp_boolean_expr e1, interp_expr e2, interp_expr e3))
    | NEstring_literal _s -> 
	unsupported e.nexpr_loc "string literal"
    | NEarrow (e,_z,s) ->
	let te = interp_expr e in
	let var = zoned_name s.var_unique_name (Cnorm.type_why e) in
	let valid = 
	  match e.nexpr_type.Ctypes.ctype_node with
	    | Tpointer (valid,_)  
	    | Tarray (valid,_,_) -> valid
	    | Tstruct _ -> Valid (Int64.zero,Int64.one) 
	    | _ -> assert false
	in
	begin 
	  match valid with 
	    | Valid (a,b) ->
		if (a<= Int64.zero && b>Int64.one)
		then Output.make_app "safe_acc_" [mk_var(var);te] 
		else guarded_make_app PointerDeref loc "acc_" [mk_var(var);te]
	    | Not_valid -> 
		guarded_make_app PointerDeref loc "acc_" [mk_var(var);te] 
	end
    | NEunary (Ustar, _e) -> assert false
    | NEunary (Uplus, e) ->
	interp_expr e
    | NEunary (Uminus, e) -> 
	begin match e.nexpr_type.Ctypes.ctype_node with
	  | Tenum _ | Tint _ -> 
	      let w = make_app "neg_int" [interp_int_expr e] in
	      interp_int_conversion loc c_exact_int e.nexpr_type w
	  | Tfloat fk -> 
	      build_minimal_app (float_unop fk Uminus) [interp_expr e]
	  | _ -> 
	      assert false
	end
    | NEunary (Uint_of_float, e1) ->
	interp_int_of_float e1.nexpr_type (interp_expr e1)
    | NEunary (Ufloat_of_int, e1) ->
	interp_float_of_int e.nexpr_type (interp_expr e1)
    | NEunary (Ufloat_conversion, e1) ->
	interp_float_conversion e1.nexpr_type e.nexpr_type (interp_expr e1)
     | NEunary (Uint_conversion, e1) ->
	interp_int_conversion loc e1.nexpr_type e.nexpr_type (interp_expr e1)
    | NEunary (Utilde, e) ->
	make_app "bw_compl" [interp_expr e]
    | NEunary (Uamp, e) ->
	interp_address e
    | NEcall{ncall_fun = e; ncall_args = args ; ncall_zones_assoc = assoc } -> 
	interp_call e args assoc
    | NEcast({Ctypes.ctype_node = Tpointer _}, 
	     {nexpr_node = NEconstant (IntConstant "0")}) ->
	mk_var "null"
    | NEcast (t,e1) -> 
	begin match t.Ctypes.ctype_node, e1.nexpr_type.Ctypes.ctype_node with
	  | (Tenum _ | Tint _), (Tenum _ | Tint _) ->
	      interp_int_conversion loc e1.nexpr_type t (interp_expr e1)
	  | Tfloat _, Tfloat _ -> 
	      interp_float_conversion e1.nexpr_type t (interp_expr e1)
	  | Tfloat _, (Tenum _ | Tint _) ->
	      let e = make_app "real_of_int" [interp_expr e1] in
	      interp_float_conversion c_real t e
	  | (Tenum _ | Tint _), Tfloat _ ->
	      interp_int_of_float e1.nexpr_type (interp_expr e1)
	  | ty1, ty2 when Cenv.eq_type_node ty1 ty2 -> 
	      interp_expr e1
	  | _ -> 
	      unsupported e.nexpr_loc "cast"
	end
    | NEmalloc (_, e) ->
	make_app "malloc_parameter" [interp_expr e]

and interp_int_expr e =
  let w = interp_expr e in
  interp_int_conversion e.nexpr_loc e.nexpr_type c_exact_int w

and interp_boolean_expr e =
  let w = interp_boolean_expr_loc e in
  if e.nexpr_loc = Loc.dummy_position then w else 
    mk_expr (Loc (fst e.nexpr_loc, w))

and interp_boolean_expr_loc e = 
  let loc = e.nexpr_loc in
  match e.nexpr_node with
    | NEbinary(e1, (Blt_int | Bgt_int | Ble_int | Bge_int | 
	            Beq_int | Bneq_int as op), e2) ->
	bin_op loc op (interp_int_expr e1) (interp_int_expr e2)
    | NEbinary(e1, (Blt_float _ | Bgt_float _ | Ble_float _ | Bge_float _ 
		   |Beq_float _ | Bneq_float _
		   |Blt_pointer | Bgt_pointer | Ble_pointer | Bge_pointer 
		   |Beq_pointer | Bneq_pointer 
		   |Blt | Bgt | Ble | Bge | Beq | Bneq as op), e2) ->
	bin_op loc op (interp_expr e1) (interp_expr e2)
    | NEbinary (e1, Band, e2) ->
        mk_expr (And(interp_boolean_expr e1,interp_boolean_expr e2))
    | NEbinary (e1, Bor, e2) ->
	mk_expr (Or(interp_boolean_expr e1,interp_boolean_expr e2))
    | NEunary (Unot, e) ->
	mk_expr (Not(interp_boolean_expr e))
    (* otherwise e <> 0 *)
    | _ -> 
	let e,cmp,zero = match e.nexpr_type.Ctypes.ctype_node with
	  | Tenum _ | Tint _ -> 
	      interp_int_expr e, "neq_int_", int_zero
	  | Tfloat _fk -> 
	      interp_expr e, "neq_real_", real_zero
	  | Tarray _ | Tpointer _ -> 
	      interp_expr e, "neq_pointer", mk_var "null"
	  | _ -> 
	      assert false
	in
	build_complex_app (mk_var cmp) [e; zero]

and interp_incr_expr op e =
  let top,one = interp_incr_op e.nexpr_type op in
  let to_int = interp_int_conversion e.nexpr_loc e.nexpr_type c_exact_int in
  let of_int = interp_int_conversion e.nexpr_loc c_exact_int e.nexpr_type in
  match interp_lvalue e with
    | LocalRef v ->
	begin
	  match op with
	    | Upostfix_dec | Upostfix_inc ->
		mk_expr (Let("caduceus",
		    to_int (mk_expr (Deref v.var_unique_name)),
		    append 
		      (mk_expr (Assign (v.var_unique_name,
			       of_int (make_app_e top [mk_var "caduceus";one]))))
		      (mk_var "caduceus")))
	    | Uprefix_dec | Uprefix_inc ->
		let n = v.var_unique_name in
		append 
		  (mk_expr (Assign(n, 
                                   of_int (mk_expr (App(mk_expr (App(top, to_int (mk_expr (Deref n)))), one))))))
		  (mk_expr (Deref n))
	end
    | HeapRef(valid,var,e') ->
	begin
	  let acc = match valid with 
	    | Valid(a,b) ->
		if (a <= Int64.zero && b > Int64.one)
		then make_app "safe_acc_" [mk_var var;mk_var "caduceus1"]
		else make_app "acc_" [mk_var var;mk_var "caduceus1"] 
	    | Not_valid -> make_app "acc_" [mk_var var;mk_var "caduceus1"] 
	  in
	  match op with
	    | Upostfix_dec | Upostfix_inc ->
		mk_expr (Let("caduceus1",e',
		    mk_expr (Let("caduceus2",
		        acc,
			append
			  (make_app "safe_upd_" 
			     [mk_var var; mk_var "caduceus1";
			      of_int (make_app_e top 
					 [one; to_int (mk_var "caduceus2")])])
			  (mk_var "caduceus2")))))
	    | Uprefix_dec | Uprefix_inc ->
		mk_expr (Let("caduceus1",e',
		    mk_expr (Let("caduceus2",
			of_int (make_app_e top [to_int acc; one]),
			append
			  (make_app "safe_upd_" 
			     [mk_var var; mk_var "caduceus1"; mk_var "caduceus2"])
			  (mk_var "caduceus2")))))
	end		      

and interp_lvalue e =
  match e.nexpr_node with
    | NEvar (Var_info v) -> LocalRef v
    | NEvar (Fun_info _v) -> assert false
    | NEunary(Ustar,_e1) -> assert false
    | NEarrow (e1,_,f) ->
	let valid =
	  match e1.nexpr_type.Ctypes.ctype_node with
	    | Tpointer(v,_) | Tarray(v,_,_) -> v
	    | Tstruct _ -> Valid(Int64.zero,Int64.one)
	    | _ -> assert false
	in 
	HeapRef(valid,
		zoned_name f.var_unique_name (Cnorm.type_why e1), 
		interp_expr e1)
    | _ -> 
	assert false (* wrong typing of lvalue ??? *)

and interp_address e = match e.nexpr_node with
  | NEvar (Var_info v) -> 
      assert (v.var_is_referenced); 
       begin match e.nexpr_type.Ctypes.ctype_node with
       | Tstruct _ | Tunion _ -> mk_expr (Deref v.var_unique_name)
       | _ -> mk_var v.var_unique_name
       end
  | NEvar (Fun_info _v) -> unsupported e.nexpr_loc "& operator on functions"
  | NEunary (Ustar, _) -> assert false
  | NEarrow (e1,_, f) ->
      begin match e.nexpr_type.Ctypes.ctype_node with
	| Tenum _ | Tint _ | Tfloat _ -> 
  	    interp_expr e1
	| Tstruct _ | Tunion _ | Tpointer _ | Tarray _ ->
	    let var = zoned_name f.var_unique_name (Cnorm.type_why e1) in
	    let valid = 
	      match e1.nexpr_type.Ctypes.ctype_node with
		| Tpointer (valid,_)  
		| Tarray (valid,_,_) -> valid
		| Tstruct _ -> Valid(Int64.zero,Int64.one)  
		| _ -> assert false
	    in
	    begin 
	      match valid with 
		| Valid (a,b)-> if (a<= Int64.zero && Int64.zero < b) 
		  then build_complex_app (mk_var "safe_acc_")
		    [mk_var var; interp_expr e1]
		  else build_complex_app (mk_var "acc_")
		    [mk_var var; interp_expr e1]
		| Not_valid -> build_complex_app (mk_var "acc_")
		    [mk_var var; interp_expr e1]
	    end
	| _ -> unsupported e.nexpr_loc "& operator on a field"
      end
  | _ -> 
      assert false (* not a left value *)

and interp_statement_expr e =
(*  let loc = e.nexpr_loc in*)
  match e.nexpr_node with
    | NEseq(e1,e2) ->
	append (interp_statement_expr e1) (interp_statement_expr e2)
    | NEnop -> 
	void
    | NEassign(l,e) ->
	begin
	  match interp_lvalue l with
	    | LocalRef(v) ->
		mk_expr (Assign(v.var_unique_name,interp_expr e))
	    | HeapRef(valid,var,e1) ->
		  match valid with 
		    | Valid (a,b) when a<= Int64.zero && Int64.zero 
			build_complex_app
			  (mk_var "safe_upd_") [mk_var var;e1; interp_expr e]
		    | Valid _ | Not_valid -> 
			guarded_build_complex_app PointerDeref l.nexpr_loc
			  "upd_" 
			  [mk_var var;e1; interp_expr e]
	end 
    | NEincr(op,e) ->
	let top,one = interp_incr_op e.nexpr_type op in
	let to_int = interp_int_conversion e.nexpr_loc e.nexpr_type c_exact_int in
	let of_int = interp_int_conversion e.nexpr_loc c_exact_int e.nexpr_type in
	begin
	  match interp_lvalue e with
	    | LocalRef v ->
		mk_expr (Assign(v.var_unique_name,
		       of_int (make_app_e top 
				  [to_int (mk_expr (Deref v.var_unique_name)); one])))
	    | HeapRef(valid,var,e1) -> 
		let acc = match valid with 
		  | Valid(a,b) -> 
		      if (a <= Int64.zero && Int64.zero < b) 
		      then make_app "safe_acc_" [mk_var var; mk_var "caduceus1"]
		      else  make_app "acc_"[mk_var var; mk_var "caduceus1"]
		  | Not_valid ->  make_app "acc_"[mk_var var; mk_var "caduceus1"]
		in
		mk_expr (Let("caduceus1",e1,
		    mk_expr (Let("caduceus2",
		        to_int acc,
			make_app "safe_upd_"
			  [mk_var var; mk_var "caduceus1"; 
			   of_int (make_app_e top [mk_var "caduceus2"; one])]))))
	end
    | NEcall {ncall_fun = e1;ncall_args =  args;ncall_zones_assoc = assoc} -> 
	let app = interp_call e1 args assoc in
	if e.nexpr_type.Ctypes.ctype_node = Tvoid then
	  app
	else
	  mk_expr (Let (tmp_var (), app, void))
    | NEassign_op (l, op, e) -> 
	begin
	  match interp_lvalue l with
	    | LocalRef(v) ->
		let n = v.var_unique_name in
		mk_expr (Assign(n, bin_op e.nexpr_loc op (mk_expr (Deref n)) 
                         (interp_expr e)))
	    | HeapRef(valid,var,e1) -> 
		let acc = match valid with 
		  | Valid(a,b) -> if (a<= Int64.zero && Int64.zero  make_app "acc_"[mk_var var;mk_var "caduceus1"]
		in
		mk_expr (Let("caduceus1",e1,
		    mk_expr (Let("caduceus2",acc ,
			make_app "safe_upd_"
			  [mk_var var; mk_var "caduceus1"; 
			   bin_op e.nexpr_loc op (mk_var "caduceus2") (interp_expr e)]))))
	end 
    | NEcast (_, _)
    | NEcond (_, _, _)
    | NEbinary (_, _, _)
    | NEunary (_, _)
    | NEarrow _
    | NEvar _
    | NEstring_literal _
    | NEconstant _ 
    | NEmalloc _ -> 
	unsupported e.nexpr_loc "statement expression"

and interp_call e1 args assoc = 
  match e1.nexpr_node with
    | NEvar (Fun_info v) ->
	let reads = ZoneSet.fold 
	  (fun (z,s,ty) acc ->
	     let z = repr z in
	     (z,(try Cnorm.assoc_zone z assoc with Not_found -> z),s,ty)::acc)
	  v.function_reads [] 
	in
	let targs = List.map interp_expr args in
	let targs = List.fold_right 
	  (fun (z0,z1,s,_) l -> 
	     let z = repr z1 in
	     if z0.zone_is_var then
	       mk_var(zoned_name s (Pointer z))::l
	     else l)
	  reads targs 
	in
	build_complex_app (mk_var (v.fun_unique_name ^ "_parameter")) 
	  targs
    | _ -> 
	unsupported e1.nexpr_loc "call of a non-variable function"

and valid_acc_offset e =
  match e.nexpr_node with 
    | NEnop -> assert false
    | NEconstant _ -> assert false
    | NEstring_literal _ -> assert false
    | NEvar _ -> assert false
    | NEarrow (e,_,_)  -> valid_acc_offset e
    | NEseq _ -> assert false
    | NEassign _ -> assert false
    | NEassign_op _ -> assert false
    | NEunary _ -> assert false
    | NEincr _ -> assert false
    | NEbinary (_,Badd_pointer_int,i) -> interp_expr i    
    | NEbinary (_,_,_) -> assert false
    | NEcall _ -> assert false
    | NEcond _ -> assert false
    | NEcast _ -> assert false
    | NEmalloc _ -> assert false
 
 

module StringMap = Map.Make(String)

type mem_or_ref = Reference of bool | Memory of Output.term list

type term_loc_interp = Pset of Output.term | Term of Output.term

let collect_locations label old_label acc loc =
  (* term_loc t interprets t either as Term t' with t' a Why term of type 
     pointer, or as Pset s with s a Why term of type pset *)
  let rec term_or_pset t = match t.nterm_node with
    | NTarrow (e,z, f) ->
	let ty = Cnorm.type_why_for_term e in
	assert (same_why_type ty (Pointer z));
	let m = 
	  interp_var label
	    (zoned_name f.var_unique_name ty) in
	begin match term_or_pset e with
	  | Term te -> Term (LApp ("acc", [m; te]))
	  | Pset s -> Pset (LApp ("pset_star", [s; m]))
	end
    | NTrange (e, None, None, z, f) ->
	let ty = Cnorm.type_why_for_term e in
	assert (same_why_type ty (Pointer z));
	let var = zoned_name f.var_unique_name ty in
	Pset (LApp ("pset_acc_all", [pset e; interp_var label var]))
    | NTrange (e, None, Some a,z,f) ->
	let ty = Cnorm.type_why_for_term e in
	assert (same_why_type ty (Pointer z));
	let var = zoned_name f.var_unique_name ty in
	Pset (LApp ("pset_acc_range_left", 
		    [pset e; interp_var label var;
		     interp_term label old_label a]))
    | NTrange (e, Some a, None,z,f) ->
	let ty = Cnorm.type_why_for_term e in
	assert (same_why_type ty (Pointer z));
	let var = zoned_name f.var_unique_name ty in
	Pset (LApp ("pset_acc_range_right", 
		    [pset e; interp_var label var;
		     interp_term label old_label a]))
    | NTrange (e, Some a, Some b,z,f) ->
	let ty = Cnorm.type_why_for_term e in
	assert (same_why_type ty (Pointer z));
	let var = zoned_name f.var_unique_name ty in
	Pset (LApp ("pset_acc_range", 
		    [pset e; interp_var label var;
		     interp_term label old_label a;
		     interp_term label old_label b]))
    | _ ->
	Term (interp_term label old_label t)

  (* term_loc t interprets t as a Why term of type pset *)
  and pset t = match term_or_pset t with
    | Pset l -> l
    | Term t -> LApp ("pset_singleton", [t])
  in
  let var,iloc = match loc.nterm_node with
    | NTarrow(e,z,f) ->
	let ty = Cnorm.type_why_for_term e in
	assert (same_why_type ty (Pointer z));
	zoned_name f.var_unique_name ty, Some (pset e)
    | NTvar v ->
	v.var_unique_name, None
    | NTrange (t, None, None,z,f) -> 
	let ty = Cnorm.type_why_for_term t in
	assert (same_why_type ty (Pointer z));
	let var = zoned_name f.var_unique_name ty in
	let loc = LApp ("pset_all", [pset t]) in
	var, Some loc
    | NTrange (t, None, Some a,z,f) -> 
	let ty = Cnorm.type_why_for_term t in
	assert (same_why_type ty (Pointer z));
	let var = zoned_name f.var_unique_name ty in
	let loc = LApp ("pset_range_left", 
			[pset t; interp_term label old_label a]) in
	var, Some loc
    | NTrange (t, Some a, None,z,f) -> 
	let ty = Cnorm.type_why_for_term t in
	assert (same_why_type ty (Pointer z));
	let var = zoned_name f.var_unique_name ty in
	let loc = LApp ("pset_range_right", 
			[pset t; interp_term label old_label a]) in
	var, Some loc
    | NTrange(t1, Some t2, Some t3,z,f) -> 
	let ty = Cnorm.type_why_for_term t1 in
	assert (same_why_type ty (Pointer z));
	let var = zoned_name f.var_unique_name ty in
	let loc = 
	  LApp("pset_range",
	       [pset t1;
		interp_term label old_label t2;
		interp_term label old_label t3;])
	in
	var, Some loc
    | _ ->
	assert false
  in
  try
    let p = StringMap.find var acc in
    (match p, iloc with
       | Reference _, None -> StringMap.add var (Reference true) acc
       | Memory l, Some iloc -> StringMap.add var (Memory (iloc::l)) acc
       | Reference _,Some n -> eprintf "iloc = %a\n" fprintf_term n;assert false
       | Memory _,_ -> assert false)
  with Not_found -> 
    (match iloc with
       | None -> StringMap.add var (Reference true) acc
       | Some l -> StringMap.add var (Memory [l]) acc)

let rec make_union_loc = function
  | [] -> LVar "pset_empty"
  | [l] -> l
  | l::r -> LApp("pset_union",[l;make_union_loc r])

let interp_assigns label old_label assigns = function
  | Some (loc, locl) ->
      let m = HeapVarSet.fold
	(fun v m -> 
	  if Ceffect.is_alloc v then m 
	  else StringMap.add (heap_var_name v) (Reference false) m)
	assigns.Ceffect.assigns_var StringMap.empty 
      in
      let m = ZoneSet.fold
	(fun (z,s,_ty) m -> 
	  StringMap.add (zoned_name s (Pointer z)) (Memory []) m)
	assigns.Ceffect.assigns m 
      in
      let l = 
	List.fold_left (collect_locations label old_label) m locl
      in
      let p = 
	StringMap.fold
	  (fun v p acc -> match p with
	    | Memory p ->
		if no_alloc_table then
		  make_and acc
		    (LPred("not_assigns",
			  [interp_var (Some old_label) v;
			   LVar v; make_union_loc p]))
		else
		  make_and acc
		    (LPred("not_assigns",
			  [interp_var None "alloc"; 
			   interp_var (Some old_label) v;
			   LVar v; make_union_loc p]))
	    | Reference false ->
		make_and acc (LPred("eq", [LVar v; interp_var (Some old_label) v]))
	    | Reference true ->
		acc)
	  l LTrue
      in
      named_predicate loc p
  | None ->
      LTrue

(* we memoize the translation of weak invariants *)
let weak_invariant = 
  let h = Hashtbl.create 97 in
  fun id p -> 
    try 
      Hashtbl.find h id
    with Not_found -> 
      let p = interp_predicate None "" p in
      Hashtbl.add h id p;
      p

let weak_invariants_for hvs =
  Hashtbl.fold
    (fun id (p,e) acc -> 
       if Ceffect.intersect_only_alloc e hvs then acc
       else make_and (weak_invariant id p) acc) 
    Ceffect.weak_invariants LTrue

(* we memoize the translation of strong invariants *)

let strong_invariant = 
  let h = Hashtbl.create 97 in
  fun id p  -> 
    try 
      Hashtbl.find h id
    with Not_found -> 
      let p = interp_predicate None "" p in
      Hashtbl.add h id p;
      p

let interp_strong_invariants () =
  Hashtbl.fold
    (fun id (p,e,args) acc -> 
       let args = 
	 HeapVarSet.fold 
	   (fun x acc -> 
	      (heap_var_name x, 
	       Info.output_why_type x.var_why_type) :: acc) 
	   e.Ceffect.reads_var args
       in
       let args = 
	 ZoneSet.fold
	   (fun (z,s,ty) acc ->
	      (*if z.zone_is_var then*)
		(zoned_name s (Pointer z), 
		 (Info.output_why_type (Info.Memory(ty,z))))::acc
	      (*else acc*))
	   e.Ceffect.reads args in
       if args = [] then acc else
       (Predicate(false,id_no_loc id,args,interp_predicate None "" p))::acc)
    Ceffect.strong_invariants_2 []
    

let strong_invariant_name id reads_var reads =
  let args = 
    HeapVarSet.fold (fun x acc -> (LVar (heap_var_name x)) :: acc) reads_var []
  in
  let args = 
    ZoneSet.fold 
      (fun (z,s,_ty) l -> let z = repr z in
       (LVar (zoned_name s (Pointer z)))::l)
      reads args in
  LPred(id,args)
    
let extract_var_from_effect var lf =
  List.fold_left (fun acc (zf,nf,tyf) -> 
		    if (var.var_unique_name = nf) 
		    then (zf,nf,tyf)::acc else acc)[] lf 

let add ef ep =
  let lp = (HeapVarSet.elements ep) in
  let lf = (ZoneSet.elements ef) in
  let l = List.fold_right 
    (fun var acc -> (extract_var_from_effect var lf)::acc ) lp [] in
  match l with 
    | [] -> []
    | [l] -> List.fold_left (fun acc (z,n,_) -> [(z,n)]::acc) [] l
    | [l1;l2] -> 
	List.fold_left 
	  (fun acc (zx,nx,tyx) -> 
	     List.fold_left 
	       (fun acc (zy,ny,tyy) -> 
		  if same_why_type tyx tyy && same_zone zx zy 
		  then ([(zx,nx);(zy,ny)]::acc) else acc) acc l2) [] l1 
    | _ -> assert false

let subst a p =
  let q  =
    match p.npred_node with
      | NPapp {napp_pred = f; napp_args = tl; napp_zones_assoc = assoc} -> 
	  NPapp {napp_pred = f;
		 napp_args =
	      (List.map (fun (z,n) -> 
			   { nterm_node = 
			       (NTvar (default_var_info (zoned_name n (Pointer z))));
			     nterm_loc = Loc.dummy_position;
			     nterm_type = c_void}) a)@tl;
		 napp_zones_assoc = assoc}
      | _ -> assert false 
  in
  { p with npred_node = q} 

let strong_invariants_for hvs =
  let pred =
    Hashtbl.fold
      (fun id (p,_e1,e2) acc ->
	 let l = add hvs.Ceffect.reads e2.Ceffect.reads_var in
	 let rec add_pred id p l acc = 
	   match l with 
	     | [] -> acc
	     | a::l -> 
		 let p' = subst a p in 
		 let p'' = interp_predicate None "" p' in
		 make_and p'' (add_pred id p l acc)
	 in
	 add_pred id p l acc)
      Ceffect.invariants_for_struct 
      LTrue
  in
  Hashtbl.fold
    (fun id (p,e1,e2) acc ->
       if ZoneSet.subset e2.Ceffect.reads hvs.Ceffect.reads 
	 && HeapVarSet.subset e2.Ceffect.reads_var hvs.Ceffect.reads_var then
	 (make_and 
	   (if (Ceffect.mem_strong_invariant_2 id) || (Cenv.mem_pred id)
	    then
	      strong_invariant_name id e1.Ceffect.reads_var e1.Ceffect.reads
	    else
	      strong_invariant id p)  acc)
       else acc) 
    Ceffect.strong_invariants  
    pred

let alloc_extends () = 
  (* [alloc_extends] should not be used when the alloc table is dropped *)
  assert (not no_alloc_table);
  LPred ("alloc_extends", [LVar "alloc@"; LVar "alloc"])

let alloc_extends_at label = 
  (* [alloc_extends] should not be used when the alloc table is dropped *)
  assert (not no_alloc_table);
  LPred ("alloc_extends", [LVarAtLabel ("alloc", label); LVar "alloc"])

let interp_spec add_inv effect s =
  let tpre_without = 
    make_and
      (interp_predicate_opt None "" s.requires)
      (if add_inv then weak_invariants_for effect else LTrue) in
  let tpre_with = 
    make_and
      tpre_without
      (strong_invariants_for effect)
  and tpost = 
   make_and
     (interp_predicate_opt None "" s.ensures)
     (make_and 
	(interp_assigns None "" effect s.assigns)
	(make_and
	   (if add_inv then weak_invariants_for effect else LTrue)
	   (if Ceffect.assigns_alloc effect then alloc_extends () else LTrue)))
  in 
  (tpre_with,tpre_without,tpost)

(***
let alloc_on_stack loc v t =
  let form = 
    Cnorm.make_and 
      (List.fold_left (fun x v2 -> Cnorm.make_and x 
			   (Cseparation.separation loc v v2)) 
	 Cnorm.nptrue !Ceffect.global_var)
      (Cseparation.valid_for_type ~fresh:true loc v.var_name t)
  in
  BlackBox(Annot_type(LTrue,base_type "pointer",["alloc"],["alloc"],
		      make_and 
			(interp_predicate None "" form)
			(LPred ("alloc_stack", 
				[LVar "result"; LVar "alloc@"; LVar "alloc"])),
		      None))
***)

let interp_decl d acc = 
  match d.node with 
    | Ntypedef _
    | Ntypedecl { Ctypes.ctype_node = Tstruct _ | Tunion _ } -> 
	acc
    | Ntypedecl { Ctypes.ctype_node = Tenum _ } -> 
	unsupported d.loc "local enum type"
    | Ntype _
    | Ndecl _
    | Ntypedecl _
    | Naxiom _
    | Ninvariant _
    | Ninvariant_strong _
    | Nlogic _ ->
	assert false


let interp_invariant label effects annot =
  let inv = match annot.invariant with
    | None -> LTrue
    | Some inv -> interp_predicate None "init" inv
  in
  (* WHY does not distinguish invariants from assumed invariants presently *)
  let assinv = match annot.assume_invariant with
    | None -> LTrue
    | Some inv -> interp_predicate None "init" inv
  in
  let inv = match inv,assinv with
    | LTrue,p | p,LTrue -> p
    | p1,p2 -> LAnd (p1,p2)
  in
  let inv = 
    make_and 
      (interp_assigns None label effects annot.loop_assigns) 
      (make_and 
	 inv 
	 (if Ceffect.assigns_alloc effects 
	  then alloc_extends_at label else LTrue))
  in
  let var = match annot.variant with
    | None -> None
    | Some (var,r) -> 
	let n = reg_loc var.nterm_loc in
	Some (Tnamed(n,interp_term None "init" var), r)
  in
  (inv, var)

let new_label = let r = ref 0 in fun () -> incr r; "label_" ^ string_of_int !r

let try_with_void ex e = mk_expr (Try (e, ex, None, void))

let break b e = if b then try_with_void "Break" e else e

let continue b e = if b then try_with_void "Continue" e else e    

let return_exn ty = match ty.Ctypes.ctype_node with
  | Tint si when machine_ints -> "Return_" ^ (Cenv.int_type_for si)
  | Tenum e when enum_check -> "Return_" ^ (Cenv.enum_type_for e)
  | Tenum _ | Tint _ -> "Return_int"
  | Tfloat _ when not floats -> "Return_real"
  | Tfloat Float -> "Return_single"
  | Tfloat Double -> "Return_double"
  | Tfloat LongDouble -> "Return_quad"
  | _ -> "Return_pointer"

(* [abrupt_return] contains the exception used for last abrupt return if any *)
let abrupt_return = ref None

let catch_return e = match !abrupt_return with
  | None -> 
      e
  | Some "Return" ->
      mk_expr (Try (e, "Return", None, void))
  | Some "Return_pointer" ->
      mk_expr 
        (Let_ref("caduceus_return", mk_var "null",
	         (mk_expr (Try (e, "Return_pointer", None, (mk_expr (Deref "caduceus_return")))))))
  | Some r ->
      let tmp = tmp_var () in
      mk_expr (Try (append e (mk_expr Absurd), r, Some tmp, mk_var tmp))

let unreachable_block = function
  | [] -> ()
  | s::_ -> warning s.nst_loc "unreachable statement"

(* Interpretation of switch *)

open Cconst

let make_switch_condition tmp l = 
  if IntMap.is_empty l 
  then assert false
  else
    let a = 
      IntMap.fold 
	(fun _x n test -> 
	   make_or_expr 
	     (mk_expr (App(mk_expr (App (mk_var "eq_int_", mk_var tmp)), 
                           interp_int_expr n))) test) 
	l
	(mk_expr (Cte (Prim_bool false)))
    in
    (a,l)
    
let make_switch_condition_default tmp l used_cases= 
  let fl = IntMap.fold
    (fun x e m -> if IntMap.mem x l
     then m
     else IntMap.add x e m) used_cases IntMap.empty in
  let cond =
    IntMap.fold 
      (fun _x e test -> 
	 make_and_expr 
	   (mk_expr (App(mk_expr (App (mk_var "neq_int_", mk_var tmp)), 
                         interp_int_expr e))) test)
      fl
      (mk_expr (Cte (Prim_bool true)))
  in
  cond,fl

let in_struct v1 v = 
  let zone = Cnorm.find_zone v1 in
  let () = Cnorm.type_why_new_zone zone v in
  { nexpr_node = NEarrow (v1,zone,  v); 
    nexpr_loc = v1.nexpr_loc;
    nexpr_type = v.var_type }

let noattr loc ty e =
  { nexpr_node = e;
    nexpr_type = ty;
    nexpr_loc  = loc
  }


let labels_table = Hashtbl.create 17

let append_block e (f,l) = (append e f,l)

(* [ab] indicates if returns are abrupt *)

let rec interp_statement ab may_break stat = 
  let e = interp_statement_loc ab may_break stat in
  if stat.nst_loc = Loc.dummy_position then e else 
    mk_expr (Loc (fst stat.nst_loc, e))

and interp_statement_loc ab may_break stat = match stat.nst_node with
  | NSnop -> 
      void
  | NSexpr e ->
      interp_statement_expr e
  | NSreturn eopt ->
      if ab then match eopt with
	| None -> 
	    abrupt_return := Some "Return";
	    mk_expr (Raise ("Return", None))
	| Some e -> 
	    let r = return_exn e.nexpr_type in 
	    abrupt_return := Some r;
	    if r = "Return_pointer" then
	      mk_expr 
                (Block([mk_expr (Assign ("caduceus_return", interp_expr e)); 
		        mk_expr (Raise ("Return_pointer", None))]))
	    else
	      mk_expr (Raise (r, Some (interp_expr e)))
      else begin match eopt with
	| None -> void
	| Some e -> interp_expr e
      end
  | NSif(e,s1,s2) -> 
      mk_expr 
        (If(interp_boolean_expr e,
	    (interp_statement ab may_break s1), 
	    (interp_statement ab may_break s2)))
  | NSfor(annot,e1,e2,e3,body) ->
      let label = new_label () in
      let ef = 
	Ceffect.ef_union 
	  (Ceffect.ef_union (Ceffect.expr e1)
	     (Ceffect.expr e2))
	  (Ceffect.ef_union (Ceffect.expr e3) 
	     (Ceffect.statement body))
      in
      let (inv,dec) = interp_invariant label ef annot in
      make_label label
	(append
	   (interp_statement_expr e1)
	   (break body.nst_break 
	      (make_while (interp_boolean_expr e2) inv dec 
		 (append 
		    (continue body.nst_continue
		       (interp_statement true (ref false) body))
		    (interp_statement_expr e3)))))
  | NSwhile(annot,e,s) -> 
      let label = new_label () in
      let ef = 
	Ceffect.ef_union (Ceffect.expr e) (Ceffect.statement s) 
      in
      let (inv,dec) = interp_invariant label ef annot in
      make_label label
	(break s.nst_break
	   (make_while (interp_boolean_expr e) inv dec 
	      (continue s.nst_continue 
		 (interp_statement true (ref false) s))))
  | NSdowhile(annot,s,e) -> 
      let label = new_label () in
      let ef = 	Ceffect.ef_union (Ceffect.expr e) (Ceffect.statement s) 
      in
      let (inv,dec) = interp_invariant label ef annot in
      make_label label
	(break true
	   (make_while (mk_expr (Cte (Prim_bool true))) inv dec
	      (append 
		 (continue s.nst_continue
		    (interp_statement true (ref false) s))
		 (mk_expr (If (mk_expr (Not (interp_boolean_expr e)), 
		               mk_expr (Raise("Break", None)), 
                               void))))))
  | NSblock(b) -> 
      interp_block ab may_break b
  | NSbreak -> 
      may_break := true;
      mk_expr (Raise ("Break", None))
  | NScontinue -> 
      mk_expr (Raise ("Continue", None))
  | NSlabel(lab,s) -> 
      if lab.times_used = 0 then
	begin
	  warning stat.nst_loc "unused label %s" lab.label_info_name;	 
	  interp_statement ab may_break s
	end
      else
	begin
	  Hashtbl.add labels_table lab.label_info_name ();
	  make_label lab.label_info_name (interp_statement ab may_break s)
	end
  | NSgoto(GotoForwardOuter,lab) ->
      mk_expr (Raise ("Goto_" ^ lab.label_info_name, None))
  | NSgoto(GotoForwardInner,_lab) ->
      unsupported stat.nst_loc "forward inner goto"
  | NSgoto(GotoBackward,_lab) ->
      (* When planning to support backward gotos, add a widening node inside 
	 the induced loop in the operational graph created for various 
	 dataflow analyses in [Cabsint]. *)
      unsupported stat.nst_loc "backward goto"
  | NSswitch(e,used_cases,l) ->
      let tmp = tmp_var() in
      let switch_may_break = ref false in
      let res = 
	mk_expr (Output.Let(tmp, interp_int_expr e,
		   interp_switch tmp (*ab*) true switch_may_break l 
		     IntMap.empty used_cases false))
      in
      if !switch_may_break then
	mk_expr (Try(res,"Break", None,void))
      else
	res
  | NSassert(pred) -> 
      mk_expr (Output.Assert(`ASSERT,interp_predicate None "init" pred, void))
  | NSassume pred -> 
      (* Abusing assumptions endangers your proof ... *)
      let post,_ = interp_predicate None "init" pred, Void in
      mk_expr (BlackBox (Annot_type (LTrue, unit_type, [], [], post, [])))
  | NSlogic_label(_l) -> 
      assert false
(*
Output.Label (l, Void)
*)
  | NSspec (spec,s) ->
      let eff = Ceffect.statement s in
      let pre,_,post = interp_spec false eff spec in
      mk_expr (Triple(true,pre,interp_statement ab may_break s,post,[]))
  | NSdecl(ctype,v,init,rem) -> 
      lprintf 
	"translating local declaration of %s@." v.var_unique_name;
      let tinit,(decl,_) = match init with 
	| None | Some (Ilist [])->
	    begin match ctype.Ctypes.ctype_node with
	      | Tenum s when enum_check ->    
		  mk_expr(App (mk_var ("any_" ^ Cenv.enum_type_for s), void) )
	      | Tint (_,i as si) when i <> ExactInt && machine_ints ->
		  mk_expr(App (mk_var ("any_" ^ Cenv.int_type_for si), void))
	      | Tenum _ | Tint _ ->
		  mk_expr(App (mk_var "any_int", void))
	      | Tfloat fk -> 
		  mk_expr(App (mk_var (any_float fk), void))
	      | Tarray (_,_, None) | Tpointer _ -> 
		  mk_expr(App (mk_var "any_pointer", void))
	      | Tarray (_,_, Some n) ->
		  mk_expr(App (mk_var "alloca_parameter", 
		       mk_expr (Cte (Prim_int (Int64.to_string n)))))
	      | Tstruct _ | Tunion _ ->
		  mk_expr(App (mk_var "alloca_parameter", mk_expr (Cte (Prim_int "1"))))
	      | Tvoid | Tvar _ | Tfun _ -> 
		  assert false
	    end,([],[])
	| Some (Iexpr e)  ->   
	    interp_expr e, ([],[])
	| Some (Ilist _) ->
	    assert false
      in
      let decl = List.fold_left (fun acc x ->
				   acc@[interp_statement ab may_break x]) 
		   [] decl in
      if v.var_is_static then (* if static then still globally declared *)
	make_block [] (decl@[interp_statement ab may_break rem])
      else
	mk_expr (if v.var_is_assigned then
	  Let_ref(v.var_unique_name,tinit,
		 make_block [] (decl@[interp_statement ab may_break rem]))
	else
	  Let(v.var_unique_name,tinit,
	     make_block [] (decl@[interp_statement ab may_break rem])))


and interp_block ab may_break statements =
  let rec block = function
    | [] -> 
	void,[]
    | { nst_loc = loc ; nst_node = NSlabel(lab,st) } :: bl ->
	if lab.times_used = 0 then 
	  begin
	    warning loc "unused label %s" lab.label_info_name;
	    block (st::bl)
	  end
	else
	  let (be,bl) = block (st::bl) in
	  Hashtbl.add labels_table lab.label_info_name ();
	  (mk_expr(Raise("Goto_"^lab.label_info_name,None))),
        (lab,be)::bl
    | {nst_loc = _loc ; nst_node = NSlogic_label(l) } :: bl -> 
	  let (be,bl) = block bl in
	  (make_label l be), bl
    | [s] ->
	interp_statement ab may_break s,[]
    | { nst_node = NSnop } :: bl ->
	block bl
    | { nst_node = NSif (e, s1, s2) } as s :: bl ->
	begin match s1.nst_term, s2.nst_term with
	  | true, true ->
	      append_block (interp_statement true may_break s) (block bl)
	  | false, false ->
	      unreachable_block bl;
	      interp_statement ab may_break s,[]
	  | true, false ->
	      let (be,bl) = block (s1::bl) in
	      mk_expr (If (interp_boolean_expr e, 
		           be, interp_statement ab may_break s2)), bl
	  | false, true ->
	      let (be,bl) = block (s2::bl) in
	      mk_expr (If (interp_boolean_expr e,
		           interp_statement ab may_break s1, be)), bl
	end
    | s :: bl ->
	if not s.nst_term then unreachable_block bl;
	append_block (interp_statement true may_break s) (block bl)
  in
  let be,bl = block statements in
  List.fold_left 
    (fun acc (lab,e) ->
       mk_expr(Try(acc,"Goto_"^lab.label_info_name,None,e))) be bl


and interp_switch tmp ab may_break l c used_cases post_default =
  match l with
    | (lc, i):: l ->
	if IntMap.is_empty lc
	then
	  let (a,lc) = make_switch_condition_default tmp c used_cases in
	  (* [bl] is actually unreachable *)
	  let (linstr,final) = interp_case ab may_break i in
	  if final 
	  then
	    mk_expr(Output.If(a,
		      make_block [] linstr
			,
			interp_switch tmp ab may_break l lc used_cases false))
	  else
	    make_block [] ((mk_expr (Output.If(a,
			      make_block [] linstr
				,
				void)))::[interp_switch tmp ab may_break l lc 
					   used_cases true])
	else  
	  let (a,lc) = 
	    if post_default
	    then
	      make_switch_condition_default tmp lc c
	    else
	      make_switch_condition tmp 
		(IntMap.fold 
		   ( fun x e m ->
		       IntMap.add x e m)
		   c
		   lc) 
	  in
	  let (linstr,final) = interp_case ab may_break i in
	  if final
	  then
	    mk_expr(Output.If(a,
		      make_block [] linstr,
		      interp_switch tmp ab may_break l 
			IntMap.empty used_cases false))
	  else
	    make_block [] [mk_expr (Output.If(a,
			      make_block [] linstr,
			      void));
                        interp_switch tmp ab may_break 
		          l lc  used_cases post_default]
    | [] -> void

and interp_case ab may_break i =
  match i with
    | [] -> [],false
    | a::i -> 
	if a.nst_term
	then
	  let (instr,isfinal) = interp_case ab may_break i in
	  ((interp_statement ab may_break a)::instr),isfinal
	else
	  begin
	    unreachable_block i;
	    (if a.nst_node=NSbreak 
	     then [] 
	     else [interp_statement ab may_break a]),true
	  end
	  
	  

let interp_predicate_args id args =
  let args =
    List.fold_right
      (fun (id,_t) args -> 
	 (id.var_unique_name,Info.output_why_type id.var_why_type)::args)
      args []
  in
  let args = 
    HeapVarSet.fold
      (fun arg t -> (heap_var_name arg,Info.output_why_type arg.var_why_type) 
	 :: t)
      id.logic_heap_args args in
  ZoneSet.fold 
    (fun (z,s,ty) l -> 
	 (zoned_name s (Pointer z), 
	  (Info.output_why_type (Info.Memory(ty,z))))::l)
    id.logic_heap_zone args

let type_to_base_type l = 
  List.map (fun (x,y) -> (x,Info.output_why_type y)) l

let cinterp_logic_symbol id ls =
  match ls with
    | NPredicate_reads(args,_locs) -> 
	let args = interp_predicate_args id args in
(*
	let _ty = 
	  List.fold_right 
	    (fun (x,t) ty -> 
	       Prod_type (x, Base_type t, ty)) 
	    args 
	    (Base_type ([],"prop"))
	in
*)
	Logic(false, id_no_loc id.logic_name, args, simple_logic_type "prop")
    | NPredicate_def(args,p) -> 
	let a = interp_predicate None "" p in
	let args = interp_predicate_args id args in
	Predicate(false,id_no_loc id.logic_name, args,a)
    | NFunction(args,ret,_) ->
	let ret_type =
	  Info.output_why_type (Cenv.type_type_why ret false) 
(*
	  match ret.Ctypes.ctype_node with
	    | Tvar s -> s
	    | Tint _ -> "int"
	    | Tfloat fk -> Cnorm.why_type_for_float_kind fk
	    | Tpointer _ | Tstruct _ -> 
		begin
		  match id.logic_why_type with
		    | Pointer z -> 
			let zone = Info.output_zone_name z in
			sprintf "%s pointer" zone.logic_type_name 
		    | _ -> assert false
		end
	    | _ -> assert false
*)
	in
	let args =
	  List.fold_right
	    (fun (id,_ty) t -> 
	       (id.var_unique_name,
		Info.output_why_type id.var_why_type)::t)
	    args []
	in
	let args =
	  HeapVarSet.fold
	    (fun arg t -> 
	       let ty = arg.var_why_type in 
	       ("",Info.output_why_type ty)::t)
	    id.logic_heap_args args
	in
        let args = 
          ZoneSet.fold 
            (fun (z,_,ty) t ->
               ("",Info.output_why_type (Info.Memory(ty,z)))::t)
            id.logic_heap_zone args in
	Logic(false,id_no_loc id.logic_name,args,(*simple_logic_type*) ret_type)
    | NFunction_def(args,ret,e) ->
	let e = interp_term None "" e in
	let ret_type = 
	  Info.output_why_type (Cenv.type_type_why ret false) 
(*
	  match ret.Ctypes.ctype_node with
	    | Tvar s -> s
	    | Tint _ -> "int"
	    | Tfloat fk -> Cnorm.why_type_for_float_kind fk
	    | Tpointer _ | Tstruct _ -> 
		begin
		  match id.logic_why_type with
		    | Pointer z -> 
			let zone = Info.output_zone_name z in
			sprintf "%s pointer" zone.logic_type_name 
		    | _ -> assert false
		end
	    | _ -> assert false
*)	in
	let args = interp_predicate_args id args in
	Output.Function(false,id_no_loc id.logic_name,args,(* simple_logic_type *) ret_type,e)
	  
let interp_axiom p =
  let a = interp_predicate None "" p
  and e = Ceffect.predicate p in
  let a  =  
    HeapVarSet.fold
      (fun arg t -> LForall
	 (heap_var_name arg,Info.output_why_type arg.var_why_type, [],t))
      e.Ceffect.reads_var a in
  ZoneSet.fold 
    (fun (z,s,ty) t -> 
       let z = repr z in
       LForall (s^"_"^z.name,Info.output_why_type (Info.Memory(ty,z)), [],t))
    e.Ceffect.reads a 

let interp_effects e =
  HeapVarSet.fold (fun var acc -> var::acc) e []

let interp_fun_params reads params =
  let l = List.map 
    (fun id ->
       (id.var_unique_name,Base_type(Info.output_why_type id.var_why_type)))
    params  in
  let l = ZoneSet.fold
    (fun (z,s,ty) l ->
       let z = repr z in
       if z.zone_is_var then
	 (zoned_name s (Pointer z), 
	  Ref_type 
	    (Base_type 
	       (Info.output_why_type (Info.Memory(ty,z)))))::l
       else l )
    reads l in
  if l=[]
  then 
      ["tt",unit_type]
  else 
    l
let heap_var_unique_names v =
  HeapVarSet.fold (fun v l -> heap_var_name v::l) v []

let heap_var_unique v =
  ZoneSet.fold (fun (z,s,_) l -> zoned_name s (Pointer z)::l) v []
  
let interp_function_spec id sp _ty pl =
  (* add to precondition the validity or nullity of pointer arguments*)
  let sp = 
    if false then (* Coptions.abstract_interp || Coptions.gen_invariant then *)
      List.fold_right 
	(fun p s -> 
	   if Ctypes.is_pointer p.var_type then
	     let pterm = {
	       nterm_node = NTvar p; 
	       nterm_loc = Loc.dummy_position;
	       nterm_type = p.var_type; }
	     in
	     let valid = {
	       npred_node = NPvalid pterm;
	       npred_loc = Loc.dummy_position; }
	     in
	     let zeroterm = { 
	       nterm_node = NTconstant (IntConstant "0"); 
	       nterm_loc = Loc.dummy_position;
	       nterm_type = Ctypes.c_int; }
	     in
	     let castzero = { 
	       nterm_node = NTcast (p.var_type,zeroterm); 
	       nterm_loc = Loc.dummy_position;
	       nterm_type = p.var_type; }
	     in
	     let null = {
	       npred_node = NPrel (pterm, Eq, castzero);
	       npred_loc = Loc.dummy_position; }
	     in
	     let valid_or_null = {
	       npred_node = NPor (valid, null);
	       npred_loc = Loc.dummy_position; }
	     in
	     match s.requires with
	       | None -> { s with requires = Some valid_or_null }
	       | Some r ->
		   { s with requires = Some {
		       npred_node = NPand (valid_or_null, r);
		       npred_loc = Loc.dummy_position; } }
	   else s) pl sp
    else sp
  in
  let pre_with,pre_without,post = 
    interp_spec 
      (id != Cinit.invariants_initially_established_info)
      { Ceffect.reads = id.function_reads; 
	Ceffect.assigns = id.function_writes;
	Ceffect.reads_var = id.function_reads_var; 
	Ceffect.assigns_var = id.function_writes_var;
	(* TODO: consider pointer arguments written by function *)
	Ceffect.reads_under_pointer = HeapVarSet.empty;
	Ceffect.assigns_under_pointer = HeapVarSet.empty; } 
      sp 
  in
  let tpl = interp_fun_params id.function_reads pl in   
  let r = heap_var_unique_names id.function_reads_var in
  let w = heap_var_unique_names id.function_writes_var in
  let r = (heap_var_unique id.function_reads)@r in
  let w = (heap_var_unique id.function_writes)@w in
  let annot_type = 
    Annot_type
      (pre_without, Base_type (Info.output_why_type id.type_why_fun), r, w, 
       post, [])
  in
  let ty = 
    List.fold_right 
      (fun (x,ct) ty -> Prod_type (x, ct, ty))
      tpl 
      annot_type
  in
  tpl,pre_with,post, Param (false, id_no_loc (id.fun_unique_name ^ "_parameter"), ty)

(**** CODE TRANSFERRED TO make_enum_types_decls 
let interp_type loc ctype = match ctype.Ctypes.ctype_node with
  | Tenum e ->
      begin match Cenv.tag_type_definition e with
	| Cenv.TTEnum (Tenum n, el) -> 
	    List.flatten
	      (List.map 
		 (fun (info,v) -> 
		    let x = info.var_unique_name in
		    let v = Int64.to_string v in
		    let a = LPred ("eq_int", [LVar x; LConst (Prim_int v)]) in
		    [Logic (false, x, [], simple_logic_type "int");
		     Goal(KAxiom,"enum_" ^ n ^ "_" ^ x, a)])
		 el)
	| _ -> assert false
      end
  | _ -> 
      []
****)

let interp_located_tdecl why_spec decl =
  match decl.node with
  | Nlogic(id,ltype) -> 
      lprintf "translating logic declaration of %s@." id.logic_name;
      cinterp_logic_symbol id ltype::why_spec
  | Naxiom(id,p) -> 
      lprintf "translating axiom declaration %s@." id;      
      let a = interp_axiom p in
      Goal(KAxiom,id_no_loc id,a)::why_spec
  | Ninvariant(id,_p) -> 
      lprintf "translating invariant declaration %s@." id;      
      why_spec
  | Ninvariant_strong (id,_p) ->
      lprintf "translating invariant declaration %s@." id;      
      why_spec
  | Ntypedecl ({ Ctypes.ctype_node = Tenum _ })
  | Ntypedef _ -> 
      why_spec (* let dl = interp_type decl.loc ctype in dl @ why_spec *)
  | Ntypedecl { Ctypes.ctype_node = Tstruct _ | Tunion _ } -> 
      why_spec
  | Ntypedecl _ ->
      assert false
  | Ntype _ ->
      why_spec
  | Ndecl(_ctype,_v,_init) -> 
      (* global initialisations already handled in cinit.ml *)
      why_spec


let interp_c_fun _fun_name (spec, ctype, id, block, loc) (why_code,why_spec) =
  if (id = Cinit.invariants_initially_established_info &&  
      not !Cinit.user_invariants)
  then
    (why_code, why_spec)
  else
    (reset_tmp_var ();
     let tparams,pre,post,tspec = 
       interp_function_spec id spec ctype id.args in
     match block with 
       | None -> (why_code, tspec :: why_spec)
       | Some block ->
	   let f0 = id.fun_name in
	   let f = id.fun_unique_name in
	   let why_name = f ^ "_impl" in
	   let (_ : string) = reg_loc ~id:why_name ~oldid:f0 ~name:("C function "^f0) ~beh:"Correctness" loc in
	   if Coptions.verify id.fun_name then begin try
	     lprintf "translating function %s@." f;
	     abrupt_return := None;
	     let may_break = ref false in
	     let list_of_refs =
	       List.fold_right
		 (fun id bl ->
		    if id.var_is_assigned
		    then 
		      let n = id.var_unique_name in
		      set_unique_name (Var_info id) ("mutable_" ^ n); 
		      unset_formal_param id;
		      (id.var_unique_name,n) :: bl
		    else bl) 
		 id.args [] 
	     in
	     let tblock = catch_return 
	       (interp_statement true may_break block) in
	     assert (not !may_break);
	     let tblock = make_label "init" tblock in
	     let tblock =
	       List.fold_right
		 (fun (mut_id,id) bl ->
		    mk_expr (Let_ref(mut_id,mk_var id,bl)))
                 list_of_refs tblock
             in
	     printf "generating Why code for function %s@." f;
	     ((f, Def(id_no_loc why_name, 
		      mk_expr (Fun(tparams,pre,tblock,post,[]))))::why_code,
	      tspec :: why_spec)
	   with Error (_, Cerror.Unsupported s) ->
	     lprintf "unsupported feature (%s); skipping function %s@." s f;
	     eprintf "unsupported feature (%s); skipping function %s@." s f;
	     (why_code,
	      tspec :: why_spec)
	   end else begin
	     lprintf "assuming function %s@." f;
	     (why_code, tspec :: why_spec)
	   end
    )    

let interp l =
  let s = interp_strong_invariants () in
  List.fold_left interp_located_tdecl s l

let interp_functions why =
  let (code,spec) = 
    Hashtbl.fold interp_c_fun Cenv.c_functions ([],why)
  in
  let code = 
    Hashtbl.fold
      (fun lab () acc ->
	 (lab,Exception(id_no_loc ("Goto_"^lab),None))::acc) labels_table code
  in
  (code,spec)

  


(*
Local Variables: 
compile-command: "make -j -C .. bin/caduceus.byte"
End: 
*)
why-2.34/c/cabsint.ml0000644000175000017500000044346612311670312013035 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* TO DO:

   - call to [Ceffect] functions to compute effects of loops expects
   previous name disambiguation. This is not done, which can lead to
   errors, e.g.

   declare_heap_var : result ; oldtype = ()double ; newtype = ()global pointer 
   Anomaly: File "c/ceffect.ml", line 98, characters 6-12: Assertion failed

   - in [propagate], when doing backward prop, do not propagate on incoming
   edge with [None] value, control does not flow through this edge !

   - add location to the hooks for invariants/preconditions ?

   - problem with construction of graph for "do-while", not knowing
   if [fwd_node] or [bwd_node] is the place the invariant is checked.
   If both, problem.

   - see why code cannot be shared between [Make_PointWiseSemiLattice]
   and [Make_PointWiseLattice]. Problem with abstraction [t].

   - consider a declaration without initializer as a definition to some top
   value. Currently such declarations are ignored, which allows to translate
       char* q;
       if (b) q = p;
       *q = 0;
   by
       if (b) ;
       *p = 0;

   - treat as a test the expression in a switch statement. The difficulty here
   is that cases with multiple constants, e.g.
       case 1:
       case 2:
   should be translated by a test of the form
       (e == 1) || (e == 2)
   but [e] could be performing some side-effects. In this case a local variable
   (with switch scope) should be introduced, e.g.
       (tmp = e; (tmp == 1) || (tmp == 2))

   - check that the [default] case in a switch is properly defined by an empty
   set of constants, and use it in the definition of the operational graph.

*)

open Info
open Clogic
open Cast
open Cutil

let debug = Coptions.debug
let debug_more = false


(*****************************************************************************
 *                                                                           *
 * 		Basic modules for abstract interpretation                    *
 *                                                                           *
 *****************************************************************************)

(* type of widening performed, if any:
   - WidenFast : to infinity
   - WidenZero : if possible to 0, otherwise to infinity
   - WidenUnit : if possible to -1 or 0 or 1, otherwise to infinity
   - WidenSteps il : if possible to the first integer in [il] that fits,
                     otherwise to infinity
   Taken from Miné's example analysis.
 *)
type widening_t = WidenFast | WidenZero | WidenUnit | WidenSteps of int list

module type ELEMENT_OF_CONTAINER = sig
  type t
  val pretty : Format.formatter -> t -> unit
  val compare : t -> t -> int
  val equal : t -> t -> bool
  val hash : t -> int
end
 
module type VARIABLE = sig
  include ELEMENT_OF_CONTAINER
  val to_string : t -> string
end

(* general interface of any module representing integers *)

module type INT_VALUE = sig

  (* same as Int32/Int64 *)
  type t
  val compare : t -> t -> int
  val add : t -> t -> t
  val sub : t -> t -> t
  val mul : t -> t -> t
  val div : t -> t -> t
  val rem : t -> t -> t
  val abs : t -> t
  val zero : t
  val one : t
  val minus_one : t
  val of_int : int -> t
  val to_int : t -> int
  val of_string : string -> t
  val to_string : t -> string
  val neg : t -> t
  val succ : t -> t
  val pred : t -> t

  (* added w.r.t. Int32/Int64 *)
  val pretty: Format.formatter -> t -> unit
  val lt : t -> t -> bool
  val le : t -> t -> bool
  val gt : t -> t -> bool
  val ge : t -> t -> bool
  val eq : t -> t -> bool
  val is_zero : t -> bool
  val is_one : t -> bool
  val min : t -> t -> t
  val max : t -> t -> t
  val length : t -> t -> t (* b - a + 1 *) 
end

module type SEMI_LATTICE = sig
  type t
    (* [top] and [bottom] made functions so that they can depend 
       on the context, typed as [dim_t] (usually a dimension) *)
  type dim_t
  val top : dim_t -> t
  val bottom : dim_t -> t
  val init : dim_t -> t
  val equal : t -> t -> bool
  val pretty : Format.formatter -> t -> unit
  val join : ?backward:bool -> t -> t -> t    
    (* performs widening according to the widening strategy given as 1st
       argument, between the stored abstract value (2nd argument) and
       the new value computed (3rd argument).
       The new value should always be above the stored value in the lattice
       (or less precise), which should always be the case with monotone
       transfer functions. *)
  val widening : widening_t -> old_value:t -> new_value:t -> t
end

module type LATTICE = sig
  include SEMI_LATTICE
  val meet : t -> t -> t
end

module type POINT_WISE_SEMI_LATTICE = sig
  include SEMI_LATTICE
  type var_t
  type value_t
  type map_t
    (* creates a singleton map *)
  val singleton : var_t -> value_t -> t
    (* replace ignores the value already present for this variable, if any *)
  val replace : var_t -> value_t -> t -> t
    (* [add] performs a join if a value was already present for this variable, 
       otherwise a simple add *)
  val union : var_t -> value_t -> t -> t
    (* [addmap] performs an [add] for every entry in the map *)
  val union_map : map_t -> t -> t
    (* [find] never raises an exception, returns the bottom value to signify 
       the variable was not found *)
  val find : var_t -> t -> value_t
    (* [iter] not defined for [top] value *)
  val iter : (var_t -> value_t -> unit) -> t -> unit
    (* [fold] not defined for [top] value *)
  val fold : (var_t -> value_t -> 'a -> 'a) -> t -> 'a -> 'a
  val mapi : (var_t -> value_t -> value_t) -> t -> t
end

module type POINT_WISE_LATTICE = sig
  include POINT_WISE_SEMI_LATTICE
  val meet : t -> t -> t
end

module Make_LatticeFromSemiLattice (L : SEMI_LATTICE) =
struct
  include L
  let meet _x _y = failwith "Semi-lattice does not implement meet"
end

module Make_PairSemiLattice (L1 : SEMI_LATTICE with type dim_t = unit)
    (L2 : SEMI_LATTICE with type dim_t = unit) 
    : SEMI_LATTICE with type dim_t = unit and type t = L1.t * L2.t =
struct
  type t = L1.t * L2.t
  type dim_t = unit

  let bottom () = L1.bottom (),L2.bottom ()
  let top () = L1.top (),L2.top ()
  let init () = L1.init (),L2.init ()

  let equal p1 p2 = L1.equal (fst p1) (fst p2) && L2.equal (snd p1) (snd p2)

  let pretty fmt p =
    Format.fprintf fmt "(%a,%a)" L1.pretty (fst p) L2.pretty (snd p)

  let join ?(backward=false) p1 p2 = 
    L1.join ~backward (fst p1) (fst p2),L2.join ~backward (snd p1) (snd p2)

  let widening ws ~old_value ~new_value =
    L1.widening ws (fst old_value) (fst new_value),
    L2.widening ws (snd old_value) (snd new_value)
end

module Make_PairLattice (L1 : LATTICE with type dim_t = unit)
    (L2 : LATTICE with type dim_t = unit) 
    : LATTICE with type dim_t = unit and type t = L1.t * L2.t =
struct
  include Make_PairSemiLattice (L1) (L2)
  let meet p1 p2 = L1.meet (fst p1) (fst p2),L2.meet (snd p1) (snd p2)
end

(* public type so that it can be used in both [Make_PointWiseSemiLattice]
   and [Make_PointWiseLattice] *)
type 'map pointwise_t =
  | PWempty
  | PWmap of 'map
  | PWall
      
module Make_PointWiseSemiLattice
    (V : VARIABLE) (L : SEMI_LATTICE with type dim_t = unit) 
    (* no information needed to create L's bottom and top elements *)
  : POINT_WISE_SEMI_LATTICE with type var_t = V.t and type value_t = L.t 
	(* [t] is made public to allow its reuse in [Make_PointWiseLattice] *)
	and type dim_t = unit and type t = L.t Map.Make(V).t pointwise_t =
struct

  module VMap = Map.Make (V)

  type var_t = V.t
  type value_t = L.t
  type map_t = L.t VMap.t 

  type t = L.t VMap.t pointwise_t

  type dim_t = unit
  let bottom () = PWempty
  let top () = PWall
  let init () = PWempty

  let equal pw1 pw2 = match pw1,pw2 with
    | PWempty,PWempty -> true
    | PWmap m1,PWmap m2 -> VMap.equal L.equal m1 m2
    | PWall,PWall -> true
    | _ -> false

  let pretty fmt pw = match pw with
    | PWempty -> Format.fprintf fmt "PWempty"
    | PWmap m -> Format.fprintf fmt "PWmap{%a}"
	(fun fmt m -> VMap.iter 
	   (fun v a -> Format.fprintf fmt "(%a,%a); " 
	      V.pretty v L.pretty a) m) m
    | PWall -> Format.fprintf fmt "PWall"

  let singleton var value =
    PWmap (VMap.add var value VMap.empty)

  let replace var value pw = match pw with
    | PWempty -> PWmap (VMap.add var value VMap.empty)
    | PWmap m -> PWmap (VMap.add var value m)
    | PWall -> PWall

  let find var pw = match pw with
    | PWempty -> L.bottom ()
    | PWmap m ->
	begin 
	  try VMap.find var m with Not_found -> L.bottom ()
	end
    | PWall -> L.top ()

  let union var value pw = match pw with
    | PWempty -> PWmap (VMap.add var value VMap.empty)
    | PWmap m -> 
	let new_value = L.join value (find var pw) in
	PWmap (VMap.add var new_value m)
    | PWall -> PWall

  let union_map m1 pw = match pw with
    | PWempty -> PWmap m1
    | PWmap _m2 -> 
	(* union all elements of [m1] in [m2] *)
	VMap.fold union m1 pw
    | PWall -> PWall

  (* ideally, [pw2] should be smaller than [pw1] when unioning maps *)
  let join ?(backward=false) pw1 pw2 = 
    assert (backward=false); (* to prevent unused warning *)
    match pw1,pw2 with
    | PWempty,pw | pw,PWempty -> pw
    | PWall,_ | _,PWall -> PWall
    | PWmap _m1,PWmap m2 -> 
	(* union all elements of [m2] in [m1] *)
	union_map m2 pw1
    
  let iter f pw = match pw with
    | PWempty -> ()
    | PWmap m -> VMap.iter f m
    | PWall -> failwith "[iter] should not be called on [PWall]"

  let fold f pw init = match pw with
    | PWempty -> init
    | PWmap m -> VMap.fold f m init
    | PWall -> failwith "[fold] should not be called on [PWall]"

  let mapi f pw = match pw with
    | PWempty -> PWempty
    | PWmap m -> PWmap (VMap.mapi f m)
    | PWall -> PWall

  let widening ws ~old_value ~new_value = match old_value,new_value with
    | PWempty,new_value -> new_value
    | PWmap m1,PWmap m2 -> 
	VMap.fold 
	  (fun v a2 m -> 
	     try 
	       let a1 = VMap.find v m1 in
	       let a = L.widening ws a1 a2 in
	       replace v a m
	     with Not_found -> 
	       m (* keep current binding from [new_value] *)
	  ) m2 new_value (* yes, both from [new_value] *)
    | _,PWall -> PWall
    | _ -> 
	(* the stored value [pw1] is less precise than the new computed value
	   [pw2], which should not be the case *)
	assert false
end

module Make_PointWiseLattice
    (V : VARIABLE) (L : LATTICE with type dim_t = unit) 
    : POINT_WISE_LATTICE with type var_t = V.t and type value_t = L.t 
    and type dim_t = unit =
struct

  include Make_PointWiseSemiLattice(V)(L) 

  module VMap = Map.Make (V)

  let intersect pw var value acc =
    let new_value = L.meet value (find var pw) in
    union var new_value acc

  let intersect_map m1 pw = match pw with
    | PWempty -> PWempty
    | PWmap _m2 -> 
	(* intersect all elements of [m1] in [m2] *)
	VMap.fold (intersect pw) m1 PWempty
    | PWall -> PWmap m1

  (* ideally, [pw2] should be smaller than [pw1] when intersecting maps *)
  let meet pw1 pw2 = match pw1,pw2 with
    | PWempty,_ | _,PWempty -> PWempty
    | PWall,pw | pw,PWall -> pw
    | PWmap _m1,PWmap m2 -> 
	(* intersect all elements of [m2] in [m1] *)
	intersect_map m2 pw1
end

      
(*****************************************************************************
 *                                                                           *
 * 		Abstract interpretation core                                 *
 *                                                                           *
 *****************************************************************************)

type direction_t = Forward | Backward

(* type of pair that allows a missing part *)
type 'a pair_t = Fst of 'a | Snd of 'a | Both of 'a * 'a

(* gives operations on a control-flow graph *)

module type INTER_LANG = sig
  type ilvar_t
  type ilfun_t
  type decl_t

  (* type of declaration/statement/expression in the intermediate language *)
  module Node : ELEMENT_OF_CONTAINER
  module NodeSet : Set.S with type elt = Node.t
  module NodeMap : Map.S with type key = Node.t
  module NodeHash : sig
    include Hashtbl.S with type key = Node.t
    val find_both : 'a pair_t t -> Node.t -> 'a option * 'a option
    val find_pre : 'a pair_t t -> Node.t -> 'a option
    val find_post : 'a pair_t t -> Node.t -> 'a option
    val replace_both : 'a pair_t t -> Node.t -> 'a -> 'a -> unit
    val replace_pre : 'a pair_t t -> Node.t -> 'a -> unit
    val replace_post : 'a pair_t t -> Node.t -> 'a -> unit
    val remove_both : 'a pair_t t -> Node.t -> unit
    val remove_pre : 'a pair_t t -> Node.t -> unit
    val remove_post : 'a pair_t t -> Node.t -> unit
    val iter_both : 
      (Node.t -> 'a option -> 'a option -> unit) -> 'a pair_t t -> unit
    val iter_pre : (Node.t -> 'a -> unit) -> 'a pair_t t -> unit
    val iter_post : (Node.t -> 'a -> unit) -> 'a pair_t t -> unit
    val fold_both : 
      (Node.t -> 'a option -> 'a option -> 'b -> 'b) -> 'a pair_t t -> 'b -> 'b
    val fold_pre : (Node.t -> 'a -> 'b -> 'b) -> 'a pair_t t -> 'b -> 'b
    val fold_post : (Node.t -> 'a -> 'b -> 'b) -> 'a pair_t t -> 'b -> 'b
  end

    (* is this node the function precondition ? *)
  val is_function_precondition_node : Node.t -> bool
    (* returns true if the argument is a widening node, i.e. a node where 
       the analysis is expected to perform widening if it does not
       naturally converge *)
  val is_widening_node : Node.t -> bool
    (* returns the value of the counter associated to a widening node *)
  val get_widening_count : Node.t -> int
    (* increment the counter associated to a widening node *)
  val incr_widening_count : Node.t -> unit
    (* reset the counter associated to a widening node *)
  val reset_widening_count : Node.t -> unit
    (* list of successors in the operational graph, e.g.
       - surrounding expression for a sub-expression
       - [else] and [then] branches for an [if] test expression
       ... 
       order does not matter *)
  val successors : ?ignore_looping:bool -> Node.t -> Node.t list
    (* list of predecessors in the operational graph.
       order does not matter *)
  val predecessors : ?ignore_looping:bool -> Node.t -> Node.t list
    (* is this node merging the upward and backward flows in a loop ? *)
  val is_loop_backward_destination_node : Node.t -> bool
    (* associates to some looping destination node its source node *)
  val looping_source : Node.t -> Node.t
    (* iterators *)
  val iter_operational : 
      direction_t -> roots:Node.t list -> (Node.t -> unit) -> unit
  val fold_operational : 
      direction_t -> roots:Node.t list -> (Node.t -> 'a -> 'a) -> 'a -> 'a
end

(* defines program points where result of analysis is useful *)
  
module type WATCH_POINT = sig
  (* replicates type of INTER_LANG *)
  type node_t
    (* defines watch-points *)
  val is_watch_node : node_t -> bool
end
  
(* connects the concrete and the abstract levels *)
  
module type CONNECTION = sig
    (* replicates type of INTER_LANG *)
  type node_t
  type 'a node_hash_t
    (* type of abstract value map *)
  type absval_t
    (* type of additional information used by [transform] *)
  type transform_t
    (* parametric type for the result of an analysis.
       It is an association from nodes to abstract values.
       First abstract value is the value before the node is entered.
       Second abstract value is the value after the node is exited. *)
  type 'a analysis_t = 'a pair_t node_hash_t
    (* result of abstract interpretation analysis *)
  type absint_analysis_t = absval_t analysis_t
    (* kind of widening performed, if any *)
  val widening_strategy : widening_t
    (* number of times a widening node can be updated before widening
       is performed. Setting it to [None] means that no widening will be
       ever performed. *)
  val widening_threshold : int option
    (* transfer function *)
  val transfer : 
      ?backward:bool -> ?with_assert:bool -> ?one_pass:bool
	-> ?previous_value:absval_t -> node_t -> absval_t -> absval_t
    (* takes the initial program and the formatted analysis, as well as 
       additional information if necessary.
       returns a transformed program. *)
  val transform : 
      absint_analysis_t -> transform_t -> node_t list -> node_t list
end

module type DATA_FLOW_ANALYSIS = sig
  (* replicates type of INTER_LANG *)
  type node_t
  type 'a node_hash_t
  type 'a node_map_t
    (* replicates types of CONNECTION *)
  type absval_t
  type absval_pair_t = absval_t * absval_t
  type 'a analysis_t
  type absint_analysis_t
    (* 
       core propagation function.
       It takes as 1st argument a record of type ['a propagate_t] that gives
       all the necessary basic blocks for the propagation algorithm.
       The list of nodes is used to initialize its working list. It may be 
       all the nodes in the graph, or only the root nodes, depending on
       the analysis. 
       The optional argument is the initial analysis. It will be used as is, 
       not copied (useful to remember as it is an hash-table).
       It produces an analysis that depends on 'a. 
     *)
  type 'a propagate_t =
      { 
	  (* direction *)
	direction : direction_t;
	  (* one-pass or until convergence *)
	one_pass : bool;
	  (* initialization points *)
	init : 'a node_map_t;
          (* transfer function *)
	transfer : ?previous_value:'a -> node_t -> 'a -> 'a;
	  (* default initial value *)
	bottom : unit -> 'a;
	  (* test of equality *)
	equal : 'a -> 'a -> bool;
	  (* pretty-printer *)
	pretty : Format.formatter -> 'a -> unit;
	  (* join function *)
	join : ?backward:bool -> 'a -> 'a -> 'a;
          (* join function on contexts *)
	join_ctxt : 'a -> 'a -> 'a;
	  (* widening function (if any) *)
	widening : widening_t -> old_value:'a -> new_value:'a -> 'a;
	  (* additional action after propagation *)
	action : node_t -> 'a -> unit;
      }
  val propagate : 
      ?analysis:'a analysis_t -> ?roots:node_t list -> 'a propagate_t
	-> 'a analysis_t
    (* 
       computes the result of an analysis on the implicit program.
       It is based on [propagate]. 
     *)
  val compute : node_t list -> absint_analysis_t
    (* compute backward from exit nodes *)
  val compute_back : node_t list -> absint_analysis_t
    (*
       same as compute, with additional assertion propagation.
       Takes as input the function that selects nodes to keep before assertion
       propagation.
    *)
  val compute_with_assert : 
    (node_t -> bool) -> node_t list -> absint_analysis_t
    (* 
       takes a program and computes the result of propagating forward
       the information, and then propagating backward/forward again from
       the nodes selected by [backward_select], with this new information
       being merged with the previous one only at nodes selected by
       [merge_select] using the function [merge_analyses]. 
     *)
  type compute_bnf_t = 
     {
         (* initial computation before back-and-forth propagation *)
       compute : node_t list -> absint_analysis_t;
         (* joins contexts and add conditionals, or default join otherwise *)
       join_context : absval_t -> absval_t -> absval_t;
         (* select nodes on which to propagate backward *)
       backward_select : node_t -> absval_t -> bool;
	 (* modifier to apply before initiating backward propagation *)
       backward_modify : node_t -> absval_t -> absval_t;
	 (* select nodes on which to keep forward information *)
       keep_select : node_t -> bool;
	 (* select nodes on which to merge forward and backward informations *)
       merge_select : node_t -> bool;
	 (* do merge forward and backward informations *)
       merge_analyses : absval_t -> absval_t -> absval_t;
     }
  val compute_back_and_forth :
    compute_bnf_t -> node_t list -> absint_analysis_t
end

(* very simple dataflow analysis, with fixed characteristics:
   forward, intra-procedural, context-insensitive *)

module Make_DataFlowAnalysis
    (V : VARIABLE) (IL : INTER_LANG) (L : LATTICE with type dim_t = unit)
    (* [L.dim_t] does not need to be [unit], change code if needed *)
    (* (W : WATCH_POINT with type node_t = IL.Node.t) *)
    (C : CONNECTION with type node_t = IL.Node.t and type absval_t = L.t
                    and type 'a node_hash_t = 'a IL.NodeHash.t)
  : DATA_FLOW_ANALYSIS
      with type node_t = IL.Node.t 
      and type 'a node_hash_t = 'a IL.NodeHash.t
      and type 'a node_map_t = 'a IL.NodeMap.t
      and type absval_t = C.absval_t
      and type absval_pair_t = C.absval_t * C.absval_t
      and type 'a analysis_t = 'a C.analysis_t
      and type absint_analysis_t = C.absint_analysis_t
= struct

  open IL

  type node_t = Node.t
  type 'a node_hash_t = 'a NodeHash.t
  type 'a node_map_t = 'a NodeMap.t
  type absval_t = L.t
  type absval_pair_t = absval_t * absval_t
  type 'a analysis_t = 'a C.analysis_t
  type absint_analysis_t = C.absint_analysis_t

  type 'a propagate_t =
      { 
	  (* direction *)
	direction : direction_t;
	  (* one-pass or until convergence *)
	one_pass : bool;
	  (* initialization points *)
	init : 'a node_map_t;
          (* transfer function *)
	transfer : ?previous_value:'a -> node_t -> 'a -> 'a;
	  (* default initial value *)
	bottom : unit -> 'a;
	  (* test of equality *)
	equal : 'a -> 'a -> bool;
	  (* pretty-printer *)
	pretty : Format.formatter -> 'a -> unit;
	  (* join function *)
	join : ?backward:bool -> 'a -> 'a -> 'a;
          (* join function on contexts *)
	join_ctxt : 'a -> 'a -> 'a;
	  (* widening function (if any) *)
	widening : widening_t -> old_value:'a -> new_value:'a -> 'a;
	  (* additional action after propagation *)
	action : node_t -> 'a -> unit;
      }

  type compute_bnf_t = 
     {
         (* initial computation before back-and-forth propagation *)
       compute : node_t list -> absint_analysis_t;
         (* joins contexts and add conditionals, or default join otherwise *)
       join_context : absval_t -> absval_t -> absval_t;
         (* select nodes on which to propagate backward *)
       backward_select : node_t -> absval_t -> bool;
	 (* modifier to apply before initiating backward propagation *)
       backward_modify : node_t -> absval_t -> absval_t;
	 (* select nodes on which to keep forward information *)
       keep_select : node_t -> bool;
	 (* select nodes on which to merge forward and backward informations *)
       merge_select : node_t -> bool;
	 (* do merge forward and backward informations.
	    Forward is [post] value while backward is [pre] value, which only
	    makes sense in general if the backward transfer function on
	    the node is the identity.
	 *)
       merge_analyses : absval_t -> absval_t -> absval_t;
     }

  let propagate ?analysis ?(roots=[]) params =

    if debug_more then Coptions.lprintf 
      "[propagate] %s@." (match params.direction with
      | Forward -> "forward"
      | Backward -> "backward");

    let change = ref true in
    let visited_set = ref NodeSet.empty in

    (* result of the analysis *)
    let res : 'a C.analysis_t = match analysis with
    | None -> NodeHash.create 0 
    | Some analysis -> analysis
    in

    (* find current values associated to [node] *)
    let res_val node =
      match NodeHash.find_both res node with
      | None,None ->
	  begin try 
	    let init_val = NodeMap.find node params.init in
	    begin match params.direction with
	    | Forward -> Some init_val,None,true
	    | Backward -> None,Some init_val,true
	    end
	  with Not_found -> None,None,false end
      | pre_val,post_val -> pre_val,post_val,false
    in

    let treat_node cur_node =
      if not (NodeSet.mem cur_node (!visited_set)) then
	begin 
	  visited_set := NodeSet.add cur_node (!visited_set);
	  if IL.is_widening_node cur_node then
	    (* reset the counter for widening *)
	    IL.reset_widening_count cur_node
	end;

      (* find value associated to [cur_node] *)
      let pre_val,post_val,is_init = res_val cur_node in

      let pre_val =
	if params.one_pass && is_loop_backward_destination_node cur_node then
	  match params.direction with
	    | Forward -> 
		let sce_node = looping_source cur_node in
		let _,sce_val,_ = res_val sce_node in
		begin match pre_val,sce_val with
		  | None,_ -> pre_val
		  | Some _,None -> pre_val
		  | Some pre_val,Some sce_val ->
		      Some (params.join_ctxt pre_val sce_val)
		end
	    | Backward -> pre_val
	else pre_val
      in

      let from_val,to_val = match params.direction with
        | Forward -> pre_val,post_val
	| Backward -> post_val,pre_val
      in
      if debug_more then Coptions.lprintf 
	"[propagate] take node in working list %a from val %a@."
	Node.pretty cur_node (Option.pretty params.pretty) from_val;

      let backward = match params.direction with
	| Backward -> true | Forward -> false
      in

      (* compute next value and replace existing one *)
      let cur_val = 
	(* do not call transfer function on init node in backward mode
	   (useful for access that is also a test, e.g. "if (t[i])") *)
	if backward && is_init then
	  from_val
	else match to_val with
	  | None -> 
	      Option.app (params.transfer cur_node) from_val
	  | Some to_val ->
	      Option.app (params.transfer ~previous_value:to_val cur_node) 
		from_val
      in
      (* perform widening if necessary *)
      let cur_val = match cur_val with
	| None -> None
	| Some cur_val ->
	    if IL.is_widening_node cur_node then
	      match C.widening_threshold with
		| None -> 
		    (* analysis does not require widening to converge *)
		    Some cur_val
		| Some threshold ->
		    let cur_count = IL.get_widening_count cur_node in
		    IL.incr_widening_count cur_node;
		    if cur_count = threshold then
		      (* perform widening *)
		      match to_val with
			| None -> Some cur_val
			| Some to_val -> 
			    if debug_more then Coptions.lprintf 
			      "[propagate] perform widening@.";
			    Some (params.widening C.widening_strategy 
				    ~old_value:to_val ~new_value:cur_val)
		    else if cur_count > threshold then
		      (* needed ???????? *)
		      to_val
		    else 
		      (* not yet time for widening *)
		      Some cur_val
	    else 
	      (* not a widening node *)
	      Some cur_val
      in
      if debug_more then Coptions.lprintf 
	"[propagate] computed value: %a@." 
	(Option.pretty params.pretty) cur_val;
      if debug_more then Coptions.lprintf 
	"[propagate] previous value: %a@." 
	(Option.pretty params.pretty) to_val;

      (* change value if different in fixpoint case, or in all cases when
	 doing a one-pass propagation. In the last case, the value of the node
	 is not modified, but the successors' values are. *)
      if not (Option.equal params.equal cur_val None) 
	&& (params.one_pass
	    || not (Option.equal params.equal cur_val to_val)) then
	begin
	  (* [from_val] and [cur_val] are [Some] options here *)
	  let from_val = 
	    match from_val with Some v -> v | None -> assert false in
	  let cur_val = 
	    match cur_val with Some v -> v | None -> assert false in

	  change := true;

	  if debug_more then Coptions.lprintf 
	    "[propagate] new value is different@.";
	  
	  begin match params.direction with
	    | Forward -> 
		NodeHash.replace_both res cur_node from_val cur_val;
	    | Backward -> 
		NodeHash.replace_both res cur_node cur_val from_val
	  end;

	  let next_nodes = match params.direction with
	    | Forward -> 
                IL.successors ~ignore_looping:params.one_pass cur_node 
	    | Backward -> 
                IL.predecessors ~ignore_looping:params.one_pass cur_node 
	  in
	  if debug_more then Coptions.lprintf 
	    "[propagate] node has %i successor(s)@." (List.length next_nodes);
	  if debug_more then Coptions.lprintf 
	    "[propagate] %a@." (fun _fmt -> List.iter 
				(Coptions.lprintf "%a " Node.pretty))
	    next_nodes;
	  List.iter (fun nx_node ->
		       let nx_pre,nx_post,_ = res_val nx_node in
		       let nx_from,nx_to = match params.direction with
			 | Forward -> nx_pre,nx_post
			 | Backward -> nx_post,nx_pre
		       in
		       if debug_more then Coptions.lprintf 
			 "[propagate] succ prev value: %a@." 
			 (Option.pretty params.pretty) nx_from;
		       let nx_val = match nx_from with
			 | None -> cur_val 
			 | Some nx_from -> 
			     if is_function_precondition_node nx_node then
			       (* function precondition is non-empty, use it
				  rather than propagating initial value *)
			       nx_from (* ignore [cur_val] *)
			     else
			       params.join ~backward nx_from cur_val 
		       in
		       if debug_more then Coptions.lprintf 
			 "[propagate] succ cur value: %a@."
			   params.pretty nx_val;

		       (* change value if different *)
		       if not (Option.equal 
				 params.equal (Some nx_val) nx_from) then
			 begin
			   if debug_more then Coptions.lprintf 
			     "[propagate] new value for successor \
			      is different@.";
			   if debug_more then Coptions.lprintf 
			     "[propagate] new value: %a@." 
			       params.pretty nx_val;
			   let nx_to = match nx_to with
			     | None -> params.bottom ()
			     | Some nx_to -> nx_to
			   in
			   begin match params.direction with
			     | Forward ->
				 NodeHash.replace_both res nx_node 
				   nx_val nx_to
			     | Backward ->
				 NodeHash.replace_both res nx_node
				   nx_to nx_val
			   end;
(*
			   (* add node in working list/set if not present *)
			   add_node nx_node
*)
			 end
		    ) next_nodes
	end;

      (* perform additional action (if any) *)
      match cur_val with
	| None -> ()
	| Some cur_val -> params.action cur_node cur_val
    in

    while !change do
      change := false;
      if debug_more then Coptions.lprintf 
	  "[propagate] one more round of propagation@.";
      IL.iter_operational params.direction ~roots treat_node;
      (* immediately stop iteration in one-pass propagation *)
      if params.one_pass then change := false
    done;
    res

  let forward_params ?join_context
      ?(one_pass=false) ?(with_assert=false) init =
    { 
        (* direction *)
      direction = Forward;
        (* one-pass or until convergence *)
      one_pass = one_pass;
        (* initialization points *)
      init = init;
        (* transfer function *)
      transfer = C.transfer ~backward:false ~with_assert ~one_pass;
        (* default initial value *)
      bottom = L.bottom;
        (* test of equality *)
      equal = L.equal;
        (* pretty-printer *)
      pretty = L.pretty;
        (* join function *)
      join = L.join;
        (* join function on contexts *)
      join_ctxt = 
	begin match join_context with 
	  | None -> L.join ~backward:false 
	  | Some f -> f 
	end;
        (* widening function (if any) *)
      widening = L.widening;
        (* additional action after propagation *)
      action = fun _ _ -> ();
    }

  let backward_params ?join_context nodes cstr action =
    { 
        (* direction *)
      direction = Backward;
        (* one-pass or until convergence *)
      one_pass = true;
        (* initialization points *)
      init = List.fold_left (fun map node -> NodeMap.add node cstr map)
	NodeMap.empty nodes;
        (* transfer function *)
      transfer = C.transfer
	~backward:true ~with_assert:false ~one_pass:true;
        (* default initial value *)
      bottom = L.bottom;
        (* test of equality *)
      equal = L.equal;
        (* pretty-printer *)
      pretty = L.pretty;
        (* join function *)
      join = L.join;
        (* join function on contexts, only used in forward propagation *)
      join_ctxt = 
	begin match join_context with 
	  | None -> L.join ~backward:false 
	  | Some f -> f 
	end;
        (* widening function (if any) *)
      widening = L.widening;
        (* additional action after propagation *)
      action = action;
    }

  let keep_only_selected keep_select analysis =
    IL.iter_operational Forward ~roots:[] (fun node ->
      if keep_select node then
	NodeHash.remove_pre analysis node
      else
	NodeHash.remove analysis node
    )

  let compute decls =
    let init = List.fold_left (fun m decl -> NodeMap.add decl (L.init ()) m) 
      NodeMap.empty decls in
    propagate (forward_params init)

  let compute_back nodes =
    propagate (backward_params nodes (L.init()) (fun _ _ -> ()))

  (* propagation of assertions (e.g. resulting from verification conditions)
     should be done in one pass, without going through back edges in loops.
     Indeed, on the following code 
          int i = 0;
          int p[10]; // pp1
          while (i++) { // pp2
            p[i] = 0; // pp3
          }
     At program point 1 (pp1)  : i == 0 && arrlen(p) == 10
     At pp3 without assertions : i > 0 && arrlen(p) == 10
     At pp3 with assertions    : 0 < i < arrlen(p) == 10
     If we join pp1 and pp3 with assertions, we get a buggy assume-invariant
          0 <= i < arrlen(p) == 10
     The correct thing to do is to join pp1 and pp3 without assertions, to get
     the correct assume-invariant
          0 <= i && arrlen(p) == 10
     And then to propagate the assertions without going through back edges.
   *)
  let compute_with_assert keep_select decls =
    (* 1st step: propagate forward information *)
    let fwd_analysis = compute decls in

    (* 2nd step: propagate forward assertions *)
    keep_only_selected keep_select fwd_analysis;
    let init = List.fold_left (fun m decl -> NodeMap.add decl (L.init ()) m) 
      NodeMap.empty decls in
    propagate (forward_params ~with_assert:true ~one_pass:true init)
      ~analysis:fwd_analysis

  let compute_back_and_forth params decls =
    (* 1st step: propagate initial information *)
    let fwd_analysis = params.compute decls in

    (* 2nd step: propagate backward/forward again from every selected node *)
    IL.fold_operational Forward ~roots:[] (fun node cur_analysis ->

      let node_value_in_analysis analysis node =
	let pre_cur_val = match NodeHash.find_pre analysis node with
	| None -> 
	    (* use here top value, in order to correctly meet with value
	       from forward analysis *)
	    L.top ()
	| Some pre_val -> pre_val
	in
	let post_cur_val =  match NodeHash.find_post analysis node with
	| None -> 
	    (* use here top value, in order to correctly meet with value
	       from forward analysis *)
	    L.top ()
	| Some post_val -> post_val
	in
	(* always refer to [fwd_analysis] to keep initial fixpoint 
	   results. [analysis] may not have an appropriate value,
	   due to the fact some backward analysis may not have 
	   considered this node, and thus have "forgotten" the initial 
	   results. *)
	let pre_fwd_val,post_fwd_val =
	  match NodeHash.find_both fwd_analysis node with
	  | None,None -> 
	      (* use here top value to allow [meet] below *)
	      L.top (),L.top ()
	  | Some pre_val,None ->
	      pre_val,L.top ()
	  | None,Some post_val ->
	      L.top (),post_val
	  | Some pre_val,Some post_val ->
	      pre_val,post_val
	in
	let pre_cur_val = L.meet pre_cur_val pre_fwd_val in
	let post_cur_val = L.meet post_cur_val post_fwd_val in
	pre_cur_val,post_cur_val
      in

      let pre_val,_ = node_value_in_analysis cur_analysis node in

      if params.backward_select node pre_val then

	(* create an empty new analysis *)
	let mix_analysis = NodeHash.create (NodeHash.length cur_analysis) in
	let pre_val = params.backward_modify node pre_val in
	let bwd_action node pre_bwd_val =
	  if params.merge_select node || params.keep_select node then
	    let pre_cur_val,post_cur_val = 
	      node_value_in_analysis cur_analysis node
	    in
	    if params.merge_select node then
	      (* use [post] value, only one valid for previous analysis *)
	      let pre_mix_val = params.merge_analyses post_cur_val pre_bwd_val
	      in
	      (* for merge nodes, set same value as [pre] and [post] value *)
	      NodeHash.replace_both mix_analysis node pre_mix_val pre_mix_val
	    else if params.keep_select node then
	      NodeHash.replace_both mix_analysis node pre_cur_val post_cur_val
	    else assert false
	  else ()
	in
	(* propagate backward on the path that leads to this node *)
	let bwd_params = backward_params [node] pre_val bwd_action in
	let bwd_analysis = propagate bwd_params ~roots:[node] in
	ignore (bwd_analysis);
	(* add appropriate assume invariant when "forgotten" by last
	   backward analysis *)
	IL.iter_operational Forward ~roots:[] (fun node ->
	  if params.keep_select node then
	    let pre_mix_val,post_mix_val = 
	      node_value_in_analysis mix_analysis node
	    in
	    NodeHash.replace_both mix_analysis node pre_mix_val post_mix_val
	);
	(* propagate forward again *)
	keep_only_selected params.keep_select mix_analysis;
	let init =
	  List.fold_left (fun m decl -> NodeMap.add decl (L.init ()) m)
	    NodeMap.empty decls in
	let fwd_params = forward_params ~join_context:params.join_context 
	  ~with_assert:true ~one_pass:true init in
	propagate fwd_params ~analysis:mix_analysis

      else cur_analysis
    ) fwd_analysis

end


(*****************************************************************************
 *                                                                           *
 * 		Concrete intermediate language for analysis                  *
 *                                                                           *
 *****************************************************************************)

(* type used for offset from pointer *)
let int_offset_type = Ctypes.c_int
let int_offset_kind = Ctypes.Signed,Ctypes.Int
let int_offset_addop = Badd_int int_offset_kind

(* type to represent a function in the normalized code.
   It has the same elements as the hash-table [Cenv.c_functions]. *)
type func_t = 
    {
      name : string;
      spec : Cast.nspec; 
      typ  : Ctypes.ctype;
      f    : Info.fun_info;
      s    : Cast.nstatement option;
      loc  : Loc.position
    }

module ILVar : VARIABLE with type t = var_info = struct
  type t = var_info
  let pretty fmt v = Format.fprintf fmt "%s" v.var_name
  let to_string v = v.var_name
  let compare v1 v2 = Pervasives.compare v1.var_uniq_tag v2.var_uniq_tag
  let equal v1 v2 = compare v1 v2 = 0
  let hash v = v.var_uniq_tag
end

module ILVarMap = Map.Make (ILVar)
module ILVarSet = Set.Make (ILVar)

(* translation targetted at very simple syntaxical analysis on paths,
   since effects of calls are not considered, and unspecified evaluation order
   is translated in parallel edges in the CFG *)

module type CFG_LANG_INTERNAL = sig
  type node_t
  type var_tt
  type intern_t = 
   | InternOperational
   | InternOperationalBwdSrc
   | InternOperationalBwdDest
   | InternStructural
   | InternLogical
   | InternLogicalScope
  type count_t = { mutable count : int }
  type lvalue_t = Assign | OpAssign | IncrDecr
  type write_t = 
      { 
	(* list of variables written variables in the loop *)
	write_vars : var_tt list; 
	(* list of pointers whose content is read in the loop *)
	read_under_pointers : var_tt list; 
	(* list of pointers whose content is modified in the loop *)
	write_under_pointers : var_tt list; 
      }
  type norm_node = 
      (* coding constructs *)
    | Nexpr of nexpr
      (* execution proceeds to next nodes only if test succeeds. 
	 Replaces [Nexpr] where a test controls the flow: if, loop (switch ?).
	 The [then] branch will be preceded by the normal test of [if], while
	 the [else] branch will be preceded by the negation of this test.
	 The same occurs for loops.
	 This kind of node is produced for analysis on the operational graph
	 only. In particular, the subsequent transformations on the underlying
	 code are not supposed to return a [Ntest] node from a [Ntest] node.
	 They can return simply a [Nexpr] node.
       *)
    | Ntest of nexpr 
    | Nlvalue of nexpr * lvalue_t
    | Nstat of nstatement
    | Ndecl of func_t

      (* logical constructs *)
    | Nspec of nspec
    | Nannot of nloop_annot
    | Nterm of nterm
    | Npred of npredicate
      (* Various logical constructs act as "assume": assume statement,
	 function precondition, call postcondition, etc.
	 Each of these may already be part of an enclosing logical or
	 coding construct, e.g. the function precondition is already part of
	 a specification. Then the same [Nassume] node is used both 
	 in the operational graph and as a sub-node of an enclosing node
	 in the logical or the structural graph, e.g. an [Nspec] node 
	 in the logical graph for the function precondition. *)
    | Nassume of npredicate
      (* loop assume invariant is a special kind of assume *)
    | Nassinv of npredicate * write_t
      (* function precondition is a special kind of assume *)
    | Npre of npredicate
      (* Various logical constructs act as "assert": assert statement,
	 loop invariant, function postcondition, call precondition, etc.
	 Each of these may already be part of an enclosing logical or
	 coding construct, e.g. the loop invariant is already part of
	 an annotation. Then the same [Nassert] node is used both 
	 in the operational graph and as a sub-node of an enclosing node
	 in the logical or the structural graph, e.g. an [Nannot] node 
	 in the logical graph for the loop invariant. *)
    | Nassert of npredicate
      (* loop invariant is a special kind of assert *)
    | Ninv of npredicate * write_t

      (* special constructs *)
      (* "forward" node used in both hierarchical graphs (structural + logical)
	 and in the operational graph so far. 
	 The element it carries defines which graph it is part of.
	 This is used when changing the graph as the result of an analysis. *)
    | Nintern of intern_t
      (* widening node added in the operational lattice, to allow unbounded
	 analyses to terminate. The integer is a counter initialized to 0 and
	 incremented each time a new abstract value is computed for this node.
	 Depending on the analysis, some widening may be performed on 
	 the abstract value if the counter is above some threshold. *)
    | Nwiden of count_t

    (* create a temporary node that will not be part of either graph. 
       In particular, it will not be possible to add edges from/to this node.
       This is convenient for nodes created during the transformation of
       the code, that only store intermediate results. *)
  val create_tmp_node : norm_node -> node_t

  val get_e : node_t -> nexpr
  val get_expr : node_t -> nexpr_node
  val get_s : node_t -> nstatement
  val get_stat : node_t -> nstatement_node
  val get_decl : node_t -> func_t
  val get_spec : node_t -> nspec
  val get_annot : node_t -> nloop_annot
  val get_t : node_t -> nterm
  val get_term : node_t -> Ctypes.ctype nterm_node
  val get_p : node_t -> npredicate
  val get_predicate : node_t -> Ctypes.ctype npredicate_node

    (* is this expression an assignment ? *)
  val sub_expr_is_assign : nexpr -> bool
    (* if the left-hand side of this assignment is a variable, return it *)
  val sub_assign_get_lhs_var : nexpr -> var_tt option
    (* remove casts on top of the expression *)
  val sub_skip_casts : nexpr -> nexpr

  val decode_decl_list : nexpr -> nexpr c_initializer
  val change_sub_components_in_stat : node_t -> node_t list -> node_t
  val change_sub_components_in_expr : node_t -> node_t list -> node_t
  val change_sub_components_in_term : node_t -> node_t list -> node_t
  val change_sub_components_in_pred : node_t -> node_t list -> node_t
  val change_sub_components : node_t -> node_t list -> node_t

end

module type CFG_LANG_EXTERNAL = sig

  include INTER_LANG with type ilvar_t = ILVar.t 
		     and type ilfun_t = fun_info
		     and type decl_t = func_t

  (* successors in both structural and logical graph *)

    (* list of successors in the structural graph, e.g.
       - list of operands of an operation
       - caller and arguments of a function call
       - list of statements in a block statement 
       ... *)
  val code_children : Node.t -> Node.t list (* order matters *)
    (* list of successors in the logical graph, e.g.
       - loop annotation of a loop
       - spec of block of code
       - invariant of a loop annotation
       - sub-predicate in an invariant
       - term in a predicate
       ... *)
  val logic_children : Node.t -> Node.t list (* order matters *)
    (* beginning of logical block
       Used for \old annotations and specifications. *)
  val logic_begin : Node.t -> Node.t
    (* end of logical block
       Used for annotations and specifications. *)
  val logic_end : Node.t -> Node.t
    (* associated invariant relation, that relates corresponding invariant and
       assume invariant nodes for a specific loop *)
  val logic_invariant : Node.t -> Node.t option
    (* is it the beginning or the end of a logical scope ? *)
  val is_logic_scope : Node.t -> bool  

  (* 11 kinds of nodes: 
     for code: expression/test/statement/declaration
     for logic: specification/loop annotation/term/predicate/assume/assert
     for internal use: internal
  *)
  type node_kind = 
    (* coding *)  | NKexpr | NKtest | NKlvalue | NKstat | NKdecl 
    (* logical *) | NKspec | NKannot | NKterm | NKpred | NKassume | NKassert 
    (* special *) | NKnone

  (* query functions *)

    (* returns the node's kind *)
  val get_node_kind : Node.t -> node_kind
    (* is this node a [Ninv] node for a loop invariant ? *)
  val is_invariant_node : Node.t -> bool
    (* is this node a [Nassinv] node for a loop invariant ? *)
  val is_assume_invariant_node : Node.t -> bool
    (* is this node a [Nintern InternOperationalBwdSrc] node
       for collecting values on the backward edge of a loop before
       merging with the upward value ? *)
  val is_loop_backward_source_node : Node.t -> bool
  (* put in INTER_LANG interface :
     is_loop_backward_destination_node : Node.t -> bool
  *)
    (* get the list of variables modified in this loop *) 
  val get_loop_write_vars : Node.t -> ilvar_t list
    (* get the list of pointers whose content is read in this loop *) 
  val get_loop_read_under_pointers : Node.t -> ilvar_t list
    (* get the list of pointers whose content is modified in this loop *) 
  val get_loop_write_under_pointers : Node.t -> ilvar_t list
    (* returns the function's parameters *)
  val decl_get_params : Node.t -> ilvar_t list
    (* is it a return statement ? *)
  val stat_is_return : Node.t -> bool
    (* is it an assert statement ? *)
  val stat_is_assert : Node.t -> bool
    (* is it a loop statement ? *)
  val stat_is_loop : Node.t -> bool
    (* is it an if statement ? *)
  val stat_is_if : Node.t -> bool
    (* is it a spec statement ? *)
  val stat_is_spec : Node.t -> bool
    (* is it a label statement ? *)
  val stat_is_label : Node.t -> bool
    (* is it a declaration statement ? *)
  val stat_is_decl : Node.t -> bool
    (* get the label associated with this label statement *)
  val stat_get_label : Node.t -> string
    (* is it a jump statement ? *)
  val stat_is_jump : Node.t -> bool
    (* is it a block statement ? *)
  val stat_is_block : Node.t -> bool
    (* is it a no-op statement ? *)
  val stat_is_nop : Node.t -> bool
    (* get the variable associated with this declaration statement *)
  val decl_stat_get_var : Node.t -> ilvar_t
    (* get the next statement of this declaration statement *)
  val decl_stat_get_next : Node.t -> Node.t
    (* is this expression a -local- variable ? *)
  val expr_is_local_var : Node.t -> bool
    (* returns the variable in this term/expression over a variable *)
  val termexpr_var_get : Node.t -> ilvar_t
    (* is this expression an integer constant ? *)
  val expr_is_int_constant : Node.t -> bool
    (* returns the integer in this expression over an integer constant *)
  val expr_int_constant_get : Node.t -> int
    (* is this expression an assignment ? *)
  val expr_is_assign : Node.t -> bool
    (* get the right operand of this assignment (maybe the ony one, in case of
       an increment/decrement *)
  val assign_get_rhs_operand : Node.t -> Node.t
    (* get the left operand of this assignment (maybe the ony one, in case of
       an increment/decrement *)
  val assign_get_lhs_operand : Node.t -> Node.t
    (* is this a local variable ? *)
  val var_is_local : ilvar_t -> bool
    (* is this variable an integer ? *)
  val var_is_integer : ilvar_t -> bool
    (* is the type of this expression an integer type ? *)
  val expr_type_is_int : Node.t -> bool
    (* is the type of this expression a character type ? *)
  val expr_type_is_char : Node.t -> bool
    (* is this expression an integer assignment ? *)
  val expr_is_int_assign : Node.t -> bool
    (* is this variable a pointer ? *)
  val var_is_pointer : ilvar_t -> bool
    (* is the type of this expression a pointer type ? *)
  val expr_type_is_ptr : Node.t -> bool
    (* remove casts on top of the expression *)
  val skip_casts : Node.t -> Node.t
    (* is this term/expression a -local- variable ? *)
  val termexpr_is_local_var : Node.t -> bool
    (* is this expression a pointer assignment ? *)
  val expr_is_ptr_assign : Node.t -> bool
    (* if the left-hand side of this assignment is a -local- variable, 
       return it *)
  val assign_get_local_lhs_var : Node.t -> ilvar_t option
    (* is this expression a dereference ? *)
  val expr_is_deref : Node.t -> bool
    (* get the variable and the offset dereferenced, if any *)
  val deref_get_variable_and_offset : 
      Node.t -> (ilvar_t * Node.t option) option
    (* if the dereferenced expression is a -local- variable, return it *)
  val deref_get_local_var : Node.t -> ilvar_t option
    (* is this expression a call ? *)
  val expr_is_call : Node.t -> bool
    (* get the function called, if any *)
  val call_get_function : Node.t -> ilfun_t option
    (* get the arguments for the call, if any *)
  val call_get_args : Node.t -> Node.t list
    (* get precondition for function *)
  val function_get_precondition : ilfun_t -> Node.t option
    (* get parameters for function *)
  val function_get_params : ilfun_t -> ilvar_t list
    (* is this term/predicate an \old one ? *)
  val termpred_is_old : Node.t -> bool
    (* is this term/predicate an \at one ? *)
  val termpred_is_at : Node.t -> bool
    (* get the label associated with this \at term/predicate *)
  val termpred_get_label : Node.t -> string

  (* constructors.
     - [make_] functions operate directly on their arguments.
     - [change_] functions take a first node as context, and operate on 
     other arguments.
  *)

    (* create a new sequence expression node *)
  val make_seq_expr : Node.t -> Node.t -> Node.t
    (* create a new node expression + constant *)
  val make_int_expr_add_cst : Node.t -> int -> Node.t
    (* create a new node expression + variable *)
  val make_int_expr_add_var : Node.t -> ilvar_t -> Node.t
    (* create a new node term/expression + term/expression *)
  val make_int_termexpr_add_termexpr : Node.t -> Node.t -> Node.t
    (* create a new declaration statement for the variable, with the given
       statement as next statement *)
  val make_var_decl : Node.t -> ilvar_t -> Node.t
    (* create a new block statement node *)
  val make_seq_stat : Node.t -> Node.t -> Node.t
    (* make this node be an integer constant to be added to some pointer *)
  val change_in_int_offset_cst : Node.t -> int -> Node.t
    (* make this node be an assignment variable = constant *)
  val change_in_int_var_assign_cst : Node.t -> ilvar_t -> int -> Node.t
    (* make this node be an assignment variable = variable *)
  val change_in_int_var_assign_var : Node.t -> ilvar_t -> ilvar_t -> Node.t
    (* make this node be an assignment variable = expression *)
  val change_in_int_var_assign_expr : Node.t -> ilvar_t -> Node.t -> Node.t
    (* change the structural sub-components of this node *)
  val change_sub_components : Node.t -> Node.t list -> Node.t 

  (* language interface *)
  (* returns the list of roots *)
  val from_file : decl_t list -> (Node.t * Node.t) list
  val to_file : Node.t list -> decl_t list
    (* collect variables used and declared in the code *)
  val collect_vars : unit -> ILVarSet.t * ILVarSet.t
end

module CFGLangFromNormalized : sig
  include CFG_LANG_EXTERNAL
  include CFG_LANG_INTERNAL with type node_t = Node.t and type var_tt = ILVar.t
end = struct
  
  type var_tt = ILVar.t
  type ilvar_t = ILVar.t
  type ilfun_t = fun_info
  type decl_t = func_t

  type node_kind = 
    (* coding *)  | NKexpr | NKtest | NKlvalue | NKstat | NKdecl 
    (* logical *) | NKspec | NKannot | NKterm | NKpred | NKassume | NKassert 
    (* special *) | NKnone

  (* special node [Nintern] used for special purposes:
     - during construction to reference future nodes
     - to translate [switch] into appropriate structural tree
     - in loops to create a destination node for back edge
     ...
     It carries an element of type [intern_t] that defines which graph
     it is part of.
  *)
  type intern_t = 
   | InternOperational
   | InternOperationalBwdSrc
   | InternOperationalBwdDest
   | InternStructural
   | InternLogical
   | InternLogicalScope

  type count_t = { mutable count : int }
  type lvalue_t = Assign | OpAssign | IncrDecr
  type write_t = 
      { write_vars : ILVar.t list; 
	read_under_pointers : ILVar.t list;
	write_under_pointers : ILVar.t list; }

  let w_empty = { write_vars = []; 
		  read_under_pointers = [];
		  write_under_pointers = []; }

  type norm_node = 
      (* coding constructs *)
    | Nexpr of nexpr
    | Ntest of nexpr 
    | Nlvalue of nexpr * lvalue_t
    | Nstat of nstatement
    | Ndecl of func_t
      (* logical constructs *)
    | Nspec of nspec
    | Nannot of nloop_annot
    | Nterm of nterm
    | Npred of npredicate
    | Nassume of npredicate
    | Nassinv of npredicate * write_t
    | Npre of npredicate
    | Nassert of npredicate
    | Ninv of npredicate * write_t
      (* special constructs *)
    | Nintern of intern_t
    | Nwiden of count_t

  (* type of labels on edges in the CFG *)
  module NodeRelation = struct
    type t =
      | OperationalFwd  (* forward edge in the operational graph *)
      | OperationalBwd  (* backward edge in the operational graph *)
      | StructuralDown  (* edge to first sub-node in the structural graph *)
      | StructuralSame  (* other edges in the structural graph *)
      | LogicalDown     (* edge to first sub-node in the logical graph *)
      | LogicalSame     (* other edges in the logical graph *)
      | LogicScopeBegin (* edge to first node in logical block *)
      | LogicScopeEnd   (* edge to last node in logical block *)
      | LogicInvariant  (* edge to relate invariant and assume invariant *)
    (* arbitrary index to provide total ordering *)
    let index r = match r with
      | OperationalFwd  -> 0
      | OperationalBwd  -> 1
      | StructuralDown  -> 2
      | StructuralSame  -> 3
      | LogicalDown     -> 4
      | LogicalSame     -> 5
      | LogicScopeBegin -> 6
      | LogicScopeEnd   -> 7
      | LogicInvariant  -> 8
    let compare r1 r2 = Pervasives.compare (index r1) (index r2)
    (* if not stated otherwise, an edge is a forward operational one *)
    let default = OperationalFwd
  end

  (* We use here an abstract imperative labeled graph.
     Labels are of 4 kinds :
         - operational labels form a graph that respects evaluation order,
     to facilitate dataflow analysis
         - structural labels form a graph that respects the hierarchical order
     between expressions and statements, e.g. with [StructuralDown] labels from
     an expression to its first sub-expression, and [StructuralSame] label 
     from a sub-expression to the next sub-expression at the same level.
         - logical labels form a graph similar to the structural graph, except
     it is used for logical properties on the code instead of the code itself.
         - logical scope labels decorate some nodes in the structural or
     logical graph with information on the beginning and end of their logical
     scope. This is used to interpret correctly the logical annotations.

     Beware that since the operational graph is used for dataflow analysis 
     computation, the action associated to the node will be repeated when
     going through this node in the graph. This makes it necessary sometimes
     to create internal nodes whose sole purpose is to connect parts of 
     the graph with no associated action.
     It may be also necessary to create such internal nodes in the structural
     or logical graph, in order to encode/decode more easily the underlying
     structural/logical constructs.
  *)

  module Self = 
    Graph.Imperative.Digraph.AbstractLabeled
      (struct type t = norm_node end) (NodeRelation)
  module Node = struct
    include Self.V
    let pretty fmt n =
      match label n with
      | Nexpr e -> Cprint.nexpr fmt e
      | Ntest e -> Cprint.nexpr fmt e
      | Nlvalue (e,_) -> Cprint.nexpr fmt e
      | Nstat s -> 
	  begin match s.nst_node with
	    | NSnop -> Format.fprintf fmt "NSnop"
	    | NSassert _ -> Format.fprintf fmt "NSassert"
	    | NSassume _ -> Format.fprintf fmt "NSassume"
	    | NSlogic_label _ -> Format.fprintf fmt "NSlogic_label"
	    | NSexpr e -> Format.fprintf fmt "NSexpr(%a)" Cprint.nexpr e 
	    | NSif (_e,_s1,_s2) -> Format.fprintf fmt "NSif"
	    | NSwhile (_annot,_e,_s1) -> Format.fprintf fmt "NSwhile"
	    | NSdowhile (_annot,_s1,_e) -> Format.fprintf fmt "NSdowhile"
	    | NSfor (_annot,_einit,_etest,_eincr,_s1) -> Format.fprintf fmt "NSfor"
	    | NSblock _sl -> Format.fprintf fmt "NSblock"
	    | NSreturn None -> Format.fprintf fmt "NSreturn"
	    | NSreturn (Some _e) -> Format.fprintf fmt "NSreturn" 
	    | NSbreak -> Format.fprintf fmt "NSbreak"
	    | NScontinue -> Format.fprintf fmt "NScontinue" 
	    | NSgoto _ -> Format.fprintf fmt "NSgoto"
	    | NSlabel (_str,_s1) -> Format.fprintf fmt "NSlabel"
	    | NSspec (_spec,_s1) -> Format.fprintf fmt "NSspec"
	    | NSdecl (_typ,_var,None,_s1) -> Format.fprintf fmt "NSdecl"
	    | NSdecl (_typ,_var,Some _cinit,_s1) -> Format.fprintf fmt "NSdecl"
	    | NSswitch (_e,_c,_cases) -> Format.fprintf fmt "NSswitch" 
	  end
      | Ndecl _ -> Format.fprintf fmt "Ndecl"
      | Nspec _ -> Format.fprintf fmt "Nspec"
      | Nannot _ -> Format.fprintf fmt "Nannot"
      | Nterm t -> Cprint.nterm fmt t
      | Npred p -> Cprint.npredicate fmt p
      | Nassume _ -> Format.fprintf fmt "Nassume"
      | Nassinv _ -> Format.fprintf fmt "Nassinv"
      | Npre _ -> Format.fprintf fmt "Npre"
      | Nassert _ -> Format.fprintf fmt "Nassert"
      | Ninv _ -> Format.fprintf fmt "Ninv"
      | Nintern fk -> 
          begin match fk with
            | InternOperational -> 
		Format.fprintf fmt "Nintern(InternOperational)"
            | InternOperationalBwdSrc -> 
		Format.fprintf fmt "Nintern(InternOperationalBwdSrc)"
            | InternOperationalBwdDest -> 
		Format.fprintf fmt "Nintern(InternOperationalBwdDest)"
            | InternStructural ->
		Format.fprintf fmt "Nintern(InternStructural)"
            | InternLogical ->
		Format.fprintf fmt "Nintern(InternLogical)"
            | InternLogicalScope ->
		Format.fprintf fmt "Nintern(InternLogicalScope)"
          end
      | Nwiden c -> Format.fprintf fmt "Nwiden(%d)" c.count
  end
  module Edge = Self.E

  module NodeSet = Set.Make (Node)
  module NodeMap = Map.Make (Node)
    (* It is necessary to make it a hash-table based on [Node.equal] and
       [Node.hash], otherwise mutated nodes (e.g. the invariant node with
       its mutable field) are not recognized equal. *)
  module NodeHash = struct

    include Hashtbl.Make (Node)

    let find_both analysis node =
      try 
	match find analysis node with
	| Fst v -> Some v,None
	| Snd v -> None,Some v
	| Both (v1,v2) -> Some v1,Some v2
      with Not_found -> None,None
    let find_pre analysis node = fst (find_both analysis node)
    let find_post analysis node = snd (find_both analysis node)

    let replace_both analysis node v1 v2 = 
      replace analysis node (Both (v1,v2))
    let replace_pre analysis node v1 =
      match find_post analysis node with
      | None -> replace analysis node (Fst v1)
      | Some v2 -> replace analysis node (Both (v1,v2))
    let replace_post analysis node v2 =
      match find_pre analysis node with
      | None -> replace analysis node (Snd v2)
      | Some v1 -> replace analysis node (Both (v1,v2))

    let remove_both = remove
    let remove_pre analysis node =
      match find_post analysis node with
	| None -> remove analysis node
	| Some v -> remove analysis node; replace_post analysis node v
    let remove_post analysis node =
      match find_pre analysis node with
	| None -> remove analysis node
	| Some v -> remove analysis node; replace_pre analysis node v

    let iter_both f analysis =
      iter (fun node v -> match v with
	      | Fst v -> f node (Some v) None
	      | Snd v -> f node None (Some v)
	      | Both (v1,v2) -> f node (Some v1) (Some v2)
	   ) analysis
    let iter_pre f analysis =
      iter (fun node v -> match v with
	      | Fst v -> f node v
	      | Snd _v -> ()
	      | Both (v1,_v2) -> f node v1
	   ) analysis
    let iter_post f analysis =
      iter (fun node v -> match v with
	      | Fst _v -> ()
	      | Snd v -> f node v
	      | Both (_v1,v2) -> f node v2
	   ) analysis
	
    let fold_both f analysis init =
      fold (fun node v acc -> match v with
	      | Fst v -> f node (Some v) None acc
	      | Snd v -> f node None (Some v) acc
	      | Both (v1,v2) -> f node (Some v1) (Some v2) acc
	   ) analysis init
    let fold_pre f analysis init =
      fold (fun node v acc -> match v with
	      | Fst v -> f node v acc
	      | Snd _v -> acc
	      | Both (v1,_v2) -> f node v1 acc
	   ) analysis init
    let fold_post f analysis init =
      fold (fun node v acc -> match v with
	      | Fst _v -> acc
	      | Snd v -> f node v acc
	      | Both (_v1,v2) -> f node v2 acc
	   ) analysis init
  end

  let internal_graph = ref None
  let graph () = match !internal_graph with
  | None -> failwith "attempting to access graph before creation"
  | Some g -> g

    (* add a node *)
  type node_t = Node.t
  let add_vertex node = Self.add_vertex (graph ()) node
  let create_tmp_node node = Node.create node
    (* create a node and add it to the graph *)
  let create_node node = 
    let node = create_tmp_node node in
    add_vertex node; 
    node

  (* shortcut query functions *)

  let get_node_kind node =
    match Node.label node with
      | Nexpr _   -> NKexpr
      | Ntest _   -> NKtest
      | Nlvalue _ -> NKlvalue
      | Nstat _   -> NKstat
      | Ndecl _   -> NKdecl
      | Nspec _   -> NKspec
      | Nannot _  -> NKannot
      | Nterm _   -> NKterm
      | Npred _   -> NKpred
        (* [Npre] and [Nassinv] are special cases of [Nassume] *)
      | Nassume _ -> NKassume
      | Nassinv _ -> NKassume
      | Npre    _ -> NKassume
        (* [Ninv] is a special case of [Nassert] *)
      | Nassert _ -> NKassert
      | Ninv _    -> NKassert
        (* both forward and widening nodes belong to 
	   the "default" kind [NKnone] *)
      | Nintern _    -> NKnone
      | Nwiden _  -> NKnone

  let get_e node = 
    match Node.label node with
      | Nexpr e -> e
      | Ntest e -> e
      | Nlvalue (e,_) -> e
      | _ -> failwith "[get_e] should be called only on expression or test"
  let get_expr node = (get_e node).nexpr_node

  let get_s node = 
    match Node.label node with
      | Nstat s -> s
      | _ -> failwith "[get_s] should be called only on statement"
  let get_stat node = (get_s node).nst_node

  let get_decl node = 
    match Node.label node with
      | Ndecl d -> d
      | _ -> failwith "[get_decl] should be called only on declaration"

  let get_spec node = 
    match Node.label node with
      | Nspec s -> s
      | _ -> failwith "[get_spec] should be called only on specification"
	  
  let get_annot node = 
    match Node.label node with
      | Nannot a -> a
      | _ -> failwith "[get_annot] should be called only on loop annotation"

  let get_t node = 
    match Node.label node with
      | Nterm t -> t
      | _ -> failwith "[get_t] should be called only on term"
  let get_term node = (get_t node).nterm_node

  let get_p node = 
    match Node.label node with
      | Npred p | Nassume p | Nassinv (p,_) 
      | Npre p | Nassert p | Ninv (p,_) 
	-> p
      | _ -> failwith "[get_p] should be called only on predicate"
  let get_predicate node = (get_p node).npred_node

  let fwd_is_structural node = match Node.label node with
    | Nintern InternStructural -> true
    | Nintern _ -> false
    | _ -> failwith "[fwd_is_structural] should be called only on forward node"
  let fwd_is_logical node = match Node.label node with
    | Nintern InternLogical -> true
    | Nintern _ -> false
    | _ -> failwith "[fwd_is_logical] should be called only on forward node"

  let is_invariant_node node = match Node.label node with
    | Ninv _ -> true
    | _ -> false

  let is_assume_invariant_node node = match Node.label node with
    | Nassinv _ -> true
    | _ -> false

  let is_loop_backward_source_node node = match Node.label node with
    | Nintern InternOperationalBwdSrc -> true
    | _ -> false

  let is_loop_backward_destination_node node = match Node.label node with
    | Nintern InternOperationalBwdDest -> true
    | _ -> false

  let get_loop_write_vars node = match Node.label node with
    | Ninv (_,w) | Nassinv (_,w) -> w.write_vars
    | _ -> assert false

  let get_loop_read_under_pointers node = match Node.label node with
    | Ninv (_,w) | Nassinv (_,w) -> w.read_under_pointers
    | _ -> assert false

  let get_loop_write_under_pointers node = match Node.label node with
    | Ninv (_,w) | Nassinv (_,w) -> w.write_under_pointers
    | _ -> assert false

  let is_function_precondition_node node = match Node.label node with
    | Npre _ -> true
    | _ -> false

  let is_widening_node node = match Node.label node with
    | Nwiden _ -> true
    | _ -> false

  let get_widening_count node =
    match Node.label node with
      | Nwiden c -> c.count
      | _ -> failwith "[get_counter] should be called only on widening node"

  let incr_widening_count node =
    match Node.label node with
      | Nwiden c -> c.count <- c.count + 1
      | _ -> failwith ("[incr_widening_count] should be called only"
		       ^ " on widening node")

  let reset_widening_count node =
    match Node.label node with
      | Nwiden c -> c.count <- 0
      | _ -> failwith ("[reset_widening_count] should be called only"
		       ^ " on widening node")

  (* more elaborate query functions related to pointer usage *)

  let is_pointer_type ctyp = match ctyp.Ctypes.ctype_node with
    | Ctypes.Tvar _ -> 
	assert false (* not allowed in code *)
    | Ctypes.Tarray _ | Ctypes.Tpointer _ -> 
	true
    | Ctypes.Tvoid | Ctypes.Tint _ | Ctypes.Tfloat _ | Ctypes.Tfun _ 
    | Ctypes.Tstruct _ | Ctypes.Tunion _ | Ctypes.Tenum _ ->
	false

  let var_is_local var =
    not var.var_is_static

  let is_integer_type ctyp = match ctyp.Ctypes.ctype_node with
    | Ctypes.Tvar _ -> 
	assert false (* not allowed in code *)
    | Ctypes.Tint _ | Ctypes.Tenum _ ->
	true
    | Ctypes.Tarray _ | Ctypes.Tpointer _ 
    | Ctypes.Tvoid | Ctypes.Tfloat _ | Ctypes.Tfun _ 
    | Ctypes.Tstruct _ | Ctypes.Tunion _ ->
	false

  let is_character_type ctyp = match ctyp.Ctypes.ctype_node with
    | Ctypes.Tvar _ -> 
	assert false (* not allowed in code *)
    | Ctypes.Tint (_,Ctypes.Char) ->
	true
    | Ctypes.Tint _ | Ctypes.Tenum _ ->
	false
    | Ctypes.Tarray _ | Ctypes.Tpointer _ 
    | Ctypes.Tvoid | Ctypes.Tfloat _ | Ctypes.Tfun _ 
    | Ctypes.Tstruct _ | Ctypes.Tunion _ ->
	false

  let var_is_integer var = is_integer_type var.var_type
  let sub_expr_type_is_int e = is_integer_type e.nexpr_type
  let expr_type_is_int node = sub_expr_type_is_int (get_e node)

  let sub_expr_type_is_char e = is_character_type e.nexpr_type
  let expr_type_is_char node = sub_expr_type_is_char (get_e node)

  let is_pointer_type ctyp = match ctyp.Ctypes.ctype_node with
    | Ctypes.Tvar _ -> 
	assert false (* not allowed in code *)
    | Ctypes.Tarray _ | Ctypes.Tpointer _ -> 
	true
    | Ctypes.Tvoid | Ctypes.Tint _ | Ctypes.Tfloat _ | Ctypes.Tfun _ 
    | Ctypes.Tstruct _ | Ctypes.Tunion _ | Ctypes.Tenum _ ->
	false

  let var_is_pointer var = is_pointer_type var.var_type
  let sub_expr_type_is_ptr e = is_pointer_type e.nexpr_type
  let expr_type_is_ptr node = sub_expr_type_is_ptr (get_e node)

  let rec sub_skip_casts e = match e.nexpr_node with
    | NEcast (_,e1) -> sub_skip_casts e1
    | NEunary ((Ufloat_of_int | Uint_of_float
	       | Ufloat_conversion | Uint_conversion),e1) -> sub_skip_casts e1
    | _ -> e
    
  let skip_casts node = 
    let e = get_e node in
    let new_e = sub_skip_casts e in
    create_tmp_node (Nexpr new_e)

  let termexpr_is_local_var node =
    match get_node_kind node with
      | NKexpr | NKtest | NKlvalue -> 
	  begin match get_expr node with
	    | NEvar (Var_info var) -> var_is_local var
	    | _ -> false
	  end
      | NKterm ->
	  begin match get_term node with
	    | NTvar var -> var_is_local var
	    | _ -> false
	  end
      | _ -> assert false

  let termpred_is_old node = 
    match get_node_kind node with
      | NKpred | NKassume | NKassert -> 
	  begin match get_predicate node with
	    | NPold _ -> true
	    | _ -> false
	  end
      | NKterm ->
	  begin match get_term node with
	    | NTold _ -> true
	    | _ -> false
	  end
      | _ -> false

  let termpred_is_at node = 
    match get_node_kind node with
      | NKpred | NKassume | NKassert -> 
	  begin match get_predicate node with
	    | NPat _ -> true
	    | _ -> false
	  end
      | NKterm ->
	  begin match get_term node with
	    | NTat _ -> true
	    | _ -> false
	  end
      | _ -> false

  let termpred_get_label node = 
    match get_node_kind node with
      | NKpred | NKassume | NKassert -> 
	  begin match get_predicate node with
	    | NPat (_,lab) -> lab
	    | _ -> assert false
	  end
      | NKterm ->
	  begin match get_term node with
	    | NTat (_,lab) -> lab
	    | _ -> assert false
	  end
      | _ -> assert false

  let decl_get_params node =
    (get_decl node).f.args

  let stat_is_return node =
    match get_stat node with NSreturn _ -> true | _ -> false

  let stat_is_assert node =
    match get_stat node with NSassert _ -> true | _ -> false

  let stat_is_loop node = match get_stat node with 
      | NSwhile _ | NSdowhile _ | NSfor _ -> true | _ -> false

  let stat_is_if node = 
      match get_stat node with NSif _ -> true | _ -> false

  let stat_is_spec node =
    match get_stat node with NSspec _ -> true | _ -> false

  let stat_is_label node =
    match get_stat node with NSlabel _ | NSlogic_label _ -> true | _ -> false

  let stat_is_decl node =
    match get_stat node with NSdecl _ -> true | _ -> false

  let stat_get_label node =
    match get_stat node with 
      | NSlabel (lab,_) -> lab.label_info_name 
      | NSlogic_label lab -> lab
      | _ -> assert false

  let stat_is_jump node = match get_stat node with
    | NSreturn _ | NSbreak | NScontinue | NSgoto _ -> 
	true
    | NSnop | NSassert _ | NSassume _ | NSlogic_label _ | NSexpr _ 
    | NSif _ | NSwhile _ | NSdowhile _ | NSfor _ | NSblock _ 
    | NSlabel _ | NSspec _ | NSdecl _ | NSswitch _ ->
	false

  let stat_is_block node = 
    match get_stat node with NSblock _ -> true | _ -> false

  let stat_is_nop node =
    match get_stat node with NSnop -> true | _ -> false

  let decl_stat_get_var node =
    match get_stat node with NSdecl (_,var,_,_) -> var | _ -> assert false

  let decl_stat_get_next node =
    match get_stat node with 
      | NSdecl (_,_,_,ns) -> 
	  create_tmp_node (Nstat ns)
      | _ -> assert false
	  
  let expr_is_local_var node = match get_expr node with
    | NEvar (Var_info var) -> var_is_local var
    | _ -> false

  let termexpr_var_get node =
    match get_node_kind node with
      | NKexpr | NKtest | NKlvalue -> 
	  begin match get_expr node with
	    | NEvar (Var_info var) -> var
	    | _ -> assert false
	  end
      | NKterm ->
	  begin match get_term node with
	    | NTvar var -> var
	    | _ -> assert false
	  end
      | _ -> assert false

  let expr_is_int_constant node = match get_expr node with
    | NEconstant (IntConstant s) ->
	begin 
	  try ignore(int_of_string s); true 
	  with Failure "int_of_string" -> false
	end
    | _ -> false

  let expr_int_constant_get node = match get_expr node with
    | NEconstant (IntConstant s) -> 
	begin 
	  try int_of_string s
	  with Failure "int_of_string" -> assert false
	end
    | _ -> assert false

  let expr_is_deref node = match get_expr node with
    | NEarrow _ | NEunary (Ustar,_) -> true
    | _ -> false

  let expr_is_call node = match get_expr node with
    | NEcall _ -> true
    | _ -> false

  let call_get_function node = match get_expr node with
    | NEcall { ncall_fun = fe } -> 
	begin match fe.nexpr_node with
	  | NEvar (Fun_info f) -> Some f
	  | _ -> None
	end
    | _ -> assert false

  let call_get_args node = match get_expr node with
    | NEcall { ncall_args = el } -> 
	List.map (fun e -> create_tmp_node (Nexpr e)) el
    | _ -> assert false

  let function_get_precondition func =
    let func_name = func.fun_name in
    try
      let (spec,_,_,_,_) = Hashtbl.find Cenv.c_functions func_name in
      begin match spec.requires with
	| None -> None
	| Some p -> Some (create_tmp_node (Npred p))
      end
    with Not_found -> None

  let function_get_params func =
    let func_name = func.fun_name in
    try
      let (_,_,f,_,_) = Hashtbl.find Cenv.c_functions func_name in
      f.args
    with Not_found -> []

  let array_and_pointer_types_match arr_typ ptr_typ =
    match arr_typ.Ctypes.ctype_node,ptr_typ.Ctypes.ctype_node with
    | Ctypes.Tarray (avalid,atyp,_),Ctypes.Tpointer (pvalid,ptyp) ->
	avalid = pvalid && (atyp = ptyp)
    | _ -> false

  let change_in_int_offset_cst node index =
    let e = get_e node in
    let cst_e = NEconstant (IntConstant (string_of_int index)) in
    let cst_e = { e with nexpr_node = cst_e; nexpr_type = int_offset_type } in
    create_tmp_node (Nexpr cst_e)

  let deref_get_variable_and_offset node = match get_expr node with
    | NEarrow (e1,_,_) | NEunary (Ustar,e1) -> 
	(* exhaustive case analysis needed here, in order to 
	   guarantee no dereference can be missed *)
	let rec destruct e = match e.nexpr_node with
	    (* dereference from some variable [v] *)
	  | NEvar (Var_info v) -> Some (v,None)
	  | NEcast (typ,e1) ->
	      begin match destruct e1 with
	        | None -> None
		| Some (v,off) ->
		    if array_and_pointer_types_match v.var_type typ then
		      Some (v,off)
		    else None
	      end
	  | NEbinary (e1,Badd_pointer_int,_) | NEincr (_,e1) ->
	      let e2opt = match e.nexpr_node with
		| NEbinary (_,_,e2) -> Some e2
		| NEincr ((Upostfix_inc | Upostfix_dec),_) -> None
		| NEincr (Uprefix_inc,_) ->
		    Some (get_e (change_in_int_offset_cst node 1))
		| NEincr (Uprefix_dec,_) ->
		    Some (get_e (change_in_int_offset_cst node (-1)))
		| _ -> assert false
	      in		    
	      begin match destruct e1 with
	        | None -> None
		| Some (v,None) -> Some (v,e2opt)
		| Some (v,Some off) as e1destr ->
		    begin match e2opt with
		      | None -> e1destr
		      | Some e2 ->
			  let new_off = NEbinary (off,int_offset_addop,e2) in
			  let new_off = { off with nexpr_node = new_off } in
			  Some (v,Some new_off)
		    end
	      end
	    (* not a dereference from a variable *)
	  | NEarrow _ | NEunary (Ustar,_) | NEcall _ -> None
	    (* other cases should not be possible *)
	  | _ -> assert false
	in
	(* return a node as offset *)
	begin match destruct e1 with
	  | None -> None
	  | Some (v,None) -> Some (v,None)
	  | Some (v,Some e) -> Some (v,Some (create_tmp_node (Nexpr e)))
	end
    | _ -> assert false

  let deref_get_local_var node =
    match deref_get_variable_and_offset node with
      | None -> None
      | Some (var,_) -> if var_is_local var then Some var else None
    
  let sub_expr_is_assign e = match e.nexpr_node with
    | NEincr (_,_e1) | NEassign (_e1,_) | NEassign_op (_e1,_,_) -> true
    | _ -> false      
	  
  let expr_is_assign node = 
    sub_expr_is_assign (get_e node)

  let sub_expr_is_int_assign e =
    sub_expr_is_assign e && (sub_expr_type_is_int e)
	
  let expr_is_int_assign node =
    sub_expr_is_int_assign (get_e node)

  let sub_expr_is_ptr_assign e =
    sub_expr_is_assign e && (sub_expr_type_is_ptr e)
    
  let expr_is_ptr_assign node =
    sub_expr_is_ptr_assign (get_e node)

  let assign_get_rhs_operand node = match (get_expr node) with
    | NEincr (_,e2) | NEassign (_,e2) ->
	create_tmp_node (Nexpr e2)
    | NEassign_op (e1,op,e2) -> 
	let rhs_e = NEbinary (e1,op,e2) in
	let rhs_e = { e1 with nexpr_node = rhs_e } in
	create_tmp_node (Nexpr rhs_e)
    | _ -> assert false

  let assign_get_lhs_operand node = match (get_expr node) with
    | NEincr (_,e1) | NEassign (e1,_) | NEassign_op (e1,_,_) -> 
	create_tmp_node (Nexpr e1)
    | _ -> assert false

  let sub_assign_get_lhs_var e = match e.nexpr_node with
    | NEincr (_,e1) | NEassign (e1,_) | NEassign_op (e1,_,_) ->
	begin
	  (* exhaustive case analysis needed here, in order to 
	     guarantee no assignment can be missed *)
	  match e1.nexpr_node with
	      (* cast not allowed here for the moment, it is checked
		 and error possibly reported in an earlier stage *)
	    | NEcast _ -> assert false
		(* not an assignment to a variable *)
	    | NEarrow _ | NEunary (Ustar,_) -> None
		(* assignment to some variable [var] *)
	    | NEvar (Var_info var) -> Some var
		(* other cases should not be possible *)
	    | _ -> assert false
	end
    | _ -> failwith ("[sub_assign_get_lhs_var] should be called"
		     ^ " only on assignment")

  let assign_get_lhs_var node =
    sub_assign_get_lhs_var (get_e node)

  let assign_get_local_lhs_var node =
    match assign_get_lhs_var node with
      | None -> None
      | Some var -> if var_is_local var then Some var else None

  (* construction of the graph(s), i.e. operational + structural *)

  (* [successors n] returns the operational successors of node [n] 
     for the dataflow analysis. Only [OperationalFwd] and [OperationalBwd]
     labels should be taken into account. 
     It is also the case for [predecessors]. *)
  let successors ?(ignore_looping=false) n = 
    let el = Self.succ_e (graph ()) n in
    let el = List.filter 
	(fun e -> 
	  Edge.label e = NodeRelation.OperationalFwd
	  || ((not ignore_looping)
              && (Edge.label e = NodeRelation.OperationalBwd))
        ) el in
    List.map Edge.dst el

  let predecessors ?(ignore_looping=false) n =
    let el = Self.pred_e (graph ()) n in
    let el = List.filter 
	(fun e -> 
	  Edge.label e = NodeRelation.OperationalFwd
	  || ((not ignore_looping)
              && (Edge.label e = NodeRelation.OperationalBwd))
        ) el in
    List.map Edge.src el

  let looping_source n =
    assert (is_loop_backward_destination_node n);
    let pl = predecessors n in
    let pl = List.filter is_loop_backward_source_node pl in
    match pl with
      | [sn] -> sn
      | _ -> assert false

  (* hierarchical successors. Used for structural and logical successors. *)
  let succ edge n = 
    let el = Self.succ_e (graph ()) n in
    let el = List.filter (fun e -> Edge.label e = edge) el in
    match List.map Edge.dst el with
      | [] -> None
      | [a] -> Some a
      | _ -> failwith ("[succ edge n] should find at most one successor"
		       ^ " for node [n]")
  (* hierarchical predecessors. Used for logical scopes. *)
  let has_pred edge n = 
    let el = Self.pred_e (graph ()) n in
    let el = List.filter (fun e -> Edge.label e = edge) el in
    match List.map Edge.src el with
      | [] -> false
      | _ -> true

  let child ?(structural=false) ?(logical=false) n = 
    if structural then
      succ NodeRelation.StructuralDown n
    else if logical then
      succ NodeRelation.LogicalDown n
    else (* no graph was specified, it is an error *)
      assert false
  let sibling ?(structural=false) ?(logical=false) n = 
    if structural then
      succ NodeRelation.StructuralSame n
    else if logical then 
      succ NodeRelation.LogicalSame n
    else (* no graph was specified, it is an error *)
      assert false
  let rec siblings ?(structural=false) ?(logical=false) n =
    match sibling ~structural ~logical n with
      | None -> []
      | Some m -> m :: (siblings ~structural ~logical m)
  let children ?(structural=false) ?(logical=false) n =
    match child ~structural ~logical n with
      | None -> []
      | Some m -> m :: (siblings ~structural ~logical m)

  (* structural successors. Only [StructuralDown] and [StructuralSame]
     labels should be taken into account. *)
  let code_children = children ~structural:true ~logical:false

  (* logical successors. Only [LogicalDown] and [LogicalSame]
     labels should be taken into account. *)
  let logic_children = children ~structural:false ~logical:true

  let logic_begin n = 
    match succ NodeRelation.LogicScopeBegin n with
      | Some nb -> nb
      | None -> failwith "no logical beginning node found"
  let logic_end n = 
    match succ NodeRelation.LogicScopeEnd n with
      | Some ne -> ne
      | None -> failwith "no logical end node found"

  let logic_invariant n = succ NodeRelation.LogicInvariant n

  let is_logic_begin n = has_pred NodeRelation.LogicScopeBegin n

  let is_logic_end n = has_pred NodeRelation.LogicScopeEnd n

  let is_logic_scope n = is_logic_begin n || is_logic_end n

  let add_edge edge v1 v2 =
    let e = Edge.create v1 edge v2 in
    Self.add_edge_e (graph ()) e

  (* topological order used by operations of iteration below.
     - [direction] is either forward or backward.
     - [roots] is empty for a classical propagation, and a single element
     for a propagation from a distinguished point of the program. It could
     be used also to propagate from a set of distinguished points, although
     not useful for now.
     - [sub_graph] is used when propagating from (a) distinguished point(s),
     to identify nodes in the resulting DAG.
  *)

  module OperationalTopologicalOrder =
    struct
      type t = 
	 {
	   direction : direction_t;
	   roots : NodeSet.t;
	   mutable sub_graph : NodeSet.t;
	 }

      module V = Node

      let iter_vertex f ord =
	if NodeSet.is_empty ord.roots then
	  Self.iter_vertex f (graph ())
	else
	  (* roots are forced. Force the input-degree too. *)
	  let work_set = ref ord.roots in
	  while (not (NodeSet.is_empty (!work_set))) do
	    let cur_work_set = !work_set in
	    work_set := NodeSet.empty;
	    ord.sub_graph <- NodeSet.union ord.sub_graph cur_work_set;
	    NodeSet.iter (fun node ->
	      let succ_nodes = match ord.direction with
	      | Forward -> successors ~ignore_looping:true node
	      | Backward -> predecessors ~ignore_looping:true node
	      in
	      List.iter (fun nx_node ->
		if not (NodeSet.mem nx_node ord.sub_graph) then
		  work_set := NodeSet.add nx_node !work_set) succ_nodes
	    ) cur_work_set
	  done;
	  Self.iter_vertex f (graph ())

      let iter_succ f ord node =
	let succ_nodes = match ord.direction with
	| Forward -> successors ~ignore_looping:true node
	| Backward -> predecessors ~ignore_looping:true node
	in
	let succ_nodes = 
	  if NodeSet.is_empty ord.roots then succ_nodes
	  else List.filter 
	      (fun node -> not (NodeSet.mem node ord.roots)) succ_nodes
	in
	List.iter f succ_nodes

      let in_degree ord node = 
	let pred_nodes = match ord.direction with
	| Forward -> predecessors ~ignore_looping:true node
	| Backward -> successors ~ignore_looping:true node
	in
	if NodeSet.is_empty ord.roots then
	  let pred_length = List.length pred_nodes in
	  if pred_length = 0 then
	    let succ_nodes = match ord.direction with
	    | Forward -> successors ~ignore_looping:true node
	    | Backward -> predecessors ~ignore_looping:true node
	    in
	    let succ_length = List.length succ_nodes in
	    (* ignore nodes not in the operational graph *)
	    if succ_length = 0 then 1
	    else pred_length
	  else pred_length
	else
	  (* only nodes in path should be taken into account *)
	  let pred_nodes = List.filter 
	      (fun node -> NodeSet.mem node ord.sub_graph) pred_nodes in
	  let pred_length = List.length pred_nodes in
	  (* force the nodes given as root to be such *)
	  if NodeSet.mem node ord.roots then 0
	  (* real root nodes or nodes not in the operational graph 
	     should be ignored in that case *)
	  else if pred_length = 0 then 1
	  else pred_length
    end

  module OperationalIterator = 
    Graph.Topological.Make (OperationalTopologicalOrder)

  let iter_operational direction ~roots f =
    let ord = {
      OperationalTopologicalOrder.direction = direction;
      OperationalTopologicalOrder.roots = 
      List.fold_right NodeSet.add roots NodeSet.empty;
      OperationalTopologicalOrder.sub_graph = NodeSet.empty;
    } in
    OperationalIterator.iter f ord

  let fold_operational direction ~roots f init =
    let ord = {
      OperationalTopologicalOrder.direction = direction;
      OperationalTopologicalOrder.roots =
      List.fold_right NodeSet.add roots NodeSet.empty;
      OperationalTopologicalOrder.sub_graph = NodeSet.empty;
    } in
    OperationalIterator.fold f ord init

  (* add an operational edge.
     - [force_add_opedge] should be used for edges that originate in 
     a jumping statement like a return/break/continue/goto.
     - [add_opedge] should be used in all other cases, with the knowledge
     that an edge will be added only if the source statement is not
     a jumping one. *)
  let force_add_opedge v1 v2 = Self.add_edge (graph ()) v1 v2
  let add_opedge v1 v2 =
    match get_node_kind v1 with
      | NKstat ->
	  if stat_is_jump v1 then
	    (* normal operational edges should not originate from
	       a jumping statement, in which case [force_add_opedge]
	       is used. Do nothing. *)
	    ()
	  else force_add_opedge v1 v2
      | _ -> force_add_opedge v1 v2

  (* add backward operational edge, for loops *)
  let add_backedge = add_edge NodeRelation.OperationalBwd
    
  (* add hierarchical edges. Used for adding structural and logical edges. *)
  let add_edges is_structural v vl = 
    let add_down_edge = 
      if is_structural then
	add_edge NodeRelation.StructuralDown 
      else
	add_edge NodeRelation.LogicalDown
    in
    let add_same_edge = 
      if is_structural then
	add_edge NodeRelation.StructuralSame
      else
	add_edge NodeRelation.LogicalSame
    in
    let rec add_same_edges vl = match vl with
      | a::b::r -> add_same_edge a b; add_same_edges (b::r)
      | _ -> ()
    in
    match vl with
      | [] -> ()
      | a::_r -> add_down_edge v a; add_same_edges vl

  (* add structural edges: a [StructuralDown] edge from [v] to the first
     node in the list [vl], and [StructuralSame] edges between successive
     nodes in [vl]. Nothing to do with your hat's edge. *)
  let add_stedge = add_edges (* is_structural= *)true

  (* add logical edges: a [LogicalDown] edge from [v] to the first
     node in the list [vl], and [LogicalSame] edges between successive
     nodes in [vl]. Do not misinterpret it as a command to add luggage. *)
  let add_logedge = add_edges (* is_structural= *)false

  (* add logical block edge *)
  let add_begedge = add_edge NodeRelation.LogicScopeBegin
  let add_endedge = add_edge NodeRelation.LogicScopeEnd
  let add_invedge = add_edge NodeRelation.LogicInvariant

  (* constructors *)

  let make_seq_expr node1 node2 =
    let e1 = get_e node1 in
    let e2 = get_e node2 in
    let new_e = NEseq (e1,e2) in
    let new_e = { e2 with nexpr_node = new_e } in
    create_tmp_node (Nexpr new_e)

  let make_int_expr_add_cst node cst =
    let e = get_e node in
    let typ = e.nexpr_type in
    let op = match typ.Ctypes.ctype_node with 
      | Ctypes.Tint ik -> Badd_int ik
      | _ -> failwith ("[make_int_expr_add_cst] should only be called on"
		       ^ " integer expression") in
    let cst_e = NEconstant (IntConstant (string_of_int cst)) in
    let cst_e = { e with nexpr_node = cst_e } in
    let new_e = NEbinary (e,op,cst_e) in
    let new_e = { e with nexpr_node = new_e } in
    create_tmp_node (Nexpr new_e)

  let make_int_expr_add_var node var =
    let e = get_e node in
    let typ = e.nexpr_type in
    let op = match typ.Ctypes.ctype_node with 
      | Ctypes.Tint ik -> Badd_int ik
      | _ -> failwith ("[make_int_expr_add_cst] should only be called on"
		       ^ " integer expression") in
    let cst_e = NEvar (Var_info var) in
    let cst_e = { e with nexpr_node = cst_e } in
    (* prefer var + expr to expr + var, for ergonomic issues *)
    let new_e = NEbinary (cst_e,op,e) in
    let new_e = { e with nexpr_node = new_e } in
    create_tmp_node (Nexpr new_e)

  let make_int_termexpr_add_termexpr node1 node2 =
    match get_node_kind node1 with
      | NKexpr | NKtest | NKlvalue -> 
	  let e1 = get_e node1 in
	  let e2 = get_e node2 in
	  let typ = e1.nexpr_type in
	  let op = match typ.Ctypes.ctype_node with 
	    | Ctypes.Tint ik -> Badd_int ik
	    | _ -> failwith ("[make_int_termexpr_add_termexpr] should only"
			     ^ " be called on integer expression") in
	  let new_e = NEbinary (e1,op,e2) in
	  let new_e = { e1 with nexpr_node = new_e } in
	  create_tmp_node (Nexpr new_e)    
      | NKterm ->
	  let t1 = get_t node1 in
	  let t2 = get_t node2 in
	  let op = Clogic.Badd in
	  let new_t = NTbinop (t1,op,t2) in
	  let new_t = { t1 with nterm_node = new_t } in
	  create_tmp_node (Nterm new_t)
      | _ -> assert false

  let make_var_decl node var =
    let s = get_s node in
    let new_s = NSdecl (var.var_type,var,None,s) in
    let new_s = { s with nst_node = new_s } in
    create_tmp_node (Nstat new_s)

  let make_seq_stat node1 node2 =
    let s1 = get_s node1 in
    let s2 = get_s node2 in
    let new_s = NSblock [s1;s2] in
    let new_s = { s1 with nst_node = new_s } in
    create_tmp_node (Nstat new_s)

  (* changes the expression's type if necessary *)
  let change_in_int_var_assign_cst node var index =
    let e = get_e node in
    let var_e = NEvar (Var_info var) in
    let typ_e = var.var_type in
    let var_e = { e with nexpr_node = var_e; nexpr_type = typ_e } in
    let cst_e = NEconstant (IntConstant (string_of_int index)) in
    let cst_e = { e with nexpr_node = cst_e; nexpr_type = typ_e } in
    let new_e = NEassign (var_e, cst_e) in
    let new_e = { e with nexpr_node = new_e; nexpr_type = typ_e } in
    create_tmp_node (Nexpr new_e)
    
  (* changes the expression's type if necessary *)
  let change_in_int_var_assign_var node var other_var =
    let e = get_e node in
    let var_e = NEvar (Var_info var) in
    let typ_e = var.var_type in
    let var_e = { e with nexpr_node = var_e; nexpr_type = typ_e } in
    let cst_e = NEvar (Var_info other_var) in
    let cst_e = { e with nexpr_node = cst_e; nexpr_type = typ_e } in
    let new_e = NEassign (var_e, cst_e) in
    let new_e = { e with nexpr_node = new_e; nexpr_type = typ_e } in
    create_tmp_node (Nexpr new_e)
      
  (* changes the expression's type if necessary *)
  let change_in_int_var_assign_expr node var sub_node =
    let e = get_e node in
    let var_e = NEvar (Var_info var) in
    let typ_e = var.var_type in
    let var_e = { e with nexpr_node = var_e; nexpr_type = typ_e } in
    let cst_e = get_e sub_node in
    let new_e = NEassign (var_e, cst_e) in
    let new_e = { e with nexpr_node = new_e; nexpr_type = typ_e } in
    create_tmp_node (Nexpr new_e)    

  (* to be matched with [encode_decl_list] below *)
  let rec decode_decl_list einit = match einit.nexpr_node with
    | NEcall ce ->
	let caller = ce.ncall_fun in
	if caller.nexpr_node = NEnop then
	  (* encoding of an initialization list *)
	  let args = ce.ncall_args in
	  Ilist (List.map decode_decl_list args)
	else
	  (* only other possibility is expression *)
	  Iexpr einit
    | _ -> Iexpr einit

  let change_sub_components_in_stat node sub_nodes =
    let s = get_s node in
    let new_s = match s.nst_node with
      | NSnop | NSlogic_label _ ->
	  assert (List.length sub_nodes = 0);
	  s.nst_node
      | NSassert _ ->
	  assert (List.length sub_nodes = 1);
	  let new_p1 = list1 sub_nodes in
	  let new_p1 = get_p new_p1 in
	  NSassert new_p1	  
      | NSassume _ ->
	  assert (List.length sub_nodes = 1);
	  let new_p1 = list1 sub_nodes in
	  let new_p1 = get_p new_p1 in
	  NSassume new_p1	  
      | NSexpr _e -> 
	  assert (List.length sub_nodes = 1);
	  let new_e = list1 sub_nodes in
	  let new_e = get_e new_e in
	  NSexpr new_e
      | NSif (_e,_s1,_s2) ->
	  assert (List.length sub_nodes = 3);
	  let new_e,new_s1,new_s2 = list3 sub_nodes in
	  let new_e,new_s1,new_s2 
	    = get_e new_e,get_s new_s1,get_s new_s2 in
	  NSif (new_e,new_s1,new_s2)
      | NSwhile (_annot,_e,_s1) ->
	  assert (List.length sub_nodes = 3);
	  let new_e,new_s1,new_a = list3 sub_nodes in
	  let new_e,new_s1,new_a = get_e new_e,get_s new_s1,get_annot new_a in
	  NSwhile (new_a,new_e,new_s1)
      | NSdowhile (_annot,_s1,_e) ->
	  assert (List.length sub_nodes = 3);
	  let new_s1,new_e,new_a = list3 sub_nodes in
	  let new_s1,new_e,new_a = get_s new_s1,get_e new_e,get_annot new_a in
	  NSdowhile (new_a,new_s1,new_e)
      | NSfor (_annot,_einit,_etest,_eincr,_s1) ->
	  assert (List.length sub_nodes = 5);
	  let new_einit,new_etest,new_eincr,new_s1,new_a = list5 sub_nodes in
	  let new_einit,new_etest,new_eincr,new_s1,new_a
	    = get_e new_einit,get_e new_etest,
	    get_e new_eincr,get_s new_s1,get_annot new_a in
	  NSfor (new_a,new_einit,new_etest,new_eincr,new_s1)
      | NSblock _sl ->
	  let new_sl = List.map get_s sub_nodes in
	  NSblock new_sl
      | NSreturn None ->
	  assert (List.length sub_nodes = 0);
	  s.nst_node
      | NSreturn (Some _e) -> 
	  assert (List.length sub_nodes = 1);
	  let new_e = list1 sub_nodes in
	  let new_e = get_e new_e in
	  NSreturn (Some new_e)
      | NSbreak | NScontinue | NSgoto _ -> 
	  assert (List.length sub_nodes = 0);
	  s.nst_node
      | NSlabel (str,_s1) ->
	  assert (List.length sub_nodes = 1);
	  let new_s = list1 sub_nodes in
	  let new_s = get_s new_s in
	  NSlabel (str,new_s)
      | NSspec (_spec,_s1) ->
	  assert (List.length sub_nodes = 2);
	  let new_s,new_spc = list2 sub_nodes in
	  let new_s,new_spc = get_s new_s,get_spec new_spc in
	  NSspec (new_spc,new_s)
      | NSdecl (typ,var,None,_s1) ->
	  assert (List.length sub_nodes = 1);
	  let new_s = list1 sub_nodes in
	  let new_s = get_s new_s in
	  NSdecl (typ,var,None,new_s)
      | NSdecl (typ,var,Some _cinit,_s1) ->
	  assert (List.length sub_nodes = 2);
	  let new_e,new_s1 = list2 sub_nodes in
	  let new_e = get_e new_e in
	  let new_s1 = get_s new_s1 in
	  let lhs_expr,rhs_expr = match new_e.nexpr_node with 
	    | NEassign (lhs_expr,rhs_expr) -> lhs_expr,rhs_expr
	    | _ -> assert false in
	  let new_var = match lhs_expr.nexpr_node with
	    | NEvar (Var_info new_var) -> new_var
	    | _ -> assert false
	  in
	  assert (ILVar.equal var new_var);
	  let new_cinit = decode_decl_list rhs_expr in
	  NSdecl (typ,var,Some new_cinit,new_s1)
      | NSswitch (_e,c,cases) -> 
	  let new_e = List.hd sub_nodes in
	  let new_cases = List.tl sub_nodes in
	  let new_e = get_e new_e in
	  (* remove [Nintern] node introduced for each [case] *)
	  let new_cases = 
	    List.map (fun n -> code_children n) new_cases in
	  let new_cases = List.map (List.map get_s) new_cases in
	  let new_cases = 
	    List.map2 (fun (cmap,_) sl -> (cmap,sl)) cases new_cases in
	  NSswitch (new_e,c,new_cases)
    in
    let new_s = { s with nst_node = new_s } in
    create_tmp_node (Nstat new_s)

  let change_sub_components_in_expr node sub_nodes =
    let e = get_e node in
    let new_e = match e.nexpr_node with
      | NEnop | NEconstant _ | NEstring_literal _ | NEvar _ ->
	  assert (List.length sub_nodes = 0);
	  e.nexpr_node
      | NEarrow (_e1,zone,var) ->
	  assert (List.length sub_nodes = 1);
	  let new_e = list1 sub_nodes in
	  let new_e = get_e new_e in
	  NEarrow (new_e,zone,var)
      | NEunary (op,_e1) ->
	  assert (List.length sub_nodes = 1);
	  let new_e = list1 sub_nodes in
	  let new_e = get_e new_e in
	  NEunary (op,new_e)
      | NEincr (op,_e1) ->
	  assert (List.length sub_nodes = 1);
	  let new_e = list1 sub_nodes in
	  let new_e = get_e new_e in
	  NEincr (op,new_e)
      | NEcast (typ,_e1) ->
	  assert (List.length sub_nodes = 1);
	  let new_e = list1 sub_nodes in
	  let new_e = get_e new_e in
	  NEcast (typ,new_e)
      | NEmalloc (typ,_e1) ->
	  assert (List.length sub_nodes = 1);
	  let new_e = list1 sub_nodes in
	  let new_e = get_e new_e in
	  NEmalloc (typ,new_e)
      | NEseq (_e1,_e2) ->
	  assert (List.length sub_nodes = 2);
	  let new_e1,new_e2 = list2 sub_nodes in
	  let new_e1,new_e2 = get_e new_e1,get_e new_e2 in
	  NEseq (new_e1,new_e2)
      | NEassign (_e1,_e2) ->
	  assert (List.length sub_nodes = 2);
	  let new_e1,new_e2 = list2 sub_nodes in
	  let new_e1,new_e2 = get_e new_e1,get_e new_e2 in
	  NEassign (new_e1,new_e2)
      | NEassign_op (_e1,op,_e2) ->
	  assert (List.length sub_nodes = 2);
	  let new_e1,new_e2 = list2 sub_nodes in
	  let new_e1,new_e2 = get_e new_e1,get_e new_e2 in
	  NEassign_op (new_e1,op,new_e2)
      | NEbinary (_e1,op,_e2) ->
	  assert (List.length sub_nodes = 2);
	  let new_e1,new_e2 = list2 sub_nodes in
	  let new_e1,new_e2 = get_e new_e1,get_e new_e2 in
	  NEbinary (new_e1,op,new_e2)
      | NEcall c ->
	  let new_f = List.hd sub_nodes in
	  let new_args = List.tl sub_nodes in
	  let new_f = get_e new_f in
	  let new_args = List.map get_e new_args in
	  NEcall { c with ncall_fun = new_f; ncall_args = new_args }
      | NEcond (_e1,_e2,_e3) ->
	  assert (List.length sub_nodes = 3);
	  let new_e1,new_e2,new_e3 = list3 sub_nodes in
	  let new_e1,new_e2,new_e3 
	    = get_e new_e1,get_e new_e2,get_e new_e3 in
	  NEcond (new_e1,new_e2,new_e3)
    in		
    let new_e = { e with nexpr_node = new_e } in
    create_tmp_node (Nexpr new_e)

  let change_sub_components_in_term node sub_nodes =
    let t = get_t node in
    let new_t = match t.nterm_node with
      | NTconstant _ | NTstring_literal _ 
      | NTvar _ | NTminint _ | NTmaxint _ -> 
	  assert (List.length sub_nodes = 0);
	  t.nterm_node
      | NTapp a ->
	  let new_args = sub_nodes in
	  let new_args = List.map get_t new_args in
	  NTapp { a with napp_args = new_args }
      | NTunop (op,_t1) ->
	  assert (List.length sub_nodes = 1);
	  let new_t = list1 sub_nodes in
	  let new_t = get_t new_t in
	  NTunop (op,new_t)
      | NTarrow (_t1,zone,var) ->
	  assert (List.length sub_nodes = 1);
	  let new_t = list1 sub_nodes in
	  let new_t = get_t new_t in
	  NTarrow (new_t,zone,var)
      | NTold _t1 ->
	  assert (List.length sub_nodes = 1);
	  let new_t = list1 sub_nodes in
	  let new_t = get_t new_t in
	  NTold new_t
      | NTat (_t1,label) ->
	  assert (List.length sub_nodes = 1);
	  let new_t = list1 sub_nodes in
	  let new_t = get_t new_t in
	  NTat (new_t,label)
      | NTbase_addr _t1 ->
	  assert (List.length sub_nodes = 1);
	  let new_t = list1 sub_nodes in
	  let new_t = get_t new_t in
	  NTbase_addr new_t
      | NToffset _t1 ->
	  assert (List.length sub_nodes = 1);
	  let new_t = list1 sub_nodes in
	  let new_t = get_t new_t in
	  NToffset new_t
      | NTblock_length _t1 ->
	  assert (List.length sub_nodes = 1);
	  let new_t = list1 sub_nodes in
	  let new_t = get_t new_t in
	  NTblock_length new_t
      | NTarrlen _t1 ->
	  assert (List.length sub_nodes = 1);
	  let new_t = list1 sub_nodes in
	  let new_t = get_t new_t in
	  NTarrlen new_t
      | NTstrlen (_t1,zone,var) ->
	  assert (List.length sub_nodes = 1);
	  let new_t = list1 sub_nodes in
	  let new_t = get_t new_t in
	  NTstrlen (new_t,zone,var)
      | NTmin (_t1,_t2) ->
	  assert (List.length sub_nodes = 2);
	  let new_t1,new_t2 = list2 sub_nodes in
	  let new_t1,new_t2 = get_t new_t1,get_t new_t2 in
	  NTmin (new_t1,new_t2)
      | NTmax (_t1,_t2) ->
	  assert (List.length sub_nodes = 2);
	  let new_t1,new_t2 = list2 sub_nodes in
	  let new_t1,new_t2 = get_t new_t1,get_t new_t2 in
	  NTmax (new_t1,new_t2)
      | NTcast (typ,_t1) ->
	  assert (List.length sub_nodes = 1);
	  let new_t = list1 sub_nodes in
	  let new_t = get_t new_t in
	  NTcast (typ,new_t)
      | NTbinop (_t1,op,_t2) ->
	  assert (List.length sub_nodes = 2);
	  let new_t1,new_t2 = list2 sub_nodes in
	  let new_t1,new_t2 = get_t new_t1,get_t new_t2 in
	  NTbinop (new_t1,op,new_t2)
      | NTif (_t1,_t2,_t3) ->
	  assert (List.length sub_nodes = 3);
	  let new_t1,new_t2,new_t3 = list3 sub_nodes in
	  let new_t1,new_t2,new_t3 
	    = get_t new_t1,get_t new_t2,get_t new_t3 in
	  NTif (new_t1,new_t2,new_t3)
      | NTrange (_t1,_t2opt,_t3opt,zone,info) ->
	  assert (List.length sub_nodes = 3);
	  let new_t1,new_t2,new_t3 = list3 sub_nodes in
	  let new_t1 = get_t new_t1 in
	  let new_t2 = match logic_children new_t2 with
	    | [new_t2] -> Some (get_t new_t2)
	    | [] -> None
	    | _ -> assert false (* bad encoding *)
	  in
	  let new_t3 = match logic_children new_t3 with
	    | [new_t3] -> Some (get_t new_t3)
	    | [] -> None
	    | _ -> assert false (* bad encoding *)
	  in
	  NTrange (new_t1,new_t2,new_t3,zone,info)
    in		
    let new_t = { t with nterm_node = new_t } in
    create_tmp_node (Nterm new_t)

  let change_sub_components_in_pred node sub_nodes =
    let p = get_p node in
    let new_p = match p.npred_node with
      | NPfalse | NPtrue -> 
	  assert (List.length sub_nodes = 0);
	  p.npred_node
      | NPapp a ->
	  let new_args = sub_nodes in
	  let new_args = List.map get_t new_args in
	  NPapp { a with napp_args = new_args }
      | NPrel (_t1,rel,_t2) ->
	  assert (List.length sub_nodes = 2);
	  let new_t1,new_t2 = list2 sub_nodes in
	  let new_t1,new_t2 = get_t new_t1,get_t new_t2 in
	  NPrel (new_t1,rel,new_t2)
      | NPvalid_index (_t1,_t2) ->
	  assert (List.length sub_nodes = 2);
	  let new_t1,new_t2 = list2 sub_nodes in
	  let new_t1,new_t2 = get_t new_t1,get_t new_t2 in
	  NPvalid_index (new_t1,new_t2)
      | NPand (_p1,_p2) ->
	  assert (List.length sub_nodes = 2);
	  let new_p1,new_p2 = list2 sub_nodes in
	  let new_p1,new_p2 = get_p new_p1,get_p new_p2 in
	  NPand (new_p1,new_p2)		
      | NPor (_p1,_p2) ->
	  assert (List.length sub_nodes = 2);
	  let new_p1,new_p2 = list2 sub_nodes in
	  let new_p1,new_p2 = get_p new_p1,get_p new_p2 in
	  NPor (new_p1,new_p2)		
      | NPimplies (_p1,_p2) ->
	  assert (List.length sub_nodes = 2);
	  let new_p1,new_p2 = list2 sub_nodes in
	  let new_p1,new_p2 = get_p new_p1,get_p new_p2 in
	  NPimplies (new_p1,new_p2)		
      | NPiff (_p1,_p2) ->
	  assert (List.length sub_nodes = 2);
	  let new_p1,new_p2 = list2 sub_nodes in
	  let new_p1,new_p2 = get_p new_p1,get_p new_p2 in
	  NPiff (new_p1,new_p2)		
      | NPnot _p1 ->
	  assert (List.length sub_nodes = 1);
	  let new_p1 = list1 sub_nodes in
	  let new_p1 = get_p new_p1 in
	  NPnot new_p1
      | NPforall (q,_p1) ->
	  assert (List.length sub_nodes = 1);
	  let new_p1 = list1 sub_nodes in
	  let new_p1 = get_p new_p1 in
	  NPforall (q,new_p1)
      | NPexists (q,_p1) ->
	  assert (List.length sub_nodes = 1);
	  let new_p1 = list1 sub_nodes in
	  let new_p1 = get_p new_p1 in
	  NPexists (q,new_p1)
      | NPold _p1 ->
	  assert (List.length sub_nodes = 1);
	  let new_p1 = list1 sub_nodes in
	  let new_p1 = get_p new_p1 in
	  NPold new_p1
      | NPat (_p1,label) ->
	  assert (List.length sub_nodes = 1);
	  let new_p1 = list1 sub_nodes in
	  let new_p1 = get_p new_p1 in
	  NPat (new_p1,label)
      | NPnamed (name,_p1) ->
	  assert (List.length sub_nodes = 1);
	  let new_p1 = list1 sub_nodes in
	  let new_p1 = get_p new_p1 in
	  NPnamed (name,new_p1)
      | NPif (_t1,_p2,_p3) ->
	  assert (List.length sub_nodes = 3);
	  let new_t1,new_p2,new_p3 = list3 sub_nodes in
	  let new_t1,new_p2,new_p3
	    = get_t new_t1,get_p new_p2,get_p new_p3 in
	  NPif (new_t1,new_p2,new_p3)		
      | NPvalid _t1 ->
	  assert (List.length sub_nodes = 1);
	  let new_t = list1 sub_nodes in
	  let new_t = get_t new_t in
	  NPvalid new_t
      | NPfresh _t1 ->
	  assert (List.length sub_nodes = 1);
	  let new_t = list1 sub_nodes in
	  let new_t = get_t new_t in
	  NPfresh new_t
      | NPvalid_range (_t1,_t2,_t3) ->
	  assert (List.length sub_nodes = 3);
	  let new_t1,new_t2,new_t3 = list3 sub_nodes in
	  let new_t1,new_t2,new_t3 
	    = get_t new_t1,get_t new_t2,get_t new_t3 in
	  NPvalid_range (new_t1,new_t2,new_t3)
      | NPseparated (_t1,_t2) ->
	  assert (List.length sub_nodes = 2);
	  let new_t1,new_t2 = list2 sub_nodes in
	  let new_t1,new_t2 = get_t new_t1,get_t new_t2 in
	  NPseparated (new_t1,new_t2)
      | NPfull_separated (_t1,_t2) ->
	  assert (List.length sub_nodes = 2);
	  let new_t1,new_t2 = list2 sub_nodes in
	  let new_t1,new_t2 = get_t new_t1,get_t new_t2 in
	  NPfull_separated (new_t1,new_t2)
      | NPbound_separated (_t1,_t2,_t3,_t4) ->
	  assert (List.length sub_nodes = 2);
	  let new_t1,new_t2,new_t3,new_t4 = list4 sub_nodes in
	  let new_t1,new_t2,new_t3,new_t4 =
	    get_t new_t1,get_t new_t2,get_t new_t3,get_t new_t4 in
	  NPbound_separated (new_t1,new_t2,new_t3,new_t4)
    in		
    let new_p = { p with npred_node = new_p } in
    create_tmp_node (Npred new_p)

  let change_sub_components_in_annot node sub_nodes =
    let a = get_annot node in
    assert (List.length sub_nodes = 4);
    let new_inv,new_assinv,new_ass,new_var = list4 sub_nodes in
    let new_inv = match logic_children new_inv with
      | [new_inv] -> 
	  let new_p = get_p new_inv in
          (* remove useless assert, possibly inserted by the analysis *)
	  begin match new_p.npred_node with
	    | NPtrue -> None 
	    | _ -> Some new_p
	  end
      | [] -> None
      | _ -> assert false (* bad encoding *)
    in
    let new_assinv = match logic_children new_assinv with
      | [new_assinv] ->
	  let new_p = get_p new_assinv in
          (* remove useless assume, possibly inserted by the analysis *)
	  begin match new_p.npred_node with
	    | NPtrue -> None 
	    | _ -> Some new_p
	  end
      | [] -> None
      | _ -> assert false (* bad encoding *)
    in
    let new_ass = match logic_children new_ass with
      | [new_ass] ->
	  let new_ass = List.map get_t (logic_children new_ass) in
	  Some (Loc.dummy_position, new_ass)
      | [] -> None
      | _ -> assert false (* bad encoding *)
    in
    let name_var = match a.variant with
      | None -> None
      | Some (_,so) -> so in
    let new_var = match logic_children new_var with
      | [new_var] -> Some (get_t new_var,name_var)
      | [] -> None
      | _ -> assert false (* bad encoding *)
    in
    let new_a = { invariant = new_inv; assume_invariant = new_assinv;
		  loop_assigns = new_ass; variant = new_var } in
    create_tmp_node (Nannot new_a)

  let change_sub_components_in_spec node sub_nodes =
    let s = get_spec node in
    assert (List.length sub_nodes = 4);
    let new_req,new_ass,new_ens,new_dec = list4 sub_nodes in
    let new_req = match logic_children new_req with
      | [new_req] ->
	  let new_p = get_p new_req in
          (* remove useless assume, possibly inserted by the analysis *)
	  begin match new_p.npred_node with
	    | NPtrue -> None 
	    | _ -> Some new_p
	  end
      | [] -> None
      | _ -> assert false (* bad encoding *)
    in
    let new_ass = match logic_children new_ass with
      | [new_ass] ->
	  let new_ass = List.map get_t (logic_children new_ass) in
	  Some (Loc.dummy_position, new_ass)
      | [] -> None
      | _ -> assert false (* bad encoding *)
    in
    let new_ens = match logic_children new_ens with
      | [new_ens] -> Some (get_p new_ens)
      | [] -> None
      | _ -> assert false (* bad encoding *)
    in
    let name_dec = match s.decreases with
      | None -> None
      | Some (_,so) -> so in
    let new_dec = match logic_children new_dec with
      | [new_dec] -> Some (get_t new_dec,name_dec)
      | [] -> None
      | _ -> assert false (* bad encoding *)
    in
    let new_s = { requires = new_req; assigns = new_ass;
		  ensures = new_ens; decreases = new_dec } in
    create_tmp_node (Nspec new_s)

  let change_sub_components node sub_nodes =
    match get_node_kind node with
      | NKnone ->
	  (* forward node for upper level. Rebuild the correct one-level 
	     sub-graph so that the upper level can rely on it if necessary.
	     Chained forward nodes can recreate more than one level. *)
	  let is_structural = fwd_is_structural node in
	  let is_logical = fwd_is_logical node in
	  let fwd_node = 
             if is_structural then create_node (Nintern InternStructural)
             else if is_logical then create_node (Nintern InternLogical)
             else 
               (* only forward nodes from the hierarchical graphs should be
		  reaching here *)
               assert false
          in
	  if is_structural then
	    add_stedge fwd_node sub_nodes
	  else
	    add_logedge fwd_node sub_nodes;
	  fwd_node
	  
      | NKdecl ->
	  let d = get_decl node in
	  let new_d =
	    match d.s with
	      | Some _s ->
		  let new_s,new_spec = list2 sub_nodes in
		  let new_s,new_spec = get_s new_s,get_spec new_spec in
		  { d with s = Some new_s; spec = new_spec }
	      | _ -> d
	  in
	  create_tmp_node (Ndecl new_d)

      | NKstat ->
	  change_sub_components_in_stat node sub_nodes
	    
      | NKexpr | NKtest | NKlvalue ->
	  change_sub_components_in_expr node sub_nodes
	    
      | NKterm ->
	  change_sub_components_in_term node sub_nodes
	    
      | NKpred | NKassume | NKassert -> 
	  change_sub_components_in_pred node sub_nodes

      | NKannot ->
	  change_sub_components_in_annot node sub_nodes
	    
      | NKspec ->
	  change_sub_components_in_spec node sub_nodes

  (* extraction of graph from normalized AST *)

  let rec from_term (t : nterm) = 
    let tnode = create_node (Nterm t) in
    begin
      match t.nterm_node with
	| NTconstant _ | NTstring_literal _ 
	| NTvar _ | NTminint _ | NTmaxint _ -> ()
	| NTapp a ->
	    let args_nodes = List.map from_term a.napp_args in
	    (* logic *) add_logedge tnode args_nodes
	| NTunop (_,t1) | NTarrow (t1,_,_) | NTold t1 | NTat (t1,_)
	| NTbase_addr t1 | NToffset t1 | NTblock_length t1 
	| NTarrlen t1 | NTstrlen (t1,_,_) | NTcast (_,t1) ->
	    let t1node = from_term t1 in
	    (* logic *) add_logedge tnode [t1node]
	| NTbinop (t1,_,t2) | NTmin (t1,t2) | NTmax (t1,t2) ->
	    let t1node = from_term t1 in
	    let t2node = from_term t2 in
	    (* logic *) add_logedge tnode [t1node; t2node]
	| NTif (t1,t2,t3) ->
	    let t1node = from_term t1 in
	    let t2node = from_term t2 in
	    let t3node = from_term t3 in
	    (* logic *) add_logedge tnode [t1node; t2node; t3node]
	| NTrange (t1,t2opt,t3opt,_,_) ->
	    let t1node = from_term t1 in
	    let t2node = create_node (Nintern InternLogical) in
	    begin match t2opt with 
	      | Some t2 ->
		  let t2optnode = from_term t2 in
		  (* logic *) add_logedge t2node [t2optnode]
	      | None -> ()
	    end;
	    let t3node = create_node (Nintern InternLogical) in
	    begin match t3opt with 
	      | Some t3 ->
		  let t3optnode = from_term t3 in
		  (* logic *) add_logedge t3node [t3optnode]
	      | None -> ()
	    end;
	    (* logic *) add_logedge tnode [t1node; t2node; t3node]
    end;
    tnode

  let rec from_pred ?(is_assume=false) ?(is_funpre=false)
   ?(is_assert=false) ?(is_invariant=false) ?(writes=w_empty) 
   (p : npredicate) =
    let pnode = 
      if is_invariant then 
	if is_assume then Nassinv (p,writes)
	else if is_assert then Ninv (p,writes)
	else assert false
      else if is_assume then Nassume p
      else if is_funpre then Npre p
      else if is_assert then Nassert p
      else Npred p
    in
    let pnode = create_node pnode in
    begin
      match p.npred_node with
	| NPfalse | NPtrue -> ()
	| NPapp a ->
	    let args_nodes = List.map from_term a.napp_args in
	    (* logic *) add_logedge pnode args_nodes
	| NPrel (t1,_,t2) | NPvalid_index (t1,t2) | NPseparated (t1,t2) 
	| NPfull_separated (t1,t2) ->
	    let t1node = from_term t1 in
	    let t2node = from_term t2 in
	    (* logic *) add_logedge pnode [t1node; t2node]
	| NPbound_separated (t1,t2,t3,t4) ->
  	    let t1node = from_term t1 in
	    let t2node = from_term t2 in
	    let t3node = from_term t3 in
	    let t4node = from_term t4 in
	    (* logic *) add_logedge pnode [t1node; t2node; t3node; t4node]
	| NPand (p1,p2) | NPor (p1,p2) | NPimplies (p1,p2) | NPiff (p1,p2) ->
	    let p1node = from_pred p1 in
	    let p2node = from_pred p2 in
	    (* logic *) add_logedge pnode [p1node; p2node]
	| NPnot p1 | NPforall (_,p1) | NPexists (_,p1) | NPold p1 
	| NPat (p1,_) | NPnamed (_,p1) ->
	    let p1node = from_pred p1 in
	    (* logic *) add_logedge pnode [p1node]
	| NPif (t1,p2,p3) ->
	    let t1node = from_term t1 in
	    let p2node = from_pred p2 in
	    let p3node = from_pred p3 in
	    (* logic *) add_logedge pnode [t1node; p2node; p3node]
	| NPvalid t1 | NPfresh t1 ->
	    let t1node = from_term t1 in
	    (* logic *) add_logedge pnode [t1node]
	| NPvalid_range (t1,t2,t3) ->
  	    let t1node = from_term t1 in
	    let t2node = from_term t2 in
	    let t3node = from_term t3 in
	    (* logic *) add_logedge pnode [t1node; t2node; t3node]
    end;
    pnode

  let from_spec ?(is_function=false) (s : nspec) = 
    let requires_node = create_node (Nintern InternLogical) in 
    let reqnode_opt = match s.requires with
      | Some p ->
	  let reqnode = from_pred ~is_funpre:is_function p in
	  (* logic *) add_logedge requires_node [reqnode];
	  Some reqnode
      | None ->
	  if is_function then
	    (* create a node [requires true] that will serve as a hook to 
	       improve on the assumed precondition *)
	    let ptrue = { npred_node = NPtrue; npred_loc = Loc.dummy_position }
	    in
	    let reqnode = from_pred ~is_funpre:is_function ptrue in
	    (* logic *) add_logedge requires_node [reqnode];
	    Some reqnode
	  else
	    None
    in
    let assigns_node = create_node (Nintern InternLogical) in
    begin match s.assigns with
      | Some (_, tl) ->
	  (* differenciate [None] from [Some([])] *)
	  let assnode = create_node (Nintern InternLogical) in
	  (* logic *) add_logedge assigns_node [assnode];
	  let tnodes = List.map from_term tl in
	  add_logedge assnode tnodes
      | None -> ()
    end;
    let ensures_node = create_node (Nintern InternLogical) in
    begin match s.ensures with
      | Some p ->
	  let ensnode = from_pred p in
	  (* logic *) add_logedge ensures_node [ensnode]
      | None -> ()
    end;
    let decreases_node = create_node (Nintern InternLogical) in
    begin match s.decreases with
      | Some (t,_) ->
	  let decnode = from_term t in
	  (* logic *) add_logedge decreases_node [decnode]
      | None -> ()
    end;
    let snode = create_node (Nspec s) in
    (* logic *) add_logedge snode [requires_node; assigns_node;
				   ensures_node; decreases_node];
    snode,reqnode_opt

  let from_annot (a : nloop_annot) writes =
    let assigns_node = create_node (Nintern InternLogical) in
    begin match a.loop_assigns with
      | Some (_,tl) ->
	  (* differenciate [None] from [Some([])] *)
	  let assnode = create_node (Nintern InternLogical) in
	  (* logic *) add_logedge assigns_node [assnode];
	  let tnodes = List.map from_term tl in
	  add_logedge assnode tnodes
      | None -> ()
    end;
    let invariant_node = create_node (Nintern InternLogical) in
    let invnode_opt = match a.invariant with
      | Some p ->
	  let invnode = from_pred 
	      ~is_invariant:true ~writes ~is_assert:true p 
	  in
	  (* logic *) add_logedge invariant_node [invnode];
	  Some invnode
      | None ->
	  (* create a node [assert true] that will serve as a hook to improve
	     on the asserted invariant *)
	  let ptrue = { npred_node = NPtrue; npred_loc = Loc.dummy_position }
	  in
	  let invnode = from_pred 
	      ~is_invariant:true ~writes ~is_assert:true ptrue
	  in
	  (* logic *) add_logedge invariant_node [invnode];
	  Some invnode
    in
    let assume_invariant_node = create_node (Nintern InternLogical) in
    let assinvnode_opt = match a.assume_invariant with
      | Some p ->
	  let assinvnode = from_pred 
	      ~is_invariant:true ~writes ~is_assume:true p in
	  (* logic *) add_logedge assume_invariant_node [assinvnode];
	  Some assinvnode
      | None ->
	  (* create a node [assume true] that will serve as a hook to improve
	     on the assumed invariant *)
	  let ptrue = { npred_node = NPtrue; npred_loc = Loc.dummy_position }
	  in
	  let assinvnode = from_pred 
	      ~is_invariant:true ~writes ~is_assume:true ptrue
	  in
	  (* logic *) add_logedge assume_invariant_node [assinvnode];
	  Some assinvnode	  
    in
    let variant_node = create_node (Nintern InternLogical) in
    begin match a.variant with
      | Some (t,_) ->
	  let varnode = from_term t in
	  (* logic *) add_logedge variant_node [varnode]
      | None -> ()
    end;
    let anode = create_node (Nannot a) in 
    (* logic *) add_logedge anode
      [invariant_node; assume_invariant_node; assigns_node; variant_node];
    anode,invnode_opt,assinvnode_opt

  (* shared code between the creation of a simple expression node and 
     the creation of a test node. The parameter [is_test] tells if the node
     created should be an expression or a test. The parameter [neg_test] is 
     used to specify the opposite of the test should be created. 
     The parameter [is_lvalue] specifies a lvalue is created.
     [in_incr] is set for an lvalue inside an increment/decrement operation.
     [in_opassign] is set for an lvalue inside an op-assignment.
  *)
  let rec from_expr start_node ?(is_test=false) ?(neg_test=false) 
      ?(is_lvalue=false) ?(in_incr=false) ?(in_opassign=false) (e : nexpr) =
    let e = match e.nexpr_node with
      | NEassign_op (e1,op,e2) ->
	  (* create an expression [e12] for the right-hand side of 
	     the assignment, in order to get rid of the opassign node *)
	  let e12 = { e with nexpr_node = NEbinary (e1,op,e2) } in
	  { e with nexpr_node = NEassign (e1,e12) }
      | _ -> e
    in
    let make_test_to_zero e = 
      let sub_e = sub_skip_casts e in
      match sub_e.nexpr_node with
	| NEvar (Var_info v) -> 
	    if var_is_pointer v then
	      let null_var = Info.default_var_info "null" in 
	      (* Info.set_assigned null_var; *)
	      Cenv.set_var_type (Var_info null_var) v.var_type false;
	      let null_expr =
		{ sub_e with nexpr_node = NEvar (Var_info null_var) } in
	      { e with nexpr_node = NEbinary (e,Bneq_pointer,null_expr) }
	    else e
	| _ -> e
    in
    let rec pure e = match e.nexpr_node with
      | NEnop | NEconstant _ | NEstring_literal _ | NEvar _ 
	  -> true
      | NEarrow (e1,_,_) | NEunary (_,e1) | NEcast (_,e1) 
	  -> pure e1
      | NEbinary (e1,_,e2) | NEseq (e1,e2) 
	  -> pure e1 && pure e2
      | NEcond (e1,e2,e3)
	  -> pure e1 && pure e2 && pure e3
      | NEmalloc _ | NEincr _ | NEassign _ | NEassign_op _ | NEcall _
	  -> false
    in
    let negative_lazy = match e.nexpr_node with
      | NEbinary (_,(Band | Bor),_) when neg_test -> true
      | _ -> false
    in
    let negative_not = match e.nexpr_node with
      | NEunary (Unot,_) when neg_test -> true
      | _ -> false
    in
    let push_not_inside = match e.nexpr_node with
      | NEunary (Unot,e1) when is_test && not neg_test ->
	  begin match e1.nexpr_node with
	    | NEunary (Unot,_) -> true
	    | NEbinary (_,(Band | Bor),_) -> true
	    | _ -> false
	  end
      | _ -> false
    in
    let e = 
      if negative_lazy then
	match e.nexpr_node with
	  | NEbinary (e1,(Band | Bor as op),e2) ->
	      let not_e1 = { e1 with nexpr_node = NEunary (Unot, e1) } in
	      let not_e2 = { e2 with nexpr_node = NEunary (Unot, e2) } in
	      begin match op with
		| Bor -> 
		    { e with nexpr_node = NEbinary (not_e1,Band,not_e2) }
		| Band ->
		    { e with nexpr_node = NEbinary (not_e1,Bor,not_e2) }
		| _ -> assert false
	      end
	  | _ -> assert false
      else if negative_not then
	match e.nexpr_node with
	  | NEunary (Unot,e1) -> make_test_to_zero e1
	  | _ -> assert false
      else if push_not_inside then
	e (* code for [Unot] below takes care of the negation *)
      else if neg_test then
        { e with nexpr_node = NEunary (Unot, make_test_to_zero e) }
      else if is_test then
	make_test_to_zero e
      else e
    in
    (* effect of [neg_test] taken into account at this point,
       ignore it, except for [Unot], when not in [negative_lazy] mode *)
    let enode =
      if is_test then Ntest e
      else if is_lvalue then
	if in_incr then Nlvalue (e,IncrDecr)
	else if in_opassign then Nlvalue (e,OpAssign)
	else Nlvalue (e,Assign)
      else Nexpr e
    in
    let enode = create_node enode in 
    begin
      match e.nexpr_node with
	| NEnop | NEconstant _ | NEstring_literal _ | NEvar _ ->
	    (* oper *) add_opedge start_node enode
	| NEunary (Unot,e1) when push_not_inside ->
	    assert (is_test && not neg_test);
	    let e1node = 
	      from_expr ~is_test ~neg_test:(not neg_test) start_node e1 in
	    (* oper *) add_opedge e1node enode;
	    (* struct *) add_stedge enode [e1node]
	| NEarrow (e1,_,_) | NEunary (_,e1) 
	| NEcast (_,e1) | NEmalloc (_,e1) ->
	    let e1node = from_expr start_node e1 in
	    (* oper *) add_opedge e1node enode;
	    (* struct *) add_stedge enode [e1node]
	| NEincr (_,e1) ->
	    let e1node = 
	      from_expr ~is_lvalue:true ~in_incr:true start_node e1 in
	    (* oper *) add_opedge e1node enode;
	    (* struct *) add_stedge enode [e1node]
	| NEseq (e1,e2) ->
	    let e1node = from_expr start_node e1 in
	    let e2node = from_expr e1node e2 in
	    (* oper *) add_opedge e2node enode;
	    (* struct *) add_stedge enode [e1node; e2node]
	| NEassign (e1,e2) ->
	    let e1node,e2node =
	      if Coptions.evaluation_order.Coptions.assign_left_to_right then
		let e1node = from_expr ~is_lvalue:true start_node e1 in
		let e2node = from_expr e1node e2 in
		(* oper *) add_opedge e2node enode;
	        e1node,e2node
    	      else
		let e2node = from_expr start_node e2 in
		let e1node = from_expr ~is_lvalue:true e2node e1 in
		(* oper *) add_opedge e1node enode;
	        e1node,e2node
	    in
	    (* struct *) add_stedge enode [e1node; e2node]
	| NEassign_op (_e1,_op,_e2) ->
	    assert false (* expression should have been modified above *)
	| NEbinary (e1,Band,e2) when is_test ->
	    (* do not take [neg_test] into account, already done *)
	    (* AND succeeds only when both [e1] and [e2] succeed *)
	    let e1node = from_expr ~is_test start_node e1 in
	    let e2node = from_expr ~is_test e1node e2 in
	    (* oper *) add_opedge e2node enode;
	    (* if the and-test is free from side-effects, the order of
	       evaluation of [e1] and [e2] should not matter. We ensure this
	       by merging a path where [e1] is evaluated before [e2] with
	       a path where [e2] is evaluated before [e1]. *)
	    if pure e then
	      begin
		let e2node = from_expr ~is_test start_node e2 in
		let e1node = from_expr ~is_test e2node e1 in
		(* oper *) add_opedge e1node enode
	      end;
	    (* struct *) add_stedge enode [e1node; e2node]
	| NEbinary (e1,Bor,e2) when is_test ->
	    (* do not take [neg_test] into account, already done *)
	    (* OR succeeds whenever [e1] succeeds, 
	       or [e1] fails and [e2] succeeds *)
	    let e1node = from_expr ~is_test start_node e1 in
	    let e2node =
	      if pure e then
		from_expr ~is_test start_node e2
	      else
		let nege1node = 
		  from_expr ~is_test ~neg_test:true start_node e1 in
		from_expr ~is_test nege1node e2 
	    in
	    (* oper *) add_opedge e1node enode;
	    (* oper *) add_opedge e2node enode;
	    (* struct *) add_stedge enode [e1node; e2node]
	| NEbinary (e1,_,e2) ->
	    let e1node,e2node =
	      if Coptions.evaluation_order.Coptions.binary_left_to_right then
		let e1node = from_expr start_node e1 in
		let e2node = from_expr e1node e2 in
		(* oper *) add_opedge e2node enode;
	        e1node,e2node
    	      else
		let e2node = from_expr start_node e2 in
		let e1node = from_expr e2node e1 in
		(* oper *) add_opedge e1node enode;
	        e1node,e2node
	    in
	    (* struct *) add_stedge enode [e1node; e2node]
	| NEcall c ->
	    let expr_list = c.ncall_fun :: c.ncall_args in
	    let expr_list,list_reversal =
	      if Coptions.evaluation_order.Coptions.call_left_to_right then
		expr_list,false
	      else 
		List.rev expr_list,true
	    in
	    let anode,anodes = 
	      List.fold_left 
		(fun (startn,nlist) e -> 
		  let en = from_expr startn e in
		  en,en::nlist
		) (start_node,[]) expr_list
	    in
	    (* get back the function and the arguments in the correct order.
	       Take into account the fact that the call to [List.fold_left] 
	       already reverses the list. *)
	    let anodes = if list_reversal then anodes else List.rev anodes in
	    (* oper *) add_opedge anode enode;
	    (* struct *) add_stedge enode anodes
	| NEcond (e1,e2,e3) ->
	    let true_node = from_expr ~is_test:true start_node e1 in
	    let false_node =
	      from_expr ~is_test:true ~neg_test:true start_node e1 in
	    let e2node = from_expr true_node e2 in
	    let e3node = from_expr false_node e3 in
	    (* oper *) add_opedge e2node enode;
	    (* oper *) add_opedge e3node enode;
	    (* struct *) add_stedge enode [true_node; e2node; e3node]
    end;
    enode

  type context_descr = 
      { 
	(* target for [continue] statements in loops *)
	loop_starts : Node.t list; 
	(* target for [break] statements in loops and switches *)
	loop_switch_ends : Node.t list;
	(* context of \old logical terms *)
	function_begin : Node.t;
	(* target of return and last statement of function.
	   Set only if needed. *)
	function_end : Node.t option;
	(* targets for [goto] statements, and sources for [label] ones *)
	label_aliases : Node.t StringMap.t ref
      }

  (* Whenever a [goto] or [label] is found, this function is called 
     and returns a node that represents the label, and updates 
     globally all the contexts *)
  let update_context_for_label ctxt lab =
    try
      StringMap.find lab (!(ctxt.label_aliases))
    with Not_found ->
      let lab_node = create_node (Nintern InternOperational) in
      ctxt.label_aliases := StringMap.add lab lab_node (!(ctxt.label_aliases));
      lab_node

  let rec from_stat (ctxt : context_descr) start_node (s : nstatement) =
    (* structural statement node, for statement [s] *)
    let stsnode = create_node (Nstat s) in
    (* operational statement node for [s]. It is equal to [stsnode] in the cases
       where the control flow ends up in the node representing the statement. *)
    let opsnode = match s.nst_node with
      | NSdecl _ -> 
	  (* A declaration should be put in the operational graph before 
	     the statements that follow it. Since these statements are
	     a sub-field of the declaration, we create an internal node 
	     to serve in place of the declaration as end-node. *)
	  create_node (Nintern InternOperational)
      | _ -> stsnode
    in 
    begin
      match s.nst_node with
	| NSnop | NSlogic_label _ ->
	    (* oper *) add_opedge start_node opsnode
	| NSassert p ->
	    let pnode = from_pred ~is_assert:true p in
	    (* oper *) add_opedge start_node pnode;
	    (* oper *) add_opedge pnode opsnode;
	    (* logic *) add_logedge stsnode [pnode];
	    (* assert node is -only- its self-end *)
	    (* logic *) add_begedge stsnode ctxt.function_begin;
	    (* logic *) add_endedge stsnode opsnode
	| NSassume p ->
	    let pnode = from_pred ~is_assume:true p in
	    (* oper *) add_opedge start_node pnode;
	    (* oper *) add_opedge pnode opsnode;
	    (* logic *) add_logedge stsnode [pnode];
	    (* assume node is -only- its self-end *)
	    (* logic *) add_begedge stsnode ctxt.function_begin;
	    (* logic *) add_endedge stsnode opsnode
	| NSexpr e -> 
	    let enode = from_expr start_node e in
	    (* oper *) add_opedge enode opsnode;
	    (* struct *) add_stedge stsnode [enode]
	| NSif (e,s1,s2) ->
	    let then_node = from_expr ~is_test:true start_node e in
	    let else_node =
	      from_expr ~is_test:true ~neg_test:true start_node e in
	    let sts1node,ops1node = from_stat ctxt then_node s1 in
	    let sts2node,ops2node = from_stat ctxt else_node s2 in
	    (* oper *) add_opedge ops1node opsnode;
	    (* oper *) add_opedge ops2node opsnode;
	    (* struct *) add_stedge stsnode [then_node; sts1node; sts2node]
	| NSwhile (a,e,s1) ->
	    (* source of backward edge in loop *)
	    let bwd_node = create_node (Nintern InternOperationalBwdSrc) in
	    (* node that merges backward and upward flows *)
	    let mrg_node = create_node (Nintern InternOperationalBwdDest) in
	    (* connect backward edge *)
	    (* oper *) add_opedge start_node mrg_node;
	    (* oper *) add_backedge bwd_node mrg_node;
	    let loop_effect = 
	      Ceffect.ef_union (Ceffect.statement ~with_local:true s1)
		(Ceffect.expr ~with_local:true e) in
	    let write_vars =
	      HeapVarSet.elements (loop_effect.Ceffect.assigns_var) in
	    let write_under_pointers =
	      HeapVarSet.elements (loop_effect.Ceffect.assigns_under_pointer)
	    in
	    let read_under_pointers =
	      HeapVarSet.elements (loop_effect.Ceffect.reads_under_pointer)
	    in
	    let writes = { write_vars = write_vars; 
			   read_under_pointers = read_under_pointers;
			   write_under_pointers = write_under_pointers; } in
	    let anode,invnode_opt,assinvnode_opt = from_annot a writes in
	    let loop_node = match invnode_opt,assinvnode_opt with
	      | None,None -> mrg_node
	      | Some inode,None | None,Some inode ->
		  (* oper *) add_opedge mrg_node inode;
		  inode
	      | Some invnode,Some assinvnode ->
		  (* assume part of invariant has no successor *)
		  (* oper *) add_opedge mrg_node assinvnode;
		  (* oper *) add_opedge mrg_node invnode;
		  (* logic *) add_invedge invnode assinvnode;
		  (* logic *) add_invedge assinvnode invnode;
		  invnode
	    in
	    let test_node = from_expr ~is_test:true loop_node e in
	    let stop_node = 
	      from_expr ~is_test:true ~neg_test:true loop_node e in
	    let upd_ctxt =
	      { ctxt with 
		  loop_starts = bwd_node :: ctxt.loop_starts;
		  loop_switch_ends = opsnode :: ctxt.loop_switch_ends } in
            (* widening node is first node -in- the loop *)
            let widen_node = create_node (Nwiden { count = 0 }) in 
            (* oper *) add_opedge test_node widen_node;
	    let sts1node,ops1node = from_stat upd_ctxt widen_node s1 in
	    (* oper *) add_opedge ops1node bwd_node; (* before [e]'s eval *)
	    (* oper *) add_opedge stop_node opsnode; (* after [e]'s eval *)
	    (* struct *) add_stedge stsnode [test_node; sts1node];
	    (* logic *) add_logedge stsnode [anode];
	    (* the logical "annot" node is linked to the start and end nodes *)
	    (* [bwd_node] is the end node of the loop *)
	    (* logic *) add_begedge anode ctxt.function_begin;
	    (* logic *) add_endedge anode bwd_node
	| NSdowhile (a,s1,e) ->
	    (* source of backward edge in loop *)
	    let bwd_node = create_node (Nintern InternOperationalBwdSrc) in
	    (* node that merges backward and upward flows *)
	    let mrg_node = create_node (Nintern InternOperationalBwdDest) in
	    (* connect backward edge *)
	    (* oper *) add_opedge start_node mrg_node;
	    (* oper *) add_backedge bwd_node mrg_node;
	    let fwd_node = create_node (Nintern InternOperational) in
	    let upd_ctxt =
	      { ctxt with 
		  loop_starts = fwd_node :: ctxt.loop_starts;
		  loop_switch_ends = opsnode :: ctxt.loop_switch_ends } in
            (* widening node is first node -in- the loop *)
            let widen_node = create_node (Nwiden { count = 0 }) in 
            (* oper *) add_opedge mrg_node widen_node;
	    let sts1node,ops1node = from_stat upd_ctxt widen_node s1 in
	    let loop_effect = 
	      Ceffect.ef_union (Ceffect.statement ~with_local:true s1)
		(Ceffect.expr ~with_local:true e) in
	    let write_vars =
	      HeapVarSet.elements (loop_effect.Ceffect.assigns_var) in
	    let write_under_pointers =
	      HeapVarSet.elements (loop_effect.Ceffect.assigns_under_pointer)
	    in
	    let read_under_pointers =
	      HeapVarSet.elements (loop_effect.Ceffect.reads_under_pointer)
	    in
	    let writes = { write_vars = write_vars; 
			   read_under_pointers = read_under_pointers;
			   write_under_pointers = write_under_pointers; } in
	    let anode,invnode_opt,assinvnode_opt = from_annot a writes in
	    let loop_node = match invnode_opt,assinvnode_opt with
	      | None,None -> fwd_node
	      | Some inode,None | None,Some inode ->
		  (* oper *) add_opedge fwd_node inode;
		  inode
	      | Some invnode,Some assinvnode ->
		  (* assume part of invariant has no successor *)
		  (* oper *) add_opedge fwd_node assinvnode;
		  (* oper *) add_opedge fwd_node invnode;
		  (* logic *) add_invedge invnode assinvnode;
		  (* logic *) add_invedge assinvnode invnode;
		  invnode
	    in
	    let test_node = from_expr ~is_test:true loop_node e in
	    let stop_node = 
	      from_expr ~is_test:true ~neg_test:true loop_node e in
	    (* oper *) add_opedge ops1node fwd_node;
	    (* oper *) add_opedge test_node bwd_node;(* before [s1]'s eval *)
	    (* oper *) add_opedge stop_node opsnode;
	    (* struct *) add_stedge stsnode [sts1node; test_node];
	    (* logic *) add_logedge stsnode [anode];
	    (* the logical "annot" node is linked to the start and end nodes *)
	    (* [bwd_node] is the end node of the loop *)
	    (* logic *) add_begedge anode ctxt.function_begin;
	    (* logic *) add_endedge anode bwd_node
	| NSfor (a,einit,etest,eincr,s1) ->
	    (* source of backward edge in loop *)
	    let bwd_node = create_node (Nintern InternOperationalBwdSrc) in
	    (* node that merges backward and upward flows *)
	    let mrg_node = create_node (Nintern InternOperationalBwdDest) in
	    (* connect backward edge *)
	    let einit_node = from_expr start_node einit in
	    (* oper *) add_opedge einit_node mrg_node;
	    (* oper *) add_backedge bwd_node mrg_node;
	    let loop_effect = 
	      Ceffect.ef_union (Ceffect.expr ~with_local:true etest)
		(Ceffect.ef_union (Ceffect.statement ~with_local:true s1)
		   (Ceffect.expr ~with_local:true eincr))
	    in
	    let write_vars =
	      HeapVarSet.elements (loop_effect.Ceffect.assigns_var) in
	    let write_under_pointers =
	      HeapVarSet.elements (loop_effect.Ceffect.assigns_under_pointer)
	    in
	    let read_under_pointers =
	      HeapVarSet.elements (loop_effect.Ceffect.reads_under_pointer)
	    in
	    let writes = { write_vars = write_vars; 
			   read_under_pointers = read_under_pointers;
			   write_under_pointers = write_under_pointers; } in
	    let anode,invnode_opt,assinvnode_opt = from_annot a writes in
	    let loop_node = match invnode_opt,assinvnode_opt with
	      | None,None -> mrg_node
	      | Some inode,None | None,Some inode ->
		  (* oper *) add_opedge mrg_node inode;
		  inode
	      | Some invnode,Some assinvnode ->
		  (* assume part of invariant has no successor *)
		  (* oper *) add_opedge mrg_node assinvnode;
		  (* oper *) add_opedge mrg_node invnode;
		  (* logic *) add_invedge invnode assinvnode;
		  (* logic *) add_invedge assinvnode invnode;
		  invnode
	    in
	    let test_node = from_expr ~is_test:true loop_node etest in
	    let stop_node = 
	      from_expr ~is_test:true ~neg_test:true loop_node etest in
	    let fwd_node = create_node (Nintern InternOperational) in
	    let upd_ctxt =
	      { ctxt with 
		  loop_starts = fwd_node :: ctxt.loop_starts;
		  loop_switch_ends = opsnode :: ctxt.loop_switch_ends } in
            (* widening node is first node -in- the loop *)
            let widen_node = create_node (Nwiden { count = 0 }) in 
            (* oper *) add_opedge test_node widen_node;
	    let sts1node,ops1node = from_stat upd_ctxt widen_node s1 in
	    let eincr_node = from_expr fwd_node eincr in
	    (* oper *) add_opedge ops1node fwd_node;
	    (* oper *) add_opedge eincr_node bwd_node; (* before [etest] *)
	    (* oper *) add_opedge stop_node opsnode; (* after [etest]'s eval *)
	    (* struct *) add_stedge stsnode [einit_node; test_node;
					     eincr_node; sts1node];
	    (* logic *) add_logedge stsnode [anode];
	    (* the logical "annot" node is linked to the start and end nodes *)
	    (* [bwd_node] is the end node of the loop *)
	    (* logic *) add_begedge anode ctxt.function_begin;
	    (* logic *) add_endedge anode bwd_node
	| NSblock sl ->
	    let (opbnode,stsnodes) = 
	      List.fold_left 
		(fun (startopnode,sts1nodes) s1 -> 
		   let sts1node,ops1node = from_stat ctxt startopnode s1 in
		   ops1node,sts1node::sts1nodes
		) (start_node,[]) sl in
	    let stsnodes = List.rev stsnodes in
	    (* oper *) add_opedge opbnode opsnode;
	    (* struct *) add_stedge stsnode stsnodes
	| NSreturn None ->
	    (* oper *) add_opedge start_node opsnode;
	    begin match ctxt.function_end with
	      | Some function_end ->
		  (* logic *) force_add_opedge stsnode function_end
	      | None -> ()
	    end
	| NSreturn (Some e) -> 
	    let enode = from_expr start_node e in
	    (* oper *) add_opedge enode opsnode;
	    (* struct *) add_stedge stsnode [enode];
	    begin match ctxt.function_end with
	      | Some function_end ->
		  (* logic *) force_add_opedge stsnode function_end
	      | None -> ()
	    end
	| NSbreak -> 
	    (* oper *) add_opedge start_node opsnode;
	    (* oper *) force_add_opedge opsnode (List.hd ctxt.loop_switch_ends);
	| NScontinue -> 
	    (* oper *) add_opedge start_node opsnode;
	    (* Originally this edge was a backward one, crucial to make 
	       the topological walk work properly. Not the case anymore since
	       loops have 2 special nodes for the back edge. *)
	    (* oper *) add_opedge opsnode (List.hd ctxt.loop_starts)
	| NSgoto (_,lab) ->
            (* no problem of widening here since only forward gotos are 
	       accepted. Otherwise we should add a widening node in the induced
	       loop. *)
	    (* oper *) add_opedge start_node opsnode;
	    let label_node = update_context_for_label ctxt lab.label_info_name in
	    (* oper *) force_add_opedge opsnode label_node
	| NSspec (spc,s1) ->
	    let sts1node,ops1node = from_stat ctxt start_node s1 in
	    (* oper *) add_opedge ops1node opsnode;
	    (* struct *) add_stedge stsnode [sts1node];
	    (* ignore precondition for the moment *)
	    let spcnode,_ = from_spec spc in
	    (* logic *) add_logedge stsnode [spcnode];
	    (* the logical "spec" node is linked to the start and end nodes *)
	    (* logic *) add_begedge spcnode start_node;
	    (* logic *) add_endedge spcnode stsnode
	| NSlabel (lab,s1) ->
	    let label_node = update_context_for_label ctxt lab.label_info_name in
	    (* oper *) add_opedge start_node label_node;
	    let sts1node,ops1node = from_stat ctxt label_node s1 in
	    (* oper *) add_opedge ops1node opsnode;
	    (* struct *) add_stedge stsnode [sts1node]
	| NSdecl (_,_,None,s1) ->
	    (* here structural statement node and operational statement node
	       are not the same. [stsnode] is used in the operational graph
	       before nodes for [s1]. *)
	    (* oper *) add_opedge start_node stsnode;
	    let sts1node,ops1node = from_stat ctxt stsnode s1 in
	    (* oper *) add_opedge ops1node opsnode;
	    (* struct *) add_stedge stsnode [sts1node]
	| NSdecl (_,var,Some cinit,s1) ->
	    (* create an assignment expression node so that the treatment
	       of this initialization is shared with normal assignment *)
	    let rec first_expr cinit = match cinit with
	      | Iexpr e -> Some e
	      | Ilist clinit ->
		  List.fold_left (fun e_opt cinit ->
				    begin match e_opt with
				      | None -> first_expr cinit
				      | _ -> e_opt
				    end) None clinit
	    in
	    let base_expr = match cinit with
	      | Iexpr e -> e
	      | Ilist il -> 
		  begin match first_expr (Ilist il) with
		    | None -> 
			(* initialization list cannot be totally empty *)
			assert false 
		    | Some e -> e
		  end 
	    in
	    (* to be matched with [decode_decl_list] above *)
	    let rec encode_decl_list cinit = match cinit with
	      | Iexpr e -> e
	      | Ilist clinit ->
		  (* special encoding of [Ilist il] in the form of a fake call
		     to [NEnop] so that:
		     - assignments in the initialization expression are taken 
		     into account
		     - decoding is easy and safe *)
		  let encoded_clinit = List.map encode_decl_list clinit in
		  let fake_caller = { base_expr with nexpr_node = NEnop } in
		  let fake_call = 
		    { ncall_fun = fake_caller;
		      ncall_args = encoded_clinit;
		      ncall_zones_assoc = [] } in
		  { base_expr with nexpr_node = NEcall fake_call }
	    in
	    let var_expr = 
	      { base_expr with nexpr_node = NEvar (Var_info var) } in
	    let encoded_expr = match cinit with
	      | Iexpr e -> e
	      | Ilist _il -> encode_decl_list cinit in
	    let explicit_assign = NEassign (var_expr,encoded_expr) in
	    let explicit_assign = 
	      { base_expr with nexpr_node = explicit_assign } in
	    (* here structural statement node and operational statement node
	       are not the same. [stsnode] is used in the operational graph
	       before nodes for [s1]. *)
	    (* oper *) add_opedge start_node stsnode;
	    let enode = from_expr stsnode explicit_assign in
	    let sts1node,ops1node = from_stat ctxt enode s1 in
	    (* oper *) add_opedge ops1node opsnode;
	    (* struct *) add_stedge stsnode [enode;sts1node]
	| NSswitch (e,_,cases) -> 
	    let enode = from_expr start_node e in
	    let upd_ctxt =
	      { ctxt with 
		  loop_starts = ctxt.loop_starts;
		  loop_switch_ends = opsnode :: ctxt.loop_switch_ends } in
	    let cnodes = List.map
	      (fun (_,sl) -> 
		 let opcnode,stclnodes =
		   List.fold_left 
		     (fun (startopnode,s1nodes) s1 -> 
			let sts1node,ops1node = 
			  from_stat upd_ctxt startopnode s1 in
			ops1node,sts1node::s1nodes
		     ) (enode,[]) sl
		 in
		 (* [cnode] is the node representing this [case], which is 
		    the same as the last statement in the list of statements
		    for this [case], when this list is not empty.
		    [clnodes] is the list of statements in this [case]. *)
		 opcnode,List.rev stclnodes
	      ) cases
	    in
	    let last_cnode =
	      List.fold_left 
		(fun prev_cnode (cnode,clnodes) -> 
		   begin match clnodes with
		     | [] -> (* no statement in this [case] *)
			 prev_cnode
		     | first_node::_ -> 
			 (* in case of fallthrough, control passes from 
			    the last statement of a [case] to the first 
			    statement of next [case].
			    If [prev_cnode] is a [break], call to 
			    [add_opedge] will do nothing. *)
			 (* oper *) add_opedge prev_cnode first_node;
			 cnode
		   end) enode cnodes
	    in
	    (* control flows from end of last case to end of switch *)
	    (* oper *) add_opedge last_cnode opsnode;
	    (* in absence of stable way of recognizing presence of [default]
	       case in switch (emptiness of integer map is not stable),
	       we consider the control always flows from start to end
	       of switch *)
	    (* oper *) add_opedge start_node opsnode;
	    let first_nodes = 
	      List.map (fun (_,clnodes) ->
			  (* special encoding so that [switch] can be seen as
			     a correct structured tree: a node [Nintern] is
			     created for every [case] and serves as 
			     intermediate *)
			  let fnode = 
			    create_node (Nintern InternStructural) in
			  begin match clnodes with
			    | [] -> ()
			    | _ -> (* struct *) add_stedge fnode clnodes
			  end;
			  fnode) cnodes
	    in
	    (* struct *) add_stedge stsnode (enode::first_nodes)
    end;
    stsnode,opsnode

  let rec from_decl d =
    if debug_more then Coptions.lprintf 
      "[from_decl] treating function %s@." d.name;
    (* clear all heap variables to avoid name clash between 
       different fucntions *)
    Hashtbl.clear Ceffect.heap_vars;
    let dnode = create_node (Ndecl d) in 
    (* In order to be able to transform any [ensures] part of 
       a function, we must create an end node for the function body,
       so that all parts of information are known under the same name 
       at that point. It is also used to provide a single entry point
       for backward propagation.
       All return statements and the last statement should be linked
       to this end node.
       This transformation may lead to a less precise analysis. 
       Maybe it could be restricted to functions that have an [ensures]
       part. It could be restricted further to functions that need it 
       to translate their [ensures] part.
    *)
    let end_node = create_node (Nintern InternOperational) in
    begin match d.s with
      | Some s ->
	  let start_ctxt = 
	    { 
	      loop_starts = []; 
	      loop_switch_ends = [];
	      function_begin = dnode;
	      function_end = Some end_node;
	      label_aliases = ref StringMap.empty
	    } in
	  let spcnode,reqnode_opt = from_spec ~is_function:true d.spec in
	  let func_node = match reqnode_opt with
	    | None -> dnode
	    | Some reqnode ->
		(* oper *) add_opedge dnode reqnode;
		reqnode
	  in
	  let stsnode,opsnode = from_stat start_ctxt func_node s in
	  (* oper *) add_opedge opsnode end_node;
	  (* struct *) add_stedge dnode [stsnode];
	  (* logic *) add_logedge dnode [spcnode];
	  (* the logical "spec" node is linked to the start and end nodes *)
	  (* logic *) add_begedge spcnode dnode; (* begin of decl is itself *)
	  (* logic *) add_endedge spcnode end_node
      | None -> ()
    end;
    (* clear all heap variables to avoid polluting real effects *)
    Hashtbl.clear Ceffect.heap_vars;
    dnode,end_node

  let from_file file =
    internal_graph := Some (Self.create ());
    (* only return functions that should be verified *)
    let file = 
      List.filter (fun func -> Coptions.verify func.f.fun_name) file in
    List.map from_decl file

  let to_decl node =
    match get_node_kind node with
      | NKdecl -> get_decl node
      | _ -> failwith "[to_decl] should be called only on declaration"

  let to_file nodes =
    let decls = List.map to_decl nodes in
    internal_graph := None;
    decls

  let collect_vars () =
    fold_operational Forward ~roots:[]
      (fun node (used_vars,decl_vars) ->
	 match get_node_kind node with
	   | NKexpr | NKtest | NKlvalue ->
	       (* only on code, not on logical part *)
	       let used_vars =
		 if expr_is_local_var node then
		   let var = termexpr_var_get node in
		   ILVarSet.add var used_vars
		 else
		   used_vars
	       in
	       used_vars,decl_vars
	   | NKstat ->
	       let decl_vars = 
		 if stat_is_decl node then
		   let var = decl_stat_get_var node in
		   ILVarSet.add var decl_vars
		 else
		   decl_vars
	       in
	       used_vars,decl_vars
	   | _ -> used_vars,decl_vars
      ) (ILVarSet.empty,ILVarSet.empty)

end

(* Local Variables: *)
(* compile-command: "make -C .." *)
(* End: *)
why-2.34/c/info.ml0000644000175000017500000002241412311670312012327 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Ctypes
open Creport

type why_type = 
  | Memory of why_type * zone
  | Pointer of zone
  | Addr of zone
  | Int
  | Real
  | Unit 
  | Why_Logic of string

and zone = 
    {
      zone_is_var : bool;
      number : int;
      mutable repr : zone option;
      name : string;
    }


let rec repr_aux z =
  match z.repr with
    | None -> z
    | Some z -> repr_aux z

(* path compression *)
let repr z =
  match z.repr with
    | None -> z
    | Some z' -> 
	let z'' = repr_aux z' in
	z.repr <- Some z''; z''

let same_zone z1 z2 =
   (repr z1) = (repr z2)
  
let rec same_why_type wt1 wt2 =
  match wt1, wt2 with
    | Pointer z1 , Pointer z2 ->
	same_zone z1 z2 
    | Memory(a1,z1), Memory(a2,z2) ->
	same_zone z1 z2 && same_why_type a1 a2
    | Int, Int -> true
    | Unit, Unit -> true 
    | Real, Real -> true
    | Why_Logic s1, Why_Logic s2 -> s1=s2
    | Addr _, _ | _,Addr _ -> assert false
    | _ -> false

let rec same_why_type_no_zone wt1 wt2 =
  match wt1, wt2 with
    | Pointer _z1, Pointer _z2 -> true
    | Memory (a1,_), Memory (a2,_) ->
	same_why_type_no_zone a1 a2
    | Int, Int -> true
    | Unit, Unit -> true 
    | Real, Real -> true
    | Why_Logic s1, Why_Logic s2 -> s1=s2
    | Addr _, _ | _,Addr _ -> assert false
    | _ -> false


let found_repr ?(quote_var=true) z = 
    let z = repr z in
    if quote_var && z.zone_is_var then "'"^z.name else z.name

let output_zone_name ?(quote_var=true) z =
  let name =
    if Coptions.no_zone_type then
      "global"
    else found_repr ~quote_var z
  in
  { Output.logic_type_name = name;
    Output.logic_type_args = [] }


let rec output_why_type ?(quote_var=true) ty=
  let rec output ty =
    match ty with
    | Int -> [], "int"
    | Real -> [], "real"
    | Pointer z -> [output_zone_name ~quote_var z] , "pointer"    
    | Addr z -> [output_zone_name ~quote_var z] , "addr"
    | Memory(t,z) -> 
	[output_why_type ~quote_var t; output_zone_name ~quote_var z], "memory"
    | Unit -> [], "unit" 
    | Why_Logic v -> [], v
  in
  let l,s = output ty in
  { Output.logic_type_name = s;
    Output.logic_type_args = l }

type var_info =
    {
      var_name : string;
      var_uniq_tag : int;
      mutable var_unique_name : string;
      mutable var_is_assigned : bool;
      mutable var_is_referenced : bool;
      mutable var_is_static : bool;
      mutable var_is_a_formal_param : bool;
      mutable enum_constant_value : int64;
      mutable var_type : Ctypes.ctype;
      mutable var_why_type : why_type;
    }

let tag_counter = ref 0

let default_var_info x =
  incr tag_counter;
  { var_name = x; 
    var_uniq_tag = !tag_counter;
    var_unique_name = x;
    var_is_assigned = false;
    var_is_referenced = false;
    var_is_static = false;
    var_is_a_formal_param = false;
    enum_constant_value = Int64.zero;
    var_type = c_void;
    var_why_type = Unit;
  }

let set_assigned v = v.var_is_assigned <- true

let unset_assigned v = v.var_is_assigned <- false

let set_is_referenced v = v.var_is_referenced <- true

let without_dereference v f x =
  let old = v.var_is_referenced in
  try
    v.var_is_referenced <- false;
    let y = f x in
    v.var_is_referenced <- old;
    y
  with e ->
    v.var_is_referenced <- old;
    raise e

let set_static v = v.var_is_static <- true

let set_formal_param v = v.var_is_a_formal_param <- true

let unset_formal_param v = v.var_is_a_formal_param <- false

let set_const_value v n = v.enum_constant_value <- n

module HeapVarSet = 
  Set.Make(struct type t = var_info 
		  let compare i1 i2 = 
		    Pervasives.compare
		      i1.var_uniq_tag i2.var_uniq_tag 
	   end)

type label =
  | Label_current
  | Label_name of string

module LabelSet = 
  Set.Make(struct type t = label
		  let compare = compare end)
		    
module HeapVarMap = 
  Map.Make(struct type t = var_info 
		  let compare i1 i2 = 
		    Pervasives.compare
		      i1.var_uniq_tag i2.var_uniq_tag 
	   end)

let print_hvs fmt s =
  HeapVarSet.iter (fun v -> Format.fprintf fmt "%s," v.var_unique_name) s

module ZoneSet = 
  Set.Make(struct type t = zone * string * why_type
		  let compare (i1,s1,_) (i2,s2,_) = 
		    match Pervasives.compare (repr i1).number 
		      (repr i2).number with
		      | 0 -> Pervasives.compare s1 s2
		      | x -> x
	   end)

type logic_info =
    {
      logic_name : string;
      mutable logic_heap_zone : ZoneSet.t;
      mutable logic_heap_args : HeapVarSet.t;
(* 
      mutable logic_heap_args : LabelSet.t HeapVarMap.t;

   does not work because of hack in effect.mli, effect of logic funs:
     reads_var = id.logic_heap_args;
   which confuses global vars with heap vars 
 
*)
      mutable logic_args : var_info list;
      mutable logic_why_type : why_type;
      mutable logic_args_zones : zone list;
    }

let default_logic_info x =
  { logic_name = x;
    logic_heap_zone = ZoneSet.empty;
    logic_heap_args = HeapVarSet.empty;
    logic_args = [];
    logic_why_type = Why_Logic "?";
    logic_args_zones = [];
  }

type fun_info =
    {
      fun_tag : int;
      fun_name : string;
      mutable fun_unique_name : string;
      mutable function_reads : ZoneSet.t;
      mutable function_writes : ZoneSet.t;
      mutable function_reads_var : HeapVarSet.t;
      mutable function_writes_var : HeapVarSet.t;
      mutable has_assigns : bool;
      mutable fun_type : Ctypes.ctype;
      mutable args : var_info list;
      mutable args_zones : zone list;
      mutable graph : fun_info list;
      mutable type_why_fun : why_type;
      mutable has_body : bool;
    }

let fun_tag_counter = ref 0

let default_fun_info x =
  { fun_tag = (let n = !fun_tag_counter in incr fun_tag_counter; n);
    fun_name = x; 
    fun_unique_name = x;
    function_reads = ZoneSet.empty;
    function_writes = ZoneSet.empty;
    function_reads_var = HeapVarSet.empty;
    function_writes_var = HeapVarSet.empty; 
    has_assigns = false;
    fun_type = c_void;
    args = [];
    args_zones = [];
    graph = [];
    type_why_fun = Unit;
    has_body = false;
  }


type env_info =
  | Var_info of var_info
  | Fun_info of fun_info

let env_name e =
 match e with
    | Var_info v -> v.var_name
    | Fun_info f -> f.fun_name

let set_unique_name e n =
  match e with
    | Var_info v -> 
(*
	Coptions.lprintf "Setting unique name of %s to %s@." v.var_name n;
*)
	v.var_unique_name <- n
    | Fun_info f -> f.fun_unique_name <- n

let var_type d = 
  match d with
    | Var_info v -> v.var_type
    | Fun_info f -> f.fun_type

let set_var_type d ty whyty = match d with
  | Var_info v -> 
      Coptions.lprintf "set_var_type %s <-  %a@." v.var_name Ctypes.ctype ty;
      v.var_type <- ty;
      v.var_why_type <- whyty
  | Fun_info f -> 
      Coptions.lprintf "set_var_type %s <- %a@." f.fun_name Ctypes.ctype ty;
      f.fun_type <- ty;
      f.type_why_fun <- whyty

let set_var_type_why d whyty = match d with
  | Var_info v ->   
      v.var_why_type <- whyty
  | Fun_info f -> 
      f.type_why_fun <- whyty

let get_why_type env =
  match env with
    | Var_info v -> v.var_why_type
    | Fun_info f -> f.type_why_fun


type label_info =
    { label_info_name : string;
      mutable times_used : int;
    }
why-2.34/c/cllexer.mll0000644000175000017500000001717212311670312013213 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*i $Id: cllexer.mll,v 1.58 2008-11-05 14:03:13 filliatr Exp $ i*)

(* tokens for the C annotations *)

{

  open Clparser
  open Lexing
  open Cerror
  open Clogic

  let loc lexbuf = 
    (Loc.reloc (lexeme_start_p lexbuf), Loc.reloc (lexeme_end_p lexbuf))

  let lex_error lexbuf s =
    Creport.raise_located (loc lexbuf) (AnyMessage ("lexical error: " ^ s))

  let identifier = 
    let h = Hashtbl.create 97 in
    List.iter (fun (i,t) -> Hashtbl.add h i t)
      [
	"if", IF;
	"then", THEN;
	"else", ELSE;
	"invariant", INVARIANT;
	"variant", VARIANT;
	"decreases", DECREASES;
	"for", FOR;
	"assert", ASSERT;
	"assume", ASSUME;
	"label", LABEL;
	"requires", REQUIRES;
	"ensures", ENSURES ;
	"assigns", ASSIGNS;
	"loop_assigns", LOOP_ASSIGNS;
	"reads", READS;
	"logic", LOGIC;
	"predicate", PREDICATE;
	"axiom", AXIOM;
	"int", INT;
	"integer", INTEGER;
	"float", FLOAT;
	"void", VOID;
	"char", CHAR;
	"signed", SIGNED;
	"unsigned", UNSIGNED;
	"short", SHORT;
	"long", LONG;
	"double", DOUBLE;
	"real", REAL;
	"struct", STRUCT;
	"enum", ENUM;
	"union", UNION;
	"ghost", GHOST;
	"set", SET;
	"type", TYPE;
      ];
    fun s -> try Hashtbl.find h s with Not_found -> IDENTIFIER s

  let newline lexbuf =
    let pos = lexbuf.lex_curr_p in
    lexbuf.lex_curr_p <- 
      { pos with 
	  pos_lnum = pos.pos_lnum + 1; 
	  pos_bol = pos.pos_cnum + !Loc.current_offset }
}

let space = [' ' '\t' '\012' '\r']

let rD =	['0'-'9']
let rL = ['a'-'z' 'A'-'Z' '_']
let rH = ['a'-'f' 'A'-'F' '0'-'9']
let rE = ['E''e']['+''-']? rD+
let rFS	= ('f'|'F'|'l'|'L')
let rIS = ('u'|'U'|'l'|'L')*

rule token = parse
  | '@' | [' ' '\t' '\012' '\r']+ { token lexbuf }
  | '\n' { newline lexbuf; token lexbuf }
  | "//" [^'\n']* ('\n'|eof) { newline lexbuf; token lexbuf }
  | "\\forall"  { FORALL }
  | "\\exists"  { EXISTS }
  | "=>" { IMPLIES }
  | "<=>" { IFF }
  | "&"     { AMP }
  | "&&"     { AND }
  | "|"      { BAR }
  | "||"      { OR }
  | "!"     { NOT }
  | "~"     { TILDE }
  | "\\true"    { TRUE }
  | "\\false"   { FALSE }
  | "\\old"    { OLD }
  | "\\at"    { AT }
  | "\\result" { RESULT }
  | "\\base_addr" { BASE_ADDR }
  | "\\offset" { OFFSET }
  | "\\block_length" { BLOCK_LENGTH }
  | "\\arrlen" { ARRLEN }
  | "\\strlen" { STRLEN }
  | "\\min" { MIN }
  | "\\max" { MAX }
  | "\\min_range" { MININT }
  | "\\max_range" { MAXINT }
  | "\\valid" { VALID }
  | "\\separated" { SEPARATED }
  | "\\bound_separated" { BOUND_SEPARATED }
  | "\\full_separated" { FULL_SEPARATED }
  | "\\fullseparated" { FULLSEPARATED }
  | "\\fresh" { FRESH }
  | "\\valid_index" { VALID_INDEX }
  | "\\valid_range" { VALID_RANGE }
  | "\\nothing"   { NOTHING }
  | "\\null" { NULL }
  | "\\abs" { ABS }
  | "\\sqrt" { SQRT }
  | "\\round_error" { ROUNDERROR }
  | "\\total_error" { TOTALERROR }
  | "\\exact" { EXACT }
  | "\\model" { MODEL }

  (* Why keywords are reserved *)
  | "in" 
      { lex_error lexbuf ("reserved keyword `" ^ lexeme lexbuf ^ "'") }
 
  | rL (rL | rD)*       { let s = lexeme lexbuf in identifier s }

  | '0'['x''X'] rH+ rIS?    { CONSTANT (IntConstant (lexeme lexbuf)) }
  | '0' rD+ rIS?            { CONSTANT (IntConstant (lexeme lexbuf)) }
  | rD+ rIS?                { CONSTANT (IntConstant (lexeme lexbuf)) }
  | 'L'? "'" [^ '\n' '\'']+ "'"     { CONSTANT (IntConstant (lexeme lexbuf)) }

  | rD+ rE rFS?             { CONSTANT (RealConstant (lexeme lexbuf)) }
  | rD* "." rD+ (rE)? rFS?  { CONSTANT (RealConstant (lexeme lexbuf)) }
  | rD+ "." rD* (rE)? rFS?  { CONSTANT (RealConstant (lexeme lexbuf)) }
  (* hack to lex 0..3 as 0 .. 3 and not as 0. .3 *)
  | (rD+ as n) ".."         { lexbuf.lex_curr_pos <- lexbuf.lex_curr_pos - 2;
			      CONSTANT (IntConstant n) }
  | 'L'? '"' [^ '"']* '"'   { STRING_LITERAL (lexeme lexbuf) }

  | "@"                     { AT }
  | ","                     { COMMA }
  | "->"                    { ARROW }
  | "?"                     { QUESTION }
  | ";"                     { SEMICOLON }
  | ":"                     { COLON }
  | "::"                    { COLONCOLON }
  | "."                     { DOT }
  | ".."                    { DOTDOT }
  | "-"                     { MINUS }
  | "+"                     { PLUS }
  | "*"                     { STAR }
  | "&"                     { AMP }
  | "/"                     { SLASH }
  | "%"                     { PERCENT }
  | "<"                     { LT }
  | "<<"                    { LTLT }
  | ">"                     { GT }
  | ">>"                    { GTGT }
  | "<="                    { LE }
  | ">="                    { GE }
  | "=="                    { EQ }
  | "!="                    { NE }
  | "("                     { LPAR }
  | ")"                     { RPAR }
  | "{"                     { LBRACE }
  | "}"                     { RBRACE }
  | ("["|"<:")              { LSQUARE }
  | ("]"|":>")              { RSQUARE }
  | "="                     { EQUAL }
  | "^"                     { HAT }
  | "^^"                    { HATHAT }

  | eof { EOF }
  | '\\' rL (rL | rD)* 
    { lex_error lexbuf ("Illegal escape sequence " ^ lexeme lexbuf) }
  | _   { lex_error lexbuf ("Illegal character " ^ lexeme lexbuf) }
 
{

  let parse_with_offset f (ofs, s) =
    let lb = from_string s in
    Loc.current_offset := ofs.pos_cnum + 3;
    lb.lex_curr_p <- ofs;
    try
      f token lb
    with Parsing.Parse_error ->
      let loc = loc lb in
      Creport.raise_located loc (AnyMessage "Syntax error in annotation")

  let annot = parse_with_offset Clparser.annot

}
why-2.34/c/invariant.ml0000644000175000017500000006162012311670312013371 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Coptions
open Creport
open Info
open Ctypes
open Clogic
open Cenv
open Cnorm
open Cprint
open Cseparation

let var_to_term loc v =
  {
    nterm_node = NTvar v; 
    nterm_loc = loc;
    nterm_type = v.var_type}

let indirection loc ty t =
  let info = make_field ty in
  let info = declare_arrow_var info  in
  let zone = find_zone_for_term t in
  let () = type_why_new_zone zone info in
  { nterm_node = NTarrow (t, zone, info); 
    nterm_loc = loc; 	   
    nterm_type = ty;}

let noattr_type ty =
  {ctype_node = ty;
   ctype_storage = No_storage;
   ctype_const = false;
   ctype_volatile = false;
   ctype_ghost = false;
  }

let noattr_term ty t= 
  { nterm_node = t; 
    nterm_loc = Loc.dummy_position;
    nterm_type = ty;}

let find_pred x = snd (find_pred x)
  
let rec predicate_for name t =
  match t.nterm_type.ctype_node with
    | Tstruct _n ->
	(*	NPand *)
	npvalid t
	  (*,
 	    NPapp (find_pred ("valid_" ^ n), [t]))*)
    | Tarray (_,_ty, None) ->
	error Loc.dummy_position "array size missing in `%s'" name
    | Tarray (_,_ty, Some s) ->
	  let i = default_var_info "counter" in
	  set_var_type (Var_info i) c_int false; 
	  let vari = noattr_term c_int (NTvar i) in
	  let ineq = npand
		       (nprel (nzero, Le, vari),
			nprel (vari, Lt, 
			       int_nconstant (Int64.to_string s))) in
	  let pre = predicate_for name vari in
	  if pre = nptrue 
	  then
	    npand ((npvalid t),(npvalid_range (t,(int_nconstant "0"), 
			  (int_nconstant (Int64.to_string (Int64.pred s))))))
	  else
	    npand (npvalid t, 
		   (npand 
		      ((npvalid_range (t,(int_nconstant "0"), 
			  (int_nconstant (Int64.to_string (Int64.pred s))))),
		      (make_forall 
			 [noattr_type (Tint (Signed, Ctypes.Int)), i]
			 (make_implies ineq pre)))))
     | _ -> nptrue


let fresh_index = 
  let r = ref (-1) in fun () -> incr r; "index_" ^ string_of_int !r

let make_forall_range loc t b f =
  if b = Int64.one
  then f t nzero
  else
    let i = default_var_info (fresh_index ()) in
    let vari = { nterm_node = NTvar i; 
		 nterm_loc = loc;
		 nterm_type = c_int;} in
    let ti = 
      { nterm_node = NTbinop (t, Badd, vari); 
	nterm_loc = loc;
	nterm_type = t.nterm_type;}
    in
    let pred = (f ti vari) in
    if pred = nptrue
    then 
      nptrue
    else
      let ineq = npand (nprel (nzero, Le, vari),
			nprel (vari, Lt, int_nconstant (Int64.to_string b))) in
      make_forall [c_int, i] (make_implies ineq pred)
     
let rec tab_struct loc v1 v2 s ty _n n1 n2=
  (make_forall_range loc v2 s 
     (fun t _i -> 
	local_separation loc n1 v1 (n2^"[i]") (indirection loc ty t)))

and local_separation loc n1 v1 n2 v2 =
  match (v1.nterm_type.Ctypes.ctype_node,v2.nterm_type.Ctypes.ctype_node) 
  with
    | Tarray (_,_ty, None), _ ->
	error loc "array size missing in `%s'" n1
    | _, Tarray (_,_ty, None) ->
	error loc "array size missing in `%s'" n2
    | Tstruct n , Tarray (_,ty,Some s) -> tab_struct loc v1 v2 s ty n n1 n2
    | Tarray (_,ty,Some s) , Tstruct n -> tab_struct loc v2 v1 s ty n n1 n2
    | Tarray (_,ty1,Some s1), Tarray(_,ty2,Some s2) ->
	make_and
	  (if compatible_type v1.nterm_type v2.nterm_type
	   then
	     (not_alias loc v1 v2)
	   else
	     nptrue)
	  (make_and 
	     (make_forall_range loc v1 s1 
		(fun t _i -> local_separation loc (n1^"[i]") 
		     (indirection loc ty1 t) n2 v2))
	     (make_forall_range loc v2 s2  
		(fun t _i -> local_separation loc n1 v1 (n2^"[j]") 
		     (indirection loc ty2 t))))
    | _, _ -> nptrue

    


let rec separation_intern2  n1 v1 =
  match v1.nterm_type.Ctypes.ctype_node with
    | Tarray (_,_,None) -> 
	error Loc.dummy_position "array size missing in `%s'" n1
    | Tarray(_,ty,Some s) ->
	  begin
	    match ty.Ctypes.ctype_node with
	      | Tarray (_,_,None) -> 
		error Loc.dummy_position "array size missing in `%s[i]'" n1 
	      | Tstruct _ ->
		  (make_forall_range Loc.dummy_position v1 s 
		     (fun t1 i1 ->
			make_forall_range Loc.dummy_position v1 s
			  (fun t2 i2 -> 
			     if i1 = nzero && i2 = nzero then nptrue 
			     else
			       make_implies (nprel (i1, Neq, i2)) 
				 (not_alias Loc.dummy_position t1 t2))))
	      | Tarray _ ->  
		  make_and
		    (make_forall_range Loc.dummy_position v1 s 
		       (fun t1 i1 ->
			  make_forall_range Loc.dummy_position v1 s
			    (fun t2 i2 -> 
			       if i1 = nzero && i2 = nzero then nptrue 
			       else
				 make_implies (nprel (i1, Neq, i2)) 
				   (not_alias Loc.dummy_position t1 t2))))
		    (make_forall_range Loc.dummy_position v1 s 
		       (fun t _i -> 
			  separation_intern2 n1 
			    (noattr_term ty t.nterm_node)))    
	      | _ -> nptrue
	  end
    | _ -> 
	nptrue

(*let rec separation loc n1 v1 n2 v2 =
  match (v1.nterm_type.Ctypes.ctype_node,v2.nterm_type.Ctypes.ctype_node) 
  with
    | Tarray (ty, None), _ ->
	error loc ("array size missing in `" ^ n1 ^ "'")
    | _, Tarray (ty, None) ->
	error loc ("array size missing in `" ^ n2 ^ "'")
    | Tstruct n , Tarray (ty,Some s) -> 
	if compatible_type ty v1.nterm_type 
	then
	  (make_forall_range loc v2 s 
	     (fun t i -> not_alias loc 
		(indirection loc ty 
		   (noattr_term (noattr_type (Tpointer ty)) 
		      (NTbinop (t,Badd,i)))) v1))
	else
	  NPtrue
    | Tarray (ty,Some s) , Tstruct n ->
	if compatible_type ty v2.nterm_type 
	then
	  (make_forall_range loc v1 s 
	     (fun t i -> not_alias loc 
		(indirection loc ty 
		   (noattr_term (noattr_type (Tpointer ty)) 
		      (NTbinop (t,Badd,i)))) v2))
	else
	  NPtrue
    | Tarray (ty1,Some s1), Tarray(ty2,Some s2) ->
	make_and
	  (if compatible_type v1.nterm_type v2.nterm_type
	   then
	     (not_alias loc v1 v2)
	   else
	     NPtrue)
	  (make_and 
	     (make_forall_range loc v1 s1 
		(fun t i -> separation loc (n1^"[i]") 
		     (indirection loc ty1  
			(noattr_term (noattr_type (Tpointer ty1)) 
			   (NTbinop (t,Badd,i)))) n2 v2))
	     (make_forall_range loc v2 s2  
		(fun t i -> separation loc n1 v1 (n2^"[j]") 
		     (indirection loc ty2  
			(noattr_term (noattr_type (Tpointer ty2)) 
			   (NTbinop (t,Badd,i)))))))
    | _, _ -> NPtrue
*)
  
let rec fold_2 f l = 
  match l with 
    | v::l ->
	List.fold_left (fun acc x ->(f v x)@acc) (fold_2 f l) l
    | _ -> [] 

let noattr_located n =  
  { Cast.node = n; Cast.loc = Loc.dummy_position }

(*
let heap_var_add v label m =
  try
    let l = HeapVarMap.find v m in
    HeapVarMap.add v (LabelSet.add label l) m 
  with Not_found ->
    HeapVarMap.add v (LabelSet.singleton label) m 
*)
    
let single v =  HeapVarSet.singleton v
(*
  heap_var_add v Label_current HeapVarMap.empty
*)

let pair v1 v2 = HeapVarSet.add v1 (single v2)
(*
  heap_var_add v1 Label_current (single v2)
*)  

let separation_first mark diag v1 v2 =
  let sep = if mark then "%separation1" else "%separation2" in
  let n1 =  v1.var_unique_name in
  let n2 =  v2.var_unique_name in
  match v1.var_type.Ctypes.ctype_node,v2.var_type.Ctypes.ctype_node with
    | Tarray (_,_,None), _  ->
	error Loc.dummy_position "array size missing in `[i]'" n1
    | _ , Tarray (_,_,None) ->
	error Loc.dummy_position "array size missing in `[i]'" n2
    | Tstruct _ , Tstruct _ ->
	let pre = sep ^ n1 ^ "_" ^ n2 in
	let info = Info.default_logic_info (pre) in
	info.logic_heap_args <- pair v1 v2;
	Cenv.add_pred (pre)  ([], info);
	[noattr_located (
	   Cast.Ninvariant_strong (
	     "separation" ^ n1 ^ "_" ^ n2 , 
	     npapp(find_pred (pre),[])))]
    | Tarray (_,ty,Some s) , Tstruct _ -> 
	if compatible_type ty v2.var_type then
	  let pre = sep ^ "_range1_" ^ n1 ^ "_" ^ n2 in 
	  let info = Info.default_logic_info (pre) in
	  info.logic_heap_args <- pair v1 v2; 
	  Cenv.add_pred (pre)  ([], info);
	  [noattr_located 
	     (Cast.Ninvariant_strong (
		"separation_" ^ n1 ^ "_" ^ n2,
		npapp
		  (find_pred (pre ), 
		   [noattr_term 
		      (noattr_type (Tint (Signed,Int)))
		      (NTconstant (IntConstant 
				     (Int64.to_string s)))])))]
	else []
    | Tstruct _ ,Tarray (_,ty,Some s)  -> 
	if compatible_type ty v1.var_type then
	  let pre = sep ^ "_range1_" ^ n1 ^ "_" ^ n2 in 
	  let info = Info.default_logic_info (pre) in
	  info.logic_heap_args <- pair v1 v2; 
	  Cenv.add_pred (pre)  ([], info);
	  [noattr_located
	     (Cast.Ninvariant_strong (
		"separation_" ^ n1 ^ "_" ^ n2,
		npapp(
		  find_pred (pre), 
		  (*(create_term n2)::(create_term n1)::*)
		    [noattr_term 
		       (noattr_type (Tint (Signed,Int)))
		       (NTconstant (IntConstant 
				      ((Int64.to_string s))))])))]
	else []
    | Tarray (_,ty1, Some _s1),  Tarray(_,ty2, Some _s2) ->
	let make_sub_term p ty v = 
	  let zone = find_zone_for_term p in
	  let () = type_why_new_zone zone v in
	  noattr_term ty (NTarrow (p, zone,v)) in
	if mark then
	  let pre = sep ^ n1 ^ "_" ^ n2 in
	  let info = Info.default_logic_info (pre) in
	  info.logic_heap_args <- pair v1 v2; 
	  Cenv.add_pred (pre)  ([], info);
	  let ty = noattr_type (Tpointer (Not_valid,noattr_type (Tvoid))) in
	  let var = default_var_info (fresh_index()) in
	  set_var_type (Var_info var) ty false;
	  let term = noattr_term ty (NTvar var) in
	  noattr_located (
	    Cast.Ninvariant_strong (
	      "internal_separation" ^ n1 ^ "_" ^ n2 , 
	      npapp(find_pred (pre),[])))::
	    [noattr_located
	       (Cast.Ninvariant_strong (
		  "separation_" ^ n1 ^ "_" ^ n2,
		  make_forall 
		    [ty,var] 
		    (local_separation Loc.dummy_position n1 
		       (make_sub_term term ty1 v1) n2
		       (make_sub_term term ty2 v2))))]
	else
 	  let pre = sep ^ n1 ^ "_" ^ n2 in
	  let info = Info.default_logic_info (pre) in
	  info.logic_heap_args <- pair v1 v2; 
	  Cenv.add_pred (pre)  ([], info);
	  let ty = noattr_type (Tpointer (Not_valid,noattr_type (Tvoid))) in
	  let var1 = default_var_info (fresh_index()) in
	  let var2 = default_var_info (fresh_index()) in
	  set_var_type (Var_info var1) ty false;
	  set_var_type (Var_info var2) ty false;
	  let term1 = noattr_term ty (NTvar var1) in
	  let term2 = noattr_term ty (NTvar var2) in
	  let pred = (local_separation Loc.dummy_position n1 
			(make_sub_term term1 ty1 v1)
			n2 
			(make_sub_term term2 ty2 v2)) in
	  if pred = nptrue then []
	  else
	    noattr_located (
	      Cast.Ninvariant_strong (
		"separation" ^ n1 ^ "_" ^ n2 , 
		npapp(find_pred (pre),[])))::
	      [noattr_located
		 (Cast.Ninvariant_strong 
		    ("separation_" ^ n1 ^ "_" ^ n2,
		     make_forall 
		       [ty,var1]
		       (make_forall 
			  [ty,var2]
			  (if diag 
			   then 
			     make_implies (nprel (term1,Neq,term2)) pred
			 else
			   pred))))]
    | _ , _ -> []
	  

let rec separation_intern n =
  match  tag_type_definition n with
    | TTStructUnion ((Tstruct _),l) ->
	let array_intern_separation v1  =
	  let n1 = v1.var_unique_name in
	  match v1.var_type.Ctypes.ctype_node with
	    | Tarray (_,_,None) -> 
		error Loc.dummy_position "array size missing in `%s[i]'" n1
	    | Tarray (_,ty,Some s) ->
		begin
		  match ty.Ctypes.ctype_node with
		    | Tstruct _ -> 
			let pre = "%separation1_range_" ^ n1  in 
			let info = Info.default_logic_info (pre) in
			info.logic_heap_args <- single v1; 
		  Cenv.add_pred (pre)  ([], info);
		  [noattr_located (Cast.Ninvariant_strong (
				    "internal_separation_" ^ n1 ^ "_array1" , 
				   npapp(
				     find_pred (pre ),
				     (*(create_term n1)::*)
				     [noattr_term (noattr_type 
						     (Tint (Signed,Int))) 
					(NTconstant 
					    (IntConstant 
					       (Int64.to_string s)))])))]
	      | Tarray _ ->	
		 let pre = "%separation1_range_" ^ n1  in 
		 let info = Info.default_logic_info (pre) in
		 info.logic_heap_args <- single v1 ; 
		 Cenv.add_pred (pre)  ([], info);
		 noattr_located (Cast.Ninvariant_strong (
				   "internal_separation_" ^ n1 ^ "_array1" , 
				   npapp(
				     find_pred (pre ),
				     (*(create_term n1)::*)
				      [noattr_term (noattr_type 
						      (Tint (Signed,Int))) 
					 (NTconstant 
					    (IntConstant 
					       (Int64.to_string s)))])))::
		   noattr_located (Cast.Ninvariant_strong (
				     "internal_separation_" ^ n1 ^ "_array2",
				     (make_forall_range Loc.dummy_position 
					(var_to_term Loc.dummy_position v1) s 
					(fun t i -> 
					    separation_intern2 n1 
					      (noattr_term 
						 (noattr_type (Tpointer (Not_valid,ty))) 
						 (NTbinop (t,Badd,i)))))))::[]
	      | _ -> []
	  end
      | _ -> []
	in
	(List.fold_left (fun acc t ->
			   array_intern_separation t@acc) [] l) @ 
	  (fold_2 (separation_first true false ) l)  
    | TTStructUnion (t,_fl) -> 
	begin match t with
	  | Tstruct _ -> assert false
	  | Tfun (_, _) -> assert false
	  | Tenum _ -> assert false
	  | Tunion _ -> [] (* TODO ? *)
	  | Tpointer (_, _) -> assert false
	  | Tarray (_, _, _) -> assert false
	  | Ctypes.Tvar _ -> assert false
	  | Tfloat _ -> assert false
	  | Tint _ -> assert false
	  | Tvoid -> assert false
	end
    | TTEnum (_, _) -> assert false
    | TTIncomplete -> assert false


let separation_2_struct _s1 l1 _s2 l2 acc=
  let l1 = snd l1 in
  let l2 = snd l2 in
  List.fold_left (fun acc1 t1 ->
		    (List.fold_left
		       (fun acc2 t2 ->
			  separation_first false (t1=t2) t1 t2@acc2) acc1 l2)) 
    acc l1

let add_predicates l =
  let f s (_ty,fl) l2 = 
    let l2 = List.fold_right 
      (fun f acc -> 
	 begin
	   match f.var_type.Ctypes.ctype_node with
	     | Tstruct n ->
		 let pre = "%valid_acc_" ^ n  in 
		 let info = Info.default_logic_info (pre) in
		 info.logic_heap_args <- single f; 
		 Cenv.add_pred (pre)  ([], info);
		 [noattr_located (
		    Cast.Ninvariant_strong (
		      "valid" ^ n,npapp(find_pred (pre),[])))]
	     | Tarray(_,ty, Some s)->
		 let n1 = f.var_unique_name in
		 let pre = "%valid_acc_" ^ n1 in 
		 let info = Info.default_logic_info (pre) in
		 info.logic_heap_args <- single f; 
		 Cenv.add_pred (pre)  ([], info);
		 let pre2 = "%valid_acc_range_" ^ n1  in 
		 let info2 = Info.default_logic_info (pre2) in
		 info2.logic_heap_args <- single f; 
		 Cenv.add_pred (pre2)  ([], info2);
		 noattr_located (
		 Cast.Ninvariant_strong ("valid_array"^ n1,
					 npapp(find_pred (pre),[])))::
		   noattr_located (
		     Cast.Ninvariant_strong 
		       ("valid_range" ^ n1,
			npapp(find_pred (pre2),
			      [noattr_term (noattr_type (Tint (Signed,Int))) 
				(NTconstant 
				   (IntConstant (Int64.to_string s)))])))::
		   begin
		     match ty.ctype_node with
		       | Tarray (_,_ty, None)->
			   error Loc.dummy_position 
			     "array size missing in `%s'" f.var_name
		       | Tarray (_,ty, Some _s1) ->
			 [noattr_located (
			    Cast.Ninvariant_strong 
			      ("valid_matrice" ^ n1,
			       make_forall_range 
				 Loc.dummy_position 
				 (var_to_term Loc.dummy_position f) s 
				 (fun t i -> predicate_for f.var_name 
				     (noattr_term (noattr_type (Tpointer (Not_valid,ty))) 
					(NTbinop (t,Badd,i))))))]
		       | _ -> []
		   end
		   
	     | _ -> []
	 end @ acc
      )		 
      fl l2
    in
    (separation_intern s) @ l2
  in
  let l = (fold_all_struct_pairs separation_2_struct l) in
  Cenv.fold_all_struct f l

(* integer sizes (should be moved elsewhere) *)

let string_two_power_n = function
  | 64 -> "18446744073709551616"
  | 63 -> "9223372036854775808"
  | n -> 
      assert (0 <= n && n <= 62); 
      Int64.to_string (Int64.shift_left Int64.one n)

let string_two_power_n_minus_one = function
  | 64 -> "18446744073709551615"
  | 63 -> "9223372036854775807"
  | n -> 
      assert (0 <= n && n <= 62); 
      Int64.to_string (Int64.pred (Int64.shift_left Int64.one n))

let min_int = function
  | Signed, n -> "-" ^ string_two_power_n (n-1)
  | Unsigned, _ -> "0"

let max_int = function
  | Signed, n -> string_two_power_n_minus_one (n-1)
  | Unsigned, n -> string_two_power_n_minus_one n

let min_cinteger (s,ty) = min_int (s, Cenv.int_size ty)
let max_cinteger (s,ty) = max_int (s, Cenv.int_size ty)

(************* DEAD CODE (--typing-predicates) **********************

let rec pred_for_type ty t = 
  match ty.Ctypes.ctype_node with
    | Ctypes.Tstruct n when Hashtbl.mem dummy_is_struct n ->
	npvalid t
    | Ctypes.Tstruct n ->
	let _,info = Cenv.find_pred ("is_struct_" ^ n) in 
	npand (npapp (info, [t]), npvalid t)
    | Ctypes.Tint (_, Ctypes.Bitfield _) ->
	nptrue (* TODO *)
    | Ctypes.Tint si ->
	let _,info = Cenv.find_pred (predicate_for_int_type si) in 
	npapp (info, [t])
    | Ctypes.Tarray (_, ty', Some s) ->
	let var_i = var_i () in
	let tvar_i = nterm (NTvar var_i) c_int in
	let n = ntconstant (Int64.to_string (Int64.pred s)) in
	let t_i = nterm (NTbinop (t, Clogic.Badd, tvar_i)) ty in
	begin
	  match ty'.ctype_node with
	    | Tstruct _ | Tunion _ ->	
		npand (npvalid_range (t, ntzero, n),
		       npforall [c_int,var_i] 
			 (npimp (npand (nprel (ntzero, Le, tvar_i),
					nprel (tvar_i, Le, n)))
			    (pred_for_type ty' t_i)))
	    | _ -> 
		let info = make_field ty' in
		let info = declare_arrow_var info in
		let zone = find_zone_for_term t in
		let () = type_why_new_zone zone info in
		let arrow_t_i = nterm (NTarrow (t_i, zone,info)) ty' in
		npand (npvalid_range (t, ntzero, n),
		       npforall [c_int,var_i] 
			 (npimp (npand (nprel (ntzero, Le, tvar_i),
					nprel (tvar_i, Le, n)))
			    (pred_for_type ty' arrow_t_i)))
	end
    | Ctypes.Tpointer (_, ty') | Ctypes.Tarray (_, ty', None) ->
	let var_i = var_i () in
	let t_i = 
	  nterm (NTbinop (t, Clogic.Badd, nterm (NTvar var_i) c_int)) ty 
	in
	begin 
	  match ty'.ctype_node with
	    | Tstruct _ | Tunion _ ->	
		npforall [c_int,var_i] (npimp (npvalid t_i) 
					  (pred_for_type ty' t_i))
	    | _ -> 
		let info = make_field ty' in
		let info = declare_arrow_var info in
		let zone = find_zone_for_term t in
		let () = type_why_new_zone zone info in
		let arrow_t_i = nterm (NTarrow (t_i, zone,info)) ty' in
		npforall [c_int,var_i] (npimp (npvalid t_i) 
					  (pred_for_type ty' arrow_t_i))
	end
    | Ctypes.Tunion n ->
	nptrue (*TODO*)
    | Ctypes.Tenum n ->
	let _,info = Cenv.find_pred ("is_enum_" ^ n) in 
	npapp (info, [t])
    | Ctypes.Tvoid | Ctypes.Tfun _ | Ctypes.Tfloat _ | Ctypes.Tvar _ -> 
	nptrue

let add_typing_predicates dl =
  let loc = Loc.dummy_position in
  let tdecl d = { node = d; loc = loc } in
  (* 1. define all is_signed_char, ... predicates *)
  let declare_int_type si acc =
    let ty = noattr (Tint si) in
    let n = predicate_for_int_type si in
    let n' = function_for_int_type si in
    let is_int_n = Info.default_logic_info n in
    let any_int_n' = Info.default_fun_info n' in
    let result = {nterm_node = NTvar(Info.default_var_info "result");
		  nterm_loc = Loc.dummy_position ;
		  nterm_type = ty}
    in
    let spec_n' = { requires = None;
		    assigns = None;
		    ensures = Some (npapp (is_int_n, [result]));
		    decreases = None} 
    in
    Cenv.add_c_fun n' (spec_n',ty,any_int_n',None,Loc.dummy_position);
    Cenv.add_pred n ([ty], is_int_n);
    let x = Info.default_var_info "x" in
    set_formal_param x;
    set_var_type (Var_info x) ty true;
    is_int_n.logic_args <- [x];
    let var_x = nterm (NTvar x) ty in
    let min_si = ntconstant (min_cinteger si) in
    let max_si = ntconstant (max_cinteger si) in
    let p = npand (nprel (min_si, Le, var_x),
		   nprel (var_x, Le, max_si)) in
    let d = tdecl (Nlogic (is_int_n, NPredicate_def ([x,ty], p))) in
    d :: acc
  in
  (* 2. define all is_enum_E predicates *)
  let declare_enum_type s (tyn, vl) acc =
    let ty = noattr tyn in
    let n = "is_enum_" ^ s in
    let n' = "any_enum_" ^ s in
    let is_enum_s = Info.default_logic_info n in   
    let any_enum_n' = Info.default_fun_info n' in    
    let result = {nterm_node = NTvar(Info.default_var_info "result");
		  nterm_loc = Loc.dummy_position ;
		  nterm_type = ty}
    in
    let spec_n' = { requires = None;
		    assigns = None;
		    ensures = Some (npapp (is_enum_s, [result]));
		    decreases = None} 
    in    
    Cenv.add_c_fun n' (spec_n',ty,any_enum_n',None,Loc.dummy_position);
    Cenv.add_pred n ([ty], is_enum_s);
    let x = Info.default_var_info (get_fresh_name "x") in
    set_formal_param x;
    set_var_type (Var_info x) ty true;
    is_enum_s.logic_args <- [x];
    let var_x = nterm (NTvar x) ty in
    let p = 
      List.fold_left 
	(fun p (v,_) -> 
	   let p1 = nprel (var_x, Eq, nterm (NTvar v) ty) in
	   npor (p, p1)) 
	npfalse vl
    in
    let d = tdecl (Nlogic (is_enum_s, NPredicate_def ([x,ty], p))) in
    d :: acc
  in
  (* 3. declare all is_struct_S predicates *)
  let declare_is_struct s (tyn, fl) acc = 
    let ty = noattr tyn in
    let n = "is_struct_" ^ s in
    let is_struct_s = Info.default_logic_info n in
    Cenv.add_pred n ([ty], is_struct_s);
    let x = Info.default_var_info "x" in
    set_formal_param x;
    set_var_type (Var_info x) ty true;
    is_struct_s.logic_args <- [x];
    let varx = nterm (NTvar x) ty in
    let reads = (* reads = x.f1, ..., x.fn *)
      List.map (fun f ->       
		  let zone = find_zone_for_term varx in
		  let () = type_why_new_zone zone f in
		  nterm (NTarrow (varx,zone, f)) f.var_type)
	fl
    in
    let d = tdecl (Nlogic (is_struct_s, NPredicate_reads ([x,ty], reads))) in
    d :: acc
  in
  (* 4. axiomatize all is_struct_S predicates *)
  let define_is_struct s (tyn,fl) acc =
    reset_var_i ();
    let _,is_struct_s = Cenv.find_pred ("is_struct_" ^ s) in
    let x = match is_struct_s.logic_args with [x] -> x | _ -> assert false in
    let ty = noattr tyn in
    let varx = nterm (NTvar x) ty in
    let ax = 
      let def = 
	List.fold_left
	  (fun acc f -> 
	     let zone = find_zone_for_term varx in
	     let () = type_why_new_zone zone f in
	     let t = nterm (NTarrow (varx, zone, f)) f.var_type in
	     npand (acc, pred_for_type f.var_type t))
	  nptrue fl
      in
      if def.npred_node = NPtrue then begin
	Hashtbl.add dummy_is_struct s ();
	[]
      end else 
	let p = npforall [ty,x] (npiff (npapp (is_struct_s, [varx]), def)) in
	[tdecl (Naxiom ("is_struct_" ^ s ^ "_def", p))]
    in
    acc @ ax  
  in
  (* 3. add typing predicates for input variables *)
  let adding_typing_invariant_requires fun_name (sp, ty, f, st, loc) =
    let requires = 
      begin 
	match sp.requires with
	  | None -> nptrue
	  | Some p -> p
      end 
    in
    let requires =
      List.fold_left (fun acc arg -> 
			let arg_term = nterm (NTvar arg) arg.var_type in
			npand (acc ,pred_for_type arg.var_type arg_term))
	requires f.args
    in
    let requires = 
      if requires.Clogic.npred_node = NPtrue then
	None
      else
	Some requires
    in
    sp.requires <- requires
  in
  let dl = 
    List.fold_right declare_int_type
      [Signed, Char; Unsigned, Char;
       Signed, Short; Unsigned, Short;
       Signed, Int; Unsigned, Int;
       Signed, Long; Unsigned, Long;
       Signed, LongLong; Unsigned, LongLong;
      ] 
      dl
  in
  let dl = Cenv.fold_all_enum declare_enum_type dl in
  let dl = Cenv.fold_all_struct declare_is_struct dl in
  let dl = Cenv.fold_all_struct define_is_struct dl in
  Hashtbl.iter  adding_typing_invariant_requires Cenv.c_functions;
  
  (*let dl = List.fold_right add_invariant_for_global dl [] in*)
  dl





**********************************************************************)
why-2.34/c/cinterp.mli0000644000175000017500000000511012311670312013203 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Interpretation of C programs *)

open Output

val interp : Cast.nfile -> why_decl list

val interp_functions : why_decl list -> 
  (string * why_decl) list * why_decl list

val make_int_types_decls : unit -> why_decl list
val make_enum_types_decls : unit -> why_decl list

val print_locs : Format.formatter -> unit

why-2.34/c/cinit.ml0000644000175000017500000004277012311670312012511 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Cenv
open Cast
open Clogic
open Info
open Ctypes

let binop = function
  | Cast.Bbw_and -> Bbw_and
  | Cast.Bbw_or -> Bbw_or
  | Cast.Bbw_xor -> Bbw_xor
  | Cast.Bshift_right -> Bshift_right
  | Cast.Bshift_left -> Bshift_left
  | _ -> assert false


let rec term_of_expr (e:texpr)  =
  {
    term_node = 
     begin 
       match e.texpr_node with
	 | TEnop ->  assert false
	 | TEconstant c -> Tconstant c
	 | TEstring_literal s -> Tstring_literal s
	 | TEvar (Var_info v) -> 
	     Clogic.Tvar v 
	 | TEvar (Fun_info _f) -> assert false (*TODO*)
	 | TEdot (e, v) -> Tdot (term_of_expr e, v)
	 | TEarrow (e, v) -> Tarrow (term_of_expr e, v)
	 | TEarrget (e1, e2) -> Tarrget (term_of_expr e1, term_of_expr e2)
	 | TEseq (_e1, _e2) -> assert false
	 | TEassign (_e1, _e2) -> assert false (*TODO*)
	 | TEassign_op (_e1, _b, _e2) -> assert false (*TODO*)
	 | TEunary (Cast.Uplus, e) -> Tunop (Clogic.Uplus, term_of_expr e)
	 | TEunary (Cast.Uminus, e) -> Tunop (Clogic.Uminus, term_of_expr e)
	 | TEunary (Cast.Unot, e) -> Tunop (Clogic.Unot,term_of_expr e) 
	 | TEunary (Cast.Ustar, e) -> Tunop (Clogic.Ustar, term_of_expr e)
	 | TEunary (Cast.Uamp, e) -> Tunop (Clogic.Uamp, term_of_expr e)
	 | TEunary (Cast.Utilde, e) -> Tunop (Utilde, term_of_expr e)
	 | TEunary (Cast.Ufloat_of_int, e) -> 
	     Tunop (Ufloat_of_int, term_of_expr e)
	 | TEunary (Cast.Ufloat_conversion, e) -> 
	     Tunop (Ufloat_conversion, term_of_expr e)
	 | TEunary (Cast.Uint_of_float, e) -> 
	     Tunop (Uint_of_float, term_of_expr e)
	 | TEunary (Cast.Uint_conversion, e) -> 
	     (term_of_expr e).term_node
	 | TEincr (Uprefix_inc,e)| TEincr (Upostfix_inc,e) -> 
	     Tbinop (term_of_expr e, Badd, {
		       term_node = Tconstant (IntConstant "1");
		       term_loc = Loc.dummy_position;
		       term_type = c_int;
		     })	 
	 | TEincr (Uprefix_dec,e) | TEincr (Upostfix_dec,e) -> 
	     Tbinop (term_of_expr e, Bsub, {
		       term_node = Tconstant (IntConstant "1");
		       term_loc = Loc.dummy_position;
		       term_type = c_int;
		     })
	 | TEbinary (e1, Badd_pointer_int, e2) | TEbinary (e1,Badd_float _,e2) 
	 | TEbinary (e1, Badd_int _, e2) | TEbinary (e1, Cast.Badd, e2) -> 
	     Tbinop (term_of_expr e1, Badd, term_of_expr e2)
	 | TEbinary (e1, Bsub_float _, e2)| TEbinary (e1, Bsub_pointer, e2) 
	 | TEbinary (e1, Bsub_int _, e2) | TEbinary (e1, Cast.Bsub, e2) ->
	     Tbinop (term_of_expr e1, Bsub, term_of_expr e2)
	 | TEbinary (e1, Bmul_float _, e2) 
	 | TEbinary (e1, Bmul_int _, e2) | TEbinary (e1, Cast.Bmul, e2) ->
	     Tbinop (term_of_expr e1, Bmul, term_of_expr e2)
	 | TEbinary (e1, Bdiv_int _, e2) | TEbinary (e1, Cast.Bdiv, e2) 
	 | TEbinary (e1, Bdiv_float _, e2) ->
	     Tbinop (term_of_expr e1, Bdiv, term_of_expr e2)
	 | TEbinary (e1, Bmod_int _, e2) | TEbinary (e1, Cast.Bmod, e2) ->
	     Tbinop (term_of_expr e1, Bmod, term_of_expr e2)
	 | TEbinary (e1, (Cast.Bbw_and | Cast.Bbw_or | Cast.Bbw_xor |
			  Cast.Bshift_left | Cast.Bshift_right as op), e2) -> 
	     Tbinop (term_of_expr e1, binop op, term_of_expr e2)
	 | TEbinary (_e1, Blt, _e2) | TEbinary (_e1, Bgt, _e2) ->
	     assert false
	 | TEbinary (_e1, Ble, _e2) | TEbinary (_e1, Bge, _e2)->
	     assert false 
	 | TEbinary (_e1, Beq, _e2) | TEbinary (_e1, Bneq, _e2) ->
	     assert false
	 | TEbinary (_e1, Band, _e2) | TEbinary (_e1, Bor, _e2)->
	     assert false 
	 | TEbinary (e1, Blt_int, e2) ->
	     if (Ctyping.eval_const_expr e1 < Ctyping.eval_const_expr e2) 
	     then 
	       Tconstant (IntConstant "0")
	     else 
	       Tconstant (IntConstant "1")
	 | TEbinary (e1, Ble_int, e2)->
	     if (Ctyping.eval_const_expr e1 <= Ctyping.eval_const_expr e2) 
	     then 
	       Tconstant (IntConstant "0")
	     else 
	       Tconstant (IntConstant "1")
	 | TEbinary (e1, Bgt_int, e2) ->
	     if (Ctyping.eval_const_expr e1 < Ctyping.eval_const_expr e2) 
	     then 
	       Tconstant (IntConstant "0")
	     else 
	       Tconstant (IntConstant "1")
	 | TEbinary (e1, Bge_int, e2)->
	     if (Ctyping.eval_const_expr e1 >= Ctyping.eval_const_expr e2) 
	     then 
	       Tconstant (IntConstant "0")
	     else 
	       Tconstant (IntConstant "1")
	 | TEbinary (e1, Beq_int, e2)->
	    if (Ctyping.eval_const_expr e1 = Ctyping.eval_const_expr e2) 
	    then 
	      Tconstant (IntConstant "0")
	    else 
	      Tconstant (IntConstant "1")
	 | TEbinary (e1, Bneq_int, e2)->
	     if (Ctyping.eval_const_expr e1 = Ctyping.eval_const_expr e2) 
	     then 
	       Tconstant (IntConstant "1")
	     else 
	       Tconstant (IntConstant "0")
	 | TEbinary (_e1, Blt_float _, _e2) | TEbinary (_e1, Bgt_float _, _e2)->
	     assert false 
	 | TEbinary (_e1, Ble_float _, _e2) | TEbinary (_e1, Bge_float _, _e2)->
	     assert false 
	 | TEbinary (_e1, Beq_float _, _e2) | TEbinary (_e1, Bneq_float _, _e2) ->
	     assert false
	 | TEbinary (_e1, Blt_pointer, _e2) | TEbinary (_e1, Bgt_pointer, _e2) ->
	     assert false
	 | TEbinary (_e1, Ble_pointer, _e2) | TEbinary (_e1, Bge_pointer, _e2) ->
	     assert false
	 | TEbinary (_e1, Beq_pointer, _e2) | TEbinary (_e1, Bneq_pointer, _e2) ->
	     assert false
	 | TEcall (_e, _l) -> assert false
	 | TEcond (e1,e2,e3) -> 
	     Tif (term_of_expr e1, term_of_expr e2, term_of_expr e3)
	 | TEcast ({ctype_node = Tint _},
		   ({texpr_type = {ctype_node = Tfloat _}} as e) ) -> 
	     Tunop (Clogic.Uint_of_float,(term_of_expr e))
	 | TEcast ({ctype_node = Tfloat _},
		   ({texpr_type = {ctype_node = Tint _}} as e) ) -> 
	     Tunop (Clogic.Ufloat_of_int,(term_of_expr e))
	 | TEcast (ty,e) -> Tcast (ty, term_of_expr e)
	 | TEsizeof _ -> assert false
	 | TEmalloc _ -> assert false
     end;
    term_loc = e.texpr_loc;
    term_type = e.texpr_type;
  }
     

let in_struct v1 v = 
 	{ term_node = Tdot (v1, v); 
	  term_loc = v1.term_loc;
	  term_type = v.var_type }

let split_decl e ((invs,inits) as acc) = 
  match e.node with 
    | Tinvariant (_,p) -> (p :: invs, inits)
    | Tdecl (_t, _v, _c) ->  (invs, e :: inits)
	(* If a ghost is initialized, then its initialization is took account *)
    | Tghost (_vi, Some _init) -> (invs, e :: inits) 
    | _ -> acc

let split_decls d = List.fold_right split_decl d ([],[])

let dummy_pred p = { pred_node = p; pred_loc = Loc.dummy_position }

let rec combine_inv = function
  | [] -> dummy_pred Ptrue
  | a::[] -> a
  | a::l -> { a with pred_node = Pand (a, combine_inv l) }


let noattr loc ty e =
  { term_node = e;
    term_type = ty;
    term_loc  = loc
  }

let rec pop_initializer loc t i =
  match i with 
    | [] ->{ term_node = 
	       (match t.ctype_node with
		  | Tint _ | Tenum _-> Tconstant (IntConstant "0")
		  | Tfloat _ -> Tconstant (RealConstant "0.0")
		  | Tpointer _ -> let null = default_var_info "null" in       
		    Cenv.set_var_type (Var_info null) t false;
		    Clogic.Tvar (null)
		  | _ -> assert false);
	     term_type = t;
	     term_loc  = loc
	    },[]
    | (Iexpr e)::l -> 
	let term = term_of_expr e in
	let term =
	  { term with term_node = 
	      if t.ctype_node <> term.term_type.ctype_node then
		Tcast (t,term)
	      else
		term.term_node} in
	term,l
    | (Ilist [])::l -> pop_initializer loc t l
    | (Ilist l)::l' -> 
	let e,r = pop_initializer loc t l in e,r@l'


(* Added by copying pop_initializer in order to take account ghosts initialization.
   It seems that this function can be enhanced.
*)
let rec pop_term_initializer loc t i =
  match i with  
    | [] ->{ term_node = 
	       (match t.ctype_node with
		  | Tint _ | Tenum _-> Tconstant (IntConstant "0")
		  | Tfloat _ -> Tconstant (RealConstant "0.0")
		  | Tpointer _ -> let null = default_var_info "null" in       
		    Cenv.set_var_type (Var_info null) t false;
		    Clogic.Tvar (null)
		  | _ -> assert false);
	     term_type = t;
	     term_loc  = loc
	    },[]
    | (Iexpr e)::l -> 
	let term = e in
	let term =
	  { term with term_node = 
	      if t.ctype_node <> term.term_type.ctype_node then
		Tcast (t,term)
	      else
		term.term_node} in
	term,l
    | (Ilist [])::l -> pop_term_initializer loc t l
    | (Ilist l)::l' -> 
	let e,r = pop_term_initializer loc t l in e,r@l'




let make_and p1 p2 = match p1.pred_node, p2.pred_node with
  | Ptrue, _ -> p2
  | _, Ptrue -> p1
  | _ -> { p1 with pred_node = Pand (p1, p2) }

let prel (t1, r, t2) = dummy_pred (Prel (t1, r, t2))

let make_implies p1 p2 = match p2.pred_node with
  | Ptrue -> { p1 with pred_node = Ptrue }
  | _ -> { p1 with pred_node = Pimplies (p1, p2) }

let make_forall q p = match p.pred_node with
  | Ptrue -> { p with pred_node = Ptrue }
  | _ -> { p with pred_node = Pforall (q, p) }




let rec init_term loc t lvalue initializers =
  match t.ctype_node with
    | Tint _ | Tfloat _ | Tpointer _ | Tenum _ -> 
	let x,l = pop_term_initializer loc t initializers in
	({pred_node = Prel(lvalue,Eq,x);pred_loc = loc}, l)

    | Tstruct n ->
	begin match tag_type_definition n with
	  | TTStructUnion (Tstruct (_), fl) ->
	      List.fold_left 
		(fun (acc,init)  f -> 
		   let block, init' =
		     init_term loc f.var_type 
		       (in_struct lvalue f) init
		   in ({ acc with pred_node = Pand (acc, block)},init'))
		(dummy_pred Ptrue,initializers)  fl
	  | _ ->
	      assert false
	end

    | Tunion n ->
	begin match tag_type_definition n with
	  | TTStructUnion (Tunion (_), f::_) ->
	      let block, init' =
		init_term loc f.var_type 
		  (noattr loc f.var_type (Tarrow(lvalue, f)))
		  initializers
	      in (block,init')
	  | _ ->
	      assert false
	end
    | Tarray (_,ty,Some t) ->
	begin
	  match initializers with
	    | [] ->	
		let i = default_var_info "counter" in
		Cenv.set_var_type (Var_info i) c_int false;
		let vari = { term_node = Clogic.Tvar i; 
			     term_loc = Loc.dummy_position;
			     term_type = c_int;
			   } in
		let ts = Cltyping.int_constant (Int64.to_string t) in
		let ineq = make_and 
			     (prel (Cltyping.zero, Le, vari))
			     (prel (vari, Lt,ts)) in
		let (b,init') = 
		  match ty.ctype_node with 
		    | Tstruct _ |  Tunion _ ->
			init_term loc ty 
			  (noattr loc ty 
			     (Tbinop(lvalue,Badd,vari))) initializers
		    | _ ->
			init_term loc ty 
			  (noattr loc ty (Tarrget(lvalue,vari))) initializers
		  in
		((make_forall [c_int,i] (make_implies ineq b)), init')
	    | _ ->
		let rec init_cells i (block,init) =
		if i >= t then (block,init)
		else
		  let ts = Cltyping.int_constant (Int64.to_string i) in
		  let (b,init') = 
		    match ty.ctype_node with 
		      | Tstruct _ |  Tunion _ ->
			  init_term loc ty 
			    (noattr loc ty 
			       (Tbinop(lvalue,Badd,ts))) init
		      | _ ->
			  init_term loc ty 
			    (noattr loc ty (Tarrget(lvalue,ts))) init
		  in
		  init_cells (Int64.add i Int64.one) 
		    ({ block with pred_node = Pand (block,b)},init')
		in	
		init_cells Int64.zero (dummy_pred Ptrue,initializers)
	end
    | Tarray (_,_ty,None) -> assert false
    | Tfun (_, _) -> assert false
    | Tvar _ -> assert false
    | Tvoid -> dummy_pred Ptrue,initializers





let rec init_expr loc t lvalue initializers =
  match t.ctype_node with
    | Tint _ | Tfloat _ | Tpointer _ | Tenum _ -> 
	let x,l = pop_initializer loc t initializers in
	({pred_node = Prel(lvalue,Eq,x);pred_loc = loc}, l)
    | Tstruct n ->
	begin match tag_type_definition n with
	  | TTStructUnion (Tstruct (_), fl) ->
	      List.fold_left 
		(fun (acc,init)  f -> 
		   let block, init' =
		     init_expr loc f.var_type 
		       (in_struct lvalue f) init
		   in ({ acc with pred_node = Pand (acc, block)},init'))
		(dummy_pred Ptrue,initializers)  fl
	  | _ ->
	      assert false
	end
    | Tunion n ->
	begin match tag_type_definition n with
	  | TTStructUnion (Tunion (_), f::_) ->
	      let block, init' =
		init_expr loc f.var_type 
		  (noattr loc f.var_type (Tarrow(lvalue, f)))
		  initializers
	      in (block,init')
	  | _ ->
	      assert false
	end
    | Tarray (_,ty,Some t) ->
	begin
	  match initializers with
	    | [] ->	
		let i = default_var_info "counter" in
		Cenv.set_var_type (Var_info i) c_int false;
		let vari = { term_node = Clogic.Tvar i; 
			     term_loc = Loc.dummy_position;
			     term_type = c_int;
			   } in
		let ts = Cltyping.int_constant (Int64.to_string t) in
		let ineq = make_and 
			     (prel (Cltyping.zero, Le, vari))
			     (prel (vari, Lt,ts)) in
		let (b,init') = 
		  match ty.ctype_node with 
		    | Tstruct _ |  Tunion _ ->
			init_expr loc ty 
			  (noattr loc ty 
			     (Tbinop(lvalue,Badd,vari))) initializers
		    | _ ->
			init_expr loc ty 
			  (noattr loc ty (Tarrget(lvalue,vari))) initializers
		  in
		((make_forall [c_int,i] (make_implies ineq b)), init')
	    | _ ->
		let rec init_cells i (block,init) =
		if i >= t then (block,init)
		else
		  let ts = Cltyping.int_constant (Int64.to_string i) in
		  let (b,init') = 
		    match ty.ctype_node with 
		      | Tstruct _ |  Tunion _ ->
			  init_expr loc ty 
			    (noattr loc ty 
			       (Tbinop(lvalue,Badd,ts))) init
		      | _ ->
			  init_expr loc ty 
			    (noattr loc ty (Tarrget(lvalue,ts))) init
		  in
		  init_cells (Int64.add i Int64.one) 
		    ({ block with pred_node = Pand (block,b)},init')
		in	
		init_cells Int64.zero (dummy_pred Ptrue,initializers)
	end
    | Tarray (_,_ty,None) -> assert false
    | Tfun (_, _) -> assert false
    | Tvar _ -> assert false
    | Tvoid -> dummy_pred Ptrue,initializers


let rec assigns decl =
  match decl with
    | [] -> dummy_pred Ptrue
    | {node = Tdecl (t,v,None); loc = l}::decl ->
	Coptions.lprintf "initialization of %s@." v.var_name;
	let declar,_ = 
	  init_expr l t (noattr l t (Clogic.Tvar v)) [] in
	{declar with pred_node = Pand (declar, assigns decl)}

    | {node = Tdecl(t, v, Some c) ; loc = l }:: decl ->
	Coptions.lprintf "initialization of %s@." v.var_name;
	let declar,_ = init_expr l t (noattr l t (Clogic.Tvar v)) [c] in
	{declar with pred_node = Pand (declar, assigns decl) }

    | {node = Tghost (v,None); loc = l}::decl -> (* Added in order to take account ghosts initialization *)
	Coptions.lprintf "initialization of %s@." v.var_name;
	let t = v.var_type in
	let declar,_ = 
	  init_term l t (noattr l t (Clogic.Tvar v)) [] in
	  {declar with pred_node = Pand (declar, assigns decl)}

    | {node = Tghost(v, Some c) ; loc = l }:: decl -> (* Added in order to take account ghosts initialization *)
	let t = v.var_type in
	  Coptions.lprintf "initialization of %s@." v.var_name;
	  let declar,_ = init_term l t (noattr l t (Clogic.Tvar v)) [c] in
	    {declar with pred_node = Pand (declar, assigns decl) }

     | _  -> assert false


let invariants_initially_established_info =
  default_fun_info "invariants_initially_established"

let rec reorder l =
  match l with 
    | { node = Tdecl _ }as e ::l  -> let decl,other = reorder l in
      e::decl,other
    | { node = Tghost _ }as e ::l  -> let decl,other = reorder l in
      e::decl,other
    | e::l -> let decl,other = reorder l in
      decl,e::other
    | [] -> [],[]

let user_invariants = ref false

let add_init l = 
  let (inv,decl) = split_decls l in
  if inv = [] then user_invariants := false
  else user_invariants := true;
  let inv = combine_inv inv in
  let init_fun =
    Tfundef ({requires = Some (assigns decl);
	      assigns = None;
	      ensures = Some inv; 
	      decreases = None},
	     c_void,
	     invariants_initially_established_info,
	     {st_node = TSnop;
	      st_break = false;    
	      st_continue = false; 
	      st_return = false;   
		st_term = true;     
		st_loc = Loc.dummy_position 
	     })
  in
  let decl,other = 
    reorder ({ node = init_fun; loc = Loc.dummy_position } :: l) in
  decl@other
why-2.34/c/cenv.ml0000644000175000017500000004434012311670312012331 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Format
open Coptions
open Ctypes
open Cutil
open Creport
open Info

(* Type equality (i.e. structural equality, but ignoring attributes) *)

let rec eq_type ty1 ty2 = 
  eq_type_node ty1.ctype_node ty2.ctype_node

and eq_type_node tn1 tn2 = match tn1, tn2 with
  | Tvoid, Tvoid
  | Tint _, Tint _ 
  | Tfloat _, Tfloat _ 
  | Tint _, Tenum _ 
  | Tenum _, Tint _ ->
      true
  | Tvar x1, Tvar x2 ->
      x1 = x2
  | Tarray (_,ty1,_), Tarray (_,ty2,_) ->
      eq_type ty1 ty2 
  | Tpointer (_,ty1), Tpointer (_,ty2) ->
      eq_type ty1 ty2
  | Tarray (_,ty1,_), Tpointer (_,ty2) | Tpointer (_,ty1), Tarray (_,ty2,_) ->
      eq_type ty1 ty2
  | Tstruct s1, Tstruct s2 ->
      s1 = s2
  | Tunion u1, Tunion u2 ->
      u1 = u2
  | Tenum e1, Tenum e2 ->
      e1 = e2
  | Tpointer(_,{ctype_node = Tfun _ as tn1}), (Tfun _ as tn2)
  | (Tfun _ as tn1), Tpointer(_, {ctype_node = Tfun _ as tn2}) ->
      eq_type_node tn1 tn2
  | Tfun ([], ty1), Tfun (_, ty2) | Tfun (_, ty1), Tfun ([], ty2) ->
      eq_type ty1 ty2
  | Tfun (pl1, ty1), Tfun (pl2, ty2) ->
      eq_type ty1 ty2 &&
      (try List.for_all2 eq_type pl1 pl2 with Invalid_argument _ -> false)
  | _ ->
      false

(* [sub_type ty1 ty2] is true if type [ty1] can be coerced to type [ty2] *)

let sub_type ty1 ty2 = match ty1.ctype_node, ty2.ctype_node with
  | Tint _, Tfloat _ -> true
  | Tpointer(_,{ ctype_node = Tvoid }), Tpointer _ -> true
  | _ -> eq_type ty1 ty2

let compatible_type ty1 ty2 = sub_type ty1 ty2 || sub_type ty2 ty1

let arith_type ty = match ty.ctype_node with
  | Tint _ | Tenum _ | Tfloat _ -> true
  | _ -> false

let array_type ty = match ty.ctype_node with
  | Tarray _ -> true
  | _ -> false

let pointer_type ty = match ty.ctype_node with
  | Tpointer _ -> true
  | _ -> false

let pointer_or_array_type ty = match ty.ctype_node with
  | Tpointer _ | Tarray _ -> true
  | _ -> false

(*s Global environment *)

(* tagged types *)

type tag_kind = Struct | Union | Enum

let tag_kind = function
  | Tstruct _ -> Struct
  | Tunion _ -> Union
  | Tenum _ -> Enum
  | _ -> assert false

type tag_type_definition = 
  | TTIncomplete
  | TTStructUnion of ctype_node * (var_info list)
  | TTEnum of ctype_node * (var_info * int64) list

type tag_type = { 
  tag_kind : tag_kind;
  tag_name : string; (* original source name *)
  tag_uname: string; (* unique name used for further reference *)
  mutable tag_type : tag_type_definition;
}

(* map from unique names to tagged types *)
let (tags_t : (string, tag_type) Hashtbl.t) = Hashtbl.create 97

let tag_type_definition n = 
  let tt = Hashtbl.find tags_t n in tt.tag_type

let create_tag_type k n ty =
  let rec fresh i = 
    let un = n ^ "_" ^ string_of_int i in
    if Hashtbl.mem tags_t un then fresh (succ i) else un
  in
  let un = if Hashtbl.mem tags_t n then fresh 0 else n in
  let tt = 
    { tag_kind = k; tag_name = n; 
      tag_uname = un; tag_type = ty } 
  in
  Hashtbl.add tags_t un tt;
  tt

let clash_tag l s1 s2 = 
  let redef t n = error l "redeclaration of `%s %s'" t n in
  match s1, s2 with
  | Tstruct (n), Tstruct _ -> redef "struct" n
  | Tunion (n), Tunion _ -> redef "union" n
  | Tenum (n), Tenum _ -> redef "enum" n
  | (Tstruct (n) | Tunion (n) | Tenum (n)), 
    (Tstruct _ | Tunion _ | Tenum _) -> 
      error l "`%s' defined as wrong kind of tag" n
  | _ -> assert false

let iter_all_struct f =
  Hashtbl.iter 
    (fun s tt -> match tt.tag_type with
       | TTStructUnion (tn, l) -> f s (tn, l)
       | _ -> ()) 
    tags_t

let fold_all_struct f x =
  Hashtbl.fold 
    (fun s tt acc ->
      match tt.tag_type with
       | TTStructUnion (tn, l) -> f s (tn, l) acc
       | _ -> acc) 
    tags_t x

let fold_all_struct_pairs f x =
  let ls = fold_all_struct (fun s tt acc -> (s,tt) :: acc) [] in
  let rec fold acc = function
    | [] -> acc
    | ((s1, tt1) :: r) as l -> 
	fold (List.fold_left (fun acc (s2,tt2) -> f s1 tt1 s2 tt2 acc) acc l) r
  in
  fold x ls

let fold_all_enum f x =
  Hashtbl.fold
    (fun s tt acc ->
       match tt.tag_type with
	 | TTEnum (tn, l) -> f s (tn, l) acc
	 | _ -> acc)
    tags_t x

(* typedefs *)

let typedef_t = (Hashtbl.create 97 : (string, 'a) Hashtbl.t)

let is_typedef = Hashtbl.mem typedef_t

let find_typedef = Hashtbl.find typedef_t

let add_typedef l x ty = 
  if is_typedef x then begin
    if ty = find_typedef x then error l "redefinition of `%s'" x
    else error l "conflicting types for `%s'" x
  end else
    Hashtbl.add typedef_t x ty

(* used names (in order to rename heap variables when necessary) *)
let used_names = Hashtbl.create 97
let mark_as_used x = Hashtbl.add used_names x ()
let () = 
  List.iter mark_as_used 
    [ (* Why keywords *)
      "absurd"; "and"; "array"; "as"; "assert"; "axiom"; "begin";
      "bool"; "do"; "done"; "else"; "end"; "exception"; "exists";
      "external"; "false"; "for"; "forall"; "fun"; "function"; "goal";
      "if"; "in"; "int"; "invariant"; "label"; "let"; "logic"; "not";
      "of"; "or"; "parameter"; "predicate"; "prop"; "raise"; "raises";
      "reads"; "real"; "rec"; "ref"; "returns"; "then"; "true"; "try";
      "type"; "unit"; "variant"; "void"; "while"; "with"; "writes" ;
      (* caduceus names *)
      "global" ; "alloc"  
    ]

let is_used_name n = Hashtbl.mem used_names n

let use_name ?local_names n = 
  if is_used_name n then raise Exit; 
  begin match local_names with 
    | Some h -> if Lib.Sset.mem n h then raise Exit 
    | None -> () 
  end;
  n

let rec next_name ?local_names n i = 
  let n_i = n ^ "_" ^ string_of_int i in
  try use_name ?local_names n_i with Exit -> next_name ?local_names n (succ i)

let unique_name ?local_names n = 
  try use_name ?local_names n with Exit -> next_name ?local_names n 0

let get_fresh_name n = unique_name n

(*s Environments for the logical side *)

let types = Hashtbl.create 17
let add_type x = Hashtbl.add types x ()
let mem_type = Hashtbl.mem types
let find_type = Hashtbl.find types
let iter_types f = Hashtbl.iter (fun s _ -> f s) types

(* type why *)

let count = ref 0

let zone_table = Hashtbl.create 97

let global_zone =
  {
    zone_is_var = false;
    number = 0;
    repr = None;
    name =  "global";
  }

let () =
  if not Coptions.zones 
  then Hashtbl.add zone_table global_zone.name global_zone

let make_zone ?name is_var =
  if Coptions.zones then 
    begin
      let n =
	match name with
	  | Some s -> sprintf "%s_%i" s !count
	  | None -> sprintf "Z%i" !count
      in
      let z = { zone_is_var = is_var;
		number = !count;
		repr = None;
		name = n;
	      } in
      Hashtbl.add zone_table z.name z;
      count := !count +1;
      z
    end
  else
    global_zone

let int_type_for_size signed size =
  (if signed = Signed then "" else "u") ^ "int" ^ string_of_int size 

module SI = 
  Set.Make(struct type t = Ctypes.sign * int
		  let compare = Pervasives.compare end)
let int_sizes = ref SI.empty
let int_types = ref StringSet.empty
let declare_int_size ((s,i) as is) = 
  int_types := StringSet.add (int_type_for_size s i) !int_types;
  int_sizes := SI.add is !int_sizes
let all_int_sizes () = SI.elements !int_sizes
let is_int_type s = StringSet.mem s !int_types

let real_types =
  StringSet.add "single" 
    (StringSet.add "quad" 
       (StringSet.singleton "double"))

let is_real_type s = StringSet.mem s real_types

let int_size = function
  | Char -> char_size
  | Short -> short_size
  | Ctypes.Int -> int_size
  | Long -> long_size
  | LongLong -> long_long_size
  | Bitfield n -> Int64.to_int n
  | ExactInt -> assert false

let int_type_for (signed, ty) = 
  let n = int_size ty in
  declare_int_size (signed, n);
  int_type_for_size signed n

let enum_type_for s = 
  let n = "enum_" ^ s in
  int_types := StringSet.add n !int_types;
  n

let rec type_type_why ?name ty zone_is_var =
  match ty.ctype_node with
    | Tint (_,ExactInt) -> Int
    | Tint _ when not Coptions.machine_ints -> Int
    | Tenum _ when not Coptions.enum_check -> Int
    | Tint ik -> Why_Logic (int_type_for ik)
    | Tenum e -> Why_Logic (enum_type_for e)
    | Tfloat _ when not Coptions.floats -> Real
    | Tfloat Float -> Why_Logic "single"
    | Tfloat Double -> Why_Logic "double"
    | Tfloat LongDouble -> Why_Logic "quad"
    | Tfloat Ctypes.Real -> Real
    | Tarray (_,ty,_)  
    | Tpointer (_,ty) -> 
	begin match ty.ctype_node with 
	  | Tstruct _s -> 
	      let z = make_zone ?name zone_is_var in
	      Pointer z
	  | _ ->
	      let z = make_zone ?name zone_is_var in
	      Pointer z
	end
    | Tvoid -> Unit 
    | Tfun (_,ty) -> type_type_why ?name ty zone_is_var
    | Tvar v -> 
	begin
	  try
	    type_type_why ?name (find_typedef v) zone_is_var
	  with Not_found -> 
	    if mem_type v
	    then
	      Why_Logic v
	    else
	      (Format.eprintf "Undefined type %s@." v; assert false)
	end
    | Tunion _s -> 
	let z = make_zone ?name zone_is_var in
	Pointer z
    | Tstruct _s -> 
	let z = make_zone ?name zone_is_var in
	Pointer z


let set_var_type info ty zone_is_var =
  Info.set_var_type info ty 
    (type_type_why ~name:(env_name info) ty zone_is_var)

(* global variables and functions *)

let (sym_t : (string, env_info) Hashtbl.t) = Hashtbl.create 97

let is_sym = Hashtbl.mem sym_t

let find_sym = Hashtbl.find sym_t

let iter_sym f =  Hashtbl.iter f sym_t

let add_sym l x ty info = 
  let n = unique_name x in
  mark_as_used n; 
  set_unique_name info n;
  if n <> x then Coptions.lprintf "renaming %s into %s@." x n;
  try
    let d = find_sym x in
    let varty = var_type d in
    if not (eq_type varty ty) then 
      (* TODO accepter fonctions avec arguments si aucun la première fois 
	 Question de Claude: accepter aussi un raffinement des specs ? *)
      begin
	eprintf "t : %a, ty : %a@." print_type  varty print_type  ty;
	error l "conflicting types for %s" x
      end;
    d
  with Not_found ->
    set_var_type info ty false;
    Hashtbl.add sym_t x info;
    info

let c_functions = 
  (Hashtbl.create 97 : 
     (string, Cast.nspec * ctype * Info.fun_info * Cast.nstatement option * 
	Loc.position) Hashtbl.t)
let add_c_fun f = Hashtbl.remove c_functions f; Hashtbl.add c_functions f
let find_c_fun = Hashtbl.find c_functions

let logic_functions = 
  (Hashtbl.create 97 : 
     (string, ctype list * ctype * Info.logic_info) Hashtbl.t)
let add_logic = Hashtbl.add logic_functions
let find_logic = Hashtbl.find logic_functions

let predicates = 
  (Hashtbl.create 97 : (string, ctype list * Info.logic_info) Hashtbl.t) 
let add_pred = Hashtbl.add predicates
let mem_pred =  Hashtbl.mem predicates
let find_pred =  Hashtbl.find predicates 

let ghost = 
  (Hashtbl.create 97 : (string, Info.var_info) Hashtbl.t) 
let is_ghost = Hashtbl.mem ghost 
let find_ghost = Hashtbl.find ghost

let add_ghost l x ty info = 
  let n = unique_name x in
  mark_as_used n; 
  set_unique_name (Var_info info) n;
  if n <> x then Coptions.lprintf "renaming ghost variable %s into %s@." x n;
  if is_ghost x then begin
    error l "ghost variable `%s' already declared" x;
  end
  else begin
    set_var_type (Var_info info) ty false;
    Hashtbl.add ghost x info;
    info
  end


(*s Environments for local variables and local structs/unions/enums *)

module Env = struct

  module M = Map.Make(String)

  (* [tags] is the stack of blocks; 
     each block maps a tag name to a tag type *)
  type t = { 
    vars : env_info M.t; 
    used_names : Lib.Sset.t;
    tags : (string, tag_type) Hashtbl.t list;
  }

  (* note: the first hash table in [tags] is shared *)
  let shared_hash_table = Hashtbl.create 17

  let empty () = 
    { vars = M.empty; 
      used_names = Lib.Sset.empty; 
      tags = [shared_hash_table] }

  let new_block env = { env with tags = Hashtbl.create 17 :: env.tags }

  (* symbols *)
  let add x t info env = 
    let n = unique_name ~local_names:env.used_names x in
    set_unique_name info n;
    Coptions.lprintf "local %s renamed into %s\n" x n;
    set_var_type info t true;
    Coptions.lprintf "local %s has why type %a\n" x 
      Output.fprintf_logic_type (Info.output_why_type (get_why_type info));
    { env with used_names = Lib.Sset.add n env.used_names;
	vars = M.add x info env.vars }

  let find x env = M.find x env.vars

  let mem x env = M.mem x env.vars

  (* tagged type *)
  let find_tag n env =
    let rec find = function
      | [] -> raise Not_found
      | h :: hl -> try Hashtbl.find h n with Not_found -> find hl
    in
    find env.tags

  let find_tag_type _loc env tyn = 
    let tt = match tyn with
      | Tstruct (n) | Tunion (n) | Tenum (n) ->
          (try
	     find_tag n env
	   with Not_found -> 
	     let tt = create_tag_type (tag_kind tyn) n TTIncomplete in
	     Hashtbl.add (List.hd env.tags) n tt;
	     tt)
      | _ ->
	  assert false
    in
    match tt.tag_kind with
      | Struct -> Tstruct (tt.tag_uname)
      | Union -> Tunion (tt.tag_uname)
      | Enum -> Tenum (tt.tag_uname)

  let set_struct_union_type loc env tyn fields = 
    let tt = match tyn with
      | Tstruct (n) | Tunion (n) ->
	   (try
              let tt = Hashtbl.find (List.hd env.tags) n in
	      begin match tt.tag_type with
		| TTIncomplete ->
                    (* tag already seen in this block but not yet defined *)
                    tt.tag_type <- TTStructUnion (tyn,fields)
		| TTStructUnion (tyn',_) | TTEnum (tyn',_) ->  
		    (* tag [n] already defined in current block *)
		    clash_tag loc tyn tyn'
	      end;
	      tt
	    with Not_found ->
	      let tt = 
		create_tag_type (tag_kind tyn) n (TTStructUnion (tyn,fields)) 
	      in
	      Hashtbl.add (List.hd env.tags) n tt;
	      tt)
      | _ ->
	  assert false
    in
    match tt.tag_kind with
      | Struct -> Tstruct (tt.tag_uname)
      | Union -> Tunion (tt.tag_uname)
      | Enum -> assert false

  let set_enum_type loc env tyn fields = 
    let tt = match tyn with
      | Tenum (n) ->
	   (try
              let tt = Hashtbl.find (List.hd env.tags) n in
	      begin match tt.tag_type with
		| TTIncomplete ->
                    (* tag already seen in this block but not yet defined *)
                    tt.tag_type <- TTEnum (tyn,fields)
		| TTStructUnion (tyn',_) | TTEnum (tyn', _) ->
		    (* tag [n] already defined in current block *)
		    clash_tag loc tyn tyn'
	      end;
	      tt
	    with Not_found ->
	      let tt = 
		create_tag_type (tag_kind tyn) n (TTEnum (tyn,fields)) 
	      in
	      Hashtbl.add (List.hd env.tags) n tt;
	      tt)
      | _ ->
	  assert false
    in
    match tt.tag_kind with
      | Enum -> Tenum (tt.tag_uname)
      | Struct | Union -> assert false

end

(* Field access *)

let fields_t = Hashtbl.create 97

let find_field ~tag:n ~field:x = 
  try 
    Hashtbl.find fields_t (n,x)
  with Not_found -> 
    let u = 
      try use_name x with Exit -> 
	let n_x = n ^ "_" ^ x in 
	try use_name n_x with Exit -> 
	  next_name n_x 0
    in
    let f = default_var_info x in
    set_unique_name (Var_info f) u;
    mark_as_used u; 
    Hashtbl.add fields_t (n,x) f; f

let declare_fields tyn fl = match tyn with
  | Tstruct _n | Tunion _n ->
      List.iter 
	(fun (t,v) -> set_var_type (Var_info v) t false)
	fl
  | _ -> 
      assert false
  
let not_struct t = match t.ctype_node with
  | Tstruct _ -> false
  | _ -> true

let update_fields_type () =
  Hashtbl.iter
    (fun (_n,_) x ->
       if x.var_is_referenced && not_struct x.var_type then
	 begin
	   Coptions.lprintf "field %s is now a pointer@." x.var_name;
	   set_var_type (Var_info x) 
	     (noattr (Tarray(Valid(Int64.zero,Int64.one),x.var_type,Some Int64.one))) false
	 end)
    fields_t

let type_of_field loc x ty = 
  let rec lookup su n = function
    | [] -> error loc "`%s' has no member named `%s'" su x
    | y :: _ when x = y.var_name -> find_field n x
    | _ :: fl -> lookup su n fl
  in
  match ty.ctype_node with
    | Tstruct (n) | Tunion (n) -> 
        assert (Hashtbl.mem tags_t n);
	let tt = Hashtbl.find tags_t n in
	begin match tt.tag_type with
	  | TTIncomplete -> error loc ("use of incomplete type")
	  | TTStructUnion (Tstruct _, fl) -> lookup "structure" n fl
	  | TTStructUnion (Tunion _, fl) -> lookup "union" n fl
	  | TTStructUnion _ | TTEnum _ ->
	      error loc 
		"request for member `%s' in something not a structure or union" x
	end
    | _ -> error loc 
	"request for member `%s' in something not a structure or union" x

why-2.34/c/info.mli0000644000175000017500000001265412311670312012505 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



type why_type = 
  | Memory of why_type * zone
  | Pointer of zone
  | Addr of zone
  | Int
  | Real
  | Unit 
  | Why_Logic of string 

and zone = 
    {
      zone_is_var : bool;
      number : int;
      mutable repr : zone option;
      name : string;
(*      mutable type_why_zone : why_type*)
    }

val same_zone : zone -> zone -> bool

val same_why_type : why_type -> why_type -> bool

val same_why_type_no_zone : why_type -> why_type -> bool


val repr : zone -> zone

val found_repr : ?quote_var:bool -> zone -> string


val output_why_type : ?quote_var:bool -> why_type -> Output.logic_type

val output_zone_name : ?quote_var:bool -> zone -> Output.logic_type

type var_info = private
    {
      var_name : string;
      var_uniq_tag : int;
      mutable var_unique_name : string;
      mutable var_is_assigned : bool;
      mutable var_is_referenced : bool;
      mutable var_is_static : bool;
      mutable var_is_a_formal_param : bool;
      mutable enum_constant_value : int64;
      mutable var_type : Ctypes.ctype;
      mutable var_why_type : why_type;
    }

val default_var_info : string -> var_info

val set_assigned : var_info -> unit

val unset_assigned : var_info -> unit

val set_is_referenced : var_info -> unit

val without_dereference : var_info -> ('a -> 'b) -> 'a -> 'b

val set_static : var_info -> unit

val set_formal_param : var_info -> unit

val unset_formal_param : var_info -> unit

val set_const_value : var_info -> int64 -> unit

module HeapVarSet : Set.S with type elt = var_info

module HeapVarMap : Map.S with type key = var_info

module ZoneSet : Set.S with type elt = zone * string * why_type

val print_hvs : Format.formatter -> HeapVarSet.t -> unit

type label =
  | Label_current
  | Label_name of string

module LabelSet : Set.S with type elt = label

type logic_info =
    {
      logic_name : string;
      mutable logic_heap_zone : ZoneSet.t;
      mutable logic_heap_args : HeapVarSet.t;
(* see the .ml
      mutable logic_heap_args : LabelSet.t HeapVarMap.t;
*)
      mutable logic_args : var_info list;
      mutable logic_why_type : why_type;
      mutable logic_args_zones : zone list;
    }

val default_logic_info : string -> logic_info

type fun_info =
    {
      fun_tag : int;
      fun_name : string;
      mutable fun_unique_name : string;
      mutable function_reads : ZoneSet.t;
      mutable function_writes : ZoneSet.t;
      mutable function_reads_var : HeapVarSet.t;
      mutable function_writes_var : HeapVarSet.t;
      mutable has_assigns : bool;
      mutable fun_type : Ctypes.ctype;
      mutable args : var_info list;
      mutable args_zones : zone list;
      mutable graph : fun_info list;
      mutable type_why_fun : why_type;
      mutable has_body : bool;
    }

val default_fun_info : string -> fun_info

type env_info =
  | Var_info of var_info
  | Fun_info of fun_info

val env_name : env_info -> string

val set_unique_name : env_info -> string -> unit

val var_type : env_info -> Ctypes.ctype

val get_why_type : env_info -> why_type

val set_var_type : env_info -> Ctypes.ctype -> why_type -> unit

val set_var_type_why : env_info -> why_type -> unit



type label_info =
    { label_info_name : string;
      mutable times_used : int;
    }
why-2.34/c/cpp.mll0000644000175000017500000001321712311670312012333 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*i $Id: cpp.mll,v 1.22 2008-11-05 14:03:13 filliatr Exp $ i*)

(* C-preprocessor for Caduceus *)

{

  open Coptions
  open Printf
  open Lexing 

  let channel_out = ref stdout
  let print s = output_string !channel_out s

  let start_of_comment_string = "start_of_comment_string_multiple_lines"
  let start_of_comment_string_one_line = "start_of_comment_string_one_line"
  let end_of_comment_string = "end_of_comment_string"

}

let start_of_comment_string = "start_of_comment_string_multiple_lines"
let start_of_comment_string_one_line = "start_of_comment_string_one_line"
let end_of_comment_string = "end_of_comment_string"

rule before = parse
  | "/*@" { print start_of_comment_string; before lexbuf }
(*  | "*/" { print end_of_comment_string; before lexbuf } *)
  | "//@" { print start_of_comment_string_one_line; before lexbuf }
  | "# 1 \"<" [^'\n''>']* ">\"\n#define" [^'\n']* '\n' { before lexbuf } 
  | "#define __" [^'\n']* '\n' { before lexbuf } 

  | _    { print (lexeme lexbuf); before lexbuf }
  | eof  { () }

and after = parse
  | start_of_comment_string_one_line { print "//@"; after lexbuf }
  | start_of_comment_string { print "/*@"; after lexbuf }
  | end_of_comment_string   { print "*/"; after lexbuf }
  | _    { print (lexeme lexbuf); after lexbuf }
  | eof  { () }

{

  let rec local_temp_file basename suffix =
    let i = Random.int 536870912 in
    let f = basename ^ string_of_int i ^ suffix in
    if Sys.file_exists f then local_temp_file basename suffix else f

  (* [translate_using filter f] translates file [f] using lexer rule [filter]
     and returns the translated file *)
  let translate_using filter f =
    let cin = open_in f in
    let lb = from_channel cin in
    let pf = local_temp_file (Filename.basename f) ".c" in
    let cout = open_out pf in
    fprintf cout "# 1 \"%s\"\n" f;
    channel_out := cout;
    filter lb;
    close_in cin;
    close_out cout;
    pf

  let before_cpp = translate_using before
  let after_cpp = translate_using after

  (* [external_cpp f] runs an external C preprocessor on file [f];
     returns the preprocessed file. *)
  let external_cpp f = 
    let ppf = local_temp_file (Filename.basename f) ".i" in
    let cmd = sprintf "%s %s > %s" cpp_command f ppf in
    ignore (Sys.command cmd);
    ppf

  (* [first_cpp f] runs an external C preprocessor on file [f] and preserves the definitions in trace;
     returns the preprocessed file. *)
  let first_cpp f = 
    let ppf = local_temp_file (Filename.basename f) ".c" in
    ignore (Sys.command (sprintf "%s -dD %s > %s" cpp_command f ppf));
 (*   ignore (Sys.command (sprintf "LANG=en ; %s -dD %s > %s" cpp_command f ppf)); *)
    ppf
 




  (* [translate f] preprocesses file [f]; returns the preprocessed file and a 
     finalizer to be called when the preprocessed file has been used. *)
  let translate f =
    if with_cpp then begin
      let inlinedf = first_cpp f in
      let pf = before_cpp inlinedf in
      let ppf = external_cpp pf in
      Sys.remove inlinedf; 
      Sys.remove pf; 
      let pppf = after_cpp ppf in
      Sys.remove ppf; 
      (* if not debug then *) at_exit (fun () -> Sys.remove pppf);
      pppf
    end else begin
      f
    end

  let dump f =
    let cin = open_in f in
    try
      while true do printf "%s\n" (input_line cin) done
    with End_of_file -> 
      close_in cin

  let cpp f =
    let pf = translate f in
    if cpp_dump then begin dump pf; exit 0 end;
    pf

}

why-2.34/c/cnorm.ml0000644000175000017500000013656212311670312012524 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Creport
open Cconst
open Info
open Cenv
open Cltyping
open Ctypes
open Cast
open Clogic
open Int64


let int_nconstant n = 
  { nterm_node = NTconstant (IntConstant n); 
    nterm_loc = Loc.dummy_position;
    nterm_type = c_int;}

let nzero = int_nconstant "0"

(*
let eval_array_size e = 
  { nterm_node = NTconstant (IntConstant (Int64.to_string (eval_const_expr e))); 
    nterm_loc = e.nexpr_loc;
    nterm_type = c_int }
*)



let var_requires_indirection v =
  v.var_is_referenced && 
  (match v.var_type.Ctypes.ctype_node with
     | Tstruct _ | Tunion _ -> false
     | Tarray (_,ty,_) -> (match ty.Ctypes.ctype_node with 
			     | Tstruct _ | Tunion _ -> false
			     | _ -> true)
     | _ -> true)

let var_is_referenced_or_struct_or_union v =
  v.var_is_referenced || 
  (match v.var_type.Ctypes.ctype_node with
     | Tstruct _ | Tunion _ -> true
     | _ -> false)

open Cast


let noattr2 loc ty e =
  { nexpr_node = e;
    nexpr_type = ty;
    nexpr_loc  = loc
  }

let arrow_vars = Hashtbl.create 97
  
let declare_arrow_var info =
  try  
    let info' = Hashtbl.find arrow_vars info.var_name in
    if not (same_why_type_no_zone info.var_why_type info'.var_why_type) then
      begin
	let t1 = output_why_type info.var_why_type
	and t2 = output_why_type info'.var_why_type
	in
	Format.eprintf "anomaly: unify why types `%a' and `%a'@."
	  Output.fprintf_logic_type t1 Output.fprintf_logic_type t2;
      assert false
      end;
    info'
  with Not_found ->
    Hashtbl.add arrow_vars info.var_name info;
    info

let make_field ty =
  let rec name ty =
    match ty.Ctypes.ctype_node with 
      | Tvoid -> "void"
      | Tint si when Coptions.machine_ints -> int_type_for si
      | Tenum e when Coptions.enum_check -> enum_type_for e
      | Tint  _ | Tenum _ -> "int"
      | Tfloat _ -> "float"
      | Ctypes.Tvar s -> s
      | Tarray (_, ty ,_) | Tpointer (_,ty) -> (name ty) ^"P" 
      | Tstruct s | Tunion s -> s^"P" (* "P" for "pointer" *)
      | Tfun _ -> "fun"
  in
  let n = (name ty) ^ "M" in (* "M" for "memory" *)
  let info = default_var_info n in
  set_var_type (Info.Var_info info)  ty  false;
  info

let rec assoc_zone z assoc =
  match assoc with 
    | [] -> raise Not_found
    | (x,y)::l ->
	if (repr x) == z then y else assoc_zone z l

let rename_zone assoc ty =
  match ty with
    | Pointer z ->
	let z = repr z in
	begin
	  try
	    Pointer(assoc_zone z assoc)
	  with
	      Not_found -> ty
	end
    | _ -> ty

(* table qui a tout couple zone champ associe le type why des elements pointers par p->champ ou p est un pointeur sur zone*)
let type_why_table = Hashtbl.create 97 

let why_type_for_float_kind fk =
  if Coptions.floats then match fk with
    | Float ->  Why_Logic "single"
    | Double ->  Why_Logic "double"
    | LongDouble ->  Why_Logic "quad"
    | Real -> Info.Real
  else
    Info.Real

let why_type_for_float t = match t.Ctypes.ctype_node with
  | Tfloat fk -> why_type_for_float_kind fk
  | _ -> assert false

let why_type_for_int_kind = function
  | _, ExactInt -> Info.Int
  | _ when not Coptions.machine_ints -> Info.Int
  | ik -> Why_Logic (Cenv.int_type_for ik)

let why_type_for_int t = match t.Ctypes.ctype_node with
  | Tint ik -> why_type_for_int_kind ik
  | Tenum _ -> Info.Int (*TODO*)
  | _ -> assert false

let why_type_op op =
  match op with
    | Bsub_pointer 
    | Blt_pointer | Bgt_pointer | Ble_pointer 
    | Bge_pointer | Beq_pointer | Bneq_pointer
	-> Info.Int
    | Bneq_float _ | Beq_float _ | Bge_float _
    | Ble_float _ | Bgt_float _ | Blt_float _ 
	-> Info.Int
    | Bdiv_float _ | Bmul_float _ | Bsub_float _ | Badd_float _
	-> Info.Real
    | Bmod_int _|Bdiv_int _| Bmul_int _|Bsub_int _|Badd_int _
	  -> Info.Int
    | Badd_pointer_int -> assert false
    | Bneq_int | Beq_int | Bge_int
    | Ble_int | Bgt_int | Blt_int
	  -> Info.Int
    | Bshift_right | Bshift_left 
	  -> Info.Int
    | Bor | Band | Bbw_or | Bbw_xor| Bbw_and
	  -> Info.Int
    | Bneq | Beq | Bge | Ble | Bgt | Blt 
	  -> Info.Int
    | Bmod | Bdiv | Bmul | Bsub | Badd
	  -> assert false


let rec type_why e =
  match e.nexpr_node with
    | NEvar e -> get_why_type e 
    | NEarrow (_,z,f) -> 
	begin
	  try
	    let z = repr z in
	    let t = Hashtbl.find type_why_table z  in
	    Hashtbl.find t f
	  with Not_found -> 
	    Format.eprintf "no  why type for %a@\n" Cprint.nexpr e;
	    assert false
	end
    | NEnop -> assert false (* 	Unit *)
    | NEconstant (IntConstant _)
    | NEunary (Uint_of_float, _)
    | NEunary (Uint_conversion, _) ->
	why_type_for_int e.nexpr_type
    | NEcast ({Ctypes.ctype_node = Tint ik}, _) -> 
	why_type_for_int_kind ik
    | NEconstant (RealConstant x) -> 
	let _,fk = Ctypes.float_constant_type ~in_logic:false x in 
	why_type_for_float_kind fk
    | NEstring_literal _s ->  Pointer (make_zone false)
    | NEseq (_e1,e2) -> 
	type_why e2 
    | NEassign (_l,e) -> 
	type_why e
    | NEassign_op (_l,_op,e) -> 
	type_why e
    | NEbinary (e, Badd_pointer_int, _) -> type_why e
    | NEbinary (_, op, _) -> why_type_op op
    | NEunary ((Ufloat_conversion | Ufloat_of_int), _) 
    | NEcast ({Ctypes.ctype_node = Tfloat _}, _) -> 
	why_type_for_float e.nexpr_type
(*
    | NEcast (ty,e') -> 
	unsupported e.nexpr_loc "separation analysis do no support casts"
*)
    | NEcast (ty,e) ->
	let tw = type_why e in
	begin match ty.Ctypes.ctype_node, tw with
	  | Tpointer _, Info.Pointer _ -> tw
	  | Tpointer _, _ -> Info.Pointer (make_zone true)
	  | _ -> tw
	end
    | NEunary (_,e) 
    | NEincr (_,e) 
    | NEcond (_,_,e) -> type_why e
    | NEcall {ncall_fun = e; ncall_zones_assoc = assoc } ->
	let tw = type_why e in
	rename_zone assoc tw 
    | NEmalloc _ -> 
	Info.Pointer (make_zone true)
	
let find_zone e = 
  match type_why e with
    | Pointer z -> repr z
    | _ -> assert false

let rec type_why_for_term t = 
  match t.nterm_node with
    | NTconstant (IntConstant _) -> Info.Int     
    | NTstring_literal _s -> Pointer (make_zone true)
    | NTconstant (RealConstant _)
    | NTunop ((Clogic.Usqrt_real | Clogic.Uabs_real 
	      |Clogic.Uround_error | Clogic.Utotal_error
	      |Clogic.Uexact | Clogic.Umodel), _) -> Info.Real
    | NTvar v -> v.var_why_type
    | NTapp {napp_pred = f; napp_zones_assoc = assoc } -> 
	rename_zone assoc f.logic_why_type
    | NTunop (Clogic.Uminus,t) | NTunop (Clogic.Utilde,t) 
    | NTunop (Clogic.Uplus,t) | NTunop (Clogic.Unot,t) -> 
	type_why_for_term t
    | NTunop (Clogic.Ustar,_) | NTunop (Clogic.Uamp,_) -> assert false
    | NTunop ((Clogic.Ufloat_of_int | Clogic.Ufloat_conversion),_) -> 
	why_type_for_float t.nterm_type
    | NTunop ((Clogic.Uint_of_float | Clogic.Uint_conversion),_) -> 
	why_type_for_int t.nterm_type
    | NTbinop (t1,Clogic.Bsub,t2) -> 
	begin
	  match type_why_for_term t1, type_why_for_term t2 with
	    | Pointer _, Pointer _ -> Info.Int
	    | Pointer _, _ -> assert false
	    | _, Pointer _ -> assert false
	    | ty,_ -> ty
	end
    | NTbinop (t1,_,_) -> type_why_for_term t1
    | NTarrow (_,z,f) ->
	begin
	  let z = repr z in
	  try
	    let t = Hashtbl.find type_why_table z  in
	    Hashtbl.find t f
	  with Not_found -> assert false
	end
    | NTif (_,_,t) -> type_why_for_term t
    | NTold t -> type_why_for_term t
    | NTat (t,_) -> type_why_for_term t
    | NTbase_addr t ->
	begin match type_why_for_term t with
	  | Pointer z -> Addr z
	  | _ -> assert false
	end  
    | NToffset _t -> Info.Int
    | NTblock_length _t -> Info.Int
    | NTarrlen _ -> Info.Int
    | NTstrlen _ -> Info.Int
    | NTmin _ | NTmax _ | NTminint _ | NTmaxint _ -> Info.Int
    | NTcast (ty,t) -> 
(*
	Format.eprintf "why type for term: cast@.";
*)
 	let tw = type_why_for_term t in
	let tw =
	  begin match ty.Ctypes.ctype_node, tw with
	    | Tpointer _, Info.Pointer _ -> tw
	    | Tpointer _, _ -> Info.Pointer (make_zone true)
	    | Tint _, _ -> Info.Int
	    | _ -> assert false
	  end
	in
(*
	Format.eprintf " type : %a@." Output.fprintf_logic_type (output_why_type tw);
*)
	tw
   | NTrange (_,_,_,z,f) ->
	begin
	  let z = repr z in
	  try
	    let t = Hashtbl.find type_why_table z  in
	    Hashtbl.find t f
	  with Not_found -> assert false
	end

	
let find_zone_for_term e = 
  match type_why_for_term e with
    | Pointer z -> repr z
    | ty -> 
	let wt = output_why_type ty in
	Format.eprintf "type of term %a : %a@." 
	  Cprint.nterm e Output.fprintf_logic_type wt; 
	assert false 

let type_why_new_zone zone field_info =
  let t =
    try
      Hashtbl.find type_why_table zone 
    with Not_found ->
      let t = Hashtbl.create 5 in
      Hashtbl.add type_why_table zone t; t
  in
  try
    let _ = Hashtbl.find t field_info in
    ()
  with Not_found ->
    let tw =  
      match field_info.var_why_type with 
	| Pointer z -> 
	    Pointer (make_zone ~name:z.name zone.zone_is_var)
	| tw -> tw
    in
(*    let l,n = output_why_type tw in
    Format.eprintf "adding in type_why_table :(%s,%s) -> %s@." 
      zone.name field_info.var_name n;*)
    Hashtbl.add t field_info tw 

	

let ne_arrow loc valid ty e z f =
  let () = type_why_new_zone z f in 
  NEarrow (    {nexpr_node = e;
		nexpr_type = noattr (Tpointer (valid,ty));
		nexpr_loc = loc},z,f)

let dot_translate t' var_info ty loc =
  let zone = find_zone t' in
  let () = type_why_new_zone zone var_info in 
  let t' = NEarrow (t', zone, var_info) in
  if var_requires_indirection var_info then
    let info = make_field ty in
    let info = declare_arrow_var info in
    let zone = find_zone (noattr2 loc ty t') in
    ne_arrow loc (Valid(Int64.zero,Int64.one)) ty t' zone info
  else t'	
	  
let rec expr t =
  let ty = t.texpr_type in
  { nexpr_node = expr_node t.texpr_loc ty t.texpr_node;
    nexpr_type = ty ;
    nexpr_loc = t.texpr_loc;
  }

and expr_node loc ty t =
    match t with
      | TEnop -> NEnop
      | TEconstant constant -> NEconstant constant
      | TEstring_literal string -> NEstring_literal string
      | TEvar env_info ->
	  (match env_info with
	    | Var_info v ->
		let t' = NEvar env_info in
		if var_requires_indirection v then(
		   let info = make_field ty in
		   let info = declare_arrow_var info in
		   let zone = 
		     match v.var_why_type with
		       | Pointer z -> z
		       | _ -> assert false 
		   in
		   ne_arrow loc (Valid(Int64.zero,Int64.one)) ty t' zone info)
		else t'
	    | Fun_info _  -> NEvar env_info)
      | TEdot (lvalue,var_info) ->
	  begin    
	    match lvalue.Cast.texpr_node with
	      | TEunary(Ustar, _e) -> 
		  dot_translate (expr lvalue) var_info ty loc
	      | TEarrget (e1, e2) -> 
		  let a = 
		    { lvalue with 
			texpr_node = TEbinary (e1, Badd_pointer_int, e2);
			texpr_type = e1.texpr_type }
	      in
	      dot_translate (expr a) var_info ty loc
	      | _ -> dot_translate (expr lvalue) var_info ty loc
	  end 
    | TEarrow (lvalue,var_info) ->
	  let expr = expr lvalue in
	  let zone = find_zone expr in
	  let () = type_why_new_zone zone var_info in
	  let t' = NEarrow (expr, zone, var_info) in
	  if var_requires_indirection var_info then
	    let info = make_field ty in
	    let info = declare_arrow_var info in
	    let zone = find_zone (noattr2 loc ty t') in
	    ne_arrow loc (Valid(Int64.zero,Int64.one)) ty t' zone info
	  else t'
      | TEarrget (lvalue,texpr) -> 
	  (* t[e] -> *(t+e) *)
	  let is_valid =
	    if lvalue.texpr_type.Ctypes.ctype_ghost 
	    then Valid(Int64.min_int,Int64.max_int)
	    else
	      begin
		match lvalue.texpr_type.Ctypes.ctype_node with
		  | Tarray(Valid(a,b),_,Some n) ->
		      assert (b = n);
		      begin
			try
			  let i = Ctyping.eval_const_expr_noerror texpr in
			  Valid(Int64.sub a i,Int64.sub b i)
			with Invalid_argument _ -> Not_valid
		      end
		  | _ -> Not_valid
	      end
	  in
	  let info = make_field ty in
	  let info = declare_arrow_var info in
	  let nexpr = expr lvalue in
	  let zone = find_zone nexpr in
	  let ty = { ty with Ctypes.ctype_node = Tpointer (is_valid,ty); 
		       ctype_ghost = lvalue.texpr_type.ctype_ghost } in
	  let () = type_why_new_zone zone info in
	  NEarrow ( 
	    {
	      nexpr_node = NEbinary(nexpr, Badd_pointer_int, expr texpr);
	      nexpr_type = ty ;
	      nexpr_loc = loc;
	    },
	    zone, info)
      | TEseq (texpr1,texpr2) -> NEseq ((expr texpr1) , (expr texpr2))
      | TEassign (lvalue ,texpr) -> NEassign ((expr lvalue) , (expr texpr))
      | TEassign_op (lvalue ,binary_operator, texpr) ->
	  NEassign_op ((expr lvalue),binary_operator , (expr texpr))
      | TEunary (Ustar ,texpr) -> 
	  begin
	    match texpr.texpr_type.Ctypes.ctype_node with
	      | Tvoid -> assert false
	      | Ctypes.Tvar _ -> assert false
	      | Tstruct _ 
	      | Tfun (_, _) 
	      | Tunion _ -> 
		  unsupported loc "normalization failed"
	      | Tenum _
	      | Tpointer (_, _)
	      | Tarray (_, _, _)
	      | Tfloat _|Tint _ ->
		  let info = make_field ty in
		  let info = declare_arrow_var info in
		  let expr = expr texpr in
		  let zone = find_zone expr in
		  let () = type_why_new_zone zone info in
		  NEarrow (expr, zone, info)
	  end
      | TEunary (Uamp ,texpr) ->
	  (match texpr.texpr_node with
	     | TEvar v -> NEvar v
	     | TEunary (Ustar, texpr)-> expr_node loc ty texpr.texpr_node
	     | TEdot(lvalue,var_info)->
		 begin    
		   match lvalue.Cast.texpr_node with
		     | TEunary(Ustar, _e) ->  
			 let t' = (expr lvalue) in
			 let zone = find_zone t' in
			 let () = type_why_new_zone zone var_info in 
			 NEarrow (t', zone, var_info)
		     | TEarrget (e1, e2) -> 
			 let a = 
			   { lvalue with 
			       texpr_node = 
			       TEbinary (e1, Badd_pointer_int, e2);
			       texpr_type = e1.texpr_type }
			 in
			 let t' = expr a in
			 let zone = find_zone t' in
			 let () = type_why_new_zone zone var_info in 
			 NEarrow (t', zone, var_info)
		     | _ ->   
			 let t' = (expr lvalue) in
			 let zone = find_zone t' in
			 let () = type_why_new_zone zone var_info in 
			 NEarrow (t', zone, var_info)
		 end 
	     | TEarrow(lvalue,var_info) ->
		 let t' = expr lvalue in
		 let zone = find_zone t' in 
		 let () = type_why_new_zone zone var_info in
		 NEarrow (t', zone, var_info)
	     | TEarrget (lvalue,t) ->
		 NEbinary(expr lvalue, Badd_pointer_int, expr t)
	     | _ -> 
		 warning loc "this & cannot be normalized";
		 NEunary (Uamp,expr texpr))
      | TEunary (unary_operator ,texpr) ->
	  NEunary(unary_operator, expr texpr)
      | TEincr (incr_operator,texpr) ->	NEincr(incr_operator, expr texpr)
      | TEbinary (texpr1 , binary_operator , texpr2) ->	
	  NEbinary ((expr texpr1), binary_operator , (expr texpr2))
      | TEcall (texpr ,list) -> 
	  NEcall { ncall_fun = expr texpr ;
		   ncall_args = List.map expr list;
		   ncall_zones_assoc = [] }
      | TEcond (texpr1, texpr2, texpr3) ->
	  NEcond ((expr texpr1), (expr texpr2), (expr texpr3))
      | TEsizeof (_tctype,n) ->
	  NEconstant (IntConstant (Int64.to_string n))
      | TEcast({Ctypes.ctype_node = Tpointer _}as ty, e') ->
	  begin
	    try
	      let n = Ctyping.eval_const_expr_noerror e' in
	      let name =
		if n = Int64.zero then "null" else
		  "const_ptr_" ^ Int64.to_string n
	      in
	      let info = default_var_info name in 
	      Cenv.set_var_type (Var_info info) ty false;
	      NEvar (Var_info info)    
	    with
		Invalid_argument _ ->
(*
		  unsupported loc "cast to pointer"
*)
		  NEcast (ty, expr e')
	  end
      | TEcast (tctype ,texpr) -> NEcast (tctype, expr texpr)
(*
	  begin
	    match texpr.texpr_type.Ctypes.ctype_node with
	      | Tpointer _ ->
		  unsupported loc "pointer-to-int cast"		  
	      | _ -> NEcast (tctype, expr texpr)
	  end
*)
      | TEmalloc (tctype, texpr) -> NEmalloc (tctype, expr texpr)

let nt_arrow loc _valid ty e z f =
  let () = type_why_new_zone z f in
  NTarrow ({nterm_node = e;
	    nterm_type = ty;
	    nterm_loc = loc},z,f)
      
(* transformation from a normalized term [t] to a normalized node representing
   the application of logical function [strlen] to [t]. 
   This has been factorized so that it can be called outside of [Cnorm]. *)
let make_nstrlen_node_from_nterm t =
  (* [strlen(p)] depends on the value pointed to by [p].
     Add fields to describe this dependency. *)
  let ty = match t.nterm_type.Ctypes.ctype_node with
  | Ctypes.Tarray (_,ty,_) | Ctypes.Tpointer (_,ty) -> 
      ty
  | Ctypes.Tvoid | Ctypes.Tint _ | Ctypes.Tfloat _ | Ctypes.Tvar _ 
  | Ctypes.Tstruct _ | Ctypes.Tunion _ | Ctypes.Tenum _ 
  | Ctypes.Tfun _ ->
      assert false
  in
  let info = make_field ty in
  let info = declare_arrow_var info in
  let zone = find_zone_for_term t in
  let () = type_why_new_zone zone info in
  NTstrlen (t, zone, info)

let dot_translate t' var_info ty loc =
  let zone = find_zone_for_term t' in
  let () = type_why_new_zone zone var_info in
  let t' = NTarrow (t', zone, var_info) in
  if var_requires_indirection var_info then
    let info = make_field ty in
    let info = declare_arrow_var info in
    let zone = find_zone_for_term {nterm_node = t';
				   nterm_loc = loc;
				   nterm_type =  var_info.var_type}  
    in
    nt_arrow loc true var_info.var_type t' zone info
  else
    t'


let rec term_node loc t ty =
  match t with
  | Tconstant constant -> NTconstant constant
  | Tstring_literal s -> NTstring_literal s
  | Tvar var_info -> 
      let t' = NTvar var_info in
      if var_requires_indirection var_info then
	let info = make_field ty in
	let info = declare_arrow_var info in
	let zone = 
	  match var_info.var_why_type with
	    | Pointer z -> z
	    | _ -> assert false 
	in
	nt_arrow loc true var_info.var_type t' zone info
      else
	t'
  | Tapp (logic_info ,l) -> NTapp  {napp_pred = logic_info; 
				    napp_args = List.map term l;
				    napp_zones_assoc = []}
  | Tunop (Clogic.Uamp,t) -> 
      begin match t.term_node with
	| Tvar v-> NTvar v
	| Tunop(Clogic.Ustar, t) -> term_node loc t.term_node ty
	| Tarrow(t,f) -> 
	    let t = term t in
	    let zone = find_zone_for_term t in
	    let () = type_why_new_zone zone f in
	    NTarrow (t, zone,  f) 
	| Tdot(t,f) ->  
	    begin    
	      match t.term_node with
		| Tunop (Clogic.Ustar, _e) -> 
		    dot_translate (term t) f ty loc
		| Tarrget (e1, e2) -> 
		    let a = 
		      { t with 
			  term_node = Tbinop (e1, Clogic.Badd, e2);
			  term_type = e1.term_type }
		    in
		    dot_translate (term a) f ty loc
		| Trange (e1, e2,e3) -> 
		    let t' = term e1 in
		    let zone = find_zone_for_term t' in
		    let () = type_why_new_zone zone f in
		    NTrange (term e1, term_option e2, term_option e3, 
			     zone, f)
		| _ -> dot_translate (term t) f ty loc
	    end  
      (*let t =
	      match t.term_node with
		| Tunop (Clogic.Ustar ,t) -> term t
		| _ -> term t
	    in
	    let zone = find_zone_for_term t in
	    let () = type_why_new_zone zone f in
	    NTarrow (t, zone, f)
      *)
	| _ -> 
	    unsupported loc "cannot handle this & operator"
	    (* NTunop(Clogic.Uamp,term t)    *)
      end
  | Tunop (Clogic.Ustar,t) ->  
      let info = make_field ty in
      let info = declare_arrow_var info in
      let t = term t in
      let zone = find_zone_for_term t in
      let () = type_why_new_zone zone info in
      NTarrow (t, zone, info)
  | Tunop (unop,t) -> NTunop(unop,term t)
  | Tbinop (t1, binop, t2) -> NTbinop (term t1, binop, term t2)
  | Tdot (t', var_info) ->
      begin    
	match t'.term_node with
	  | Tunop (Clogic.Ustar, _e) -> dot_translate (term t') var_info ty loc
	  | Tarrget (e1, e2) -> 
	      let a = 
		{ t' with 
		    term_node = Tbinop (e1, Clogic.Badd, e2);
		    term_type = e1.term_type }
	      in
	      dot_translate (term a) var_info ty loc
	  | Trange (e1, e2,e3) -> 
	      let t' = term e1 in
	      let zone = find_zone_for_term t' in
	      let () = type_why_new_zone zone var_info in
	      NTrange (term e1, term_option e2, term_option e3, zone, var_info)
	  | _ -> dot_translate (term t') var_info ty loc
      end 
  | Tarrow (t', var_info) ->
	  let t' = term t' in
	  let zone = find_zone_for_term t' in
	  let () = type_why_new_zone zone var_info in
	  let t' = NTarrow (t', zone, var_info) in
	  if var_requires_indirection var_info then
	    let info = make_field ty in
	    let info = declare_arrow_var info in
	    let zone = find_zone_for_term {nterm_type = ty;
					   nterm_loc = loc;
					   nterm_node= t'}
	    in
	    nt_arrow loc true ty t' zone info
	  else t'
  | Tarrget (t1, t2) ->
	  let info = make_field ty in
	  let info = declare_arrow_var info in
	  let t1' = term t1 in
	  let zone = find_zone_for_term t1' in
	  let valid =
	    try
		let n = eval_const_term_noerror t2 in
		Valid(Int64.zero,n)
	      with Invalid_argument _ -> Not_valid
	    in
	  let ty = { ty with Ctypes.ctype_node = Tpointer (valid,ty); 
		       ctype_ghost = t1.term_type.ctype_ghost } in
	  let () = type_why_new_zone zone info in
	  NTarrow ( 
	    {
	      nterm_node = NTbinop(t1', Clogic.Badd, term t2);
	      nterm_type = ty ;
	      nterm_loc = loc;
	    },
	    zone, info)
  | Tif (t1, t2, t3) -> NTif (term t1, term t2 , term t3)
  | Told t1 -> NTold (term t1)
  | Tat (t1, s) -> NTat (term t1, s)
  | Tbase_addr t -> NTbase_addr (term t)
  | Toffset t -> NToffset (term t)
  | Tblock_length t -> NTblock_length (term t)
  | Tarrlen t -> NTarrlen (term t)
  | Tstrlen t ->
      (* [strlen(p)] depends on the value pointed to by [p].
	 Add fields to describe this dependency.
	 This treatment has be factorized. *)
      make_nstrlen_node_from_nterm (term t)
  | Tmin (t1,t2) -> NTmin (term t1, term t2)
  | Tmax (t1,t2) -> NTmax (term t1, term t2)
  | Tminint ty -> NTminint ty
  | Tmaxint ty -> NTmaxint ty
  | Tcast ({Ctypes.ctype_node = Tpointer _}as ty, 
	    {term_node = Tconstant (IntConstant "0")}) ->      
      let info = default_var_info "null" in 
      Cenv.set_var_type (Var_info info) ty false;
      NTvar info
  | Tcast (ty, t) -> NTcast (ty, term t)
  | Trange (t1, t2, t3) -> 
      let t1 = term t1 in
      let info = make_field ty in
      let info = declare_arrow_var info in
      let zone = find_zone_for_term t1 in 
      let () = type_why_new_zone zone info in
      NTrange (t1, term_option t2, term_option t3, zone, info)

and term t = 
{ 
  nterm_node = term_node t.term_loc t.term_node t.term_type;
  nterm_loc = t.term_loc;
  nterm_type = t.term_type
}

and term_option t = Option_misc.map term t

let nlocation = term
(***
let nlocation l =
  match l with
    | Lterm(t) -> Lterm(term t)
    | Lstar(t) -> Lstar(term t)
    | Lrange(t1,t2,t3) -> Lrange(term t1,term t2,term t3)
***)
	
let nvariant v =
  match v with (t, sopt) -> (term t,sopt)

	
let rec predicate p =
  { npred_node = predicate_node p.pred_node;
    npred_loc = p.pred_loc }

and predicate_node = function
    | Pfalse -> NPfalse
    | Ptrue -> NPtrue 
    | Papp (info,l) -> NPapp {napp_pred = info; napp_args = List.map term l;
			      napp_zones_assoc = []}
    | Prel (t1 , relation , t2) -> NPrel (term t1,relation,term t2)
    | Pand (p1, p2) -> NPand (predicate p1, predicate p2)
    | Por (p1, p2) -> NPor (predicate p1, predicate p2)
    | Pimplies (p1, p2) -> NPimplies (predicate p1, predicate p2)
    | Piff (p1, p2) -> NPiff (predicate p1, predicate p2)
    | Pnot p1 -> NPnot (predicate p1)
    | Pif (t,p1,p2) -> NPif (term t,predicate p1 ,predicate p2)
    | Pforall (typed_quantifiers, p) -> NPforall (
	(List.map (fun (x,y) -> (x,y)) typed_quantifiers),
	(predicate p))
    | Pexists (typed_quantifiers, p) -> NPexists (
	(List.map (fun (x,y) -> (x,y)) typed_quantifiers),
	(predicate p)) 
    | Pold p -> NPold (predicate p)
    | Pat (p, s) -> NPat ((predicate p),s)
    | Pseparated (t1,t2) -> NPseparated (term t1, term t2)
    | Pbound_separated (t1,t2,t3,t4) -> 
	NPbound_separated (term t1, term t2, term t3, term t4)
    | Pfull_separated (t1,t2) -> NPfull_separated (term t1, term t2)
    | Pfullseparated (_t1,_t2) ->
	assert false (* TODO *)
    | Pvalid (t) -> NPvalid (term t) 
    | Pvalid_index (t1 , t2) -> NPvalid_index (term t1 , term t2) 
    | Pvalid_range (t1,t2,t3) -> NPvalid_range (term t1, term t2 , term t3)
    | Pfresh t -> NPfresh (term t)  
    | Pnamed (n, p) -> NPnamed (n, predicate p)

let loop_annot a =
  {
    invariant = Option_misc.map predicate a.invariant;
    assume_invariant = Option_misc.map predicate a.assume_invariant;
    loop_assigns = 
     Option_misc.map (fun (loc, l) -> loc, List.map nlocation l) 
       a.loop_assigns;
    variant = Option_misc.map nvariant a.variant;
  }

let logic_symbol l =
  match l with
    | Predicate_reads(param_list,loc_list) ->
	NPredicate_reads(param_list, List.map nlocation loc_list)
    | Predicate_def  (param_list , p ) ->
	NPredicate_def(param_list, predicate p)
    | Function (l1 , c , l2) -> 
	NFunction (l1,c,List.map nlocation l2)
    | Function_def (param_list, t, e) ->
	NFunction_def (param_list, t, term e)

let rec c_initializer c = match c with
  | Iexpr e ->  Iexpr (expr e)
  | Ilist l -> Ilist (List.map (fun x -> (c_initializer x))l)

let c_initializer_option = Option_misc.map c_initializer

let ilist = function
  | None -> None
  | Some i -> Some (Ilist [i])

let variant v = let (x,y) = v in ((term x), y)


let make_and p1 p2 = match p1.npred_node, p2.npred_node with
  | NPtrue, _ -> p2
  | _, NPtrue -> p1
  | _ -> { p1 with npred_node = NPand (p1, p2) }

let make_or p1 p2 = match p1.npred_node, p2.npred_node with
  | NPfalse, _ -> p2
  | _, NPfalse -> p1
  | _ -> { p1 with npred_node = NPor (p1, p2) }

let make_implies p1 p2 = match p2.npred_node with
  | NPtrue -> { p1 with npred_node = NPtrue }
  | _ -> { p1 with npred_node = NPimplies (p1, p2) }

let make_forall q p = match p.npred_node with
  | NPtrue -> { p with npred_node = NPtrue }
  | _ -> { p with npred_node = NPforall (q, p) }

let dummy_pred p = { npred_node = p; npred_loc = Loc.dummy_position }
let nprel (t1, r, t2) = dummy_pred (NPrel (t1, r, t2))
let npand (p1, p2) = make_and p1 p2
let npor (p1, p2) = make_or p1 p2
let npvalid t = dummy_pred (NPvalid t)
let npvalid_range (t,i,j) = dummy_pred (NPvalid_range (t,i,j))
let npfresh t = dummy_pred (NPfresh t)
let nptrue = dummy_pred NPtrue
let npfalse = dummy_pred NPfalse
let npapp (f, l) = dummy_pred (NPapp {napp_pred = f;napp_args =  l; 
				      napp_zones_assoc = []})
let npiff (p1, p2) = dummy_pred (NPiff (p1, p2))

let spec ?(add=nptrue) s = 
  let pred = match s.requires with 
    | None -> add
    | Some pred -> npand (add,(predicate pred))
  in
  let pred = if pred = nptrue then None else Some pred in
  { 
    requires = pred;
    assigns  = 
      Option_misc.map 
	(fun (loc,l) -> loc, List.map (fun x -> nlocation x) l) s.assigns;
    ensures = Option_misc.map predicate s.ensures;
    decreases = Option_misc.map variant s.decreases;
  }


let noattr loc ty e =
  { texpr_node = e;
    texpr_type = ty;
    texpr_loc  = loc
  }

let in_struct2 v1 v = 
  let x = begin
    match v1.texpr_node with
    | TEunary (Ustar, x)-> TEarrow (x, v)
    | TEarrget (x,i) -> 
	TEarrow 
	  ((noattr v1.texpr_loc v1.texpr_type 
	     (TEbinary(x, Badd_pointer_int, i))),v)
    | _ -> TEarrow (v1, v)
  end in
  { texpr_node = x; 
    texpr_loc = v1.texpr_loc;
    texpr_type = v.var_type }





let noattr3 tyn = { Ctypes.ctype_node = tyn; 
		   Ctypes.ctype_storage = No_storage;
		   Ctypes.ctype_const = false;
		   Ctypes.ctype_volatile = false;
		  Ctypes.ctype_ghost = false}

let alloca loc n =
  {nexpr_node = NEcall 
      {ncall_fun = 
	  (noattr2  loc 
	     (noattr3(
		Tfun ([noattr3
			 (Tint(Signed,Ctypes.Int))], 
		      noattr3 (Tpointer (Valid(Int64.zero,Int64.of_string n),
					 noattr3 Tvoid)))))
	     (NEvar  (Fun_info (default_fun_info "alloca"))));
       ncall_args = [{ nexpr_node = NEconstant  (IntConstant n);
		       nexpr_type =  noattr3 (Tint (Signed,Ctypes.Int));
		       nexpr_loc  = loc }];
       ncall_zones_assoc = []};
   nexpr_type = noattr3 (Tpointer (Valid(Int64.zero,Int64.of_string n),
				   noattr3 Tvoid));
   nexpr_loc  = loc
  }	  

let copyattr s s' = 
  { nst_node = s';
    nst_break = s.st_break;
    nst_continue = s.st_continue;
    nst_return = s.st_return;
    nst_term = s.st_term;
    nst_loc = s.st_loc;
  }

let rec pop_initializer loc t i =
  match i with 
    | [] ->None,[]
    | (Iexpr e)::l -> Some e,l
    | (Ilist [])::l -> pop_initializer loc t l
    | (Ilist l)::l' -> 
	let e,r = pop_initializer loc t l in e,r@l'

let rec init_expr loc t lvalue initializers =
  match t.Ctypes.ctype_node with
    | Tint _ | Tfloat _ | Tpointer _ | Tenum _ -> 
	let x,l = pop_initializer loc t initializers in
	(match x with 
	  | Some x ->
	      [{nst_node = 
		   NSexpr (noattr2 loc t (NEassign(expr lvalue, expr x)));
		nst_break = false;    
		nst_continue = false; 
		nst_return = false;   
		nst_term = true;
		nst_loc = loc     
	       }]
	  | None -> []), l
    | Tstruct n ->
	begin match tag_type_definition n with
	  | TTStructUnion (Tstruct (_), fl) ->
	      let l1,l2 = List.fold_left 
		(fun (acc,init) f -> 
		   let block, init' =
		     init_expr loc f.var_type 
		       (in_struct2 lvalue f) init
		   in (acc@block,init'))
		([],initializers)  fl
	      in
	      l1,l2
	  | _ ->
	      assert false
	end
    | Tunion n ->
	begin match tag_type_definition n with
	  | TTStructUnion (Tstruct (_), f::_) ->
	      let block, init' =
		init_expr loc f.var_type 
		  (noattr loc f.var_type (TEarrow(lvalue, f)))
		  initializers
	      in 
	      block,init'
	  | _ ->
	      assert false
	end
    | Tarray (_,ty, Some t) ->
	let int_to_init loc ty i=
	  let e = 
	    { texpr_node = TEconstant (IntConstant (Format.sprintf "%d" i));
	      texpr_type = c_int; texpr_loc = loc; }
	  in
	  Iexpr (Ctyping.coerce ty e)
	in
	let rec expand_initializer = function
	  | Iexpr e -> 	      
	      begin
		match e.texpr_node with
		  | TEstring_literal s ->
		      let ty = 
			match e.texpr_type.Ctypes.ctype_node with
			  | Tpointer (_,ty) | Tarray (_,ty,_) -> ty
			  | _ ->  ty
		      in
		      let l = ref [int_to_init e.texpr_loc ty 0] in 
		      let n = (String.length s) -1 in
		      for i = 1 to n-1  do
			l := int_to_init e.texpr_loc ty 
			  (Char.code (String.get s (n-i)))::!l
		      done; 
		      Ilist !l
		  | _ -> Iexpr e
	      end
	  | Ilist el -> Ilist el
	in
	let rec init_cells i (block,init) =
	  if i >= t then (block,init)
	  else
	    let ts = Ctyping.int_teconstant (Int64.to_string i) in
	    let (b,init') = 
	      init_expr loc ty (noattr loc ty (TEarrget(lvalue,ts))) init 
	    in
	    init_cells (Int64.add i Int64.one) (block@b,init')
	in
	let initializers = List.map expand_initializer initializers in
	init_cells Int64.zero ([],initializers)
    | Tarray (_,_ty,None) -> assert false
    | Tfun (_, _) -> assert false
    | Ctypes.Tvar _ -> assert false
    | Tvoid -> assert false

let rec texpr_of_term (t : tterm) : texpr = 
 {
  texpr_node = 
    begin
      match t.term_node with 
	| Tconstant c ->  TEconstant c
	| Tstring_literal s -> TEstring_literal s
	| Tvar v -> TEvar (Var_info v)
	| Tapp _ -> error t.term_loc 
	      "logic function can't be used with ghost variables"
	| Tunop (t , term) -> TEunary(
	    begin  match t with 
	      | Clogic.Uplus -> Uplus
	      | Clogic.Unot -> Unot
	      | Clogic.Uminus -> Uminus 
	      | Clogic.Utilde -> Utilde 
	      | Clogic.Ustar -> assert false
	      | Clogic.Uamp -> assert false
	      | Clogic.Ufloat_of_int -> Ufloat_of_int
	      | Clogic.Uint_of_float -> Uint_of_float
	      | Clogic.Ufloat_conversion -> Ufloat_conversion
	      | Clogic.Uint_conversion -> Uint_conversion
	      | Clogic.Usqrt_real
	      | Clogic.Uabs_real
	      | Clogic.Uround_error
	      | Clogic.Utotal_error
	      | Clogic.Uexact
	      | Clogic.Umodel -> assert false
	    end,
	    (texpr_of_term term))     
	| Tbinop (t1, b, t2) -> 
	    let t1 = (texpr_of_term t1) in
	    let t2 = (texpr_of_term t2) in
	    TEbinary 
	      (t1,
	       begin match b,t1.texpr_type.Ctypes.ctype_node,
	       t2.texpr_type.Ctypes.ctype_node with
		 | Clogic.Badd,Tint i , Tint _ -> Badd_int i
		 | Clogic.Badd,Tfloat fk , Tfloat _ -> Badd_float fk
		 | Clogic.Badd,Tpointer _ , Tint _ -> Badd_pointer_int
		 | Clogic.Bsub,Tint i , Tint _ -> Bsub_int i
		 | Clogic.Bsub,Tfloat fk , Tfloat _ -> Bsub_float fk
		 | Clogic.Bsub,Tpointer _ , Tint _ -> Bsub_pointer
		 | Clogic.Bmul,Tfloat fk , Tfloat _ -> Bmul_float fk
		 | Clogic.Bmul,Tint i , Tint _ -> Bmul_int i
		 | Clogic.Bdiv,Tfloat fk , Tfloat _ -> Bdiv_float fk
		 | Clogic.Bdiv,Tint i , Tint _ -> Bdiv_int i
		 | Clogic.Bmod,Tint i ,Tint _ -> Bmod_int i
		 | Clogic.Badd,Tarray _ , Tint _ -> Badd_pointer_int
		 | Clogic.Bsub,Tarray _ , Tint _ -> Bsub_pointer   
		 | _ -> error  t.term_loc 
		     "this operation can't be used with ghost variables"
	       end,
	       t2)
	| Tdot (t,v) -> TEdot (texpr_of_term t,v)
	| Tarrow (t,v) -> TEarrow (texpr_of_term t,v)
	| Tarrget (t1,t2) -> TEarrget (texpr_of_term t1, texpr_of_term t2)
	| Tif (t1,t2,t3)-> TEcond 
	      (texpr_of_term t1,texpr_of_term t2,texpr_of_term t3)
	| Told t -> error t.term_loc 
	      "old can't be used here"
	| Tat (t , _s)-> error t.term_loc 
	      "@ can't be used here"
	| Tbase_addr t -> error t.term_loc 
	      "base_addr can't be used here"
	| Toffset t -> error t.term_loc 
	      "offset can't be used here"
	| Tblock_length t -> error t.term_loc 
	      "block_length can't be used here"
	| Tarrlen _ -> error t.term_loc 
	    "arrlen can't be used here"
	| Tstrlen _ -> error t.term_loc 
	    "strlen can't be used here"
	| Tmin _ -> error t.term_loc 
	    "min can't be used here"
	| Tmax _ -> error t.term_loc 
	    "max can't be used here"
	| Tminint _ -> error t.term_loc 
	    "minint can't be used here"
	| Tmaxint _ -> error t.term_loc 
	    "maxint can't be used here"
	| Tcast (ty,t) -> TEcast(ty,texpr_of_term t)
	| Trange _ -> 
	    error t.term_loc "range cannot by used here"
    end;
    texpr_type = t.term_type;
    texpr_loc  = t.term_loc
 }


let rec expr_of_term (t : nterm) : nexpr = 
 {
  nexpr_node = 
    begin
      match t.nterm_node with 
	| NTconstant c ->  NEconstant c
	| NTstring_literal s -> NEstring_literal s
	| NTvar v -> NEvar (Var_info v)
	| NTapp _ -> error t.nterm_loc 
	      "logic function can't be used with ghost variables"
	| NTunop (t , term) -> NEunary(
	    begin  match t with 
	      | Clogic.Uplus -> Uplus
	      | Clogic.Unot -> Unot
	      | Clogic.Uminus -> Uminus 
	      | Clogic.Utilde -> Utilde 
	      | Clogic.Ustar -> assert false
	      | Clogic.Uamp -> assert false
	      | Clogic.Ufloat_of_int -> Ufloat_of_int
	      | Clogic.Uint_of_float -> Uint_of_float
	      | Clogic.Ufloat_conversion -> Ufloat_conversion
	      | Clogic.Uint_conversion -> Uint_conversion
	      | Clogic.Usqrt_real
	      | Clogic.Uabs_real
	      | Clogic.Uround_error
	      | Clogic.Utotal_error
	      | Clogic.Uexact
	      | Clogic.Umodel -> assert false
	    end,
	    (expr_of_term term))
	      
(*	| NTstar t ->  NEstar (expr_of_term t)*)
	| NTbinop (t1, b, t2) -> 
	    let t1 = (expr_of_term t1) in
	    let t2 = (expr_of_term t2) in
	    NEbinary 
	      (t1,
	       begin match b,t1.nexpr_type.Ctypes.ctype_node,
	       t2.nexpr_type.Ctypes.ctype_node with
		 | Clogic.Badd,Tint i , Tint _ -> Badd_int i
		 | Clogic.Badd,Tfloat fk , Tfloat _ -> Badd_float fk
		 | Clogic.Badd,Tpointer _ , Tint _ -> Badd_pointer_int
		 | Clogic.Bsub,Tint i , Tint _ -> Bsub_int i
		 | Clogic.Bsub,Tfloat fk , Tfloat _ -> Bsub_float fk
		 | Clogic.Bsub,Tpointer _ , Tint _ -> Bsub_pointer
		 | Clogic.Bmul,Tfloat fk , Tfloat _ -> Bmul_float fk
		 | Clogic.Bmul,Tint i , Tint _ -> Bmul_int i
		 | Clogic.Bdiv,Tfloat fk , Tfloat _ -> Bdiv_float fk
		 | Clogic.Bdiv,Tint i , Tint _ -> Bdiv_int i
		 | Clogic.Bmod,Tint i ,Tint _ -> Bmod_int i
		 | Clogic.Badd,Tarray _ , Tint _ -> Badd_pointer_int
		 | Clogic.Bsub,Tarray _ , Tint _ -> Bsub_pointer   
		 | _ -> error  t.nterm_loc 
		     "this operation can't be used with ghost variables"
	       end,
	       t2)
	| NTarrow (t,z,v) -> NEarrow (expr_of_term t,z,v)
	| NTif (t1,t2,t3)-> NEcond 
	      (expr_of_term t1,expr_of_term t2,expr_of_term t3)
	| NTold t -> error t.nterm_loc 
	      "old can't be used here"
	| NTat (t , _s)-> error t.nterm_loc 
	      "@ can't be used here"
	| NTbase_addr t -> error t.nterm_loc 
	      "base_addr can't be used here"
	| NToffset t -> error t.nterm_loc 
	      "offset can't be used here"
	| NTblock_length t -> error t.nterm_loc 
	      "block_length can't be used here"
	| NTarrlen t -> error t.nterm_loc 
	    "arrlen can't be used here"
	| NTstrlen (t,_z,_v) -> error t.nterm_loc 
	    "strlen can't be used here"
	| NTmin _ -> error t.nterm_loc 
	    "min can't be used here"
	| NTmax _ -> error t.nterm_loc 
	    "max can't be used here"
	| NTminint _ -> error t.nterm_loc 
	    "minint can't be used here"
	| NTmaxint _ -> error t.nterm_loc 
	    "maxint can't be used here"
	| NTcast (ty,t) -> NEcast(ty,expr_of_term t)
	| NTrange _ -> 
	    error t.nterm_loc "range cannot by used here"
    end;
    nexpr_type = t.nterm_type;
    nexpr_loc  = t.nterm_loc
 }

let rec st_cases default used_cases (i : tstatement) 
  : bool * 'a IntMap.t * 'a IntMap.t * tstatement =
  match i.st_node with 
    | TScase ( e ,i') ->
	let n =  Ctyping.eval_const_expr e in
	let e = expr e in
	if IntMap.mem n used_cases 
	then
	  error i.st_loc ("duplicate case")
	else
	  let (default, used_cases' , l, i) = 
	    st_cases default (IntMap.add n e used_cases) i' in
	  (default, used_cases', (IntMap.add n e l),i)
    | TSdefault s -> (true, used_cases, IntMap.empty, s)
    | _ -> (false, used_cases, IntMap.empty, i)

and st_instr (l : tstatement list) : tstatement list * nstatement list =
  match l with
    | [] -> l,[]
    | i ::l' -> 
	match i .st_node with
	  | TSdefault _ -> l,[]
	  | TScase(_,_) -> l,[]
	  | _ -> let (l,instr) = st_instr l' in
	    (l,(statement i)::instr)

      
    

and st_case_list (used_cases : 'a IntMap.t) (l : tstatement list) :
  'a IntMap.t * ('a IntMap.t * nstatement list) list =
  match l with 
    | [] -> (used_cases, [] )
    | i::l ->
	match i.st_node with 
	  | TSdefault s ->
	      begin
		match s.st_node with
		  | TScase _ -> unsupported s.st_loc "case following default"
		  | _ ->		 
		      let (l,instr) = st_instr l in
		      let(used_cases'', l'') = (st_case_list used_cases l) in
		      (used_cases'',(IntMap.empty,(statement s)::instr)::l'')
	      end
	  | TScase(e,i) -> 
	      let n = Ctyping.eval_const_expr e in 
	      let e = expr e in
	      if IntMap.mem n used_cases 
	      then
		error i.st_loc ("duplicate case")
	      else
		let (default,used_cases', l', i') = 
		  st_cases false (used_cases) i in 
		if default then begin
		    match i'.st_node with
		      | TScase _ -> 
			  unsupported i'.st_loc "case following default"
		      | _ ->
			  let i' = statement i' in
			  let (l,instr) = st_instr l in
			  let (used_cases'', l'') = (st_case_list used_cases l)
			  in
			  (used_cases'',
			   (IntMap.empty,i'::instr)::l'')
		  end
		else
		  let i' = statement i' in
		  let (l,instr) = st_instr l in
		  let (used_cases'', l'') = 
		    st_case_list (IntMap.add n e used_cases') l in
		  (used_cases'',((IntMap.add n e l'),i'::instr)::l'')
	  | _ ->  
	      let (used_cases', l') = st_case_list used_cases l in
	      match l' with
		| [] -> 
		    error i.st_loc 
		      ("unreachable statement at beginning of switch")
		| (lc,i')::l -> (used_cases',(lc,i'@[statement i])::l)
		



and st_switch i =
  match i.st_node with 
    | TSblock (_,l) -> st_case_list IntMap.empty l
    | _ -> st_case_list IntMap.empty [i]

and statement s =
  let nst =
    match s.st_node with
  | TSnop -> NSnop
  | TSexpr texpr -> NSexpr (expr texpr)
  | TSif (texpr, tstatement1, tstatement2) -> NSif ((expr texpr),
						  (statement tstatement1),
						  (statement tstatement2))
  | TSwhile (loop, texpr, tstatement) -> NSwhile (loop_annot loop,
						  (expr texpr),
						  (statement tstatement))
  | TSdowhile (loop, tstatement, texpr) -> 
      NSdowhile (loop_annot loop,statement tstatement, expr texpr) 
  | TSfor (loop ,texpr1, texpr2, texpr3, tstatement) ->
      NSfor (loop_annot loop,
	     (expr texpr1),
	     (expr texpr2),
	     (expr texpr3),
	      (statement tstatement))
  | TSblock (l1,l2) -> 
      local_decl s l1 l2
  | TSreturn option -> NSreturn (Option_misc.map expr option)
  | TSbreak -> NSbreak
  | TScontinue -> NScontinue
  | TSlabel (string, tstatement) -> NSlabel (string, (statement tstatement)) 
  | TSswitch (texpr, tstatement) -> 
      let (used_cases,s) = st_switch tstatement in
      NSswitch(expr texpr, used_cases, s) 
  | TScase (_texpr, _tstatement) -> 
      unsupported s.st_loc "misplaced case statement"
  | TSdefault _tstatement -> assert false
  | TSgoto(status,l) -> NSgoto(status,l)
  | TSassert p -> NSassert (predicate p)
  | TSassume p -> NSassume (predicate p)
  | TSlogic_label  string -> NSlogic_label string
  | TSspec (s, tstatement) -> NSspec (spec s, statement tstatement)
  | TSset (x, t) -> 
      NSexpr (noattr2 s.st_loc x.term_type 
		(NEassign 
		   (expr (texpr_of_term x),expr (texpr_of_term t))))
  in
  { nst_node = nst;
    nst_break = s.st_break;
    nst_continue = s.st_continue;
    nst_return =  s.st_return;
    nst_term = s.st_term;
    nst_loc = s.st_loc;
  }

and local_decl s l l2 = 
  match l with 
    | [] -> NSblock (List.map statement l2)
    | {node = Tdecl (_t,v,init); loc = l}::decl -> 
	if var_is_referenced_or_struct_or_union v then
	  set_var_type (Var_info v) 
	    (c_array_size (Valid(Int64.zero,Int64.one)) 
	       v.var_type Int64.one) true;
	begin match init with
	  | None ->
	      let declar = local_decl s decl l2 in
	      NSdecl(v.var_type,v,None,copyattr s declar)
	  | Some c ->
	      match v.var_type.Ctypes.ctype_node with
		| Tenum _ | Tint _ | Tfloat _ | Tpointer _ -> 
		    let declar = local_decl s decl l2 in
		    begin match c with
		      | Iexpr e ->
			  NSdecl(v.var_type, v, Some (Iexpr (expr e)),
				 copyattr s declar)
		      | _ -> assert false
		    end
		| Tarray (_,_, Some _length) ->
		    let lvalue = noattr l v.var_type (TEvar (Var_info v)) in
		    let declar,_ = 
		      without_dereference v
			(init_expr l v.var_type lvalue) [c] 
		    in
		    NSdecl(v.var_type,v,
			   None,
			   let rest = copyattr s (local_decl s decl l2) in
			   copyattr s (NSblock (declar @ [rest])))
		| Tarray _ | Tstruct _ | Tunion _ -> 
		    let lvalue = (noattr l v.var_type (TEvar (Var_info v))) in
		    let declar,_ = init_expr l v.var_type lvalue [c] in
		    NSdecl(v.var_type,v,
			   Some (Iexpr (alloca l "1")),
			   let rest = copyattr s (local_decl s decl l2) in
			   copyattr s (NSblock (declar @ [rest])))
		| Tvoid | Ctypes.Tvar _ | Tfun _ -> assert false		      
	end
    | _  -> assert false

let add_c_function spec ty f sta loc =
  try 
    let (spec2,_ty2,_f2,sta2,_loc2) = 
      find_c_fun f.fun_name 
    in
    let spec = 
      {requires = begin
	 match spec.requires with
	   | None -> spec2.requires
	   | Some p -> Some p
       end;
       assigns = begin 
	 match spec.assigns with
	   | None -> spec2.assigns
	   | Some l -> Some l
       end;
       ensures = begin
	  match spec.ensures with
	    | None -> spec2.ensures
	    | Some p -> Some p
       end;
       decreases = begin 
	 match spec.decreases with
	   | None -> spec2.decreases
	   | Some t -> Some t
       end;
      }
    in
    let sta = begin 
      match sta with 
	| None -> sta2
	| Some s -> Some s
    end 
    in
    add_c_fun  f.fun_name (spec,ty,f,sta,loc)
  with Not_found -> add_c_fun f.fun_name (spec,ty,f,sta,loc)
  


let global_decl e1 loc =
  match e1 with    
  | Tlogic(info, l) -> Nlogic (info , logic_symbol l)
  | Taxiom (s, p) -> Naxiom (s, predicate p)
  | Tinvariant(s, p) -> Ninvariant (s, predicate p)
  | Ttypedef (t, s) -> Ntypedef(t,s)
  | Ttypedecl t -> Ntypedecl (t)
  | Tdecl (t, v, c) -> 
      let t =
	if  (not v.var_is_assigned) && Coptions.closed_program then   
	  { t with Ctypes.ctype_const = true }
	else t 
      in
      set_var_type (Var_info v) t false;
      if var_is_referenced_or_struct_or_union v
      then
	begin
	  set_var_type (Var_info v) (c_array_size (Valid(Int64.zero,Int64.one))
				       v.var_type Int64.one) false;
	  Ndecl(v.var_type,v,ilist (c_initializer_option c))
	end
      else Ndecl(t,v,c_initializer_option c)
  | Tfunspec (s, t, f) -> 
      if not f.has_body then
	begin
	  set_var_type (Fun_info f) (f.fun_type) true;
	  List.iter (fun arg -> 
		       set_var_type (Var_info arg) (arg.var_type) true) f.args
	end;
      (*Nfunspec (spec s,t,f)*)
      add_c_function (spec s) t f None loc;
      raise Exit

  | Tfundef (s, t, f, st) ->
      let validity_for_struct = 
	List.fold_left 
	  (fun acc y ->
	     let x = y.var_type in
	     match x.Ctypes.ctype_node with
	       | Tstruct _ | Tunion _ -> 
		   npand (npvalid 
			    {nterm_node = NTvar y;
			     nterm_type = x;
			     nterm_loc = Loc.dummy_position},acc)
	       | _ -> acc) 
	  nptrue f.args in
      set_var_type (Fun_info f) (f.fun_type) true;
      List.iter (fun arg -> 
		   set_var_type (Var_info arg) (arg.var_type) true) f.args;
      (*Nfundef (spec ~add:validity_for_struct s,t,f,statement st)*)
      add_c_function (spec ~add:validity_for_struct s) t f 
	(Some (statement st)) loc;
      raise Exit
  | Tghost(x,cinit) ->
      let cinit = 
	match cinit with
	  | None -> None
	  | Some (Iexpr t) -> Some(Iexpr (expr (texpr_of_term t)))
	  | _ -> assert false
      in
      Info.set_assigned x;
      if var_is_referenced_or_struct_or_union x
      then
	begin
	  set_var_type (Var_info x) (c_array_size (Valid(Int64.zero,Int64.one))
				       x.var_type Int64.one) false;
	  Ndecl(x.var_type,x,ilist cinit)
	end
      else Ndecl(x.var_type,x,cinit)
  | Ttype s ->
      Ntype s
      

let rec map_succeed f = function
  | [] -> 
      []
  | x :: r -> 
      try let y = f x in y :: map_succeed f r 
      with Exit -> map_succeed f r
	
let file = map_succeed (fun d -> { node = global_decl d.node d.loc ; 
				   loc = d.loc})




(*
Local Variables: 
compile-command: "make -j -C .. bin/caduceus.byte"
End: 
*)
why-2.34/c/cprint.ml0000644000175000017500000005627412311670312012706 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Pretty-printer for normalized AST *)

open Format
open Ctypes
open Clogic
open Cast
open Info
open Pp
open Cutil

let declare_struct fmt s (_,_fields) =
  fprintf fmt "@[struct %s {@\n" s;
  begin match Cenv.tag_type_definition s with
    | Cenv.TTStructUnion(_,fields) ->
	List.iter (fun f ->
		     fprintf fmt "%a %s;@\n" ctype f.var_type f.var_unique_name) fields 
    | _ -> assert false
  end;
  fprintf fmt "};@]@\n@\n"

let term_unop = function
  | Clogic.Uminus -> "-"
  | Clogic.Utilde -> "~"
  | Clogic.Ustar -> "*"
  | Clogic.Uamp -> "&"
  | Clogic.Ufloat_of_int -> "float_of_int"
  | Clogic.Uint_of_float -> "int_of_float"
  | Clogic.Ufloat_conversion -> "float_conversion"
  | Clogic.Uint_conversion -> "int_conversion"
  | Clogic.Uabs_real -> "abs_real"
  | Clogic.Usqrt_real -> "sqrt_real"
  | Clogic.Uround_error -> "round_error"
  | Clogic.Utotal_error -> "total_error"
  | Clogic.Uexact -> "exact"
  | Clogic.Umodel -> "model"
  | Clogic.Unot -> "!"
  | Clogic.Uplus -> "+"


let term_binop = function
  | Clogic.Badd -> "+"
  | Clogic.Bsub -> "-"
  | Clogic.Bmul -> "*"
  | Clogic.Bdiv -> "/"
  | Clogic.Bmod -> "%"
  | Clogic.Bpow_real -> "^^"
  | Clogic.Bbw_and -> "&"
  | Clogic.Bbw_or -> "|"
  | Clogic.Bbw_xor -> "^"
  | Clogic.Bshift_right -> ">>"
  | Clogic.Bshift_left -> "<<"
 
let rec nterm fmt t = match t.nterm_node with
  | NTconstant (IntConstant s | RealConstant s) ->
      fprintf fmt "%s" s
  | NTstring_literal s -> fprintf fmt "\"%s\"" s
  | NTvar x ->
      fprintf fmt "%s" x.var_unique_name
  | NTapp {napp_pred = li; napp_args = tl;} ->
      fprintf fmt "%s(%a)" li.logic_name (print_list comma nterm) tl
  | NTunop (op, t) ->
      fprintf fmt "%s%a" (term_unop op) nterm_p t
(*  | NTstar t ->
      fprintf fmt "*%a" nterm_p t*)
  | NTbinop (t1, op, t2) ->
      fprintf fmt "%a %s %a" nterm_p t1 (term_binop op) nterm_p t2
  | NTarrow (t,_, vi) ->
      fprintf fmt "%a->%s" nterm_p t vi.var_unique_name
  | NTif (t1, t2, t3) ->
      fprintf fmt "%a ? %a : %a" nterm_p t1 nterm_p t2 nterm_p t3
  | NTold t ->
      fprintf fmt "\\old(%a)" nterm t
  | NTat (t, l) ->
      fprintf fmt "\\at(%a, %s)" nterm t l
  | NTbase_addr t ->
      fprintf fmt "\\base_addr(%a)" nterm t
  | NToffset t ->
      fprintf fmt "\\offset(%a)" nterm t
  | NTblock_length t ->
      fprintf fmt "\\block_length(%a)" nterm t
  | NTarrlen t ->
      fprintf fmt "\\arrlen(%a)" nterm t
  | NTstrlen (t,_, _) ->
      fprintf fmt "\\strlen(%a)" nterm t
  | NTmin (t1,t2) ->
      fprintf fmt "\\min(%a,%a)" nterm t1 nterm t2
  | NTmax (t1,t2) ->
      fprintf fmt "\\max(%a,%a)" nterm t1 nterm t2
  | NTminint ty ->
      fprintf fmt "\\minint(%a)" ctype ty
  | NTmaxint ty ->
      fprintf fmt "\\maxint(%a)" ctype ty
  | NTcast (ty, t) ->
      fprintf fmt "(%a)%a" ctype ty nterm t
  | NTrange (t1, t2, t3, _,f) ->
      fprintf fmt "(%a+%a..%a+%a)->%s" nterm t1 nterm_option t2 nterm t1 nterm_option t3 f.var_unique_name

and nterm_p fmt t = match t.nterm_node with
  | NTconstant _ | NTvar _ | NTapp _ | NTold _ | NTat _ 
  | NTarrlen _ | NTstrlen _ | NTmin _ | NTmax _ ->
      nterm fmt t
  | _ ->
      fprintf fmt "(%a)" nterm t

and nterm_option fmt = function
  | None -> ()
  | Some t -> nterm fmt t

let quantifier fmt (ty, x) = fprintf fmt "%a %s" ctype ty x.var_unique_name

let quantifiers = print_list comma quantifier

let relation = function
  | Lt -> "<"
  | Gt -> ">"
  | Le -> "<="
  | Ge -> ">="
  | Eq -> "=="
  | Neq -> "!="
 
let rec npredicate fmt p = match p.npred_node with
  | NPfalse ->
      fprintf fmt "false"
  | NPtrue ->
      fprintf fmt "true"
  | NPapp {napp_pred = li; napp_args = tl;} ->
      fprintf fmt "%s(%a)" li.logic_name (print_list comma nterm) tl
  | NPrel (t1, rel, t2) ->
      (* no need for parentheses around a relation. It can only be used
	 inside a boolean formula, with the relational operator morally
	 binding tighter than any boolean operator. *)
      fprintf fmt "@[%a %s %a@]" nterm t1 (relation rel) nterm t2
  | NPand (_p1, _p2) ->
      (* improved printing for range inequalities, e.g. 0 <= i < 100 *)
      nconjunct fmt p
  | NPor (p1, p2) ->
      fprintf fmt "@[(%a ||@ %a)@]" npredicate p1 npredicate p2
  | NPimplies (p1, p2) ->
      fprintf fmt "@[(%a =>@ %a)@]" npredicate p1 npredicate p2
  | NPiff (p1, p2) ->
      fprintf fmt "@[(%a <=>@ %a)@]" npredicate p1 npredicate p2
  | NPnot p ->
      fprintf fmt "! %a" npredicate p
  | NPif (t, p1, p2) ->
      fprintf fmt "@[(%a ? %a : %a)@]" nterm t npredicate p1 npredicate p2
  | NPforall (q, p) ->
      fprintf fmt "@[(\\forall %a;@ %a)@]" quantifiers q npredicate p
  | NPexists (q, p) ->
      fprintf fmt "@[(\\exists %a;@ %a)@]" quantifiers q npredicate p
  | NPold p ->
      fprintf fmt "\\old(%a)" npredicate p
  | NPat (p, l) ->
      fprintf fmt "\\at(%a, %s)" npredicate p l
  | NPvalid t ->
      fprintf fmt "\\valid(%a)" nterm t
  | NPvalid_index (t1, t2) ->
      fprintf fmt "\\valid_index(%a, %a)" nterm t1 nterm t2
  | NPvalid_range (t1, t2, t3) ->
      fprintf fmt "\\valid_range(%a, %a, %a)" nterm t1 nterm t2 nterm t3
  | NPfresh t ->
      fprintf fmt "\\fresh(%a)" nterm t
  | NPnamed (id, p) ->
      fprintf fmt "@[(%s::@ %a)@]" id npredicate p
  | NPseparated (t1,t2) ->
      fprintf fmt "\\separated(%a, %a)" nterm t1 nterm t2
  | NPfull_separated (t1,t2) ->
      fprintf fmt "\\full_separated(%a, %a)" nterm t1 nterm t2
  | NPbound_separated (t1,t2,t3,t4) ->
      fprintf fmt "\\bound_separated(%a, %a, %a, %a)" 
	nterm t1 nterm t2 nterm t3 nterm t4

(* given a conjunct [p], try to match relations inside p's conjuncts, in order
   to print together range inequalities that refer to the same variable, e.g.
   print
       0 <= i < 100
   instead of
       (i < 100) && (i >= 0)
*)
and nconjunct fmt p =
  (* extract the conjuncts *)
  let rec cnf p = match p.npred_node with
    | NPand (p1,p2) -> cnf p1 @ (cnf p2)
    | _ -> [p]
  in
  (* change sides in a relation *)
  let change_side_rel rel = match rel with
    | Lt -> Gt | Le -> Ge | Gt -> Lt | Ge -> Le | Eq -> Eq | Neq -> Neq
  in
  (* if a valid combination exists, return it.
     Each parameter is a pair of a boolean stating whether the matching term
     was found on the left-hand side or right-hand side of the corresponding
     relation, and the predicate for this relation.
   *)
  let combine (left1,p1) (left2,p2) =
    if left1 = left2 then
      match p1.npred_node,p2.npred_node with
        | NPrel (tl1,op1,tr1),NPrel (tl2,op2,tr2) ->
	    begin match op1,op2 with
	      | (Lt | Le),(Gt | Ge) | (Gt | Ge),(Lt | Le) ->
		  (* combination is possible *)
		  if left1 then
		    begin match op1 with
		      | Lt | Le ->
			  Some (fun fmt ->
			  fprintf fmt "%a %s %a %s %a"
			    nterm tr2 (relation (change_side_rel op2))
			    nterm tl1 (relation op1) nterm tr1)
		      | Gt | Ge ->
			  Some (fun fmt ->
			  fprintf fmt "%a %s %a %s %a"
			    nterm tr1 (relation (change_side_rel op1))
			    nterm tl1 (relation op2) nterm tr2)
		      | Eq | Neq -> 
			  (* not a valid combination *)
			  assert false
		    end
		  else
		    begin match op1 with
		      | Lt | Le ->
			  Some (fun fmt ->
			  fprintf fmt "%a %s %a %s %a"
			    nterm tl1 (relation op1) nterm tr1
			    (relation (change_side_rel op2)) nterm tl2)
		      | Gt | Ge ->
			  Some (fun fmt ->
			  fprintf fmt "%a %s %a %s %a"
			    nterm tl2 (relation op2) nterm tr1
			    (relation (change_side_rel op1)) nterm tl1)
		      | Eq | Neq -> 
			  (* not a valid combination *)
			  assert false
		    end
	      | _ -> None
	    end
	| _ -> 
	    (* both [p1] and [p2] should be relations *)
	    assert false
    else
      match p1.npred_node,p2.npred_node with
        | NPrel (tl1,op1,tr1),NPrel (tl2,op2,tr2) ->
	    begin match op1,op2 with
	      | (Lt | Le),(Lt | Le) | (Gt | Ge),(Gt | Ge) ->
		  (* combination is possible *)
		  if left1 then
		    begin match op1 with
		      | Lt | Le ->
			  Some (fun fmt ->
			  fprintf fmt "%a %s %a %s %a"
			    nterm tl2 (relation op2)
			    nterm tl1 (relation op1) nterm tr1)
		      | Gt | Ge ->
			  Some (fun fmt ->
			  fprintf fmt "%a %s %a %s %a"
			    nterm tr1 (relation (change_side_rel op1))
			    nterm tl1 (relation (change_side_rel op2)) 
			    nterm tl2)
		      | Eq | Neq -> 
			  (* not a valid combination *)
			  assert false
		    end
		  else
		    begin match op1 with
		      | Lt | Le ->
			  Some (fun fmt ->
			  fprintf fmt "%a %s %a %s %a"
			    nterm tl1 (relation op1) nterm tr1
			    (relation op2) nterm tr2)
		      | Gt | Ge ->
			  Some (fun fmt ->
			  fprintf fmt "%a %s %a %s %a"
			    nterm tr2 (relation (change_side_rel op2)) 
			    nterm tr1 (relation op1) nterm tl1)
		      | Eq | Neq -> 
			  (* not a valid combination *)
			  assert false
		    end
	      | _ -> None
	    end
	| _ -> 
	    (* both [p1] and [p2] should be relations *)
	    assert false
  in
  (* search if sub-term [t] of relational predicate [p] can be recognized 
     in another relation. We base this search on names used for printing.
     If another relation [mp] is found in map [m] with the same term [t],
     consider whether they can be combined by calling [combine].
     Otherwise, add the correspondance [t] -> [p] to the map.
   *)
  let search_and_combine p t left m =
    match t.nterm_node with
      | NTvar _ | NTstrlen _ | NTarrlen _ ->
	  let name = match t.nterm_node with
	     | NTvar v -> Some v.var_unique_name
	     | NTstrlen (t1,_,_) ->
		 begin match t1.nterm_node with
		   | NTvar v -> Some ("\\strlen(" ^ v.var_unique_name ^ ")")
		   | _ -> None
		 end
	     | NTarrlen t1 ->
		 begin match t1.nterm_node with
		   | NTvar v -> Some ("\\arrlen(" ^ v.var_unique_name ^ ")")
		   | _ -> None
		 end
	     | _ -> assert false
	  in
	  begin match name with 
	    | Some name ->
		begin try 
		  let mp = StringMap.find name m in
		  match combine (left,p) mp with
		    | Some cp -> (Some cp),StringMap.remove name m
		    | None -> None,StringMap.add name (left,p) m
		with Not_found ->
		  None,StringMap.add name (left,p) m
		end
	    | _ -> None,m
	  end
      | _ -> None,m
  in
  (* [list_conjuncts] is the list of relational predicates combined.
     [name_map] is the pending list of correspondance from term to predicates.
   *)
  let list_conjuncts,name_map =
    List.fold_left 
      (fun (cl,m) p -> match p.npred_node with
         | NPrel (t1,_rel,t2) ->
	     begin match search_and_combine p t1 (* left = *)true m with
	       | (Some cp),new_m ->
		   (* [p] combined, do not search with [t2] *)
		   cp :: cl,new_m
	       | None,new_m ->
		   (* continue search for a combination with [t2] *)
		   begin match search_and_combine p t2 (* left = *)false new_m
		       with
		     | (Some cp),new_m ->
			 cp :: cl,new_m
		     | None,new_m ->
			 (* if [p] added to [m], do not return it now *)
			 if m == new_m then
			   (fun fmt -> npredicate fmt p) :: cl,m
			 else cl,new_m
		   end
	     end
	 | _ -> (fun fmt -> npredicate fmt p) :: cl,m
      ) ([],StringMap.empty) (cnf p)
  in
  (* if [name_map] not empty, add these predicates to the list of conjuncts *)
  let list_conjuncts =
    StringMap.fold (fun _ (_,p) cl -> (fun fmt -> npredicate fmt p) :: cl) 
      name_map list_conjuncts
  in
  fprintf fmt "@[(%a)@]" 
    (print_list (fun fmt () -> fprintf fmt "@\n && ") (fun fmt f -> f fmt))
    list_conjuncts

let parameter fmt  x = fprintf fmt "%a %s" ctype x.var_type x.var_unique_name

let parameters = print_list comma parameter

let logic_parameter fmt (x, ty) = fprintf fmt "%a %s" ctype ty x.var_unique_name

let logic_parameters = print_list comma logic_parameter

let location = nterm

let locations = print_list comma location

let nlogic_symbol fmt li = function
  | NPredicate_reads (pl, locs) ->
      fprintf fmt "/*@@ @[predicate %s(%a) reads %a@] */@\n" li.logic_name
	logic_parameters pl locations locs
  | NPredicate_def (pl, p) ->
      fprintf fmt "/*@@ @[predicate %s(%a) { %a }@] */@\n" li.logic_name
	logic_parameters pl npredicate p
  | NFunction (pl, ty, locs) ->
      fprintf fmt "/*@@ @[logic %a %s(%a) reads %a@] */@\n" ctype ty 
	li.logic_name logic_parameters pl locations locs
  | NFunction_def (pl, ty, t) ->
      fprintf fmt "/*@@ @[logic %a %s(%a) { %a }@] */@\n" ctype ty 
	li.logic_name logic_parameters pl nterm t
	
let spec fmt = function
  | { requires = None; assigns = None; ensures = None; decreases = None } ->
      ()
  | s ->
      let requires fmt p = fprintf fmt "@[requires %a@]@\n" npredicate p in
      let assigns fmt (_,a) = fprintf fmt "@[assigns %a@]@\n" locations a in
      let ensures fmt p = fprintf fmt "@[ensures %a@]@\n" npredicate p in
      let decreases fmt = function
	| (t, None) -> fprintf fmt "@[decreases %a@]@\n" nterm t
	| (t, Some r) -> fprintf fmt "@[decreases %a for %s@]@\n" nterm t r
      in
      fprintf fmt "/*@@ @[%a%a%a%a@] */@\n"
	(print_option requires) s.requires
	(print_option assigns) s.assigns
	(print_option ensures) s.ensures
	(print_option decreases) s.decreases

let loop_annot fmt = function
  | { invariant = None; assume_invariant = None; 
      loop_assigns = None; variant = None } ->
      ()
  | a ->
      let invariant fmt p = fprintf fmt "@[invariant %a@]@\n" npredicate p in
      let assume_invariant fmt p = 
	fprintf fmt "@[assume invariant %a@]@\n" npredicate p in
      let loop_assigns fmt (_,a) = 
	fprintf fmt "@[assigns %a@]@\n" locations a in
      let variant fmt = function
	| (t, None) -> fprintf fmt "@[variant %a@]@\n" nterm t
	| (t, Some r) -> fprintf fmt "@[variant %a for %s@]@\n" nterm t r
      in
      fprintf fmt "/*@@ @[%a%a%a%a@] */@\n"
	(print_option assume_invariant) a.assume_invariant
	(print_option invariant) a.invariant
	(print_option loop_assigns) a.loop_assigns
	(print_option variant) a.variant

let binop fmt = function
  | Badd | Badd_int _ | Badd_float _ | Badd_pointer_int -> fprintf fmt "+" 
  | Bsub | Bsub_int _ | Bsub_float _ | Bsub_pointer -> fprintf fmt "-"
  | Bmul | Bmul_int _ | Bmul_float _ -> fprintf fmt "*"
  | Bdiv | Bdiv_int _ | Bdiv_float _ -> fprintf fmt "/"
  | Bmod | Bmod_int _ -> fprintf fmt "%%" 
  | Blt | Blt_int | Blt_float _ | Blt_pointer -> fprintf fmt "<"
  | Bgt | Bgt_int | Bgt_float _ | Bgt_pointer -> fprintf fmt ">"
  | Ble | Ble_int | Ble_float _ | Ble_pointer -> fprintf fmt "<="
  | Bge | Bge_int | Bge_float _ | Bge_pointer -> fprintf fmt ">="
  | Beq | Beq_int | Beq_float _ | Beq_pointer -> fprintf fmt "=="
  | Bneq | Bneq_int | Bneq_float _ | Bneq_pointer -> fprintf fmt "!=" 
  | Bbw_and -> fprintf fmt "&"
  | Bbw_xor -> fprintf fmt "^"
  | Bbw_or -> fprintf fmt "|"
  | Band -> fprintf fmt "&&"
  | Bor -> fprintf fmt "||"
  | Bshift_left -> fprintf fmt "<<"
  | Bshift_right -> fprintf fmt ">>"


let unop fmt = function
  | Uplus -> fprintf fmt "+"
  | Uminus -> fprintf fmt "-"
  | Unot -> fprintf fmt "!"
  | Ustar -> fprintf fmt "*"
  | Uamp -> fprintf fmt "&"
  | Utilde -> fprintf fmt "~"
  (* these are introduced during typing *)
  | Ufloat_of_int -> fprintf fmt "float_of_int"
  | Uint_of_float -> fprintf fmt "int_of_float"
  | Ufloat_conversion -> fprintf fmt "float_conversion"
  | Uint_conversion -> fprintf fmt "int_conversion"

let rec nexpr fmt e = match e.nexpr_node with
  | NEnop ->
      ()
  | NEconstant (IntConstant s | RealConstant s) ->
      fprintf fmt "%s" s
  | NEstring_literal s ->
      fprintf fmt "\"%S\"" s
  | NEvar (Var_info x) ->
      fprintf fmt "%s" x.var_unique_name
  | NEvar (Fun_info x) ->
      fprintf fmt "%s" x.fun_name
  | NEarrow (e,_,x) ->
      let typ = e.nexpr_type in
      begin match typ.Ctypes.ctype_node with
      | Ctypes.Tpointer (Ctypes.Valid (i,j),_) 
      | Ctypes.Tarray (Ctypes.Valid(i,j),_,_) ->
	  fprintf fmt "%a-%d-ok-%d->%s" nexpr_p e (Int64.to_int i) 
	    (Int64.to_int j) x.var_unique_name
      | _ ->
	  fprintf fmt "%a->%s" nexpr_p e x.var_unique_name
      end
(*  | NEstar e ->
      fprintf fmt "*%a" nexpr_p e*)
  | NEseq (e1, e2) ->
      fprintf fmt "%a, %a" nexpr e1 nexpr e2
  | NEassign (e1, e2) ->
      fprintf fmt "%a = %a" nexpr e1 nexpr e2
  | NEassign_op (e1, op, e2) ->
      fprintf fmt "%a %a= %a" nexpr e1 binop op nexpr e2
  | NEunary (op, e) ->
      fprintf fmt "%a(%a)" unop op nexpr_p e
  | NEincr (Uprefix_inc, e) -> fprintf fmt "++%a" nexpr_p e
  | NEincr (Uprefix_dec, e) -> fprintf fmt "--%a" nexpr_p e
  | NEincr (Upostfix_inc, e) -> fprintf fmt "%a++" nexpr_p e
  | NEincr (Upostfix_dec, e) -> fprintf fmt "%a--" nexpr_p e
  | NEbinary (e1, op, e2) ->
      fprintf fmt "%a %a %a" nexpr_p e1 binop op nexpr_p e2
  | NEcall { ncall_fun = e ; ncall_args = l } ->
      fprintf fmt "%a(%a)" nexpr e (print_list comma nexpr) l
  | NEcond (e1, e2, e3) ->
      fprintf fmt "%a ? %a : %a" nexpr e1 nexpr e2 nexpr e3
  | NEcast (ty, e) ->
      fprintf fmt "(%a)%a" ctype ty nexpr_p e
  | NEmalloc (ty, e) ->
      fprintf fmt "(%a*)malloc(%a * sizeof(%a))" ctype ty nexpr_p e ctype ty

and nexpr_p fmt e = match e.nexpr_node with
  | NEnop | NEconstant _ | NEstring_literal _ | NEvar _ -> nexpr fmt e
  | _ -> fprintf fmt "(@[%a@])" nexpr e

let rec c_initializer fmt = function
  | Iexpr e -> nexpr fmt e
  | Ilist l -> fprintf fmt "@[{ %a }@]" (print_list comma c_initializer) l

let ngoto_status = function
  | GotoBackward -> "backward"
  | GotoForwardOuter -> "forward,outer"
  | GotoForwardInner -> "forward,inner"

let rec nstatement fmt s = match s.nst_node with
  | NSnop -> 
      fprintf fmt ";"
  | NSexpr e ->
      fprintf fmt "@[%a;@]" nexpr e
  | NSif (e, s1, s2) ->
      fprintf fmt "@[if (%a) {@\n    @[%a@]@\n} else {@\n    @[%a@]@\n}@]"
	nexpr e nstatement_nb s1 nstatement_nb s2
  | NSwhile (a, e, s) ->
      fprintf fmt "@[%awhile (%a) {@\n    @[%a@]@\n}@]" 
	loop_annot a nexpr e nstatement_nb s
  | NSdowhile (a, s, e) ->
      fprintf fmt "@[%ado {@\n    @[%a@]@\n} while (%a);@]" 
	loop_annot a nstatement_nb s nexpr e 
  | NSfor (a, e1, e2, e3, s) ->
      fprintf fmt "@[%afor (%a; %a; %a) {@\n    @[%a@]@\n}@]"
	loop_annot a nexpr e1 nexpr e2 nexpr e3 nstatement_nb s
  | NSreturn None ->
      fprintf fmt "return;"
  | NSreturn (Some e) ->
      fprintf fmt "@[return %a;@]" nexpr e
  | NSbreak ->
      fprintf fmt "break;"
  | NScontinue ->
      fprintf fmt "continue;"
  | NSlabel (l, s) ->
      fprintf fmt "%s: %a" l.label_info_name nstatement s
  | NSgoto (status, l) ->
      fprintf fmt "goto(%s) %s" (ngoto_status status) l.label_info_name 
  | NSswitch (e, _m, l) ->
      fprintf fmt "@[switch (%a) {@\n    @[%a@]@\n}@]"
	nexpr e (print_list newline ncase) l
  | NSassert p ->
      fprintf fmt "/*@@ assert %a */" npredicate p
  | NSassume p ->
      fprintf fmt "/*@@ assume %a */" npredicate p
  | NSlogic_label l ->
      fprintf fmt "/*@@ label %s */" l
  | NSspec (sp, s) ->
      fprintf fmt "%a%a" spec sp nstatement s
  | NSblock b ->
      fprintf fmt "@[{@\n  @[%a@]@\n}@]" nblock b
  | NSdecl _ ->
      (* successive declarations share the same block statement *)
      fprintf fmt "@[{@\n";
      nsdecl fmt s;
      fprintf fmt "@\n}@\n@]"

and nsdecl fmt s = match s.nst_node with
  | NSdecl (ty, vi, None,rem) ->
      fprintf fmt "%a %s;@\n" ctype ty vi.var_unique_name;
      nsdecl fmt rem
  | NSdecl (ty, vi, Some i, rem) ->
      fprintf fmt "%a %s = %a;@\n" ctype ty vi.var_unique_name c_initializer i;
      nsdecl fmt rem
  | _ -> nstatement fmt s
    
and nstatement_nb fmt s = match s.nst_node with
  | NSblock b -> nblock fmt b
  | _ -> nstatement fmt s

and nblock fmt sl =
  fprintf fmt "@[%a@]" 
    (print_list newline nstatement) sl

and ncase fmt (cmap,sl) =
  fprintf fmt "@[%a    %a@]"
    (fun fmt -> 
       if Cconst.IntMap.is_empty cmap then
	 (fun _ -> fprintf fmt "default:@\n")
       else
	 Cconst.IntMap.iter 
	   (fun _ e -> fprintf fmt "case %a:@\n" nexpr e)) cmap
    nblock sl

and ndecl fmt d = match d.node with
  | Nlogic (li, ls) -> 
      nlogic_symbol fmt li ls
  | Naxiom (x, p) -> 
      fprintf fmt "/*@@ @[axiom %s:@ %a@] */@\n" x npredicate p
  | Ninvariant (x, p) -> 
      fprintf fmt "/*@@ @[invariant %s:@ %a@] */@\n" x npredicate p 
  | Ninvariant_strong (x, p) -> 
      fprintf fmt "/*@@ @[strong invariant %s:@ %a@] */@\n" x 
	npredicate p
  | Ntypedef (ty, x) ->
      fprintf fmt "typedef %a %s;@\n" ctype ty x
  | Ntypedecl ty ->
      fprintf fmt "%a;@\n" ctype ty
  | Ndecl (ty, vi, None) ->
      fprintf fmt "%a %s;@\n" ctype ty vi.var_unique_name
  | Ndecl (ty, vi, Some i) ->
      fprintf fmt "%a %s = %a;@\n" ctype ty vi.var_unique_name c_initializer i
(*  | Nfunspec (s, ty, fi) ->
      fprintf fmt "%a%a %s(@[%a@]);@\n" spec s ctype ty fi.fun_name
	parameters fi.args
  | Nfundef (s, ty, fi, st) ->
      fprintf fmt "%a%a %s(@[%a@])@\n%a@\n" spec s ctype ty fi.fun_name
	 parameters fi.args nstatement st
*)
  | Ntype s ->
      fprintf fmt "/*@@ type %s */@\n" s

let nfile fmt p = 
  fprintf fmt "@[";
  Cenv.iter_all_struct (declare_struct fmt);
  List.iter (fun d -> ndecl fmt d; fprintf fmt "@\n") p;
  fprintf fmt "@]@."


let nfunctions fmt =
  Hashtbl.iter
    (fun _f (s, ty, fi, st,_) -> 
       match st with
	 | Some st ->
	     fprintf fmt "%a%a %s(@[%a@])@\n%a@\n" spec s ctype ty fi.fun_name
	       parameters fi.args nstatement st
	 | None ->
	     fprintf fmt "%a%a %s(@[%a@]);@\n" spec s ctype ty fi.fun_name
	       parameters fi.args)
    Cenv.c_functions


why-2.34/c/cinit.mli0000644000175000017500000000506412311670312012655 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Cast

val pop_initializer : Loc.position -> Cast.tctype ->
    Cast.texpr Cast.c_initializer list ->
    tterm * Cast.texpr Cast.c_initializer list

val invariants_initially_established_info : Info.fun_info

val add_init : tdecl located list -> tdecl located list

val user_invariants : bool ref
why-2.34/c/cmain.ml0000644000175000017500000001740612311670312012470 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format
open Coptions
open Cerror
open Creport
open Output

let parse_file f =
  let ppf = Cpp.cpp f in
  let c = open_in ppf in
  let p = Clexer.parse c in
  close_in c;
  f, p

let type_file (f,p) = 
  (f, Ctyping.type_file p)


let main () = 
  let t0 = Unix.times () in
  (* parsing *)
  let input_files = files () in
  let pfiles = List.map parse_file input_files in
  if parse_only then exit 0;
  (* typing *)
  let tfiles = List.map type_file pfiles in
  if type_only then exit 0;
  let on_all_files g = List.map (fun (f, dl) -> (f, g dl)) in
  (* initialisation of global variables *)
  let tfiles = on_all_files Cinit.add_init tfiles in
  (* call graph *)
  List.iter (fun (_,p) -> Cgraph.file p) tfiles ;
  if print_graph then Cprint_graph.print_graph ();
  let tab_comp = Cgraph.find_comp tfiles in
  (* normalisation *)
  Cenv.update_fields_type ();
  lprintf "starting normalization of programs.@.";  
  let nfiles = on_all_files Cnorm.file tfiles in
  (* local aliasing analysis *)
  if local_aliasing then Cptr.local_aliasing_transform ();
  (* separation *)  
  lprintf "starting separation of variables.@.";
  List.iter (fun (_,p) -> Cseparation.file p)  nfiles;
  lprintf "starting separation of initializers.@.";
  Cseparation.funct [Cinit.invariants_initially_established_info]; 
  lprintf "starting separation of functions.@.";
  Array.iter (fun l -> 
		Cseparation.funct l ) 
    tab_comp;  
  (* typing predicates *)  
  lprintf "computing typing predicates.@.";
  let nfiles = on_all_files Invariant.add_predicates nfiles in
  if print_norm then begin
    lprintf "on user request, printing the normalized C code.@.";
    let print_fun = ref true in
    List.iter 
      (fun (f,p) -> 
	 let c = open_out (f ^ "norm") in
	 let fmt = Format.formatter_of_out_channel c in
	 Format.fprintf fmt "/* Declarations */@.@.";
	 Format.fprintf fmt "%a@." Cprint.nfile p;
	 if !print_fun then begin
	   Format.fprintf fmt "/* Functions */@.@.";
	   Cprint.nfunctions fmt;
	   Format.fprintf fmt "@.";
	   print_fun := false;
	 end;
	 close_out c) nfiles;
  end;
  (* effects *)
  lprintf "starting computation of effects.@.";
  List.iter (fun (_,p) -> Ceffect.file p) nfiles;
  Array.iter (Ceffect.effect nfiles) tab_comp;
  Queue.iter 
    (fun (loc,msg) ->
       lprintf "%a %s@." Loc.report_position loc msg;
       warning loc "%s" msg)
    Ceffect.warnings;
  lprintf "heap variables: %a@." Ceffect.print_heap_vars ();
  (* Why interpretation *)
  let why_specs =
    List.fold_left 
      (fun specs (_,f) -> 
	 let s = Cinterp.interp f in s @ specs) 
      [] nfiles
  in
  let (why_code,why_specs) = Cinterp.interp_functions why_specs in
  (* Why specs *)
  let first_file = Filename.chop_extension (List.hd input_files) in
  let file = Lib.file "why" (first_file ^ "_spec") in
  Pp.print_in_file 
    (fun fmt -> 
       fprintf fmt 
	 "(* this file was automatically generated; do not edit *)@\n@\n";
       fprintf fmt "(* zone variables *)@.";
       if Coptions.no_zone_type then
	 fprintf fmt "type global@.@."
       else
	 Hashtbl.iter 
	   (fun name z ->
	      match z.Info.repr with 
		| None ->
		    let d = Type (id_no_loc name,[]) in
		    fprintf fmt "@[%a@]" fprintf_why_decls [d]
		| Some _ -> ())
	   Cenv.zone_table;
       fprintf fmt "(* logic types *)@.";
       Cenv.iter_types (fun t -> fprintf fmt "@[type %s@\n@]" t);

       let why_int_types = 
	 Cinterp.make_int_types_decls () @ Cinterp.make_enum_types_decls ()
       in
       if why_int_types <> [] then begin
	 fprintf fmt "(* C integer types *)@.";
	 Output.fprintf_why_decls fmt why_int_types
       end;

       fprintf fmt "(* heap variables *)@.";
       Hashtbl.iter 
	 (fun v bt -> 
	    let d = Param 
	      (false, id_no_loc v, 
	       Ref_type (Base_type (Info.output_why_type ~quote_var:false 
				      bt.Info.var_why_type))) in
	    fprintf fmt "@[%a@]" fprintf_why_decls [d])
	 Ceffect.heap_vars;
       fprintf fmt "(* functions specifications *)@\n";
       Output.fprintf_why_decls fmt why_specs) 
    (file ^ ".tmp");
  Lib.file_copy_if_different (file ^ ".tmp") (file ^ ".why");
  (* function bodies *)
  if separate then begin
    List.iter
      (fun (f,d) ->
	 Cmake.add first_file f;
	 let file = Lib.file "why" (first_file ^ "__" ^ f ) in
	 Pp.print_in_file 
	   (fun fmt -> Output.fprintf_why_decl fmt d) (file ^ ".tmp");
	 Lib.file_copy_if_different (file ^ ".tmp") (file ^ ".why"))
      why_code
  end else begin
    let file = Lib.file "why" first_file in
    let why_code = List.map snd why_code in
    Pp.print_in_file 
      (fun fmt -> Output.fprintf_why_decls fmt why_code) (file ^ ".tmp");
    Lib.file_copy_if_different (file ^ ".tmp") (file ^ ".why")
  end;
  (* print locs *)
  Pp.print_in_file Cinterp.print_locs (Lib.file "." (first_file ^ ".loc"));
  (* makefile *)
  Cmake.makefile first_file;
  if show_time then
    let t1 = Unix.times () in
    printf "Caduceus execution time : %3.2f@." (t1.Unix.tms_utime -. 
					     t0.Unix.tms_utime)
  else
    ()

       
       
 
let rec explain_exception fmt = function
  | Parsing.Parse_error -> 
      fprintf fmt "Syntax error"
  | Stream.Error s -> 
      fprintf fmt "Syntax error: %s" s
  | Error (Some loc, e) ->
      fprintf fmt "%a%a" Loc.report_position loc report e
  | Error (_, e) ->
      report fmt e
  | e ->
      fprintf fmt "Anomaly: %s@." (Printexc.to_string e);
      raise e


(* for debugging *)

(*
let () = main (); exit 1
*) 

let () =
  try
    main ()
  with e ->
    eprintf "%a@." explain_exception e;
    exit 1

(*
Local Variables: 
compile-command: "make -j -C .. bin/caduceus.byte"
End: 
*)
why-2.34/c/cast.mli0000644000175000017500000003131012311670312012472 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s C types *)

open Clogic
open Ctypes

type 'a located = { node : 'a; loc : Loc.position }

type 'expr cinteger = Char | Short | Int | Long | LongLong | Bitfield of 'expr

type 'a tagged = Tag | Decl of 'a

type 'expr ctype_node =
  | CTvoid
  | CTint of sign * 'expr cinteger
  | CTfloat of cfloat
  | CTvar of string
  | CTarray of 'expr ctype * 'expr option
  | CTpointer of 'expr ctype
  | CTstruct of string * 'expr field list tagged
  | CTunion of string * 'expr field list tagged
  | CTenum of string * (string * 'expr option) list tagged
  | CTfun of 'expr parameter list * 'expr ctype

and 'expr ctype = { 
  ctype_node : 'expr ctype_node;
  ctype_storage : storage_class;
  ctype_const : bool;
  ctype_volatile : bool;
}

and 'expr parameter = 'expr ctype * string

and 'expr field = 'expr ctype * string * 'expr option

(*s C parsed abstract syntax trees *)

type assign_operator = 
  | Aequal | Amul | Adiv | Amod | Aadd | Asub | Aleft | Aright 
  | Aand | Axor | Aor

type incr_operator = 
  | Uprefix_inc | Uprefix_dec | Upostfix_inc | Upostfix_dec 

type unary_operator = 
  | Uplus | Uminus | Unot | Ustar | Uamp | Utilde
  (* these are introduced during typing *)
  | Ufloat_of_int | Uint_of_float | Ufloat_conversion | Uint_conversion

type binary_operator =
  | Badd | Bsub | Bmul | Bdiv | Bmod 
  | Blt | Bgt | Ble | Bge | Beq | Bneq 
  | Bbw_and | Bbw_xor | Bbw_or | Band | Bor
  | Bshift_left | Bshift_right
  (* these are introduced during typing *)
  | Badd_int of (sign * Ctypes.cinteger) 
  | Bsub_int of (sign * Ctypes.cinteger) 
  | Bmul_int of (sign * Ctypes.cinteger)
  | Bdiv_int of (sign * Ctypes.cinteger)
  | Bmod_int of (sign * Ctypes.cinteger)
  | Blt_int | Bgt_int | Ble_int | Bge_int | Beq_int | Bneq_int 
  | Badd_float of cfloat | Bsub_float of cfloat 
  | Bmul_float of cfloat | Bdiv_float of cfloat
  | Blt_float of cfloat | Bgt_float of cfloat | Ble_float of cfloat 
  | Bge_float of cfloat | Beq_float of cfloat | Bneq_float of cfloat
  | Badd_pointer_int (* pointer + int *) 
  | Bsub_pointer     (* pointer - pointer *)
  | Blt_pointer | Bgt_pointer | Ble_pointer | Bge_pointer 
  | Beq_pointer | Bneq_pointer

type cexpr = cexpr_node located

and cexpr_node =
  | CEnop
  | CEconstant of constant
  | CEstring_literal of string
  | CEvar of string
  | CEdot of cexpr * string
  | CEarrow of cexpr * string
  | CEarrget of cexpr * cexpr
  | CEseq of cexpr * cexpr
  | CEassign of cexpr * cexpr
  | CEassign_op of cexpr * binary_operator * cexpr
  | CEunary of unary_operator * cexpr
  | CEincr of incr_operator * cexpr
  | CEbinary of cexpr * binary_operator * cexpr
  | CEcall of cexpr * cexpr list
  | CEcond of cexpr * cexpr * cexpr
  | CEcast of cexpr ctype * cexpr
  | CEsizeof_expr of cexpr
  | CEsizeof of cexpr ctype

type 'expr c_initializer = 
  | Iexpr of 'expr
  | Ilist of 'expr c_initializer list

type pctype = cexpr ctype

(* parsed logic AST *)

type parsed_term = Clogic.lexpr
type parsed_predicate = Clogic.lexpr
type parsed_spec = (parsed_term, parsed_predicate) spec
type parsed_loop_annot = (parsed_term, parsed_predicate) loop_annot
type parsed_logic_type = logic_type

type parsed_decl = 
  | LDlogic of 
      Info.logic_info * parsed_logic_type * string list * 
	(parsed_logic_type * string) list * parsed_term location list
  | LDlogic_def of 
      Info.logic_info * parsed_logic_type * string list * 
	(parsed_logic_type * string) list * parsed_term
  | LDpredicate_reads of 
      Info.logic_info * (parsed_logic_type * string) list 
      * parsed_term location list
  | LDpredicate_def of 
      Info.logic_info * (parsed_logic_type * string) list * parsed_predicate
  | LDaxiom of string * parsed_predicate
  | LDinvariant of string * parsed_predicate
  | LDghost of cexpr ctype * string * lexpr c_initializer option
  | LDtype of string * Loc.position

type ghost_lvalue = lexpr

type parsed_code_annot = 
  | Assert of parsed_predicate 
  | Assume of parsed_predicate 
  | Label of string
  | GhostSet of ghost_lvalue * lexpr 

type parsed_annot = 
  | Adecl of parsed_decl list
  | Aspec of parsed_spec
  | Acode_annot of parsed_code_annot
  | Aloop_annot of parsed_loop_annot

type cstatement = cstatement_node located

and cstatement_node =
  | CSnop
  | CSexpr of cexpr
  | CSif of cexpr * cstatement * cstatement
  | CSwhile of parsed_loop_annot * cexpr * cstatement
  | CSdowhile of parsed_loop_annot * cstatement * cexpr
  | CSfor of parsed_loop_annot * cexpr * cexpr * cexpr * cstatement
  | CSblock of block
  | CSreturn of cexpr option
  | CSbreak
  | CScontinue
  | CSlabel of string * cstatement
  | CSswitch of cexpr * cstatement
  | CScase of cexpr * cstatement
  | CSdefault of cstatement
  | CSgoto of string
  | CSannot of parsed_code_annot
  | CSspec of parsed_spec * cstatement

and block = decl located list * cstatement list

and decl = 
  | Cspecdecl of parsed_decl
  | Ctypedef of cexpr ctype * string
  | Ctypedecl of cexpr ctype
  | Cdecl of cexpr ctype * string * cexpr c_initializer option
  | Cfunspec of parsed_spec * cexpr ctype * string * cexpr parameter list
  | Cfundef of parsed_spec option * 
      cexpr ctype * string * cexpr parameter list * cstatement

type file = decl located list

(*s C typed abstract syntax trees *)

open Clogic

type texpr = {
  texpr_node : texpr_node;
  texpr_type : tctype;
  texpr_loc  : Loc.position;
}

and texpr_node =
  | TEnop
  | TEconstant of constant
  | TEstring_literal of string
  | TEvar of Info.env_info
  | TEdot of lvalue * Info.var_info
  | TEarrow of lvalue * Info.var_info
  | TEarrget of lvalue * texpr
  | TEseq of texpr * texpr
  | TEassign of lvalue * texpr
  | TEassign_op of lvalue * binary_operator * texpr
  | TEunary of unary_operator * texpr
  | TEincr of incr_operator * texpr
  | TEbinary of texpr * binary_operator * texpr
  | TEcall of texpr * texpr list
  | TEcond of texpr * texpr * texpr
  | TEcast of tctype * texpr
  | TEsizeof of tctype * int64
  | TEmalloc of tctype * texpr

and lvalue = texpr (* TODO: cf CIL *)

and tctype = Ctypes.ctype

type tterm = tctype term

type predicate = tctype Clogic.predicate

type spec = (tterm, predicate) Clogic.spec

type variant = tterm * string option

type loop_annot = (tterm, predicate) Clogic.loop_annot

type goto_status = GotoBackward | GotoForwardOuter | GotoForwardInner

type tstatement = {
  st_node : tstatement_node;
  st_break : bool;    (* may breaks *)
  st_continue : bool; (* may continue *)
  st_return : bool;   (* may return *)
  st_term : bool;     (* may terminate normally *)
  st_loc : Loc.position
}

and tstatement_node =
  | TSnop
  | TSexpr of texpr
  | TSif of texpr * tstatement * tstatement
  | TSwhile of loop_annot * texpr * tstatement
  | TSdowhile of loop_annot * tstatement * texpr
  | TSfor of loop_annot * texpr * texpr * texpr * tstatement
  | TSblock of tblock
  | TSreturn of texpr option
  | TSbreak
  | TScontinue
  | TSlabel of Info.label_info * tstatement
  | TSswitch of texpr * tstatement
  | TScase of texpr * tstatement
  | TSdefault of tstatement
  | TSgoto of goto_status * Info.label_info
  | TSassert of predicate
  | TSassume of predicate
  | TSlogic_label of string
  | TSspec of spec * tstatement
  | TSset of (tterm * tterm)

and tblock = tdecl located list * tstatement list

and tdecl = 
  | Tlogic of Info.logic_info * (tterm,tctype) logic_symbol
  | Taxiom of string * predicate
  | Tinvariant of string * predicate
  | Tghost of Info.var_info *  tterm c_initializer option
  | Ttype of string
  | Ttypedef of tctype * string
  | Ttypedecl of tctype
  | Tdecl of tctype * Info.var_info * texpr c_initializer option
  | Tfunspec of spec * tctype * Info.fun_info 
  | Tfundef of spec * tctype * Info.fun_info * tstatement 

type tfile = tdecl located list


(*

normalized AST

*)

type nexpr = {
  nexpr_node : nexpr_node;
  nexpr_type : nctype;
  nexpr_loc  : Loc.position;
}

and ncall = {
  ncall_fun : nexpr;
  ncall_args : nexpr list;
  mutable ncall_zones_assoc : (Info.zone * Info.zone) list;
}

and nexpr_node =
  | NEnop
  | NEconstant of constant
  | NEstring_literal of string
  | NEvar of Info.env_info
  | NEarrow of nlvalue * Info.zone * Info.var_info
  | NEseq of nexpr * nexpr
  | NEassign of nlvalue * nexpr
  | NEassign_op of nlvalue * binary_operator * nexpr
  | NEunary of unary_operator * nexpr
  | NEincr of incr_operator * nexpr
  | NEbinary of nexpr * binary_operator * nexpr
  | NEcall of ncall
  | NEcond of nexpr * nexpr * nexpr
  | NEcast of nctype * nexpr
  | NEmalloc of nctype * nexpr

and nlvalue = nexpr (* TODO: cf CIL *)

and nctype = (*int64*) Ctypes.ctype

type nterm = nctype Clogic.nterm

type npredicate = nctype Clogic.npredicate

type nspec = (nterm, npredicate) Clogic.spec

type nvariant = nterm * string option

type nloop_annot = (nterm, npredicate) Clogic.loop_annot

type nstatement = {
  nst_node : nstatement_node;
  nst_break : bool;    (* may break *)
  nst_continue : bool; (* may continue *)
  nst_return : bool;   (* may return *)
  nst_term : bool;     (* may terminate normally *)
  nst_loc : Loc.position
}

and nstatement_node =
  | NSnop
  | NSexpr of nexpr
  | NSif of nexpr * nstatement * nstatement
  | NSwhile of nloop_annot * nexpr * nstatement
  | NSdowhile of nloop_annot * nstatement * nexpr
  | NSfor of nloop_annot * nexpr * nexpr * nexpr * nstatement
  | NSblock of nblock
  | NSreturn of nexpr option
  | NSbreak
  | NScontinue
  | NSgoto of goto_status * Info.label_info
  | NSlabel of Info.label_info * nstatement
  | NSswitch of nexpr * (nexpr Cconst.IntMap.t) * 
      ((nexpr Cconst.IntMap.t * nstatement list) list)
      (* NSswitch(e,used_cases,all_cases):
	 e is the expression to test 
         used_cases is a map with gives all the possible cases, mapping each value to the constant expression in comes from in the program 
	 all_cases is the list of all branches, where each case is given by 
           - the cases involved (a submap of used_cases)
           - the statements to execute
	 *)
  | NSassert of npredicate
      (* [NSassume] used to communicate results of abstract interpretation
	 to the module that inserts verification conditions *)
  | NSassume of npredicate
  | NSlogic_label of string
  | NSspec of nspec * nstatement
  | NSdecl of nctype * Info.var_info * nexpr c_initializer option * nstatement

and nblock = nstatement list

and ndecl = 
  | Nlogic of Info.logic_info * (nterm,nctype) nlogic_symbol
  | Naxiom of string * npredicate
  | Ninvariant of string * npredicate
  | Ninvariant_strong of string * npredicate
  | Ntypedef of nctype * string
  | Ntypedecl of nctype
  | Ndecl of nctype * Info.var_info * nexpr c_initializer option
  | Ntype of string

type nfile = ndecl located list
why-2.34/c/cprint_annot.ml0000644000175000017500000003676712311670312014112 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Pretty-printer for typed AST *)

open Format
open Ctypes
open Clogic
open Cast
open Info
open Pp

let rec ctype fmt ty =
  ctype_node fmt ty.Ctypes.ctype_node

and ctype_node fmt = function
  | Tvoid -> fprintf fmt "void"
  | Tint _ -> fprintf fmt "int"
  | Tfloat _ -> fprintf fmt "float"
  | Ctypes.Tvar s -> fprintf fmt "%s" s
  | Tarray (ty, None) -> fprintf fmt "%a[]" ctype ty
  | Tarray (ty, Some n) -> fprintf fmt "%a[%Ld]" ctype ty n
  | Tpointer ty -> fprintf fmt "%a*" ctype ty
  | Tstruct s -> fprintf fmt "struct %s" s
  | Tunion s -> fprintf fmt "union %s" s
  | Tenum s -> fprintf fmt "enum %s" s
  | Tfun _ -> fprintf fmt ""

let declare_struct fmt s (_,fields) =
  fprintf fmt "@[struct %s {@\n" s;
  begin match Cenv.tag_type_definition s with
    | Cenv.TTStructUnion(_,fields) ->
	List.iter (fun f ->
		     fprintf fmt "%a %s;@\n" ctype f.var_type f.var_unique_name) fields 
    | _ -> assert false
  end;
  fprintf fmt "};@]@\n@\n"

let term_unop = function
  | Clogic.Uminus -> "-"
  | Clogic.Utilde -> "~"
  | Clogic.Ustar -> "*"
  | Clogic.Uamp -> "&"
  | Clogic.Ufloat_of_int -> "float_of_int"
  | Clogic.Uint_of_float -> "int_of_float"

let term_binop = function
  | Clogic.Badd -> "+"
  | Clogic.Bsub -> "-"
  | Clogic.Bmul -> "*"
  | Clogic.Bdiv -> "/"
  | Clogic.Bmod -> "%"
 
let rec term fmt t = match t.term_node with
  | Tconstant (IntConstant s | FloatConstant s) ->
      fprintf fmt "%s" s
  | Tvar x ->
      fprintf fmt "%s" x.var_name
  | Tapp (li, tl) ->
      fprintf fmt "%s(%a)" li.logic_name (print_list comma term) tl
  | Tunop (op, t) ->
      fprintf fmt "%s%a" (term_unop op) term_p t
(*  | Tstar t ->
      fprintf fmt "*%a" term_p t*)
  | Tdot (t, vi) ->
       fprintf fmt "%a.%s" term_p t vi.var_name
  | Tarrget (t, n) ->
      fprintf fmt "%a[%a]" term_p t term_p n
  | Tbinop (t1, op, t2) ->
      fprintf fmt "%a %s %a" term_p t1 (term_binop op) term_p t2
  | Tarrow (t, vi) ->
      fprintf fmt "%a->%s" term_p t vi.var_name
  | Tif (t1, t2, t3) ->
      fprintf fmt "%a ? %a : %a" term_p t1 term_p t2 term_p t3
  | Told t ->
      fprintf fmt "\\old(%a)" term t
  | Tat (t, l) ->
      fprintf fmt "\\at(%a, %s)" term t l
  | Tbase_addr t ->
      fprintf fmt "\\base_addr(%a)" term t
  | Tblock_length t ->
      fprintf fmt "\\block_length(%a)" term t
  | Tarrlen t ->
      fprintf fmt "\\arrlen(%a)" term t
  | Tstrlen t ->
      fprintf fmt "\\strlen(%a)" term t
  | Tnull ->
      fprintf fmt "null"
  | Tcast (ty, t) ->
      fprintf fmt "(%a)%a" ctype ty term t
  | Trange (t1, t2, t3) ->
      fprintf fmt "%a[%a..%a]" term t1 term_option t2 term_option t3

and term_p fmt t = match t.term_node with
  | Tconstant _ | Tvar _ | Tapp _ | Tnull | Told _ | Tat _ ->
      term fmt t
  | _ ->
      fprintf fmt "(%a)" term t

and term_option fmt = function
  | None -> ()
  | Some t -> term fmt t

let quantifier fmt (ty, x) = fprintf fmt "%a %s" ctype ty x.var_name

let quantifiers = print_list comma quantifier

let relation = function
  | Lt -> "<"
  | Gt -> ">"
  | Le -> "<="
  | Ge -> ">="
  | Eq -> "=="
  | Neq -> "!="
 
let rec predicate fmt = function
  | Pfalse ->
      fprintf fmt "false"
  | Ptrue ->
      fprintf fmt "true"
  | Papp (li, tl) ->
      fprintf fmt "%s(%a)" li.logic_name (print_list comma term) tl
  | Prel (t1, rel, t2) ->
      fprintf fmt "%a %s %a" term t1 (relation rel) term t2
  | Pand (p1, p2) ->
      fprintf fmt "%a &&@ %a" predicate p1 predicate p2
  | Por (p1, p2) ->
      fprintf fmt "%a ||@ %a" predicate p1 predicate p2
  | Pimplies (p1, p2) ->
      fprintf fmt "%a ->@ %a" predicate p1 predicate p2
  | Piff (p1, p2) ->
      fprintf fmt "%a <->@ %a" predicate p1 predicate p2
  | Pnot p ->
      fprintf fmt "! %a" predicate p
  | Pif (t, p1, p2) ->
      fprintf fmt "%a ? %a : %a" term t predicate p1 predicate p2
  | Pforall (q, p) ->
      fprintf fmt "\\forall %a;@ %a" quantifiers q predicate p
  | Pexists (q, p) ->
      fprintf fmt "\\exists %a;@ %a" quantifiers q predicate p
  | Pold p ->
      fprintf fmt "\\old(%a)" predicate p
  | Pat (p, l) ->
      fprintf fmt "\\at(%a, %s)" predicate p l
  | Pseparated (t1,t2) ->
      fprintf fmt "\\separated(%a, %a)" term t1 term t2  
  | Pfullseparated (t1,t2) ->
      fprintf fmt "\\fullseparated(%a, %a)" term t1 term t2
  | Pvalid t ->
      fprintf fmt "\\valid(%a)" term t
  | Pvalid_index (t1, t2) ->
      fprintf fmt "\\valid_index(%a, %a)" term t1 term t2
  | Pvalid_range (t1, t2, t3) ->
      fprintf fmt "\\valid_range(%a, %a, %a)" term t1 term t2 term t3
  | Pfresh t ->
      fprintf fmt "\\fresh(%a)" term t
  | Pnamed (id, p) ->
      fprintf fmt "%s:: %a" id predicate p

let parameter fmt  x = fprintf fmt "%a %s" ctype x.var_type x.var_name

let parameters = print_list comma parameter

let logic_parameter fmt (x, ty) = fprintf fmt "%a %s" ctype ty x.var_unique_name

let logic_parameters = print_list comma logic_parameter

let location = term
(****
let location fmt = function
  | Lterm t -> nterm fmt t
  | Lstar t -> fprintf fmt "%a[*]" nterm t
  | Lrange (t1, t2, t3) -> fprintf fmt "%a[%a..%a]" nterm t1 nterm t2 nterm t3
****)

let locations = print_list comma location

let logic_symbol fmt li = function
  | Predicate_reads (pl, locs) ->
      fprintf fmt "/*@@ @[predicate %s(%a) reads %a@] */@\n" li.logic_name
	logic_parameters pl locations locs
  | Predicate_def (pl, p) ->
      fprintf fmt "/*@@ @[predicate %s(%a) { %a }@] */@\n" li.logic_name
	logic_parameters pl predicate p
  | Function (pl, ty, locs) ->
      fprintf fmt "/*@@ @[logic %a %s(%a) reads %a@] */@\n" ctype ty 
	li.logic_name logic_parameters pl locations locs
	
let spec fmt = function
  | { requires = None; assigns = None; ensures = None; decreases = None } ->
      ()
  | s ->
      let requires fmt p = fprintf fmt "@[requires %a@]@\n" predicate p in
      let assigns fmt a = fprintf fmt "@[assigns %a@]@\n" locations a in
      let ensures fmt p = fprintf fmt "@[ensures %a@]@\n" predicate p in
      let decreases fmt = function
	| (t, None) -> fprintf fmt "@[decreases %a@]@\n" term t
	| (t, Some r) -> fprintf fmt "@[decreases %a for %s@]@\n" term t r
      in
      fprintf fmt "/*@@ @[%a%a%a%a@] */@\n"
	(print_option requires) s.requires
	(print_option assigns) s.assigns
	(print_option ensures) s.ensures
	(print_option decreases) s.decreases

let loop_annot fmt = function
  | { invariant = None; loop_assigns = None; variant = None } ->
      ()
  | a ->
      let invariant fmt p = fprintf fmt "@[invariant %a@]@\n" predicate p in
      let loop_assigns fmt a = fprintf fmt "@[assigns %a@]@\n" locations a in
      let variant fmt = function
	| (t, None) -> fprintf fmt "@[variant %a@]@\n" term t
	| (t, Some r) -> fprintf fmt "@[variant %a for %s@]@\n" term t r
      in
      fprintf fmt "/*@@ @[%a%a%a@] */@\n"
	(print_option invariant) a.invariant
	(print_option loop_assigns) a.loop_assigns
	(print_option variant) a.variant

let binop fmt = function
  | Badd | Badd_int | Badd_float | Badd_pointer_int -> fprintf fmt "+" 
  | Bsub | Bsub_int | Bsub_float | Bsub_pointer -> fprintf fmt "-"
  | Bmul | Bmul_int | Bmul_float -> fprintf fmt "*"
  | Bdiv | Bdiv_int | Bdiv_float -> fprintf fmt "/"
  | Bmod | Bmod_int -> fprintf fmt "%%" 
  | Blt | Blt_int | Blt_float | Blt_pointer -> fprintf fmt "<"
  | Bgt | Bgt_int | Bgt_float | Bgt_pointer -> fprintf fmt ">"
  | Ble | Ble_int | Ble_float | Ble_pointer -> fprintf fmt "<="
  | Bge | Bge_int | Bge_float | Bge_pointer -> fprintf fmt ">="
  | Beq | Beq_int | Beq_float | Beq_pointer -> fprintf fmt "=="
  | Bneq | Bneq_int | Bneq_float | Bneq_pointer -> fprintf fmt "!=" 
  | Bbw_and -> fprintf fmt "&"
  | Bbw_xor -> fprintf fmt "^"
  | Bbw_or -> fprintf fmt "|"
  | Band -> fprintf fmt "&&"
  | Bor -> fprintf fmt "||"
  | Bshift_left -> fprintf fmt "<<"
  | Bshift_right -> fprintf fmt ">>"


let unop fmt = function
  | Uplus -> fprintf fmt "+"
  | Uminus -> fprintf fmt "-"
  | Unot -> fprintf fmt "!"
  | Ustar -> fprintf fmt "*"
  | Uamp -> fprintf fmt "&"
  | Utilde -> fprintf fmt "~"
  (* these are introduced during typing *)
  | Ufloat_of_int -> fprintf fmt "float_of_int"
  | Uint_of_float -> fprintf fmt "int_of_float"

let rec expr fmt e = match e.texpr_node with
  | TEnop ->
      ()
  | TEconstant (IntConstant s | FloatConstant s) ->
      fprintf fmt "%s" s
  | TEstring_literal s ->
      fprintf fmt "\"%S\"" s
  | TEvar (Var_info x) ->
      fprintf fmt "%s" x.var_name
  | TEvar (Fun_info x) ->
      fprintf fmt "%s" x.fun_name
  | TEarrow (e, x) ->
      fprintf fmt "%a->%s" expr_p e x.var_name
  | TEarrget (e1, e2) ->
      fprintf fmt "%a[%a]" expr_p e1 expr_p e2
  | TEdot (e, vi) ->
      fprintf fmt "%a.%s" expr_p e vi.var_name
  | TEsizeof (ty, s) ->
      fprintf fmt "sizeof(%a)" ctype ty
(*  | TEstar e ->
      fprintf fmt "*%a" expr_p e*)
  | TEseq (e1, e2) ->
      fprintf fmt "%a, %a" expr e1 expr e2
  | TEassign (e1, e2) ->
      fprintf fmt "%a = %a" expr e1 expr e2
  | TEassign_op (e1, op, e2) ->
      fprintf fmt "%a %a= %a" expr e1 binop op expr e2
  | TEunary (op, e) ->
      fprintf fmt "%a%a" unop op expr_p e
  | TEincr (Uprefix_inc, e) -> fprintf fmt "++%a" expr_p e
  | TEincr (Uprefix_dec, e) -> fprintf fmt "--%a" expr_p e
  | TEincr (Upostfix_inc, e) -> fprintf fmt "%a++" expr_p e
  | TEincr (Upostfix_dec, e) -> fprintf fmt "%a--" expr_p e
  | TEbinary (e1, op, e2) ->
      fprintf fmt "%a %a %a" expr_p e1 binop op expr_p e2
  | TEcall (e, l) ->
      fprintf fmt "%a(%a)" expr e (print_list comma expr) l
  | TEcond (e1, e2, e3) ->
      fprintf fmt "%a ? %a : %a" expr e1 expr e2 expr e3
  | TEcast (ty, e) ->
      fprintf fmt "(%a)%a" ctype ty expr_p e

and expr_p fmt e = match e.texpr_node with
  | TEnop | TEconstant _ | TEstring_literal _ | TEvar _ -> expr fmt e
  | _ -> fprintf fmt "(@[%a@])" expr e

let rec c_initializer fmt = function
  | Iexpr e -> expr fmt e
  | Ilist l -> fprintf fmt "@[{ %a }@]" (print_list comma c_initializer) l

let rec c_initializer_term fmt = function
  | Iexpr e -> term fmt e
  | Ilist l -> fprintf fmt "@[{ %a }@]" (print_list comma c_initializer_term) l

let rec statement fmt s = match s.st_node with
  | TSnop -> 
      fprintf fmt ";"
  | TSexpr e ->
      fprintf fmt "@[%a;@]" expr e
  | TSif (e, s1, s2) ->
      fprintf fmt "@[if (%a) {@\n    @[%a@]@\n} else {@\n    @[%a@]@\n}@]"
	expr e statement_nb s1 statement_nb s2
  | TSwhile (a, e, s) ->
      fprintf fmt "@[%awhile (%a) {@\n    @[%a@]@\n}@]" 
	loop_annot a expr e statement_nb s
  | TSdowhile (a, s, e) ->
      fprintf fmt "@[%ado {@\n    @[%a@]@\n} while (%a);@]" 
	loop_annot a statement_nb s expr e 
  | TSfor (a, e1, e2, e3, s) ->
      fprintf fmt "@[%afor (%a; %a; %a) {@\n    @[%a@]@\n}@]"
	loop_annot a expr e1 expr e2 expr e2 statement_nb s
  | TSreturn None ->
      fprintf fmt "return;"
  | TSreturn (Some e) ->
      fprintf fmt "@[return %a;@]" expr e
  | TSbreak ->
      fprintf fmt "break;"
  | TScontinue ->
      fprintf fmt "continue;"
  | TSlabel (l, s) ->
      fprintf fmt "%s: %a" l statement s
  | TSswitch (e, m) ->
      (*** nexpr * (nexpr Cconst.IntMap.t) * 
      ((nexpr Cconst.IntMap.t * nstatement list) list) ***)
      fprintf fmt ""
  | TSassert p ->
      fprintf fmt "/*@@ assert %a */" predicate p
  | TSlogic_label l ->
      fprintf fmt "/*@@ label %s */" l
  | TSspec (sp, s) ->
      fprintf fmt "%a%a" spec sp statement s
  | TSblock b ->
      fprintf fmt "@[{@\n  @[%a@]@\n}@]" block b
  | TSset (vi, t) -> 
      fprintf fmt "/*@@ Set %s = %a */" vi.var_name term t
  | TSgoto s -> 
      fprintf fmt "goto %s" s
  | TSdefault ts ->
      fprintf fmt "default %a" statement ts 
  | TScase (e, ts) ->
      fprintf fmt "case %a:@\n %a" expr e statement ts 
(*  | TSdecl (ty, vi, None,rem) ->
      fprintf fmt "%a %s;@\n" ctype ty vi.var_unique_name;
      statement fmt rem
  | TSdecl (ty, vi, Some i, rem) ->
      fprintf fmt "@[{@\n%a %s = %a;@\n" ctype ty vi.var_unique_name c_initializer i;
      statement fmt rem;
      fprintf fmt "}@\n@]"
*)
and statement_nb fmt s = match s.st_node with
  | TSblock b -> block fmt b
  | _ -> statement fmt s

and block fmt (el,sl) =
 fprintf fmt "@[";
  List.iter (fun d -> decl fmt d; fprintf fmt "@\n") el;
  List.iter (fun d -> statement fmt d; fprintf fmt "@\n") sl;
  fprintf fmt "@]@."

and decl fmt d = match d.node with
  | Tlogic (li, ls) -> 
      logic_symbol fmt li ls
  | Taxiom (x, p) -> 
      fprintf fmt "/*@@ @[axiom %s:@ %a@] */@\n" x predicate p
  | Tinvariant (x, p) -> 
      fprintf fmt "/*@@ @[invariant %s:@ %a@] */@\n" x predicate p 
  | Ttypedef (ty, x) ->
      fprintf fmt "typedef %a %s;@\n" ctype ty x
  | Ttypedecl ty ->
      fprintf fmt "%a;@\n" ctype ty
  | Tdecl (ty, vi, None) ->
      fprintf fmt "%a %s;@\n" ctype ty vi.var_unique_name
  | Tdecl (ty, vi, Some i) ->
      fprintf fmt "%a %s = %a;@\n" ctype ty vi.var_unique_name c_initializer i
  | Tfunspec (s, ty, fi) ->
      fprintf fmt "%a%a %s(@[%a@]);@\n" spec s ctype ty fi.fun_name
	parameters fi.args
  | Tfundef (s, ty, fi, st) ->
      fprintf fmt "%a%a %s(@[%a@])@\n%a@\n" spec s ctype ty fi.fun_name
	 parameters fi.args statement st
  | Tghost (vi, None) ->
      fprintf fmt "/*@@  @[ghost %s@]*/@\n" vi.var_name	
  | Tghost (vi, Some i) ->
      fprintf fmt "/*@@  @[ghost %s = @ %a@]*/@\n" vi.var_name 
	c_initializer_term i  

let file fmt p = 
  fprintf fmt "@[";
  Cenv.iter_all_struct (declare_struct fmt);
  List.iter (fun d -> decl fmt d; fprintf fmt "@\n") p;
  fprintf fmt "@]@."


why-2.34/c/clogic.mli0000644000175000017500000002425012311670312013005 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* AST for C annotations *)

type signed = bool

type logic_type = 
  | LTvoid
  | LTchar of signed
  | LTshort of signed
  | LTint of signed
  | LTlong of signed
  | LTlonglong of signed
  | LTinteger
  | LTfloat
  | LTdouble
  | LTlongdouble
  | LTreal
  | LTarray of logic_type
  | LTpointer of logic_type
  | LTvar of string

(* parsed terms and predicates *)

type constant = 
  | IntConstant of string 
  | RealConstant of string

type term_binop = 
  | Badd | Bsub | Bmul | Bdiv | Bmod | Bpow_real
  | Bbw_and | Bbw_xor | Bbw_or | Bshift_left | Bshift_right

type term_unop = 
  | Uminus | Utilde | Ustar | Uamp |Uplus
  | Uabs_real | Usqrt_real | Uround_error | Utotal_error
  | Uexact | Umodel | Unot
  (* introduced during typing *)
  | Ufloat_of_int | Uint_of_float | Ufloat_conversion | Uint_conversion

type 'ctype quantifiers = ('ctype * string) list
type 'ctype typed_quantifiers = ('ctype * Info.var_info) list

type relation = Lt | Gt | Le | Ge | Eq | Neq

type lexpr = {
  lexpr_node : lexpr_node;
  lexpr_loc : Loc.position
}

and lexpr_node = 
  (* both terms and predicates *)
  | PLvar of Info.var_info
  | PLapp of Info.logic_info * lexpr list
  (* terms *)
  | PLconstant of constant
  | PLunop of term_unop * lexpr
  | PLbinop of lexpr * term_binop * lexpr
  | PLdot of lexpr * string
  | PLarrow of lexpr * string
  | PLarrget of lexpr * lexpr
  | PLold of lexpr
  | PLat of lexpr * string
  | PLbase_addr of lexpr
  | PLoffset of lexpr
  | PLblock_length of lexpr
  | PLarrlen of lexpr
  | PLstrlen of lexpr
  | PLmin of lexpr * lexpr
  | PLmax of lexpr * lexpr
  | PLminint of logic_type
  | PLmaxint of logic_type
  | PLresult
  | PLnull
  | PLcast of logic_type * lexpr
  | PLrange of lexpr * lexpr option * lexpr option
  (* predicates *)
  | PLfalse
  | PLtrue
  | PLrel of lexpr * relation * lexpr
  | PLand of lexpr * lexpr
  | PLor of lexpr * lexpr
  | PLimplies of lexpr * lexpr
  | PLiff of lexpr * lexpr
  | PLnot of lexpr
  | PLif of lexpr * lexpr * lexpr
  | PLforall of logic_type quantifiers * lexpr
  | PLexists of logic_type quantifiers * lexpr
  | PLvalid of lexpr
  | PLseparated of lexpr * lexpr
  | PLbound_separated of lexpr * lexpr * lexpr * lexpr
  | PLfull_separated of lexpr * lexpr
  | PLfullseparated of lexpr * lexpr
  | PLvalid_index of lexpr * lexpr
  | PLvalid_range of lexpr * lexpr * lexpr
  | PLfresh of lexpr
  | PLnamed of string * lexpr

(* typed terms *)

type 'ctype term = {
  term_node : 'ctype term_node;
  term_loc : Loc.position;
  term_type : 'ctype;
}

and 'ctype term_node =
  | Tconstant of constant
  | Tstring_literal of string
  | Tvar of Info.var_info
  | Tapp of Info.logic_info * 'ctype term list
  | Tunop of term_unop * 'ctype term
  | Tbinop of 'ctype term * term_binop * 'ctype term
  | Tdot of 'ctype term * Info.var_info
  | Tarrow of 'ctype term * Info.var_info
  | Tarrget of 'ctype term * 'ctype term
  | Tif of 'ctype term * 'ctype term * 'ctype term
  | Told of 'ctype term
  | Tat of 'ctype term * string
  | Tbase_addr of 'ctype term
  | Toffset of 'ctype term
  | Tblock_length of 'ctype term
  | Tarrlen of 'ctype term
  | Tstrlen of 'ctype term
  | Tmin of 'ctype term * 'ctype term
  | Tmax of 'ctype term * 'ctype term
  | Tminint of 'ctype
  | Tmaxint of 'ctype
(*
  | Tresult of Info.env_info
  | Tnull
*)
  | Tcast of 'ctype * 'ctype term
  | Trange of 'ctype term * 'ctype term option * 'ctype term option

(* typed predicates *)

type 'ctype predicate = {
  pred_node : 'ctype predicate_node;
  pred_loc : Loc.position;
}

and 'ctype predicate_node = 
  | Pfalse
  | Ptrue
  | Papp of Info.logic_info * 'ctype term list
  | Prel of 'ctype term * relation * 'ctype term
  | Pand of 'ctype predicate * 'ctype predicate
  | Por of 'ctype predicate * 'ctype predicate
  | Pimplies of 'ctype predicate * 'ctype predicate
  | Piff of 'ctype predicate * 'ctype predicate
  | Pnot of 'ctype predicate
  | Pif of 'ctype term * 'ctype predicate * 'ctype predicate
  | Pforall of 'ctype typed_quantifiers * 'ctype predicate
  | Pexists of 'ctype typed_quantifiers * 'ctype predicate
  | Pold of 'ctype predicate
  | Pat of 'ctype predicate * string
  | Pseparated of 'ctype term * 'ctype term  
  | Pbound_separated of 'ctype term * 'ctype term * 'ctype term * 'ctype term  
  | Pfull_separated of 'ctype term * 'ctype term
  | Pfullseparated of 'ctype term * 'ctype term
  | Pvalid of 'ctype term 
  | Pvalid_index of 'ctype term * 'ctype term
  | Pvalid_range of 'ctype term * 'ctype term * 'ctype term
  | Pfresh of 'ctype term 
  | Pnamed of string * 'ctype predicate

type 'term location = 'term

type 'term variant = 'term * string option

type ('term,'pred) spec = { 
  mutable requires : 'pred option;
  mutable assigns : (Loc.position * 'term location list) option;    
  mutable ensures : 'pred option;
  mutable decreases : 'term variant option
}

type ('term,'pred) loop_annot = {
  invariant : 'pred option;
    (* part of the invariant already proved by program analysis *)
  assume_invariant : 'pred option;
  loop_assigns : (Loc.position * 'term location list) option;
  variant : 'term variant option
}

type ('term,'ctype) logic_symbol =
  | Predicate_reads of (Info.var_info * 'ctype) list * 'term location list
  | Predicate_def of (Info.var_info * 'ctype) list * 'ctype predicate 
  | Function of (Info.var_info * 'ctype) list * 'ctype * 'term location list
  | Function_def of (Info.var_info * 'ctype) list * 'ctype * 'term

(*

normalized AST

*)

type 'ctype nterm = {
  nterm_node : 'ctype nterm_node;
  nterm_loc : Loc.position;
  nterm_type : 'ctype;
}

and 'ctype nterm_node =
  | NTconstant of constant
  | NTstring_literal of string
  | NTvar of Info.var_info
  | NTapp of 'ctype napp
  | NTunop of term_unop * 'ctype nterm
  | NTbinop of 'ctype nterm * term_binop * 'ctype nterm
  | NTarrow of 'ctype nterm * Info.zone * Info.var_info
  | NTif of 'ctype nterm * 'ctype nterm * 'ctype nterm
  | NTold of 'ctype nterm
  | NTat of 'ctype nterm * string
  | NTbase_addr of 'ctype nterm
  | NToffset of 'ctype nterm
  | NTblock_length of 'ctype nterm
  | NTarrlen of 'ctype nterm
      (* [strlen(p)] depends on the value pointed to by [p] *)
  | NTstrlen of 'ctype nterm * Info.zone * Info.var_info
  | NTmin of 'ctype nterm * 'ctype nterm
  | NTmax of 'ctype nterm * 'ctype nterm
  | NTminint of 'ctype
  | NTmaxint of 'ctype
  | NTcast of 'ctype * 'ctype nterm
  | NTrange of 'ctype nterm * 'ctype nterm option * 'ctype nterm option 
      * Info.zone * Info.var_info

and 'ctype napp = { 
  napp_pred : Info.logic_info;
  napp_args : 'ctype nterm list;
  mutable napp_zones_assoc : (Info.zone * Info.zone) list;
}

type 'ctype npredicate = {
  npred_node : 'ctype npredicate_node;
  npred_loc : Loc.position
}

and 'ctype npredicate_node =
  | NPfalse
  | NPtrue
  | NPapp of 'ctype napp
  | NPrel of 'ctype nterm * relation * 'ctype nterm
  | NPand of 'ctype npredicate * 'ctype npredicate
  | NPor of 'ctype npredicate * 'ctype npredicate
  | NPimplies of 'ctype npredicate * 'ctype npredicate
  | NPiff of 'ctype npredicate * 'ctype npredicate
  | NPnot of 'ctype npredicate
  | NPif of 'ctype nterm * 'ctype npredicate * 'ctype npredicate
  | NPforall of 'ctype typed_quantifiers * 'ctype npredicate
  | NPexists of 'ctype typed_quantifiers * 'ctype npredicate
  | NPold of 'ctype npredicate
  | NPat of 'ctype npredicate * string
  | NPvalid of 'ctype nterm 
  | NPvalid_index of 'ctype nterm * 'ctype nterm
  | NPvalid_range of 'ctype nterm * 'ctype nterm * 'ctype nterm
  | NPfresh of 'ctype nterm 
  | NPnamed of string * 'ctype npredicate
  | NPseparated of 'ctype nterm * 'ctype nterm
  | NPfull_separated of 'ctype nterm * 'ctype nterm
  | NPbound_separated of 
      'ctype nterm * 'ctype nterm * 'ctype nterm * 'ctype nterm

type ('term,'ctype) nlogic_symbol =
  | NPredicate_reads of (Info.var_info * 'ctype) list * 'term location list
  | NPredicate_def of (Info.var_info * 'ctype) list * 'ctype npredicate 
  | NFunction of (Info.var_info * 'ctype) list * 'ctype * 'term location list
  | NFunction_def of (Info.var_info * 'ctype) list * 'ctype * 'term


why-2.34/c/cgraph.mli0000644000175000017500000000457512311670312013021 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cast

val file : tdecl located list -> unit

val find_comp : (string*tfile) list -> (Info.fun_info list) array
why-2.34/c/cprint_graph.mli0000644000175000017500000000444712311670312014233 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

val print_graph : unit -> unit

why-2.34/c/creport.mli0000644000175000017500000000550512311670312013225 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format

exception Error of (Loc.position option) * Cerror.t

val report : formatter -> Cerror.t -> unit

val raise_located : Loc.position -> Cerror.t -> 'a 
val raise_unlocated : Cerror.t -> 'a
val raise_locop : Loc.position option -> Cerror.t -> 'a
val unsupported : Loc.position -> string -> 'a

val print_type : formatter -> Ctypes.ctype -> unit
val print_type_node : formatter -> Ctypes.ctype_node -> unit

val error : Loc.position -> ('a, Format.formatter, unit, 'b) format4 -> 'a
val warning : Loc.position -> ('a, Format.formatter, unit, unit) format4 -> 'a


why-2.34/c/creport.ml0000644000175000017500000001272112311670312013052 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format
open Cerror
open Ctypes

exception Error of (Loc.position option) * Cerror.t

(*s Pretty-printing of types *)

let rec print_type fmt t = 
  print_type_node fmt t.ctype_node

and print_type_node fmt = function
  | Tvoid -> fprintf fmt "void"
  | Tint (s, i) -> fprintf fmt "%a %a" print_sign s print_integer i
  | Tfloat f -> print_float fmt f
  | Tvar x -> fprintf fmt "%s" x
  | Tarray (_,ty,_) -> fprintf fmt "%a[]" print_type ty
  | Tpointer (_,ty) -> fprintf fmt "%a*" print_type ty
  | Tstruct (x) -> fprintf fmt "struct %s" x
  | Tunion (x) -> fprintf fmt "union %s" x
  | Tenum (x) -> fprintf fmt "enum %s" x
  | Tfun (_pl, ty) -> fprintf fmt "%a fun(...)" print_type ty

and print_sign fmt = function
  | Signed -> fprintf fmt "signed"
  | Unsigned -> fprintf fmt "unsigned"

and print_integer fmt = function
  | Char -> fprintf fmt "char"
  | Short -> fprintf fmt "short"
  | Int -> fprintf fmt "int"
  | Long -> fprintf fmt "long"
  | LongLong -> fprintf fmt "long long"
  | Bitfield _  -> fprintf fmt "int (bitfield)"
  | ExactInt -> fprintf fmt "int (exact)"

and print_float fmt = function
  | Float -> fprintf fmt "float"
  | Double -> fprintf fmt "double"
  | LongDouble -> fprintf fmt "long double"
  | Real -> fprintf fmt "real"

and print_fields fmt = function
  | [] -> ()
  | (ty, x, _) :: fl -> fprintf fmt "%a %s; %a" print_type ty x print_fields fl

and print_enums fmt = function
  | [] -> ()
  | (x, _) :: el -> fprintf fmt "%s, %a" x print_enums el

let report fmt = function
  | AnyMessage s -> 
      fprintf fmt "Error: %s" s
  | ExpectedType (t1, t2) -> 
      fprintf fmt "Error: this term has type @[%a@]@ but is expected to have type @[%a@]" print_type t1 print_type t2
  | TooManyArguments ->
      fprintf fmt "Error: too many arguments"
  | PartialApp ->
      fprintf fmt "Error: this application is partial (Argument missing?)"
  | Unsupported s ->
      fprintf fmt "Error: unsupported feature (%s)" s

let offset = ref 0

let reloc (ls, le) = (!offset + ls, !offset + le)

let with_offset ofs f x =
  let old_offset = !offset in
  try
    offset := ofs;
    let r = f x in
    offset := old_offset;
    r
  with e ->
    offset := old_offset;
    raise e
(*** 
    | Stdpp.Exc_located (loc, e) -> 
	raise (Stdpp.Exc_located (Compat.offset ofs loc, e))
    | Error (Some loc, e) ->
	raise (Error (Some (offset ofs loc), e))
***)

let option_app f = function Some x -> Some (f x) | None -> None

let raise_located loc e = raise (Error (Some (loc), e))
let raise_unlocated e = raise (Error (None, e))
let raise_locop locop e = raise (Error (locop, e))
let unsupported loc s = raise (Error (Some loc, Unsupported s))

let error l = 
  Format.kfprintf 
    (fun _fmt -> raise (Error(Some l, AnyMessage (flush_str_formatter())))) 
    str_formatter

let wtbl = Hashtbl.create 17;;

let warning loc = 
  Format.kfprintf 
    (fun _fmt -> 
       let s = flush_str_formatter() in
       let n = try Hashtbl.find wtbl s with Not_found -> 0 in
       if n <= 2 then
	 begin
	   Hashtbl.add wtbl s (n+1);
	   Format.eprintf "@[%a warning: %s@]@." Loc.report_line (fst loc) s;
	   if n = 2 then Format.eprintf "(this repeated warning will not appear anymore)@.";
	   if Coptions.werror then exit 1
    end
    )
    str_formatter

why-2.34/c/ctyping.ml0000644000175000017500000014244012311670312013053 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format
open Coptions
open Clogic
open Cast
open Cerror
open Cltyping
open Creport
open Info
open Cenv
open Lib
open Ctypes
open Int64


let int_teconstant n = 
  { texpr_node = TEconstant (IntConstant n); 
    texpr_loc = Loc.dummy_position;
    texpr_type = c_exact_int (* ? *) }

let tezero = int_teconstant "0"

let char_size_b = char_size / 8
let short_size_b = short_size / 8
let int_size_b = Coptions.int_size / 8
let long_size_b = long_size / 8
let long_long_size_b = long_long_size / 8

(* evaluation static *)
let rec sizeof loc = 
  let incomplete_type () = 
    error loc "invalid application of `sizeof' to an incomplete type"
  in
  let warned = ref false in
  let architecture () =
    if not !warned then begin 
      warned := true;
      warning loc "compiler/architecture-dependent sizeof"
    end
  in
  let rec sizeof ?(field=false) (ty : tctype) = match ty.ctype_node with
    | Tvoid -> of_int 1
    | Tint (_, Char) -> of_int char_size_b
    | Tint (_, Short) -> of_int short_size_b
    | Tint (_, Int) -> architecture (); of_int int_size_b
    | Tint (_, Long) -> of_int long_size_b
    | Tint (_, LongLong) -> of_int long_long_size_b
    | Tint (_, Bitfield n) -> 
	architecture ();
	let d = div n (of_int 8) in
	if rem n (of_int 8) = zero then d else succ d
    | Tint (_, ExactInt) -> assert false
    | Tfloat Float -> of_int 4
    | Tfloat Double -> of_int 8
    | Tfloat LongDouble -> of_int 12
    | Tfloat Real -> assert false
    | Tvar _x -> assert false (* should be expansed *)
    | Tarray (_,ty, Some e) -> 
	mul e (sizeof ty)
    | Tarray (_,_ty, None) -> if field then of_int 0 else of_int 1
    | Tpointer _ -> of_int 4
    | Tstruct n ->
	(match tag_type_definition n with
	   | TTIncomplete -> 
	       incomplete_type ()
	   | TTStructUnion (Tstruct _, fl) -> 
	       List.fold_left 
		 (fun s v -> add s (sizeof ~field:true v.var_type)) 
		 (of_int 0) fl
	   | _ -> 
	       assert false)
    | Tunion n ->
	(match tag_type_definition n with
	   | TTIncomplete -> 
	       incomplete_type ()
	   | TTStructUnion (Tunion _, fl) -> 
	       List.fold_left 
		 (fun s v -> max s (sizeof ~field:true v.var_type)) 
		 (of_int 0) fl
	   | _ -> 
	       assert false)
    | Tenum _ -> of_int 4
    | Tfun _ -> of_int 4 (* function pointer? *)
  in
  sizeof

and eval_const_expr_noerror (e : texpr) = match e.texpr_node with
  | TEconstant (IntConstant c) -> Cconst.int e.texpr_loc c
  | TEunary (Uplus, t) -> eval_const_expr_noerror t
  | TEunary (Cast.Uminus, t) -> Int64.neg (eval_const_expr_noerror t)
  | TEbinary (t1, Cast.Badd_int _, t2) -> 
      Int64.add (eval_const_expr_noerror t1)  (eval_const_expr_noerror t2)
  | TEbinary (t1, Cast.Bsub_int _, t2) -> 
      Int64.sub (eval_const_expr_noerror t1)  (eval_const_expr_noerror t2)
  | TEbinary (t1, Cast.Bmul_int _, t2) -> 
      Int64.mul (eval_const_expr_noerror t1)  (eval_const_expr_noerror t2)
  | TEbinary (t1, Cast.Bdiv_int _, t2) -> 
      Int64.div (eval_const_expr_noerror t1)  (eval_const_expr_noerror t2)  
  | TEbinary (_t1, Cast.Bdiv_float _, _t2) -> 
      invalid_arg "not a constant expression 2"
  | TEcast (_, e) -> eval_const_expr_noerror e
  | TEunary (Uint_conversion, e) -> eval_const_expr_noerror e
  | TEsizeof (_t,n) -> n
  | TEvar (Var_info v) ->
      if e.texpr_type.Ctypes.ctype_const 
      then v.enum_constant_value
      else invalid_arg "not a const variable"
  | _ -> invalid_arg "not a constant expression"

and eval_const_expr (e : texpr) = 
  try
    eval_const_expr_noerror e
  with
      Invalid_argument msg -> error e.texpr_loc "%s" msg

(* Typing C programs *)

let located_app f x = { node = f x.node; loc = x.loc }

let type_spec ?result env s = type_spec result env s


(*s Some predefined types, subtype relation, etc. *)

let int_op i = function
  | Badd -> Badd_int i
  | Bsub -> Bsub_int i
  | Bmul -> Bmul_int i
  | Bdiv -> Bdiv_int i
  | Bmod -> Bmod_int i
  | Blt -> Blt_int
  | Ble -> Ble_int
  | Bgt -> Bgt_int
  | Bge -> Bge_int
  | Beq -> Beq_int
  | Bneq -> Bneq_int
  | _ -> assert false

let float_op fk = function
  | Badd -> Badd_float fk
  | Bsub -> Bsub_float fk
  | Bmul -> Bmul_float fk
  | Bdiv -> Bdiv_float fk
  | Blt -> Blt_float fk
  | Ble -> Ble_float fk
  | Bgt -> Bgt_float fk
  | Bge -> Bge_float fk
  | Beq -> Beq_float fk
  | Bneq -> Bneq_float fk
  | _ -> assert false

let pointer_op = function
  | Blt -> Blt_pointer
  | Ble -> Ble_pointer
  | Bgt -> Bgt_pointer
  | Bge -> Bge_pointer
  | Beq -> Beq_pointer
  | Bneq -> Bneq_pointer
  | _ -> assert false

let type_op op ty = match ty.ctype_node with 
  | Tint i -> int_op i op 
  | Tenum _ -> int_op (Signed, Int) op
  | Tfloat fk -> float_op fk op 
  | Tpointer _ | Tarray _ -> pointer_op op
  | _ -> assert false 

let is_bitfield ty = match ty.ctype_node with
  | Tint (_, Bitfield _) -> true
  | _ -> false

let va_list = Ctypes.noattr (Ctypes.Tvar "va_list")
let _ = add_typedef Loc.dummy_position "__builtin_va_list" va_list

let rec is_null e = 
  match e.texpr_node with
    | TEconstant (IntConstant s) -> (try int_of_string s = 0 with _ -> false)
    | TEcast(_,e) -> is_null e
    | _ -> false

(* Coercions (ints to floats, floats to int) *)

let coerce ty e = match e.texpr_type.ctype_node, ty.ctype_node with
  | (Tint _ | Tenum _), Tfloat _ -> 
      { e with texpr_node = TEunary (Ufloat_of_int, e); texpr_type = ty }
  | Tfloat _, (Tint _ | Tenum _) ->
      { e with texpr_node = TEunary (Uint_of_float, e); texpr_type = ty }
  | Tfloat fk1, Tfloat fk2 when fk1 <> fk2 ->
      { e with texpr_node = TEunary (Ufloat_conversion, e); texpr_type = ty }
  | (Tint _ | Tenum _ as tn1), (Tint _ | Tenum _ as tn2) when tn1 <> tn2 ->
      { e with texpr_node = TEunary (Uint_conversion, e); texpr_type = ty }
  | ty1, ty2 when eq_type_node ty1 ty2 ->
      e
  | Tpointer _ , Tpointer (_,{ ctype_node = Tvoid }) ->
      e
  | _, Tpointer (_,ty) when is_null e ->
      let ty' = { ctype_node = Tpointer (Not_valid, ty);
		  ctype_storage = No_storage;
		  ctype_const = false;
		  ctype_volatile = false;
		  ctype_ghost = false } 
      in
      { e with texpr_node = TEcast (ty', tezero); texpr_type = ty' }
  | _ ->
      error e.texpr_loc
	"incompatible type: expected %a, found %a@." 
	print_type ty print_type e.texpr_type 

let compat_pointers ty1 ty2 = 
  (ty1.ctype_node = Tvoid) || (ty2.ctype_node = Tvoid) || eq_type ty1 ty2

let max_float = function
  | Float, Float -> Float
  | (Float | Double), (Float | Double) -> Double
  | (Float | Double | LongDouble), (Float | Double | LongDouble) -> LongDouble
  | _ -> assert false

(****
let rec le_cinteger = function
  | Tint (Signed, i1), Tint (_, i2) 
  | Tint (Unsigned, i1), Tint (Unsigned, i2) ->
      Cenv.int_size i1 <= Cenv.int_size i2
  | Tint (Unsigned, i1), Tint (Signed, i2) ->
      int_size i1 < int_size i2
  (* enum = int TODO: could be unsigned int *)
  | Tenum _, ty2 ->
      le_cinteger (Tint (Signed, Int), ty2)
  | ty1, Tenum _ ->
      le_cinteger (ty1, Tint (Signed, Int))
  | _ -> 
      assert false

let max_int i1 i2 = if le_cinteger (i1, i2) then i2 else i1
****)

let integral_promotion = function
  | Tenum _ | Tint (_, (Char | Short)) -> Tint (Signed, Int)
  | tn -> tn

(* convert [e1] and [e2] to the same arithmetic type *)
let conversion e1 e2 =
  let ty1 = e1.texpr_type in
  let ty2 = e2.texpr_type in
  match ty1.ctype_node, ty2.ctype_node with
    | Tfloat _, (Tint _ | Tenum _) -> e1, coerce ty1 e2, ty1
    | (Tint _ | Tenum _), Tfloat _ -> coerce ty2 e1, e2, ty2
    | Tfloat fk1, Tfloat fk2 -> 
	let ty = noattr (Tfloat (max_float (fk1, fk2))) in
	coerce ty e1, coerce ty e2, ty
    | (Tint _ | Tenum _ as tn1), (Tint _ | Tenum _ as tn2) -> 
	let tn = match integral_promotion tn1, integral_promotion tn2 with
	  | (Tint (Unsigned, LongLong) as tn), _ -> tn
	  | _, (Tint (Unsigned, LongLong) as tn) -> tn
	  | (Tint (Signed, LongLong) as tn), _ -> tn
	  | _, (Tint (Signed, LongLong) as tn) -> tn
	  | (Tint (Unsigned, Long) as tn), _ -> tn
	  | _, (Tint (Unsigned, Long) as tn) -> tn
	  | Tint (Signed, Long), Tint (Unsigned, Int) 
	  | Tint (Unsigned, Int), Tint (Signed, Long)
	    when Coptions.long_size <= Coptions.int_size -> 
	      Tint (Unsigned, Long)
	  | (Tint (Signed, Long) as tn), _ -> tn
	  | _, (Tint (Signed, Long) as tn) -> tn
	  | (Tint (Unsigned, Int) as tn), _ -> tn
	  | _, (Tint (Unsigned, Int) as tn) -> tn
	  | (Tint (Signed, Int) as tn), _ -> tn
	  | _, (Tint (Signed, Int) as tn) -> tn
	  | _ -> assert false
	in
	let ty = noattr tn in
	coerce ty e1, coerce ty e2, ty
    | _ -> assert false

let has_suffix ~suf s =
  let nsuf = String.length suf in
  let n = String.length s  in
  n >= nsuf && String.lowercase (String.sub s (n - nsuf) nsuf) = suf

let int_constant_type s =
  if has_suffix ~suf:"ul" s || has_suffix ~suf:"lu" s then
    Unsigned, Long
  else if has_suffix ~suf:"u" s then
    Unsigned, Int
  else if has_suffix ~suf:"l" s then
    Signed, Long
  else
    (* TODO: cf K&R *)
    Signed, Int

(* type the assignment of [e2] into a left value of type [ty1] *)
let type_assignment loc ty1 e2 =
  let ty2 = e2.texpr_type in
  if (arith_type ty1 && arith_type ty2) || 
     (sub_type ty2 ty1) || 
     (pointer_type ty1 && is_null e2) 
  then
    coerce ty1 e2
  else
    error loc "incompatible types in assignment"

(* warns for assigments over read-only left-value *)

let warn_for_read_only loc e = 
  let pointer_on_read_only ty = match ty.ctype_node with
    | Tpointer (_,ty) -> ty.ctype_const 
    | _ -> false
  in
  match e.texpr_node with
  | TEarrow (_, x) | TEdot (_, x) when e.texpr_type.ctype_const  ->
      warning loc "assignment of read-only member `%s'" x.var_name
  | TEarrow (e1, x) when pointer_on_read_only e1.texpr_type ->
      warning loc "assignment of read-only member `%s'" x.var_name
  | TEdot (e1, x) when e1.texpr_type.ctype_const ->
      warning loc "assignment of read-only member `%s'" x.var_name 
  | TEvar (Var_info x) when e.texpr_type.ctype_const ->
      warning loc "assignment of read-only variable `%s'" x.var_name 
  | TEvar (Var_info x) ->
      Loc.report_position Coptions.log loc;
      fprintf Coptions.log "Variable %s is assigned@." x.var_name;
      set_assigned x
  | TEvar (Fun_info _f) ->
      warning loc ("function assignment (ignored)")
  | _ when e.texpr_type.ctype_const ->
      warning loc "assignment of read-only location"
  | _ -> 
      ()

let set_referenced e = match e.texpr_node with
  | TEvar (Var_info x) -> set_is_referenced x
  | TEdot (_,f) | TEarrow(_,f) -> set_is_referenced f
  | _ -> ()

let make_shift e1 e2 valid ty n =
  let is_valid =
      match valid, n with
	| Valid(a,b), Some n ->
	    if e1.texpr_type.ctype_ghost 
	    then Valid(Int64.min_int,Int64.max_int)
	    else
	      begin
	      assert (b = n);
		try
		  let i = eval_const_expr_noerror e2 in
		  Valid(Int64.sub a i, Int64.sub b i)
		with Invalid_argument _ -> Not_valid
	      end;
	| _, _ -> Not_valid
  in
  let ty1 = e1.texpr_type in
  TEbinary (e1, Badd_pointer_int, e2), 
  { ty1 with ctype_node = Tpointer(is_valid,ty) }

let remove_top_conversion e = match e.texpr_node with
  | TEunary (( Uint_conversion | Ufloat_conversion
	     | Uint_of_float | Ufloat_of_int), e) -> e
  | _ -> e

(*s Types *)

let rec type_type ?(ghost=false) ?(parameters=false) loc env ty = 
  { Ctypes.ctype_node = type_type_node ~ghost:ghost ~parameters:parameters loc env 
      ty;
    ctype_storage = ty.Cast.ctype_storage ;
    ctype_const = ty.Cast.ctype_const ;
    ctype_volatile = ty.Cast.ctype_volatile;
    ctype_ghost = false;
  }

and type_type_node ?(ghost=false) ?(parameters=false) loc env ty = 
  match ty.Cast.ctype_node with
  | CTvoid -> Tvoid
  | CTfloat x -> 
      begin match x with Real -> () | _ -> use_floats := true end; Tfloat x
  | CTint (s,i) ->
      Tint (s, type_integer loc env i)
  | CTvar x -> 
      (* TODO: les attributs sont perdus *)
      (* Cas d'erreur associés observés en pratique : 
            -> utilisation d'un type non déclarer (pour déclarer une variable ghost 
               ou la signature d'une fonction logique)
            -> déclaration d'une variable ghost avec un type logique *)
      (try (find_typedef x).ctype_node with Not_found -> assert false)
  | CTarray (tyn, None) ->
      Tarray (Not_valid,type_type loc env tyn, None)
  | CTarray (tyn, Some e) ->
      if ghost 
      then 
	Tarray(Valid(Int64.min_int,Int64.max_int),type_type loc env tyn,None)
      else begin
	  if parameters 
	  then Tarray (Not_valid,type_type loc env tyn, None)
	  else
	    let n = eval_const_expr  (type_int_expr env e) in
	    Tarray (Valid(Int64.zero,n),type_type loc env tyn, Some n)
	end
  | CTpointer tyn -> 
      if ghost then Tpointer (Not_valid,type_type loc env tyn)
      else
	Tpointer (Not_valid,type_type loc env tyn)
  | CTstruct (x,Tag) -> Env.find_tag_type loc env (Tstruct x)  
  | CTunion (x,Tag)  -> Env.find_tag_type loc env (Tunion x)
  | CTenum (x,Tag)  -> Env.find_tag_type loc env (Tenum x)
  | CTstruct (x, Decl fl) ->
      let fl = List.map (type_field x loc env) fl in
      let tyn = 
	Env.set_struct_union_type loc env (Tstruct x) (List.map snd fl) in
      declare_fields tyn fl;
      tyn
  | CTunion (x, Decl fl) ->
      let fl = List.map (type_field x loc env) fl in
      let tyn = Env.set_struct_union_type loc env (Tunion x) (List.map snd fl) in
      declare_fields tyn fl;
      tyn
  | CTenum (x, Decl fl) ->
      let tyn = Env.find_tag_type loc env (Tenum x) in
      let ty = noattr tyn in
      let ty = { ty with ctype_const = true } in
      let rec enum_fields v = function
	| [] -> 
	    []
	| (f, op) :: fl ->
	     let i = default_var_info f in
	     ignore (add_sym loc f ty (Var_info i)); 
	     let v = match op with
	       | None -> 
		   v
	       | Some e -> 
		   let e = type_int_expr env e in
		   eval_const_expr e
	     in
	     set_const_value i v;
	     (i, v) :: enum_fields (Int64.succ v) fl
      in
      let fl = enum_fields Int64.zero fl in
      Env.set_enum_type loc env (Tenum x) fl 
  | CTfun (pl, tyn) ->
      let pl = List.map (fun (ty,_x) -> type_type loc env ty) pl in
      let pl = match pl with
	| [{ctype_node = Tvoid}] -> []
	| _ -> pl
      in
      Tfun (pl, type_type loc env tyn)

and type_integer _loc env = function
  | Cast.Char -> Char
  | Cast.Short -> Short
  | Cast.Int -> Int 
  | Cast.Long -> Long
  | Cast.LongLong -> LongLong
  | Cast.Bitfield e -> 
      let e = type_int_expr env e in
      Bitfield (eval_const_expr e)

(*s Expressions *)

and type_expr env e = 
  let tn,ty = type_expr_node e.loc env e.node in
  { texpr_node = tn; texpr_type = ty; texpr_loc = e.loc }

and type_expr_node loc env = function
  | CEnop ->
      TEnop, c_void
  | CEconstant (IntConstant s as c) ->
      let ik = int_constant_type s in
      TEconstant c, noattr (Tint ik)
  | CEconstant (RealConstant s) ->
      use_floats := true;
      let s,fk = float_constant_type ~in_logic:false s in
      TEunary (Ufloat_conversion,
	       { texpr_node = TEconstant (RealConstant s);
		 texpr_loc = loc; texpr_type = c_real }), 
      c_float fk
  | CEstring_literal s ->
      TEstring_literal s, 
      c_string (Valid(Int64.zero,Int64.of_int (1 + String.length s)))
  | CEvar x ->
      let var =
	try Env.find x env with Not_found -> 
	  try find_sym x with Not_found -> 
	    error loc "%s undeclared" x
      in 
      (TEvar var,var_type var)
  | CEdot (e, x) ->
      let te = type_expr env e in
      let x = type_of_field loc x te.texpr_type in
      let te_dot_x = 
(*	match te.texpr_node with
	| TEunary (Ustar, e) -> TEarrow (e, x)
	| TEarrget (e1, e2) -> 
	    let a = 
	      { te with 
		  texpr_node = TEbinary (e1, Badd_pointer_int, e2);
		  texpr_type = e1.texpr_type }
	    in
	    TEarrow (a, x)
  | _ -> *) TEdot (te, x)
      in
      te_dot_x, x.var_type
  | CEarrow (e, x) ->
      let te = type_expr env e in
      begin match te.texpr_type.ctype_node with
	| Tarray (_,ty,_) | Tpointer (_,ty) ->
	    let x = type_of_field loc x ty in
	    TEarrow (te, x), x.var_type
	| _ -> 
	    error loc "invalid type argument of `->'"
      end
  | CEarrget (e1, e2) ->
      let te1 = type_expr env e1 in
      (match te1.texpr_type.ctype_node with
	 | Tarray (_,ty,_) | Tpointer (_,ty) ->
	     let te2 = type_int_expr env e2 in
	     TEarrget (te1, te2), ty
	 | _ ->
	     error loc "subscripted value is neither array nor pointer")
  | CEseq (e1, e2) ->
      let e1 = type_expr env e1 in
      let e2 = type_expr env e2 in
      TEseq (e1, e2), e2.texpr_type
  | CEcond (e1, e2, e3) ->
      let e1 = type_boolean env e1 in
      let e2 = type_expr env e2 in
      let ty2 = e2.texpr_type in
      let e3 = type_expr env e3 in
      let ty3 = e3.texpr_type in
      if sub_type ty2 ty3 then
	TEcond (e1, coerce ty3 e2, e3), ty3
      else if sub_type ty3 ty2 then
	TEcond (e1, e2, coerce ty2 e3), ty2
      else
	error loc "type mismatch in conditional expression"
  | CEassign (e1, e2) ->
      let e1_loc = e1.loc in
      let e1 = type_lvalue env e1 in
      warn_for_read_only e1_loc e1;
      let ty1 = e1.texpr_type in
      let e2 = type_expr env e2 in
      let e2 = type_assignment loc ty1 e2 in
      TEassign (e1, e2), ty1
  | CEassign_op (e1, ( Badd | Bsub | Bmul | Bdiv | Bmod 
		     | Bbw_and | Bbw_xor | Bbw_or 
		     | Bshift_left | Bshift_right as op), e2) ->
      let b = { node = CEbinary (e1, op, e2); loc = loc } in
      let b = type_expr env b in
      (match b.texpr_node with
	 | TEbinary (te1, op', te2) -> 
	     let te1 = remove_top_conversion te1 in
	     check_lvalue e1.loc te1;
	     warn_for_read_only e1.loc te1;
	     let ty1 = te1.texpr_type in
	     let _ = type_assignment loc ty1 b in
	     TEassign_op (te1, op', te2), ty1
	 | _ -> 
	     assert false)
  | CEassign_op _ ->
      assert false
  | CEincr (op, e) ->
      let e_loc = e.loc in
      let e = type_lvalue env e in
      warn_for_read_only e_loc e;
      begin match e.texpr_type.ctype_node with
	| Tenum _ | Tint _ | Tfloat _ -> 
            TEincr (op, e), e.texpr_type
	| Tpointer (_,ty) -> 
            TEincr (op, e), 
	    { e.texpr_type with ctype_node = Tpointer(Not_valid,ty) }
	| _ -> error loc "wrong type to {de,in}crement"
      end
  | CEunary (Unot, e) ->
      let e = type_boolean env e in
      TEunary (Unot, e), c_int
  | CEunary ((Uplus | Uminus as op), e) ->
      let e = type_expr env e in
      begin match e.texpr_type.ctype_node with
	| Tenum _ | Tint _ | Tfloat _ -> TEunary (op, e), e.texpr_type
	| _ -> error loc "wrong type argument to unary plus/minus"
      end
  | CEunary (Uamp, e) ->
      (* TODO: cas où e est une fonction *)
      let e = type_lvalue ~modifiable:false env e in
      let ty = e.texpr_type in
      if is_bitfield ty then error loc "cannot take address of bitfield";
      if ty.ctype_storage = Register then 
	warning loc "address of register requested";
      set_referenced e;
      TEunary (Uamp, e), noattr (Tpointer (Valid(Int64.zero,Int64.one),ty))
  | CEunary (Ustar, e) ->
      let e = type_expr env e in
      begin match e.texpr_type.ctype_node with
	| Tpointer (_,ty) | Tarray (_,ty,_) -> TEunary (Ustar, e), ty
	| _ -> error loc "invalid type argument of `unary *'"
      end
  | CEunary (Utilde, e) ->
      let e = type_int_expr env e in
      TEunary (Utilde, e), e.texpr_type
  (* these other unops cannot be built by the parser *)
  | CEunary (( Uint_of_float | Ufloat_of_int 
	     | Ufloat_conversion | Uint_conversion), _) ->
      assert false
  | CEbinary (e1, (Bmul | Bdiv as op), e2) ->
      let e1 = type_arith_expr env e1 in
      let e2 = type_arith_expr env e2 in
      let e1,e2,ty = conversion e1 e2 in
      let op = type_op op ty in 
      TEbinary (e1, op, e2), ty
  | CEbinary (e1, Bmod, e2) ->
      let e1 = type_int_expr env e1 in
      let e2 = type_int_expr env e2 in
      let e1,e2,ty = conversion e1 e2 in
      let op = type_op Bmod ty in 
      TEbinary (e1, op, e2), ty
  | CEbinary (e1, Badd, e2) ->
      let e1 = type_expr env e1 in
      let ty1 = e1.texpr_type in
      let e2 = type_expr env e2 in
      let ty2 = e2.texpr_type in
      begin match ty1.ctype_node, ty2.ctype_node with
	| (Tenum _ | Tint _ | Tfloat _), (Tenum _ | Tint _ | Tfloat _) ->
	    let e1,e2,ty = conversion e1 e2 in
	    TEbinary (e1, type_op Badd ty, e2), ty
	| (Tpointer (valid,ty)), (Tint _ | Tenum _) ->
	    make_shift e1 e2 valid ty None
	| (Tarray (valid,ty,n)), (Tint _ | Tenum _) ->
	    make_shift e1 e2 valid ty n
	| (Tint _ | Tenum _), (Tpointer(valid,ty)) -> 
	    make_shift e2 e1 valid ty None
	| (Tint _ | Tenum _), (Tarray(valid,ty,n)) -> 
	    make_shift e2 e1 valid ty n
	| _ -> error loc "invalid operands to binary +"
      end
  | CEbinary (e1, Bsub, e2) ->
      let e1 = type_expr env e1 in
      let ty1 = e1.texpr_type in
      let e2 = type_expr env e2 in
      let ty2 = e2.texpr_type in
      begin match ty1.ctype_node, ty2.ctype_node with
	| (Tint _ | Tenum _ | Tfloat _), (Tint _ | Tenum _ | Tfloat _) ->
	    let e1,e2,ty = conversion e1 e2 in
	    TEbinary (e1, type_op Bsub ty, e2), ty
	| Tpointer(valid,ty), (Tint _ | Tenum _) -> 
	    let me2 = { e2 with texpr_node = TEunary (Uminus, e2);
			  texpr_type = ty2 } in
	    make_shift e1 me2 valid ty None
	| Tarray(valid,ty,n), (Tint _ | Tenum _) -> 
	    let me2 = { e2 with texpr_node = TEunary (Uminus, e2);
			  texpr_type = ty2 } in
	    make_shift e1 me2 valid ty n
	| (Tpointer _ | Tarray _), (Tpointer _ | Tarray _) ->
	    TEbinary (e1, Bsub_pointer, e2), c_int (* TODO check types *)
	| _ -> error loc "invalid operands to binary -"
      end
  | CEbinary (e1, (Blt | Bgt | Ble | Bge | Beq | Bneq as op), e2) ->
      let e1 = type_expr env e1 in
      let ty1 = e1.texpr_type in
      let e2 = type_expr env e2 in
      let ty2 = e2.texpr_type in
      begin match ty1.ctype_node, ty2.ctype_node with
	| (Tint _ | Tenum _ | Tfloat _), (Tint _ | Tenum _ | Tfloat _) ->
	    let e1,e2,ty = conversion e1 e2 in
	    TEbinary (e1, type_op op ty, e2), c_int
	| (Tpointer (_,ty1)  | Tarray (_,ty1,_)), 
	  (Tpointer (_,ty2) | Tarray (_,ty2,_)) ->
	    if not (compat_pointers ty1 ty2) then
	      warning loc "comparison of distinct pointer types lacks a cast";
	    TEbinary (e1, pointer_op op, e2), c_int
	| (Tpointer _  | Tarray _), (Tint _ | Tenum _ | Tfloat _) ->
	    if e2.texpr_node = TEconstant (IntConstant "0") then
	      TEbinary(e1, pointer_op op, 
		       { texpr_node = TEcast(
			   { ctype_node = Tpointer ( Not_valid, ty1);
			     ctype_storage = No_storage;
			     ctype_const = false;
			     ctype_volatile = false;
			     ctype_ghost = false;
			   },e2);
			 texpr_type = ty1;
			 texpr_loc  = e2.texpr_loc;}), c_int
	    else
	      error loc "comparison between pointer and integer but not 0"
	| (Tint _ | Tenum _ | Tfloat _), (Tpointer _  | Tarray _) ->
	    if e1.texpr_node = TEconstant (IntConstant "0") then
	      TEbinary({texpr_node = TEcast(
			  { ctype_node = Tpointer ( Not_valid, ty2);
			    ctype_storage = No_storage;
			    ctype_const = false;
			    ctype_volatile = false;
			    ctype_ghost = false;
			  },e1);
			texpr_type = ty1;
			texpr_loc  = e1.texpr_loc;
		       }, pointer_op op,e2), c_int
	    else
	      error loc "comparison between pointer and integer but not 0";
	| Tvar t1, Tvar t2 when t1 = t2 && (op = Beq || op = Bneq) ->
	    TEbinary (e1, op, e2), c_int
	| _ ->
	    error loc "invalid operands to comparison"
      end
  | CEbinary (e1, (Band | Bor as op), e2) ->
      let e1 = type_boolean env e1 in
      let e2 = type_boolean env e2 in
      TEbinary (e1, op, e2), c_int
  | CEbinary (e1, ( Bbw_and | Bbw_xor | Bbw_or 
		  | Bshift_left | Bshift_right as op), e2) ->
      (* TODO: max types pour "&" "|" "^" ? *)
      let e1 = type_int_expr env e1 in
      let e2 = type_int_expr env e2 in
      TEbinary (e1, op, e2), e1.texpr_type
  (* these other binops cannot be built by the parser *)
  | CEbinary (_, (Bdiv_float _|Bmul_float _|Bsub_float _|Badd_float _
		 |Bmod_int _|Bdiv_int _|Bmul_int _|Bsub_int _|Badd_int _
		 |Blt_pointer|Bgt_pointer|Ble_pointer|Bge_pointer
		 |Bneq_pointer|Beq_pointer
		 |Bneq_float _|Beq_float _|Bge_float _|Ble_float _
		 |Bgt_float _|Blt_float _
		 |Bneq_int|Beq_int|Bge_int|Ble_int|Bgt_int|Blt_int
		 |Bsub_pointer|Badd_pointer_int), _) ->
      assert false
  | CEcast (typ, 
	    { node = 
		CEcall 
		  ({ node = CEvar "malloc" },
		   [ { node = 
			 ( CEsizeof ty
			 | CEbinary (_, Bmul, { node = CEsizeof ty })
			 | CEbinary ({ node = CEsizeof ty }, Bmul, _)) as e }
		   ])}) ->
      let ty = type_type loc env ty in
      let typ = type_type loc env typ in
      begin match typ.ctype_node with
	| Tpointer (_, ty') when eq_type ty' ty ->
	    let e = match e with
	      | CEbinary (e, _, {node = CEsizeof _}) 
	      | CEbinary ({node = CEsizeof _}, _, e) -> e
	      | _ -> { node = CEconstant (IntConstant "1"); loc = loc }
	    in
	    let e = type_int_expr env e in
	    let valid =
	      try
		let n = eval_const_expr_noerror e in
		Valid(Int64.zero,n)
	      with Invalid_argument _ -> Not_valid
	    in
	    TEmalloc (ty, e), { typ with ctype_node = Tpointer (valid, ty) }
	| _ -> error loc "incompatible types"
      end
  | CEcast (typ, 
	    { node = 
		CEcall 
		  ({ node = CEvar "calloc" },
		   [ e ; { node = CEsizeof ty }])}) ->
      let ty = type_type loc env ty in
      let typ = type_type loc env typ in
      begin match typ.ctype_node with
	| Tpointer (_, ty') when eq_type ty' ty ->
	    let e = type_int_expr env e in
	    let valid =
	      try
		let n = eval_const_expr_noerror e in
		Valid(Int64.zero,n)
	      with Invalid_argument _ -> Not_valid
	    in
	    TEmalloc (ty, e), { typ with ctype_node = Tpointer (valid, ty) }
	| _ -> 
	    error loc "incompatible types"
      end
  | CEcall (e, el) ->
      let e = type_expr env e in
      let el = List.map (type_expr env) el in
      begin match e.texpr_type.ctype_node with
	| Tfun (tl, ty) ->
	    let rec check_args i el' = function
	      | [], [] -> 
		  TEcall (e, List.rev el'), ty
	      | e :: el, t :: tl 
		  when compatible_type e.texpr_type t 
		    || (pointer_type t && is_null e) ->
		  check_args (i+1) (coerce t e :: el') (el, tl)
	      | _e :: _, _ :: _ ->
		  error loc "incompatible type for argument %d" i
	      | [], _ :: _ ->
		  error loc "too few arguments"
	      | el, [] ->
		  (* too many arguments is OK *)
		  TEcall (e, List.rev_append el' el), ty
	    in
	    check_args 1 [] (el, tl)
	| _ ->
	    (* TODO should be: warning: implicit declaration of function *)
	    error loc "not a function"
      end
  | CEcast (ty, e) ->
      let ty = type_type loc env ty in
      let e = type_expr env e in
      TEcast (ty, e), ty
  | CEsizeof_expr e ->
      let e = type_expr env e in
      let n = sizeof e.texpr_loc e.texpr_type in
      TEsizeof (e.texpr_type,n), c_int
  | CEsizeof ty ->
      let ty = type_type loc env ty in
      let n = sizeof loc ty in
      TEsizeof(ty,n), c_int

and type_lvalue ?(modifiable=true) env e = 
  let loc = e.loc in
  let e = type_expr env e in
  check_lvalue ~modifiable loc e;
  e

and check_lvalue ?(modifiable=true) loc e = 
  match e.texpr_node with
    | TEvar v -> 
	begin 
	  match (var_type v).ctype_node with
	    | Tarray (_,_,Some _ ) when modifiable -> error loc "not a lvalue"
	    | _ -> ()
	end
    | TEunary (Ustar, _)
    | TEarrget _ 
    | TEarrow _ 
    | TEdot _ ->
	(* TODO: check that e is not of enum type *)
	()
    | TEcast (_, e) ->
	check_lvalue loc e
    | _ -> 
	error loc "invalid lvalue"

and type_expr_option env eo = Option_misc.map (type_expr env) eo

and type_field n loc env (ty, x, bf) = 
  let ty = type_type loc env ty in
  let bf = type_expr_option env bf in
  let info = find_field n x in
  match bf, ty.ctype_node with
    | _, Tvoid ->
	error loc "field `%s' declared void" x
    | None, _ ->
	(ty, info)
    | Some e, (Tenum _ | Tint _ as tyn) -> 
	let s = match tyn with
	  | Tenum _ -> Unsigned (* TODO: verif assez de bits pour l'enum *)
	  | Tint (s, Int) -> s
	  | Tint (s, _) ->
	      warning loc 
		"bit-field type `%a' invalid in ANSI C"
		Creport.print_type ty; 
	      s
	  | _ -> assert false
	in
	let v = eval_const_expr e in
	({ty with ctype_node = Tint (s, Bitfield v)}, info)
    | Some _, _ -> 
	error loc "bit-field `%s' has invalid type" x

(*s Typing of integers expressions: to be used when coercion is not allowed
    (array subscript, array size, enum value, etc.) *)

and type_int_expr_option env eo = Option_misc.map (type_int_expr env) eo

and type_int_expr env e = match type_expr env e with
  | { texpr_type = { ctype_node = Tint _ | Tenum _ } } as te -> te
  | _ -> error e.loc "invalid operand (expected integer)"

(*s Typing of arithmetic expressions: integers or floats *)

and type_arith_expr env e = match type_expr env e with
  | { texpr_type = { ctype_node = Tint _ | Tenum _ | Tfloat _ } } as te -> 
      te
  | _ -> error e.loc "invalid operand (expected integer or float)"

(*s Typing of ``boolean'' expressions *)

and type_boolean env e = 
  let e' = type_expr env e in
  let ty = e'.texpr_type in
  match ty.ctype_node with
    | Tint _ | Tenum _ | Tfloat _ | Tpointer _ | Tarray _ -> e'
    | _ -> error e.loc "invalid operand (expected arith or pointer)"

let int_to_init loc env ty i=
  (Iexpr 
     (coerce ty 
	(type_expr env 
	   { node = (CEconstant 
		       (IntConstant (sprintf "%d" i)));
	     loc = loc})))


(*s Typing of initializers *)

let rec type_initializer loc env ty = function
  | Iexpr e -> 
      let e = type_expr env e in
      Iexpr (coerce ty e)
  | Ilist el -> 
      (match ty.ctype_node with
	 | Tarray (_,ty,_) ->   
	     Ilist (List.map (type_initializer loc env ty) el)
	 | Tstruct (n) ->
	     (match tag_type_definition n with
		| TTIncomplete -> 
		    error loc "initializer but incomplete type"
		| TTStructUnion (Tstruct _n, fl) -> 
		    Ilist (type_struct_initializer loc env fl el)
		| _ -> 
		    assert false)
	 | _ -> 
	     (match el with
		| [] -> error loc "empty initializer"
		| e :: el -> 
		    if el <> [] then 
		      warning loc "excess elements in initializer";
		    Ilist [type_initializer loc env ty e]))

and type_struct_initializer loc env fl el = match fl, el with
  | _, [] -> 
      []
  | v :: fl, e :: el ->
      let e = type_initializer loc env v.var_type e in
      e :: type_struct_initializer loc env fl el
  | [], _ ->
      error loc "excess elements in struct initializer"

and type_initializer_option loc env ty = 
  Option_misc.map (type_initializer loc env ty)

(*
let type_initializer_option loc env ty = function
  | None -> None
  | Some i -> Some (type_initializer loc env ty i)
*)

let array_size_from_initializer loc ty i = match ty.ctype_node, i with
  | Tarray (_,ety, None), Some (Ilist l) -> 
      let s = of_int (List.length l) in
      { ty with ctype_node = Tarray (Valid(Int64.zero,s),ety, Some s) }

  | Tarray (_,_ety, None), None -> error loc "array size missing"  

  | Tarray (_,ety, None), Some (Iexpr e) ->
      (* since string literals in initializers are no longer transformed
	 in [Ilist] during typing, we need to add a special case here to
	 compute the length of the array. *)
      begin match e.texpr_node with
	| TEstring_literal s ->
	    let s = of_int (String.length s - 1) in
	    { ty with ctype_node = Tarray (Valid(Int64.zero,s),ety, Some s) }
	| _ -> ty
      end

  | _ -> 
      ty

(*s Statements *)

type status = { 
  break : bool; 
  continue : bool; 
  return : bool;
  term : bool
}

let mt_status = 
  { return = false; break = false; continue = false; term = true }

let or_status s1 s2 =
  { return = s1.return || s2.return;
    break = s1.break || s2.break;
    continue = s1.continue || s2.continue;
    term = s1.term || s2.term }

(* structure of labels in a function body : using Huet's zipper *)

type label_tree =
  | LabelItem of label_info
  | LabelBlock of label_tree list

let rec printf_label_tree fmt lt =
  match lt with 
    | LabelItem s -> fprintf fmt "%s" s.label_info_name
    | LabelBlock l -> 
	fprintf fmt "{ %a }" (Pp.print_list Pp.space printf_label_tree ) l

let rec in_label_tree lab = function
  | LabelItem l -> if l.label_info_name=lab then l else raise Not_found
  | LabelBlock l -> in_label_tree_list lab l

and in_label_tree_list lab = function
  | [] -> raise Not_found
  | h::r -> 
      try in_label_tree lab h
      with Not_found -> in_label_tree_list lab r

let rec in_label_upper_tree_list lab = function
  | [] -> raise Not_found
  | LabelItem l :: _ when l.label_info_name=lab -> l
  | _ :: r -> in_label_upper_tree_list lab r


let rec build_label_tree st acc : label_tree list =
  match st.node with
    | CSnop  
    | CSexpr _ 
    | CSbreak 
    | CScontinue 
    | CSgoto _
    | CSreturn _
    | CSannot _ -> acc
    | CSif (_e, s1, s2) ->
	let l1 = build_label_tree s1 [] in
	let l2 = build_label_tree s2 [] in
	(LabelBlock l1) :: (LabelBlock l2) :: acc
    | CSlabel (lab, s) ->
	let info = { label_info_name = lab; times_used = 0 } in
	(LabelItem info) :: (build_label_tree s acc)
    | CSblock (_,sl) ->
	let l = List.fold_right build_label_tree sl [] in
	(LabelBlock l) :: acc
    | CSfor (_, _, _, _, s) 
    | CSdowhile (_, s, _) 
    | CSwhile (_, _, s) 
    | CSswitch (_, s) 
    | CScase (_, s) 
    | CSdefault (s) 
    | CSspec (_, s) ->
	let l = build_label_tree s [] in
	(LabelBlock l) :: acc
	
  

let rec type_statement env et lz s =
  let sn,st,lz = type_statement_node s.loc env et lz s.node in
  { st_node = sn; 
    st_return = st.return; 
    st_break = st.break;
    st_continue = st.continue;
    st_term = st.term;
    st_loc = s.loc }, st, lz

and type_statement_node loc env et lz = function
  | CSnop -> 
      TSnop, mt_status, lz
  | CSexpr e ->
      let e = type_expr env e in
      TSexpr e, mt_status, lz
  | CSif (e, s1, s2) ->
      let e = type_boolean env e in
      let lz1,lz2,lz3 = match lz with
	| before,LabelBlock b1::LabelBlock b2::after ->
	    (before,b1@(LabelBlock b2)::after),
	    (before,b2@(LabelBlock b1)::after),
	    (LabelBlock b1::LabelBlock b2::before,after)
	| _ -> assert false
      in
      let s1,st1,_ = type_statement env et lz1 s1 in
      let s2,st2,_ = type_statement env et lz2 s2 in
      TSif (e, s1, s2), or_status st1 st2, lz3
  | CSbreak ->
      TSbreak, { mt_status with term = false; break = true }, lz
  | CScontinue -> 
     TScontinue, { mt_status with term = false; continue = true }, lz
  | CSlabel (lab, s) ->
      let info,lz1 = match lz with
	| before,LabelItem lab'::after ->
	    assert (lab=lab'.label_info_name);
	    lab',(LabelItem lab'::before,after)
	| _ -> assert false
      in
      let s, st, lz2 = type_statement env et lz1 s in
      TSlabel (info, s), st, lz2
  | CSblock bl ->
      let lz1,lz2 = match lz with
	| before,LabelBlock b1::after ->
	    (before,b1@after),
	    (LabelBlock b1::before,after)
	| _ -> assert false
      in
      let bl,st,_ = type_block env et lz1 bl in
      TSblock bl, st, lz2
  | CSgoto lab ->
      let before,after = lz in
      let status,info =
	try
	  let info = in_label_tree_list lab before in
	  lprintf "%a: backward goto@." Loc.report_position loc;
	  GotoBackward,info
	with Not_found ->
	  try
	    let info = in_label_upper_tree_list lab after in
	    lprintf "%a: forward outer goto@." Loc.report_position loc;
	    GotoForwardOuter,info
	  with Not_found ->
	    try
	      let info = in_label_tree_list lab after in
	      lprintf "%a: forward inner goto@." Loc.report_position loc;
	      GotoForwardInner,info
	    with Not_found ->
	      error loc "undefined label '%s'" lab
      in
      info.times_used <- info.times_used + 1;
      TSgoto(status,info), mt_status, lz
  | CSfor (an, e1, e2, e3, s) -> 
      let an = type_loop_annot env an in
      let e1 = type_expr env e1 in
      let e2 = type_boolean env e2 in
      let e3 = type_expr env e3 in
      let lz1,lz2 = match lz with
	| before,LabelBlock b1::after ->
	    (before,b1@after),
	    (LabelBlock b1::before,after)
	| _ -> assert false
      in
      let s,st, _ = type_statement env et lz1 s in
      TSfor (an, e1, e2, e3, s),
      { mt_status with return = st.return }, lz2
  | CSdowhile (an, s, e) ->
      let an = type_loop_annot env an in
      let lz1,lz2 = match lz with
	| before,LabelBlock b1::after ->
	    (before,b1@after),
	    (LabelBlock b1::before,after)
	| _ -> assert false
      in
      let s, st, _ = type_statement env et lz1 s in
      let e = type_boolean env e in
      TSdowhile (an, s, e), 
      { mt_status with return = st.return }, lz2
  | CSwhile (an, e, s) ->
      let an = type_loop_annot env an in
      let e = type_boolean env e in
      let lz1,lz2 = match lz with
	| before,LabelBlock b1::after ->
	    (before,b1@after),
	    (LabelBlock b1::before,after)
	| _ -> assert false
      in
      let s, st, _ = type_statement env et lz1 s in
      TSwhile (an, e, s), 
      { mt_status with return = st.return }, lz2
  | CSreturn None ->
      if et <> None then warning loc 
	      "`return' with no value, in function returning non-void";
      TSreturn None,{ mt_status with term = false; return = true }, lz
  | CSreturn (Some e) ->
      let e' = type_expr env e in
      let e' = match et with
	| None -> 
	    warning e.loc "`return' with a value, in function returning void";
	    None
	| Some ty ->
	    Some (coerce ty e')
      in
      TSreturn e', { mt_status with term = false; return = true }, lz
  | CSswitch (e, s) ->
      let e = type_int_expr env e in
      let lz1,lz2 = match lz with
	| before,LabelBlock b1::after ->
	    (before,b1@after),
	    (LabelBlock b1::before,after)
	| _ -> assert false
      in
      let s,st,_ = type_statement env et lz1 s in
      TSswitch (e, s), { st with break = false ; term = true }, lz2
  | CScase (e, s) ->
      let e = type_int_expr env e in
      let lz1,lz2 = match lz with
	| before,LabelBlock b1::after ->
	    (before,b1@after),
	    (LabelBlock b1::before,after)
	| _ -> assert false
      in
      let s,st,_ = type_statement env et lz1 s in
      TScase (e, s), st, lz2
  | CSdefault (s) ->
      let lz1,lz2 = match lz with
	| before,LabelBlock b1::after ->
	    (before,b1@after),
	    (LabelBlock b1::before,after)
	| _ -> assert false
      in
      let s,st,_ = type_statement env et lz1 s in
      TSdefault (s), st, lz2
  | CSannot (Assert p) ->
      let p = type_predicate env p in
      TSassert p, mt_status, lz
  | CSannot (Assume p) ->
      let p = type_predicate env p in
      TSassume p, mt_status, lz
  | CSannot (Label l) ->
      TSlogic_label l, mt_status, lz
  | CSannot (GhostSet(x,t)) ->
      let x = type_ghost_lvalue env x in
      let t = type_term env t in
      TSset (x, Cltyping.coerce x.term_type t), mt_status, lz
  | CSspec (spec, s) ->
      let spec = type_spec env spec in
      let lz1,lz2 = match lz with
	| before,LabelBlock b1::after ->
	    (before,b1@after),
	    (LabelBlock b1::before,after)
	| _ -> assert false
      in
      let s,st,_ = type_statement env et lz1 s in
      TSspec (spec, s), st, lz2

and type_block env et lz (dl,sl) = 
  let rec type_decls vs env = function
    | [] -> 
	[], env
    | { node = Cdecl (ty, x, i) } as d :: dl ->
	if Sset.mem x vs then error d.loc "redeclaration of `%s'" x;
	let ty = type_type d.loc env ty in	
	if eq_type_node ty.ctype_node Tvoid then 
	  error d.loc "variable `%s' declared void" x;
	let i = type_initializer_option d.loc env ty i in
	let ty = array_size_from_initializer d.loc ty i in
	let info = default_var_info x in
	if ty.ctype_storage = Static then set_static info;
	let env' = Env.add x ty (Var_info info) env in
	let dl',env'' = type_decls (Sset.add x vs) env' dl in
	{ d with node = Tdecl (ty, info, i) } :: dl', env''
    | { node = Ctypedecl ty } as d :: dl ->
	let ty' = type_type d.loc env ty in
	let dl',env' = type_decls vs env dl in
	{ d with node = Ttypedecl ty' } :: dl', env'
    | { loc = l } :: _ ->
	error l "unsupported local declaration"
  in
  let dl',env' = type_decls Sset.empty (Env.new_block env) dl in
  let rec type_bl lz = function
    | [] -> 
	[], mt_status, lz
    | [s] ->
	let s',st, lz1 = type_statement env' et lz s in
	[s'], st, lz1
    | s :: bl ->
	let s', st1, lz1 = type_statement env' et lz s in
	let bl', st2, lz2 = type_bl lz1 bl in
	let st = or_status st1 st2 in
	s' :: bl', { st with term = st2.term }, lz2
  in
  let sl', st, lz1 = type_bl lz sl in
  (dl', sl'), st, lz1

let type_parameters loc env pl =
  let type_one (ty,x) pl =
    let ty = type_type loc ~parameters:true env ty in 
    let info = default_var_info x in
    set_formal_param info;
    set_var_type (Var_info info) ty true;
    Coptions.lprintf 
      "Parameter %s added in env with unique name %s@." x info.var_unique_name;
    (ty,info) :: pl 
  in
  let is_void (ty,_) = ty.ctype_node = Tvoid in
  let pl = List.fold_right type_one pl [] in
  match pl with
    | [p] when is_void p -> 
	[]
    | _ -> 
	if List.exists is_void pl then 
	  error loc "`void' in parameter list must be the entire list";
	pl
  
let type_logic_parameters loc env pl = 
  List.fold_right
    (fun (ty,x) (pl,env) ->
       let info = default_var_info x in
       let ty = type_logic_type loc env ty in 
       (info,ty) :: pl, Env.add x ty (Var_info info) env)
    pl 
    ([], env)

let type_spec_decl loc = function
  | LDaxiom (id, p) -> 
      Taxiom (id, type_predicate (Env.empty ()) p)
  | LDinvariant (id, p) -> 
      Tinvariant (id, type_predicate (Env.empty ()) p)
  | LDlogic (id, ty, _labels, pl, ll) ->
      let ty = type_logic_type loc (Env.empty ()) ty in
      let pl,env' = type_logic_parameters loc (Env.empty ()) pl in
      id.logic_args <- List.map fst pl;
      id.logic_why_type <- type_type_why ty false;
      let ll = List.map (type_location env') ll in
      Cenv.add_logic id.logic_name (List.map snd pl, ty, id);
      Tlogic (id, Function (pl, ty, ll))
  | LDlogic_def (id, ty, _labels, pl, t) ->
      let ty = type_logic_type loc (Env.empty ()) ty in
      let pl,env' = type_logic_parameters loc (Env.empty ()) pl in
      id.logic_args <- List.map fst pl;
      id.logic_why_type <- type_type_why ty false;
      let t = type_term env' t in
      Cenv.add_logic id.logic_name (List.map snd pl, ty, id);
      Tlogic (id, Function_def (pl, ty, t))
  | LDpredicate_reads (id, pl, ll) ->
      let pl,env' = type_logic_parameters loc (Env.empty ()) pl in
      id.logic_args <- List.map fst pl;
      let ll = List.map (type_location env') ll in
      Cenv.add_pred id.logic_name (List.map snd pl,id);
      Tlogic (id, Predicate_reads (pl, ll))
  | LDpredicate_def (id, pl, p) ->
      let pl,env' = type_logic_parameters loc (Env.empty ()) pl in
      id.logic_args <- List.map fst pl;
      let p = type_predicate env' p in
      Cenv.add_pred id.logic_name (List.map snd pl,id);
      Tlogic (id, Predicate_def (pl, p))
  | LDghost (ty,x,cinit) -> 
      let ty = type_type ~ghost:true loc (Env.empty ()) ty in
      let info = add_ghost loc x ty (default_var_info x) in 
      set_static info;
      set_var_type (Var_info info) {ty with Ctypes.ctype_ghost = true} false;
      let cinit = 
	match cinit with
	  | None -> None
	  | Some (Iexpr t) -> Some(Iexpr (type_term (Env.empty()) t))
	  | _ -> assert false(*TODO*)
      in
      Tghost (info, cinit)
  | LDtype (id, loc) ->
      if Cenv.mem_type id then error loc "clash with previous type %s" id;
      Cenv.add_type id;
      Ttype id

(* table storing function specifications *)
let function_specs = Hashtbl.create 97

let empty_spec () = 
  { requires = None; assigns = None; ensures = None; decreases = None } 

let is_empty_spec s = 
  s.requires = None && s.assigns = None && 
  s.ensures = None && s.decreases = None

let function_spec loc f = function
  (* no spec given; we return the current spec if any, or [empty_spec] *)
  | None ->
      (try 
	 Hashtbl.find function_specs f
       with Not_found -> 
	 let s = empty_spec () in Hashtbl.add function_specs f s; s)
  (* a spec is given; we update the current spec only if [empty_spec] *)
  | Some s ->
      (try 
	 let s' = Hashtbl.find function_specs f in
	 if not (is_empty_spec s') then 
	   error loc "already a specification for %s" f;
	 s'.requires <- s.requires;
	 s'.assigns <- s.assigns;
	 s'.ensures <- s.ensures;
	 s'.decreases <- s.decreases;
	 s'
       with Not_found -> 
	 Hashtbl.add function_specs f s; s)

let combine_args loc l1 l2 =
  if l1 = [] then l2 else
    try
      List.map2 (fun x1 x2 ->
		if eq_type x1.var_type x2.var_type then 
		  if x1.var_name = "" then x2 else x1
		else error loc "clash with previous declaration: expected type %a, got %a"
		  print_type x1.var_type print_type x2.var_type
		)
	l1 l2
    with Invalid_argument _ -> 
      error loc "clash with previous declaration: not the same number of arguments"

let type_prototype loc pl ty f = 
  let pl = type_parameters loc (Env.empty ()) pl in
  let ty_res = type_type loc (Env.empty ()) ty in
  let info = default_fun_info f in
  let spl = List.map fst pl in
  let info = 
    match add_sym loc f (noattr (Tfun (spl, ty_res))) 
      (Fun_info info) with
	| Var_info _ -> assert false
	| Fun_info f -> 
	    f.args <- combine_args loc f.args (List.map snd pl);
	    f
  in
  let env = (* we build the env. to type the spec and the body *)
    List.fold_right 
      (fun v env -> Env.add v.var_name v.var_type (Var_info v) env)
      info.args (Env.empty ())
  in
  info,ty_res,env


let type_decl d = match d.node with
  | Cspecdecl s -> 
      type_spec_decl d.loc s
  | Ctypedef (ty, x) -> 
      let ty = type_type d.loc (Env.empty ()) ty in
      add_typedef d.loc x ty;
      Ttypedef (ty, x)
  | Ctypedecl ty -> 
      let ty = type_type d.loc (Env.empty ()) ty in
      Ttypedecl ty
  | Cdecl (ty, x, i) -> 
      begin match ty.Cast.ctype_node with
	| CTfun(pl,ty_res) ->
	    let info,ty_res,_ = type_prototype d.loc pl ty_res x in
	    Tfunspec (function_spec d.loc x None, ty_res, info)
	| _ -> 
	    let ty = type_type d.loc (Env.empty ()) ty in
	    let info = 
	      match add_sym d.loc x ty (Var_info (default_var_info x)) with
		| Var_info v -> v
		| Fun_info _ -> assert false
	    in
	    set_static info;
	    Loc.report_position Coptions.log d.loc;
	    fprintf Coptions.log "Variable %s is assigned@." info.var_name;
	    set_assigned info; (* ????? *)
	    let i = type_initializer_option d.loc (Env.empty ()) ty i in
	    let ty = array_size_from_initializer d.loc ty i in
	    set_var_type (Var_info info) ty false;
	    if ty.ctype_const then begin match ty.ctype_node, i with
	      | (Tint _ | Tfloat _ | Tenum _), Some (Iexpr e) -> 
		  begin
		    try
		      set_const_value info (eval_const_expr_noerror e)
		    with
			Invalid_argument _msg -> ()	
		  end
	      | _ ->
		  ()
	    end;
	    Tdecl (ty, info,i)
      end
  | Cfunspec (s, ty, f, pl) ->
      let info,ty,env = type_prototype d.loc pl ty f in
      info.has_assigns <- (s.assigns <> None);
      let s = type_spec ~result:ty env s in
      let s = function_spec d.loc f (Some s) in
      Tfunspec (s, ty, info)
  | Cfundef (s, ty, f, pl, bl) -> 
      let info,ty,env = type_prototype d.loc pl ty f in
      let et = if eq_type ty c_void then None else Some ty in
      info.has_body <- true;
      let s = Option_misc.map (type_spec ~result:ty env) s in
      let s = function_spec d.loc f s in
      info.has_assigns <- (s.assigns <> None);
      let lz = build_label_tree bl [] in
      fprintf Coptions.log "Labels for function %s:@\n" f;
      printf_label_tree Coptions.log (LabelBlock lz);
      fprintf Coptions.log "@.";
      let bl,st,_ = type_statement env et ([],lz) bl in
      if st.term && et <> None then
	warning d.loc "control reaches end of non-void function";
      if st.break then 
	error d.loc "break statement not within a loop or switch";
      if st.continue then 
	error d.loc "continue statement not within a loop";
      Tfundef (s, ty, info, bl)

let type_file = List.map (fun d -> { d with node = type_decl d })

(*
Local Variables: 
compile-command: "unset LANG; make -C .. bin/caduceus.byte"
End: 
*)
why-2.34/c/cutil.ml0000644000175000017500000001004012311670312012504 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* wrap treatment on option *)

module Option = struct
  let equal f x1 x2 = match x1,x2 with
    | None,None -> true
    | Some y1,Some y2 -> f y1 y2
    | _ -> false
  (* returns [Some x] iff one argument is [None] and the other is [Some x] *)
  let some x1 x2 = match x1,x2 with
    | None,x | x,None -> x
    | _ -> None
  let app f x = match x with None -> None | Some s -> Some (f s)
  let fold f x y = match x with None -> y | Some s -> f s y
  let binapp f x1 x2 = match x1,x2 with
    | None,_ | _,None -> None
    | Some y1,Some y2 -> Some (f y1 y2)
  let transform f x1 x2 = match x1,x2 with
    | None,None -> None
    | None,Some x | Some x,None -> Some x
    | Some y1,Some y2 -> Some (f y1 y2)
  let pretty f fmt x = match x with
    | None -> ()
    | Some x -> f fmt x
end

(* very basic pair *)

module Pair = struct
  let any f x1 x2 = f x1 || f x2
  let both f x1 x2 = f x1 && f x2

  module Make (L1 : Set.OrderedType) (L2 : Set.OrderedType)
    : Set.OrderedType with type t = L1.t * L2.t =
  struct
    type t = L1.t * L2.t
    let compare x1 x2 =
      let v = L1.compare (fst x1) (fst x2) in
      if (v = 0) then L2.compare (snd x1) (snd x2) else v
  end
end

(* commonly used maps/sets based on std lib *)

module StringSet = Set.Make (String)
module StringMap = Map.Make (String)
module Int32Map = Map.Make (Int32)
module Int32Set = Set.Make (Int32)

(* to avoid warnings about missing cases in pattern-matching,
   when exact form of the list known due to context *)

let list1 l = match l with [a] -> a | _ -> assert false
let list2 l = match l with [a;b] -> a,b | _ -> assert false
let list3 l = match l with [a;b;c] -> a,b,c | _ -> assert false
let list4 l = match l with [a;b;c;d] -> a,b,c,d | _ -> assert false
let list5 l = match l with [a;b;c;d;e] -> a,b,c,d,e | _ -> assert false
why-2.34/c/cutil.mli0000644000175000017500000000647312311670312012674 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

module Option : sig
  val equal : ('a -> 'a -> bool) -> 'a option -> 'a option -> bool
  val some : 'a option -> 'a option -> 'a option
  val app : ('a -> 'b) -> 'a option -> 'b option
  val fold : ('a -> 'b -> 'b) -> 'a option -> 'b -> 'b
  val binapp : ('a -> 'a -> 'b) -> 'a option -> 'a option -> 'b option
  val transform : ('a -> 'a -> 'a) -> 'a option -> 'a option -> 'a option
  val pretty :
    (Format.formatter -> 'a -> unit) -> Format.formatter -> 'a option -> unit
end

module Pair : sig
  val any : ('a -> bool) -> 'a -> 'a -> bool
  val both : ('a -> bool) -> 'a -> 'a -> bool
  module Make (L1 : Set.OrderedType) (L2 : Set.OrderedType)
      : Set.OrderedType with type t = L1.t * L2.t
end

module StringSet : Set.S with type elt = string
module StringMap : Map.S with type key = string
module Int32Map : Map.S with type key = int32
module Int32Set : Set.S with type elt = int32

val list1 : 'a list -> 'a
val list2 : 'a list -> 'a * 'a
val list3 : 'a list -> 'a * 'a * 'a
val list4 : 'a list -> 'a * 'a * 'a * 'a
val list5 : 'a list -> 'a * 'a * 'a * 'a * 'a
why-2.34/c/cptr.ml0000644000175000017500000025047612311670312012357 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* TO DO:

   - treat correctly variables whose address is taken (probably do not treat
   them at all). Problem even without option on code:
   void f(int* p) {
     int** q = &p;
     ( *q )++;
     *p = 0;
   }
   Definition of [q] printed in cnorm:
     int** q = p;

   - change the naming scheme for offset variables.
   Currently, offset variable for pointer [p] is either "p_offset" or
   "p_self_offset". Neither one is satisfactory, since a variable could
   already be called like this. The solution should use "__" in front of
   the name, to make it a reserved name by the compiler, e.g.
   "__offset_p" and "__self_offset_p". We must only check that such names
   are correctly understood by the provers, or translated appropriately.

   - add same transformation for integers, e.g. on [size] in
         while (size --) *p++ = *q++;
   --> DONE. document it.
   
   - take into account possible non-initialization

*)

open Info
open Clogic
open Cast
open Cutil
open Cabsint

let debug = Coptions.debug
let debug_more = false


(*****************************************************************************
 *                                                                           *
 * 		Pointer lattice used for local aliasing analysis             *
 *                                                                           *
 *****************************************************************************)

module type POINTER_SEMI_LATTICE = sig
  include SEMI_LATTICE
  type var_t
    (* in the following, an [alias] is the same as an [index] of 0.
       It is provided for the sake of simplicity. *)
    (* constructors *)
  val make_alias : var_t -> t
  val make_index : var_t -> int -> t
  val make_offset : var_t -> var_t option -> t
  val make_defined : var_t -> var_t option -> t
    (* query functions *)
  val is_alias : t -> bool
  val is_index : t -> bool
  val is_self_index : var_t -> t -> bool
  val is_offset : t -> bool
  val is_self_offset : var_t -> t -> bool
  val is_defined : t -> bool
  val is_top : t -> bool
    (* destructors *)
  val get_alias : t -> var_t
  val get_index : t -> var_t * int
  val get_offset_opt : t -> var_t * var_t option
  val get_offset : t -> var_t * var_t
  val get_defined_opt : t -> var_t * var_t option
  val has_variable : t -> bool
  val get_variable : t -> var_t
end

module Make_PtrSemiLattice(V : VARIABLE)
    : POINTER_SEMI_LATTICE with type var_t = V.t and type dim_t = unit =
struct

  type var_t = V.t

  (* different kinds of pointers, depending on their local aliasing,
     obtained through assignments. 
     Only relevant for local variables, i.e. parameters and locals, 
     because globals could be modified inside a function call. *)
  type t =
        (* result of join between incompatible pointers on different paths *)
    | PKcomplex
	(* not known offset from local/global variable or parameter.
	   The optional variable will be set during the analysis to be 
	   an integer variable containing the actual offset. *)
    | PKoffset of V.t * V.t option
	(* known index from local/global variable or parameter.
	   In the particular case of a 0 index, it represents an alias of 
	   a local/global variable or parameter. *)
    | PKindex of V.t * int 
	(* defined pointer, but definition was too complex to be classified
	   as an offset or an index pointer. 
	   The 1st variable allows for a common treatment with other kinds.
	   The optional variable will be possibly set during the analysis 
	   to be an integer variable containing an offset to reset to 0
	   when assigning the pointer variable.
	   Conceptually, [PKdefined] is not far from [PKindex] on the same 
	   variable with index 0. *)
    | PKdefined of V.t * V.t option
	(* undefined pointer *)
    | PKundefined

  type dim_t = unit
  let top () = PKcomplex
  let bottom () = PKundefined
  let init = bottom

  (* get underlying variable if any *)
  let get_var_opt p1 = match p1 with
    | PKundefined | PKcomplex -> None
    | PKindex (v,_) | PKoffset (v,_) | PKdefined (v,_) -> Some v

  let same_var p1 p2 = match get_var_opt p1,get_var_opt p2 with
    | Some v1,Some v2 -> V.compare v1 v2 = 0
    | _ -> false

  let is_not_self_index_offset p = match p with
    | PKindex _ | PKoffset _ -> true
    | _ -> false

  (* constructors *)
  let make_alias v = PKindex (v,0)
  let make_index v i = PKindex (v,i)
  let make_offset v vo = PKoffset (v,vo)
  let make_defined v vo = PKdefined (v,vo)

  (* query functions *)
  let is_alias t = match t with PKindex (_,0) -> true | _ -> false
  let is_index t = match t with PKindex _ -> true | _ -> false
  let is_self_index var t = 
    match t with PKindex (v,_) -> V.equal var v | _ -> false
  let is_offset t = match t with PKoffset _ -> true | _ -> false
  let is_self_offset var t = 
    match t with PKoffset (v,_) -> V.equal var v | _ -> false
  let is_defined t = match t with PKdefined _ -> true | _ -> false
  let is_top t = match t with PKcomplex -> true | _ -> false

  (* destructors *)
  let get_alias t = match t with 
    | PKindex (v,0) -> v 
    | _ -> assert false
  let get_index t = match t with 
    | PKindex (v,i) -> v,i 
    | _ -> assert false
  let get_offset_opt t = match t with 
    | PKoffset (v,vo) -> v,vo 
    | _ -> assert false
  let get_offset t = match t with 
    | PKoffset (v,o) ->
	begin match o with
	  | Some off -> v,off
	  | _ -> 
	      (* when querying an [offset] pointer kind, we expect 
		 the offset variable to be set *)
	      assert false
	end
    | _ -> assert false
  let get_defined_opt t = match t with 
    | PKdefined (v,vo) -> v,vo 
    | _ -> assert false
  let has_variable t = match t with
    | PKindex _ | PKoffset _ | PKdefined _ -> true
    | _ -> false
  let get_variable t = match t with
    | PKindex _ -> fst (get_index t)
    | PKoffset _ -> fst (get_offset_opt t)
    | PKdefined _ -> fst (get_defined_opt t)
    | _ -> assert false

  let equal p1 p2 = match p1,p2 with
    | PKundefined,PKundefined -> true
    | PKindex (v1,o1),PKindex (v2,o2) ->
	V.equal v1 v2 && o1 = o2
    | PKoffset (v1,o1),PKoffset (v2,o2)
    | PKdefined (v1,o1),PKdefined (v2,o2) ->
	V.equal v1 v2 && (Option.equal V.equal o1 o2)
    | PKcomplex,PKcomplex -> true
    | _ -> false

  let pretty fmt t = match t with
    | PKundefined -> Format.fprintf fmt "PKundefined"
    | PKindex (v,i) -> Format.fprintf fmt "PKindex(%a,%d)" V.pretty v i
    | PKoffset (v,o) -> 
	begin
	  match o with
	    | None -> Format.fprintf fmt "PKoffset(%a)" V.pretty v
	    | Some vo -> 
		Format.fprintf fmt "PKoffset(%a,%a)" V.pretty v V.pretty vo
	end
    | PKdefined (v,o) ->
	begin
	  match o with
	    | None -> Format.fprintf fmt "PKdefined(%a)" V.pretty v
	    | Some vo -> Format.fprintf 
		fmt "PKdefined(%a,%a)" V.pretty v V.pretty vo
	end
    | PKcomplex -> Format.fprintf fmt "PKcomplex"

  (* lattice associated to var [v] has the following form:

                              PKcomplex
                                   |
                              PKoffset(v,o)
                                   |
                              PKindex(v,i)
                                   |
                              PKdefined(v,o)
                                   |
                              PKundefined

     2 different lattices for [u] and [v] only connect at top and bottom.
  *)

  (* 2 pointer kinds are comparable only if they have the same underlying 
     variable, if any. The opposite is true too, except for pairs of the same
     pointer kind with different second argument. 
     A subtlety is that a PKdefined pointer is comparable to a PKindex one
     only if the index is 0. *)
  let comparable p1 p2 = match get_var_opt p1,get_var_opt p2 with
    | Some v1,Some v2 -> 
	let second_arg_same = 
	  if is_offset p1 && (is_offset p2) then
	    let o1 = snd (get_offset_opt p1) in
	    let o2 = snd (get_offset_opt p2) in
	    Option.equal V.equal o1 o2
	  else if is_index p1 && (is_index p2) then
	    let o1 = snd (get_index p1) in
	    let o2 = snd (get_index p2) in
	    o1 = o2
	  else if is_defined p1 && (is_defined p2) then
	    let o1 = snd (get_defined_opt p1) in
	    let o2 = snd (get_defined_opt p2) in
	    Option.equal V.equal o1 o2
	  else true
	in
	let defined_with_index0 =
	  if is_defined p1 || (is_defined p2) then
	    if is_index p1 then snd (get_index p1) = 0
	    else if is_index p2 then snd (get_index p2) = 0
	    else true
	  else true
	in
	V.compare v1 v2 = 0 && second_arg_same && defined_with_index0
    | _ -> true

  (* p1 <= p2 *)
  let inf p1 p2 = 
    comparable p1 p2 &&
      match p1,p2 with
            (* PKundefined is the bottom element *)
	| PKundefined,_ -> true
	| _,PKundefined -> false
	    (* PKdefined is the next lowest element *)
	| PKdefined _,_ -> true
	| _,PKdefined _ -> false
	    (* PKindex is the next lowest element *)
	| PKindex _,_ -> true
	| _,PKindex _ -> false
	    (* PKoffset is the next lowest element *)
	| PKoffset _,_ -> true
	| _,PKoffset _ -> false
	    (* PKcomplex is the top element *)
	| PKcomplex,PKcomplex -> true

  (* union *)
  let rec join ?(backward=false) p1 p2 = 
    assert (backward=false); (* to prevent unused warning *)
    if not (comparable p1 p2) then 
      if same_var p1 p2 then
	(* case of interest here is 2 PKindex with different indices,
	   or equivalently a PKdefined with a PKindex of index different 
	   from 0 *)
	let v = get_variable p1 in
	PKoffset (v,None)
      else
	PKcomplex
    else if inf p2 p1 && not (equal p2 p1) then join p2 p1 else
      (* only treat here the case where p1 <= p2 *)
      match p1,p2 with
          (* PKundefined is the bottom element *)
	| PKundefined,p -> p
	    (* PKdefined is the next lowest element *)
	| PKdefined _,p -> p
	    (* PKindex is the next lowest element *)
	| PKindex _,p -> p
	    (* PKoffset is the next lowest element *)
	| PKoffset _,p -> p
	    (* PKcomplex is the top element *)
	| PKcomplex,_ -> PKcomplex

    (* widening should not be used on this finite lattice *)
    let widening _ = assert false
end


(*****************************************************************************
 *                                                                           *
 * 		Concrete modules for local pointer analysis		     *
 *                                                                           *
 *****************************************************************************)

(* We make the following choices in the following:
   - variables are represented by an entity of type [Info.var_info]
   - the intermediate language is the normalized AST as described by
   Cast.ndecl/nstatement/nexpr
   
   Other choices are perfectly possible, e.g. the pre-normalized AST
   as described by Cast.tdecl/tstatement/texpr as intermediate language.
*)

(* it happens to be the same as ILVar *)
module Var : VARIABLE with type t = var_info = struct
  type t = var_info
  let pretty fmt v = Format.fprintf fmt "%s" v.var_name
  let to_string v = v.var_name
  let compare v1 v2 = Pervasives.compare v1.var_uniq_tag v2.var_uniq_tag
  let equal v1 v2 = compare v1 v2 = 0
  let hash v = v.var_uniq_tag
end

module VarMap = Map.Make (Var)
module VarSet = Set.Make (Var)

module PtrLattice 
    : POINTER_SEMI_LATTICE with type var_t = Var.t and type dim_t = unit
  = Make_PtrSemiLattice(Var)

module PointWisePtrLattice = 
  Make_PointWiseSemiLattice(Var)(PtrLattice)

(* specialized intermediate language for pointer analysis *)

module PtrLangFromNormalized : sig
  include CFG_LANG_EXTERNAL
  
  (* query functions *)
    (* if the right-hand side of this assignment is a variable, 
       return it, with an optional constant offset if known.
       Only when [assign_get_local_lhs_var] has been called before
       with success. *)
  val assign_get_rhs_var : Node.t -> ilvar_t option * int option
    (* takes a variable expression or a pointer/integer addition 
       of an expression and an offset.
       returns as 1st item the possible variable in the addition.
       returns as 2nd item the possible offset expression in the addition. *)
  val get_intptr_add_on_var_opt : Node.t -> ilvar_t option * Node.t option

  (* constructors.
     - [make_] functions operate directly on their arguments.
     - [change_] functions take a first node as context, and operate on 
     other arguments.

     Most of those functions are valid both for pointer and integer variables.
  *)
    (* create a new node integer/pointer expression + constant *)
  val make_intptr_expr_add_cst : Node.t -> int -> Node.t
    (* create a new node integer/pointer expression + expression *)
  val make_intptr_expr_add_expr : Node.t -> Node.t -> Node.t
    (* make this node be a term/expression over an integer/pointer variable *)
  val change_in_intptr_var : Node.t -> ilvar_t -> Node.t
    (* make this node be a term/expression of a sum variable + constant *)
  val change_in_intptr_var_add_cst : Node.t -> ilvar_t -> int -> Node.t
    (* make this node be a term/expression of a sum variable + variable *)
  val change_in_intptr_var_add_var : Node.t -> ilvar_t -> ilvar_t -> Node.t
    (* make this node be an increment/decrement of the 2nd node,
       materialized as a pointer addition.
       The boolean is [true] if the function is called on the result of
       the assignment, to get back a pointer expression for the evaluation
       of the increment/decrement expression.
       The boolean is [false] if the function is called before the assignment,
       to get the result of the increment/decrement evaluation. *)
  val change_in_intptr_incr : Node.t -> Node.t -> bool -> Node.t

    (* make this node be an increment/decrement of the variable,
       materialized as an integer addition, that is assigned to
       the 1st node *)
  val change_in_int_incr_assign : Node.t -> ilvar_t -> Node.t
    (* change the structural sub-components of this node.
       Supersede the same function from CFGLangFromNormalized. *)
  val change_sub_components : Node.t -> Node.t list -> Node.t 
    (* add new local variables to this declaration node.
       The boolean is [true] if the variables are zero-initialized. *)
  val introduce_new_vars : Node.t -> ilvar_t list -> bool -> Node.t

end = struct
  
  include CFGLangFromNormalized

  (* more elaborate query functions related to pointer usage *)

  let assign_get_rhs_var node =
    let rec get_rhs_var e = match e.nexpr_node with
      | NEvar (Var_info var) -> 
	  (* direct alias *)
	  Some var,Some 0
      | NEincr _ | NEassign _ | NEassign_op _ ->
	  (* right-hand side is itself an assignment *)
	  begin match sub_assign_get_lhs_var e with
	    | None -> None,None (* rhs variable not identified *)
	    | Some var ->
		(* rhs variable has been identified *)
		(* post- and pre- increment/decrement not treated uniformly
		   since we are interested in the -value- resulting from
		   this operation *)
		begin match e.nexpr_node with
		  | NEincr (Upostfix_inc,_) ->
		      Some var,Some (-1)
		  | NEincr (Upostfix_dec,_) ->
		      Some var,Some 1
		  | _ -> Some var,Some 0
		end
	  end
      | NEbinary (e1,(Badd_pointer_int | Badd_int _ | Bsub_int _ as op),e2) ->
	  (* right-hand side is an offset from a pointer/integer expression *)
	  begin match get_rhs_var e1 with
	    | Some var,Some off ->
		(* rhs is an known offset from some variable *)
		begin match e2.nexpr_node with
		  | NEconstant (IntConstant s) ->
		      (* rhs is constant offset from variable *)
		      begin
			try 
			  let new_off = match op with
			    | Badd_pointer_int | Badd_int _ -> 
				off + (int_of_string s)
			    | Bsub_int _ ->
				off - (int_of_string s)
			    | _ -> assert false
			  in
			  (* constant offset is representable *)
			  Some var,Some new_off
			with Failure "int_of_string" ->
			  (* constant offset not representable *)
			  Some var,None
		      end
		  | _ -> Some var,None (* offset not known *)
		end
	    | _ -> None,None (* rhs not offset from variable *)
	  end
      | _ -> None,None (* rhs not recognized *)
    in
    match get_expr node with
      | NEincr (op,e) ->
	  begin match e.nexpr_node with
	    | NEvar (Var_info var) ->
		(* post- and pre- increment/decrement treated uniformy,
		   since we are interested here in the -assignment- resulting
		   from this operation *)
		begin match op with
		  | Upostfix_inc | Uprefix_inc ->
		      Some var,Some 1
		  | Upostfix_dec | Uprefix_dec ->
		      Some var,Some (-1)
		end
	    | _ -> None,None (* rhs not recognized *)
	  end
      | NEassign_op (e1,(Badd_pointer_int | Badd_int _ | Bsub_int _ as op),
		     e2) ->
	  begin match e1.nexpr_node with
	    | NEvar (Var_info var) ->
		begin match e2.nexpr_node with
		  | NEconstant (IntConstant s) ->
		      (* rhs is constant offset from variable *)
		      begin
			try 
			  let new_off = match op with
			    | Badd_pointer_int | Badd_int _ -> 
			        (int_of_string s)
			    | Bsub_int _ ->
			        - (int_of_string s)
			    | _ -> assert false
			  in
			  (* constant offset is representable *)
			  Some var,Some new_off
			with Failure "int_of_string" ->
			  (* constant offset not representable *)
			  Some var,None
		      end
		  | _ -> Some var,None (* offset not known *)
		end
	    | _ -> None,None (* rhs not recognized *)
	  end
      | NEassign (_,e) ->
	  get_rhs_var e
      | _ -> failwith ("[assign_get_rhs_var] should be called on assignment")

  let rec get_intptr_add_on_var_opt node =
    if debug_more then Coptions.lprintf 
      "[get_intptr_add_on_var_opt] %a@." Node.pretty node;
    (* a cast may have been introduced for arrays used as pointers *)
    let node = skip_casts node in
    let e = get_e node in
    match e.nexpr_node with
      | NEvar _ -> None,None
      | NEbinary (e1,(Badd_pointer_int | Badd_int _ | Bsub_int _ as op),e2) ->
	  let e2 = match op with
	    | Bsub_int _ -> { e2 with nexpr_node = NEunary (Uminus,e2) }
	    | _ -> e2
	  in
	  let add_opt = Some (create_tmp_node (Nexpr e2)) in
	  let var_opt = match e1.nexpr_node with
	    | NEvar (Var_info v) -> Some v
	    | _ -> None
	  in
	  var_opt,add_opt
      | _ -> assert false

  (* constructors *)

  (* expr + neg_cst is coded as expr + (-abs(neg_cst))
     This format is expected by [Cconst] module. *)
  let make_intptr_expr_add_cst node cst =
    let e = get_e node in
    let cst_e = NEconstant (IntConstant (string_of_int (abs cst))) in
    let cst_e = { e with nexpr_node = cst_e; nexpr_type = int_offset_type } in
    let cst_e = if cst >= 0 then cst_e else
      { cst_e with nexpr_node = NEunary (Uminus,cst_e) } in
    let addop = 
      if expr_type_is_ptr node then Badd_pointer_int
      else if expr_type_is_int node then int_offset_addop
      else assert false in
    let new_e = NEbinary (e,addop,cst_e) in
    let new_e = { e with nexpr_node = new_e } in
    create_tmp_node (Nexpr new_e)

  let make_intptr_expr_add_expr node1 node2 =
    let e1 = get_e node1 in
    let e2 = get_e node2 in
    let addop = 
      if expr_type_is_ptr node1 then Badd_pointer_int
      else if expr_type_is_int node1 then int_offset_addop
      else assert false in
    let new_e = NEbinary (e1,addop,e2) in
    let new_e = { e1 with nexpr_node = new_e } in
    create_tmp_node (Nexpr new_e)

  (* deals with array address used as pointer *)
  let change_in_intptr_var node var =
    match get_node_kind node with
      | NKexpr | NKtest | NKlvalue -> 
	  let e = get_e node in
	  let var_e = NEvar (Var_info var) in
	  let var_e = { e with nexpr_node = var_e } in
	  let new_e =
	    match var.var_type.Ctypes.ctype_node with 
	      | Ctypes.Tarray (valid,ty,_) -> 
		  let cast_e = NEcast (Ctypes.c_pointer valid ty,var_e) in
		  { e with nexpr_node = cast_e }
	      | _ -> var_e
	  in
	  create_tmp_node (Nexpr new_e) 
      | NKterm ->
	  let t = get_t node in
	  let var_t = NTvar var in
	  let var_t = { t with nterm_node = var_t } in
	  let new_t = 
	    match var.var_type.Ctypes.ctype_node with 
	      | Ctypes.Tarray (valid,ty,_) -> 
		  let cast_t = NTcast (Ctypes.c_pointer valid ty,var_t) in
		  { t with nterm_node = cast_t }
	      | _ -> var_t
	  in
	  create_tmp_node (Nterm new_t)
      | _ -> assert false

  (* var + neg_cst is coded as var + (-abs(neg_cst))
     This format is expected by [Cconst] module. *)
  let change_in_intptr_var_add_cst node var offset =
    let var_te = change_in_intptr_var node var in
    match get_node_kind node with
      | NKexpr | NKtest | NKlvalue -> 
	  let e = get_e node in
	  let cst_e = NEconstant (IntConstant (string_of_int (abs offset))) in
	  let cst_e = { e with nexpr_node = cst_e; 
			  nexpr_type = int_offset_type } in
	  let cst_e = if offset >= 0 then cst_e else
	    { cst_e with nexpr_node = NEunary (Uminus,cst_e) } in
	  let addop = 
	    if var_is_pointer var then Badd_pointer_int
	    else if var_is_integer var then int_offset_addop
	    else assert false in
	  let new_e = NEbinary (get_e var_te, addop, cst_e) in
	  let new_e = { e with nexpr_node = new_e } in
	  create_tmp_node (Nexpr new_e)
      | NKterm ->
	  let t = get_t node in
	  let cst_t = NTconstant (IntConstant (string_of_int (abs offset))) in
	  let cst_t = { t with nterm_node = cst_t; 
			  nterm_type = int_offset_type } in
	  let cst_t = if offset >= 0 then cst_t else
	    { cst_t with nterm_node = NTunop (Clogic.Uminus,cst_t) } in
	  let new_t = NTbinop (get_t var_te, Clogic.Badd, cst_t) in
	  let new_t = { t with nterm_node = new_t } in
	  create_tmp_node (Nterm new_t)
      | _ -> assert false

  let change_in_intptr_var_add_var node var offset_var =
    let var_te = change_in_intptr_var node var in
    match get_node_kind node with
      | NKexpr | NKtest | NKlvalue -> 
	  let e = get_e node in
	  let cst_e = NEvar (Var_info offset_var) in
	  let cst_e = { e with nexpr_node = cst_e; 
			  nexpr_type = int_offset_type } in
	  let addop = 
	    if var_is_pointer var then Badd_pointer_int
	    else if var_is_integer var then int_offset_addop
	    else assert false in
	  let new_e = NEbinary (get_e var_te, addop, cst_e) in
	  let new_e = { e with nexpr_node = new_e } in
	  create_tmp_node (Nexpr new_e)
      | NKterm ->
	  let t = get_t node in
	  let cst_t = NTvar offset_var in
	  let cst_t = { t with nterm_node = cst_t; 
			  nterm_type = int_offset_type } in
	  let new_t = NTbinop (get_t var_te, Clogic.Badd, cst_t) in
	  let new_t = { t with nterm_node = new_t } in
	  create_tmp_node (Nterm new_t)
      | _ -> assert false

  let change_in_intptr_incr node new_rhs_node is_after_assign =
    let e = get_e node in
    let op = match e.nexpr_node with NEincr (op,_) -> op | _ -> assert false in
    let is_inop_op op =
      if is_after_assign then
	(* prefix operations must have occurred after assignment *)
	op = Uprefix_inc || op = Uprefix_dec
      else
	(* postfix operations must not have occurred before assignment *)
	op = Upostfix_inc || op = Upostfix_dec
    in
    let is_add1_op op =
      if is_after_assign then
	(* postfix decrement should be reversed after asssignment *)
	op = Upostfix_dec
      else
	(* prefix increment must be coded before assignment *)
	op = Uprefix_inc
    in
    let is_sub1_op op =
      if is_after_assign then
	(* postfix increment should be reversed after asssignment *)
	op = Upostfix_inc
      else
	(* prefix decrement must be coded before assignment *)
	op = Uprefix_dec
    in
    if is_inop_op op then
      new_rhs_node
    else if is_add1_op op then
      make_intptr_expr_add_cst new_rhs_node 1
    else if is_sub1_op op then
      make_intptr_expr_add_cst new_rhs_node (-1)
    else
      assert false

  let change_in_int_incr_assign node offset_var =
    let e = get_e node in
    let var_e = NEvar (Var_info offset_var) in
    let var_e = { e with nexpr_node = var_e; nexpr_type = int_offset_type } in
    let new_e =
      match e.nexpr_node with
	| NEincr (op,_) -> 
	    (* keep the original increment/decrement operator for ergonomy
	       purposes. Postfix/prefix choice should have no effect here
	       since this node is not supposed to be used as 
	       a sub-expression. *)
	    NEincr (op,var_e)
	| _ -> assert false
    in
    let new_e = { e with nexpr_node = new_e; nexpr_type = int_offset_type } in
    create_tmp_node (Nexpr new_e)

  (* exception used to report unexpected encoding in [change_sub_components]
     or its sub-functions. *)
  exception Bad_encoding

  (* exception used to report CFGLangFromNormalized treatment should be 
     applied, instead of a special treatment for pointer analysis *)
  exception Use_inherited

  let change_sub_components_in_stat node sub_nodes =
    let s = get_s node in
    (* in case an assignment was transformed into its right-hand side,
       do not keep the resulting expression if useless.
       In general this could be seen as an optimization.
       Currently it is necessary because [Cinterp] module might fail
       on such code that it considers as a "statement expression". *)
    let rec useless_expr e = match e.nexpr_node with
	(* only possible "statement expression" cases returned 
	   by the transformation *)
      | NEconstant _ | NEvar _ -> true
      | NEbinary (e1,_,e2) -> (useless_expr e1) && (useless_expr e2)
      | NEunary (_,e1) | NEcast (_,e1) -> useless_expr e1
      | _ -> false
    in
    let simplify_expr e = match e.nexpr_node with
      | NEseq (e1,e2) ->
	  (* [e2] may be the pointer evaluation, useless here *)
	  if useless_expr e2 then e1 else e
      | _ -> e
    in
    let simplify_expr_under_stat e = 
      let e = simplify_expr e in
      match e.nexpr_node with
	| NEbinary (e1,_,e2) ->
	    (* [e1] may be the base pointer evaluation, useless here *)
	    if useless_expr e1 then e2 else e
	| _ -> e
    in
    let statement_expr_or_nop e = 
      let e = simplify_expr_under_stat e in
      if useless_expr e then NSnop else NSexpr e
    in
    let filter_nop sl =
      List.filter (fun s -> not (s.nst_node = NSnop)) sl
    in
    try let new_s = match s.nst_node with
      | NSexpr _e -> 
	  assert (List.length sub_nodes = 1);
	  let new_e = list1 sub_nodes in
	  let new_e = get_e new_e in
	  statement_expr_or_nop new_e
      | NSif (_e,_s1,_s2) ->
	  assert (List.length sub_nodes = 3);
	  let new_e,new_s1,new_s2 = list3 sub_nodes in
	  let new_e,new_s1,new_s2 
	    = get_e new_e,get_s new_s1,get_s new_s2 in
	  let new_e = simplify_expr new_e in
	  NSif (new_e,new_s1,new_s2)
      | NSwhile (_annot,_e,_s1) ->
	  assert (List.length sub_nodes = 3);
	  let new_e,new_s1,new_a = list3 sub_nodes in
	  let new_e,new_s1,new_a = get_e new_e,get_s new_s1,get_annot new_a in
	  let new_e = simplify_expr new_e in
	  NSwhile (new_a,new_e,new_s1)
      | NSdowhile (_annot,_s1,_e) ->
	  assert (List.length sub_nodes = 3);
	  let new_s1,new_e,new_a = list3 sub_nodes in
	  let new_s1,new_e,new_a = get_s new_s1,get_e new_e,get_annot new_a in
	  let new_e = simplify_expr new_e in
	  NSdowhile (new_a,new_s1,new_e)
      | NSfor (_annot,_einit,_etest,_eincr,_s1) ->
	  assert (List.length sub_nodes = 5);
	  let new_einit,new_etest,new_eincr,new_s1,new_a = list5 sub_nodes in
	  let new_einit,new_etest,new_eincr,new_s1,new_a
	    = get_e new_einit,get_e new_etest,
	    get_e new_eincr,get_s new_s1,get_annot new_a in
	  let new_einit = simplify_expr_under_stat new_einit in
	  let new_etest = simplify_expr new_etest in
	  let new_eincr = simplify_expr_under_stat new_eincr in
	  NSfor (new_a,new_einit,new_etest,new_eincr,new_s1)
      | NSblock _sl ->
	  let new_sl = filter_nop (List.map get_s sub_nodes) in
	  NSblock new_sl
      | NSreturn (Some _e) -> 
	  assert (List.length sub_nodes = 1);
	  let new_e = list1 sub_nodes in
	  let new_e = get_e new_e in
	  let new_e = simplify_expr new_e in
	  NSreturn (Some new_e)
      | NSdecl (typ,var,Some cinit,_s1) ->
	  assert (List.length sub_nodes = 2);
	  let new_e,new_s1 = list2 sub_nodes in
	  let new_e = get_e new_e in
	  let new_e = simplify_expr new_e in
	  let new_s1 = get_s new_s1 in
	  begin try
	    let lhs_expr,rhs_expr = match new_e.nexpr_node with 
	      | NEassign (lhs_expr,rhs_expr) -> lhs_expr,rhs_expr
	      | _ -> raise Bad_encoding in
	    let new_var = match lhs_expr.nexpr_node with
	      | NEvar (Var_info new_var) -> new_var
	      | _ -> raise Bad_encoding
	    in
	    if ILVar.equal var new_var then
	      (* not an offset assignment *)
	      let new_cinit = decode_decl_list rhs_expr in
	      NSdecl (typ,var,Some new_cinit,new_s1)
	    else if var_is_pointer new_var then
	      (* neither the original variable nor an offset 
		 assignment. It must be of pointer type. *)
	      raise Bad_encoding
	    else
	      begin
		(* offset assignment.
		   Can only occur for [Iexpr] initializer, because 
		   [Ilist] initializer is encoded into a call, which
		   can only lead to a complex pointer kind for [var].
		   The variable [var] is not used anymore in the new
		   program. We can safely eliminate it. *)
		match cinit with
		  | Iexpr _e ->
		      (* keep the offset initialization *)
		      let new_typ = new_var.var_type in
		      let new_cinit = decode_decl_list rhs_expr in
		      let offset_stat = 
			NSdecl (new_typ,new_var,Some new_cinit,new_s1) in
		      let offset_stat = { s with nst_node = offset_stat } in
		      (* always keep the pointer declaration *)
		      NSdecl (typ,var,None,offset_stat)
		  | _ -> assert false
	      end
	  with Bad_encoding ->
	    (* exception [Bad_encoding] was raised if the encoded
	       assignment was neither maintained nor transformed 
	       into an offset assignment. This can happen if
	       the assignment was detected as useless, and therefore
	       only the right-hand side was returned. Keep it. *)
	    let new_s = statement_expr_or_nop new_e in
	    match new_s with
	      | NSnop ->
		  (* always keep the pointer declaration *)
		  NSdecl (typ,var,None,new_s1)
	      | _ ->
		  let new_stat = { s with nst_node = new_s } in
		  let block_stat = NSblock [new_stat;new_s1] in
		  let block_stat = { s with nst_node = block_stat }
		  in
		  (* always keep the pointer declaration *)
		  NSdecl (typ,var,None,block_stat)
	  end
      | NSswitch (_e,c,cases) -> 
	  let new_e = List.hd sub_nodes in
	  let new_cases = List.tl sub_nodes in
	  let new_e = get_e new_e in
	  let new_e = simplify_expr new_e in
	  (* remove [Nfwd] node introduced for each [case] *)
	  let new_cases = 
	    List.map (fun n -> code_children n) new_cases in
	  let new_cases = List.map (List.map get_s) new_cases in
	  let new_cases = 
	    List.map2 (fun (cmap,_) sl -> (cmap,sl)) cases new_cases in
	  NSswitch (new_e,c,new_cases)
      | NSnop | NSlogic_label _ | NSassert _ | NSassume _ | NSreturn None 
      | NSbreak | NScontinue | NSgoto _ | NSlabel _ | NSspec _
      | NSdecl (_,_,None,_) ->
	  raise Use_inherited
    in
    let new_s = { s with nst_node = new_s } in
    create_tmp_node (Nstat new_s)
    with Use_inherited ->
      CFGLangFromNormalized.change_sub_components_in_stat node sub_nodes

  let change_sub_components_in_expr node sub_nodes =
    let e = get_e node in
    try let new_e = match e.nexpr_node with
      | NEbinary (_e1,op,_e2) ->
	  assert (List.length sub_nodes = 2);
	  let new_e1,new_e2 = list2 sub_nodes in
	  let new_e1,new_e2 = get_e new_e1,get_e new_e2 in
	  begin match op with
	    | Bsub_pointer | Blt_pointer | Bgt_pointer | Ble_pointer 
	    | Bge_pointer | Beq_pointer | Bneq_pointer ->
		(* binary operation on pointers. If both arguments are
		   indices/offsets from the same pointer, translate
		   the pointer operation into an equivalent integer 
		   operation. *)
		let rec destr_ptr_off e = match e.nexpr_node with
		  | NEvar (Var_info v) -> Some (v,None)
		  | NEcast (_,e3) ->
		      (* deals with array address used as pointer *)
		      begin match e3.nexpr_node with
			| NEvar (Var_info v) -> Some (v,None)
			| _ -> None
		      end
		  | NEbinary(e1,Badd_pointer_int,e2) ->
		      (* recursive call *)
		      begin match destr_ptr_off e1 with
			| Some (v,None) ->
			    Some (v,Some e2)
			| Some (v,Some e3) ->
			    let e2 = create_tmp_node (Nexpr e2) in
			    let e3 = create_tmp_node (Nexpr e3) in
			    let e4 = make_int_termexpr_add_termexpr e2 e3
			    in
			    Some (v,Some (get_e e4))
			| None -> None
		      end
		  | _ -> None
		in
		let pointer_op_to_int_op op = match op with
		  | Bsub_pointer -> Bsub_int int_offset_kind
		  | Blt_pointer -> Blt_int
		  | Bgt_pointer -> Bgt_int
		  | Ble_pointer -> Ble_int
		  | Bge_pointer -> Bge_int
		  | Beq_pointer -> Beq_int
		  | Bneq_pointer -> Bneq_int
		  | _ -> assert false
		in
		begin match destr_ptr_off new_e1,destr_ptr_off new_e2 with
		  | Some (v1,e3),Some (v2,e4) ->
		      if ILVar.equal v1 v2 then 
			let op = pointer_op_to_int_op op in
			match e3,e4 with
			  | None,None -> 
			      let e3 = 
				NEconstant (IntConstant (string_of_int 0)) in
			      let e3 = { new_e1 with nexpr_node = e3;
					   nexpr_type = int_offset_type } in
			      let e4 = 
				NEconstant (IntConstant (string_of_int 0)) in
			      let e4 = { new_e2 with nexpr_node = e4;
					   nexpr_type = int_offset_type } in
			      NEbinary (e3,op,e4)
			  | None,Some e4 ->
			      let e3 = 
				NEconstant (IntConstant (string_of_int 0)) in
			      let e3 = { new_e1 with nexpr_node = e3;
					   nexpr_type = int_offset_type } in
			      NEbinary (e3,op,e4)
			  | Some e3,None ->
			      let e4 = 
				NEconstant (IntConstant (string_of_int 0)) in
			      let e4 = { new_e2 with nexpr_node = e4;
					   nexpr_type = int_offset_type } in
			      NEbinary (e3,op,e4)
			  | Some e3,Some e4 ->
			      NEbinary (e3,op,e4)
		      else NEbinary (new_e1,op,new_e2)
		  | _ -> NEbinary (new_e1,op,new_e2)
		end
	    | _ -> NEbinary (new_e1,op,new_e2)
	  end
      | NEnop | NEconstant _ | NEstring_literal _ | NEvar _ | NEarrow _ 
      | NEunary _ | NEincr _ | NEcast _ | NEmalloc _ | NEseq _ | NEassign _
      | NEassign_op _ | NEcall _ | NEcond _ ->
	  raise Use_inherited
    in		
    let new_e = { e with nexpr_node = new_e } in
    create_tmp_node (Nexpr new_e)
    with Use_inherited ->
      CFGLangFromNormalized.change_sub_components_in_expr node sub_nodes

  (* recognize offset from pointer *)
  let rec term_destr_ptr_off t = match t.nterm_node with
    | NTvar v -> Some (v,None)
    | NTcast (_,t3) -> (* deals with array address used as pointer *)
	begin match t3.nterm_node with
	  | NTvar v -> Some (v,None)
	  | _ -> None
	end
    | NTbinop(t1,Clogic.Badd,t2) ->
	(* recursive call *)
	begin match term_destr_ptr_off t1 with
	  | Some (v,None) ->
	      Some (v,Some t2)
	  | Some (v,Some t3) ->
	      let t2 = create_tmp_node (Nterm t2) in
	      let t3 = create_tmp_node (Nterm t3) in
	      let t4 = make_int_termexpr_add_termexpr t2 t3
	      in
	      Some (v,Some (get_t t4))
	  | None -> None
	end
    | _ -> None

  let change_sub_components_in_term node sub_nodes =
    let t = get_t node in
    try let new_t = match t.nterm_node with
      | NTbinop (_t1,op,_t2) ->
	  assert (List.length sub_nodes = 2);
	  let new_t1,new_t2 = list2 sub_nodes in
	  let new_t1,new_t2 = get_t new_t1,get_t new_t2 in
	  begin match op with
	    | Clogic.Bsub ->
		(* could be a binary operation on pointers. 
		   If both arguments are indices/offsets from the same pointer,
		   translate the pointer operation into an equivalent integer 
		   operation. *)
		begin match term_destr_ptr_off new_t1,
		  term_destr_ptr_off new_t2 with
		    | Some (v1,t3),Some (v2,t4) ->
			if ILVar.equal v1 v2 then 
			  match t3,t4 with
			    | None,None -> 
				NTconstant (IntConstant (string_of_int 0))
			    | Some t,None ->
				t.nterm_node
			    | None,Some t ->
				NTunop (Clogic.Uminus,t)
			    | Some t3,Some t4 ->
				NTbinop (t3,op,t4)
			else NTbinop (new_t1,op,new_t2)
		    | _ -> NTbinop (new_t1,op,new_t2)
		end
	    | _ -> NTbinop (new_t1,op,new_t2)
	  end
      | NTrange (_t1,_t2opt,_t3opt,zone,info) ->
	  assert (List.length sub_nodes = 3);
	  let new_t1,new_t2,new_t3 = list3 sub_nodes in
	  let new_t1 = get_t new_t1 in
	  let new_t2 = match logic_children new_t2 with
	    | [new_t2] -> Some (get_t new_t2)
	    | [] -> None
	    | _ -> assert false (* bad encoding *)
	  in
	  let new_t3 = match logic_children new_t3 with
	    | [new_t3] -> Some (get_t new_t3)
	    | [] -> None
	    | _ -> assert false (* bad encoding *)
	  in
	  (* [new_t1] could be an offset from some pointer *)
	  begin match term_destr_ptr_off new_t1 with
	    | Some (v,Some t4) ->
		let new_t2 = match new_t2 with
		  | Some new_t2 -> 
		      let t2 = create_tmp_node (Nterm new_t2) in
		      let t4 = create_tmp_node (Nterm t4) in
		      Some (get_t (make_int_termexpr_add_termexpr t2 t4))
		  | None -> None
		in
		let new_t3 = match new_t3 with
		  | Some new_t3 -> 
		      let t3 = create_tmp_node (Nterm new_t3) in
		      let t4 = create_tmp_node (Nterm t4) in
		      Some (get_t (make_int_termexpr_add_termexpr t3 t4))
		  | None -> None
		in
		let new_t1 = { new_t1 with nterm_node = NTvar v } in
		NTrange (new_t1,new_t2,new_t3,zone,info)
	    | _ ->
		NTrange (new_t1,new_t2,new_t3,zone,info)
	  end
      | NTconstant _ | NTstring_literal _
      | NTvar _ | NTapp _ | NTunop _ | NTarrow _ | NTold _
      | NTat _ | NTbase_addr _ | NToffset _ | NTblock_length _ | NTarrlen _
      | NTstrlen _ | NTcast _ | NTif _ | NTmin _ | NTmax _ 
      | NTminint _ | NTmaxint _
	  -> raise Use_inherited
    in		
    let new_t = { t with nterm_node = new_t } in
    create_tmp_node (Nterm new_t)
    with Use_inherited ->
      CFGLangFromNormalized.change_sub_components_in_term node sub_nodes

  let change_sub_components_in_pred node sub_nodes =
    let p = get_p node in
    try let new_p = match p.npred_node with
      | NPrel (_t1,rel,_t2) ->
	  assert (List.length sub_nodes = 2);
	  let new_t1,new_t2 = list2 sub_nodes in
	  let new_t1,new_t2 = get_t new_t1,get_t new_t2 in
	  (* could be a binary operation on pointers. 
	     If both arguments are indices/offsets from the same pointer,
	     translate the pointer operation into an equivalent integer 
	     operation. *)
	  begin match term_destr_ptr_off new_t1,term_destr_ptr_off new_t2 with
	    | Some (v1,t3),Some (v2,t4) ->
		if ILVar.equal v1 v2 then 
		  match t3,t4 with
		    | None,None -> 
			begin match rel with
			  | Le | Ge | Eq -> NPtrue
			  | Lt | Gt | Neq -> NPfalse
			end
		    | None,Some t4 ->
			let t3 = NTconstant (IntConstant (string_of_int 0)) in
			let t3 = { new_t1 with nterm_node = t3;
				     nterm_type = t4.nterm_type } in
			NPrel (t3,rel,t4)
		    | Some t3,None ->
			let t4 = NTconstant (IntConstant (string_of_int 0)) in
			let t4 = { new_t2 with nterm_node = t4;
				     nterm_type = t3.nterm_type } in
			NPrel (t3,rel,t4)
		    | Some t3,Some t4 ->
			NPrel (t3,rel,t4)
		else NPrel (new_t1,rel,new_t2)
	    | _ -> NPrel (new_t1,rel,new_t2)
	  end
      | NPfalse | NPtrue | NPapp _ | NPvalid_index _ | NPand _ | NPor _
      | NPimplies _ | NPiff _ | NPnot _ | NPforall _ | NPexists _ | NPold _
      | NPat _ | NPnamed _ | NPif _ | NPvalid _ | NPfresh _ 
      | NPvalid_range _ | NPseparated _ | NPfull_separated _ 
      | NPbound_separated _ ->
	  raise Use_inherited
    in		
    let new_p = { p with npred_node = new_p } in
    create_tmp_node (Npred new_p)
    with Use_inherited ->
      CFGLangFromNormalized.change_sub_components_in_pred node sub_nodes

  let change_sub_components node sub_nodes =
    match get_node_kind node with
      | NKstat ->
	  change_sub_components_in_stat node sub_nodes
	    
      | NKexpr | NKtest | NKlvalue ->
	  change_sub_components_in_expr node sub_nodes

      | NKterm ->
	  change_sub_components_in_term node sub_nodes
	    
      | NKpred | NKassume | NKassert -> 
	  change_sub_components_in_pred node sub_nodes
	    
      | NKnone | NKdecl | NKannot | NKspec ->
	  CFGLangFromNormalized.change_sub_components node sub_nodes

  let introduce_new_vars node var_list zero_init =
    let d = get_decl node in
    let new_d = match d.s with
      | Some s ->
	  let new_s = 
	    List.fold_left 
	      (fun next_s var -> 
		 let init = 
		   if zero_init then
		     let zero_cst = 
		       NEconstant (IntConstant (string_of_int 0)) in
		     let zero_expr = { nexpr_node = zero_cst; 
				       nexpr_type = int_offset_type;
				       nexpr_loc = Loc.dummy_position }
		     in
		     Some (Iexpr zero_expr)
		   else None
		 in
		 let decl_stat = 
		   NSdecl (var.var_type,var,init,next_s) in
		 { next_s with nst_node = decl_stat }
	      ) s var_list
	  in
	  { d with s = Some new_s }
      | None -> 
	  begin match var_list with
	    | [] -> d
	    | _ -> failwith ("[introduce_new_vars] should be called with"
			     ^ " empty [var_list] in this case")
	  end
    in
    create_tmp_node (Ndecl new_d)

end

module ConnectCFGtoPtr : sig
  include CONNECTION with type node_t = PtrLangFromNormalized.Node.t 
                and type 'a node_hash_t = 'a PtrLangFromNormalized.NodeHash.t 
		and type absval_t = PointWisePtrLattice.t
		and type transform_t = ILVar.t ILVarMap.t

    (* type of a map from variables to their offset variable *)
  type map_t = ILVar.t ILVarMap.t

    (* takes the result of the abstract interpretation.
       returns a formatted analysis easily exploited by [transform].
       The map returned is the map of all offset variables. *)
  val format : absint_analysis_t -> absint_analysis_t * map_t
    (* cleanup variable declarations and declare offset variables *)
  val cleanup : ILVarSet.t -> ILVarSet.t -> map_t -> node_t list -> node_t list
end = struct

  open PtrLangFromNormalized

  type node_t = Node.t
  type 'a node_hash_t = 'a NodeHash.t
  type absval_t = PointWisePtrLattice.t
  type 'a analysis_t = 'a pair_t node_hash_t
  type absint_analysis_t = absval_t analysis_t
  type map_t = ILVar.t ILVarMap.t
  type transform_t = map_t

  (* type used in [transfer] to compute the representant of a pointer *)
  type transfer_rep_t = 
      {
	orig_lhs_var : ILVar.t;
	orig_rhs_var : ILVar.t;
	is_index : bool;
	sum_index : int;
	is_offset : bool
      }

  (* no need for widening here as we are operating on a finite lattice *)
  let widening_threshold = None
  let widening_strategy = WidenFast (* any value would fit *)

  (* exception used in [representative] to end the search *)
  exception End_representative of int

  (* transfer function.
     Only interesting case is the assignment to a pointer variable,
     in which case we discriminate on the form of the right-hand side.
  *)
  let transfer ?(backward=false) ?(with_assert=false) ?(one_pass=false) 
      ?previous_value node cur_val =

    assert (backward=false); (* to prevent unused warning *)
    assert (with_assert=false); (* to prevent unused warning *)
    assert (one_pass=false); (* to prevent unused warning *)
    assert (previous_value=None); (* to prevent unused warning *)

    if debug_more then Coptions.lprintf 
      "[transfer] %a@." Node.pretty node;

    (* returns the representative integer/pointer kind for offset/index
       on [var], as described by [rep], with the invariant that [cur_val] 
       does not contain a loop between variables, except possible self-loops.
       [rep] is an accumulator that tells if on the current path of 
       representative integers/pointers, we found index or offset pointer
       kinds. [rep.orig_lhs_var] is the original variable for which we compute 
       a representant.
    *)
    let rec representative rep cur_val var =
      try
	let pval = PointWisePtrLattice.find var cur_val in
	(* [var] has itself a representant *)
	if PtrLattice.is_index pval then
	  let new_var,index = PtrLattice.get_index pval in
	  if ILVar.equal var new_var then
	    (* [var] is a self-index *)
	    raise (End_representative index)
	  else
	    let new_rep = { rep with is_index = true; 
			      sum_index = rep.sum_index + index } in
	    representative new_rep cur_val new_var
	else if PtrLattice.is_offset pval then
	  let new_var,_ = PtrLattice.get_offset_opt pval in
	  if ILVar.equal var new_var && rep.is_offset then
	    (* [var] is a self-offset *)
	    raise (End_representative 0)
	  else
	    let new_rep = { rep with is_offset = true } in
	    representative new_rep cur_val new_var
	else 
	  (* [var] has no representant *)
	  raise (End_representative 0)
      with End_representative last_index ->
	if rep.is_offset then
	  begin
	    if debug_more then Coptions.lprintf 
	      "[transfer] %a is represented by an offset of %a@."
	      ILVar.pretty rep.orig_lhs_var ILVar.pretty var;
	    PtrLattice.make_offset var None
	  end
	else if rep.is_index then
	  begin
	    (* In an assignment
	           q = p;
	       if [p] is a self-index, then count this self-index for [q].
	       But if [p] is an index on [r], which is itself a self-index, 
	       then only count [p]'s index for [q]. *)
	    let idx = 
	      if ILVar.equal rep.orig_rhs_var var then
		rep.sum_index + last_index
	      else
		rep.sum_index 
	    in
	    if debug_more then Coptions.lprintf 
	      "[transfer] %a is represented by an index of %i from %a@."
	      ILVar.pretty rep.orig_lhs_var idx ILVar.pretty var;
	    PtrLattice.make_index var idx
	  end
	else assert false
    in
    match get_node_kind node with
      | NKnone | NKstat | NKassume | NKassert -> cur_val

      | NKdecl ->
	  (* initially define an abstract value for parameters *)
	  let param_list = decl_get_params node in
	  List.fold_left 
	    (fun pw param ->
	       let init_val = PtrLattice.make_defined param None in
	       PointWisePtrLattice.replace param init_val pw
	    ) cur_val param_list

      | NKexpr | NKtest | NKlvalue ->
	  if expr_is_ptr_assign node || expr_is_int_assign node then
	    match assign_get_local_lhs_var node with
	      | None -> cur_val
	      | Some lhs_var ->
		  begin
		    (* compute new value for [lhs_var] *)
		    let rhs_val =
		      match assign_get_rhs_var node with
			| None,None -> 
			    if expr_is_int_assign node then
			      let rhs_node = 
				skip_casts (assign_get_rhs_operand node) 
			      in
			      if expr_is_int_constant rhs_node then
				(* avoid creating a self-offset variable for
				   an integer variable that is initialized
				   with some integer constant *)
				PtrLattice.top ()
			      else 
				PtrLattice.make_defined lhs_var None
			    else
			      PtrLattice.make_defined lhs_var None
			| Some rhs_var,None -> 
			    let rep = { orig_lhs_var = lhs_var; 
					orig_rhs_var = rhs_var; 
					is_index = false; 
					sum_index = 0; is_offset = true } in
			    representative rep cur_val rhs_var
			| Some rhs_var,Some index ->
			    let rep = { orig_lhs_var = lhs_var; 
					orig_rhs_var = rhs_var; 
					is_index = true;
					sum_index = index; is_offset = false }
			    in
			    representative rep cur_val rhs_var
			| _ -> assert false
		    in
		    let representative_or_var var rep_val = 
		      if PtrLattice.has_variable rep_val then
			PtrLattice.get_variable rep_val 
		      else var
		    in
		    let remove_ref_to_var rem_var var abs_val =
		      let rep_var = representative_or_var var abs_val in
		      if ILVar.equal rem_var rep_var then
			PtrLattice.top ()
		      else
			abs_val
		    in
		    (* remove information on variables previously represented
		       by [lhs_var] if this last variable representant 
		       changes *)
		    let old_val = PointWisePtrLattice.find lhs_var cur_val in
		    let old_rep_var = representative_or_var lhs_var old_val in
		    let new_rep_var = representative_or_var lhs_var rhs_val in
		    let cur_val =
		      if ILVar.equal old_rep_var new_rep_var
			&& not (PtrLattice.is_defined rhs_val) then
			cur_val
		      else
			PointWisePtrLattice.mapi 
			  (remove_ref_to_var lhs_var) cur_val
		    in
		    PointWisePtrLattice.replace lhs_var rhs_val cur_val
		  end
	  else cur_val
	    
      | NKspec | NKannot | NKterm | NKpred -> cur_val

  (* format function.
     Only the post-part of the analysis is relevant here.
     - If a variable is always referenced as an (un)defined or an index 
     pointer, leave it as such.
     - If a variable is always references as an (un)defined, index or offset
     pointer, make it always an offset pointer, with a fixed offset variable.
     - If a variable is sometimes references as a complex pointer, make it
     a complex pointer everywhere.

     Self-index/offset pointers are those that only reference themselves.

     This allows to exploit the pointer kind information locally to transform 
     the program.
  *)
  let format analysis =

    (* sets of variables of interest *)
    let index_vars = ref VarSet.empty in
    let self_index_vars = ref VarSet.empty in
    let offset_vars = ref VarSet.empty in
    let self_offset_vars = ref VarSet.empty in
    let defined_vars = ref VarSet.empty in
    let complex_vars = ref VarSet.empty in

    (* correspondance between representative variable and the variables 
       it represents at some point *)
    let rep_to_based = Hashtbl.create 0 in

    (* basic operations on sets of variables *)
    let add_to_set var set =
      set := VarSet.add var (!set) in
    let print_set set msg =
      Coptions.lprintf 
	"[format] detected %i %s integer/pointer(s)@."
	(VarSet.cardinal set) msg;
      if not (VarSet.is_empty set) then 
	Coptions.lprintf "[format] %a@." 
	  (fun _fmt -> (VarSet.iter (Coptions.lprintf "%a " ILVar.pretty))) set
    in
    let add_to_table rep_var var =
      let var_set =
	try 
	  VarSet.add var (Hashtbl.find rep_to_based rep_var)
	with Not_found ->
	  VarSet.add var VarSet.empty 
      in
      Hashtbl.replace rep_to_based rep_var var_set
    in

    (* only keep variables where read/written *)
    let analysis = 
      NodeHash.fold_post
	(fun node pwval new_analysis ->
	   match get_node_kind node with
	     | NKexpr | NKtest | NKlvalue | NKterm -> 
		 let new_pwval =
		   if termexpr_is_local_var node then
		     let var = termexpr_var_get node in
		     let pval = PointWisePtrLattice.find var pwval in 
		     PointWisePtrLattice.singleton var pval
		   else if (expr_is_ptr_assign node 
			    || expr_is_int_assign node) then
		     match assign_get_local_lhs_var node with
		       | None -> PointWisePtrLattice.bottom ()
		       | Some lhs_var ->
			   let pval = PointWisePtrLattice.find lhs_var pwval in
			   PointWisePtrLattice.singleton lhs_var pval
		   else PointWisePtrLattice.bottom ()
		 in
		 (* also store abstract value for rhs variable in assignment *)
		 let new_pwval =
		   match get_node_kind node with
		     | NKexpr | NKtest | NKlvalue ->
			 if expr_is_assign node then
			   match assign_get_rhs_var node with
			     | Some rhs_var,_ -> 
				 let pval = 
				   PointWisePtrLattice.find rhs_var pwval in 
				 PointWisePtrLattice.replace 
				   rhs_var pval new_pwval
			     | _ -> new_pwval
			 else new_pwval
		     | _ -> new_pwval
		 in
		 NodeHash.replace_post new_analysis node new_pwval;
		 new_analysis
	     | NKstat | NKpred | NKassume | NKassert
	     | NKnone | NKdecl | NKannot | NKspec ->
		 if is_logic_scope node then
		   NodeHash.replace_post new_analysis node pwval
		 else 
                   (* do not include abstract values for these constructs *)
		   (); 
		 new_analysis
	) analysis (NodeHash.create 0)
    in

    (* collect variables in the sets they match *)
    NodeHash.iter_post
	(fun _ pwval ->
	   PointWisePtrLattice.iter
	     (fun var pval ->
		(* if [pval] uses a representative variable, 
		   store this correspondance *)
		if PtrLattice.has_variable pval then
		  begin
		    let rep_var = PtrLattice.get_variable pval in
		    add_to_table rep_var var
		  end;
		(* dispatch [var] in sets according to [pval] *)
		if PtrLattice.is_index pval then
		  if PtrLattice.is_self_index var pval then
		    add_to_set var self_index_vars
		  else
		    add_to_set var index_vars
		else if PtrLattice.is_offset pval then
		  if PtrLattice.is_self_offset var pval then
		    add_to_set var self_offset_vars
		  else
		    add_to_set var offset_vars
		else if PtrLattice.is_defined pval then
		  add_to_set var defined_vars
		else if PtrLattice.is_top pval then
		  add_to_set var complex_vars
		else (* undefined integer/pointer value *)
		  ()
	     ) pwval
	) analysis;

    (* remove references *)
    let index_vars = !index_vars in
    let self_index_vars = !self_index_vars in
    let offset_vars = !offset_vars in
    let self_offset_vars = !self_offset_vars in
    let defined_vars = !defined_vars in
    let complex_vars = !complex_vars in
    if debug_more then print_set index_vars "basic index";
    if debug_more then print_set self_index_vars "basic self-index";
    if debug_more then print_set offset_vars "basic offset";
    if debug_more then print_set self_offset_vars "basic self-offset";
    if debug_more then print_set defined_vars "basic defined";
    if debug_more then print_set complex_vars "basic complex";

    (* all variables represented by a complex one are complex *)
    let rec close_set corresp set =
      let new_set =
	VarSet.fold (fun v vs -> 
		       try
			 let ns = Hashtbl.find corresp v in
			 VarSet.fold VarSet.add ns vs
		       with Not_found -> vs
		    ) set set
      in
      if VarSet.equal new_set set then
	set
      else
	close_set corresp new_set
    in
    let complex_vars = close_set rep_to_based complex_vars in

    (* compute cross-referencing integers/pointers *)
    let cross_vars = VarSet.union offset_vars index_vars in
    (* cross-referencing integers/pointers (index/offset) cannot be self-one *)
    let cross_rest = VarSet.inter self_offset_vars cross_vars in
    let self_offset_vars = VarSet.diff self_offset_vars cross_rest in
    let offset_vars = VarSet.union offset_vars cross_rest in
    (* offset integers/pointers must never be complex *)
    let offset_vars = VarSet.diff offset_vars complex_vars in
    if debug_more then print_set offset_vars "offset"; 
    (* self-offset integers/pointers must never be complex *)
    let self_offset_vars = VarSet.diff self_offset_vars complex_vars in
    if debug_more then print_set self_offset_vars "self-offset";
    (* compute sum of offset and self-offset integers/pointers *)
    let all_offset_vars = VarSet.union offset_vars self_offset_vars in

    (* index integers/pointers must never be offset *)
    let index_vars = VarSet.diff index_vars all_offset_vars in
    (* self-index integers/pointers must never be offset *)
    let self_index_vars = VarSet.diff self_index_vars all_offset_vars in
    (* index integers/pointers must never be complex *)
    let index_vars = VarSet.diff index_vars complex_vars in
    if debug_more then print_set index_vars "index";
    (* self_index integers/pointers must never be complex *)
    let self_index_vars = VarSet.diff self_index_vars complex_vars in
    if debug_more then print_set self_index_vars "self-index";

    (* defined integers/pointers must never be complex *)
    let defined_vars = VarSet.diff defined_vars complex_vars in

    (* associate a unique offset variable to every offset integer/pointer *)
    let offset_map =
      VarSet.fold (fun var m ->
		     let offset_var = 
		       Info.default_var_info (var.var_unique_name ^ "_offset")
		     in
		     Info.set_assigned offset_var;
		     Cenv.set_var_type 
		       (Var_info offset_var) int_offset_type false;
		     ILVarMap.add var offset_var m
		  ) offset_vars ILVarMap.empty 
    in
    let offset_map =
      VarSet.fold (fun var m ->
		     let offset_var = 
		       Info.default_var_info 
			 (var.var_unique_name ^ "_self_offset") in
		     Info.set_assigned offset_var;
		     Cenv.set_var_type 
		       (Var_info offset_var) int_offset_type false;
		     ILVarMap.add var offset_var m
		  ) self_offset_vars offset_map
    in

    (* compute the formatted analysis from the information just gathered *)
    let formatted_analysis = 
      NodeHash.fold_post
	(fun node pwval new_analysis ->
	   let new_pwval =
	     PointWisePtrLattice.mapi
	       (fun var pval ->
		  if VarSet.mem var index_vars then
		    (* pval = undefined/self-index/index/defined *)
		    pval 
		  else if VarSet.mem var self_index_vars then
		    (* pval = undefined/self-index/defined *)
		    pval
		  else if VarSet.mem var offset_vars then
		    (* pval = all except complex *)
		    if PtrLattice.is_defined pval then
		      (* explicit the offset variable for initialization *)
		      let offset_var = ILVarMap.find var offset_map in
		      PtrLattice.make_defined var (Some offset_var)
		    else if PtrLattice.is_index pval 
		      || PtrLattice.is_offset pval then
			(* explicit the offset variable *)
			let avar = PtrLattice.get_variable pval in
			let offset_var = ILVarMap.find var offset_map in
			PtrLattice.make_offset avar (Some offset_var)
		    else (* undefined *)
		      pval
		  else if VarSet.mem var self_offset_vars then
		    (* pval = undefined/self-index/self-offset/defined *)
		    if PtrLattice.is_defined pval then
		      (* explicit the offset variable for initialization *)
		      let offset_var = ILVarMap.find var offset_map in
		      PtrLattice.make_defined var (Some offset_var)
		    else if PtrLattice.is_index pval 
		      || PtrLattice.is_offset pval then
			(* explicit the offset variable *)
			let avar = PtrLattice.get_variable pval in
			assert (ILVar.equal avar var);
			let offset_var = ILVarMap.find var offset_map in
			PtrLattice.make_offset var (Some offset_var)
		    else (* undefined *)
		      pval
		  else if VarSet.mem var defined_vars then
		    (* pval = all except complex *)
		    PtrLattice.make_defined var None
		  else if VarSet.mem var complex_vars then
		    (* pval = any one is possible
		       Destroy any information associated to [var]. *)
		    PtrLattice.top ()
		  else
		    (* pval = undefined *)
		    pval
	       ) pwval
	   in
	   NodeHash.replace_post new_analysis node new_pwval;
	   new_analysis
	) analysis (NodeHash.create 0)
    in
    formatted_analysis,offset_map

  (* exception used to share the default treatment in [sub_transform] *)
  exception Rec_transform

  (* type used to propagate information in [sub_transform] and
     its sub-functions *)
  type inter_transform_t =
      {
        offset_nodes : NodeSet.t ref;
	offset_vars : VarSet.t ref;
	offset_map : ILVar.t ILVarMap.t;
	label_corresp : Node.t StringMap.t;
	block_begin : Node.t;
	block_end : Node.t;
	has_old : bool;
	has_at : String.t option
      }

  (* types used to pass information from [sub_transform] to 
     its sub-functions *)
  type addon_t = 
      {
	is_replacement : bool;
	addon_node : Node.t
      }
  type local_nodes_t =
      {
	node : Node.t;
	sub_nodes : Node.t list;
	new_sub_nodes : (Node.t * addon_t option) list
      }

  (* transformation on an individual node.
     takes as input a node [node] in the graph(s) previously created.
     returns a pair consisting of:
     - a main part, i.e. a potentially new node that is not connected 
     to the graph(s), that corresponds to the transformed node.
     - an addon part, i.e. a potentially new node that corresponds to
     the resulting pointer.

     On an assignment 
          [p = q], 
     the main part could be e.g. 
          [p_offset = q_offset] 
     and the addon part could be 
          [r + p_offset].
     The statement 
          [p = q;] 
     would be transformed into 
          [p_offset = q_offset;]
     and the statement 
          [return (p = q);] 
     into the more complex:
          [return (p_offset = q_offset,r + p_offset);]

     The results of the data-flow analysis [analysis] contain only 
     the relevant information for code transformation. Other intermediate
     results of the analysis have been erased after the analysis phase.
     Only the post-part of the analysis is relevant here.
  *)

  (* 4 sub-functions that share code between cases below *)

  (* every offset variable that is used in the code must be stored in 
     the repository [offset_vars], to be declared later on by a call to
     [introduce_new_vars]. *)
  let store_offset_var params offset_var =
    params.offset_vars := VarSet.add offset_var (!(params.offset_vars))

  (* returns an integer/pointer read that corresponds to the abstract value
     [aval], with other elements taken in [node] 
  *)
  let make_integer_pointer_read params node pval =
    if PtrLattice.is_alias pval then
      (* rewrite alias of v as v *)
      let new_var = PtrLattice.get_alias pval in
      change_in_intptr_var node new_var
    else if PtrLattice.is_index pval then
      (* rewrite constant offset i of v as v+i *)
      let new_var,index = PtrLattice.get_index pval in
      change_in_intptr_var_add_cst node new_var index
    else if PtrLattice.is_offset pval then
      (* rewrite offset o of v as v+o *)
      let new_var,offset_var = PtrLattice.get_offset pval in
      store_offset_var params offset_var;
      change_in_intptr_var_add_var node new_var offset_var
    else if PtrLattice.is_defined pval then
      (* rewrite possible assignment to v as v *)
      let new_var,_ = PtrLattice.get_defined_opt pval in
      change_in_intptr_var node new_var
    else node

  (* returns an integer/pointer read that corresponds to the base 
     integer/pointer for the abstract value [aval], with other elements
     taken in [node] 
  *)
  let make_base_integer_pointer_read node pval =
    if PtrLattice.is_alias pval then
      (* rewrite alias of v as v *)
      let new_var = PtrLattice.get_alias pval in
      change_in_intptr_var node new_var
    else if PtrLattice.is_index pval then
      (* rewrite constant offset i of v as v *)
      let new_var,_ = PtrLattice.get_index pval in
      change_in_intptr_var node new_var
    else if PtrLattice.is_offset pval then
      (* rewrite offset o of v as v *)
      let new_var,_ = PtrLattice.get_offset pval in
      change_in_intptr_var node new_var
    else if PtrLattice.is_defined pval then
      (* rewrite possible assignment to v as v *)
      let new_var,_ = PtrLattice.get_defined_opt pval in
      change_in_intptr_var node new_var
    else node

  (* returns an offset assignment from the abstract value [rhs_val]
     to the variable [offset_lhs_var], with the possible addition
     of an expression [add_offset_opt]. Other elements are taken
     in [node]. 
  *)
  let make_offset_assign params 
      node offset_lhs_var rhs_val add_offset_opt is_incr_decr =
    if PtrLattice.is_index rhs_val then
      begin
	(* it cannot be an increment/decrement *)
	assert (not is_incr_decr);
	(* [offset_lhs_var] is assigned a constant *)
	let (_,index) = PtrLattice.get_index rhs_val in
	match add_offset_opt with
	  | None -> 
	      change_in_int_var_assign_cst node offset_lhs_var index
	  | Some offset_expr ->
	      let add_expr = make_int_expr_add_cst offset_expr index
	      in
	      change_in_int_var_assign_expr node offset_lhs_var add_expr
      end
    else if PtrLattice.is_offset rhs_val then
      (* [offset_lhs_var] is assigned another offset *)
      let (_,offset_rhs_var) = 
	PtrLattice.get_offset rhs_val in
      store_offset_var params offset_rhs_var;
      match add_offset_opt with
	| None -> 
	    (* only possible case for an increment/decrement *)
	    if is_incr_decr then
	      change_in_int_incr_assign node offset_lhs_var
	    else
	      change_in_int_var_assign_var 
		node offset_lhs_var offset_rhs_var
	| Some offset_expr ->
	    begin
	      (* it cannot be an increment/decrement *)
	      assert (not is_incr_decr);
	      let add_expr = 
		make_int_expr_add_var offset_expr offset_rhs_var in
	      change_in_int_var_assign_expr node offset_lhs_var add_expr
	    end
    else
      begin
	(* it cannot be an increment/decrement *)
	assert (not is_incr_decr);
	match add_offset_opt with
	  | None -> (* [offset_lhs_var] is reset *)
	      change_in_int_var_assign_cst node offset_lhs_var 0
	  | Some offset_expr ->
	      change_in_int_var_assign_expr 
		node offset_lhs_var offset_expr
      end

  (* returns an integer/pointer assignment from [new_rhs_node] to [lhs_node],
     with [new_rhs_not_offset] telling if the new right-hand side
     is the translation for the original expression, or an offset expression.
     Other elements are taken in [node]. 
  *)
  let keep_integer_pointer_assignment params 
      node aval new_rhs_not_offset lhs_node new_rhs_node is_incr_decr =
    (* integer/pointer assignment must be kept.
       The only possible problem is that the right-hand side might be 
       an integer/pointer assignment too, that could have been transformed
       into an offset assignment. *)
    if new_rhs_not_offset then
      if is_incr_decr then
	(* nothing to change *)
	node
      else
	(* keep old lhs and new rhs *)
	change_sub_components node [lhs_node;new_rhs_node]
    else
      begin
	(* it cannot be an increment/decrement *)
	assert (not is_incr_decr);
	(* The rhs is now an offset assignment.
	   In all cases, the analysis must have computed 
	   an index or an offset for the right-hand side.
	   Create an equivalent sequence of assignments. *)
	let rhs_val =
	  match assign_get_rhs_var node with
	    | Some rhs_var,_ -> 
		PointWisePtrLattice.find rhs_var aval
	    | _ -> assert false
	in
	let ptr_node = make_integer_pointer_read params node rhs_val in
	let assign_node = 
	  change_sub_components node [lhs_node;ptr_node]
	in
	make_seq_expr new_rhs_node assign_node
      end

  (* part of the transformation that deals with expressions.
     Can raise exception Rec_transform for a common treatment with
     [sub_transform]. *)
  let sub_transform_on_expr analysis params local_nodes =
    let node = local_nodes.node in
    let sub_nodes = local_nodes.sub_nodes in
    let new_sub_nodes = local_nodes.new_sub_nodes in

    if debug_more then Coptions.lprintf
      "[sub_transform_on_expr] node %a@." Node.pretty node;

    (* transformation is possible only if analysis provides some information. 
       Otherwise raise Not_found. *)
    let aval = match NodeHash.find_post analysis node with
      | None -> raise Rec_transform
      | Some v -> v
    in

    (* beginning of transformation for expressions *)
    
    (* reading some integer/pointer variable.
       This is called also on integer/pointer write, but the result
       of this rewrite is ignored by the calling [sub_transform]
       on integer/pointer assignment. *)
    if termexpr_is_local_var node then
      let var = termexpr_var_get node in
      if var_is_pointer var || var_is_integer var then
	let pval = PointWisePtrLattice.find var aval in 
	(make_integer_pointer_read params node pval,
	 None) (* nothing to add to make it a pointer *)
      else
	raise Rec_transform

    (* writing some integer/pointer variable *)
    else if (expr_is_ptr_assign node || expr_is_int_assign node)
	     && (match assign_get_local_lhs_var node with
	           | None -> false | Some _ -> true)
    then
      (* 2 possibilities: it may be a real assignment or 
	 an increment/decrement operation *)
      let is_incr_decr = List.length sub_nodes = 1 in
      assert (List.length sub_nodes = List.length new_sub_nodes);
      let lhs_node,new_rhs_node =
	if is_incr_decr then
	  (* increment/decrement *)
	  list1 sub_nodes,list1 new_sub_nodes
	else
	  (* assignment *)
	  fst (list2 sub_nodes),snd (list2 new_sub_nodes)
      in
      (* separate main part from addon part *)
      let new_rhs_node,new_rhs_node_addon = new_rhs_node in
      let new_rhs_is_assign = expr_is_assign new_rhs_node in
      let new_rhs_not_offset =
	not (NodeSet.mem new_rhs_node !(params.offset_nodes))
      in
      match assign_get_local_lhs_var node with
	| None -> 
	    (keep_integer_pointer_assignment params node aval
	       new_rhs_not_offset lhs_node new_rhs_node is_incr_decr,
	     None) (* nothing to add to make it an integer/pointer *)
	      
	| Some lhs_var ->
	    let lhs_val = PointWisePtrLattice.find lhs_var aval in 

	    (* share addon part used in offset/defined cases *)
	    let wrap_addon offset_node = 
	      let addon_part = 
		if is_incr_decr then
		  (* [new_rhs_node] must be a variable here, 
		     in the offset/defined cases *)
		  (* the original treatment here was 
		         { is_replacement = false;
		           addon_node = 
		             change_in_intptr_incr node new_rhs_node true }
		     but this led to some problems with Simplify trying
		     to prove the subsequent goal.
		     Therefore it was change to the following, which gives
		     Simplify an easier goal.
		     e.g. the C code
		         *p++ = 0;
		     was changed to
		         *(p_offset++, q+p_offset-1) = 0;
		     and is now translated into
		         *(q+(p_offset++)) = 0;
		  *)
		  let base_node = make_base_integer_pointer_read node lhs_val 
		  in
		  { is_replacement = true;
		    addon_node = 
		    make_intptr_expr_add_expr base_node offset_node }
		else
		  { is_replacement = false;
		    addon_node = 
		    make_integer_pointer_read params node lhs_val }
	      in
	      (* store the information that this node is an offset node *)
	      params.offset_nodes := 
		NodeSet.add offset_node !(params.offset_nodes);
	      offset_node,Some addon_part in

	    if PtrLattice.is_index lhs_val then
	      (* assignment to [lhs_var] not useful, since reading
		 [lhs_var] will be replaced by reading its alias
		 or its constant offset from some variable.
		 Contains the test [PtrLattice.is_alias lhs_val]. *)
	      if is_incr_decr then
		(change_in_intptr_incr node new_rhs_node false,
		 None) (* nothing to add to make it a pointer *)
	      else
		(* just propagate the right-hand side *)
		(new_rhs_node,new_rhs_node_addon)

	    else if PtrLattice.is_offset lhs_val then
	      let (_new_lhs_var,offset_lhs_var) =
		PtrLattice.get_offset lhs_val in
	      store_offset_var params offset_lhs_var;
	      (* right-hand side can only be another variable or
		 another integer/pointer assignment.
		 In either case, the analysis must have computed 
		 an index or an offset for the right-hand side. *)
	      let rhs_val =
		match assign_get_rhs_var node with
		  | Some rhs_var,_ -> 
		      PointWisePtrLattice.find rhs_var aval
		  | _ -> assert false
	      in
	      (* The integer/pointer assignment must be changed into
		 an offset assignment. 4 cases are possible depending
		 on the new right-hand side computed :
		 - the rhs is still an integer/pointer assignment, e.g. in
		 p = q = malloc(...);
		 Create an equivalent sequence of assignments, e.g.:
		 q = malloc(...), p_offset = 0;
		 - the rhs is itself an offset assignment. Use it.
		 - the rhs is the sum of a integer/pointer variable 
		 and an integer expression. Ignore the integer/pointer 
		 and keep the expression.
		 - the rhs is another integer/pointer expression. Ignore it. *)
	      if new_rhs_is_assign then
		begin
		  (* it cannot be an increment/decrement *)
		  assert (not is_incr_decr);
		  if new_rhs_not_offset then	
		    (* The rhs is still an integer/pointer assignment.
		       Create an equivalent sequence of assignments. *)
		    let offset_node = 
		      make_offset_assign params 
			node offset_lhs_var rhs_val None false
		    in
		    wrap_addon (make_seq_expr new_rhs_node offset_node)
		  else
		    (* The rhs is itself an offset assignment. Use it. *)
		    wrap_addon (change_in_int_var_assign_expr 
				  node offset_lhs_var new_rhs_node)
		end
	      else
		(* The rhs can be:
		   - the sum of an integer/pointer variable 
		   and an integer expression
		   - or any other integer/pointer expression.
		   The former case can be the original source code or 
		   due to the transformation of an offset pointer 
		   or an index pointer.
		*)
		if is_incr_decr then
		  (* do not compute [off_opt] here, it would be equal
		     to the offset variable, because the rhs has been
		     translated to the sum var + offset_var *)
		  wrap_addon (make_offset_assign params 
				node offset_lhs_var rhs_val None true)
		else
		  let var_opt,off_opt = 
		    get_intptr_add_on_var_opt new_rhs_node in
		  let off_opt = match off_opt with
		    | None -> None
		    | Some off_node ->
			if expr_is_local_var off_node then
			  (* rule out transformation of offset *)
			  let off_var = termexpr_var_get off_node in
			  if VarSet.mem off_var (!(params.offset_vars)) then
			    (* here, offset is only the transformation
			       on the sub-node. Same as the increment/
			       decrement case. Ignore it. *)
			    None
			  else off_opt
			else 
			  match var_opt with
			    | Some var ->
				(* rule out transformation of index *)
				let var_val = PointWisePtrLattice.find 
				  var aval in 
				if PtrLattice.is_index var_val
				  && not (PtrLattice.is_alias var_val)
				then None
				else off_opt
			    | None -> off_opt
		  in    
		  wrap_addon 
		    (make_offset_assign params 
		       node offset_lhs_var rhs_val off_opt false)

	    else if PtrLattice.is_defined lhs_val then
	      let assign_node = 
		keep_integer_pointer_assignment params node aval 
		  new_rhs_not_offset lhs_node new_rhs_node is_incr_decr
	      in
	      match PtrLattice.get_defined_opt lhs_val with
		| _,Some offset_var ->
		    store_offset_var params offset_var;
		    let reset_node = 
		      change_in_int_var_assign_cst node offset_var 0 in
		    (* sequence in this order due to possible effects
		       in [assign_node]. Use [wrap_addon] to return 
		       pointer. *) 
		    wrap_addon (make_seq_expr assign_node reset_node)
		| _,None -> (* like in the default assignment case *)
		    (assign_node,
		     None) (* nothing to add to make it a pointer *)

	    else (* default: not any of index/offset/defined pointer *)
	      (keep_integer_pointer_assignment params node aval 
		 new_rhs_not_offset lhs_node new_rhs_node is_incr_decr,
	       None) (* nothing to add to make it a pointer *)

    else raise Rec_transform

  let sub_transform_on_term analysis params local_nodes =
    let node = local_nodes.node in

    if termexpr_is_local_var node then
      let var = termexpr_var_get node in
      if var_is_pointer var || var_is_integer var then
	let pval = 
	  if params.has_old then
	    begin
	      assert (params.has_at = None);
	      if debug then Coptions.lprintf
		  "[sub_transform_on_term] has old@.";
	      let begin_val = 
		match NodeHash.find_post analysis params.block_begin with
		  | None -> PointWisePtrLattice.bottom ()
		  | Some v -> v
	      in
	      PointWisePtrLattice.find var begin_val
	    end
	  else match params.has_at with
	  | Some lab ->
	      begin
		assert (not params.has_old);
		if debug then Coptions.lprintf
		    "[sub_transform_on_term] has at@.";
		let at_node = StringMap.find lab params.label_corresp in
		let at_val = match NodeHash.find_post analysis at_node with
		  | None -> PointWisePtrLattice.bottom ()
		  | Some v -> v
		in
		PointWisePtrLattice.find var at_val
	      end
	  | None ->
	      let end_val = 
		match NodeHash.find_post analysis params.block_end with
		  | None -> PointWisePtrLattice.bottom ()
		  | Some v -> v
	      in
	      PointWisePtrLattice.find var end_val
	in
	let new_node = make_integer_pointer_read params node pval in
	if debug then Coptions.lprintf
	    "[sub_transform_on_term] term %a@.into %a@."
	    Node.pretty node Node.pretty new_node;
	(new_node,
	 None) (* addon part useless here *)
      else raise Rec_transform
    else raise Rec_transform

  let rec sub_transform analysis params node =

    let params = match get_node_kind node with
      | NKstat ->
	  if stat_is_assert node then
	    let beg_node = logic_begin node in
	    let end_node = logic_end node in
	    { params with block_begin = beg_node; block_end = end_node }
	  else if stat_is_label node then (* both kinds of labels ? *)
	    let lab = stat_get_label node in
	    { params with label_corresp = 
		StringMap.add lab node params.label_corresp }
	  else params 
      | NKpred | NKassume | NKassert | NKterm ->
	  if termpred_is_old node then
	    { params with has_old = true }
	  else if termpred_is_at node then
	    let lab = termpred_get_label node in
	    { params with has_at = Some lab }
	  else params
      | _ -> params
    in

    (* apply [sub_transform] recursively on sub-nodes *)
    let sub_nodes = (code_children node) @ (logic_children node) in
    let new_sub_nodes = match get_node_kind node with
      | NKannot ->
	  let beg_function = logic_begin node and beg_loop = logic_end node in
	  let inv_params = 
	    { params with block_begin = beg_function; block_end = beg_loop } in
	  let assinv_params = inv_params in
	  let ass_params = inv_params in
	  let var_params = inv_params in
	  let params = [inv_params; assinv_params; ass_params; var_params] in
	  List.map2 (sub_transform analysis) params sub_nodes
      | NKspec ->
	  let beg_block = logic_begin node and end_block = logic_end node in
	  let req_params = 
	    { params with block_begin = beg_block; block_end = beg_block } in
	  let ass_params = req_params in
	  let ens_params = 
	    { params with block_begin = beg_block; block_end = end_block } in
	  let dec_params = req_params in
	  let params = [req_params; ass_params; ens_params; dec_params] in
	  List.map2 (sub_transform analysis) params sub_nodes	  
      | _ ->
	  List.map (sub_transform analysis params) sub_nodes
    in
    let local_nodes =
      {
	node = node;
	sub_nodes = sub_nodes;
	new_sub_nodes = new_sub_nodes
      } 
    in

    (* treat declaration/statement/expression separately *)
    try match get_node_kind node with
      | NKnone | NKstat | NKpred 
      | NKassume | NKassert | NKannot | NKspec -> 
	  raise Rec_transform

      | NKdecl -> 
	  (* no type change needed here, keep only main part *)
	  let new_sub_nodes = List.map fst new_sub_nodes in
	  let new_node = change_sub_components node new_sub_nodes in
	  let param_list = decl_get_params node in
	  let param_offset_vars =
	    List.fold_left 
	      (fun set param ->
		 try 
		   let offset_var = ILVarMap.find param params.offset_map in
		   if VarSet.mem offset_var (!(params.offset_vars)) then
		     VarSet.add offset_var set
		   else set
		 with Not_found -> set
	      ) VarSet.empty param_list
	  in
	  (* only introduce offset variables for parameters here.
	     Other offset variables are already declared locally, or will
	     be declared in [cleanup]. *)
	  let new_node = introduce_new_vars new_node 
	    (VarSet.elements param_offset_vars) (* zero_init= *)true
	  in
	  (new_node,None) (* addon part has no meaning here *)

      | NKexpr | NKtest | NKlvalue ->
	  sub_transform_on_expr analysis params local_nodes

      | NKterm ->
	  sub_transform_on_term analysis params local_nodes
	  

    with Rec_transform -> 
      (* return same expression on new sub-nodes.
	 Only subtlety is to use the addon part of an expression sub-node when
	 the new sub-node is an offset node (which the original sub-node
	 obviously was not). *)
      let new_sub_nodes =
	List.map2 (fun sub_node (new_main,new_addon) ->
		     begin match get_node_kind sub_node with
		       | NKexpr | NKtest | NKlvalue ->
			   if NodeSet.mem new_main !(params.offset_nodes) then
			       match new_addon with
				 | Some new_addon ->
				     let addon_node = new_addon.addon_node in
				     if new_addon.is_replacement then
				       addon_node
				     else
				       make_seq_expr new_main addon_node
				 | None -> assert false
			   else
			     new_main
		       | _ -> new_main
		     end
		  ) sub_nodes new_sub_nodes
      in
      (change_sub_components node new_sub_nodes,
       None) (* addon part empty here *)

  let transform analysis offset_map decls =
    List.map (fun decl ->
		let params = 
		  { 
		    offset_nodes = ref NodeSet.empty;
		    offset_vars = ref VarSet.empty;
		    offset_map = offset_map;
		    label_corresp = StringMap.empty;
		    block_begin = decl; (* dummy value *)
		    block_end = decl; (* dummy value *)
		    has_old = false;
		    has_at = None
		  } 
		in
		let new_decl,_ = 
		  sub_transform analysis params decl in
		new_decl
	     ) decls

  let cleanup used_vars decl_vars offset_map decls =
    
    let rec sub_cleanup node = 

      let sub_nodes = (code_children node) @ (logic_children node) in
      let new_sub_nodes = List.map sub_cleanup sub_nodes in
      let node = change_sub_components node new_sub_nodes in

      match get_node_kind node with
	| NKstat ->
	    if stat_is_decl node then
	      let var = decl_stat_get_var node in
	      if debug_more then Coptions.lprintf
		"[sub_cleanup] declaration of variable %s used ? %B@."
		var.var_name (ILVarSet.mem var used_vars);
	      let node =
		if ILVarSet.mem var used_vars then 
		  node 
		else 
		  decl_stat_get_next node 
	      in
	      try
		let offset_var = ILVarMap.find var offset_map in
		if ILVarSet.mem offset_var decl_vars then
		  node
		else
		  make_var_decl node offset_var
	      with Not_found -> node
	    else node
	| _ -> node
    in
    List.map sub_cleanup decls
end

module LocalPtrAnalysis = Make_DataFlowAnalysis(Var)(PtrLangFromNormalized)
    (Make_LatticeFromSemiLattice(PointWisePtrLattice))(ConnectCFGtoPtr)


(*****************************************************************************
 *                                                                           *
 * 		External interface for local pointer analysis		     *
 *                                                                           *
 *****************************************************************************)

let local_aliasing fundecl =

  if debug_more then Coptions.lprintf 
    "[local_aliasing] treating function %s@." fundecl.f.fun_name; 

  (* build control-flow graph *)
  let decls = PtrLangFromNormalized.from_file [fundecl] in
  let decls = List.map fst decls in
  (* perform local pointer analysis *)
  let raw_analysis = LocalPtrAnalysis.compute decls in
  (* format results of the analysis *)
  let analysis,offset_map = ConnectCFGtoPtr.format raw_analysis in
  (* transform the program using the analysis *)
  let decls = ConnectCFGtoPtr.transform analysis offset_map decls in
  (* return the new program *)
  let file = PtrLangFromNormalized.to_file decls in

  (* rebuild control-flow graph *)
  let decls = PtrLangFromNormalized.from_file file in
  let decls = List.map fst decls in
  (* collect the local variables used/declared *)
  let used_vars,decl_vars = PtrLangFromNormalized.collect_vars () in
  if debug_more then Coptions.lprintf
    "[local_aliasing_transform] %i local variables used@." 
    (ILVarSet.cardinal used_vars);
  if debug_more && not (ILVarSet.is_empty used_vars) then 
    Coptions.lprintf "[local_aliasing_transform] %a@." 
      (fun _ -> (ILVarSet.iter (Coptions.lprintf "%a " ILVar.pretty))) 
      used_vars;
  (* add the necessary declarations *)
  let decls = ConnectCFGtoPtr.cleanup used_vars decl_vars offset_map decls in
  (* return the new program *)
  PtrLangFromNormalized.to_file decls

let local_aliasing_transform () =
  (* necessary prefix to translate the hash-table of functions in 
     the normalized code into a list of function representatives,
     as defined by type [func_t] in [Cabsint] *)
  let file = Hashtbl.fold 
    (fun name (spec,typ,f,s,loc) funcs ->
       { name = name; spec = spec; typ = typ; f = f; s = s; loc = loc } 
       :: funcs
    ) Cenv.c_functions []
  in

  if debug_more then Coptions.lprintf 
    "[local_aliasing_transform] %i functions to treat@." (List.length file); 

  let file = List.fold_right
    (fun fundecl acc -> (local_aliasing fundecl) @ acc) file [] in

  if debug_more then Coptions.lprintf 
    "[local_aliasing_transform] %i functions treated@." (List.length file);

  (* necessary suffix to translate the list of function representatives
     to the hash-table format *)
  List.iter (fun { name = name; spec = spec; typ = typ; 
		   f = f; s = s; loc = loc } ->
	       Cenv.add_c_fun name (spec,typ,f,s,loc)) file

(* Local Variables: *)
(* compile-command: "make -C .." *)
(* End: *)
why-2.34/c/cltyping.mli0000644000175000017500000000570412311670312013401 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Typing of C annotations *)

open Clogic
open Cast
open Cenv

(* logical environments *)
val eval_const_term_noerror : tterm -> Int64.t
val type_term : Env.t -> parsed_term  -> tterm
val type_ghost_lvalue : Env.t -> parsed_term  -> tterm
val type_predicate : Env.t -> parsed_predicate -> Cast.predicate
val type_location : Env.t -> parsed_term location -> tterm location
val type_spec : tctype option -> Env.t -> parsed_spec -> Cast.spec
val type_loop_annot : Env.t -> parsed_loop_annot -> Cast.loop_annot
val type_logic_type : 
  ?machine_ints:bool -> Loc.position -> Env.t -> parsed_logic_type -> tctype
val int_constant : string -> tterm
val zero : tterm
val coerce : tctype -> tterm -> tterm

why-2.34/c/cseparation.mli0000644000175000017500000000547712311670312014067 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Cast
open Info


val not_alias : Loc.position ->
  Cast.nctype Clogic.nterm -> Cast.nctype Clogic.nterm -> Cast.npredicate 

val file : nfile -> unit

val valid_for_type : 
  ?fresh:bool -> Loc.position -> string -> 
    nterm -> npredicate

val predicate : Info.why_type -> Cast.nctype Clogic.npredicate -> unit

val separation :
  Loc.position -> 
  Info.var_info -> Info.var_info -> Ctypes.ctype Clogic.npredicate

val in_struct :  nterm -> Info.var_info -> nterm 


val assoctype : why_type -> (zone *zone) list -> why_type

val funct : fun_info list -> unit
why-2.34/c/cpp.mli0000644000175000017500000000455512311670312012335 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* [cpp f] preprocesses file [f] and returns the preprocessed file. *)

val cpp : string -> string

why-2.34/c/cparser.mly0000644000175000017500000007317512311670312013236 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* from http://www.lysator.liu.se/c/ANSI-C-grammar-y.html */

%{

  open Format
  open Coptions
  open Ptree
  open Ctypes
  open Cast
  open Parsing
  open Cerror

  let loc () = (symbol_start_pos (), symbol_end_pos ())
  let loc_i i = (rhs_start_pos i, rhs_end_pos i)

  let locate x = { node = x; loc = loc() }
  let locate_i i x = { node = x; loc = loc_i i }
  let with_loc l x = { node = x; loc = l }

  let error s = 
    Creport.raise_located (loc ()) (AnyMessage ("Syntax error: " ^ s))

  let uns () = error "Unsupported C syntax"
  let unss s = error ("Unsupported C syntax: " ^ s)

  let warning s =
    Format.eprintf "%a warning: %s\n" Loc.report_line (symbol_start_pos ()) s
  let vwarning s = if verbose then warning s
  let dwarning s = if debug then warning s

  let no_loop_annot = 
    { Clogic.invariant = None; 
      Clogic.assume_invariant = None;
      Clogic.loop_assigns = None;
      Clogic.variant = None }

  let add_pre_loc lb = function
    | Some (b,_) -> Loc.join (b,0) lb 
    | _ -> lb

  let expr_of_statement s = match s.node with
    | CSnop -> { node = CEnop; loc = s.loc }
    | CSexpr e -> e
    | _ -> assert false

  (* used only for parsing types *)

  type specifier = 
    | Stypedef 
    | Sstorage of storage_class
    | Stype of cexpr ctype_node
    | Slong
    | Sshort
    | Sconst
    | Svolatile
    | Srestrict
    | Ssign of sign
    | Sstruct_decl of string option * fields
    | Sunion_decl of string option * fields
	
  and specifiers = specifier list

  and declarator =
    | Dsimple
    | Dpointer of declarator
    | Darray of declarator * cexpr option
    | Dfunction of declarator * parameters

  and parameters = (specifiers * declarator * string) list

  and fields = (specifiers * declarator * string * cexpr option) list

  (* interps a list of specifiers / declarators as a [ctype] *)
  (* TODO: short/long *)

  let storage_class = 
    let rec loop st = function
      | [] -> 
	  st
      | Sstorage st' :: s when st = No_storage -> 
	  loop st' s
      | Sstorage st' :: s when st' = st ->
	  warning "duplicate storage class"; loop st s
      | Sstorage _st' :: _ ->
	  error "multiple storage class"
      | _ :: s -> 
	  loop st s
    in
    loop No_storage

  let sign =
    let rec loop so = function
      | [] -> 
	  so
      | Ssign b' :: sp -> 
	  (match so with 
	     | None -> loop (Some b') sp
	     | Some b when b = b' -> warning "duplicate (un)signed"; loop so sp
	     | Some _b -> error "both signed and unsigned")
      | _ :: sp -> 
	  loop so sp
    in
    loop None

  let apply_sign sg ty = match sg, ty with
    | None, _ -> ty
    | Some b, (CTint (_, i)) -> CTint (b, i)
    | Some _, _ -> error "signed or unsigned invalid"

  type length = Short | Long | LongLong

  let length =
    let rec loop lo = function
      | [] -> 
	  lo
      | (Sshort | Slong as s) :: sp -> 
	  (match s, lo with 
	     | Sshort, None -> 
		 loop (Some Short) sp
	     | Slong, None -> 
		 loop (Some Long) sp
	     | Sshort, Some Short -> 
		 warning "duplicate short"; loop lo sp
	     | Sshort, Some (Long | LongLong) | Slong, Some Short -> 
		 error "both long and short specified"
	     | Slong, Some Long -> 
		 loop (Some LongLong) sp
	     | Slong, Some LongLong ->
		 error "too long for caduceus"
	     | _ -> 
		 assert false)
      | _ :: sp -> 
	  loop lo sp
    in
    loop None

  let apply_length lg ty = match lg, ty with
    | None, _ -> ty
    | Some Short, (CTint (s, _)) -> CTint (s, Cast.Short)
    | Some Long, (CTint (s, _)) -> CTint (s, Cast.Long)
    | Some LongLong, (CTint (s, _)) -> CTint (s, Cast.LongLong)
    | Some Long, CTfloat Double -> CTfloat LongDouble
    | Some _, CTfloat Float 
    | Some Short, CTfloat _ -> 
	error "long or short specified with floating type"
    | Some LongLong, CTfloat _ -> 
	error "the only valid combination is `long double'"
    | Some _, _ -> ty

  (* debug *)
  let rec explain_type fmt = function
    | CTfun (_, t) -> 
	fprintf fmt "function returning %a" explain_type t.ctype_node
    | CTpointer t -> 
	fprintf fmt "pointer on %a" explain_type t.ctype_node
    | CTarray (t, _) -> 
	fprintf fmt "array[] of %a" explain_type t.ctype_node
    | _ -> 
	fprintf fmt "other"

  (* fresh names for anonymous structures *)

  let fresh_name =
    let r = ref (-1) in
    function 
      | Some s -> s
      | None -> incr r; "anonymous_" ^ string_of_int !r

  (* Interpretation of type expression.
     [gl] indicates a global declaration (implies the check for a type or 
     a storage class) *)

  let rec interp_type gl specs decl = 
    let st = storage_class specs in
    let cst = List.exists ((=) Sconst) specs in
    let vl = List.exists ((=) Svolatile) specs in
    let sg = sign specs in
    let lg = length specs in
    let rec base_type tyo = function
      | [] -> 
	  (match tyo with 
	     | Some ty -> ty
	     | None when gl && st = No_storage && sg = None && lg = None -> 
		 error "data definition has no type or storage class"
	     | None -> CTint (Signed, Int))
      | Stype t :: sp when tyo = None ->
	  base_type (Some t) sp
      | Sstruct_decl (so, pl) :: sp when tyo = None ->
	  base_type (Some (CTstruct (fresh_name so, Decl (fields pl)))) sp
      | Sunion_decl (so, pl) :: sp when tyo = None ->
	  base_type (Some (CTunion (fresh_name so, Decl (fields pl)))) sp
      | (Stype _ | Sstruct_decl _ | Sunion_decl _) :: _ ->
	  error "two or more data types in declaration"
      | _ :: sp ->
	  base_type tyo sp
    and full_type ty = function
      | Dsimple -> ty
      | Dpointer d -> full_type (Cast_misc.noattr (CTpointer ty)) d
      | Darray (d, so) -> full_type (Cast_misc.noattr (CTarray (ty, so))) d
      | Dfunction (d, pl) -> full_type (Cast_misc.noattr (CTfun (params pl, ty))) d
    and params pl = 
      List.map (fun (s,d,x) -> (interp_type false s d, x)) pl
    and fields fl =
      List.map (fun (s,d,x,bf) -> (interp_type false s d, x, bf)) fl
    in
    let bt = base_type None specs in
    let bt = apply_sign sg bt in
    let bt = apply_length lg bt in
    let bt = { ctype_node = bt; ctype_storage = st;
	       ctype_const = cst; ctype_volatile = vl } 
    in
    let ty = full_type bt decl in
    if debug then eprintf "%a@." explain_type ty.ctype_node;
    ty

  let interp_param (s, d, id) = interp_type false s d, id
  let interp_params = List.map interp_param

  let is_typedef = List.exists ((=) Stypedef)

  let declaration specs decls =
    if is_typedef specs then
      let interp = function
	| (n,d), None -> 
	    Ctypes.add n; Ctypedef (interp_type true specs d, n)
	| (n,_), _ -> 
	    error ("typedef " ^ n ^ " is initialized")
      in
      List.map interp decls
    else
      let interp ((n,d),i) =
	Ctypes.remove n; Cdecl (interp_type true specs d, n, i)
      in
      List.map interp decls

  let spec_declaration s specs decls =
    match declaration specs decls with
      | [Cdecl ({ ctype_node = CTfun (pl, ty) }, f, _)] ->
	  Cfunspec (s, ty, f, pl)
      | _ ->
	  raise Parsing.Parse_error

  let type_declarations specs =
    if is_typedef specs then warning "useless keyword in empty declaration";
    let ty = interp_type true specs Dsimple in
    match ty.ctype_node with
      | CTstruct _ | CTunion _ | CTenum _ ->
          [ locate (Ctypedecl ty) ]
      | _ ->
	  warning "empty declaration";
	  []

  (* old style function prototype: f(x,y,z) t1 x; t2 y; ...
     some parameters may be omitted *)
  let old_style_params pl decls =
    let pids = List.map (fun (_,x) -> x) pl in
    let h = Hashtbl.create 17 in
    (* we first check that no parameter is initialized or occurs twice *)
    List.iter
      (fun d -> match d.node with
	 | Cdecl (ty, x, None) -> 
	     if not (List.mem x pids) then 
	       error ("declaration for " ^ x ^ " but no such parameter");
	     if Hashtbl.mem h x then error ("duplicate declaration for " ^ x);
	     Hashtbl.add h x ty
	 | Cdecl (_,x,_) -> error ("parameter " ^ x ^ " is initialized")
	 | _ -> ()) 
      decls;
    (* do it for all parameters *)
    List.map (fun (tx, x) -> (try Hashtbl.find h x with Not_found -> tx), x) pl

  let function_declaration specs (id,d) decls = 
    let ty = interp_type false specs d in
    match ty.ctype_node with
      | CTfun (pl, tyf) ->
	  let pl = 
	    if decls = [] then pl else old_style_params pl decls 
	  in
	  List.iter (fun (_,x) -> Ctypes.remove x) pl;
	  tyf, id, pl
      | _ -> 
	  raise Parsing.Parse_error

%}

%token  SPEC
%token  DECL
%token  CODE_ANNOT
%token  LOOP_ANNOT

%token  CONSTANT
%token  IDENTIFIER STRING_LITERAL TYPE_NAME
%token SIZEOF
%token PTR_OP INC_OP DEC_OP LEFT_OP RIGHT_OP LE_OP GE_OP EQ_OP NE_OP
%token AND_OP OR_OP MUL_ASSIGN DIV_ASSIGN MOD_ASSIGN ADD_ASSIGN
%token SUB_ASSIGN LEFT_ASSIGN RIGHT_ASSIGN AND_ASSIGN
%token XOR_ASSIGN OR_ASSIGN

%token TYPEDEF EXTERN STATIC AUTO REGISTER
%token CHAR SHORT INT LONG SIGNED UNSIGNED FLOAT DOUBLE CONST VOLATILE VOID
%token STRUCT UNION ENUM ELLIPSIS

%token CASE DEFAULT IF ELSE SWITCH WHILE DO FOR GOTO CONTINUE BREAK RETURN

%token SEMICOLON LBRACE RBRACE COMMA COLON EQUAL LPAR RPAR LSQUARE RSQUARE
%token DOT AMP EXL TILDE MINUS PLUS STAR SLASH PERCENT LT GT HAT PIPE
%token QUESTION EOF

/* non-ANSI tokens */
%token ATTRIBUTE RESTRICT

%nonassoc specs
%nonassoc TYPE_NAME
%nonassoc no_annot
/* %nonassoc ANNOT */

%type  file
%start file
%%

file
        : translation_unit EOF { $1 }
        | EOF { [] }
        ;

primary_expression
        : IDENTIFIER { locate (CEvar $1) }
        | CONSTANT { locate (CEconstant $1) }
        | STRING_LITERAL { locate (CEstring_literal $1) }
        | LPAR expression RPAR { $2 }
        ;

postfix_expression
        : primary_expression 
            { $1 }
        | postfix_expression LSQUARE expression RSQUARE 
	    { locate (CEarrget ($1, $3)) }
        | postfix_expression LPAR RPAR 
	    { locate (CEcall ($1, [])) }
        | postfix_expression LPAR argument_expression_list RPAR 
	    { locate (CEcall ($1, $3)) }
        | postfix_expression DOT identifier/*ICI*/ 
	    { locate (CEdot ($1, $3)) }
        | postfix_expression PTR_OP identifier/*ICI*/ 
	    { locate (CEarrow ($1, $3)) }
        | postfix_expression INC_OP 
	    { locate (CEincr (Upostfix_inc, $1)) }
        | postfix_expression DEC_OP
	    { locate (CEincr (Upostfix_dec, $1)) }
        ;

argument_expression_list
        : assignment_expression { [$1] }
        | argument_expression_list COMMA assignment_expression { $1 @ [$3] }
        ;

unary_expression
        : postfix_expression { $1 }
        | INC_OP unary_expression { locate (CEincr (Uprefix_inc, $2)) }
        | DEC_OP unary_expression { locate (CEincr (Uprefix_dec, $2)) }
        | unary_operator cast_expression { locate (CEunary ($1, $2)) }
        | SIZEOF unary_expression { locate (CEsizeof_expr $2) }
        | SIZEOF LPAR type_name RPAR 
	    { let s,d = $3 in locate (CEsizeof (interp_type false s d)) }
        ;

unary_operator
        : AMP { Uamp }
        | STAR { Ustar }
        | PLUS { Uplus }
        | MINUS { Uminus }
        | TILDE { Utilde }
        | EXL { Unot }
        ;

cast_expression
        : unary_expression { $1 }
        | LPAR type_name RPAR cast_expression 
	    { let s,d = $2 in locate (CEcast (interp_type false s d, $4)) }
        ;

multiplicative_expression
        : cast_expression 
            { $1 }
        | multiplicative_expression STAR cast_expression 
	    { locate (CEbinary ($1, Bmul, $3)) }
        | multiplicative_expression SLASH cast_expression 
	    { locate (CEbinary ($1, Bdiv, $3)) }
        | multiplicative_expression PERCENT cast_expression 
	    { locate (CEbinary ($1, Bmod, $3)) }
        ;

additive_expression
        : multiplicative_expression 
           { $1 }
        | additive_expression PLUS multiplicative_expression 
	    { locate (CEbinary ($1, Badd, $3)) }
        | additive_expression MINUS multiplicative_expression 
	    { locate (CEbinary ($1, Bsub, $3)) }
        ;

shift_expression
        : additive_expression { $1 }
        | shift_expression LEFT_OP additive_expression 
	    { locate (CEbinary ($1, Bshift_left, $3)) }
        | shift_expression RIGHT_OP additive_expression 
	    { locate (CEbinary ($1, Bshift_right, $3)) }
        ;

relational_expression
        : shift_expression 
            { $1 }
        | relational_expression LT shift_expression 
	    { locate (CEbinary ($1, Blt, $3)) }
        | relational_expression GT shift_expression
	    { locate (CEbinary ($1, Bgt, $3)) }
        | relational_expression LE_OP shift_expression
	    { locate (CEbinary ($1, Ble, $3)) }
        | relational_expression GE_OP shift_expression
	    { locate (CEbinary ($1, Bge, $3)) }
        ;

equality_expression
        : relational_expression 
            { $1 }
        | equality_expression EQ_OP relational_expression 
	    { locate (CEbinary ($1, Beq, $3)) }
        | equality_expression NE_OP relational_expression 
	    { locate (CEbinary ($1, Bneq, $3)) }
        ;

and_expression
        : equality_expression 
            { $1 }
        | and_expression AMP equality_expression 
	    { locate (CEbinary ($1, Bbw_and, $3)) }
        ;

exclusive_or_expression
        : and_expression 
            { $1 }
        | exclusive_or_expression HAT and_expression 
	    { locate (CEbinary ($1, Bbw_xor, $3)) }
        ;

inclusive_or_expression
        : exclusive_or_expression 
            { $1 }
        | inclusive_or_expression PIPE exclusive_or_expression 
	    { locate (CEbinary ($1, Bbw_or, $3)) }
        ;

logical_and_expression
        : inclusive_or_expression 
            { $1 }
        | logical_and_expression AND_OP inclusive_or_expression 
	    { locate (CEbinary ($1, Band, $3)) }
        ;

logical_or_expression
        : logical_and_expression 
            { $1 }
        | logical_or_expression OR_OP logical_and_expression 
	    { locate (CEbinary ($1, Bor, $3)) }
        ;

conditional_expression
        : logical_or_expression 
            { $1 }
        | logical_or_expression QUESTION expression COLON conditional_expression 
	    { locate (CEcond ($1, $3, $5)) }
        ;

assignment_expression
        : conditional_expression 
            { $1 }
        | unary_expression assignment_operator assignment_expression 
	    { locate (match $2 with
			| Aequal -> CEassign ($1, $3)
			| Amul -> CEassign_op ($1, Bmul, $3)
			| Adiv -> CEassign_op ($1, Bdiv, $3)
			| Amod -> CEassign_op ($1, Bmod, $3)
			| Aadd -> CEassign_op ($1, Badd, $3)
			| Asub -> CEassign_op ($1, Bsub, $3)
			| Aleft -> CEassign_op ($1, Bshift_left, $3)
			| Aright -> CEassign_op ($1, Bshift_right, $3)
			| Aand -> CEassign_op ($1, Bbw_and, $3)
			| Axor -> CEassign_op ($1, Bbw_xor, $3)
			| Aor -> CEassign_op ($1, Bbw_or, $3)) }
        ;

assignment_operator
        : EQUAL { Aequal }
        | MUL_ASSIGN { Amul }
        | DIV_ASSIGN { Adiv }
        | MOD_ASSIGN { Amod }
        | ADD_ASSIGN { Aadd }
        | SUB_ASSIGN { Asub }
        | LEFT_ASSIGN { Aleft }
        | RIGHT_ASSIGN { Aright }
        | AND_ASSIGN { Aand }
        | XOR_ASSIGN { Axor }
        | OR_ASSIGN { Aor }
        ;

expression
        : assignment_expression { $1 }
        | expression COMMA assignment_expression { locate (CEseq ($1, $3)) }
        ;

constant_expression
        : conditional_expression { $1 }
        ;

declaration
        : declaration_specifiers SEMICOLON 
            { type_declarations $1 }
        | declaration_specifiers init_declarator_list attributes_opt SEMICOLON 
	    { List.map locate (declaration $1 $2) }
        | SPEC 
	  declaration_specifiers init_declarator_list attributes_opt SEMICOLON 
	    { [locate (spec_declaration $1 $2 $3)] }
	| DECL  /* ADDED FOR WHY */
	    { List.map (fun d -> locate (Cspecdecl d)) $1 }
        ;

/* the precedence specs indicates to keep going with declaration_specifiers */
declaration_specifiers
        : storage_class_specifier %prec specs { [$1] }
        | storage_class_specifier declaration_specifiers { $1 :: $2 }
        | type_specifier { [$1] }
        | type_specifier declaration_specifiers_no_name { $1 :: $2 }
        | type_qualifier %prec specs { [$1] }
        | type_qualifier declaration_specifiers { $1 :: $2 }
        ;
/* same thing, with TYPE_NAME no more allowed */
declaration_specifiers_no_name
        : storage_class_specifier %prec specs { [$1] }
        | storage_class_specifier declaration_specifiers_no_name { $1 :: $2 }
        | type_specifier_no_name { [$1] }
        | type_specifier_no_name declaration_specifiers_no_name { $1 :: $2 }
        | type_qualifier %prec specs { [$1] }
        | type_qualifier declaration_specifiers { $1 :: $2 }
        ;

init_declarator_list
        : init_declarator { [$1] }
        | init_declarator_list COMMA init_declarator { $1 @ [$3] }
        ;

init_declarator
        : declarator 
            { $1, None }
        | declarator EQUAL c_initializer 
	    { $1, Some $3 }
        ;

storage_class_specifier
        : TYPEDEF { Stypedef }
        | EXTERN { Sstorage Extern }
        | STATIC { Sstorage Static }
        | AUTO { Sstorage Auto }
        | REGISTER { Sstorage Register }
        ;

type_specifier
        : type_specifier_no_name { $1 }
        | TYPE_NAME { Stype (CTvar $1) }
        ;
type_specifier_no_name
        : VOID { Stype CTvoid }
        | CHAR { Stype (CTint (Unsigned, Char)) }
        | SHORT { Sshort }
        | INT { Stype (CTint (Signed, Int)) }
        | LONG { Slong }
        | FLOAT { Stype (CTfloat Float) }
        | DOUBLE { Stype (CTfloat Double) }
        | SIGNED { Ssign Signed }
        | UNSIGNED { Ssign Unsigned }
        | struct_or_union_specifier { $1 }
        | enum_specifier { $1 }
        ;

identifier
        : IDENTIFIER { $1 }
        | TYPE_NAME  { $1 }
	;

struct_or_union_specifier
        : struct_or_union identifier/*ICI*/ LBRACE struct_declaration_list RBRACE 
            { if $1 then 
		Sstruct_decl (Some $2, $4) 
	      else 
		Sunion_decl (Some $2, $4) }
        | struct_or_union LBRACE struct_declaration_list RBRACE 
	    { if $1 then Sstruct_decl (None, $3) else Sunion_decl (None, $3) }
        | struct_or_union identifier/*ICI*/ 
	    { Stype (if $1 then CTstruct ($2, Tag) else CTunion ($2, Tag)) }
        ;

struct_or_union
        : STRUCT { true }
        | UNION { false }
        ;

struct_declaration_list
        : struct_declaration { $1 }
        | struct_declaration_list struct_declaration { $1 @ $2 }
        ;

struct_declaration
        : specifier_qualifier_list struct_declarator_list SEMICOLON 
            { let s = $1 in List.map (fun ((id,d),bf) -> s,d,id,bf) $2 }
        ;

specifier_qualifier_list
        : type_specifier specifier_qualifier_list_no_name { $1 :: $2 }
        | type_specifier { [$1] }
        | type_qualifier specifier_qualifier_list { $1 :: $2 }
        | type_qualifier %prec specs { [$1] }
        ;
/* same thing, with TYPE_NAME no more allowed */
specifier_qualifier_list_no_name
        : type_specifier_no_name specifier_qualifier_list_no_name { $1 :: $2 }
        | type_specifier_no_name { [$1] }
        | type_qualifier specifier_qualifier_list_no_name { $1 :: $2 }
        | type_qualifier { [$1] }
        ;

struct_declarator_list
        : struct_declarator { [$1] }
        | struct_declarator_list COMMA struct_declarator { $1 @ [$3] }
        ;

struct_declarator
        : declarator 
            { $1, None }
        | COLON constant_expression 
	    { ("_", Dsimple), Some $2 }
        | declarator COLON constant_expression 
	    { $1, Some $3 }
        ;

enum_specifier
        : ENUM LBRACE enumerator_list RBRACE 
            { Stype (CTenum (fresh_name None, Decl $3)) }
        | ENUM identifier/*ICI*/ LBRACE enumerator_list RBRACE 
	    { Stype (CTenum ($2, Decl $4)) }
        | ENUM identifier/*ICI*/ 
	    { Stype (CTenum ($2, Tag)) }
        ;

enumerator_list
        : enumerator { [$1] }
        | enumerator_list COMMA enumerator { $1 @ [$3] }
        ;

enumerator
        : IDENTIFIER { $1, None }
        | IDENTIFIER EQUAL constant_expression { $1, Some $3 }
        ;

type_qualifier
        : CONST { Sconst }
        | VOLATILE { Svolatile }
	| RESTRICT { dwarning "ignored __restrict"; Srestrict }
        ;

declarator
        : pointer direct_declarator { let id,d = $2 in id, $1 d }
        | direct_declarator { $1 }
        ;

direct_declarator
        : identifier
            { $1, Dsimple }
        | LPAR declarator RPAR 
	    { $2 }
        | direct_declarator LSQUARE constant_expression RSQUARE 
	    { let id,d = $1 in id, Darray (d, Some $3) }
        | direct_declarator LSQUARE RSQUARE 
	    { let id,d = $1 in id, Darray (d, None) }
        | direct_declarator LPAR parameter_type_list RPAR
	    { let id,d = $1 in id, Dfunction (d, $3) }
        | direct_declarator LPAR identifier_list RPAR
	    { let pl = List.map (fun x -> ([], Dsimple, x)) $3 in
	      let id,d = $1 in id, Dfunction (d, pl) }
        | direct_declarator LPAR RPAR
            { let id,d = $1 in id, Dfunction (d, []) }
        ;

/* ADDED FOR WHY */
loop_annot
        : LOOP_ANNOT                   { $1 }
        | /* epsilon */ %prec no_annot { no_loop_annot }
        ;

pointer
        : STAR { fun d -> Dpointer d }
        | STAR type_qualifier_list 
	    { dwarning "ignored qualifiers"; fun d -> Dpointer d }
        | STAR pointer { fun d -> Dpointer ($2 d) }
        | STAR type_qualifier_list pointer 
	    { dwarning "ignored qualifiers"; fun d -> Dpointer ($3 d) }
        ;

type_qualifier_list
        : type_qualifier { [$1] }
        | type_qualifier_list type_qualifier { $1 @ [$2] }
        ;


parameter_type_list
        : parameter_list { $1 }
        /* TODO */
        | parameter_list COMMA ELLIPSIS { dwarning "ignored <...>"; $1 }
        ;

parameter_list
        : parameter_declaration { [$1] }
        | parameter_list COMMA parameter_declaration { $1 @ [$3] }
        ;

parameter_declaration
        : declaration_specifiers declarator 
            { let id,d = $2 in $1, d, id }
        | declaration_specifiers abstract_declarator 
	    { $1, $2, "" }
        | declaration_specifiers 
	    { ($1, Dsimple, "") }
        ;

identifier_list
        : IDENTIFIER { [$1] }
        | identifier_list COMMA IDENTIFIER { $1 @ [$3] }
        ;

type_name
        : specifier_qualifier_list { $1, Dsimple }
        | specifier_qualifier_list abstract_declarator { $1, $2 }
        ;

abstract_declarator
        : pointer { $1 Dsimple }
        | direct_abstract_declarator { $1 }
        | pointer direct_abstract_declarator { $1 $2 }
        ;

direct_abstract_declarator
        : LPAR abstract_declarator RPAR 
            { $2 }
        | LSQUARE RSQUARE 
	    { Darray (Dsimple, None) }
        | LSQUARE constant_expression RSQUARE 
	    { Darray (Dsimple, Some $2) }
        | direct_abstract_declarator LSQUARE RSQUARE 
	    { Darray ($1, None) }
        | direct_abstract_declarator LSQUARE constant_expression RSQUARE 
	    { Darray ($1, Some $3) }
        | LPAR RPAR 
	    { Dfunction (Dsimple, []) }
        | LPAR parameter_type_list RPAR 
	    { Dfunction (Dsimple, $2) }
        | direct_abstract_declarator LPAR RPAR 
	    { Dfunction ($1, []) }
        | direct_abstract_declarator LPAR parameter_type_list RPAR 
	    { Dfunction ($1, $3) }
        ;

c_initializer
        : assignment_expression { Iexpr $1 }
        | LBRACE c_initializer_list RBRACE { Ilist $2 }
        | LBRACE c_initializer_list COMMA RBRACE { Ilist $2 }
        ;

c_initializer_list
        : c_initializer { [$1] }
        | c_initializer_list COMMA c_initializer { $1 @ [$3] }
        ;

statement
        : labeled_statement { $1 }
        | compound_statement { locate (CSblock $1) }
        | expression_statement { $1 }
        | selection_statement { $1 }
        | iteration_statement { $1 }
        | jump_statement { $1 }
	| SPEC statement { locate (CSspec ($1,$2)) }
        ;

labeled_statement
        : identifier/*ICI*/ COLON statement { locate (CSlabel ($1, $3)) }
        | CASE constant_expression COLON statement { locate (CScase ($2, $4)) }
        | DEFAULT COLON statement { locate (CSdefault($3)) }
        ;

compound_statement
        : compound_statement_LBRACE RBRACE 
            { Ctypes.pop (); [], [] }
        | compound_statement_LBRACE statement_list RBRACE 
	    { Ctypes.pop (); [], $2 }
        | compound_statement_LBRACE declaration_list RBRACE 
	    { Ctypes.pop (); $2, [] }
        | compound_statement_LBRACE declaration_list statement_list RBRACE 
	    { Ctypes.pop (); $2, $3 }
        ;

compound_statement_LBRACE:
  LBRACE { Ctypes.push () }
;

declaration_list
        : declaration { $1 }
        | declaration_list declaration { $1 @ $2 }
        ;

statement_list
        : statement { [$1] }
        | statement_list statement { $1 @ [$2] }
        ;

expression_statement
        : SEMICOLON { locate CSnop }
	| CODE_ANNOT { locate (CSannot $1) } /* ADDED FOR WHY */
        | expression SEMICOLON { locate (CSexpr $1) }
        ;

selection_statement
        : IF LPAR expression RPAR statement 
            { locate (CSif ($3, $5, locate CSnop)) }
        | IF LPAR expression RPAR statement ELSE statement 
	    { locate (CSif ($3, $5, $7)) }
        | SWITCH LPAR expression RPAR statement 
	    { locate (CSswitch ($3, $5)) }
        ;

iteration_statement
        : loop_annot WHILE LPAR expression RPAR statement 
            { locate (CSwhile ($1, $4, $6)) }
        | loop_annot DO statement WHILE LPAR expression RPAR SEMICOLON 
	    { locate (CSdowhile ($1, $3, $6)) }
        | loop_annot FOR LPAR expression_statement expression_statement RPAR 
          statement
	    { locate (CSfor ($1, expr_of_statement $4, expr_of_statement $5, 
			     locate CEnop, $7)) }
        | loop_annot 
          FOR LPAR expression_statement expression_statement expression RPAR 
          statement 
	    { locate (CSfor ($1, expr_of_statement $4, expr_of_statement $5, 
			     $6, $8)) }
        ;

jump_statement
        : GOTO identifier/*ICI*/ SEMICOLON { locate (CSgoto $2) }
        | CONTINUE SEMICOLON { locate CScontinue }
        | BREAK SEMICOLON { locate CSbreak }
        | RETURN SEMICOLON { locate (CSreturn None) }
        | RETURN expression SEMICOLON { locate (CSreturn (Some $2)) }
        ;

translation_unit
        : external_declaration { $1 }
        | translation_unit external_declaration { $1 @ $2 }
        ;

external_declaration
        : function_definition { [$1] }
        | declaration { $1 }
        ;

function_definition
        : function_prototype compound_statement
            { Ctypes.pop (); (* pushed by function_prototype *)
	      let ty,id,pl = $1 in
	      let bl = locate_i 2 (CSblock $2) in
	      locate (Cfundef (None, ty, id, pl, bl)) }
        | SPEC function_prototype compound_statement
            { Ctypes.pop (); (* pushed by function_prototype *)
	      let ty,id,pl = $2 in
	      let bl = locate_i 3 (CSblock $3) in
	      locate (Cfundef (Some $1, ty, id, pl, bl)) }
        ;
	      
function_prototype
        : declaration_specifiers declarator declaration_list 
            { Ctypes.push (); function_declaration $1 $2 $3 }
        | declaration_specifiers declarator 
	    { Ctypes.push (); function_declaration $1 $2 [] }
        | declarator declaration_list
	    { Ctypes.push (); function_declaration [] $1 $2 }
        | declarator
	    { Ctypes.push (); function_declaration [] $1 [] }
        ;

/* non-ANSI */

attributes_opt:
  /* empty */ {}
| attributes { dwarning "ignored attributes" }
;

attributes:
  attribute {}
| attributes attribute {} 
;

attribute:
  ATTRIBUTE LPAR LPAR attribute_list RPAR RPAR {}
;

attribute_list:
  attrib {}
| attribute_list COMMA attrib {}
;

attrib:
  /* empty */ {}
| identifier {}
| identifier LPAR RPAR {}
| identifier LPAR argument_expression_list RPAR {}
| CONST {}
;


why-2.34/c/coptions.ml0000644000175000017500000002604512311670312013236 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format

(*s The log file *)

let c = ref stdout

let log =
  c := open_out "caduceus.log";
  Format.formatter_of_out_channel !c

let lprintf s = Format.fprintf log s

let close_log () =
  Format.fprintf log "End of log.@.";
  close_out !c;
  c := stdout

(*s environment variables *)

let libdir = 
  try
    let v = Sys.getenv "CADUCEUSLIB" in
    Format.fprintf log "CADUCEUSLIB is set to %s@." v;
    v
  with Not_found -> 
    let p = Cversion.libdir in
    Format.fprintf log 
      "CADUCEUSLIB is not set, using %s as default@." p;
    p

let whylib =
  try
    Sys.getenv "WHYLIB"
  with Not_found -> 
    Version.libdir

(*s command-line options *)

let zones = ref false
let show_time = ref false
let parse_only = ref false
let type_only = ref false
let print_norm = ref false
let print_graph = ref false
let cpp_command = ref "gcc -E -C"
let cpp_dump = ref false
let with_cpp = ref true
let debug = ref false
let verbose = ref false
let werror = ref false
let why_opt = ref ""
let coq_tactic = ref "intuition"
let separate = ref false
let no_zone_type = ref false
let closed_program = ref false
let floats = ref true
let local_aliasing = ref false
let arith_memory_model = ref false
let no_alloc_table = ref false 
let abstract_interp = ref false
let gen_invariant = ref false
let absint_as_proof = ref false

type fp_rounding_mode = 
  | RM_nearest_even | RM_to_zero | RM_up | RM_down | RM_nearest_away 
  | RM_dynamic
let fp_rounding_mode = ref RM_nearest_even
let set_fp_rounding_mode = function
  | "nearest_even" -> fp_rounding_mode := RM_nearest_even
  | "to_zero" -> fp_rounding_mode := RM_to_zero
  | "up" -> fp_rounding_mode := RM_up
  | "down" -> fp_rounding_mode := RM_down
  | "nearest_away" -> fp_rounding_mode := RM_nearest_away
  | _ -> 
      eprintf "rounding mode should be nearest_even, to_zero, up, down, or nearest_away@."; exit 1
let fp_overflow_check = ref false

type int_model = IMexact | IMbounded | IMmodulo

let int_model = ref IMexact
let set_int_model = function
  | "exact" -> 
      int_model := IMexact
  | "bounded" -> 
      int_model := IMbounded
  | "modulo" -> 
      int_model := IMmodulo
  | _ -> 
      eprintf 
	"integer arithmetic model should be `exact', `bounded' or `modulo'@."; 
      exit 1

let enum_check = ref false

let char_size_ = ref 8
let short_size_ = ref 16
let int_size_ = ref 32
let long_size_ = ref 32
let long_long_size_ = ref 64

let set_integer_size r s = 
  if s < 1 || s > 64 then begin
    eprintf "invalid integer size: %d (should be with 1..64)@." s; exit 1
  end;
  r := s

let add_why_opt s = why_opt := !why_opt ^ " " ^ s

let files_ = ref []
let add_file f = 
  if not (Sys.file_exists f) then begin
    eprintf "caduceus: %s: no such file@." f;
    exit 1
  end;
  files_ := f :: !files_
let files () = List.rev !files_

let version () = 
  Printf.printf "This is Caduceus version %s, compiled on %s
Copyright (c) 2003-2008 - Jean-Christophe Filliâtre, Thierry Hubert and Claude Marché
This is free software with ABSOLUTELY NO WARRANTY (use option -warranty)
" Cversion.version Cversion.date;
  exit 0

type verification = All | Verify | Assume
let verification = ref All

let comma = Str.regexp "[ \t]*,[ \t]*"
let split = Str.split comma

let functions = Hashtbl.create 97

let verify s =
  separate := true;
  if !verification = Assume then begin
    Printf.eprintf "you cannot use both -verify and -assume\n"; exit 1
  end;
  verification := Verify;
  List.iter (fun f -> Hashtbl.add functions f ()) (split s)

let assume s =
  if !verification = Verify then begin
    eprintf "you cannot use both -verify and -assume\n"; exit 1
  end;
  verification := Assume;
  List.iter (fun f -> Hashtbl.add functions f ()) (split s)

let spec =
  [ "-parse-only", Arg.Set parse_only, 
  "  stops after parsing";
    "-type-only", Arg.Set type_only, 
  "  stops after typing";
    "-print-norm", Arg.Set print_norm, 
  "  stops after normalization and print C tree";
    "-print-call-graph", Arg.Set print_graph, 
  "  stops after call graph and print call graph";
    "-no-cpp", Arg.Clear with_cpp, 
  "  no C preprocessor";
    "-ccp", Arg.String ((:=) cpp_command), 
  "   sets the C preprocessor";
    "-E", Arg.Set cpp_dump,
  "  stops after pre-processing and dump pre-processed file";
    "-d", Arg.Set debug,
  "  debugging mode";
    "-why-opt", Arg.String add_why_opt,
  "   passes options to Why";
    "-coq-tactic", Arg.String ((:=) coq_tactic),
  "   Coq tactic for new goals";
    "-v", Arg.Set verbose,
  "  verbose mode";
    "-q", Arg.Clear verbose,
  "  quiet mode (default)";
    "--werror", Arg.Set werror,
  "  treats warnings as errors";
    "--version", Arg.Unit version,
  "  prints version and exit";
    "-s", Arg.Set separate,
  "  a separate file for each function";
    "-verify", Arg.String verify,
  "   specifies the functions to verify; implies -s";
    "-assume", Arg.String assume,
  "   specifies functions not to be verified (i.e. assumed)";
    "-closed", Arg.Set closed_program,
  "  assumes a closed program";
    "-separation", 
  Arg.Unit(fun () -> zones := true; closed_program := true),
  "  separates pointers into several zones (implies -closed)";	
    "-show-time", 
  Arg.Unit(fun () -> show_time := true;),
  " prints execution time ";
    "-no-zone-type", 
  Arg.Set no_zone_type,
  "  zones do not generate different why types";
    "--no-fp", Arg.Clear floats,
  "  do not use floating-point arithmetic";
    "--fp-rounding-mode", Arg.String set_fp_rounding_mode,
  "  set the default FP rounding mode";
    "--fp-overflow", Arg.Set fp_overflow_check,
  "  check for FP overflows";
    "-int-model", Arg.String set_int_model, 
  "  set the model for integer arithmetic (exact, bounded or modulo)";
    "-check-enum", Arg.Set enum_check,
  "  check for enum values";
    "-char-size", Arg.Int (set_integer_size char_size_),
  "  set the size of type `char' (default is 8)";
    "-short-size", Arg.Int (set_integer_size short_size_),
  "  set the size of type `short' (default is 16)";
    "-int-size", Arg.Int (set_integer_size int_size_),
  "  set the size of type `int' (default is 32)";
    "-long-size", Arg.Int (set_integer_size long_size_),
  "  set the size of type `long' (default is 32)";
    "-long-long-size", Arg.Int (set_integer_size long_long_size_),
  "  set the size of type `long long' (default is 64)";
    "--loc-alias", Arg.Set local_aliasing,
  "  local aliasing analysis (experimental)";
    "--arith-mem", Arg.Set arith_memory_model,
  "  alternate arithmetic memory model (experimental)";
    "--abs-int", Arg.Set abstract_interp,
  "  local abstract interpretation over integers (experimental)";
    "--inv-gen", Arg.Set gen_invariant,
  "  invariant generation by local abstract interpretation over integers (experimental)";
    "--abs-int-proof", Arg.Set absint_as_proof,
  "  proof by local abstract interpretation over integers (experimental)";
  ]

let () = Arg.parse spec add_file "caduceus [options] file..."

let () = 
  if !files_ = [] then begin
    Arg.usage spec "usage: caduceus [options] file...\nOptions are:";
    exit 1
  end

let zones = !zones
let show_time = !show_time
let no_zone_type = !no_zone_type
let parse_only = !parse_only
let type_only = !type_only
let print_norm = !print_norm
let print_graph = !print_graph
let debug = !debug
let verbose = !verbose
let werror = !werror
let with_cpp = !with_cpp
let cpp_command = !cpp_command
let cpp_dump = !cpp_dump
let coq_tactic = !coq_tactic
let separate = !separate
let closed_program = !closed_program
let local_aliasing = !local_aliasing
let arith_memory_model = !arith_memory_model
let no_alloc_table = !no_alloc_table
let abstract_interp = !abstract_interp
let gen_invariant = !gen_invariant
let absint_as_proof = !absint_as_proof

let floats = !floats
let fp_overflow_check = !fp_overflow_check
let dft_fp_rounding_mode = !fp_rounding_mode

let char_size = !char_size_
let short_size = !short_size_
let int_size = !int_size_
let long_size = !long_size_
let long_long_size = !long_long_size_

let int_model = !int_model
let machine_ints = int_model = IMbounded || int_model = IMmodulo

let enum_check = !enum_check

let libfile =
  if arith_memory_model then
    "caduceus_arith.why"
  else
    "caduceus.why"

let use_floats = ref false

let why_opt () = 
  let o = !why_opt in
  (*let o = if int_overflow_check then o ^ " --lib-file marith.why" else o in*)
  if floats && !use_floats then o ^ " -lib-file floats.why" else o

let verify f = match !verification with
  | All -> true
  | Verify -> Hashtbl.mem functions f
  | Assume -> not (Hashtbl.mem functions f)

type evaluation_order_t =
    { binary_left_to_right : bool;
      assign_left_to_right : bool;
      call_left_to_right : bool }

let evaluation_order = 
  { binary_left_to_right = true;
    assign_left_to_right = false;
    call_left_to_right = true }

(*
Local Variables: 
compile-command: "make -j -C .. bin/caduceus.byte"
End: 
*)
why-2.34/c/clexer.mll0000644000175000017500000002226412311670312013035 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*i $Id: clexer.mll,v 1.29 2009-04-02 11:51:39 melquion Exp $ i*)

(* from http://www.lysator.liu.se/c/ANSI-C-grammar-l.html *)

{

  open Cast
  open Cparser
  open Lexing
  open Cerror
  open Clogic

  let loc lexbuf = (lexeme_start_p lexbuf, lexeme_end_p lexbuf)

  let lex_error lexbuf s =
    Creport.raise_located (loc lexbuf) (AnyMessage ("lexical error: " ^ s))

  let annot_start_pos = ref Lexing.dummy_pos
  let buf = Buffer.create 1024

  let make_annot s =
    let loc = !annot_start_pos in
    match Cllexer.annot (loc, s) with
      | Cast.Adecl d -> DECL d
      | Cast.Aspec s -> SPEC s
      | Cast.Acode_annot a -> CODE_ANNOT a
      | Cast.Aloop_annot a -> LOOP_ANNOT a
	 
  let newline lexbuf =
    let pos = lexbuf.lex_curr_p in
    lexbuf.lex_curr_p <- 
      { pos with pos_lnum = pos.pos_lnum + 1; pos_bol = pos.pos_cnum }

  (* Update the current location with file name and line number. *)

  let update_loc lexbuf file line absolute chars =
    let pos = lexbuf.lex_curr_p in
    let new_file = match file with
      | None -> pos.pos_fname
      | Some s -> s
    in
    lexbuf.lex_curr_p <- 
      { pos with
	  pos_fname = new_file;
	  pos_lnum = if absolute then line else pos.pos_lnum + line;
	  pos_bol = pos.pos_cnum - chars;
      }

}

let space = [' ' '\t' '\012' '\r']

let rD =	['0'-'9']
let rL = ['a'-'z' 'A'-'Z' '_']
let rH = ['a'-'f' 'A'-'F' '0'-'9']
let rE = ['E''e']['+''-']? rD+
let rP = ['P''p']['+''-']? rD+
let rFS = ('f'|'F'|'l'|'L')
let rIS = ('u'|'U'|'l'|'L')*

rule token = parse
  | [' ' '\t' '\012' '\r']+ { token lexbuf }
  | '\n'                    { newline lexbuf; token lexbuf }
  | "/*"                    { comment lexbuf; token lexbuf }
  | "/*@"                   { annot_start_pos := lexeme_start_p lexbuf;
			      Buffer.clear buf; annot lexbuf }
  | "//@" [^ '\n']* '\n'    { annot_start_pos := lexeme_start_p lexbuf;
			      newline lexbuf;
			      let s = lexeme lexbuf in
			      make_annot 
				(String.sub s 3 (String.length s - 4)) }
  | "//" [^ '\n']* '\n'     { newline lexbuf; token lexbuf }
  | "auto"                  { AUTO }
  | "break"                 { BREAK }
  | "case"                  { CASE }
  | "char"                  { CHAR }
  | "__const" | "const"     { CONST }
  | "continue"              { CONTINUE }
  | "default"               { DEFAULT }
  | "do"                    { DO }
  | "double"                { DOUBLE }
  | "else"                  { ELSE }
  | "enum"                  { ENUM }
  | "extern"                { EXTERN }
  | "float"                 { FLOAT }
  | "for"                   { FOR }
  | "goto"                  { GOTO }
  | "if"                    { IF }
  | "int"                   { INT }
  | "long"                  { LONG }
  | "register"              { REGISTER }
  | "return"                { RETURN }
  | "short"                 { SHORT }
  | "signed"                { SIGNED }
  | "sizeof"                { SIZEOF }
  | "static"                { STATIC }
  | "struct"                { STRUCT }
  | "switch"                { SWITCH }
  | "typedef"               { TYPEDEF }
  | "union"                 { UNION }
  | "unsigned"              { UNSIGNED }
  | "void"                  { VOID }
  | "volatile"              { VOLATILE }
  | "while"                 { WHILE }

  (* preprocessor, compiler-dependent extensions, etc. *)
  | "__LINE__"              { let n = lexeme_start_p lexbuf in
			      let s = string_of_int n.pos_lnum in
			      CONSTANT (IntConstant s) }
  | "__FILE__"              { let f = (lexeme_start_p lexbuf).pos_fname in
			      STRING_LITERAL ("\"" ^ f ^ "\"") }
  | "__extension__"         { token lexbuf }
  | "__attribute__"         { ATTRIBUTE }
  | "__restrict"            { RESTRICT }
  | "#" [' ' '\t']* (['0'-'9']+ as num) [' ' '\t']*
        ("\"" ([^ '\010' '\013' '"' ] * as name) "\"")?
        [^ '\010' '\013'] * '\n'
      { update_loc lexbuf name (int_of_string num) true 0;
        token lexbuf }
  | '#' [^'\n']* '\n'       { newline lexbuf; token lexbuf }

  | rL (rL | rD)*       { let s = lexeme lexbuf in
			  if Ctypes.mem s then TYPE_NAME s else IDENTIFIER s }

  | '0'['x''X'] rH+ rIS?
  | '0' rD+ rIS?
  | rD+ rIS?
  | 'L'? "'" [^ '\n' '\'']+ "'"
    { CONSTANT (IntConstant (lexeme lexbuf)) }

  | rD+ rE rFS?
  | rD* '.' rD+ (rE)? rFS?
  | rD+ '.' rD* (rE)? rFS?
  | '0' ['x''X'] rH+ '.'? rH* rP rFS?
  | '0' ['x''X'] rH* '.' rH+ rP rFS?
    { CONSTANT (RealConstant (lexeme lexbuf)) }

  | 'L'? '"' [^ '"']* '"'     { STRING_LITERAL (lexeme lexbuf) }

  | "..."                   { ELLIPSIS }
  | ">>="                   { RIGHT_ASSIGN }
  | "<<="                   { LEFT_ASSIGN }
  | "+="                    { ADD_ASSIGN }
  | "-="                    { SUB_ASSIGN }
  | "*="                    { MUL_ASSIGN }
  | "/="                    { DIV_ASSIGN }
  | "%="                    { MOD_ASSIGN }
  | "&="                    { AND_ASSIGN }
  | "^="                    { XOR_ASSIGN }
  | "|="                    { OR_ASSIGN }
  | ">>"                    { RIGHT_OP }
  | "<<"                    { LEFT_OP }
  | "++"                    { INC_OP }
  | "--"                    { DEC_OP }
  | "->"                    { PTR_OP }
  | "&&"                    { AND_OP }
  | "||"                    { OR_OP }
  | "<="                    { LE_OP }
  | ">="                    { GE_OP }
  | "=="                    { EQ_OP }
  | "!="                    { NE_OP }
  | ";"                     { SEMICOLON }
  | ("{"|"<%")              { LBRACE }
  | ("}"|"%>")              { RBRACE }
  | ","                     { COMMA }
  | ":"                     { COLON }
  | "="                     { EQUAL }
  | "("                     { LPAR }
  | ")"                     { RPAR }
  | ("["|"<:")              { LSQUARE }
  | ("]"|":>")              { RSQUARE }
  | "."                     { DOT }
  | "&"                     { AMP }
  | "!"                     { EXL }
  | "~"                     { TILDE }
  | "-"                     { MINUS }
  | "+"                     { PLUS }
  | "*"                     { STAR }
  | "/"                     { SLASH }
  | "%"                     { PERCENT }
  | "<"                     { LT }
  | ">"                     { GT }
  | "^"                     { HAT }
  | "|"                     { PIPE }
  | "?"                     { QUESTION }

  | eof { EOF }
  | '"' { lex_error lexbuf "Unterminated string" }
  | _   { lex_error lexbuf ("Illegal_character " ^ lexeme lexbuf) }

and comment = parse
  | "*/" { () }
  | eof  { lex_error lexbuf "Unterminated_comment" }
  | '\n' { newline lexbuf; comment lexbuf }
  | _    { comment lexbuf }

and annot = parse
  | "*/" { make_annot (Buffer.contents buf) }
  | eof  { lex_error lexbuf "Unterminated annotation" }
  | '\n' { newline lexbuf; Buffer.add_char buf '\n'; annot lexbuf }
  | _    { Buffer.add_char buf (lexeme_char lexbuf 0); annot lexbuf }

{

  let parse c =
    let lb = from_channel c in
    try
      Cparser.file token lb
    with Parsing.Parse_error ->
      Creport.raise_located (loc lb) (AnyMessage "Syntax error")

}
why-2.34/c/cgraph.ml0000644000175000017500000001672212311670312012645 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Clogic
open Cast

let rec term t =
  match t.term_node with
    | Tconstant _
    | Tstring_literal _ 
    | Tvar _ 
    | Tminint _ 
    | Tmaxint _ ->  []
    | Tapp (f,lt) -> f::(List.fold_left (fun acc x -> term x@acc) []  lt)
    | Tcast (_,t)| Tblock_length t | Tarrlen t | Tstrlen t
    | Toffset t| Tbase_addr t| Tat (t,_)| Told t 
    | Tdot (t,_)  | Tarrow (t,_) | Tunop (_,t) -> term t
    | Tarrget (t1,t2) | Tbinop (t1,_,t2) | Tmin (t1,t2) | Tmax (t1,t2) ->
	(term t1)@(term t2)
    | Tif (t1,t2,t3) -> (term t1)@(term t2)@(term t3)
    | Trange (t,ot1,ot2) -> 
	(term t) @ (begin match ot1,ot2 with
		      | None, None -> []
		      | Some t , None -> term t
		      | None, Some t -> term t
		      | Some t1,Some t2 -> (term t1)@(term t2)
		    end)


let rec predicate p =
  match p.pred_node with
  | Pfalse
  | Ptrue -> []
  | Papp (l,lt) -> l::(List.fold_left (fun acc t -> (term t)@acc) []  lt)
  | Pvalid_index  (t1,t2) | Pfullseparated (t1,t2) | Pseparated (t1,t2) 
  | Pfull_separated (t1,t2) | Prel (t1,_,t2) -> (term t1) @(term t2)
  | Pbound_separated (t1,t2,t3,t4) ->
      (term t1) @(term t2) @(term t3) @(term t4)
  | Pand (p1,p2) | Por (p1,p2)  | Pimplies (p1,p2)| Piff (p1,p2) -> 
      (predicate p1) @(predicate p2)
  | Pold p | Pat (p,_) | Pforall (_,p) | Pexists (_,p)  | Pnamed (_,p)  
  | Pnot p -> predicate p
  | Pif (t,p1,p2) -> (term t) @(predicate p1) @(predicate p2)
  | Pfresh t | Pvalid t -> term t
  | Pvalid_range (t1,t2,t3) -> (term t1) @(term t2) @(term t3)

let spec s = 
  begin
  match s.requires with
    | None -> []
    | Some p -> 
	predicate p
  end @
  begin
  match s.assigns with
    | None -> []
    | Some (_, l) -> List.fold_left (fun acc t -> (term t) @acc)  [] l
  end @
  begin
    match s.ensures with
      | None -> []
      | Some p -> predicate p
  end @
  begin
    match s.decreases with
      | None -> []
      | Some (t,_) -> term t
  end

let loop_annot la =
  begin
    match la.invariant with
    | None -> []
    | Some p -> predicate p
  end @
  begin
  match la.loop_assigns with
    | None -> []
    | Some (_,l) -> List.fold_left (fun acc t -> (term t) @acc)  [] l
  end @
  begin
    match la.variant with
      | None -> []
      | Some (t,_) -> term t
  end 

let rec expr e =
  match e.texpr_node with 
    | TEnop -> []
    | TEconstant _ -> []
    | TEstring_literal _ -> []
    | TEvar (Info.Fun_info f ) -> [f]    
    | TEvar (Info.Var_info _f ) -> []
    | TEdot (e, _) -> expr e
    | TEarrow (e, _) -> expr e
    | TEarrget (e1, e2) -> (expr e1)@(expr e2)
    | TEseq (e1, e2) -> (expr e1)@(expr e2)
    | TEassign (e1, e2) -> (expr e1)@(expr e2)
    | TEassign_op(e1, _, e2) -> (expr e1)@(expr e2)
    | TEunary (_, e) -> expr e
    | TEincr (_, e) -> expr e
    | TEbinary (e1, _, e2) -> (expr e1)@(expr e2)
    | TEcall (e, le) -> (expr e)@
	(List.fold_left (fun acc x -> (expr x)@acc) [] le)
    | TEcond (e1, e2 ,e3) -> (expr e1)@(expr e2)@(expr e3)
    | TEcast (_, e) | TEmalloc (_, e) -> expr e
    | TEsizeof _ -> []

let rec statement s = 
  match s.st_node with  
    | TSnop -> [],[]
    | TSexpr e -> expr e,[]
    | TSif (e, s1, s2) ->
	let (a1,b1) = statement s1 in	
	let (a2,b2) = statement s2 in
	(expr e)@a1@a2,b1@b2  
    | TSwhile (sp,e,s)     | TSdowhile (sp,s,e) -> 
	let (a,b) = statement s in
	(expr e)@a,b@(loop_annot sp)
    | TSfor (sp, e1, e2, e3, s) ->
 	let (a,b) = statement s in
	(expr e1)@(expr e2)@(expr e3)@a,b@(loop_annot sp)
    | TSblock (_, sl) -> 
	List.fold_left 
	  (fun (acc1,acc2) x -> 
	     let (a,b) = statement x in
	     a@acc1,b@acc2) ([],[]) sl 
    | TSreturn (Some e) -> (expr e),[]
    | TSreturn None | TSbreak | TScontinue -> [],[]
    | TSlabel (_, s) -> statement s
    | TSswitch (e, s)     | TScase  (e, s)-> 
 	let (a,b) = statement s in
	(expr e)@a,b
    | TSdefault s -> statement s
    | TSgoto _ -> [] ,[]
    | TSassert _ | TSassume _ -> [],[]
    | TSlogic_label _ -> [],[]
    | TSspec (sp, s) -> 
	let (a,b) = statement s in
	a,(spec sp) @b
    | TSset _ -> [],[]


let make_graph e = 
  match e with    
  | Tfundef (_s, _t, f, st) -> 
      let (a,_b) = statement st in
      f.Info.graph <- a;
      (*f.Info.logic_calls <- (spec s)@b *)
  | _ -> ()

      
let file  = List.iter (fun d -> make_graph d.node) 

open Info




module G = struct 
  type t = (string*Cast.tfile) list
  module V = struct
    type t = fun_info
    let compare f1 f2 = Pervasives.compare f1.fun_tag f2.fun_tag
    let hash f = f.fun_tag 
    let equal f1 f2 = f1.fun_tag == f2.fun_tag
  end
  let iter_vertex iter _files =
    (*let iter_fun  e = 
      match e with    
	| Tfundef (s, t, f, _)  -> iter f
	| _ -> () in*)
      Cenv.iter_sym 
	(fun _n x -> match x with
	   | Var_info _ -> () 
	   | Fun_info f -> iter f) 
    (*List.iter (fun (_,file) ->List.iter (fun d -> iter_fun d.node) file) files*)
  let iter_succ iter _ f =
    List.iter iter f.graph 
  end

module SCC = Graph.Components.Make(G)

let find_comp tfiles =
  let tab_comp = SCC.scc_array tfiles in
  Coptions.lprintf "Call graph by components: @.";
  Array.iteri (fun i l -> Coptions.lprintf "%d: " i;
		 List.iter (fun f -> Coptions.lprintf "%s " f.fun_name) l;
		 Coptions.lprintf "@.")
    tab_comp;
  tab_comp


(*
Local Variables: 
compile-command: "make -j -C .. bin/caduceus.byte"
End: 
*)
why-2.34/c/ctypes.ml0000644000175000017500000001242212311670312012701 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format
open Coptions
open Lib


type storage_class = No_storage | Extern | Auto | Static | Register

type sign = Signed | Unsigned

type cinteger = 
  | Char | Short | Int | Long | LongLong | Bitfield of int64
  | ExactInt

type cfloat = Float | Double | LongDouble | Real

type valid = Valid of int64 * int64 | Not_valid 

type ctype_node =
  | Tvoid
  | Tint of (sign * cinteger)
  | Tfloat of cfloat
  | Tvar of string
  | Tarray of valid * ctype * int64 option
  | Tpointer of valid * ctype
  | Tstruct of string 
  | Tunion of string 
  | Tenum of string 
  | Tfun of ctype list * ctype

and ctype = { 
  ctype_node : ctype_node;
  ctype_storage : storage_class;
  ctype_const : bool;
  ctype_volatile : bool;
  ctype_ghost : bool;
}

let noattr tyn = { ctype_node = tyn; 
		   ctype_storage = No_storage;
		   ctype_const = false;
		   ctype_volatile = false; 
		   ctype_ghost = false;
		 }
let c_void = noattr Tvoid
let c_int = noattr (Tint (Signed, Int))
let c_exact_int = noattr (Tint (Signed, ExactInt))
let c_char = noattr (Tint (Unsigned, Char))
let c_float fk = noattr (Tfloat fk)
let c_string valid = noattr (Tpointer(valid, c_char))
let c_array valid ty = noattr (Tarray (valid,ty,None))
let c_array_size valid ty n = noattr (Tarray (valid,ty,Some n))
let c_pointer valid ty = noattr (Tpointer(valid, ty))
let c_void_star valid = c_pointer valid c_void
let c_real = noattr (Tfloat Real)
let c_addr = noattr (Tvar "addr")


let stack = ref [ref Sset.empty]

let add s = match !stack with
  | m :: _ -> 
      if debug then eprintf "Ctypes.add %s@." s; 
      m := Sset.add s !m
  | [] -> assert false

let _ = add "__builtin_va_list"

let remove s = match !stack with
  | m :: _ -> 
      if debug then eprintf "Ctypes.remove %s@." s; 
      m := Sset.remove s !m
  | [] -> assert false

let mem s = match !stack with
  | m :: _ -> Sset.mem s !m
  | [] -> assert false

let push () = match !stack with
  | (m :: _) as s -> stack := ref !m :: s
  | [] -> assert false

let pop () = match !stack with
  | _ :: s -> stack := s
  | [] -> assert false

let rec ctype fmt ty =
  (if ty.ctype_ghost then fprintf fmt "ghost "else ());
  (if ty.ctype_const then fprintf fmt "const "else ());
  ctype_node fmt ty.ctype_node

and ctype_node fmt = function
  | Tvoid -> fprintf fmt "void"
  | Tint _ -> fprintf fmt "int"
  | Tfloat _ -> fprintf fmt "float"
  | Tvar s -> fprintf fmt "%s" s
  | Tarray (_,ty, None) -> fprintf fmt "%a[]" ctype ty
  | Tarray (_,ty, Some n) -> fprintf fmt "%a[%Ld]" ctype ty n
  | Tpointer (_,ty) -> fprintf fmt "%a*" ctype ty
  | Tstruct s -> fprintf fmt "struct %s" s
  | Tunion s -> fprintf fmt "union %s" s
  | Tenum s -> fprintf fmt "enum %s" s
  | Tfun _ -> fprintf fmt ""

let is_pointer ty = 
  match ty.ctype_node with
    | Tarray _ | Tpointer _ -> true
    | _ -> false


let float_constant_type ~in_logic s =
  let n = String.length s in
  assert (n >= 1);
  match s.[n-1] with
    | 'f' | 'F' -> String.sub s 0 (n-1), Float
    | 'l' | 'L' -> String.sub s 0 (n-1), LongDouble
    | _ -> s, if in_logic then Real else Double

why-2.34/c/coptions.mli0000644000175000017500000000745712311670312013415 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s environment variables *)

val libdir : string
val whylib : string
val libfile : string (* depends on the command-line option --arith-mem *)

(*s command-line options *)

val zones : bool
val show_time : bool
val no_zone_type : bool
val parse_only : bool
val type_only : bool
val print_norm : bool
val print_graph : bool
val debug : bool
val verbose : bool
val werror : bool
val with_cpp : bool
val cpp_command : string
val cpp_dump : bool
val why_opt : unit -> string
val coq_tactic : string
val separate : bool
val closed_program : bool
val local_aliasing : bool
val no_alloc_table : bool
val arith_memory_model : bool
val abstract_interp : bool
val gen_invariant : bool
val absint_as_proof : bool

val use_floats : bool ref
val floats : bool
type fp_rounding_mode = 
  | RM_nearest_even | RM_to_zero | RM_up | RM_down | RM_nearest_away 
  | RM_dynamic
val fp_rounding_mode : fp_rounding_mode ref
val dft_fp_rounding_mode : fp_rounding_mode
val fp_overflow_check : bool

type int_model = IMexact | IMbounded | IMmodulo
val int_model : int_model
val machine_ints : bool

val enum_check : bool

val char_size : int
val short_size : int
val int_size : int
val long_size : int
val long_long_size : int

val files : unit -> string list 

val verify : string -> bool

(*s The log file *)

val log : Format.formatter
val lprintf : ('a, Format.formatter, unit) format -> 'a
val close_log : unit -> unit

type evaluation_order_t =
    { binary_left_to_right : bool;
      assign_left_to_right : bool;
      call_left_to_right : bool }

val evaluation_order : evaluation_order_t
why-2.34/c/clparser.mly0000644000175000017500000003620212311670312013400 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Grammar for C annotations */

%{
  open Ctypes
  open Cast
  open Clogic

  let loc () = (Loc.reloc (symbol_start_pos ()), Loc.reloc (symbol_end_pos ()))
  let loc_i i = (Loc.reloc (rhs_start_pos i), Loc.reloc (rhs_end_pos i))
  let info x = { Clogic.lexpr_node = x; lexpr_loc = loc () }

  type ghost_decl =
    | Dsimple 
    | Darray of ghost_decl * lexpr option

  let rec expr_of_lexpr e =
    match e.lexpr_node with
      | PLconstant c -> 
	  { Cast.node = Cast.CEconstant c ; Cast.loc = e.lexpr_loc }
      | _ -> Creport.error e.lexpr_loc "not a constant"

  let option_app f = function None -> None | Some x -> Some (f x)

  let rec ghost_type ty gd =
    match gd with
      | Dsimple -> ty
      | Darray(gd,size) -> 
	    Cast_misc.noattr 
	      (Cast.CTarray (ghost_type ty gd, option_app expr_of_lexpr size))

  let ghost ty (id,gd,cinit) =
    let gty = ghost_type ty gd in
    LDghost(gty,id,cinit)
    
    
%}

%token  IDENTIFIER STRING_LITERAL TYPENAME
%token  CONSTANT
%token LPAR RPAR IF ELSE COLON COLONCOLON DOT DOTDOT AMP TILDE
%token INT INTEGER FLOAT REAL LT GT LE GE EQ NE COMMA ARROW EQUAL LTLT GTGT
%token FORALL EXISTS IFF IMPLIES AND OR NOT BAR ABS SQRT HATHAT HAT
%token TRUE FALSE OLD AT RESULT BLOCK_LENGTH ARRLEN STRLEN BASE_ADDR OFFSET
%token SEPARATED BOUND_SEPARATED FULL_SEPARATED FULLSEPARATED 
%token VALID VALID_INDEX VALID_RANGE FRESH THEN AT
%token QUESTION MINUS PLUS STAR AMP SLASH PERCENT LSQUARE RSQUARE EOF
%token INVARIANT VARIANT DECREASES FOR LABEL ASSERT ASSUME SEMICOLON NULL
%token REQUIRES ENSURES ASSIGNS LOOP_ASSIGNS NOTHING 
%token READS LOGIC PREDICATE AXIOM LBRACE RBRACE GHOST SET
%token VOID CHAR SIGNED UNSIGNED SHORT LONG DOUBLE STRUCT ENUM UNION TYPE
%token ROUNDERROR TOTALERROR EXACT MODEL MIN MAX MININT MAXINT

%right prec_named
%nonassoc prec_forall prec_exists
%right IFF
%right IMPLIES
%left OR
%left AND
%nonassoc prec_not
%nonassoc prec_if
%right QUESTION prec_question
%left prec_relation LT GT LE GE EQ NE
%left BAR
%left HAT
%left prec_bamp
%left LTLT GTGT
%left PLUS MINUS
%left STAR SLASH PERCENT AMP TILDE
%right HATHAT
%right prec_uminus 
%right prec_abs
%right prec_cast
%left DOT ARROW LSQUARE
%right prec_par 

%type  annot
%start annot

%%

lexpr:
  /* predicates */
  lexpr IMPLIES lexpr { info (PLimplies ($1, $3)) }
| lexpr IFF lexpr { info (PLiff ($1, $3)) }
| lexpr OR lexpr     { info (PLor ($1, $3)) }
| lexpr AND lexpr    { info (PLand ($1, $3)) }
| NOT lexpr %prec prec_not { info (PLnot $2) }
| TRUE { info PLtrue }
| FALSE { info PLfalse }
| lexpr relation lexpr %prec prec_relation { info (PLrel ($1, $2, $3)) }
| IF lexpr THEN lexpr ELSE lexpr %prec prec_if
      { info (PLif ($2, $4, $6)) }
| FORALL ne_parameters SEMICOLON lexpr %prec prec_forall
      { info (PLforall ($2, $4)) }
| EXISTS ne_parameters SEMICOLON lexpr %prec prec_exists
      { info (PLexists ($2, $4)) }
| SEPARATED LPAR lexpr COMMA lexpr RPAR { info (PLseparated ($3,$5)) }
| BOUND_SEPARATED LPAR lexpr COMMA lexpr COMMA lexpr COMMA lexpr RPAR 
      { info (PLbound_separated ($3,$5,$7,$9)) }
| FULL_SEPARATED LPAR lexpr COMMA lexpr RPAR 
      { info (PLfull_separated ($3,$5)) }
| FULLSEPARATED LPAR lexpr COMMA lexpr RPAR { info (PLfullseparated ($3,$5)) }
| VALID LPAR lexpr RPAR { info (PLvalid ($3)) }
| VALID_INDEX LPAR lexpr COMMA lexpr RPAR { info (PLvalid_index ($3,$5)) }
| VALID_RANGE LPAR lexpr COMMA lexpr COMMA lexpr RPAR 
      { info (PLvalid_range ($3,$5,$7)) }
| FRESH LPAR lexpr RPAR { info (PLfresh ($3)) }
/* terms */
| NULL { info PLnull } 
| CONSTANT { info (PLconstant $1) }
| lexpr PLUS lexpr { info (PLbinop ($1, Badd, $3)) }
| lexpr MINUS lexpr { info (PLbinop ($1, Bsub, $3)) }
| lexpr STAR lexpr { info (PLbinop ($1, Bmul, $3)) }
| lexpr SLASH lexpr { info (PLbinop ($1, Bdiv, $3)) }
| lexpr PERCENT lexpr { info (PLbinop ($1, Bmod, $3)) }
| lexpr BAR lexpr { info (PLbinop ($1, Bbw_or, $3)) }
| lexpr HAT lexpr { info (PLbinop ($1, Bbw_xor, $3)) }
| lexpr AMP lexpr %prec prec_bamp { info (PLbinop ($1, Bbw_and, $3)) }
| lexpr LTLT lexpr { info (PLbinop ($1, Bshift_left, $3)) }
| lexpr GTGT lexpr { info (PLbinop ($1, Bshift_right, $3)) }
| lexpr ARROW IDENTIFIER { info (PLarrow ($1, $3)) }
| lexpr DOT IDENTIFIER { info (PLdot ($1, $3)) }
| lexpr LSQUARE lexpr RSQUARE { info (PLarrget ($1, $3)) }
| lexpr LSQUARE lexpr_option DOTDOT lexpr_option RSQUARE    
   { info (PLrange ($1, $3, $5)) }
| MINUS lexpr %prec prec_uminus { info (PLunop (Uminus, $2)) }
| BAR lexpr BAR %prec prec_abs { info (PLunop (Uabs_real, $2)) }
| ABS LPAR lexpr RPAR { info (PLunop (Uabs_real, $3)) }
| SQRT LPAR lexpr RPAR { info (PLunop (Usqrt_real, $3)) }
| ROUNDERROR LPAR lexpr RPAR { info (PLunop (Uround_error, $3)) }
| TOTALERROR LPAR lexpr RPAR { info (PLunop (Utotal_error, $3)) }
| EXACT LPAR lexpr RPAR { info (PLunop (Uexact, $3)) }
| MODEL LPAR lexpr RPAR { info (PLunop (Umodel, $3)) }
| lexpr HATHAT lexpr { info (PLbinop ($1, Bpow_real, $3)) }
| PLUS lexpr %prec prec_uminus { $2 }
| STAR lexpr { info (PLunop (Ustar, $2)) }
| AMP lexpr { info (PLunop (Uamp, $2)) }
| TILDE lexpr { info (PLunop (Utilde, $2)) }
| lexpr QUESTION lexpr COLON lexpr %prec prec_question 
    { info (PLif ($1, $3, $5)) }
| OLD LPAR lexpr RPAR { info (PLold $3) }
| AT LPAR lexpr COMMA IDENTIFIER RPAR { info (PLat ($3, $5)) }
| BASE_ADDR LPAR lexpr RPAR { info (PLbase_addr $3) }
| OFFSET LPAR lexpr RPAR { info (PLoffset $3) }
| BLOCK_LENGTH LPAR lexpr RPAR { info (PLblock_length $3) }
| ARRLEN LPAR lexpr RPAR { info (PLarrlen $3) }
| STRLEN LPAR lexpr RPAR { info (PLstrlen $3) }
| MIN LPAR lexpr COMMA lexpr RPAR { info (PLmin ($3, $5)) }
| MAX LPAR lexpr COMMA lexpr RPAR { info (PLmax ($3, $5)) }
| MININT LPAR logic_type RPAR { info (PLminint $3) }
| MAXINT LPAR logic_type RPAR { info (PLmaxint $3) }
| RESULT { info PLresult }
/* both terms and predicates */
| LPAR lexpr RPAR %prec prec_par { $2 }
| IDENTIFIER
    { info (PLvar (Info.default_var_info $1)) }
| IDENTIFIER label_parameters LPAR lexpr_list RPAR 
    { info (PLapp (Info.default_logic_info $1, $4)) }
/* Cast. TODO: (identifier *) lexpr needs TYPENAME (see below) */
| LPAR logic_type_not_id RPAR lexpr %prec prec_cast { info (PLcast ($2, $4)) }
| LPAR lexpr RPAR lexpr %prec prec_cast
    { match $2.lexpr_node with
	| PLvar x -> info (PLcast (LTvar x.Info.var_name, $4))
	| _ -> raise Parse_error }
| IDENTIFIER COLONCOLON lexpr %prec prec_named
    { info (PLnamed ($1, $3)) }
;

lexpr_option:
| /* epsilon */ { None }
| lexpr         { Some $1 }
;

logic_type:
  IDENTIFIER { LTvar $1 }
| IDENTIFIER stars { $2 (LTvar $1) }
| logic_type_not_id { $1 }
;

logic_type_not_id:
| VOID           { LTvoid }
| CHAR           { LTchar true }       /** [char] */
| SIGNED CHAR    { LTchar true }      /** [signed char] */
| UNSIGNED CHAR  { LTchar false }      /** [unsigned char] */
| SIGNED INT     { LTint true }        /** [int] */
| INT            { LTint true }        /** [int] */
| UNSIGNED INT   { LTint false }       /** [unsigned int] */
| SIGNED SHORT   { LTshort true }      /** [short] */
| SHORT          { LTshort true }      /** [short] */
| UNSIGNED SHORT { LTshort false }     /** [unsigned short] */
| SIGNED LONG    { LTlong true }       /** [long] */
| LONG           { LTlong true }       /** [long] */
| UNSIGNED LONG  { LTlong false }      /** [unsigned long] */
| SIGNED LONG LONG { LTlonglong true }   /** [long long] (or [_int64] on 
					   Microsoft Visual C) */
| LONG LONG   { LTlonglong true }   /** [long long] (or [_int64] on 
					   Microsoft Visual C) */
| UNSIGNED LONG LONG { LTlonglong false }  /** [unsigned long long] 
                                (or [unsigned _int64] on Microsoft Visual C) */
| INTEGER     { LTinteger }
| FLOAT       { LTfloat }
| DOUBLE      { LTdouble }
| LONG DOUBLE { LTlongdouble }
| REAL        { LTreal }
/***
| STRUCT IDENTIFIER { LTstruct $2 }
| ENUM IDENTIFIER { LTenum $2 }
| UNION IDENTIFIER { LTunion $2 }
***/
| TYPENAME         { LTvar $1 } /* TODO: Logic_lexer should make it */
| logic_type_not_id STAR { LTpointer $1 }
;

stars:
  STAR { fun t -> LTpointer t }
| stars STAR { fun t -> $1 (LTpointer t) }
;

relation:
  | LT    { Lt } 
  | GT    { Gt }
  | LE    { Le }
  | GE    { Ge }
  | EQ    { Eq }
  | NE    { Neq }
;

lexpr_list:
| /* epsilon */ { [] }
| ne_lexpr_list  { $1 }
;

ne_lexpr_list:
| lexpr                    { [$1] }
| lexpr COMMA ne_lexpr_list { $1 :: $3 }
;

pre_condition:
  /* epsilon */ { None }
| REQUIRES lexpr { Some $2 }
;

post_condition:
  /* epsilon */  { None }
| ENSURES lexpr { Some $2 }
;

spec:
  pre_condition effects post_condition decreases 
    { { requires = $1; assigns = $2; ensures = $3; decreases = $4 } }
;

loop_annot:
  invariant loop_effects variant 
    { { invariant = Some $1; assume_invariant = None; 
        loop_assigns = $2; variant = Some $3 } }
| loop_effects variant 
    { { invariant = None; assume_invariant = None; 
        loop_assigns = $1; variant = Some $2 } }
| invariant loop_effects 
    { { invariant = Some $1; assume_invariant = None; 
        loop_assigns = $2; variant = None } }
| ne_loop_effects 
    { { invariant = None; assume_invariant = None; 
        loop_assigns = Some $1; variant = None } }
;

invariant:
| INVARIANT lexpr { $2 }
;

variant:
  VARIANT lexpr FOR IDENTIFIER { ($2, Some $4) }
| VARIANT lexpr                { ($2, None) }
;

decreases:
  /* epsilon */   { None }
| DECREASES variant { Some $2 }
;

annot: 
  annotation EOF   { $1 }
;

annotation:
| decl             { Adecl [$1] }
| ghost_decl       { Adecl $1 }
| spec             { Aspec $1 }
| loop_annot       { Aloop_annot $1 }
| ASSERT lexpr   { Acode_annot (Assert $2) }
| ASSUME lexpr   { Acode_annot (Assume $2) }
| LABEL IDENTIFIER { Acode_annot (Label $2) }
| SET ghost_lvalue EQUAL lexpr 
                   { Acode_annot(GhostSet($2,$4)) }
;

ghost_lvalue: lexpr { $1 }
;

effects:
  /* epsilon */ { None }
| ASSIGNS locations { Some (loc_i 2, $2) }
| ASSIGNS NOTHING { Some (loc_i 2, []) }
;

loop_effects:
  /* epsilon */ { None }
| ne_loop_effects { Some $1 }
;

ne_loop_effects:
| LOOP_ASSIGNS locations { loc_i 2, $2 }
| LOOP_ASSIGNS NOTHING { loc_i 2, [] }
;

locations:
| location { [$1] }
| location COMMA locations { $1 :: $3 }
;

location:
  lexpr { $1 }
;

label_parameters:
| /* epsilon */ { [] }
| LBRACE IDENTIFIER label_list_end RBRACE { $2::$3 }
;

label_list_end:
| /* epsilon */ { [] }
| COMMA IDENTIFIER label_list_end { $2::$3 }
;
 

decl:
  LOGIC logic_type IDENTIFIER label_parameters LPAR parameters RPAR 
    { LDlogic (Info.default_logic_info $3, $2, $4, $6, []) }
| LOGIC logic_type IDENTIFIER label_parameters LPAR parameters RPAR READS locations 
    { LDlogic (Info.default_logic_info $3, $2, $4, $6, $9) }
| LOGIC logic_type IDENTIFIER label_parameters LPAR parameters RPAR LBRACE lexpr RBRACE 
    { LDlogic_def (Info.default_logic_info $3, $2, $4, $6, $9) }
| PREDICATE IDENTIFIER label_parameters LPAR parameters RPAR 
    { LDpredicate_reads (Info.default_logic_info $2, $5, []) }
| PREDICATE IDENTIFIER label_parameters LPAR parameters RPAR READS locations 
    { LDpredicate_reads (Info.default_logic_info $2, $5, $8) }
| PREDICATE IDENTIFIER label_parameters LPAR parameters RPAR LBRACE lexpr RBRACE 
    { LDpredicate_def (Info.default_logic_info $2, $5, $8) }
| AXIOM IDENTIFIER label_parameters COLON lexpr { LDaxiom ($2, $5) }
| INVARIANT IDENTIFIER COLON lexpr { LDinvariant ($2,$4) }
| TYPE IDENTIFIER { LDtype ($2, loc_i 2) }
;

ghost_decl:
| GHOST type_specifier init_declarator_list 
      { List.map (ghost $2) $3 }
;

type_specifier:
| CHAR { Cast_misc.noattr (CTint (Unsigned, Char)) }
| INT { Cast_misc.noattr (CTint (Signed, Int)) }
| FLOAT { Cast_misc.noattr (CTfloat Float) }
| DOUBLE { Cast_misc.noattr (CTfloat Double) }
| IDENTIFIER { Cast_misc.noattr (CTvar $1) }
;

parameters:
  /* epsilon */  { [] }
| ne_parameters { $1 }
;

ne_parameters:
  parameter { [$1] }
| parameter COMMA ne_parameters { $1 :: $3 }
;

parameter:
  logic_type IDENTIFIER { ($1, $2) }
| logic_type IDENTIFIER LSQUARE RSQUARE { (LTarray $1, $2) }
;


/* ghost variables */

init_declarator_list
        : init_declarator { [$1] }
        | init_declarator_list COMMA init_declarator { $1 @ [$3] }
        ;

init_declarator
        : declarator 
            { let (id,d) = $1 in (id,d, None) }
        | declarator EQUAL c_initializer 
	    { let (id,d) = $1 in (id,d, Some $3) }
        ;

declarator
        : /*TODO pointer direct_declarator { let id,d = $2 in id, $1 d }
        | */direct_declarator { $1 }
        ;

direct_declarator
        : IDENTIFIER
            { $1, Dsimple }
        | direct_declarator LSQUARE lexpr RSQUARE 
	    { let id,d = $1 in id, Darray (d, Some $3) }
        | direct_declarator LSQUARE RSQUARE 
	    { let id,d = $1 in id, Darray (d, None) }
        ;

c_initializer
        : lexpr { Iexpr $1 }
        | LBRACE c_initializer_list RBRACE { Ilist $2 }
        | LBRACE c_initializer_list COMMA RBRACE { Ilist $2 }
        ;

c_initializer_list
        : c_initializer { [$1] }
        | c_initializer_list COMMA c_initializer { $1 @ [$3] }
        ;

%%
why-2.34/c/cltyping.ml0000644000175000017500000007074412311670312013236 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Coptions
open Format
open Cast
open Clogic
open Creport
open Cerror
open Cenv
open Ctypes

let rec eval_const_term_noerror (e : tterm) = match e.term_node with
  | Clogic.Tconstant (RealConstant c | IntConstant c) -> 
      Cconst.int e.term_loc c
  | Clogic.Tvar v ->
      if e.term_type.Ctypes.ctype_const 
      then v.Info.enum_constant_value
      else invalid_arg "not a const variable"
  | Tunop (Uplus,t) -> eval_const_term_noerror t  
  | Tunop (Uminus,t) -> Int64.neg (eval_const_term_noerror t)
  | Tbinop (t1,Badd,t2) ->  
      Int64.add (eval_const_term_noerror t1)  (eval_const_term_noerror t2)
  | Tbinop (t1,Bsub,t2) ->  
      Int64.sub (eval_const_term_noerror t1)  (eval_const_term_noerror t2)
  | Tbinop (t1,Bmul,t2) ->  
      Int64.mul (eval_const_term_noerror t1)  (eval_const_term_noerror t2)
  | Tbinop (t1,Bdiv,t2) ->  
      Int64.div (eval_const_term_noerror t1)  (eval_const_term_noerror t2)
  | _ -> invalid_arg "not a constant expression"

let option_app f = function Some x -> Some (f x) | None -> None

let sign = function true -> Signed | false -> Unsigned

let retype_typedef = function
  | Tint _ when not machine_ints -> Tint (Signed, ExactInt)
  | tn -> tn

let rec type_logic_type ?(machine_ints=machine_ints) loc env = function
  | LTvoid -> c_void
  | LTchar _ | LTshort _ | LTint _ | LTlong _ | LTlonglong _ 
    when not machine_ints ->
      c_exact_int
  | LTchar s -> noattr (Tint (sign s, Char))
  | LTshort s -> noattr (Tint (sign s, Short))
  | LTint s -> noattr (Tint (sign s, Int))
  | LTlong s -> noattr (Tint (sign s, Long))
  | LTlonglong s -> noattr (Tint (sign s, LongLong))
  | LTinteger -> c_exact_int
  | LTfloat -> use_floats := true; c_float Ctypes.Float
  | LTdouble -> use_floats := true; c_float Ctypes.Double
  | LTlongdouble -> use_floats := true; c_float Ctypes.LongDouble
  | LTreal -> c_real
  | LTarray ty -> 
      c_array Not_valid (type_logic_type ~machine_ints loc env ty)
  | LTpointer ty -> 
      c_pointer Not_valid (type_logic_type ~machine_ints loc env ty)
  | LTvar id ->  
      noattr 
	(try 
	   retype_typedef (find_typedef id).ctype_node 
	 with Not_found -> 
	   if not (Cenv.mem_type id) then error loc "unbound type"; 
	   Tvar id )

(* Typing terms *)

let rec is_null t = match t.term_node with
  | Clogic.Tvar v -> v.Info.var_name = "null"
  | Tconstant (IntConstant s) -> (try int_of_string s = 0 with _ -> false)
  | Tcast (_,t) -> is_null t
  | _ -> false

(*
let compatible t1 t2 = 
  sub_type t1.term_type t2.term_type || 
  sub_type t2.term_type t1.term_type ||
  (pointer_or_array_type t1.term_type && is_null t2) ||
  (pointer_or_array_type t2.term_type && is_null t1)
*)
let compatible_term_type t ty = 
  sub_type t.term_type ty || 
  sub_type ty t.term_type ||
  (pointer_or_array_type ty && is_null t)

let expected_type loc t1 t2 =
  if not (eq_type t1 t2) then raise_located loc (ExpectedType (t1, t2))

let expected_term_type loc t1 t2 =
  if not (compatible_term_type t1 t2) 
  then raise_located loc (ExpectedType (t1.term_type, t2))

let expected_num loc t = match t.term_type.ctype_node with
  | Tenum _ | Tint _ | Tfloat _ -> ()
  | _ -> error loc "invalid operand (expected integer or float)"

let expected_num_pointer loc t = match t.term_type.ctype_node with
  | Tenum _ | Tint _ | Tfloat _
  | Tarray _ | Tpointer _ -> ()
  | _ -> 
      Format.eprintf "type = %a@." print_type t.term_type;
      error loc "invalid operand (expected integer, float or pointer)"

let expected_int loc t = match t.term_type.ctype_node with
  | Tenum _ | Tint _ -> ()
  | _ -> error loc "invalid operand (expected integer)"

let coerce ty e = match e.term_type.ctype_node, ty.ctype_node with
  | (Tint _ | Tenum _), Tfloat _ -> 
      { e with term_node = Tunop (Ufloat_of_int, e); term_type = ty }
  | Tfloat _, (Tint _ | Tenum _) ->
      { e with term_node = Tunop (Uint_of_float, e); term_type = ty }
  | Tfloat fk1, Tfloat fk2 when fk1 <> fk2 ->
      { e with term_node = Tunop (Ufloat_conversion, e); term_type = ty }
  | (Tint _ | Tenum _ as ty1), (Tint _ | Tenum _ as ty2) when ty1 <> ty2 ->
      { e with term_node = Tunop (Uint_conversion, e); term_type = ty }
  | ty1, ty2 when eq_type_node ty1 ty2 ->
      e
  | Tpointer (_,{ ctype_node = Tvoid }), Tpointer _ ->
      e
  | _ ->
      if verbose || debug then eprintf 
	"expected %a, found %a@." print_type ty print_type e.term_type;
      error e.term_loc "incompatible type"

(* convert [t1] and [t2] to the same arithmetic type *)
let arith_conversion t1 t2 =
  let ty1 = t1.term_type in
  let ty2 = t2.term_type in
  match ty1.ctype_node, ty2.ctype_node with
    | (Tint _ | Tenum _), (Tint _ | Tenum _) -> 
	coerce c_exact_int t1, coerce c_exact_int t2, c_exact_int
    | Tfloat _, (Tint _ | Tenum _) 
    | (Tint _ | Tenum _), Tfloat _ 
    | Tfloat _, Tfloat _ ->
	coerce c_real t1, coerce c_real t2, c_real
    | _ -> 
	assert false

(* Typing terms *)

open Info

let set_referenced t = match t.term_node with
  | Clogic.Tvar x -> set_is_referenced x
  | Tdot (_,f) | Tarrow(_,f) -> set_is_referenced f
  | _ -> ()


let rec type_term env t =
  let t', ty = type_term_node t.lexpr_loc env t.lexpr_node in
  { term_node = t'; term_loc = t.lexpr_loc; term_type = ty}

and type_term_node loc env = function
  | PLconstant (IntConstant _ as c) -> 
      Tconstant c, c_exact_int
  | PLconstant (RealConstant s) ->
      use_floats := true;
      let s,fk = float_constant_type ~in_logic:true s in
      begin match fk with
	| Ctypes.Real -> Tconstant (RealConstant s), c_real
	| _ ->
	    Tunop (Ufloat_conversion,
		     { term_node = Tconstant (RealConstant s);
		       term_loc = loc; term_type = c_real }), 
	    c_float fk	      
      end
  | PLvar x ->
      let info = 
	try Env.find x.var_name env with Not_found -> 
	  try (Var_info (find_ghost x.var_name)) with Not_found -> 
	    try find_sym x.var_name with Not_found -> 
              error loc "unbound logic variable %s " x.var_name
      in 
      begin match info with
	| Var_info v -> Clogic.Tvar v, v.var_type
	| Fun_info f -> 
            error loc "variable %s is a function" f.fun_name
      end
  | PLapp (f, [t]) when f.logic_name = "sqrt" ->
      let t = type_real_term env t in
      Tunop (Usqrt_real, t), c_real
  | PLapp (f, tl) ->
      (try 
	 let pl, ty, info = find_logic f.logic_name in
	 let tl = type_terms loc env pl tl in
	 Tapp (info, tl), ty
       with Not_found -> 
	 error loc "unbound function %s" f.logic_name)
  | PLunop (Utilde, t) -> 
      let t = type_int_term env t in
      Tunop (Utilde, t), t.term_type
  | PLunop (Uminus, t) -> 
      let t = type_num_term env t in
      begin match t.term_type.ctype_node with
	| Tenum _ | Tint _ -> Tunop (Uminus, coerce c_exact_int t), c_exact_int
	| Tfloat _ -> Tunop (Uminus, coerce c_real t), c_real
	| _ -> assert false
      end  
  | PLunop (Uplus, t) -> 
      let t = type_num_term env t in
      begin match t.term_type.ctype_node with
	| Tenum _ | Tint _ -> Tunop (Uplus, coerce c_exact_int t), c_exact_int
	| Tfloat _ -> Tunop (Uplus, coerce c_real t), c_real
	| _ -> assert false
      end
  | PLunop (Uabs_real | Usqrt_real as op, t) -> 
      let t = type_real_term env t in
      Tunop (op, t), c_real
  | PLunop (Ustar, t) -> 
      let t = type_term env t in
      begin match t.term_type.ctype_node with
	| Tpointer (_,ty) | Tarray (_,ty,_) -> 
	    Tunop (Ustar, t), ty
	| _ -> error loc "invalid type argument of `unary *'"
      end
  | PLunop (Uamp, t) -> 
      let t = type_term env t in
      set_referenced t;
      Tunop (Uamp, t), noattr (Tpointer(Valid(Int64.zero,Int64.one), t.term_type))   
  | PLnot t -> 
      let t = type_term env t in
      Tunop (Unot, t), t.term_type   
  | PLunop (Uround_error | Utotal_error | Uexact | Umodel as op, t) ->
      let t = type_float_term env t in
      Tunop (op, t), c_real
  | PLunop ((Ufloat_of_int | Uint_of_float | 
	     Ufloat_conversion | Uint_conversion | Unot), _) ->
      assert false
  | PLbinop (t1, Badd, t2) ->
      let t1 = type_term env t1 in
      let ty1 = t1.term_type in
      let t2 = type_term env t2 in
      let ty2 = t2.term_type in
      begin match ty1.ctype_node, ty2.ctype_node with
	| (Tenum _ | Tint _ | Tfloat _), (Tenum _ | Tint _ | Tfloat _) ->
	    let t1,t2,ty = arith_conversion t1 t2 in
	    Tbinop (t1, Badd, t2), ty
	| (Tpointer _ | Tarray _), (Tint _ | Tenum _) -> 
	    Tbinop (t1, Badd, coerce c_exact_int t2), ty1
	| (Tenum _ | Tint _), (Tpointer _ | Tarray _) ->
	    Tbinop (coerce c_exact_int t2, Badd, t1), ty2
	| _ -> 
	    error loc "invalid operands to binary +"
      end
  | PLbinop (t1, Bsub, t2) ->
      let t1 = type_term env t1 in
      let ty1 = t1.term_type in
      let t2 = type_term env t2 in
      let ty2 = t2.term_type in
      begin match ty1.ctype_node, ty2.ctype_node with
	| (Tenum _ | Tint _ | Tfloat _), (Tenum _ | Tint _ | Tfloat _) ->
	    let t1,t2,ty = arith_conversion t1 t2 in
	    Tbinop (t1, Bsub, t2),ty
	| (Tpointer _ | Tarray _), (Tint _ | Tenum _) -> 
	    let mt2 = { term_node = Tunop (Uminus, t2); 
			term_loc = t2.term_loc;
			term_type = ty2} in
	    Tbinop (t1, Badd, mt2), ty1
	| (Tpointer _ | Tarray _), (Tpointer _ | Tarray _) ->
	    Tbinop (t1, Bsub, t2), c_exact_int (* TODO check types *)
	| _ -> error loc "invalid operands to binary -"
      end
  | PLbinop (t1, (Bmul | Bdiv as op), t2) ->
      let t1 = type_num_term env t1 in
      let t2 = type_num_term env t2 in
      let t1,t2,ty = arith_conversion t1 t2 in
      Tbinop (t1, op, t2), ty
  | PLbinop (t1, (Bmod | Bbw_and | Bbw_or | Bbw_xor | 
		  Bshift_right | Bshift_left as op), t2) ->
      let t1 = type_int_term env t1 in
      let t2 = type_int_term env t2 in
      Tbinop (t1, op, t2), c_exact_int
  | PLbinop (t1, Bpow_real, t2) ->
      let t1 = type_real_term env t1 in
      let t2 = type_real_term env t2 in
      Tbinop (t1, Bpow_real, t2), c_real
  | PLdot (t, x) ->
      let t = type_term env t in
      let x = type_of_field loc x t.term_type in
      let t_dot_x = match t.term_node with
(*	| Tunop (Ustar, e) -> 
	    Tarrow (e, x)
	| Tarrget (e1, e2) -> 
	    let a = 
	      { term_node = Tbinop (e1, Badd, e2); 
		term_loc = t.term_loc;
		term_type = e1.term_type}
	    in
	    Tarrow (a, x)*)
	| _ -> 
	    Tdot (t, x)
      in
      t_dot_x, x.var_type
  | PLarrow (t, x) ->
      let t = type_term env t in
      begin match t.term_type.ctype_node with
	| Tpointer(_, ty) -> 
	    let x = type_of_field loc x ty in
	    Tarrow (t, x), x.var_type
	| _ -> 
	    error loc "invalid type argument of `->'"
      end
  | PLarrget (t1, t2) ->
      let t1 = type_term env t1 in
      (match t1.term_type.ctype_node with
	 | Tarray (_,ty,_) | Tpointer(_, ty) ->
	     let t2 = type_int_term env t2 in
	     Tarrget (t1, t2), ty
	 | _ ->
	     error loc "subscripted value must be either array or pointer")
  | PLrange (t1, t2, t3) ->
      let t1 = type_term env t1 in
      (match t1.term_type.ctype_node with
	 | Tarray (_,ty,_) | Tpointer (_,ty) ->
	     let t2 = type_int_term_option env t2 in
	     let t3 = type_int_term_option env t3 in
	     Trange (t1, t2, t3), ty
	 | _ ->
	     error loc "subscripted value must be either array or pointer")
  | PLif (t1, t2, t3) ->
      let tt1 = type_term env t1 in
      expected_num_pointer t1.lexpr_loc tt1;
      let t2 = type_term env t2 in
      let t3 = type_term env t3 in
      expected_term_type loc t3 t2.term_type;
      expected_term_type loc t2 t3.term_type;
      Tif (tt1, t2, t3), t2.term_type
  | PLold t ->
      let t = type_term env t in
      Told t, t.term_type
  | PLat (t, l) ->
      (* TODO check label l *)
      let t = type_term env t in
      Tat (t, l), t.term_type
  | PLbase_addr t ->
      let t = type_term env t in
      (match t.term_type.ctype_node with
	 | Tarray _ | Tpointer _ -> Tbase_addr t, c_addr
	 | _ -> error loc "base_addr argument must be either array or pointer")
  | PLoffset t ->
      let t = type_term env t in
      (match t.term_type.ctype_node with
	 | Tarray _ | Tpointer _ -> Toffset t, c_exact_int
	 | _ -> error loc "offset argument must be either array or pointer")
  | PLblock_length t ->
      let t = type_term env t in
      (match t.term_type.ctype_node with
	 | Tarray _ | Tpointer _ -> Tblock_length t, c_exact_int
	 | _ -> error loc "block_length argument must be either array or pointer")
  | PLarrlen t ->
      let t = type_term env t in
      (match t.term_type.ctype_node with
	 | Tarray _ | Tpointer _ -> Tarrlen t, c_exact_int
	 | _ -> error loc "arrlen argument must be either array or pointer")
  | PLstrlen t ->
      let t = type_term env t in
      (match t.term_type.ctype_node with
	 | Tarray _ | Tpointer _ -> Tstrlen t, c_exact_int
	 | _ -> error loc "strlen argument must be either array or pointer")
  | PLmin (t1,t2) ->
      let t1 = type_int_term env t1 in
      let t2 = type_int_term env t2 in
      Tmin (t1,t2), c_exact_int
  | PLmax (t1,t2) ->
      let t1 = type_int_term env t1 in
      let t2 = type_int_term env t2 in
      Tmax (t1,t2), c_exact_int
  | PLminint ty ->
      let ty = type_logic_type ~machine_ints:true loc env ty in
      begin match ty.ctype_node with
	| Tint (_, (Char | Short | Ctypes.Int | Long | LongLong)) -> 
	    Tminint ty, c_exact_int
	| _ -> 
	    error loc "argument must be a C integer type"
      end
  | PLmaxint ty ->
      let ty = type_logic_type ~machine_ints:true loc env ty in
      begin match ty.ctype_node with
	| Tint (_, (Char | Short | Ctypes.Int | Long | LongLong)) -> 
	    Tmaxint ty, c_exact_int
	| _ -> 
	    error loc "argument must be a C integer type"
      end
  | PLresult ->
      (try 
	 let t = Env.find "result" env in 
	 begin match t with
	   | Var_info v -> Clogic.Tvar v, v.var_type
	   | Fun_info _f -> error loc ("result is a function")
	 end
       with Not_found -> error loc "\\result meaningless")
  | PLnull ->
      let info = default_var_info "null" in 
      Cenv.set_var_type (Var_info info) (c_void_star Not_valid) false;
      Clogic.Tvar info, (c_void_star Not_valid)
  | PLcast (ty, t) ->
      let tty = type_logic_type loc env ty in
      let t = type_term env t in
      let tt = t.term_type in
      begin match tty.ctype_node, tt.ctype_node with
	| Tvoid, Tvoid -> 
	    t.term_node, tt
	| (Tint _ | Tfloat _ | Tenum _), 
	  (Tenum _ | Tint _ | Tfloat _) -> 
	    let t = coerce tty t in t.term_node, t.term_type
	| _ -> 
	    Tcast(tty, t) , tty
      end
  | PLvalid _ | PLvalid_index _ | PLvalid_range _ | PLfresh _ | PLseparated _ 
  | PLexists _ | PLforall _ | PLimplies _ | PLiff _ | PLfalse
  | PLfullseparated _ | PLor _ | PLand _ | PLrel _ | PLtrue | PLnamed _ 
  | PLbound_separated _ | PLfull_separated _ ->
      raise_located loc (AnyMessage "predicates are not allowed here")

and type_int_term env t =
  let tt = type_term env t in
  expected_int t.lexpr_loc tt;
  coerce c_exact_int tt

and type_real_term env t = 
  let tt = type_num_term env t in
  coerce c_real tt

and type_float_term env t = 
  let tt = type_num_term env t in
  match tt.term_type.ctype_node with
    | Tfloat (Ctypes.Float | Double | LongDouble) -> tt
    | _ -> error t.lexpr_loc "illegal operand (expected float)"

and type_int_term_option env = function
  | None -> None 
  | Some t -> Some (type_int_term env t)

and type_num_term env t =
  let tt = type_term env t in
  expected_num t.lexpr_loc tt;
  tt

and type_num_pointer_term env t =
  let tt = type_term env t in
  expected_num_pointer t.lexpr_loc tt;
  tt

and type_terms loc env at tl =
  let rec type_list = function
    | [], [] -> 
	[]
    | et :: etl, ({lexpr_loc=tloc} as t) :: tl ->
	let t = type_term env t in
	expected_term_type tloc t et;
  	coerce et t :: type_list (etl, tl)
    | [], _ ->
	raise_located loc TooManyArguments
    | _, [] ->
	raise_located loc PartialApp
  in
  type_list (at, tl)


(* ghost *)

let rec type_ghost_lvalue env t =
  let t', ty =   type_ghost_lvalue_node t.lexpr_loc env t.lexpr_node in
  { term_node = t'; term_loc = t.lexpr_loc; term_type = ty}

and type_ghost_lvalue_node loc env t =
  match t with
    | PLvar x ->
	let v = 
	  try find_ghost x.var_name
	  with Not_found -> 
            error loc "unbound ghost variable %s" x.var_name
	in 
	Clogic.Tvar v, v.var_type
    | PLarrget (t1, t2) ->
	let t1 = type_ghost_lvalue env t1 in
	(match t1.term_type.ctype_node with
	   | Tarray (_,ty,_) | Tpointer (_,ty) ->
	       let t2 = type_int_term env t2 in
	       Tarrget (t1, t2), ty
	   | _ ->
	       error loc "subscripted value is neither array nor pointer")
    | _ ->
	error loc "not allowed as ghost left value"




(* Typing logic types *)

let rec type_type env t = 
  { t with ctype_node = type_type_node env t.ctype_node }

and type_type_node env = function
  | Tint _ | Tfloat _ as t -> t
  | Tarray (valid,ty,t) -> Tarray (valid,type_type env ty,t)
  | _ -> assert false


(*
let type_quantifier env (ty, x) = (type_logic_type env ty, x)
let type_quantifiers env = List.map (type_quantifier env)
*)

let add_quantifiers loc q env =
  let (tq,env) =
    List.fold_left
      (fun (tq,env) (ty, x) -> 
	 let i = Info.default_var_info x 
	 and ty = type_logic_type loc env ty in
	 ((ty,i)::tq, Env.add x ty (Var_info i) env))
      ([],env) q
  in
  (List.rev tq,env)


let int_constant n = 
  { term_node = Tconstant (IntConstant n); 
    term_loc = Loc.dummy_position;
    term_type = c_exact_int}

let zero = int_constant "0"

let compat_pointers ty1 ty2 = 
  (ty1.ctype_node = Tvoid) || (ty2.ctype_node = Tvoid) || eq_type ty1 ty2

(* Typing predicates *)

let rec type_term env t =
  let t', ty = type_term_node t.lexpr_loc env t.lexpr_node in
  { term_node = t'; term_loc = t.lexpr_loc; term_type = ty}


let rec type_predicate env p0 = 
  let p' = type_predicate_node env p0 in
  { pred_node = p'; pred_loc = p0.lexpr_loc }

and type_predicate_node env p0 = match p0.lexpr_node with
  | PLfalse -> Pfalse
  | PLtrue -> Ptrue
  | PLrel ({lexpr_node = PLrel (_, _, t2)} as p1, op, t3) ->
      let p1 = type_predicate env p1 in
      let p2 = { lexpr_node = PLrel (t2, op, t3); 
		 lexpr_loc = p0.lexpr_loc } in
      let p2 = type_predicate env p2 in
      Pand (p1, p2)
  | PLrel (t1, (Lt | Le | Gt | Ge as r), t2) -> 
      let loc = Loc.join t1.lexpr_loc t2.lexpr_loc in
      let t1 = type_num_pointer_term env t1 in
      let t2 = type_num_pointer_term env t2 in
       begin match t1.term_type.ctype_node, t2.term_type.ctype_node with
	| (Tint _ | Tenum _ | Tfloat _), (Tint _ | Tenum _ | Tfloat _) ->
	    let t1,t2,_ = arith_conversion t1 t2 in
	    Prel (t1, r, t2)
	| (Tpointer (_,ty1)  | Tarray (_,ty1,_)), 
	  (Tpointer (_,ty2) | Tarray (_,ty2,_)) ->
	    if not (compat_pointers ty1 ty2) then
	      warning loc "comparison of distinct pointer types lacks a cast";
	    Prel (t1, r, t2)
	| (Tpointer _  | Tarray _), (Tint _ | Tenum _ | Tfloat _)
	| (Tint _ | Tenum _ | Tfloat _), (Tpointer _  | Tarray _) ->
	    error loc "comparison between pointer and integer" (* C warning *)
	    (* Prel (t1, r, t2) *)
	| _ ->
	    error loc "invalid operands to comparison"
       end
  | PLrel (t1, (Eq | Neq as r), t2) -> 
      let loc = Loc.join t1.lexpr_loc t2.lexpr_loc in
      let t1 = type_term env t1 in
      let t2 = type_term env t2 in
       begin match t1.term_type.ctype_node, t2.term_type.ctype_node with
	| (Tint _ | Tenum _ | Tfloat _), (Tint _ | Tenum _ | Tfloat _) ->
	    let t1,t2,_ = arith_conversion t1 t2 in
	    Prel (t1, r, t2)
	| (Tpointer (_,ty1)  | Tarray (_,ty1,_)), 
	  (Tpointer (_,ty2) | Tarray (_,ty2,_)) ->
	    if not (compat_pointers ty1 ty2) then
	      warning loc "comparison of distinct pointer types lacks a cast";
	    Prel (t1, r, t2)
	| (Tpointer _  | Tarray _), (Tint _ | Tenum _ | Tfloat _) ->
	    if t2.term_node = Tconstant (IntConstant "0") then
	      let ty1 = Tpointer ( Not_valid, t1.term_type) in
	      let ty1 = 
		{ ctype_node = ty1;
		  ctype_storage = No_storage;
		  ctype_const = false;
		  ctype_volatile = false;
		  ctype_ghost = false;
		}
	      in
	      Prel(t1, r, 
		   { term_node = Tcast(ty1,t2);
		     term_type = ty1;
		     term_loc  = t2.term_loc;})
	    else
	      error loc "comparison between pointer and integer" (* C warning *)
		(* Prel (t1, r, t2) *)
	| (Tint _ | Tenum _ | Tfloat _), (Tpointer _  | Tarray _) ->
	    if t1.term_node = Tconstant (IntConstant "0") then
	      let ty2 = Tpointer ( Not_valid, t2.term_type) in
	      let ty2 = 
		{ ctype_node = ty2;
		  ctype_storage = No_storage;
		  ctype_const = false;
		  ctype_volatile = false;
		  ctype_ghost = false;
		}
	      in
	      Prel({ term_node = Tcast(ty2,t1);
		     term_type = ty2;
		     term_loc  = t1.term_loc;},
		   r, t2)
	    else
	      error loc "comparison between pointer and integer" (* C warning *)
		(* Prel (t1, r, t2) *)
	| Tvar s1, Tvar s2 when s1 = s2 -> Prel (t1, r, t2)
	| _ ->
	    error loc "invalid operands to comparison"
      end
  | PLand (p1, p2) -> 
      Pand (type_predicate env p1, type_predicate env p2)
  | PLor (p1, p2) -> 
      Por (type_predicate env p1, type_predicate env p2)
  | PLimplies (p1, p2) -> 
      Pimplies (type_predicate env p1, type_predicate env p2) 
  | PLiff (p1, p2) -> 
      Piff (type_predicate env p1, type_predicate env p2) 
  | PLnot p -> 
      (match type_predicate env p with
	 | { pred_node = Prel (t, Neq, z) } when z == zero -> 
	     Prel (t, Eq, zero)
	 | p -> Pnot p)
  | PLapp (p, tl) ->
      (try
	 let pl,info = find_pred p.logic_name in
	 let tl = type_terms p0.lexpr_loc env pl tl in
	 Papp (info, tl)
       with Not_found -> 
	 error p0.lexpr_loc "unbound predicate %s" p.logic_name)
  | PLif (t, p1, p2) -> 
      let t = type_int_term env t in
      Pif (t, type_predicate env p1, type_predicate env p2)
  | PLforall (q, p) -> 
      let q, env' = add_quantifiers p0.lexpr_loc q env in
      Pforall (q, type_predicate env' p)
  | PLexists (q, p) -> 
      let q, env' = add_quantifiers p0.lexpr_loc q env in
      Pexists (q, type_predicate env' p)
  | PLfresh (t) ->
      let tloc = t.lexpr_loc in
      let t = type_term env t in
      (match t.term_type.ctype_node with
	 | Tarray _ | Tpointer _ -> Pfresh(t)
	 | _ -> error tloc "subscripted value is neither array nor pointer")
  | PLseparated (t1,t2) ->
      let t1loc = t1.lexpr_loc in
      let t1 = type_term env t1 in 
      let t2loc = t2.lexpr_loc in
      let t2 = type_term env t2 in
      Pseparated (
      (match t1.term_type.ctype_node with
	 | Tstruct _ | Tarray _ | Tpointer _ -> t1
	 | _ -> error t1loc "subscripted value is neither array nor pointer"),
	(match t2.term_type.ctype_node with
	 | Tstruct _ | Tarray _ | Tpointer _ -> t2
	 | _ -> error t2loc "subscripted value is neither array nor pointer"))
  | PLbound_separated (t1,tu1,t2,tu2) ->
      let t1loc = t1.lexpr_loc in
      let t1 = type_term env t1 in 
      let tu1 = type_int_term env tu1 in
      let t2loc = t2.lexpr_loc in
      let t2 = type_term env t2 in
      let tu2 = type_int_term env tu2 in
      Pbound_separated (
      (match t1.term_type.ctype_node with
	 | Tstruct _ | Tarray _ | Tpointer _ -> t1
	 | _ -> error t1loc "subscripted value is neither array nor pointer"),
	tu1,
	(match t2.term_type.ctype_node with
	 | Tstruct _ | Tarray _ | Tpointer _ -> t2
	 | _ -> error t2loc "subscripted value is neither array nor pointer"),
	tu2)
  | PLfull_separated (t1,t2) ->
      let t1loc = t1.lexpr_loc in
      let t1 = type_term env t1 in 
      let t2loc = t2.lexpr_loc in
      let t2 = type_term env t2 in
      Pfull_separated (
      (match t1.term_type.ctype_node with
	 | Tstruct _ | Tarray _ | Tpointer _ -> t1
	 | _ -> error t1loc "subscripted value is neither array nor pointer"),
	(match t2.term_type.ctype_node with
	 | Tstruct _ | Tarray _ | Tpointer _ -> t2
	 | _ -> error t2loc "subscripted value is neither array nor pointer"))
  | PLfullseparated (t1,t2) ->
      let t1loc = t1.lexpr_loc in
      let t1 = type_term env t1 in 
      let t2loc = t2.lexpr_loc in
      let t2 = type_term env t2 in
      Pfullseparated (
      (match t1.term_type.ctype_node with
	 | Tstruct _ -> t1
	 | _ -> error t1loc "subscripted value is neither array nor pointer"),
	(match t2.term_type.ctype_node with
	 | Tstruct _ -> t2
	 | _ -> error t2loc "subscripted value is neither array nor pointer"))
  | PLvalid (t) ->
      let tloc = t.lexpr_loc in
      let t = type_term env t in
      (match t.term_type.ctype_node with
	 | Tstruct _ | Tunion _
	 | Tarray _ | Tpointer _ -> Pvalid(t)
	 | _ -> error tloc "subscripted value is neither array nor pointer")
  | PLvalid_index (t,a) ->
      let tloc = t.lexpr_loc in
      let t = type_term env t in
      let a = type_int_term env a in
      (match t.term_type.ctype_node with
	 | Tarray _ | Tpointer _ -> Pvalid_index(t,a)
	 | _ -> error tloc "subscripted value is neither array nor pointer")
  | PLvalid_range (t,a,b) ->
      let tloc = t.lexpr_loc in
      let t = type_term env t in
      let a = type_int_term env a in
      let b = type_int_term env b in
      (match t.term_type.ctype_node with
	 | Tarray _ | Tpointer _ -> Pvalid_range(t,a,b)
	 | _ -> error tloc "subscripted value is neither array nor pointer")
  | PLold p ->
      Pold (type_predicate env p)
  | PLat (p, l) ->
      (* TODO check label l *)
      Pat (type_predicate env p, l)
  | PLcast _ | PLblock_length _ | PLarrlen _ | PLstrlen _ 
  | PLbase_addr _ | PLoffset _ | PLarrget _ | PLarrow _ 
  | PLdot _ | PLbinop _ | PLunop _ | PLconstant _ | PLvar _ | PLnull 
  | PLresult | PLrange _ | PLmin _ | PLmax _ | PLminint _ | PLmaxint _ ->
      (*raise (Stdpp.Exc_located (p0.lexpr_loc, Parsing.Parse_error))*)
      (* interpret term [t] as [t != 0] *)
      let t = type_int_term env p0 in
      Prel (t, Neq, zero)
  | PLnamed (n, p) ->
      Pnamed (n, type_predicate env p)

let type_variant env = function 
  | (t, None) -> (type_int_term env t, None)
  | (t, r) -> (type_term env t, r)

let type_location = type_term

let type_loop_annot env la =
  { invariant = option_app (type_predicate env) la.invariant;
    assume_invariant = option_app (type_predicate env) la.assume_invariant;
    loop_assigns = 
      option_app (fun (loc,l) -> loc, List.map (type_location env) l) 
	la.loop_assigns;
    variant = option_app (type_variant env) la.variant }

let type_spec result env s = 
  let p = option_app (type_predicate env) s.requires in
  let env' = match result with
    | None -> env
    | Some ty ->
	let v = Var_info (Info.default_var_info "result") in
	Cenv.set_var_type v ty true;
	Env.add "result" ty v env
  in
  let q = option_app (type_predicate env') s.ensures in
  let v = option_app (type_variant env) s.decreases in
  let m = option_app (fun (loc,l) -> loc, List.map (type_location env) l) s.assigns in
  { requires = p;
    assigns = m;
    ensures = q;
    decreases = v }
why-2.34/c/cerror.mli0000644000175000017500000000463612311670312013047 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



type t = 
  | AnyMessage of string
  | ExpectedType of Ctypes.ctype * Ctypes.ctype
  | TooManyArguments
  | PartialApp
  | Unsupported of string
	  
why-2.34/c/cmake.mli0000644000175000017500000000471312311670312012627 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Makefile generation *)

(* declares a function [f] in file [file] *)
val add : file:string -> f:string -> unit

(* generates the makefile for a given C file *)
val makefile : string -> unit

why-2.34/c/ctypes.mli0000644000175000017500000000736612311670312013065 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Parsing C requires to separate identifiers and type names during
   lexical analysis. This table is for this purpose. It is fill during
   syntactic analysis. *)


type storage_class = No_storage | Extern | Auto | Static | Register

type sign = Signed | Unsigned

type cinteger = 
  | Char | Short | Int | Long | LongLong | Bitfield of int64
  | ExactInt

type cfloat = Float | Double | LongDouble | Real

type valid = Valid of int64 * int64 | Not_valid 

type ctype_node =
  | Tvoid
  | Tint of (sign * cinteger)
  | Tfloat of cfloat
  | Tvar of string
  | Tarray of valid * ctype * int64 option 
  | Tpointer of valid * ctype
  | Tstruct of string 
  | Tunion of string 
  | Tenum of string 
  | Tfun of ctype list * ctype

and ctype = { 
  ctype_node : ctype_node;
  ctype_storage : storage_class;
  ctype_const : bool;
  ctype_volatile : bool;
  ctype_ghost : bool;
}

val noattr : ctype_node -> ctype
val c_void : ctype
val c_int : ctype
val c_exact_int : ctype
val c_float : cfloat -> ctype
val c_string : valid -> ctype
val c_array :  valid -> ctype ->  ctype
val c_array_size : valid ->  ctype -> int64 ->  ctype
val c_pointer :  valid -> ctype ->  ctype
val c_void_star : valid -> ctype
val c_real : ctype
val c_addr : ctype

val add : string -> unit

val remove : string -> unit

val mem : string -> bool

val push : unit -> unit

val pop : unit -> unit

val ctype : Format.formatter -> ctype -> unit

val is_pointer : ctype -> bool


val float_constant_type : in_logic:bool -> string -> string * cfloat
why-2.34/c/ceffect.mli0000644000175000017500000000766112311670312013153 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Info

type effect =
    {
      reads : ZoneSet.t;
      assigns : ZoneSet.t;
      reads_var : HeapVarSet.t;
      assigns_var : HeapVarSet.t;
      (* useful for generating separation invariants *)
      reads_under_pointer : HeapVarSet.t;
      assigns_under_pointer : HeapVarSet.t;
    }

val ef_union : effect -> effect -> effect

val ef_empty : effect

val global_var :  Info.var_info list ref

val intersect_only_alloc : effect -> effect -> bool

val is_alloc : Info.var_info -> bool

val assigns_alloc : effect -> bool

(* all heap vars and their associated types *)
val heap_vars : (string, Info.var_info) Hashtbl.t

val print_heap_vars : Format.formatter -> unit -> unit

val is_memory_var : var_info -> bool

val locations : Cast.nterm Clogic.location list -> effect

val predicate : Cast.npredicate -> effect

val expr : ?with_local:bool -> Cast.nexpr -> effect

val statement : ?with_local:bool -> Cast.nstatement -> effect

(* computes effects for logical symbols only *)
val file : Cast.nfile -> unit

(* Compute functions effects *)
val effect : ('a * Cast.ndecl Cast.located list) list -> fun_info list -> unit

(* table for weak invariants *)
val weak_invariants : (string, Cast.npredicate * effect) Hashtbl.t

(* table for strong invariants *)
val strong_invariants : 
  (string, (Cast.npredicate * effect * effect)) Hashtbl.t

val strong_invariants_2 : 
  (string, Cast.npredicate * effect * (string * Output.logic_type) list ) 
  Hashtbl.t

val invariants_for_struct : 
  (string, (Cast.npredicate * effect * effect)) Hashtbl.t

val mem_strong_invariant_2 : string -> bool
    
(* table of warnings from computation of effects *)
val warnings : (Loc.position * string) Queue.t

why-2.34/c/cast_misc.mli0000644000175000017500000000447112311670312013515 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


val noattr : 'a Cast.ctype_node -> 'a Cast.ctype
why-2.34/c/ceffect.ml0000644000175000017500000012143012311670312012771 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Cast
open Cnorm
open Coptions
open Clogic
open Creport
open Info
open Format
open Pp
open Output
open Ctypes
open Cenv
open Cseparation

let memory_type t1 t2 = ([t1;t2],"memory")

let heap_vars = Hashtbl.create 97

let heap_vars2 = Hashtbl.create 97

let print_heap_vars fmt () =
(*
  let base_type fmt = function
    | [], s -> fprintf fmt "%s" s
    | [x], s -> fprintf fmt "%s %s" x s
    | l, s -> fprintf fmt "(%a) %s" (print_list comma pp_print_string) l s
  in
*)
  fprintf fmt "@[";
  Hashtbl.iter 
    (fun s t -> fprintf fmt "(%s:%a)" s Output.fprintf_logic_type
       (Info.output_why_type t.var_why_type)) 
    heap_vars;
  fprintf fmt "@]"

let print_effects fmt l =
  fprintf fmt "@[%a@]"
    (print_list space (fun fmt v -> pp_print_string fmt v.var_unique_name)) 
    (HeapVarSet.elements l)

let print_effects2 fmt l =
  fprintf fmt "@[%a@]"
    (print_list space (fun fmt (z,s,_) ->let z = repr z in
		       fprintf fmt " %s_%s_%d " s z.Info.name z.number)) 
    (ZoneSet.elements l)

let print_effects3 fmt l =
  fprintf fmt "@[%a@]"
    (print_list space (fun fmt (z,s,_) -> let z = repr z in
		       fprintf fmt " %s_%s:%b " s z.Info.name z.zone_is_var)) 
    (ZoneSet.elements l)

let alloc = 
  let x = "alloc" in
  let v = (*

    Cenv.add_sym 
      Loc.dummy_position x Ctypes.c_void *)
    (Var_info (default_var_info x)) 
  in
  set_var_type_why v (Why_Logic "alloc_table");
  match v with
    | Var_info v -> v
    | Fun_info _ -> assert false

let is_alloc = (==) alloc

let is_memory_var v = 
  if v == alloc then false
  else
    match v.var_why_type with 
      | Memory _ -> true 
      | _ -> false


let declare_heap_var info name =
try  let info' = Hashtbl.find heap_vars name in
    if not (same_why_type_no_zone info.var_why_type info'.var_why_type)
    then
      let ty' = Info.output_why_type info'.var_why_type in
      let ty =  Info.output_why_type info.var_why_type in
	Format.eprintf "declare_heap_var : %s ; oldtype = %a ; newtype = %a@." 
	  name Output.fprintf_logic_type ty' Output.fprintf_logic_type ty ;
      assert false
    else
      info'
with
    Not_found ->
      begin
	Hashtbl.add heap_vars name info;
	info
      end


let empty = ZoneSet.empty
let union = ZoneSet.union


(* static variables *)


let add_var v (_ty : Info.why_type) s =
  let info = declare_heap_var v v.var_unique_name in
  HeapVarSet.add info s

  
let add_alloc s = HeapVarSet.add alloc s

let add_heap_var n z ty =
  let ty' = Memory(ty,z) in
  let info = default_var_info n in
  let n' = info.var_name ^ "_" ^ (found_repr z) in
  set_var_type_why (Var_info info) ty';
  let _ = declare_heap_var info n' in ()
(*  let info = declare_heap_var info n' in
  HeapVarSet.add info s*)
  

let add_field_var v ty s =
  match ty with
    | Pointer z ->
	let z = repr z in
	let ty' = 
	  try
	    let table = 
	      try
		Hashtbl.find type_why_table z 
	      with Not_found -> 
		Format.eprintf "no why type table for zone %s@\n" z.Info.name;
		assert false
	    in
	    Hashtbl.find  table v 
	  with Not_found -> 
	    Format.eprintf "no  why type for field %s@\n" v.var_name;
	    assert false
	in
	let n = v.var_unique_name in
	if not z.zone_is_var then  add_heap_var n z ty';
	ZoneSet.add (z,n,ty') s
    | Unit -> assert false
    | Info.Int -> assert false
    | _ -> assert false
	

type effect =
    {
      reads : ZoneSet.t;
      assigns : ZoneSet.t;
      reads_var : HeapVarSet.t;
      assigns_var : HeapVarSet.t;
      (* useful for generating separation invariants *)
      reads_under_pointer : HeapVarSet.t;
      assigns_under_pointer : HeapVarSet.t;
    }

let ef_empty = { reads = empty; assigns = empty ; 
		 reads_var = HeapVarSet.empty ; 
		 assigns_var = HeapVarSet.empty;
		 reads_under_pointer = HeapVarSet.empty;
		 assigns_under_pointer = HeapVarSet.empty; }

(*
let merge_var_map m1 m2 =
  HeapVarMap.fold
    (fun v labs acc ->
       try
	 let l = HeapVarMap.find v m2 in
	 HeapVarMap.add v (LabelSet.union labs l) acc
       with Not_found ->
	   HeapVarMap.add v labs acc)
    m1 m2
*)

let ef_union e1 e2 = 
  { reads = union e1.reads e2.reads;
    assigns = union e1.assigns e2.assigns ;
    reads_var = HeapVarSet.union e1.reads_var e2.reads_var;
    assigns_var = HeapVarSet.union e1.assigns_var e2.assigns_var;
    reads_under_pointer = 
      HeapVarSet.union e1.reads_under_pointer e2.reads_under_pointer;
    assigns_under_pointer = 
      HeapVarSet.union e1.assigns_under_pointer e2.assigns_under_pointer; }

let reads_add_var v ty e =   { e with reads_var = add_var v ty e.reads_var }
let reads_add_field_var v ty e = { e with reads = add_field_var v ty e.reads }
(*let reads_add_pointer_var ty e = { e with reads = add_pointer_var ty e.reads }*)

let reads_add_alloc e = 
  (* [alloc] not used when the alloc table is dropped *)
  assert (not no_alloc_table);
  { e with reads_var = add_alloc e.reads_var }

let assigns_add_var v ty e = { e with reads_var = add_var v ty e.reads_var;
				 assigns_var = add_var v ty e.assigns_var }

let reads_add_under_pointer v _ty e = 
  { e with reads_under_pointer = HeapVarSet.add v e.reads_under_pointer }

let assigns_add_under_pointer v _ty e = 
  { e with assigns_under_pointer = HeapVarSet.add v e.assigns_under_pointer }

let assigns_add_field_var v ty e = 
  { e with reads = add_field_var v ty e.reads;
      assigns = add_field_var v ty e.assigns }

let assigns_add_alloc e = 
  (* [alloc] should not be used when the alloc table is dropped *)
  assert (not no_alloc_table);
  { e with reads_var = add_alloc e.reads_var;
      assigns_var = add_alloc e.assigns_var }

let assigns_alloc e = HeapVarSet.mem alloc e.assigns_var

let rec term t = match t.nterm_node with 
  | NTvar v -> 
      if v.var_is_static
      then reads_add_var v v.var_why_type ef_empty
      else ef_empty
  | NTarrow (t1,z,f) -> 
      let z = repr z in
      assert (same_why_type (Cnorm.type_why_for_term t1) (Pointer z));
      let ef = reads_add_field_var f (Pointer z) (term t1) in
      (* [alloc] not used when the alloc table is dropped *)
      (* CLAUDE: in terms e->f, DOES NOT reads alloc *)
      (* if no_alloc_table then *) ef (* else reads_add_alloc ef *)
  | NTunop (Ustar,_) -> assert false
  | NTunop (Uamp, t) -> term t
  | NTunop (Uplus, t) -> term t
  | NTunop (Uminus, t) -> term t
  | NTunop (Unot, t) -> term t
  | NTunop (Utilde, t) -> term t
  | NTunop (( Ufloat_of_int | Uint_of_float | Ufloat_conversion 
	    | Uint_conversion | Uabs_real | Usqrt_real 
	    | Uround_error | Utotal_error | Uexact | Umodel), t) -> term t
  | NTbase_addr t -> term t
  | NToffset t -> reads_add_alloc (term t)
  | NTblock_length t -> 
      (* [block_length] should not be used with the arithmetic memory model *)
      assert (not arith_memory_model);
      reads_add_alloc (term t)
  | NTarrlen t -> 
      let ef = term t in
      (* [alloc] not used when the alloc table is dropped *)
      if no_alloc_table then ef else reads_add_alloc ef
  | NTstrlen (t1,zone,var) ->
      (* effect of [strlen(p)] is to read the memory pointed-to by [p] *)
      let zone = repr zone in
      assert (same_why_type (Cnorm.type_why_for_term t1) (Pointer zone));
      reads_add_var var (Pointer zone) (term t1)
  | NTat (t, _) -> 
      term t
  | NTold t -> 
      term t
  | NTif (t1, t2, t3) -> 
      ef_union (term t1) (ef_union (term t2) (term t3))
  | NTbinop (t1, _, t2) 
  | NTmin (t1,t2)
  | NTmax (t1,t2) -> 
      ef_union (term t1) (term t2) 
  | NTapp {napp_pred = id; napp_args = tl; napp_zones_assoc = assoc} -> 
	let reads = ZoneSet.fold 
	  (fun (z,s,ty) acc ->
	     let z = repr z in
	     let z = try assoc_zone z assoc with Not_found -> z in
	     let z = repr z in
	     let ty = Cseparation.assoctype ty assoc in
	     if not z.zone_is_var then add_heap_var s z ty else ();
	     ZoneSet.add (z,s,ty) acc)
	  id.logic_heap_zone empty in
	List.fold_left 
	  (fun acc t -> ef_union acc (term t))
	  {ef_empty with reads = reads; reads_var = id.logic_heap_args; }
	  tl  
  | NTconstant _ -> ef_empty
  | NTstring_literal _ -> ef_empty
  | NTminint _ | NTmaxint _ -> ef_empty
  | NTcast (_, t) -> term t
  | NTrange (t1, t2, t3, z, f) ->
      let z = repr z in
      assert (same_why_type (Cnorm.type_why_for_term t1) (Pointer z));
      let ef = 
	(reads_add_field_var f (Pointer z)
	   (ef_union (term t1) (ef_union (term_option t2) (term_option t3))))
      in
      (* [alloc] not used when the alloc table is dropped *)
      (* CLAUDE: e->f ne lit jamais alloc *)
      (* if no_alloc_table then *) ef (* else reads_add_alloc ef *)

and term_option = function None -> ef_empty | Some t -> term t


(* used to interpret the reads clause *)
let locations ll =
  List.fold_left
    (fun acc l -> ef_union acc (term l)) ef_empty ll

(* used to interpret the assigns clause *)
let rec assign_location t = match t.nterm_node with 
  | NTvar v ->
      if v.var_is_static
      then
	{ ef_empty with assigns_var = add_var v (Cnorm.type_why_for_term t) HeapVarSet.empty } 
      else ef_empty
  | NTarrow (t1,_z,f) -> 
      let ef = 
	(assigns_add_field_var f (Cnorm.type_why_for_term t1) (term t1))
      in
      (* [alloc] not used when the alloc table is dropped *)
      (* CLAUDE: in terms e->f, DOES NOT reads alloc *)
      (* if no_alloc_table then *) ef (* else reads_add_alloc ef *)
  | NTunop (Ustar,_) -> assert false
  | NTunop (Uamp, _) -> assert false
  | NTunop (Uminus, _)  | NTunop (Uplus, _)    | NTunop (Unot, _)  
  | NTunop (Utilde, _)  
  | NTunop ((Ufloat_of_int | Uint_of_float | Ufloat_conversion 
	    | Uint_conversion | Uabs_real | Usqrt_real | Uround_error 
	    | Utotal_error |Uexact | Umodel), _)  
  | NTbase_addr _  
  | NToffset _  
  | NTblock_length _  
  | NTarrlen _  
  | NTstrlen _
  | NTmin _
  | NTmax _
  | NTminint _
  | NTmaxint _
  | NTat (_, _)  
  | NTold _  
  | NTif (_, _, _)  
  | NTbinop (_, _, _)  
  | NTapp _  
  | NTconstant _
  | NTstring_literal _  
  | NTcast (_, _) -> 
      error t.nterm_loc "invalid location"
  | NTrange (t1, t2, t3, _z, f) ->
      let ef = 
	(assigns_add_field_var f (Cnorm.type_why_for_term t1)
	   (ef_union (term t1) (ef_union (term_option t2) (term_option t3))))
      in
      (* [alloc] not used when the alloc table is dropped *)
      (* CLAUDE: in terms e->f, DOES NOT reads alloc *)
      (* if no_alloc_table then *) ef (* else reads_add_alloc ef *)

(***let assign_location loc =
  match loc with
    | Lterm t ->
	 begin 
	   match t.nterm_node with
	     | NTarrow (t1,f) -> 
		 { reads = add_alloc (term t1);
		   assigns = add_field_var f t.nterm_type empty }
	     | NTstar t1 ->
		 { reads = add_alloc (term t1);
		   assigns = add_pointer_var t1.nterm_type empty }
	     | NTunop (Ustar,_) -> assert false
	     | NTvar v ->
		 { reads = empty;
		   assigns = 
		     if v.var_is_static
		     then add_var v t.nterm_type empty
		     else empty }
	     | _ -> assert false
	 end
    | Lstar t ->
	{ reads = add_alloc (term t);
	  assigns = add_pointer_var t.nterm_type empty }
    | Lrange(t1,t2,t3) -> 
	{ reads = add_alloc (union (term t1) (union (term t2) (term t3)));
	  assigns = add_pointer_var t1.nterm_type empty }
***)	  

let rec predicate p =  
  match p.npred_node with
    | NPtrue -> ef_empty
    | NPfalse -> ef_empty
    | NPapp {napp_pred = id; napp_args = tl; napp_zones_assoc = assoc} -> 
	let reads = ZoneSet.fold 
	  (fun (z,s,ty) acc ->
	     let z = repr z in
	     let z = try assoc_zone z assoc with Not_found -> z in
	     let z = repr z in
	     let ty = Cseparation.assoctype ty assoc in
	     if not z.zone_is_var then add_heap_var s z ty else ();
	     ZoneSet.add (z,s,ty) acc)
	  id.logic_heap_zone empty in
	List.fold_left 
	  (fun acc t -> ef_union acc (term t)) 
	  {ef_empty with reads = reads; reads_var = id.logic_heap_args; }
	  tl 
    | NPrel (t1, _, t2) -> ef_union (term t1) (term t2)
    | NPand (p1, p2)
    | NPor (p1, p2) 
    | NPiff (p1, p2) 
    | NPimplies (p1, p2) -> ef_union (predicate p1) (predicate p2)
    | NPnot p -> predicate p
    | NPif (t, p1, p2) -> ef_union (term t) 
	(ef_union (predicate p1) (predicate p2))
    | NPforall (_, p) -> predicate p	
    | NPexists (_, p) -> predicate p
    | NPfresh t -> 
	(* [fresh] should not be used when the alloc table is dropped *)
	assert (not no_alloc_table);
	assigns_add_alloc (term t)
    | NPvalid t -> 
	(* [alloc] not used when the alloc table is dropped *)
	if no_alloc_table then term t else reads_add_alloc (term t)
    | NPvalid_index (t1,t2) ->
	let ef = ef_union (term t1) (term t2) in
	(* [alloc] not used when the alloc table is dropped *)
	if no_alloc_table then ef else reads_add_alloc ef
    | NPvalid_range (t1,t2, t3) -> 
	let ef = ef_union (term t1) (ef_union (term t2) (term t3)) in
	(* [alloc] not used when the alloc table is dropped *)
	if no_alloc_table then ef else reads_add_alloc ef
    | NPold p -> predicate p
    | NPat (p,_) -> predicate p
    | NPnamed (_, p) -> predicate p
    | NPseparated (t1,t2) | NPfull_separated (t1,t2) -> 
	ef_union (term t1) (term t2)
    | NPbound_separated (t1,t2,t3,t4) -> 
	let ef1 = ef_union (term t1) (term t2) in 
	let ef2 = ef_union (term t3) (term t4) in
	ef_union ef1 ef2

(* table for weak invariants *)
let weak_invariants = Hashtbl.create 97


let add_weak_invariant id p =
  Hashtbl.add weak_invariants id (p, predicate p)

(* table for strong invariants *)
let strong_invariants = Hashtbl.create 97

let add_strong_invariant id p vars =
  if p.npred_node <> NPtrue then
  let ef = predicate p in
  Hashtbl.add strong_invariants id (p,ef,vars)

let strong_invariants_2 = Hashtbl.create 97

let mem_strong_invariant_2 id =
  Hashtbl.mem strong_invariants_2 id

let add_strong_invariant_2 id p args =
  if not (mem_strong_invariant_2 id) 
  then
    if p.npred_node <> NPtrue then
      let ef = predicate p in
      Hashtbl.add strong_invariants_2 id (p,ef,args)      

let invariants_for_struct = Hashtbl.create 97

let add_invariants_for_struct id p vars =
  if p.npred_node <> NPtrue then
  let ef = predicate p in
  Hashtbl.add invariants_for_struct id (p,ef,vars)


let intersect_only_alloc e1 e2 =
  HeapVarSet.is_empty 
    (HeapVarSet.remove alloc 
       (HeapVarSet.inter e1.reads_var e2.reads_var))
(* TODO : useless, because always empty because zones are distincts *)
  &&
    ZoneSet.is_empty (ZoneSet.inter e1.reads e2.reads)



let weak_invariants_for hvs =
  Hashtbl.fold
    (fun _name (_,e) acc ->
        if intersect_only_alloc e hvs then acc
       else ef_union e acc) 
    weak_invariants ef_empty

let strong_invariants_for hvs =
  Hashtbl.fold
    (fun _s (_,_,e) acc -> 
       if HeapVarSet.subset e.reads_var hvs.reads_var &&
	 ZoneSet.subset e.reads hvs.reads 
       then ef_union e acc
       else acc) 
    strong_invariants ef_empty


let logic_type ls =
  match ls with
    | Clogic.NPredicate_reads(_args,locs) -> locations locs
    | Clogic.NPredicate_def(_args,pred) -> predicate pred
    | Clogic.NFunction(_args,_ret,locs) -> locations locs
    | Clogic.NFunction_def(_args,_ret,t) -> term t


let option f = function None -> empty | Some x -> f x
let ef_option f = function None -> ef_empty | Some x -> f x

let variant (t,_) = term t

let loop_annot a = 
  ef_union (ef_option predicate a.invariant) 
    (ef_option variant a.variant) 
  (* TODO : loop_assigns ? *) 


let spec sp = 
  ef_union
    (ef_union 
	(ef_union (ef_option predicate sp.requires) 
	   (ef_option predicate sp.ensures))
	(ef_option variant sp.decreases))
    (ef_option 
       (fun (_,l) -> 
	 List.fold_left
	   (fun acc l -> ef_union acc (assign_location l)) ef_empty l)
       sp.Clogic.assigns)

open Cast

let rec expr ?(with_local=false) e = match e.nexpr_node with
  | NEnop
  | NEconstant _
  | NEstring_literal _ -> ef_empty
  | NEvar (Var_info v) ->
      if with_local || v.var_is_static 
      then reads_add_var v (type_why e) ef_empty
      else ef_empty
  | NEvar (Fun_info _v) ->
      ef_empty
  | NEarrow (e1,z, f) ->
      let z = repr z in
      assert (same_why_type (type_why e1)  (Pointer z));
      let ef = 
	reads_add_field_var f (Pointer z) (expr ~with_local e1) in
      let ef = ef_union ef (reads_under_pointer e1) in
      (* [alloc] not used when the alloc table is dropped *)
      if no_alloc_table then ef else reads_add_alloc ef 
  | NEbinary (e1, _, e2) | NEseq (e1, e2) ->
      ef_union (expr ~with_local e1) 
	(expr ~with_local e2)
  | NEassign (lv, e) | NEassign_op (lv, _, e) ->
      ef_union (assign_expr ~with_local lv)
	(expr ~with_local e)
  | NEunary (Ustar , _ ) -> assert false
  | NEunary (Uamp, _e) -> assert false (* address_expr e *)
  | NEunary 
      (( Uplus | Uminus | Unot | Utilde 
       | Ufloat_of_int | Uint_of_float 
       | Ufloat_conversion | Uint_conversion), e) ->
      expr ~with_local e
  | NEincr (_, e) ->
      assign_expr ~with_local e
  | NEcall {ncall_fun = e; ncall_args = el; ncall_zones_assoc = assoc} ->
      let ef = match e.nexpr_node with
	| NEvar (Fun_info f) ->    	   
	    let reads = ZoneSet.fold 
	      (fun (z,s,ty) acc ->
		 let z = repr z in
		 let z = try assoc_zone z assoc with Not_found -> z in
		 let z = repr z in
		 let ty = Cseparation.assoctype ty assoc in
		 if not z.zone_is_var then add_heap_var s z ty else ();
		 ZoneSet.add (z,s,ty) acc)
	      f.function_reads empty in
	    let writes = ZoneSet.fold 
	      (fun (z,s,ty) acc ->	 
		 let z = repr z in
		 let z = try assoc_zone z assoc with Not_found -> z in
		 let z = repr z in
		 let ty = Cseparation.assoctype ty assoc in
		 if not z.zone_is_var then add_heap_var s z ty else ();
		 ZoneSet.add (z,s,ty) acc)
	(*	 let z = repr z in
		 ZoneSet.add 
		   ((try assoc_zone z assoc with Not_found -> z),s,ty) acc)*)
	      f.function_writes empty in
	    { reads = reads; assigns = writes; 
	      reads_var = f.function_reads_var; 
	      assigns_var = f.function_writes_var;
	      (* TODO: consider pointer arguments written by function *)
	      reads_under_pointer = HeapVarSet.empty;
	      assigns_under_pointer = HeapVarSet.empty; } 
	| _ -> expr ~with_local e
      in

      List.fold_left 
	(fun ef arg -> ef_union (expr ~with_local arg) ef) ef el
  | NEcond (e1, e2, e3) ->
      ef_union (ef_union (expr ~with_local e1) 
		  (expr ~with_local e2))
	(expr ~with_local e3)
  | NEcast (_, e) ->
      expr ~with_local e
  | NEmalloc (_, e) ->
      if no_alloc_table then
	expr ~with_local e
      else
	assigns_add_alloc (expr ~with_local e)

(* effects for [e = ...] *)
and assign_expr ?(with_local=false) e = match e.nexpr_node with
  | NEvar (Var_info v) -> 
      if with_local || v.var_is_static
      then assigns_add_var v v.var_why_type ef_empty
      else ef_empty
  | NEvar (Fun_info _) ->
      ef_empty
  | NEunary (Ustar,_) -> assert false
  | NEarrow (e1,_z, f) ->
      let ef = assigns_add_field_var f (type_why e1)
	  (expr ~with_local e1) in
      let ef = ef_union ef (assign_under_pointer e1) in
      (* [alloc] not used when the alloc table is dropped *)
      if no_alloc_table then ef else reads_add_alloc ef 
  | NEcast (_, e1) ->
      assign_expr ~with_local e1
  | _ -> 
      assert false (* not a left value *)

and reads_under_pointer e = match e.nexpr_node with
  | NEvar (Var_info v) ->
      reads_add_under_pointer v v.var_why_type ef_empty
  | NEbinary (e1,Badd_pointer_int,_) ->
      reads_under_pointer e1
  | NEcast (_, e1) ->
      reads_under_pointer e1
  | _ -> ef_empty

and assign_under_pointer e = match e.nexpr_node with
  | NEvar (Var_info v) ->
      assigns_add_under_pointer v v.var_why_type ef_empty
  | NEbinary (e1,Badd_pointer_int,_) ->
      assign_under_pointer e1
  | NEcast (_, e1) ->
      assign_under_pointer e1
  | _ -> ef_empty (* TODO: encode in some way the fact some pointer was
		     assigned *)

(* effects for [&e] *)
(*
and address_expr e = match e.nexpr_node with
  | NEvar v -> 
      begin match e.nexpr_type.Ctypes.ctype_node with
	| Tstruct _ | Tunion _ -> assert false (* ef_empty *)
	| _ -> ef_empty (* unsupported "& operator" *)
      end
  | NEarrow (e1,z, f) ->
      begin match e1.nexpr_type.Ctypes.ctype_node with
	| Tenum _ | Tint _ | Tfloat _ -> expr e1
	| _ -> reads_add_field_var f (type_why e1) (expr e1)
      end
 (* | NEcast (_, e1) ->
      address_expr e1*)
  | _ -> 
      assert false (* not a left value *)
*)

let rec statement ?(with_local=false) s = match s.nst_node with
  | NSnop
  | NSbreak
  | NScontinue
  | NSlogic_label _
  | NSreturn None 
  | NSgoto _ ->
      ef_empty
  | NSexpr e -> 
      expr ~with_local e
  | NSif (e, s1, s2) -> 
      ef_union (expr ~with_local e)
	(ef_union (statement ~with_local s1)
	   (statement ~with_local s2))
  | NSwhile (annot, e, s)
  | NSdowhile (annot, s, e) ->
      ef_union (loop_annot annot) 
	(ef_union (statement ~with_local s)
	   (expr ~with_local e))
  | NSfor (annot, e1, e2, e3, s) ->
      ef_union (loop_annot annot) 
	(ef_union (ef_union (expr ~with_local e1)
		     (expr ~with_local e2))
	   (ef_union (expr ~with_local e3)
	      (statement ~with_local s)))
  | NSblock bl ->
      block ~with_local bl
  | NSreturn (Some e) ->
      expr ~with_local e
  | NSlabel (_, s) ->
      statement ~with_local s
  | NSswitch (e, _used_cases, case_list) -> 
      List.fold_left
	(fun ef (_cases,bl) ->
	   List.fold_left 
	     (fun ef i -> ef_union ef (statement ~with_local i))
	     ef bl)
	(expr ~with_local e)
	case_list
  | NSassert p | NSassume p ->
      predicate p
  | NSspec (sp, s) ->
      ef_union (spec sp) (statement ~with_local s)
  | NSdecl (_, _, i,rem) -> 
      ef_union (initializer_option ~with_local i)
	(statement ~with_local rem)

and block ?(with_local=false) sl =
(*  let local_decl d = match d.node with
    | Ndecl (_, _, i) -> initializer_option i
    | Ntypedecl _ -> ef_empty
    | _ -> ef_empty (* unsupported local declaration *)
  in*)
  List.fold_left
    (fun ef s -> ef_union (statement ~with_local s) ef)
(*    (List.fold_left (fun ef d -> ef_union (local_decl d) ef) ef_empty dl)*)
    ef_empty
    sl

and initializer_ ?(with_local=false) = function
  | Iexpr e -> 
      expr ~with_local e
  | Ilist il -> 
      List.fold_left (fun ef i -> ef_union
	  (initializer_ ~with_local i) ef) ef_empty il

and initializer_option ?(with_local=false) = function
  | None -> ef_empty
  | Some i -> initializer_ ~with_local i

(* first pass: declare invariants and computes effects for logics *)


let rec ctype ty =
  ctype_node ty.Ctypes.ctype_node

and ctype_node = function
  | Tvoid -> sprintf "void"
  | Tint _ -> sprintf "int"
  | Tfloat _ -> sprintf "float"
  | Ctypes.Tvar s -> sprintf "%s" s
  | Tarray (_,ty, _) -> sprintf "%s" (ctype ty)
  | Tpointer (_,ty) -> sprintf "%s_Pointer" (ctype ty)
  | Tstruct s -> sprintf "%s" s;
  | Tunion s -> sprintf "%s" s
  | Tenum s -> sprintf "%s" s
  | Tfun _ -> assert false
		   
let global_var = ref [] 

let invariant_for_global loc v =
  if List.mem v !global_var then []
  else
    let form =
      List.fold_left 
	(fun p x ->
	   ("separation_" ^ (ctype v.var_type) ^ "_" ^ (ctype x.var_type),
	    "separation_"^v.var_name^"_"^x.var_name,
	    Cseparation.separation loc v x,
	    HeapVarSet.add v (HeapVarSet.singleton x)) :: p) 
	[] !global_var 
    in 
    global_var := v::!global_var;
    form
    
let not_a_constant_value loc = error loc "is not a constant value"

let unop = function
  | Ustar -> Clogic.Ustar
  | Uamp -> Clogic.Uamp
  | Utilde -> Clogic.Utilde
  | Ufloat_of_int -> Clogic.Ufloat_of_int
  | Uint_of_float -> Clogic.Uint_of_float
  | Ufloat_conversion -> Clogic.Ufloat_conversion
  | Uminus -> Clogic.Uminus
  | Uplus | Unot | Uint_conversion -> assert false

let rec term_of_expr e =
  let make n = 
    { nterm_node = n; nterm_type = e.nexpr_type; nterm_loc = e.nexpr_loc}
  in
  match e.nexpr_node with 
  | NEconstant e -> make (NTconstant e)
  | NEvar (Var_info info) -> make (NTvar info)
  | NEarrow (nlvalue,z,var_info) -> 
      make (NTarrow (term_of_expr nlvalue,z, var_info))
  | NEunary (Uplus, nexpr) -> 
      term_of_expr nexpr
  | NEunary (Unot, nexpr) -> 
      make (NTif (term_of_expr nexpr, 
		  make (NTconstant (IntConstant "0")), 
		  make (NTconstant (IntConstant "1"))))
  | NEunary (Uint_conversion, e) ->
      term_of_expr e
  | NEunary (op, nexpr) ->  
      make (NTunop (unop op, term_of_expr nexpr))  
  | NEbinary (e1, op, e2) ->
      begin
	match e1.nexpr_node, e2.nexpr_node, op with
	  | _, _, Badd | _, _, Badd_int _ | _, _, Badd_float _
	  | _, _, Badd_pointer_int ->
	      make (NTbinop(term_of_expr e1, Clogic.Badd, term_of_expr e2))
	  | _, _, Bsub | _, _, Bsub_int _ | _, _, Bsub_float _
	  | _, _, Bsub_pointer -> 
	      make (NTbinop(term_of_expr e1, Clogic.Bsub, term_of_expr e2))
	  | _, _, Bmul | _, _, Bmul_int _ | _, _, Bmul_float _ -> 
	      make (NTbinop(term_of_expr e1, Clogic.Bmul, term_of_expr e2))
	  | _, _, Bdiv | _, _, Bdiv_int _ | _, _, Bdiv_float _ -> 
	      make (NTbinop(term_of_expr e1, Clogic.Bdiv, term_of_expr e2))
	  | _, _, Bmod | _, _, Bmod_int _ ->  
	      make (NTbinop(term_of_expr e1, Clogic.Bmod, term_of_expr e2))
	  | NEconstant (IntConstant e1), NEconstant (IntConstant e2), Beq_int 
	  | NEconstant (RealConstant e1), NEconstant (RealConstant e2), 
	    Beq_float _
	  | NEconstant (IntConstant e1), NEconstant (IntConstant e2), 
	    Beq_pointer  ->
	      if e1 = e2 then make (NTconstant (IntConstant "0"))
	      else make (NTconstant (IntConstant "1"))
	  | NEconstant (IntConstant e1), NEconstant (IntConstant e2), Bneq_int 
	  | NEconstant (RealConstant e1), NEconstant (RealConstant e2), 
	    Bneq_float _
	  | NEconstant (IntConstant e1), NEconstant (IntConstant e2), 
	    Bneq_pointer  ->
	      if e1 = e2 then make (NTconstant (IntConstant "1"))
	      else make (NTconstant (IntConstant "0"))
	  | NEconstant (IntConstant e1), NEconstant (IntConstant e2), Blt_int 
	  | NEconstant (RealConstant e1), NEconstant (RealConstant e2), 
	    Blt_float _
	  | NEconstant (IntConstant e1), NEconstant (IntConstant e2), 
	    Blt_pointer  ->
	      if e1 < e2 then make (NTconstant (IntConstant "0"))
	      else make (NTconstant (IntConstant "1"))
	  | NEconstant (IntConstant e1), NEconstant (IntConstant e2), Bgt_int 
	  | NEconstant (RealConstant e1), NEconstant (RealConstant e2), 
	    Bgt_float _
	  | NEconstant (IntConstant e1), NEconstant (IntConstant e2), 
	    Bgt_pointer  ->
	      if e1 > e2 then make (NTconstant (IntConstant "0"))
	      else make (NTconstant (IntConstant "1"))
	  | NEconstant (IntConstant e1), NEconstant (IntConstant e2), Ble_int 
	  | NEconstant (RealConstant e1), NEconstant (RealConstant e2), 
	    Ble_float _
	  | NEconstant (IntConstant e1), NEconstant (IntConstant e2), 
	    Ble_pointer  ->
	      if e1 <= e2 then make (NTconstant (IntConstant "0"))
	      else make (NTconstant (IntConstant "1"))
	  | NEconstant (IntConstant e1), NEconstant (IntConstant e2), Bge_int 
	  | NEconstant (RealConstant e1), NEconstant (RealConstant e2), 
	    Bge_float _
	  | NEconstant (IntConstant e1), NEconstant (IntConstant e2), 
	    Bge_pointer  ->
	      if e1 >= e2 then make (NTconstant (IntConstant "0"))
	      else make (NTconstant (IntConstant "1"))
	  | _, _, Beq | _, _, Beq_int | _, _, Beq_float _ | _, _, Beq_pointer 
	  | _, _, Blt | _, _, Blt_int | _, _, Blt_float _ | _, _, Blt_pointer
	  | _, _, Bgt | _, _, Bgt_int | _, _, Bgt_float _ | _, _, Bgt_pointer
	  | _, _, Ble | _, _, Ble_int | _, _, Ble_float _ | _, _, Ble_pointer
	  | _, _, Bge | _, _, Bge_int | _, _, Bge_float _ | _, _, Bge_pointer
	  | _, _, Bneq | _, _, Bneq_int | _, _, Bneq_float _
	  | _, _, Bneq_pointer
	  | _, _, Bbw_and
	  | _, _, Bbw_xor
	  | _, _, Bbw_or
	  | _, _, Band
	  | _, _, Bor
	  | _, _, Bshift_left
	  | _, _, Bshift_right -> error e.nexpr_loc "not a constant value"
      end
  | NEcond (e1, e2, e3) ->
      make (NTif (term_of_expr e1, term_of_expr e2, term_of_expr e3))
  | NEcast (ty, e) ->
      make (NTcast (ty, term_of_expr e))
  | NEvar (Fun_info _)
  | NEcall _ 
  | NEincr (_, _)
  | NEassign_op (_, _, _)
  | NEassign (_, _) 
  | NEseq (_, _)
  | NEstring_literal _
  | NEnop -> 
      not_a_constant_value e.nexpr_loc
  | NEmalloc _ ->
      error e.nexpr_loc "not a side-effects free expression"

let noattr loc ty e =
  { nterm_node = e;
    nterm_type = ty;
    nterm_loc  = loc;
  }

let rec pop_initializer loc t i =
  let mk node ty = { nterm_node = node; nterm_type = ty; nterm_loc = loc } in
  match i with 
    | [] -> { nterm_node = 
	       (match t.Ctypes.ctype_node with
		  | Tint _ | Tenum _ -> 
		      NTconstant(IntConstant "0")
		  | Tfloat _ -> 
		      NTunop (Clogic.Ufloat_conversion,
			      mk (NTconstant(RealConstant "0.0")) c_real)
		  | Tpointer _ -> 
		      NTcast (t, mk (NTconstant (IntConstant "0")) c_int)
		  | _ -> 
		      assert false);
	      nterm_type = t;
	      nterm_loc  = loc;
	    },[]
    | (Iexpr e)::l -> term_of_expr e,l
    | (Ilist [])::l -> pop_initializer loc t l
    | (Ilist l)::l' -> 
	let e,r = pop_initializer loc t l in e,r@l'

let rec invariant_for_constant loc t lvalue initializers =
  match t.Ctypes.ctype_node with
    | Tint _ | Tfloat _ | Tpointer _ | Tenum _ -> 
	let x,l = pop_initializer loc t initializers in
	nprel (lvalue, Eq, x), l
    | Tstruct n ->
	begin match tag_type_definition n with
	  | TTStructUnion (Tstruct _, fl) ->
	      List.fold_left 
		(fun (acc,init) f -> 
		   let tyf = f.var_type in
		   let tyf =  { tyf with
		     Ctypes.ctype_const = tyf.Ctypes.ctype_const 
					  || t.Ctypes.ctype_const;
		   }  in 
		   let block, init' =
		     invariant_for_constant loc tyf 
		       (Cseparation.in_struct lvalue f) init
		   in 
		   if tyf.Ctypes.ctype_const then
		     (npand (acc,block),init')
		   else
		     (acc,init'))
		(nptrue,initializers)  fl
	  | _ ->
	      assert false
	end
    | Tunion n ->
	begin match tag_type_definition n with
	  | TTStructUnion (Tstruct (_), f::_) ->
	      let zone = Cnorm.find_zone_for_term lvalue in
	      let () = type_why_new_zone zone f in
	      let block, init' =
		 invariant_for_constant loc f.var_type 
		  (noattr loc f.var_type 
		     (NTarrow(lvalue,zone, f)))
		  initializers
	      in (block,init')
	  | _ ->
	      assert false
	end
    | Tarray (_,ty,Some t) ->
	let rec init_cells i (block,init) =
	  if i >= t then (block,init)
	  else
	    let ts = (noattr loc c_int 
			(NTconstant (IntConstant (Int64.to_string i)))) in
	    let shift = 
	      noattr loc 
		{ty with Ctypes.ctype_node = (Tpointer (Not_valid,ty)) }
		(NTbinop (lvalue,Clogic.Badd, ts))
	    in
	    let e =
	      match ty.Ctypes.ctype_node with
		| Tstruct _ | Tunion _ -> shift
		| _ ->
		    let info = make_field ty in
		    let info = declare_arrow_var info in
		    let zone = find_zone_for_term lvalue in
		    let () = type_why_new_zone zone info in
		    noattr loc ty 
		      (NTarrow
			 (shift, zone,info))
	    in
	    let (b,init') = 
	      invariant_for_constant loc ty e init 
	    in
	    init_cells (Int64.add i Int64.one) (npand (block,b),init')
	in
	init_cells Int64.zero (nptrue,initializers)
    | Tarray (_,_ty,None) -> assert false
    | Tfun (_, _) -> assert false
    | Tvar _ -> assert false
    | Tvoid -> nptrue,initializers 

let rec has_constant_values ty = match ty.Ctypes.ctype_node with
  | Tvoid | Tint _ | Tfloat _ | Tenum _ | Tpointer _ ->
      ty.Ctypes.ctype_const
  | Tstruct n -> 
      ty.Ctypes.ctype_const ||
      (match tag_type_definition n with
	 | TTStructUnion (Tstruct _, fl) -> 
	     List.exists (fun f -> has_constant_values f.var_type) fl
	 | _ -> assert false)
  | Tarray (_,ty', _) -> has_constant_values ty'
  | Tunion _ | Tfun _ | Tvar _ -> false

let diff _loc x y = 
  nprel ( x, Neq,  y)
	  
let rec validity x ty size =
  match ty.Ctypes.ctype_node with
    | Tarray (_,ty', Some size') ->
	let i = default_var_info "counter" in
	set_var_type (Var_info i) c_int false;
	let vari = { nterm_node = NTvar i; 
		     nterm_loc = x.nterm_loc;
		     nterm_type = c_int;
		     } in
	let j = default_var_info "counter2" in
	let varj = { nterm_node = NTvar j; 
		     nterm_loc = x.nterm_loc;
		     nterm_type = c_int;
		     } in	  
	let term_sup = { nterm_node = 
   	                   NTconstant (IntConstant 
					 (Int64.to_string (Int64.pred size))); 
			 nterm_loc = x.nterm_loc;
			 nterm_type = c_int;
			 } in
	let ineq = npand 
		     (nprel (Cnorm.nzero, Le, vari),
		      nprel (vari, Lt, 
			       term_sup)) in	
	let jneq = npand 
		     (nprel (Cnorm.nzero, Le, varj),
		      nprel (varj, Lt, 
			     term_sup)) in
	let (pre1,pre2) = validity 
			(noattr x.nterm_loc ty 
			   (NTbinop (x,Clogic.Badd,vari)))
					     ty' size' in
	(npand (
	  npvalid_range (x, Cnorm.nzero,term_sup),
	  make_forall 
	    [c_int,i]
	    (make_implies ineq pre1)),
	 make_forall 
	   [(c_int,j); (c_int,i)]
	   (make_implies
	      (npand (npand (ineq,jneq),
		      diff x.nterm_loc vari varj))
	      (npand (diff x.nterm_loc 
			(noattr x.nterm_loc ty 
			   (NTbinop (x,Clogic.Badd,vari)))
			(noattr x.nterm_loc ty 
			   (NTbinop (x,Clogic.Badd,varj))),
		      pre2))))
    | _ ->  
	let term_sup = { nterm_node = 
	                   NTconstant 
	                     (IntConstant (Int64.to_string (Int64.pred size)));
			 nterm_loc = x.nterm_loc;
			 nterm_type = c_int;
			 } in
      npvalid_range (x, Cnorm.nzero,term_sup), nptrue

let decl d =
  match d.Cast.node with
    | Nlogic(id,ltype) -> 
	let l = logic_type ltype in
	lprintf 
	  "effects of logic declaration of %s: @[%a %a@]@." id.logic_name
	  print_effects l.reads_var print_effects2 l.reads;
	id.logic_heap_args <- l.reads_var;
	id.logic_heap_zone <- l.reads
    | Ninvariant(id,p) -> 
	add_weak_invariant id p
    | Ninvariant_strong(id,p) -> 
	let pre = (predicate p) in 
	lprintf 
	  "effects of strong invariant %s: @[reads_var : %a  reads :%a@]@." id
	  print_effects pre.reads_var print_effects2 pre.reads;
	add_invariants_for_struct id p pre	  
    | Ndecl(ty,v,init) when ty.Ctypes.ctype_storage <> Extern -> 
	begin
	  match ty.Ctypes.ctype_node with
	    | Tvoid -> ()
	    | Tint _| Tfloat _ | Tpointer _ | Tenum _ -> ()
	    | Tvar _s -> ()
	    | Tfun _ -> ()
	    | Tunion _ -> ()
	    | Tarray (_,_,None) -> 
		if ty.ctype_ghost then () else assert false
	    | Tstruct _ -> assert false
	    | Tarray (_,typ, Some s) ->
		lprintf "adding implicit invariant for type of %s@." 
		 v.var_name;
		let t = { nterm_node = NTvar v; 
			  nterm_loc = d.loc;
			  nterm_type = ty ;
			} in
		let name1 = "predicate_for_" ^ v.var_name in
		let pre1,_ = validity t typ s in
		add_strong_invariant name1 pre1 
		  {ef_empty with reads_var =(HeapVarSet.singleton v)};
		List.iter 
		  (fun (x1,x2,p,y) -> 
		     add_strong_invariant x2 p {ef_empty with reads_var = y};
		    add_strong_invariant_2 x1 p [])
		  (invariant_for_global d.loc v);
	end;
	
	let init = (match init with | None -> [] | Some l -> [l]) in
	if has_constant_values ty then begin
	  lprintf "adding implicit invariant for constant %s@." v.var_name;
	  let id = "constant_" ^ v.var_name in
	  let t = {nterm_node = NTvar v; 
		   nterm_loc = Loc.dummy_position;
		   nterm_type = ty ;
		     } in
	  let (pre,_) = invariant_for_constant d.loc ty t init in
	  add_strong_invariant_2 id pre [] ;
	  add_strong_invariant id pre 
	    {ef_empty with reads_var = (HeapVarSet.singleton v)}
	end;
    | Ndecl(_ty,_v,_init) -> () (* nothing to do for extern var *)	
    | Naxiom(_id,_p) -> () (* TODO *)
    | Ntypedef(_ctype,_id) -> () 
    | Ntypedecl(_ctype) -> ()
    | Ntype _ -> ()

let file l = List.iter decl l

(* second pass: compute functions effects as a fixpoint *)

let warnings = Queue.create ()

let functions fun_list  = 
  let fixpoint = ref true in
  let declare id ef =
    lprintf "previous effects for function %s: reads %a %a writes %a %a@." id.fun_name 
      print_effects id.function_reads_var print_effects2 id.function_reads print_effects id.function_writes_var print_effects2 id.function_writes;
(*
    lprintf "effects for function %s before invariants: reads %a %a writes %a %a@." 
      id.fun_name print_effects ef.reads_var print_effects2 ef.reads print_effects ef.assigns_var print_effects2 ef.assigns;
*)
    let ef  = 
      ef_union
	(ef_union
	   (weak_invariants_for ef)
	   (strong_invariants_for ef)) 
	(ef_union ef { reads = id.function_reads ;
		       reads_var = id.function_reads_var;
		       assigns = id.function_writes;
		       assigns_var = id.function_writes_var;
		       (* TODO: consider pointer params written by function *)
		       reads_under_pointer = HeapVarSet.empty;
		       assigns_under_pointer = HeapVarSet.empty; })
    in
    lprintf "effects for function %s: reads %a %a writes %a %a@." id.fun_name 
      print_effects ef.reads_var print_effects2 ef.reads print_effects ef.assigns_var print_effects2 ef.assigns;
    if not (HeapVarSet.subset ef.reads_var id.function_reads_var) then begin
      fixpoint := false;
      lprintf "effects for function %s: reads_var changed@." id.fun_name;
      id.function_reads_var <- ef.reads_var
    end;
    if not (ZoneSet.subset ef.reads id.function_reads) then begin
      fixpoint := false;
      lprintf "effects for function %s: reads changed@." id.fun_name;
      id.function_reads <- ef.reads;
    end;
    if not (HeapVarSet.subset ef.assigns_var id.function_writes_var) then begin
      fixpoint := false;
      lprintf "effects for function %s: assigns_var changed@." id.fun_name;
      id.function_writes_var <- ef.assigns_var;
    end;
    if not (ZoneSet.subset ef.assigns id.function_writes) then begin
      fixpoint := false;
      lprintf "effects for function %s: assigns changed@." id.fun_name;
      id.function_writes <- ef.assigns;
    end
  in
  let decl f  = 
    let (sp,_,id,s,loc) = find_c_fun f.fun_name in
    let ef_spec = spec sp in
    let ef = 
(*      if (verify id.fun_name) && s <> None then*)
      begin 
	match s with 
	  | None -> ef_spec
	  | Some s -> 
  	      let ef_body = statement s in
	      begin match sp.Clogic.assigns with
		| None -> 
		    (*no assigns given by user:
		      emit a warning if some side-effects have been detected *)
		    if id <> Cinit.invariants_initially_established_info &&
		      not ((ZoneSet.is_empty ef_body.assigns) && 
			     (HeapVarSet.is_empty ef_body.assigns_var)) then
			Queue.add 
			  (loc,
			   "function " ^ id.fun_name ^ 
			     " has side-effects but no 'assigns' clause given")
			  warnings
		| Some _ -> 
		    (* some assigns given by user:
		       emit a warning if side-effects of spec differs from 
		       side-effects of body *) 
		    if not ((ZoneSet.equal ef_spec.assigns ef_body.assigns) &&
			      (HeapVarSet.equal 
				 ef_spec.assigns_var ef_body.assigns_var))
		    then begin 
		      Queue.add 
			(loc,
			 "'assigns' clause for function " ^ id.fun_name ^
			   " do not match side-effects of its body ")
			warnings		    
		    end
	      end;
	      ef_union ef_spec ef_body
      end
(*      else
	ef_spec*)
    in
    declare id ef
  in
  List.iter decl fun_list (*dl*);
  !fixpoint
    
let effect  _nfiles fun_list =
  while not (functions [Cinit.invariants_initially_established_info]) 
  do 
    Queue.clear warnings
  done;
  List.iter (fun _f ->
	       while not (functions fun_list) 
	       do 
		 Queue.clear warnings
	       done) 
    fun_list 


(*
Local Variables: 
compile-command: "make -j -C .. bin/caduceus.byte"
End: 
*)
why-2.34/COPYING0000644000175000017500000000122512311670312011650 0ustar  rtusersThe Why platform for program certification
Copyright (C) 2002-2008
  Romain BARDOU
  Jean-François COUCHOT
  Mehdi DOGGUY
  Jean-Christophe FILLIÂTRE
  Thierry HUBERT
  Claude MARCHÉ
  Yannick MOY
  Christine PAULIN
  Yann RÉGIS-GIANAS
  Nicolas ROUSSET
  Xavier URBAIN

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU Library General Public License version 2.1,
with the special exception on linking described in file LICENSE.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

why-2.34/INSTALL0000644000175000017500000000132512311670312011647 0ustar  rtusers
INSTALLATION
============

  You need Objective Caml >= 3.08 to compile the sources.
 
  To compile the graphical user interface gwhy (optional) you also need the 
  Lablgtk2 library (http://wwwfun.kurims.kyoto-u.ac.jp/soft/olabl/lablgtk.html)
  There is a Debian package (liblablgtk2-ocaml-dev).

  1. Configure with "./configure"

  2. Compile with "make".  

  2. Install with "make install".  You may need superuser permissions.


If you are willing to use Coq (more precisely if Coq is detected when
running ./configure), you need Coq >= 7.4.


If you are willing to verify floating-point C programs using Coq, you
need to install the Coq library on floating-point arithmetic available at
http://flocq.gforge.inria.fr/
why-2.34/bench/0000755000175000017500000000000012311670312011674 5ustar  rtuserswhy-2.34/bench/good/0000755000175000017500000000000012311670312012624 5ustar  rtuserswhy-2.34/bench/good/poly_why.v0000644000175000017500000000114612311670312014667 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Export Why.

(*Why type*) Definition t: Set ->Set.
Admitted.

(*Why logic*) Definition f : forall (A1:Set), A1 -> (t A1).
Admitted.
Implicit Arguments f.

(* Why obligation from file ".", line 0, characters 0-0: *)
(*Why goal*) Lemma p_po_1 : 
  forall (result: bool),
  forall (HW_1: result = true),
  (if result then (forall (result:Z), (result = 1 -> result = 1))
   else (forall (result:Z), (result = 2 -> result = 1))).
Proof.
destruct result; intuition.
discriminate HW_1.
Save.


why-2.34/bench/good/wpcalls_why.v0000644000175000017500000000061512311670312015351 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.





(* Why obligation from file "wpcalls.mlw", line 12, characters 13-23: *)
(*Why goal*) Lemma p_po_1 : 
  forall (x0: Z),
  forall (x: Z),
  forall (HW_1: x = (1 - x0)),
  forall (x1: Z),
  forall (HW_2: x1 = (1 - x)),
  x1 = x0.
Proof.
intuition.
Save.

why-2.34/bench/good/loops.mlw0000644000175000017500000000077612311670312014513 0ustar  rtusers
(** 1. A loop increasing [i] up to 10. *)

parameter i : int ref

let loop1 (u:unit) = 
  { i <= 10 }
  while !i < 10 do
    { invariant i <= 10 variant 10-i }
    i := !i + 1
  done
  { i = 10 }


(** 2. The same loop, followed by a function call. *)

parameter x: int ref

let oppose (u:unit) = x := - !x { x = -x@ }

let loop2 (u:unit) = 
  { x <= 10 }
  begin
    while !x < 10 do { invariant x <= 10 variant 10-x } x := !x + 1 done
    { x = 10 };
    if !x > 0 then (oppose void) 
    { x = -10 }
  end
why-2.34/bench/good/inductive.mlw0000644000175000017500000000200712311670312015336 0ustar  rtusersinductive isfib: int, int -> prop =
| isfib0: isfib(0,0) 
| isfib1: isfib(1,1)
| isfibn: forall n:int. forall p:int. forall q:int. 
            n >= 0 and isfib(n,p) and isfib(n+1,q) -> isfib(n+2, p+q)

goal fib0: isfib(0,0)
goal fib1: isfib(1,1)
goal fib2: isfib(2,1)
goal fib6: isfib(6,8)
goal neg_fib2: not isfib(2,2)
goal neg_fib5: not isfib(5,6)

let rec fib (n:int) : int { variant n } =
  { n >= 0 }
  if 0<=n && n<=1 then n else
    (fib (n-1)) + (fib (n-2))
  { isfib(n,result) }

(*
inductive isfib': int, int -> prop =
| isfib'0: isfib'(0,0) 
| isfib'1: isfib'(1,1)
| isfib'n: forall n:int. forall p:int. forall q:int. forall r:int.
            n >= 2 and isfib'(n-2,p) and isfib'(n-1,q) and p+q=r -> isfib'(n, r)

goal fib'2: isfib'(2,1)
goal fib'2: isfib'(2,1)
goal fib'2: isfib'(2,1)
goal fib'6: isfib'(6,8)
goal neg_fib'2: not isfib'(2,2)
goal neg_fib'5: not isfib'(5,6)

let rec fib' (n:int) : int { variant n } =
  { n >= 0 }
  if 0<=n && n<=1 then n else
    (fib' (n-1)) + (fib' (n-2))
  { isfib'(n,result) }
*)
why-2.34/bench/good/exns.mlw0000644000175000017500000000415312311670312014325 0ustar  rtusers
(* exception without argument *)

exception E

let p1 () = (raise E : unit) { false | E => true }

(* exception with an argument *)

exception F of int

let p2 () = raise (F 1) : unit { false | F => result = 1 }

let p2a () = 
  raise (F (raise E : int)) : unit { false | E => true | F => false }

(* composition of exceptions with other constructs *)

let p3 () = 
  begin raise (F 1); raise (F 2) : unit end { false | F => result = 1 }

let p4 () = 
  (if true then raise (F 1) : unit else raise (F 2) : unit) 
  { false | F => result = 1 }

let p5 () = 
  begin
    if true then raise (F 1);
    raise E : unit
  end
  { false | E => false | F => result = 1 }

let p6 () = 
  begin
    if false then raise (F 1);
    raise E : unit
  end
  { false | E => true | F => false }

(* composition of exceptions with side-effect on a reference *)

parameter x : int ref

let p7 () = 
  begin x := 1; raise E; x := 2 end { false | E => x = 1 }

let p8 () = 
  begin x := 1; raise (F !x); x := 2 end 
  { false | F => x = 1 and result = 1 }

let p9 () = 
  (raise (F begin x := 1; !x end) : unit) 
  { false | F => x = 1 and result = 1 }

(* try / with *)

let p10 () = (try raise E : int with E -> 0 end) { result = 0 }

let p11 () = (try raise (F 1) : int with F x -> x end) { result = 1 }

let p12 () = 
  try 
    begin raise E; raise (F 1); 1 end
  with E -> 2
     | F x -> 3
  end
  { result = 2 }

let p13 () = 
  try 
    begin raise E; raise (F 1); x := 1 end
  with E -> x := 2
     | F _ -> x := 3
  end
  { x = 2 }

let p13a () =
  try
    (if !x = 1 then raise E) 
    { true | E => x = 1 }
  with E ->
    x := 0
  end
  { x <> 1 }

exception E1 
exception E2
exception E3

let p14 () = 
  begin
    if !x = 1 then raise E1;
    if !x = 2 then raise E2;
    if !x = 3 then raise E3;
    raise E : unit
  end
  { false | E1 => x = 1 | E2 => x = 2 | E3 => x = 3 
  | E => x <> 1 and x <> 2 and x <> 3 }

let p15 () = if !x = 0 then raise E else (x := 0; raise (F !x))
              { false | E => x=0 | F => result=0 }

let p16 () = if !x = 0 then (x:=1; raise E) { x<>0 | E => x=1 }

let p17 () = (x := 0; (raise E; x := 1)) { false | E => x=0 }
why-2.34/bench/good/see.mlw0000644000175000017500000000051312311670312014120 0ustar  rtusers
axiom mult_1_1 : 1 * 1 = 1

(* Side effect in expressions (Bart Jacobs' tricky example) *)

parameter b, b1, b2 : int ref

let f () = 
  begin b := 1 - !b; !b end { result = b and b = 1 - b@ }

let k () = 
  begin
    b := 0;
    b1 := (1 - (f void)) + (f void);
    b2 := (f void) * (1 - (f void)) 
  end
  { b1 = 0 and b2 = 1 }
why-2.34/bench/good/opaque.mlw0000644000175000017500000000010112311670312014627 0ustar  rtusers
parameter x : int ref

let p () = (x := 1) {{ true }} { x = 1 }
why-2.34/bench/good/po_why.v0000644000175000017500000002247412311670312014331 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.
Require Import Omega.

(*Why logic*) Definition q : Z -> Prop.
Admitted.

(* Why obligation from file "po.mlw", line 10, characters 47-51: *)
(*Why goal*) Lemma p1_po_1 : 
  forall (x: Z),
  forall (HW_1: (q (x + 1))),
  forall (x0: Z),
  forall (HW_2: x0 = (x + 1)),
  (q x0).
Proof.
intuition.
subst; trivial.
Save.

(* Why obligation from file "po.mlw", line 12, characters 44-48: *)
(*Why goal*) Lemma p2_po_1 : 
  forall (HW_1: (q 7)),
  forall (x: Z),
  forall (HW_2: x = (3 + 4)),
  (q x).
Proof.
intuition.
subst; trivial.
Save.

(* Why obligation from file "po.mlw", line 14, characters 49-59: *)
(*Why goal*) Lemma p3_po_1 : 
  forall (x0: Z),
  forall (x: Z),
  forall (HW_1: x = (x0 + 1)),
  forall (x1: Z),
  forall (HW_2: x1 = (x + 2)),
  x1 = (x0 + 3).
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 16, characters 44-50: *)
(*Why goal*) Lemma p4_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 7),
  forall (x0: Z),
  forall (HW_2: x0 = (2 * x)),
  x0 = 14.
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 18, characters 22-32: *)
(*Why goal*) Lemma p5_po_1 : 
  (3 + 4) = 7.
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 20, characters 35-45: *)
(*Why goal*) Lemma p6_po_1 : 
  (3 + 4) = 7.
Proof.
intuition.
Save.



(* Why obligation from file "po.mlw", line 22, characters 41-52: *)
(*Why goal*) Lemma p7_po_1 : 
  (3 + (4 + 4)) = 11.
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 27, characters 47-71: *)
(*Why goal*) Lemma p8_po_1 : 
  forall (x: Z),
  forall (HW_1: (q (x + 1))),
  forall (x0: Z),
  forall (HW_2: x0 = (x + 1)),
  ((q x0) /\ (3 + x0) = (x + 4)).
Proof.
intuition.
subst; auto.
Save.

(* Why obligation from file "po.mlw", line 32, characters 48-68: *)
(*Why goal*) Lemma p9_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 1),
  forall (x0: Z),
  forall (HW_2: x0 = 2),
  ((1 + 1) = 2 /\ x0 = 2).
Proof.
intuition.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "po.mlw", line 34, characters 41-61: *)
(*Why goal*) Lemma p9a_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 1),
  ((1 + 1) = 2 /\ x = 1).
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 40, characters 25-35: *)
(*Why goal*) Lemma p10_po_1 : 
  forall (result: Z),
  forall (HW_1: result = (0 + 1)),
  result = 1.
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 42, characters 39-49: *)
(*Why goal*) Lemma p11_po_1 : 
  forall (result: Z),
  forall (HW_1: result = (0 + 1)),
  forall (result0: Z),
  forall (HW_2: result0 = (3 + 1)),
  (result + result0) = 5.
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 44, characters 45-55: *)
(*Why goal*) Lemma p11a_po_1 : 
  forall (result: Z),
  forall (HW_1: result = (1 + 1)),
  (result + result) = 4.
Proof.
intuition.
Save.



(* Why obligation from file "po.mlw", line 50, characters 38-43: *)
(*Why goal*) Lemma p12_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 0),
  forall (x0: Z),
  forall (HW_2: x0 = (x + 1)),
  x0 = 1.
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 52, characters 52-62: *)
(*Why goal*) Lemma p13_po_1 : 
  forall (x0: Z),
  forall (x: Z),
  forall (HW_1: x = (x0 + 1)),
  forall (x1: Z),
  forall (HW_2: x1 = (x + 1)),
  x1 = (x0 + 2).
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 54, characters 37-47: *)
(*Why goal*) Lemma p13a_po_1 : 
  forall (x0: Z),
  forall (x: Z),
  forall (HW_1: x = (x0 + 1)),
  forall (x1: Z),
  forall (HW_2: x1 = (x + 1)),
  x1 = (x0 + 2).
Proof.
intuition.
Save.



(* Why obligation from file "po.mlw", line 60, characters 39-49: *)
(*Why goal*) Lemma p14_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 0),
  forall (result: Z),
  forall (x0: Z),
  forall (HW_2: x0 = (x + 1) /\ result = x0),
  result = 1.
Proof.
intuition.
Save.

(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A104:Set) (a1:(array A104)) (a2:(array A104)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A113:Set) (a1:(array A113)) (a2:(array A113))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

(* Why obligation from file "po.mlw", line 68, characters 38-42: *)
(*Why goal*) Lemma p15_po_1 : 
  forall (t: (array Z)),
  forall (HW_1: (array_length t) = 10),
  (0 <= 0 /\ 0 < (array_length t)).
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 70, characters 38-47: *)
(*Why goal*) Lemma p16_po_1 : 
  forall (t: (array Z)),
  forall (HW_1: (array_length t) = 10),
  (0 <= 9 /\ 9 < (array_length t)).
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 72, characters 59-63: *)
(*Why goal*) Lemma p17_po_1 : 
  forall (t: (array Z)),
  forall (HW_1: (array_length t) = 10 /\ 0 <= (access t 0) /\ (access t 0) <
                10),
  (0 <= 0 /\ 0 < (array_length t)).
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 72, characters 57-69: *)
(*Why goal*) Lemma p17_po_2 : 
  forall (t: (array Z)),
  forall (HW_1: (array_length t) = 10 /\ 0 <= (access t 0) /\ (access t 0) <
                10),
  forall (HW_2: 0 <= 0 /\ 0 < (array_length t)),
  forall (result: Z),
  forall (HW_3: result = (access t 0)),
  (0 <= result /\ result < (array_length t)).
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 75, characters 28-57: *)
(*Why goal*) Lemma p18_po_1 : 
  forall (t: (array Z)),
  forall (HW_1: (array_length t) = 10),
  forall (x: Z),
  forall (HW_2: x = 0),
  (0 <= x /\ x < (array_length t)).
Proof.
intuition.
Save.

(* Why obligation from file "po.mlw", line 75, characters 61-69: *)
(*Why goal*) Lemma p18_po_2 : 
  forall (t: (array Z)),
  forall (HW_1: (array_length t) = 10),
  forall (x: Z),
  forall (HW_2: x = 0),
  forall (HW_3: 0 <= x /\ x < (array_length t)),
  forall (t0: (array Z)),
  forall (HW_4: t0 = (update t x x)),
  (access t0 0) = x.
Proof.
intuition.
subst.
rewrite access_update; auto.
Save.

why-2.34/bench/good/booleans_why.v0000644000175000017500000000776312311670312015521 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export Why.

(* Why obligation from file "booleans.mlw", line 12, characters 4-14: *)
(*Why goal*) Lemma test_and_1_po_1 : 
  forall (x0: Z),
  forall (x: Z),
  forall (HW_1: x = (x0 + 1)),
  forall (result: Z),
  forall (HW_2: result = x),
  forall (HW_3: x > 0 /\ result = 1),
  x = 1.
Proof.
intuition.
Save.

(* Why obligation from file "booleans.mlw", line 12, characters 4-14: *)
(*Why goal*) Lemma test_and_1_po_2 : 
  forall (x0: Z),
  forall (x: Z),
  forall (HW_1: x = (x0 + 1)),
  forall (result: Z),
  forall (HW_2: result = x),
  forall (HW_4: x <= 0 \/ x > 0 /\ result <> 1),
  (0 + 1) = 1.
Proof.
intuition.
Save.

(* Why obligation from file "booleans.mlw", line 17, characters 4-14: *)
(*Why goal*) Lemma test_and_2_po_1 : 
  forall (x: Z),
  forall (HW_2: x <> 0),
  forall (result: Z),
  forall (HW_3: result = x),
  forall (HW_4: result >= 1 /\ x <= 1),
  x = 1.
Proof.
intuition.
Save.

(* Why obligation from file "booleans.mlw", line 17, characters 4-14: *)
(*Why goal*) Lemma test_and_2_po_2 : 
  forall (x: Z),
  forall (HW_2: x <> 0),
  forall (result: Z),
  forall (HW_3: result = x),
  forall (HW_5: result < 1 \/ result >= 1 /\ x > 1),
  (0 + 1) = 1.
Proof.
intuition.
Save.

(* Why obligation from file "booleans.mlw", line 21, characters 4-24: *)
(*Why goal*) Lemma test_or_1_po_1 : 
  forall (x0: Z),
  forall (x: Z),
  forall (HW_1: x = (x0 + 1)),
  forall (HW_2: x > 0 \/ x <= 0 /\ x < 0),
  forall (HW_3: 1 = 1),
  x <> 0.
Proof.
intuition.
Save.

(* Why obligation from file "booleans.mlw", line 21, characters 4-24: *)
(*Why goal*) Lemma test_or_1_po_2 : 
  forall (x0: Z),
  forall (x: Z),
  forall (HW_1: x = (x0 + 1)),
  forall (HW_4: x <= 0 /\ x >= 0),
  forall (HW_5: 2 = 1),
  x <> 0.
Proof.
intuition.
Save.

(* Why obligation from file "booleans.mlw", line 25, characters 4-20: *)
(*Why goal*) Lemma test_or_2_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 0 \/ x <> 0 /\ x = 1),
  (0 <= x /\ x <= 1).
Proof.
intuition.
Save.

(* Why obligation from file "booleans.mlw", line 25, characters 4-20: *)
(*Why goal*) Lemma test_or_2_po_2 : 
  forall (x: Z),
  forall (HW_2: x <> 0 /\ x <> 1),
  (0 <= 1 /\ 1 <= 1).
Proof.
intuition.
Save.

(* Why obligation from file "booleans.mlw", line 29, characters 4-9: *)
(*Why goal*) Lemma test_not_1_po_1 : 
  forall (x: Z),
  forall (HW_1: x <> 0),
  forall (x0: Z),
  forall (HW_2: x0 = 0),
  x0 = 0.
Proof.
intuition.
Save.

(* Why obligation from file "booleans.mlw", line 33, characters 36-42: *)
(*Why goal*) Lemma test_not_2_po_1 : 
  forall (x: Z),
  forall (HW_1: x <= 0),
  forall (x0: Z),
  forall (HW_2: x0 <= 0),
  forall (HW_3: x0 <> 0),
  forall (x1: Z),
  forall (HW_4: x1 = (x0 + 1)),
  x1 <= 0.
Proof.
intuition.
Save.

(* Why obligation from file "booleans.mlw", line 38, characters 4-24: *)
(*Why goal*) Lemma test_all_1_po_1 : 
  forall (x: Z),
  ((x >= 0 /\ x <> 0 \/ (x < 0 \/ x >= 0 /\ x = 0) /\ x >= 1 <-> x >= 1)).
Proof.
intuition.
Save.

(*Why logic*) Definition D : Z.
Admitted.

(* Why obligation from file "booleans.mlw", line 51, characters 3-28: *)
(*Why goal*) Lemma test_cd3d_po_1 : 
  forall (vx: Z),
  forall (vy: Z),
  forall (result: Z),
  forall (HW_1: result = (vx * vx)),
  forall (result0: Z),
  forall (HW_2: result0 = (vy * vy)),
  forall (result1: Z),
  forall (HW_3: result1 = (D * D)),
  forall (HW_4: vx = 0 /\ vy = 0 /\ (result + result0) < result1),
  forall (HW_5: 1 = 1),
  (vx = 0 /\ vy = 0).
Proof.
intuition.
Save.

(* Why obligation from file "booleans.mlw", line 51, characters 3-28: *)
(*Why goal*) Lemma test_cd3d_po_2 : 
  forall (vx: Z),
  forall (vy: Z),
  forall (result: Z),
  forall (HW_1: result = (vx * vx)),
  forall (result0: Z),
  forall (HW_2: result0 = (vy * vy)),
  forall (result1: Z),
  forall (HW_3: result1 = (D * D)),
  forall (HW_6: vx <> 0 \/ vx = 0 /\ (vy <> 0 \/ vy = 0 /\
                (result + result0) >= result1)),
  forall (HW_7: 2 = 1),
  (vx = 0 /\ vy = 0).
Proof.
intuition.
Save.

why-2.34/bench/good/complex_arg_1_why.v0000644000175000017500000000021412311670312016417 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Export Why.

why-2.34/bench/good/set.mlw0000644000175000017500000000143712311670312014145 0ustar  rtusers
(* side effects in tests *)

parameter x : int ref

parameter set_and_test_zero : 
  v:int -> {} bool writes x { x = v and if result then x = 0 else x <> 0 }

let p () = if (set_and_test_zero 0) then 1 else 2 { result = 1 }

parameter set_and_test_nzero : 
  v:int -> {} bool writes x { x = v and if result then x <> 0 else x = 0 }

let p2 (y:int ref) = 
  { y >= 0 } 
  while (set_and_test_nzero !y) do 
    { invariant y >= 0 variant y } 
    y := !y - 1 
  done 
  { y = 0 }

let p3 (y:int ref) = 
  { y >= 0 } 
  while let b = (set_and_test_nzero !y) in b do 
    { invariant y >= 0 variant y } 
    y := !y - 1 
  done 
  { y = 0 }

let p4 (y:int ref) = 
  { y >= 1 } 
  while begin y := !y - 1; (set_and_test_nzero !y) end do 
    { invariant y >= 1 variant y } 
    void
  done 
  { y = 0 }
why-2.34/bench/good/oldify.mlw0000644000175000017500000000063712311670312014641 0ustar  rtusers
logic q1 : int, int, int -> prop

parameter r : int ref

parameter f1 : y:int ->
             {} unit writes r { q1(r, r@, y) }

let g1 () = (f1 !r) { q1(r, r@, r@) }


include "arrays.why"

logic q: int farray, int farray, int -> prop

parameter f : t:int array -> x:int -> 
             {} unit reads t writes t { q(t, t@, x) }

let g (t:int array) =
  (f t (array_length_ t))
  { q(t, t@, array_length(t@)) }


why-2.34/bench/good/complex_arg_1.mlw0000644000175000017500000000035312311670312016066 0ustar  rtusersexception Exception

parameter f0 : tt:unit ->
   { }
   unit
   { true }

parameter f1 : tt:unit ->
  { }
  unit
  raises Exception
  { true | Exception => true }

let f = fun () ->
  { }
  f0 (f1 void)
  { true | Exception => true }
why-2.34/bench/good/wpcalls.mlw0000644000175000017500000000033212311670312015010 0ustar  rtusers
parameter x : int ref

parameter f : unit -> { } unit writes x { x = 1 - x@ }

let p () =
  begin
    init:
    let t = void in void;
    (f void);
    (f void);
    assert { x = x@init };
    void
  end
  { true }


why-2.34/bench/good/return.mlw0000644000175000017500000000070112311670312014662 0ustar  rtusers
include "arrays.why"

exception Return of int

logic N : int

parameter i : int ref
parameter t : int array

let p () = 
  { array_length(t) = N }
  try begin
    i := 0;
    while !i < N do
      { invariant 0 <= i (* and forall k:int. 0 <= k < i => t[k] <> 0 *)
        variant N - i }							 
      if t[!i] = 0 then raise (Return !i);
      i := !i + 1
    done;
    N
  end with Return x ->
    x
  end
  { 0 <= result < N -> t[result] = 0 }

why-2.34/bench/good/booleans.mlw0000644000175000017500000000204212311670312015145 0ustar  rtusers
parameter incr : x:int ref -> { } unit writes x { x = x@ + 1 }

parameter x : int ref

parameter id_not_0 : x:int -> { x <> 0 } int { result = x }

parameter id : x:int -> { } int { result = x }

let test_and_1 () =
  if (incr x; !x > 0) && id !x = 1 then !x else 0+1
  { result = 1 }

let test_and_2 () =
  { x <> 0 }
  if id_not_0 !x >= 1 && !x <= 1 then !x else 0+1
  { result = 1 }

let test_or_1 () =
  if (incr x; !x > 0) || !x < 0 then 1 else 2
  { result = 1 -> x <> 0 }

let test_or_2 () =
  if !x = 0 || !x = 1 then !x else 1
  { 0 <= result <= 1 }

let test_not_1 () =
  if not (!x = 0) then x := 0
  { x = 0 }

let test_not_2 () =
  { x <= 0 }
  while not (!x = 0) do { invariant x <= 0 } incr x done
  { x = 0 }

let test_all_1 () =
  (!x >= 0 && not (!x = 0) || !x >= 1)
  { result=true <-> x>=1 }

(* from Cesar Munoz's CD3D *)

logic D : int

parameter vx,vy : int ref

parameter sq : x:int -> {} int { result = x*x }

let test_cd3d () =
 { true }
 if !vx=0 && !vy=0 && sq !vx + sq !vy < sq D  then 1 else 2
 { result=1 -> vx=0 and vy=0 }


why-2.34/bench/good/oldify_why.v0000644000175000017500000001023512311670312015171 0ustar  rtusers
Require Import Why.

(*Why logic*) Definition q1 : Z -> Z -> Z -> Prop.
Admitted.







(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A81:Set) (a1:(array A81)) (a2:(array A81)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A90:Set) (a1:(array A90)) (a2:(array A90))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

(*Why logic*) Definition q : (array Z) -> (array Z) -> Z -> Prop.
Admitted.





(* Why obligation from file "oldify.mlw", line 21, characters 4-30: *)
(*Why goal*) Lemma g_po_1 : 
  forall (t: (array Z)),
  forall (result: Z),
  forall (HW_1: result = (array_length t)),
  forall (t0: (array Z)),
  forall (HW_2: (q t0 t result)),
  (q t0 t (array_length t)).
Proof.
intuition.
subst; intuition.
Save.



why-2.34/bench/good/return_why.v0000644000175000017500000001421612311670312015225 0ustar  rtusers
Require Import Why.


(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A87:Set) (a1:(array A87)) (a2:(array A87)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A96:Set) (a1:(array A96)) (a2:(array A96))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

(*Why logic*) Definition N : Z.
Admitted.

(* Why obligation from file "return.mlw", line 16, characters 18-24: *)
(*Why goal*) Lemma p_po_1 : 
  forall (t: (array Z)),
  forall (HW_1: (array_length t) = N),
  forall (i: Z),
  forall (HW_2: i = 0),
  0 <= i.
Proof.
intuition.
Save.

(* Why obligation from file "return.mlw", line 18, characters 9-14: *)
(*Why goal*) Lemma p_po_2 : 
  forall (t: (array Z)),
  forall (HW_1: (array_length t) = N),
  forall (i: Z),
  forall (HW_2: i = 0),
  forall (i0: Z),
  forall (HW_3: 0 <= i0),
  forall (HW_4: i0 < N),
  (0 <= i0 /\ i0 < (array_length t)).
Proof.
intuition.
Save.

(* Why obligation from file "return.mlw", line 25, characters 4-36: *)
(*Why goal*) Lemma p_po_3 : 
  forall (t: (array Z)),
  forall (HW_1: (array_length t) = N),
  forall (i: Z),
  forall (HW_2: i = 0),
  forall (i0: Z),
  forall (HW_3: 0 <= i0),
  forall (HW_4: i0 < N),
  forall (HW_5: 0 <= i0 /\ i0 < (array_length t)),
  forall (result: Z),
  forall (HW_6: result = (access t i0)),
  forall (HW_7: result = 0),
  forall (HW_8: 0 <= i0 /\ i0 < N),
  (access t i0) = 0.
Proof.
intuition.
Save.

(* Why obligation from file "return.mlw", line 16, characters 18-24: *)
(*Why goal*) Lemma p_po_4 : 
  forall (t: (array Z)),
  forall (HW_1: (array_length t) = N),
  forall (i: Z),
  forall (HW_2: i = 0),
  forall (i0: Z),
  forall (HW_3: 0 <= i0),
  forall (HW_4: i0 < N),
  forall (HW_5: 0 <= i0 /\ i0 < (array_length t)),
  forall (result: Z),
  forall (HW_6: result = (access t i0)),
  forall (HW_9: result <> 0),
  forall (i1: Z),
  forall (HW_10: i1 = (i0 + 1)),
  0 <= i1.
Proof.
intuition.
Save.

(* Why obligation from file "return.mlw", line 17, characters 16-21: *)
(*Why goal*) Lemma p_po_5 : 
  forall (t: (array Z)),
  forall (HW_1: (array_length t) = N),
  forall (i: Z),
  forall (HW_2: i = 0),
  forall (i0: Z),
  forall (HW_3: 0 <= i0),
  forall (HW_4: i0 < N),
  forall (HW_5: 0 <= i0 /\ i0 < (array_length t)),
  forall (result: Z),
  forall (HW_6: result = (access t i0)),
  forall (HW_9: result <> 0),
  forall (i1: Z),
  forall (HW_10: i1 = (i0 + 1)),
  (Zwf 0 (N - i1) (N - i0)).
Proof.
intuition.
Save.

(* Why obligation from file "return.mlw", line 25, characters 4-36: *)
(*Why goal*) Lemma p_po_6 : 
  forall (t: (array Z)),
  forall (HW_1: (array_length t) = N),
  forall (i: Z),
  forall (HW_2: i = 0),
  forall (i0: Z),
  forall (HW_3: 0 <= i0),
  forall (HW_11: i0 >= N),
  forall (HW_12: 0 <= N /\ N < N),
  (access t N) = 0.
Proof.
intuition.
Save.

why-2.34/bench/good/all.mlw0000644000175000017500000000640412311670312014121 0ustar  rtusers
include "integer.why"
include "divisions.why"
include "arrays.why"

(* Unitary (typing) tests *)

(* types syntax: values *)
parameter v1 : bool ref
parameter v2 : int
parameter v3 : (int)
parameter v4 : int ref
type foo
parameter v5 : foo
parameter v6 : int array
parameter v7 : int array

(* types syntax: functions *)
parameter f1 : int -> bool -> int

parameter f2 : int -> int ref -> bool

parameter f3 : x:int ref -> y:int ref -> 
             { x >= 0 } returns r:int reads x,y writes y { y = y@ + x + r }

parameter f4 : unit -> {} unit {}

parameter f5 : foo -> foo
parameter f6 : x:foo -> foo
parameter f7 : x:foo -> {} foo {}

parameter f8 : t:int array -> {} unit reads t { t[1] = 2 }

(* predicates *)
let p1 = 0 { true }
let p2 = 0 { not false }
let p3 = 0 { true and true }
let p4 = 0 { true or false }
let p5 = 0 { false or not false }
let p6 = 0 { true -> not false }
let p7 = 0 { forall x:int. x=x }
let p8 = 0 { true and forall x:int. x=x }
let p9 = 0 { forall x:int. forall y:int. x=y -> x=y }

(* variables *)
let acc1 = v2
let acc2 = acc1
let acc3 = f8

(* deref *)
let d1 () = !v1
let d2 () = !v4

(* arithmetic *)
let ar1 = 1
let ar2 = -1
let ar3 = 1+1
let ar4 = 1-1
let ar5 = 1*1
let ar6 = math_div 1 1
let ar7 = math_mod 1 1
let ar8 = computer_div 1 1
let ar9 = computer_mod 1 1
let ar10 = computer_div_ 1 1
let ar11 = computer_mod_ 1 1

(* assignements *)
let a1 () = v4 := 1
let a2 () = v1 := true
let a3 () = v4 := 2+2
let a4 () = v4 := !v4

(* sequences *)
let s1 () = begin v4 := 1; v4 := 2 end
let s2 () = begin v1 := true; v4 := 2 end
let s3 () = begin v4 := 1; v4 := !v4; v4 := 3 end
let s4 () = begin v4 := 1; 2 end

(* conditionals *)
let c1 = if true then 1 else 2
let c2 () = if !v1 then 1 else 2
let c3 () = if !v4 = 1 then v4 := 2 else v4 := 3

(* local variables *)
let l1 = let x = 1 in x
let l2 () = let x = 1 in v4 := x
let l3 = let x = 1 in let y = 2 in x + y
let l4 () = v4 := (let x = 1 in 1)
let l5 () = let x = 1 in begin v1 := true; v4 := x end

(* local references *)
let lr1 = let x = ref 1 in x := 2
let lr2 = let x = ref 1 in begin x := !x + 1; !x end
let lr3 = let x = ref 1 in let y = ref !x in x := !y

(* relations *)
let r1 = 1 = 1
let r2 = 2 > 1
let r3 = 2 >= 1
let r4 = 1 < 2
let r5 = 1 <= 2
let r6 = 1 <> 2
let r7 = 1 = 2 || 2 = 3
let r8 = 1 = 2 && 2 = 3

(* arrays *)
let arr1 () = { array_length(v6) >= 1 } v6[0]  
let arr2 () = { array_length(v6) >= 4 } v6[1+2] 
let arr3 () = { array_length(v6) >= 1 and v4 = 0 } v6[!v4] 
let arr4 () = { array_length(v6) >= 10 and v6[0] = 9 } v6[v6[0]] 

let arr5 () = { array_length(v6) >= 1 } v6[0] := 1
let arr6 () = { array_length(v6) >= 4 } v6[1+2] := 3+4 
let arr7 () = { array_length(v6) >= 10 and v6[0] = 9 } v6[v6[0]] := 1

(* function calls *)
let fc1 () = (f5 v5)
let fc2 () = (f4 void)
let fc3 () = let a = ref 0 in let b = ref 0 in (f3 a b)

(* while loops: in file loops.ml *)

(* recursive functions: in file recfun.ml *)

(* annotations *)
let an1 () = 0 { result = 0 }
let an2 () = { v4 >= 0 } begin v4 := !v4 + 1 end { v4 > v4@ }
(* let an3 = { v4 >= 0 } begin v4 := !v4 + 1 end { v4 > v4@init } *)

(* exceptions *)
exception E1
exception E2 of int
exception E3 of foo

(* effects with exceptions *)
parameter f1_ex : n:int -> {} unit raises E1 {}
parameter f2_ex : x:int ref -> {} bool writes x raises E1,E2 {}
why-2.34/bench/good/opaque_why.v0000644000175000017500000000044512311670312015177 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.

(* Why obligation from file "opaque.mlw", line 4, characters 33-38: *)
(*Why goal*) Lemma p_po_1 : 
  forall (x: Z),
  x = 1.
Proof.
intuition.
Abort.


why-2.34/bench/good/interval_arith_full_why.v0000644000175000017500000144765312311670312017763 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export Why.
Require Export JessieGappa.


(* maintenant axiom dans JessieGappa, ou plutot floats_common_why.v

Lemma round_down_less: forall f x, (round_float f down x <= x)%R.
intros;case f;unfold round_float.
unfold gappa_rounding.
unfold rounding_float.
Admitted.

*)

(* Why obligation from file "interval_arith_full.why", line 8, characters 3-56: *)
(*Why goal*) Lemma min_po_1 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y)),
  forall (HW_2: (is_not_NaN x) /\ (is_not_NaN y) /\ (is_finite x) /\
                (is_finite y) /\ (Rlt (float_value x) (float_value y)) \/
                (is_minus_infinity x) /\ (is_plus_infinity y) \/
                (is_minus_infinity x) /\ (is_finite y) \/ (is_finite x) /\
                (is_plus_infinity y)),
  (float_le_float x x).
Proof.
(* 
cvc3.
Qed. pas de version svn de coq
*) 
Admitted.


(*
destruct result.
ergo.
intuition; try ergo.
unfold float_le_float, is_not_NaN, is_NaN,
   is_plus_infinity, is_minus_infinity.
destruct (float_sign y); ergo.
Save.
*)

(* Why obligation from file "interval_arith_full.why", line 8, characters 3-56: *)
(*Why goal*) Lemma min_po_2 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y)),
  forall (HW_2: (is_not_NaN x) /\ (is_not_NaN y) /\ (is_finite x) /\
                (is_finite y) /\ (Rlt (float_value x) (float_value y)) \/
                (is_minus_infinity x) /\ (is_plus_infinity y) \/
                (is_minus_infinity x) /\ (is_finite y) \/ (is_finite x) /\
                (is_plus_infinity y)),
  (float_le_float x y).
Proof.
(*
unfold float_le_float, is_not_NaN, is_NaN,
   is_plus_infinity, is_minus_infinity.
intuition; try ergo.
*)
Admitted.

(* Why obligation from file "interval_arith_full.why", line 8, characters 3-56: *)
(*Why goal*) Lemma min_po_3 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y)),
  forall (HW_3: (is_NaN x) \/ (is_NaN y) \/ (is_finite x) /\ (is_finite y) /\
                (Rge (float_value x) (float_value y)) \/
                (is_plus_infinity x) \/ (is_minus_infinity y)),
  (float_le_float y x).
Proof.
intros.
Admitted.


(* Why obligation from file "interval_arith_full.why", line 8, characters 3-56: *)
(*Why goal*) Lemma min_po_4 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y)),
  forall (HW_3: (is_NaN x) \/ (is_NaN y) \/ (is_finite x) /\ (is_finite y) /\
                (Rge (float_value x) (float_value y)) \/
                (is_plus_infinity x) \/ (is_minus_infinity y)),
  (float_le_float y y).
Proof.
intros.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 16, characters 3-56: *)
(*Why goal*) Lemma max_po_1 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y)),
  forall (HW_2: (is_not_NaN x) /\ (is_not_NaN y) /\ (is_finite x) /\
                (is_finite y) /\ (Rgt (float_value x) (float_value y)) \/
                (is_plus_infinity x) /\ (is_minus_infinity y) \/
                (is_plus_infinity x) /\ (is_finite y) \/ (is_finite x) /\
                (is_minus_infinity y)),
  (float_le_float x x).
Proof.
(*
destruct result.
ergo.
intuition; try ergo.
unfold float_le_float, is_not_NaN, is_NaN,
   is_plus_infinity, is_minus_infinity.
destruct (float_sign y); ergo.
*)
Admitted.

(* Why obligation from file "interval_arith_full.why", line 16, characters 3-56: *)
(*Why goal*) Lemma max_po_2 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y)),
  forall (HW_2: (is_not_NaN x) /\ (is_not_NaN y) /\ (is_finite x) /\
                (is_finite y) /\ (Rgt (float_value x) (float_value y)) \/
                (is_plus_infinity x) /\ (is_minus_infinity y) \/
                (is_plus_infinity x) /\ (is_finite y) \/ (is_finite x) /\
                (is_minus_infinity y)),
  (float_le_float y x).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 16, characters 3-56: *)
(*Why goal*) Lemma max_po_3 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y)),
  forall (HW_3: (is_NaN x) \/ (is_NaN y) \/ (is_finite x) /\ (is_finite y) /\
                (Rle (float_value x) (float_value y)) \/
                (is_minus_infinity x) \/ (is_plus_infinity y)),
  (float_le_float x y).
Proof.
intros.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 16, characters 3-56: *)
(*Why goal*) Lemma max_po_4 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y)),
  forall (HW_3: (is_NaN x) \/ (is_NaN y) \/ (is_finite x) /\ (is_finite y) /\
                (Rle (float_value x) (float_value y)) \/
                (is_minus_infinity x) \/ (is_plus_infinity y)),
  (float_le_float y y).
Proof.
intros.
Admitted.

(*Why predicate*) Definition float_less_than_real  (x:gen_float) (y:R)
  := (is_finite x) /\ (Rle (float_value x) y) \/ (is_minus_infinity x).

(*Why predicate*) Definition real_less_than_float  (x:R) (y:gen_float)
  := (is_finite y) /\ (Rle x (float_value y)) \/ (is_plus_infinity y).

(*
Dp_hint round_down_le.
Dp_hint round_up_ge.
*)
 
(* Why obligation from file "interval_arith_full.why", line 39, characters 2-128: *)
(*Why goal*) Lemma mul_dn_po_1 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y) /\
                (((is_infinite x) \/ (is_infinite y) -> (diff_sign x y))) /\
                (((is_infinite x) /\ (is_finite y) ->
                  ~(eq (float_value y) (0)%R))) /\
                (((is_infinite y) /\ (is_finite x) ->
                  ~(eq (float_value x) (0)%R)))),
  forall (result: gen_float),
  forall (HW_2: (((is_NaN x) \/ (is_NaN y) -> (is_NaN result))) /\
                (((is_gen_zero x) /\ (is_infinite y) -> (is_NaN result))) /\
                (((is_finite x) /\ (is_infinite y) /\
                  ~(eq (float_value x) (0)%R) -> (is_infinite result))) /\
                (((is_infinite x) /\ (is_gen_zero y) -> (is_NaN result))) /\
                (((is_infinite x) /\ (is_finite y) /\
                  ~(eq (float_value y) (0)%R) -> (is_infinite result))) /\
                (((is_infinite x) /\ (is_infinite y) -> (is_infinite result))) /\
                (((is_finite x) /\ (is_finite y) /\
                  (no_overflow
                   Double down (Rmult (float_value x) (float_value y))) ->
                  (is_finite result) /\
                  (eq (float_value result) (round_float
                                            Double down (Rmult
                                                         (float_value x) (
                                                         float_value y)))))) /\
                (((is_finite x) /\ (is_finite y) /\
                  ~(no_overflow
                    Double down (Rmult (float_value x) (float_value y))) ->
                  (overflow_value Double down result))) /\
                (product_sign result x y) /\
                (eq (exact_value result) (Rmult
                                          (exact_value x) (exact_value y))) /\
                (eq (model_value result) (Rmult
                                          (model_value x) (model_value y)))),
  (float_less_than_real result (Rmult (float_value x) (float_value y))).
Proof.
(*
unfold float_less_than_real,product_sign, is_not_NaN,is_finite,is_minus_infinity.
(*
intuition.
*)
intros.
decompose [and or] HW_2; clear HW_2.
decompose [and] HW_1; clear HW_1.
elim H9.
elim H13.
intros.
case (overflow_dec Double down (float_value x * float_value y)).
(* replaced by cvc3.
intros.
left.
generalize (H5 (conj H16 (conj H14 H17))).
intros (H18,H19).
split; trivial.
rewrite H19.
apply round_down_le (* Admitted above *).
*)
cvc3.
intros.
generalize (proj1 (H6 (conj H16 (conj H14 H17))) (refl_equal _)).
clear H6.
intros H6.
case (same_sign_dec x y).

intros.
rewrite H8 in *;auto.
left.
split.
(* replaced by cvc3.
clear -H6.
intuition.
*)
cvc3.
generalize (proj2 H6 (refl_equal _)); clear H6; intros (H6, h1).
rewrite h1.
unfold no_overflow in H17.
unfold same_sign in H18.
case (Req_dec (genf x) 0%R).
intro.
contradiction H17.
unfold float_value.
rewrite H19.
rewrite Rmult_0_l.
rewrite round_of_zero,Rabs_R0.
unfold max_gen_float.
admit. (*as in JessieGappa*)
intro x_not_zero.
case (Req_dec (genf y) 0%R).
intro.
contradiction H17.
unfold float_value.
rewrite H19.
rewrite Rmult_0_r.
rewrite round_of_zero,Rabs_R0.
admit. (*as in JessieGappa*)
intro y_not_zero.
generalize (sign_invariant x H16 x_not_zero); intro x_sign_inv.
generalize (sign_invariant y H14 y_not_zero); intro y_sign_inv.
destruct (float_sign x).
destruct (float_sign y).
unfold same_sign_real_bool in *.
unfold float_value in *.
clear -x_sign_inv y_sign_inv H17.
apply Rnot_lt_le.
intros H.
apply H17.
rewrite Rabs_right.
apply Rlt_le.
apply Rle_lt_trans with (2 := H).
apply round_down_le (* Admitted above *).
replace R0 with (round_float Double down 0).
unfold round_float.
apply Rle_ge.
apply Gappa_round.round_extension_monotone.
apply Rlt_le.
admit.
apply round_of_zero.
discriminate.
destruct (float_sign y).
discriminate.
unfold same_sign_real_bool in *.
unfold float_value.
admit. (* reasoning of reals and Rabs as above *)


intro; right.
clear -H10 H6 H18;intuition.

intros; right.
clear -H15 H10 H14 H16 H0;intuition.

elim H13.
intros; right.
clear -H12 H10 H14 H16 H3;intuition.

intros; right.
clear -H12 H15 H10 H14 H16 H4; intuition.
*)
Admitted.




(* Why obligation from file "interval_arith_full.why", line 39, characters 2-128: *)
(*Why goal*) Lemma mul_dn_po_2 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y) /\
                (((is_infinite x) \/ (is_infinite y) -> (diff_sign x y))) /\
                (((is_infinite x) /\ (is_finite y) ->
                  ~(eq (float_value y) (0)%R))) /\
                (((is_infinite y) /\ (is_finite x) ->
                  ~(eq (float_value x) (0)%R)))),
  forall (result: gen_float),
  forall (HW_2: (((is_NaN x) \/ (is_NaN y) -> (is_NaN result))) /\
                (((is_gen_zero x) /\ (is_infinite y) -> (is_NaN result))) /\
                (((is_finite x) /\ (is_infinite y) /\
                  ~(eq (float_value x) (0)%R) -> (is_infinite result))) /\
                (((is_infinite x) /\ (is_gen_zero y) -> (is_NaN result))) /\
                (((is_infinite x) /\ (is_finite y) /\
                  ~(eq (float_value y) (0)%R) -> (is_infinite result))) /\
                (((is_infinite x) /\ (is_infinite y) -> (is_infinite result))) /\
                (((is_finite x) /\ (is_finite y) /\
                  (no_overflow
                   Double down (Rmult (float_value x) (float_value y))) ->
                  (is_finite result) /\
                  (eq (float_value result) (round_float
                                            Double down (Rmult
                                                         (float_value x) (
                                                         float_value y)))))) /\
                (((is_finite x) /\ (is_finite y) /\
                  ~(no_overflow
                    Double down (Rmult (float_value x) (float_value y))) ->
                  (overflow_value Double down result))) /\
                (product_sign result x y) /\
                (eq (exact_value result) (Rmult
                                          (exact_value x) (exact_value y))) /\
                (eq (model_value result) (Rmult
                                          (model_value x) (model_value y)))),
  forall (HW_3: (is_infinite x) \/ (is_infinite y)),
  (is_minus_infinity result).
Proof.
intros.
Admitted.


(* Why obligation from file "interval_arith_full.why", line 81, characters 10-74: *)
(*Why goal*) Lemma mul_up_po_1 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y) /\
                (((is_infinite x) \/ (is_infinite y) -> (same_sign x y))) /\
                (((is_infinite x) /\ (is_finite y) ->
                  ~(eq (float_value y) (0)%R))) /\
                (((is_infinite y) /\ (is_finite x) ->
                  ~(eq (float_value x) (0)%R)))),
  forall (HW_2: ~(eq (float_value y) (0)%R)),
  (Rge (Rabs (float_value y))
   (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R).
Proof.
Admitted.




(* Why obligation from file "interval_arith_full.why", line 84, characters 0-126: *)
(*Why goal*) Lemma mul_up_po_2 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y) /\
                (((is_infinite x) \/ (is_infinite y) -> (same_sign x y))) /\
                (((is_infinite x) /\ (is_finite y) ->
                  ~(eq (float_value y) (0)%R))) /\
                (((is_infinite y) /\ (is_finite x) ->
                  ~(eq (float_value x) (0)%R)))),
  forall (HW_3: (~(eq (float_value y) (0)%R) ->
                 (Rge (Rabs (float_value y))
                  (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R))),
  forall (result: gen_float),
  forall (HW_4: (((is_NaN y) -> (is_NaN result))) /\
                (((is_infinite y) -> (is_infinite result))) /\
                (((is_finite y) /\
                  (no_overflow Double down (Ropp (float_value y))) ->
                  (is_finite result) /\
                  (eq (float_value result) (round_float
                                            Double down (Ropp (float_value y)))))) /\
                (((is_finite y) /\
                  ~(no_overflow Double down (Ropp (float_value y))) ->
                  (overflow_value Double down result))) /\
                (diff_sign result y) /\
                (eq (exact_value result) (Ropp (exact_value y))) /\
                (eq (model_value result) (Ropp (model_value y)))),
  forall (result0: gen_float),
  forall (HW_5: (((is_NaN x) \/ (is_NaN result) -> (is_NaN result0))) /\
                (((is_gen_zero x) /\ (is_infinite result) -> (is_NaN result0))) /\
                (((is_finite x) /\ (is_infinite result) /\
                  ~(eq (float_value x) (0)%R) -> (is_infinite result0))) /\
                (((is_infinite x) /\ (is_gen_zero result) -> (is_NaN result0))) /\
                (((is_infinite x) /\ (is_finite result) /\
                  ~(eq (float_value result) (0)%R) -> (is_infinite result0))) /\
                (((is_infinite x) /\ (is_infinite result) ->
                  (is_infinite result0))) /\
                (((is_finite x) /\ (is_finite result) /\
                  (no_overflow
                   Double down (Rmult (float_value x) (float_value result))) ->
                  (is_finite result0) /\
                  (eq (float_value result0) (round_float
                                             Double down (Rmult
                                                          (float_value x) (
                                                          float_value result)))))) /\
                (((is_finite x) /\ (is_finite result) /\
                  ~(no_overflow
                    Double down (Rmult (float_value x) (float_value result))) ->
                  (overflow_value Double down result0))) /\
                (product_sign result0 x result) /\
                (eq (exact_value result0) (Rmult
                                           (exact_value x) (exact_value
                                                            result))) /\
                (eq (model_value result0) (Rmult
                                           (model_value x) (model_value
                                                            result)))),
  forall (result1: gen_float),
  forall (HW_6: (((is_NaN result0) -> (is_NaN result1))) /\
                (((is_infinite result0) -> (is_infinite result1))) /\
                (((is_finite result0) /\
                  (no_overflow Double down (Ropp (float_value result0))) ->
                  (is_finite result1) /\
                  (eq (float_value result1) (round_float
                                             Double down (Ropp
                                                          (float_value
                                                           result0)))))) /\
                (((is_finite result0) /\
                  ~(no_overflow Double down (Ropp (float_value result0))) ->
                  (overflow_value Double down result1))) /\
                (diff_sign result1 result0) /\
                (eq (exact_value result1) (Ropp (exact_value result0))) /\
                (eq (model_value result1) (Ropp (model_value result0)))),
  (real_less_than_float (Rmult (float_value x) (float_value y)) result1).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 84, characters 0-126: *)
(*Why goal*) Lemma mul_up_po_3 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_not_NaN x) /\ (is_not_NaN y) /\
                (((is_infinite x) \/ (is_infinite y) -> (same_sign x y))) /\
                (((is_infinite x) /\ (is_finite y) ->
                  ~(eq (float_value y) (0)%R))) /\
                (((is_infinite y) /\ (is_finite x) ->
                  ~(eq (float_value x) (0)%R)))),
  forall (HW_3: (~(eq (float_value y) (0)%R) ->
                 (Rge (Rabs (float_value y))
                  (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R))),
  forall (result: gen_float),
  forall (HW_4: (((is_NaN y) -> (is_NaN result))) /\
                (((is_infinite y) -> (is_infinite result))) /\
                (((is_finite y) /\
                  (no_overflow Double down (Ropp (float_value y))) ->
                  (is_finite result) /\
                  (eq (float_value result) (round_float
                                            Double down (Ropp (float_value y)))))) /\
                (((is_finite y) /\
                  ~(no_overflow Double down (Ropp (float_value y))) ->
                  (overflow_value Double down result))) /\
                (diff_sign result y) /\
                (eq (exact_value result) (Ropp (exact_value y))) /\
                (eq (model_value result) (Ropp (model_value y)))),
  forall (result0: gen_float),
  forall (HW_5: (((is_NaN x) \/ (is_NaN result) -> (is_NaN result0))) /\
                (((is_gen_zero x) /\ (is_infinite result) -> (is_NaN result0))) /\
                (((is_finite x) /\ (is_infinite result) /\
                  ~(eq (float_value x) (0)%R) -> (is_infinite result0))) /\
                (((is_infinite x) /\ (is_gen_zero result) -> (is_NaN result0))) /\
                (((is_infinite x) /\ (is_finite result) /\
                  ~(eq (float_value result) (0)%R) -> (is_infinite result0))) /\
                (((is_infinite x) /\ (is_infinite result) ->
                  (is_infinite result0))) /\
                (((is_finite x) /\ (is_finite result) /\
                  (no_overflow
                   Double down (Rmult (float_value x) (float_value result))) ->
                  (is_finite result0) /\
                  (eq (float_value result0) (round_float
                                             Double down (Rmult
                                                          (float_value x) (
                                                          float_value result)))))) /\
                (((is_finite x) /\ (is_finite result) /\
                  ~(no_overflow
                    Double down (Rmult (float_value x) (float_value result))) ->
                  (overflow_value Double down result0))) /\
                (product_sign result0 x result) /\
                (eq (exact_value result0) (Rmult
                                           (exact_value x) (exact_value
                                                            result))) /\
                (eq (model_value result0) (Rmult
                                           (model_value x) (model_value
                                                            result)))),
  forall (result1: gen_float),
  forall (HW_6: (((is_NaN result0) -> (is_NaN result1))) /\
                (((is_infinite result0) -> (is_infinite result1))) /\
                (((is_finite result0) /\
                  (no_overflow Double down (Ropp (float_value result0))) ->
                  (is_finite result1) /\
                  (eq (float_value result1) (round_float
                                             Double down (Ropp
                                                          (float_value
                                                           result0)))))) /\
                (((is_finite result0) /\
                  ~(no_overflow Double down (Ropp (float_value result0))) ->
                  (overflow_value Double down result1))) /\
                (diff_sign result1 result0) /\
                (eq (exact_value result1) (Ropp (exact_value result0))) /\
                (eq (model_value result1) (Ropp (model_value result0)))),
  forall (HW_7: (is_infinite x) \/ (is_infinite y)),
  (is_plus_infinity result1).
Proof.
intros.
Admitted.

(*Why predicate*) Definition is_interval  (l:gen_float) (u:gen_float)
  := ((is_finite l) \/ (is_infinite l) /\ (float_sign l) = Negative) /\
     ((is_finite u) \/ (is_infinite u) /\ (float_sign u) = Positive).

(*Why predicate*) Definition in_interval  (a:R) (l:gen_float) (u:gen_float)
  := (float_less_than_real l a) /\ (real_less_than_float a u).


(* Why obligation from file "interval_arith_full.why", line 117, characters 2-113: *)
(*Why goal*) Lemma add_po_1 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (result: gen_float),
  forall (HW_1: (((is_NaN xl) \/ (is_NaN yl) -> (is_NaN result))) /\
                (((is_finite xl) /\ (is_infinite yl) ->
                  (is_infinite result) /\ (same_sign result yl))) /\
                (((is_infinite xl) /\ (is_finite yl) ->
                  (is_infinite result) /\ (same_sign result xl))) /\
                (((is_infinite xl) /\ (is_infinite yl) /\
                  (same_sign xl yl) -> (is_infinite result) /\
                  (same_sign result xl))) /\
                (((is_infinite xl) /\ (is_infinite yl) /\
                  (diff_sign xl yl) -> (is_NaN result))) /\
                (((is_finite xl) /\ (is_finite yl) /\
                  (no_overflow
                   Double down (Rplus (float_value xl) (float_value yl))) ->
                  (is_finite result) /\
                  (eq (float_value result) (round_float
                                            Double down (Rplus
                                                         (float_value xl) (
                                                         float_value yl)))) /\
                  (sign_zero_result down result))) /\
                (((is_finite xl) /\ (is_finite yl) /\
                  ~(no_overflow
                    Double down (Rplus (float_value xl) (float_value yl))) ->
                  (same_sign_real
                   result (Rplus (float_value xl) (float_value yl))) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (Rplus
                                          (exact_value xl) (exact_value yl))) /\
                (eq (model_value result) (Rplus
                                          (model_value xl) (model_value yl)))),
  forall (zl: gen_float),
  forall (HW_2: zl = result),
  forall (result0: gen_float),
  forall (HW_3: (((is_NaN xu) -> (is_NaN result0))) /\
                (((is_infinite xu) -> (is_infinite result0))) /\
                (((is_finite xu) /\
                  (no_overflow Double down (Ropp (float_value xu))) ->
                  (is_finite result0) /\
                  (eq (float_value result0) (round_float
                                             Double down (Ropp
                                                          (float_value xu)))))) /\
                (((is_finite xu) /\
                  ~(no_overflow Double down (Ropp (float_value xu))) ->
                  (overflow_value Double down result0))) /\
                (diff_sign result0 xu) /\
                (eq (exact_value result0) (Ropp (exact_value xu))) /\
                (eq (model_value result0) (Ropp (model_value xu)))),
  forall (result1: gen_float),
  forall (HW_4: (((is_NaN result0) \/ (is_NaN yu) -> (is_NaN result1))) /\
                (((is_finite result0) /\ (is_infinite yu) ->
                  (is_infinite result1) /\ (diff_sign result1 yu))) /\
                (((is_infinite result0) /\ (is_finite yu) ->
                  (is_infinite result1) /\ (same_sign result1 result0))) /\
                (((is_infinite result0) /\ (is_infinite yu) /\
                  (same_sign result0 yu) -> (is_NaN result1))) /\
                (((is_infinite result0) /\ (is_infinite yu) /\
                  (diff_sign result0 yu) -> (is_infinite result1) /\
                  (same_sign result1 result0))) /\
                (((is_finite result0) /\ (is_finite yu) /\
                  (no_overflow
                   Double down (Rminus (float_value result0) (float_value yu))) ->
                  (is_finite result1) /\
                  (eq (float_value result1) (round_float
                                             Double down (Rminus
                                                          (float_value
                                                           result0) (
                                                          float_value yu)))) /\
                  (sign_zero_result down result1))) /\
                (((is_finite result0) /\ (is_finite yu) /\
                  ~(no_overflow
                    Double down (Rminus
                                 (float_value result0) (float_value yu))) ->
                  (same_sign_real
                   result1 (Rminus (float_value result0) (float_value yu))) /\
                  (overflow_value Double down result1))) /\
                (eq (exact_value result1) (Rminus
                                           (exact_value result0) (exact_value
                                                                  yu))) /\
                (eq (model_value result1) (Rminus
                                           (model_value result0) (model_value
                                                                  yu)))),
  forall (result2: gen_float),
  forall (HW_5: (((is_NaN result1) -> (is_NaN result2))) /\
                (((is_infinite result1) -> (is_infinite result2))) /\
                (((is_finite result1) /\
                  (no_overflow Double down (Ropp (float_value result1))) ->
                  (is_finite result2) /\
                  (eq (float_value result2) (round_float
                                             Double down (Ropp
                                                          (float_value
                                                           result1)))))) /\
                (((is_finite result1) /\
                  ~(no_overflow Double down (Ropp (float_value result1))) ->
                  (overflow_value Double down result2))) /\
                (diff_sign result2 result1) /\
                (eq (exact_value result2) (Ropp (exact_value result1))) /\
                (eq (model_value result2) (Ropp (model_value result1)))),
  forall (zu: gen_float),
  forall (HW_6: zu = result2),
  forall (a: R),
  forall (b: R),
  forall (HW_7: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rplus a b) zl zu).
Proof.
(* old proof in Coq v8.2
unfold in_interval, float_less_than_real, real_less_than_float.
intros.
decompose [and or] HW_1; clear HW_1.
decompose [and or] HW_3; clear HW_3.
decompose [and or] HW_4; clear HW_4.
decompose [and or] HW_5; clear HW_5.
decompose [and or] HW_7; clear HW_7.
subst.
unfold is_finite,is_infinite,is_plus_infinity,is_minus_infinity in *.
split.
case (overflow_dec Double down (float_value xl + float_value yl)).
intro.
left.
generalize (H4 (conj H33 (conj H30 H32))); intros (h1,h2).
split;trivial.
rewrite h2.
apply Rle_trans with (float_value xl + float_value yl)%R.
apply round_down_less (* Admitted above *).
auto with real.
intro.
generalize (H5 (conj H33 (conj H30 H32)));intros (h2, h3).
unfold same_sign_real in h2.
unfold overflow_value in h3.
destruct h3;clear H41.
unfold float_value in *.
unfold no_overflow in H32.
case (Req_dec (genf xl) 0).
intro.
case (Req_dec (genf yl) 0).
intro.
contradiction H32.
rewrite H41, H42.
rewrite Rplus_0_l.
rewrite round_of_zero,Rabs_R0.
admit. (*as in JessieGappa *)
intro.
rewrite H41 in h2.
rewrite Rplus_0_l in h2.
case (sign_dec yl).
intro.
generalize (sign_invariant yl H30 H42);intro yl_sign.
rewrite H43 in yl_sign.
unfold same_sign_real_bool in yl_sign.
right.
generalize ((proj1 (same_sign_real_bool_correct2 (float_sign result) 
(genf yl) h2)) yl_sign);intro.
clear -H40 H44; intuition.
intro.
generalize (sign_invariant yl H30 H42);intro yl_sign.
rewrite H43 in yl_sign.
unfold same_sign_real_bool in yl_sign.
left.
generalize ((proj1 (same_sign_real_bool_correct3 (float_sign result) 
(genf yl) h2)) yl_sign);intro.
clear -H40 H44 H41 H32 H35 H38 yl_sign.
split;intuition.
rewrite H2.
rewrite Rabs_right in H32.
rewrite H41, Rplus_0_l in H32.
apply Rle_trans with (round_float Double down (genf yl)).
apply Rge_le.
apply Rgt_ge; apply Rnot_le_gt;auto.
apply Rle_trans with (genf yl).
apply round_down_less. (* Admitted above *) 
rewrite <- Rplus_0_l with (genf yl); rewrite <- H41; auto with real.
rewrite H41, Rplus_0_l.
admit. (* round_float_of_pos_real_underflow in JessieGappa *)
intro.
case (Req_dec (genf yl) 0).
intro.
admit. (* as above *)

intro.
case (Rtotal_order (genf xl + genf yl) 0).
intro.
right.
generalize ((proj1 (same_sign_real_bool_correct2 (float_sign result) 
(genf xl + genf yl) h2)) H43);intro.
split;auto.
clear -H40 H44;intuition.
intro h3.
destruct h3.
rewrite H43 in h2.
generalize (same_sign_real_bool_zero1 (float_sign result));intro.
contradiction H44.
generalize ((proj1 (same_sign_real_bool_correct3 (float_sign result) 
(genf xl + genf yl) h2)) H43);intro.
left.
rewrite H44 in H40.
clear -H40 H35 H38 H32 H43.
split;intuition.
rewrite H2.
rewrite Rabs_right in H32.
apply Rle_trans with (round_float Double down (genf xl + genf yl)).
apply Rlt_le.
apply Rnot_le_lt;auto.
apply Rle_trans with (genf xl + genf yl)%R.
apply round_down_less (* Admitted above *).
auto with real.
admit. (* round_float_of_pos_real_underflow in JessieGappa *)

case (overflow_dec Double down (- float_value xu)).
intro.
generalize (H9 (conj H34 H32));intros (h1,h2).
case (overflow_dec Double down (float_value result0 - float_value yu)).
intro.
generalize (H20 (conj h1 (conj H37 H40)));intros (h3,h4).
unfold no_overflow in H40.
rewrite <- h4 in H40.
generalize (bounded_real_no_overflow Double down 
(float_value result1) H40);intro.
case (overflow_dec Double down (-float_value result1)).
intro.
generalize (H25 (conj h3 H42));intros (h5,h6).
left.
split;auto.
rewrite h6,h4,h2.
apply Rle_trans with (- ((- (float_value xu)) - float_value yu))%R.
rewrite (Ropp_minus_distr (-float_value xu) (float_value yu)).
admit.
admit. (*apply round_down_less:Admitted above with some modification *)
intro.
generalize (proj1 (H27 (conj h3 H42)));intro.
case (Rtotal_order (float_value result1) 0);intro.
generalize (finite_sign_neg1 result1 (conj h3 H44));intro.
unfold diff_sign in H28.
rewrite H45 in H28.
generalize (sign_not_neg_pos result2 H28);intro.
rewrite H46 in H43.
left.
clear -H43 H36 H39 H32 H40 H41 H42.
split; intuition.
rewrite H2.
unfold no_overflow in *.
apply Rle_trans with (float_value xu + float_value yu)%R.
auto with real.
admit. (* !!!!*)
destruct H44.
contradiction H42.
rewrite H44,Ropp_0.
apply bounded_real_no_overflow.
rewrite Rabs_R0.
admit.
generalize (finite_sign_pos1 result1 (conj h3 H44));intro.
unfold diff_sign in H28.
rewrite H45 in H28.
generalize (sign_not_pos_neg result2 H28);intro.
rewrite H46 in H43.
right.

 







H28 : diff_sign result2 result1


generalize (H21 (conj h1 (conj H37 H40)));intros (h5,h6).
unfold overflow_value in h6.
destruct h6; clear H42.
unfold same_sign_real in h5.
unfold no_overflow in H40.
generalize (same_sign_real_bool_zero3 (float_sign result1) 
(float_value result0 - float_value yu) h5);intro.
case (Req_dec (float_value xu) 0).
intro.
rewrite H43 in h2.
rewrite Ropp_0 in h2.
assert (float_value result0= 0)%R.
rewrite h2.
unfold round_float,down;gappa.
rewrite H44 in h5.
case (sign_dec yu).
intro.

rewrite Rminus_0_l in h2.




case (Req_dec (genf yu) 0).
intro.
rewrite H43 in h5


destruct 
unfold no_overflow in H41.
unfold diff_sign,float_value in *.
case (Req_dec (genf result0 - genf yu) 0).
intro.
rewrite H42 in h4.
(*sign of 0=result1 ????).
 

case (sign_dec xu).
intro.
assert (float_sign result0=Positive).
rewrite H42 in H12;apply (sign_not_neg_pos result0 H12).
case (Rtotal_order (genf result0 - genf yu) 0).


admit.
admit.
admit.

intros.
destruct H32.
destruct H36.
destruct H37.
destruct H38.
split.
admit. (*as above *)
case (overflow_dec Double down (- float_value xu)).
intro.
generalize (H9 (conj H36 H43));intros (h1,h2).
generalize (H17 (conj h1 H32));intros (h3,h4).
generalize (H26 (h3)); intros (h5,h6).
right.
split;auto.
unfold diff_sign in *.
rewrite H39 in h4.
clear -h4 h6;
assert (float_sign result1=Negative) by (apply (sign_not_pos_neg result1 h4));
rewrite H in h6;apply (sign_not_neg_pos result2 h6).
intro.
generalize (proj1 (H11 (conj H36 H43)) (refl_equal _)).
clear H11;intros.
case (sign_dec xu).
intro.
unfold diff_sign in*.
rewrite H44 in H12.
assert (float_sign result0 =Positive).
apply (sign_not_neg_pos result0 H12).
generalize ((proj2 H11) H45);intros (h1,h2).
generalize (H17 (conj h1 H32));intros (h3,h4).
generalize (H26 (h3)); intros (h5,h6).
right.
split;auto.
rewrite H39 in h4.
assert (float_sign result1=Negative) by (apply (sign_not_pos_neg result1 h4)).
rewrite H46 in h6.
apply (sign_not_neg_pos result2 h6).
intro.
unfold diff_sign in*.
rewrite H44 in H12.
assert (float_sign result0 =Negative).
apply (sign_not_pos_neg result0 H12).
generalize ((proj1 H11) H45); intro h.
assert (float_sign result0 <> float_sign yu).
rewrite H45,H39;discriminate.
generalize (H19 (conj h (conj H32 H46)));intros (h1,h2).
unfold same_sign in h2;rewrite H45 in h2.
generalize (H26 (h1)); intros (h4,h5).
right;rewrite h2 in h5.
split;auto.
apply (sign_not_neg_pos result2 h5).


intros.
destruct H32.
destruct H36.
destruct H37.
split.
admit.  (*as above *)
*)
*)
Admitted.




(*Why axiom*) Lemma help :
  (forall (x:R),
   (forall (y:R),
    (forall (z:R),
     (forall (t:R),
      (((Rle (0)%R x) /\ (Rle x y)) /\ (Rle (0)%R z) /\ (Rle z t) ->
       (Rle (Rmult x z) (Rmult y t))))))).
Admitted.

(* Why obligation from file "interval_arith_full.why", line 135, characters 8-29: *)
(*Why goal*) Lemma mul_po_1 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  (eq (float_value zero) (0)%R).
Proof.
(*
intros.
unfold in_interval,is_interval in *.
destruct result0.
destruct result0.
admit.
admit.
destruct result0.
admit.
ergo.
cvc3.
assert (yl_positive: ((float_value yl) >=0)%R).
cvc3.
destruct result0.
*)
Admitted.

(* Why obligation from file "interval_arith_full.why", line 141, characters 16-28: *)
(*Why goal*) Lemma mul_po_2 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  (is_not_NaN xl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 141, characters 16-28: *)
(*Why goal*) Lemma mul_po_3 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  (is_not_NaN yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 141, characters 16-28: *)
(*Why goal*) Lemma mul_po_4 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_9: (is_infinite xl) \/ (is_infinite yu)),
  (diff_sign xl yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 141, characters 16-28: *)
(*Why goal*) Lemma mul_po_5 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_10: (is_infinite xl) /\ (is_finite yu)),
  ~(eq (float_value yu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 141, characters 16-28: *)
(*Why goal*) Lemma mul_po_6 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_11: (is_infinite yu) /\ (is_finite xl)),
  ~(eq (float_value xl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 141, characters 31-43: *)
(*Why goal*) Lemma mul_po_7 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  (is_not_NaN xu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 141, characters 31-43: *)
(*Why goal*) Lemma mul_po_8 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  (is_not_NaN yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 141, characters 31-43: *)
(*Why goal*) Lemma mul_po_9 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_14: (is_infinite xu) \/ (is_infinite yl)),
  (diff_sign xu yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 141, characters 31-43: *)
(*Why goal*) Lemma mul_po_10 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_15: (is_infinite xu) /\ (is_finite yl)),
  ~(eq (float_value yl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 141, characters 31-43: *)
(*Why goal*) Lemma mul_po_11 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_16: (is_infinite yl) /\ (is_finite xu)),
  ~(eq (float_value xu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 141, characters 11-44: *)
(*Why goal*) Lemma mul_po_12 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  (is_not_NaN result0).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 141, characters 11-44: *)
(*Why goal*) Lemma mul_po_13 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  (is_not_NaN result1).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 142, characters 23-35: *)
(*Why goal*) Lemma mul_po_14 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  forall (HW_19: (is_not_NaN result0) /\ (is_not_NaN result1)),
  forall (result2: gen_float),
  forall (HW_20: (float_le_float result2 result0) /\
                 (float_le_float result2 result1)),
  forall (tl: gen_float),
  forall (HW_21: tl = result2),
  (is_not_NaN yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 142, characters 23-35: *)
(*Why goal*) Lemma mul_po_15 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  forall (HW_19: (is_not_NaN result0) /\ (is_not_NaN result1)),
  forall (result2: gen_float),
  forall (HW_20: (float_le_float result2 result0) /\
                 (float_le_float result2 result1)),
  forall (tl: gen_float),
  forall (HW_21: tl = result2),
  forall (HW_22: (is_infinite xl) \/ (is_infinite yl)),
  (same_sign xl yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 142, characters 23-35: *)
(*Why goal*) Lemma mul_po_16 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  forall (HW_19: (is_not_NaN result0) /\ (is_not_NaN result1)),
  forall (result2: gen_float),
  forall (HW_20: (float_le_float result2 result0) /\
                 (float_le_float result2 result1)),
  forall (tl: gen_float),
  forall (HW_21: tl = result2),
  forall (HW_23: (is_infinite xl) /\ (is_finite yl)),
  ~(eq (float_value yl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 142, characters 23-35: *)
(*Why goal*) Lemma mul_po_17 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  forall (HW_19: (is_not_NaN result0) /\ (is_not_NaN result1)),
  forall (result2: gen_float),
  forall (HW_20: (float_le_float result2 result0) /\
                 (float_le_float result2 result1)),
  forall (tl: gen_float),
  forall (HW_21: tl = result2),
  forall (HW_24: (is_infinite yl) /\ (is_finite xl)),
  ~(eq (float_value xl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 142, characters 38-50: *)
(*Why goal*) Lemma mul_po_18 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  forall (HW_19: (is_not_NaN result0) /\ (is_not_NaN result1)),
  forall (result2: gen_float),
  forall (HW_20: (float_le_float result2 result0) /\
                 (float_le_float result2 result1)),
  forall (tl: gen_float),
  forall (HW_21: tl = result2),
  forall (HW_25: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result3: gen_float),
  forall (HW_26: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result3) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result3)))),
  (is_not_NaN yu).
Proof.
Admitted.


(* Why obligation from file "interval_arith_full.why", line 142, characters 38-50: *)
(*Why goal*) Lemma mul_po_19 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  forall (HW_19: (is_not_NaN result0) /\ (is_not_NaN result1)),
  forall (result2: gen_float),
  forall (HW_20: (float_le_float result2 result0) /\
                 (float_le_float result2 result1)),
  forall (tl: gen_float),
  forall (HW_21: tl = result2),
  forall (HW_25: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result3: gen_float),
  forall (HW_26: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result3) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result3)))),
  forall (HW_27: (is_infinite xu) \/ (is_infinite yu)),
  (same_sign xu yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 142, characters 38-50: *)
(*Why goal*) Lemma mul_po_20 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  forall (HW_19: (is_not_NaN result0) /\ (is_not_NaN result1)),
  forall (result2: gen_float),
  forall (HW_20: (float_le_float result2 result0) /\
                 (float_le_float result2 result1)),
  forall (tl: gen_float),
  forall (HW_21: tl = result2),
  forall (HW_25: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result3: gen_float),
  forall (HW_26: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result3) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result3)))),
  forall (HW_28: (is_infinite xu) /\ (is_finite yu)),
  ~(eq (float_value yu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 142, characters 38-50: *)
(*Why goal*) Lemma mul_po_21 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  forall (HW_19: (is_not_NaN result0) /\ (is_not_NaN result1)),
  forall (result2: gen_float),
  forall (HW_20: (float_le_float result2 result0) /\
                 (float_le_float result2 result1)),
  forall (tl: gen_float),
  forall (HW_21: tl = result2),
  forall (HW_25: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result3: gen_float),
  forall (HW_26: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result3) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result3)))),
  forall (HW_29: (is_infinite yu) /\ (is_finite xu)),
  ~(eq (float_value xu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 142, characters 18-51: *)
(*Why goal*) Lemma mul_po_22 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  forall (HW_19: (is_not_NaN result0) /\ (is_not_NaN result1)),
  forall (result2: gen_float),
  forall (HW_20: (float_le_float result2 result0) /\
                 (float_le_float result2 result1)),
  forall (tl: gen_float),
  forall (HW_21: tl = result2),
  forall (HW_25: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result3: gen_float),
  forall (HW_26: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result3) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result3)))),
  forall (HW_30: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (same_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result4: gen_float),
  forall (HW_31: (real_less_than_float
                  (Rmult (float_value xu) (float_value yu)) result4) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_plus_infinity result4)))),
  (is_not_NaN result3).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 142, characters 18-51: *)
(*Why goal*) Lemma mul_po_23 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  forall (HW_19: (is_not_NaN result0) /\ (is_not_NaN result1)),
  forall (result2: gen_float),
  forall (HW_20: (float_le_float result2 result0) /\
                 (float_le_float result2 result1)),
  forall (tl: gen_float),
  forall (HW_21: tl = result2),
  forall (HW_25: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result3: gen_float),
  forall (HW_26: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result3) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result3)))),
  forall (HW_30: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (same_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result4: gen_float),
  forall (HW_31: (real_less_than_float
                  (Rmult (float_value xu) (float_value yu)) result4) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_plus_infinity result4)))),
  (is_not_NaN result4).
Proof.
Admitted.


(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_24 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  forall (HW_19: (is_not_NaN result0) /\ (is_not_NaN result1)),
  forall (result2: gen_float),
  forall (HW_20: (float_le_float result2 result0) /\
                 (float_le_float result2 result1)),
  forall (tl: gen_float),
  forall (HW_21: tl = result2),
  forall (HW_25: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result3: gen_float),
  forall (HW_26: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result3) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result3)))),
  forall (HW_30: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (same_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result4: gen_float),
  forall (HW_31: (real_less_than_float
                  (Rmult (float_value xu) (float_value yu)) result4) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_plus_infinity result4)))),
  forall (HW_32: (is_not_NaN result3) /\ (is_not_NaN result4)),
  forall (result5: gen_float),
  forall (HW_33: (float_le_float result3 result5) /\
                 (float_le_float result4 result5)),
  forall (tu: gen_float),
  forall (HW_34: tu = result5),
  (is_interval tl tu).
Proof.
intros.

Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_25 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_8: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                (is_finite zero) /\
                (Rgt (float_value yu) (float_value zero)) \/
                (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity yu) /\ (is_finite zero) \/
                (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_12: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_13: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (HW_17: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_18: (float_less_than_real
                  result1 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result1)))),
  forall (HW_19: (is_not_NaN result0) /\ (is_not_NaN result1)),
  forall (result2: gen_float),
  forall (HW_20: (float_le_float result2 result0) /\
                 (float_le_float result2 result1)),
  forall (tl: gen_float),
  forall (HW_21: tl = result2),
  forall (HW_25: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result3: gen_float),
  forall (HW_26: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result3) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result3)))),
  forall (HW_30: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (same_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result4: gen_float),
  forall (HW_31: (real_less_than_float
                  (Rmult (float_value xu) (float_value yu)) result4) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_plus_infinity result4)))),
  forall (HW_32: (is_not_NaN result3) /\ (is_not_NaN result4)),
  forall (result5: gen_float),
  forall (HW_33: (float_le_float result3 result5) /\
                 (float_le_float result4 result5)),
  forall (tu: gen_float),
  forall (HW_34: tu = result5),
  forall (a: R),
  forall (b: R),
  forall (HW_35: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
intros.
unfold in_interval,float_less_than_real,real_less_than_float in *.
split.
Admitted.



(* Why obligation from file "interval_arith_full.why", line 146, characters 11-23: *)
(*Why goal*) Lemma mul_po_26 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_36: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  (is_not_NaN xu).
Proof.

Admitted.

(* Why obligation from file "interval_arith_full.why", line 146, characters 11-23: *)
(*Why goal*) Lemma mul_po_27 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_36: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  (is_not_NaN yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 146, characters 11-23: *)
(*Why goal*) Lemma mul_po_28 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_36: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_37: (is_infinite xu) \/ (is_infinite yl)),
  (diff_sign xu yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 146, characters 11-23: *)
(*Why goal*) Lemma mul_po_29 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_36: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_38: (is_infinite xu) /\ (is_finite yl)),
  ~(eq (float_value yl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 146, characters 11-23: *)
(*Why goal*) Lemma mul_po_30 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_36: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_39: (is_infinite yl) /\ (is_finite xu)),
  ~(eq (float_value xu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 147, characters 18-30: *)
(*Why goal*) Lemma mul_po_31 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_36: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_40: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_41: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_42: tl = result0),
  (is_not_NaN xl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 147, characters 18-30: *)
(*Why goal*) Lemma mul_po_32 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_36: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_40: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_41: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_42: tl = result0),
  (is_not_NaN yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 147, characters 18-30: *)
(*Why goal*) Lemma mul_po_33 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_36: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_40: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_41: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_42: tl = result0),
  forall (HW_43: (is_infinite xl) \/ (is_infinite yl)),
  (same_sign xl yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 147, characters 18-30: *)
(*Why goal*) Lemma mul_po_34 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_36: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_40: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_41: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_42: tl = result0),
  forall (HW_44: (is_infinite xl) /\ (is_finite yl)),
  ~(eq (float_value yl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 147, characters 18-30: *)
(*Why goal*) Lemma mul_po_35 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_36: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_40: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_41: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_42: tl = result0),
  forall (HW_45: (is_infinite yl) /\ (is_finite xl)),
  ~(eq (float_value xl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_36 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_36: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_40: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_41: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_42: tl = result0),
  forall (HW_46: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_47: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result1) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_48: tu = result1),
  (is_interval tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_37 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_7: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                (is_finite zero) /\
                (Rlt (float_value yl) (float_value zero)) \/
                (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity yl) /\ (is_finite zero) \/
                (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_36: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_40: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                 (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                 (((is_infinite xu) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_41: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yl))) /\
                 (((is_infinite xu) \/ (is_infinite yl) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_42: tl = result0),
  forall (HW_46: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_47: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result1) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_48: tu = result1),
  forall (a: R),
  forall (b: R),
  forall (HW_49: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
intros.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 153, characters 11-23: *)
(*Why goal*) Lemma mul_po_38 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_51: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  (is_not_NaN xl).
Proof.
intros.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 153, characters 11-23: *)
(*Why goal*) Lemma mul_po_39 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_51: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  (is_not_NaN yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 153, characters 11-23: *)
(*Why goal*) Lemma mul_po_40 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_51: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_52: (is_infinite xl) \/ (is_infinite yu)),
  (diff_sign xl yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 153, characters 11-23: *)
(*Why goal*) Lemma mul_po_41 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_51: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_53: (is_infinite xl) /\ (is_finite yu)),
  ~(eq (float_value yu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 153, characters 11-23: *)
(*Why goal*) Lemma mul_po_42 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_51: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_54: (is_infinite yu) /\ (is_finite xl)),
  ~(eq (float_value xl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 154, characters 18-30: *)
(*Why goal*) Lemma mul_po_43 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_51: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_55: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_56: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_57: tl = result0),
  (is_not_NaN xu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 154, characters 18-30: *)
(*Why goal*) Lemma mul_po_44 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_51: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_55: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_56: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_57: tl = result0),
  (is_not_NaN yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 154, characters 18-30: *)
(*Why goal*) Lemma mul_po_45 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_51: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_55: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_56: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_57: tl = result0),
  forall (HW_58: (is_infinite xu) \/ (is_infinite yu)),
  (same_sign xu yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 154, characters 18-30: *)
(*Why goal*) Lemma mul_po_46 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_51: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_55: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_56: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_57: tl = result0),
  forall (HW_59: (is_infinite xu) /\ (is_finite yu)),
  ~(eq (float_value yu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 154, characters 18-30: *)
(*Why goal*) Lemma mul_po_47 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_51: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_55: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_56: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_57: tl = result0),
  forall (HW_60: (is_infinite yu) /\ (is_finite xu)),
  ~(eq (float_value xu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_48 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_51: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_55: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_56: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_57: tl = result0),
  forall (HW_61: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (same_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_62: (real_less_than_float
                  (Rmult (float_value xu) (float_value yu)) result1) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_63: tu = result1),
  (is_interval tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_49 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_51: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_55: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_56: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_57: tl = result0),
  forall (HW_61: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (same_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_62: (real_less_than_float
                  (Rmult (float_value xu) (float_value yu)) result1) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_63: tu = result1),
  forall (a: R),
  forall (b: R),
  forall (HW_64: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_50 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_65: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (tl: gen_float),
  forall (HW_66: tl = zero),
  forall (tu: gen_float),
  forall (HW_67: tu = zero),
  (is_interval tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_51 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_6: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                (is_finite zero) /\
                (Rgt (float_value xu) (float_value zero)) \/
                (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                (is_plus_infinity xu) /\ (is_finite zero) \/
                (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_50: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_65: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (tl: gen_float),
  forall (HW_66: tl = zero),
  forall (tu: gen_float),
  forall (HW_67: tu = zero),
  forall (a: R),
  forall (b: R),
  forall (HW_68: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 168, characters 11-23: *)
(*Why goal*) Lemma mul_po_52 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_71: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  (is_not_NaN xl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 168, characters 11-23: *)
(*Why goal*) Lemma mul_po_53 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_71: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  (is_not_NaN yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 168, characters 11-23: *)
(*Why goal*) Lemma mul_po_54 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_71: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_72: (is_infinite xl) \/ (is_infinite yu)),
  (diff_sign xl yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 168, characters 11-23: *)
(*Why goal*) Lemma mul_po_55 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_71: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_73: (is_infinite xl) /\ (is_finite yu)),
  ~(eq (float_value yu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 168, characters 11-23: *)
(*Why goal*) Lemma mul_po_56 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_71: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_74: (is_infinite yu) /\ (is_finite xl)),
  ~(eq (float_value xl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 169, characters 18-30: *)
(*Why goal*) Lemma mul_po_57 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_71: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_75: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_76: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_77: tl = result0),
  (is_not_NaN yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 169, characters 18-30: *)
(*Why goal*) Lemma mul_po_58 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_71: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_75: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_76: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_77: tl = result0),
  forall (HW_78: (is_infinite xl) \/ (is_infinite yl)),
  (same_sign xl yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 169, characters 18-30: *)
(*Why goal*) Lemma mul_po_59 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_71: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_75: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_76: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_77: tl = result0),
  forall (HW_79: (is_infinite xl) /\ (is_finite yl)),
  ~(eq (float_value yl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 169, characters 18-30: *)
(*Why goal*) Lemma mul_po_60 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_71: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_75: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_76: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_77: tl = result0),
  forall (HW_80: (is_infinite yl) /\ (is_finite xl)),
  ~(eq (float_value xl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_61 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_71: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_75: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_76: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_77: tl = result0),
  forall (HW_81: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_82: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result1) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_83: tu = result1),
  (is_interval tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_62 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_71: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rgt (float_value yu) (float_value zero)) \/
                 (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                 (is_plus_infinity yu) /\ (is_finite zero) \/
                 (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_75: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                 (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                 (((is_infinite xl) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_76: (float_less_than_real
                  result0 (Rmult (float_value xl) (float_value yu))) /\
                 (((is_infinite xl) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_77: tl = result0),
  forall (HW_81: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_82: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result1) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_83: tu = result1),
  forall (a: R),
  forall (b: R),
  forall (HW_84: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 173, characters 11-23: *)
(*Why goal*) Lemma mul_po_63 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_85: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  (is_not_NaN xu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 173, characters 11-23: *)
(*Why goal*) Lemma mul_po_64 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_85: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  (is_not_NaN yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 173, characters 11-23: *)
(*Why goal*) Lemma mul_po_65 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_85: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_86: (is_infinite xu) \/ (is_infinite yu)),
  (diff_sign xu yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 173, characters 11-23: *)
(*Why goal*) Lemma mul_po_66 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_85: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_87: (is_infinite xu) /\ (is_finite yu)),
  ~(eq (float_value yu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 173, characters 11-23: *)
(*Why goal*) Lemma mul_po_67 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_85: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_88: (is_infinite yu) /\ (is_finite xu)),
  ~(eq (float_value xu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 174, characters 18-30: *)
(*Why goal*) Lemma mul_po_68 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_85: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_89: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (diff_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_90: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yu))) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_91: tl = result0),
  (is_not_NaN xl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 174, characters 18-30: *)
(*Why goal*) Lemma mul_po_69 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_85: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_89: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (diff_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_90: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yu))) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_91: tl = result0),
  (is_not_NaN yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 174, characters 18-30: *)
(*Why goal*) Lemma mul_po_70 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_85: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_89: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (diff_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_90: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yu))) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_91: tl = result0),
  forall (HW_92: (is_infinite xl) \/ (is_infinite yl)),
  (same_sign xl yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 174, characters 18-30: *)
(*Why goal*) Lemma mul_po_71 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_85: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_89: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (diff_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_90: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yu))) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_91: tl = result0),
  forall (HW_93: (is_infinite xl) /\ (is_finite yl)),
  ~(eq (float_value yl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 174, characters 18-30: *)
(*Why goal*) Lemma mul_po_72 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_85: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_89: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (diff_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_90: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yu))) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_91: tl = result0),
  forall (HW_94: (is_infinite yl) /\ (is_finite xl)),
  ~(eq (float_value xl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_73 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_85: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_89: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (diff_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_90: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yu))) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_91: tl = result0),
  forall (HW_95: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_96: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result1) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_97: tu = result1),
  (is_interval tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_74 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_70: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rlt (float_value yl) (float_value zero)) \/
                 (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                 (is_minus_infinity yl) /\ (is_finite zero) \/
                 (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_85: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                 (is_finite zero) /\
                 (Rle (float_value yu) (float_value zero)) \/
                 (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_89: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                 (((is_infinite xu) \/ (is_infinite yu) -> (diff_sign xu yu))) /\
                 (((is_infinite xu) /\ (is_finite yu) ->
                   ~(eq (float_value yu) (0)%R))) /\
                 (((is_infinite yu) /\ (is_finite xu) ->
                   ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_90: (float_less_than_real
                  result0 (Rmult (float_value xu) (float_value yu))) /\
                 (((is_infinite xu) \/ (is_infinite yu) ->
                   (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_91: tl = result0),
  forall (HW_95: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                 (((is_infinite xl) \/ (is_infinite yl) -> (same_sign xl yl))) /\
                 (((is_infinite xl) /\ (is_finite yl) ->
                   ~(eq (float_value yl) (0)%R))) /\
                 (((is_infinite yl) /\ (is_finite xl) ->
                   ~(eq (float_value xl) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_96: (real_less_than_float
                  (Rmult (float_value xl) (float_value yl)) result1) /\
                 (((is_infinite xl) \/ (is_infinite yl) ->
                   (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_97: tu = result1),
  forall (a: R),
  forall (b: R),
  forall (HW_98: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 180, characters 11-23: *)
(*Why goal*) Lemma mul_po_75 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_100: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  (is_not_NaN xl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 180, characters 11-23: *)
(*Why goal*) Lemma mul_po_76 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_100: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  (is_not_NaN yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 180, characters 11-23: *)
(*Why goal*) Lemma mul_po_77 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_100: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_101: (is_infinite xl) \/ (is_infinite yu)),
  (diff_sign xl yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 180, characters 11-23: *)
(*Why goal*) Lemma mul_po_78 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_100: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_102: (is_infinite xl) /\ (is_finite yu)),
  ~(eq (float_value yu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 180, characters 11-23: *)
(*Why goal*) Lemma mul_po_79 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_100: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_103: (is_infinite yu) /\ (is_finite xl)),
  ~(eq (float_value xl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 181, characters 18-30: *)
(*Why goal*) Lemma mul_po_80 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_100: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_104: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                  (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                  (((is_infinite xl) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_105: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yu))) /\
                  (((is_infinite xl) \/ (is_infinite yu) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_106: tl = result0),
  (is_not_NaN xu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 181, characters 18-30: *)
(*Why goal*) Lemma mul_po_81 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_100: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_104: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                  (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                  (((is_infinite xl) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_105: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yu))) /\
                  (((is_infinite xl) \/ (is_infinite yu) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_106: tl = result0),
  (is_not_NaN yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 181, characters 18-30: *)
(*Why goal*) Lemma mul_po_82 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_100: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_104: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                  (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                  (((is_infinite xl) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_105: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yu))) /\
                  (((is_infinite xl) \/ (is_infinite yu) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_106: tl = result0),
  forall (HW_107: (is_infinite xu) \/ (is_infinite yl)),
  (same_sign xu yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 181, characters 18-30: *)
(*Why goal*) Lemma mul_po_83 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_100: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_104: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                  (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                  (((is_infinite xl) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_105: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yu))) /\
                  (((is_infinite xl) \/ (is_infinite yu) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_106: tl = result0),
  forall (HW_108: (is_infinite xu) /\ (is_finite yl)),
  ~(eq (float_value yl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 181, characters 18-30: *)
(*Why goal*) Lemma mul_po_84 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_100: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_104: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                  (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                  (((is_infinite xl) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_105: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yu))) /\
                  (((is_infinite xl) \/ (is_infinite yu) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_106: tl = result0),
  forall (HW_109: (is_infinite yl) /\ (is_finite xu)),
  ~(eq (float_value xu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_85 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_100: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_104: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                  (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                  (((is_infinite xl) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_105: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yu))) /\
                  (((is_infinite xl) \/ (is_infinite yu) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_106: tl = result0),
  forall (HW_110: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (same_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_111: (real_less_than_float
                   (Rmult (float_value xu) (float_value yl)) result1) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_112: tu = result1),
  (is_interval tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_86 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_100: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_104: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                  (((is_infinite xl) \/ (is_infinite yu) -> (diff_sign xl yu))) /\
                  (((is_infinite xl) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_105: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yu))) /\
                  (((is_infinite xl) \/ (is_infinite yu) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_106: tl = result0),
  forall (HW_110: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (same_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_111: (real_less_than_float
                   (Rmult (float_value xu) (float_value yl)) result1) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_112: tu = result1),
  forall (a: R),
  forall (b: R),
  forall (HW_113: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_87 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_114: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (tl: gen_float),
  forall (HW_115: tl = zero),
  forall (tu: gen_float),
  forall (HW_116: tu = zero),
  (is_interval tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_88 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_5: (is_not_NaN xl) /\ (is_not_NaN zero) /\ (is_finite xl) /\
                (is_finite zero) /\
                (Rlt (float_value xl) (float_value zero)) \/
                (is_minus_infinity xl) /\ (is_plus_infinity zero) \/
                (is_minus_infinity xl) /\ (is_finite zero) \/
                (is_finite xl) /\ (is_plus_infinity zero)),
  forall (HW_69: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                 (is_finite zero) /\
                 (Rle (float_value xu) (float_value zero)) \/
                 (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (HW_99: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                 (is_finite zero) /\
                 (Rge (float_value yl) (float_value zero)) \/
                 (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_114: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (tl: gen_float),
  forall (HW_115: tl = zero),
  forall (tu: gen_float),
  forall (HW_116: tu = zero),
  forall (a: R),
  forall (b: R),
  forall (HW_117: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 194, characters 11-23: *)
(*Why goal*) Lemma mul_po_89 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_121: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  (is_not_NaN xu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 194, characters 11-23: *)
(*Why goal*) Lemma mul_po_90 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_121: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  (is_not_NaN yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 194, characters 11-23: *)
(*Why goal*) Lemma mul_po_91 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_121: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_122: (is_infinite xu) \/ (is_infinite yl)),
  (diff_sign xu yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 194, characters 11-23: *)
(*Why goal*) Lemma mul_po_92 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_121: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_123: (is_infinite xu) /\ (is_finite yl)),
  ~(eq (float_value yl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 194, characters 11-23: *)
(*Why goal*) Lemma mul_po_93 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_121: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_124: (is_infinite yl) /\ (is_finite xu)),
  ~(eq (float_value xu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 195, characters 18-30: *)
(*Why goal*) Lemma mul_po_94 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_121: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_125: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_126: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_127: tl = result0),
  (is_not_NaN yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 195, characters 18-30: *)
(*Why goal*) Lemma mul_po_95 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_121: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_125: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_126: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_127: tl = result0),
  forall (HW_128: (is_infinite xu) \/ (is_infinite yu)),
  (same_sign xu yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 195, characters 18-30: *)
(*Why goal*) Lemma mul_po_96 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_121: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_125: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_126: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_127: tl = result0),
  forall (HW_129: (is_infinite xu) /\ (is_finite yu)),
  ~(eq (float_value yu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 195, characters 18-30: *)
(*Why goal*) Lemma mul_po_97 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_121: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_125: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_126: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_127: tl = result0),
  forall (HW_130: (is_infinite yu) /\ (is_finite xu)),
  ~(eq (float_value xu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_98 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_121: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_125: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_126: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_127: tl = result0),
  forall (HW_131: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                  (((is_infinite xu) \/ (is_infinite yu) -> (same_sign xu yu))) /\
                  (((is_infinite xu) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_132: (real_less_than_float
                   (Rmult (float_value xu) (float_value yu)) result1) /\
                  (((is_infinite xu) \/ (is_infinite yu) ->
                    (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_133: tu = result1),
  (is_interval tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_99 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_121: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_125: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_126: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_127: tl = result0),
  forall (HW_131: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                  (((is_infinite xu) \/ (is_infinite yu) -> (same_sign xu yu))) /\
                  (((is_infinite xu) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_132: (real_less_than_float
                   (Rmult (float_value xu) (float_value yu)) result1) /\
                  (((is_infinite xu) \/ (is_infinite yu) ->
                    (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_133: tu = result1),
  forall (a: R),
  forall (b: R),
  forall (HW_134: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 199, characters 11-23: *)
(*Why goal*) Lemma mul_po_100 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_135: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  (is_not_NaN xu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 199, characters 11-23: *)
(*Why goal*) Lemma mul_po_101 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_135: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  (is_not_NaN yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 199, characters 11-23: *)
(*Why goal*) Lemma mul_po_102 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_135: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_136: (is_infinite xu) \/ (is_infinite yl)),
  (diff_sign xu yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 199, characters 11-23: *)
(*Why goal*) Lemma mul_po_103 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_135: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_137: (is_infinite xu) /\ (is_finite yl)),
  ~(eq (float_value yl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 199, characters 11-23: *)
(*Why goal*) Lemma mul_po_104 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_135: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_138: (is_infinite yl) /\ (is_finite xu)),
  ~(eq (float_value xu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 200, characters 18-30: *)
(*Why goal*) Lemma mul_po_105 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_135: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_139: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_140: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_141: tl = result0),
  (is_not_NaN xl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 200, characters 18-30: *)
(*Why goal*) Lemma mul_po_106 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_135: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_139: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_140: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_141: tl = result0),
  (is_not_NaN yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 200, characters 18-30: *)
(*Why goal*) Lemma mul_po_107 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_135: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_139: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_140: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_141: tl = result0),
  forall (HW_142: (is_infinite xl) \/ (is_infinite yu)),
  (same_sign xl yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 200, characters 18-30: *)
(*Why goal*) Lemma mul_po_108 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_135: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_139: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_140: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_141: tl = result0),
  forall (HW_143: (is_infinite xl) /\ (is_finite yu)),
  ~(eq (float_value yu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 200, characters 18-30: *)
(*Why goal*) Lemma mul_po_109 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_135: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_139: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_140: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_141: tl = result0),
  forall (HW_144: (is_infinite yu) /\ (is_finite xl)),
  ~(eq (float_value xl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_110 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_135: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_139: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_140: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_141: tl = result0),
  forall (HW_145: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                  (((is_infinite xl) \/ (is_infinite yu) -> (same_sign xl yu))) /\
                  (((is_infinite xl) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_146: (real_less_than_float
                   (Rmult (float_value xl) (float_value yu)) result1) /\
                  (((is_infinite xl) \/ (is_infinite yu) ->
                    (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_147: tu = result1),
  (is_interval tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_111 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_120: (is_not_NaN yl) /\ (is_not_NaN zero) /\ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rlt (float_value yl) (float_value zero)) \/
                  (is_minus_infinity yl) /\ (is_plus_infinity zero) \/
                  (is_minus_infinity yl) /\ (is_finite zero) \/
                  (is_finite yl) /\ (is_plus_infinity zero)),
  forall (HW_135: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (HW_139: (is_not_NaN xu) /\ (is_not_NaN yl) /\
                  (((is_infinite xu) \/ (is_infinite yl) -> (diff_sign xu yl))) /\
                  (((is_infinite xu) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_140: (float_less_than_real
                   result0 (Rmult (float_value xu) (float_value yl))) /\
                  (((is_infinite xu) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_141: tl = result0),
  forall (HW_145: (is_not_NaN xl) /\ (is_not_NaN yu) /\
                  (((is_infinite xl) \/ (is_infinite yu) -> (same_sign xl yu))) /\
                  (((is_infinite xl) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_146: (real_less_than_float
                   (Rmult (float_value xl) (float_value yu)) result1) /\
                  (((is_infinite xl) \/ (is_infinite yu) ->
                    (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_147: tu = result1),
  forall (a: R),
  forall (b: R),
  forall (HW_148: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 205, characters 18-57: *)
(*Why goal*) Lemma mul_po_112 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  (is_finite xl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 205, characters 18-57: *)
(*Why goal*) Lemma mul_po_113 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  (Rge (float_value xl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 206, characters 11-50: *)
(*Why goal*) Lemma mul_po_114 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  (is_finite yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 206, characters 11-50: *)
(*Why goal*) Lemma mul_po_115 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  (Rge (float_value yl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 207, characters 18-104: *)
(*Why goal*) Lemma mul_po_116 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  ((is_plus_infinity yu) \/ (is_finite yu) /\ (Rgt (float_value yu) (0)%R)).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 209, characters 18-104: *)
(*Why goal*) Lemma mul_po_117 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  ((is_plus_infinity xu) \/ (is_finite xu) /\ (Rgt (float_value xu) (0)%R)).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 211, characters 18-30: *)
(*Why goal*) Lemma mul_po_118 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  forall (HW_154: (is_plus_infinity xu) \/ (is_finite xu) /\
                  (Rgt (float_value xu) (0)%R)),
  (is_not_NaN xl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 211, characters 18-30: *)
(*Why goal*) Lemma mul_po_119 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  forall (HW_154: (is_plus_infinity xu) \/ (is_finite xu) /\
                  (Rgt (float_value xu) (0)%R)),
  (is_not_NaN yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 211, characters 18-30: *)
(*Why goal*) Lemma mul_po_120 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  forall (HW_154: (is_plus_infinity xu) \/ (is_finite xu) /\
                  (Rgt (float_value xu) (0)%R)),
  forall (HW_155: (is_infinite xl) \/ (is_infinite yl)),
  (diff_sign xl yl).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 211, characters 18-30: *)
(*Why goal*) Lemma mul_po_121 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  forall (HW_154: (is_plus_infinity xu) \/ (is_finite xu) /\
                  (Rgt (float_value xu) (0)%R)),
  forall (HW_156: (is_infinite xl) /\ (is_finite yl)),
  ~(eq (float_value yl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 211, characters 18-30: *)
(*Why goal*) Lemma mul_po_122 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  forall (HW_154: (is_plus_infinity xu) \/ (is_finite xu) /\
                  (Rgt (float_value xu) (0)%R)),
  forall (HW_157: (is_infinite yl) /\ (is_finite xl)),
  ~(eq (float_value xl) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 212, characters 18-30: *)
(*Why goal*) Lemma mul_po_123 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  forall (HW_154: (is_plus_infinity xu) \/ (is_finite xu) /\
                  (Rgt (float_value xu) (0)%R)),
  forall (HW_158: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                  (((is_infinite xl) \/ (is_infinite yl) -> (diff_sign xl yl))) /\
                  (((is_infinite xl) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_159: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yl))) /\
                  (((is_infinite xl) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_160: tl = result0),
  (is_not_NaN xu).
Proof.
Admitted.


(* Why obligation from file "interval_arith_full.why", line 212, characters 18-30: *)
(*Why goal*) Lemma mul_po_124 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  forall (HW_154: (is_plus_infinity xu) \/ (is_finite xu) /\
                  (Rgt (float_value xu) (0)%R)),
  forall (HW_158: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                  (((is_infinite xl) \/ (is_infinite yl) -> (diff_sign xl yl))) /\
                  (((is_infinite xl) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_159: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yl))) /\
                  (((is_infinite xl) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_160: tl = result0),
  (is_not_NaN yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 212, characters 18-30: *)
(*Why goal*) Lemma mul_po_125 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  forall (HW_154: (is_plus_infinity xu) \/ (is_finite xu) /\
                  (Rgt (float_value xu) (0)%R)),
  forall (HW_158: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                  (((is_infinite xl) \/ (is_infinite yl) -> (diff_sign xl yl))) /\
                  (((is_infinite xl) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_159: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yl))) /\
                  (((is_infinite xl) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_160: tl = result0),
  forall (HW_161: (is_infinite xu) \/ (is_infinite yu)),
  (same_sign xu yu).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 212, characters 18-30: *)
(*Why goal*) Lemma mul_po_126 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  forall (HW_154: (is_plus_infinity xu) \/ (is_finite xu) /\
                  (Rgt (float_value xu) (0)%R)),
  forall (HW_158: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                  (((is_infinite xl) \/ (is_infinite yl) -> (diff_sign xl yl))) /\
                  (((is_infinite xl) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_159: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yl))) /\
                  (((is_infinite xl) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_160: tl = result0),
  forall (HW_162: (is_infinite xu) /\ (is_finite yu)),
  ~(eq (float_value yu) (0)%R).
Proof.
Admitted.

(* Why obligation from file "interval_arith_full.why", line 212, characters 18-30: *)
(*Why goal*) Lemma mul_po_127 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  forall (HW_154: (is_plus_infinity xu) \/ (is_finite xu) /\
                  (Rgt (float_value xu) (0)%R)),
  forall (HW_158: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                  (((is_infinite xl) \/ (is_infinite yl) -> (diff_sign xl yl))) /\
                  (((is_infinite xl) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_159: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yl))) /\
                  (((is_infinite xl) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_160: tl = result0),
  forall (HW_163: (is_infinite yu) /\ (is_finite xu)),
  ~(eq (float_value xu) (0)%R).
Proof.
Admitted.



(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_128 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  forall (HW_154: (is_plus_infinity xu) \/ (is_finite xu) /\
                  (Rgt (float_value xu) (0)%R)),
  forall (HW_158: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                  (((is_infinite xl) \/ (is_infinite yl) -> (diff_sign xl yl))) /\
                  (((is_infinite xl) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_159: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yl))) /\
                  (((is_infinite xl) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_160: tl = result0),
  forall (HW_164: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                  (((is_infinite xu) \/ (is_infinite yu) -> (same_sign xu yu))) /\
                  (((is_infinite xu) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_165: (real_less_than_float
                   (Rmult (float_value xu) (float_value yu)) result1) /\
                  (((is_infinite xu) \/ (is_infinite yu) ->
                    (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_166: tu = result1),
  (is_interval tl tu).
Proof.
intros.
Admitted.


(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_129 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_150: (is_not_NaN yu) /\ (is_not_NaN zero) /\ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rgt (float_value yu) (float_value zero)) \/
                  (is_plus_infinity yu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity yu) /\ (is_finite zero) \/
                  (is_finite yu) /\ (is_minus_infinity zero)),
  forall (HW_151: (is_finite xl) /\ (Rge (float_value xl) (0)%R)),
  forall (HW_152: (is_finite yl) /\ (Rge (float_value yl) (0)%R)),
  forall (HW_153: (is_plus_infinity yu) \/ (is_finite yu) /\
                  (Rgt (float_value yu) (0)%R)),
  forall (HW_154: (is_plus_infinity xu) \/ (is_finite xu) /\
                  (Rgt (float_value xu) (0)%R)),
  forall (HW_158: (is_not_NaN xl) /\ (is_not_NaN yl) /\
                  (((is_infinite xl) \/ (is_infinite yl) -> (diff_sign xl yl))) /\
                  (((is_infinite xl) /\ (is_finite yl) ->
                    ~(eq (float_value yl) (0)%R))) /\
                  (((is_infinite yl) /\ (is_finite xl) ->
                    ~(eq (float_value xl) (0)%R)))),
  forall (result0: gen_float),
  forall (HW_159: (float_less_than_real
                   result0 (Rmult (float_value xl) (float_value yl))) /\
                  (((is_infinite xl) \/ (is_infinite yl) ->
                    (is_minus_infinity result0)))),
  forall (tl: gen_float),
  forall (HW_160: tl = result0),
  forall (HW_164: (is_not_NaN xu) /\ (is_not_NaN yu) /\
                  (((is_infinite xu) \/ (is_infinite yu) -> (same_sign xu yu))) /\
                  (((is_infinite xu) /\ (is_finite yu) ->
                    ~(eq (float_value yu) (0)%R))) /\
                  (((is_infinite yu) /\ (is_finite xu) ->
                    ~(eq (float_value xu) (0)%R)))),
  forall (result1: gen_float),
  forall (HW_165: (real_less_than_float
                   (Rmult (float_value xu) (float_value yu)) result1) /\
                  (((is_infinite xu) \/ (is_infinite yu) ->
                    (is_plus_infinity result1)))),
  forall (tu: gen_float),
  forall (HW_166: tu = result1),
  forall (a: R),
  forall (b: R),
  forall (HW_167: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
unfold in_interval,float_less_than_real,real_less_than_float.
intros.
split.
destruct HW_159.
subst.
destruct H.
left.
split.
destruct H;auto.
2:right;exact H.
assert ((float_value xl <= a)%R).
decompose [and] HW_167.
destruct H3.
destruct H2;auto.
destruct HW_151.
unfold is_minus_infinity,is_finite in *.
rewrite H3 in H2.
destruct H2.
discriminate.
assert ((float_value yl <= b)%R).
decompose [and] HW_167.
destruct H2.
destruct H2;auto.
destruct HW_152.
unfold is_minus_infinity,is_finite in *.
rewrite H3 in H2.
destruct H2.
discriminate.
destruct H.
apply Rle_trans with ((float_value xl)*(float_value yl))%R.
exact H3.
apply help.
split.
destruct HW_151.
split;auto with real.
destruct HW_152.
split;auto with real.
(*borne sup*)
subst.
decompose [and] HW_165.
decompose [or] HW_154.
right.
apply H0.
left.
unfold is_plus_infinity, is_infinite in *.
destruct H1.
exact H1.
decompose [or] HW_153.
right.
apply H0.
right.
unfold is_plus_infinity, is_infinite in *.
destruct H2.
exact H2.
destruct H.
left.
split.
destruct H;auto.
decompose [and] HW_167.
destruct H6.
destruct H4.
destruct H7.
destruct H7.
apply Rle_trans with ((float_value xu)*(float_value yu))%R.
apply help.
split;split;auto with real.
destruct H5.
destruct HW_151.
destruct H5.
apply Rle_trans with (float_value xl);auto with real.
destruct HW_151.
unfold is_minus_infinity, is_finite in *.
destruct H5.
rewrite H9 in H5.
discriminate.
destruct H3.
destruct H3.
destruct HW_152.
apply Rle_trans with (float_value yl);auto with real.
destruct HW_152.
unfold is_minus_infinity, is_finite in *.
destruct H3.
rewrite H9 in H3.
discriminate.
destruct H;auto.
unfold is_plus_infinity, is_finite in *.
destruct H2.
rewrite H2 in H7.
destruct H7;discriminate.
unfold is_plus_infinity, is_finite in *.
destruct H4.
rewrite H4 in H1.
destruct H1;discriminate.
right;auto.
Qed.

 
(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_130 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_168: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (tl: gen_float),
  forall (HW_169: tl = zero),
  forall (tu: gen_float),
  forall (HW_170: tu = zero),
  (is_interval tl tu).
Proof.
intros.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_131 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_119: (is_not_NaN xu) /\ (is_not_NaN zero) /\ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rgt (float_value xu) (float_value zero)) \/
                  (is_plus_infinity xu) /\ (is_minus_infinity zero) \/
                  (is_plus_infinity xu) /\ (is_finite zero) \/
                  (is_finite xu) /\ (is_minus_infinity zero)),
  forall (HW_149: (is_NaN yl) \/ (is_NaN zero) \/ (is_finite yl) /\
                  (is_finite zero) /\
                  (Rge (float_value yl) (float_value zero)) \/
                  (is_plus_infinity yl) \/ (is_minus_infinity zero)),
  forall (HW_168: (is_NaN yu) \/ (is_NaN zero) \/ (is_finite yu) /\
                  (is_finite zero) /\
                  (Rle (float_value yu) (float_value zero)) \/
                  (is_minus_infinity yu) \/ (is_plus_infinity zero)),
  forall (tl: gen_float),
  forall (HW_169: tl = zero),
  forall (tu: gen_float),
  forall (HW_170: tu = zero),
  forall (a: R),
  forall (b: R),
  forall (HW_171: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
intros.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_132 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_172: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rle (float_value xu) (float_value zero)) \/
                  (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (tl: gen_float),
  forall (HW_173: tl = zero),
  forall (tu: gen_float),
  forall (HW_174: tu = zero),
  (is_interval tl tu).
Proof.
intros.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "interval_arith_full.why", line 224, characters 2-152: *)
(*Why goal*) Lemma mul_po_133 : 
  forall (xl: gen_float),
  forall (xu: gen_float),
  forall (yl: gen_float),
  forall (yu: gen_float),
  forall (HW_1: (is_interval xl xu) /\ (is_interval yl yu)),
  forall (result: gen_float),
  forall (HW_2: (((no_overflow Double down (0)%R) -> (is_finite result) /\
                  (eq (float_value result) (round_float Double down (0)%R)))) /\
                ((~(no_overflow Double down (0)%R) ->
                  (same_sign_real result (0)%R) /\
                  (overflow_value Double down result))) /\
                (eq (exact_value result) (0)%R) /\
                (eq (model_value result) (0)%R)),
  forall (zero: gen_float),
  forall (HW_3: zero = result),
  forall (HW_4: (eq (float_value zero) (0)%R)),
  forall (HW_118: (is_NaN xl) \/ (is_NaN zero) \/ (is_finite xl) /\
                  (is_finite zero) /\
                  (Rge (float_value xl) (float_value zero)) \/
                  (is_plus_infinity xl) \/ (is_minus_infinity zero)),
  forall (HW_172: (is_NaN xu) \/ (is_NaN zero) \/ (is_finite xu) /\
                  (is_finite zero) /\
                  (Rle (float_value xu) (float_value zero)) \/
                  (is_minus_infinity xu) \/ (is_plus_infinity zero)),
  forall (tl: gen_float),
  forall (HW_173: tl = zero),
  forall (tu: gen_float),
  forall (HW_174: tu = zero),
  forall (a: R),
  forall (b: R),
  forall (HW_175: (in_interval a xl xu) /\ (in_interval b yl yu)),
  (in_interval (Rmult a b) tl tu).
Proof.
intros.
(* FILL PROOF HERE *)
Save.

why-2.34/bench/good/complex_arg_2_why.v0000644000175000017500000000021412311670312016420 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Export Why.

why-2.34/bench/good/loops_why.v0000644000175000017500000000512412311670312015040 0ustar  rtusers
Require Import Why.
Require Import Omega.

(* Why obligation from file "loops.mlw", line 9, characters 16-23: *)
(*Why goal*) Lemma loop1_po_1 : 
  forall (i: Z),
  forall (HW_1: i <= 10),
  forall (i0: Z),
  forall (HW_2: i0 <= 10),
  forall (HW_3: i0 < 10),
  forall (i1: Z),
  forall (HW_4: i1 = (i0 + 1)),
  i1 <= 10.
Proof.
intuition.
Save.

(* Why obligation from file "loops.mlw", line 9, characters 32-36: *)
(*Why goal*) Lemma loop1_po_2 : 
  forall (i: Z),
  forall (HW_1: i <= 10),
  forall (i0: Z),
  forall (HW_2: i0 <= 10),
  forall (HW_3: i0 < 10),
  forall (i1: Z),
  forall (HW_4: i1 = (i0 + 1)),
  (Zwf 0 (10 - i1) (10 - i0)).
Proof.
intuition.
Save.



(* Why obligation from file "loops.mlw", line 12, characters 4-10: *)
(*Why goal*) Lemma loop1_po_3 : 
  forall (i: Z),
  forall (HW_1: i <= 10),
  forall (i0: Z),
  forall (HW_2: i0 <= 10),
  forall (HW_5: i0 >= 10),
  i0 = 10.
Proof.
intuition.
Save.

(* Why obligation from file "loops.mlw", line 19, characters 34-41: *)
(*Why goal*) Lemma oppose_po_1 : 
  forall (x0: Z),
  forall (x: Z),
  forall (HW_1: x = (Zopp x0)),
  x = (Zopp x0).
Proof.
intuition.
Save.



(* Why obligation from file "loops.mlw", line 24, characters 33-40: *)
(*Why goal*) Lemma loop2_po_1 : 
  forall (x: Z),
  forall (HW_1: x <= 10),
  forall (x0: Z),
  forall (HW_2: x0 <= 10),
  forall (HW_3: x0 < 10),
  forall (x1: Z),
  forall (HW_4: x1 = (x0 + 1)),
  x1 <= 10.
Proof.
intuition.
Save.

(* Why obligation from file "loops.mlw", line 24, characters 49-53: *)
(*Why goal*) Lemma loop2_po_2 : 
  forall (x: Z),
  forall (HW_1: x <= 10),
  forall (x0: Z),
  forall (HW_2: x0 <= 10),
  forall (HW_3: x0 < 10),
  forall (x1: Z),
  forall (HW_4: x1 = (x0 + 1)),
  (Zwf 0 (10 - x1) (10 - x0)).
Proof.
intuition.
Save.

(* Why obligation from file "loops.mlw", line 25, characters 6-14: *)
(*Why goal*) Lemma loop2_po_3 : 
  forall (x: Z),
  forall (HW_1: x <= 10),
  forall (x0: Z),
  forall (HW_2: x0 <= 10),
  forall (HW_5: x0 >= 10),
  x0 = 10.
Proof.
intuition.
Save.

(* Why obligation from file "loops.mlw", line 27, characters 6-13: *)
(*Why goal*) Lemma loop2_po_4 : 
  forall (x: Z),
  forall (HW_1: x <= 10),
  forall (x0: Z),
  forall (HW_2: x0 <= 10),
  forall (HW_5: x0 >= 10),
  forall (HW_6: x0 > 0),
  forall (x1: Z),
  forall (HW_7: x1 = (Zopp x0)),
  x1 = (-10).
Proof.
intuition.
Save.



(* Why obligation from file "loops.mlw", line 27, characters 6-13: *)
(*Why goal*) Lemma loop2_po_5 : 
  forall (x: Z),
  forall (HW_1: x <= 10),
  forall (x0: Z),
  forall (HW_2: x0 <= 10),
  forall (HW_5: x0 >= 10),
  forall (HW_8: x0 <= 0),
  x0 = (-10).
Proof.
intuition.
Save.

why-2.34/bench/good/all_why.v0000644000175000017500000003032512311670312014455 0ustar  rtusers
Require Import Why.
Require Import Omega.







(*Why logic*) Definition lt_int_bool : Z -> Z -> bool.
Admitted.

(*Why logic*) Definition le_int_bool : Z -> Z -> bool.
Admitted.

(*Why logic*) Definition gt_int_bool : Z -> Z -> bool.
Admitted.

(*Why logic*) Definition ge_int_bool : Z -> Z -> bool.
Admitted.

(*Why logic*) Definition eq_int_bool : Z -> Z -> bool.
Admitted.

(*Why logic*) Definition neq_int_bool : Z -> Z -> bool.
Admitted.

(*Why axiom*) Lemma lt_int_bool_axiom :
  (forall (x:Z), (forall (y:Z), ((lt_int_bool x y) = true <-> x < y))).
Admitted.

(*Why axiom*) Lemma le_int_bool_axiom :
  (forall (x:Z), (forall (y:Z), ((le_int_bool x y) = true <-> x <= y))).
Admitted.

(*Why axiom*) Lemma gt_int_bool_axiom :
  (forall (x:Z), (forall (y:Z), ((gt_int_bool x y) = true <-> x > y))).
Admitted.

(*Why axiom*) Lemma ge_int_bool_axiom :
  (forall (x:Z), (forall (y:Z), ((ge_int_bool x y) = true <-> x >= y))).
Admitted.

(*Why axiom*) Lemma eq_int_bool_axiom :
  (forall (x:Z), (forall (y:Z), ((eq_int_bool x y) = true <-> x = y))).
Admitted.

(*Why axiom*) Lemma neq_int_bool_axiom :
  (forall (x:Z), (forall (y:Z), ((neq_int_bool x y) = true <-> x <> y))).
Admitted.

(*Why logic*) Definition abs_int : Z -> Z.
Admitted.

(*Why axiom*) Lemma abs_int_pos :
  (forall (x:Z), (x >= 0 -> (abs_int x) = x)).
Admitted.

(*Why axiom*) Lemma abs_int_neg :
  (forall (x:Z), (x <= 0 -> (abs_int x) = (Zopp x))).
Admitted.

(*Why logic*) Definition int_max : Z -> Z -> Z.
Admitted.

(*Why logic*) Definition int_min : Z -> Z -> Z.
Admitted.

(*Why axiom*) Lemma int_max_is_ge :
  (forall (x:Z), (forall (y:Z), (int_max x y) >= x /\ (int_max x y) >= y)).
Admitted.

(*Why axiom*) Lemma int_max_is_some :
  (forall (x:Z), (forall (y:Z), (int_max x y) = x \/ (int_max x y) = y)).
Admitted.

(*Why axiom*) Lemma int_min_is_le :
  (forall (x:Z), (forall (y:Z), (int_min x y) <= x /\ (int_min x y) <= y)).
Admitted.

(*Why axiom*) Lemma int_min_is_some :
  (forall (x:Z), (forall (y:Z), (int_min x y) = x \/ (int_min x y) = y)).
Admitted.

(*Why logic*) Definition computer_div : Z -> Z -> Z.
Admitted.

(*Why logic*) Definition computer_mod : Z -> Z -> Z.
Admitted.

(*Why logic*) Definition math_div : Z -> Z -> Z.
Admitted.

(*Why logic*) Definition math_mod : Z -> Z -> Z.
Admitted.

(*Why axiom*) Lemma math_div_mod :
  (forall (x:Z),
   (forall (y:Z), (y <> 0 -> x = (y * (math_div x y) + (math_mod x y))))).
Admitted.

(*Why axiom*) Lemma math_mod_bound :
  (forall (x:Z),
   (forall (y:Z),
    (y <> 0 -> 0 <= (math_mod x y) /\ (math_mod x y) < (abs_int y)))).
Admitted.

(*Why axiom*) Lemma computer_div_mod :
  (forall (x:Z),
   (forall (y:Z),
    (y <> 0 -> x = (y * (computer_div x y) + (computer_mod x y))))).
Admitted.

(*Why axiom*) Lemma computer_div_bound :
  (forall (x:Z),
   (forall (y:Z),
    (x >= 0 /\ y > 0 -> 0 <= (computer_div x y) /\ (computer_div x y) <= x))).
Admitted.

(*Why axiom*) Lemma computer_mod_bound :
  (forall (x:Z),
   (forall (y:Z), (y <> 0 -> (abs_int (computer_mod x y)) < (abs_int y)))).
Admitted.

(*Why axiom*) Lemma computer_mod_sign_pos :
  (forall (x:Z),
   (forall (y:Z), (x >= 0 /\ y <> 0 -> (computer_mod x y) >= 0))).
Admitted.

(*Why axiom*) Lemma computer_mod_sign_neg :
  (forall (x:Z),
   (forall (y:Z), (x <= 0 /\ y <> 0 -> (computer_mod x y) <= 0))).
Admitted.

(*Why axiom*) Lemma computer_rounds_toward_zero :
  (forall (x:Z),
   (forall (y:Z),
    (y <> 0 -> (abs_int ((computer_div x y) * y)) <= (abs_int x)))).
Admitted.

(*Why type*) Definition farray: Set ->Set.
Admitted.

(*Why logic*) Definition access : forall (A1:Set), (array A1) -> Z -> A1.
Admitted.
Implicit Arguments access.

(*Why logic*) Definition update :
  forall (A1:Set), (array A1) -> Z -> A1 -> (array A1).
Admitted.
Implicit Arguments update.

(*Why axiom*) Lemma access_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z), (forall (v:A1), (access (update a i v) i) = v))).
Admitted.

(*Why axiom*) Lemma access_update_neq :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (forall (v:A1), (i <> j -> (access (update a i v) j) = (access a j)))))).
Admitted.

(*Why logic*) Definition array_length : forall (A1:Set), (array A1) -> Z.
Admitted.
Implicit Arguments array_length.

(*Why predicate*) Definition sorted_array  (t:(array Z)) (i:Z) (j:Z)
  := (forall (k1:Z),
      (forall (k2:Z),
       ((i <= k1 /\ k1 <= k2) /\ k2 <= j -> (access t k1) <= (access t k2)))).

(*Why predicate*) Definition exchange (A120:Set) (a1:(array A120)) (a2:(array A120)) (i:Z) (j:Z)
  := (array_length a1) = (array_length a2) /\
     (access a1 i) = (access a2 j) /\ (access a2 i) = (access a1 j) /\
     (forall (k:Z), (k <> i /\ k <> j -> (access a1 k) = (access a2 k))).
Implicit Arguments exchange.

(*Why logic*) Definition permut :
  forall (A1:Set), (array A1) -> (array A1) -> Z -> Z -> Prop.
Admitted.
Implicit Arguments permut.

(*Why axiom*) Lemma permut_refl :
  forall (A1:Set),
  (forall (t:(array A1)), (forall (l:Z), (forall (u:Z), (permut t t l u)))).
Admitted.

(*Why axiom*) Lemma permut_sym :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (l:Z), (forall (u:Z), ((permut t1 t2 l u) -> (permut t2 t1 l u)))))).
Admitted.

(*Why axiom*) Lemma permut_trans :
  forall (A1:Set),
  (forall (t1:(array A1)),
   (forall (t2:(array A1)),
    (forall (t3:(array A1)),
     (forall (l:Z),
      (forall (u:Z),
       ((permut t1 t2 l u) -> ((permut t2 t3 l u) -> (permut t1 t3 l u)))))))).
Admitted.

(*Why axiom*) Lemma permut_exchange :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (forall (i:Z),
       (forall (j:Z),
        (l <= i /\ i <= u ->
         (l <= j /\ j <= u -> ((exchange a1 a2 i j) -> (permut a1 a2 l u)))))))))).
Admitted.

(*Why axiom*) Lemma exchange_upd :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (j:Z),
     (exchange a (update (update a i (access a j)) j (access a i)) i j)))).
Admitted.

(*Why axiom*) Lemma permut_weakening :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l1:Z),
     (forall (r1:Z),
      (forall (l2:Z),
       (forall (r2:Z),
        ((l1 <= l2 /\ l2 <= r2) /\ r2 <= r1 ->
         ((permut a1 a2 l2 r2) -> (permut a1 a2 l1 r1))))))))).
Admitted.

(*Why axiom*) Lemma permut_eq :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      (l <= u ->
       ((permut a1 a2 l u) ->
        (forall (i:Z), (i < l \/ u < i -> (access a2 i) = (access a1 i))))))))).
Admitted.

(*Why predicate*) Definition permutation (A129:Set) (a1:(array A129)) (a2:(array A129))
  := (permut a1 a2 0 ((array_length a1) - 1)).
Implicit Arguments permutation.

(*Why axiom*) Lemma array_length_update :
  forall (A1:Set),
  (forall (a:(array A1)),
   (forall (i:Z),
    (forall (v:A1), (array_length (update a i v)) = (array_length a)))).
Admitted.

(*Why axiom*) Lemma permut_array_length :
  forall (A1:Set),
  (forall (a1:(array A1)),
   (forall (a2:(array A1)),
    (forall (l:Z),
     (forall (u:Z),
      ((permut a1 a2 l u) -> (array_length a1) = (array_length a2)))))).
Admitted.

(*Why type*) Definition foo: Set.
Admitted.

















(*Why*) Inductive ET_E1 (T:Set) : Set :=
          | Val_E1 : T -> ET_E1 T
          | Exn_E1 : ET_E1 T.

(*Why*) Definition post_E1 (T:Set) (P:Prop) (Q:T -> Prop)
          (x:ET_E1 T) :=
          match x with
          | Val_E1 v => Q v
          | Exn_E1 => P
          end.

(*Why*) Implicit Arguments post_E1.

(*Why*) Inductive ET_E2 (T:Set) : Set :=
          | Val_E2 : T -> ET_E2 T
          | Exn_E2 : Z -> ET_E2 T.

(*Why*) Definition post_E2 (T:Set) (P:Z -> Prop) (Q:T -> Prop)
          (x:ET_E2 T) :=
          match x with
          | Val_E2 v => Q v
          | Exn_E2 v => P v
          end.

(*Why*) Implicit Arguments post_E2.

(*Why*) Inductive ET_E3 (T:Set) : Set :=
          | Val_E3 : T -> ET_E3 T
          | Exn_E3 : foo -> ET_E3 T.

(*Why*) Definition post_E3 (T:Set) (P:foo -> Prop) (Q:T -> Prop)
          (x:ET_E3 T) :=
          match x with
          | Val_E3 v => Q v
          | Exn_E3 v => P v
          end.

(*Why*) Implicit Arguments post_E3.



























(* Why obligation from file "all.mlw", line 36, characters 13-22: *)
(*Why goal*) Lemma p2_po_1 : 
  ~False.
Proof.
tauto.
Save.



(* Why obligation from file "all.mlw", line 37, characters 13-26: *)
(*Why goal*) Lemma p3_po_1 : 
  (True /\ True).
Proof.
tauto.
Save.



(* Why obligation from file "all.mlw", line 38, characters 13-26: *)
(*Why goal*) Lemma p4_po_1 : 
  (True \/ False).
Proof.
tauto.
Save.



(* Why obligation from file "all.mlw", line 39, characters 13-31: *)
(*Why goal*) Lemma p5_po_1 : 
  (False \/ ~False).
Proof.
tauto.
Save.



(* Why obligation from file "all.mlw", line 40, characters 13-30: *)
(*Why goal*) Lemma p6_po_1 : 
  ((True -> ~False)).
Proof.
tauto.
Save.





(* Why obligation from file "all.mlw", line 42, characters 13-39: *)
(*Why goal*) Lemma p8_po_1 : 
  (True /\ (forall (x:Z), x = x)).
Proof.
intuition.
Save.




(* Why obligation from file "all.mlw", line 64, characters 11-28: *)
(*Why goal*) Lemma ar10_po_1 : 
  1 <> 0.
Proof.
omega.
Save.

(* Why obligation from file "all.mlw", line 65, characters 11-28: *)
(*Why goal*) Lemma ar11_po_1 : 
  1 <> 0.
Proof.
omega.
Save.

(* Why obligation from file ".", line 0, characters 0-0: *)
(*Why goal*) Lemma c2_po_1 : 
  forall (v1: bool),
  (if v1 then True else True).
Proof.
destruct v1; intuition.
Save.

(* Why obligation from file "all.mlw", line 107, characters 40-45: *)
(*Why goal*) Lemma arr1_po_1 : 
  forall (v6: (array Z)),
  forall (HW_1: (array_length v6) >= 1),
  (0 <= 0 /\ 0 < (array_length v6)).
Proof.
intuition.
Save.



(* Why obligation from file "all.mlw", line 108, characters 40-47: *)
(*Why goal*) Lemma arr2_po_1 : 
  forall (v6: (array Z)),
  forall (HW_1: (array_length v6) >= 4),
  (0 <= (1 + 2) /\ (1 + 2) < (array_length v6)).
Proof.
intuition.
Save.



(* Why obligation from file "all.mlw", line 109, characters 51-58: *)
(*Why goal*) Lemma arr3_po_1 : 
  forall (v4: Z),
  forall (v6: (array Z)),
  forall (HW_1: (array_length v6) >= 1 /\ v4 = 0),
  (0 <= v4 /\ v4 < (array_length v6)).
Proof.
intuition.
Save.



(* Why obligation from file "all.mlw", line 110, characters 58-63: *)
(*Why goal*) Lemma arr4_po_1 : 
  forall (v6: (array Z)),
  forall (HW_1: (array_length v6) >= 10 /\ (access v6 0) = 9),
  (0 <= 0 /\ 0 < (array_length v6)).
Proof.
intuition.
Save.


(* Why obligation from file "all.mlw", line 110, characters 55-64: *)
(*Why goal*) Lemma arr4_po_2 : 
  forall (v6: (array Z)),
  forall (HW_1: (array_length v6) >= 10 /\ (access v6 0) = 9),
  forall (HW_2: 0 <= 0 /\ 0 < (array_length v6)),
  forall (result: Z),
  forall (HW_3: result = (access v6 0)),
  (0 <= result /\ result < (array_length v6)).
Proof.
intuition.
Save.

(* Why obligation from file "all.mlw", line 112, characters 40-50: *)
(*Why goal*) Lemma arr5_po_1 : 
  forall (v6: (array Z)),
  forall (HW_1: (array_length v6) >= 1),
  (0 <= 0 /\ 0 < (array_length v6)).
Proof.
intuition.
Save.



(* Why obligation from file "all.mlw", line 113, characters 40-54: *)
(*Why goal*) Lemma arr6_po_1 : 
  forall (v6: (array Z)),
  forall (HW_1: (array_length v6) >= 4),
  (0 <= (1 + 2) /\ (1 + 2) < (array_length v6)).
Proof.
intuition.
Save.



(* Why obligation from file "all.mlw", line 114, characters 58-63: *)
(*Why goal*) Lemma arr7_po_1 : 
  forall (v6: (array Z)),
  forall (HW_1: (array_length v6) >= 10 /\ (access v6 0) = 9),
  (0 <= 0 /\ 0 < (array_length v6)).
Proof.
intuition.
Save.





(* Why obligation from file "all.mlw", line 114, characters 55-69: *)
(*Why goal*) Lemma arr7_po_2 : 
  forall (v6: (array Z)),
  forall (HW_1: (array_length v6) >= 10 /\ (access v6 0) = 9),
  forall (HW_2: 0 <= 0 /\ 0 < (array_length v6)),
  forall (result: Z),
  forall (HW_3: result = (access v6 0)),
  (0 <= result /\ result < (array_length v6)).
Proof.
intuition.
Save.

(* Why obligation from file "all.mlw", line 119, characters 48-54: *)
(*Why goal*) Lemma fc3_po_1 : 
  0 >= 0.
Proof.
intuition.
Save.





(* Why obligation from file "all.mlw", line 127, characters 51-59: *)
(*Why goal*) Lemma an2_po_1 : 
  forall (v4: Z),
  forall (HW_1: v4 >= 0),
  forall (v4_0: Z),
  forall (HW_2: v4_0 = (v4 + 1)),
  v4_0 > v4.
Proof.
intuition.
Save.









why-2.34/bench/good/set_why.v0000644000175000017500000000322012311670312014472 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.

(* Why obligation from file ".", line 0, characters 0-0: *)
(*Why goal*) Lemma p_po_1 : 
  forall (result: bool),
  forall (x: Z),
  forall (HW_1: x = 0 /\ ((if result then x = 0 else x <> 0))),
  (if result then 1 = 1 else 2 = 1).
Proof.
destruct result; intuition.
Save.


(* Why obligation from file ".", line 0, characters 0-0: *)
(*Why goal*) Lemma p2_po_1 : 
  forall (y: Z),
  forall (HW_1: y >= 0),
  forall (y0: Z),
  forall (HW_2: y0 >= 0),
  forall (result: bool),
  forall (x: Z),
  forall (HW_3: x = y0 /\ ((if result then x <> 0 else x = 0))),
  (if result then (forall (y:Z), (y = (y0 - 1) -> y >= 0 /\ (Zwf 0 y y0)))
   else y0 = 0).
Proof.
destruct result; intuition.
Save.

(* Why obligation from file ".", line 0, characters 0-0: *)
(*Why goal*) Lemma p3_po_1 : 
  forall (y: Z),
  forall (HW_1: y >= 0),
  forall (y0: Z),
  forall (HW_2: y0 >= 0),
  forall (result: bool),
  forall (x: Z),
  forall (HW_3: x = y0 /\ ((if result then x <> 0 else x = 0))),
  (if result then (forall (y:Z), (y = (y0 - 1) -> y >= 0 /\ (Zwf 0 y y0)))
   else y0 = 0).
Proof.
destruct result; intuition.
Save.

(* Why obligation from file ".", line 0, characters 0-0: *)
(*Why goal*) Lemma p4_po_1 : 
  forall (y: Z),
  forall (HW_1: y >= 1),
  forall (y0: Z),
  forall (HW_2: y0 >= 1),
  forall (y1: Z),
  forall (HW_3: y1 = (y0 - 1)),
  forall (result: bool),
  forall (x: Z),
  forall (HW_4: x = y1 /\ ((if result then x <> 0 else x = 0))),
  (if result then y1 >= 1 /\ (Zwf 0 y1 y0) else y1 = 0).
Proof.
destruct result; intuition.
Save.
why-2.34/bench/good/recfun.mlw0000644000175000017500000000165012311670312014631 0ustar  rtusers
(** Recursive functions *)

(** 1. Pure function *)

let rec f1 (x:int) : int { variant x } = 
  { x >= 0 } (if x > 0 then (f1 (x-1)) else x) { result = 0 }

(** 2. With effects but no argument *)

parameter x : int ref

let rec f2 (u:unit) : unit { variant x } =
  { x >= 0 } (if !x > 0 then begin x := !x - 1; (f2 void) end) { x = 0 }

(** 3. With effects and a pure argument *)

let rec f3 (a:int) : unit { variant a } =
  { a >= 0 } (if a > 0 then begin x := !x + 1; (f3 (a-1)) end) { x = x@ + a }

(** 4. With effects and a reference as argument *)

let rec f4 (a:int ref) : unit { variant a } =
  { a >= 0 } 
  (if !a > 0 then begin x := !x + 1; a := !a - 1; (f4 a) end)
  { x = x@ + a@ }

(** 5. The acid test: 
       partial application of a recursive function with effects *)

(*TODO
let rec f5 (a:int ref) (b:int ref) : unit { variant a } = !a + !b

let test_f5 = let f = (f5 x) in let b = ref 0 in (f b) { result = x }
*)

why-2.34/bench/good/exns_why.v0000644000175000017500000000410312311670312014655 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.















(* Why obligation from file "exns.mlw", line 45, characters 51-56: *)
(*Why goal*) Lemma p7_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 1),
  x = 1.
Proof.
intuition.
(* FILL PROOF HERE *)
Save.



(* Why obligation from file "exns.mlw", line 49, characters 17-37: *)
(*Why goal*) Lemma p8_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 1),
  (x = 1 /\ x = 1).
Proof.
intuition.
(* FILL PROOF HERE *)
Save.



(* Why obligation from file "exns.mlw", line 53, characters 17-37: *)
(*Why goal*) Lemma p9_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 1),
  (x = 1 /\ x = 1).
Proof.
intuition.
(* FILL PROOF HERE *)
Save.









(* Why obligation from file "exns.mlw", line 75, characters 4-9: *)
(*Why goal*) Lemma p13_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 2),
  x = 2.
Proof.
intuition.
(* FILL PROOF HERE *)
Save.



(* Why obligation from file "exns.mlw", line 84, characters 4-10: *)
(*Why goal*) Lemma p13a_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 1),
  forall (x0: Z),
  forall (HW_2: x0 = 0),
  x0 <> 1.
Proof.
intuition.
(* FILL PROOF HERE *)
Save.



(* Why obligation from file "exns.mlw", line 98, characters 9-37: *)
(*Why goal*) Lemma p14_po_1 : 
  forall (x: Z),
  forall (HW_2: x <> 1),
  forall (HW_4: x <> 2),
  forall (HW_6: x <> 3),
  (x <> 1 /\ x <> 2 /\ x <> 3).
Proof.
intuition.
(* FILL PROOF HERE *)
Save.



(* Why obligation from file "exns.mlw", line 101, characters 40-48: *)
(*Why goal*) Lemma p15_po_1 : 
  forall (x: Z),
  forall (HW_2: x <> 0),
  forall (x0: Z),
  forall (HW_3: x0 = 0),
  x0 = 0.
Proof.
intuition.
Save.

(* Why obligation from file "exns.mlw", line 103, characters 58-61: *)
(*Why goal*) Lemma p16_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 0),
  forall (x0: Z),
  forall (HW_2: x0 = 1),
  x0 = 1.
Proof.
intuition.
Save.

(* Why obligation from file "exns.mlw", line 105, characters 56-59: *)
(*Why goal*) Lemma p17_po_1 : 
  forall (x: Z),
  forall (HW_1: x = 0),
  x = 0.
Proof.
intuition.
Save.

why-2.34/bench/good/recfun_why.v0000644000175000017500000000777112311670312015200 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.

(* Why obligation from file "recfun.mlw", line 7, characters 29-37: *)
(*Why goal*) Lemma f1_po_1 : 
  forall (x: Z),
  forall (HW_1: x >= 0),
  forall (HW_2: x > 0),
  (Zwf 0 (x - 1) x).
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 7, characters 29-37: *)
(*Why goal*) Lemma f1_po_2 : 
  forall (x: Z),
  forall (HW_1: x >= 0),
  forall (HW_2: x > 0),
  forall (HW_3: (Zwf 0 (x - 1) x)),
  (x - 1) >= 0.
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 7, characters 49-59: *)
(*Why goal*) Lemma f1_po_3 : 
  forall (x: Z),
  forall (HW_1: x >= 0),
  forall (HW_6: x <= 0),
  x = 0.
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 14, characters 49-56: *)
(*Why goal*) Lemma f2_po_1 : 
  forall (x: Z),
  forall (HW_1: x >= 0),
  forall (HW_2: x > 0),
  forall (x0: Z),
  forall (HW_3: x0 = (x - 1)),
  (Zwf 0 x0 x).
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 14, characters 49-56: *)
(*Why goal*) Lemma f2_po_2 : 
  forall (x: Z),
  forall (HW_1: x >= 0),
  forall (HW_2: x > 0),
  forall (x0: Z),
  forall (HW_3: x0 = (x - 1)),
  forall (HW_4: (Zwf 0 x0 x)),
  x0 >= 0.
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 14, characters 65-70: *)
(*Why goal*) Lemma f2_po_3 : 
  forall (x: Z),
  forall (HW_1: x >= 0),
  forall (HW_7: x <= 0),
  x = 0.
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 19, characters 48-56: *)
(*Why goal*) Lemma f3_po_1 : 
  forall (a: Z),
  forall (x: Z),
  forall (HW_1: a >= 0),
  forall (HW_2: a > 0),
  forall (x0: Z),
  forall (HW_3: x0 = (x + 1)),
  (Zwf 0 (a - 1) a).
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 19, characters 48-56: *)
(*Why goal*) Lemma f3_po_2 : 
  forall (a: Z),
  forall (x: Z),
  forall (HW_1: a >= 0),
  forall (HW_2: a > 0),
  forall (x0: Z),
  forall (HW_3: x0 = (x + 1)),
  forall (HW_4: (Zwf 0 (a - 1) a)),
  (a - 1) >= 0.
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 19, characters 65-75: *)
(*Why goal*) Lemma f3_po_3 : 
  forall (a: Z),
  forall (x: Z),
  forall (HW_1: a >= 0),
  forall (HW_2: a > 0),
  forall (x0: Z),
  forall (HW_3: x0 = (x + 1)),
  forall (HW_4: (Zwf 0 (a - 1) a)),
  forall (HW_5: (a - 1) >= 0),
  forall (x1: Z),
  forall (HW_6: x1 = (x0 + (a - 1))),
  x1 = (x + a).
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 19, characters 65-75: *)
(*Why goal*) Lemma f3_po_4 : 
  forall (a: Z),
  forall (x: Z),
  forall (HW_1: a >= 0),
  forall (HW_7: a <= 0),
  x = (x + a).
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 25, characters 51-55: *)
(*Why goal*) Lemma f4_po_1 : 
  forall (a: Z),
  forall (x: Z),
  forall (HW_1: a >= 0),
  forall (HW_2: a > 0),
  forall (x0: Z),
  forall (HW_3: x0 = (x + 1)),
  forall (a0: Z),
  forall (HW_4: a0 = (a - 1)),
  (Zwf 0 a0 a).
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 25, characters 51-55: *)
(*Why goal*) Lemma f4_po_2 : 
  forall (a: Z),
  forall (x: Z),
  forall (HW_1: a >= 0),
  forall (HW_2: a > 0),
  forall (x0: Z),
  forall (HW_3: x0 = (x + 1)),
  forall (a0: Z),
  forall (HW_4: a0 = (a - 1)),
  forall (HW_5: (Zwf 0 a0 a)),
  a0 >= 0.
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 26, characters 4-15: *)
(*Why goal*) Lemma f4_po_3 : 
  forall (a: Z),
  forall (x: Z),
  forall (HW_1: a >= 0),
  forall (HW_2: a > 0),
  forall (x0: Z),
  forall (HW_3: x0 = (x + 1)),
  forall (a0: Z),
  forall (HW_4: a0 = (a - 1)),
  forall (HW_5: (Zwf 0 a0 a)),
  forall (HW_6: a0 >= 0),
  forall (x1: Z),
  forall (HW_7: x1 = (x0 + a0)),
  x1 = (x + a).
Proof.
intuition.
Save.

(* Why obligation from file "recfun.mlw", line 26, characters 4-15: *)
(*Why goal*) Lemma f4_po_4 : 
  forall (a: Z),
  forall (x: Z),
  forall (HW_1: a >= 0),
  forall (HW_8: a <= 0),
  x = (x + a).
Proof.
intuition.
Save.

why-2.34/bench/good/see_why.v0000644000175000017500000000212512311670312014456 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Import Why.

(*Why axiom*) Lemma mult_1_1 : (1 * 1) = 1.
Admitted.

(* Why obligation from file "see.mlw", line 9, characters 30-55: *)
(*Why goal*) Lemma f_po_1 : 
  forall (b0: Z),
  forall (b: Z),
  forall (HW_1: b = (1 - b0)),
  (b = b /\ b = (1 - b0)).
Proof.
intuition.
Save.


(* Why obligation from file "see.mlw", line 17, characters 4-21: *)
(*Why goal*) Lemma k_po_1 : 
  forall (b: Z),
  forall (HW_1: b = 0),
  forall (result: Z),
  forall (b0: Z),
  forall (HW_2: result = b0 /\ b0 = (1 - b)),
  forall (result0: Z),
  forall (b1: Z),
  forall (HW_3: result0 = b1 /\ b1 = (1 - b0)),
  forall (b1_0: Z),
  forall (HW_4: b1_0 = (1 - result + result0)),
  forall (result1: Z),
  forall (b2: Z),
  forall (HW_5: result1 = b2 /\ b2 = (1 - b1)),
  forall (result2: Z),
  forall (b3: Z),
  forall (HW_6: result2 = b3 /\ b3 = (1 - b2)),
  forall (b2_0: Z),
  forall (HW_7: b2_0 = (result1 * (1 - result2))),
  (b1_0 = 0 /\ b2_0 = 1).
Proof.
intuition; subst; trivial.
Save.


why-2.34/bench/good/init_why.v0000644000175000017500000000053012311670312014643 0ustar  rtusers
Require Import Why.


(* Why obligation from file , characters 41-84 *)
Lemma f_po_1 : forall (x x0:Z) (Post1:x0 = (1 - x)%Z), x0 = (1 - x)%Z.
Proof.
intuition.
Qed.


(* Why obligation from file , characters 103-149 *)
Lemma g_po_1 :
 forall (x x0:Z) (Post1:x0 = (1 - x)%Z) (x1:Z) (Post3:x1 = (1 - x0)%Z),
   x1 = x.
Proof.
intuition.
Qed.


why-2.34/bench/good/inductive_why.v0000644000175000017500000001000212311670312015665 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export Why.

(*Why inductive*) Inductive isfib  : Z -> Z -> Prop 
  := | isfib0 : (isfib 0 0)
     
     | isfib1 : (isfib 1 1)
     
     | isfibn : (forall (n:Z),
                 (forall (p:Z),
                  (forall (q:Z),
                   (n >= 0 /\ (isfib n p) /\ (isfib (n + 1) q) ->
                    (isfib (n + 2) (p + q))))))
     .


Hint Constructors isfib.



(* Why obligation from file "inductive.mlw", line 7, characters 0-21: *)
(*Why goal*) Lemma fib0 : 
  (isfib 0 0).
Proof.
auto.
Save.

(* Why obligation from file "inductive.mlw", line 8, characters 0-21: *)
(*Why goal*) Lemma fib1 : 
  (isfib 1 1).
Proof.
auto.
Save.

(* Why obligation from file "inductive.mlw", line 9, characters 0-21: *)
(*Why goal*) Lemma fib2 : 
  (isfib 2 1).
Proof.
change (isfib(0+2)(0+1)).
apply isfibn; intuition.
Save.

(* Why obligation from file "inductive.mlw", line 10, characters 0-21: *)
(*Why goal*) Lemma fib6 : 
  (isfib 6 8).
Proof.
assert (fib3:isfib 3 2).
change (isfib(1+2)(1+1)).
apply isfibn; intuition.
apply fib2.
assert (fib4:isfib 4 3).
change (isfib(2+2)(1+2)).
apply isfibn; intuition.
apply fib2.
assert (fib5:isfib 5 5).
change (isfib(3+2)(2+3)).
apply isfibn; intuition.
change (isfib(4+2)(3+5)).
apply isfibn; intuition.
Save.

(* Why obligation from file "inductive.mlw", line 11, characters 0-29: *)
(*Why goal*) Lemma neg_fib2 : 
  ~(isfib 2 2).
Proof.
intro H.
inversion H.
assert (n=0) ; try omega.
subst; intuition.
inversion H2.
subst.
assert (q=2) ; try omega.
replace (0+1) with 1 in H5 ; try  omega.
inversion H5.
omega.
intuition.
intuition.
Save.

(* Why obligation from file "inductive.mlw", line 12, characters 0-29: *)
(*Why goal*) Lemma neg_fib5 : 
  ~(isfib 5 6).
Proof.
Admitted.

(* Why obligation from file "inductive.mlw", line 18, characters 4-19: *)
(*Why goal*) Lemma fib_po_1 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_2: 0 <= n /\ n <= 1),
  (isfib n n).
Proof.
intros.
assert (n=0 \/ n=1).
  omega.
intuition; subst; auto.
Save.

(* Why obligation from file "inductive.mlw", line 17, characters 5-14: *)
(*Why goal*) Lemma fib_po_2 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_3: 0 > n \/ 0 <= n /\ n > 1),
  (Zwf 0 (n - 1) n).
Proof.
intuition.
Save.

(* Why obligation from file "inductive.mlw", line 17, characters 5-14: *)
(*Why goal*) Lemma fib_po_3 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_3: 0 > n \/ 0 <= n /\ n > 1),
  forall (HW_4: (Zwf 0 (n - 1) n)),
  (n - 1) >= 0.
Proof.
intuition.
Save.

(* Why obligation from file "inductive.mlw", line 17, characters 19-28: *)
(*Why goal*) Lemma fib_po_4 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_3: 0 > n \/ 0 <= n /\ n > 1),
  forall (HW_4: (Zwf 0 (n - 1) n)),
  forall (HW_5: (n - 1) >= 0),
  forall (result: Z),
  forall (HW_6: (isfib (n - 1) result)),
  (Zwf 0 (n - 2) n).
Proof.
intuition.
Save.

(* Why obligation from file "inductive.mlw", line 17, characters 19-28: *)
(*Why goal*) Lemma fib_po_5 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_3: 0 > n \/ 0 <= n /\ n > 1),
  forall (HW_4: (Zwf 0 (n - 1) n)),
  forall (HW_5: (n - 1) >= 0),
  forall (result: Z),
  forall (HW_6: (isfib (n - 1) result)),
  forall (HW_7: (Zwf 0 (n - 2) n)),
  (n - 2) >= 0.
Proof.
intuition.
Save.

(* Why obligation from file "inductive.mlw", line 18, characters 4-19: *)
(*Why goal*) Lemma fib_po_6 : 
  forall (n: Z),
  forall (HW_1: n >= 0),
  forall (HW_3: 0 > n \/ 0 <= n /\ n > 1),
  forall (HW_4: (Zwf 0 (n - 1) n)),
  forall (HW_5: (n - 1) >= 0),
  forall (result: Z),
  forall (HW_6: (isfib (n - 1) result)),
  forall (HW_7: (Zwf 0 (n - 2) n)),
  forall (HW_8: (n - 2) >= 0),
  forall (result0: Z),
  forall (HW_9: (isfib (n - 2) result0)),
  (isfib n (result + result0)).
Proof.
intros.
replace n with ((n-2)+2) ; try omega.
replace (result+result0) with (result0+result) ; try omega.
apply isfibn.
split; auto.
split; auto.
replace (n-2+1) with (n-1) ; try omega.
apply HW_6.
Save.

why-2.34/bench/good/floats1_why.v0000644000175000017500000003574612311670312015272 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export Why.
Require Export JessieGappa.


(* Why obligation from file "floats1.why", line 16, characters 2-23: *)
(*Why goal*) Lemma tes1_po_1 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_finite x) /\ (is_finite y) /\
                ~(eq (float_value x) (0)%R) /\ ~(eq (float_value y) (0)%R) /\
                (eq (float_value x) (float_value y))),
  forall (result: gen_float),
  forall (HW_2: result = (gen_float_of_real_logic Double nearest_even (1)%R)),
  forall (one: gen_float),
  forall (HW_3: one = result),
  forall (result0: gen_float),
  forall (HW_4: (((is_NaN one) \/ (is_NaN x) -> (is_NaN result0))) /\
                (((is_finite one) /\ (is_infinite x) -> (is_gen_zero result0))) /\
                (((is_infinite one) /\ (is_finite x) -> (is_infinite result0))) /\
                (((is_infinite one) /\ (is_infinite x) -> (is_NaN result0))) /\
                (((is_finite one) /\ (is_finite x) /\
                  ~(eq (float_value x) (0)%R) /\
                  (no_overflow
                   Double nearest_even (Rdiv
                                        (float_value one) (float_value x))) ->
                  (is_finite result0) /\
                  (eq (float_value result0) (round_float
                                             Double nearest_even (Rdiv
                                                                  (float_value
                                                                   one) (
                                                                  float_value
                                                                  x)))))) /\
                (((is_finite one) /\ (is_finite x) /\
                  ~(eq (float_value x) (0)%R) /\
                  ~(no_overflow
                    Double nearest_even (Rdiv
                                         (float_value one) (float_value x))) ->
                  (overflow_value Double nearest_even result0))) /\
                (((is_finite one) /\ (is_gen_zero x) /\
                  ~(eq (float_value one) (0)%R) -> (is_infinite result0))) /\
                (((is_gen_zero one) /\ (is_gen_zero x) -> (is_NaN result0))) /\
                (product_sign result0 one x) /\
                (eq (exact_value result0) (Rdiv
                                           (exact_value one) (exact_value x))) /\
                (eq (model_value result0) (Rdiv
                                           (model_value one) (model_value x)))),
  forall (z1: gen_float),
  forall (HW_5: z1 = result0),
  forall (result1: gen_float),
  forall (HW_6: (((is_NaN one) \/ (is_NaN y) -> (is_NaN result1))) /\
                (((is_finite one) /\ (is_infinite y) -> (is_gen_zero result1))) /\
                (((is_infinite one) /\ (is_finite y) -> (is_infinite result1))) /\
                (((is_infinite one) /\ (is_infinite y) -> (is_NaN result1))) /\
                (((is_finite one) /\ (is_finite y) /\
                  ~(eq (float_value y) (0)%R) /\
                  (no_overflow
                   Double nearest_even (Rdiv
                                        (float_value one) (float_value y))) ->
                  (is_finite result1) /\
                  (eq (float_value result1) (round_float
                                             Double nearest_even (Rdiv
                                                                  (float_value
                                                                   one) (
                                                                  float_value
                                                                  y)))))) /\
                (((is_finite one) /\ (is_finite y) /\
                  ~(eq (float_value y) (0)%R) /\
                  ~(no_overflow
                    Double nearest_even (Rdiv
                                         (float_value one) (float_value y))) ->
                  (overflow_value Double nearest_even result1))) /\
                (((is_finite one) /\ (is_gen_zero y) /\
                  ~(eq (float_value one) (0)%R) -> (is_infinite result1))) /\
                (((is_gen_zero one) /\ (is_gen_zero y) -> (is_NaN result1))) /\
                (product_sign result1 one y) /\
                (eq (exact_value result1) (Rdiv
                                           (exact_value one) (exact_value y))) /\
                (eq (model_value result1) (Rdiv
                                           (model_value one) (model_value y)))),
  forall (z2: gen_float),
  forall (HW_7: z2 = result1),
  (float_eq_float z1 z2).
Proof.
unfold float_eq_float,is_finite,is_infinite,same_sign,is_not_NaN.
intros.
decompose [and or] HW_4;clear HW_4.
decompose [and or] HW_6;clear HW_6.
decompose [and] HW_1;clear HW_1.
subst.
repeat split.
case (overflow_dec Double nearest_even (float_value (gen_float_of_real_logic Double nearest_even 1) /
        float_value x));intro.
assert (Rabs 1 <= max_gen_float Double)%R.
unfold max_gen_float.
gappa.
generalize (H3 (conj (proj1 
(gen_bounded_real_no_overflow Double nearest_even 1%R H27))
(conj H20 (conj H22 H25))));intros (h1,h2).
rewrite H26 in H25.
generalize (H14 (conj (proj1 
(gen_bounded_real_no_overflow Double nearest_even 1%R H27))
(conj H23 (conj H24 H25))));intros (h3,h4).
left.
repeat split;trivial.
rewrite h2,H26;auto.
assert (Rabs 1 <= max_gen_float Double)%R.
unfold max_gen_float.
gappa.
generalize (proj2 (proj2 (proj2 (H4 (conj (proj1 
(gen_bounded_real_no_overflow Double nearest_even 1%R H27))
(conj H20 (conj H22 H25)))))));intro h5.
rewrite H26 in H25.
generalize (proj2 (proj2 (proj2 (H15 (conj (proj1 
(gen_bounded_real_no_overflow Double nearest_even 1%R H27))
(conj H23 (conj H24 H25)))))));intro h6.
right.
repeat split;clear -h5 h6 H7 H18 H20 H23 H22 H24 H26;intuition.
unfold product_sign in *.
assert (float_sign x = float_sign y).
generalize (sign_invariant x H20 H22);intro.
generalize (sign_invariant y H23 H24);intro.
unfold float_value in *.
rewrite H26 in H2.
destruct (float_sign x).
unfold same_sign_real_bool in H2.
symmetry.
apply (proj1 (same_sign_real_bool_correct2 (float_sign y) (genf y) H4)).
auto.
unfold same_sign_real_bool in H2.
symmetry.
apply (proj1 (same_sign_real_bool_correct3 (float_sign y) (genf y) H4)).
auto.
unfold same_sign,diff_sign in *.
rewrite H2 in *.
case (same_sign_dec (gen_float_of_real_logic Double nearest_even 1) y).
intro.
unfold same_sign in *.
rewrite ((proj1 H7) H4).
symmetry.
apply ((proj1 H18) H4).
intro.
unfold diff_sign in *.
rewrite ((proj2 H7) H4).
symmetry.
apply ((proj2 H18) H4).
Save.

(*
assert (float_class result = Finite /\
           float_value result = round_float Double nearest_even 1).
apply H.
unfold no_overflow, round_float,max_gen_float, nearest_even.
admit. (*gappa succeeds*)
destruct H33.
assert (float_class result1 = Finite /\
           float_value result1 = round_float Double nearest_even 1).
apply H13.
unfold no_overflow, round_float,max_gen_float, nearest_even.
admit. (*gappa succeeds*)
destruct H36.
case (overflow_dec Double nearest_even (float_value result / float_value x)).
intro.
generalize (H7 (conj H33 (conj H28 (conj H30 H38)))).
intros (h1,h2).
assert (no_overflow  Double nearest_even (float_value result1 / float_value y)).
rewrite H37; rewrite <- H34; rewrite <- H35;exact H38. 
generalize (H22 (conj H36 (conj H31 (conj H32 H39)))).
intros (h3,h4).
left.
split;auto.
split;auto.
rewrite h4;rewrite <- H34;rewrite H37;rewrite <- H35;auto.
intro.
generalize (H8 (conj H33 (conj H28 (conj H30 H38))));intro.
unfold overflow_value in H39.
decompose [and] H39;clear H39 H40 H41 H42.
assert (~ no_overflow Double nearest_even (float_value result1 / float_value y)).
rewrite H37; rewrite <- H34; rewrite <- H35;exact H38. 
generalize (H23 (conj H36 (conj H31 (conj H32 H39))));intro.
unfold overflow_value in H40.
decompose [and] H40;clear H40 H41 H42 H43.
unfold product_sign in *.
unfold same_sign in *.
unfold diff_sign in *.

assert (float_sign result = Positive).
apply finite_sign_pos1.
split;trivial.
rewrite H35.
admit. 
(* apply pos_round_of_pos_real with (Double nearest_even 1%R).
auto with real. *)

assert (float_sign result1 = Positive).
admit. (*pareil*)

case (sign_dec x).
intro.
destruct H11.
assert (float_sign result0=Negative).
apply H43;rewrite H40,H42;discriminate.

assert (float_sign y =Negative).
generalize (sign_invariant x H28 H30); intro.
generalize (sign_invariant y H31 H32); intro.
unfold float_value in *.
rewrite H42 in H47.
rewrite H34 in H47.
unfold same_sign_real_bool in *.
case (sign_dec y);intro;auto.
rewrite H49 in H48.
admit. (*absurd H47 H48 *)
destruct H26.
assert (float_sign result2=Negative).
apply H48;rewrite H41,H47;discriminate.
right.
rewrite H45,H49.
clear -H44 H46; intuition.

intro.
destruct H11.
assert (float_sign result0=Positive).
apply H11;rewrite H40,H42;auto.


assert (float_sign y =Positive).
generalize (sign_invariant x H28 H30); intro.
generalize (sign_invariant y H31 H32); intro.
unfold float_value in *.
rewrite H42 in H47.
rewrite H34 in H47.
unfold same_sign_real_bool in *.
case (sign_dec y);intro;auto.
rewrite H49 in H48.
admit. (*absurd H47 H48 *)
destruct H26.
assert (float_sign result2=Positive).
apply H26;rewrite H41,H47;auto.
right.
rewrite H45,H49.
clear -H44 H46; intuition.
Save.
*)



(* Why obligation from file "floats1.why", line 31, characters 9-62: *)
(*Why goal*) Lemma tes2_po_1 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (HW_1: (is_gen_zero_plus x) /\ (is_gen_zero_minus y)),
  ((Rle (min_gen_float Double) (1)%R) /\ (Rle (1)%R (max_gen_float Double))).
Proof.
intros.
unfold min_gen_float,max_gen_float.
gappa.
Save.


(* Why obligation from file "floats1.why", line 32, characters 8-92: *)
(*Why goal*) Lemma tes2_po_2 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (one: gen_float),
  forall (HW_1: (is_gen_zero_plus x) /\ (is_gen_zero_minus y)),
  forall (HW_2: (Rle (min_gen_float Double) (1)%R) /\
                (Rle (1)%R (max_gen_float Double))),
  ((float_class one) = Finite /\ (float_sign one) = Positive /\
  ~(eq (float_value one) (0)%R)).
Proof.
intros.
Admitted.


(* Why obligation from file "floats1.why", line 36, characters 2-48: *)
(*Why goal*) Lemma tes2_po_3 : 
  forall (x: gen_float),
  forall (y: gen_float),
  forall (one: gen_float),
  forall (HW_1: (is_gen_zero_plus x) /\ (is_gen_zero_minus y)),
  forall (HW_2: (Rle (min_gen_float Double) (1)%R) /\
                (Rle (1)%R (max_gen_float Double))),
  forall (HW_3: (float_class one) = Finite /\ (float_sign one) = Positive /\
                ~(eq (float_value one) (0)%R)),
  forall (result: gen_float),
  forall (HW_4: (((is_NaN one) \/ (is_NaN x) -> (is_NaN result))) /\
                (((is_finite one) /\ (is_infinite x) -> (is_gen_zero result))) /\
                (((is_infinite one) /\ (is_finite x) -> (is_infinite result))) /\
                (((is_infinite one) /\ (is_infinite x) -> (is_NaN result))) /\
                (((is_finite one) /\ (is_finite x) /\
                  ~(eq (float_value x) (0)%R) /\
                  (no_overflow
                   Double nearest_even (Rdiv
                                        (float_value one) (float_value x))) ->
                  (is_finite result) /\
                  (eq (float_value result) (round_float
                                            Double nearest_even (Rdiv
                                                                 (float_value
                                                                  one) (
                                                                 float_value
                                                                 x)))))) /\
                (((is_finite one) /\ (is_finite x) /\
                  ~(eq (float_value x) (0)%R) /\
                  ~(no_overflow
                    Double nearest_even (Rdiv
                                         (float_value one) (float_value x))) ->
                  (overflow_value Double nearest_even result))) /\
                (((is_finite one) /\ (is_gen_zero x) /\
                  ~(eq (float_value one) (0)%R) -> (is_infinite result))) /\
                (((is_gen_zero one) /\ (is_gen_zero x) -> (is_NaN result))) /\
                (product_sign result one x) /\
                (eq (exact_value result) (Rdiv
                                          (exact_value one) (exact_value x))) /\
                (eq (model_value result) (Rdiv
                                          (model_value one) (model_value x)))),
  forall (t1: gen_float),
  forall (HW_5: t1 = result),
  forall (result0: gen_float),
  forall (HW_6: (((is_NaN one) \/ (is_NaN y) -> (is_NaN result0))) /\
                (((is_finite one) /\ (is_infinite y) -> (is_gen_zero result0))) /\
                (((is_infinite one) /\ (is_finite y) -> (is_infinite result0))) /\
                (((is_infinite one) /\ (is_infinite y) -> (is_NaN result0))) /\
                (((is_finite one) /\ (is_finite y) /\
                  ~(eq (float_value y) (0)%R) /\
                  (no_overflow
                   Double nearest_even (Rdiv
                                        (float_value one) (float_value y))) ->
                  (is_finite result0) /\
                  (eq (float_value result0) (round_float
                                             Double nearest_even (Rdiv
                                                                  (float_value
                                                                   one) (
                                                                  float_value
                                                                  y)))))) /\
                (((is_finite one) /\ (is_finite y) /\
                  ~(eq (float_value y) (0)%R) /\
                  ~(no_overflow
                    Double nearest_even (Rdiv
                                         (float_value one) (float_value y))) ->
                  (overflow_value Double nearest_even result0))) /\
                (((is_finite one) /\ (is_gen_zero y) /\
                  ~(eq (float_value one) (0)%R) -> (is_infinite result0))) /\
                (((is_gen_zero one) /\ (is_gen_zero y) -> (is_NaN result0))) /\
                (product_sign result0 one y) /\
                (eq (exact_value result0) (Rdiv
                                           (exact_value one) (exact_value y))) /\
                (eq (model_value result0) (Rdiv
                                           (model_value one) (model_value y)))),
  forall (t2: gen_float),
  forall (HW_7: t2 = result0),
  ((is_plus_infinity t1) /\ (is_minus_infinity t2)).
Proof.
unfold is_finite,is_infinite, is_plus_infinity, is_minus_infinity,is_gen_zero_plus, is_gen_zero_minus.
intros.
subst.
decompose [and or] HW_4;clear HW_4.
decompose [and or] HW_6;clear HW_6.
decompose [and] HW_1;clear HW_1.
decompose [and] HW_3;clear HW_3.
generalize (is_gen_zero_correct1 x H23);intro.
generalize (is_gen_zero_correct1 y H20);intro.
generalize (H5 (conj H22 (conj H23 H28)));intro.
generalize (H16 (conj H22 (conj H20 H28)));intro.
repeat split;trivial;unfold product_sign,same_sign,diff_sign in *;
rewrite H27,H24,H25 in *.
clear -H7; intuition.
clear -H18;apply (proj2 H18);discriminate.
Save.
why-2.34/bench/good/po.mlw0000644000175000017500000000350012311670312013761 0ustar  rtusers
(* Tests for proof obligations. *)

parameter x : int ref

logic q : int -> prop

(* basic stuff: assignment, sequence and local variables *)

let p1 () = { q(x+1) } begin x := !x + 1 end { q(x) }

let p2 () = { q(7) } begin x := 3 + 4 end { q(x) }

let p3 () = begin x := !x + 1; x := !x + 2 end { x = x@ + 3 }

let p4 () = begin x := 7; x := 2 * !x end { x = 14 }

let p5 () = (3 + 4) { result = 7 }

let p6 () = (let a = 3 in a + 4) { result = 7 }

let p7 () = (3 + (let a = 4 in a + a)) { result = 11 }

(* side effects in function arguments *)

let p8 () = 
  { q(x+1) } (3 + begin x := !x + 1; !x end) { q(x) and result = x@ + 4 }

(* evaluation order (argument first) *)

let p9 () = 
  (begin x := 1; 1 end + begin x := 2; 1 end) { result = 2 and x = 2 }

let p9a () = (begin x := 1; 1 end + 1) { result = 2 and x = 1 }

(* function with a post-condition *)

parameter fsucc : x:int -> { } int { result = x + 1 }

let p10 () = (fsucc 0) { result = 1 }

let p11 () = ((fsucc 0) + (fsucc 3)) { result = 5 }

let p11a () = (let a = (fsucc 1) in a + a) { result = 4 }

(* function with a post-condition and side-effects *)

parameter incrx : unit -> { } unit writes x { x = x@ + 1 }

let p12 () = { x = 0 } (incrx void) { x = 1 }

let p13 () = begin (incrx void); (incrx void) end { x = x@ + 2 }

let p13a () = (incrx (incrx void)) { x = x@ + 2 }

(* function with side-effects, result and post-condition *)

parameter incrx2 : unit -> { } int writes x { x = x@ + 1 and result = x }

let p14 () = { x = 0 } (incrx2 void) { result = 1 }

(* arrays *)

include "arrays.why"

parameter t : int array

let p15 () = { array_length(t) = 10 } t[0] 

let p16 () = { array_length(t) = 10 } t[9] := 1 

let p17 () = { array_length(t) = 10 and 0 <= t[0] < 10 } t[t[0]] := 1 

let p18 () = 
  { array_length(t) = 10 } (t[begin x := 0; !x end] := !x) { t[0] = x }
why-2.34/bench/good/complex_arg_2.mlw0000644000175000017500000000040212311670312016062 0ustar  rtusersexception Exception of int

parameter t : int ref

parameter m : a:int -> b:int ->
    { }
    unit reads t raises Exception
    { true | Exception => true }

let test = fun (tt : unit) ->
  { }
  (m ( assert { true } ; 0) 0)
  { true | Exception => true }

why-2.34/bench/good/poly.mlw0000644000175000017500000000023112311670312014324 0ustar  rtusers
(* polymorphism tests *)

type 'a t
logic f : 'b -> 'b t

let p () =
  let f (x:'a) = x { result=x } in
  if f true then f 1 else f 2 
  { result = 1 }
why-2.34/bench/java/0000755000175000017500000000000012311670312012615 5ustar  rtuserswhy-2.34/bench/java/good/0000755000175000017500000000000012311670312013545 5ustar  rtuserswhy-2.34/bench/java/good/AllZeros.java0000644000175000017500000000524612311670312016152 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class AllZeros {

    /*@ requires t != null;
      @ ensures \result <==> \forall integer i; 0 <= i < t.length ==> t[i] == 0; 
      @*/
    static boolean all_zeros(int t[]) {
	/*@ loop_invariant 
	  @  0 <= k <= t.length && 
	  @  \forall integer i; 0 <= i < k ==> t[i] == 0;
	  @ loop_variant t.length - k;
	  @*/
	for (int k = 0; k < t.length; k++) 
	    if (t[k] != 0) 
		return false;
	return true;
    }
}

why-2.34/bench/java/good/Trace.java0000644000175000017500000001122112311670312015443 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class Trace {

    /* Example 0
     * We want the message: 
     *  "assertion `x < 9' cannot be established"
     * localized on `x < 9' 
     */

    /*@ ensures this.f == 0;
      @*/
    Trace() {
	f = 0;
    }

    /* Example 1 
     * We want the message: 
     *  "assertion `x < 9' cannot be established"
     * localized on `x < 9' 
     */
    
    /*@ requires x > 0;
      @*/
    int m1(int x) {
	//@ assert x >= 0 && x < 9; 
	return x+1;
    }

    /* Example 2 
     * We want the message: 
     *  "post-condition `\result > 10' of function m2 cannot be established"
     * localized on `return x+1'
     * Bonus: all lines involved in the execution path should be ~underlined 
     */
    /*@ requires x > 0 && x < 100;
      @ ensures \result != 0 && \result > 10;  
      @*/
    int m2(int x) {
	int y;
	if (x<50) 
	    return x+1;
	else 
	    y = x-1;
	return y;
    }


    /* Example 3 
     * We want the message: 
     *  "pre-condition `x > 0' for call to function m3 cannot be established"
     * localized on `m2(x)' 
     */
    /*@ requires x >= 0 && x < 50;
      @*/
    int m3(int x) {
	return m2(x);
    }


    /* Example 4 
     * Explanation expected: 
     *   "validity of loop invariant `0 <= y' at loop entrance"
     * localized on `while ...' 
     */
    void m4(int x) { 
	int y = x;
	/*@ loop_invariant 0 <= y && y <= x;
	  @ loop_variant y;
	  @*/
	while (y > 0)
	    {
	    y = y - 1;
	}
    }

    
    /* Example 5 
     * Explanation expected:
     *   "preservation of loop invariant `y = x'"
     * localized on the '}' closing the loop body 
     */
    
    void m5(int x) {
	int y = x;
	/*@ loop_invariant y == x;
	  @ loop_variant y;
	  @*/
	while (y > 0) {
	    y = y - 1;
	}
    }

    /* Example 6
     * Explanation expected:
     *   "arithmetic overflow"
     * localized on first "x", on "(byte)(x+1)" and on "(byte)(x+2)"
     */
    byte m6(byte x) {
	x += x+1;
	x = (byte)(x+1); 
	return (byte)(x+2);
    }

    /* Example 7
     * Explanation expected:
     *   "pointer dereferencing"
     * localized on "p.f"
     */
    int f; 
    int m7(Trace p)
    {
	return p.f;
    }

    /* Example 8
     * Explanation expected:
     *   "pointer dereferencing"
     * localized on "p.f"
     */
    /*@ assigns p.f;
      @ ensures p.f == 0;
      @*/
    void m8(Trace p)
    {
	p.f = 0;
    }

    
}



/*
Local Variables: 
mode: java
compile-command: "make Trace"
End: 
*/
why-2.34/bench/java/good/Purse.java0000644000175000017500000000756312311670312015521 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

class NoCreditException extends Exception {

    public NoCreditException() { }

}

public class Purse {
    
    static NoCreditException noCreditException = new NoCreditException();

    private int balance;
    //@ invariant balance_positive: balance > 0;

    /*@ requires amount > 0;
      @ assigns balance;
      @ ensures balance == amount;
      @*/
    public Purse(int amount) {
        balance = amount;
    }

    /*@ requires s >= 0;
      @ assigns balance;
      @ ensures balance == \old(balance) + s;
      @*/
    public void credit(int s) {
        balance += s;
    }

    /*@ requires s >= 0;
      @ assigns balance;
      @ ensures s < \old(balance) && balance == \old(balance) - s;
      @ behavior amount_too_large:
      @   assigns \nothing;
      @   signals (NoCreditException) 
      @         s >= \old(balance) ;
      @*/
    public void withdraw(int s) throws NoCreditException {
        if (s < balance)
            balance = balance - s;
        else
            throw noCreditException;
    }


    /*@ requires p != null && s >= 0;
      @ behavior transfer_ok:
      @   ensures 
      @       balance == \old(balance) - s &&
      @       p.balance == \old(p.balance) + s &&
      @       \result == balance;
      @ behavior transfer_failed: 
      @   signals (NoCreditException) 
      @       balance == \old(balance) &&
      @       p.balance == \old(p.balance);
      @*/
    public int transfer_to(Purse p, int s) throws NoCreditException {
	p.credit(s);
	withdraw(s);
	return balance;
    }
	
}



/*
  Local Variables: 
  compile-command: "make Purse"
  End: 
*/
why-2.34/bench/java/good/InsertSort.java0000644000175000017500000000502212311670312016523 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

public class InsertSort {
	
	/*@ requires (t != null)&&(0<=i 0)
		    t[j--] = 0;
	}
		
}
why-2.34/bench/java/good/ArrayStoreExceptionTest.java0000644000175000017500000000540012311670312021221 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* JLS 2.0, page 216 */

class Point { int x,y; }

class ColoredPoint extends Point { int color; }

class ArrayStoreExceptionTest {

    public static void main(String[] args) {
	ColoredPoint[] cpa = new ColoredPoint[10];
	Point[] pa = cpa;
	System.out.println(pa[1] == null);
	try {
	    pa[0] = new Point();
	}
	catch (ArrayStoreException e) {
	    System.out.println(""+e);
	}

	int[][] t = new int[10][];
	Object[] u = t;
	u[0] = new int[5]; // OK
	u[1] = new Object(); // ArrayStoreException
    }
}
why-2.34/bench/java/good/Validity.java0000644000175000017500000000544612311670312016206 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class VA {

    VA();

    int n;
}

class VB {

    int m(VA x) {
	return x.n;
    }

    void m1(int[] t) {
	for (int i = 0; i < t.length; i++)
	    t[i] = 0;
    }

    int main() {
	VA y = new VA();
	int[] t = new int[3];
	m1(t);
	return m(y);
    }

}

class T {

    int p[];

    //@ requires t != null && t.length >= 1;
    static int m(int t[]) {
	return t[0];
    }

    //@ ensures \result == 0;
    public int test() {
	p = new int [1];
	return m(p);
    }
	
}



/*
Local Variables: 
compile-command: "make Validity.io"
End: 
*/

why-2.34/bench/java/good/Sorting.java0000644000175000017500000001327612311670312016046 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

/*@ predicate Sorted{L}(long a[], integer l, integer h) =
  @   \forall integer i; l <= i < h ==> a[i] <= a[i+1] ;
  @*/

/*@ predicate Swap{L1,L2}(long a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ axiomatic Permut {
  @  predicate Permut{L1,L2}(long a[], integer l, integer h);
  @  axiom Permut_refl{L}: 
  @   \forall long a[], integer l h; Permut{L,L}(a, l, h) ;
  @  axiom Permut_sym{L1,L2}: 
  @    \forall long a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  axiom Permut_trans{L1,L2,L3}: 
  @    \forall long a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==> 
  @        Permut{L1,L3}(a, l, h) ;
  @  axiom Permut_swap{L1,L2}: 
  @    \forall long a[], integer l h i j; 
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==> 
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class Sorting {

    /*@ requires t != null && 
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    static void swap(long t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }
    
    /*@ requires t != null;
      @ behavior sorted:
      @   ensures Sorted(t,0,t.length-1);
      @ behavior permutation:
      @   ensures Permut{Old,Here}(t,0,t.length-1);
      @*/
    static void min_sort(long t[]) {
	int i,j, mi;
	long mv;
	/*@ loop_invariant 0 <= i;
	  @ for sorted: 
	  @  loop_invariant Sorted(t,0,i) && 
	  @   (\forall integer k1 k2 ; 
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) ;
	  @ for permutation:
	  @   loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	  @*/
	for (i=0; i t[k] >= mv);
	      @ for permutation:
	      @  loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) { 
		    mi = j ; mv = t[j]; 
		}
	    }
	    swap(t,i,mi);
	}
    }

    /*@ requires t != null;
      @ behavior sorted:
      @   ensures Sorted(t,0,t.length-1);
      @ behavior permutation:
      @   ensures Permut{Old,Here}(t,0,t.length-1);
      @*/
    static void insert_sort(long t[]) {
	/* main loop:
	 * for i from 1 to t.length-1: sorts t[0..i]
	 */
	/*@ loop_invariant 1 <= i <= t.length;
	  @ for sorted:
	  @   loop_invariant Sorted(t,0,i-1);
	  @ for permutation:
	  @   loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	  @*/
	for (int i=1; i < t.length; i++) {
	    
	    // find the right index mi to insert t[i] into t[0..i-1]
	    int mi = i;
	    for (int j=i-1; j >= 0; j--) {
		if (t[j] < t[i]) mi=j;
	    }
	    // we shift the block t[mi..i-1] to the right
	    long tmp = t[i];
	    shift_right(t,mi,i);
	    // and put t[i] at the right index
	    t[mi] = tmp;
	}
    }


    /* shift_right(t,a,b) moves the block t[a..b-1] to t[a+1..b]
     * beware: the old value of t[b] is lost!
     */
    /*@ requires t!=null && 0 <= a && b < t.length ;
      @ assigns t[a+1..b];
      @ ensures \forall integer k; 
      @     a+1 <= k <= b ==> t[k] == \old(t[k-1]);
      @*/
    static void shift_right(long t[], int a, int b);	
    
}
why-2.34/bench/java/good/Search.java0000644000175000017500000000662512311670312015626 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ lemma mean_property : 
  @   \forall integer x y; x <= y ==> x <= (x+y)/2 <= y; */


/*@ predicate sorted{L}(long t[]) {
  @   \forall integer i j; 0 <= i && i <= j && j < t.length ==>
  @          t[i] <= t[j] } */

public class Search {

    long t[];
    // pb with recursive def of type and logic in Jessie
    // @ invariant t_sorted: t != null && sorted(t);

    /*@ requires t != null && t.length < 2147483647 && sorted(t);
      @ behavior search_success:
      @   ensures \result >= 0 ==> t[\result] == v;
      @ behavior search_failure:
      @   ensures \result < 0 ==> 
      @     \forall integer k; 0 <= k && k < t.length ==> t[k] != v;
      @*/
    int binary_search(long v) {
	int l = 0, u = t.length-1;
	/*@ loop_invariant 
	  @   0 <= l && u <= t.length-1 &&
	  @     \forall integer i; 
	  @        0 <= i && i < t.length ==> t[i] == v ==> l <= i && i <= u;
	  @ loop_variant u-l ;
	  @*/
	while (l <= u ) {
	    int m = (l + u) / 2;
	    //@ assert l <= m && m <= u;
	    if (t[m] < v) l = m + 1;
	    else if (t[m] > v) u = m - 1;
	    else return m;
	}
	return -1;
    }
}


/*
Local Variables: 
compile-command: "make Search"
End: 
*/

why-2.34/bench/java/good/IntSetModelField.java0000644000175000017500000001474212311670312017553 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@ lemma mean1 : (\forall integer x y ; x <= y ==> x <= (x + y) / 2) ;
//@ lemma mean2 : (\forall integer x y ; x < y ==> (x + y) / 2 < y) ;

//@ type intset ;

//@ logic intset emptyset() ;

//@ logic intset singleton(int n) ;

/*@ logic intset union(intset s1, intset s2) {
  @  axiom union_empty_left :
  @   \forall intset s ; union(emptyset(),s) == s;
  @ }
  @*/

/*@ predicate In(int n, intset s) {
  @  axiom In_emptyset : 
  @   \forall int n ; ! In(n,emptyset()) ;
  @  axiom In_union : 
  @   \forall intset s1 s2, int n ; 
  @      In(n,union(s1,s2)) <==> In(n,s1) || In(n,s2) ;
  @  axiom In_singleton : 
  @   \forall int n k ; 
  @      In(n,singleton(k)) <==> n==k ;
  @  axiom intset_ext : 
  @   \forall intset s1 s2;
  @     (\forall int n ; In(n,s1) <==> In(n,s2)) ==> s1==s2 ;
  @ }
  @*/

/*@ predicate array_models(intset s, int t[], integer i, integer j) =
  @   t != null && 
  @   0 <= i && j < t.length &&
  @   (\forall int n; In(n,s) <==> 
  @      (\exists int k;  i <= k <= j && n==t[k])) ;
  @*/

/*@ predicate IntSetModelField_models(intset s, IntSetModelField i) =
  @   i != null && 
  @   array_models(s,i.t,0,i.size-1) ;
  @*/

public class IntSetModelField {

    int size;
    int t[];

    /*@ invariant private_inv:
      @   t != null && 0 <= size <= t.length &&
      @   (\forall integer i j; 0 <= i <= j < size ==> t[i] <= t[j]);
      @*/

    //@ model intset my_model;

    //@ invariant repr_inv: IntSetModelField_models(this.my_model,this);

    /*@ assigns my_model;
      @ ensures my_model == emptyset();
      @*/
    IntSetModelField () {
        t = new int[10]; 
	size = 0;
    }



    /*@ assigns \nothing;
      @ ensures
      @   0 <= \result <= size &&
      @   (\forall integer i; 0 <= i < \result ==> t[i] < n) && 
      @   (\forall integer i; \result <= i < size ==> t[i] >= n) ;
      @*/
    public int index(int n) {
	int a = 0, b = size, m;
	/*@ loop_invariant 
	  @   0 <= a <= b <= size &&
	  @   (\forall integer i; 0 <= i < a ==> t[i] < n) && 
	  @   (\forall integer i; b <= i < size ==> t[i] >= n) ; 
	  @ loop_variant b-a;
	  @*/
	while (a In(n,my_model);
      @*/
    public boolean mem(int n) {
	int i = index(n);
	return (i < size && t[i] == n);
    }	
        
    /* add with intermediate annotations for automatic
     * proof with simplify 
     */
    /*@ assigns t,size, my_model; // t[..], syntax error ?
      @ ensures my_model == union(\old(my_model),singleton(n));
      @*/
    public void add(int n) {	
	int i = index(n);
	if (i < size && t[i] == n) return;
        /* @ // assigns t; // ,t[*]; syntax error ?
            ensures (\forall int j; 0 <= j && j < i; t[j]==\old(t[j])) 
              && (\forall int j; i+1 <= j && j < size + 1; t[j]==\old(t[j-1]))
              && (\forall int j; i <= j && j < size; \old(t[j])==t[j+1])
              && t !=null && t[i]==n && size < t.length && t instanceof int[];
        */
	{if (size < t.length) {
	    copy(t,t,i,size-1,i+1);
	}
	else {
	    int old[] = t;
	    t = new int[2*size+1];
	    copy(old,t,0,i-1,0);
	    copy(old,t,i,size-1,i+1);
	}
	t[i] = n;};
	size++; 
    }



    /*@ ensures \result == true;
      @*/
    public static boolean test() {
	IntSetModelField s = new IntSetModelField();
	s.add(1);
	s.add(2);
	//@ assert s.my_model == union(singleton(1),singleton(2));
	return s.mem(1);
    }

    /*
       copy(src,dest,a,b,c) copies src[a..b] to dest[c..c+b-a]
       if src and dest are the same, c is assumed greater than or equal to a.
     */
    /*@ requires src != null && dest != null && 
      @   0 <= a && a-1 <= b < src.length && 0 <= c && 
      @     c+b-a < dest.length && (dest == src ==> c >= a);
      @ assigns dest[c..c+b-a]; 
      @ ensures \forall integer i; c <= i <= c+b-a ==> dest[i] == \old(src[i+a-c]);
      @*/

    public static void copy(int src[], int dest[],int a, int b, int c) {
	/*@ loop_invariant 
	  @   a-1 <= j <= b &&
	  @   \forall integer i; j < i <= b ==> dest[i+c-a] == \old(src[i]) &&
	  @   \forall integer i; c <= i <= j+c-a ==> dest[i] == \old(dest[i]);
	  @ loop_variant j;
	  @*/
	for (int j = b; j >= a; j--) {
	    dest[j+c-a] = src[j];
	}
    }


}


why-2.34/bench/java/good/SCID_nonnull.java0000644000175000017500000007524612311670312016715 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* $Id: SCID_nonnull.java,v 1.8 2008-11-05 14:03:13 filliatr Exp $ */

//@+ CheckArithOverflow = no
//@+ InvariantPolicy = Arguments
//@+ NonNullByDefault = alllocal
// @+ AnnotationPolicy = Invariants
// @+ AbstractDomain = Box
// @+ AbstractDomain = Oct
// @+ AbstractDomain = Pol

// Smart Card ID - Example for a Smart Card based Identification and Authentication Application
// File: SCID.java
//
// This applet realizes a identification and authentication application which is typically used
// in online environment. The advantage of this solution is that nearly no adinistrative overhead
// on the smart card side is neccessary because the card is only used for identification of the
// user by PIN verification and authentication of the smart card by a challenge response algorithm.
//
// Smart Card ID is a multi purpose applet. Nearly all applications can be realised with it 
// (e.g. physical access for room, logical access computers or information, ....). 
// The application functionality is in the background system. Offline Terminals can use precomputed 
// triplets for secure authentication of the smart card. For a no security authentication only the 
// smart card ID can be used.
//
// In the administrative phase it is possible to write after a successful verification of the
// administrative PIN all data objects into the memory.
// In the operative phase it is possible to read the unique smart card ID, to authenticate the
// smart card with a callenge response algorithm based on DES and to identifiay the user with 
// his user PIN. A successful PIN verification can be checked in a secured way.
//
// Memory consumption: EEPROM: 1344 byte, RAM 44 byte
// 
// Package AID: 'D2 76 00 00 60 50 05'
// Applet AID:  'D2 76 00 00 60 41 05'
//
// Source code based on java card specification version 2.1.
// Compiled and tested with JDK 1.3.1 Java Card Application Studio (JCAST) V 2.3,
// JLoad 2.0, Java Card Class File Converter 2.1.2, IFDSIM 4.0 and UniverSIM Java Card 64 kB from G&D.
//
//---------------------------------------------------------------------------------------
// Specification of ISO/IEC 7816-4 case 3 command SELECT FILE
//   command APDU               CLA = '00' || INS = 'A4' ||
//                              P1 (= '04' = select by DF Name) || P2 (='00') ||
//                              Lc (= length of DF Name) || DATA (= DF Name)
//   response APDU (all case)   SW1 || SW2
//
// Specification of ISO/IEC 7816-4 case 3 command VERIFY
//   command APDU               CLA = '00' || INS = '20' || P1 (= '00') ||
//                              P2 ('01' = user PIN, '02' = admin PIN)
//                              Lc (= length of PIN) || DATA (= PIN)
//   response APDU (all case)   SW1 || SW2
//
// Specification of ISO/IEC 7816-4 case 3 command PUT DATA
//   command APDU               CLA = '00' || INS = 'DA' ||
//                              P1 (= '00') || P2 (= TAG ['40' ... 'FE']) ||
//                              Lc (= length of DATA) ||
//                              DATA (value field of the DO, with length Lc)
//   response APDU (all case)   SW1 || SW2
//
// Specification of ISO/IEC 7816-4 case 2 command GET DATA
//   command APDU               CLA = '00' || INS = 'CA' ||
//                              P1 (= '00') || P2 (= TAG ['40' ... 'FE'])
//                              Le (= length of expected data)
//   response APDU (good case)  DATA (value field of the DO, with length Le) ||
//                              SW1 || SW2
//   response APDU (bad case)   SW1 || SW2
//
// Specification of the proprietary case 4 command AUTH SC (authenticate smart card)
//   command APDU               CLA = '80' || INS = '08' || P1 (= '00') || P2 (= '00')
//                              Lc (= 8 byte) || C-DATA (with length Lc) || Le (= 21)
//   response APDU (good case)  R-DATA (with length Le) || SW1 || SW2
//   response APDU (bad case)   SW1 || SW2
//
//                C-DATA: RND [8 byte]
//                R-DATA: authentication data || MAC
//                authentication data = RND [8 byte] || smart card ID [4 byte] ||
//                                      authentication counter [2 byte] ||
//                                      admin PIN error counter [1 byte] ||
//                                      user PIN error counter [1 byte] || PIN status [1 byte] || 
//                                      padding (with '00', length must be a multiple of 8)
//                PIN status = Bit 8 (RFU) || ... Bit 3 (RFU) ||
//                             Bit 2 (1 = admin PIN succesful verified) ||
//                             Bit 1 (1 = user PIN succesful verified)
//                MAC = last 4 byte of enc (AuthKey) (authentication data)
//                authentication counter: no of further possible authentications 
//                                        '7FFF' = 32767 max. value, 
//                                        '0000' = no further authentication possible
//                padding according to ISO/IEC 9797 Method 1 (= 00 00 ...)
//
//---------------------------------------------------------------------------------------
// Implementation Notes
//    * no support of different DFs
//    * no secure messaging support (= class is alway '00')
//    * the authentication counter is used to limit the number of possible attacks to 
//      the used cryptoalgorithm, it can be set to any value with the PUT DATA command
//    * instead of the encryption of the whole response data in the AUTH SC command only 
//      a 4 byte MAC is used for authentication, because this gives more transperency about
//      the exchanged data (data protection laws)
//    * the adminstration phase (e.g. the personalisation of the smart card) is done with the
//      PUT DATA command. All external seeable data elements of the smart card can be written
//      with this ISO/IEC 7816-4 compatible command.
//    * The access condition for the administration phase is a VERIFY command with the 
//      administration PIN.
//    * the authentication key could be smart card individual or common for all smart cards
//    * if neccessary it is possible to use smart card individual authentication keys. This 
//      keys should be written into the smart card during the personalisation. As a reference 
//      to smart card individual keys the smart card ID can be used.
//    * abbreviations:  RND   - random number
//                      RFU   - reserved for future use (content of such a data element is not defined!)
//                      admin - administration
//
//---------------------------------------------------------------------------------------
// Use Cases
//   note:   all shown use cases are good cases
//   format: --command to smart card-->
//           <--response from smart card--
//
// -----Administrative Phase
// Personalisation
//   --VERIFY (with default Admin PIN)-->
//   <--ok--
//   --PUT DATA (Smart Card ID, admin PIN, user PIN, authentication key, authentication counter)-->
//   <--ok--
//  the following reset is important because of the reset of the validation status of the admin PIN
//   --Reset-->            
//   <--ATR--
//
// change user PIN (e.g. new user PIN, forgotten user PIN, error counter of the user PIN reached maximum value)
//   the following command is only neccessary if a card individual admin PIN is used
//   --GET DATA (smart card ID)-->
//   <--Smart Card ID--
//   --VERIFY (with admin PIN)-->
//   <--ok--
//   --PUT DATA (new user PIN)-->
//   <--ok--
//  the following reset is important because of the reset of the validation status of the admin PIN
//   --Reset-->            
//   <--ATR--
//
// forgotten admin PIN, error counter of the admin PIN reached maximum value
//   new smart card neccessary
//
// -----Operative Phase
// get smart card ID
//   --GET DATA (smart card ID)-->
//   <--smart card ID--
//
// authenticate smart card without security (advantage: no key is neccessary)
//   --GET DATA (Smart Card ID)-->
//   <--smart card ID--
//
// authenticate smart card with security
//   the following command is only neccessary if a card individual authentication key is used
//   --GET DATA (smart card ID)-->
//   <--smart card ID--
//   --AUTH SC (RND)-->
//   <--auth data || MAC--
//
// check user identity
//   the following command is only neccessary if a card individual authentication key is used
//   --GET DATA (smart card ID)-->
//   <--smart card ID--
//   --VERIFY (with user PIN)-->
//   <--ok--
//   --AUTH SC (RND)-->
//   <--auth data || MAC--
//
//---------------------------------------------------------------------------------------
// Test Strategy
//          good case tests:
//               1.1 test all use cases in good case
//               2.1 write all data objects and verify if they are stored correct
//               3.1 Test all marked "Test!" testpoints
//
//          bad case tests:
//              1.1 test correct and wrong admin PIN incl. error counter behaviour
//              1.2 is PUT DATA only possible after successful admin PIN verification?
//              1.3 does AUTH SC give the correct admin PIN validation state back?
//              1.4 does AUTH SC give the correct admin PIN error counter back?
//              2.1 test case 1.1 with user PIN
//              2.2 test case 1.3 with user PIN
//              2.2 test case 1.4 with user PIN
//              4.1 correct authetication behaviour if error counter = 0?
//
//---------------------------------------------------------------------------------------
// This source code is under GNU general public license (see www.opensource.org for details).
// Please send corrections and ideas for extensions to Wolfgang Rankl (www.wrankl.de)
// Copyright 2004 by Wolfgang Rankl, Munich
//---------------------------------------------------------------------------------------
// 29. April 2004 - V 1: initial runnable version
// 10. May   2004 - V 2: improved documentation, 1st published version
//---------------------------------------------------------------------------------------

import  javacard.framework.*;    // import all neccessary packages for the java card framework
import  javacard.security.*;     // import all neccessary packages for the java card security

// Bug with lemma ? : gwhy blocked ?
// @ lemma a1: \forall int b; 0 <= b <= 127 ==> (b & 0x00FF) == b;
// @ axiom a1: \forall int b; 0 <= b <= 127 ==> (b & 0x00FF) == b;

public class SCID extends Applet {
    // definitions for the classes and commands
    final static byte    PROP_CLASS  = (byte) 0x80;     // Class of the proprietary APDU commands
    final static byte    INS_SELECT  = (byte) 0xA4;     // instruction for the ISO/IEC 7816-4 SELECT FILE command
    final static byte    INS_VERIFY  = (byte) 0x20;     // instruction for the ISO/IEC 7816-4 VERIFY command
    final static byte    INS_PUTDATA = (byte) 0xDA;     // instruction for the ISO/IEC 7816-4 PUT DATA command
    final static byte    INS_GETDATA = (byte) 0xCA;     // instruction for the ISO/IEC 7816-4 GET DATA command
    final static byte    INS_AUTHSC  = (byte) 0x08;     // instruction for the proprietary AUTH SC command
    
    // definitions for specific returncodes
    final static short   SW_PIN_FAILED =     (short) 0x63C0;  // returncode for PIN verification failed
    // the last nibble shows the number of remaining tries
    final static short   SW_DATA_NOT_FOUND = (short) 0x6A88;  // referenced data not found
    
    // definitions for the AUTH SC command
    final static byte    LEN_CAPDU_AUTHSC = (byte)   8;   // length of the data in the command APDU of the AUTH SC command
    final static byte    LEN_RAPDU_AUTHSC = (byte)  21;   // length of the data in the response APDU of the AUTH SC command
    final static short   INDEX_RND        = (short)  0;   // start position of the RND in the AUTH SC response
    final static short   INDEX_SCID       = (short)  8;   // start position of the authentication counter in the AUTH SC response
    final static short   INDEX_AuthCntr   = (short) 12;   // start position of the authentication counter in the AUTH SC response
    final static short   INDEX_APINTries  = (short) 14;   // position of the admin PIN remaining tries in the AUTH SC response
    final static short   INDEX_UPINTries  = (short) 15;   // position of the user PIN remaining tries in the AUTH SC response
    final static short   INDEX_APINValid  = (short) 16;   // position of the admin PIN validation status in the AUTH SC response
    final static short   INDEX_UPINValid  = (short) 16;   // position of the user PIN validation status in the AUTH SC response
    final static short   INDEX_MAC        = (short) 17;   // start position of the MAC in the AUTH SC response
    
    // definitions for some data elements
    static short         authcntr;                        // authentication counter, it is a 2 byte signed short value
    final static short   SIZE_AUTHCNTR  = (short)  2;     // size of the authentication counter in byte
    static byte[]        scid;                            // the smart card ID
    final static short   SIZE_SCID      = (short)  4;     // size of the unique smart card identifier in byte
    //@ static invariant scid_inv: scid.length == SIZE_SCID;

    static byte[]        workarray;                       // workarray
    final static short   SIZE_WORKARRAY = (short) 30;     // size of the workarray 
    //@ static invariant workarray_inv: workarray.length == SIZE_WORKARRAY;
    
    static DESKey        authkey;                         // authentication key
    final static short   SIZE_AUTHKEY   = (short)  8;     // authentication key is a 8 byte long DES key
    static Signature     mac;                             // MAC (message authentication code)
    
    // definitions for the storage of the data elements
    final static short TAG_USERPIN  = (short) 0x51;   // tag for the user PIN
    final static short TAG_ADMINPIN = (short) 0x52;   // tag for the administrative PIN
    final static short TAG_AUTHKEY  = (short) 0x53;   // tag for the authentication key
    final static short TAG_AUTHCNTR = (short) 0x54;   // tag for the athentication counter
    final static short TAG_SCID     = (short) 0x55;   // tag for the smart card ID
    
    // constants and variables for the admin PIN management
    final static byte[]  DEFAULT_ADMINPIN                     // default admin PIN value
	= {(byte) 0x22, (byte) 0x22, (byte) 0x22};
    final static byte    ADMINPIN_SIZE          = (byte) 3;   // size of the PIN in byte
    final static byte    DEFAULT_ADMINPIN_MAXEC = (byte) 2;   // default value of the PIN error counter
    final static byte    ADMINPIN_ID            = (byte) 2;   // PIN identifier, PIN 2 = admin PIN
    static OwnerPIN      adminpin;                            // the PIN object
    
    // constants and variables for the user PIN management
    final static byte[]  DEFAULT_USERPIN                      // default user PIN value
	= {(byte) 0x00, (byte) 0x00};
    final static byte    USERPIN_SIZE          = (byte) 2;    // size of the PIN in byte
    final static byte    DEFAULT_USERPIN_MAXEC = (byte) 3;    // default value of the PIN error counter
    final static byte    USERPIN_ID            = (byte) 1;    // PIN identifier, PIN 1 = user PIN
    static OwnerPIN      userpin;                             // the PIN object
    
    // constants and variables for the key management
    final static byte[]  DEFAULT_AUTHKEY            // default authentication key
	= {(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
	   (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00};
    

    //---------------------------------------------------------------------------------------
    //----- installation and registration of the applet
    public static void install(byte[] buffer, short offset, byte length) {
	// create the object for the smart card ID
	scid = new byte[SIZE_SCID];
	
	// create a multiple useable object in RAM with an array of bytes
	workarray = JCSystem.makeTransientByteArray(SIZE_WORKARRAY, JCSystem.CLEAR_ON_DESELECT);  // Test!
	
	// create the object for admin PIN and set it to the default value
	adminpin = new OwnerPIN(DEFAULT_ADMINPIN_MAXEC, ADMINPIN_SIZE);
	adminpin.update(DEFAULT_ADMINPIN, (short)(0), ADMINPIN_SIZE);
	
	// create the object for user PIN and set it to the default value
	userpin = new OwnerPIN(DEFAULT_USERPIN_MAXEC, USERPIN_SIZE);
	userpin.update(DEFAULT_USERPIN, (short)(0), USERPIN_SIZE);
	
	// create the key object for authentication and set the key to the default value
	authkey = (DESKey)KeyBuilder.buildKey(KeyBuilder.TYPE_DES, KeyBuilder.LENGTH_DES, false);
	authkey.setKey(DEFAULT_AUTHKEY, (short)0);
	
	// create a signature object for MAC calculating
	// padding in line with ISO/IEC 9797 Method 1 (= 000 ...)
	mac = Signature.getInstance(Signature.ALG_DES_MAC4_ISO9797_M1, false);
	
	// register the application within the JCRE
	new SCID().register();
    }  // install
    
    //---------------------------------------------------------------------------------------
    //----- this is the command dispatcher
    public void process(APDU apdu) {
      byte[] cmd_apdu = apdu.getBuffer();
      
    // delete global used variables, for better robustness
    Util.arrayFillNonAtomic(workarray, (short) 0, SIZE_WORKARRAY, (byte) 0);

    if (cmd_apdu[ISO7816.OFFSET_CLA] == ISO7816.CLA_ISO7816) {
      //----- it is the ISO/IEC 7816 class
      switch(cmd_apdu[ISO7816.OFFSET_INS]) {
        case INS_SELECT:
          // it is a SELECT FILE instruction
          cmdSELECT(apdu);
          break;
        case INS_VERIFY:
          // it is a VERIFY instruction
          cmdVERIFY(apdu);
          break;
        case INS_PUTDATA:
          // it is a PUT DATA instruction
          cmdPUTDATA(apdu);
          break;
        case INS_GETDATA:
          // it is a GET DATA instruction
          cmdGETDATA(apdu);
          break;
        default :
          // the instruction in the command apdu is not supported
          ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
      }  // switch
    }  // if
    else if (cmd_apdu[ISO7816.OFFSET_CLA] == PROP_CLASS) {
      //----- it is the proprietary class
      switch(cmd_apdu[ISO7816.OFFSET_INS]) {
        case INS_AUTHSC:
          // it is a AUTH SC instruction
          cmdAUTHSC(apdu);
          break;
        default :
          // the instruction in the command apdu is not supported
          ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
      }  // switch
    }  // else if
    else {
      // the class in the command apdu is not supported
      ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
    }  // else
  }  // process

    //---------------------------------------------------------------------------------------
    //----- program code for the APDU command SELECT FILE
    private void cmdSELECT(APDU apdu) {
	byte[] cmd_apdu = apdu.getBuffer();
	
	//----- check preconditions in the APDU header
	// check if P1='04'
	if (cmd_apdu[ISO7816.OFFSET_P1] != 0x04) {
	    ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
	} // if
	// check if P2='00'
	if (cmd_apdu[ISO7816.OFFSET_P2] != 0x00) {
	    ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
	} // if
	short lc = (short)(cmd_apdu[ISO7816.OFFSET_LC] & 0x00FF);  // get Lc (command length)
	receiveAPDUBody(apdu);                                     // get the command body
	
	//----- command functionality
	if (JCSystem.getAID().equals(cmd_apdu, ISO7816.OFFSET_CDATA, (byte) lc) == false) {
	    ISOException.throwIt(ISO7816.SW_APPLET_SELECT_FAILED);
	} // if
	
	//----- prepare response APDU
	ISOException.throwIt(ISO7816.SW_NO_ERROR);   // command proper executed
    }  // cmdSELECT
    
  //---------------------------------------------------------------------------------------
  //----- program code for the APDU command VERIFY
  private void cmdVERIFY(APDU apdu) {
    byte[] cmd_apdu = apdu.getBuffer();

    //----- check preconditions in the APDU header
    // check if P1='00'
    if (cmd_apdu[ISO7816.OFFSET_P1] != 0) {
      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    } // if
    short lc = (short)(cmd_apdu[ISO7816.OFFSET_LC] & 0x00FF);  // get Lc (command length)
    receiveAPDUBody(apdu);                                     // get the command body

    if (cmd_apdu[ISO7816.OFFSET_P2] == USERPIN_ID) {  // it is the user PIN
      if (lc != USERPIN_SIZE) {                       // Lc = length of PIN ?
        ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
      } //if
      if (userpin.check(cmd_apdu, ISO7816.OFFSET_CDATA, USERPIN_SIZE) == false) {
        // PIN verification not successful
        short tries = userpin.getTriesRemaining();
        ISOException.throwIt( (short) (SW_PIN_FAILED + tries));  // send error counter in APDU back
      } // if
    } // if
    else if (cmd_apdu[ISO7816.OFFSET_P2] == ADMINPIN_ID) {    // it is the administrative PIN
      if (lc != ADMINPIN_SIZE) {                              // Lc = length of PIN ?
        ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
      } //if
      if (adminpin.check(cmd_apdu, ISO7816.OFFSET_CDATA, ADMINPIN_SIZE) == false) {
        // PIN verification not successful
        short tries = adminpin.getTriesRemaining();
        ISOException.throwIt( (short) (SW_PIN_FAILED + tries));  // send error counter in APDU back
      } // if
    } // if
    else {          // it is not a valid PIN identifier
      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    } // else
    // PIN verification successful
    ISOException.throwIt(ISO7816.SW_NO_ERROR);               // command proper executed
  }  // cmdVERIFY

  //---------------------------------------------------------------------------------------
  //----- program code for the APDU command PUT DATA
  private void cmdPUTDATA(APDU apdu) {
    byte[] cmd_apdu = apdu.getBuffer();

    //----- check preconditions in the APDU header
    // check if P1=0
    if (cmd_apdu[ISO7816.OFFSET_P1] != 0) {
      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    } // if
    // check if P2 contents an allowed tag value
    short tag = (short) (cmd_apdu[ISO7816.OFFSET_P2] & (short) 0x00FF);
    if ((tag < (short) 0x0040) || (tag > (short) 0x00FE)) {
      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    } // if
    short lc = (short)(cmd_apdu[ISO7816.OFFSET_LC] & (short) 0x00FF);  // calculate Lc (command length)
    receiveAPDUBody(apdu);     // get the command body

    //----- check precoditions of security status
    if (adminpin.isValidated() == false) {
      ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
    } // if

    //----- command functionality
    switch(tag) {
      case TAG_USERPIN:
        // the user PIN must be changed
        if (lc != USERPIN_SIZE) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(cmd_apdu, (short)((ISO7816.OFFSET_CDATA) & 0x00FF), workarray, (short) 0, lc);
        userpin.update(workarray, (short) 0, USERPIN_SIZE);
        break;
      case TAG_ADMINPIN:
        // the admin PIN must be changed
        if (lc != ADMINPIN_SIZE) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(cmd_apdu, (short)((ISO7816.OFFSET_CDATA) & 0x00FF), workarray, (short) 0, lc);
        adminpin.update(workarray, (short) 0, ADMINPIN_SIZE);
        break;
      case TAG_AUTHKEY:
        // the authentication key must be changed
        if (lc != SIZE_AUTHKEY) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(cmd_apdu, (short)((ISO7816.OFFSET_CDATA) & 0x00FF), workarray, (short) 0, lc);
        authkey.setKey(workarray, (short)0);
        break;
      case TAG_AUTHCNTR:
        // the authentication counter must be changed
        if (lc != SIZE_AUTHCNTR) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(cmd_apdu, (short)((ISO7816.OFFSET_CDATA) & 0x00FF), workarray, (short) 0, lc);
        if (Util.getShort(workarray, (short)0) > 0x7FFF) ISOException.throwIt(ISO7816.SW_WRONG_DATA);
        authcntr = Util.getShort(workarray, (short)0);
        break;
      case TAG_SCID:
        // the smart card ID must be changed
        if (lc != SIZE_SCID) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(cmd_apdu, (short)((ISO7816.OFFSET_CDATA) & 0x00FF), scid, (short) 0, lc);
        break;
    default :
      // the tag in the command apdu is not supported
      ISOException.throwIt(SW_DATA_NOT_FOUND);
    }  // switch

    //----- prepare response APDU
    ISOException.throwIt(ISO7816.SW_NO_ERROR);   // command proper executed
  }  // cmdPUTDATA

  //---------------------------------------------------------------------------------------
  //----- program code for the APDU command GET DATA
  private void cmdGETDATA(APDU apdu) {
    byte[] cmd_apdu = apdu.getBuffer();

    //----- check preconditions in the APDU header
    // check if P1=0
    if (cmd_apdu[ISO7816.OFFSET_P1] != 0) {
      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    } // if
    // check if P2 contents an allowed tag value
    short tag = (short) (cmd_apdu[ISO7816.OFFSET_P2] & (short) 0x00FF);
    if ((tag < 0x40) || (tag > 0xFE)) {
      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    } // if
    short le = (short)(cmd_apdu[ISO7816.OFFSET_LC] & 0x00FF);  // calculate Le (expected length)

    //----- command functionality
    switch(tag) {       // a switch construct is used because of the easy extensibility for additional tags
      case TAG_SCID:
        // get the smart card ID
        if (le != SIZE_SCID) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(scid, (short) (0), workarray, (short) 0, le);
        break;
    default :
      // the tag in the command apdu could not found
      ISOException.throwIt(SW_DATA_NOT_FOUND);
    }  // switch

    //----- now all preparations are done, the data object can be send to the IFD -----
    apdu.setOutgoing();                           // set transmission to outgoing data
    apdu.setOutgoingLength((short)le);            // set the number of bytes to send to the IFD
    apdu.sendBytesLong(workarray, (short) 0, (short)le); // send the requested the number of bytes to the IFD, data field of the DO
  }  // cmdGETDATA

  //---------------------------------------------------------------------------------------
  //----- program code for the APDU command AUTH SC
  private void cmdAUTHSC(APDU apdu) {
    byte[] cmd_apdu = apdu.getBuffer();
    //----- check preconditions in the APDU header
    // check if P1=0
    if (cmd_apdu[ISO7816.OFFSET_P1] != 0) 
	ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    // check if P2=0
    if (cmd_apdu[ISO7816.OFFSET_P2] != 0) 
	ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    short lc = (short)(cmd_apdu[ISO7816.OFFSET_LC] & 0x00FF); // get Lc (command length)
    if (lc != LEN_CAPDU_AUTHSC) 
	ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
    receiveAPDUBody(apdu); // get the command body
    //----- check security preconditions
    if (authcntr < 0) 
	ISOException.throwIt(SW_PIN_FAILED);  // Test!
    //----- collect all data for the signature
    Util.arrayCopy(cmd_apdu, (short) ISO7816.OFFSET_CDATA, workarray, INDEX_RND, lc); // RND from IFD
    Util.arrayCopy(scid, (short) (0), workarray, INDEX_SCID, SIZE_SCID);     // smart card ID
    Util.setShort(workarray, INDEX_AuthCntr, authcntr);                      // authentication counter
    workarray[INDEX_APINTries] = adminpin.getTriesRemaining();
    workarray[INDEX_UPINTries] = userpin.getTriesRemaining();
    if (adminpin.isValidated() == true) {
      workarray[INDEX_APINValid] = (byte) (workarray[INDEX_APINValid] | (byte) 0x01);  // Test!
    } // if
    if (userpin.isValidated() == true) {
      workarray[INDEX_UPINValid] = (byte) (workarray[INDEX_UPINValid] | (byte) 0x02);  // Test!
    } // if
    mac.init(authkey, Signature.MODE_SIGN);
    short len = mac.sign(workarray, (short) 0, LEN_RAPDU_AUTHSC, workarray, INDEX_MAC);  // calculate the MAC
    authcntr = (short) (authcntr - (short) 1);                    // update number of allowed authentication

    //----- now all calculations are done, the data can be send to the IFD
    apdu.setOutgoing();                           // set transmission to outgoing data
    apdu.setOutgoingLength(LEN_RAPDU_AUTHSC);            // set the number of bytes to send to the IFD
    apdu.sendBytesLong(workarray, (short) 0, LEN_RAPDU_AUTHSC);  // send the requested the number of bytes to the IFD, data field of the DO
  }  // cmdAUTHSC

    //---------------------------------------------------------------------------------------
    //----- receive the body of the command APDU
    public void receiveAPDUBody(APDU apdu) {
	byte[] buffer = apdu.getBuffer();
	short lc = (short)(buffer[ISO7816.OFFSET_LC] & 0x00FF);  // calculate Lc (command length)
	// check if Lc != number of received bytes of the command APDU body
	if (lc != apdu.setIncomingAndReceive()) {
	    ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
	} // if
    }  // receiveAPDUBody
    
}  // class

why-2.34/bench/java/good/Increment.java0000644000175000017500000000455012311670312016340 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


class Increment {

    void g(short m) {
    }

    void m() {
	byte b = 127;	
	g(b++);
    }

}why-2.34/bench/java/good/Fibonacci.java0000644000175000017500000000621612311670312016272 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNCOQ: will ask regtests to check Coq proofs of this program

// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no

/*@ inductive isfib(integer x, integer r) {
  @  case isfib0: isfib(0,0);
  @  case isfib1: isfib(1,1);
  @  case isfibn: 
  @   \forall integer n r p; 
  @     n >= 2 && isfib(n-2,r) && isfib(n-1,p) ==> isfib(n,p+r);
  @ }
  @*/ 

//@ lemma isfib_2_1 : isfib(2,1);
//@ lemma isfib_6_8 : isfib(6,8);

// provable only if def is inductive (least fix point)
//@ lemma not_isfib_2_2 : ! isfib(2,2);

public class Fibonacci {

    /*@ requires n >= 0;
      @ decreases n;
      @ ensures isfib(n, \result); 
      @*/
    public static long Fib(int n) {
	long y=0, x=1, aux;

	/*@ loop_invariant 0 <= i <= n && isfib(i+1,x) && isfib(i,y);
	  @ loop_variant n-i;
	  @*/
	for(int i=0; i < n; i++) {
	    aux = y;
	    y = x;
	    x = x + aux;
	}
	return y;
    }
}

why-2.34/bench/java/good/TestExceptions.java0000644000175000017500000000500512311670312017371 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


class C {

    /*@ behavior exc:
      @   signals (Exception) true;
      @*/
    void throwException() {
	throw new Exception();
    }

    void m() {
	throwException();
    }

}



/*
Local Variables: 
compile-command: "make TestExceptions"
End: 
*/
why-2.34/bench/java/good/PArray.java0000644000175000017500000001526412311670312015616 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@ type larray

/* [create(x)] returns an array  
 * where each cell contains [x] 
 **/
//@ logic larray create(double x);

//@ logic double select(larray t, integer i);

/*@ logic larray store(larray t, integer i, double x) {
  @  axiom select_store_eq:
  @   \forall larray t, integer i, double x;
  @    select(store(t,i,x),i) == x;
  @  axiom select_store_neq:
  @   \forall larray t, integer i j;
  @    \forall double x;
  @     i != j ==> 
  @      select(store(t,i,x),j) == select(x,j);
  @ }
  @*/


// public Interface for PArray
interface PArrayInterface {

    //@ model larray model_array;
    //@ model integer model_length;
  
    /* @ requires n >= 0;
      @ ensures 
      @   this.model_array == create(0.0)
      @   && this.model_length == n;
      @*/
    // PArrayInterface(int n);
    
    /*@ requires 0 <= i < this.model_length;
      @ assigns \nothing;
      @ ensures \result == select(this.model_array,i);
      @*/
    double get(int i);

    /*@ requires 0 <= i < this.model_length;
      @ assigns \nothing;
      @ // ensures \fresh(\result); 
      @ ensures \result.model_array == store(this.model_array,i,x)
      @   && \result.model_length == this.model_length;
      @*/
    PArrayInterface set(int i, double x);

}



abstract class Data {

    abstract double get(int i);
    
    abstract PArray set(int i, double x, PArray parent);

}

class Arr extends Data {

    double table[];

    //@ invariant table_non_null: table != null;

    Arr(int n) {
	table = new double[n];
    }

    double get(int i) {
	return table[i];
    }

    PArray set(int i, double x, PArray parent) {
	double old = table[i];
	table[i] = x;
	PArray tmp1 = new PArray(this);
	Data tmp2 = new Diff(i,old,tmp1);
	parent.contents = tmp2;
	return tmp1;
    }

    public String toString() {
	String s = "Arr [";
	for (int i = 0; i < table.length; i++)
	    s += table[i] + "; ";
	return (s + "]");
    }
}

class Diff extends Data {

    private int index;
    private double value;
    private PArray remaining;

    //@ invariant remaining_non_null: remaining != null;
    /*@ invariant diff_repr: 
      @   data_repr(this.remaining.model_length,store(index,value,this.remaining.model_array),this);
      @*/

    Diff(int i, double x, PArray rem) {
	index = i;
	value = x;
	remaining = rem;
    }

    double get(int i) {
	if (i == index) return value;
	return remaining.get(i);
    }

    PArray set(int i, double x, PArray t) {
	Data tmp = new Diff(i,x,t);
	return new PArray(tmp);
    }

    public String toString() {
	return "Diff " + index + ", " + value + ", " + remaining;
    }
}

public class PArray implements PArrayInterface 
{
    
    protected Data contents;
    
    //@ invariant contents_non_null: contents != null;
    /*@ invariant data_repr:
      @    data_repr(model_length,model_array,contents);
      @*/
    
    protected PArray(Data d) {
	contents = d;
    }
    
    public PArray(int n) {
	this(new Arr(n));
    }
    
    public double get(int i) {
	return contents.get(i);
    }

    public PArray set(int i, double x) {
	return contents.set(i,x,this);
    }

    public String toString() {
	return ("-> " + contents);
    }

    public static void main(String argv[]) {

	PArray t1 = new PArray(4);
	PArray t2 = t1.set(0,2.2);
	PArray t3 = t2.set(1,3.3);
	System.out.println("t1 = " + t1);
	System.out.println("t2 = " + t2);
	System.out.println("t3 = " + t3);
    }

}


/*@ predicate data_repr(integer model_length, 
  @                     larray model_array, Data contents);
  @*/

/*@ predicate repr(integer model_length, 
  @                larray model_array, PArray p);
  @*/
 
/*@ axiom arr_repr :
  @   \forall integer model_length, larray model_array, Arr a ;
  @     data_repr(model_length, model_array,a) 
  @     <==>
  @     model_length == a.table.length &&
  @     \forall integer i; 
  @       0 <= i < a.table.length ==> a.table[i] == select(model_array,i) ;
  @*/

/*@ axiom diff_repr_1 :
  @   \forall integer model_length, larray model_array, Diff d; 
  @   \forall integer i, double x; 
  @     repr(model_length, model_array, d.remaining) &&
  @     i == d.index && x == d.value  
  @     ==> 
  @     data_repr(model_length, store(i,x,model_array),d) ;
  @*/

/*@ axiom diff_repr_2 :
  @   \forall integer model_length, larray model_array, Diff d ;
  @     data_repr(model_length, model_array, d) &&
  @     \exists larray a; 
  @     model_array == store(d.index,d.value,a)
  @     &&
  @     repr(model_length, a, d.remaining) ;
  @*/




	
	
	
why-2.34/bench/java/good/Flag.java0000644000175000017500000001036612311670312015267 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

/* Dijkstra's dutch flag */

//@ predicate is_color(integer c) = Flag.BLUE <= c && c <= Flag.RED ;

/*@ predicate is_color_array{L}(int t[]) =
  @   t != null && 
  @   \forall integer i; 0 <= i < t.length ==> is_color(t[i]) ;
  @*/

/*@ predicate is_monochrome{L}(int t[],integer i, integer j, int c) =
  @   \forall integer k; i <= k < j ==> t[k] == c ;
  @*/



class Flag {
    
    public static final int BLUE = 1, WHITE = 2, RED = 3;
    
    int t[];
    //@ invariant t_non_null: t != null;
    //@ invariant is_color_array_inv: is_color_array(t);

    /*@ requires 0 <= i <= j <= t.length ;
      @ ensures \result <==> is_monochrome(t,i,j,c);
      @*/
    public boolean isMonochrome(int i, int j, int c) {
    	/*@ loop_invariant i <= k && 
	  @   (\forall integer l; i <= l < k ==> t[l]==c);
    	  @ loop_variant j - k;
	  @*/
	for (int k = i; k < j; k++) if (t[k] != c) return false;
	return true;
    }

    /*@ requires 0 <= i < t.length && 0 <= j < t.length;
      @ behavior i_j_swapped:
      @   assigns t[i],t[j];
      @   ensures t[i] == \old(t[j]) && t[j] == \old(t[i]);
      @*/
    private void swap(int i, int j) {
	int z = t[i];
	t[i] = t[j];
	t[j] = z;
    }

    /*@ behavior sorts:
      @   assigns t[..];
      @   ensures 
      @     (\exists integer b r; 
      @          is_monochrome(t,0,b,BLUE) &&
      @          is_monochrome(t,b,r,WHITE) &&
      @          is_monochrome(t,r,t.length,RED));
      @*/
    public void flag() {
	int b = 0;
	int i = 0;
	int r = t.length;
	/*@ loop_invariant
	  @   is_color_array(t) &&
	  @   0 <= b <= i <= r <= t.length &&
	  @   is_monochrome(t,0,b,BLUE) &&
	  @   is_monochrome(t,b,i,WHITE) &&
          @   is_monochrome(t,r,t.length,RED);
	  @ loop_variant r - i; 
	  @*/
	while (i < r) {
	    switch (t[i]) {
	    case BLUE:  
		swap(b++, i++);
		break;	    
	    case WHITE: 
		i++; 
		break;
	    case RED: 
		swap(--r, i);
		break;
	    }
	}
    }
}



/*
Local Variables: 
compile-command: "make Flag"
End: 
*/
why-2.34/bench/java/good/IntSet.java0000644000175000017500000001324512311670312015623 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@ lemma mean1 : (\forall integer x y ; x <= y ==> x <= (x + y) / 2) ;
//@ lemma mean2 : (\forall integer x y ; x < y ==> (x + y) / 2 < y) ;

/*@ predicate mem(IntSet s,int n) =
  @    \exists integer i; 0 <= i < s.taille && s.t[i] == n ;
  @*/

public class IntSet {

    int taille = 0;
    int t[] = new int[10];

    /*@ invariant sorted:
      @   t != null && 0 <= taille <= t.length &&
      @   (\forall integer i j; 0 <= i <= j < taille ==> t[i] <= t[j]);
      @*/

    /*@ assigns \nothing;
      @ ensures
      @   0 <= \result <= taille &&
      @   (\forall integer i; 0 <= i < \result ==> t[i] < n) && 
      @   (\forall integer i; \result <= i < taille ==> t[i] >= n) ;
      @*/
    public int index(int n) {
	int a = 0, b = taille, m;
	/*@ loop_invariant 
	  @   0 <= a <= b <= taille &&
	  @   (\forall integer i; 0 <= i < a ==> t[i] < n) && 
	  @   (\forall integer i; b <= i < taille ==> t[i] >= n) ; 
	  @ loop_variant b-a;
	  @*/
	while (a 
      @   (\exists integer i; 0 <= i < taille && t[i] == n);
      @*/
    public boolean mem(int n) {
	int i = index(n);
	return (i < taille && t[i] == n);
    }	
        
    /*@ assigns t,taille; // ,t[..]; syntax error ??
      @ ensures (\forall int k; mem(this,k) <==> \old(mem(this,k)) || k==n);
      @*/
    public void add(int n) {	
	int i = index(n);
	if (i < taille && t[i] == n) return;
	/* ensures taille < t.length ....
	  */
	if (taille < t.length) {
	    copy(t,t,i,taille-1,i+1);
	}
	else {
	    int old[] = t;
	    t = new int[2*taille+1];
	    copy(old,t,0,i-1,0);
	    copy(old,t,i,taille-1,i+1);
	}
	t[i] = n;
	taille++; 
    }

    /* A version of add with intermediate annotation for automatic
     * proof with simplify 
     */
    /*@ assigns t,taille; // ,t[..]; syntax error ??
      @ ensures (\forall int k; mem(this,k) <==> \old(mem(this,k)) || k==n);
      @*/
    public void add2(int n) {	
	int i = index(n);
	if (i < taille && t[i] == n) return;
        /* @ assigns t,t[..];
          @ ensures (\forall int j; 0 <= j && j < i; t[j]==\old(t[j])) 
          @    && (\forall int j; i+1 <= j && j < taille + 1; t[j]==\old(t[j-1]))
              && (\forall int j; i <= j && j < taille; \old(t[j])==t[j+1])
              && t !=null && t[i]==n && taille < t.length && t instanceof int[];
        */
	{if (taille < t.length) {
	    copy(t,t,i,taille-1,i+1);
	}
	else {
	    int old[] = t;
	    t = new int[2*taille+1];
	    copy(old,t,0,i-1,0);
	    copy(old,t,i,taille-1,i+1);
	}
	t[i] = n;};
	taille++; 
    }


    /*
       copy(src,dest,a,b,c) copies src[a..b] to dest[c..c+b-a]
       if src and dest are the same, c is assumed greater than or equal to a.
     */
    /*@ requires src != null && dest != null && 
      @   0 <= a && a-1 <= b && b < src.length && 0 <= c && 
      @     c+b-a < dest.length && (dest == src ==> c >= a);
      @ assigns dest[c..c+b-a]; 
      @ ensures (\forall integer i; c <= i <= c+b-a ==> dest[i] == \old(src[i+a-c]));
      @*/

    public static void copy(int src[], int dest[],int a, int b, int c) {
	/*@ loop_invariant 
	  @   a-1 <= j <= b &&
	  @   (\forall integer i; j < i <= b ==> dest[i+c-a] == \at(src[i],Pre)) &&
	  @   (\forall integer i; c <= i <= j+c-a ==> dest[i] == \at(dest[i],Pre));
	  @ loop_variant j;
	  @*/
	for (int j = b; j >= a; j--) {
	    dest[j+c-a] = src[j];
	}
    }
}


why-2.34/bench/java/good/Invariants.java0000644000175000017500000000633612311670312016536 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//////////////////////////////////////////////////////////////////////

class C1 {

    int[] t;
    //@ invariant C1_t_inv: t != null && t.length >= 1;

    void m(int[] p) {
	p[0] = 1;
   }

    void main() {
	m(t);
    }

}

//////////////////////////////////////////////////////////////////////

class C2 {

    static int[] t;
    //@ static invariant C2_t_inv: t != null && t.length >= 1;

    void m(int[] p) {
	p[0] = 1;
   }

    void main() {
	m(t);
    }

}

//////////////////////////////////////////////////////////////////////

class C3 {

    static Object t;
    //@ static invariant C3_t_inv: t != null;

    void m() {
	t = new Object();
	//@ assert t != null; 
   }

}

//////////////////////////////////////////////////////////////////////

class C4 {
    static int[] t; 
    //@ static invariant C4_t_inv: t != null && t.length == 10;
}

class C5 {
    void m() {
	int i = C4.t[0]; 
    }
}



/*
Local Variables: 
compile-command: "make Invariants"
End: 
*/


why-2.34/bench/java/good/BinarySearch.java0000644000175000017500000001264412311670312016771 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = yes

/* @ lemma mean_property : 
  @   \forall integer x y; x <= y ==> x <= (x+y)/2 <= y ;
  @*/

/* @ lemma mean_property_2 : 
  @   \forall integer x y; x <= y ==> x <= x+(y-x)/2 <= y; 
  @*/

/*@ predicate is_sorted{L}(int[] t) =
  @   t != null && 
  @   \forall integer i j; 
  @     0 <= i && i <= j && j < t.length ==> t[i] <= t[j];
  @*/


class BinarySearch {

    /* binary_search(t,n,v) search for element v in array t 
       between index 0 and n-1
       array t is assumed to be sorted in increasing order
       returns an index i between 0 and n-1 where t[i] equals v, 
       or -1 if no element in t is equal to v  
    */
    
    /*@ requires 
      @   0 <= n <= t.length &&
      @   \forall integer k1 k2; 
      @       0 <= k1 <= k2 <= n-1 ==> t[k1] <= t[k2];
      @ behavior correctness:
      @ ensures
      @   (\result >= 0 && t[\result] == v) ||
      @   (\result == -1 && \forall integer k; 0 <= k < n ==> t[k] != v);
      @*/
    static int binary_search(int t[], int n, int v) {
	int l = 0, u = n-1;
	/*@ loop_invariant 
	  @   0 <= l && u <= n-1 && 
	  @   \forall integer k; 0 <= k < n ==> t[k] == v ==> l <= k <= u;
	  @ loop_variant 
	  @   u-l ;
	  @*/
	while (l <= u ) {
	    int m = l + (u - l) / 2;
	    if (t[m] < v) l = m + 1;
	    else if (t[m] > v) u = m - 1;
	    else return m; 
	}
	return -1;
    }

    /* idiomatic code, using t.length instead of n as argument */

    /*@ requires t != null;
      @ ensures -1 <= \result < t.length; 
      @ behavior success:
      @   ensures \result >= 0 ==> t[\result] == v;
      @ behavior failure:
      @  assumes 
      @    \forall integer k1 k2; 
      @       0 <= k1 <= k2 <= t.length-1 ==> t[k1] <= t[k2];
      @  ensures \result == -1 ==>
      @     \forall integer k; 0 <= k < t.length ==> t[k] != v;
      @*/
    static int binary_search2(int t[], int v) {
	int l = 0, u = t.length - 1;
	/*@ loop_invariant 
	  @   0 <= l && u <= t.length - 1;
	  @ for failure: 
	  @  loop_invariant 
	  @    \forall integer k; 0 <= k < t.length ==> t[k] == v ==> l <= k <= u;
	  @ loop_variant 
	  @   u-l ;
	  @*/
	while (l <= u ) {
	    int m = l + (u - l) / 2;
	    if (t[m] < v) l = m + 1;
	    else if (t[m] > v) u = m - 1;
	    else return m; 
	}
	return -1;
    }

    /* search in a field */

    public int t[];
    // pb with recursive def of type and logic in Jessie
    // @ invariant t_is_sorted: is_sorted(t);
    
    /*@	requires t != null && t.length <= 2147483647 && is_sorted(t);
      @ behavior search_success:
      @   ensures
      @   \result >= 0 ==> t[\result] == v;
      @ behavior search_failure:
      @   ensures \result < 0 ==> (\forall integer k; 
      @     0 <= k < t.length ==> t[k] != v);
      @*/
    public int binary_search3(int v) {
	int l = 0, u = t.length-1;
	/*@ loop_invariant 
	  @   0 <= l && u <= t.length-1 && 
	  @   \forall integer k; 
	  @     0 <= k < t.length && t[k] == v ==> l <= k <= u;
	  @ loop_variant u-l ;
	  @*/
	while (l <= u ) {
	    int m = l + (u-l) / 2;
	    if (t[m] < v) l = m + 1; 
	    else if (t[m] > v) u = m - 1;
	    else return m;
	}
	return -1;
    }


}
    
/*
Local Variables: 
compile-command: "make BinarySearch"
End: 
*/
why-2.34/bench/java/good/Arrays.java0000644000175000017500000001056112311670312015654 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

/* is_max(t,i,l) is true whenever t[i] is the maximum of t[0]..t[l-1]
 * l is an integer and not an int, because used as t.length which 
 * (in the logic) returns an integer and not an int 
 */
/*@ predicate is_max{L}(int[] t,int i,integer l) =
  @   t != null && 0 <= i < l <= t.length &&
  @   (\forall integer j; 0 <= j < l ==> t[j] <= t[i]);
  @*/

public class Arrays {

    /*@ requires t != null && 1 <= t.length <= 32767;
      @ behavior max_found:
      @   ensures 
      @      0 <= \result < t.length && 
      @      (\forall integer i; 
      @           0 <= i < t.length ==> t[i] <= t[\result]);
      @*/
    public static short findMax(int[] t) {
	int m = t[0];
	short r = 0;
        /*@ loop_invariant 
          @   1 <= i <= t.length && 0 <= r < t.length &&
          @   m == t[r] && (\forall integer j; 0 <= j < i ==> t[j] <= m);
          @ loop_variant t.length-i;
          @*/
	for (short i=1; i < t.length; i++) {
	    if (t[i] > m) {
		r = i; 
		m = t[i];
	    }
	}
	return r;
    }

    /*@ requires t != null && t.length >= 1;
      @ behavior max_found:
      @  ensures 
      @      0 <= \result < t.length && 
      @      is_max(t,\result,t.length) ;
      @*/
    public static int findMax2(int[] t) {
	int m = t[0];
	int r = 0; 
	/*@ loop_invariant 
	  @   1 <= i <= t.length && 0 <= r < t.length &&
          @   m == t[r] && is_max(t,r,i) ;
	  @ loop_variant t.length-i;
	  @*/
	for (int i=1; i < t.length; i++) {
	    if (t[i] > m) {
		r = i; 
		m = t[i];
	    }
	}
	return r;
    }


    /*@ requires t != null ;
      @ ensures 
      @   \forall integer i; 0 < i < t.length ==> t[i] == \old(t[i-1]);
      @*/
    public static void arrayShift(int[] t) {
	/*@ loop_invariant 
	  @   j < t.length &&
	  @   (t.length > 0 ==>
	  @     (0 <= j && 
          @     (\forall integer i; 0 <= i <= j ==> t[i] == \at(t[i],Pre)) &&
          @     (\forall integer i; j < i < t.length ==> t[i] == \at(t[i-1],Pre))));
	  @ loop_variant j;
	  @*/
      for (int j = t.length-1 ; j > 0 ; j--) {
	  t[j] = t[j-1];
	}
    }


}


/*
Local Variables: 
compile-command: "make Arrays"
End: 
*/

why-2.34/bench/java/good/Termination.java0000644000175000017500000000517312311670312016707 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = yes

class Termination {

    void loop1(int n) { 
	//@ loop_variant n;
	while (n > 0) n--; 
    }

    void loop2(int n) { 
	//@ loop_variant 100-n;
	while (n < 100) n++; 
    }

    //@ ensures \result == 0;
    int loop3() {
	int i = 100;
	/*@ loop_invariant 0 <= i <= 100;
	  @ loop_variant i;
	  @*/
	while (i > 0) i--;
	return i;
    }

}

why-2.34/bench/java/good/Gcd.java0000644000175000017500000001073212311670312015110 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = yes

/* complements for non-linear integer arithmetic */

/*@ lemma distr_right: 
  @   \forall integer x y z; x*(y+z) == (x*y)+(x*z); 
  @*/

/*@ lemma distr_left: 
  @   \forall integer x y z; (x+y)*z == (x*z)+(y*z);
  @*/

/*  lemma distr_right_minus: 
  @   \forall integer x y z; x*(y-z) == (x*y)-(x*z); 
  @*/

/*@ lemma distr_left_minus: 
  @   \forall integer x y z; (x-y)*z == (x*z)-(y*z);
  @*/

/*@ lemma mul_comm: 
  @   \forall integer x y; x*y == y*x; 
  @*/

/*@ lemma mul_assoc: 
  @   \forall integer x y z; x*(y*z) == (x*y)*z; 
  @*/

/*@ predicate divides(integer x, integer y) =
  @   \exists integer q; y == q*x ;
  @*/

/*@ lemma div_mod_property:
  @  \forall integer x y; 
  @    x >=0 && y > 0 ==> x%y  == x - y*(x/y);  
  @*/

/*@ lemma mod_property:
  @  \forall integer x y; 
  @    x >=0 && y > 0 ==> 0 <= x%y && x%y < y; 
  @*/

/*@ predicate isGcd(integer a, integer b, integer d) =
  @   divides(d,a) && divides(d,b) && 
  @     \forall integer z;
  @     divides(z,a) && divides(z,b) ==> divides(z,d) ;
  @*/

/*@ lemma gcd_zero :
  @   \forall integer a; isGcd(a,0,a) ;
  @*/

/*@ lemma gcd_property :
  @   \forall integer a b d q;
  @      b > 0 && isGcd(b,a % b,d) ==> isGcd(a,b,d) ;
  @*/

class Gcd {

    /*@ requires x >= 0 && y >= 0;
      @ behavior resultIsGcd: 
      @   ensures isGcd(x,y,\result) ;
      @ behavior bezoutProperty:
      @   ensures \exists integer a b; a*x+b*y == \result;
      @*/
    static int gcd(int x, int y) {
        //@ ghost integer a = 1, b = 0, c = 0, d = 1;
        /*@ loop_invariant 
          @    x >= 0 && y >= 0 &&  
	  @    (\forall integer d ;  isGcd(x,y,d) ==> 
	  @        \at(isGcd(x,y,d),Pre)) && 
          @    a*\at(x,Pre)+b*\at(y,Pre) == x && 
          @    c*\at(x,Pre)+d*\at(y,Pre) == y ;
          @ loop_variant y;
          @*/
        while (y > 0) {
            int r = x % y;
            //@ ghost integer q = x / y;
            x = y;
            y = r;
            //@ ghost integer ta = a, tb = b;
            //@ ghost a = c; 
	    //@ ghost b = d;
            //@ ghost c = ta - c * q;
            //@ ghost d = tb - d * q;
        }
        return x;
    }

}




/*
Local Variables: 
compile-command: "make Gcd"
End: 
*/

why-2.34/bench/java/good/Switch.java0000644000175000017500000000574212311670312015661 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

public class Switch {

    /*@ behavior normal:
      @   assigns \nothing;
      @   ensures (n==0 || n==1) <==> \result == 0;
      @*/
    public static int test1 (int n) {
	int r;
	switch(n) {
	case 0:
	case 1:
	    r = 0;
	    break;
	default:
	    r = 2;
	}
	return r;
    }

    /*@ behavior normal:
      @   assigns \nothing;
      @   ensures ((n==4 || n==7) <==> \result == 1) && 
      @            ((n==0 || n==1) <==> \result == 0);
      @*/
    public static int test2 (int n) {
	int r;
	switch(n) {
	case 0:
	case 1:
	    r = 0;
	    break;
	case 4:
	case 7:
	    r = 1;
	    break;
	case 12:
	default:
	case 26:
	    r = 2;
	}
	return r;
    }

}

/*
Local Variables: 
compile-command: "make Switch.io"
End: 
*/

why-2.34/bench/java/good/FibMemo.java0000644000175000017500000001350412311670312015731 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = yes
// @+ MinimalClassHierarchy = yes

import java.util.HashMapIntegerInteger;
import java.util.HashMapIntegerLong;


//@ type mappings;

//@ logic Integer access_int(mappings m, Integer key);
/*@ logic mappings update_int(mappings m, Integer key, Integer value) {
  @  axiom access_update_eq_int:
  @     \forall mappings m, Integer key, Integer value ;
  @       access_int(update_int(m,key,value),key) == value ;
  @  axiom access_update_neq_int:
  @   \forall mappings m, Integer key1 key2, Integer value ;
  @       key1 != key2 ==>
  @       access_int(update_int(m,key1,value),key2) == access_int(m,key2) ;
  @ }
  @*/ 



//@ logic Long access(mappings m, Integer key);
/*@ logic mappings update(mappings m, Integer key, Long value) {
  @  axiom access_update_eq:
  @   \forall mappings m, Integer key, Long value ;
  @       access(update(m,key,value),key) == value ;
  @  axiom access_update_neq:
  @   \forall mappings m, Integer key1 key2, Long value ;
  @       key1 != key2 ==>
  @       access(update(m,key1,value),key2) == access(m,key2) ;
  @ }
  @*/


//@ logic mappings empty_mappings();

/*@ predicate containsKey(mappings m, Integer key) {
  @  axiom containsKey_empty:
  @    \forall Integer key; ! containsKey(empty_mappings(),key);
  @  axiom containsKey_update_any_int:
  @   \forall mappings m, Integer key1 key2, Integer value; 
  @      containsKey(m,key1) ==> containsKey(update_int(m,key2,value),key1);
  @ axiom containsKey_update_any:
  @   \forall mappings m, Integer key1 key2, Long value; 
  @      containsKey(m,key1) ==> containsKey(update(m,key2,value),key1);
  @ axiom containsKey_update_eq_int:
  @   \forall mappings m, Integer key, Integer value; 
  @      containsKey(update_int(m,key,value),key);
  @ axiom containsKey_update_eq:
  @   \forall mappings m, Integer key, Long value; 
  @      containsKey(update(m,key,value),key);
  @ }
  @*/

/* @ axiom containsKey_update_discr:
  @   \forall mappings m, Integer key, Integer value; 
  @      containsKey(update(m,key1,value),key2) ==> key1==key2 || containsKey(m,key2);
  @*/

/*@ logic integer math_fib(integer n) {
  @  axiom fib0 : math_fib(0) == 1;
  @  axiom fib1 : math_fib(1) == 1;
  @  axiom fibn : \forall integer n; n >= 2 ==> 
  @    math_fib(n) == math_fib(n-1) + math_fib(n-2);
  @ }
  @*/

class FibMemo {

    private HashMapIntegerInteger memo_int;
    private HashMapIntegerLong memo;

    /*@ invariant fib_safety: memo != null;
      @*/

    /*@ invariant fib_inv: \forall Integer x; 
      @     containsKey(memo.hashmap_model,x) ==>
      @        access(memo.hashmap_model,x) != null &&
      @        access(memo.hashmap_model,x).value == math_fib(x.value);
      @*/


    FibMemo () {
	memo_int = new HashMapIntegerInteger();
	memo = new HashMapIntegerLong();
    }



    /*@ requires n >=0 ;
      @ assigns \nothing;
      @ ensures \result == math_fib(n);
      @*/
    int fib_int(int n) {       
	if (n <= 1) return 1; 
	Integer m = new Integer(n);
	Integer x = memo_int.get(m);
	if (! (x == null)) return x.intValue();
	x = new Integer(fib_int(n-1) + fib_int(n-2));
	memo_int.put(m,x); return x.intValue();
    }

    /*@ requires n >=0 ;
      @ ensures \result == math_fib(n);
      @*/
    long fib(int n) {       
	if (n <= 1) return 1; 
	Integer m = new Integer(n);
	Long x = memo.get(m);
	if (x != null) return x.longValue();
	x = new Long(fib(n-1) + fib(n-2));
	memo.put(m,x); return x.longValue();
    }

    /*@ requires n >=0 ;
      @ ensures \result == math_fib(n);
      @*/
    long fib_slow(int n) {       
	if (n <= 1) return 1; 
	return fib_slow(n-1)+fib_slow(n-2);

    }
}why-2.34/bench/java/good/Muller.java0000644000175000017500000000732112311670312015653 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

/*@ axiomatic NumOfPos {
  @  logic integer num_of_pos{L}(integer i,integer j,int t[]);
  @  axiom num_of_pos_empty{L} :
  @   \forall integer i j, int t[];
  @    i > j ==> num_of_pos(i,j,t) == 0;
  @  axiom num_of_pos_true_case{L} :
  @   \forall integer i j k, int t[];
  @       i <= j && t[j] > 0 ==> 
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t) + 1;
  @  axiom num_of_pos_false_case{L} :
  @   \forall integer i j k, int t[];
  @       i <= j && ! (t[j] > 0) ==> 
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t);
  @ }
  @*/

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i j k l, int t[];
  @       j < k && k <= l && t[k] > 0 ==> 
  @       num_of_pos(i,j,t) < num_of_pos(i,l,t);
  @*/

public class Muller {

    /*@ requires t!=null;
      @*/
    public static int[] m(int t[]) {
	int count = 0;
	
	/*@ loop_invariant
	  @    0 <= i && i <= t.length && 
	  @    0 <= count && count <= i && 
	  @    count == num_of_pos(0,i-1,t) ; 
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) if (t[i] > 0) count++;
	
	int u[] = new int[count];
	count = 0;
	
	/*@ loop_invariant
	  @    0 <= i && i <= t.length && 
	  @    0 <= count && count <= i && 
	  @    count == num_of_pos(0,i-1,t);
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) {
	    if (t[i] > 0) u[count++] = t[i];
	}
	return u;
    }
    
}

/*
Local Variables: 
compile-command: "make Muller"
End: 
*/
why-2.34/bench/java/good/Literals.java0000644000175000017500000000474112311670312016175 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


class Literals {

    public static final int x = 0xbad;

    /*@ ensures \result == 0xd;
      @*/
    int f() {
	int x = 0xbad;
	return 015;
    }
}

/*
Local Variables: 
compile-command: "make Literals"
End: 
*/


why-2.34/bench/java/good/Sort.java0000644000175000017500000001100512311670312015334 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i; l <= i < h ==> a[i] <= a[i+1] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ axiomatic Permut {
  @  predicate Permut{L1,L2}(int a[], integer l, integer h);
  @  axiom Permut_refl{L}: 
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  axiom Permut_sym{L1,L2}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  axiom Permut_trans{L1,L2,L3}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==> 
  @        Permut{L1,L3}(a, l, h) ;
  @  axiom Permut_swap{L1,L2}: 
  @    \forall int a[], integer l h i j; 
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==> 
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class Sort {

    /*@ requires t != null && 
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }
    
    /*@ requires t != null;
      @ behavior sorted:
      @   ensures Sorted(t,0,t.length-1);
      @ behavior permutation:
      @   ensures Permut{Old,Here}(t,0,t.length-1);
      @*/
    void min_sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i;
	  @ for sorted: 
	  @  loop_invariant Sorted(t,0,i) && 
	  @   (\forall integer k1 k2 ; 
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) ;
	  @ for permutation:
	  @   loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	  @*/
	for (i=0; i t[k] >= mv);
	      @ for permutation:
	      @  loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) { 
		    mi = j ; mv = t[j]; 
		}
	    }
	    swap(t,i,mi);
	}
    }

    
}

why-2.34/bench/java/good/Lesson1.java0000644000175000017500000001126512311670312015741 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* complements for non-linear integer arithmetic */

//@ lemma zero_right: \forall integer x; x*0 == 0;
//@ lemma zero_left: \forall integer x; 0*x == 0;
//@ lemma one_right: \forall integer x; x*1 == x;
//@ lemma one_left: \forall integer x; 1*x == x;
//@ lemma two_right: \forall integer x; x*2 == x+x;
//@ lemma two_left: \forall integer x; 2*x == x+x;

/*@ lemma distr_right: 
  @   \forall integer x y z; x*(y+z) == (x*y)+(x*z);
  @*/

/*@ lemma distr_left: 
  @   \forall integer x y z; (x+y)*z == (x*z)+(y*z);
  @*/

/*@ lemma sqr_short_elim: 
  @   \forall integer x; x*x <= 32760 ==> x <= 180;
  @*/

/*@ lemma sqr_short_intro: 
  @   \forall integer x; 0 <= x && x <= 181 ==> x*x <= 32761;
  @*/

/*@ lemma sqr_int_elim: 
  @   \forall integer x; x*x <= 2147395599 ==> x <= 46339;
  @*/

/*@ lemma sqr_int_intro: 
  @   \forall integer x; 0 <= x && x <= 46340 ==> x*x <= 2147395600;
  @*/


public class Lesson1 {

    /*@ behavior result_ge_x:
      @   ensures \result >= x; 
      @ behavior result_ge_y:
      @   ensures \result >= y; 
      @ behavior result_is_lub:
      @   ensures \forall integer z; z >= x && z >= y ==> z >= \result;
      @*/
    public static int max(int x, int y) {
	if (x>y) return x; else  return y; 
    }
    
    /*@ requires x >= 0 && x <= 32760;
      @ ensures \result >= 0 && \result * \result <= x 
      @    && x < (\result + 1) * (\result + 1);
      @*/
    public static short short_sqrt(short x) {
	short count = 0, sum = 1;
    	/*@ loop_invariant 
	  @   count >= 0 && x >= count*count &&
          @   sum == (count+1)*(count+1) &&
	  @   count <= 180 && sum <= 32761;
	  @ loop_variant x - sum;
	  @*/
	while (sum <= x) { 
	    count++;
	    //@ assert (count*count)+2*count+1 == (count+1)*(count+1);
	    sum += 2*count+1;
	}
	return count;
    }   
  
    /*@ requires x >= 0 && x <= 2147395599;
      @ behavior result_is_sqrt: 
      @   ensures \result >= 0 && \result * \result <= x 
      @      && x < (\result + 1) * (\result + 1) ;
      @*/
    public static int sqrt(int x) {
	int count = 0, sum = 1;
    	/*@ loop_invariant 
	  @   count >= 0 && x >= count*count &&
          @   sum == (count+1)*(count+1) &&
	  @   count <= 46339 && sum <= 2147395600;
	  @ loop_variant x - sum;
	  @*/
	while (sum <= x) {
	    count++;
	    //@ assert (count*count)+2*count+1 == (count+1)*(count+1);
	    sum += 2*count+1;
	}
	return count;
    }   
  
}

/*
Local Variables: 
compile-command: "make Lesson1"
End: 
*/
why-2.34/bench/java/good/CreationTricky.java0000644000175000017500000000573512311670312017354 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* from JLS p 244
 */ 

class Super {

    Super() { printThree(); }

    void printThree() { Out.print(-1); }

}

class Test extends Super {

    int three = 3;

    // Krakatoa bug: should be implicit
    Test () { super(); }

    public static void test () {
	Test t = new Test();
	t.printThree();
	//@ assert Out.count == 2 && Out.data[0] == 0 && Out.data[1] == 3;
    }

    void printThree() { Out.print(three); }

}

// ghost model of output channel
class Out {

    public static int data[] = new int [10];
    static int count = 0;

    /*@ assigns data[count];
      @ ensures count == \old(count) + 1
      @     && data[\old(count)] == v;
      @*/
    static void print(int v) {
	data[count] = v;
	v++;
    }

}

why-2.34/bench/java/good/Cube.java0000644000175000017500000000611612311670312015272 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

/*@ lemma distr_right: 
  @   \forall integer x y z; x*(y+z) == (x*y)+(x*z);
  @*/

/*@ lemma distr_left: 
  @   \forall integer x y z; (x+y)*z == (x*z)+(y*z);
  @*/

/*@ lemma distr_right2: 
  @   \forall integer x y z; x*(y-z) == (x*y)-(x*z);
  @*/

/*@ lemma distr_left2: 
  @   \forall integer x y z; (x-y)*z == (x*z)-(y*z);
  @*/

public class Cube {
    /*@ requires x > 0;
      @ ensures \result == x * x * x;
      @*/
  public static int cube(int x) {
    int a = 1;
    int b = 0;
    int c = x;
    int z = 0;
    /*@ loop_invariant 
      @    0 <= c &&
      @    a == 3*(x-c) + 1 &&
      @    b == 3*(x-c)*(x-c) &&
      @    z == (x-c)*(x-c)*(x-c);
      @ loop_variant c;
      @*/
    while (c > 0) {
      z += a + b;
      b += 2*a + 1;
      a += 3;
      c--;
    }
    return z;
  }
}
why-2.34/bench/java/good/Fact.java0000644000175000017500000000471712311670312015276 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

public class Fact {

    /*@ requires n >= 0;
      @ decreases n;
      @*/
    public static long f(int n) {
	if (n <= 1) return 1;
        return n * f(n-1);
    }
}

why-2.34/bench/java/good/Decimal.java0000644000175000017500000001133512311670312015751 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

/*@ lemma real_add_int : 
  @   (\forall integer x y; (real) (x + y) == (real) x + (real) y);
  @*/

/*@ lemma real_mul_int : 
  @   (\forall integer x y; (real) (x * y) == (real) x * (real) y);
  @*/

/*@ lemma mul_add_distr1 : 
  @   (\forall real x y z; x * (y + z) == (x * y) + (x * z));
  @*/

/*@ lemma add_comm : 
  @   (\forall real x y; x + y == y + x);
  @*/

/*@ lemma add_assoc : 
  @   (\forall real x y z; x + (y + z) == (x + y) + z);
  @*/

/* @ lemma PRECISION_property : 
  @   0.01 * (real) DecimalAbstractReal.PRECISION == 1.0;
  @*/

/* @ lemma PRECISION_property : 
  @   0.01 * (real) 100 == 1.0;
  @*/

/*@ lemma PRECISION_property_real : 
  @   0.01 * 100.0 == 1.0;
  @*/

/*@ logic real amount_real_value{L}(DecimalAbstractReal x) =
  @    (real) x.intPart + 0.01 * (real) x.decPart ;
  @*/

  
/*@ logic integer amount_cent_value{L}(DecimalAbstractReal x) =
  @    DecimalAbstractReal.PRECISION * x.intPart + x.decPart ;
  @*/

public class DecimalAbstractReal {
  
    /** minimal fraction of currency = 1/PRECISION */
    public static final short PRECISION = 100;

    short intPart;
    short decPart;
    //@ invariant decimal: 0 <= decPart && decPart < 100;
    // bug: should be PRECISION ;

    /*@ requires a != null;
      @ assigns intPart, decPart;
      @ behavior real_value:
      @   ensures 
      @     amount_real_value(this) == 
      @         \old(amount_real_value(this)) + \old(amount_real_value(a));
      @ behavior cent_value:
      @   ensures 
      @     amount_cent_value(this) ==
      @         \old(amount_cent_value(this)) + \old(amount_cent_value(a));
      @ 
      @*/
    public void add(DecimalAbstractReal a) {
	short d = (short)(decPart + a.decPart);
	short i = (short)(intPart + a.intPart);
	if (d >= PRECISION) {
	    d -= PRECISION;
	    i++;
	}
	intPart = i;
	decPart = d;
    }

    
    /*@ requires a != null && a != this;
      @ assigns intPart, decPart;
      @ behavior real_value:
      @   ensures 
      @     amount_real_value(this) ==
      @         \old(amount_real_value(this)) + amount_real_value(a);
      @ behavior cent_value:
      @   ensures 
      @     amount_cent_value(this) ==
      @         \old(amount_cent_value(this)) + amount_cent_value(a);
      @ 
      @*/

    public void add2(DecimalAbstractReal a) {
	short d = (short)(decPart + a.decPart);
	short i = (short)(intPart + a.intPart);
	if (d >= PRECISION) {
	    d -= PRECISION;
	    i++;
	}
	intPart = i;
	decPart = d;
    }

}
why-2.34/bench/java/good/TestSuperConstructor.java0000644000175000017500000000514012311670312020614 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

class C {

    int i;

    /* @ behavior normal:
      @   assigns i;
      @   ensures i == j;
      @*/
    C (int j) {
	i = j;
    }
}


class TestSuperConstructor extends C {

    /* @ behavior normal:
      @   assigns i;
      @   ensures i == 12;
      @*/
    TestSuperConstructor() {
	super (12);
    }

}
why-2.34/bench/java/good/NonNullByDefault.java0000644000175000017500000000546612311670312017610 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no
//@+ InvariantPolicy = Arguments
//@+ NonNullByDefault = yes

class C { int x; }

class NonNullByDefault {
    
    int[] t;
    C c;
    static C sc;

    int[] m1() {
	return t;
    }
    
    int[] /*@ nullable @*/ m1bis() {
	return null;
    }
    
    C m2() {
	return c;
    }
    
    C /*@ nullable @*/ m2bis() {
	return null;
    }
    
    C m2ter() {
	return new C();
    }

    void m3(int[] pt, C pc) {
	int n = pt.length;
	this.t = pt;
	int m = pc.x;
	this.c = c;
    }
    
    void m4() {
	int n = sc.x;
    }

}
why-2.34/bench/java/good/StaticTyping.java0000644000175000017500000000535312311670312017040 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ NonNullByDefault = alllocal

class C { 
    public int x;
}

class StaticTyping {

    C a;
    int[] t;

    void m1(C c) {
	a = null; // bug jessie : OP non generee
	C b = c; // b pas marque "non null"...
	b.x = 0; // ..du coup : PO inutile
	int[] tmp = t;
    }


    void m2(C c) {
	m1(c);
    }

    byte[] buffer;

    byte[] getBuffer() { return buffer; }

    void m3() {
	byte[] cmd_apdu = getBuffer();
	
	if (cmd_apdu.length >= 3) cmd_apdu[9] = 0;
    }

}
    


    
why-2.34/bench/java/good/Misc.java0000644000175000017500000000506712311670312015313 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class Misc {

    private final static byte TAG_DEBIT_KEY_SET = 8;

    private final static byte TAG_PIN = 11;
 
    private final static short FLAGS_PREDEF_OP_2_0 =
	(1 << TAG_PIN);

    private final static short FLAGS_PREDEF_OP_2_1 = 
	((1 << TAG_PIN)            |
	 (1 << TAG_DEBIT_KEY_SET)  );


}
why-2.34/bench/java/good/NameConflicts.java0000644000175000017500000000513712311670312017143 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class C1 {
    int i;
    
    void setI(int i) {
	this.i = i;
    }

}

class C2 {
    
    /*@ behavior normal:
      @   ensures \result == 0;
      @*/
    int m() {
	int result = 0;
	return 0;
    }
}

class C3 {

    int field;

    int field() { return field; }

}

/*
Local Variables: 
compile-command: "make NameConflicts.io"
End: 
*/
why-2.34/bench/java/good/Purse0.java0000644000175000017500000000753412311670312015577 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class NoCreditException0 extends Exception {

    static final long serialVersionUID = 0;

    NoCreditException0();

}

public class Purse0 {
    
    public int balance;

    //@ invariant balance_non_negative: balance >= 0;

    /*@ behavior created:
      @   ensures balance == 0;
      @*/
    public Purse0() {
	balance = 0;
    }

    /*@ requires s >= 0;
      @ behavior done:
      @   assigns balance;
      @   ensures balance == \old(balance)+s;
      @*/
    public void credit(int s) {
	balance += s;
    }

    /*@ requires s >= 0;
      @ behavior done:
      @   assigns balance;
      @   ensures s <= \old(balance) && balance == \old(balance) - s;
      @ behavior amount_too_large:
      @   assigns \nothing;
      @   signals (NoCreditException0) s > \old(balance) ;
      @*/
    public void withdraw(int s) throws NoCreditException0 {
	if (balance >= s) {
	    balance = balance - s;
	}
	else {
	    throw new NoCreditException0();
	}
    }

    /*@ // requires p1 != null && p2 != null && p1 != p2;
      @ behavior ok:
      @   assigns p1.balance,p2.balance;
      @   ensures \result == 0;
      @*/
    public static int test(Purse0 p1, Purse0 p2) {
	p1.balance = 0;
	p2.credit(100);
	return p1.balance;
    }


    /*@ requires p != null;
      @ behavior ok:
      @   assigns p.balance ;
      @   ensures \result <==> (\old(p.balance) >= 1000);
      @*/
    public static boolean test2(Purse0 p) {
	try {
	    p.withdraw(1000);
	    return true;
	}
	catch (NoCreditException0 e) { 
	    return false; 
	}
    }

    
}


/*
Local Variables: 
compile-command: "make Purse0.io"
End: 
*/
why-2.34/bench/java/good/SCID.java0000755000175000017500000007563112311670312015151 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* $Id: SCID.java,v 1.18 2008-11-05 14:03:13 filliatr Exp $ */

//@+ CheckArithOverflow = no
//@+ InvariantPolicy = Arguments
// @+ AnnotationPolicy = Invariants
// @+ AbstractDomain = Box
// @+ AbstractDomain = Oct
// @+ AbstractDomain = Pol

// Smart Card ID - Example for a Smart Card based Identification and Authentication Application
// File: SCID.java
//
// This applet realizes a identification and authentication application which is typically used
// in online environment. The advantage of this solution is that nearly no adinistrative overhead
// on the smart card side is neccessary because the card is only used for identification of the
// user by PIN verification and authentication of the smart card by a challenge response algorithm.
//
// Smart Card ID is a multi purpose applet. Nearly all applications can be realised with it 
// (e.g. physical access for room, logical access computers or information, ....). 
// The application functionality is in the background system. Offline Terminals can use precomputed 
// triplets for secure authentication of the smart card. For a no security authentication only the 
// smart card ID can be used.
//
// In the administrative phase it is possible to write after a successful verification of the
// administrative PIN all data objects into the memory.
// In the operative phase it is possible to read the unique smart card ID, to authenticate the
// smart card with a callenge response algorithm based on DES and to identifiay the user with 
// his user PIN. A successful PIN verification can be checked in a secured way.
//
// Memory consumption: EEPROM: 1344 byte, RAM 44 byte
// 
// Package AID: 'D2 76 00 00 60 50 05'
// Applet AID:  'D2 76 00 00 60 41 05'
//
// Source code based on java card specification version 2.1.
// Compiled and tested with JDK 1.3.1 Java Card Application Studio (JCAST) V 2.3,
// JLoad 2.0, Java Card Class File Converter 2.1.2, IFDSIM 4.0 and UniverSIM Java Card 64 kB from G&D.
//
//---------------------------------------------------------------------------------------
// Specification of ISO/IEC 7816-4 case 3 command SELECT FILE
//   command APDU               CLA = '00' || INS = 'A4' ||
//                              P1 (= '04' = select by DF Name) || P2 (='00') ||
//                              Lc (= length of DF Name) || DATA (= DF Name)
//   response APDU (all case)   SW1 || SW2
//
// Specification of ISO/IEC 7816-4 case 3 command VERIFY
//   command APDU               CLA = '00' || INS = '20' || P1 (= '00') ||
//                              P2 ('01' = user PIN, '02' = admin PIN)
//                              Lc (= length of PIN) || DATA (= PIN)
//   response APDU (all case)   SW1 || SW2
//
// Specification of ISO/IEC 7816-4 case 3 command PUT DATA
//   command APDU               CLA = '00' || INS = 'DA' ||
//                              P1 (= '00') || P2 (= TAG ['40' ... 'FE']) ||
//                              Lc (= length of DATA) ||
//                              DATA (value field of the DO, with length Lc)
//   response APDU (all case)   SW1 || SW2
//
// Specification of ISO/IEC 7816-4 case 2 command GET DATA
//   command APDU               CLA = '00' || INS = 'CA' ||
//                              P1 (= '00') || P2 (= TAG ['40' ... 'FE'])
//                              Le (= length of expected data)
//   response APDU (good case)  DATA (value field of the DO, with length Le) ||
//                              SW1 || SW2
//   response APDU (bad case)   SW1 || SW2
//
// Specification of the proprietary case 4 command AUTH SC (authenticate smart card)
//   command APDU               CLA = '80' || INS = '08' || P1 (= '00') || P2 (= '00')
//                              Lc (= 8 byte) || C-DATA (with length Lc) || Le (= 21)
//   response APDU (good case)  R-DATA (with length Le) || SW1 || SW2
//   response APDU (bad case)   SW1 || SW2
//
//                C-DATA: RND [8 byte]
//                R-DATA: authentication data || MAC
//                authentication data = RND [8 byte] || smart card ID [4 byte] ||
//                                      authentication counter [2 byte] ||
//                                      admin PIN error counter [1 byte] ||
//                                      user PIN error counter [1 byte] || PIN status [1 byte] || 
//                                      padding (with '00', length must be a multiple of 8)
//                PIN status = Bit 8 (RFU) || ... Bit 3 (RFU) ||
//                             Bit 2 (1 = admin PIN succesful verified) ||
//                             Bit 1 (1 = user PIN succesful verified)
//                MAC = last 4 byte of enc (AuthKey) (authentication data)
//                authentication counter: no of further possible authentications 
//                                        '7FFF' = 32767 max. value, 
//                                        '0000' = no further authentication possible
//                padding according to ISO/IEC 9797 Method 1 (= 00 00 ...)
//
//---------------------------------------------------------------------------------------
// Implementation Notes
//    * no support of different DFs
//    * no secure messaging support (= class is alway '00')
//    * the authentication counter is used to limit the number of possible attacks to 
//      the used cryptoalgorithm, it can be set to any value with the PUT DATA command
//    * instead of the encryption of the whole response data in the AUTH SC command only 
//      a 4 byte MAC is used for authentication, because this gives more transperency about
//      the exchanged data (data protection laws)
//    * the adminstration phase (e.g. the personalisation of the smart card) is done with the
//      PUT DATA command. All external seeable data elements of the smart card can be written
//      with this ISO/IEC 7816-4 compatible command.
//    * The access condition for the administration phase is a VERIFY command with the 
//      administration PIN.
//    * the authentication key could be smart card individual or common for all smart cards
//    * if neccessary it is possible to use smart card individual authentication keys. This 
//      keys should be written into the smart card during the personalisation. As a reference 
//      to smart card individual keys the smart card ID can be used.
//    * abbreviations:  RND   - random number
//                      RFU   - reserved for future use (content of such a data element is not defined!)
//                      admin - administration
//
//---------------------------------------------------------------------------------------
// Use Cases
//   note:   all shown use cases are good cases
//   format: --command to smart card-->
//           <--response from smart card--
//
// -----Administrative Phase
// Personalisation
//   --VERIFY (with default Admin PIN)-->
//   <--ok--
//   --PUT DATA (Smart Card ID, admin PIN, user PIN, authentication key, authentication counter)-->
//   <--ok--
//  the following reset is important because of the reset of the validation status of the admin PIN
//   --Reset-->            
//   <--ATR--
//
// change user PIN (e.g. new user PIN, forgotten user PIN, error counter of the user PIN reached maximum value)
//   the following command is only neccessary if a card individual admin PIN is used
//   --GET DATA (smart card ID)-->
//   <--Smart Card ID--
//   --VERIFY (with admin PIN)-->
//   <--ok--
//   --PUT DATA (new user PIN)-->
//   <--ok--
//  the following reset is important because of the reset of the validation status of the admin PIN
//   --Reset-->            
//   <--ATR--
//
// forgotten admin PIN, error counter of the admin PIN reached maximum value
//   new smart card neccessary
//
// -----Operative Phase
// get smart card ID
//   --GET DATA (smart card ID)-->
//   <--smart card ID--
//
// authenticate smart card without security (advantage: no key is neccessary)
//   --GET DATA (Smart Card ID)-->
//   <--smart card ID--
//
// authenticate smart card with security
//   the following command is only neccessary if a card individual authentication key is used
//   --GET DATA (smart card ID)-->
//   <--smart card ID--
//   --AUTH SC (RND)-->
//   <--auth data || MAC--
//
// check user identity
//   the following command is only neccessary if a card individual authentication key is used
//   --GET DATA (smart card ID)-->
//   <--smart card ID--
//   --VERIFY (with user PIN)-->
//   <--ok--
//   --AUTH SC (RND)-->
//   <--auth data || MAC--
//
//---------------------------------------------------------------------------------------
// Test Strategy
//          good case tests:
//               1.1 test all use cases in good case
//               2.1 write all data objects and verify if they are stored correct
//               3.1 Test all marked "Test!" testpoints
//
//          bad case tests:
//              1.1 test correct and wrong admin PIN incl. error counter behaviour
//              1.2 is PUT DATA only possible after successful admin PIN verification?
//              1.3 does AUTH SC give the correct admin PIN validation state back?
//              1.4 does AUTH SC give the correct admin PIN error counter back?
//              2.1 test case 1.1 with user PIN
//              2.2 test case 1.3 with user PIN
//              2.2 test case 1.4 with user PIN
//              4.1 correct authetication behaviour if error counter = 0?
//
//---------------------------------------------------------------------------------------
// This source code is under GNU general public license (see www.opensource.org for details).
// Please send corrections and ideas for extensions to Wolfgang Rankl (www.wrankl.de)
// Copyright 2004 by Wolfgang Rankl, Munich
//---------------------------------------------------------------------------------------
// 29. April 2004 - V 1: initial runnable version
// 10. May   2004 - V 2: improved documentation, 1st published version
//---------------------------------------------------------------------------------------

import  javacard.framework.*;    // import all neccessary packages for the java card framework
import  javacard.security.*;     // import all neccessary packages for the java card security

// Bug with lemma ? : gwhy blocked ?
// @ lemma a1: \forall integer b; 0 <= b <= 127 ==> (b & 0x00FF) == b;
// @ axiom a1: \forall integer b; 0 <= b <= 127 ==> (b & 0x00FF) == b;

public class SCID extends Applet {
    // definitions for the classes and commands
    final static byte    PROP_CLASS  = (byte) 0x80;     // Class of the proprietary APDU commands
    final static byte    INS_SELECT  = (byte) 0xA4;     // instruction for the ISO/IEC 7816-4 SELECT FILE command
    final static byte    INS_VERIFY  = (byte) 0x20;     // instruction for the ISO/IEC 7816-4 VERIFY command
    final static byte    INS_PUTDATA = (byte) 0xDA;     // instruction for the ISO/IEC 7816-4 PUT DATA command
    final static byte    INS_GETDATA = (byte) 0xCA;     // instruction for the ISO/IEC 7816-4 GET DATA command
    final static byte    INS_AUTHSC  = (byte) 0x08;     // instruction for the proprietary AUTH SC command
    
    // definitions for specific returncodes
    final static short   SW_PIN_FAILED =     (short) 0x63C0;  // returncode for PIN verification failed
    // the last nibble shows the number of remaining tries
    final static short   SW_DATA_NOT_FOUND = (short) 0x6A88;  // referenced data not found
    
    // definitions for the AUTH SC command
    final static byte    LEN_CAPDU_AUTHSC = (byte)   8;   // length of the data in the command APDU of the AUTH SC command
    final static byte    LEN_RAPDU_AUTHSC = (byte)  21;   // length of the data in the response APDU of the AUTH SC command
    final static short   INDEX_RND        = (short)  0;   // start position of the RND in the AUTH SC response
    final static short   INDEX_SCID       = (short)  8;   // start position of the authentication counter in the AUTH SC response
    final static short   INDEX_AuthCntr   = (short) 12;   // start position of the authentication counter in the AUTH SC response
    final static short   INDEX_APINTries  = (short) 14;   // position of the admin PIN remaining tries in the AUTH SC response
    final static short   INDEX_UPINTries  = (short) 15;   // position of the user PIN remaining tries in the AUTH SC response
    final static short   INDEX_APINValid  = (short) 16;   // position of the admin PIN validation status in the AUTH SC response
    final static short   INDEX_UPINValid  = (short) 16;   // position of the user PIN validation status in the AUTH SC response
    final static short   INDEX_MAC        = (short) 17;   // start position of the MAC in the AUTH SC response
    
    // definitions for some data elements
    static short         authcntr;                        // authentication counter, it is a 2 byte signed short value
    final static short   SIZE_AUTHCNTR  = (short)  2;     // size of the authentication counter in byte
    static byte[]        scid;                            // the smart card ID
    final static short   SIZE_SCID      = (short)  4;     // size of the unique smart card identifier in byte
    //@ static invariant scid_inv: scid != null && scid.length == SIZE_SCID;

    static byte[]        workarray;                       // workarray
    final static short   SIZE_WORKARRAY = (short) 30;     // size of the workarray 
    //@ static invariant workarray_inv: workarray != null && workarray.length == SIZE_WORKARRAY;
    
    static DESKey        authkey;                         // authentication key
    //@ static invariant authkey_inv: authkey != null;

    final static short   SIZE_AUTHKEY   = (short)  8;     // authentication key is a 8 byte long DES key
    static Signature     mac;                             // MAC (message authentication code)
    //@ static invariant mac_inv: mac != null;

    // definitions for the storage of the data elements
    final static short TAG_USERPIN  = (short) 0x51;   // tag for the user PIN
    final static short TAG_ADMINPIN = (short) 0x52;   // tag for the administrative PIN
    final static short TAG_AUTHKEY  = (short) 0x53;   // tag for the authentication key
    final static short TAG_AUTHCNTR = (short) 0x54;   // tag for the athentication counter
    final static short TAG_SCID     = (short) 0x55;   // tag for the smart card ID
    
    // constants and variables for the admin PIN management
    final static byte[]  DEFAULT_ADMINPIN                     // default admin PIN value
	= {(byte) 0x22, (byte) 0x22, (byte) 0x22};
    final static byte    ADMINPIN_SIZE          = (byte) 3;   // size of the PIN in byte
    final static byte    DEFAULT_ADMINPIN_MAXEC = (byte) 2;   // default value of the PIN error counter
    final static byte    ADMINPIN_ID            = (byte) 2;   // PIN identifier, PIN 2 = admin PIN
    static OwnerPIN      adminpin;                            // the PIN object
    //@ static invariant adminpin_inv: adminpin != null;
    
    // constants and variables for the user PIN management
    final static byte[]  DEFAULT_USERPIN                      // default user PIN value
	= {(byte) 0x00, (byte) 0x00};
    final static byte    USERPIN_SIZE          = (byte) 2;    // size of the PIN in byte
    final static byte    DEFAULT_USERPIN_MAXEC = (byte) 3;    // default value of the PIN error counter
    final static byte    USERPIN_ID            = (byte) 1;    // PIN identifier, PIN 1 = user PIN
    static OwnerPIN      userpin;                             // the PIN object
    //@ static invariant userpin_inv: userpin != null;

    // constants and variables for the key management
    final static byte[]  DEFAULT_AUTHKEY            // default authentication key
	= {(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
	   (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00};
    

    //---------------------------------------------------------------------------------------
    //----- installation and registration of the applet
    public static void install(byte[] buffer, short offset, byte length) {
	// create the object for the smart card ID
	scid = new byte[SIZE_SCID];
	
	// create a multiple useable object in RAM with an array of bytes
	workarray = JCSystem.makeTransientByteArray(SIZE_WORKARRAY, JCSystem.CLEAR_ON_DESELECT);  // Test!
	
	// create the object for admin PIN and set it to the default value
	adminpin = new OwnerPIN(DEFAULT_ADMINPIN_MAXEC, ADMINPIN_SIZE);
	adminpin.update(DEFAULT_ADMINPIN, (short)(0), ADMINPIN_SIZE);
	
	// create the object for user PIN and set it to the default value
	userpin = new OwnerPIN(DEFAULT_USERPIN_MAXEC, USERPIN_SIZE);
	userpin.update(DEFAULT_USERPIN, (short)(0), USERPIN_SIZE);
	
	// create the key object for authentication and set the key to the default value
	authkey = (DESKey)KeyBuilder.buildKey(KeyBuilder.TYPE_DES, KeyBuilder.LENGTH_DES, false);
	authkey.setKey(DEFAULT_AUTHKEY, (short)0);
	
	// create a signature object for MAC calculating
	// padding in line with ISO/IEC 9797 Method 1 (= 000 ...)
	mac = Signature.getInstance(Signature.ALG_DES_MAC4_ISO9797_M1, false);
	
	// register the application within the JCRE
	new SCID().register();
    }  // install
    
    //---------------------------------------------------------------------------------------
    //----- this is the command dispatcher

    //@ requires apdu != null;
    public void process(APDU apdu) {
      byte[] cmd_apdu = apdu.getBuffer();
      
    // delete global used variables, for better robustness
    Util.arrayFillNonAtomic(workarray, (short) 0, SIZE_WORKARRAY, (byte) 0);

    if (cmd_apdu[ISO7816.OFFSET_CLA] == ISO7816.CLA_ISO7816) {
      //----- it is the ISO/IEC 7816 class
      switch(cmd_apdu[ISO7816.OFFSET_INS]) {
        case INS_SELECT:
          // it is a SELECT FILE instruction
          cmdSELECT(apdu);
          break;
        case INS_VERIFY:
          // it is a VERIFY instruction
          cmdVERIFY(apdu);
          break;
        case INS_PUTDATA:
          // it is a PUT DATA instruction
          cmdPUTDATA(apdu);
          break;
        case INS_GETDATA:
          // it is a GET DATA instruction
          cmdGETDATA(apdu);
          break;
        default :
          // the instruction in the command apdu is not supported
          ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
      }  // switch
    }  // if
    else if (cmd_apdu[ISO7816.OFFSET_CLA] == PROP_CLASS) {
      //----- it is the proprietary class
      switch(cmd_apdu[ISO7816.OFFSET_INS]) {
        case INS_AUTHSC:
          // it is a AUTH SC instruction
          cmdAUTHSC(apdu);
          break;
        default :
          // the instruction in the command apdu is not supported
          ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
      }  // switch
    }  // else if
    else {
      // the class in the command apdu is not supported
      ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
    }  // else
  }  // process

    //---------------------------------------------------------------------------------------
    //----- program code for the APDU command SELECT FILE
    private void cmdSELECT(APDU apdu) {
	byte[] cmd_apdu = apdu.getBuffer();
	
	//----- check preconditions in the APDU header
	// check if P1='04'
	if (cmd_apdu[ISO7816.OFFSET_P1] != 0x04) {
	    ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
	} // if
	// check if P2='00'
	if (cmd_apdu[ISO7816.OFFSET_P2] != 0x00) {
	    ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
	} // if
	short lc = (short)(cmd_apdu[ISO7816.OFFSET_LC] & 0x00FF);  // get Lc (command length)
	receiveAPDUBody(apdu);                                     // get the command body
	
	//----- command functionality
	if (JCSystem.getAID().equals(cmd_apdu, ISO7816.OFFSET_CDATA, (byte) lc) == false) {
	    ISOException.throwIt(ISO7816.SW_APPLET_SELECT_FAILED);
	} // if
	
	//----- prepare response APDU
	ISOException.throwIt(ISO7816.SW_NO_ERROR);   // command proper executed
    }  // cmdSELECT
    
  //---------------------------------------------------------------------------------------
  //----- program code for the APDU command VERIFY
  private void cmdVERIFY(APDU apdu) {
    byte[] cmd_apdu = apdu.getBuffer();

    //----- check preconditions in the APDU header
    // check if P1='00'
    if (cmd_apdu[ISO7816.OFFSET_P1] != 0) {
      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    } // if
    short lc = (short)(cmd_apdu[ISO7816.OFFSET_LC] & 0x00FF);  // get Lc (command length)
    receiveAPDUBody(apdu);                                     // get the command body

    if (cmd_apdu[ISO7816.OFFSET_P2] == USERPIN_ID) {  // it is the user PIN
      if (lc != USERPIN_SIZE) {                       // Lc = length of PIN ?
        ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
      } //if
      if (userpin.check(cmd_apdu, ISO7816.OFFSET_CDATA, USERPIN_SIZE) == false) {
        // PIN verification not successful
        short tries = userpin.getTriesRemaining();
        ISOException.throwIt( (short) (SW_PIN_FAILED + tries));  // send error counter in APDU back
      } // if
    } // if
    else if (cmd_apdu[ISO7816.OFFSET_P2] == ADMINPIN_ID) {    // it is the administrative PIN
      if (lc != ADMINPIN_SIZE) {                              // Lc = length of PIN ?
        ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
      } //if
      if (adminpin.check(cmd_apdu, ISO7816.OFFSET_CDATA, ADMINPIN_SIZE) == false) {
        // PIN verification not successful
        short tries = adminpin.getTriesRemaining();
        ISOException.throwIt( (short) (SW_PIN_FAILED + tries));  // send error counter in APDU back
      } // if
    } // if
    else {          // it is not a valid PIN identifier
      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    } // else
    // PIN verification successful
    ISOException.throwIt(ISO7816.SW_NO_ERROR);               // command proper executed
  }  // cmdVERIFY

  //---------------------------------------------------------------------------------------
  //----- program code for the APDU command PUT DATA
  private void cmdPUTDATA(APDU apdu) {
    byte[] cmd_apdu = apdu.getBuffer();

    //----- check preconditions in the APDU header
    // check if P1=0
    if (cmd_apdu[ISO7816.OFFSET_P1] != 0) {
      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    } // if
    // check if P2 contents an allowed tag value
    short tag = (short) (cmd_apdu[ISO7816.OFFSET_P2] & (short) 0x00FF);
    if ((tag < (short) 0x0040) || (tag > (short) 0x00FE)) {
      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    } // if
    short lc = (short)(cmd_apdu[ISO7816.OFFSET_LC] & (short) 0x00FF);  // calculate Lc (command length)
    receiveAPDUBody(apdu);     // get the command body

    //----- check precoditions of security status
    if (adminpin.isValidated() == false) {
      ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
    } // if

    //----- command functionality
    switch(tag) {
      case TAG_USERPIN:
        // the user PIN must be changed
        if (lc != USERPIN_SIZE) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(cmd_apdu, (short)((ISO7816.OFFSET_CDATA) & 0x00FF), workarray, (short) 0, lc);
        userpin.update(workarray, (short) 0, USERPIN_SIZE);
        break;
      case TAG_ADMINPIN:
        // the admin PIN must be changed
        if (lc != ADMINPIN_SIZE) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(cmd_apdu, (short)((ISO7816.OFFSET_CDATA) & 0x00FF), workarray, (short) 0, lc);
        adminpin.update(workarray, (short) 0, ADMINPIN_SIZE);
        break;
      case TAG_AUTHKEY:
        // the authentication key must be changed
        if (lc != SIZE_AUTHKEY) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(cmd_apdu, (short)((ISO7816.OFFSET_CDATA) & 0x00FF), workarray, (short) 0, lc);
        authkey.setKey(workarray, (short)0);
        break;
      case TAG_AUTHCNTR:
        // the authentication counter must be changed
        if (lc != SIZE_AUTHCNTR) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(cmd_apdu, (short)((ISO7816.OFFSET_CDATA) & 0x00FF), workarray, (short) 0, lc);
        if (Util.getShort(workarray, (short)0) > 0x7FFF) ISOException.throwIt(ISO7816.SW_WRONG_DATA);
        authcntr = Util.getShort(workarray, (short)0);
        break;
      case TAG_SCID:
        // the smart card ID must be changed
        if (lc != SIZE_SCID) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(cmd_apdu, (short)((ISO7816.OFFSET_CDATA) & 0x00FF), scid, (short) 0, lc);
        break;
    default :
      // the tag in the command apdu is not supported
      ISOException.throwIt(SW_DATA_NOT_FOUND);
    }  // switch

    //----- prepare response APDU
    ISOException.throwIt(ISO7816.SW_NO_ERROR);   // command proper executed
  }  // cmdPUTDATA

  //---------------------------------------------------------------------------------------
  //----- program code for the APDU command GET DATA
  private void cmdGETDATA(APDU apdu) {
    byte[] cmd_apdu = apdu.getBuffer();

    //----- check preconditions in the APDU header
    // check if P1=0
    if (cmd_apdu[ISO7816.OFFSET_P1] != 0) {
      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    } // if
    // check if P2 contents an allowed tag value
    short tag = (short) (cmd_apdu[ISO7816.OFFSET_P2] & (short) 0x00FF);
    if ((tag < 0x40) || (tag > 0xFE)) {
      ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    } // if
    short le = (short)(cmd_apdu[ISO7816.OFFSET_LC] & 0x00FF);  // calculate Le (expected length)

    //----- command functionality
    switch(tag) {       // a switch construct is used because of the easy extensibility for additional tags
      case TAG_SCID:
        // get the smart card ID
        if (le != SIZE_SCID) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        Util.arrayCopy(scid, (short) (0), workarray, (short) 0, le);
        break;
    default :
      // the tag in the command apdu could not found
      ISOException.throwIt(SW_DATA_NOT_FOUND);
    }  // switch

    //----- now all preparations are done, the data object can be send to the IFD -----
    apdu.setOutgoing();                           // set transmission to outgoing data
    apdu.setOutgoingLength((short)le);            // set the number of bytes to send to the IFD
    apdu.sendBytesLong(workarray, (short) 0, (short)le); // send the requested the number of bytes to the IFD, data field of the DO
  }  // cmdGETDATA

  //---------------------------------------------------------------------------------------
  //----- program code for the APDU command AUTH SC
  private void cmdAUTHSC(APDU apdu) {
    byte[] cmd_apdu = apdu.getBuffer();
    //----- check preconditions in the APDU header
    // check if P1=0
    if (cmd_apdu[ISO7816.OFFSET_P1] != 0) 
	ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    // check if P2=0
    if (cmd_apdu[ISO7816.OFFSET_P2] != 0) 
	ISOException.throwIt(ISO7816.SW_WRONG_P1P2);
    short lc = (short)(cmd_apdu[ISO7816.OFFSET_LC] & 0x00FF); // get Lc (command length)
    if (lc != LEN_CAPDU_AUTHSC) 
	ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
    receiveAPDUBody(apdu); // get the command body
    //----- check security preconditions
    if (authcntr < 0) 
	ISOException.throwIt(SW_PIN_FAILED);  // Test!
    //----- collect all data for the signature
    Util.arrayCopy(cmd_apdu, (short) ISO7816.OFFSET_CDATA, workarray, INDEX_RND, lc); // RND from IFD
    Util.arrayCopy(scid, (short) (0), workarray, INDEX_SCID, SIZE_SCID);     // smart card ID
    Util.setShort(workarray, INDEX_AuthCntr, authcntr);                      // authentication counter
    workarray[INDEX_APINTries] = adminpin.getTriesRemaining();
    workarray[INDEX_UPINTries] = userpin.getTriesRemaining();
    if (adminpin.isValidated() == true) {
      workarray[INDEX_APINValid] = (byte) (workarray[INDEX_APINValid] | (byte) 0x01);  // Test!
    } // if
    if (userpin.isValidated() == true) {
      workarray[INDEX_UPINValid] = (byte) (workarray[INDEX_UPINValid] | (byte) 0x02);  // Test!
    } // if
    mac.init(authkey, Signature.MODE_SIGN);
    short len = mac.sign(workarray, (short) 0, LEN_RAPDU_AUTHSC, workarray, INDEX_MAC);  // calculate the MAC
    authcntr = (short) (authcntr - (short) 1);                    // update number of allowed authentication

    //----- now all calculations are done, the data can be send to the IFD
    apdu.setOutgoing();                           // set transmission to outgoing data
    apdu.setOutgoingLength(LEN_RAPDU_AUTHSC);            // set the number of bytes to send to the IFD
    apdu.sendBytesLong(workarray, (short) 0, LEN_RAPDU_AUTHSC);  // send the requested the number of bytes to the IFD, data field of the DO
  }  // cmdAUTHSC

    //---------------------------------------------------------------------------------------
    //----- receive the body of the command APDU
    public void receiveAPDUBody(APDU apdu) {
	byte[] buffer = apdu.getBuffer();
	short lc = (short)(buffer[ISO7816.OFFSET_LC] & 0x00FF);  // calculate Lc (command length)
	// check if Lc != number of received bytes of the command APDU body
	if (lc != apdu.setIncomingAndReceive()) {
	    ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
	} // if
    }  // receiveAPDUBody
    
}  // class
why-2.34/bench/java/good/MacCarthy.java0000644000175000017500000000524112311670312016265 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* McCarthy's ``91'' function. */


public class MacCarthy {

    /*@ decreases 101-n ;
      @ behavior less_than_101:
      @   assumes n <= 100;
      @   ensures \result == 91;
      @ behavior greater_than_100:
      @   assumes n >= 101;
      @   ensures \result == n - 10;
      @*/
    public static int f91(int n) {
	if (n <= 100) {
	    return f91(f91(n + 11));
	}
	else
	    return n - 10;
    }

}why-2.34/bench/java/good/HashMapTest.java0000644000175000017500000000726212311670312016600 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

import java.util.HashMap;

/*

- ajout du source dans le repertoire de l'API Java de krakatoa

  cd .../lib/java_api
  unzip src.zip java/util/HashMap.java

- resol pb syntaxe dans HashMap.java

  commenté (avec //KML) 4 occurrences de
 
    HashMap.this.expr ...

  dans le code (pb support inner classes par Krakatoa)

  de toute facon: le code des methodes de l'API n'est pas utilise par Krakatoa, seulement les spec

- HashMap etend AbstractMap: besoin de

  unzip src.zip java/util/AbstractMap.java

- de nouveau 4 occurrences de 

    AbstractMap.this.... 

  commentees avec //KML

- import explicite de java.util.Map.Entry dans AbstractMap: commenté

- AbstractMap implemente Map -> ajouter Map

  unzip src.zip java/util/Map.java

- Map utilise Set et Collection ->

  unzip src.zip java/util/Set.java
  unzip src.zip java/util/Collection.java

- HashMap: champ transient Entry[] table; commente

- HashMap: methode getEntry commentee

- HashMap: methode removeEntryForKey commentee

- HashMap: methode removeMapping commentee

- ajout de Iterator

  unzip src.zip java/util/Iterator.java

- methodes de serialization commentees

*/

class HashMapTest {

    public static void main(String argv[]) {

	HashMap m = new HashMap();

	Integer zero = new Integer(0);

	Integer one = new Integer(1);

	m.put(zero,one);

	Object o = m.get(zero);

	//@ assert o instanceof Integer ; 
	// && o == 1;
	
	// System.out.println("o = " + o);

    }

}
	why-2.34/bench/java/good/Subclass.java0000644000175000017500000000464212311670312016175 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


class A {
    
    int x;

}


class B extends A {

    int m() {
	return x;
    }

}


/*
Local Variables: 
compile-command: "make Subclass.io"
End: 
*/
why-2.34/bench/java/good/FlagStatic.java0000644000175000017500000001047212311670312016435 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Dijkstra's dutch flag */

//@+ CheckArithOverflow = no

/*@ predicate is_color(integer c) =
  @   c == FlagStatic.BLUE || c == FlagStatic.WHITE || c == FlagStatic.RED ;
  @*/

/*@ predicate is_color_array{L}(int t[]) =
  @   t != null && 
  @   \forall integer i; 0 <= i < t.length ==> is_color(t[i]) ;
  @*/

/*@ predicate is_monochrome{L}(int t[],integer i, integer j, int c) =
  @   \forall integer k; i <= k < j ==> t[k] == c ;
  @*/


class FlagStatic {
    
    public static final int BLUE = 1, WHITE = 2, RED = 3;
    
    /*@ requires t != null && 0 <= i <= j <= t.length ;
      @ behavior decides_monochromatic:
      @   ensures \result <==> is_monochrome(t,i,j,c);
      @*/
    public static boolean isMonochrome(int t[], int i, int j, int c) {
    	/*@ loop_invariant i <= k && 
	  @   (\forall integer l; i <= l < k ==> t[l]==c);
    	  @ loop_variant j - k;
	  @*/
	for (int k = i; k < j; k++) if (t[k] != c) return false;
	return true;
    }

    /*@ requires 0 <= i < t.length && 0 <= j < t.length;
      @ behavior i_j_swapped:
      @   assigns t[i],t[j];
      @   ensures t[i] == \old(t[j]) && t[j] == \old(t[i]);
      @*/
    private static void swap(int t[], int i, int j) {
	int z = t[i];
	t[i] = t[j];
	t[j] = z;
    }

    /*@ requires
      @   is_color_array(t); 
      @ behavior sorts:
      @   ensures 
      @     (\exists integer b r;
      @        is_monochrome(t,0,b,BLUE) &&
      @        is_monochrome(t,b,r,WHITE) &&
      @        is_monochrome(t,r,t.length,RED));
      @*/
    public static void flag(int t[]) {
	int b = 0;
	int i = 0;
	int r = t.length;
	/*@ loop_invariant
	  @   is_color_array(t) &&
	  @   0 <= b <= i <= r <= t.length &&
	  @   is_monochrome(t,0,b,BLUE) &&
	  @   is_monochrome(t,b,i,WHITE) &&
          @   is_monochrome(t,r,t.length,RED);
	  @ loop_variant r - i; 
	  @*/
	while (i < r) {
	    switch (t[i]) {
	    case BLUE:  
		swap(t,b++, i++);
		break;	    
	    case WHITE: 
		i++; 
		break;
	    case RED: 
		swap(t,--r, i);
		break;
	    }
	}
    }
}



/*
Local Variables: 
compile-command: "make FlagStatic"
End: 
*/
why-2.34/bench/java/good/ArrayLength.java0000644000175000017500000000512012311670312016626 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


class ArrayLength {

    //@ requires t != null;
    int getLength(int[] t) {
	int[] p = new int[0];
	return t.length;
    }
    
    public static void main(String[] args) {
	ArrayLength al = new ArrayLength();
	al.getLength(new int[12]);
    }
    
}


/*
  Local Variables: 
  compile-command: "make ArrayLength"
  End: 
*/

why-2.34/bench/java/good/SimpleNew.java0000644000175000017500000000653012311670312016317 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

public class SimpleNew {

    int simple_val;

    /*@ behavior normal:
      @   assigns \nothing; // not `this.simple_val'; 
      @   ensures this.simple_val == 0;
      @*/
    SimpleNew() {
	this(0);
    }

    /*@ behavior normal:
      @   assigns \nothing; 
      @   ensures this.simple_val == n;
      @*/
    SimpleNew(int n) {
	simple_val = n;
    }

    /*@ behavior normal:
      @   assigns \nothing;
      @   ensures this.simple_val == n + m;
      @*/
    SimpleNew(int n,int m) {
	this(n+m); 
    }

    /*@ behavior normal:
      @   ensures \result == 17;
      @*/
    public static int test1() {
	SimpleNew t = new SimpleNew(17);
	return t.simple_val;
    }

    /*@ behavior normal:
      @   ensures \result == 0;
      @*/
    public static int test2() {
	SimpleNew t = new SimpleNew();
	return t.simple_val;
    }

    /*@ behavior normal:
      @   assigns \nothing;
      @   ensures \result == 17;
      @*/
    public static int test3() {
	SimpleNew t = new SimpleNew(10,7);
	return t.simple_val;
    }
}


/*
Local Variables: 
compile-command: "make SimpleNew.io"
End: 
*/
why-2.34/bench/java/bench0000644000175000017500000000712612311670312013625 0ustar  rtusers#!/bin/sh

# benchmark for krakatoa
export KRAKATOALIB=`pwd`/../../lib
export JESSIELIB=`pwd`/../../lib
export WHYCOQ=`pwd`/../../lib/coq
make="make WHYCOQ=$WHYCOQ"

# Java files to parse with success
echo "Java parsing (good)"
# cd good/syntax
parsing="../../../../bin/krakatoa.opt -parse-only"
for f in *.java; do
    echo -n "  "$f"... "
    if ! $parsing  $f > /dev/null 2>&1; then
	echo "krakatoa FAILED"
	$parsing $f
	# exit 1
    else
	echo "krakatoa ok... "
    fi
done

echo "Java parsing (bad)"
# cd ../../bad-syn
parsing="../../../bin/krakatoa.opt -parse-only"
for f in *.java; do
    echo -n "  "$f"... "
    if $parsing  $f > /dev/null 2>&1; then
	echo "krakatoa FAILED (accepted a bad file)"
	$parsing $f
	exit 1
    else
	echo "krakatoa ok... "
    fi
done

echo "Java parsing/typing (bad)"
# cd ../bad-sem
parsing="../../../bin/krakatoa.opt -type-only"
for f in *.java; do
    echo -n "  "$f"... "
    if $parsing  $f > /dev/null 2>&1; then
	echo "krakatoa FAILED (accepted a bad file)"
	$parsing $f
	exit 1
    else
	echo "krakatoa ok... "
    fi
done

echo "Java parsing/typing (good)"
# cd ../good
parsing="../../../bin/krakatoa.opt -type-only"
for f in *.java; do
    echo -n "  "$f"... "
    if ! $parsing  $f > /dev/null 2>&1; then
	echo "krakatoa FAILED"
	$parsing $f
	# exit 1
    else
	echo "krakatoa ok... "
    fi
done

echo "Java interp (bad)"
# cd ../bad-interp
parsing="../../../bin/krakatoa.opt"
for f in *.java; do
    echo -n "  "$f"... "
    if $parsing  $f > /dev/null 2>&1; then
	echo "krakatoa FAILED (accepted a bad file)"
	$parsing $f
	exit 1
    else
	echo "krakatoa ok... "
    fi
done

echo "Java interp (good)"
cd good

bench_java_good () {
    options="$* -why-opt -show-time"
    echo "-------------------------------------------------------------------"
    echo "Bench Krakatoa+Simplify/Yices/Ergo with options: $options"
    parsing="../../../bin/krakatoa.opt"
    jessie="../../../bin/jessie.opt $options"

    rm -f why/*.why
    rm -f simplify/*_why.sx
    rm -f smtlib/*_why.smt
    VCS=""
    for file in *.java; do
	echo -n "  Generating VCs for $file... "
	f=`basename $file .java`
	options=""
	if [ $f = "SCID" ]; then 
	    options="-javacard" 
	fi
	if $parsing $options $f.java > /tmp/krakatoa.tmp 2>&1; then
	    if $jessie  $f.jc > /tmp/krakatoa.tmp 2>&1; then
		if $make -f $f.makefile simplify/${f}_why.sx > /tmp/krakatoa.tmp 2>&1 ; then
		    if $make -f $f.makefile why/${f}_why.why > /tmp/krakatoa.tmp 2>&1 ; then
			VCS="$VCS simplify/${f}_why.sx why/${f}_why.why"    
			echo "ok"
		    else
			echo "why FAILED :"
			cat /tmp/krakatoa.tmp
			exit 1
		    fi
		else
		    echo "why FAILED :"
		    # cat /tmp/krakatoa.tmp
		    # exit 1
		fi
	    else
		echo "jessie FAILED (rejected a good file) :"
		# cat /tmp/krakatoa.tmp
		# exit 1
	    fi
	else
	    echo "krakatoa FAILED (rejected a good file) :"
	    # cat /tmp/krakatoa.tmp
	    # exit 1
	fi
    done
    ../../../bin/dp.opt -timeout 10 $VCS 2>/dev/null || true
}

bench_java_good
# bench_jc_good -separation -no-zone-type

# Coq proofs
# for f in $FILES; do
#     echo -n "  $f.c... "
#     rm -f coq/krakatoa_spec_why.v
#     if $parsing  $f.c > /tmp/krakatoa.tmp 2>&1; then
# 	echo -n "krakatoa ok... "
# 	if $make -f $f.makefile coq > /tmp/krakatoa.tmp 2>&1; then
# 	    n=`grep -c Admitted coq/${f}_why.v`
# 	    if test $n -ne 0 ; then
# 		echo "Coq proof ok (with $n Admitted)... "
# 	    else
# 		echo "Coq proof ok... "
# 	    fi
# 	else
# 	    echo "Coq proof FAILED !"
# 	    cat /tmp/krakatoa.tmp
# 	    exit 1
# 	fi
#     else
# 	echo "krakatoa FAILED (rejected a good file) :"
# 	cat /tmp/krakatoa.tmp
# 	exit 1
#     fi
# done


why-2.34/bench/provers/0000755000175000017500000000000012311670312013374 5ustar  rtuserswhy-2.34/bench/provers/loop_monomorph.mlw0000644000175000017500000000035412311670312017166 0ustar  rtusers
(* fichier qui fait boucler la méthode actuelle de monomorphisation *)

type 'a list

logic one : 'a -> 'a list

logic hd : 'a list -> 'a

axiom hd_one : forall x:'a. hd(hd(one(one(x)))) = x

goal test : forall l:int list. hd(l) = 0


why-2.34/bench/provers/jmeq.mlw0000644000175000017500000000110412311670312015045 0ustar  rtusers
(* John Major's equality *)

type mem
type 'a index

logic get : mem, 'a index -> 'a
logic set : mem, 'a index, 'a -> mem

logic jmeq : 'a, 'b -> prop
axiom jmeq : forall x,y:'a. jmeq(x,y) <-> x=y

axiom get_set_eq : 
  forall m:mem. forall x:'a index. forall v:'a.
  get(set(m, x, v), x) = v

axiom get_seq_neq :
  forall m:mem. forall x:'a index. forall v:'a. forall y:'b index.
  not jmeq(x,y) -> get(set(m, x, v), y) = get(m, y)

goal test : 
  forall m:mem.
  forall xi: int index. forall xb: bool index. 
  not jmeq(xi,xb) ->
  get(set(set(m, xb, true), xi, 1), xb) = true
why-2.34/bench/provers/everything.mlw0000644000175000017500000000251612311670312016305 0ustar  rtusers
(* Fichier regroupant tous les aspects du langage logique de Why,
   pour tester les sorties vers les différents proveurs *)


(* propositional logic *)

logic A,B,C : prop

goal prop_1 : A -> A

goal prop_2 : (A or B) -> (B or A)


(* first-order logic *)

type t

logic c : t
logic f : t -> t
logic p,q : t -> prop

goal fol_1 : (forall x:t. p(x)) -> p(c)

goal fol_2 : (forall x:t. p(x) <-> q(x)) -> p(c) -> q(c)


(* equality *)

goal eq_1 : p(c) -> forall x:t. x=c -> p(x)


(* arithmetic *)

goal arith_1 : forall x:int. x=0 -> x+1=1

goal arith_2 : forall x:int. 0 <= x <= 1 -> (x = 0 or x = 1)

goal arith_3 : forall x:int. x < 3 -> x <= 2


(* list (of elements of type t; see list.mlw for polymorphic lists) *)

type list

logic nil : list
logic cons : t, list -> list

logic hd : list -> t
logic tl : list -> list

axiom hd_cons : forall x:t. forall l:list. hd (cons(x,l)) = x
axiom tl_cons : forall x:t. forall l:list. tl (cons(x,l)) = l

goal hdtlconscons :
    forall x,y:t. hd(tl(cons(x, cons(y, nil)))) = y


(* first-order *)

logic nbocc : t, list -> int

predicate equiv(l1:list, l2:list) = forall x:t. nbocc(x,l1) = nbocc(x,l2)

goal equiv_trans :
  forall l1,l2,l3:list. equiv(l1,l2) -> equiv(l2,l3) -> equiv(l1,l3)


(* if-then-else *)

include "bool.why"

goal ite1 : 1 = if true then 1 else 2

goal ite2 : 2 = if false then 1 else 2
why-2.34/bench/provers/gene.mlw0000644000175000017500000000320512311670312015033 0ustar  rtusers
type personne

logic homme,femme : personne -> prop
axiom homme_ou_femme : forall p:personne. homme(p) or femme(p)
axiom homme_non_femme : forall p:personne. not (homme(p) and femme(p))

logic pere,mere : personne -> personne

axiom pere_homme : forall p:personne. homme(pere(p))
axiom mere_femme : forall p:personne. femme(mere(p))

predicate enfant(e:personne, p:personne) = p=pere(e) or p=mere(e)

predicate fils(f:personne, p:personne) = homme(f) and enfant(f,p)
predicate fille(f:personne, p:personne) = femme(f) and enfant(f,p)

predicate frere_ou_soeur(f1:personne, f2:personne) =
  pere(f1)=pere(f2) and mere(f1)=mere(f2)

goal frere_ou_soeur_bis : forall f1,f2:personne.
  frere_ou_soeur(f1,f2) <-> 
  (exists p:personne. exists m:personne. 
     homme(p) and femme(m) and
     enfant(f1,p) and enfant(f2,p) and enfant(f1,m) and enfant(f2,m))

predicate demi_frere_ou_soeur(f1:personne, f2:personne) =
  pere(f1)=pere(f2) or mere(f1)=mere(f2)

goal demi_frere_ou_soeur_bis : forall f1,f2:personne.
  demi_frere_ou_soeur(f1,f2) <-> 
  (exists p:personne. enfant(f1,p) and enfant(f2,p))

predicate grandpere(g:personne, p:personne) = 
  g=pere(pere(p)) or g=pere(mere(p))
predicate grandmere(g:personne, p:personne) = 
  g=mere(pere(p)) or g=mere(mere(p))

goal grandpere_homme : forall g,p:personne. grandpere(g,p) -> homme(g)
goal grandmere_femme : forall g,p:personne. grandmere(g,p) -> femme(g)

goal grandpere_bis : forall g,p:personne.
  grandpere(g,p) <-> exists pp:personne. g=pere(pp) and enfant(p,pp)

goal deux_grandperes : forall g1,g2,g3,p:personne.
  grandpere(g1,p) -> 
  grandpere(g2,p) ->
  grandpere(g3,p) ->
  (g1 = g2 or g2 = g3 or g1 = g3)
why-2.34/bench/provers/exchange.mlw0000644000175000017500000000241112311670312015675 0ustar  rtusers
type int_array

logic length : int_array -> int

logic acc : int_array, int -> int

logic upd : int_array, int, int -> int_array

axiom access_update : 
  forall t : int_array. forall i : int. forall v : int.
  acc(upd(t,i,v), i) = v

axiom access_update_neq : 
  forall t : int_array. forall i : int. forall j : int. forall v : int.
  i <> j -> acc(upd(t,i,v), j) = acc(t,j)

axiom length_update :
  forall t:int_array. forall i:int. forall v:int.
    length(upd(t,i,v)) = length(t)

logic exch : int_array, int_array, int, int -> prop

axiom exch_def :
  forall t1:int_array. forall t2:int_array. forall i:int. forall j:int.
    exch(t1,t2,i,j) <-> 
    (length(t1) = length(t2) and
    acc(t1,i) = acc(t2,j) and acc(t2,i) = acc(t1,j) and
    forall k:int. (k <> i and k <> j) -> acc(t1,k) = acc(t2,k))

goal test : 
  forall i: int.
  forall j: int.
  forall t: int_array.
  ((0 <= i and i < length(t)) and 0 <= j and j < length(t)) ->
  (0 <= i and i < length(t)) ->
  forall result: int.
  result = acc(t, i) ->
  (0 <= j and j < length(t)) ->
  forall result0: int.
  result0 = acc(t, j) ->
  (0 <= i and i < length(t)) ->
  forall t0: int_array.
  t0 = upd(t, i, result0) ->
  (0 <= j and j < length(t0)) ->
  forall t1: int_array.
  t1 = upd(t0, j, result) ->
  exch(t1, t, i, j)
why-2.34/bench/provers/tree.mlw0000644000175000017500000000174712311670312015065 0ustar  rtusers
type 'a tree

logic leaf : 'a tree
logic node : 'a tree, 'a, 'a tree -> 'a tree

axiom leaf_not_node :
  forall l,r : 'a tree. forall v:'a. leaf <> node(l,v,r)

logic left, right : 'a tree -> 'a tree
logic value : 'a tree -> 'a

axiom leaf_or_node : 
  forall t: 'a tree. t = leaf or t = node(left(t), value(t), right(t))

axiom left_node :
  forall l,r: 'a tree. forall v: 'a. left(node(l,v,r)) = l

axiom right_node :
  forall l,r: 'a tree. forall v: 'a. right(node(l,v,r)) = r

axiom value_node :
  forall l,r: 'a tree. forall v: 'a. value(node(l,v,r)) = v

(* peut se déduire de ce qui précède *)
goal node_injective :
  forall l1,l2,r1,r2: 'a tree. forall v1,v2: 'a. 
  node(l1,v1,r1) = node(l2,v2,r2) -> l1 = l2 and v1 = v2 and r1 = r2

parameter is_leaf :
  t: 'a tree -> 
  {} bool {if result then t = leaf else t = node(left(t), value(t), right(t))}

let rec nb_nodes (t : 'a tree) : int = 
  if is_leaf t then
    0
  else
    1 + nb_nodes (left t) + nb_nodes (right t)
  { result >= 0 }
why-2.34/bench/provers/arith.mlw0000644000175000017500000000156612311670312015234 0ustar  rtusers
goal arith1 : forall x:int. 0 <= x <= 1 -> x=0 or x=1

logic p,q : int -> prop

goal arith2 : forall x:int. 0 <= x <= 1 -> p(0) -> p(1) -> p(x)

goal arith3a : 
  (forall k:int. 0 <= k <= 10 -> p(k)) ->
  p(11) -> 
  forall k:int. 0 <= k <= 11 -> p(k)

goal arith3b : 
  (forall k:int. 0 <= k <= 10 -> (p(k) and q(k))) ->
  p(11) -> q(11) ->
  forall k:int. 0 <= k <= 11 -> (p(k) and q(k))

goal arith3c : 
  (forall k:int. 0 <= k <= 10 -> p(k) -> q(k)) ->
  (p(11) -> q(11)) ->
  forall k:int. 0 <= k <= 11 -> p(k) -> q(k)

logic a,b : int

goal arith4a : 
  (forall k:int. a <= k <= b -> p(k)) ->
  p(b+1) -> 
  forall k:int. a <= k <= b+1 -> p(k)

goal arith4b : 
  (forall k:int. a <= k <= b -> (p(k) and q(k))) ->
  p(b+1) -> q(b+1) ->
  forall k:int. a <= k <= b+1 -> (p(k) and q(k))

logic f : int -> int

goal arith5 : forall x:int. 2 <= x -> f(x)<>f(2) -> f(x)<>f(3) -> 4<=x

why-2.34/bench/provers/list.mlw0000644000175000017500000000454612311670312015101 0ustar  rtusers
(* polymorphic lists *)

type 'a list

logic nil : 'a list
logic cons : 'a, 'a list -> 'a list

(* hd and tl *)

logic hd : 'a list -> 'a
logic tl : 'a list -> 'a list

axiom hd_cons : forall x:'a. forall l:'a list. hd (cons(x,l)) = x
axiom tl_cons : forall x:'a. forall l:'a list. tl (cons(x,l)) = l
axiom hd_tl : forall l:'a list. l = cons(hd(l), tl(l))

goal hd_tl_1 :
  forall x,y:int. hd(tl(cons(x, cons(y, nil)))) = y
  (* forall x,y:'a. hd(tl(cons(x, cons(y, nil)))) = y *)

(* length *)

logic length : 'a list -> int

axiom length_def_1 : length(nil) = 0

axiom length_def_2 : 
  forall x:'a. forall l:'a list. 
  length(cons(x,l)) = 1 + length(l)

goal length_1 : length(cons(1,cons(2,cons(3,nil)))) = 3

(* nth *)

logic nth : 'a list, int -> 'a

axiom nth_def_1 : 
  forall x:'a. forall l:'a list. nth(cons(x,l),0) = x

axiom nth_def_2 : 
  forall x:'a. forall l:'a list. forall n:int.
  n > 0 -> nth(cons(x,l),n) = nth(l,n-1)

goal nth_1 : nth(cons(1,cons(2,cons(3,nil))), 1) = 2

(* mem *)

logic mem : 'a, 'a list -> prop

axiom mem_def_1 : 
  forall x:'a. not mem(x,nil)

axiom mem_def_2 : 
  forall x:'a. forall y:'a. forall l:'a list.
  mem(x, cons(y,l)) <-> (x = y or mem(x,l))

goal mem_1 : mem(2, cons(1,cons(2,cons(3,nil))))

(* append *)

logic append : 'a list, 'a list -> 'a list

axiom append_def_1 : 
  forall l:'a list. append(nil,l) = l

axiom append_def_2 : 
  forall x:'a. forall l1,l2:'a list.
  append(cons(x,l1),l2) = cons(x,append(l1,l2))

goal append_1 : 
  append(cons(1,cons(2,nil)), cons(3,cons(4,nil))) = 
  cons(1, cons(2, cons(3, cons(4, nil))))

(* rev *)

logic rev : 'a list -> 'a list

axiom rev_def_1 : rev(nil) = nil

axiom rev_def_2 : 
  forall x:'a. forall l:'a list.
  rev(cons(x,l)) = append(rev(l), cons(x,nil))

goal rev_1 : rev(cons(1,cons(2,nil))) = cons(2,cons(1,nil))

(* flatten *)

logic flatten : 'a list list -> 'a list

axiom flatten_def_1 : 
  flatten(nil) = nil

axiom flatten_def_2 : 
  forall x:'a list. forall l:'a list list. 
  flatten(cons(x,l)) = append(x,flatten(l))

(* note : monomorph loops on this example *)

goal flatten_1 : flatten(cons(cons(1,nil), 
                              cons(cons(2,cons(3,nil)), 
	                           nil))) = cons(1,cons(2,cons(3,nil)))

(* poly goals *)

goal poly_2 : 
  forall l1:'a list. length(cons(hd(l1),tl(l1))) = length(l1)

goal poly_1 : forall l:'a list. l=nil -> length(l) = 0

why-2.34/bench/c/0000755000175000017500000000000012311670312012116 5ustar  rtuserswhy-2.34/bench/c/good/0000755000175000017500000000000012311670312013046 5ustar  rtuserswhy-2.34/bench/c/good/selection_safety.c0000644000175000017500000000621712311670312016560 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Insertion sort (safety only; for correctness proof, see selection.c) */

/*@ requires \valid(a+i) && \valid(a+j)
  @*/
void swap(int* a, unsigned int i, unsigned int j) {
  int tmp = a[i];
  a[i] = a[j];
  a[j] = tmp;
}

/*@ requires n >= 0 && \valid_range(a, 0, n-1) 
  @*/
void selection(int a[], unsigned int n) {
  unsigned int i, j, min;
  if (n <= 1) return;
  /*@ // a[0..i-1] is already sorted 
    @ invariant 
    @   0 <= i <= n-1
    @ variant 
    @   n - i 
    @*/
  for (i = 0; i < n-1; i++) {
    /* we look for the minimum of a[i..n-1] */
    min = i; 
    /*@ invariant 
      @   i+1 <= j <= n &&
      @   i <= min < n 
      @ variant 
      @   n - j 
      @*/
    for (j = i + 1; j < n; j++) {
      if (a[j] < a[min]) min = j;
    }
    /* we swap a[i] and a[min] */
    swap(a,min,i);
  }
}


/*
Local Variables: 
compile-command: "make selection_safety.overflows"
End: 
*/
why-2.34/bench/c/good/overflows.c0000644000175000017500000000731112311670312015242 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* integer arithmetic overflows (requires --int-overflow) */

/* operations */

/*@ ensures \result == 2 */
int add1() {
  unsigned char uc = 1;
  signed short s = 1;
  return uc + s;
}

/*@ requires x <= 1000
    ensures \result == x+1 */
int add2(int x) {
  return x+1;
}

int lsl() { return 1<<2; }

/* comparisons */

int cmp1() { return 1<2; }

/*@ ensures \result == 0 */
int not1() { signed char c = 1; return !c; }

/* constants */
void constant1() { int x = 1; }

/* incrementation */

void incr1() {
  unsigned char c = 254;
  c++;
  /*@ assert c == 255 */
}

unsigned short us;

/*@ requires us == 13 ensures us == 15 */
void incr2() { us++; ++us; }

/* casts */

void cast1() { 
  char c = 1;
  unsigned char uc = c;
}

/* arrays */

int t[10];

void array1() {
  signed char c = 1;
  t[c] = 0;
  t[c+1] = 0;
}

/*@ requires t[0] <= 1000 assigns t[0] */
void incr3() {
  t[0]++;
}

/* loops */

void loop1() {
  unsigned char uc;
  short ss;
  /*@ invariant 0 <= uc <= 255 variant 256-uc */
  for (uc = 0; uc < 255; uc++) ss = uc;
}

/* structures */

struct S {
  unsigned char uc;
  signed char c;
  int i;
} s;

/*@ requires s.c == 0
    ensures  s.c == 3 && \result == 2 */
int struct1() { ++s.c; s.c++; return s.c++; }

/* bit fields */

struct BF {
  int f1 :1 ;
  unsigned int uf1 :1 ; 
  int f2 :2 ;
  unsigned int uf2 :2 ;
  int f7 :7;
} bf;

void bit_fields() {
  bf.f1 = 0;
}

/*
Local Variables: 
compile-command: "make overflows.overflows"
End: 
*/
why-2.34/bench/c/good/false2.c0000644000175000017500000000470512311670312014374 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int e;

/*@ assigns e
  @ ensures e == 0
  @*/
void f();

/*@ ensures e == 1
  @*/
int main() {
  e=1;
  f();
  return 0;
}

/*
Local Variables: 
compile-command: "make false2.gui"
End: 
*/
why-2.34/bench/c/good/sort.c0000644000175000017500000001067012311670312014205 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* sort 4 integers */


void sort4_1() {
  int a, b, c, d;
  int tmp;
  if (a > b) { tmp = a; a = b; b = tmp; }
  if (c > d) { tmp = c; c = d; d = tmp; }
  if (a > c) { tmp = a; a = c; c = tmp; }
  if (b > d) { tmp = b; b = d; d = tmp; }
  if (b > c) { tmp = b; b = c; c = tmp; }
  /*@ assert a <= b <= c <= d */
}



/*@ requires \valid_range(t,0,4) 
    ensures t[0] <= t[1] <= t[2] <= t[3] */
void sort4_4(int t[]) {
  int tmp;
  if (t[0] > t[1]) { tmp = t[0]; t[0] = t[1]; t[1] = tmp; }
  if (t[2] > t[3]) { tmp = t[2]; t[2] = t[3]; t[3] = tmp; }
  if (t[0] > t[2]) { tmp = t[0]; t[0] = t[2]; t[2] = tmp; }
  if (t[1] > t[3]) { tmp = t[1]; t[1] = t[3]; t[3] = tmp; }
  if (t[1] > t[2]) { tmp = t[1]; t[1] = t[2]; t[2] = tmp; }
}


/* commented because of memory explosion */
#if 0
/*@ requires \valid(a) && \valid(b) && \valid(c) && \valid(d) &&
  @   a != b && a != c && a != d && b != c && b != d && c != d
  @ ensures *a <= *b <= *c <= *d */
void sort4_2(int *a, int *b, int *c, int *d) {
  int tmp;
  if (*a > *b) { tmp = *a; *a = *b; *b = tmp; }
  if (*c > *d) { tmp = *c; *c = *d; *d = tmp; }
  if (*a > *c) { tmp = *a; *a = *c; *c = tmp; }
  if (*b > *d) { tmp = *b; *b = *d; *d = tmp; }
  if (*b > *c) { tmp = *b; *b = *c; *c = tmp; }
}
#endif



/*@ predicate swap_ord(int a2,int b2,int a1,int b1) {
  @   (a1 <= b1 => (a2 == a1 && b2 == b1)) && 
  @   (a1 > b1 => (a2 == b1 && b2 == a1))
  @ }
  @*/

/*@ requires \valid(a) && \valid(b) && \valid(c) && \valid(d) &&
  @   a != b && a != c && a != d && b != c && b != d && c != d
  @ ensures *a <= *b <= *c <= *d */
void sort4_3(int *a, int *b, int *c, int *d) {
  int tmp;
  //@ assigns *a,*b,tmp ensures swap_ord( *a,*b,\old( *a),\old( *b))
  if (*a > *b) { tmp = *a; *a = *b; *b = tmp; }
  //@ assigns *c,*d,tmp ensures swap_ord( *c,*d,\old( *c),\old( *d))
  if (*c > *d) { tmp = *c; *c = *d; *d = tmp; }
  //@ assigns *a,*c,tmp ensures swap_ord( *a,*c,\old( *a),\old( *c))
  if (*a > *c) { tmp = *a; *a = *c; *c = tmp; }
  //@ assigns *b,*d,tmp ensures swap_ord( *b,*d,\old( *b),\old( *d))
  if (*b > *d) { tmp = *b; *b = *d; *d = tmp; }
  //@ assigns *b,*c,tmp ensures swap_ord( *b,*c,\old( *b),\old( *c))
  if (*b > *c) { tmp = *b; *b = *c; *c = tmp; }
}

why-2.34/bench/c/good/inv_perm.c0000644000175000017500000001405112311670312015032 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Program I: Inverse of a permutation, in place.
   The Art of Computer Programming, vol. 1, page 176.*/

/*@ predicate permutation(int *t, int n) {
  @   \forall int i; 1 <= i <= n => \exists int j; 1 <= j <= n && t[j] == i 
  @ } */

/*@ axiom permut_domain :
  @  \forall int *t, int n; permutation(t,n) =>
  @    \forall int k; 1 <= k <= n => 1 <= t[k] <= n
  @*/

/*@ axiom permut_involution : 
  @  \forall int *t, int n; permutation(t,n) =>
  @    \forall int k; 1 <= k <= n => t[t[k]] == k
  @*/

// cycle-free path from k1 to k2 in t

//@ predicate path(int *t, int k1, int k2) reads t[..]

//@ axiom path_nil : \forall int *t, int k; path(t, k, k)

/*@ axiom path_cons : 
  @   \forall int *t, int k0, int k; 
  @     path(t, k0, k) => t[k] != k0 => path(t, k0, t[k])
  @*/

/*@ predicate path3(int *t, int ml, int k, int m) {
  @   path(t, ml, k) && t[k] != m && path(t, k, m)
  @ }
  @*/

// largest element in the cycle of k

//@ logic int largest(int *t, int k) reads t[..]

/*@ axiom largest_domain : 
  @   \forall int *t, int n; permutation(t, n) => 
  @     \forall int k; 1 <= largest(t, k) <= n
  @*/

/*@ requires 
  @   n >= 1 && \valid_range(t,1,n) && permutation(t, n)
  @ ensures
  @   \forall int k; 1 <= k <= n => t[\old(t[k])] == k
  @*/
void inverse(int *t, int n) {
  int m = n, j = -1;
  //@ label init
  /*@ invariant 
    @   1 <= m <= n && j < 0 &&
    @   (\forall int k; 1 <= k <= n => 
    @      (\at(largest(t, k), init) > m &&
    @        // cycle done
    @        (\forall int tk; t[k] == tk =>
    @          (m <  k &&  1 <= tk <= n  && \at(t[tk],  init) == k) ||
    @          (k <= m && -n <= tk <= -1 && \at(t[-tk], init) == k)))
    @   ||
    @      (\at(largest(t, k), init) <= m && t[k] == \at(t[k], init)))
    @ variant 
    @   m
    @*/
  do {
    int i = t[m];
    //@ label L
    if (i > 0) {
      /*@ invariant 
	@   1 <= m <= n && i == t[m] && j < 0 && 
	@   (m < \at(m,L) => 
	@     \forall int cj; cj == -j => \at(t[cj], init) == m) &&
	@   (\forall int mc; mc == m => \at(path(t, \at(m, L), mc), init)) &&
	@   (\forall int k; 1 <= k <= n => 
	@      (\at(largest(t, k), init) > m &&
	@        // cycle done
	@        (\forall int tk; t[k] == tk =>
	@          (m <  k &&  1 <= tk <= n  && \at(t[tk],  init) == k) ||
	@          (k <= m && -n <= tk <= -1 && \at(t[-tk], init) == k)))
	@   ||
	@      (\at(largest(t, k), init) < m && t[k] == \at(t[k], init))
	@   ||
	@      (\at(largest(t, k), init) == m && 
	@         (  (\at(path3(t, \at(m,L), k, m), init) && 
	@             (\forall int tk; t[k] == tk => 
	@                -n <= tk <= -1 && \at(t[-tk], init) == k))
	@         || (\at(path3(t, m, k, \at(m,L)), init) && 
	@             t[k] == \at(t[k], init)))))
	@ // variant
	@ // todo  
	@*/
      do {
	t[m] = j;
	j = -m;
	m = i;
	i = t[m];
      } while (i > 0);
      //@ assert m == \at(m,L)
      i = j;
    }
    t[m] = -i;
    m--;
  } while (m > 0);
}

/*@ requires 
  @   n >= 1 && \valid_range(t,1,n) &&
  @   \forall int k; 1 <= k <= n => 1 <= t[k] <= n
  @*/
void safety(int *t, int n) {
  int m = n, j = -1;
  /*@ invariant 
    @   1 <= m <= n && -n <= j <= -1 &&
    @   \forall int k; 1 <= k <= n => (-n <= t[k] <= -1 || 1 <= t[k] <= n)
    @*/
  do {
    int i = t[m];
    if (i > 0) {
      /*@ invariant 
	@   1 <= m <= n && 1 <= i <= n && -n <= j <= -1 &&
	@   \forall int k; 1 <= k <= n => (-n <= t[k] <= -1 || 1 <= t[k] <= n)
	@*/
      do {
	t[m] = j;
	j = -m;
	m = i;
	i = t[m];
      } while (i > 0);
      i = j;
    }
    t[m] = -i;
    m--;
  } while (m > 0);
}


/* test */

#ifdef TEST

int n = 6;
int t[7] = { 0,2,3,1,6,5,4 };

void print(int *t, int n) {
  int i;
  for (i = 1; i <= n; i++) printf("%d ", t[i]);
  printf("\n");
}

int main() {
  print(t,n);
  inverse(t, n);
  print(t,n);
}
#endif

/*
Local Variables: 
compile-command: "make inv_perm.gui"
End: 
*/
why-2.34/bench/c/good/switch.c0000644000175000017500000000750112311670312014516 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ ensures x==4 => \result==2 */
int f1 (int x){
  int y ;
  
  switch (x) {
  case 0 :
  case 1 : 
    y=1 ;
    y=4;
    break;
  case 2:
  case 4:
    y=2; break;
  case 3:
    y=3; break;
  default :
    y=4;
    y=5;
  }
  return y;
}

/*@ ensures x==4 => \result==2 */
int f1a (int x){
  int y ;
  
  switch (x) {
  case 0 :
  case 1 : 
    y=1 ;
    y=4;
    break;
  case 2:
  case 4:
    y=2; return y;
  case 3:
    y=3; return y;
  default :
    y=4;
  }
  y=5;
  return y;
}

/*@ ensures \result==4 */
int f2 (int x){
  int y ;
  
  switch (x) {
  case 0 :
  case 1 : 
    y=1 ;
  case 2:
  case 4:
    y=2;
  case 3:
    y=3;
  default :
    y=4;
  }
  return y;
}

/*@ ensures \result==4 */
int f3 (int x){
  int y;

  switch (x) { 
  case 0 :
  case 1 : 
    y=1 ;
  default :
    y=2;
  case 3 :
    y=3;
  case 2 :
    y=4;
  }
  return y;
}

/*@ ensures \result==0 */
int f4 (int x){
  int y = 0;

  switch (x) { 
  case 0 :
    if (x==0) break ;
    y = 1;
  }
  return y;
}

/*@ ensures x==1 => \result==1 */
int f5 (int x){
  int y = 0;

  switch (x) { 
  case 1 :
    while (x>0) break ;
    y = 1;
  }
  return y;
}

/*@ ensures x==2 => \result==1 */
int f6 (int x){
  int y = 0;

  switch (x) { 
  case 1+1 :
    y = 1;
  }
  return y;
}

enum {A=5};

/*@ ensures x==A => \result==1 */
int f7 (int x){
  int y = 0;

  switch (x) { 
  case A :
    y = 1;
  }
  return y;
}

/*@ ensures x==0 && y>=1 => \result == 0
  @*/
int f8 (int x, int y){
  int z = 0;

  switch (x) { 
  case 0:
    if (y >= 1) break;
    z = 1;
    break;
  default: 
    z = 2;
  }
  return z;
}
why-2.34/bench/c/good/ref_glob.c0000644000175000017500000000572412311670312015001 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ requires \valid(p)
  @ assigns *p
  @ ensures *p == 1
  @*/
void g(int *p) {
  *p = 1;
}

int x = 45;

/*@ assigns x
  @ ensures x == 1
  @*/
void f1() {
  x = 1;
}

/*@ assigns x
  @ ensures x == 1
  @*/
void f2() {
  g(&x);
}

typedef struct{ int c1; int c2; } las;
las * plas; 

/*@ 
  @ requires \valid(plas) 
  @ assigns plas->c1,plas->c2 
  @ ensures plas->c1 == 1 && plas->c2 == 1
  @*/ 
void f4() 
{ 
  plas->c2 = 2; 
  g(&plas->c1); 
  g(&plas->c2); 
}



int t[3] = {1,2,3};

/*@ requires \valid(p) && \valid( *p)
  @ assigns **p
  @ ensures **p == 2
  @*/
void h(int **p) {
  **p = 2;
}

// mal typ‚ !
// /*@ requires t[1] == 2
//   @ ensures t[0] == 2 && t[1] == 2 */
// void f3() {
//   h(&t);
// }

why-2.34/bench/c/good/gappa.c0000644000175000017500000000664012311670312014310 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ requires 0 <= x <= 1
  @ ensures  0 <= \result <= 1
  @*/


double calcul_debile0(double x) {
  double a;
  a=1-x;
  return a*a*a*a*a*a*a*a*a*a*a*a;
}


/*@ requires 0 <= x <= 1 && \exact(x)==x
  @ ensures
  @   161 <= \result <= 276 &&
  @   \round_error(\result) <= 2^^(-50)*|\result|  
  @*/

double calcul_debile1(double x) {
  double a,b;
  a=2*x+3;
  b=x*x+55;
  /*@ assert 0 <= b */
  a=a*b-4;
  return a;
}

/*@ requires 0 <= x <= 2^^(-3) && \round_error(x) <= 2^^(-54) 
  @ ensures
  @   \round_error(\result) <= 2^^(-51)  
  @*/

double calcul_debile2(double x) {
  return 1+x*(1+x*(1/2+x/6));
}





/*@ ensures
  @   \result == 256*x 
  @      && \round_error(\result)== 256*\round_error(x)
  @*/

double calcul_debile3(double x) {
  int i;
  /*@ invariant 0 <= i <= 8
    @    &&  x==2^^i*\old(x)
    @ variant 8 - i */ 
  
  for (i=0; i<8;i++)
    x*=2;
  return x;
}


/*@ requires 0 <= x <= 0.9
  @*/
void boucle(double x) {
  /*@ invariant 0 <= x <= 0.9 */
  while (x >= 0.5) 
    x = x*x;
}

/*
Local Variables: 
compile-command: "make gappa && ../../../bin/why.byte --fp --why why/gappa.why && ../../../bin/why.byte --fp --gappa why/gappa.why"
End: 
*/

why-2.34/bench/c/good/bug2.c0000644000175000017500000000450412311670312014054 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

struct S {
  int t [10];
};

struct S x [4];
struct S y [6];
why-2.34/bench/c/good/heapsort_swap_safety.c0000644000175000017500000000740012311670312017445 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Heapsort (safety only) */

/*** arith *******************************************************************/

//@ axiom div2_1 : \forall unsigned int i; 0 <= i => 0 <= i/2 <= i

//@ axiom div2_2 : \forall unsigned int i; 0 < i => 0 <= i/2 < i

// @ axiom div2_3 : \forall int i; 0 <= i => 2*(i/2) <= i

/*****************************************************************************/

/*@ requires \valid(a+i) && \valid(a+j)
  @*/
void swap(int* a, unsigned int i, unsigned int j) {
  int tmp = a[i];
  a[i] = a[j];
  a[j] = tmp;
}

/*@ requires 
  @   0 <= low <= high && 2*high <= \max_range(unsigned int) 
  @   && \valid_range(a, low, high)
  @*/
void sift_down(int* a, unsigned int low, unsigned int high) {
  unsigned int i = low, child;
  /*@ invariant 
    @   low <= i <= high
    @ variant 
    @   high - i
    @*/
  while ((child = 2*i+1) <= high) {
    if (child+1 <= high && a[child+1] >= a[child]) child++;
    if (a[i] >= a[child]) break;
    swap(a, i, child);
    i = child;
  }
}

/*@ requires 
  @   0 <= n  && 2*(n-1) <= \max_range(unsigned int) && \valid_range(a, 0, n-1)
  @*/
void heapsort(int* a, unsigned int n) {
  unsigned int i;
  if (n <= 1) return;
  /*@ invariant 
    @   0 <= i < n
    @ variant 
    @   i
    @*/
  for (i = n/2; i >= 1; i--) sift_down(a, i-1, n-1);
  /*@ invariant 
    @   0 <= i < n
    @ variant 
    @   i
    @*/
  for (i = n-1; i >= 1; i--) { swap(a, 0, i); sift_down(a, 0, i-1); }
}

/*
Local Variables: 
compile-command: "make heapsort_swap_safety.overflows"
End: 
*/
why-2.34/bench/c/good/mean.c0000644000175000017500000000565412311670312014144 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* right way to compute the mean of two integers without overflow
   (extracted from binary_search.c) */

//@ axiom mean_1 : \forall int x; 0 <= x => 0 <= x/2 <= x

//@ requires 0 <= l <= r 
int mean(int l, int r) {
  return l + (r - l)/2;
}

//@ requires l <= r 
unsigned int umean(unsigned int l, unsigned int r) {
  //@ assert 0 <= (r-l)/2 <= r-l
  return l + (r - l)/2;
}

//@ ensures (\result == x <= y) || (\result == y <= x)
int min_int(int x, int y);

//@ ensures (\result == x >= y) || (\result == y >= x)
int max_int(int x, int y);

//@ requires 0 <= x && 0 <= y
int mean2(int x, int y) {
  int min = min_int(x,y), max = max_int(x,y);
  return min + (max - min)/2;
}
why-2.34/bench/c/good/float.c0000644000175000017500000000654712311670312014333 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* The following functions are not intended to be correct;
   this is only a test file for the syntax and the typing of floating-point
   annotations */
   
const float ff = -(1 / (85 / (float)99));
float f;
double d;
long double l = 123.L;

/*@ requires -f == -0 + (int)1.0 + 2.0
  @ ensures  d >= 1 - 2.34
  @*/
void f1() { 
  f = (float)1 + (int)1.2;
  d = -f + 1.0 + 12.L;
  l = f + d + (long double)3;
}

/*@ requires x == \exact(x) && | x | <= 1
  @ ensures  \round_error(\result) <= 2 ^^ (-48)
  @*/
double my_exp(double x) {
  return 1 + x + x*x/2;
}

/*@ requires \model(x) == 0.0
  @ ensures \total_error(\result) <= 0.1
  @*/
double f2(double x) {
  return x + 1.0f + 2 * 3.14 / 3.6l;
}

/*@ requires x == y
  @ ensures \result == 1
  @*/
double f3(double x, float y) {
  long double z;
  if (x < y ) z = y; else z = x;
  return z;
}

/*@ ensures \result == 2 ^^ 40
  @*/
double f4(double x) {
  return x;
}

//@ logic real f_double_to_real(double x)

/*@ ensures \result == f_double_to_real(x) */
double f5(double x) {
  return x - 1;
}

/*@ ensures \result == -(1.0) */
double f6(double x) { return -1.0; }
why-2.34/bench/c/good/copy.c0000644000175000017500000000512012311670312014162 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* array copy */

/*@ requires \valid_range(t1,0,n) && \valid_range(t2,0,n) 
  @ ensures \forall int k; 0 <= k < n => t2[k] == t1[k]
  @*/
void copy(int t1[], int t2[], int n) {
  int i = n;
  /*@ invariant i <= n && \forall int k; i <= k < n => t2[k] == t1[k]
      variant i */   
  while (i-- > 0) {
    t2[i] = t1[i];
  }
}

why-2.34/bench/c/good/loop_inv.c0000644000175000017500000000472512311670312015047 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int i;
int c;

/*@ requires i >=0 && c > 0
  @ ensures i==0
  @*/
void f() {
  /*@ invariant i >= 0
    @ variant i
    @*/
  while (i > 0) {
    if (i >= c) {
      i -= c;
    }
    else
      i--;
  }
}
why-2.34/bench/c/good/count_bits.c0000644000175000017500000000555712311670312015377 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// the number of bits 1 in x
//@ logic int nbits(int x)

//@ axiom nbits_nonneg : \forall int x; nbits(x) >= 0

//@ axiom nbits_zero : nbits(0) == 0

/*@ axiom lowest_bit_zero :
  @   \forall int x; (x&-x) == 0 <=> x == 0
  @*/

/*@ axiom remove_one_bit :
  @    \forall int x; 
  @       x != 0 => nbits(x - (x&-x)) == nbits(x) - 1
  @*/

/*@ ensures \result == nbits(x) */
int count_bits(int x) {
  int d, c;
  /*@ invariant c + nbits(x) == nbits(\at(x,init))
    @ variant   nbits(x)
    @*/
  for (c = 0; d = x&-x; x -= d) c++;
  return c;
}

/*
Local Variables: 
compile-command: "make count_bits.gui"
End: 
*/
why-2.34/bench/c/good/zones2.c0000644000175000017500000000472012311670312014435 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

struct S{ int x[1]; int y [2];}s;

/*@ ensures s.x[0] == 1*/
void f (){
  s.x[0] = 1;
  s.y[1] = 2;
}


typedef struct T {
  struct S *p;
} T;

T *t,*u;


int g() {
  return t->p->x[0] + u->p->x[0];
}
why-2.34/bench/c/good/queens.c0000644000175000017500000002437012311670312014520 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Verification of the following 2 lines code for the N queens:

t(a,b,c){int d=0,e=a&~b&~c,f=1;if(a)for(f=0;d=(e-=d)&-e;f+=t(a-d,(b+d)*2,(
c+d)/2));return f;}main(q){scanf("%d",&q);printf("%d\n",t(~(~0< in_(i,b) }

//@ logic int card(iset s)
//@ axiom card_nonneg : \forall iset s; card(s) >= 0

//@ logic iset empty()
//@ axiom empty_def : \forall int i; !in_(i,empty())
//@ axiom empty_card : \forall iset s; card(s)==0 <=> s==empty()

//@ logic iset diff(iset a, iset b)
/*@ axiom diff_def : 
  @   \forall iset a, iset b; \forall int i;
  @     in_(i,diff(a,b)) <=> (in_(i,a) && !in_(i,b))
  @*/

//@ logic iset add(int x, iset a)
/*@ axiom add_def : 
  @   \forall iset s; \forall int x; \forall int i;
  @     in_(i,add(x,s))  <=> (i==x || in_(i,s))
  @*/

//@ logic iset remove(int x, iset s)
/*@ axiom remove_def : 
  @   \forall iset s; \forall int x; \forall int i;
  @     in_(i,remove(x,s))  <=> (in_(i,s) && i!=x)
  @*/

/*@ axiom remove_card : 
  @   \forall iset s; \forall int i;
  @     in_(i,s) => card(remove(i,s)) == card(s) - 1
  @*/

//@ logic int min_elt(iset s)
/*@ axiom min_elt_def : 
  @   \forall iset s; card(s) > 0 => 
  @     (in_(min_elt(s), s) &&
  @     \forall int i; in_(i,s) => min_elt(s) <= i)
  @*/

//@ logic iset singleton(int x)
/*@ axiom singleton_def : \forall int i, int j; in_(j,singleton(i)) <=> j==i
  @*/

//@ logic iset succ(iset s)
/*@ axiom succ_def_1 :  
  @   \forall iset s; \forall int i; in_(i,s) => in_(i+1,succ(s))
  @*/
/*@ axiom succ_def_2 :  
  @   \forall iset s; \forall int i; in_(i,succ(s)) => i>=1 && in_(i-1,s)
  @*/

//@ logic iset pred(iset s)
/*@ axiom pred_def_1 : 
  @   \forall iset s; \forall int i; i>=1 => in_(i,s) => in_(i-1,pred(s))
  @*/
/*@ axiom pred_def_2 : 
  @   \forall iset s; \forall int i; in_(i,pred(s)) => in_(i+1,s)
  @*/

//@ logic iset below(int n)
//@ axiom below_def : \forall int n, int i; in_(i, below(n)) <=> 0<=i x==0

/*@ axiom iset_c_remove : 
  @  \forall int x, int a, int b; 
  @    iset(b)==singleton(x) => in_(x,iset(a)) => iset(a-b)==remove(x, iset(a))
  @*/

// lowest bit trick
/*@ axiom iset_c_min_elt :
  @   \forall int x; x != 0 => iset(x&-x) == singleton(min_elt(iset(x)))
  @*/
/*@ axiom iset_c_min_elt_help :
  @   \forall int x; x != 0 <=> x&-x != 0
  @*/

/*@ axiom iset_c_diff :
  @  \forall int a, int b; iset(a&~b) == diff(iset(a), iset(b))
  @*/

/*@ axiom iset_c_add :
  @  \forall int x, int a, int b; 
  @    iset(b)==singleton(x) => !in_(x,iset(a)) => iset(a+b) == add(x, iset(a))
  @*/

// @ axiom iset_c_succ : \forall int a; iset(a*2) == succ(iset(a))

// @ axiom iset_c_pred : \forall int a; iset(a/2) == pred(iset(a))

//@ axiom iset_c_below : \forall int n; iset(~(~0< included(b,c) => included(a,c)
  @*/

/* @ axiom included_diff : \forall iset a, iset b; included(diff(a,b), a) */

/* @ axiom included_remove : \forall iset a, int x; included(remove(x,a), a) */

/***************************************************************************/

// t1: termination of the for loop
int t1(int a, int b, int c){
  int d, e=a&~b&~c, f=1;
  if (a)
    /*@ variant card(iset(e)) */
    for (f=0; d=e&-e; e-=d) {
      f+=t1(a-d,(b+d)*2,(c+d)/2);
    }
  return f;
}

/****************************************************************************/

// t2: termination of the recursive function: card(iset(a)) decreases
int t2(int a, int b, int c){
  int d, e=a&~b&~c, f=1;
  //@ label L
  if (a)
    /*@ invariant included(iset(e),\at(iset(e),L)) */
    for (f=0; d=e&-e; e-=d) {
      //@ assert \exists int x; iset(d) == singleton(x) && in_(x,iset(e)) 
      //@ assert card(iset(a-d)) < card(iset(a))
      f+=t2(a-d,(b+d)*2,(c+d)/2);
    }
  return f;
}

/****************************************************************************/

//@ logic int N() // N queens on a NxN chessboard 
//@ axiom N_positive : N() > 0

// t and u have the same prefix [0..i[
/*@ predicate eq_prefix(int *t, int *u, int i) {
  @   \forall int k; 0 <= k < i => t[k]==u[k]
  @ } 
  @*/

//@ predicate eq_sol(int *t, int *u) { eq_prefix(t, u, N()) } 

int** sol; // sol[i] is the i-th solution
/*@ axiom dont_bother_me_I_am_a_ghost_1 : 
  @   \forall int i; \valid(sol+i) */
/*@ axiom dont_bother_me_I_am_a_ghost_2 : 
  @   \forall int i, int j; \valid(sol[i]+j) */

int s = 0; // next empty slot in sol for a solution

int* col; // current solution being built
int k;    // current row in the current solution

// s stores a partial solution, for the rows 0..k-1
/*@ predicate partial_solution(int k, int* s) {
  @   \forall int i; 0 <= i < k => 
  @     0 <= s[i] < N() &&
  @     (\forall int j; 0 <= j < i => s[i] != s[j] &&
  @                                   s[i]-s[j] != i-j &&
  @                                   s[i]-s[j] != j-i)
  @ }
  @*/

//@ predicate solution(int* s) { partial_solution(N(), s) }

// lemma
/*@ axiom partial_solution_eq_prefix:
  @   \forall int *t, int *u; \forall int k;
  @     partial_solution(k,t) => eq_prefix(t,u,k) => partial_solution(k,u)
  @*/

/*@ predicate lt_sol(int *s1, int *s2) {
  @   \exists int i; 0 <= i < N() && eq_prefix(s1, s2, i) && s1[i] < s2[i]
  @ } 
  @*/

/* s[a..b[ is sorted for lt_sol */
/*@ predicate sorted(int **s, int a, int b) {
  @   \forall int i, int j; a <= i < j < b => lt_sol(s[i], s[j])
  @ } 
  @*/

/*@ requires x != 0
  @ ensures  \result == min_elt(iset(x))
  @*/
int min_elt(int x);

/*@ requires solution(col)
  @ assigns  s, sol[s][0..N()-1]
  @ ensures  s==\old(s)+1 && eq_sol(sol[\old(s)], col)
  @*/
void store_solution();

/*@ requires
  @   0 <= k && k + card(iset(a)) == N() && 0 <= s &&
  @   pre_a:: (\forall int i; in_(i,iset(a)) <=> 
  @            (0<=i i != col[j])) &&
  @   pre_b:: (\forall int i; i>=0 => (in_(i,iset(b)) <=> 
  @            (\exists int j; 0<=j=0 => (in_(i,iset(c)) <=> 
  @            (\exists int j; 0<=j= 0 && k == \old(k) &&
  @   sorted(sol, \old(s), s) &&
  @   \forall int* t; ((solution(t) && eq_prefix(col,t,k)) <=>
  @                    (\exists int i; \old(s)<=i= 0 && k == \old(k) && 
      @   partial_solution(k, col) &&
      @   sorted(sol, \at(s,L), s) &&
      @   \forall int *t; 
      @     (solution(t) && 
      @      \exists int di; in_(di, diff(\at(iset(e),L), iset(e))) &&
      @          eq_prefix(col,t,k) && t[k]==di) <=>
      @     (\exists int i; \at(s,L)<=i (\exists int i; 0<=i<\result && eq_sol(t,sol[i]))
  @*/
int queens(int n) {
  return t3(~(~0< t[k] == 0 */
void f1() {
  int i;
  /*@ invariant 0 <= i <= 10 && \forall int k; 0 <= k < i => t[k] == 0
    @ loop_assigns t[..]
    @ variant 10-i
    @*/
  for (i = 0; i < 10; i++) t[i] = 0;
}

/*@ assigns t[0 .. 9]
    ensures \forall int k; 0 <= k < 10 => t[k] == 0 */
void f2() {
  int i;
  /*@ invariant 0 <= i <= 10 && \forall int k; 0 <= k < i => t[k] == 0
    @ loop_assigns t[0 .. 9]
    @ variant 10-i
    @*/
  for (i = 0; i < 10; i++) t[i] = 0;
}

/*@ assigns t[0 .. 9]
    ensures \forall int k; 0 <= k < 10 => t[k] == 0 */
void f3() {
  int i;
  /*@ invariant 0 <= i <= 10 && \forall int k; 0 <= k < i => t[k] == 0
    @ loop_assigns t[0 .. i-1]
    @ variant 10-i
    @*/
  for (i = 0; i < 10; i++) t[i] = 0;
}

why-2.34/bench/c/good/separation1.c0000644000175000017500000000476312311670312015452 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int x;
int y;
int z;


/*@ requires \valid(p) 
  @ assigns *p
  @ ensures *p == 0
  @*/
void f(int *p){
  *p=0;
}

//@ requires \valid(p)
void g(int *p){
  *p=0;
}

//@ ensures y == 0
void main (){
  f(&x);
  x=1;
  f(&y);
  g(&z);
}


why-2.34/bench/c/good/queue_jr.c0000644000175000017500000002234412311670312015036 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// TODO: does Caduceus permit verification where N and t are
// parameters?

// TODO: assert that the initial queue state models Qnew() -- not
// clear that Caduceus supports this

// TODO: create separate interface functions that implement the spec,
// that call internal functions to do the work, put the algebraic
// queue into a separate file

// TODO: head and dequeue require q_size>0 but also handle the case
// where this is not true -- can and should the spec say something
// about this case?

// TODO: is the set of axioms sound, complete, and minimal?  would be
// nice to check this.

typedef unsigned char uint8_t;
typedef uint8_t bool;
typedef uint8_t error_t;
typedef int t;

#define N 10



// Simplify has no model for mod and verifying this queue requires
// only these special cases

/*@ axiom int_mod_1: \forall int x; \forall int y; 
  @   ((0 <= x < y) => ((x%y) == x))
  @*/

/*@ axiom int_mod_2: \forall int x; \forall int y; 
  @   ((y > 0) && (y <= x < (y+y))) => ((x%y) == (x-y))
  @*/





/*@ type Q */

/*@ logic Q Qnew() */
/*@ logic Q Qerror() */
/*@ logic t Ierror() */

/*@ logic int QmaxSize(Q q) */
/*@ logic int Qsize(Q q) */
/*@ logic Q Qenqueue(Q q, t x) */
/*@ logic int Qempty(Q q) */
/*@ logic t Qelement(Q q, int x) */
/*@ logic t Qhead(Q q) */
/*@ logic t Qdequeue_t(Q q) */
/*@ logic Q Qdequeue_Q(Q q) */

/*@ axiom Q01 : \forall Q q; QmaxSize(q) == N */

/*@ axiom Q02 : \forall Q q; \forall t x; (N <= Qsize(q)) => (Qenqueue(q,x) == Qerror()) */
/*@ axiom Q02a : \forall Q q; \forall t x; (Qsize(q) < N) => (Qenqueue(q,x) != Qerror()) */
/*@ axiom Q02b : \forall Q q; (Qsize(q) == 0) => (Qdequeue_t(q) == Ierror()) */
/*@ axiom Q02c : \forall Q q; (0 < Qsize(q)) => !(Qdequeue_t(q) == Ierror()) */
/*@ axiom Q02d : \forall Q q; (Qsize(q) == 0) => (Qdequeue_Q(q) == Qerror()) */
/*@ axiom Q02e : \forall Q q; (0 < Qsize(q)) => (Qdequeue_Q(q) != Qerror()) */
/*@ axiom Q09 : \forall Q q; \forall int x; (x >= Qsize(q)) => (Qelement(q,x) == Ierror()) */

/*@ axiom Q03 : \forall Q q; Qsize(Qnew()) == 0 */

/*@ axiom Q04 : \forall Q q; \forall t x; (Qsize(q) < N) => Qsize(Qenqueue(q,x)) == 1+Qsize(q) */
/*@ axiom Q04a : \forall Q q; ((0 < Qsize(q))) => Qsize(Qdequeue_Q(q)) == Qsize(q) - 1 */

/*@ axiom Q05 : \forall Q q; (Qsize(q) == 0) => (Qempty(q) == 1) */
/*@ axiom Q06 : \forall Q q; (0 < Qsize(q)) => (Qempty(q) == 0) */


/*@ axiom Q08 : \forall t y; \forall Q q; \forall int x; (0 <= x < Qsize(q))  => 
  @                            ( Qelement(Qenqueue(q,y),x) == Qelement(q,x)) 
  @*/
/*@ axiom Q08a : \forall Q q; \forall int x; ((0 <= x < Qsize(q) - 1) )  => 
  @                            (Qelement(Qdequeue_Q(q),x) == Qelement(q,x + 1)) 
  @*/
/*@ axiom Q08b : \forall Q q; \forall int x; ((x == Qsize(q)) && (Qsize(q) < N))  => 
  @                            (\forall t y; Qelement(Qenqueue(q,y),x) == y) 
  @*/


/*@ axiom Q10 : \forall Q q; Qhead(q) == Qelement(q,0) */
/*@ axiom Q11 : \forall Q q; Qdequeue_t(q) == Qelement(q,0) */
/*@ axiom Q12 : \forall Q q; (Qempty(q) == 1) => 
  @                            (\forall t x; Qdequeue_Q(Qenqueue(q,x)) == Qnew()) 
  @*/
/*@ axiom Q13 : \forall Q q; (Qempty(q) == 0) => 
  @                            (\forall t x; Qdequeue_Q(Qenqueue(q,x)) == 
  @                                          Qenqueue(Qdequeue_Q(q),x)) 
  @*/


static t queue[N];
static unsigned char q_head = 0;
static unsigned char q_tail = 0;
static unsigned char q_size = 0;

/*@ predicate models(Q q) {
  @   (q != Qerror()) &&
  @   (q_size == Qsize(q)) &&
  @   (\forall int i; (0 <= i < q_size) => (Qelement(q,i) == queue[(i+q_head)%N]))
  @ }
  @*/

/*@ predicate valid_slot (uint8_t i) {
  @   (i >= 0) && (i < N) &&
  @   \valid_index(queue,i)
  @ }
  @*/

/*@ predicate occupied_slot (uint8_t i) {   
  @   ((q_tail > q_head) && (q_head <= i < q_tail)) ||
  @   ((q_tail < q_head) && ((q_head <= i) || (i < q_tail))) ||
  @   ((q_head == q_tail) && (q_size == N))
  @ }
  @*/

/* should say 2**(8*sizeof(uint8_t)) instead of 256 */
/*@ invariant q0 : 0 <= N < 256 */ 
/*@ invariant q1 : 0 <= q_size <= N */
/*@ invariant q2 : valid_slot(q_head) */
/*@ invariant q3 : valid_slot(q_tail) */

/*@ invariant size_1 : (q_tail > q_head) => (q_size == (q_tail - q_head)) */
/*@ invariant size_2 : (q_tail < q_head) => (q_size == (N + q_tail - q_head)) */
/*@ invariant size_3 : (q_tail == q_head) <=> ((q_size == 0) || (q_size == N)) */


/*@ assigns \nothing
  @ ensures (\result == N) && 
  @         (\forall Q q; \old(models(q)) => (\result == QmaxSize(q)))
  @*/


uint8_t maxSize (void)
{
  return N;
}

/*@ assigns \nothing
  @ ensures (\result == q_size) && 
  @         (\forall Q q; \old(models(q)) => (\result == Qsize(q)))
  @*/
uint8_t size (void)
{
  return q_size;
}

/*@ assigns \nothing
  @ ensures ((q_size == 0) => (\result == 1)) && 
  @         ((q_size != 0) => (\result == 0)) &&
  @         (\forall Q q; \old(models(q)) => (\result == Qempty(q)))
  @*/
bool empty (void)
{
  return (q_size == 0);
}

/*@ requires q_size > 0
  @ assigns \nothing
  @ ensures (\forall Q q; \old(models(q)) => ((Qhead(q) == \result) &&
  @                                           (Qhead(q) != Ierror())))
  @*/
t head (void)
{ 
  /*@ assert occupied_slot(q_head) */
  return queue[q_head];
}

/*@ requires 0 <= e < q_size 
  @ assigns \nothing
  @ ensures (\forall Q q; \old(models(q)) => ((Qelement(q,e) == \result))) 
  @*/
t element (uint8_t e)
{
  uint8_t tmp = e + q_head;
  tmp = tmp % N;
  /*@ assert valid_slot(tmp) */
  /*@ assert occupied_slot(tmp) */
  return queue[tmp];
}


/*@ assigns queue[\old(q_tail)], q_tail, q_size 
  @ ensures (((\old(q_size)  
  @           (
  @            (\result == 1) && 
  @            (q_size == (\old(q_size)+1)) &&
  @	       (occupied_slot(\old(q_tail))) &&
  @            (\forall Q q; \old(models(q)) =>
  @              ( 
  @               (Qelement(Qenqueue(q,e),Qsize(q)) ==queue[(Qsize(q)+q_head)%N]) &&
  @               (models(Qenqueue(q,e)))
  @              )
  @            )
  @           )
  @          ) &&
  @          ((\old(q_size) == N) => 
  @           ((\result == 0) && (q_size == \old(q_size)) &&   (\forall Q q; \old(models(q)) => (Qenqueue(q,e) == Qerror())))
  @          )
  @         )
  @*/
error_t enqueue (t e)
{
  if (q_size < N) {
    /*@ assert !occupied_slot(q_tail) */
    queue[q_tail] = e;
    q_tail = q_tail + 1;
    q_tail = q_tail % N;
    q_size = q_size + 1;
    return 1;
  } else {
    return 0;
  }
}

/*@ requires q_size > 0
  @ assigns q_head, q_size
  @ ensures (\result == queue[\old(q_head)]) &&
  @         (q_size == (\old(q_size)-1)) &&
  @         (!occupied_slot(\old(q_head))) &&
  @         (\forall Q q; \old(models(q)) => models(Qdequeue_Q(q)))  &&
  @         (\forall Q q; \old(models(q)) => ((Qdequeue_t(q) == \result) &&
  @                                           (Qdequeue_t(q) != Ierror())))
  @*/
t dequeue (void)
{
  int tmp;
  /*@ assert occupied_slot(q_head) */
  tmp = queue[q_head];
  if (!(q_size == 0)) {
    q_head = q_head + 1;
    q_head = q_head % N;
    q_size = q_size - 1;
  }
  return tmp;
}

why-2.34/bench/c/good/logic.c0000644000175000017500000000556612311670312014323 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ logic int f1(int t[], int x) reads t[..] */

/*@ axiom ax_f1 : \forall int t[], int x; f1(t,x) == t[x] */

void test_f1() {
  int t[2];
  t[0] = 0;
  //@ assert f1(t,0) == 0
}


/*@ logic int f2(int t[], int x) { t[x] } */

void test_f2() {
  int t[2];
  t[0] = 0;
  // @ assert f2(t,0) == 0
}


/*@ predicate p1(int t[], int x, int v) reads t[..] */

/*@ axiom ax_p1 : \forall int t[], int x, int v; p1(t,x,v) <=> t[x]==v */

void test_p1() {
  int t[2];
  t[0] = 0;
  //@ assert p1(t,0,0)
}



/*@ predicate p2(int t[], int x, int v) { t[x]==v } */

void test_p2() {
  int t[2];
  t[0] = 0;
  //@ assert p2(t,0,0)
}

why-2.34/bench/c/good/assigns_range.c0000644000175000017500000000446312311670312016044 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int t[10];

/*@ assigns t[0..3] */
int f();
why-2.34/bench/c/good/conflict.c0000644000175000017500000000445612311670312015024 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int f(int x);

int f(int x){return 1;}
why-2.34/bench/c/good/pi.c0000644000175000017500000000645512311670312013634 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/******
int a=10000,b,c=2800,d,e,f[2801],g;main(){for(;b-c;)f[b++]=a/5;
for(;d=0,g=c*2;c-=14,printf("%.4d",e+d/a),e=d%a)for(b=c;d+=f[b]*a,
f[b]=d%--g,d/=g--,--b;d*=b);}
******/

/*@ axiom simplify_dumb_1 : 2800 % 14 == 0 */
/*@ axiom simplify_dumb_2 : \forall int c; c*2>0 => c*2>1 */
/*@ axiom simplify_dumb_3 : \forall int c; c%14==0 => (c-14)%14==0 */
/*@ axiom simplify_dumb_4 : \forall int c; c%14==0 => c>0 => c>=14 */
/*@ axiom simplify_dumb_5 : 10000 / 5 == 2000 */

void print4(int);

int a=10000,b,c=2800,d,e,f[2801],g,i;

/*@ requires b == 0 && c == 2800 && a == 10000 */
void main(){
  /*@ invariant 0 <= b <= 2800 && \forall int i; 0 <= i < b => f[i] == 2000
      variant c-b */
  for(; b-c; b++) 
    f[b] = a/5;

  /*@ invariant 0 <= c <= 2800 && c%14==0
      variant c */
  for(; d=0, g=c*2; ) {
    /*@ invariant 1 <= b <= c && g == b*2
        variant b */
    for(b=c; 1; ) {
      d += f[b]*a;
      f[b] = d % --g;
      d /= g--;
      --b;
      if (!b) break; 
      d *= b;
    }
    c -= 14; 
    print4(e+d/a); 
    e = d%a;
    }
}
why-2.34/bench/c/good/flag.c0000644000175000017500000000730612311670312014131 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Dijkstra's dutch flag */

typedef enum { BLUE, WHITE, RED } color;

/*@ predicate isColor(int i) { i == BLUE || i == WHITE || i == RED }
  @*/

/*@ predicate isMonochrome(int t[], int i, int j, color c)
  @   { \valid_range(t,i,j) && \forall int k; i <= k && k <= j => t[k] == c } 
  @*/

/*@ requires \valid_index(t,i) && \valid_index(t,j)
  @ assigns t[i],t[j]
  @ ensures t[i] == \old(t[j]) && t[j] == \old(t[i])
  @*/
void swap(color t[], int i, int j) {
  int tmp = t[i];
  t[i] = t[j];
  t[j] = tmp;
}

/*@ requires 
  @   n >= 0 && \valid_range(t,0,n-1) &&
  @   (\forall int k; 0 <= k && k < n => isColor(t[k]))
  @ assigns t[0 .. n-1]
  @ ensures 
  @   (\exists int b, int r; 
  @            isMonochrome(t,0,b-1,BLUE) &&
  @            isMonochrome(t,b,r-1,WHITE) &&
  @            isMonochrome(t,r,n-1,RED))
  @*/
void flag(color t[], int n) {
  int b = 0;
  int i = 0;
  int r = n;
  /*@ invariant
    @   (\forall int k; 0 <= k && k < n => isColor(t[k])) &&
    @   0 <= b && b <= i && i <= r && r <= n &&
    @   isMonochrome(t,0,b-1,BLUE) &&
    @   isMonochrome(t,b,i-1,WHITE) &&
    @   isMonochrome(t,r,n-1,RED)
    @ loop_assigns b,i,r,t[0 .. n-1]
    @ variant r - i
    @*/
  while (i < r) {
    switch (t[i]) {
    case BLUE:  
      swap(t, b++, i++);
      break;	    
    case WHITE: 
      i++; 
      break;
    case RED: 
      swap(t, --r, i);
      break;
    }
  }
}

    
/*
Local Variables: 
compile-command: "make flag.gui"
End: 
*/
why-2.34/bench/c/good/sum1.c0000644000175000017500000000470212311670312014102 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*

C test file

*/

int x;

/*@ requires x == 0 ensures x == 10 */ 
void main() 
{
  int i = 0;
  /*@ invariant x == i && i <= 10 variant 10-i */
  for (i = 0; i < 10; ++i)
    x++;
} 

why-2.34/bench/c/good/syntax/0000755000175000017500000000000012311670312014374 5ustar  rtuserswhy-2.34/bench/c/good/syntax/hw.c0000644000175000017500000000011212311670312015150 0ustar  rtusers
#include 

int main() { printf("hello world\n"); exit(0); }
why-2.34/bench/c/good/syntax/horribilis.c0000644000175000017500000000034112311670312016704 0ustar  rtusers
int a, b;
typedef int t, u;
void f1() { a * b; }
void f2() { t * u; }
void f3() { t * b; }
void f4() { int t; t * b; }
void f5(t u, unsigned t) {
  switch ( t ) {
  case 0: if ( u )
    default: return;
  }
}

why-2.34/bench/c/good/syntax/annot.c0000644000175000017500000000137012311670312015660 0ustar  rtusers
/* Annotations in C programs */

/*W logic p : int -> prop */

/*@ requires x == 0 ensures \result == 1 */
int f(int x) {
  return x+1;
}


/*W external h : int -> int */

int g();

/*@ ensures \result > 0 */
int g() {
  int s = 0;
  int i = 0;
  /*@ assert s == 0 */;
  /*@ invariant 0 <= i <= 10 variant 10 - i */ 
  while (i < 10) 
  {
    s += i++;
  }
}

/* recursive function with a variant */

/*@ ensures n >= 0 // variant n 
  @*/
int fact(int n) {
  return n == 0 ? 1 : n * fact(n-1);
}

void h() {
  int i = 1000;
  /*@ invariant i >= 0 variant i */ 
  do i--; while (i > 0);
  { 
    int j = 0;
    /*@ assert j == 0 */;
    /*@ invariant i >= 0 variant i */ 
    for (; j < 10; j++) i += j; 
  }
}

why-2.34/bench/c/good/syntax/types.c0000644000175000017500000000272512311670312015712 0ustar  rtusers
/* basic types */

char a;
short c;
int b;
long d;
long long e;
float f;
double g;
long double h;

/* void i; GCC refused by 3.2.3 */

/* arrays */

char j[5];
long l[5][6];

/* pointers */

int * m;
short ** n;

/* type specifiers */

extern int o;
const char p;
signed char q;
unsigned int r;
signed s; /* defaults to signed int */

/* misc. (specifiers and pointers) */

unsigned char * * t;
const char** u;

/* structures */

struct S1; /* forward declaration */
struct S2 { int fa; }; 
struct S1 { char fb; float fc; };
struct { struct S1 fe; int ff; } sb;
struct S3 { struct S1 * fg; };
struct S4 { int fh; struct S4 * next; };
struct S4 * sc;

/* bit fields */

struct { int fd :3; } sa;

struct flags { 
  unsigned int is_keyword : 1;
  unsigned int is_extern  : 1;
  unsigned int is_static  : 1;
};

/* unions */

union U1 { int fi; float fj; };
union U2 { union U1 fk; int fl; };

/* mixed structures / unions / arrays */

struct S5 { char fm; union { int fn; float fo; } fp; } arr1[10];

/* enums */

enum boolean { FALSE, TRUE };
enum { E11, E12, E13 };
enum { E21 = 1, E22, E23 };
enum letters { E31 = 'a', E32 = 'b', E33 = 'c', E34 = 'd' };

/* nightmare examples from K&R, section 5.12 */

int (*kra)[13];
int *krb[13];
int *krc();
int (*krd)();
char (*(*kre())[])();
char (*(*krf[3])())[5];

/* typedefs */

typedef int t1;
typedef struct { int fq; } t2;
typedef struct S1 t3;
typedef struct S2 * t4;
typedef int t5[10];

typedef struct t6_ { int fr; struct t6_ * fs; } * t6;
why-2.34/bench/c/good/syntax/obfuscated.c0000644000175000017500000000162412311670312016662 0ustar  rtusers/*
* compile me with "cc", and run "a.out"
* Incredible!
*/
#include 
main(t,_,a)
char *a;
{
return!0 0) n--;
}

void loop2(int n) {
  //@ variant 100-n
  while (n < 100) n++;
}

//@ ensures \result == 0
int loop3() {
  int i = 100;
  //@ invariant 0 <= i variant i
  while (i > 0) i--;
  return i;
}

//@ ensures \result == 100
int sum() {
  int i = 100, s;
  //@ invariant 0 <= i <= 100 && s == 100-i variant i
  for (s = 0; i > 0; i--) s++;
  return s;
} 


//@ requires 0 <= n
void loop(int n) {
  int i;
  //@ invariant 0 <= i <= n variant n-i
  for (i = 0; i < n; i++);
}

why-2.34/bench/c/good/Dillon.c0000644000175000017500000000753112311670312014441 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct { int t2[5]; int t2bis[5]; int *p2; } las2; 
typedef struct { int t1[5]; int t1bis[5]; int *p1; las2 * pp; } las; 

las u,v,w; 


/* 
invariant inv0: 
\forall las x; x.p1!=x.t1 && x.p1!=x.pp->t2 && x.t1!=x.pp->t2 && x.pp->p2!=x.t1 && x.pp->p2!=x.p1 
*/ 
/*@ 
invariant inv1: 
\forall las x,las y; 
&x!=&y => 
   \base_addr(x.p1) != \base_addr(y.t1) 
 &&  \base_addr(x.p1) != \base_addr(y.p1) 
 &&  \base_addr(x.p1) != \base_addr(y.pp->t2) 


 &&  \base_addr(x.pp) != \base_addr(y.pp) 


 &&  \base_addr(x.t1) != \base_addr(y.pp->t2) 
 &&  \base_addr(x.pp->t2) != \base_addr(y.pp->t2) 
*/ 


/*@ 
requires \valid (p) && \valid(p->p1) && \valid(p->pp) && \valid(p->t1) 
 && \valid_range(p->t1,0,5) && \valid_range(p->pp->t2,0,5) && \valid(p->pp->p2) 
assigns p->t1[0 .. 5],*p->p1,p->pp->t2[0 .. 5],*p->pp->p2 
ensures p->t1[1] == *p->p1 + p->pp->t2[1] + *p->pp->p2 
*/ 
void g(las * p); 


/*@ 
requires \forall las x; (&x==&u  || &x==&v  || &x==&w) 
 => \valid(x.p1) && \valid(x.pp) && \valid(x.pp->t2) && \valid_range(x.t1,0,5) && \valid_range(x.pp->t2,0,5) 
 && \valid(x.pp->p2) 
assigns 
u.t1[0 .. 5],*u.p1,u.pp->t2[0 .. 5],u.pp->p2, 
v.t1[0 .. 5],*v.p1,v.pp->t2[0 .. 5],v.pp->p2, 
w.t1[0 .. 5],*w.p1,w.pp->t2[0 .. 5],w.pp->p2 
ensures \forall las x; (&x==&u  || &x==&v  || &x==&w) 
 => x.t1[1] == *x.p1 + x.pp->t2[1] + *x.pp->p2 
*/ 
void f() 
{ int a = (u.t1[1] == *u.p1 + u.pp->t2[1] + *u.pp->p2); 
 g(&u); /*@ assert u.t1[1] == *u.p1 + u.pp->t2[1] + *u.pp->p2 */ 
 g(&v); /*@ assert u.t1[1] == *u.p1 + u.pp->t2[1] + *u.pp->p2 *//*@ assert v.t1[1] == *v.p1 + v.pp->t2[1] + *v.pp->p2 */ 
 g(&w); 
}
why-2.34/bench/c/good/dassault_1.c0000644000175000017500000000477012311670312015262 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct las3
{
  int  c;
} las3;

typedef struct las2
{
  las3    b[3];
  
} las2;

typedef struct las1
{
  las2  b;
  
} las1;

typedef struct las
{
  las1    a;
} las;

las x;
las2 y;

int f() {
  return x.a.b.b[0].c + y.b[1].c;
}

why-2.34/bench/c/good/separation3.c0000644000175000017500000000537412311670312015453 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

struct S { int a; int b[5]; int c[5]; };

struct L { struct S q; struct S *p; int r[10]; };

struct S s0;
struct L l;

/* no alias between s0 and l.q */
/*@ ensures \result == 1 */
int f() {
  s0.a = 1;
  l.q.a = 2;
  return s0.a;
}

/* s0 and l.p are the same structure (alias) */
/*@ ensures \result == 1 */
int f2() {
  s0.b[2] = 1;
  l.p = &s0;
  return l.p->b[2];
}

/* internal separation of s0.b and s0.c */
//@ ensures \result == 1
int f3() {
  s0.b[2] = 1;
  s0.c[2] = 2;
  return s0.b[2];
}
why-2.34/bench/c/good/negate.c0000644000175000017500000000520112311670312014453 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ requires n >= 0 && \valid_range(t,0,n-1)
  @ assigns t[0..n-1]
  @ ensures \forall int k; 0 <= k < n => t[k] == -\old(t[k])
  @*/
void negate(int *t, int n) {
  int i = 0;
  /*@ invariant 
    @   0 <= i <= n && 
    @   (\forall int k; 0 <= k < i => t[k] == -\old(t[k])) 
    @ loop_assigns t[0..i-1]
    @ variant n-i */
  while (i < n) {
    t[i] = -t[i];
    i++;
  }
}
why-2.34/bench/c/good/false.c0000644000175000017500000000523512311670312014311 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* These programs _are_ incorrect i.e. the corresponding proof obligations
   should _not_ be provable.
   They are here to test the consistence of the theory. */

struct u{int x;};

struct v{struct u x; int y[5];};

struct v  *z;
struct u zz;

int x[4];
int y[5];

/*@ ensures \false */
void false0() {
}

void false1() {
  z->y[5] = 3;
}

void false2() {
  x[-1] = 1;
}

void false3() {
  y[5] = 2;
  }

why-2.34/bench/c/good/queue.c0000644000175000017500000000653312311670312014345 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct queue { 
  char *contents;
  int length;
  int first, last;
  unsigned int empty, full :1;
} queue;

char t[] = { 0, 0, 0, 0, 0 } ;

queue q = { t, 5, 0, 0, 0, 1};

/*@ invariant q_invariant : 
  @   \valid_range(q.contents, 0, q.length-1) &&
  @   0 <= q.first < q.length &&
  @   0 <= q.last < q.length 
  @   // && (q.full != 0 <=> q.last == q.first)
  @*/

/*@ requires !q.full
  @ assigns  q.empty, q.full, q.last, q.contents[q.last]
  @ ensures  !q.empty && q.contents[\old(q.last)] == c
  @*/
void push(char c) {
  q.contents[q.last++] = c;
  if (q.last == q.length) q.last = 0;
  q.empty = 0;
  q.full = q.first == q.last;
}

/* q.last = (q.last + 1) % q.length; BUG */

/*@ requires !q.empty
  @ assigns q.empty, q.full, q.first
  @ ensures !q.full && \result == q.contents[\old(q.first)]
  @*/
char pop() {
  char r = q.contents[q.first++];
  if (q.first == q.length) q.first = 0;
  q.full = 0;
  q.empty = q.first == q.last;
  return r;
}

/*@ requires \valid(q1) && !q.empty
  @ ensures \result == \old(q1->empty) 
  @*/
int test(struct queue *q1) {
  pop();
  return q1->empty;
}
why-2.34/bench/c/good/coord.c0000644000175000017500000000473512311670312014331 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct coord {
    int x;   
    int y;
} coord;

coord  tab [3];

/*@ assigns \nothing */
void f (int x);

/*@ requires 0 <= index < 3 */
void g (int index)
{
    f((tab+index)->x);
    f(tab[index].x);
}
why-2.34/bench/c/good/trop.c0000644000175000017500000000474012311670312014203 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct las { int * p; int ta[1]; } las;

las u,v;

/*@
  requires \valid(u.p) && \base_addr(u.ta)!=\base_addr(u.p)
  assigns *u.p,u.ta[0]
  ensures u.ta[0]==0
*/
void f()
{
  //	g();
  u.ta[0]=0;
  *u.p=5;
}

why-2.34/bench/c/good/search.c0000644000175000017500000000606312311670312014464 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* search for a value in an array */

/*@ requires \valid_range(t,0,n-1)
  @ ensures 
  @   (0 <= \result < n => t[\result] == v) &&
  @   (\result == n => \forall int i; 0 <= i < n => t[i] != v) 
  @*/
int index(int t[], int n, int v) {
  int i = 0;
  /*@ invariant 0 <= i && \forall int k; 0 <= k < i => t[k] != v
      variant n - i */ 
  while (i < n) {
    if (t[i] == v) break;
    i++;
  }
  return i;
}

/* same thing, with a return instead of a break */

/*@ requires \valid_range(t,0,n-1)
  @ ensures 0 <= \result < n => t[\result] == v 
  @*/
int index2(int t[], int n, int v) {
  int i = 0;
  /*@ invariant 0 <= i && \forall int k; 0 <= k < i => t[k] != v
      variant n - i */
  while (i < n) {
    if (t[i] == v) return i;
    i++;
  }
  return n;
}

int t[4];

void test() {
  index(t, 4, 12);
}
why-2.34/bench/c/good/call.c0000644000175000017500000000500012311670312014120 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*

C test file

*/

int x;
/* int t[]; */

/*@ requires y == ddd 
  @ assigns \nothing 
  @ ensures \result == z */ 
int f(int y, int ddd, int z) 
{
  int u = z;
  return u++;
} 

/*@ ensures x == 2 */
void main() 
{
  x = 0;
  x = f(1,++x,2);
} 

why-2.34/bench/c/good/struct.c0000644000175000017500000000527612311670312014550 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct T {
  int x;
  int y;
} T;

/*@ requires \valid(t2) && t2->x == 0
  @ assigns t2->x
  @ ensures \result == 1 && t2->x == 2 && t2->y == \old(t2->y)
  @*/
int f(T* t2) {
  t2->x++; 
  return t2->x++;
}

struct S { int z; T t; } s;
struct S *ps;

struct S *pps[] = { (void *)0 };

/*@ requires \valid(ps)
  @ ensures \result == 1
  @*/
int g() {
  T *p;
  ps = &s;
  pps[0] = ps;
  p = &(s.t);
  ps->t.x = 1;
  return s.t.x;
}
why-2.34/bench/c/good/binary_search_safety.c0000644000175000017500000000576012311670312017406 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* binary_search(t,n,v) search for element v in array t 
   between index 0 and n-1
   array t is assumed sorted in increasing order
   returns an index i between 0 and n-1 where t[i] equals v, 
   or -1 if no element of t is equal to v  
 */

/* safety */


/*@ axiom mean_1 : \forall int x, int y; x <= y => x <= (x+y)/2 <= y */

/*@ requires n >= 0 && \valid_range(t,0,n-1) */
int binary_search1(int* t, int n, int v) {
  int l = 0, u = n-1;
  /*@ invariant 0 <= l && u <= n-1 
    @ variant   u-l 
    @*/
  while (l <= u ) {
    int m = (l + u) / 2;
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else return m; 
  }
  return -1;
}




    
/*
Local Variables: 
compile-command: "make binary_search_safety.gui"
End: 
*/
why-2.34/bench/c/good/strcpy.c0000644000175000017500000001105412311670312014537 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


/*@ predicate is_c_string(char *src, int n) {
       n >= 0 && \valid_range(src,0,n) && src[n] == 0 && 
       (\forall int i; 0 <= i < n => src[i] != 0) }
*/


/*@ requires 
  @   \base_addr(src) != \base_addr(dest) &&
  @   (\exists int n; is_c_string(src,n) && \valid_range(dest,0,n)) 
  @      
  @ ensures
  @   \forall int n ;  is_c_string(src,n) =>
  @      \forall int k; 0 <= k <= n => dest[k] == src[k]
  @*/
void strcpy(char *dest, const char *src) {
  /*@ invariant 
    @   \old(dest) <= dest && \old(src) <= src &&
    @   dest - \old(dest) == src - \old(src) &&
    @   (\forall char *p;  \old(dest) <= p < dest => 
    @          *p == *(\old(src) + (p-\old(dest)))) &&
    @   (\forall int n ;  is_c_string(\old(src),n) =>
    @      dest <= \old(dest)+n && src <= \old(src) + n)
    @ loop_assigns dest[..]
    @ */   
  while (*dest++ = *src++);
}







/*

> man strcpy

STRCPY(3)                  Linux Programmer's Manual                 STRCPY(3)

NAME
       strcpy, strncpy - copy a string

SYNOPSIS
       #include 

       char *strcpy(char *dest, const char *src);

       char *strncpy(char *dest, const char *src, size_t n);

DESCRIPTION
       The  strcpy()  function  copies the string pointed to by src (including
       the terminating `\0' character) to the array pointed to by  dest.   The
       strings  may not overlap, and the destination string dest must be large
       enough to receive the copy.

       The strncpy() function is similar, except that not more than n bytes of
       src  are copied. Thus, if there is no null byte among the first n bytes
       of src, the result will not be null-terminated.

       In the case where the length of src is less than that of n, the remain-
       der of dest will be padded with nulls.

RETURN VALUE
       The  strcpy()  and strncpy() functions return a pointer to the destina-
       tion string dest.

BUGS
       If the destination string of a strcpy() is not large enough  (that  is,
       if  the programmer was stupid/lazy, and failed to check the size before
       copying) then anything might happen.  Overflowing fixed length  strings
       is a favourite cracker technique.

*/



/* axiom is_c_string_uniq :
  \forall char * s; \forall int n1 ; \forall int n2 ;
    is_c_string(s,n1) => is_c_string(s,n2) => n1 == n2
*/
why-2.34/bench/c/good/rec.c0000644000175000017500000000471412311670312013771 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* C recursive function */

/*@ requires x >= 0 
  @ assigns \nothing 
  @ // variant x 
  @ ensures \result == 0 
  @*/ 
int f(int x) {
  if (x == 0) 
    return 0;
  else
    return f(x - 1);
}

why-2.34/bench/c/good/clash_redef.c0000644000175000017500000000513412311670312015454 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


typedef struct{int * p2;} las;

int f3(  las*  p1,  int*  p2); 

/*@ requires \valid(p1)
  @ ensures \result == 0 
  @*/ 
int f3(  las*  p1,  int*  p2) 
{ 
  p1->p2 = p2; 
  return ( 0 ); 
}




typedef struct st {  int p;} st; 
/* ... */ 
void f4(  int*  p);
/* ... */ 
void f4(  int*  p){}

/*@ requires \valid(p)*/ 
void f4(  int*  p); 
why-2.34/bench/c/good/all.c0000644000175000017500000000712312311670312013765 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


/* all features, orthogonally */

int x;
int y;

/*@ ensures x == 0 */
void f1() { x = 0; }

/*@ requires x == 0 
    ensures x == 1 */ 
void f2() { x++; }

/*@ requires x == 0 
    ensures x == 1 */ 
void f3() { ++x; }

/*@ requires x == 0 
    ensures x == 1 && y == 0 */ 
void f4() { y = x++; }

/*@ requires x == 0 
    ensures x == 1 && y == 1 */ 
void f5() { y = ++x; }

/*@ requires x == 1 
    ensures x == 3 */ 
void f6() { x += 2; }

/*@ requires x == 0 
    ensures y == 1 */ 
void f7a() { y = x == 0 ? 1 : 2; }

/*@ requires x != 0 
    ensures y == 2 */ 
void f7b() { y = x == 0 ? 1 : 2; }

int t[3];

/*@ requires t[0] == 1 
    ensures y == 1 */ 
void t1() { y = t[0]; }

/*@ requires x == 0 && t[0] == 1 
    ensures y == 1 */ 
void t2() { y = t[x++]; }

/*@ requires x == 0 && t[1] == 1 
    ensures y == 1 */ 
void t3() { y = t[++x]; }

/*@ requires x == 2 && t[2] == 3 
    ensures x == 3 && t[2] == 5 */ 
void t4() { t[x] += x++; } 

#if 0
/* evaluation order */

/*@ requires x == 2 
    ensures y == 4 */ 
void e1() { y = x + x++; }

/*@ requires x == 2 
    ensures y == 5 */ 
void e2() { y = x + ++x; }

/*@ requires x == 2 
    ensures y == 5 */ 
void e3() { y = x++ + x; }

/*@ requires x == 2 
    ensures y == 6 */ 
void e4() { y = ++x + x; }

/*@ requires x == 2 
    ensures y == 6 */ 
void e5() { y = ++x + x++; }

#endif


why-2.34/bench/c/good/selection.c0000644000175000017500000000731112311670312015201 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Insertion sort */

#include "sorting.h"

/*@ requires \valid(a+i) && \valid(a+j)
  @ assigns  a[i], a[j]
  @ ensures  Swap(contents(a), \old(contents(a)), i, j)
  @*/
void swap(int* a, unsigned int i, unsigned int j) {
  int tmp = a[i];
  a[i] = a[j];
  a[j] = tmp;
}

/*@ requires n >= 0 && \valid_range(a, 0, n-1) 
  @ assigns  a[0..n-1]
  @ ensures  Sorted(a,0,n-1) && Permut(contents(a), \old(contents(a)), 0, n-1)
  @*/
void selection(int a[], unsigned int n) {
  unsigned int i, j, min;
  if (n <= 1) return;
  /*@ // a[0..i-1] is already sorted 
    @ invariant 
    @   0 <= i <= n-1 &&
    @   Sorted(a, 0, i-1) && 
    @   Permut(contents(a), \at(contents(a), init), 0, n-1) &&
    @   \forall integer k; \forall integer l; 
    @      0 <= k < i => i <= l < n => a[k] <= a[l]
    @ loop_assigns
    @   a[0..n-1]
    @ variant 
    @   n - i 
    @*/
  for (i = 0; i < n-1; i++) {
    /* we look for the minimum of a[i..n-1] */
    min = i; 
    /*@ invariant 
      @   i+1 <= j <= n && 
      @   i <= min < n &&
      @   \forall int k; i <= k < j => a[min] <= a[k]
      @ variant 
      @   n - j 
      @*/
    for (j = i + 1; j < n; j++) {
      if (a[j] < a[min]) min = j;
    }
    /* we swap a[i] and a[min] */
    swap(a,min,i);
  }
}


/* test 
int main() {
  int i;
  int t[10] = { 3,5,1,0,6,8,4,2,9,7 };
  selection(t, 10);
  for (i = 0; i < 10; i++) printf("%d ", t[i]);
}
*/

/*
Local Variables: 
compile-command: "make selection.gui"
End: 
*/
why-2.34/bench/c/good/pointer.c0000644000175000017500000000607212311670312014677 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* C tests with pointers */

/*@ requires \valid(x)
  @ assigns *x
  @ ensures *x == 1 && \result == 0 */
int f(int *x) {
  *x = 0;
  return (*x)++;
} 

/*@ requires \valid(x)
  @ ensures *x == 1 && \result == 1 */
int f2(int *x) {
  *x = 0;
  return ++(*x);
} 

int* r;


/*@ requires \valid(r)
  @ ensures *r == 1 */
int g() { 
  return f(r); 
}

/*@ ensures *r == 1 */
int g2() { 
  r = (int*)malloc(sizeof(int));
  return f(r); 
}

/*@ ensures \result == 1 */
int h() { int z; z = 0; return f(&z) + z; }


int t[5];

//@ requires \valid_index(t,2) ensures \result == 1 
int array1() {
  int * p;
  p = &t[2];
  return *p++ = 1;
}

/* pointers and structures */

struct S { int x; int y; } s;

//@ requires \valid(s)  ensures \result >= 1
int struct1(int n) { 
  int * p = &s.x;
  *p = 1;
  s.y = 2;
  return *p; 
}
why-2.34/bench/c/good/see.c0000644000175000017500000000500512311670312013766 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Side effect in expressions (Bart Jacobs' tricky example) */

int b;
int b1; 
int b2;

/*@ assigns b 
  @ ensures \result == b && b == 1 - \old(b) */
int f() {
  b = 1 - b;
  return b;
}

/*@ ensures b1 == 1 */
void k() {
  b = 1;
  b1 = f() + f();
}

why-2.34/bench/c/good/skip_lists.c0000644000175000017500000001146712311670312015407 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Skip lists. */

#if 0
#include 
#else
void* malloc(int);
float drand48();
#endif

#define MaxNbLevels 16
#define MaxLevel 15

typedef struct node_struct *node;

struct node_struct {
  int elt;
  node forward[];
};

typedef struct list_struct {
  int level;
  node header;
} *list;

node NIL;

/*@ assigns \nothing
  @ ensures \valid(\result) && \block_length(\result->forward) == lvl */
node make_node(int lvl) {
  return (node)malloc(sizeof(struct node_struct) + lvl * sizeof(node));
}

/*@ ensures \valid(NIL) && \block_length(NIL->forward) == MaxNbLevels */
void init() {
  NIL = make_node(MaxNbLevels);
  NIL->elt = 0x7fffffff;
}

//@ type int_list
/*@ logic int_list nil() */
/*@ logic int_list cons(int x, int_list l) */
/*@ predicate mem(int x, int_list l) */

/*@ predicate elements(list l, int_list il) 
      reads l->header,l->header->forward[..] */

/*@ ensures \valid(\result) && elements(\result,nil()) */
list empty() {
  list l;
  int i;
  l = (list)malloc(sizeof(struct list_struct));
  l->level = 0;
  l->header = make_node(MaxNbLevels);
  for (i = 0; i < MaxNbLevels; i++)
    l->header->forward[i] = NIL;
  return l;
}

/*@ assigns \nothing ensures 0.0 <= \result <= 1.0 */
float rand01();

/*@ assigns \nothing ensures 1 <= \result <= MaxNbLevels */
int random_level() {
  static float prob = 0.25;
  int lvl = 1;
  while (rand01() < prob && lvl < MaxNbLevels) 
    lvl++;
  return lvl;
}

/*@ requires \valid(l) 
  @  // ensures \result == 0 
  @*/
char search(list l, int v) {
  node p = l->header;
  node q;
  int k = l->level;
  do {
    while (q = p->forward[k], q->elt < v) p = q;
  } while (--k >= 0);
  if (p->elt != v) return 0;
  return 1;
}

/*@ requires \valid(l) 
  @ // ensures ???? 
  @*/
void insert(list l, int v) {
  node update[MaxNbLevels];
  node p = l->header;
  node q;
  int k = l->level;
  do {
    while (q = p->forward[k], q->elt < v) p = q;
    update[k] = p;
  } while (--k >= 0);
  if (p->elt == v) return;
  k = random_level();
  if (k > l->level) {
    k = ++l->level;
    update[k] = l->header;
  }
  q = make_node(k);
  q->elt = v;
  do {
    p = update[k];
    q->forward[k] = p->forward[k];
    p->forward[k] = q;
  } while (--k >= 0);
}

/* test */
#if 0
#include 

void print(list l) {
  node x = l->header->forward[0];
  while (x != NIL) {
    printf("%d :: ", x->elt);
    x = x->forward[0];
  }
  printf("nil\n");
}

float rand01() { return drand48(); }

int main() {
  list l;

  init ();
  l = empty();
  print(l);
  insert(l, 1);
  print(l);
  insert(l, 7);
  print(l);
  insert(l, 3);
  print(l);
  return 0;
}

#endif

why-2.34/bench/c/good/string.c0000644000175000017500000000620012311670312014516 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ predicate is_string(char *s) { 
      \exists int n; \valid_range(s,0,n) && s[n] == 0 
    } */

/*@ logic int length(char *s) reads s[..] */

/*@ axiom length_non_negative :
      \forall char *s; is_string(s) => 0 <= length(s) */

/*@ axiom length_not_zero :
      \forall char *s; is_string(s) => 
      \forall int i; 0 <= i < length(s) => s[i] != 0 */

/*@ axiom length_zero :
      \forall char *s; is_string(s) => s[length(s)] == 0 */

/*@ axiom is_string_valid :
      \forall char *s; is_string(s) =>
      \forall int i; 0 <= i <= length(s) => \valid(s+i) */

/*@ requires is_string(s)
    ensures  \valid(s+\result) && s[\result] == 0 
             // && \forall int i; 0 <= i < \result => s[i] != 0 
 */
int strlen(char * s) {
  int len = 0;
  /*@ invariant \valid(s + len) && len <= length(s)
      variant length(s) - len */
  while (s[len] != 0) len++;
  return len;
}

why-2.34/bench/c/good/minusminus.c0000644000175000017500000000444212311670312015425 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

void f(char *p) {
  p--;
}
why-2.34/bench/c/good/ifs.c0000644000175000017500000000554212311670312014001 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct {
	int Pn;
	int CPRE_Pn;
	int Nivpn;
	int CPRE_Nivpn;
	int CPRE_VC[4];
	int VC[4];
	int * Cpt[4];
	int Param;
	int Param4_Pn;
	int V;
	} MaStruct;
int Ch_Pn[4];
int SPMEP[4];

/*@ requires \valid(Parametre) && \valid_range(Pn_Bac, 0, 4)
  @*/
void V4A (MaStruct *Parametre,int Val_Boitier [ 4 ],int Pn_Bac [ 4 ],MaStruct *Parametre_Ref)
{
  Parametre->VC[0] = ! ( Ch_Pn[0] || Pn_Bac[0] || SPMEP[0] );
  Parametre->VC[1] = ! ( Ch_Pn[1] || Pn_Bac[1] || SPMEP[1] );
  Parametre->VC[2] = ! ( Ch_Pn[2] || Pn_Bac[2] || SPMEP[2] );
  Parametre->VC[3] = ! ( Parametre->Param4_Pn || Pn_Bac[3]);
}
why-2.34/bench/c/good/consts.c0000644000175000017500000000466712311670312014540 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ ensures \result == 18 */
int f1(void) {
  return 010+0x0A;
}

int f2(void){
  int i = 0xFFFF0000;
  return i;
}

//@ ensures \result == 0.1f 
float f3() {
  return 0.1f;
}
why-2.34/bench/c/good/rec2.c0000644000175000017500000000467512311670312014061 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* C recursive function */

/*@ requires x >= 0 
  @ assigns \nothing 
  @ // variant x 
  @ ensures \result == 0 
  @*/ 
int f(int x){
  if (x == 0) return 0;
  return f(x - 1);
}

why-2.34/bench/c/good/passing.c0000644000175000017500000000530212311670312014656 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*

C test file

*/

/*@ requires \valid(x) assigns *x ensures *x == 0 */
void g(int* x) { *x = 0; }

int * r;

/*@ requires \valid(r) ensures \result == 0 */
int g2() { g(r); return *r; }

#if 0
/*@ ensures \result == 0 */
int g3() { int i = 1; g(&i); return i; }
#endif

/*@ requires \valid_index(x,0)  assigns x[0]  ensures x[0] == 1 */ 
void f(int x[]) { 
  x[0] = 1;
}

int t[2];

/*@ ensures t[0] == 1 */ 
void main() {
  f(t);
} 



  
why-2.34/bench/c/good/heapsort.c0000644000175000017500000001607712311670312015052 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Heapsort */

//@ type int_array

//@ logic int access(int_array a, integer i)

//@ logic int_array update(int_array a, integer i, int v)

/*@ axiom access_update_eq : 
  @   \forall int_array a, integer i, int v; access(update(a, i, v), i) == v
  @*/

/*@ axiom access_update_neq : 
  @   \forall int_array a, integer i, integer j, int v; 
  @      i != j => access(update(a, i, v), j) == access(a, j)
  @*/

//@ logic int_array contents(int* a) reads a[..]

/*@ axiom access_contents : 
  @   \forall int* a; \forall int i; access(contents(a), i) == a[i]
  @*/

/*** permutation ************************************************************/

/*@ predicate Swap(int_array a1, int_array a2, int i, int j) {
  @   access(a1, i) == access(a2, j) &&
  @   access(a1, j) == access(a2, i) &&
  @   \forall int k; k != i => k != j => access(a1, k) == access(a2, k)
  @ }
  @*/

//@ predicate Permut(int_array a1, int_array a2, int l, int h)

/*@ axiom Permut_refl: 
  @   \forall int_array a; \forall int l, int h; Permut(a, a, l, h)
  @*/

/*@ axiom Permut_sym: 
  @   \forall int_array a1, int_array a2, int l, int h; 
  @     Permut(a1, a2, l, h) => Permut(a2, a1, l, h)
  @*/

/*@ axiom Permut_trans: 
  @   \forall int_array a1, int_array a2, int_array a3, int l, int h; 
  @     Permut(a1, a2, l, h) => Permut(a2, a3, l, h) => Permut(a1, a3, l, h)
  @*/

/*@ axiom Permut_swap: 
  @   \forall int_array a1, int_array a2, int l, int h, int i, int j; 
  @   l <= i <= h => l <= j <= h => Swap(a1, a2, i, j) => Permut(a1, a2, l, h)
  @*/

/*@ axiom Permut_extend: 
  @   \forall int_array a1, int_array a2, int l, int h, int ll, int hh; 
  @     Permut(a1, a2, l, h) => ll <= l => h <= hh => Permut(a1, a2, ll, hh)
  @*/

/*** sorted property *********************************************************/

/*@ predicate Sorted(int* a, int l, int h) {
  @   \forall int i; l <= i < h => a[i] <= a[i+1]
  @ }
  @*/

/*** heap property ***********************************************************/

/*@ predicate Hnode(int* a, int i, int h) {
  @   (2*i+1 <= h => a[i] >= a[2*i+1]) &&
  @   (2*i+2 <= h => a[i] >= a[2*i+2]) 
  @ }
  @*/

/*@ predicate H(int* a, int l, int h) {
  @   \forall int i; l <= i <= h => Hnode(a, i, h)
  @ }
  @*/

//@ axiom H_init: \forall int* a, int l, int h; l <= h < 2*l+1 => H(a, l, h)

// @ axiom H_reduce: \forall int* a, int h; 0 < h => H(a, 0, h) => H(a, 1, h-1)

/*@ axiom H_max: 
  @   \forall int* a, int h; 
  @     H(a, 0, h) => \forall int i; 0 <= i <= h => a[0] >= a[i]
  @*/

/*** arith *******************************************************************/

//@ axiom div2_1 : \forall int i; 0 <= i => 0 <= i/2 <= i

//@ axiom div2_2 : \forall int i; 0 < i => 0 <= i/2 < i

// @ axiom div2_3 : \forall int i; 0 <= i => i-1 < 2*(i/2)+1

/*@ axiom div2_4 : \forall int i, int k; 
  @   0 <= i => 0 <= k => k != (i-1)/2 => 2*k+1 != i
  @*/

/*@ axiom div2_5 : \forall int i, int k; 
  @   0 <= i => 0 <= k => k != (i-1)/2 => 2*k+2 != i
  @*/

/*****************************************************************************/

/*@ requires 
  @   0 <= low <= high && \valid_range(a, low, high) && 
  @   H(a, low+1, high)
  @ assigns  
  @   a[low..high]
  @ ensures  
  @   // Permut(contents(a), \old(update(contents(a), low, v)), low, high) && 
  @   H(a, low, high)
  @*/
void down_heap(int* a, unsigned int low, unsigned int high, int v) {
  unsigned int i = low, child;
  /*@ invariant 
    @   low <= i <= high && 
    @   // Permut(contents(a), \at(contents(a), init), low, high) &&
    @   (\forall int k; low < k <= high => Hnode(a, k, high)) &&
    @   (low < i => Hnode(a, low, high)) &&
    @   (low <= (i-1)/2 => a[(i-1)/2] >= v)
    @ loop_assigns
    @   a[low..high]
    @ variant 
    @   high - i
    @*/
  while ((child = 2*i+1) <= high) {
    if (child+1 <= high && a[child+1] >= a[child]) child++;
    if (v >= a[child]) break;
    a[i] = a[child];
    //@ assert Hnode(a, i, high)
    i = child;
  }
  a[i] = v;
}

/*@ requires 
  @   0 <= n && \valid_range(a, 0, n-1)
  @ ensures  
  @   // Permut(contents(a), \old(contents(a)), 0, n-1) && 
  @   Sorted(a, 0, n-1)
  @*/
void heapsort(int* a, unsigned int n) {
  unsigned int i;
  if (n <= 1) return;
  /*@ invariant 
    @   0 <= i < n && 
    @   // Permut(contents(a), \at(contents(a), init), 0, n-1) &&
    @   H(a, i, n-1)
    @ variant i
    @*/
  for (i = n/2; i >= 1; i--) down_heap(a, i-1, n-1, a[i-1]);
  /*@ invariant 
    @   0 <= i < n && 
    @   // Permut(contents(a), \at(contents(a), init), 0, n-1) &&
    @   H(a, 0, i) && Sorted(a, i+1, n-1) &&
    @   \forall int k1, int k2; 0 <= k1 <= i => i < k2 < n => a[k1] <= a[k2]
    @ variant i
    @*/
  for (i = n-1; i >= 1; i--) { 
    int tmp = a[i];
    a[i] = a[0];
    down_heap(a, 0, i-1, tmp); 
  }
}

/* test 
int main() {
  int i;
  int t[10] = { 3,5,1,0,6,8,4,2,9,7 };
  heapsort(t, 10);
  for (i = 0; i < 10; i++) printf("%d ", t[i]);
}
*/
why-2.34/bench/c/good/sum2.c0000644000175000017500000000635112311670312014105 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* ATTENTION ! on veut sum(t,i,j) = t[i]+...+t[j-1] */

/*@ logic int sum(int t[], int i, int j) 
  reads i,j,t,t[..] 
*/

/*@ axiom sum1 : 
      \forall int t[], int i; sum(t,i,i) == 0 */

/*@ axiom sum2 : 
      \forall int t[], int i, int j; sum(t,i,j+1) == sum(t,i,j) + t[j] */

/*@ axiom sum3 : 
      \forall int t[], int i, int j, int k; 
         i <= j && j <= k =>
          sum(t,i,k) == sum(t,i,j) + sum(t,j,k) */

/*@ requires n >= 1 && \valid_range(t,0,n-1) 
  @ ensures \result == sum(t,0,n)
*/  
int test1(int t[],int n) {
  int i,s = 0;

  /*@invariant 0 <= i <= n && s == sum(t,0,i)
    @ variant n-i
  */
  for(i=0; i < n; i++) 
  {
    s += t[i];
  }
  return s;
}


/*@ requires \valid_range(t,0,n-1)
  @ assigns t[..]
  @ ensures sum(t,0,n) == \old(sum(t,0,n))+n
  @*/
void test2(int t[],int n) {
  int i;
  //@ label L 
  /*@ invariant 0 <= i <= n && 
         sum(t,0,n) == \at(sum(t,0,n),L)+i
    @ variant n-i
    @*/
  for(i=0; i < n; i++) 
  {
    t[i] += 1;
  }
}
why-2.34/bench/c/good/invariants.c0000644000175000017500000000500412311670312015367 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

struct s {
  int x;
  int y;
} s;
/*@ invariant i: 0 <= s.x && s.x <= s.y && s.y <= 100 */

const int c[] = {12 , 14 };
/*@ invariant const_c : c[0]==12 */

/*@ requires n>=0 @*/
void f(int n) {
  int t = s.x+n;
  if (t <= s.y - 20) s.x = t + c[0] ;
}

why-2.34/bench/c/good/abs.c0000644000175000017500000000465212311670312013766 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@ ensures *p >= 0
void abs1(int *p) {
  if (*p < 0) *p = -*p;
}

/*@ requires \valid(p)
  @ ensures *p >= 0
  @*/
void abs2(int *p) {
  if (*p < 0) *p = -*p;
}
why-2.34/bench/c/good/bug.c0000644000175000017500000000616212311670312013774 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ axiom A : \forall double t[]; \forall int i; \valid(t+i) => t[i]>0.0 => t[i]>=0.0 */

typedef struct U { int t2[5]; int t2bis[5]; int *p2; } las2;
typedef struct V { int t1[5]; int t1bis[5]; int *p1; las2 * pp; } las;
las u,v,w;
las2 z;
las2 y1[5];
las2 y2[10];

/* predicate separation_intern_struct_U(las2* p) reads p->t2, p->t2bis */

/* axiom sep_U : 
  \forall las2 *p; \valid(p) => separation_intern_struct_U(p) */


/*@ requires \valid(x) */
void f(struct U *x) { x->t2[0] = 1; *u.p1 = 1; *z.p2 = 2; }

int ff(double a,double b)
{
int x;
x=(a is_unsigned_char(x.v) 
 */

/* @ predicate is_struct_S(S x) reads x.a,x.b,x.c,x.i */

/* @ axiom is_struct_S_def : 
  \forall S x ; is_struct_S(x) <=> 
       ( is_struct_A(x.a) 
       && (\forall int i; \valid(x.b+i) => is_struct_A( *(x.b+i)))
       && \valid_range(x.c,0,3) 
       && (\forall int i; 0<=i<=3 => is_struct_A(x.c[i]))
       && (\forall int i; \valid(x.s+i) => is_struct_S( *(x.s+i)))
       && is_unsigned_char(x.i))
       
 */

struct S aaa;

/*@ requires \valid(x.s) */
int f(struct S x) {
  x.s->a.v = 0;
  aaa.i = 'a';
  return x.c[1].v;
}
why-2.34/bench/c/good/zones.c0000644000175000017500000000456112311670312014356 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


typedef struct S {
  int *x;
  int *y;
} S;

S *a,*b;


int f() {
  a = b;
  return *(a->x) + *(b->y);
}
why-2.34/bench/c/good/break.c0000644000175000017500000000562512311670312014306 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* break tests */


/*@ ensures \result == 12 */
int f1()
{
  /*@ invariant \true variant 1 */ while (1) break;
  return 12;
}


/*@ ensures \result == 1 */
int f2() 
{
  int n = 10;
  
  /*@ invariant 0 <= n variant n */ 
  while (n >= 0) { 
    if (n == 0) { n++; break; }
    n--;
  }
  return n;
}
    

/*@ ensures \result == 2 */
int f3() 
{
  int n = 10;
  /*@ invariant 1 <= n variant n */
  while (n >= 0) { 
    if (n == 1) { n++; break; }
    n--;
  }
  return n;
}
    
/*@ ensures \result == 3 */
int f4(int x) 
{ 
  int i = 0;
  /*@ invariant i <= 3 variant 10 - i */
  for (i = 0; i < 10; i++) { 
    if (i == 3) break;
  }
  return i;
}

why-2.34/bench/c/good/assigns_range_right.c0000644000175000017500000000502612311670312017235 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int t[10];
int k;

/*@ requires 0 <= k < 10
  @ assigns  t[k..], k
  @ ensures  k == \old(k)
  @*/
void f() {
  int i;
  /*@ invariant k == \old(k)
    @ loop_assigns k, t[k..]
    @*/
  for (i = 0; i < 10; i++) {
    t[k] = i;
    k++;
    if (k<10) f();
    k--;
  }
}
why-2.34/bench/c/good/bresenham.c0000644000175000017500000000777312311670312015174 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/**************************************************************************/
/*                                                                        */
/* Proof of the Bresenham line drawing algorithm.                         */
/* (see examples/bresenham/ for the Why proof)                            */
/*                                                                        */
/* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  */
/* June 2008                                                              */
/*                                                                        */
/**************************************************************************/

int x2, y2;

//@ invariant first_octant : 0 <= y2 <= x2

//@ logic int abs(int x)

/*@ axiom abs_def: 
  @   \forall int x; (x >= 0 && abs(x) == x) || (x <= 0 && abs(x) == -x)
  @*/

/*@ predicate best(int x, int y) {
  @   \forall int yp; abs(x2 * y - x * y2) <= abs (x2 * yp - x * y2)
  @ } */

/*@ predicate Invariant(int x, int y, int e) {
  @   e == 2 * (x + 1) * y2 - (2 * y + 1) * x2 &&
  @   2 * (y2 - x2) <= e <= 2 * y2
  @ } */

/*@ axiom invariant_is_ok : 
  @  \forall int x, int y, int e; Invariant(x,y,e) => best(x,y)
  @*/

//@ axiom z_ring_0 : \forall int a, int b, int c; a * (b+c) == a*b + a*c
//@ axiom z_ring_1 : \forall int a, int b, int c; (b+c) * a == b*a + c*a

void bresenham() {
  int x = 0;
  int y = 0;
  int e = 2 * y2 - x2;
  /*@ invariant 0 <= x <= x2 + 1 && Invariant(x,y,e)
    @ variant x2 - x
    @*/
  for (x = 0; x <= x2; x++) {
    // plot (x,y) at this point
    //@ assert best(x,y)
    if (e < 0)
      e += 2 * y2;
    else {
      y++;
      e += 2 * (y2 - x2);
    }
  }
}

/*
Local Variables: 
compile-command: "make bresenham.gui"
End: 
*/
why-2.34/bench/c/good/enum.c0000644000175000017500000000543712311670312014167 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

enum E { A = 1 , y = A + 3 };

/*@ ensures y == 4 */
void f() { }

/*@ ensures 1 <= \result <= 4 */
int g(enum E e) { return e; }

typedef enum { BLUE, WHITE, RED } color;

/*@ requires \valid_range(t,0,9)
  @ ensures t[2] == BLUE || t[2] == WHITE || t[2] == RED 
  @*/
void h(color *t) { 
  t[2] = t[0];
}

// enum used as array index

enum I { U, V, W };

/*@ requires \valid_range(t, U, W)
  @ ensures  t[V] == 0
  @*/
void enum_as_array_index(int *t) {
  t[V] = 0;
}

/*
Local Variables: 
compile-command: "make enum.enum"
End: 
*/
why-2.34/bench/c/good/binary_search_overflows.c0000644000175000017500000000623012311670312020132 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* binary search without overflows i.e. with mean computed with
   l+(u-l)/2 instead of (l+u)/2 (see binary_search.c) */

/*@ axiom mean_1 : \forall int x, int y; x <= y => x <= x+(y-x)/2 <= y */

/*@ requires 
  @   n >= 0 && \valid_range(t,0,n-1) &&
  @   \forall int k1, int k2; 0 <= k1 <= k2 <= n-1 => t[k1] <= t[k2]
  @ ensures
  @   (\result >= 0 && t[\result] == v) ||
  @   (\result == -1 && \forall int k; 0 <= k < n => t[k] != v)
  @*/
int binary_search(int* t, int n, int v) {
  int l = 0, u = n-1;
  /*@ invariant 
    @   0 <= l && u <= n-1 
    @   && (\forall int k; 0 <= k < n => t[k] == v => l <= k <= u)
    @ variant u-l 
    @*/
  while (l <= u ) {
    int m = l + (u-l) / 2;
    //@ assert l <= m <= u
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else return m;
  }
  return -1;
}

/*
Local Variables: 
compile-command: "make binary_search_overflows.overflows"
End: 
*/
why-2.34/bench/c/good/ghost.c0000644000175000017500000000554012311670312014342 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


int x;

/*@ ghost int pre_x = x */

/*@ ensures pre_x == \old(x) */
int f() {
  /*@ set pre_x = x */
  return x++;
}

/******** ghost arrays *******/

/*@ ghost int t[] */

int u[5];

/*@ ensures u[0] == \old(u[0]) && t[0] == 3 */
void g (){
  u[1]= 3;
  /*@set t[0] = u[1]*/
}


typedef struct S {
  int a;
  int b;
} S;



/*@ghost S tab[]*/

/*@ensures tab[0].a == 1*/
void h (){
  struct S a ;
  a.a = 1;
  /*@set tab[0] = a*/
}

/*@ ghost S s */


/*@ ensures s.a == 1*/
void i (){
  struct S a ;
  a.a = 1;
  /*@set s = a*/
}




/*
Local Variables: 
compile-command: "make ghost.gui"
End: 
*/
why-2.34/bench/c/good/labels.c0000644000175000017500000000537312311670312014464 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


/*@ ensures \result == 0
  @*/
int f1() {
  int x=0;
  goto l1;
  x=1;
 l1: return x;
}

int f2() {
  goto l1;
 l2: goto l3;
 l1: goto l2;
 l3: return 0;
}

int f3(int x) {
  if (x==0) { 
    goto l2; 
    l1 : x = 1;  
  } else {
    goto l1;
    l2 : x = 2;
  }
  return x;
}

  
int f4() {
  int x;
  //@ label L
  /*@ invariant x <= \at(x,L)
    @ variant x
    @*/
  while(x > 0) x--;
}

int f5() {
  int x;
 L:
  /* TODO @ invariant x <= \at(x,L)
    @ variant x
    @*/
  while(x > 0) x--;
}
why-2.34/bench/c/good/alias.c0000644000175000017500000000466212311670312014313 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ requires \valid(x) && \valid(y) 
  @ ensures \result == 0
  @*/
int f(int *x, int *y) {
  *x = 0;
  *y = 1;
  return *x;
}


int  p[1];

int g() {
  return f(p,p);
}

why-2.34/bench/c/good/goto.c0000644000175000017500000000530012311670312014160 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


/*@ ensures \result == 0
  @*/
int f1() {
  int x=0;
  goto l1;
  x=1;
 l1: return x;
}


/*@ ensures x == 0 => \result == 0
  @*/
int f2(int x) {
  if (x==0) goto l1;
  x=1;
 l1: return x;
}


/*@ ensures x == 9 <=> \result == 10
  @*/
int f3(int x) {
  if (x==0) goto l1;
  x++;
  if (x==10) goto l1;
  x=1;
 l1: return x;
}

  
/*@ ensures x == 0 => \result == 0
  @*/
int f4(int x) {
  if (x==0) goto l1;
 l2:  x++;
 l1: return x;
}
  
why-2.34/bench/c/good/alloca.c0000644000175000017500000000565412311670312014457 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


/*@ ensures \result == 3 */
int f() {
  int t[3] = {1,2,3};
  return t[2];
}

//@ ensures \result == 3
int g() {
  int t[] = {1,2,3};
  return t[2];
}

int u[4];

/*@ requires u[2] == 12
  @ ensures  \result == 12 */
int h() {
  int t[4] = {1,2,3,4};
  return u[2];
}

//@ ensures \result == 3
int two_local_arrays() {
  int t[4] = {1,2,3,4};
  int u[5] = {0,0,t[2],0};
  return u[2];
}

//@ ensures \result == 3
int two_local_arrays_not_alias() {
  int t[5];
  int v[6];
  t[4] = 3;
  v[4] = 1;
  return t[4];
}

struct S { int a; int b[4]; struct S *next; };

/*
//@ ensures \result == 3
int local_struct() {
  struct S s = { 1, {1,2,3,4}, (void*)0 };
  return s.b[2];
}
*/
why-2.34/bench/c/good/ghost2.c0000644000175000017500000000536512311670312014431 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int v; 
/*@ ghost int pre_v */ 
/*@ ghost int pre2_v */ 

/*@ 
assigns v 
ensures v==-\old(v) 
*/ 
void g(){ v = -v; } 


/*@ 
assigns v,pre_v,pre2_v 
*/ 
void f() 
{ 
  int n; 
  
  n=100; 
  /*@ set pre2_v = 5 */ 
  /*@ set pre_v = -5 */ 
  v=5; 
  
  
  /*@ 
    invariant 0<=n<=100 && (pre2_v > pre_v => pre_v < v) && (pre_v == -v) 
    loop_assigns v,pre_v,pre2_v 
    variant n 
  */ 
  while(n--) 
    { 
      /*@ set pre2_v = pre_v */ 
      /*@ set pre_v = v */ 
      g(); 
    } 
}
why-2.34/bench/c/good/division.c0000644000175000017500000000525612311670312015046 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@ axiom distr_right: \forall int x, int y, int z; x*(y+z) == (x*y)+(x*z)
//@ axiom distr_left: \forall int x, int y, int z; (x+y)*z == (x*z)+(y*z)

/*@ requires x >= 0 && y > 0
  @ ensures  \exists int r; x == \result * y + r && 0 <= r < y
  @*/
int division(int x, int y) {
  int i = 0, j = x;
  /*@ invariant x == i * y + j && 0 <= j
    @ variant   j
    @*/
  while (j >= y) {
    i++;
    j -= y;
  }
  return i;
}

why-2.34/bench/c/good/heapsort_swap.c0000644000175000017500000001207312311670312016074 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Heapsort */

#include "sorting.h"

/*** heap property ***********************************************************/

/*@ predicate Hnode(int* a, int i, int h) {
  @   (2*i+1 <= h => a[i] >= a[2*i+1]) &&
  @   (2*i+2 <= h => a[i] >= a[2*i+2]) 
  @ }
  @*/

/*@ predicate H(int* a, int l, int h) {
  @   \forall int i; l <= i <= h => Hnode(a, i, h)
  @ }
  @*/

//@ axiom H_init: \forall int* a, int l, int h; l <= h < 2*l+1 => H(a, l, h)

// @ axiom H_reduce: \forall int* a, int h; 0 < h => H(a, 0, h) => H(a, 1, h-1)

/*@ axiom H_max: 
  @   \forall int* a, int h; 
  @     H(a, 0, h) => \forall int i; 0 <= i <= h => a[0] >= a[i]
  @*/

/*** arith *******************************************************************/

//@ axiom div2_1 : \forall int i; 0 <= i => 0 <= i/2 <= i

//@ axiom div2_2 : \forall int i; 0 < i => 0 <= i/2 < i

//@ axiom div2_3 : \forall int i; 0 <= i => i-1 < 2*(i/2)+1

/*****************************************************************************/

/*@ requires \valid(a+i) && \valid(a+j)
  @ assigns  a[i], a[j]
  @ ensures  Swap(contents(a), \old(contents(a)), i, j)
  @*/
void swap(int* a, int i, int j) {
  int tmp = a[i];
  a[i] = a[j];
  a[j] = tmp;
}

/*@ requires 
  @   0 <= low <= high && \valid_range(a, low, high) && H(a, low+1, high)
  @ assigns  
  @   a[low..high]
  @ ensures  
  @   Permut(contents(a), \old(contents(a)), low, high) && H(a, low, high)
  @*/
void sift_down(int* a, unsigned int low, unsigned int high) {
  unsigned int i = low, child;
  /*@ invariant 
    @   low <= i <= high && 
    @   Permut(contents(a), \at(contents(a), init), low, high) &&
    @   (\forall int k; low <= k <= high => k != i => Hnode(a, k, high)) &&
    @   ((low < i && low <= (i-1)/2) => 
    @      ((2*i+1 <= high => a[(i-1)/2] >= a[2*i+1]) &&
    @       (2*i+2 <= high => a[(i-1)/2] >= a[2*i+2])))
    @ loop_assigns
    @   a[low..high]
    @ variant 
    @   high - i
    @*/
  while ((child = 2*i+1) <= high) {
    if (child+1 <= high && a[child+1] >= a[child]) child++;
    if (a[i] >= a[child]) break;
    swap(a, i, child);
    i = child;
  }
}

/*@ requires 
  @   0 <= n && \valid_range(a, 0, n-1)
  @ ensures  
  @   Permut(contents(a), \old(contents(a)), 0, n-1) && Sorted(a, 0, n-1)
  @*/
void heapsort(int* a, unsigned int n) {
  unsigned int i;
  if (n <= 1) return;
  /*@ invariant 
    @   0 <= i < n && Permut(contents(a), \at(contents(a), init), 0, n-1) &&
    @   H(a, i, n-1)
    @ variant i
    @*/
  for (i = n/2; i >= 1; i--) sift_down(a, i-1, n-1);
  /*@ invariant 
    @   0 <= i < n && Permut(contents(a), \at(contents(a), init), 0, n-1) &&
    @   H(a, 0, i) && Sorted(a, i+1, n-1) &&
    @   \forall int k1, int k2; 0 <= k1 <= i => i < k2 < n => a[k1] <= a[k2]
    @ variant i
    @*/
  for (i = n-1; i >= 1; i--) { 
    swap(a, 0, i); 
    //@ assert H(a, 1, i-1)
    sift_down(a, 0, i-1); 
  }
}
why-2.34/bench/c/good/fact.c0000644000175000017500000000457212311670312014137 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ requires n >= 0 
  @ // variant n
  @*/
int fact(int n) { 
  if (n == 0) return 1; 
  return n * fact(n-1); 
}
why-2.34/bench/c/good/incr.c0000644000175000017500000000454312311670312014153 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int b;
int t[10];

/*@ requires b == 0 
  @ ensures b == 1
  @*/
void f() {
  t[b++] = 1;
}
why-2.34/bench/c/good/matrix.c0000644000175000017500000001054712311670312014525 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* matrices */

/* initialize a matrix a[n][m] with a[i][j] = i+j */

/*@ predicate separated(int *a1, int n1, int *a2, int n2) {
  @   \base_addr(a1) != \base_addr(a2) ||
  @   a1 + n1 <= a2 ||
  @   a2 + n2 <= a1
  @ }
  @*/

/*@ predicate is_matrix(int **a, int n, int m) { 
  @   \valid_range(a, 0, n-1) &&
  @   (\forall int i; 0 <= i < n => \valid_range(a[i], 0, m-1)) &&
  @   (\forall int i, int j; 0 <= i < n => 0 <= j < n => i != j =>
  @      separated(a[i], m, a[j], m))
  @ }
  @*/

/*@ requires 0 <= n && 0 <= m && is_matrix(a,n,m)
  @ ensures  \forall int i, int j; 0 <= i < n => 0 <= j < m => a[i][j] == i+j
  @*/
void initialize(int **a, int n, int m) {
  int i, j;
  /*@ invariant 
    @   0 <= i <= n &&
    @   \forall int i0; 0 <= i0 < i => 
    @     \forall int j; 0 <= j < m => a[i0][j] == i0+j
    @ loop_assigns a[..][..]
    @*/
  for (i = 0; i < n; i++)
    /*@ invariant 
      @  0 <= j <= m &&
      @  \forall int i0, int j0; 
      @    ((0 <= i0 < i && 0 <= j0 < m) || (i0 == i && 0 <= j0 < j)) => 
      @    a[i0][j0] == i0+j0
      @ loop_assigns a[i][..]
      @*/
    for (j = 0; j < m; j++)
      a[i][j] = i+j;
}

/*@ requires 0 <= n && 0 <= m && is_matrix(a,n,m)
  @ ensures  \forall int i, int j; 0 <= i < n => 0 <= j < m => a[i][j] == i+j
  @*/
void initialize2(int **a, int n, int m) {
  int i, j;
  /*@ invariant 
    @   0 <= j <= m &&
    @   \forall int j0; 0 <= j0 < j => 
    @     \forall int i; 0 <= i < n => a[i][j0] == i+j0
    @ // loop_assigns a[..][..]
    @*/
  for (j = 0; j < m; j++)
    /*@ invariant 
      @  0 <= i <= n &&
      @  \forall int i0, int j0; 
      @    ((0 <= j0 < j && 0 <= i0 < n) || (j0 == j && 0 <= i0 < i)) => 
      @    a[i0][j0] == i0+j0
      @ // loop_assigns a[..][j]
      @*/
    for (i = 0; i < n; i++)
      a[i][j] = i+j;
}


/*@ requires 
  @   0 <= n && 0 <= m
  @ ensures  
  @   is_matrix(\result, n, m) &&
  @   \fresh(\result) &&
  @   \forall int i; 0 <= i < n => \fresh(\result[i])
  @*/
int ** alloc_matrix(int n, int m);
  
//@ requires 0 <= n && 0 <= m
void main(int n, int m) {
  int ** a = alloc_matrix(n, m);
  initialize(a, n, m);
}
why-2.34/bench/c/good/sizeof.c0000644000175000017500000000477312311670312014524 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ ensures \result == 4 */
int f1() { return sizeof(long int); }

/*@ ensures \result == 34 */
int f2() { return sizeof(short[17]); }

typedef struct { int x :16; int y :16; } tau;
/*@ ensures \result == 4 */
int f3() { return sizeof(tau); }

why-2.34/bench/c/good/insertion.c0000644000175000017500000000665312311670312015236 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Insertion sort */

#include "sorting.h"

/*@ requires 
  @   0 <= n && \valid_range(a, 0, n-1)
  @ ensures  
  @   Permut(contents(a), \old(contents(a)), 0, n-1) && 
  @   Sorted(a, 0, n-1)
  @*/
void insertion_sort(int* a, unsigned int n) {
  unsigned int i;
  if (n <= 1) return;
  /*@ invariant
    @   0 < i <= n &&
    @   Permut(contents(a), \at(contents(a), init), 0, n-1) &&
    @   Sorted(a, 0, i-1) 
    @ loop_assigns
    @   a[0..n-1]
    @ variant
    @   n - i
    @*/
  for (i = 1; i < n; i++) {
    int v = a[i];
    unsigned int j = i;
    /*@ invariant
      @   0 <= j <= i &&
      @   Permut(update(contents(a), j, v), \at(contents(a), init), 0, n-1) &&
      @   Sorted(a, 0, j-1) &&
      @   Sorted(a, j+1, i) &&
      @   (j < i => v < a[j+1]) &&
      @   (0 < j < i => a[j-1] <= a[j+1])
      @ loop_assigns
      @   a[0..i]
      @ variant
      @   j
      @*/
    while (j > 0 && a[j-1] > v) { a[j] = a[j-1]; j--; }
    a[j] = v;
  }
}

/* test 
int main() {
  int i;
  int t[10] = { 3,5,1,0,6,8,4,2,9,7 };
  insertion_sort(t, 10);
  for (i = 0; i < 10; i++) printf("%d ", t[i]);
}
*/

/*
Local Variables: 
compile-command: "make insertion.gui"
End: 
*/
why-2.34/bench/c/good/ref.c0000644000175000017500000000470512311670312013774 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/



/*@ requires \valid(p)
  @ assigns *p
  @ ensures *p == 1
  @*/
void g(int *p) {
  *p = 1;
}

/*@ assigns \nothing
  @ ensures \result == 1
  @*/
int f() {
  int i;
  g(&i);
  return i;
}
why-2.34/bench/c/good/dowhile.c0000644000175000017500000000475312311670312014656 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*

C test file

*/

int x;
int i;

/*@ requires x >= 0  ensures x == 10 */ 
void main() 
{
  x = 0;
  i = 10;
  /*@ invariant x == 10 - i && 10 >= i > 0 variant i */
  do {
    x = x + 1;
    i = i - 1;
  } while (i > 0);
} 


why-2.34/bench/c/good/modulo.c0000644000175000017500000000445212311670312014516 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* tests for modulo arithmetic */

why-2.34/bench/c/good/binary_search.c0000644000175000017500000000635312311670312016032 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ axiom mean_1 : \forall int x, int y; x <= y => x <= (x+y)/2 <= y */

/* binary_search(t,n,v) search for element v in array t 
   between index 0 and n-1
   array t is assumed sorted in increasing order
   returns an index i between 0 and n-1 where t[i] equals v, 
   or -1 if no element of t is equal to v  
 */

/*@ requires 
  @   n >= 0 && \valid_range(t,0,n-1) &&
  @   \forall int k1, int k2; 0 <= k1 <= k2 <= n-1 => t[k1] <= t[k2]
  @ ensures
  @   (\result >= 0 && t[\result] == v) ||
  @   (\result == -1 && \forall int k; 0 <= k < n => t[k] != v)
  @*/
int binary_search(int* t, int n, int v) {
  int l = 0, u = n-1;
  /*@ invariant 
    @   0 <= l && u <= n-1 && 
    @   \forall int k; 0 <= k < n => t[k] == v => l <= k <= u
    @ variant u-l 
    @*/
  while (l <= u) {
    int m = (l + u) / 2;
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else return m; 
  }
  return -1;
}
    
/*
Local Variables: 
compile-command: "make binary_search.overflows"
End: 
*/
why-2.34/bench/c/good/return.c0000644000175000017500000000460612311670312014537 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* return tests */

int * p;
int * q;

int* f() {
  int x;
  if (x) return p;
  return p;
}

char* cast_null() {
  return 0;
}
why-2.34/bench/c/good/rc4.c0000644000175000017500000001145712311670312013712 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct rc4_key_st
{
  unsigned char x,y;
  unsigned char data[256];
} RC4_KEY;

   
/*@ axiom valid_range_ax1a:
  @	\forall unsigned long k; k>=0 => 0<=(k>>3L)<=k
  @*/

/*@ axiom valid_range_ax1b:
  @	\forall unsigned long k; k>=0 => 0<=((k>>3L)*8)<=k
  @*/

/*@ axiom valid_range_ax1c:
  @	\forall unsigned long k; k>=0 => 0<= (k&0x07) <= 7
  @*/

/*@ axiom valid_range_ax1d:
  @	\forall unsigned long k; k>=0 => ((k>>3L)*8 + (k&0x07) == k)
  @*/
   
/*@ axiom valid_range_ax2:
  @	\forall unsigned char k; 0 <= (k&0xff) < 256
  @*/	
   
/*@ axiom valid_range_ax4:
  @	\forall unsigned char inp; \forall unsigned char k; 
  @	\forall unsigned char out; out == (k ^ inp) => 0<=out<256
  @*/
     
  
/*@ requires len >= 0 && 
  @ 	\valid(key) && \valid_range(d,0,255) &&
  @		\valid_range(indata,0,len-1) &&  \valid_range(outdata,0,len-1)	
  @*/
void RC4(RC4_KEY *key,register unsigned char *d, unsigned long len, const unsigned char *indata,
	 unsigned char *outdata)
{
  //register unsigned char *d;
  register unsigned char x,y,tx,ty;
  int i;

  x=key->x;
  y=key->y;
  //d=key->data;
         
#define LOOP(in,out)				\
  x=((x+1)&0xff);				\
  tx=d[x];					\
  y=(tx+y)&0xff;				\
  d[x]=ty=d[y];					\
  d[y]=tx;					\
  (out) = d[(tx+ty)&0xff]^ (in);

#define RC4_LOOP(a,b,i)	LOOP(a[i],b[i])

  i=(int)(len>>3L);
  if (i)
    {
      /*@ invariant i>0 && i<=len && 
	@   \valid_range(indata,0,7) && \valid_range(outdata,0,7) &&
	@   indata == \old(indata)+((len>>3L)-i)*8 && 
	@   outdata == \old(outdata)+((len>>3L)-i)*8 
	@ variant i
	@*/	
      while(1) //for (;;)
	{
	  RC4_LOOP(indata,outdata,0);  
	  RC4_LOOP(indata,outdata,1); 
	  RC4_LOOP(indata,outdata,2);
	  RC4_LOOP(indata,outdata,3);
	  RC4_LOOP(indata,outdata,4);
	  RC4_LOOP(indata,outdata,5);
	  RC4_LOOP(indata,outdata,6);
	  RC4_LOOP(indata,outdata,7); 
	  indata+=8;
	  outdata+=8;
	  if (--i == 0) break;
	}
    }
  /*@ assert i==0 &&
    @   indata == \old(indata)+((len>>3L)*8) && 
    @   outdata == \old(outdata)+((len>>3L)*8)
    @*/
		
  i=(int)len&0x07;
  /*@ assert i== (len&0x07) && \valid_range(indata,0,i-1) &&
    @				 \valid_range(outdata,0,i-1)
    @*/
		
  if(i>0){ RC4_LOOP(indata,outdata,0);
    if (--i > 0){ RC4_LOOP(indata,outdata,1);
      if (--i > 0) { RC4_LOOP(indata,outdata,2); 
	if (--i > 0) { RC4_LOOP(indata,outdata,3); 
	  if (--i > 0) { RC4_LOOP(indata,outdata,4); 
	    if (--i > 0) { RC4_LOOP(indata,outdata,5); 
	      if (--i > 0) { RC4_LOOP(indata,outdata,6);}}}}}}
  }	
		
  key->x=x;
  key->y=y;
}


    
/*
  Local Variables: 
  compile-command: "make rc4.gui"
  End: 
*/
why-2.34/bench/c/good/calloc.c0000644000175000017500000000535012311670312014452 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


/*@ requires 
  @   n >= 1 
  @ ensures 
  @   \valid_range(\result,0,n-1) && 
  @   \forall int i; 0<=i \valid(\result[i]) */
int** test(int n) { 
  int** t = (int**)calloc(n,sizeof(int*));
  int i;
  /*@ invariant 
    @   0 <= i <= n && \forall int k; 0<=k \valid(t[k]) */
  for (i = 0; i < n; i++)
    t[i] = (int*)calloc(1,sizeof(int));
  return t;
}

//@ ensures \result == 0
int main() {
  int** t = test(10);
  t[3][0] = 0;
  // t[4][0] = 1;
  return t[3][0];
}
why-2.34/bench/c/good/lexico.c0000644000175000017500000000574112311670312014504 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@ ensures \result >= 0
int any();

//@ type intpair // = (int,int)

//@ logic intpair pair(int x, int y) 

//@ predicate lexico(intpair p1, intpair p2)

/* @ predicate lexico(intpair p1, intpair p2) = 
   @ \let (px1,py1) = p1 in ...
   @*/

/*@ axiom lexico_1 : \forall int x1, int x2, int y1, int y2; 
  @    x1 < y1 => lexico(pair(x1,x2),pair(y1,y2))
  @*/

/*@ axiom lexico_2 : \forall int x1, int x2, int y1, int y2; 
  @    x1 == y1 && x2 < y2 => lexico(pair(x1,x2),pair(y1,y2))
  @*/


//@ requires x >= 0 && y >= 0
int f(int x,int y) {

  /*@ invariant x >= 0 && y >= 0
    @ variant pair(x,y) for lexico
    @*/
  while (x > 0 && y > 0) {
    
    if (any()) {
      x--; y = any();
    }
    else y--;
    
  }

}
  
why-2.34/bench/c/good/dassault_2.c0000644000175000017500000000470212311670312015256 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

void g( 
  int  Def_Rv 
  );


typedef struct SCONT 
{ 
  int        Def_Rv; 
} SCONT; 

/*@ requires Def_Rv == 1*/
void g( 
  int Def_Rv
); 

void g (int Def_Rv){
  Def_Rv = 1;
}







why-2.34/bench/c/good/assigns2.c0000644000175000017500000000453212311670312014747 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int x;

void f() {
  x = 2;
}

void g() {
  x = 1;
  f();
  /*@ assert x == 1 */
}
why-2.34/bench/c/good/blit.c0000644000175000017500000000640612311670312014152 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ requires \valid_range(t, ofs1, ofs1+len-1) 
  @       && \valid_range(t, ofs2, ofs2+len-1)
  @       && 0 <= len
  @ ensures  \forall int i; 0 <= i < len => t[ofs2 + i] == \old(t[ofs1 + i])
  @*/
void blit(char *t, int ofs1, int ofs2, int len) {
  if (ofs1 == ofs2) return;
  if (ofs1 < ofs2)
    /*@ invariant 0 <= len <= \at(len, init)
      @        && \forall int i; len <= i < \at(len, init) => t[ofs2 + i] == \at(t[ofs1 + i], init)
      @ loop_assigns t[ofs2+len..ofs2+\at(len, init)-1]
      @ variant len
      @*/
    while (len-- > 0)
      t[ofs2 + len] = t[ofs1 + len];
  else 
    /*@ invariant 0 <= len <= \at(len, init)
      @        && ofs2 - \at(ofs2, init) == ofs1 - \at(ofs1, init) == \at(len, init) - len
      @        && \forall int i; 0 <= i < ofs2 - \at(ofs2, init) => 
      @                          t[\at(ofs2,init) + i] == \at(t[\at(ofs1, init) + i], init)
      @ loop_assigns t[\at(ofs2, init)..ofs2-1]
      @ variant len
      @*/
    while (len-- > 0)
      t[ofs2++] = t[ofs1++];
}
why-2.34/bench/c/good/separation.c0000644000175000017500000001027612311670312015365 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

struct s1 {
  int t[2];
  int u[3];
} s;

struct s1 ss;

int v[4];

//@ ensures \result == 1
int f() {
  ss.t[0] = 0;
  s.t[0] = 1;
  s.u[0] = 2;
  v[0] = 3;
  return s.t[0];
}

int g(){
  return v[0];
}

/*@ ensures \result == v[0] */
int g0();

struct {
  int x[1];
} tab[5];


int h(){
  return tab[0].x[0];
}

/* Dillon's example */

typedef struct { 
  int p1[5]; 
  int p2[5];
  int v1; 
  int v2;
} las; 

/*@ requires 
  @   \valid(p) 
  @ assigns p->p1[0 .. 4],p->p2[0 .. 4], p->v1, p->v2 
  @ // ensures ...
  @*/ 
void g1(las * p); 

las u1, u2; 

/*@ assigns 
  @   u1.v1,u1.v2,u1.p1[0 .. 4],u1.p2[0 .. 4], 
  @   u2.v1,u2.v2,u2.p1[0 .. 4],u2.p2[0 .. 4] 
  @ // ensures ... 
  @*/ 
void f1() { 
  g1(&u1); g1(&u2); 
}

/* Dillon's example of separation hypothesis of large size */
 
typedef struct { 
  int p1[5]; 
  int p2[5]; 
  int v1; 
  int v2; 
  int * p3; 
  int * p4; 
  int * p5; 
  int * p6; 
  int * p7; 
  int * p8; 
  int * p9; 
  int * p10;
} las2; 

/*@ requires 
  @   \valid(p)
  @ assigns p->p1[0 .. 4],p->p2[0 .. 4], p->v1, p->v2 
  @ // ensures ...
  @*/ 
void g3(las2 * p); 

las2 u3, u4; 


/* ajout : */ 
las2 w1,w2,w3,w4,w5,w6,w7,w8,w9,w10; 
las2 var1,var2,var3,var4,var5,var6,var7,var8,var9,var10; 

/*@ assigns u3.v1,u3.v2,u3.p1[0 .. 4],u3.p2[0 .. 4], 
  @   u4.v1,u4.v2,u4.p1[0 .. 4],u4.p2[0 .. 4], 
  @   w1.v1,w1.v2,w1.p1[0 .. 4],w1.p2[0 .. 4], 
  @   w2.v1,w2.v2,w2.p1[0 .. 4],w2.p2[0 .. 4], 
  @   w3.v1,w3.v2,w3.p1[0 .. 4],w3.p2[0 .. 4], 
  @   w4.v1,w4.v2,w4.p1[0 .. 4],w4.p2[0 .. 4], 
  @   w5.v1,w5.v2,w5.p1[0 .. 4],w5.p2[0 .. 4], 
  @   w6.v1,w6.v2,w6.p1[0 .. 4],w6.p2[0 .. 4], 
  @   w7.v1,w7.v2,w7.p1[0 .. 4],w7.p2[0 .. 4], 
  @   w8.v1,w8.v2,w8.p1[0 .. 4],w8.p2[0 .. 4], 
  @   w9.v1,w9.v2,w9.p1[0 .. 4],w9.p2[0 .. 4], 
  @   w10.v1,w10.v2,w10.p1[0 .. 4],w10.p2[0 .. 4] 
  @ // ensures ... 
  @*/ 
void f3() {
  g3(&u3); 
  g3(&u4); 
  g3(&w1);g3(&w2);g3(&w3);g3(&w4);g3(&w5);
  g3(&w6);g3(&w7);g3(&w8);g3(&w9);g3(&w10); 
}
why-2.34/bench/c/good/math_mod.c0000644000175000017500000000524512311670312015010 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ axiom times_0: \forall integer x; 0 * x == 0 */
/*@ axiom times_S: \forall integer d, integer x; (d+1) * x == d * x + x */

/*@ requires
  @   x >= 0 && y > 0
  @ ensures
  @   0 <= \result < y &&
  @   \exists integer d; x == d * y + \result
  @*/
int math_mod(int x, int y) {
  /*@ invariant 0 <= x && \exists integer d; \old(x) == d * y + x
    @ variant x
    @*/
  while (x >= y) x = x - y;
  return x;
}
why-2.34/bench/c/good/purse.c0000644000175000017500000000672512311670312014362 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct purse {
  int balance;
} purse;

//@ predicate purse_inv(purse *p) { \valid(p) && p->balance >= 0 }

/*@ requires purse_inv(p) && s >= 0
  @ assigns p->balance
  @ ensures purse_inv(p) && p->balance == \old(p->balance) + s 
  @*/
void credit(purse *p,int s) {
  p->balance = p->balance + s;
}



/*@ requires purse_inv(p) && 0 <= s <= p->balance
  @ assigns p->balance
  @ ensures purse_inv(p) && p->balance == \old(p->balance) - s
  @*/
void withdraw(purse *p,int s) {
  p->balance = p->balance - s;
}


/*@ requires purse_inv(p1) && purse_inv(p2) && p1 != p2
  @ assigns p1->balance, p2->balance
  @ ensures \result == 0
  @*/
int test1(purse *p1, purse *p2) {
    p1->balance = 0;
    credit(p2,100);
    return p1->balance;
}

/*@ assigns \nothing
  @ ensures \fresh(\result) && purse_inv(\result) && \result->balance == 0
  @*/
purse *new_purse() { 
  purse* p = (purse*) malloc(1 * sizeof(purse));
  p->balance = 0;
  return p;
}

/*@ ensures \result == 150
  @*/
int test2() {
  purse *p1 = new_purse();
  purse *p2 = new_purse();
  credit(p1,100);
  credit(p2,200);
  withdraw(p1,50);
  withdraw(p2,100);
  return p1->balance + p2->balance;
}


/*
void main() {
  purse *p = new_purse();
  test1(p,p);
}
*/
why-2.34/bench/c/good/band.c0000644000175000017500000000562012311670312014121 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

short ValueA;
/*@ invariant tev: 0 <= ValueA <= 10*/
short ValueB;
/*@ invariant ev: 0 <= ValueB <= 10*/
short returnValue;
/*@ invariant eev: 0 <= returnValue <= 10*/


/*@ 
  @ assigns returnValue
  @ ensures \result >= 0
  */
short test1(void)
{	
	returnValue = ValueA & ValueB;

	return returnValue;
}

/*@ 
  @ assigns returnValue
  @ ensures \result >= 0
  */
short test2(void)
{	
	returnValue = ValueA & ValueB;

	if((returnValue < 0) || (returnValue > 10))
	{
		returnValue = 0;
	}
	
	return returnValue;
}

/*@ 
  @ assigns returnValue
  @ ensures \result >= 0
  */
short test3(void)
{	
	returnValue = returnValue;

	return returnValue;
}

why-2.34/bench/c/good/separation2.c0000644000175000017500000000745112311670312015450 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct { int p1[5]; int p2[5]; int v1; int v2; int *pp1; } las;
typedef struct { int *pp2; } las2;
las u, v, w, m;
las2 u2, v2;

/*
  invariant inv1:
  \forall las x,las y;
  &x != &y =>
  \base_addr(x.p1) != \base_addr(y.pp1)
  &&  \base_addr(x.p2) != \base_addr(y.pp1)
  &&  \base_addr(x.pp1) != \base_addr(y.pp1)
*/
/*
  invariant inv2:
  \forall las x,las2 y;
  \base_addr(x.p1) != \base_addr(y.pp2)
  &&  \base_addr(x.p2) != \base_addr(y.pp2)
  &&  \base_addr(x.pp1) != \base_addr(y.pp2)
*/
/*
  invariant inv3:
  \forall las2 x,las2 y;
  &x != &y => \base_addr(x.pp2) != \base_addr(y.pp2)
*/

/*@
  requires \valid(p) && \valid(p->p1) && \valid(p->p2) && \valid(p->pp1)
  && \valid_range(p->p1,0,4) && \valid_range(p->p2,0,4)
  assigns p->p1[0 .. 5] ,p->p2[0 .. 5], p->v1, p->v2, *p->pp1 
  ensures p->p1[1] <= p->v1
*/
void g(las * p);

/*@
  requires \valid(p) && \valid(p->pp2)
  assigns *p->pp2
  ensures *p->pp2>=5
*/
void g2(las2 * p);

/*@
  requires 
  // \valid(u.pp1) && \valid(v.pp1) 
  // && \valid(w.pp1) && 
  \valid(m.pp1) 
  // && \valid(u2.pp2) && \valid(v2.pp2)
  
//
//  assigns u.v1,u.v2,u.p1[0 .. 5],u.p2[0 .. 5],*u.pp1
//  ,v.v1,v.v2,v.p1[0 .. 5],v.p2[0 .. 5],*v.pp1
//  ,w.v1,w.v2,w.p1[0 .. 5],w.p2[0 .. 5],*w.pp1
//  ,m.v1,m.v2,m.p1[0 .. 5],m.p2[0 .. 5],*m.pp1
//  ,*u2.pp2,*v2.pp2

  ensures
   (\exists int i; u.p1[i] <= u.v1) &&
   (\exists int i; v.p1[i] <= v.v1) &&
   (\exists int i; w.p1[i] <= w.v1) &&
   ( // \exists int i;
    m.p1[1] <= m.v1) 
*/
void f()
{ 
  g(&u);
  g(&v);
  g(&w);
  g(&m);
  g2(&u2); 
  g2(&v2); 
}
why-2.34/bench/c/good/extern.c0000644000175000017500000000455512311670312014530 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int x = 5;
/*@ ensures \result == 5 */
int f() {
  void *x;
  {
    extern int x;
    return x;
  }
}
why-2.34/bench/c/good/arith.c0000644000175000017500000000533712311670312014331 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*

C test file

*/

int i;
int j;

/*@ ensures i == \old(j) + k && j == 3 * \old(j) + 11 * k + 12 */
void test(int k) 
{ 
  int l = 1;
  int m = 12;
  i = j + k;
  l *= j ;
  j += l + 10 * k + i + m;
}

/* axiom to help simplify make the proof */
/*@ axiom dist1: \forall int x, int y, int z; x*(y+z) == x*y + x*z */
/*@ axiom dist2: \forall int x, int y, int z; (x+y)*z == x*z + y*z */
/*@ axiom id1: \forall int x; x*1 == x */
/*@ axiom id2: \forall int x; 1*x == x */
why-2.34/bench/c/good/pi_again.c0000644000175000017500000000513212311670312014762 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* 112 characters long and calculates pi to 2880 decimal places: 

g,o,p,i=1e4,a[10001];main(x){for(;p?g=g/x*p+a[p]*i+2*!o:
53^(printf("%.4d",o+g/i),p=i,o=g%i);a[p--]=g%x)x=p*2-1;}

*/

void printint(int);

int g,o,p,i=1e4,a[10001];

void main(x) {
  for(; p?g=g/x*p+a[p]*i+2*!o: 53^(printint(o+g/i),p=i,o=g%i); a[p--]=g%x)
    x=p*2-1;
}
why-2.34/bench/c/good/flag_checkenum.c0000755000175000017500000000701512311670312016153 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Dijkstra's dutch flag */

typedef enum { BLUE, WHITE, RED } color;

/*@ predicate isMonochrome(color t[], int i, int j, color c)
  @   { \valid_range(t,i,j) && \forall int k; i <= k && k <= j => t[k] == c } 
  @*/

/*@ requires \valid_index(t,i) && \valid_index(t,j)
  @ assigns t[i],t[j]
  @ ensures t[i] == \old(t[j]) && t[j] == \old(t[i])
  @*/
void swap(color t[], int i, int j) {
  color tmp = t[i];
  t[i] = t[j];
  t[j] = tmp;
}

/*@ requires 
  @   n >= 0 && \valid_range(t,0,n-1) 
  @ assigns t[0 .. n-1]
  @ ensures 
  @   (\exists int b, int r; 
  @            isMonochrome(t,0,b-1,BLUE) &&
  @            isMonochrome(t,b,r-1,WHITE) &&
  @            isMonochrome(t,r,n-1,RED))
  @*/
void flag(color t[], int n) {
  int b = 0;
  int i = 0;
  int r = n;
  /*@ invariant
    @   0 <= b && b <= i && i <= r && r <= n &&
    @   isMonochrome(t,0,b-1,BLUE) &&
    @   isMonochrome(t,b,i-1,WHITE) &&
    @   isMonochrome(t,r,n-1,RED)
    @ loop_assigns b,i,r,t[0 .. n-1]
    @ variant r - i
    @*/
  while (i < r) {
    switch (t[i]) {
    case BLUE:  
      swap(t, b++, i++);
      break;	    
    case WHITE: 
      i++; 
      break;
    case RED: 
      swap(t, --r, i);
      break;
    }
  }
}

/*
Local Variables: 
compile-command: "make flag_checkenum.enum"
End: 
*/
why-2.34/bench/c/good/const.c0000644000175000017500000000565112311670312014347 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

const int c = 5;

const int t[] = {1,2,3,4};

/*@ ensures \result == 8 */
int f (){
  return c+t[2];
}



struct T {
  int x;
  int y;
  int z[3];
};

const struct T x = {5,6,{1,2,3}};

/*@ ensures \result == 3*/
int g(){
  return x.z[2];
}



struct U {
  int x;
  const int y;
};

struct U y = { 1, 2 };

/*@ ensures \result == 2 */
int h() { return y.y; }


struct V {
  int t1[2];
  int t2[1];
};

struct V w = {{1, 2},{3}};


/*@ ensures \result == 1 */
int i (){
  w.t1[0] = 1;
  w.t2[0] = 2;
  return w.t1[0];
}
/*
const int N = 100;
int t2[N];

void j() { return t2[99]; }
*/

enum E { A,B,C };
const enum E e = B;

//@ ensures \result == B
enum E k() { return e; }
why-2.34/bench/c/good/insertion_safety.c0000644000175000017500000000553712311670312016611 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Insertion sort (safety only; for correctness proof, see insertion.c) */

/*@ requires 
  @   0 <= n && \valid_range(a, 0, n-1)
  @*/
void insertion_sort(int* a, unsigned int n) {
  unsigned int i;
  if (n <= 1) return;
  /*@ invariant
    @   0 < i <= n
    @ variant
    @   n - i
    @*/
  for (i = 1; i < n; i++) {
    int v = a[i];
    unsigned int j = i;
    /*@ invariant
      @   0 <= j <= i
      @ variant
      @   j
      @*/
    while (j > 0 && a[j-1] > v) { a[j] = a[j-1]; j--; }
    a[j] = v;
  }
}


/*
Local Variables: 
compile-command: "make insertion_safety.overflows"
End: 
*/
why-2.34/bench/c/good/malloc.c0000644000175000017500000000534712311670312014472 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ requires 
  @   n >= 1 
  @ ensures 
  @   \valid_range(\result,0,n-1) && 
  @   \forall int i; 0<=i \valid(\result[i]) */
int** test(int n) { 
  int** t = (int**)malloc(n * sizeof(int*));
  int i;
  /*@ invariant 
    @   0 <= i <= n && \forall int k; 0<=k \valid(t[k]) */
  for (i = 0; i < n; i++)
    t[i] = (int*)malloc(sizeof(int));
  return t;
}

//@ ensures \result == 0
int main() {
  int** t = test(10);
  t[3][0] = 0;
  // t[4][0] = 1;
  return t[3][0];
}
why-2.34/bench/c/good/gcd.c0000644000175000017500000000634012311670312013752 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ predicate divides(int x, int y) {
  @   \exists int q; y == q*x
  @ }
  @*/

/*@ axiom div_mod_property:
  @  \forall int x; \forall int y; 
  @    x >=0 && y > 0 => x == y*(x/y) + (x%y) 
  @*/

/*@ requires x >= 0 && y >= 0
  @ ensures 
  @  (divides_both::
  @    divides(\result,x) && divides(\result,y)) &&
  @  (is_greatest_divisor::
  @    \forall int z;
  @      z>0 && divides(z,x) && divides(z,y) => z>=\result) && 
  @  (bezout_property::
  @    \exists int a; \exists int b; a*x+b*y == \result)
  @*/
int gcd(int x, int y) {
  //@ ghost int a = 1
  //@ ghost int b = 0
  //@ ghost int c = 0
  //@ ghost int d = 1
  /*@ invariant 
    @    a*\old(x)+b*\old(y)==x && 
    @    c*\old(x)+d*\old(y)==y 
    @ variant y
    @*/
  while (y > 0) {
    int r = x % y;
    //@ ghost int q = x / y
    //@ ghost int ta = a
    //@ ghost int tb = b
    x = y;
    y = r;
    //@ set a = c 
    //@ set b = d
    //@ set c = ta - c * q
    //@ set d = tb - d * q
  }
  return x;
}

why-2.34/bench/c/good/all_zeros.c0000644000175000017500000000554112311670312015211 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* check that t[0..n-1] only contains 0 */

/*@ requires n >= 0 && \valid_range(t,0,n) 
    ensures \result <=> \forall int i; 0<=i t[i]==0 */
int all_zeros(int t[], int n) {
  /*@ invariant n <= \old(n) && \forall int i; n<=i<\old(n) => t[i]==0
      variant n */
  while (--n>=0 && !t[n]);
  return n < 0;
}

/*@ requires n >= 0 && \valid_range(t,0,n) 
    ensures \result <=> \forall int i; 0<=i t[i]==0 */
int all_zeros_0(int t[], int n) {
  int k;
  /*@ invariant 0 <= k <= n && \forall int i; 0<=i t[i]==0 variant n-k */
  for (k = 0; k < n; k++) if (t[k]) return 0;
  return 1;
}
why-2.34/bench/c/good/keiko1.c0000644000175000017500000000453112311670312014400 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ ensures \result > 1 @*/
int arr(){
  int m[3];
  m[1] = 2;
  return (m[1]);
}
why-2.34/bench/c/good/separation4.c0000644000175000017500000000465012311670312015450 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct S {
  int a;
  int b[5];
}
S;



S x,y;

/*@ predicate p(S a) { a.b[0] >= 0 } */

/*@ requires p(x) */
void f() {
  x.b[0] = 0;
  y.b[1] = 1;
}


why-2.34/bench/c/good/latespec.c0000644000175000017500000000472112311670312015016 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


void f(int *p) {
  *p = 0;
}

/*@ requires \valid(p) 
  @ assigns *p
  @*/
void f(int *p);


int x;
void h();

//@ assigns x
void g();

void h();

void g() { h(); }

int x = 0;

void h() {
  x = 1;
}

why-2.34/bench/c/good/assigns.c0000644000175000017500000000505712311670312014670 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ requires size >= 0 && \valid_range(p,0,size-1)
  @ assigns  p[0..size-1] 
  @*/
void erase(int *p, int size){
  /*@ invariant 
    @   0 <= size <= \old(size) && p == \old(p) + (\old(size)-size)
    @ loop_assigns p[0..size-1] 
    @ variant size
    @ 
    @*/
  while (size--) *p++ = 0;
}

why-2.34/bench/c/good/local_aliasing.c0000644000175000017500000001022012311670312016146 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* test option --local-aliasing */

char name[200];
// invariant name_valid : \valid_range(name,0,99)
//@ invariant name_valid : \arrlen(name) >= 100

// requires \valid_range(buf,0,size-1) && 0 <= size <= 100
//@ requires \arrlen(buf) >= size && 0 <= size <= 100
int f(char* buf, int size) {
  int i;
  char* p = buf;
  char* q = name;
  /*@ invariant 0 <= size <= \old(size)
    @           && p-buf == \old(size)-size
    @           && q-name == \old(size)-size
    @*/
  while (size--) {
    *p++ = *q++;
  }
  if (q == name) return 1;
  --buf;
  /*@ invariant 0 <= i <= \old(size)
    @*/
  for (i = p-buf-2; i> 1; i--) {
    buf[i] += 2;
  }
  ++buf;
  return 0;
}

// requires \exists int i; i >= 0 && s[i] == 0 && \valid_range(s,0,i)
//@ requires 0 <= \strlen(s) < \arrlen(s)
int g(char* s) {
  char c;
  int count = 0;
  /* invariant \exists int i; i >= 0 && s[i] == 0 && \valid_range(s,0,i)
    */
  /*@ invariant 0 <= s-\old(s) <= \strlen(\old(s)) < \arrlen(\old(s))
   */
  while (c = *s++) {
    switch (c) {
    case '0':
    case '1':
      count += 1;
      break;
    case '2':
      count -= count;
      if (!*s++) s--;
//  case '3':
    default:
      ++count;
      if (!*s++) s--;
      if (!*s++) s--;
    }
  }
  return count;
}

int h(char* p, int s) {
  char *q = p+s;
  char *pp = p;
  char buf[100];
  char *b = buf;
  //@ assert b == buf
  pp++;
  //@ assert pp == p + 1
  ++b;
  //@ assert b == buf + 1
  if (p < q && buf < b) {
    int diff = (buf-b) + (pp-p);
    diff += (q-p);
    //p = malloc(100 * sizeof(char));
    p++;
    //@ assert pp == p
    pp++;
    //@ assert pp == p + 1
    q++;
    //@ assert pp + s == q + 1
    diff += (q-pp);
    q = (char*)malloc(100 * sizeof(char));
    p = pp;
    //@ assert pp == p
    diff += (p-pp);
    return diff;
  }
  return -1;
}

int main() {
  char buf[100];
  int r = f(buf,100);
  buf[99] = 0;
  r += g(buf);
  r += h(buf,100);
  return r;
}
why-2.34/bench/c/good/init.c0000644000175000017500000000532312311670312014160 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int x = 45;

int t[3] = {1,2,3};
/*@ invariant t_const : t[1] == 2 */

struct S {
  int a;
  int b[3];
};

struct S s = {1,{1,3,4}};
/*@ invariant s_const : s.b[0] == 1 && s.b[2] == 4 */

/*@ ensures \result == 7 */
int f() {
  int y =x;
  return t[1] + s.b[0] + s.b[2];
}



/*@ ensures \result == 4 */
int g() {
  int t[] = {4,5};
  int x = 45;
  return t[0];
}


/*@ ensures \result == 12 */
int h() {
  int u[3] = { 3,4,5 };
  return u[0] + u[1] + u[2];
}
why-2.34/bench/c/good/invariant.c0000644000175000017500000000445512311670312015215 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

const struct {
  int x;
  int y;
} s;
why-2.34/bench/c/good/e.c0000644000175000017500000000505112311670312013437 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* It is 84 characters long and calculates e to 992 decimal places: 

a[999],x,n;main(N){for(;n||(putchar(48^x),
n=998+--N);x+=10*a[--n]+!N)a[n]=x%n,x/=n;}

*/

void putchar(char);

int a[999],x,n;

void main(N){
  for(; n||(putchar(48^x), n=998+--N); x+=10*a[--n]+!N)
    a[n]=x%n,x/=n;
}
why-2.34/bench/c/good/alloc.c0000644000175000017500000000465312311670312014314 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


typedef unsigned int size_t;

void * alloc (size_t size);

void *ptr1, *ptr2;

/*@ ensures ptr1 != ptr2
  @*/
void f() {
  ptr1 = alloc(10);
  ptr2 = alloc(10);
}
why-2.34/bench/c/good/fib.c0000644000175000017500000000533012311670312013753 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@ logic int fib(int x)

//@ axiom fib_0 : fib(0) == 0
//@ axiom fib_1 : fib(1) == 1
//@ axiom fin_n : \forall int n; 2 <= n => fib(n) == fib(n-1) + fib(n-2)


/*@ requires 1 < n && \valid_range(t,0,n-1)
  @*/
void compute_fib(int *t, int n) {
  int i;
  t[0] = 0;
  t[1] = 1;
  //@ invariant 2 <= i <= n && t[i-1]==fib(i-1) && t[i-2]==fib(i-2)
  for (i = 2; i < n; i++)
    t[i] = t[i-1] + t[i-2];
}

/*
Local Variables: 
compile-command: "make fib.gui"
End: 
*/
why-2.34/bench/c/good/linked-list.c0000644000175000017500000000601412311670312015432 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct struct_list {
  int hd;
  struct struct_list * tl;
} *list;

#define NULL ((void*)0)

/*@ predicate is_list(list p) reads p->tl */

/*@ axiom is_list_def : 
     \forall list p; 
     is_list(p) <=> (p == NULL || (\valid(p) && is_list(p->tl))) */

/*@ logic int length(list p) reads p->tl */

/* @ axiom length_null : length((list)NULL) == 0 */

/*@ axiom length_nonneg : \forall list p; is_list(p) => length(p) >= 0 */

/*@ axiom length_cons : 
     \forall list p; 
     is_list(p) => p != NULL => length(p) == length(p->tl) + 1 */

/*@ requires is_list(p)
  @ ensures  \result != NULL => \result->hd == v
  @*/
list search(list p, int v) {
  /*@ invariant is_list(p)
      variant   length(p) */
  while (p != NULL && p->hd != v) p = p->tl;
  return p;
}
why-2.34/bench/c/good/heap.c0000644000175000017500000001553412311670312014137 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Priority queues */

/**** misc ************************************************************/

//@ axiom div2_1: \forall int x; 0 <= x => 0 <= x/2 <= x

/**** bags ************************************************************/

//@ type bag 

//@ logic bag empty_bag()

//@ logic bag singleton_bag(int x)

//@ logic bag union_bag(bag b1, bag b2)

//@ logic bag add_bag(int x, bag b) { union_bag(b, singleton_bag(x)) }

//@ logic int occ_bag(int x, bag b)

/*@ predicate is_max_bag(bag b, int m) {
  @   occ_bag(m, b) >= 1 &&
  @   \forall int x; occ_bag(x,b) >= 1 => x <= m
  @  }
  @*/

/**** trees ************************************************************/

//@ type tree

//@ logic tree Empty()

//@ logic tree Node(tree l, int x, tree r)

//@ logic bag bag_of_tree(tree t)

/*@ axiom bag_of_tree_def_1:
  @   bag_of_tree(Empty()) == empty_bag()
  @*/

/*@ axiom bag_of_tree_def_2:
  @   \forall tree l; \forall int x; \forall tree r;
  @     bag_of_tree(Node(l, x, r)) == 
  @     add_bag(x, union_bag(bag_of_tree(l), bag_of_tree(r)))
  @*/

/*** heap property *******************************************************/

//@ predicate is_heap(tree t)

//@ axiom is_heap_def_1: is_heap(Empty())

//@ axiom is_heap_def_2: \forall int x; is_heap(Node(Empty(), x, Empty()))

/*@ axiom is_heap_def_3: 
  @   \forall tree ll; \forall int lx; \forall tree lr; \forall int x;
  @     x >= lx => is_heap(Node(ll, lx, lr)) => 
  @     is_heap(Node(Node(ll, lx, lr), x, Empty()))
  @*/

/*@ axiom is_heap_def_4: 
  @   \forall tree rl; \forall int rx; \forall tree rr; \forall int x;
  @     x >= rx => is_heap(Node(rl, rx, rr)) => 
  @     is_heap(Node(Empty(), x, Node(rl, rx, rr)))
  @*/

/*@ axiom is_heap_def_5: 
  @   \forall tree ll; \forall int lx; \forall tree lr; 
  @   \forall int x;
  @   \forall tree rl; \forall int rx; \forall tree rr; 
  @     x >= lx => is_heap(Node(ll, lx, lr)) => 
  @     x >= rx => is_heap(Node(rl, rx, rr)) => 
  @     is_heap(Node(Node(ll, lx, lr), x, Node(rl, rx, rr)))
  @*/

/**** trees encoded in arrays *********************************************/

//@ logic tree tree_of_array(int *t, int root, int bound) reads t[..]

/*@ axiom tree_of_array_def_1:
  @   \forall int *t; \forall int root; \forall int bound;
  @     root >= bound => tree_of_array(t, root, bound) == Empty()
  @*/

/*@ axiom tree_of_array_def_2:
  @   \forall int *t; \forall int root; \forall int bound;
  @     0 <= root < bound => 
  @     tree_of_array(t, root, bound) == 
  @     Node(tree_of_array(t, 2*root+1, bound), 
  @          t[root],
  @          tree_of_array(t, 2*root+2, bound))
  @*/

/**** the heap and its model **********************************************/

#define MAXSIZE 100

int heap[MAXSIZE];

int size = 0;

/*@ invariant size_inv : 0 <= size < MAXSIZE */

//@ invariant is_heap: is_heap(tree_of_array(heap, 0, size))

//@ logic bag model() { bag_of_tree(tree_of_array(heap, 0, size)) }

/**** the code ************************************************************/

/*@ assigns
  @   size
  @ ensures 
  @   model() == empty_bag()
  @*/
void clear() {
  size = 0;
}

/*@ requires 
  @   size < MAXSIZE-1
  @ assigns 
  @    heap[..], size
  @ ensures
  @   model() == add_bag(x, \old(model()))
  @*/
void push(int x) {
  int i = size;
  /*@ invariant
    @   0 <= i <= size &&
    @   (i == size => 
    @      is_heap(tree_of_array(heap, 0, size)) &&
    @      model() == \old(model())) &&
    @   (i < size =>
    @      is_heap(tree_of_array(heap, 0, size+1)) &&
    @      bag_of_tree(tree_of_array(heap, 0, size+1)) ==
    @      add_bag(heap[i], \old(model())))
    @ loop_assigns
    @   heap[..]
    @ variant
    @   i
    @*/
  while (i > 0) {
    int parent = (i-1) / 2;
    int p = heap[parent];
    if (p >= x) break;
    heap[i] = p;
    i = parent;
  }
  heap[i] = x;
  size++;
}

/*@ requires 
  @   size > 0
  @ assigns
  @   \nothing
  @ ensures  
  @   is_max_bag(model(), \result)
  @*/
int max() {
  return heap[0];
}

/*@ requires 
  @   size > 0
  @ assigns 
  @    heap[..], size
  @ ensures  
  @   size == \old(size) -  1 &&
  @   is_max_bag(\old(model()), \result) && 
  @   \old(model()) == add_bag(\result, model())
  @*/
int pop() {
  int res = heap[0];
  if (--size) {
    int v = heap[size]; // value to insert
    int i = 0;          // candidate position
    /*@ invariant
      @   0 <= i <= size // TODO: complete invariant
      @ loop_assigns
      @   heap[..]
      @ variant
      @   size - i
      @*/
    while (i < size) {
      int j = 2*i+1;
      if (j < size-1 && heap[j] < heap[j+1]) j++;
      if (v >= heap[j]) break;
      heap[i] = heap[j];
      i = j;
    }
    heap[i] = v;
  }
  return res;
}

why-2.34/bench/c/good/ll_parser.c0000644000175000017500000000672612311670312015210 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* LL parser */

/* grammar for arithmetic expressions:

     E ::= T | T "+" E 
     E ::= F | F "*" T
     F ::= "id" | "(" E ")"

*/

enum T { PLUS, MULT, LPAR, RPAR, ID, EOF };
typedef enum T token;

token *text; // should be ghost?

//@ ensures \result == *text
token next_token();

//@ ensures text == text+1
void advance();

/*@ requires 1 // TODO
  @ ensures  0 // never returns
  @*/
void parse_error();

/*@ requires 1 // TODO
  @ ensures  0 // never returns
  @*/
void success();

void parse_S();
void parse_E();
void parse_T();
void parse_F();

void parse_S() {
  parse_E();
  if (next_token() == EOF) 
    success(); 
  else 
    parse_error();
}

void parse_E() {
  parse_T();
  switch (next_token()) {
  case PLUS: 
    advance(); 
    parse_E(); 
    return;
  default: 
    return;
  }
}

void parse_T() {
  parse_F();
  switch (next_token()) {
  case MULT: 
    advance(); 
    parse_T(); 
    return;
  default: 
    return;
  }
}

void parse_F() {
  switch (next_token ()) { 
  case ID: 
    advance();
    return;
  case LPAR:
    advance();
    parse_E();
    switch (next_token()) { 
    case RPAR: 
      advance();
      return;
    default:
      parse_error();
    }
  default:
    parse_error();
  }
}

why-2.34/bench/c/good/clash.c0000644000175000017500000000632612311670312014313 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


int y;

/*@ ensures \result == 0 && y == \old(y) */
int g() {
  int y; y = 0 ;
  return y;
}


/*@ ensures (x==0 => \result == 1) && (x !=0 => \result == 2) */
int f(int x) {
  if (x == 0) {
    int y; 
    y = 1;
    return y;
  }
  else {
    int y;
    y = 2;
    return y;
  }
}


/*@ ensures (x == 0 => \result == 1) && (x != 0 => \result == 2) */
int h(int x) {
  int y;
  y = 2;
  if (x == 0) {
    int y; 
    y = 1;
    return y;
  }
  return y;
}


typedef struct {
    int toto;
    int titi;    
} S1;

/*@ assigns ma_structure.toto */
void f1(S1 ma_structure)
{
    int toto;
    toto = 0;
    ma_structure.toto = toto;
 }

typedef struct {
    int fst;
    int sec;
} S2;

typedef struct {
    S2 substruct;
    int titi;
} S3;

/*@ requires \valid(ma_structure) && \valid(ma_structure.substruct)
  @ assigns ma_structure.substruct.fst */
void f2(S3 ma_structure)
{
    S2 substruct;
    substruct.fst = 0;
    ma_structure.substruct.fst = substruct.fst;
 }


why-2.34/bench/c/good/count_bits_2.c0000644000175000017500000000712012311670312015604 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/****** abstract sets of integers *******************************************/

//@ type iset

//@ predicate in_(int x, iset s)

//@ logic int card(iset s)
//@ axiom card_nonneg : \forall iset s; card(s) >= 0

//@ logic iset empty()
//@ axiom empty_card : \forall iset s; card(s)==0 <=> s==empty()

//@ logic iset remove(int x, iset s)
/*@ axiom remove_card : 
  @   \forall iset s; \forall int i;
  @     in_(i,s) => card(remove(i,s)) == card(s) - 1
  @*/

//@ logic int min_elt(iset s)
/*@ axiom min_elt_def : 
  @   \forall iset s; card(s) > 0 => in_(min_elt(s), s)
  @*/

/****** interpretation of C ints as abstract sets of integers ***************/

//@ logic iset iset(int x)

//@ axiom iset_c_zero : \forall int x; iset(x)==empty() <=> x==0

/*@ axiom iset_c_minus : 
  @   \forall int x, int a; 
  @     in_(x, iset(a)) => iset(a-x) == remove(x, iset(a))
  @*/

/*@ axiom iset_c_lowest_bit :
  @   \forall int x; x != 0 => x&-x == min_elt(iset(x))
  @*/
/*@ axiom iset_c_lowest_bit_help :
  @   \forall int x; x != 0 <=> x&-x != 0
  @*/

/**** count_bits ************************************************************/

/*@ ensures \result == card(iset(x)) */
int count_bits(int x) {
  int d, c;
  /*@ invariant c + card(iset(x)) == card(iset(\at(x,init)))
    @ variant   card(iset(x))
    @*/
  for (c = 0; d = x&-x; x -= d) c++;
  return c;
}
why-2.34/bench/c/good/array.c0000644000175000017500000000501312311670312014327 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int t[3][3];

//@ requires \valid_index(t,1) && \valid_index(t[1],2)
int getcell() { return t[1][2];  }

/*@ predicate valid_dim2(int** t, int i, int j, int k, int l)
    { \valid_range(t,i,j) &&
    \forall int n; i <= n <= j => \valid_range(t[n],k,l) } */


why-2.34/bench/c/good/init2.c0000644000175000017500000000522712311670312014245 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct {int a;int b;} lastruct1; 
typedef struct {lastruct1 c;int d;} lastruct2; 
lastruct2 ls = {{1,2},3}; 

int varglo=123; 


typedef enum 
{ 
 a = 12, 
 b = 34, 
 c = 56 
} lenum;

 
lenum le=b; 


const int laconstante=7; 


/*@ 
assigns \nothing 
ensures  ls.c.a==1 && varglo==123 &&  \result==4  && le==34  
   && laconstante==7 
*/ 
int f() 
{ 
  int varloc=4; 
  return varloc;  

}
why-2.34/bench/c/good/param.c0000644000175000017500000000452512311670312014320 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ ensures \result == x+y */
int f(int x, int y){
  x = x+y ;
  return x;
}

why-2.34/bench/c/good/clash_alloc.c0000644000175000017500000000456012311670312015463 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef struct T {
    int alloc;
} S;

/*@ requires \valid(p) */
int f(S* p)
{
  return p->alloc;
}




why-2.34/bench/c/good/not_assigns.c0000644000175000017500000000515512311670312015547 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

struct p {
  int x;
} p;


struct q {
  struct p *w;
} q;

struct s {
  struct q v;
} s;


struct s u [5];

/*@ assigns a->v.w->x*/
void h(struct s *a);


void i(){
  int i;

/*@ invariant 0<=i<=5
  @ loop_assigns u[0 .. 5].v.w -> x
  @*/
  for (i = 0; i < 5; i++ ){
    h(&u[i]);
  }
}

/*
Local Variables: 
compile-command: "make not_assigns.gui"
End: 
*/
why-2.34/bench/c/good/logic_cast.c0000644000175000017500000000463212311670312015326 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned long ULONG;
#define N (ULONG)4

ULONG t[N];
void f( )
{
ULONG I;
/*@
invariant 0<=I<=N
variant N-I
*/
for(I=0;I j => num_of_pos(i,j,t) == 0
  @*/
 
/*@ axiom num_of_pos_true_case :
  @   \forall int i, int j, int t[];
  @       i <= j && t[j] > 0 => 
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t) + 1
  @*/

/*@ axiom num_of_pos_false_case :
  @   \forall int i, int j, int t[];
  @       i <= j && ! (t[j] > 0) => 
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t)
  @*/

/*@ axiom num_of_pos_strictly_increasing:
  @   \forall int i, int j, int k, int l, int t[];
  @       j < k && k <= l && t[k] > 0 => num_of_pos(i,j,t) < num_of_pos(i,l,t)
  @*/

/*@ requires length >= 0 && \valid_range(t,0,length-1)
  @*/
void m(int t[], int length) {
  int count = 0;
  int i;
  int *u;

  /*@ invariant
    @    0 <= i && i <= length && 
    @    0 <= count && count <= i && 
    @    count == num_of_pos(0,i-1,t)  
    @ variant length - i
    @*/
  for (i=0 ; i < length; i++) {
    if (t[i] > 0) count++;
  }
  u = (int *)calloc(count,sizeof(int));
  count = 0;
  
  /*@ invariant
    @    0 <= i && i <= length && 
    @    0 <= count && count <= i && 
    @    count == num_of_pos(0,i-1,t)
    @ variant length - i
    @*/
  for (i=0 ; i < length; i++) {
    if (t[i] > 0) {
      u[count++] = t[i];
    }
  }
}

/*
Local Variables: 
compile-command: "make muller.nosep"
End: 
*/
why-2.34/bench/c/good/continue.c0000644000175000017500000000557612311670312015053 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* continue tests */

/*@ ensures \result == 0 */
int f1()
{
  int n = 10;
  /*@ invariant 0 <= n variant n */ 
  while (n > 0) {
    if (n == 5) { n = 0; continue; }
    n--;
  }
  return n;
}

/*@ ensures \result == 10 */
int f2()
{
  int i = 17;
  /*@ invariant i <= 10 variant 10 - i */ 
  for (i = 0; i < 10; i++) {
    if (i == 5) { i = 6; continue; }
  }
  return i;
}

/*@ ensures \result == 7 */
int f3()
{
  int i;
  /*@ invariant i <= 7 && i != 6 variant 7 - i */ 
  for (i = 0; i < 6; i++) {
    if (i == 5) 
      { i = 6; continue; }
  }
  return i;
}

/*
int main(void) {
  printf("%d\n",f3());
  return 0;
}
*/

  
why-2.34/bench/c/good/russian.c0000644000175000017500000000550612311670312014704 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// this example was contributed by Daniel Zingaro

//@ axiom div2 : \forall int a; 0 < a => 0 <= a/2 < a
//@ axiom mul0 : \forall int a; 0 * a == 0

//@ axiom mul_odd : \forall int a, int b; a%2==1 => a*b == (a/2)*(b*2)+b
//@ axiom mul_even: \forall int a, int b; a%2!=1 => a*b == (a/2)*(b*2)

/*@ requires x >= 0 && y >= 0
  @ ensures
  @   \result == x * y
    @*/
int mult(int x, int y){
  int a = x, b = y, z = 0;
  /*@ invariant 0 <= a && 0 <= b && a * b + z == x * y
    @ variant a */
  while (a > 0) {
    if (a %2 == 1) z += b;
    a /= 2; b *= 2;
  }
  return z;
}
why-2.34/bench/c/good/shift.c0000644000175000017500000000451312311670312014332 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ ensures \result == x / 2 */
int f(int x) {
  return (x >> 1);
}
why-2.34/bench/c/good/tracability.c0000644000175000017500000000502212311670312015520 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// memory safety VC
int f1(int *p) { return *p; }


// loop invariant VCs (initially true, preserved)
void f2() {
  int i = 10;
  //@ invariant i == 5 //intentionally false
  while (i > 0) i--;
}

/*
Local Variables: 
compile-command: "make tracability.gui"
End: 
*/
why-2.34/bench/c/good/sqrt.c0000644000175000017500000000506712311670312014213 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@ predicate le_root(int r, int x) { 0 <= r && r * r <= x }

//@ predicate is_root(int r, int x) { le_root(r, x) && (r+1)*(r+1) > x }

/*@ requires n >= 0
  @ ensures  is_root(\result, n)
  @*/
int sqrt(int n) {
  int y = 0;
  //@ invariant le_root(y, n) 
  while ((y+1)*(y+1) <= n) y++;
  return y;
}

why-2.34/bench/c/good/overflow.c0000644000175000017500000000517312311670312015063 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

char c;
signed char sc;
char c1;
short s;

enum E1 { A1, B1 };
enum E2 { A2, B2, C2 };

enum E1 e1;
enum E2 e2;

/*@ requires e2 != C2 */
void f() {
  e1 = e2;
}

/*@ requires 0 <= s <= 255 */
void g() {
  c = s;
}

int i;
long int li;
long long int lli;

void h() {
  c = 10;
  sc = c;
  s = c1;
  i = s;
  li = i;
  lli = li;
}

void hh() {
  i = 7;
  s = i;
  c = s;
}
why-2.34/bench/c/good/unsafe.c0000644000175000017500000000463412311670312014502 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


int t[10];


int f(int i) {
  return t[i-i];
}

int g(int i) {
  return t[10];
}

int h(int i) {
  return t[i];
}

int h2(int i) {
  return t[0];
}
why-2.34/bench/c/good/struct2.c0000644000175000017500000000471212311670312014624 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

struct S { int a; int b[5]; int c; };

struct S s0;

//@ ensures \true
void f() {
  s0.b[2] = 1;
}


struct U { struct S d; int e; };

struct U u;

//@ ensures \true
void g() {
  u.d.b[2] = 1;
}
why-2.34/bench/c/bench-files0000644000175000017500000000107712311670312014225 0ustar  rtusersassigns_range_right
separation separation1 separation2 separation3 separation4 
ifs sort fib
all minusminus 
array assigns loop_assigns not_assigns break continue goto
call clash clash_alloc clash_redef  
logic coord dassault_1 dassault_2 muller
copy dowhile invariants latespec logic_cast 
param passing queue rec ref ref_glob search see 
sizeof alloca all_zeros malloc calloc pointer init
struct struct2 struct3 switch enum sum1 sum2 incr pi count_bits count_bits_2
purse abs string return binary_search division negate mean loops matrix
selection russian
false false2 



why-2.34/bench/c/bad-interp/0000755000175000017500000000000012311670312014143 5ustar  rtuserswhy-2.34/bench/c/bad-interp/eval4.c0000644000175000017500000000005212311670312015317 0ustar  rtusersvoid f () {
  int x = 0x100000000ul;
}
why-2.34/bench/c/bad-interp/eval2.c0000644000175000017500000000006012311670312015314 0ustar  rtusersvoid f (){
  int x = 0x100000000u;
  x=x;
}
why-2.34/bench/c/bad-interp/goto1.c0000644000175000017500000000010312311670312015332 0ustar  rtusers
int f() {
  goto l1;
 l2: goto l3;
 l1: goto l2;
 l3: return 0;
}
why-2.34/bench/c/bad-interp/eval5.c0000644000175000017500000000005112311670312015317 0ustar  rtusersvoid f (){
  int x = 0x100000000ul;
}
why-2.34/bench/c/bad-interp/eval9.c0000644000175000017500000000004112311670312015322 0ustar  rtusersvoid f (){
  char x = '\9';
}
why-2.34/bench/c/bad-interp/switch1.c0000644000175000017500000000027712311670312015677 0ustar  rtusers
/* should warn about unreachable statement y=1 */
/*@ ensures \result==0 */
int f (int x){
  int y = 0;

  switch (x) { 
    y = 1;
  case 0 :
    break ;
  }
  return y;
}


why-2.34/bench/c/bad-interp/eval1.c0000644000175000017500000000017112311670312015316 0ustar  rtusers/* #include  */

int main (){
  int x = 2147483648; /* 2^31 */
  /*   printf("%u\n",x); */
  return 0;
}
why-2.34/bench/c/bad-interp/goto2.c0000644000175000017500000000017112311670312015340 0ustar  rtusers
int f(int x) {
  if (x==0) { 
    goto l2; 
    l1 : x = 1;  
  } else {
    goto l1;
    l2 : x = 2;
  }
  return x;
}
why-2.34/bench/c/bad-interp/eval8.c0000644000175000017500000000003512311670312015324 0ustar  rtusersvoid f(){
  int x = 09;
}
why-2.34/bench/c/bad-interp/eval6.c0000644000175000017500000000006212311670312015322 0ustar  rtusersvoid f (){
  int x = 0x800000000000000000ll;
}
why-2.34/bench/c/bad-interp/switch3.c0000644000175000017500000000027712311670312015701 0ustar  rtusers
/* should error about duplicate case 0 */
/*@ ensures \result==0 */
int f (int x){
  int y = 0;

  switch (x) { 
  case 0 :
    break ;
  case 0 :
    break;
  }
  return y;
}
why-2.34/bench/c/bad-interp/eval7.c0000644000175000017500000000005712311670312015327 0ustar  rtusersvoid f (){
  int x = 1000000000000000llu;
}
why-2.34/bench/c/bad-interp/eval3.c0000644000175000017500000000005012311670312015314 0ustar  rtusersvoid f (){
  long x = 0x80000000l;
}
why-2.34/bench/c/bad-interp/switch4.c0000644000175000017500000000020712311670312015673 0ustar  rtusers
/* should error about duplicate case 0 */
/*@ ensures \result==0 */
int f (int x){

  case 0 :
    break;
  }
  return y;
}
why-2.34/bench/c/bad-interp/switch2.c0000644000175000017500000000030112311670312015664 0ustar  rtusers
/* should warn about unreachable statement y=1 */
/*@ ensures \result==0 */
int f (int x){
  int y = 0;

  switch (x) { 
  case 0 :
    break ;
    y = 1;
  }
  return y;
}



why-2.34/bench/c/bench0000755000175000017500000000743612311670312013135 0ustar  rtusers#!/bin/sh

FILES=`cat bench-files`

# benchmark for caduceus
export CADUCEUSLIB=`pwd`/../../lib/why
export WHYCOQ=`pwd`/../../lib/coq
make="make WHYCOQ=$WHYCOQ"

# C files to parse with success
echo "C parsing (good)"
cd good/syntax
parsing="../../../../bin/caduceus.opt -parse-only"
for f in *.c; do
    echo -n "  "$f"... "
    if ! gcc -c $f > /dev/null 2>&1; then
	echo "GCC failed"
	if test $f != "obfuscated.c" ; then
           gcc -c $f
	   exit 1
        fi
    else
      echo -n "GCC ok... "
    fi
    if ! $parsing  $f > /dev/null 2>&1; then
	echo "caduceus FAILED"
	#$parsing $f
	#exit 1
    else
	echo "caduceus ok... "
    fi
done

echo "C parsing (bad)"
cd ../../bad-syn
parsing="../../../bin/caduceus.opt -parse-only"
for f in *.c; do
    echo -n "  "$f"... "
    if gcc -c $f > /dev/null 2>&1; then
	echo "GCC failed (accepted a bad file)"
	gcc -c $f
	exit 1
    fi
    echo -n "GCC ok... "
    if $parsing  $f > /dev/null 2>&1; then
	echo "caduceus FAILED (accepted a bad file)"
	#$parsing $f
	#exit 1
    else
	echo "caduceus ok... "
    fi
done

echo "C parsing/typing (bad)"
cd ../bad-sem
parsing="../../../bin/caduceus.opt -type-only"
for f in *.c; do
    echo -n "  "$f"... "
    if gcc -c -Wall -Werror $f > /dev/null 2>&1; then
	echo "GCC failed (accepted a bad file)"
	gcc -c $f
	exit 1
    fi
    echo -n "GCC ok... "
    if $parsing  $f > /dev/null 2>&1; then
	echo "caduceus FAILED (accepted a bad file)"
	#$parsing $f
	#exit 1
    else
	echo "caduceus ok... "
    fi
done

echo "C parsing/typing (good)"
cd ../good
parsing="../../../bin/caduceus.opt -type-only"
for f in *.c; do
    echo -n "  "$f"... "
    if ! gcc -c $f > /dev/null 2>&1; then
	echo "GCC failed"
	gcc -c $f
	exit 1
    fi
    echo -n "GCC ok... "
    if ! $parsing  $f > /dev/null 2>&1; then
	echo "caduceus FAILED"
	#$parsing $f
	#exit 1
    else
	echo "caduceus ok... "
    fi
done

echo "C interp (bad)"
cd ../bad-interp
parsing="../../../bin/caduceus.opt"
for f in *.c; do
    echo -n "  "$f"... "
    if gcc -ansi -pedantic -Wall -Werror -c $f > /dev/null 2>&1; then
	echo "GCC failed (accepted a bad file, maybe not detected)"
	gcc -ansi -pedantic -Wall -Werror -c $f
    else
        echo -n "GCC ok... "
    fi
    if $parsing  $f > /dev/null 2>&1; then
	echo "caduceus FAILED (accepted a bad file)"
	#$parsing $f
	#exit 1
    else
	echo "caduceus ok... "
    fi
done

echo "C interp (good)"
cd ../good
export CADUCEUSLIB=`pwd`/../../../lib

bench_c_good () {
    options="$* -why-opt -split-user-conj " # -why-opt -show-time"  # --typing-predicates"
    echo "-------------------------------------------------------------------"
    echo "Bench Caduceus+Simplify/Yices with options: $options"
    parsing="../../../bin/caduceus.opt $options"

    rm -f why/*.why
    rm -f simplify/*_why.sx
    rm -f smtlib/*_why.smt
    rm -f *.time
    hostname=`hostname`
    if test $hostname = "belzebuth"; then parall="-j 7"; fi
    CADUCEUS=$parsing make -e $parall -f Makefile.bench
    cat *.time
    echo "===TOTAL==============================="
    ocaml ../stat.ml *.time
    echo "======================================="
}

# bench_c_good
# bench_c_good -separation -no-zone-type
bench_c_good -separation

cd ../../../examples-c
make bench

# Coq proofs
# for f in $FILES; do
#     echo -n "  $f.c... "
#     rm -f coq/caduceus_spec_why.v
#     if $parsing  $f.c > /tmp/caduceus.tmp 2>&1; then
# 	echo -n "caduceus ok... "
# 	if $make -f $f.makefile coq > /tmp/caduceus.tmp 2>&1; then
# 	    n=`grep -c Admitted coq/${f}_why.v`
# 	    if test $n -ne 0 ; then
# 		echo "Coq proof ok (with $n Admitted)... "
# 	    else
# 		echo "Coq proof ok... "
# 	    fi
# 	else
# 	    echo "Coq proof FAILED !"
# 	    cat /tmp/caduceus.tmp
# 	    exit 1
# 	fi
#     else
# 	echo "caduceus FAILED (rejected a good file) :"
# 	cat /tmp/caduceus.tmp
# 	exit 1
#     fi
# done


why-2.34/bench/c/absint/0000755000175000017500000000000012311670312013376 5ustar  rtuserswhy-2.34/bench/c/absint/string1.c0000644000175000017500000000143012311670312015127 0ustar  rtusers
void f1(char* t1, char* t2) {
  int i;
  for (i = 0; i < 5; ++i) t1[i] = t2[i];
}

void f2(char* t1, char* t2) {
  int i;
  for (i = 0; i < 5; ++i) t1[i] = t1[i+1];
}

void f3(char* t1, char* t2) {
  int i;
  for (i = 0; i < 5; ++i) t1[i] = t2[i+1];
}

void f4(char* t1, char* t2) {
  int i = 0;
  while (i < 5) { t1[i] = t2[i]; ++i; }
}

void f5(char* t1, char* t2) {
  int i = 0;
  while (i < 5) { t1[i] = t1[i+1]; ++i; }
}

void f6(char* t1, char* t2) {
  int i = 0;
  while (i < 5) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  char t1[] = "12345";
  char t2[] = "12345";
  f1(t1,t2);
  f2(t1,t2);
  f3(t1,t2);
  f4(t1,t2);
  f5(t1,t2);
  f6(t1,t2);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int string1.c" */
/* End: */
why-2.34/bench/c/absint/pointer5.c0000644000175000017500000000172112311670312015310 0ustar  rtusers
void f1(int* t1, int* t2) {
  int i;
  for (i = 0; i < 5; ++i)
    if (t1) t1[i] = t2[i];
}

void f2(int* t1, int* t2) {
  int i;
  for (i = 0; i < 5; ++i) 
    if (t1 != 0) t1[i] = t1[i+1];
}

void f3(int* t1, int* t2) {
  int i;
  for (i = 0; i < 5; ++i) 
    if (!(t1 == 0)) t1[i] = t2[i+1];
}

void f4(int* t1, int* t2) {
  int i = 0;
  while (i < 5) 
    if (t1) { t1[i] = t2[i]; ++i; }
}

void f5(int* t1, int* t2) {
  int i = 0;
  while (i < 5) 
    if (t1 != 0) { t1[i] = t1[i+1]; ++i; }
}

void f6(int* t1, int* t2) {
  int i = 0;
  while (i < 5)
    if (!(t1 == 0)) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  int t1[6];
  int t2[6];
  f1(t1,t2); f1(0,t2); f1(0,0);
  f2(t1,t2); f2(0,t2); f2(0,0);
  f3(t1,t2); f3(0,t2); f3(0,0);
  f4(t1,t2); f4(0,t2); f4(0,0);
  f5(t1,t2); f5(0,t2); f5(0,0);
  f6(t1,t2); f6(0,t2); f6(0,0);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int pointer5.c" */
/* End: */
why-2.34/bench/c/absint/motivating.c0000644000175000017500000000046112311670312015724 0ustar  rtuserschar* foo(char* dest, char* src, int s) {
  char* cur = dest;
  if (dest == 0) return 0;
  while (s-- > 0 && *src) {
    *cur++ = *src++;
  }
  *cur = '\0';
  return dest;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int -d motivating.c" */
/* End: */
why-2.34/bench/c/absint/pointer3.c0000644000175000017500000000221312311670312015303 0ustar  rtusers
void f1(int* t1, int* t2) {
  int i;
  if (t1 != (int*)0 && !(t2 == 0)) 
    for (i = 0; i < 5; ++i) t1[i] = t2[i];
}

void f2(int* t1, int* t2) {
  int i;
  if (t1 != (int*)0 && !(t2 == 0)) 
    for (i = 0; i < 5; ++i) t1[i] = t1[i+1];
}

void f3(int* t1, int* t2) {
  int i;
  if (t1 != (int*)0 && !(t2 == 0)) 
    for (i = 0; i < 5; ++i) t1[i] = t2[i+1];
}

void f4(int* t1, int* t2) {
  int i = 0;
  if (t1 != (int*)0 && !(t2 == 0)) 
    while (i < 5) { t1[i] = t2[i]; ++i; }
}

void f5(int* t1, int* t2) {
  int i = 0;
  if (t1 != (int*)0 && !(t2 == 0)) 
    while (i < 5) { t1[i] = t1[i+1]; ++i; }
}

void f6(int* t1, int* t2) {
  int i = 0;
  if (t1 != (int*)0 && !(t2 == 0)) 
    while (i < 5) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  int t1[6];
  int t2[6];
  f1(t1,t2); f1(t1,0); f1(0,t2); f1(0,0);
  f2(t1,t2); f2(t1,0); f2(0,t2); f2(0,0);
  f3(t1,t2); f3(t1,0); f3(0,t2); f3(0,0);
  f4(t1,t2); f4(t1,0); f4(0,t2); f4(0,0);
  f5(t1,t2); f5(t1,0); f5(0,t2); f5(0,0);
  f6(t1,t2); f6(t1,0); f6(0,t2); f6(0,0);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int pointer3.c" */
/* End: */
why-2.34/bench/c/absint/string_loop2.c0000644000175000017500000000170712311670312016170 0ustar  rtusers
void f1(char* t1, char* t2, int s) {
  int i;
  for (i = 0; i < s && t1[i] && t2[i]; ++i) t1[i] = t2[i];
}

void f2(char* t1, char* t2, int s) {
  int i;
  for (i = 0; i < s && t1[i] && t1[i+1]; ++i) t1[i] = t1[i+1];
}

void f3(char* t1, char* t2, int s) {
  int i;
  for (i = 0; i < s && t1[i] && t2[i+1]; ++i) t1[i] = t2[i+1];
}

void f4(char* t1, char* t2, int s) {
  int i = 0;
  while (i < s && t1[i] && t2[i]) { t1[i] = t2[i]; ++i; }
}

void f5(char* t1, char* t2, int s) {
  int i = 0;
  while (i < s && t1[i] && t1[i+1]) { t1[i] = t1[i+1]; ++i; }
}

void f6(char* t1, char* t2, int s) {
  int i = 0;
  while (i < s && t1[i] && t2[i+1]) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  char t1[] = "12345";
  char t2[] = "12345";
  f1(t1,t2,5);
  f2(t1,t2,5);
  f3(t1,t2,5);
  f4(t1,t2,5);
  f5(t1,t2,5);
  f6(t1,t2,5);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int string_loop2.c" */
/* End: */
why-2.34/bench/c/absint/string_loop1.c0000644000175000017500000000162112311670312016162 0ustar  rtusers
void f1(char* t1, char* t2) {
  int i;
  for (i = 0; i < 5 && t1[i] && t2[i]; ++i) t1[i] = t2[i];
}

void f2(char* t1, char* t2) {
  int i;
  for (i = 0; i < 5 && t1[i] && t1[i+1]; ++i) t1[i] = t1[i+1];
}

void f3(char* t1, char* t2) {
  int i;
  for (i = 0; i < 5 && t1[i] && t2[i+1]; ++i) t1[i] = t2[i+1];
}

void f4(char* t1, char* t2) {
  int i = 0;
  while (i < 5 && t1[i] && t2[i]) { t1[i] = t2[i]; ++i; }
}

void f5(char* t1, char* t2) {
  int i = 0;
  while (i < 5 && t1[i] && t1[i+1]) { t1[i] = t1[i+1]; ++i; }
}

void f6(char* t1, char* t2) {
  int i = 0;
  while (i < 5 && t1[i] && t2[i+1]) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  char t1[] = "12345";
  char t2[] = "12345";
  f1(t1,t2);
  f2(t1,t2);
  f3(t1,t2);
  f4(t1,t2);
  f5(t1,t2);
  f6(t1,t2);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int string_loop1.c" */
/* End: */
why-2.34/bench/c/absint/string_loop6.c0000644000175000017500000000227512311670312016175 0ustar  rtusers
void f1(char* t1, char* t2, int s) {
  int i;
  for (i = 0; i < s; ++i)
    if (t1 && t1[i] && t2[i]) t1[i] = t2[i];
}

void f2(char* t1, char* t2, int s) {
  int i;
  for (i = 0; i < s; ++i) 
    if (t1 != 0 && t1[i] && t1[i+1]) t1[i] = t1[i+1];
}

void f3(char* t1, char* t2, int s) {
  int i;
  for (i = 0; i < s; ++i) 
    if (!(t1 == 0) && t1[i] && t2[i+1]) t1[i] = t2[i+1];
}

void f4(char* t1, char* t2, int s) {
  int i = 0;
  while (i < s) 
    if (t1 && t1[i] && t2[i]) { t1[i] = t2[i]; ++i; }
}

void f5(char* t1, char* t2, int s) {
  int i = 0;
  while (i < s) 
    if (t1 != 0 && t1[i] && t1[i+1]) { t1[i] = t1[i+1]; ++i; }
}

void f6(char* t1, char* t2, int s) {
  int i = 0;
  while (i < s)
    if (!(t1 == 0) && t1[i] && t2[i+1]) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  char t1[] = "12345";
  char t2[] = "12345";
  f1(t1,t2,5); f1(0,t2,4); f1(0,0,-1);
  f2(t1,t2,5); f2(0,t2,4); f2(0,0,-1);
  f3(t1,t2,5); f3(0,t2,4); f3(0,0,-1);
  f4(t1,t2,5); f4(0,t2,4); f4(0,0,-1);
  f5(t1,t2,5); f5(0,t2,4); f5(0,0,-1);
  f6(t1,t2,5); f6(0,t2,4); f6(0,0,-1);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int string_loop6.c" */
/* End: */
why-2.34/bench/c/absint/arith3.c0000644000175000017500000000224512311670312014737 0ustar  rtusers
void f1(int* p1, int* p2) {
  int i;
  if (p1 != (int*)0 && !(p2 == 0)) 
    for (i = 0; i < 5; ++i) *p1++ = *p2++;
}

void f2(int* p1, int* p2) {
  int i;
  if (p1 != (int*)0 && !(p2 == 0)) 
    for (i = 0; i < 5; ++i) { *p1 = *(p1 + 1); p1++; }
}

void f3(int* p1, int* p2) {
  int i;
  if (p1 != (int*)0 && !(p2 == 0)) 
    for (i = 0; i < 5; ++i) { *p1++ = *(p2++ + 1); }
}

void f4(int* p1, int* p2) {
  int i = 0;
  if (p1 != (int*)0 && !(p2 == 0)) 
    while (i < 5) { *p1++ = *p2++; ++i; }
}

void f5(int* p1, int* p2) {
  int i = 0;
  if (p1 != (int*)0 && !(p2 == 0)) 
    while (i < 5) { *p1 = *(p1 + 1); p1++; ++i; }
}

void f6(int* p1, int* p2) {
  int i = 0;
  if (p1 != (int*)0 && !(p2 == 0)) 
    while (i < 5) { *p1++ = *(p2++ + 1); ++i; }
}

int main() {
  int t1[6];
  int t2[6];
  f1(t1,t2); f1(t1,0); f1(0,t2); f1(0,0);
  f2(t1,t2); f2(t1,0); f2(0,t2); f2(0,0);
  f3(t1,t2); f3(t1,0); f3(0,t2); f3(0,0);
  f4(t1,t2); f4(t1,0); f4(0,t2); f4(0,0);
  f5(t1,t2); f5(t1,0); f5(0,t2); f5(0,0);
  f6(t1,t2); f6(t1,0); f6(0,t2); f6(0,0);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int arith3.c" */
/* End: */
why-2.34/bench/c/absint/pointer1.c0000644000175000017500000000137112311670312015305 0ustar  rtusers
void f1(int* t1, int* t2) {
  int i;
  for (i = 0; i < 5; ++i) t1[i] = t2[i];
}

void f2(int* t1, int* t2) {
  int i;
  for (i = 0; i < 5; ++i) t1[i] = t1[i+1];
}

void f3(int* t1, int* t2) {
  int i;
  for (i = 0; i < 5; ++i) t1[i] = t2[i+1];
}

void f4(int* t1, int* t2) {
  int i = 0;
  while (i < 5) { t1[i] = t2[i]; ++i; }
}

void f5(int* t1, int* t2) {
  int i = 0;
  while (i < 5) { t1[i] = t1[i+1]; ++i; }
}

void f6(int* t1, int* t2) {
  int i = 0;
  while (i < 5) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  int t1[6];
  int t2[6];
  f1(t1,t2);
  f2(t1,t2);
  f3(t1,t2);
  f4(t1,t2);
  f5(t1,t2);
  f6(t1,t2);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int pointer1.c" */
/* End: */
why-2.34/bench/c/absint/pointer6.c0000644000175000017500000000204612311670312015312 0ustar  rtusers
void f1(int* t1, int* t2, int s) {
  int i;
  for (i = 0; i < s; ++i)
    if (t1) t1[i] = t2[i];
}

void f2(int* t1, int* t2, int s) {
  int i;
  for (i = 0; i < s; ++i) 
    if (t1 != 0) t1[i] = t1[i+1];
}

void f3(int* t1, int* t2, int s) {
  int i;
  for (i = 0; i < s; ++i) 
    if (!(t1 == 0)) t1[i] = t2[i+1];
}

void f4(int* t1, int* t2, int s) {
  int i = 0;
  while (i < s) 
    if (t1) { t1[i] = t2[i]; ++i; }
}

void f5(int* t1, int* t2, int s) {
  int i = 0;
  while (i < s) 
    if (t1 != 0) { t1[i] = t1[i+1]; ++i; }
}

void f6(int* t1, int* t2, int s) {
  int i = 0;
  while (i < s)
    if (!(t1 == 0)) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  int t1[6];
  int t2[6]; 
  f1(t1,t2,5); f1(0,t2,4); f1(0,0,-1);
  f2(t1,t2,5); f2(0,t2,4); f2(0,0,-1);
  f3(t1,t2,5); f3(0,t2,4); f3(0,0,-1);
  f4(t1,t2,5); f4(0,t2,4); f4(0,0,-1);
  f5(t1,t2,5); f5(0,t2,4); f5(0,0,-1);
  f6(t1,t2,5); f6(0,t2,4); f6(0,0,-1);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int pointer6.c" */
/* End: */
why-2.34/bench/c/absint/string.c0000644000175000017500000000736112311670312015057 0ustar  rtusers
typedef unsigned int size_t;

// 7.21.2.1: memcpy

char *memcpy(char *s1, const char *s2, size_t n) {
  char *r = s1;
  while (n-- > 0) *s1++ = *s2++;
  return r;
}

// 7.21.2.2: memmove

char *memmove(char *s1, const char *s2, size_t n) {
  char *tmp;
  if (n < 1) return s1;
  tmp = (char*)malloc(n * sizeof(char));
  memcpy(tmp,s2,n);
  memcpy(s1,tmp,n);
  return s1;
}

// 7.21.2.3: strcpy

char *strcpy(char *s1, const char *s2) {
  char *r = s1;
  while (*s1++ = *s2++) ;
  return r;
}

// 7.21.2.4: strncpy

char* strncpy(char *s1, const char *s2, size_t n) {
  char *r = s1;
  while ((n-- > 0) && (*s1++ = *s2++)) ;
  while (n-- > 0) *s1++ = 0;
  return r;
}

// 7.21.3.1: strcat

char *strcat (char *s1, const char *s2) {
  char *r = s1;
  while (*s1) s1++;
  strcpy(s1,s2);
  return r;
}

// 7.21.3.2: strncat

char *strncat (char *s1, const char *s2, size_t n) {
  char *r = s1;
  while (*s1) s1++;
  while ((n-- > 0) && (*s1++ = *s2++)) ;
  if (n >= 0) *s1 = 0;
  return r;
}

// 7.21.4.1: memcmp

int memcmp (const char *s1, const char *s2, size_t n) {
  int c;
  while (n-- > 0) {
    if ((c = *s1++ - *s2++) != 0) return c;
  }
  return 0;
}

// 7.21.4.2: strcmp

int strcmp (const char *s1, const char *s2) {
  int c;
  while (*s1 && *s2) {
    c = *s1++ - *s2++;
    if (c != 0) return c;
  }
  c = *s1 - *s2;
  return c;
}

// 7.21.4.3: strcoll

int strcoll (const char *s1, const char *s2) {
  return strcmp(s1,s2);
}

// 7.21.4.4: strncmp

int strncmp (const char *s1, const char *s2, size_t n) {
  int c = 0;
  while (*s1 && *s2 && (n-- > 0)) {
    c = *s1++ - *s2++;
    if (c != 0) return c;
  }
  if (n > 0) c = *s1 - *s2;
  return c;
}

// 7.21.4.4: strxfrm

size_t strxfrm (char *s1, const char *s2, size_t n) {
  size_t n1 = 0;
  while (*s2) {
    if (n-- > 0) *s1++ = *s2;
    s2++; n1++;
  }
  if (n > 0) *s1 = 0;
  return n1;
}

// 7.21.5.1: memchr

char *memchr (const char *s, char c, size_t n) {
  while (n-- > 0) {
    if (*s++ == c) return s-1;
  }
  return 0;
}

// 7.21.5.2: strchr

char *strchr (const char *s, char c) {
  while (*s) {
    if (*s++ == c) return s-1;
  }
  if (*s == c) return s;
  return 0;
}

// 7.21.5.3: strcspn

size_t strcspn (const char *s1, const char *s2) {
  size_t n = 0;
  while (*s1 && strchr(s2,*s1++) == 0) ++n;
  return n;
}

// 7.21.5.4: strpbrk

char *strpbrk (const char *s1, const char *s2) {
  while (*s1) {
    if (strchr(s2,*s1) == 0) ++s1;
    else return s1;
  }
  return 0;
}

// 7.21.5.5: strrchr

char *strrchr(const char *s, char c) {
  char *r = 0;
  while (*s) {
    if (*s++ == c) r = s-1;
  }
  if (c == 0) r = s;
  return r;
}

// 7.21.5.6: strspn

size_t strspn (const char *s1, const char *s2) {
  size_t n = 0;
  while (*s1 && strchr(s2,*s1++) != 0) ++n;
  return n;
}

// 7.21.5.7: strstr

char *strstr (const char *s1, const char *s2) {
  if (*s2 == 0) return s1;
  while (*s1) { 
    const char *rs1 = s1;
    const char *rs2 = s2;
    while (*rs1 && *rs2 && (*rs1 == *rs2)) { rs1++; rs2++; }
    if (*rs2 == 0) return s1;
    s1++;
  }
  return 0;
}

// 7.21.5.8: strtok

static char *tok;

char *strtok (char *s1, const char *s2) {
  char *r = 0;
  size_t n;
  if (s1 == 0) s1 = tok;
  s1 += strspn(s1,s2);
  if ((n = strcspn(s1,s2)) > 0) {
    r = s1;
    tok = s1 + n;
    if (*tok != 0) *tok++ = 0;
  }
  return r;
}

// 7.21.6.1: memset

char *memset (char *s, char c, size_t n) {
  char *r = s;
  while (n-- > 0) *s++ = c;
  return r;
}

// 7.21.6.2: strerror

static char errbuf[1024];

extern char** errmsg;

char *strerror (int errnum) {
  strcpy(errbuf,errmsg[errnum-1]);
  return errbuf;
}

// 7.21.6.3: strlen

size_t strlen(const char *s) {
  size_t n = 0;
  while (*s++) ++n;
  return n;
}


/*
  (* Local Variables: *)
  (* compile-command: "caduceus --loc-alias --arith-mem --abs-int string.c" *)
  (* End: *)
*/
why-2.34/bench/c/absint/pointer2.c0000644000175000017500000000145712311670312015313 0ustar  rtusers
void f1(int* t1, int* t2, int s) {
  int i;
  for (i = 0; i < s; ++i) t1[i] = t2[i];
}

void f2(int* t1, int* t2, int s) {
  int i;
  for (i = 0; i < s; ++i) t1[i] = t1[i+1];
}

void f3(int* t1, int* t2, int s) {
  int i;
  for (i = 0; i < s; ++i) t1[i] = t2[i+1];
}

void f4(int* t1, int* t2, int s) {
  int i = 0;
  while (i < s) { t1[i] = t2[i]; ++i; }
}

void f5(int* t1, int* t2, int s) {
  int i = 0;
  while (i < s) { t1[i] = t1[i+1]; ++i; }
}

void f6(int* t1, int* t2, int s) {
  int i = 0;
  while (i < s) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  int t1[6];
  int t2[6];
  f1(t1,t2,5);
  f2(t1,t2,5);
  f3(t1,t2,5);
  f4(t1,t2,5);
  f5(t1,t2,5);
  f6(t1,t2,5);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int pointer2.c" */
/* End: */
why-2.34/bench/c/absint/demo.c0000644000175000017500000000126012311670312014465 0ustar  rtusersint f(int);

int* g(int* p, int n, int d) {

    int* r;

    if (p == 0) {
        p = (int*)malloc(n * sizeof(int));
    }
    p += d;
    while (n--) {
        *p++ = 0; 
        if (f(*p)) {
            r = p;
        }
    }
    return r;
}

char* h(char* p, int s) {


    char* q;
    if (s > 0) {
        q = p+s;
        while (p < q) {
            p += 
                f(q-p);
        }
        return q;
    } else {
        q = (char*)malloc(s * sizeof(char));
        while (f(*q) > 0) {
            *q++ = '\0';
        }
        return q;
    }
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int -d demo.c" */
/* End: */
why-2.34/bench/c/absint/string2.c0000644000175000017500000000151612311670312015135 0ustar  rtusers
void f1(char* t1, char* t2, int s) {
  int i;
  for (i = 0; i < s; ++i) t1[i] = t2[i];
}

void f2(char* t1, char* t2, int s) {
  int i;
  for (i = 0; i < s; ++i) t1[i] = t1[i+1];
}

void f3(char* t1, char* t2, int s) {
  int i;
  for (i = 0; i < s; ++i) t1[i] = t2[i+1];
}

void f4(char* t1, char* t2, int s) {
  int i = 0;
  while (i < s) { t1[i] = t2[i]; ++i; }
}

void f5(char* t1, char* t2, int s) {
  int i = 0;
  while (i < s) { t1[i] = t1[i+1]; ++i; }
}

void f6(char* t1, char* t2, int s) {
  int i = 0;
  while (i < s) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  char t1[] = "12345";
  char t2[] = "12345";
  f1(t1,t2,5);
  f2(t1,t2,5);
  f3(t1,t2,5);
  f4(t1,t2,5);
  f5(t1,t2,5);
  f6(t1,t2,5);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int string2.c" */
/* End: */
why-2.34/bench/c/absint/pointer4.c0000644000175000017500000000235412311670312015312 0ustar  rtusers
void f1(int* t1, int* t2, int s) {
  int i;
  if (t1 != (int*)0 && !(t2 == 0)) 
    for (i = 0; i < s; ++i) t1[i] = t2[i];
}

void f2(int* t1, int* t2, int s) {
  int i;
  if (t1 != (int*)0 && !(t2 == 0)) 
    for (i = 0; i < s; ++i) t1[i] = t1[i+1];
}

void f3(int* t1, int* t2, int s) {
  int i;
  if (t1 != (int*)0 && !(t2 == 0)) 
    for (i = 0; i < s; ++i) t1[i] = t2[i+1];
}

void f4(int* t1, int* t2, int s) {
  int i = 0;
  if (t1 != (int*)0 && !(t2 == 0)) 
    while (i < s) { t1[i] = t2[i]; ++i; }
}

void f5(int* t1, int* t2, int s) {
  int i = 0;
  if (t1 != (int*)0 && !(t2 == 0)) 
    while (i < s) { t1[i] = t1[i+1]; ++i; }
}

void f6(int* t1, int* t2, int s) {
  int i = 0;
  if (t1 != (int*)0 && !(t2 == 0)) 
    while (i < s) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  int t1[6];
  int t2[6]; 
  f1(t1,t2,5); f1(t1,0,0); f1(0,t2,4); f1(0,0,-1);
  f2(t1,t2,5); f2(t1,0,0); f2(0,t2,4); f2(0,0,-1);
  f3(t1,t2,5); f3(t1,0,0); f3(0,t2,4); f3(0,0,-1);
  f4(t1,t2,5); f4(t1,0,0); f4(0,t2,4); f4(0,0,-1);
  f5(t1,t2,5); f5(t1,0,0); f5(0,t2,4); f5(0,0,-1);
  f6(t1,t2,5); f6(t1,0,0); f6(0,t2,4); f6(0,0,-1);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int pointer4.c" */
/* End: */
why-2.34/bench/c/absint/string6.c0000644000175000017500000000210412311670312015133 0ustar  rtusers
void f1(char* t1, char* t2, int s) {
  int i;
  for (i = 0; i < s; ++i)
    if (t1) t1[i] = t2[i];
}

void f2(char* t1, char* t2, int s) {
  int i;
  for (i = 0; i < s; ++i) 
    if (t1 != 0) t1[i] = t1[i+1];
}

void f3(char* t1, char* t2, int s) {
  int i;
  for (i = 0; i < s; ++i) 
    if (!(t1 == 0)) t1[i] = t2[i+1];
}

void f4(char* t1, char* t2, int s) {
  int i = 0;
  while (i < s) 
    if (t1) { t1[i] = t2[i]; ++i; }
}

void f5(char* t1, char* t2, int s) {
  int i = 0;
  while (i < s) 
    if (t1 != 0) { t1[i] = t1[i+1]; ++i; }
}

void f6(char* t1, char* t2, int s) {
  int i = 0;
  while (i < s)
    if (!(t1 == 0)) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  char t1[] = "12345";
  char t2[] = "12345";
  f1(t1,t2,5); f1(0,t2,4); f1(0,0,-1);
  f2(t1,t2,5); f2(0,t2,4); f2(0,0,-1);
  f3(t1,t2,5); f3(0,t2,4); f3(0,0,-1);
  f4(t1,t2,5); f4(0,t2,4); f4(0,0,-1);
  f5(t1,t2,5); f5(0,t2,4); f5(0,0,-1);
  f6(t1,t2,5); f6(0,t2,4); f6(0,0,-1);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int string6.c" */
/* End: */
why-2.34/bench/c/absint/arith2.c0000644000175000017500000000151112311670312014731 0ustar  rtusers
void f1(int* p1, int* p2, int s) {
  int i;
  for (i = 0; i < s; ++i) *p1++ = *p2++;
}

void f2(int* p1, int* p2, int s) {
  int i;
  for (i = 0; i < s; ++i) { *p1 = *(p1 + 1); p1++; }
}

void f3(int* p1, int* p2, int s) {
  int i;
  for (i = 0; i < s; ++i) { *p1++ = *(p2++ + 1); }
}

void f4(int* p1, int* p2, int s) {
  int i = 0;
  while (i < s) { *p1++ = *p2++; ++i; }
}

void f5(int* p1, int* p2, int s) {
  int i = 0;
  while (i < s) { *p1 = *(p1 + 1); p1++; ++i; }
}

void f6(int* p1, int* p2, int s) {
  int i = 0;
  while (i < s) { *p1++ = *(p2++ + 1); ++i; }
}

int main() {
  int t1[6];
  int t2[6];
  f1(t1,t2,5);
  f2(t1,t2,5);
  f3(t1,t2,5);
  f4(t1,t2,5);
  f5(t1,t2,5);
  f6(t1,t2,5);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int arith2.c" */
/* End: */
why-2.34/bench/c/absint/string_loop3.c0000644000175000017500000000245112311670312016166 0ustar  rtusers
void f1(char* t1, char* t2) {
  int i;
  if (t1 != (char*)0 && !(t2 == 0)) 
    for (i = 0; i < 5 && t1[i] && t2[i]; ++i) t1[i] = t2[i];
}

void f2(char* t1, char* t2) {
  int i;
  if (t1 != (char*)0 && !(t2 == 0)) 
    for (i = 0; i < 5 && t1[i] && t1[i+1]; ++i) t1[i] = t1[i+1];
}

void f3(char* t1, char* t2) {
  int i;
  if (t1 != (char*)0 && !(t2 == 0)) 
    for (i = 0; i < 5 && t1[i] && t2[i+1]; ++i) t1[i] = t2[i+1];
}

void f4(char* t1, char* t2) {
  int i = 0;
  if (t1 != (char*)0 && !(t2 == 0)) 
    while (i < 5 && t1[i] && t2[i]) { t1[i] = t2[i]; ++i; }
}

void f5(char* t1, char* t2) {
  int i = 0;
  if (t1 != (char*)0 && !(t2 == 0)) 
    while (i < 5 && t1[i] && t1[i+1]) { t1[i] = t1[i+1]; ++i; }
}

void f6(char* t1, char* t2) {
  int i = 0;
  if (t1 != (char*)0 && !(t2 == 0)) 
    while (i < 5 && t1[i] && t2[i+1]) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  char t1[] = "12345";
  char t2[] = "12345";
  f1(t1,t2); f1(t1,0); f1(0,t2); f1(0,0);
  f2(t1,t2); f2(t1,0); f2(0,t2); f2(0,0);
  f3(t1,t2); f3(t1,0); f3(0,t2); f3(0,0);
  f4(t1,t2); f4(t1,0); f4(0,t2); f4(0,0);
  f5(t1,t2); f5(t1,0); f5(0,t2); f5(0,0);
  f6(t1,t2); f6(t1,0); f6(0,t2); f6(0,0);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int string_loop3.c" */
/* End: */
why-2.34/bench/c/absint/string4.c0000644000175000017500000000242012311670312015132 0ustar  rtusers
void f1(char* t1, char* t2, int s) {
  int i;
  if (t1 != (char*)0 && !(t2 == 0)) 
    for (i = 0; i < s; ++i) t1[i] = t2[i];
}

void f2(char* t1, char* t2, int s) {
  int i;
  if (t1 != (char*)0 && !(t2 == 0)) 
    for (i = 0; i < s; ++i) t1[i] = t1[i+1];
}

void f3(char* t1, char* t2, int s) {
  int i;
  if (t1 != (char*)0 && !(t2 == 0)) 
    for (i = 0; i < s; ++i) t1[i] = t2[i+1];
}

void f4(char* t1, char* t2, int s) {
  int i = 0;
  if (t1 != (char*)0 && !(t2 == 0)) 
    while (i < s) { t1[i] = t2[i]; ++i; }
}

void f5(char* t1, char* t2, int s) {
  int i = 0;
  if (t1 != (char*)0 && !(t2 == 0)) 
    while (i < s) { t1[i] = t1[i+1]; ++i; }
}

void f6(char* t1, char* t2, int s) {
  int i = 0;
  if (t1 != (char*)0 && !(t2 == 0)) 
    while (i < s) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  char t1[] = "12345";
  char t2[] = "12345";
  f1(t1,t2,5); f1(t1,0,0); f1(0,t2,4); f1(0,0,-1);
  f2(t1,t2,5); f2(t1,0,0); f2(0,t2,4); f2(0,0,-1);
  f3(t1,t2,5); f3(t1,0,0); f3(0,t2,4); f3(0,0,-1);
  f4(t1,t2,5); f4(t1,0,0); f4(0,t2,4); f4(0,0,-1);
  f5(t1,t2,5); f5(t1,0,0); f5(0,t2,4); f5(0,0,-1);
  f6(t1,t2,5); f6(t1,0,0); f6(0,t2,4); f6(0,0,-1);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int string4.c" */
/* End: */
why-2.34/bench/c/absint/string3.c0000644000175000017500000000226012311670312015133 0ustar  rtusers
void f1(char* t1, char* t2) {
  int i;
  if (t1 != (char*)0 && !(t2 == 0)) 
    for (i = 0; i < 5; ++i) t1[i] = t2[i];
}

void f2(char* t1, char* t2) {
  int i;
  if (t1 != (char*)0 && !(t2 == 0)) 
    for (i = 0; i < 5; ++i) t1[i] = t1[i+1];
}

void f3(char* t1, char* t2) {
  int i;
  if (t1 != (char*)0 && !(t2 == 0)) 
    for (i = 0; i < 5; ++i) t1[i] = t2[i+1];
}

void f4(char* t1, char* t2) {
  int i = 0;
  if (t1 != (char*)0 && !(t2 == 0)) 
    while (i < 5) { t1[i] = t2[i]; ++i; }
}

void f5(char* t1, char* t2) {
  int i = 0;
  if (t1 != (char*)0 && !(t2 == 0)) 
    while (i < 5) { t1[i] = t1[i+1]; ++i; }
}

void f6(char* t1, char* t2) {
  int i = 0;
  if (t1 != (char*)0 && !(t2 == 0)) 
    while (i < 5) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  char t1[] = "12345";
  char t2[] = "12345";
  f1(t1,t2); f1(t1,0); f1(0,t2); f1(0,0);
  f2(t1,t2); f2(t1,0); f2(0,t2); f2(0,0);
  f3(t1,t2); f3(t1,0); f3(0,t2); f3(0,0);
  f4(t1,t2); f4(t1,0); f4(0,t2); f4(0,0);
  f5(t1,t2); f5(t1,0); f5(0,t2); f5(0,0);
  f6(t1,t2); f6(t1,0); f6(0,t2); f6(0,0);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int string3.c" */
/* End: */
why-2.34/bench/c/absint/string5.c0000644000175000017500000000176012311670312015141 0ustar  rtusers
void f1(char* t1, char* t2) {
  int i;
  for (i = 0; i < 5; ++i)
    if (t1) t1[i] = t2[i];
}

void f2(char* t1, char* t2) {
  int i;
  for (i = 0; i < 5; ++i) 
    if (t1 != 0) t1[i] = t1[i+1];
}

void f3(char* t1, char* t2) {
  int i;
  for (i = 0; i < 5; ++i) 
    if (!(t1 == 0)) t1[i] = t2[i+1];
}

void f4(char* t1, char* t2) {
  int i = 0;
  while (i < 5) 
    if (t1) { t1[i] = t2[i]; ++i; }
}

void f5(char* t1, char* t2) {
  int i = 0;
  while (i < 5) 
    if (t1 != 0) { t1[i] = t1[i+1]; ++i; }
}

void f6(char* t1, char* t2) {
  int i = 0;
  while (i < 5)
    if (!(t1 == 0)) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  char t1[] = "12345";
  char t2[] = "12345";
  f1(t1,t2); f1(0,t2); f1(0,0);
  f2(t1,t2); f2(0,t2); f2(0,0);
  f3(t1,t2); f3(0,t2); f3(0,0);
  f4(t1,t2); f4(0,t2); f4(0,0);
  f5(t1,t2); f5(0,t2); f5(0,0);
  f6(t1,t2); f6(0,t2); f6(0,0);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int string5.c" */
/* End: */
why-2.34/bench/c/absint/string_loop4.c0000644000175000017500000000261112311670312016165 0ustar  rtusers
void f1(char* t1, char* t2, int s) {
  int i;
  if (t1 != (char*)0 && !(t2 == 0)) 
    for (i = 0; i < s && t1[i] && t2[i]; ++i) t1[i] = t2[i];
}

void f2(char* t1, char* t2, int s) {
  int i;
  if (t1 != (char*)0 && !(t2 == 0)) 
    for (i = 0; i < s && t1[i] && t1[i+1]; ++i) t1[i] = t1[i+1];
}

void f3(char* t1, char* t2, int s) {
  int i;
  if (t1 != (char*)0 && !(t2 == 0)) 
    for (i = 0; i < s && t1[i] && t2[i+1]; ++i) t1[i] = t2[i+1];
}

void f4(char* t1, char* t2, int s) {
  int i = 0;
  if (t1 != (char*)0 && !(t2 == 0)) 
    while (i < s && t1[i] && t2[i]) { t1[i] = t2[i]; ++i; }
}

void f5(char* t1, char* t2, int s) {
  int i = 0;
  if (t1 != (char*)0 && !(t2 == 0)) 
    while (i < s && t1[i] && t1[i+1]) { t1[i] = t1[i+1]; ++i; }
}

void f6(char* t1, char* t2, int s) {
  int i = 0;
  if (t1 != (char*)0 && !(t2 == 0)) 
    while (i < s && t1[i] && t2[i+1]) { t1[i] = t2[i+1]; ++i; }
}

int main() {
  char t1[] = "12345";
  char t2[] = "12345";
  f1(t1,t2,5); f1(t1,0,0); f1(0,t2,4); f1(0,0,-1);
  f2(t1,t2,5); f2(t1,0,0); f2(0,t2,4); f2(0,0,-1);
  f3(t1,t2,5); f3(t1,0,0); f3(0,t2,4); f3(0,0,-1);
  f4(t1,t2,5); f4(t1,0,0); f4(0,t2,4); f4(0,0,-1);
  f5(t1,t2,5); f5(t1,0,0); f5(0,t2,4); f5(0,0,-1);
  f6(t1,t2,5); f6(t1,0,0); f6(0,t2,4); f6(0,0,-1);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int string_loop4.c" */
/* End: */
why-2.34/bench/c/absint/arith4.c0000644000175000017500000000240512311670312014736 0ustar  rtusers
void f1(int* p1, int* p2, int s) {
  int i;
  if (p1 != (int*)0 && !(p2 == 0)) 
    for (i = 0; i < s; ++i) *p1++ = *p2++;
}

void f2(int* p1, int* p2, int s) {
  int i;
  if (p1 != (int*)0 && !(p2 == 0)) 
    for (i = 0; i < s; ++i) { *p1 = *(p1 + 1); p1++; }
}

void f3(int* p1, int* p2, int s) {
  int i;
  if (p1 != (int*)0 && !(p2 == 0)) 
    for (i = 0; i < s; ++i) { *p1++ = *(p2++ + 1); }
}

void f4(int* p1, int* p2, int s) {
  int i = 0;
  if (p1 != (int*)0 && !(p2 == 0)) 
    while (i < s) { *p1++ = *p2++; ++i; }
}

void f5(int* p1, int* p2, int s) {
  int i = 0;
  if (p1 != (int*)0 && !(p2 == 0)) 
    while (i < s) { *p1 = *(p1 + 1); p1++; ++i; }
}

void f6(int* p1, int* p2, int s) {
  int i = 0;
  if (p1 != (int*)0 && !(p2 == 0)) 
    while (i < s) { *p1++ = *(p2++ + 1); ++i; }
}

int main() {
  int t1[6];
  int t2[6];
  f1(t1,t2,5); f1(t1,0,0); f1(0,t2,4); f1(0,0,-1);
  f2(t1,t2,5); f2(t1,0,0); f2(0,t2,4); f2(0,0,-1);
  f3(t1,t2,5); f3(t1,0,0); f3(0,t2,4); f3(0,0,-1);
  f4(t1,t2,5); f4(t1,0,0); f4(0,t2,4); f4(0,0,-1);
  f5(t1,t2,5); f5(t1,0,0); f5(0,t2,4); f5(0,0,-1);
  f6(t1,t2,5); f6(t1,0,0); f6(0,t2,4); f6(0,0,-1);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int arith4.c" */
/* End: */
why-2.34/bench/c/absint/arith1.c0000644000175000017500000000142312311670312014732 0ustar  rtusers
void f1(int* p1, int* p2) {
  int i;
  for (i = 0; i < 5; ++i) *p1++ = *p2++;
}

void f2(int* p1, int* p2) {
  int i;
  for (i = 0; i < 5; ++i) { *p1 = *(p1 + 1); p1++; }
}

void f3(int* p1, int* p2) {
  int i;
  for (i = 0; i < 5; ++i) { *p1++ = *(p2++ + 1); }
}

void f4(int* p1, int* p2) {
  int i = 0;
  while (i < 5) { *p1++ = *p2++; ++i; }
}

void f5(int* p1, int* p2) {
  int i = 0;
  while (i < 5) { *p1 = *(p1 + 1); p1++; ++i; }
}

void f6(int* p1, int* p2) {
  int i = 0;
  while (i < 5) { *p1++ = *(p2++ + 1); ++i; }
}

int main() {
  int t1[6];
  int t2[6];
  f1(t1,t2);
  f2(t1,t2);
  f3(t1,t2);
  f4(t1,t2);
  f5(t1,t2);
  f6(t1,t2);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int arith1.c" */
/* End: */
why-2.34/bench/c/absint/string_loop5.c0000644000175000017500000000231212311670312016164 0ustar  rtusers
void f1(char* t1, char* t2) {
  int i;
  for (i = 0; i < 5; ++i)
    if (t1 && t1[i] && t2[i]) t1[i] = t2[i];
    else break;
}

void f2(char* t1, char* t2) {
  int i;
  for (i = 0; i < 5; ++i) 
    if (t1 != 0  && t1[i] && t1[i+1]) t1[i] = t1[i+1];
    else break;
}

void f3(char* t1, char* t2) {
  int i;
  for (i = 0; i < 5; ++i) 
    if (!(t1 == 0) && t1[i] && t2[i+1]) t1[i] = t2[i+1];
    else break;
}

void f4(char* t1, char* t2) {
  int i = 0;
  while (i < 5) 
    if (t1 && t1[i] && t2[i]) { t1[i] = t2[i]; ++i; }
    else break;
}

void f5(char* t1, char* t2) {
  int i = 0;
  while (i < 5) 
    if (t1 != 0 && t1[i] && t1[i+1]) { t1[i] = t1[i+1]; ++i; }
    else break;
}

void f6(char* t1, char* t2) {
  int i = 0;
  while (i < 5)
    if (!(t1 == 0) && t1[i] && t2[i+1]) { t1[i] = t2[i+1]; ++i; }
    else break;
}

int main() {
  char t1[] = "12345";
  char t2[] = "12345";
  f1(t1,t2); f1(0,t2); f1(0,0);
  f2(t1,t2); f2(0,t2); f2(0,0);
  f3(t1,t2); f3(0,t2); f3(0,0);
  f4(t1,t2); f4(0,t2); f4(0,0);
  f5(t1,t2); f5(0,t2); f5(0,0);
  f6(t1,t2); f6(0,t2); f6(0,0);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int string_loop5.c" */
/* End: */
why-2.34/bench/c/absint/arith6.c0000644000175000017500000000243512311670312014743 0ustar  rtusers
void f1(int* p1, int* p2, int s) {
  int i;
  for (i = 0; i < s; ++i)
    if (p1) *p1++ = *p2++;
}

void f2(int* p1, int* p2, int s) {
  int i;
  for (i = 0; i < s; ++i) 
    if (p1 != 0) { *p1 = *(p1 + 1); p1++; }
}

void f3(int* p1, int* p2, int s) {
  int i;
  for (i = 0; i < s; ++i) 
    if (!(p1 == 0)) { *p1++ = *(p2++ + 1); }
}

void f4(int* p1, int* p2, int s) {
  int i = 0;
  while (i < s) 
    if (p1) { *p1++ = *p2++; ++i; }
}

void f5(int* p1, int* p2, int s) {
  int i = 0;
  while (i < s) 
    if (p1 != 0) { *p1 = *(p1 + 1); p1++; ++i; }
}

void f6(int* p1, int* p2, int s) {
  int i = 0;
  while (i < s)
    if (!(p1 == 0)) { *p1++ = *(p2++ + 1); ++i; }
}

int main() {
  int t1[6];
  int t2[6];
  // Calls with [p1] null are commented out. Indeed, code above is testing 
  // nullity of [p1], which is incremented in the loop !
  // Therefore it is incorrect to call these functions with [p1] null.
  f1(t1,t2,5); // f1(0,t2,4); f1(0,0,-1);
  f2(t1,t2,5); // f2(0,t2,4); f2(0,0,-1);
  f3(t1,t2,5); // f3(0,t2,4); f3(0,0,-1);
  f4(t1,t2,5); // f4(0,t2,4); f4(0,0,-1);
  f5(t1,t2,5); // f5(0,t2,4); f5(0,0,-1);
  f6(t1,t2,5); // f6(0,t2,4); f6(0,0,-1);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int arith6.c" */
/* End: */
why-2.34/bench/c/absint/string_annot.c0000644000175000017500000001215612311670312016254 0ustar  rtusers
typedef unsigned int size_t;

// 7.21.2.1: memcpy

char *memcpy(char *s1, const char *s2, size_t n) {
  char *r = s1;
  while (n-- > 0) *s1++ = *s2++;
  return r;
}

// 7.21.2.2: memmove

char *memmove(char *s1, const char *s2, size_t n) {
  char *tmp;
  if (n < 1) return s1;
  tmp = (char*)malloc(n * sizeof(char));
  memcpy(tmp,s2,n);
  memcpy(s1,tmp,n);
  return s1;
}

// 7.21.2.3: strcpy

char *strcpy(char *s1, const char *s2) {
  char *r = s1;
  while (*s1++ = *s2++) ;
  return r;
}

// 7.21.2.4: strncpy

char* strncpy(char *s1, const char *s2, size_t n) {
  char *r = s1;
  while ((n-- > 0) && (*s1++ = *s2++)) ;
  while (n-- > 0) *s1++ = 0;
  return r;
}

// 7.21.4.1: memcmp

int memcmp (const char *s1, const char *s2, size_t n) {
  int c;
  while (n-- > 0) {
    if ((c = *s1++ - *s2++) != 0) return c;
  }
  return 0;
}

// 7.21.4.2: strcmp

int strcmp (const char *s1, const char *s2) {
  int c;
  while (*s1 && *s2) {
    c = *s1++ - *s2++;
    if (c != 0) return c;
  }
  c = *s1 - *s2;
  return c;
}

// 7.21.4.3: strcoll

int strcoll (const char *s1, const char *s2) {
  return strcmp(s1,s2);
}

// 7.21.4.4: strncmp

int strncmp (const char *s1, const char *s2, size_t n) {
  int c = 0;
  while (*s1 && *s2 && (n-- > 0)) {
    c = *s1++ - *s2++;
    if (c != 0) return c;
  }
  if (n > 0) c = *s1 - *s2;
  return c;
}

// 7.21.4.4: strxfrm

size_t strxfrm (char *s1, const char *s2, size_t n) {
  size_t n1 = 0;
  while (*s2) {
    if (n-- > 0) *s1++ = *s2;
    s2++; n1++;
  }
  if (n > 0) *s1 = 0;
  return n1;
}

// 7.21.5.1: memchr

char *memchr (const char *s, char c, size_t n) {
  while (n-- > 0) {
    if (*s++ == c) return s-1;
  }
  return 0;
}

// 7.21.5.2: strchr

char *strchr (const char *s, char c) {
  while (*s) {
    if (*s++ == c) return s-1;
  }
  if (*s == c) return s;
  return 0;
}

// 7.21.5.3: strcspn
// postcondition added for strtok

/*@ ensures 0 <= \result <= \strlen(\old(s1)) */
size_t strcspn (const char *s1, const char *s2) {
  size_t n = 0;
  while (*s1 && strchr(s2,*s1++) == 0) ++n;
  return n;
}

// 7.21.5.4: strpbrk

char *strpbrk (const char *s1, const char *s2) {
  while (*s1) {
    if (strchr(s2,*s1) == 0) ++s1;
    else return s1;
  }
  return 0;
}

// 7.21.5.5: strrchr

char *strrchr(const char *s, char c) {
  char *r = 0;
  while (*s) {
    if (*s++ == c) r = s-1;
  }
  if (c == 0) r = s;
  return r;
}

// 7.21.5.6: strspn
// postcondition added for strtok

/*@ ensures 0 <= \result <= \strlen(\old(s1)) */
size_t strspn (const char *s1, const char *s2) {
  size_t n = 0;
  while (*s1 && strchr(s2,*s1++) != 0) ++n;
  return n;
}

// 7.21.5.7: strstr

char *strstr (const char *s1, const char *s2) {
  if (*s2 == 0) return s1;
  while (*s1) { 
    const char *rs1 = s1;
    const char *rs2 = s2;
    while (*rs1 && *rs2 && (*rs1 == *rs2)) { rs1++; rs2++; }
    if (*rs2 == 0) return s1;
    s1++;
  }
  return 0;
}

// 7.21.6.1: memset

char *memset (char *s, char c, size_t n) {
  char *r = s;
  while (n-- > 0) *s++ = c;
  return r;
}

// 7.21.6.3: strlen

size_t strlen(const char *s) {
  size_t n = 0;
  while (*s++) ++n;
  return n;
}


// Here we have gathered all 4 functions on which 
// inference does not work well, for 2 different reasons:
// - on strcat/strncat, precondition should include 
//   an inequality between 3 variables, which is not 
//   possible with only octagons
// - on strtok/strerror, precondition should mention 
//   global variables


// 7.21.3.1: strcat

/*@ requires \strlen(s1) >= 0 
  @       && \strlen(s2) >= 0
  @       && \arrlen(s1) > \strlen(s1) + \strlen(s2)
  @       && \full_separated(s1,s2)
*/
char *strcat (char *s1, const char *s2) {
  char *r = s1;
  /*@ invariant 0 <= s1 - \old(s1) <= \strlen(\old(s1)) */
  while (*s1) s1++;
  strcpy(s1,s2);
  return r;
}

// 7.21.3.2: strncat

/*@ requires \strlen(s1) >= 0 
  @       && \strlen(s2) >= 0
  @       && \arrlen(s1) >= \strlen(s1) + n 
  @       && \full_separated(s1,s2)
*/
char *strncat (char *s1, const char *s2, size_t n) {
  char *r = s1;
  /*@ invariant 0 <= s1 - \old(s1) <= \strlen(\old(s1)) */
  while (*s1) s1++;
  /*@ invariant s1 - \old(s1) == \old(\strlen(s1)) + \old(n) - n
    @        && 0 <= s1 - \old(s1)
    @        && 0 <= s2 - \old(s2) <= \strlen(\old(s2))
   */
  while ((n-- > 0) && (*s1++ = *s2++)) ;
  if (n >= 0) *s1 = 0;
  return r;
}

// 7.21.5.8: strtok

static char *tok;

/*@ requires (s1 != 0 => \strlen(s1) >= 0)
  @       && (s1 == 0 => \strlen(tok) >= 0)
  @       && \strlen(s2) >= 0
*/
char *strtok (char *s1, const char *s2) {
  char *r = 0;
  size_t n;
  if (s1 == 0) s1 = tok;
  s1 += strspn(s1,s2);
  if ((n = strcspn(s1,s2)) > 0) {
    r = s1;
    tok = s1 + n;
    if (*tok != 0) *tok++ = 0;
  }
  return r;
}

// 7.21.6.2: strerror

static char errbuf[1024];

extern char** errmsg;

/*@ requires 1 <= errnum <= \arrlen(errmsg)
  @       && \forall int i; 0 <= i < \arrlen(errmsg) 
  @          => (0 <= \strlen(errmsg[i]) < 1024 
  @              && \full_separated(errbuf, errmsg[i]))
 */
char *strerror (int errnum) {
  strcpy(errbuf,errmsg[errnum-1]);
  return errbuf;
}


/*
  (* Local Variables: *)
  (* compile-command: "caduceus --loc-alias --arith-mem --abs-int string_annot.c" *)
  (* End: *)
*/
why-2.34/bench/c/absint/string_full_annot.c0000644000175000017500000001743512311670312017303 0ustar  rtusers
typedef unsigned int size_t;

// 7.21.2.1: memcpy

/*@ requires \arrlen(s1) >= n
  @       && \arrlen(s2) >= n
 */
char *memcpy(char *s1, const char *s2, size_t n) {
  char *r = s1;
  /*@ invariant 0 <= s1 - \old(s1) == \old(n) - n 
    @        && 0 <= s2 - \old(s2) == \old(n) - n 
  */
  while (n-- > 0) *s1++ = *s2++;
  return r;
}

// 7.21.2.2: memmove

/*@ requires \arrlen(s1) >= n
  @       && \arrlen(s2) >= n
 */
char *memmove(char *s1, const char *s2, size_t n) {
  char *tmp;
  if (n < 1) return s1;
  tmp = (char*)malloc(n * sizeof(char));
  memcpy(tmp,s2,n);
  memcpy(s1,tmp,n);
  return s1;
}

// 7.21.2.3: strcpy

/*@ requires \strlen(s2) >= 0
  @       && \arrlen(s1) > \strlen(s2)
  @       && \full_separated(s1,s2)
 */
char *strcpy(char *s1, const char *s2) {
  char *r = s1;
  /*@ invariant 0 <= s1 - \old(s1) == s2 - \old(s2)
    @        && 0 <= s2 - \old(s2) <= \strlen(\old(s2))
    @        && \strlen(\old(s2)) == \old(\strlen(s2))
   */
  while (*s1++ = *s2++) ;
  return r;
}

// 7.21.2.4: strncpy

/*@ requires \strlen(s2) >= 0
  @       && \arrlen(s1) >= n
  @       && \full_separated(s1,s2)
 */
char* strncpy(char *s1, const char *s2, size_t n) {
  char *r = s1;
  /*@ invariant 0 <= s1 - \old(s1) == \old(n) - n 
    @        && 0 <= s2 - \old(s2) <= \strlen(\old(s2))
  */
  while ((n-- > 0) && (*s1++ = *s2++)) ;
  /*@ invariant 0 <= s1 - \old(s1) <= \old(n) - n */
  while (n-- > 0) *s1++ = 0;
  return r;
}

// 7.21.4.1: memcmp

/*@ requires \arrlen(s1) >= n
  @       && \arrlen(s2) >= n
 */
int memcmp (const char *s1, const char *s2, size_t n) {
  int c;
  /*@ invariant 0 <= s1 - \old(s1) == \old(n) - n 
    @        && 0 <= s2 - \old(s2) == \old(n) - n 
  */
  while (n-- > 0) {
    if ((c = *s1++ - *s2++) != 0) return c;
  }
  return 0;
}

// 7.21.4.2: strcmp

/*@ requires \strlen(s1) >= 0
  @       && \strlen(s2) >= 0
*/
int strcmp (const char *s1, const char *s2) {
  int c;
  /*@ invariant 0 <= s1 - \old(s1) <= \strlen(\old(s1))
    @        && 0 <= s2 - \old(s2) <= \strlen(\old(s2))
  */
  while (*s1 && *s2) {
    c = *s1++ - *s2++;
    if (c != 0) return c;
  }
  c = *s1 - *s2;
  return c;
}

// 7.21.4.3: strcoll

/*@ requires \strlen(s1) >= 0
  @       && \strlen(s2) >= 0
*/
int strcoll (const char *s1, const char *s2) {
  return strcmp(s1,s2);
}

// 7.21.4.4: strncmp

/*@ requires \strlen(s1) >= 0
  @       && \strlen(s2) >= 0
*/
int strncmp (const char *s1, const char *s2, size_t n) {
  int c = 0;
  /*@ invariant 0 <= s1 - \old(s1) <= \strlen(\old(s1))
    @        && 0 <= s2 - \old(s2) <= \strlen(\old(s2))
  */
  while (*s1 && *s2 && (n-- > 0)) {
    c = *s1++ - *s2++;
    if (c != 0) return c;
  }
  if (n > 0) c = *s1 - *s2;
  return c;
}

// 7.21.4.4: strxfrm

/*@ requires \strlen(s2) >= 0
  @       && \arrlen(s1) >= n
  @       && \full_separated(s1,s2)
 */
size_t strxfrm (char *s1, const char *s2, size_t n) {
  size_t n1 = 0;
  /*@ invariant 0 <= s2 - \old(s2) <= \strlen(\old(s2)) 
    @        && 0 <= s1 - \old(s1) <= \old(n) - n
    @        && \strlen(\old(s2)) == \old(\strlen(s2))
  */
  while (*s2) {
    if (n-- > 0) *s1++ = *s2;
    s2++; n1++;
  }
  if (n > 0) *s1 = 0;
  return n1;
}

// 7.21.5.1: memchr

/*@ requires \arrlen(s) >= n */
char *memchr (const char *s, char c, size_t n) {
  /*@ invariant 0 <= s - \old(s) == \old(n) - n */
  while (n-- > 0) {
    if (*s++ == c) return s-1;
  }
  return 0;
}

// 7.21.5.2: strchr

/*@ requires \strlen(s) >= 0 */
char *strchr (const char *s, char c) {
  /*@ invariant 0 <= s - \old(s) <= \strlen(\old(s)) */
  while (*s) {
    if (*s++ == c) return s-1;
  }
  if (*s == c) return s;
  return 0;
}

// 7.21.5.3: strcspn
// postcondition added for strtok

/*@ requires \strlen(s1) >= 0
  @       && \strlen(s2) >= 0
  @ ensures 0 <= \result <= \strlen(\old(s1)) 
*/
size_t strcspn (const char *s1, const char *s2) {
  size_t n = 0;
  /*@ invariant 0 <= s1 - \old(s1) <= \strlen(\old(s1)) 
    @        && 0 <= s1 - \old(s1) == n
   */
  while (*s1 && strchr(s2,*s1++) == 0) ++n;
  return n;
}

// 7.21.5.4: strpbrk

/*@ requires \strlen(s1) >= 0
  @       && \strlen(s2) >= 0
*/
char *strpbrk (const char *s1, const char *s2) {
  /*@ invariant 0 <= s1 - \old(s1) <= \strlen(\old(s1)) */
  while (*s1) {
    if (strchr(s2,*s1) == 0) ++s1;
    else return s1;
  }
  return 0;
}

// 7.21.5.5: strrchr

/*@ requires \strlen(s) >= 0 */
char *strrchr(const char *s, char c) {
  char *r = 0;
  /*@ invariant 0 <= s - \old(s) <= \strlen(\old(s)) */
  while (*s) {
    if (*s++ == c) r = s-1;
  }
  if (c == 0) r = s;
  return r;
}

// 7.21.5.6: strspn
// postcondition added for strtok

/*@ requires \strlen(s1) >= 0
  @       && \strlen(s2) >= 0
  @ ensures 0 <= \result <= \strlen(\old(s1)) 
*/
size_t strspn (const char *s1, const char *s2) {
  size_t n = 0;
  /*@ invariant 0 <= s1 - \old(s1) <= \strlen(\old(s1))
    @        && 0 <= s1 - \old(s1) == n
  */
  while (*s1 && strchr(s2,*s1++) != 0) ++n;
  return n;
}

// 7.21.5.7: strstr

/*@ requires \strlen(s1) >= 0
  @       && \strlen(s2) >= 0
*/
char *strstr (const char *s1, const char *s2) {
  if (*s2 == 0) return s1;
  /*@ invariant 0 <= s1 - \old(s1) <= \strlen(\old(s1)) */
  while (*s1) { 
    const char *rs1 = s1;
    const char *rs2 = s2;
    /*@ invariant 0 <= rs1 - s1 <= \strlen(s1)
      @        && 0 <= rs2 - s2 <= \strlen(s2)
    */
    while (*rs1 && *rs2 && (*rs1 == *rs2)) { rs1++; rs2++; }
    if (*rs2 == 0) return s1;
    s1++;
  }
  return 0;
}

// 7.21.6.1: memset

/*@ requires \arrlen(s) >= n */
char *memset (char *s, char c, size_t n) {
  char *r = s;
  /*@ invariant 0 <= s - \old(s) == \old(n) - n */
  while (n-- > 0) *s++ = c;
  return r;
}

// 7.21.6.3: strlen

/*@ requires \strlen(s) >= 0 */
size_t strlen(const char *s) {
  size_t n = 0;
  /*@ invariant 0 <= s - \old(s) <= \strlen(\old(s)) */
  while (*s++) ++n;
  return n;
}


// Here we have gathered all 4 functions on which 
// inference does not work well, for 2 different reasons:
// - on strcat/strncat, precondition should include 
//   an inequality between 3 variables, which is not 
//   possible with only octagons
// - on strtok/strerror, precondition should mention 
//   global variables


// 7.21.3.1: strcat

/*@ requires \strlen(s1) >= 0 
  @       && \strlen(s2) >= 0
  @       && \arrlen(s1) > \strlen(s1) + \strlen(s2)
  @       && \full_separated(s1,s2)
*/
char *strcat (char *s1, const char *s2) {
  char *r = s1;
  /*@ invariant 0 <= s1 - \old(s1) <= \strlen(\old(s1)) */
  while (*s1) s1++;
  strcpy(s1,s2);
  return r;
}

// 7.21.3.2: strncat

/*@ requires \strlen(s1) >= 0 
  @       && \strlen(s2) >= 0
  @       && \arrlen(s1) >= \strlen(s1) + n 
  @       && \full_separated(s1,s2)
*/
char *strncat (char *s1, const char *s2, size_t n) {
  char *r = s1;
  /*@ invariant 0 <= s1 - \old(s1) <= \strlen(\old(s1)) */
  while (*s1) s1++;
  /*@ invariant s1 - \old(s1) == \old(\strlen(s1)) + \old(n) - n
    @        && 0 <= s1 - \old(s1)
    @        && 0 <= s2 - \old(s2) <= \strlen(\old(s2))
   */
  while ((n-- > 0) && (*s1++ = *s2++)) ;
  if (n >= 0) *s1 = 0;
  return r;
}

// 7.21.5.8: strtok

static char *tok;

/*@ requires (s1 != 0 => \strlen(s1) >= 0)
  @       && (s1 == 0 => \strlen(tok) >= 0)
  @       && \strlen(s2) >= 0
*/
char *strtok (char *s1, const char *s2) {
  char *r = 0;
  size_t n;
  if (s1 == 0) s1 = tok;
  s1 += strspn(s1,s2);
  if ((n = strcspn(s1,s2)) > 0) {
    r = s1;
    tok = s1 + n;
    if (*tok != 0) *tok++ = 0;
  }
  return r;
}

// 7.21.6.2: strerror

static char errbuf[1024];

extern char** errmsg;

/*@ requires 1 <= errnum <= \arrlen(errmsg)
  @       && \forall int i; 0 <= i < \arrlen(errmsg) 
  @          => (0 <= \strlen(errmsg[i]) < 1024 
  @              && \full_separated(errbuf, errmsg[i]))
 */
char *strerror (int errnum) {
  strcpy(errbuf,errmsg[errnum-1]);
  return errbuf;
}


/*
  (* Local Variables: *)
  (* compile-command: "caduceus --loc-alias --arith-mem string_full_annot.c" *)
  (* End: *)
*/
why-2.34/bench/c/absint/arith5.c0000644000175000017500000000231112311670312014733 0ustar  rtusers
void f1(int* p1, int* p2) {
  int i;
  for (i = 0; i < 5; ++i)
    if (p1) *p1++ = *p2++;
}

void f2(int* p1, int* p2) {
  int i;
  for (i = 0; i < 5; ++i) 
    if (p1 != 0) { *p1 = *(p1 + 1); p1++; }
}

void f3(int* p1, int* p2) {
  int i;
  for (i = 0; i < 5; ++i) 
    if (!(p1 == 0)) { *p1++ = *(p2++ + 1); }
}

void f4(int* p1, int* p2) {
  int i = 0;
  while (i < 5) 
    if (p1) { *p1++ = *p2++; ++i; }
}

void f5(int* p1, int* p2) {
  int i = 0;
  while (i < 5) 
    if (p1 != 0) { *p1 = *(p1 + 1); p1++; ++i; }
}

void f6(int* p1, int* p2) {
  int i = 0;
  while (i < 5)
    if (!(p1 == 0)) { *p1++ = *(p2++ + 1); ++i; }
}

int main() {
  int t1[6];
  int t2[6];
  // Calls with [p1] null are commented out. Indeed, code above is testing 
  // nullity of [p1], which is incremented in the loop !
  // Therefore it is incorrect to call these functions with [p1] null.
  f1(t1,t2); // f1(0,t2); f1(0,0);
  f2(t1,t2); // f2(0,t2); f2(0,0);
  f3(t1,t2); // f3(0,t2); f3(0,0);
  f4(t1,t2); // f4(0,t2); f4(0,0);
  f5(t1,t2); // f5(0,t2); f5(0,0);
  f6(t1,t2); // f6(0,t2); f6(0,0);
  return 0;
}

/* Local Variables: */
/* compile-command: "caduceus -print-norm --loc-alias --arith-mem --abs-int arith5.c" */
/* End: */
why-2.34/bench/c/bad-sem/0000755000175000017500000000000012311670312013426 5ustar  rtuserswhy-2.34/bench/c/bad-sem/two_types_2.c0000644000175000017500000000003112311670312016042 0ustar  rtusersstruct { int x; } int y;
why-2.34/bench/c/bad-sem/clash_tag_2.c0000644000175000017500000000006012311670312015734 0ustar  rtusersstruct S { int x; };
union S { double f; };

why-2.34/bench/c/bad-sem/continue_not_in_a_loop.c0000644000175000017500000000003012311670312020306 0ustar  rtusersvoid f() { continue; }
why-2.34/bench/c/bad-sem/unsigned_float.c0000644000175000017500000000002312311670312016566 0ustar  rtusersunsigned float a;
why-2.34/bench/c/bad-sem/array_size_not_int.c0000644000175000017500000000001512311670312017470 0ustar  rtusersint t[1.2];
why-2.34/bench/c/bad-sem/two_types_1.c0000644000175000017500000000001312311670312016041 0ustar  rtusersint int x;
why-2.34/bench/c/bad-sem/too_long.c0000644000175000017500000000002212311670312015404 0ustar  rtuserslong long long x;
why-2.34/bench/c/bad-sem/old_style_1.c0000644000175000017500000000007312311670312016010 0ustar  rtusers/* old style parameters declaration */
void f(x)
int y;
{}
why-2.34/bench/c/bad-sem/member_1.c0000644000175000017500000000012712311670312015261 0ustar  rtusersstruct S { int x; } s;
void f() { s.y = 0; } /* structure has no member named y */

why-2.34/bench/c/bad-sem/member_4.c0000644000175000017500000000014712311670312015266 0ustar  rtusersint * s;
void f() { s->x = 0; } 
/* request for member x in something not a structure or union */

why-2.34/bench/c/bad-sem/undeclared_variable_1.c0000644000175000017500000000001312311670312017757 0ustar  rtusersint x = y;
why-2.34/bench/c/bad-sem/clash_tag_1.c0000644000175000017500000000005712311670312015741 0ustar  rtusersstruct S { int x; };
struct S { doubld f; };
why-2.34/bench/c/bad-sem/incomplete_type_2.c0000644000175000017500000000004412311670312017211 0ustar  rtusersstruct S x;
void f() { x.f = 0; }
why-2.34/bench/c/bad-sem/incomplete_type_1.c0000644000175000017500000000004612311670312017212 0ustar  rtusersstruct S * x;
void f() { x.f = 0; }
why-2.34/bench/c/bad-sem/old_style_3.c0000644000175000017500000000007712311670312016016 0ustar  rtusers/* old style parameters declaration */
void f(x)
int x = 0;
{}
why-2.34/bench/c/bad-sem/multiple_storage_class_1.c0000644000175000017500000000002512311670312020553 0ustar  rtusersextern static int x;
why-2.34/bench/c/bad-sem/short_long.c0000644000175000017500000000002212311670312015742 0ustar  rtusersshort long int x;
why-2.34/bench/c/bad-sem/warnings.c0000644000175000017500000000043612311670312015425 0ustar  rtusers

const int x = 0xFFFFFFFF;

struct s {
  long a : 40;
};

const int y = 0xFFFFFFF0;

struct t {
  long b : 44;
};

const int z = 0xFFFFFFF9;

struct u {
  long c : 48;
};

const int w = 0xFFFFFFF9;

struct v {
  long d : 50;
};


int f () {
  return x;
}
why-2.34/bench/c/bad-sem/old_style_2.c0000644000175000017500000000010312311670312016003 0ustar  rtusers/* old style parameters declaration */
void f(x)
int y;
char y;
{}
why-2.34/bench/c/bad-sem/break_not_in_a_loop.c0000644000175000017500000000002512311670312017552 0ustar  rtusersvoid f() { break; }
why-2.34/bench/c/bad-sem/goto.c0000644000175000017500000000003012311670312014533 0ustar  rtusers

int f() {
  goto l;
}
why-2.34/bench/c/bad-sem/typedef_initialized_1.c0000644000175000017500000000002312311670312020032 0ustar  rtuserstypedef int x = 0;
why-2.34/bench/c/bad-sem/struct_compare.c0000644000175000017500000000010612311670312016621 0ustar  rtusers

struct s { int x; };


int f() {
  struct s a b;
  return (a==b);
}
why-2.34/bench/c/bad-sem/undeclared_variable_2.c0000644000175000017500000000002712311670312017765 0ustar  rtusersvoid f() { x = 1; }

why-2.34/bench/c/bad-sem/member_3.c0000644000175000017500000000014412311670312015262 0ustar  rtusersint s;
void f() { s.x = 0; } 
/* request for member x in something not a structure or union */

why-2.34/bench/c/bad-sem/member_5.c0000644000175000017500000000010612311670312015262 0ustar  rtusersint s;
void f() { s->x = 0; } /* invalid type argument of `->' */

why-2.34/bench/c/bad-sem/sign_invalid_1.c0000644000175000017500000000003412311670312016455 0ustar  rtuserssigned struct { int x; } y;
why-2.34/bench/c/bad-sem/array_subscript_not_int.c0000644000175000017500000000003412311670312020535 0ustar  rtusersint t[5];
int x = t[1.2];
why-2.34/bench/c/bad-sem/member_2.c0000644000175000017500000000012212311670312015255 0ustar  rtusersunion S { int x; } s;
void f() { s.y = 0; } /* union has no member named y */

why-2.34/bench/c/bad-sem/incomplete_type_3.c0000644000175000017500000000006612311670312017216 0ustar  rtuserstypedef struct S tau;
tau x;
void f() { x.f = 0; }
why-2.34/bench/c/bad-sem/signed_unsigned.c0000644000175000017500000000002712311670312016736 0ustar  rtuserssigned unsigned int x;
why-2.34/bench/c/bad-syn/0000755000175000017500000000000012311670312013453 5ustar  rtuserswhy-2.34/bench/c/bad-syn/unbound_type_2.c0000644000175000017500000000003012311670312016544 0ustar  rtusers
struct { t x; } y;

why-2.34/bench/c/bad-syn/unbound_type_1.c0000644000175000017500000000001012311670312016541 0ustar  rtusers
t x;
why-2.34/bench/c/bad-syn/type_name_1.c0000644000175000017500000000010212311670312016011 0ustar  rtuserstypedef int t;
signed t x; /* signed cannot qualify a typedef */

why-2.34/bench/good-v7/0000755000175000017500000000000012311670312013156 5ustar  rtuserswhy-2.34/bench/good-v7/all_valid.v0000644000175000017500000003701712311670312015304 0ustar  rtusers(* This file is generated by Why; do not edit *)

Require Import Why.
Require Export all_why.

Definition p1 (* validation *)
  : (sig_1 Z [result: Z](True))
  := (exist_1 [result: Z]True `0` I).

Definition p2 (* validation *)
  : (sig_1 Z [result: Z](~False))
  := (exist_1 [result: Z]~False `0` p2_po_1).

Definition p3 (* validation *)
  : (sig_1 Z [result: Z](True /\ True))
  := (exist_1 [result: Z]True /\ True `0` p3_po_1).

Definition p4 (* validation *)
  : (sig_1 Z [result: Z](True \/ False))
  := (exist_1 [result: Z]True \/ False `0` p4_po_1).

Definition p5 (* validation *)
  : (sig_1 Z [result: Z](False \/ ~False))
  := (exist_1 [result: Z]False \/ ~False `0` p5_po_1).

Definition p6 (* validation *)
  : (sig_1 Z [result: Z]((True -> ~False)))
  := (exist_1 [result: Z](True -> ~False) `0` p6_po_1).

Definition p7 (* validation *)
  : (sig_1 Z [result: Z](((x:Z) `x = x`)))
  := (exist_1 [result: Z]((x:Z) `x = x`) `0` p7_po_1).

Definition p8 (* validation *)
  : (sig_1 Z [result: Z](True /\ ((x:Z) `x = x`)))
  := (exist_1 [result: Z]True /\ ((x:Z) `x = x`) `0` p8_po_1).

Definition p9 (* validation *)
  : (sig_1 Z [result: Z](((x:Z) ((y:Z) (`x = y` -> `x = y`)))))
  := (exist_1 [result: Z]((x:Z) ((y:Z) (`x = y` -> `x = y`))) `0` p9_po_1).

Definition acc1 (* validation *)
  : Z
  := v2.

Definition acc2 (* validation *)
  : Z
  := acc1.

Definition acc3 (* validation *)
  : (t: (array Z))(sig_1 unit [result: unit](`(access t 1) = 2`))
  := f8.

Definition d1 (* validation *)
  : (v1: bool)bool
  := [v1: bool]v1.

Definition d2 (* validation *)
  : (v4: Z)Z
  := [v4: Z]v4.

Definition ar1 (* validation *)
  : Z
  := `1`.

Definition ar2 (* validation *)
  : Z
  := `(-1)`.

Definition ar3 (* validation *)
  : Z
  := `1 + 1`.

Definition ar4 (* validation *)
  : Z
  := `1 - 1`.

Definition ar5 (* validation *)
  : Z
  := `1 * 1`.

Definition ar6 (* validation *)
  : Z
  := let Pre1 = ar6_po_1 in
     (Zdiv `1` `1`).

Definition ar7 (* validation *)
  : Z
  := let Pre1 = ar7_po_1 in
     (Zmod `1` `1`).

Definition a1 (* validation *)
  : (v4: Z)(sig_2 Z unit [v4_0: Z][result: unit](v4_0 = `1`))
  := [v4: Z]
       let (result, Post1) = (exist_1 [result: Z]result = `1` `1`
         (refl_equal ? `1`)) in
       (exist_2 [v4_1: Z][result0: unit]v4_1 = `1` result tt Post1).

Definition a2 (* validation *)
  : (v1: bool)(sig_2 bool unit [v1_0: bool][result: unit](v1_0 = true))
  := [v1: bool]
       let (result, Post1) = (exist_1 [result: bool]result = true true
         (refl_equal ? true)) in
       (exist_2 [v1_1: bool][result0: unit]v1_1 = true result tt Post1).

Definition a3 (* validation *)
  : (v4: Z)(sig_2 Z unit [v4_0: Z][result: unit](v4_0 = `2 + 2`))
  := [v4: Z]
       let (result, Post1) = (exist_1 [result: Z]result = `2 + 2` `2 + 2`
         (refl_equal ? `2 + 2`)) in
       (exist_2 [v4_1: Z][result0: unit]v4_1 = `2 + 2` result tt Post1).

Definition a4 (* validation *)
  : (v4: Z)(sig_2 Z unit [v4_0: Z][result: unit](v4_0 = v4))
  := [v4: Z]
       let (result, Post1) = (exist_1 [result: Z]result = v4 v4
         (refl_equal ? v4)) in
       (exist_2 [v4_1: Z][result0: unit]v4_1 = v4 result tt Post1).

Definition s1 (* validation *)
  : (v4: Z)(tuple_2 Z unit)
  := [v4: Z]
       let (v4_0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `1` `1`
           (refl_equal ? `1`)) in
         (exist_2 [v4_1: Z][result0: unit]v4_1 = `1` result tt Post1) in
       let (v4_1, result0, Post2) =
         let (result0, Post2) = (exist_1 [result0: Z]result0 = `2` `2`
           (refl_equal ? `2`)) in
         (exist_2 [v4_2: Z][result1: unit]v4_2 = `2` result0 tt Post2) in
       (Build_tuple_2 v4_1 result0).

Definition s2 (* validation *)
  : (v1: bool)(v4: Z)(tuple_3 bool Z unit)
  := [v1: bool; v4: Z]
       let (v1_0, result, Post1) =
         let (result, Post1) = (exist_1 [result: bool]result = true true
           (refl_equal ? true)) in
         (exist_2 [v1_1: bool][result0: unit]v1_1 = true result tt Post1) in
       let (v4_0, result0, Post2) =
         let (result0, Post2) = (exist_1 [result0: Z]result0 = `2` `2`
           (refl_equal ? `2`)) in
         (exist_2 [v4_1: Z][result1: unit]v4_1 = `2` result0 tt Post2) in
       (Build_tuple_3 v1_0 v4_0 result0).

Definition s3 (* validation *)
  : (v4: Z)(tuple_2 Z unit)
  := [v4: Z]
       let (v4_0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `1` `1`
           (refl_equal ? `1`)) in
         (exist_2 [v4_1: Z][result0: unit]v4_1 = `1` result tt Post1) in
       let (v4_1, result0, Post2) =
         let (result0, Post2) = (exist_1 [result0: Z]result0 = v4_0 v4_0
           (refl_equal ? v4_0)) in
         (exist_2 [v4_2: Z][result1: unit]v4_2 = v4_0 result0 tt Post2) in
       let (v4_2, result1, Post3) =
         let (result1, Post3) = (exist_1 [result1: Z]result1 = `3` `3`
           (refl_equal ? `3`)) in
         (exist_2 [v4_3: Z][result2: unit]v4_3 = `3` result1 tt Post3) in
       (Build_tuple_2 v4_2 result1).

Definition s4 (* validation *)
  : (v4: Z)(tuple_2 Z Z)
  := [v4: Z]
       let (v4_0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `1` `1`
           (refl_equal ? `1`)) in
         (exist_2 [v4_1: Z][result0: unit]v4_1 = `1` result tt Post1) in
       (Build_tuple_2 v4_0 `2`).

Definition c1 (* validation *)
  : Z
  := if true then
       `1`
     else
       `2`.

Definition c2 (* validation *)
  : (v1: bool)Z
  := [v1: bool]if v1 then
                 `1`
               else
                 `2`.

Definition c3 (* validation *)
  : (v4: Z)(tuple_2 Z unit)
  := [v4: Z]
       let (result, Bool1) =
         let (result1, Post4) = (Z_eq_bool v4 `1`) in
         (exist_1 [result2: bool]
         (if result2 then `v4 = 1` else `v4 <> 1`) result1 Post4) in
       Cases
         (btest [result:bool](if result then `v4 = 1` else `v4 <> 1`) result
          Bool1) of
       | (left Test2) =>
           let (v4_0, result0, Post1) =
             let (result0, Post1) = (exist_1 [result0: Z]result0 = `2` 
               `2` (refl_equal ? `2`)) in
             (exist_2 [v4_1: Z][result1: unit]v4_1 = `2` result0 tt Post1) in
           (Build_tuple_2 v4_0 result0)
       | (right Test1) =>
           let (v4_0, result0, Post2) =
             let (result0, Post2) = (exist_1 [result0: Z]result0 = `3` 
               `3` (refl_equal ? `3`)) in
             (exist_2 [v4_1: Z][result1: unit]v4_1 = `3` result0 tt Post2) in
           (Build_tuple_2 v4_0 result0) end.

Definition l1 (* validation *)
  : Z
  := let (x, Post1) = (exist_1 [result: Z]result = `1` `1`
       (refl_equal ? `1`)) in
     x.

Definition l2 (* validation *)
  : (v4: Z)(tuple_2 Z unit)
  := [v4: Z]
       let (x, Post2) = (exist_1 [result: Z]result = `1` `1`
         (refl_equal ? `1`)) in
       let (v4_0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = x x
           (refl_equal ? x)) in
         (exist_2 [v4_1: Z][result0: unit]v4_1 = x result tt Post1) in
       (Build_tuple_2 v4_0 result).

Definition l3 (* validation *)
  : Z
  := let (x, Post2) = (exist_1 [result: Z]result = `1` `1`
       (refl_equal ? `1`)) in
     let result =
       let (y, Post1) = (exist_1 [result: Z]result = `2` `2`
         (refl_equal ? `2`)) in
       `x + y` in
     result.

Definition l4 (* validation *)
  : (v4: Z)(tuple_2 Z unit)
  := [v4: Z]
       let result =
         let (x, Post1) = (exist_1 [result: Z]result = `1` `1`
           (refl_equal ? `1`)) in
         `1` in
       (Build_tuple_2 result tt).

Definition l5 (* validation *)
  : (v1: bool)(v4: Z)(tuple_3 bool Z unit)
  := [v1: bool; v4: Z]
       let (x, Post3) = (exist_1 [result: Z]result = `1` `1`
         (refl_equal ? `1`)) in
       let (v1_0, v4_0, result) =
         let (v1_0, result, Post1) =
           let (result, Post1) = (exist_1 [result: bool]result = true 
             true (refl_equal ? true)) in
           (exist_2 [v1_1: bool][result0: unit]v1_1 = true result tt Post1) in
         let (v4_0, result0, Post2) =
           let (result0, Post2) = (exist_1 [result0: Z]result0 = x x
             (refl_equal ? x)) in
           (exist_2 [v4_1: Z][result1: unit]v4_1 = x result0 tt Post2) in
         (Build_tuple_3 v1_0 v4_0 result0) in
       (Build_tuple_3 v1_0 v4_0 result).

Definition lr1 (* validation *)
  : unit
  := let (x, Post2) = (exist_1 [result: Z]result = `1` `1`
       (refl_equal ? `1`)) in
     let (x1, result, Post1) =
       let (result, Post1) = (exist_1 [result: Z]result = `2` `2`
         (refl_equal ? `2`)) in
       (exist_2 [x2: Z][result0: unit]x2 = `2` result tt Post1) in
     result.

Definition lr2 (* validation *)
  : Z
  := let (x, Post2) = (exist_1 [result: Z]result = `1` `1`
       (refl_equal ? `1`)) in
     let (x1, result) =
       let (x1, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `x + 1` `x + 1`
           (refl_equal ? `x + 1`)) in
         (exist_2 [x2: Z][result0: unit]x2 = `x + 1` result tt Post1) in
       (Build_tuple_2 x1 x1) in
     result.

Definition lr3 (* validation *)
  : unit
  := let (x, Post3) = (exist_1 [result: Z]result = `1` `1`
       (refl_equal ? `1`)) in
     let (x1, result) =
       let (y, Post2) = (exist_1 [result: Z]result = x x (refl_equal ? x)) in
       let (x1, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = y y
           (refl_equal ? y)) in
         (exist_2 [x2: Z][result0: unit]x2 = y result tt Post1) in
       (Build_tuple_2 x1 result) in
     result.

Definition r1 (* validation *)
  : (sig_1 bool [result: bool]((if result then `1 = 1` else `1 <> 1`)))
  := let (result1, Post1) = (Z_eq_bool `1` `1`) in
     (exist_1 [result2: bool](if result2 then `1 = 1` else `1 <> 1`) 
     result1 Post1).

Definition r2 (* validation *)
  : (sig_1 bool [result: bool]((if result then `2 > 1` else `2 <= 1`)))
  := let (result1, Post1) = (Z_gt_le_bool `2` `1`) in
     (exist_1 [result2: bool](if result2 then `2 > 1` else `2 <= 1`) 
     result1 Post1).

Definition r3 (* validation *)
  : (sig_1 bool [result: bool]((if result then `2 >= 1` else `2 < 1`)))
  := let (result1, Post1) = (Z_ge_lt_bool `2` `1`) in
     (exist_1 [result2: bool](if result2 then `2 >= 1` else `2 < 1`) 
     result1 Post1).

Definition r4 (* validation *)
  : (sig_1 bool [result: bool]((if result then `1 < 2` else `1 >= 2`)))
  := let (result1, Post1) = (Z_lt_ge_bool `1` `2`) in
     (exist_1 [result2: bool](if result2 then `1 < 2` else `1 >= 2`) 
     result1 Post1).

Definition r5 (* validation *)
  : (sig_1 bool [result: bool]((if result then `1 <= 2` else `1 > 2`)))
  := let (result1, Post1) = (Z_le_gt_bool `1` `2`) in
     (exist_1 [result2: bool](if result2 then `1 <= 2` else `1 > 2`) 
     result1 Post1).

Definition r6 (* validation *)
  : (sig_1 bool [result: bool]((if result then `1 <> 2` else `1 = 2`)))
  := let (result1, Post1) = (Z_noteq_bool `1` `2`) in
     (exist_1 [result2: bool](if result2 then `1 <> 2` else `1 = 2`) 
     result1 Post1).

Definition r7 (* validation *)
  : bool
  := let (result, Bool1) =
       let (result1, Post1) = (Z_eq_bool `1` `2`) in
       (exist_1 [result2: bool]
       (if result2 then `1 = 2` else `1 <> 2`) result1 Post1) in
     Cases
       (btest [result:bool](if result then `1 = 2` else `1 <> 2`) result
        Bool1) of
     | (left Test2) => true
     | (right Test1) =>
         let (result0, Post2) =
           let (result2, Post3) = (Z_eq_bool `2` `3`) in
           (exist_1 [result3: bool]
           (if result3 then `2 = 3` else `2 <> 3`) result2 Post3) in
         result0 end.

Definition r8 (* validation *)
  : bool
  := let (result, Bool1) =
       let (result1, Post1) = (Z_eq_bool `1` `2`) in
       (exist_1 [result2: bool]
       (if result2 then `1 = 2` else `1 <> 2`) result1 Post1) in
     Cases
       (btest [result:bool](if result then `1 = 2` else `1 <> 2`) result
        Bool1) of
     | (left Test2) =>
         let (result0, Post2) =
           let (result2, Post3) = (Z_eq_bool `2` `3`) in
           (exist_1 [result3: bool]
           (if result3 then `2 = 3` else `2 <> 3`) result2 Post3) in
         result0
     | (right Test1) => false end.

Definition arr1 (* validation *)
  : (v6: (array Z))(H: `(array_length v6) >= 1`)Z
  := [v6: (array Z); Pre2: `(array_length v6) >= 1`]
       let Pre1 = (arr1_po_1 v6 Pre2) in
       (access v6 `0`).

Definition arr2 (* validation *)
  : (v6: (array Z))(H: `(array_length v6) >= 4`)Z
  := [v6: (array Z); Pre2: `(array_length v6) >= 4`]
       let Pre1 = (arr2_po_1 v6 Pre2) in
       (access v6 `1 + 2`).

Definition arr3 (* validation *)
  : (v4: Z)(v6: (array Z))(H: `(array_length v6) >= 1` /\ `v4 = 0`)Z
  := [v4: Z; v6: (array Z); Pre2: `(array_length v6) >= 1` /\ `v4 = 0`]
       let Pre1 = (arr3_po_1 v4 v6 Pre2) in
       (access v6 v4).

Definition arr4 (* validation *)
  : (v6: (array Z))(H: `(array_length v6) >= 10` /\ `(access v6 0) = 9`)Z
  := [v6: (array Z); Pre3: `(array_length v6) >= 10` /\ `(access v6 0) = 9`]
       let Pre2 = (arr4_po_1 v6 Pre3) in
       let Pre1 = (arr4_po_2 v6 Pre3 Pre2) in
       (access v6 (access v6 `0`)).

Definition arr5 (* validation *)
  : (v6: (array Z))(H: `(array_length v6) >= 1`)
    (sig_2 (array Z) unit [v6_0: (array Z)][result: unit]
     (v6_0 = (store v6 `0` `1`)))
  := [v6: (array Z); Pre2: `(array_length v6) >= 1`]
       let Pre1 = (arr5_po_1 v6 Pre2) in
       (exist_2 [v6_1: (array Z)][result1: unit]
       v6_1 = (store v6 `0` `1`) (store v6 `0` `1`) tt
       (refl_equal ? (store v6 `0` `1`))).

Definition arr6 (* validation *)
  : (v6: (array Z))(H: `(array_length v6) >= 4`)
    (sig_2 (array Z) unit [v6_0: (array Z)][result: unit]
     (v6_0 = (store v6 `1 + 2` `3 + 4`)))
  := [v6: (array Z); Pre2: `(array_length v6) >= 4`]
       let Pre1 = (arr6_po_1 v6 Pre2) in
       (exist_2 [v6_1: (array Z)][result1: unit]
       v6_1 = (store v6 `1 + 2` `3 + 4`) (store v6 `1 + 2` `3 + 4`) tt
       (refl_equal ? (store v6 `1 + 2` `3 + 4`))).

Definition arr7 (* validation *)
  : (v6: (array Z))(H: `(array_length v6) >= 10` /\ `(access v6 0) = 9`)
    (sig_2 (array Z) unit [v6_0: (array Z)][result: unit]
     (v6_0 = (store v6 (access v6 `0`) `1`)))
  := [v6: (array Z); Pre3: `(array_length v6) >= 10` /\ `(access v6 0) = 9`]
       let Pre2 = (arr7_po_1 v6 Pre3) in
       let Pre1 = (arr7_po_2 v6 Pre3 Pre2) in
       (exist_2 [v6_1: (array Z)][result1: unit]
       v6_1 = (store v6 (access v6 `0`) `1`) (store v6 (access v6 `0`) `1`)
       tt (refl_equal ? (store v6 (access v6 `0`) `1`))).

Definition fc1 (* validation *)
  : foo
  := (f5 v5).

Definition fc2 (* validation *)
  : unit
  := (f4 tt).

Definition fc3 (* validation *)
  : Z
  := let (a, Post2) = (exist_1 [result: Z]result = `0` `0`
       (refl_equal ? `0`)) in
     let result =
       let (b, Post1) = (exist_1 [result: Z]result = `0` `0`
         (refl_equal ? `0`)) in
       let Pre3 = (fc3_po_1 a Post2 b Post1) in
       let (b1, result, Post3) =
         let Pre1 = Pre3 in
         let Pre2 = Pre1 in
         let (b1, r, Post4) = (f3 a b Pre1) in
         (exist_2 [b2: Z][result0: Z]`b2 = b + a + result0` b1 r Post4) in
       result in
     result.

Definition an1 (* validation *)
  : (sig_1 Z [result: Z](`result = 0`))
  := (exist_1 [result: Z]`result = 0` `0` (refl_equal ? `0`)).

Definition an2 (* validation *)
  : (v4: Z)(H: `v4 >= 0`)(sig_2 Z unit [v4_0: Z][result: unit](`v4_0 > v4`))
  := [v4: Z; Pre1: `v4 >= 0`]
       let (v4_0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `v4 + 1` 
           `v4 + 1` (refl_equal ? `v4 + 1`)) in
         (exist_2 [v4_1: Z][result0: unit]v4_1 = `v4 + 1` result tt Post1) in
       (exist_2 [v4_1: Z][result0: unit]`v4_1 > v4` v4_0 result
       (an2_po_1 v4 Pre1 v4_0 Post1)).

why-2.34/bench/good-v7/wpcalls_why.v0000644000175000017500000000067312311670312015707 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Why.

(*Why*) Parameter f :
  (_: unit)(x: Z)(sig_2 Z unit [x0: Z][result: unit](`x0 = 1 - x`)).

(* Why obligation from file "good/wpcalls.mlw", characters 146-150 *)
Lemma p_po_1 : 
  (x: Z)
  (t: unit)
  (Post1: t = tt)
  ((x0:Z) (`x0 = 1 - x` -> ((x1:Z) (`x1 = 1 - x0` -> `x1 = x`)))).
Proof.
Intuition.
Save.


why-2.34/bench/good-v7/loops.mlw0000644000175000017500000000100412311670312015026 0ustar  rtusers
(** 1. A loop increasing [i] up to 10. *)

parameter i : int ref

let loop1 = 
  { i <= 10 }
  while !i < 10 do
    { invariant i <= 10 variant 10-i }
    i := !i + 1
  done
  { i = 10 }


(** 2. The same loop, followed by a function call. *)

parameter x: int ref

let oppose (u:unit) = {} x := - !x { x = -x@ }

let loop2 = 
  { x <= 10 }
  begin
    {} 
    while !x < 10 do { invariant x <= 10 variant 10-x } x := !x + 1 done
    { x = 10 };
    {} 
    if !x > 0 then (oppose void) 
    { x = -10 }
  end
  {}
why-2.34/bench/good-v7/exns.mlw0000644000175000017500000000330012311670312014650 0ustar  rtusers
(* exception without argument *)

exception E

let p1 = {} (raise E) { false | E => true }

(* exception with an argument *)

exception F of int

let p2 = {} raise (F 1) { false | F => result = 1 }

let p2a = {} raise (F (raise E : int)) { false | E => true | F => false }

(* composition of exceptions with other constructs *)

let p3 = {} begin raise (F 1); raise (F 2) end { false | F => result = 1 }

let p4 = 
  {} (if true then raise (F 1) else raise (F 2)) { false | F => result = 1 }

let p5 = 
  {} 
  begin
    if true then raise (F 1);
    raise E
  end
  { false | E => false | F => result = 1 }

let p6 = 
  {} 
  begin
    if false then raise (F 1);
    raise E
  end
  { false | E => true | F => false }

(* composition of exceptions with side-effect on a reference *)

parameter x : int ref

let p7 = 
  {} begin x := 1; raise E; x := 2 end { false | E => x = 1 }

let p8 = 
  {} 
  begin x := 1; raise (F !x); x := 2 end 
  { false | F => x = 1 and result = 1 }

let p9 = 
  {} (raise (F begin x := 1; !x end)) { false | F => x = 1 and result = 1 }

(* try / with *)

let p10 = {} (try raise E : int with E -> 0 end) { result = 0 }

let p11 = {} (try raise (F 1) : int with F x -> x end) { result = 1 }

let p12 = 
  {} 
  try 
    begin raise E; raise (F 1); 1 end
  with E -> 2
     | F x -> 3
  end
  { result = 2 }

let p13 = 
  {} 
  try 
    begin raise E; raise (F 1); x := 1 end
  with E -> x := 2
     | F _ -> x := 3
  end
  { x = 2 }

exception E1 
exception E2
exception E3

let p14 = 
  {} 
  begin
    if !x = 1 then raise E1;
    if !x = 2 then raise E2;
    if !x = 3 then raise E3;
    raise E
  end
  { false | E1 => x = 1 | E2 => x = 2 | E3 => x = 3 
  | E => x <> 1 and x <> 2 and x <> 3 }
why-2.34/bench/good-v7/see.mlw0000644000175000017500000000050312311670312014451 0ustar  rtusers
(* Side effect in expressions (Bart Jacobs' tricky example) *)

parameter b, b1, b2 : int ref

let f (u:unit) = 
  {} begin b := 1 - !b; !b end { result = b and b = 1 - b@ }

let k (u:unit) = 
  {}
  begin
    b := 1;
    b1 := (1 - (f void)) + (f void);
    b2 := (f void) * (1 - (f void)) 
  end
  { b1 = 0 and b2 = 1 }
why-2.34/bench/good-v7/po_why.v0000644000175000017500000001212312311670312014651 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Why.
Require Omega.

Parameter q : Z -> Prop.

(* Why obligation from file "good/po.mlw", characters 153-194 *)
Lemma p1_po_1 : 
  (x: Z)
  (Pre1: (q `x + 1`))
  (x0: Z)
  (Post1: x0 = `x + 1`)
  (q x0).
Proof. 
Intros; Rewrite Post1; Assumption.
Save.




(* Why obligation from file "good/po.mlw", characters 205-243 *)
Lemma p2_po_1 : 
  (Pre1: (q `7`))
  (x0: Z)
  (Post1: x0 = `3 + 4`)
  (q x0).
Proof.
Intros; Rewrite Post1; Assumption.
Save.




(* Why obligation from file "good/po.mlw", characters 254-306 *)
Lemma p3_po_1 : 
  (x: Z)
  (x0: Z)
  (Post1: x0 = `x + 1`)
  (x1: Z)
  (Post2: x1 = `x0 + 2`)
  `x1 = x + 3`.
Proof. 
Intros; Omega.
Save.




(* Why obligation from file "good/po.mlw", characters 317-360 *)
Lemma p4_po_1 : 
  (x0: Z)
  (Post1: x0 = `7`)
  (x1: Z)
  (Post2: x1 = `2 * x0`)
  `x1 = 14`.
Proof. 
Intros; Omega.
Save.




(* Why obligation from file "good/po.mlw", characters 371-396 *)
Lemma p5_po_1 : 
  `3 + 4 = 7`.
Proof.
Omega.
Save.




(* Why obligation from file "good/po.mlw", characters 424-429 *)
Lemma p6_po_1 : 
  (a: Z)
  (Post1: a = `3`)
  `a + 4 = 7`.
Proof.
Intros; Omega.
Save.




(* Why obligation from file "good/po.mlw", characters 478-483 *)
Lemma p7_po_1 : 
  (a: Z)
  (Post1: a = `4`)
  `3 + (a + a) = 11`.
Proof.
Intros; Omega.
Save.




(* Why obligation from file "good/po.mlw", characters 592-594 *)
Lemma p8_po_1 : 
  (x: Z)
  (Pre1: (q `x + 1`))
  (x0: Z)
  (Post1: x0 = `x + 1`)
  (q x0) /\ `3 + x0 = x + 4`.
Proof.
Intuition; Rewrite Post1; Assumption.
Save.




(* Why obligation from file "good/po.mlw", characters 723-724 *)
Lemma p9_po_1 : 
  (x0: Z)
  (Post3: x0 = `2`)
  ((x:Z) (x = `1` -> `1 + 1 = 2` /\ `x = 1`)).
Proof.
Intuition.
Save.


(* Why obligation from file "good/po.mlw", characters 784-785 *)
Lemma p9a_po_1 : 
  (x0: Z)
  (Post2: x0 = `1`)
  `1 + 1 = 2` /\ `x0 = 1`.
Proof.
Intuition.
Save.




(*Why*) Parameter fsucc : (x: Z)(sig_1 Z [result: Z](`result = x + 1`)).

(* Why obligation from file "good/po.mlw", characters 924-951 *)
Lemma p10_po_1 : 
  (result1: Z)
  (Post1: `result1 = 0 + 1`)
  `result1 = 1`.
Proof.
Intros; Omega.
Save.




(* Why obligation from file "good/po.mlw", characters 963-1004 *)
Lemma p11_po_1 : 
  (aux_2: Z)
  (Post1: `aux_2 = 3 + 1`)
  (aux_1: Z)
  (Post4: `aux_1 = 0 + 1`)
  `aux_1 + aux_2 = 5`.
Proof.
Intros; Omega.
Save.




(* Why obligation from file "good/po.mlw", characters 1042-1047 *)
Lemma p11a_po_1 : 
  (a: Z)
  (Post1: `a = 1 + 1`)
  `a + a = 4`.
Proof.
Intros; Omega.
Save.




(*Why*) Parameter incrx :
  (_: unit)(x: Z)(sig_2 Z unit [x0: Z][result: unit](`x0 = x + 1`)).

(* Why obligation from file "good/po.mlw", characters 1190-1222 *)
Lemma p12_po_1 : 
  (x: Z)
  (Pre1: `x = 0`)
  (x0: Z)
  (Post1: `x0 = x + 1`)
  `x0 = 1`.
Proof.
Intros; Omega.
Save.




(* Why obligation from file "good/po.mlw", characters 1234-1288 *)
Lemma p13_po_1 : 
  (x: Z)
  (x0: Z)
  (Post1: `x0 = x + 1`)
  (x1: Z)
  (Post3: `x1 = x0 + 1`)
  `x1 = x + 2`.
Proof.
Intros; Omega.
Save.




(* Why obligation from file "good/po.mlw", characters 1301-1339 *)
Lemma p13a_po_1 : 
  (x: Z)
  (x0: Z)
  (Post1: `x0 = x + 1`)
  (x1: Z)
  (Post3: `x1 = x0 + 1`)
  `x1 = x + 2`.
Proof.
Intros; Omega.
Save.




(*Why*) Parameter incrx2 :
  (_: unit)(x: Z)
  (sig_2 Z Z [x0: Z][result: Z](`x0 = x + 1` /\ `result = x0`)).

(* Why obligation from file "good/po.mlw", characters 1487-1525 *)
Lemma p14_po_1 : 
  (x: Z)
  (Pre1: `x = 0`)
  (x0: Z)
  (result1: Z)
  (Post1: `x0 = x + 1` /\ `result1 = x0`)
  `result1 = 1`.
Proof.
Intros; Omega.
Save.




(* Why obligation from file "good/po.mlw", characters 1576-1608 *)
Lemma p15_po_1 : 
  (t: (array Z))
  (Pre2: `(array_length t) = 10`)
  `0 <= 0` /\ `0 < (array_length t)`.
Proof. (* p15_po_1 *)
Intros; Omega.
Save.




(* Why obligation from file "good/po.mlw", characters 1621-1658 *)
Lemma p16_po_1 : 
  (t: (array Z))
  (Pre2: `(array_length t) = 10`)
  `0 <= 9` /\ `9 < (array_length t)`.
Proof. (* p16_po_1 *)
Intros; Simpl; Omega.
Save.




(* Why obligation from file "good/po.mlw", characters 1671-1730 *)
Lemma p17_po_1 : 
  (t: (array Z))
  (Pre3: `(array_length t) = 10` /\ `0 <= (access t 0)` /\
         `(access t 0) < 10`)
  `0 <= (access t 0)` /\ `(access t 0) < (array_length t)`.
Proof. (* p17_po_1 *)
Intros; Omega.
Save.


(* 
 Local Variables:
 mode: coq 
  coq-prog-name: "coqtop -emacs -q -I ../../lib/coq"
 End:
*)


(* Why obligation from file "good/po.mlw", characters 1717-1721 *)
Lemma p17_po_2 : 
  (t: (array Z))
  (Pre3: `(array_length t) = 10` /\ `0 <= (access t 0)` /\
         `(access t 0) < 10`)
  (Pre2: `0 <= (access t 0)` /\ `(access t 0) < (array_length t)`)
  `0 <= 0` /\ `0 < (array_length t)`.
Proof.
Intros; Simpl; Omega.
Save.


(* Why obligation from file "good/po.mlw", characters 1788-1790 *)
Lemma p18_po_1 : 
  (t: (array Z))
  (x: Z)
  (Pre2: `(array_length t) = 10`)
  (aux_2: Z)
  (Post2: aux_2 = x)
  (x0: Z)
  (Post1: x0 = `0`)
  `(access (store t x0 aux_2) 0) = x` /\ `0 <= x0` /\ `x0 < (array_length t)`.
Proof.
Intuition.
Subst x0; AccessSame.
Save.


why-2.34/bench/good-v7/return_valid.v0000644000175000017500000002613412311670312016051 0ustar  rtusers(* This file is generated by Why; do not edit *)

Require Why.
Require Export return_why.

Definition p (* validation *)
  : (i: Z)(t: (array Z))(_: `(array_length t) = N`)
    (sig_2 Z Z [i0: Z][result: Z]
     ((`0 <= result` /\ `result < N` -> `(access t result) = 0`)))
  := [i: Z; t: (array Z); Pre9: `(array_length t) = N`]
       let (i0, result, Post6) =
         let (i0, result, Post1) =
           let (result, Post1) = (exist_1 [result: Z]result = `0` `0`
             (refl_equal ? `0`)) in
           (exist_2 [i1: Z][result0: unit]i1 = `0` result tt Post1) in
         let (i1, result0, Post7) =
           (well_founded_induction Z (Zwf ZERO) (Zwf_well_founded `0`)
             [Variant1: Z](i1: Z)(_: Variant1 = `N - i1`)(_0: `0 <= i1`)
             (sig_2 Z (EM Z unit) [i2: Z][result0: (EM Z unit)]
              (((qcomb [result1: Z]
                 (`0 <= result1` /\ `result1 < N` -> `(access t result1) = 0`)
                 [result1: unit]`0 <= i2` /\ `i2 >= N`)
                result0)))
             [Variant1: Z; wf1: (Variant2: Z)
              (Pre1: (Zwf `0` Variant2 Variant1))(i1: Z)
              (_: Variant2 = `N - i1`)(_0: `0 <= i1`)
              (sig_2 Z (EM Z unit) [i2: Z][result0: (EM Z unit)]
               (((qcomb [result1: Z]
                  (`0 <= result1` /\ `result1 < N` ->
                   `(access t result1) = 0`)
                  [result1: unit]`0 <= i2` /\ `i2 >= N`)
                 result0)));
              i1: Z; Pre8: Variant1 = `N - i1`; Pre7: `0 <= i1`]
               let (result0, Bool2) =
                 let (result2, Post8) = (Z_lt_ge_bool i1 N) in
                 (exist_1 [result3: bool]
                 (if result3 then `i1 < N` else `i1 >= N`) result2 Post8) in
               Cases
                 (btest
                  [result0:bool](if result0 then `i1 < N` else `i1 >= N`) result0
                  Bool2) of
               | (left Test4) =>
                   let (i2, result1, Post10) =
                     let (i2, result1, Post11) =
                       let (result1, Post12) =
                         let Pre6 =
                           (p_po_1 t Pre9 i0 Post1 Variant1 i1 Pre8 Pre7
                           Test4) in
                         let (result1, Bool1) =
                           let Pre5 = Pre6 in
                           let result2 =
                             let Pre3 = Pre5 in
                             let Pre2 = Pre3 in
                             (Z_eq_bool (access t i1)) in
                           let Pre4 = Pre5 in
                           let (result3, Post13) = (result2 `0`) in
                           (exist_1 [result4: bool]
                           (if result4 then `(access t i1) = 0`
                            else `(access t i1) <> 0`) result3
                           Post13) in
                         Cases
                           (btest
                            [result1:bool]
                            (if result1 then `(access t i1) = 0`
                             else `(access t i1) <> 0`) result1
                            Bool1) of
                         | (left Test3) =>
                             let (result2, Post14) =
                               let (result2, WP1) = (exist_1 [result2: Z]
                                 (`0 <= result2` /\ `result2 < N` ->
                                  `(access t result2) = 0`) i1
                                 (p_po_2 t Pre9 i0 Post1 Variant1 i1 Pre8
                                 Pre7 Test4 Pre6 Test3)) in
                               (exist_1 (qcomb [result3: Z]
                                         (`0 <= result3` /\ `result3 < N` ->
                                          `(access t result3) = 0`)
                                         [result3: unit]
                                         ((i:Z)
                                          (i = `i1 + 1` -> `0 <= i` /\
                                           (Zwf `0` `N - i` `N - i1`)))) 
                               (Exn unit result2) WP1) in
                             Cases (decomp1 Post14) of
                             | (Qval (exist result3 WP4)) =>
                               (exist_1 (qcomb [result4: Z]
                                         (`0 <= result4` /\ `result4 < N` ->
                                          `(access t result4) = 0`)
                                         [result4: unit]
                                         ((i:Z)
                                          (i = `i1 + 1` -> `0 <= i` /\
                                           (Zwf `0` `N - i` `N - i1`)))) 
                               (Val Z result3) WP4)
                             | (Qexn result3 WP1) =>
                               (exist_1 (qcomb [result4: Z]
                                         (`0 <= result4` /\ `result4 < N` ->
                                          `(access t result4) = 0`)
                                         [result4: unit]
                                         ((i:Z)
                                          (i = `i1 + 1` -> `0 <= i` /\
                                           (Zwf `0` `N - i` `N - i1`)))) 
                               (Exn unit result3) WP1)
                             end
                         | (right Test2) =>
                             let (result2, WP4) = (exist_1 [result2: unit]
                               ((i:Z)
                                (i = `i1 + 1` -> `0 <= i` /\
                                 (Zwf `0` `N - i` `N - i1`))) tt
                               (p_po_3 t Pre9 i0 Post1 Variant1 i1 Pre8 Pre7
                               Test4 Pre6 Test2)) in
                             (exist_1 (qcomb [result3: Z]
                                       (`0 <= result3` /\ `result3 < N` ->
                                        `(access t result3) = 0`)
                                       [result3: unit]
                                       ((i:Z)
                                        (i = `i1 + 1` -> `0 <= i` /\
                                         (Zwf `0` `N - i` `N - i1`)))) 
                             (Val Z result2) WP4) end in
                       Cases (decomp1 Post12) of
                       | (Qval (exist result2 WP4)) =>
                         let (i2, result3, Post2) =
                           let (result3, Post2) = (exist_1 [result3: Z]
                             result3 = `i1 + 1` `i1 + 1`
                             (refl_equal ? `i1 + 1`)) in
                           (exist_2 [i3: Z][result4: unit]
                           i3 = `i1 + 1` result3 tt Post2) in
                         (exist_2 [i3: Z]
                         (qcomb [result4: Z]
                          (`0 <= result4` /\ `result4 < N` ->
                           `(access t result4) = 0`)
                          [result4: unit]`0 <= i3` /\
                          (Zwf `0` `N - i3` `N - i1`)) i2
                         (Val Z result3) let HW_2 = (WP4 i2 Post2) in
                                         HW_2)
                       | (Qexn result2 WP1) => (exist_2 [i2: Z]
                         (qcomb [result3: Z]
                          (`0 <= result3` /\ `result3 < N` ->
                           `(access t result3) = 0`)
                          [result3: unit]`0 <= i2` /\
                          (Zwf `0` `N - i2` `N - i1`)) i1 (Exn unit result2)
                         WP1)
                       end in
                     Cases (decomp1 Post11) of
                     | (Qval (exist result2 Post4)) =>
                       ((wf1 `N - i2`) (loop_variant_1 Pre8 Post4) i2
                         (refl_equal ? `N - i2`) (proj1 ? ? Post4))
                     | (Qexn result2 WP1) => (exist_2 [i3: Z]
                       (qcomb [result3: Z]
                        (`0 <= result3` /\ `result3 < N` ->
                         `(access t result3) = 0`)
                        [result3: unit]`0 <= i3` /\ `i3 >= N`) i2
                       (Exn unit result2) WP1)
                     end in
                   Cases (decomp1 Post10) of
                   | (Qval (exist result2 Post3)) => (exist_2 [i3: Z]
                     (qcomb [result3: Z]
                      (`0 <= result3` /\ `result3 < N` ->
                       `(access t result3) = 0`)
                      [result3: unit]`0 <= i3` /\ `i3 >= N`) i2
                     (Val Z result2) Post3)
                   | (Qexn result2 WP1) => (exist_2 [i3: Z]
                     (qcomb [result3: Z]
                      (`0 <= result3` /\ `result3 < N` ->
                       `(access t result3) = 0`)
                      [result3: unit]`0 <= i3` /\ `i3 >= N`) i2
                     (Exn unit result2) WP1)
                   end
               | (right Test1) =>
                   let (i2, result1, Post9) = (exist_2 [i2: Z]
                     (qcomb [result1: Z]
                      (`0 <= result1` /\ `result1 < N` ->
                       `(access t result1) = 0`)
                      [result1: unit]`0 <= i2` /\ `i2 >= N`) i1 (Val Z tt)
                     (conj ? ? Pre7 Test1)) in
                   Cases (decomp1 Post9) of
                   | (Qval (exist result2 Post3)) => (exist_2 [i3: Z]
                     (qcomb [result3: Z]
                      (`0 <= result3` /\ `result3 < N` ->
                       `(access t result3) = 0`)
                      [result3: unit]`0 <= i3` /\ `i3 >= N`) i2
                     (Val Z result2) Post3)
                   | (Qexn result2 WP1) => (exist_2 [i3: Z]
                     (qcomb [result3: Z]
                      (`0 <= result3` /\ `result3 < N` ->
                       `(access t result3) = 0`)
                      [result3: unit]`0 <= i3` /\ `i3 >= N`) i2
                     (Exn unit result2) WP1)
                   end end `N - i0` i0 (refl_equal ? `N - i0`)
             (p_po_4 t Pre9 i0 Post1)) in
         Cases (decomp1 Post7) of
         | (Qval (exist result1 Post3)) =>
           let (result2, Post15) = (exist_1 [result2: Z]
             (`0 <= result2` /\ `result2 < N` -> `(access t result2) = 0`) 
             N (p_po_5 t Pre9 i0 Post1 i1 Post3)) in
           (exist_2 [i2: Z]
           (qcomb [result3: Z]
            (`0 <= result3` /\ `result3 < N` -> `(access t result3) = 0`)
            [result3: Z]
            (`0 <= result3` /\ `result3 < N` -> `(access t result3) = 0`)) 
           i1 (Val Z result2) Post15)
         | (Qexn result1 WP1) => (exist_2 [i2: Z]
           (qcomb [result2: Z]
            (`0 <= result2` /\ `result2 < N` -> `(access t result2) = 0`)
            [result2: Z]
            (`0 <= result2` /\ `result2 < N` -> `(access t result2) = 0`)) 
           i1 (Exn Z result1) WP1)
         end in
       Cases (decomp1 Post6) of
       | (Qval (exist result0 Post16)) => (exist_2 [i1: Z][result1: Z]
         (`0 <= result1` /\ `result1 < N` -> `(access t result1) = 0`) 
         i0 result0 Post16)
       | (Qexn result0 WP1) =>
         let (result1, Post17) = (exist_1 [result1: Z]
           (`0 <= result1` /\ `result1 < N` -> `(access t result1) = 0`) 
           result0 WP1) in
         (exist_2 [i1: Z][result2: Z]
         (`0 <= result2` /\ `result2 < N` -> `(access t result2) = 0`) 
         i0 result1 Post17)
       end.

why-2.34/bench/good-v7/po_valid.v0000644000175000017500000002660212311670312015150 0ustar  rtusers(* This file is generated by Why; do not edit *)

Require Why.
Require Export po_why.

Definition p1 (* validation *)
  : (x: Z)(_: (q `x + 1`))(sig_2 Z unit [x0: Z][result: unit]((q x0)))
  := [x: Z; Pre1: (q `x + 1`)]
       let (x0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `x + 1` `x + 1`
           (refl_equal ? `x + 1`)) in
         (exist_2 [x1: Z][result0: unit]x1 = `x + 1` result tt Post1) in
       (exist_2 [x1: Z][result0: unit](q x1) x0 result
       (p1_po_1 x Pre1 x0 Post1)).

Definition p2 (* validation *)
  : (x: Z)(_: (q `7`))(sig_2 Z unit [x0: Z][result: unit]((q x0)))
  := [x: Z; Pre1: (q `7`)]
       let (x0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `3 + 4` `3 + 4`
           (refl_equal ? `3 + 4`)) in
         (exist_2 [x1: Z][result0: unit]x1 = `3 + 4` result tt Post1) in
       (exist_2 [x1: Z][result0: unit](q x1) x0 result
       (p2_po_1 Pre1 x0 Post1)).

Definition p3 (* validation *)
  : (x: Z)(sig_2 Z unit [x0: Z][result: unit](`x0 = x + 3`))
  := [x: Z]
       let (x0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `x + 1` `x + 1`
           (refl_equal ? `x + 1`)) in
         (exist_2 [x1: Z][result0: unit]x1 = `x + 1` result tt Post1) in
       let (x1, result0, Post2) =
         let (result0, Post2) = (exist_1 [result0: Z]
           result0 = `x0 + 2` `x0 + 2` (refl_equal ? `x0 + 2`)) in
         (exist_2 [x2: Z][result1: unit]x2 = `x0 + 2` result0 tt Post2) in
       (exist_2 [x2: Z][result1: unit]`x2 = x + 3` x1 result0
       (p3_po_1 x x0 Post1 x1 Post2)).

Definition p4 (* validation *)
  : (x: Z)(sig_2 Z unit [x0: Z][result: unit](`x0 = 14`))
  := [x: Z]
       let (x0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `7` `7`
           (refl_equal ? `7`)) in
         (exist_2 [x1: Z][result0: unit]x1 = `7` result tt Post1) in
       let (x1, result0, Post2) =
         let (result0, Post2) = (exist_1 [result0: Z]
           result0 = `2 * x0` `2 * x0` (refl_equal ? `2 * x0`)) in
         (exist_2 [x2: Z][result1: unit]x2 = `2 * x0` result0 tt Post2) in
       (exist_2 [x2: Z][result1: unit]`x2 = 14` x1 result0
       (p4_po_1 x0 Post1 x1 Post2)).

Definition p5 (* validation *)
  : (sig_1 Z [result: Z](`result = 7`))
  := (exist_1 [result: Z]`result = 7` `3 + 4` p5_po_1).

Definition p6 (* validation *)
  : (sig_1 Z [result: Z](`result = 7`))
  := let (a, Post1) = (exist_1 [result: Z]result = `3` `3`
       (refl_equal ? `3`)) in
     let (result, Post2) = (exist_1 [result: Z]`result = 7` `a + 4`
       (p6_po_1 a Post1)) in
     (exist_1 [result0: Z]`result0 = 7` result Post2).

Definition p7 (* validation *)
  : (sig_1 Z [result: Z](`result = 11`))
  := let (aux_1, WP1) =
       let (a, Post1) = (exist_1 [result: Z]result = `4` `4`
         (refl_equal ? `4`)) in
       let (result, WP1) = (exist_1 [result: Z]`3 + result = 11` `a + a`
         (p7_po_1 a Post1)) in
       (exist_1 [result0: Z]`3 + result0 = 11` result WP1) in
     let (result, Post2) = (exist_1 [result: Z]`result = 11` `3 + aux_1`
       WP1) in
     (exist_1 [result0: Z]`result0 = 11` result Post2).

Definition p8 (* validation *)
  : (x: Z)(_: (q `x + 1`))
    (sig_2 Z Z [x0: Z][result: Z]((q x0) /\ `result = x + 4`))
  := [x: Z; Pre1: (q `x + 1`)]
       let (x0, aux_1, WP1) =
         let (x0, result, Post1) =
           let (result, Post1) = (exist_1 [result: Z]result = `x + 1` 
             `x + 1` (refl_equal ? `x + 1`)) in
           (exist_2 [x1: Z][result0: unit]x1 = `x + 1` result tt Post1) in
         let (result0, WP1) = (exist_1 [result0: Z](q x0) /\
           `3 + result0 = x + 4` x0 (p8_po_1 x Pre1 x0 Post1)) in
         (exist_2 [x1: Z][result1: Z](q x1) /\ `3 + result1 = x + 4` 
         x0 result0 WP1) in
       let (result, Post2) = (exist_1 [result: Z](q x0) /\
         `result = x + 4` `3 + aux_1` WP1) in
       (exist_2 [x1: Z][result0: Z](q x1) /\ `result0 = x + 4` x0 result
       Post2).

Definition p9 (* validation *)
  : (x: Z)(sig_2 Z Z [x0: Z][result: Z](`result = 2` /\ `x0 = 1`))
  := [x: Z]
       let (x0, aux_2, WP6) =
         let (x0, result, Post3) =
           let (result, Post3) = (exist_1 [result: Z]result = `2` `2`
             (refl_equal ? `2`)) in
           (exist_2 [x1: Z][result0: unit]x1 = `2` result tt Post3) in
         let (result0, WP6) = (exist_1 [result0: Z]
           ((x:Z) (x = `1` -> `1 + result0 = 2` /\ `x = 1`)) `1`
           (p9_po_1 x0 Post3)) in
         (exist_2 [x1: Z][result1: Z]
         ((x:Z) (x = `1` -> `1 + result1 = 2` /\ `x = 1`)) x0 result0 WP6) in
       let (x1, result, Post4) =
         let (x1, aux_1, WP1) =
           let (x1, result, Post2) =
             let (result, Post2) = (exist_1 [result: Z]result = `1` `1`
               (refl_equal ? `1`)) in
             (exist_2 [x2: Z][result0: unit]x2 = `1` result tt Post2) in
           let (result0, WP1) = (exist_1 [result0: Z]`result0 + aux_2 = 2` /\
             `x1 = 1` `1` let HW_2 = (WP6 x1 Post2) in
                          HW_2) in
           (exist_2 [x2: Z][result1: Z]`result1 + aux_2 = 2` /\ `x2 = 1` 
           x1 result0 WP1) in
         let (result, Post5) = (exist_1 [result: Z]`result = 2` /\
           `x1 = 1` `aux_1 + aux_2` WP1) in
         (exist_2 [x2: Z][result0: Z]`result0 = 2` /\ `x2 = 1` x1 result
         Post5) in
       (exist_2 [x2: Z][result0: Z]`result0 = 2` /\ `x2 = 1` x1 result Post4).

Definition p9a (* validation *)
  : (x: Z)(sig_2 Z Z [x0: Z][result: Z](`result = 2` /\ `x0 = 1`))
  := [x: Z]
       let (x0, aux_1, WP1) =
         let (x0, result, Post2) =
           let (result, Post2) = (exist_1 [result: Z]result = `1` `1`
             (refl_equal ? `1`)) in
           (exist_2 [x1: Z][result0: unit]x1 = `1` result tt Post2) in
         let (result0, WP1) = (exist_1 [result0: Z]`result0 + 1 = 2` /\
           `x0 = 1` `1` (p9a_po_1 x0 Post2)) in
         (exist_2 [x1: Z][result1: Z]`result1 + 1 = 2` /\ `x1 = 1` x0 
         result0 WP1) in
       let (result, Post3) = (exist_1 [result: Z]`result = 2` /\
         `x0 = 1` `aux_1 + 1` WP1) in
       (exist_2 [x1: Z][result0: Z]`result0 = 2` /\ `x1 = 1` x0 result Post3).

Definition p10 (* validation *)
  : (sig_1 Z [result: Z](`result = 1`))
  := let (result1, Post1) = (fsucc `0`) in
     (exist_1 [result2: Z]`result2 = 1` result1 (p10_po_1 result1 Post1)).

Definition p11 (* validation *)
  : (sig_1 Z [result: Z](`result = 5`))
  := let (aux_2, Post1) =
       let (result1, Post2) = (fsucc `3`) in
       (exist_1 [result2: Z]`result2 = 3 + 1` result1 Post2) in
     let (result, Post3) =
       let (aux_1, Post4) =
         let (result1, Post5) = (fsucc `0`) in
         (exist_1 [result2: Z]`result2 = 0 + 1` result1 Post5) in
       let (result, Post6) = (exist_1 [result: Z]`result = 5` `aux_1 + aux_2`
         (p11_po_1 aux_2 Post1 aux_1 Post4)) in
       (exist_1 [result0: Z]`result0 = 5` result Post6) in
     (exist_1 [result0: Z]`result0 = 5` result Post3).

Definition p11a (* validation *)
  : (sig_1 Z [result: Z](`result = 4`))
  := let (a, Post1) =
       let (result1, Post2) = (fsucc `1`) in
       (exist_1 [result2: Z]`result2 = 1 + 1` result1 Post2) in
     let (result, Post3) = (exist_1 [result: Z]`result = 4` `a + a`
       (p11a_po_1 a Post1)) in
     (exist_1 [result0: Z]`result0 = 4` result Post3).

Definition p12 (* validation *)
  : (x: Z)(_: `x = 0`)(sig_2 Z unit [x0: Z][result: unit](`x0 = 1`))
  := [x: Z; Pre1: `x = 0`]
       let (x0, result1, Post1) = (incrx tt x) in
       (exist_2 [x1: Z][result2: unit]`x1 = 1` x0 result1
       (p12_po_1 x Pre1 x0 Post1)).

Definition p13 (* validation *)
  : (x: Z)(sig_2 Z unit [x0: Z][result: unit](`x0 = x + 2`))
  := [x: Z]
       let (x0, result, Post1) =
         let (x0, result1, Post2) = (incrx tt x) in
         (exist_2 [x1: Z][result2: unit]`x1 = x + 1` x0 result1 Post2) in
       let (x1, result0, Post3) =
         let (x1, result2, Post4) = (incrx tt x0) in
         (exist_2 [x2: Z][result3: unit]`x2 = x0 + 1` x1 result2 Post4) in
       (exist_2 [x2: Z][result1: unit]`x2 = x + 2` x1 result0
       (p13_po_1 x x0 Post1 x1 Post3)).

Definition p13a (* validation *)
  : (x: Z)(sig_2 Z unit [x0: Z][result: unit](`x0 = x + 2`))
  := [x: Z]
       let (x0, aux_1, Post1) =
         let (x0, result1, Post2) = (incrx tt x) in
         (exist_2 [x1: Z][result2: unit]`x1 = x + 1` x0 result1 Post2) in
       let (x1, result, Post3) =
         let (x1, result1, Post4) = (incrx aux_1 x0) in
         (exist_2 [x2: Z][result2: unit]`x2 = x0 + 1` x1 result1 Post4) in
       (exist_2 [x2: Z][result0: unit]`x2 = x + 2` x1 result
       (p13a_po_1 x x0 Post1 x1 Post3)).

Definition p14 (* validation *)
  : (x: Z)(_: `x = 0`)(sig_2 Z Z [x0: Z][result: Z](`result = 1`))
  := [x: Z; Pre1: `x = 0`]
       let (x0, result1, Post1) = (incrx2 tt x) in
       (exist_2 [x1: Z][result2: Z]`result2 = 1` x0 result1
       (p14_po_1 x Pre1 x0 result1 Post1)).

Definition p15 (* validation *)
  : (t: (array Z))(_: `(array_length t) = 10`)Z
  := [t: (array Z); Pre2: `(array_length t) = 10`]
       let Pre1 = (p15_po_1 t Pre2) in
       (access t `0`).

Definition p16 (* validation *)
  : (t: (array Z))(_: `(array_length t) = 10`)
    (sig_2 (array Z) unit [t0: (array Z)][result: unit]
     (t0 = (store t `9` `1`)))
  := [t: (array Z); Pre2: `(array_length t) = 10`]
       let Pre1 = (p16_po_1 t Pre2) in
       (exist_2 [t1: (array Z)][result1: unit]
       t1 = (store t `9` `1`) (store t `9` `1`) tt
       (refl_equal ? (store t `9` `1`))).

Definition p17 (* validation *)
  : (t: (array Z))(_: `(array_length t) = 10` /\ `0 <= (access t 0)` /\
    `(access t 0) < 10`)
    (sig_2 (array Z) unit [t0: (array Z)][result: unit]
     (t0 = (store t (access t `0`) `1`)))
  := [t: (array Z); Pre3: `(array_length t) = 10` /\ `0 <= (access t 0)` /\
      `(access t 0) < 10`]
       let Pre2 = (p17_po_1 t Pre3) in
       let Pre1 = (p17_po_2 t Pre3 Pre2) in
       (exist_2 [t1: (array Z)][result1: unit]
       t1 = (store t (access t `0`) `1`) (store t (access t `0`) `1`) 
       tt (refl_equal ? (store t (access t `0`) `1`))).

Definition p18 (* validation *)
  : (t: (array Z))(x: Z)(_: `(array_length t) = 10`)
    (sig_3 (array Z) Z unit [t0: (array Z)][x0: Z][result: unit]
     (`(access t0 0) = x`))
  := [t: (array Z); x: Z; Pre2: `(array_length t) = 10`]
       let (aux_2, Post2) = (exist_1 [result: Z]result = x x
         (refl_equal ? x)) in
       let (t0, x0, result, Post3) =
         let (x0, aux_1, WP1) =
           let (x0, result, Post1) =
             let (result, Post1) = (exist_1 [result: Z]result = `0` `0`
               (refl_equal ? `0`)) in
             (exist_2 [x1: Z][result0: unit]x1 = `0` result tt Post1) in
           let (result0, WP1) = (exist_1 [result0: Z]
             `(access (store t result0 aux_2) 0) = x` /\ `0 <= result0` /\
             `result0 < (array_length t)` x0
             (p18_po_1 t x Pre2 aux_2 Post2 x0 Post1)) in
           (exist_2 [x1: Z][result1: Z]
           `(access (store t result1 aux_2) 0) = x` /\ `0 <= result1` /\
           `result1 < (array_length t)` x0 result0 WP1) in
         let Pre1 = let (HW_1, HW_2) = WP1 in
                    HW_2 in
         let (t0, result, Post4) = (exist_2 [t1: (array Z)][result1: unit]
           `(access t1 0) = x` (store t aux_1 aux_2) tt (proj1 ? ? WP1)) in
         (exist_3 [t1: (array Z)][x1: Z][result0: unit]`(access t1 0) = x` 
         t0 x0 result Post4) in
       (exist_3 [t1: (array Z)][x1: Z][result0: unit]`(access t1 0) = x` 
       t0 x0 result Post3).

why-2.34/bench/good-v7/set.mlw0000644000175000017500000000143712311670312014477 0ustar  rtusers
(* side effects in tests *)

parameter x : int ref

parameter set_and_test_zero : 
  v:int -> {} bool writes x { x = v and if result then x = 0 else x <> 0 }

let p = {} if (set_and_test_zero 0) then 1 else 2 { result = 1 }

parameter set_and_test_nzero : 
  v:int -> {} bool writes x { x = v and if result then x <> 0 else x = 0 }

let p2 (y:int ref) = 
  { y >= 0 } 
  while (set_and_test_nzero !y) do 
    { invariant y >= 0 variant y } 
    y := !y - 1 
  done 
  { y = 0 }

let p3 (y:int ref) = 
  { y >= 0 } 
  while let b = (set_and_test_nzero !y) in b do 
    { invariant y >= 0 variant y } 
    y := !y - 1 
  done 
  { y = 0 }

let p4 (y:int ref) = 
  { y >= 1 } 
  while begin y := !y - 1; (set_and_test_nzero !y) end do 
    { invariant y >= 1 variant y } 
    void
  done 
  { y = 0 }
why-2.34/bench/good-v7/oldify.mlw0000644000175000017500000000061612311670312015170 0ustar  rtusers
logic q1 : int, int, int -> prop

parameter r : int ref

parameter f1 : y:int ->
             {} unit writes r { q1(r, r@, y) }

let g1 =
  {} (f1 !r) { q1(r, r@, r@) }


logic q: int array, int array, int -> prop

parameter f : t:int array -> x:int -> 
             {} unit reads t writes t { q(t, t@, x) }

let g (t:int array) =
  {} 
  (f t (array_length t))
  { q(t, t@, array_length(t@)) }


why-2.34/bench/good-v7/wpcalls.mlw0000644000175000017500000000034212311670312015343 0ustar  rtusers
parameter x : int ref

parameter f : unit -> { } unit writes x { x = 1 - x@ }

let p (u:unit) =
  {}
  begin
    label init;
    let t = void in void;
    (f void);
    (f void);
    { x = x@init } void {}
  end
  { true }


why-2.34/bench/good-v7/oldify_valid.v0000644000175000017500000000116512311670312016015 0ustar  rtusers(* This file is generated by Why; do not edit *)

Require Why.
Require Export oldify_why.

Definition g1 (* validation *)
  : (r: Z)(sig_2 Z unit [r0: Z][result: unit]((q1 r0 r r)))
  := [r: Z]
       let (r0, result1, Post1) = (f1 r r) in
       (exist_2 [r1: Z][result2: unit](q1 r1 r r) r0 result1 Post1).

Definition g (* validation *)
  : (t: (array Z))
    (sig_2 (array Z) unit [t0: (array Z)][result: unit]
     ((q t0 t (array_length t))))
  := [t: (array Z)]
       let (t0, result1, Post1) = (f (array_length t) t) in
       (exist_2 [t1: (array Z)][result2: unit](q t1 t (array_length t)) 
       t0 result1 Post1).

why-2.34/bench/good-v7/return.mlw0000644000175000017500000000065412311670312015223 0ustar  rtusers
exception Return of int

parameter N : int

parameter i : int ref
parameter t : int array

let p = 
  { array_length(t) = N }
  try begin
    i := 0;
    while !i < N do
      { invariant 0 <= i (* and forall k:int. 0 <= k < i => t[k] <> 0 *)
        variant N - i }							 
      if t[!i] = 0 then raise (Return !i);
      i := !i + 1
    done;
    N
  end with Return x ->
    x
  end
  { 0 <= result < N -> t[result] = 0 }

why-2.34/bench/good-v7/loops_valid.v0000644000175000017500000001323412311670312015663 0ustar  rtusers(* This file is generated by Why; do not edit *)

Require Why.
Require Export loops_why.

Definition loop1 (* validation *)
  : (i: Z)(_: `i <= 10`)(sig_2 Z unit [i0: Z][result: unit](`i0 = 10`))
  := [i: Z; Pre6: `i <= 10`]
       (well_founded_induction Z (Zwf ZERO) (Zwf_well_founded `0`)
         [Variant1: Z](i0: Z)(_: Variant1 = `10 - i0`)(_0: `i0 <= 10`)
         (sig_2 Z unit [i1: Z][result: unit](`i1 = 10`))
         [Variant1: Z; wf1: (Variant2: Z)(Pre1: (Zwf `0` Variant2 Variant1))
          (i0: Z)(_: Variant2 = `10 - i0`)(_0: `i0 <= 10`)
          (sig_2 Z unit [i1: Z][result: unit](`i1 = 10`)); i0: Z;
          Pre5: Variant1 = `10 - i0`; Pre4: `i0 <= 10`]
           let (result, Bool1) =
             let (result1, Post3) = (Z_lt_ge_bool i0 `10`) in
             (exist_1 [result2: bool]
             (if result2 then `i0 < 10` else `i0 >= 10`) result1 Post3) in
           Cases
             (btest
              [result:bool](if result then `i0 < 10` else `i0 >= 10`) result
              Bool1) of
           | (left Test2) =>
               let Pre3 = Pre4 in
               let (i1, result0, Post5) =
                 let (i1, result0, Post2) =
                   let (i1, result0, Post1) =
                     let (result0, Post1) = (exist_1 [result0: Z]
                       result0 = `i0 + 1` `i0 + 1`
                       (refl_equal ? `i0 + 1`)) in
                     (exist_2 [i2: Z][result1: unit]i2 = `i0 + 1` result0 
                     tt Post1) in
                   (exist_2 [i2: Z][result1: unit]`i2 <= 10` /\
                   (Zwf `0` `10 - i2` `10 - i0`) i1 result0
                   (loop1_po_1 i Pre6 Variant1 i0 Pre5 Pre4 Test2 Pre3 i1
                   Post1)) in
                 ((wf1 `10 - i1`) (loop_variant_1 Pre5 Post2) i1
                   (refl_equal ? `10 - i1`) (proj1 ? ? Post2)) in
               (exist_2 [i2: Z][result1: unit]`i2 = 10` i1 result0 Post5)
           | (right Test1) =>
               let Pre2 = Pre4 in
               let (i1, result0, Post4) = (exist_2 [i1: Z][result0: unit]
                 `i1 = 10` i0 tt
                 (loop1_po_2 i Pre6 Variant1 i0 Pre5 Pre4 Test1 Pre2)) in
               (exist_2 [i2: Z][result1: unit]`i2 = 10` i1 result0 Post4) end
         `10 - i` i (refl_equal ? `10 - i`) Pre6).

Definition oppose (* validation *)
  : (u: unit)(x: Z)(sig_2 Z unit [x0: Z][result: unit](`x0 = (-x)`))
  := [u: unit; x: Z]
       let (result, Post1) = (exist_1 [result: Z]`result = (-x)` `(-x)`
         (refl_equal ? `(-x)`)) in
       (exist_2 [x1: Z][result0: unit]`x1 = (-x)` result tt Post1).

Definition loop2 (* validation *)
  : (x: Z)(_: `x <= 10`)(tuple_2 Z unit)
  := [x: Z; Pre4: `x <= 10`]
       let (x0, result, Post4) =
         (well_founded_induction Z (Zwf ZERO) (Zwf_well_founded `0`)
           [Variant1: Z](x0: Z)(_: Variant1 = `10 - x0`)(_0: `x0 <= 10`)
           (sig_2 Z unit [x1: Z][result: unit](`x1 = 10`))
           [Variant1: Z; wf1: (Variant2: Z)
            (Pre1: (Zwf `0` Variant2 Variant1))(x0: Z)
            (_: Variant2 = `10 - x0`)(_0: `x0 <= 10`)
            (sig_2 Z unit [x1: Z][result: unit](`x1 = 10`)); x0: Z;
            Pre3: Variant1 = `10 - x0`; Pre2: `x0 <= 10`]
             let (result, Bool1) =
               let (result1, Post5) = (Z_lt_ge_bool x0 `10`) in
               (exist_1 [result2: bool]
               (if result2 then `x0 < 10` else `x0 >= 10`) result1 Post5) in
             Cases
               (btest
                [result:bool](if result then `x0 < 10` else `x0 >= 10`) result
                Bool1) of
             | (left Test2) =>
                 let (x1, result0, Post7) =
                   let (x1, result0, Post3) =
                     let (x1, result0, Post1) =
                       let (result0, Post1) = (exist_1 [result0: Z]
                         result0 = `x0 + 1` `x0 + 1`
                         (refl_equal ? `x0 + 1`)) in
                       (exist_2 [x2: Z][result1: unit]x2 = `x0 + 1` result0
                       tt Post1) in
                     (exist_2 [x2: Z][result1: unit]`x2 <= 10` /\
                     (Zwf `0` `10 - x2` `10 - x0`) x1 result0
                     (loop2_po_1 x Pre4 Variant1 x0 Pre3 Pre2 Test2 x1 Post1)) in
                   ((wf1 `10 - x1`) (loop_variant_1 Pre3 Post3) x1
                     (refl_equal ? `10 - x1`) (proj1 ? ? Post3)) in
                 (exist_2 [x2: Z][result1: unit]`x2 = 10` x1 result0 Post7)
             | (right Test1) =>
                 let (x1, result0, Post6) = (exist_2 [x1: Z][result0: unit]
                   `x1 = 10` x0 tt
                   (loop2_po_2 x Pre4 Variant1 x0 Pre3 Pre2 Test1)) in
                 (exist_2 [x2: Z][result1: unit]`x2 = 10` x1 result0 Post6) end
           `10 - x` x (refl_equal ? `10 - x`) Pre4) in
       let (x1, result0, Post8) =
         let (result0, Bool2) =
           let (result2, Post9) = (Z_gt_le_bool x0 `0`) in
           (exist_1 [result3: bool]
           (if result3 then `x0 > 0` else `x0 <= 0`) result2 Post9) in
         Cases
           (btest
            [result0:bool](if result0 then `x0 > 0` else `x0 <= 0`) result0
            Bool2) of
         | (left Test4) =>
             let (x1, result1, Post11) =
               let (x1, result3, Post12) = (oppose tt x0) in
               (exist_2 [x2: Z][result4: unit]`x2 = (-x0)` x1 result3 Post12) in
             (exist_2 [x2: Z][result2: unit]`x2 = (-10)` x1 result1
             (loop2_po_3 x Pre4 x0 Post4 Test4 x1 Post11))
         | (right Test3) =>
             let (result1, Post10) = (exist_1 [result1: unit]`x0 = (-10)` 
               tt (loop2_po_4 x Pre4 x0 Post4 Test3)) in
             (exist_2 [x1: Z][result2: unit]`x1 = (-10)` x0 result1 Post10) end in
       (Build_tuple_2 x1 result0).

why-2.34/bench/good-v7/oldify_why.v0000644000175000017500000000033412311670312015522 0ustar  rtusers
Require Why.

(*Why*) Parameter f1 :
  (y: Z)(r: Z)(sig_2 Z unit [r0: Z][result: unit]((q1 r0 r y))).


(*Why*) Parameter f :
  (x: Z)(t: (array Z))
  (sig_2 (array Z) unit [t0: (array Z)][result: unit]((q t0 t x))).


why-2.34/bench/good-v7/return_why.v0000644000175000017500000000324412311670312015556 0ustar  rtusers
Require Why.

(*Why*) Parameter N : Z.

(* Why obligation from file "good/return.mlw", characters 285-290 *)
Lemma p_po_1 : 
  (t: (array Z))
  (Pre9: `(array_length t) = N`)
  (i0: Z)
  (Post1: i0 = `0`)
  (Variant1: Z)
  (i1: Z)
  (Pre8: Variant1 = `N - i1`)
  (Pre7: `0 <= i1`)
  (Test4: `i1 < N`)
  `0 <= i1` /\ `i1 < (array_length t)`.
Proof.
Intuition.
Save.

(* Why obligation from file "good/return.mlw", characters 314-316 *)
Lemma p_po_2 : 
  (t: (array Z))
  (Pre9: `(array_length t) = N`)
  (i0: Z)
  (Post1: i0 = `0`)
  (Variant1: Z)
  (i1: Z)
  (Pre8: Variant1 = `N - i1`)
  (Pre7: `0 <= i1`)
  (Test4: `i1 < N`)
  (Pre6: `0 <= i1` /\ `i1 < (array_length t)`)
  (Test3: `(access t i1) = 0`)
  (`0 <= i1` /\ `i1 < N` -> `(access t i1) = 0`).
Proof.
Intuition.
Save.

(* Why obligation from file "good/return.mlw", characters 317-317 *)
Lemma p_po_3 : 
  (t: (array Z))
  (Pre9: `(array_length t) = N`)
  (i0: Z)
  (Post1: i0 = `0`)
  (Variant1: Z)
  (i1: Z)
  (Pre8: Variant1 = `N - i1`)
  (Pre7: `0 <= i1`)
  (Test4: `i1 < N`)
  (Pre6: `0 <= i1` /\ `i1 < (array_length t)`)
  (Test2: `(access t i1) <> 0`)
  ((i:Z) (i = `i1 + 1` -> `0 <= i` /\ (Zwf `0` `N - i` `N - i1`))).
Proof.
Intuition.
Save.

(* Why obligation from file "good/return.mlw", characters 189-195 *)
Lemma p_po_4 : 
  (t: (array Z))
  (Pre9: `(array_length t) = N`)
  (i0: Z)
  (Post1: i0 = `0`)
  `0 <= i0`.
Proof.
Intuition.
Save.

(* Why obligation from file "good/return.mlw", characters 351-352 *)
Lemma p_po_5 : 
  (t: (array Z))
  (Pre9: `(array_length t) = N`)
  (i0: Z)
  (Post1: i0 = `0`)
  (i1: Z)
  (Post3: `0 <= i1` /\ `i1 >= N`)
  (`0 <= N` /\ `N < N` -> `(access t N) = 0`).
Proof.
Auto with *.
Save.

why-2.34/bench/good-v7/all.mlw0000644000175000017500000000602612311670312014453 0ustar  rtusers
(* Unitary (typing) tests *)

(* types syntax: values *)
parameter v1 : bool ref
parameter v2 : int
parameter v3 : (int)
parameter v4 : (int) ref
parameter v5 : foo
parameter v6 : int array
parameter v7 : (int) array

(* types syntax: functions *)
parameter f1 : int -> bool -> int

parameter f2 : int -> int ref -> bool

parameter f3 : x:int ref -> y:int ref -> 
             { x >= 0 } returns r:int reads x,y writes y { y = y@ + x + r }

parameter f4 : unit -> {} unit {}

parameter f5 : foo -> foo
parameter f6 : x:foo -> foo
parameter f7 : x:foo -> {} foo {}

parameter f8 : t:int array -> {} unit reads t { t[1] = 2 }

(* predicates *)
let p1 = {} 0 { true }
let p2 = {} 0 { not false }
let p3 = {} 0 { true and true }
let p4 = {} 0 { true or false }
let p5 = {} 0 { false or not false }
let p6 = {} 0 { true -> not false }
let p7 = {} 0 { forall x:int. x=x }
let p8 = {} 0 { true and forall x:int. x=x }
let p9 = {} 0 { forall x:int. forall y:int. x=y -> x=y }

(* variables *)
let acc1 = v2
let acc2 = acc1
let acc3 = f8

(* deref *)
let d1 = !v1
let d2 = !v4

(* arithmetic *)
let ar1 = 1
let ar2 = -1
let ar3 = 1+1
let ar4 = 1-1
let ar5 = 1*1
let ar6 = 1/1
let ar7 = 1%1

(* assignements *)
let a1 = v4 := 1
let a2 = v1 := true
let a3 = v4 := 2+2
let a4 = v4 := !v4

(* sequences *)
let s1 = begin v4 := 1; v4 := 2 end
let s2 = begin v1 := true; v4 := 2 end
let s3 = begin v4 := 1; v4 := !v4; v4 := 3 end
let s4 = begin v4 := 1; 2 end

(* conditionals *)
let c1 = if true then 1 else 2
let c2 = if !v1 then 1 else 2
let c3 = if !v4 = 1 then v4 := 2 else v4 := 3

(* local variables *)
let l1 = let x = 1 in x
let l2 = let x = 1 in v4 := x
let l3 = let x = 1 in let y = 2 in x + y
let l4 = v4 := (let x = 1 in 1)
let l5 = let x = 1 in begin v1 := true; v4 := x end

(* local references *)
let lr1 = let x = ref 1 in x := 2
let lr2 = let x = ref 1 in begin x := !x + 1; !x end
let lr3 = let x = ref 1 in let y = ref !x in x := !y

(* relations *)
let r1 = 1 = 1
let r2 = 2 > 1
let r3 = 2 >= 1
let r4 = 1 < 2
let r5 = 1 <= 2
let r6 = 1 <> 2
let r7 = 1 = 2 || 2 = 3
let r8 = 1 = 2 && 2 = 3

(* arrays *)
let arr1 = { array_length(v6) >= 1 } v6[0] {} 
let arr2 = { array_length(v6) >= 4 } v6[1+2] {}
let arr3 = { array_length(v6) >= 1 and v4 = 0 } v6[!v4] {}
let arr4 = { array_length(v6) >= 10 and v6[0] = 9 } v6[v6[0]] {}

let arr5 = { array_length(v6) >= 1 } v6[0] := 1 {}
let arr6 = { array_length(v6) >= 4 } v6[1+2] := 3+4 {}
let arr7 = { array_length(v6) >= 10 and v6[0] = 9 } v6[v6[0]] := 1 {}

(* function calls *)
let fc1 = (f5 v5)
let fc2 = (f4 void)
let fc3 = let a = ref 0 in let b = ref 0 in (f3 a b)

(* while loops: in file loops.ml *)

(* recursive functions: in file recfun.ml *)

(* annotations *)
let an1 = {} 0 { result = 0 }
let an2 = { v4 >= 0 } begin v4 := !v4 + 1 end { v4 > v4@ }
(* let an3 = { v4 >= 0 } begin v4 := !v4 + 1 end { v4 > v4@init } *)

(* exceptions *)
exception E1
exception E2 of int
exception E3 of foo

(* effects with exceptions *)
parameter f1_ex : n:int -> {} unit raises E1 {}
parameter f2_ex : x:int ref -> {} bool writes x raises E1,E2 {}
why-2.34/bench/good-v7/exns_valid.v0000644000175000017500000006606512311670312015516 0ustar  rtusers(* This file is generated by Why; do not edit *)

Require Why.
Require Export exns_why.

Definition p1 (* validation *)
  : (sig_1 (EM unit unit) [result: (EM unit unit)]
     (((qcomb [result: unit]True [result: unit]False) result)))
  := (exist_1 (qcomb [result: unit]True [result: unit]False) (Exn unit tt) I).

Definition p2 (* validation *)
  : (sig_1 (EM Z unit) [result: (EM Z unit)]
     (((qcomb [result: Z]`result = 1` [result: unit]False) result)))
  := let (result, Post1) = (exist_1 [result: Z]`result = 1` `1`
       (refl_equal ? `1`)) in
     (exist_1 (qcomb [result0: Z]`result0 = 1` [result0: unit]False) 
     (Exn unit result) Post1).

Definition p2a (* validation *)
  : (sig_1 (EM unit (EM Z unit)) [result: (EM unit (EM Z unit))]
     (((qcomb [result: unit]True (qcomb [result: Z]False [result: unit]False))
       result)))
  := let (result, Post1) =
       (exist_1 (qcomb [result: unit]True [result: Z]False) (Exn Z tt) I) in
     Cases (decomp1 Post1) of
     | (Qval (exist result0 Post2)) =>
       (exist_1 (qcomb [result0_0: unit]True
                 (qcomb [result0_0: Z]False [result0_0: unit]False)) 
       (Val unit (Exn unit result0)) (False_ind ? Post2))
     | (Qexn _ Post3) =>
       (exist_1 (qcomb [result0: unit]True
                 (qcomb [result0: Z]False [result0: unit]False)) (Exn
                                                                   (EM Z unit)
                                                                   tt) I)
     end.

Definition p3 (* validation *)
  : (sig_1 (EM Z unit) [result: (EM Z unit)]
     (((qcomb [result: Z]`result = 1` [result: unit]False) result)))
  := let (result, Post1) =
       let (result, Post2) = (exist_1 [result: Z]`result = 1` `1`
         (refl_equal ? `1`)) in
       (exist_1 (qcomb [result0: Z]`result0 = 1` [result0: unit]`2 = 1`) 
       (Exn unit result) Post2) in
     Cases (decomp1 Post1) of
     | (Qval (exist result0 WP2)) =>
       let (result0_0, Post4) =
         let (result0_0, Post5) = (exist_1 [result0_0: Z]`result0_0 = 1` 
           `2` WP2) in
         (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
         (Exn unit result0_0) Post5) in
       Cases (decomp1 Post4) of
       | (Qval (exist result0_1 Post6)) =>
         (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
         (Val Z result0_1) (False_ind ? Post6))
       | (Qexn result0_1 Post7) =>
         (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
         (Exn unit result0_1) Post7)
       end
     | (Qexn result0 Post3) =>
       (exist_1 (qcomb [result0_0: Z]`result0_0 = 1` [result0_0: unit]False) 
       (Exn unit result0) Post3)
     end.

Definition p4 (* validation *)
  : (sig_1 (EM Z unit) [result: (EM Z unit)]
     (((qcomb [result: Z]`result = 1` [result: unit]False) result)))
  := let (result, WP5) = (exist_1 [result: bool]
       (if result then `1 = 1` else `2 = 1`) true (refl_equal ? `1`)) in
     Cases
       (btest [result:bool](if result then `1 = 1` else `2 = 1`) result WP5) of
     | (left WP5_0) =>
         let (result0, Post6) =
           let (result0, Post7) = (exist_1 [result0: Z]`result0 = 1` 
             `1` (refl_equal ? `1`)) in
           (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
           (Exn unit result0) Post7) in
         Cases (decomp1 Post6) of
         | (Qval (exist result0_0 Post8)) =>
           (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
           (Val Z result0_0) (False_ind ? Post8))
         | (Qexn result0_0 Post9) =>
           (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
           (Exn unit result0_0) Post9)
         end
     | (right WP5_0) =>
         let (result0, Post2) =
           let (result0, Post3) = (exist_1 [result0: Z]`result0 = 1` 
             `2` WP5_0) in
           (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
           (Exn unit result0) Post3) in
         Cases (decomp1 Post2) of
         | (Qval (exist result0_0 Post4)) =>
           (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
           (Val Z result0_0) (False_ind ? Post4))
         | (Qexn result0_0 Post5) =>
           (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
           (Exn unit result0_0) Post5)
         end end.

Definition p5 (* validation *)
  : (sig_1 (EM unit (EM Z unit)) [result: (EM unit (EM Z unit))]
     (((qcomb [result: unit]False
        (qcomb [result: Z]`result = 1` [result: unit]False))
       result)))
  := let (result, Post2) =
       let (result, WP5) = (exist_1 [result: bool]
         (if result then `1 = 1` else False) true (refl_equal ? `1`)) in
       Cases
         (btest [result:bool](if result then `1 = 1` else False) result WP5) of
       | (left WP5_0) =>
           let (result0, Post3) =
             let (result0, Post4) = (exist_1 [result0: Z]`result0 = 1` 
               `1` (refl_equal ? `1`)) in
             (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
             (Exn unit result0) Post4) in
           Cases (decomp1 Post3) of
           | (Qval (exist result0_0 WP1)) =>
             (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
             (Val Z result0_0) (False_ind ? WP1))
           | (Qexn result0_0 Post5) =>
             (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
             (Exn unit result0_0) Post5)
           end
       | (right WP5_0) =>
           let (result0, WP1) = (exist_1 [result0: unit]False tt
             (False_ind ? WP5_0)) in
           (exist_1 (qcomb [result1: Z]`result1 = 1` [result1: unit]False) 
           (Val Z result0) (False_ind ? WP1)) end in
     Cases (decomp1 Post2) of
     | (Qval (exist result0 WP1)) =>
       let (result0_0, Post7) =
         (exist_1 (qcomb [result0_0: unit]False [result0_0: unit]False) 
         (Exn unit tt) (False_ind ? WP1)) in
       Cases (decomp1 Post7) of
       | (Qval (exist result0_1 Post8)) =>
         (exist_1 (qcomb [result1: unit]False
                   (qcomb [result1: Z]`result1 = 1` [result1: unit]False)) 
         (Val unit (Val Z result0_1)) (False_ind ? Post8))
       | (Qexn _ Post9) =>
         (exist_1 (qcomb [result1: unit]False
                   (qcomb [result1: Z]`result1 = 1` [result1: unit]False)) 
         (Exn (EM Z unit) tt) (False_ind ? Post9))
       end
     | (Qexn result0 Post6) =>
       (exist_1 (qcomb [result0_0: unit]False
                 (qcomb [result0_0: Z]`result0_0 = 1` [result0_0: unit]False)) 
       (Val unit (Exn unit result0)) Post6)
     end.

Definition p6 (* validation *)
  : (sig_1 (EM unit (EM Z unit)) [result: (EM unit (EM Z unit))]
     (((qcomb [result: unit]True (qcomb [result: Z]False [result: unit]False))
       result)))
  := let (result, Post2) =
       let (result, WP5) = (exist_1 [result: bool]
         (if result then False else True) false I) in
       Cases
         (btest [result:bool](if result then False else True) result WP5) of
       | (left WP5_0) =>
           let (result0, Post3) =
             let (result0, Post4) = (exist_1 [result0: Z]False `1`
               (False_ind ? WP5_0)) in
             (exist_1 (qcomb [result1: Z]False [result1: unit]True) (Exn unit
                                                                    result0)
             (False_ind ? Post4)) in
           Cases (decomp1 Post3) of
           | (Qval (exist result0_0 WP1)) =>
             (exist_1 (qcomb [result1: Z]False [result1: unit]True) (Val Z
                                                                    result0_0)
             I)
           | (Qexn result0_0 Post5) =>
             (exist_1 (qcomb [result1: Z]False [result1: unit]True) (Exn unit
                                                                    result0_0)
             (False_ind ? Post5))
           end
       | (right WP5_0) =>
           let (result0, WP1) = (exist_1 [result0: unit]True tt I) in
           (exist_1 (qcomb [result1: Z]False [result1: unit]True) (Val Z
                                                                    result0)
           I) end in
     Cases (decomp1 Post2) of
     | (Qval (exist result0 WP1)) =>
       let (result0_0, Post7) =
         (exist_1 (qcomb [result0_0: unit]True [result0_0: unit]False) 
         (Exn unit tt) I) in
       Cases (decomp1 Post7) of
       | (Qval (exist result0_1 Post8)) =>
         (exist_1 (qcomb [result1: unit]True
                   (qcomb [result1: Z]False [result1: unit]False)) (Val unit
                                                                    (Val Z
                                                                    result0_1))
         (False_ind ? Post8))
       | (Qexn _ Post9) =>
         (exist_1 (qcomb [result1: unit]True
                   (qcomb [result1: Z]False [result1: unit]False)) (Exn
                                                                    (EM Z
                                                                    unit) 
                                                                    tt) I)
       end
     | (Qexn result0 Post6) =>
       (exist_1 (qcomb [result0_0: unit]True
                 (qcomb [result0_0: Z]False [result0_0: unit]False)) 
       (Val unit (Exn unit result0)) (False_ind ? Post6))
     end.

Definition p7 (* validation *)
  : (x: Z)
    (sig_2 Z (EM unit unit) [x0: Z][result: (EM unit unit)]
     (((qcomb [result: unit]`x0 = 1` [result: unit]False) result)))
  := [x: Z]
       let (x0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `1` `1`
           (refl_equal ? `1`)) in
         (exist_2 [x1: Z][result0: unit]x1 = `1` result tt Post1) in
       let (result0, Post3) =
         (exist_1 (qcomb [result0: unit]`x0 = 1` [result0: unit]
                   ((x:Z) (x = `2` -> False))) (Exn unit tt)
         (p7_po_1 x0 Post1)) in
       Cases (decomp1 Post3) of
       | (Qval (exist result0_0 WP2)) =>
         let (x1, result1, Post2) =
           let (result1, Post2) = (exist_1 [result1: Z]result1 = `2` 
             `2` (refl_equal ? `2`)) in
           (exist_2 [x2: Z][result2: unit]x2 = `2` result1 tt Post2) in
         (exist_2 [x2: Z]
         (qcomb [result2: unit]`x2 = 1` [result2: unit]False) x1
         (Val unit result1) let HW_1 = (WP2 x1 Post2) in
                            HW_1)
       | (Qexn _ Post4) => (exist_2 [x1: Z]
         (qcomb [result1: unit]`x1 = 1` [result1: unit]False) x0
         (Exn unit tt) Post4)
       end.

Definition p8 (* validation *)
  : (x: Z)
    (sig_2 Z (EM Z unit) [x0: Z][result: (EM Z unit)]
     (((qcomb [result: Z]`x0 = 1` /\ `result = 1` [result: unit]False) result)))
  := [x: Z]
       let (x0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `1` `1`
           (refl_equal ? `1`)) in
         (exist_2 [x1: Z][result0: unit]x1 = `1` result tt Post1) in
       let (result0, Post3) =
         let (result0, Post4) = (exist_1 [result0: Z]`x0 = 1` /\
           `result0 = 1` x0 (p8_po_1 x0 Post1)) in
         (exist_1 (qcomb [result1: Z]`x0 = 1` /\ `result1 = 1`
                   [result1: unit]((x:Z) (x = `2` -> False))) (Exn unit
                                                                result0)
         Post4) in
       Cases (decomp1 Post3) of
       | (Qval (exist result0_0 WP2)) =>
         let (x1, result1, Post2) =
           let (result1, Post2) = (exist_1 [result1: Z]result1 = `2` 
             `2` (refl_equal ? `2`)) in
           (exist_2 [x2: Z][result2: unit]x2 = `2` result1 tt Post2) in
         (exist_2 [x2: Z]
         (qcomb [result2: Z]`x2 = 1` /\ `result2 = 1` [result2: unit]False) 
         x1 (Val Z result1) let HW_1 = (WP2 x1 Post2) in
                            HW_1)
       | (Qexn result0_0 Post5) => (exist_2 [x1: Z]
         (qcomb [result1: Z]`x1 = 1` /\ `result1 = 1` [result1: unit]False) 
         x0 (Exn unit result0_0) Post5)
       end.

Definition p9 (* validation *)
  : (x: Z)
    (sig_2 Z (EM Z unit) [x0: Z][result: (EM Z unit)]
     (((qcomb [result: Z]`x0 = 1` /\ `result = 1` [result: unit]False) result)))
  := [x: Z]
       let (x0, result, Post2) =
         let (x0, result, Post1) =
           let (result, Post1) = (exist_1 [result: Z]result = `1` `1`
             (refl_equal ? `1`)) in
           (exist_2 [x1: Z][result0: unit]x1 = `1` result tt Post1) in
         let (result0, Post3) = (exist_1 [result0: Z]`x0 = 1` /\
           `result0 = 1` x0 (p9_po_1 x0 Post1)) in
         (exist_2 [x1: Z][result1: Z]`x1 = 1` /\ `result1 = 1` x0 result0
         Post3) in
       (exist_2 [x1: Z]
       (qcomb [result0: Z]`x1 = 1` /\ `result0 = 1` [result0: unit]False) 
       x0 (Exn unit result) Post2).

Definition p10 (* validation *)
  : (sig_1 Z [result: Z](`result = 0`))
  := let (result, Post1) =
       (exist_1 (qcomb [result: unit]`0 = 0` [result: Z]`result = 0`) 
       (Exn Z tt) (refl_equal ? `0`)) in
     Cases (decomp1 Post1) of
     | (Qval (exist result0 Post2)) => (exist_1 [result0_0: Z]
       `result0_0 = 0` result0 Post2)
     | (Qexn _ WP1) =>
       let (result0, Post3) = (exist_1 [result0: Z]`result0 = 0` `0`
         (refl_equal ? `0`)) in
       (exist_1 [result1: Z]`result1 = 0` result0 Post3)
     end.

Definition p11 (* validation *)
  : (sig_1 Z [result: Z](`result = 1`))
  := let (result, Post1) =
       let (result, WP1) = (exist_1 [result: Z]`result = 1` `1`
         (refl_equal ? `1`)) in
       (exist_1 (qcomb [result0: Z]`result0 = 1` [result0: Z]`result0 = 1`) 
       (Exn Z result) WP1) in
     Cases (decomp1 Post1) of
     | (Qval (exist result0 Post2)) => (exist_1 [result0_0: Z]
       `result0_0 = 1` result0 Post2)
     | (Qexn result0 WP1) =>
       let (result0_0, Post3) = (exist_1 [result0_0: Z]
         `result0_0 = 1` result0 WP1) in
       (exist_1 [result1: Z]`result1 = 1` result0_0 Post3)
     end.

Definition p12 (* validation *)
  : (sig_1 Z [result: Z](`result = 2`))
  := let (result, Post1) =
       let (result, Post2) =
         (exist_1 (qcomb [result: unit]`2 = 2` [result: unit]`3 = 2`) 
         (Exn unit tt) (refl_equal ? `2`)) in
       Cases (decomp1 Post2) of
       | (Qval (exist result0 WP5)) =>
         let (result0_0, Post3) =
           let (result0_0, WP2) = (exist_1 [result0_0: Z]`3 = 2` `1` WP5) in
           (exist_1 (qcomb [result1: Z]`3 = 2` [result1: unit]`1 = 2`) 
           (Exn unit result0_0) WP2) in
         Cases (decomp1 Post3) of
         | (Qval (exist result0_1 WP3)) =>
           let (result1, Post4) = (exist_1 [result1: Z]`result1 = 2` 
             `1` WP3) in
           (exist_1 (qcomb [result2: unit]`2 = 2`
                     (qcomb [result2: Z]`3 = 2` [result2: Z]`result2 = 2`)) 
           (Val unit (Val Z result1)) Post4)
         | (Qexn result0_1 WP2) =>
           (exist_1 (qcomb [result1: unit]`2 = 2`
                     (qcomb [result1: Z]`3 = 2` [result1: Z]`result1 = 2`)) 
           (Val unit (Exn Z result0_1)) WP2)
         end
       | (Qexn _ WP1) =>
         (exist_1 (qcomb [result0: unit]`2 = 2`
                   (qcomb [result0: Z]`3 = 2` [result0: Z]`result0 = 2`)) 
         (Exn (EM Z Z) tt) (refl_equal ? `2`))
       end in
     Cases (decomp2 Post1) of
     | (Qval (Qval (exist result0 Post5))) => (exist_1 [result0_0: Z]
       `result0_0 = 2` result0 Post5)
     | (Qexn _ WP1) =>
       let (result0, Post6) = (exist_1 [result0: Z]`result0 = 2` `2`
         (refl_equal ? `2`)) in
       (exist_1 [result1: Z]`result1 = 2` result0 Post6)
     | (Qval (Qexn result0 WP2)) =>
       let (result0_0, Post7) = (exist_1 [result0_0: Z]`result0_0 = 2` 
         `3` WP2) in
       (exist_1 [result1: Z]`result1 = 2` result0_0 Post7)
     end.

Definition p13 (* validation *)
  : (x: Z)(sig_2 Z unit [x0: Z][result: unit](`x0 = 2`))
  := [x: Z]
       let (x0, result, Post4) =
         let (result, Post5) =
           (exist_1 (qcomb [result: unit]((x:Z) (x = `2` -> `x = 2`))
                     [result: unit]((x:Z) (x = `3` -> `x = 2`))) (Exn unit
                                                                   tt)
           p13_po_1) in
         Cases (decomp1 Post5) of
         | (Qval (exist result0 WP8)) =>
           let (result0_0, Post6) =
             let (result0_0, WP4) = (exist_1 [result0_0: Z]
               ((x:Z) (x = `3` -> `x = 2`)) `1` WP8) in
             (exist_1 (qcomb [result1: Z]((x:Z) (x = `3` -> `x = 2`))
                       [result1: unit]((x:Z) (x = `1` -> `x = 2`))) (Exn unit
                                                                    result0_0)
             WP4) in
           Cases (decomp1 Post6) of
           | (Qval (exist result0_1 WP6)) =>
             let (x0, result1, Post1) =
               let (result1, Post1) = (exist_1 [result1: Z]result1 = `1` 
                 `1` (refl_equal ? `1`)) in
               (exist_2 [x1: Z][result2: unit]x1 = `1` result1 tt Post1) in
             (exist_2 [x1: Z]
             (qcomb [result2: unit]((x:Z) (x = `2` -> `x = 2`))
              (qcomb [result2: Z]((x:Z) (x = `3` -> `x = 2`)) [result2: unit]
               `x1 = 2`)) x0
             (Val unit (Val Z result1)) let HW_2 = (WP6 x0 Post1) in
                                        HW_2)
           | (Qexn result0_1 WP4) => (exist_2 [x0: Z]
             (qcomb [result1: unit]((x:Z) (x = `2` -> `x = 2`))
              (qcomb [result1: Z]((x:Z) (x = `3` -> `x = 2`)) [result1: unit]
               `x0 = 2`)) x (Val unit (Exn unit result0_1)) WP4)
           end
         | (Qexn _ WP2) => (exist_2 [x0: Z]
           (qcomb [result0: unit]((x:Z) (x = `2` -> `x = 2`))
            (qcomb [result0: Z]((x:Z) (x = `3` -> `x = 2`)) [result0: unit]
             `x0 = 2`)) x (Exn (EM Z unit) tt) WP2)
         end in
       Cases (decomp2 Post4) of
       | (Qval (Qval (exist result0 Post7))) => (exist_2 [x1: Z]
         [result0_0: unit]`x1 = 2` x0 result0 Post7)
       | (Qexn _ WP2) =>
         let (x1, result0, Post2) =
           let (result0, Post2) = (exist_1 [result0: Z]result0 = `2` 
             `2` (refl_equal ? `2`)) in
           (exist_2 [x2: Z][result1: unit]x2 = `2` result0 tt Post2) in
         (exist_2 [x2: Z][result1: unit]`x2 = 2` x1 result0
         let HW_3 = (WP2 x1 Post2) in
         HW_3)
       | (Qval (Qexn result0 WP4)) =>
         let (x1, result0_0, Post3) =
           let (result0_0, Post3) = (exist_1 [result0_0: Z]
             result0_0 = `3` `3` (refl_equal ? `3`)) in
           (exist_2 [x2: Z][result1: unit]x2 = `3` result0_0 tt Post3) in
         (exist_2 [x2: Z][result1: unit]`x2 = 2` x1 result0_0
         let HW_4 = (WP4 x1 Post3) in
         HW_4)
       end.

Definition p14 (* validation *)
  : (x: Z)
    (sig_1 (EM unit (EM unit (EM unit (EM unit unit))))
     [result: (EM unit (EM unit (EM unit (EM unit unit))))]
     (((qcomb [result: unit]`x <> 1` /\ `x <> 2` /\ `x <> 3`
        (qcomb [result: unit]`x = 1`
         (qcomb [result: unit]`x = 2`
          (qcomb [result: unit]`x = 3` [result: unit]False))))
       result)))
  := [x: Z]
       let (result, Post4) =
         let (result, Bool1) =
           let (result1, Post5) = (Z_eq_bool x `1`) in
           (exist_1 [result2: bool]
           (if result2 then `x = 1` else `x <> 1`) result1 Post5) in
         Cases
           (btest [result:bool](if result then `x = 1` else `x <> 1`) result
            Bool1) of
         | (left Test2) =>
             let (result0, Post6) =
               (exist_1 (qcomb [result0: unit]`x = 1` [result0: unit]
                         ((`x = 2` -> `x = 2`)) /\
                         ((`x <> 2` -> ((`x = 3` -> `x = 3`)) /\
                           ((`x <> 3` -> `x <> 1` /\ `x <> 2` /\ `x <> 3`))))) 
               (Exn unit tt) Test2) in
             Cases (decomp1 Post6) of
             | (Qval (exist result0_0 WP11)) =>
               (exist_1 (qcomb [result1: unit]`x = 1` [result1: unit]
                         ((`x = 2` -> `x = 2`)) /\
                         ((`x <> 2` -> ((`x = 3` -> `x = 3`)) /\
                           ((`x <> 3` -> `x <> 1` /\ `x <> 2` /\ `x <> 3`))))) 
               (Val unit result0_0) WP11)
             | (Qexn _ Post7) =>
               (exist_1 (qcomb [result1: unit]`x = 1` [result1: unit]
                         ((`x = 2` -> `x = 2`)) /\
                         ((`x <> 2` -> ((`x = 3` -> `x = 3`)) /\
                           ((`x <> 3` -> `x <> 1` /\ `x <> 2` /\ `x <> 3`))))) 
               (Exn unit tt) Post7)
             end
         | (right Test1) =>
             let (result0, WP11) = (exist_1 [result0: unit]
               ((`x = 2` -> `x = 2`)) /\
               ((`x <> 2` -> ((`x = 3` -> `x = 3`)) /\
                 ((`x <> 3` -> `x <> 1` /\ `x <> 2` /\ `x <> 3`)))) tt
               (p14_po_1 x Test1)) in
             (exist_1 (qcomb [result1: unit]`x = 1` [result1: unit]
                       ((`x = 2` -> `x = 2`)) /\
                       ((`x <> 2` -> ((`x = 3` -> `x = 3`)) /\
                         ((`x <> 3` -> `x <> 1` /\ `x <> 2` /\ `x <> 3`))))) 
             (Val unit result0) WP11) end in
       Cases (decomp1 Post4) of
       | (Qval (exist result0 WP11)) =>
         let (result0_0, Post9) =
           let (result0_0, Bool2) =
             let (result2, Post10) = (Z_eq_bool x `2`) in
             (exist_1 [result3: bool]
             (if result3 then `x = 2` else `x <> 2`) result2 Post10) in
           Cases
             (btest
              [result0_0:bool](if result0_0 then `x = 2` else `x <> 2`) result0_0
              Bool2) of
           | (left Test4) =>
               let (result1, Post11) =
                 (exist_1 (qcomb [result1: unit]`x = 2` [result1: unit]
                           ((`x = 3` -> `x = 3`)) /\
                           ((`x <> 3` -> `x <> 1` /\ `x <> 2` /\ `x <> 3`))) 
                 (Exn unit tt) Test4) in
               Cases (decomp1 Post11) of
               | (Qval (exist result1_0 WP6)) =>
                 (exist_1 (qcomb [result2: unit]`x = 2` [result2: unit]
                           ((`x = 3` -> `x = 3`)) /\
                           ((`x <> 3` -> `x <> 1` /\ `x <> 2` /\ `x <> 3`))) 
                 (Val unit result1_0) WP6)
               | (Qexn _ Post12) =>
                 (exist_1 (qcomb [result2: unit]`x = 2` [result2: unit]
                           ((`x = 3` -> `x = 3`)) /\
                           ((`x <> 3` -> `x <> 1` /\ `x <> 2` /\ `x <> 3`))) 
                 (Exn unit tt) Post12)
               end
           | (right Test3) =>
               let (result1, WP6) = (exist_1 [result1: unit]
                 ((`x = 3` -> `x = 3`)) /\
                 ((`x <> 3` -> `x <> 1` /\ `x <> 2` /\ `x <> 3`)) tt
                 let HW_1 =
                   (why_boolean_forall
                     [result: bool]
                       (((if result then `x = 2` else `x <> 2`)) ->
                        (if result then `x = 2`
                         else ((`x = 3` -> `x = 3`)) /\
                         ((`x <> 3` -> `x <> 1` /\ `x <> 2` /\ `x <> 3`))))
                     WP11 false Test3) in
                 HW_1) in
               (exist_1 (qcomb [result2: unit]`x = 2` [result2: unit]
                         ((`x = 3` -> `x = 3`)) /\
                         ((`x <> 3` -> `x <> 1` /\ `x <> 2` /\ `x <> 3`))) 
               (Val unit result1) WP6) end in
         Cases (decomp1 Post9) of
         | (Qval (exist result0_1 WP6)) =>
           let (result1, Post14) =
             let (result1, Bool3) =
               let (result3, Post15) = (Z_eq_bool x `3`) in
               (exist_1 [result4: bool]
               (if result4 then `x = 3` else `x <> 3`) result3 Post15) in
             Cases
               (btest
                [result1:bool](if result1 then `x = 3` else `x <> 3`) result1
                Bool3) of
             | (left Test6) =>
                 let (result2, Post16) =
                   (exist_1 (qcomb [result2: unit]`x = 3` [result2: unit]
                             `x <> 1` /\ `x <> 2` /\ `x <> 3`) (Exn unit tt)
                   Test6) in
                 Cases (decomp1 Post16) of
                 | (Qval (exist result2_0 WP1)) =>
                   (exist_1 (qcomb [result3: unit]`x = 3` [result3: unit]
                             `x <> 1` /\ `x <> 2` /\ `x <> 3`) (Val unit
                                                                 result2_0)
                   WP1)
                 | (Qexn _ Post17) =>
                   (exist_1 (qcomb [result3: unit]`x = 3` [result3: unit]
                             `x <> 1` /\ `x <> 2` /\ `x <> 3`) (Exn unit tt)
                   Post17)
                 end
             | (right Test5) =>
                 let (result2, WP1) = (exist_1 [result2: unit]`x <> 1` /\
                   `x <> 2` /\ `x <> 3` tt
                   let HW_2 =
                     (why_boolean_forall
                       [result: bool]
                         (((if result then `x = 3` else `x <> 3`)) ->
                          (if result then `x = 3` else `x <> 1` /\
                           `x <> 2` /\ `x <> 3`)) WP6 false Test5) in
                   HW_2) in
                 (exist_1 (qcomb [result3: unit]`x = 3` [result3: unit]
                           `x <> 1` /\ `x <> 2` /\ `x <> 3`) (Val unit
                                                               result2)
                 WP1) end in
           Cases (decomp1 Post14) of
           | (Qval (exist result1_0 WP1)) =>
             let (result2, Post19) =
               (exist_1 (qcomb [result2: unit]`x <> 1` /\ `x <> 2` /\
                         `x <> 3` [result2: unit]False) (Exn unit tt) WP1) in
             Cases (decomp1 Post19) of
             | (Qval (exist result2_0 Post20)) =>
               (exist_1 (qcomb [result3: unit]`x <> 1` /\ `x <> 2` /\
                         `x <> 3`
                         (qcomb [result3: unit]`x = 1`
                          (qcomb [result3: unit]`x = 2`
                           (qcomb [result3: unit]`x = 3` [result3: unit]False)))) 
               (Val unit (Val unit (Val unit (Val unit result2_0))))
               (False_ind ? Post20))
             | (Qexn _ Post21) =>
               (exist_1 (qcomb [result3: unit]`x <> 1` /\ `x <> 2` /\
                         `x <> 3`
                         (qcomb [result3: unit]`x = 1`
                          (qcomb [result3: unit]`x = 2`
                           (qcomb [result3: unit]`x = 3` [result3: unit]False)))) 
               (Exn (EM unit (EM unit (EM unit unit))) tt) Post21)
             end
           | (Qexn _ Post18) =>
             (exist_1 (qcomb [result2: unit]`x <> 1` /\ `x <> 2` /\ `
                       x <> 3`
                       (qcomb [result2: unit]`x = 1`
                        (qcomb [result2: unit]`x = 2`
                         (qcomb [result2: unit]`x = 3` [result2: unit]False)))) 
             (Val unit (Val unit (Val unit (Exn unit tt)))) Post18)
           end
         | (Qexn _ Post13) =>
           (exist_1 (qcomb [result1: unit]`x <> 1` /\ `x <> 2` /\ `x <> 3`
                     (qcomb [result1: unit]`x = 1`
                      (qcomb [result1: unit]`x = 2`
                       (qcomb [result1: unit]`x = 3` [result1: unit]False)))) 
           (Val unit (Val unit (Exn (EM unit unit) tt))) Post13)
         end
       | (Qexn _ Post8) =>
         (exist_1 (qcomb [result0: unit]`x <> 1` /\ `x <> 2` /\ `x <> 3`
                   (qcomb [result0: unit]`x = 1`
                    (qcomb [result0: unit]`x = 2`
                     (qcomb [result0: unit]`x = 3` [result0: unit]False)))) 
         (Val unit (Exn (EM unit (EM unit unit)) tt)) Post8)
       end.

why-2.34/bench/good-v7/see_valid.v0000644000175000017500000001303612311670312015303 0ustar  rtusers(* This file is generated by Why; do not edit *)

Require Why.
Require Export see_why.

Definition f (* validation *)
  : (u: unit)(b: Z)
    (sig_2 Z Z [b0: Z][result: Z](`result = b0` /\ `b0 = 1 - b`))
  := [u: unit; b: Z]
       let (b0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `1 - b` `1 - b`
           (refl_equal ? `1 - b`)) in
         (exist_2 [b3: Z][result0: unit]b3 = `1 - b` result tt Post1) in
       let (result0, Post2) = (exist_1 [result0: Z]`result0 = b0` /\
         `b0 = 1 - b` b0 (f_po_1 b b0 Post1)) in
       (exist_2 [b3: Z][result1: Z]`result1 = b3` /\ `b3 = 1 - b` b0 
       result0 Post2).

Definition k (* validation *)
  : (u: unit)(b: Z)(b1: Z)(b2: Z)
    (sig_4 Z Z Z unit [b0: Z][b4: Z][b3: Z][result: unit](`b4 = 0` /\
     `b3 = 1`))
  := [u: unit; b: Z; b1: Z; b2: Z]
       let (b0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `1` `1`
           (refl_equal ? `1`)) in
         (exist_2 [b3: Z][result0: unit]b3 = `1` result tt Post1) in
       let (b4, b3, result0, WP8) =
         let (b3, result0, WP8) =
           let (b3, aux_4, Post2) =
             let (b3, result2, Post3) = (f tt b0) in
             (exist_2 [b4: Z][result3: Z]`result3 = b4` /\ `b4 = 1 - b0` 
             b3 result2 Post3) in
           let (b4, result0, WP8) =
             let (b4, aux_3, WP9) =
               let (b4, aux_2, Post4) =
                 let (b4, result2, Post5) = (f tt b3) in
                 (exist_2 [b5: Z][result3: Z]`result3 = b5` /\
                 `b5 = 1 - b3` b4 result2 Post5) in
               let (result0, WP9) = (exist_1 [result0: Z]
                 ((result:Z)
                  ((b:Z)
                   (`result = b` /\ `b = 1 - b4` ->
                    ((result1:Z)
                     ((b0:Z)
                      (`result1 = b0` /\ `b0 = 1 - b` ->
                       `result0 + aux_4 = 0` /\ `result1 * (1 - result) = 1`)))))) 
                 `1 - aux_2`
                 (k_po_1 b0 Post1 b3 aux_4 Post2 b4 aux_2 Post4)) in
               (exist_2 [b5: Z][result1: Z]
               ((result:Z)
                ((b:Z)
                 (`result = b` /\ `b = 1 - b5` ->
                  ((result0:Z)
                   ((b0:Z)
                    (`result0 = b0` /\ `b0 = 1 - b` ->
                     `result1 + aux_4 = 0` /\ `result0 * (1 - result) = 1`)))))) 
               b4 result0 WP9) in
             let (result0, WP8) = (exist_1 [result0: Z]
               ((result:Z)
                ((b:Z)
                 (`result = b` /\ `b = 1 - b4` ->
                  ((result1:Z)
                   ((b0:Z)
                    (`result1 = b0` /\ `b0 = 1 - b` -> `result0 = 0` /\
                     `result1 * (1 - result) = 1`)))))) `aux_3 + aux_4`
               WP9) in
             (exist_2 [b5: Z][result1: Z]
             ((result:Z)
              ((b:Z)
               (`result = b` /\ `b = 1 - b5` ->
                ((result0:Z)
                 ((b0:Z)
                  (`result0 = b0` /\ `b0 = 1 - b` -> `result1 = 0` /\
                   `result0 * (1 - result) = 1`)))))) b4
             result0 WP8) in
           (exist_2 [b5: Z][result1: Z]
           ((result:Z)
            ((b:Z)
             (`result = b` /\ `b = 1 - b5` ->
              ((result0:Z)
               ((b0:Z)
                (`result0 = b0` /\ `b0 = 1 - b` -> `result1 = 0` /\
                 `result0 * (1 - result) = 1`)))))) b4
           result0 WP8) in
         (exist_3 [b6: Z][b5: Z][result1: unit]
         ((result:Z)
          ((b:Z)
           (`result = b` /\ `b = 1 - b6` ->
            ((result0:Z)
             ((b0:Z)
              (`result0 = b0` /\ `b0 = 1 - b` -> `b5 = 0` /\
               `result0 * (1 - result) = 1`)))))) b3
         result0 tt WP8) in
       let (b6, b5, result1, Post6) =
         let (b5, result1, Post7) =
           let (b5, aux_7, WP3) =
             let (b5, aux_6, Post8) =
               let (b5, result3, Post9) = (f tt b4) in
               (exist_2 [b6: Z][result4: Z]`result4 = b6` /\ `b6 = 1 - b4` 
               b5 result3 Post9) in
             let (result1, WP3) = (exist_1 [result1: Z]
               ((result:Z)
                ((b:Z)
                 (`result = b` /\ `b = 1 - b5` -> `b3 = 0` /\
                  `result * result1 = 1`))) `1 - aux_6`
               [result: Z]
                 [b: Z]
                   [HW_3: `result = b` /\ `b = 1 - b5`]
                     let HW_4 = (WP8 aux_6 b5 Post8) in
                     let HW_5 = (HW_4 result b HW_3) in
                     HW_5) in
             (exist_2 [b6: Z][result2: Z]
             ((result:Z)
              ((b:Z)
               (`result = b` /\ `b = 1 - b6` -> `b3 = 0` /\
                `result * result2 = 1`))) b5
             result1 WP3) in
           let (b6, result1, Post10) =
             let (b6, aux_5, Post11) =
               let (b6, result3, Post12) = (f tt b5) in
               (exist_2 [b7: Z][result4: Z]`result4 = b7` /\ `b7 = 1 - b5` 
               b6 result3 Post12) in
             let (result1, Post13) = (exist_1 [result1: Z]`b3 = 0` /\
               `result1 = 1` `aux_5 * aux_7`
               let HW_6 = (WP3 aux_5 b6 Post11) in
               HW_6) in
             (exist_2 [b7: Z][result2: Z]`b3 = 0` /\ `result2 = 1` b6 
             result1 Post13) in
           (exist_2 [b7: Z][result2: Z]`b3 = 0` /\ `result2 = 1` b6 result1
           Post10) in
         (exist_3 [b8: Z][b7: Z][result2: unit]`b3 = 0` /\ `b7 = 1` b5
         result1 tt Post7) in
       (exist_4 [b9: Z][b8: Z][b7: Z][result2: unit]`b8 = 0` /\ `b7 = 1` 
       b6 b3 b5 result1 Post6).

why-2.34/bench/good-v7/loops_why.v0000644000175000017500000000332512311670312015373 0ustar  rtusers
Require Why.
Require Omega.

(* Why obligation from file "good/loops.mlw", characters 156-167 *)
Lemma loop1_po_1 : 
  (i: Z)
  (Pre6: `i <= 10`)
  (Variant1: Z)
  (i0: Z)
  (Pre5: Variant1 = `10 - i0`)
  (Pre4: `i0 <= 10`)
  (Test2: `i0 < 10`)
  (Pre3: `i0 <= 10`)
  (i1: Z)
  (Post1: i1 = `i0 + 1`)
  `i1 <= 10` /\ (Zwf `0` `10 - i1` `10 - i0`).
Proof.
Unfold Zwf; Intros; Omega.
Save.

(* Why obligation from file "good/loops.mlw", characters 82-187 *)
Lemma loop1_po_2 : 
  (i: Z)
  (Pre6: `i <= 10`)
  (Variant1: Z)
  (i0: Z)
  (Pre5: Variant1 = `10 - i0`)
  (Pre4: `i0 <= 10`)
  (Test1: `i0 >= 10`)
  (Pre2: `i0 <= 10`)
  `i0 = 10`.
Proof.
Intros; Omega.
Save.







(* Why obligation from file "good/loops.mlw", characters 414-425 *)
Lemma loop2_po_1 : 
  (x: Z)
  (Pre4: `x <= 10`)
  (Variant1: Z)
  (x0: Z)
  (Pre3: Variant1 = `10 - x0`)
  (Pre2: `x0 <= 10`)
  (Test2: `x0 < 10`)
  (x1: Z)
  (Post1: x1 = `x0 + 1`)
  `x1 <= 10` /\ (Zwf `0` `10 - x1` `10 - x0`).
Proof.
Unfold Zwf; Intros; Omega.
Save.

(* Why obligation from file "good/loops.mlw", characters 354-445 *)
Lemma loop2_po_2 : 
  (x: Z)
  (Pre4: `x <= 10`)
  (Variant1: Z)
  (x0: Z)
  (Pre3: Variant1 = `10 - x0`)
  (Pre2: `x0 <= 10`)
  (Test1: `x0 >= 10`)
  `x0 = 10`.
Proof.
Intros; Intuition.
Save.

(* Why obligation from file "good/loops.mlw", characters 474-487 *)
Lemma loop2_po_3 : 
  (x: Z)
  (Pre4: `x <= 10`)
  (x0: Z)
  (Post4: `x0 = 10`)
  (Test4: `x0 > 0`)
  (x1: Z)
  (Post11: `x1 = (-x0)`)
  `x1 = (-10)`.
Proof.
Simpl; Intros; Omega.
Save.

(* Why obligation from file "good/loops.mlw", characters 487-487 *)
Lemma loop2_po_4 : 
  (x: Z)
  (Pre4: `x <= 10`)
  (x0: Z)
  (Post4: `x0 = 10`)
  (Test3: `x0 <= 0`)
  `x0 = (-10)`.
Proof.
Intros; Omega.
Save.




why-2.34/bench/good-v7/all_why.v0000644000175000017500000001263312311670312015011 0ustar  rtusers
Require Import Why.
Require Omega.

Parameter foo : Set.

(*Why*) Parameter v2 : Z.

(*Why*) Parameter v3 : Z.

(*Why*) Parameter v5 : foo.

(*Why*) Parameter f1 : (_: Z)(_: bool)Z.

(*Why*) Parameter f2 : (_: Z)bool.

(*Why*) Parameter f3 :
  (x: Z)(y: Z)(H: `x >= 0`)
  (sig_2 Z Z [y0: Z][result: Z](`y0 = y + x + result`)).

(*Why*) Parameter f4 : (_: unit)unit.

(*Why*) Parameter f5 : (_: foo)foo.

(*Why*) Parameter f6 : (x: foo)foo.

(*Why*) Parameter f7 : (x: foo)foo.

(*Why*) Parameter f8 :
  (t: (array Z))(sig_1 unit [result: unit](`(access t 1) = 2`)).





(* Why obligation from file "all.mlw", characters 675-693 *)
Lemma p2_po_1 : 
  ~False.
Proof.
Tauto.
Save.





(* Why obligation from file "all.mlw", characters 703-725 *)
Lemma p3_po_1 : 
  True /\ True.
Proof.
Tauto.
Save.





(* Why obligation from file "all.mlw", characters 735-757 *)
Lemma p4_po_1 : 
  True \/ False.
Proof.
Tauto.
Save.





(* Why obligation from file "all.mlw", characters 767-794 *)
Lemma p5_po_1 : 
  False \/ ~False.
Proof. 
Auto.
Save.





(* Why obligation from file "all.mlw", characters 804-830 *)
Lemma p6_po_1 : 
  (True -> ~False).
Proof.
Auto.
Save.





(* Why obligation from file "all.mlw", characters 840-866 *)
Lemma p7_po_1 : 
  ((x:Z) `x = x`).
Proof.
Auto.
Save.





(* Why obligation from file "all.mlw", characters 876-911 *)
Lemma p8_po_1 : 
  True /\ ((x:Z) `x = x`).
Proof.
Auto.
Save.


(* Why obligation from file "all.mlw", characters 921-968 *)
Lemma p9_po_1 : 
  ((x:Z) ((y:Z) (`x = y` -> `x = y`))).
Proof.
Trivial.
Save.

(* Why obligation from file "all.mlw", characters 1164-1167 *)
Lemma ar6_po_1 : 
  ~(`1` = `0`).
Proof.
Omega.
Save.





(* Why obligation from file "all.mlw", characters 1178-1181 *)
Lemma ar7_po_1 : 
  ~(`1` = `0`).
Proof.
Omega.
Save.

















































































































(* Why obligation from file "all.mlw", characters 2122-2156 *)
Lemma arr1_po_1 : 
  (v6: (array Z))
  (Pre2: `(array_length v6) >= 1`)
  `0 <= 0` /\ `0 < (array_length v6)`.
Proof. (* arr1_po_1 *)
Intros; Omega.
Save.





(* Why obligation from file "all.mlw", characters 2169-2205 *)
Lemma arr2_po_1 : 
  (v6: (array Z))
  (Pre2: `(array_length v6) >= 4`)
  `0 <= 1 + 2` /\ `1 + 2 < (array_length v6)`.
Proof. (* arr2_po_1 *)
Intros; Omega.
Save.





(* Why obligation from file "all.mlw", characters 2217-2264 *)
Lemma arr3_po_1 : 
  (v4: Z)
  (v6: (array Z))
  (Pre2: `(array_length v6) >= 1` /\ `v4 = 0`)
  `0 <= v4` /\ `v4 < (array_length v6)`.
Proof. (* arr3_po_1 *)
Intros; Omega.
Save.





(* Why obligation from file "all.mlw", characters 2320-2325 *)
Lemma arr4_po_1 : 
  (v6: (array Z))
  (Pre3: `(array_length v6) >= 10` /\ `(access v6 0) = 9`)
  `0 <= 0` /\ `0 < (array_length v6)`.
Proof. (* arr4_po_1 *)
Intros; Omega.
Save.

(* Why obligation from file "all.mlw", characters 2276-2329 *)
Lemma arr4_po_2 : 
  (v6: (array Z))
  (Pre3: `(array_length v6) >= 10` /\ `(access v6 0) = 9`)
  (Pre2: `0 <= 0` /\ `0 < (array_length v6)`)
  `0 <= (access v6 0)` /\ `(access v6 0) < (array_length v6)`.
Proof. (* arr4_po_2 *)
Intros; Omega.
Save.





(* Why obligation from file "all.mlw", characters 2342-2381 *)
Lemma arr5_po_1 : 
  (v6: (array Z))
  (Pre2: `(array_length v6) >= 1`)
  `0 <= 0` /\ `0 < (array_length v6)`.
Proof. (* arr5_po_1 *)
Intros; Simpl; Omega.
Save.


(* Why obligation from file "all.mlw", characters 2393-2436 *)
Lemma arr6_po_1 : 
  (v6: (array Z))
  (Pre2: `(array_length v6) >= 4`)
  `0 <= 1 + 2` /\ `1 + 2 < (array_length v6)`.
Proof. (* arr6_po_1 *)
Intros; Simpl; Omega.
Save.



(* Why obligation from file "all.mlw", characters 2448-2506 *)
Lemma arr7_po_1 : 
  (v6: (array Z))
  (Pre3: `(array_length v6) >= 10` /\ `(access v6 0) = 9`)
  `0 <= (access v6 0)` /\ `(access v6 0) < (array_length v6)`.
Proof. (* arr7_po_1 *)
Intros; Omega.
Save.

(* Why obligation from file "all.mlw", characters 2492-2497 *)
Lemma arr7_po_2 : 
  (v6: (array Z))
  (Pre3: `(array_length v6) >= 10` /\ `(access v6 0) = 9`)
  (Pre2: `0 <= (access v6 0)` /\ `(access v6 0) < (array_length v6)`)
  `0 <= 0` /\ `0 < (array_length v6)`.
Proof. (* arr7_po_2 *)
Intros; Simpl; Omega.
Save.





(* Why obligation from file "all.mlw", characters 2611-2619 *)
Lemma fc3_po_1 : 
  (a: Z)
  (Post2: a = `0`)
  (b: Z)
  (Post1: b = `0`)
  `a >= 0`.
Proof. Intros; Omega. Save.









(* Why obligation from file "all.mlw", characters 2762-2810 *)
Lemma an2_po_1 : 
  (v4: Z)
  (Pre1: `v4 >= 0`)
  (v4_0: Z)
  (Post1: v4_0 = `v4 + 1`)
  `v4_0 > v4`.
Proof.
Intros; Omega.
Save.


(*Why*) Inductive ET_E1 [T:Set] : Set :=
  | Val_E1 : T -> (ET_E1 T)
  | Exn_E1 : (ET_E1 T).

(*Why*) Definition post_E1 :=
  [T:Set][P:Prop][Q:T->Prop][x:(ET_E1 T)]
  Cases x of 
  | (Val_E1 v) => (Q v)
  | Exn_E1 => P
  end.

(*Why*) Implicits post_E1.

(*Why*) Inductive ET_E2 [T:Set] : Set :=
  | Val_E2 : T -> (ET_E2 T)
  | Exn_E2 : Z -> (ET_E2 T).

(*Why*) Definition post_E2 :=
  [T:Set][P:Z -> Prop][Q:T->Prop][x:(ET_E2 T)]
  Cases x of 
  | (Val_E2 v) => (Q v)
  | (Exn_E2 v) => (P v)
  end.

(*Why*) Implicits post_E2.

(*Why*) Inductive ET_E3 [T:Set] : Set :=
  | Val_E3 : T -> (ET_E3 T)
  | Exn_E3 : foo -> (ET_E3 T).

(*Why*) Definition post_E3 :=
  [T:Set][P:foo -> Prop][Q:T->Prop][x:(ET_E3 T)]
  Cases x of 
  | (Val_E3 v) => (Q v)
  | (Exn_E3 v) => (P v)
  end.

(*Why*) Implicits post_E3.



(*Why*) Parameter f1_ex : (n: Z)(EM unit unit).

(*Why*) Parameter f2_ex : (x: Z)(tuple_2 Z (EM unit (EM Z bool))).

why-2.34/bench/good-v7/set_why.v0000644000175000017500000000410212311670312015024 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Why.


(*Why*) Parameter set_and_test_zero :
  (v: Z)(x: Z)
  (sig_2 Z bool [x0: Z][result: bool](`x0 = v` /\
   ((if result then `x0 = 0` else `x0 <> 0`)))).

(* Why obligation from file "good/set.mlw", characters 208-209 *)
Lemma p_po_1 : 
  (x0: Z)
  (Test1: `x0 = 0` /\ `x0 <> 0`)
  `2 = 1`.
Proof.
Intros; Omega.
Save.

(*Why*) Parameter set_and_test_nzero :
  (v: Z)(x: Z)
  (sig_2 Z bool [x0: Z][result: bool](`x0 = v` /\
   ((if result then `x0 <> 0` else `x0 = 0`)))).

(* Why obligation from file "good/set.mlw", characters 446-457 *)
Lemma p2_po_1 : 
  (y: Z)
  (Pre6: `y >= 0`)
  (Variant1: Z)
  (y0: Z)
  (Pre5: Variant1 = y0)
  (Pre4: `y0 >= 0`)
  (x1: Z)
  (Test2: `x1 = y0` /\ `x1 <> 0`)
  (Pre3: `y0 >= 0`)
  (y1: Z)
  (Post1: y1 = `y0 - 1`)
  `y1 >= 0` /\ (Zwf `0` y1 y0).
Proof.
Unfold Zwf; Intuition.
Save.

(* Why obligation from file "good/set.mlw", characters 358-478 *)
Lemma p2_po_2 : 
  (y: Z)
  (Pre6: `y >= 0`)
  (Variant1: Z)
  (y0: Z)
  (Pre5: Variant1 = y0)
  (Pre4: `y0 >= 0`)
  (x1: Z)
  (Test1: `x1 = y0` /\ `x1 = 0`)
  (Pre2: `y0 >= 0`)
  `y0 = 0`.
Proof.
Intuition.
Save.

(* Why obligation from file "good/set.mlw", characters 559-560 *)
Lemma p3_po_1 : 
  (y: Z)
  (Pre4: `y >= 0`)
  (Variant1: Z)
  (y0: Z)
  (Pre3: Variant1 = y0)
  (Pre2: `y0 >= 0`)
  (Test2: true = true)
  (x1: Z)
  (b: bool)
  (Post10: `x1 = y0` /\ ((if b then `x1 <> 0` else `x1 = 0`)))
  (if b then ((y:Z) (y = `y0 - 1` -> `y >= 0` /\ (Zwf `0` y y0)))
   else `y0 = 0`).
Proof.
Unfold Zwf; Destruct b; Intuition.
Save.

(* Why obligation from file "good/set.mlw", characters 683-729 *)
Lemma p4_po_1 : 
  (y: Z)
  (Pre4: `y >= 1`)
  (Variant1: Z)
  (y0: Z)
  (Pre3: Variant1 = y0)
  (Pre2: `y0 >= 1`)
  (Test2: true = true)
  (y1: Z)
  (Post1: y1 = `y0 - 1`)
  (x1: Z)
  (result1: bool)
  (Post10: `x1 = y1` /\ ((if result1 then `x1 <> 0` else `x1 = 0`)))
  (if result1 then `y1 >= 1` /\ (Zwf `0` y1 y0) else `y1 = 0`).
Proof.
Unfold Zwf; Destruct result1; Intuition.
Save.

why-2.34/bench/good-v7/recfun.mlw0000644000175000017500000000165012311670312015163 0ustar  rtusers
(** Recursive functions *)

(** 1. Pure function *)

let rec f1 (x:int) : int { variant x } = 
  { x >= 0 } (if x > 0 then (f1 (x-1)) else x) { result = 0 }

(** 2. With effects but no argument *)

parameter x : int ref

let rec f2 (u:unit) : unit { variant x } =
  { x >= 0 } (if !x > 0 then begin x := !x - 1; (f2 void) end) { x = 0 }

(** 3. With effects and a pure argument *)

let rec f3 (a:int) : unit { variant a } =
  { a >= 0 } (if a > 0 then begin x := !x + 1; (f3 (a-1)) end) { x = x@ + a }

(** 4. With effects and a reference as argument *)

let rec f4 (a:int ref) : unit { variant a } =
  { a >= 0 } 
  (if !a > 0 then begin x := !x + 1; a := !a - 1; (f4 a) end)
  { x = x@ + a@ }

(** 5. The acid test: 
       partial application of a recursive function with effects *)

(*TODO
let rec f5 (a:int ref) (b:int ref) : unit { variant a } = !a + !b

let test_f5 = let f = (f5 x) in let b = ref 0 in (f b) { result = x }
*)

why-2.34/bench/good-v7/exns_why.v0000644000175000017500000000201612311670312015210 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Why.



(* Why obligation from file "good/exns.mlw", characters 838-845 *)
Lemma p7_po_1 : 
  (x0: Z)
  (Post1: x0 = `1`)
  `x0 = 1`.
Proof.
Intuition.
Save.


(* Why obligation from file "good/exns.mlw", characters 923-925 *)
Lemma p8_po_1 : 
  (x0: Z)
  (Post1: x0 = `1`)
  `x0 = 1` /\ `x0 = 1`.
Proof.
Intuition.
Save.


(* Why obligation from file "good/exns.mlw", characters 1020-1022 *)
Lemma p9_po_1 : 
  (x0: Z)
  (Post1: x0 = `1`)
  `x0 = 1` /\ `x0 = 1`.
Proof.
Intuition.
Save.









(* Why obligation from file "good/exns.mlw", characters 1372-1379 *)
Lemma p13_po_1 : 
  ((x:Z) (x = `2` -> `x = 2`)).
Proof.
Intuition.
Save.



(* Why obligation from file "good/exns.mlw", characters 1557-1557 *)
Lemma p14_po_1 : 
  (x: Z)
  (Test1: `x <> 1`)
  ((`x = 2` -> `x = 2`)) /\
  ((`x <> 2` -> ((`x = 3` -> `x = 3`)) /\
    ((`x <> 3` -> `x <> 1` /\ `x <> 2` /\ `x <> 3`)))).
Proof.
Intuition.
Save.


why-2.34/bench/good-v7/recfun_valid.v0000644000175000017500000002251112311670312016007 0ustar  rtusers(* This file is generated by Why; do not edit *)

Require Why.
Require Export recfun_why.

Definition f1 (* validation *)
  : (x: Z)(_: `x >= 0`)(sig_1 Z [result: Z](`result = 0`))
  := [x: Z; Pre8: `x >= 0`]
       (well_founded_induction Z (Zwf ZERO) (Zwf_well_founded `0`)
         [Variant1: Z](x0: Z)(_: Variant1 = x0)(_0: `x0 >= 0`)
         (sig_1 Z [result: Z](`result = 0`))
         [Variant1: Z; wf1: (Variant2: Z)(Pre1: (Zwf `0` Variant2 Variant1))
          (x0: Z)(_: Variant2 = x0)(_0: `x0 >= 0`)
          (sig_1 Z [result: Z](`result = 0`)); x0: Z; Pre7: Variant1 = x0;
          Pre6: `x0 >= 0`]
           let (result, Bool3) =
             let (result1, Post2) = (Z_gt_le_bool x0 `0`) in
             (exist_1 [result2: bool]
             (if result2 then `x0 > 0` else `x0 <= 0`) result1 Post2) in
           Cases
             (btest
              [result:bool](if result then `x0 > 0` else `x0 <= 0`) result
              Bool3) of
           | (left Test2) =>
               let Pre5 = (f1_po_1 x Pre8 Variant1 x0 Pre7 Pre6 Test2) in
               let (result0, Post4) =
                 let Pre3 = Pre5 in
                 let Pre4 = Pre3 in
                 let (result2, Post5) =
                   ((wf1 `x0 - 1`)
                     (f1_po_2 x Pre8 Variant1 x0 Pre7 Pre6 Test2 Pre5 Pre3
                     Pre4) `x0 - 1` (refl_equal ? `x0 - 1`) Pre4) in
                 (exist_1 [result3: Z]`result3 = 0` result2 Post5) in
               (exist_1 [result1: Z]`result1 = 0` result0 Post4)
           | (right Test1) =>
               let (result0, Post3) = (exist_1 [result0: Z]`result0 = 0` 
                 x0 (f1_po_3 x Pre8 Variant1 x0 Pre7 Pre6 Test1)) in
               (exist_1 [result1: Z]`result1 = 0` result0 Post3) end 
         x x (refl_equal ? x) Pre8).

Definition f2 (* validation *)
  : (u: unit)(x: Z)(_: `x >= 0`)
    (sig_2 Z unit [x0: Z][result: unit](`x0 = 0`))
  := [u: unit; x: Z; Pre8: `x >= 0`]
       (well_founded_induction Z (Zwf ZERO) (Zwf_well_founded `0`)
         [Variant1: Z](u0: unit)(x0: Z)(_: Variant1 = x0)(_0: `x0 >= 0`)
         (sig_2 Z unit [x1: Z][result: unit](`x1 = 0`))
         [Variant1: Z; wf1: (Variant2: Z)(Pre1: (Zwf `0` Variant2 Variant1))
          (u0: unit)(x0: Z)(_: Variant2 = x0)(_0: `x0 >= 0`)
          (sig_2 Z unit [x1: Z][result: unit](`x1 = 0`)); u0: unit; x0: Z;
          Pre7: Variant1 = x0; Pre6: `x0 >= 0`]
           let (result, Bool3) =
             let (result1, Post5) = (Z_gt_le_bool x0 `0`) in
             (exist_1 [result2: bool]
             (if result2 then `x0 > 0` else `x0 <= 0`) result1 Post5) in
           Cases
             (btest
              [result:bool](if result then `x0 > 0` else `x0 <= 0`) result
              Bool3) of
           | (left Test2) =>
               let (x1, result0, Post7) =
                 let (x1, result0, Post3) =
                   let (result0, Post3) = (exist_1 [result0: Z]
                     result0 = `x0 - 1` `x0 - 1` (refl_equal ? `x0 - 1`)) in
                   (exist_2 [x2: Z][result1: unit]x2 = `x0 - 1` result0 
                   tt Post3) in
                 let Pre5 =
                   (f2_po_1 x Pre8 Variant1 x0 Pre7 Pre6 Test2 x1 Post3) in
                 let (x2, result1, Post8) =
                   let Pre3 = Pre5 in
                   let Pre4 = Pre3 in
                   let (x2, result3, Post9) =
                     ((wf1 x1)
                       (f2_po_2 x Pre8 Variant1 x0 Pre7 Pre6 Test2 x1 Post3
                       Pre5 Pre3 Pre4) tt x1 (refl_equal ? x1) Pre4) in
                   (exist_2 [x3: Z][result4: unit]`x3 = 0` x2 result3 Post9) in
                 (exist_2 [x3: Z][result2: unit]`x3 = 0` x2 result1 Post8) in
               (exist_2 [x2: Z][result1: unit]`x2 = 0` x1 result0 Post7)
           | (right Test1) =>
               let (result0, Post6) = (exist_1 [result0: unit]`x0 = 0` 
                 tt (f2_po_3 x Pre8 Variant1 x0 Pre7 Pre6 Test1)) in
               (exist_2 [x1: Z][result1: unit]`x1 = 0` x0 result0 Post6) end
         x u x (refl_equal ? x) Pre8).

Definition f3 (* validation *)
  : (a: Z)(x: Z)(_: `a >= 0`)
    (sig_2 Z unit [x0: Z][result: unit](`x0 = x + a`))
  := [a: Z; x: Z; Pre8: `a >= 0`]
       (well_founded_induction Z (Zwf ZERO) (Zwf_well_founded `0`)
         [Variant1: Z](a0: Z)(x0: Z)(_: Variant1 = a0)(_0: `a0 >= 0`)
         (sig_2 Z unit [x1: Z][result: unit](`x1 = x0 + a0`))
         [Variant1: Z; wf1: (Variant2: Z)(Pre1: (Zwf `0` Variant2 Variant1))
          (a0: Z)(x0: Z)(_: Variant2 = a0)(_0: `a0 >= 0`)
          (sig_2 Z unit [x1: Z][result: unit](`x1 = x0 + a0`)); a0: Z; x0: Z;
          Pre7: Variant1 = a0; Pre6: `a0 >= 0`]
           let (result, Bool3) =
             let (result1, Post5) = (Z_gt_le_bool a0 `0`) in
             (exist_1 [result2: bool]
             (if result2 then `a0 > 0` else `a0 <= 0`) result1 Post5) in
           Cases
             (btest
              [result:bool](if result then `a0 > 0` else `a0 <= 0`) result
              Bool3) of
           | (left Test2) =>
               let (x1, result0, Post7) =
                 let (x1, result0, Post3) =
                   let (result0, Post3) = (exist_1 [result0: Z]
                     result0 = `x0 + 1` `x0 + 1` (refl_equal ? `x0 + 1`)) in
                   (exist_2 [x2: Z][result1: unit]x2 = `x0 + 1` result0 
                   tt Post3) in
                 let Pre5 =
                   (f3_po_1 a Pre8 Variant1 a0 x0 Pre7 Pre6 Test2 x1 Post3) in
                 let (x2, result1, Post8) =
                   let Pre3 = Pre5 in
                   let Pre4 = Pre3 in
                   let (x2, result3, Post9) =
                     ((wf1 `a0 - 1`)
                       (f3_po_2 a Pre8 Variant1 a0 x0 Pre7 Pre6 Test2 x1
                       Post3 Pre5 Pre3 Pre4) `a0 - 1` x1
                       (refl_equal ? `a0 - 1`) Pre4) in
                   (exist_2 [x3: Z][result4: unit]`x3 = x1 + (a0 - 1)` 
                   x2 result3 Post9) in
                 (exist_2 [x3: Z][result2: unit]`x3 = x0 + a0` x2 result1
                 (f3_po_3 a Pre8 Variant1 a0 x0 Pre7 Pre6 Test2 x1 Post3 Pre5
                 x2 Post8)) in
               (exist_2 [x2: Z][result1: unit]`x2 = x0 + a0` x1 result0
               Post7)
           | (right Test1) =>
               let (result0, Post6) = (exist_1 [result0: unit]
                 `x0 = x0 + a0` tt
                 (f3_po_4 a Pre8 Variant1 a0 x0 Pre7 Pre6 Test1)) in
               (exist_2 [x1: Z][result1: unit]`x1 = x0 + a0` x0 result0
               Post6) end a a x (refl_equal ? a) Pre8).

Definition f4 (* validation *)
  : (a: Z)(x: Z)(_: `a >= 0`)
    (sig_3 Z Z unit [a0: Z][x0: Z][result: unit](`x0 = x + a`))
  := [a: Z; x: Z; Pre8: `a >= 0`]
       (well_founded_induction Z (Zwf ZERO) (Zwf_well_founded `0`)
         [Variant1: Z](a0: Z)(x0: Z)(_: Variant1 = a0)(_0: `a0 >= 0`)
         (sig_3 Z Z unit [a1: Z][x1: Z][result: unit](`x1 = x0 + a0`))
         [Variant1: Z; wf1: (Variant2: Z)(Pre1: (Zwf `0` Variant2 Variant1))
          (a0: Z)(x0: Z)(_: Variant2 = a0)(_0: `a0 >= 0`)
          (sig_3 Z Z unit [a1: Z][x1: Z][result: unit](`x1 = x0 + a0`));
          a0: Z; x0: Z; Pre7: Variant1 = a0; Pre6: `a0 >= 0`]
           let (result, Bool3) =
             let (result1, Post8) = (Z_gt_le_bool a0 `0`) in
             (exist_1 [result2: bool]
             (if result2 then `a0 > 0` else `a0 <= 0`) result1 Post8) in
           Cases
             (btest
              [result:bool](if result then `a0 > 0` else `a0 <= 0`) result
              Bool3) of
           | (left Test2) =>
               let (a1, x1, result0, Post10) =
                 let (x1, result0, Post5) =
                   let (result0, Post5) = (exist_1 [result0: Z]
                     result0 = `x0 + 1` `x0 + 1` (refl_equal ? `x0 + 1`)) in
                   (exist_2 [x2: Z][result1: unit]x2 = `x0 + 1` result0 
                   tt Post5) in
                 let (a1, result1, Post6) =
                   let (result1, Post6) = (exist_1 [result1: Z]
                     result1 = `a0 - 1` `a0 - 1` (refl_equal ? `a0 - 1`)) in
                   (exist_2 [a2: Z][result2: unit]a2 = `a0 - 1` result1 
                   tt Post6) in
                 let Pre5 =
                   (f4_po_1 a Pre8 Variant1 a0 x0 Pre7 Pre6 Test2 x1 Post5 a1
                   Post6) in
                 let (a2, x2, result2, Post11) =
                   let Pre3 = Pre5 in
                   let Pre4 = Pre3 in
                   let (a2, x2, result3, Post12) =
                     ((wf1 a1)
                       (f4_po_2 a Pre8 Variant1 a0 x0 Pre7 Pre6 Test2 x1
                       Post5 a1 Post6 Pre5 Pre3 Pre4) a1 x1 (refl_equal ? a1)
                       Pre4) in
                   (exist_3 [a3: Z][x3: Z][result4: unit]`x3 = x1 + a1` 
                   a2 x2 result3 Post12) in
                 (exist_3 [a3: Z][x3: Z][result3: unit]`x3 = x0 + a0` 
                 a2 x2 result2
                 (f4_po_3 a Pre8 Variant1 a0 x0 Pre7 Pre6 Test2 x1 Post5 a1
                 Post6 Pre5 x2 Post11)) in
               (exist_3 [a2: Z][x2: Z][result1: unit]`x2 = x0 + a0` a1 
               x1 result0 Post10)
           | (right Test1) =>
               let (result0, Post9) = (exist_1 [result0: unit]
                 `x0 = x0 + a0` tt
                 (f4_po_4 a Pre8 Variant1 a0 x0 Pre7 Pre6 Test1)) in
               (exist_3 [a1: Z][x1: Z][result1: unit]`x1 = x0 + a0` a0 
               x0 result0 Post9) end a a x (refl_equal ? a) Pre8).

why-2.34/bench/good-v7/set_valid.v0000644000175000017500000003646712311670312015337 0ustar  rtusers(* This file is generated by Why; do not edit *)

Require Why.
Require Export set_why.

Definition p (* validation *)
  : (x: Z)(sig_2 Z Z [x0: Z][result: Z](`result = 1`))
  := [x: Z]
       let (x0, result, Bool1) =
         let (x0, result1, Post2) = (set_and_test_zero `0` x) in
         (exist_2 [x1: Z][result2: bool]`x1 = 0` /\
         ((if result2 then `x1 = 0` else `x1 <> 0`)) x0 result1 Post2) in
       Cases
         (btest
          [result:bool]`x0 = 0` /\ ((if result then `x0 = 0` else `x0 <> 0`)) result
          Bool1) of
       | (left Test2) =>
           let (result0, Post4) = (exist_1 [result0: Z]`result0 = 1` 
             `1` (refl_equal ? `1`)) in
           (exist_2 [x1: Z][result1: Z]`result1 = 1` x0 result0 Post4)
       | (right Test1) =>
           let (result0, Post3) = (exist_1 [result0: Z]`result0 = 1` 
             `2` (p_po_1 x0 Test1)) in
           (exist_2 [x1: Z][result1: Z]`result1 = 1` x0 result0 Post3) end.

Definition p2 (* validation *)
  : (x: Z)(y: Z)(_: `y >= 0`)
    (sig_3 Z Z unit [x0: Z][y0: Z][result: unit](`y0 = 0`))
  := [x: Z; y: Z; Pre6: `y >= 0`]
       (well_founded_induction Z (Zwf ZERO) (Zwf_well_founded `0`)
         [Variant1: Z](x0: Z)(y0: Z)(_: Variant1 = y0)(_0: `y0 >= 0`)
         (sig_3 Z Z unit [x1: Z][y1: Z][result: unit](`y1 = 0`))
         [Variant1: Z; wf1: (Variant2: Z)(Pre1: (Zwf `0` Variant2 Variant1))
          (x0: Z)(y0: Z)(_: Variant2 = y0)(_0: `y0 >= 0`)
          (sig_3 Z Z unit [x1: Z][y1: Z][result: unit](`y1 = 0`)); x0: Z;
          y0: Z; Pre5: Variant1 = y0; Pre4: `y0 >= 0`]
           let (x1, result, Bool1) =
             let (x1, result1, Post3) = (set_and_test_nzero y0 x0) in
             (exist_2 [x2: Z][result2: bool]`x2 = y0` /\
             ((if result2 then `x2 <> 0` else `x2 = 0`)) x1 result1 Post3) in
           Cases
             (btest
              [result:bool]`x1 = y0` /\
              ((if result then `x1 <> 0` else `x1 = 0`)) result Bool1) of
           | (left Test2) =>
               let Pre3 = Pre4 in
               let (x2, y1, result0, Post5) =
                 let (y1, result0, Post2) =
                   let (y1, result0, Post1) =
                     let (result0, Post1) = (exist_1 [result0: Z]
                       result0 = `y0 - 1` `y0 - 1`
                       (refl_equal ? `y0 - 1`)) in
                     (exist_2 [y2: Z][result1: unit]y2 = `y0 - 1` result0 
                     tt Post1) in
                   (exist_2 [y2: Z][result1: unit]`y2 >= 0` /\
                   (Zwf `0` y2 y0) y1 result0
                   (p2_po_1 y Pre6 Variant1 y0 Pre5 Pre4 x1 Test2 Pre3 y1
                   Post1)) in
                 ((wf1 y1) (loop_variant_1 Pre5 Post2) x1 y1
                   (refl_equal ? y1) (proj1 ? ? Post2)) in
               (exist_3 [x3: Z][y2: Z][result1: unit]`y2 = 0` x2 y1 result0
               Post5)
           | (right Test1) =>
               let Pre2 = Pre4 in
               let (x2, y1, result0, Post4) = (exist_3 [x2: Z][y1: Z]
                 [result0: unit]`y1 = 0` x1 y0 tt
                 (p2_po_2 y Pre6 Variant1 y0 Pre5 Pre4 x1 Test1 Pre2)) in
               (exist_3 [x3: Z][y2: Z][result1: unit]`y2 = 0` x2 y1 result0
               Post4) end y x y (refl_equal ? y) Pre6).

Definition p3 (* validation *)
  : (x: Z)(y: Z)(_: `y >= 0`)
    (sig_3 Z Z unit [x0: Z][y0: Z][result: unit](`y0 = 0`))
  := [x: Z; y: Z; Pre4: `y >= 0`]
       let (x0, y0, result, Post4) =
         (well_founded_induction Z (Zwf ZERO) (Zwf_well_founded `0`)
           [Variant1: Z](x0: Z)(y0: Z)(_: Variant1 = y0)(_0: `y0 >= 0`)
           (sig_3 Z Z (EM unit unit) [x1: Z][y1: Z][result: (EM unit unit)]
            (((qcomb [result0: unit]`y1 = 0` [result0: unit]`y1 = 0`) result)))
           [Variant1: Z; wf1: (Variant2: Z)
            (Pre1: (Zwf `0` Variant2 Variant1))(x0: Z)(y0: Z)
            (_: Variant2 = y0)(_0: `y0 >= 0`)
            (sig_3 Z Z (EM unit unit) [x1: Z][y1: Z][result: (EM unit unit)]
             (((qcomb [result0: unit]`y1 = 0` [result0: unit]`y1 = 0`) result)));
            x0: Z; y0: Z; Pre3: Variant1 = y0; Pre2: `y0 >= 0`]
             let (result, Post5) = (exist_1 [result: bool]result = true 
               true (refl_equal ? true)) in
             Cases (btest [result:bool]result = true result Post5) of
             | (left Test2) =>
                 let (x1, y1, result0, Post8) =
                   let (x1, y1, result0, Post9) =
                     let (x1, result0, WP7) =
                       let (x1, b, Post10) =
                         let (x1, result2, Post11) =
                           (set_and_test_nzero y0 x0) in
                         (exist_2 [x2: Z][result3: bool]`x2 = y0` /\
                         ((if result3 then `x2 <> 0` else `x2 = 0`)) 
                         x1 result2 Post11) in
                       let (result0, WP7) = (exist_1 [result0: bool]
                         (if result0
                          then ((y:Z)
                                (y = `y0 - 1` -> `y >= 0` /\ (Zwf `0` y y0)))
                          else `y0 = 0`) b
                         (p3_po_1 y Pre4 Variant1 y0 Pre3 Pre2 Test2 x1 b
                         Post10)) in
                       (exist_2 [x2: Z][result1: bool]
                       (if result1
                        then ((y:Z)
                              (y = `y0 - 1` -> `y >= 0` /\ (Zwf `0` y y0)))
                        else `y0 = 0`) x1
                       result0 WP7) in
                     Cases
                       (btest
                        [result0:bool]
                        (if result0
                         then ((y:Z)
                               (y = `y0 - 1` -> `y >= 0` /\ (Zwf `0` y y0)))
                         else `y0 = 0`) result0
                        WP7) of
                     | (left WP8) =>
                         let (y1, result1, Post2) =
                           let (y1, result1, Post1) =
                             let (result1, Post1) = (exist_1 [result1: Z]
                               result1 = `y0 - 1` `y0 - 1`
                               (refl_equal ? `y0 - 1`)) in
                             (exist_2 [y2: Z][result2: unit]
                             y2 = `y0 - 1` result1 tt Post1) in
                           (exist_2 [y2: Z][result2: unit]`y2 >= 0` /\
                           (Zwf `0` y2 y0) y1 result1
                           let HW_1 = (WP8 y1 Post1) in
                           HW_1) in
                         (exist_3 [x2: Z][y2: Z]
                         (qcomb [result2: unit]`y2 = 0` [result2: unit]
                          `y2 >= 0` /\ (Zwf `0` y2 y0)) x1
                         y1 (Val unit result1) Post2)
                     | (right WP8) =>
                         let (result1, Post12) =
                           (exist_1 (qcomb [result1: unit]`y0 = 0`
                                     [result1: unit]`y0 >= 0` /\
                                     (Zwf `0` y0 y0)) (Exn unit tt) WP8) in
                         Cases (decomp1 Post12) of
                         | (Qval (exist result2 Post2)) => (exist_3 [x2: Z]
                           [y1: Z]
                           (qcomb [result3: unit]`y1 = 0` [result3: unit]
                            `y1 >= 0` /\ (Zwf `0` y1 y0)) x1 y0
                           (Val unit result2) Post2)
                         | (Qexn _ WP1) => (exist_3 [x2: Z][y1: Z]
                           (qcomb [result2: unit]`y1 = 0` [result2: unit]
                            `y1 >= 0` /\ (Zwf `0` y1 y0)) x1 y0 (Exn unit tt)
                           WP1)
                         end end in
                   Cases (decomp1 Post9) of
                   | (Qval (exist result1 Post2)) =>
                     ((wf1 y1) (loop_variant_1 Pre3 Post2) x1 y1
                       (refl_equal ? y1) (proj1 ? ? Post2))
                   | (Qexn _ WP1) => (exist_3 [x2: Z][y2: Z]
                     (qcomb [result1: unit]`y2 = 0` [result1: unit]`y2 = 0`) 
                     x1 y1 (Exn unit tt) WP1)
                   end in
                 Cases (decomp1 Post8) of
                 | (Qval (exist result1 Post13)) => (exist_3 [x2: Z][y2: Z]
                   (qcomb [result2: unit]`y2 = 0` [result2: unit]`y2 = 0`) 
                   x1 y1 (Val unit result1) Post13)
                 | (Qexn _ WP1) => (exist_3 [x2: Z][y2: Z]
                   (qcomb [result1: unit]`y2 = 0` [result1: unit]`y2 = 0`) 
                   x1 y1 (Exn unit tt) WP1)
                 end
             | (right Test1) =>
                 let (x1, y1, result0, Post6) = (exist_3 [x1: Z][y1: Z]
                   (qcomb [result0: unit]`y1 = 0` [result0: unit]`y1 = 0`) 
                   x0 y0 (Val unit tt)
                   (why_boolean_discriminate Test1 `y0 = 0`)) in
                 Cases (decomp1 Post6) of
                 | (Qval (exist result1 Post7)) => (exist_3 [x2: Z][y2: Z]
                   (qcomb [result2: unit]`y2 = 0` [result2: unit]`y2 = 0`) 
                   x1 y1 (Val unit result1) Post7)
                 | (Qexn _ WP1) => (exist_3 [x2: Z][y2: Z]
                   (qcomb [result1: unit]`y2 = 0` [result1: unit]`y2 = 0`) 
                   x1 y1 (Exn unit tt) WP1)
                 end end y x y (refl_equal ? y) Pre4) in
       Cases (decomp1 Post4) of
       | (Qval (exist result0 Post14)) => (exist_3 [x1: Z][y1: Z]
         [result1: unit]`y1 = 0` x0 y0 result0 Post14)
       | (Qexn _ WP1) =>
         let (result0, Post15) = (exist_1 [result0: unit]`y0 = 0` tt WP1) in
         (exist_3 [x1: Z][y1: Z][result1: unit]`y1 = 0` x0 y0 result0 Post15)
       end.

Definition p4 (* validation *)
  : (x: Z)(y: Z)(_: `y >= 1`)
    (sig_3 Z Z unit [x0: Z][y0: Z][result: unit](`y0 = 0`))
  := [x: Z; y: Z; Pre4: `y >= 1`]
       let (x0, y0, result, Post4) =
         (well_founded_induction Z (Zwf ZERO) (Zwf_well_founded `0`)
           [Variant1: Z](x0: Z)(y0: Z)(_: Variant1 = y0)(_0: `y0 >= 1`)
           (sig_3 Z Z (EM unit unit) [x1: Z][y1: Z][result: (EM unit unit)]
            (((qcomb [result0: unit]`y1 = 0` [result0: unit]`y1 = 0`) result)))
           [Variant1: Z; wf1: (Variant2: Z)
            (Pre1: (Zwf `0` Variant2 Variant1))(x0: Z)(y0: Z)
            (_: Variant2 = y0)(_0: `y0 >= 1`)
            (sig_3 Z Z (EM unit unit) [x1: Z][y1: Z][result: (EM unit unit)]
             (((qcomb [result0: unit]`y1 = 0` [result0: unit]`y1 = 0`) result)));
            x0: Z; y0: Z; Pre3: Variant1 = y0; Pre2: `y0 >= 1`]
             let (result, Post5) = (exist_1 [result: bool]result = true 
               true (refl_equal ? true)) in
             Cases (btest [result:bool]result = true result Post5) of
             | (left Test2) =>
                 let (x1, y1, result0, Post8) =
                   let (x1, y1, result0, Post9) =
                     let (x1, y1, result0, WP6) =
                       let (y1, result0, Post1) =
                         let (result0, Post1) = (exist_1 [result0: Z]
                           result0 = `y0 - 1` `y0 - 1`
                           (refl_equal ? `y0 - 1`)) in
                         (exist_2 [y2: Z][result1: unit]y2 = `y0 - 1` 
                         result0 tt Post1) in
                       let (x1, result1, Post10) =
                         let (x1, result3, Post11) =
                           (set_and_test_nzero y1 x0) in
                         (exist_2 [x2: Z][result4: bool]`x2 = y1` /\
                         ((if result4 then `x2 <> 0` else `x2 = 0`)) 
                         x1 result3 Post11) in
                       (exist_3 [x2: Z][y2: Z][result2: bool]
                       (if result2 then `y2 >= 1` /\ (Zwf `0` y2 y0)
                        else `y2 = 0`) x1
                       y1 result1
                       (p4_po_1 y Pre4 Variant1 y0 Pre3 Pre2 Test2 y1 Post1
                       x1 result1 Post10)) in
                     Cases
                       (btest
                        [result0:bool]
                        (if result0 then `y1 >= 1` /\ (Zwf `0` y1 y0)
                         else `y1 = 0`) result0
                        WP6) of
                     | (left WP7) =>
                         let (result1, Post2) =
                           let (result1, Post2) = (exist_1 [result1: unit]
                             `y1 >= 1` /\ (Zwf `0` y1 y0) tt WP7) in
                           (exist_1 [result2: unit]`y1 >= 1` /\
                           (Zwf `0` y1 y0) result1 Post2) in
                         (exist_3 [x2: Z][y2: Z]
                         (qcomb [result2: unit]`y2 = 0` [result2: unit]
                          `y2 >= 1` /\ (Zwf `0` y2 y0)) x1
                         y1 (Val unit result1) Post2)
                     | (right WP7) =>
                         let (result1, Post12) =
                           (exist_1 (qcomb [result1: unit]`y1 = 0`
                                     [result1: unit]`y1 >= 1` /\
                                     (Zwf `0` y1 y0)) (Exn unit tt) WP7) in
                         Cases (decomp1 Post12) of
                         | (Qval (exist result2 Post2)) => (exist_3 [x2: Z]
                           [y2: Z]
                           (qcomb [result3: unit]`y2 = 0` [result3: unit]
                            `y2 >= 1` /\ (Zwf `0` y2 y0)) x1 y1
                           (Val unit result2) Post2)
                         | (Qexn _ WP1) => (exist_3 [x2: Z][y2: Z]
                           (qcomb [result2: unit]`y2 = 0` [result2: unit]
                            `y2 >= 1` /\ (Zwf `0` y2 y0)) x1 y1 (Exn unit tt)
                           WP1)
                         end end in
                   Cases (decomp1 Post9) of
                   | (Qval (exist result1 Post2)) =>
                     ((wf1 y1) (loop_variant_1 Pre3 Post2) x1 y1
                       (refl_equal ? y1) (proj1 ? ? Post2))
                   | (Qexn _ WP1) => (exist_3 [x2: Z][y2: Z]
                     (qcomb [result1: unit]`y2 = 0` [result1: unit]`y2 = 0`) 
                     x1 y1 (Exn unit tt) WP1)
                   end in
                 Cases (decomp1 Post8) of
                 | (Qval (exist result1 Post13)) => (exist_3 [x2: Z][y2: Z]
                   (qcomb [result2: unit]`y2 = 0` [result2: unit]`y2 = 0`) 
                   x1 y1 (Val unit result1) Post13)
                 | (Qexn _ WP1) => (exist_3 [x2: Z][y2: Z]
                   (qcomb [result1: unit]`y2 = 0` [result1: unit]`y2 = 0`) 
                   x1 y1 (Exn unit tt) WP1)
                 end
             | (right Test1) =>
                 let (x1, y1, result0, Post6) = (exist_3 [x1: Z][y1: Z]
                   (qcomb [result0: unit]`y1 = 0` [result0: unit]`y1 = 0`) 
                   x0 y0 (Val unit tt)
                   (why_boolean_discriminate Test1 `y0 = 0`)) in
                 Cases (decomp1 Post6) of
                 | (Qval (exist result1 Post7)) => (exist_3 [x2: Z][y2: Z]
                   (qcomb [result2: unit]`y2 = 0` [result2: unit]`y2 = 0`) 
                   x1 y1 (Val unit result1) Post7)
                 | (Qexn _ WP1) => (exist_3 [x2: Z][y2: Z]
                   (qcomb [result1: unit]`y2 = 0` [result1: unit]`y2 = 0`) 
                   x1 y1 (Exn unit tt) WP1)
                 end end y x y (refl_equal ? y) Pre4) in
       Cases (decomp1 Post4) of
       | (Qval (exist result0 Post14)) => (exist_3 [x1: Z][y1: Z]
         [result1: unit]`y1 = 0` x0 y0 result0 Post14)
       | (Qexn _ WP1) =>
         let (result0, Post15) = (exist_1 [result0: unit]`y0 = 0` tt WP1) in
         (exist_3 [x1: Z][y1: Z][result1: unit]`y1 = 0` x0 y0 result0 Post15)
       end.

why-2.34/bench/good-v7/wpcalls_valid.v0000644000175000017500000000223412311670312016172 0ustar  rtusers(* This file is generated by Why; do not edit *)

Require Why.
Require Export wpcalls_why.

Definition p (* validation *)
  : (u: unit)(x: Z)(sig_2 Z unit [x0: Z][result: unit](True))
  := [u: unit; x: Z]
       let (result, WP3) =
         let (t, Post1) = (exist_1 [result: unit]result = tt tt
           (refl_equal ? tt)) in
         let (result, WP3) = (exist_1 [result: unit]
           ((x0:Z) (`x0 = 1 - x` -> ((x1:Z) (`x1 = 1 - x0` -> `x1 = x`)))) 
           tt (p_po_1 x t Post1)) in
         (exist_1 [result0: unit]
         ((x0:Z) (`x0 = 1 - x` -> ((x1:Z) (`x1 = 1 - x0` -> `x1 = x`)))) 
         result WP3) in
       let (x0, result0, Post2) =
         let (x0, result2, Post3) = (f tt x) in
         (exist_2 [x1: Z][result3: unit]`x1 = 1 - x` x0 result2 Post3) in
       let (x1, result1, Post4) =
         let (x1, result3, Post5) = (f tt x0) in
         (exist_2 [x2: Z][result4: unit]`x2 = 1 - x0` x1 result3 Post5) in
       let Pre1 =
         let HW_3 = (WP3 x0 Post2) in
         let HW_4 = (HW_3 x1 Post4) in
         HW_4 in
       let (result2, Post6) = (exist_1 [result2: unit]True tt I) in
       (exist_2 [x2: Z][result3: unit]True x1 result2 I).

why-2.34/bench/good-v7/recfun_why.v0000644000175000017500000001074712311670312015527 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Why.

(* Why obligation from file "good/recfun.mlw", characters 124-134 *)
Lemma f1_po_1 : 
  (x: Z)
  (Pre8: `x >= 0`)
  (Variant1: Z)
  (x0: Z)
  (Pre7: Variant1 = x0)
  (Pre6: `x0 >= 0`)
  (Test2: `x0 > 0`)
  `x0 - 1 >= 0`.
Proof.
Intros; Omega.
Save.

(* Why obligation from file "good/recfun.mlw", characters 98-157 *)
Lemma f1_po_2 : 
  (x: Z)
  (Pre8: `x >= 0`)
  (Variant1: Z)
  (x0: Z)
  (Pre7: Variant1 = x0)
  (Pre6: `x0 >= 0`)
  (Test2: `x0 > 0`)
  (Pre5: `x0 - 1 >= 0`)
  (Pre3: `x0 - 1 >= 0`)
  (Pre4: `x0 - 1 >= 0`)
  (Zwf `0` `x0 - 1` Variant1).
Proof.
Intros; Unfold Zwf; Omega.
Save.

(* Why obligation from file "good/recfun.mlw", characters 140-141 *)
Lemma f1_po_3 : 
  (x: Z)
  (Pre8: `x >= 0`)
  (Variant1: Z)
  (x0: Z)
  (Pre7: Variant1 = x0)
  (Pre6: `x0 >= 0`)
  (Test1: `x0 <= 0`)
  `x0 = 0`.
Proof.
Intros; Omega.
Save.






(* Why obligation from file "good/recfun.mlw", characters 313-322 *)
Lemma f2_po_1 : 
  (x: Z)
  (Pre8: `x >= 0`)
  (Variant1: Z)
  (x0: Z)
  (Pre7: Variant1 = x0)
  (Pre6: `x0 >= 0`)
  (Test2: `x0 > 0`)
  (x1: Z)
  (Post3: x1 = `x0 - 1`)
  `x1 >= 0`.
Proof.
Intros; Omega.
Save.

(* Why obligation from file "good/recfun.mlw", characters 267-337 *)
Lemma f2_po_2 : 
  (x: Z)
  (Pre8: `x >= 0`)
  (Variant1: Z)
  (x0: Z)
  (Pre7: Variant1 = x0)
  (Pre6: `x0 >= 0`)
  (Test2: `x0 > 0`)
  (x1: Z)
  (Post3: x1 = `x0 - 1`)
  (Pre5: `x1 >= 0`)
  (Pre3: `x1 >= 0`)
  (Pre4: `x1 >= 0`)
  (Zwf `0` x1 Variant1).
Proof.
Intros; Unfold Zwf; Omega.
Save.

(* Why obligation from file "good/recfun.mlw", characters 326-326 *)
Lemma f2_po_3 : 
  (x: Z)
  (Pre8: `x >= 0`)
  (Variant1: Z)
  (x0: Z)
  (Pre7: Variant1 = x0)
  (Pre6: `x0 >= 0`)
  (Test1: `x0 <= 0`)
  `x0 = 0`.
Proof.
Intros; Omega.
Save.





(* Why obligation from file "good/recfun.mlw", characters 472-482 *)
Lemma f3_po_1 : 
  (a: Z)
  (Pre8: `a >= 0`)
  (Variant1: Z)
  (a0: Z)
  (x0: Z)
  (Pre7: Variant1 = a0)
  (Pre6: `a0 >= 0`)
  (Test2: `a0 > 0`)
  (x1: Z)
  (Post3: x1 = `x0 + 1`)
  `a0 - 1 >= 0`.
Proof.
Intros; Omega.
Save.

(* Why obligation from file "good/recfun.mlw", characters 427-502 *)
Lemma f3_po_2 : 
  (a: Z)
  (Pre8: `a >= 0`)
  (Variant1: Z)
  (a0: Z)
  (x0: Z)
  (Pre7: Variant1 = a0)
  (Pre6: `a0 >= 0`)
  (Test2: `a0 > 0`)
  (x1: Z)
  (Post3: x1 = `x0 + 1`)
  (Pre5: `a0 - 1 >= 0`)
  (Pre3: `a0 - 1 >= 0`)
  (Pre4: `a0 - 1 >= 0`)
  (Zwf `0` `a0 - 1` Variant1).
Proof.
Intros; Unfold Zwf; Omega.
Save.

(* Why obligation from file "good/recfun.mlw", characters 453-486 *)
Lemma f3_po_3 : 
  (a: Z)
  (Pre8: `a >= 0`)
  (Variant1: Z)
  (a0: Z)
  (x0: Z)
  (Pre7: Variant1 = a0)
  (Pre6: `a0 >= 0`)
  (Test2: `a0 > 0`)
  (x1: Z)
  (Post3: x1 = `x0 + 1`)
  (Pre5: `a0 - 1 >= 0`)
  (x2: Z)
  (Post8: `x2 = x1 + (a0 - 1)`)
  `x2 = x0 + a0`.
Proof.
Intros; Omega.
Save.

(* Why obligation from file "good/recfun.mlw", characters 486-486 *)
Lemma f3_po_4 : 
  (a: Z)
  (Pre8: `a >= 0`)
  (Variant1: Z)
  (a0: Z)
  (x0: Z)
  (Pre7: Variant1 = a0)
  (Pre6: `a0 >= 0`)
  (Test1: `a0 <= 0`)
  `x0 = x0 + a0`.
Proof.
Intros; Omega.
Save.





(* Why obligation from file "good/recfun.mlw", characters 666-672 *)
Lemma f4_po_1 : 
  (a: Z)
  (Pre8: `a >= 0`)
  (Variant1: Z)
  (a0: Z)
  (x0: Z)
  (Pre7: Variant1 = a0)
  (Pre6: `a0 >= 0`)
  (Test2: `a0 > 0`)
  (x1: Z)
  (Post5: x1 = `x0 + 1`)
  (a1: Z)
  (Post6: a1 = `a0 - 1`)
  `a1 >= 0`.
Proof.
Intros; Omega.
Save.

(* Why obligation from file "good/recfun.mlw", characters 604-695 *)
Lemma f4_po_2 : 
  (a: Z)
  (Pre8: `a >= 0`)
  (Variant1: Z)
  (a0: Z)
  (x0: Z)
  (Pre7: Variant1 = a0)
  (Pre6: `a0 >= 0`)
  (Test2: `a0 > 0`)
  (x1: Z)
  (Post5: x1 = `x0 + 1`)
  (a1: Z)
  (Post6: a1 = `a0 - 1`)
  (Pre5: `a1 >= 0`)
  (Pre3: `a1 >= 0`)
  (Pre4: `a1 >= 0`)
  (Zwf `0` a1 Variant1).
Proof.
Intros; Unfold Zwf; Omega.
Save.

(* Why obligation from file "good/recfun.mlw", characters 634-676 *)
Lemma f4_po_3 : 
  (a: Z)
  (Pre8: `a >= 0`)
  (Variant1: Z)
  (a0: Z)
  (x0: Z)
  (Pre7: Variant1 = a0)
  (Pre6: `a0 >= 0`)
  (Test2: `a0 > 0`)
  (x1: Z)
  (Post5: x1 = `x0 + 1`)
  (a1: Z)
  (Post6: a1 = `a0 - 1`)
  (Pre5: `a1 >= 0`)
  (x2: Z)
  (Post11: `x2 = x1 + a1`)
  `x2 = x0 + a0`.
Proof.
Intros; Omega.
Save.

(* Why obligation from file "good/recfun.mlw", characters 676-676 *)
Lemma f4_po_4 : 
  (a: Z)
  (Pre8: `a >= 0`)
  (Variant1: Z)
  (a0: Z)
  (x0: Z)
  (Pre7: Variant1 = a0)
  (Pre6: `a0 >= 0`)
  (Test1: `a0 <= 0`)
  `x0 = x0 + a0`.
Proof.
Intros; Omega.
Save.





why-2.34/bench/good-v7/see_why.v0000644000175000017500000000143512311670312015013 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)

Require Why.

(* Why obligation from file "good/see.mlw", characters 138-140 *)
Lemma f_po_1 : 
  (b: Z)
  (b0: Z)
  (Post1: b0 = `1 - b`)
  `b0 = b0` /\ `b0 = 1 - b`.
Proof.
Intuition.
Save.


(* Why obligation from file "good/see.mlw", characters 230-242 *)
Lemma k_po_1 : 
  (b0: Z)
  (Post1: b0 = `1`)
  (b3: Z)
  (aux_4: Z)
  (Post2: `aux_4 = b3` /\ `b3 = 1 - b0`)
  (b4: Z)
  (aux_2: Z)
  (Post4: `aux_2 = b4` /\ `b4 = 1 - b3`)
  ((result:Z)
   ((b:Z)
    (`result = b` /\ `b = 1 - b4` ->
     ((result0:Z)
      ((b0:Z)
       (`result0 = b0` /\ `b0 = 1 - b` -> `1 - aux_2 + aux_4 = 0` /\
        `result0 * (1 - result) = 1`)))))).
Proof.
Intuition.
Subst; Ring.
Save.

why-2.34/bench/good-v7/init_why.v0000644000175000017500000000056312311670312015203 0ustar  rtusers
Require Why.


(* Why obligation from file "init.mlw", characters 41-84 *)
Lemma f_po_1 : 
  (x: Z)
  (x0: Z)
  (Post1: x0 = `1 - x`)
  `x0 = 1 - x`.
Proof.
Intuition.
Save.


(* Why obligation from file "init.mlw", characters 103-149 *)
Lemma g_po_1 : 
  (x: Z)
  (x0: Z)
  (Post1: `x0 = 1 - x`)
  (x1: Z)
  (Post3: `x1 = 1 - x0`)
  `x1 = x`.
Proof.
Intuition.
Save.


why-2.34/bench/good-v7/po.mlw0000644000175000017500000000343112311670312014316 0ustar  rtusers
(* Tests for proof obligations. *)

parameter x : int ref

logic q : int -> prop

(* basic stuff: assignment, sequence and local variables *)

let p1 = { q(x+1) } begin x := !x + 1 end { q(x) }

let p2 = { q(7) } begin x := 3 + 4 end { q(x) }

let p3 = {} begin x := !x + 1; x := !x + 2 end { x = x@ + 3 }

let p4 = {} begin x := 7; x := 2 * !x end { x = 14 }

let p5 = {} (3 + 4) { result = 7 }

let p6 = {} (let a = 3 in a + 4) { result = 7 }

let p7 = {} (3 + (let a = 4 in a + a)) { result = 11 }

(* side effects in function arguments *)

let p8 = 
  { q(x+1) } (3 + begin x := !x + 1; !x end) { q(x) and result = x@ + 4 }

(* evaluation order (argument first) *)

let p9 = 
  {} (begin x := 1; 1 end + begin x := 2; 1 end) { result = 2 and x = 1 }

let p9a = {} (begin x := 1; 1 end + 1) { result = 2 and x = 1 }

(* function with a post-condition *)

parameter fsucc : x:int -> { } int { result = x + 1 }

let p10 = {} (fsucc 0) { result = 1 }

let p11 = {} ((fsucc 0) + (fsucc 3)) { result = 5 }

let p11a = {} (let a = (fsucc 1) in a + a) { result = 4 }

(* function with a post-condition and side-effects *)

parameter incrx : unit -> { } unit writes x { x = x@ + 1 }

let p12 = { x = 0 } (incrx void) { x = 1 }

let p13 = {} begin (incrx void); (incrx void) end { x = x@ + 2 }

let p13a = {} (incrx (incrx void)) { x = x@ + 2 }

(* function with side-effects, result and post-condition *)

parameter incrx2 : unit -> { } int writes x { x = x@ + 1 and result = x }

let p14 = { x = 0 } (incrx2 void) { result = 1 }

(* arrays *)

parameter t : int array

let p15 = { array_length(t) = 10 } t[0] {} 

let p16 = { array_length(t) = 10 } t[9] := 1 {} 

let p17 = { array_length(t) = 10 and 0 <= t[0] < 10 } t[t[0]] := 1 {} 

let p18 = 
  { array_length(t) = 10 } (t[begin x := 0; !x end] := !x) { t[0] = x@ }
why-2.34/bench/good-v7/init_valid.v0000644000175000017500000000250712311670312015473 0ustar  rtusers(* This file is generated by Why; do not edit *)

Require Why.
Require Export init_why.

Definition f (* validation *)
  : (u: unit)(x: Z)(sig_2 Z unit [x0: Z][result: unit](`x0 = 1 - x`))
  := [u: unit; x: Z]
       let (x0, result, Post1) =
         let (result, Post1) = (exist_1 [result: Z]result = `1 - x` `1 - x`
           (refl_equal ? `1 - x`)) in
         (exist_2 [x1: Z][result0: unit]x1 = `1 - x` result tt Post1) in
       (exist_2 [x1: Z][result0: unit]`x1 = 1 - x` x0 result
       (f_po_1 x x0 Post1)).

Definition g (* validation *)
  : (u: unit)(x: Z)(sig_2 Z unit [x0: Z][result: unit](`x0 = x`))
  := [u: unit; x: Z]
       let (x0, result, Post1) =
         let (x0, result1, Post2) = (f tt x) in
         (exist_2 [x1: Z][result2: unit]`x1 = 1 - x` x0 result1 Post2) in
       let (x1, result0, Post3) =
         let (x1, result2, Post4) = (f tt x0) in
         (exist_2 [x2: Z][result3: unit]`x2 = 1 - x0` x1 result2 Post4) in
       (exist_2 [x2: Z][result1: unit]`x2 = x` x1 result0
       (g_po_1 x x0 Post1 x1 Post3)).

Definition h1 (* validation *)
  : (x: Z)(_: `x = 0`)(sig_1 unit [result: unit](`x = 0` /\ `x = 0`))
  := [x: Z; Pre2: `x = 0`]
       let (result, Post2) = (exist_1 [result: unit]`x = 0` /\ `x = 0` 
         tt (conj ? ? Pre2 Pre2)) in
       (exist_1 [result0: unit]`x = 0` /\ `x = 0` result Post2).

why-2.34/bench/jc/0000755000175000017500000000000012311670312012270 5ustar  rtuserswhy-2.34/bench/jc/good/0000755000175000017500000000000012311670312013220 5ustar  rtuserswhy-2.34/bench/jc/good/point.jc0000644000175000017500000000330012311670312014663 0ustar  rtusers# InvariantPolicy = Arguments


/*

hand-made translation from Java program

class Point { 
  int x,y; 

  void move(int dx, int dy) {
    x += dx;
    y += dy;
  } 
}

class ColoredPoint extends Point { 
  int col; 

  void move(int dx, int dy) {
    col = col > 0 ? col-1 : 0;
    super.move(dx,dy);
  }

}

*/

type Point = { integer x; integer y; }

tag ColoredPoint = Point with { integer col; }


unit Point_move(Point[0] this, integer dx, integer dy) 
  behavior x_moved:
    ensures this.x == \old(this.x)+dx;
  behavior y_moved:
    ensures this.y == \old(this.y)+dy;
{
    this.x += dx;
    this.y += dy;
}

unit ColoredPoint_move(ColoredPoint[0] this, integer dx, integer dy) 
  behavior x_moved:
    ensures this.x == \old(this.x)+dx;
  behavior y_moved:
    ensures this.y == \old(this.y)+dy;
  behavior col_decreased_if_positive:
    assumes this.col > 0;
    ensures this.col == \old(this.col) - 1;
{
    this.col = (if this.col > 0 then this.col-1 else 0);
    Point_move(this,dx,dy);
}

unit move(Point[0] this, integer dx, integer dy) 
  behavior x_moved:
    ensures this.x == \old(this.x)+dx;
  behavior y_moved:
    ensures this.y == \old(this.y)+dy;
  behavior col_decreased:
    assumes 
      this <: ColoredPoint && (this :> ColoredPoint).col > 0;
    ensures 
      (this :> ColoredPoint).col == \old((this :> ColoredPoint).col) - 1;
{
    if this <: ColoredPoint then
	ColoredPoint_move(this :> ColoredPoint,dx,dy)
    else Point_move(this,dx,dy);
}
	
unit test1(ColoredPoint[0] p) 
  behavior ok:
    ensures p.x == 10 && p.y == 20 && p.col == 99;
{
    p.x = 0;
    p.y = 0;
    p.col = 100;
    move(p,10,20);
}
 

   



    
/*
Local Variables: 
mode: java
compile-command: "make point"
End: 
*/
why-2.34/bench/jc/good/booleq.jc0000644000175000017500000000016612311670312015022 0ustar  rtusersboolean f() {
        return true == false
}

/*
Local Variables: 
mode: java
compile-command: "make booleq"
End: 
*/
why-2.34/bench/jc/good/incr.jc0000644000175000017500000000064112311670312014472 0ustar  rtusers

type byte = -128..127

type short = -32768..32767

unit f(short m)
  requires true;
{
      ()
}

unit g1()
  requires true;
{  var byte b = 127;
   f(b++);
}

unit g2()
  requires true;
{  var byte b = 127;
   f(++b);
}

type T = { byte b; }

unit g3(T[0] x)
  requires true;
{  f(x.b++);
}

unit g4(T[0] x)
  requires true;
{  f(++x.b);
}



/*
Local Variables: 
mode: java
compile-command: "make incr"
End: 
*/

why-2.34/bench/jc/good/typeparams.jc0000644000175000017500000000034312311670312015723 0ustar  rtuserstype list = {
  A[0] item;
  list[0..] item;
}

tag meganode = list with {
  B[0] meti;
}

int head(list[0] l) {
  return l.item;
}

/*
Local Variables: 
mode: java
compile-command: "make typeparams"
End: 
*/why-2.34/bench/jc/good/goto.jc0000644000175000017500000000027112311670312014506 0ustar  rtusers
integer f() 
{
  var integer ret;
  if true then {
      goto lab;
      (lab: ());
  } else ();
  return ret;
}

/*
Local Variables: 
mode: java
compile-command: "make goto"
End: 
*/
why-2.34/bench/jc/good/old.jc0000644000175000017500000000023612311670312014315 0ustar  rtusers
integer j;

unit f() 
    behavior default:
    ensures j == \old(j) + 1;
{
    j++;
}

/*
Local Variables: 
mode: java
compile-command: "make old"
End: 
*/
why-2.34/bench/jc/good/flag-ownership.jc0000644000175000017500000000324512311670312016467 0ustar  rtusers# InvariantPolicy = Ownership

/* Dijkstra's dutch flag: with ownership policy */

type color = 1..3
   
logic color BLUE = (1 :> color)
logic color WHITE = (2 :> color)
logic color RED = (3 :> color) 

type colorT = {
    color colorM;
}

    logic isMonochrome{L}(colorT[..] t, integer i, integer j, color c) =
    //    \offset_min(t) <= i && i <= j && j <= \offset_max(t) &&
	\forall integer k; i <= k && k <= j ==> (t+k).colorM == c



unit swap(colorT[..] t, integer i, integer j) 
  requires
    \offset_min(t) <= i && i <= \offset_max(t) &&
    \offset_min(t) <= j && j <= \offset_max(t) &&
    \forall integer k; \mutable(t+k, colorT);    
  behavior swaps_i_and_j:
    assigns (t+i).colorM,(t+j).colorM;
    ensures (t+i).colorM == \old((t+j).colorM) && 
	(t+j).colorM == \old((t+i).colorM);
{
    var color z = (t+i).colorM;
    (t+i).colorM = (t+j).colorM;
    (t+j).colorM = z;
}

unit flag(colorT[..] t, integer length) 
    requires 0 <= length && length <= \offset_max(t)+1;
    behavior sorts_t:
      ensures 
        \exists integer b,r; 
           isMonochrome(t,0,b-1,BLUE) &&
	   isMonochrome(t,b,r-1,WHITE) &&
	   isMonochrome(t,r,length-1,RED);
{
    var integer b = 0;
    var integer i = 0;
    var integer r = length;
    invariant
	0 <= b && b <= i && i <= r && r <= length &&
	isMonochrome(t,0,b-1,BLUE) &&
	isMonochrome(t,b,i-1,WHITE) &&
	isMonochrome(t,r,length-1,RED);
    variant r - i; 
    while (i < r) 
	{
	    switch ((t+i).colorM) {
	    case BLUE:  
		swap(t, b++, i++);
		break;	    
	    case WHITE: 
		i++; 
		break;
	    case RED: 
		swap(t, --r, i);
		break;
	    }
	}
}



/*
Local Variables: 
mode: java
compile-command: "make flag-ownership"
End: 
*/

why-2.34/bench/jc/good/not_assigns.jc0000644000175000017500000000123412311670312016065 0ustar  rtusers

type T = {
  integer x;
  integer y;
}

unit f(integer n, T[0] t) 
  requires -100 <= n && n <= 100;
  behavior x_changed:
    assumes n > 0; 
    assigns t.x;
    ensures t.x == n;
  behavior y_changed:
    assumes n <= 0;
    assigns t.y;
    ensures t.y == n;
{
  if n > 0 then t.x = n else t.y = n;
}

unit test1(T[0] t)
  behavior y_unchanged:
    ensures t.y == \old(t.y);
  behavior x_set_to_3:
    ensures t.x == 3;
{
    f(3,t);
}

unit test2(T[0] t)
  behavior x_unchanged:
    ensures t.x == \old(t.x);
  behavior y_set_to_minus_3:
    ensures t.y == -3;
{
    f(-3,t);
}

/*
Local Variables: 
mode: java
compile-command: "make not_assigns"
End: 
*/


  
why-2.34/bench/jc/good/bounds.jc0000644000175000017500000000223412311670312015031 0ustar  rtusers
type T = {
    integer i;
}

type U = {
    T[0..4] b;
    T[0..] lb;
    T[..4] rb;
    T[..] ub;
}

unit init(U[0] u) {
    var integer k;

    /* read constant offset */
    if u.b.i == 0 then return ();
    if (u.b + 4).i == 0 then return ();
    if u.lb.i == 0 then return ();
    if (u.lb + 4).i == 0 then return ();
    if u.rb.i == 0 then return ();
    if (u.rb + 4).i == 0 then return ();
    if u.ub.i == 0 then return ();
    if (u.ub + 4).i == 0 then return ();

    /* read variable offset */
    (L1:
    invariant 0 <= k && k <= 5;
    for(k = 0; k < 5; ++k) {
	if (u.b + k).i == 0 then return ();
	if (u.lb + k).i == 0 then return ();
	if (u.rb + k).i == 0 then return ();
	if (u.ub + k).i == 0 then return ()
    });

    /* write constant offset */
    u.b.i = 0;
    (u.b + 4).i = 0;
    u.lb.i = 0;
    (u.lb + 4).i = 0;
    u.rb.i = 0;
    (u.rb + 4).i = 0;
    u.ub.i = 0;
    (u.ub + 4).i = 0;

    /* write variable offset */
    (L2:
    invariant 0 <= k && k <= 5; 
    for(k = 0; k < 5; ++k) {
	(u.b + k).i = 0;
	(u.lb + k).i = 0;
	(u.rb + k).i = 0;
	(u.ub + k).i = 0
    })

}

/*
Local Variables: 
mode: java
compile-command: "make bounds"
End: 
*/
why-2.34/bench/jc/good/separation.jc0000644000175000017500000000041012311670312015676 0ustar  rtusers
# SeparationPolicy = Regions

type intP = {
    integer intM;
}

unit f(intP[0] p, intP[0] q) 
  behavior ok:
    ensures p.intM == 0 && q.intM == 1;
{
    p.intM = 0;
    q.intM = 1;
}

/*
Local Variables: 
mode: java
compile-command: "make separation"
End: 
*/
why-2.34/bench/jc/good/inv_arguments.jc0000644000175000017500000000036212311670312016420 0ustar  rtusers# InvariantPolicy = Arguments

type A = {
  integer i;
  invariant invA(x) = x.i > 0;
}

unit test(A[0] a)
  behavior ok:
    ensures true;
{
  a.i = 100 * a.i;
}

/*
Local Variables: 
mode: java
compile-command: "make inv_arguments"
End: 
*/why-2.34/bench/jc/good/color.jc0000644000175000017500000000057612311670312014664 0ustar  rtusers
/*
example taken from "Coping with Type Casts in C"
*/

type Point = {
  integer x;
  integer y;
}

type color = 0..1

tag ColorPoint = Point with {
  color c;
}

unit translateX(Point[0] p, integer dx) {
  p.x += dx
}

unit main(Point[0] pt, ColorPoint[0] cpt) {
  translateX(pt, 1);
  translateX(cpt, 1)
}


/*
Local Variables: 
mode: java
compile-command: "make color"
End: 
*/
why-2.34/bench/jc/good/purse.jc0000644000175000017500000000420012311670312014670 0ustar  rtusers# InvariantPolicy = Arguments

/* Jessie sample file: electronic purse toy example */

type purse = {		
  integer balance;
  invariant balance_non_negative(this) = this.balance >= 0;
}	



unit credit(purse[0] this, integer s) 
  requires s >= 0;
  behavior amount_credited:
    assigns this.balance;
    ensures this.balance == \old(this.balance)+s;
{
    this.balance += s;
}

unit withdraw(purse[0] this, integer s) 
  requires s >= 0 && s <= this.balance;
  behavior amount_withdrawn:
    assigns this.balance;
    ensures this.balance == \old(this.balance) - s;
{
  this.balance -= s;
}

integer test1(purse[0] p1, purse[0] p2)
// requires p1 != p2; 
  behavior result_is_nul:
    assigns p1.balance,p2.balance;
    ensures \result == 0;
{	
    p1.balance = 0;
    credit(p2,100);
    return p1.balance;
}

/* introducing exceptions */
    
exception NoCreditException of unit

unit withdraw2(purse[0] this, integer s) 
  requires s >= 0;
  behavior amount_withdrawn:
     assigns this.balance;
     ensures s <= \old(this.balance) && 
	 this.balance == \old(this.balance) - s;
  behavior amount_too_large:
     throws NoCreditException; 
     assigns \nothing;
     ensures s > \old(this.balance);
{
    if this.balance >= s then {
	this.balance -= s;
    }
    else {
	throw NoCreditException ();
    }
}	
 
boolean test2(purse[0] p) 
  behavior ok_iff_enough_balance:
    assigns p.balance ;
    ensures \result <==> \old(p.balance) >= 1000;
{
    try {
	withdraw2(p,1000);
        return true;
    }
    catch NoCreditException e { 
	return false; 
    }
    end
}

/* introducing dynamic memory allocation */

/*

purse[0] new_purse() 
  allocates \result;
  behavior balance_is_zero:
    assigns \result.balance;
    ensures \result.balance == 0;
  {     
    purse this = new purse[0];
    this.balance = 0;	
    return this;
  }

integer test2() 
  behavior result_is_150:
    ensures \result == 150;
{    
    purse p1 = new_purse();
    purse p2 = new_purse();
    credit(p1,100);
    credit(p2,200);
    withdraw(p1,50);
    withdraw(p2,100);
    return p1.balance+p2.balance;
}
*/


    
/*
Local Variables: 
mode: java
compile-command: "make purse"
End: 
*/
why-2.34/bench/jc/good/range_types.jc0000644000175000017500000000327212311670312016062 0ustar  rtusers
type unsignedchar = 0..255

type shortint = -32768..32767

    /*
type int32 = -2147483648..2147483647
     */
shortint f(unsignedchar x, shortint y) 
  requires y <= 32000;
{
  return x+y;
}



shortint max(shortint x, shortint y) 
  behavior result_ge_x: 
    ensures \result >= x ;
  behavior result_ge_y: 
    ensures \result >= y; 
  behavior result_is_lub:
    ensures \forall integer z ; z >= x && z >= y ==> z >= \result;
{
  if x >= y then return (x+1)-1 else return y;
} 


/* complements for non-linear integer arithmetic */

axiom zero_right: \forall integer x; x*0 == 0
axiom zero_left: \forall integer x; 0*x == 0
axiom one_right: \forall integer x; x*1 == x
axiom one_left: \forall integer x; 1*x == x
axiom distr_right: \forall integer x,y,z; x*(y+z) == (x*y)+(x*z)
axiom distr_left: \forall integer x,y,z; (x+y)*z == (x*z)+(y*z)
    // axiom sqr_elim: \forall integer x; x*x <= 32767 ==> x < 256
axiom sqr_elim2: \forall integer x; x*x <= 32760 ==> x <= 180
axiom sqr_intro2: \forall integer x; 0 <= x && x <= 181 ==> x*x <= 32761


/* computes the square root of x, rounded to the floor */ 
shortint isqrt(shortint x) 
    requires x >= 0 && x <= 32760;
    behavior is_rounded_sqrt:	
      ensures 
	\result >= 0 && \result * \result <= x && 
	x < (\result + 1) * (\result + 1);
{
    var shortint count = 0;
    var shortint sum = 1;
    invariant 
        count >= 0 && x >= count*count && sum == (count+1)*(count+1) &&
        count <= 180 && sum <= 32761;
    variant x - sum;
    while (sum <= x) 
    { 
	count++; 
	assert (count+2 <= 181);
	sum += 2*count + 1;
    };
    assert 1==0;
    return count;
    
}   
    
/*
Local Variables: 
mode: java
compile-command: "make range_types"
End: 
*/
why-2.34/bench/jc/good/moncos.jc0000644000175000017500000000053512311670312015037 0ustar  rtusersfloat mycos(float x)
  requires \real_abs((x :> real)) <= 0.03;
behavior default:
  ensures (\real_abs(((\result :> real) - \cos((x :> real)))) <= 6.5e-8);
{
   var float retres;
   assert (\real_abs(1.0 - ((x :> real) * (x :> real)) * 0.5 - \cos((x :> real))) <= 3.5e-8);
   retres = (1.0 :> float) - (x * x) * (0.5 :> float);

   return retres
}

why-2.34/bench/jc/good/let.jc0000644000175000017500000000014412311670312014321 0ustar  rtusers

integer f(integer x)
  behavior default:
    ensures \result == x+1;
{
   return let y=x+1 in y;
}why-2.34/bench/jc/good/sterbenz.jc0000644000175000017500000000040012311670312015364 0ustar  rtusers


double diff(double x, double y)
behavior default:
	assumes (y:> real)/2.0 <= (x :> real) 
	         && (x:>real) <= 2.0*(y :> real); 
        ensures (\result :> real) == (x :> real) - (y :> real);
{
  return (((x :> real) - (y :> real)) :> double);
}

why-2.34/bench/jc/good/struct_inheritance.jc0000644000175000017500000000025712311670312017437 0ustar  rtusers# InvariantPolicy = Arguments

type A = {
  integer i;
  invariant i_inv(this) = this.i >= 0;
}

tag B = A with {
  integer j;
}


unit f(B[0] this) {
  assert this.i >= 0;
}
why-2.34/bench/jc/good/switch.jc0000644000175000017500000000110012311670312015027 0ustar  rtusers
integer main(integer i)
  behavior safety: 
    ensures i == 1 || \result == 1;
{
  var integer j = i + 1;
  switch (j) {
    case 0:
      ++j;
    case 1:
      break;
    default:
      j = 1;
      break;
    case 2:
      j = 2;
  };
  return j;
}

integer main2(integer i)
  behavior switchok:
    ensures \old(i == 0) ==> \result == 1;
{
  var integer j = i;
  switch (j) {
    case 0:
      j += 4;
    default:
      j = 1;
    case 4:
      break;
    case 2:
      j = 2;
  };
  return j;
}

/*
Local Variables: 
mode: java
compile-command: "make switch"
End: 
*/
why-2.34/bench/jc/good/Sbox.jc0000644000175000017500000010674312311670312014464 0ustar  rtusers
axiomatic integer_theory {

  predicate is_prime(integer x)
   
  axiom prime_gcd :
  (\forall integer x;
    (\forall integer p;
      ((is_prime(p) && (x != 0)) ==> (gcd(x, p) == 1))))
   
  logic integer gcd(integer p1, integer p2)
  
}

type mod_2_ref = {
  mod_2 contents;
}

axiomatic mod_2 {

  logic type mod_2
   
  logic mod_2 mod_2_of_int(integer x)
   
  logic integer int_of_mod_2(mod_2 x)
   
  logic integer mod_2_mod_2(integer x)
   
  logic mod_2 mod_2_add(mod_2 x1, mod_2 x2)
   
  logic mod_2 mod_2_subt(mod_2 x1, mod_2 x2)
   
  logic mod_2 mod_2_div(mod_2 x1, mod_2 x2)
   
  logic mod_2 mod_2_mult(mod_2 x1, mod_2 x2)
   
  axiom mod_2_bounds :
  (\forall mod_2 x;
    ((0 <= int_of_mod_2(x)) && (int_of_mod_2(x) <= 1)))
   
  axiom mod_2_eq :
  (\forall integer x;
    (((0 <= x) && (x <= 1)) ==> (mod_2_mod_2(x) == x)))
   
  axiom mod_2_of_int_congruent :
  (\forall integer x;
    (mod_2_mod_2(int_of_mod_2(mod_2_of_int(x))) == mod_2_mod_2(x)))
   
  axiom mod_2_int_lower :
  (\forall integer x;
    ((x < 0) ==> (mod_2_mod_2(x) == mod_2_mod_2((x + 2)))))
   
  axiom mod_2_int_greater :
  (\forall integer x;
    ((x > 2) ==> (mod_2_mod_2(x) == mod_2_mod_2((x - 2)))))
   
  axiom mod_2_add_congruent :
  (\forall mod_2 p1;
    (\forall mod_2 p2;
      (mod_2_mod_2(int_of_mod_2(mod_2_add(p1, p2))) ==
        mod_2_mod_2((int_of_mod_2(p1) + int_of_mod_2(p2))))))
   
  axiom mod_2_mult_congruent :
  (\forall mod_2 p1;
    (\forall mod_2 p2;
      (mod_2_mod_2(int_of_mod_2(mod_2_mult(p1, p2))) ==
        mod_2_mod_2((int_of_mod_2(p1) * int_of_mod_2(p2))))))
   
  axiom mod_2_subt_congruent :
  (\forall mod_2 p1;
    (\forall mod_2 p2;
      (mod_2_mod_2(int_of_mod_2(mod_2_subt(p1, p2))) ==
        mod_2_mod_2((int_of_mod_2(p1) - int_of_mod_2(p2))))))
   
  axiom mod_2_div_congruent :
  (\forall mod_2 p1;
    (\forall mod_2 p2;
      ((gcd(int_of_mod_2(p2), 2) == 1) ==>
        (mod_2_mod_2(int_of_mod_2(mod_2_div(p1, p2))) ==
          mod_2_mod_2((int_of_mod_2(p1) / int_of_mod_2(p2)))))))
  
}

axiomatic vector_1_mod_2 {

  logic type vector_1_mod_2
   
  logic vector_1_mod_2 vector_1_mod_2_any()
   
  logic mod_2 vector_1_mod_2_get(vector_1_mod_2 v, integer x)
   
  logic vector_1_mod_2 vector_1_mod_2_set(vector_1_mod_2 v, integer x,
                                          mod_2 y)
   
  logic boolean vector_1_mod_2_neq(vector_1_mod_2 p1, vector_1_mod_2 p2)
   
  logic boolean vector_1_mod_2_eq(vector_1_mod_2 p1, vector_1_mod_2 p2)
   
  axiom vector_1_mod_2_eq_ax :
  (\forall vector_1_mod_2 v1;
    (\forall vector_1_mod_2 v2;
      (\forall integer i;
        ((vector_1_mod_2_eq(v1, v2) == true) ==>
          (vector_1_mod_2_get(v1, i) == vector_1_mod_2_get(v2, i))))))
   
  axiom vector_1_mod_2_neq_ax :
  (\forall vector_1_mod_2 v1;
    (\forall vector_1_mod_2 v2;
      (\forall integer i;
        ((vector_1_mod_2_neq(v1, v2) == true) ==>
          (vector_1_mod_2_get(v1, i) != vector_1_mod_2_get(v2, i))))))
   
  axiom vector_1_mod_2_get_set_eq :
  (\forall vector_1_mod_2 v;
    (\forall integer i;
      (\forall mod_2 x;
        (vector_1_mod_2_get(vector_1_mod_2_set(v, i, x), i) == x))))
   
  axiom vector_1_mod_2_set_neq :
  (\forall vector_1_mod_2 v;
    (\forall integer i;
      (\forall integer j;
        (\forall mod_2 x;
          ((i != j) ==>
            (vector_1_mod_2_get(vector_1_mod_2_set(v, i, x), j) ==
              vector_1_mod_2_get(v, j)))))))
   
  axiom vector_1_mod_2_extensionality :
  (\forall vector_1_mod_2 v1;
    (\forall vector_1_mod_2 v2;
      (\forall integer i;
        ((vector_1_mod_2_get(v1, i) == vector_1_mod_2_get(v2, i)) ==>
          (v1 == v2)))))
   
  logic vector_1_mod_2 vector_1_mod_2_shift(vector_1_mod_2 v, integer ofs)
   
  axiom vector_1_mod_2_shift_def :
  (\forall vector_1_mod_2 v;
    (\forall integer ofs;
      (\forall integer i;
        (vector_1_mod_2_get(vector_1_mod_2_shift(v, ofs), i) ==
          vector_1_mod_2_get(v, (ofs + i))))))
   
  logic vector_1_mod_2 vector_1_mod_2_blit(vector_1_mod_2 src,
                                           vector_1_mod_2 dst, integer ofs,
                                           integer len)
   
  axiom vector_1_mod_2_get_blit_eq :
  (\forall vector_1_mod_2 src;
    (\forall vector_1_mod_2 dst;
      (\forall integer ofs;
        (\forall integer len;
          (\forall integer i;
            (((i >= ofs) && (i < (ofs + len))) ==>
              (vector_1_mod_2_get(vector_1_mod_2_blit(src, dst, ofs, len), i) ==
                vector_1_mod_2_get(src, (i - ofs)))))))))
   
  axiom vector_1_mod_2_get_blit_neq :
  (\forall vector_1_mod_2 src;
    (\forall vector_1_mod_2 dst;
      (\forall integer ofs;
        (\forall integer len;
          (\forall integer i;
            (((i < ofs) || (i >= (ofs + len))) ==>
              (vector_1_mod_2_get(vector_1_mod_2_blit(src, dst, ofs, len), i) ==
                vector_1_mod_2_get(dst, i))))))))
   
  logic vector_1_mod_2 vector_1_mod_2_of_matrix_mod_2(matrix_mod_2 v1)
   
  logic matrix_mod_2 matrix_mod_2_of_vector_1_mod_2(vector_1_mod_2 v1)
  
}

type matrix_mod_2_ref = {
  matrix_mod_2 contents;
}

axiomatic matrix_mod_2 {

  logic type matrix_mod_2
   
  logic matrix_mod_2 matrix_mod_2_any()
   
  logic boolean matrix_mod_2_neq(matrix_mod_2 p1, matrix_mod_2 p2)
   
  logic boolean matrix_mod_2_eq(matrix_mod_2 p1, matrix_mod_2 p2)
   
  logic mod_2 matrix_mod_2_get(matrix_mod_2 v, integer m, integer n)
   
  logic matrix_mod_2 matrix_mod_2_set(matrix_mod_2 v, integer m, integer n,
                                      mod_2 y)
   
  logic matrix_mod_2 matrix_mod_2_shift(matrix_mod_2 v, integer ofs1,
                                        integer ofs2)
   
  logic matrix_mod_2 matrix_mod_2_blit(matrix_mod_2 src, matrix_mod_2 dst,
                                       integer ofs1, integer ofs2,
                                       integer len1, integer len2)
   
  logic matrix_mod_2 matrix_mod_2_add(matrix_mod_2 m, matrix_mod_2 n)
   
  logic matrix_mod_2 matrix_mod_2_mult(matrix_mod_2 m, matrix_mod_2 n)
   
  logic matrix_mod_2 matrix_mod_2_mult_by_scalar(mod_2 scalar, matrix_mod_2 m)
   
  logic matrix_mod_2 matrix_mod_2_of_vector_1_mod_2(vector_1_mod_2 v)
   
  logic vector_1_mod_2 vector_1_mod_2_of_matrix_mod_2(matrix_mod_2 v)
   
  axiom matrix_mod_2_add_ax :
  (\forall matrix_mod_2 m1;
    (\forall matrix_mod_2 m2;
      (\forall integer i;
        (\forall integer j;
          (matrix_mod_2_get(matrix_mod_2_add(m1, m2), i, j) ==
            mod_2_add(matrix_mod_2_get(m1, i, j), matrix_mod_2_get(m2, i, j)))))))
   
  axiom matrix_mod_2_mult_by_scalar_ax :
  (\forall matrix_mod_2 m;
    (\forall mod_2 alpha;
      (\forall integer i;
        (\forall integer j;
          (matrix_mod_2_get(matrix_mod_2_mult_by_scalar(alpha, m), i, j) ==
            mod_2_mult(matrix_mod_2_get(m, i, j), alpha))))))
   
  axiom matrix_mod_2_eq_ax :
  (\forall matrix_mod_2 v1;
    (\forall matrix_mod_2 v2;
      (\forall integer i;
        (\forall integer j;
          ((matrix_mod_2_eq(v1, v2) == true) ==>
            (matrix_mod_2_get(v1, i, j) == matrix_mod_2_get(v2, i, j)))))))
   
  axiom matrix_mod_2_neq_ax :
  (\forall matrix_mod_2 v1;
    (\forall matrix_mod_2 v2;
      (\forall integer i;
        (\forall integer j;
          ((matrix_mod_2_neq(v1, v2) == true) ==>
            (matrix_mod_2_get(v1, i, j) != matrix_mod_2_get(v2, i, j)))))))
   
  axiom matrix_mod_2_get_set_eq :
  (\forall matrix_mod_2 v;
    (\forall integer m;
      (\forall integer n;
        (\forall mod_2 x;
          (matrix_mod_2_get(matrix_mod_2_set(v, m, n, x), m, n) == x)))))
   
  axiom matrix_mod_2_set_neq :
  (\forall matrix_mod_2 v;
    (\forall integer m1;
      (\forall integer n1;
        (\forall integer m2;
          (\forall integer n2;
            (\forall mod_2 x;
              (((m1 != m2) || (n1 != n2)) ==>
                (matrix_mod_2_get(matrix_mod_2_set(v, m1, n1, x), m2, n2) ==
                  matrix_mod_2_get(v, m2, n2)))))))))
   
  axiom matrix_mod_2_extensionality :
  (\forall matrix_mod_2 m1;
    (\forall matrix_mod_2 m2;
      (\forall integer i;
        (\forall integer j;
          ((matrix_mod_2_get(m1, i, j) == matrix_mod_2_get(m2, i, j)) ==>
            (m1 == m2))))))
   
  axiom matrix_mod_2_shift_def :
  (\forall matrix_mod_2 v;
    (\forall integer ofs1;
      (\forall integer ofs2;
        (\forall integer i;
          (\forall integer j;
            (matrix_mod_2_get(matrix_mod_2_shift(v, ofs1, ofs2), i, j) ==
              matrix_mod_2_get(v, (ofs1 + i), (ofs2 + j))))))))
   
  axiom matrix_mod_2_get_blit_eq :
  (\forall matrix_mod_2 src;
    (\forall matrix_mod_2 dst;
      (\forall integer ofs1;
        (\forall integer len1;
          (\forall integer i;
            (\forall integer ofs2;
              (\forall integer len2;
                (\forall integer j;
                  ((((i >= ofs1) && (i < (ofs1 + len1))) &&
                     ((j >= ofs2) && (j < (ofs2 + len2)))) ==>
                    (matrix_mod_2_get(matrix_mod_2_blit(src, dst, ofs1, len1,
                                                        ofs2, len2),
                                      i, j) ==
                      matrix_mod_2_get(src, (i - ofs1), (j - ofs2))))))))))))
   
  axiom matrix_mod_2_get_blit_neq :
  (\forall matrix_mod_2 src;
    (\forall matrix_mod_2 dst;
      (\forall integer ofs1;
        (\forall integer len1;
          (\forall integer i;
            (\forall integer ofs2;
              (\forall integer len2;
                (\forall integer j;
                  ((((i < ofs1) || (i >= (ofs1 + len1))) ||
                     ((j < ofs2) || (j >= (ofs2 + len2)))) ==>
                    (matrix_mod_2_get(matrix_mod_2_blit(src, dst, ofs1, len1,
                                                        ofs2, len2),
                                      i, j) ==
                      matrix_mod_2_get(dst, i, j)))))))))))
  
}

axiomatic ring_mod_2 {

  logic type ring_mod_2
   
  logic ring_mod_2 ring_mod_2_zero =
  ring_mod_2_monomial(mod_2_of_int(0), 0)
   
  logic ring_mod_2 ring_mod_2_unit =
  ring_mod_2_monomial(mod_2_of_int(1), 0)
   
  logic ring_mod_2 ring_mod_2_monomial(mod_2 ring, integer x)
   
  logic ring_mod_2 ring_mod_2_add(ring_mod_2 x1, ring_mod_2 x2)
   
  logic ring_mod_2 ring_mod_2_subt(ring_mod_2 x1, ring_mod_2 x2)
   
  logic ring_mod_2 ring_mod_2_div(ring_mod_2 x1, ring_mod_2 x2)
   
  logic ring_mod_2 ring_mod_2_mult(ring_mod_2 x1, ring_mod_2 x2)
   
  logic ring_mod_2 ring_mod_2_exp(ring_mod_2 p1, integer p2)
   
  logic ring_mod_2 ring_mod_2_uminus(ring_mod_2 p1)
   
  logic ring_mod_2 ring_mod_2_uplus(ring_mod_2 p1)
   
  logic boolean ring_mod_2_neq(ring_mod_2 p1, ring_mod_2 p2)
   
  logic boolean ring_mod_2_eq(ring_mod_2 p1, ring_mod_2 p2)
   
  logic boolean ring_mod_2_congruent(ring_mod_2 p1, ring_mod_2 p2,
                                     ring_mod_2 p3)
   
  axiom ring_mod_2_mult_ax :
  (\forall ring_mod_2 A;
    (\forall ring_mod_2 B;
      (((A != ring_mod_2_zero) && (B != ring_mod_2_zero)) ==>
        (ring_mod_2_mult(A, B) != ring_mod_2_zero))))
   
  axiom ring_mod_2_subt_ax :
  (\forall ring_mod_2 A;
    (\forall ring_mod_2 B;
      ((A != B) ==> (ring_mod_2_subt(A, B) != ring_mod_2_zero))))
   
  axiom ring_mod_2_div_ax :
  (\forall ring_mod_2 A;
    (\forall ring_mod_2 B;
      ((A != ring_mod_2_zero) ==> (ring_mod_2_div(A, B) != ring_mod_2_zero))))
   
  axiom ring_mod_2_div_ax :
  (\forall ring_mod_2 A;
    (\forall ring_mod_2 B;
      ((A != ring_mod_2_uminus(B)) ==>
        (ring_mod_2_add(A, B) != ring_mod_2_zero))))
   
  axiom ring_mod_2_exp_ax :
  (\forall ring_mod_2 A;
    (\forall integer B;
      ((A != ring_mod_2_zero) ==> (ring_mod_2_exp(A, B) != ring_mod_2_zero))))
   
  axiom ring_mod_2_uminus_ax :
  (\forall ring_mod_2 A;
    ((A != ring_mod_2_zero) ==> (ring_mod_2_uminus(A) != ring_mod_2_zero)))
   
  predicate ring_mod_2_is_irreducible(ring_mod_2 x)
  
}

axiomatic field_mod_2_poly_1 {

  logic type field_mod_2_poly_1
   
  logic ring_mod_2 field_mod_2_poly_1_generator =
  ring_mod_2_add(ring_mod_2_monomial(mod_2_of_int(1), 8),
                 ring_mod_2_add(ring_mod_2_monomial(mod_2_of_int(1), 4),
                                ring_mod_2_add(ring_mod_2_monomial(mod_2_of_int(
                                                                   1), 3),
                                               ring_mod_2_add(ring_mod_2_monomial(
                                                              mod_2_of_int(
                                                              1), 1),
                                                              ring_mod_2_monomial(
                                                              mod_2_of_int(
                                                              1), 0)))))
   
  logic ring_mod_2 field_mod_2_poly_1_zero =
  ring_mod_2_monomial(mod_2_of_int(0), 0)
   
  logic ring_mod_2 field_mod_2_poly_1_unit =
  ring_mod_2_monomial(mod_2_of_int(1), 0)
   
  logic mod_2 field_mod_2_poly_1_get_coef(field_mod_2_poly_1 poly,
                                          integer power)
   
  logic field_mod_2_poly_1 field_mod_2_poly_1_set_coef(field_mod_2_poly_1 poly,
                                                       integer power,
                                                       mod_2 coef)
   
  logic ring_mod_2 ring_mod_2_of_field_mod_2_poly_1(field_mod_2_poly_1 x)
   
  logic field_mod_2_poly_1 field_mod_2_poly_1_of_ring_mod_2(ring_mod_2 x)
   
  logic ring_mod_2 field_mod_2_poly_1_congruence(ring_mod_2 x)
   
  logic field_mod_2_poly_1 field_mod_2_poly_1_of_mod_2(mod_2 x)
   
  logic boolean field_mod_2_poly_1_neq(field_mod_2_poly_1 p1,
                                       field_mod_2_poly_1 p2)
   
  predicate field_mod_2_poly_1_eq(field_mod_2_poly_1 p1,
                                      field_mod_2_poly_1 p2)
   
  axiom field_mod_2_poly_1_cong :
  (\forall ring_mod_2 v;
    (field_mod_2_poly_1_congruence(ring_mod_2_of_field_mod_2_poly_1(field_mod_2_poly_1_of_ring_mod_2(
                                                                    v))) ==
      field_mod_2_poly_1_congruence(v)))
   
  logic vector_1_mod_2 vector_1_mod_2_of_field_mod_2_poly_1(field_mod_2_poly_1 x)
   
  logic field_mod_2_poly_1 field_mod_2_poly_1_of_vector_1_mod_2(vector_1_mod_2 x)
   
  axiom field_mod_2_poly_1_mult_ax :
  (\forall field_mod_2_poly_1 A;
    (\forall field_mod_2_poly_1 B;
      (((A != field_mod_2_poly_1_of_ring_mod_2(field_mod_2_poly_1_zero)) &&
         (B != field_mod_2_poly_1_of_ring_mod_2(field_mod_2_poly_1_zero))) ==>
        (field_mod_2_poly_1_of_ring_mod_2(ring_mod_2_mult(ring_mod_2_of_field_mod_2_poly_1(
                                                          A),
                                                          ring_mod_2_of_field_mod_2_poly_1(
                                                          B))) !=
          field_mod_2_poly_1_of_ring_mod_2(field_mod_2_poly_1_zero)))))
   
  axiom field_mod_2_poly_1_subt_ax :
  (\forall field_mod_2_poly_1 A;
    (\forall field_mod_2_poly_1 B;
      ((A != B) ==>
        (field_mod_2_poly_1_of_ring_mod_2(ring_mod_2_subt(ring_mod_2_of_field_mod_2_poly_1(
                                                          A),
                                                          ring_mod_2_of_field_mod_2_poly_1(
                                                          B))) !=
          field_mod_2_poly_1_of_ring_mod_2(field_mod_2_poly_1_zero)))))
   
  axiom field_mod_2_poly_1_div_ax :
  (\forall field_mod_2_poly_1 A;
    (\forall field_mod_2_poly_1 B;
      ((A != field_mod_2_poly_1_of_ring_mod_2(field_mod_2_poly_1_zero)) ==>
        (field_mod_2_poly_1_of_ring_mod_2(ring_mod_2_div(ring_mod_2_of_field_mod_2_poly_1(
                                                         A),
                                                         ring_mod_2_of_field_mod_2_poly_1(
                                                         B))) !=
          field_mod_2_poly_1_of_ring_mod_2(field_mod_2_poly_1_zero)))))
   
  axiom field_mod_2_poly_1_add_ax :
  (\forall field_mod_2_poly_1 A;
    (\forall field_mod_2_poly_1 B;
      ((A !=
         field_mod_2_poly_1_of_ring_mod_2(ring_mod_2_uminus(ring_mod_2_of_field_mod_2_poly_1(
                                                            B)))) ==>
        (field_mod_2_poly_1_of_ring_mod_2(ring_mod_2_add(ring_mod_2_of_field_mod_2_poly_1(
                                                         A),
                                                         ring_mod_2_of_field_mod_2_poly_1(
                                                         B))) !=
          field_mod_2_poly_1_of_ring_mod_2(field_mod_2_poly_1_zero)))))
   
  axiom field_mod_2_poly_1_exp_ax :
  (\forall field_mod_2_poly_1 A;
    (\forall integer B;
      ((A != field_mod_2_poly_1_of_ring_mod_2(field_mod_2_poly_1_zero)) ==>
        (field_mod_2_poly_1_of_ring_mod_2(ring_mod_2_exp(ring_mod_2_of_field_mod_2_poly_1(
                                                         A), B)) !=
          field_mod_2_poly_1_of_ring_mod_2(field_mod_2_poly_1_zero)))))
   
  axiom field_mod_2_poly_1_uminus_ax :
  (\forall field_mod_2_poly_1 A;
    ((A != field_mod_2_poly_1_of_ring_mod_2(field_mod_2_poly_1_zero)) ==>
      (field_mod_2_poly_1_of_ring_mod_2(ring_mod_2_uminus(ring_mod_2_of_field_mod_2_poly_1(
                                                          A))) !=
        field_mod_2_poly_1_of_ring_mod_2(field_mod_2_poly_1_zero))))
   
  axiom field_mod_2_poly_1_get_set_eq :
  (\forall field_mod_2_poly_1 v;
    (\forall integer i;
      (\forall mod_2 x;
        (field_mod_2_poly_1_get_coef(field_mod_2_poly_1_set_coef(v, i, x), i) ==
          x))))
   
  axiom field_mod_2_poly_1_set_neq :
  (\forall field_mod_2_poly_1 v;
    (\forall integer i;
      (\forall integer j;
        (\forall mod_2 x;
          ((i != j) ==>
            (field_mod_2_poly_1_get_coef(field_mod_2_poly_1_set_coef(
                                         v, i, x), j) ==
              field_mod_2_poly_1_get_coef(v, j)))))))
  
}

lemma ring_mod_2_is_irreducible_po :
ring_mod_2_is_irreducible(field_mod_2_poly_1_generator)

lemma field_mod_2_poly_1_is_prime_po :
is_prime(2)

boolean field_mod_2_poly_1_eq_param(field_mod_2_poly_1 x,field_mod_2_poly_1 y)
  behavior default:
    assigns \nothing;
    ensures if \result then field_mod_2_poly_1_eq(x,y) else !field_mod_2_poly_1_eq(x,y);
;

matrix_mod_2 M = matrix_mod_2_any();

vector_1_mod_2 C = vector_1_mod_2_any();

field_mod_2_poly_1 SBox(field_mod_2_poly_1 input_e)
{  
   (var field_mod_2_poly_1 e = input_e);
   
   {  
        
        (var field_mod_2_poly_1 x)
      ;
      (if field_mod_2_poly_1_eq_param(e,
                                field_mod_2_poly_1_of_ring_mod_2(ring_mod_2_monomial(
                                                                 mod_2_of_int(
                                                                 0), 0))) then 
      {  (x = field_mod_2_poly_1_of_ring_mod_2(ring_mod_2_monomial(mod_2_of_int(
                                                                   0), 0)))
      } else 
      {  
         (assert (!field_mod_2_poly_1_eq(e,
                   field_mod_2_poly_1_of_ring_mod_2(ring_mod_2_monomial(
                                                    mod_2_of_int(0), 0)))));
         (x = (let cao_var_1 = e
              in 
              {  
                 (assert for safety: (!field_mod_2_poly_1_eq(cao_var_1,
                                       field_mod_2_poly_1_of_ring_mod_2(
                                       field_mod_2_poly_1_zero))));
                 field_mod_2_poly_1_of_ring_mod_2(ring_mod_2_div(ring_mod_2_of_field_mod_2_poly_1(
                                                                 field_mod_2_poly_1_of_ring_mod_2(
                                                                 ring_mod_2_monomial(
                                                                 mod_2_of_int(
                                                                 1), 0))),
                                                                 ring_mod_2_of_field_mod_2_poly_1(
                                                                 cao_var_1)))
              }))
      });
      
        
        (var matrix_mod_2 A = (let cao_var_2 = matrix_mod_2_any()
                              in (let cao_var_3 =
                                 (let cao_var_4 = vector_1_mod_2_any(
                                 )
                                 in (let cao_var_5 = x
                                    in (let cao_var_6 =
                                       vector_1_mod_2_set(cao_var_4, 7,
                                                          field_mod_2_poly_1_get_coef(
                                                          cao_var_5, 7))
                                       in (let cao_var_7 =
                                          vector_1_mod_2_set(cao_var_4, 6,
                                                             field_mod_2_poly_1_get_coef(
                                                             cao_var_5, 6))
                                          in (let cao_var_8 =
                                             vector_1_mod_2_set(cao_var_4, 5,
                                                                field_mod_2_poly_1_get_coef(
                                                                cao_var_5, 5))
                                             in (let cao_var_9 =
                                                vector_1_mod_2_set(cao_var_4,
                                                                   4,
                                                                   field_mod_2_poly_1_get_coef(
                                                                   cao_var_5,
                                                                   4))
                                                in (let cao_var_10 =
                                                   vector_1_mod_2_set(
                                                   cao_var_4, 3,
                                                   field_mod_2_poly_1_get_coef(
                                                   cao_var_5, 3))
                                                   in (let cao_var_11 =
                                                      vector_1_mod_2_set(
                                                      cao_var_4, 2,
                                                      field_mod_2_poly_1_get_coef(
                                                      cao_var_5, 2))
                                                      in (let cao_var_12 =
                                                         vector_1_mod_2_set(
                                                         cao_var_4, 1,
                                                         field_mod_2_poly_1_get_coef(
                                                         cao_var_5, 1))
                                                         in (let cao_var_13 =
                                                            vector_1_mod_2_set(
                                                            cao_var_4, 0,
                                                            field_mod_2_poly_1_get_coef(
                                                            cao_var_5, 0))
                                                            in cao_var_4))))))))))
                                 in (let cao_var_2 =
                                    matrix_mod_2_set(cao_var_2, 7, 0,
                                                     vector_1_mod_2_get(
                                                     cao_var_3, 7))
                                    in (let cao_var_2 =
                                       matrix_mod_2_set(cao_var_2, 6, 0,
                                                        vector_1_mod_2_get(
                                                        cao_var_3, 6))
                                       in (let cao_var_2 =
                                          matrix_mod_2_set(cao_var_2, 5, 0,
                                                           vector_1_mod_2_get(
                                                           cao_var_3, 5))
                                          in (let cao_var_2 =
                                             matrix_mod_2_set(cao_var_2, 4,
                                                              0,
                                                              vector_1_mod_2_get(
                                                              cao_var_3, 4))
                                             in (let cao_var_2 =
                                                matrix_mod_2_set(cao_var_2,
                                                                 3, 0,
                                                                 vector_1_mod_2_get(
                                                                 cao_var_3, 3))
                                                in (let cao_var_2 =
                                                   matrix_mod_2_set(cao_var_2,
                                                                    2, 0,
                                                                    vector_1_mod_2_get(
                                                                    cao_var_3,
                                                                    2))
                                                   in (let cao_var_2 =
                                                      matrix_mod_2_set(
                                                      cao_var_2, 1, 0,
                                                      vector_1_mod_2_get(
                                                      cao_var_3, 1))
                                                      in (let cao_var_2 =
                                                         matrix_mod_2_set(
                                                         cao_var_2, 0, 0,
                                                         vector_1_mod_2_get(
                                                         cao_var_3, 0))
                                                         in cao_var_2)))))))))))
      ;
      
        
        (var vector_1_mod_2 B = (let cao_var_14 = vector_1_mod_2_any(
                                )
                                in (let cao_var_15 = matrix_mod_2_mult(
                                   M, A)
                                   in (let cao_var_14 =
                                      vector_1_mod_2_set(cao_var_14, 7,
                                                         matrix_mod_2_get(
                                                         cao_var_15, 7, 0))
                                      in (let cao_var_14 =
                                         vector_1_mod_2_set(cao_var_14, 6,
                                                            matrix_mod_2_get(
                                                            cao_var_15, 6, 0))
                                         in (let cao_var_14 =
                                            vector_1_mod_2_set(cao_var_14, 5,
                                                               matrix_mod_2_get(
                                                               cao_var_15, 5,
                                                               0))
                                            in (let cao_var_14 =
                                               vector_1_mod_2_set(cao_var_14,
                                                                  4,
                                                                  matrix_mod_2_get(
                                                                  cao_var_15,
                                                                  4, 0))
                                               in (let cao_var_14 =
                                                  vector_1_mod_2_set(
                                                  cao_var_14, 3,
                                                  matrix_mod_2_get(cao_var_15,
                                                                   3, 0))
                                                  in (let cao_var_14 =
                                                     vector_1_mod_2_set(
                                                     cao_var_14, 2,
                                                     matrix_mod_2_get(
                                                     cao_var_15, 2, 0))
                                                     in (let cao_var_14 =
                                                        vector_1_mod_2_set(
                                                        cao_var_14, 1,
                                                        matrix_mod_2_get(
                                                        cao_var_15, 1, 0))
                                                        in (let cao_var_14 =
                                                           vector_1_mod_2_set(
                                                           cao_var_14, 0,
                                                           matrix_mod_2_get(
                                                           cao_var_15, 0, 0))
                                                           in cao_var_14)))))))))))
      ;
      
      (return field_mod_2_poly_1_of_ring_mod_2(ring_mod_2_add(ring_mod_2_of_field_mod_2_poly_1(
                                                              field_mod_2_poly_1_of_ring_mod_2(
                                                              (let cao_var_16 =
                                                              B
                                                              in ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_16, 7),
                                                              7),
                                                              ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_16, 6),
                                                              6),
                                                              ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_16, 5),
                                                              5),
                                                              ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_16, 4),
                                                              4),
                                                              ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_16, 3),
                                                              3),
                                                              ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_16, 2),
                                                              2),
                                                              ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_16, 1),
                                                              1),
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_16, 0),
                                                              0))))))))))),
                                                              ring_mod_2_of_field_mod_2_poly_1(
                                                              field_mod_2_poly_1_of_ring_mod_2(
                                                              (let cao_var_17 =
                                                              C
                                                              in ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_17, 7),
                                                              7),
                                                              ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_17, 6),
                                                              6),
                                                              ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_17, 5),
                                                              5),
                                                              ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_17, 4),
                                                              4),
                                                              ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_17, 3),
                                                              3),
                                                              ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_17, 2),
                                                              2),
                                                              ring_mod_2_add(
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_17, 1),
                                                              1),
                                                              ring_mod_2_monomial(
                                                              vector_1_mod_2_get(
                                                              cao_var_17, 0),
                                                              0))))))))))))))
   }
}
why-2.34/bench/jc/good/floats.jc0000644000175000017500000000737112311670312015036 0ustar  rtusers/*
lemma l1: 0.5 <= 1.0 && 1.0 <= 2.0


double test1()
  behavior default: 
   ensures (\result :> real) == 7.0;
{ 
return ((2.0 * 3.5) :> double);
}





double test1bis()
  behavior default: 
   ensures (\result :> real) == 7.0;
{ 
 return (2.0 :>double) * (3.5 :> double);

}

float test2()
  behavior default: 
   ensures (\result :> real) == 0.100000001490116119384765625;
{ 
return (0.1 :> float);
}



double diff(double x, double y)
behavior default:
	assumes (y:> real)/2.0 <= (x :> real) 
	         && (x:>real) <= 2.0*(y :> real); 
        ensures (\result :> real) == (x :> real) - (y :> real);
{
  return (((x :> real) - (y :> real)) :> double);
}


double diffbis(double x, double y)
behavior default:
	assumes (y:> real)/2.0 <= (x :> real) 
	         && (x:>real) <= 2.0*(y :> real); 
        ensures (\result :> real) == (x :> real) - (y :> real);
{
  return (x - y);
}








/* racine polynome */

float poly(float x) 
  behavior default:
	assumes (x :> real) == \real_sqrt(2.0)/2.0;
	ensures (\result :> real) == 0.0;
{
return (2.0:>float)*x*x-(1.0 :> float);
}





axiomatic axo {
logic real cos(real x)
logic real exp(real x)
logic real power(real x, integer n)
}

float moncos(float x) 
behavior default:
	assumes \real_abs((x :> real)) <= 1.0/32.0;
	ensures \real_abs((\result :> real) - cos((x :> real))) <= power(2.0,-23);
{
  return (1.0 :> float) - x*x*(0.5 :>float);
}




double monexp(double x) 
behavior default:
	assumes \real_abs(x :> real) <= power(2.0,-3);
        ensures \real_abs((\result :> real) - exp(x :> real)) <= power(2.0,-23);
{
  return (1.0 :> double)+x*((1.0:>double)+x/(2.0:>double));
}







lemma sqrt_def : \forall real x; x>= 0.0 ==> \real_sqrt(x)*\real_sqrt(x) == x

lemma sqrt_def2 : \forall real x;  x>= 0.0 ==> \real_sqrt(x*x) == x

lemma l2 : 4.0 == 2.0 * 2.0

lemma l3 : 2.0 >= 0.0


real testsqrt()
  behavior default: 
   ensures \result == 2.0;
{ 
  return \real_sqrt(4.0); 
}


double testsqrt_double()
  behavior default: 
   ensures (\result :>real) == 2.0;
{ 
  return \double_sqrt(4.0 :>double); 
}






real testabs()
  behavior default: 
   ensures \result == 2.0;
{ 
  return \real_abs(-2.0); 
}


double testabs_double()
  behavior default: 
   ensures (\result :> real) == 2.0;
{ 
  return \double_abs((-2.0) :>double); 
}







double testneg()
  behavior default: 
   ensures (\result :> real) == 2.0;
{ 
  return \neg_double((-2.0) :>double); 
}





boolean testlt()
  behavior default: 
   ensures \result == true;
{ 
  return ((2.0 :>double) < (3.0 :>double)); 
}

boolean testltfloat()
  behavior default: 
   ensures \result == true;
{ 
  return ((2.0 :>float) < (3.0 :>float)); 
}





float testcast(double x)
 behavior default: 
   ensures (\result :>real) == 2.0;
{
return ((2.0 :>double):>float);
}






/* test de rounding errors */

double Sterbenz(double x, double y) 
 behavior default: 
   assumes (y:> real)/2.0 <= (x :> real) 
	         && (x:>real) <= 2.0*(y :> real) 
		 && \double_round_error(x)== 0.0 
		 && \double_round_error(y)== 0.0;
   ensures \double_round_error(\result)== 0.0;
{
  return x-y;
}







double test3(double x)
behavior default :
  assumes \is_plus_infinity_double(x);  
  ensures (\result :> real) == 0.0; 
{ 
return ((3.0:>double)/x);
}


double test4()
behavior default :
   ensures \is_plus_infinity_double(\result); 
{ 
return (1.0 :> double)/(0.0 :>double);  
}


double test5(double x,double y)
behavior default :
  assumes \is_plus_infinity_double(x) && \is_plus_infinity_double(y);  
  ensures \is_NaN_double(\result);
{ 
return (x-y);
}


double test6(double x,double y)
behavior default :
  assumes (x :>real) == 0.0 && (y :>real) == 0.0;  
  ensures \is_NaN_double(\result);
{ 
return (x/y);
}


double test7()
behavior default :
  ensures \is_finite_double(\result);
{
return (2.0:>double);
}
*/why-2.34/bench/jc/good/discr_union.jc0000644000175000017500000000214312311670312016052 0ustar  rtusers# InvariantPolicy = Arguments

/*

hand-made from C program:

struct packet {
    int discr;
    union {
        int val1;
        float val2;
    } uni;
};
void get(struct packet *p, int *v1, float *v2) {
    switch (p->discr) {
        case 0: *v1 = p->uni.val1; break;
        case 1: *v2 = p->uni.val2; break;
    }
}

*/

type integerT = { integer i; }
type realT = { real r; }

type packet_uni = {
}

tag packet_uni_int = packet_uni with {
    integer val1;
}

tag packet_uni_float = packet_uni with {
    real val2;
}

type packet = {
    integer discr;
    rep packet_uni[0] uni;
    invariant discr0(this) = this.discr == 0 ==> this.uni <: packet_uni_int;
    invariant discr1(this) = this.discr == 1 ==> this.uni <: packet_uni_float;
}

unit get(packet[0] p, integerT[0] v1, realT[0] v2)
    requires discr0(p) && discr1(p);
    behavior normal: ensures  discr0(p) && discr1(p);
{
    switch (p.discr) {
        case 0: v1.i = (p.uni :> packet_uni_int).val1; break;
        case 1: v2.r = (p.uni :> packet_uni_float).val2; break;
    }
}

/*
Local Variables: 
mode: C
compile-command: "make discr_union"
End: 
*/
why-2.34/bench/jc/good/validity.jc0000644000175000017500000000054212311670312015364 0ustar  rtuserstype intM = {
    integer intP;
}

type T = {
    intM[0..] p;
}


integer m(intM[0..] t) 
  requires \offset_max(t) >= 0;
{
    return (t+0).intP;
}

integer test() 
  behavior default:
    ensures \result == 0;
{
    var T[0] t = new T[1];
    t.p = new intM[1];
    return m(t.p);
}




/*
Local Variables: 
compile-command: "make validity"
End: 
*/

why-2.34/bench/jc/good/variant.jc0000644000175000017500000000233512311670312015205 0ustar  rtusers#InvariantPolicy = Ownership

tag Parallelogram = {
  integer l1;
  integer l2;
  integer l3;
  integer l4;
  invariant par_inv(x) = x.l1 >= 0 && x.l2 >= 0 && x.l3 >= 0 && x.l4 >= 0;
}

tag Rectangle = Parallelogram with {
  integer smallsidelen;
  integer greatsidelen;
  invariant rect_inv(x) =
    x.l1 == x.l3 &&
    x.l1 == x.smallsidelen &&
    x.l2 == x.l4 &&
    x.l2 == x.greatsidelen;
}

tag Circle = {
  integer radius;
}

type Test = {
  integer plouf;
}

type shape = [Parallelogram | Circle]

integer parallelogram_perimeter(Parallelogram[0] P)
  behavior ok: ensures \result >= 0;
{
  return P.l1 + P.l2 + P.l3 + P.l4;
}

integer circle_perimeter(Circle[0] C)
  behavior ok: ensures \result >= 0;
{
  return 3 * C.radius * C.radius;
}

integer perimeter(shape[0] S)
  behavior ok: ensures match S with
      Circle{radius = r;} -> \result == 3*r*r;
    _ -> \result >= 0;
  end;
  behavior bla: ensures match S with
    Circle{radius = r;} -> 0 == 0 <==> 1 == 1;
  end;
{
  return match S with
    Parallelogram{} as P ->
      parallelogram_perimeter(P);
    Circle{radius = r;} as C ->
      3 * r * r;
  end;
}

lemma test: \forall integer r; 3*r*r >= 0

/*
Local Variables: 
mode: java
compile-command: "make variant"
End: 
*/why-2.34/bench/jc/good/remez.jc0000644000175000017500000000065112311670312014662 0ustar  rtusersfloat my_exp(float x)
  requires \real_abs((x :> real)) <= 1.0 && (x :> real) == \float_exact(x);
  behavior default:
    ensures \real_abs((\result :> real) - \exp((x :> real))) <= 0.05;
{
  var float retres;

  retres = (0.9890365552 :> float) +
           (1.130258690 :> float) * x +
           (0.5540440796 :> float) * x * x;

  assert \real_abs(\float_exact(retres) - \exp((x :> real))) <= 0.049;

  return retres;
}

why-2.34/bench/jc/good/liste_chainee.jc0000644000175000017500000000724312311670312016340 0ustar  rtusers# InvariantPolicy = Arguments

/*
 *  Présentation :
 *  --------------
 *
 *  Ce source est une abstraction d'une partie de logiciel embarqué
 *  plus volumineuse, et intégrée avec de nombreuses définitions de variables
 *  et de constantes pour remplir les structures de données utilisées
 *  (tables de signaux, listes chaînées de messages, etc.)
 *
 *  Il comporte des alias, principalement dus :
 *      - à la présence de listes chaînées ;
 *      - à l'utilisation de "raccourcis" pour accéder à des champs
 *      accessibles par plusieurs niveaux d'indirection.
 *
 *  On souhaite se donner les moyens de prouver sur ce code :
 *      - des propriétés fonctionnelles en intégré (ou au moins en unitaire) ;
 *      - des propriétés de sûreté de fonctionnement en intégré.
 *
 *
 *  Hypothèses :
 *  ------------
 *
 *      Tout pointeur contient l'adresse d'une constante ou d'une variable
 *      du type correspondant, et allouée statiquement.
 *
 *      Le champ PTR de toute variable de type STR_MESSAGE contient
 *      l'adresse d'une constante de type T_1MSG16C ou T_2MSG41C.
 *      Le champ NATURE de toute constante de type T_1MSG16C vaut T1MSG16C.
 *      Le champ NATURE de toute constante de type T_2MSG41C vaut T2MSG41C.
 *
 *      Tous les tableaux de caractères associés aux messages contiennent
 *      au moins un caractère de fin de chaîne '\0'.
 *
 *
 *  Propriété à prouver :
 *  ---------------------
 *
 *      A l'issue de l'exécution de la fonction ComposerPage(),
 *      la ressource Page contient exactement la liste des messages visibles
 *      associés aux signaux textuels actifs :
 *
 *          - dans l'ordre induit par :
 *              > l'ordre des signaux défini par la table ListeSignaux[] d'abord ;
 *              > l'ordre de chaînage des messages sur chaque signal ensuite.
 *
 *          - dans la limite des 18 premiers messages.
 *
 *
 *  Autre propriété à vérifier :
 *  ----------------------------
 *
 *      La fonction DeclarerPanneRobustesse n'est jamais appelée.
 */


/* Définition des types et constantes */

type BOOLEAN = 0..1

type charM = -128..127

type char = {
 charM c;
}

type T_NATURE_MSG = 0..1

type T_MSG = {
    T_NATURE_MSG    NATURE ;
    invariant dicr(msg) = (msg.NATURE == 0 ==> msg <: T_1MSG16C)
                       && (msg.NATURE == 1 ==> msg <: T_2MSG41C);
}

tag T_1MSG16C = T_MSG with {
    char[0..15]            TEXTE ;
} 

tag T_2MSG41C = T_MSG with {
    char[0..40]            TEXTE1 ;
    char[0..40]            TEXTE2 ;
} 

type STR_MESSAGE = {
    T_MSG[0]                 PTR ;
    BOOLEAN             VISIBLE ;
    STR_MESSAGE[..] MESSAGESUIVANT ;
}

type T_TYPE = 0..1

type T_SIGNAL = {
    T_TYPE  TYPE ;
    integer     PRIORITE ;
} 


type STR_SIGNAL =
{
    T_SIGNAL[0]    DEF ;
    BOOLEAN     ACTIF ;
    STR_MESSAGE[0] MESSAGE ;
} 


type T_CompositionPage = {
    integer     IndexLigne;
    char[0..40]    Texte ;
} 


/* Définition des variables globales */


/*  Autre propriété à vérifier :
 *  ----------------------------
 *
 *      La fonction DeclarerPanneRobustesse n'est jamais appelée.
 */
//@ requires 0
unit DeclarerPanneRobustesse(integer codeErr)
{
    /* Fonction non implantée ici */()
}



unit ComposerMsg(STR_MESSAGE[0] Msg, T_CompositionPage[0] Page)
{
    /* Ecriture du message sur la page */
    if Msg.PTR.NATURE == 0 then
    {	
	var T_1MSG16C[0] Ligne1Etat = Msg.PTR :> T_1MSG16C;
	Page.Texte = Ligne1Etat.TEXTE;
    }
    else if Msg.PTR.NATURE == 1 then
    {
	var T_2MSG41C[0] Ligne2Etats = Msg.PTR :> T_2MSG41C;
	Page.Texte = Ligne2Etats.TEXTE2;
    }
    else
    {
	DeclarerPanneRobustesse(Msg.PTR.NATURE) ;
    }
    
}



/*
Local Variables: 
mode: java
compile-command: "make liste_chainee"
End: 
*/
why-2.34/bench/jc/good/hashmap.jc0000644000175000017500000000501512311670312015160 0ustar  rtusers# InvariantPolicy = Arguments

// mathematical Fib function

logic integer math_fib(integer n)
axiom fib0 : math_fib(0) == 1
axiom fib1 : math_fib(1) == 1
axiom fibn : \forall integer n; n >= 2 ==> 
   math_fib(n) == math_fib(n-1) + math_fib(n-2)


// structure to store long integers
type Long = {
  integer value; 
  invariant long_inv(self) = self.value < 9223372036854775808;
}

// logic mappings from integer to Long
logic type mapping
logic Long[..] access(mapping m, integer n)
logic mapping update(mapping m, integer key, Long[..] l) 
axiom access_update_eq:
  \forall mapping m; \forall integer key; \forall Long[..] l ;
      access(update(m,key,l),key) == l
axiom access_update_neq:
  \forall mapping m; \forall integer key1, key2; \forall Long[..] l ;
     key1 != key2 ==>
        access(update(m,key1,l),key2) == access(m,key2) 
  
logic mapping empty_mapping

logic containsKey(mapping m, integer key)

axiom containsKey_empty:
  \forall integer key; ! containsKey(empty_mapping,key)

axiom containsKey_update_eq:
   \forall mapping m; \forall integer key; \forall Long[..] l; 
      containsKey(update(m,key,l),key)

axiom containsKey_update_any:
  \forall mapping m; \forall integer key1, key2; \forall Long[..] l; 
     containsKey(m,key1) ==> containsKey(update(m,key2,l),key1)




// abstract view of a hashmap with key = integer and data = Long
type HashMap = { 
 mapping hashmap_model; //model
}

unit HashMap_put(HashMap[..] this, integer x, Long[..] y)
 behavior default:
  assigns this.hashmap_model;
  ensures 
   this.hashmap_model == update(\old(this.hashmap_model),x,y);
;

Long[..] HashMap_get(HashMap[..] this, integer x)
 behavior key_found:
   assigns \nothing;
   ensures \result != null ==>
     containsKey(this.hashmap_model,x) &&
     \result == access(this.hashmap_model,x) ;
 behavior null_found:
   assumes containsKey(this.hashmap_model,x);
   assigns \nothing;
   ensures access(this.hashmap_model,x) == null ;
;

type FibMemo = {
  HashMap[0] memo;
  invariant fib_inv(self) =
      \forall integer x; containsKey(self.memo.hashmap_model,x) ==>
        access(self.memo.hashmap_model,x) != null &&
        access(self.memo.hashmap_model,x).value == math_fib(x);
}


integer fib(FibMemo[0] this, integer n) 
  requires 0 <= n && n <= 92 ;
  behavior default:
    ensures \result == math_fib(n);
  {       
	if (n <= 1) then return 1; 
	var Long[..] x = HashMap_get(this.memo,n);
	if (x != null) then return x.value;
	x = new Long[0];
	x.value = fib(this,n-1) + fib(this,n-2);
	HashMap_put(this.memo,n,x); 
	return x.value;
    }

why-2.34/bench/jc/good/loop_assigns.jc0000644000175000017500000000043312311670312016236 0ustar  rtusers

type T = {
     integer i;
}

T[0] a;

T[0..9] b;


unit f()
  behavior default:
     assigns a.i,(b+[0..\old(a.i)]).i;
     ensures true;
{
     a.i = 0;
     var integer k = 0;
     invariant 0 <= k;
     while (k<=9) 
     {     
       (b+k).i = 1;
       k++;
     }
}


     why-2.34/bench/jc/good/shape.jc0000644000175000017500000000133212311670312014635 0ustar  rtusers# InvariantPolicy = Arguments

/*
example taken from "Coping with Type Casts in C"
*/

type shape_kind = 0..1

type Shape = {
  shape_kind kind;
  invariant dicr(s) = (s.kind == 0 ==> s <: Circle)
		   && (s.kind == 1 ==> s <: Rectangle);
}

tag Circle = Shape with {
  real radius;
}

tag Rectangle = Shape with {
  real length;
  real width;
}

real circ_area(Circle[0] s) {
  return s.radius * s.radius * 3.14;
}

real rect_area(Rectangle[0] s) {
  return s.length * s.width;
}

real area(Shape[0] s)
{
    if s.kind == 0 then {
    return circ_area(s:>Circle);
    } else if s.kind == 1 then {
    return rect_area(s:>Rectangle);
  }
  else return 0.;
}

/*
Local Variables: 
mode: java
compile-command: "make shape"
End: 
*/
why-2.34/bench/jc/good/short.jc0000644000175000017500000000030612311670312014674 0ustar  rtusers
type unsignedchar = 0..255

type shortint = -32768..32767


unsignedchar f(unsignedchar x, shortint y) {
  return x+y;
}
    
/*
Local Variables: 
mode: java
compile-command: "make short"
End: 
*/
why-2.34/bench/jc/good/valid_range.jc0000644000175000017500000000034712311670312016015 0ustar  rtuserstype Int = {
  integer i;
}

integer get(Int[0..] I)
  requires \offset_max(I + [0..42]) >= 0;
  behavior plop:
    ensures true;
{
  return (I+37).i;
}

/*
Local Variables: 
mode: java
compile-command: "make valid_range"
End: 
*/
why-2.34/bench/jc/good/null.jc0000644000175000017500000000062112311670312014507 0ustar  rtusers
type list = {
  integer content;
  list[..] next;
}

unit sum(list[0] l) {
    var integer s = 0;
    invariant true;
    variant 0;
    while (l != null) 
    {
	s += l.content;
	l = l.next;
    }
}

unit nullify(list[0] l) {
    invariant true;
    variant 0;
    while (l != null) 
    {
	l.content = 0;
	l = l.next;
    }
}


/*
Local Variables: 
mode: java
compile-command: "make null"
End: 
*/
why-2.34/bench/jc/good/match_axiom.jc0000644000175000017500000000034212311670312016026 0ustar  rtuserstype Circle = {
  integer radius;
}

axiom match_in_axiom{L} :
(\forall Circle[0] c;
   match c with
       Circle{ radius = r; } -> true;
     end)

/*
Local Variables: 
mode: java
compile-command: "make match_axiom"
End: 
*/why-2.34/bench/jc/good/loop_inv.jc0000644000175000017500000000116212311670312015363 0ustar  rtusers
/* code generated by Jessie plugin in Frama-C from loop_inv.c */

integer c = 0;

integer i = 0;

unit f()
  requires ((i >= 0) && (c > 0));
  behavior b_default:
    assumes true;
    ensures (i == 0);
{
  {
    {
      invariant (i >= 0);
      variant i;
      while (true)
      {
        {
          if i > 0 then () else goto while_0_break;
          
          if i >= c then i = (i - c)
           else i = (i - 1);
          
          
        }
      };
      (while_0_break:
      {
        ()
      })
      
    };return ();
    
  }
}

/*
Local Variables: 
mode: java
compile-command: "make loop_inv"
End: 
*/
why-2.34/bench/jc/good/new.jc0000644000175000017500000000157312311670312014335 0ustar  rtusers# InvariantPolicy = Ownership

type Point = {
    integer x;
    integer y;
}

type PointSet = {
    integer num;
    rep Point[..] set;
    invariant inv_num(p) =
      p.num > 0 && \offset_min(p.set) == 0 && \offset_max(p.set) == p.num-1;
}

PointSet[1] createPointSet(integer n) 
    requires n > 0;
    behavior normal:
      ensures \result.committed == false && \mutable(\result, PointSet);
{
    var Point[..] p = new Point[n];
    var PointSet[1] ps = new PointSet[1];
    ps.num = n;
    ps.set = p;
    pack(p);
    pack(ps);
    return ps;
}

unit deletePointSet(PointSet[1] ps) 
    requires ps.committed == false && \mutable(ps, PointSet);
    behavior normal:
	ensures \offset_max(ps) < \offset_min(ps);
{
    var integer i;
    //    unpack(ps);
    //    unpack(ps.set);
    free(ps.set);
    free(ps);
}

/*
Local Variables: 
mode: java
compile-command: "make new"
End: 
*/
why-2.34/bench/jc/good/max.jc0000644000175000017500000000062612311670312014327 0ustar  rtusers
/***********
 * Jessie sample file #1 
 ***********/

integer max(integer x, integer y) 
  behavior result_ge_x: 
    ensures \result >= x ;
  behavior result_ge_y: 
    ensures \result >= y; 
  behavior result_is_lub:
    ensures \forall integer z ; z >= x && z >= y ==> z >= \result;
{
  if x >= y then return x;
  return y;
} 


   
/*
Local Variables: 
mode: java
compile-command: "make max"
End: 
*/
why-2.34/bench/jc/good/discr_cast.jc0000644000175000017500000000207112311670312015654 0ustar  rtusers# InvariantPolicy = Arguments

/*

hand-made from C program:

struct header {
    int discr;
};
struct packet1 {
    int discr;
    int val1;
};
struct packet2 {
    struct header head;
    float val2;
};
void get(struct header *p, int *v1, float *v2) {
    switch (p->discr) {
        case 0: *v1 = ((struct packet1*) p)->val1; break;
        case 1: *v2 = ((struct packet2*) p)->val2; break;
    }
}

*/

type integerT = { integer i; }
type realT = { real r; }

type header = {
    integer discr;
    invariant discr0(this) = this.discr == 0 ==> this <: packet1;
    invariant discr1(this) = this.discr == 1 ==> this <: packet2;
}

tag packet1 = header with {
    integer val1;
}

tag packet2 = header with {
    real val2;
}

unit get(header[0] p, integerT[0] v1, realT[0] v2) 
    requires discr0(p) && discr1(p);
    behavior normal: ensures  discr0(p) && discr1(p);
{
    switch (p.discr) {
        case 0: v1.i = (p :> packet1).val1; break;
        case 1: v2.r = (p :> packet2).val2; break;
    }
}

/*
Local Variables: 
mode: C
compile-command: "make discr_cast"
End: 
*/
why-2.34/bench/jc/good/queue.jc0000644000175000017500000000276512311670312014674 0ustar  rtusers# InvariantPolicy = Arguments

type char = 0..127

type char_array = {
 char charM;
}


type queue = {
  rep char_array[0..] contents;
  integer length;
  integer first;	
  integer last;
  boolean empty;
  boolean full;
  invariant is_queue(q) = 
     \offset_min(q.contents) == 0 && /* redondant with type of q.contents */
     q.length == \offset_max(q.contents) + 1 &&
     0 <= q.first && q.first < q.length &&
     0 <= q.last && q.last < q.length &&
     (q.full <==> q.first == (q.last+1) % q.length) &&
     (q.empty <==> q.first == q.last) ;
}

unit push(queue[0] q, char c) 
  requires !q.full;
  behavior correct_push:
    assigns q.empty, q.full, q.last, (q.contents+q.last).charM;
ensures !q.empty && (q.contents+\old(q.last)).charM == c;
{
  (q.contents+q.last++).charM = c;
  if q.last == q.length then q.last = 0;
  q.empty = false;
  q.full = q.first == (q.last+1) % q.length;
}

char pop(queue[0] q) 
  requires !q.empty;
  behavior correct_pop:
    assigns q.empty, q.full, q.first;
    ensures !q.full && \result == (q.contents+\old(q.first)).charM;
{
  var char r = (q.contents+q.first++).charM;
  if q.first == q.length then q.first = 0;
  q.full = false;
  q.empty = q.first == q.last;
  return r;
}

boolean test(queue[0] q, queue[0] q1) 
  requires !q.empty;
  behavior q1_unchanged:
    assumes q != q1; // useless if separation analysis
    ensures \result == \old(q1.empty); 
{
  var char c = pop(q);
  return q1.empty;
}


/*
Local Variables: 
mode: java
compile-command: "make queue"
End: 
*/


why-2.34/bench/jc/good/power.jc0000644000175000017500000000200512311670312014667 0ustar  rtusersaxiomatic Power { 

  logic real lpower(real x, integer n)

  axiom lpower_square: \forall real t; \forall integer n;
    lpower(t*t, n) == lpower(t, 2*n)

  axiom lpower_mult: \forall real t; \forall integer n;
    t*lpower(t, n) == lpower(t, n+1)

  axiom lpower_zero: \forall real t;
    lpower(t, 0) == 1.0

}

lemma assoc_mult: \forall real x, y, z;
  x*(y*z) == (x*y)*z

lemma int_deux: \forall integer i;
  i % 2 != 1 ==> 2*(i/2) == i

lemma int_deux_impair: \forall integer i;
  i % 2 == 1 ==> 2*(i/2) == i-1

lemma real_unit_left: \forall real x; 1.0*x == x
lemma real_unit_right: \forall real x; x*1.0 == x

real power(real x, integer n)
  requires n >= 0;
  behavior result_is_power:
    ensures \result == lpower(x, n);
{
  var real r = 1.;
  var real t = x;
  var integer i = n;
    invariant r * lpower(t, i) == lpower(x, n) && i >= 0;
    variant i;
  while (i > 0)
  {
    if i % 2 == 1 then r = r * t;
    t = t * t;
    i = i / 2;
  };
  return r;
}


/*
Local Variables: 
compile-command: "make power"
End: 
*/why-2.34/bench/jc/good/div.jc0000644000175000017500000000034212311670312014317 0ustar  rtusers
integer main(integer x, integer y) {

 if x >= 10 then x = 10 else if x <= 0 then x = 0 else ();

 if x*x-10 > 0 then return 1/(x*x-8);

 return 0;
}

/* 
Local Variables:
mode: C
compile-command: "LC_ALL=C make div"
End:
*/
why-2.34/bench/jc/good/invariants.jc0000644000175000017500000000103512311670312015713 0ustar  rtusers# InvariantPolicy = Ownership

type A = {
  integer x;
  invariant pos(this) = this.x > 0;
}

integer f(A[0] a)
    requires \mutable(a, A);
  behavior ok:
    ensures true;
{
    assert a.x != 0;
    return 100/a.x;
}

unit g(A[0] a)
    requires \mutable(a, \typeof(a)) && a.committed == false;
  behavior ok:
    ensures \mutable(a, A) && a.committed == false;
{
    unpack(a);
    a.x -= 1;
    var integer r = f(a); // erreur
    a.x += 1;
    pack(a, A);
}

/*
Local Variables: 
mode: java
compile-command: "make invariants"
End: 
*/

why-2.34/bench/jc/good/asserts.jc0000644000175000017500000000036412311670312015225 0ustar  rtuserstype A = {
  integer i;
}

unit test(A[0] a)
  behavior default:
    assigns a.i;
    ensures true;
{
  a.i = 0;
  assert a.i == 0;
  a.i = a.i + 1;
  assert a.i != 0;
}

/*
Local Variables: 
mode: java
compile-command: "make asserts"
End: 
*/
why-2.34/bench/jc/good/gcd.jc0000644000175000017500000000345112311670312014276 0ustar  rtusers
predicate divides(integer x, integer y) = \exists integer q; y == q * x

predicate isGcd(integer a, integer b, integer d) =
 divides(d, a) && divides(d, b) &&
  \forall integer z;
    divides(z, a) && divides(z, b) ==> divides(z, d)

lemma gcd_zero: \forall integer a; isGcd(a, 0, a)

lemma distr_left_minus :
 \forall integer x,y,z;(x - y) * z == x * z - y * z

lemma mul_comm : \forall integer x, y; x * y == y * x

lemma gcd_property:
 \forall integer a, b, d;
   (\forall integer q; b > 0 && isGcd(b, a % b, d)) ==>
       isGcd(a, b, d)

lemma distr_left :
 \forall integer x,y,z; (x + y) * z == x * z + y * z

lemma distr_right :
 \forall integer x,y,z; x * (y + z) == x * y + x * z

lemma div_mod_property:
 \forall integer x,y; x >= 0 && y > 0 ==> x % y == x - y * (x / y)

lemma mul_assoc : \forall integer x,y,z; x * (y * z) == (x * y) * z

lemma mod_property :
(\forall integer x_6;
  (\forall integer y_6;
    (((x_6 >= 0) && (y_6 > 0)) ==>
      ((0 <= (x_6 % y_6)) && ((x_6 % y_6) < y_6)))))

integer gcd(integer x, integer y)
  requires x >= 0 && y >= 0;
behavior resultIsGcd:
  ensures isGcd(x, y, \result);
behavior bezoutProperty:
  ensures \exists integer a,b; a * x + b * y == \result;
{  
var integer a = 1;
var integer b = 0;
var integer c = 0;
var integer d = 1;
    
invariant x >= 0 && y >= 0;
invariant for resultIsGcd:
  \forall integer d; isGcd(x, y, d) ==> \at(isGcd(x, y, d),Pre);
invariant for bezoutProperty:
  a * \at(x,Pre) + b * \at(y,Pre) == x &&
  c * \at(x,Pre) + d * \at(y,Pre) == y;
variant y;
while (y > 0) {
  var integer r = x % y;
  var integer q = x / y;
  x = y;
  y = r;
  var integer ta = a;
  var integer tb = b;
  a = c;
  b = d;
  c = ta - c * q;
  d = tb - d * q;
};
return x;
}

/*
Local Variables:
mode: java
compile-command: "jessie gcd.jc && make -f gcd.makefile gui"
End:
*/
why-2.34/bench/jc/good/label.jc0000644000175000017500000000027612311670312014622 0ustar  rtusersinteger f() {
    var integer x = 0;
    (L:
     {
      x++;
      assert (\at(x, L) == 0)
     });
    return x;
}

/*
Local Variables: 
mode: java
compile-command: "make label"
End: 
*/
why-2.34/bench/jc/good/insert_sort.jc0000644000175000017500000000320012311670312016104 0ustar  rtusers


type realP = {
  real realM;
}

/* permut{Lab1,Lab2}(t1,t2,n) is true whenever t1[0..n-1] in state Lab1 
 * is a permutation of  t2[0..n-1] in state Lab2 
 */

predicate permut{Lab1,Lab2}(realP[..] t1,realP[..] t2,integer n)
    reads \at((t1+[..]).realM,Lab1), \at((t2+[..]).realM,Lab2) ;

axiom permut_refl{L} :
   \forall realP[..] t; \forall integer n; permut{L,L}(t,t,n)
 
axiom permut_sym{L1,L2} :
   \forall realP[..] t1, t2; \forall integer n; 
     permut{L1,L2}(t1,t2,n) ==> permut{L2,L1}(t2,t1,n) 
 
axiom permut_trans{L1,L2,L3} :
   \forall realP[..] t1, t2, t3; \forall integer n;
     permut{L1,L2}(t1,t2,n) && permut{L2,L3}(t2,t3,n) 
     ==> permut{L1,L3}(t1,t3,n) 

  
axiom permut_exchange{L1,L2} :
   \forall realP[..] t1, t2; \forall integer i, j, n;
       \at((t1+i).realM,L1) == \at((t2+j).realM,L2) &&
       \at((t1+j).realM,L1) == \at((t2+i).realM,L2) &&
       (\forall integer k; 0 <= k && k < n && k != i && k != j ==>
            \at((t1+k).realM,L1) == \at((t2+k).realM,L2)) 
       ==> permut{L1,L2}(t1,t2,n) 


unit swap(realP[0..] t, integer i, integer j) 
  requires 0 <= i && i <= \offset_max(t); 
  requires 0 <= j && j <= \offset_max(t);
  behavior default:
    ensures 
	permut{Old,Here}(t,t,\offset_max(t)+1);
{
    (L: {
     var real tmp = (t+i).realM;
     (t+i).realM = (t+j).realM;
     (t+j).realM = tmp;
     assert (t+i).realM == \at((t+j).realM,L) &&
	 (t+j).realM == \at((t+i).realM,L) &&
       \forall integer k; 
          0 <= k && k <= \offset_max(t) && k != i && k != j ==>
	      (t+k).realM == \at((t+k).realM,L)
     })
}



/*
Local Variables: 
mode: java
compile-command: "make insert_sort"
End: 
*/
why-2.34/bench/jc/good/simplenew.jc0000644000175000017500000000017512311670312015544 0ustar  rtusers


type T = { 
  integer i;
}


unit f() {
     var T[0] t1 = new T[1];
     var T[0] t2 = new T[1];
     assert t1 != t2;
}
why-2.34/bench/jc/good/logic_type.jc0000644000175000017500000000011412311670312015670 0ustar  rtuserstype Set = {
}

logic type myset

logic myset mycontents(Set[0] s) reads s;
why-2.34/bench/jc/good/isqrt.jc0000644000175000017500000000233712311670312014705 0ustar  rtusers

/***********
 * Jessie sample file: integer square root 
 ***********/

/* complements for non-linear integer arithmetic */

axiom distr_right: \forall integer x,y,z; x*(y+z) == (x*y)+(x*z)
axiom distr_left: \forall integer x,y,z; (x+y)*z == (x*z)+(y*z)


/* computes the square root of x, rounded to the floor */ 
integer isqrt(integer x) 
    requires x >= 0;
    behavior is_rounded_sqrt:	
      ensures 
	\result >=0 && \result * \result <= x && 
	x < (\result + 1) * (\result + 1);
{
    var integer count = 0;
    var integer sum = 1;
    invariant 
        count >= 0 && x >= count*count && sum == (count+1)*(count+1);
    variant x - sum;
    while (sum <= x) 
    { 
	count++;
	sum = sum + 2*count+1;
    };
    return count;
}   

/*

logic integer sqr(integer x) = x * x

integer isqrt2(integer x) 
    requires x >= 0
    behavior is_rounded_sqrt:
      ensures 
         \result >=0 && sqr(\result) <= x && x < sqr(\result + 1)
{
    integer count = 0;
    integer sum = 1;
    while (sum <= x) 
	invariant 
	   count >= 0 && x >= sqr(count) && sum == sqr(count+1)
	variant x - sum
    { 
	count++;
	sum = sum + 2*count+1;
    }
    return count;
}   

*/
  

/*
Local Variables: 
mode: java
compile-command: "make isqrt"
End: 
*/

why-2.34/bench/jc/good/name_conflict.jc0000644000175000017500000000030112311670312016331 0ustar  rtusers
/* Jessie -> OK ; Why -> KO */

// TODO

integer i;

unit f() { var integer i = 0; i++; }

unit g() { i = 1; }

/*
Local Variables: 
mode: java
compile-command: "make name_conflict"
End: 
*/

why-2.34/bench/jc/good/bsearch.jc0000644000175000017500000000175212311670312015152 0ustar  rtusers
lemma mean_1 : \forall integer x,y; x <= y ==> x <= (x+y)/2 && (x+y)/2 <= y 

type byte = -128..127

type short = -32768..32767

type shortT = { short shortM; }

byte binary_search(shortT[0..] t, byte n, short v) 
 requires 
   n >= 0 && \offset_max(t) >= n-1 &&
    (\forall byte k1, k2; 0 <= k1 && k1 <= k2 && k2 <= n-1 ==>
     (t+k1).shortM <= (t+k2).shortM);
 behavior search_ok:
    ensures
      (\result >= 0 && (t+\result).shortM == v) ||
      (\result == -1 && (\forall byte k; 0 <= k && k < n ==> (t+k).shortM != v));
{
  var byte l = 0;
  var byte u = n-1;
  invariant 
      0 <= l && u <= n-1 &&  
      \forall byte k; 0 <= k && k < n ==> 
			  (t+k).shortM == v ==> l <= k && k <= u;
  variant u-l; 
  while (l <= u ) 
  {
    var byte m = (l + u :> byte) / 2;
    // @ assert l <= m <= u
    if (t+m).shortM < v then l = m + 1
    else if (t+m).shortM > v then u = m - 1
    else return m
  };
  return -1
}


/*
Local Variables: 
mode: java
compile-command: "make bsearch"
End: 
*/
why-2.34/bench/jc/good/separation_plus.jc0000644000175000017500000000065612311670312016755 0ustar  rtusers
# SeparationPolicy = Regions

type intP = {
    integer intM;
}

integer f() {
    var intP[..] tab = new intP[10];
    return tab.intM;
}

intP[0] myalloc() {
    return new intP[1];
}

unit g() {
    var intP[0] p = myalloc();
    var intP[0] q = myalloc();
    p.intM = 0;
    q.intM = 1;
    assert(p.intM == 0 && q.intM == 1);
}

/*
Local Variables: 
mode: java
compile-command: "LC_ALL=C make -j separation_plus"
End: 
*/

why-2.34/bench/jc/good/order.jc0000644000175000017500000000074612311670312014660 0ustar  rtusers


integer f1(unit x) 
   behavior ok:
	ensures \result == 0;
{
  var integer x = 0;
  x += x++;
  return x;
}

integer f2(unit x) 
   behavior ok:
	ensures \result == 1;
{
  var integer x = 0;
  x += ++x;
  return x;
}


type T = {
    integer i;
}


unit f3(T[0..1] p) 
   behavior ok:
	ensures p.i == \old(p.i) && (p+1).i == \old((p+1).i)+1;
{
    var T[..] q = p;
    (q = q+1).i += 1;
    assert q == p+1;
}


/*
Local Variables: 
mode: java
compile-command: "make order"
End: 
*/
why-2.34/bench/jc/good/array_store_error.jc0000644000175000017500000000034212311670312017300 0ustar  rtusers

type T = {
     integer f;
}

tag U = T with {
     real g;
}


type Tarray = {
     T[..] Tmemory;
}

type Uarray = {
     U[..] Umemory;
}

unit f() {
 var Uarray[0..9] Up = new Uarray[10];
 var Tarray[0..9] Tp = Up;
}



why-2.34/bench/jc/good/fibonacci.jc0000644000175000017500000000141312311670312015452 0ustar  rtusers
inductive isfib(integer x, integer r) {
case isfib0 : isfib(0, 0) ;
case isfib1 : isfib(1, 1) ;
case isfibn : 
    \forall integer n,r,p; 
    n >= 0 && isfib(n,r) && isfib(n+1,p) ==> isfib(n+2,p+r) ;
}

lemma fib2: isfib(2,1)
lemma fib6: isfib(6,8)
lemma neg_fib2: ! isfib(2,2)
lemma neg_fib5: ! isfib(5,6)

integer Fib(integer n)
    requires n >= 0;
    behavior default:
      ensures isfib(n,\result);
{  
    var integer y = 0;
    var integer x = 1;
    var integer tmp;
    var integer i = 0;
    invariant 0<=i && i<=n && isfib(i+1, x) && isfib(i, y);
    while (i < n)
	{  
	    tmp = y;
	    y = x;
	    x = x + tmp;
	    i = i + 1;
	};
    return y;
}


/*
Local Variables:
mode: java
compile-command: "jessie fibonacci.jc && make -f fibonacci.makefile gui"
End:
*/
why-2.34/bench/jc/good/queue2.jc0000644000175000017500000000305012311670312014742 0ustar  rtusers# InvariantPolicy = Arguments

type char = {
  integer char_val;
  invariant is_char(c) = 0 <= c.char_val && c.char_val <= 255;
}

type char_pointer = {
 char[..] charM;
}


type queue = {
  rep char_pointer[0..] contents;
  integer length;
  integer first;	
  integer last;
  boolean empty;
  boolean full;
  invariant is_queue(q) = 
     \offset_min(q.contents) == 0 && /* redondant with type of q.contents */
     q.length == \offset_max(q.contents) + 1 &&
     0 <= q.first && q.first < q.length &&
     0 <= q.last && q.last < q.length &&
     (q.full <==> q.last == (q.first-1) % q.length) &&
     (q.empty <==> q.last == q.first) ;
}

unit push(queue[0] q, char[0] c) 
  requires !q.full;
  behavior correct_push:
    assigns q.empty, q.full, q.last, (q.contents+q.last).charM;
    ensures !q.empty && (q.contents+\old(q.last)).charM == c;
{
  (q.contents+q.last++).charM = c;
  if q.last == q.length then q.last = 0;
  q.empty = false;
  q.full = q.first == q.last;
}

char[0] pop(queue[0] q) 
  requires !q.empty;
  behavior correct_pop:
    assigns q.empty, q.full, q.first;
    ensures !q.full && \result == (q.contents+\old(q.first)).charM;
{
  var char[0] r = (q.contents+q.first++).charM;
  if q.first == q.length then q.first = 0;
  q.full = false;
  q.empty = q.last == (q.first + 1) % q.length;
  return r;
}

boolean test(queue[0] q, queue[0] q1) 
  requires !q.empty;
  behavior q1_unchanged:
   ensures \result == \old(q1.empty); 
{
  var char[0] c = pop(q);
  return q1.empty;
}


/*
Local Variables: 
mode: java
compile-command: "make queue2"
End: 
*/


why-2.34/bench/jc/good/union.jc0000644000175000017500000000160312311670312014666 0ustar  rtusers# InvariantPolicy = Arguments

/*

hand-made translation from C program

union U { int x; float y; }
struct T { 
  int my_tag ; 
  U v ;
  //@ invariant my_tag_0_is_int(t) = t.my_tag==0 => t.v <: x ;  
  //@ invariant my_tag_1_is_float(t) = t.my_tag==1 => t.v <: y ;
}

*/

/*type U = [ U_x | U_y ] */
type U = {}
tag U_x = U with { integer x; }
tag U_y = U with { real y; }


type T = { 	
    integer my_tag ; 
    rep U[0] v ;
    invariant my_tag_0_is_int(t) = t.my_tag==0 ==> t.v <: U_x ; 
    invariant my_tag_1_is_float(t) = t.my_tag==1 ==> t.v <: U_y ;
}


unit add(T[0] res, T[0] n1, T[0] n2) 
{
    if n1.my_tag == 0 && n2.my_tag == 0 then {
	res.my_tag = 0;
	(res.v :> U_x).x = (n1.v :> U_x).x + (n2.v :> U_x).x;
    }
    else {
	res.my_tag = 1;
	(res.v :> U_y).y = (n1.v :> U_y).y + (n2.v :> U_y).y;
    }
}
    


/*
Local Variables: 
mode: java
compile-command: "make union"
End: 
*/

why-2.34/bench/jc/good/flag_struct.jc0000644000175000017500000000325412311670312016057 0ustar  rtusers# InvariantPolicy = Arguments

/* Dijkstra's dutch flag */


type color = 1..3
   
logic color BLUE = (1 :> color)
logic color WHITE = (2 :> color)
logic color RED = (3 :> color) 

type colorT = {
    integer colorT_length;
    color colorM;
}

logic isMonochrome{L}(colorT[..] t, integer i, integer j, color c) =
    //    \offset_min(t) <= i && i <= j && j <= \offset_max(t) &&
  \forall integer k; i <= k && k <= j ==> (t+k).colorM == c



unit swap(colorT[..] t, integer i, integer j) 
  requires
    \offset_min(t) <= i && i <= \offset_max(t) &&
    \offset_min(t) <= j && j <= \offset_max(t) ;    
  behavior swaps_i_and_j:
    assigns (t+i).colorM,(t+j).colorM;
    ensures (t+i).colorM == \old((t+j).colorM) && 
	(t+j).colorM == \old((t+i).colorM);
{
    var color z = (t+i).colorM;
    (t+i).colorM = (t+j).colorM;
    (t+j).colorM = z;
}

unit flag(colorT[0..] t, integer length) 
    requires \offset_min(t) == 0; // Bug: should be implicit
    requires 0 <= length && length <= \offset_max(t)+1;
    behavior sorts_t:
      ensures 
        \exists integer b,r; 
           isMonochrome(t,0,b-1,BLUE) &&
	   isMonochrome(t,b,r-1,WHITE) &&
	   isMonochrome(t,r,length-1,RED);
{
    var integer b = 0;
    var integer i = 0;
    var integer r = length;
    invariant
	0 <= b && b <= i && i <= r && r <= length &&
	isMonochrome(t,0,b-1,BLUE) &&
	isMonochrome(t,b,i-1,WHITE) &&
	isMonochrome(t,r,length-1,RED);
    variant r - i; 
    while (i < r) 
	{
	    switch ((t+i).colorM) {
	    case BLUE:  
		swap(t, b++, i++);
		break;	    
	    case WHITE: 
		i++; 
		break;
	    case RED: 
		swap(t, --r, i);
		break;
	    }
	}
}



/*
Local Variables: 
mode: java
compile-command: "make flag"
End: 
*/

why-2.34/bench/jc/good/trace.jc0000644000175000017500000000402312311670312014633 0ustar  rtusers
/* Example 0
 * Explanation expected: "validity of lemma"
 * localized on "l1"
 */
// lemma l1: \forall integer x; x+1 == x+2

/* Example 1 
 * We want the message: 
 *  "assertion `x < 9' cannot be established"
 * localized on `x < 9' 
 */

integer f1(integer x)
  requires x > 0;
{
  assert x >= 0 && x < 9; 
  return x+1;
}

/* Example 2 
 * We want the message: 
 *  "post-condition `\result > 10' of function f2 cannot be established"
 * localized on `return x+1'
 * Bonus: all lines involved in the execution path should be ~underlined 
 */
integer f2 (integer x) 
  requires x > 0 && x < 100;
  behavior default:
    ensures \result != 0 && \result > 10;  
{
  var integer y;
  if x<50 then
     return x+1
  else 
     y = x-1;
  return y;
}


/* Example 3 
 * We want the message: 
 *  "pre-condition `x > 0' for call to function f2 cannot be established"
 * localized on `(f2 x)' 
 */
integer f3 (integer x)  
  requires x >= 0 && x < 50;
{
    return f2(x);
}


/* Example 4 
 * Explanation expected: 
 *   "validity of loop invariant `0 <= y' at loop entrance"
 * localized on `while ...' 
 */

unit f4 (integer x) 
{ 
 var integer y = x;
 invariant 0 <= y && y <= x;
 variant y;
 while (y > 0)
 {
     y = y - 1;
 }
}


/* Example 5 
 * Explanation expected:
 *   "preservation of loop invariant `y = x'"
 * localized on the '}' closing the loop body 
 */

unit f5 (integer x)  
{
 var integer y = x;
 invariant y == x;
 while (y > 0)
 {
 y = y - 1;
 }
}

/* Example 6
 * Explanation expected:
 *   "arithmetic overflow"
 * localized on "y", "x+y :> byte" and on "y+z"
 */
type byte = 0..255
byte f6(byte x)
{
    var byte y = x+1;
    var byte z = (x+y) :> byte; 
    return y+z;
}

/* Example 7
 * Explanation expected:
 *   "pointer dereferencing"
 * localized on "p.f"
 */
type S = { integer f; }
integer f7(S[..] p)
{
    return p.f;
}


/* Example 8
 *  assigns clause
 */

unit f8(S[0] p) 
  behavior default:
    assigns p.f;
    ensures p.f == 0;
{
    p.f = 0;
}



/*
Local Variables: 
mode: java
compile-command: "make trace.goals"
End: 
*/
why-2.34/bench/jc/good/flag.jc0000644000175000017500000000315612311670312014454 0ustar  rtusers
/* Dijkstra's dutch flag */


type color = 1..3
   
logic color BLUE = (1 :> color)
logic color WHITE = (2 :> color)
logic color RED = (3 :> color) 

type colorT = {
    color colorM;
}

    logic isMonochrome{L}(colorT[..] t, integer i, integer j, color c) =
    //    \offset_min(t) <= i && i <= j && j <= \offset_max(t) &&
    \forall integer k; i <= k && k <= j ==> (t+k).colorM == c



unit swap(colorT[..] t, integer i, integer j) 
  requires
    \offset_min(t) <= i && i <= \offset_max(t) &&
    \offset_min(t) <= j && j <= \offset_max(t)  ;
  behavior swaps_i_and_j:
    assigns (t+i).colorM,(t+j).colorM;
    ensures (t+i).colorM == \old((t+j).colorM) && 
	(t+j).colorM == \old((t+i).colorM);
{
    var color z = (t+i).colorM;
    (t+i).colorM = (t+j).colorM;
    (t+j).colorM = z;
}

unit flag(colorT[0..] t, integer length) 
    requires \offset_min(t) == 0 && // devrait etre inutile
      0 <= length && length <= \offset_max(t)+1;
    behavior sorts_t:
      ensures 
        \exists integer b,r; 
           isMonochrome(t,0,b-1,BLUE) &&
	   isMonochrome(t,b,r-1,WHITE) &&
	   isMonochrome(t,r,length-1,RED);
{
    var integer b = 0;
    var integer i = 0;
    var integer r = length;
    invariant
	0 <= b && b <= i && i <= r && r <= length &&
	isMonochrome(t,0,b-1,BLUE) &&
	isMonochrome(t,b,i-1,WHITE) &&
	isMonochrome(t,r,length-1,RED);
    variant r - i; 
    while (i < r) 
	{
	    switch ((t+i).colorM) {
	    case BLUE:  
		swap(t, b++, i++);
		break;	    
	    case WHITE: 
		i++; 
		break;
	    case RED: 
		swap(t, --r, i);
		break;
	    }
	}
}



/*
Local Variables: 
mode: java
compile-command: "make flag"
End: 
*/

why-2.34/bench/jc/good/typeof.jc0000644000175000017500000000065712311670312015054 0ustar  rtusers# InvariantPolicy = Arguments


type A = {
    integer i;
    boolean is_b;
    invariant is_b_inv(this) = this.is_b ==> this <: B;
}

tag B = A with {
    integer j;
}

boolean equal(A[0] a, A[0] b)
    requires \typeeq(\typeof(a), \typeof(b));
{
    if a.is_b then {
	return a.i == b.i && (a :> B).j == (b :> B).j;
    } else {
	return a.i == b.i;
    }
}

/*
Local Variables: 
mode: java
compile-command: "make typeof"
End: 
*/
why-2.34/bench/jc/bench0000644000175000017500000000075112311670312013275 0ustar  rtusers#!/bin/sh

JCKLOG=$1-jessica.log
JCLOG=$1-jessie.log
WHYLOG=$1-why.log

if WHYLIB=../../../lib ../../../bin/jessie.opt $1.jc 2>> $JCLOG >> $JCLOG
then
    cat jessie.log >> $JCLOG
    if WHYLIB=../../../lib WHYEXEC=../../../bin/why.opt make -f $1.makefile goals 2>> $WHYLOG >> $WHYLOG
    then
	echo "$1.jc: OK"
	mv $1.jc $1.jc.bak
    else
	echo "$1.jc: Why FAILED:"
	cat $WHYLOG
	#exit 1
    fi
else
    cat jessie.log >> $JCLOG
    echo "$1.jc: Jessie FAILED, see $JCLOG for details"
fiwhy-2.34/bench/bench.in0000755000175000017500000000434612311670312013315 0ustar  rtusers#!/bin/sh

# auto bench for why

export WHYLIB=../lib

pgm=$1
option=$2
coqc="@COQC@ -R ../lib/coq Why"

pvstc () {
    context=`dirname $1`
    theory=`basename $1`
    cd $context
    echo "(typecheck "'"'$theory'"'")" > pvstc.el
    pvs -q -batch -l pvstc.el
    cd ..
}

provers () {
    file=$1
    base=$2
    dir=`dirname $1`
    # running Coq
    if ! $coqc "$base"_why.v > /dev/null 2>&1; then
	echo "coq FAILED"
	$coqc "$base"_why.v
	exit 1
    fi
#      if ! $coqc -I $dir "$base"_valid.v > /dev/null 2>&1; then
#  	echo "coq validation FAILED"
#  	$coqc -I $dir "$base"_valid.v
#  	exit 1
#      fi
    echo -n "coq ok... "
    # running PVS
    if ! $pgm --pvs $f > /dev/null 2>&1; then
	echo "pvs generation FAILED"
	$pgm --pvs $f
	exit 1
    fi
    if test "$option" = "pvs"; then 
    if ! pvstc "$base"_why > /dev/null 2>&1; then
	echo "pvs typecheck FAILED"
	pvs -q -v 3 -batch -l pvstc.el
	exit 1
    fi
    echo "pvs ok"
    else
    echo
    fi
}

good_tc () {
    for f in $1/*.mlw; do
	echo -n "  "$f"... "
	base=$1/`basename $f .mlw`
	# running Why
	if ! $pgm --type-only $f > /dev/null 2>&1; then
	    echo "why FAILED"
	    $pgm --type-only $f
	    exit 1
	fi
	echo "why ok... "
    done
}

good_ml () {
    for f in $1/*.mlw; do
	echo -n "  "$f"... "
	base=$1/`basename $f .mlw`
	# running Why
	if ! $pgm --coq-@COQVER@ $f > /dev/null 2>&1; then
	    echo "why FAILED"
	    $pgm --coq-@COQVER@ $f
	    exit 1
	fi
	echo -n "why ok... "
	provers $f $base
#  		echo -n "coq ok..."
#  		$pgm --ocaml --ocaml-ext $f > $base.ml 2>/dev/null
#  		if ocamlc -c $base.ml > /dev/null 2>&1; then
#  		    echo "ocaml ok"
#  		else
#  		    echo "ocaml FAILED"
#  		fi
    done
}

bads () {
    for f in $1/*.mlw; do
	echo -n "  "$f"... "
	if $pgm $2 $f > /dev/null 2>&1; then 
	    echo "$pgm $2 $f"
	    echo "FAILED!"
	    exit 1 
        else 
	    echo "ok"
	fi
    done
}

# 1. Syntax
echo "=== Checking parsing errors ==="
bads bad/syntax --parse-only
echo ""

# 2. Typing
echo "=== Checking typing errors ==="
bads bad/typing --type-only
echo ""

# 2. Other
echo "=== Checking other errors ==="
bads bad/other
echo ""

# 3. benchmark
echo "=== Type-checking good files ==="
good_tc provers
echo ""

echo "=== Checking good files ==="
good_ml good
echo ""

why-2.34/doc/0000755000175000017500000000000012311670312011362 5ustar  rtuserswhy-2.34/doc/Makefile0000644000175000017500000000760212311670312013027 0ustar  rtusersHEVEA=hevea -noiso -entities -exec xxdate.exe -fix

all: main.pdf manual.ps $(KFILES) krakatoa.pdf \
	sourcepp jessie.pdf krakatoa.html jessie.html \
	index.html

install: all
	cp krakatoa.pdf jessie.pdf krakatoa.html jessie.html \
		why_frama_c2-mps.png why_frama_c2.mps *.png \
		/users/www-perso/projets/krakatoa
	mkdir -p /users/www-perso/projets/krakatoa/jessie
	cp jessie/*.png /users/www-perso/projets/krakatoa/jessie
	cp index.html /users/www-perso/projets/krakatoa/index.html

index.html:: why_frama_c2-mps.png

%.html: %.prehtml
	yamlpp  $< -o $@

doc.dvi: doc.tex rules.tex macros.tex code.tex dep.ps

SRCFILES=../src/loc.mli ../src/logic.mli ../src/types.mli \
	 ../src/ptree.mli ../src/ltyping.mli ../src/ast.mli ../src/env.mli \
         ../src/typing.mli ../src/typing.ml ../src/wp.mli ../src/wp.ml \
	 ../src/monad.mli ../src/monad.ml ../src/mlize.mli ../src/mlize.ml

KFILES=Lesson1_max.pp \
	Lesson1_sqrt.pp Lesson1_sqrtbody.pp Lesson1_sqrtloopinv.pp \
	Lesson1_lemmas.pp Lesson1_pragma.pp Lesson1_sqrtdecr.pp \
	Arrays_findMax.pp Arrays_findMaxbody.pp \
	Arrays_findMax2.pp Arrays_shift.pp \
	Purse.pp Purse0.pp Purse_test1.pp Purse_test2.pp Purse2.pp \
	Purse_withdraw2.pp \
	Flag.pp Flag1.pp Flag_inv.pp Flag_isMonochrome.pp Flag_flag.pp \
	Flag_swap.pp Flag_body.pp \
	contracts.bnf lexpr.bnf \
	Gcd-nospec.pp Gcd-spec.pp Gcd.pp Gcd-lemmas.pp

# for jessie
SNIPPET=$(wildcard codes/*.c)
SNIPPETPP:=$(patsubst codes/%.c, texpp/%.cpp, $(SNIPPET))

sourcepp: $(SNIPPETPP) $(EXAMPLESPP)

why_frama_c1.mps: why_frama_c.ml
	mlpost -pdf -latex jessie.tex why_frama_c.ml

why_frama_c1-mps.pdf: why_frama_c1.mps
	mptopdf why_frama_c1.mps 

why_frama_c2.mps: why_frama_c.ml
	mlpost -pdf -latex jessie.tex why_frama_c.ml

why_frama_c2-mps.pdf: why_frama_c2.mps
	mptopdf why_frama_c2.mps 

why_frama_c2-mps.png: why_frama_c2-mps.pdf
	pdftoppm -r 150 why_frama_c2-mps.pdf | pnmtopng -transparent white > why_frama_c2-mps.png

dep.ps:
	(cd ../src; ocamldep *.ml* | ocamldot | dot -Tps) > dep.ps

code.tex: $(SRCFILES)
	ocamlweb --no-preamble -o $@ $(SRCFILES)

logo-why.pdf: logos.tex
	pdflatex logos.tex

logo-why.png: logo-why.pdf
	pdftoppm logos.pdf | pnmcrop | pnmtopng > logowhy.png

logo-why-small.png:

manual.ps: manual.tex version.tex
	latex manual
	latex manual
	makeindex manual
	latex manual
	dvips manual.dvi -o manual.ps

manual.html: manual.tex version.tex
	rm -f manual.aux
	$(HEVEA) manual.tex

caduceus.ps: caduceus.tex version.tex
	latex caduceus
	bibtex caduceus
	makeindex caduceus
	latex caduceus
	latex caduceus
	dvips caduceus.dvi -o caduceus.ps

caduceus.html: caduceus.tex version.tex
	rm -f caduceus.aux
	$(HEVEA) caduceus.tex

krakatoa.pdf: $(KFILES) krakatoa.tex version.tex
	pdflatex krakatoa.tex
	bibtex krakatoa
	makeindex krakatoa
	pdflatex krakatoa.tex
	pdflatex krakatoa.tex

jessie.pdf: sourcepp jessie.tex version.tex
	pdflatex jessie.tex
	bibtex jessie
	makeindex jessie
	pdflatex jessie.tex
	pdflatex jessie.tex

february2008.pdf: $(KFILES) version.tex
	pdflatex february2008.tex

krakatoa.html: krakatoa.tex version.tex
	rm -f krakatoa.aux
	$(HEVEA) krakatoa.tex

jessie.html: jessie.tex version.tex
	rm -f jessie.aux
	$(HEVEA) jessie.tex

main.html: main.tex version.tex
	rm -f main.aux
	$(HEVEA) main.tex


main.pdf: main.tex version.tex
	pdflatex main.tex


%.pp: %.tex pp
	./pp $< > $@

%.pp: %.c pp
	./pp -c $< > $@

%.pp: %.java pp
	./pp -java $< > $@

texpp/%.cpp: codes/%.c pp  Makefile
	mkdir -p texpp
	./pp -c $< > $@

%.dvi: %.tex
	latex $< && latex $<

%.ps: %.dvi
	dvips -o $@ $<

%.eps: %.dia
	dia --filter=eps-builtin $^

%.pdf: %.eps
	epstopdf $^

%.tex: %.dia
	dia --filter=tex $^

%.png: %.dia
	dia --filter=png --size=2048,1536 $^

%.bnf: %.tex tex2bnf
	./tex2bnf < $< > $@

tex2bnf: tex2bnf.ml
	ocamlopt.opt -o $@ $^

pp: pp.ml
	ocamlopt.opt -o $@ $^

%.ml: %.mll
	ocamllex.opt $<

clean::
	rm -f *~ *.dvi *.log *.aux *.toc \
		dep.ps doc.ps manual.ps caduceus.ps krakatoa.pdf main.pdf 
	rm -f *.cm*


why-2.34/doc/why.10000644000175000017500000000110312311670312012246 0ustar  rtusers.TH why 1 "March, 2002"

.SH NAME
why \- A multi-language multi-prover verification tool


.SH SYNOPSIS
.B why
[
.B options
]
.B files


.SH DESCRIPTION

.B why
is a verification tool. 
It takes annotated programs as input (in ML or C syntax)
and outputs verification conditions for several proof assistants (Coq,
PVS, HOL Light, Mizar) and decision procedures (haRVey, Simplify).

.SH OPTIONS

.TP
.B \-h
Help. Will give you the full list of command line options.


.SH AUTHORS
.I Jean-Christophe Filliatre 


.SH SEE ALSO

.I
Why web site: http://why.lri.fr/

why-2.34/bin/0000755000175000017500000000000012311670312011365 5ustar  rtuserswhy-2.34/bin/gwhy.sh0000755000175000017500000000111712311670312012702 0ustar  rtusers#!/bin/sh

case $1 in
  *.java)
	b=`basename $1 .java`
	krakatoa -gen-only $1 || exit 1
	echo "krakatoa on $b.java done"
        d=`dirname $1`
        echo "cd $d"
        cd $d
	jessie -locs $b.jloc -why-opt -split-user-conj $b.jc || exit 2
	echo "jessie done"
	make -f $b.makefile gui
	;;
  *.c)
	frama-c -jessie -jessie-atp=gui -jessie-why-opt="-split-user-conj" $1 || exit 1
	;;
  *.jc)
	b=`basename $1 .jc`
	jessie -why-opt -split-user-conj $b.jc || exit 1
	make -f $b.makefile gui
	;;
  *.mlw|*.why)
	gwhy-bin -split-user-conj $1
	;;
  *)
	echo "don't know what to do with $1"
esac


why-2.34/configure0000755000175000017500000037224012311670312012534 0ustar  rtusers#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
#
#
# This configure script is free software; the Free Software Foundation
# gives unlimited permission to copy, distribute and modify it.
## -------------------- ##
## M4sh Initialization. ##
## -------------------- ##

# Be more Bourne compatible
DUALCASE=1; export DUALCASE # for MKS sh
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
  emulate sh
  NULLCMD=:
  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
  # is contrary to our usage.  Disable this feature.
  alias -g '${1+"$@"}'='"$@"'
  setopt NO_GLOB_SUBST
else
  case `(set -o) 2>/dev/null` in #(
  *posix*) :
    set -o posix ;; #(
  *) :
     ;;
esac
fi


as_nl='
'
export as_nl
# Printing a long string crashes Solaris 7 /usr/bin/printf.
as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
# Prefer a ksh shell builtin over an external printf program on Solaris,
# but without wasting forks for bash or zsh.
if test -z "$BASH_VERSION$ZSH_VERSION" \
    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
  as_echo='print -r --'
  as_echo_n='print -rn --'
elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
  as_echo='printf %s\n'
  as_echo_n='printf %s'
else
  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
    as_echo_n='/usr/ucb/echo -n'
  else
    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
    as_echo_n_body='eval
      arg=$1;
      case $arg in #(
      *"$as_nl"*)
	expr "X$arg" : "X\\(.*\\)$as_nl";
	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
      esac;
      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
    '
    export as_echo_n_body
    as_echo_n='sh -c $as_echo_n_body as_echo'
  fi
  export as_echo_body
  as_echo='sh -c $as_echo_body as_echo'
fi

# The user is always right.
if test "${PATH_SEPARATOR+set}" != set; then
  PATH_SEPARATOR=:
  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
      PATH_SEPARATOR=';'
  }
fi


# IFS
# We need space, tab and new line, in precisely that order.  Quoting is
# there to prevent editors from complaining about space-tab.
# (If _AS_PATH_WALK were called with IFS unset, it would disable word
# splitting by setting IFS to empty value.)
IFS=" ""	$as_nl"

# Find who we are.  Look in the path if we contain no directory separator.
as_myself=
case $0 in #((
  *[\\/]* ) as_myself=$0 ;;
  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
  done
IFS=$as_save_IFS

     ;;
esac
# We did not find ourselves, most probably we were run as `sh COMMAND'
# in which case we are not to be found in the path.
if test "x$as_myself" = x; then
  as_myself=$0
fi
if test ! -f "$as_myself"; then
  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
  exit 1
fi

# Unset variables that we do not need and which cause bugs (e.g. in
# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
# suppresses any "Segmentation fault" message there.  '((' could
# trigger a bug in pdksh 5.2.14.
for as_var in BASH_ENV ENV MAIL MAILPATH
do eval test x\${$as_var+set} = xset \
  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
done
PS1='$ '
PS2='> '
PS4='+ '

# NLS nuisances.
LC_ALL=C
export LC_ALL
LANGUAGE=C
export LANGUAGE

# CDPATH.
(unset CDPATH) >/dev/null 2>&1 && unset CDPATH

# Use a proper internal environment variable to ensure we don't fall
  # into an infinite loop, continuously re-executing ourselves.
  if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
    _as_can_reexec=no; export _as_can_reexec;
    # We cannot yet assume a decent shell, so we have to provide a
# neutralization value for shells without unset; and this also
# works around shells that cannot unset nonexistent variables.
# Preserve -v and -x to the replacement shell.
BASH_ENV=/dev/null
ENV=/dev/null
(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
case $- in # ((((
  *v*x* | *x*v* ) as_opts=-vx ;;
  *v* ) as_opts=-v ;;
  *x* ) as_opts=-x ;;
  * ) as_opts= ;;
esac
exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
# Admittedly, this is quite paranoid, since all the known shells bail
# out after a failed `exec'.
$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
as_fn_exit 255
  fi
  # We don't want this to propagate to other subprocesses.
          { _as_can_reexec=; unset _as_can_reexec;}
if test "x$CONFIG_SHELL" = x; then
  as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
  emulate sh
  NULLCMD=:
  # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
  # is contrary to our usage.  Disable this feature.
  alias -g '\${1+\"\$@\"}'='\"\$@\"'
  setopt NO_GLOB_SUBST
else
  case \`(set -o) 2>/dev/null\` in #(
  *posix*) :
    set -o posix ;; #(
  *) :
     ;;
esac
fi
"
  as_required="as_fn_return () { (exit \$1); }
as_fn_success () { as_fn_return 0; }
as_fn_failure () { as_fn_return 1; }
as_fn_ret_success () { return 0; }
as_fn_ret_failure () { return 1; }

exitcode=0
as_fn_success || { exitcode=1; echo as_fn_success failed.; }
as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :

else
  exitcode=1; echo positional parameters were not saved.
fi
test x\$exitcode = x0 || exit 1
test -x / || exit 1"
  as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
  as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
  eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
  test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1"
  if (eval "$as_required") 2>/dev/null; then :
  as_have_required=yes
else
  as_have_required=no
fi
  if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :

else
  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
as_found=false
for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
  as_found=:
  case $as_dir in #(
	 /*)
	   for as_base in sh bash ksh sh5; do
	     # Try only shells that exist, to save several forks.
	     as_shell=$as_dir/$as_base
	     if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
		    { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
  CONFIG_SHELL=$as_shell as_have_required=yes
		   if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
  break 2
fi
fi
	   done;;
       esac
  as_found=false
done
$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
	      { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
  CONFIG_SHELL=$SHELL as_have_required=yes
fi; }
IFS=$as_save_IFS


      if test "x$CONFIG_SHELL" != x; then :
  export CONFIG_SHELL
             # We cannot yet assume a decent shell, so we have to provide a
# neutralization value for shells without unset; and this also
# works around shells that cannot unset nonexistent variables.
# Preserve -v and -x to the replacement shell.
BASH_ENV=/dev/null
ENV=/dev/null
(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
case $- in # ((((
  *v*x* | *x*v* ) as_opts=-vx ;;
  *v* ) as_opts=-v ;;
  *x* ) as_opts=-x ;;
  * ) as_opts= ;;
esac
exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
# Admittedly, this is quite paranoid, since all the known shells bail
# out after a failed `exec'.
$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
exit 255
fi

    if test x$as_have_required = xno; then :
  $as_echo "$0: This script requires a shell more modern than all"
  $as_echo "$0: the shells that I found on your system."
  if test x${ZSH_VERSION+set} = xset ; then
    $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
    $as_echo "$0: be upgraded to zsh 4.3.4 or later."
  else
    $as_echo "$0: Please tell bug-autoconf@gnu.org about your system,
$0: including any error possibly output before this
$0: message. Then install a modern shell, or manually run
$0: the script under such a shell if you do have one."
  fi
  exit 1
fi
fi
fi
SHELL=${CONFIG_SHELL-/bin/sh}
export SHELL
# Unset more variables known to interfere with behavior of common tools.
CLICOLOR_FORCE= GREP_OPTIONS=
unset CLICOLOR_FORCE GREP_OPTIONS

## --------------------- ##
## M4sh Shell Functions. ##
## --------------------- ##
# as_fn_unset VAR
# ---------------
# Portably unset VAR.
as_fn_unset ()
{
  { eval $1=; unset $1;}
}
as_unset=as_fn_unset

# as_fn_set_status STATUS
# -----------------------
# Set $? to STATUS, without forking.
as_fn_set_status ()
{
  return $1
} # as_fn_set_status

# as_fn_exit STATUS
# -----------------
# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
as_fn_exit ()
{
  set +e
  as_fn_set_status $1
  exit $1
} # as_fn_exit

# as_fn_mkdir_p
# -------------
# Create "$as_dir" as a directory, including parents if necessary.
as_fn_mkdir_p ()
{

  case $as_dir in #(
  -*) as_dir=./$as_dir;;
  esac
  test -d "$as_dir" || eval $as_mkdir_p || {
    as_dirs=
    while :; do
      case $as_dir in #(
      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
      *) as_qdir=$as_dir;;
      esac
      as_dirs="'$as_qdir' $as_dirs"
      as_dir=`$as_dirname -- "$as_dir" ||
$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
	 X"$as_dir" : 'X\(//\)[^/]' \| \
	 X"$as_dir" : 'X\(//\)$' \| \
	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X"$as_dir" |
    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)[^/].*/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`
      test -d "$as_dir" && break
    done
    test -z "$as_dirs" || eval "mkdir $as_dirs"
  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"


} # as_fn_mkdir_p

# as_fn_executable_p FILE
# -----------------------
# Test if FILE is an executable regular file.
as_fn_executable_p ()
{
  test -f "$1" && test -x "$1"
} # as_fn_executable_p
# as_fn_append VAR VALUE
# ----------------------
# Append the text in VALUE to the end of the definition contained in VAR. Take
# advantage of any shell optimizations that allow amortized linear growth over
# repeated appends, instead of the typical quadratic growth present in naive
# implementations.
if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
  eval 'as_fn_append ()
  {
    eval $1+=\$2
  }'
else
  as_fn_append ()
  {
    eval $1=\$$1\$2
  }
fi # as_fn_append

# as_fn_arith ARG...
# ------------------
# Perform arithmetic evaluation on the ARGs, and store the result in the
# global $as_val. Take advantage of shells that can avoid forks. The arguments
# must be portable across $(()) and expr.
if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
  eval 'as_fn_arith ()
  {
    as_val=$(( $* ))
  }'
else
  as_fn_arith ()
  {
    as_val=`expr "$@" || test $? -eq 1`
  }
fi # as_fn_arith


# as_fn_error STATUS ERROR [LINENO LOG_FD]
# ----------------------------------------
# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
# script with STATUS, using 1 if that was 0.
as_fn_error ()
{
  as_status=$1; test $as_status -eq 0 && as_status=1
  if test "$4"; then
    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
  fi
  $as_echo "$as_me: error: $2" >&2
  as_fn_exit $as_status
} # as_fn_error

if expr a : '\(a\)' >/dev/null 2>&1 &&
   test "X`expr 00001 : '.*\(...\)'`" = X001; then
  as_expr=expr
else
  as_expr=false
fi

if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
  as_basename=basename
else
  as_basename=false
fi

if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
  as_dirname=dirname
else
  as_dirname=false
fi

as_me=`$as_basename -- "$0" ||
$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
	 X"$0" : 'X\(//\)$' \| \
	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X/"$0" |
    sed '/^.*\/\([^/][^/]*\)\/*$/{
	    s//\1/
	    q
	  }
	  /^X\/\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\/\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`

# Avoid depending upon Character Ranges.
as_cr_letters='abcdefghijklmnopqrstuvwxyz'
as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
as_cr_Letters=$as_cr_letters$as_cr_LETTERS
as_cr_digits='0123456789'
as_cr_alnum=$as_cr_Letters$as_cr_digits


  as_lineno_1=$LINENO as_lineno_1a=$LINENO
  as_lineno_2=$LINENO as_lineno_2a=$LINENO
  eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
  test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
  # Blame Lee E. McMahon (1931-1989) for sed's syntax.  :-)
  sed -n '
    p
    /[$]LINENO/=
  ' <$as_myself |
    sed '
      s/[$]LINENO.*/&-/
      t lineno
      b
      :lineno
      N
      :loop
      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
      t loop
      s/-\n.*//
    ' >$as_me.lineno &&
  chmod +x "$as_me.lineno" ||
    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }

  # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
  # already done that, so ensure we don't try to do so again and fall
  # in an infinite loop.  This has already happened in practice.
  _as_can_reexec=no; export _as_can_reexec
  # Don't try to exec as it changes $[0], causing all sort of problems
  # (the dirname of $[0] is not the place where we might find the
  # original and so on.  Autoconf is especially sensitive to this).
  . "./$as_me.lineno"
  # Exit status is that of the last command.
  exit
}

ECHO_C= ECHO_N= ECHO_T=
case `echo -n x` in #(((((
-n*)
  case `echo 'xy\c'` in
  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
  xy)  ECHO_C='\c';;
  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
       ECHO_T='	';;
  esac;;
*)
  ECHO_N='-n';;
esac

rm -f conf$$ conf$$.exe conf$$.file
if test -d conf$$.dir; then
  rm -f conf$$.dir/conf$$.file
else
  rm -f conf$$.dir
  mkdir conf$$.dir 2>/dev/null
fi
if (echo >conf$$.file) 2>/dev/null; then
  if ln -s conf$$.file conf$$ 2>/dev/null; then
    as_ln_s='ln -s'
    # ... but there are two gotchas:
    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
    # In both cases, we have to default to `cp -pR'.
    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
      as_ln_s='cp -pR'
  elif ln conf$$.file conf$$ 2>/dev/null; then
    as_ln_s=ln
  else
    as_ln_s='cp -pR'
  fi
else
  as_ln_s='cp -pR'
fi
rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
rmdir conf$$.dir 2>/dev/null

if mkdir -p . 2>/dev/null; then
  as_mkdir_p='mkdir -p "$as_dir"'
else
  test -d ./-p && rmdir ./-p
  as_mkdir_p=false
fi

as_test_x='test -x'
as_executable_p=as_fn_executable_p

# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"

# Sed expression to map a string onto a valid variable name.
as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"


test -n "$DJDIR" || exec 7<&0 &1

# Name of the host.
# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
# so uname gets run too.
ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`

#
# Initializations.
#
ac_default_prefix=/usr/local
ac_clean_files=
ac_config_libobj_dir=.
LIBOBJS=
cross_compiling=no
subdirs=
MFLAGS=
MAKEFLAGS=

# Identity of this package.
PACKAGE_NAME=
PACKAGE_TARNAME=
PACKAGE_VERSION=
PACKAGE_STRING=
PACKAGE_BUGREPORT=
PACKAGE_URL=

ac_unique_file="src/monad.mli"
ac_subst_vars='LTLIBOBJS
LIBOBJS
FORPACK
MIZARLIB
MIZAR
PVSLIB
PVS
enable_local
WHY3COQPATH
JESSIEWHY3LIBCOQ
JESSIELIBCOQ
WHYFLOATS
WHYLIBCOQ
COQVER
COQLIB
COQC8
COQC7
COQ
ATPCMO
FRAMACPLUGIN
APRONLIBS
APRONLIB
enable_apron
INCLUDEGTK2
LABLGTK2
OCAMLGRAPHLIB
OCAMLLIB
OCAMLV
OCAMLVERSION
OCAMLBEST
CPULIMIT
STRIP
EXE
VERBOSEMAKE
MIZF
PVSC
COQDEP
COQC
WHY3
CAMLP4O
FRAMAC
OCAMLWEB
OCAMLDOCOPT
OCAMLDOC
OCAMLYACC
OCAMLLEXDOTOPT
OCAMLLEX
OCAMLDEPDOTOPT
OCAMLDEP
OCAMLOPTDOTOPT
OCAMLCDOTOPT
OCAMLOPT
USEOCAMLFIND
OCAMLC
target_alias
host_alias
build_alias
LIBS
ECHO_T
ECHO_N
ECHO_C
DEFS
mandir
localedir
libdir
psdir
pdfdir
dvidir
htmldir
infodir
docdir
oldincludedir
includedir
localstatedir
sharedstatedir
sysconfdir
datadir
datarootdir
libexecdir
sbindir
bindir
program_transform_name
prefix
exec_prefix
PACKAGE_URL
PACKAGE_BUGREPORT
PACKAGE_STRING
PACKAGE_VERSION
PACKAGE_TARNAME
PACKAGE_NAME
PATH_SEPARATOR
SHELL'
ac_subst_files=''
ac_user_opts='
enable_option_checking
enable_verbosemake
enable_local
enable_apron
'
      ac_precious_vars='build_alias
host_alias
target_alias'


# Initialize some variables set by options.
ac_init_help=
ac_init_version=false
ac_unrecognized_opts=
ac_unrecognized_sep=
# The variables have the same names as the options, with
# dashes changed to underlines.
cache_file=/dev/null
exec_prefix=NONE
no_create=
no_recursion=
prefix=NONE
program_prefix=NONE
program_suffix=NONE
program_transform_name=s,x,x,
silent=
site=
srcdir=
verbose=
x_includes=NONE
x_libraries=NONE

# Installation directory options.
# These are left unexpanded so users can "make install exec_prefix=/foo"
# and all the variables that are supposed to be based on exec_prefix
# by default will actually change.
# Use braces instead of parens because sh, perl, etc. also accept them.
# (The list follows the same order as the GNU Coding Standards.)
bindir='${exec_prefix}/bin'
sbindir='${exec_prefix}/sbin'
libexecdir='${exec_prefix}/libexec'
datarootdir='${prefix}/share'
datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE}'
infodir='${datarootdir}/info'
htmldir='${docdir}'
dvidir='${docdir}'
pdfdir='${docdir}'
psdir='${docdir}'
libdir='${exec_prefix}/lib'
localedir='${datarootdir}/locale'
mandir='${datarootdir}/man'

ac_prev=
ac_dashdash=
for ac_option
do
  # If the previous option needs an argument, assign it.
  if test -n "$ac_prev"; then
    eval $ac_prev=\$ac_option
    ac_prev=
    continue
  fi

  case $ac_option in
  *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
  *=)   ac_optarg= ;;
  *)    ac_optarg=yes ;;
  esac

  # Accept the important Cygnus configure options, so we can diagnose typos.

  case $ac_dashdash$ac_option in
  --)
    ac_dashdash=yes ;;

  -bindir | --bindir | --bindi | --bind | --bin | --bi)
    ac_prev=bindir ;;
  -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
    bindir=$ac_optarg ;;

  -build | --build | --buil | --bui | --bu)
    ac_prev=build_alias ;;
  -build=* | --build=* | --buil=* | --bui=* | --bu=*)
    build_alias=$ac_optarg ;;

  -cache-file | --cache-file | --cache-fil | --cache-fi \
  | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
    ac_prev=cache_file ;;
  -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
  | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
    cache_file=$ac_optarg ;;

  --config-cache | -C)
    cache_file=config.cache ;;

  -datadir | --datadir | --datadi | --datad)
    ac_prev=datadir ;;
  -datadir=* | --datadir=* | --datadi=* | --datad=*)
    datadir=$ac_optarg ;;

  -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \
  | --dataroo | --dataro | --datar)
    ac_prev=datarootdir ;;
  -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \
  | --dataroot=* | --dataroo=* | --dataro=* | --datar=*)
    datarootdir=$ac_optarg ;;

  -disable-* | --disable-*)
    ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
    # Reject names that are not valid shell variable names.
    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
      as_fn_error $? "invalid feature name: $ac_useropt"
    ac_useropt_orig=$ac_useropt
    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
    case $ac_user_opts in
      *"
"enable_$ac_useropt"
"*) ;;
      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
	 ac_unrecognized_sep=', ';;
    esac
    eval enable_$ac_useropt=no ;;

  -docdir | --docdir | --docdi | --doc | --do)
    ac_prev=docdir ;;
  -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*)
    docdir=$ac_optarg ;;

  -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv)
    ac_prev=dvidir ;;
  -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*)
    dvidir=$ac_optarg ;;

  -enable-* | --enable-*)
    ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
    # Reject names that are not valid shell variable names.
    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
      as_fn_error $? "invalid feature name: $ac_useropt"
    ac_useropt_orig=$ac_useropt
    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
    case $ac_user_opts in
      *"
"enable_$ac_useropt"
"*) ;;
      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
	 ac_unrecognized_sep=', ';;
    esac
    eval enable_$ac_useropt=\$ac_optarg ;;

  -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
  | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
  | --exec | --exe | --ex)
    ac_prev=exec_prefix ;;
  -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
  | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
  | --exec=* | --exe=* | --ex=*)
    exec_prefix=$ac_optarg ;;

  -gas | --gas | --ga | --g)
    # Obsolete; use --with-gas.
    with_gas=yes ;;

  -help | --help | --hel | --he | -h)
    ac_init_help=long ;;
  -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
    ac_init_help=recursive ;;
  -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
    ac_init_help=short ;;

  -host | --host | --hos | --ho)
    ac_prev=host_alias ;;
  -host=* | --host=* | --hos=* | --ho=*)
    host_alias=$ac_optarg ;;

  -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht)
    ac_prev=htmldir ;;
  -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \
  | --ht=*)
    htmldir=$ac_optarg ;;

  -includedir | --includedir | --includedi | --included | --include \
  | --includ | --inclu | --incl | --inc)
    ac_prev=includedir ;;
  -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
  | --includ=* | --inclu=* | --incl=* | --inc=*)
    includedir=$ac_optarg ;;

  -infodir | --infodir | --infodi | --infod | --info | --inf)
    ac_prev=infodir ;;
  -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
    infodir=$ac_optarg ;;

  -libdir | --libdir | --libdi | --libd)
    ac_prev=libdir ;;
  -libdir=* | --libdir=* | --libdi=* | --libd=*)
    libdir=$ac_optarg ;;

  -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
  | --libexe | --libex | --libe)
    ac_prev=libexecdir ;;
  -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
  | --libexe=* | --libex=* | --libe=*)
    libexecdir=$ac_optarg ;;

  -localedir | --localedir | --localedi | --localed | --locale)
    ac_prev=localedir ;;
  -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*)
    localedir=$ac_optarg ;;

  -localstatedir | --localstatedir | --localstatedi | --localstated \
  | --localstate | --localstat | --localsta | --localst | --locals)
    ac_prev=localstatedir ;;
  -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
  | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*)
    localstatedir=$ac_optarg ;;

  -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
    ac_prev=mandir ;;
  -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
    mandir=$ac_optarg ;;

  -nfp | --nfp | --nf)
    # Obsolete; use --without-fp.
    with_fp=no ;;

  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
  | --no-cr | --no-c | -n)
    no_create=yes ;;

  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
    no_recursion=yes ;;

  -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
  | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
  | --oldin | --oldi | --old | --ol | --o)
    ac_prev=oldincludedir ;;
  -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
  | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
  | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
    oldincludedir=$ac_optarg ;;

  -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
    ac_prev=prefix ;;
  -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
    prefix=$ac_optarg ;;

  -program-prefix | --program-prefix | --program-prefi | --program-pref \
  | --program-pre | --program-pr | --program-p)
    ac_prev=program_prefix ;;
  -program-prefix=* | --program-prefix=* | --program-prefi=* \
  | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
    program_prefix=$ac_optarg ;;

  -program-suffix | --program-suffix | --program-suffi | --program-suff \
  | --program-suf | --program-su | --program-s)
    ac_prev=program_suffix ;;
  -program-suffix=* | --program-suffix=* | --program-suffi=* \
  | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
    program_suffix=$ac_optarg ;;

  -program-transform-name | --program-transform-name \
  | --program-transform-nam | --program-transform-na \
  | --program-transform-n | --program-transform- \
  | --program-transform | --program-transfor \
  | --program-transfo | --program-transf \
  | --program-trans | --program-tran \
  | --progr-tra | --program-tr | --program-t)
    ac_prev=program_transform_name ;;
  -program-transform-name=* | --program-transform-name=* \
  | --program-transform-nam=* | --program-transform-na=* \
  | --program-transform-n=* | --program-transform-=* \
  | --program-transform=* | --program-transfor=* \
  | --program-transfo=* | --program-transf=* \
  | --program-trans=* | --program-tran=* \
  | --progr-tra=* | --program-tr=* | --program-t=*)
    program_transform_name=$ac_optarg ;;

  -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd)
    ac_prev=pdfdir ;;
  -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*)
    pdfdir=$ac_optarg ;;

  -psdir | --psdir | --psdi | --psd | --ps)
    ac_prev=psdir ;;
  -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*)
    psdir=$ac_optarg ;;

  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
  | -silent | --silent | --silen | --sile | --sil)
    silent=yes ;;

  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
    ac_prev=sbindir ;;
  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
  | --sbi=* | --sb=*)
    sbindir=$ac_optarg ;;

  -sharedstatedir | --sharedstatedir | --sharedstatedi \
  | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
  | --sharedst | --shareds | --shared | --share | --shar \
  | --sha | --sh)
    ac_prev=sharedstatedir ;;
  -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
  | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
  | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
  | --sha=* | --sh=*)
    sharedstatedir=$ac_optarg ;;

  -site | --site | --sit)
    ac_prev=site ;;
  -site=* | --site=* | --sit=*)
    site=$ac_optarg ;;

  -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
    ac_prev=srcdir ;;
  -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
    srcdir=$ac_optarg ;;

  -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
  | --syscon | --sysco | --sysc | --sys | --sy)
    ac_prev=sysconfdir ;;
  -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
  | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
    sysconfdir=$ac_optarg ;;

  -target | --target | --targe | --targ | --tar | --ta | --t)
    ac_prev=target_alias ;;
  -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
    target_alias=$ac_optarg ;;

  -v | -verbose | --verbose | --verbos | --verbo | --verb)
    verbose=yes ;;

  -version | --version | --versio | --versi | --vers | -V)
    ac_init_version=: ;;

  -with-* | --with-*)
    ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
    # Reject names that are not valid shell variable names.
    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
      as_fn_error $? "invalid package name: $ac_useropt"
    ac_useropt_orig=$ac_useropt
    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
    case $ac_user_opts in
      *"
"with_$ac_useropt"
"*) ;;
      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
	 ac_unrecognized_sep=', ';;
    esac
    eval with_$ac_useropt=\$ac_optarg ;;

  -without-* | --without-*)
    ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
    # Reject names that are not valid shell variable names.
    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
      as_fn_error $? "invalid package name: $ac_useropt"
    ac_useropt_orig=$ac_useropt
    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
    case $ac_user_opts in
      *"
"with_$ac_useropt"
"*) ;;
      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
	 ac_unrecognized_sep=', ';;
    esac
    eval with_$ac_useropt=no ;;

  --x)
    # Obsolete; use --with-x.
    with_x=yes ;;

  -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
  | --x-incl | --x-inc | --x-in | --x-i)
    ac_prev=x_includes ;;
  -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
  | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
    x_includes=$ac_optarg ;;

  -x-libraries | --x-libraries | --x-librarie | --x-librari \
  | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
    ac_prev=x_libraries ;;
  -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
  | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
    x_libraries=$ac_optarg ;;

  -*) as_fn_error $? "unrecognized option: \`$ac_option'
Try \`$0 --help' for more information"
    ;;

  *=*)
    ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
    # Reject names that are not valid shell variable names.
    case $ac_envvar in #(
      '' | [0-9]* | *[!_$as_cr_alnum]* )
      as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
    esac
    eval $ac_envvar=\$ac_optarg
    export $ac_envvar ;;

  *)
    # FIXME: should be removed in autoconf 3.0.
    $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
    expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
      $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
    : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}"
    ;;

  esac
done

if test -n "$ac_prev"; then
  ac_option=--`echo $ac_prev | sed 's/_/-/g'`
  as_fn_error $? "missing argument to $ac_option"
fi

if test -n "$ac_unrecognized_opts"; then
  case $enable_option_checking in
    no) ;;
    fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
    *)     $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
  esac
fi

# Check all directory arguments for consistency.
for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
		datadir sysconfdir sharedstatedir localstatedir includedir \
		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
		libdir localedir mandir
do
  eval ac_val=\$$ac_var
  # Remove trailing slashes.
  case $ac_val in
    */ )
      ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
      eval $ac_var=\$ac_val;;
  esac
  # Be sure to have absolute directory names.
  case $ac_val in
    [\\/$]* | ?:[\\/]* )  continue;;
    NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
  esac
  as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
done

# There might be people who depend on the old broken behavior: `$host'
# used to hold the argument of --host etc.
# FIXME: To remove some day.
build=$build_alias
host=$host_alias
target=$target_alias

# FIXME: To remove some day.
if test "x$host_alias" != x; then
  if test "x$build_alias" = x; then
    cross_compiling=maybe
  elif test "x$build_alias" != "x$host_alias"; then
    cross_compiling=yes
  fi
fi

ac_tool_prefix=
test -n "$host_alias" && ac_tool_prefix=$host_alias-

test "$silent" = yes && exec 6>/dev/null


ac_pwd=`pwd` && test -n "$ac_pwd" &&
ac_ls_di=`ls -di .` &&
ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
  as_fn_error $? "working directory cannot be determined"
test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
  as_fn_error $? "pwd does not report name of working directory"


# Find the source files, if location was not specified.
if test -z "$srcdir"; then
  ac_srcdir_defaulted=yes
  # Try the directory containing this script, then the parent directory.
  ac_confdir=`$as_dirname -- "$as_myself" ||
$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
	 X"$as_myself" : 'X\(//\)[^/]' \| \
	 X"$as_myself" : 'X\(//\)$' \| \
	 X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X"$as_myself" |
    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)[^/].*/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`
  srcdir=$ac_confdir
  if test ! -r "$srcdir/$ac_unique_file"; then
    srcdir=..
  fi
else
  ac_srcdir_defaulted=no
fi
if test ! -r "$srcdir/$ac_unique_file"; then
  test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
  as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
fi
ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
ac_abs_confdir=`(
	cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
	pwd)`
# When building in place, set srcdir=.
if test "$ac_abs_confdir" = "$ac_pwd"; then
  srcdir=.
fi
# Remove unnecessary trailing slashes from srcdir.
# Double slashes in file names in object file debugging info
# mess up M-x gdb in Emacs.
case $srcdir in
*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;;
esac
for ac_var in $ac_precious_vars; do
  eval ac_env_${ac_var}_set=\${${ac_var}+set}
  eval ac_env_${ac_var}_value=\$${ac_var}
  eval ac_cv_env_${ac_var}_set=\${${ac_var}+set}
  eval ac_cv_env_${ac_var}_value=\$${ac_var}
done

#
# Report the --help message.
#
if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
\`configure' configures this package to adapt to many kinds of systems.

Usage: $0 [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print \`checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for \`--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or \`..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [$ac_default_prefix]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, \`make install' will install all the files in
\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
an installation prefix other than \`$ac_default_prefix' using \`--prefix',
for instance \`--prefix=\$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/PACKAGE]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]
_ACEOF

  cat <<\_ACEOF
_ACEOF
fi

if test -n "$ac_init_help"; then

  cat <<\_ACEOF

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-verbosemake    verbose makefile commands
  --enable-local          use Jessie in the build directory (no installation)
  --enable-apron=no/yes  use APRON library for abstract interpretation default=yes

Report bugs to the package provider.
_ACEOF
ac_status=$?
fi

if test "$ac_init_help" = "recursive"; then
  # If there are subdirs, report their specific --help.
  for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
    test -d "$ac_dir" ||
      { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
      continue
    ac_builddir=.

case "$ac_dir" in
.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
*)
  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
  # A ".." for each directory in $ac_dir_suffix.
  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
  case $ac_top_builddir_sub in
  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
  esac ;;
esac
ac_abs_top_builddir=$ac_pwd
ac_abs_builddir=$ac_pwd$ac_dir_suffix
# for backward compatibility:
ac_top_builddir=$ac_top_build_prefix

case $srcdir in
  .)  # We are building in place.
    ac_srcdir=.
    ac_top_srcdir=$ac_top_builddir_sub
    ac_abs_top_srcdir=$ac_pwd ;;
  [\\/]* | ?:[\\/]* )  # Absolute name.
    ac_srcdir=$srcdir$ac_dir_suffix;
    ac_top_srcdir=$srcdir
    ac_abs_top_srcdir=$srcdir ;;
  *) # Relative name.
    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
    ac_top_srcdir=$ac_top_build_prefix$srcdir
    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
esac
ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix

    cd "$ac_dir" || { ac_status=$?; continue; }
    # Check for guested configure.
    if test -f "$ac_srcdir/configure.gnu"; then
      echo &&
      $SHELL "$ac_srcdir/configure.gnu" --help=recursive
    elif test -f "$ac_srcdir/configure"; then
      echo &&
      $SHELL "$ac_srcdir/configure" --help=recursive
    else
      $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
    fi || ac_status=$?
    cd "$ac_pwd" || { ac_status=$?; break; }
  done
fi

test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
  cat <<\_ACEOF
configure
generated by GNU Autoconf 2.69

Copyright (C) 2012 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it.
_ACEOF
  exit
fi

## ------------------------ ##
## Autoconf initialization. ##
## ------------------------ ##
cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by $as_me, which was
generated by GNU Autoconf 2.69.  Invocation command line was

  $ $0 $@

_ACEOF
exec 5>>config.log
{
cat <<_ASUNAME
## --------- ##
## Platform. ##
## --------- ##

hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
uname -m = `(uname -m) 2>/dev/null || echo unknown`
uname -r = `(uname -r) 2>/dev/null || echo unknown`
uname -s = `(uname -s) 2>/dev/null || echo unknown`
uname -v = `(uname -v) 2>/dev/null || echo unknown`

/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
/bin/uname -X     = `(/bin/uname -X) 2>/dev/null     || echo unknown`

/bin/arch              = `(/bin/arch) 2>/dev/null              || echo unknown`
/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null       || echo unknown`
/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
/usr/bin/hostinfo      = `(/usr/bin/hostinfo) 2>/dev/null      || echo unknown`
/bin/machine           = `(/bin/machine) 2>/dev/null           || echo unknown`
/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null       || echo unknown`
/bin/universe          = `(/bin/universe) 2>/dev/null          || echo unknown`

_ASUNAME

as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    $as_echo "PATH: $as_dir"
  done
IFS=$as_save_IFS

} >&5

cat >&5 <<_ACEOF


## ----------- ##
## Core tests. ##
## ----------- ##

_ACEOF


# Keep a trace of the command line.
# Strip out --no-create and --no-recursion so they do not pile up.
# Strip out --silent because we don't want to record it for future runs.
# Also quote any args containing shell meta-characters.
# Make two passes to allow for proper duplicate-argument suppression.
ac_configure_args=
ac_configure_args0=
ac_configure_args1=
ac_must_keep_next=false
for ac_pass in 1 2
do
  for ac_arg
  do
    case $ac_arg in
    -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
    -q | -quiet | --quiet | --quie | --qui | --qu | --q \
    | -silent | --silent | --silen | --sile | --sil)
      continue ;;
    *\'*)
      ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
    esac
    case $ac_pass in
    1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
    2)
      as_fn_append ac_configure_args1 " '$ac_arg'"
      if test $ac_must_keep_next = true; then
	ac_must_keep_next=false # Got value, back to normal.
      else
	case $ac_arg in
	  *=* | --config-cache | -C | -disable-* | --disable-* \
	  | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
	  | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
	  | -with-* | --with-* | -without-* | --without-* | --x)
	    case "$ac_configure_args0 " in
	      "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
	    esac
	    ;;
	  -* ) ac_must_keep_next=true ;;
	esac
      fi
      as_fn_append ac_configure_args " '$ac_arg'"
      ;;
    esac
  done
done
{ ac_configure_args0=; unset ac_configure_args0;}
{ ac_configure_args1=; unset ac_configure_args1;}

# When interrupted or exit'd, cleanup temporary files, and complete
# config.log.  We remove comments because anyway the quotes in there
# would cause problems or look ugly.
# WARNING: Use '\'' to represent an apostrophe within the trap.
# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
trap 'exit_status=$?
  # Save into config.log some information that might help in debugging.
  {
    echo

    $as_echo "## ---------------- ##
## Cache variables. ##
## ---------------- ##"
    echo
    # The following way of writing the cache mishandles newlines in values,
(
  for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
    eval ac_val=\$$ac_var
    case $ac_val in #(
    *${as_nl}*)
      case $ac_var in #(
      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
      esac
      case $ac_var in #(
      _ | IFS | as_nl) ;; #(
      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
      *) { eval $ac_var=; unset $ac_var;} ;;
      esac ;;
    esac
  done
  (set) 2>&1 |
    case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
    *${as_nl}ac_space=\ *)
      sed -n \
	"s/'\''/'\''\\\\'\'''\''/g;
	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
      ;; #(
    *)
      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
      ;;
    esac |
    sort
)
    echo

    $as_echo "## ----------------- ##
## Output variables. ##
## ----------------- ##"
    echo
    for ac_var in $ac_subst_vars
    do
      eval ac_val=\$$ac_var
      case $ac_val in
      *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
      esac
      $as_echo "$ac_var='\''$ac_val'\''"
    done | sort
    echo

    if test -n "$ac_subst_files"; then
      $as_echo "## ------------------- ##
## File substitutions. ##
## ------------------- ##"
      echo
      for ac_var in $ac_subst_files
      do
	eval ac_val=\$$ac_var
	case $ac_val in
	*\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
	esac
	$as_echo "$ac_var='\''$ac_val'\''"
      done | sort
      echo
    fi

    if test -s confdefs.h; then
      $as_echo "## ----------- ##
## confdefs.h. ##
## ----------- ##"
      echo
      cat confdefs.h
      echo
    fi
    test "$ac_signal" != 0 &&
      $as_echo "$as_me: caught signal $ac_signal"
    $as_echo "$as_me: exit $exit_status"
  } >&5
  rm -f core *.core core.conftest.* &&
    rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
    exit $exit_status
' 0
for ac_signal in 1 2 13 15; do
  trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
done
ac_signal=0

# confdefs.h avoids OS command line length limits that DEFS can exceed.
rm -f -r conftest* confdefs.h

$as_echo "/* confdefs.h */" > confdefs.h

# Predefined preprocessor variables.

cat >>confdefs.h <<_ACEOF
#define PACKAGE_NAME "$PACKAGE_NAME"
_ACEOF

cat >>confdefs.h <<_ACEOF
#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
_ACEOF

cat >>confdefs.h <<_ACEOF
#define PACKAGE_VERSION "$PACKAGE_VERSION"
_ACEOF

cat >>confdefs.h <<_ACEOF
#define PACKAGE_STRING "$PACKAGE_STRING"
_ACEOF

cat >>confdefs.h <<_ACEOF
#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
_ACEOF

cat >>confdefs.h <<_ACEOF
#define PACKAGE_URL "$PACKAGE_URL"
_ACEOF


# Let the site file select an alternate cache file if it wants to.
# Prefer an explicitly selected file to automatically selected ones.
ac_site_file1=NONE
ac_site_file2=NONE
if test -n "$CONFIG_SITE"; then
  # We do not want a PATH search for config.site.
  case $CONFIG_SITE in #((
    -*)  ac_site_file1=./$CONFIG_SITE;;
    */*) ac_site_file1=$CONFIG_SITE;;
    *)   ac_site_file1=./$CONFIG_SITE;;
  esac
elif test "x$prefix" != xNONE; then
  ac_site_file1=$prefix/share/config.site
  ac_site_file2=$prefix/etc/config.site
else
  ac_site_file1=$ac_default_prefix/share/config.site
  ac_site_file2=$ac_default_prefix/etc/config.site
fi
for ac_site_file in "$ac_site_file1" "$ac_site_file2"
do
  test "x$ac_site_file" = xNONE && continue
  if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
$as_echo "$as_me: loading site script $ac_site_file" >&6;}
    sed 's/^/| /' "$ac_site_file" >&5
    . "$ac_site_file" \
      || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "failed to load site script $ac_site_file
See \`config.log' for more details" "$LINENO" 5; }
  fi
done

if test -r "$cache_file"; then
  # Some versions of bash will fail to source /dev/null (special files
  # actually), so we avoid doing that.  DJGPP emulates it as a regular file.
  if test /dev/null != "$cache_file" && test -f "$cache_file"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
$as_echo "$as_me: loading cache $cache_file" >&6;}
    case $cache_file in
      [\\/]* | ?:[\\/]* ) . "$cache_file";;
      *)                      . "./$cache_file";;
    esac
  fi
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
$as_echo "$as_me: creating cache $cache_file" >&6;}
  >$cache_file
fi

# Check that the precious variables saved in the cache have kept the same
# value.
ac_cache_corrupted=false
for ac_var in $ac_precious_vars; do
  eval ac_old_set=\$ac_cv_env_${ac_var}_set
  eval ac_new_set=\$ac_env_${ac_var}_set
  eval ac_old_val=\$ac_cv_env_${ac_var}_value
  eval ac_new_val=\$ac_env_${ac_var}_value
  case $ac_old_set,$ac_new_set in
    set,)
      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
      ac_cache_corrupted=: ;;
    ,set)
      { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
      ac_cache_corrupted=: ;;
    ,);;
    *)
      if test "x$ac_old_val" != "x$ac_new_val"; then
	# differences in whitespace do not lead to failure.
	ac_old_val_w=`echo x $ac_old_val`
	ac_new_val_w=`echo x $ac_new_val`
	if test "$ac_old_val_w" != "$ac_new_val_w"; then
	  { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
	  ac_cache_corrupted=:
	else
	  { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
	  eval $ac_var=\$ac_old_val
	fi
	{ $as_echo "$as_me:${as_lineno-$LINENO}:   former value:  \`$ac_old_val'" >&5
$as_echo "$as_me:   former value:  \`$ac_old_val'" >&2;}
	{ $as_echo "$as_me:${as_lineno-$LINENO}:   current value: \`$ac_new_val'" >&5
$as_echo "$as_me:   current value: \`$ac_new_val'" >&2;}
      fi;;
  esac
  # Pass precious variables to config.status.
  if test "$ac_new_set" = set; then
    case $ac_new_val in
    *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
    *) ac_arg=$ac_var=$ac_new_val ;;
    esac
    case " $ac_configure_args " in
      *" '$ac_arg' "*) ;; # Avoid dups.  Use of quotes ensures accuracy.
      *) as_fn_append ac_configure_args " '$ac_arg'" ;;
    esac
  fi
done
if $ac_cache_corrupted; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
  { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
  as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
fi
## -------------------- ##
## Main body of script. ##
## -------------------- ##

ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu



# verbosemake feature

# Check whether --enable-verbosemake was given.
if test "${enable_verbosemake+set}" = set; then :
  enableval=$enable_verbosemake; VERBOSEMAKE=yes
else
  VERBOSEMAKE=no
fi

if test "$VERBOSEMAKE" = yes ; then
	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: Make will be verbose." >&5
$as_echo "Make will be verbose." >&6; }
fi

# Check whether --enable-local was given.
if test "${enable_local+set}" = set; then :
  enableval=$enable_local;
else
  enable_local=no
fi



# Check for Ocaml compilers

# we first look for ocamlc in the path; if not present, we fail
# Extract the first word of "ocamlc", so it can be a program name with args.
set dummy ocamlc; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_OCAMLC+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$OCAMLC"; then
  ac_cv_prog_OCAMLC="$OCAMLC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLC="ocamlc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLC" && ac_cv_prog_OCAMLC="no"
fi
fi
OCAMLC=$ac_cv_prog_OCAMLC
if test -n "$OCAMLC"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OCAMLC" >&5
$as_echo "$OCAMLC" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


if test "$OCAMLC" = no ; then
	as_fn_error $? "Cannot find ocamlc." "$LINENO" 5
fi

# we extract Ocaml version number
OCAMLVERSION=`$OCAMLC -v | sed -n -e 's|.*version* *\(.*\)$|\1|p' `
echo "ocaml version is $OCAMLVERSION"

case $OCAMLVERSION in
  0.*|1.*|2.00|3.00*|3.01*|3.02*|3.03*|3.04*|3.05*|3.06*|3.07*)
        as_fn_error $? "You need Objective 3.08 or later" "$LINENO" 5;;
  3.08.2)
	FORPACK=""
	OCAMLV=3082;;
  3.08*)
	FORPACK=""
	OCAMLV=308;;
  *)
	FORPACK="-for-pack Graph";;
esac

# Ocaml library path
# old way: OCAMLLIB=`$OCAMLC -v | tail -1 | cut -f 4 -d ' ' | tr -d '\\r'`
OCAMLLIB=`$OCAMLC -where | tr -d '\\r'`
echo "ocaml library path is $OCAMLLIB"


## Where are the library we need
# we look for ocamlfind; if not present, we just don't use it to find
# libraries
# Extract the first word of "ocamlfind", so it can be a program name with args.
set dummy ocamlfind; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_USEOCAMLFIND+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$USEOCAMLFIND"; then
  ac_cv_prog_USEOCAMLFIND="$USEOCAMLFIND" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_USEOCAMLFIND="yes"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_USEOCAMLFIND" && ac_cv_prog_USEOCAMLFIND="no"
fi
fi
USEOCAMLFIND=$ac_cv_prog_USEOCAMLFIND
if test -n "$USEOCAMLFIND"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $USEOCAMLFIND" >&5
$as_echo "$USEOCAMLFIND" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi



if test "$USEOCAMLFIND" = yes; then
   OCAMLFINDLIB=$(ocamlfind printconf stdlib)
   OCAMLFIND=$(which ocamlfind)
   if test "$OCAMLFINDLIB" != "$OCAMLLIB"; then
   USEOCAMLFIND=no;
   echo "but your ocamlfind is not compatible with your ocamlc:"
   echo "ocamlfind : $OCAMLFINDLIB, ocamlc : $OCAMLLIB"
   fi
fi



# Check for arch/OS

{ $as_echo "$as_me:${as_lineno-$LINENO}: checking OS dependent settings" >&5
$as_echo_n "checking OS dependent settings... " >&6; }
OSTYPE=`echo 'prerr_endline Sys.os_type;;' | ocaml 2>&1 > /dev/null | tr -d '\\r' `
case $OSTYPE in
  Win32)
    EXE=.exe
    STRIP='echo "no strip "'
    CPULIMIT=cpulimit-win
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: Win32" >&5
$as_echo "Win32" >&6; }
    ;;
  Cygwin)
    EXE=.exe
    STRIP=strip
    CPULIMIT=cpulimit-win
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: Cygwin" >&5
$as_echo "Cygwin" >&6; }
    ;;
  Unix)
    EXE=
    STRIP=strip
    CPULIMIT=cpulimit
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: Unix" >&5
$as_echo "Unix" >&6; }
    ;;
  *) as_fn_error $? "Unknown OS type: $OSTYPE" "$LINENO" 5
    ;;
esac


# then we look for ocamlopt; if not present, we issue a warning
# if the version is not the same, we also discard it
# we set OCAMLBEST to "opt" or "byte", whether ocamlopt is available or not
# Extract the first word of "ocamlopt", so it can be a program name with args.
set dummy ocamlopt; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_OCAMLOPT+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$OCAMLOPT"; then
  ac_cv_prog_OCAMLOPT="$OCAMLOPT" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLOPT="ocamlopt"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLOPT" && ac_cv_prog_OCAMLOPT="no"
fi
fi
OCAMLOPT=$ac_cv_prog_OCAMLOPT
if test -n "$OCAMLOPT"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OCAMLOPT" >&5
$as_echo "$OCAMLOPT" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


OCAMLBEST=byte
if test "$OCAMLOPT" = no ; then
	{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find ocamlopt; bytecode compilation only." >&5
$as_echo "$as_me: WARNING: Cannot find ocamlopt; bytecode compilation only." >&2;}
else
	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking ocamlopt version" >&5
$as_echo_n "checking ocamlopt version... " >&6; }
	TMPVERSION=`$OCAMLOPT -v | sed -n -e 's|.*version* *\(.*\)$|\1|p' `
	if test "$TMPVERSION" != "$OCAMLVERSION" ; then
	    { $as_echo "$as_me:${as_lineno-$LINENO}: result: differs from ocamlc; ocamlopt discarded." >&5
$as_echo "differs from ocamlc; ocamlopt discarded." >&6; }
	    OCAMLOPT=no
	else
	    { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
$as_echo "ok" >&6; }
	    OCAMLBEST=opt
	fi
fi

# checking for ocamlc.opt
# Extract the first word of "ocamlc.opt", so it can be a program name with args.
set dummy ocamlc.opt; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_OCAMLCDOTOPT+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$OCAMLCDOTOPT"; then
  ac_cv_prog_OCAMLCDOTOPT="$OCAMLCDOTOPT" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLCDOTOPT="ocamlc.opt"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLCDOTOPT" && ac_cv_prog_OCAMLCDOTOPT="no"
fi
fi
OCAMLCDOTOPT=$ac_cv_prog_OCAMLCDOTOPT
if test -n "$OCAMLCDOTOPT"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OCAMLCDOTOPT" >&5
$as_echo "$OCAMLCDOTOPT" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


if test "$OCAMLCDOTOPT" != no ; then
	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking ocamlc.opt version" >&5
$as_echo_n "checking ocamlc.opt version... " >&6; }
	TMPVERSION=`$OCAMLCDOTOPT -v | sed -n -e 's|.*version* *\(.*\)$|\1|p' `
	if test "$TMPVERSION" != "$OCAMLVERSION" ; then
	    { $as_echo "$as_me:${as_lineno-$LINENO}: result: differs from ocamlc; ocamlc.opt discarded." >&5
$as_echo "differs from ocamlc; ocamlc.opt discarded." >&6; }
	else
	    { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
$as_echo "ok" >&6; }
	    OCAMLC=$OCAMLCDOTOPT
	fi
fi

# checking for ocamlopt.opt
if test "$OCAMLOPT" != no ; then
    # Extract the first word of "ocamlopt.opt", so it can be a program name with args.
set dummy ocamlopt.opt; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_OCAMLOPTDOTOPT+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$OCAMLOPTDOTOPT"; then
  ac_cv_prog_OCAMLOPTDOTOPT="$OCAMLOPTDOTOPT" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLOPTDOTOPT="ocamlopt.opt"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLOPTDOTOPT" && ac_cv_prog_OCAMLOPTDOTOPT="no"
fi
fi
OCAMLOPTDOTOPT=$ac_cv_prog_OCAMLOPTDOTOPT
if test -n "$OCAMLOPTDOTOPT"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OCAMLOPTDOTOPT" >&5
$as_echo "$OCAMLOPTDOTOPT" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


    if test "$OCAMLOPTDOTOPT" != no ; then
	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking ocamlc.opt version" >&5
$as_echo_n "checking ocamlc.opt version... " >&6; }
	TMPVER=`$OCAMLOPTDOTOPT -v | sed -n -e 's|.*version* *\(.*\)$|\1|p' `
	if test "$TMPVER" != "$OCAMLVERSION" ; then
	    { $as_echo "$as_me:${as_lineno-$LINENO}: result: differs from ocamlc; ocamlopt.opt discarded." >&5
$as_echo "differs from ocamlc; ocamlopt.opt discarded." >&6; }
	else
	    { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
$as_echo "ok" >&6; }
	    OCAMLOPT=$OCAMLOPTDOTOPT
	fi
    fi
fi

# ocamldep, ocamllex and ocamlyacc should also be present in the path
# Extract the first word of "ocamldep", so it can be a program name with args.
set dummy ocamldep; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_OCAMLDEP+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$OCAMLDEP"; then
  ac_cv_prog_OCAMLDEP="$OCAMLDEP" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLDEP="ocamldep"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLDEP" && ac_cv_prog_OCAMLDEP="no"
fi
fi
OCAMLDEP=$ac_cv_prog_OCAMLDEP
if test -n "$OCAMLDEP"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OCAMLDEP" >&5
$as_echo "$OCAMLDEP" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


if test "$OCAMLDEP" = no ; then
   as_fn_error $? "Cannot find ocamldep." "$LINENO" 5
else
   # Extract the first word of "ocamldep.opt", so it can be a program name with args.
set dummy ocamldep.opt; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_OCAMLDEPDOTOPT+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$OCAMLDEPDOTOPT"; then
  ac_cv_prog_OCAMLDEPDOTOPT="$OCAMLDEPDOTOPT" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLDEPDOTOPT="ocamldep.opt"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLDEPDOTOPT" && ac_cv_prog_OCAMLDEPDOTOPT="no"
fi
fi
OCAMLDEPDOTOPT=$ac_cv_prog_OCAMLDEPDOTOPT
if test -n "$OCAMLDEPDOTOPT"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OCAMLDEPDOTOPT" >&5
$as_echo "$OCAMLDEPDOTOPT" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


   if test "$OCAMLDEPDOTOPT" != no ; then
      OCAMLDEP=$OCAMLDEPDOTOPT
   fi
fi

# Extract the first word of "ocamllex", so it can be a program name with args.
set dummy ocamllex; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_OCAMLLEX+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$OCAMLLEX"; then
  ac_cv_prog_OCAMLLEX="$OCAMLLEX" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLLEX="ocamllex"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLLEX" && ac_cv_prog_OCAMLLEX="no"
fi
fi
OCAMLLEX=$ac_cv_prog_OCAMLLEX
if test -n "$OCAMLLEX"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OCAMLLEX" >&5
$as_echo "$OCAMLLEX" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


if test "$OCAMLLEX" = no ; then
	as_fn_error $? "Cannot find ocamllex." "$LINENO" 5
else
    # Extract the first word of "ocamllex.opt", so it can be a program name with args.
set dummy ocamllex.opt; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_OCAMLLEXDOTOPT+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$OCAMLLEXDOTOPT"; then
  ac_cv_prog_OCAMLLEXDOTOPT="$OCAMLLEXDOTOPT" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLLEXDOTOPT="ocamllex.opt"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLLEXDOTOPT" && ac_cv_prog_OCAMLLEXDOTOPT="no"
fi
fi
OCAMLLEXDOTOPT=$ac_cv_prog_OCAMLLEXDOTOPT
if test -n "$OCAMLLEXDOTOPT"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OCAMLLEXDOTOPT" >&5
$as_echo "$OCAMLLEXDOTOPT" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


    if test "$OCAMLLEXDOTOPT" != no ; then
	OCAMLLEX=$OCAMLLEXDOTOPT
    fi
fi

# Extract the first word of "ocamlyacc", so it can be a program name with args.
set dummy ocamlyacc; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_OCAMLYACC+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$OCAMLYACC"; then
  ac_cv_prog_OCAMLYACC="$OCAMLYACC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLYACC="ocamlyacc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLYACC" && ac_cv_prog_OCAMLYACC="no"
fi
fi
OCAMLYACC=$ac_cv_prog_OCAMLYACC
if test -n "$OCAMLYACC"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OCAMLYACC" >&5
$as_echo "$OCAMLYACC" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


if test "$OCAMLYACC" = no ; then
	as_fn_error $? "Cannot find ocamlyacc." "$LINENO" 5
fi

# Extract the first word of "ocamldoc", so it can be a program name with args.
set dummy ocamldoc; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_OCAMLDOC+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$OCAMLDOC"; then
  ac_cv_prog_OCAMLDOC="$OCAMLDOC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLDOC="ocamldoc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLDOC" && ac_cv_prog_OCAMLDOC="true"
fi
fi
OCAMLDOC=$ac_cv_prog_OCAMLDOC
if test -n "$OCAMLDOC"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OCAMLDOC" >&5
$as_echo "$OCAMLDOC" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


if test "$OCAMLDOC" = true ; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find ocamldoc" >&5
$as_echo "$as_me: WARNING: Cannot find ocamldoc" >&2;}
else
    # Extract the first word of "ocamldoc.opt", so it can be a program name with args.
set dummy ocamldoc.opt; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_OCAMLDOCOPT+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$OCAMLDOCOPT"; then
  ac_cv_prog_OCAMLDOCOPT="$OCAMLDOCOPT" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLDOCOPT="ocamldoc.opt"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLDOCOPT" && ac_cv_prog_OCAMLDOCOPT="no"
fi
fi
OCAMLDOCOPT=$ac_cv_prog_OCAMLDOCOPT
if test -n "$OCAMLDOCOPT"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OCAMLDOCOPT" >&5
$as_echo "$OCAMLDOCOPT" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


    if test "$OCAMLDOCOPT" != no ; then
	OCAMLDOC=$OCAMLDOCOPT
    fi
fi


#looking for ocamlgraph library

LOCALOCAMLGRAPH=no

if test "$USEOCAMLFIND" = yes; then
  OCAMLGRAPHLIB=$(ocamlfind query ocamlgraph)
fi
if test -n "$OCAMLGRAPHLIB"; then
   echo "ocamlfind found ocamlgraph in $OCAMLGRAPHLIB"
      OCAMLGRAPHLIB="-I $OCAMLGRAPHLIB"
      OCAMLGRAPHVER=" found by ocamlfind"
 else
 as_ac_File=`$as_echo "ac_cv_file_$OCAMLLIB/ocamlgraph/graph.cmi" | $as_tr_sh`
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $OCAMLLIB/ocamlgraph/graph.cmi" >&5
$as_echo_n "checking for $OCAMLLIB/ocamlgraph/graph.cmi... " >&6; }
if eval \${$as_ac_File+:} false; then :
  $as_echo_n "(cached) " >&6
else
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$OCAMLLIB/ocamlgraph/graph.cmi"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
$as_echo "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"; then :
  OCAMLGRAPH=yes
else
  OCAMLGRAPH=no
fi

 if test "$OCAMLGRAPH" = no ; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ocamlgraph/src/sig.mli" >&5
$as_echo_n "checking for ocamlgraph/src/sig.mli... " >&6; }
if ${ac_cv_file_ocamlgraph_src_sig_mli+:} false; then :
  $as_echo_n "(cached) " >&6
else
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "ocamlgraph/src/sig.mli"; then
  ac_cv_file_ocamlgraph_src_sig_mli=yes
else
  ac_cv_file_ocamlgraph_src_sig_mli=no
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_file_ocamlgraph_src_sig_mli" >&5
$as_echo "$ac_cv_file_ocamlgraph_src_sig_mli" >&6; }
if test "x$ac_cv_file_ocamlgraph_src_sig_mli" = xyes; then :
  OCAMLGRAPH=yes
else
  OCAMLGRAPH=no
fi

    if test "$OCAMLGRAPH" = no ; then
      as_fn_error $? "Cannot find ocamlgraph library. Please install the *libocamlgraph-ocaml-dev* Debian package - or use the GODI caml package system *http://godi.ocaml-programming.de/* - or compile from sources *http://ocamlgraph.lri.fr/*" "$LINENO" 5
    else
      OCAMLGRAPHLIB="-I ocamlgraph"
      OCAMLGRAPHVER=" in local subdir ocamlgraph"
      LOCALOCAMLGRAPH=yes
    fi
 else
    OCAMLGRAPHLIB="-I +ocamlgraph"
    OCAMLGRAPHVER=" in Ocaml lib, subdir ocamlgraph"
 fi
fi

# checking local ocamlgraph compilation

if test "$LOCALOCAMLGRAPH" = yes; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking ocamlgraph compilation" >&5
$as_echo_n "checking ocamlgraph compilation... " >&6; }
   if (cd ocamlgraph; ./configure && make) > /dev/null 2>&1; then
      { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
$as_echo "ok" >&6; }
   else
      as_fn_error $? "cannot compile ocamlgraph in ocamlgraph" "$LINENO" 5
   fi
fi

# checking for lablgtk2
if test "$USEOCAMLFIND" = yes; then
   LABLGTKSV2LIB=$(ocamlfind query lablgtk2.sourceview2)
   if test -z "$LABLGTKSV2LIB"; then
      LABLGTKSV2LIB=$(ocamlfind query lablgtksourceview2)
   fi
fi
if test -n "$LABLGTKSV2LIB";then
   echo "ocamlfind found lablgtksourceview2 in $LABLGTKSV2LIB"
   INCLUDEGTK2="-I $LABLGTKSV2LIB"
   LABLGTK2=yes
else
  as_ac_File=`$as_echo "ac_cv_file_$OCAMLLIB/lablgtk2/lablgtk.cma" | $as_tr_sh`
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $OCAMLLIB/lablgtk2/lablgtk.cma" >&5
$as_echo_n "checking for $OCAMLLIB/lablgtk2/lablgtk.cma... " >&6; }
if eval \${$as_ac_File+:} false; then :
  $as_echo_n "(cached) " >&6
else
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$OCAMLLIB/lablgtk2/lablgtk.cma"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
$as_echo "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"; then :
  LABLGTK2=yes
else
  LABLGTK2=no
fi

  # AC_CHECK_PROG(LABLGTK2,lablgtk2,yes,no) not always available (Win32)
  if test "$LABLGTK2" = yes ; then
        INCLUDEGTK2="-I +lablgtk2"
  fi
fi


# Extract the first word of "ocamlweb", so it can be a program name with args.
set dummy ocamlweb; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_OCAMLWEB+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$OCAMLWEB"; then
  ac_cv_prog_OCAMLWEB="$OCAMLWEB" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLWEB="ocamlweb"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLWEB" && ac_cv_prog_OCAMLWEB="true"
fi
fi
OCAMLWEB=$ac_cv_prog_OCAMLWEB
if test -n "$OCAMLWEB"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OCAMLWEB" >&5
$as_echo "$OCAMLWEB" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi



# apron library
default_apron=no
APRONLIBS=
# Check whether --enable-apron was given.
if test "${enable_apron+set}" = set; then :
  enableval=$enable_apron;
else
  enable_apron=$default_apron
fi


if test "$enable_apron" = "yes" ; then
   as_ac_File=`$as_echo "ac_cv_file_$OCAMLLIB/apron/apron.cmxa" | $as_tr_sh`
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $OCAMLLIB/apron/apron.cmxa" >&5
$as_echo_n "checking for $OCAMLLIB/apron/apron.cmxa... " >&6; }
if eval \${$as_ac_File+:} false; then :
  $as_echo_n "(cached) " >&6
else
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$OCAMLLIB/apron/apron.cmxa"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
$as_echo "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"; then :
  APRONLIB="-I +apron -I +gmp"
else
  APRONLIB=no
fi

   if test "$APRONLIB" = no ; then
      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for /usr/lib/apron.cmxa" >&5
$as_echo_n "checking for /usr/lib/apron.cmxa... " >&6; }
if ${ac_cv_file__usr_lib_apron_cmxa+:} false; then :
  $as_echo_n "(cached) " >&6
else
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "/usr/lib/apron.cmxa"; then
  ac_cv_file__usr_lib_apron_cmxa=yes
else
  ac_cv_file__usr_lib_apron_cmxa=no
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_file__usr_lib_apron_cmxa" >&5
$as_echo "$ac_cv_file__usr_lib_apron_cmxa" >&6; }
if test "x$ac_cv_file__usr_lib_apron_cmxa" = xyes; then :
  APRONLIB="-I /usr/lib -I /usr/local/lib"
else
  APRONLIB=no
fi

      if test "$APRONLIB" = no ; then
	 { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find APRON library." >&5
$as_echo "$as_me: WARNING: Cannot find APRON library." >&2;}
	 enable_apron="no (APRON library cannot be found, see above)"
      fi
   fi
fi

if test "$enable_apron" = "yes" ; then
   APRONLIBS="-cclib ' -lpolkaMPQ_caml -lpolkaMPQ -loctMPQ_caml -loctMPQ -lboxMPQ_caml -lboxMPQ -lapron_caml -lapron -lgmp_caml -lmpfr -lgmp -lbigarray -lcamlidl' bigarray.cmxa gmp.cmxa apron.cmxa box.cmxa polka.cmxa"
   ATPCMO=atp/atp.cmo
else
   APRONLIB=""
fi

# Frama-C
TESTFRAMAC=yes

if test "$TESTFRAMAC" = no ; then
   FRAMACPLUGIN=no
   FRAMACMSG="Disabled on user request"
else
   # Extract the first word of "frama-c", so it can be a program name with args.
set dummy frama-c; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_FRAMAC+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$FRAMAC"; then
  ac_cv_prog_FRAMAC="$FRAMAC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_FRAMAC="frama-c"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_FRAMAC" && ac_cv_prog_FRAMAC="no"
fi
fi
FRAMAC=$ac_cv_prog_FRAMAC
if test -n "$FRAMAC"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $FRAMAC" >&5
$as_echo "$FRAMAC" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


   if test "$FRAMAC" = no ; then
	{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find frama-c." >&5
$as_echo "$as_me: WARNING: Cannot find frama-c." >&2;}
	FRAMACPLUGIN=no
        FRAMACMSG="Cannot find Frama-C"
   else
      # we extract Ocaml version number
      { $as_echo "$as_me:${as_lineno-$LINENO}: checking Frama-c version" >&5
$as_echo_n "checking Frama-c version... " >&6; }
      FRAMACVERSION=`$FRAMAC -version | sed -n -e 's|Version: *\(.*\)$|\1|p' `
      { $as_echo "$as_me:${as_lineno-$LINENO}: result: $FRAMACVERSION" >&5
$as_echo "$FRAMACVERSION" >&6; }
      case $FRAMACVERSION in
        Neon-rc1|Neon-rc2|Neon-rc3|Neon-rc4|Neon-20140301)
           FRAMACPLUGIN=yes
           ;;
        Neon-*)
	   FRAMACMSG="Found unknown variant of Frama-C Neon (hope this works)"
           { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $FRAMACMSG" >&5
$as_echo "$as_me: WARNING: $FRAMACMSG" >&2;}
           FRAMACPLUGIN=yes
           ;;
        *) FRAMACMSG="you need Frama-C version Neon"
           FRAMACPLUGIN=no
           { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $FRAMACMSG" >&5
$as_echo "$as_me: WARNING: $FRAMACMSG" >&2;}
           ;;
      esac
   fi
fi

# camlp4
# Extract the first word of "camlp4o", so it can be a program name with args.
set dummy camlp4o; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_CAMLP4O+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$CAMLP4O"; then
  ac_cv_prog_CAMLP4O="$CAMLP4O" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_CAMLP4O="camlp4o"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_CAMLP4O" && ac_cv_prog_CAMLP4O="no"
fi
fi
CAMLP4O=$ac_cv_prog_CAMLP4O
if test -n "$CAMLP4O"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CAMLP4O" >&5
$as_echo "$CAMLP4O" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


if test "$CAMLP4O" = no ; then
     as_fn_error $? "Cannot find camlp4o." "$LINENO" 5
fi
CAMLP4LIB=`camlp4o -where`
CAMLP4VERSION=`$CAMLP4O -v 2>&1 | sed -n -e 's|.*version *\(.*\)$|\1|p'`
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking camlp4 version" >&5
$as_echo_n "checking camlp4 version... " >&6; }
if test "$CAMLP4VERSION" != "$OCAMLVERSION" ; then
     as_fn_error $? "differs from ocaml version" "$LINENO" 5
else
     { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
$as_echo "ok" >&6; }
fi

# Why3

# Extract the first word of "why3", so it can be a program name with args.
set dummy why3; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_WHY3+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$WHY3"; then
  ac_cv_prog_WHY3="$WHY3" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_WHY3="yes"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_WHY3" && ac_cv_prog_WHY3="no"
fi
fi
WHY3=$ac_cv_prog_WHY3
if test -n "$WHY3"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $WHY3" >&5
$as_echo "$WHY3" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


if test "$WHY3" = no ; then
  WHY3MSG="command 'why3' not found"
  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $WHY3MSG" >&5
$as_echo "$as_me: WARNING: $WHY3MSG" >&2;}
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: checking Why3 version" >&5
$as_echo_n "checking Why3 version... " >&6; }
  WHY3VERSION=`why3 --version | sed -n -e 's|.*version \([^ ]\+\) .*$|\1|p'`
  case $WHY3VERSION in
  0.83)
      { $as_echo "$as_me:${as_lineno-$LINENO}: result: $WHY3VERSION" >&5
$as_echo "$WHY3VERSION" >&6; }
      ;;
  0.82+git|0.83+git)
      { $as_echo "$as_me:${as_lineno-$LINENO}: result: $WHY3VERSION" >&5
$as_echo "$WHY3VERSION" >&6; }
      WHY3MSG="(version not guaranteed to be supported, hope this works)"
      { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $WHY3MSG" >&5
$as_echo "$as_me: WARNING: $WHY3MSG" >&2;}
      ;;
  0.6*|0.7*|0.8*)
      { $as_echo "$as_me:${as_lineno-$LINENO}: result: $WHY3VERSION" >&5
$as_echo "$WHY3VERSION" >&6; }
      WHY3="no"
      WHY3MSG="version $WHY3VERSION too old, why3 support discarded"
      { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $WHY3MSG" >&5
$as_echo "$as_me: WARNING: $WHY3MSG" >&2;}
      ;;
  *)
      { $as_echo "$as_me:${as_lineno-$LINENO}: result: $WHY3VERSION" >&5
$as_echo "$WHY3VERSION" >&6; }
      WHY3="no"
      WHY3MSG="unknown version $WHY3VERSION, why3 support discarded"
      { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $WHY3MSG" >&5
$as_echo "$as_me: WARNING: $WHY3MSG" >&2;}
      ;;
  esac
fi


WHYFLOATS=

# Coq
# Extract the first word of "coqc", so it can be a program name with args.
set dummy coqc; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_COQC+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$COQC"; then
  ac_cv_prog_COQC="$COQC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_COQC="coqc"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_COQC" && ac_cv_prog_COQC="no"
fi
fi
COQC=$ac_cv_prog_COQC
if test -n "$COQC"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $COQC" >&5
$as_echo "$COQC" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


if test "$COQC" = no ; then
    COQ=no
    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find coqc." >&5
$as_echo "$as_me: WARNING: Cannot find coqc." >&2;}
else
    COQ=yes
    # Extract the first word of "coqdep", so it can be a program name with args.
set dummy coqdep; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_COQDEP+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$COQDEP"; then
  ac_cv_prog_COQDEP="$COQDEP" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_COQDEP="coqdep"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_COQDEP" && ac_cv_prog_COQDEP="true"
fi
fi
COQDEP=$ac_cv_prog_COQDEP
if test -n "$COQDEP"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $COQDEP" >&5
$as_echo "$COQDEP" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


    if test "$COQDEP" = true ; then
	as_fn_error $? "Cannot find coqdep." "$LINENO" 5
    fi
    COQLIB=`$COQC -where | sed -e 's|\\\|/|g' -e 's| |\\ |g'`
    { $as_echo "$as_me:${as_lineno-$LINENO}: checking Coq version" >&5
$as_echo_n "checking Coq version... " >&6; }
    COQVERSION=`$COQC -v | sed -n -e 's|.*version \([^ ]\+\) .*$|\1|p' `

    case $COQVERSION in
    7.4*)
	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $COQVERSION" >&5
$as_echo "$COQVERSION" >&6; }
	COQC7=$COQC
	COQVER=v7
	WHYLIBCOQ=lib/coq-v7
	cp -f lib/coq-v7/WhyCoqDev.v lib/coq-v7/WhyCoqCompat.v;;
    8.*)
	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $COQVERSION" >&5
$as_echo "$COQVERSION" >&6; }
	COQC7="$COQC -v7"
	COQC8=$COQC
	COQVER=v8
	WHYLIBCOQ=lib/coq
	cp -f lib/coq-v7/WhyCoqDev.v lib/coq-v7/WhyCoqCompat.v
	case $COQVERSION in
	8.1*|8.2*|8.3*|8.4*|trunk)
	  JESSIELIBCOQ=lib/coq/jessie_why.vo
	  cp -f lib/coq/WhyCoqDev.v lib/coq/WhyCoqCompat.v
          # useful ??? [VP] Yes, the hack for making the output compliant with
          # Dp needs >= v8.1
          COQVER=v8.1
          ;;
	*)
	  JESSIELIBCOQ=
	  cp -f lib/coq/WhyCoq8.v lib/coq/WhyCoqCompat.v;;
        esac
	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking Coq floating-point library" >&5
$as_echo_n "checking Coq floating-point library... " >&6; }
	if test -f "$COQLIB/user-contrib/Flocq/Core/Fcore.vo"; then
	  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
	  WHYFLOATS="lib/coq/WhyFloats.vo lib/coq/WhyFloatsStrict.vo"
	  COQFLOATSMSG=yes
	else
	  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
	  COQFLOATSMSG="no (Coq library Flocq/Core/Fcore.vo not found)"
	fi
	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking Coq legacy floating-point library" >&5
$as_echo_n "checking Coq legacy floating-point library... " >&6; }
	if test -f "$COQLIB/user-contrib/AllFloat.vo" || test -f "$COQLIB/user-contrib/Float/AllFloat.vo"; then
	  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
	  WHYFLOATS="$WHYFLOATS lib/coq/WhyFloatsStrictLegacy.vo"
	  COQFLOATSLEGACYMSG=yes
	else
	  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
	  COQFLOATSLEGACYMSG="no (Coq library AllFloat.vo not found)"
	fi

	if test "$WHY3" != no ; then
	  { $as_echo "$as_me:${as_lineno-$LINENO}: checking Coq realizations for Why3" >&5
$as_echo_n "checking Coq realizations for Why3... " >&6; }
	  WHY3COQPATH=`why3 --print-libdir`/coq
	  if test -f "$WHY3COQPATH/int/Int.vo"; then
	    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
	    JESSIEWHY3LIBCOQ="lib/coq/Jessie_memory_model.vo"
	  else
	    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
	  fi
	fi
	;;
    *)
	COQ=no
	{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: You need Coq 7.4 or later; Coq support discarded" >&5
$as_echo "$as_me: WARNING: You need Coq 7.4 or later; Coq support discarded" >&2;};;
    esac
fi

# Alt-ergo

# PVS
# Extract the first word of "pvs", so it can be a program name with args.
set dummy pvs; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_path_PVSC+:} false; then :
  $as_echo_n "(cached) " >&6
else
  case $PVSC in
  [\\/]* | ?:[\\/]*)
  ac_cv_path_PVSC="$PVSC" # Let the user override the test with a path.
  ;;
  *)
  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_path_PVSC="$as_dir/$ac_word$ac_exec_ext"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_path_PVSC" && ac_cv_path_PVSC="no"
  ;;
esac
fi
PVSC=$ac_cv_path_PVSC
if test -n "$PVSC"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PVSC" >&5
$as_echo "$PVSC" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


if test "$PVSC" = no ; then
    PVS=no
    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find PVS." >&5
$as_echo "$as_me: WARNING: Cannot find PVS." >&2;}
else
    PVS=yes
    PVSLIB=`pvs -where`/lib
    if test "$PVSLIB" = /lib; then
       { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: PVS found but pvs -where did not work" >&5
$as_echo "$as_me: WARNING: PVS found but pvs -where did not work" >&2;}
       PVS=no;
    fi
fi

# Mizar
# Extract the first word of "mizf", so it can be a program name with args.
set dummy mizf; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_MIZF+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$MIZF"; then
  ac_cv_prog_MIZF="$MIZF" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_prog_MIZF="mizf"
    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_MIZF" && ac_cv_prog_MIZF="no"
fi
fi
MIZF=$ac_cv_prog_MIZF
if test -n "$MIZF"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MIZF" >&5
$as_echo "$MIZF" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi


if test "$MIZF" = no; then
    MIZAR=no
    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find Mizar." >&5
$as_echo "$as_me: WARNING: Cannot find Mizar." >&2;}
else
    MIZAR=yes
    { $as_echo "$as_me:${as_lineno-$LINENO}: checking Mizar library" >&5
$as_echo_n "checking Mizar library... " >&6; }
    if test -d "$MIZFILES"; then
	MIZARLIB=$MIZFILES
	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $MIZARLIB" >&5
$as_echo "$MIZARLIB" >&6; }
    else if test -d /usr/local/lib/mizar; then
	MIZARLIB=$MIZFILES
	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $MIZARLIB" >&5
$as_echo "$MIZARLIB" >&6; }
    else
	{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find Mizar library; please set \$MIZFILES" >&5
$as_echo "$as_me: WARNING: Cannot find Mizar library; please set \$MIZFILES" >&2;}
	MIZAR=no
    fi
    fi
fi

# substitutions to perform



















# AC_SUBST(CAMLP4O)
# AC_SUBST(CAMLP4LIB)
































# Finally create the Makefile from Makefile.in
ac_config_files="$ac_config_files Makefile bench/bench"

cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
# tests run on this system so they can be shared between configure
# scripts and configure runs, see configure's option --config-cache.
# It is not useful on other systems.  If it contains results you don't
# want to keep, you may remove or edit it.
#
# config.status only pays attention to the cache file if you give it
# the --recheck option to rerun configure.
#
# `ac_cv_env_foo' variables (set or unset) will be overridden when
# loading this file, other *unset* `ac_cv_foo' will be assigned the
# following values.

_ACEOF

# The following way of writing the cache mishandles newlines in values,
# but we know of no workaround that is simple, portable, and efficient.
# So, we kill variables containing newlines.
# Ultrix sh set writes to stderr and can't be redirected directly,
# and sets the high bit in the cache file unless we assign to the vars.
(
  for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
    eval ac_val=\$$ac_var
    case $ac_val in #(
    *${as_nl}*)
      case $ac_var in #(
      *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
      esac
      case $ac_var in #(
      _ | IFS | as_nl) ;; #(
      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
      *) { eval $ac_var=; unset $ac_var;} ;;
      esac ;;
    esac
  done

  (set) 2>&1 |
    case $as_nl`(ac_space=' '; set) 2>&1` in #(
    *${as_nl}ac_space=\ *)
      # `set' does not quote correctly, so add quotes: double-quote
      # substitution turns \\\\ into \\, and sed turns \\ into \.
      sed -n \
	"s/'/'\\\\''/g;
	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
      ;; #(
    *)
      # `set' quotes correctly as required by POSIX, so do not add quotes.
      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
      ;;
    esac |
    sort
) |
  sed '
     /^ac_cv_env_/b end
     t clear
     :clear
     s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
     t end
     s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
     :end' >>confcache
if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
  if test -w "$cache_file"; then
    if test "x$cache_file" != "x/dev/null"; then
      { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
$as_echo "$as_me: updating cache $cache_file" >&6;}
      if test ! -f "$cache_file" || test -h "$cache_file"; then
	cat confcache >"$cache_file"
      else
        case $cache_file in #(
        */* | ?:*)
	  mv -f confcache "$cache_file"$$ &&
	  mv -f "$cache_file"$$ "$cache_file" ;; #(
        *)
	  mv -f confcache "$cache_file" ;;
	esac
      fi
    fi
  else
    { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
  fi
fi
rm -f confcache

test "x$prefix" = xNONE && prefix=$ac_default_prefix
# Let make expand exec_prefix.
test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'

# Transform confdefs.h into DEFS.
# Protect against shell expansion while executing Makefile rules.
# Protect against Makefile macro expansion.
#
# If the first sed substitution is executed (which looks for macros that
# take arguments), then branch to the quote section.  Otherwise,
# look for a macro that doesn't take arguments.
ac_script='
:mline
/\\$/{
 N
 s,\\\n,,
 b mline
}
t clear
:clear
s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 (][^	 (]*([^)]*)\)[	 ]*\(.*\)/-D\1=\2/g
t quote
s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 ][^	 ]*\)[	 ]*\(.*\)/-D\1=\2/g
t quote
b any
:quote
s/[	 `~#$^&*(){}\\|;'\''"<>?]/\\&/g
s/\[/\\&/g
s/\]/\\&/g
s/\$/$$/g
H
:any
${
	g
	s/^\n//
	s/\n/ /g
	p
}
'
DEFS=`sed -n "$ac_script" confdefs.h`


ac_libobjs=
ac_ltlibobjs=
U=
for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
  # 1. Remove the extension, and $U if already installed.
  ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
  ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
  # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
  #    will be set to the directory where LIBOBJS objects are built.
  as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
  as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
done
LIBOBJS=$ac_libobjs

LTLIBOBJS=$ac_ltlibobjs



: "${CONFIG_STATUS=./config.status}"
ac_write_fail=0
ac_clean_files_save=$ac_clean_files
ac_clean_files="$ac_clean_files $CONFIG_STATUS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5
$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
as_write_fail=0
cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1
#! $SHELL
# Generated by $as_me.
# Run this file to recreate the current configuration.
# Compiler output produced by configure, useful for debugging
# configure, is in config.log if it exists.

debug=false
ac_cs_recheck=false
ac_cs_silent=false

SHELL=\${CONFIG_SHELL-$SHELL}
export SHELL
_ASEOF
cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1
## -------------------- ##
## M4sh Initialization. ##
## -------------------- ##

# Be more Bourne compatible
DUALCASE=1; export DUALCASE # for MKS sh
if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
  emulate sh
  NULLCMD=:
  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
  # is contrary to our usage.  Disable this feature.
  alias -g '${1+"$@"}'='"$@"'
  setopt NO_GLOB_SUBST
else
  case `(set -o) 2>/dev/null` in #(
  *posix*) :
    set -o posix ;; #(
  *) :
     ;;
esac
fi


as_nl='
'
export as_nl
# Printing a long string crashes Solaris 7 /usr/bin/printf.
as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
# Prefer a ksh shell builtin over an external printf program on Solaris,
# but without wasting forks for bash or zsh.
if test -z "$BASH_VERSION$ZSH_VERSION" \
    && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
  as_echo='print -r --'
  as_echo_n='print -rn --'
elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
  as_echo='printf %s\n'
  as_echo_n='printf %s'
else
  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
    as_echo_n='/usr/ucb/echo -n'
  else
    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
    as_echo_n_body='eval
      arg=$1;
      case $arg in #(
      *"$as_nl"*)
	expr "X$arg" : "X\\(.*\\)$as_nl";
	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
      esac;
      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
    '
    export as_echo_n_body
    as_echo_n='sh -c $as_echo_n_body as_echo'
  fi
  export as_echo_body
  as_echo='sh -c $as_echo_body as_echo'
fi

# The user is always right.
if test "${PATH_SEPARATOR+set}" != set; then
  PATH_SEPARATOR=:
  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
      PATH_SEPARATOR=';'
  }
fi


# IFS
# We need space, tab and new line, in precisely that order.  Quoting is
# there to prevent editors from complaining about space-tab.
# (If _AS_PATH_WALK were called with IFS unset, it would disable word
# splitting by setting IFS to empty value.)
IFS=" ""	$as_nl"

# Find who we are.  Look in the path if we contain no directory separator.
as_myself=
case $0 in #((
  *[\\/]* ) as_myself=$0 ;;
  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
  done
IFS=$as_save_IFS

     ;;
esac
# We did not find ourselves, most probably we were run as `sh COMMAND'
# in which case we are not to be found in the path.
if test "x$as_myself" = x; then
  as_myself=$0
fi
if test ! -f "$as_myself"; then
  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
  exit 1
fi

# Unset variables that we do not need and which cause bugs (e.g. in
# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
# suppresses any "Segmentation fault" message there.  '((' could
# trigger a bug in pdksh 5.2.14.
for as_var in BASH_ENV ENV MAIL MAILPATH
do eval test x\${$as_var+set} = xset \
  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
done
PS1='$ '
PS2='> '
PS4='+ '

# NLS nuisances.
LC_ALL=C
export LC_ALL
LANGUAGE=C
export LANGUAGE

# CDPATH.
(unset CDPATH) >/dev/null 2>&1 && unset CDPATH


# as_fn_error STATUS ERROR [LINENO LOG_FD]
# ----------------------------------------
# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
# script with STATUS, using 1 if that was 0.
as_fn_error ()
{
  as_status=$1; test $as_status -eq 0 && as_status=1
  if test "$4"; then
    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
  fi
  $as_echo "$as_me: error: $2" >&2
  as_fn_exit $as_status
} # as_fn_error


# as_fn_set_status STATUS
# -----------------------
# Set $? to STATUS, without forking.
as_fn_set_status ()
{
  return $1
} # as_fn_set_status

# as_fn_exit STATUS
# -----------------
# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
as_fn_exit ()
{
  set +e
  as_fn_set_status $1
  exit $1
} # as_fn_exit

# as_fn_unset VAR
# ---------------
# Portably unset VAR.
as_fn_unset ()
{
  { eval $1=; unset $1;}
}
as_unset=as_fn_unset
# as_fn_append VAR VALUE
# ----------------------
# Append the text in VALUE to the end of the definition contained in VAR. Take
# advantage of any shell optimizations that allow amortized linear growth over
# repeated appends, instead of the typical quadratic growth present in naive
# implementations.
if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
  eval 'as_fn_append ()
  {
    eval $1+=\$2
  }'
else
  as_fn_append ()
  {
    eval $1=\$$1\$2
  }
fi # as_fn_append

# as_fn_arith ARG...
# ------------------
# Perform arithmetic evaluation on the ARGs, and store the result in the
# global $as_val. Take advantage of shells that can avoid forks. The arguments
# must be portable across $(()) and expr.
if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
  eval 'as_fn_arith ()
  {
    as_val=$(( $* ))
  }'
else
  as_fn_arith ()
  {
    as_val=`expr "$@" || test $? -eq 1`
  }
fi # as_fn_arith


if expr a : '\(a\)' >/dev/null 2>&1 &&
   test "X`expr 00001 : '.*\(...\)'`" = X001; then
  as_expr=expr
else
  as_expr=false
fi

if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
  as_basename=basename
else
  as_basename=false
fi

if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
  as_dirname=dirname
else
  as_dirname=false
fi

as_me=`$as_basename -- "$0" ||
$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
	 X"$0" : 'X\(//\)$' \| \
	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X/"$0" |
    sed '/^.*\/\([^/][^/]*\)\/*$/{
	    s//\1/
	    q
	  }
	  /^X\/\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\/\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`

# Avoid depending upon Character Ranges.
as_cr_letters='abcdefghijklmnopqrstuvwxyz'
as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
as_cr_Letters=$as_cr_letters$as_cr_LETTERS
as_cr_digits='0123456789'
as_cr_alnum=$as_cr_Letters$as_cr_digits

ECHO_C= ECHO_N= ECHO_T=
case `echo -n x` in #(((((
-n*)
  case `echo 'xy\c'` in
  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
  xy)  ECHO_C='\c';;
  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
       ECHO_T='	';;
  esac;;
*)
  ECHO_N='-n';;
esac

rm -f conf$$ conf$$.exe conf$$.file
if test -d conf$$.dir; then
  rm -f conf$$.dir/conf$$.file
else
  rm -f conf$$.dir
  mkdir conf$$.dir 2>/dev/null
fi
if (echo >conf$$.file) 2>/dev/null; then
  if ln -s conf$$.file conf$$ 2>/dev/null; then
    as_ln_s='ln -s'
    # ... but there are two gotchas:
    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
    # In both cases, we have to default to `cp -pR'.
    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
      as_ln_s='cp -pR'
  elif ln conf$$.file conf$$ 2>/dev/null; then
    as_ln_s=ln
  else
    as_ln_s='cp -pR'
  fi
else
  as_ln_s='cp -pR'
fi
rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
rmdir conf$$.dir 2>/dev/null


# as_fn_mkdir_p
# -------------
# Create "$as_dir" as a directory, including parents if necessary.
as_fn_mkdir_p ()
{

  case $as_dir in #(
  -*) as_dir=./$as_dir;;
  esac
  test -d "$as_dir" || eval $as_mkdir_p || {
    as_dirs=
    while :; do
      case $as_dir in #(
      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
      *) as_qdir=$as_dir;;
      esac
      as_dirs="'$as_qdir' $as_dirs"
      as_dir=`$as_dirname -- "$as_dir" ||
$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
	 X"$as_dir" : 'X\(//\)[^/]' \| \
	 X"$as_dir" : 'X\(//\)$' \| \
	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X"$as_dir" |
    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)[^/].*/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`
      test -d "$as_dir" && break
    done
    test -z "$as_dirs" || eval "mkdir $as_dirs"
  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"


} # as_fn_mkdir_p
if mkdir -p . 2>/dev/null; then
  as_mkdir_p='mkdir -p "$as_dir"'
else
  test -d ./-p && rmdir ./-p
  as_mkdir_p=false
fi


# as_fn_executable_p FILE
# -----------------------
# Test if FILE is an executable regular file.
as_fn_executable_p ()
{
  test -f "$1" && test -x "$1"
} # as_fn_executable_p
as_test_x='test -x'
as_executable_p=as_fn_executable_p

# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"

# Sed expression to map a string onto a valid variable name.
as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"


exec 6>&1
## ----------------------------------- ##
## Main body of $CONFIG_STATUS script. ##
## ----------------------------------- ##
_ASEOF
test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# Save the log message, to keep $0 and so on meaningful, and to
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by $as_me, which was
generated by GNU Autoconf 2.69.  Invocation command line was

  CONFIG_FILES    = $CONFIG_FILES
  CONFIG_HEADERS  = $CONFIG_HEADERS
  CONFIG_LINKS    = $CONFIG_LINKS
  CONFIG_COMMANDS = $CONFIG_COMMANDS
  $ $0 $@

on `(hostname || uname -n) 2>/dev/null | sed 1q`
"

_ACEOF

case $ac_config_files in *"
"*) set x $ac_config_files; shift; ac_config_files=$*;;
esac



cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
# Files that config.status was made for.
config_files="$ac_config_files"

_ACEOF

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
ac_cs_usage="\
\`$as_me' instantiates files and other configuration actions
from templates according to the current configuration.  Unless the files
and actions are specified as TAGs, all are instantiated by default.

Usage: $0 [OPTION]... [TAG]...

  -h, --help       print this help, then exit
  -V, --version    print version number and configuration settings, then exit
      --config     print configuration, then exit
  -q, --quiet, --silent
                   do not print progress messages
  -d, --debug      don't remove temporary files
      --recheck    update $as_me by reconfiguring in the same conditions
      --file=FILE[:TEMPLATE]
                   instantiate the configuration file FILE

Configuration files:
$config_files

Report bugs to the package provider."

_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
config.status
configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"

Copyright (C) 2012 Free Software Foundation, Inc.
This config.status script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it."

ac_pwd='$ac_pwd'
srcdir='$srcdir'
test -n "\$AWK" || AWK=awk
_ACEOF

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# The default lists apply if the user does not specify any file.
ac_need_defaults=:
while test $# != 0
do
  case $1 in
  --*=?*)
    ac_option=`expr "X$1" : 'X\([^=]*\)='`
    ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
    ac_shift=:
    ;;
  --*=)
    ac_option=`expr "X$1" : 'X\([^=]*\)='`
    ac_optarg=
    ac_shift=:
    ;;
  *)
    ac_option=$1
    ac_optarg=$2
    ac_shift=shift
    ;;
  esac

  case $ac_option in
  # Handling of the options.
  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
    ac_cs_recheck=: ;;
  --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
    $as_echo "$ac_cs_version"; exit ;;
  --config | --confi | --conf | --con | --co | --c )
    $as_echo "$ac_cs_config"; exit ;;
  --debug | --debu | --deb | --de | --d | -d )
    debug=: ;;
  --file | --fil | --fi | --f )
    $ac_shift
    case $ac_optarg in
    *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
    '') as_fn_error $? "missing file argument" ;;
    esac
    as_fn_append CONFIG_FILES " '$ac_optarg'"
    ac_need_defaults=false;;
  --he | --h |  --help | --hel | -h )
    $as_echo "$ac_cs_usage"; exit ;;
  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
  | -silent | --silent | --silen | --sile | --sil | --si | --s)
    ac_cs_silent=: ;;

  # This is an error.
  -*) as_fn_error $? "unrecognized option: \`$1'
Try \`$0 --help' for more information." ;;

  *) as_fn_append ac_config_targets " $1"
     ac_need_defaults=false ;;

  esac
  shift
done

ac_configure_extra_args=

if $ac_cs_silent; then
  exec 6>/dev/null
  ac_configure_extra_args="$ac_configure_extra_args --silent"
fi

_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
if \$ac_cs_recheck; then
  set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
  shift
  \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
  CONFIG_SHELL='$SHELL'
  export CONFIG_SHELL
  exec "\$@"
fi

_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
exec 5>>config.log
{
  echo
  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
## Running $as_me. ##
_ASBOX
  $as_echo "$ac_log"
} >&5

_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
_ACEOF

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1

# Handling of arguments.
for ac_config_target in $ac_config_targets
do
  case $ac_config_target in
    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
    "bench/bench") CONFIG_FILES="$CONFIG_FILES bench/bench" ;;

  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac
done


# If the user did not use the arguments to specify the items to instantiate,
# then the envvar interface is used.  Set only those that are not.
# We use the long form for the default assignment because of an extremely
# bizarre bug on SunOS 4.1.3.
if $ac_need_defaults; then
  test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
fi

# Have a temporary directory for convenience.  Make it in the build tree
# simply because there is no reason against having it here, and in addition,
# creating and moving files from /tmp can sometimes cause problems.
# Hook for its removal unless debugging.
# Note that there is a small window in which the directory will not be cleaned:
# after its creation but before its name has been assigned to `$tmp'.
$debug ||
{
  tmp= ac_tmp=
  trap 'exit_status=$?
  : "${ac_tmp:=$tmp}"
  { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status
' 0
  trap 'as_fn_exit 1' 1 2 13 15
}
# Create a (secure) tmp directory for tmp files.

{
  tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
  test -d "$tmp"
}  ||
{
  tmp=./conf$$-$RANDOM
  (umask 077 && mkdir "$tmp")
} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
ac_tmp=$tmp

# Set up the scripts for CONFIG_FILES section.
# No need to generate them if there are no CONFIG_FILES.
# This happens for instance with `./config.status config.h'.
if test -n "$CONFIG_FILES"; then


ac_cr=`echo X | tr X '\015'`
# On cygwin, bash can eat \r inside `` if the user requested igncr.
# But we know of no other shell where ac_cr would be empty at this
# point, so we can use a bashism as a fallback.
if test "x$ac_cr" = x; then
  eval ac_cr=\$\'\\r\'
fi
ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null`
if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
  ac_cs_awk_cr='\\r'
else
  ac_cs_awk_cr=$ac_cr
fi

echo 'BEGIN {' >"$ac_tmp/subs1.awk" &&
_ACEOF


{
  echo "cat >conf$$subs.awk <<_ACEOF" &&
  echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
  echo "_ACEOF"
} >conf$$subs.sh ||
  as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
  . ./conf$$subs.sh ||
    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5

  ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
  if test $ac_delim_n = $ac_delim_num; then
    break
  elif $ac_last_try; then
    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
  else
    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
  fi
done
rm -f conf$$subs.sh

cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK &&
_ACEOF
sed -n '
h
s/^/S["/; s/!.*/"]=/
p
g
s/^[^!]*!//
:repl
t repl
s/'"$ac_delim"'$//
t delim
:nl
h
s/\(.\{148\}\)..*/\1/
t more1
s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
p
n
b repl
:more1
s/["\\]/\\&/g; s/^/"/; s/$/"\\/
p
g
s/.\{148\}//
t nl
:delim
h
s/\(.\{148\}\)..*/\1/
t more2
s/["\\]/\\&/g; s/^/"/; s/$/"/
p
b
:more2
s/["\\]/\\&/g; s/^/"/; s/$/"\\/
p
g
s/.\{148\}//
t delim
' >$CONFIG_STATUS || ac_write_fail=1
rm -f conf$$subs.awk
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
_ACAWK
cat >>"\$ac_tmp/subs1.awk" <<_ACAWK &&
  for (key in S) S_is_set[key] = 1
  FS = ""

}
{
  line = $ 0
  nfields = split(line, field, "@")
  substed = 0
  len = length(field[1])
  for (i = 2; i < nfields; i++) {
    key = field[i]
    keylen = length(key)
    if (S_is_set[key]) {
      value = S[key]
      line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
      len += length(value) + length(field[++i])
      substed = 1
    } else
      len += 1 + keylen
  }

  print line
}

_ACAWK
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
  sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
else
  cat
fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \
  || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
_ACEOF

# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
# trailing colons and then remove the whole line if VPATH becomes empty
# (actually we leave an empty line to preserve line numbers).
if test "x$srcdir" = x.; then
  ac_vpsub='/^[	 ]*VPATH[	 ]*=[	 ]*/{
h
s///
s/^/:/
s/[	 ]*$/:/
s/:\$(srcdir):/:/g
s/:\${srcdir}:/:/g
s/:@srcdir@:/:/g
s/^:*//
s/:*$//
x
s/\(=[	 ]*\).*/\1/
G
s/\n//
s/^[^=]*=[	 ]*$//
}'
fi

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
fi # test -n "$CONFIG_FILES"


eval set X "  :F $CONFIG_FILES      "
shift
for ac_tag
do
  case $ac_tag in
  :[FHLC]) ac_mode=$ac_tag; continue;;
  esac
  case $ac_mode$ac_tag in
  :[FHL]*:*);;
  :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;;
  :[FH]-) ac_tag=-:-;;
  :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
  esac
  ac_save_IFS=$IFS
  IFS=:
  set x $ac_tag
  IFS=$ac_save_IFS
  shift
  ac_file=$1
  shift

  case $ac_mode in
  :L) ac_source=$1;;
  :[FH])
    ac_file_inputs=
    for ac_f
    do
      case $ac_f in
      -) ac_f="$ac_tmp/stdin";;
      *) # Look for the file first in the build tree, then in the source tree
	 # (if the path is not absolute).  The absolute path cannot be DOS-style,
	 # because $ac_f cannot contain `:'.
	 test -f "$ac_f" ||
	   case $ac_f in
	   [\\/$]*) false;;
	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
	   esac ||
	   as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;;
      esac
      case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
      as_fn_append ac_file_inputs " '$ac_f'"
    done

    # Let's still pretend it is `configure' which instantiates (i.e., don't
    # use $as_me), people would be surprised to read:
    #    /* config.h.  Generated by config.status.  */
    configure_input='Generated from '`
	  $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
	`' by configure.'
    if test x"$ac_file" != x-; then
      configure_input="$ac_file.  $configure_input"
      { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5
$as_echo "$as_me: creating $ac_file" >&6;}
    fi
    # Neutralize special characters interpreted by sed in replacement strings.
    case $configure_input in #(
    *\&* | *\|* | *\\* )
       ac_sed_conf_input=`$as_echo "$configure_input" |
       sed 's/[\\\\&|]/\\\\&/g'`;; #(
    *) ac_sed_conf_input=$configure_input;;
    esac

    case $ac_tag in
    *:-:* | *:-) cat >"$ac_tmp/stdin" \
      || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;;
    esac
    ;;
  esac

  ac_dir=`$as_dirname -- "$ac_file" ||
$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
	 X"$ac_file" : 'X\(//\)[^/]' \| \
	 X"$ac_file" : 'X\(//\)$' \| \
	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X"$ac_file" |
    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)[^/].*/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`
  as_dir="$ac_dir"; as_fn_mkdir_p
  ac_builddir=.

case "$ac_dir" in
.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
*)
  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
  # A ".." for each directory in $ac_dir_suffix.
  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
  case $ac_top_builddir_sub in
  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
  esac ;;
esac
ac_abs_top_builddir=$ac_pwd
ac_abs_builddir=$ac_pwd$ac_dir_suffix
# for backward compatibility:
ac_top_builddir=$ac_top_build_prefix

case $srcdir in
  .)  # We are building in place.
    ac_srcdir=.
    ac_top_srcdir=$ac_top_builddir_sub
    ac_abs_top_srcdir=$ac_pwd ;;
  [\\/]* | ?:[\\/]* )  # Absolute name.
    ac_srcdir=$srcdir$ac_dir_suffix;
    ac_top_srcdir=$srcdir
    ac_abs_top_srcdir=$srcdir ;;
  *) # Relative name.
    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
    ac_top_srcdir=$ac_top_build_prefix$srcdir
    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
esac
ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix


  case $ac_mode in
  :F)
  #
  # CONFIG_FILE
  #

_ACEOF

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# If the template does not know about datarootdir, expand it.
# FIXME: This hack should be removed a few years after 2.60.
ac_datarootdir_hack=; ac_datarootdir_seen=
ac_sed_dataroot='
/datarootdir/ {
  p
  q
}
/@datadir@/p
/@docdir@/p
/@infodir@/p
/@localedir@/p
/@mandir@/p'
case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
*datarootdir*) ac_datarootdir_seen=yes;;
*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
  ac_datarootdir_hack='
  s&@datadir@&$datadir&g
  s&@docdir@&$docdir&g
  s&@infodir@&$infodir&g
  s&@localedir@&$localedir&g
  s&@mandir@&$mandir&g
  s&\\\${datarootdir}&$datarootdir&g' ;;
esac
_ACEOF

# Neutralize VPATH when `$srcdir' = `.'.
# Shell code in configure.ac might set extrasub.
# FIXME: do we really want to maintain this feature?
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_sed_extra="$ac_vpsub
$extrasub
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
:t
/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
s|@configure_input@|$ac_sed_conf_input|;t t
s&@top_builddir@&$ac_top_builddir_sub&;t t
s&@top_build_prefix@&$ac_top_build_prefix&;t t
s&@srcdir@&$ac_srcdir&;t t
s&@abs_srcdir@&$ac_abs_srcdir&;t t
s&@top_srcdir@&$ac_top_srcdir&;t t
s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
s&@builddir@&$ac_builddir&;t t
s&@abs_builddir@&$ac_abs_builddir&;t t
s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
$ac_datarootdir_hack
"
eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \
  >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5

test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
  { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } &&
  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' \
      "$ac_tmp/out"`; test -z "$ac_out"; } &&
  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
which seems to be undefined.  Please make sure it is defined" >&5
$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
which seems to be undefined.  Please make sure it is defined" >&2;}

  rm -f "$ac_tmp/stdin"
  case $ac_file in
  -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";;
  *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";;
  esac \
  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
 ;;



  esac

done # for ac_tag


as_fn_exit 0
_ACEOF
ac_clean_files=$ac_clean_files_save

test $ac_write_fail = 0 ||
  as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5


# configure is writing to config.log, and then calls config.status.
# config.status does its own redirection, appending to config.log.
# Unfortunately, on DOS this fails, as config.log is still kept open
# by configure, so config.status won't be able to write to it; its
# output is simply discarded.  So we exec the FD to /dev/null,
# effectively closing config.log, so it can be properly (re)opened and
# appended to by config.status.  When coming back to configure, we
# need to make the FD available again.
if test "$no_create" != yes; then
  ac_cs_success=:
  ac_config_status_args=
  test "$silent" = yes &&
    ac_config_status_args="$ac_config_status_args --quiet"
  exec 5>/dev/null
  $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
  exec 5>>config.log
  # Use ||, not &&, to avoid exiting from the if with $? = 1, which
  # would make configure fail if this is the last instruction.
  $ac_cs_success || as_fn_exit 1
fi
if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
fi

chmod a-w Makefile bench/bench
chmod a+x bench/bench

# Summary

echo
echo "                 Summary"
echo "-----------------------------------------"
echo "OCaml version            : $OCAMLVERSION"
echo "OCaml library path       : $OCAMLLIB"
echo "OcamlGraph lib           : $OCAMLGRAPHVER"
echo "Verbose make             : $VERBOSEMAKE"
echo "Inference of annotations : $enable_apron"
if test "$enable_apron" = "yes" ; then
   echo "    APRON lib            : $APRONLIB"
fi
echo "Why3 support             : $WHY3"
if test "$WHY3" = "yes" ; then
   echo "    Version              : $WHY3VERSION"
fi
if test -n "$WHY3MSG" ; then
   echo "    $WHY3MSG"
fi
echo "Frama-C plugin           : $FRAMACPLUGIN"
if test "$FRAMACPLUGIN" = "yes" ; then
   echo "    Frama-C version      : $FRAMACVERSION"
   if test -n "$FRAMACMSG" ; then
      echo "    $FRAMACMSG"
   fi
else
   echo "    $FRAMACMSG"
fi
echo "GWhy                     : $LABLGTK2"
echo "Coq support              : $COQ"
if test "$COQ" = "yes" ; then
   echo "    Version              : $COQVER ($COQVERSION)"
   if test "$JESSIELIBCOQ" = ""; then
      echo "                         : (Jessie/Why2 Coq proofs disabled, requires >= 8.1)"
   fi
   if test "$JESSIEWHY3LIBCOQ" = ""; then
      echo "                         : (Jessie/Why3 Coq proofs disabled, requires Coq realizations for Why3)"
   fi
   echo "    Lib                  : $COQLIB"
   echo "    FP lib (Flocq)       : $COQFLOATSMSG"
   echo "    FP lib (Float)       : $COQFLOATSLEGACYMSG"
fi
echo "PVS support              : $PVS"
if test "$PVS" = "yes" ; then
   echo "    Bin                  : $PVSC"
   echo "    Lib                  : $PVSLIB"
fi
echo "Mizar support            : $MIZAR"
echo "Other provers support    : at run-time (use why-config to configure)"
why-2.34/Makefile.in0000644000175000017500000011733312311670312012672 0ustar  rtusers##########################################################################
#                                                                        #
#  The Why platform for program certification                            #
#                                                                        #
#  Copyright (C) 2002-2014                                               #
#                                                                        #
#    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   #
#    Claude MARCHE, INRIA & Univ. Paris-sud                              #
#    Yannick MOY, Univ. Paris-sud                                        #
#    Romain BARDOU, Univ. Paris-sud                                      #
#                                                                        #
#  Secondary contributors:                                               #
#                                                                        #
#    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        #
#    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             #
#    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           #
#    Sylvie BOLDO, INRIA              (floating-point support)           #
#    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     #
#    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          #
#                                                                        #
#  This software is free software; you can redistribute it and/or        #
#  modify it under the terms of the GNU Lesser General Public            #
#  License version 2.1, with the special exception on linking            #
#  described in file LICENSE.                                            #
#                                                                        #
#  This software is distributed in the hope that it will be useful,      #
#  but WITHOUT ANY WARRANTY; without even the implied warranty of        #
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  #
#                                                                        #
##########################################################################

VERBOSEMAKE ?= @VERBOSEMAKE@

ifeq ($(VERBOSEMAKE),yes)
 QUIET =
else
 QUIET = yes
endif

# where to install the binaries
DESTDIR =
prefix=@prefix@
datarootdir=@datarootdir@
exec_prefix=@exec_prefix@
BINDIR=$(DESTDIR)@bindir@
LIBDIR=$(DESTDIR)@libdir@

EXE=@EXE@
STRIP=@STRIP@

# where to install the man page
MANDIR=$(DESTDIR)@mandir@

# other variables
OCAMLC   = @OCAMLC@
OCAMLOPT = @OCAMLOPT@
OCAMLDEP = @OCAMLDEP@
OCAMLLEX = @OCAMLLEX@
OCAMLYACC= @OCAMLYACC@
OCAMLDOC = @OCAMLDOC@
OCAMLLIB = @OCAMLLIB@
OCAMLBEST= @OCAMLBEST@
OCAMLVERSION = @OCAMLVERSION@
CAMLP4   = @CAMLP4O@

INCLUDES = -I src -I jc -I c -I java -I intf -I tools -I mix -I ml
BFLAGS   = -w Z -warn-error A -dtypes -g $(INCLUDES) @INCLUDEGTK2@ -I +threads @OCAMLGRAPHLIB@
OFLAGS   = -w Z -warn-error A -dtypes $(INCLUDES) @INCLUDEGTK2@ -I +threads @OCAMLGRAPHLIB@

LCFLAGS = -L/usr/lib -L/usr/local/lib/ocaml

APRONLIB = @APRONLIB@
APRONLIBS = @APRONLIBS@
APRONBYTLIBS = $(APRONLIBS:.cmxa=.cma)

export FRAMAC = @FRAMAC@
FRAMACPLUGIN = @FRAMACPLUGIN@

ifeq ($(FRAMACPLUGIN),yes)
JESSIE_PLUGIN_BYTE= jessie_plugin.byte
JESSIE_PLUGIN_OPT= jessie_plugin.opt
JESSIE_PLUGIN_BEST= jessie_plugin.$(OCAMLBEST)
.PHONY: $(JESSIE_PLUGIN_BYTE) $(JESSIE_PLUGIN_OPT)
endif

enable_local=@enable_local@

ATPLIB = -I atp

COQC7  = @COQC7@
COQC8  = @COQC8@
COQDEP = @COQDEP@
COQLIB = $(DESTDIR)"@COQLIB@"
COQVER = @COQVER@

VO7= lib/coq-v7/WhyInt.vo lib/coq-v7/WhyArrays.vo  lib/coq-v7/WhyBool.vo \
     lib/coq-v7/WhyTuples.vo  lib/coq-v7/WhyPermut.vo \
     lib/coq-v7/WhySorted.vo  lib/coq-v7/Why.vo     lib/coq-v7/WhyReal.vo \
     lib/coq-v7/WhyExn.vo lib/coq-v7/WhyCoqCompat.vo \
     lib/coq-v7/WhyLemmas.vo  lib/coq-v7/WhyTactics.vo lib/coq-v7/WhyCM.vo

V7FILES=$(VO7:.vo=.v)

VO8= lib/coq/WhyInt.vo lib/coq/WhyArrays.vo  lib/coq/WhyBool.vo \
     lib/coq/WhyTuples.vo  lib/coq/WhyPermut.vo lib/coq/WhyCoqCompat.vo \
     lib/coq/WhySorted.vo  \
     lib/coq/WhyExn.vo lib/coq/WhyLemmas.vo  lib/coq/WhyTactics.vo \
     lib/coq/WhyPrelude.vo lib/coq/WhyCM.vo lib/coq/Why.vo lib/coq/WhyReal.vo \
     @JESSIEWHY3LIBCOQ@ \
     @JESSIELIBCOQ@ \
     @WHYFLOATS@

V8FILES=$(VO8:.vo=.v)

PVSFILES = lib/pvs/why.pvs lib/pvs/jessie.pvs lib/pvs/whyfloat.pvs
PVSLIB = $(DESTDIR)@PVSLIB@

GENERATED = src/version.ml src/rc.ml src/xml.ml \
	    src/lexer.ml src/parser.mli \
            src/parser.ml src/linenum.ml \
            jc/numconst.ml jc/jc_stdlib.ml \
	    jc/jc_lexer.ml jc/jc_parser.mli jc/jc_parser.ml \
	    jc/jc_ai.ml \
	    java/java_parser.mli java/java_parser.ml java/java_lexer.ml \
	    ml/parsing/parser.mli ml/parsing/parser.ml ml/parsing/lexer.ml \
	    ml/parsing/linenum.ml \
	    c/cversion.ml c/clexer.ml c/cparser.ml c/cparser.mli \
	    c/cllexer.ml c/clparser.ml c/clparser.mli c/cpp.ml c/cconst.ml \
	    intf/hilight.ml intf/whyhilight.ml \
	    intf/tagsplit.ml intf/config.ml \
	    tools/why2html.ml  tools/cvcl_split.ml \
	    tools/simplify_split.ml tools/smtlib_split.ml tools/rv_split.ml \
	    tools/zenon_split.ml tools/ergo_split.ml \
	    tools/simplify_lexer.ml tools/simplify_parser.mli \
	    tools/simplify_parser.ml \
	    tools/toolstat_lex.ml \
	    tools/toolstat_pars.ml tools/toolstat_pars.mli \
	    mix/mix_lexer.ml mix/mix_parser.mli mix/mix_parser.ml \
	    lib/why3/why3.conf


# main targets
##############

BINARY=bin/why.$(OCAMLBEST)
WHYCONFIG=bin/why-config.$(OCAMLBEST)
JESSIE=bin/jessie.$(OCAMLBEST)
KRAKATOA=bin/krakatoa.$(OCAMLBEST)
JESSICA=bin/jessica.$(OCAMLBEST)
STATICBINARY=bin/why.static
WHY2HTML=bin/why2html.$(OCAMLBEST)
RVMERGE=bin/rv_merge.$(OCAMLBEST)
DP=bin/why-dp.$(OCAMLBEST)
CPULIMIT=bin/why-cpulimit
WHYOBFUSCATOR=bin/why-obfuscator.$(OCAMLBEST)
WHYSTAT=bin/why-stat.$(OCAMLBEST)
TOOLSTAT=bin/tool-stat.$(OCAMLBEST)
SIMPLIFY2WHY=bin/simplify2why.$(OCAMLBEST)
REGTEST=regtest.$(OCAMLBEST)

TOOLS=$(WHY2HTML) $(DP) $(CPULIMIT) $(RVMERGE) $(WHYOBFUSCATOR) \
      $(SIMPLIFY2WHY) $(WHYSTAT) $(TOOLSTAT)

ifeq ($(OCAMLBEST),opt)
JCLIB=jc/jc.cmo jc/jc.cmx jc/jc.o
else
JCLIB=jc/jc.cmo
endif

all: all-without-frama-c-plugin .depend $(JESSIE_PLUGIN_BEST)

all-without-frama-c-plugin: $(BINARY) $(WHYCONFIG) check $(JESSIE) $(KRAKATOA) coq-@COQ@ pvs-@PVS@ $(TOOLS) gwhy-@LABLGTK2@ $(JCLIB) $(REGTEST)

# refrain parallel make (-j nn) from starting ocaml compilation too early
*.cm*: .depend

opt: bin/why.opt bin/gwhy.opt bin/jessie.opt bin/krakatoa.opt \
	$(JESSIE_PLUGIN_OPT)
byte: bin/why.byte bin/gwhy.byte bin/jessie.byte bin/krakatoa.byte \
	$(JESSIE_PLUGIN_BYTE)

.PHONY: check

WHYLIBS=lib/why/bool.why lib/why/integer.why lib/why/divisions.why \
	lib/why/real.why lib/why/arrays.why \
	lib/why/jessie.why lib/why/jessie_bitvectors.why \
	lib/why/mybag.why \
	lib/why/mix.why \
	lib/why/floats_common.why lib/why/floats_strict.why \
	lib/why/floats_full.why lib/why/floats_multi_rounding.why 



PRELUDE=lib/why/prelude.why $(WHYLIBS)

# sanity check: the prelude files do typecheck
check: $(BINARY) $(PRELUDE)
	WHYLIB=lib $(BINARY) --no-pervasives -tc lib/why/prelude.why
	for f in $(WHYLIBS) ; do \
		WHYLIB=lib $(BINARY) -tc $$f; \
	done

#lib/coq/float_common_Gappa_why.v: lib/why/floats_common.why
#	WHYLIB=lib $(BINARY) -tc -output $@ $<

# why-config
WHYCONFIGCMO = src/rc.cmo src/version.cmo tools/dpConfig.cmo tools/whyConfig.cmo
WHYCONFIGCMX = $(WHYCONFIGCMO:.cmo=.cmx)

bin/why-config.opt: $(WHYCONFIGCMX)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) $(OFLAGS) -o $@ unix.cmxa str.cmxa $^
	$(STRIP) $@

bin/why-config.byte: $(WHYCONFIGCMO)
	# $(if $(QUIET),@echo 'Linking  $@' &&)
	$(OCAMLC) $(BFLAGS) -o $@ unix.cma str.cma $^


# why
CMO_EXPORT =  src/lib.cmo src/rc.cmo src/loc.cmo \
	   src/ident.cmo src/print_real.cmo  \
	   src/effect.cmo src/pp.cmo src/option_misc.cmo \
	   src/parser.cmo src/lexer.cmo src/report.cmo \
           src/explain.cmo 	\
	   src/xml.cmo src/project.cmo

CMO = src/lib.cmo src/rc.cmo tools/dpConfig.cmo \
      src/version.cmo src/options.cmo src/linenum.cmo src/loc.cmo \
	   src/ident.cmo src/print_real.cmo  \
	   src/effect.cmo src/pp.cmo src/option_misc.cmo src/misc.cmo 	\
	   src/parser.cmo src/lexer.cmo src/report.cmo \
           src/env.cmo src/mapenv.cmo src/rename.cmo src/explain.cmo src/util.cmo \
           src/ltyping.cmo src/typing.cmo src/wp.cmo src/fastwp.cmo \
           src/monad.cmo src/mlize.cmo src/red.cmo src/vcg.cmo \
	   src/predDefExpansor.cmo src/encoding_mono_inst.cmo \
	   src/encoding_rec.cmo src/encoding_pred.cmo src/encoding_strat.cmo \
	   src/encoding_mono.cmo src/monomorph.cmo src/encoding.cmo \
	   src/pvs.cmo src/hol4.cmo src/gappa.cmo \
	   src/holl.cmo src/harvey.cmo src/simplify.cmo  \
           src/regen.cmo src/mizar.cmo src/smtlib.cmo src/coq.cmo \
	   src/zenon.cmo src/z3.cmo src/cvcl.cmo tools/calldp.cmo \
	   src/xml.cmo src/project.cmo \
	   src/why3_kw.cmo src/why3.cmo src/pretty.cmo  \
           src/unionfind.cmo src/theoryreducer.cmo \
           src/theory_filtering.cmo src/hypotheses_filtering.cmo \
           src/dispatcher.cmo src/isabelle.cmo src/ocaml.cmo  \
	   src/main.cmo
CMX      = $(CMO:.cmo=.cmx)

bin/why.opt: $(CMX) src/why.cmx
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) $(OFLAGS) -o $@ unix.cmxa str.cmxa nums.cmxa graph.cmxa $^
	$(STRIP) $@

bin/why.byte: $(CMO) src/why.cmo
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLC) $(BFLAGS) -o $@ unix.cma str.cma nums.cma graph.cma $^

bin/why.static: $(CMX) src/why.cmx
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) -cclib -static $(OFLAGS) -o $@ unix.cmxa str.cmxa nums.cmxa graph.cmxa $^
	$(STRIP) $@

bin/top: $(CMO)
	ocamlmktop $(BFLAGS) -o $@ str.cma $^

# world-why-web
# WWEBCMO = src/lib.cmo src/rc.cmo src/version.cmo src/options.cmo src/loc.cmo\
# 	 src/ident.cmo  src/effect.cmo src/pp.cmo \
# 	src/option_misc.cmo\
# 	src/misc.cmo src/parser.cmo src/lexer.cmo src/report.cmo\
# 	 src/env.cmo src/rename.cmo src/explain.cmo src/util.cmo src/xml.cmo\
# 	src/project.cmo src/pretty.cmo src/wserver.cmo src/whyweb.cmo
# WWEBCMX = $(WWEBCMO:.cmo=.cmx)

# src/wserver.ml: src/wserver.ml4
# 	camlp4r pa_ifdef.cmo pr_o.cmo -DUNIX -DNOFORK  -impl $^ -o $@

# bin/whyweb.opt: $(WWEBCMX)
# 	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) \
# 	      $(OFLAGS) -thread -o $@ str.cmxa unix.cmxa threads.cmxa $^
# 	$(STRIP)    $@


# jessie
JCCML_EXPORT = src/why3_kw.ml jc/output.ml \
	jc/jc_common_options.ml jc/jc_stdlib.ml \
	jc/jc_envset.ml jc/jc_region.ml jc/jc_fenv.ml \
	jc/jc_constructors.ml \
	jc/jc_pervasives.ml jc/jc_iterators.ml jc/jc_type_var.ml \
	jc/jc_output_misc.ml jc/jc_poutput.ml jc/jc_output.ml jc/jc_noutput.ml
JCCMO_EXPORT = $(CMO_EXPORT) $(JCCML_EXPORT:.ml=.cmo)
JCCMX_EXPORT = $(JCCMO_EXPORT:.cmo=.cmx)
JCCMI_EXPORT = jc/jc_ast.cmi jc/jc_env.cmi jc/jc.cmi $(JCCMO_EXPORT:.cmo=.cmi)

JCCMO = src/version.cmo \
	@ATPCMO@ $(JCCMO_EXPORT) \
	jc/jc_options.cmo \
	jc/jc_name.cmo \
	jc/jc_struct_tools.cmo \
	jc/jc_norm.cmo jc/jc_typing.cmo \
	jc/numconst.cmo \
	jc/jc_parser.cmo jc/jc_lexer.cmo \
	jc/jc_separation.cmo \
	jc/jc_callgraph.cmo \
	jc/jc_effect.cmo \
	jc/jc_ai.cmo \
	jc/jc_interp_misc.cmo jc/jc_invariants.cmo \
	jc/jc_pattern.cmo \
	jc/jc_frame_notin.cmo \
	jc/jc_interp.cmo \
	jc/jc_frame.cmo \
	jc/jc_make.cmo jc/jc_main.cmo
JCCMX = $(JCCMO:.cmo=.cmx)

jc/jc_stdlib.ml: jc/jc_stdlib_lt312.ml jc/jc_stdlib_ge312.ml jc/jc_stdlib_ge40.ml
	rm -f $@
	case $(OCAMLVERSION) in \
         3.0*|3.10*|3.11*) cp jc/jc_stdlib_lt312.ml $@ ;; \
         3.12*) cp jc/jc_stdlib_ge312.ml $@ ;; \
         4.0*) cp jc/jc_stdlib_ge40.ml $@ ;; \
        esac
	chmod -w $@

$(JCCMX_EXPORT): OFLAGS:=$(OFLAGS) -for-pack Jc

atp/atp.cmx:
	make -C atp atp.cmx

atp/atp.cmo:
	make -C atp atp.cmo

jc/jc.cmi jc/jc.cmo: $(JCCMO_EXPORT)
	$(OCAMLC) $(BFLAGS) -pack -o jc/jc.cmo src/ast.cmi $^

jc/jc.cmx jc/jc.o: $(JCCMX_EXPORT)
	$(OCAMLOPT) $(OFLAGS) -pack -o jc/jc.cmx src/ast.cmi $^

ppc: jc/jc.cmi jc/jc.cmo jc/jc.cmx

bin/jessie.opt: $(JCCMX)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) $(OFLAGS) $(APRONLIB) $(APRONLIBS) $(ATPLIB) -o $@ \
		unix.cmxa str.cmxa nums.cmxa graph.cmxa $^
	$(STRIP)    $@

bin/jessie.byte: $(JCCMO)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLC) $(BFLAGS) $(APRONLIB) $(APRONBYTLIBS) $(ATPLIB) -o $@ \
		unix.cma str.cma nums.cma graph.cma $^

# Frama-C plugin for Jessie
ifeq ($(FRAMACPLUGIN),yes)
JESSIE_PLUGIN_PATH=frama-c-plugin
$(JESSIE_PLUGIN_BYTE): jc/jc.cmo $(JCCMO) $(CMO)
	$(MAKE) -C $(JESSIE_PLUGIN_PATH) depend
	$(MAKE) -C $(JESSIE_PLUGIN_PATH) Jessie.cma

$(JESSIE_PLUGIN_OPT): $(JCLIB) $(JCCMX) $(CMX)
	$(MAKE) -C $(JESSIE_PLUGIN_PATH) depend
	$(MAKE) -C $(JESSIE_PLUGIN_PATH)

install:
	$(MAKE) -C $(JESSIE_PLUGIN_PATH) install
clean::
	$(MAKE) -C $(JESSIE_PLUGIN_PATH) clean
endif

# krakatoa
# CAUTION! NEVER ADD jc/jc_options.cmo INTO THIS LIST
KCMO = src/lib.cmo src/version.cmo \
	src/loc.cmo src/pp.cmo src/option_misc.cmo \
	src/why3_kw.cmo jc/output.cmo jc/jc_stdlib.cmo \
	jc/jc_envset.cmo jc/jc_common_options.cmo \
	jc/jc_region.cmo jc/jc_fenv.cmo jc/numconst.cmo jc/jc_constructors.cmo \
	jc/jc_pervasives.cmo jc/jc_name.cmo \
	jc/jc_iterators.cmo jc/jc_type_var.cmo jc/jc_output_misc.cmo \
	jc/jc_poutput.cmo jc/jc_output.cmo jc/jc_noutput.cmo jc/output.cmo \
	java/java_options.cmo java/java_pervasives.cmo \
	java/java_abstract.cmo \
	java/java_parser.cmo java/java_lexer.cmo java/java_syntax.cmo \
	java/java_typing.cmo java/java_callgraph.cmo \
	java/java_analysis.cmo java/java_interp.cmo \
	java/java_main.cmo
KCMX = $(KCMO:.cmo=.cmx)

bin/krakatoa.opt: $(KCMX)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) $(OFLAGS) -o $@ \
		unix.cmxa nums.cmxa graph.cmxa $^
	$(STRIP)    $@

bin/krakatoa.byte: $(KCMO)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLC) $(BFLAGS) -o $@ \
	 	 unix.cma nums.cma graph.cma $^


# jessica

JESSICACMO = ml/ml_misc.cmo ml/ml_options.cmo ml/ml_pervasives.cmo \
	ml/ml_env.cmo ml/ml_constant.cmo ml/ml_type.cmo ml/ml_pattern.cmo \
	ml/ml_interp.cmo ml/ml_main.cmo
JESSICACMI = ml/ml_options.cmi ml/ml_env.cmi ml/ml_pattern.cmi

JESSICACMX = $(JESSICACMO:.cmo=.cmx)
MLCMO = src/loc.cmo src/pp.cmo src/option_misc.cmo jc/jc_stdlib.cmo \
	jc/jc_envset.cmo jc/jc_common_options.cmo \
	jc/jc_region.cmo jc/jc_fenv.cmo jc/numconst.cmo jc/jc_constructors.cmo \
	jc/jc_pervasives.cmo jc/jc_name.cmo \
	jc/jc_iterators.cmo jc/jc_output_misc.cmo \
	jc/jc_poutput.cmo jc/jc_output.cmo jc/jc_noutput.cmo \
	$(JESSICACMO)
MLCMX = $(MLCMO:.cmo=.cmx)

# The following files must be compiled with different includes and with the
# -for-pack option
OCAMLCMO = ml/utils/config.cmo ml/utils/clflags.cmo \
	ml/utils/misc.cmo ml/utils/terminfo.cmo ml/utils/warnings.cmo \
	ml/utils/consistbl.cmo ml/utils/tbl.cmo \
	ml/parsing/linenum.cmo ml/parsing/location.cmo \
	ml/parsing/syntaxerr.cmo \
	ml/parsing/longident.cmo ml/parsing/parser.cmo ml/parsing/lexer.cmo \
	ml/typing/ident.cmo ml/typing/path.cmo ml/typing/types.cmo \
	ml/typing/oprint.cmo ml/typing/btype.cmo ml/typing/predef.cmo \
	ml/typing/datarepr.cmo ml/typing/subst.cmo ml/typing/env.cmo \
	ml/typing/primitive.cmo ml/typing/ctype.cmo ml/typing/printtyp.cmo \
	ml/typing/includeclass.cmo ml/typing/parmatch.cmo \
	ml/typing/stypes.cmo ml/typing/typedtree.cmo \
	ml/typing/includecore.cmo ml/typing/typetexp.cmo ml/typing/mtype.cmo \
	ml/typing/typedecl.cmo ml/typing/unused_var.cmo \
	ml/typing/typecore.cmo ml/typing/typeclass.cmo \
	ml/typing/includemod.cmo ml/typing/typemod.cmo
OCAMLCMINOIMPL = ml/parsing/asttypes.cmi ml/parsing/parsetree.cmi \
	ml/typing/outcometree.cmi
OCAMLCMI = $(OCAMLCMINOIMPL) ml/utils/config.cmi ml/utils/clflags.cmi \
	ml/utils/misc.cmi ml/utils/terminfo.cmi ml/utils/warnings.cmi \
	ml/utils/consistbl.cmi ml/utils/tbl.cmi \
	ml/parsing/linenum.cmi ml/parsing/location.cmi ml/parsing/parser.cmi \
	ml/parsing/lexer.cmi ml/parsing/longident.cmi ml/parsing/syntaxerr.cmi \
	ml/typing/btype.cmi ml/typing/ctype.cmi ml/typing/datarepr.cmi \
	ml/typing/env.cmi ml/typing/ident.cmi ml/typing/includeclass.cmi \
	ml/typing/includecore.cmi ml/typing/includemod.cmi ml/typing/mtype.cmi \
	ml/typing/oprint.cmi ml/typing/parmatch.cmi \
	ml/typing/path.cmi ml/typing/predef.cmi ml/typing/primitive.cmi \
	ml/typing/printtyp.cmi ml/typing/stypes.cmi ml/typing/subst.cmi \
	ml/typing/typeclass.cmi ml/typing/typecore.cmi ml/typing/typedecl.cmi \
	ml/typing/typedtree.cmi ml/typing/typemod.cmi ml/typing/types.cmi \
	ml/typing/typetexp.cmi ml/typing/unused_var.cmi
OCAMLCMX = $(OCAMLCMO:.cmo=.cmx)

MLINCLUDES = -I ml/utils -I ml/parsing -I ml/typing

# The following dependencies are not found by ocamldep because there is no
# file ml/ml_ocaml.ml or ml/ml_ocaml.mli.
$(JESSICACMO): ml/ml_ocaml.cmo
$(JESSICACMX): ml/ml_ocaml.cmx
$(JESSICACMI): ml/ml_ocaml.cmo

ml/parsing/%.cmi: ml/parsing/%.mli
	$(if $(QUIET),@echo 'Ocamlc   $@' &&) \
		$(OCAMLC) -c $(MLINCLUDES) -for-pack Ml_ocaml ml/parsing/$*.mli

ml/parsing/%.cmx: ml/parsing/%.ml
	$(if $(QUIET),@echo 'Ocamlopt $@' &&) \
		$(OCAMLOPT) -c $(MLINCLUDES) -for-pack Ml_ocaml ml/parsing/$*.ml

ml/parsing/%.cmo: ml/parsing/%.ml
	$(if $(QUIET),@echo 'Ocamlc   $@' &&) \
		$(OCAMLC) -c $(MLINCLUDES) -for-pack Ml_ocaml ml/parsing/$*.ml

ml/typing/%.cmi: ml/typing/%.mli
	$(if $(QUIET),@echo 'Ocamlc   $@' &&) \
		$(OCAMLC) -c $(MLINCLUDES) -for-pack Ml_ocaml ml/typing/$*.mli

ml/typing/%.cmx: ml/typing/%.ml
	$(if $(QUIET),@echo 'Ocamlopt $@' &&) \
		$(OCAMLOPT) -c $(MLINCLUDES) -for-pack Ml_ocaml ml/typing/$*.ml

ml/typing/%.cmo: ml/typing/%.ml
	$(if $(QUIET),@echo 'Ocamlc   $@' &&) \
		$(OCAMLC) -c $(MLINCLUDES) -for-pack Ml_ocaml ml/typing/$*.ml

ml/utils/%.cmi: ml/utils/%.mli
	$(if $(QUIET),@echo 'Ocamlc   $@' &&) \
		$(OCAMLC) -c $(MLINCLUDES) -for-pack Ml_ocaml ml/utils/$*.mli

ml/utils/%.cmx: ml/utils/%.ml
	$(if $(QUIET),@echo 'Ocamlopt $@' &&) \
		$(OCAMLOPT) -c $(MLINCLUDES) -for-pack Ml_ocaml ml/utils/$*.ml

ml/utils/%.cmo: ml/utils/%.ml
	$(if $(QUIET),@echo 'Ocamlc   $@' &&) \
		$(OCAMLC) -c $(MLINCLUDES) -for-pack Ml_ocaml ml/utils/$*.ml

ml/ml_ocaml.cmx: $(OCAMLCMINOIMPL) $(OCAMLCMX)
	$(if $(QUIET),@echo 'Ocamlopt $@' &&) \
		$(OCAMLOPT) -c $(MLINCLUDES) -pack -o $@ $^

ml/ml_ocaml.cmo: $(OCAMLCMINOIMPL) $(OCAMLCMO)
	$(if $(QUIET),@echo 'Ocamlc   $@' &&) \
		$(OCAMLC) -c $(MLINCLUDES) -pack -o $@ $^

bin/jessica.opt: ml/ml_ocaml.cmx $(MLCMX)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) $(OFLAGS) -o $@ \
		unix.cmxa nums.cmxa graph.cmxa $^
	$(STRIP)    $@

bin/jessica.byte: ml/ml_ocaml.cmo $(MLCMO)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLC) $(BFLAGS) -o $@ \
	 	 unix.cma nums.cma graph.cma $^


# demixify

MIXCMO=src/pp.cmo mix/mix_parser.cmo mix/mix_lexer.cmo mix/mix_cfg.cmo \
       mix/mix_seq.cmo mix/mix_interp.cmo mix/mix_main.cmo
MIXCMX = $(MIXCMO:.cmo=.cmx)

bin/demixify.opt: $(MIXCMX)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) $(OFLAGS) -o $@ $^
	$(STRIP)    $@

bin/demixify.byte: $(MIXCMO)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLC) $(BFLAGS) -o $@ $^

# graphical interface
WVCMO = $(CMO) intf/navig.cmo intf/hilight.cmo intf/viewer.cmo
WVCMX = $(WVCMO:.cmo=.cmx)

bin/why-viewer.opt: $(WVCMX)
	$(OCAMLOPT) $(OFLAGS) -o $@ unix.cmxa gramlib.cmxa str.cmxa lablgtk.cmxa $^
	$(STRIP) $@

bin/why-viewer.byte: $(WVCMO)
	$(OCAMLC) $(BFLAGS) -o $@ unix.cma gramlib.cma str.cma lablgtk.cma $^

# graphical interface
GCMO = $(CMO) intf/colors.cmo intf/tags.cmo intf/tools.cmo intf/tagsplit.cmo\
	      intf/astprinter.cmo intf/astnprinter.cmo intf/astpprinter.cmo\
	      intf/model.cmo intf/cache.cmo intf/gConfig.cmo intf/hilight.cmo\
	      intf/whyhilight.cmo intf/pprinter.cmo intf/preferences.cmo intf/stat.cmo
GCMX = $(GCMO:.cmo=.cmx)

gwhy-yes: bin/gwhy.$(OCAMLBEST)
gwhy-no:
gwhy: bin/gwhy.$(OCAMLBEST)

bin/gwhy.opt: $(GCMX)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) $(OFLAGS) -o $@ unix.cmxa threads.cmxa nums.cmxa str.cmxa graph.cmxa lablgtk.cmxa gtkThread.cmx $^
	$(STRIP)    $@

bin/gwhy.static: $(GCMX)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLOPT) -cclib -static $(OFLAGS) -o $@ unix.cmxa threads.cmxa nums.cmxa str.cmxa graph.cmxa lablgtk.cmxa gtkThread.cmx $^
	$(STRIP)    $@

bin/gwhy.byte: $(GCMO)
	$(if $(QUIET),@echo 'Linking  $@' &&) $(OCAMLC) $(BFLAGS) -o $@ unix.cma str.cma nums.cma graph.cma lablgtk.cma threads.cma gtkThread.cmo $^

# tools
regtest.opt: tools/regtest.ml
	$(OCAMLOPT) $(OFLAGS) -thread -o $@ unix.cmxa str.cmxa threads.cmxa $^

regtest.byte: tools/regtest.ml
	$(OCAMLC) $(BFLAGS) -thread -o $@ unix.cma str.cma threads.cma $^

bin/why2html.byte: tools/why2html.ml
	$(OCAMLC) $(BFLAGS) -o $@ $^

bin/why2html.opt: tools/why2html.ml
	$(OCAMLOPT) $(OFLAGS) -o $@ $^

SIMPLIFYTOWHYCMO=src/ident.cmo src/pp.cmo \
                 tools/simplify_parser.cmo tools/simplify_lexer.cmo \
                 tools/simplify_towhy.cmo
SIMPLIFYTOWHYCMX = $(SIMPLIFYTOWHYCMO:.cmo=.cmx)

bin/simplify2why.byte: $(SIMPLIFYTOWHYCMO)
	$(OCAMLC) $(BFLAGS) -o $@ $^

bin/simplify2why.opt: $(SIMPLIFYTOWHYCMX)
	$(OCAMLOPT) $(OFLAGS) -o $@ $^

DPCMO =  src/lib.cmo tools/cvcl_split.cmo tools/simplify_split.cmo tools/smtlib_split.cmo\
        tools/zenon_split.cmo tools/ergo_split.cmo tools/rv_split.cmo \
        src/rc.cmo tools/dpConfig.cmo src/version.cmo \
	tools/calldp.cmo tools/dp.cmo
DPCMX = $(DPCMO:.cmo=.cmx)

bin/why-dp.byte: $(DPCMO)
	$(OCAMLC) $(BFLAGS) -o $@ unix.cma str.cma $^

bin/why-dp.opt: $(DPCMX)
	$(OCAMLOPT) $(OFLAGS) -o $@ unix.cmxa str.cmxa $^

bin/why-cpulimit: tools/@CPULIMIT@.c
	$(CC) -o $@ $^

bin/rv_merge.byte: tools/rv_merge.ml
	$(OCAMLC) $(BFLAGS) -o $@ $^

bin/rv_merge.opt: tools/rv_merge.ml
	$(OCAMLOPT) $(OFLAGS) -o $@ $^

OBFCMO=src/pp.cmo src/loc.cmo src/ident.cmo  \
       src/parser.cmo src/lexer.cmo src/print_real.cmo \
	tools/obfuscator.cmo
OBFCMX=$(OBFCMO:.cmo=.cmx)

bin/why-obfuscator.byte: $(OBFCMO)
	$(OCAMLC) $(BFLAGS) -o $@ nums.cma $^

bin/why-obfuscator.opt: $(OBFCMX)
	$(OCAMLOPT) $(OFLAGS) -o $@ nums.cmxa $^

STATCMO=src/pp.cmo src/loc.cmo src/ident.cmo  \
        src/parser.cmo src/lexer.cmo tools/whystat.cmo
STATCMX=$(STATCMO:.cmo=.cmx)

bin/why-stat.byte: $(STATCMO)
	$(OCAMLC) $(BFLAGS) -o $@ $^

bin/why-stat.opt: $(STATCMX)
	$(OCAMLOPT) $(OFLAGS) -o $@ $^

TOOLCMO=src/loc.cmo src/pp.cmo tools/toolstat_pars.cmo \
	tools/toolstat_lex.cmo tools/toolstat.cmo
TOOLCMX=$(TOOLCMO:.cmo=.cmx)

bin/tool-stat.byte: $(TOOLCMO)
	$(OCAMLC) $(BFLAGS) -o $@ $^

bin/tool-stat.opt: $(TOOLCMX)
	$(OCAMLOPT) $(OFLAGS) -o $@ $^

bin/cadlog.opt: src/version.cmx c/cversion.cmx tools/cadlog.cmx
	$(OCAMLOPT) unix.cmxa -o $@ $^

static:: $(STATICBINARY)

ifeq ($(enable_local),no)
LIBWHY3=$(LIBDIR)/why
else
LIBWHY3=$(PWD)/lib
endif

lib/why3/why3.conf: Makefile
	printf "[main]\n" > $@
	printf "loadpath=\"$(LIBWHY3)/why3\"\n" >> $@
	printf "\n" >> $@
	printf "[prover_modifiers]\n" >> $@
	printf "name=\"Coq\"\n" >> $@
	printf "option=\"-R $(LIBWHY3)/coq Why\"\n" >> $@
	printf "driver=\"$(LIBWHY3)/why3/coq.drv\"\n" >> $@
	printf "\n"  >> $@
	printf "[editor_modifiers coqide]\n" >> $@
	printf "option=\"-R $(LIBWHY3)/coq Why\"\n" >> $@
	printf "\n"  >> $@
	printf "[editor_modifiers proofgeneral-coq]\n" >> $@
	printf "option=\"--eval \\\\\"(setq coq-load-path (cons '(\\\\\\\\\\\\\"$(LIBWHY3)/coq\\\\\\\\\\\\\" \\\\\\\\\\\\\"Why\\\\\\\\\\\\\") coq-load-path))\\\\\"\"\n"  >> $@


########
# COQ
########

coq-no:
coq-yes: coq-@COQVER@
coq-v7: $(VO7)
coq-v8: $(VO8)
coq-v8.1: $(VO8)

########
# PVS
########

pvs-no:
pvs-yes: $(PVSFILES)

include Version

doc/version.tex src/version.ml c/cversion.ml: Version version.sh config.status
	BINDIR=$(BINDIR) LIBDIR=$(LIBDIR) COQVER=$(COQVER) ./version.sh

lib/coq/jessie_why.v: lib/why/jessie.why $(BINARY)
	WHYLIB=lib $(BINARY) --dir lib/coq --coq-v8 -coq-preamble \
        "Require Export Reals. Require Export Why." \
        --no-coq-use-dp lib/why/jessie.why

lib/pvs/jessie_why.pvs: lib/why/jessie.why $(BINARY)
	WHYLIB=lib $(BINARY) --dir lib/pvs --pvs --pvs-preamble "IMPORTING why" lib/why/jessie.why

# bench

.PHONY: bench test

WHYVO=lib/coq/Why.vo

bench:: $(BINARY) $(WHYVO)
	cd bench; sh ./bench "../$(BINARY)"
	make -C bench fastwp.bench.ergo
	make -C examples ergo
	#cd bench/provers; sh ./bench "../../$(BINARY)"

JCBENCHLOG=jessie-bench-`date +%d-%m-%y`.log

# Claude: does not work anymore, because someone modified bench/jc/bench
# GRRRRRRRRRRRR
# jc-bench:: $(JESSIE) bin/cadlog.opt
#	(cd bench/jc; sh ./bench 2>&1) | bin/cadlog.opt -jc $(JCBENCHLOG)

jc-fast-bench:: $(JESSIE)
	make -C bench/jc -f Makefile good.bench

JCAIBENCHLOG=jessie-ai-bench-`date +%d-%m-%y`.log

jc-ai-bench:: $(JESSIE) bin/cadlog.opt
	(cd bench/jc/ai; sh ./bench 2>&1) | bin/cadlog.opt -jc $(JCAIBENCHLOG)

JAVABENCHLOG=krakatoa-bench-`date +%d-%m-%y`.log

java-bench:: $(KRAKATOA) bin/cadlog.opt
	(cd bench/java; sh ./bench 2>&1) | bin/cadlog.opt -java $(JAVABENCHLOG)

ml-bench:: $(JESSICA) $(JESSIE)
	make -C bench/ml -f Makefile good.bench

bench-pvs:: $(BINARY) $(WHYVO)
	cd bench; sh ./bench "../$(BINARY) --valid" pvs

bench-tc:: $(BINARY) $(WHYVO)
	cd bench; sh ./bench "../$(BINARY) -tc"

test:: $(BINARY) $(WHYVO)
	[ ! -f bench/test.ml ] || $(BINARY) -d -V -coq bench/test.ml

.PHONY: examples examples-c

examples:: $(BINARY) $(WHYVO)
	make -C examples check

# debugging

db debug: bin/why.byte src/logic.cmo

#src/logic.ml: src/logic.mli
#	cp -f $^ $@

# java APIs
#################

java_api:
	(cd lib/java_api ; for i in java/lang/*.java; do \
		mkdir -p `dirname ../distr_java_api/$$i` ; \
		echo "Generating $$i" ; \
		KRAKATOALIB=.. ../../$(KRAKATOA) -abstract ../distr_java_api/$$i $$i || break ; done)

# installation
##############

install: install-binary install-lib install-man install-coq-@COQ@ install-pvs-@PVS@

BINARYFILES = $(BINARY) $(WHYCONFIG) $(JESSIE) $(KRAKATOA) \
	$(WHY2HTML) $(DP) $(CPULIMIT) $(RVMERGE) bin/gwhy.$(OCAMLBEST) \
	$(WHYSTAT) $(TOOLSTAT) $(WHYOBFUSCATOR) $(SIMPLIFY2WHY)

# install-binary should not depend on $(BINARYFILES); otherwise it
# enforces the compilation of gwhy, even when lablgtk2 is not installed
install-binary:
	mkdir -p $(BINDIR)
	cp -f $(BINARY) $(BINDIR)/why$(EXE)
	cp -f $(WHYCONFIG) $(BINDIR)/why-config$(EXE)
	cp -f $(JESSIE) $(BINDIR)/jessie$(EXE)
	cp -f $(KRAKATOA) $(BINDIR)/krakatoa$(EXE)
	cp -f bin/gwhy.sh $(BINDIR)/gwhy
	cp -f $(WHY2HTML) $(BINDIR)/why2html$(EXE)
	cp -f $(DP) $(BINDIR)/why-dp$(EXE)
	cp -f $(CPULIMIT) $(BINDIR)/why-cpulimit$(EXE)
	cp -f $(RVMERGE) $(BINDIR)/rv_merge$(EXE)
	cp -f $(WHYOBFUSCATOR) $(BINDIR)/why-obfuscator$(EXE)
	cp -f $(WHYSTAT) $(BINDIR)/why-stat$(EXE)
	cp -f $(TOOLSTAT) $(BINDIR)/tool-stat$(EXE)
	cp -f $(SIMPLIFY2WHY) $(BINDIR)/simplify2why$(EXE)
	if test -f bin/gwhy.$(OCAMLBEST); then \
		cp -f bin/gwhy.$(OCAMLBEST) $(BINDIR)/gwhy-bin$(EXE); \
	fi

install-lib: $(JCLIB) lib/why3/why3.conf
	mkdir -p $(LIBDIR)/why/why
	cp -f $(PRELUDE) $(LIBDIR)/why/why
	rm -rf $(LIBDIR)/why/why3
	mkdir -p $(LIBDIR)/why/why3
	cp -f lib/why3/why3.conf lib/why3/coq.drv lib/why3/jessie3theories.why lib/why3/jessie3.mlw lib/why3/jessie3_integer.why $(LIBDIR)/why/why3
	mkdir -p $(LIBDIR)/jessie
	cp -f $(JCLIB) $(JCCMI_EXPORT) $(LIBDIR)/jessie
	cd lib; cp -rf java_api $(LIBDIR)/why
	cd lib; cp -rf javacard_api $(LIBDIR)/why
	mkdir -p $(LIBDIR)/why/images
	cp -f lib/images/*.png $(LIBDIR)/why/images
	mkdir -p $(LIBDIR)/why/emacs
	cp -f lib/emacs/why.el $(LIBDIR)/why/emacs
#	remove CVS directories
	find $(LIBDIR) -name CVS | xargs $(RM) -r

install-man:
	mkdir -p $(MANDIR)/man1
	cp -f doc/*.1 $(MANDIR)/man1

install-coq-no:
install-coq-yes: install-coq-@COQVER@
install-coq-v7:
	mkdir -p $(LIBDIR)/why/coq7
	cp -f $(VO7) $(LIBDIR)/why/coq7
install-coq-v8 install-coq-v8.1:
	if test -w $(COQLIB) ; then \
	  rm -f $(COQLIB)/user-contrib/Why*.v* ; \
	  rm -f $(COQLIB)/user-contrib/caduceus*.v* $(COQLIB)/user-contrib/Caduceus*.v* ; \
	  rm -f $(COQLIB)/user-contrib/jessie*.v* $(COQLIB)/user-contrib/Jessie*.v* ; \
	  mkdir -p $(COQLIB)/user-contrib/Why ; \
	  cp -f $(VO8) $(COQLIB)/user-contrib/Why ; \
	else \
	  echo "Cannot copy to Coq standard library. Add \"-R $(LIBDIR)/why/coq Why\" to Coq options." ;\
	fi
	mkdir -p $(LIBDIR)/why/coq
	cp -f $(VO8) $(LIBDIR)/why/coq

install-pvs-no:
install-pvs-yes: $(PVSFILES)
	mkdir -p $(PVSLIB)/why
	cp $(PVSFILES) $(PVSFILES:.pvs=.prf) $(PVSLIB)/why
	cp lib/pvs/top.pvs lib/pvs/pvscontext.el $(PVSLIB)/why
	@echo "======  Compiling PVS theories, this may take some time ======"
	(cd $(PVSLIB)/why ; @PVSC@ -batch -l pvscontext.el -q -v 2 > top.out)
	@echo "======  Done compiling PVS theories ======"

MIZARLIB = $(DESTDIR)@MIZARLIB@

install-mizar-no:
install-mizar-yes:
	mkdir -p $(MIZARLIB)/mml/dict
	cp lib/mizar/why.miz $(MIZARLIB)/mml
	cp lib/mizar/dict/why.voc $(MIZARLIB)/mml/dict

local-install: $(BINARY) $(WHYCONFIG) $(JESSIE) bin/gwhy.$(OCAMLBEST) byte bin/gwhy.byte
	cp $(BINARY) $$HOME/bin/why
	cp $(WHYCONFIG) $$HOME/bin/why
	cp $(JESSIE) $$HOME/bin/jessie
	if test -f bin/gwhy.$(OCAMLBEST); then \
	  cp -f bin/gwhy.$(OCAMLBEST) $$HOME/bin/gwhy; \
	fi

local: install
# local: bin/why.opt $(WHY2HTML) $(DP) $(RVMERGE) coq-@COQ@
# 	cp -f bin/why.opt $$HOME/bin/$$OSTYPE/why
# 	cp -f $(WHY2HTML) $$HOME/bin/$$OSTYPE/why2html
# 	cp -f $(DP) $$HOME/bin/$$OSTYPE/dp
# 	cp -f $(RVMERGE) $$HOME/bin/$$OSTYPE/rv_merge
# #	mkdir -p $(COQLIB)/contrib7/why
# #	cp -f $(VO7) $(VFILES) $(COQLIB)/contrib7/why
# #	mkdir -p $(COQLIB)/contrib/why
# #	cp -f $(VO8) $(VFILES) $(COQLIB)/contrib/why
# 	mkdir -p $(PVSLIB)/why
# 	cp $(PVSFILES) $(PVSLIB)/why
# 	mkdir -p $(MIZFILES)/mml/dict
# 	cp lib/mizar/why.miz $(MIZFILES)/mml
# 	cp lib/mizar/dict/why.voc $(MIZFILES)/mml/dict
# 	mkdir -p $$HOME/man/man1
# 	cp -f doc/*.1 $$HOME/man/man1

demons: $(STATICBINARY) doc/manual.ps
	cp -f $(STATICBINARY) /users/demons/demons/bin/$$OSTYPE/why
	cp doc/manual.ps /users/demons/demons/docs/why.ps

win: why.nsi
	"/cygdrive/c/Program Files (x86)/NSIS/makensis" /DVERSION=$(VERSION) why.nsi

zip:
	zip -A -r why-$(VERSION).zip c:/why/bin c:/why/lib c:/coq/lib/contrib/why c:/coq/lib/contrib7/why

# doc

DOC=doc/manual.ps doc/manual.html \
	doc/krakatoa.pdf doc/krakatoa.html \
	doc/jessie.pdf doc/jessie.html \
	doc/main.pdf doc/main.html

doc:: $(DOC)


doc/manual.ps: doc/manual.tex doc/version.tex
	make -C doc manual.ps

# doc/version.tex: Version Makefile.in
#	echo '\newcommand{\whyversion}'"{$(VERSION)}" > $@
#	echo '\newcommand{\jessieversion}'"{$(JCVERSION)}" >> $@
#	echo '\newcommand{\krakatoaversion}'"{$(KVERSION)}" >> $@

doc/manual.html: doc/manual.tex doc/version.tex
	make -C doc manual.html

doc/krakatoa.pdf: doc/krakatoa.tex doc/version.tex
	make -C doc krakatoa.pdf

doc/krakatoa.html: doc/krakatoa.tex doc/version.tex
	make -C doc krakatoa.html

doc/jessie.pdf: doc/jessie.tex doc/version.tex
	make -C doc jessie.pdf

doc/jessie.html: doc/jessie.tex doc/version.tex
	make -C doc jessie.html

doc/main.pdf: doc/main.tex doc/version.tex
	make -C doc main.pdf

doc/main.html: doc/main.tex doc/version.tex
	make -C doc main.html


# API HTML DOC
##############

OCAMLDOCSRC = intf/model.mli $(WHYCONFIGCMO:.cmo=.ml) $(WHYCONFIGCMI:.cmi=.mli)
	# $(JCCMO:.cmo=.ml) $(JCCMI:.cmi=.mli)

apidoc: $(OCAMLDOCSRC)
	mkdir -p ocamldoc
	rm -f ocamldoc/*
	$(OCAMLDOC) -d ocamldoc -html $(INCLUDES) @INCLUDEGTK2@ $(OCAMLDOCSRC)


# special rules
###############

# CAMLP4=@CAMLP4O@ pa_extend.cmo pa_macro.cmo

# src/%.cmo: src/%.ml4
# 	$(OCAMLC) -c $(BFLAGS) -pp "$(CAMLP4) -DOCAML@OCAMLV@ -impl" -impl $<

# src/%.cmx: src/%.ml4
# 	$(OCAMLOPT) -c $(OFLAGS) -pp "$(CAMLP4) -DOCAML@OCAMLV@ -impl" -impl $<

# src/%.ml: src/%.ml4
# 	$(CAMLP4) pr_o.cmo -DOCAML@OCAMLV@ -impl $< > $@

# generic rules
###############

.SUFFIXES: .mli .ml .cmi .cmo .cmx .mll .mly .v .vo .ml4

.mli.cmi:
	$(if $(QUIET),@echo 'Ocamlc   $<' &&) $(OCAMLC) $(APRONLIB) $(ATPLIB) -c $(BFLAGS) $<

.ml.cmi:
	$(if $(QUIET),@echo 'Ocamlc   $<' &&) $(OCAMLC) $(APRONLIB) $(ATPLIB) -c $(BFLAGS) $<

.ml.cmo:
	$(if $(QUIET),@echo 'Ocamlc   $<' &&) $(OCAMLC) $(APRONLIB) $(ATPLIB) -c $(BFLAGS) $<

.ml.o:
	$(OCAMLOPT) $(APRONLIB) $(ATPLIB) -c $(OFLAGS) $<

.ml.cmx:
	$(if $(QUIET),@echo 'Ocamlopt $<' &&) $(OCAMLOPT) $(APRONLIB) $(ATPLIB) -c $(OFLAGS) $<

.mll.ml:
	$(OCAMLLEX) $<

.mly.ml:
	$(OCAMLYACC) -v $<

.mly.mli:
	$(OCAMLYACC) -v $<

.ml4.ml:
	$(CAMLP4) pr_o.cmo -impl $< > $@

@JESSIEWHY3LIBCOQ@: COQEXTRAR += -R @WHY3COQPATH@ Why3

lib/coq/%.vo: lib/coq/%.v
	$(COQC8) $(COQEXTRAR) -R lib/coq Why $<

lib/coq-v7/%.vo: lib/coq-v7/%.v
	$(COQC7) -I lib/coq-v7 $<

jc/jc_ai.ml: jc/jc_annot_inference.ml jc/jc_annot_fail.ml Makefile
	if test "@enable_apron@" = "yes" ; then \
	  echo "# 1 \"jc/jc_annot_inference.ml\"" > jc/jc_ai.ml; \
	  cat jc/jc_annot_inference.ml >> jc/jc_ai.ml; \
	else \
	  echo "# 1 \"jc/jc_annot_fail.ml\"" > jc/jc_ai.ml; \
	  cat jc/jc_annot_fail.ml >> jc/jc_ai.ml; \
	fi

# %_why.v: %.mlw $(BINARY)
# 	$(BINARY) -coq $*.mlw

# %_why.pvs: %.mlw $(BINARY)
# 	$(BINARY) -pvs $*.mlw

# Emacs tags
############

tags:
	find src -name "*.ml*" | sort -r | xargs \
	etags "--regex=/let[ \t]+\([^ \t]+\)/\1/" \
	      "--regex=/let[ \t]+rec[ \t]+\([^ \t]+\)/\1/" \
	      "--regex=/and[ \t]+\([^ \t]+\)/\1/" \
	      "--regex=/type[ \t]+\([^ \t]+\)/\1/" \
              "--regex=/exception[ \t]+\([^ \t]+\)/\1/" \
	      "--regex=/val[ \t]+\([^ \t]+\)/\1/" \
	      "--regex=/module[ \t]+\([^ \t]+\)/\1/"

otags:
	otags src/*.mli src/*.ml c/*.mli c/*.ml intf/*.mli intf/*.ml

wc:
	ocamlwc -p src/*.ml* jc/*.ml* c/*.ml* intf/*.ml* tools/*.ml* java/*.ml*

# distrib
#########

NAME=why-$(VERSION)
EXPORT=export/$(NAME)

WWW = /users/www-perso/projets/why
FTP = $(WWW)/download
WWWSRC=/home/cmarche/www/why
WWWKRAKATOA = /users/www-perso/projets/krakatoa

FILES =src/*.ml* c/*.ml* jc/*.ml* java/*.ml* ml/*.ml* ml/*/*.ml* intf/*.ml* tools/*.ml* tools/*.c bin/gwhy.sh \
       mix/*.ml* \
       version.sh Version Makefile.in configure.in configure .depend .depend.coq \
       config/check_ocamlgraph.ml \
       README INSTALL COPYING LICENSE CHANGES \
       doc/Makefile doc/manual.ps doc/why.1 \
	examples-c/*/*.h examples-c/*/*.c \
	examples-c/Makefile examples-c/*/Makefile \
	examples-c/*/coq/*.v \
	examples/Makefile* \
	examples/*/*.mlw examples/*/*.why examples/*/*.v examples/*/*.sx \
	examples/*/.depend examples/*/Makefile \
	bench/bench.in bench/good*/*.mlw bench/good*/*.v \
        bench/c/bench bench/c/bench-files bench/c/*/*.c bench/c/*/*/*.c \
	bench/jc/bench bench/jc/good/*.jc \
	bench/java/bench bench/java/*/*.java bench/provers/*.mlw \
	tests/regtest.sh \
	tests/java/*.java tests/java/coq/*.v \
	tests/java/result/README tests/java/oracle/*.oracle \
	tests/c/*.c tests/c/*/coq/*.v \
	tests/c/result/README tests/c/oracle/*.oracle \
	lib/emacs/why.el \
	lib/coq*/*.v \
	lib/pvs/pvscontext.el lib/pvs/*.pvs lib/pvs/*.prf \
	lib/mizar/why.miz lib/mizar/dict/why.voc \
	lib/why/*.why lib/isabelle/*.thy lib/hol4/*.ml lib/harvey/*.rv \
	lib/why3/*.why lib/why3/*.mlw lib/why3/coq.drv \
	lib/java_api/java/*/*.java \
	lib/javacard_api/java/lang/*.java \
	lib/javacard_api/javacard/*/*.java \
	lib/javacard_api/javacardx/crypto/*.java \
	lib/javacard_api/com/sun/javacard/impl/*.java \
	lib/images/*.png \
	atp/*.ml atp/LICENSE.txt atp/Makefile atp/Mk_ml_file \
        frama-c-plugin/Makefile frama-c-plugin/configure \
	frama-c-plugin/*.ml* frama-c-plugin/share/jessie/*.h

#	ocamlgraph/configure.in ocamlgraph/configure ocamlgraph/.depend \
#	ocamlgraph/Makefile.in ocamlgraph/META.in ocamlgraph/*/*.ml* \

# ne pas distribuer ces tests-la	frama-c-plugin/tests/jessie/*.c

distrib export: source export-doc export-www export-examples 

export-www:
	echo "<#def version>$(VERSION)" > $(WWWSRC)/version.prehtml
	echo "<#def cversion>$(CVERSION)" >> $(WWWSRC)/version.prehtml
	make -C $(WWWSRC) install

source: export/$(NAME).tar.gz
	cp CHANGES export/$(NAME).tar.gz $(FTP)

export/$(NAME).tar.gz: $(FILES)
	rm -rf $(EXPORT)
	mkdir -p $(EXPORT)/bin
	cp --parents $(FILES) $(EXPORT)
	cd $(EXPORT); rm -f $(GENERATED)
	cd export; tar cf $(NAME).tar $(NAME); gzip -f --best $(NAME).tar

tarball-for-framac:
	make tarball
	cp export/$(NAME).tar.gz export/why-for-framac.tar.gz

tarball:
	mkdir -p export
	cd export; rm -rf $(NAME) $(NAME).tar.gz
	make export/$(NAME).tar.gz

EXFILES = lib/coq*/*.v examples/*/*.v examples/*/*.mlw

export-examples:
	cp --parents $(EXFILES) $(WWW)
	make -C $(WWW)/examples clean depend
	echo "*** faire make all dans $(WWW)/examples ***"

export-doc: $(DOC) export-krakatoa-doc
	cp doc/manual.ps doc/manual.html $(WWW)/manual
	cp doc/logic_syntax.bnf $(WWW)/manual
	(cd $(WWW)/manual; hacha manual.html)

export-krakatoa-doc:
	cp doc/krakatoa.pdf doc/krakatoa.html doc/*.png $(WWWKRAKATOA)/manual
	cp doc/jessie.pdf doc/jessie.html doc/*.png $(WWWKRAKATOA)/manual
#	(cd $(WWWKRAKATOA)/manual; hacha krakatoa.html)

OSTYPE  ?= linux

BINARYNAME = $(NAME)-$(OSTYPE)

linux: binary

ALLBINARYFILES = $(FILES) $(BINARYFILES)

binary: $(ALLBINARYFILES)
	mkdir -p export/$(BINARYNAME)
	cp --parents $(ALLBINARYFILES) export/$(BINARYNAME)
	(cd export; tar czf $(BINARYNAME).tar.gz $(BINARYNAME))
	cp export/$(BINARYNAME).tar.gz $(FTP)

# file headers
##############
headers:
	headache -c doc/headache_config.txt -h doc/header.txt \
		Makefile.in configure.in README \
		*/*.ml */*.ml[ily4] tools/*.c bench/c/good/*.c \
		bench/java/good/*.java \
		tests/java/*.java \
		tests/c/*.c \
		doc/*.tex

# myself
########

Makefile: Makefile.in config.status
	./config.status

config.status: configure
	./config.status --recheck

configure: configure.in
	autoconf

# clean and depend
##################

clean::
	rm -f src/*.cm[iox] src/*.o src/*~ src/*.annot src/*.output
	rm -f c/*.cm[iox] c/*.o c/*~ c/*.annot c/*.output
	rm -f intf/*.cm[iox] intf/*.o intf/*~ intf/*.annot
	rm -f tools/*.cm[iox] tools/*.o tools/*~ tools/*.annot
	rm -f jc/*.cm[iox] jc/*.o jc/*~ jc/*.annot jc/*.output
	rm -f java/*.cm[iox] java/*.o java/*~ java/*.annot java/*.output
	rm -f ml/*.cm[iox] ml/*.o ml/*~ ml/*.annot
	rm -f ml/parsing/*.cm[iox] ml/parsing/*.o ml/parsing/*~ \
		ml/parsing/*.annot ml/parsing/*.output
	rm -f ml/utils/*.cm[iox] ml/utils/*.o ml/utils/*~ ml/utils/*.annot
	rm -f ml/typing/*.cm[iox] ml/typing/*.o ml/typing/*~ ml/typing/*.annot
	rm -f bin/why.opt bin/why.byte bin/why.static bin/top
	rm -f bin/jessie.opt bin/jessie.byte
	rm -f bin/jessica.opt bin/jessica.byte
	rm -f bin/why-obfuscator.opt bin/why-obfuscator.byte
	rm -f bin/rv_merge.opt bin/rv_merge.byte
	rm -f bin/why-stat.opt bin/why-stat.byte
	rm -f bin/tool-stat.opt bin/tool-stat.byte
	rm -f bin/why2html.opt bin/why2html.byte
	rm -f bin/why-dp.opt bin/why-dp.byte
	rm -f bin/why-cpulimit
	rm -f lib/coq*/*.vo lib/coq*/*~
	rm -f $(GENERATED)
	make -C atp clean
	make -C doc clean
	if test -d examples-v7; then \
		make -C examples-v7 clean ; \
	fi
	make -C examples clean

dist-clean:: clean
	rm -f Makefile config.status config.cache config.log

coq-clean::
	rm -f lib/coq*/*.vo examples/*/*.vo
	rm .depend.coq

.PHONY: depend
.depend depend: $(GENERATED)
	rm -f .depend
	$(OCAMLDEP) -slash $(INCLUDES) src/*.ml src/*.mli jc/*.mli jc/*.ml c/*.mli c/*.ml java/*.mli java/*.ml intf/*.ml intf/*.mli tools/*.mli tools/*.ml mix/*.mli mix/*.ml ml/*.ml ml/*.mli > .depend
	$(OCAMLDEP) -slash $(MLINCLUDES) ml/parsing/*.ml ml/parsing/*.mli ml/typing/*.ml ml/typing/*.mli ml/utils/*.ml ml/utils/*.mli >> .depend
ifeq ($(FRAMACPLUGIN),yes)
	$(MAKE) -C $(JESSIE_PLUGIN_PATH) depend
endif

.depend.coq: #lib/coq*/*.v
	if test @COQ@ = yes; then \
	  rm -f .depend.coq; \
	  $(COQDEP) -I lib/coq lib/coq/*.v > .depend.coq; \
	  $(COQDEP) -I lib/coq-v7 lib/coq-v7/*.v >> .depend.coq; \
	else touch .depend.coq; \
	fi

alldepend:
	make -C examples-v7 depend
	make -C examples depend

ifneq ($(MAKECMDGOALS),clean)
include .depend
include .depend.coq
endif

#################################################################
# Building the Why platform with ocamlbuild (OCaml 3.10 needed) #
#################################################################

# There used to be targets here but they are no longer useful.

# To build using Ocamlbuild:
# 1) Run "make Makefile" to ensure that the generated files (version.ml, ...)
# are generated.
# 2) Run Ocamlbuild with any target to generate the sanitization script.
# 3) Run ./sanitize to delete the generated files that shouldn't be generated
# (i.e. all lexers and parsers).
# 4) Run Ocamlbuild with the target you need, for example:
# ocamlbuild jc/jc_main.native

# You can also use the Makefile ./build.makefile which has some handy targets.
why-2.34/tests/0000755000175000017500000000000012311670312011757 5ustar  rtuserswhy-2.34/tests/java/0000755000175000017500000000000012311670312012700 5ustar  rtuserswhy-2.34/tests/java/AllZeros.java0000644000175000017500000000550512311670312015303 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class AllZeros {

    static int should_not_be_proved(int t[]) {
	return t.length;

    }


    /*@ requires t != null;
      @ ensures \result <==> 
      @      \forall integer i; 0 <= i < t.length ==> t[i] == 0; 
      @*/
    static boolean all_zeros(int t[]) {
	/*@ loop_invariant 
	  @  0 <= k <= t.length && 
	  @  \forall integer i; 0 <= i < k ==> t[i] == 0;
	  @ loop_variant t.length - k;
	  @*/
	for (int k = 0; k < t.length; k++) 
	    if (t[k] != 0) 
		return false;
	return true;
    }
}

/*
Local Variables:
compile-command: "make AllZeros.why3ide"
End:
*/


why-2.34/tests/java/Hello.java0000644000175000017500000000470112311670312014610 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class Hello {

    public static void main(String argv[]) {
        System.out.println("Hello Krakatoa");
    }

}



/*
Local Variables:
compile-command: "make Hello.why3ide"
End:
*/


why-2.34/tests/java/Purse.java0000644000175000017500000000655212311670312014651 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no


class NoCreditException extends Exception {

    public NoCreditException() { }

}

public class Purse {

    private int balance;
    //@ invariant balance_non_negative: balance >= 0;

    /*@ requires true;
      @ assigns balance;
      @ ensures balance == 0;
      @*/
    public Purse() {
        balance = 0;
    }

    /*@ requires s >= 0;
      @ assigns balance;
      @ ensures balance == \old(balance) + s;
      @*/
    public void credit(int s) {
        balance += s;
    }

    /*@ requires s >= 0;
      @ assigns balance;
      @ ensures s <= \old(balance) && balance == \old(balance) - s;
      @ behavior amount_too_large:
      @   assigns \nothing;
      @   signals (NoCreditException) s > \old(balance) ;
      @*/
    public void withdraw(int s) throws NoCreditException {
        if (balance >= s)
            balance = balance - s;
        else
            throw new NoCreditException();
    }

    //@ ensures \result == balance;
    public int getBalance() {
        return balance;
    }

}



/*
Local Variables:
compile-command: "make Purse.why3ide"
End:
*/


why-2.34/tests/java/SimpleApplet.java0000644000175000017500000001203112311670312016137 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// JAVACARD: will ask regtests to use Java Card API for this program

/*****************************

Very basic Java Card Applet to check non-regression of basic Java Card support

thanks to Peter Trommler 

********************/



import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.OwnerPIN;
import javacard.security.*;

public class Card extends Applet {
	
    //##################################################
    //Instruction Variables
    //##################################################
    final static byte Card_Class = (byte)0x80;
    final static byte Card_Ins_Pin= (byte)0x02;
    final static byte Card_Ins_Auth=(byte)0x01;
    final static byte Card_Ins_Write= (byte) 0x05;
    final static byte Card_Ins_Del = (byte) 0x06;
    final static byte Card_Ins_Read = (byte) 0x07;
	
	
    //##################################################
    //Other Parameters
    //##################################################
    final static byte Key_Length = (byte) 0x84;
    final static short Data_Count = 10; 
    final static short Data_Len = 5;
    final static byte Term_Function_Writer =(byte) 0xAA;
    final static byte Term_Function_Reader = (byte)0x11;
	
    /**
     * Constructor for the Card.
     */
    Card(){
	// nothing to be done
    }

    //#####################################################
    //Applet Card install
    //####################################################
    public static void install(byte[] bArray, short bOffset, byte bLength) {
	// GP-compliant JavaCard applet registration
	new Card().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }
	
    //####################################################
    //Here starts the good part.
    //###################################################
    public void process(APDU apdu) {
	//When the applet is selected, the card will be initialised!		
	if (selectingApplet()) {
	    return;
	}
		
	byte[] buf = apdu.getBuffer();
		
	//Returns an error if the Class  is wrong.
	if(buf[ISO7816.OFFSET_CLA]!= Card_Class){
	    ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
	}
		
	switch (buf[ISO7816.OFFSET_INS]) {
	    //Here is where the Signature from the terminal will be checked
	    //and also here is where will be decided to what functions
	    //the Terminal will have access to.
				
	    //Calls the Read Method	
	case Card_Ins_Read:
	    // for now just return OK SW1SW2=0x9000
	    break;
				
	default:
	    // good practice: If you don't know the INStruction, say so:
	    ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
	}
	return;
    }
}


/*
Local Variables:
compile-command: "make SimpleApplet.why3ide"
End:
*/

why-2.34/tests/java/TreeMax.java0000644000175000017500000001072612311670312015116 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ TerminationPolicy = user

/*@ axiomatic integer_max {
  @   logic integer max(integer x, integer y);
  @   axiom max_is_ge : \forall integer x y; max(x,y) >= x && max(x,y) >= y;
  @   axiom max_is_some : \forall integer x y; max(x,y) == x || max(x,y) == y;
  @ }
  @*/

class Int {
    //@ ensures \result == max(x,y);
    public static int max(int x, int y);
}

/*@ axiomatic Mem {
  @   predicate mem{L}(int x, Tree t);
  @   axiom mem_null{L}: \forall int x; ! mem(x,null);
  @   axiom mem_root{L}: \forall Tree t; t != null ==>
  @     mem(t.value,t);
  @   axiom mem_root_eq{L}: \forall int x, Tree t; t != null ==>
  @     x==t.value ==> mem(x,t);
  @   axiom mem_left{L}: \forall int x, Tree t; t != null ==>
  @     mem(x,t.left) ==> mem(x,t);
  @   axiom mem_right{L}: \forall int x, Tree t; t != null ==>
  @     mem(x,t.right) ==> mem(x,t);
  @   axiom mem_inversion{L}: \forall int x, Tree t;
  @     mem(x,t) ==> t != null &&
  @       (x==t.value || mem(x,t.left) || mem(x,t.right));
  @ }
  @*/

/* attempt to prove termination, not succesful yet */
/* axiomatic Finite {
  @   predicate has_size{L}(Tree t, integer s);
  @   axiom has_size_null{L}: has_size(null,0);
  @   axiom has_size_non_null{L}: \forall Tree t; t != null ==>
  @     \forall integer s1 s2;
  @     has_size(t.left,s1) && has_size(t.right,s2) ==>
  @     has_size(t,s1+s2+1) ;
  @   axiom has_size_inversion{L}: \forall Tree t, integer s;
  @     has_size(t,s) ==>
  @       (t == null && s == 0) ||
  @       (t != null && \exists integer s1 s2;
  @            has_size(t.left,s1) && has_size(t.right,s2) &&
  @            0 <= s1 && 0 <= s2 && s == s1+s2+1) ;
  @   predicate size_decreases{L}(Tree t1, Tree t2) =
  @     \exists integer s1 s2; has_size(t1,s1) && has_size(t2,s2) && s1 > s2;
  @ }
  @*/

class Tree {

    int value;
    Tree left;
    Tree right;

    /*@ // requires \exists integer s; has_size(this,s);
      @ // decreases this for size_decreases;
      @ ensures mem(\result,this) &&
      @   \forall int x; mem(x,this) ==> \result >= x;
      @*/
    int tree_max() {
        int m = value;
        if (left != null) m = Int.max(m,left.tree_max());
        if (right != null) m = Int.max(m,right.tree_max());
        return m;
    }

}

why-2.34/tests/java/TestNonNull.java0000644000175000017500000000536612311670312016002 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ NonNullByDefault = all


class TestNonNull {

    static final int N = 2;

    static int[] st;
    //@ static invariant st_length: st.length >= 4;

    int[] t;
    //@ invariant t_length: t.length >= 4;

    TestNonNull() {
	t = new int[5];
	//@ assert t.length == 5;
    }


    //@ requires t.length >= 4;
    void test(int[] t) {
	int _i = t[3];
	t[2] = 1;
	int _j = t[N];
	t[N + 1] = 1;
	st[3] == 1;
    }

}

/*
Local Variables:
compile-command: "make TestNonNull.why3ide"
End:
*/


why-2.34/tests/java/Fibonacci.java0000644000175000017500000000630112311670312015420 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNCOQ: will ask regtests to check Coq proofs of this program

// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no

/*@ inductive isfib(integer x, integer r) {
  @  case isfib0: isfib(0,0);
  @  case isfib1: isfib(1,1);
  @  case isfibn: 
  @   \forall integer n r p; 
  @     n >= 2 && isfib(n-2,r) && isfib(n-1,p) ==> isfib(n,p+r);
  @ }
  @*/ 

//@ lemma isfib_2_1 : isfib(2,1);
//@ lemma isfib_6_8 : isfib(6,8);

// provable only if def is inductive (least fix point)
//@ lemma not_isfib_2_2 : ! isfib(2,2);

public class Fibonacci {

    /*@ requires n >= 0;
      @ ensures isfib(n, \result); 
      @*/
    public static long Fib(int n) {
	long y=0, x=1, aux;

	/*@ loop_invariant 0 <= i <= n && isfib(i+1,x) && isfib(i,y);
	  @ loop_variant n-i;
	  @*/
	for(int i=0; i < n; i++) {
	    aux = y;
	    y = x;
	    x = x + aux;
	}
	return y;
    }
}

/*
Local Variables:
compile-command: "make Fibonacci.why3ide"
End:
*/


why-2.34/tests/java/Power.java0000644000175000017500000000716212311670312014645 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no


/*@ axiomatic Power {
  @   logic integer power(integer x, integer n);
  @   axiom power_0: \forall integer x; power(x,0) == 1;
  @   axiom power_s: \forall integer x n; power(x,n+1) == x*power(x,n);
  @ }
  @*/

/*@ lemma power_mul:
  @   \forall integer x y n; n >= 0 ==> power(x*y,n) == power(x,n)*power(y,n);
  @*/

/*@ lemma power_even:
  @   \forall integer x n; n >= 0 && n % 2 == 0 ==> power(x,n) == power(x*x,n/2);
  @*/

/*@ lemma power_odd:
  @   \forall integer x n; n >= 0 && n % 2 != 0 ==> power(x,n) == x*power(x*x,n/2);
  @*/


class Power {

    // recursive implementation

    /*@ requires 0 <= n;
      @ decreases n;
      @ ensures \result == power(x,n);
      @*/
    static long rec(long x, int n) {
        if ( n == 0) return 1;
        long r = rec(x, n/2);
        if ( n % 2 == 0 ) return r*r;
        return r*r*x;
    }


    // non-recursive implementation

    /*@ requires 0 <= n;
      @ ensures \result == power(x,n);
      @*/
    static long imp(long x, int n) {
        long r = 1, p = x;
        int e = n;

        /*@ loop_invariant
          @   0 <= e && r * power(p,e) == power(x,n);
          @ loop_variant e;
          @*/
        while (e > 0) {
            if (e % 2 != 0) r *= p;
            p *= p;
            e /= 2;
        }
        return r;
    }

}

why-2.34/tests/java/MullerTheory.java0000755000175000017500000000631612311670312016207 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* File Muller.java */

//@+ CheckArithOverflow = no
//@+ SeparationPolicy = Regions

//@ import tests.spec.NumOfPos;

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i j k l, int t[];
  @       j < k && k <= l && t[k] > 0 ==> 
  @       num_of_pos(i,j,t) < num_of_pos(i,l,t);
  @*/

public class MullerTheory {

    /*@ requires t!=null;
      @*/
    public static int[] m(int t[]) {
	int count = 0;
	
	/*@ loop_invariant
	  @    0 <= i <= t.length && 
	  @    0 <= count <= i && 
	  @    count == num_of_pos(0,i-1,t) ; 
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) if (t[i] > 0) count++;
	
	int u[] = new int[count];
	count = 0;
	
	/*@ loop_invariant
	  @    0 <= i <= t.length && 
	  @    0 <= count <= i && 
	  @    count == num_of_pos(0,i-1,t);
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) {
	    if (t[i] > 0) u[count++] = t[i];
	}
	return u;
    }
}

/* End of file Muller.java */
why-2.34/tests/java/SideEffects.java0000644000175000017500000000532512311670312015734 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

class SideEffects {

    /*@ requires t.length > 10;
      @*/
    void m1(int t[]) {
	int i = 0;
	t[i++] = 1;
	//@ assert t[0] == 1 && i == 1;
	t[++i] = 2;
	//@ assert t[0] == 1 && t[2] == 2 && i == 2;
	t[--i] = 3;
	//@ assert t[0] == 1 && t[2] == 2 && t[1] == 3 && i == 1;
	t[i--] = 4;
	//@ assert t[0] == 1 && t[2] == 2 && t[1] == 4 && i == 0;
    }

}


/*
Local Variables:
compile-command: "make SideEffects.why3ide"
End:
*/


why-2.34/tests/java/Fresh3.java0000644000175000017500000000550612311670312014703 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ SeparationPolicy = None

class Int { int f; }

class Fresh3 {

  Int i;

/*@ assigns this.i;
  @ allocates this.i;
  @ ensures this.i != null && \fresh(this.i);
  @*/
void create() {
    this.i = new Int();
}

/*@ requires f != null && this.i != null && this != f;
  @*/
void test(Fresh3 f) {
  f.create();
  //@ assert this.i != f.i;
}

static void smoke_detector() {
    Fresh3 s1, s2;
    s1 = new Fresh3();
    s2 = new Fresh3();
    s1.create();
    s2.create();
    //@ assert 0 == 1;
}

}

/*
Local Variables:
compile-command: "LC_ALL=C make Fresh3.why3"
End:
*/
why-2.34/tests/java/Bug_sort_exns.java0000644000175000017500000000457112311670312016373 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

public class Bug_sort_exns {
    public static void exn() {
        throw new IllegalArgumentException();
    }
}
why-2.34/tests/java/Sort2.java0000644000175000017500000001050512311670312014555 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/



//@+ TerminationPolicy = user

//@+ CheckArithOverflow = no

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i; l <= i < h ==> a[i] <= a[i+1] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ axiomatic Permut {
  @  predicate Permut{L1,L2}(int a[], integer l, integer h);
  @  axiom Permut_refl{L}: 
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  axiom Permut_sym{L1,L2}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  axiom Permut_trans{L1,L2,L3}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==> 
  @        Permut{L1,L3}(a, l, h) ;
  @  axiom Permut_swap{L1,L2}: 
  @    \forall int a[], integer l h i j; 
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==> 
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class Sort {

    /*@ requires t != null && 
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }
    
    /*@ requires t != null;
      @ ensures Sorted(t,0,t.length-1) && Permut{Old,Here}(t,0,t.length-1);
      @*/
    void min_sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i && Sorted(t,0,i) && 
	  @   (\forall integer k1 k2 ; 
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) &&
	  @     Permut{Pre,Here}(t,0,t.length-1);
	  @*/
	for (i=0; i t[k] >= mv) &&
	      @ Permut{Pre,Here}(t,0,t.length-1);
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) { 
		    mi = j ; mv = t[j]; 
		}
	    }
	    swap(t,i,mi);
	}
    }

}
why-2.34/tests/java/MyCosine.java0000644000175000017500000000707212311670312015277 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ lemma method_error: \forall real x;
  @     \real_abs(x) <= 0x1p-5 ==> \real_abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  @*/

class MyCosine {

/*@ requires \real_abs(x) <= 0x1p-5;
  @ ensures \real_abs(\result - \cos(x)) <= 0x1p-23;
  @*/
static float my_cos1(float x) {
  //@ assert \real_abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  return 1.0f - x * x * 0.5f;
}

/* requires \real_abs(x) <= 0x1p-5 && \round_error(x) == 0.0;
  @ ensures \real_abs(\result - \cos(x)) <= 0x1p-23;
  @*/
static float my_cos2(float x) {
  // assert \exact(x) == x;
  float r = 1.0f - x * x * 0.5f;
  // assert \real_abs(\exact(r) - \cos(x)) <= 0x1p-24;
  return r;
}


/* requires \real_abs(\exact(x)) <= 0x1p-5
  @     && \round_error(x) <= 0x1p-20;
  @ ensures \real_abs(\exact(\result) - \cos(\exact(x))) <= 0x1p-24
  @     && \round_error(\result) <= \round_error(x) + 0x3p-24;
  @*/
static float my_cos3(float x) {
  float r = 1.0f - x * x * 0.5f;
  // assert \real_abs(\exact(r) - \cos(\exact(x))) <= 0x1p-24;  // by interval
  return r;
}

/*@ requires \real_abs(x) <= 0.07 ;
  @ ensures \real_abs(\result - \cos(x)) <= 0x1.3p-20;
  @*/
static float my_cos4(float x) {
  //@ assert \real_abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1.2p-20;
  return 1.0f - x * x * 0.5f;
}

}


/*
Local Variables:
compile-command: "krakatoa MyCosine.java"
End:
*/


why-2.34/tests/java/Fresh2.java0000644000175000017500000000562412311670312014703 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ SeparationPolicy = None

class Fresh2 {

    int x;

    /*@ assigns \nothing;
      @ allocates this;
      @ ensures \fresh(this);
      @*/
    Fresh2 ();

    /*@ assigns \nothing;
      @ allocates \result;
      @ ensures \result != null && \fresh(\result);
      @*/
    static Fresh2 create() {
        return new Fresh2();
    }

    void test() {
        Fresh2 f;
        f = create ();
        //@ assert this != f;
    }

    static void smoke_detector() {
        Fresh2 _s1 = create ();
        Fresh2 _s2 = create ();
        //@ assert 0 == 1;
    }

}


/*
Local Variables:
compile-command: "LC_ALL=C make Fresh2.why3ide"
End:
*/
why-2.34/tests/java/SimpleAlloc.java0000644000175000017500000000525712311670312015760 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class Node {
    int val;

    /*@ assigns \nothing;
      @ allocates this;
      @ ensures this.val == 0;
      @*/
    Node(){}
}

class test {
    Node[] x;

    /*@ requires x != null && x.length == 10  ;
      @ assigns x[0];
      @ allocates x[0];
      @ ensures x[0] != null;
      @*/
    void test() {
        x[0]=new Node();
    }
}




/*
Local Variables:
compile-command: "make SimpleAlloc.why3ide"
End:
*/

why-2.34/tests/java/BinarySearch.java0000644000175000017500000001020112311670312016107 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY this tells regtests to run Simplify in this example

//+ CheckArithOverflow = yes

/* lemma mean_property1 :
  @   \forall integer x y; x <= y ==> x <= (x+y)/2 <= y;
  @*/

/* lemma mean_property2 :
  @   \forall integer x y; x <= y ==> x <= x+(y-x)/2 <= y;
  @*/

/* lemma div2_property :
  @   \forall integer x; 0 <= x ==> 0 <= x/2 <= x;
  @*/

/*@ predicate is_sorted{L}(int[] t) =
  @   t != null &&
  @   \forall integer i j;
  @     0 <= i && i <= j && j < t.length ==> t[i] <= t[j] ;
  @*/


class BinarySearch {

    /* binary_search(t,v) search for element v in array t
       between index 0 and t.length-1
       array t is assumed to be sorted in increasing order
       returns an index i between 0 and t.length-1 where t[i] equals v,
       or -1 if no element in t is equal to v
    */

    /*@ requires t != null;
      @ ensures -1 <= \result < t.length;
      @ behavior success:
      @   ensures \result >= 0 ==> t[\result] == v;
      @ behavior failure:
      @  assumes is_sorted(t);
      @  // assumes
      @  //   \forall integer k1 k2;
      @  //      0 <= k1 <= k2 <= t.length-1 ==> t[k1] <= t[k2];
      @  ensures \result == -1 ==>
      @    \forall integer k; 0 <= k < t.length ==> t[k] != v;
      @*/
    static int binary_search(int t[], int v) {
	int l = 0, u = t.length - 1;
	/*@ loop_invariant
	  @   0 <= l && u <= t.length - 1;
	  @ for failure:
	  @  loop_invariant
	  @    \forall integer k; 0 <= k < t.length ==> t[k] == v ==> l <= k <= u;
	  @ loop_variant
	  @   u-l ;
	  @*/
	while (l <= u ) {
	    int m;
            m = (u + l) / 2;
            // fix: m = l + (u - l) / 2;
            // the following assertion helps provers
            //@ assert l <= m <= u;
	    if (t[m] < v) l = m + 1;
	    else if (t[m] > v) u = m - 1;
	    else return m;
	}
	return -1;
    }

}

/*
Local Variables:
compile-command: "make BinarySearch.why3ide"
End:
*/


why-2.34/tests/java/Arrays.java0000644000175000017500000001057212311670312015011 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

/* is_max(t,i,l) is true whenever t[i] is the maximum of t[0]..t[l-1]
 * l is an integer and not an int, because used as t.length which 
 * (in the logic) returns an integer and not an int 
 */
/*@ predicate is_max{L}(int[] t,int i,integer l) =
  @   t != null && 0 <= i < l <= t.length &&
  @   (\forall integer j; 0 <= j < l ==> t[j] <= t[i]) ;
  @*/

public class Arrays {

    /*@ requires t != null && 1 <= t.length <= 32767;
      @ behavior max_found:
      @   ensures 
      @      0 <= \result < t.length && 
      @      (\forall integer i; 
      @           0 <= i < t.length ==> t[i] <= t[\result]);
      @*/
    public static short findMax(int[] t) {
	int m = t[0];
	short r = 0;
        /*@ loop_invariant 
          @   1 <= i <= t.length && 0 <= r < t.length &&
          @   m == t[r] && (\forall integer j; 0 <= j < i ==> t[j] <= m);
          @ loop_variant t.length-i;
          @*/
	for (short i=1; i < t.length; i++) {
	    if (t[i] > m) {
		r = i; 
		m = t[i];
	    }
	}
	return r;
    }

    /*@ requires t != null && t.length >= 1;
      @ behavior max_found:
      @  ensures 
      @      0 <= \result < t.length && 
      @      is_max(t,\result,t.length) ;
      @*/
    public static int findMax2(int[] t) {
	int m = t[0];
	int r = 0; 
	/*@ loop_invariant 
	  @   1 <= i <= t.length && 0 <= r < t.length &&
          @   m == t[r] && is_max(t,r,i) ;
	  @ loop_variant t.length-i;
	  @*/
	for (int i=1; i < t.length; i++) {
	    if (t[i] > m) {
		r = i; 
		m = t[i];
	    }
	}
	return r;
    }


    /*@ requires t != null ;
      @ ensures 
      @   \forall integer i; 0 < i < t.length ==> t[i] == \old(t[i-1]);
      @*/
    public static void arrayShift(int[] t) {
	/*@ loop_invariant 
	  @   j < t.length &&
	  @   (t.length > 0 ==>
	  @     (0 <= j && 
          @     (\forall integer i; 0 <= i <= j ==> t[i] == \at(t[i],Pre)) &&
          @     (\forall integer i; j < i < t.length ==> t[i] == \at(t[i-1],Pre))));
	  @ loop_variant j;
	  @*/
      for (int j = t.length-1 ; j > 0 ; j--) {
	  t[j] = t[j-1];
	}
    }


}


/*
Local Variables: 
compile-command: "make Arrays.why3ide"
End: 
*/

why-2.34/tests/java/Termination.java0000644000175000017500000000530512311670312016037 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

class Termination {

    void loop1(int n) { 
	//@ loop_variant n;
	while (n > 0) n--; 
    }

    void loop2(int n) { 
	//@ loop_variant 100-n;
	while (n < 100) n++; 
    }

    //@ ensures \result == 0;
    int loop3() {
	int i = 100;
	/*@ loop_invariant 0 <= i <= 100;
	  @ loop_variant i;
	  @*/
	while (i > 0) i--;
	return i;
    }

}


/*
Local Variables:
compile-command: "make Termination.why3ide"
End:
*/


why-2.34/tests/java/Gcd.java0000644000175000017500000001071712311670312014246 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

/* complements for non-linear integer arithmetic */

/*@ lemma distr_right:
  @   \forall integer x y z; x*(y+z) == (x*y)+(x*z);
  @*/

/*@ lemma distr_left:
  @   \forall integer x y z; (x+y)*z == (x*z)+(y*z);
  @*/

/*@ lemma distr_right_minus:
  @   \forall integer x y z; x*(y-z) == (x*y)-(x*z);
  @*/

/*@ lemma distr_left_minus:
  @   \forall integer x y z; (x-y)*z == (x*z)-(y*z);
  @*/

/*@ lemma mul_comm:
  @   \forall integer x y; x*y == y*x;
  @*/

/*@ lemma mul_assoc:
  @   \forall integer x y z; x*(y*z) == (x*y)*z;
  @*/

/*@ predicate divides(integer x, integer y) =
  @   \exists integer q; y == q*x ;
  @*/

/*@ lemma div_mod_property:
  @  \forall integer x y;
  @    x >=0 && y > 0 ==> x%y  == x - y*(x/y);
  @*/

/*@ lemma mod_property:
  @  \forall integer x y;
  @    x >=0 && y > 0 ==> 0 <= x%y && x%y < y;
  @*/

/*@ predicate isGcd(integer a, integer b, integer d) =
  @   divides(d,a) && divides(d,b) &&
  @     \forall integer z;
  @     divides(z,a) && divides(z,b) ==> divides(z,d) ;
  @*/

/*@ lemma gcd_zero :
  @   \forall integer a; isGcd(a,0,a) ;
  @*/

/*@ lemma gcd_property :
  @   \forall integer a b d;
  @      a >= 0 && b > 0 && isGcd(b,a % b,d) ==> isGcd(a,b,d) ;
  @*/

class Gcd {

    /*@ requires x >= 0 && y >= 0;
      @ behavior resultIsGcd:
      @   ensures isGcd(x,y,\result) ;
      @ behavior bezoutProperty:
      @   ensures \exists integer a b; a*x+b*y == \result;
      @*/
    static int gcd(int x, int y) {
        //@ ghost integer a = 1, b = 0, c = 0, d = 1;
        /*@ loop_invariant
          @    x >= 0 && y >= 0 &&
	  @    (\forall integer d ;  isGcd(x,y,d) ==>
	  @        \at(isGcd(x,y,d),Pre)) &&
          @    a*\at(x,Pre)+b*\at(y,Pre) == x &&
          @    c*\at(x,Pre)+d*\at(y,Pre) == y ;
          @ loop_variant y;
          @*/
        while (y > 0) {
            int r = x % y;
            //@ ghost integer q = x / y;
            x = y;
            y = r;
            //@ ghost integer ta = a, tb = b;
            //@ ghost a = c;
	    //@ ghost b = d;
            //@ ghost c = ta - c * q;
            //@ ghost d = tb - d * q;
        }
        return x;
    }

}




/*
Local Variables:
compile-command: "make Gcd.why3ide"
End:
*/

why-2.34/tests/java/Switch.java0000644000175000017500000000574412311670312015016 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

public class Switch {

    /*@ behavior normal:
      @   assigns \nothing;
      @   ensures (n==0 || n==1) <==> \result == 0;
      @*/
    public static int test1 (int n) {
	int r;
	switch(n) {
	case 0:
	case 1:
	    r = 0;
	    break;
	default:
	    r = 2;
	}
	return r;
    }

    /*@ behavior normal:
      @   assigns \nothing;
      @   ensures ((n==4 || n==7) <==> \result == 1) &&
      @            ((n==0 || n==1) <==> \result == 0);
      @*/
    public static int test2 (int n) {
	int r;
	switch(n) {
	case 0:
	case 1:
	    r = 0;
	    break;
	case 4:
	case 7:
	    r = 1;
	    break;
	case 12:
	default:
	case 26:
	    r = 2;
	}
	return r;
    }

}

/*
Local Variables:
compile-command: "make Switch.why3ide"
End:
*/

why-2.34/tests/java/Duplets.java0000644000175000017500000001234512311670312015170 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 3: Two equal elements

Given: An integer array a of length n+2 with n>=2. It is known that at
least two values stored in the array appear twice (i.e., there are at
least two duplets).

Implement and verify a program finding such two values.

You may assume that the array contains values between 0 and n-1.
*/


class Integer {
    int value;
    /*@ ensures this.value == a;
      @*/
    Integer(int a) {
        value = a;
    }
}

class Pair {
    int x,y;
    /*@ ensures this.x == a && this.y == b;
      @*/
    Pair(int a,int b) {
        x = a; y = b;
    }
}

class Quadruple {
    int x,y,z,t;
    /*@ ensures this.x == a && this.y == b &&
      @         this.z == c && this.t == d;
      @*/
    Pair(int a,int b,int c,int d) {
        x = a; y = b; z = c; t = d;
    }
}

/* equality between an integer and a possibly null Integer object */
/*@ predicate eq_opt{L}(integer x, Integer o) =
  @   o != null && x == o.value;
  @*/

/* A duplet in array a is a pair of indexes (i,j) in the bounds of array
   a such that a[i] = a[j] */
/*@ predicate is_duplet{L}(int a[], integer i, integer j) =
  @    0 <= i < j < a.length && a[i] == a[j];
  @*/

class Duplets {

    /* duplet(a) returns the indexes (i,j) of a duplet in a.
     * moreover, if except is not null, the value of this duplet must
     * be different from it.
     */
    /*@ requires 2 <= a.length &&
      @   \exists integer i j;
      @     is_duplet(a,i,j) && ! eq_opt(a[i],except) ;
      @ ensures
      @   is_duplet(a,\result.x,\result.y) &&
      @   ! eq_opt(a[\result.x],except); 
      @*/
    Pair duplet(int a[], Integer except) {
        /*@ loop_invariant
          @  \forall integer k l; 0 <= k < i && k < l < a.length ==>
          @    ! eq_opt(a[k],except) ==> ! is_duplet(a,k,l);
          @ loop_variant a.length - i;
          @*/
        for(int i=0; i <= a.length - 2; i++) {
            int v = a[i];
            if (except != null && except.value != v) {
                /*@ loop_invariant
                  @   \forall integer l; i < l < j ==> ! is_duplet(a,i,l);
                  @ loop_variant a.length - j;
                  @*/
                for (int j=i+1; j < a.length; j++) {
                    if (a[j] == v) {
                        return new Pair(i, j);
                    }
                }
            }
        }
        // assert \forall integer i j; ! is_duplet(a,i,j);
        //@ assert false;
        return null;
    }


    /* requires 4 <= a.length && \exists integer i j k l;
      @   is_duplet(a,i,j) && is_duplet(a,k,l) && a[i] != a[k];
      @ ensures is_duplet(a,\result.x,\result.y) &&
      @   is_duplet(a,\result.z,\result.t) &&
      @   a[\result.x] != a[\result.z];
      @*/
    Quadruple duplets(int a[]) {
        Pair p = duplet(a,null);
        Pair q = duplet(a,new Integer(a[p.x]));
        return new Quadruple(p.x,p.y,q.x,q.y);
    }
   

}

/*
Local Variables:
compile-command: "make Duplets.why3ide"
End:
*/

why-2.34/tests/java/Muller.java0000644000175000017500000001010312311670312014776 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ SeparationPolicy = Regions

/*@ axiomatic NumOfPos {
  @  logic integer num_of_pos{L}(integer i,integer j,int t[]);
  @  axiom num_of_pos_empty{L} :
  @   \forall integer i j, int t[];
  @    i >= j ==> num_of_pos(i,j,t) == 0;
  @  axiom num_of_pos_true_case{L} :
  @   \forall integer i j, int t[];
  @       i < j && t[j-1] > 0 ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t) + 1;
  @  axiom num_of_pos_false_case{L} :
  @   \forall integer i j, int t[];
  @       i < j && ! (t[j-1] > 0) ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t);
  @ }
  @*/


/*@ lemma num_of_pos_non_negative{L} :
  @   \forall integer i j, int t[]; 0 <= num_of_pos(i,j,t);
  @*/

/*@ lemma num_of_pos_additive{L} :
  @   \forall integer i j k, int t[]; i <= j <= k ==>
  @       num_of_pos(i,k,t) == num_of_pos(i,j,t) + num_of_pos(j,k,t);
  @*/

/*@ lemma num_of_pos_increasing{L} :
  @   \forall integer i j k, int t[];
  @       j <= k ==> num_of_pos(i,j,t) <= num_of_pos(i,k,t);
  @*/

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i n, int t[];
  @       0 <= i < n && t[i] > 0 ==>
  @       num_of_pos(0,i,t) < num_of_pos(0,n,t);
  @*/

public class Muller {

    /*@ requires t != null;
      @*/
    public static int[] m(int t[]) {
	int count = 0;

	/*@ loop_invariant
	  @    0 <= i <= t.length &&
	  @    0 <= count <= i &&
	  @    count == num_of_pos(0,i,t) ;
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) if (t[i] > 0) count++;

	int u[] = new int[count];
	count = 0;

	/*@ loop_invariant
	  @    0 <= i <= t.length &&
	  @    0 <= count <= i &&
	  @    count == num_of_pos(0,i,t);
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) {
	    if (t[i] > 0) u[count++] = t[i];
	}
	return u;
    }

}

/*
Local Variables:
compile-command: "make Muller.why3ide"
End:
*/
why-2.34/tests/java/Literals.java0000644000175000017500000000475512311670312015335 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class Literals {

    public static final int x = 0xbad;

    /*@ ensures \result == 5991;
      @*/
    int f() {
	int y = 0xbad;
	return y+x+015;
    }

}


/*
Local Variables:
compile-command: "make Literals.why3ide"
End:
*/


why-2.34/tests/java/Sort.java0000644000175000017500000001101312311670312014466 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ TerminationPolicy = user

//@+ CheckArithOverflow = no

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i; l <= i < h ==> a[i] <= a[i+1] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ axiomatic Permut {
  @  predicate Permut{L1,L2}(int a[], integer l, integer h);
  @  axiom Permut_refl{L}:
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  axiom Permut_sym{L1,L2}:
  @    \forall int a[], integer l h;
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  axiom Permut_trans{L1,L2,L3}:
  @    \forall int a[], integer l h;
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==>
  @        Permut{L1,L3}(a, l, h) ;
  @  axiom Permut_swap{L1,L2}:
  @    \forall int a[], integer l h i j;
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==>
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class Sort {

    /*@ requires t != null &&
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }

    /*@ requires t != null;
      @ behavior sorted:
      @   ensures Sorted(t,0,t.length-1);
      @ behavior permutation:
      @   ensures Permut{Old,Here}(t,0,t.length-1);
      @*/
    void min_sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i;
	  @ for sorted:
	  @  loop_invariant Sorted(t,0,i) &&
	  @   (\forall integer k1 k2 ;
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) ;
	  @ for permutation:
	  @   loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	  @*/
	for (i=0; i t[k] >= mv);
	      @ for permutation:
	      @  loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) {
		    mi = j ; mv = t[j];
		}
	    }
	    swap(t,i,mi);
	}
    }

}
why-2.34/tests/java/oracle/0000755000175000017500000000000012311670312014145 5ustar  rtuserswhy-2.34/tests/java/oracle/TestNonNull.err.oracle0000644000175000017500000000006512311670312020351 0ustar  rtusersgenerating logic fun t_length with one default label
why-2.34/tests/java/oracle/SideEffects.res.oracle0000644000175000017500000061761212311670312020325 0ustar  rtusers========== file tests/java/SideEffects.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

class SideEffects {

    /*@ requires t.length > 10;
      @*/
    void m1(int t[]) {
	int i = 0;
	t[i++] = 1;
	//@ assert t[0] == 1 && i == 1;
	t[++i] = 2;
	//@ assert t[0] == 1 && t[2] == 2 && i == 2;
	t[--i] = 3;
	//@ assert t[0] == 1 && t[2] == 2 && t[1] == 3 && i == 1;
	t[i--] = 4;
	//@ assert t[0] == 1 && t[2] == 2 && t[1] == 4 && i == 0;
    }

}


/*
Local Variables:
compile-command: "make SideEffects.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_SideEffects for constructor SideEffects
Generating JC function SideEffects_m1 for method SideEffects.m1
Done.
========== file tests/java/SideEffects.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag SideEffects = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_SideEffects(! SideEffects[0] this_1){()}

unit SideEffects_m1(SideEffects[0] this_0, intM[0..] t)
  requires (K_1 : ((\offset_max(t) + 1) > 10));
{  
   {  
      (var integer i = (K_36 : 0));
      
      {  (K_3 : ((t + (K_2 : (i ++))).intP = 1));
         (K_7 : 
         (assert (K_6 : ((K_5 : ((t + 0).intP == 1)) && (K_4 : (i == 1))))));
         (K_9 : ((t + (K_8 : (++ i))).intP = 2));
         (K_15 : 
         (assert (K_14 : ((K_13 : ((K_12 : ((t + 0).intP == 1)) &&
                                    (K_11 : ((t + 2).intP == 2)))) &&
                           (K_10 : (i == 2))))));
         (K_17 : ((t + (K_16 : (-- i))).intP = 3));
         (K_25 : 
         (assert (K_24 : ((K_23 : ((K_22 : ((K_21 : ((t + 0).intP == 1)) &&
                                             (K_20 : ((t + 2).intP == 2)))) &&
                                    (K_19 : ((t + 1).intP == 3)))) &&
                           (K_18 : (i == 1))))));
         (K_27 : ((t + (K_26 : (i --))).intP = 4));
         (K_35 : 
         (assert (K_34 : ((K_33 : ((K_32 : ((K_31 : ((t + 0).intP == 1)) &&
                                             (K_30 : ((t + 2).intP == 2)))) &&
                                    (K_29 : ((t + 1).intP == 4)))) &&
                           (K_28 : (i == 0))))))
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/SideEffects.jloc tests/java/SideEffects.jc && make -f tests/java/SideEffects.makefile gui"
End:
*/
========== file tests/java/SideEffects.jloc ==========
[K_30]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 25
end = 34

[K_23]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 47

[K_33]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 47

[K_17]
file = "HOME/tests/java/SideEffects.java"
line = 44
begin = 1
end = 11

[K_11]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 25
end = 34

[K_25]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 57

[K_13]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 34

[K_9]
file = "HOME/tests/java/SideEffects.java"
line = 42
begin = 1
end = 11

[K_28]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 51
end = 57

[K_1]
file = "HOME/tests/java/SideEffects.java"
line = 36
begin = 17
end = 30

[K_15]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 44

[K_4]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 25
end = 31

[K_12]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 21

[K_34]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 57

[K_20]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 25
end = 34

[K_2]
file = "HOME/tests/java/SideEffects.java"
line = 40
begin = 3
end = 6

[K_29]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 38
end = 47

[K_10]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 38
end = 44

[K_35]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 57

[K_6]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 31

[K_8]
file = "HOME/tests/java/SideEffects.java"
line = 42
begin = 3
end = 6

[K_3]
file = "HOME/tests/java/SideEffects.java"
line = 40
begin = 1
end = 11

[K_31]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 21

[cons_SideEffects]
name = "Constructor of class SideEffects"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_32]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 34

[K_27]
file = "HOME/tests/java/SideEffects.java"
line = 46
begin = 1
end = 11

[K_21]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 21

[K_24]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 57

[K_14]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 44

[K_36]
file = "HOME/tests/java/SideEffects.java"
line = 39
begin = 9
end = 10

[K_19]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 38
end = 47

[K_5]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 21

[K_18]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 51
end = 57

[SideEffects_m1]
name = "Method m1"
file = "HOME/tests/java/SideEffects.java"
line = 38
begin = 9
end = 11

[K_7]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 31

[K_26]
file = "HOME/tests/java/SideEffects.java"
line = 46
begin = 3
end = 6

[K_22]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 34

[K_16]
file = "HOME/tests/java/SideEffects.java"
line = 44
begin = 3
end = 6

========== jessie execution ==========
Generating Why function cons_SideEffects
Generating Why function SideEffects_m1
========== file tests/java/SideEffects.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs SideEffects.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs SideEffects.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/SideEffects_why.sx

project: why/SideEffects.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/SideEffects_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/SideEffects_why.vo

coq/SideEffects_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/SideEffects_why.v: why/SideEffects.why
	@echo 'why -coq [...] why/SideEffects.why' && $(WHY) $(JESSIELIBFILES) why/SideEffects.why && rm -f coq/jessie_why.v

coq-goals: goals coq/SideEffects_ctx_why.vo
	for f in why/*_po*.why; do make -f SideEffects.makefile coq/`basename $$f .why`_why.v ; done

coq/SideEffects_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/SideEffects_ctx_why.v: why/SideEffects_ctx.why
	@echo 'why -coq [...] why/SideEffects_ctx.why' && $(WHY) why/SideEffects_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export SideEffects_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/SideEffects_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/SideEffects_ctx_why.vo

pvs: pvs/SideEffects_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/SideEffects_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/SideEffects_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/SideEffects_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/SideEffects_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/SideEffects_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/SideEffects_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/SideEffects_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/SideEffects_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/SideEffects_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/SideEffects_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/SideEffects_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/SideEffects_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/SideEffects_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/SideEffects_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: SideEffects.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/SideEffects_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: SideEffects.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: SideEffects.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: SideEffects.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include SideEffects.depend

depend: coq/SideEffects_why.v
	-$(COQDEP) -I coq coq/SideEffects*_why.v > SideEffects.depend

clean:
	rm -f coq/*.vo

========== file tests/java/SideEffects.loc ==========
[JC_73]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 38
end = 47

[JC_63]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 44

[JC_80]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 25
end = 34

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_SideEffects_ensures_default]
name = "Constructor of class SideEffects"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 21

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
kind = PointerDeref
file = "HOME/tests/java/SideEffects.jc"
line = 80
begin = 18
end = 48

[JC_85]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 38
end = 47

[JC_31]
file = "HOME/tests/java/SideEffects.jc"
line = 55
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 38
end = 44

[JC_55]
kind = PointerDeref
file = "HOME/tests/java/SideEffects.jc"
line = 72
begin = 17
end = 46

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/SideEffects.jc"
line = 51
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 38
end = 47

[JC_9]
file = "HOME/tests/java/SideEffects.jc"
line = 42
begin = 8
end = 21

[JC_75]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 57

[JC_24]
file = "HOME/tests/java/SideEffects.jc"
line = 50
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/SideEffects.jc"
line = 51
begin = 11
end = 103

[JC_78]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 31

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 51
end = 57

[JC_47]
file = "HOME/tests/java/SideEffects.java"
line = 36
begin = 17
end = 30

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/SideEffects.jc"
line = 50
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 21

[JC_13]
file = "HOME/tests/java/SideEffects.jc"
line = 45
begin = 11
end = 66

[JC_82]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 44

[JC_87]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 57

[JC_11]
file = "HOME/tests/java/SideEffects.jc"
line = 42
begin = 8
end = 21

[JC_70]
kind = PointerDeref
file = "HOME/tests/java/SideEffects.jc"
line = 86
begin = 18
end = 48

[JC_15]
file = "HOME/tests/java/SideEffects.jc"
line = 45
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 51
end = 57

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[SideEffects_m1_safety]
name = "Method m1"
behavior = "Safety"
file = "HOME/tests/java/SideEffects.java"
line = 38
begin = 9
end = 11

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 21

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 57

[JC_38]
file = "HOME/tests/java/SideEffects.jc"
line = 57
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 38
end = 44

[JC_88]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 21

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 25
end = 34

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 21

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 12
end = 21

[JC_29]
file = "HOME/tests/java/SideEffects.jc"
line = 55
begin = 8
end = 23

[JC_68]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 51
end = 57

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/SideEffects.jc"
line = 44
begin = 10
end = 18

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 25
end = 34

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/SideEffects.jc"
line = 44
begin = 10
end = 18

[JC_90]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 38
end = 47

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/SideEffects.jc"
line = 48
begin = 8
end = 30

[SideEffects_m1_ensures_default]
name = "Method m1"
behavior = "default behavior"
file = "HOME/tests/java/SideEffects.java"
line = 38
begin = 9
end = 11

[JC_77]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 25
end = 31

[JC_49]
file = "HOME/tests/java/SideEffects.java"
line = 36
begin = 17
end = 30

[JC_1]
file = "HOME/tests/java/SideEffects.jc"
line = 13
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/SideEffects.jc"
line = 57
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 25
end = 31

[JC_89]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 25
end = 34

[JC_66]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 25
end = 34

[JC_59]
kind = PointerDeref
file = "HOME/tests/java/SideEffects.jc"
line = 75
begin = 17
end = 46

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_SideEffects_safety]
name = "Constructor of class SideEffects"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/SideEffects.jc"
line = 13
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 12
end = 57

[JC_86]
file = "HOME/tests/java/SideEffects.java"
line = 45
begin = 51
end = 57

[JC_60]
file = "HOME/tests/java/SideEffects.java"
line = 43
begin = 12
end = 21

[JC_72]
file = "HOME/tests/java/SideEffects.java"
line = 47
begin = 25
end = 34

[JC_19]
file = "HOME/tests/java/SideEffects.jc"
line = 48
begin = 8
end = 30

[JC_76]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 21

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/SideEffects.java"
line = 41
begin = 12
end = 31

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/SideEffects.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic SideEffects_tag:  -> Object tag_id

axiom SideEffects_parenttag_Object : parenttag(SideEffects_tag, Object_tag)

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_SideEffects(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_SideEffects(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_SideEffects(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_SideEffects(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

parameter intM_intP : (Object, int) memory ref

parameter SideEffects_m1 :
 this_0:Object pointer ->
  t:Object pointer ->
   { } unit reads Object_alloc_table,intM_intP writes intM_intP { true }

parameter SideEffects_m1_requires :
 this_0:Object pointer ->
  t:Object pointer ->
   { (JC_47: gt_int(add_int(offset_max(Object_alloc_table, t), (1)), (10)))}
   unit reads Object_alloc_table,intM_intP writes intM_intP { true }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_SideEffects :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_SideEffects(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, SideEffects_tag)))) }

parameter alloc_struct_SideEffects_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_SideEffects(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, SideEffects_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_SideEffects :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_SideEffects_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

let SideEffects_m1_ensures_default =
 fun (this_0 : Object pointer) (t : Object pointer) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_SideEffects(this_0, (0), (0), Object_alloc_table)
        and (JC_49:
            gt_int(add_int(offset_max(Object_alloc_table, t), (1)), (10))))) }
  (init:
  try
   begin
     (let i = ref (K_36: (0)) in
     (K_3:
     begin
       (let _jessie_ =
       (let _jessie_ = (1) in
       (let _jessie_ = t in
       (let _jessie_ =
       (K_2:
       (let _jessie_ = !i in
       begin
         (let _jessie_ = (i := ((add_int _jessie_) (1))) in void);
        _jessie_ end)) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
      (K_7:
      begin
        (assert
        { (JC_78:
          ((JC_76: (select(intM_intP, shift(t, (0))) = (1)))
          and (JC_77: (i = (1))))) }; void);
       (K_9:
       begin
         (let _jessie_ =
         (let _jessie_ = (2) in
         (let _jessie_ = t in
         (let _jessie_ =
         (K_8: begin   (i := ((add_int !i) (1))); !i end) in
         (let _jessie_ = ((shift _jessie_) _jessie_) in
         (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
        (K_15:
        begin
          (assert
          { (JC_82:
            ((JC_79: (select(intM_intP, shift(t, (0))) = (1)))
            and ((JC_80: (select(intM_intP, shift(t, (2))) = (2)))
                and (JC_81: (i = (2)))))) }; void);
         (K_17:
         begin
           (let _jessie_ =
           (let _jessie_ = (3) in
           (let _jessie_ = t in
           (let _jessie_ =
           (K_16: begin   (i := ((sub_int !i) (1))); !i end) in
           (let _jessie_ = ((shift _jessie_) _jessie_) in
           (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
          (K_25:
          begin
            (assert
            { (JC_87:
              ((JC_83: (select(intM_intP, shift(t, (0))) = (1)))
              and ((JC_84: (select(intM_intP, shift(t, (2))) = (2)))
                  and ((JC_85: (select(intM_intP, shift(t, (1))) = (3)))
                      and (JC_86: (i = (1))))))) }; void);
           (K_27:
           begin
             (let _jessie_ =
             (let _jessie_ = (4) in
             (let _jessie_ = t in
             (let _jessie_ =
             (K_26:
             (let _jessie_ = !i in
             begin
               (let _jessie_ = (i := ((sub_int _jessie_) (1))) in void);
              _jessie_ end)) in
             (let _jessie_ = ((shift _jessie_) _jessie_) in
             (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
            (K_35:
            (assert
            { (JC_92:
              ((JC_88: (select(intM_intP, shift(t, (0))) = (1)))
              and ((JC_89: (select(intM_intP, shift(t, (2))) = (2)))
                  and ((JC_90: (select(intM_intP, shift(t, (1))) = (4)))
                      and (JC_91: (i = (0))))))) }; void)) end) end) end) end)
       end) end) end)); (raise Return) end with Return -> void end)
  { (JC_51: true) }

let SideEffects_m1_safety =
 fun (this_0 : Object pointer) (t : Object pointer) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_SideEffects(this_0, (0), (0), Object_alloc_table)
        and (JC_49:
            gt_int(add_int(offset_max(Object_alloc_table, t), (1)), (10))))) }
  (init:
  try
   begin
     (let i = ref (K_36: (0)) in
     (K_3:
     begin
       (let _jessie_ =
       (let _jessie_ = (1) in
       (let _jessie_ = t in
       (let _jessie_ =
       (K_2:
       (let _jessie_ = !i in
       begin
         (let _jessie_ = (i := ((add_int _jessie_) (1))) in void);
        _jessie_ end)) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_55:
       (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
       void);
      (K_7:
      begin
        [ { } unit reads i,intM_intP
          { (JC_58:
            ((JC_56: (select(intM_intP, shift(t, (0))) = (1)))
            and (JC_57: (i = (1))))) } ];
       (K_9:
       begin
         (let _jessie_ =
         (let _jessie_ = (2) in
         (let _jessie_ = t in
         (let _jessie_ =
         (K_8: begin   (i := ((add_int !i) (1))); !i end) in
         (let _jessie_ = ((shift _jessie_) _jessie_) in
         (JC_59:
         (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
         void);
        (K_15:
        begin
          [ { } unit reads i,intM_intP
            { (JC_63:
              ((JC_60: (select(intM_intP, shift(t, (0))) = (1)))
              and ((JC_61: (select(intM_intP, shift(t, (2))) = (2)))
                  and (JC_62: (i = (2)))))) } ];
         (K_17:
         begin
           (let _jessie_ =
           (let _jessie_ = (3) in
           (let _jessie_ = t in
           (let _jessie_ =
           (K_16: begin   (i := ((sub_int !i) (1))); !i end) in
           (let _jessie_ = ((shift _jessie_) _jessie_) in
           (JC_64:
           (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
           void);
          (K_25:
          begin
            [ { } unit reads i,intM_intP
              { (JC_69:
                ((JC_65: (select(intM_intP, shift(t, (0))) = (1)))
                and ((JC_66: (select(intM_intP, shift(t, (2))) = (2)))
                    and ((JC_67: (select(intM_intP, shift(t, (1))) = (3)))
                        and (JC_68: (i = (1))))))) } ];
           (K_27:
           begin
             (let _jessie_ =
             (let _jessie_ = (4) in
             (let _jessie_ = t in
             (let _jessie_ =
             (K_26:
             (let _jessie_ = !i in
             begin
               (let _jessie_ = (i := ((sub_int _jessie_) (1))) in void);
              _jessie_ end)) in
             (let _jessie_ = ((shift _jessie_) _jessie_) in
             (JC_70:
             (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
             void);
            (K_35:
            [ { } unit reads i,intM_intP
              { (JC_75:
                ((JC_71: (select(intM_intP, shift(t, (0))) = (1)))
                and ((JC_72: (select(intM_intP, shift(t, (2))) = (2)))
                    and ((JC_73: (select(intM_intP, shift(t, (1))) = (4)))
                        and (JC_74: (i = (0))))))) } ]) end) end) end) end)
       end) end) end)); (raise Return) end with Return -> void end) { true }

let cons_SideEffects_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_SideEffects(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_43: true) }

let cons_SideEffects_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_SideEffects(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/SideEffects.why
========== file tests/java/why/SideEffects.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/SideEffects_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic SideEffects_tag : Object tag_id

axiom SideEffects_parenttag_Object: parenttag(SideEffects_tag, Object_tag)

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_SideEffects(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_SideEffects(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_SideEffects(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_SideEffects(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/SideEffects_po1.why ==========
goal SideEffects_m1_ensures_default_po_1:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78": ("JC_76": (select(intM_intP0, shift(t, 0)) = 1)))

========== file tests/java/why/SideEffects_po10.why ==========
goal SideEffects_m1_ensures_default_po_10:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87":
  (("JC_83": (select(intM_intP2, shift(t, 0)) = 1)) and
   (("JC_84": (select(intM_intP2, shift(t, 2)) = 2)) and
    (("JC_85": (select(intM_intP2, shift(t, 1)) = 3)) and ("JC_86": (i1 = 1)))))) ->
  forall i2:int.
  (i2 = (i1 - 1)) ->
  forall intM_intP3:(Object,
  int) memory.
  (intM_intP3 = store(intM_intP2, shift(t, i1), 4)) ->
  ("JC_92": ("JC_88": (select(intM_intP3, shift(t, 0)) = 1)))

========== file tests/java/why/SideEffects_po11.why ==========
goal SideEffects_m1_ensures_default_po_11:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87":
  (("JC_83": (select(intM_intP2, shift(t, 0)) = 1)) and
   (("JC_84": (select(intM_intP2, shift(t, 2)) = 2)) and
    (("JC_85": (select(intM_intP2, shift(t, 1)) = 3)) and ("JC_86": (i1 = 1)))))) ->
  forall i2:int.
  (i2 = (i1 - 1)) ->
  forall intM_intP3:(Object,
  int) memory.
  (intM_intP3 = store(intM_intP2, shift(t, i1), 4)) ->
  ("JC_92": ("JC_89": (select(intM_intP3, shift(t, 2)) = 2)))

========== file tests/java/why/SideEffects_po12.why ==========
goal SideEffects_m1_ensures_default_po_12:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87":
  (("JC_83": (select(intM_intP2, shift(t, 0)) = 1)) and
   (("JC_84": (select(intM_intP2, shift(t, 2)) = 2)) and
    (("JC_85": (select(intM_intP2, shift(t, 1)) = 3)) and ("JC_86": (i1 = 1)))))) ->
  forall i2:int.
  (i2 = (i1 - 1)) ->
  forall intM_intP3:(Object,
  int) memory.
  (intM_intP3 = store(intM_intP2, shift(t, i1), 4)) ->
  ("JC_92": ("JC_90": (select(intM_intP3, shift(t, 1)) = 4)))

========== file tests/java/why/SideEffects_po13.why ==========
goal SideEffects_m1_ensures_default_po_13:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87":
  (("JC_83": (select(intM_intP2, shift(t, 0)) = 1)) and
   (("JC_84": (select(intM_intP2, shift(t, 2)) = 2)) and
    (("JC_85": (select(intM_intP2, shift(t, 1)) = 3)) and ("JC_86": (i1 = 1)))))) ->
  forall i2:int.
  (i2 = (i1 - 1)) ->
  forall intM_intP3:(Object,
  int) memory.
  (intM_intP3 = store(intM_intP2, shift(t, i1), 4)) ->
  ("JC_92": ("JC_91": (i2 = 0)))

========== file tests/java/why/SideEffects_po14.why ==========
goal SideEffects_m1_safety_po_1:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  (offset_min(Object_alloc_table, t) <= 0)

========== file tests/java/why/SideEffects_po15.why ==========
goal SideEffects_m1_safety_po_2:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  (0 <= offset_max(Object_alloc_table, t))

========== file tests/java/why/SideEffects_po16.why ==========
goal SideEffects_m1_safety_po_3:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  ((offset_min(Object_alloc_table, t) <= 0) and
   (0 <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_58":
  (("JC_56": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_57": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  (offset_min(Object_alloc_table, t) <= i0)

========== file tests/java/why/SideEffects_po17.why ==========
goal SideEffects_m1_safety_po_4:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  ((offset_min(Object_alloc_table, t) <= 0) and
   (0 <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_58":
  (("JC_56": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_57": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  (i0 <= offset_max(Object_alloc_table, t))

========== file tests/java/why/SideEffects_po18.why ==========
goal SideEffects_m1_safety_po_5:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  ((offset_min(Object_alloc_table, t) <= 0) and
   (0 <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_58":
  (("JC_56": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_57": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ((offset_min(Object_alloc_table, t) <= i0) and
   (i0 <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_63":
  (("JC_60": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_61": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_62": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  (offset_min(Object_alloc_table, t) <= i1)

========== file tests/java/why/SideEffects_po19.why ==========
goal SideEffects_m1_safety_po_6:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  ((offset_min(Object_alloc_table, t) <= 0) and
   (0 <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_58":
  (("JC_56": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_57": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ((offset_min(Object_alloc_table, t) <= i0) and
   (i0 <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_63":
  (("JC_60": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_61": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_62": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  (i1 <= offset_max(Object_alloc_table, t))

========== file tests/java/why/SideEffects_po2.why ==========
goal SideEffects_m1_ensures_default_po_2:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78": ("JC_77": (i = 1)))

========== file tests/java/why/SideEffects_po3.why ==========
goal SideEffects_m1_ensures_default_po_3:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82": ("JC_79": (select(intM_intP1, shift(t, 0)) = 1)))

========== file tests/java/why/SideEffects_po4.why ==========
goal SideEffects_m1_ensures_default_po_4:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82": ("JC_80": (select(intM_intP1, shift(t, 2)) = 2)))

========== file tests/java/why/SideEffects_po5.why ==========
goal SideEffects_m1_ensures_default_po_5:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82": ("JC_81": (i0 = 2)))

========== file tests/java/why/SideEffects_po6.why ==========
goal SideEffects_m1_ensures_default_po_6:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87": ("JC_83": (select(intM_intP2, shift(t, 0)) = 1)))

========== file tests/java/why/SideEffects_po7.why ==========
goal SideEffects_m1_ensures_default_po_7:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87": ("JC_84": (select(intM_intP2, shift(t, 2)) = 2)))

========== file tests/java/why/SideEffects_po8.why ==========
goal SideEffects_m1_ensures_default_po_8:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87": ("JC_85": (select(intM_intP2, shift(t, 1)) = 3)))

========== file tests/java/why/SideEffects_po9.why ==========
goal SideEffects_m1_ensures_default_po_9:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87": ("JC_86": (i1 = 1)))

========== generation of Simplify VC output ==========
why -simplify [...] why/SideEffects.why
========== file tests/java/simplify/SideEffects_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom SideEffects_parenttag_Object
 (EQ (parenttag SideEffects_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_SideEffects p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_SideEffects p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_SideEffects p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_SideEffects p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; SideEffects_m1_ensures_default_po_1, File "HOME/tests/java/SideEffects.java", line 41, characters 12-21
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(EQ (select intM_intP0 (shift t 0)) 1))))))))))

;; SideEffects_m1_ensures_default_po_2, File "HOME/tests/java/SideEffects.java", line 41, characters 25-31
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1)) (EQ i 1))))))))))

;; SideEffects_m1_ensures_default_po_3, File "HOME/tests/java/SideEffects.java", line 43, characters 12-21
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2))
(EQ (select intM_intP1 (shift t 0)) 1)))))))))))))))

;; SideEffects_m1_ensures_default_po_4, File "HOME/tests/java/SideEffects.java", line 43, characters 25-34
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2))
(EQ (select intM_intP1 (shift t 2)) 2)))))))))))))))

;; SideEffects_m1_ensures_default_po_5, File "HOME/tests/java/SideEffects.java", line 43, characters 38-44
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2)) (EQ i0 2)))))))))))))))

;; SideEffects_m1_ensures_default_po_6, File "HOME/tests/java/SideEffects.java", line 45, characters 12-21
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2))
(IMPLIES (AND (EQ (select intM_intP1 (shift t 0)) 1)
         (AND (EQ (select intM_intP1 (shift t 2)) 2) (EQ i0 2)))
(FORALL (i1)
(IMPLIES (EQ i1 (- i0 1))
(FORALL (intM_intP2)
(IMPLIES (EQ intM_intP2 (|why__store| intM_intP1 (shift t i1) 3))
(EQ (select intM_intP2 (shift t 0)) 1))))))))))))))))))))

;; SideEffects_m1_ensures_default_po_7, File "HOME/tests/java/SideEffects.java", line 45, characters 25-34
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2))
(IMPLIES (AND (EQ (select intM_intP1 (shift t 0)) 1)
         (AND (EQ (select intM_intP1 (shift t 2)) 2) (EQ i0 2)))
(FORALL (i1)
(IMPLIES (EQ i1 (- i0 1))
(FORALL (intM_intP2)
(IMPLIES (EQ intM_intP2 (|why__store| intM_intP1 (shift t i1) 3))
(EQ (select intM_intP2 (shift t 2)) 2))))))))))))))))))))

;; SideEffects_m1_ensures_default_po_8, File "HOME/tests/java/SideEffects.java", line 45, characters 38-47
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2))
(IMPLIES (AND (EQ (select intM_intP1 (shift t 0)) 1)
         (AND (EQ (select intM_intP1 (shift t 2)) 2) (EQ i0 2)))
(FORALL (i1)
(IMPLIES (EQ i1 (- i0 1))
(FORALL (intM_intP2)
(IMPLIES (EQ intM_intP2 (|why__store| intM_intP1 (shift t i1) 3))
(EQ (select intM_intP2 (shift t 1)) 3))))))))))))))))))))

;; SideEffects_m1_ensures_default_po_9, File "HOME/tests/java/SideEffects.java", line 45, characters 51-57
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2))
(IMPLIES (AND (EQ (select intM_intP1 (shift t 0)) 1)
         (AND (EQ (select intM_intP1 (shift t 2)) 2) (EQ i0 2)))
(FORALL (i1)
(IMPLIES (EQ i1 (- i0 1))
(FORALL (intM_intP2)
(IMPLIES (EQ intM_intP2 (|why__store| intM_intP1 (shift t i1) 3)) (EQ i1 1))))))))))))))))))))

;; SideEffects_m1_ensures_default_po_10, File "HOME/tests/java/SideEffects.java", line 47, characters 12-21
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2))
(IMPLIES (AND (EQ (select intM_intP1 (shift t 0)) 1)
         (AND (EQ (select intM_intP1 (shift t 2)) 2) (EQ i0 2)))
(FORALL (i1)
(IMPLIES (EQ i1 (- i0 1))
(FORALL (intM_intP2)
(IMPLIES (EQ intM_intP2 (|why__store| intM_intP1 (shift t i1) 3))
(IMPLIES (AND (EQ (select intM_intP2 (shift t 0)) 1)
         (AND (EQ (select intM_intP2 (shift t 2)) 2)
         (AND (EQ (select intM_intP2 (shift t 1)) 3) (EQ i1 1))))
(FORALL (i2)
(IMPLIES (EQ i2 (- i1 1))
(FORALL (intM_intP3)
(IMPLIES (EQ intM_intP3 (|why__store| intM_intP2 (shift t i1) 4))
(EQ (select intM_intP3 (shift t 0)) 1)))))))))))))))))))))))))

;; SideEffects_m1_ensures_default_po_11, File "HOME/tests/java/SideEffects.java", line 47, characters 25-34
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2))
(IMPLIES (AND (EQ (select intM_intP1 (shift t 0)) 1)
         (AND (EQ (select intM_intP1 (shift t 2)) 2) (EQ i0 2)))
(FORALL (i1)
(IMPLIES (EQ i1 (- i0 1))
(FORALL (intM_intP2)
(IMPLIES (EQ intM_intP2 (|why__store| intM_intP1 (shift t i1) 3))
(IMPLIES (AND (EQ (select intM_intP2 (shift t 0)) 1)
         (AND (EQ (select intM_intP2 (shift t 2)) 2)
         (AND (EQ (select intM_intP2 (shift t 1)) 3) (EQ i1 1))))
(FORALL (i2)
(IMPLIES (EQ i2 (- i1 1))
(FORALL (intM_intP3)
(IMPLIES (EQ intM_intP3 (|why__store| intM_intP2 (shift t i1) 4))
(EQ (select intM_intP3 (shift t 2)) 2)))))))))))))))))))))))))

;; SideEffects_m1_ensures_default_po_12, File "HOME/tests/java/SideEffects.java", line 47, characters 38-47
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2))
(IMPLIES (AND (EQ (select intM_intP1 (shift t 0)) 1)
         (AND (EQ (select intM_intP1 (shift t 2)) 2) (EQ i0 2)))
(FORALL (i1)
(IMPLIES (EQ i1 (- i0 1))
(FORALL (intM_intP2)
(IMPLIES (EQ intM_intP2 (|why__store| intM_intP1 (shift t i1) 3))
(IMPLIES (AND (EQ (select intM_intP2 (shift t 0)) 1)
         (AND (EQ (select intM_intP2 (shift t 2)) 2)
         (AND (EQ (select intM_intP2 (shift t 1)) 3) (EQ i1 1))))
(FORALL (i2)
(IMPLIES (EQ i2 (- i1 1))
(FORALL (intM_intP3)
(IMPLIES (EQ intM_intP3 (|why__store| intM_intP2 (shift t i1) 4))
(EQ (select intM_intP3 (shift t 1)) 4)))))))))))))))))))))))))

;; SideEffects_m1_ensures_default_po_13, File "HOME/tests/java/SideEffects.java", line 47, characters 51-57
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2))
(IMPLIES (AND (EQ (select intM_intP1 (shift t 0)) 1)
         (AND (EQ (select intM_intP1 (shift t 2)) 2) (EQ i0 2)))
(FORALL (i1)
(IMPLIES (EQ i1 (- i0 1))
(FORALL (intM_intP2)
(IMPLIES (EQ intM_intP2 (|why__store| intM_intP1 (shift t i1) 3))
(IMPLIES (AND (EQ (select intM_intP2 (shift t 0)) 1)
         (AND (EQ (select intM_intP2 (shift t 2)) 2)
         (AND (EQ (select intM_intP2 (shift t 1)) 3) (EQ i1 1))))
(FORALL (i2)
(IMPLIES (EQ i2 (- i1 1))
(FORALL (intM_intP3)
(IMPLIES (EQ intM_intP3 (|why__store| intM_intP2 (shift t i1) 4)) (EQ i2 0)))))))))))))))))))))))))

;; SideEffects_m1_safety_po_1, File "HOME/tests/java/SideEffects.jc", line 72, characters 17-46
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1)) (<= (offset_min Object_alloc_table t) 0)))))))

;; SideEffects_m1_safety_po_2, File "HOME/tests/java/SideEffects.jc", line 72, characters 17-46
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1)) (<= 0 (offset_max Object_alloc_table t))))))))

;; SideEffects_m1_safety_po_3, File "HOME/tests/java/SideEffects.jc", line 75, characters 17-46
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) 0)
         (<= 0 (offset_max Object_alloc_table t)))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1)) (<= (offset_min Object_alloc_table t) i0))))))))))))))

;; SideEffects_m1_safety_po_4, File "HOME/tests/java/SideEffects.jc", line 75, characters 17-46
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) 0)
         (<= 0 (offset_max Object_alloc_table t)))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1)) (<= i0 (offset_max Object_alloc_table t)))))))))))))))

;; SideEffects_m1_safety_po_5, File "HOME/tests/java/SideEffects.jc", line 80, characters 18-48
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) 0)
         (<= 0 (offset_max Object_alloc_table t)))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) i0)
         (<= i0 (offset_max Object_alloc_table t)))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2))
(IMPLIES (AND (EQ (select intM_intP1 (shift t 0)) 1)
         (AND (EQ (select intM_intP1 (shift t 2)) 2) (EQ i0 2)))
(FORALL (i1)
(IMPLIES (EQ i1 (- i0 1)) (<= (offset_min Object_alloc_table t) i1))))))))))))))))))))

;; SideEffects_m1_safety_po_6, File "HOME/tests/java/SideEffects.jc", line 80, characters 18-48
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SideEffects this_0 0 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table t) 1) 10)))
(FORALL (i)
(IMPLIES (EQ i (+ 0 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) 0)
         (<= 0 (offset_max Object_alloc_table t)))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 0) 1))
(IMPLIES (AND (EQ (select intM_intP0 (shift t 0)) 1) (EQ i 1))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) i0)
         (<= i0 (offset_max Object_alloc_table t)))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i0) 2))
(IMPLIES (AND (EQ (select intM_intP1 (shift t 0)) 1)
         (AND (EQ (select intM_intP1 (shift t 2)) 2) (EQ i0 2)))
(FORALL (i1)
(IMPLIES (EQ i1 (- i0 1)) (<= i1 (offset_max Object_alloc_table t)))))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/SideEffects_why.sx   : ................... (19/0/0/0/0)
total   :  19
valid   :  19 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/SideEffects.why
========== file tests/java/why/SideEffects_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic SideEffects_tag : Object tag_id

axiom SideEffects_parenttag_Object: parenttag(SideEffects_tag, Object_tag)

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_SideEffects(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_SideEffects(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_SideEffects(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_SideEffects(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal SideEffects_m1_ensures_default_po_1:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78": ("JC_76": (select(intM_intP0, shift(t, 0)) = 1)))

goal SideEffects_m1_ensures_default_po_2:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78": ("JC_77": (i = 1)))

goal SideEffects_m1_ensures_default_po_3:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82": ("JC_79": (select(intM_intP1, shift(t, 0)) = 1)))

goal SideEffects_m1_ensures_default_po_4:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82": ("JC_80": (select(intM_intP1, shift(t, 2)) = 2)))

goal SideEffects_m1_ensures_default_po_5:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82": ("JC_81": (i0 = 2)))

goal SideEffects_m1_ensures_default_po_6:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87": ("JC_83": (select(intM_intP2, shift(t, 0)) = 1)))

goal SideEffects_m1_ensures_default_po_7:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87": ("JC_84": (select(intM_intP2, shift(t, 2)) = 2)))

goal SideEffects_m1_ensures_default_po_8:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87": ("JC_85": (select(intM_intP2, shift(t, 1)) = 3)))

goal SideEffects_m1_ensures_default_po_9:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87": ("JC_86": (i1 = 1)))

goal SideEffects_m1_ensures_default_po_10:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87":
  (("JC_83": (select(intM_intP2, shift(t, 0)) = 1)) and
   (("JC_84": (select(intM_intP2, shift(t, 2)) = 2)) and
    (("JC_85": (select(intM_intP2, shift(t, 1)) = 3)) and ("JC_86": (i1 = 1)))))) ->
  forall i2:int.
  (i2 = (i1 - 1)) ->
  forall intM_intP3:(Object,
  int) memory.
  (intM_intP3 = store(intM_intP2, shift(t, i1), 4)) ->
  ("JC_92": ("JC_88": (select(intM_intP3, shift(t, 0)) = 1)))

goal SideEffects_m1_ensures_default_po_11:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87":
  (("JC_83": (select(intM_intP2, shift(t, 0)) = 1)) and
   (("JC_84": (select(intM_intP2, shift(t, 2)) = 2)) and
    (("JC_85": (select(intM_intP2, shift(t, 1)) = 3)) and ("JC_86": (i1 = 1)))))) ->
  forall i2:int.
  (i2 = (i1 - 1)) ->
  forall intM_intP3:(Object,
  int) memory.
  (intM_intP3 = store(intM_intP2, shift(t, i1), 4)) ->
  ("JC_92": ("JC_89": (select(intM_intP3, shift(t, 2)) = 2)))

goal SideEffects_m1_ensures_default_po_12:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87":
  (("JC_83": (select(intM_intP2, shift(t, 0)) = 1)) and
   (("JC_84": (select(intM_intP2, shift(t, 2)) = 2)) and
    (("JC_85": (select(intM_intP2, shift(t, 1)) = 3)) and ("JC_86": (i1 = 1)))))) ->
  forall i2:int.
  (i2 = (i1 - 1)) ->
  forall intM_intP3:(Object,
  int) memory.
  (intM_intP3 = store(intM_intP2, shift(t, i1), 4)) ->
  ("JC_92": ("JC_90": (select(intM_intP3, shift(t, 1)) = 4)))

goal SideEffects_m1_ensures_default_po_13:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_78":
  (("JC_76": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_77": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_82":
  (("JC_79": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_80": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_81": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  forall intM_intP2:(Object,
  int) memory.
  (intM_intP2 = store(intM_intP1, shift(t, i1), 3)) ->
  ("JC_87":
  (("JC_83": (select(intM_intP2, shift(t, 0)) = 1)) and
   (("JC_84": (select(intM_intP2, shift(t, 2)) = 2)) and
    (("JC_85": (select(intM_intP2, shift(t, 1)) = 3)) and ("JC_86": (i1 = 1)))))) ->
  forall i2:int.
  (i2 = (i1 - 1)) ->
  forall intM_intP3:(Object,
  int) memory.
  (intM_intP3 = store(intM_intP2, shift(t, i1), 4)) ->
  ("JC_92": ("JC_91": (i2 = 0)))

goal SideEffects_m1_safety_po_1:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  (offset_min(Object_alloc_table, t) <= 0)

goal SideEffects_m1_safety_po_2:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  (0 <= offset_max(Object_alloc_table, t))

goal SideEffects_m1_safety_po_3:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  ((offset_min(Object_alloc_table, t) <= 0) and
   (0 <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_58":
  (("JC_56": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_57": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  (offset_min(Object_alloc_table, t) <= i0)

goal SideEffects_m1_safety_po_4:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  ((offset_min(Object_alloc_table, t) <= 0) and
   (0 <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_58":
  (("JC_56": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_57": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  (i0 <= offset_max(Object_alloc_table, t))

goal SideEffects_m1_safety_po_5:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  ((offset_min(Object_alloc_table, t) <= 0) and
   (0 <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_58":
  (("JC_56": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_57": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ((offset_min(Object_alloc_table, t) <= i0) and
   (i0 <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_63":
  (("JC_60": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_61": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_62": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  (offset_min(Object_alloc_table, t) <= i1)

goal SideEffects_m1_safety_po_6:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SideEffects(this_0, 0, 0, Object_alloc_table) and
    ("JC_49": ((offset_max(Object_alloc_table, t) + 1) > 10)))) ->
  forall i:int.
  (i = (0 + 1)) ->
  ((offset_min(Object_alloc_table, t) <= 0) and
   (0 <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, 0), 1)) ->
  ("JC_58":
  (("JC_56": (select(intM_intP0, shift(t, 0)) = 1)) and ("JC_57": (i = 1)))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ((offset_min(Object_alloc_table, t) <= i0) and
   (i0 <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i0), 2)) ->
  ("JC_63":
  (("JC_60": (select(intM_intP1, shift(t, 0)) = 1)) and
   (("JC_61": (select(intM_intP1, shift(t, 2)) = 2)) and ("JC_62": (i0 = 2))))) ->
  forall i1:int.
  (i1 = (i0 - 1)) ->
  (i1 <= offset_max(Object_alloc_table, t))

why-2.34/tests/java/oracle/MacCarthy.res.oracle0000644000175000017500000053007412311670312020010 0ustar  rtusers========== file tests/java/MacCarthy.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


/* McCarthy's ``91'' function. */

public class MacCarthy {

    /*@ decreases 101-n ;
      @ behavior less_than_101:
      @   assumes n <= 100;
      @   ensures \result == 91;
      @ behavior greater_than_100:
      @   assumes n >= 101;
      @   ensures \result == n - 10;
      @*/
    public static int f91(int n) {
	if (n <= 100) {
	    return f91(f91(n + 11));
	}
	else
	    return n - 10;
    }

}

/*
Local Variables:
compile-command: "make MacCarthy.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_MacCarthy for constructor MacCarthy
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long for method Object.wait
Generating JC function Object_equals for method Object.equals
Generating JC function Object_clone for method Object.clone
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function MacCarthy_f91 for method MacCarthy.f91
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_hashCode for method Object.hashCode
Done.
========== file tests/java/MacCarthy.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag MacCarthy = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_MacCarthy(! MacCarthy[0] this_1){()}

String[0..] Object_toString(Object[0] this_2)
;

unit Object_wait_long(Object[0] this_3, long timeout)
;

boolean Object_equals(Object[0] this_4, Object[0..] obj)
;

Object[0..] Object_clone(Object[0] this_5)
;

unit Object_finalize(Object[0] this_6)
;

unit Object_notifyAll(Object[0] this_7)
;

unit Object_wait_long_int(Object[0] this_8, long timeout_0, int32 nanos)
;

unit Object_registerNatives()
;

int32 MacCarthy_f91(int32 n)
  decreases (K_3 : (101 - n));
behavior less_than_101:
  assumes (n <= 100);
  ensures (K_1 : (\result == 91));
behavior greater_than_100:
  assumes (n >= 101);
  ensures (K_2 : (\result == (n - 10)));
{  (if (K_8 : (n <= 100)) then 
   (return (K_7 : MacCarthy_f91((K_6 : MacCarthy_f91((K_5 : ((n + 11) :> int32))))))) else 
   (return (K_4 : ((n - 10) :> int32))))
}

unit Object_notify(Object[0] this_9)
;

unit Object_wait(Object[0] this_10)
;

unit cons_Object(! Object[0] this_12){()}

int32 Object_hashCode(Object[0] this_11)
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/MacCarthy.jloc tests/java/MacCarthy.jc && make -f tests/java/MacCarthy.makefile gui"
End:
*/
========== file tests/java/MacCarthy.jloc ==========
[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/MacCarthy.java"
line = 40
begin = 18
end = 31

[MacCarthy_f91]
name = "Method f91"
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[K_4]
file = "HOME/tests/java/MacCarthy.java"
line = 50
begin = 12
end = 18

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_2]
file = "HOME/tests/java/MacCarthy.java"
line = 43
begin = 18
end = 35

[K_6]
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 16
end = 27

[K_8]
file = "HOME/tests/java/MacCarthy.java"
line = 46
begin = 5
end = 13

[K_3]
file = "HOME/tests/java/MacCarthy.java"
line = 37
begin = 18
end = 23

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[cons_MacCarthy]
name = "Constructor of class MacCarthy"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_5]
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 20
end = 26

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 12
end = 28

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

========== jessie execution ==========
Generating Why function cons_MacCarthy
Generating Why function MacCarthy_f91
Generating Why function cons_Object
========== file tests/java/MacCarthy.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs MacCarthy.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs MacCarthy.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/MacCarthy_why.sx

project: why/MacCarthy.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/MacCarthy_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/MacCarthy_why.vo

coq/MacCarthy_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/MacCarthy_why.v: why/MacCarthy.why
	@echo 'why -coq [...] why/MacCarthy.why' && $(WHY) $(JESSIELIBFILES) why/MacCarthy.why && rm -f coq/jessie_why.v

coq-goals: goals coq/MacCarthy_ctx_why.vo
	for f in why/*_po*.why; do make -f MacCarthy.makefile coq/`basename $$f .why`_why.v ; done

coq/MacCarthy_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/MacCarthy_ctx_why.v: why/MacCarthy_ctx.why
	@echo 'why -coq [...] why/MacCarthy_ctx.why' && $(WHY) why/MacCarthy_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export MacCarthy_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/MacCarthy_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/MacCarthy_ctx_why.vo

pvs: pvs/MacCarthy_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/MacCarthy_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/MacCarthy_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/MacCarthy_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/MacCarthy_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/MacCarthy_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/MacCarthy_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/MacCarthy_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/MacCarthy_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/MacCarthy_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/MacCarthy_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/MacCarthy_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/MacCarthy_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/MacCarthy_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/MacCarthy_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: MacCarthy.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/MacCarthy_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: MacCarthy.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: MacCarthy.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: MacCarthy.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include MacCarthy.depend

depend: coq/MacCarthy_why.v
	-$(COQDEP) -I coq coq/MacCarthy*_why.v > MacCarthy.depend

clean:
	rm -f coq/*.vo

========== file tests/java/MacCarthy.loc ==========
[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/tests/java/MacCarthy.java"
line = 37
begin = 18
end = 23

[cons_MacCarthy_safety]
name = "Constructor of class MacCarthy"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_113]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 16
end = 27

[JC_116]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 12
end = 28

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/tests/java/MacCarthy.java"
line = 40
begin = 18
end = 31

[JC_85]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[MacCarthy_f91_ensures_less_than_101]
name = "Method f91"
behavior = "Behavior `less_than_101'"
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/MacCarthy.jc"
line = 47
begin = 11
end = 65

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_9]
file = "HOME/tests/java/MacCarthy.jc"
line = 45
begin = 8
end = 23

[JC_75]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_MacCarthy_ensures_default]
name = "Constructor of class MacCarthy"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/MacCarthy.jc"
line = 45
begin = 8
end = 23

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 16
end = 27

[JC_91]
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
kind = ArithOverflow
file = "HOME/tests/java/MacCarthy.java"
line = 50
begin = 12
end = 18

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_35]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_115]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 16
end = 27

[JC_109]
file = "HOME/tests/java/MacCarthy.java"
line = 37
begin = 18
end = 23

[JC_107]
kind = VarDecr
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 16
end = 27

[JC_69]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[MacCarthy_f91_ensures_default]
name = "Method f91"
behavior = "default behavior"
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_101]
file = "HOME/tests/java/MacCarthy.java"
line = 43
begin = 18
end = 35

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/tests/java/MacCarthy.java"
line = 37
begin = 18
end = 23

[JC_103]
kind = ArithOverflow
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 20
end = 26

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 12
end = 28

[JC_105]
file = "HOME/tests/java/MacCarthy.java"
line = 37
begin = 18
end = 23

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 12
end = 28

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[MacCarthy_f91_ensures_greater_than_100]
name = "Method f91"
behavior = "Behavior `greater_than_100'"
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[JC_117]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 16
end = 27

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_145]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[MacCarthy_f91_safety]
name = "Method f91"
behavior = "Safety"
file = "HOME/tests/java/MacCarthy.java"
line = 45
begin = 22
end = 25

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
kind = VarDecr
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 12
end = 28

[JC_77]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/MacCarthy.jc"
line = 20
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/tests/java/MacCarthy.java"
line = 43
begin = 18
end = 35

[JC_37]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
kind = UserCall
file = "HOME/tests/java/MacCarthy.java"
line = 47
begin = 12
end = 28

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/MacCarthy.jc"
line = 47
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/MacCarthy.jc"
line = 20
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/tests/java/MacCarthy.java"
line = 40
begin = 18
end = 31

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/MacCarthy.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic MacCarthy_tag:  -> Object tag_id

axiom MacCarthy_parenttag_Object : parenttag(MacCarthy_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_MacCarthy(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_MacCarthy(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_MacCarthy(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_MacCarthy(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter MacCarthy_f91 :
 n:int32 ->
  { } int32
  { ((ge_int(integer_of_int32(n), (101)) ->
      (JC_102:
      (integer_of_int32(result) = sub_int(integer_of_int32(n), (10)))))
    and (le_int(integer_of_int32(n), (100)) ->
         (JC_100: (integer_of_int32(result) = (91))))) }

parameter MacCarthy_f91_requires :
 n:int32 ->
  { } int32
  { ((ge_int(integer_of_int32(n), (101)) ->
      (JC_102:
      (integer_of_int32(result) = sub_int(integer_of_int32(n), (10)))))
    and (le_int(integer_of_int32(n), (100)) ->
         (JC_100: (integer_of_int32(result) = (91))))) }

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_5:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_5:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_4:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_4:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_11:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_11:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_2:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_2:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_3:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_8:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_8:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_3:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_MacCarthy :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_MacCarthy(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, MacCarthy_tag)))) }

parameter alloc_struct_MacCarthy_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_MacCarthy(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, MacCarthy_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_MacCarthy :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_MacCarthy_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let MacCarthy_f91_ensures_default =
 fun (n : int32) ->
  { (JC_94: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (if (K_8: ((le_int_ (integer_of_int32 n)) (100)))
     then
      begin
        (return := (K_7:
                   (let _jessie_ =
                   (K_6:
                   (let _jessie_ =
                   (K_5:
                   (safe_int32_of_integer_ ((add_int (integer_of_int32 n)) (11)))) in
                   (JC_113: (MacCarthy_f91 _jessie_)))) in
                   (JC_114: (MacCarthy_f91 _jessie_))))); (raise Return) end
     else
      begin
        (return := (K_4:
                   (safe_int32_of_integer_ ((sub_int (integer_of_int32 n)) (10)))));
       (raise Return) end); absurd  end with Return -> !return end))
  { (JC_95: true) }

let MacCarthy_f91_ensures_greater_than_100 =
 fun (n : int32) ->
  { ge_int(integer_of_int32(n), (101)) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (if (K_8: ((le_int_ (integer_of_int32 n)) (100)))
     then
      begin
        (return := (K_7:
                   (let _jessie_ =
                   (K_6:
                   (let _jessie_ =
                   (K_5:
                   (safe_int32_of_integer_ ((add_int (integer_of_int32 n)) (11)))) in
                   (JC_117: (MacCarthy_f91 _jessie_)))) in
                   (JC_118: (MacCarthy_f91 _jessie_))))); (raise Return)
      end
     else
      begin
        (return := (K_4:
                   (safe_int32_of_integer_ ((sub_int (integer_of_int32 n)) (10)))));
       (raise Return) end); absurd  end with Return -> !return end))
  { (JC_101: (integer_of_int32(result) = sub_int(integer_of_int32(n), (10)))) }

let MacCarthy_f91_ensures_less_than_101 =
 fun (n : int32) ->
  { le_int(integer_of_int32(n), (100)) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (if (K_8: ((le_int_ (integer_of_int32 n)) (100)))
     then
      begin
        (return := (K_7:
                   (let _jessie_ =
                   (K_6:
                   (let _jessie_ =
                   (K_5:
                   (safe_int32_of_integer_ ((add_int (integer_of_int32 n)) (11)))) in
                   (JC_115: (MacCarthy_f91 _jessie_)))) in
                   (JC_116: (MacCarthy_f91 _jessie_))))); (raise Return)
      end
     else
      begin
        (return := (K_4:
                   (safe_int32_of_integer_ ((sub_int (integer_of_int32 n)) (10)))));
       (raise Return) end); absurd  end with Return -> !return end))
  { (JC_99: (integer_of_int32(result) = (91))) }

let MacCarthy_f91_safety =
 fun (n : int32) ->
  { (JC_94: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (if (K_8: ((le_int_ (integer_of_int32 n)) (100)))
     then
      begin
        (return := (K_7:
                   (let _jessie_ =
                   (K_6:
                   (let _jessie_ =
                   (K_5:
                   (JC_103:
                   (int32_of_integer_ ((add_int (integer_of_int32 n)) (11))))) in
                   (JC_107:
                   (check
                   { zwf_zero((JC_106 : sub_int((101),
                                        integer_of_int32(_jessie_))),
                     (JC_105 : sub_int((101), integer_of_int32(n)))) };
                   (JC_104: (MacCarthy_f91_requires _jessie_)))))) in
                   (JC_111:
                   (check
                   { zwf_zero((JC_110 : sub_int((101),
                                        integer_of_int32(_jessie_))),
                     (JC_109 : sub_int((101), integer_of_int32(n)))) };
                   (JC_108: (MacCarthy_f91_requires _jessie_)))))));
       (raise Return) end
     else
      begin
        (return := (K_4:
                   (JC_112:
                   (int32_of_integer_ ((sub_int (integer_of_int32 n)) (10))))));
       (raise Return) end); absurd  end with Return -> !return end)) 
  { true }

let cons_MacCarthy_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_MacCarthy(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_MacCarthy_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_MacCarthy(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Object_ensures_default =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_139: true) }

let cons_Object_safety =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/MacCarthy.why
========== file tests/java/why/MacCarthy.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  

========== file tests/java/why/MacCarthy_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic MacCarthy_tag : Object tag_id

axiom MacCarthy_parenttag_Object: parenttag(MacCarthy_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_MacCarthy(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_MacCarthy(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_MacCarthy(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_MacCarthy(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/MacCarthy_po1.why ==========
goal MacCarthy_f91_ensures_greater_than_100_po_1:
  forall n:int32.
  (integer_of_int32(n) >= 101) ->
  (integer_of_int32(n) <= 100) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) + 11)) ->
  forall result0:int32.
  (((integer_of_int32(result) >= 101) ->
    ("JC_102": (integer_of_int32(result0) = (integer_of_int32(result) - 10)))) and
   ((integer_of_int32(result) <= 100) ->
    ("JC_100": (integer_of_int32(result0) = 91)))) ->
  forall result1:int32.
  (((integer_of_int32(result0) >= 101) ->
    ("JC_102":
    (integer_of_int32(result1) = (integer_of_int32(result0) - 10)))) and
   ((integer_of_int32(result0) <= 100) ->
    ("JC_100": (integer_of_int32(result1) = 91)))) ->
  forall return:int32.
  (return = result1) ->
  ("JC_101": (integer_of_int32(return) = (integer_of_int32(n) - 10)))

========== file tests/java/why/MacCarthy_po10.why ==========
goal MacCarthy_f91_safety_po_6:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) <= 100) ->
  (((-2147483648) <= (integer_of_int32(n) + 11)) and
   ((integer_of_int32(n) + 11) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) + 11)) ->
  forall result0:int32.
  (((integer_of_int32(result) >= 101) ->
    ("JC_102": (integer_of_int32(result0) = (integer_of_int32(result) - 10)))) and
   ((integer_of_int32(result) <= 100) ->
    ("JC_100": (integer_of_int32(result0) = 91)))) ->
  (("JC_110": (101 - integer_of_int32(result0))) < ("JC_109":
                                                   (101 - integer_of_int32(n))))

========== file tests/java/why/MacCarthy_po11.why ==========
goal MacCarthy_f91_safety_po_7:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) > 100) ->
  ((-2147483648) <= (integer_of_int32(n) - 10))

========== file tests/java/why/MacCarthy_po12.why ==========
goal MacCarthy_f91_safety_po_8:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) > 100) ->
  ((integer_of_int32(n) - 10) <= 2147483647)

========== file tests/java/why/MacCarthy_po2.why ==========
goal MacCarthy_f91_ensures_greater_than_100_po_2:
  forall n:int32.
  (integer_of_int32(n) >= 101) ->
  (integer_of_int32(n) > 100) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) - 10)) ->
  forall return:int32.
  (return = result) ->
  ("JC_101": (integer_of_int32(return) = (integer_of_int32(n) - 10)))

========== file tests/java/why/MacCarthy_po3.why ==========
goal MacCarthy_f91_ensures_less_than_101_po_1:
  forall n:int32.
  (integer_of_int32(n) <= 100) ->
  (integer_of_int32(n) <= 100) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) + 11)) ->
  forall result0:int32.
  (((integer_of_int32(result) >= 101) ->
    ("JC_102": (integer_of_int32(result0) = (integer_of_int32(result) - 10)))) and
   ((integer_of_int32(result) <= 100) ->
    ("JC_100": (integer_of_int32(result0) = 91)))) ->
  forall result1:int32.
  (((integer_of_int32(result0) >= 101) ->
    ("JC_102":
    (integer_of_int32(result1) = (integer_of_int32(result0) - 10)))) and
   ((integer_of_int32(result0) <= 100) ->
    ("JC_100": (integer_of_int32(result1) = 91)))) ->
  forall return:int32.
  (return = result1) ->
  ("JC_99": (integer_of_int32(return) = 91))

========== file tests/java/why/MacCarthy_po4.why ==========
goal MacCarthy_f91_ensures_less_than_101_po_2:
  forall n:int32.
  (integer_of_int32(n) <= 100) ->
  (integer_of_int32(n) > 100) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) - 10)) ->
  forall return:int32.
  (return = result) ->
  ("JC_99": (integer_of_int32(return) = 91))

========== file tests/java/why/MacCarthy_po5.why ==========
goal MacCarthy_f91_safety_po_1:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) <= 100) ->
  ((-2147483648) <= (integer_of_int32(n) + 11))

========== file tests/java/why/MacCarthy_po6.why ==========
goal MacCarthy_f91_safety_po_2:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) <= 100) ->
  ((integer_of_int32(n) + 11) <= 2147483647)

========== file tests/java/why/MacCarthy_po7.why ==========
goal MacCarthy_f91_safety_po_3:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) <= 100) ->
  (((-2147483648) <= (integer_of_int32(n) + 11)) and
   ((integer_of_int32(n) + 11) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) + 11)) ->
  (0 <= ("JC_105": (101 - integer_of_int32(n))))

========== file tests/java/why/MacCarthy_po8.why ==========
goal MacCarthy_f91_safety_po_4:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) <= 100) ->
  (((-2147483648) <= (integer_of_int32(n) + 11)) and
   ((integer_of_int32(n) + 11) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) + 11)) ->
  (("JC_106": (101 - integer_of_int32(result))) < ("JC_105":
                                                  (101 - integer_of_int32(n))))

========== file tests/java/why/MacCarthy_po9.why ==========
goal MacCarthy_f91_safety_po_5:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) <= 100) ->
  (((-2147483648) <= (integer_of_int32(n) + 11)) and
   ((integer_of_int32(n) + 11) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) + 11)) ->
  forall result0:int32.
  (((integer_of_int32(result) >= 101) ->
    ("JC_102": (integer_of_int32(result0) = (integer_of_int32(result) - 10)))) and
   ((integer_of_int32(result) <= 100) ->
    ("JC_100": (integer_of_int32(result0) = 91)))) ->
  (0 <= ("JC_109": (101 - integer_of_int32(n))))

========== generation of Simplify VC output ==========
why -simplify [...] why/MacCarthy.why
========== file tests/java/simplify/MacCarthy_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom MacCarthy_parenttag_Object
 (EQ (parenttag MacCarthy_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_MacCarthy p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_MacCarthy p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_MacCarthy p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_MacCarthy p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; MacCarthy_f91_ensures_greater_than_100_po_1, File "HOME/tests/java/MacCarthy.java", line 43, characters 18-35
(FORALL (n)
(IMPLIES (>= (integer_of_int32 n) 101)
(IMPLIES (<= (integer_of_int32 n) 100)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) (+ (integer_of_int32 n) 11))
(FORALL (result0)
(IMPLIES (AND
         (IMPLIES (>= (integer_of_int32 result) 101)
         (EQ (integer_of_int32 result0) (- (integer_of_int32 result) 10)))
         (IMPLIES (<= (integer_of_int32 result) 100)
         (EQ (integer_of_int32 result0) 91)))
(FORALL (result1)
(IMPLIES (AND
         (IMPLIES (>= (integer_of_int32 result0) 101)
         (EQ (integer_of_int32 result1) (- (integer_of_int32 result0) 10)))
         (IMPLIES (<= (integer_of_int32 result0) 100)
         (EQ (integer_of_int32 result1) 91)))
(FORALL (return)
(IMPLIES (EQ return result1)
(EQ (integer_of_int32 return) (- (integer_of_int32 n) 10)))))))))))))

;; MacCarthy_f91_ensures_greater_than_100_po_2, File "HOME/tests/java/MacCarthy.java", line 43, characters 18-35
(FORALL (n)
(IMPLIES (>= (integer_of_int32 n) 101)
(IMPLIES (> (integer_of_int32 n) 100)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) (- (integer_of_int32 n) 10))
(FORALL (return)
(IMPLIES (EQ return result)
(EQ (integer_of_int32 return) (- (integer_of_int32 n) 10)))))))))

;; MacCarthy_f91_ensures_less_than_101_po_1, File "HOME/tests/java/MacCarthy.java", line 40, characters 18-31
(FORALL (n)
(IMPLIES (<= (integer_of_int32 n) 100)
(IMPLIES (<= (integer_of_int32 n) 100)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) (+ (integer_of_int32 n) 11))
(FORALL (result0)
(IMPLIES (AND
         (IMPLIES (>= (integer_of_int32 result) 101)
         (EQ (integer_of_int32 result0) (- (integer_of_int32 result) 10)))
         (IMPLIES (<= (integer_of_int32 result) 100)
         (EQ (integer_of_int32 result0) 91)))
(FORALL (result1)
(IMPLIES (AND
         (IMPLIES (>= (integer_of_int32 result0) 101)
         (EQ (integer_of_int32 result1) (- (integer_of_int32 result0) 10)))
         (IMPLIES (<= (integer_of_int32 result0) 100)
         (EQ (integer_of_int32 result1) 91)))
(FORALL (return)
(IMPLIES (EQ return result1) (EQ (integer_of_int32 return) 91))))))))))))

;; MacCarthy_f91_ensures_less_than_101_po_2, File "HOME/tests/java/MacCarthy.java", line 40, characters 18-31
(FORALL (n)
(IMPLIES (<= (integer_of_int32 n) 100)
(IMPLIES (> (integer_of_int32 n) 100)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) (- (integer_of_int32 n) 10))
(FORALL (return)
(IMPLIES (EQ return result) (EQ (integer_of_int32 return) 91))))))))

;; MacCarthy_f91_safety_po_1, File "HOME/tests/java/MacCarthy.java", line 47, characters 20-26
(FORALL (n)
(IMPLIES TRUE
(IMPLIES (<= (integer_of_int32 n) 100)
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 n) 11)))))

;; MacCarthy_f91_safety_po_2, File "HOME/tests/java/MacCarthy.java", line 47, characters 20-26
(FORALL (n)
(IMPLIES TRUE
(IMPLIES (<= (integer_of_int32 n) 100)
(<= (+ (integer_of_int32 n) 11) constant_too_large_2147483647))))

;; MacCarthy_f91_safety_po_3, File "why/MacCarthy.why", line 728, characters 21-194
(FORALL (n)
(IMPLIES TRUE
(IMPLIES (<= (integer_of_int32 n) 100)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 n) 11))
         (<= (+ (integer_of_int32 n) 11) constant_too_large_2147483647))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) (+ (integer_of_int32 n) 11))
(<= 0 (- 101 (integer_of_int32 n)))))))))

;; MacCarthy_f91_safety_po_4, File "why/MacCarthy.why", line 728, characters 21-194
(FORALL (n)
(IMPLIES TRUE
(IMPLIES (<= (integer_of_int32 n) 100)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 n) 11))
         (<= (+ (integer_of_int32 n) 11) constant_too_large_2147483647))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) (+ (integer_of_int32 n) 11))
(< (- 101 (integer_of_int32 result)) (- 101 (integer_of_int32 n)))))))))

;; MacCarthy_f91_safety_po_5, File "why/MacCarthy.why", line 734, characters 21-194
(FORALL (n)
(IMPLIES TRUE
(IMPLIES (<= (integer_of_int32 n) 100)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 n) 11))
         (<= (+ (integer_of_int32 n) 11) constant_too_large_2147483647))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) (+ (integer_of_int32 n) 11))
(FORALL (result0)
(IMPLIES (AND
         (IMPLIES (>= (integer_of_int32 result) 101)
         (EQ (integer_of_int32 result0) (- (integer_of_int32 result) 10)))
         (IMPLIES (<= (integer_of_int32 result) 100)
         (EQ (integer_of_int32 result0) 91)))
(<= 0 (- 101 (integer_of_int32 n)))))))))))

;; MacCarthy_f91_safety_po_6, File "why/MacCarthy.why", line 734, characters 21-194
(FORALL (n)
(IMPLIES TRUE
(IMPLIES (<= (integer_of_int32 n) 100)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 n) 11))
         (<= (+ (integer_of_int32 n) 11) constant_too_large_2147483647))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) (+ (integer_of_int32 n) 11))
(FORALL (result0)
(IMPLIES (AND
         (IMPLIES (>= (integer_of_int32 result) 101)
         (EQ (integer_of_int32 result0) (- (integer_of_int32 result) 10)))
         (IMPLIES (<= (integer_of_int32 result) 100)
         (EQ (integer_of_int32 result0) 91)))
(< (- 101 (integer_of_int32 result0)) (- 101 (integer_of_int32 n)))))))))))

;; MacCarthy_f91_safety_po_7, File "HOME/tests/java/MacCarthy.java", line 50, characters 12-18
(FORALL (n)
(IMPLIES TRUE
(IMPLIES (> (integer_of_int32 n) 100)
(<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n) 10)))))

;; MacCarthy_f91_safety_po_8, File "HOME/tests/java/MacCarthy.java", line 50, characters 12-18
(FORALL (n)
(IMPLIES TRUE
(IMPLIES (> (integer_of_int32 n) 100)
(<= (- (integer_of_int32 n) 10) constant_too_large_2147483647))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/MacCarthy_why.sx     : .....?....?. (10/0/2/0/0)
total   :  12
valid   :  10 ( 83%)
invalid :   0 (  0%)
unknown :   2 ( 17%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/MacCarthy.why
========== file tests/java/why/MacCarthy_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic MacCarthy_tag : Object tag_id

axiom MacCarthy_parenttag_Object: parenttag(MacCarthy_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_MacCarthy(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_MacCarthy(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_MacCarthy(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_MacCarthy(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal MacCarthy_f91_ensures_greater_than_100_po_1:
  forall n:int32.
  (integer_of_int32(n) >= 101) ->
  (integer_of_int32(n) <= 100) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) + 11)) ->
  forall result0:int32.
  (((integer_of_int32(result) >= 101) ->
    ("JC_102": (integer_of_int32(result0) = (integer_of_int32(result) - 10)))) and
   ((integer_of_int32(result) <= 100) ->
    ("JC_100": (integer_of_int32(result0) = 91)))) ->
  forall result1:int32.
  (((integer_of_int32(result0) >= 101) ->
    ("JC_102":
    (integer_of_int32(result1) = (integer_of_int32(result0) - 10)))) and
   ((integer_of_int32(result0) <= 100) ->
    ("JC_100": (integer_of_int32(result1) = 91)))) ->
  forall return:int32.
  (return = result1) ->
  ("JC_101": (integer_of_int32(return) = (integer_of_int32(n) - 10)))

goal MacCarthy_f91_ensures_greater_than_100_po_2:
  forall n:int32.
  (integer_of_int32(n) >= 101) ->
  (integer_of_int32(n) > 100) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) - 10)) ->
  forall return:int32.
  (return = result) ->
  ("JC_101": (integer_of_int32(return) = (integer_of_int32(n) - 10)))

goal MacCarthy_f91_ensures_less_than_101_po_1:
  forall n:int32.
  (integer_of_int32(n) <= 100) ->
  (integer_of_int32(n) <= 100) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) + 11)) ->
  forall result0:int32.
  (((integer_of_int32(result) >= 101) ->
    ("JC_102": (integer_of_int32(result0) = (integer_of_int32(result) - 10)))) and
   ((integer_of_int32(result) <= 100) ->
    ("JC_100": (integer_of_int32(result0) = 91)))) ->
  forall result1:int32.
  (((integer_of_int32(result0) >= 101) ->
    ("JC_102":
    (integer_of_int32(result1) = (integer_of_int32(result0) - 10)))) and
   ((integer_of_int32(result0) <= 100) ->
    ("JC_100": (integer_of_int32(result1) = 91)))) ->
  forall return:int32.
  (return = result1) ->
  ("JC_99": (integer_of_int32(return) = 91))

goal MacCarthy_f91_ensures_less_than_101_po_2:
  forall n:int32.
  (integer_of_int32(n) <= 100) ->
  (integer_of_int32(n) > 100) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) - 10)) ->
  forall return:int32.
  (return = result) ->
  ("JC_99": (integer_of_int32(return) = 91))

goal MacCarthy_f91_safety_po_1:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) <= 100) ->
  ((-2147483648) <= (integer_of_int32(n) + 11))

goal MacCarthy_f91_safety_po_2:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) <= 100) ->
  ((integer_of_int32(n) + 11) <= 2147483647)

goal MacCarthy_f91_safety_po_3:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) <= 100) ->
  (((-2147483648) <= (integer_of_int32(n) + 11)) and
   ((integer_of_int32(n) + 11) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) + 11)) ->
  (0 <= ("JC_105": (101 - integer_of_int32(n))))

goal MacCarthy_f91_safety_po_4:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) <= 100) ->
  (((-2147483648) <= (integer_of_int32(n) + 11)) and
   ((integer_of_int32(n) + 11) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) + 11)) ->
  (("JC_106": (101 - integer_of_int32(result))) < ("JC_105":
                                                  (101 - integer_of_int32(n))))

goal MacCarthy_f91_safety_po_5:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) <= 100) ->
  (((-2147483648) <= (integer_of_int32(n) + 11)) and
   ((integer_of_int32(n) + 11) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) + 11)) ->
  forall result0:int32.
  (((integer_of_int32(result) >= 101) ->
    ("JC_102": (integer_of_int32(result0) = (integer_of_int32(result) - 10)))) and
   ((integer_of_int32(result) <= 100) ->
    ("JC_100": (integer_of_int32(result0) = 91)))) ->
  (0 <= ("JC_109": (101 - integer_of_int32(n))))

goal MacCarthy_f91_safety_po_6:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) <= 100) ->
  (((-2147483648) <= (integer_of_int32(n) + 11)) and
   ((integer_of_int32(n) + 11) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n) + 11)) ->
  forall result0:int32.
  (((integer_of_int32(result) >= 101) ->
    ("JC_102": (integer_of_int32(result0) = (integer_of_int32(result) - 10)))) and
   ((integer_of_int32(result) <= 100) ->
    ("JC_100": (integer_of_int32(result0) = 91)))) ->
  (("JC_110": (101 - integer_of_int32(result0))) < ("JC_109":
                                                   (101 - integer_of_int32(n))))

goal MacCarthy_f91_safety_po_7:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) > 100) ->
  ((-2147483648) <= (integer_of_int32(n) - 10))

goal MacCarthy_f91_safety_po_8:
  forall n:int32.
  ("JC_94": true) ->
  (integer_of_int32(n) > 100) ->
  ((integer_of_int32(n) - 10) <= 2147483647)

why-2.34/tests/java/oracle/Isqrt.res.oracle0000644000175000017500000050407312311670312017237 0ustar  rtusers========== file tests/java/Isqrt.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

//@ logic integer sqr(integer x) = x * x;

class Isqrt {

/*@ requires x >= 0;
  @ ensures \result >= 0 && sqr(\result) <= x && x < sqr(\result + 1);
  @*/
static int isqrt(int x) {
  int count = 0, sum = 1;
  /*@ loop_invariant count >= 0 && x >= sqr(count) && sum == sqr(count+1);
    @ loop_variant  x - count; 
    @*/
  while (sum <= x) sum += 2 * ++count + 1;
  return count;
}

//@ ensures \result == 4;
static int main () {
  int r;
  r = isqrt(17);
  //@ assert r < 4 ==> false;
  //@ assert r > 4 ==> false;
  return r;
}

}

/*
Local Variables:
compile-command: "make Isqrt.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Isqrt_isqrt for method Isqrt.isqrt
Generating JC function Isqrt_main for method Isqrt.main
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_equals for method Object.equals
Generating JC function Object_wait for method Object.wait
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long for method Object.wait
Generating JC function cons_Isqrt for constructor Isqrt
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_registerNatives for method Object.registerNatives
Done.
========== file tests/java/Isqrt.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Isqrt = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

logic integer sqr(integer x) =
(x * x)

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

integer Isqrt_isqrt(integer x_0)
  requires (K_6 : (x_0 >= 0));
behavior default:
  ensures (K_5 : ((K_4 : ((K_3 : (\result >= 0)) &&
                           (K_2 : (sqr(\result) <= x_0)))) &&
                   (K_1 : (x_0 < sqr((\result + 1))))));
{  
   {  
      (var integer count = (K_19 : 0));
      
      {  
         (var integer sum = (K_18 : 1));
         
         {  
            loop 
            behavior default:
              invariant (K_11 : ((K_10 : ((K_9 : (count >= 0)) &&
                                           (K_8 : (x_0 >= sqr(count))))) &&
                                  (K_7 : (sum == sqr((count + 1))))));
            variant (K_12 : (x_0 - count));
            while ((K_17 : (sum <= x_0)))
            {  (K_16 : sum += (K_15 : ((K_14 : (2 * (K_13 : (++ count)))) +
                                        1)))
            };
            
            (return count)
         }
      }
   }
}

integer Isqrt_main()
behavior default:
  ensures (K_20 : (\result == 4));
{  
   {  
      (var integer r);
      
      {  (r = (K_21 : Isqrt_isqrt(17)));
         (K_23 : 
         (assert (K_22 : ((r < 4) ==> false))));
         (K_25 : 
         (assert (K_24 : ((r > 4) ==> false))));
         
         (return r)
      }
   }
}

Object[0..] Object_clone(Object[0] this_2)
;

unit Object_notifyAll(Object[0] this_3)
;

integer Object_hashCode(Object[0] this_4)
;

boolean Object_equals(Object[0] this_5, Object[0..] obj)
;

unit Object_wait(Object[0] this_6)
;

unit Object_notify(Object[0] this_7)
;

unit Object_wait_long(Object[0] this_8, integer timeout)
;

unit cons_Isqrt(! Isqrt[0] this_1){()}

String[0..] Object_toString(Object[0] this_9)
;

unit Object_wait_long_int(Object[0] this_10, integer timeout_0, integer nanos)
;

unit cons_Object(! Object[0] this_12){()}

unit Object_finalize(Object[0] this_11)
;

unit Object_registerNatives()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Isqrt.jloc tests/java/Isqrt.jc && make -f tests/java/Isqrt.makefile gui"
End:
*/
========== file tests/java/Isqrt.jloc ==========
[K_23]
file = "HOME/tests/java/Isqrt.java"
line = 55
begin = 13
end = 28

[K_17]
file = "HOME/tests/java/Isqrt.java"
line = 47
begin = 9
end = 17

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 73

[K_25]
file = "HOME/tests/java/Isqrt.java"
line = 56
begin = 13
end = 28

[K_13]
file = "HOME/tests/java/Isqrt.java"
line = 47
begin = 30
end = 37

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 31

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Isqrt_main]
name = "Method main"
file = "HOME/tests/java/Isqrt.java"
line = 52
begin = 11
end = 15

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 49
end = 69

[K_15]
file = "HOME/tests/java/Isqrt.java"
line = 47
begin = 26
end = 41

[K_4]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 45

[K_12]
file = "HOME/tests/java/Isqrt.java"
line = 45
begin = 20
end = 29

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/Isqrt.java"
line = 51
begin = 12
end = 24

[K_2]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 28
end = 45

[K_10]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 50

[K_6]
file = "HOME/tests/java/Isqrt.java"
line = 39
begin = 13
end = 19

[K_8]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 35
end = 50

[K_3]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 24

[K_21]
file = "HOME/tests/java/Isqrt.java"
line = 54
begin = 6
end = 15

[Isqrt_isqrt]
name = "Method isqrt"
file = "HOME/tests/java/Isqrt.java"
line = 42
begin = 11
end = 16

[K_24]
file = "HOME/tests/java/Isqrt.java"
line = 56
begin = 13
end = 28

[K_14]
file = "HOME/tests/java/Isqrt.java"
line = 47
begin = 26
end = 37

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_19]
file = "HOME/tests/java/Isqrt.java"
line = 43
begin = 14
end = 15

[K_5]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 69

[K_18]
file = "HOME/tests/java/Isqrt.java"
line = 43
begin = 23
end = 24

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 54
end = 73

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/Isqrt.java"
line = 55
begin = 13
end = 28

[K_16]
file = "HOME/tests/java/Isqrt.java"
line = 47
begin = 19
end = 41

[cons_Isqrt]
name = "Constructor of class Isqrt"
file = "HOME/"
line = 0
begin = -1
end = -1

========== jessie execution ==========
Generating Why function Isqrt_isqrt
Generating Why function Isqrt_main
Generating Why function cons_Isqrt
Generating Why function cons_Object
========== file tests/java/Isqrt.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Isqrt.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Isqrt.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Isqrt_why.sx

project: why/Isqrt.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Isqrt_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Isqrt_why.vo

coq/Isqrt_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Isqrt_why.v: why/Isqrt.why
	@echo 'why -coq [...] why/Isqrt.why' && $(WHY) $(JESSIELIBFILES) why/Isqrt.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Isqrt_ctx_why.vo
	for f in why/*_po*.why; do make -f Isqrt.makefile coq/`basename $$f .why`_why.v ; done

coq/Isqrt_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Isqrt_ctx_why.v: why/Isqrt_ctx.why
	@echo 'why -coq [...] why/Isqrt_ctx.why' && $(WHY) why/Isqrt_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Isqrt_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Isqrt_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Isqrt_ctx_why.vo

pvs: pvs/Isqrt_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Isqrt_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Isqrt_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Isqrt_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Isqrt_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Isqrt_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Isqrt_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Isqrt_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Isqrt_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Isqrt_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Isqrt_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Isqrt_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Isqrt_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Isqrt_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Isqrt_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Isqrt.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Isqrt_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Isqrt.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Isqrt.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Isqrt.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Isqrt.depend

depend: coq/Isqrt_why.v
	-$(COQDEP) -I coq coq/Isqrt*_why.v > Isqrt.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Isqrt.loc ==========
[JC_94]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[Isqrt_isqrt_safety]
name = "Method isqrt"
behavior = "Safety"
file = "HOME/tests/java/Isqrt.java"
line = 42
begin = 11
end = 16

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/Isqrt.jc"
line = 37
begin = 11
end = 65

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Isqrt_ensures_default]
name = "Constructor of class Isqrt"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/tests/java/Isqrt.java"
line = 52
begin = 11
end = 15

[JC_23]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 24

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Isqrt.jc"
line = 35
begin = 8
end = 23

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 28
end = 45

[JC_25]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 49
end = 69

[JC_78]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_41]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 31

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/java/Isqrt.jc"
line = 61
begin = 12
end = 481

[JC_52]
file = "HOME/tests/java/Isqrt.java"
line = 51
begin = 12
end = 24

[JC_26]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 69

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[Isqrt_main_safety]
name = "Method main"
behavior = "Safety"
file = "HOME/tests/java/Isqrt.java"
line = 52
begin = 11
end = 15

[JC_11]
file = "HOME/tests/java/Isqrt.jc"
line = 35
begin = 8
end = 23

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[Isqrt_isqrt_ensures_default]
name = "Method isqrt"
behavior = "default behavior"
file = "HOME/tests/java/Isqrt.java"
line = 42
begin = 11
end = 16

[JC_36]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 73

[JC_104]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Isqrt.jc"
line = 61
begin = 12
end = 481

[JC_112]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_40]
file = "HOME/tests/java/Isqrt.java"
line = 45
begin = 20
end = 29

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 54
end = 73

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 24

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/java/Isqrt.jc"
line = 61
begin = 12
end = 481

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 73

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 35
end = 50

[JC_110]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/tests/java/Isqrt.jc"
line = 61
begin = 12
end = 481

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/Isqrt.java"
line = 56
begin = 13
end = 28

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
kind = UserCall
file = "HOME/tests/java/Isqrt.java"
line = 54
begin = 6
end = 15

[JC_33]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 21
end = 31

[cons_Isqrt_safety]
name = "Constructor of class Isqrt"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 49
end = 69

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_43]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 54
end = 73

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[Isqrt_main_ensures_default]
name = "Method main"
behavior = "default behavior"
file = "HOME/tests/java/Isqrt.java"
line = 52
begin = 11
end = 15

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_160]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_128]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_34]
file = "HOME/tests/java/Isqrt.java"
line = 44
begin = 35
end = 50

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_117]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/java/Isqrt.java"
line = 51
begin = 12
end = 24

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Isqrt.java"
line = 39
begin = 13
end = 19

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Isqrt.jc"
line = 10
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/Isqrt.java"
line = 55
begin = 13
end = 28

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
kind = UserCall
file = "HOME/tests/java/Isqrt.java"
line = 54
begin = 6
end = 15

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Isqrt.jc"
line = 37
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Isqrt.jc"
line = 10
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_152]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_86]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_60]
file = "HOME/tests/java/Isqrt.java"
line = 55
begin = 13
end = 28

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_19]
file = "HOME/tests/java/Isqrt.java"
line = 39
begin = 13
end = 19

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/Isqrt.java"
line = 52
begin = 11
end = 15

[JC_30]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 12
end = 69

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/Isqrt.java"
line = 56
begin = 13
end = 28

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/tests/java/Isqrt.java"
line = 40
begin = 28
end = 45

========== file tests/java/why/Isqrt.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Isqrt_tag:  -> Object tag_id

axiom Isqrt_parenttag_Object : parenttag(Isqrt_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Isqrt(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Isqrt(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

function sqr(x_2:int) : int = mul_int(x_2, x_2)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Isqrt(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Isqrt(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Isqrt_isqrt :
 x_0_0:int ->
  { } int
  { (JC_30:
    ((JC_27: ge_int(result, (0)))
    and ((JC_28: le_int(sqr(result), x_0_0))
        and (JC_29: lt_int(x_0_0, sqr(add_int(result, (1)))))))) }

parameter Isqrt_isqrt_requires :
 x_0_0:int ->
  { (JC_19: ge_int(x_0_0, (0)))} int
  { (JC_30:
    ((JC_27: ge_int(result, (0)))
    and ((JC_28: le_int(sqr(result), x_0_0))
        and (JC_29: lt_int(x_0_0, sqr(add_int(result, (1)))))))) }

parameter Isqrt_main : tt:unit -> { } int { (JC_53: (result = (4))) }

parameter Isqrt_main_requires :
 tt:unit -> { } int { (JC_53: (result = (4))) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_2:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_2:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_5:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_5:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_4:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_4:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_notify :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_8:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_10:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_10:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_8:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Isqrt :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Isqrt(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Isqrt_tag)))) }

parameter alloc_struct_Isqrt_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Isqrt(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Isqrt_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Isqrt :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Isqrt_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Isqrt_isqrt_ensures_default =
 fun (x_0_0 : int) ->
  { (JC_21: ge_int(x_0_0, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let count = ref (K_19: (0)) in
     (let sum = ref (K_18: (1)) in
     begin
       try
        (loop_2:
        while true do
        { invariant
            (JC_44:
            ((JC_41: ge_int(count, (0)))
            and ((JC_42: ge_int(x_0_0, sqr(count)))
                and (JC_43: (sum = sqr(add_int(count, (1))))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_17: ((le_int_ !sum) x_0_0))
             then
              (let _jessie_ =
              (K_16:
              begin
                (sum := ((add_int !sum) (K_15:
                                        ((add_int (K_14:
                                                  ((mul_int (2)) (K_13:
                                                                 begin
                                                                   (count := 
                                                                    ((add_int !count) (1)));
                                                                  !count end)))) (1)))));
               !sum end) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !count);
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_26:
    ((JC_23: ge_int(result, (0)))
    and ((JC_24: le_int(sqr(result), x_0_0))
        and (JC_25: lt_int(x_0_0, sqr(add_int(result, (1)))))))) }

let Isqrt_isqrt_safety =
 fun (x_0_0 : int) ->
  { (JC_21: ge_int(x_0_0, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let count = ref (K_19: (0)) in
     (let sum = ref (K_18: (1)) in
     begin
       try
        (loop_1:
        while true do
        { invariant (JC_38: true) variant (JC_40 : sub_int(x_0_0, count)) }
         begin
           [ { } unit reads count,sum
             { (JC_36:
               ((JC_33: ge_int(count, (0)))
               and ((JC_34: ge_int(x_0_0, sqr(count)))
                   and (JC_35: (sum = sqr(add_int(count, (1)))))))) } ];
          try
           begin
             (if (K_17: ((le_int_ !sum) x_0_0))
             then
              (let _jessie_ =
              (K_16:
              begin
                (sum := ((add_int !sum) (K_15:
                                        ((add_int (K_14:
                                                  ((mul_int (2)) (K_13:
                                                                 begin
                                                                   (count := 
                                                                    ((add_int !count) (1)));
                                                                  !count end)))) (1)))));
               !sum end) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !count);
      (raise Return) end)); absurd  end with Return -> !return end)) 
  { true }

let Isqrt_main_ensures_default =
 fun (tt : unit) ->
  { (JC_51: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (any_int void) in
     begin
       (let _jessie_ =
       (r := (K_21:
             (let _jessie_ = (17) in (JC_59: (Isqrt_isqrt _jessie_))))) in
       void);
      (K_23:
      begin
        (assert { (JC_60: (lt_int(r, (4)) -> (false = true))) }; void);
       (K_25:
       begin
         (assert { (JC_61: (gt_int(r, (4)) -> (false = true))) }; void);
        (return := !r); (raise Return) end) end) end); absurd  end with
   Return -> !return end)) { (JC_52: (result = (4))) }

let Isqrt_main_safety =
 fun (tt : unit) ->
  { (JC_51: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (any_int void) in
     begin
       (let _jessie_ =
       (r := (K_21:
             (let _jessie_ = (17) in
             (JC_56: (Isqrt_isqrt_requires _jessie_))))) in void);
      (K_23:
      begin
        [ { } unit reads r { (JC_57: (lt_int(r, (4)) -> (false = true))) } ];
       (K_25:
       begin
         [ { } unit reads r { (JC_58: (gt_int(r, (4)) -> (false = true))) } ];
        (return := !r); (raise Return) end) end) end); absurd  end with
   Return -> !return end)) { true }

let cons_Isqrt_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_Isqrt(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_122: true) }

let cons_Isqrt_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_Isqrt(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Object_ensures_default =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_146: true) }

let cons_Object_safety =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Isqrt.why
========== file tests/java/why/Isqrt.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  

========== file tests/java/why/Isqrt_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Isqrt_tag : Object tag_id

axiom Isqrt_parenttag_Object: parenttag(Isqrt_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Isqrt(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Isqrt(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

function sqr(x_2: int) : int = (x_2 * x_2)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Isqrt(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Isqrt(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Isqrt_po1.why ==========
goal Isqrt_isqrt_ensures_default_po_1:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  ("JC_44": ("JC_41": (0 >= 0)))

========== file tests/java/why/Isqrt_po10.why ==========
goal Isqrt_isqrt_safety_po_1:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_38": true) ->
  ("JC_36":
  (("JC_33": (count >= 0)) and
   (("JC_34": (x_0_0 >= sqr(count))) and ("JC_35": (sum = sqr((count + 1))))))) ->
  (sum <= x_0_0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall sum0:int.
  (sum0 = (sum + ((2 * count0) + 1))) ->
  (0 <= ("JC_40": (x_0_0 - count)))

========== file tests/java/why/Isqrt_po11.why ==========
goal Isqrt_isqrt_safety_po_2:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_38": true) ->
  ("JC_36":
  (("JC_33": (count >= 0)) and
   (("JC_34": (x_0_0 >= sqr(count))) and ("JC_35": (sum = sqr((count + 1))))))) ->
  (sum <= x_0_0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall sum0:int.
  (sum0 = (sum + ((2 * count0) + 1))) ->
  (("JC_40": (x_0_0 - count0)) < ("JC_40": (x_0_0 - count)))

========== file tests/java/why/Isqrt_po12.why ==========
goal Isqrt_main_ensures_default_po_1:
  ("JC_51": true) ->
  forall result:int.
  ("JC_30":
  (("JC_27": (result >= 0)) and
   (("JC_28": (sqr(result) <= 17)) and ("JC_29": (17 < sqr((result + 1))))))) ->
  forall r:int.
  (r = result) ->
  (r < 4) ->
  ("JC_60": (false = true))

========== file tests/java/why/Isqrt_po13.why ==========
goal Isqrt_main_ensures_default_po_2:
  ("JC_51": true) ->
  forall result:int.
  ("JC_30":
  (("JC_27": (result >= 0)) and
   (("JC_28": (sqr(result) <= 17)) and ("JC_29": (17 < sqr((result + 1))))))) ->
  forall r:int.
  (r = result) ->
  ("JC_60": ((r < 4) -> (false = true))) ->
  (r > 4) ->
  ("JC_61": (false = true))

========== file tests/java/why/Isqrt_po14.why ==========
goal Isqrt_main_ensures_default_po_3:
  ("JC_51": true) ->
  forall result:int.
  ("JC_30":
  (("JC_27": (result >= 0)) and
   (("JC_28": (sqr(result) <= 17)) and ("JC_29": (17 < sqr((result + 1))))))) ->
  forall r:int.
  (r = result) ->
  ("JC_60": ((r < 4) -> (false = true))) ->
  ("JC_61": ((r > 4) -> (false = true))) ->
  forall return:int.
  (return = r) ->
  ("JC_52": (return = 4))

========== file tests/java/why/Isqrt_po15.why ==========
goal Isqrt_main_safety_po_1:
  ("JC_51": true) ->
  ("JC_19": (17 >= 0))

========== file tests/java/why/Isqrt_po2.why ==========
goal Isqrt_isqrt_ensures_default_po_2:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  ("JC_44": ("JC_42": (x_0_0 >= sqr(0))))

========== file tests/java/why/Isqrt_po3.why ==========
goal Isqrt_isqrt_ensures_default_po_3:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  ("JC_44": ("JC_43": (1 = sqr((0 + 1)))))

========== file tests/java/why/Isqrt_po4.why ==========
goal Isqrt_isqrt_ensures_default_po_4:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_44":
  (("JC_41": (count >= 0)) and
   (("JC_42": (x_0_0 >= sqr(count))) and ("JC_43": (sum = sqr((count + 1))))))) ->
  (sum <= x_0_0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall sum0:int.
  (sum0 = (sum + ((2 * count0) + 1))) ->
  ("JC_44": ("JC_41": (count0 >= 0)))

========== file tests/java/why/Isqrt_po5.why ==========
goal Isqrt_isqrt_ensures_default_po_5:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_44":
  (("JC_41": (count >= 0)) and
   (("JC_42": (x_0_0 >= sqr(count))) and ("JC_43": (sum = sqr((count + 1))))))) ->
  (sum <= x_0_0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall sum0:int.
  (sum0 = (sum + ((2 * count0) + 1))) ->
  ("JC_44": ("JC_42": (x_0_0 >= sqr(count0))))

========== file tests/java/why/Isqrt_po6.why ==========
goal Isqrt_isqrt_ensures_default_po_6:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_44":
  (("JC_41": (count >= 0)) and
   (("JC_42": (x_0_0 >= sqr(count))) and ("JC_43": (sum = sqr((count + 1))))))) ->
  (sum <= x_0_0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall sum0:int.
  (sum0 = (sum + ((2 * count0) + 1))) ->
  ("JC_44": ("JC_43": (sum0 = sqr((count0 + 1)))))

========== file tests/java/why/Isqrt_po7.why ==========
goal Isqrt_isqrt_ensures_default_po_7:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_44":
  (("JC_41": (count >= 0)) and
   (("JC_42": (x_0_0 >= sqr(count))) and ("JC_43": (sum = sqr((count + 1))))))) ->
  (sum > x_0_0) ->
  forall return:int.
  (return = count) ->
  ("JC_26": ("JC_23": (return >= 0)))

========== file tests/java/why/Isqrt_po8.why ==========
goal Isqrt_isqrt_ensures_default_po_8:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_44":
  (("JC_41": (count >= 0)) and
   (("JC_42": (x_0_0 >= sqr(count))) and ("JC_43": (sum = sqr((count + 1))))))) ->
  (sum > x_0_0) ->
  forall return:int.
  (return = count) ->
  ("JC_26": ("JC_24": (sqr(return) <= x_0_0)))

========== file tests/java/why/Isqrt_po9.why ==========
goal Isqrt_isqrt_ensures_default_po_9:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_44":
  (("JC_41": (count >= 0)) and
   (("JC_42": (x_0_0 >= sqr(count))) and ("JC_43": (sum = sqr((count + 1))))))) ->
  (sum > x_0_0) ->
  forall return:int.
  (return = count) ->
  ("JC_26": ("JC_25": (x_0_0 < sqr((return + 1)))))

========== generation of Simplify VC output ==========
why -simplify [...] why/Isqrt.why
========== file tests/java/simplify/Isqrt_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Isqrt_parenttag_Object
 (EQ (parenttag Isqrt_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Isqrt p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Isqrt p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom sqr_def
 (FORALL (x_2) (EQ (sqr x_2) (* x_2 x_2))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Isqrt p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Isqrt p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Isqrt_isqrt_ensures_default_po_1, File "HOME/tests/java/Isqrt.java", line 44, characters 21-31
(FORALL (x_0_0) (IMPLIES (>= x_0_0 0) (>= 0 0)))

;; Isqrt_isqrt_ensures_default_po_2, File "HOME/tests/java/Isqrt.java", line 44, characters 35-50
(FORALL (x_0_0) (IMPLIES (>= x_0_0 0) (>= x_0_0 (sqr 0))))

;; Isqrt_isqrt_ensures_default_po_3, File "HOME/tests/java/Isqrt.java", line 44, characters 54-73
(FORALL (x_0_0) (IMPLIES (>= x_0_0 0) (EQ 1 (sqr (+ 0 1)))))

;; Isqrt_isqrt_ensures_default_po_4, File "HOME/tests/java/Isqrt.java", line 44, characters 21-31
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (count)
(FORALL (sum)
(IMPLIES (AND (>= count 0)
         (AND (>= x_0_0 (sqr count)) (EQ sum (sqr (+ count 1)))))
(IMPLIES (<= sum x_0_0)
(FORALL (count0)
(IMPLIES (EQ count0 (+ count 1))
(FORALL (sum0) (IMPLIES (EQ sum0 (+ sum (+ (* 2 count0) 1))) (>= count0 0)))))))))))

;; Isqrt_isqrt_ensures_default_po_5, File "HOME/tests/java/Isqrt.java", line 44, characters 35-50
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (count)
(FORALL (sum)
(IMPLIES (AND (>= count 0)
         (AND (>= x_0_0 (sqr count)) (EQ sum (sqr (+ count 1)))))
(IMPLIES (<= sum x_0_0)
(FORALL (count0)
(IMPLIES (EQ count0 (+ count 1))
(FORALL (sum0)
(IMPLIES (EQ sum0 (+ sum (+ (* 2 count0) 1))) (>= x_0_0 (sqr count0))))))))))))

;; Isqrt_isqrt_ensures_default_po_6, File "HOME/tests/java/Isqrt.java", line 44, characters 54-73
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (count)
(FORALL (sum)
(IMPLIES (AND (>= count 0)
         (AND (>= x_0_0 (sqr count)) (EQ sum (sqr (+ count 1)))))
(IMPLIES (<= sum x_0_0)
(FORALL (count0)
(IMPLIES (EQ count0 (+ count 1))
(FORALL (sum0)
(IMPLIES (EQ sum0 (+ sum (+ (* 2 count0) 1))) (EQ sum0 (sqr (+ count0 1)))))))))))))

;; Isqrt_isqrt_ensures_default_po_7, File "HOME/tests/java/Isqrt.java", line 40, characters 12-24
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (count)
(FORALL (sum)
(IMPLIES (AND (>= count 0)
         (AND (>= x_0_0 (sqr count)) (EQ sum (sqr (+ count 1)))))
(IMPLIES (> sum x_0_0)
(FORALL (return) (IMPLIES (EQ return count) (>= return 0)))))))))

;; Isqrt_isqrt_ensures_default_po_8, File "HOME/tests/java/Isqrt.java", line 40, characters 28-45
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (count)
(FORALL (sum)
(IMPLIES (AND (>= count 0)
         (AND (>= x_0_0 (sqr count)) (EQ sum (sqr (+ count 1)))))
(IMPLIES (> sum x_0_0)
(FORALL (return) (IMPLIES (EQ return count) (<= (sqr return) x_0_0)))))))))

;; Isqrt_isqrt_ensures_default_po_9, File "HOME/tests/java/Isqrt.java", line 40, characters 49-69
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (count)
(FORALL (sum)
(IMPLIES (AND (>= count 0)
         (AND (>= x_0_0 (sqr count)) (EQ sum (sqr (+ count 1)))))
(IMPLIES (> sum x_0_0)
(FORALL (return) (IMPLIES (EQ return count) (< x_0_0 (sqr (+ return 1)))))))))))

;; Isqrt_isqrt_safety_po_1, File "HOME/tests/java/Isqrt.java", line 45, characters 20-29
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (count)
(FORALL (sum)
(IMPLIES TRUE
(IMPLIES (AND (>= count 0)
         (AND (>= x_0_0 (sqr count)) (EQ sum (sqr (+ count 1)))))
(IMPLIES (<= sum x_0_0)
(FORALL (count0)
(IMPLIES (EQ count0 (+ count 1))
(FORALL (sum0)
(IMPLIES (EQ sum0 (+ sum (+ (* 2 count0) 1))) (<= 0 (- x_0_0 count)))))))))))))

;; Isqrt_isqrt_safety_po_2, File "HOME/tests/java/Isqrt.java", line 45, characters 20-29
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (count)
(FORALL (sum)
(IMPLIES TRUE
(IMPLIES (AND (>= count 0)
         (AND (>= x_0_0 (sqr count)) (EQ sum (sqr (+ count 1)))))
(IMPLIES (<= sum x_0_0)
(FORALL (count0)
(IMPLIES (EQ count0 (+ count 1))
(FORALL (sum0)
(IMPLIES (EQ sum0 (+ sum (+ (* 2 count0) 1)))
(< (- x_0_0 count0) (- x_0_0 count)))))))))))))

;; Isqrt_main_ensures_default_po_1, File "HOME/tests/java/Isqrt.java", line 55, characters 13-28
(IMPLIES TRUE
(FORALL (result)
(IMPLIES (AND (>= result 0)
         (AND (<= (sqr result) 17) (< 17 (sqr (+ result 1)))))
(FORALL (r) (IMPLIES (EQ r result) (IMPLIES (< r 4) (EQ |@false| |@true|)))))))

;; Isqrt_main_ensures_default_po_2, File "HOME/tests/java/Isqrt.java", line 56, characters 13-28
(IMPLIES TRUE
(FORALL (result)
(IMPLIES (AND (>= result 0)
         (AND (<= (sqr result) 17) (< 17 (sqr (+ result 1)))))
(FORALL (r)
(IMPLIES (EQ r result)
(IMPLIES (IMPLIES (< r 4) (EQ |@false| |@true|))
(IMPLIES (> r 4) (EQ |@false| |@true|))))))))

;; Isqrt_main_ensures_default_po_3, File "HOME/tests/java/Isqrt.java", line 51, characters 12-24
(IMPLIES TRUE
(FORALL (result)
(IMPLIES (AND (>= result 0)
         (AND (<= (sqr result) 17) (< 17 (sqr (+ result 1)))))
(FORALL (r)
(IMPLIES (EQ r result)
(IMPLIES (IMPLIES (< r 4) (EQ |@false| |@true|))
(IMPLIES (IMPLIES (> r 4) (EQ |@false| |@true|))
(FORALL (return) (IMPLIES (EQ return r) (EQ return 4))))))))))

;; Isqrt_main_safety_po_1, File "HOME/tests/java/Isqrt.java", line 54, characters 6-15
(IMPLIES TRUE (>= 17 0))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Isqrt_why.sx         : .....?...?.??.. (11/0/4/0/0)
total   :  15
valid   :  11 ( 73%)
invalid :   0 (  0%)
unknown :   4 ( 27%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Isqrt.why
========== file tests/java/why/Isqrt_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Isqrt_tag : Object tag_id

axiom Isqrt_parenttag_Object: parenttag(Isqrt_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Isqrt(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Isqrt(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

function sqr(x_2: int) : int = (x_2 * x_2)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Isqrt(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Isqrt(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Isqrt_isqrt_ensures_default_po_1:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  ("JC_44": ("JC_41": (0 >= 0)))

goal Isqrt_isqrt_ensures_default_po_2:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  ("JC_44": ("JC_42": (x_0_0 >= sqr(0))))

goal Isqrt_isqrt_ensures_default_po_3:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  ("JC_44": ("JC_43": (1 = sqr((0 + 1)))))

goal Isqrt_isqrt_ensures_default_po_4:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_44":
  (("JC_41": (count >= 0)) and
   (("JC_42": (x_0_0 >= sqr(count))) and ("JC_43": (sum = sqr((count + 1))))))) ->
  (sum <= x_0_0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall sum0:int.
  (sum0 = (sum + ((2 * count0) + 1))) ->
  ("JC_44": ("JC_41": (count0 >= 0)))

goal Isqrt_isqrt_ensures_default_po_5:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_44":
  (("JC_41": (count >= 0)) and
   (("JC_42": (x_0_0 >= sqr(count))) and ("JC_43": (sum = sqr((count + 1))))))) ->
  (sum <= x_0_0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall sum0:int.
  (sum0 = (sum + ((2 * count0) + 1))) ->
  ("JC_44": ("JC_42": (x_0_0 >= sqr(count0))))

goal Isqrt_isqrt_ensures_default_po_6:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_44":
  (("JC_41": (count >= 0)) and
   (("JC_42": (x_0_0 >= sqr(count))) and ("JC_43": (sum = sqr((count + 1))))))) ->
  (sum <= x_0_0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall sum0:int.
  (sum0 = (sum + ((2 * count0) + 1))) ->
  ("JC_44": ("JC_43": (sum0 = sqr((count0 + 1)))))

goal Isqrt_isqrt_ensures_default_po_7:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_44":
  (("JC_41": (count >= 0)) and
   (("JC_42": (x_0_0 >= sqr(count))) and ("JC_43": (sum = sqr((count + 1))))))) ->
  (sum > x_0_0) ->
  forall return:int.
  (return = count) ->
  ("JC_26": ("JC_23": (return >= 0)))

goal Isqrt_isqrt_ensures_default_po_8:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_44":
  (("JC_41": (count >= 0)) and
   (("JC_42": (x_0_0 >= sqr(count))) and ("JC_43": (sum = sqr((count + 1))))))) ->
  (sum > x_0_0) ->
  forall return:int.
  (return = count) ->
  ("JC_26": ("JC_24": (sqr(return) <= x_0_0)))

goal Isqrt_isqrt_ensures_default_po_9:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_44":
  (("JC_41": (count >= 0)) and
   (("JC_42": (x_0_0 >= sqr(count))) and ("JC_43": (sum = sqr((count + 1))))))) ->
  (sum > x_0_0) ->
  forall return:int.
  (return = count) ->
  ("JC_26": ("JC_25": (x_0_0 < sqr((return + 1)))))

goal Isqrt_isqrt_safety_po_1:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_38": true) ->
  ("JC_36":
  (("JC_33": (count >= 0)) and
   (("JC_34": (x_0_0 >= sqr(count))) and ("JC_35": (sum = sqr((count + 1))))))) ->
  (sum <= x_0_0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall sum0:int.
  (sum0 = (sum + ((2 * count0) + 1))) ->
  (0 <= ("JC_40": (x_0_0 - count)))

goal Isqrt_isqrt_safety_po_2:
  forall x_0_0:int.
  ("JC_21": (x_0_0 >= 0)) ->
  forall count:int.
  forall sum:int.
  ("JC_38": true) ->
  ("JC_36":
  (("JC_33": (count >= 0)) and
   (("JC_34": (x_0_0 >= sqr(count))) and ("JC_35": (sum = sqr((count + 1))))))) ->
  (sum <= x_0_0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall sum0:int.
  (sum0 = (sum + ((2 * count0) + 1))) ->
  (("JC_40": (x_0_0 - count0)) < ("JC_40": (x_0_0 - count)))

goal Isqrt_main_ensures_default_po_1:
  ("JC_51": true) ->
  forall result:int.
  ("JC_30":
  (("JC_27": (result >= 0)) and
   (("JC_28": (sqr(result) <= 17)) and ("JC_29": (17 < sqr((result + 1))))))) ->
  forall r:int.
  (r = result) ->
  (r < 4) ->
  ("JC_60": (false = true))

goal Isqrt_main_ensures_default_po_2:
  ("JC_51": true) ->
  forall result:int.
  ("JC_30":
  (("JC_27": (result >= 0)) and
   (("JC_28": (sqr(result) <= 17)) and ("JC_29": (17 < sqr((result + 1))))))) ->
  forall r:int.
  (r = result) ->
  ("JC_60": ((r < 4) -> (false = true))) ->
  (r > 4) ->
  ("JC_61": (false = true))

goal Isqrt_main_ensures_default_po_3:
  ("JC_51": true) ->
  forall result:int.
  ("JC_30":
  (("JC_27": (result >= 0)) and
   (("JC_28": (sqr(result) <= 17)) and ("JC_29": (17 < sqr((result + 1))))))) ->
  forall r:int.
  (r = result) ->
  ("JC_60": ((r < 4) -> (false = true))) ->
  ("JC_61": ((r > 4) -> (false = true))) ->
  forall return:int.
  (return = r) ->
  ("JC_52": (return = 4))

goal Isqrt_main_safety_po_1:
  ("JC_51": true) ->
  ("JC_19": (17 >= 0))

why-2.34/tests/java/oracle/Termination.res.oracle0000644000175000017500000045204312311670312020425 0ustar  rtusers========== file tests/java/Termination.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

class Termination {

    void loop1(int n) { 
	//@ loop_variant n;
	while (n > 0) n--; 
    }

    void loop2(int n) { 
	//@ loop_variant 100-n;
	while (n < 100) n++; 
    }

    //@ ensures \result == 0;
    int loop3() {
	int i = 100;
	/*@ loop_invariant 0 <= i <= 100;
	  @ loop_variant i;
	  @*/
	while (i > 0) i--;
	return i;
    }

}


/*
Local Variables:
compile-command: "make Termination.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Termination_loop2 for method Termination.loop2
Generating JC function Termination_loop3 for method Termination.loop3
Generating JC function Termination_loop1 for method Termination.loop1
Generating JC function cons_Termination for constructor Termination
Done.
========== file tests/java/Termination.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Termination = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit Termination_loop2(Termination[0] this_1, integer n_0)
{  
   loop 
   behavior default:
     invariant (K_1 : true);
   variant (K_2 : (100 - n_0));
   while ((K_4 : (n_0 < 100)))
   {  (K_3 : (n_0 ++))
   }
}

integer Termination_loop3(Termination[0] this_0)
behavior default:
  ensures (K_5 : (\result == 0));
{  
   {  
      (var integer i = (K_12 : 100));
      
      {  
         loop 
         behavior default:
           invariant (K_8 : ((K_7 : (0 <= i)) && (K_6 : (i <= 100))));
         variant (K_9 : i);
         while ((K_11 : (i > 0)))
         {  (K_10 : (i --))
         };
         
         (return i)
      }
   }
}

unit Termination_loop1(Termination[0] this_2, integer n)
{  
   loop 
   behavior default:
     invariant (K_13 : true);
   variant (K_14 : n);
   while ((K_16 : (n > 0)))
   {  (K_15 : (n --))
   }
}

unit cons_Termination(! Termination[0] this_3){()}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Termination.jloc tests/java/Termination.jc && make -f tests/java/Termination.makefile gui"
End:
*/
========== file tests/java/Termination.jloc ==========
[Termination_loop2]
name = "Method loop2"
file = "HOME/tests/java/Termination.java"
line = 41
begin = 9
end = 14

[K_11]
file = "HOME/tests/java/Termination.java"
line = 52
begin = 8
end = 13

[K_13]
file = "HOME/tests/java/Termination.java"
line = 37
begin = 5
end = 20

[cons_Termination]
name = "Constructor of class Termination"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_9]
file = "HOME/tests/java/Termination.java"
line = 50
begin = 18
end = 19

[K_1]
file = "HOME/tests/java/Termination.java"
line = 42
begin = 5
end = 24

[K_15]
file = "HOME/tests/java/Termination.java"
line = 38
begin = 15
end = 18

[K_4]
file = "HOME/tests/java/Termination.java"
line = 43
begin = 8
end = 15

[K_12]
file = "HOME/tests/java/Termination.java"
line = 48
begin = 9
end = 12

[Termination_loop1]
name = "Method loop1"
file = "HOME/tests/java/Termination.java"
line = 36
begin = 9
end = 14

[K_2]
file = "HOME/tests/java/Termination.java"
line = 42
begin = 18
end = 23

[Termination_loop3]
name = "Method loop3"
file = "HOME/tests/java/Termination.java"
line = 47
begin = 8
end = 13

[K_10]
file = "HOME/tests/java/Termination.java"
line = 52
begin = 15
end = 18

[K_6]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 25
end = 33

[K_8]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 20
end = 33

[K_3]
file = "HOME/tests/java/Termination.java"
line = 43
begin = 17
end = 20

[K_14]
file = "HOME/tests/java/Termination.java"
line = 37
begin = 18
end = 19

[K_5]
file = "HOME/tests/java/Termination.java"
line = 46
begin = 16
end = 28

[K_7]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 20
end = 26

[K_16]
file = "HOME/tests/java/Termination.java"
line = 38
begin = 8
end = 13

========== jessie execution ==========
Generating Why function Termination_loop2
Generating Why function Termination_loop3
Generating Why function Termination_loop1
Generating Why function cons_Termination
========== file tests/java/Termination.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Termination.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Termination.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Termination_why.sx

project: why/Termination.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Termination_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Termination_why.vo

coq/Termination_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Termination_why.v: why/Termination.why
	@echo 'why -coq [...] why/Termination.why' && $(WHY) $(JESSIELIBFILES) why/Termination.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Termination_ctx_why.vo
	for f in why/*_po*.why; do make -f Termination.makefile coq/`basename $$f .why`_why.v ; done

coq/Termination_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Termination_ctx_why.v: why/Termination_ctx.why
	@echo 'why -coq [...] why/Termination_ctx.why' && $(WHY) why/Termination_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Termination_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Termination_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Termination_ctx_why.vo

pvs: pvs/Termination_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Termination_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Termination_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Termination_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Termination_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Termination_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Termination_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Termination_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Termination_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Termination_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Termination_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Termination_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Termination_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Termination_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Termination_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Termination.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Termination_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Termination.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Termination.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Termination.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Termination.depend

depend: coq/Termination_why.v
	-$(COQDEP) -I coq coq/Termination*_why.v > Termination.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Termination.loc ==========
[JC_73]
file = "HOME/tests/java/Termination.jc"
line = 78
begin = 3
end = 137

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 20
end = 26

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 25
end = 33

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[Termination_loop2_safety]
name = "Method loop2"
behavior = "Safety"
file = "HOME/tests/java/Termination.java"
line = 41
begin = 9
end = 14

[JC_31]
file = "HOME/tests/java/Termination.java"
line = 42
begin = 18
end = 23

[JC_17]
file = "HOME/tests/java/Termination.jc"
line = 37
begin = 11
end = 65

[Termination_loop3_ensures_default]
name = "Method loop3"
behavior = "default behavior"
file = "HOME/tests/java/Termination.java"
line = 47
begin = 8
end = 13

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/java/Termination.jc"
line = 63
begin = 9
end = 213

[JC_48]
file = "HOME/tests/java/Termination.jc"
line = 63
begin = 9
end = 213

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/Termination.jc"
line = 78
begin = 3
end = 137

[JC_9]
file = "HOME/tests/java/Termination.jc"
line = 35
begin = 8
end = 23

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Termination_safety]
name = "Constructor of class Termination"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/Termination.java"
line = 46
begin = 16
end = 28

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 25
end = 33

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[Termination_loop3_safety]
name = "Method loop3"
behavior = "Safety"
file = "HOME/tests/java/Termination.java"
line = 47
begin = 8
end = 13

[JC_11]
file = "HOME/tests/java/Termination.jc"
line = 35
begin = 8
end = 23

[JC_70]
file = "HOME/tests/java/Termination.java"
line = 37
begin = 5
end = 20

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/Termination.java"
line = 47
begin = 8
end = 13

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/java/Termination.java"
line = 46
begin = 16
end = 28

[JC_35]
file = "HOME/tests/java/Termination.jc"
line = 46
begin = 3
end = 149

[JC_27]
file = "HOME/tests/java/Termination.java"
line = 42
begin = 5
end = 24

[JC_69]
file = "HOME/tests/java/Termination.java"
line = 37
begin = 18
end = 19

[JC_38]
file = "HOME/tests/java/Termination.java"
line = 47
begin = 8
end = 13

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 20
end = 26

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 20
end = 33

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Termination.java"
line = 42
begin = 5
end = 24

[JC_56]
file = "HOME/tests/java/Termination.jc"
line = 63
begin = 9
end = 213

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/Termination.java"
line = 37
begin = 5
end = 20

[Termination_loop2_ensures_default]
name = "Method loop2"
behavior = "default behavior"
file = "HOME/tests/java/Termination.java"
line = 41
begin = 9
end = 14

[JC_29]
file = "HOME/tests/java/Termination.jc"
line = 46
begin = 3
end = 149

[JC_68]
file = "HOME/tests/java/Termination.jc"
line = 78
begin = 3
end = 137

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[Termination_loop1_safety]
name = "Method loop1"
behavior = "Safety"
file = "HOME/tests/java/Termination.java"
line = 36
begin = 9
end = 14

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/java/Termination.jc"
line = 46
begin = 3
end = 149

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/java/Termination.java"
line = 49
begin = 20
end = 33

[JC_21]
file = "HOME/tests/java/Termination.java"
line = 41
begin = 9
end = 14

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/java/Termination.jc"
line = 63
begin = 9
end = 213

[JC_1]
file = "HOME/tests/java/Termination.jc"
line = 10
begin = 12
end = 22

[Termination_loop1_ensures_default]
name = "Method loop1"
behavior = "default behavior"
file = "HOME/tests/java/Termination.java"
line = 36
begin = 9
end = 14

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Termination_ensures_default]
name = "Constructor of class Termination"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/Termination.java"
line = 36
begin = 9
end = 14

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/tests/java/Termination.java"
line = 36
begin = 9
end = 14

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Termination.jc"
line = 37
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Termination.jc"
line = 10
begin = 12
end = 22

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/tests/java/Termination.jc"
line = 78
begin = 3
end = 137

[JC_19]
file = "HOME/tests/java/Termination.java"
line = 41
begin = 9
end = 14

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/Termination.java"
line = 50
begin = 18
end = 19

[JC_30]
file = "HOME/tests/java/Termination.jc"
line = 46
begin = 3
end = 149

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Termination.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Termination_tag:  -> Object tag_id

axiom Termination_parenttag_Object : parenttag(Termination_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Termination(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Termination(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Termination(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Termination(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

parameter Termination_loop1 :
 this_2:Object pointer -> n:int -> { } unit reads Object_alloc_table { true }

parameter Termination_loop1_requires :
 this_2:Object pointer -> n:int -> { } unit reads Object_alloc_table { true }

parameter Termination_loop2 :
 this_1:Object pointer ->
  n_0:int -> { } unit reads Object_alloc_table { true }

parameter Termination_loop2_requires :
 this_1:Object pointer ->
  n_0:int -> { } unit reads Object_alloc_table { true }

parameter Termination_loop3 :
 this_0:Object pointer ->
  { } int reads Object_alloc_table { (JC_41: (result = (0))) }

parameter Termination_loop3_requires :
 this_0:Object pointer ->
  { } int reads Object_alloc_table { (JC_41: (result = (0))) }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Termination :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Termination(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Termination_tag)))) }

parameter alloc_struct_Termination_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Termination(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Termination_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Termination :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Termination_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Termination_loop1_ensures_default =
 fun (this_2 : Object pointer) (n : int) ->
  { valid_struct_Termination(this_2, (0), (0), Object_alloc_table) }
  (let mutable_n = ref n in
  (init:
  try
   begin
     try
      (loop_6:
      while true do
      { invariant (JC_70: (true = true))  }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_16: ((gt_int_ !mutable_n) (0)))
           then
            (let _jessie_ =
            (K_15:
            (let _jessie_ = !mutable_n in
            begin
              (let _jessie_ = (mutable_n := ((sub_int _jessie_) (1))) in
              void); _jessie_ end)) in void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end; (raise Return) end with Return ->
   void end)) { (JC_61: true) }

let Termination_loop1_safety =
 fun (this_2 : Object pointer) (n : int) ->
  { valid_struct_Termination(this_2, (0), (0), Object_alloc_table) }
  (let mutable_n = ref n in
  (init:
  try
   begin
     try
      (loop_5:
      while true do
      { invariant (JC_67: true) variant (JC_69 : mutable_n) }
       begin
         [ { } unit { (JC_65: (true = true)) } ];
        try
         begin
           (if (K_16: ((gt_int_ !mutable_n) (0)))
           then
            (let _jessie_ =
            (K_15:
            (let _jessie_ = !mutable_n in
            begin
              (let _jessie_ = (mutable_n := ((sub_int _jessie_) (1))) in
              void); _jessie_ end)) in void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end; (raise Return) end with Return ->
   void end)) { true }

let Termination_loop2_ensures_default =
 fun (this_1 : Object pointer) (n_0 : int) ->
  { valid_struct_Termination(this_1, (0), (0), Object_alloc_table) }
  (let mutable_n_0 = ref n_0 in
  (init:
  try
   begin
     try
      (loop_2:
      while true do
      { invariant (JC_32: (true = true))  }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_4: ((lt_int_ !mutable_n_0) (100)))
           then
            (let _jessie_ =
            (K_3:
            (let _jessie_ = !mutable_n_0 in
            begin
              (let _jessie_ = (mutable_n_0 := ((add_int _jessie_) (1))) in
              void); _jessie_ end)) in void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end; (raise Return) end with Return ->
   void end)) { (JC_23: true) }

let Termination_loop2_safety =
 fun (this_1 : Object pointer) (n_0 : int) ->
  { valid_struct_Termination(this_1, (0), (0), Object_alloc_table) }
  (let mutable_n_0 = ref n_0 in
  (init:
  try
   begin
     try
      (loop_1:
      while true do
      { invariant (JC_29: true)
        variant (JC_31 : sub_int((100), mutable_n_0)) }
       begin
         [ { } unit { (JC_27: (true = true)) } ];
        try
         begin
           (if (K_4: ((lt_int_ !mutable_n_0) (100)))
           then
            (let _jessie_ =
            (K_3:
            (let _jessie_ = !mutable_n_0 in
            begin
              (let _jessie_ = (mutable_n_0 := ((add_int _jessie_) (1))) in
              void); _jessie_ end)) in void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end; (raise Return) end with Return ->
   void end)) { true }

let Termination_loop3_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Termination(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let i = ref (K_12: (100)) in
     begin
       try
        (loop_4:
        while true do
        { invariant
            (JC_53: ((JC_51: le_int((0), i)) and (JC_52: le_int(i, (100)))))
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_11: ((gt_int_ !i) (0)))
             then
              (let _jessie_ =
              (K_10:
              (let _jessie_ = !i in
              begin
                (let _jessie_ = (i := ((sub_int _jessie_) (1))) in void);
               _jessie_ end)) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !i); (raise Return)
     end); absurd  end with Return -> !return end))
  { (JC_40: (result = (0))) }

let Termination_loop3_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Termination(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let i = ref (K_12: (100)) in
     begin
       try
        (loop_3:
        while true do
        { invariant (JC_48: true) variant (JC_50 : i) }
         begin
           [ { } unit reads i
             { (JC_46:
               ((JC_44: le_int((0), i)) and (JC_45: le_int(i, (100))))) } ];
          try
           begin
             (if (K_11: ((gt_int_ !i) (0)))
             then
              (let _jessie_ =
              (K_10:
              (let _jessie_ = !i in
              begin
                (let _jessie_ = (i := ((sub_int _jessie_) (1))) in void);
               _jessie_ end)) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !i); (raise Return)
     end); absurd  end with Return -> !return end)) { true }

let cons_Termination_ensures_default =
 fun (this_3 : Object pointer) ->
  { valid_struct_Termination(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_78: true) }

let cons_Termination_safety =
 fun (this_3 : Object pointer) ->
  { valid_struct_Termination(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Termination.why
========== file tests/java/why/Termination.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/Termination_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Termination_tag : Object tag_id

axiom Termination_parenttag_Object: parenttag(Termination_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Termination(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Termination(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Termination(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Termination(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Termination_po1.why ==========
goal Termination_loop1_safety_po_1:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_2, 0, 0, Object_alloc_table) ->
  forall mutable_n:int.
  ("JC_67": true) ->
  ("JC_65": (true = true)) ->
  (mutable_n > 0) ->
  forall mutable_n0:int.
  (mutable_n0 = (mutable_n - 1)) ->
  (0 <= ("JC_69": mutable_n))

========== file tests/java/why/Termination_po10.why ==========
goal Termination_loop3_safety_po_1:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  forall i:int.
  ("JC_48": true) ->
  ("JC_46": (("JC_44": (0 <= i)) and ("JC_45": (i <= 100)))) ->
  (i > 0) ->
  forall i0:int.
  (i0 = (i - 1)) ->
  (0 <= ("JC_50": i))

========== file tests/java/why/Termination_po11.why ==========
goal Termination_loop3_safety_po_2:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  forall i:int.
  ("JC_48": true) ->
  ("JC_46": (("JC_44": (0 <= i)) and ("JC_45": (i <= 100)))) ->
  (i > 0) ->
  forall i0:int.
  (i0 = (i - 1)) ->
  (("JC_50": i0) < ("JC_50": i))

========== file tests/java/why/Termination_po2.why ==========
goal Termination_loop1_safety_po_2:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_2, 0, 0, Object_alloc_table) ->
  forall mutable_n:int.
  ("JC_67": true) ->
  ("JC_65": (true = true)) ->
  (mutable_n > 0) ->
  forall mutable_n0:int.
  (mutable_n0 = (mutable_n - 1)) ->
  (("JC_69": mutable_n0) < ("JC_69": mutable_n))

========== file tests/java/why/Termination_po3.why ==========
goal Termination_loop2_safety_po_1:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_1, 0, 0, Object_alloc_table) ->
  forall mutable_n_0:int.
  ("JC_29": true) ->
  ("JC_27": (true = true)) ->
  (mutable_n_0 < 100) ->
  forall mutable_n_0_0:int.
  (mutable_n_0_0 = (mutable_n_0 + 1)) ->
  (0 <= ("JC_31": (100 - mutable_n_0)))

========== file tests/java/why/Termination_po4.why ==========
goal Termination_loop2_safety_po_2:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_1, 0, 0, Object_alloc_table) ->
  forall mutable_n_0:int.
  ("JC_29": true) ->
  ("JC_27": (true = true)) ->
  (mutable_n_0 < 100) ->
  forall mutable_n_0_0:int.
  (mutable_n_0_0 = (mutable_n_0 + 1)) ->
  (("JC_31": (100 - mutable_n_0_0)) < ("JC_31": (100 - mutable_n_0)))

========== file tests/java/why/Termination_po5.why ==========
goal Termination_loop3_ensures_default_po_1:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  ("JC_53": ("JC_51": (0 <= 100)))

========== file tests/java/why/Termination_po6.why ==========
goal Termination_loop3_ensures_default_po_2:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  ("JC_53": ("JC_52": (100 <= 100)))

========== file tests/java/why/Termination_po7.why ==========
goal Termination_loop3_ensures_default_po_3:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  forall i:int.
  ("JC_53": (("JC_51": (0 <= i)) and ("JC_52": (i <= 100)))) ->
  (i > 0) ->
  forall i0:int.
  (i0 = (i - 1)) ->
  ("JC_53": ("JC_51": (0 <= i0)))

========== file tests/java/why/Termination_po8.why ==========
goal Termination_loop3_ensures_default_po_4:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  forall i:int.
  ("JC_53": (("JC_51": (0 <= i)) and ("JC_52": (i <= 100)))) ->
  (i > 0) ->
  forall i0:int.
  (i0 = (i - 1)) ->
  ("JC_53": ("JC_52": (i0 <= 100)))

========== file tests/java/why/Termination_po9.why ==========
goal Termination_loop3_ensures_default_po_5:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  forall i:int.
  ("JC_53": (("JC_51": (0 <= i)) and ("JC_52": (i <= 100)))) ->
  (i <= 0) ->
  forall return:int.
  (return = i) ->
  ("JC_40": (return = 0))

========== generation of Simplify VC output ==========
why -simplify [...] why/Termination.why
========== file tests/java/simplify/Termination_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Termination_parenttag_Object
 (EQ (parenttag Termination_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Termination p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Termination p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Termination p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Termination p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Termination_loop1_safety_po_1, File "HOME/tests/java/Termination.java", line 37, characters 18-19
(FORALL (this_2)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Termination this_2 0 0 Object_alloc_table)
(FORALL (mutable_n)
(IMPLIES TRUE
(IMPLIES (EQ |@true| |@true|)
(IMPLIES (> mutable_n 0)
(FORALL (mutable_n0)
(IMPLIES (EQ mutable_n0 (- mutable_n 1)) (<= 0 mutable_n))))))))))

;; Termination_loop1_safety_po_2, File "HOME/tests/java/Termination.java", line 37, characters 18-19
(FORALL (this_2)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Termination this_2 0 0 Object_alloc_table)
(FORALL (mutable_n)
(IMPLIES TRUE
(IMPLIES (EQ |@true| |@true|)
(IMPLIES (> mutable_n 0)
(FORALL (mutable_n0)
(IMPLIES (EQ mutable_n0 (- mutable_n 1)) (< mutable_n0 mutable_n))))))))))

;; Termination_loop2_safety_po_1, File "HOME/tests/java/Termination.java", line 42, characters 18-23
(FORALL (this_1)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Termination this_1 0 0 Object_alloc_table)
(FORALL (mutable_n_0)
(IMPLIES TRUE
(IMPLIES (EQ |@true| |@true|)
(IMPLIES (< mutable_n_0 100)
(FORALL (mutable_n_0_0)
(IMPLIES (EQ mutable_n_0_0 (+ mutable_n_0 1)) (<= 0 (- 100 mutable_n_0)))))))))))

;; Termination_loop2_safety_po_2, File "HOME/tests/java/Termination.java", line 42, characters 18-23
(FORALL (this_1)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Termination this_1 0 0 Object_alloc_table)
(FORALL (mutable_n_0)
(IMPLIES TRUE
(IMPLIES (EQ |@true| |@true|)
(IMPLIES (< mutable_n_0 100)
(FORALL (mutable_n_0_0)
(IMPLIES (EQ mutable_n_0_0 (+ mutable_n_0 1))
(< (- 100 mutable_n_0_0) (- 100 mutable_n_0)))))))))))

;; Termination_loop3_ensures_default_po_1, File "HOME/tests/java/Termination.java", line 49, characters 20-26
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Termination this_0 0 0 Object_alloc_table) (<= 0 100))))

;; Termination_loop3_ensures_default_po_2, File "HOME/tests/java/Termination.java", line 49, characters 25-33
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Termination this_0 0 0 Object_alloc_table)
(<= 100 100))))

;; Termination_loop3_ensures_default_po_3, File "HOME/tests/java/Termination.java", line 49, characters 20-26
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Termination this_0 0 0 Object_alloc_table)
(FORALL (i)
(IMPLIES (AND (<= 0 i) (<= i 100))
(IMPLIES (> i 0) (FORALL (i0) (IMPLIES (EQ i0 (- i 1)) (<= 0 i0)))))))))

;; Termination_loop3_ensures_default_po_4, File "HOME/tests/java/Termination.java", line 49, characters 25-33
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Termination this_0 0 0 Object_alloc_table)
(FORALL (i)
(IMPLIES (AND (<= 0 i) (<= i 100))
(IMPLIES (> i 0) (FORALL (i0) (IMPLIES (EQ i0 (- i 1)) (<= i0 100)))))))))

;; Termination_loop3_ensures_default_po_5, File "HOME/tests/java/Termination.java", line 46, characters 16-28
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Termination this_0 0 0 Object_alloc_table)
(FORALL (i)
(IMPLIES (AND (<= 0 i) (<= i 100))
(IMPLIES (<= i 0) (FORALL (return) (IMPLIES (EQ return i) (EQ return 0)))))))))

;; Termination_loop3_safety_po_1, File "HOME/tests/java/Termination.java", line 50, characters 18-19
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Termination this_0 0 0 Object_alloc_table)
(FORALL (i)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i) (<= i 100))
(IMPLIES (> i 0) (FORALL (i0) (IMPLIES (EQ i0 (- i 1)) (<= 0 i))))))))))

;; Termination_loop3_safety_po_2, File "HOME/tests/java/Termination.java", line 50, characters 18-19
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Termination this_0 0 0 Object_alloc_table)
(FORALL (i)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i) (<= i 100))
(IMPLIES (> i 0) (FORALL (i0) (IMPLIES (EQ i0 (- i 1)) (< i0 i))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Termination_why.sx   : ........... (11/0/0/0/0)
total   :  11
valid   :  11 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Termination.why
========== file tests/java/why/Termination_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Termination_tag : Object tag_id

axiom Termination_parenttag_Object: parenttag(Termination_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Termination(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Termination(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Termination(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Termination(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Termination_loop1_safety_po_1:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_2, 0, 0, Object_alloc_table) ->
  forall mutable_n:int.
  ("JC_67": true) ->
  ("JC_65": (true = true)) ->
  (mutable_n > 0) ->
  forall mutable_n0:int.
  (mutable_n0 = (mutable_n - 1)) ->
  (0 <= ("JC_69": mutable_n))

goal Termination_loop1_safety_po_2:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_2, 0, 0, Object_alloc_table) ->
  forall mutable_n:int.
  ("JC_67": true) ->
  ("JC_65": (true = true)) ->
  (mutable_n > 0) ->
  forall mutable_n0:int.
  (mutable_n0 = (mutable_n - 1)) ->
  (("JC_69": mutable_n0) < ("JC_69": mutable_n))

goal Termination_loop2_safety_po_1:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_1, 0, 0, Object_alloc_table) ->
  forall mutable_n_0:int.
  ("JC_29": true) ->
  ("JC_27": (true = true)) ->
  (mutable_n_0 < 100) ->
  forall mutable_n_0_0:int.
  (mutable_n_0_0 = (mutable_n_0 + 1)) ->
  (0 <= ("JC_31": (100 - mutable_n_0)))

goal Termination_loop2_safety_po_2:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_1, 0, 0, Object_alloc_table) ->
  forall mutable_n_0:int.
  ("JC_29": true) ->
  ("JC_27": (true = true)) ->
  (mutable_n_0 < 100) ->
  forall mutable_n_0_0:int.
  (mutable_n_0_0 = (mutable_n_0 + 1)) ->
  (("JC_31": (100 - mutable_n_0_0)) < ("JC_31": (100 - mutable_n_0)))

goal Termination_loop3_ensures_default_po_1:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  ("JC_53": ("JC_51": (0 <= 100)))

goal Termination_loop3_ensures_default_po_2:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  ("JC_53": ("JC_52": (100 <= 100)))

goal Termination_loop3_ensures_default_po_3:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  forall i:int.
  ("JC_53": (("JC_51": (0 <= i)) and ("JC_52": (i <= 100)))) ->
  (i > 0) ->
  forall i0:int.
  (i0 = (i - 1)) ->
  ("JC_53": ("JC_51": (0 <= i0)))

goal Termination_loop3_ensures_default_po_4:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  forall i:int.
  ("JC_53": (("JC_51": (0 <= i)) and ("JC_52": (i <= 100)))) ->
  (i > 0) ->
  forall i0:int.
  (i0 = (i - 1)) ->
  ("JC_53": ("JC_52": (i0 <= 100)))

goal Termination_loop3_ensures_default_po_5:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  forall i:int.
  ("JC_53": (("JC_51": (0 <= i)) and ("JC_52": (i <= 100)))) ->
  (i <= 0) ->
  forall return:int.
  (return = i) ->
  ("JC_40": (return = 0))

goal Termination_loop3_safety_po_1:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  forall i:int.
  ("JC_48": true) ->
  ("JC_46": (("JC_44": (0 <= i)) and ("JC_45": (i <= 100)))) ->
  (i > 0) ->
  forall i0:int.
  (i0 = (i - 1)) ->
  (0 <= ("JC_50": i))

goal Termination_loop3_safety_po_2:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Termination(this_0, 0, 0, Object_alloc_table) ->
  forall i:int.
  ("JC_48": true) ->
  ("JC_46": (("JC_44": (0 <= i)) and ("JC_45": (i <= 100)))) ->
  (i > 0) ->
  forall i0:int.
  (i0 = (i - 1)) ->
  (("JC_50": i0) < ("JC_50": i))

why-2.34/tests/java/oracle/Fibonacci.res.oracle0000644000175000017500000051050612311670312020010 0ustar  rtusers========== file tests/java/Fibonacci.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNCOQ: will ask regtests to check Coq proofs of this program

// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no

/*@ inductive isfib(integer x, integer r) {
  @  case isfib0: isfib(0,0);
  @  case isfib1: isfib(1,1);
  @  case isfibn: 
  @   \forall integer n r p; 
  @     n >= 2 && isfib(n-2,r) && isfib(n-1,p) ==> isfib(n,p+r);
  @ }
  @*/ 

//@ lemma isfib_2_1 : isfib(2,1);
//@ lemma isfib_6_8 : isfib(6,8);

// provable only if def is inductive (least fix point)
//@ lemma not_isfib_2_2 : ! isfib(2,2);

public class Fibonacci {

    /*@ requires n >= 0;
      @ ensures isfib(n, \result); 
      @*/
    public static long Fib(int n) {
	long y=0, x=1, aux;

	/*@ loop_invariant 0 <= i <= n && isfib(i+1,x) && isfib(i,y);
	  @ loop_variant n-i;
	  @*/
	for(int i=0; i < n; i++) {
	    aux = y;
	    y = x;
	    x = x + aux;
	}
	return y;
    }
}

/*
Local Variables:
compile-command: "make Fibonacci.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Fibonacci for constructor Fibonacci
Generating JC function Fibonacci_Fib for method Fibonacci.Fib
Done.
========== file tests/java/Fibonacci.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Fibonacci = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate isfib(integer x, integer r) {
case isfib0: isfib(0, 0);
  
  case isfib1: isfib(1, 1);
  
  case isfibn: (\forall integer n;
                 (\forall integer r_0;
                   (\forall integer p;
                     ((((n >= 2) && isfib((n - 2), r_0)) &&
                        isfib((n - 1), p)) ==>
                       isfib(n, (p + r_0))))));
  
}

lemma isfib_2_1 :
isfib(2, 1)

lemma isfib_6_8 :
isfib(6, 8)

lemma not_isfib_2_2 :
(! isfib(2, 2))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Fibonacci(! Fibonacci[0] this_0){()}

integer Fibonacci_Fib(integer n_0)
  requires (K_2 : (n_0 >= 0));
behavior default:
  ensures (K_1 : isfib(n_0, \result));
{  
   {  
      (var integer y = (K_16 : 0));
      
      {  
         (var integer x_0 = (K_15 : 1));
         
         {  
            (var integer aux);
            
            {  
               {  
                  {  
                     (var integer i = (K_3 : 0));
                     
                     loop 
                     behavior default:
                       invariant (K_10 : ((K_9 : ((K_8 : ((K_7 : (0 <= i)) &&
                                                           (K_6 : (i <= n_0)))) &&
                                                   (K_5 : isfib((i + 1), x_0)))) &&
                                           (K_4 : isfib(i, y))));
                     
                     variant (K_11 : (n_0 - i));
                     for ( ; (K_14 : (i < n_0)) ; (K_13 : (i ++)))
                     {  
                        {  (aux = y);
                           (y = x_0);
                           (x_0 = (K_12 : (x_0 + aux)))
                        }
                     }
                  }
               };
               
               (return y)
            }
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Fibonacci.jloc tests/java/Fibonacci.jc && make -f tests/java/Fibonacci.makefile gui"
End:
*/
========== file tests/java/Fibonacci.jloc ==========
[K_11]
file = "HOME/tests/java/Fibonacci.java"
line = 61
begin = 18
end = 21

[K_13]
file = "HOME/tests/java/Fibonacci.java"
line = 63
begin = 21
end = 24

[K_9]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 20
end = 47

[K_1]
file = "HOME/tests/java/Fibonacci.java"
line = 55
begin = 16
end = 33

[K_15]
file = "HOME/tests/java/Fibonacci.java"
line = 58
begin = 13
end = 14

[K_4]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 51
end = 61

[K_12]
file = "HOME/tests/java/Fibonacci.java"
line = 66
begin = 9
end = 16

[cons_Fibonacci]
name = "Constructor of class Fibonacci"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_2]
file = "HOME/tests/java/Fibonacci.java"
line = 54
begin = 17
end = 23

[K_10]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 20
end = 61

[K_6]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 25
end = 31

[K_8]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 20
end = 31

[K_3]
file = "HOME/tests/java/Fibonacci.java"
line = 63
begin = 11
end = 12

[isfib_2_1]
name = "Lemma isfib_2_1"
file = "HOME/tests/java/Fibonacci.java"
line = 46
begin = 10
end = 19

[K_14]
file = "HOME/tests/java/Fibonacci.java"
line = 63
begin = 14
end = 19

[not_isfib_2_2]
name = "Lemma not_isfib_2_2"
file = "HOME/tests/java/Fibonacci.java"
line = 50
begin = 10
end = 23

[isfib_6_8]
name = "Lemma isfib_6_8"
file = "HOME/tests/java/Fibonacci.java"
line = 47
begin = 10
end = 19

[K_5]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 35
end = 47

[K_7]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 20
end = 26

[Fibonacci_Fib]
name = "Method Fib"
file = "HOME/tests/java/Fibonacci.java"
line = 57
begin = 23
end = 26

[K_16]
file = "HOME/tests/java/Fibonacci.java"
line = 58
begin = 8
end = 9

========== jessie execution ==========
Generating Why function cons_Fibonacci
Generating Why function Fibonacci_Fib
========== file tests/java/Fibonacci.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Fibonacci.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Fibonacci.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Fibonacci_why.sx

project: why/Fibonacci.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Fibonacci_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Fibonacci_why.vo

coq/Fibonacci_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Fibonacci_why.v: why/Fibonacci.why
	@echo 'why -coq [...] why/Fibonacci.why' && $(WHY) $(JESSIELIBFILES) why/Fibonacci.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Fibonacci_ctx_why.vo
	for f in why/*_po*.why; do make -f Fibonacci.makefile coq/`basename $$f .why`_why.v ; done

coq/Fibonacci_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Fibonacci_ctx_why.v: why/Fibonacci_ctx.why
	@echo 'why -coq [...] why/Fibonacci_ctx.why' && $(WHY) why/Fibonacci_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Fibonacci_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Fibonacci_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Fibonacci_ctx_why.vo

pvs: pvs/Fibonacci_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Fibonacci_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Fibonacci_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Fibonacci_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Fibonacci_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Fibonacci_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Fibonacci_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Fibonacci_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Fibonacci_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Fibonacci_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Fibonacci_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Fibonacci_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Fibonacci_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Fibonacci_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Fibonacci_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Fibonacci.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Fibonacci_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Fibonacci.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Fibonacci.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Fibonacci.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Fibonacci.depend

depend: coq/Fibonacci_why.v
	-$(COQDEP) -I coq coq/Fibonacci*_why.v > Fibonacci.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Fibonacci.loc ==========
[JC_51]
file = "HOME/tests/java/Fibonacci.jc"
line = 88
begin = 21
end = 720

[JC_45]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 25
end = 31

[JC_31]
file = "HOME/tests/java/Fibonacci.java"
line = 55
begin = 16
end = 33

[JC_17]
file = "HOME/tests/java/Fibonacci.jc"
line = 37
begin = 11
end = 65

[JC_48]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 20
end = 61

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Fibonacci.jc"
line = 35
begin = 8
end = 23

[Fibonacci_Fib_safety]
name = "Method Fib"
behavior = "Safety"
file = "HOME/tests/java/Fibonacci.java"
line = 57
begin = 23
end = 26

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/Fibonacci.jc"
line = 88
begin = 21
end = 720

[JC_47]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 51
end = 61

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Fibonacci.jc"
line = 35
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 25
end = 31

[JC_39]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 20
end = 61

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 20
end = 26

[JC_27]
file = "HOME/tests/java/Fibonacci.java"
line = 54
begin = 17
end = 23

[JC_38]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 51
end = 61

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 20
end = 26

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[isfib_2_1]
name = "Lemma isfib_2_1"
behavior = "lemma"
file = "HOME/tests/java/Fibonacci.java"
line = 46
begin = 10
end = 19

[Fibonacci_Fib_ensures_default]
name = "Method Fib"
behavior = "default behavior"
file = "HOME/tests/java/Fibonacci.java"
line = 57
begin = 23
end = 26

[JC_42]
file = "HOME/tests/java/Fibonacci.jc"
line = 88
begin = 21
end = 720

[JC_46]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 35
end = 47

[JC_32]
file = "HOME/tests/java/Fibonacci.java"
line = 55
begin = 16
end = 33

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Fibonacci.java"
line = 54
begin = 17
end = 23

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/Fibonacci.java"
line = 61
begin = 18
end = 21

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[not_isfib_2_2]
name = "Lemma not_isfib_2_2"
behavior = "lemma"
file = "HOME/tests/java/Fibonacci.java"
line = 50
begin = 10
end = 23

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Fibonacci.jc"
line = 10
begin = 12
end = 22

[cons_Fibonacci_safety]
name = "Constructor of class Fibonacci"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[isfib_6_8]
name = "Lemma isfib_6_8"
behavior = "lemma"
file = "HOME/tests/java/Fibonacci.java"
line = 47
begin = 10
end = 19

[JC_37]
file = "HOME/tests/java/Fibonacci.java"
line = 60
begin = 35
end = 47

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Fibonacci.jc"
line = 37
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Fibonacci.jc"
line = 10
begin = 12
end = 22

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/Fibonacci.jc"
line = 88
begin = 21
end = 720

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Fibonacci_ensures_default]
name = "Constructor of class Fibonacci"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Fibonacci.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Fibonacci_tag:  -> Object tag_id

axiom Fibonacci_parenttag_Object : parenttag(Fibonacci_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

inductive isfib: int, int -> prop =
 | isfib0: isfib((0), (0))
 | isfib1: isfib((1), (1))
 | isfibn: (forall n:int.
            (forall r_0:int.
             (forall p:int.
              ((ge_int(n, (2))
               and (isfib(sub_int(n, (2)), r_0)
                   and isfib(sub_int(n, (1)), p))) ->
               isfib(n, add_int(p, r_0))))))
 
predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Fibonacci(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Fibonacci(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Fibonacci(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Fibonacci(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

lemma isfib_2_1 : isfib((2), (1))

lemma isfib_6_8 : isfib((6), (8))

lemma not_isfib_2_2 : (not isfib((2), (2)))

exception Exception_exc of Object pointer

parameter Fibonacci_Fib : n_0:int -> { } int { (JC_32: isfib(n_0, result)) }

parameter Fibonacci_Fib_requires :
 n_0:int -> { (JC_27: ge_int(n_0, (0)))} int { (JC_32: isfib(n_0, result)) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Fibonacci :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fibonacci(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fibonacci_tag)))) }

parameter alloc_struct_Fibonacci_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fibonacci(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fibonacci_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Fibonacci :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Fibonacci_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Fibonacci_Fib_ensures_default =
 fun (n_0 : int) ->
  { (JC_29: ge_int(n_0, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let y = ref (K_16: (0)) in
     (let x_0_0 = ref (K_15: (1)) in
     (let aux = ref (any_int void) in
     begin
       (let i = ref (K_3: (0)) in
       try
        (loop_2:
        while true do
        { invariant
            (JC_48:
            ((JC_44: le_int((0), i))
            and ((JC_45: le_int(i, n_0))
                and ((JC_46: isfib(add_int(i, (1)), x_0_0))
                    and (JC_47: isfib(i, y))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_14: ((lt_int_ !i) n_0))
             then
              (let _jessie_ =
              begin
                (let _jessie_ = (aux := !y) in void);
               (let _jessie_ = (y := !x_0_0) in void);
               (x_0_0 := (K_12: ((add_int !x_0_0) !aux))); !x_0_0 end in
              void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_13:
           (let _jessie_ = !i in
           begin
             (let _jessie_ = (i := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !y); (raise Return)
     end))); absurd  end with Return -> !return end))
  { (JC_31: isfib(n_0, result)) }

let Fibonacci_Fib_safety =
 fun (n_0 : int) ->
  { (JC_29: ge_int(n_0, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let y = ref (K_16: (0)) in
     (let x_0_0 = ref (K_15: (1)) in
     (let aux = ref (any_int void) in
     begin
       (let i = ref (K_3: (0)) in
       try
        (loop_1:
        while true do
        { invariant (JC_41: true) variant (JC_43 : sub_int(n_0, i)) }
         begin
           [ { } unit reads i,x_0_0,y
             { (JC_39:
               ((JC_35: le_int((0), i))
               and ((JC_36: le_int(i, n_0))
                   and ((JC_37: isfib(add_int(i, (1)), x_0_0))
                       and (JC_38: isfib(i, y)))))) } ];
          try
           begin
             (if (K_14: ((lt_int_ !i) n_0))
             then
              (let _jessie_ =
              begin
                (let _jessie_ = (aux := !y) in void);
               (let _jessie_ = (y := !x_0_0) in void);
               (x_0_0 := (K_12: ((add_int !x_0_0) !aux))); !x_0_0 end in
              void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_13:
           (let _jessie_ = !i in
           begin
             (let _jessie_ = (i := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !y); (raise Return)
     end))); absurd  end with Return -> !return end)) { true }

let cons_Fibonacci_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Fibonacci(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_Fibonacci_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Fibonacci(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Fibonacci.why
========== file tests/java/why/Fibonacci.wpr ==========

  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  
  
    
  
  
    
  

========== file tests/java/why/Fibonacci_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Fibonacci_tag : Object tag_id

axiom Fibonacci_parenttag_Object: parenttag(Fibonacci_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

inductive isfib: int, int -> prop =
  | isfib0: isfib(0, 0)
  | isfib1: isfib(1, 1)
  | isfibn: (forall n:int.
              (forall r_0:int.
                (forall p:int.
                  (((n >= 2) and (isfib((n - 2), r_0) and isfib((n - 1), p))) ->
                   isfib(n, (p + r_0))))))



predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Fibonacci(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Fibonacci(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Fibonacci(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Fibonacci(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Fibonacci_po1.why ==========
lemma isfib_2_1:
  isfib(2, 1)

========== file tests/java/why/Fibonacci_po10.why ==========
goal Fibonacci_Fib_ensures_default_po_7:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_48":
  (("JC_44": (0 <= i)) and
   (("JC_45": (i <= n_0)) and
    (("JC_46": isfib((i + 1), x_0_0)) and ("JC_47": isfib(i, y)))))) ->
  (i < n_0) ->
  forall aux:int.
  (aux = y) ->
  forall y0:int.
  (y0 = x_0_0) ->
  forall x_0_0_0:int.
  (x_0_0_0 = (x_0_0 + aux)) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_48": ("JC_46": isfib((i0 + 1), x_0_0_0)))

========== file tests/java/why/Fibonacci_po11.why ==========
goal Fibonacci_Fib_ensures_default_po_8:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_48":
  (("JC_44": (0 <= i)) and
   (("JC_45": (i <= n_0)) and
    (("JC_46": isfib((i + 1), x_0_0)) and ("JC_47": isfib(i, y)))))) ->
  (i < n_0) ->
  forall aux:int.
  (aux = y) ->
  forall y0:int.
  (y0 = x_0_0) ->
  forall x_0_0_0:int.
  (x_0_0_0 = (x_0_0 + aux)) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_48": ("JC_47": isfib(i0, y0)))

========== file tests/java/why/Fibonacci_po12.why ==========
goal Fibonacci_Fib_ensures_default_po_9:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_48":
  (("JC_44": (0 <= i)) and
   (("JC_45": (i <= n_0)) and
    (("JC_46": isfib((i + 1), x_0_0)) and ("JC_47": isfib(i, y)))))) ->
  (i >= n_0) ->
  forall return:int.
  (return = y) ->
  ("JC_31": isfib(n_0, return))

========== file tests/java/why/Fibonacci_po13.why ==========
goal Fibonacci_Fib_safety_po_1:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_41": true) ->
  ("JC_39":
  (("JC_35": (0 <= i)) and
   (("JC_36": (i <= n_0)) and
    (("JC_37": isfib((i + 1), x_0_0)) and ("JC_38": isfib(i, y)))))) ->
  (i < n_0) ->
  forall aux:int.
  (aux = y) ->
  forall y0:int.
  (y0 = x_0_0) ->
  forall x_0_0_0:int.
  (x_0_0_0 = (x_0_0 + aux)) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  (0 <= ("JC_43": (n_0 - i)))

========== file tests/java/why/Fibonacci_po14.why ==========
goal Fibonacci_Fib_safety_po_2:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_41": true) ->
  ("JC_39":
  (("JC_35": (0 <= i)) and
   (("JC_36": (i <= n_0)) and
    (("JC_37": isfib((i + 1), x_0_0)) and ("JC_38": isfib(i, y)))))) ->
  (i < n_0) ->
  forall aux:int.
  (aux = y) ->
  forall y0:int.
  (y0 = x_0_0) ->
  forall x_0_0_0:int.
  (x_0_0_0 = (x_0_0 + aux)) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  (("JC_43": (n_0 - i0)) < ("JC_43": (n_0 - i)))

========== file tests/java/why/Fibonacci_po2.why ==========
lemma isfib_6_8:
  isfib(6, 8)

========== file tests/java/why/Fibonacci_po3.why ==========
lemma not_isfib_2_2:
  (not isfib(2, 2))

========== file tests/java/why/Fibonacci_po4.why ==========
goal Fibonacci_Fib_ensures_default_po_1:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  ("JC_48": ("JC_44": (0 <= 0)))

========== file tests/java/why/Fibonacci_po5.why ==========
goal Fibonacci_Fib_ensures_default_po_2:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  ("JC_48": ("JC_45": (0 <= n_0)))

========== file tests/java/why/Fibonacci_po6.why ==========
goal Fibonacci_Fib_ensures_default_po_3:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  ("JC_48": ("JC_46": isfib((0 + 1), 1)))

========== file tests/java/why/Fibonacci_po7.why ==========
goal Fibonacci_Fib_ensures_default_po_4:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  ("JC_48": ("JC_47": isfib(0, 0)))

========== file tests/java/why/Fibonacci_po8.why ==========
goal Fibonacci_Fib_ensures_default_po_5:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_48":
  (("JC_44": (0 <= i)) and
   (("JC_45": (i <= n_0)) and
    (("JC_46": isfib((i + 1), x_0_0)) and ("JC_47": isfib(i, y)))))) ->
  (i < n_0) ->
  forall aux:int.
  (aux = y) ->
  forall y0:int.
  (y0 = x_0_0) ->
  forall x_0_0_0:int.
  (x_0_0_0 = (x_0_0 + aux)) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_48": ("JC_44": (0 <= i0)))

========== file tests/java/why/Fibonacci_po9.why ==========
goal Fibonacci_Fib_ensures_default_po_6:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_48":
  (("JC_44": (0 <= i)) and
   (("JC_45": (i <= n_0)) and
    (("JC_46": isfib((i + 1), x_0_0)) and ("JC_47": isfib(i, y)))))) ->
  (i < n_0) ->
  forall aux:int.
  (aux = y) ->
  forall y0:int.
  (y0 = x_0_0) ->
  forall x_0_0_0:int.
  (x_0_0_0 = (x_0_0 + aux)) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_48": ("JC_45": (i0 <= n_0)))

========== generation of Simplify VC output ==========
why -simplify [...] why/Fibonacci.why
========== file tests/java/simplify/Fibonacci_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Fibonacci_parenttag_Object
 (EQ (parenttag Fibonacci_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(BG_PUSH
 ;; Why axiom isfib_inversion
 (FORALL (aux_1 aux_2)
 (IMPLIES (EQ (isfib aux_1 aux_2) |@true|)
 (OR (AND (EQ aux_1 0) (EQ aux_2 0))
 (OR (AND (EQ aux_1 1) (EQ aux_2 1))
 (EXISTS (n)
 (EXISTS (r_0)
 (EXISTS (p)
 (AND
 (AND (>= n 2)
 (AND (EQ (isfib (- n 2) r_0) |@true|) (EQ (isfib (- n 1) p) |@true|)))
 (AND (EQ aux_1 n) (EQ aux_2 (+ p r_0))))))))))))

(BG_PUSH
 ;; Why axiom isfib0
 (EQ (isfib 0 0) |@true|))

(BG_PUSH
 ;; Why axiom isfib1
 (EQ (isfib 1 1) |@true|))

(BG_PUSH
 ;; Why axiom isfibn
 (FORALL (n r_0 p)
 (IMPLIES
 (AND (>= n 2)
 (AND (EQ (isfib (- n 2) r_0) |@true|) (EQ (isfib (- n 1) p) |@true|)))
 (EQ (isfib n (+ p r_0)) |@true|))))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Fibonacci p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Fibonacci p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Fibonacci p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Fibonacci p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; isfib_2_1, File "HOME/tests/java/Fibonacci.java", line 46, characters 10-19
(EQ (isfib 2 1) |@true|)

(BG_PUSH
 ;; lemma isfib_2_1 as axiom
(EQ (isfib 2 1) |@true|))

;; isfib_6_8, File "HOME/tests/java/Fibonacci.java", line 47, characters 10-19
(EQ (isfib 6 8) |@true|)

(BG_PUSH
 ;; lemma isfib_6_8 as axiom
(EQ (isfib 6 8) |@true|))

;; not_isfib_2_2, File "HOME/tests/java/Fibonacci.java", line 50, characters 10-23
(NOT (EQ (isfib 2 2) |@true|))

(BG_PUSH
 ;; lemma not_isfib_2_2 as axiom
(NOT (EQ (isfib 2 2) |@true|)))

;; Fibonacci_Fib_ensures_default_po_1, File "HOME/tests/java/Fibonacci.java", line 60, characters 20-26
(FORALL (n_0) (IMPLIES (>= n_0 0) (<= 0 0)))

;; Fibonacci_Fib_ensures_default_po_2, File "HOME/tests/java/Fibonacci.java", line 60, characters 25-31
(FORALL (n_0) (IMPLIES (>= n_0 0) (<= 0 n_0)))

;; Fibonacci_Fib_ensures_default_po_3, File "HOME/tests/java/Fibonacci.java", line 60, characters 35-47
(FORALL (n_0) (IMPLIES (>= n_0 0) (EQ (isfib (+ 0 1) 1) |@true|)))

;; Fibonacci_Fib_ensures_default_po_4, File "HOME/tests/java/Fibonacci.java", line 60, characters 51-61
(FORALL (n_0) (IMPLIES (>= n_0 0) (EQ (isfib 0 0) |@true|)))

;; Fibonacci_Fib_ensures_default_po_5, File "HOME/tests/java/Fibonacci.java", line 60, characters 20-26
(FORALL (n_0)
(IMPLIES (>= n_0 0)
(FORALL (i)
(FORALL (x_0_0)
(FORALL (y)
(IMPLIES (AND (<= 0 i)
         (AND (<= i n_0)
         (AND (EQ (isfib (+ i 1) x_0_0) |@true|) (EQ (isfib i y) |@true|))))
(IMPLIES (< i n_0)
(FORALL (aux)
(IMPLIES (EQ aux y)
(FORALL (y0)
(IMPLIES (EQ y0 x_0_0)
(FORALL (x_0_0_0)
(IMPLIES (EQ x_0_0_0 (+ x_0_0 aux))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= 0 i0))))))))))))))))

;; Fibonacci_Fib_ensures_default_po_6, File "HOME/tests/java/Fibonacci.java", line 60, characters 25-31
(FORALL (n_0)
(IMPLIES (>= n_0 0)
(FORALL (i)
(FORALL (x_0_0)
(FORALL (y)
(IMPLIES (AND (<= 0 i)
         (AND (<= i n_0)
         (AND (EQ (isfib (+ i 1) x_0_0) |@true|) (EQ (isfib i y) |@true|))))
(IMPLIES (< i n_0)
(FORALL (aux)
(IMPLIES (EQ aux y)
(FORALL (y0)
(IMPLIES (EQ y0 x_0_0)
(FORALL (x_0_0_0)
(IMPLIES (EQ x_0_0_0 (+ x_0_0 aux))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= i0 n_0))))))))))))))))

;; Fibonacci_Fib_ensures_default_po_7, File "HOME/tests/java/Fibonacci.java", line 60, characters 35-47
(FORALL (n_0)
(IMPLIES (>= n_0 0)
(FORALL (i)
(FORALL (x_0_0)
(FORALL (y)
(IMPLIES (AND (<= 0 i)
         (AND (<= i n_0)
         (AND (EQ (isfib (+ i 1) x_0_0) |@true|) (EQ (isfib i y) |@true|))))
(IMPLIES (< i n_0)
(FORALL (aux)
(IMPLIES (EQ aux y)
(FORALL (y0)
(IMPLIES (EQ y0 x_0_0)
(FORALL (x_0_0_0)
(IMPLIES (EQ x_0_0_0 (+ x_0_0 aux))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (EQ (isfib (+ i0 1) x_0_0_0) |@true|))))))))))))))))

;; Fibonacci_Fib_ensures_default_po_8, File "HOME/tests/java/Fibonacci.java", line 60, characters 51-61
(FORALL (n_0)
(IMPLIES (>= n_0 0)
(FORALL (i)
(FORALL (x_0_0)
(FORALL (y)
(IMPLIES (AND (<= 0 i)
         (AND (<= i n_0)
         (AND (EQ (isfib (+ i 1) x_0_0) |@true|) (EQ (isfib i y) |@true|))))
(IMPLIES (< i n_0)
(FORALL (aux)
(IMPLIES (EQ aux y)
(FORALL (y0)
(IMPLIES (EQ y0 x_0_0)
(FORALL (x_0_0_0)
(IMPLIES (EQ x_0_0_0 (+ x_0_0 aux))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (EQ (isfib i0 y0) |@true|))))))))))))))))

;; Fibonacci_Fib_ensures_default_po_9, File "HOME/tests/java/Fibonacci.java", line 55, characters 16-33
(FORALL (n_0)
(IMPLIES (>= n_0 0)
(FORALL (i)
(FORALL (x_0_0)
(FORALL (y)
(IMPLIES (AND (<= 0 i)
         (AND (<= i n_0)
         (AND (EQ (isfib (+ i 1) x_0_0) |@true|) (EQ (isfib i y) |@true|))))
(IMPLIES (>= i n_0)
(FORALL (return) (IMPLIES (EQ return y) (EQ (isfib n_0 return) |@true|))))))))))

;; Fibonacci_Fib_safety_po_1, File "HOME/tests/java/Fibonacci.java", line 61, characters 18-21
(FORALL (n_0)
(IMPLIES (>= n_0 0)
(FORALL (i)
(FORALL (x_0_0)
(FORALL (y)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i)
         (AND (<= i n_0)
         (AND (EQ (isfib (+ i 1) x_0_0) |@true|) (EQ (isfib i y) |@true|))))
(IMPLIES (< i n_0)
(FORALL (aux)
(IMPLIES (EQ aux y)
(FORALL (y0)
(IMPLIES (EQ y0 x_0_0)
(FORALL (x_0_0_0)
(IMPLIES (EQ x_0_0_0 (+ x_0_0 aux))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= 0 (- n_0 i))))))))))))))))))

;; Fibonacci_Fib_safety_po_2, File "HOME/tests/java/Fibonacci.java", line 61, characters 18-21
(FORALL (n_0)
(IMPLIES (>= n_0 0)
(FORALL (i)
(FORALL (x_0_0)
(FORALL (y)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i)
         (AND (<= i n_0)
         (AND (EQ (isfib (+ i 1) x_0_0) |@true|) (EQ (isfib i y) |@true|))))
(IMPLIES (< i n_0)
(FORALL (aux)
(IMPLIES (EQ aux y)
(FORALL (y0)
(IMPLIES (EQ y0 x_0_0)
(FORALL (x_0_0_0)
(IMPLIES (EQ x_0_0_0 (+ x_0_0 aux))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (< (- n_0 i0) (- n_0 i))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Fibonacci_why.sx     : ??............ (12/0/2/0/0)
total   :  14
valid   :  12 ( 86%)
invalid :   0 (  0%)
unknown :   2 ( 14%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Fibonacci.why
========== file tests/java/why/Fibonacci_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Fibonacci_tag : Object tag_id

axiom Fibonacci_parenttag_Object: parenttag(Fibonacci_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

logic isfib : int, int -> prop

axiom isfib_inversion:
  (forall aux_1:int.
    (forall aux_2:int [isfib(aux_1, aux_2)].
      (isfib(aux_1, aux_2) ->
       (((aux_1 = 0) and (aux_2 = 0)) or
        (((aux_1 = 1) and (aux_2 = 1)) or
         (exists n:int.
           (exists r_0:int.
             (exists p:int.
               (((n >= 2) and (isfib((n - 2), r_0) and isfib((n - 1), p))) and
                ((aux_1 = n) and (aux_2 = (p + r_0))))))))))))

axiom isfib0: isfib(0, 0)

axiom isfib1: isfib(1, 1)

axiom isfibn:
  (forall n:int.
    (forall r_0:int.
      (forall p:int.
        (((n >= 2) and (isfib((n - 2), r_0) and isfib((n - 1), p))) ->
         isfib(n, (p + r_0))))))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Fibonacci(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Fibonacci(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Fibonacci(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Fibonacci(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal isfib_2_1:
  isfib(2, 1)

axiom isfib_2_1_as_axiom:
  isfib(2, 1)

goal isfib_6_8:
  isfib(6, 8)

axiom isfib_6_8_as_axiom:
  isfib(6, 8)

goal not_isfib_2_2:
  (not isfib(2, 2))

axiom not_isfib_2_2_as_axiom:
  (not isfib(2, 2))

goal Fibonacci_Fib_ensures_default_po_1:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  ("JC_48": ("JC_44": (0 <= 0)))

goal Fibonacci_Fib_ensures_default_po_2:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  ("JC_48": ("JC_45": (0 <= n_0)))

goal Fibonacci_Fib_ensures_default_po_3:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  ("JC_48": ("JC_46": isfib((0 + 1), 1)))

goal Fibonacci_Fib_ensures_default_po_4:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  ("JC_48": ("JC_47": isfib(0, 0)))

goal Fibonacci_Fib_ensures_default_po_5:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_48":
  (("JC_44": (0 <= i)) and
   (("JC_45": (i <= n_0)) and
    (("JC_46": isfib((i + 1), x_0_0)) and ("JC_47": isfib(i, y)))))) ->
  (i < n_0) ->
  forall aux:int.
  (aux = y) ->
  forall y0:int.
  (y0 = x_0_0) ->
  forall x_0_0_0:int.
  (x_0_0_0 = (x_0_0 + aux)) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_48": ("JC_44": (0 <= i0)))

goal Fibonacci_Fib_ensures_default_po_6:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_48":
  (("JC_44": (0 <= i)) and
   (("JC_45": (i <= n_0)) and
    (("JC_46": isfib((i + 1), x_0_0)) and ("JC_47": isfib(i, y)))))) ->
  (i < n_0) ->
  forall aux:int.
  (aux = y) ->
  forall y0:int.
  (y0 = x_0_0) ->
  forall x_0_0_0:int.
  (x_0_0_0 = (x_0_0 + aux)) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_48": ("JC_45": (i0 <= n_0)))

goal Fibonacci_Fib_ensures_default_po_7:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_48":
  (("JC_44": (0 <= i)) and
   (("JC_45": (i <= n_0)) and
    (("JC_46": isfib((i + 1), x_0_0)) and ("JC_47": isfib(i, y)))))) ->
  (i < n_0) ->
  forall aux:int.
  (aux = y) ->
  forall y0:int.
  (y0 = x_0_0) ->
  forall x_0_0_0:int.
  (x_0_0_0 = (x_0_0 + aux)) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_48": ("JC_46": isfib((i0 + 1), x_0_0_0)))

goal Fibonacci_Fib_ensures_default_po_8:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_48":
  (("JC_44": (0 <= i)) and
   (("JC_45": (i <= n_0)) and
    (("JC_46": isfib((i + 1), x_0_0)) and ("JC_47": isfib(i, y)))))) ->
  (i < n_0) ->
  forall aux:int.
  (aux = y) ->
  forall y0:int.
  (y0 = x_0_0) ->
  forall x_0_0_0:int.
  (x_0_0_0 = (x_0_0 + aux)) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_48": ("JC_47": isfib(i0, y0)))

goal Fibonacci_Fib_ensures_default_po_9:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_48":
  (("JC_44": (0 <= i)) and
   (("JC_45": (i <= n_0)) and
    (("JC_46": isfib((i + 1), x_0_0)) and ("JC_47": isfib(i, y)))))) ->
  (i >= n_0) ->
  forall return:int.
  (return = y) ->
  ("JC_31": isfib(n_0, return))

goal Fibonacci_Fib_safety_po_1:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_41": true) ->
  ("JC_39":
  (("JC_35": (0 <= i)) and
   (("JC_36": (i <= n_0)) and
    (("JC_37": isfib((i + 1), x_0_0)) and ("JC_38": isfib(i, y)))))) ->
  (i < n_0) ->
  forall aux:int.
  (aux = y) ->
  forall y0:int.
  (y0 = x_0_0) ->
  forall x_0_0_0:int.
  (x_0_0_0 = (x_0_0 + aux)) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  (0 <= ("JC_43": (n_0 - i)))

goal Fibonacci_Fib_safety_po_2:
  forall n_0:int.
  ("JC_29": (n_0 >= 0)) ->
  forall i:int.
  forall x_0_0:int.
  forall y:int.
  ("JC_41": true) ->
  ("JC_39":
  (("JC_35": (0 <= i)) and
   (("JC_36": (i <= n_0)) and
    (("JC_37": isfib((i + 1), x_0_0)) and ("JC_38": isfib(i, y)))))) ->
  (i < n_0) ->
  forall aux:int.
  (aux = y) ->
  forall y0:int.
  (y0 = x_0_0) ->
  forall x_0_0_0:int.
  (x_0_0_0 = (x_0_0 + aux)) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  (("JC_43": (n_0 - i0)) < ("JC_43": (n_0 - i)))

// RUNCOQ: will ask regtests to check Coq proofs of this program
========== generation of Coq VC output ==========
why -coq [...] why/Fibonacci.why
========== file tests/java/coq/Fibonacci_why.v ==========
(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export jessie_why.

(*Why type*) Definition Object: Set.
Admitted.

(*Why type*) Definition interface: Set.
Admitted.

(*Why logic*) Definition Exception_tag : (tag_id Object).
Admitted.

(*Why logic*) Definition Object_tag : (tag_id Object).
Admitted.

(*Why axiom*) Lemma Exception_parenttag_Object :
  (parenttag Exception_tag Object_tag).
Admitted.

(*Why logic*) Definition Fibonacci_tag : (tag_id Object).
Admitted.

(*Why axiom*) Lemma Fibonacci_parenttag_Object :
  (parenttag Fibonacci_tag Object_tag).
Admitted.

(*Why predicate*) Definition Non_null_Object  (x_0:(pointer Object)) (Object_alloc_table:(alloc_table Object))
  := (offset_max Object_alloc_table x_0) >= 0.

(*Why axiom*) Lemma Object_int : (int_of_tag Object_tag) = 1.
Admitted.

(*Why logic*) Definition Object_of_pointer_address :
  (pointer unit) -> (pointer Object).
Admitted.

(*Why axiom*) Lemma Object_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer Object)),
   p = (Object_of_pointer_address (pointer_address p))).
Admitted.

(*Why axiom*) Lemma Object_parenttag_bottom :
  (parenttag Object_tag (@bottom_tag Object)).
Admitted.

(*Why axiom*) Lemma Object_tags :
  (forall (x:(pointer Object)),
   (forall (Object_tag_table:(tag_table Object)),
    (instanceof Object_tag_table x Object_tag))).
Admitted.

(*Why logic*) Definition String_tag : (tag_id Object).
Admitted.

(*Why axiom*) Lemma String_parenttag_Object :
  (parenttag String_tag Object_tag).
Admitted.

(*Why logic*) Definition Throwable_tag : (tag_id Object).
Admitted.

(*Why axiom*) Lemma Throwable_parenttag_Object :
  (parenttag Throwable_tag Object_tag).
Admitted.


(*Why logic*) Definition interface_tag : (tag_id interface).
Admitted.

(*Why axiom*) Lemma interface_int : (int_of_tag interface_tag) = 1.
Admitted.

(*Why logic*) Definition interface_of_pointer_address :
  (pointer unit) -> (pointer interface).
Admitted.

(*Why axiom*) Lemma interface_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer interface)),
   p = (interface_of_pointer_address (pointer_address p))).
Admitted.

(*Why axiom*) Lemma interface_parenttag_bottom :
  (parenttag interface_tag (@bottom_tag interface)).
Admitted.

(*Why axiom*) Lemma interface_tags :
  (forall (x:(pointer interface)),
   (forall (interface_tag_table:(tag_table interface)),
    (instanceof interface_tag_table x interface_tag))).
Admitted.

(*Why inductive*) Inductive isfib  : Z -> Z -> Prop 
  := | isfib0 : (isfib 0 0)
     
     | isfib1 : (isfib 1 1)
     
     | isfibn : (forall (n:Z),
                 (forall (r_0:Z),
                  (forall (p:Z),
                   (n >= 2 /\ (isfib (n - 2) r_0) /\ (isfib (n - 1) p) ->
                    (isfib n (p + r_0))))))
     .

(*Why predicate*) Definition left_valid_struct_Object  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_Exception  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (left_valid_struct_Object p a Object_alloc_table).

(*Why predicate*) Definition left_valid_struct_Fibonacci  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (left_valid_struct_Object p a Object_alloc_table).

(*Why predicate*) Definition left_valid_struct_String  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (left_valid_struct_Object p a Object_alloc_table).

(*Why predicate*) Definition left_valid_struct_Throwable  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (left_valid_struct_Object p a Object_alloc_table).

(*Why predicate*) Definition left_valid_struct_interface  (p:(pointer interface)) (a:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) <= a.

(*Why axiom*) Lemma pointer_addr_of_Object_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (Object_of_pointer_address p))).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_interface_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (interface_of_pointer_address p))).
Admitted.

(*Why predicate*) Definition right_valid_struct_Object  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_max Object_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_Exception  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (right_valid_struct_Object p b Object_alloc_table).

(*Why predicate*) Definition right_valid_struct_Fibonacci  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (right_valid_struct_Object p b Object_alloc_table).

(*Why predicate*) Definition right_valid_struct_String  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (right_valid_struct_Object p b Object_alloc_table).

(*Why predicate*) Definition right_valid_struct_Throwable  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (right_valid_struct_Object p b Object_alloc_table).

(*Why predicate*) Definition right_valid_struct_interface  (p:(pointer interface)) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_max interface_alloc_table p) >= b.

(*Why predicate*) Definition strict_valid_root_Object  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) = a /\
     (offset_max Object_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_interface  (p:(pointer interface)) (a:Z) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) = a /\
     (offset_max interface_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_Object  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) = a /\
     (offset_max Object_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_Exception  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (strict_valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition strict_valid_struct_Fibonacci  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (strict_valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition strict_valid_struct_String  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (strict_valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition strict_valid_struct_Throwable  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (strict_valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition strict_valid_struct_interface  (p:(pointer interface)) (a:Z) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) = a /\
     (offset_max interface_alloc_table p) = b.







(*Why predicate*) Definition valid_root_Object  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) <= a /\
     (offset_max Object_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_interface  (p:(pointer interface)) (a:Z) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) <= a /\
     (offset_max interface_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_Object  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) <= a /\
     (offset_max Object_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_Exception  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition valid_struct_Fibonacci  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition valid_struct_String  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition valid_struct_Throwable  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition valid_struct_interface  (p:(pointer interface)) (a:Z) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) <= a /\
     (offset_max interface_alloc_table p) >= b.

(* Why obligation from file "Fibonacci.java", line 46, characters 10-19: *)
(*Why goal*) Lemma isfib_2_1 : 
  (isfib 2 1).
Proof.
apply isfibn with (r_0:=0) (p:=1); intuition.
apply isfib0.
apply isfib1.
Save.

(* Why obligation from file "Fibonacci.java", line 47, characters 10-19: *)
(*Why goal*) Lemma isfib_6_8 : 
  (isfib 6 8).
Proof.
assert (isfib3: isfib 3 2).
apply isfibn with (r_0:=1) (p:=1); intuition.
apply isfib1.
apply isfib_2_1.
assert (isfib4: isfib 4 3).
apply isfibn with (r_0:=1) (p:=2); intuition.
apply isfib_2_1.
assert (isfib5: isfib 5 5).
apply isfibn with (r_0:=2) (p:=3); intuition.
apply isfibn with (r_0:=3) (p:=5); intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 50, characters 10-23: *)
(*Why goal*) Lemma not_isfib_2_2 : 
  ~(isfib 2 2).
Proof.
intro h; inversion h; intuition.
replace (p + r_0 - (p + r_0)) with 0 in H1 by omega.
inversion H1; auto with zarith.
assert (p=2) by omega.
subst.
replace (2 + 0 - 1) with 1 in H4 by omega.
inversion H4; auto with zarith.
Save.




































(* Why obligation from file "Fibonacci.java", line 60, characters 20-26: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_1 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  (* JC_48 *) (* JC_44 *) 0 <= 0.
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 25-31: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_2 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  (* JC_48 *) (* JC_45 *) 0 <= n_0.
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 35-47: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_3 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  (* JC_48 *) (* JC_46 *) (isfib (0 + 1) 1).
Proof.
intros; apply isfib1.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 51-61: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_4 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  (* JC_48 *) (* JC_47 *) (isfib 0 0).
Proof.
intros; apply isfib0.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 20-26: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_5 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  (* JC_48 *) (* JC_44 *) 0 <= i0.
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 25-31: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_6 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  (* JC_48 *) (* JC_45 *) i0 <= n_0.
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 35-47: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_7 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  (* JC_48 *) (* JC_46 *) (isfib (i0 + 1) x_0_0_0).
Proof.
intuition;subst; auto.
apply isfibn; intuition.
replace (i+1+1-2) with i; auto with zarith.
replace (i+1+1-1) with (i+1); auto with zarith.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 51-61: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_8 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  (* JC_48 *) (* JC_47 *) (isfib i0 y0).
Proof.
intuition; subst; auto.
Save.

(* Why obligation from file "Fibonacci.java", line 55, characters 16-33: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_9 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_11: i >= n_0),
  forall (why__return: Z),
  forall (HW_12: why__return = y),
  (* JC_31 *) (isfib n_0 why__return).
Proof.
intuition.
assert (i=n_0) by omega.
subst; auto.
Save.

(* Why obligation from file "Fibonacci.java", line 61, characters 18-21: *)
(*Why goal*) Lemma Fibonacci_Fib_safety_po_1 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_41 *) True),
  forall (HW_5: (* JC_39 *) ((* JC_35 *) 0 <= i /\ (* JC_36 *) i <= n_0 /\
                (* JC_37 *) (isfib (i + 1) x_0_0) /\ (* JC_38 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  0 <= ((* JC_43 *) (n_0 - i)).
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 61, characters 18-21: *)
(*Why goal*) Lemma Fibonacci_Fib_safety_po_2 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_41 *) True),
  forall (HW_5: (* JC_39 *) ((* JC_35 *) 0 <= i /\ (* JC_36 *) i <= n_0 /\
                (* JC_37 *) (isfib (i + 1) x_0_0) /\ (* JC_38 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  ((* JC_43 *) (n_0 - i0)) < ((* JC_43 *) (n_0 - i)).
Proof.
intuition.
Save.

========== running Coq ==========
why-2.34/tests/java/oracle/AllZeros.res.oracle0000644000175000017500000065145012311670312017672 0ustar  rtusers========== file tests/java/AllZeros.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class AllZeros {

    static int should_not_be_proved(int t[]) {
	return t.length;

    }


    /*@ requires t != null;
      @ ensures \result <==> 
      @      \forall integer i; 0 <= i < t.length ==> t[i] == 0; 
      @*/
    static boolean all_zeros(int t[]) {
	/*@ loop_invariant 
	  @  0 <= k <= t.length && 
	  @  \forall integer i; 0 <= i < k ==> t[i] == 0;
	  @ loop_variant t.length - k;
	  @*/
	for (int k = 0; k < t.length; k++) 
	    if (t[k] != 0) 
		return false;
	return true;
    }
}

/*
Local Variables:
compile-command: "make AllZeros.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function AllZeros_all_zeros for method AllZeros.all_zeros
Generating JC function cons_AllZeros for constructor AllZeros
Generating JC function AllZeros_should_not_be_proved for method AllZeros.should_not_be_proved
Done.
========== file tests/java/AllZeros.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag AllZeros = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

boolean AllZeros_all_zeros(intM[0..] t_0)
  requires (K_2 : Non_null_intM(t_0));
behavior default:
  ensures (K_1 : (\result <==>
                   (\forall integer i;
                     (((0 <= i) && (i < (\offset_max(t_0) + 1))) ==>
                       ((t_0 + i).intP == 0)))));
{  
   {  
      {  
         (var int32 k = (K_3 : 0));
         
         loop 
         behavior default:
           invariant (K_8 : ((K_7 : ((K_6 : (0 <= k)) &&
                                      (K_5 : (k <= (\offset_max(t_0) + 1))))) &&
                              (K_4 : (\forall integer i_0;
                                       (((0 <= i_0) && (i_0 < k)) ==>
                                         ((t_0 + i_0).intP == 0))))));
         
         variant (K_9 : ((\offset_max(t_0) + 1) - k));
         for ( ; (K_14 : (k < (K_13 : java_array_length_intM(t_0)))) ; 
         (K_12 : (k ++)))
         {  (if (K_11 : ((K_10 : (t_0 + k).intP) != 0)) then 
            (return false) else ())
         }
      }
   };
   
   (return true)
}

unit cons_AllZeros(! AllZeros[0] this_0){()}

int32 AllZeros_should_not_be_proved(intM[0..] t)
{  
   (return (K_15 : java_array_length_intM(t)))
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/AllZeros.jloc tests/java/AllZeros.jc && make -f tests/java/AllZeros.makefile gui"
End:
*/
========== file tests/java/AllZeros.jloc ==========
[K_11]
file = "HOME/tests/java/AllZeros.java"
line = 51
begin = 9
end = 18

[K_13]
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 21
end = 29

[AllZeros_all_zeros]
name = "Method all_zeros"
file = "HOME/tests/java/AllZeros.java"
line = 44
begin = 19
end = 28

[K_9]
file = "HOME/tests/java/AllZeros.java"
line = 48
begin = 18
end = 30

[K_1]
file = "HOME/tests/java/AllZeros.java"
line = 41
begin = 16
end = 93

[AllZeros_should_not_be_proved]
name = "Method should_not_be_proved"
file = "HOME/tests/java/AllZeros.java"
line = 34
begin = 15
end = 35

[K_15]
file = "HOME/tests/java/AllZeros.java"
line = 35
begin = 8
end = 16

[K_4]
file = "HOME/tests/java/AllZeros.java"
line = 47
begin = 6
end = 49

[K_12]
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 31
end = 34

[K_2]
file = "HOME/tests/java/AllZeros.java"
line = 40
begin = 17
end = 26

[K_10]
file = "HOME/tests/java/AllZeros.java"
line = 51
begin = 9
end = 13

[K_6]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 12

[K_8]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 78

[K_3]
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 14
end = 15

[K_14]
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 17
end = 29

[K_5]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 11
end = 24

[K_7]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 24

[cons_AllZeros]
name = "Constructor of class AllZeros"
file = "HOME/"
line = 0
begin = -1
end = -1

========== jessie execution ==========
Generating Why function AllZeros_all_zeros
Generating Why function cons_AllZeros
Generating Why function AllZeros_should_not_be_proved
========== file tests/java/AllZeros.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs AllZeros.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs AllZeros.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/AllZeros_why.sx

project: why/AllZeros.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/AllZeros_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/AllZeros_why.vo

coq/AllZeros_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/AllZeros_why.v: why/AllZeros.why
	@echo 'why -coq [...] why/AllZeros.why' && $(WHY) $(JESSIELIBFILES) why/AllZeros.why && rm -f coq/jessie_why.v

coq-goals: goals coq/AllZeros_ctx_why.vo
	for f in why/*_po*.why; do make -f AllZeros.makefile coq/`basename $$f .why`_why.v ; done

coq/AllZeros_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/AllZeros_ctx_why.v: why/AllZeros_ctx.why
	@echo 'why -coq [...] why/AllZeros_ctx.why' && $(WHY) why/AllZeros_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export AllZeros_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/AllZeros_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/AllZeros_ctx_why.vo

pvs: pvs/AllZeros_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/AllZeros_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/AllZeros_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/AllZeros_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/AllZeros_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/AllZeros_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/AllZeros_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/AllZeros_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/AllZeros_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/AllZeros_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/AllZeros_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/AllZeros_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/AllZeros_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/AllZeros_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/AllZeros_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: AllZeros.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/AllZeros_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: AllZeros.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: AllZeros.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: AllZeros.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include AllZeros.depend

depend: coq/AllZeros_why.v
	-$(COQDEP) -I coq coq/AllZeros*_why.v > AllZeros.depend

clean:
	rm -f coq/*.vo

========== file tests/java/AllZeros.loc ==========
[cons_AllZeros_ensures_default]
name = "Constructor of class AllZeros"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/tests/java/AllZeros.jc"
line = 86
begin = 9
end = 651

[JC_85]
kind = ArithOverflow
file = "HOME/tests/java/AllZeros.java"
line = 35
begin = 8
end = 16

[JC_31]
file = "HOME/tests/java/AllZeros.jc"
line = 65
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
kind = IndexBounds
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 21
end = 29

[JC_48]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 11
end = 24

[JC_23]
file = "HOME/tests/java/AllZeros.jc"
line = 61
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/AllZeros.jc"
line = 52
begin = 8
end = 21

[JC_75]
file = "HOME/tests/java/AllZeros.java"
line = 34
begin = 15
end = 35

[JC_24]
file = "HOME/tests/java/AllZeros.jc"
line = 60
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/AllZeros.jc"
line = 61
begin = 11
end = 103

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/AllZeros.java"
line = 40
begin = 17
end = 26

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 12

[JC_52]
file = "HOME/tests/java/AllZeros.jc"
line = 86
begin = 9
end = 651

[JC_26]
file = "HOME/tests/java/AllZeros.jc"
line = 60
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
kind = UserCall
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 21
end = 29

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/AllZeros.jc"
line = 55
begin = 11
end = 66

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/AllZeros.jc"
line = 52
begin = 8
end = 21

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/AllZeros.jc"
line = 55
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/AllZeros.java"
line = 40
begin = 17
end = 26

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_AllZeros_safety]
name = "Constructor of class AllZeros"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
kind = UserCall
file = "HOME/tests/java/AllZeros.java"
line = 35
begin = 8
end = 16

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/java/AllZeros.jc"
line = 67
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/AllZeros.java"
line = 41
begin = 16
end = 93

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[AllZeros_should_not_be_proved_ensures_default]
name = "Method should_not_be_proved"
behavior = "default behavior"
file = "HOME/tests/java/AllZeros.java"
line = 34
begin = 15
end = 35

[JC_62]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 78

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/AllZeros.java"
line = 47
begin = 6
end = 49

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
kind = PointerDeref
file = "HOME/tests/java/AllZeros.java"
line = 51
begin = 9
end = 13

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/AllZeros.jc"
line = 86
begin = 9
end = 651

[JC_29]
file = "HOME/tests/java/AllZeros.jc"
line = 65
begin = 8
end = 23

[AllZeros_all_zeros_ensures_default]
name = "Method all_zeros"
behavior = "default behavior"
file = "HOME/tests/java/AllZeros.java"
line = 44
begin = 19
end = 28

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/AllZeros.jc"
line = 54
begin = 10
end = 18

[JC_43]
file = "HOME/tests/java/AllZeros.java"
line = 41
begin = 16
end = 93

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
kind = IndexBounds
file = "HOME/tests/java/AllZeros.java"
line = 35
begin = 8
end = 16

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/AllZeros.jc"
line = 54
begin = 10
end = 18

[JC_53]
file = "HOME/tests/java/AllZeros.jc"
line = 86
begin = 9
end = 651

[JC_21]
file = "HOME/tests/java/AllZeros.jc"
line = 58
begin = 8
end = 30

[JC_77]
file = "HOME/tests/java/AllZeros.java"
line = 34
begin = 15
end = 35

[JC_49]
file = "HOME/tests/java/AllZeros.java"
line = 47
begin = 6
end = 49

[JC_1]
file = "HOME/tests/java/AllZeros.jc"
line = 23
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/AllZeros.jc"
line = 67
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
kind = ArithOverflow
file = "HOME/tests/java/AllZeros.jc"
line = 96
begin = 18
end = 22

[AllZeros_should_not_be_proved_safety]
name = "Method should_not_be_proved"
behavior = "Safety"
file = "HOME/tests/java/AllZeros.java"
line = 34
begin = 15
end = 35

[JC_66]
kind = UserCall
file = "HOME/tests/java/AllZeros.java"
line = 50
begin = 21
end = 29

[JC_59]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 12

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/AllZeros.jc"
line = 23
begin = 12
end = 22

[JC_86]
kind = UserCall
file = "HOME/tests/java/AllZeros.java"
line = 35
begin = 8
end = 16

[JC_60]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 11
end = 24

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/AllZeros.jc"
line = 58
begin = 8
end = 30

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/AllZeros.java"
line = 46
begin = 6
end = 78

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[AllZeros_all_zeros_safety]
name = "Method all_zeros"
behavior = "Safety"
file = "HOME/tests/java/AllZeros.java"
line = 44
begin = 19
end = 28

[JC_58]
file = "HOME/tests/java/AllZeros.java"
line = 48
begin = 18
end = 30

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/AllZeros.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic AllZeros_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom AllZeros_parenttag_Object : parenttag(AllZeros_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_AllZeros(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_AllZeros(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_AllZeros(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_AllZeros(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Object_alloc_table : Object alloc_table ref

parameter intM_intP : (Object, int32) memory ref

parameter AllZeros_all_zeros :
 t_0:Object pointer ->
  { } bool reads Object_alloc_table,intM_intP
  { (JC_44:
    ((result = true)
    <-> (forall i:int.
         ((le_int((0), i)
          and lt_int(i, add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
          (integer_of_int32(select(intM_intP, shift(t_0, i))) = (0)))))) }

parameter AllZeros_all_zeros_requires :
 t_0:Object pointer ->
  { (JC_39: Non_null_intM(t_0, Object_alloc_table))} bool
  reads Object_alloc_table,intM_intP
  { (JC_44:
    ((result = true)
    <-> (forall i:int.
         ((le_int((0), i)
          and lt_int(i, add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
          (integer_of_int32(select(intM_intP, shift(t_0, i))) = (0)))))) }

parameter AllZeros_should_not_be_proved :
 t:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter AllZeros_should_not_be_proved_requires :
 t:Object pointer -> { } int32 reads Object_alloc_table { true }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_AllZeros :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_AllZeros(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, AllZeros_tag)))) }

parameter alloc_struct_AllZeros_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_AllZeros(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, AllZeros_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_AllZeros :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_AllZeros_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let AllZeros_all_zeros_ensures_default =
 fun (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_41: Non_null_intM(t_0, Object_alloc_table))) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (let k = ref (safe_int32_of_integer_ (K_3: (0))) in
     try
      (loop_2:
      while true do
      { invariant
          (JC_62:
          ((JC_59: le_int((0), integer_of_int32(k)))
          and ((JC_60:
               le_int(integer_of_int32(k),
               add_int(offset_max(Object_alloc_table, t_0), (1))))
              and (JC_61:
                  (forall i_0:int.
                   ((le_int((0), i_0) and lt_int(i_0, integer_of_int32(k))) ->
                    (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = (0))))))))
         }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_14:
               ((lt_int_ (integer_of_int32 !k)) (K_13:
                                                (let _jessie_ = t_0 in
                                                (JC_66:
                                                (java_array_length_intM _jessie_))))))
           then
            (if (K_11:
                ((neq_int_ (integer_of_int32 (K_10:
                                             ((safe_acc_ !intM_intP) 
                                              ((shift t_0) (integer_of_int32 !k)))))) (0)))
            then begin   (return := false); (raise Return) end else void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_12:
         (let _jessie_ = !k in
         begin
           (let _jessie_ =
           (k := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
           void); _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (return := true); (raise Return);
    absurd  end with Return -> !return end))
  { (JC_43:
    ((result = true)
    <-> (forall i:int.
         ((le_int((0), i)
          and lt_int(i, add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
          (integer_of_int32(select(intM_intP, shift(t_0, i))) = (0)))))) }

let AllZeros_all_zeros_safety =
 fun (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_41: Non_null_intM(t_0, Object_alloc_table))) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (let k = ref (safe_int32_of_integer_ (K_3: (0))) in
     try
      (loop_1:
      while true do
      { invariant (JC_52: true)
        variant (JC_58 : sub_int(add_int(offset_max(Object_alloc_table, t_0),
                                 (1)),
                         integer_of_int32(k))) }
       begin
         [ { } unit reads Object_alloc_table,intM_intP,k
           { (JC_50:
             ((JC_47: le_int((0), integer_of_int32(k)))
             and ((JC_48:
                  le_int(integer_of_int32(k),
                  add_int(offset_max(Object_alloc_table, t_0), (1))))
                 and (JC_49:
                     (forall i_0:int.
                      ((le_int((0), i_0)
                       and lt_int(i_0, integer_of_int32(k))) ->
                       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = (0)))))))) } ];
        try
         begin
           (if (K_14:
               ((lt_int_ (integer_of_int32 !k)) (K_13:
                                                (let _jessie_ = t_0 in
                                                (JC_55:
                                                (assert
                                                { ge_int(offset_max(Object_alloc_table,
                                                         _jessie_),
                                                  (-1)) };
                                                (JC_54:
                                                (java_array_length_intM_requires _jessie_))))))))
           then
            (if (K_11:
                ((neq_int_ (integer_of_int32 (K_10:
                                             (JC_56:
                                             ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) 
                                              (integer_of_int32 !k)))))) (0)))
            then begin   (return := false); (raise Return) end else void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_12:
         (let _jessie_ = !k in
         begin
           (let _jessie_ =
           (k := (JC_57:
                 (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
           void); _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (return := true); (raise Return);
    absurd  end with Return -> !return end)) { true }

let AllZeros_should_not_be_proved_ensures_default =
 fun (t : Object pointer) ->
  { left_valid_struct_intM(t, (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (return := (safe_int32_of_integer_ (K_15:
                                        (let _jessie_ = t in
                                        (JC_86:
                                        (java_array_length_intM _jessie_))))));
    (raise Return); absurd  end with Return -> !return end))
  { (JC_79: true) }

let AllZeros_should_not_be_proved_safety =
 fun (t : Object pointer) ->
  { left_valid_struct_intM(t, (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (return := (JC_85:
                (int32_of_integer_ (K_15:
                                   (let _jessie_ = t in
                                   (JC_84:
                                   (assert
                                   { ge_int(offset_max(Object_alloc_table,
                                            _jessie_),
                                     (-1)) };
                                   (JC_83:
                                   (java_array_length_intM_requires _jessie_)))))))));
    (raise Return); absurd  end with Return -> !return end)) { true }

let cons_AllZeros_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_AllZeros(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_71: true) }

let cons_AllZeros_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_AllZeros(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/AllZeros.why
========== file tests/java/why/AllZeros.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/AllZeros_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic AllZeros_tag : Object tag_id

logic Object_tag : Object tag_id

axiom AllZeros_parenttag_Object: parenttag(AllZeros_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_AllZeros(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_AllZeros(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_AllZeros(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_AllZeros(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/AllZeros_po1.why ==========
goal AllZeros_all_zeros_ensures_default_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  ("JC_62": ("JC_59": (0 <= integer_of_int32(result))))

========== file tests/java/why/AllZeros_po10.why ==========
goal AllZeros_all_zeros_ensures_default_po_10:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) >= result0) ->
  forall return:bool.
  (return = true) ->
  (forall i:int.
    (((0 <= i) and (i < (offset_max(Object_alloc_table, t_0) + 1))) ->
     (integer_of_int32(select(intM_intP, shift(t_0, i))) = 0))) ->
  ("JC_43": (return = true))

========== file tests/java/why/AllZeros_po11.why ==========
goal AllZeros_all_zeros_safety_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1))

========== file tests/java/why/AllZeros_po12.why ==========
goal AllZeros_all_zeros_safety_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  (offset_min(Object_alloc_table, t_0) <= integer_of_int32(k))

========== file tests/java/why/AllZeros_po13.why ==========
goal AllZeros_all_zeros_safety_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  (integer_of_int32(k) <= offset_max(Object_alloc_table, t_0))

========== file tests/java/why/AllZeros_po14.why ==========
goal AllZeros_all_zeros_safety_po_4:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(k)) and
   (integer_of_int32(k) <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  ((-2147483648) <= (integer_of_int32(k) + 1))

========== file tests/java/why/AllZeros_po15.why ==========
goal AllZeros_all_zeros_safety_po_5:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(k)) and
   (integer_of_int32(k) <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  ((integer_of_int32(k) + 1) <= 2147483647)

========== file tests/java/why/AllZeros_po16.why ==========
goal AllZeros_all_zeros_safety_po_6:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(k)) and
   (integer_of_int32(k) <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  (((-2147483648) <= (integer_of_int32(k) + 1)) and
   ((integer_of_int32(k) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(k) + 1)) ->
  forall k0:int32.
  (k0 = result2) ->
  (0 <= ("JC_58": ((offset_max(Object_alloc_table,
        t_0) + 1) - integer_of_int32(k))))

========== file tests/java/why/AllZeros_po17.why ==========
goal AllZeros_all_zeros_safety_po_7:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(k)) and
   (integer_of_int32(k) <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  (((-2147483648) <= (integer_of_int32(k) + 1)) and
   ((integer_of_int32(k) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(k) + 1)) ->
  forall k0:int32.
  (k0 = result2) ->
  (("JC_58": ((offset_max(Object_alloc_table,
   t_0) + 1) - integer_of_int32(k0))) < ("JC_58":
                                        ((offset_max(Object_alloc_table,
                                        t_0) + 1) - integer_of_int32(k))))

========== file tests/java/why/AllZeros_po18.why ==========
goal AllZeros_should_not_be_proved_safety_po_1:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_intM(t, 0, Object_alloc_table) ->
  (offset_max(Object_alloc_table, t) >= (-1))

========== file tests/java/why/AllZeros_po19.why ==========
goal AllZeros_should_not_be_proved_safety_po_2:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_intM(t, 0, Object_alloc_table) ->
  (offset_max(Object_alloc_table, t) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  ((-2147483648) <= result)

========== file tests/java/why/AllZeros_po2.why ==========
goal AllZeros_all_zeros_ensures_default_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  ("JC_62":
  ("JC_60": (integer_of_int32(result) <= (offset_max(Object_alloc_table,
  t_0) + 1))))

========== file tests/java/why/AllZeros_po3.why ==========
goal AllZeros_all_zeros_ensures_default_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_0:int.
  ((0 <= i_0) and (i_0 < integer_of_int32(result))) ->
  ("JC_62":
  ("JC_61": (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0)))

========== file tests/java/why/AllZeros_po4.why ==========
goal AllZeros_all_zeros_ensures_default_po_4:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall return:bool.
  (return = false) ->
  (return = true) ->
  forall i:int.
  ((0 <= i) and (i < (offset_max(Object_alloc_table, t_0) + 1))) ->
  ("JC_43": (integer_of_int32(select(intM_intP, shift(t_0, i))) = 0))

========== file tests/java/why/AllZeros_po5.why ==========
goal AllZeros_all_zeros_ensures_default_po_5:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall return:bool.
  (return = false) ->
  (forall i:int.
    (((0 <= i) and (i < (offset_max(Object_alloc_table, t_0) + 1))) ->
     (integer_of_int32(select(intM_intP, shift(t_0, i))) = 0))) ->
  ("JC_43": (return = true))

========== file tests/java/why/AllZeros_po6.why ==========
goal AllZeros_all_zeros_ensures_default_po_6:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(k) + 1)) ->
  forall k0:int32.
  (k0 = result2) ->
  ("JC_62": ("JC_59": (0 <= integer_of_int32(k0))))

========== file tests/java/why/AllZeros_po7.why ==========
goal AllZeros_all_zeros_ensures_default_po_7:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(k) + 1)) ->
  forall k0:int32.
  (k0 = result2) ->
  ("JC_62":
  ("JC_60": (integer_of_int32(k0) <= (offset_max(Object_alloc_table,
  t_0) + 1))))

========== file tests/java/why/AllZeros_po8.why ==========
goal AllZeros_all_zeros_ensures_default_po_8:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(k) + 1)) ->
  forall k0:int32.
  (k0 = result2) ->
  forall i_0:int.
  ((0 <= i_0) and (i_0 < integer_of_int32(k0))) ->
  ("JC_62":
  ("JC_61": (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0)))

========== file tests/java/why/AllZeros_po9.why ==========
goal AllZeros_all_zeros_ensures_default_po_9:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) >= result0) ->
  forall return:bool.
  (return = true) ->
  (return = true) ->
  forall i:int.
  ((0 <= i) and (i < (offset_max(Object_alloc_table, t_0) + 1))) ->
  ("JC_43": (integer_of_int32(select(intM_intP, shift(t_0, i))) = 0))

========== generation of Simplify VC output ==========
why -simplify [...] why/AllZeros.why
========== file tests/java/simplify/AllZeros_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom AllZeros_parenttag_Object
 (EQ (parenttag AllZeros_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_AllZeros p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_AllZeros p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_AllZeros p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_AllZeros p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; AllZeros_all_zeros_ensures_default_po_1, File "HOME/tests/java/AllZeros.java", line 46, characters 6-12
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0) (<= 0 (integer_of_int32 result)))))))

;; AllZeros_all_zeros_ensures_default_po_2, File "HOME/tests/java/AllZeros.java", line 46, characters 11-24
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(<= (integer_of_int32 result) (+ (offset_max Object_alloc_table t_0) 1)))))))

;; AllZeros_all_zeros_ensures_default_po_3, File "HOME/tests/java/AllZeros.java", line 47, characters 6-49
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_0)
(IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 result)))
(EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))))))

;; AllZeros_all_zeros_ensures_default_po_4, File "HOME/tests/java/AllZeros.java", line 41, characters 16-93
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 k) result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 (integer_of_int32 k))))
(IMPLIES (NEQ (integer_of_int32 result1) 0)
(FORALL (return)
(IMPLIES (EQ return |@false|)
(IMPLIES (EQ return |@true|)
(FORALL (i)
(IMPLIES (AND (<= 0 i) (< i (+ (offset_max Object_alloc_table t_0) 1)))
(EQ (integer_of_int32 (select intM_intP (shift t_0 i))) 0))))))))))))))))))))

;; AllZeros_all_zeros_ensures_default_po_5, File "HOME/tests/java/AllZeros.java", line 41, characters 16-93
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 k) result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 (integer_of_int32 k))))
(IMPLIES (NEQ (integer_of_int32 result1) 0)
(FORALL (return)
(IMPLIES (EQ return |@false|)
(IMPLIES (FORALL (i)
         (IMPLIES
         (AND (<= 0 i) (< i (+ (offset_max Object_alloc_table t_0) 1)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i))) 0)))
(EQ return |@true|))))))))))))))))))

;; AllZeros_all_zeros_ensures_default_po_6, File "HOME/tests/java/AllZeros.java", line 46, characters 6-12
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 k) result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 (integer_of_int32 k))))
(IMPLIES (EQ (integer_of_int32 result1) 0)
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (+ (integer_of_int32 k) 1))
(FORALL (k0) (IMPLIES (EQ k0 result2) (<= 0 (integer_of_int32 k0))))))))))))))))))))

;; AllZeros_all_zeros_ensures_default_po_7, File "HOME/tests/java/AllZeros.java", line 46, characters 11-24
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 k) result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 (integer_of_int32 k))))
(IMPLIES (EQ (integer_of_int32 result1) 0)
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (+ (integer_of_int32 k) 1))
(FORALL (k0)
(IMPLIES (EQ k0 result2)
(<= (integer_of_int32 k0) (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))

;; AllZeros_all_zeros_ensures_default_po_8, File "HOME/tests/java/AllZeros.java", line 47, characters 6-49
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 k) result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 (integer_of_int32 k))))
(IMPLIES (EQ (integer_of_int32 result1) 0)
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (+ (integer_of_int32 k) 1))
(FORALL (k0)
(IMPLIES (EQ k0 result2)
(FORALL (i_0)
(IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k0)))
(EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))))))))))))))))))

;; AllZeros_all_zeros_ensures_default_po_9, File "HOME/tests/java/AllZeros.java", line 41, characters 16-93
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 k) result0)
(FORALL (return)
(IMPLIES (EQ return |@true|)
(IMPLIES (EQ return |@true|)
(FORALL (i)
(IMPLIES (AND (<= 0 i) (< i (+ (offset_max Object_alloc_table t_0) 1)))
(EQ (integer_of_int32 (select intM_intP (shift t_0 i))) 0)))))))))))))))))

;; AllZeros_all_zeros_ensures_default_po_10, File "HOME/tests/java/AllZeros.java", line 41, characters 16-93
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 k) result0)
(FORALL (return)
(IMPLIES (EQ return |@true|)
(IMPLIES (FORALL (i)
         (IMPLIES
         (AND (<= 0 i) (< i (+ (offset_max Object_alloc_table t_0) 1)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i))) 0)))
(EQ return |@true|)))))))))))))))

;; AllZeros_all_zeros_safety_po_1, File "why/AllZeros.why", line 732, characters 50-212
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(>= (offset_max Object_alloc_table t_0) (- 0 1)))))))))))

;; AllZeros_all_zeros_safety_po_2, File "HOME/tests/java/AllZeros.java", line 51, characters 9-13
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 k) result0)
(<= (offset_min Object_alloc_table t_0) (integer_of_int32 k)))))))))))))))

;; AllZeros_all_zeros_safety_po_3, File "HOME/tests/java/AllZeros.java", line 51, characters 9-13
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 k) result0)
(<= (integer_of_int32 k) (offset_max Object_alloc_table t_0)))))))))))))))

;; AllZeros_all_zeros_safety_po_4, File "HOME/tests/java/AllZeros.jc", line 96, characters 18-22
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 k) result0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 k))
         (<= (integer_of_int32 k) (offset_max Object_alloc_table t_0)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 (integer_of_int32 k))))
(IMPLIES (EQ (integer_of_int32 result1) 0)
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 k) 1)))))))))))))))))))

;; AllZeros_all_zeros_safety_po_5, File "HOME/tests/java/AllZeros.jc", line 96, characters 18-22
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 k) result0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 k))
         (<= (integer_of_int32 k) (offset_max Object_alloc_table t_0)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 (integer_of_int32 k))))
(IMPLIES (EQ (integer_of_int32 result1) 0)
(<= (+ (integer_of_int32 k) 1) constant_too_large_2147483647))))))))))))))))))

;; AllZeros_all_zeros_safety_po_6, File "HOME/tests/java/AllZeros.java", line 48, characters 18-30
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 k) result0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 k))
         (<= (integer_of_int32 k) (offset_max Object_alloc_table t_0)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 (integer_of_int32 k))))
(IMPLIES (EQ (integer_of_int32 result1) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 k) 1))
         (<= (+ (integer_of_int32 k) 1) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (+ (integer_of_int32 k) 1))
(FORALL (k0)
(IMPLIES (EQ k0 result2)
(<= 0 (- (+ (offset_max Object_alloc_table t_0) 1) (integer_of_int32 k)))))))))))))))))))))))))

;; AllZeros_all_zeros_safety_po_7, File "HOME/tests/java/AllZeros.java", line 48, characters 18-30
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (k)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 k))
         (AND
         (<= (integer_of_int32 k) (+ (offset_max Object_alloc_table t_0) 1))
         (FORALL (i_0)
         (IMPLIES (AND (<= 0 i_0) (< i_0 (integer_of_int32 k)))
         (EQ (integer_of_int32 (select intM_intP (shift t_0 i_0))) 0)))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 k) result0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 k))
         (<= (integer_of_int32 k) (offset_max Object_alloc_table t_0)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 (integer_of_int32 k))))
(IMPLIES (EQ (integer_of_int32 result1) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 k) 1))
         (<= (+ (integer_of_int32 k) 1) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (+ (integer_of_int32 k) 1))
(FORALL (k0)
(IMPLIES (EQ k0 result2)
(< (- (+ (offset_max Object_alloc_table t_0) 1) (integer_of_int32 k0)) 
(- (+ (offset_max Object_alloc_table t_0) 1) (integer_of_int32 k)))))))))))))))))))))))))

;; AllZeros_should_not_be_proved_safety_po_1, File "why/AllZeros.why", line 784, characters 37-174
(FORALL (t)
(FORALL (Object_alloc_table)
(IMPLIES (left_valid_struct_intM t 0 Object_alloc_table)
(>= (offset_max Object_alloc_table t) (- 0 1)))))

;; AllZeros_should_not_be_proved_safety_po_2, File "HOME/tests/java/AllZeros.java", line 35, characters 8-16
(FORALL (t)
(FORALL (Object_alloc_table)
(IMPLIES (left_valid_struct_intM t 0 Object_alloc_table)
(IMPLIES (>= (offset_max Object_alloc_table t) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t) 1))))
(<= (- 0 constant_too_large_2147483648) result)))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/AllZeros_why.sx      : .................?? (17/0/2/0/0)
total   :  19
valid   :  17 ( 89%)
invalid :   0 (  0%)
unknown :   2 ( 11%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/AllZeros.why
========== file tests/java/why/AllZeros_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic AllZeros_tag : Object tag_id

logic Object_tag : Object tag_id

axiom AllZeros_parenttag_Object: parenttag(AllZeros_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_AllZeros(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_AllZeros(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_AllZeros(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_AllZeros(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal AllZeros_all_zeros_ensures_default_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  ("JC_62": ("JC_59": (0 <= integer_of_int32(result))))

goal AllZeros_all_zeros_ensures_default_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  ("JC_62":
  ("JC_60": (integer_of_int32(result) <= (offset_max(Object_alloc_table,
  t_0) + 1))))

goal AllZeros_all_zeros_ensures_default_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_0:int.
  ((0 <= i_0) and (i_0 < integer_of_int32(result))) ->
  ("JC_62":
  ("JC_61": (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0)))

goal AllZeros_all_zeros_ensures_default_po_4:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall return:bool.
  (return = false) ->
  (return = true) ->
  forall i:int.
  ((0 <= i) and (i < (offset_max(Object_alloc_table, t_0) + 1))) ->
  ("JC_43": (integer_of_int32(select(intM_intP, shift(t_0, i))) = 0))

goal AllZeros_all_zeros_ensures_default_po_5:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall return:bool.
  (return = false) ->
  (forall i:int.
    (((0 <= i) and (i < (offset_max(Object_alloc_table, t_0) + 1))) ->
     (integer_of_int32(select(intM_intP, shift(t_0, i))) = 0))) ->
  ("JC_43": (return = true))

goal AllZeros_all_zeros_ensures_default_po_6:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(k) + 1)) ->
  forall k0:int32.
  (k0 = result2) ->
  ("JC_62": ("JC_59": (0 <= integer_of_int32(k0))))

goal AllZeros_all_zeros_ensures_default_po_7:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(k) + 1)) ->
  forall k0:int32.
  (k0 = result2) ->
  ("JC_62":
  ("JC_60": (integer_of_int32(k0) <= (offset_max(Object_alloc_table,
  t_0) + 1))))

goal AllZeros_all_zeros_ensures_default_po_8:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(k) + 1)) ->
  forall k0:int32.
  (k0 = result2) ->
  forall i_0:int.
  ((0 <= i_0) and (i_0 < integer_of_int32(k0))) ->
  ("JC_62":
  ("JC_61": (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0)))

goal AllZeros_all_zeros_ensures_default_po_9:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) >= result0) ->
  forall return:bool.
  (return = true) ->
  (return = true) ->
  forall i:int.
  ((0 <= i) and (i < (offset_max(Object_alloc_table, t_0) + 1))) ->
  ("JC_43": (integer_of_int32(select(intM_intP, shift(t_0, i))) = 0))

goal AllZeros_all_zeros_ensures_default_po_10:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_62":
  (("JC_59": (0 <= integer_of_int32(k))) and
   (("JC_60": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_61":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) >= result0) ->
  forall return:bool.
  (return = true) ->
  (forall i:int.
    (((0 <= i) and (i < (offset_max(Object_alloc_table, t_0) + 1))) ->
     (integer_of_int32(select(intM_intP, shift(t_0, i))) = 0))) ->
  ("JC_43": (return = true))

goal AllZeros_all_zeros_safety_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1))

goal AllZeros_all_zeros_safety_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  (offset_min(Object_alloc_table, t_0) <= integer_of_int32(k))

goal AllZeros_all_zeros_safety_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  (integer_of_int32(k) <= offset_max(Object_alloc_table, t_0))

goal AllZeros_all_zeros_safety_po_4:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(k)) and
   (integer_of_int32(k) <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  ((-2147483648) <= (integer_of_int32(k) + 1))

goal AllZeros_all_zeros_safety_po_5:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(k)) and
   (integer_of_int32(k) <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  ((integer_of_int32(k) + 1) <= 2147483647)

goal AllZeros_all_zeros_safety_po_6:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(k)) and
   (integer_of_int32(k) <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  (((-2147483648) <= (integer_of_int32(k) + 1)) and
   ((integer_of_int32(k) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(k) + 1)) ->
  forall k0:int32.
  (k0 = result2) ->
  (0 <= ("JC_58": ((offset_max(Object_alloc_table,
        t_0) + 1) - integer_of_int32(k))))

goal AllZeros_all_zeros_safety_po_7:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_41": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall k:int32.
  ("JC_52": true) ->
  ("JC_50":
  (("JC_47": (0 <= integer_of_int32(k))) and
   (("JC_48": (integer_of_int32(k) <= (offset_max(Object_alloc_table,
    t_0) + 1))) and
    ("JC_49":
    (forall i_0:int.
      (((0 <= i_0) and (i_0 < integer_of_int32(k))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, i_0))) = 0))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(k) < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(k)) and
   (integer_of_int32(k) <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intM_intP, shift(t_0, integer_of_int32(k)))) ->
  (integer_of_int32(result1) = 0) ->
  (((-2147483648) <= (integer_of_int32(k) + 1)) and
   ((integer_of_int32(k) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(k) + 1)) ->
  forall k0:int32.
  (k0 = result2) ->
  (("JC_58": ((offset_max(Object_alloc_table,
   t_0) + 1) - integer_of_int32(k0))) < ("JC_58":
                                        ((offset_max(Object_alloc_table,
                                        t_0) + 1) - integer_of_int32(k))))

goal AllZeros_should_not_be_proved_safety_po_1:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_intM(t, 0, Object_alloc_table) ->
  (offset_max(Object_alloc_table, t) >= (-1))

goal AllZeros_should_not_be_proved_safety_po_2:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_intM(t, 0, Object_alloc_table) ->
  (offset_max(Object_alloc_table, t) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  ((-2147483648) <= result)

why-2.34/tests/java/oracle/Sort2.res.oracle0000644000175000017500000147527112311670312017156 0ustar  rtusers========== file tests/java/Sort2.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/



//@+ TerminationPolicy = user

//@+ CheckArithOverflow = no

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i; l <= i < h ==> a[i] <= a[i+1] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ axiomatic Permut {
  @  predicate Permut{L1,L2}(int a[], integer l, integer h);
  @  axiom Permut_refl{L}: 
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  axiom Permut_sym{L1,L2}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  axiom Permut_trans{L1,L2,L3}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==> 
  @        Permut{L1,L3}(a, l, h) ;
  @  axiom Permut_swap{L1,L2}: 
  @    \forall int a[], integer l h i j; 
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==> 
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class Sort {

    /*@ requires t != null && 
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }
    
    /*@ requires t != null;
      @ ensures Sorted(t,0,t.length-1) && Permut{Old,Here}(t,0,t.length-1);
      @*/
    void min_sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i && Sorted(t,0,i) && 
	  @   (\forall integer k1 k2 ; 
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) &&
	  @     Permut{Pre,Here}(t,0,t.length-1);
	  @*/
	for (i=0; i t[k] >= mv) &&
	      @ Permut{Pre,Here}(t,0,t.length-1);
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) { 
		    mi = j ; mv = t[j]; 
		}
	    }
	    swap(t,i,mi);
	}
    }

}
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Sort_swap for method Sort.swap
Generating JC function Sort_min_sort for method Sort.min_sort
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_equals for method Object.equals
Generating JC function Object_wait for method Object.wait
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long for method Object.wait
Generating JC function cons_Sort for constructor Sort
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_registerNatives for method Object.registerNatives
Done.
========== file tests/java/Sort2.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = user
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Sort = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate Sorted{L}(intM[0..] a, integer l, integer h) =
(\forall integer i;
  (((l <= i) && (i < h)) ==> ((a + i).intP <= (a + (i + 1)).intP)))

predicate Swap{L1, L2}(intM[0..] a_0, integer i_0, integer j) =
(((\at((a_0 + i_0).intP,L1) == \at((a_0 + j).intP,L2)) &&
   (\at((a_0 + j).intP,L1) == \at((a_0 + i_0).intP,L2))) &&
  (\forall integer k;
    (((k != i_0) && (k != j)) ==>
      (\at((a_0 + k).intP,L1) == \at((a_0 + k).intP,L2)))))

axiomatic Permut {

  predicate Permut{L1, L2}(intM[0..] a_1, integer l_0, integer h_0)
   
  axiom Permut_swap{L1, L2} :
  (\forall intM[0..] a_5;
    (\forall integer l_4;
      (\forall integer h_4;
        (\forall integer i_1;
          (\forall integer j_0;
            (((((l_4 <= i_1) && (i_1 <= h_4)) &&
                ((l_4 <= j_0) && (j_0 <= h_4))) &&
               Swap{L1,
               L2}(a_5, i_1, j_0)) ==>
              Permut{L1,
              L2}(a_5, l_4, h_4)))))))
   
  axiom Permut_trans{L1, L2, L3} :
  (\forall intM[0..] a_4;
    (\forall integer l_3;
      (\forall integer h_3;
        ((Permut{L1, L2}(a_4, l_3, h_3) && Permut{L2, L3}(a_4, l_3, h_3)) ==>
          Permut{L1,
          L3}(a_4, l_3, h_3)))))
   
  axiom Permut_sym{L1, L2} :
  (\forall intM[0..] a_3;
    (\forall integer l_2;
      (\forall integer h_2;
        (Permut{L1, L2}(a_3, l_2, h_2) ==> Permut{L2, L1}(a_3, l_2, h_2)))))
   
  axiom Permut_refl{L} :
  (\forall intM[0..] a_2;
    (\forall integer l_1;
      (\forall integer h_1;
        Permut{L, L}(a_2, l_1, h_1))))
  
}

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit Sort_swap(Sort[0] this_2, intM[0..] t, integer i_2, integer j_1)
  requires (K_10 : ((K_9 : ((K_8 : Non_null_intM(t)) &&
                             (K_7 : ((K_6 : (0 <= i_2)) &&
                                      (K_5 : (i_2 < (\offset_max(t) + 1))))))) &&
                     (K_4 : ((K_3 : (0 <= j_1)) &&
                              (K_2 : (j_1 < (\offset_max(t) + 1)))))));
behavior default:
  assigns (t + [i_2..i_2]).intP,
  (t + [j_1..j_1]).intP;
  ensures (K_1 : Swap{Old, Here}(t, i_2, j_1));
{  
   {  
      (var integer tmp = (K_14 : (t + i_2).intP));
      
      {  (K_12 : ((t + i_2).intP = (K_11 : (t + j_1).intP)));
         (K_13 : ((t + j_1).intP = tmp))
      }
   }
}

unit Sort_min_sort(Sort[0] this_0, intM[0..] t_0)
  requires (K_18 : Non_null_intM(t_0));
behavior default:
  ensures (K_17 : ((K_16 : Sorted{Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1))) &&
                    (K_15 : Permut{Old,
                    Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)))));
{  
   {  
      (var integer i_3);
      
      {  
         (var integer j_2);
         
         {  
            (var integer mi);
            
            {  
               (var integer mv);
               
               loop 
               behavior default:
                 invariant (K_25 : ((K_24 : ((K_23 : ((K_22 : (0 <= i_3)) &&
                                                       (K_21 : Sorted{Here}(
                                                       t_0, 0, i_3)))) &&
                                              (K_20 : (\forall integer k1;
                                                        (\forall integer k2;
                                                          (((((0 <= k1) &&
                                                               (k1 < i_3)) &&
                                                              (i_3 <= k2)) &&
                                                             (k2 <
                                                               (\offset_max(t_0) +
                                                                 1))) ==>
                                                            ((t_0 + k1).intP <=
                                                              (t_0 + k2).intP))))))) &&
                                     (K_19 : Permut{Pre,
                                     Here}(t_0, 0,
                                           ((\offset_max(t_0) + 1) - 1)))));
               
               for ((i_3 = 0) ; (K_49 : (i_3 <
                                          (K_48 : ((K_47 : java_array_length_intM(
                                                   t_0)) -
                                                    1)))) ; (K_46 : (i_3 ++)))
               {  
                  {  (mv = (K_26 : (t_0 + i_3).intP));
                     (mi = i_3);
                     
                     loop 
                     behavior default:
                       invariant (K_37 : ((K_36 : ((K_35 : ((K_34 : ((K_33 : 
                                                                    (i_3 <
                                                                    j_2)) &&
                                                                    (K_32 : 
                                                                    ((K_31 : 
                                                                    (i_3 <=
                                                                    mi)) &&
                                                                    (K_30 : 
                                                                    (mi <
                                                                    (\offset_max(t_0) +
                                                                    1))))))) &&
                                                             (K_29 : 
                                                             (mv ==
                                                               (t_0 + mi).intP)))) &&
                                                    (K_28 : (\forall integer k_0;
                                                              (((i_3 <= k_0) &&
                                                                 (k_0 < j_2)) ==>
                                                                ((t_0 + k_0).intP >=
                                                                  mv)))))) &&
                                           (K_27 : Permut{Pre,
                                           Here}(t_0, 0,
                                                 ((\offset_max(t_0) + 1) - 1)))));
                     
                     for ((j_2 = (K_44 : (i_3 + 1))) ; (K_43 : (j_2 <
                                                                 (K_42 : java_array_length_intM(
                                                                 t_0)))) ; 
                     (K_41 : (j_2 ++)))
                     {  (if (K_40 : ((K_39 : (t_0 + j_2).intP) < mv)) then 
                        {  (mi = j_2);
                           (mv = (K_38 : (t_0 + j_2).intP))
                        } else ())
                     };
                     (K_45 : Sort_swap(this_0, t_0, i_3, mi))
                  }
               }
            }
         }
      }
   }
}

Object[0..] Object_clone(Object[0] this_4)
;

unit Object_notifyAll(Object[0] this_5)
;

integer Object_hashCode(Object[0] this_6)
;

boolean Object_equals(Object[0] this_7, Object[0..] obj)
;

unit Object_wait(Object[0] this_8)
;

unit Object_notify(Object[0] this_9)
;

unit Object_wait_long(Object[0] this_10, integer timeout)
;

unit cons_Sort(! Sort[0] this_3){()}

String[0..] Object_toString(Object[0] this_11)
;

unit Object_wait_long_int(Object[0] this_12, integer timeout_0, integer nanos)
;

unit cons_Object(! Object[0] this_14){()}

unit Object_finalize(Object[0] this_13)
;

unit Object_registerNatives()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Sort2.jloc tests/java/Sort2.jc && make -f tests/java/Sort2.makefile gui"
End:
*/
========== file tests/java/Sort2.jloc ==========
[Permut_swap]
name = "Lemma Permut_swap"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_30]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 38
end = 51

[K_23]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 43

[Permut_refl]
name = "Lemma Permut_refl"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_33]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 29

[K_49]
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 11
end = 23

[K_17]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 16
end = 74

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/Sort2.java"
line = 75
begin = 8
end = 12

[K_38]
file = "HOME/tests/java/Sort2.java"
line = 100
begin = 20
end = 24

[K_25]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 184

[K_13]
file = "HOME/tests/java/Sort2.java"
line = 76
begin = 1
end = 11

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 59

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[K_44]
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 12
end = 15

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[K_28]
file = "HOME/tests/java/Sort2.java"
line = 95
begin = 12
end = 56

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Sort2.java"
line = 71
begin = 16
end = 37

[K_15]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 42
end = 74

[K_4]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 32
end = 49

[K_12]
file = "HOME/tests/java/Sort2.java"
line = 75
begin = 1
end = 12

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[K_34]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 51

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/Sort2.java"
line = 86
begin = 8
end = 90

[K_2]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 37
end = 49

[K_41]
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 31
end = 34

[K_47]
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 13
end = 21

[K_29]
file = "HOME/tests/java/Sort2.java"
line = 94
begin = 9
end = 20

[K_10]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 80

[K_35]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 75

[K_6]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 11
end = 17

[K_8]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 26

[K_48]
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 13
end = 23

[Permut_trans]
name = "Lemma Permut_trans"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_3]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 32
end = 38

[K_31]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 33
end = 40

[K_32]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 33
end = 51

[K_27]
file = "HOME/tests/java/Sort2.java"
line = 96
begin = 9
end = 41

[cons_Sort]
name = "Constructor of class Sort"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_46]
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 25
end = 28

[K_21]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 30
end = 43

[K_42]
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 21
end = 29

[K_24]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 139

[K_14]
file = "HOME/tests/java/Sort2.java"
line = 74
begin = 11
end = 15

[K_39]
file = "HOME/tests/java/Sort2.java"
line = 99
begin = 6
end = 10

[K_36]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 136

[Permut_sym]
name = "Lemma Permut_sym"
file = "HOME/"
line = 0
begin = 0
end = 0

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_37]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 181

[K_19]
file = "HOME/tests/java/Sort2.java"
line = 88
begin = 9
end = 41

[K_5]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 16
end = 28

[Sort_min_sort]
name = "Method min_sort"
file = "HOME/tests/java/Sort2.java"
line = 82
begin = 9
end = 17

[K_18]
file = "HOME/tests/java/Sort2.java"
line = 79
begin = 17
end = 26

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[Sort_swap]
name = "Method swap"
file = "HOME/tests/java/Sort2.java"
line = 73
begin = 9
end = 13

[K_7]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 11
end = 28

[K_40]
file = "HOME/tests/java/Sort2.java"
line = 99
begin = 6
end = 15

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[K_26]
file = "HOME/tests/java/Sort2.java"
line = 92
begin = 10
end = 14

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 26

[K_45]
file = "HOME/tests/java/Sort2.java"
line = 103
begin = 5
end = 17

[K_16]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 16
end = 38

[K_43]
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 17
end = 29

========== jessie execution ==========
Generating Why function Sort_swap
Generating Why function Sort_min_sort
Generating Why function cons_Sort
Generating Why function cons_Object
========== file tests/java/Sort2.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Sort2.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Sort2.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Sort2_why.sx

project: why/Sort2.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Sort2_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Sort2_why.vo

coq/Sort2_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Sort2_why.v: why/Sort2.why
	@echo 'why -coq [...] why/Sort2.why' && $(WHY) $(JESSIELIBFILES) why/Sort2.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Sort2_ctx_why.vo
	for f in why/*_po*.why; do make -f Sort2.makefile coq/`basename $$f .why`_why.v ; done

coq/Sort2_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Sort2_ctx_why.v: why/Sort2_ctx.why
	@echo 'why -coq [...] why/Sort2_ctx.why' && $(WHY) why/Sort2_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Sort2_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Sort2_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Sort2_ctx_why.vo

pvs: pvs/Sort2_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Sort2_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Sort2_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Sort2_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Sort2_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Sort2_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Sort2_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Sort2_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Sort2_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Sort2_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Sort2_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Sort2_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Sort2_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Sort2_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Sort2_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Sort2.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Sort2_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Sort2.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Sort2.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Sort2.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Sort2.depend

depend: coq/Sort2_why.v
	-$(COQDEP) -I coq coq/Sort2*_why.v > Sort2.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Sort2.loc ==========
[JC_198]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_177]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_94]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 181

[JC_73]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 42
end = 74

[Permut_swap]
name = "Lemma Permut_swap"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_221]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_63]
kind = PointerDeref
file = "HOME/tests/java/Sort2.jc"
line = 128
begin = 18
end = 58

[JC_196]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_80]
file = "HOME/tests/java/Sort2.java"
line = 88
begin = 9
end = 41

[JC_51]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 80

[Permut_refl]
name = "Lemma Permut_refl"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_71]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 16
end = 74

[JC_197]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
kind = UserCall
file = "HOME/tests/java/Sort2.jc"
line = 214
begin = 29
end = 60

[JC_106]
file = "HOME/tests/java/Sort2.java"
line = 88
begin = 9
end = 41

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 33
end = 40

[JC_203]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/tests/java/Sort2.java"
line = 95
begin = 12
end = 56

[JC_64]
kind = PointerDeref
file = "HOME/tests/java/Sort2.jc"
line = 129
begin = 18
end = 38

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_227]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_188]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_180]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
kind = IndexBounds
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 21
end = 29

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
kind = UserCall
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 13
end = 21

[JC_126]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_201]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/Sort2.jc"
line = 55
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_194]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_122]
kind = UserCall
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 21
end = 29

[Sort_min_sort_safety]
name = "Method min_sort"
behavior = "Safety"
file = "HOME/tests/java/Sort2.java"
line = 82
begin = 9
end = 17

[JC_205]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 184

[JC_55]
file = "HOME/tests/java/Sort2.jc"
line = 120
begin = 9
end = 16

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_148]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[Sort_min_sort_ensures_default]
name = "Method min_sort"
behavior = "default behavior"
file = "HOME/tests/java/Sort2.java"
line = 82
begin = 9
end = 17

[JC_48]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 16
end = 28

[JC_23]
file = "HOME/tests/java/Sort2.jc"
line = 51
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_121]
file = "HOME/tests/java/Sort2.jc"
line = 180
begin = 21
end = 2293

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/Sort2.java"
line = 79
begin = 17
end = 26

[JC_9]
file = "HOME/tests/java/Sort2.jc"
line = 42
begin = 8
end = 21

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/Sort2.jc"
line = 50
begin = 10
end = 18

[JC_193]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/java/Sort2.jc"
line = 51
begin = 11
end = 103

[JC_189]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 30
end = 43

[JC_212]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 16
end = 28

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 16
end = 74

[JC_195]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 11
end = 17

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/Sort2.jc"
line = 50
begin = 10
end = 18

[Sort_swap_safety]
name = "Method swap"
behavior = "Safety"
file = "HOME/tests/java/Sort2.java"
line = 73
begin = 9
end = 13

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Sort_ensures_default]
name = "Constructor of class Sort"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/Sort2.java"
line = 73
begin = 9
end = 13

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/tests/java/Sort2.java"
line = 86
begin = 8
end = 90

[JC_13]
file = "HOME/tests/java/Sort2.jc"
line = 45
begin = 11
end = 66

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_222]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_87]
kind = PointerDeref
file = "HOME/tests/java/Sort2.java"
line = 92
begin = 10
end = 14

[JC_11]
file = "HOME/tests/java/Sort2.jc"
line = 42
begin = 8
end = 21

[JC_185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
kind = UserCall
file = "HOME/tests/java/Sort2.java"
line = 98
begin = 21
end = 29

[JC_70]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 42
end = 74

[JC_15]
file = "HOME/tests/java/Sort2.jc"
line = 45
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 30
end = 43

[JC_91]
file = "HOME/tests/java/Sort2.java"
line = 94
begin = 9
end = 20

[JC_39]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 26

[JC_112]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 29

[JC_40]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 11
end = 17

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/java/Sort2.jc"
line = 153
begin = 15
end = 4048

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/tests/java/Sort2.java"
line = 94
begin = 9
end = 20

[JC_109]
file = "HOME/tests/java/Sort2.jc"
line = 153
begin = 15
end = 4048

[JC_107]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 184

[JC_69]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 16
end = 38

[JC_219]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_179]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[Sort_swap_ensures_default]
name = "Method swap"
behavior = "default behavior"
file = "HOME/tests/java/Sort2.java"
line = 73
begin = 9
end = 13

[JC_38]
file = "HOME/tests/java/Sort2.jc"
line = 57
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_44]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 80

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[Permut_trans]
name = "Lemma Permut_trans"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = PointerDeref
file = "HOME/tests/java/Sort2.java"
line = 75
begin = 8
end = 12

[JC_101]
kind = PointerDeref
file = "HOME/tests/java/Sort2.java"
line = 100
begin = 20
end = 24

[JC_88]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 29

[JC_223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 32
end = 38

[JC_190]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/tests/java/Sort2.jc"
line = 153
begin = 15
end = 4048

[JC_166]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_103]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 26

[JC_46]
file = "HOME/tests/java/Sort2.java"
line = 68
begin = 17
end = 26

[cons_Sort_safety]
name = "Constructor of class Sort"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
kind = PointerDeref
file = "HOME/tests/java/Sort2.java"
line = 74
begin = 11
end = 15

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/Sort2.java"
line = 71
begin = 16
end = 37

[JC_220]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/Sort2.java"
line = 79
begin = 17
end = 26

[JC_118]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 24
end = 181

[JC_173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/tests/java/Sort2.java"
line = 86
begin = 8
end = 90

[JC_140]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_29]
file = "HOME/tests/java/Sort2.jc"
line = 55
begin = 8
end = 23

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/Sort2.jc"
line = 44
begin = 10
end = 18

[JC_96]
file = "HOME/tests/java/Sort2.jc"
line = 180
begin = 21
end = 2293

[JC_43]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 37
end = 49

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/tests/java/Sort2.java"
line = 96
begin = 9
end = 41

[JC_97]
file = "HOME/tests/java/Sort2.jc"
line = 180
begin = 21
end = 2293

[Permut_sym]
name = "Lemma Permut_sym"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_84]
file = "HOME/tests/java/Sort2.jc"
line = 153
begin = 15
end = 4048

[JC_214]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 38
end = 51

[JC_14]
file = "HOME/tests/java/Sort2.jc"
line = 44
begin = 10
end = 18

[JC_150]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_117]
file = "HOME/tests/java/Sort2.java"
line = 96
begin = 9
end = 41

[JC_90]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 38
end = 51

[JC_53]
file = "HOME/tests/java/Sort2.java"
line = 71
begin = 16
end = 37

[JC_225]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Sort2.jc"
line = 48
begin = 8
end = 30

[JC_209]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
kind = UserCall
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 13
end = 21

[JC_77]
file = "HOME/tests/java/Sort2.java"
line = 85
begin = 20
end = 26

[JC_49]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 32
end = 38

[JC_1]
file = "HOME/tests/java/Sort2.jc"
line = 13
begin = 12
end = 22

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
kind = UserCall
file = "HOME/tests/java/Sort2.jc"
line = 214
begin = 29
end = 60

[JC_37]
file = "HOME/tests/java/Sort2.jc"
line = 57
begin = 11
end = 65

[JC_181]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_142]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/Sort2.java"
line = 73
begin = 9
end = 13

[JC_211]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/tests/java/Sort2.java"
line = 93
begin = 33
end = 40

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_217]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Sort2.jc"
line = 13
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/Sort2.java"
line = 95
begin = 12
end = 56

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
kind = IndexBounds
file = "HOME/tests/java/Sort2.java"
line = 90
begin = 13
end = 21

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/tests/java/Sort2.java"
line = 80
begin = 16
end = 38

[JC_19]
file = "HOME/tests/java/Sort2.jc"
line = 48
begin = 8
end = 30

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_210]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_187]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/Sort2.java"
line = 69
begin = 37
end = 49

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/tests/java/Sort2.jc"
line = 180
begin = 21
end = 2293

[JC_58]
file = "HOME/tests/java/Sort2.jc"
line = 120
begin = 9
end = 16

[JC_226]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
kind = PointerDeref
file = "HOME/tests/java/Sort2.java"
line = 99
begin = 6
end = 10

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Sort2.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic Permut: Object pointer, int, int, (Object, int) memory,
 (Object, int) memory -> prop

logic Sort_tag:  -> Object tag_id

axiom Sort_parenttag_Object : parenttag(Sort_tag, Object_tag)

predicate Sorted(a:Object pointer, l:int, h:int,
 intM_intP_at_L:(Object, int) memory) =
 (forall i:int.
  ((le_int(l, i) and lt_int(i, h)) ->
   le_int(select(intM_intP_at_L, shift(a, i)),
   select(intM_intP_at_L, shift(a, add_int(i, (1)))))))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

predicate Swap(a_0:Object pointer, i_0:int, j:int,
 intM_intP_at_L2:(Object, int) memory,
 intM_intP_at_L1:(Object, int) memory) =
 ((select(intM_intP_at_L1, shift(a_0, i_0)) = select(intM_intP_at_L2,
                                              shift(a_0, j)))
 and ((select(intM_intP_at_L1, shift(a_0, j)) = select(intM_intP_at_L2,
                                                shift(a_0, i_0)))
     and (forall k:int.
          (((k <> i_0) and (k <> j)) ->
           (select(intM_intP_at_L1, shift(a_0, k)) = select(intM_intP_at_L2,
                                                     shift(a_0, k)))))))

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Sort(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Sort(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Sort(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Sort(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom Permut_swap :
 (forall intM_intP_at_L2:(Object, int) memory.
  (forall intM_intP_at_L1:(Object, int) memory.
   (forall a_5:Object pointer.
    (forall l_4:int.
     (forall h_4:int.
      (forall i_1:int.
       (forall j_0:int.
        ((le_int(l_4, i_1)
         and (le_int(i_1, h_4)
             and (le_int(l_4, j_0)
                 and (le_int(j_0, h_4)
                     and Swap(a_5, i_1, j_0, intM_intP_at_L2,
                         intM_intP_at_L1))))) ->
         Permut(a_5, l_4, h_4, intM_intP_at_L2, intM_intP_at_L1)))))))))

axiom Permut_trans :
 (forall intM_intP_at_L3:(Object, int) memory.
  (forall intM_intP_at_L2:(Object, int) memory.
   (forall intM_intP_at_L1:(Object, int) memory.
    (forall a_4:Object pointer.
     (forall l_3:int.
      (forall h_3:int.
       ((Permut(a_4, l_3, h_3, intM_intP_at_L2, intM_intP_at_L1)
        and Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L2)) ->
        Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L1))))))))

axiom Permut_sym :
 (forall intM_intP_at_L2:(Object, int) memory.
  (forall intM_intP_at_L1:(Object, int) memory.
   (forall a_3:Object pointer.
    (forall l_2:int.
     (forall h_2:int.
      (Permut(a_3, l_2, h_2, intM_intP_at_L2, intM_intP_at_L1) ->
       Permut(a_3, l_2, h_2, intM_intP_at_L1, intM_intP_at_L2)))))))

axiom Permut_refl :
 (forall intM_intP_at_L:(Object, int) memory.
  (forall a_2:Object pointer.
   (forall l_1:int.
    (forall h_1:int. Permut(a_2, l_1, h_1, intM_intP_at_L, intM_intP_at_L)))))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_4:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_4:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_7:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_7:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_6:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_6:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_notify :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_10:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_12:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_12:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_10:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

parameter intM_intP : (Object, int) memory ref

parameter Sort_min_sort :
 this_0:Object pointer ->
  t_0:Object pointer ->
   { } unit reads Object_alloc_table,intM_intP writes intM_intP
   { (JC_74:
     ((JC_72:
      Sorted(t_0, (0),
      sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
      intM_intP))
     and (JC_73:
         Permut(t_0, (0),
         sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
         intM_intP, intM_intP@)))) }

parameter Sort_min_sort_requires :
 this_0:Object pointer ->
  t_0:Object pointer ->
   { (JC_65: Non_null_intM(t_0, Object_alloc_table))} unit
   reads Object_alloc_table,intM_intP writes intM_intP
   { (JC_74:
     ((JC_72:
      Sorted(t_0, (0),
      sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
      intM_intP))
     and (JC_73:
         Permut(t_0, (0),
         sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
         intM_intP, intM_intP@)))) }

parameter Sort_swap :
 this_2:Object pointer ->
  t:Object pointer ->
   i_2:int ->
    j_1:int ->
     { } unit reads Object_alloc_table,intM_intP writes intM_intP
     { (JC_58:
       ((JC_56: Swap(t, i_2, j_1, intM_intP, intM_intP@))
       and (JC_57:
           not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
           pset_union(pset_range(pset_singleton(t), j_1, j_1),
           pset_range(pset_singleton(t), i_2, i_2)))))) }

parameter Sort_swap_requires :
 this_2:Object pointer ->
  t:Object pointer ->
   i_2:int ->
    j_1:int ->
     { (JC_44:
       ((JC_39: Non_null_intM(t, Object_alloc_table))
       and ((JC_40: le_int((0), i_2))
           and ((JC_41:
                lt_int(i_2, add_int(offset_max(Object_alloc_table, t), (1))))
               and ((JC_42: le_int((0), j_1))
                   and (JC_43:
                       lt_int(j_1,
                       add_int(offset_max(Object_alloc_table, t), (1)))))))))}
     unit reads Object_alloc_table,intM_intP writes intM_intP
     { (JC_58:
       ((JC_56: Swap(t, i_2, j_1, intM_intP, intM_intP@))
       and (JC_57:
           not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
           pset_union(pset_range(pset_singleton(t), j_1, j_1),
           pset_range(pset_singleton(t), i_2, i_2)))))) }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Sort :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Sort(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Sort_tag)))) }

parameter alloc_struct_Sort_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Sort(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Sort_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Object :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Sort :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Sort_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

let Sort_min_sort_ensures_default =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_Sort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int void) in
     (let j_2 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     begin
       (let _jessie_ = (i_3 := (0)) in void);
      try
       (loop_3:
       while true do
       { invariant
           (JC_107:
           ((JC_103: le_int((0), i_3))
           and ((JC_104: Sorted(t_0, (0), i_3, intM_intP))
               and ((JC_105:
                    (forall k1:int.
                     (forall k2:int.
                      ((le_int((0), k1)
                       and (lt_int(k1, i_3)
                           and (le_int(i_3, k2)
                               and lt_int(k2,
                                   add_int(offset_max(Object_alloc_table,
                                           t_0),
                                   (1)))))) ->
                       le_int(select(intM_intP, shift(t_0, k1)),
                       select(intM_intP, shift(t_0, k2)))))))
                   and (JC_106:
                       Permut(t_0, (0),
                       sub_int(add_int(offset_max(Object_alloc_table, t_0),
                               (1)),
                       (1)), intM_intP, intM_intP@init))))))  }
        begin
          [ { } unit { true } ];
         try
          begin
            (if (K_49:
                ((lt_int_ !i_3) (K_48:
                                ((sub_int (K_47:
                                          (let _jessie_ = t_0 in
                                          (JC_111:
                                          (java_array_length_intM _jessie_))))) (1)))))
            then
             begin
               (let _jessie_ =
               (mv := (K_26: ((safe_acc_ !intM_intP) ((shift t_0) !i_3)))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ = (j_2 := (K_44: ((add_int !i_3) (1)))) in
              void);
              try
               (loop_4:
               while true do
               { invariant
                   (JC_118:
                   ((JC_112: lt_int(i_3, j_2))
                   and ((JC_113: le_int(i_3, mi))
                       and ((JC_114:
                            lt_int(mi,
                            add_int(offset_max(Object_alloc_table, t_0), (1))))
                           and ((JC_115:
                                (mv = select(intM_intP, shift(t_0, mi))))
                               and ((JC_116:
                                    (forall k_0:int.
                                     ((le_int(i_3, k_0) and lt_int(k_0, j_2)) ->
                                      ge_int(select(intM_intP,
                                             shift(t_0, k_0)),
                                      mv))))
                                   and (JC_117:
                                       Permut(t_0, (0),
                                       sub_int(add_int(offset_max(Object_alloc_table,
                                                       t_0),
                                               (1)),
                                       (1)), intM_intP, intM_intP@init))))))))
                  }
                begin
                  [ { } unit { true } ];
                 try
                  begin
                    (if (K_43:
                        ((lt_int_ !j_2) (K_42:
                                        (let _jessie_ = t_0 in
                                        (JC_122:
                                        (java_array_length_intM _jessie_))))))
                    then
                     (if (K_40:
                         ((lt_int_ (K_39:
                                   ((safe_acc_ !intM_intP) ((shift t_0) !j_2)))) !mv))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_2) in void);
                       (mv := (K_38:
                              ((safe_acc_ !intM_intP) ((shift t_0) !j_2))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_41:
                  (let _jessie_ = !j_2 in
                  begin
                    (let _jessie_ = (j_2 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (K_45:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_123:
              ((((Sort_swap _jessie_) _jessie_) _jessie_) _jessie_)))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_46:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
           _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end)
  { (JC_71:
    ((JC_69:
     Sorted(t_0, (0),
     sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
     intM_intP))
    and (JC_70:
        Permut(t_0, (0),
        sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
        intM_intP, intM_intP@)))) }

let Sort_min_sort_safety =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_Sort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int void) in
     (let j_2 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     begin
       (let _jessie_ = (i_3 := (0)) in void);
      try
       (loop_1:
       while true do
       { invariant (JC_83: true)  }
        begin
          [ { } unit reads Object_alloc_table,i_3,intM_intP
            { (JC_81:
              ((JC_77: le_int((0), i_3))
              and ((JC_78: Sorted(t_0, (0), i_3, intM_intP))
                  and ((JC_79:
                       (forall k1:int.
                        (forall k2:int.
                         ((le_int((0), k1)
                          and (lt_int(k1, i_3)
                              and (le_int(i_3, k2)
                                  and lt_int(k2,
                                      add_int(offset_max(Object_alloc_table,
                                              t_0),
                                      (1)))))) ->
                          le_int(select(intM_intP, shift(t_0, k1)),
                          select(intM_intP, shift(t_0, k2)))))))
                      and (JC_80:
                          Permut(t_0, (0),
                          sub_int(add_int(offset_max(Object_alloc_table, t_0),
                                  (1)),
                          (1)), intM_intP, intM_intP@init)))))) } ];
         try
          begin
            (if (K_49:
                ((lt_int_ !i_3) (K_48:
                                ((sub_int (K_47:
                                          (let _jessie_ = t_0 in
                                          (JC_86:
                                          (assert
                                          { ge_int(offset_max(Object_alloc_table,
                                                   _jessie_),
                                            (-1)) };
                                          (JC_85:
                                          (java_array_length_intM_requires _jessie_))))))) (1)))))
            then
             begin
               (let _jessie_ =
               (mv := (K_26:
                      (JC_87:
                      ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !i_3)))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ = (j_2 := (K_44: ((add_int !i_3) (1)))) in
              void);
              try
               (loop_2:
               while true do
               { invariant (JC_96: true)  }
                begin
                  [ { } unit reads Object_alloc_table,i_3,intM_intP,j_2,mi,mv
                    { (JC_94:
                      ((JC_88: lt_int(i_3, j_2))
                      and ((JC_89: le_int(i_3, mi))
                          and ((JC_90:
                               lt_int(mi,
                               add_int(offset_max(Object_alloc_table, t_0),
                               (1))))
                              and ((JC_91:
                                   (mv = select(intM_intP, shift(t_0, mi))))
                                  and ((JC_92:
                                       (forall k_0:int.
                                        ((le_int(i_3, k_0)
                                         and lt_int(k_0, j_2)) ->
                                         ge_int(select(intM_intP,
                                                shift(t_0, k_0)),
                                         mv))))
                                      and (JC_93:
                                          Permut(t_0, (0),
                                          sub_int(add_int(offset_max(Object_alloc_table,
                                                          t_0),
                                                  (1)),
                                          (1)), intM_intP, intM_intP@init)))))))) } ];
                 try
                  begin
                    (if (K_43:
                        ((lt_int_ !j_2) (K_42:
                                        (let _jessie_ = t_0 in
                                        (JC_99:
                                        (assert
                                        { ge_int(offset_max(Object_alloc_table,
                                                 _jessie_),
                                          (-1)) };
                                        (JC_98:
                                        (java_array_length_intM_requires _jessie_))))))))
                    then
                     (if (K_40:
                         ((lt_int_ (K_39:
                                   (JC_100:
                                   ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !j_2)))) !mv))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_2) in void);
                       (mv := (K_38:
                              (JC_101:
                              ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !j_2))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_41:
                  (let _jessie_ = !j_2 in
                  begin
                    (let _jessie_ = (j_2 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (K_45:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_102:
              ((((Sort_swap_requires _jessie_) _jessie_) _jessie_) _jessie_)))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_46:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
           _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end) { true }

let Sort_swap_ensures_default =
 fun (this_2 : Object pointer) (t : Object pointer) (i_2 : int) (j_1 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_Sort(this_2, (0), (0), Object_alloc_table)
        and (JC_51:
            ((JC_46: Non_null_intM(t, Object_alloc_table))
            and ((JC_47: le_int((0), i_2))
                and ((JC_48:
                     lt_int(i_2,
                     add_int(offset_max(Object_alloc_table, t), (1))))
                    and ((JC_49: le_int((0), j_1))
                        and (JC_50:
                            lt_int(j_1,
                            add_int(offset_max(Object_alloc_table, t), (1))))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let tmp = (K_14: ((safe_acc_ !intM_intP) ((shift t) i_2))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ = (K_11: ((safe_acc_ !intM_intP) ((shift t) j_1))) in
       (let _jessie_ = t in
       (let _jessie_ = i_2 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
      (K_13:
      (let _jessie_ = tmp in
      (let _jessie_ = t in
      (let _jessie_ = j_1 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      begin   (((safe_upd_ intM_intP) _jessie_) _jessie_); _jessie_ end)))))
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_55:
    ((JC_53: Swap(t, i_2, j_1, intM_intP, intM_intP@))
    and (JC_54:
        not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
        pset_union(pset_range(pset_singleton(t), j_1, j_1),
        pset_range(pset_singleton(t), i_2, i_2)))))) }

let Sort_swap_safety =
 fun (this_2 : Object pointer) (t : Object pointer) (i_2 : int) (j_1 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_Sort(this_2, (0), (0), Object_alloc_table)
        and (JC_51:
            ((JC_46: Non_null_intM(t, Object_alloc_table))
            and ((JC_47: le_int((0), i_2))
                and ((JC_48:
                     lt_int(i_2,
                     add_int(offset_max(Object_alloc_table, t), (1))))
                    and ((JC_49: le_int((0), j_1))
                        and (JC_50:
                            lt_int(j_1,
                            add_int(offset_max(Object_alloc_table, t), (1))))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let tmp =
     (K_14:
     (JC_61: ((((offset_acc_ !Object_alloc_table) !intM_intP) t) i_2))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11:
       (JC_62: ((((offset_acc_ !Object_alloc_table) !intM_intP) t) j_1))) in
       (let _jessie_ = t in
       (let _jessie_ = i_2 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_63:
       (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
       void);
      (K_13:
      (let _jessie_ = tmp in
      (let _jessie_ = t in
      (let _jessie_ = j_1 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_64:
      begin
        (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_);
       _jessie_ end)))))) end)) in void); (raise Return) end with Return ->
   void end) { true }

let cons_Object_ensures_default =
 fun (this_14 : Object pointer) ->
  { valid_struct_Object(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_208: true) }

let cons_Object_safety =
 fun (this_14 : Object pointer) ->
  { valid_struct_Object(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Sort_ensures_default =
 fun (this_3 : Object pointer) ->
  { valid_struct_Sort(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_184: true) }

let cons_Sort_safety =
 fun (this_3 : Object pointer) ->
  { valid_struct_Sort(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Sort2.why
========== file tests/java/why/Sort2.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  

========== file tests/java/why/Sort2_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic Permut : Object pointer, int, int, (Object, int) memory, (Object,
int) memory -> prop

logic Sort_tag : Object tag_id

axiom Sort_parenttag_Object: parenttag(Sort_tag, Object_tag)

predicate Sorted(a: Object pointer, l: int, h: int, intM_intP_at_L: (Object,
  int) memory) =
  (forall i:int.
    (((l <= i) and (i < h)) -> (select(intM_intP_at_L, shift(a,
     i)) <= select(intM_intP_at_L, shift(a, (i + 1))))))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

predicate Swap(a_0: Object pointer, i_0: int, j: int,
  intM_intP_at_L2: (Object, int) memory, intM_intP_at_L1: (Object,
  int) memory) =
  ((select(intM_intP_at_L1, shift(a_0, i_0)) = select(intM_intP_at_L2,
   shift(a_0, j))) and
   ((select(intM_intP_at_L1, shift(a_0, j)) = select(intM_intP_at_L2,
    shift(a_0, i_0))) and
    (forall k:int.
      (((k <> i_0) and (k <> j)) -> (select(intM_intP_at_L1, shift(a_0,
       k)) = select(intM_intP_at_L2, shift(a_0, k)))))))

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Sort(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Sort(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Sort(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Sort(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom Permut_swap:
  (forall intM_intP_at_L2:(Object, int) memory.
    (forall intM_intP_at_L1:(Object, int) memory.
      (forall a_5:Object pointer.
        (forall l_4:int.
          (forall h_4:int.
            (forall i_1:int.
              (forall j_0:int.
                (((l_4 <= i_1) and
                  ((i_1 <= h_4) and
                   ((l_4 <= j_0) and
                    ((j_0 <= h_4) and Swap(a_5, i_1, j_0, intM_intP_at_L2,
                     intM_intP_at_L1))))) ->
                 Permut(a_5, l_4, h_4, intM_intP_at_L2, intM_intP_at_L1)))))))))

axiom Permut_trans:
  (forall intM_intP_at_L3:(Object, int) memory.
    (forall intM_intP_at_L2:(Object, int) memory.
      (forall intM_intP_at_L1:(Object, int) memory.
        (forall a_4:Object pointer.
          (forall l_3:int.
            (forall h_3:int.
              ((Permut(a_4, l_3, h_3, intM_intP_at_L2, intM_intP_at_L1) and
                Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L2)) ->
               Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L1))))))))

axiom Permut_sym:
  (forall intM_intP_at_L2:(Object, int) memory.
    (forall intM_intP_at_L1:(Object, int) memory.
      (forall a_3:Object pointer.
        (forall l_2:int.
          (forall h_2:int.
            (Permut(a_3, l_2, h_2, intM_intP_at_L2, intM_intP_at_L1) ->
             Permut(a_3, l_2, h_2, intM_intP_at_L1, intM_intP_at_L2)))))))

axiom Permut_refl:
  (forall intM_intP_at_L:(Object, int) memory.
    (forall a_2:Object pointer.
      (forall l_1:int.
        (forall h_1:int. Permut(a_2, l_1, h_1, intM_intP_at_L,
          intM_intP_at_L)))))

========== file tests/java/why/Sort2_po1.why ==========
goal Sort_min_sort_ensures_default_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  ("JC_107": ("JC_103": (0 <= i_3)))

========== file tests/java/why/Sort2_po10.why ==========
goal Sort_min_sort_ensures_default_po_10:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_118":
  ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)))

========== file tests/java/why/Sort2_po11.why ==========
goal Sort_min_sort_ensures_default_po_11:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_112": (i_3_0 < j_2_1)))

========== file tests/java/why/Sort2_po12.why ==========
goal Sort_min_sort_ensures_default_po_12:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_113": (i_3_0 <= mi1)))

========== file tests/java/why/Sort2_po13.why ==========
goal Sort_min_sort_ensures_default_po_13:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_114": (mi1 < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Sort2_po14.why ==========
goal Sort_min_sort_ensures_default_po_14:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_115": (mv1 = select(intM_intP0, shift(t_0, mi1)))))

========== file tests/java/why/Sort2_po15.why ==========
goal Sort_min_sort_ensures_default_po_15:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  forall k_0:int.
  ((i_3_0 <= k_0) and (k_0 < j_2_1)) ->
  ("JC_118": ("JC_116": (select(intM_intP0, shift(t_0, k_0)) >= mv1)))

========== file tests/java/why/Sort2_po16.why ==========
goal Sort_min_sort_ensures_default_po_16:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118":
  ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)))

========== file tests/java/why/Sort2_po17.why ==========
goal Sort_min_sort_ensures_default_po_17:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_112": (i_3_0 < j_2_1)))

========== file tests/java/why/Sort2_po18.why ==========
goal Sort_min_sort_ensures_default_po_18:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_113": (i_3_0 <= mi0)))

========== file tests/java/why/Sort2_po19.why ==========
goal Sort_min_sort_ensures_default_po_19:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Sort2_po2.why ==========
goal Sort_min_sort_ensures_default_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  ("JC_107": ("JC_104": Sorted(t_0, 0, i_3, intM_intP)))

========== file tests/java/why/Sort2_po20.why ==========
goal Sort_min_sort_ensures_default_po_20:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))))

========== file tests/java/why/Sort2_po21.why ==========
goal Sort_min_sort_ensures_default_po_21:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  forall k_0:int.
  ((i_3_0 <= k_0) and (k_0 < j_2_1)) ->
  ("JC_118": ("JC_116": (select(intM_intP0, shift(t_0, k_0)) >= mv0)))

========== file tests/java/why/Sort2_po22.why ==========
goal Sort_min_sort_ensures_default_po_22:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118":
  ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)))

========== file tests/java/why/Sort2_po23.why ==========
goal Sort_min_sort_ensures_default_po_23:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  ("JC_107": ("JC_103": (0 <= i_3_1)))

========== file tests/java/why/Sort2_po24.why ==========
goal Sort_min_sort_ensures_default_po_24:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  ("JC_107": ("JC_104": Sorted(t_0, 0, i_3_1, intM_intP1)))

========== file tests/java/why/Sort2_po25.why ==========
goal Sort_min_sort_ensures_default_po_25:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and
   ((k1 < i_3_1) and
    ((i_3_1 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ("JC_107":
  ("JC_105": (select(intM_intP1, shift(t_0, k1)) <= select(intM_intP1,
  shift(t_0, k2)))))

========== file tests/java/why/Sort2_po26.why ==========
goal Sort_min_sort_ensures_default_po_26:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  ("JC_107":
  ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP1, intM_intP)))

========== file tests/java/why/Sort2_po27.why ==========
goal Sort_min_sort_ensures_default_po_27:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 >= (result - 1)) ->
  ("JC_71":
  ("JC_69": Sorted(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0)))

========== file tests/java/why/Sort2_po28.why ==========
goal Sort_min_sort_ensures_default_po_28:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 >= (result - 1)) ->
  ("JC_71":
  ("JC_70": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)))

========== file tests/java/why/Sort2_po29.why ==========
goal Sort_min_sort_safety_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1))

========== file tests/java/why/Sort2_po3.why ==========
goal Sort_min_sort_ensures_default_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and
   ((k1 < i_3) and
    ((i_3 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ("JC_107":
  ("JC_105": (select(intM_intP, shift(t_0, k1)) <= select(intM_intP,
  shift(t_0, k2)))))

========== file tests/java/why/Sort2_po30.why ==========
goal Sort_min_sort_safety_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  (offset_min(Object_alloc_table, t_0) <= i_3_0)

========== file tests/java/why/Sort2_po31.why ==========
goal Sort_min_sort_safety_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  (i_3_0 <= offset_max(Object_alloc_table, t_0))

========== file tests/java/why/Sort2_po32.why ==========
goal Sort_min_sort_safety_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_96": true) ->
  ("JC_94":
  (("JC_88": (i_3_0 < j_2_0)) and
   (("JC_89": (i_3_0 <= mi0)) and
    (("JC_90": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_91": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_92":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_93": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  (offset_min(Object_alloc_table, t_0) <= j_2_0)

========== file tests/java/why/Sort2_po33.why ==========
goal Sort_min_sort_safety_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_96": true) ->
  ("JC_94":
  (("JC_88": (i_3_0 < j_2_0)) and
   (("JC_89": (i_3_0 <= mi0)) and
    (("JC_90": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_91": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_92":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_93": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  (j_2_0 <= offset_max(Object_alloc_table, t_0))

========== file tests/java/why/Sort2_po34.why ==========
goal Sort_min_sort_safety_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_96": true) ->
  ("JC_94":
  (("JC_88": (i_3_0 < j_2_0)) and
   (("JC_89": (i_3_0 <= mi0)) and
    (("JC_90": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_91": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_92":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_93": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_39": Non_null_intM(t_0, Object_alloc_table)))

========== file tests/java/why/Sort2_po35.why ==========
goal Sort_min_sort_safety_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_96": true) ->
  ("JC_94":
  (("JC_88": (i_3_0 < j_2_0)) and
   (("JC_89": (i_3_0 <= mi0)) and
    (("JC_90": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_91": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_92":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_93": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_41": (i_3_0 < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Sort2_po36.why ==========
goal Sort_min_sort_safety_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_96": true) ->
  ("JC_94":
  (("JC_88": (i_3_0 < j_2_0)) and
   (("JC_89": (i_3_0 <= mi0)) and
    (("JC_90": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_91": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_92":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_93": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_42": (0 <= mi0)))

========== file tests/java/why/Sort2_po37.why ==========
goal Sort_min_sort_safety_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_96": true) ->
  ("JC_94":
  (("JC_88": (i_3_0 < j_2_0)) and
   (("JC_89": (i_3_0 <= mi0)) and
    (("JC_90": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_91": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_92":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_93": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_43": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Sort2_po38.why ==========
goal Sort_swap_ensures_default_po_1:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t, j_1))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, i_2), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, j_1), result)) ->
  ("JC_55": ("JC_53": Swap(t, i_2, j_1, intM_intP1, intM_intP)))

========== file tests/java/why/Sort2_po39.why ==========
goal Sort_swap_ensures_default_po_2:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t, j_1))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, i_2), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, j_1), result)) ->
  ("JC_55":
  ("JC_54": not_assigns(Object_alloc_table, intM_intP, intM_intP1,
  pset_union(pset_range(pset_singleton(t), j_1, j_1),
  pset_range(pset_singleton(t), i_2, i_2)))))

========== file tests/java/why/Sort2_po4.why ==========
goal Sort_min_sort_ensures_default_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  ("JC_107":
  ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP, intM_intP)))

========== file tests/java/why/Sort2_po40.why ==========
goal Sort_swap_safety_po_1:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  (offset_min(Object_alloc_table, t) <= i_2)

========== file tests/java/why/Sort2_po41.why ==========
goal Sort_swap_safety_po_2:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  (i_2 <= offset_max(Object_alloc_table, t))

========== file tests/java/why/Sort2_po42.why ==========
goal Sort_swap_safety_po_3:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  ((offset_min(Object_alloc_table, t) <= i_2) and
   (i_2 <= offset_max(Object_alloc_table, t))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  (offset_min(Object_alloc_table, t) <= j_1)

========== file tests/java/why/Sort2_po43.why ==========
goal Sort_swap_safety_po_4:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  ((offset_min(Object_alloc_table, t) <= i_2) and
   (i_2 <= offset_max(Object_alloc_table, t))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  (j_1 <= offset_max(Object_alloc_table, t))

========== file tests/java/why/Sort2_po5.why ==========
goal Sort_min_sort_ensures_default_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_118": ("JC_112": (i_3_0 < j_2)))

========== file tests/java/why/Sort2_po6.why ==========
goal Sort_min_sort_ensures_default_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_118": ("JC_113": (i_3_0 <= mi)))

========== file tests/java/why/Sort2_po7.why ==========
goal Sort_min_sort_ensures_default_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_118": ("JC_114": (mi < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Sort2_po8.why ==========
goal Sort_min_sort_ensures_default_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_118": ("JC_115": (mv = select(intM_intP0, shift(t_0, mi)))))

========== file tests/java/why/Sort2_po9.why ==========
goal Sort_min_sort_ensures_default_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall k_0:int.
  ((i_3_0 <= k_0) and (k_0 < j_2)) ->
  ("JC_118": ("JC_116": (select(intM_intP0, shift(t_0, k_0)) >= mv)))

========== generation of Simplify VC output ==========
why -simplify [...] why/Sort2.why
========== file tests/java/simplify/Sort2_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom Sort_parenttag_Object
 (EQ (parenttag Sort_tag Object_tag) |@true|))

(DEFPRED (Sorted a l h intM_intP_at_L)
  (FORALL (i)
  (IMPLIES (AND (<= l i) (< i h))
  (<= (select intM_intP_at_L (shift a i)) (select
                                          intM_intP_at_L (shift a (+ i 1)))))))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(DEFPRED (Swap a_0 i_0 j intM_intP_at_L2 intM_intP_at_L1)
  (AND
  (EQ (select intM_intP_at_L1 (shift a_0 i_0))
  (select intM_intP_at_L2 (shift a_0 j)))
  (AND
  (EQ (select intM_intP_at_L1 (shift a_0 j))
  (select intM_intP_at_L2 (shift a_0 i_0)))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i_0) (NEQ k j))
  (EQ (select intM_intP_at_L1 (shift a_0 k))
  (select intM_intP_at_L2 (shift a_0 k))))))))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Sort p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Sort p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Sort p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Sort p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom Permut_swap
 (FORALL (intM_intP_at_L2 intM_intP_at_L1 a_5 l_4 h_4 i_1 j_0)
 (IMPLIES
 (AND (<= l_4 i_1)
 (AND (<= i_1 h_4)
 (AND (<= l_4 j_0)
 (AND (<= j_0 h_4) (Swap a_5 i_1 j_0 intM_intP_at_L2 intM_intP_at_L1)))))
 (EQ (Permut a_5 l_4 h_4 intM_intP_at_L2 intM_intP_at_L1) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_trans
 (FORALL (intM_intP_at_L3 intM_intP_at_L2 intM_intP_at_L1 a_4 l_3 h_3)
 (IMPLIES
 (AND (EQ (Permut a_4 l_3 h_3 intM_intP_at_L2 intM_intP_at_L1) |@true|)
 (EQ (Permut a_4 l_3 h_3 intM_intP_at_L3 intM_intP_at_L2) |@true|))
 (EQ (Permut a_4 l_3 h_3 intM_intP_at_L3 intM_intP_at_L1) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_sym
 (FORALL (intM_intP_at_L2 intM_intP_at_L1 a_3 l_2 h_2)
 (IMPLIES (EQ (Permut a_3 l_2 h_2 intM_intP_at_L2 intM_intP_at_L1) |@true|)
 (EQ (Permut a_3 l_2 h_2 intM_intP_at_L1 intM_intP_at_L2) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_refl
 (FORALL (intM_intP_at_L a_2 l_1 h_1)
 (EQ (Permut a_2 l_1 h_1 intM_intP_at_L intM_intP_at_L) |@true|)))

;; Sort_min_sort_ensures_default_po_1, File "HOME/tests/java/Sort2.java", line 85, characters 20-26
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3) (IMPLIES (EQ i_3 0) (<= 0 i_3)))))))

;; Sort_min_sort_ensures_default_po_2, File "HOME/tests/java/Sort2.java", line 85, characters 30-43
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3) (IMPLIES (EQ i_3 0) (Sorted t_0 0 i_3 intM_intP))))))))

;; Sort_min_sort_ensures_default_po_3, File "HOME/tests/java/Sort2.java", line 86, characters 8-90
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (k1)
(FORALL (k2)
(IMPLIES (AND (<= 0 k1)
         (AND (< k1 i_3)
         (AND (<= i_3 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
(<= (select intM_intP (shift t_0 k1)) (select intM_intP (shift t_0 k2)))))))))))))

;; Sort_min_sort_ensures_default_po_4, File "HOME/tests/java/Sort2.java", line 88, characters 9-41
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(EQ (Permut
t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP intM_intP) |@true|))))))))

;; Sort_min_sort_ensures_default_po_5, File "HOME/tests/java/Sort2.java", line 93, characters 24-29
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2) (IMPLIES (EQ j_2 (+ i_3_0 1)) (< i_3_0 j_2))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_6, File "HOME/tests/java/Sort2.java", line 93, characters 33-40
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2) (IMPLIES (EQ j_2 (+ i_3_0 1)) (<= i_3_0 mi))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_7, File "HOME/tests/java/Sort2.java", line 93, characters 38-51
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(< mi (+ (offset_max Object_alloc_table t_0) 1)))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_8, File "HOME/tests/java/Sort2.java", line 94, characters 9-20
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1)) (EQ mv (select intM_intP0 (shift t_0 mi))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_9, File "HOME/tests/java/Sort2.java", line 95, characters 12-56
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (k_0)
(IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2))
(>= (select intM_intP0 (shift t_0 k_0)) mv))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_10, File "HOME/tests/java/Sort2.java", line 96, characters 9-41
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(EQ (Permut
t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_11, File "HOME/tests/java/Sort2.java", line 93, characters 24-29
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (< result2 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_2_0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP0 (shift t_0 j_2_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result3)
(FORALL (j_2_1) (IMPLIES (EQ j_2_1 (+ j_2_0 1)) (< i_3_0 j_2_1))))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_12, File "HOME/tests/java/Sort2.java", line 93, characters 33-40
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (< result2 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_2_0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP0 (shift t_0 j_2_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result3)
(FORALL (j_2_1) (IMPLIES (EQ j_2_1 (+ j_2_0 1)) (<= i_3_0 mi1))))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_13, File "HOME/tests/java/Sort2.java", line 93, characters 38-51
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (< result2 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_2_0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP0 (shift t_0 j_2_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result3)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1))
(< mi1 (+ (offset_max Object_alloc_table t_0) 1)))))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_14, File "HOME/tests/java/Sort2.java", line 94, characters 9-20
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (< result2 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_2_0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP0 (shift t_0 j_2_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result3)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1)) (EQ mv1 (select intM_intP0 (shift t_0 mi1))))))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_15, File "HOME/tests/java/Sort2.java", line 95, characters 12-56
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (< result2 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_2_0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP0 (shift t_0 j_2_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result3)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1))
(FORALL (k_0)
(IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_1))
(>= (select intM_intP0 (shift t_0 k_0)) mv1))))))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_16, File "HOME/tests/java/Sort2.java", line 96, characters 9-41
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (< result2 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_2_0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP0 (shift t_0 j_2_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result3)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1))
(EQ (Permut
t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_17, File "HOME/tests/java/Sort2.java", line 93, characters 24-29
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (>= result2 mv0)
(FORALL (j_2_1) (IMPLIES (EQ j_2_1 (+ j_2_0 1)) (< i_3_0 j_2_1))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_18, File "HOME/tests/java/Sort2.java", line 93, characters 33-40
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (>= result2 mv0)
(FORALL (j_2_1) (IMPLIES (EQ j_2_1 (+ j_2_0 1)) (<= i_3_0 mi0))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_19, File "HOME/tests/java/Sort2.java", line 93, characters 38-51
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (>= result2 mv0)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1))
(< mi0 (+ (offset_max Object_alloc_table t_0) 1)))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_20, File "HOME/tests/java/Sort2.java", line 94, characters 9-20
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (>= result2 mv0)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1)) (EQ mv0 (select intM_intP0 (shift t_0 mi0))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_21, File "HOME/tests/java/Sort2.java", line 95, characters 12-56
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (>= result2 mv0)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1))
(FORALL (k_0)
(IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_1))
(>= (select intM_intP0 (shift t_0 k_0)) mv0))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_22, File "HOME/tests/java/Sort2.java", line 96, characters 9-41
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (>= result2 mv0)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1))
(EQ (Permut
t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_23, File "HOME/tests/java/Sort2.java", line 85, characters 20-26
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1)
(FORALL (intM_intP1)
(IMPLIES (AND (Swap t_0 i_3_0 mi0 intM_intP1 intM_intP0)
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_0) mi0 mi0) 
                                                  (pset_range
                                                  (pset_singleton t_0) i_3_0 i_3_0))))
(FORALL (i_3_1) (IMPLIES (EQ i_3_1 (+ i_3_0 1)) (<= 0 i_3_1)))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_24, File "HOME/tests/java/Sort2.java", line 85, characters 30-43
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1)
(FORALL (intM_intP1)
(IMPLIES (AND (Swap t_0 i_3_0 mi0 intM_intP1 intM_intP0)
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_0) mi0 mi0) 
                                                  (pset_range
                                                  (pset_singleton t_0) i_3_0 i_3_0))))
(FORALL (i_3_1)
(IMPLIES (EQ i_3_1 (+ i_3_0 1)) (Sorted t_0 0 i_3_1 intM_intP1)))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_25, File "HOME/tests/java/Sort2.java", line 86, characters 8-90
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1)
(FORALL (intM_intP1)
(IMPLIES (AND (Swap t_0 i_3_0 mi0 intM_intP1 intM_intP0)
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_0) mi0 mi0) 
                                                  (pset_range
                                                  (pset_singleton t_0) i_3_0 i_3_0))))
(FORALL (i_3_1)
(IMPLIES (EQ i_3_1 (+ i_3_0 1))
(FORALL (k1)
(FORALL (k2)
(IMPLIES (AND (<= 0 k1)
         (AND (< k1 i_3_1)
         (AND (<= i_3_1 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
(<= (select intM_intP1 (shift t_0 k1)) (select intM_intP1 (shift t_0 k2))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_26, File "HOME/tests/java/Sort2.java", line 88, characters 9-41
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1)
(FORALL (intM_intP1)
(IMPLIES (AND (Swap t_0 i_3_0 mi0 intM_intP1 intM_intP0)
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_0) mi0 mi0) 
                                                  (pset_range
                                                  (pset_singleton t_0) i_3_0 i_3_0))))
(FORALL (i_3_1)
(IMPLIES (EQ i_3_1 (+ i_3_0 1))
(EQ (Permut
t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP1 intM_intP) |@true|)))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_27, File "HOME/tests/java/Sort2.java", line 80, characters 16-38
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= i_3_0 (- result 1))
(Sorted t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0))))))))))))))

;; Sort_min_sort_ensures_default_po_28, File "HOME/tests/java/Sort2.java", line 80, characters 42-74
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= i_3_0 (- result 1))
(EQ (Permut
t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))))))))))

;; Sort_min_sort_safety_po_1, File "why/Sort2.why", line 839, characters 44-195
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(>= (offset_max Object_alloc_table t_0) (- 0 1)))))))))))))

;; Sort_min_sort_safety_po_2, File "HOME/tests/java/Sort2.java", line 92, characters 10-14
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(<= (offset_min Object_alloc_table t_0) i_3_0))))))))))))))))

;; Sort_min_sort_safety_po_3, File "HOME/tests/java/Sort2.java", line 92, characters 10-14
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(<= i_3_0 (offset_max Object_alloc_table t_0)))))))))))))))))

;; Sort_min_sort_safety_po_4, File "HOME/tests/java/Sort2.java", line 99, characters 6-10
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_3_0)
         (<= i_3_0 (offset_max Object_alloc_table t_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1) (<= (offset_min Object_alloc_table t_0) j_2_0))))))))))))))))))))))))))))))))))

;; Sort_min_sort_safety_po_5, File "HOME/tests/java/Sort2.java", line 99, characters 6-10
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_3_0)
         (<= i_3_0 (offset_max Object_alloc_table t_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1) (<= j_2_0 (offset_max Object_alloc_table t_0)))))))))))))))))))))))))))))))))))

;; Sort_min_sort_safety_po_6, File "HOME/tests/java/Sort2.jc", line 214, characters 29-60
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_3_0)
         (<= i_3_0 (offset_max Object_alloc_table t_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1) (Non_null_intM t_0 Object_alloc_table))))))))))))))))))))))))))))))))))

;; Sort_min_sort_safety_po_7, File "HOME/tests/java/Sort2.jc", line 214, characters 29-60
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_3_0)
         (<= i_3_0 (offset_max Object_alloc_table t_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1)
(< i_3_0 (+ (offset_max Object_alloc_table t_0) 1)))))))))))))))))))))))))))))))))))

;; Sort_min_sort_safety_po_8, File "HOME/tests/java/Sort2.jc", line 214, characters 29-60
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_3_0)
         (<= i_3_0 (offset_max Object_alloc_table t_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1) (<= 0 mi0))))))))))))))))))))))))))))))))))

;; Sort_min_sort_safety_po_9, File "HOME/tests/java/Sort2.jc", line 214, characters 29-60
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_3_0)
         (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (AND
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2)))))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_3_0)
         (<= i_3_0 (offset_max Object_alloc_table t_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (AND (< mi0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0)))
         (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|))))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1)
(< mi0 (+ (offset_max Object_alloc_table t_0) 1)))))))))))))))))))))))))))))))))))

;; Sort_swap_ensures_default_po_1, File "HOME/tests/java/Sort2.java", line 71, characters 16-37
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_Sort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i_2)
         (AND (< i_2 (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 j_1) (< j_1 (+ (offset_max Object_alloc_table t) 1))))))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t i_2)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t j_1)))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t i_2) result0))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t j_1) result))
(Swap t i_2 j_1 intM_intP1 intM_intP))))))))))))))))

;; Sort_swap_ensures_default_po_2, File "HOME/tests/java/Sort2.java", line 73, characters 9-13
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_Sort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i_2)
         (AND (< i_2 (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 j_1) (< j_1 (+ (offset_max Object_alloc_table t) 1))))))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t i_2)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t j_1)))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t i_2) result0))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t j_1) result))
(not_assigns
Object_alloc_table intM_intP intM_intP1 (pset_union
                                        (pset_range
                                        (pset_singleton t) j_1 j_1) (pset_range
                                                                    (pset_singleton
                                                                    t) i_2 i_2))))))))))))))))))

;; Sort_swap_safety_po_1, File "HOME/tests/java/Sort2.java", line 74, characters 11-15
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_1)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_Sort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i_2)
         (AND (< i_2 (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 j_1) (< j_1 (+ (offset_max Object_alloc_table t) 1))))))))
(<= (offset_min Object_alloc_table t) i_2)))))))

;; Sort_swap_safety_po_2, File "HOME/tests/java/Sort2.java", line 74, characters 11-15
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_1)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_Sort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i_2)
         (AND (< i_2 (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 j_1) (< j_1 (+ (offset_max Object_alloc_table t) 1))))))))
(<= i_2 (offset_max Object_alloc_table t))))))))

;; Sort_swap_safety_po_3, File "HOME/tests/java/Sort2.java", line 75, characters 8-12
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_Sort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i_2)
         (AND (< i_2 (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 j_1) (< j_1 (+ (offset_max Object_alloc_table t) 1))))))))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) i_2)
         (<= i_2 (offset_max Object_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t i_2)))
(<= (offset_min Object_alloc_table t) j_1)))))))))))

;; Sort_swap_safety_po_4, File "HOME/tests/java/Sort2.java", line 75, characters 8-12
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_Sort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i_2)
         (AND (< i_2 (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 j_1) (< j_1 (+ (offset_max Object_alloc_table t) 1))))))))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) i_2)
         (<= i_2 (offset_max Object_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t i_2)))
(<= j_1 (offset_max Object_alloc_table t))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Sort2_why.sx         : .........................?................. (42/0/1/0/0)
total   :  43
valid   :  42 ( 98%)
invalid :   0 (  0%)
unknown :   1 (  2%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Sort2.why
========== file tests/java/why/Sort2_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic Permut : Object pointer, int, int, (Object, int) memory, (Object,
int) memory -> prop

logic Sort_tag : Object tag_id

axiom Sort_parenttag_Object: parenttag(Sort_tag, Object_tag)

predicate Sorted(a: Object pointer, l: int, h: int, intM_intP_at_L: (Object,
  int) memory) =
  (forall i:int.
    (((l <= i) and (i < h)) -> (select(intM_intP_at_L, shift(a,
     i)) <= select(intM_intP_at_L, shift(a, (i + 1))))))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

predicate Swap(a_0: Object pointer, i_0: int, j: int,
  intM_intP_at_L2: (Object, int) memory, intM_intP_at_L1: (Object,
  int) memory) =
  ((select(intM_intP_at_L1, shift(a_0, i_0)) = select(intM_intP_at_L2,
   shift(a_0, j))) and
   ((select(intM_intP_at_L1, shift(a_0, j)) = select(intM_intP_at_L2,
    shift(a_0, i_0))) and
    (forall k:int.
      (((k <> i_0) and (k <> j)) -> (select(intM_intP_at_L1, shift(a_0,
       k)) = select(intM_intP_at_L2, shift(a_0, k)))))))

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Sort(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Sort(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Sort(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Sort(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom Permut_swap:
  (forall intM_intP_at_L2:(Object, int) memory.
    (forall intM_intP_at_L1:(Object, int) memory.
      (forall a_5:Object pointer.
        (forall l_4:int.
          (forall h_4:int.
            (forall i_1:int.
              (forall j_0:int.
                (((l_4 <= i_1) and
                  ((i_1 <= h_4) and
                   ((l_4 <= j_0) and
                    ((j_0 <= h_4) and Swap(a_5, i_1, j_0, intM_intP_at_L2,
                     intM_intP_at_L1))))) ->
                 Permut(a_5, l_4, h_4, intM_intP_at_L2, intM_intP_at_L1)))))))))

axiom Permut_trans:
  (forall intM_intP_at_L3:(Object, int) memory.
    (forall intM_intP_at_L2:(Object, int) memory.
      (forall intM_intP_at_L1:(Object, int) memory.
        (forall a_4:Object pointer.
          (forall l_3:int.
            (forall h_3:int.
              ((Permut(a_4, l_3, h_3, intM_intP_at_L2, intM_intP_at_L1) and
                Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L2)) ->
               Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L1))))))))

axiom Permut_sym:
  (forall intM_intP_at_L2:(Object, int) memory.
    (forall intM_intP_at_L1:(Object, int) memory.
      (forall a_3:Object pointer.
        (forall l_2:int.
          (forall h_2:int.
            (Permut(a_3, l_2, h_2, intM_intP_at_L2, intM_intP_at_L1) ->
             Permut(a_3, l_2, h_2, intM_intP_at_L1, intM_intP_at_L2)))))))

axiom Permut_refl:
  (forall intM_intP_at_L:(Object, int) memory.
    (forall a_2:Object pointer.
      (forall l_1:int.
        (forall h_1:int. Permut(a_2, l_1, h_1, intM_intP_at_L,
          intM_intP_at_L)))))

goal Sort_min_sort_ensures_default_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  ("JC_107": ("JC_103": (0 <= i_3)))

goal Sort_min_sort_ensures_default_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  ("JC_107": ("JC_104": Sorted(t_0, 0, i_3, intM_intP)))

goal Sort_min_sort_ensures_default_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and
   ((k1 < i_3) and
    ((i_3 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ("JC_107":
  ("JC_105": (select(intM_intP, shift(t_0, k1)) <= select(intM_intP,
  shift(t_0, k2)))))

goal Sort_min_sort_ensures_default_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  ("JC_107":
  ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP, intM_intP)))

goal Sort_min_sort_ensures_default_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_118": ("JC_112": (i_3_0 < j_2)))

goal Sort_min_sort_ensures_default_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_118": ("JC_113": (i_3_0 <= mi)))

goal Sort_min_sort_ensures_default_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_118": ("JC_114": (mi < (offset_max(Object_alloc_table, t_0) + 1))))

goal Sort_min_sort_ensures_default_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_118": ("JC_115": (mv = select(intM_intP0, shift(t_0, mi)))))

goal Sort_min_sort_ensures_default_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall k_0:int.
  ((i_3_0 <= k_0) and (k_0 < j_2)) ->
  ("JC_118": ("JC_116": (select(intM_intP0, shift(t_0, k_0)) >= mv)))

goal Sort_min_sort_ensures_default_po_10:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_118":
  ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)))

goal Sort_min_sort_ensures_default_po_11:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_112": (i_3_0 < j_2_1)))

goal Sort_min_sort_ensures_default_po_12:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_113": (i_3_0 <= mi1)))

goal Sort_min_sort_ensures_default_po_13:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_114": (mi1 < (offset_max(Object_alloc_table, t_0) + 1))))

goal Sort_min_sort_ensures_default_po_14:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_115": (mv1 = select(intM_intP0, shift(t_0, mi1)))))

goal Sort_min_sort_ensures_default_po_15:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  forall k_0:int.
  ((i_3_0 <= k_0) and (k_0 < j_2_1)) ->
  ("JC_118": ("JC_116": (select(intM_intP0, shift(t_0, k_0)) >= mv1)))

goal Sort_min_sort_ensures_default_po_16:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118":
  ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)))

goal Sort_min_sort_ensures_default_po_17:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_112": (i_3_0 < j_2_1)))

goal Sort_min_sort_ensures_default_po_18:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_113": (i_3_0 <= mi0)))

goal Sort_min_sort_ensures_default_po_19:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))))

goal Sort_min_sort_ensures_default_po_20:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118": ("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))))

goal Sort_min_sort_ensures_default_po_21:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  forall k_0:int.
  ((i_3_0 <= k_0) and (k_0 < j_2_1)) ->
  ("JC_118": ("JC_116": (select(intM_intP0, shift(t_0, k_0)) >= mv0)))

goal Sort_min_sort_ensures_default_po_22:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_118":
  ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)))

goal Sort_min_sort_ensures_default_po_23:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  ("JC_107": ("JC_103": (0 <= i_3_1)))

goal Sort_min_sort_ensures_default_po_24:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  ("JC_107": ("JC_104": Sorted(t_0, 0, i_3_1, intM_intP1)))

goal Sort_min_sort_ensures_default_po_25:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and
   ((k1 < i_3_1) and
    ((i_3_1 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ("JC_107":
  ("JC_105": (select(intM_intP1, shift(t_0, k1)) <= select(intM_intP1,
  shift(t_0, k2)))))

goal Sort_min_sort_ensures_default_po_26:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_118":
  (("JC_112": (i_3_0 < j_2_0)) and
   (("JC_113": (i_3_0 <= mi0)) and
    (("JC_114": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_115": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_116":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_117": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  ("JC_107":
  ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP1, intM_intP)))

goal Sort_min_sort_ensures_default_po_27:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 >= (result - 1)) ->
  ("JC_71":
  ("JC_69": Sorted(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0)))

goal Sort_min_sort_ensures_default_po_28:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_107":
  (("JC_103": (0 <= i_3_0)) and
   (("JC_104": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_105":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_106": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 >= (result - 1)) ->
  ("JC_71":
  ("JC_70": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)))

goal Sort_min_sort_safety_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1))

goal Sort_min_sort_safety_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  (offset_min(Object_alloc_table, t_0) <= i_3_0)

goal Sort_min_sort_safety_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  (i_3_0 <= offset_max(Object_alloc_table, t_0))

goal Sort_min_sort_safety_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_96": true) ->
  ("JC_94":
  (("JC_88": (i_3_0 < j_2_0)) and
   (("JC_89": (i_3_0 <= mi0)) and
    (("JC_90": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_91": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_92":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_93": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  (offset_min(Object_alloc_table, t_0) <= j_2_0)

goal Sort_min_sort_safety_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_96": true) ->
  ("JC_94":
  (("JC_88": (i_3_0 < j_2_0)) and
   (("JC_89": (i_3_0 <= mi0)) and
    (("JC_90": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_91": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_92":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_93": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  (j_2_0 <= offset_max(Object_alloc_table, t_0))

goal Sort_min_sort_safety_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_96": true) ->
  ("JC_94":
  (("JC_88": (i_3_0 < j_2_0)) and
   (("JC_89": (i_3_0 <= mi0)) and
    (("JC_90": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_91": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_92":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_93": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_39": Non_null_intM(t_0, Object_alloc_table)))

goal Sort_min_sort_safety_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_96": true) ->
  ("JC_94":
  (("JC_88": (i_3_0 < j_2_0)) and
   (("JC_89": (i_3_0 <= mi0)) and
    (("JC_90": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_91": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_92":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_93": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_41": (i_3_0 < (offset_max(Object_alloc_table, t_0) + 1))))

goal Sort_min_sort_safety_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_96": true) ->
  ("JC_94":
  (("JC_88": (i_3_0 < j_2_0)) and
   (("JC_89": (i_3_0 <= mi0)) and
    (("JC_90": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_91": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_92":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_93": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_42": (0 <= mi0)))

goal Sort_min_sort_safety_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_83": true) ->
  ("JC_81":
  (("JC_77": (0 <= i_3_0)) and
   (("JC_78": Sorted(t_0, 0, i_3_0, intM_intP0)) and
    (("JC_79":
     (forall k1:int.
       (forall k2:int.
         (((0 <= k1) and
           ((k1 < i_3_0) and
            ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table,
             t_0) + 1))))) ->
          (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0,
          shift(t_0, k2))))))) and
     ("JC_80": Permut(t_0, 0, ((offset_max(Object_alloc_table,
     t_0) + 1) - 1), intM_intP0, intM_intP)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_96": true) ->
  ("JC_94":
  (("JC_88": (i_3_0 < j_2_0)) and
   (("JC_89": (i_3_0 <= mi0)) and
    (("JC_90": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_91": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
      (("JC_92":
       (forall k_0:int.
         (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0,
          shift(t_0, k_0)) >= mv0)))) and
       ("JC_93": Permut(t_0, 0, ((offset_max(Object_alloc_table,
       t_0) + 1) - 1), intM_intP0, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_43": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))))

goal Sort_swap_ensures_default_po_1:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t, j_1))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, i_2), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, j_1), result)) ->
  ("JC_55": ("JC_53": Swap(t, i_2, j_1, intM_intP1, intM_intP)))

goal Sort_swap_ensures_default_po_2:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t, j_1))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, i_2), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, j_1), result)) ->
  ("JC_55":
  ("JC_54": not_assigns(Object_alloc_table, intM_intP, intM_intP1,
  pset_union(pset_range(pset_singleton(t), j_1, j_1),
  pset_range(pset_singleton(t), i_2, i_2)))))

goal Sort_swap_safety_po_1:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  (offset_min(Object_alloc_table, t) <= i_2)

goal Sort_swap_safety_po_2:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  (i_2 <= offset_max(Object_alloc_table, t))

goal Sort_swap_safety_po_3:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  ((offset_min(Object_alloc_table, t) <= i_2) and
   (i_2 <= offset_max(Object_alloc_table, t))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  (offset_min(Object_alloc_table, t) <= j_1)

goal Sort_swap_safety_po_4:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  ((offset_min(Object_alloc_table, t) <= i_2) and
   (i_2 <= offset_max(Object_alloc_table, t))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  (j_1 <= offset_max(Object_alloc_table, t))

why-2.34/tests/java/oracle/PreAndOld.res.oracle0000644000175000017500000040205312311670312017740 0ustar  rtusers========== file tests/java/PreAndOld.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

//@ logic integer f{L}(integer n) = n+PreAndOld.y;


class PreAndOld {

    static int y;

    /*@ ensures \result == \old(f(x))
      @      && \result == f{Old}(x)
      @      && \result == \at(f(x),Pre);
      @*/
    int g(int x) {
        int tmp = y;
        y = 12;
        return x+tmp;
    }
}





/*
Local Variables:
compile-command: "make PreAndOld.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_PreAndOld for constructor PreAndOld
Generating JC function PreAndOld_g for method PreAndOld.g
Done.
========== file tests/java/PreAndOld.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag PreAndOld = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

integer PreAndOld_y;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

logic integer f{L}(integer n) =
(n + PreAndOld_y)

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_PreAndOld(! PreAndOld[0] this_1){()}

integer PreAndOld_g(PreAndOld[0] this_0, integer x)
behavior default:
  ensures (K_5 : ((K_4 : ((K_3 : (\result == \at(f{Old}(x),Old))) &&
                           (K_2 : (\result == f{Old}(x))))) &&
                   (K_1 : (\result == \at(f{Old}(x),Old)))));
{  
   {  
      (var integer tmp = (K_7 : PreAndOld_y));
      
      {  (PreAndOld_y = 12);
         
         (return (K_6 : (x + tmp)))
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/PreAndOld.jloc tests/java/PreAndOld.jc && make -f tests/java/PreAndOld.makefile gui"
End:
*/
========== file tests/java/PreAndOld.jloc ==========
[K_1]
file = "HOME/tests/java/PreAndOld.java"
line = 44
begin = 16
end = 40

[PreAndOld_g]
name = "Method g"
file = "HOME/tests/java/PreAndOld.java"
line = 46
begin = 8
end = 9

[K_4]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 74

[K_2]
file = "HOME/tests/java/PreAndOld.java"
line = 43
begin = 16
end = 36

[K_6]
file = "HOME/tests/java/PreAndOld.java"
line = 49
begin = 15
end = 20

[K_3]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 37

[cons_PreAndOld]
name = "Constructor of class PreAndOld"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_5]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 115

[K_7]
file = "HOME/tests/java/PreAndOld.java"
line = 47
begin = 18
end = 19

========== jessie execution ==========
Generating Why function cons_PreAndOld
Generating Why function PreAndOld_g
========== file tests/java/PreAndOld.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs PreAndOld.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs PreAndOld.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/PreAndOld_why.sx

project: why/PreAndOld.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/PreAndOld_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/PreAndOld_why.vo

coq/PreAndOld_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/PreAndOld_why.v: why/PreAndOld.why
	@echo 'why -coq [...] why/PreAndOld.why' && $(WHY) $(JESSIELIBFILES) why/PreAndOld.why && rm -f coq/jessie_why.v

coq-goals: goals coq/PreAndOld_ctx_why.vo
	for f in why/*_po*.why; do make -f PreAndOld.makefile coq/`basename $$f .why`_why.v ; done

coq/PreAndOld_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/PreAndOld_ctx_why.v: why/PreAndOld_ctx.why
	@echo 'why -coq [...] why/PreAndOld_ctx.why' && $(WHY) why/PreAndOld_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export PreAndOld_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/PreAndOld_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/PreAndOld_ctx_why.vo

pvs: pvs/PreAndOld_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/PreAndOld_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/PreAndOld_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/PreAndOld_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/PreAndOld_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/PreAndOld_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/PreAndOld_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/PreAndOld_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/PreAndOld_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/PreAndOld_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/PreAndOld_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/PreAndOld_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/PreAndOld_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/PreAndOld_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/PreAndOld_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: PreAndOld.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/PreAndOld_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: PreAndOld.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: PreAndOld.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: PreAndOld.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include PreAndOld.depend

depend: coq/PreAndOld_why.v
	-$(COQDEP) -I coq coq/PreAndOld*_why.v > PreAndOld.depend

clean:
	rm -f coq/*.vo

========== file tests/java/PreAndOld.loc ==========
[JC_31]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 37

[JC_17]
file = "HOME/tests/java/PreAndOld.jc"
line = 39
begin = 11
end = 65

[PreAndOld_g_safety]
name = "Method g"
behavior = "Safety"
file = "HOME/tests/java/PreAndOld.java"
line = 46
begin = 8
end = 9

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/PreAndOld.jc"
line = 37
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[PreAndOld_g_ensures_default]
name = "Method g"
behavior = "default behavior"
file = "HOME/tests/java/PreAndOld.java"
line = 46
begin = 8
end = 9

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/PreAndOld.jc"
line = 37
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/PreAndOld.java"
line = 43
begin = 16
end = 36

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 37

[JC_27]
file = "HOME/tests/java/PreAndOld.java"
line = 46
begin = 8
end = 9

[JC_38]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 115

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/PreAndOld.java"
line = 43
begin = 16
end = 36

[JC_33]
file = "HOME/tests/java/PreAndOld.java"
line = 44
begin = 16
end = 40

[JC_29]
file = "HOME/tests/java/PreAndOld.java"
line = 46
begin = 8
end = 9

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PreAndOld_safety]
name = "Constructor of class PreAndOld"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/java/PreAndOld.java"
line = 42
begin = 16
end = 115

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/PreAndOld.jc"
line = 10
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/PreAndOld.java"
line = 44
begin = 16
end = 40

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PreAndOld_ensures_default]
name = "Constructor of class PreAndOld"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/PreAndOld.jc"
line = 39
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/PreAndOld.jc"
line = 10
begin = 12
end = 22

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/PreAndOld.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic PreAndOld_tag:  -> Object tag_id

axiom PreAndOld_parenttag_Object : parenttag(PreAndOld_tag, Object_tag)

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

function f(n:int, PreAndOld_y_at_L:int) : int = add_int(n, PreAndOld_y_at_L)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_PreAndOld(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_PreAndOld(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PreAndOld(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_PreAndOld(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

parameter PreAndOld_y : int ref

parameter PreAndOld_g :
 this_0:Object pointer ->
  x_2:int ->
   { } int reads Object_alloc_table,PreAndOld_y writes PreAndOld_y
   { (JC_38:
     ((JC_35: (result = f(x_2, PreAndOld_y@)))
     and ((JC_36: (result = f(x_2, PreAndOld_y@)))
         and (JC_37: (result = f(x_2, PreAndOld_y@)))))) }

parameter PreAndOld_g_requires :
 this_0:Object pointer ->
  x_2:int ->
   { } int reads Object_alloc_table,PreAndOld_y writes PreAndOld_y
   { (JC_38:
     ((JC_35: (result = f(x_2, PreAndOld_y@)))
     and ((JC_36: (result = f(x_2, PreAndOld_y@)))
         and (JC_37: (result = f(x_2, PreAndOld_y@)))))) }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_PreAndOld :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PreAndOld(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PreAndOld_tag)))) }

parameter alloc_struct_PreAndOld_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PreAndOld(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PreAndOld_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_PreAndOld :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_PreAndOld_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let PreAndOld_g_ensures_default =
 fun (this_0 : Object pointer) (x_2 : int) ->
  { valid_struct_PreAndOld(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let tmp = (K_7: !PreAndOld_y) in
     begin
       (let _jessie_ = (PreAndOld_y := (12)) in void);
      (return := (K_6: ((add_int x_2) tmp))); (raise Return) end); absurd 
   end with Return -> !return end))
  { (JC_34:
    ((JC_31: (result = f(x_2, PreAndOld_y@)))
    and ((JC_32: (result = f(x_2, PreAndOld_y@)))
        and (JC_33: (result = f(x_2, PreAndOld_y@)))))) }

let PreAndOld_g_safety =
 fun (this_0 : Object pointer) (x_2 : int) ->
  { valid_struct_PreAndOld(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let tmp = (K_7: !PreAndOld_y) in
     begin
       (let _jessie_ = (PreAndOld_y := (12)) in void);
      (return := (K_6: ((add_int x_2) tmp))); (raise Return) end); absurd 
   end with Return -> !return end)) { true }

let cons_PreAndOld_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_PreAndOld(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_PreAndOld_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_PreAndOld(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/PreAndOld.why
========== file tests/java/why/PreAndOld.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/PreAndOld_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic PreAndOld_tag : Object tag_id

axiom PreAndOld_parenttag_Object: parenttag(PreAndOld_tag, Object_tag)

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

function f(n: int, PreAndOld_y_at_L: int) : int = (n + PreAndOld_y_at_L)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_PreAndOld(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_PreAndOld(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_PreAndOld(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_PreAndOld(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/PreAndOld_po1.why ==========
goal PreAndOld_g_ensures_default_po_1:
  forall this_0:Object pointer.
  forall x_2:int.
  forall Object_alloc_table:Object alloc_table.
  forall PreAndOld_y:int.
  valid_struct_PreAndOld(this_0, 0, 0, Object_alloc_table) ->
  forall PreAndOld_y0:int.
  (PreAndOld_y0 = 12) ->
  forall return:int.
  (return = (x_2 + PreAndOld_y)) ->
  ("JC_34": ("JC_31": (return = f(x_2, PreAndOld_y))))

========== file tests/java/why/PreAndOld_po2.why ==========
goal PreAndOld_g_ensures_default_po_2:
  forall this_0:Object pointer.
  forall x_2:int.
  forall Object_alloc_table:Object alloc_table.
  forall PreAndOld_y:int.
  valid_struct_PreAndOld(this_0, 0, 0, Object_alloc_table) ->
  forall PreAndOld_y0:int.
  (PreAndOld_y0 = 12) ->
  forall return:int.
  (return = (x_2 + PreAndOld_y)) ->
  ("JC_34": ("JC_32": (return = f(x_2, PreAndOld_y))))

========== file tests/java/why/PreAndOld_po3.why ==========
goal PreAndOld_g_ensures_default_po_3:
  forall this_0:Object pointer.
  forall x_2:int.
  forall Object_alloc_table:Object alloc_table.
  forall PreAndOld_y:int.
  valid_struct_PreAndOld(this_0, 0, 0, Object_alloc_table) ->
  forall PreAndOld_y0:int.
  (PreAndOld_y0 = 12) ->
  forall return:int.
  (return = (x_2 + PreAndOld_y)) ->
  ("JC_34": ("JC_33": (return = f(x_2, PreAndOld_y))))

========== generation of Simplify VC output ==========
why -simplify [...] why/PreAndOld.why
========== file tests/java/simplify/PreAndOld_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom PreAndOld_parenttag_Object
 (EQ (parenttag PreAndOld_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom f_def
 (FORALL (n PreAndOld_y_at_L)
 (EQ (f n PreAndOld_y_at_L) (+ n PreAndOld_y_at_L))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_PreAndOld p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_PreAndOld p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_PreAndOld p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_PreAndOld p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; PreAndOld_g_ensures_default_po_1, File "HOME/tests/java/PreAndOld.java", line 42, characters 16-37
(FORALL (this_0)
(FORALL (x_2)
(FORALL (Object_alloc_table)
(FORALL (PreAndOld_y)
(IMPLIES (valid_struct_PreAndOld this_0 0 0 Object_alloc_table)
(FORALL (PreAndOld_y0)
(IMPLIES (EQ PreAndOld_y0 12)
(FORALL (return)
(IMPLIES (EQ return (+ x_2 PreAndOld_y)) (EQ return (f x_2 PreAndOld_y)))))))))))

;; PreAndOld_g_ensures_default_po_2, File "HOME/tests/java/PreAndOld.java", line 43, characters 16-36
(FORALL (this_0)
(FORALL (x_2)
(FORALL (Object_alloc_table)
(FORALL (PreAndOld_y)
(IMPLIES (valid_struct_PreAndOld this_0 0 0 Object_alloc_table)
(FORALL (PreAndOld_y0)
(IMPLIES (EQ PreAndOld_y0 12)
(FORALL (return)
(IMPLIES (EQ return (+ x_2 PreAndOld_y)) (EQ return (f x_2 PreAndOld_y)))))))))))

;; PreAndOld_g_ensures_default_po_3, File "HOME/tests/java/PreAndOld.java", line 44, characters 16-40
(FORALL (this_0)
(FORALL (x_2)
(FORALL (Object_alloc_table)
(FORALL (PreAndOld_y)
(IMPLIES (valid_struct_PreAndOld this_0 0 0 Object_alloc_table)
(FORALL (PreAndOld_y0)
(IMPLIES (EQ PreAndOld_y0 12)
(FORALL (return)
(IMPLIES (EQ return (+ x_2 PreAndOld_y)) (EQ return (f x_2 PreAndOld_y)))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/PreAndOld_why.sx     : ... (3/0/0/0/0)
total   :   3
valid   :   3 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/PreAndOld.why
========== file tests/java/why/PreAndOld_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic PreAndOld_tag : Object tag_id

axiom PreAndOld_parenttag_Object: parenttag(PreAndOld_tag, Object_tag)

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

function f(n: int, PreAndOld_y_at_L: int) : int = (n + PreAndOld_y_at_L)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_PreAndOld(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_PreAndOld(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_PreAndOld(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_PreAndOld(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal PreAndOld_g_ensures_default_po_1:
  forall this_0:Object pointer.
  forall x_2:int.
  forall Object_alloc_table:Object alloc_table.
  forall PreAndOld_y:int.
  valid_struct_PreAndOld(this_0, 0, 0, Object_alloc_table) ->
  forall PreAndOld_y0:int.
  (PreAndOld_y0 = 12) ->
  forall return:int.
  (return = (x_2 + PreAndOld_y)) ->
  ("JC_34": ("JC_31": (return = f(x_2, PreAndOld_y))))

goal PreAndOld_g_ensures_default_po_2:
  forall this_0:Object pointer.
  forall x_2:int.
  forall Object_alloc_table:Object alloc_table.
  forall PreAndOld_y:int.
  valid_struct_PreAndOld(this_0, 0, 0, Object_alloc_table) ->
  forall PreAndOld_y0:int.
  (PreAndOld_y0 = 12) ->
  forall return:int.
  (return = (x_2 + PreAndOld_y)) ->
  ("JC_34": ("JC_32": (return = f(x_2, PreAndOld_y))))

goal PreAndOld_g_ensures_default_po_3:
  forall this_0:Object pointer.
  forall x_2:int.
  forall Object_alloc_table:Object alloc_table.
  forall PreAndOld_y:int.
  valid_struct_PreAndOld(this_0, 0, 0, Object_alloc_table) ->
  forall PreAndOld_y0:int.
  (PreAndOld_y0 = 12) ->
  forall return:int.
  (return = (x_2 + PreAndOld_y)) ->
  ("JC_34": ("JC_33": (return = f(x_2, PreAndOld_y))))

why-2.34/tests/java/oracle/Assertion.err.oracle0000644000175000017500000000000012311670312020060 0ustar  rtuserswhy-2.34/tests/java/oracle/Literals.err.oracle0000644000175000017500000000000012311670312017670 0ustar  rtuserswhy-2.34/tests/java/oracle/NameConflicts.err.oracle0000644000175000017500000000000012311670312020636 0ustar  rtuserswhy-2.34/tests/java/oracle/TestNonNull.res.oracle0000644000175000017500000057010312311670312020357 0ustar  rtusers========== file tests/java/TestNonNull.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ NonNullByDefault = all


class TestNonNull {

    static final int N = 2;

    static int[] st;
    //@ static invariant st_length: st.length >= 4;

    int[] t;
    //@ invariant t_length: t.length >= 4;

    TestNonNull() {
	t = new int[5];
	//@ assert t.length == 5;
    }


    //@ requires t.length >= 4;
    void test(int[] t) {
	int _i = t[3];
	t[2] = 1;
	int _j = t[N];
	t[N + 1] = 1;
	st[3] == 1;
    }

}

/*
Local Variables:
compile-command: "make TestNonNull.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function TestNonNull_test for method TestNonNull.test
Generating JC function cons_TestNonNull for constructor TestNonNull
Done.
========== file tests/java/TestNonNull.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic int32 TestNonNull_N =
2

String[0..] any_string()
;

tag String = Object with {
}

tag TestNonNull = Object with {
  intM[0..-1] t;
  invariant t_length(this) = ((\offset_max(this.t) + 1) >= 4);
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

intM[0..-1] TestNonNull_st;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

invariant st_length :
((\offset_max(TestNonNull_st) + 1) >= 4)

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit TestNonNull_test(TestNonNull[0] this_0, intM[0..-1] t)
  requires (K_1 : ((\offset_max(t) + 1) >= 4));
{  
   {  
      (var int32 _i = (K_8 : (t + 3).intP));
      
      {  (K_2 : ((t + 2).intP = 1));
         
         {  
            (var int32 _j = (K_7 : (t + TestNonNull_N).intP));
            
            {  (K_4 : ((t + (K_3 : ((TestNonNull_N + 1) :> int32))).intP = 1));
               (K_6 : ((K_5 : (TestNonNull_st + 3).intP) == 1))
            }
         }
      }
   }
}

unit cons_TestNonNull(! TestNonNull[0] this_1)
{  (this_1.t = null);
   (K_9 : (this_1.t = (new intM[5])));
   (K_11 : 
   (assert (K_10 : ((\offset_max(this_1.t) + 1) == 5))))
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/TestNonNull.jloc tests/java/TestNonNull.jc && make -f tests/java/TestNonNull.makefile gui"
End:
*/
========== file tests/java/TestNonNull.jloc ==========
[K_11]
file = "HOME/tests/java/TestNonNull.java"
line = 47
begin = 12
end = 25

[K_9]
file = "HOME/tests/java/TestNonNull.java"
line = 46
begin = 1
end = 15

[K_1]
file = "HOME/tests/java/TestNonNull.java"
line = 51
begin = 17
end = 30

[K_4]
file = "HOME/tests/java/TestNonNull.java"
line = 56
begin = 1
end = 13

[K_2]
file = "HOME/tests/java/TestNonNull.java"
line = 54
begin = 1
end = 9

[K_10]
file = "HOME/tests/java/TestNonNull.java"
line = 47
begin = 12
end = 25

[K_6]
file = "HOME/tests/java/TestNonNull.java"
line = 57
begin = 1
end = 11

[K_8]
file = "HOME/tests/java/TestNonNull.java"
line = 53
begin = 10
end = 14

[K_3]
file = "HOME/tests/java/TestNonNull.java"
line = 56
begin = 3
end = 8

[cons_TestNonNull]
name = "Constructor of class TestNonNull"
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[TestNonNull_test]
name = "Method test"
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[K_5]
file = "HOME/tests/java/TestNonNull.java"
line = 57
begin = 1
end = 6

[K_7]
file = "HOME/tests/java/TestNonNull.java"
line = 55
begin = 10
end = 14

========== jessie execution ==========
Generating Why function TestNonNull_test
Generating Why function cons_TestNonNull
========== file tests/java/TestNonNull.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs TestNonNull.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs TestNonNull.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/TestNonNull_why.sx

project: why/TestNonNull.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/TestNonNull_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/TestNonNull_why.vo

coq/TestNonNull_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/TestNonNull_why.v: why/TestNonNull.why
	@echo 'why -coq [...] why/TestNonNull.why' && $(WHY) $(JESSIELIBFILES) why/TestNonNull.why && rm -f coq/jessie_why.v

coq-goals: goals coq/TestNonNull_ctx_why.vo
	for f in why/*_po*.why; do make -f TestNonNull.makefile coq/`basename $$f .why`_why.v ; done

coq/TestNonNull_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/TestNonNull_ctx_why.v: why/TestNonNull_ctx.why
	@echo 'why -coq [...] why/TestNonNull_ctx.why' && $(WHY) why/TestNonNull_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export TestNonNull_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/TestNonNull_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/TestNonNull_ctx_why.vo

pvs: pvs/TestNonNull_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/TestNonNull_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/TestNonNull_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/TestNonNull_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/TestNonNull_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/TestNonNull_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/TestNonNull_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/TestNonNull_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/TestNonNull_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/TestNonNull_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/TestNonNull_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/TestNonNull_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/TestNonNull_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/TestNonNull_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/TestNonNull_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: TestNonNull.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/TestNonNull_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: TestNonNull.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: TestNonNull.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: TestNonNull.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include TestNonNull.depend

depend: coq/TestNonNull_why.v
	-$(COQDEP) -I coq coq/TestNonNull*_why.v > TestNonNull.depend

clean:
	rm -f coq/*.vo

========== file tests/java/TestNonNull.loc ==========
[JC_73]
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_63]
kind = IndexBounds
file = "HOME/tests/java/TestNonNull.java"
line = 57
begin = 1
end = 6

[JC_80]
file = "HOME/tests/java/TestNonNull.java"
line = 47
begin = 12
end = 25

[JC_51]
file = "HOME/tests/java/TestNonNull.java"
line = 51
begin = 17
end = 30

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_64]
kind = IndexBounds
file = "HOME/tests/java/TestNonNull.jc"
line = 90
begin = 17
end = 33

[JC_31]
file = "HOME/tests/java/TestNonNull.jc"
line = 66
begin = 11
end = 103

[JC_17]
file = "HOME/tests/java/TestNonNull.jc"
line = 57
begin = 8
end = 21

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_23]
file = "HOME/tests/java/TestNonNull.jc"
line = 57
begin = 8
end = 21

[JC_22]
file = "HOME/tests/java/TestNonNull.jc"
line = 59
begin = 10
end = 18

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/TestNonNull.jc"
line = 26
begin = 12
end = 22

[JC_75]
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_24]
file = "HOME/tests/java/TestNonNull.jc"
line = 57
begin = 8
end = 21

[JC_25]
file = "HOME/tests/java/TestNonNull.jc"
line = 63
begin = 8
end = 30

[JC_78]
file = "HOME/tests/java/TestNonNull.java"
line = 47
begin = 12
end = 25

[JC_41]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[cons_TestNonNull_safety]
name = "Constructor of class TestNonNull"
behavior = "Safety"
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_74]
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_47]
file = "HOME/tests/java/TestNonNull.java"
line = 51
begin = 17
end = 30

[TestNonNull_test_safety]
name = "Method test"
behavior = "Safety"
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_52]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
kind = AllocSize
file = "HOME/tests/java/TestNonNull.jc"
line = 105
begin = 23
end = 34

[TestNonNull_test_ensures_default]
name = "Method test"
behavior = "default behavior"
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_13]
file = "HOME/tests/java/TestNonNull.jc"
line = 26
begin = 12
end = 22

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/TestNonNull.jc"
line = 57
begin = 8
end = 21

[cons_TestNonNull_ensures_default]
name = "Constructor of class TestNonNull"
behavior = "default behavior"
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_27]
file = "HOME/tests/java/TestNonNull.jc"
line = 63
begin = 8
end = 30

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_62]
kind = IndexBounds
file = "HOME/tests/java/TestNonNull.java"
line = 55
begin = 10
end = 14

[JC_42]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_46]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_61]
kind = IndexBounds
file = "HOME/tests/java/TestNonNull.java"
line = 53
begin = 10
end = 14

[JC_32]
file = "HOME/tests/java/TestNonNull.jc"
line = 65
begin = 10
end = 18

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/tests/java/TestNonNull.jc"
line = 63
begin = 8
end = 30

[JC_65]
kind = IndexBounds
file = "HOME/tests/java/TestNonNull.jc"
line = 95
begin = 23
end = 76

[JC_29]
file = "HOME/tests/java/TestNonNull.jc"
line = 66
begin = 11
end = 103

[JC_68]
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_7]
file = "HOME/tests/java/TestNonNull.jc"
line = 26
begin = 12
end = 22

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_34]
file = "HOME/tests/java/TestNonNull.jc"
line = 63
begin = 8
end = 30

[JC_14]
file = "HOME/tests/java/TestNonNull.jc"
line = 26
begin = 12
end = 22

[JC_53]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_21]
file = "HOME/tests/java/TestNonNull.jc"
line = 60
begin = 11
end = 66

[JC_77]
kind = IndexBounds
file = "HOME/tests/java/TestNonNull.jc"
line = 105
begin = 11
end = 35

[JC_49]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_37]
file = "HOME/tests/java/TestNonNull.jc"
line = 72
begin = 8
end = 23

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_66]
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_59]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_20]
file = "HOME/tests/java/TestNonNull.jc"
line = 59
begin = 10
end = 18

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_72]
file = "HOME/tests/java/TestNonNull.java"
line = 45
begin = 4
end = 15

[JC_19]
file = "HOME/tests/java/TestNonNull.jc"
line = 60
begin = 11
end = 66

[JC_76]
kind = AllocSize
file = "HOME/tests/java/TestNonNull.jc"
line = 105
begin = 23
end = 34

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/java/TestNonNull.jc"
line = 65
begin = 10
end = 18

[JC_58]
file = "HOME/tests/java/TestNonNull.java"
line = 52
begin = 9
end = 13

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/TestNonNull.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic int32_of_integer: int -> int32

function TestNonNull_N() : int32 = int32_of_integer((2))

logic TestNonNull_tag:  -> Object tag_id

axiom TestNonNull_parenttag_Object : parenttag(TestNonNull_tag, Object_tag)

logic TestNonNull_st:  -> Object pointer

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_TestNonNull(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table,
 TestNonNull_t:(Object, Object pointer) memory) =
 (left_valid_struct_Object(p, a, Object_alloc_table)
 and left_valid_struct_intM(select(TestNonNull_t, p), (0),
     Object_alloc_table))

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_TestNonNull(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table,
 TestNonNull_t:(Object, Object pointer) memory) =
 (right_valid_struct_Object(p, b, Object_alloc_table)
 and right_valid_struct_intM(select(TestNonNull_t, p), (-1),
     Object_alloc_table))

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate st_length(Object_alloc_table:Object alloc_table) =
 ge_int(add_int(offset_max(Object_alloc_table, TestNonNull_st), (1)), (4))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_TestNonNull(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table,
 TestNonNull_t:(Object, Object pointer) memory) =
 (strict_valid_struct_Object(p, a, b, Object_alloc_table)
 and strict_valid_struct_intM(select(TestNonNull_t, p), (0), (-1),
     Object_alloc_table))

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate t_length(this:Object pointer,
 Object_alloc_table:Object alloc_table,
 TestNonNull_t:(Object, Object pointer) memory) =
 ge_int(add_int(offset_max(Object_alloc_table, select(TestNonNull_t, this)),
        (1)),
 (4))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_TestNonNull(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table,
 TestNonNull_t:(Object, Object pointer) memory) =
 (valid_struct_Object(p, a, b, Object_alloc_table)
 and valid_struct_intM(select(TestNonNull_t, p), (0), (-1),
     Object_alloc_table))

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

parameter TestNonNull_t : (Object, Object pointer) memory ref

parameter intM_intP : (Object, int32) memory ref

parameter TestNonNull_test :
 this_0:Object pointer ->
  t:Object pointer ->
   { } unit reads Object_alloc_table,TestNonNull_t,intM_intP writes intM_intP
   { (JC_60:
     ((JC_59: st_length(Object_alloc_table))
     and t_length(this_0, Object_alloc_table, TestNonNull_t))) }

parameter TestNonNull_test_requires :
 this_0:Object pointer ->
  t:Object pointer ->
   { (JC_49:
     ((JC_47: ge_int(add_int(offset_max(Object_alloc_table, t), (1)), (4)))
     and ((JC_48: st_length(Object_alloc_table))
         and t_length(this_0, Object_alloc_table, TestNonNull_t))))}
   unit reads Object_alloc_table,TestNonNull_t,intM_intP writes intM_intP
   { (JC_60:
     ((JC_59: st_length(Object_alloc_table))
     and t_length(this_0, Object_alloc_table, TestNonNull_t))) }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_TestNonNull :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    TestNonNull_t:(Object, Object pointer) memory ->
     { } Object pointer writes Object_alloc_table,Object_tag_table
     { (strict_valid_struct_TestNonNull(result, (0), sub_int(n, (1)),
        Object_alloc_table, TestNonNull_t)
       and (alloc_extends(Object_alloc_table@, Object_alloc_table)
           and (alloc_fresh(Object_alloc_table@, result, n)
               and instanceof(Object_tag_table, result, TestNonNull_tag)))) }

parameter alloc_struct_TestNonNull_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    TestNonNull_t:(Object, Object pointer) memory ->
     { ge_int(n, (0))} Object pointer
     writes Object_alloc_table,Object_tag_table
     { (strict_valid_struct_TestNonNull(result, (0), sub_int(n, (1)),
        Object_alloc_table, TestNonNull_t)
       and (alloc_extends(Object_alloc_table@, Object_alloc_table)
           and (alloc_fresh(Object_alloc_table@, result, n)
               and instanceof(Object_tag_table, result, TestNonNull_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 :
 tt:unit ->
  { } Object pointer reads Object_alloc_table
  { (JC_14: st_length(Object_alloc_table)) }

parameter any_string_0_requires :
 tt:unit ->
  { (JC_7: st_length(Object_alloc_table))} Object pointer
  reads Object_alloc_table { (JC_14: st_length(Object_alloc_table)) }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_TestNonNull :
 this_1:Object pointer ->
  { } unit reads Object_alloc_table,TestNonNull_t
  writes Object_alloc_table,Object_tag_table,TestNonNull_t
  { (JC_75:
    ((JC_74: st_length(Object_alloc_table))
    and t_length(this_1, Object_alloc_table, TestNonNull_t))) }

parameter cons_TestNonNull_requires :
 this_1:Object pointer ->
  { (JC_66: st_length(Object_alloc_table))} unit
  reads Object_alloc_table,TestNonNull_t
  writes Object_alloc_table,Object_tag_table,TestNonNull_t
  { (JC_75:
    ((JC_74: st_length(Object_alloc_table))
    and t_length(this_1, Object_alloc_table, TestNonNull_t))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { ((JC_34: st_length(Object_alloc_table))
    and (JC_31:
        (le_int(result, (2147483647))
        and (ge_int(result, (0))
            and (result = add_int(offset_max(Object_alloc_table, x_3), (1))))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { (JC_25: st_length(Object_alloc_table))} int reads Object_alloc_table
  { ((JC_34: st_length(Object_alloc_table))
    and (JC_31:
        (le_int(result, (2147483647))
        and (ge_int(result, (0))
            and (result = add_int(offset_max(Object_alloc_table, x_3), (1))))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { ((JC_42: st_length(Object_alloc_table))
    and (JC_46:
        ((if result then (offset_max(Object_alloc_table, x_4) = (0))
          else (x_4 = null))
        and (JC_45: st_length(Object_alloc_table))))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { (JC_35: st_length(Object_alloc_table))} bool reads Object_alloc_table
  { ((JC_42: st_length(Object_alloc_table))
    and (JC_46:
        ((if result then (offset_max(Object_alloc_table, x_4) = (0))
          else (x_4 = null))
        and (JC_45: st_length(Object_alloc_table))))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { ((JC_24: st_length(Object_alloc_table))
    and (JC_21:
        (if result
         then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
         else (x_2 = null)))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { (JC_15: st_length(Object_alloc_table))} bool reads Object_alloc_table
  { ((JC_24: st_length(Object_alloc_table))
    and (JC_21:
        (if result
         then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
         else (x_2 = null)))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let TestNonNull_test_ensures_default =
 fun (this_0 : Object pointer) (t : Object pointer) ->
  { (valid_struct_intM(t, (0), (-1), Object_alloc_table)
    and (valid_struct_TestNonNull(this_0, (0), (0), Object_alloc_table,
         TestNonNull_t)
        and (JC_53:
            ((JC_51:
             ge_int(add_int(offset_max(Object_alloc_table, t), (1)), (4)))
            and ((JC_52: st_length(Object_alloc_table))
                and t_length(this_0, Object_alloc_table, TestNonNull_t)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _i = (K_8: ((safe_acc_ !intM_intP) ((shift t) (3)))) in
     (K_2:
     begin
       (let _jessie_ = (safe_int32_of_integer_ (1)) in
       (let _jessie_ = t in
       (let _jessie_ = (2) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (let _jessie_ = ((shift _jessie_) (2)) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))));
      (let _j =
      (K_7:
      ((safe_acc_ !intM_intP) ((shift t) (integer_of_int32 TestNonNull_N)))) in
      (K_4:
      begin
        (let _jessie_ = (safe_int32_of_integer_ (1)) in
        (let _jessie_ = t in
        (let _jessie_ = (3) in
        (let _jessie_ = ((shift _jessie_) _jessie_) in
        (let _jessie_ = ((shift _jessie_) (3)) in
        (((safe_upd_ intM_intP) _jessie_) _jessie_))))));
       (K_6:
       ((eq_int_ (integer_of_int32 (K_5:
                                   ((safe_acc_ !intM_intP) ((shift TestNonNull_st) (3)))))) (1)))
      end)) end)) in void); (raise Return) end with Return -> void end)
  { (JC_55: true) }

let TestNonNull_test_safety =
 fun (this_0 : Object pointer) (t : Object pointer) ->
  { (valid_struct_intM(t, (0), (-1), Object_alloc_table)
    and (valid_struct_TestNonNull(this_0, (0), (0), Object_alloc_table,
         TestNonNull_t)
        and (JC_53:
            ((JC_51:
             ge_int(add_int(offset_max(Object_alloc_table, t), (1)), (4)))
            and ((JC_52: st_length(Object_alloc_table))
                and t_length(this_0, Object_alloc_table, TestNonNull_t)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _i =
     (K_8:
     (JC_61: ((((lsafe_lbound_acc_ !Object_alloc_table) !intM_intP) t) (3)))) in
     (K_2:
     begin
       (let _jessie_ = (safe_int32_of_integer_ (1)) in
       (let _jessie_ = t in
       (let _jessie_ = (2) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (let _jessie_ = ((shift _jessie_) (2)) in
       (JC_64:
       (((((lsafe_lbound_upd_ !Object_alloc_table) intM_intP) _jessie_) (2)) _jessie_)))))));
      (let _j =
      (K_7:
      (JC_62: ((((lsafe_lbound_acc_ !Object_alloc_table) !intM_intP) t) (2)))) in
      (K_4:
      begin
        (let _jessie_ = (safe_int32_of_integer_ (1)) in
        (let _jessie_ = t in
        (let _jessie_ = (3) in
        (let _jessie_ = ((shift _jessie_) _jessie_) in
        (let _jessie_ = ((shift _jessie_) (3)) in
        (JC_65:
        (((((lsafe_lbound_upd_ !Object_alloc_table) intM_intP) _jessie_) (3)) _jessie_)))))));
       (K_6:
       ((eq_int_ (integer_of_int32 (K_5:
                                   (JC_63:
                                   ((((lsafe_lbound_acc_ !Object_alloc_table) !intM_intP) TestNonNull_st) (3)))))) (1)))
      end)) end)) in void); (raise Return) end with Return -> void end)
  { (JC_58:
    ((JC_57: st_length(Object_alloc_table))
    and t_length(this_0, Object_alloc_table, TestNonNull_t))) }

let cons_TestNonNull_ensures_default =
 fun (this_1 : Object pointer) ->
  { (valid_struct_TestNonNull(this_1, (0), (0), Object_alloc_table,
     TestNonNull_t)
    and (JC_68: st_length(Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ = null in
     (let _jessie_ = this_1 in
     (((safe_upd_ TestNonNull_t) _jessie_) _jessie_)));
    (K_9:
    begin
      (let _jessie_ =
      (JC_79:
      (((alloc_struct_intM (5)) Object_alloc_table) Object_tag_table)) in
      (let _jessie_ = this_1 in
      (((safe_upd_ TestNonNull_t) _jessie_) _jessie_)));
     (K_11:
     begin
       (assert
       { (JC_80:
         (add_int(offset_max(Object_alloc_table,
                  select(TestNonNull_t, this_1)),
          (1)) = (5))) }; void); (raise Return) end) end) end with Return ->
   void end) { (JC_70: true) }

let cons_TestNonNull_safety =
 fun (this_1 : Object pointer) ->
  { (valid_struct_TestNonNull(this_1, (0), (0), Object_alloc_table,
     TestNonNull_t)
    and (JC_68: st_length(Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ = null in
     (let _jessie_ = this_1 in
     (((safe_upd_ TestNonNull_t) _jessie_) _jessie_)));
    (K_9:
    begin
      (let _jessie_ =
      (let _jessie_ =
      (JC_76:
      (((alloc_struct_intM_requires (5)) Object_alloc_table) Object_tag_table)) in
      (JC_77:
      (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (-1)) };
      _jessie_))) in
      (let _jessie_ = this_1 in
      (((safe_upd_ TestNonNull_t) _jessie_) _jessie_)));
     (K_11:
     begin
       [ { } unit reads Object_alloc_table,TestNonNull_t
         { (JC_78:
           (add_int(offset_max(Object_alloc_table,
                    select(TestNonNull_t, this_1)),
            (1)) = (5))) } ]; (raise Return) end) end) end with Return ->
   void end)
  { (JC_73:
    ((JC_72: st_length(Object_alloc_table))
    and t_length(this_1, Object_alloc_table, TestNonNull_t))) }


========== make project execution ==========
why --project [...] why/TestNonNull.why
========== file tests/java/why/TestNonNull.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  

========== file tests/java/why/TestNonNull_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic int32_of_integer : int -> int32

function TestNonNull_N() : int32 = int32_of_integer(2)

logic TestNonNull_tag : Object tag_id

axiom TestNonNull_parenttag_Object: parenttag(TestNonNull_tag, Object_tag)

logic TestNonNull_st : Object pointer

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_TestNonNull(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table, TestNonNull_t: (Object,
  Object pointer) memory) =
  (left_valid_struct_Object(p, a, Object_alloc_table) and
   left_valid_struct_intM(select(TestNonNull_t, p), 0, Object_alloc_table))

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_TestNonNull(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table, TestNonNull_t: (Object,
  Object pointer) memory) =
  (right_valid_struct_Object(p, b, Object_alloc_table) and
   right_valid_struct_intM(select(TestNonNull_t, p), (-1),
   Object_alloc_table))

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate st_length(Object_alloc_table: Object alloc_table) =
  ((offset_max(Object_alloc_table, TestNonNull_st) + 1) >= 4)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_TestNonNull(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table, TestNonNull_t: (Object,
  Object pointer) memory) =
  (strict_valid_struct_Object(p, a, b, Object_alloc_table) and
   strict_valid_struct_intM(select(TestNonNull_t, p), 0, (-1),
   Object_alloc_table))

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate t_length(this: Object pointer,
  Object_alloc_table: Object alloc_table, TestNonNull_t: (Object,
  Object pointer) memory) = ((offset_max(Object_alloc_table,
  select(TestNonNull_t, this)) + 1) >= 4)

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_TestNonNull(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table, TestNonNull_t: (Object,
  Object pointer) memory) =
  (valid_struct_Object(p, a, b, Object_alloc_table) and
   valid_struct_intM(select(TestNonNull_t, p), 0, (-1), Object_alloc_table))

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/TestNonNull_po1.why ==========
goal TestNonNull_test_safety_po_1:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  (valid_struct_intM(t, 0, (-1), Object_alloc_table) and
   (valid_struct_TestNonNull(this_0, 0, 0, Object_alloc_table,
    TestNonNull_t) and
    ("JC_53":
    (("JC_51": ((offset_max(Object_alloc_table, t) + 1) >= 4)) and
     (("JC_52": st_length(Object_alloc_table)) and t_length(this_0,
      Object_alloc_table, TestNonNull_t)))))) ->
  (3 <= offset_max(Object_alloc_table, t))

========== file tests/java/why/TestNonNull_po10.why ==========
goal cons_TestNonNull_safety_po_4:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  (valid_struct_TestNonNull(this_1, 0, 0, Object_alloc_table,
   TestNonNull_t) and ("JC_68": st_length(Object_alloc_table))) ->
  forall TestNonNull_t0:(Object,
  Object pointer) memory.
  (TestNonNull_t0 = store(TestNonNull_t, this_1, null)) ->
  (5 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_intM(result, 0, (5 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 5) and
     instanceof(Object_tag_table, result, intM_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= (-1)) ->
  forall TestNonNull_t1:(Object,
  Object pointer) memory.
  (TestNonNull_t1 = store(TestNonNull_t0, this_1, result)) ->
  ("JC_78": ((offset_max(Object_alloc_table0, select(TestNonNull_t1,
  this_1)) + 1) = 5)) ->
  ("JC_73": t_length(this_1, Object_alloc_table0, TestNonNull_t1))

========== file tests/java/why/TestNonNull_po2.why ==========
goal TestNonNull_test_safety_po_2:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  forall intM_intP:(Object,
  int32) memory.
  (valid_struct_intM(t, 0, (-1), Object_alloc_table) and
   (valid_struct_TestNonNull(this_0, 0, 0, Object_alloc_table,
    TestNonNull_t) and
    ("JC_53":
    (("JC_51": ((offset_max(Object_alloc_table, t) + 1) >= 4)) and
     (("JC_52": st_length(Object_alloc_table)) and t_length(this_0,
      Object_alloc_table, TestNonNull_t)))))) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, 3))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  (2 <= offset_max(Object_alloc_table, t))

========== file tests/java/why/TestNonNull_po3.why ==========
goal TestNonNull_test_safety_po_3:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  forall intM_intP:(Object,
  int32) memory.
  (valid_struct_intM(t, 0, (-1), Object_alloc_table) and
   (valid_struct_TestNonNull(this_0, 0, 0, Object_alloc_table,
    TestNonNull_t) and
    ("JC_53":
    (("JC_51": ((offset_max(Object_alloc_table, t) + 1) >= 4)) and
     (("JC_52": st_length(Object_alloc_table)) and t_length(this_0,
      Object_alloc_table, TestNonNull_t)))))) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, 3))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  (2 <= offset_max(Object_alloc_table, t)) ->
  forall intM_intP0:(Object,
  int32) memory.
  (intM_intP0 = store(intM_intP, shift(t, 2), result0)) ->
  (2 <= offset_max(Object_alloc_table, t)) ->
  forall result1:int32.
  (result1 = select(intM_intP0, shift(t, 2))) ->
  forall result2:int32.
  (integer_of_int32(result2) = 1) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall intM_intP1:(Object,
  int32) memory.
  (intM_intP1 = store(intM_intP0, shift(t, 3), result2)) ->
  (3 <= offset_max(Object_alloc_table, TestNonNull_st))

========== file tests/java/why/TestNonNull_po4.why ==========
goal TestNonNull_test_safety_po_4:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  forall intM_intP:(Object,
  int32) memory.
  (valid_struct_intM(t, 0, (-1), Object_alloc_table) and
   (valid_struct_TestNonNull(this_0, 0, 0, Object_alloc_table,
    TestNonNull_t) and
    ("JC_53":
    (("JC_51": ((offset_max(Object_alloc_table, t) + 1) >= 4)) and
     (("JC_52": st_length(Object_alloc_table)) and t_length(this_0,
      Object_alloc_table, TestNonNull_t)))))) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, 3))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  (2 <= offset_max(Object_alloc_table, t)) ->
  forall intM_intP0:(Object,
  int32) memory.
  (intM_intP0 = store(intM_intP, shift(t, 2), result0)) ->
  (2 <= offset_max(Object_alloc_table, t)) ->
  forall result1:int32.
  (result1 = select(intM_intP0, shift(t, 2))) ->
  forall result2:int32.
  (integer_of_int32(result2) = 1) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall intM_intP1:(Object,
  int32) memory.
  (intM_intP1 = store(intM_intP0, shift(t, 3), result2)) ->
  (3 <= offset_max(Object_alloc_table, TestNonNull_st)) ->
  forall result3:int32.
  (result3 = select(intM_intP1, shift(TestNonNull_st, 3))) ->
  ("JC_58": ("JC_57": st_length(Object_alloc_table)))

========== file tests/java/why/TestNonNull_po5.why ==========
goal TestNonNull_test_safety_po_5:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  forall intM_intP:(Object,
  int32) memory.
  (valid_struct_intM(t, 0, (-1), Object_alloc_table) and
   (valid_struct_TestNonNull(this_0, 0, 0, Object_alloc_table,
    TestNonNull_t) and
    ("JC_53":
    (("JC_51": ((offset_max(Object_alloc_table, t) + 1) >= 4)) and
     (("JC_52": st_length(Object_alloc_table)) and t_length(this_0,
      Object_alloc_table, TestNonNull_t)))))) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, 3))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  (2 <= offset_max(Object_alloc_table, t)) ->
  forall intM_intP0:(Object,
  int32) memory.
  (intM_intP0 = store(intM_intP, shift(t, 2), result0)) ->
  (2 <= offset_max(Object_alloc_table, t)) ->
  forall result1:int32.
  (result1 = select(intM_intP0, shift(t, 2))) ->
  forall result2:int32.
  (integer_of_int32(result2) = 1) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall intM_intP1:(Object,
  int32) memory.
  (intM_intP1 = store(intM_intP0, shift(t, 3), result2)) ->
  (3 <= offset_max(Object_alloc_table, TestNonNull_st)) ->
  forall result3:int32.
  (result3 = select(intM_intP1, shift(TestNonNull_st, 3))) ->
  ("JC_58": t_length(this_0, Object_alloc_table, TestNonNull_t))

========== file tests/java/why/TestNonNull_po6.why ==========
goal cons_TestNonNull_ensures_default_po_1:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  (valid_struct_TestNonNull(this_1, 0, 0, Object_alloc_table,
   TestNonNull_t) and ("JC_68": st_length(Object_alloc_table))) ->
  forall TestNonNull_t0:(Object,
  Object pointer) memory.
  (TestNonNull_t0 = store(TestNonNull_t, this_1, null)) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_intM(result, 0, (5 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 5) and
     instanceof(Object_tag_table, result, intM_tag)))) ->
  forall TestNonNull_t1:(Object,
  Object pointer) memory.
  (TestNonNull_t1 = store(TestNonNull_t0, this_1, result)) ->
  ("JC_80": ((offset_max(Object_alloc_table0, select(TestNonNull_t1,
  this_1)) + 1) = 5))

========== file tests/java/why/TestNonNull_po7.why ==========
goal cons_TestNonNull_safety_po_1:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  (valid_struct_TestNonNull(this_1, 0, 0, Object_alloc_table,
   TestNonNull_t) and ("JC_68": st_length(Object_alloc_table))) ->
  forall TestNonNull_t0:(Object,
  Object pointer) memory.
  (TestNonNull_t0 = store(TestNonNull_t, this_1, null)) ->
  (5 >= 0)

========== file tests/java/why/TestNonNull_po8.why ==========
goal cons_TestNonNull_safety_po_2:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  (valid_struct_TestNonNull(this_1, 0, 0, Object_alloc_table,
   TestNonNull_t) and ("JC_68": st_length(Object_alloc_table))) ->
  forall TestNonNull_t0:(Object,
  Object pointer) memory.
  (TestNonNull_t0 = store(TestNonNull_t, this_1, null)) ->
  (5 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_intM(result, 0, (5 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 5) and
     instanceof(Object_tag_table, result, intM_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= (-1))

========== file tests/java/why/TestNonNull_po9.why ==========
goal cons_TestNonNull_safety_po_3:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  (valid_struct_TestNonNull(this_1, 0, 0, Object_alloc_table,
   TestNonNull_t) and ("JC_68": st_length(Object_alloc_table))) ->
  forall TestNonNull_t0:(Object,
  Object pointer) memory.
  (TestNonNull_t0 = store(TestNonNull_t, this_1, null)) ->
  (5 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_intM(result, 0, (5 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 5) and
     instanceof(Object_tag_table, result, intM_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= (-1)) ->
  forall TestNonNull_t1:(Object,
  Object pointer) memory.
  (TestNonNull_t1 = store(TestNonNull_t0, this_1, result)) ->
  ("JC_78": ((offset_max(Object_alloc_table0, select(TestNonNull_t1,
  this_1)) + 1) = 5)) ->
  ("JC_73": ("JC_72": st_length(Object_alloc_table0)))

========== generation of Simplify VC output ==========
why -simplify [...] why/TestNonNull.why
========== file tests/java/simplify/TestNonNull_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom TestNonNull_N_def
 (EQ TestNonNull_N (int32_of_integer 2)))

(BG_PUSH
 ;; Why axiom TestNonNull_parenttag_Object
 (EQ (parenttag TestNonNull_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_TestNonNull p a Object_alloc_table TestNonNull_t)
  (AND (left_valid_struct_Object p a Object_alloc_table)
  (left_valid_struct_intM (select TestNonNull_t p) 0 Object_alloc_table)))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_TestNonNull p b Object_alloc_table TestNonNull_t)
  (AND (right_valid_struct_Object p b Object_alloc_table)
  (right_valid_struct_intM
  (select TestNonNull_t p) (- 0 1) Object_alloc_table)))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (st_length Object_alloc_table)
  (>= (+ (offset_max Object_alloc_table TestNonNull_st) 1) 4))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_TestNonNull p a b Object_alloc_table TestNonNull_t)
  (AND (strict_valid_struct_Object p a b Object_alloc_table)
  (strict_valid_struct_intM
  (select TestNonNull_t p) 0 (- 0 1) Object_alloc_table)))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (t_length this Object_alloc_table TestNonNull_t)
  (>= (+ (offset_max Object_alloc_table (select TestNonNull_t this)) 1) 4))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_TestNonNull p a b Object_alloc_table TestNonNull_t)
  (AND (valid_struct_Object p a b Object_alloc_table)
  (valid_struct_intM (select TestNonNull_t p) 0 (- 0 1) Object_alloc_table)))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; TestNonNull_test_safety_po_1, File "HOME/tests/java/TestNonNull.java", line 53, characters 10-14
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (TestNonNull_t)
(IMPLIES (AND (valid_struct_intM t 0 (- 0 1) Object_alloc_table)
         (AND
         (valid_struct_TestNonNull
         this_0 0 0 Object_alloc_table TestNonNull_t)
         (AND (>= (+ (offset_max Object_alloc_table t) 1) 4)
         (AND (st_length Object_alloc_table)
         (t_length this_0 Object_alloc_table TestNonNull_t)))))
(<= 3 (offset_max Object_alloc_table t)))))))

;; TestNonNull_test_safety_po_2, File "HOME/tests/java/TestNonNull.jc", line 90, characters 17-33
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (TestNonNull_t)
(FORALL (intM_intP)
(IMPLIES (AND (valid_struct_intM t 0 (- 0 1) Object_alloc_table)
         (AND
         (valid_struct_TestNonNull
         this_0 0 0 Object_alloc_table TestNonNull_t)
         (AND (>= (+ (offset_max Object_alloc_table t) 1) 4)
         (AND (st_length Object_alloc_table)
         (t_length this_0 Object_alloc_table TestNonNull_t)))))
(IMPLIES (<= 3 (offset_max Object_alloc_table t))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t 3)))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 1)
(<= 2 (offset_max Object_alloc_table t)))))))))))))

;; TestNonNull_test_safety_po_3, File "HOME/tests/java/TestNonNull.java", line 57, characters 1-6
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (TestNonNull_t)
(FORALL (intM_intP)
(IMPLIES (AND (valid_struct_intM t 0 (- 0 1) Object_alloc_table)
         (AND
         (valid_struct_TestNonNull
         this_0 0 0 Object_alloc_table TestNonNull_t)
         (AND (>= (+ (offset_max Object_alloc_table t) 1) 4)
         (AND (st_length Object_alloc_table)
         (t_length this_0 Object_alloc_table TestNonNull_t)))))
(IMPLIES (<= 3 (offset_max Object_alloc_table t))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t 3)))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 1)
(IMPLIES (<= 2 (offset_max Object_alloc_table t))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 2) result0))
(IMPLIES (<= 2 (offset_max Object_alloc_table t))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP0 (shift t 2)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) 1)
(IMPLIES (<= 3 (offset_max Object_alloc_table t))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t 3) result2))
(<= 3 (offset_max Object_alloc_table TestNonNull_st))))))))))))))))))))))))

;; TestNonNull_test_safety_po_4, File "HOME/tests/java/TestNonNull.java", line 52, characters 9-13
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (TestNonNull_t)
(FORALL (intM_intP)
(IMPLIES (AND (valid_struct_intM t 0 (- 0 1) Object_alloc_table)
         (AND
         (valid_struct_TestNonNull
         this_0 0 0 Object_alloc_table TestNonNull_t)
         (AND (>= (+ (offset_max Object_alloc_table t) 1) 4)
         (AND (st_length Object_alloc_table)
         (t_length this_0 Object_alloc_table TestNonNull_t)))))
(IMPLIES (<= 3 (offset_max Object_alloc_table t))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t 3)))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 1)
(IMPLIES (<= 2 (offset_max Object_alloc_table t))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 2) result0))
(IMPLIES (<= 2 (offset_max Object_alloc_table t))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP0 (shift t 2)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) 1)
(IMPLIES (<= 3 (offset_max Object_alloc_table t))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t 3) result2))
(IMPLIES (<= 3 (offset_max Object_alloc_table TestNonNull_st))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP1 (shift TestNonNull_st 3)))
(st_length Object_alloc_table))))))))))))))))))))))))))

;; TestNonNull_test_safety_po_5, File "HOME/tests/java/TestNonNull.java", line 52, characters 9-13
(FORALL (this_0)
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (TestNonNull_t)
(FORALL (intM_intP)
(IMPLIES (AND (valid_struct_intM t 0 (- 0 1) Object_alloc_table)
         (AND
         (valid_struct_TestNonNull
         this_0 0 0 Object_alloc_table TestNonNull_t)
         (AND (>= (+ (offset_max Object_alloc_table t) 1) 4)
         (AND (st_length Object_alloc_table)
         (t_length this_0 Object_alloc_table TestNonNull_t)))))
(IMPLIES (<= 3 (offset_max Object_alloc_table t))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t 3)))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 1)
(IMPLIES (<= 2 (offset_max Object_alloc_table t))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t 2) result0))
(IMPLIES (<= 2 (offset_max Object_alloc_table t))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP0 (shift t 2)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) 1)
(IMPLIES (<= 3 (offset_max Object_alloc_table t))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t 3) result2))
(IMPLIES (<= 3 (offset_max Object_alloc_table TestNonNull_st))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP1 (shift TestNonNull_st 3)))
(t_length this_0 Object_alloc_table TestNonNull_t))))))))))))))))))))))))))

;; cons_TestNonNull_ensures_default_po_1, File "HOME/tests/java/TestNonNull.java", line 47, characters 12-25
(FORALL (this_1)
(FORALL (Object_alloc_table)
(FORALL (TestNonNull_t)
(IMPLIES (AND
         (valid_struct_TestNonNull
         this_1 0 0 Object_alloc_table TestNonNull_t)
         (st_length Object_alloc_table))
(FORALL (TestNonNull_t0)
(IMPLIES (EQ TestNonNull_t0 (|why__store| TestNonNull_t this_1 null))
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_intM result 0 (- 5 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 5)
         (instanceof Object_tag_table result intM_tag))))
(FORALL (TestNonNull_t1)
(IMPLIES (EQ TestNonNull_t1 (|why__store| TestNonNull_t0 this_1 result))
(EQ (+ (offset_max Object_alloc_table0 (select TestNonNull_t1 this_1)) 1) 5)))))))))))))

;; cons_TestNonNull_safety_po_1, File "HOME/tests/java/TestNonNull.jc", line 105, characters 23-34
(FORALL (this_1)
(FORALL (Object_alloc_table)
(FORALL (TestNonNull_t)
(IMPLIES (AND
         (valid_struct_TestNonNull
         this_1 0 0 Object_alloc_table TestNonNull_t)
         (st_length Object_alloc_table))
(FORALL (TestNonNull_t0)
(IMPLIES (EQ TestNonNull_t0 (|why__store| TestNonNull_t this_1 null))
(>= 5 0)))))))

;; cons_TestNonNull_safety_po_2, File "why/TestNonNull.why", line 822, characters 16-72
(FORALL (this_1)
(FORALL (Object_alloc_table)
(FORALL (TestNonNull_t)
(IMPLIES (AND
         (valid_struct_TestNonNull
         this_1 0 0 Object_alloc_table TestNonNull_t)
         (st_length Object_alloc_table))
(FORALL (TestNonNull_t0)
(IMPLIES (EQ TestNonNull_t0 (|why__store| TestNonNull_t this_1 null))
(IMPLIES (>= 5 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_intM result 0 (- 5 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 5)
         (instanceof Object_tag_table result intM_tag))))
(>= (offset_max Object_alloc_table0 result) (- 0 1)))))))))))))

;; cons_TestNonNull_safety_po_3, File "HOME/tests/java/TestNonNull.java", line 45, characters 4-15
(FORALL (this_1)
(FORALL (Object_alloc_table)
(FORALL (TestNonNull_t)
(IMPLIES (AND
         (valid_struct_TestNonNull
         this_1 0 0 Object_alloc_table TestNonNull_t)
         (st_length Object_alloc_table))
(FORALL (TestNonNull_t0)
(IMPLIES (EQ TestNonNull_t0 (|why__store| TestNonNull_t this_1 null))
(IMPLIES (>= 5 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_intM result 0 (- 5 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 5)
         (instanceof Object_tag_table result intM_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) (- 0 1))
(FORALL (TestNonNull_t1)
(IMPLIES (EQ TestNonNull_t1 (|why__store| TestNonNull_t0 this_1 result))
(IMPLIES (EQ (+ (offset_max
                Object_alloc_table0 (select TestNonNull_t1 this_1)) 1)
         5)
(st_length Object_alloc_table0))))))))))))))))

;; cons_TestNonNull_safety_po_4, File "HOME/tests/java/TestNonNull.java", line 45, characters 4-15
(FORALL (this_1)
(FORALL (Object_alloc_table)
(FORALL (TestNonNull_t)
(IMPLIES (AND
         (valid_struct_TestNonNull
         this_1 0 0 Object_alloc_table TestNonNull_t)
         (st_length Object_alloc_table))
(FORALL (TestNonNull_t0)
(IMPLIES (EQ TestNonNull_t0 (|why__store| TestNonNull_t this_1 null))
(IMPLIES (>= 5 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_intM result 0 (- 5 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 5)
         (instanceof Object_tag_table result intM_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) (- 0 1))
(FORALL (TestNonNull_t1)
(IMPLIES (EQ TestNonNull_t1 (|why__store| TestNonNull_t0 this_1 result))
(IMPLIES (EQ (+ (offset_max
                Object_alloc_table0 (select TestNonNull_t1 this_1)) 1)
         5)
(t_length this_1 Object_alloc_table0 TestNonNull_t1))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/TestNonNull_why.sx   : ........?. (9/0/1/0/0)
total   :  10
valid   :   9 ( 90%)
invalid :   0 (  0%)
unknown :   1 ( 10%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/TestNonNull.why
========== file tests/java/why/TestNonNull_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic int32_of_integer : int -> int32

function TestNonNull_N() : int32 = int32_of_integer(2)

logic TestNonNull_tag : Object tag_id

axiom TestNonNull_parenttag_Object: parenttag(TestNonNull_tag, Object_tag)

logic TestNonNull_st : Object pointer

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_TestNonNull(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table, TestNonNull_t: (Object,
  Object pointer) memory) =
  (left_valid_struct_Object(p, a, Object_alloc_table) and
   left_valid_struct_intM(select(TestNonNull_t, p), 0, Object_alloc_table))

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_TestNonNull(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table, TestNonNull_t: (Object,
  Object pointer) memory) =
  (right_valid_struct_Object(p, b, Object_alloc_table) and
   right_valid_struct_intM(select(TestNonNull_t, p), (-1),
   Object_alloc_table))

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate st_length(Object_alloc_table: Object alloc_table) =
  ((offset_max(Object_alloc_table, TestNonNull_st) + 1) >= 4)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_TestNonNull(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table, TestNonNull_t: (Object,
  Object pointer) memory) =
  (strict_valid_struct_Object(p, a, b, Object_alloc_table) and
   strict_valid_struct_intM(select(TestNonNull_t, p), 0, (-1),
   Object_alloc_table))

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate t_length(this: Object pointer,
  Object_alloc_table: Object alloc_table, TestNonNull_t: (Object,
  Object pointer) memory) = ((offset_max(Object_alloc_table,
  select(TestNonNull_t, this)) + 1) >= 4)

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_TestNonNull(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table, TestNonNull_t: (Object,
  Object pointer) memory) =
  (valid_struct_Object(p, a, b, Object_alloc_table) and
   valid_struct_intM(select(TestNonNull_t, p), 0, (-1), Object_alloc_table))

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal TestNonNull_test_safety_po_1:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  (valid_struct_intM(t, 0, (-1), Object_alloc_table) and
   (valid_struct_TestNonNull(this_0, 0, 0, Object_alloc_table,
    TestNonNull_t) and
    ("JC_53":
    (("JC_51": ((offset_max(Object_alloc_table, t) + 1) >= 4)) and
     (("JC_52": st_length(Object_alloc_table)) and t_length(this_0,
      Object_alloc_table, TestNonNull_t)))))) ->
  (3 <= offset_max(Object_alloc_table, t))

goal TestNonNull_test_safety_po_2:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  forall intM_intP:(Object,
  int32) memory.
  (valid_struct_intM(t, 0, (-1), Object_alloc_table) and
   (valid_struct_TestNonNull(this_0, 0, 0, Object_alloc_table,
    TestNonNull_t) and
    ("JC_53":
    (("JC_51": ((offset_max(Object_alloc_table, t) + 1) >= 4)) and
     (("JC_52": st_length(Object_alloc_table)) and t_length(this_0,
      Object_alloc_table, TestNonNull_t)))))) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, 3))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  (2 <= offset_max(Object_alloc_table, t))

goal TestNonNull_test_safety_po_3:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  forall intM_intP:(Object,
  int32) memory.
  (valid_struct_intM(t, 0, (-1), Object_alloc_table) and
   (valid_struct_TestNonNull(this_0, 0, 0, Object_alloc_table,
    TestNonNull_t) and
    ("JC_53":
    (("JC_51": ((offset_max(Object_alloc_table, t) + 1) >= 4)) and
     (("JC_52": st_length(Object_alloc_table)) and t_length(this_0,
      Object_alloc_table, TestNonNull_t)))))) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, 3))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  (2 <= offset_max(Object_alloc_table, t)) ->
  forall intM_intP0:(Object,
  int32) memory.
  (intM_intP0 = store(intM_intP, shift(t, 2), result0)) ->
  (2 <= offset_max(Object_alloc_table, t)) ->
  forall result1:int32.
  (result1 = select(intM_intP0, shift(t, 2))) ->
  forall result2:int32.
  (integer_of_int32(result2) = 1) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall intM_intP1:(Object,
  int32) memory.
  (intM_intP1 = store(intM_intP0, shift(t, 3), result2)) ->
  (3 <= offset_max(Object_alloc_table, TestNonNull_st))

goal TestNonNull_test_safety_po_4:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  forall intM_intP:(Object,
  int32) memory.
  (valid_struct_intM(t, 0, (-1), Object_alloc_table) and
   (valid_struct_TestNonNull(this_0, 0, 0, Object_alloc_table,
    TestNonNull_t) and
    ("JC_53":
    (("JC_51": ((offset_max(Object_alloc_table, t) + 1) >= 4)) and
     (("JC_52": st_length(Object_alloc_table)) and t_length(this_0,
      Object_alloc_table, TestNonNull_t)))))) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, 3))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  (2 <= offset_max(Object_alloc_table, t)) ->
  forall intM_intP0:(Object,
  int32) memory.
  (intM_intP0 = store(intM_intP, shift(t, 2), result0)) ->
  (2 <= offset_max(Object_alloc_table, t)) ->
  forall result1:int32.
  (result1 = select(intM_intP0, shift(t, 2))) ->
  forall result2:int32.
  (integer_of_int32(result2) = 1) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall intM_intP1:(Object,
  int32) memory.
  (intM_intP1 = store(intM_intP0, shift(t, 3), result2)) ->
  (3 <= offset_max(Object_alloc_table, TestNonNull_st)) ->
  forall result3:int32.
  (result3 = select(intM_intP1, shift(TestNonNull_st, 3))) ->
  ("JC_58": ("JC_57": st_length(Object_alloc_table)))

goal TestNonNull_test_safety_po_5:
  forall this_0:Object pointer.
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  forall intM_intP:(Object,
  int32) memory.
  (valid_struct_intM(t, 0, (-1), Object_alloc_table) and
   (valid_struct_TestNonNull(this_0, 0, 0, Object_alloc_table,
    TestNonNull_t) and
    ("JC_53":
    (("JC_51": ((offset_max(Object_alloc_table, t) + 1) >= 4)) and
     (("JC_52": st_length(Object_alloc_table)) and t_length(this_0,
      Object_alloc_table, TestNonNull_t)))))) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, 3))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  (2 <= offset_max(Object_alloc_table, t)) ->
  forall intM_intP0:(Object,
  int32) memory.
  (intM_intP0 = store(intM_intP, shift(t, 2), result0)) ->
  (2 <= offset_max(Object_alloc_table, t)) ->
  forall result1:int32.
  (result1 = select(intM_intP0, shift(t, 2))) ->
  forall result2:int32.
  (integer_of_int32(result2) = 1) ->
  (3 <= offset_max(Object_alloc_table, t)) ->
  forall intM_intP1:(Object,
  int32) memory.
  (intM_intP1 = store(intM_intP0, shift(t, 3), result2)) ->
  (3 <= offset_max(Object_alloc_table, TestNonNull_st)) ->
  forall result3:int32.
  (result3 = select(intM_intP1, shift(TestNonNull_st, 3))) ->
  ("JC_58": t_length(this_0, Object_alloc_table, TestNonNull_t))

goal cons_TestNonNull_ensures_default_po_1:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  (valid_struct_TestNonNull(this_1, 0, 0, Object_alloc_table,
   TestNonNull_t) and ("JC_68": st_length(Object_alloc_table))) ->
  forall TestNonNull_t0:(Object,
  Object pointer) memory.
  (TestNonNull_t0 = store(TestNonNull_t, this_1, null)) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_intM(result, 0, (5 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 5) and
     instanceof(Object_tag_table, result, intM_tag)))) ->
  forall TestNonNull_t1:(Object,
  Object pointer) memory.
  (TestNonNull_t1 = store(TestNonNull_t0, this_1, result)) ->
  ("JC_80": ((offset_max(Object_alloc_table0, select(TestNonNull_t1,
  this_1)) + 1) = 5))

goal cons_TestNonNull_safety_po_1:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  (valid_struct_TestNonNull(this_1, 0, 0, Object_alloc_table,
   TestNonNull_t) and ("JC_68": st_length(Object_alloc_table))) ->
  forall TestNonNull_t0:(Object,
  Object pointer) memory.
  (TestNonNull_t0 = store(TestNonNull_t, this_1, null)) ->
  (5 >= 0)

goal cons_TestNonNull_safety_po_2:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  (valid_struct_TestNonNull(this_1, 0, 0, Object_alloc_table,
   TestNonNull_t) and ("JC_68": st_length(Object_alloc_table))) ->
  forall TestNonNull_t0:(Object,
  Object pointer) memory.
  (TestNonNull_t0 = store(TestNonNull_t, this_1, null)) ->
  (5 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_intM(result, 0, (5 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 5) and
     instanceof(Object_tag_table, result, intM_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= (-1))

goal cons_TestNonNull_safety_po_3:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  (valid_struct_TestNonNull(this_1, 0, 0, Object_alloc_table,
   TestNonNull_t) and ("JC_68": st_length(Object_alloc_table))) ->
  forall TestNonNull_t0:(Object,
  Object pointer) memory.
  (TestNonNull_t0 = store(TestNonNull_t, this_1, null)) ->
  (5 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_intM(result, 0, (5 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 5) and
     instanceof(Object_tag_table, result, intM_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= (-1)) ->
  forall TestNonNull_t1:(Object,
  Object pointer) memory.
  (TestNonNull_t1 = store(TestNonNull_t0, this_1, result)) ->
  ("JC_78": ((offset_max(Object_alloc_table0, select(TestNonNull_t1,
  this_1)) + 1) = 5)) ->
  ("JC_73": ("JC_72": st_length(Object_alloc_table0)))

goal cons_TestNonNull_safety_po_4:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall TestNonNull_t:(Object,
  Object pointer) memory.
  (valid_struct_TestNonNull(this_1, 0, 0, Object_alloc_table,
   TestNonNull_t) and ("JC_68": st_length(Object_alloc_table))) ->
  forall TestNonNull_t0:(Object,
  Object pointer) memory.
  (TestNonNull_t0 = store(TestNonNull_t, this_1, null)) ->
  (5 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_intM(result, 0, (5 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 5) and
     instanceof(Object_tag_table, result, intM_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= (-1)) ->
  forall TestNonNull_t1:(Object,
  Object pointer) memory.
  (TestNonNull_t1 = store(TestNonNull_t0, this_1, result)) ->
  ("JC_78": ((offset_max(Object_alloc_table0, select(TestNonNull_t1,
  this_1)) + 1) = 5)) ->
  ("JC_73": t_length(this_1, Object_alloc_table0, TestNonNull_t1))

why-2.34/tests/java/oracle/Bug_sort_exns.res.oracle0000644000175000017500000062052512311670312020757 0ustar  rtusers========== file tests/java/Bug_sort_exns.java ==========
public class Bug_sort_exns {
    public static void exn() {
        throw new IllegalArgumentException();
    }
}
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Bug_sort_exns for constructor Bug_sort_exns
Generating JC function cons_RuntimeException for constructor RuntimeException
Generating JC function Throwable_getMessage for method Throwable.getMessage
Generating JC function Throwable_initCause for method Throwable.initCause
Generating JC function cons_Throwable_String_Throwable for constructor Throwable
Generating JC function cons_RuntimeException_String_Throwable for constructor RuntimeException
Generating JC function cons_Throwable_Throwable for constructor Throwable
Generating JC function cons_Exception_String for constructor Exception
Generating JC function cons_Exception_Throwable for constructor Exception
Generating JC function Throwable_printStackTrace_PrintStream for method Throwable.printStackTrace
Generating JC function Throwable_getCause for method Throwable.getCause
Generating JC function Throwable_toString for method Throwable.toString
Generating JC function cons_RuntimeException_String for constructor RuntimeException
Generating JC function cons_IllegalArgumentException for constructor IllegalArgumentException
Generating JC function cons_Exception for constructor Exception
Generating JC function cons_Throwable for constructor Throwable
Generating JC function cons_RuntimeException_Throwable for constructor RuntimeException
Generating JC function Bug_sort_exns_exn for method Bug_sort_exns.exn
Generating JC function Throwable_getLocalizedMessage for method Throwable.getLocalizedMessage
Generating JC function Throwable_printStackTrace for method Throwable.printStackTrace
Generating JC function Throwable_getStackTraceDepth for method Throwable.getStackTraceDepth
Generating JC function Throwable_fillInStackTrace for method Throwable.fillInStackTrace
Generating JC function cons_Throwable_String for constructor Throwable
Generating JC function cons_IllegalArgumentException_String for constructor IllegalArgumentException
Generating JC function cons_Exception_String_Throwable for constructor Exception
Done.
========== file tests/java/Bug_sort_exns.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic long RuntimeException_serialVersionUID =
-7034897190745766939

logic long Throwable_serialVersionUID =
-3042686055658047285

logic long Exception_serialVersionUID =
-3387516993124229948

String[0..] any_string()
;

tag String = Object with {
}

tag RuntimeException = Exception with {
}

tag Bug_sort_exns = Object with {
}

tag IllegalArgumentException = RuntimeException with {
}

tag PrintStream = Object with {
}

tag Throwable = Object with {
  Object[0..] backtrace; 
  String[0..] detailMessage; 
  Throwable[0..] cause;
}

tag Object = {
}

tag Exception = Throwable with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception IllegalArgumentException of IllegalArgumentException[0..]

exception RuntimeException of RuntimeException[0..]

exception Throwable of Throwable[0..]

unit cons_Bug_sort_exns(! Bug_sort_exns[0] this_4){()}

unit cons_RuntimeException(! RuntimeException[0] this_14){()}

String[0..] Throwable_getMessage(Throwable[0] this_5)
;

Throwable[0..] Throwable_initCause(Throwable[0] this_6,
                                   Throwable[0..] cause_1)
;

unit cons_Throwable_String_Throwable(! Throwable[0] this_15,
                                     String[0..] message_0,
                                     Throwable[0..] cause)
{  (this_15.backtrace = null);
   (this_15.detailMessage = null);
   (this_15.cause = null)
}

unit cons_RuntimeException_String_Throwable(! RuntimeException[0] this_16,
                                            String[0..] message_4,
                                            Throwable[0..] cause_4){()}

unit cons_Throwable_Throwable(! Throwable[0] this_17, Throwable[0..] cause_0)
{  (this_17.backtrace = null);
   (this_17.detailMessage = null);
   (this_17.cause = null)
}

unit cons_Exception_String(! Exception[0] this_18, String[0..] message_1){()}

unit cons_Exception_Throwable(! Exception[0] this_19, Throwable[0..] cause_3){()}

unit Throwable_printStackTrace_PrintStream(Throwable[0] this_7,
                                           PrintStream[0..] s)
;

Throwable[0..] Throwable_getCause(Throwable[0] this_8)
;

String[0..] Throwable_toString(Throwable[0] this_9)
;

unit cons_RuntimeException_String(! RuntimeException[0] this_20,
                                  String[0..] message_3){()}

unit cons_IllegalArgumentException(! IllegalArgumentException[0] this_21){()}

unit cons_Exception(! Exception[0] this_22){()}

unit cons_Throwable(! Throwable[0] this_23)
{  (this_23.backtrace = null);
   (this_23.detailMessage = null);
   (this_23.cause = null)
}

unit cons_RuntimeException_Throwable(! RuntimeException[0] this_24,
                                     Throwable[0..] cause_5){()}

unit Bug_sort_exns_exn()
{  
   {  
      (var IllegalArgumentException[..] java_thrown_exception = 
      {  
         (var IllegalArgumentException[0] this = (new IllegalArgumentException[1]));
         
         {  
            (var unit _tt = cons_IllegalArgumentException(this));
            this
         }
      });
      
      {  
         (assert Non_null_Object(java_thrown_exception));
         
         (throw IllegalArgumentException java_thrown_exception)
      }
   }
}

String[0..] Throwable_getLocalizedMessage(Throwable[0] this_10)
;

unit Throwable_printStackTrace(Throwable[0] this_11)
;

int32 Throwable_getStackTraceDepth(Throwable[0] this_12)
;

Throwable[0..] Throwable_fillInStackTrace(Throwable[0] this_13)
;

unit cons_Throwable_String(! Throwable[0] this_25, String[0..] message)
{  (this_25.backtrace = null);
   (this_25.detailMessage = null);
   (this_25.cause = null)
}

unit cons_IllegalArgumentException_String(! IllegalArgumentException[0] this_26,
                                          String[0..] s_0){()}

unit cons_Exception_String_Throwable(! Exception[0] this_27,
                                     String[0..] message_2,
                                     Throwable[0..] cause_2){()}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Bug_sort_exns.jloc tests/java/Bug_sort_exns.jc && make -f tests/java/Bug_sort_exns.makefile gui"
End:
*/
========== file tests/java/Bug_sort_exns.jloc ==========
[Throwable_getCause]
name = "Method getCause"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 289
begin = 21
end = 29

[cons_Exception_Throwable]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[Throwable_initCause]
name = "Method initCause"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 317
begin = 34
end = 43

[Throwable_getLocalizedMessage]
name = "Method getLocalizedMessage"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 265
begin = 18
end = 37

[cons_Exception_String]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[Throwable_getMessage]
name = "Method getMessage"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 251
begin = 18
end = 28

[Throwable_printStackTrace_PrintStream]
name = "Method printStackTrace"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 459
begin = 16
end = 31

[cons_Throwable_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[Throwable_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 341
begin = 18
end = 26

[cons_RuntimeException_String_Throwable]
name = "Constructor of class RuntimeException"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 60
begin = 11
end = 27

[cons_Bug_sort_exns]
name = "Constructor of class Bug_sort_exns"
file = "HOME/"
line = 0
begin = -1
end = -1

[Throwable_fillInStackTrace]
name = "Method fillInStackTrace"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 562
begin = 41
end = 57

[cons_RuntimeException_String]
name = "Constructor of class RuntimeException"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 42
begin = 11
end = 27

[cons_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[cons_Throwable_String_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[cons_Exception_String_Throwable]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[cons_IllegalArgumentException_String]
name = "Constructor of class IllegalArgumentException"
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 35
begin = 11
end = 35

[cons_Exception]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[Bug_sort_exns_exn]
name = "Method exn"
file = "HOME/tests/java/Bug_sort_exns.java"
line = 2
begin = 23
end = 26

[cons_IllegalArgumentException]
name = "Constructor of class IllegalArgumentException"
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 25
begin = 11
end = 35

[cons_Throwable_String]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[cons_RuntimeException]
name = "Constructor of class RuntimeException"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 31
begin = 11
end = 27

[Throwable_getStackTraceDepth]
name = "Method getStackTraceDepth"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 645
begin = 23
end = 41

[cons_RuntimeException_Throwable]
name = "Constructor of class RuntimeException"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 76
begin = 11
end = 27

[Throwable_printStackTrace]
name = "Method printStackTrace"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 450
begin = 16
end = 31

========== jessie execution ==========
Generating Why function cons_Bug_sort_exns
Generating Why function cons_RuntimeException
Generating Why function cons_Throwable_String_Throwable
Generating Why function cons_RuntimeException_String_Throwable
Generating Why function cons_Throwable_Throwable
Generating Why function cons_Exception_String
Generating Why function cons_Exception_Throwable
Generating Why function cons_RuntimeException_String
Generating Why function cons_IllegalArgumentException
Generating Why function cons_Exception
Generating Why function cons_Throwable
Generating Why function cons_RuntimeException_Throwable
Generating Why function Bug_sort_exns_exn
Generating Why function cons_Throwable_String
Generating Why function cons_IllegalArgumentException_String
Generating Why function cons_Exception_String_Throwable
========== file tests/java/Bug_sort_exns.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Bug_sort_exns.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Bug_sort_exns.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Bug_sort_exns_why.sx

project: why/Bug_sort_exns.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Bug_sort_exns_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Bug_sort_exns_why.vo

coq/Bug_sort_exns_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Bug_sort_exns_why.v: why/Bug_sort_exns.why
	@echo 'why -coq [...] why/Bug_sort_exns.why' && $(WHY) $(JESSIELIBFILES) why/Bug_sort_exns.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Bug_sort_exns_ctx_why.vo
	for f in why/*_po*.why; do make -f Bug_sort_exns.makefile coq/`basename $$f .why`_why.v ; done

coq/Bug_sort_exns_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Bug_sort_exns_ctx_why.v: why/Bug_sort_exns_ctx.why
	@echo 'why -coq [...] why/Bug_sort_exns_ctx.why' && $(WHY) why/Bug_sort_exns_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Bug_sort_exns_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Bug_sort_exns_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Bug_sort_exns_ctx_why.vo

pvs: pvs/Bug_sort_exns_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Bug_sort_exns_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Bug_sort_exns_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Bug_sort_exns_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Bug_sort_exns_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Bug_sort_exns_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Bug_sort_exns_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Bug_sort_exns_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Bug_sort_exns_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Bug_sort_exns_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Bug_sort_exns_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Bug_sort_exns_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Bug_sort_exns_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Bug_sort_exns_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Bug_sort_exns_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Bug_sort_exns.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Bug_sort_exns_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Bug_sort_exns.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Bug_sort_exns.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Bug_sort_exns.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Bug_sort_exns.depend

depend: coq/Bug_sort_exns_why.v
	-$(COQDEP) -I coq coq/Bug_sort_exns*_why.v > Bug_sort_exns.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Bug_sort_exns.loc ==========
[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_177]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_221]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[JC_147]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 76
begin = 11
end = 27

[JC_123]
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 25
begin = 11
end = 35

[cons_RuntimeException_String_Throwable_ensures_default]
name = "Constructor of class RuntimeException"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 60
begin = 11
end = 27

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[cons_Bug_sort_exns_safety]
name = "Constructor of class Bug_sort_exns"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_188]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 645
begin = 23
end = 41

[JC_180]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 450
begin = 16
end = 31

[cons_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[JC_99]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 289
begin = 21
end = 29

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_201]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 68
begin = 11
end = 65

[JC_194]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 562
begin = 41
end = 57

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_205]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 265
begin = 18
end = 37

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 25
begin = 11
end = 35

[JC_67]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_9]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 66
begin = 8
end = 23

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_189]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_IllegalArgumentException_String_safety]
name = "Constructor of class IllegalArgumentException"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 35
begin = 11
end = 35

[JC_195]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
kind = AllocSize
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 143
begin = 50
end = 81

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_222]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 66
begin = 8
end = 23

[JC_185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
kind = AllocSize
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 143
begin = 50
end = 81

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_String_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_safety]
name = "Constructor of class RuntimeException"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 31
begin = 11
end = 27

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 152
begin = 17
end = 55

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 31
begin = 11
end = 27

[JC_115]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 42
begin = 11
end = 27

[JC_109]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 341
begin = 18
end = 26

[JC_69]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_219]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_String_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_101]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 289
begin = 21
end = 29

[JC_223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 152
begin = 17
end = 55

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 60
begin = 11
end = 27

[cons_Throwable_String_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[JC_199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_Throwable_ensures_default]
name = "Constructor of class RuntimeException"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 76
begin = 11
end = 27

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 31
begin = 11
end = 27

[JC_202]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 317
begin = 34
end = 43

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[Bug_sort_exns_exn_ensures_default]
name = "Method exn"
behavior = "default behavior"
file = "HOME/tests/java/Bug_sort_exns.java"
line = 2
begin = 23
end = 26

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_225]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 76
begin = 11
end = 27

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_131]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[cons_RuntimeException_String_ensures_default]
name = "Constructor of class RuntimeException"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 42
begin = 11
end = 27

[JC_37]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 251
begin = 18
end = 28

[cons_IllegalArgumentException_String_ensures_default]
name = "Constructor of class IllegalArgumentException"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 35
begin = 11
end = 35

[JC_181]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_IllegalArgumentException_safety]
name = "Constructor of class IllegalArgumentException"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 25
begin = 11
end = 35

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
kind = UserCall
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 146
begin = 28
end = 63

[JC_213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_217]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_187]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[cons_Exception_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_198]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_ensures_default]
name = "Constructor of class RuntimeException"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 31
begin = 11
end = 27

[JC_196]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 562
begin = 41
end = 57

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_197]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_Throwable_safety]
name = "Constructor of class RuntimeException"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 76
begin = 11
end = 27

[JC_207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 317
begin = 34
end = 43

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_203]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 265
begin = 18
end = 37

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_193]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_186]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 645
begin = 23
end = 41

[JC_212]
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 35
begin = 11
end = 35

[JC_175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[Bug_sort_exns_exn_safety]
name = "Method exn"
behavior = "Safety"
file = "HOME/tests/java/Bug_sort_exns.java"
line = 2
begin = 23
end = 26

[cons_Throwable_String_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[cons_Bug_sort_exns_ensures_default]
name = "Constructor of class Bug_sort_exns"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_String_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_String_Throwable_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_String_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
kind = UserCall
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 146
begin = 28
end = 63

[JC_91]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 459
begin = 16
end = 31

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[cons_Throwable_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[cons_RuntimeException_String_Throwable_safety]
name = "Constructor of class RuntimeException"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 60
begin = 11
end = 27

[JC_35]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 251
begin = 18
end = 28

[JC_215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 341
begin = 18
end = 26

[JC_179]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_Throwable_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
kind = IndexBounds
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 143
begin = 10
end = 82

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_155]
file = "HOME/tests/java/Bug_sort_exns.java"
line = 2
begin = 23
end = 26

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_178]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 450
begin = 16
end = 31

[JC_141]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_220]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_IllegalArgumentException_ensures_default]
name = "Constructor of class IllegalArgumentException"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 25
begin = 11
end = 35

[JC_93]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 459
begin = 16
end = 31

[JC_214]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 42
begin = 11
end = 27

[JC_53]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[cons_Exception_String_Throwable_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_204]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_157]
file = "HOME/tests/java/Bug_sort_exns.java"
line = 2
begin = 23
end = 26

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_209]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 29
begin = 12
end = 22

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[JC_211]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 60
begin = 11
end = 27

[cons_Exception_Throwable_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 68
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Bug_sort_exns.jc"
line = 29
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_210]
file = "HOME/lib/java_api/java/lang/IllegalArgumentException.java"
line = 35
begin = 11
end = 35

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_String_safety]
name = "Constructor of class RuntimeException"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/RuntimeException.java"
line = 42
begin = 11
end = 27

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Bug_sort_exns.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Bug_sort_exns_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Bug_sort_exns_parenttag_Object :
 parenttag(Bug_sort_exns_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

logic Throwable_tag:  -> Object tag_id

axiom Exception_parenttag_Throwable : parenttag(Exception_tag, Throwable_tag)

logic long_of_integer: int -> long

function Exception_serialVersionUID() : long =
 long_of_integer(neg_int((3387516993124229948)))

logic IllegalArgumentException_tag:  -> Object tag_id

logic RuntimeException_tag:  -> Object tag_id

axiom IllegalArgumentException_parenttag_RuntimeException :
 parenttag(IllegalArgumentException_tag, RuntimeException_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic PrintStream_tag:  -> Object tag_id

axiom PrintStream_parenttag_Object : parenttag(PrintStream_tag, Object_tag)

axiom RuntimeException_parenttag_Exception :
 parenttag(RuntimeException_tag, Exception_tag)

function RuntimeException_serialVersionUID() : long =
 long_of_integer(neg_int((7034897190745766939)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

function Throwable_serialVersionUID() : long =
 long_of_integer(neg_int((3042686055658047285)))

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Bug_sort_exns(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Throwable(p, a, Object_alloc_table)

predicate left_valid_struct_RuntimeException(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Exception(p, a, Object_alloc_table)

predicate left_valid_struct_IllegalArgumentException(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_RuntimeException(p, a, Object_alloc_table)

predicate left_valid_struct_PrintStream(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Bug_sort_exns(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Throwable(p, b, Object_alloc_table)

predicate right_valid_struct_RuntimeException(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Exception(p, b, Object_alloc_table)

predicate right_valid_struct_IllegalArgumentException(p:Object pointer,
 b:int, Object_alloc_table:Object alloc_table) =
 right_valid_struct_RuntimeException(p, b, Object_alloc_table)

predicate right_valid_struct_PrintStream(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Bug_sort_exns(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Throwable(p, a, b, Object_alloc_table)

predicate strict_valid_struct_RuntimeException(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Exception(p, a, b, Object_alloc_table)

predicate strict_valid_struct_IllegalArgumentException(p:Object pointer,
 a:int, b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrintStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Bug_sort_exns(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Throwable(p, a, b, Object_alloc_table)

predicate valid_struct_RuntimeException(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Exception(p, a, b, Object_alloc_table)

predicate valid_struct_IllegalArgumentException(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate valid_struct_PrintStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception IllegalArgumentException_exc of Object pointer

parameter Bug_sort_exns_exn :
 tt:unit ->
  { } unit reads Object_alloc_table
  writes Object_alloc_table,Object_tag_table
  raises IllegalArgumentException_exc
  { true | IllegalArgumentException_exc => true }

parameter Bug_sort_exns_exn_requires :
 tt:unit ->
  { } unit reads Object_alloc_table
  writes Object_alloc_table,Object_tag_table
  raises IllegalArgumentException_exc
  { true | IllegalArgumentException_exc => true }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

exception RuntimeException_exc of Object pointer

parameter Throwable_backtrace : (Object, Object pointer) memory ref

parameter Throwable_cause : (Object, Object pointer) memory ref

parameter Throwable_detailMessage : (Object, Object pointer) memory ref

exception Throwable_exc of Object pointer

parameter Throwable_fillInStackTrace :
 this_13:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_fillInStackTrace_requires :
 this_13:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getCause :
 this_8:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getCause_requires :
 this_8:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getLocalizedMessage :
 this_10:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getLocalizedMessage_requires :
 this_10:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getMessage :
 this_5:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getMessage_requires :
 this_5:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getStackTraceDepth :
 this_12:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Throwable_getStackTraceDepth_requires :
 this_12:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Throwable_initCause :
 this_6:Object pointer ->
  cause_1:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter Throwable_initCause_requires :
 this_6:Object pointer ->
  cause_1:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter Throwable_printStackTrace :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_printStackTrace_PrintStream :
 this_7:Object pointer ->
  s_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_printStackTrace_PrintStream_requires :
 this_7:Object pointer ->
  s_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_printStackTrace_requires :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_toString :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_toString_requires :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter alloc_struct_Bug_sort_exns :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Bug_sort_exns(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Bug_sort_exns_tag)))) }

parameter alloc_struct_Bug_sort_exns_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Bug_sort_exns(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Bug_sort_exns_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_IllegalArgumentException :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_IllegalArgumentException(result, (0),
       sub_int(n, (1)), Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  IllegalArgumentException_tag)))) }

parameter alloc_struct_IllegalArgumentException_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_IllegalArgumentException(result, (0),
       sub_int(n, (1)), Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  IllegalArgumentException_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_PrintStream :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrintStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrintStream_tag)))) }

parameter alloc_struct_PrintStream_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrintStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrintStream_tag)))) }

parameter alloc_struct_RuntimeException :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_RuntimeException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, RuntimeException_tag)))) }

parameter alloc_struct_RuntimeException_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_RuntimeException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, RuntimeException_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Bug_sort_exns :
 this_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Bug_sort_exns_requires :
 this_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception :
 this_22:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String :
 this_18:Object pointer ->
  message_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String_Throwable :
 this_27:Object pointer ->
  message_2:Object pointer ->
   cause_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String_Throwable_requires :
 this_27:Object pointer ->
  message_2:Object pointer ->
   cause_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String_requires :
 this_18:Object pointer ->
  message_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_Throwable :
 this_19:Object pointer ->
  cause_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_Throwable_requires :
 this_19:Object pointer ->
  cause_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_requires :
 this_22:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_IllegalArgumentException :
 this_21:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_IllegalArgumentException_String :
 this_26:Object pointer ->
  s_0_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_IllegalArgumentException_String_requires :
 this_26:Object pointer ->
  s_0_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_IllegalArgumentException_requires :
 this_21:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_String :
 this_20:Object pointer ->
  message_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_String_Throwable :
 this_16:Object pointer ->
  message_4:Object pointer ->
   cause_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_String_Throwable_requires :
 this_16:Object pointer ->
  message_4:Object pointer ->
   cause_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_String_requires :
 this_20:Object pointer ->
  message_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_Throwable :
 this_24:Object pointer ->
  cause_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_Throwable_requires :
 this_24:Object pointer ->
  cause_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Throwable :
 this_23:Object pointer ->
  { } unit reads Object_alloc_table
  writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage 
  { true }

parameter cons_Throwable_String :
 this_25:Object pointer ->
  message:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_String_Throwable :
 this_15:Object pointer ->
  message_0:Object pointer ->
   cause:Object pointer ->
    { } unit reads Object_alloc_table
    writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
    { true }

parameter cons_Throwable_String_Throwable_requires :
 this_15:Object pointer ->
  message_0:Object pointer ->
   cause:Object pointer ->
    { } unit reads Object_alloc_table
    writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
    { true }

parameter cons_Throwable_String_requires :
 this_25:Object pointer ->
  message:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_Throwable :
 this_17:Object pointer ->
  cause_0:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_Throwable_requires :
 this_17:Object pointer ->
  cause_0:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_requires :
 this_23:Object pointer ->
  { } unit reads Object_alloc_table
  writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage 
  { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Bug_sort_exns_exn_ensures_default =
 fun (tt : unit) ->
  { (JC_158: true) }
  (init:
  try
   begin
     (let java_thrown_exception =
     (let this =
     (JC_167:
     (((alloc_struct_IllegalArgumentException (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt =
     (let _jessie_ = this in
     (JC_168: (cons_IllegalArgumentException _jessie_))) in this)) in
     begin
       (assert
       { (JC_169: Non_null_Object(java_thrown_exception, Object_alloc_table)) };
       void); (raise (IllegalArgumentException_exc java_thrown_exception))
     end); (raise Return) end with Return -> void end)
  { (JC_159: true) | IllegalArgumentException_exc => true }

let Bug_sort_exns_exn_safety =
 fun (tt : unit) ->
  { (JC_158: true) }
  (init:
  try
   begin
     (let java_thrown_exception =
     (let this =
     (let _jessie_ =
     (JC_163:
     (((alloc_struct_IllegalArgumentException_requires (1)) Object_alloc_table) Object_tag_table)) in
     (JC_164:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     _jessie_))) in
     (let _tt =
     (let _jessie_ = this in
     (JC_165: (cons_IllegalArgumentException_requires _jessie_))) in this)) in
     begin
       [ { } unit reads Object_alloc_table
         { (JC_166:
           Non_null_Object(java_thrown_exception, Object_alloc_table)) } ];
      (raise (IllegalArgumentException_exc java_thrown_exception)) end);
    (raise Return) end with Return -> void end)
  { true | IllegalArgumentException_exc => true }

let cons_Bug_sort_exns_ensures_default =
 fun (this_4 : Object pointer) ->
  { valid_struct_Bug_sort_exns(this_4, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_Bug_sort_exns_safety =
 fun (this_4 : Object pointer) ->
  { valid_struct_Bug_sort_exns(this_4, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Exception_String_Throwable_ensures_default =
 fun (this_27 : Object pointer) (message_2 : Object pointer) (cause_2 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_2, (0), Object_alloc_table)
    and (left_valid_struct_String(message_2, (0), Object_alloc_table)
        and valid_struct_Exception(this_27, (0), (0), Object_alloc_table))) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_222: true) }

let cons_Exception_String_Throwable_safety =
 fun (this_27 : Object pointer) (message_2 : Object pointer) (cause_2 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_2, (0), Object_alloc_table)
    and (left_valid_struct_String(message_2, (0), Object_alloc_table)
        and valid_struct_Exception(this_27, (0), (0), Object_alloc_table))) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Exception_String_ensures_default =
 fun (this_18 : Object pointer) (message_1 : Object pointer) ->
  { (left_valid_struct_String(message_1, (0), Object_alloc_table)
    and valid_struct_Exception(this_18, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_79: true) }

let cons_Exception_String_safety =
 fun (this_18 : Object pointer) (message_1 : Object pointer) ->
  { (left_valid_struct_String(message_1, (0), Object_alloc_table)
    and valid_struct_Exception(this_18, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Exception_Throwable_ensures_default =
 fun (this_19 : Object pointer) (cause_3 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_3, (0), Object_alloc_table)
    and valid_struct_Exception(this_19, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_87: true) }

let cons_Exception_Throwable_safety =
 fun (this_19 : Object pointer) (cause_3 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_3, (0), Object_alloc_table)
    and valid_struct_Exception(this_19, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Exception_ensures_default =
 fun (this_22 : Object pointer) ->
  { valid_struct_Exception(this_22, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_135: true) }

let cons_Exception_safety =
 fun (this_22 : Object pointer) ->
  { valid_struct_Exception(this_22, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_IllegalArgumentException_String_ensures_default =
 fun (this_26 : Object pointer) (s_0_0 : Object pointer) ->
  { (left_valid_struct_String(s_0_0, (0), Object_alloc_table)
    and valid_struct_IllegalArgumentException(this_26, (0), (0),
        Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_214: true) }

let cons_IllegalArgumentException_String_safety =
 fun (this_26 : Object pointer) (s_0_0 : Object pointer) ->
  { (left_valid_struct_String(s_0_0, (0), Object_alloc_table)
    and valid_struct_IllegalArgumentException(this_26, (0), (0),
        Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_IllegalArgumentException_ensures_default =
 fun (this_21 : Object pointer) ->
  { valid_struct_IllegalArgumentException(this_21, (0), (0),
    Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_127: true) }

let cons_IllegalArgumentException_safety =
 fun (this_21 : Object pointer) ->
  { valid_struct_IllegalArgumentException(this_21, (0), (0),
    Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_RuntimeException_String_Throwable_ensures_default =
 fun (this_16 : Object pointer) (message_4 : Object pointer) (cause_4 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_4, (0), Object_alloc_table)
    and (left_valid_struct_String(message_4, (0), Object_alloc_table)
        and valid_struct_RuntimeException(this_16, (0), (0),
            Object_alloc_table))) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_63: true) }

let cons_RuntimeException_String_Throwable_safety =
 fun (this_16 : Object pointer) (message_4 : Object pointer) (cause_4 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_4, (0), Object_alloc_table)
    and (left_valid_struct_String(message_4, (0), Object_alloc_table)
        and valid_struct_RuntimeException(this_16, (0), (0),
            Object_alloc_table))) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_RuntimeException_String_ensures_default =
 fun (this_20 : Object pointer) (message_3 : Object pointer) ->
  { (left_valid_struct_String(message_3, (0), Object_alloc_table)
    and valid_struct_RuntimeException(this_20, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_119: true) }

let cons_RuntimeException_String_safety =
 fun (this_20 : Object pointer) (message_3 : Object pointer) ->
  { (left_valid_struct_String(message_3, (0), Object_alloc_table)
    and valid_struct_RuntimeException(this_20, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_RuntimeException_Throwable_ensures_default =
 fun (this_24 : Object pointer) (cause_5 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_5, (0), Object_alloc_table)
    and valid_struct_RuntimeException(this_24, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_151: true) }

let cons_RuntimeException_Throwable_safety =
 fun (this_24 : Object pointer) (cause_5 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_5, (0), Object_alloc_table)
    and valid_struct_RuntimeException(this_24, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_RuntimeException_ensures_default =
 fun (this_14 : Object pointer) ->
  { valid_struct_RuntimeException(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_31: true) }

let cons_RuntimeException_safety =
 fun (this_14 : Object pointer) ->
  { valid_struct_RuntimeException(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Throwable_String_Throwable_ensures_default =
 fun (this_15 : Object pointer) (message_0 : Object pointer) (cause : Object pointer) ->
  { (left_valid_struct_Throwable(cause, (0), Object_alloc_table)
    and (left_valid_struct_String(message_0, (0), Object_alloc_table)
        and valid_struct_Throwable(this_15, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_15 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_15 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_15 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_55: true) }

let cons_Throwable_String_Throwable_safety =
 fun (this_15 : Object pointer) (message_0 : Object pointer) (cause : Object pointer) ->
  { (left_valid_struct_Throwable(cause, (0), Object_alloc_table)
    and (left_valid_struct_String(message_0, (0), Object_alloc_table)
        and valid_struct_Throwable(this_15, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_15 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_15 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_15 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true }

let cons_Throwable_String_ensures_default =
 fun (this_25 : Object pointer) (message : Object pointer) ->
  { (left_valid_struct_String(message, (0), Object_alloc_table)
    and valid_struct_Throwable(this_25, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_25 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_25 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_25 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_206: true) }

let cons_Throwable_String_safety =
 fun (this_25 : Object pointer) (message : Object pointer) ->
  { (left_valid_struct_String(message, (0), Object_alloc_table)
    and valid_struct_Throwable(this_25, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_25 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_25 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_25 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true }

let cons_Throwable_Throwable_ensures_default =
 fun (this_17 : Object pointer) (cause_0 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_0, (0), Object_alloc_table)
    and valid_struct_Throwable(this_17, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_17 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_17 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_17 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_71: true) }

let cons_Throwable_Throwable_safety =
 fun (this_17 : Object pointer) (cause_0 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_0, (0), Object_alloc_table)
    and valid_struct_Throwable(this_17, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_17 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_17 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_17 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true }

let cons_Throwable_ensures_default =
 fun (this_23 : Object pointer) ->
  { valid_struct_Throwable(this_23, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_23 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_23 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_23 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_143: true) }

let cons_Throwable_safety =
 fun (this_23 : Object pointer) ->
  { valid_struct_Throwable(this_23, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_23 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_23 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_23 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true }


========== make project execution ==========
why --project [...] why/Bug_sort_exns.why
========== file tests/java/why/Bug_sort_exns.wpr ==========

  
    
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  

========== file tests/java/why/Bug_sort_exns_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Bug_sort_exns_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Bug_sort_exns_parenttag_Object: parenttag(Bug_sort_exns_tag,
  Object_tag)

logic Exception_tag : Object tag_id

logic Throwable_tag : Object tag_id

axiom Exception_parenttag_Throwable: parenttag(Exception_tag, Throwable_tag)

logic long_of_integer : int -> long

function Exception_serialVersionUID() : long =
  long_of_integer((-3387516993124229948))

logic IllegalArgumentException_tag : Object tag_id

logic RuntimeException_tag : Object tag_id

axiom IllegalArgumentException_parenttag_RuntimeException:
  parenttag(IllegalArgumentException_tag, RuntimeException_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic PrintStream_tag : Object tag_id

axiom PrintStream_parenttag_Object: parenttag(PrintStream_tag, Object_tag)

axiom RuntimeException_parenttag_Exception: parenttag(RuntimeException_tag,
  Exception_tag)

function RuntimeException_serialVersionUID() : long =
  long_of_integer((-7034897190745766939))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

function Throwable_serialVersionUID() : long =
  long_of_integer((-3042686055658047285))

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Bug_sort_exns(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Throwable(p, a,
  Object_alloc_table)

predicate left_valid_struct_RuntimeException(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Exception(p, a,
  Object_alloc_table)

predicate left_valid_struct_IllegalArgumentException(p: Object pointer,
  a: int, Object_alloc_table: Object alloc_table) =
  left_valid_struct_RuntimeException(p, a, Object_alloc_table)

predicate left_valid_struct_PrintStream(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Bug_sort_exns(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Throwable(p,
  b, Object_alloc_table)

predicate right_valid_struct_RuntimeException(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Exception(p,
  b, Object_alloc_table)

predicate right_valid_struct_IllegalArgumentException(p: Object pointer,
  b: int, Object_alloc_table: Object alloc_table) =
  right_valid_struct_RuntimeException(p, b, Object_alloc_table)

predicate right_valid_struct_PrintStream(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Bug_sort_exns(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Throwable(p,
  a, b, Object_alloc_table)

predicate strict_valid_struct_RuntimeException(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Exception(p, a, b, Object_alloc_table)

predicate strict_valid_struct_IllegalArgumentException(p: Object pointer,
  a: int, b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrintStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Bug_sort_exns(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Throwable(p, a, b,
  Object_alloc_table)

predicate valid_struct_RuntimeException(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Exception(p, a, b,
  Object_alloc_table)

predicate valid_struct_IllegalArgumentException(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate valid_struct_PrintStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Bug_sort_exns_po1.why ==========
goal Bug_sort_exns_exn_ensures_default_po_1:
  forall Object_alloc_table:Object alloc_table.
  ("JC_158": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_IllegalArgumentException(result, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, IllegalArgumentException_tag)))) ->
  ("JC_169": Non_null_Object(result, Object_alloc_table0))

========== file tests/java/why/Bug_sort_exns_po2.why ==========
goal Bug_sort_exns_exn_safety_po_1:
  ("JC_158": true) ->
  (1 >= 0)

========== file tests/java/why/Bug_sort_exns_po3.why ==========
goal Bug_sort_exns_exn_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_158": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_IllegalArgumentException(result, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, IllegalArgumentException_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

========== generation of Simplify VC output ==========
why -simplify [...] why/Bug_sort_exns.why
========== file tests/java/simplify/Bug_sort_exns_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Bug_sort_exns_parenttag_Object
 (EQ (parenttag Bug_sort_exns_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Throwable
 (EQ (parenttag Exception_tag Throwable_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_serialVersionUID_def
 (EQ Exception_serialVersionUID
 (long_of_integer (- 0 constant_too_large_3387516993124229948))))

(BG_PUSH
 ;; Why axiom IllegalArgumentException_parenttag_RuntimeException
 (EQ (parenttag IllegalArgumentException_tag RuntimeException_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom PrintStream_parenttag_Object
 (EQ (parenttag PrintStream_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom RuntimeException_parenttag_Exception
 (EQ (parenttag RuntimeException_tag Exception_tag) |@true|))

(BG_PUSH
 ;; Why axiom RuntimeException_serialVersionUID_def
 (EQ RuntimeException_serialVersionUID
 (long_of_integer (- 0 constant_too_large_7034897190745766939))))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_serialVersionUID_def
 (EQ Throwable_serialVersionUID
 (long_of_integer (- 0 constant_too_large_3042686055658047285))))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Bug_sort_exns p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Throwable p a Object_alloc_table))

(DEFPRED (left_valid_struct_RuntimeException p a Object_alloc_table)
  (left_valid_struct_Exception p a Object_alloc_table))

(DEFPRED (left_valid_struct_IllegalArgumentException p a Object_alloc_table)
  (left_valid_struct_RuntimeException p a Object_alloc_table))

(DEFPRED (left_valid_struct_PrintStream p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Bug_sort_exns p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Throwable p b Object_alloc_table))

(DEFPRED (right_valid_struct_RuntimeException p b Object_alloc_table)
  (right_valid_struct_Exception p b Object_alloc_table))

(DEFPRED (right_valid_struct_IllegalArgumentException p b Object_alloc_table)
  (right_valid_struct_RuntimeException p b Object_alloc_table))

(DEFPRED (right_valid_struct_PrintStream p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Bug_sort_exns p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Throwable p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_RuntimeException p a b Object_alloc_table)
  (strict_valid_struct_Exception p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_IllegalArgumentException p a b Object_alloc_table)
  (strict_valid_struct_RuntimeException p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_PrintStream p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Bug_sort_exns p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Throwable p a b Object_alloc_table))

(DEFPRED (valid_struct_RuntimeException p a b Object_alloc_table)
  (valid_struct_Exception p a b Object_alloc_table))

(DEFPRED (valid_struct_IllegalArgumentException p a b Object_alloc_table)
  (valid_struct_RuntimeException p a b Object_alloc_table))

(DEFPRED (valid_struct_PrintStream p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Bug_sort_exns_exn_ensures_default_po_1, File "HOME/tests/java/Bug_sort_exns.jc", line 152, characters 17-55
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_IllegalArgumentException
         result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result IllegalArgumentException_tag))))
(Non_null_Object result Object_alloc_table0)))))))

;; Bug_sort_exns_exn_safety_po_1, File "HOME/tests/java/Bug_sort_exns.jc", line 143, characters 50-81
(IMPLIES TRUE (>= 1 0))

;; Bug_sort_exns_exn_safety_po_2, File "why/Bug_sort_exns.why", line 937, characters 15-70
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_IllegalArgumentException
         result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result IllegalArgumentException_tag))))
(>= (offset_max Object_alloc_table0 result) 0))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Bug_sort_exns_why.sx : ... (3/0/0/0/0)
total   :   3
valid   :   3 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Bug_sort_exns.why
========== file tests/java/why/Bug_sort_exns_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Bug_sort_exns_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Bug_sort_exns_parenttag_Object: parenttag(Bug_sort_exns_tag,
  Object_tag)

logic Exception_tag : Object tag_id

logic Throwable_tag : Object tag_id

axiom Exception_parenttag_Throwable: parenttag(Exception_tag, Throwable_tag)

logic long_of_integer : int -> long

function Exception_serialVersionUID() : long =
  long_of_integer((-3387516993124229948))

logic IllegalArgumentException_tag : Object tag_id

logic RuntimeException_tag : Object tag_id

axiom IllegalArgumentException_parenttag_RuntimeException:
  parenttag(IllegalArgumentException_tag, RuntimeException_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic PrintStream_tag : Object tag_id

axiom PrintStream_parenttag_Object: parenttag(PrintStream_tag, Object_tag)

axiom RuntimeException_parenttag_Exception: parenttag(RuntimeException_tag,
  Exception_tag)

function RuntimeException_serialVersionUID() : long =
  long_of_integer((-7034897190745766939))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

function Throwable_serialVersionUID() : long =
  long_of_integer((-3042686055658047285))

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Bug_sort_exns(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Throwable(p, a,
  Object_alloc_table)

predicate left_valid_struct_RuntimeException(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Exception(p, a,
  Object_alloc_table)

predicate left_valid_struct_IllegalArgumentException(p: Object pointer,
  a: int, Object_alloc_table: Object alloc_table) =
  left_valid_struct_RuntimeException(p, a, Object_alloc_table)

predicate left_valid_struct_PrintStream(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Bug_sort_exns(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Throwable(p,
  b, Object_alloc_table)

predicate right_valid_struct_RuntimeException(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Exception(p,
  b, Object_alloc_table)

predicate right_valid_struct_IllegalArgumentException(p: Object pointer,
  b: int, Object_alloc_table: Object alloc_table) =
  right_valid_struct_RuntimeException(p, b, Object_alloc_table)

predicate right_valid_struct_PrintStream(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Bug_sort_exns(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Throwable(p,
  a, b, Object_alloc_table)

predicate strict_valid_struct_RuntimeException(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Exception(p, a, b, Object_alloc_table)

predicate strict_valid_struct_IllegalArgumentException(p: Object pointer,
  a: int, b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrintStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Bug_sort_exns(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Throwable(p, a, b,
  Object_alloc_table)

predicate valid_struct_RuntimeException(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Exception(p, a, b,
  Object_alloc_table)

predicate valid_struct_IllegalArgumentException(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate valid_struct_PrintStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Bug_sort_exns_exn_ensures_default_po_1:
  forall Object_alloc_table:Object alloc_table.
  ("JC_158": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_IllegalArgumentException(result, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, IllegalArgumentException_tag)))) ->
  ("JC_169": Non_null_Object(result, Object_alloc_table0))

goal Bug_sort_exns_exn_safety_po_1:
  ("JC_158": true) ->
  (1 >= 0)

goal Bug_sort_exns_exn_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_158": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_IllegalArgumentException(result, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, IllegalArgumentException_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

why-2.34/tests/java/oracle/MyCosine.res.oracle0000644000175000017500000046153512311670312017670 0ustar  rtusers========== file tests/java/MyCosine.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ lemma method_error: \forall real x;
  @     \real_abs(x) <= 0x1p-5 ==> \real_abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  @*/

class MyCosine {

/*@ requires \real_abs(x) <= 0x1p-5;
  @ ensures \real_abs(\result - \cos(x)) <= 0x1p-23;
  @*/
static float my_cos1(float x) {
  //@ assert \real_abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  return 1.0f - x * x * 0.5f;
}

/* requires \real_abs(x) <= 0x1p-5 && \round_error(x) == 0.0;
  @ ensures \real_abs(\result - \cos(x)) <= 0x1p-23;
  @*/
static float my_cos2(float x) {
  // assert \exact(x) == x;
  float r = 1.0f - x * x * 0.5f;
  // assert \real_abs(\exact(r) - \cos(x)) <= 0x1p-24;
  return r;
}


/* requires \real_abs(\exact(x)) <= 0x1p-5
  @     && \round_error(x) <= 0x1p-20;
  @ ensures \real_abs(\exact(\result) - \cos(\exact(x))) <= 0x1p-24
  @     && \round_error(\result) <= \round_error(x) + 0x3p-24;
  @*/
static float my_cos3(float x) {
  float r = 1.0f - x * x * 0.5f;
  // assert \real_abs(\exact(r) - \cos(\exact(x))) <= 0x1p-24;  // by interval
  return r;
}

/*@ requires \real_abs(x) <= 0.07 ;
  @ ensures \real_abs(\result - \cos(x)) <= 0x1.3p-20;
  @*/
static float my_cos4(float x) {
  //@ assert \real_abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1.2p-20;
  return 1.0f - x * x * 0.5f;
}

}


/*
Local Variables:
compile-command: "krakatoa MyCosine.java"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function MyCosine_my_cos2 for method MyCosine.my_cos2
Generating JC function cons_MyCosine for constructor MyCosine
Generating JC function MyCosine_my_cos3 for method MyCosine.my_cos3
Generating JC function MyCosine_my_cos1 for method MyCosine.my_cos1
Generating JC function MyCosine_my_cos4 for method MyCosine.my_cos4
Done.
========== file tests/java/MyCosine.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag MyCosine = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

lemma method_error :
(\forall real x;
  ((\real_abs(x) <= 0x1p-5) ==>
    (\real_abs(((1.0 - ((x * x) * 0.5)) - \cos(x))) <= 0x1p-24)))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

real MyCosine_my_cos2(real x_1)
{  
   {  
      (var real r_0 = (K_3 : (1.0 - (K_2 : ((K_1 : (x_1 * x_1)) * 0.5)))));
      
      (return r_0)
   }
}

unit cons_MyCosine(! MyCosine[0] this_0){()}

real MyCosine_my_cos3(real x_2)
{  
   {  
      (var real r = (K_6 : (1.0 - (K_5 : ((K_4 : (x_2 * x_2)) * 0.5)))));
      
      (return r)
   }
}

real MyCosine_my_cos1(real x_0)
  requires (K_8 : (\real_abs(x_0) <= 0x1p-5));
behavior default:
  ensures (K_7 : (\real_abs((\result - \cos(x_0))) <= 0x1p-23));
{  (K_10 : 
   (assert (K_9 : (\real_abs(((1.0 - ((x_0 * x_0) * 0.5)) - \cos(x_0))) <=
                    0x1p-24))));
   
   (return (K_13 : (1.0 - (K_12 : ((K_11 : (x_0 * x_0)) * 0.5)))))
}

real MyCosine_my_cos4(real x_3)
  requires (K_15 : (\real_abs(x_3) <= 0.07));
behavior default:
  ensures (K_14 : (\real_abs((\result - \cos(x_3))) <= 0x1.3p-20));
{  (K_17 : 
   (assert (K_16 : (\real_abs(((1.0 - ((x_3 * x_3) * 0.5)) - \cos(x_3))) <=
                     0x1.2p-20))));
   
   (return (K_20 : (1.0 - (K_19 : ((K_18 : (x_3 * x_3)) * 0.5)))))
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/MyCosine.jloc tests/java/MyCosine.jc && make -f tests/java/MyCosine.makefile gui"
End:
*/
========== file tests/java/MyCosine.jloc ==========
[K_17]
file = "HOME/tests/java/MyCosine.java"
line = 72
begin = 13
end = 60

[K_11]
file = "HOME/tests/java/MyCosine.java"
line = 43
begin = 16
end = 21

[K_13]
file = "HOME/tests/java/MyCosine.java"
line = 43
begin = 9
end = 28

[K_9]
file = "HOME/tests/java/MyCosine.java"
line = 42
begin = 13
end = 58

[K_1]
file = "HOME/tests/java/MyCosine.java"
line = 51
begin = 19
end = 24

[K_15]
file = "HOME/tests/java/MyCosine.java"
line = 68
begin = 13
end = 33

[K_4]
file = "HOME/tests/java/MyCosine.java"
line = 63
begin = 19
end = 24

[K_12]
file = "HOME/tests/java/MyCosine.java"
line = 43
begin = 16
end = 28

[MyCosine_my_cos4]
name = "Method my_cos4"
file = "HOME/tests/java/MyCosine.java"
line = 71
begin = 13
end = 20

[K_20]
file = "HOME/tests/java/MyCosine.java"
line = 73
begin = 9
end = 28

[K_2]
file = "HOME/tests/java/MyCosine.java"
line = 51
begin = 19
end = 31

[MyCosine_my_cos1]
name = "Method my_cos1"
file = "HOME/tests/java/MyCosine.java"
line = 41
begin = 13
end = 20

[K_10]
file = "HOME/tests/java/MyCosine.java"
line = 42
begin = 13
end = 58

[cons_MyCosine]
name = "Constructor of class MyCosine"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_6]
file = "HOME/tests/java/MyCosine.java"
line = 63
begin = 12
end = 31

[K_8]
file = "HOME/tests/java/MyCosine.java"
line = 38
begin = 13
end = 35

[MyCosine_my_cos3]
name = "Method my_cos3"
file = "HOME/tests/java/MyCosine.java"
line = 62
begin = 13
end = 20

[K_3]
file = "HOME/tests/java/MyCosine.java"
line = 51
begin = 12
end = 31

[MyCosine_my_cos2]
name = "Method my_cos2"
file = "HOME/tests/java/MyCosine.java"
line = 49
begin = 13
end = 20

[K_14]
file = "HOME/tests/java/MyCosine.java"
line = 69
begin = 12
end = 53

[method_error]
name = "Lemma method_error"
file = "HOME/tests/java/MyCosine.java"
line = 32
begin = 10
end = 22

[K_19]
file = "HOME/tests/java/MyCosine.java"
line = 73
begin = 16
end = 28

[K_5]
file = "HOME/tests/java/MyCosine.java"
line = 63
begin = 19
end = 31

[K_18]
file = "HOME/tests/java/MyCosine.java"
line = 73
begin = 16
end = 21

[K_7]
file = "HOME/tests/java/MyCosine.java"
line = 39
begin = 12
end = 51

[K_16]
file = "HOME/tests/java/MyCosine.java"
line = 72
begin = 13
end = 60

========== jessie execution ==========
Generating Why function MyCosine_my_cos2
Generating Why function cons_MyCosine
Generating Why function MyCosine_my_cos3
Generating Why function MyCosine_my_cos1
Generating Why function MyCosine_my_cos4
========== file tests/java/MyCosine.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs MyCosine.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs MyCosine.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/MyCosine_why.sx

project: why/MyCosine.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/MyCosine_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/MyCosine_why.vo

coq/MyCosine_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/MyCosine_why.v: why/MyCosine.why
	@echo 'why -coq [...] why/MyCosine.why' && $(WHY) $(JESSIELIBFILES) why/MyCosine.why && rm -f coq/jessie_why.v

coq-goals: goals coq/MyCosine_ctx_why.vo
	for f in why/*_po*.why; do make -f MyCosine.makefile coq/`basename $$f .why`_why.v ; done

coq/MyCosine_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/MyCosine_ctx_why.v: why/MyCosine_ctx.why
	@echo 'why -coq [...] why/MyCosine_ctx.why' && $(WHY) why/MyCosine_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export MyCosine_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/MyCosine_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/MyCosine_ctx_why.vo

pvs: pvs/MyCosine_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/MyCosine_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/MyCosine_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/MyCosine_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/MyCosine_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/MyCosine_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/MyCosine_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/MyCosine_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/MyCosine_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/MyCosine_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/MyCosine_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/MyCosine_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/MyCosine_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/MyCosine_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/MyCosine_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: MyCosine.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/MyCosine_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: MyCosine.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: MyCosine.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: MyCosine.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include MyCosine.depend

depend: coq/MyCosine_why.v
	-$(COQDEP) -I coq coq/MyCosine*_why.v > MyCosine.depend

clean:
	rm -f coq/*.vo

========== file tests/java/MyCosine.loc ==========
[JC_51]
file = "HOME/tests/java/MyCosine.java"
line = 42
begin = 13
end = 58

[cons_MyCosine_safety]
name = "Constructor of class MyCosine"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/java/MyCosine.java"
line = 38
begin = 13
end = 35

[MyCosine_my_cos2_ensures_default]
name = "Method my_cos2"
behavior = "default behavior"
file = "HOME/tests/java/MyCosine.java"
line = 49
begin = 13
end = 20

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/MyCosine.jc"
line = 47
begin = 11
end = 65

[JC_55]
file = "HOME/tests/java/MyCosine.java"
line = 68
begin = 13
end = 33

[JC_48]
file = "HOME/tests/java/MyCosine.java"
line = 39
begin = 12
end = 51

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/MyCosine.jc"
line = 45
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[MyCosine_my_cos4_ensures_default]
name = "Method my_cos4"
behavior = "default behavior"
file = "HOME/tests/java/MyCosine.java"
line = 71
begin = 13
end = 20

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[MyCosine_my_cos2_safety]
name = "Method my_cos2"
behavior = "Safety"
file = "HOME/tests/java/MyCosine.java"
line = 49
begin = 13
end = 20

[MyCosine_my_cos1_safety]
name = "Method my_cos1"
behavior = "Safety"
file = "HOME/tests/java/MyCosine.java"
line = 41
begin = 13
end = 20

[JC_47]
file = "HOME/tests/java/MyCosine.java"
line = 39
begin = 12
end = 51

[JC_52]
file = "HOME/tests/java/MyCosine.java"
line = 42
begin = 13
end = 58

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[MyCosine_my_cos3_safety]
name = "Method my_cos3"
behavior = "Safety"
file = "HOME/tests/java/MyCosine.java"
line = 62
begin = 13
end = 20

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/MyCosine.jc"
line = 45
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/MyCosine.java"
line = 62
begin = 13
end = 20

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/java/MyCosine.java"
line = 72
begin = 13
end = 60

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/MyCosine.java"
line = 72
begin = 13
end = 60

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[method_error]
name = "Lemma method_error"
behavior = "lemma"
file = "HOME/tests/java/MyCosine.java"
line = 32
begin = 10
end = 22

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[MyCosine_my_cos4_safety]
name = "Method my_cos4"
behavior = "Safety"
file = "HOME/tests/java/MyCosine.java"
line = 71
begin = 13
end = 20

[JC_43]
file = "HOME/tests/java/MyCosine.java"
line = 38
begin = 13
end = 35

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/java/MyCosine.java"
line = 68
begin = 13
end = 33

[JC_21]
file = "HOME/tests/java/MyCosine.java"
line = 49
begin = 13
end = 20

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/MyCosine.jc"
line = 20
begin = 12
end = 22

[cons_MyCosine_ensures_default]
name = "Constructor of class MyCosine"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/tests/java/MyCosine.java"
line = 62
begin = 13
end = 20

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/MyCosine.java"
line = 69
begin = 12
end = 53

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/MyCosine.jc"
line = 47
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/MyCosine.jc"
line = 20
begin = 12
end = 22

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/MyCosine.java"
line = 49
begin = 13
end = 20

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[MyCosine_my_cos3_ensures_default]
name = "Method my_cos3"
behavior = "default behavior"
file = "HOME/tests/java/MyCosine.java"
line = 62
begin = 13
end = 20

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/MyCosine.java"
line = 69
begin = 12
end = 53

[MyCosine_my_cos1_ensures_default]
name = "Method my_cos1"
behavior = "default behavior"
file = "HOME/tests/java/MyCosine.java"
line = 41
begin = 13
end = 20

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/MyCosine.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic MyCosine_tag:  -> Object tag_id

axiom MyCosine_parenttag_Object : parenttag(MyCosine_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_MyCosine(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_MyCosine(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_MyCosine(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_MyCosine(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

lemma method_error :
 (forall x_4:real.
  (le_real(abs_real(x_4), 0x1p-5) ->
   le_real(abs_real(sub_real(sub_real(1.0, mul_real(mul_real(x_4, x_4), 0.5)),
                    cos(x_4))),
   0x1p-24)))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter MyCosine_my_cos1 :
 x_0_0:real ->
  { } real
  { (JC_48: le_real(abs_real(sub_real(result, cos(x_0_0))), 0x1p-23)) }

parameter MyCosine_my_cos1_requires :
 x_0_0:real ->
  { (JC_43: le_real(abs_real(x_0_0), 0x1p-5))} real
  { (JC_48: le_real(abs_real(sub_real(result, cos(x_0_0))), 0x1p-23)) }

parameter MyCosine_my_cos2 : x_1_0:real -> { } real { true }

parameter MyCosine_my_cos2_requires : x_1_0:real -> { } real { true }

parameter MyCosine_my_cos3 : x_2:real -> { } real { true }

parameter MyCosine_my_cos3_requires : x_2:real -> { } real { true }

parameter MyCosine_my_cos4 :
 x_3:real ->
  { } real
  { (JC_58: le_real(abs_real(sub_real(result, cos(x_3))), 0x1.3p-20)) }

parameter MyCosine_my_cos4_requires :
 x_3:real ->
  { (JC_53: le_real(abs_real(x_3), 0.07))} real
  { (JC_58: le_real(abs_real(sub_real(result, cos(x_3))), 0x1.3p-20)) }

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_MyCosine :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_MyCosine(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, MyCosine_tag)))) }

parameter alloc_struct_MyCosine_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_MyCosine(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, MyCosine_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_MyCosine :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_MyCosine_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let MyCosine_my_cos1_ensures_default =
 fun (x_0_0 : real) ->
  { (JC_45: le_real(abs_real(x_0_0), 0x1p-5)) }
  (init:
  (let return = ref (any_real void) in
  try
   (K_10:
   begin
     (assert
     { (JC_52:
       le_real(abs_real(sub_real(sub_real(1.0,
                                 mul_real(mul_real(x_0_0, x_0_0), 0.5)),
                        cos(x_0_0))),
       0x1p-24)) }; void);
    (return := (K_13:
               ((sub_real 1.0) (K_12:
                               ((mul_real (K_11: ((mul_real x_0_0) x_0_0))) 0.5)))));
    (raise Return); absurd  end) with Return -> !return end))
  { (JC_47: le_real(abs_real(sub_real(result, cos(x_0_0))), 0x1p-23)) }

let MyCosine_my_cos1_safety =
 fun (x_0_0 : real) ->
  { (JC_45: le_real(abs_real(x_0_0), 0x1p-5)) }
  (init:
  (let return = ref (any_real void) in
  try
   (K_10:
   begin
     [ { } unit
       { (JC_51:
         le_real(abs_real(sub_real(sub_real(1.0,
                                   mul_real(mul_real(x_0_0, x_0_0), 0.5)),
                          cos(x_0_0))),
         0x1p-24)) } ];
    (return := (K_13:
               ((sub_real 1.0) (K_12:
                               ((mul_real (K_11: ((mul_real x_0_0) x_0_0))) 0.5)))));
    (raise Return); absurd  end) with Return -> !return end)) { true }

let MyCosine_my_cos2_ensures_default =
 fun (x_1_0 : real) ->
  { (JC_22: true) }
  (init:
  (let return = ref (any_real void) in
  try
   begin
     (let r_0 =
     (K_3:
     ((sub_real 1.0) (K_2: ((mul_real (K_1: ((mul_real x_1_0) x_1_0))) 0.5)))) in
     begin   (return := r_0); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_23: true) }

let MyCosine_my_cos2_safety =
 fun (x_1_0 : real) ->
  { (JC_22: true) }
  (init:
  (let return = ref (any_real void) in
  try
   begin
     (let r_0 =
     (K_3:
     ((sub_real 1.0) (K_2: ((mul_real (K_1: ((mul_real x_1_0) x_1_0))) 0.5)))) in
     begin   (return := r_0); (raise Return) end); absurd  end with Return ->
   !return end)) { true }

let MyCosine_my_cos3_ensures_default =
 fun (x_2 : real) ->
  { (JC_38: true) }
  (init:
  (let return = ref (any_real void) in
  try
   begin
     (let r =
     (K_6:
     ((sub_real 1.0) (K_5: ((mul_real (K_4: ((mul_real x_2) x_2))) 0.5)))) in
     begin   (return := r); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_39: true) }

let MyCosine_my_cos3_safety =
 fun (x_2 : real) ->
  { (JC_38: true) }
  (init:
  (let return = ref (any_real void) in
  try
   begin
     (let r =
     (K_6:
     ((sub_real 1.0) (K_5: ((mul_real (K_4: ((mul_real x_2) x_2))) 0.5)))) in
     begin   (return := r); (raise Return) end); absurd  end with Return ->
   !return end)) { true }

let MyCosine_my_cos4_ensures_default =
 fun (x_3 : real) ->
  { (JC_55: le_real(abs_real(x_3), 0.07)) }
  (init:
  (let return = ref (any_real void) in
  try
   (K_17:
   begin
     (assert
     { (JC_62:
       le_real(abs_real(sub_real(sub_real(1.0,
                                 mul_real(mul_real(x_3, x_3), 0.5)),
                        cos(x_3))),
       0x1.2p-20)) }; void);
    (return := (K_20:
               ((sub_real 1.0) (K_19:
                               ((mul_real (K_18: ((mul_real x_3) x_3))) 0.5)))));
    (raise Return); absurd  end) with Return -> !return end))
  { (JC_57: le_real(abs_real(sub_real(result, cos(x_3))), 0x1.3p-20)) }

let MyCosine_my_cos4_safety =
 fun (x_3 : real) ->
  { (JC_55: le_real(abs_real(x_3), 0.07)) }
  (init:
  (let return = ref (any_real void) in
  try
   (K_17:
   begin
     [ { } unit
       { (JC_61:
         le_real(abs_real(sub_real(sub_real(1.0,
                                   mul_real(mul_real(x_3, x_3), 0.5)),
                          cos(x_3))),
         0x1.2p-20)) } ];
    (return := (K_20:
               ((sub_real 1.0) (K_19:
                               ((mul_real (K_18: ((mul_real x_3) x_3))) 0.5)))));
    (raise Return); absurd  end) with Return -> !return end)) { true }

let cons_MyCosine_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_MyCosine(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_31: true) }

let cons_MyCosine_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_MyCosine(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/MyCosine.why
========== file tests/java/why/MyCosine.wpr ==========

  
    
    
      
      
    
  
  
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  
  
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  

========== file tests/java/why/MyCosine_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic MyCosine_tag : Object tag_id

axiom MyCosine_parenttag_Object: parenttag(MyCosine_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_MyCosine(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_MyCosine(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_MyCosine(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_MyCosine(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/MyCosine_po1.why ==========
lemma method_error:
  (forall x_4:real.
    ((abs_real(x_4) <= 0x1.p-5) ->
     (abs_real(((1.0 - ((x_4 * x_4) * 0.5)) - cos(x_4))) <= 0x1.p-24)))

========== file tests/java/why/MyCosine_po2.why ==========
goal MyCosine_my_cos1_ensures_default_po_1:
  forall x_0_0:real.
  ("JC_45": (abs_real(x_0_0) <= 0x1.p-5)) ->
  ("JC_52":
  (abs_real(((1.0 - ((x_0_0 * x_0_0) * 0.5)) - cos(x_0_0))) <= 0x1.p-24))

========== file tests/java/why/MyCosine_po3.why ==========
goal MyCosine_my_cos1_ensures_default_po_2:
  forall x_0_0:real.
  ("JC_45": (abs_real(x_0_0) <= 0x1.p-5)) ->
  ("JC_52":
  (abs_real(((1.0 - ((x_0_0 * x_0_0) * 0.5)) - cos(x_0_0))) <= 0x1.p-24)) ->
  forall return:real.
  (return = (1.0 - ((x_0_0 * x_0_0) * 0.5))) ->
  ("JC_47": (abs_real((return - cos(x_0_0))) <= 0x1.p-23))

========== file tests/java/why/MyCosine_po4.why ==========
goal MyCosine_my_cos4_ensures_default_po_1:
  forall x_3:real.
  ("JC_55": (abs_real(x_3) <= 0.07)) ->
  ("JC_62":
  (abs_real(((1.0 - ((x_3 * x_3) * 0.5)) - cos(x_3))) <= 0x1.2p-20))

========== file tests/java/why/MyCosine_po5.why ==========
goal MyCosine_my_cos4_ensures_default_po_2:
  forall x_3:real.
  ("JC_55": (abs_real(x_3) <= 0.07)) ->
  ("JC_62":
  (abs_real(((1.0 - ((x_3 * x_3) * 0.5)) - cos(x_3))) <= 0x1.2p-20)) ->
  forall return:real.
  (return = (1.0 - ((x_3 * x_3) * 0.5))) ->
  ("JC_57": (abs_real((return - cos(x_3))) <= 0x1.3p-20))

========== generation of Simplify VC output ==========
why -simplify [...] why/MyCosine.why
========== file tests/java/simplify/MyCosine_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom MyCosine_parenttag_Object
 (EQ (parenttag MyCosine_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_MyCosine p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_MyCosine p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_MyCosine p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_MyCosine p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; method_error, File "HOME/tests/java/MyCosine.java", line 32, characters 10-22
(FORALL (x_4)
(IMPLIES (EQ (le_real (real_abs x_4) real_constant_0x1_pminus5) |@true|)
(EQ (le_real
(real_abs (real_sub (real_sub real_constant_1_0e (real_mul (real_mul x_4 x_4) real_constant_0_5e)) 
          (cos x_4))) real_constant_0x1_pminus24) |@true|)))

(BG_PUSH
 ;; lemma method_error as axiom
(FORALL (x_4)
(IMPLIES (EQ (le_real (real_abs x_4) real_constant_0x1_pminus5) |@true|)
(EQ (le_real
(real_abs (real_sub (real_sub real_constant_1_0e (real_mul (real_mul x_4 x_4) real_constant_0_5e)) 
          (cos x_4))) real_constant_0x1_pminus24) |@true|))))

;; MyCosine_my_cos1_ensures_default_po_1, File "HOME/tests/java/MyCosine.java", line 42, characters 13-58
(FORALL (x_0_0)
(IMPLIES (EQ (le_real (real_abs x_0_0) real_constant_0x1_pminus5) |@true|)
(EQ (le_real
(real_abs (real_sub (real_sub real_constant_1_0e (real_mul (real_mul x_0_0 x_0_0) real_constant_0_5e)) 
          (cos x_0_0))) real_constant_0x1_pminus24) |@true|)))

;; MyCosine_my_cos1_ensures_default_po_2, File "HOME/tests/java/MyCosine.java", line 39, characters 12-51
(FORALL (x_0_0)
(IMPLIES (EQ (le_real (real_abs x_0_0) real_constant_0x1_pminus5) |@true|)
(IMPLIES (EQ (le_real
         (real_abs (real_sub (real_sub real_constant_1_0e (real_mul (real_mul x_0_0 x_0_0) real_constant_0_5e)) 
                   (cos x_0_0))) real_constant_0x1_pminus24) |@true|)
(FORALL (return)
(IMPLIES (EQ return
         (real_sub real_constant_1_0e (real_mul (real_mul x_0_0 x_0_0) real_constant_0_5e)))
(EQ (le_real
(real_abs (real_sub return (cos x_0_0))) real_constant_0x1_pminus23) |@true|))))))

;; MyCosine_my_cos4_ensures_default_po_1, File "HOME/tests/java/MyCosine.java", line 72, characters 13-60
(FORALL (x_3)
(IMPLIES (EQ (le_real (real_abs x_3) real_constant_0_07e) |@true|)
(EQ (le_real
(real_abs (real_sub (real_sub real_constant_1_0e (real_mul (real_mul x_3 x_3) real_constant_0_5e)) 
          (cos x_3))) real_constant_0x1_2pminus20) |@true|)))

;; MyCosine_my_cos4_ensures_default_po_2, File "HOME/tests/java/MyCosine.java", line 69, characters 12-53
(FORALL (x_3)
(IMPLIES (EQ (le_real (real_abs x_3) real_constant_0_07e) |@true|)
(IMPLIES (EQ (le_real
         (real_abs (real_sub (real_sub real_constant_1_0e (real_mul (real_mul x_3 x_3) real_constant_0_5e)) 
                   (cos x_3))) real_constant_0x1_2pminus20) |@true|)
(FORALL (return)
(IMPLIES (EQ return
         (real_sub real_constant_1_0e (real_mul (real_mul x_3 x_3) real_constant_0_5e)))
(EQ (le_real
(real_abs (real_sub return (cos x_3))) real_constant_0x1_3pminus20) |@true|))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/MyCosine_why.sx      : ##### (0/0/0/5/0)
total   :   5
valid   :   0 (  0%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   5 (100%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/MyCosine.why
========== file tests/java/why/MyCosine_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic MyCosine_tag : Object tag_id

axiom MyCosine_parenttag_Object: parenttag(MyCosine_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_MyCosine(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_MyCosine(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_MyCosine(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_MyCosine(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal method_error:
  (forall x_4:real.
    ((abs_real(x_4) <= 0x1.p-5) ->
     (abs_real(((1.0 - ((x_4 * x_4) * 0.5)) - cos(x_4))) <= 0x1.p-24)))

axiom method_error_as_axiom:
  (forall x_4:real.
    ((abs_real(x_4) <= 0x1.p-5) ->
     (abs_real(((1.0 - ((x_4 * x_4) * 0.5)) - cos(x_4))) <= 0x1.p-24)))

goal MyCosine_my_cos1_ensures_default_po_1:
  forall x_0_0:real.
  ("JC_45": (abs_real(x_0_0) <= 0x1.p-5)) ->
  ("JC_52":
  (abs_real(((1.0 - ((x_0_0 * x_0_0) * 0.5)) - cos(x_0_0))) <= 0x1.p-24))

goal MyCosine_my_cos1_ensures_default_po_2:
  forall x_0_0:real.
  ("JC_45": (abs_real(x_0_0) <= 0x1.p-5)) ->
  ("JC_52":
  (abs_real(((1.0 - ((x_0_0 * x_0_0) * 0.5)) - cos(x_0_0))) <= 0x1.p-24)) ->
  forall return:real.
  (return = (1.0 - ((x_0_0 * x_0_0) * 0.5))) ->
  ("JC_47": (abs_real((return - cos(x_0_0))) <= 0x1.p-23))

goal MyCosine_my_cos4_ensures_default_po_1:
  forall x_3:real.
  ("JC_55": (abs_real(x_3) <= 0.07)) ->
  ("JC_62":
  (abs_real(((1.0 - ((x_3 * x_3) * 0.5)) - cos(x_3))) <= 0x1.2p-20))

goal MyCosine_my_cos4_ensures_default_po_2:
  forall x_3:real.
  ("JC_55": (abs_real(x_3) <= 0.07)) ->
  ("JC_62":
  (abs_real(((1.0 - ((x_3 * x_3) * 0.5)) - cos(x_3))) <= 0x1.2p-20)) ->
  forall return:real.
  (return = (1.0 - ((x_3 * x_3) * 0.5))) ->
  ("JC_57": (abs_real((return - cos(x_3))) <= 0x1.3p-20))

why-2.34/tests/java/oracle/BinarySearch.err.oracle0000644000175000017500000000000012311670312020463 0ustar  rtuserswhy-2.34/tests/java/oracle/Hello.res.oracle0000644000175000017500000142454512311670312017206 0ustar  rtusers========== file tests/java/Hello.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class Hello {

    public static void main(String argv[]) {
        System.out.println("Hello Krakatoa");
    }

}



/*
Local Variables:
compile-command: "make Hello.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Hello for constructor Hello
Generating JC function System_runFinalizersOnExit for method System.runFinalizersOnExit
Generating JC function cons_String_byteA_String for constructor String
Generating JC function cons_PrintStream_OutputStream_boolean_String for constructor PrintStream
Generating JC function String_replaceAll for method String.replaceAll
Generating JC function OutputStream_write_byteA_int_int for method OutputStream.write
Generating JC function FilterOutputStream_write_byteA for method FilterOutputStream.write
Generating JC function cons_String_byteA for constructor String
Generating JC function System_checkIO for method System.checkIO
Generating JC function cons_String_byteA_int for constructor String
Generating JC function cons_PrintStream_OutputStream for constructor PrintStream
Generating JC function PrintStream_println_int for method PrintStream.println
Generating JC function Object_wait_long for method Object.wait
Generating JC function PrintStream_close for method PrintStream.close
Generating JC function String_valueOf_charA_int_int for method String.valueOf
Generating JC function cons_PrintStream_OutputStream_boolean for constructor PrintStream
Generating JC function System_currentTimeMillis for method System.currentTimeMillis
Generating JC function String_indexOf_charA_int_int_charA_int_int_int for method String.indexOf
Generating JC function String_charAt for method String.charAt
Generating JC function Object_clone for method Object.clone
Generating JC function String_getBytes_String for method String.getBytes
Generating JC function PrintStream_init for method PrintStream.init
Generating JC function String_substring_int for method String.substring
Generating JC function String_getChars for method String.getChars
Generating JC function cons_FilterOutputStream_OutputStream for constructor FilterOutputStream
Generating JC function PrintStream_println_boolean for method PrintStream.println
Generating JC function FilterOutputStream_flush for method FilterOutputStream.flush
Generating JC function String_indexOf_String_int for method String.indexOf
Generating JC function String_equalsIgnoreCase for method String.equalsIgnoreCase
Generating JC function PrintStream_println_Object for method PrintStream.println
Generating JC function String_equals for method String.equals
Generating JC function String_substring_int_int for method String.substring
Generating JC function String_length for method String.length
Generating JC function System_setOut for method System.setOut
Generating JC function PrintStream_ensureOpen for method PrintStream.ensureOpen
Generating JC function Comparable_compareTo for method Comparable.compareTo
Generating JC function PrintStream_checkError for method PrintStream.checkError
Generating JC function PrintStream_println_char for method PrintStream.println
Generating JC function Object_equals for method Object.equals
Generating JC function PrintStream_newLine for method PrintStream.newLine
Generating JC function OutputStream_write_byteA for method OutputStream.write
Generating JC function System_loadLibrary for method System.loadLibrary
Generating JC function PrintStream_println_String for method PrintStream.println
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function String_valueOf_boolean for method String.valueOf
Generating JC function String_split_String_int for method String.split
Generating JC function PrintStream_setError for method PrintStream.setError
Generating JC function String_replace for method String.replace
Generating JC function CharSequence_charAt for method CharSequence.charAt
Generating JC function String_lastIndexOf_int_int for method String.lastIndexOf
Generating JC function CharSequence_length for method CharSequence.length
Generating JC function FilterOutputStream_write_int for method FilterOutputStream.write
Generating JC function String_checkBounds for method String.checkBounds
Generating JC function PrintStream_print_float for method PrintStream.print
Generating JC function String_copyValueOf_charA for method String.copyValueOf
Generating JC function String_indexOf_String for method String.indexOf
Generating JC function cons_String_byteA_int_int for constructor String
Generating JC function PrintStream_print_String for method PrintStream.print
Generating JC function FilterOutputStream_close for method FilterOutputStream.close
Generating JC function cons_Object for constructor Object
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function OutputStream_write for method OutputStream.write
Generating JC function String_copyValueOf_charA_int_int for method String.copyValueOf
Generating JC function String_lastIndexOf_String for method String.lastIndexOf
Generating JC function String_valueOf_double for method String.valueOf
Generating JC function String_valueOf_long for method String.valueOf
Generating JC function Object_wait for method Object.wait
Generating JC function System_setErr for method System.setErr
Generating JC function PrintStream_print_double for method PrintStream.print
Generating JC function Object_toString for method Object.toString
Generating JC function PrintStream_print_charA for method PrintStream.print
Generating JC function String_indexOf_int_int for method String.indexOf
Generating JC function String_toString for method String.toString
Generating JC function String_lastIndexOf_String_int for method String.lastIndexOf
Generating JC function PrintStream_print_char for method PrintStream.print
Generating JC function PrintStream_println_long for method PrintStream.println
Generating JC function cons_PrintStream_boolean_OutputStream for constructor PrintStream
Generating JC function cons_String_int_int_charA for constructor String
Generating JC function System_exit for method System.exit
Generating JC function cons_OutputStream for constructor OutputStream
Generating JC function System_runFinalization for method System.runFinalization
Generating JC function String_valueOf_float for method String.valueOf
Generating JC function String_replaceFirst for method String.replaceFirst
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function String_endsWith for method String.endsWith
Generating JC function PrintStream_write_charA for method PrintStream.write
Generating JC function PrintStream_println for method PrintStream.println
Generating JC function System_getProperty_String for method System.getProperty
Generating JC function String_valueOf_charA for method String.valueOf
Generating JC function System_setErr0 for method System.setErr0
Generating JC function System_arraycopy for method System.arraycopy
Generating JC function String_startsWith_String_int for method String.startsWith
Generating JC function String_contentEquals for method String.contentEquals
Generating JC function System_initializeSystemClass for method System.initializeSystemClass
Generating JC function String_compareTo_String for method String.compareTo
Generating JC function cons_String_byteA_int_int_String for constructor String
Generating JC function String_concat for method String.concat
Generating JC function Object_finalize for method Object.finalize
Generating JC function PrintStream_println_float for method PrintStream.println
Generating JC function PrintStream_print_long for method PrintStream.print
Generating JC function String_trim for method String.trim
Generating JC function CharSequence_subSequence for method CharSequence.subSequence
Generating JC function FilterOutputStream_write for method FilterOutputStream.write
Generating JC function String_indexOf for method String.indexOf
Generating JC function String_getBytes_int_int_byteA_int for method String.getBytes
Generating JC function System_load for method System.load
Generating JC function System_nullInputStream for method System.nullInputStream
Generating JC function System_getenv for method System.getenv
Generating JC function String_valueOf_Object for method String.valueOf
Generating JC function System_registerNatives for method System.registerNatives
Generating JC function PrintStream_println_charA for method PrintStream.println
Generating JC function CharSequence_toString for method CharSequence.toString
Generating JC function System_mapLibraryName for method System.mapLibraryName
Generating JC function cons_String_charA_int_int for constructor String
Generating JC function Hello_main for method Hello.main
Generating JC function String_split_String for method String.split
Generating JC function String_valueOf_char for method String.valueOf
Generating JC function String_lastIndexOf_charA_int_int_charA_int_int_int for method String.lastIndexOf
Generating JC function cons_String for constructor String
Generating JC function String_matches for method String.matches
Generating JC function PrintStream_print_boolean for method PrintStream.print
Generating JC function PrintStream_flush for method PrintStream.flush
Generating JC function String_getBytes for method String.getBytes
Generating JC function System_setOut0 for method System.setOut0
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function PrintStream_println_double for method PrintStream.println
Generating JC function String_compareTo_Object for method String.compareTo
Generating JC function String_valueOf for method String.valueOf
Generating JC function System_identityHashCode for method System.identityHashCode
Generating JC function String_subSequence for method String.subSequence
Generating JC function OutputStream_close for method OutputStream.close
Generating JC function cons_String_String for constructor String
Generating JC function PrintStream_print_int for method PrintStream.print
Generating JC function cons_String_StringBuffer for constructor String
Generating JC function String_toCharArray for method String.toCharArray
Generating JC function cons_String_byteA_int_int_int for constructor String
Generating JC function System_setProperty for method System.setProperty
Generating JC function String_intern for method String.intern
Generating JC function String_lastIndexOf for method String.lastIndexOf
Generating JC function System_getProperty_String_String for method System.getProperty
Generating JC function String_startsWith_String for method String.startsWith
Generating JC function String_compareToIgnoreCase for method String.compareToIgnoreCase
Generating JC function String_regionMatches_int_String_int_int for method String.regionMatches
Generating JC function PrintStream_print for method PrintStream.print
Generating JC function OutputStream_flush for method OutputStream.flush
Generating JC function cons_System for constructor System
Generating JC function PrintStream_write_String for method PrintStream.write
Generating JC function PrintStream_write_int for method PrintStream.write
Generating JC function System_nullPrintStream for method System.nullPrintStream
Generating JC function String_toUpperCase for method String.toUpperCase
Generating JC function String_regionMatches_boolean_int_String_int_int for method String.regionMatches
Generating JC function cons_String_charA for constructor String
Generating JC function String_hashCode for method String.hashCode
Generating JC function PrintStream_write_byteA_int_int for method PrintStream.write
Generating JC function String_toLowerCase for method String.toLowerCase
Generating JC function System_gc for method System.gc
Done.
========== file tests/java/Hello.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_StringM{Here}(StringM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_charM{Here}(charM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_byteM{Here}(byteM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic long String_serialVersionUID =
-6849794470754667710

axiomatic in_theory {

  logic InputStream[0..] System_in 
  
}

axiomatic out_theory {

  logic PrintStream[0..] System_out 
  
}

axiomatic err_theory {

  logic PrintStream[0..] System_err 
  
}

String[0..] any_string()
;

tag String = Object with {
  charM[0..] value; 
  int32 offset; 
  int32 count; 
  int32 hash;
}

tag InputStream = Object with {
}

tag OutputStream = Object with {
}

tag Hello = Object with {
}

tag System = Object with {
}

tag FilterOutputStream = OutputStream with {
  OutputStream[0..] out;
}

tag OutputStreamWriter = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag PrintStream = FilterOutputStream with {
  boolean autoFlush; 
  boolean trouble; 
  boolean closing;
}

tag StringBuffer = Object with {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag StringM = Object with {
  String[0..] StringP;
}

tag charM = Object with {
  char charP;
}

tag byteM = Object with {
  byte byteP;
}

boolean non_null_StringM(! StringM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_StringM(! StringM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_charM(! charM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_charM(! charM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_byteM(! byteM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_byteM(! byteM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Hello(! Hello[0] this_6){()}

unit System_runFinalizersOnExit(boolean value_0)
;

unit cons_String_byteA_String(! String[0] this_104, byteM[0..] bytes_1,
                              String[0..] charsetName_0)
{  (this_104.value = null);
   (this_104.offset = 0);
   (this_104.count = 0);
   (this_104.hash = 0)
}

unit cons_PrintStream_OutputStream_boolean_String(! PrintStream[0] this_105,
                                                  OutputStream[0..] out_5,
                                                  boolean autoFlush_1,
                                                  String[0..] encoding)
{  (this_105.autoFlush = false);
   (this_105.trouble = false);
   (this_105.closing = false)
}

String[0..] String_replaceAll(String[0] this_7, String[0..] regex_1,
                              String[0..] replacement_0)
;

unit OutputStream_write_byteA_int_int(OutputStream[0] this_8, byteM[0..] b_1,
                                      int32 off, int32 len)
;

unit FilterOutputStream_write_byteA(FilterOutputStream[0] this_9,
                                    byteM[0..] b_3)
;

unit cons_String_byteA(! String[0] this_106, byteM[0..] bytes_3)
{  (this_106.value = null);
   (this_106.offset = 0);
   (this_106.count = 0);
   (this_106.hash = 0)
}

unit System_checkIO()
;

unit cons_String_byteA_int(! String[0] this_107, byteM[0..] ascii_0,
                           int32 hibyte_0)
{  (this_107.value = null);
   (this_107.offset = 0);
   (this_107.count = 0);
   (this_107.hash = 0)
}

unit cons_PrintStream_OutputStream(! PrintStream[0] this_108,
                                   OutputStream[0..] out_2)
{  (this_108.autoFlush = false);
   (this_108.trouble = false);
   (this_108.closing = false)
}

unit PrintStream_println_int(PrintStream[0] this_10, int32 x_2)
;

unit Object_wait_long(Object[0] this_11, long timeout)
;

unit PrintStream_close(PrintStream[0] this_12)
;

String[0..] String_valueOf_charA_int_int(charM[0..] data_0, int32 offset_5,
                                         int32 count_2)
;

unit cons_PrintStream_OutputStream_boolean(! PrintStream[0] this_109,
                                           OutputStream[0..] out_4,
                                           boolean autoFlush_0)
{  (this_109.autoFlush = false);
   (this_109.trouble = false);
   (this_109.closing = false)
}

long System_currentTimeMillis()
;

int32 String_indexOf_charA_int_int_charA_int_int_int(charM[0..] source,
                                                     int32 sourceOffset,
                                                     int32 sourceCount,
                                                     charM[0..] target,
                                                     int32 targetOffset,
                                                     int32 targetCount,
                                                     int32 fromIndex_2)
;

char String_charAt(String[0] this_13, int32 index_0)
;

Object[0..] Object_clone(Object[0] this_14)
;

byteM[0..] String_getBytes_String(String[0] this_15,
                                  String[0..] charsetName_1)
;

unit PrintStream_init(PrintStream[0] this_16, OutputStreamWriter[0..] osw)
;

String[0..] String_substring_int(String[0] this_17, int32 beginIndex)
;

unit String_getChars(String[0] this_18, int32 srcBegin, int32 srcEnd,
                     charM[0..] dst, int32 dstBegin)
;

unit cons_FilterOutputStream_OutputStream(! FilterOutputStream[0] this_110,
                                          OutputStream[0..] out_1)
{  (this_110.out = null)
}

unit PrintStream_println_boolean(PrintStream[0] this_19, boolean x_0)
;

unit FilterOutputStream_flush(FilterOutputStream[0] this_20)
;

int32 String_indexOf_String_int(String[0] this_21, String[0..] str_1,
                                int32 fromIndex_1)
;

boolean String_equalsIgnoreCase(String[0] this_22, String[0..] anotherString)
;

unit PrintStream_println_Object(PrintStream[0] this_23, Object[0..] x_8)
;

boolean String_equals(String[0] this_24, Object[0..] anObject)
;

String[0..] String_substring_int_int(String[0] this_25, int32 beginIndex_0,
                                     int32 endIndex)
;

int32 String_length(String[0] this_26)
;

unit System_setOut(PrintStream[0..] out)
;

unit PrintStream_ensureOpen(PrintStream[0] this_27)
;

int32 Comparable_compareTo(Object/*interface*/[0..] this_28, Object[0..] o)
;

boolean PrintStream_checkError(PrintStream[0] this_29)
;

unit PrintStream_println_char(PrintStream[0] this_30, char x_1)
;

boolean Object_equals(Object[0] this_31, Object[0..] obj_1)
;

unit PrintStream_newLine(PrintStream[0] this_32)
;

unit OutputStream_write_byteA(OutputStream[0] this_33, byteM[0..] b_0)
;

unit System_loadLibrary(String[0..] libname)
;

unit PrintStream_println_String(PrintStream[0] this_34, String[0..] x_7)
;

int32 Object_hashCode(Object[0] this_35)
;

String[0..] String_valueOf_boolean(boolean b_7)
;

StringM[0..] String_split_String_int(String[0] this_36, String[0..] regex_2,
                                     int32 limit)
;

unit PrintStream_setError(PrintStream[0] this_37)
;

String[0..] String_replace(String[0] this_38, char oldChar, char newChar)
;

char CharSequence_charAt(Object/*interface*/[0..] this_39, int32 index)
;

int32 String_lastIndexOf_int_int(String[0] this_40, int32 ch_2,
                                 int32 fromIndex_0)
;

int32 CharSequence_length(Object/*interface*/[0..] this_41)
;

unit FilterOutputStream_write_int(FilterOutputStream[0] this_42, int32 b_2)
;

unit String_checkBounds(byteM[0..] bytes, int32 offset_1, int32 length_0)
;

unit PrintStream_print_float(PrintStream[0] this_43, real f)
;

String[0..] String_copyValueOf_charA(charM[0..] data_2)
;

int32 String_indexOf_String(String[0] this_44, String[0..] str_0)
;

unit cons_String_byteA_int_int(! String[0] this_111, byteM[0..] bytes_2,
                               int32 offset_3, int32 length_2)
{  (this_111.value = null);
   (this_111.offset = 0);
   (this_111.count = 0);
   (this_111.hash = 0)
}

unit PrintStream_print_String(PrintStream[0] this_45, String[0..] s_1)
;

unit FilterOutputStream_close(FilterOutputStream[0] this_46)
;

unit cons_Object(! Object[0] this_112){()}

unit Object_notify(Object[0] this_47)
;

unit Object_wait_long_int(Object[0] this_48, long timeout_0, int32 nanos)
;

unit OutputStream_write(OutputStream[0] this_49, int32 b)
;

String[0..] String_copyValueOf_charA_int_int(charM[0..] data_1,
                                             int32 offset_6, int32 count_3)
;

int32 String_lastIndexOf_String(String[0] this_50, String[0..] str_2)
;

String[0..] String_valueOf_double(real d_0)
;

String[0..] String_valueOf_long(long l_0)
;

unit Object_wait(Object[0] this_51)
;

unit System_setErr(PrintStream[0..] err)
;

unit PrintStream_print_double(PrintStream[0] this_52, real d)
;

String[0..] Object_toString(Object[0] this_53)
;

unit PrintStream_print_charA(PrintStream[0] this_54, charM[0..] s_0)
;

int32 String_indexOf_int_int(String[0] this_55, int32 ch_0, int32 fromIndex)
;

String[0..] String_toString(String[0] this_56)
;

int32 String_lastIndexOf_String_int(String[0] this_57, String[0..] str_3,
                                    int32 fromIndex_3)
;

unit PrintStream_print_char(PrintStream[0] this_58, char c)
;

unit PrintStream_println_long(PrintStream[0] this_59, long x_3)
;

unit cons_PrintStream_boolean_OutputStream(! PrintStream[0] this_113,
                                           boolean autoFlush,
                                           OutputStream[0..] out_3)
{  (this_113.autoFlush = false);
   (this_113.trouble = false);
   (this_113.closing = false)
}

unit cons_String_int_int_charA(! String[0] this_114, int32 offset_4,
                               int32 count_1, charM[0..] value_3)
{  (this_114.value = null);
   (this_114.offset = 0);
   (this_114.count = 0);
   (this_114.hash = 0)
}

unit System_exit(int32 status)
;

unit cons_OutputStream(! OutputStream[0] this_115){()}

unit System_runFinalization()
;

String[0..] String_valueOf_float(real f_0)
;

String[0..] String_replaceFirst(String[0] this_60, String[0..] regex_0,
                                String[0..] replacement)
;

unit Object_registerNatives()
;

boolean String_endsWith(String[0] this_61, String[0..] suffix)
;

unit PrintStream_write_charA(PrintStream[0] this_62, charM[0..] buf_0)
;

unit PrintStream_println(PrintStream[0] this_63)
;

String[0..] System_getProperty_String(String[0..] key)
;

String[0..] String_valueOf_charA(charM[0..] data)
;

unit System_setErr0(PrintStream[0..] err_0)
;

unit System_arraycopy(Object[0..] src, int32 srcPos, Object[0..] dest,
                      int32 destPos, int32 length)
;

boolean String_startsWith_String_int(String[0] this_64, String[0..] prefix,
                                     int32 toffset_1)
;

boolean String_contentEquals(String[0] this_65, StringBuffer[0..] sb)
;

unit System_initializeSystemClass()
;

int32 String_compareTo_String(String[0] this_66, String[0..] anotherString_0)
;

unit cons_String_byteA_int_int_String(! String[0] this_116,
                                      byteM[0..] bytes_0, int32 offset_2,
                                      int32 length_1, String[0..] charsetName)
{  (this_116.value = null);
   (this_116.offset = 0);
   (this_116.count = 0);
   (this_116.hash = 0)
}

String[0..] String_concat(String[0] this_67, String[0..] str_4)
;

unit Object_finalize(Object[0] this_68)
;

unit PrintStream_println_float(PrintStream[0] this_69, real x_4)
;

unit PrintStream_print_long(PrintStream[0] this_70, long l)
;

String[0..] String_trim(String[0] this_71)
;

Object/*interface*/[0..] CharSequence_subSequence(Object/*interface*/[0..] this_72,
                                                  int32 start, int32 end_0)
;

unit FilterOutputStream_write(FilterOutputStream[0] this_73, byteM[0..] b_4,
                              int32 off_0, int32 len_0)
;

int32 String_indexOf(String[0] this_74, int32 ch)
;

unit String_getBytes_int_int_byteA_int(String[0] this_75, int32 srcBegin_0,
                                       int32 srcEnd_0, byteM[0..] dst_0,
                                       int32 dstBegin_0)
;

unit System_load(String[0..] filename)
;

InputStream[0..] System_nullInputStream()
;

String[0..] System_getenv(String[0..] name)
;

String[0..] String_valueOf_Object(Object[0..] obj_0)
;

unit System_registerNatives()
;

unit PrintStream_println_charA(PrintStream[0] this_76, charM[0..] x_6)
;

String[0..] CharSequence_toString(Object/*interface*/[0..] this_77)
;

String[0..] System_mapLibraryName(String[0..] libname_0)
;

unit cons_String_charA_int_int(! String[0] this_117, charM[0..] value_2,
                               int32 offset, int32 count)
{  (this_117.value = null);
   (this_117.offset = 0);
   (this_117.count = 0);
   (this_117.hash = 0)
}

unit Hello_main(StringM[0..] argv)
{  (K_1 : PrintStream_println_String(System_out, any_string()))
}

StringM[0..] String_split_String(String[0] this_78, String[0..] regex_3)
;

String[0..] String_valueOf_char(char c_0)
;

int32 String_lastIndexOf_charA_int_int_charA_int_int_int(charM[0..] source_0,
                                                         int32 sourceOffset_0,
                                                         int32 sourceCount_0,
                                                         charM[0..] target_0,
                                                         int32 targetOffset_0,
                                                         int32 targetCount_0,
                                                         int32 fromIndex_4)
;

unit cons_String(! String[0] this_118)
{  (this_118.value = null);
   (this_118.offset = 0);
   (this_118.count = 0);
   (this_118.hash = 0)
}

boolean String_matches(String[0] this_79, String[0..] regex)
;

unit PrintStream_print_boolean(PrintStream[0] this_80, boolean b_6)
;

unit PrintStream_flush(PrintStream[0] this_81)
;

byteM[0..] String_getBytes(String[0] this_82)
;

unit System_setOut0(PrintStream[0..] out_0)
;

unit Object_notifyAll(Object[0] this_83)
;

unit PrintStream_println_double(PrintStream[0] this_84, real x_5)
;

int32 String_compareTo_Object(String[0] this_85, Object[0..] o_0)
;

String[0..] String_valueOf(int32 i_0)
;

int32 System_identityHashCode(Object[0..] x)
;

Object/*interface*/[0..] String_subSequence(String[0] this_86,
                                            int32 beginIndex_1,
                                            int32 endIndex_0)
;

unit OutputStream_close(OutputStream[0] this_87)
;

unit cons_String_String(! String[0] this_119, String[0..] original)
{  (this_119.value = null);
   (this_119.offset = 0);
   (this_119.count = 0);
   (this_119.hash = 0)
}

unit PrintStream_print_int(PrintStream[0] this_88, int32 i)
;

unit cons_String_StringBuffer(! String[0] this_120, StringBuffer[0..] buffer)
{  (this_120.value = null);
   (this_120.offset = 0);
   (this_120.count = 0);
   (this_120.hash = 0)
}

charM[0..] String_toCharArray(String[0] this_89)
;

unit cons_String_byteA_int_int_int(! String[0] this_121, byteM[0..] ascii,
                                   int32 hibyte, int32 offset_0,
                                   int32 count_0)
{  (this_121.value = null);
   (this_121.offset = 0);
   (this_121.count = 0);
   (this_121.hash = 0)
}

String[0..] System_setProperty(String[0..] key_1, String[0..] value)
;

String[0..] String_intern(String[0] this_90)
;

int32 String_lastIndexOf(String[0] this_91, int32 ch_1)
;

String[0..] System_getProperty_String_String(String[0..] key_0,
                                             String[0..] def)
;

boolean String_startsWith_String(String[0] this_92, String[0..] prefix_0)
;

int32 String_compareToIgnoreCase(String[0] this_93, String[0..] str)
;

boolean String_regionMatches_int_String_int_int(String[0] this_94,
                                                int32 toffset,
                                                String[0..] other,
                                                int32 ooffset, int32 len_2)
;

unit PrintStream_print(PrintStream[0] this_95, Object[0..] obj)
;

unit OutputStream_flush(OutputStream[0] this_96)
;

unit cons_System(! System[0] this_122){()}

unit PrintStream_write_String(PrintStream[0] this_97, String[0..] s)
;

unit PrintStream_write_int(PrintStream[0] this_98, int32 b_5)
;

PrintStream[0..] System_nullPrintStream()
;

String[0..] String_toUpperCase(String[0] this_99)
;

boolean String_regionMatches_boolean_int_String_int_int(String[0] this_100,
                                                        boolean ignoreCase,
                                                        int32 toffset_0,
                                                        String[0..] other_0,
                                                        int32 ooffset_0,
                                                        int32 len_3)
;

unit cons_String_charA(! String[0] this_123, charM[0..] value_1)
{  (this_123.value = null);
   (this_123.offset = 0);
   (this_123.count = 0);
   (this_123.hash = 0)
}

int32 String_hashCode(String[0] this_101)
;

unit PrintStream_write_byteA_int_int(PrintStream[0] this_102, byteM[0..] buf,
                                     int32 off_1, int32 len_1)
;

String[0..] String_toLowerCase(String[0] this_103)
;

unit System_gc()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Hello.jloc tests/java/Hello.jc && make -f tests/java/Hello.makefile gui"
End:
*/
========== file tests/java/Hello.jloc ==========
[String_replaceAll]
name = "Method replaceAll"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1666
begin = 18
end = 28

[OutputStream_flush]
name = "Method flush"
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 115
begin = 16
end = 21

[String_indexOf]
name = "Method indexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1102
begin = 15
end = 22

[String_indexOf_String]
name = "Method indexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1221
begin = 15
end = 22

[CharSequence_charAt]
name = "Method charAt"
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 56
begin = 9
end = 15

[PrintStream_init]
name = "Method init"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 75
begin = 17
end = 21

[String_compareTo_String]
name = "Method compareTo"
file = "HOME/lib/java_api/java/lang/String.java"
line = 728
begin = 15
end = 24

[String_equalsIgnoreCase]
name = "Method equalsIgnoreCase"
file = "HOME/lib/java_api/java/lang/String.java"
line = 681
begin = 19
end = 35

[String_lastIndexOf_String_int]
name = "Method lastIndexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1333
begin = 15
end = 26

[PrintStream_setError]
name = "Method setError"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 199
begin = 19
end = 27

[String_intern]
name = "Method intern"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2313
begin = 25
end = 31

[String_getBytes_int_int_byteA_int]
name = "Method getBytes"
file = "HOME/lib/java_api/java/lang/String.java"
line = 532
begin = 16
end = 24

[String_split_String_int]
name = "Method split"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1750
begin = 20
end = 25

[PrintStream_println_float]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 541
begin = 16
end = 23

[String_valueOf_boolean]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2216
begin = 25
end = 32

[System_checkIO]
name = "Method checkIO"
file = "HOME/lib/java_api/java/lang/System.java"
line = 175
begin = 24
end = 31

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[String_getChars]
name = "Method getChars"
file = "HOME/lib/java_api/java/lang/String.java"
line = 481
begin = 16
end = 24

[String_indexOf_charA_int_int_charA_int_int_int]
name = "Method indexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1257
begin = 15
end = 22

[PrintStream_write_int]
name = "Method write"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 223
begin = 16
end = 21

[System_mapLibraryName]
name = "Method mapLibraryName"
file = "HOME/lib/java_api/java/lang/System.java"
line = 857
begin = 32
end = 46

[FilterOutputStream_write]
name = "Method write"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 103
begin = 16
end = 21

[cons_String_byteA_String]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 345
begin = 11
end = 17

[System_arraycopy]
name = "Method arraycopy"
file = "HOME/lib/java_api/java/lang/System.java"
line = 374
begin = 30
end = 39

[String_valueOf_long]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2257
begin = 25
end = 32

[String_toCharArray]
name = "Method toCharArray"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2123
begin = 18
end = 29

[String_toLowerCase]
name = "Method toLowerCase"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1904
begin = 18
end = 29

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[String_charAt]
name = "Method charAt"
file = "HOME/lib/java_api/java/lang/String.java"
line = 444
begin = 16
end = 22

[System_load]
name = "Method load"
file = "HOME/lib/java_api/java/lang/System.java"
line = 820
begin = 23
end = 27

[PrintStream_print_charA]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 431
begin = 16
end = 21

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[PrintStream_println_int]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 513
begin = 16
end = 23

[cons_String_String]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 142
begin = 11
end = 17

[PrintStream_print]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 461
begin = 16
end = 21

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[PrintStream_print_int]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 375
begin = 16
end = 21

[PrintStream_println]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 474
begin = 16
end = 23

[cons_String_int_int_charA]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 413
begin = 4
end = 10

[System_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/System.java"
line = 38
begin = 31
end = 46

[String_valueOf_float]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2271
begin = 25
end = 32

[FilterOutputStream_flush]
name = "Method flush"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 122
begin = 16
end = 21

[String_toUpperCase]
name = "Method toUpperCase"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2056
begin = 18
end = 29

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_FilterOutputStream_OutputStream]
name = "Constructor of class FilterOutputStream"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 43
begin = 11
end = 29

[String_startsWith_String]
name = "Method startsWith"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1038
begin = 19
end = 29

[K_1]
file = "HOME/tests/java/Hello.java"
line = 35
begin = 8
end = 44

[String_trim]
name = "Method trim"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2092
begin = 18
end = 22

[System_setErr0]
name = "Method setErr0"
file = "HOME/lib/java_api/java/lang/System.java"
line = 182
begin = 31
end = 38

[String_checkBounds]
name = "Method checkBounds"
file = "HOME/lib/java_api/java/lang/String.java"
line = 283
begin = 24
end = 35

[PrintStream_flush]
name = "Method flush"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 132
begin = 16
end = 21

[FilterOutputStream_close]
name = "Method close"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 138
begin = 16
end = 21

[System_nullInputStream]
name = "Method nullInputStream"
file = "HOME/lib/java_api/java/lang/System.java"
line = 865
begin = 31
end = 46

[cons_String_byteA_int_int]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 371
begin = 11
end = 17

[Comparable_compareTo]
name = "Method compareTo"
file = "HOME/lib/java_api/java/lang/Comparable.java"
line = 121
begin = 15
end = 24

[System_loadLibrary]
name = "Method loadLibrary"
file = "HOME/lib/java_api/java/lang/System.java"
line = 843
begin = 23
end = 34

[String_regionMatches_boolean_int_String_int_int]
name = "Method regionMatches"
file = "HOME/lib/java_api/java/lang/String.java"
line = 950
begin = 19
end = 32

[OutputStream_write]
name = "Method write"
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 45
begin = 25
end = 30

[PrintStream_println_String]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 583
begin = 16
end = 23

[PrintStream_checkError]
name = "Method checkError"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 188
begin = 19
end = 29

[OutputStream_close]
name = "Method close"
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 128
begin = 16
end = 21

[CharSequence_subSequence]
name = "Method subSequence"
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 75
begin = 17
end = 28

[System_currentTimeMillis]
name = "Method currentTimeMillis"
file = "HOME/lib/java_api/java/lang/System.java"
line = 280
begin = 30
end = 47

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[OutputStream_write_byteA_int_int]
name = "Method write"
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 89
begin = 16
end = 21

[cons_PrintStream_boolean_OutputStream]
name = "Constructor of class PrintStream"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 67
begin = 12
end = 23

[cons_PrintStream_OutputStream_boolean_String]
name = "Constructor of class PrintStream"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 113
begin = 11
end = 22

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[String_subSequence]
name = "Method subSequence"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1482
begin = 24
end = 35

[System_setProperty]
name = "Method setProperty"
file = "HOME/lib/java_api/java/lang/System.java"
line = 656
begin = 25
end = 36

[String_indexOf_String_int]
name = "Method indexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1239
begin = 15
end = 22

[String_getBytes]
name = "Method getBytes"
file = "HOME/lib/java_api/java/lang/String.java"
line = 591
begin = 18
end = 26

[cons_String]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 129
begin = 11
end = 17

[String_valueOf_Object]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2138
begin = 25
end = 32

[PrintStream_println_Object]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 597
begin = 16
end = 23

[Hello_main]
name = "Method main"
file = "HOME/tests/java/Hello.java"
line = 34
begin = 23
end = 27

[String_endsWith]
name = "Method endsWith"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1053
begin = 19
end = 27

[String_lastIndexOf]
name = "Method lastIndexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1167
begin = 15
end = 26

[System_runFinalization]
name = "Method runFinalization"
file = "HOME/lib/java_api/java/lang/System.java"
line = 768
begin = 23
end = 38

[String_getBytes_String]
name = "Method getBytes"
file = "HOME/lib/java_api/java/lang/String.java"
line = 572
begin = 18
end = 26

[System_getProperty_String]
name = "Method getProperty"
file = "HOME/lib/java_api/java/lang/System.java"
line = 575
begin = 25
end = 36

[System_exit]
name = "Method exit"
file = "HOME/lib/java_api/java/lang/System.java"
line = 724
begin = 23
end = 27

[String_indexOf_int_int]
name = "Method indexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1134
begin = 15
end = 22

[String_copyValueOf_charA_int_int]
name = "Method copyValueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2191
begin = 25
end = 36

[System_setOut]
name = "Method setOut"
file = "HOME/lib/java_api/java/lang/System.java"
line = 146
begin = 23
end = 29

[System_runFinalizersOnExit]
name = "Method runFinalizersOnExit"
file = "HOME/lib/java_api/java/lang/System.java"
line = 797
begin = 23
end = 42

[PrintStream_print_boolean]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 349
begin = 16
end = 21

[String_compareTo_Object]
name = "Method compareTo"
file = "HOME/lib/java_api/java/lang/String.java"
line = 778
begin = 15
end = 24

[String_valueOf_charA_int_int]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2177
begin = 25
end = 32

[String_matches]
name = "Method matches"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1600
begin = 19
end = 26

[String_lastIndexOf_charA_int_int_charA_int_int_int]
name = "Method lastIndexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1351
begin = 15
end = 26

[String_startsWith_String_int]
name = "Method startsWith"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1007
begin = 19
end = 29

[System_getenv]
name = "Method getenv"
file = "HOME/lib/java_api/java/lang/System.java"
line = 700
begin = 25
end = 31

[String_copyValueOf_charA]
name = "Method copyValueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2204
begin = 25
end = 36

[cons_System]
name = "Constructor of class System"
file = "HOME/lib/java_api/java/lang/System.java"
line = 44
begin = 12
end = 18

[PrintStream_println_charA]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 569
begin = 16
end = 23

[String_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2112
begin = 18
end = 26

[System_setOut0]
name = "Method setOut0"
file = "HOME/lib/java_api/java/lang/System.java"
line = 181
begin = 31
end = 38

[String_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/String.java"
line = 608
begin = 19
end = 25

[String_substring_int]
name = "Method substring"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1414
begin = 18
end = 27

[cons_PrintStream_OutputStream_boolean]
name = "Constructor of class PrintStream"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 92
begin = 11
end = 22

[PrintStream_newLine]
name = "Method newLine"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 318
begin = 17
end = 24

[String_substring_int_int]
name = "Method substring"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1440
begin = 18
end = 27

[PrintStream_write_byteA_int_int]
name = "Method write"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 254
begin = 16
end = 21

[String_compareToIgnoreCase]
name = "Method compareToIgnoreCase"
file = "HOME/lib/java_api/java/lang/String.java"
line = 846
begin = 15
end = 34

[System_getProperty_String_String]
name = "Method getProperty"
file = "HOME/lib/java_api/java/lang/System.java"
line = 614
begin = 25
end = 36

[System_identityHashCode]
name = "Method identityHashCode"
file = "HOME/lib/java_api/java/lang/System.java"
line = 389
begin = 29
end = 45

[String_valueOf_double]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2285
begin = 25
end = 32

[String_lastIndexOf_String]
name = "Method lastIndexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1315
begin = 15
end = 26

[CharSequence_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 84
begin = 18
end = 26

[PrintStream_print_long]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 389
begin = 16
end = 21

[PrintStream_write_String]
name = "Method write"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 299
begin = 17
end = 22

[PrintStream_println_long]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 527
begin = 16
end = 23

[cons_Hello]
name = "Constructor of class Hello"
file = "HOME/"
line = 0
begin = -1
end = -1

[String_valueOf]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2243
begin = 25
end = 32

[String_lastIndexOf_int_int]
name = "Method lastIndexOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1194
begin = 15
end = 26

[String_valueOf_char]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2228
begin = 25
end = 32

[FilterOutputStream_write_int]
name = "Method write"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 59
begin = 16
end = 21

[cons_PrintStream_OutputStream]
name = "Constructor of class PrintStream"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 55
begin = 11
end = 22

[System_initializeSystemClass]
name = "Method initializeSystemClass"
file = "HOME/lib/java_api/java/lang/System.java"
line = 882
begin = 24
end = 45

[String_replaceFirst]
name = "Method replaceFirst"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1633
begin = 18
end = 30

[String_regionMatches_int_String_int_int]
name = "Method regionMatches"
file = "HOME/lib/java_api/java/lang/String.java"
line = 881
begin = 19
end = 32

[PrintStream_close]
name = "Method close"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 152
begin = 16
end = 21

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[PrintStream_println_boolean]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 485
begin = 16
end = 23

[String_valueOf_charA]
name = "Method valueOf"
file = "HOME/lib/java_api/java/lang/String.java"
line = 2152
begin = 25
end = 32

[System_setErr]
name = "Method setErr"
file = "HOME/lib/java_api/java/lang/System.java"
line = 170
begin = 23
end = 29

[cons_String_byteA_int]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 275
begin = 11
end = 17

[String_contentEquals]
name = "Method contentEquals"
file = "HOME/lib/java_api/java/lang/String.java"
line = 640
begin = 19
end = 32

[PrintStream_print_double]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 417
begin = 16
end = 21

[PrintStream_ensureOpen]
name = "Method ensureOpen"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 121
begin = 17
end = 27

[cons_String_charA]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 167
begin = 11
end = 17

[String_replace]
name = "Method replace"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1546
begin = 18
end = 25

[System_nullPrintStream]
name = "Method nullPrintStream"
file = "HOME/lib/java_api/java/lang/System.java"
line = 873
begin = 31
end = 46

[cons_String_byteA_int_int_String]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 316
begin = 11
end = 17

[PrintStream_print_float]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 403
begin = 16
end = 21

[cons_OutputStream]
name = "Constructor of class OutputStream"
file = "HOME/"
line = 0
begin = -1
end = -1

[FilterOutputStream_write_byteA]
name = "Method write"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 79
begin = 16
end = 21

[PrintStream_println_double]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 555
begin = 16
end = 23

[OutputStream_write_byteA]
name = "Method write"
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 57
begin = 16
end = 21

[PrintStream_print_char]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 361
begin = 16
end = 21

[System_gc]
name = "Method gc"
file = "HOME/lib/java_api/java/lang/System.java"
line = 746
begin = 23
end = 25

[PrintStream_print_String]
name = "Method print"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 444
begin = 16
end = 21

[PrintStream_println_char]
name = "Method println"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 499
begin = 16
end = 23

[cons_String_StringBuffer]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 403
begin = 11
end = 17

[cons_String_byteA_int_int_int]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 234
begin = 11
end = 17

[String_concat]
name = "Method concat"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1506
begin = 18
end = 24

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[String_length]
name = "Method length"
file = "HOME/lib/java_api/java/lang/String.java"
line = 427
begin = 15
end = 21

[String_split_String]
name = "Method split"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1792
begin = 20
end = 25

[String_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/String.java"
line = 1070
begin = 15
end = 23

[PrintStream_write_charA]
name = "Method write"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 277
begin = 17
end = 22

[CharSequence_length]
name = "Method length"
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 40
begin = 8
end = 14

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[cons_String_byteA]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 391
begin = 11
end = 17

[cons_String_charA_int_int]
name = "Constructor of class String"
file = "HOME/lib/java_api/java/lang/String.java"
line = 189
begin = 11
end = 17

========== jessie execution ==========
Generating Why function cons_Hello
Generating Why function cons_String_byteA_String
Generating Why function cons_PrintStream_OutputStream_boolean_String
Generating Why function cons_String_byteA
Generating Why function cons_String_byteA_int
Generating Why function cons_PrintStream_OutputStream
Generating Why function cons_PrintStream_OutputStream_boolean
Generating Why function cons_FilterOutputStream_OutputStream
Generating Why function cons_String_byteA_int_int
Generating Why function cons_Object
Generating Why function cons_PrintStream_boolean_OutputStream
Generating Why function cons_String_int_int_charA
Generating Why function cons_OutputStream
Generating Why function cons_String_byteA_int_int_String
Generating Why function cons_String_charA_int_int
Generating Why function Hello_main
Generating Why function cons_String
Generating Why function cons_String_String
Generating Why function cons_String_StringBuffer
Generating Why function cons_String_byteA_int_int_int
Generating Why function cons_System
Generating Why function cons_String_charA
========== file tests/java/Hello.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Hello.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Hello.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Hello_why.sx

project: why/Hello.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Hello_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Hello_why.vo

coq/Hello_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Hello_why.v: why/Hello.why
	@echo 'why -coq [...] why/Hello.why' && $(WHY) $(JESSIELIBFILES) why/Hello.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Hello_ctx_why.vo
	for f in why/*_po*.why; do make -f Hello.makefile coq/`basename $$f .why`_why.v ; done

coq/Hello_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Hello_ctx_why.v: why/Hello_ctx.why
	@echo 'why -coq [...] why/Hello_ctx.why' && $(WHY) why/Hello_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Hello_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Hello_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Hello_ctx_why.vo

pvs: pvs/Hello_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Hello_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Hello_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Hello_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Hello_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Hello_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Hello_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Hello_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Hello_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Hello_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Hello_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Hello_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Hello_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Hello_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Hello_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Hello.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Hello_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Hello.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Hello.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Hello.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Hello.depend

depend: coq/Hello_why.v
	-$(COQDEP) -I coq coq/Hello*_why.v > Hello.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Hello.loc ==========
[JC_451]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_294]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1079]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1055]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_421]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_798]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_915]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_774]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_617]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_1291]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_964]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_825]
file = "HOME/lib/java_api/java/lang/String.java"
line = 640
begin = 19
end = 32

[JC_327]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1440
begin = 18
end = 27

[JC_544]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1133]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1031]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1219]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1116]
file = "HOME/lib/java_api/java/lang/System.java"
line = 389
begin = 29
end = 45

[JC_871]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 541
begin = 16
end = 23

[JC_410]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_180]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1322]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1172]
file = "HOME/lib/java_api/java/lang/String.java"
line = 234
begin = 11
end = 17

[JC_473]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1194
begin = 15
end = 26

[JC_394]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_460]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_491]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_201]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 92
begin = 11
end = 22

[JC_1287]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1033]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_813]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_513]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2204
begin = 25
end = 36

[JC_194]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1228]
file = "HOME/lib/java_api/java/lang/String.java"
line = 881
begin = 19
end = 32

[JC_810]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_734]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_642]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_323]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1318]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 254
begin = 16
end = 21

[JC_1253]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_902]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1043]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/Hello.jc"
line = 125
begin = 11
end = 103

[JC_934]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_699]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1251]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_726]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_925]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/Hello.jc"
line = 135
begin = 8
end = 31

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1132]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 128
begin = 16
end = 21

[JC_733]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_195]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1280]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/Hello.jc"
line = 124
begin = 10
end = 18

[JC_827]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1198]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1167
begin = 15
end = 26

[JC_1136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1038]
file = "HOME/lib/java_api/java/lang/String.java"
line = 129
begin = 11
end = 17

[JC_646]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_794]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1337]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_781]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1028]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1351
begin = 15
end = 26

[JC_1258]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_415]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 583
begin = 16
end = 23

[JC_405]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PrintStream_OutputStream_boolean_safety]
name = "Constructor of class PrintStream"
behavior = "Safety"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 92
begin = 11
end = 22

[JC_953]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2138
begin = 25
end = 32

[JC_696]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_411]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_634]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_359]
file = "HOME/lib/java_api/java/lang/Comparable.java"
line = 121
begin = 15
end = 24

[JC_1264]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_687]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 527
begin = 16
end = 23

[JC_417]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 583
begin = 16
end = 23

[JC_36]
file = "HOME/tests/java/Hello.jc"
line = 131
begin = 10
end = 18

[JC_1097]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_386]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_340]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_291]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/lib/java_api/java/lang/String.java"
line = 391
begin = 11
end = 17

[JC_1015]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 513
begin = 16
end = 23

[JC_1125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_599]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2285
begin = 25
end = 32

[JC_420]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_314]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/tests/java/Hello.jc"
line = 155
begin = 8
end = 23

[JC_1218]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_881]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 389
begin = 16
end = 21

[JC_936]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_int_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 371
begin = 11
end = 17

[JC_329]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1440
begin = 18
end = 27

[JC_328]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_838]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_583]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2191
begin = 25
end = 36

[JC_1123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2177
begin = 25
end = 32

[JC_1236]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 461
begin = 16
end = 21

[JC_1014]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1792
begin = 20
end = 25

[JC_387]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_884]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_744]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_980]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_459]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_372]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_440]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/tests/java/Hello.jc"
line = 137
begin = 10
end = 18

[JC_1150]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 375
begin = 16
end = 21

[JC_199]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 92
begin = 11
end = 22

[JC_56]
file = "HOME/tests/java/Hello.jc"
line = 144
begin = 10
end = 18

[JC_929]
file = "HOME/lib/java_api/java/lang/System.java"
line = 820
begin = 23
end = 27

[JC_1307]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1270]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 223
begin = 16
end = 21

[JC_704]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_370]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_524]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_859]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1317]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1294]
file = "HOME/lib/java_api/java/lang/String.java"
line = 950
begin = 19
end = 32

[JC_43]
file = "HOME/tests/java/Hello.jc"
line = 138
begin = 11
end = 103

[cons_String_byteA_int_int_int_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 234
begin = 11
end = 17

[JC_783]
file = "HOME/lib/java_api/java/lang/System.java"
line = 575
begin = 25
end = 36

[JC_1121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_944]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/lib/java_api/java/lang/String.java"
line = 345
begin = 11
end = 17

[JC_1067]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_343]
file = "HOME/lib/java_api/java/lang/System.java"
line = 146
begin = 23
end = 29

[JC_1152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_754]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1196]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1167
begin = 15
end = 26

[JC_830]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1306]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1245]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_760]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_504]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_281]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 485
begin = 16
end = 23

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_721]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_581]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1076]
file = "HOME/lib/java_api/java/lang/System.java"
line = 181
begin = 31
end = 38

[JC_257]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1414
begin = 18
end = 27

[JC_161]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 55
begin = 11
end = 22

[JC_333]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_605]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1252]
file = "HOME/lib/java_api/java/lang/System.java"
line = 44
begin = 12
end = 18

[JC_831]
file = "HOME/lib/java_api/java/lang/System.java"
line = 882
begin = 24
end = 45

[JC_1330]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_834]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PrintStream_OutputStream_boolean_ensures_default]
name = "Constructor of class PrintStream"
behavior = "default behavior"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 92
begin = 11
end = 22

[JC_1185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1062]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 132
begin = 16
end = 21

[JC_229]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_951]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2138
begin = 25
end = 32

[JC_564]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_500]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_882]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1008]
kind = UserCall
file = "HOME/tests/java/Hello.jc"
line = 589
begin = 10
end = 62

[JC_731]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_633]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 417
begin = 16
end = 21

[JC_620]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_684]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_615]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_1099]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1046]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1600
begin = 19
end = 26

[JC_994]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_741]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_479]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 40
begin = 8
end = 14

[JC_198]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_285]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_695]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 67
begin = 12
end = 23

[JC_422]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1041]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1032]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_678]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_627]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_381]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/tests/java/Hello.jc"
line = 155
begin = 8
end = 23

[JC_380]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1312]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1319]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_896]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_365]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_251]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_376]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1310]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1070
begin = 15
end = 23

[JC_1018]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_844]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_963]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1156]
file = "HOME/lib/java_api/java/lang/String.java"
line = 403
begin = 11
end = 17

[JC_720]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_906]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_986]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_675]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_804]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_593]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1315
begin = 15
end = 26

[JC_492]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_300]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_319]
file = "HOME/lib/java_api/java/lang/String.java"
line = 608
begin = 19
end = 25

[JC_995]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_347]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_735]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2271
begin = 25
end = 32

[JC_1165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_550]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_231]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_809]
file = "HOME/lib/java_api/java/lang/System.java"
line = 374
begin = 30
end = 39

[JC_1026]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_857]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1506
begin = 18
end = 24

[JC_643]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_553]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_768]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_350]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_528]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_356]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_568]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_298]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1229]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_481]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 40
begin = 8
end = 14

[JC_664]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_427]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_332]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_710]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_795]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_713]
file = "HOME/lib/java_api/java/lang/System.java"
line = 724
begin = 23
end = 27

[JC_237]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_367]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 188
begin = 19
end = 29

[JC_1286]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2056
begin = 18
end = 29

[JC_875]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1324]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1904
begin = 18
end = 29

[JC_1074]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_charA_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 167
begin = 11
end = 17

[JC_686]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_997]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_578]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_893]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_516]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_903]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 103
begin = 16
end = 21

[JC_1262]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 299
begin = 17
end = 22

[JC_215]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1257
begin = 15
end = 22

[JC_869]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_850]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_charA_int_int_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 189
begin = 11
end = 17

[JC_242]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_877]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_305]
file = "HOME/lib/java_api/java/lang/String.java"
line = 681
begin = 19
end = 35

[JC_252]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1159]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1180]
file = "HOME/lib/java_api/java/lang/System.java"
line = 656
begin = 25
end = 36

[JC_846]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_charA_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 167
begin = 11
end = 17

[JC_274]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_485]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_551]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1210]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_968]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_765]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_742]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_446]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_907]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_int_int_charA_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 413
begin = 4
end = 10

[JC_666]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_425]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_310]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_670]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_471]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1194
begin = 15
end = 26

[JC_648]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_891]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_916]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_736]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_575]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 45
begin = 25
end = 30

[JC_490]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_988]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_418]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 113
begin = 11
end = 22

[JC_245]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_429]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_353]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 121
begin = 17
end = 27

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_958]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1260]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 299
begin = 17
end = 22

[JC_1069]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_259]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_706]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_532]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_445]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_996]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_880]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_287]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 122
begin = 16
end = 21

[JC_49]
file = "HOME/tests/java/Hello.jc"
line = 142
begin = 8
end = 22

[JC_1]
file = "HOME/tests/java/Hello.jc"
line = 50
begin = 12
end = 22

[JC_854]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_771]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1095]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1110]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2243
begin = 25
end = 32

[JC_737]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2271
begin = 25
end = 32

[JC_1166]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2123
begin = 18
end = 29

[JC_1057]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_861]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_249]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 75
begin = 17
end = 21

[JC_66]
file = "HOME/tests/java/Hello.jc"
line = 150
begin = 10
end = 18

[JC_918]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_950]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_943]
file = "HOME/lib/java_api/java/lang/System.java"
line = 700
begin = 25
end = 31

[JC_876]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_749]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_228]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_863]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_495]
file = "HOME/lib/java_api/java/lang/String.java"
line = 283
begin = 24
end = 35

[JC_384]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_352]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1045]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_489]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 59
begin = 16
end = 21

[JC_244]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_230]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_728]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_275]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_234]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1048]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1053]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_777]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 474
begin = 16
end = 23

[JC_577]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 45
begin = 25
end = 30

[JC_708]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_467]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_727]
file = "HOME/lib/java_api/java/lang/System.java"
line = 768
begin = 23
end = 38

[JC_221]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_952]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_862]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_778]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/tests/java/Hello.jc"
line = 142
begin = 8
end = 22

[JC_766]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_780]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_382]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_784]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_689]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 527
begin = 16
end = 23

[JC_1108]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2243
begin = 25
end = 32

[JC_442]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1233]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_935]
file = "HOME/lib/java_api/java/lang/System.java"
line = 865
begin = 31
end = 46

[JC_933]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_587]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_248]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/tests/java/Hello.jc"
line = 150
begin = 10
end = 18

[JC_457]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1546
begin = 18
end = 25

[JC_366]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1078]
file = "HOME/lib/java_api/java/lang/System.java"
line = 181
begin = 31
end = 38

[JC_1297]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1201]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_897]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 75
begin = 17
end = 28

[JC_379]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1256]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_346]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1065]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_820]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_622]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_693]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_307]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_465]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 56
begin = 9
end = 15

[JC_772]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_740]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_832]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_626]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_205]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1024]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/java/Hello.jc"
line = 145
begin = 11
end = 66

[JC_369]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 188
begin = 19
end = 29

[JC_354]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_926]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_241]
file = "HOME/lib/java_api/java/lang/String.java"
line = 572
begin = 18
end = 26

[JC_973]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_966]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_938]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_358]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_563]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1338]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_759]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1053
begin = 19
end = 27

[JC_923]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_558]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_659]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_468]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_271]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 43
begin = 11
end = 29

[JC_1124]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1482
begin = 24
end = 35

[JC_999]
file = "HOME/tests/java/Hello.java"
line = 34
begin = 23
end = 27

[JC_270]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_975]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 84
begin = 18
end = 26

[JC_547]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_426]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/Hello.jc"
line = 119
begin = 11
end = 66

[JC_539]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_892]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_246]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Hello.jc"
line = 116
begin = 8
end = 24

[JC_954]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_569]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_185]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 152
begin = 16
end = 21

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_639]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_1101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_412]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_904]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_899]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_971]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_949]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_913]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1102
begin = 15
end = 22

[JC_752]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_472]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Hello_ensures_default]
name = "Constructor of class Hello"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1283]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_322]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_590]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_992]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_873]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 541
begin = 16
end = 23

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_816]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_308]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1212]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1038
begin = 19
end = 29

[JC_223]
file = "HOME/lib/java_api/java/lang/String.java"
line = 444
begin = 16
end = 22

[JC_129]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 79
begin = 16
end = 21

[JC_883]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1309]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/Hello.jc"
line = 148
begin = 8
end = 31

[JC_254]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_243]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_276]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_847]
file = "HOME/lib/java_api/java/lang/String.java"
line = 316
begin = 11
end = 17

[JC_557]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_432]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PrintStream_boolean_OutputStream_ensures_default]
name = "Constructor of class PrintStream"
behavior = "default behavior"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 67
begin = 12
end = 23

[JC_470]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_753]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_998]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_507]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_515]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_792]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_435]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/java/Hello.jc"
line = 131
begin = 10
end = 18

[JC_993]
file = "HOME/lib/java_api/java/lang/String.java"
line = 189
begin = 11
end = 17

[JC_1084]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_888]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_697]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 67
begin = 12
end = 23

[JC_852]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_225]
file = "HOME/lib/java_api/java/lang/String.java"
line = 444
begin = 16
end = 22

[JC_890]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_723]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_618]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_889]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2092
begin = 18
end = 22

[JC_812]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_324]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_523]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_845]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_796]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_390]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1091]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_688]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1092]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 555
begin = 16
end = 23

[JC_1087]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_253]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_819]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_612]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_598]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_606]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_782]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_652]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_344]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1240]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_187]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_543]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 138
begin = 16
end = 21

[JC_309]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1064]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_591]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1315
begin = 15
end = 26

[JC_336]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1261]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_823]
file = "HOME/lib/java_api/java/lang/String.java"
line = 640
begin = 19
end = 32

[JC_609]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2257
begin = 25
end = 32

[JC_709]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_625]
file = "HOME/lib/java_api/java/lang/System.java"
line = 170
begin = 23
end = 29

[JC_63]
file = "HOME/tests/java/Hello.jc"
line = 151
begin = 11
end = 103

[JC_1301]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_520]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_610]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_197]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_579]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/java/Hello.jc"
line = 138
begin = 11
end = 103

[JC_956]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_361]
file = "HOME/lib/java_api/java/lang/Comparable.java"
line = 121
begin = 15
end = 24

[JC_1316]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 254
begin = 16
end = 21

[JC_608]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_408]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_339]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1187]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_930]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_406]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_400]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1023]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_227]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1100]
file = "HOME/lib/java_api/java/lang/String.java"
line = 778
begin = 15
end = 24

[JC_839]
file = "HOME/lib/java_api/java/lang/String.java"
line = 728
begin = 15
end = 24

[JC_623]
file = "HOME/lib/java_api/java/lang/System.java"
line = 170
begin = 23
end = 29

[JC_886]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_527]
file = "HOME/lib/java_api/java/lang/String.java"
line = 371
begin = 11
end = 17

[JC_1214]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1038
begin = 19
end = 29

[JC_1225]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_434]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_761]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1053
begin = 19
end = 27

[JC_1299]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_879]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 389
begin = 16
end = 21

[JC_533]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_791]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2152
begin = 25
end = 32

[JC_236]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_556]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_458]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1009]
kind = IndexBounds
file = "HOME/tests/java/Hello.jc"
line = 589
begin = 10
end = 62

[JC_193]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2177
begin = 25
end = 32

[JC_1275]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1295]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_714]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_282]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_826]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_371]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_991]
file = "HOME/lib/java_api/java/lang/String.java"
line = 189
begin = 11
end = 17

[JC_592]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_232]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1320]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/Hello.jc"
line = 144
begin = 10
end = 18

[JC_990]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_654]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1259]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1012]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1792
begin = 20
end = 25

[JC_836]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_455]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1546
begin = 18
end = 25

[JC_644]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_922]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1329]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1025]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_660]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1335]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_548]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1254]
file = "HOME/lib/java_api/java/lang/System.java"
line = 44
begin = 12
end = 18

[JC_398]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1052]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 349
begin = 16
end = 21

[JC_1039]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_840]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_681]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 361
begin = 16
end = 21

[JC_1112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_722]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_822]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_572]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_514]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1013]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 275
begin = 11
end = 17

[JC_1242]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1249]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_870]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_614]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_454]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_341]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1177]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1206]
file = "HOME/lib/java_api/java/lang/System.java"
line = 614
begin = 25
end = 36

[JC_1292]
file = "HOME/lib/java_api/java/lang/String.java"
line = 950
begin = 19
end = 32

[JC_874]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1246]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 115
begin = 16
end = 21

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_927]
file = "HOME/lib/java_api/java/lang/System.java"
line = 820
begin = 23
end = 27

[JC_712]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_803]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_596]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_566]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/Hello.jc"
line = 151
begin = 11
end = 103

[JC_1239]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_511]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2204
begin = 25
end = 36

[JC_395]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_905]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 103
begin = 16
end = 21

[JC_1083]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_738]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_266]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_214]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_303]
file = "HOME/lib/java_api/java/lang/String.java"
line = 681
begin = 19
end = 35

[JC_258]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PrintStream_OutputStream_ensures_default]
name = "Constructor of class PrintStream"
behavior = "default behavior"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 55
begin = 11
end = 22

[JC_1243]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1070]
file = "HOME/lib/java_api/java/lang/String.java"
line = 591
begin = 18
end = 26

[JC_959]
file = "HOME/lib/java_api/java/lang/System.java"
line = 38
begin = 31
end = 46

[JC_145]
file = "HOME/lib/java_api/java/lang/System.java"
line = 175
begin = 24
end = 31

[JC_898]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_209]
file = "HOME/lib/java_api/java/lang/System.java"
line = 280
begin = 30
end = 47

[JC_1267]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1666
begin = 18
end = 28

[JC_1104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_349]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1232]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1197]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_211]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1326]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1904
begin = 18
end = 29

[JC_974]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_588]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_262]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1226]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_637]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_775]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 474
begin = 16
end = 23

[JC_841]
file = "HOME/lib/java_api/java/lang/String.java"
line = 728
begin = 15
end = 24

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1288]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1072]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_984]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1030]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1351
begin = 15
end = 26

[JC_941]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_748]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_437]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1314]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_210]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1247]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_423]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_510]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_478]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_297]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1239
begin = 15
end = 22

[JC_1203]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_762]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_494]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 129
begin = 11
end = 17

[JC_373]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_848]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_817]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1007
begin = 19
end = 29

[JC_1303]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1296]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1222]
file = "HOME/lib/java_api/java/lang/String.java"
line = 846
begin = 15
end = 34

[JC_1217]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_453]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1282]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_842]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_920]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_914]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/lib/java_api/java/lang/System.java"
line = 175
begin = 24
end = 31

[JC_113]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1666
begin = 18
end = 28

[JC_1155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_448]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_945]
file = "HOME/lib/java_api/java/lang/System.java"
line = 700
begin = 25
end = 31

[JC_404]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_475]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1188]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2313
begin = 25
end = 31

[JC_1148]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 375
begin = 16
end = 21

[JC_320]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1305]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1002]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_683]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_502]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1308]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1070
begin = 15
end = 23

[JC_1086]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_1313]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1281]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_536]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1193]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1250]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_280]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1056]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_976]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_931]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_865]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_858]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1060]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 132
begin = 16
end = 21

[JC_967]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 569
begin = 16
end = 23

[JC_375]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 499
begin = 16
end = 23

[JC_9]
file = "HOME/tests/java/Hello.jc"
line = 116
begin = 8
end = 24

[JC_690]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_315]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1049]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_860]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_486]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1066]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_924]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1274]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_724]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1194]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_594]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_357]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1231]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_561]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_656]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_673]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1333
begin = 15
end = 26

[JC_326]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_616]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_String_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 345
begin = 11
end = 17

[JC_1190]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2313
begin = 25
end = 31

[JC_802]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_665]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2112
begin = 18
end = 26

[JC_1061]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_694]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_430]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_909]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_955]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_833]
file = "HOME/lib/java_api/java/lang/System.java"
line = 882
begin = 24
end = 45

[JC_1126]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1482
begin = 24
end = 35

[JC_1202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_403]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_589]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_917]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_661]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_595]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1273]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_940]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1241]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_362]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_295]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1239
begin = 15
end = 22

[JC_268]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_449]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 199
begin = 19
end = 27

[JC_1248]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_304]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_String_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 142
begin = 11
end = 17

[JC_650]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1093]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_526]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_851]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_921]
file = "HOME/lib/java_api/java/lang/String.java"
line = 532
begin = 16
end = 24

[JC_790]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_773]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1170]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_705]
file = "HOME/lib/java_api/java/lang/String.java"
line = 413
begin = 4
end = 10

[JC_103]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 113
begin = 11
end = 22

[JC_1279]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1036]
file = "HOME/lib/java_api/java/lang/String.java"
line = 129
begin = 11
end = 17

[JC_509]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_289]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 122
begin = 16
end = 21

[JC_302]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1220]
file = "HOME/lib/java_api/java/lang/String.java"
line = 846
begin = 15
end = 34

[JC_33]
file = "HOME/tests/java/Hello.jc"
line = 132
begin = 11
end = 66

[JC_296]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_290]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_567]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_29]
file = "HOME/tests/java/Hello.jc"
line = 129
begin = 8
end = 22

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1098]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_360]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/Hello.jc"
line = 118
begin = 10
end = 18

[JC_335]
file = "HOME/lib/java_api/java/lang/String.java"
line = 427
begin = 15
end = 21

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/lib/java_api/java/lang/String.java"
line = 345
begin = 11
end = 17

[JC_318]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1169]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_int_String_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 316
begin = 11
end = 17

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/Hello.jc"
line = 118
begin = 10
end = 18

[JC_981]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_653]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1321]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_645]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_181]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1278]
file = "HOME/lib/java_api/java/lang/System.java"
line = 873
begin = 31
end = 46

[JC_538]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/lib/java_api/java/lang/System.java"
line = 797
begin = 23
end = 42

[JC_1263]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1077]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_int_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 371
begin = 11
end = 17

[JC_293]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1059]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1089]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_718]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_217]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1257
begin = 15
end = 22

[JC_338]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_894]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_402]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1010]
kind = UserCall
file = "HOME/tests/java/Hello.jc"
line = 589
begin = 49
end = 61

[JC_1111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_364]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1140]
file = "HOME/lib/java_api/java/lang/String.java"
line = 142
begin = 11
end = 17

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1204]
file = "HOME/lib/java_api/java/lang/System.java"
line = 614
begin = 25
end = 36

[JC_1051]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_409]
file = "HOME/lib/java_api/java/lang/System.java"
line = 843
begin = 23
end = 34

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1276]
file = "HOME/lib/java_api/java/lang/System.java"
line = 873
begin = 31
end = 46

[JC_559]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1068]
file = "HOME/lib/java_api/java/lang/String.java"
line = 591
begin = 18
end = 26

[JC_580]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_555]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_483]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_OutputStream_ensures_default]
name = "Constructor of class OutputStream"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_604]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_597]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_279]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 485
begin = 16
end = 23

[JC_306]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_207]
file = "HOME/lib/java_api/java/lang/System.java"
line = 280
begin = 30
end = 47

[JC_655]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1134
begin = 15
end = 22

[JC_611]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1027]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_203]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1004]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_313]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 597
begin = 16
end = 23

[JC_756]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1271]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_FilterOutputStream_OutputStream_safety]
name = "Constructor of class FilterOutputStream"
behavior = "Safety"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 43
begin = 11
end = 29

[Hello_main_ensures_default]
name = "Method main"
behavior = "default behavior"
file = "HOME/tests/java/Hello.java"
line = 34
begin = 23
end = 27

[JC_546]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_265]
file = "HOME/lib/java_api/java/lang/String.java"
line = 481
begin = 16
end = 24

[JC_900]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_691]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1007]
kind = UserCall
file = "HOME/tests/java/Hello.jc"
line = 589
begin = 49
end = 61

[JC_1144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_635]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_818]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_716]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_493]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_787]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_247]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 75
begin = 17
end = 21

[JC_969]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 569
begin = 16
end = 23

[JC_137]
file = "HOME/lib/java_api/java/lang/String.java"
line = 391
begin = 11
end = 17

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_466]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_866]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_658]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_628]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_641]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_530]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1047]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1022]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2228
begin = 25
end = 32

[cons_System_ensures_default]
name = "Constructor of class System"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/System.java"
line = 44
begin = 12
end = 18

[JC_260]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_212]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1189]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_707]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_571]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_474]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_770]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_542]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_702]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_278]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1235]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_663]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2112
begin = 18
end = 26

[JC_334]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1265]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1102]
file = "HOME/lib/java_api/java/lang/String.java"
line = 778
begin = 15
end = 24

[JC_1331]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1090]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_960]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_867]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1333]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_745]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1633
begin = 18
end = 30

[JC_464]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_985]
file = "HOME/lib/java_api/java/lang/System.java"
line = 857
begin = 32
end = 46

[cons_String_byteA_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 391
begin = 11
end = 17

[JC_87]
file = "HOME/lib/java_api/java/lang/System.java"
line = 797
begin = 23
end = 42

[JC_1268]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 223
begin = 16
end = 21

[JC_560]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/Hello.jc"
line = 119
begin = 11
end = 66

[JC_1298]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1071]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_939]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_835]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_788]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_368]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_321]
file = "HOME/lib/java_api/java/lang/String.java"
line = 608
begin = 19
end = 25

[JC_805]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_685]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_629]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_int_int_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 234
begin = 11
end = 17

[JC_1000]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_668]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_299]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 79
begin = 16
end = 21

[JC_171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Hello.jc"
line = 137
begin = 10
end = 18

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1181]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_730]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_540]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_477]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1266]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_987]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1158]
file = "HOME/lib/java_api/java/lang/String.java"
line = 403
begin = 11
end = 17

[JC_348]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_853]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1011]
kind = UserCall
file = "HOME/tests/java/Hello.jc"
line = 589
begin = 10
end = 62

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1073]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_937]
file = "HOME/lib/java_api/java/lang/System.java"
line = 865
begin = 31
end = 46

[JC_159]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 55
begin = 11
end = 22

[JC_828]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_517]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_393]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 318
begin = 17
end = 24

[JC_586]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_895]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 75
begin = 17
end = 28

[JC_554]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_277]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_288]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_283]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1237]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_815]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1007
begin = 19
end = 29

[JC_484]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/java/Hello.jc"
line = 145
begin = 11
end = 66

[JC_1238]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 461
begin = 16
end = 21

[JC_414]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 391
begin = 11
end = 17

[JC_21]
file = "HOME/tests/java/Hello.jc"
line = 122
begin = 8
end = 33

[JC_1269]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_977]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 84
begin = 18
end = 26

[JC_758]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_743]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1633
begin = 18
end = 30

[JC_77]
file = "HOME/tests/java/Hello.jc"
line = 157
begin = 11
end = 65

[JC_602]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_charA_int_int_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 189
begin = 11
end = 17

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_String_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 345
begin = 11
end = 17

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_399]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 57
begin = 16
end = 21

[JC_59]
file = "HOME/tests/java/Hello.jc"
line = 148
begin = 8
end = 31

[cons_OutputStream_safety]
name = "Constructor of class OutputStream"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_355]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_342]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_397]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_576]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Hello.jc"
line = 50
begin = 12
end = 22

[JC_1080]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1003]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_957]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_377]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 499
begin = 16
end = 23

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_965]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 152
begin = 16
end = 21

[JC_1119]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_692]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 89
begin = 16
end = 21

[JC_786]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_671]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1333
begin = 15
end = 26

[cons_String_StringBuffer_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 403
begin = 11
end = 17

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_462]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_698]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_498]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_311]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 597
begin = 16
end = 23

[JC_286]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1205]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1134]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 128
begin = 16
end = 21

[JC_1001]
file = "HOME/tests/java/Hello.java"
line = 34
begin = 23
end = 27

[cons_PrintStream_OutputStream_safety]
name = "Constructor of class PrintStream"
behavior = "Safety"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 55
begin = 11
end = 22

[JC_534]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_363]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_619]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_978]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_719]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_233]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_1147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_948]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_177]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_461]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1323]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_970]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_757]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_732]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_392]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_746]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_519]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1221
begin = 15
end = 22

[JC_316]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_565]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_636]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_436]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1034]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_961]
file = "HOME/lib/java_api/java/lang/System.java"
line = 38
begin = 31
end = 46

[JC_301]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1042]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1284]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2056
begin = 18
end = 29

[JC_452]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_261]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_188]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_729]
file = "HOME/lib/java_api/java/lang/System.java"
line = 768
begin = 23
end = 38

[JC_1029]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_632]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_630]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_570]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_501]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1209]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_int_String_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 316
begin = 11
end = 17

[JC_647]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 431
begin = 16
end = 21

[JC_250]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_942]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_391]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 318
begin = 17
end = 24

[JC_31]
file = "HOME/tests/java/Hello.jc"
line = 129
begin = 8
end = 22

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_401]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 57
begin = 16
end = 21

[cons_String_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 129
begin = 11
end = 17

[JC_172]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 89
begin = 16
end = 21

[JC_518]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_799]
file = "HOME/lib/java_api/java/lang/System.java"
line = 182
begin = 31
end = 38

[JC_1035]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_443]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/java/Hello.jc"
line = 125
begin = 11
end = 103

[JC_1006]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_480]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_416]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_189]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/tests/java/Hello.jc"
line = 157
begin = 11
end = 65

[JC_447]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 199
begin = 19
end = 27

[JC_1300]
file = "HOME/lib/java_api/java/lang/String.java"
line = 167
begin = 11
end = 17

[JC_582]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_983]
file = "HOME/lib/java_api/java/lang/System.java"
line = 857
begin = 32
end = 46

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_715]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_476]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_256]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1334]
file = "HOME/lib/java_api/java/lang/System.java"
line = 746
begin = 23
end = 25

[JC_982]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_717]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_385]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_1142]
file = "HOME/lib/java_api/java/lang/String.java"
line = 142
begin = 11
end = 17

[JC_1088]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_711]
file = "HOME/lib/java_api/java/lang/System.java"
line = 724
begin = 23
end = 27

[JC_767]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 277
begin = 17
end = 22

[JC_674]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_240]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/lib/java_api/java/lang/String.java"
line = 275
begin = 11
end = 17

[JC_222]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1230]
file = "HOME/lib/java_api/java/lang/String.java"
line = 881
begin = 19
end = 32

[JC_450]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 513
begin = 16
end = 23

[JC_345]
file = "HOME/lib/java_api/java/lang/System.java"
line = 146
begin = 23
end = 29

[JC_1157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Hello.jc"
line = 135
begin = 8
end = 31

[JC_573]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PrintStream_boolean_OutputStream_safety]
name = "Constructor of class PrintStream"
behavior = "Safety"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 67
begin = 12
end = 23

[JC_701]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_979]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_FilterOutputStream_OutputStream_ensures_default]
name = "Constructor of class FilterOutputStream"
behavior = "default behavior"
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 43
begin = 11
end = 29

[JC_496]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1211]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1017]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_811]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_219]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_273]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 43
begin = 11
end = 29

[JC_428]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_901]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_800]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_672]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_843]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_325]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_264]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1289]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_433]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2216
begin = 25
end = 32

[JC_601]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2285
begin = 25
end = 32

[JC_584]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_574]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_764]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1339]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_272]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_613]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_497]
file = "HOME/lib/java_api/java/lang/String.java"
line = 283
begin = 24
end = 35

[JC_1302]
file = "HOME/lib/java_api/java/lang/String.java"
line = 167
begin = 11
end = 17

[JC_1195]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1058]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1050]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1016]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_989]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_824]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1285]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_864]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_267]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_235]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1005]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1244]
file = "HOME/lib/java_api/java/io/OutputStream.java"
line = 115
begin = 16
end = 21

[JC_292]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1311]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1234]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_677]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_StringBuffer_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 403
begin = 11
end = 17

[JC_284]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1044]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1600
begin = 19
end = 26

[JC_503]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 403
begin = 16
end = 21

[JC_552]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_972]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_441]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1750
begin = 20
end = 25

[JC_962]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_549]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/Hello.jc"
line = 122
begin = 8
end = 33

[cons_String_int_int_charA_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 413
begin = 4
end = 10

[JC_407]
file = "HOME/lib/java_api/java/lang/System.java"
line = 843
begin = 23
end = 34

[JC_1040]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_238]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_947]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_910]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_669]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_488]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_378]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1085]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_531]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_383]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_1164]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2123
begin = 18
end = 29

[JC_872]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_849]
file = "HOME/lib/java_api/java/lang/String.java"
line = 316
begin = 11
end = 17

[JC_829]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_196]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_640]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_419]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_438]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/lib/java_api/java/lang/String.java"
line = 275
begin = 11
end = 17

[JC_814]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_374]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_487]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 59
begin = 16
end = 21

[JC_463]
file = "HOME/lib/java_api/java/lang/CharSequence.java"
line = 56
begin = 9
end = 15

[cons_String_String_safety]
name = "Constructor of class String"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/String.java"
line = 142
begin = 11
end = 17

[JC_776]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_337]
file = "HOME/lib/java_api/java/lang/String.java"
line = 427
begin = 15
end = 21

[JC_522]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1328]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_801]
file = "HOME/lib/java_api/java/lang/System.java"
line = 182
begin = 31
end = 38

[JC_649]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 431
begin = 16
end = 21

[JC_1114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1054]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 349
begin = 16
end = 21

[JC_887]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2092
begin = 18
end = 22

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1182]
file = "HOME/lib/java_api/java/lang/System.java"
line = 656
begin = 25
end = 36

[JC_607]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2257
begin = 25
end = 32

[JC_1149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1332]
file = "HOME/lib/java_api/java/lang/System.java"
line = 746
begin = 23
end = 25

[cons_PrintStream_OutputStream_boolean_String_ensures_default]
name = "Constructor of class PrintStream"
behavior = "default behavior"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 113
begin = 11
end = 22

[JC_603]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1290]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_541]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_269]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1082]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_525]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_785]
file = "HOME/lib/java_api/java/lang/System.java"
line = 575
begin = 25
end = 36

[JC_657]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1134
begin = 15
end = 22

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/Hello.jc"
line = 124
begin = 10
end = 18

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_175]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_797]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_545]
file = "HOME/lib/java_api/java/io/FilterOutputStream.java"
line = 138
begin = 16
end = 21

[JC_1213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_928]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_330]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Hello_safety]
name = "Constructor of class Hello"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1336]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_739]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_System_safety]
name = "Constructor of class System"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/System.java"
line = 44
begin = 12
end = 18

[JC_789]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_638]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_413]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_389]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_700]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1255]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_807]
file = "HOME/lib/java_api/java/lang/System.java"
line = 374
begin = 30
end = 39

[JC_512]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1293]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1081]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_855]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1506
begin = 18
end = 24

[JC_932]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_779]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_621]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_662]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1117]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_911]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1102
begin = 15
end = 22

[JC_35]
file = "HOME/tests/java/Hello.jc"
line = 132
begin = 11
end = 66

[JC_1315]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_908]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_469]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1304]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_946]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_856]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1325]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_263]
file = "HOME/lib/java_api/java/lang/String.java"
line = 481
begin = 16
end = 24

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1096]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_508]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_179]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_651]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_600]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_821]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_868]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_667]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1327]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_439]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1750
begin = 20
end = 25

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1179]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_878]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_String_byteA_int_ensures_default]
name = "Constructor of class String"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/String.java"
line = 275
begin = 11
end = 17

[JC_1021]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_751]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1020]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2228
begin = 25
end = 32

[JC_885]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_506]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1063]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_331]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_220]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_521]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1221
begin = 15
end = 22

[JC_747]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_529]
file = "HOME/lib/java_api/java/lang/String.java"
line = 371
begin = 11
end = 17

[JC_312]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_676]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_444]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_682]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1227]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1174]
file = "HOME/lib/java_api/java/lang/String.java"
line = 234
begin = 11
end = 17

[JC_755]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_750]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_631]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 417
begin = 16
end = 21

[JC_585]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2191
begin = 25
end = 36

[JC_703]
file = "HOME/lib/java_api/java/lang/String.java"
line = 413
begin = 4
end = 10

[JC_919]
file = "HOME/lib/java_api/java/lang/String.java"
line = 532
begin = 16
end = 24

[JC_431]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2216
begin = 25
end = 32

[JC_424]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_769]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 277
begin = 17
end = 22

[JC_562]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_679]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 361
begin = 16
end = 21

[JC_255]
file = "HOME/lib/java_api/java/lang/String.java"
line = 1414
begin = 18
end = 27

[JC_1151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_793]
file = "HOME/lib/java_api/java/lang/String.java"
line = 2152
begin = 25
end = 32

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_806]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1277]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1118]
file = "HOME/lib/java_api/java/lang/System.java"
line = 389
begin = 29
end = 45

[JC_1257]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_396]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_456]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_388]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_763]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_808]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1167]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_537]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 444
begin = 16
end = 21

[JC_535]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 444
begin = 16
end = 21

[JC_1037]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_837]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_725]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_239]
file = "HOME/lib/java_api/java/lang/String.java"
line = 572
begin = 18
end = 26

[JC_1019]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1272]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_351]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 121
begin = 17
end = 27

[JC_1221]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_PrintStream_OutputStream_boolean_String_safety]
name = "Constructor of class PrintStream"
behavior = "Safety"
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 113
begin = 11
end = 22

[JC_317]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_680]
file = "HOME/"
line = 0
begin = -1
end = -1

[Hello_main_safety]
name = "Method main"
behavior = "Safety"
file = "HOME/tests/java/Hello.java"
line = 34
begin = 23
end = 27

[JC_912]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1094]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 555
begin = 16
end = 23

[JC_1075]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_624]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_499]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_482]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_505]
file = "HOME/lib/java_api/java/io/PrintStream.java"
line = 403
begin = 16
end = 21

[JC_226]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Hello.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic FilterOutputStream_tag:  -> Object tag_id

logic OutputStream_tag:  -> Object tag_id

axiom FilterOutputStream_parenttag_OutputStream :
 parenttag(FilterOutputStream_tag, OutputStream_tag)

logic Hello_tag:  -> Object tag_id

axiom Hello_parenttag_Object : parenttag(Hello_tag, Object_tag)

logic InputStream_tag:  -> Object tag_id

axiom InputStream_parenttag_Object : parenttag(InputStream_tag, Object_tag)

predicate Non_null_Object(x_3:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_3), (0))

predicate Non_null_StringM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

predicate Non_null_byteM(x_2:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))

predicate Non_null_charM(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic OutputStreamWriter_tag:  -> Object tag_id

axiom OutputStreamWriter_parenttag_Object :
 parenttag(OutputStreamWriter_tag, Object_tag)

axiom OutputStream_parenttag_Object : parenttag(OutputStream_tag, Object_tag)

logic PrintStream_tag:  -> Object tag_id

axiom PrintStream_parenttag_FilterOutputStream :
 parenttag(PrintStream_tag, FilterOutputStream_tag)

logic StringBuffer_tag:  -> Object tag_id

axiom StringBuffer_parenttag_Object : parenttag(StringBuffer_tag, Object_tag)

logic StringM_tag:  -> Object tag_id

axiom StringM_parenttag_Object : parenttag(StringM_tag, Object_tag)

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic long_of_integer: int -> long

function String_serialVersionUID() : long =
 long_of_integer(neg_int((6849794470754667710)))

logic System_err:  -> Object pointer

logic System_in:  -> Object pointer

logic System_out:  -> Object pointer

logic System_tag:  -> Object tag_id

axiom System_parenttag_Object : parenttag(System_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic byteM_tag:  -> Object tag_id

axiom byteM_parenttag_Object : parenttag(byteM_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic charM_tag:  -> Object tag_id

axiom charM_parenttag_Object : parenttag(charM_tag, Object_tag)

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_OutputStream(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_FilterOutputStream(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_OutputStream(p, a, Object_alloc_table)

predicate left_valid_struct_Hello(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_InputStream(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_OutputStreamWriter(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_PrintStream(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_FilterOutputStream(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_StringBuffer(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_StringM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_System(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_byteM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_charM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_OutputStream(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_FilterOutputStream(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_OutputStream(p, b, Object_alloc_table)

predicate right_valid_struct_Hello(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_InputStream(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_OutputStreamWriter(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_PrintStream(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_FilterOutputStream(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_StringBuffer(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_StringM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_System(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_byteM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_charM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_OutputStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_FilterOutputStream(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_OutputStream(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Hello(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_InputStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_OutputStreamWriter(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrintStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_FilterOutputStream(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_StringBuffer(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_StringM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_System(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_byteM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_charM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_OutputStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_FilterOutputStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_OutputStream(p, a, b, Object_alloc_table)

predicate valid_struct_Hello(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_InputStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_OutputStreamWriter(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_PrintStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_FilterOutputStream(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_StringBuffer(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_StringM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_System(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_byteM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_charM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter CharSequence_charAt :
 this_39:Object pointer -> index:int32 -> { } char { true }

parameter CharSequence_charAt_requires :
 this_39:Object pointer -> index:int32 -> { } char { true }

parameter CharSequence_length : this_41:Object pointer -> { } int32 { true }

parameter CharSequence_length_requires :
 this_41:Object pointer -> { } int32 { true }

parameter CharSequence_subSequence :
 this_72:Object pointer ->
  start:int32 -> end_0:int32 -> { } Object pointer { true }

parameter CharSequence_subSequence_requires :
 this_72:Object pointer ->
  start:int32 -> end_0:int32 -> { } Object pointer { true }

parameter CharSequence_toString :
 this_77:Object pointer -> { } Object pointer { true }

parameter CharSequence_toString_requires :
 this_77:Object pointer -> { } Object pointer { true }

parameter Comparable_compareTo :
 this_28:Object pointer -> o:Object pointer -> { } int32 { true }

parameter Comparable_compareTo_requires :
 this_28:Object pointer -> o:Object pointer -> { } int32 { true }

exception Exception_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter FilterOutputStream_close :
 this_46:Object pointer -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_close_requires :
 this_46:Object pointer -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_flush :
 this_20:Object pointer -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_flush_requires :
 this_20:Object pointer -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_out : (Object, Object pointer) memory ref

parameter FilterOutputStream_write :
 this_73:Object pointer ->
  b_4:Object pointer ->
   off_0:int32 -> len_0:int32 -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_write_byteA :
 this_9:Object pointer ->
  b_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_write_byteA_requires :
 this_9:Object pointer ->
  b_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_write_int :
 this_42:Object pointer ->
  b_2:int32 -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_write_int_requires :
 this_42:Object pointer ->
  b_2:int32 -> { } unit reads Object_alloc_table { true }

parameter FilterOutputStream_write_requires :
 this_73:Object pointer ->
  b_4:Object pointer ->
   off_0:int32 -> len_0:int32 -> { } unit reads Object_alloc_table { true }

parameter Hello_main :
 argv:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Hello_main_requires :
 argv:Object pointer -> { } unit reads Object_alloc_table { true }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_clone :
 this_14:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_14:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_31:Object pointer ->
  obj_1:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_31:Object pointer ->
  obj_1:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_68:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_68:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_35:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_35:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_47:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_83:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_83:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_47:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_53:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_53:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_51:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_11:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_48:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_48:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_11:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_51:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_close :
 this_87:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_close_requires :
 this_87:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_flush :
 this_96:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_flush_requires :
 this_96:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_write :
 this_49:Object pointer ->
  b:int32 -> { } unit reads Object_alloc_table { true }

parameter OutputStream_write_byteA :
 this_33:Object pointer ->
  b_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_write_byteA_int_int :
 this_8:Object pointer ->
  b_1:Object pointer ->
   off:int32 -> len:int32 -> { } unit reads Object_alloc_table { true }

parameter OutputStream_write_byteA_int_int_requires :
 this_8:Object pointer ->
  b_1:Object pointer ->
   off:int32 -> len:int32 -> { } unit reads Object_alloc_table { true }

parameter OutputStream_write_byteA_requires :
 this_33:Object pointer ->
  b_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter OutputStream_write_requires :
 this_49:Object pointer ->
  b:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_autoFlush : (Object, bool) memory ref

parameter PrintStream_checkError :
 this_29:Object pointer -> { } bool reads Object_alloc_table { true }

parameter PrintStream_checkError_requires :
 this_29:Object pointer -> { } bool reads Object_alloc_table { true }

parameter PrintStream_close :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_close_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_closing : (Object, bool) memory ref

parameter PrintStream_ensureOpen :
 this_27:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_ensureOpen_requires :
 this_27:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_flush :
 this_81:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_flush_requires :
 this_81:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_init :
 this_16:Object pointer ->
  osw:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_init_requires :
 this_16:Object pointer ->
  osw:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_newLine :
 this_32:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_newLine_requires :
 this_32:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print :
 this_95:Object pointer ->
  obj:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_String :
 this_45:Object pointer ->
  s_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_String_requires :
 this_45:Object pointer ->
  s_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_boolean :
 this_80:Object pointer ->
  b_6:bool -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_boolean_requires :
 this_80:Object pointer ->
  b_6:bool -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_char :
 this_58:Object pointer ->
  c:char -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_charA :
 this_54:Object pointer ->
  s_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_charA_requires :
 this_54:Object pointer ->
  s_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_char_requires :
 this_58:Object pointer ->
  c:char -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_double :
 this_52:Object pointer ->
  d:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_double_requires :
 this_52:Object pointer ->
  d:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_float :
 this_43:Object pointer ->
  f:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_float_requires :
 this_43:Object pointer ->
  f:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_int :
 this_88:Object pointer ->
  i:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_int_requires :
 this_88:Object pointer ->
  i:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_long :
 this_70:Object pointer ->
  l:long -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_long_requires :
 this_70:Object pointer ->
  l:long -> { } unit reads Object_alloc_table { true }

parameter PrintStream_print_requires :
 this_95:Object pointer ->
  obj:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println :
 this_63:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_Object :
 this_23:Object pointer ->
  x_8_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_Object_requires :
 this_23:Object pointer ->
  x_8_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_String :
 this_34:Object pointer ->
  x_7_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_String_requires :
 this_34:Object pointer ->
  x_7_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_boolean :
 this_19:Object pointer ->
  x_0_0:bool -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_boolean_requires :
 this_19:Object pointer ->
  x_0_0:bool -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_char :
 this_30:Object pointer ->
  x_1_0:char -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_charA :
 this_76:Object pointer ->
  x_6_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_charA_requires :
 this_76:Object pointer ->
  x_6_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_char_requires :
 this_30:Object pointer ->
  x_1_0:char -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_double :
 this_84:Object pointer ->
  x_5_0:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_double_requires :
 this_84:Object pointer ->
  x_5_0:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_float :
 this_69:Object pointer ->
  x_4_0:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_float_requires :
 this_69:Object pointer ->
  x_4_0:real -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_int :
 this_10:Object pointer ->
  x_2_0:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_int_requires :
 this_10:Object pointer ->
  x_2_0:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_long :
 this_59:Object pointer ->
  x_3_0:long -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_long_requires :
 this_59:Object pointer ->
  x_3_0:long -> { } unit reads Object_alloc_table { true }

parameter PrintStream_println_requires :
 this_63:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_setError :
 this_37:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_setError_requires :
 this_37:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_trouble : (Object, bool) memory ref

parameter PrintStream_write_String :
 this_97:Object pointer ->
  s_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_String_requires :
 this_97:Object pointer ->
  s_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_byteA_int_int :
 this_102:Object pointer ->
  buf:Object pointer ->
   off_1:int32 -> len_1:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_byteA_int_int_requires :
 this_102:Object pointer ->
  buf:Object pointer ->
   off_1:int32 -> len_1:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_charA :
 this_62:Object pointer ->
  buf_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_charA_requires :
 this_62:Object pointer ->
  buf_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_int :
 this_98:Object pointer ->
  b_5:int32 -> { } unit reads Object_alloc_table { true }

parameter PrintStream_write_int_requires :
 this_98:Object pointer ->
  b_5:int32 -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

parameter StringM_StringP : (Object, Object pointer) memory ref

parameter String_charAt :
 this_13:Object pointer ->
  index_0:int32 -> { } char reads Object_alloc_table { true }

parameter String_charAt_requires :
 this_13:Object pointer ->
  index_0:int32 -> { } char reads Object_alloc_table { true }

parameter String_checkBounds :
 bytes:Object pointer ->
  offset_1:int32 -> length_0:int32 -> { } unit { true }

parameter String_checkBounds_requires :
 bytes:Object pointer ->
  offset_1:int32 -> length_0:int32 -> { } unit { true }

parameter String_compareToIgnoreCase :
 this_93:Object pointer ->
  str:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_compareToIgnoreCase_requires :
 this_93:Object pointer ->
  str:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_compareTo_Object :
 this_85:Object pointer ->
  o_0:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_compareTo_Object_requires :
 this_85:Object pointer ->
  o_0:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_compareTo_String :
 this_66:Object pointer ->
  anotherString_0:Object pointer ->
   { } int32 reads Object_alloc_table { true }

parameter String_compareTo_String_requires :
 this_66:Object pointer ->
  anotherString_0:Object pointer ->
   { } int32 reads Object_alloc_table { true }

parameter String_concat :
 this_67:Object pointer ->
  str_4:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter String_concat_requires :
 this_67:Object pointer ->
  str_4:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter String_contentEquals :
 this_65:Object pointer ->
  sb:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_contentEquals_requires :
 this_65:Object pointer ->
  sb:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_copyValueOf_charA :
 data_2:Object pointer -> { } Object pointer { true }

parameter String_copyValueOf_charA_int_int :
 data_1:Object pointer ->
  offset_6:int32 -> count_3:int32 -> { } Object pointer { true }

parameter String_copyValueOf_charA_int_int_requires :
 data_1:Object pointer ->
  offset_6:int32 -> count_3:int32 -> { } Object pointer { true }

parameter String_copyValueOf_charA_requires :
 data_2:Object pointer -> { } Object pointer { true }

parameter String_count : (Object, int32) memory ref

parameter String_endsWith :
 this_61:Object pointer ->
  suffix:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_endsWith_requires :
 this_61:Object pointer ->
  suffix:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_equals :
 this_24:Object pointer ->
  anObject:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_equalsIgnoreCase :
 this_22:Object pointer ->
  anotherString:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_equalsIgnoreCase_requires :
 this_22:Object pointer ->
  anotherString:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_equals_requires :
 this_24:Object pointer ->
  anObject:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_getBytes :
 this_82:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_getBytes_String :
 this_15:Object pointer ->
  charsetName_1:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter String_getBytes_String_requires :
 this_15:Object pointer ->
  charsetName_1:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter String_getBytes_int_int_byteA_int :
 this_75:Object pointer ->
  srcBegin_0:int32 ->
   srcEnd_0:int32 ->
    dst_0:Object pointer ->
     dstBegin_0:int32 -> { } unit reads Object_alloc_table { true }

parameter String_getBytes_int_int_byteA_int_requires :
 this_75:Object pointer ->
  srcBegin_0:int32 ->
   srcEnd_0:int32 ->
    dst_0:Object pointer ->
     dstBegin_0:int32 -> { } unit reads Object_alloc_table { true }

parameter String_getBytes_requires :
 this_82:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_getChars :
 this_18:Object pointer ->
  srcBegin:int32 ->
   srcEnd:int32 ->
    dst:Object pointer ->
     dstBegin:int32 -> { } unit reads Object_alloc_table { true }

parameter String_getChars_requires :
 this_18:Object pointer ->
  srcBegin:int32 ->
   srcEnd:int32 ->
    dst:Object pointer ->
     dstBegin:int32 -> { } unit reads Object_alloc_table { true }

parameter String_hash : (Object, int32) memory ref

parameter String_hashCode :
 this_101:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_hashCode_requires :
 this_101:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf :
 this_74:Object pointer ->
  ch:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_String :
 this_44:Object pointer ->
  str_0:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_String_int :
 this_21:Object pointer ->
  str_1:Object pointer ->
   fromIndex_1:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_String_int_requires :
 this_21:Object pointer ->
  str_1:Object pointer ->
   fromIndex_1:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_String_requires :
 this_44:Object pointer ->
  str_0:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_charA_int_int_charA_int_int_int :
 source:Object pointer ->
  sourceOffset:int32 ->
   sourceCount:int32 ->
    target:Object pointer ->
     targetOffset:int32 ->
      targetCount:int32 -> fromIndex_2:int32 -> { } int32 { true }

parameter String_indexOf_charA_int_int_charA_int_int_int_requires :
 source:Object pointer ->
  sourceOffset:int32 ->
   sourceCount:int32 ->
    target:Object pointer ->
     targetOffset:int32 ->
      targetCount:int32 -> fromIndex_2:int32 -> { } int32 { true }

parameter String_indexOf_int_int :
 this_55:Object pointer ->
  ch_0:int32 ->
   fromIndex:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_int_int_requires :
 this_55:Object pointer ->
  ch_0:int32 ->
   fromIndex:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_indexOf_requires :
 this_74:Object pointer ->
  ch:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_intern :
 this_90:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_intern_requires :
 this_90:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_lastIndexOf :
 this_91:Object pointer ->
  ch_1:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_String :
 this_50:Object pointer ->
  str_2:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_String_int :
 this_57:Object pointer ->
  str_3:Object pointer ->
   fromIndex_3:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_String_int_requires :
 this_57:Object pointer ->
  str_3:Object pointer ->
   fromIndex_3:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_String_requires :
 this_50:Object pointer ->
  str_2:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_charA_int_int_charA_int_int_int :
 source_0:Object pointer ->
  sourceOffset_0:int32 ->
   sourceCount_0:int32 ->
    target_0:Object pointer ->
     targetOffset_0:int32 ->
      targetCount_0:int32 -> fromIndex_4:int32 -> { } int32 { true }

parameter String_lastIndexOf_charA_int_int_charA_int_int_int_requires :
 source_0:Object pointer ->
  sourceOffset_0:int32 ->
   sourceCount_0:int32 ->
    target_0:Object pointer ->
     targetOffset_0:int32 ->
      targetCount_0:int32 -> fromIndex_4:int32 -> { } int32 { true }

parameter String_lastIndexOf_int_int :
 this_40:Object pointer ->
  ch_2:int32 ->
   fromIndex_0:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_int_int_requires :
 this_40:Object pointer ->
  ch_2:int32 ->
   fromIndex_0:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_lastIndexOf_requires :
 this_91:Object pointer ->
  ch_1:int32 -> { } int32 reads Object_alloc_table { true }

parameter String_length :
 this_26:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_length_requires :
 this_26:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter String_matches :
 this_79:Object pointer ->
  regex:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_matches_requires :
 this_79:Object pointer ->
  regex:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_offset : (Object, int32) memory ref

parameter String_regionMatches_boolean_int_String_int_int :
 this_100:Object pointer ->
  ignoreCase:bool ->
   toffset_0:int32 ->
    other_0:Object pointer ->
     ooffset_0:int32 ->
      len_3:int32 -> { } bool reads Object_alloc_table { true }

parameter String_regionMatches_boolean_int_String_int_int_requires :
 this_100:Object pointer ->
  ignoreCase:bool ->
   toffset_0:int32 ->
    other_0:Object pointer ->
     ooffset_0:int32 ->
      len_3:int32 -> { } bool reads Object_alloc_table { true }

parameter String_regionMatches_int_String_int_int :
 this_94:Object pointer ->
  toffset:int32 ->
   other:Object pointer ->
    ooffset:int32 ->
     len_2:int32 -> { } bool reads Object_alloc_table { true }

parameter String_regionMatches_int_String_int_int_requires :
 this_94:Object pointer ->
  toffset:int32 ->
   other:Object pointer ->
    ooffset:int32 ->
     len_2:int32 -> { } bool reads Object_alloc_table { true }

parameter String_replace :
 this_38:Object pointer ->
  oldChar:char ->
   newChar:char -> { } Object pointer reads Object_alloc_table { true }

parameter String_replaceAll :
 this_7:Object pointer ->
  regex_1:Object pointer ->
   replacement_0:Object pointer ->
    { } Object pointer reads Object_alloc_table { true }

parameter String_replaceAll_requires :
 this_7:Object pointer ->
  regex_1:Object pointer ->
   replacement_0:Object pointer ->
    { } Object pointer reads Object_alloc_table { true }

parameter String_replaceFirst :
 this_60:Object pointer ->
  regex_0:Object pointer ->
   replacement:Object pointer ->
    { } Object pointer reads Object_alloc_table { true }

parameter String_replaceFirst_requires :
 this_60:Object pointer ->
  regex_0:Object pointer ->
   replacement:Object pointer ->
    { } Object pointer reads Object_alloc_table { true }

parameter String_replace_requires :
 this_38:Object pointer ->
  oldChar:char ->
   newChar:char -> { } Object pointer reads Object_alloc_table { true }

parameter String_split_String :
 this_78:Object pointer ->
  regex_3:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter String_split_String_int :
 this_36:Object pointer ->
  regex_2:Object pointer ->
   limit:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_split_String_int_requires :
 this_36:Object pointer ->
  regex_2:Object pointer ->
   limit:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_split_String_requires :
 this_78:Object pointer ->
  regex_3:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter String_startsWith_String :
 this_92:Object pointer ->
  prefix_0:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_startsWith_String_int :
 this_64:Object pointer ->
  prefix:Object pointer ->
   toffset_1:int32 -> { } bool reads Object_alloc_table { true }

parameter String_startsWith_String_int_requires :
 this_64:Object pointer ->
  prefix:Object pointer ->
   toffset_1:int32 -> { } bool reads Object_alloc_table { true }

parameter String_startsWith_String_requires :
 this_92:Object pointer ->
  prefix_0:Object pointer -> { } bool reads Object_alloc_table { true }

parameter String_subSequence :
 this_86:Object pointer ->
  beginIndex_1:int32 ->
   endIndex_0:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_subSequence_requires :
 this_86:Object pointer ->
  beginIndex_1:int32 ->
   endIndex_0:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_substring_int :
 this_17:Object pointer ->
  beginIndex:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_substring_int_int :
 this_25:Object pointer ->
  beginIndex_0:int32 ->
   endIndex:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_substring_int_int_requires :
 this_25:Object pointer ->
  beginIndex_0:int32 ->
   endIndex:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_substring_int_requires :
 this_17:Object pointer ->
  beginIndex:int32 -> { } Object pointer reads Object_alloc_table { true }

parameter String_toCharArray :
 this_89:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toCharArray_requires :
 this_89:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toLowerCase :
 this_103:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toLowerCase_requires :
 this_103:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toString :
 this_56:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toString_requires :
 this_56:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toUpperCase :
 this_99:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_toUpperCase_requires :
 this_99:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_trim :
 this_71:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_trim_requires :
 this_71:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter String_value : (Object, Object pointer) memory ref

parameter String_valueOf : i_0:int32 -> { } Object pointer { true }

parameter String_valueOf_Object :
 obj_0:Object pointer -> { } Object pointer { true }

parameter String_valueOf_Object_requires :
 obj_0:Object pointer -> { } Object pointer { true }

parameter String_valueOf_boolean : b_7:bool -> { } Object pointer { true }

parameter String_valueOf_boolean_requires :
 b_7:bool -> { } Object pointer { true }

parameter String_valueOf_char : c_0:char -> { } Object pointer { true }

parameter String_valueOf_charA :
 data:Object pointer -> { } Object pointer { true }

parameter String_valueOf_charA_int_int :
 data_0:Object pointer ->
  offset_5:int32 -> count_2:int32 -> { } Object pointer { true }

parameter String_valueOf_charA_int_int_requires :
 data_0:Object pointer ->
  offset_5:int32 -> count_2:int32 -> { } Object pointer { true }

parameter String_valueOf_charA_requires :
 data:Object pointer -> { } Object pointer { true }

parameter String_valueOf_char_requires :
 c_0:char -> { } Object pointer { true }

parameter String_valueOf_double : d_0:real -> { } Object pointer { true }

parameter String_valueOf_double_requires :
 d_0:real -> { } Object pointer { true }

parameter String_valueOf_float : f_0:real -> { } Object pointer { true }

parameter String_valueOf_float_requires :
 f_0:real -> { } Object pointer { true }

parameter String_valueOf_long : l_0:long -> { } Object pointer { true }

parameter String_valueOf_long_requires :
 l_0:long -> { } Object pointer { true }

parameter String_valueOf_requires : i_0:int32 -> { } Object pointer { true }

parameter System_arraycopy :
 src:Object pointer ->
  srcPos:int32 ->
   dest:Object pointer -> destPos:int32 -> length:int32 -> { } unit { true }

parameter System_arraycopy_requires :
 src:Object pointer ->
  srcPos:int32 ->
   dest:Object pointer -> destPos:int32 -> length:int32 -> { } unit { true }

parameter System_checkIO : tt:unit -> { } unit { true }

parameter System_checkIO_requires : tt:unit -> { } unit { true }

parameter System_currentTimeMillis : tt:unit -> { } long { true }

parameter System_currentTimeMillis_requires : tt:unit -> { } long { true }

parameter System_exit : status:int32 -> { } unit { true }

parameter System_exit_requires : status:int32 -> { } unit { true }

parameter System_gc : tt:unit -> { } unit { true }

parameter System_gc_requires : tt:unit -> { } unit { true }

parameter System_getProperty_String :
 key:Object pointer -> { } Object pointer { true }

parameter System_getProperty_String_String :
 key_0:Object pointer -> def:Object pointer -> { } Object pointer { true }

parameter System_getProperty_String_String_requires :
 key_0:Object pointer -> def:Object pointer -> { } Object pointer { true }

parameter System_getProperty_String_requires :
 key:Object pointer -> { } Object pointer { true }

parameter System_getenv : name:Object pointer -> { } Object pointer { true }

parameter System_getenv_requires :
 name:Object pointer -> { } Object pointer { true }

parameter System_identityHashCode : x_11:Object pointer -> { } int32 { true }

parameter System_identityHashCode_requires :
 x_11:Object pointer -> { } int32 { true }

parameter System_initializeSystemClass : tt:unit -> { } unit { true }

parameter System_initializeSystemClass_requires :
 tt:unit -> { } unit { true }

parameter System_load : filename:Object pointer -> { } unit { true }

parameter System_loadLibrary : libname:Object pointer -> { } unit { true }

parameter System_loadLibrary_requires :
 libname:Object pointer -> { } unit { true }

parameter System_load_requires : filename:Object pointer -> { } unit { true }

parameter System_mapLibraryName :
 libname_0:Object pointer -> { } Object pointer { true }

parameter System_mapLibraryName_requires :
 libname_0:Object pointer -> { } Object pointer { true }

parameter System_nullInputStream : tt:unit -> { } Object pointer { true }

parameter System_nullInputStream_requires :
 tt:unit -> { } Object pointer { true }

parameter System_nullPrintStream : tt:unit -> { } Object pointer { true }

parameter System_nullPrintStream_requires :
 tt:unit -> { } Object pointer { true }

parameter System_registerNatives : tt:unit -> { } unit { true }

parameter System_registerNatives_requires : tt:unit -> { } unit { true }

parameter System_runFinalization : tt:unit -> { } unit { true }

parameter System_runFinalization_requires : tt:unit -> { } unit { true }

parameter System_runFinalizersOnExit : value_0:bool -> { } unit { true }

parameter System_runFinalizersOnExit_requires :
 value_0:bool -> { } unit { true }

parameter System_setErr : err:Object pointer -> { } unit { true }

parameter System_setErr0 : err_0:Object pointer -> { } unit { true }

parameter System_setErr0_requires : err_0:Object pointer -> { } unit { true }

parameter System_setErr_requires : err:Object pointer -> { } unit { true }

parameter System_setOut : out:Object pointer -> { } unit { true }

parameter System_setOut0 : out_0:Object pointer -> { } unit { true }

parameter System_setOut0_requires : out_0:Object pointer -> { } unit { true }

parameter System_setOut_requires : out:Object pointer -> { } unit { true }

parameter System_setProperty :
 key_1:Object pointer -> value:Object pointer -> { } Object pointer { true }

parameter System_setProperty_requires :
 key_1:Object pointer -> value:Object pointer -> { } Object pointer { true }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_FilterOutputStream :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_FilterOutputStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  FilterOutputStream_tag)))) }

parameter alloc_struct_FilterOutputStream_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_FilterOutputStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  FilterOutputStream_tag)))) }

parameter alloc_struct_Hello :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Hello(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Hello_tag)))) }

parameter alloc_struct_Hello_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Hello(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Hello_tag)))) }

parameter alloc_struct_InputStream :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_InputStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, InputStream_tag)))) }

parameter alloc_struct_InputStream_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_InputStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, InputStream_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_OutputStream :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_OutputStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, OutputStream_tag)))) }

parameter alloc_struct_OutputStreamWriter :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_OutputStreamWriter(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  OutputStreamWriter_tag)))) }

parameter alloc_struct_OutputStreamWriter_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_OutputStreamWriter(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  OutputStreamWriter_tag)))) }

parameter alloc_struct_OutputStream_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_OutputStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, OutputStream_tag)))) }

parameter alloc_struct_PrintStream :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrintStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrintStream_tag)))) }

parameter alloc_struct_PrintStream_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrintStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrintStream_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_StringBuffer :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_StringBuffer(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, StringBuffer_tag)))) }

parameter alloc_struct_StringBuffer_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_StringBuffer(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, StringBuffer_tag)))) }

parameter alloc_struct_StringM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_StringM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, StringM_tag)))) }

parameter alloc_struct_StringM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_StringM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, StringM_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_System :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_System(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, System_tag)))) }

parameter alloc_struct_System_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_System(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, System_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_byteM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_byteM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, byteM_tag)))) }

parameter alloc_struct_byteM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_byteM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, byteM_tag)))) }

parameter alloc_struct_charM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_charM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, charM_tag)))) }

parameter alloc_struct_charM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_charM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, charM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byteM_byteP : (Object, byte) memory ref

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter charM_charP : (Object, char) memory ref

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_FilterOutputStream_OutputStream :
 this_110:Object pointer ->
  out_1:Object pointer ->
   { } unit reads Object_alloc_table writes FilterOutputStream_out { true }

parameter cons_FilterOutputStream_OutputStream_requires :
 this_110:Object pointer ->
  out_1:Object pointer ->
   { } unit reads Object_alloc_table writes FilterOutputStream_out { true }

parameter cons_Hello :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Hello_requires :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object :
 this_112:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_112:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_OutputStream :
 this_115:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_OutputStream_requires :
 this_115:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_PrintStream_OutputStream :
 this_108:Object pointer ->
  out_2:Object pointer ->
   { } unit reads Object_alloc_table
   writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
   { true }

parameter cons_PrintStream_OutputStream_boolean :
 this_109:Object pointer ->
  out_4:Object pointer ->
   autoFlush_0:bool ->
    { } unit reads Object_alloc_table
    writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
    { true }

parameter cons_PrintStream_OutputStream_boolean_String :
 this_105:Object pointer ->
  out_5:Object pointer ->
   autoFlush_1:bool ->
    encoding:Object pointer ->
     { } unit reads Object_alloc_table
     writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
     { true }

parameter cons_PrintStream_OutputStream_boolean_String_requires :
 this_105:Object pointer ->
  out_5:Object pointer ->
   autoFlush_1:bool ->
    encoding:Object pointer ->
     { } unit reads Object_alloc_table
     writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
     { true }

parameter cons_PrintStream_OutputStream_boolean_requires :
 this_109:Object pointer ->
  out_4:Object pointer ->
   autoFlush_0:bool ->
    { } unit reads Object_alloc_table
    writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
    { true }

parameter cons_PrintStream_OutputStream_requires :
 this_108:Object pointer ->
  out_2:Object pointer ->
   { } unit reads Object_alloc_table
   writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
   { true }

parameter cons_PrintStream_boolean_OutputStream :
 this_113:Object pointer ->
  autoFlush:bool ->
   out_3:Object pointer ->
    { } unit reads Object_alloc_table
    writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
    { true }

parameter cons_PrintStream_boolean_OutputStream_requires :
 this_113:Object pointer ->
  autoFlush:bool ->
   out_3:Object pointer ->
    { } unit reads Object_alloc_table
    writes PrintStream_autoFlush,PrintStream_closing,PrintStream_trouble
    { true }

parameter cons_String :
 this_118:Object pointer ->
  { } unit reads Object_alloc_table
  writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_String :
 this_119:Object pointer ->
  original:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_StringBuffer :
 this_120:Object pointer ->
  buffer:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_StringBuffer_requires :
 this_120:Object pointer ->
  buffer:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_String_requires :
 this_119:Object pointer ->
  original:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA :
 this_106:Object pointer ->
  bytes_3:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_String :
 this_104:Object pointer ->
  bytes_1:Object pointer ->
   charsetName_0:Object pointer ->
    { } unit reads Object_alloc_table
    writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_String_requires :
 this_104:Object pointer ->
  bytes_1:Object pointer ->
   charsetName_0:Object pointer ->
    { } unit reads Object_alloc_table
    writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int :
 this_107:Object pointer ->
  ascii_0:Object pointer ->
   hibyte_0:int32 ->
    { } unit reads Object_alloc_table
    writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_int :
 this_111:Object pointer ->
  bytes_2:Object pointer ->
   offset_3:int32 ->
    length_2:int32 ->
     { } unit reads Object_alloc_table
     writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_int_String :
 this_116:Object pointer ->
  bytes_0:Object pointer ->
   offset_2:int32 ->
    length_1:int32 ->
     charsetName:Object pointer ->
      { } unit reads Object_alloc_table
      writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_int_String_requires :
 this_116:Object pointer ->
  bytes_0:Object pointer ->
   offset_2:int32 ->
    length_1:int32 ->
     charsetName:Object pointer ->
      { } unit reads Object_alloc_table
      writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_int_int :
 this_121:Object pointer ->
  ascii:Object pointer ->
   hibyte:int32 ->
    offset_0:int32 ->
     count_0:int32 ->
      { } unit reads Object_alloc_table
      writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_int_int_requires :
 this_121:Object pointer ->
  ascii:Object pointer ->
   hibyte:int32 ->
    offset_0:int32 ->
     count_0:int32 ->
      { } unit reads Object_alloc_table
      writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_int_requires :
 this_111:Object pointer ->
  bytes_2:Object pointer ->
   offset_3:int32 ->
    length_2:int32 ->
     { } unit reads Object_alloc_table
     writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_int_requires :
 this_107:Object pointer ->
  ascii_0:Object pointer ->
   hibyte_0:int32 ->
    { } unit reads Object_alloc_table
    writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_byteA_requires :
 this_106:Object pointer ->
  bytes_3:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_charA :
 this_123:Object pointer ->
  value_1:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_charA_int_int :
 this_117:Object pointer ->
  value_2:Object pointer ->
   offset:int32 ->
    count:int32 ->
     { } unit reads Object_alloc_table
     writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_charA_int_int_requires :
 this_117:Object pointer ->
  value_2:Object pointer ->
   offset:int32 ->
    count:int32 ->
     { } unit reads Object_alloc_table
     writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_charA_requires :
 this_123:Object pointer ->
  value_1:Object pointer ->
   { } unit reads Object_alloc_table
   writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_int_int_charA :
 this_114:Object pointer ->
  offset_4:int32 ->
   count_1:int32 ->
    value_3:Object pointer ->
     { } unit reads Object_alloc_table
     writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_int_int_charA_requires :
 this_114:Object pointer ->
  offset_4:int32 ->
   count_1:int32 ->
    value_3:Object pointer ->
     { } unit reads Object_alloc_table
     writes String_count,String_hash,String_offset,String_value { true }

parameter cons_String_requires :
 this_118:Object pointer ->
  { } unit reads Object_alloc_table
  writes String_count,String_hash,String_offset,String_value { true }

parameter cons_System :
 this_122:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_System_requires :
 this_122:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_StringM :
 x_5:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_5), (1)))))) }

parameter java_array_length_StringM_requires :
 x_5:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_5), (1)))))) }

parameter java_array_length_byteM :
 x_9:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_65:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_9), (1)))))) }

parameter java_array_length_byteM_requires :
 x_9:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_65:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_9), (1)))))) }

parameter java_array_length_charM :
 x_7:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_45:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_7), (1)))))) }

parameter java_array_length_charM_requires :
 x_7:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_45:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_7), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_10:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_78:
    (if result then (offset_max(Object_alloc_table, x_10) = (0))
     else (x_10 = null))) }

parameter non_null_Object_requires :
 x_10:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_78:
    (if result then (offset_max(Object_alloc_table, x_10) = (0))
     else (x_10 = null))) }

parameter non_null_StringM :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_4), neg_int((1)))
     else (x_4 = null))) }

parameter non_null_StringM_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_4), neg_int((1)))
     else (x_4 = null))) }

parameter non_null_byteM :
 x_8:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_55:
    (if result then ge_int(offset_max(Object_alloc_table, x_8), neg_int((1)))
     else (x_8 = null))) }

parameter non_null_byteM_requires :
 x_8:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_55:
    (if result then ge_int(offset_max(Object_alloc_table, x_8), neg_int((1)))
     else (x_8 = null))) }

parameter non_null_charM :
 x_6:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_35:
    (if result then ge_int(offset_max(Object_alloc_table, x_6), neg_int((1)))
     else (x_6 = null))) }

parameter non_null_charM_requires :
 x_6:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_35:
    (if result then ge_int(offset_max(Object_alloc_table, x_6), neg_int((1)))
     else (x_6 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Hello_main_ensures_default =
 fun (argv : Object pointer) ->
  { left_valid_struct_StringM(argv, (0), Object_alloc_table) }
  (init:
  try
   (K_1:
   begin
     (let _jessie_ = System_out in
     (let _jessie_ = (JC_1010: (any_string_0 void)) in
     (JC_1011: ((PrintStream_println_String _jessie_) _jessie_))));
    (raise Return) end) with Return -> void end) { (JC_1003: true) }

let Hello_main_safety =
 fun (argv : Object pointer) ->
  { left_valid_struct_StringM(argv, (0), Object_alloc_table) }
  (init:
  try
   (K_1:
   begin
     (let _jessie_ = System_out in
     (let _jessie_ = (JC_1007: (any_string_0_requires void)) in
     (JC_1009:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     (JC_1008:
     ((PrintStream_println_String_requires _jessie_) _jessie_))))));
    (raise Return) end) with Return -> void end) { true }

let cons_FilterOutputStream_OutputStream_ensures_default =
 fun (this_110 : Object pointer) (out_1 : Object pointer) ->
  { (left_valid_struct_OutputStream(out_1, (0), Object_alloc_table)
    and valid_struct_FilterOutputStream(this_110, (0), (0),
        Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_110 in
       (((safe_upd_ FilterOutputStream_out) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { (JC_275: true) }

let cons_FilterOutputStream_OutputStream_safety =
 fun (this_110 : Object pointer) (out_1 : Object pointer) ->
  { (left_valid_struct_OutputStream(out_1, (0), Object_alloc_table)
    and valid_struct_FilterOutputStream(this_110, (0), (0),
        Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_110 in
       (((safe_upd_ FilterOutputStream_out) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { true }

let cons_Hello_ensures_default =
 fun (this_6 : Object pointer) ->
  { valid_struct_Hello(this_6, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_83: true) }

let cons_Hello_safety =
 fun (this_6 : Object pointer) ->
  { valid_struct_Hello(this_6, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Object_ensures_default =
 fun (this_112 : Object pointer) ->
  { valid_struct_Object(this_112, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_555: true) }

let cons_Object_safety =
 fun (this_112 : Object pointer) ->
  { valid_struct_Object(this_112, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_OutputStream_ensures_default =
 fun (this_115 : Object pointer) ->
  { valid_struct_OutputStream(this_115, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_723: true) }

let cons_OutputStream_safety =
 fun (this_115 : Object pointer) ->
  { valid_struct_OutputStream(this_115, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_PrintStream_OutputStream_boolean_String_ensures_default =
 fun (this_105 : Object pointer) (out_5 : Object pointer) (autoFlush_1 : bool) (encoding : Object pointer) ->
  { (left_valid_struct_String(encoding, (0), Object_alloc_table)
    and (left_valid_struct_OutputStream(out_5, (0), Object_alloc_table)
        and valid_struct_PrintStream(this_105, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_105 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_105 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_105 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { (JC_107: true) }

let cons_PrintStream_OutputStream_boolean_String_safety =
 fun (this_105 : Object pointer) (out_5 : Object pointer) (autoFlush_1 : bool) (encoding : Object pointer) ->
  { (left_valid_struct_String(encoding, (0), Object_alloc_table)
    and (left_valid_struct_OutputStream(out_5, (0), Object_alloc_table)
        and valid_struct_PrintStream(this_105, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_105 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_105 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_105 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { true }

let cons_PrintStream_OutputStream_boolean_ensures_default =
 fun (this_109 : Object pointer) (out_4 : Object pointer) (autoFlush_0 : bool) ->
  { (left_valid_struct_OutputStream(out_4, (0), Object_alloc_table)
    and valid_struct_PrintStream(this_109, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_109 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_109 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_109 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { (JC_203: true) }

let cons_PrintStream_OutputStream_boolean_safety =
 fun (this_109 : Object pointer) (out_4 : Object pointer) (autoFlush_0 : bool) ->
  { (left_valid_struct_OutputStream(out_4, (0), Object_alloc_table)
    and valid_struct_PrintStream(this_109, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_109 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_109 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_109 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { true }

let cons_PrintStream_OutputStream_ensures_default =
 fun (this_108 : Object pointer) (out_2 : Object pointer) ->
  { (left_valid_struct_OutputStream(out_2, (0), Object_alloc_table)
    and valid_struct_PrintStream(this_108, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_108 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_108 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_108 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { (JC_163: true) }

let cons_PrintStream_OutputStream_safety =
 fun (this_108 : Object pointer) (out_2 : Object pointer) ->
  { (left_valid_struct_OutputStream(out_2, (0), Object_alloc_table)
    and valid_struct_PrintStream(this_108, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_108 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_108 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_108 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { true }

let cons_PrintStream_boolean_OutputStream_ensures_default =
 fun (this_113 : Object pointer) (autoFlush : bool) (out_3 : Object pointer) ->
  { (left_valid_struct_OutputStream(out_3, (0), Object_alloc_table)
    and valid_struct_PrintStream(this_113, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_113 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_113 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_113 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { (JC_699: true) }

let cons_PrintStream_boolean_OutputStream_safety =
 fun (this_113 : Object pointer) (autoFlush : bool) (out_3 : Object pointer) ->
  { (left_valid_struct_OutputStream(out_3, (0), Object_alloc_table)
    and valid_struct_PrintStream(this_113, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = false in
       (let _jessie_ = this_113 in
       (((safe_upd_ PrintStream_autoFlush) _jessie_) _jessie_)));
      (let _jessie_ = false in
      (let _jessie_ = this_113 in
      (((safe_upd_ PrintStream_trouble) _jessie_) _jessie_)));
      (let _jessie_ = false in
      begin
        (let _jessie_ = this_113 in
        (((safe_upd_ PrintStream_closing) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { true }

let cons_String_StringBuffer_ensures_default =
 fun (this_120 : Object pointer) (buffer : Object pointer) ->
  { (left_valid_struct_StringBuffer(buffer, (0), Object_alloc_table)
    and valid_struct_String(this_120, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_120 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_120 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_120 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_120 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_1160: true) }

let cons_String_StringBuffer_safety =
 fun (this_120 : Object pointer) (buffer : Object pointer) ->
  { (left_valid_struct_StringBuffer(buffer, (0), Object_alloc_table)
    and valid_struct_String(this_120, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_120 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_120 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_120 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_120 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }

let cons_String_String_ensures_default =
 fun (this_119 : Object pointer) (original : Object pointer) ->
  { (left_valid_struct_String(original, (0), Object_alloc_table)
    and valid_struct_String(this_119, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_119 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_119 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_119 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_119 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_1144: true) }

let cons_String_String_safety =
 fun (this_119 : Object pointer) (original : Object pointer) ->
  { (left_valid_struct_String(original, (0), Object_alloc_table)
    and valid_struct_String(this_119, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_119 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_119 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_119 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_119 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }

let cons_String_byteA_String_ensures_default =
 fun (this_104 : Object pointer) (bytes_1 : Object pointer) (charsetName_0 : Object pointer) ->
  { (left_valid_struct_String(charsetName_0, (0), Object_alloc_table)
    and (left_valid_struct_byteM(bytes_1, (0), Object_alloc_table)
        and valid_struct_String(this_104, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_104 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_104 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_104 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_104 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_99: true) }

let cons_String_byteA_String_safety =
 fun (this_104 : Object pointer) (bytes_1 : Object pointer) (charsetName_0 : Object pointer) ->
  { (left_valid_struct_String(charsetName_0, (0), Object_alloc_table)
    and (left_valid_struct_byteM(bytes_1, (0), Object_alloc_table)
        and valid_struct_String(this_104, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_104 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_104 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_104 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_104 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }

let cons_String_byteA_ensures_default =
 fun (this_106 : Object pointer) (bytes_3 : Object pointer) ->
  { (left_valid_struct_byteM(bytes_3, (0), Object_alloc_table)
    and valid_struct_String(this_106, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_106 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_106 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_106 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_106 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_139: true) }

let cons_String_byteA_int_ensures_default =
 fun (this_107 : Object pointer) (ascii_0 : Object pointer) (hibyte_0 : int32) ->
  { (left_valid_struct_byteM(ascii_0, (0), Object_alloc_table)
    and valid_struct_String(this_107, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_107 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_107 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_107 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_107 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_155: true) }

let cons_String_byteA_int_int_String_ensures_default =
 fun (this_116 : Object pointer) (bytes_0 : Object pointer) (offset_2 : int32) (length_1 : int32) (charsetName : Object pointer) ->
  { (left_valid_struct_String(charsetName, (0), Object_alloc_table)
    and (left_valid_struct_byteM(bytes_0, (0), Object_alloc_table)
        and valid_struct_String(this_116, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_116 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_116 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_116 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_116 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_851: true) }

let cons_String_byteA_int_int_String_safety =
 fun (this_116 : Object pointer) (bytes_0 : Object pointer) (offset_2 : int32) (length_1 : int32) (charsetName : Object pointer) ->
  { (left_valid_struct_String(charsetName, (0), Object_alloc_table)
    and (left_valid_struct_byteM(bytes_0, (0), Object_alloc_table)
        and valid_struct_String(this_116, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_116 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_116 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_116 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_116 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }

let cons_String_byteA_int_int_ensures_default =
 fun (this_111 : Object pointer) (bytes_2 : Object pointer) (offset_3 : int32) (length_2 : int32) ->
  { (left_valid_struct_byteM(bytes_2, (0), Object_alloc_table)
    and valid_struct_String(this_111, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_111 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_111 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_111 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_111 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_531: true) }

let cons_String_byteA_int_int_int_ensures_default =
 fun (this_121 : Object pointer) (ascii : Object pointer) (hibyte : int32) (offset_0 : int32) (count_0 : int32) ->
  { (left_valid_struct_byteM(ascii, (0), Object_alloc_table)
    and valid_struct_String(this_121, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_121 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_121 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_121 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_121 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_1176: true) }

let cons_String_byteA_int_int_int_safety =
 fun (this_121 : Object pointer) (ascii : Object pointer) (hibyte : int32) (offset_0 : int32) (count_0 : int32) ->
  { (left_valid_struct_byteM(ascii, (0), Object_alloc_table)
    and valid_struct_String(this_121, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_121 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_121 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_121 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_121 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }

let cons_String_byteA_int_int_safety =
 fun (this_111 : Object pointer) (bytes_2 : Object pointer) (offset_3 : int32) (length_2 : int32) ->
  { (left_valid_struct_byteM(bytes_2, (0), Object_alloc_table)
    and valid_struct_String(this_111, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_111 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_111 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_111 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_111 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }

let cons_String_byteA_int_safety =
 fun (this_107 : Object pointer) (ascii_0 : Object pointer) (hibyte_0 : int32) ->
  { (left_valid_struct_byteM(ascii_0, (0), Object_alloc_table)
    and valid_struct_String(this_107, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_107 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_107 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_107 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_107 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }

let cons_String_byteA_safety =
 fun (this_106 : Object pointer) (bytes_3 : Object pointer) ->
  { (left_valid_struct_byteM(bytes_3, (0), Object_alloc_table)
    and valid_struct_String(this_106, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_106 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_106 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_106 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_106 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }

let cons_String_charA_ensures_default =
 fun (this_123 : Object pointer) (value_1 : Object pointer) ->
  { (left_valid_struct_charM(value_1, (0), Object_alloc_table)
    and valid_struct_String(this_123, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_123 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_123 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_123 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_123 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_1304: true) }

let cons_String_charA_int_int_ensures_default =
 fun (this_117 : Object pointer) (value_2 : Object pointer) (offset : int32) (count : int32) ->
  { (left_valid_struct_charM(value_2, (0), Object_alloc_table)
    and valid_struct_String(this_117, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_117 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_117 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_117 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_117 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_995: true) }

let cons_String_charA_int_int_safety =
 fun (this_117 : Object pointer) (value_2 : Object pointer) (offset : int32) (count : int32) ->
  { (left_valid_struct_charM(value_2, (0), Object_alloc_table)
    and valid_struct_String(this_117, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_117 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_117 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_117 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_117 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }

let cons_String_charA_safety =
 fun (this_123 : Object pointer) (value_1 : Object pointer) ->
  { (left_valid_struct_charM(value_1, (0), Object_alloc_table)
    and valid_struct_String(this_123, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_123 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_123 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_123 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_123 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }

let cons_String_ensures_default =
 fun (this_118 : Object pointer) ->
  { valid_struct_String(this_118, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_118 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_118 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_118 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_118 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_1040: true) }

let cons_String_int_int_charA_ensures_default =
 fun (this_114 : Object pointer) (offset_4 : int32) (count_1 : int32) (value_3 : Object pointer) ->
  { (left_valid_struct_charM(value_3, (0), Object_alloc_table)
    and valid_struct_String(this_114, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_114 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_114 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_114 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_114 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_707: true) }

let cons_String_int_int_charA_safety =
 fun (this_114 : Object pointer) (offset_4 : int32) (count_1 : int32) (value_3 : Object pointer) ->
  { (left_valid_struct_charM(value_3, (0), Object_alloc_table)
    and valid_struct_String(this_114, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_114 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_114 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_114 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_114 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }

let cons_String_safety =
 fun (this_118 : Object pointer) ->
  { valid_struct_String(this_118, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_118 in
       (((safe_upd_ String_value) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_118 in
      (((safe_upd_ String_offset) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      (let _jessie_ = this_118 in
      (((safe_upd_ String_count) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_118 in
        (((safe_upd_ String_hash) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }

let cons_System_ensures_default =
 fun (this_122 : Object pointer) ->
  { valid_struct_System(this_122, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_1256: true) }

let cons_System_safety =
 fun (this_122 : Object pointer) ->
  { valid_struct_System(this_122, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Hello.why
========== file tests/java/why/Hello.wpr ==========

  
    
    
    
      
      
    
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  

========== file tests/java/why/Hello_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic FilterOutputStream_tag : Object tag_id

logic OutputStream_tag : Object tag_id

axiom FilterOutputStream_parenttag_OutputStream:
  parenttag(FilterOutputStream_tag, OutputStream_tag)

logic Hello_tag : Object tag_id

axiom Hello_parenttag_Object: parenttag(Hello_tag, Object_tag)

logic InputStream_tag : Object tag_id

axiom InputStream_parenttag_Object: parenttag(InputStream_tag, Object_tag)

predicate Non_null_Object(x_3: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_3) >= 0)

predicate Non_null_StringM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

predicate Non_null_byteM(x_2: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_2) >= (-1))

predicate Non_null_charM(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic OutputStreamWriter_tag : Object tag_id

axiom OutputStreamWriter_parenttag_Object: parenttag(OutputStreamWriter_tag,
  Object_tag)

axiom OutputStream_parenttag_Object: parenttag(OutputStream_tag, Object_tag)

logic PrintStream_tag : Object tag_id

axiom PrintStream_parenttag_FilterOutputStream: parenttag(PrintStream_tag,
  FilterOutputStream_tag)

logic StringBuffer_tag : Object tag_id

axiom StringBuffer_parenttag_Object: parenttag(StringBuffer_tag, Object_tag)

logic StringM_tag : Object tag_id

axiom StringM_parenttag_Object: parenttag(StringM_tag, Object_tag)

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic long_of_integer : int -> long

function String_serialVersionUID() : long =
  long_of_integer((-6849794470754667710))

logic System_err : Object pointer

logic System_in : Object pointer

logic System_out : Object pointer

logic System_tag : Object tag_id

axiom System_parenttag_Object: parenttag(System_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic byteM_tag : Object tag_id

axiom byteM_parenttag_Object: parenttag(byteM_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic charM_tag : Object tag_id

axiom charM_parenttag_Object: parenttag(charM_tag, Object_tag)

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_OutputStream(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_FilterOutputStream(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_OutputStream(p,
  a, Object_alloc_table)

predicate left_valid_struct_Hello(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_InputStream(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_OutputStreamWriter(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_PrintStream(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) =
  left_valid_struct_FilterOutputStream(p, a, Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_StringBuffer(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_StringM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_System(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_byteM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_charM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_OutputStream(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_FilterOutputStream(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) =
  right_valid_struct_OutputStream(p, b, Object_alloc_table)

predicate right_valid_struct_Hello(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_InputStream(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_OutputStreamWriter(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_PrintStream(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) =
  right_valid_struct_FilterOutputStream(p, b, Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_StringBuffer(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_StringM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_System(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_byteM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_charM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_OutputStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_FilterOutputStream(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_OutputStream(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Hello(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_InputStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_OutputStreamWriter(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrintStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  strict_valid_struct_FilterOutputStream(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_StringBuffer(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_StringM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_System(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_byteM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_charM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_OutputStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_FilterOutputStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_OutputStream(p, a,
  b, Object_alloc_table)

predicate valid_struct_Hello(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_InputStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_OutputStreamWriter(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_PrintStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  valid_struct_FilterOutputStream(p, a, b, Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_StringBuffer(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_StringM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_System(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_byteM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_charM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Hello_po1.why ==========
goal Hello_main_safety_po_1:
  forall argv:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_StringM(argv, 0, Object_alloc_table) ->
  (offset_max(Object_alloc_table, System_out) >= 0)

========== generation of Simplify VC output ==========
why -simplify [...] why/Hello.why
========== file tests/java/simplify/Hello_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom FilterOutputStream_parenttag_OutputStream
 (EQ (parenttag FilterOutputStream_tag OutputStream_tag) |@true|))

(BG_PUSH
 ;; Why axiom Hello_parenttag_Object
 (EQ (parenttag Hello_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom InputStream_parenttag_Object
 (EQ (parenttag InputStream_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_3 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_3) 0))

(DEFPRED (Non_null_StringM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(DEFPRED (Non_null_byteM x_2 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_2) (- 0 1)))

(DEFPRED (Non_null_charM x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom OutputStreamWriter_parenttag_Object
 (EQ (parenttag OutputStreamWriter_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom OutputStream_parenttag_Object
 (EQ (parenttag OutputStream_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom PrintStream_parenttag_FilterOutputStream
 (EQ (parenttag PrintStream_tag FilterOutputStream_tag) |@true|))

(BG_PUSH
 ;; Why axiom StringBuffer_parenttag_Object
 (EQ (parenttag StringBuffer_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom StringM_parenttag_Object
 (EQ (parenttag StringM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom String_serialVersionUID_def
 (EQ String_serialVersionUID
 (long_of_integer (- 0 constant_too_large_6849794470754667710))))

(BG_PUSH
 ;; Why axiom System_parenttag_Object
 (EQ (parenttag System_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byteM_parenttag_Object
 (EQ (parenttag byteM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom charM_parenttag_Object
 (EQ (parenttag charM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_OutputStream p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_FilterOutputStream p a Object_alloc_table)
  (left_valid_struct_OutputStream p a Object_alloc_table))

(DEFPRED (left_valid_struct_Hello p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_InputStream p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_OutputStreamWriter p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_PrintStream p a Object_alloc_table)
  (left_valid_struct_FilterOutputStream p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_StringBuffer p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_StringM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_System p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_byteM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_charM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_OutputStream p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_FilterOutputStream p b Object_alloc_table)
  (right_valid_struct_OutputStream p b Object_alloc_table))

(DEFPRED (right_valid_struct_Hello p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_InputStream p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_OutputStreamWriter p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_PrintStream p b Object_alloc_table)
  (right_valid_struct_FilterOutputStream p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_StringBuffer p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_StringM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_System p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_byteM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_charM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_OutputStream p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_FilterOutputStream p a b Object_alloc_table)
  (strict_valid_struct_OutputStream p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Hello p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_InputStream p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_OutputStreamWriter p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_PrintStream p a b Object_alloc_table)
  (strict_valid_struct_FilterOutputStream p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_StringBuffer p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_StringM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_System p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_byteM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_charM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_OutputStream p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_FilterOutputStream p a b Object_alloc_table)
  (valid_struct_OutputStream p a b Object_alloc_table))

(DEFPRED (valid_struct_Hello p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_InputStream p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_OutputStreamWriter p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_PrintStream p a b Object_alloc_table)
  (valid_struct_FilterOutputStream p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_StringBuffer p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_StringM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_System p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_byteM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_charM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Hello_main_safety_po_1, File "why/Hello.why", line 2411, characters 15-71
(FORALL (argv)
(FORALL (Object_alloc_table)
(IMPLIES (left_valid_struct_StringM argv 0 Object_alloc_table)
(>= (offset_max Object_alloc_table System_out) 0))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Hello_why.sx         : ? (0/0/1/0/0)
total   :   1
valid   :   0 (  0%)
invalid :   0 (  0%)
unknown :   1 (100%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Hello.why
========== file tests/java/why/Hello_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic FilterOutputStream_tag : Object tag_id

logic OutputStream_tag : Object tag_id

axiom FilterOutputStream_parenttag_OutputStream:
  parenttag(FilterOutputStream_tag, OutputStream_tag)

logic Hello_tag : Object tag_id

axiom Hello_parenttag_Object: parenttag(Hello_tag, Object_tag)

logic InputStream_tag : Object tag_id

axiom InputStream_parenttag_Object: parenttag(InputStream_tag, Object_tag)

predicate Non_null_Object(x_3: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_3) >= 0)

predicate Non_null_StringM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

predicate Non_null_byteM(x_2: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_2) >= (-1))

predicate Non_null_charM(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic OutputStreamWriter_tag : Object tag_id

axiom OutputStreamWriter_parenttag_Object: parenttag(OutputStreamWriter_tag,
  Object_tag)

axiom OutputStream_parenttag_Object: parenttag(OutputStream_tag, Object_tag)

logic PrintStream_tag : Object tag_id

axiom PrintStream_parenttag_FilterOutputStream: parenttag(PrintStream_tag,
  FilterOutputStream_tag)

logic StringBuffer_tag : Object tag_id

axiom StringBuffer_parenttag_Object: parenttag(StringBuffer_tag, Object_tag)

logic StringM_tag : Object tag_id

axiom StringM_parenttag_Object: parenttag(StringM_tag, Object_tag)

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic long_of_integer : int -> long

function String_serialVersionUID() : long =
  long_of_integer((-6849794470754667710))

logic System_err : Object pointer

logic System_in : Object pointer

logic System_out : Object pointer

logic System_tag : Object tag_id

axiom System_parenttag_Object: parenttag(System_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic byteM_tag : Object tag_id

axiom byteM_parenttag_Object: parenttag(byteM_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic charM_tag : Object tag_id

axiom charM_parenttag_Object: parenttag(charM_tag, Object_tag)

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_OutputStream(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_FilterOutputStream(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_OutputStream(p,
  a, Object_alloc_table)

predicate left_valid_struct_Hello(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_InputStream(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_OutputStreamWriter(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_PrintStream(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) =
  left_valid_struct_FilterOutputStream(p, a, Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_StringBuffer(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_StringM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_System(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_byteM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_charM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_OutputStream(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_FilterOutputStream(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) =
  right_valid_struct_OutputStream(p, b, Object_alloc_table)

predicate right_valid_struct_Hello(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_InputStream(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_OutputStreamWriter(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_PrintStream(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) =
  right_valid_struct_FilterOutputStream(p, b, Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_StringBuffer(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_StringM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_System(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_byteM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_charM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_OutputStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_FilterOutputStream(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_OutputStream(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Hello(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_InputStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_OutputStreamWriter(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrintStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  strict_valid_struct_FilterOutputStream(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_StringBuffer(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_StringM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_System(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_byteM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_charM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_OutputStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_FilterOutputStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_OutputStream(p, a,
  b, Object_alloc_table)

predicate valid_struct_Hello(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_InputStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_OutputStreamWriter(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_PrintStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  valid_struct_FilterOutputStream(p, a, b, Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_StringBuffer(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_StringM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_System(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_byteM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_charM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Hello_main_safety_po_1:
  forall argv:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_StringM(argv, 0, Object_alloc_table) ->
  (offset_max(Object_alloc_table, System_out) >= 0)

why-2.34/tests/java/oracle/MullerTheory.err.oracle0000644000175000017500000000000012311670312020544 0ustar  rtuserswhy-2.34/tests/java/oracle/Fresh.res.oracle0000644000175000017500000046323112311670312017204 0ustar  rtusers========== file tests/java/Fresh.java ==========


class Fresh {

    /*@ allocates \result;
      @ ensures \fresh(\result);
      @*/
    static Fresh create() {
        return new Fresh ();
    }

    void test () {
        Fresh f = create ();
        //@ assert this != f;
    }
}




/*
Local Variables:
compile-command: "make Fresh.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Fresh for constructor Fresh
Generating JC function Fresh_create for method Fresh.create
Generating JC function Fresh_test for method Fresh.test
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_equals for method Object.equals
Generating JC function Object_wait for method Object.wait
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long for method Object.wait
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_registerNatives for method Object.registerNatives
Done.
========== file tests/java/Fresh.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Fresh = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Fresh(! Fresh[0] this_2){()}

Fresh[0..] Fresh_create()
behavior default:
  allocates \result;
  ensures (K_1 : \fresh(\result));
{  
   (return 
   {  
      (var Fresh[0] this = (new Fresh[1]));
      
      {  
         (var unit _tt = cons_Fresh(this));
         this
      }
   })
}

unit Fresh_test(Fresh[0] this_0)
{  
   {  
      (var Fresh[0..] f = (K_4 : Fresh_create()));
      (K_3 : 
      (assert (K_2 : (this_0 != f))))
   }
}

Object[0..] Object_clone(Object[0] this_3)
;

unit Object_notifyAll(Object[0] this_4)
;

int32 Object_hashCode(Object[0] this_5)
;

boolean Object_equals(Object[0] this_6, Object[0..] obj)
;

unit Object_wait(Object[0] this_7)
;

unit Object_notify(Object[0] this_8)
;

unit Object_wait_long(Object[0] this_9, long timeout)
;

String[0..] Object_toString(Object[0] this_10)
;

unit Object_wait_long_int(Object[0] this_11, long timeout_0, int32 nanos)
;

unit cons_Object(! Object[0] this_13){()}

unit Object_finalize(Object[0] this_12)
;

unit Object_registerNatives()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Fresh.jloc tests/java/Fresh.jc && make -f tests/java/Fresh.makefile gui"
End:
*/
========== file tests/java/Fresh.jloc ==========
[cons_Fresh]
name = "Constructor of class Fresh"
file = "HOME/"
line = 0
begin = -1
end = -1

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Fresh.java"
line = 6
begin = 16
end = 31

[K_4]
file = "HOME/tests/java/Fresh.java"
line = 13
begin = 18
end = 27

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_2]
file = "HOME/tests/java/Fresh.java"
line = 14
begin = 19
end = 28

[K_3]
file = "HOME/tests/java/Fresh.java"
line = 14
begin = 19
end = 28

[Fresh_test]
name = "Method test"
file = "HOME/tests/java/Fresh.java"
line = 12
begin = 9
end = 13

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[Fresh_create]
name = "Method create"
file = "HOME/tests/java/Fresh.java"
line = 8
begin = 17
end = 23

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

========== jessie execution ==========
Generating Why function cons_Fresh
Generating Why function Fresh_create
Generating Why function Fresh_test
Generating Why function cons_Object
========== file tests/java/Fresh.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Fresh.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Fresh.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Fresh_why.sx

project: why/Fresh.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Fresh_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Fresh_why.vo

coq/Fresh_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Fresh_why.v: why/Fresh.why
	@echo 'why -coq [...] why/Fresh.why' && $(WHY) $(JESSIELIBFILES) why/Fresh.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Fresh_ctx_why.vo
	for f in why/*_po*.why; do make -f Fresh.makefile coq/`basename $$f .why`_why.v ; done

coq/Fresh_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Fresh_ctx_why.v: why/Fresh_ctx.why
	@echo 'why -coq [...] why/Fresh_ctx.why' && $(WHY) why/Fresh_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Fresh_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Fresh_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Fresh_ctx_why.vo

pvs: pvs/Fresh_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Fresh_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Fresh_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Fresh_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Fresh_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Fresh_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Fresh_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Fresh_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Fresh_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Fresh_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Fresh_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Fresh_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Fresh_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Fresh_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Fresh_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Fresh.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Fresh_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Fresh.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Fresh.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Fresh.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Fresh.depend

depend: coq/Fresh_why.v
	-$(COQDEP) -I coq coq/Fresh*_why.v > Fresh.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Fresh.loc ==========
[JC_94]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/tests/java/Fresh.java"
line = 14
begin = 19
end = 28

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/Fresh.java"
line = 6
begin = 16
end = 31

[JC_17]
file = "HOME/tests/java/Fresh.jc"
line = 47
begin = 11
end = 65

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
kind = UserCall
file = "HOME/tests/java/Fresh.java"
line = 13
begin = 18
end = 27

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Fresh.jc"
line = 45
begin = 8
end = 23

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Fresh_ensures_default]
name = "Constructor of class Fresh"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Fresh.jc"
line = 45
begin = 8
end = 23

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
kind = IndexBounds
file = "HOME/tests/java/Fresh.jc"
line = 63
begin = 7
end = 41

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
kind = UserCall
file = "HOME/tests/java/Fresh.jc"
line = 66
begin = 25
end = 41

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/java/Fresh.java"
line = 12
begin = 9
end = 13

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
kind = AllocSize
file = "HOME/tests/java/Fresh.jc"
line = 63
begin = 28
end = 40

[JC_132]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_27]
file = "HOME/tests/java/Fresh.java"
line = 8
begin = 17
end = 23

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
kind = AllocSize
file = "HOME/tests/java/Fresh.jc"
line = 63
begin = 28
end = 40

[Fresh_create_safety]
name = "Method create"
behavior = "Safety"
file = "HOME/tests/java/Fresh.java"
line = 8
begin = 17
end = 23

[Fresh_test_safety]
name = "Method test"
behavior = "Safety"
file = "HOME/tests/java/Fresh.java"
line = 12
begin = 9
end = 13

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Fresh.java"
line = 12
begin = 9
end = 13

[JC_110]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Fresh.java"
line = 6
begin = 16
end = 31

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh_create_ensures_default]
name = "Method create"
behavior = "default behavior"
file = "HOME/tests/java/Fresh.java"
line = 8
begin = 17
end = 23

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_29]
file = "HOME/tests/java/Fresh.java"
line = 8
begin = 17
end = 23

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/java/Fresh.java"
line = 14
begin = 19
end = 28

[JC_1]
file = "HOME/tests/java/Fresh.jc"
line = 20
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_37]
kind = UserCall
file = "HOME/tests/java/Fresh.jc"
line = 66
begin = 25
end = 41

[JC_142]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Fresh.jc"
line = 47
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Fresh.jc"
line = 20
begin = 12
end = 22

[JC_92]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_86]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_60]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Fresh_safety]
name = "Constructor of class Fresh"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[Fresh_test_ensures_default]
name = "Method test"
behavior = "default behavior"
file = "HOME/tests/java/Fresh.java"
line = 12
begin = 9
end = 13

[JC_50]
kind = UserCall
file = "HOME/tests/java/Fresh.java"
line = 13
begin = 18
end = 27

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Fresh.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Fresh_tag:  -> Object tag_id

axiom Fresh_parenttag_Object : parenttag(Fresh_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Fresh(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Fresh(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Fresh(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Fresh(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

parameter Fresh_create :
 tt:unit ->
  { } Object pointer reads Object_alloc_table
  writes Object_alloc_table,Object_tag_table
  { (JC_32: (not valid(Object_alloc_table@, result))) }

parameter Fresh_create_requires :
 tt:unit ->
  { } Object pointer reads Object_alloc_table
  writes Object_alloc_table,Object_tag_table
  { (JC_32: (not valid(Object_alloc_table@, result))) }

parameter Fresh_test :
 this_0:Object pointer ->
  { } unit reads Object_alloc_table
  writes Object_alloc_table,Object_tag_table { true }

parameter Fresh_test_requires :
 this_0:Object pointer ->
  { } unit reads Object_alloc_table
  writes Object_alloc_table,Object_tag_table { true }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_clone :
 this_3:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_3:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_6:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_6:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_5:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_5:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_toString :
 this_10:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_10:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_9:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_11:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_11:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_9:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Fresh :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fresh(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fresh_tag)))) }

parameter alloc_struct_Fresh_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fresh(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fresh_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Fresh :
 this_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Fresh_requires :
 this_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Fresh_create_ensures_default =
 fun (tt : unit) ->
  { (JC_30: true) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (return := (let this =
                (JC_38:
                (((alloc_struct_Fresh (1)) Object_alloc_table) Object_tag_table)) in
                (let _tt =
                (let _jessie_ = this in (JC_39: (cons_Fresh _jessie_))) in
                this))); (raise Return); absurd  end with Return ->
   !return end)) { (JC_31: (not valid(Object_alloc_table@, result))) }

let Fresh_create_safety =
 fun (tt : unit) ->
  { (JC_30: true) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (return := (let this =
                (let _jessie_ =
                (JC_35:
                (((alloc_struct_Fresh_requires (1)) Object_alloc_table) Object_tag_table)) in
                (JC_36:
                (assert
                { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
                _jessie_))) in
                (let _tt =
                (let _jessie_ = this in
                (JC_37: (cons_Fresh_requires _jessie_))) in this)));
    (raise Return); absurd  end with Return -> !return end)) { true }

let Fresh_test_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Fresh(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let f = (K_4: (JC_50: (Fresh_create void))) in
     (K_3: (assert { (JC_51: (this_0 <> f)) }; void))); (raise Return) end
   with Return -> void end) { (JC_44: true) }

let Fresh_test_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Fresh(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let f = (K_4: (JC_48: (Fresh_create_requires void))) in
     (K_3: [ { } unit { (JC_49: (this_0 <> f)) } ])); (raise Return) end with
   Return -> void end) { true }

let cons_Fresh_ensures_default =
 fun (this_2 : Object pointer) ->
  { valid_struct_Fresh(this_2, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_Fresh_safety =
 fun (this_2 : Object pointer) ->
  { valid_struct_Fresh(this_2, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Object_ensures_default =
 fun (this_13 : Object pointer) ->
  { valid_struct_Object(this_13, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_128: true) }

let cons_Object_safety =
 fun (this_13 : Object pointer) ->
  { valid_struct_Object(this_13, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Fresh.why
========== file tests/java/why/Fresh.wpr ==========

  
    
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  

========== file tests/java/why/Fresh_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Fresh_tag : Object tag_id

axiom Fresh_parenttag_Object: parenttag(Fresh_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Fresh(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Fresh(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Fresh(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Fresh(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Fresh_po1.why ==========
goal Fresh_create_ensures_default_po_1:
  forall Object_alloc_table:Object alloc_table.
  ("JC_30": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh_tag)))) ->
  forall return:Object pointer.
  (return = result) ->
  ("JC_31": (not valid(Object_alloc_table, return)))

========== file tests/java/why/Fresh_po2.why ==========
goal Fresh_create_safety_po_1:
  ("JC_30": true) ->
  (1 >= 0)

========== file tests/java/why/Fresh_po3.why ==========
goal Fresh_create_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_30": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

========== file tests/java/why/Fresh_po4.why ==========
goal Fresh_test_ensures_default_po_1:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh(this_0, 0, 0, Object_alloc_table) ->
  forall result:Object pointer.
  ("JC_32": (not valid(Object_alloc_table, result))) ->
  ("JC_51": (this_0 <> result))

========== generation of Simplify VC output ==========
why -simplify [...] why/Fresh.why
========== file tests/java/simplify/Fresh_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Fresh_parenttag_Object
 (EQ (parenttag Fresh_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Fresh p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Fresh p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Fresh p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Fresh p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Fresh_create_ensures_default_po_1, File "HOME/tests/java/Fresh.java", line 6, characters 16-31
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Fresh result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Fresh_tag))))
(FORALL (return)
(IMPLIES (EQ return result) (NOT (valid Object_alloc_table return))))))))))

;; Fresh_create_safety_po_1, File "HOME/tests/java/Fresh.jc", line 63, characters 28-40
(IMPLIES TRUE (>= 1 0))

;; Fresh_create_safety_po_2, File "why/Fresh.why", line 664, characters 18-72
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Fresh result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Fresh_tag))))
(>= (offset_max Object_alloc_table0 result) 0))))))))

;; Fresh_test_ensures_default_po_1, File "HOME/tests/java/Fresh.java", line 14, characters 19-28
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Fresh this_0 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (NOT (valid Object_alloc_table result)) (NEQ this_0 result))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Fresh_why.sx         : ?... (3/0/1/0/0)
total   :   4
valid   :   3 ( 75%)
invalid :   0 (  0%)
unknown :   1 ( 25%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Fresh.why
========== file tests/java/why/Fresh_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Fresh_tag : Object tag_id

axiom Fresh_parenttag_Object: parenttag(Fresh_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Fresh(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Fresh(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Fresh(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Fresh(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Fresh_create_ensures_default_po_1:
  forall Object_alloc_table:Object alloc_table.
  ("JC_30": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh_tag)))) ->
  forall return:Object pointer.
  (return = result) ->
  ("JC_31": (not valid(Object_alloc_table, return)))

goal Fresh_create_safety_po_1:
  ("JC_30": true) ->
  (1 >= 0)

goal Fresh_create_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_30": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

goal Fresh_test_ensures_default_po_1:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh(this_0, 0, 0, Object_alloc_table) ->
  forall result:Object pointer.
  ("JC_32": (not valid(Object_alloc_table, result))) ->
  ("JC_51": (this_0 <> result))

why-2.34/tests/java/oracle/Isqrt.err.oracle0000644000175000017500000000000012311670312017213 0ustar  rtuserswhy-2.34/tests/java/oracle/Fresh.err.oracle0000644000175000017500000000000012311670312017160 0ustar  rtuserswhy-2.34/tests/java/oracle/BinarySearch.res.oracle0000644000175000017500000156756712311670312020531 0ustar  rtusers========== file tests/java/BinarySearch.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY this tells regtests to run Simplify in this example

//+ CheckArithOverflow = yes

/* lemma mean_property1 :
  @   \forall integer x y; x <= y ==> x <= (x+y)/2 <= y;
  @*/

/* lemma mean_property2 :
  @   \forall integer x y; x <= y ==> x <= x+(y-x)/2 <= y;
  @*/

/* lemma div2_property :
  @   \forall integer x; 0 <= x ==> 0 <= x/2 <= x;
  @*/

/*@ predicate is_sorted{L}(int[] t) =
  @   t != null &&
  @   \forall integer i j;
  @     0 <= i && i <= j && j < t.length ==> t[i] <= t[j] ;
  @*/


class BinarySearch {

    /* binary_search(t,v) search for element v in array t
       between index 0 and t.length-1
       array t is assumed to be sorted in increasing order
       returns an index i between 0 and t.length-1 where t[i] equals v,
       or -1 if no element in t is equal to v
    */

    /*@ requires t != null;
      @ ensures -1 <= \result < t.length;
      @ behavior success:
      @   ensures \result >= 0 ==> t[\result] == v;
      @ behavior failure:
      @  assumes is_sorted(t);
      @  // assumes
      @  //   \forall integer k1 k2;
      @  //      0 <= k1 <= k2 <= t.length-1 ==> t[k1] <= t[k2];
      @  ensures \result == -1 ==>
      @    \forall integer k; 0 <= k < t.length ==> t[k] != v;
      @*/
    static int binary_search(int t[], int v) {
	int l = 0, u = t.length - 1;
	/*@ loop_invariant
	  @   0 <= l && u <= t.length - 1;
	  @ for failure:
	  @  loop_invariant
	  @    \forall integer k; 0 <= k < t.length ==> t[k] == v ==> l <= k <= u;
	  @ loop_variant
	  @   u-l ;
	  @*/
	while (l <= u ) {
	    int m;
            m = (u + l) / 2;
            // fix: m = l + (u - l) / 2;
            // the following assertion helps provers
            //@ assert l <= m <= u;
	    if (t[m] < v) l = m + 1;
	    else if (t[m] > v) u = m - 1;
	    else return m;
	}
	return -1;
    }

}

/*
Local Variables:
compile-command: "make BinarySearch.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_BinarySearch for constructor BinarySearch
Generating JC function BinarySearch_binary_search for method BinarySearch.binary_search
Done.
========== file tests/java/BinarySearch.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag BinarySearch = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate is_sorted{L}(intM[0..] t) =
(Non_null_intM(t) &&
  (\forall integer i;
    (\forall integer j;
      ((((0 <= i) && (i <= j)) && (j < (\offset_max(t) + 1))) ==>
        ((t + i).intP <= (t + j).intP)))))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_BinarySearch(! BinarySearch[0] this_0){()}

int32 BinarySearch_binary_search(intM[0..] t_0, int32 v)
  requires (K_6 : Non_null_intM(t_0));
behavior default:
  ensures (K_3 : ((K_2 : ((- 1) <= \result)) &&
                   (K_1 : (\result < (\offset_max(t_0) + 1)))));
behavior success:
  ensures (K_4 : ((\result >= 0) ==> ((t_0 + \result).intP == v)));
behavior failure:
  assumes is_sorted{Here}(t_0);
  ensures (K_5 : ((\result == (- 1)) ==>
                   (\forall integer k;
                     (((0 <= k) && (k < (\offset_max(t_0) + 1))) ==>
                       ((t_0 + k).intP != v)))));
{  
   {  
      (var int32 l = (K_28 : 0));
      
      {  
         (var int32 u = (K_27 : (((K_26 : java_array_length_intM(t_0)) - 1) :> int32)));
         
         {  
            loop 
            behavior default:
              invariant (K_9 : ((K_8 : (0 <= l)) &&
                                 (K_7 : (u <= ((\offset_max(t_0) + 1) - 1)))));
            behavior failure:
              invariant (K_10 : (\forall integer k_0;
                                  (((0 <= k_0) &&
                                     (k_0 < (\offset_max(t_0) + 1))) ==>
                                    (((t_0 + k_0).intP == v) ==>
                                      ((l <= k_0) && (k_0 <= u))))));
            variant (K_11 : (u - l));
            while ((K_24 : (l <= u)))
            {  
               {  
                  (var int32 m);
                  
                  {  (m = (K_13 : (((K_12 : ((u + l) :> int32)) / 2) :> int32)));
                     (K_17 : 
                     (assert (K_16 : ((K_15 : (l <= m)) && (K_14 : (m <= u))))));
                     (if (K_23 : ((K_22 : (t_0 + m).intP) < v)) then (l = 
                     (K_21 : ((m + 1) :> int32))) else (if (K_20 : ((K_19 : 
                                                                    (t_0 +
                                                                    m).intP) >
                                                                    v)) then (u = 
                                                       (K_18 : ((m - 1) :> int32))) else 
                                                       (return m)))
                  }
               }
            };
            
            (return (K_25 : ((- 1) :> int32)))
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/BinarySearch.jloc tests/java/BinarySearch.jc && make -f tests/java/BinarySearch.makefile gui"
End:
*/
========== file tests/java/BinarySearch.jloc ==========
[K_23]
file = "HOME/tests/java/BinarySearch.java"
line = 92
begin = 9
end = 17

[K_17]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 23
end = 34

[K_11]
file = "HOME/tests/java/BinarySearch.java"
line = 84
begin = 7
end = 10

[K_25]
file = "HOME/tests/java/BinarySearch.java"
line = 96
begin = 8
end = 10

[K_13]
file = "HOME/tests/java/BinarySearch.java"
line = 88
begin = 16
end = 27

[K_9]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 7
end = 34

[K_28]
file = "HOME/tests/java/BinarySearch.java"
line = 77
begin = 9
end = 10

[K_1]
file = "HOME/tests/java/BinarySearch.java"
line = 65
begin = 22
end = 40

[K_15]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 23
end = 29

[K_4]
file = "HOME/tests/java/BinarySearch.java"
line = 67
begin = 18
end = 50

[K_12]
file = "HOME/tests/java/BinarySearch.java"
line = 88
begin = 17
end = 22

[K_20]
file = "HOME/tests/java/BinarySearch.java"
line = 93
begin = 14
end = 22

[cons_BinarySearch]
name = "Constructor of class BinarySearch"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_2]
file = "HOME/tests/java/BinarySearch.java"
line = 65
begin = 16
end = 29

[K_10]
file = "HOME/tests/java/BinarySearch.java"
line = 82
begin = 8
end = 74

[K_6]
file = "HOME/tests/java/BinarySearch.java"
line = 64
begin = 17
end = 26

[K_8]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 7
end = 13

[K_3]
file = "HOME/tests/java/BinarySearch.java"
line = 65
begin = 16
end = 40

[K_27]
file = "HOME/tests/java/BinarySearch.java"
line = 77
begin = 16
end = 28

[K_21]
file = "HOME/tests/java/BinarySearch.java"
line = 92
begin = 23
end = 28

[K_24]
file = "HOME/tests/java/BinarySearch.java"
line = 86
begin = 8
end = 14

[K_14]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 28
end = 34

[K_19]
file = "HOME/tests/java/BinarySearch.java"
line = 93
begin = 14
end = 18

[K_5]
file = "HOME/tests/java/BinarySearch.java"
line = 73
begin = 17
end = 96

[BinarySearch_binary_search]
name = "Method binary_search"
file = "HOME/tests/java/BinarySearch.java"
line = 76
begin = 15
end = 28

[K_18]
file = "HOME/tests/java/BinarySearch.java"
line = 93
begin = 28
end = 33

[K_7]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 17
end = 34

[K_26]
file = "HOME/tests/java/BinarySearch.java"
line = 77
begin = 16
end = 24

[K_22]
file = "HOME/tests/java/BinarySearch.java"
line = 92
begin = 9
end = 13

[K_16]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 23
end = 34

========== jessie execution ==========
Generating Why function cons_BinarySearch
Generating Why function BinarySearch_binary_search
========== file tests/java/BinarySearch.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs BinarySearch.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs BinarySearch.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/BinarySearch_why.sx

project: why/BinarySearch.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/BinarySearch_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/BinarySearch_why.vo

coq/BinarySearch_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/BinarySearch_why.v: why/BinarySearch.why
	@echo 'why -coq [...] why/BinarySearch.why' && $(WHY) $(JESSIELIBFILES) why/BinarySearch.why && rm -f coq/jessie_why.v

coq-goals: goals coq/BinarySearch_ctx_why.vo
	for f in why/*_po*.why; do make -f BinarySearch.makefile coq/`basename $$f .why`_why.v ; done

coq/BinarySearch_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/BinarySearch_ctx_why.v: why/BinarySearch_ctx.why
	@echo 'why -coq [...] why/BinarySearch_ctx.why' && $(WHY) why/BinarySearch_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export BinarySearch_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/BinarySearch_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/BinarySearch_ctx_why.vo

pvs: pvs/BinarySearch_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/BinarySearch_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/BinarySearch_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/BinarySearch_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/BinarySearch_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/BinarySearch_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/BinarySearch_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/BinarySearch_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/BinarySearch_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/BinarySearch_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/BinarySearch_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/BinarySearch_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/BinarySearch_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/BinarySearch_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/BinarySearch_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: BinarySearch.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/BinarySearch_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: BinarySearch.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: BinarySearch.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: BinarySearch.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include BinarySearch.depend

depend: coq/BinarySearch_why.v
	-$(COQDEP) -I coq coq/BinarySearch*_why.v > BinarySearch.depend

clean:
	rm -f coq/*.vo

========== file tests/java/BinarySearch.loc ==========
[JC_94]
kind = UserCall
file = "HOME/tests/java/BinarySearch.java"
line = 77
begin = 16
end = 24

[JC_73]
kind = DivByZero
file = "HOME/tests/java/BinarySearch.jc"
line = 120
begin = 36
end = 67

[JC_63]
kind = UserCall
file = "HOME/tests/java/BinarySearch.java"
line = 77
begin = 16
end = 24

[BinarySearch_binary_search_ensures_success]
name = "Method binary_search"
behavior = "Behavior `success'"
file = "HOME/tests/java/BinarySearch.java"
line = 76
begin = 15
end = 28

[JC_80]
kind = PointerDeref
file = "HOME/tests/java/BinarySearch.java"
line = 93
begin = 14
end = 18

[JC_51]
file = "HOME/tests/java/BinarySearch.java"
line = 65
begin = 16
end = 29

[JC_71]
file = "HOME/tests/java/BinarySearch.jc"
line = 104
begin = 12
end = 1476

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/tests/java/BinarySearch.java"
line = 82
begin = 8
end = 74

[JC_113]
kind = DivByZero
file = "HOME/tests/java/BinarySearch.jc"
line = 120
begin = 36
end = 67

[JC_116]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 23
end = 34

[JC_64]
kind = IndexBounds
file = "HOME/tests/java/BinarySearch.java"
line = 77
begin = 16
end = 24

[JC_99]
file = "HOME/tests/java/BinarySearch.jc"
line = 104
begin = 12
end = 1476

[JC_85]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 17
end = 34

[JC_31]
file = "HOME/tests/java/BinarySearch.jc"
line = 65
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
kind = ArithOverflow
file = "HOME/tests/java/BinarySearch.java"
line = 93
begin = 28
end = 33

[JC_55]
file = "HOME/tests/java/BinarySearch.java"
line = 65
begin = 22
end = 40

[BinarySearch_binary_search_ensures_failure]
name = "Method binary_search"
behavior = "Behavior `failure'"
file = "HOME/tests/java/BinarySearch.java"
line = 76
begin = 15
end = 28

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/BinarySearch.jc"
line = 61
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 17
end = 34

[JC_9]
file = "HOME/tests/java/BinarySearch.jc"
line = 52
begin = 8
end = 21

[JC_75]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 23
end = 29

[JC_24]
file = "HOME/tests/java/BinarySearch.jc"
line = 60
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/BinarySearch.jc"
line = 61
begin = 11
end = 103

[JC_78]
kind = PointerDeref
file = "HOME/tests/java/BinarySearch.java"
line = 92
begin = 9
end = 13

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
kind = ArithOverflow
file = "HOME/tests/java/BinarySearch.java"
line = 88
begin = 16
end = 27

[JC_47]
file = "HOME/tests/java/BinarySearch.java"
line = 64
begin = 17
end = 26

[JC_52]
file = "HOME/tests/java/BinarySearch.java"
line = 65
begin = 22
end = 40

[JC_26]
file = "HOME/tests/java/BinarySearch.jc"
line = 60
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_BinarySearch_safety]
name = "Constructor of class BinarySearch"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/BinarySearch.java"
line = 65
begin = 16
end = 29

[JC_79]
kind = ArithOverflow
file = "HOME/tests/java/BinarySearch.java"
line = 92
begin = 23
end = 28

[JC_13]
file = "HOME/tests/java/BinarySearch.jc"
line = 55
begin = 11
end = 66

[JC_82]
file = "HOME/tests/java/BinarySearch.java"
line = 84
begin = 7
end = 10

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/BinarySearch.jc"
line = 52
begin = 8
end = 21

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/tests/java/BinarySearch.jc"
line = 104
begin = 12
end = 1476

[JC_15]
file = "HOME/tests/java/BinarySearch.jc"
line = 55
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 23
end = 34

[JC_91]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 23
end = 29

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/tests/java/BinarySearch.jc"
line = 104
begin = 12
end = 1476

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
kind = UserCall
file = "HOME/tests/java/BinarySearch.java"
line = 77
begin = 16
end = 24

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 28
end = 34

[JC_109]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 7
end = 34

[JC_107]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 7
end = 13

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/java/BinarySearch.jc"
line = 67
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/java/BinarySearch.java"
line = 73
begin = 17
end = 96

[JC_101]
kind = DivByZero
file = "HOME/tests/java/BinarySearch.jc"
line = 120
begin = 36
end = 67

[JC_88]
file = "HOME/tests/java/BinarySearch.jc"
line = 104
begin = 12
end = 1476

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 28
end = 34

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/BinarySearch.java"
line = 73
begin = 17
end = 96

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/BinarySearch.java"
line = 65
begin = 16
end = 40

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
kind = ArithOverflow
file = "HOME/tests/java/BinarySearch.java"
line = 77
begin = 16
end = 28

[JC_105]
kind = UserCall
file = "HOME/tests/java/BinarySearch.java"
line = 77
begin = 16
end = 24

[JC_29]
file = "HOME/tests/java/BinarySearch.jc"
line = 65
begin = 8
end = 23

[BinarySearch_binary_search_ensures_default]
name = "Method binary_search"
behavior = "default behavior"
file = "HOME/tests/java/BinarySearch.java"
line = 76
begin = 15
end = 28

[JC_68]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 7
end = 34

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/BinarySearch.jc"
line = 54
begin = 10
end = 18

[JC_96]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 17
end = 34

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 7
end = 13

[JC_93]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 23
end = 34

[cons_BinarySearch_ensures_default]
name = "Constructor of class BinarySearch"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 7
end = 34

[JC_84]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 7
end = 13

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 23
end = 29

[JC_14]
file = "HOME/tests/java/BinarySearch.jc"
line = 54
begin = 10
end = 18

[JC_90]
kind = DivByZero
file = "HOME/tests/java/BinarySearch.jc"
line = 120
begin = 36
end = 67

[JC_53]
file = "HOME/tests/java/BinarySearch.java"
line = 65
begin = 16
end = 40

[JC_21]
file = "HOME/tests/java/BinarySearch.jc"
line = 58
begin = 8
end = 30

[JC_111]
file = "HOME/tests/java/BinarySearch.jc"
line = 104
begin = 12
end = 1476

[JC_77]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 23
end = 34

[JC_49]
file = "HOME/tests/java/BinarySearch.java"
line = 64
begin = 17
end = 26

[JC_1]
file = "HOME/tests/java/BinarySearch.jc"
line = 23
begin = 12
end = 22

[JC_102]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 23
end = 29

[JC_37]
file = "HOME/tests/java/BinarySearch.jc"
line = 67
begin = 11
end = 65

[BinarySearch_binary_search_safety]
name = "Method binary_search"
behavior = "Safety"
file = "HOME/tests/java/BinarySearch.java"
line = 76
begin = 15
end = 28

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 17
end = 34

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/tests/java/BinarySearch.jc"
line = 104
begin = 12
end = 1476

[JC_66]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 7
end = 13

[JC_59]
file = "HOME/tests/java/BinarySearch.java"
line = 67
begin = 18
end = 50

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/BinarySearch.jc"
line = 23
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 28
end = 34

[JC_86]
file = "HOME/tests/java/BinarySearch.java"
line = 79
begin = 7
end = 34

[JC_60]
file = "HOME/tests/java/BinarySearch.java"
line = 67
begin = 18
end = 50

[JC_72]
kind = ArithOverflow
file = "HOME/tests/java/BinarySearch.java"
line = 88
begin = 17
end = 22

[JC_19]
file = "HOME/tests/java/BinarySearch.jc"
line = 58
begin = 8
end = 30

[JC_76]
file = "HOME/tests/java/BinarySearch.java"
line = 91
begin = 28
end = 34

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/tests/java/BinarySearch.jc"
line = 104
begin = 12
end = 1476

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/BinarySearch.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic BinarySearch_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom BinarySearch_parenttag_Object : parenttag(BinarySearch_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate is_sorted(t:Object pointer,
 Object_alloc_table_at_L:Object alloc_table,
 intM_intP_at_L:(Object, int32) memory) =
 (Non_null_intM(t, Object_alloc_table_at_L)
 and (forall i:int.
      (forall j:int.
       ((le_int((0), i)
        and (le_int(i, j)
            and lt_int(j,
                add_int(offset_max(Object_alloc_table_at_L, t), (1))))) ->
        le_int(integer_of_int32(select(intM_intP_at_L, shift(t, i))),
        integer_of_int32(select(intM_intP_at_L, shift(t, j))))))))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_BinarySearch(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_BinarySearch(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_BinarySearch(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_BinarySearch(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Object_alloc_table : Object alloc_table ref

parameter intM_intP : (Object, int32) memory ref

parameter BinarySearch_binary_search :
 t_0:Object pointer ->
  v:int32 ->
   { } int32 reads Object_alloc_table,intM_intP
   { ((is_sorted(t_0, Object_alloc_table@, intM_intP@) ->
       (JC_62:
       ((integer_of_int32(result) = neg_int((1))) ->
        (forall k:int.
         ((le_int((0), k)
          and lt_int(k, add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
          (integer_of_int32(select(intM_intP, shift(t_0, k))) <> integer_of_int32(v)))))))
     and ((JC_60:
          (ge_int(integer_of_int32(result), (0)) ->
           (integer_of_int32(select(intM_intP,
                             shift(t_0, integer_of_int32(result)))) = 
           integer_of_int32(v))))
         and (JC_56:
             ((JC_54: le_int(neg_int((1)), integer_of_int32(result)))
             and (JC_55:
                 lt_int(integer_of_int32(result),
                 add_int(offset_max(Object_alloc_table, t_0), (1)))))))) }

parameter BinarySearch_binary_search_requires :
 t_0:Object pointer ->
  v:int32 ->
   { (JC_47: Non_null_intM(t_0, Object_alloc_table))} int32
   reads Object_alloc_table,intM_intP
   { ((is_sorted(t_0, Object_alloc_table@, intM_intP@) ->
       (JC_62:
       ((integer_of_int32(result) = neg_int((1))) ->
        (forall k:int.
         ((le_int((0), k)
          and lt_int(k, add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
          (integer_of_int32(select(intM_intP, shift(t_0, k))) <> integer_of_int32(v)))))))
     and ((JC_60:
          (ge_int(integer_of_int32(result), (0)) ->
           (integer_of_int32(select(intM_intP,
                             shift(t_0, integer_of_int32(result)))) = 
           integer_of_int32(v))))
         and (JC_56:
             ((JC_54: le_int(neg_int((1)), integer_of_int32(result)))
             and (JC_55:
                 lt_int(integer_of_int32(result),
                 add_int(offset_max(Object_alloc_table, t_0), (1)))))))) }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_BinarySearch :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_BinarySearch(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, BinarySearch_tag)))) }

parameter alloc_struct_BinarySearch_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_BinarySearch(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, BinarySearch_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_BinarySearch :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_BinarySearch_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let BinarySearch_binary_search_ensures_default =
 fun (t_0 : Object pointer) (v : int32) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_49: Non_null_intM(t_0, Object_alloc_table))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (safe_int32_of_integer_ (K_28: (0))) in
     (let u =
     ref (K_27:
         (safe_int32_of_integer_ ((sub_int (K_26:
                                           (let _jessie_ = t_0 in
                                           (JC_83:
                                           (java_array_length_intM _jessie_))))) (1)))) in
     begin
       try
        (loop_2:
        while true do
        { invariant
            (JC_86:
            ((JC_84: le_int((0), integer_of_int32(l)))
            and (JC_85:
                le_int(integer_of_int32(u),
                sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                (1))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_24:
                 ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u)))
             then
              (let m = ref (any_int32 void) in
              begin
                (let _jessie_ =
                (m := (K_13:
                      (safe_int32_of_integer_ (JC_90:
                                              ((computer_div (integer_of_int32 
                                                              (K_12:
                                                              (safe_int32_of_integer_ 
                                                               ((add_int 
                                                                 (integer_of_int32 !u)) 
                                                                (integer_of_int32 !l)))))) (2)))))) in
                void);
               (K_17:
               begin
                 (assert
                 { (JC_93:
                   ((JC_91: le_int(integer_of_int32(l), integer_of_int32(m)))
                   and (JC_92:
                       le_int(integer_of_int32(m), integer_of_int32(u))))) };
                 void);
                (if (K_23:
                    ((lt_int_ (integer_of_int32 (K_22:
                                                ((safe_acc_ !intM_intP) 
                                                 ((shift t_0) (integer_of_int32 !m)))))) 
                     (integer_of_int32 v)))
                then
                 (let _jessie_ =
                 (l := (K_21:
                       (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1))))) in
                 void)
                else
                 (if (K_20:
                     ((gt_int_ (integer_of_int32 (K_19:
                                                 ((safe_acc_ !intM_intP) 
                                                  ((shift t_0) (integer_of_int32 !m)))))) 
                      (integer_of_int32 v)))
                 then
                  (let _jessie_ =
                  (u := (K_18:
                        (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1))))) in
                  void) else begin   (return := !m); (raise Return) end)) end)
              end) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end;
      (return := (K_25: (safe_int32_of_integer_ (neg_int (1)))));
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_53:
    ((JC_51: le_int(neg_int((1)), integer_of_int32(result)))
    and (JC_52:
        lt_int(integer_of_int32(result),
        add_int(offset_max(Object_alloc_table, t_0), (1)))))) }

let BinarySearch_binary_search_ensures_failure =
 fun (t_0 : Object pointer) (v : int32) ->
  { (is_sorted(t_0, Object_alloc_table, intM_intP)
    and (left_valid_struct_intM(t_0, (0), Object_alloc_table)
        and (JC_49: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (safe_int32_of_integer_ (K_28: (0))) in
     (let u =
     ref (K_27:
         (safe_int32_of_integer_ ((sub_int (K_26:
                                           (let _jessie_ = t_0 in
                                           (JC_105:
                                           (java_array_length_intM _jessie_))))) (1)))) in
     begin
       try
        (loop_4:
        while true do
        { invariant
            (JC_106:
            (forall k_0:int.
             ((le_int((0), k_0)
              and lt_int(k_0,
                  add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
              ((integer_of_int32(select(intM_intP, shift(t_0, k_0))) = 
               integer_of_int32(v)) ->
               (le_int(integer_of_int32(l), k_0)
               and le_int(k_0, integer_of_int32(u)))))))  }
         begin
           [ { } unit reads Object_alloc_table,l,u
             { (JC_109:
               ((JC_107: le_int((0), integer_of_int32(l)))
               and (JC_108:
                   le_int(integer_of_int32(u),
                   sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                   (1)))))) } ];
          try
           begin
             (if (K_24:
                 ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u)))
             then
              (let m = ref (any_int32 void) in
              begin
                (let _jessie_ =
                (m := (K_13:
                      (safe_int32_of_integer_ (JC_113:
                                              ((computer_div (integer_of_int32 
                                                              (K_12:
                                                              (safe_int32_of_integer_ 
                                                               ((add_int 
                                                                 (integer_of_int32 !u)) 
                                                                (integer_of_int32 !l)))))) (2)))))) in
                void);
               (K_17:
               begin
                 [ { } unit reads l,m,u
                   { (JC_116:
                     ((JC_114:
                      le_int(integer_of_int32(l), integer_of_int32(m)))
                     and (JC_115:
                         le_int(integer_of_int32(m), integer_of_int32(u))))) } ];
                (if (K_23:
                    ((lt_int_ (integer_of_int32 (K_22:
                                                ((safe_acc_ !intM_intP) 
                                                 ((shift t_0) (integer_of_int32 !m)))))) 
                     (integer_of_int32 v)))
                then
                 (let _jessie_ =
                 (l := (K_21:
                       (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1))))) in
                 void)
                else
                 (if (K_20:
                     ((gt_int_ (integer_of_int32 (K_19:
                                                 ((safe_acc_ !intM_intP) 
                                                  ((shift t_0) (integer_of_int32 !m)))))) 
                      (integer_of_int32 v)))
                 then
                  (let _jessie_ =
                  (u := (K_18:
                        (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1))))) in
                  void) else begin   (return := !m); (raise Return) end)) end)
              end) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end;
      (return := (K_25: (safe_int32_of_integer_ (neg_int (1)))));
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_61:
    ((integer_of_int32(result) = neg_int((1))) ->
     (forall k:int.
      ((le_int((0), k)
       and lt_int(k, add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
       (integer_of_int32(select(intM_intP, shift(t_0, k))) <> integer_of_int32(v)))))) }

let BinarySearch_binary_search_ensures_success =
 fun (t_0 : Object pointer) (v : int32) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_49: Non_null_intM(t_0, Object_alloc_table))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (safe_int32_of_integer_ (K_28: (0))) in
     (let u =
     ref (K_27:
         (safe_int32_of_integer_ ((sub_int (K_26:
                                           (let _jessie_ = t_0 in
                                           (JC_94:
                                           (java_array_length_intM _jessie_))))) (1)))) in
     begin
       try
        (loop_3:
        while true do
        { invariant (JC_99: true)  }
         begin
           [ { } unit reads Object_alloc_table,l,u
             { (JC_97:
               ((JC_95: le_int((0), integer_of_int32(l)))
               and (JC_96:
                   le_int(integer_of_int32(u),
                   sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                   (1)))))) } ];
          try
           begin
             (if (K_24:
                 ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u)))
             then
              (let m = ref (any_int32 void) in
              begin
                (let _jessie_ =
                (m := (K_13:
                      (safe_int32_of_integer_ (JC_101:
                                              ((computer_div (integer_of_int32 
                                                              (K_12:
                                                              (safe_int32_of_integer_ 
                                                               ((add_int 
                                                                 (integer_of_int32 !u)) 
                                                                (integer_of_int32 !l)))))) (2)))))) in
                void);
               (K_17:
               begin
                 [ { } unit reads l,m,u
                   { (JC_104:
                     ((JC_102:
                      le_int(integer_of_int32(l), integer_of_int32(m)))
                     and (JC_103:
                         le_int(integer_of_int32(m), integer_of_int32(u))))) } ];
                (if (K_23:
                    ((lt_int_ (integer_of_int32 (K_22:
                                                ((safe_acc_ !intM_intP) 
                                                 ((shift t_0) (integer_of_int32 !m)))))) 
                     (integer_of_int32 v)))
                then
                 (let _jessie_ =
                 (l := (K_21:
                       (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1))))) in
                 void)
                else
                 (if (K_20:
                     ((gt_int_ (integer_of_int32 (K_19:
                                                 ((safe_acc_ !intM_intP) 
                                                  ((shift t_0) (integer_of_int32 !m)))))) 
                      (integer_of_int32 v)))
                 then
                  (let _jessie_ =
                  (u := (K_18:
                        (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1))))) in
                  void) else begin   (return := !m); (raise Return) end)) end)
              end) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end;
      (return := (K_25: (safe_int32_of_integer_ (neg_int (1)))));
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_59:
    (ge_int(integer_of_int32(result), (0)) ->
     (integer_of_int32(select(intM_intP,
                       shift(t_0, integer_of_int32(result)))) = integer_of_int32(v)))) }

let BinarySearch_binary_search_safety =
 fun (t_0 : Object pointer) (v : int32) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_49: Non_null_intM(t_0, Object_alloc_table))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (safe_int32_of_integer_ (K_28: (0))) in
     (let u =
     ref (K_27:
         (JC_65:
         (int32_of_integer_ ((sub_int (K_26:
                                      (let _jessie_ = t_0 in
                                      (JC_64:
                                      (assert
                                      { ge_int(offset_max(Object_alloc_table,
                                               _jessie_),
                                        (-1)) };
                                      (JC_63:
                                      (java_array_length_intM_requires _jessie_))))))) (1))))) in
     begin
       try
        (loop_1:
        while true do
        { invariant (JC_70: true)
          variant (JC_82 : sub_int(integer_of_int32(u), integer_of_int32(l))) }
         begin
           [ { } unit reads Object_alloc_table,l,u
             { (JC_68:
               ((JC_66: le_int((0), integer_of_int32(l)))
               and (JC_67:
                   le_int(integer_of_int32(u),
                   sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                   (1)))))) } ];
          try
           begin
             (if (K_24:
                 ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u)))
             then
              (let m = ref (any_int32 void) in
              begin
                (let _jessie_ =
                (m := (K_13:
                      (JC_74:
                      (int32_of_integer_ (JC_73:
                                         ((computer_div_ (integer_of_int32 
                                                          (K_12:
                                                          (JC_72:
                                                          (int32_of_integer_ 
                                                           ((add_int 
                                                             (integer_of_int32 !u)) 
                                                            (integer_of_int32 !l))))))) (2))))))) in
                void);
               (K_17:
               begin
                 [ { } unit reads l,m,u
                   { (JC_77:
                     ((JC_75:
                      le_int(integer_of_int32(l), integer_of_int32(m)))
                     and (JC_76:
                         le_int(integer_of_int32(m), integer_of_int32(u))))) } ];
                (if (K_23:
                    ((lt_int_ (integer_of_int32 (K_22:
                                                (JC_78:
                                                ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) 
                                                 (integer_of_int32 !m)))))) 
                     (integer_of_int32 v)))
                then
                 (let _jessie_ =
                 (l := (K_21:
                       (JC_79:
                       (int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))))) in
                 void)
                else
                 (if (K_20:
                     ((gt_int_ (integer_of_int32 (K_19:
                                                 (JC_80:
                                                 ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) 
                                                  (integer_of_int32 !m)))))) 
                      (integer_of_int32 v)))
                 then
                  (let _jessie_ =
                  (u := (K_18:
                        (JC_81:
                        (int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))))) in
                  void) else begin   (return := !m); (raise Return) end)) end)
              end) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end;
      (return := (K_25: (safe_int32_of_integer_ (neg_int (1)))));
      (raise Return) end)); absurd  end with Return -> !return end)) 
  { true }

let cons_BinarySearch_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_BinarySearch(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_43: true) }

let cons_BinarySearch_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_BinarySearch(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/BinarySearch.why
========== file tests/java/why/BinarySearch.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/BinarySearch_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic BinarySearch_tag : Object tag_id

logic Object_tag : Object tag_id

axiom BinarySearch_parenttag_Object: parenttag(BinarySearch_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate is_sorted(t: Object pointer,
  Object_alloc_table_at_L: Object alloc_table, intM_intP_at_L: (Object,
  int32) memory) =
  (Non_null_intM(t, Object_alloc_table_at_L) and
   (forall i:int.
     (forall j:int.
       (((0 <= i) and
         ((i <= j) and (j < (offset_max(Object_alloc_table_at_L, t) + 1)))) ->
        (integer_of_int32(select(intM_intP_at_L, shift(t,
        i))) <= integer_of_int32(select(intM_intP_at_L, shift(t, j))))))))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_BinarySearch(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_BinarySearch(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_BinarySearch(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_BinarySearch(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/BinarySearch_po1.why ==========
goal BinarySearch_binary_search_ensures_default_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  ("JC_86": ("JC_84": (0 <= integer_of_int32(result))))

========== file tests/java/why/BinarySearch_po10.why ==========
goal BinarySearch_binary_search_ensures_default_po_10:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) > integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (-1)) ->
  forall return:int32.
  (return = result2) ->
  ("JC_53":
  ("JC_52": (integer_of_int32(return) < (offset_max(Object_alloc_table,
  t_0) + 1))))

========== file tests/java/why/BinarySearch_po11.why ==========
goal BinarySearch_binary_search_ensures_failure_po_1:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  (integer_of_int32(select(intM_intP, shift(t_0,
  k_0))) = integer_of_int32(v)) ->
  ("JC_106": (integer_of_int32(result) <= k_0))

========== file tests/java/why/BinarySearch_po12.why ==========
goal BinarySearch_binary_search_ensures_failure_po_2:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  (integer_of_int32(select(intM_intP, shift(t_0,
  k_0))) = integer_of_int32(v)) ->
  ("JC_106": (k_0 <= integer_of_int32(result1)))

========== file tests/java/why/BinarySearch_po13.why ==========
goal BinarySearch_binary_search_ensures_failure_po_3:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_106":
  (forall k_0:int.
    (((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
     ((integer_of_int32(select(intM_intP, shift(t_0,
      k_0))) = integer_of_int32(v)) ->
      ((integer_of_int32(l) <= k_0) and (k_0 <= integer_of_int32(u))))))) ->
  ("JC_109":
  (("JC_107": (0 <= integer_of_int32(l))) and
   ("JC_108": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_116":
  (("JC_114": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_115": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) < integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) + 1)) ->
  forall l0:int32.
  (l0 = result5) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  (integer_of_int32(select(intM_intP, shift(t_0,
  k_0))) = integer_of_int32(v)) ->
  ("JC_106": (integer_of_int32(l0) <= k_0))

========== file tests/java/why/BinarySearch_po14.why ==========
goal BinarySearch_binary_search_ensures_failure_po_4:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_106":
  (forall k_0:int.
    (((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
     ((integer_of_int32(select(intM_intP, shift(t_0,
      k_0))) = integer_of_int32(v)) ->
      ((integer_of_int32(l) <= k_0) and (k_0 <= integer_of_int32(u))))))) ->
  ("JC_109":
  (("JC_107": (0 <= integer_of_int32(l))) and
   ("JC_108": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_116":
  (("JC_114": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_115": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) < integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) + 1)) ->
  forall l0:int32.
  (l0 = result5) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  (integer_of_int32(select(intM_intP, shift(t_0,
  k_0))) = integer_of_int32(v)) ->
  ("JC_106": (k_0 <= integer_of_int32(u)))

========== file tests/java/why/BinarySearch_po15.why ==========
goal BinarySearch_binary_search_ensures_failure_po_5:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_106":
  (forall k_0:int.
    (((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
     ((integer_of_int32(select(intM_intP, shift(t_0,
      k_0))) = integer_of_int32(v)) ->
      ((integer_of_int32(l) <= k_0) and (k_0 <= integer_of_int32(u))))))) ->
  ("JC_109":
  (("JC_107": (0 <= integer_of_int32(l))) and
   ("JC_108": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_116":
  (("JC_114": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_115": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) > integer_of_int32(v)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) - 1)) ->
  forall u0:int32.
  (u0 = result6) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  (integer_of_int32(select(intM_intP, shift(t_0,
  k_0))) = integer_of_int32(v)) ->
  ("JC_106": (integer_of_int32(l) <= k_0))

========== file tests/java/why/BinarySearch_po16.why ==========
goal BinarySearch_binary_search_ensures_failure_po_6:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_106":
  (forall k_0:int.
    (((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
     ((integer_of_int32(select(intM_intP, shift(t_0,
      k_0))) = integer_of_int32(v)) ->
      ((integer_of_int32(l) <= k_0) and (k_0 <= integer_of_int32(u))))))) ->
  ("JC_109":
  (("JC_107": (0 <= integer_of_int32(l))) and
   ("JC_108": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_116":
  (("JC_114": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_115": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) > integer_of_int32(v)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) - 1)) ->
  forall u0:int32.
  (u0 = result6) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  (integer_of_int32(select(intM_intP, shift(t_0,
  k_0))) = integer_of_int32(v)) ->
  ("JC_106": (k_0 <= integer_of_int32(u0)))

========== file tests/java/why/BinarySearch_po17.why ==========
goal BinarySearch_binary_search_ensures_failure_po_7:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_106":
  (forall k_0:int.
    (((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
     ((integer_of_int32(select(intM_intP, shift(t_0,
      k_0))) = integer_of_int32(v)) ->
      ((integer_of_int32(l) <= k_0) and (k_0 <= integer_of_int32(u))))))) ->
  ("JC_109":
  (("JC_107": (0 <= integer_of_int32(l))) and
   ("JC_108": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_116":
  (("JC_114": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_115": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) <= integer_of_int32(v)) ->
  forall return:int32.
  (return = m) ->
  (integer_of_int32(return) = (-1)) ->
  forall k:int.
  ((0 <= k) and (k < (offset_max(Object_alloc_table, t_0) + 1))) ->
  ("JC_61": (integer_of_int32(select(intM_intP, shift(t_0,
  k))) <> integer_of_int32(v)))

========== file tests/java/why/BinarySearch_po18.why ==========
goal BinarySearch_binary_search_ensures_failure_po_8:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_106":
  (forall k_0:int.
    (((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
     ((integer_of_int32(select(intM_intP, shift(t_0,
      k_0))) = integer_of_int32(v)) ->
      ((integer_of_int32(l) <= k_0) and (k_0 <= integer_of_int32(u))))))) ->
  ("JC_109":
  (("JC_107": (0 <= integer_of_int32(l))) and
   ("JC_108": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) > integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (-1)) ->
  forall return:int32.
  (return = result2) ->
  (integer_of_int32(return) = (-1)) ->
  forall k:int.
  ((0 <= k) and (k < (offset_max(Object_alloc_table, t_0) + 1))) ->
  ("JC_61": (integer_of_int32(select(intM_intP, shift(t_0,
  k))) <> integer_of_int32(v)))

========== file tests/java/why/BinarySearch_po19.why ==========
goal BinarySearch_binary_search_ensures_success_po_1:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_99": true) ->
  ("JC_97":
  (("JC_95": (0 <= integer_of_int32(l))) and
   ("JC_96": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_104":
  (("JC_102": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_103": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) <= integer_of_int32(v)) ->
  forall return:int32.
  (return = m) ->
  (integer_of_int32(return) >= 0) ->
  ("JC_59": (integer_of_int32(select(intM_intP, shift(t_0,
  integer_of_int32(return)))) = integer_of_int32(v)))

========== file tests/java/why/BinarySearch_po2.why ==========
goal BinarySearch_binary_search_ensures_default_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  ("JC_86":
  ("JC_85": (integer_of_int32(result1) <= ((offset_max(Object_alloc_table,
  t_0) + 1) - 1))))

========== file tests/java/why/BinarySearch_po20.why ==========
goal BinarySearch_binary_search_ensures_success_po_2:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_99": true) ->
  ("JC_97":
  (("JC_95": (0 <= integer_of_int32(l))) and
   ("JC_96": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) > integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (-1)) ->
  forall return:int32.
  (return = result2) ->
  (integer_of_int32(return) >= 0) ->
  ("JC_59": (integer_of_int32(select(intM_intP, shift(t_0,
  integer_of_int32(return)))) = integer_of_int32(v)))

========== file tests/java/why/BinarySearch_po21.why ==========
goal BinarySearch_binary_search_safety_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1))

========== file tests/java/why/BinarySearch_po22.why ==========
goal BinarySearch_binary_search_safety_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ((-2147483648) <= (result0 - 1))

========== file tests/java/why/BinarySearch_po23.why ==========
goal BinarySearch_binary_search_safety_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ((result0 - 1) <= 2147483647)

========== file tests/java/why/BinarySearch_po24.why ==========
goal BinarySearch_binary_search_safety_po_4:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  ((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l)))

========== file tests/java/why/BinarySearch_po25.why ==========
goal BinarySearch_binary_search_safety_po_5:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)

========== file tests/java/why/BinarySearch_po26.why ==========
goal BinarySearch_binary_search_safety_po_6:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0)

========== file tests/java/why/BinarySearch_po27.why ==========
goal BinarySearch_binary_search_safety_po_7:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  ((-2147483648) <= result3)

========== file tests/java/why/BinarySearch_po28.why ==========
goal BinarySearch_binary_search_safety_po_8:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (result3 <= 2147483647)

========== file tests/java/why/BinarySearch_po29.why ==========
goal BinarySearch_binary_search_safety_po_9:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  (offset_min(Object_alloc_table, t_0) <= integer_of_int32(m))

========== file tests/java/why/BinarySearch_po3.why ==========
goal BinarySearch_binary_search_ensures_default_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_93": ("JC_91": (integer_of_int32(l) <= integer_of_int32(m))))

========== file tests/java/why/BinarySearch_po30.why ==========
goal BinarySearch_binary_search_safety_po_10:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))

========== file tests/java/why/BinarySearch_po31.why ==========
goal BinarySearch_binary_search_safety_po_11:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) < integer_of_int32(v)) ->
  ((-2147483648) <= (integer_of_int32(m) + 1))

========== file tests/java/why/BinarySearch_po32.why ==========
goal BinarySearch_binary_search_safety_po_12:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) < integer_of_int32(v)) ->
  ((integer_of_int32(m) + 1) <= 2147483647)

========== file tests/java/why/BinarySearch_po33.why ==========
goal BinarySearch_binary_search_safety_po_13:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) < integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(m) + 1)) and
   ((integer_of_int32(m) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) + 1)) ->
  forall l0:int32.
  (l0 = result6) ->
  (0 <= ("JC_82": (integer_of_int32(u) - integer_of_int32(l))))

========== file tests/java/why/BinarySearch_po34.why ==========
goal BinarySearch_binary_search_safety_po_14:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) < integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(m) + 1)) and
   ((integer_of_int32(m) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) + 1)) ->
  forall l0:int32.
  (l0 = result6) ->
  (("JC_82": (integer_of_int32(u) - integer_of_int32(l0))) < ("JC_82":
                                                             (integer_of_int32(u) - integer_of_int32(l))))

========== file tests/java/why/BinarySearch_po35.why ==========
goal BinarySearch_binary_search_safety_po_15:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) >= integer_of_int32(v)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result6) > integer_of_int32(v)) ->
  ((-2147483648) <= (integer_of_int32(m) - 1))

========== file tests/java/why/BinarySearch_po36.why ==========
goal BinarySearch_binary_search_safety_po_16:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) >= integer_of_int32(v)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result6) > integer_of_int32(v)) ->
  ((integer_of_int32(m) - 1) <= 2147483647)

========== file tests/java/why/BinarySearch_po37.why ==========
goal BinarySearch_binary_search_safety_po_17:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) >= integer_of_int32(v)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result6) > integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(m) - 1)) and
   ((integer_of_int32(m) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(m) - 1)) ->
  forall u0:int32.
  (u0 = result7) ->
  (0 <= ("JC_82": (integer_of_int32(u) - integer_of_int32(l))))

========== file tests/java/why/BinarySearch_po38.why ==========
goal BinarySearch_binary_search_safety_po_18:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) >= integer_of_int32(v)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result6) > integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(m) - 1)) and
   ((integer_of_int32(m) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(m) - 1)) ->
  forall u0:int32.
  (u0 = result7) ->
  (("JC_82": (integer_of_int32(u0) - integer_of_int32(l))) < ("JC_82":
                                                             (integer_of_int32(u) - integer_of_int32(l))))

========== file tests/java/why/BinarySearch_po4.why ==========
goal BinarySearch_binary_search_ensures_default_po_4:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_93": ("JC_92": (integer_of_int32(m) <= integer_of_int32(u))))

========== file tests/java/why/BinarySearch_po5.why ==========
goal BinarySearch_binary_search_ensures_default_po_5:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_93":
  (("JC_91": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_92": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) < integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) + 1)) ->
  forall l0:int32.
  (l0 = result5) ->
  ("JC_86": ("JC_84": (0 <= integer_of_int32(l0))))

========== file tests/java/why/BinarySearch_po6.why ==========
goal BinarySearch_binary_search_ensures_default_po_6:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_93":
  (("JC_91": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_92": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) > integer_of_int32(v)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) - 1)) ->
  forall u0:int32.
  (u0 = result6) ->
  ("JC_86":
  ("JC_85": (integer_of_int32(u0) <= ((offset_max(Object_alloc_table,
  t_0) + 1) - 1))))

========== file tests/java/why/BinarySearch_po7.why ==========
goal BinarySearch_binary_search_ensures_default_po_7:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_93":
  (("JC_91": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_92": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) <= integer_of_int32(v)) ->
  forall return:int32.
  (return = m) ->
  ("JC_53": ("JC_51": ((-1) <= integer_of_int32(return))))

========== file tests/java/why/BinarySearch_po8.why ==========
goal BinarySearch_binary_search_ensures_default_po_8:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_93":
  (("JC_91": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_92": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) <= integer_of_int32(v)) ->
  forall return:int32.
  (return = m) ->
  ("JC_53":
  ("JC_52": (integer_of_int32(return) < (offset_max(Object_alloc_table,
  t_0) + 1))))

========== file tests/java/why/BinarySearch_po9.why ==========
goal BinarySearch_binary_search_ensures_default_po_9:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) > integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (-1)) ->
  forall return:int32.
  (return = result2) ->
  ("JC_53": ("JC_51": ((-1) <= integer_of_int32(return))))

========== generation of Simplify VC output ==========
why -simplify [...] why/BinarySearch.why
========== file tests/java/simplify/BinarySearch_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom BinarySearch_parenttag_Object
 (EQ (parenttag BinarySearch_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (is_sorted t Object_alloc_table_at_L intM_intP_at_L)
  (AND (Non_null_intM t Object_alloc_table_at_L)
  (FORALL (i j)
  (IMPLIES
  (AND (<= 0 i)
  (AND (<= i j) (< j (+ (offset_max Object_alloc_table_at_L t) 1))))
  (<= (integer_of_int32 (select intM_intP_at_L (shift t i))) (integer_of_int32
                                                             (select
                                                             intM_intP_at_L 
                                                             (shift t j))))))))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_BinarySearch p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_BinarySearch p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_BinarySearch p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_BinarySearch p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; BinarySearch_binary_search_ensures_default_po_1, File "HOME/tests/java/BinarySearch.java", line 79, characters 7-13
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(<= 0 (integer_of_int32 result)))))))))))

;; BinarySearch_binary_search_ensures_default_po_2, File "HOME/tests/java/BinarySearch.java", line 79, characters 17-34
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(<= (integer_of_int32 result1) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))))))))))

;; BinarySearch_binary_search_ensures_default_po_3, File "HOME/tests/java/BinarySearch.java", line 91, characters 23-29
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3) (<= (integer_of_int32 l) (integer_of_int32 m)))))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_4, File "HOME/tests/java/BinarySearch.java", line 91, characters 28-34
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3) (<= (integer_of_int32 m) (integer_of_int32 u)))))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_5, File "HOME/tests/java/BinarySearch.java", line 79, characters 7-13
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 m) 1))
(FORALL (l0) (IMPLIES (EQ l0 result5) (<= 0 (integer_of_int32 l0)))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_6, File "HOME/tests/java/BinarySearch.java", line 79, characters 17-34
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (- (integer_of_int32 m) 1))
(FORALL (u0)
(IMPLIES (EQ u0 result6)
(<= (integer_of_int32 u0) (- (+ (offset_max Object_alloc_table t_0) 1) 1))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_7, File "HOME/tests/java/BinarySearch.java", line 65, characters 16-29
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (<= (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (return)
(IMPLIES (EQ return m) (<= (- 0 1) (integer_of_int32 return))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_8, File "HOME/tests/java/BinarySearch.java", line 65, characters 22-40
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (<= (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (return)
(IMPLIES (EQ return m)
(< (integer_of_int32 return) (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_9, File "HOME/tests/java/BinarySearch.java", line 65, characters 16-29
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (> (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (- 0 1))
(FORALL (return)
(IMPLIES (EQ return result2) (<= (- 0 1) (integer_of_int32 return)))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_10, File "HOME/tests/java/BinarySearch.java", line 65, characters 22-40
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (> (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (- 0 1))
(FORALL (return)
(IMPLIES (EQ return result2)
(< (integer_of_int32 return) (+ (offset_max Object_alloc_table t_0) 1)))))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_1, File "HOME/tests/java/BinarySearch.java", line 82, characters 8-74
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
(IMPLIES (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
(<= (integer_of_int32 result) k_0)))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_2, File "HOME/tests/java/BinarySearch.java", line 82, characters 8-74
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
(IMPLIES (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
(<= k_0 (integer_of_int32 result1))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_3, File "HOME/tests/java/BinarySearch.java", line 82, characters 8-74
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (FORALL (k_0)
         (IMPLIES
         (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
         (IMPLIES
         (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
         (AND (<= (integer_of_int32 l) k_0) (<= k_0 (integer_of_int32 u))))))
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 m) 1))
(FORALL (l0)
(IMPLIES (EQ l0 result5)
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
(IMPLIES (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
(<= (integer_of_int32 l0) k_0))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_4, File "HOME/tests/java/BinarySearch.java", line 82, characters 8-74
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (FORALL (k_0)
         (IMPLIES
         (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
         (IMPLIES
         (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
         (AND (<= (integer_of_int32 l) k_0) (<= k_0 (integer_of_int32 u))))))
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 m) 1))
(FORALL (l0)
(IMPLIES (EQ l0 result5)
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
(IMPLIES (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
(<= k_0 (integer_of_int32 u)))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_5, File "HOME/tests/java/BinarySearch.java", line 82, characters 8-74
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (FORALL (k_0)
         (IMPLIES
         (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
         (IMPLIES
         (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
         (AND (<= (integer_of_int32 l) k_0) (<= k_0 (integer_of_int32 u))))))
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (- (integer_of_int32 m) 1))
(FORALL (u0)
(IMPLIES (EQ u0 result6)
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
(IMPLIES (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
(<= (integer_of_int32 l) k_0)))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_6, File "HOME/tests/java/BinarySearch.java", line 82, characters 8-74
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (FORALL (k_0)
         (IMPLIES
         (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
         (IMPLIES
         (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
         (AND (<= (integer_of_int32 l) k_0) (<= k_0 (integer_of_int32 u))))))
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (- (integer_of_int32 m) 1))
(FORALL (u0)
(IMPLIES (EQ u0 result6)
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
(IMPLIES (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
(<= k_0 (integer_of_int32 u0))))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_7, File "HOME/tests/java/BinarySearch.java", line 73, characters 17-96
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (FORALL (k_0)
         (IMPLIES
         (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
         (IMPLIES
         (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
         (AND (<= (integer_of_int32 l) k_0) (<= k_0 (integer_of_int32 u))))))
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (<= (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (return)
(IMPLIES (EQ return m)
(IMPLIES (EQ (integer_of_int32 return) (- 0 1))
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k (+ (offset_max Object_alloc_table t_0) 1)))
(NEQ (integer_of_int32 (select intM_intP (shift t_0 k)))
(integer_of_int32 v))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_8, File "HOME/tests/java/BinarySearch.java", line 73, characters 17-96
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (FORALL (k_0)
         (IMPLIES
         (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
         (IMPLIES
         (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
         (AND (<= (integer_of_int32 l) k_0) (<= k_0 (integer_of_int32 u))))))
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (> (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (- 0 1))
(FORALL (return)
(IMPLIES (EQ return result2)
(IMPLIES (EQ (integer_of_int32 return) (- 0 1))
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k (+ (offset_max Object_alloc_table t_0) 1)))
(NEQ (integer_of_int32 (select intM_intP (shift t_0 k)))
(integer_of_int32 v)))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_success_po_1, File "HOME/tests/java/BinarySearch.java", line 67, characters 18-50
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (<= (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (return)
(IMPLIES (EQ return m)
(IMPLIES (>= (integer_of_int32 return) 0)
(EQ (integer_of_int32
    (select intM_intP (shift t_0 (integer_of_int32 return))))
(integer_of_int32 v))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_success_po_2, File "HOME/tests/java/BinarySearch.java", line 67, characters 18-50
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (> (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (- 0 1))
(FORALL (return)
(IMPLIES (EQ return result2)
(IMPLIES (>= (integer_of_int32 return) 0)
(EQ (integer_of_int32
    (select intM_intP (shift t_0 (integer_of_int32 return))))
(integer_of_int32 v)))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_1, File "why/BinarySearch.why", line 955, characters 40-182
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(>= (offset_max Object_alloc_table t_0) (- 0 1)))))))

;; BinarySearch_binary_search_safety_po_2, File "HOME/tests/java/BinarySearch.java", line 77, characters 16-28
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(<= (- 0 constant_too_large_2147483648) (- result0 1))))))))))

;; BinarySearch_binary_search_safety_po_3, File "HOME/tests/java/BinarySearch.java", line 77, characters 16-28
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(<= (- result0 1) constant_too_large_2147483647)))))))))

;; BinarySearch_binary_search_safety_po_4, File "HOME/tests/java/BinarySearch.java", line 88, characters 17-22
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) (integer_of_int32
                                                                l)))))))))))))))))))

;; BinarySearch_binary_search_safety_po_5, File "HOME/tests/java/BinarySearch.java", line 88, characters 17-22
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647)))))))))))))))))

;; BinarySearch_binary_search_safety_po_6, File "HOME/tests/java/BinarySearch.jc", line 120, characters 36-67
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(NEQ 2 0))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_7, File "HOME/tests/java/BinarySearch.java", line 88, characters 16-27
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(<= (- 0 constant_too_large_2147483648) result3)))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_8, File "HOME/tests/java/BinarySearch.java", line 88, characters 16-27
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(<= result3 constant_too_large_2147483647)))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_9, File "HOME/tests/java/BinarySearch.java", line 92, characters 9-13
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_10, File "HOME/tests/java/BinarySearch.java", line 92, characters 9-13
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(<= (integer_of_int32 m) (offset_max Object_alloc_table t_0))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_11, File "HOME/tests/java/BinarySearch.java", line 92, characters 23-28
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 v))
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 m) 1))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_12, File "HOME/tests/java/BinarySearch.java", line 92, characters 23-28
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 v))
(<= (+ (integer_of_int32 m) 1) constant_too_large_2147483647)))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_13, File "HOME/tests/java/BinarySearch.java", line 84, characters 7-10
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 m) 1))
         (<= (+ (integer_of_int32 m) 1) constant_too_large_2147483647))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (+ (integer_of_int32 m) 1))
(FORALL (l0)
(IMPLIES (EQ l0 result6)
(<= 0 (- (integer_of_int32 u) (integer_of_int32 l))))))))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_14, File "HOME/tests/java/BinarySearch.java", line 84, characters 7-10
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 m) 1))
         (<= (+ (integer_of_int32 m) 1) constant_too_large_2147483647))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (+ (integer_of_int32 m) 1))
(FORALL (l0)
(IMPLIES (EQ l0 result6)
(< (- (integer_of_int32 u) (integer_of_int32 l0)) (- (integer_of_int32 u) 
                                                  (integer_of_int32 l))))))))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_15, File "HOME/tests/java/BinarySearch.java", line 93, characters 28-33
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result6) (integer_of_int32 v))
(<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 m) 1))))))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_16, File "HOME/tests/java/BinarySearch.java", line 93, characters 28-33
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result6) (integer_of_int32 v))
(<= (- (integer_of_int32 m) 1) constant_too_large_2147483647)))))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_17, File "HOME/tests/java/BinarySearch.java", line 84, characters 7-10
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result6) (integer_of_int32 v))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 m) 1))
         (<= (- (integer_of_int32 m) 1) constant_too_large_2147483647))
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (- (integer_of_int32 m) 1))
(FORALL (u0)
(IMPLIES (EQ u0 result7)
(<= 0 (- (integer_of_int32 u) (integer_of_int32 l))))))))))))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_18, File "HOME/tests/java/BinarySearch.java", line 84, characters 7-10
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result6) (integer_of_int32 v))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 m) 1))
         (<= (- (integer_of_int32 m) 1) constant_too_large_2147483647))
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (- (integer_of_int32 m) 1))
(FORALL (u0)
(IMPLIES (EQ u0 result7)
(< (- (integer_of_int32 u0) (integer_of_int32 l)) (- (integer_of_int32 u) 
                                                  (integer_of_int32 l))))))))))))))))))))))))))))))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/BinarySearch_why.sx  : .....................#..?.........?... (35/0/2/1/0)
total   :  38
valid   :  35 ( 92%)
invalid :   0 (  0%)
unknown :   2 (  5%)
timeout :   1 (  3%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/BinarySearch.why
========== file tests/java/why/BinarySearch_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic BinarySearch_tag : Object tag_id

logic Object_tag : Object tag_id

axiom BinarySearch_parenttag_Object: parenttag(BinarySearch_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate is_sorted(t: Object pointer,
  Object_alloc_table_at_L: Object alloc_table, intM_intP_at_L: (Object,
  int32) memory) =
  (Non_null_intM(t, Object_alloc_table_at_L) and
   (forall i:int.
     (forall j:int.
       (((0 <= i) and
         ((i <= j) and (j < (offset_max(Object_alloc_table_at_L, t) + 1)))) ->
        (integer_of_int32(select(intM_intP_at_L, shift(t,
        i))) <= integer_of_int32(select(intM_intP_at_L, shift(t, j))))))))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_BinarySearch(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_BinarySearch(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_BinarySearch(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_BinarySearch(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal BinarySearch_binary_search_ensures_default_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  ("JC_86": ("JC_84": (0 <= integer_of_int32(result))))

goal BinarySearch_binary_search_ensures_default_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  ("JC_86":
  ("JC_85": (integer_of_int32(result1) <= ((offset_max(Object_alloc_table,
  t_0) + 1) - 1))))

goal BinarySearch_binary_search_ensures_default_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_93": ("JC_91": (integer_of_int32(l) <= integer_of_int32(m))))

goal BinarySearch_binary_search_ensures_default_po_4:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_93": ("JC_92": (integer_of_int32(m) <= integer_of_int32(u))))

goal BinarySearch_binary_search_ensures_default_po_5:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_93":
  (("JC_91": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_92": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) < integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) + 1)) ->
  forall l0:int32.
  (l0 = result5) ->
  ("JC_86": ("JC_84": (0 <= integer_of_int32(l0))))

goal BinarySearch_binary_search_ensures_default_po_6:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_93":
  (("JC_91": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_92": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) > integer_of_int32(v)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) - 1)) ->
  forall u0:int32.
  (u0 = result6) ->
  ("JC_86":
  ("JC_85": (integer_of_int32(u0) <= ((offset_max(Object_alloc_table,
  t_0) + 1) - 1))))

goal BinarySearch_binary_search_ensures_default_po_7:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_93":
  (("JC_91": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_92": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) <= integer_of_int32(v)) ->
  forall return:int32.
  (return = m) ->
  ("JC_53": ("JC_51": ((-1) <= integer_of_int32(return))))

goal BinarySearch_binary_search_ensures_default_po_8:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_93":
  (("JC_91": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_92": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) <= integer_of_int32(v)) ->
  forall return:int32.
  (return = m) ->
  ("JC_53":
  ("JC_52": (integer_of_int32(return) < (offset_max(Object_alloc_table,
  t_0) + 1))))

goal BinarySearch_binary_search_ensures_default_po_9:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) > integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (-1)) ->
  forall return:int32.
  (return = result2) ->
  ("JC_53": ("JC_51": ((-1) <= integer_of_int32(return))))

goal BinarySearch_binary_search_ensures_default_po_10:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_86":
  (("JC_84": (0 <= integer_of_int32(l))) and
   ("JC_85": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) > integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (-1)) ->
  forall return:int32.
  (return = result2) ->
  ("JC_53":
  ("JC_52": (integer_of_int32(return) < (offset_max(Object_alloc_table,
  t_0) + 1))))

goal BinarySearch_binary_search_ensures_failure_po_1:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  (integer_of_int32(select(intM_intP, shift(t_0,
  k_0))) = integer_of_int32(v)) ->
  ("JC_106": (integer_of_int32(result) <= k_0))

goal BinarySearch_binary_search_ensures_failure_po_2:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  (integer_of_int32(select(intM_intP, shift(t_0,
  k_0))) = integer_of_int32(v)) ->
  ("JC_106": (k_0 <= integer_of_int32(result1)))

goal BinarySearch_binary_search_ensures_failure_po_3:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_106":
  (forall k_0:int.
    (((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
     ((integer_of_int32(select(intM_intP, shift(t_0,
      k_0))) = integer_of_int32(v)) ->
      ((integer_of_int32(l) <= k_0) and (k_0 <= integer_of_int32(u))))))) ->
  ("JC_109":
  (("JC_107": (0 <= integer_of_int32(l))) and
   ("JC_108": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_116":
  (("JC_114": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_115": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) < integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) + 1)) ->
  forall l0:int32.
  (l0 = result5) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  (integer_of_int32(select(intM_intP, shift(t_0,
  k_0))) = integer_of_int32(v)) ->
  ("JC_106": (integer_of_int32(l0) <= k_0))

goal BinarySearch_binary_search_ensures_failure_po_4:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_106":
  (forall k_0:int.
    (((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
     ((integer_of_int32(select(intM_intP, shift(t_0,
      k_0))) = integer_of_int32(v)) ->
      ((integer_of_int32(l) <= k_0) and (k_0 <= integer_of_int32(u))))))) ->
  ("JC_109":
  (("JC_107": (0 <= integer_of_int32(l))) and
   ("JC_108": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_116":
  (("JC_114": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_115": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) < integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) + 1)) ->
  forall l0:int32.
  (l0 = result5) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  (integer_of_int32(select(intM_intP, shift(t_0,
  k_0))) = integer_of_int32(v)) ->
  ("JC_106": (k_0 <= integer_of_int32(u)))

goal BinarySearch_binary_search_ensures_failure_po_5:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_106":
  (forall k_0:int.
    (((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
     ((integer_of_int32(select(intM_intP, shift(t_0,
      k_0))) = integer_of_int32(v)) ->
      ((integer_of_int32(l) <= k_0) and (k_0 <= integer_of_int32(u))))))) ->
  ("JC_109":
  (("JC_107": (0 <= integer_of_int32(l))) and
   ("JC_108": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_116":
  (("JC_114": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_115": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) > integer_of_int32(v)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) - 1)) ->
  forall u0:int32.
  (u0 = result6) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  (integer_of_int32(select(intM_intP, shift(t_0,
  k_0))) = integer_of_int32(v)) ->
  ("JC_106": (integer_of_int32(l) <= k_0))

goal BinarySearch_binary_search_ensures_failure_po_6:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_106":
  (forall k_0:int.
    (((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
     ((integer_of_int32(select(intM_intP, shift(t_0,
      k_0))) = integer_of_int32(v)) ->
      ((integer_of_int32(l) <= k_0) and (k_0 <= integer_of_int32(u))))))) ->
  ("JC_109":
  (("JC_107": (0 <= integer_of_int32(l))) and
   ("JC_108": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_116":
  (("JC_114": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_115": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) > integer_of_int32(v)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) - 1)) ->
  forall u0:int32.
  (u0 = result6) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  (integer_of_int32(select(intM_intP, shift(t_0,
  k_0))) = integer_of_int32(v)) ->
  ("JC_106": (k_0 <= integer_of_int32(u0)))

goal BinarySearch_binary_search_ensures_failure_po_7:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_106":
  (forall k_0:int.
    (((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
     ((integer_of_int32(select(intM_intP, shift(t_0,
      k_0))) = integer_of_int32(v)) ->
      ((integer_of_int32(l) <= k_0) and (k_0 <= integer_of_int32(u))))))) ->
  ("JC_109":
  (("JC_107": (0 <= integer_of_int32(l))) and
   ("JC_108": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_116":
  (("JC_114": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_115": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) <= integer_of_int32(v)) ->
  forall return:int32.
  (return = m) ->
  (integer_of_int32(return) = (-1)) ->
  forall k:int.
  ((0 <= k) and (k < (offset_max(Object_alloc_table, t_0) + 1))) ->
  ("JC_61": (integer_of_int32(select(intM_intP, shift(t_0,
  k))) <> integer_of_int32(v)))

goal BinarySearch_binary_search_ensures_failure_po_8:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (is_sorted(t_0, Object_alloc_table, intM_intP) and
   (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
    ("JC_49": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_106":
  (forall k_0:int.
    (((0 <= k_0) and (k_0 < (offset_max(Object_alloc_table, t_0) + 1))) ->
     ((integer_of_int32(select(intM_intP, shift(t_0,
      k_0))) = integer_of_int32(v)) ->
      ((integer_of_int32(l) <= k_0) and (k_0 <= integer_of_int32(u))))))) ->
  ("JC_109":
  (("JC_107": (0 <= integer_of_int32(l))) and
   ("JC_108": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) > integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (-1)) ->
  forall return:int32.
  (return = result2) ->
  (integer_of_int32(return) = (-1)) ->
  forall k:int.
  ((0 <= k) and (k < (offset_max(Object_alloc_table, t_0) + 1))) ->
  ("JC_61": (integer_of_int32(select(intM_intP, shift(t_0,
  k))) <> integer_of_int32(v)))

goal BinarySearch_binary_search_ensures_success_po_1:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_99": true) ->
  ("JC_97":
  (("JC_95": (0 <= integer_of_int32(l))) and
   ("JC_96": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  forall result3:int32.
  (integer_of_int32(result3) = computer_div(integer_of_int32(result2), 2)) ->
  forall m:int32.
  (m = result3) ->
  ("JC_104":
  (("JC_102": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_103": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  forall result4:int32.
  (result4 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) <= integer_of_int32(v)) ->
  forall return:int32.
  (return = m) ->
  (integer_of_int32(return) >= 0) ->
  ("JC_59": (integer_of_int32(select(intM_intP, shift(t_0,
  integer_of_int32(return)))) = integer_of_int32(v)))

goal BinarySearch_binary_search_ensures_success_po_2:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_99": true) ->
  ("JC_97":
  (("JC_95": (0 <= integer_of_int32(l))) and
   ("JC_96": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) > integer_of_int32(u)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (-1)) ->
  forall return:int32.
  (return = result2) ->
  (integer_of_int32(return) >= 0) ->
  ("JC_59": (integer_of_int32(select(intM_intP, shift(t_0,
  integer_of_int32(return)))) = integer_of_int32(v)))

goal BinarySearch_binary_search_safety_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1))

goal BinarySearch_binary_search_safety_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ((-2147483648) <= (result0 - 1))

goal BinarySearch_binary_search_safety_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ((result0 - 1) <= 2147483647)

goal BinarySearch_binary_search_safety_po_4:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  ((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l)))

goal BinarySearch_binary_search_safety_po_5:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)

goal BinarySearch_binary_search_safety_po_6:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0)

goal BinarySearch_binary_search_safety_po_7:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  ((-2147483648) <= result3)

goal BinarySearch_binary_search_safety_po_8:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (result3 <= 2147483647)

goal BinarySearch_binary_search_safety_po_9:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  (offset_min(Object_alloc_table, t_0) <= integer_of_int32(m))

goal BinarySearch_binary_search_safety_po_10:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))

goal BinarySearch_binary_search_safety_po_11:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) < integer_of_int32(v)) ->
  ((-2147483648) <= (integer_of_int32(m) + 1))

goal BinarySearch_binary_search_safety_po_12:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) < integer_of_int32(v)) ->
  ((integer_of_int32(m) + 1) <= 2147483647)

goal BinarySearch_binary_search_safety_po_13:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) < integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(m) + 1)) and
   ((integer_of_int32(m) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) + 1)) ->
  forall l0:int32.
  (l0 = result6) ->
  (0 <= ("JC_82": (integer_of_int32(u) - integer_of_int32(l))))

goal BinarySearch_binary_search_safety_po_14:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) < integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(m) + 1)) and
   ((integer_of_int32(m) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) + 1)) ->
  forall l0:int32.
  (l0 = result6) ->
  (("JC_82": (integer_of_int32(u) - integer_of_int32(l0))) < ("JC_82":
                                                             (integer_of_int32(u) - integer_of_int32(l))))

goal BinarySearch_binary_search_safety_po_15:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) >= integer_of_int32(v)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result6) > integer_of_int32(v)) ->
  ((-2147483648) <= (integer_of_int32(m) - 1))

goal BinarySearch_binary_search_safety_po_16:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) >= integer_of_int32(v)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result6) > integer_of_int32(v)) ->
  ((integer_of_int32(m) - 1) <= 2147483647)

goal BinarySearch_binary_search_safety_po_17:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) >= integer_of_int32(v)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result6) > integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(m) - 1)) and
   ((integer_of_int32(m) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(m) - 1)) ->
  forall u0:int32.
  (u0 = result7) ->
  (0 <= ("JC_82": (integer_of_int32(u) - integer_of_int32(l))))

goal BinarySearch_binary_search_safety_po_18:
  forall t_0:Object pointer.
  forall v:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t_0, Object_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall l:int32.
  forall u:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_66": (0 <= integer_of_int32(l))) and
   ("JC_67": (integer_of_int32(u) <= ((offset_max(Object_alloc_table,
   t_0) + 1) - 1))))) ->
  (integer_of_int32(l) <= integer_of_int32(u)) ->
  (((-2147483648) <= (integer_of_int32(u) + integer_of_int32(l))) and
   ((integer_of_int32(u) + integer_of_int32(l)) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(u) + integer_of_int32(l))) ->
  (2 <> 0) ->
  forall result3:int.
  (result3 = computer_div(integer_of_int32(result2), 2)) ->
  (((-2147483648) <= result3) and (result3 <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = result3) ->
  forall m:int32.
  (m = result4) ->
  ("JC_77":
  (("JC_75": (integer_of_int32(l) <= integer_of_int32(m))) and
   ("JC_76": (integer_of_int32(m) <= integer_of_int32(u))))) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) >= integer_of_int32(v)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result6) > integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(m) - 1)) and
   ((integer_of_int32(m) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(m) - 1)) ->
  forall u0:int32.
  (u0 = result7) ->
  (("JC_82": (integer_of_int32(u0) - integer_of_int32(l))) < ("JC_82":
                                                             (integer_of_int32(u) - integer_of_int32(l))))

// RUNSIMPLIFY this tells regtests to run Simplify in this example
========== generation of Simplify VC output ==========
========== file tests/java/simplify/BinarySearch_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom BinarySearch_parenttag_Object
 (EQ (parenttag BinarySearch_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (is_sorted t Object_alloc_table_at_L intM_intP_at_L)
  (AND (Non_null_intM t Object_alloc_table_at_L)
  (FORALL (i j)
  (IMPLIES
  (AND (<= 0 i)
  (AND (<= i j) (< j (+ (offset_max Object_alloc_table_at_L t) 1))))
  (<= (integer_of_int32 (select intM_intP_at_L (shift t i))) (integer_of_int32
                                                             (select
                                                             intM_intP_at_L 
                                                             (shift t j))))))))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_BinarySearch p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_BinarySearch p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_BinarySearch p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_BinarySearch p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; BinarySearch_binary_search_ensures_default_po_1, File "HOME/tests/java/BinarySearch.java", line 79, characters 7-13
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(<= 0 (integer_of_int32 result)))))))))))

;; BinarySearch_binary_search_ensures_default_po_2, File "HOME/tests/java/BinarySearch.java", line 79, characters 17-34
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(<= (integer_of_int32 result1) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))))))))))

;; BinarySearch_binary_search_ensures_default_po_3, File "HOME/tests/java/BinarySearch.java", line 91, characters 23-29
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3) (<= (integer_of_int32 l) (integer_of_int32 m)))))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_4, File "HOME/tests/java/BinarySearch.java", line 91, characters 28-34
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3) (<= (integer_of_int32 m) (integer_of_int32 u)))))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_5, File "HOME/tests/java/BinarySearch.java", line 79, characters 7-13
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 m) 1))
(FORALL (l0) (IMPLIES (EQ l0 result5) (<= 0 (integer_of_int32 l0)))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_6, File "HOME/tests/java/BinarySearch.java", line 79, characters 17-34
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (- (integer_of_int32 m) 1))
(FORALL (u0)
(IMPLIES (EQ u0 result6)
(<= (integer_of_int32 u0) (- (+ (offset_max Object_alloc_table t_0) 1) 1))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_7, File "HOME/tests/java/BinarySearch.java", line 65, characters 16-29
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (<= (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (return)
(IMPLIES (EQ return m) (<= (- 0 1) (integer_of_int32 return))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_8, File "HOME/tests/java/BinarySearch.java", line 65, characters 22-40
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (<= (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (return)
(IMPLIES (EQ return m)
(< (integer_of_int32 return) (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_9, File "HOME/tests/java/BinarySearch.java", line 65, characters 16-29
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (> (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (- 0 1))
(FORALL (return)
(IMPLIES (EQ return result2) (<= (- 0 1) (integer_of_int32 return)))))))))))))))))))

;; BinarySearch_binary_search_ensures_default_po_10, File "HOME/tests/java/BinarySearch.java", line 65, characters 22-40
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (> (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (- 0 1))
(FORALL (return)
(IMPLIES (EQ return result2)
(< (integer_of_int32 return) (+ (offset_max Object_alloc_table t_0) 1)))))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_1, File "HOME/tests/java/BinarySearch.java", line 82, characters 8-74
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
(IMPLIES (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
(<= (integer_of_int32 result) k_0)))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_2, File "HOME/tests/java/BinarySearch.java", line 82, characters 8-74
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
(IMPLIES (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
(<= k_0 (integer_of_int32 result1))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_3, File "HOME/tests/java/BinarySearch.java", line 82, characters 8-74
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (FORALL (k_0)
         (IMPLIES
         (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
         (IMPLIES
         (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
         (AND (<= (integer_of_int32 l) k_0) (<= k_0 (integer_of_int32 u))))))
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 m) 1))
(FORALL (l0)
(IMPLIES (EQ l0 result5)
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
(IMPLIES (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
(<= (integer_of_int32 l0) k_0))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_4, File "HOME/tests/java/BinarySearch.java", line 82, characters 8-74
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (FORALL (k_0)
         (IMPLIES
         (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
         (IMPLIES
         (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
         (AND (<= (integer_of_int32 l) k_0) (<= k_0 (integer_of_int32 u))))))
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 m) 1))
(FORALL (l0)
(IMPLIES (EQ l0 result5)
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
(IMPLIES (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
(<= k_0 (integer_of_int32 u)))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_5, File "HOME/tests/java/BinarySearch.java", line 82, characters 8-74
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (FORALL (k_0)
         (IMPLIES
         (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
         (IMPLIES
         (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
         (AND (<= (integer_of_int32 l) k_0) (<= k_0 (integer_of_int32 u))))))
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (- (integer_of_int32 m) 1))
(FORALL (u0)
(IMPLIES (EQ u0 result6)
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
(IMPLIES (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
(<= (integer_of_int32 l) k_0)))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_6, File "HOME/tests/java/BinarySearch.java", line 82, characters 8-74
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (FORALL (k_0)
         (IMPLIES
         (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
         (IMPLIES
         (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
         (AND (<= (integer_of_int32 l) k_0) (<= k_0 (integer_of_int32 u))))))
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (- (integer_of_int32 m) 1))
(FORALL (u0)
(IMPLIES (EQ u0 result6)
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
(IMPLIES (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
(<= k_0 (integer_of_int32 u0))))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_7, File "HOME/tests/java/BinarySearch.java", line 73, characters 17-96
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (FORALL (k_0)
         (IMPLIES
         (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
         (IMPLIES
         (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
         (AND (<= (integer_of_int32 l) k_0) (<= k_0 (integer_of_int32 u))))))
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (<= (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (return)
(IMPLIES (EQ return m)
(IMPLIES (EQ (integer_of_int32 return) (- 0 1))
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k (+ (offset_max Object_alloc_table t_0) 1)))
(NEQ (integer_of_int32 (select intM_intP (shift t_0 k)))
(integer_of_int32 v))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_failure_po_8, File "HOME/tests/java/BinarySearch.java", line 73, characters 17-96
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (is_sorted t_0 Object_alloc_table intM_intP)
         (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES (FORALL (k_0)
         (IMPLIES
         (AND (<= 0 k_0) (< k_0 (+ (offset_max Object_alloc_table t_0) 1)))
         (IMPLIES
         (EQ (integer_of_int32 (select intM_intP (shift t_0 k_0)))
         (integer_of_int32 v))
         (AND (<= (integer_of_int32 l) k_0) (<= k_0 (integer_of_int32 u))))))
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (> (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (- 0 1))
(FORALL (return)
(IMPLIES (EQ return result2)
(IMPLIES (EQ (integer_of_int32 return) (- 0 1))
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k (+ (offset_max Object_alloc_table t_0) 1)))
(NEQ (integer_of_int32 (select intM_intP (shift t_0 k)))
(integer_of_int32 v)))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_success_po_1, File "HOME/tests/java/BinarySearch.java", line 67, characters 18-50
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (computer_div (integer_of_int32 result2) 2))
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(FORALL (result4)
(IMPLIES (EQ result4 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (<= (integer_of_int32 result5) (integer_of_int32 v))
(FORALL (return)
(IMPLIES (EQ return m)
(IMPLIES (>= (integer_of_int32 return) 0)
(EQ (integer_of_int32
    (select intM_intP (shift t_0 (integer_of_int32 return))))
(integer_of_int32 v))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_ensures_success_po_2, File "HOME/tests/java/BinarySearch.java", line 67, characters 18-50
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (> (integer_of_int32 l) (integer_of_int32 u))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2) (- 0 1))
(FORALL (return)
(IMPLIES (EQ return result2)
(IMPLIES (>= (integer_of_int32 return) 0)
(EQ (integer_of_int32
    (select intM_intP (shift t_0 (integer_of_int32 return))))
(integer_of_int32 v)))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_1, File "why/BinarySearch.why", line 955, characters 40-182
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(>= (offset_max Object_alloc_table t_0) (- 0 1)))))))

;; BinarySearch_binary_search_safety_po_2, File "HOME/tests/java/BinarySearch.java", line 77, characters 16-28
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(<= (- 0 constant_too_large_2147483648) (- result0 1))))))))))

;; BinarySearch_binary_search_safety_po_3, File "HOME/tests/java/BinarySearch.java", line 77, characters 16-28
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(<= (- result0 1) constant_too_large_2147483647)))))))))

;; BinarySearch_binary_search_safety_po_4, File "HOME/tests/java/BinarySearch.java", line 88, characters 17-22
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) (integer_of_int32
                                                                l)))))))))))))))))))

;; BinarySearch_binary_search_safety_po_5, File "HOME/tests/java/BinarySearch.java", line 88, characters 17-22
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647)))))))))))))))))

;; BinarySearch_binary_search_safety_po_6, File "HOME/tests/java/BinarySearch.jc", line 120, characters 36-67
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(NEQ 2 0))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_7, File "HOME/tests/java/BinarySearch.java", line 88, characters 16-27
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(<= (- 0 constant_too_large_2147483648) result3)))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_8, File "HOME/tests/java/BinarySearch.java", line 88, characters 16-27
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(<= result3 constant_too_large_2147483647)))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_9, File "HOME/tests/java/BinarySearch.java", line 92, characters 9-13
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_10, File "HOME/tests/java/BinarySearch.java", line 92, characters 9-13
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(<= (integer_of_int32 m) (offset_max Object_alloc_table t_0))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_11, File "HOME/tests/java/BinarySearch.java", line 92, characters 23-28
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 v))
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 m) 1))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_12, File "HOME/tests/java/BinarySearch.java", line 92, characters 23-28
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 v))
(<= (+ (integer_of_int32 m) 1) constant_too_large_2147483647)))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_13, File "HOME/tests/java/BinarySearch.java", line 84, characters 7-10
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 m) 1))
         (<= (+ (integer_of_int32 m) 1) constant_too_large_2147483647))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (+ (integer_of_int32 m) 1))
(FORALL (l0)
(IMPLIES (EQ l0 result6)
(<= 0 (- (integer_of_int32 u) (integer_of_int32 l))))))))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_14, File "HOME/tests/java/BinarySearch.java", line 84, characters 7-10
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 m) 1))
         (<= (+ (integer_of_int32 m) 1) constant_too_large_2147483647))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (+ (integer_of_int32 m) 1))
(FORALL (l0)
(IMPLIES (EQ l0 result6)
(< (- (integer_of_int32 u) (integer_of_int32 l0)) (- (integer_of_int32 u) 
                                                  (integer_of_int32 l))))))))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_15, File "HOME/tests/java/BinarySearch.java", line 93, characters 28-33
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result6) (integer_of_int32 v))
(<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 m) 1))))))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_16, File "HOME/tests/java/BinarySearch.java", line 93, characters 28-33
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result6) (integer_of_int32 v))
(<= (- (integer_of_int32 m) 1) constant_too_large_2147483647)))))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_17, File "HOME/tests/java/BinarySearch.java", line 84, characters 7-10
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result6) (integer_of_int32 v))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 m) 1))
         (<= (- (integer_of_int32 m) 1) constant_too_large_2147483647))
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (- (integer_of_int32 m) 1))
(FORALL (u0)
(IMPLIES (EQ u0 result7)
(<= 0 (- (integer_of_int32 u) (integer_of_int32 l))))))))))))))))))))))))))))))))))))))))))))))

;; BinarySearch_binary_search_safety_po_18, File "HOME/tests/java/BinarySearch.java", line 84, characters 7-10
(FORALL (t_0)
(FORALL (v)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (l)
(FORALL (u)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l))
         (<= (integer_of_int32 u) (- (+ (offset_max Object_alloc_table t_0) 1) 1)))
(IMPLIES (<= (integer_of_int32 l) (integer_of_int32 u))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 u) 
                                                 (integer_of_int32 l)))
         (<= (+ (integer_of_int32 u) (integer_of_int32 l)) constant_too_large_2147483647))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (+ (integer_of_int32 u) (integer_of_int32 l)))
(IMPLIES (NEQ 2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (computer_div (integer_of_int32 result2) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result3)
         (<= result3 constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) result3)
(FORALL (m)
(IMPLIES (EQ m result4)
(IMPLIES (AND (<= (integer_of_int32 l) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max Object_alloc_table t_0)))
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result6) (integer_of_int32 v))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 m) 1))
         (<= (- (integer_of_int32 m) 1) constant_too_large_2147483647))
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (- (integer_of_int32 m) 1))
(FORALL (u0)
(IMPLIES (EQ u0 result7)
(< (- (integer_of_int32 u0) (integer_of_int32 l)) (- (integer_of_int32 u) 
                                                  (integer_of_int32 l))))))))))))))))))))))))))))))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/BinarySearch_why.sx  : .....................#..?.........?... (35/0/2/1/0)
total   :  38
valid   :  35 ( 92%)
invalid :   0 (  0%)
unknown :   2 (  5%)
timeout :   1 (  3%)
failure :   0 (  0%)
why-2.34/tests/java/oracle/Termination.err.oracle0000644000175000017500000000000012311670312020402 0ustar  rtuserswhy-2.34/tests/java/oracle/Muller.res.oracle0000644000175000017500000221234412311670312017374 0ustar  rtusers========== file tests/java/Muller.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ SeparationPolicy = Regions

/*@ axiomatic NumOfPos {
  @  logic integer num_of_pos{L}(integer i,integer j,int t[]);
  @  axiom num_of_pos_empty{L} :
  @   \forall integer i j, int t[];
  @    i >= j ==> num_of_pos(i,j,t) == 0;
  @  axiom num_of_pos_true_case{L} :
  @   \forall integer i j, int t[];
  @       i < j && t[j-1] > 0 ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t) + 1;
  @  axiom num_of_pos_false_case{L} :
  @   \forall integer i j, int t[];
  @       i < j && ! (t[j-1] > 0) ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t);
  @ }
  @*/


/*@ lemma num_of_pos_non_negative{L} :
  @   \forall integer i j, int t[]; 0 <= num_of_pos(i,j,t);
  @*/

/*@ lemma num_of_pos_additive{L} :
  @   \forall integer i j k, int t[]; i <= j <= k ==>
  @       num_of_pos(i,k,t) == num_of_pos(i,j,t) + num_of_pos(j,k,t);
  @*/

/*@ lemma num_of_pos_increasing{L} :
  @   \forall integer i j k, int t[];
  @       j <= k ==> num_of_pos(i,j,t) <= num_of_pos(i,k,t);
  @*/

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i n, int t[];
  @       0 <= i < n && t[i] > 0 ==>
  @       num_of_pos(0,i,t) < num_of_pos(0,n,t);
  @*/

public class Muller {

    /*@ requires t != null;
      @*/
    public static int[] m(int t[]) {
	int count = 0;

	/*@ loop_invariant
	  @    0 <= i <= t.length &&
	  @    0 <= count <= i &&
	  @    count == num_of_pos(0,i,t) ;
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) if (t[i] > 0) count++;

	int u[] = new int[count];
	count = 0;

	/*@ loop_invariant
	  @    0 <= i <= t.length &&
	  @    0 <= count <= i &&
	  @    count == num_of_pos(0,i,t);
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) {
	    if (t[i] > 0) u[count++] = t[i];
	}
	return u;
    }

}

/*
Local Variables:
compile-command: "make Muller.why3ide"
End:
*/
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Muller for constructor Muller
Generating JC function Muller_m for method Muller.m
Done.
========== file tests/java/Muller.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Muller = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

axiomatic NumOfPos {

  logic integer num_of_pos{L}(integer i, integer j, intM[0..] t)
   
  axiom num_of_pos_false_case{L} :
  (\forall integer i_2;
    (\forall integer j_2;
      (\forall intM[0..] t_2;
        (((i_2 < j_2) && (! ((t_2 + (j_2 - 1)).intP > 0))) ==>
          (num_of_pos{L}(i_2, j_2, t_2) ==
            num_of_pos{L}(i_2, (j_2 - 1), t_2))))))
   
  axiom num_of_pos_true_case{L} :
  (\forall integer i_1;
    (\forall integer j_1;
      (\forall intM[0..] t_1;
        (((i_1 < j_1) && ((t_1 + (j_1 - 1)).intP > 0)) ==>
          (num_of_pos{L}(i_1, j_1, t_1) ==
            (num_of_pos{L}(i_1, (j_1 - 1), t_1) + 1))))))
   
  axiom num_of_pos_empty{L} :
  (\forall integer i_0;
    (\forall integer j_0;
      (\forall intM[0..] t_0;
        ((i_0 >= j_0) ==> (num_of_pos{L}(i_0, j_0, t_0) == 0)))))
  
}

lemma num_of_pos_non_negative{L} :
(\forall integer i_3;
  (\forall integer j_3;
    (\forall intM[0..] t_3;
      (0 <= num_of_pos{L}(i_3, j_3, t_3)))))

lemma num_of_pos_additive{L} :
(\forall integer i_4;
  (\forall integer j_4;
    (\forall integer k;
      (\forall intM[0..] t_4;
        (((i_4 <= j_4) && (j_4 <= k)) ==>
          (num_of_pos{L}(i_4, k, t_4) ==
            (num_of_pos{L}(i_4, j_4, t_4) + num_of_pos{L}(j_4, k, t_4))))))))

lemma num_of_pos_increasing{L} :
(\forall integer i_5;
  (\forall integer j_5;
    (\forall integer k_0;
      (\forall intM[0..] t_5;
        ((j_5 <= k_0) ==>
          (num_of_pos{L}(i_5, j_5, t_5) <= num_of_pos{L}(i_5, k_0, t_5)))))))

lemma num_of_pos_strictly_increasing{L} :
(\forall integer i_6;
  (\forall integer n;
    (\forall intM[0..] t_6;
      ((((0 <= i_6) && (i_6 < n)) && ((t_6 + i_6).intP > 0)) ==>
        (num_of_pos{L}(0, i_6, t_6) < num_of_pos{L}(0, n, t_6))))))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Muller(! Muller[0] this_0){()}

intM[0..] Muller_m(intM[0..] t_7)
  requires (K_1 : Non_null_intM(t_7));
{  
   {  
      (var int32 count = (K_39 : 0));
      
      {  
         {  
            {  
               (var int32 i_7 = (K_2 : 0));
               
               loop 
               behavior default:
                 invariant (K_11 : ((K_10 : ((K_9 : ((K_8 : (0 <= i_7)) &&
                                                      (K_7 : (i_7 <=
                                                               (\offset_max(t_7) +
                                                                 1))))) &&
                                              (K_6 : ((K_5 : (0 <= count)) &&
                                                       (K_4 : (count <= i_7)))))) &&
                                     (K_3 : (count ==
                                              num_of_pos{Here}(0, i_7, t_7)))));
               
               variant (K_12 : ((\offset_max(t_7) + 1) - i_7));
               for ( ; (K_18 : (i_7 < (K_17 : java_array_length_intM(t_7)))) ; 
               (K_16 : (i_7 ++)))
               {  (if (K_15 : ((K_14 : (t_7 + i_7).intP) > 0)) then (K_13 : 
                                                                    (count ++)) else ())
               }
            }
         };
         
         {  
            (var intM[0..] u = (K_38 : (new intM[count])));
            
            {  (count = 0);
               
               {  
                  {  
                     (var int32 i_8 = (K_19 : 0));
                     
                     loop 
                     behavior default:
                       invariant (K_28 : ((K_27 : ((K_26 : ((K_25 : (0 <=
                                                                    i_8)) &&
                                                             (K_24 : 
                                                             (i_8 <=
                                                               (\offset_max(t_7) +
                                                                 1))))) &&
                                                    (K_23 : ((K_22 : 
                                                             (0 <=
                                                               count)) &&
                                                              (K_21 : 
                                                              (count <=
                                                                i_8)))))) &&
                                           (K_20 : (count ==
                                                     num_of_pos{Here}(
                                                     0, i_8, t_7)))));
                     
                     variant (K_29 : ((\offset_max(t_7) + 1) - i_8));
                     for ( ; (K_37 : (i_8 <
                                       (K_36 : java_array_length_intM(t_7)))) ; 
                     (K_35 : (i_8 ++)))
                     {  (if (K_34 : ((K_33 : (t_7 + i_8).intP) > 0)) then 
                        (K_32 : ((u + (K_30 : (count ++))).intP = (K_31 : 
                                                                  (t_7 +
                                                                    i_8).intP))) else ())
                     }
                  }
               };
               
               (return u)
            }
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Muller.jloc tests/java/Muller.jc && make -f tests/java/Muller.makefile gui"
End:
*/
========== file tests/java/Muller.jloc ==========
[K_30]
file = "HOME/tests/java/Muller.java"
line = 96
begin = 21
end = 28

[K_23]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 8
end = 23

[K_33]
file = "HOME/tests/java/Muller.java"
line = 96
begin = 9
end = 13

[K_17]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 20
end = 28

[K_11]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 91

[K_38]
file = "HOME/tests/java/Muller.java"
line = 86
begin = 11
end = 25

[K_25]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 14

[K_13]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 49
end = 56

[num_of_pos_non_negative]
name = "Lemma num_of_pos_non_negative"
file = "HOME/tests/java/Muller.java"
line = 51
begin = 10
end = 33

[K_9]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 26

[K_28]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 91

[K_1]
file = "HOME/tests/java/Muller.java"
line = 73
begin = 17
end = 26

[K_15]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 39
end = 47

[K_4]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 13
end = 23

[K_12]
file = "HOME/tests/java/Muller.java"
line = 82
begin = 18
end = 30

[K_34]
file = "HOME/tests/java/Muller.java"
line = 96
begin = 9
end = 17

[K_20]
file = "HOME/tests/java/Muller.java"
line = 92
begin = 8
end = 34

[cons_Muller]
name = "Constructor of class Muller"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_2]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 12
end = 13

[K_29]
file = "HOME/tests/java/Muller.java"
line = 93
begin = 18
end = 30

[num_of_pos_false_case]
name = "Lemma num_of_pos_false_case"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_10]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 53

[K_35]
file = "HOME/tests/java/Muller.java"
line = 95
begin = 30
end = 33

[K_6]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 8
end = 23

[K_8]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 14

[num_of_pos_increasing]
name = "Lemma num_of_pos_increasing"
file = "HOME/tests/java/Muller.java"
line = 60
begin = 10
end = 31

[K_3]
file = "HOME/tests/java/Muller.java"
line = 81
begin = 8
end = 34

[num_of_pos_true_case]
name = "Lemma num_of_pos_true_case"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_31]
file = "HOME/tests/java/Muller.java"
line = 96
begin = 32
end = 36

[K_32]
file = "HOME/tests/java/Muller.java"
line = 96
begin = 19
end = 36

[K_27]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 53

[K_21]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 13
end = 23

[num_of_pos_strictly_increasing]
name = "Lemma num_of_pos_strictly_increasing"
file = "HOME/tests/java/Muller.java"
line = 65
begin = 10
end = 40

[K_24]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 13
end = 26

[K_14]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 39
end = 43

[num_of_pos_additive]
name = "Lemma num_of_pos_additive"
file = "HOME/tests/java/Muller.java"
line = 55
begin = 10
end = 29

[K_39]
file = "HOME/tests/java/Muller.java"
line = 76
begin = 13
end = 14

[K_36]
file = "HOME/tests/java/Muller.java"
line = 95
begin = 20
end = 28

[Muller_m]
name = "Method m"
file = "HOME/tests/java/Muller.java"
line = 75
begin = 24
end = 25

[K_37]
file = "HOME/tests/java/Muller.java"
line = 95
begin = 16
end = 28

[num_of_pos_empty]
name = "Lemma num_of_pos_empty"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_19]
file = "HOME/tests/java/Muller.java"
line = 95
begin = 12
end = 13

[K_5]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 8
end = 18

[K_18]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 16
end = 28

[K_7]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 13
end = 26

[K_26]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 26

[K_22]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 8
end = 18

[K_16]
file = "HOME/tests/java/Muller.java"
line = 84
begin = 30
end = 33

========== jessie execution ==========
Generating Why function cons_Muller
Generating Why function Muller_m
========== file tests/java/Muller.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Muller.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Muller.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Muller_why.sx

project: why/Muller.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Muller_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Muller_why.vo

coq/Muller_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Muller_why.v: why/Muller.why
	@echo 'why -coq [...] why/Muller.why' && $(WHY) $(JESSIELIBFILES) why/Muller.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Muller_ctx_why.vo
	for f in why/*_po*.why; do make -f Muller.makefile coq/`basename $$f .why`_why.v ; done

coq/Muller_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Muller_ctx_why.v: why/Muller_ctx.why
	@echo 'why -coq [...] why/Muller_ctx.why' && $(WHY) why/Muller_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Muller_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Muller_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Muller_ctx_why.vo

pvs: pvs/Muller_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Muller_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Muller_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Muller_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Muller_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Muller_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Muller_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Muller_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Muller_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Muller_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Muller_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Muller_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Muller_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Muller_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Muller_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Muller.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Muller_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Muller.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Muller.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Muller.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Muller.depend

depend: coq/Muller_why.v
	-$(COQDEP) -I coq coq/Muller*_why.v > Muller.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Muller.loc ==========
[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 8
end = 18

[cons_Muller_ensures_default]
name = "Constructor of class Muller"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/tests/java/Muller.jc"
line = 145
begin = 15
end = 1030

[JC_80]
kind = UserCall
file = "HOME/tests/java/Muller.java"
line = 95
begin = 20
end = 28

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 14

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/tests/java/Muller.jc"
line = 174
begin = 21
end = 1740

[JC_64]
kind = UserCall
file = "HOME/tests/java/Muller.java"
line = 84
begin = 20
end = 28

[num_of_pos_non_negative]
name = "Lemma num_of_pos_non_negative"
behavior = "lemma"
file = "HOME/tests/java/Muller.java"
line = 51
begin = 10
end = 33

[JC_99]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 14

[JC_85]
kind = PointerDeref
file = "HOME/tests/java/Muller.java"
line = 96
begin = 19
end = 36

[Muller_m_ensures_default]
name = "Method m"
behavior = "default behavior"
file = "HOME/tests/java/Muller.java"
line = 75
begin = 24
end = 25

[JC_31]
file = "HOME/tests/java/Muller.jc"
line = 65
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
kind = IndexBounds
file = "HOME/tests/java/Muller.java"
line = 95
begin = 20
end = 28

[JC_55]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 14

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/Muller.jc"
line = 61
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
kind = ArithOverflow
file = "HOME/tests/java/Muller.jc"
line = 160
begin = 69
end = 77

[JC_9]
file = "HOME/tests/java/Muller.jc"
line = 52
begin = 8
end = 21

[JC_75]
file = "HOME/tests/java/Muller.java"
line = 92
begin = 8
end = 34

[JC_24]
file = "HOME/tests/java/Muller.jc"
line = 60
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/Muller.jc"
line = 61
begin = 11
end = 103

[JC_78]
file = "HOME/tests/java/Muller.jc"
line = 174
begin = 21
end = 1740

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 13
end = 23

[JC_47]
file = "HOME/tests/java/Muller.java"
line = 73
begin = 17
end = 26

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/Muller.jc"
line = 60
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/tests/java/Muller.jc"
line = 174
begin = 21
end = 1740

[JC_13]
file = "HOME/tests/java/Muller.jc"
line = 55
begin = 11
end = 66

[JC_82]
kind = PointerDeref
file = "HOME/tests/java/Muller.java"
line = 96
begin = 9
end = 13

[JC_87]
file = "HOME/tests/java/Muller.java"
line = 93
begin = 18
end = 30

[JC_11]
file = "HOME/tests/java/Muller.jc"
line = 52
begin = 8
end = 21

[JC_98]
kind = AllocSize
file = "HOME/tests/java/Muller.java"
line = 86
begin = 11
end = 25

[JC_70]
kind = AllocSize
file = "HOME/tests/java/Muller.java"
line = 86
begin = 11
end = 25

[JC_15]
file = "HOME/tests/java/Muller.jc"
line = 55
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 91

[JC_91]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 13
end = 23

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
kind = PointerDeref
file = "HOME/tests/java/Muller.java"
line = 96
begin = 32
end = 36

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_false_case]
name = "Lemma num_of_pos_false_case"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/tests/java/Muller.jc"
line = 174
begin = 21
end = 1740

[JC_69]
file = "HOME/tests/java/Muller.java"
line = 82
begin = 18
end = 30

[JC_38]
file = "HOME/tests/java/Muller.jc"
line = 67
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_increasing]
name = "Lemma num_of_pos_increasing"
behavior = "lemma"
file = "HOME/tests/java/Muller.java"
line = 60
begin = 10
end = 31

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_true_case]
name = "Lemma num_of_pos_true_case"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_62]
file = "HOME/tests/java/Muller.jc"
line = 145
begin = 15
end = 1030

[JC_101]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 8
end = 18

[JC_88]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 14

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[Muller_m_safety]
name = "Method m"
behavior = "Safety"
file = "HOME/tests/java/Muller.java"
line = 75
begin = 24
end = 25

[JC_103]
file = "HOME/tests/java/Muller.java"
line = 92
begin = 8
end = 34

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 13
end = 26

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
kind = IndexBounds
file = "HOME/tests/java/Muller.java"
line = 84
begin = 20
end = 28

[num_of_pos_strictly_increasing]
name = "Lemma num_of_pos_strictly_increasing"
behavior = "lemma"
file = "HOME/tests/java/Muller.java"
line = 65
begin = 10
end = 40

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Muller.jc"
line = 65
begin = 8
end = 23

[JC_68]
kind = ArithOverflow
file = "HOME/tests/java/Muller.jc"
line = 158
begin = 24
end = 30

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_additive]
name = "Lemma num_of_pos_additive"
behavior = "lemma"
file = "HOME/tests/java/Muller.java"
line = 55
begin = 10
end = 29

[JC_16]
file = "HOME/tests/java/Muller.jc"
line = 54
begin = 10
end = 18

[JC_96]
file = "HOME/tests/java/Muller.jc"
line = 145
begin = 15
end = 1030

[cons_Muller_safety]
name = "Constructor of class Muller"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/Muller.jc"
line = 145
begin = 15
end = 1030

[JC_93]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 91

[JC_97]
kind = UserCall
file = "HOME/tests/java/Muller.java"
line = 84
begin = 20
end = 28

[JC_84]
kind = ArithOverflow
file = "HOME/tests/java/Muller.jc"
line = 197
begin = 47
end = 55

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/Muller.jc"
line = 54
begin = 10
end = 18

[JC_90]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 8
end = 18

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Muller.jc"
line = 58
begin = 8
end = 30

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/java/Muller.java"
line = 73
begin = 17
end = 26

[JC_1]
file = "HOME/tests/java/Muller.jc"
line = 23
begin = 12
end = 22

[num_of_pos_empty]
name = "Lemma num_of_pos_empty"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_102]
file = "HOME/tests/java/Muller.java"
line = 91
begin = 13
end = 23

[JC_37]
file = "HOME/tests/java/Muller.jc"
line = 67
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
kind = UserCall
file = "HOME/tests/java/Muller.java"
line = 95
begin = 20
end = 28

[JC_57]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 8
end = 18

[JC_89]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 13
end = 26

[JC_66]
kind = PointerDeref
file = "HOME/tests/java/Muller.java"
line = 84
begin = 39
end = 43

[JC_59]
file = "HOME/tests/java/Muller.java"
line = 81
begin = 8
end = 34

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Muller.jc"
line = 23
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/Muller.java"
line = 81
begin = 8
end = 34

[JC_86]
kind = ArithOverflow
file = "HOME/tests/java/Muller.jc"
line = 195
begin = 30
end = 36

[JC_60]
file = "HOME/tests/java/Muller.java"
line = 79
begin = 8
end = 91

[JC_72]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 13
end = 26

[JC_19]
file = "HOME/tests/java/Muller.jc"
line = 58
begin = 8
end = 30

[JC_76]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 8
end = 91

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/Muller.java"
line = 80
begin = 13
end = 23

[JC_100]
file = "HOME/tests/java/Muller.java"
line = 90
begin = 13
end = 26

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Muller.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Muller_tag:  -> Object tag_id

axiom Muller_parenttag_Object : parenttag(Muller_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_x_2_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_x_2_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_x_1_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_x_1_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Muller(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

logic num_of_pos: int, int, Object pointer, (Object, int32) memory -> int

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Muller(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Muller(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Muller(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom num_of_pos_false_case :
 (forall intM_intP_t_8_at_L:(Object, int32) memory.
  (forall i_2:int.
   (forall j_2:int.
    (forall t_2:Object pointer.
     ((lt_int(i_2, j_2)
      and (not gt_int(integer_of_int32(select(intM_intP_t_8_at_L,
                                       shift(t_2, sub_int(j_2, (1))))),
               (0)))) ->
      (num_of_pos(i_2, j_2, t_2, intM_intP_t_8_at_L) = num_of_pos(i_2,
                                                       sub_int(j_2, (1)),
                                                       t_2,
                                                       intM_intP_t_8_at_L)))))))

axiom num_of_pos_true_case :
 (forall intM_intP_t_8_at_L:(Object, int32) memory.
  (forall i_1:int.
   (forall j_1:int.
    (forall t_1:Object pointer.
     ((lt_int(i_1, j_1)
      and gt_int(integer_of_int32(select(intM_intP_t_8_at_L,
                                  shift(t_1, sub_int(j_1, (1))))),
          (0))) ->
      (num_of_pos(i_1, j_1, t_1, intM_intP_t_8_at_L) = add_int(num_of_pos(i_1,
                                                               sub_int(j_1,
                                                               (1)), t_1,
                                                               intM_intP_t_8_at_L),
                                                       (1))))))))

axiom num_of_pos_empty :
 (forall intM_intP_t_8_at_L:(Object, int32) memory.
  (forall i_0:int.
   (forall j_0:int.
    (forall t_0:Object pointer.
     (ge_int(i_0, j_0) ->
      (num_of_pos(i_0, j_0, t_0, intM_intP_t_8_at_L) = (0)))))))

lemma num_of_pos_non_negative :
 (forall intM_intP_t_3_18_at_L:(Object, int32) memory.
  (forall i_3:int.
   (forall j_3:int.
    (forall t_3:Object pointer.
     le_int((0), num_of_pos(i_3, j_3, t_3, intM_intP_t_3_18_at_L))))))

lemma num_of_pos_additive :
 (forall intM_intP_t_4_19_at_L:(Object, int32) memory.
  (forall i_4:int.
   (forall j_4:int.
    (forall k:int.
     (forall t_4:Object pointer.
      ((le_int(i_4, j_4) and le_int(j_4, k)) ->
       (num_of_pos(i_4, k, t_4, intM_intP_t_4_19_at_L) = add_int(num_of_pos(i_4,
                                                                 j_4, t_4,
                                                                 intM_intP_t_4_19_at_L),
                                                         num_of_pos(j_4, k,
                                                         t_4,
                                                         intM_intP_t_4_19_at_L)))))))))

lemma num_of_pos_increasing :
 (forall intM_intP_t_5_20_at_L:(Object, int32) memory.
  (forall i_5:int.
   (forall j_5:int.
    (forall k_0:int.
     (forall t_5:Object pointer.
      (le_int(j_5, k_0) ->
       le_int(num_of_pos(i_5, j_5, t_5, intM_intP_t_5_20_at_L),
       num_of_pos(i_5, k_0, t_5, intM_intP_t_5_20_at_L))))))))

lemma num_of_pos_strictly_increasing :
 (forall intM_intP_t_6_21_at_L:(Object, int32) memory.
  (forall i_6:int.
   (forall n:int.
    (forall t_6:Object pointer.
     ((le_int((0), i_6)
      and (lt_int(i_6, n)
          and gt_int(integer_of_int32(select(intM_intP_t_6_21_at_L,
                                      shift(t_6, i_6))),
              (0)))) ->
      lt_int(num_of_pos((0), i_6, t_6, intM_intP_t_6_21_at_L),
      num_of_pos((0), n, t_6, intM_intP_t_6_21_at_L)))))))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Muller_m :
 t_7:Object pointer ->
  Object_Muller_m_12_alloc_table:Object alloc_table ref ->
   Object_Muller_m_12_tag_table:Object tag_table ref ->
    intM_intP_Muller_m_12:(Object, int32) memory ref ->
     Object_t_7_10_alloc_table:Object alloc_table ->
      intM_intP_t_7_10:(Object, int32) memory ->
       { } Object pointer reads Object_Muller_m_12_alloc_table
       writes Object_Muller_m_12_alloc_table,Object_Muller_m_12_tag_table,intM_intP_Muller_m_12
       { true }

parameter Muller_m_requires :
 t_7:Object pointer ->
  Object_Muller_m_12_alloc_table:Object alloc_table ref ->
   Object_Muller_m_12_tag_table:Object tag_table ref ->
    intM_intP_Muller_m_12:(Object, int32) memory ref ->
     Object_t_7_10_alloc_table:Object alloc_table ->
      intM_intP_t_7_10:(Object, int32) memory ->
       { (JC_47: Non_null_intM(t_7, Object_t_7_10_alloc_table))}
       Object pointer reads Object_Muller_m_12_alloc_table
       writes Object_Muller_m_12_alloc_table,Object_Muller_m_12_tag_table,intM_intP_Muller_m_12
       { true }

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Muller :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Muller(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Muller_tag)))) }

parameter alloc_struct_Muller_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Muller(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Muller_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Muller :
 this_0:Object pointer ->
  Object_this_0_9_alloc_table:Object alloc_table -> { } unit { true }

parameter cons_Muller_requires :
 this_0:Object pointer ->
  Object_this_0_9_alloc_table:Object alloc_table -> { } unit { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_intM :
 x_3:Object pointer ->
  Object_x_6_alloc_table:Object alloc_table ->
   { } int
   { (JC_25:
     (le_int(result, (2147483647))
     and (ge_int(result, (0))
         and (result = add_int(offset_max(Object_x_6_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  Object_x_6_alloc_table:Object alloc_table ->
   { } int
   { (JC_25:
     (le_int(result, (2147483647))
     and (ge_int(result, (0))
         and (result = add_int(offset_max(Object_x_6_alloc_table, x_3), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_4:Object pointer ->
  Object_x_7_alloc_table:Object alloc_table ->
   { } bool
   { (JC_38:
     (if result then (offset_max(Object_x_7_alloc_table, x_4) = (0))
      else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  Object_x_7_alloc_table:Object alloc_table ->
   { } bool
   { (JC_38:
     (if result then (offset_max(Object_x_7_alloc_table, x_4) = (0))
      else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  Object_x_5_alloc_table:Object alloc_table ->
   { } bool
   { (JC_15:
     (if result
      then ge_int(offset_max(Object_x_5_alloc_table, x_2), neg_int((1)))
      else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  Object_x_5_alloc_table:Object alloc_table ->
   { } bool
   { (JC_15:
     (if result
      then ge_int(offset_max(Object_x_5_alloc_table, x_2), neg_int((1)))
      else (x_2 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Muller_m_ensures_default =
 fun (t_7 : Object pointer) (Object_Muller_m_12_alloc_table : Object alloc_table ref) (Object_Muller_m_12_tag_table : Object tag_table ref) (intM_intP_Muller_m_12 : (Object, int32) memory ref) (Object_t_7_10_alloc_table : Object alloc_table) (intM_intP_t_7_10 : (Object, int32) memory) ->
  { (left_valid_struct_intM(t_7, (0), Object_t_7_10_alloc_table)
    and (JC_49: Non_null_intM(t_7, Object_t_7_10_alloc_table))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let count = ref (safe_int32_of_integer_ (K_39: (0))) in
     begin
       (let i_7 = ref (safe_int32_of_integer_ (K_2: (0))) in
       try
        (loop_3:
        while true do
        { invariant
            (JC_93:
            ((JC_88: le_int((0), integer_of_int32(i_7)))
            and ((JC_89:
                 le_int(integer_of_int32(i_7),
                 add_int(offset_max(Object_t_7_10_alloc_table, t_7), (1))))
                and ((JC_90: le_int((0), integer_of_int32(count)))
                    and ((JC_91:
                         le_int(integer_of_int32(count),
                         integer_of_int32(i_7)))
                        and (JC_92:
                            (integer_of_int32(count) = num_of_pos((0),
                                                       integer_of_int32(i_7),
                                                       t_7, intM_intP_t_7_10))))))))
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_18:
                 ((lt_int_ (integer_of_int32 !i_7)) (K_17:
                                                    (let _jessie_ = t_7 in
                                                    (JC_97:
                                                    ((java_array_length_intM _jessie_) Object_t_7_10_alloc_table))))))
             then
              (if (K_15:
                  ((gt_int_ (integer_of_int32 (K_14:
                                              ((safe_acc_ intM_intP_t_7_10) 
                                               ((shift t_7) (integer_of_int32 !i_7)))))) (0)))
              then
               (let _jessie_ =
               (K_13:
               (let _jessie_ = !count in
               begin
                 (let _jessie_ =
                 (count := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
                 void); _jessie_ end)) in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_16:
           (let _jessie_ = !i_7 in
           begin
             (let _jessie_ =
             (i_7 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
             void); _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end);
      (let u =
      (K_38:
      (JC_98:
      (((alloc_struct_intM (integer_of_int32 !count)) Object_Muller_m_12_alloc_table) Object_Muller_m_12_tag_table))) in
      begin
        (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       (let i_8 = ref (safe_int32_of_integer_ (K_19: (0))) in
       try
        (loop_4:
        while true do
        { invariant
            (JC_104:
            ((JC_99: le_int((0), integer_of_int32(i_8)))
            and ((JC_100:
                 le_int(integer_of_int32(i_8),
                 add_int(offset_max(Object_t_7_10_alloc_table, t_7), (1))))
                and ((JC_101: le_int((0), integer_of_int32(count)))
                    and ((JC_102:
                         le_int(integer_of_int32(count),
                         integer_of_int32(i_8)))
                        and (JC_103:
                            (integer_of_int32(count) = num_of_pos((0),
                                                       integer_of_int32(i_8),
                                                       t_7, intM_intP_t_7_10))))))))
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_37:
                 ((lt_int_ (integer_of_int32 !i_8)) (K_36:
                                                    (let _jessie_ = t_7 in
                                                    (JC_108:
                                                    ((java_array_length_intM _jessie_) Object_t_7_10_alloc_table))))))
             then
              (if (K_34:
                  ((gt_int_ (integer_of_int32 (K_33:
                                              ((safe_acc_ intM_intP_t_7_10) 
                                               ((shift t_7) (integer_of_int32 !i_8)))))) (0)))
              then
               (let _jessie_ =
               (K_32:
               (let _jessie_ =
               (K_31:
               ((safe_acc_ intM_intP_t_7_10) ((shift t_7) (integer_of_int32 !i_8)))) in
               (let _jessie_ = u in
               (let _jessie_ =
               (integer_of_int32 (K_30:
                                 (let _jessie_ = !count in
                                 begin
                                   (let _jessie_ =
                                   (count := (safe_int32_of_integer_ 
                                              ((add_int (integer_of_int32 _jessie_)) (1)))) in
                                   void); _jessie_ end))) in
               (let _jessie_ = ((shift _jessie_) _jessie_) in
               (((safe_upd_ intM_intP_Muller_m_12) _jessie_) _jessie_)))))) in
               void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_35:
           (let _jessie_ = !i_8 in
           begin
             (let _jessie_ =
             (i_8 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
             void); _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := u); (raise Return)
      end) end); absurd  end with Return -> !return end)) { (JC_51: true) }

let Muller_m_safety =
 fun (t_7 : Object pointer) (Object_Muller_m_12_alloc_table : Object alloc_table ref) (Object_Muller_m_12_tag_table : Object tag_table ref) (intM_intP_Muller_m_12 : (Object, int32) memory ref) (Object_t_7_10_alloc_table : Object alloc_table) (intM_intP_t_7_10 : (Object, int32) memory) ->
  { (left_valid_struct_intM(t_7, (0), Object_t_7_10_alloc_table)
    and (JC_49: Non_null_intM(t_7, Object_t_7_10_alloc_table))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let count = ref (safe_int32_of_integer_ (K_39: (0))) in
     begin
       (let i_7 = ref (safe_int32_of_integer_ (K_2: (0))) in
       try
        (loop_1:
        while true do
        { invariant (JC_62: true)
          variant (JC_69 : sub_int(add_int(offset_max(Object_t_7_10_alloc_table,
                                           t_7),
                                   (1)),
                           integer_of_int32(i_7))) }
         begin
           [ { } unit reads count,i_7
             { (JC_60:
               ((JC_55: le_int((0), integer_of_int32(i_7)))
               and ((JC_56:
                    le_int(integer_of_int32(i_7),
                    add_int(offset_max(Object_t_7_10_alloc_table, t_7), (1))))
                   and ((JC_57: le_int((0), integer_of_int32(count)))
                       and ((JC_58:
                            le_int(integer_of_int32(count),
                            integer_of_int32(i_7)))
                           and (JC_59:
                               (integer_of_int32(count) = num_of_pos((0),
                                                          integer_of_int32(i_7),
                                                          t_7,
                                                          intM_intP_t_7_10)))))))) } ];
          try
           begin
             (if (K_18:
                 ((lt_int_ (integer_of_int32 !i_7)) (K_17:
                                                    (let _jessie_ = t_7 in
                                                    (JC_65:
                                                    (assert
                                                    { ge_int(offset_max(Object_t_7_10_alloc_table,
                                                             _jessie_),
                                                      (-1)) };
                                                    (JC_64:
                                                    ((java_array_length_intM_requires _jessie_) Object_t_7_10_alloc_table))))))))
             then
              (if (K_15:
                  ((gt_int_ (integer_of_int32 (K_14:
                                              (JC_66:
                                              ((((offset_acc_ Object_t_7_10_alloc_table) intM_intP_t_7_10) t_7) 
                                               (integer_of_int32 !i_7)))))) (0)))
              then
               (let _jessie_ =
               (K_13:
               (let _jessie_ = !count in
               begin
                 (let _jessie_ =
                 (count := (JC_67:
                           (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
                 void); _jessie_ end)) in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_16:
           (let _jessie_ = !i_7 in
           begin
             (let _jessie_ =
             (i_7 := (JC_68:
                     (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
             void); _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end);
      (let u =
      (K_38:
      (JC_70:
      (((alloc_struct_intM_requires (integer_of_int32 !count)) Object_Muller_m_12_alloc_table) Object_Muller_m_12_tag_table))) in
      begin
        (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       (let i_8 = ref (safe_int32_of_integer_ (K_19: (0))) in
       try
        (loop_2:
        while true do
        { invariant (JC_78: true)
          variant (JC_87 : sub_int(add_int(offset_max(Object_t_7_10_alloc_table,
                                           t_7),
                                   (1)),
                           integer_of_int32(i_8))) }
         begin
           [ { } unit reads count,i_8
             { (JC_76:
               ((JC_71: le_int((0), integer_of_int32(i_8)))
               and ((JC_72:
                    le_int(integer_of_int32(i_8),
                    add_int(offset_max(Object_t_7_10_alloc_table, t_7), (1))))
                   and ((JC_73: le_int((0), integer_of_int32(count)))
                       and ((JC_74:
                            le_int(integer_of_int32(count),
                            integer_of_int32(i_8)))
                           and (JC_75:
                               (integer_of_int32(count) = num_of_pos((0),
                                                          integer_of_int32(i_8),
                                                          t_7,
                                                          intM_intP_t_7_10)))))))) } ];
          try
           begin
             (if (K_37:
                 ((lt_int_ (integer_of_int32 !i_8)) (K_36:
                                                    (let _jessie_ = t_7 in
                                                    (JC_81:
                                                    (assert
                                                    { ge_int(offset_max(Object_t_7_10_alloc_table,
                                                             _jessie_),
                                                      (-1)) };
                                                    (JC_80:
                                                    ((java_array_length_intM_requires _jessie_) Object_t_7_10_alloc_table))))))))
             then
              (if (K_34:
                  ((gt_int_ (integer_of_int32 (K_33:
                                              (JC_82:
                                              ((((offset_acc_ Object_t_7_10_alloc_table) intM_intP_t_7_10) t_7) 
                                               (integer_of_int32 !i_8)))))) (0)))
              then
               (let _jessie_ =
               (K_32:
               (let _jessie_ =
               (K_31:
               (JC_83:
               ((((offset_acc_ Object_t_7_10_alloc_table) intM_intP_t_7_10) t_7) 
                (integer_of_int32 !i_8)))) in
               (let _jessie_ = u in
               (let _jessie_ =
               (integer_of_int32 (K_30:
                                 (let _jessie_ = !count in
                                 begin
                                   (let _jessie_ =
                                   (count := (JC_84:
                                             (int32_of_integer_ ((add_int 
                                                                  (integer_of_int32 _jessie_)) (1))))) in
                                   void); _jessie_ end))) in
               (let _jessie_ = ((shift _jessie_) _jessie_) in
               (JC_85:
               (((((offset_upd_ !Object_Muller_m_12_alloc_table) intM_intP_Muller_m_12) _jessie_) _jessie_) _jessie_))))))) in
               void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_35:
           (let _jessie_ = !i_8 in
           begin
             (let _jessie_ =
             (i_8 := (JC_86:
                     (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
             void); _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := u); (raise Return)
      end) end); absurd  end with Return -> !return end)) { true }

let cons_Muller_ensures_default =
 fun (this_0 : Object pointer) (Object_this_0_9_alloc_table : Object alloc_table) ->
  { valid_struct_Muller(this_0, (0), (0), Object_this_0_9_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_43: true) }

let cons_Muller_safety =
 fun (this_0 : Object pointer) (Object_this_0_9_alloc_table : Object alloc_table) ->
  { valid_struct_Muller(this_0, (0), (0), Object_this_0_9_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Muller.why
========== file tests/java/why/Muller.wpr ==========

  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  

========== file tests/java/why/Muller_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Muller_tag : Object tag_id

axiom Muller_parenttag_Object: parenttag(Muller_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_x_2_alloc_table: Object alloc_table) =
  (offset_max(Object_x_2_alloc_table, x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_x_1_alloc_table: Object alloc_table) =
  (offset_max(Object_x_1_alloc_table, x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Muller(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

logic num_of_pos : int, int, Object pointer, (Object, int32) memory -> int

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Muller(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Muller(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Muller(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom num_of_pos_false_case:
  (forall intM_intP_t_8_at_L:(Object, int32) memory.
    (forall i_2:int.
      (forall j_2:int.
        (forall t_2:Object pointer.
          (((i_2 < j_2) and (not (integer_of_int32(select(intM_intP_t_8_at_L,
            shift(t_2, (j_2 - 1)))) > 0))) ->
           (num_of_pos(i_2, j_2, t_2, intM_intP_t_8_at_L) = num_of_pos(i_2,
           (j_2 - 1), t_2, intM_intP_t_8_at_L)))))))

axiom num_of_pos_true_case:
  (forall intM_intP_t_8_at_L:(Object, int32) memory.
    (forall i_1:int.
      (forall j_1:int.
        (forall t_1:Object pointer.
          (((i_1 < j_1) and (integer_of_int32(select(intM_intP_t_8_at_L,
            shift(t_1, (j_1 - 1)))) > 0)) ->
           (num_of_pos(i_1, j_1, t_1, intM_intP_t_8_at_L) = (num_of_pos(i_1,
           (j_1 - 1), t_1, intM_intP_t_8_at_L) + 1)))))))

axiom num_of_pos_empty:
  (forall intM_intP_t_8_at_L:(Object, int32) memory.
    (forall i_0:int.
      (forall j_0:int.
        (forall t_0:Object pointer.
          ((i_0 >= j_0) -> (num_of_pos(i_0, j_0, t_0,
           intM_intP_t_8_at_L) = 0))))))

========== file tests/java/why/Muller_po1.why ==========
lemma num_of_pos_non_negative:
  (forall intM_intP_t_3_18_at_L:(Object, int32) memory.
    (forall i_3:int.
      (forall j_3:int.
        (forall t_3:Object pointer. (0 <= num_of_pos(i_3, j_3, t_3,
          intM_intP_t_3_18_at_L))))))

========== file tests/java/why/Muller_po10.why ==========
goal Muller_m_ensures_default_po_6:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  ("JC_93": ("JC_88": (0 <= integer_of_int32(i_7_0))))

========== file tests/java/why/Muller_po11.why ==========
goal Muller_m_ensures_default_po_7:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  ("JC_93":
  ("JC_89":
  (integer_of_int32(i_7_0) <= (offset_max(Object_t_7_10_alloc_table,
  t_7) + 1))))

========== file tests/java/why/Muller_po12.why ==========
goal Muller_m_ensures_default_po_8:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  ("JC_93": ("JC_90": (0 <= integer_of_int32(count0))))

========== file tests/java/why/Muller_po13.why ==========
goal Muller_m_ensures_default_po_9:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  ("JC_93": ("JC_91": (integer_of_int32(count0) <= integer_of_int32(i_7_0))))

========== file tests/java/why/Muller_po14.why ==========
goal Muller_m_ensures_default_po_10:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  ("JC_93":
  ("JC_92": (integer_of_int32(count0) = num_of_pos(0,
  integer_of_int32(i_7_0), t_7, intM_intP_t_7_10))))

========== file tests/java/why/Muller_po15.why ==========
goal Muller_m_ensures_default_po_11:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  ("JC_93": ("JC_88": (0 <= integer_of_int32(i_7_0))))

========== file tests/java/why/Muller_po16.why ==========
goal Muller_m_ensures_default_po_12:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  ("JC_93":
  ("JC_89":
  (integer_of_int32(i_7_0) <= (offset_max(Object_t_7_10_alloc_table,
  t_7) + 1))))

========== file tests/java/why/Muller_po17.why ==========
goal Muller_m_ensures_default_po_13:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  ("JC_93": ("JC_90": (0 <= integer_of_int32(count))))

========== file tests/java/why/Muller_po18.why ==========
goal Muller_m_ensures_default_po_14:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  ("JC_93": ("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7_0))))

========== file tests/java/why/Muller_po19.why ==========
goal Muller_m_ensures_default_po_15:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  ("JC_93":
  ("JC_92": (integer_of_int32(count) = num_of_pos(0, integer_of_int32(i_7_0),
  t_7, intM_intP_t_7_10))))

========== file tests/java/why/Muller_po2.why ==========
lemma num_of_pos_additive:
  (forall intM_intP_t_4_19_at_L:(Object, int32) memory.
    (forall i_4:int.
      (forall j_4:int.
        (forall k:int.
          (forall t_4:Object pointer.
            (((i_4 <= j_4) and (j_4 <= k)) -> (num_of_pos(i_4, k, t_4,
             intM_intP_t_4_19_at_L) = (num_of_pos(i_4, j_4, t_4,
             intM_intP_t_4_19_at_L) + num_of_pos(j_4, k, t_4,
             intM_intP_t_4_19_at_L)))))))))

========== file tests/java/why/Muller_po20.why ==========
goal Muller_m_ensures_default_po_16:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  ("JC_104": ("JC_99": (0 <= integer_of_int32(result4))))

========== file tests/java/why/Muller_po21.why ==========
goal Muller_m_ensures_default_po_17:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  ("JC_104":
  ("JC_100":
  (integer_of_int32(result4) <= (offset_max(Object_t_7_10_alloc_table,
  t_7) + 1))))

========== file tests/java/why/Muller_po22.why ==========
goal Muller_m_ensures_default_po_18:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  ("JC_104": ("JC_101": (0 <= integer_of_int32(count0))))

========== file tests/java/why/Muller_po23.why ==========
goal Muller_m_ensures_default_po_19:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  ("JC_104":
  ("JC_102": (integer_of_int32(count0) <= integer_of_int32(result4))))

========== file tests/java/why/Muller_po24.why ==========
goal Muller_m_ensures_default_po_20:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  ("JC_104":
  ("JC_103": (integer_of_int32(count0) = num_of_pos(0,
  integer_of_int32(result4), t_7, intM_intP_t_7_10))))

========== file tests/java/why/Muller_po25.why ==========
goal Muller_m_ensures_default_po_21:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  ("JC_104": ("JC_99": (0 <= integer_of_int32(i_8_0))))

========== file tests/java/why/Muller_po26.why ==========
goal Muller_m_ensures_default_po_22:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  ("JC_104":
  ("JC_100":
  (integer_of_int32(i_8_0) <= (offset_max(Object_t_7_10_alloc_table,
  t_7) + 1))))

========== file tests/java/why/Muller_po27.why ==========
goal Muller_m_ensures_default_po_23:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  ("JC_104": ("JC_101": (0 <= integer_of_int32(count2))))

========== file tests/java/why/Muller_po28.why ==========
goal Muller_m_ensures_default_po_24:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  ("JC_104":
  ("JC_102": (integer_of_int32(count2) <= integer_of_int32(i_8_0))))

========== file tests/java/why/Muller_po29.why ==========
goal Muller_m_ensures_default_po_25:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  ("JC_104":
  ("JC_103": (integer_of_int32(count2) = num_of_pos(0,
  integer_of_int32(i_8_0), t_7, intM_intP_t_7_10))))

========== file tests/java/why/Muller_po3.why ==========
lemma num_of_pos_increasing:
  (forall intM_intP_t_5_20_at_L:(Object, int32) memory.
    (forall i_5:int.
      (forall j_5:int.
        (forall k_0:int.
          (forall t_5:Object pointer.
            ((j_5 <= k_0) -> (num_of_pos(i_5, j_5, t_5,
             intM_intP_t_5_20_at_L) <= num_of_pos(i_5, k_0, t_5,
             intM_intP_t_5_20_at_L))))))))

========== file tests/java/why/Muller_po30.why ==========
goal Muller_m_ensures_default_po_26:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  ("JC_104": ("JC_99": (0 <= integer_of_int32(i_8_0))))

========== file tests/java/why/Muller_po31.why ==========
goal Muller_m_ensures_default_po_27:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  ("JC_104":
  ("JC_100":
  (integer_of_int32(i_8_0) <= (offset_max(Object_t_7_10_alloc_table,
  t_7) + 1))))

========== file tests/java/why/Muller_po32.why ==========
goal Muller_m_ensures_default_po_28:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  ("JC_104": ("JC_101": (0 <= integer_of_int32(count1))))

========== file tests/java/why/Muller_po33.why ==========
goal Muller_m_ensures_default_po_29:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  ("JC_104":
  ("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8_0))))

========== file tests/java/why/Muller_po34.why ==========
goal Muller_m_ensures_default_po_30:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  ("JC_104":
  ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
  integer_of_int32(i_8_0), t_7, intM_intP_t_7_10))))

========== file tests/java/why/Muller_po35.why ==========
goal Muller_m_safety_po_1:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1))

========== file tests/java/why/Muller_po36.why ==========
goal Muller_m_safety_po_2:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  (offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7))

========== file tests/java/why/Muller_po37.why ==========
goal Muller_m_safety_po_3:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))

========== file tests/java/why/Muller_po38.why ==========
goal Muller_m_safety_po_4:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  ((-2147483648) <= (integer_of_int32(count) + 1))

========== file tests/java/why/Muller_po39.why ==========
goal Muller_m_safety_po_5:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  ((integer_of_int32(count) + 1) <= 2147483647)

========== file tests/java/why/Muller_po4.why ==========
lemma num_of_pos_strictly_increasing:
  (forall intM_intP_t_6_21_at_L:(Object, int32) memory.
    (forall i_6:int.
      (forall n:int.
        (forall t_6:Object pointer.
          (((0 <= i_6) and
            ((i_6 < n) and (integer_of_int32(select(intM_intP_t_6_21_at_L,
             shift(t_6, i_6))) > 0))) ->
           (num_of_pos(0, i_6, t_6, intM_intP_t_6_21_at_L) < num_of_pos(0, n,
           t_6, intM_intP_t_6_21_at_L)))))))

========== file tests/java/why/Muller_po40.why ==========
goal Muller_m_safety_po_6:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  (((-2147483648) <= (integer_of_int32(count) + 1)) and
   ((integer_of_int32(count) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  ((-2147483648) <= (integer_of_int32(i_7) + 1))

========== file tests/java/why/Muller_po41.why ==========
goal Muller_m_safety_po_7:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  (((-2147483648) <= (integer_of_int32(count) + 1)) and
   ((integer_of_int32(count) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  ((integer_of_int32(i_7) + 1) <= 2147483647)

========== file tests/java/why/Muller_po42.why ==========
goal Muller_m_safety_po_8:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  (((-2147483648) <= (integer_of_int32(count) + 1)) and
   ((integer_of_int32(count) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  (((-2147483648) <= (integer_of_int32(i_7) + 1)) and
   ((integer_of_int32(i_7) + 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  (0 <= ("JC_69": ((offset_max(Object_t_7_10_alloc_table,
        t_7) + 1) - integer_of_int32(i_7))))

========== file tests/java/why/Muller_po43.why ==========
goal Muller_m_safety_po_9:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  (((-2147483648) <= (integer_of_int32(count) + 1)) and
   ((integer_of_int32(count) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  (((-2147483648) <= (integer_of_int32(i_7) + 1)) and
   ((integer_of_int32(i_7) + 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  (("JC_69": ((offset_max(Object_t_7_10_alloc_table,
   t_7) + 1) - integer_of_int32(i_7_0))) < ("JC_69":
                                           ((offset_max(Object_t_7_10_alloc_table,
                                           t_7) + 1) - integer_of_int32(i_7))))

========== file tests/java/why/Muller_po44.why ==========
goal Muller_m_safety_po_10:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  ((-2147483648) <= (integer_of_int32(i_7) + 1))

========== file tests/java/why/Muller_po45.why ==========
goal Muller_m_safety_po_11:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  ((integer_of_int32(i_7) + 1) <= 2147483647)

========== file tests/java/why/Muller_po46.why ==========
goal Muller_m_safety_po_12:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  (((-2147483648) <= (integer_of_int32(i_7) + 1)) and
   ((integer_of_int32(i_7) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  (0 <= ("JC_69": ((offset_max(Object_t_7_10_alloc_table,
        t_7) + 1) - integer_of_int32(i_7))))

========== file tests/java/why/Muller_po47.why ==========
goal Muller_m_safety_po_13:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  (((-2147483648) <= (integer_of_int32(i_7) + 1)) and
   ((integer_of_int32(i_7) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  (("JC_69": ((offset_max(Object_t_7_10_alloc_table,
   t_7) + 1) - integer_of_int32(i_7_0))) < ("JC_69":
                                           ((offset_max(Object_t_7_10_alloc_table,
                                           t_7) + 1) - integer_of_int32(i_7))))

========== file tests/java/why/Muller_po48.why ==========
goal Muller_m_safety_po_14:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0)

========== file tests/java/why/Muller_po49.why ==========
goal Muller_m_safety_po_15:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  (offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8))

========== file tests/java/why/Muller_po5.why ==========
goal Muller_m_ensures_default_po_1:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  ("JC_93": ("JC_88": (0 <= integer_of_int32(result0))))

========== file tests/java/why/Muller_po50.why ==========
goal Muller_m_safety_po_16:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))

========== file tests/java/why/Muller_po51.why ==========
goal Muller_m_safety_po_17:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  ((-2147483648) <= (integer_of_int32(count1) + 1))

========== file tests/java/why/Muller_po52.why ==========
goal Muller_m_safety_po_18:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  ((integer_of_int32(count1) + 1) <= 2147483647)

========== file tests/java/why/Muller_po53.why ==========
goal Muller_m_safety_po_19:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (((-2147483648) <= (integer_of_int32(count1) + 1)) and
   ((integer_of_int32(count1) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  (offset_min(Object_Muller_m_12_alloc_table0,
  result2) <= integer_of_int32(count1))

========== file tests/java/why/Muller_po54.why ==========
goal Muller_m_safety_po_20:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (((-2147483648) <= (integer_of_int32(count1) + 1)) and
   ((integer_of_int32(count1) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  (integer_of_int32(count1) <= offset_max(Object_Muller_m_12_alloc_table0,
  result2))

========== file tests/java/why/Muller_po55.why ==========
goal Muller_m_safety_po_21:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (((-2147483648) <= (integer_of_int32(count1) + 1)) and
   ((integer_of_int32(count1) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  ((offset_min(Object_Muller_m_12_alloc_table0,
   result2) <= integer_of_int32(count1)) and
   (integer_of_int32(count1) <= offset_max(Object_Muller_m_12_alloc_table0,
   result2))) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  ((-2147483648) <= (integer_of_int32(i_8) + 1))

========== file tests/java/why/Muller_po56.why ==========
goal Muller_m_safety_po_22:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (((-2147483648) <= (integer_of_int32(count1) + 1)) and
   ((integer_of_int32(count1) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  ((offset_min(Object_Muller_m_12_alloc_table0,
   result2) <= integer_of_int32(count1)) and
   (integer_of_int32(count1) <= offset_max(Object_Muller_m_12_alloc_table0,
   result2))) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  ((integer_of_int32(i_8) + 1) <= 2147483647)

========== file tests/java/why/Muller_po57.why ==========
goal Muller_m_safety_po_23:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (((-2147483648) <= (integer_of_int32(count1) + 1)) and
   ((integer_of_int32(count1) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  ((offset_min(Object_Muller_m_12_alloc_table0,
   result2) <= integer_of_int32(count1)) and
   (integer_of_int32(count1) <= offset_max(Object_Muller_m_12_alloc_table0,
   result2))) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  (((-2147483648) <= (integer_of_int32(i_8) + 1)) and
   ((integer_of_int32(i_8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  (0 <= ("JC_87": ((offset_max(Object_t_7_10_alloc_table,
        t_7) + 1) - integer_of_int32(i_8))))

========== file tests/java/why/Muller_po58.why ==========
goal Muller_m_safety_po_24:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (((-2147483648) <= (integer_of_int32(count1) + 1)) and
   ((integer_of_int32(count1) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  ((offset_min(Object_Muller_m_12_alloc_table0,
   result2) <= integer_of_int32(count1)) and
   (integer_of_int32(count1) <= offset_max(Object_Muller_m_12_alloc_table0,
   result2))) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  (((-2147483648) <= (integer_of_int32(i_8) + 1)) and
   ((integer_of_int32(i_8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  (("JC_87": ((offset_max(Object_t_7_10_alloc_table,
   t_7) + 1) - integer_of_int32(i_8_0))) < ("JC_87":
                                           ((offset_max(Object_t_7_10_alloc_table,
                                           t_7) + 1) - integer_of_int32(i_8))))

========== file tests/java/why/Muller_po59.why ==========
goal Muller_m_safety_po_25:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  ((-2147483648) <= (integer_of_int32(i_8) + 1))

========== file tests/java/why/Muller_po6.why ==========
goal Muller_m_ensures_default_po_2:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  ("JC_93":
  ("JC_89":
  (integer_of_int32(result0) <= (offset_max(Object_t_7_10_alloc_table,
  t_7) + 1))))

========== file tests/java/why/Muller_po60.why ==========
goal Muller_m_safety_po_26:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  ((integer_of_int32(i_8) + 1) <= 2147483647)

========== file tests/java/why/Muller_po61.why ==========
goal Muller_m_safety_po_27:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  (((-2147483648) <= (integer_of_int32(i_8) + 1)) and
   ((integer_of_int32(i_8) + 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  (0 <= ("JC_87": ((offset_max(Object_t_7_10_alloc_table,
        t_7) + 1) - integer_of_int32(i_8))))

========== file tests/java/why/Muller_po62.why ==========
goal Muller_m_safety_po_28:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  (((-2147483648) <= (integer_of_int32(i_8) + 1)) and
   ((integer_of_int32(i_8) + 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  (("JC_87": ((offset_max(Object_t_7_10_alloc_table,
   t_7) + 1) - integer_of_int32(i_8_0))) < ("JC_87":
                                           ((offset_max(Object_t_7_10_alloc_table,
                                           t_7) + 1) - integer_of_int32(i_8))))

========== file tests/java/why/Muller_po7.why ==========
goal Muller_m_ensures_default_po_3:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  ("JC_93": ("JC_90": (0 <= integer_of_int32(result))))

========== file tests/java/why/Muller_po8.why ==========
goal Muller_m_ensures_default_po_4:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  ("JC_93":
  ("JC_91": (integer_of_int32(result) <= integer_of_int32(result0))))

========== file tests/java/why/Muller_po9.why ==========
goal Muller_m_ensures_default_po_5:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  ("JC_93":
  ("JC_92": (integer_of_int32(result) = num_of_pos(0,
  integer_of_int32(result0), t_7, intM_intP_t_7_10))))

========== generation of Simplify VC output ==========
why -simplify [...] why/Muller.why
========== file tests/java/simplify/Muller_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Muller_parenttag_Object
 (EQ (parenttag Muller_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_x_2_alloc_table)
  (>= (offset_max Object_x_2_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_x_1_alloc_table)
  (>= (offset_max Object_x_1_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Muller p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Muller p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Muller p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Muller p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom num_of_pos_false_case
 (FORALL (intM_intP_t_8_at_L i_2 j_2 t_2)
 (IMPLIES
 (AND (< i_2 j_2)
 (NOT
 (> (integer_of_int32 (select intM_intP_t_8_at_L (shift t_2 (- j_2 1)))) 0)))
 (EQ (num_of_pos i_2 j_2 t_2 intM_intP_t_8_at_L)
 (num_of_pos i_2 (- j_2 1) t_2 intM_intP_t_8_at_L)))))

(BG_PUSH
 ;; Why axiom num_of_pos_true_case
 (FORALL (intM_intP_t_8_at_L i_1 j_1 t_1)
 (IMPLIES
 (AND (< i_1 j_1)
 (> (integer_of_int32 (select intM_intP_t_8_at_L (shift t_1 (- j_1 1)))) 0))
 (EQ (num_of_pos i_1 j_1 t_1 intM_intP_t_8_at_L)
 (+ (num_of_pos i_1 (- j_1 1) t_1 intM_intP_t_8_at_L) 1)))))

(BG_PUSH
 ;; Why axiom num_of_pos_empty
 (FORALL (intM_intP_t_8_at_L i_0 j_0 t_0)
 (IMPLIES (>= i_0 j_0) (EQ (num_of_pos i_0 j_0 t_0 intM_intP_t_8_at_L) 0)))

 (FORALL (i_0 j_0)
 (IMPLIES (>= i_0 j_0)
 (FORALL (intM_intP_t_8_at_L t_0)
 (EQ (num_of_pos i_0 j_0 t_0 intM_intP_t_8_at_L) 0)))))

;; num_of_pos_non_negative, File "HOME/tests/java/Muller.java", line 51, characters 10-33
(FORALL (intM_intP_t_3_18_at_L i_3 j_3 t_3)
(<= 0 (num_of_pos i_3 j_3 t_3 intM_intP_t_3_18_at_L)))

(BG_PUSH
 ;; lemma num_of_pos_non_negative as axiom
(FORALL (intM_intP_t_3_18_at_L i_3 j_3 t_3)
(<= 0 (num_of_pos i_3 j_3 t_3 intM_intP_t_3_18_at_L))))

;; num_of_pos_additive, File "HOME/tests/java/Muller.java", line 55, characters 10-29
(FORALL (intM_intP_t_4_19_at_L i_4 j_4 k t_4)
(IMPLIES (AND (<= i_4 j_4) (<= j_4 k))
(EQ (num_of_pos i_4 k t_4 intM_intP_t_4_19_at_L)
(+ (num_of_pos i_4 j_4 t_4 intM_intP_t_4_19_at_L) (num_of_pos
                                                  j_4 k t_4 intM_intP_t_4_19_at_L)))))

(BG_PUSH
 ;; lemma num_of_pos_additive as axiom
(FORALL (intM_intP_t_4_19_at_L i_4 j_4 k t_4)
(IMPLIES (AND (<= i_4 j_4) (<= j_4 k))
(EQ (num_of_pos i_4 k t_4 intM_intP_t_4_19_at_L)
(+ (num_of_pos i_4 j_4 t_4 intM_intP_t_4_19_at_L) (num_of_pos
                                                  j_4 k t_4 intM_intP_t_4_19_at_L))))))

;; num_of_pos_increasing, File "HOME/tests/java/Muller.java", line 60, characters 10-31
(FORALL (intM_intP_t_5_20_at_L i_5 j_5 k_0 t_5)
(IMPLIES (<= j_5 k_0)
(<= (num_of_pos i_5 j_5 t_5 intM_intP_t_5_20_at_L) (num_of_pos
                                                   i_5 k_0 t_5 intM_intP_t_5_20_at_L))))

(BG_PUSH
 ;; lemma num_of_pos_increasing as axiom
(FORALL (intM_intP_t_5_20_at_L i_5 j_5 k_0 t_5)
(IMPLIES (<= j_5 k_0)
(<= (num_of_pos i_5 j_5 t_5 intM_intP_t_5_20_at_L) (num_of_pos
                                                   i_5 k_0 t_5 intM_intP_t_5_20_at_L)))))

;; num_of_pos_strictly_increasing, File "HOME/tests/java/Muller.java", line 65, characters 10-40
(FORALL (intM_intP_t_6_21_at_L i_6 n t_6)
(IMPLIES
(AND (<= 0 i_6)
(AND (< i_6 n)
(> (integer_of_int32 (select intM_intP_t_6_21_at_L (shift t_6 i_6))) 0)))
(< (num_of_pos 0 i_6 t_6 intM_intP_t_6_21_at_L) (num_of_pos
                                                0 n t_6 intM_intP_t_6_21_at_L))))

(BG_PUSH
 ;; lemma num_of_pos_strictly_increasing as axiom
(FORALL (intM_intP_t_6_21_at_L i_6 n t_6)
(IMPLIES
(AND (<= 0 i_6)
(AND (< i_6 n)
(> (integer_of_int32 (select intM_intP_t_6_21_at_L (shift t_6 i_6))) 0)))
(< (num_of_pos 0 i_6 t_6 intM_intP_t_6_21_at_L) (num_of_pos
                                                0 n t_6 intM_intP_t_6_21_at_L)))))

;; Muller_m_ensures_default_po_1, File "HOME/tests/java/Muller.java", line 79, characters 8-14
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0) (<= 0 (integer_of_int32 result0)))))))))

;; Muller_m_ensures_default_po_2, File "HOME/tests/java/Muller.java", line 79, characters 13-26
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(<= (integer_of_int32 result0) (+ (offset_max Object_t_7_10_alloc_table t_7) 1)))))))))

;; Muller_m_ensures_default_po_3, File "HOME/tests/java/Muller.java", line 80, characters 8-18
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0) (<= 0 (integer_of_int32 result)))))))))

;; Muller_m_ensures_default_po_4, File "HOME/tests/java/Muller.java", line 80, characters 13-23
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(<= (integer_of_int32 result) (integer_of_int32 result0)))))))))

;; Muller_m_ensures_default_po_5, File "HOME/tests/java/Muller.java", line 81, characters 8-34
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(EQ (integer_of_int32 result)
(num_of_pos 0 (integer_of_int32 result0) t_7 intM_intP_t_7_10))))))))))

;; Muller_m_ensures_default_po_6, File "HOME/tests/java/Muller.java", line 79, characters 8-14
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (> (integer_of_int32 result2) 0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 count) 1))
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0) (IMPLIES (EQ i_7_0 result4) (<= 0 (integer_of_int32 i_7_0)))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_7, File "HOME/tests/java/Muller.java", line 79, characters 13-26
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (> (integer_of_int32 result2) 0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 count) 1))
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0)
(IMPLIES (EQ i_7_0 result4)
(<= (integer_of_int32 i_7_0) (+ (offset_max Object_t_7_10_alloc_table t_7) 1)))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_8, File "HOME/tests/java/Muller.java", line 80, characters 8-18
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (> (integer_of_int32 result2) 0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 count) 1))
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0)
(IMPLIES (EQ i_7_0 result4) (<= 0 (integer_of_int32 count0)))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_9, File "HOME/tests/java/Muller.java", line 80, characters 13-23
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (> (integer_of_int32 result2) 0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 count) 1))
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0)
(IMPLIES (EQ i_7_0 result4)
(<= (integer_of_int32 count0) (integer_of_int32 i_7_0)))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_10, File "HOME/tests/java/Muller.java", line 81, characters 8-34
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (> (integer_of_int32 result2) 0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 count) 1))
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0)
(IMPLIES (EQ i_7_0 result4)
(EQ (integer_of_int32 count0)
(num_of_pos 0 (integer_of_int32 i_7_0) t_7 intM_intP_t_7_10)))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_11, File "HOME/tests/java/Muller.java", line 79, characters 8-14
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (<= (integer_of_int32 result2) 0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0) (IMPLIES (EQ i_7_0 result3) (<= 0 (integer_of_int32 i_7_0)))))))))))))))))))))))

;; Muller_m_ensures_default_po_12, File "HOME/tests/java/Muller.java", line 79, characters 13-26
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (<= (integer_of_int32 result2) 0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0)
(IMPLIES (EQ i_7_0 result3)
(<= (integer_of_int32 i_7_0) (+ (offset_max Object_t_7_10_alloc_table t_7) 1)))))))))))))))))))))))

;; Muller_m_ensures_default_po_13, File "HOME/tests/java/Muller.java", line 80, characters 8-18
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (<= (integer_of_int32 result2) 0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0) (IMPLIES (EQ i_7_0 result3) (<= 0 (integer_of_int32 count)))))))))))))))))))))))

;; Muller_m_ensures_default_po_14, File "HOME/tests/java/Muller.java", line 80, characters 13-23
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (<= (integer_of_int32 result2) 0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0)
(IMPLIES (EQ i_7_0 result3)
(<= (integer_of_int32 count) (integer_of_int32 i_7_0)))))))))))))))))))))))

;; Muller_m_ensures_default_po_15, File "HOME/tests/java/Muller.java", line 81, characters 8-34
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (<= (integer_of_int32 result2) 0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0)
(IMPLIES (EQ i_7_0 result3)
(EQ (integer_of_int32 count)
(num_of_pos 0 (integer_of_int32 i_7_0) t_7 intM_intP_t_7_10)))))))))))))))))))))))

;; Muller_m_ensures_default_po_16, File "HOME/tests/java/Muller.java", line 90, characters 8-14
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0) (<= 0 (integer_of_int32 result4)))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_17, File "HOME/tests/java/Muller.java", line 90, characters 13-26
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(<= (integer_of_int32 result4) (+ (offset_max Object_t_7_10_alloc_table t_7) 1)))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_18, File "HOME/tests/java/Muller.java", line 91, characters 8-18
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0) (<= 0 (integer_of_int32 count0)))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_19, File "HOME/tests/java/Muller.java", line 91, characters 13-23
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(<= (integer_of_int32 count0) (integer_of_int32 result4)))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_20, File "HOME/tests/java/Muller.java", line 92, characters 8-34
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(EQ (integer_of_int32 count0)
(num_of_pos 0 (integer_of_int32 result4) t_7 intM_intP_t_7_10)))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_21, File "HOME/tests/java/Muller.java", line 90, characters 8-14
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(FORALL (intM_intP_Muller_m_12)
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(FORALL (result8)
(IMPLIES (EQ (integer_of_int32 result8) (+ (integer_of_int32 count1) 1))
(FORALL (count2)
(IMPLIES (EQ count2 result8)
(FORALL (intM_intP_Muller_m_12_0)
(IMPLIES (EQ intM_intP_Muller_m_12_0
         (|why__store|
         intM_intP_Muller_m_12 (shift result2 (integer_of_int32 count1)) result7))
(FORALL (result9)
(IMPLIES (EQ (integer_of_int32 result9) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0) (IMPLIES (EQ i_8_0 result9) (<= 0 (integer_of_int32 i_8_0)))))))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_22, File "HOME/tests/java/Muller.java", line 90, characters 13-26
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(FORALL (intM_intP_Muller_m_12)
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(FORALL (result8)
(IMPLIES (EQ (integer_of_int32 result8) (+ (integer_of_int32 count1) 1))
(FORALL (count2)
(IMPLIES (EQ count2 result8)
(FORALL (intM_intP_Muller_m_12_0)
(IMPLIES (EQ intM_intP_Muller_m_12_0
         (|why__store|
         intM_intP_Muller_m_12 (shift result2 (integer_of_int32 count1)) result7))
(FORALL (result9)
(IMPLIES (EQ (integer_of_int32 result9) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0)
(IMPLIES (EQ i_8_0 result9)
(<= (integer_of_int32 i_8_0) (+ (offset_max Object_t_7_10_alloc_table t_7) 1)))))))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_23, File "HOME/tests/java/Muller.java", line 91, characters 8-18
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(FORALL (intM_intP_Muller_m_12)
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(FORALL (result8)
(IMPLIES (EQ (integer_of_int32 result8) (+ (integer_of_int32 count1) 1))
(FORALL (count2)
(IMPLIES (EQ count2 result8)
(FORALL (intM_intP_Muller_m_12_0)
(IMPLIES (EQ intM_intP_Muller_m_12_0
         (|why__store|
         intM_intP_Muller_m_12 (shift result2 (integer_of_int32 count1)) result7))
(FORALL (result9)
(IMPLIES (EQ (integer_of_int32 result9) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0)
(IMPLIES (EQ i_8_0 result9) (<= 0 (integer_of_int32 count2)))))))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_24, File "HOME/tests/java/Muller.java", line 91, characters 13-23
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(FORALL (intM_intP_Muller_m_12)
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(FORALL (result8)
(IMPLIES (EQ (integer_of_int32 result8) (+ (integer_of_int32 count1) 1))
(FORALL (count2)
(IMPLIES (EQ count2 result8)
(FORALL (intM_intP_Muller_m_12_0)
(IMPLIES (EQ intM_intP_Muller_m_12_0
         (|why__store|
         intM_intP_Muller_m_12 (shift result2 (integer_of_int32 count1)) result7))
(FORALL (result9)
(IMPLIES (EQ (integer_of_int32 result9) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0)
(IMPLIES (EQ i_8_0 result9)
(<= (integer_of_int32 count2) (integer_of_int32 i_8_0)))))))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_25, File "HOME/tests/java/Muller.java", line 92, characters 8-34
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(FORALL (intM_intP_Muller_m_12)
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(FORALL (result8)
(IMPLIES (EQ (integer_of_int32 result8) (+ (integer_of_int32 count1) 1))
(FORALL (count2)
(IMPLIES (EQ count2 result8)
(FORALL (intM_intP_Muller_m_12_0)
(IMPLIES (EQ intM_intP_Muller_m_12_0
         (|why__store|
         intM_intP_Muller_m_12 (shift result2 (integer_of_int32 count1)) result7))
(FORALL (result9)
(IMPLIES (EQ (integer_of_int32 result9) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0)
(IMPLIES (EQ i_8_0 result9)
(EQ (integer_of_int32 count2)
(num_of_pos 0 (integer_of_int32 i_8_0) t_7 intM_intP_t_7_10)))))))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_26, File "HOME/tests/java/Muller.java", line 90, characters 8-14
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (<= (integer_of_int32 result6) 0)
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0) (IMPLIES (EQ i_8_0 result7) (<= 0 (integer_of_int32 i_8_0))))))))))))))))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_27, File "HOME/tests/java/Muller.java", line 90, characters 13-26
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (<= (integer_of_int32 result6) 0)
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0)
(IMPLIES (EQ i_8_0 result7)
(<= (integer_of_int32 i_8_0) (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))))))))))))))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_28, File "HOME/tests/java/Muller.java", line 91, characters 8-18
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (<= (integer_of_int32 result6) 0)
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0)
(IMPLIES (EQ i_8_0 result7) (<= 0 (integer_of_int32 count1))))))))))))))))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_29, File "HOME/tests/java/Muller.java", line 91, characters 13-23
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (<= (integer_of_int32 result6) 0)
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0)
(IMPLIES (EQ i_8_0 result7)
(<= (integer_of_int32 count1) (integer_of_int32 i_8_0))))))))))))))))))))))))))))))))))))))))

;; Muller_m_ensures_default_po_30, File "HOME/tests/java/Muller.java", line 92, characters 8-34
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (<= (integer_of_int32 result6) 0)
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0)
(IMPLIES (EQ i_8_0 result7)
(EQ (integer_of_int32 count1)
(num_of_pos 0 (integer_of_int32 i_8_0) t_7 intM_intP_t_7_10))))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_1, File "why/Muller.why", line 900, characters 54-232
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))))))))))))))

;; Muller_m_safety_po_2, File "HOME/tests/java/Muller.java", line 84, characters 39-43
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32 i_7))))))))))))))))))

;; Muller_m_safety_po_3, File "HOME/tests/java/Muller.java", line 84, characters 39-43
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(<= (integer_of_int32 i_7) (offset_max Object_t_7_10_alloc_table t_7))))))))))))))))))

;; Muller_m_safety_po_4, File "HOME/tests/java/Muller.jc", line 160, characters 69-77
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_7))
         (<= (integer_of_int32 i_7) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (> (integer_of_int32 result2) 0)
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 count) 1))))))))))))))))))))))

;; Muller_m_safety_po_5, File "HOME/tests/java/Muller.jc", line 160, characters 69-77
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_7))
         (<= (integer_of_int32 i_7) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (> (integer_of_int32 result2) 0)
(<= (+ (integer_of_int32 count) 1) constant_too_large_2147483647)))))))))))))))))))))

;; Muller_m_safety_po_6, File "HOME/tests/java/Muller.jc", line 158, characters 24-30
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_7))
         (<= (integer_of_int32 i_7) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (> (integer_of_int32 result2) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 count) 1))
         (<= (+ (integer_of_int32 count) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 count) 1))
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_7) 1)))))))))))))))))))))))))))

;; Muller_m_safety_po_7, File "HOME/tests/java/Muller.jc", line 158, characters 24-30
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_7))
         (<= (integer_of_int32 i_7) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (> (integer_of_int32 result2) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 count) 1))
         (<= (+ (integer_of_int32 count) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 count) 1))
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(<= (+ (integer_of_int32 i_7) 1) constant_too_large_2147483647))))))))))))))))))))))))))

;; Muller_m_safety_po_8, File "HOME/tests/java/Muller.java", line 82, characters 18-30
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_7))
         (<= (integer_of_int32 i_7) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (> (integer_of_int32 result2) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 count) 1))
         (<= (+ (integer_of_int32 count) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 count) 1))
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_7) 1))
         (<= (+ (integer_of_int32 i_7) 1) constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0)
(IMPLIES (EQ i_7_0 result4)
(<= 0 (- (+ (offset_max Object_t_7_10_alloc_table t_7) 1) (integer_of_int32
                                                          i_7)))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_9, File "HOME/tests/java/Muller.java", line 82, characters 18-30
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_7))
         (<= (integer_of_int32 i_7) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (> (integer_of_int32 result2) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 count) 1))
         (<= (+ (integer_of_int32 count) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 count) 1))
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_7) 1))
         (<= (+ (integer_of_int32 i_7) 1) constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0)
(IMPLIES (EQ i_7_0 result4)
(< (- (+ (offset_max Object_t_7_10_alloc_table t_7) 1) (integer_of_int32
                                                       i_7_0)) (- (+ 
                                                                  (offset_max
                                                                  Object_t_7_10_alloc_table t_7) 1) 
                                                               (integer_of_int32
                                                               i_7)))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_10, File "HOME/tests/java/Muller.jc", line 158, characters 24-30
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_7))
         (<= (integer_of_int32 i_7) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (<= (integer_of_int32 result2) 0)
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_7) 1))))))))))))))))))))))

;; Muller_m_safety_po_11, File "HOME/tests/java/Muller.jc", line 158, characters 24-30
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_7))
         (<= (integer_of_int32 i_7) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (<= (integer_of_int32 result2) 0)
(<= (+ (integer_of_int32 i_7) 1) constant_too_large_2147483647)))))))))))))))))))))

;; Muller_m_safety_po_12, File "HOME/tests/java/Muller.java", line 82, characters 18-30
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_7))
         (<= (integer_of_int32 i_7) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (<= (integer_of_int32 result2) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_7) 1))
         (<= (+ (integer_of_int32 i_7) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0)
(IMPLIES (EQ i_7_0 result3)
(<= 0 (- (+ (offset_max Object_t_7_10_alloc_table t_7) 1) (integer_of_int32
                                                          i_7))))))))))))))))))))))))))))

;; Muller_m_safety_po_13, File "HOME/tests/java/Muller.java", line 82, characters 18-30
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_7) result1)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_7))
         (<= (integer_of_int32 i_7) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_7))))
(IMPLIES (<= (integer_of_int32 result2) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_7) 1))
         (<= (+ (integer_of_int32 i_7) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_7) 1))
(FORALL (i_7_0)
(IMPLIES (EQ i_7_0 result3)
(< (- (+ (offset_max Object_t_7_10_alloc_table t_7) 1) (integer_of_int32
                                                       i_7_0)) (- (+ 
                                                                  (offset_max
                                                                  Object_t_7_10_alloc_table t_7) 1) 
                                                               (integer_of_int32
                                                               i_7))))))))))))))))))))))))))))

;; Muller_m_safety_po_14, File "HOME/tests/java/Muller.java", line 86, characters 11-25
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1) (>= (integer_of_int32 count) 0)))))))))))))))))

;; Muller_m_safety_po_15, File "HOME/tests/java/Muller.java", line 96, characters 9-13
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32 i_8))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_16, File "HOME/tests/java/Muller.java", line 96, characters 9-13
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(<= (integer_of_int32 i_8) (offset_max Object_t_7_10_alloc_table t_7))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_17, File "HOME/tests/java/Muller.jc", line 197, characters 47-55
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 count1) 1)))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_18, File "HOME/tests/java/Muller.jc", line 197, characters 47-55
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(<= (+ (integer_of_int32 count1) 1) constant_too_large_2147483647))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_19, File "HOME/tests/java/Muller.java", line 96, characters 19-36
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 count1) 1))
         (<= (+ (integer_of_int32 count1) 1) constant_too_large_2147483647))
(FORALL (result8)
(IMPLIES (EQ (integer_of_int32 result8) (+ (integer_of_int32 count1) 1))
(FORALL (count2)
(IMPLIES (EQ count2 result8)
(<= (offset_min Object_Muller_m_12_alloc_table0 result2) (integer_of_int32
                                                         count1))))))))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_20, File "HOME/tests/java/Muller.java", line 96, characters 19-36
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 count1) 1))
         (<= (+ (integer_of_int32 count1) 1) constant_too_large_2147483647))
(FORALL (result8)
(IMPLIES (EQ (integer_of_int32 result8) (+ (integer_of_int32 count1) 1))
(FORALL (count2)
(IMPLIES (EQ count2 result8)
(<= (integer_of_int32 count1) (offset_max
                              Object_Muller_m_12_alloc_table0 result2))))))))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_21, File "HOME/tests/java/Muller.jc", line 195, characters 30-36
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(FORALL (intM_intP_Muller_m_12)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 count1) 1))
         (<= (+ (integer_of_int32 count1) 1) constant_too_large_2147483647))
(FORALL (result8)
(IMPLIES (EQ (integer_of_int32 result8) (+ (integer_of_int32 count1) 1))
(FORALL (count2)
(IMPLIES (EQ count2 result8)
(IMPLIES (AND
         (<= (offset_min Object_Muller_m_12_alloc_table0 result2) (integer_of_int32
                                                                  count1))
         (<= (integer_of_int32 count1) (offset_max
                                       Object_Muller_m_12_alloc_table0 result2)))
(FORALL (intM_intP_Muller_m_12_0)
(IMPLIES (EQ intM_intP_Muller_m_12_0
         (|why__store|
         intM_intP_Muller_m_12 (shift result2 (integer_of_int32 count1)) result7))
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_8) 1))))))))))))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_22, File "HOME/tests/java/Muller.jc", line 195, characters 30-36
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(FORALL (intM_intP_Muller_m_12)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 count1) 1))
         (<= (+ (integer_of_int32 count1) 1) constant_too_large_2147483647))
(FORALL (result8)
(IMPLIES (EQ (integer_of_int32 result8) (+ (integer_of_int32 count1) 1))
(FORALL (count2)
(IMPLIES (EQ count2 result8)
(IMPLIES (AND
         (<= (offset_min Object_Muller_m_12_alloc_table0 result2) (integer_of_int32
                                                                  count1))
         (<= (integer_of_int32 count1) (offset_max
                                       Object_Muller_m_12_alloc_table0 result2)))
(FORALL (intM_intP_Muller_m_12_0)
(IMPLIES (EQ intM_intP_Muller_m_12_0
         (|why__store|
         intM_intP_Muller_m_12 (shift result2 (integer_of_int32 count1)) result7))
(<= (+ (integer_of_int32 i_8) 1) constant_too_large_2147483647)))))))))))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_23, File "HOME/tests/java/Muller.java", line 93, characters 18-30
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(FORALL (intM_intP_Muller_m_12)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 count1) 1))
         (<= (+ (integer_of_int32 count1) 1) constant_too_large_2147483647))
(FORALL (result8)
(IMPLIES (EQ (integer_of_int32 result8) (+ (integer_of_int32 count1) 1))
(FORALL (count2)
(IMPLIES (EQ count2 result8)
(IMPLIES (AND
         (<= (offset_min Object_Muller_m_12_alloc_table0 result2) (integer_of_int32
                                                                  count1))
         (<= (integer_of_int32 count1) (offset_max
                                       Object_Muller_m_12_alloc_table0 result2)))
(FORALL (intM_intP_Muller_m_12_0)
(IMPLIES (EQ intM_intP_Muller_m_12_0
         (|why__store|
         intM_intP_Muller_m_12 (shift result2 (integer_of_int32 count1)) result7))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_8) 1))
         (<= (+ (integer_of_int32 i_8) 1) constant_too_large_2147483647))
(FORALL (result9)
(IMPLIES (EQ (integer_of_int32 result9) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0)
(IMPLIES (EQ i_8_0 result9)
(<= 0 (- (+ (offset_max Object_t_7_10_alloc_table t_7) 1) (integer_of_int32
                                                          i_8))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_24, File "HOME/tests/java/Muller.java", line 93, characters 18-30
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(FORALL (intM_intP_Muller_m_12)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (> (integer_of_int32 result6) 0)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result7)
(IMPLIES (EQ result7
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 count1) 1))
         (<= (+ (integer_of_int32 count1) 1) constant_too_large_2147483647))
(FORALL (result8)
(IMPLIES (EQ (integer_of_int32 result8) (+ (integer_of_int32 count1) 1))
(FORALL (count2)
(IMPLIES (EQ count2 result8)
(IMPLIES (AND
         (<= (offset_min Object_Muller_m_12_alloc_table0 result2) (integer_of_int32
                                                                  count1))
         (<= (integer_of_int32 count1) (offset_max
                                       Object_Muller_m_12_alloc_table0 result2)))
(FORALL (intM_intP_Muller_m_12_0)
(IMPLIES (EQ intM_intP_Muller_m_12_0
         (|why__store|
         intM_intP_Muller_m_12 (shift result2 (integer_of_int32 count1)) result7))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_8) 1))
         (<= (+ (integer_of_int32 i_8) 1) constant_too_large_2147483647))
(FORALL (result9)
(IMPLIES (EQ (integer_of_int32 result9) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0)
(IMPLIES (EQ i_8_0 result9)
(< (- (+ (offset_max Object_t_7_10_alloc_table t_7) 1) (integer_of_int32
                                                       i_8_0)) (- (+ 
                                                                  (offset_max
                                                                  Object_t_7_10_alloc_table t_7) 1) 
                                                               (integer_of_int32
                                                               i_8))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_25, File "HOME/tests/java/Muller.jc", line 195, characters 30-36
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (<= (integer_of_int32 result6) 0)
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_8) 1))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_26, File "HOME/tests/java/Muller.jc", line 195, characters 30-36
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (<= (integer_of_int32 result6) 0)
(<= (+ (integer_of_int32 i_8) 1) constant_too_large_2147483647)))))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_27, File "HOME/tests/java/Muller.java", line 93, characters 18-30
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (<= (integer_of_int32 result6) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_8) 1))
         (<= (+ (integer_of_int32 i_8) 1) constant_too_large_2147483647))
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0)
(IMPLIES (EQ i_8_0 result7)
(<= 0 (- (+ (offset_max Object_t_7_10_alloc_table t_7) 1) (integer_of_int32
                                                          i_8))))))))))))))))))))))))))))))))))))))))))))))))

;; Muller_m_safety_po_28, File "HOME/tests/java/Muller.java", line 93, characters 18-30
(FORALL (t_7)
(FORALL (Object_t_7_10_alloc_table)
(FORALL (intM_intP_t_7_10)
(FORALL (Object_Muller_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_7 0 Object_t_7_10_alloc_table)
         (Non_null_intM t_7 Object_t_7_10_alloc_table))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (count)
(FORALL (i_7)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_7))
         (AND
         (<= (integer_of_int32 i_7) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count))
         (AND (<= (integer_of_int32 count) (integer_of_int32 i_7))
         (EQ (integer_of_int32 count)
         (num_of_pos 0 (integer_of_int32 i_7) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (>= (integer_of_int32 i_7) result1)
(IMPLIES (>= (integer_of_int32 count) 0)
(FORALL (result2)
(FORALL (Object_Muller_m_12_alloc_table0)
(FORALL (Object_Muller_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result2 0 (- (integer_of_int32 count) 1) Object_Muller_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_Muller_m_12_alloc_table Object_Muller_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh
         Object_Muller_m_12_alloc_table result2 (integer_of_int32 count))
         (instanceof Object_Muller_m_12_tag_table result2 intM_tag))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) 0)
(FORALL (count0)
(IMPLIES (EQ count0 result3)
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) 0)
(FORALL (count1)
(FORALL (i_8)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 i_8))
         (AND
         (<= (integer_of_int32 i_8) (+ (offset_max
                                       Object_t_7_10_alloc_table t_7) 1))
         (AND (<= 0 (integer_of_int32 count1))
         (AND (<= (integer_of_int32 count1) (integer_of_int32 i_8))
         (EQ (integer_of_int32 count1)
         (num_of_pos 0 (integer_of_int32 i_8) t_7 intM_intP_t_7_10))))))
(IMPLIES (>= (offset_max Object_t_7_10_alloc_table t_7) (- 0 1))
(FORALL (result5)
(IMPLIES (AND (<= result5 constant_too_large_2147483647)
         (AND (>= result5 0)
         (EQ result5 (+ (offset_max Object_t_7_10_alloc_table t_7) 1))))
(IMPLIES (< (integer_of_int32 i_8) result5)
(IMPLIES (AND
         (<= (offset_min Object_t_7_10_alloc_table t_7) (integer_of_int32
                                                        i_8))
         (<= (integer_of_int32 i_8) (offset_max
                                    Object_t_7_10_alloc_table t_7)))
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP_t_7_10 (shift t_7 (integer_of_int32 i_8))))
(IMPLIES (<= (integer_of_int32 result6) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_8) 1))
         (<= (+ (integer_of_int32 i_8) 1) constant_too_large_2147483647))
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 i_8) 1))
(FORALL (i_8_0)
(IMPLIES (EQ i_8_0 result7)
(< (- (+ (offset_max Object_t_7_10_alloc_table t_7) 1) (integer_of_int32
                                                       i_8_0)) (- (+ 
                                                                  (offset_max
                                                                  Object_t_7_10_alloc_table t_7) 1) 
                                                               (integer_of_int32
                                                               i_8))))))))))))))))))))))))))))))))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Muller_why.sx        : ????.......................................................... (58/0/4/0/0)
total   :  62
valid   :  58 ( 94%)
invalid :   0 (  0%)
unknown :   4 (  6%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Muller.why
========== file tests/java/why/Muller_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Muller_tag : Object tag_id

axiom Muller_parenttag_Object: parenttag(Muller_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_x_2_alloc_table: Object alloc_table) =
  (offset_max(Object_x_2_alloc_table, x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_x_1_alloc_table: Object alloc_table) =
  (offset_max(Object_x_1_alloc_table, x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Muller(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

logic num_of_pos : int, int, Object pointer, (Object, int32) memory -> int

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Muller(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Muller(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Muller(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom num_of_pos_false_case:
  (forall intM_intP_t_8_at_L:(Object, int32) memory.
    (forall i_2:int.
      (forall j_2:int.
        (forall t_2:Object pointer.
          (((i_2 < j_2) and (not (integer_of_int32(select(intM_intP_t_8_at_L,
            shift(t_2, (j_2 - 1)))) > 0))) ->
           (num_of_pos(i_2, j_2, t_2, intM_intP_t_8_at_L) = num_of_pos(i_2,
           (j_2 - 1), t_2, intM_intP_t_8_at_L)))))))

axiom num_of_pos_true_case:
  (forall intM_intP_t_8_at_L:(Object, int32) memory.
    (forall i_1:int.
      (forall j_1:int.
        (forall t_1:Object pointer.
          (((i_1 < j_1) and (integer_of_int32(select(intM_intP_t_8_at_L,
            shift(t_1, (j_1 - 1)))) > 0)) ->
           (num_of_pos(i_1, j_1, t_1, intM_intP_t_8_at_L) = (num_of_pos(i_1,
           (j_1 - 1), t_1, intM_intP_t_8_at_L) + 1)))))))

axiom num_of_pos_empty:
  (forall intM_intP_t_8_at_L:(Object, int32) memory.
    (forall i_0:int.
      (forall j_0:int.
        (forall t_0:Object pointer.
          ((i_0 >= j_0) -> (num_of_pos(i_0, j_0, t_0,
           intM_intP_t_8_at_L) = 0))))))

goal num_of_pos_non_negative:
  (forall intM_intP_t_3_18_at_L:(Object, int32) memory.
    (forall i_3:int.
      (forall j_3:int.
        (forall t_3:Object pointer. (0 <= num_of_pos(i_3, j_3, t_3,
          intM_intP_t_3_18_at_L))))))

axiom num_of_pos_non_negative_as_axiom:
  (forall intM_intP_t_3_18_at_L:(Object, int32) memory.
    (forall i_3:int.
      (forall j_3:int.
        (forall t_3:Object pointer. (0 <= num_of_pos(i_3, j_3, t_3,
          intM_intP_t_3_18_at_L))))))

goal num_of_pos_additive:
  (forall intM_intP_t_4_19_at_L:(Object, int32) memory.
    (forall i_4:int.
      (forall j_4:int.
        (forall k:int.
          (forall t_4:Object pointer.
            (((i_4 <= j_4) and (j_4 <= k)) -> (num_of_pos(i_4, k, t_4,
             intM_intP_t_4_19_at_L) = (num_of_pos(i_4, j_4, t_4,
             intM_intP_t_4_19_at_L) + num_of_pos(j_4, k, t_4,
             intM_intP_t_4_19_at_L)))))))))

axiom num_of_pos_additive_as_axiom:
  (forall intM_intP_t_4_19_at_L:(Object, int32) memory.
    (forall i_4:int.
      (forall j_4:int.
        (forall k:int.
          (forall t_4:Object pointer.
            (((i_4 <= j_4) and (j_4 <= k)) -> (num_of_pos(i_4, k, t_4,
             intM_intP_t_4_19_at_L) = (num_of_pos(i_4, j_4, t_4,
             intM_intP_t_4_19_at_L) + num_of_pos(j_4, k, t_4,
             intM_intP_t_4_19_at_L)))))))))

goal num_of_pos_increasing:
  (forall intM_intP_t_5_20_at_L:(Object, int32) memory.
    (forall i_5:int.
      (forall j_5:int.
        (forall k_0:int.
          (forall t_5:Object pointer.
            ((j_5 <= k_0) -> (num_of_pos(i_5, j_5, t_5,
             intM_intP_t_5_20_at_L) <= num_of_pos(i_5, k_0, t_5,
             intM_intP_t_5_20_at_L))))))))

axiom num_of_pos_increasing_as_axiom:
  (forall intM_intP_t_5_20_at_L:(Object, int32) memory.
    (forall i_5:int.
      (forall j_5:int.
        (forall k_0:int.
          (forall t_5:Object pointer.
            ((j_5 <= k_0) -> (num_of_pos(i_5, j_5, t_5,
             intM_intP_t_5_20_at_L) <= num_of_pos(i_5, k_0, t_5,
             intM_intP_t_5_20_at_L))))))))

goal num_of_pos_strictly_increasing:
  (forall intM_intP_t_6_21_at_L:(Object, int32) memory.
    (forall i_6:int.
      (forall n:int.
        (forall t_6:Object pointer.
          (((0 <= i_6) and
            ((i_6 < n) and (integer_of_int32(select(intM_intP_t_6_21_at_L,
             shift(t_6, i_6))) > 0))) ->
           (num_of_pos(0, i_6, t_6, intM_intP_t_6_21_at_L) < num_of_pos(0, n,
           t_6, intM_intP_t_6_21_at_L)))))))

axiom num_of_pos_strictly_increasing_as_axiom:
  (forall intM_intP_t_6_21_at_L:(Object, int32) memory.
    (forall i_6:int.
      (forall n:int.
        (forall t_6:Object pointer.
          (((0 <= i_6) and
            ((i_6 < n) and (integer_of_int32(select(intM_intP_t_6_21_at_L,
             shift(t_6, i_6))) > 0))) ->
           (num_of_pos(0, i_6, t_6, intM_intP_t_6_21_at_L) < num_of_pos(0, n,
           t_6, intM_intP_t_6_21_at_L)))))))

goal Muller_m_ensures_default_po_1:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  ("JC_93": ("JC_88": (0 <= integer_of_int32(result0))))

goal Muller_m_ensures_default_po_2:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  ("JC_93":
  ("JC_89":
  (integer_of_int32(result0) <= (offset_max(Object_t_7_10_alloc_table,
  t_7) + 1))))

goal Muller_m_ensures_default_po_3:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  ("JC_93": ("JC_90": (0 <= integer_of_int32(result))))

goal Muller_m_ensures_default_po_4:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  ("JC_93":
  ("JC_91": (integer_of_int32(result) <= integer_of_int32(result0))))

goal Muller_m_ensures_default_po_5:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  ("JC_93":
  ("JC_92": (integer_of_int32(result) = num_of_pos(0,
  integer_of_int32(result0), t_7, intM_intP_t_7_10))))

goal Muller_m_ensures_default_po_6:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  ("JC_93": ("JC_88": (0 <= integer_of_int32(i_7_0))))

goal Muller_m_ensures_default_po_7:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  ("JC_93":
  ("JC_89":
  (integer_of_int32(i_7_0) <= (offset_max(Object_t_7_10_alloc_table,
  t_7) + 1))))

goal Muller_m_ensures_default_po_8:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  ("JC_93": ("JC_90": (0 <= integer_of_int32(count0))))

goal Muller_m_ensures_default_po_9:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  ("JC_93": ("JC_91": (integer_of_int32(count0) <= integer_of_int32(i_7_0))))

goal Muller_m_ensures_default_po_10:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  ("JC_93":
  ("JC_92": (integer_of_int32(count0) = num_of_pos(0,
  integer_of_int32(i_7_0), t_7, intM_intP_t_7_10))))

goal Muller_m_ensures_default_po_11:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  ("JC_93": ("JC_88": (0 <= integer_of_int32(i_7_0))))

goal Muller_m_ensures_default_po_12:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  ("JC_93":
  ("JC_89":
  (integer_of_int32(i_7_0) <= (offset_max(Object_t_7_10_alloc_table,
  t_7) + 1))))

goal Muller_m_ensures_default_po_13:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  ("JC_93": ("JC_90": (0 <= integer_of_int32(count))))

goal Muller_m_ensures_default_po_14:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  ("JC_93": ("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7_0))))

goal Muller_m_ensures_default_po_15:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  ("JC_93":
  ("JC_92": (integer_of_int32(count) = num_of_pos(0, integer_of_int32(i_7_0),
  t_7, intM_intP_t_7_10))))

goal Muller_m_ensures_default_po_16:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  ("JC_104": ("JC_99": (0 <= integer_of_int32(result4))))

goal Muller_m_ensures_default_po_17:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  ("JC_104":
  ("JC_100":
  (integer_of_int32(result4) <= (offset_max(Object_t_7_10_alloc_table,
  t_7) + 1))))

goal Muller_m_ensures_default_po_18:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  ("JC_104": ("JC_101": (0 <= integer_of_int32(count0))))

goal Muller_m_ensures_default_po_19:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  ("JC_104":
  ("JC_102": (integer_of_int32(count0) <= integer_of_int32(result4))))

goal Muller_m_ensures_default_po_20:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  ("JC_104":
  ("JC_103": (integer_of_int32(count0) = num_of_pos(0,
  integer_of_int32(result4), t_7, intM_intP_t_7_10))))

goal Muller_m_ensures_default_po_21:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  ("JC_104": ("JC_99": (0 <= integer_of_int32(i_8_0))))

goal Muller_m_ensures_default_po_22:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  ("JC_104":
  ("JC_100":
  (integer_of_int32(i_8_0) <= (offset_max(Object_t_7_10_alloc_table,
  t_7) + 1))))

goal Muller_m_ensures_default_po_23:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  ("JC_104": ("JC_101": (0 <= integer_of_int32(count2))))

goal Muller_m_ensures_default_po_24:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  ("JC_104":
  ("JC_102": (integer_of_int32(count2) <= integer_of_int32(i_8_0))))

goal Muller_m_ensures_default_po_25:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  ("JC_104":
  ("JC_103": (integer_of_int32(count2) = num_of_pos(0,
  integer_of_int32(i_8_0), t_7, intM_intP_t_7_10))))

goal Muller_m_ensures_default_po_26:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  ("JC_104": ("JC_99": (0 <= integer_of_int32(i_8_0))))

goal Muller_m_ensures_default_po_27:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  ("JC_104":
  ("JC_100":
  (integer_of_int32(i_8_0) <= (offset_max(Object_t_7_10_alloc_table,
  t_7) + 1))))

goal Muller_m_ensures_default_po_28:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  ("JC_104": ("JC_101": (0 <= integer_of_int32(count1))))

goal Muller_m_ensures_default_po_29:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  ("JC_104":
  ("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8_0))))

goal Muller_m_ensures_default_po_30:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_93":
  (("JC_88": (0 <= integer_of_int32(i_7))) and
   (("JC_89":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_90": (0 <= integer_of_int32(count))) and
     (("JC_91": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_92": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_104":
  (("JC_99": (0 <= integer_of_int32(i_8))) and
   (("JC_100":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_101": (0 <= integer_of_int32(count1))) and
     (("JC_102": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  ("JC_104":
  ("JC_103": (integer_of_int32(count1) = num_of_pos(0,
  integer_of_int32(i_8_0), t_7, intM_intP_t_7_10))))

goal Muller_m_safety_po_1:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1))

goal Muller_m_safety_po_2:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  (offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7))

goal Muller_m_safety_po_3:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))

goal Muller_m_safety_po_4:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  ((-2147483648) <= (integer_of_int32(count) + 1))

goal Muller_m_safety_po_5:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  ((integer_of_int32(count) + 1) <= 2147483647)

goal Muller_m_safety_po_6:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  (((-2147483648) <= (integer_of_int32(count) + 1)) and
   ((integer_of_int32(count) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  ((-2147483648) <= (integer_of_int32(i_7) + 1))

goal Muller_m_safety_po_7:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  (((-2147483648) <= (integer_of_int32(count) + 1)) and
   ((integer_of_int32(count) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  ((integer_of_int32(i_7) + 1) <= 2147483647)

goal Muller_m_safety_po_8:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  (((-2147483648) <= (integer_of_int32(count) + 1)) and
   ((integer_of_int32(count) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  (((-2147483648) <= (integer_of_int32(i_7) + 1)) and
   ((integer_of_int32(i_7) + 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  (0 <= ("JC_69": ((offset_max(Object_t_7_10_alloc_table,
        t_7) + 1) - integer_of_int32(i_7))))

goal Muller_m_safety_po_9:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) > 0) ->
  (((-2147483648) <= (integer_of_int32(count) + 1)) and
   ((integer_of_int32(count) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(count) + 1)) ->
  forall count0:int32.
  (count0 = result3) ->
  (((-2147483648) <= (integer_of_int32(i_7) + 1)) and
   ((integer_of_int32(i_7) + 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result4) ->
  (("JC_69": ((offset_max(Object_t_7_10_alloc_table,
   t_7) + 1) - integer_of_int32(i_7_0))) < ("JC_69":
                                           ((offset_max(Object_t_7_10_alloc_table,
                                           t_7) + 1) - integer_of_int32(i_7))))

goal Muller_m_safety_po_10:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  ((-2147483648) <= (integer_of_int32(i_7) + 1))

goal Muller_m_safety_po_11:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  ((integer_of_int32(i_7) + 1) <= 2147483647)

goal Muller_m_safety_po_12:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  (((-2147483648) <= (integer_of_int32(i_7) + 1)) and
   ((integer_of_int32(i_7) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  (0 <= ("JC_69": ((offset_max(Object_t_7_10_alloc_table,
        t_7) + 1) - integer_of_int32(i_7))))

goal Muller_m_safety_po_13:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) < result1) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_7)) and
   (integer_of_int32(i_7) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result2:int32.
  (result2 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_7)))) ->
  (integer_of_int32(result2) <= 0) ->
  (((-2147483648) <= (integer_of_int32(i_7) + 1)) and
   ((integer_of_int32(i_7) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_7) + 1)) ->
  forall i_7_0:int32.
  (i_7_0 = result3) ->
  (("JC_69": ((offset_max(Object_t_7_10_alloc_table,
   t_7) + 1) - integer_of_int32(i_7_0))) < ("JC_69":
                                           ((offset_max(Object_t_7_10_alloc_table,
                                           t_7) + 1) - integer_of_int32(i_7))))

goal Muller_m_safety_po_14:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0)

goal Muller_m_safety_po_15:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  (offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8))

goal Muller_m_safety_po_16:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))

goal Muller_m_safety_po_17:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  ((-2147483648) <= (integer_of_int32(count1) + 1))

goal Muller_m_safety_po_18:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  ((integer_of_int32(count1) + 1) <= 2147483647)

goal Muller_m_safety_po_19:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (((-2147483648) <= (integer_of_int32(count1) + 1)) and
   ((integer_of_int32(count1) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  (offset_min(Object_Muller_m_12_alloc_table0,
  result2) <= integer_of_int32(count1))

goal Muller_m_safety_po_20:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (((-2147483648) <= (integer_of_int32(count1) + 1)) and
   ((integer_of_int32(count1) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  (integer_of_int32(count1) <= offset_max(Object_Muller_m_12_alloc_table0,
  result2))

goal Muller_m_safety_po_21:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (((-2147483648) <= (integer_of_int32(count1) + 1)) and
   ((integer_of_int32(count1) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  ((offset_min(Object_Muller_m_12_alloc_table0,
   result2) <= integer_of_int32(count1)) and
   (integer_of_int32(count1) <= offset_max(Object_Muller_m_12_alloc_table0,
   result2))) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  ((-2147483648) <= (integer_of_int32(i_8) + 1))

goal Muller_m_safety_po_22:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (((-2147483648) <= (integer_of_int32(count1) + 1)) and
   ((integer_of_int32(count1) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  ((offset_min(Object_Muller_m_12_alloc_table0,
   result2) <= integer_of_int32(count1)) and
   (integer_of_int32(count1) <= offset_max(Object_Muller_m_12_alloc_table0,
   result2))) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  ((integer_of_int32(i_8) + 1) <= 2147483647)

goal Muller_m_safety_po_23:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (((-2147483648) <= (integer_of_int32(count1) + 1)) and
   ((integer_of_int32(count1) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  ((offset_min(Object_Muller_m_12_alloc_table0,
   result2) <= integer_of_int32(count1)) and
   (integer_of_int32(count1) <= offset_max(Object_Muller_m_12_alloc_table0,
   result2))) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  (((-2147483648) <= (integer_of_int32(i_8) + 1)) and
   ((integer_of_int32(i_8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  (0 <= ("JC_87": ((offset_max(Object_t_7_10_alloc_table,
        t_7) + 1) - integer_of_int32(i_8))))

goal Muller_m_safety_po_24:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  forall intM_intP_Muller_m_12:(Object,
  int32) memory.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) > 0) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result7:int32.
  (result7 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (((-2147483648) <= (integer_of_int32(count1) + 1)) and
   ((integer_of_int32(count1) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(count1) + 1)) ->
  forall count2:int32.
  (count2 = result8) ->
  ((offset_min(Object_Muller_m_12_alloc_table0,
   result2) <= integer_of_int32(count1)) and
   (integer_of_int32(count1) <= offset_max(Object_Muller_m_12_alloc_table0,
   result2))) ->
  forall intM_intP_Muller_m_12_0:(Object,
  int32) memory.
  (intM_intP_Muller_m_12_0 = store(intM_intP_Muller_m_12, shift(result2,
  integer_of_int32(count1)), result7)) ->
  (((-2147483648) <= (integer_of_int32(i_8) + 1)) and
   ((integer_of_int32(i_8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result9) ->
  (("JC_87": ((offset_max(Object_t_7_10_alloc_table,
   t_7) + 1) - integer_of_int32(i_8_0))) < ("JC_87":
                                           ((offset_max(Object_t_7_10_alloc_table,
                                           t_7) + 1) - integer_of_int32(i_8))))

goal Muller_m_safety_po_25:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  ((-2147483648) <= (integer_of_int32(i_8) + 1))

goal Muller_m_safety_po_26:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  ((integer_of_int32(i_8) + 1) <= 2147483647)

goal Muller_m_safety_po_27:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  (((-2147483648) <= (integer_of_int32(i_8) + 1)) and
   ((integer_of_int32(i_8) + 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  (0 <= ("JC_87": ((offset_max(Object_t_7_10_alloc_table,
        t_7) + 1) - integer_of_int32(i_8))))

goal Muller_m_safety_po_28:
  forall t_7:Object pointer.
  forall Object_t_7_10_alloc_table:Object alloc_table.
  forall intM_intP_t_7_10:(Object,
  int32) memory.
  forall Object_Muller_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_7, 0, Object_t_7_10_alloc_table) and
   ("JC_49": Non_null_intM(t_7, Object_t_7_10_alloc_table))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall count:int32.
  forall i_7:int32.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i_7))) and
   (("JC_56":
    (integer_of_int32(i_7) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_57": (0 <= integer_of_int32(count))) and
     (("JC_58": (integer_of_int32(count) <= integer_of_int32(i_7))) and
      ("JC_59": (integer_of_int32(count) = num_of_pos(0,
      integer_of_int32(i_7), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_7) >= result1) ->
  (integer_of_int32(count) >= 0) ->
  forall result2:Object pointer.
  forall Object_Muller_m_12_alloc_table0:Object alloc_table.
  forall Object_Muller_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result2, 0, (integer_of_int32(count) - 1),
   Object_Muller_m_12_alloc_table0) and
   (alloc_extends(Object_Muller_m_12_alloc_table,
    Object_Muller_m_12_alloc_table0) and
    (alloc_fresh(Object_Muller_m_12_alloc_table, result2,
     integer_of_int32(count)) and instanceof(Object_Muller_m_12_tag_table,
     result2, intM_tag)))) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count0:int32.
  (count0 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall count1:int32.
  forall i_8:int32.
  ("JC_78": true) ->
  ("JC_76":
  (("JC_71": (0 <= integer_of_int32(i_8))) and
   (("JC_72":
    (integer_of_int32(i_8) <= (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))) and
    (("JC_73": (0 <= integer_of_int32(count1))) and
     (("JC_74": (integer_of_int32(count1) <= integer_of_int32(i_8))) and
      ("JC_75": (integer_of_int32(count1) = num_of_pos(0,
      integer_of_int32(i_8), t_7, intM_intP_t_7_10)))))))) ->
  (offset_max(Object_t_7_10_alloc_table, t_7) >= (-1)) ->
  forall result5:int.
  ("JC_25":
  ((result5 <= 2147483647) and
   ((result5 >= 0) and (result5 = (offset_max(Object_t_7_10_alloc_table,
    t_7) + 1))))) ->
  (integer_of_int32(i_8) < result5) ->
  ((offset_min(Object_t_7_10_alloc_table, t_7) <= integer_of_int32(i_8)) and
   (integer_of_int32(i_8) <= offset_max(Object_t_7_10_alloc_table, t_7))) ->
  forall result6:int32.
  (result6 = select(intM_intP_t_7_10, shift(t_7, integer_of_int32(i_8)))) ->
  (integer_of_int32(result6) <= 0) ->
  (((-2147483648) <= (integer_of_int32(i_8) + 1)) and
   ((integer_of_int32(i_8) + 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(i_8) + 1)) ->
  forall i_8_0:int32.
  (i_8_0 = result7) ->
  (("JC_87": ((offset_max(Object_t_7_10_alloc_table,
   t_7) + 1) - integer_of_int32(i_8_0))) < ("JC_87":
                                           ((offset_max(Object_t_7_10_alloc_table,
                                           t_7) + 1) - integer_of_int32(i_8))))

why-2.34/tests/java/oracle/Power.err.oracle0000644000175000017500000000000012311670312017205 0ustar  rtuserswhy-2.34/tests/java/oracle/Sort.err.oracle0000644000175000017500000000000012311670312017040 0ustar  rtuserswhy-2.34/tests/java/oracle/Fact.res.oracle0000644000175000017500000041561112311670312017011 0ustar  rtusers========== file tests/java/Fact.java ==========

// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no

/*@ inductive isfact(integer x, integer r) {
  @  case isfact0: isfact(0,1);
  @  case isfactn:
  @   \forall integer n r;
  @     n >= 1 && isfact(n-1,r) ==> isfact(n,r*n);
  @ }
  @*/

public class Fact {

    /*@ requires x >= 0;
      @ ensures isfact(x, \result);
      @*/
    public static int fact(int x) {
        int a = 0, y = 1;
        /*@ loop_invariant 0 <= a <= x && isfact(a,y);
          @ loop_variant x-a;
          @*/
        while (a < x) y = y * ++a;
        return y;
    }

}========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Fact for constructor Fact
Generating JC function Fact_fact for method Fact.fact
Done.
========== file tests/java/Fact.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Fact = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate isfact(integer x, integer r) {
case isfact0: isfact(0, 1);
  
  case isfactn: (\forall integer n;
                  (\forall integer r_0;
                    (((n >= 1) && isfact((n - 1), r_0)) ==>
                      isfact(n, (r_0 * n)))));
  
}

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Fact(! Fact[0] this_0){()}

integer Fact_fact(integer x_0)
  requires (K_2 : (x_0 >= 0));
behavior default:
  ensures (K_1 : isfact(x_0, \result));
{  
   {  
      (var integer a = (K_13 : 0));
      
      {  
         (var integer y = (K_12 : 1));
         
         {  
            loop 
            behavior default:
              invariant (K_7 : ((K_6 : ((K_5 : (0 <= a)) &&
                                         (K_4 : (a <= x_0)))) &&
                                 (K_3 : isfact(a, y))));
            variant (K_8 : (x_0 - a));
            while ((K_11 : (a < x_0)))
            {  (y = (K_10 : (y * (K_9 : (++ a)))))
            };
            
            (return y)
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Fact.jloc tests/java/Fact.jc && make -f tests/java/Fact.makefile gui"
End:
*/
========== file tests/java/Fact.jloc ==========
[K_11]
file = "HOME/tests/java/Fact.java"
line = 23
begin = 15
end = 20

[K_13]
file = "HOME/tests/java/Fact.java"
line = 19
begin = 16
end = 17

[K_9]
file = "HOME/tests/java/Fact.java"
line = 23
begin = 30
end = 33

[K_1]
file = "HOME/tests/java/Fact.java"
line = 16
begin = 16
end = 34

[K_4]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 32
end = 38

[K_12]
file = "HOME/tests/java/Fact.java"
line = 19
begin = 23
end = 24

[K_2]
file = "HOME/tests/java/Fact.java"
line = 15
begin = 17
end = 23

[K_10]
file = "HOME/tests/java/Fact.java"
line = 23
begin = 26
end = 33

[K_6]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 27
end = 38

[K_8]
file = "HOME/tests/java/Fact.java"
line = 21
begin = 25
end = 28

[K_3]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 42
end = 53

[cons_Fact]
name = "Constructor of class Fact"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_5]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 27
end = 33

[Fact_fact]
name = "Method fact"
file = "HOME/tests/java/Fact.java"
line = 18
begin = 22
end = 26

[K_7]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 27
end = 53

========== jessie execution ==========
Generating Why function cons_Fact
Generating Why function Fact_fact
========== file tests/java/Fact.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Fact.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Fact.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Fact_why.sx

project: why/Fact.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Fact_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Fact_why.vo

coq/Fact_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Fact_why.v: why/Fact.why
	@echo 'why -coq [...] why/Fact.why' && $(WHY) $(JESSIELIBFILES) why/Fact.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Fact_ctx_why.vo
	for f in why/*_po*.why; do make -f Fact.makefile coq/`basename $$f .why`_why.v ; done

coq/Fact_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Fact_ctx_why.v: why/Fact_ctx.why
	@echo 'why -coq [...] why/Fact_ctx.why' && $(WHY) why/Fact_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Fact_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Fact_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Fact_ctx_why.vo

pvs: pvs/Fact_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Fact_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Fact_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Fact_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Fact_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Fact_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Fact_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Fact_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Fact_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Fact_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Fact_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Fact_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Fact_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Fact_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Fact_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Fact.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Fact_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Fact.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Fact.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Fact.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Fact.depend

depend: coq/Fact_why.v
	-$(COQDEP) -I coq coq/Fact*_why.v > Fact.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Fact.loc ==========
[JC_45]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 42
end = 53

[cons_Fact_ensures_default]
name = "Constructor of class Fact"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/Fact.java"
line = 16
begin = 16
end = 34

[cons_Fact_safety]
name = "Constructor of class Fact"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/Fact.jc"
line = 37
begin = 11
end = 65

[JC_48]
file = "HOME/tests/java/Fact.jc"
line = 68
begin = 12
end = 372

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Fact.jc"
line = 35
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/Fact.jc"
line = 68
begin = 12
end = 372

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Fact.jc"
line = 35
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 32
end = 38

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/java/Fact.jc"
line = 68
begin = 12
end = 372

[JC_35]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 27
end = 33

[JC_27]
file = "HOME/tests/java/Fact.java"
line = 15
begin = 17
end = 23

[JC_38]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 27
end = 53

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fact_fact_ensures_default]
name = "Method fact"
behavior = "default behavior"
file = "HOME/tests/java/Fact.java"
line = 18
begin = 22
end = 26

[JC_44]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 32
end = 38

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Fact.java"
line = 21
begin = 25
end = 28

[JC_46]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 27
end = 53

[JC_32]
file = "HOME/tests/java/Fact.java"
line = 16
begin = 16
end = 34

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fact_fact_safety]
name = "Method fact"
behavior = "Safety"
file = "HOME/tests/java/Fact.java"
line = 18
begin = 22
end = 26

[JC_29]
file = "HOME/tests/java/Fact.java"
line = 15
begin = 17
end = 23

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 27
end = 33

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/java/Fact.jc"
line = 68
begin = 12
end = 372

[JC_1]
file = "HOME/tests/java/Fact.jc"
line = 10
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/Fact.java"
line = 20
begin = 42
end = 53

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Fact.jc"
line = 37
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Fact.jc"
line = 10
begin = 12
end = 22

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Fact.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Fact_tag:  -> Object tag_id

axiom Fact_parenttag_Object : parenttag(Fact_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

inductive isfact: int, int -> prop =
 | isfact0: isfact((0), (1))
 | isfactn: (forall n:int.
             (forall r_0:int.
              ((ge_int(n, (1)) and isfact(sub_int(n, (1)), r_0)) ->
               isfact(n, mul_int(r_0, n)))))
 
predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Fact(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Fact(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Fact(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Fact(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Fact_fact : x_0_0:int -> { } int { (JC_32: isfact(x_0_0, result)) }

parameter Fact_fact_requires :
 x_0_0:int ->
  { (JC_27: ge_int(x_0_0, (0)))} int { (JC_32: isfact(x_0_0, result)) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Fact :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fact(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fact_tag)))) }

parameter alloc_struct_Fact_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fact(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fact_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Fact :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Fact_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Fact_fact_ensures_default =
 fun (x_0_0 : int) ->
  { (JC_29: ge_int(x_0_0, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let a = ref (K_13: (0)) in
     (let y = ref (K_12: (1)) in
     begin
       try
        (loop_2:
        while true do
        { invariant
            (JC_46:
            ((JC_43: le_int((0), a))
            and ((JC_44: le_int(a, x_0_0)) and (JC_45: isfact(a, y))))) 
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_11: ((lt_int_ !a) x_0_0))
             then
              (let _jessie_ =
              begin
                (y := (K_10:
                      ((mul_int !y) (K_9:
                                    begin   (a := ((add_int !a) (1))); !a end))));
               !y end in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !y); (raise Return)
     end)); absurd  end with Return -> !return end))
  { (JC_31: isfact(x_0_0, result)) }

let Fact_fact_safety =
 fun (x_0_0 : int) ->
  { (JC_29: ge_int(x_0_0, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let a = ref (K_13: (0)) in
     (let y = ref (K_12: (1)) in
     begin
       try
        (loop_1:
        while true do
        { invariant (JC_40: true) variant (JC_42 : sub_int(x_0_0, a)) }
         begin
           [ { } unit reads a,y
             { (JC_38:
               ((JC_35: le_int((0), a))
               and ((JC_36: le_int(a, x_0_0)) and (JC_37: isfact(a, y))))) } ];
          try
           begin
             (if (K_11: ((lt_int_ !a) x_0_0))
             then
              (let _jessie_ =
              begin
                (y := (K_10:
                      ((mul_int !y) (K_9:
                                    begin   (a := ((add_int !a) (1))); !a end))));
               !y end in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !y); (raise Return)
     end)); absurd  end with Return -> !return end)) { true }

let cons_Fact_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Fact(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_Fact_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Fact(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Fact.why
========== file tests/java/why/Fact.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/Fact_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Fact_tag : Object tag_id

axiom Fact_parenttag_Object: parenttag(Fact_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

inductive isfact: int, int -> prop =
  | isfact0: isfact(0, 1)
  | isfactn: (forall n:int.
               (forall r_0:int.
                 (((n >= 1) and isfact((n - 1), r_0)) -> isfact(n, (r_0 * n)))))



predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Fact(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Fact(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Fact(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Fact(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Fact_po1.why ==========
goal Fact_fact_ensures_default_po_1:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  ("JC_46": ("JC_43": (0 <= 0)))

========== file tests/java/why/Fact_po2.why ==========
goal Fact_fact_ensures_default_po_2:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  ("JC_46": ("JC_44": (0 <= x_0_0)))

========== file tests/java/why/Fact_po3.why ==========
goal Fact_fact_ensures_default_po_3:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  ("JC_46": ("JC_45": isfact(0, 1)))

========== file tests/java/why/Fact_po4.why ==========
goal Fact_fact_ensures_default_po_4:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  forall a:int.
  forall y:int.
  ("JC_46":
  (("JC_43": (0 <= a)) and
   (("JC_44": (a <= x_0_0)) and ("JC_45": isfact(a, y))))) ->
  (a < x_0_0) ->
  forall a0:int.
  (a0 = (a + 1)) ->
  forall y0:int.
  (y0 = (y * a0)) ->
  ("JC_46": ("JC_43": (0 <= a0)))

========== file tests/java/why/Fact_po5.why ==========
goal Fact_fact_ensures_default_po_5:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  forall a:int.
  forall y:int.
  ("JC_46":
  (("JC_43": (0 <= a)) and
   (("JC_44": (a <= x_0_0)) and ("JC_45": isfact(a, y))))) ->
  (a < x_0_0) ->
  forall a0:int.
  (a0 = (a + 1)) ->
  forall y0:int.
  (y0 = (y * a0)) ->
  ("JC_46": ("JC_44": (a0 <= x_0_0)))

========== file tests/java/why/Fact_po6.why ==========
goal Fact_fact_ensures_default_po_6:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  forall a:int.
  forall y:int.
  ("JC_46":
  (("JC_43": (0 <= a)) and
   (("JC_44": (a <= x_0_0)) and ("JC_45": isfact(a, y))))) ->
  (a < x_0_0) ->
  forall a0:int.
  (a0 = (a + 1)) ->
  forall y0:int.
  (y0 = (y * a0)) ->
  ("JC_46": ("JC_45": isfact(a0, y0)))

========== file tests/java/why/Fact_po7.why ==========
goal Fact_fact_ensures_default_po_7:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  forall a:int.
  forall y:int.
  ("JC_46":
  (("JC_43": (0 <= a)) and
   (("JC_44": (a <= x_0_0)) and ("JC_45": isfact(a, y))))) ->
  (a >= x_0_0) ->
  forall return:int.
  (return = y) ->
  ("JC_31": isfact(x_0_0, return))

========== file tests/java/why/Fact_po8.why ==========
goal Fact_fact_safety_po_1:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  forall a:int.
  forall y:int.
  ("JC_40": true) ->
  ("JC_38":
  (("JC_35": (0 <= a)) and
   (("JC_36": (a <= x_0_0)) and ("JC_37": isfact(a, y))))) ->
  (a < x_0_0) ->
  forall a0:int.
  (a0 = (a + 1)) ->
  forall y0:int.
  (y0 = (y * a0)) ->
  (0 <= ("JC_42": (x_0_0 - a)))

========== file tests/java/why/Fact_po9.why ==========
goal Fact_fact_safety_po_2:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  forall a:int.
  forall y:int.
  ("JC_40": true) ->
  ("JC_38":
  (("JC_35": (0 <= a)) and
   (("JC_36": (a <= x_0_0)) and ("JC_37": isfact(a, y))))) ->
  (a < x_0_0) ->
  forall a0:int.
  (a0 = (a + 1)) ->
  forall y0:int.
  (y0 = (y * a0)) ->
  (("JC_42": (x_0_0 - a0)) < ("JC_42": (x_0_0 - a)))

========== generation of Simplify VC output ==========
why -simplify [...] why/Fact.why
========== file tests/java/simplify/Fact_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Fact_parenttag_Object
 (EQ (parenttag Fact_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(BG_PUSH
 ;; Why axiom isfact_inversion
 (FORALL (aux_1 aux_2)
 (IMPLIES (EQ (isfact aux_1 aux_2) |@true|)
 (OR (AND (EQ aux_1 0) (EQ aux_2 1))
 (EXISTS (n)
 (EXISTS (r_0)
 (AND (AND (>= n 1) (EQ (isfact (- n 1) r_0) |@true|))
 (AND (EQ aux_1 n) (EQ aux_2 (* r_0 n))))))))))

(BG_PUSH
 ;; Why axiom isfact0
 (EQ (isfact 0 1) |@true|))

(BG_PUSH
 ;; Why axiom isfactn
 (FORALL (n r_0)
 (IMPLIES (AND (>= n 1) (EQ (isfact (- n 1) r_0) |@true|))
 (EQ (isfact n (* r_0 n)) |@true|))))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Fact p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Fact p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Fact p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Fact p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Fact_fact_ensures_default_po_1, File "HOME/tests/java/Fact.java", line 20, characters 27-33
(FORALL (x_0_0) (IMPLIES (>= x_0_0 0) (<= 0 0)))

;; Fact_fact_ensures_default_po_2, File "HOME/tests/java/Fact.java", line 20, characters 32-38
(FORALL (x_0_0) (IMPLIES (>= x_0_0 0) (<= 0 x_0_0)))

;; Fact_fact_ensures_default_po_3, File "HOME/tests/java/Fact.java", line 20, characters 42-53
(FORALL (x_0_0) (IMPLIES (>= x_0_0 0) (EQ (isfact 0 1) |@true|)))

;; Fact_fact_ensures_default_po_4, File "HOME/tests/java/Fact.java", line 20, characters 27-33
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (a)
(FORALL (y)
(IMPLIES (AND (<= 0 a) (AND (<= a x_0_0) (EQ (isfact a y) |@true|)))
(IMPLIES (< a x_0_0)
(FORALL (a0)
(IMPLIES (EQ a0 (+ a 1)) (FORALL (y0) (IMPLIES (EQ y0 (* y a0)) (<= 0 a0)))))))))))

;; Fact_fact_ensures_default_po_5, File "HOME/tests/java/Fact.java", line 20, characters 32-38
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (a)
(FORALL (y)
(IMPLIES (AND (<= 0 a) (AND (<= a x_0_0) (EQ (isfact a y) |@true|)))
(IMPLIES (< a x_0_0)
(FORALL (a0)
(IMPLIES (EQ a0 (+ a 1))
(FORALL (y0) (IMPLIES (EQ y0 (* y a0)) (<= a0 x_0_0)))))))))))

;; Fact_fact_ensures_default_po_6, File "HOME/tests/java/Fact.java", line 20, characters 42-53
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (a)
(FORALL (y)
(IMPLIES (AND (<= 0 a) (AND (<= a x_0_0) (EQ (isfact a y) |@true|)))
(IMPLIES (< a x_0_0)
(FORALL (a0)
(IMPLIES (EQ a0 (+ a 1))
(FORALL (y0) (IMPLIES (EQ y0 (* y a0)) (EQ (isfact a0 y0) |@true|)))))))))))

;; Fact_fact_ensures_default_po_7, File "HOME/tests/java/Fact.java", line 16, characters 16-34
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (a)
(FORALL (y)
(IMPLIES (AND (<= 0 a) (AND (<= a x_0_0) (EQ (isfact a y) |@true|)))
(IMPLIES (>= a x_0_0)
(FORALL (return) (IMPLIES (EQ return y) (EQ (isfact x_0_0 return) |@true|)))))))))

;; Fact_fact_safety_po_1, File "HOME/tests/java/Fact.java", line 21, characters 25-28
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (a)
(FORALL (y)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 a) (AND (<= a x_0_0) (EQ (isfact a y) |@true|)))
(IMPLIES (< a x_0_0)
(FORALL (a0)
(IMPLIES (EQ a0 (+ a 1))
(FORALL (y0) (IMPLIES (EQ y0 (* y a0)) (<= 0 (- x_0_0 a)))))))))))))

;; Fact_fact_safety_po_2, File "HOME/tests/java/Fact.java", line 21, characters 25-28
(FORALL (x_0_0)
(IMPLIES (>= x_0_0 0)
(FORALL (a)
(FORALL (y)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 a) (AND (<= a x_0_0) (EQ (isfact a y) |@true|)))
(IMPLIES (< a x_0_0)
(FORALL (a0)
(IMPLIES (EQ a0 (+ a 1))
(FORALL (y0) (IMPLIES (EQ y0 (* y a0)) (< (- x_0_0 a0) (- x_0_0 a)))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Fact_why.sx          : ......... (9/0/0/0/0)
total   :   9
valid   :   9 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Fact.why
========== file tests/java/why/Fact_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Fact_tag : Object tag_id

axiom Fact_parenttag_Object: parenttag(Fact_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

logic isfact : int, int -> prop

axiom isfact_inversion:
  (forall aux_1:int.
    (forall aux_2:int [isfact(aux_1, aux_2)].
      (isfact(aux_1, aux_2) ->
       (((aux_1 = 0) and (aux_2 = 1)) or
        (exists n:int.
          (exists r_0:int.
            (((n >= 1) and isfact((n - 1), r_0)) and
             ((aux_1 = n) and (aux_2 = (r_0 * n))))))))))

axiom isfact0: isfact(0, 1)

axiom isfactn:
  (forall n:int.
    (forall r_0:int.
      (((n >= 1) and isfact((n - 1), r_0)) -> isfact(n, (r_0 * n)))))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Fact(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Fact(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Fact(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Fact(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Fact_fact_ensures_default_po_1:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  ("JC_46": ("JC_43": (0 <= 0)))

goal Fact_fact_ensures_default_po_2:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  ("JC_46": ("JC_44": (0 <= x_0_0)))

goal Fact_fact_ensures_default_po_3:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  ("JC_46": ("JC_45": isfact(0, 1)))

goal Fact_fact_ensures_default_po_4:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  forall a:int.
  forall y:int.
  ("JC_46":
  (("JC_43": (0 <= a)) and
   (("JC_44": (a <= x_0_0)) and ("JC_45": isfact(a, y))))) ->
  (a < x_0_0) ->
  forall a0:int.
  (a0 = (a + 1)) ->
  forall y0:int.
  (y0 = (y * a0)) ->
  ("JC_46": ("JC_43": (0 <= a0)))

goal Fact_fact_ensures_default_po_5:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  forall a:int.
  forall y:int.
  ("JC_46":
  (("JC_43": (0 <= a)) and
   (("JC_44": (a <= x_0_0)) and ("JC_45": isfact(a, y))))) ->
  (a < x_0_0) ->
  forall a0:int.
  (a0 = (a + 1)) ->
  forall y0:int.
  (y0 = (y * a0)) ->
  ("JC_46": ("JC_44": (a0 <= x_0_0)))

goal Fact_fact_ensures_default_po_6:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  forall a:int.
  forall y:int.
  ("JC_46":
  (("JC_43": (0 <= a)) and
   (("JC_44": (a <= x_0_0)) and ("JC_45": isfact(a, y))))) ->
  (a < x_0_0) ->
  forall a0:int.
  (a0 = (a + 1)) ->
  forall y0:int.
  (y0 = (y * a0)) ->
  ("JC_46": ("JC_45": isfact(a0, y0)))

goal Fact_fact_ensures_default_po_7:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  forall a:int.
  forall y:int.
  ("JC_46":
  (("JC_43": (0 <= a)) and
   (("JC_44": (a <= x_0_0)) and ("JC_45": isfact(a, y))))) ->
  (a >= x_0_0) ->
  forall return:int.
  (return = y) ->
  ("JC_31": isfact(x_0_0, return))

goal Fact_fact_safety_po_1:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  forall a:int.
  forall y:int.
  ("JC_40": true) ->
  ("JC_38":
  (("JC_35": (0 <= a)) and
   (("JC_36": (a <= x_0_0)) and ("JC_37": isfact(a, y))))) ->
  (a < x_0_0) ->
  forall a0:int.
  (a0 = (a + 1)) ->
  forall y0:int.
  (y0 = (y * a0)) ->
  (0 <= ("JC_42": (x_0_0 - a)))

goal Fact_fact_safety_po_2:
  forall x_0_0:int.
  ("JC_29": (x_0_0 >= 0)) ->
  forall a:int.
  forall y:int.
  ("JC_40": true) ->
  ("JC_38":
  (("JC_35": (0 <= a)) and
   (("JC_36": (a <= x_0_0)) and ("JC_37": isfact(a, y))))) ->
  (a < x_0_0) ->
  forall a0:int.
  (a0 = (a + 1)) ->
  forall y0:int.
  (y0 = (y * a0)) ->
  (("JC_42": (x_0_0 - a0)) < ("JC_42": (x_0_0 - a)))

why-2.34/tests/java/oracle/Counter.res.oracle0000644000175000017500000041441012311670312017547 0ustar  rtusers========== file tests/java/Counter.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

/*@ logic integer value{L}(Counter c) = 
  @    \at(c.increments,L) - \at(c.decrements,L);
  @*/

public class Counter {

    private int increments;
    private int decrements;

    //@ ensures value{Here}(this) == value{Old}(this) + 1;
    public void increment() {
        increments++;
    }

    //@ ensures value{Here}(this) == value{Old}(this) - 1;
    public void decrement() {
        decrements++;
    }

}

/*
Local Variables:
compile-command: "make Counter.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Counter_decrement for method Counter.decrement
Generating JC function cons_Counter for constructor Counter
Generating JC function Counter_increment for method Counter.increment
Done.
========== file tests/java/Counter.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Counter = Object with {
  integer increments; 
  integer decrements;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

logic integer value{L}(Counter[0..] c) =
(\at(c.increments,L) - \at(c.decrements,L))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit Counter_decrement(Counter[0] this_0)
behavior default:
  ensures (K_1 : (value{Here}(this_0) == (value{Old}(this_0) - 1)));
{  (K_2 : (this_0.decrements ++))
}

unit cons_Counter(! Counter[0] this_2)
{  (this_2.increments = 0);
   (this_2.decrements = 0)
}

unit Counter_increment(Counter[0] this_1)
behavior default:
  ensures (K_3 : (value{Here}(this_1) == (value{Old}(this_1) + 1)));
{  (K_4 : (this_1.increments ++))
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Counter.jloc tests/java/Counter.jc && make -f tests/java/Counter.makefile gui"
End:
*/
========== file tests/java/Counter.jloc ==========
[K_1]
file = "HOME/tests/java/Counter.java"
line = 48
begin = 16
end = 57

[K_4]
file = "HOME/tests/java/Counter.java"
line = 45
begin = 8
end = 20

[Counter_decrement]
name = "Method decrement"
file = "HOME/tests/java/Counter.java"
line = 49
begin = 16
end = 25

[K_2]
file = "HOME/tests/java/Counter.java"
line = 50
begin = 8
end = 20

[K_3]
file = "HOME/tests/java/Counter.java"
line = 43
begin = 16
end = 57

[Counter_increment]
name = "Method increment"
file = "HOME/tests/java/Counter.java"
line = 44
begin = 16
end = 25

[cons_Counter]
name = "Constructor of class Counter"
file = "HOME/"
line = 0
begin = -1
end = -1

========== jessie execution ==========
Generating Why function Counter_decrement
Generating Why function cons_Counter
Generating Why function Counter_increment
========== file tests/java/Counter.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Counter.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Counter.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Counter_why.sx

project: why/Counter.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Counter_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Counter_why.vo

coq/Counter_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Counter_why.v: why/Counter.why
	@echo 'why -coq [...] why/Counter.why' && $(WHY) $(JESSIELIBFILES) why/Counter.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Counter_ctx_why.vo
	for f in why/*_po*.why; do make -f Counter.makefile coq/`basename $$f .why`_why.v ; done

coq/Counter_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Counter_ctx_why.v: why/Counter_ctx.why
	@echo 'why -coq [...] why/Counter_ctx.why' && $(WHY) why/Counter_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Counter_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Counter_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Counter_ctx_why.vo

pvs: pvs/Counter_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Counter_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Counter_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Counter_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Counter_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Counter_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Counter_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Counter_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Counter_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Counter_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Counter_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Counter_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Counter_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Counter_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Counter_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Counter.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Counter_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Counter.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Counter.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Counter.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Counter.depend

depend: coq/Counter_why.v
	-$(COQDEP) -I coq coq/Counter*_why.v > Counter.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Counter.loc ==========
[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/Counter.jc"
line = 39
begin = 11
end = 65

[cons_Counter_ensures_default]
name = "Constructor of class Counter"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/Counter.java"
line = 48
begin = 16
end = 57

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Counter.jc"
line = 37
begin = 8
end = 23

[JC_24]
file = "HOME/tests/java/Counter.java"
line = 48
begin = 16
end = 57

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[Counter_decrement_ensures_default]
name = "Method decrement"
behavior = "default behavior"
file = "HOME/tests/java/Counter.java"
line = 49
begin = 16
end = 25

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[Counter_decrement_safety]
name = "Method decrement"
behavior = "Safety"
file = "HOME/tests/java/Counter.java"
line = 49
begin = 16
end = 25

[JC_11]
file = "HOME/tests/java/Counter.jc"
line = 37
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Counter.java"
line = 43
begin = 16
end = 57

[JC_40]
file = "HOME/tests/java/Counter.java"
line = 43
begin = 16
end = 57

[JC_35]
file = "HOME/tests/java/Counter.java"
line = 44
begin = 16
end = 25

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[Counter_increment_ensures_default]
name = "Method increment"
behavior = "default behavior"
file = "HOME/tests/java/Counter.java"
line = 44
begin = 16
end = 25

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[Counter_increment_safety]
name = "Method increment"
behavior = "Safety"
file = "HOME/tests/java/Counter.java"
line = 44
begin = 16
end = 25

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Counter.java"
line = 49
begin = 16
end = 25

[JC_1]
file = "HOME/tests/java/Counter.jc"
line = 10
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/Counter.java"
line = 44
begin = 16
end = 25

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Counter_safety]
name = "Constructor of class Counter"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Counter.jc"
line = 39
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Counter.jc"
line = 10
begin = 12
end = 22

[JC_19]
file = "HOME/tests/java/Counter.java"
line = 49
begin = 16
end = 25

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Counter.why ==========
type Object

type interface

logic Counter_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Counter_parenttag_Object : parenttag(Counter_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Counter(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Counter(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Counter(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Counter(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

function value(c:Object pointer,
 Counter_decrements_at_L:(Object, int) memory,
 Counter_increments_at_L:(Object, int) memory) : int =
 sub_int(select(Counter_increments_at_L, c),
 select(Counter_decrements_at_L, c))

parameter Object_alloc_table : Object alloc_table ref

parameter Counter_decrements : (Object, int) memory ref

parameter Counter_increments : (Object, int) memory ref

parameter Counter_decrement :
 this_0:Object pointer ->
  { } unit reads Counter_decrements,Counter_increments,Object_alloc_table
  writes Counter_decrements
  { (JC_24:
    (value(this_0, Counter_decrements, Counter_increments) = sub_int(
                                                             value(this_0,
                                                             Counter_decrements@,
                                                             Counter_increments@),
                                                             (1)))) }

parameter Counter_decrement_requires :
 this_0:Object pointer ->
  { } unit reads Counter_decrements,Counter_increments,Object_alloc_table
  writes Counter_decrements
  { (JC_24:
    (value(this_0, Counter_decrements, Counter_increments) = sub_int(
                                                             value(this_0,
                                                             Counter_decrements@,
                                                             Counter_increments@),
                                                             (1)))) }

parameter Counter_increment :
 this_1:Object pointer ->
  { } unit reads Counter_decrements,Counter_increments,Object_alloc_table
  writes Counter_increments
  { (JC_40:
    (value(this_1, Counter_decrements, Counter_increments) = add_int(
                                                             value(this_1,
                                                             Counter_decrements@,
                                                             Counter_increments@),
                                                             (1)))) }

parameter Counter_increment_requires :
 this_1:Object pointer ->
  { } unit reads Counter_decrements,Counter_increments,Object_alloc_table
  writes Counter_increments
  { (JC_40:
    (value(this_1, Counter_decrements, Counter_increments) = add_int(
                                                             value(this_1,
                                                             Counter_decrements@,
                                                             Counter_increments@),
                                                             (1)))) }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Counter :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Counter(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Counter_tag)))) }

parameter alloc_struct_Counter_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Counter(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Counter_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Counter :
 this_2:Object pointer ->
  { } unit reads Object_alloc_table
  writes Counter_decrements,Counter_increments { true }

parameter cons_Counter_requires :
 this_2:Object pointer ->
  { } unit reads Object_alloc_table
  writes Counter_decrements,Counter_increments { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Counter_decrement_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Counter(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_2:
     (let _jessie_ = ((safe_acc_ !Counter_decrements) this_0) in
     begin
       (let _jessie_ = ((add_int _jessie_) (1)) in
       (let _jessie_ = this_0 in
       (((safe_upd_ Counter_decrements) _jessie_) _jessie_))); _jessie_
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_23:
    (value(this_0, Counter_decrements, Counter_increments) = sub_int(
                                                             value(this_0,
                                                             Counter_decrements@,
                                                             Counter_increments@),
                                                             (1)))) }

let Counter_decrement_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Counter(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_2:
     (let _jessie_ = ((safe_acc_ !Counter_decrements) this_0) in
     begin
       (let _jessie_ = ((add_int _jessie_) (1)) in
       (let _jessie_ = this_0 in
       (((safe_upd_ Counter_decrements) _jessie_) _jessie_))); _jessie_
     end)) in void); (raise Return) end with Return -> void end) { true }

let Counter_increment_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_Counter(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_4:
     (let _jessie_ = ((safe_acc_ !Counter_increments) this_1) in
     begin
       (let _jessie_ = ((add_int _jessie_) (1)) in
       (let _jessie_ = this_1 in
       (((safe_upd_ Counter_increments) _jessie_) _jessie_))); _jessie_
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_39:
    (value(this_1, Counter_decrements, Counter_increments) = add_int(
                                                             value(this_1,
                                                             Counter_decrements@,
                                                             Counter_increments@),
                                                             (1)))) }

let Counter_increment_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_Counter(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_4:
     (let _jessie_ = ((safe_acc_ !Counter_increments) this_1) in
     begin
       (let _jessie_ = ((add_int _jessie_) (1)) in
       (let _jessie_ = this_1 in
       (((safe_upd_ Counter_increments) _jessie_) _jessie_))); _jessie_
     end)) in void); (raise Return) end with Return -> void end) { true }

let cons_Counter_ensures_default =
 fun (this_2 : Object pointer) ->
  { valid_struct_Counter(this_2, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (0) in
       (let _jessie_ = this_2 in
       (((safe_upd_ Counter_increments) _jessie_) _jessie_)));
      (let _jessie_ = (0) in
      begin
        (let _jessie_ = this_2 in
        (((safe_upd_ Counter_decrements) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_31: true) }

let cons_Counter_safety =
 fun (this_2 : Object pointer) ->
  { valid_struct_Counter(this_2, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (0) in
       (let _jessie_ = this_2 in
       (((safe_upd_ Counter_increments) _jessie_) _jessie_)));
      (let _jessie_ = (0) in
      begin
        (let _jessie_ = this_2 in
        (((safe_upd_ Counter_decrements) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true }


========== make project execution ==========
why --project [...] why/Counter.why
========== file tests/java/why/Counter.wpr ==========

  
    
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/Counter_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Counter_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Counter_parenttag_Object: parenttag(Counter_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Counter(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Counter(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Counter(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Counter(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

function value(c: Object pointer, Counter_decrements_at_L: (Object,
  int) memory, Counter_increments_at_L: (Object, int) memory) : int =
  (select(Counter_increments_at_L, c) - select(Counter_decrements_at_L, c))

========== file tests/java/why/Counter_po1.why ==========
goal Counter_decrement_ensures_default_po_1:
  forall this_0:Object pointer.
  forall Counter_decrements:(Object,
  int) memory.
  forall Counter_increments:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Counter(this_0, 0, 0, Object_alloc_table) ->
  forall result:int.
  (result = select(Counter_decrements, this_0)) ->
  forall Counter_decrements0:(Object,
  int) memory.
  (Counter_decrements0 = store(Counter_decrements, this_0, (result + 1))) ->
  ("JC_23": (value(this_0, Counter_decrements0,
  Counter_increments) = (value(this_0, Counter_decrements,
  Counter_increments) - 1)))

========== file tests/java/why/Counter_po2.why ==========
goal Counter_increment_ensures_default_po_1:
  forall this_1:Object pointer.
  forall Counter_decrements:(Object,
  int) memory.
  forall Counter_increments:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Counter(this_1, 0, 0, Object_alloc_table) ->
  forall result:int.
  (result = select(Counter_increments, this_1)) ->
  forall Counter_increments0:(Object,
  int) memory.
  (Counter_increments0 = store(Counter_increments, this_1, (result + 1))) ->
  ("JC_39": (value(this_1, Counter_decrements,
  Counter_increments0) = (value(this_1, Counter_decrements,
  Counter_increments) + 1)))

========== generation of Simplify VC output ==========
why -simplify [...] why/Counter.why
========== file tests/java/simplify/Counter_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Counter_parenttag_Object
 (EQ (parenttag Counter_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Counter p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Counter p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Counter p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Counter p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom value_def
 (FORALL (c Counter_decrements_at_L Counter_increments_at_L)
 (EQ (value c Counter_decrements_at_L Counter_increments_at_L)
 (- (select Counter_increments_at_L c) (select Counter_decrements_at_L c)))))

;; Counter_decrement_ensures_default_po_1, File "HOME/tests/java/Counter.java", line 48, characters 16-57
(FORALL (this_0)
(FORALL (Counter_decrements)
(FORALL (Counter_increments)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Counter this_0 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Counter_decrements this_0))
(FORALL (Counter_decrements0)
(IMPLIES (EQ Counter_decrements0
         (|why__store| Counter_decrements this_0 (+ result 1)))
(EQ (value this_0 Counter_decrements0 Counter_increments)
(- (value this_0 Counter_decrements Counter_increments) 1)))))))))))

;; Counter_increment_ensures_default_po_1, File "HOME/tests/java/Counter.java", line 43, characters 16-57
(FORALL (this_1)
(FORALL (Counter_decrements)
(FORALL (Counter_increments)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Counter this_1 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Counter_increments this_1))
(FORALL (Counter_increments0)
(IMPLIES (EQ Counter_increments0
         (|why__store| Counter_increments this_1 (+ result 1)))
(EQ (value this_1 Counter_decrements Counter_increments0)
(+ (value this_1 Counter_decrements Counter_increments) 1)))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Counter_why.sx       : .. (2/0/0/0/0)
total   :   2
valid   :   2 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Counter.why
========== file tests/java/why/Counter_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Counter_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Counter_parenttag_Object: parenttag(Counter_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Counter(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Counter(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Counter(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Counter(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

function value(c: Object pointer, Counter_decrements_at_L: (Object,
  int) memory, Counter_increments_at_L: (Object, int) memory) : int =
  (select(Counter_increments_at_L, c) - select(Counter_decrements_at_L, c))

goal Counter_decrement_ensures_default_po_1:
  forall this_0:Object pointer.
  forall Counter_decrements:(Object,
  int) memory.
  forall Counter_increments:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Counter(this_0, 0, 0, Object_alloc_table) ->
  forall result:int.
  (result = select(Counter_decrements, this_0)) ->
  forall Counter_decrements0:(Object,
  int) memory.
  (Counter_decrements0 = store(Counter_decrements, this_0, (result + 1))) ->
  ("JC_23": (value(this_0, Counter_decrements0,
  Counter_increments) = (value(this_0, Counter_decrements,
  Counter_increments) - 1)))

goal Counter_increment_ensures_default_po_1:
  forall this_1:Object pointer.
  forall Counter_decrements:(Object,
  int) memory.
  forall Counter_increments:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Counter(this_1, 0, 0, Object_alloc_table) ->
  forall result:int.
  (result = select(Counter_increments, this_1)) ->
  forall Counter_increments0:(Object,
  int) memory.
  (Counter_increments0 = store(Counter_increments, this_1, (result + 1))) ->
  ("JC_39": (value(this_1, Counter_decrements,
  Counter_increments0) = (value(this_1, Counter_decrements,
  Counter_increments) + 1)))

why-2.34/tests/java/oracle/MyCosine.err.oracle0000644000175000017500000000000012311670312017637 0ustar  rtuserswhy-2.34/tests/java/oracle/Gcd.err.oracle0000644000175000017500000000000012311670312016606 0ustar  rtuserswhy-2.34/tests/java/oracle/Fresh3.err.oracle0000644000175000017500000000000012311670312017243 0ustar  rtuserswhy-2.34/tests/java/oracle/ArrayMax.err.oracle0000644000175000017500000000000012311670312017635 0ustar  rtuserswhy-2.34/tests/java/oracle/Duplets.err.oracle0000644000175000017500000000022212311670312017537 0ustar  rtusersFile "jc/jc_pervasives.ml", line 864, characters 6-6:
Uncaught exception: File "jc/jc_pervasives.ml", line 864, characters 6-12: Assertion failed
why-2.34/tests/java/oracle/Creation.res.oracle0000644000175000017500000061133712311670312017703 0ustar  rtusers========== file tests/java/Creation.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

class Creation {

    int simple_val;

    /*@ behavior normal:
      @   assigns this.simple_val; // not \nothing 
      @   ensures this.simple_val == 0;
      @*/
    Creation() {
	this(0);
    }

    /*@ behavior normal:
      @   assigns this.simple_val; // not \nothing
      @   ensures this.simple_val == n;
      @*/
    Creation(int n) {
	simple_val = n;
    }

    /*@ behavior normal:
      @   assigns this.simple_val; // not \nothing
      @   ensures this.simple_val == n + m;
      @*/
    Creation(int n,int m) {
	this(n+m); 
    }

    /*@ behavior normal:
      @   ensures \result == 17;
      @*/
    public static int test1() {
	Creation t = new Creation(17);
	return t.simple_val;
    }

    /*@ behavior normal:
      @   ensures \result == 0;
      @*/
    public static int test2() {
	Creation t = new Creation();
	return t.simple_val;
    }

    /*@ behavior normal:
      @   assigns \nothing;             // BUG !!!!!!!!!!!!
      @   ensures \result == 17;
      @*/
    public static int test3() {
	Creation t = new Creation(10,7);
	return t.simple_val;
    }

}


class TestSuperConstructor extends Creation {

    /*@ behavior normal:
      @   assigns simple_val;
      @   ensures simple_val == 12;
      @*/
    TestSuperConstructor() {
	super(12);
    }

}


/*
Local Variables:
compile-command: "make Creation.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Creation_int for constructor Creation
Generating JC function cons_TestSuperConstructor for constructor TestSuperConstructor
Generating JC function cons_Creation for constructor Creation
Generating JC function Creation_test2 for method Creation.test2
Generating JC function cons_Creation_int_int for constructor Creation
Generating JC function Creation_test3 for method Creation.test3
Generating JC function Creation_test1 for method Creation.test1
Done.
========== file tests/java/Creation.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Creation = Object with {
  integer simple_val;
}

tag TestSuperConstructor = Creation with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Creation_int(! Creation[0] this_1, integer n)
behavior normal:
  assigns this_1.simple_val;
  ensures (K_1 : (this_1.simple_val == n));
{  (this_1.simple_val = 0);
   (K_2 : (this_1.simple_val = n))
}

unit cons_TestSuperConstructor(! TestSuperConstructor[0] this_4)
behavior normal:
  assigns this_4.simple_val;
  ensures (K_3 : (this_4.simple_val == 12));
{  (K_4 : cons_Creation_int(this_4, 12))
}

unit cons_Creation(! Creation[0] this_2)
behavior normal:
  assigns this_2.simple_val;
  ensures (K_5 : (this_2.simple_val == 0));
{  (this_2.simple_val = 0);
   (K_6 : cons_Creation_int(this_2, 0))
}

integer Creation_test2()
behavior normal:
  ensures (K_7 : (\result == 0));
{  
   {  
      (var Creation[0..] t_0 = (K_9 : 
                               {  
                                  (var Creation[0] this = (new Creation[1]));
                                  
                                  {  
                                     (var unit _tt = cons_Creation(this));
                                     this
                                  }
                               }));
      
      (return (K_8 : t_0.simple_val))
   }
}

unit cons_Creation_int_int(! Creation[0] this_0, integer n_0, integer m)
behavior normal:
  assigns this_0.simple_val;
  ensures (K_10 : (this_0.simple_val == (n_0 + m)));
{  (this_0.simple_val = 0);
   (K_12 : cons_Creation_int(this_0, (K_11 : (n_0 + m))))
}

integer Creation_test3()
behavior normal:
  assigns \nothing;
  ensures (K_13 : (\result == 17));
{  
   {  
      (var Creation[0..] t = (K_15 : 
                             {  
                                (var Creation[0] this = (new Creation[1]));
                                
                                {  
                                   (var unit _tt = cons_Creation_int_int(
                                   this, 10, 7));
                                   this
                                }
                             }));
      
      (return (K_14 : t.simple_val))
   }
}

integer Creation_test1()
behavior normal:
  ensures (K_16 : (\result == 17));
{  
   {  
      (var Creation[0..] t_1 = (K_18 : 
                               {  
                                  (var Creation[0] this = (new Creation[1]));
                                  
                                  {  
                                     (var unit _tt = cons_Creation_int(
                                     this, 17));
                                     this
                                  }
                               }));
      
      (return (K_17 : t_1.simple_val))
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Creation.jloc tests/java/Creation.jc && make -f tests/java/Creation.makefile gui"
End:
*/
========== file tests/java/Creation.jloc ==========
[cons_Creation_int]
name = "Constructor of class Creation"
file = "HOME/tests/java/Creation.java"
line = 50
begin = 4
end = 12

[K_17]
file = "HOME/tests/java/Creation.java"
line = 67
begin = 8
end = 20

[K_11]
file = "HOME/tests/java/Creation.java"
line = 59
begin = 6
end = 9

[K_13]
file = "HOME/tests/java/Creation.java"
line = 80
begin = 18
end = 31

[K_9]
file = "HOME/tests/java/Creation.java"
line = 74
begin = 14
end = 28

[K_1]
file = "HOME/tests/java/Creation.java"
line = 48
begin = 18
end = 38

[K_15]
file = "HOME/tests/java/Creation.java"
line = 83
begin = 14
end = 32

[Creation_test3]
name = "Method test3"
file = "HOME/tests/java/Creation.java"
line = 82
begin = 22
end = 27

[K_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[K_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_TestSuperConstructor]
name = "Constructor of class TestSuperConstructor"
file = "HOME/tests/java/Creation.java"
line = 96
begin = 4
end = 24

[K_2]
file = "HOME/tests/java/Creation.java"
line = 51
begin = 1
end = 15

[cons_Creation]
name = "Constructor of class Creation"
file = "HOME/tests/java/Creation.java"
line = 42
begin = 4
end = 12

[K_10]
file = "HOME/tests/java/Creation.java"
line = 56
begin = 18
end = 42

[K_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[Creation_test1]
name = "Method test1"
file = "HOME/tests/java/Creation.java"
line = 65
begin = 22
end = 27

[K_8]
file = "HOME/tests/java/Creation.java"
line = 75
begin = 8
end = 20

[K_3]
file = "HOME/tests/java/Creation.java"
line = 94
begin = 18
end = 34

[Creation_test2]
name = "Method test2"
file = "HOME/tests/java/Creation.java"
line = 73
begin = 22
end = 27

[K_14]
file = "HOME/tests/java/Creation.java"
line = 84
begin = 8
end = 20

[cons_Creation_int_int]
name = "Constructor of class Creation"
file = "HOME/tests/java/Creation.java"
line = 58
begin = 4
end = 12

[K_5]
file = "HOME/tests/java/Creation.java"
line = 40
begin = 18
end = 38

[K_18]
file = "HOME/tests/java/Creation.java"
line = 66
begin = 14
end = 30

[K_7]
file = "HOME/tests/java/Creation.java"
line = 71
begin = 18
end = 30

[K_16]
file = "HOME/tests/java/Creation.java"
line = 63
begin = 18
end = 31

========== jessie execution ==========
Generating Why function cons_Creation_int
Generating Why function cons_TestSuperConstructor
Generating Why function cons_Creation
Generating Why function Creation_test2
Generating Why function cons_Creation_int_int
Generating Why function Creation_test3
Generating Why function Creation_test1
========== file tests/java/Creation.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Creation.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Creation.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Creation_why.sx

project: why/Creation.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Creation_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Creation_why.vo

coq/Creation_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Creation_why.v: why/Creation.why
	@echo 'why -coq [...] why/Creation.why' && $(WHY) $(JESSIELIBFILES) why/Creation.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Creation_ctx_why.vo
	for f in why/*_po*.why; do make -f Creation.makefile coq/`basename $$f .why`_why.v ; done

coq/Creation_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Creation_ctx_why.v: why/Creation_ctx.why
	@echo 'why -coq [...] why/Creation_ctx.why' && $(WHY) why/Creation_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Creation_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Creation_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Creation_ctx_why.vo

pvs: pvs/Creation_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Creation_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Creation_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Creation_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Creation_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Creation_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Creation_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Creation_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Creation_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Creation_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Creation_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Creation_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Creation_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Creation_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Creation_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Creation.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Creation_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Creation.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Creation.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Creation.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Creation.depend

depend: coq/Creation_why.v
	-$(COQDEP) -I coq coq/Creation*_why.v > Creation.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Creation.loc ==========
[cons_Creation_ensures_default]
name = "Constructor of class Creation"
behavior = "default behavior"
file = "HOME/tests/java/Creation.java"
line = 42
begin = 4
end = 12

[cons_Creation_safety]
name = "Constructor of class Creation"
behavior = "Safety"
file = "HOME/tests/java/Creation.java"
line = 42
begin = 4
end = 12

[JC_94]
file = "HOME/tests/java/Creation.java"
line = 58
begin = 4
end = 12

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/tests/java/Creation.jc"
line = 64
begin = 9
end = 15

[JC_80]
kind = IndexBounds
file = "HOME/tests/java/Creation.java"
line = 75
begin = 8
end = 20

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/java/Creation.java"
line = 96
begin = 4
end = 24

[JC_123]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 109
begin = 51
end = 121

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/tests/java/Creation.java"
line = 80
begin = 18
end = 31

[cons_TestSuperConstructor_ensures_default]
name = "Constructor of class TestSuperConstructor"
behavior = "default behavior"
file = "HOME/tests/java/Creation.java"
line = 96
begin = 4
end = 24

[JC_116]
kind = AllocSize
file = "HOME/tests/java/Creation.jc"
line = 106
begin = 57
end = 72

[JC_64]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 68
begin = 10
end = 38

[JC_133]
file = "HOME/tests/java/Creation.java"
line = 63
begin = 18
end = 31

[cons_Creation_int_ensures_default]
name = "Constructor of class Creation"
behavior = "default behavior"
file = "HOME/tests/java/Creation.java"
line = 50
begin = 4
end = 12

[JC_99]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 95
begin = 11
end = 56

[JC_85]
file = "HOME/tests/java/Creation.java"
line = 58
begin = 4
end = 12

[JC_126]
file = "HOME/tests/java/Creation.java"
line = 65
begin = 22
end = 27

[cons_Creation_ensures_normal]
name = "Constructor of class Creation"
behavior = "Behavior `normal'"
file = "HOME/tests/java/Creation.java"
line = 42
begin = 4
end = 12

[JC_31]
file = "HOME/tests/java/Creation.java"
line = 50
begin = 4
end = 12

[JC_17]
file = "HOME/tests/java/Creation.jc"
line = 41
begin = 11
end = 65

[JC_122]
kind = AllocSize
file = "HOME/tests/java/Creation.jc"
line = 106
begin = 57
end = 72

[JC_81]
kind = AllocSize
file = "HOME/tests/java/Creation.jc"
line = 78
begin = 59
end = 74

[Creation_test2_safety]
name = "Method test2"
behavior = "Safety"
file = "HOME/tests/java/Creation.java"
line = 73
begin = 22
end = 27

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
kind = AllocSize
file = "HOME/tests/java/Creation.jc"
line = 126
begin = 59
end = 74

[JC_134]
kind = AllocSize
file = "HOME/tests/java/Creation.jc"
line = 126
begin = 59
end = 74

[JC_137]
kind = IndexBounds
file = "HOME/tests/java/Creation.java"
line = 67
begin = 8
end = 20

[JC_48]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 60
begin = 10
end = 39

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 109
begin = 51
end = 121

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/Creation.java"
line = 73
begin = 22
end = 27

[JC_9]
file = "HOME/tests/java/Creation.jc"
line = 39
begin = 8
end = 23

[Creation_test1_ensures_default]
name = "Method test1"
behavior = "default behavior"
file = "HOME/tests/java/Creation.java"
line = 65
begin = 22
end = 27

[JC_75]
file = "HOME/tests/java/Creation.java"
line = 71
begin = 18
end = 30

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
kind = IndexBounds
file = "HOME/tests/java/Creation.jc"
line = 78
begin = 35
end = 75

[JC_41]
file = "HOME/tests/java/Creation.java"
line = 94
begin = 18
end = 34

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 60
begin = 10
end = 39

[cons_Creation_int_int_ensures_default]
name = "Constructor of class Creation"
behavior = "default behavior"
file = "HOME/tests/java/Creation.java"
line = 58
begin = 4
end = 12

[JC_52]
file = "HOME/tests/java/Creation.java"
line = 42
begin = 4
end = 12

[cons_TestSuperConstructor_ensures_normal]
name = "Constructor of class TestSuperConstructor"
behavior = "Behavior `normal'"
file = "HOME/tests/java/Creation.java"
line = 96
begin = 4
end = 24

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 81
begin = 53
end = 72

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 81
begin = 53
end = 72

[JC_87]
file = "HOME/tests/java/Creation.java"
line = 58
begin = 4
end = 12

[JC_11]
file = "HOME/tests/java/Creation.jc"
line = 39
begin = 8
end = 23

[JC_98]
file = "HOME/tests/java/Creation.jc"
line = 91
begin = 9
end = 15

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[Creation_test3_ensures_normal]
name = "Method test3"
behavior = "Behavior `normal'"
file = "HOME/tests/java/Creation.java"
line = 82
begin = 22
end = 27

[JC_104]
file = "HOME/tests/java/Creation.java"
line = 82
begin = 22
end = 27

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/tests/java/Creation.jc"
line = 99
begin = 9
end = 15

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
kind = IndexBounds
file = "HOME/tests/java/Creation.jc"
line = 126
begin = 35
end = 75

[Creation_test3_safety]
name = "Method test3"
behavior = "Safety"
file = "HOME/tests/java/Creation.java"
line = 82
begin = 22
end = 27

[JC_83]
kind = AllocSize
file = "HOME/tests/java/Creation.jc"
line = 78
begin = 59
end = 74

[JC_35]
file = "HOME/tests/java/Creation.java"
line = 96
begin = 4
end = 24

[cons_Creation_int_safety]
name = "Constructor of class Creation"
behavior = "Safety"
file = "HOME/tests/java/Creation.java"
line = 50
begin = 4
end = 12

[JC_132]
file = "HOME/tests/java/Creation.java"
line = 63
begin = 18
end = 31

[JC_27]
file = "HOME/tests/java/Creation.java"
line = 48
begin = 18
end = 38

[JC_115]
file = "HOME/tests/java/Creation.jc"
line = 99
begin = 9
end = 15

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/tests/java/Creation.java"
line = 73
begin = 22
end = 27

[JC_124]
file = "HOME/tests/java/Creation.java"
line = 65
begin = 22
end = 27

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Creation.java"
line = 94
begin = 18
end = 34

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/java/Creation.java"
line = 42
begin = 4
end = 12

[JC_101]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 95
begin = 11
end = 56

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Creation.java"
line = 96
begin = 4
end = 24

[JC_110]
file = "HOME/tests/java/Creation.java"
line = 80
begin = 18
end = 31

[cons_Creation_int_int_safety]
name = "Constructor of class Creation"
behavior = "Safety"
file = "HOME/tests/java/Creation.java"
line = 58
begin = 4
end = 12

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/tests/java/Creation.jc"
line = 57
begin = 9
end = 15

[JC_141]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 129
begin = 53
end = 118

[JC_61]
file = "HOME/tests/java/Creation.java"
line = 40
begin = 18
end = 38

[JC_32]
file = "HOME/tests/java/Creation.jc"
line = 49
begin = 9
end = 15

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/tests/java/Creation.java"
line = 96
begin = 4
end = 24

[JC_65]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 68
begin = 10
end = 38

[JC_118]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 109
begin = 51
end = 121

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
kind = AllocSize
file = "HOME/tests/java/Creation.jc"
line = 126
begin = 59
end = 74

[JC_29]
file = "HOME/tests/java/Creation.jc"
line = 49
begin = 9
end = 15

[Creation_test2_ensures_default]
name = "Method test2"
behavior = "default behavior"
file = "HOME/tests/java/Creation.java"
line = 73
begin = 22
end = 27

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/tests/java/Creation.java"
line = 56
begin = 18
end = 42

[JC_43]
file = "HOME/tests/java/Creation.jc"
line = 57
begin = 9
end = 15

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/Creation.jc"
line = 91
begin = 9
end = 15

[JC_93]
file = "HOME/tests/java/Creation.java"
line = 56
begin = 18
end = 42

[JC_97]
file = "HOME/tests/java/Creation.java"
line = 58
begin = 4
end = 12

[JC_84]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 81
begin = 53
end = 72

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/tests/java/Creation.java"
line = 82
begin = 22
end = 27

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
kind = IndexBounds
file = "HOME/tests/java/Creation.jc"
line = 106
begin = 33
end = 73

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Creation.java"
line = 50
begin = 4
end = 12

[JC_111]
file = "HOME/tests/java/Creation.java"
line = 82
begin = 22
end = 27

[JC_77]
kind = AllocSize
file = "HOME/tests/java/Creation.jc"
line = 78
begin = 59
end = 74

[JC_49]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 60
begin = 10
end = 39

[JC_1]
file = "HOME/tests/java/Creation.jc"
line = 10
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/tests/java/Creation.java"
line = 82
begin = 22
end = 27

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Creation_int_int_ensures_normal]
name = "Constructor of class Creation"
behavior = "Behavior `normal'"
file = "HOME/tests/java/Creation.java"
line = 58
begin = 4
end = 12

[Creation_test1_ensures_normal]
name = "Method test1"
behavior = "Behavior `normal'"
file = "HOME/tests/java/Creation.java"
line = 65
begin = 22
end = 27

[JC_136]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 129
begin = 53
end = 118

[JC_66]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 68
begin = 10
end = 38

[JC_59]
file = "HOME/tests/java/Creation.java"
line = 42
begin = 4
end = 12

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[Creation_test3_ensures_default]
name = "Method test3"
behavior = "default behavior"
file = "HOME/tests/java/Creation.java"
line = 82
begin = 22
end = 27

[cons_TestSuperConstructor_safety]
name = "Constructor of class TestSuperConstructor"
behavior = "Safety"
file = "HOME/tests/java/Creation.java"
line = 96
begin = 4
end = 24

[JC_18]
file = "HOME/tests/java/Creation.jc"
line = 41
begin = 11
end = 65

[Creation_test1_safety]
name = "Method test1"
behavior = "Safety"
file = "HOME/tests/java/Creation.java"
line = 65
begin = 22
end = 27

[JC_3]
file = "HOME/tests/java/Creation.jc"
line = 10
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[Creation_test2_ensures_normal]
name = "Method test2"
behavior = "Behavior `normal'"
file = "HOME/tests/java/Creation.java"
line = 73
begin = 22
end = 27

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/tests/java/Creation.jc"
line = 64
begin = 9
end = 15

[JC_139]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 129
begin = 53
end = 118

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/Creation.java"
line = 50
begin = 4
end = 12

[JC_119]
kind = IndexBounds
file = "HOME/tests/java/Creation.java"
line = 84
begin = 8
end = 20

[JC_76]
file = "HOME/tests/java/Creation.java"
line = 71
begin = 18
end = 30

[JC_50]
file = "HOME/tests/java/Creation.java"
line = 42
begin = 4
end = 12

[cons_Creation_int_ensures_normal]
name = "Constructor of class Creation"
behavior = "Behavior `normal'"
file = "HOME/tests/java/Creation.java"
line = 50
begin = 4
end = 12

[JC_30]
file = "HOME/tests/java/Creation.java"
line = 48
begin = 18
end = 38

[JC_120]
kind = AllocSize
file = "HOME/tests/java/Creation.jc"
line = 106
begin = 57
end = 72

[JC_58]
file = "HOME/tests/java/Creation.java"
line = 40
begin = 18
end = 38

[JC_100]
kind = UserCall
file = "HOME/tests/java/Creation.jc"
line = 95
begin = 11
end = 56

[JC_28]
file = "HOME/tests/java/Creation.java"
line = 50
begin = 4
end = 12

========== file tests/java/why/Creation.why ==========
type Object

type interface

logic Creation_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Creation_parenttag_Object : parenttag(Creation_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic TestSuperConstructor_tag:  -> Object tag_id

axiom TestSuperConstructor_parenttag_Creation :
 parenttag(TestSuperConstructor_tag, Creation_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Creation(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_TestSuperConstructor(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Creation(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Creation(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_TestSuperConstructor(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Creation(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Creation(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_TestSuperConstructor(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Creation(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Creation(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_TestSuperConstructor(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Creation(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Creation_simple_val : (Object, int) memory ref

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

parameter Creation_test1 :
 tt:unit ->
  { } int reads Creation_simple_val,Object_alloc_table
  writes Creation_simple_val,Object_alloc_table,Object_tag_table
  { (JC_133: (result = (17))) }

parameter Creation_test1_requires :
 tt:unit ->
  { } int reads Creation_simple_val,Object_alloc_table
  writes Creation_simple_val,Object_alloc_table,Object_tag_table
  { (JC_133: (result = (17))) }

parameter Creation_test2 :
 tt:unit ->
  { } int reads Creation_simple_val,Object_alloc_table
  writes Creation_simple_val,Object_alloc_table,Object_tag_table
  { (JC_76: (result = (0))) }

parameter Creation_test2_requires :
 tt:unit ->
  { } int reads Creation_simple_val,Object_alloc_table
  writes Creation_simple_val,Object_alloc_table,Object_tag_table
  { (JC_76: (result = (0))) }

parameter Creation_test3 :
 tt:unit ->
  { } int reads Creation_simple_val,Object_alloc_table
  writes Creation_simple_val,Object_alloc_table,Object_tag_table
  { (JC_115:
    ((JC_113: (result = (17)))
    and (JC_114:
        not_assigns(Object_alloc_table@, Creation_simple_val@,
        Creation_simple_val, pset_empty)))) }

parameter Creation_test3_requires :
 tt:unit ->
  { } int reads Creation_simple_val,Object_alloc_table
  writes Creation_simple_val,Object_alloc_table,Object_tag_table
  { (JC_115:
    ((JC_113: (result = (17)))
    and (JC_114:
        not_assigns(Object_alloc_table@, Creation_simple_val@,
        Creation_simple_val, pset_empty)))) }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Creation :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Creation(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Creation_tag)))) }

parameter alloc_struct_Creation_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Creation(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Creation_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_TestSuperConstructor :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_TestSuperConstructor(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  TestSuperConstructor_tag)))) }

parameter alloc_struct_TestSuperConstructor_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_TestSuperConstructor(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  TestSuperConstructor_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Creation :
 this_2:Object pointer ->
  { } unit reads Creation_simple_val,Object_alloc_table
  writes Creation_simple_val
  { (JC_63:
    ((JC_61: (select(Creation_simple_val, this_2) = (0)))
    and (JC_62:
        not_assigns(Object_alloc_table@, Creation_simple_val@,
        Creation_simple_val, pset_singleton(this_2))))) }

parameter cons_Creation_int :
 this_1:Object pointer ->
  n:int ->
   { } unit reads Creation_simple_val,Object_alloc_table
   writes Creation_simple_val
   { (JC_32:
     ((JC_30: (select(Creation_simple_val, this_1) = n))
     and (JC_31:
         not_assigns(Object_alloc_table@, Creation_simple_val@,
         Creation_simple_val, pset_singleton(this_1))))) }

parameter cons_Creation_int_int :
 this_0:Object pointer ->
  n_0:int ->
   m:int ->
    { } unit reads Creation_simple_val,Object_alloc_table
    writes Creation_simple_val
    { (JC_98:
      ((JC_96: (select(Creation_simple_val, this_0) = add_int(n_0, m)))
      and (JC_97:
          not_assigns(Object_alloc_table@, Creation_simple_val@,
          Creation_simple_val, pset_singleton(this_0))))) }

parameter cons_Creation_int_int_requires :
 this_0:Object pointer ->
  n_0:int ->
   m:int ->
    { } unit reads Creation_simple_val,Object_alloc_table
    writes Creation_simple_val
    { (JC_98:
      ((JC_96: (select(Creation_simple_val, this_0) = add_int(n_0, m)))
      and (JC_97:
          not_assigns(Object_alloc_table@, Creation_simple_val@,
          Creation_simple_val, pset_singleton(this_0))))) }

parameter cons_Creation_int_requires :
 this_1:Object pointer ->
  n:int ->
   { } unit reads Creation_simple_val,Object_alloc_table
   writes Creation_simple_val
   { (JC_32:
     ((JC_30: (select(Creation_simple_val, this_1) = n))
     and (JC_31:
         not_assigns(Object_alloc_table@, Creation_simple_val@,
         Creation_simple_val, pset_singleton(this_1))))) }

parameter cons_Creation_requires :
 this_2:Object pointer ->
  { } unit reads Creation_simple_val,Object_alloc_table
  writes Creation_simple_val
  { (JC_63:
    ((JC_61: (select(Creation_simple_val, this_2) = (0)))
    and (JC_62:
        not_assigns(Object_alloc_table@, Creation_simple_val@,
        Creation_simple_val, pset_singleton(this_2))))) }

parameter cons_TestSuperConstructor :
 this_4:Object pointer ->
  { } unit reads Creation_simple_val,Object_alloc_table
  writes Creation_simple_val
  { (JC_46:
    ((JC_44: (select(Creation_simple_val, this_4) = (12)))
    and (JC_45:
        not_assigns(Object_alloc_table@, Creation_simple_val@,
        Creation_simple_val, pset_singleton(this_4))))) }

parameter cons_TestSuperConstructor_requires :
 this_4:Object pointer ->
  { } unit reads Creation_simple_val,Object_alloc_table
  writes Creation_simple_val
  { (JC_46:
    ((JC_44: (select(Creation_simple_val, this_4) = (12)))
    and (JC_45:
        not_assigns(Object_alloc_table@, Creation_simple_val@,
        Creation_simple_val, pset_singleton(this_4))))) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Creation_test1_ensures_default =
 fun (tt : unit) ->
  { (JC_127: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let t_1 =
     (K_18:
     (let this_5 =
     (JC_138:
     (((alloc_struct_Creation (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt_1 =
     (let _jessie_ = this_5 in
     (let _jessie_ = (17) in
     (JC_139: ((cons_Creation_int _jessie_) _jessie_)))) in this_5))) in
     begin
       (return := (K_17: ((safe_acc_ !Creation_simple_val) t_1)));
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_128: true) }

let Creation_test1_ensures_normal =
 fun (tt : unit) ->
  { (JC_127: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let t_1 =
     (K_18:
     (let this_5 =
     (JC_140:
     (((alloc_struct_Creation (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt_1 =
     (let _jessie_ = this_5 in
     (let _jessie_ = (17) in
     (JC_141: ((cons_Creation_int _jessie_) _jessie_)))) in this_5))) in
     begin
       (return := (K_17: ((safe_acc_ !Creation_simple_val) t_1)));
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_132: (result = (17))) }

let Creation_test1_safety =
 fun (tt : unit) ->
  { (JC_127: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let t_1 =
     (K_18:
     (let this_5 =
     (let _jessie_ =
     (JC_134:
     (((alloc_struct_Creation_requires (1)) Object_alloc_table) Object_tag_table)) in
     (JC_135:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     _jessie_))) in
     (let _tt_1 =
     (let _jessie_ = this_5 in
     (let _jessie_ = (17) in
     (JC_136: ((cons_Creation_int_requires _jessie_) _jessie_)))) in
     this_5))) in
     begin
       (return := (K_17:
                  (JC_137:
                  ((((lsafe_lbound_acc_ !Object_alloc_table) !Creation_simple_val) t_1) (0)))));
      (raise Return) end); absurd  end with Return -> !return end)) { true }

let Creation_test2_ensures_default =
 fun (tt : unit) ->
  { (JC_70: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let t_0 =
     (K_9:
     (let this =
     (JC_81:
     (((alloc_struct_Creation (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt =
     (let _jessie_ = this in (JC_82: (cons_Creation _jessie_))) in this))) in
     begin
       (return := (K_8: ((safe_acc_ !Creation_simple_val) t_0)));
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_71: true) }

let Creation_test2_ensures_normal =
 fun (tt : unit) ->
  { (JC_70: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let t_0 =
     (K_9:
     (let this =
     (JC_83:
     (((alloc_struct_Creation (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt =
     (let _jessie_ = this in (JC_84: (cons_Creation _jessie_))) in this))) in
     begin
       (return := (K_8: ((safe_acc_ !Creation_simple_val) t_0)));
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_75: (result = (0))) }

let Creation_test2_safety =
 fun (tt : unit) ->
  { (JC_70: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let t_0 =
     (K_9:
     (let this =
     (let _jessie_ =
     (JC_77:
     (((alloc_struct_Creation_requires (1)) Object_alloc_table) Object_tag_table)) in
     (JC_78:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     _jessie_))) in
     (let _tt =
     (let _jessie_ = this in (JC_79: (cons_Creation_requires _jessie_))) in
     this))) in
     begin
       (return := (K_8:
                  (JC_80:
                  ((((lsafe_lbound_acc_ !Object_alloc_table) !Creation_simple_val) t_0) (0)))));
      (raise Return) end); absurd  end with Return -> !return end)) { true }

let Creation_test3_ensures_default =
 fun (tt : unit) ->
  { (JC_105: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let t =
     (K_15:
     (let this_3 =
     (JC_120:
     (((alloc_struct_Creation (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt_0 =
     (let _jessie_ = this_3 in
     (let _jessie_ = (10) in
     (let _jessie_ = (7) in
     (JC_121:
     (((cons_Creation_int_int _jessie_) _jessie_) _jessie_))))) in
     this_3))) in
     begin
       (return := (K_14: ((safe_acc_ !Creation_simple_val) t)));
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_106: true) }

let Creation_test3_ensures_normal =
 fun (tt : unit) ->
  { (JC_105: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let t =
     (K_15:
     (let this_3 =
     (JC_122:
     (((alloc_struct_Creation (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt_0 =
     (let _jessie_ = this_3 in
     (let _jessie_ = (10) in
     (let _jessie_ = (7) in
     (JC_123:
     (((cons_Creation_int_int _jessie_) _jessie_) _jessie_))))) in
     this_3))) in
     begin
       (return := (K_14: ((safe_acc_ !Creation_simple_val) t)));
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_112:
    ((JC_110: (result = (17)))
    and (JC_111:
        not_assigns(Object_alloc_table@, Creation_simple_val@,
        Creation_simple_val, pset_empty)))) }

let Creation_test3_safety =
 fun (tt : unit) ->
  { (JC_105: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let t =
     (K_15:
     (let this_3 =
     (let _jessie_ =
     (JC_116:
     (((alloc_struct_Creation_requires (1)) Object_alloc_table) Object_tag_table)) in
     (JC_117:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     _jessie_))) in
     (let _tt_0 =
     (let _jessie_ = this_3 in
     (let _jessie_ = (10) in
     (let _jessie_ = (7) in
     (JC_118:
     (((cons_Creation_int_int_requires _jessie_) _jessie_) _jessie_))))) in
     this_3))) in
     begin
       (return := (K_14:
                  (JC_119:
                  ((((lsafe_lbound_acc_ !Object_alloc_table) !Creation_simple_val) t) (0)))));
      (raise Return) end); absurd  end with Return -> !return end)) { true }

let cons_Creation_ensures_default =
 fun (this_2 : Object pointer) ->
  { valid_struct_Creation(this_2, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ = (0) in
     (let _jessie_ = this_2 in
     (((safe_upd_ Creation_simple_val) _jessie_) _jessie_)));
    (K_6:
    begin
      (let _jessie_ = this_2 in
      (let _jessie_ = (0) in
      (JC_65: ((cons_Creation_int _jessie_) _jessie_)))); (raise Return)
    end) end with Return -> void end) { (JC_54: true) }

let cons_Creation_ensures_normal =
 fun (this_2 : Object pointer) ->
  { valid_struct_Creation(this_2, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ = (0) in
     (let _jessie_ = this_2 in
     (((safe_upd_ Creation_simple_val) _jessie_) _jessie_)));
    (K_6:
    begin
      (let _jessie_ = this_2 in
      (let _jessie_ = (0) in
      (JC_66: ((cons_Creation_int _jessie_) _jessie_)))); (raise Return)
    end) end with Return -> void end)
  { (JC_60:
    ((JC_58: (select(Creation_simple_val, this_2) = (0)))
    and (JC_59:
        not_assigns(Object_alloc_table@, Creation_simple_val@,
        Creation_simple_val, pset_singleton(this_2))))) }

let cons_Creation_int_ensures_default =
 fun (this_1 : Object pointer) (n : int) ->
  { valid_struct_Creation(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (0) in
       (let _jessie_ = this_1 in
       (((safe_upd_ Creation_simple_val) _jessie_) _jessie_)));
      (K_2:
      (let _jessie_ = n in
      begin
        (let _jessie_ = this_1 in
        (((safe_upd_ Creation_simple_val) _jessie_) _jessie_));
       _jessie_ end)) end in void); (raise Return) end with Return ->
   void end) { (JC_23: true) }

let cons_Creation_int_ensures_normal =
 fun (this_1 : Object pointer) (n : int) ->
  { valid_struct_Creation(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (0) in
       (let _jessie_ = this_1 in
       (((safe_upd_ Creation_simple_val) _jessie_) _jessie_)));
      (K_2:
      (let _jessie_ = n in
      begin
        (let _jessie_ = this_1 in
        (((safe_upd_ Creation_simple_val) _jessie_) _jessie_));
       _jessie_ end)) end in void); (raise Return) end with Return ->
   void end)
  { (JC_29:
    ((JC_27: (select(Creation_simple_val, this_1) = n))
    and (JC_28:
        not_assigns(Object_alloc_table@, Creation_simple_val@,
        Creation_simple_val, pset_singleton(this_1))))) }

let cons_Creation_int_int_ensures_default =
 fun (this_0 : Object pointer) (n_0 : int) (m : int) ->
  { valid_struct_Creation(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ = (0) in
     (let _jessie_ = this_0 in
     (((safe_upd_ Creation_simple_val) _jessie_) _jessie_)));
    (K_12:
    begin
      (let _jessie_ = this_0 in
      (let _jessie_ = (K_11: ((add_int n_0) m)) in
      (JC_100: ((cons_Creation_int _jessie_) _jessie_)))); (raise Return)
    end) end with Return -> void end) { (JC_89: true) }

let cons_Creation_int_int_ensures_normal =
 fun (this_0 : Object pointer) (n_0 : int) (m : int) ->
  { valid_struct_Creation(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ = (0) in
     (let _jessie_ = this_0 in
     (((safe_upd_ Creation_simple_val) _jessie_) _jessie_)));
    (K_12:
    begin
      (let _jessie_ = this_0 in
      (let _jessie_ = (K_11: ((add_int n_0) m)) in
      (JC_101: ((cons_Creation_int _jessie_) _jessie_)))); (raise Return)
    end) end with Return -> void end)
  { (JC_95:
    ((JC_93: (select(Creation_simple_val, this_0) = add_int(n_0, m)))
    and (JC_94:
        not_assigns(Object_alloc_table@, Creation_simple_val@,
        Creation_simple_val, pset_singleton(this_0))))) }

let cons_Creation_int_int_safety =
 fun (this_0 : Object pointer) (n_0 : int) (m : int) ->
  { valid_struct_Creation(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ = (0) in
     (let _jessie_ = this_0 in
     (((safe_upd_ Creation_simple_val) _jessie_) _jessie_)));
    (K_12:
    begin
      (let _jessie_ = this_0 in
      (let _jessie_ = (K_11: ((add_int n_0) m)) in
      (JC_99: ((cons_Creation_int_requires _jessie_) _jessie_))));
     (raise Return) end) end with Return -> void end) { true }

let cons_Creation_int_safety =
 fun (this_1 : Object pointer) (n : int) ->
  { valid_struct_Creation(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (0) in
       (let _jessie_ = this_1 in
       (((safe_upd_ Creation_simple_val) _jessie_) _jessie_)));
      (K_2:
      (let _jessie_ = n in
      begin
        (let _jessie_ = this_1 in
        (((safe_upd_ Creation_simple_val) _jessie_) _jessie_)); _jessie_
      end)) end in void); (raise Return) end with Return -> void end)
  { true }

let cons_Creation_safety =
 fun (this_2 : Object pointer) ->
  { valid_struct_Creation(this_2, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ = (0) in
     (let _jessie_ = this_2 in
     (((safe_upd_ Creation_simple_val) _jessie_) _jessie_)));
    (K_6:
    begin
      (let _jessie_ = this_2 in
      (let _jessie_ = (0) in
      (JC_64: ((cons_Creation_int_requires _jessie_) _jessie_))));
     (raise Return) end) end with Return -> void end) { true }

let cons_TestSuperConstructor_ensures_default =
 fun (this_4 : Object pointer) ->
  { valid_struct_TestSuperConstructor(this_4, (0), (0), Object_alloc_table) }
  (init:
  try
   (K_4:
   begin
     (let _jessie_ = this_4 in
     (let _jessie_ = (12) in
     (JC_48: ((cons_Creation_int _jessie_) _jessie_)))); (raise Return)
   end) with Return -> void end) { (JC_37: true) }

let cons_TestSuperConstructor_ensures_normal =
 fun (this_4 : Object pointer) ->
  { valid_struct_TestSuperConstructor(this_4, (0), (0), Object_alloc_table) }
  (init:
  try
   (K_4:
   begin
     (let _jessie_ = this_4 in
     (let _jessie_ = (12) in
     (JC_49: ((cons_Creation_int _jessie_) _jessie_)))); (raise Return)
   end) with Return -> void end)
  { (JC_43:
    ((JC_41: (select(Creation_simple_val, this_4) = (12)))
    and (JC_42:
        not_assigns(Object_alloc_table@, Creation_simple_val@,
        Creation_simple_val, pset_singleton(this_4))))) }

let cons_TestSuperConstructor_safety =
 fun (this_4 : Object pointer) ->
  { valid_struct_TestSuperConstructor(this_4, (0), (0), Object_alloc_table) }
  (init:
  try
   (K_4:
   begin
     (let _jessie_ = this_4 in
     (let _jessie_ = (12) in
     (JC_47: ((cons_Creation_int_requires _jessie_) _jessie_))));
    (raise Return) end) with Return -> void end) { true }


========== make project execution ==========
why --project [...] why/Creation.why
========== file tests/java/why/Creation.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
  
  
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  

========== file tests/java/why/Creation_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Creation_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Creation_parenttag_Object: parenttag(Creation_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic TestSuperConstructor_tag : Object tag_id

axiom TestSuperConstructor_parenttag_Creation:
  parenttag(TestSuperConstructor_tag, Creation_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Creation(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_TestSuperConstructor(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Creation(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Creation(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_TestSuperConstructor(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Creation(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Creation(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_TestSuperConstructor(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Creation(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Creation(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_TestSuperConstructor(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) = valid_struct_Creation(p,
  a, b, Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Creation_po1.why ==========
goal Creation_test1_ensures_normal_po_1:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_127": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_32":
  (("JC_30": (select(Creation_simple_val0, result) = 17)) and
   ("JC_31": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  forall result0:int.
  (result0 = select(Creation_simple_val0, result)) ->
  forall return:int.
  (return = result0) ->
  ("JC_132": (return = 17))

========== file tests/java/why/Creation_po10.why ==========
goal Creation_test3_ensures_normal_po_2:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_105": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_98":
  (("JC_96": (select(Creation_simple_val0, result) = (10 + 7))) and
   ("JC_97": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  forall result0:int.
  (result0 = select(Creation_simple_val0, result)) ->
  forall return:int.
  (return = result0) ->
  ("JC_112":
  ("JC_111": not_assigns(Object_alloc_table, Creation_simple_val,
  Creation_simple_val0, pset_empty)))

========== file tests/java/why/Creation_po11.why ==========
goal Creation_test3_safety_po_1:
  ("JC_105": true) ->
  (1 >= 0)

========== file tests/java/why/Creation_po12.why ==========
goal Creation_test3_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_105": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

========== file tests/java/why/Creation_po13.why ==========
goal Creation_test3_safety_po_3:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_105": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_98":
  (("JC_96": (select(Creation_simple_val0, result) = (10 + 7))) and
   ("JC_97": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  (0 <= offset_max(Object_alloc_table0, result))

========== file tests/java/why/Creation_po14.why ==========
goal cons_Creation_ensures_normal_po_1:
  forall this_2:Object pointer.
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Creation(this_2, 0, 0, Object_alloc_table) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  (Creation_simple_val0 = store(Creation_simple_val, this_2, 0)) ->
  forall Creation_simple_val1:(Object,
  int) memory.
  ("JC_32":
  (("JC_30": (select(Creation_simple_val1, this_2) = 0)) and
   ("JC_31": not_assigns(Object_alloc_table, Creation_simple_val0,
   Creation_simple_val1, pset_singleton(this_2))))) ->
  ("JC_60":
  ("JC_59": not_assigns(Object_alloc_table, Creation_simple_val,
  Creation_simple_val1, pset_singleton(this_2))))

========== file tests/java/why/Creation_po15.why ==========
goal cons_Creation_int_ensures_normal_po_1:
  forall this_1:Object pointer.
  forall n:int.
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Creation(this_1, 0, 0, Object_alloc_table) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  (Creation_simple_val0 = store(Creation_simple_val, this_1, 0)) ->
  forall Creation_simple_val1:(Object,
  int) memory.
  (Creation_simple_val1 = store(Creation_simple_val0, this_1, n)) ->
  ("JC_29": ("JC_27": (select(Creation_simple_val1, this_1) = n)))

========== file tests/java/why/Creation_po16.why ==========
goal cons_Creation_int_ensures_normal_po_2:
  forall this_1:Object pointer.
  forall n:int.
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Creation(this_1, 0, 0, Object_alloc_table) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  (Creation_simple_val0 = store(Creation_simple_val, this_1, 0)) ->
  forall Creation_simple_val1:(Object,
  int) memory.
  (Creation_simple_val1 = store(Creation_simple_val0, this_1, n)) ->
  ("JC_29":
  ("JC_28": not_assigns(Object_alloc_table, Creation_simple_val,
  Creation_simple_val1, pset_singleton(this_1))))

========== file tests/java/why/Creation_po17.why ==========
goal cons_Creation_int_int_ensures_normal_po_1:
  forall this_0:Object pointer.
  forall n_0:int.
  forall m:int.
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Creation(this_0, 0, 0, Object_alloc_table) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  (Creation_simple_val0 = store(Creation_simple_val, this_0, 0)) ->
  forall Creation_simple_val1:(Object,
  int) memory.
  ("JC_32":
  (("JC_30": (select(Creation_simple_val1, this_0) = (n_0 + m))) and
   ("JC_31": not_assigns(Object_alloc_table, Creation_simple_val0,
   Creation_simple_val1, pset_singleton(this_0))))) ->
  ("JC_95":
  ("JC_94": not_assigns(Object_alloc_table, Creation_simple_val,
  Creation_simple_val1, pset_singleton(this_0))))

========== file tests/java/why/Creation_po2.why ==========
goal Creation_test1_safety_po_1:
  ("JC_127": true) ->
  (1 >= 0)

========== file tests/java/why/Creation_po3.why ==========
goal Creation_test1_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_127": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

========== file tests/java/why/Creation_po4.why ==========
goal Creation_test1_safety_po_3:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_127": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_32":
  (("JC_30": (select(Creation_simple_val0, result) = 17)) and
   ("JC_31": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  (0 <= offset_max(Object_alloc_table0, result))

========== file tests/java/why/Creation_po5.why ==========
goal Creation_test2_ensures_normal_po_1:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_70": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_63":
  (("JC_61": (select(Creation_simple_val0, result) = 0)) and
   ("JC_62": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  forall result0:int.
  (result0 = select(Creation_simple_val0, result)) ->
  forall return:int.
  (return = result0) ->
  ("JC_75": (return = 0))

========== file tests/java/why/Creation_po6.why ==========
goal Creation_test2_safety_po_1:
  ("JC_70": true) ->
  (1 >= 0)

========== file tests/java/why/Creation_po7.why ==========
goal Creation_test2_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_70": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

========== file tests/java/why/Creation_po8.why ==========
goal Creation_test2_safety_po_3:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_70": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_63":
  (("JC_61": (select(Creation_simple_val0, result) = 0)) and
   ("JC_62": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  (0 <= offset_max(Object_alloc_table0, result))

========== file tests/java/why/Creation_po9.why ==========
goal Creation_test3_ensures_normal_po_1:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_105": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_98":
  (("JC_96": (select(Creation_simple_val0, result) = (10 + 7))) and
   ("JC_97": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  forall result0:int.
  (result0 = select(Creation_simple_val0, result)) ->
  forall return:int.
  (return = result0) ->
  ("JC_112": ("JC_110": (return = 17)))

========== generation of Simplify VC output ==========
why -simplify [...] why/Creation.why
========== file tests/java/simplify/Creation_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Creation_parenttag_Object
 (EQ (parenttag Creation_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom TestSuperConstructor_parenttag_Creation
 (EQ (parenttag TestSuperConstructor_tag Creation_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Creation p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_TestSuperConstructor p a Object_alloc_table)
  (left_valid_struct_Creation p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Creation p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_TestSuperConstructor p b Object_alloc_table)
  (right_valid_struct_Creation p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Creation p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_TestSuperConstructor p a b Object_alloc_table)
  (strict_valid_struct_Creation p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Creation p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_TestSuperConstructor p a b Object_alloc_table)
  (valid_struct_Creation p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Creation_test1_ensures_normal_po_1, File "HOME/tests/java/Creation.java", line 63, characters 18-31
(FORALL (Creation_simple_val)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Creation result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Creation_tag))))
(FORALL (Creation_simple_val0)
(IMPLIES (AND (EQ (select Creation_simple_val0 result) 17)
         (not_assigns
         Object_alloc_table0 Creation_simple_val Creation_simple_val0 
         (pset_singleton result)))
(FORALL (result0)
(IMPLIES (EQ result0 (select Creation_simple_val0 result))
(FORALL (return) (IMPLIES (EQ return result0) (EQ return 17))))))))))))))

;; Creation_test1_safety_po_1, File "HOME/tests/java/Creation.jc", line 126, characters 59-74
(IMPLIES TRUE (>= 1 0))

;; Creation_test1_safety_po_2, File "why/Creation.why", line 594, characters 15-71
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Creation result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Creation_tag))))
(>= (offset_max Object_alloc_table0 result) 0))))))))

;; Creation_test1_safety_po_3, File "HOME/tests/java/Creation.java", line 67, characters 8-20
(FORALL (Creation_simple_val)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Creation result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Creation_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(FORALL (Creation_simple_val0)
(IMPLIES (AND (EQ (select Creation_simple_val0 result) 17)
         (not_assigns
         Object_alloc_table0 Creation_simple_val Creation_simple_val0 
         (pset_singleton result)))
(<= 0 (offset_max Object_alloc_table0 result)))))))))))))

;; Creation_test2_ensures_normal_po_1, File "HOME/tests/java/Creation.java", line 71, characters 18-30
(FORALL (Creation_simple_val)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Creation result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Creation_tag))))
(FORALL (Creation_simple_val0)
(IMPLIES (AND (EQ (select Creation_simple_val0 result) 0)
         (not_assigns
         Object_alloc_table0 Creation_simple_val Creation_simple_val0 
         (pset_singleton result)))
(FORALL (result0)
(IMPLIES (EQ result0 (select Creation_simple_val0 result))
(FORALL (return) (IMPLIES (EQ return result0) (EQ return 0))))))))))))))

;; Creation_test2_safety_po_1, File "HOME/tests/java/Creation.jc", line 78, characters 59-74
(IMPLIES TRUE (>= 1 0))

;; Creation_test2_safety_po_2, File "why/Creation.why", line 659, characters 15-70
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Creation result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Creation_tag))))
(>= (offset_max Object_alloc_table0 result) 0))))))))

;; Creation_test2_safety_po_3, File "HOME/tests/java/Creation.java", line 75, characters 8-20
(FORALL (Creation_simple_val)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Creation result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Creation_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(FORALL (Creation_simple_val0)
(IMPLIES (AND (EQ (select Creation_simple_val0 result) 0)
         (not_assigns
         Object_alloc_table0 Creation_simple_val Creation_simple_val0 
         (pset_singleton result)))
(<= 0 (offset_max Object_alloc_table0 result)))))))))))))

;; Creation_test3_ensures_normal_po_1, File "HOME/tests/java/Creation.java", line 80, characters 18-31
(FORALL (Creation_simple_val)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Creation result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Creation_tag))))
(FORALL (Creation_simple_val0)
(IMPLIES (AND (EQ (select Creation_simple_val0 result) (+ 10 7))
         (not_assigns
         Object_alloc_table0 Creation_simple_val Creation_simple_val0 
         (pset_singleton result)))
(FORALL (result0)
(IMPLIES (EQ result0 (select Creation_simple_val0 result))
(FORALL (return) (IMPLIES (EQ return result0) (EQ return 17))))))))))))))

;; Creation_test3_ensures_normal_po_2, File "HOME/tests/java/Creation.java", line 82, characters 22-27
(FORALL (Creation_simple_val)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Creation result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Creation_tag))))
(FORALL (Creation_simple_val0)
(IMPLIES (AND (EQ (select Creation_simple_val0 result) (+ 10 7))
         (not_assigns
         Object_alloc_table0 Creation_simple_val Creation_simple_val0 
         (pset_singleton result)))
(FORALL (result0)
(IMPLIES (EQ result0 (select Creation_simple_val0 result))
(FORALL (return)
(IMPLIES (EQ return result0)
(not_assigns
Object_alloc_table Creation_simple_val Creation_simple_val0 pset_empty))))))))))))))

;; Creation_test3_safety_po_1, File "HOME/tests/java/Creation.jc", line 106, characters 57-72
(IMPLIES TRUE (>= 1 0))

;; Creation_test3_safety_po_2, File "why/Creation.why", line 736, characters 15-70
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Creation result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Creation_tag))))
(>= (offset_max Object_alloc_table0 result) 0))))))))

;; Creation_test3_safety_po_3, File "HOME/tests/java/Creation.java", line 84, characters 8-20
(FORALL (Creation_simple_val)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Creation result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Creation_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(FORALL (Creation_simple_val0)
(IMPLIES (AND (EQ (select Creation_simple_val0 result) (+ 10 7))
         (not_assigns
         Object_alloc_table0 Creation_simple_val Creation_simple_val0 
         (pset_singleton result)))
(<= 0 (offset_max Object_alloc_table0 result)))))))))))))

;; cons_Creation_ensures_normal_po_1, File "HOME/tests/java/Creation.java", line 42, characters 4-12
(FORALL (this_2)
(FORALL (Creation_simple_val)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Creation this_2 0 0 Object_alloc_table)
(FORALL (Creation_simple_val0)
(IMPLIES (EQ Creation_simple_val0
         (|why__store| Creation_simple_val this_2 0))
(FORALL (Creation_simple_val1)
(IMPLIES (AND (EQ (select Creation_simple_val1 this_2) 0)
         (not_assigns
         Object_alloc_table Creation_simple_val0 Creation_simple_val1 
         (pset_singleton this_2)))
(not_assigns
Object_alloc_table Creation_simple_val Creation_simple_val1 (pset_singleton
                                                            this_2))))))))))

;; cons_Creation_int_ensures_normal_po_1, File "HOME/tests/java/Creation.java", line 48, characters 18-38
(FORALL (this_1)
(FORALL (n)
(FORALL (Creation_simple_val)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Creation this_1 0 0 Object_alloc_table)
(FORALL (Creation_simple_val0)
(IMPLIES (EQ Creation_simple_val0
         (|why__store| Creation_simple_val this_1 0))
(FORALL (Creation_simple_val1)
(IMPLIES (EQ Creation_simple_val1
         (|why__store| Creation_simple_val0 this_1 n))
(EQ (select Creation_simple_val1 this_1) n))))))))))

;; cons_Creation_int_ensures_normal_po_2, File "HOME/tests/java/Creation.java", line 50, characters 4-12
(FORALL (this_1)
(FORALL (n)
(FORALL (Creation_simple_val)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Creation this_1 0 0 Object_alloc_table)
(FORALL (Creation_simple_val0)
(IMPLIES (EQ Creation_simple_val0
         (|why__store| Creation_simple_val this_1 0))
(FORALL (Creation_simple_val1)
(IMPLIES (EQ Creation_simple_val1
         (|why__store| Creation_simple_val0 this_1 n))
(not_assigns
Object_alloc_table Creation_simple_val Creation_simple_val1 (pset_singleton
                                                            this_1)))))))))))

;; cons_Creation_int_int_ensures_normal_po_1, File "HOME/tests/java/Creation.java", line 58, characters 4-12
(FORALL (this_0)
(FORALL (n_0)
(FORALL (m)
(FORALL (Creation_simple_val)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Creation this_0 0 0 Object_alloc_table)
(FORALL (Creation_simple_val0)
(IMPLIES (EQ Creation_simple_val0
         (|why__store| Creation_simple_val this_0 0))
(FORALL (Creation_simple_val1)
(IMPLIES (AND (EQ (select Creation_simple_val1 this_0) (+ n_0 m))
         (not_assigns
         Object_alloc_table Creation_simple_val0 Creation_simple_val1 
         (pset_singleton this_0)))
(not_assigns
Object_alloc_table Creation_simple_val Creation_simple_val1 (pset_singleton
                                                            this_0))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Creation_why.sx      : .........?....... (16/0/1/0/0)
total   :  17
valid   :  16 ( 94%)
invalid :   0 (  0%)
unknown :   1 (  6%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Creation.why
========== file tests/java/why/Creation_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Creation_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Creation_parenttag_Object: parenttag(Creation_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic TestSuperConstructor_tag : Object tag_id

axiom TestSuperConstructor_parenttag_Creation:
  parenttag(TestSuperConstructor_tag, Creation_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Creation(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_TestSuperConstructor(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Creation(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Creation(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_TestSuperConstructor(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Creation(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Creation(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_TestSuperConstructor(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Creation(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Creation(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_TestSuperConstructor(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) = valid_struct_Creation(p,
  a, b, Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Creation_test1_ensures_normal_po_1:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_127": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_32":
  (("JC_30": (select(Creation_simple_val0, result) = 17)) and
   ("JC_31": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  forall result0:int.
  (result0 = select(Creation_simple_val0, result)) ->
  forall return:int.
  (return = result0) ->
  ("JC_132": (return = 17))

goal Creation_test1_safety_po_1:
  ("JC_127": true) ->
  (1 >= 0)

goal Creation_test1_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_127": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

goal Creation_test1_safety_po_3:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_127": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_32":
  (("JC_30": (select(Creation_simple_val0, result) = 17)) and
   ("JC_31": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  (0 <= offset_max(Object_alloc_table0, result))

goal Creation_test2_ensures_normal_po_1:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_70": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_63":
  (("JC_61": (select(Creation_simple_val0, result) = 0)) and
   ("JC_62": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  forall result0:int.
  (result0 = select(Creation_simple_val0, result)) ->
  forall return:int.
  (return = result0) ->
  ("JC_75": (return = 0))

goal Creation_test2_safety_po_1:
  ("JC_70": true) ->
  (1 >= 0)

goal Creation_test2_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_70": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

goal Creation_test2_safety_po_3:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_70": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_63":
  (("JC_61": (select(Creation_simple_val0, result) = 0)) and
   ("JC_62": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  (0 <= offset_max(Object_alloc_table0, result))

goal Creation_test3_ensures_normal_po_1:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_105": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_98":
  (("JC_96": (select(Creation_simple_val0, result) = (10 + 7))) and
   ("JC_97": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  forall result0:int.
  (result0 = select(Creation_simple_val0, result)) ->
  forall return:int.
  (return = result0) ->
  ("JC_112": ("JC_110": (return = 17)))

goal Creation_test3_ensures_normal_po_2:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_105": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_98":
  (("JC_96": (select(Creation_simple_val0, result) = (10 + 7))) and
   ("JC_97": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  forall result0:int.
  (result0 = select(Creation_simple_val0, result)) ->
  forall return:int.
  (return = result0) ->
  ("JC_112":
  ("JC_111": not_assigns(Object_alloc_table, Creation_simple_val,
  Creation_simple_val0, pset_empty)))

goal Creation_test3_safety_po_1:
  ("JC_105": true) ->
  (1 >= 0)

goal Creation_test3_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_105": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

goal Creation_test3_safety_po_3:
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_105": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Creation(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Creation_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  ("JC_98":
  (("JC_96": (select(Creation_simple_val0, result) = (10 + 7))) and
   ("JC_97": not_assigns(Object_alloc_table0, Creation_simple_val,
   Creation_simple_val0, pset_singleton(result))))) ->
  (0 <= offset_max(Object_alloc_table0, result))

goal cons_Creation_ensures_normal_po_1:
  forall this_2:Object pointer.
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Creation(this_2, 0, 0, Object_alloc_table) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  (Creation_simple_val0 = store(Creation_simple_val, this_2, 0)) ->
  forall Creation_simple_val1:(Object,
  int) memory.
  ("JC_32":
  (("JC_30": (select(Creation_simple_val1, this_2) = 0)) and
   ("JC_31": not_assigns(Object_alloc_table, Creation_simple_val0,
   Creation_simple_val1, pset_singleton(this_2))))) ->
  ("JC_60":
  ("JC_59": not_assigns(Object_alloc_table, Creation_simple_val,
  Creation_simple_val1, pset_singleton(this_2))))

goal cons_Creation_int_ensures_normal_po_1:
  forall this_1:Object pointer.
  forall n:int.
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Creation(this_1, 0, 0, Object_alloc_table) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  (Creation_simple_val0 = store(Creation_simple_val, this_1, 0)) ->
  forall Creation_simple_val1:(Object,
  int) memory.
  (Creation_simple_val1 = store(Creation_simple_val0, this_1, n)) ->
  ("JC_29": ("JC_27": (select(Creation_simple_val1, this_1) = n)))

goal cons_Creation_int_ensures_normal_po_2:
  forall this_1:Object pointer.
  forall n:int.
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Creation(this_1, 0, 0, Object_alloc_table) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  (Creation_simple_val0 = store(Creation_simple_val, this_1, 0)) ->
  forall Creation_simple_val1:(Object,
  int) memory.
  (Creation_simple_val1 = store(Creation_simple_val0, this_1, n)) ->
  ("JC_29":
  ("JC_28": not_assigns(Object_alloc_table, Creation_simple_val,
  Creation_simple_val1, pset_singleton(this_1))))

goal cons_Creation_int_int_ensures_normal_po_1:
  forall this_0:Object pointer.
  forall n_0:int.
  forall m:int.
  forall Creation_simple_val:(Object,
  int) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Creation(this_0, 0, 0, Object_alloc_table) ->
  forall Creation_simple_val0:(Object,
  int) memory.
  (Creation_simple_val0 = store(Creation_simple_val, this_0, 0)) ->
  forall Creation_simple_val1:(Object,
  int) memory.
  ("JC_32":
  (("JC_30": (select(Creation_simple_val1, this_0) = (n_0 + m))) and
   ("JC_31": not_assigns(Object_alloc_table, Creation_simple_val0,
   Creation_simple_val1, pset_singleton(this_0))))) ->
  ("JC_95":
  ("JC_94": not_assigns(Object_alloc_table, Creation_simple_val,
  Creation_simple_val1, pset_singleton(this_0))))

why-2.34/tests/java/oracle/Hello.err.oracle0000644000175000017500000000000012311670312017154 0ustar  rtuserswhy-2.34/tests/java/oracle/bts15964.res.oracle0000644000175000017500000000371412311670312017332 0ustar  rtusers========== file tests/java/bts15964.java ==========

class bts15964 {
        public void f() {
            Object x = null;
        }
}
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_bts15964 for constructor bts15964
Generating JC function bts15964_f for method bts15964.f
Done.
========== file tests/java/bts15964.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag bts15964 = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_bts15964(! bts15964[0] this_1){()}

unit bts15964_f(bts15964[0] this_0)
{  
   {  
      (var Object[0..] x = (K_1 : null));
      ()
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/bts15964.jloc tests/java/bts15964.jc && make -f tests/java/bts15964.makefile gui"
End:
*/
========== file tests/java/bts15964.jloc ==========
[K_1]
file = "HOME/tests/java/bts15964.java"
line = 4
begin = 23
end = 27

[cons_bts15964]
name = "Constructor of class bts15964"
file = "HOME/"
line = 0
begin = -1
end = -1

[bts15964_f]
name = "Method f"
file = "HOME/tests/java/bts15964.java"
line = 3
begin = 20
end = 21

========== jessie execution ==========
Generating Why function cons_bts15964
Generating Why function bts15964_f
(nulltype)
why-2.34/tests/java/oracle/Booleans.err.oracle0000644000175000017500000000000012311670312017653 0ustar  rtuserswhy-2.34/tests/java/oracle/SimpleAlloc.res.oracle0000644000175000017500000054455512311670312020352 0ustar  rtusers========== file tests/java/SimpleAlloc.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class Node {
    int val;

    /*@ assigns \nothing;
      @ allocates this;
      @ ensures this.val == 0;
      @*/
    Node(){}
}

class test {
    Node[] x;

    /*@ requires x != null && x.length == 10  ;
      @ assigns x[0];
      @ allocates x[0];
      @ ensures x[0] != null;
      @*/
    void test() {
        x[0]=new Node();
    }
}




/*
Local Variables:
compile-command: "make SimpleAlloc.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Node for constructor Node
Generating JC function test_test for method test.test
Generating JC function cons_test for constructor test
Done.
========== file tests/java/SimpleAlloc.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_NodeM{Here}(NodeM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Node = Object with {
  int32 val;
}

tag test = Object with {
  NodeM[0..] x;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag NodeM = Object with {
  Node[0..] NodeP;
}

boolean non_null_NodeM(! NodeM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_NodeM(! NodeM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Node(! Node[0] this_0)
behavior default:
  assigns \nothing;
  allocates this_0;
  ensures (K_1 : (this_0.val == 0));
{  (this_0.val = 0)
}

unit test_test(test[0] this_2)
  requires (K_5 : ((K_4 : Non_null_NodeM(this_2.x)) &&
                    (K_3 : ((\offset_max(this_2.x) + 1) == 10))));
behavior default:
  assigns (this_2.x + [0..0]).NodeP;
  allocates (this_2.x + [0..0]).NodeP;
  ensures (K_2 : Non_null_Object((this_2.x + 0).NodeP));
{  (K_7 : (((K_6 : this_2.x) + 0).NodeP = 
   {  
      (var Node[0] this = (new Node[1]));
      
      {  
         (var unit _tt = cons_Node(this));
         this
      }
   }))
}

unit cons_test(! test[0] this_3)
{  (this_3.x = null)
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/SimpleAlloc.jloc tests/java/SimpleAlloc.jc && make -f tests/java/SimpleAlloc.makefile gui"
End:
*/
========== file tests/java/SimpleAlloc.jloc ==========
[test_test]
name = "Method test"
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[K_1]
file = "HOME/tests/java/SimpleAlloc.java"
line = 37
begin = 16
end = 29

[K_4]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 17
end = 26

[K_2]
file = "HOME/tests/java/SimpleAlloc.java"
line = 48
begin = 16
end = 28

[K_6]
file = "HOME/tests/java/SimpleAlloc.java"
line = 51
begin = 8
end = 12

[K_3]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 30
end = 44

[cons_test]
name = "Constructor of class test"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Node]
name = "Constructor of class Node"
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[K_5]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 17
end = 44

[K_7]
file = "HOME/tests/java/SimpleAlloc.java"
line = 51
begin = 8
end = 23

========== jessie execution ==========
Generating Why function cons_Node
Generating Why function test_test
Generating Why function cons_test
========== file tests/java/SimpleAlloc.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs SimpleAlloc.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs SimpleAlloc.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/SimpleAlloc_why.sx

project: why/SimpleAlloc.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/SimpleAlloc_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/SimpleAlloc_why.vo

coq/SimpleAlloc_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/SimpleAlloc_why.v: why/SimpleAlloc.why
	@echo 'why -coq [...] why/SimpleAlloc.why' && $(WHY) $(JESSIELIBFILES) why/SimpleAlloc.why && rm -f coq/jessie_why.v

coq-goals: goals coq/SimpleAlloc_ctx_why.vo
	for f in why/*_po*.why; do make -f SimpleAlloc.makefile coq/`basename $$f .why`_why.v ; done

coq/SimpleAlloc_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/SimpleAlloc_ctx_why.v: why/SimpleAlloc_ctx.why
	@echo 'why -coq [...] why/SimpleAlloc_ctx.why' && $(WHY) why/SimpleAlloc_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export SimpleAlloc_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/SimpleAlloc_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/SimpleAlloc_ctx_why.vo

pvs: pvs/SimpleAlloc_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/SimpleAlloc_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/SimpleAlloc_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/SimpleAlloc_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/SimpleAlloc_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/SimpleAlloc_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/SimpleAlloc_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/SimpleAlloc_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/SimpleAlloc_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/SimpleAlloc_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/SimpleAlloc_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/SimpleAlloc_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/SimpleAlloc_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/SimpleAlloc_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/SimpleAlloc_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: SimpleAlloc.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/SimpleAlloc_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: SimpleAlloc.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: SimpleAlloc.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: SimpleAlloc.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include SimpleAlloc.depend

depend: coq/SimpleAlloc_why.v
	-$(COQDEP) -I coq coq/SimpleAlloc*_why.v > SimpleAlloc.depend

clean:
	rm -f coq/*.vo

========== file tests/java/SimpleAlloc.loc ==========
[cons_Node_ensures_default]
name = "Constructor of class Node"
behavior = "default behavior"
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[cons_Node_safety]
name = "Constructor of class Node"
behavior = "Safety"
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[JC_73]
kind = UserCall
file = "HOME/tests/java/SimpleAlloc.jc"
line = 99
begin = 25
end = 40

[JC_63]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 90
begin = 9
end = 16

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 17
end = 26

[JC_71]
kind = AllocSize
file = "HOME/tests/java/SimpleAlloc.jc"
line = 96
begin = 27
end = 38

[JC_45]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 80
begin = 9
end = 16

[test_test_safety]
name = "Method test"
behavior = "Safety"
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[JC_64]
file = "HOME/tests/java/SimpleAlloc.java"
line = 48
begin = 16
end = 28

[JC_31]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 70
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 17
end = 26

[JC_48]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 80
begin = 9
end = 16

[JC_23]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 66
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_test_ensures_default]
name = "Constructor of class test"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 91
begin = 10
end = 35

[JC_9]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 57
begin = 8
end = 22

[JC_75]
kind = AllocSize
file = "HOME/tests/java/SimpleAlloc.jc"
line = 96
begin = 27
end = 38

[JC_24]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 65
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 66
begin = 11
end = 103

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[JC_74]
kind = IndexBounds
file = "HOME/tests/java/SimpleAlloc.jc"
line = 94
begin = 11
end = 178

[JC_47]
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[JC_52]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 30
end = 44

[JC_26]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 65
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 60
begin = 11
end = 66

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 57
begin = 8
end = 22

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 60
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[test_test_ensures_default]
name = "Method test"
behavior = "default behavior"
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 72
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/SimpleAlloc.java"
line = 39
begin = 4
end = 8

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 91
begin = 10
end = 35

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/tests/java/SimpleAlloc.java"
line = 37
begin = 16
end = 29

[JC_61]
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 30
end = 44

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[cons_test_safety]
name = "Constructor of class test"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 70
begin = 8
end = 23

[JC_68]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 90
begin = 9
end = 16

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 59
begin = 10
end = 18

[JC_43]
file = "HOME/tests/java/SimpleAlloc.java"
line = 37
begin = 16
end = 29

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 59
begin = 10
end = 18

[JC_53]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 17
end = 44

[JC_21]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 63
begin = 8
end = 31

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 23
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 72
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/SimpleAlloc.java"
line = 45
begin = 17
end = 44

[JC_66]
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[JC_59]
file = "HOME/tests/java/SimpleAlloc.java"
line = 48
begin = 16
end = 28

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 23
begin = 12
end = 22

[JC_60]
file = "HOME/tests/java/SimpleAlloc.java"
line = 50
begin = 9
end = 13

[JC_72]
kind = IndexBounds
file = "HOME/tests/java/SimpleAlloc.jc"
line = 96
begin = 7
end = 39

[JC_19]
file = "HOME/tests/java/SimpleAlloc.jc"
line = 63
begin = 8
end = 31

[JC_76]
kind = UserCall
file = "HOME/tests/java/SimpleAlloc.jc"
line = 99
begin = 25
end = 40

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/SimpleAlloc.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic NodeM_tag:  -> Object tag_id

axiom NodeM_parenttag_Object : parenttag(NodeM_tag, Object_tag)

logic Node_tag:  -> Object tag_id

axiom Node_parenttag_Object : parenttag(Node_tag, Object_tag)

predicate Non_null_NodeM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Node(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_NodeM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

predicate left_valid_struct_test(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Node(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_NodeM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate right_valid_struct_test(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Node(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_NodeM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_test(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

logic test_tag:  -> Object tag_id

axiom test_parenttag_Object : parenttag(test_tag, Object_tag)

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Node(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_NodeM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_test(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter NodeM_NodeP : (Object, Object pointer) memory ref

parameter Node_val : (Object, int32) memory ref

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Node :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Node(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Node_tag)))) }

parameter alloc_struct_NodeM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NodeM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NodeM_tag)))) }

parameter alloc_struct_NodeM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NodeM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NodeM_tag)))) }

parameter alloc_struct_Node_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Node(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Node_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_test :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_test(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, test_tag)))) }

parameter alloc_struct_test_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_test(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, test_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Node :
 this_0:Object pointer ->
  { } unit reads Node_val,Object_alloc_table writes Node_val
  { (JC_48:
    ((JC_46: (integer_of_int32(select(Node_val, this_0)) = (0)))
    and (JC_47:
        not_assigns(Object_alloc_table@, Node_val@, Node_val, pset_empty)))) }

parameter cons_Node_requires :
 this_0:Object pointer ->
  { } unit reads Node_val,Object_alloc_table writes Node_val
  { (JC_48:
    ((JC_46: (integer_of_int32(select(Node_val, this_0)) = (0)))
    and (JC_47:
        not_assigns(Object_alloc_table@, Node_val@, Node_val, pset_empty)))) }

parameter test_x : (Object, Object pointer) memory ref

parameter cons_test :
 this_3:Object pointer ->
  { } unit reads Object_alloc_table writes test_x { true }

parameter cons_test_requires :
 this_3:Object pointer ->
  { } unit reads Object_alloc_table writes test_x { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_NodeM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_NodeM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_NodeM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_NodeM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

parameter test_test :
 this_2:Object pointer ->
  { } unit reads NodeM_NodeP,Node_val,Object_alloc_table,test_x
  writes NodeM_NodeP,Node_val,Object_alloc_table,Object_tag_table
  { (JC_68:
    ((JC_64:
     Non_null_Object(select(NodeM_NodeP, shift(select(test_x, this_2), (0))),
     Object_alloc_table))
    and (JC_67:
        ((JC_65:
         not_assigns(Object_alloc_table@, Node_val@, Node_val, pset_empty))
        and (JC_66:
            not_assigns(Object_alloc_table@, NodeM_NodeP@, NodeM_NodeP,
            pset_range(pset_deref(test_x@, pset_singleton(this_2)), (0), (0)))))))) }

parameter test_test_requires :
 this_2:Object pointer ->
  { (JC_53:
    ((JC_51: Non_null_NodeM(select(test_x, this_2), Object_alloc_table))
    and (JC_52:
        (add_int(offset_max(Object_alloc_table, select(test_x, this_2)), (1)) = (10)))))}
  unit reads NodeM_NodeP,Node_val,Object_alloc_table,test_x
  writes NodeM_NodeP,Node_val,Object_alloc_table,Object_tag_table
  { (JC_68:
    ((JC_64:
     Non_null_Object(select(NodeM_NodeP, shift(select(test_x, this_2), (0))),
     Object_alloc_table))
    and (JC_67:
        ((JC_65:
         not_assigns(Object_alloc_table@, Node_val@, Node_val, pset_empty))
        and (JC_66:
            not_assigns(Object_alloc_table@, NodeM_NodeP@, NodeM_NodeP,
            pset_range(pset_deref(test_x@, pset_singleton(this_2)), (0), (0)))))))) }

let cons_Node_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Node(this_0, (0), (0), Object_alloc_table) }
  (let mutable_this_0 = ref this_0 in
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_int32_of_integer_ (0)) in
     begin
       (let _jessie_ = !mutable_this_0 in
       (((safe_upd_ Node_val) _jessie_) _jessie_)); _jessie_ end) in void);
    (raise Return) end with Return -> void end))
  { (JC_45:
    ((JC_43: (integer_of_int32(select(Node_val, this_0)) = (0)))
    and (JC_44:
        not_assigns(Object_alloc_table@, Node_val@, Node_val, pset_empty)))) }

let cons_Node_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Node(this_0, (0), (0), Object_alloc_table) }
  (let mutable_this_0 = ref this_0 in
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_int32_of_integer_ (0)) in
     begin
       (let _jessie_ = !mutable_this_0 in
       (((safe_upd_ Node_val) _jessie_) _jessie_)); _jessie_ end) in void);
    (raise Return) end with Return -> void end)) { true }

let cons_test_ensures_default =
 fun (this_3 : Object pointer) ->
  { valid_struct_test(this_3, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_3 in
       (((safe_upd_ test_x) _jessie_) _jessie_)); _jessie_ end) in
     void); (raise Return) end with Return -> void end) { (JC_81: true) }

let cons_test_safety =
 fun (this_3 : Object pointer) ->
  { valid_struct_test(this_3, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_3 in
       (((safe_upd_ test_x) _jessie_) _jessie_)); _jessie_ end) in
     void); (raise Return) end with Return -> void end) { true }

let test_test_ensures_default =
 fun (this_2 : Object pointer) ->
  { (valid_struct_test(this_2, (0), (0), Object_alloc_table)
    and (JC_57:
        ((JC_55: Non_null_NodeM(select(test_x, this_2), Object_alloc_table))
        and (JC_56:
            (add_int(offset_max(Object_alloc_table, select(test_x, this_2)),
             (1)) = (10)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_7:
     (let _jessie_ =
     (let this =
     (JC_75: (((alloc_struct_Node (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt = (let _jessie_ = this in (JC_76: (cons_Node _jessie_))) in
     this)) in
     begin
       (let _jessie_ = (K_6: ((safe_acc_ !test_x) this_2)) in
       (((safe_upd_ NodeM_NodeP) _jessie_) _jessie_)); _jessie_ end)) in
     void); (raise Return) end with Return -> void end)
  { (JC_63:
    ((JC_59:
     Non_null_Object(select(NodeM_NodeP, shift(select(test_x, this_2), (0))),
     Object_alloc_table))
    and (JC_62:
        ((JC_60:
         not_assigns(Object_alloc_table@, Node_val@, Node_val, pset_empty))
        and (JC_61:
            not_assigns(Object_alloc_table@, NodeM_NodeP@, NodeM_NodeP,
            pset_range(pset_deref(test_x@, pset_singleton(this_2)), (0), (0)))))))) }

let test_test_safety =
 fun (this_2 : Object pointer) ->
  { (valid_struct_test(this_2, (0), (0), Object_alloc_table)
    and (JC_57:
        ((JC_55: Non_null_NodeM(select(test_x, this_2), Object_alloc_table))
        and (JC_56:
            (add_int(offset_max(Object_alloc_table, select(test_x, this_2)),
             (1)) = (10)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_7:
     (let _jessie_ =
     (let this =
     (let _jessie_ =
     (JC_71:
     (((alloc_struct_Node_requires (1)) Object_alloc_table) Object_tag_table)) in
     (JC_72:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     _jessie_))) in
     (let _tt =
     (let _jessie_ = this in (JC_73: (cons_Node_requires _jessie_))) in
     this)) in
     begin
       (let _jessie_ = (K_6: ((safe_acc_ !test_x) this_2)) in
       (JC_74:
       (((((lsafe_lbound_upd_ !Object_alloc_table) NodeM_NodeP) _jessie_) (0)) _jessie_)));
      _jessie_ end)) in void); (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/SimpleAlloc.why
========== file tests/java/why/SimpleAlloc.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
    
    
      
      
    
    
      
      
    
    
  

========== file tests/java/why/SimpleAlloc_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic NodeM_tag : Object tag_id

axiom NodeM_parenttag_Object: parenttag(NodeM_tag, Object_tag)

logic Node_tag : Object tag_id

axiom Node_parenttag_Object: parenttag(Node_tag, Object_tag)

predicate Non_null_NodeM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Node(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_NodeM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

predicate left_valid_struct_test(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Node(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_NodeM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate right_valid_struct_test(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Node(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_NodeM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_test(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

logic test_tag : Object tag_id

axiom test_parenttag_Object: parenttag(test_tag, Object_tag)

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Node(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_NodeM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_test(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

========== file tests/java/why/SimpleAlloc_po1.why ==========
goal cons_Node_ensures_default_po_1:
  forall this_0:Object pointer.
  forall Node_val:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Node(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall Node_val0:(Object,
  int32) memory.
  (Node_val0 = store(Node_val, this_0, result)) ->
  ("JC_45": ("JC_43": (integer_of_int32(select(Node_val0, this_0)) = 0)))

========== file tests/java/why/SimpleAlloc_po2.why ==========
goal cons_Node_ensures_default_po_2:
  forall this_0:Object pointer.
  forall Node_val:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Node(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall Node_val0:(Object,
  int32) memory.
  (Node_val0 = store(Node_val, this_0, result)) ->
  ("JC_45":
  ("JC_44": not_assigns(Object_alloc_table, Node_val, Node_val0, pset_empty)))

========== file tests/java/why/SimpleAlloc_po3.why ==========
goal test_test_ensures_default_po_1:
  forall this_2:Object pointer.
  forall NodeM_NodeP:(Object, Object pointer) memory.
  forall Node_val:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  forall test_x:(Object,
  Object pointer) memory.
  (valid_struct_test(this_2, 0, 0, Object_alloc_table) and
   ("JC_57":
   (("JC_55": Non_null_NodeM(select(test_x, this_2), Object_alloc_table)) and
    ("JC_56": ((offset_max(Object_alloc_table, select(test_x,
    this_2)) + 1) = 10))))) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Node(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Node_tag)))) ->
  forall Node_val0:(Object,
  int32) memory.
  ("JC_48":
  (("JC_46": (integer_of_int32(select(Node_val0, result)) = 0)) and
   ("JC_47": not_assigns(Object_alloc_table0, Node_val, Node_val0,
   pset_empty)))) ->
  forall result0:Object pointer.
  (result0 = select(test_x, this_2)) ->
  forall NodeM_NodeP0:(Object,
  Object pointer) memory.
  (NodeM_NodeP0 = store(NodeM_NodeP, result0, result)) ->
  ("JC_63":
  ("JC_59": Non_null_Object(select(NodeM_NodeP0, shift(select(test_x,
  this_2), 0)), Object_alloc_table0)))

========== file tests/java/why/SimpleAlloc_po4.why ==========
goal test_test_ensures_default_po_2:
  forall this_2:Object pointer.
  forall NodeM_NodeP:(Object, Object pointer) memory.
  forall Node_val:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  forall test_x:(Object,
  Object pointer) memory.
  (valid_struct_test(this_2, 0, 0, Object_alloc_table) and
   ("JC_57":
   (("JC_55": Non_null_NodeM(select(test_x, this_2), Object_alloc_table)) and
    ("JC_56": ((offset_max(Object_alloc_table, select(test_x,
    this_2)) + 1) = 10))))) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Node(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Node_tag)))) ->
  forall Node_val0:(Object,
  int32) memory.
  ("JC_48":
  (("JC_46": (integer_of_int32(select(Node_val0, result)) = 0)) and
   ("JC_47": not_assigns(Object_alloc_table0, Node_val, Node_val0,
   pset_empty)))) ->
  forall result0:Object pointer.
  (result0 = select(test_x, this_2)) ->
  forall NodeM_NodeP0:(Object,
  Object pointer) memory.
  (NodeM_NodeP0 = store(NodeM_NodeP, result0, result)) ->
  ("JC_63":
  ("JC_62":
  ("JC_60": not_assigns(Object_alloc_table, Node_val, Node_val0, pset_empty))))

========== file tests/java/why/SimpleAlloc_po5.why ==========
goal test_test_ensures_default_po_3:
  forall this_2:Object pointer.
  forall NodeM_NodeP:(Object, Object pointer) memory.
  forall Node_val:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  forall test_x:(Object,
  Object pointer) memory.
  (valid_struct_test(this_2, 0, 0, Object_alloc_table) and
   ("JC_57":
   (("JC_55": Non_null_NodeM(select(test_x, this_2), Object_alloc_table)) and
    ("JC_56": ((offset_max(Object_alloc_table, select(test_x,
    this_2)) + 1) = 10))))) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Node(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Node_tag)))) ->
  forall Node_val0:(Object,
  int32) memory.
  ("JC_48":
  (("JC_46": (integer_of_int32(select(Node_val0, result)) = 0)) and
   ("JC_47": not_assigns(Object_alloc_table0, Node_val, Node_val0,
   pset_empty)))) ->
  forall result0:Object pointer.
  (result0 = select(test_x, this_2)) ->
  forall NodeM_NodeP0:(Object,
  Object pointer) memory.
  (NodeM_NodeP0 = store(NodeM_NodeP, result0, result)) ->
  ("JC_63":
  ("JC_62":
  ("JC_61": not_assigns(Object_alloc_table, NodeM_NodeP, NodeM_NodeP0,
  pset_range(pset_deref(test_x, pset_singleton(this_2)), 0, 0)))))

========== file tests/java/why/SimpleAlloc_po6.why ==========
goal test_test_safety_po_1:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall test_x:(Object,
  Object pointer) memory.
  (valid_struct_test(this_2, 0, 0, Object_alloc_table) and
   ("JC_57":
   (("JC_55": Non_null_NodeM(select(test_x, this_2), Object_alloc_table)) and
    ("JC_56": ((offset_max(Object_alloc_table, select(test_x,
    this_2)) + 1) = 10))))) ->
  (1 >= 0)

========== file tests/java/why/SimpleAlloc_po7.why ==========
goal test_test_safety_po_2:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall test_x:(Object,
  Object pointer) memory.
  (valid_struct_test(this_2, 0, 0, Object_alloc_table) and
   ("JC_57":
   (("JC_55": Non_null_NodeM(select(test_x, this_2), Object_alloc_table)) and
    ("JC_56": ((offset_max(Object_alloc_table, select(test_x,
    this_2)) + 1) = 10))))) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Node(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Node_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

========== file tests/java/why/SimpleAlloc_po8.why ==========
goal test_test_safety_po_3:
  forall this_2:Object pointer.
  forall Node_val:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  forall test_x:(Object,
  Object pointer) memory.
  (valid_struct_test(this_2, 0, 0, Object_alloc_table) and
   ("JC_57":
   (("JC_55": Non_null_NodeM(select(test_x, this_2), Object_alloc_table)) and
    ("JC_56": ((offset_max(Object_alloc_table, select(test_x,
    this_2)) + 1) = 10))))) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Node(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Node_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall Node_val0:(Object,
  int32) memory.
  ("JC_48":
  (("JC_46": (integer_of_int32(select(Node_val0, result)) = 0)) and
   ("JC_47": not_assigns(Object_alloc_table0, Node_val, Node_val0,
   pset_empty)))) ->
  forall result0:Object pointer.
  (result0 = select(test_x, this_2)) ->
  (0 <= offset_max(Object_alloc_table0, result0))

========== generation of Simplify VC output ==========
why -simplify [...] why/SimpleAlloc.why
========== file tests/java/simplify/SimpleAlloc_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom NodeM_parenttag_Object
 (EQ (parenttag NodeM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Node_parenttag_Object
 (EQ (parenttag Node_tag Object_tag) |@true|))

(DEFPRED (Non_null_NodeM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Node p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_NodeM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(DEFPRED (left_valid_struct_test p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Node p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_NodeM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (right_valid_struct_test p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Node p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_NodeM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_test p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(BG_PUSH
 ;; Why axiom test_parenttag_Object
 (EQ (parenttag test_tag Object_tag) |@true|))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Node p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_NodeM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_test p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

;; cons_Node_ensures_default_po_1, File "HOME/tests/java/SimpleAlloc.java", line 37, characters 16-29
(FORALL (this_0)
(FORALL (Node_val)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Node this_0 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (Node_val0)
(IMPLIES (EQ Node_val0 (|why__store| Node_val this_0 result))
(EQ (integer_of_int32 (select Node_val0 this_0)) 0)))))))))

;; cons_Node_ensures_default_po_2, File "HOME/tests/java/SimpleAlloc.java", line 39, characters 4-8
(FORALL (this_0)
(FORALL (Node_val)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Node this_0 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (Node_val0)
(IMPLIES (EQ Node_val0 (|why__store| Node_val this_0 result))
(not_assigns Object_alloc_table Node_val Node_val0 pset_empty)))))))))

;; test_test_ensures_default_po_1, File "HOME/tests/java/SimpleAlloc.java", line 48, characters 16-28
(FORALL (this_2)
(FORALL (NodeM_NodeP)
(FORALL (Node_val)
(FORALL (Object_alloc_table)
(FORALL (test_x)
(IMPLIES (AND (valid_struct_test this_2 0 0 Object_alloc_table)
         (AND (Non_null_NodeM (select test_x this_2) Object_alloc_table)
         (EQ (+ (offset_max Object_alloc_table (select test_x this_2)) 1) 10)))
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Node result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Node_tag))))
(FORALL (Node_val0)
(IMPLIES (AND (EQ (integer_of_int32 (select Node_val0 result)) 0)
         (not_assigns Object_alloc_table0 Node_val Node_val0 pset_empty))
(FORALL (result0)
(IMPLIES (EQ result0 (select test_x this_2))
(FORALL (NodeM_NodeP0)
(IMPLIES (EQ NodeM_NodeP0 (|why__store| NodeM_NodeP result0 result))
(Non_null_Object
(select NodeM_NodeP0 (shift (select test_x this_2) 0)) Object_alloc_table0)))))))))))))))))

;; test_test_ensures_default_po_2, File "HOME/tests/java/SimpleAlloc.java", line 50, characters 9-13
(FORALL (this_2)
(FORALL (NodeM_NodeP)
(FORALL (Node_val)
(FORALL (Object_alloc_table)
(FORALL (test_x)
(IMPLIES (AND (valid_struct_test this_2 0 0 Object_alloc_table)
         (AND (Non_null_NodeM (select test_x this_2) Object_alloc_table)
         (EQ (+ (offset_max Object_alloc_table (select test_x this_2)) 1) 10)))
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Node result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Node_tag))))
(FORALL (Node_val0)
(IMPLIES (AND (EQ (integer_of_int32 (select Node_val0 result)) 0)
         (not_assigns Object_alloc_table0 Node_val Node_val0 pset_empty))
(FORALL (result0)
(IMPLIES (EQ result0 (select test_x this_2))
(FORALL (NodeM_NodeP0)
(IMPLIES (EQ NodeM_NodeP0 (|why__store| NodeM_NodeP result0 result))
(not_assigns Object_alloc_table Node_val Node_val0 pset_empty)))))))))))))))))

;; test_test_ensures_default_po_3, File "HOME/tests/java/SimpleAlloc.java", line 50, characters 9-13
(FORALL (this_2)
(FORALL (NodeM_NodeP)
(FORALL (Node_val)
(FORALL (Object_alloc_table)
(FORALL (test_x)
(IMPLIES (AND (valid_struct_test this_2 0 0 Object_alloc_table)
         (AND (Non_null_NodeM (select test_x this_2) Object_alloc_table)
         (EQ (+ (offset_max Object_alloc_table (select test_x this_2)) 1) 10)))
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Node result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Node_tag))))
(FORALL (Node_val0)
(IMPLIES (AND (EQ (integer_of_int32 (select Node_val0 result)) 0)
         (not_assigns Object_alloc_table0 Node_val Node_val0 pset_empty))
(FORALL (result0)
(IMPLIES (EQ result0 (select test_x this_2))
(FORALL (NodeM_NodeP0)
(IMPLIES (EQ NodeM_NodeP0 (|why__store| NodeM_NodeP result0 result))
(not_assigns
Object_alloc_table NodeM_NodeP NodeM_NodeP0 (pset_range
                                            (pset_deref
                                            test_x (pset_singleton this_2)) 0 0))))))))))))))))))

;; test_test_safety_po_1, File "HOME/tests/java/SimpleAlloc.jc", line 96, characters 27-38
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (test_x)
(IMPLIES (AND (valid_struct_test this_2 0 0 Object_alloc_table)
         (AND (Non_null_NodeM (select test_x this_2) Object_alloc_table)
         (EQ (+ (offset_max Object_alloc_table (select test_x this_2)) 1) 10)))
(>= 1 0)))))

;; test_test_safety_po_2, File "why/SimpleAlloc.why", line 822, characters 15-70
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (test_x)
(IMPLIES (AND (valid_struct_test this_2 0 0 Object_alloc_table)
         (AND (Non_null_NodeM (select test_x this_2) Object_alloc_table)
         (EQ (+ (offset_max Object_alloc_table (select test_x this_2)) 1) 10)))
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Node result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Node_tag))))
(>= (offset_max Object_alloc_table0 result) 0))))))))))

;; test_test_safety_po_3, File "HOME/tests/java/SimpleAlloc.jc", line 94, characters 11-178
(FORALL (this_2)
(FORALL (Node_val)
(FORALL (Object_alloc_table)
(FORALL (test_x)
(IMPLIES (AND (valid_struct_test this_2 0 0 Object_alloc_table)
         (AND (Non_null_NodeM (select test_x this_2) Object_alloc_table)
         (EQ (+ (offset_max Object_alloc_table (select test_x this_2)) 1) 10)))
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Node result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Node_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(FORALL (Node_val0)
(IMPLIES (AND (EQ (integer_of_int32 (select Node_val0 result)) 0)
         (not_assigns Object_alloc_table0 Node_val Node_val0 pset_empty))
(FORALL (result0)
(IMPLIES (EQ result0 (select test_x this_2))
(<= 0 (offset_max Object_alloc_table0 result0)))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/SimpleAlloc_why.sx   : .?..?..? (5/0/3/0/0)
total   :   8
valid   :   5 ( 62%)
invalid :   0 (  0%)
unknown :   3 ( 38%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/SimpleAlloc.why
========== file tests/java/why/SimpleAlloc_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic NodeM_tag : Object tag_id

axiom NodeM_parenttag_Object: parenttag(NodeM_tag, Object_tag)

logic Node_tag : Object tag_id

axiom Node_parenttag_Object: parenttag(Node_tag, Object_tag)

predicate Non_null_NodeM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Node(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_NodeM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

predicate left_valid_struct_test(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Node(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_NodeM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate right_valid_struct_test(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Node(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_NodeM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_test(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

logic test_tag : Object tag_id

axiom test_parenttag_Object: parenttag(test_tag, Object_tag)

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Node(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_NodeM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_test(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

goal cons_Node_ensures_default_po_1:
  forall this_0:Object pointer.
  forall Node_val:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Node(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall Node_val0:(Object,
  int32) memory.
  (Node_val0 = store(Node_val, this_0, result)) ->
  ("JC_45": ("JC_43": (integer_of_int32(select(Node_val0, this_0)) = 0)))

goal cons_Node_ensures_default_po_2:
  forall this_0:Object pointer.
  forall Node_val:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Node(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall Node_val0:(Object,
  int32) memory.
  (Node_val0 = store(Node_val, this_0, result)) ->
  ("JC_45":
  ("JC_44": not_assigns(Object_alloc_table, Node_val, Node_val0, pset_empty)))

goal test_test_ensures_default_po_1:
  forall this_2:Object pointer.
  forall NodeM_NodeP:(Object, Object pointer) memory.
  forall Node_val:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  forall test_x:(Object,
  Object pointer) memory.
  (valid_struct_test(this_2, 0, 0, Object_alloc_table) and
   ("JC_57":
   (("JC_55": Non_null_NodeM(select(test_x, this_2), Object_alloc_table)) and
    ("JC_56": ((offset_max(Object_alloc_table, select(test_x,
    this_2)) + 1) = 10))))) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Node(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Node_tag)))) ->
  forall Node_val0:(Object,
  int32) memory.
  ("JC_48":
  (("JC_46": (integer_of_int32(select(Node_val0, result)) = 0)) and
   ("JC_47": not_assigns(Object_alloc_table0, Node_val, Node_val0,
   pset_empty)))) ->
  forall result0:Object pointer.
  (result0 = select(test_x, this_2)) ->
  forall NodeM_NodeP0:(Object,
  Object pointer) memory.
  (NodeM_NodeP0 = store(NodeM_NodeP, result0, result)) ->
  ("JC_63":
  ("JC_59": Non_null_Object(select(NodeM_NodeP0, shift(select(test_x,
  this_2), 0)), Object_alloc_table0)))

goal test_test_ensures_default_po_2:
  forall this_2:Object pointer.
  forall NodeM_NodeP:(Object, Object pointer) memory.
  forall Node_val:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  forall test_x:(Object,
  Object pointer) memory.
  (valid_struct_test(this_2, 0, 0, Object_alloc_table) and
   ("JC_57":
   (("JC_55": Non_null_NodeM(select(test_x, this_2), Object_alloc_table)) and
    ("JC_56": ((offset_max(Object_alloc_table, select(test_x,
    this_2)) + 1) = 10))))) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Node(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Node_tag)))) ->
  forall Node_val0:(Object,
  int32) memory.
  ("JC_48":
  (("JC_46": (integer_of_int32(select(Node_val0, result)) = 0)) and
   ("JC_47": not_assigns(Object_alloc_table0, Node_val, Node_val0,
   pset_empty)))) ->
  forall result0:Object pointer.
  (result0 = select(test_x, this_2)) ->
  forall NodeM_NodeP0:(Object,
  Object pointer) memory.
  (NodeM_NodeP0 = store(NodeM_NodeP, result0, result)) ->
  ("JC_63":
  ("JC_62":
  ("JC_60": not_assigns(Object_alloc_table, Node_val, Node_val0, pset_empty))))

goal test_test_ensures_default_po_3:
  forall this_2:Object pointer.
  forall NodeM_NodeP:(Object, Object pointer) memory.
  forall Node_val:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  forall test_x:(Object,
  Object pointer) memory.
  (valid_struct_test(this_2, 0, 0, Object_alloc_table) and
   ("JC_57":
   (("JC_55": Non_null_NodeM(select(test_x, this_2), Object_alloc_table)) and
    ("JC_56": ((offset_max(Object_alloc_table, select(test_x,
    this_2)) + 1) = 10))))) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Node(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Node_tag)))) ->
  forall Node_val0:(Object,
  int32) memory.
  ("JC_48":
  (("JC_46": (integer_of_int32(select(Node_val0, result)) = 0)) and
   ("JC_47": not_assigns(Object_alloc_table0, Node_val, Node_val0,
   pset_empty)))) ->
  forall result0:Object pointer.
  (result0 = select(test_x, this_2)) ->
  forall NodeM_NodeP0:(Object,
  Object pointer) memory.
  (NodeM_NodeP0 = store(NodeM_NodeP, result0, result)) ->
  ("JC_63":
  ("JC_62":
  ("JC_61": not_assigns(Object_alloc_table, NodeM_NodeP, NodeM_NodeP0,
  pset_range(pset_deref(test_x, pset_singleton(this_2)), 0, 0)))))

goal test_test_safety_po_1:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall test_x:(Object,
  Object pointer) memory.
  (valid_struct_test(this_2, 0, 0, Object_alloc_table) and
   ("JC_57":
   (("JC_55": Non_null_NodeM(select(test_x, this_2), Object_alloc_table)) and
    ("JC_56": ((offset_max(Object_alloc_table, select(test_x,
    this_2)) + 1) = 10))))) ->
  (1 >= 0)

goal test_test_safety_po_2:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall test_x:(Object,
  Object pointer) memory.
  (valid_struct_test(this_2, 0, 0, Object_alloc_table) and
   ("JC_57":
   (("JC_55": Non_null_NodeM(select(test_x, this_2), Object_alloc_table)) and
    ("JC_56": ((offset_max(Object_alloc_table, select(test_x,
    this_2)) + 1) = 10))))) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Node(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Node_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

goal test_test_safety_po_3:
  forall this_2:Object pointer.
  forall Node_val:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  forall test_x:(Object,
  Object pointer) memory.
  (valid_struct_test(this_2, 0, 0, Object_alloc_table) and
   ("JC_57":
   (("JC_55": Non_null_NodeM(select(test_x, this_2), Object_alloc_table)) and
    ("JC_56": ((offset_max(Object_alloc_table, select(test_x,
    this_2)) + 1) = 10))))) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Node(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Node_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall Node_val0:(Object,
  int32) memory.
  ("JC_48":
  (("JC_46": (integer_of_int32(select(Node_val0, result)) = 0)) and
   ("JC_47": not_assigns(Object_alloc_table0, Node_val, Node_val0,
   pset_empty)))) ->
  forall result0:Object pointer.
  (result0 = select(test_x, this_2)) ->
  (0 <= offset_max(Object_alloc_table0, result0))

why-2.34/tests/java/oracle/TreeMax.err.oracle0000644000175000017500000000000012311670312017456 0ustar  rtuserswhy-2.34/tests/java/oracle/Purse.res.oracle0000644000175000017500000070102712311670312017231 0ustar  rtusers========== file tests/java/Purse.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no


class NoCreditException extends Exception {

    public NoCreditException() { }

}

public class Purse {

    private int balance;
    //@ invariant balance_non_negative: balance >= 0;

    /*@ requires true;
      @ assigns balance;
      @ ensures balance == 0;
      @*/
    public Purse() {
        balance = 0;
    }

    /*@ requires s >= 0;
      @ assigns balance;
      @ ensures balance == \old(balance) + s;
      @*/
    public void credit(int s) {
        balance += s;
    }

    /*@ requires s >= 0;
      @ assigns balance;
      @ ensures s <= \old(balance) && balance == \old(balance) - s;
      @ behavior amount_too_large:
      @   assigns \nothing;
      @   signals (NoCreditException) s > \old(balance) ;
      @*/
    public void withdraw(int s) throws NoCreditException {
        if (balance >= s)
            balance = balance - s;
        else
            throw new NoCreditException();
    }

    //@ ensures \result == balance;
    public int getBalance() {
        return balance;
    }

}



/*
Local Variables:
compile-command: "make Purse.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Throwable_String for constructor Throwable
Generating JC function Purse_credit for method Purse.credit
Generating JC function Throwable_getCause for method Throwable.getCause
Generating JC function Throwable_printStackTrace for method Throwable.printStackTrace
Generating JC function Throwable_getMessage for method Throwable.getMessage
Generating JC function Purse_getBalance for method Purse.getBalance
Generating JC function Throwable_getLocalizedMessage for method Throwable.getLocalizedMessage
Generating JC function cons_Exception_Throwable for constructor Exception
Generating JC function cons_Purse for constructor Purse
Generating JC function Throwable_getStackTraceDepth for method Throwable.getStackTraceDepth
Generating JC function Throwable_toString for method Throwable.toString
Generating JC function Throwable_printStackTrace_PrintStream for method Throwable.printStackTrace
Generating JC function cons_NoCreditException for constructor NoCreditException
Generating JC function Purse_withdraw for method Purse.withdraw
Generating JC function cons_Exception_String_Throwable for constructor Exception
Generating JC function cons_Throwable_String_Throwable for constructor Throwable
Generating JC function cons_Throwable for constructor Throwable
Generating JC function Throwable_initCause for method Throwable.initCause
Generating JC function Throwable_fillInStackTrace for method Throwable.fillInStackTrace
Generating JC function cons_Exception_String for constructor Exception
Generating JC function cons_Exception for constructor Exception
Generating JC function cons_Throwable_Throwable for constructor Throwable
Done.
========== file tests/java/Purse.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic integer Throwable_serialVersionUID =
-3042686055658047285

logic integer Exception_serialVersionUID =
-3387516993124229948

String[0..] any_string()
;

tag String = Object with {
}

tag NoCreditException = Exception with {
}

tag Purse = Object with {
  integer balance;
  invariant balance_non_negative(this_3) = (this_3.balance >= 0);
}

tag Throwable = Object with {
  Object[0..] backtrace; 
  String[0..] detailMessage; 
  Throwable[0..] cause;
}

tag Object = {
}

tag PrintStream = Object with {
}

tag Exception = Throwable with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception NoCreditException of NoCreditException[0..]

exception Throwable of Throwable[0..]

unit cons_Throwable_String(! Throwable[0] this_17, String[0..] message)
{  (this_17.backtrace = null);
   (this_17.detailMessage = null);
   (this_17.cause = null)
}

unit Purse_credit(Purse[0] this_6, integer s_0)
  requires (K_2 : (s_0 >= 0));
behavior default:
  assigns this_6.balance;
  ensures (K_1 : (this_6.balance == (\at(this_6.balance,Old) + s_0)));
{  (K_3 : this_6.balance += s_0)
}

Throwable[0..] Throwable_getCause(Throwable[0] this_8)
;

unit Throwable_printStackTrace(Throwable[0] this_9)
;

String[0..] Throwable_getMessage(Throwable[0] this_10)
;

integer Purse_getBalance(Purse[0] this_4)
behavior default:
  ensures (K_4 : (\result == this_4.balance));
{  
   (return (K_5 : this_4.balance))
}

String[0..] Throwable_getLocalizedMessage(Throwable[0] this_11)
;

unit cons_Exception_Throwable(! Exception[0] this_18, Throwable[0..] cause_3){()}

unit cons_Purse(! Purse[0] this_7)
  requires (K_6 : true);
behavior default:
  assigns this_7.balance;
  ensures (K_7 : (this_7.balance == 0));
{  (this_7.balance = 0);
   (K_8 : (this_7.balance = 0))
}

integer Throwable_getStackTraceDepth(Throwable[0] this_12)
;

String[0..] Throwable_toString(Throwable[0] this_13)
;

unit Throwable_printStackTrace_PrintStream(Throwable[0] this_14,
                                           PrintStream[0..] s)
;

unit cons_NoCreditException(! NoCreditException[0] this_2){()}

unit Purse_withdraw(Purse[0] this_5, integer s_1)
  requires (K_13 : (s_1 >= 0));
behavior default:
  assigns this_5.balance;
  ensures (K_11 : ((K_10 : (s_1 <= \at(this_5.balance,Old))) &&
                    (K_9 : (this_5.balance ==
                             (\at(this_5.balance,Old) - s_1)))));
behavior amount_too_large:
  throws NoCreditException;
  assigns \nothing;
  ensures (K_12 : (s_1 > \at(this_5.balance,Old)));
{  (if (K_18 : ((K_17 : this_5.balance) >= s_1)) then (K_16 : (this_5.balance = 
                                                      (K_15 : ((K_14 : this_5.balance) -
                                                                s_1)))) else 
   {  
      (var NoCreditException[..] java_thrown_exception = 
      {  
         (var NoCreditException[0] this = (new NoCreditException[1]));
         
         {  
            (var unit _tt = cons_NoCreditException(this));
            this
         }
      });
      
      {  
         (assert Non_null_Object(java_thrown_exception));
         
         (throw NoCreditException java_thrown_exception)
      }
   })
}

unit cons_Exception_String_Throwable(! Exception[0] this_19,
                                     String[0..] message_2,
                                     Throwable[0..] cause_2){()}

unit cons_Throwable_String_Throwable(! Throwable[0] this_20,
                                     String[0..] message_0,
                                     Throwable[0..] cause)
{  (this_20.backtrace = null);
   (this_20.detailMessage = null);
   (this_20.cause = null)
}

unit cons_Throwable(! Throwable[0] this_21)
{  (this_21.backtrace = null);
   (this_21.detailMessage = null);
   (this_21.cause = null)
}

Throwable[0..] Throwable_initCause(Throwable[0] this_15,
                                   Throwable[0..] cause_1)
;

Throwable[0..] Throwable_fillInStackTrace(Throwable[0] this_16)
;

unit cons_Exception_String(! Exception[0] this_22, String[0..] message_1){()}

unit cons_Exception(! Exception[0] this_23){()}

unit cons_Throwable_Throwable(! Throwable[0] this_24, Throwable[0..] cause_0)
{  (this_24.backtrace = null);
   (this_24.detailMessage = null);
   (this_24.cause = null)
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Purse.jloc tests/java/Purse.jc && make -f tests/java/Purse.makefile gui"
End:
*/
========== file tests/java/Purse.jloc ==========
[Throwable_getCause]
name = "Method getCause"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 289
begin = 21
end = 29

[cons_Exception_Throwable]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[Purse_credit]
name = "Method credit"
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[K_17]
file = "HOME/tests/java/Purse.java"
line = 70
begin = 12
end = 19

[K_11]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 16
end = 66

[Purse_withdraw]
name = "Method withdraw"
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[Throwable_initCause]
name = "Method initCause"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 317
begin = 34
end = 43

[K_13]
file = "HOME/tests/java/Purse.java"
line = 62
begin = 17
end = 23

[K_9]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 38
end = 66

[Throwable_getLocalizedMessage]
name = "Method getLocalizedMessage"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 265
begin = 18
end = 37

[cons_Exception_String]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[Throwable_getMessage]
name = "Method getMessage"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 251
begin = 18
end = 28

[cons_Purse]
name = "Constructor of class Purse"
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[K_1]
file = "HOME/tests/java/Purse.java"
line = 56
begin = 16
end = 44

[Throwable_printStackTrace_PrintStream]
name = "Method printStackTrace"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 459
begin = 16
end = 31

[cons_Throwable_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[K_15]
file = "HOME/tests/java/Purse.java"
line = 71
begin = 22
end = 33

[Throwable_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 341
begin = 18
end = 26

[K_4]
file = "HOME/tests/java/Purse.java"
line = 76
begin = 16
end = 34

[K_12]
file = "HOME/tests/java/Purse.java"
line = 67
begin = 38
end = 55

[Throwable_fillInStackTrace]
name = "Method fillInStackTrace"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 562
begin = 41
end = 57

[Purse_getBalance]
name = "Method getBalance"
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[K_2]
file = "HOME/tests/java/Purse.java"
line = 54
begin = 17
end = 23

[cons_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[cons_Throwable_String_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[K_10]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 16
end = 34

[K_6]
file = "HOME/tests/java/Purse.java"
line = 46
begin = 17
end = 21

[K_8]
file = "HOME/tests/java/Purse.java"
line = 51
begin = 8
end = 19

[cons_Exception_String_Throwable]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[K_3]
file = "HOME/tests/java/Purse.java"
line = 59
begin = 8
end = 20

[cons_Exception]
name = "Constructor of class Exception"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[cons_NoCreditException]
name = "Constructor of class NoCreditException"
file = "HOME/tests/java/Purse.java"
line = 37
begin = 11
end = 28

[cons_Throwable_String]
name = "Constructor of class Throwable"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[K_14]
file = "HOME/tests/java/Purse.java"
line = 71
begin = 22
end = 29

[Throwable_getStackTraceDepth]
name = "Method getStackTraceDepth"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 645
begin = 23
end = 41

[K_5]
file = "HOME/tests/java/Purse.java"
line = 78
begin = 15
end = 22

[Throwable_printStackTrace]
name = "Method printStackTrace"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 450
begin = 16
end = 31

[K_18]
file = "HOME/tests/java/Purse.java"
line = 70
begin = 12
end = 24

[K_7]
file = "HOME/tests/java/Purse.java"
line = 48
begin = 16
end = 28

[K_16]
file = "HOME/tests/java/Purse.java"
line = 71
begin = 12
end = 33

========== jessie execution ==========
Generating Why function cons_Throwable_String
Generating Why function Purse_credit
Generating Why function Purse_getBalance
Generating Why function cons_Exception_Throwable
Generating Why function cons_Purse
Generating Why function cons_NoCreditException
Generating Why function Purse_withdraw
Generating Why function cons_Exception_String_Throwable
Generating Why function cons_Throwable_String_Throwable
Generating Why function cons_Throwable
Generating Why function cons_Exception_String
Generating Why function cons_Exception
Generating Why function cons_Throwable_Throwable
========== file tests/java/Purse.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Purse.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Purse.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Purse_why.sx

project: why/Purse.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Purse_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Purse_why.vo

coq/Purse_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Purse_why.v: why/Purse.why
	@echo 'why -coq [...] why/Purse.why' && $(WHY) $(JESSIELIBFILES) why/Purse.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Purse_ctx_why.vo
	for f in why/*_po*.why; do make -f Purse.makefile coq/`basename $$f .why`_why.v ; done

coq/Purse_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Purse_ctx_why.v: why/Purse_ctx.why
	@echo 'why -coq [...] why/Purse_ctx.why' && $(WHY) why/Purse_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Purse_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Purse_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Purse_ctx_why.vo

pvs: pvs/Purse_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Purse_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Purse_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Purse_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Purse_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Purse_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Purse_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Purse_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Purse_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Purse_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Purse_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Purse_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Purse_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Purse_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Purse_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Purse.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Purse_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Purse.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Purse.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Purse.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Purse.depend

depend: coq/Purse_why.v
	-$(COQDEP) -I coq coq/Purse*_why.v > Purse.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Purse.loc ==========
[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_177]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[JC_221]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 450
begin = 16
end = 31

[JC_147]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/tests/java/Purse.jc"
line = 121
begin = 9
end = 16

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Purse_safety]
name = "Constructor of class Purse"
behavior = "Safety"
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[JC_133]
file = "HOME/tests/java/Purse.java"
line = 62
begin = 17
end = 23

[JC_188]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[JC_180]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_201]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 562
begin = 41
end = 57

[Purse_getBalance_safety]
name = "Method getBalance"
behavior = "Safety"
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[JC_31]
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_17]
file = "HOME/tests/java/Purse.jc"
line = 54
begin = 11
end = 65

[JC_194]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_205]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/tests/java/Purse.java"
line = 37
begin = 11
end = 28

[JC_67]
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[JC_9]
file = "HOME/tests/java/Purse.jc"
line = 52
begin = 8
end = 23

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_189]
file = "HOME/"
line = 0
begin = -1
end = -1

[Purse_withdraw_ensures_default]
name = "Method withdraw"
behavior = "default behavior"
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 289
begin = 21
end = 29

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_195]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 317
begin = 34
end = 43

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[Purse_getBalance_ensures_default]
name = "Method getBalance"
behavior = "default behavior"
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
kind = AllocSize
file = "HOME/tests/java/Purse.jc"
line = 136
begin = 43
end = 67

[JC_153]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_222]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Purse.jc"
line = 52
begin = 8
end = 23

[JC_185]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[JC_167]
kind = UserCall
file = "HOME/tests/java/Purse.jc"
line = 139
begin = 28
end = 56

[JC_98]
file = "HOME/tests/java/Purse.jc"
line = 100
begin = 9
end = 16

[JC_70]
file = "HOME/tests/java/Purse.java"
line = 76
begin = 16
end = 34

[cons_Throwable_String_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_36]
file = "HOME/tests/java/Purse.java"
line = 56
begin = 16
end = 44

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/Purse.java"
line = 54
begin = 17
end = 23

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 341
begin = 18
end = 26

[JC_69]
file = "HOME/tests/java/Purse.java"
line = 76
begin = 16
end = 34

[JC_219]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_101]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 645
begin = 23
end = 41

[cons_Throwable_String_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
kind = AllocSize
file = "HOME/tests/java/Purse.jc"
line = 136
begin = 43
end = 67

[JC_103]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 645
begin = 23
end = 41

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_String_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[Purse_withdraw_safety]
name = "Method withdraw"
behavior = "Safety"
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/tests/java/Purse.java"
line = 56
begin = 16
end = 44

[JC_173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 16
end = 34

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 289
begin = 21
end = 29

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/Purse.jc"
line = 100
begin = 9
end = 16

[JC_97]
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_160]
kind = IndexBounds
file = "HOME/tests/java/Purse.jc"
line = 136
begin = 10
end = 68

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_225]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_149]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_181]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 251
begin = 18
end = 28

[JC_161]
kind = UserCall
file = "HOME/tests/java/Purse.jc"
line = 139
begin = 28
end = 56

[cons_NoCreditException_ensures_default]
name = "Constructor of class NoCreditException"
behavior = "default behavior"
file = "HOME/tests/java/Purse.java"
line = 37
begin = 11
end = 28

[JC_89]
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[JC_136]
file = "HOME/tests/java/Purse.java"
line = 62
begin = 17
end = 23

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/tests/java/Purse.jc"
line = 145
begin = 17
end = 55

[JC_213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_217]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[JC_229]
file = "HOME/"
line = 0
begin = -1
end = -1

[Purse_credit_ensures_default]
name = "Method credit"
behavior = "default behavior"
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[JC_19]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_187]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 179
begin = 11
end = 20

[cons_Exception_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[cons_Throwable_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_198]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_94]
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[JC_73]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 265
begin = 18
end = 37

[JC_158]
file = "HOME/tests/java/Purse.jc"
line = 126
begin = 9
end = 25

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_196]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[JC_197]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/tests/java/Purse.java"
line = 67
begin = 38
end = 55

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Purse_ensures_default]
name = "Constructor of class Purse"
behavior = "default behavior"
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[JC_203]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 562
begin = 41
end = 57

[JC_227]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/tests/java/Purse.jc"
line = 121
begin = 9
end = 16

[JC_137]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_231]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 265
begin = 18
end = 37

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_193]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 317
begin = 34
end = 43

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_212]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_232]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_String_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[JC_154]
file = "HOME/tests/java/Purse.jc"
line = 126
begin = 9
end = 25

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_String_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_String_Throwable_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[cons_Exception_String_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
file = "HOME/tests/java/Purse.jc"
line = 145
begin = 17
end = 55

[JC_91]
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

[cons_NoCreditException_safety]
name = "Constructor of class NoCreditException"
behavior = "Safety"
file = "HOME/tests/java/Purse.java"
line = 37
begin = 11
end = 28

[JC_40]
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_162]
file = "HOME/tests/java/Purse.jc"
line = 145
begin = 17
end = 55

[cons_Throwable_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 239
begin = 11
end = 20

[JC_83]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_35]
file = "HOME/tests/java/Purse.jc"
line = 71
begin = 9
end = 16

[JC_215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_179]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 216
begin = 11
end = 20

[cons_Exception_Throwable_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_38]
file = "HOME/tests/java/Purse.jc"
line = 71
begin = 9
end = 16

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_127]
file = "HOME/tests/java/Purse.java"
line = 37
begin = 11
end = 28

[JC_171]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_164]
kind = UserCall
file = "HOME/tests/java/Purse.jc"
line = 139
begin = 28
end = 56

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_155]
file = "HOME/tests/java/Purse.java"
line = 67
begin = 38
end = 55

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 16
end = 66

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_220]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/Purse.java"
line = 77
begin = 15
end = 25

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 38
end = 66

[JC_159]
kind = AllocSize
file = "HOME/tests/java/Purse.jc"
line = 136
begin = 43
end = 67

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/tests/java/Purse.java"
line = 48
begin = 16
end = 28

[JC_93]
file = "HOME/tests/java/Purse.java"
line = 48
begin = 16
end = 28

[JC_214]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_117]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 459
begin = 16
end = 31

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_String_Throwable_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 58
begin = 11
end = 20

[JC_157]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_145]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 38
end = 66

[JC_21]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 194
begin = 11
end = 20

[JC_209]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_111]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 341
begin = 18
end = 26

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 450
begin = 16
end = 31

[JC_1]
file = "HOME/tests/java/Purse.jc"
line = 16
begin = 12
end = 22

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 28
begin = 11
end = 20

[JC_142]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_211]
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 40
begin = 11
end = 20

[JC_146]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 16
end = 66

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 251
begin = 18
end = 28

[cons_Exception_Throwable_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/java_api/java/lang/Exception.java"
line = 76
begin = 11
end = 20

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Purse.jc"
line = 54
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Purse.jc"
line = 16
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_152]
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_228]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/tests/java/Purse.java"
line = 64
begin = 16
end = 34

[JC_119]
file = "HOME/lib/java_api/java/lang/Throwable.java"
line = 459
begin = 16
end = 31

[JC_210]
file = "HOME/"
line = 0
begin = -1
end = -1

[Purse_withdraw_exsures_amount_too_large]
name = "Method withdraw"
behavior = "Behavior `amount_too_large'"
file = "HOME/tests/java/Purse.java"
line = 69
begin = 16
end = 24

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[Purse_credit_safety]
name = "Method credit"
behavior = "Safety"
file = "HOME/tests/java/Purse.java"
line = 58
begin = 16
end = 22

[JC_230]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/java/Purse.java"
line = 54
begin = 17
end = 23

[JC_226]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/tests/java/Purse.java"
line = 50
begin = 11
end = 16

========== file tests/java/why/Purse.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Throwable_tag:  -> Object tag_id

axiom Exception_parenttag_Throwable : parenttag(Exception_tag, Throwable_tag)

function Exception_serialVersionUID() : int = neg_int((3387516993124229948))

logic NoCreditException_tag:  -> Object tag_id

axiom NoCreditException_parenttag_Exception :
 parenttag(NoCreditException_tag, Exception_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

logic Object_tag:  -> Object tag_id

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic PrintStream_tag:  -> Object tag_id

axiom PrintStream_parenttag_Object : parenttag(PrintStream_tag, Object_tag)

logic Purse_tag:  -> Object tag_id

axiom Purse_parenttag_Object : parenttag(Purse_tag, Object_tag)

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

function Throwable_serialVersionUID() : int = neg_int((3042686055658047285))

predicate balance_non_negative(this_3:Object pointer,
 Purse_balance:(Object, int) memory) =
 ge_int(select(Purse_balance, this_3), (0))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Throwable(p, a, Object_alloc_table)

predicate left_valid_struct_NoCreditException(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Exception(p, a, Object_alloc_table)

predicate left_valid_struct_PrintStream(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Purse(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Throwable(p, b, Object_alloc_table)

predicate right_valid_struct_NoCreditException(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Exception(p, b, Object_alloc_table)

predicate right_valid_struct_PrintStream(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Purse(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Throwable(p, a, b, Object_alloc_table)

predicate strict_valid_struct_NoCreditException(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Exception(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrintStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Purse(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Throwable(p, a, b, Object_alloc_table)

predicate valid_struct_NoCreditException(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Exception(p, a, b, Object_alloc_table)

predicate valid_struct_PrintStream(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Purse(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception NoCreditException_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

parameter Purse_balance : (Object, int) memory ref

parameter Purse_credit :
 this_6:Object pointer ->
  s_0:int ->
   { } unit reads Object_alloc_table,Purse_balance writes Purse_balance
   { ((JC_40: balance_non_negative(this_6, Purse_balance))
     and (JC_38:
         ((JC_36:
          (select(Purse_balance, this_6) = add_int(select(Purse_balance@,
                                                   this_6),
                                           s_0)))
         and (JC_37:
             not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
             pset_singleton(this_6)))))) }

parameter Purse_credit_requires :
 this_6:Object pointer ->
  s_0:int ->
   { (JC_28:
     ((JC_27: ge_int(s_0, (0)))
     and balance_non_negative(this_6, Purse_balance)))}
   unit reads Object_alloc_table,Purse_balance writes Purse_balance
   { ((JC_40: balance_non_negative(this_6, Purse_balance))
     and (JC_38:
         ((JC_36:
          (select(Purse_balance, this_6) = add_int(select(Purse_balance@,
                                                   this_6),
                                           s_0)))
         and (JC_37:
             not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
             pset_singleton(this_6)))))) }

parameter Purse_getBalance :
 this_4:Object pointer ->
  { } int reads Object_alloc_table,Purse_balance
  { ((JC_72: balance_non_negative(this_4, Purse_balance))
    and (JC_70: (result = select(Purse_balance, this_4)))) }

parameter Purse_getBalance_requires :
 this_4:Object pointer ->
  { (JC_65: balance_non_negative(this_4, Purse_balance))} int
  reads Object_alloc_table,Purse_balance
  { ((JC_72: balance_non_negative(this_4, Purse_balance))
    and (JC_70: (result = select(Purse_balance, this_4)))) }

parameter Purse_withdraw :
 this_5:Object pointer ->
  s_1_0:int ->
   { } unit reads Object_alloc_table,Purse_balance
   writes Object_alloc_table,Object_tag_table,Purse_balance
   raises NoCreditException_exc
   { ((JC_150: balance_non_negative(this_5, Purse_balance))
     and (JC_148:
         ((JC_146:
          ((JC_144: le_int(s_1_0, select(Purse_balance@, this_5)))
          and (JC_145:
              (select(Purse_balance, this_5) = sub_int(select(Purse_balance@,
                                                       this_5),
                                               s_1_0)))))
         and (JC_147:
             not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
             pset_singleton(this_5))))))
     | NoCreditException_exc =>
         (JC_158:
         ((JC_156:
          ((JC_155: gt_int(s_1_0, select(Purse_balance@, this_5)))
          and balance_non_negative(this_5, Purse_balance)))
         and (JC_157:
             not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
             pset_empty)))) }

parameter Purse_withdraw_requires :
 this_5:Object pointer ->
  s_1_0:int ->
   { (JC_134:
     ((JC_133: ge_int(s_1_0, (0)))
     and balance_non_negative(this_5, Purse_balance)))}
   unit reads Object_alloc_table,Purse_balance
   writes Object_alloc_table,Object_tag_table,Purse_balance
   raises NoCreditException_exc
   { ((JC_150: balance_non_negative(this_5, Purse_balance))
     and (JC_148:
         ((JC_146:
          ((JC_144: le_int(s_1_0, select(Purse_balance@, this_5)))
          and (JC_145:
              (select(Purse_balance, this_5) = sub_int(select(Purse_balance@,
                                                       this_5),
                                               s_1_0)))))
         and (JC_147:
             not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
             pset_singleton(this_5))))))
     | NoCreditException_exc =>
         (JC_158:
         ((JC_156:
          ((JC_155: gt_int(s_1_0, select(Purse_balance@, this_5)))
          and balance_non_negative(this_5, Purse_balance)))
         and (JC_157:
             not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
             pset_empty)))) }

exception Return_label_exc of unit

parameter Throwable_backtrace : (Object, Object pointer) memory ref

parameter Throwable_cause : (Object, Object pointer) memory ref

parameter Throwable_detailMessage : (Object, Object pointer) memory ref

exception Throwable_exc of Object pointer

parameter Throwable_fillInStackTrace :
 this_16:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_fillInStackTrace_requires :
 this_16:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getCause :
 this_8:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getCause_requires :
 this_8:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getLocalizedMessage :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getLocalizedMessage_requires :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getMessage :
 this_10:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getMessage_requires :
 this_10:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_getStackTraceDepth :
 this_12:Object pointer -> { } int reads Object_alloc_table { true }

parameter Throwable_getStackTraceDepth_requires :
 this_12:Object pointer -> { } int reads Object_alloc_table { true }

parameter Throwable_initCause :
 this_15:Object pointer ->
  cause_1:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter Throwable_initCause_requires :
 this_15:Object pointer ->
  cause_1:Object pointer ->
   { } Object pointer reads Object_alloc_table { true }

parameter Throwable_printStackTrace :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_printStackTrace_PrintStream :
 this_14:Object pointer ->
  s_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_printStackTrace_PrintStream_requires :
 this_14:Object pointer ->
  s_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_printStackTrace_requires :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Throwable_toString :
 this_13:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Throwable_toString_requires :
 this_13:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_NoCreditException :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NoCreditException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NoCreditException_tag)))) }

parameter alloc_struct_NoCreditException_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NoCreditException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NoCreditException_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_PrintStream :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrintStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrintStream_tag)))) }

parameter alloc_struct_PrintStream_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrintStream(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrintStream_tag)))) }

parameter alloc_struct_Purse :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Purse(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Purse_tag)))) }

parameter alloc_struct_Purse_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Purse(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Purse_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Exception :
 this_23:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String :
 this_22:Object pointer ->
  message_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String_Throwable :
 this_19:Object pointer ->
  message_2:Object pointer ->
   cause_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String_Throwable_requires :
 this_19:Object pointer ->
  message_2:Object pointer ->
   cause_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_String_requires :
 this_22:Object pointer ->
  message_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_Throwable :
 this_18:Object pointer ->
  cause_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_Throwable_requires :
 this_18:Object pointer ->
  cause_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_requires :
 this_23:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_NoCreditException :
 this_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_NoCreditException_requires :
 this_2:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Purse :
 this_7:Object pointer ->
  { } unit reads Object_alloc_table,Purse_balance writes Purse_balance
  { ((JC_100: balance_non_negative(this_7, Purse_balance))
    and (JC_98:
        ((JC_96: (select(Purse_balance, this_7) = (0)))
        and (JC_97:
            not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
            pset_singleton(this_7)))))) }

parameter cons_Purse_requires :
 this_7:Object pointer ->
  { } unit reads Object_alloc_table,Purse_balance writes Purse_balance
  { ((JC_100: balance_non_negative(this_7, Purse_balance))
    and (JC_98:
        ((JC_96: (select(Purse_balance, this_7) = (0)))
        and (JC_97:
            not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
            pset_singleton(this_7)))))) }

parameter cons_Throwable :
 this_21:Object pointer ->
  { } unit reads Object_alloc_table
  writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage 
  { true }

parameter cons_Throwable_String :
 this_17:Object pointer ->
  message:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_String_Throwable :
 this_20:Object pointer ->
  message_0:Object pointer ->
   cause:Object pointer ->
    { } unit reads Object_alloc_table
    writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
    { true }

parameter cons_Throwable_String_Throwable_requires :
 this_20:Object pointer ->
  message_0:Object pointer ->
   cause:Object pointer ->
    { } unit reads Object_alloc_table
    writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
    { true }

parameter cons_Throwable_String_requires :
 this_17:Object pointer ->
  message:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_Throwable :
 this_24:Object pointer ->
  cause_0:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_Throwable_requires :
 this_24:Object pointer ->
  cause_0:Object pointer ->
   { } unit reads Object_alloc_table
   writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage
   { true }

parameter cons_Throwable_requires :
 this_21:Object pointer ->
  { } unit reads Object_alloc_table
  writes Throwable_backtrace,Throwable_cause,Throwable_detailMessage 
  { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Purse_credit_ensures_default =
 fun (this_6 : Object pointer) (s_0 : int) ->
  { (valid_struct_Purse(this_6, (0), (0), Object_alloc_table)
    and (JC_31:
        ((JC_30: ge_int(s_0, (0)))
        and balance_non_negative(this_6, Purse_balance)))) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_3:
     (let _jessie_ = ((add_int ((safe_acc_ !Purse_balance) this_6)) s_0) in
     begin
       (let _jessie_ = this_6 in
       (((safe_upd_ Purse_balance) _jessie_) _jessie_)); _jessie_ end)) in
     void); (raise Return) end with Return -> void end)
  { (JC_35:
    ((JC_33:
     (select(Purse_balance, this_6) = add_int(select(Purse_balance@, this_6),
                                      s_0)))
    and (JC_34:
        not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
        pset_singleton(this_6))))) }

let Purse_credit_safety =
 fun (this_6 : Object pointer) (s_0 : int) ->
  { (valid_struct_Purse(this_6, (0), (0), Object_alloc_table)
    and (JC_31:
        ((JC_30: ge_int(s_0, (0)))
        and balance_non_negative(this_6, Purse_balance)))) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_3:
     (let _jessie_ = ((add_int ((safe_acc_ !Purse_balance) this_6)) s_0) in
     begin
       (let _jessie_ = this_6 in
       (((safe_upd_ Purse_balance) _jessie_) _jessie_)); _jessie_ end)) in
     void); (raise Return) end with Return -> void end)
  { (JC_39: balance_non_negative(this_6, Purse_balance)) }

let Purse_getBalance_ensures_default =
 fun (this_4 : Object pointer) ->
  { (valid_struct_Purse(this_4, (0), (0), Object_alloc_table)
    and (JC_67: balance_non_negative(this_4, Purse_balance))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (return := (K_5: ((safe_acc_ !Purse_balance) this_4))); (raise Return);
    absurd  end with Return -> !return end))
  { (JC_69: (result = select(Purse_balance, this_4))) }

let Purse_getBalance_safety =
 fun (this_4 : Object pointer) ->
  { (valid_struct_Purse(this_4, (0), (0), Object_alloc_table)
    and (JC_67: balance_non_negative(this_4, Purse_balance))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (return := (K_5: ((safe_acc_ !Purse_balance) this_4))); (raise Return);
    absurd  end with Return -> !return end))
  { (JC_71: balance_non_negative(this_4, Purse_balance)) }

let Purse_withdraw_ensures_default =
 fun (this_5 : Object pointer) (s_1_0 : int) ->
  { (valid_struct_Purse(this_5, (0), (0), Object_alloc_table)
    and (JC_137:
        ((JC_136: ge_int(s_1_0, (0)))
        and balance_non_negative(this_5, Purse_balance)))) }
  (init:
  try
   begin
     (if (K_18:
         ((ge_int_ (K_17: ((safe_acc_ !Purse_balance) this_5))) s_1_0))
     then
      (let _jessie_ =
      (K_15: ((sub_int (K_14: ((safe_acc_ !Purse_balance) this_5))) s_1_0)) in
      (let _jessie_ = this_5 in
      (((safe_upd_ Purse_balance) _jessie_) _jessie_)))
     else
      (let java_thrown_exception =
      (let this =
      (JC_163:
      (((alloc_struct_NoCreditException (1)) Object_alloc_table) Object_tag_table)) in
      (let _tt =
      (let _jessie_ = this in
      (JC_164: (cons_NoCreditException _jessie_))) in this)) in
      begin
        (assert
        { (JC_165:
          Non_null_Object(java_thrown_exception, Object_alloc_table)) };
        void); (raise (NoCreditException_exc java_thrown_exception)) end));
    (raise Return) end with Return -> void end)
  { (JC_143:
    ((JC_141:
     ((JC_139: le_int(s_1_0, select(Purse_balance@, this_5)))
     and (JC_140:
         (select(Purse_balance, this_5) = sub_int(select(Purse_balance@,
                                                  this_5),
                                          s_1_0)))))
    and (JC_142:
        not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
        pset_singleton(this_5))))) | NoCreditException_exc => true }

let Purse_withdraw_exsures_amount_too_large =
 fun (this_5 : Object pointer) (s_1_0 : int) ->
  { (valid_struct_Purse(this_5, (0), (0), Object_alloc_table)
    and (JC_137:
        ((JC_136: ge_int(s_1_0, (0)))
        and balance_non_negative(this_5, Purse_balance)))) }
  (init:
  try
   begin
     (if (K_18:
         ((ge_int_ (K_17: ((safe_acc_ !Purse_balance) this_5))) s_1_0))
     then
      (let _jessie_ =
      (K_15: ((sub_int (K_14: ((safe_acc_ !Purse_balance) this_5))) s_1_0)) in
      (let _jessie_ = this_5 in
      (((safe_upd_ Purse_balance) _jessie_) _jessie_)))
     else
      (let java_thrown_exception =
      (let this =
      (JC_166:
      (((alloc_struct_NoCreditException (1)) Object_alloc_table) Object_tag_table)) in
      (let _tt =
      (let _jessie_ = this in
      (JC_167: (cons_NoCreditException _jessie_))) in this)) in
      begin
        [ { } unit reads Object_alloc_table
          { (JC_168:
            Non_null_Object(java_thrown_exception, Object_alloc_table)) } ];
       (raise (NoCreditException_exc java_thrown_exception)) end));
    (raise Return) end with Return -> void end)
  { true
    | NoCreditException_exc =>
        (JC_154:
        ((JC_152:
         ((JC_151: gt_int(s_1_0, select(Purse_balance@, this_5)))
         and balance_non_negative(this_5, Purse_balance)))
        and (JC_153:
            not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
            pset_empty)))) }

let Purse_withdraw_safety =
 fun (this_5 : Object pointer) (s_1_0 : int) ->
  { (valid_struct_Purse(this_5, (0), (0), Object_alloc_table)
    and (JC_137:
        ((JC_136: ge_int(s_1_0, (0)))
        and balance_non_negative(this_5, Purse_balance)))) }
  (init:
  try
   begin
     (if (K_18:
         ((ge_int_ (K_17: ((safe_acc_ !Purse_balance) this_5))) s_1_0))
     then
      (let _jessie_ =
      (K_15: ((sub_int (K_14: ((safe_acc_ !Purse_balance) this_5))) s_1_0)) in
      (let _jessie_ = this_5 in
      (((safe_upd_ Purse_balance) _jessie_) _jessie_)))
     else
      (let java_thrown_exception =
      (let this =
      (let _jessie_ =
      (JC_159:
      (((alloc_struct_NoCreditException_requires (1)) Object_alloc_table) Object_tag_table)) in
      (JC_160:
      (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
      _jessie_))) in
      (let _tt =
      (let _jessie_ = this in
      (JC_161: (cons_NoCreditException_requires _jessie_))) in this)) in
      begin
        [ { } unit reads Object_alloc_table
          { (JC_162:
            Non_null_Object(java_thrown_exception, Object_alloc_table)) } ];
       (raise (NoCreditException_exc java_thrown_exception)) end));
    (raise Return) end with Return -> void end)
  { (JC_149: balance_non_negative(this_5, Purse_balance))
    | NoCreditException_exc => true }

let cons_Exception_String_Throwable_ensures_default =
 fun (this_19 : Object pointer) (message_2 : Object pointer) (cause_2 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_2, (0), Object_alloc_table)
    and (left_valid_struct_String(message_2, (0), Object_alloc_table)
        and valid_struct_Exception(this_19, (0), (0), Object_alloc_table))) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_173: true) }

let cons_Exception_String_Throwable_safety =
 fun (this_19 : Object pointer) (message_2 : Object pointer) (cause_2 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_2, (0), Object_alloc_table)
    and (left_valid_struct_String(message_2, (0), Object_alloc_table)
        and valid_struct_Exception(this_19, (0), (0), Object_alloc_table))) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Exception_String_ensures_default =
 fun (this_22 : Object pointer) (message_1 : Object pointer) ->
  { (left_valid_struct_String(message_1, (0), Object_alloc_table)
    and valid_struct_Exception(this_22, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_213: true) }

let cons_Exception_String_safety =
 fun (this_22 : Object pointer) (message_1 : Object pointer) ->
  { (left_valid_struct_String(message_1, (0), Object_alloc_table)
    and valid_struct_Exception(this_22, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Exception_Throwable_ensures_default =
 fun (this_18 : Object pointer) (cause_3 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_3, (0), Object_alloc_table)
    and valid_struct_Exception(this_18, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_85: true) }

let cons_Exception_Throwable_safety =
 fun (this_18 : Object pointer) (cause_3 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_3, (0), Object_alloc_table)
    and valid_struct_Exception(this_18, (0), (0), Object_alloc_table)) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Exception_ensures_default =
 fun (this_23 : Object pointer) ->
  { valid_struct_Exception(this_23, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_221: true) }

let cons_Exception_safety =
 fun (this_23 : Object pointer) ->
  { valid_struct_Exception(this_23, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_NoCreditException_ensures_default =
 fun (this_2 : Object pointer) ->
  { valid_struct_NoCreditException(this_2, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_129: true) }

let cons_NoCreditException_safety =
 fun (this_2 : Object pointer) ->
  { valid_struct_NoCreditException(this_2, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Purse_ensures_default =
 fun (this_7 : Object pointer) ->
  { valid_struct_Purse(this_7, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (0) in
       (let _jessie_ = this_7 in
       (((safe_upd_ Purse_balance) _jessie_) _jessie_)));
      (K_8:
      (let _jessie_ = (0) in
      begin
        (let _jessie_ = this_7 in
        (((safe_upd_ Purse_balance) _jessie_) _jessie_)); _jessie_ end))
     end in void); (raise Return) end with Return -> void end)
  { (JC_95:
    ((JC_93: (select(Purse_balance, this_7) = (0)))
    and (JC_94:
        not_assigns(Object_alloc_table@, Purse_balance@, Purse_balance,
        pset_singleton(this_7))))) }

let cons_Purse_safety =
 fun (this_7 : Object pointer) ->
  { valid_struct_Purse(this_7, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (0) in
       (let _jessie_ = this_7 in
       (((safe_upd_ Purse_balance) _jessie_) _jessie_)));
      (K_8:
      (let _jessie_ = (0) in
      begin
        (let _jessie_ = this_7 in
        (((safe_upd_ Purse_balance) _jessie_) _jessie_)); _jessie_ end))
     end in void); (raise Return) end with Return -> void end)
  { (JC_99: balance_non_negative(this_7, Purse_balance)) }

let cons_Throwable_String_Throwable_ensures_default =
 fun (this_20 : Object pointer) (message_0 : Object pointer) (cause : Object pointer) ->
  { (left_valid_struct_Throwable(cause, (0), Object_alloc_table)
    and (left_valid_struct_String(message_0, (0), Object_alloc_table)
        and valid_struct_Throwable(this_20, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_20 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_20 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_20 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_181: true) }

let cons_Throwable_String_Throwable_safety =
 fun (this_20 : Object pointer) (message_0 : Object pointer) (cause : Object pointer) ->
  { (left_valid_struct_Throwable(cause, (0), Object_alloc_table)
    and (left_valid_struct_String(message_0, (0), Object_alloc_table)
        and valid_struct_Throwable(this_20, (0), (0), Object_alloc_table))) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_20 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_20 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_20 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true }

let cons_Throwable_String_ensures_default =
 fun (this_17 : Object pointer) (message : Object pointer) ->
  { (left_valid_struct_String(message, (0), Object_alloc_table)
    and valid_struct_Throwable(this_17, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_17 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_17 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_17 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_Throwable_String_safety =
 fun (this_17 : Object pointer) (message : Object pointer) ->
  { (left_valid_struct_String(message, (0), Object_alloc_table)
    and valid_struct_Throwable(this_17, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_17 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_17 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_17 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true }

let cons_Throwable_Throwable_ensures_default =
 fun (this_24 : Object pointer) (cause_0 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_0, (0), Object_alloc_table)
    and valid_struct_Throwable(this_24, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_24 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_24 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_24 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_229: true) }

let cons_Throwable_Throwable_safety =
 fun (this_24 : Object pointer) (cause_0 : Object pointer) ->
  { (left_valid_struct_Throwable(cause_0, (0), Object_alloc_table)
    and valid_struct_Throwable(this_24, (0), (0), Object_alloc_table)) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_24 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_24 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_24 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true }

let cons_Throwable_ensures_default =
 fun (this_21 : Object pointer) ->
  { valid_struct_Throwable(this_21, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_21 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_21 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_21 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end)
  { (JC_189: true) }

let cons_Throwable_safety =
 fun (this_21 : Object pointer) ->
  { valid_struct_Throwable(this_21, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_21 in
       (((safe_upd_ Throwable_backtrace) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_21 in
      (((safe_upd_ Throwable_detailMessage) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_21 in
        (((safe_upd_ Throwable_cause) _jessie_) _jessie_)); _jessie_
      end) end in void); (raise Return) end with Return -> void end) 
  { true }


========== make project execution ==========
why --project [...] why/Purse.why
========== file tests/java/why/Purse.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
  
  
    
  
  
    
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
  
  
    
  
  
    
  

========== file tests/java/why/Purse_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Throwable_tag : Object tag_id

axiom Exception_parenttag_Throwable: parenttag(Exception_tag, Throwable_tag)

function Exception_serialVersionUID() : int = (-3387516993124229948)

logic NoCreditException_tag : Object tag_id

axiom NoCreditException_parenttag_Exception: parenttag(NoCreditException_tag,
  Exception_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

logic Object_tag : Object tag_id

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic PrintStream_tag : Object tag_id

axiom PrintStream_parenttag_Object: parenttag(PrintStream_tag, Object_tag)

logic Purse_tag : Object tag_id

axiom Purse_parenttag_Object: parenttag(Purse_tag, Object_tag)

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

function Throwable_serialVersionUID() : int = (-3042686055658047285)

predicate balance_non_negative(this_3: Object pointer,
  Purse_balance: (Object, int) memory) = (select(Purse_balance, this_3) >= 0)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Throwable(p, a,
  Object_alloc_table)

predicate left_valid_struct_NoCreditException(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Exception(p, a,
  Object_alloc_table)

predicate left_valid_struct_PrintStream(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Purse(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Throwable(p,
  b, Object_alloc_table)

predicate right_valid_struct_NoCreditException(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Exception(p,
  b, Object_alloc_table)

predicate right_valid_struct_PrintStream(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Purse(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Throwable(p,
  a, b, Object_alloc_table)

predicate strict_valid_struct_NoCreditException(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Exception(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrintStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Purse(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Throwable(p, a, b,
  Object_alloc_table)

predicate valid_struct_NoCreditException(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Exception(p, a, b,
  Object_alloc_table)

predicate valid_struct_PrintStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Purse(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Purse_po1.why ==========
goal Purse_credit_ensures_default_po_1:
  forall this_6:Object pointer.
  forall s_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_6, 0, 0, Object_alloc_table) and
   ("JC_31":
   (("JC_30": (s_0 >= 0)) and balance_non_negative(this_6, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_6)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_6, (result + s_0))) ->
  ("JC_35":
  ("JC_33": (select(Purse_balance0, this_6) = (select(Purse_balance,
  this_6) + s_0))))

========== file tests/java/why/Purse_po10.why ==========
goal Purse_withdraw_exsures_amount_too_large_po_2:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result < s_1_0) ->
  forall result0:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_NoCreditException(result0, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result0, 1) and
     instanceof(Object_tag_table, result0, NoCreditException_tag)))) ->
  ("JC_168": Non_null_Object(result0, Object_alloc_table0)) ->
  ("JC_154": ("JC_152": balance_non_negative(this_5, Purse_balance)))

========== file tests/java/why/Purse_po11.why ==========
goal Purse_withdraw_exsures_amount_too_large_po_3:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result < s_1_0) ->
  forall result0:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_NoCreditException(result0, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result0, 1) and
     instanceof(Object_tag_table, result0, NoCreditException_tag)))) ->
  ("JC_168": Non_null_Object(result0, Object_alloc_table0)) ->
  ("JC_154":
  ("JC_153": not_assigns(Object_alloc_table, Purse_balance, Purse_balance,
  pset_empty)))

========== file tests/java/why/Purse_po12.why ==========
goal Purse_withdraw_safety_po_1:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result >= s_1_0) ->
  forall result0:int.
  (result0 = select(Purse_balance, this_5)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_5, (result0 - s_1_0))) ->
  ("JC_149": balance_non_negative(this_5, Purse_balance0))

========== file tests/java/why/Purse_po13.why ==========
goal Purse_withdraw_safety_po_2:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result < s_1_0) ->
  (1 >= 0)

========== file tests/java/why/Purse_po14.why ==========
goal Purse_withdraw_safety_po_3:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result < s_1_0) ->
  (1 >= 0) ->
  forall result0:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_NoCreditException(result0, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result0, 1) and
     instanceof(Object_tag_table, result0, NoCreditException_tag)))) ->
  (offset_max(Object_alloc_table0, result0) >= 0)

========== file tests/java/why/Purse_po15.why ==========
goal cons_Purse_ensures_default_po_1:
  forall this_7:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  valid_struct_Purse(this_7, 0, 0, Object_alloc_table) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_7, 0)) ->
  forall Purse_balance1:(Object,
  int) memory.
  (Purse_balance1 = store(Purse_balance0, this_7, 0)) ->
  ("JC_95": ("JC_93": (select(Purse_balance1, this_7) = 0)))

========== file tests/java/why/Purse_po16.why ==========
goal cons_Purse_ensures_default_po_2:
  forall this_7:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  valid_struct_Purse(this_7, 0, 0, Object_alloc_table) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_7, 0)) ->
  forall Purse_balance1:(Object,
  int) memory.
  (Purse_balance1 = store(Purse_balance0, this_7, 0)) ->
  ("JC_95":
  ("JC_94": not_assigns(Object_alloc_table, Purse_balance, Purse_balance1,
  pset_singleton(this_7))))

========== file tests/java/why/Purse_po17.why ==========
goal cons_Purse_safety_po_1:
  forall this_7:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  valid_struct_Purse(this_7, 0, 0, Object_alloc_table) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_7, 0)) ->
  forall Purse_balance1:(Object,
  int) memory.
  (Purse_balance1 = store(Purse_balance0, this_7, 0)) ->
  ("JC_99": balance_non_negative(this_7, Purse_balance1))

========== file tests/java/why/Purse_po2.why ==========
goal Purse_credit_ensures_default_po_2:
  forall this_6:Object pointer.
  forall s_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_6, 0, 0, Object_alloc_table) and
   ("JC_31":
   (("JC_30": (s_0 >= 0)) and balance_non_negative(this_6, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_6)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_6, (result + s_0))) ->
  ("JC_35":
  ("JC_34": not_assigns(Object_alloc_table, Purse_balance, Purse_balance0,
  pset_singleton(this_6))))

========== file tests/java/why/Purse_po3.why ==========
goal Purse_credit_safety_po_1:
  forall this_6:Object pointer.
  forall s_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_6, 0, 0, Object_alloc_table) and
   ("JC_31":
   (("JC_30": (s_0 >= 0)) and balance_non_negative(this_6, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_6)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_6, (result + s_0))) ->
  ("JC_39": balance_non_negative(this_6, Purse_balance0))

========== file tests/java/why/Purse_po4.why ==========
goal Purse_getBalance_ensures_default_po_1:
  forall this_4:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_4, 0, 0, Object_alloc_table) and
   ("JC_67": balance_non_negative(this_4, Purse_balance))) ->
  forall result:int.
  (result = select(Purse_balance, this_4)) ->
  forall return:int.
  (return = result) ->
  ("JC_69": (return = select(Purse_balance, this_4)))

========== file tests/java/why/Purse_po5.why ==========
goal Purse_withdraw_ensures_default_po_1:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result >= s_1_0) ->
  forall result0:int.
  (result0 = select(Purse_balance, this_5)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_5, (result0 - s_1_0))) ->
  ("JC_143":
  ("JC_141": ("JC_139": (s_1_0 <= select(Purse_balance, this_5)))))

========== file tests/java/why/Purse_po6.why ==========
goal Purse_withdraw_ensures_default_po_2:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result >= s_1_0) ->
  forall result0:int.
  (result0 = select(Purse_balance, this_5)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_5, (result0 - s_1_0))) ->
  ("JC_143":
  ("JC_141":
  ("JC_140": (select(Purse_balance0, this_5) = (select(Purse_balance,
  this_5) - s_1_0)))))

========== file tests/java/why/Purse_po7.why ==========
goal Purse_withdraw_ensures_default_po_3:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result >= s_1_0) ->
  forall result0:int.
  (result0 = select(Purse_balance, this_5)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_5, (result0 - s_1_0))) ->
  ("JC_143":
  ("JC_142": not_assigns(Object_alloc_table, Purse_balance, Purse_balance0,
  pset_singleton(this_5))))

========== file tests/java/why/Purse_po8.why ==========
goal Purse_withdraw_ensures_default_po_4:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result < s_1_0) ->
  forall result0:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_NoCreditException(result0, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result0, 1) and
     instanceof(Object_tag_table, result0, NoCreditException_tag)))) ->
  ("JC_165": Non_null_Object(result0, Object_alloc_table0))

========== file tests/java/why/Purse_po9.why ==========
goal Purse_withdraw_exsures_amount_too_large_po_1:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result < s_1_0) ->
  forall result0:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_NoCreditException(result0, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result0, 1) and
     instanceof(Object_tag_table, result0, NoCreditException_tag)))) ->
  ("JC_168": Non_null_Object(result0, Object_alloc_table0)) ->
  ("JC_154": ("JC_152": ("JC_151": (s_1_0 > select(Purse_balance, this_5)))))

========== generation of Simplify VC output ==========
why -simplify [...] why/Purse.why
========== file tests/java/simplify/Purse_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Throwable
 (EQ (parenttag Exception_tag Throwable_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_serialVersionUID_def
 (EQ Exception_serialVersionUID (- 0 constant_too_large_3387516993124229948)))

(BG_PUSH
 ;; Why axiom NoCreditException_parenttag_Exception
 (EQ (parenttag NoCreditException_tag Exception_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom PrintStream_parenttag_Object
 (EQ (parenttag PrintStream_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Purse_parenttag_Object
 (EQ (parenttag Purse_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_serialVersionUID_def
 (EQ Throwable_serialVersionUID (- 0 constant_too_large_3042686055658047285)))

(DEFPRED (balance_non_negative this_3 Purse_balance)
  (>= (select Purse_balance this_3) 0))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Throwable p a Object_alloc_table))

(DEFPRED (left_valid_struct_NoCreditException p a Object_alloc_table)
  (left_valid_struct_Exception p a Object_alloc_table))

(DEFPRED (left_valid_struct_PrintStream p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Purse p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Throwable p b Object_alloc_table))

(DEFPRED (right_valid_struct_NoCreditException p b Object_alloc_table)
  (right_valid_struct_Exception p b Object_alloc_table))

(DEFPRED (right_valid_struct_PrintStream p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Purse p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Throwable p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_NoCreditException p a b Object_alloc_table)
  (strict_valid_struct_Exception p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_PrintStream p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Purse p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Throwable p a b Object_alloc_table))

(DEFPRED (valid_struct_NoCreditException p a b Object_alloc_table)
  (valid_struct_Exception p a b Object_alloc_table))

(DEFPRED (valid_struct_PrintStream p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Purse p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Purse_credit_ensures_default_po_1, File "HOME/tests/java/Purse.java", line 56, characters 16-44
(FORALL (this_6)
(FORALL (s_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_6 0 0 Object_alloc_table)
         (AND (>= s_0 0) (balance_non_negative this_6 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_6))
(FORALL (Purse_balance0)
(IMPLIES (EQ Purse_balance0
         (|why__store| Purse_balance this_6 (+ result s_0)))
(EQ (select Purse_balance0 this_6) (+ (select Purse_balance this_6) s_0)))))))))))

;; Purse_credit_ensures_default_po_2, File "HOME/tests/java/Purse.java", line 58, characters 16-22
(FORALL (this_6)
(FORALL (s_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_6 0 0 Object_alloc_table)
         (AND (>= s_0 0) (balance_non_negative this_6 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_6))
(FORALL (Purse_balance0)
(IMPLIES (EQ Purse_balance0
         (|why__store| Purse_balance this_6 (+ result s_0)))
(not_assigns
Object_alloc_table Purse_balance Purse_balance0 (pset_singleton this_6)))))))))))

;; Purse_credit_safety_po_1, File "HOME/tests/java/Purse.java", line 58, characters 16-22
(FORALL (this_6)
(FORALL (s_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_6 0 0 Object_alloc_table)
         (AND (>= s_0 0) (balance_non_negative this_6 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_6))
(FORALL (Purse_balance0)
(IMPLIES (EQ Purse_balance0
         (|why__store| Purse_balance this_6 (+ result s_0)))
(balance_non_negative this_6 Purse_balance0))))))))))

;; Purse_getBalance_ensures_default_po_1, File "HOME/tests/java/Purse.java", line 76, characters 16-34
(FORALL (this_4)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_4 0 0 Object_alloc_table)
         (balance_non_negative this_4 Purse_balance))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_4))
(FORALL (return)
(IMPLIES (EQ return result) (EQ return (select Purse_balance this_4))))))))))

;; Purse_withdraw_ensures_default_po_1, File "HOME/tests/java/Purse.java", line 64, characters 16-34
(FORALL (this_5)
(FORALL (s_1_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_5 0 0 Object_alloc_table)
         (AND (>= s_1_0 0) (balance_non_negative this_5 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_5))
(IMPLIES (>= result s_1_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select Purse_balance this_5))
(FORALL (Purse_balance0)
(IMPLIES (EQ Purse_balance0
         (|why__store| Purse_balance this_5 (- result0 s_1_0)))
(<= s_1_0 (select Purse_balance this_5))))))))))))))

;; Purse_withdraw_ensures_default_po_2, File "HOME/tests/java/Purse.java", line 64, characters 38-66
(FORALL (this_5)
(FORALL (s_1_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_5 0 0 Object_alloc_table)
         (AND (>= s_1_0 0) (balance_non_negative this_5 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_5))
(IMPLIES (>= result s_1_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select Purse_balance this_5))
(FORALL (Purse_balance0)
(IMPLIES (EQ Purse_balance0
         (|why__store| Purse_balance this_5 (- result0 s_1_0)))
(EQ (select Purse_balance0 this_5) (- (select Purse_balance this_5) s_1_0))))))))))))))

;; Purse_withdraw_ensures_default_po_3, File "HOME/tests/java/Purse.java", line 69, characters 16-24
(FORALL (this_5)
(FORALL (s_1_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_5 0 0 Object_alloc_table)
         (AND (>= s_1_0 0) (balance_non_negative this_5 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_5))
(IMPLIES (>= result s_1_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select Purse_balance this_5))
(FORALL (Purse_balance0)
(IMPLIES (EQ Purse_balance0
         (|why__store| Purse_balance this_5 (- result0 s_1_0)))
(not_assigns
Object_alloc_table Purse_balance Purse_balance0 (pset_singleton this_5))))))))))))))

;; Purse_withdraw_ensures_default_po_4, File "HOME/tests/java/Purse.jc", line 145, characters 17-55
(FORALL (this_5)
(FORALL (s_1_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_5 0 0 Object_alloc_table)
         (AND (>= s_1_0 0) (balance_non_negative this_5 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_5))
(IMPLIES (< result s_1_0)
(FORALL (result0)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_NoCreditException
         result0 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result0 1)
         (instanceof Object_tag_table result0 NoCreditException_tag))))
(Non_null_Object result0 Object_alloc_table0)))))))))))))

;; Purse_withdraw_exsures_amount_too_large_po_1, File "HOME/tests/java/Purse.java", line 67, characters 38-55
(FORALL (this_5)
(FORALL (s_1_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_5 0 0 Object_alloc_table)
         (AND (>= s_1_0 0) (balance_non_negative this_5 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_5))
(IMPLIES (< result s_1_0)
(FORALL (result0)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_NoCreditException
         result0 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result0 1)
         (instanceof Object_tag_table result0 NoCreditException_tag))))
(IMPLIES (Non_null_Object result0 Object_alloc_table0)
(> s_1_0 (select Purse_balance this_5)))))))))))))))

;; Purse_withdraw_exsures_amount_too_large_po_2, File "HOME/tests/java/Purse.java", line 69, characters 16-24
(FORALL (this_5)
(FORALL (s_1_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_5 0 0 Object_alloc_table)
         (AND (>= s_1_0 0) (balance_non_negative this_5 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_5))
(IMPLIES (< result s_1_0)
(FORALL (result0)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_NoCreditException
         result0 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result0 1)
         (instanceof Object_tag_table result0 NoCreditException_tag))))
(IMPLIES (Non_null_Object result0 Object_alloc_table0)
(balance_non_negative this_5 Purse_balance))))))))))))))

;; Purse_withdraw_exsures_amount_too_large_po_3, File "HOME/tests/java/Purse.java", line 69, characters 16-24
(FORALL (this_5)
(FORALL (s_1_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_5 0 0 Object_alloc_table)
         (AND (>= s_1_0 0) (balance_non_negative this_5 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_5))
(IMPLIES (< result s_1_0)
(FORALL (result0)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_NoCreditException
         result0 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result0 1)
         (instanceof Object_tag_table result0 NoCreditException_tag))))
(IMPLIES (Non_null_Object result0 Object_alloc_table0)
(not_assigns Object_alloc_table Purse_balance Purse_balance pset_empty))))))))))))))

;; Purse_withdraw_safety_po_1, File "HOME/tests/java/Purse.java", line 69, characters 16-24
(FORALL (this_5)
(FORALL (s_1_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_5 0 0 Object_alloc_table)
         (AND (>= s_1_0 0) (balance_non_negative this_5 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_5))
(IMPLIES (>= result s_1_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select Purse_balance this_5))
(FORALL (Purse_balance0)
(IMPLIES (EQ Purse_balance0
         (|why__store| Purse_balance this_5 (- result0 s_1_0)))
(balance_non_negative this_5 Purse_balance0)))))))))))))

;; Purse_withdraw_safety_po_2, File "HOME/tests/java/Purse.jc", line 136, characters 43-67
(FORALL (this_5)
(FORALL (s_1_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_5 0 0 Object_alloc_table)
         (AND (>= s_1_0 0) (balance_non_negative this_5 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_5))
(IMPLIES (< result s_1_0) (>= 1 0)))))))))

;; Purse_withdraw_safety_po_3, File "why/Purse.why", line 918, characters 16-71
(FORALL (this_5)
(FORALL (s_1_0)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (AND (valid_struct_Purse this_5 0 0 Object_alloc_table)
         (AND (>= s_1_0 0) (balance_non_negative this_5 Purse_balance)))
(FORALL (result)
(IMPLIES (EQ result (select Purse_balance this_5))
(IMPLIES (< result s_1_0)
(IMPLIES (>= 1 0)
(FORALL (result0)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_NoCreditException
         result0 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result0 1)
         (instanceof Object_tag_table result0 NoCreditException_tag))))
(>= (offset_max Object_alloc_table0 result0) 0))))))))))))))

;; cons_Purse_ensures_default_po_1, File "HOME/tests/java/Purse.java", line 48, characters 16-28
(FORALL (this_7)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (valid_struct_Purse this_7 0 0 Object_alloc_table)
(FORALL (Purse_balance0)
(IMPLIES (EQ Purse_balance0 (|why__store| Purse_balance this_7 0))
(FORALL (Purse_balance1)
(IMPLIES (EQ Purse_balance1 (|why__store| Purse_balance0 this_7 0))
(EQ (select Purse_balance1 this_7) 0)))))))))

;; cons_Purse_ensures_default_po_2, File "HOME/tests/java/Purse.java", line 50, characters 11-16
(FORALL (this_7)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (valid_struct_Purse this_7 0 0 Object_alloc_table)
(FORALL (Purse_balance0)
(IMPLIES (EQ Purse_balance0 (|why__store| Purse_balance this_7 0))
(FORALL (Purse_balance1)
(IMPLIES (EQ Purse_balance1 (|why__store| Purse_balance0 this_7 0))
(not_assigns
Object_alloc_table Purse_balance Purse_balance1 (pset_singleton this_7))))))))))

;; cons_Purse_safety_po_1, File "HOME/tests/java/Purse.java", line 50, characters 11-16
(FORALL (this_7)
(FORALL (Object_alloc_table)
(FORALL (Purse_balance)
(IMPLIES (valid_struct_Purse this_7 0 0 Object_alloc_table)
(FORALL (Purse_balance0)
(IMPLIES (EQ Purse_balance0 (|why__store| Purse_balance this_7 0))
(FORALL (Purse_balance1)
(IMPLIES (EQ Purse_balance1 (|why__store| Purse_balance0 this_7 0))
(balance_non_negative this_7 Purse_balance1)))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Purse_why.sx         : ................. (17/0/0/0/0)
total   :  17
valid   :  17 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Purse.why
========== file tests/java/why/Purse_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Throwable_tag : Object tag_id

axiom Exception_parenttag_Throwable: parenttag(Exception_tag, Throwable_tag)

function Exception_serialVersionUID() : int = (-3387516993124229948)

logic NoCreditException_tag : Object tag_id

axiom NoCreditException_parenttag_Exception: parenttag(NoCreditException_tag,
  Exception_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

logic Object_tag : Object tag_id

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic PrintStream_tag : Object tag_id

axiom PrintStream_parenttag_Object: parenttag(PrintStream_tag, Object_tag)

logic Purse_tag : Object tag_id

axiom Purse_parenttag_Object: parenttag(Purse_tag, Object_tag)

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

function Throwable_serialVersionUID() : int = (-3042686055658047285)

predicate balance_non_negative(this_3: Object pointer,
  Purse_balance: (Object, int) memory) = (select(Purse_balance, this_3) >= 0)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Throwable(p, a,
  Object_alloc_table)

predicate left_valid_struct_NoCreditException(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Exception(p, a,
  Object_alloc_table)

predicate left_valid_struct_PrintStream(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Purse(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Throwable(p,
  b, Object_alloc_table)

predicate right_valid_struct_NoCreditException(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Exception(p,
  b, Object_alloc_table)

predicate right_valid_struct_PrintStream(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Purse(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Throwable(p,
  a, b, Object_alloc_table)

predicate strict_valid_struct_NoCreditException(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Exception(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrintStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Purse(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Throwable(p, a, b,
  Object_alloc_table)

predicate valid_struct_NoCreditException(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Exception(p, a, b,
  Object_alloc_table)

predicate valid_struct_PrintStream(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Purse(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Purse_credit_ensures_default_po_1:
  forall this_6:Object pointer.
  forall s_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_6, 0, 0, Object_alloc_table) and
   ("JC_31":
   (("JC_30": (s_0 >= 0)) and balance_non_negative(this_6, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_6)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_6, (result + s_0))) ->
  ("JC_35":
  ("JC_33": (select(Purse_balance0, this_6) = (select(Purse_balance,
  this_6) + s_0))))

goal Purse_credit_ensures_default_po_2:
  forall this_6:Object pointer.
  forall s_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_6, 0, 0, Object_alloc_table) and
   ("JC_31":
   (("JC_30": (s_0 >= 0)) and balance_non_negative(this_6, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_6)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_6, (result + s_0))) ->
  ("JC_35":
  ("JC_34": not_assigns(Object_alloc_table, Purse_balance, Purse_balance0,
  pset_singleton(this_6))))

goal Purse_credit_safety_po_1:
  forall this_6:Object pointer.
  forall s_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_6, 0, 0, Object_alloc_table) and
   ("JC_31":
   (("JC_30": (s_0 >= 0)) and balance_non_negative(this_6, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_6)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_6, (result + s_0))) ->
  ("JC_39": balance_non_negative(this_6, Purse_balance0))

goal Purse_getBalance_ensures_default_po_1:
  forall this_4:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_4, 0, 0, Object_alloc_table) and
   ("JC_67": balance_non_negative(this_4, Purse_balance))) ->
  forall result:int.
  (result = select(Purse_balance, this_4)) ->
  forall return:int.
  (return = result) ->
  ("JC_69": (return = select(Purse_balance, this_4)))

goal Purse_withdraw_ensures_default_po_1:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result >= s_1_0) ->
  forall result0:int.
  (result0 = select(Purse_balance, this_5)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_5, (result0 - s_1_0))) ->
  ("JC_143":
  ("JC_141": ("JC_139": (s_1_0 <= select(Purse_balance, this_5)))))

goal Purse_withdraw_ensures_default_po_2:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result >= s_1_0) ->
  forall result0:int.
  (result0 = select(Purse_balance, this_5)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_5, (result0 - s_1_0))) ->
  ("JC_143":
  ("JC_141":
  ("JC_140": (select(Purse_balance0, this_5) = (select(Purse_balance,
  this_5) - s_1_0)))))

goal Purse_withdraw_ensures_default_po_3:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result >= s_1_0) ->
  forall result0:int.
  (result0 = select(Purse_balance, this_5)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_5, (result0 - s_1_0))) ->
  ("JC_143":
  ("JC_142": not_assigns(Object_alloc_table, Purse_balance, Purse_balance0,
  pset_singleton(this_5))))

goal Purse_withdraw_ensures_default_po_4:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result < s_1_0) ->
  forall result0:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_NoCreditException(result0, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result0, 1) and
     instanceof(Object_tag_table, result0, NoCreditException_tag)))) ->
  ("JC_165": Non_null_Object(result0, Object_alloc_table0))

goal Purse_withdraw_exsures_amount_too_large_po_1:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result < s_1_0) ->
  forall result0:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_NoCreditException(result0, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result0, 1) and
     instanceof(Object_tag_table, result0, NoCreditException_tag)))) ->
  ("JC_168": Non_null_Object(result0, Object_alloc_table0)) ->
  ("JC_154": ("JC_152": ("JC_151": (s_1_0 > select(Purse_balance, this_5)))))

goal Purse_withdraw_exsures_amount_too_large_po_2:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result < s_1_0) ->
  forall result0:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_NoCreditException(result0, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result0, 1) and
     instanceof(Object_tag_table, result0, NoCreditException_tag)))) ->
  ("JC_168": Non_null_Object(result0, Object_alloc_table0)) ->
  ("JC_154": ("JC_152": balance_non_negative(this_5, Purse_balance)))

goal Purse_withdraw_exsures_amount_too_large_po_3:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result < s_1_0) ->
  forall result0:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_NoCreditException(result0, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result0, 1) and
     instanceof(Object_tag_table, result0, NoCreditException_tag)))) ->
  ("JC_168": Non_null_Object(result0, Object_alloc_table0)) ->
  ("JC_154":
  ("JC_153": not_assigns(Object_alloc_table, Purse_balance, Purse_balance,
  pset_empty)))

goal Purse_withdraw_safety_po_1:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result >= s_1_0) ->
  forall result0:int.
  (result0 = select(Purse_balance, this_5)) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_5, (result0 - s_1_0))) ->
  ("JC_149": balance_non_negative(this_5, Purse_balance0))

goal Purse_withdraw_safety_po_2:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result < s_1_0) ->
  (1 >= 0)

goal Purse_withdraw_safety_po_3:
  forall this_5:Object pointer.
  forall s_1_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  (valid_struct_Purse(this_5, 0, 0, Object_alloc_table) and
   ("JC_137":
   (("JC_136": (s_1_0 >= 0)) and balance_non_negative(this_5, Purse_balance)))) ->
  forall result:int.
  (result = select(Purse_balance, this_5)) ->
  (result < s_1_0) ->
  (1 >= 0) ->
  forall result0:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_NoCreditException(result0, 0, (1 - 1),
   Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result0, 1) and
     instanceof(Object_tag_table, result0, NoCreditException_tag)))) ->
  (offset_max(Object_alloc_table0, result0) >= 0)

goal cons_Purse_ensures_default_po_1:
  forall this_7:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  valid_struct_Purse(this_7, 0, 0, Object_alloc_table) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_7, 0)) ->
  forall Purse_balance1:(Object,
  int) memory.
  (Purse_balance1 = store(Purse_balance0, this_7, 0)) ->
  ("JC_95": ("JC_93": (select(Purse_balance1, this_7) = 0)))

goal cons_Purse_ensures_default_po_2:
  forall this_7:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  valid_struct_Purse(this_7, 0, 0, Object_alloc_table) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_7, 0)) ->
  forall Purse_balance1:(Object,
  int) memory.
  (Purse_balance1 = store(Purse_balance0, this_7, 0)) ->
  ("JC_95":
  ("JC_94": not_assigns(Object_alloc_table, Purse_balance, Purse_balance1,
  pset_singleton(this_7))))

goal cons_Purse_safety_po_1:
  forall this_7:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Purse_balance:(Object,
  int) memory.
  valid_struct_Purse(this_7, 0, 0, Object_alloc_table) ->
  forall Purse_balance0:(Object,
  int) memory.
  (Purse_balance0 = store(Purse_balance, this_7, 0)) ->
  forall Purse_balance1:(Object,
  int) memory.
  (Purse_balance1 = store(Purse_balance0, this_7, 0)) ->
  ("JC_99": balance_non_negative(this_7, Purse_balance1))

why-2.34/tests/java/oracle/Arrays.err.oracle0000644000175000017500000000000012311670312017352 0ustar  rtuserswhy-2.34/tests/java/oracle/Creation.err.oracle0000644000175000017500000000000012311670312017655 0ustar  rtuserswhy-2.34/tests/java/oracle/Negate.err.oracle0000644000175000017500000000000712311670312017323 0ustar  rtusersDOTDOT
why-2.34/tests/java/oracle/Muller.err.oracle0000644000175000017500000000000012311670312017351 0ustar  rtuserswhy-2.34/tests/java/oracle/FlagStatic.res.oracle0000644000175000017500000177605412311670312020171 0ustar  rtusers========== file tests/java/FlagStatic.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Dijkstra's dutch flag */

//@+ CheckArithOverflow = no

/*@ predicate is_color(integer c) =
  @   c == FlagStatic.BLUE || c == FlagStatic.WHITE || c == FlagStatic.RED ;
  @*/

/*@ predicate is_color_array{L}(int t[]) =
  @   t != null &&
  @   \forall integer i; 0 <= i < t.length ==> is_color(t[i]) ;
  @*/

/*@ predicate is_monochrome{L}(int t[],integer i, integer j, int c) =
  @   \forall integer k; i <= k < j ==> t[k] == c ;
  @*/


class FlagStatic {

    public static final int BLUE = 1, WHITE = 2, RED = 3;

    /*@ requires t != null && 0 <= i <= j <= t.length ;
      @ behavior decides_monochromatic:
      @   ensures \result <==> is_monochrome(t,i,j,c);
      @*/
    public static boolean isMonochrome(int t[], int i, int j, int c) {
    	/*@ loop_invariant i <= k &&
	  @   (\forall integer l; i <= l < k ==> t[l]==c);
    	  @ loop_variant j - k;
	  @*/
	for (int k = i; k < j; k++) if (t[k] != c) return false;
	return true;
    }

    /*@ requires 0 <= i < t.length && 0 <= j < t.length;
      @ behavior i_j_swapped:
      @   assigns t[i],t[j];
      @   ensures t[i] == \old(t[j]) && t[j] == \old(t[i]);
      @*/
    private static void swap(int t[], int i, int j) {
	int z = t[i];
	t[i] = t[j];
	t[j] = z;
    }

    /*@ requires
      @   is_color_array(t);
      @ behavior sorts:
      @   ensures
      @     (\exists integer b r;
      @        is_monochrome(t,0,b,BLUE) &&
      @        is_monochrome(t,b,r,WHITE) &&
      @        is_monochrome(t,r,t.length,RED));
      @*/
    public static void flag(int t[]) {
	int b = 0;
	int i = 0;
	int r = t.length;
	/*@ loop_invariant
	  @   is_color_array(t) &&
	  @   0 <= b <= i <= r <= t.length &&
	  @   is_monochrome(t,0,b,BLUE) &&
	  @   is_monochrome(t,b,i,WHITE) &&
          @   is_monochrome(t,r,t.length,RED);
	  @ loop_variant r - i;
	  @*/
	while (i < r) {
	    switch (t[i]) {
	    case BLUE:
		swap(t,b++, i++);
		break;
	    case WHITE:
		i++;
		break;
	    case RED:
		swap(t,--r, i);
		break;
	    }
	}
    }
}



/*
Local Variables:
compile-command: "make FlagStatic.why3ide"
End:
*/
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function FlagStatic_swap for method FlagStatic.swap
Generating JC function Object_equals for method Object.equals
Generating JC function Object_notify for method Object.notify
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function Object_toString for method Object.toString
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function cons_Object for constructor Object
Generating JC function FlagStatic_flag for method FlagStatic.flag
Generating JC function FlagStatic_isMonochrome for method FlagStatic.isMonochrome
Generating JC function Object_clone for method Object.clone
Generating JC function Object_wait_long for method Object.wait
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_wait for method Object.wait
Generating JC function cons_FlagStatic for constructor FlagStatic
Done.
========== file tests/java/FlagStatic.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic integer FlagStatic_BLUE =
1

logic integer FlagStatic_WHITE =
2

logic integer FlagStatic_RED =
3

String[0..] any_string()
;

tag String = Object with {
}

tag FlagStatic = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate is_color(integer c) =
(((c == FlagStatic_BLUE) || (c == FlagStatic_WHITE)) ||
  (c == FlagStatic_RED))

predicate is_color_array{L}(intM[0..] t_2) =
(Non_null_intM(t_2) &&
  (\forall integer i_1;
    (((0 <= i_1) && (i_1 < (\offset_max(t_2) + 1))) ==>
      is_color((t_2 + i_1).intP))))

predicate is_monochrome{L}(intM[0..] t_3, integer i_2, integer j_1,
                           integer c_1) =
(\forall integer k;
  (((i_2 <= k) && (k < j_1)) ==> ((t_3 + k).intP == c_1)))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit FlagStatic_swap(intM[0..] t_0, integer i_0, integer j_0)
  requires (K_10 : ((K_9 : ((K_8 : (0 <= i_0)) &&
                             (K_7 : (i_0 < (\offset_max(t_0) + 1))))) &&
                     (K_6 : ((K_5 : (0 <= j_0)) &&
                              (K_4 : (j_0 < (\offset_max(t_0) + 1)))))));
behavior i_j_swapped:
  assigns (t_0 + [i_0..i_0]).intP,
  (t_0 + [j_0..j_0]).intP;
  ensures (K_3 : ((K_2 : ((t_0 + i_0).intP == \at((t_0 + j_0).intP,Old))) &&
                   (K_1 : ((t_0 + j_0).intP == \at((t_0 + i_0).intP,Old)))));
{  
   {  
      (var integer z = (K_14 : (t_0 + i_0).intP));
      
      {  (K_12 : ((t_0 + i_0).intP = (K_11 : (t_0 + j_0).intP)));
         (K_13 : ((t_0 + j_0).intP = z))
      }
   }
}

boolean Object_equals(Object[0] this_2, Object[0..] obj)
;

unit Object_notify(Object[0] this_3)
;

unit Object_registerNatives()
;

integer Object_hashCode(Object[0] this_4)
;

unit Object_wait_long_int(Object[0] this_5, integer timeout_0, integer nanos)
;

String[0..] Object_toString(Object[0] this_6)
;

unit Object_notifyAll(Object[0] this_7)
;

unit cons_Object(! Object[0] this_12){()}

unit FlagStatic_flag(intM[0..] t_1)
  requires (K_16 : is_color_array{Here}(t_1));
behavior sorts:
  ensures (K_15 : (\exists integer b;
                    (\exists integer r;
                      ((is_monochrome{Here}(t_1, 0, b, FlagStatic_BLUE) &&
                         is_monochrome{Here}(t_1, b, r, FlagStatic_WHITE)) &&
                        is_monochrome{Here}(t_1, r, (\offset_max(t_1) + 1),
                                            FlagStatic_RED)))));
{  
   {  
      (var integer b_0 = (K_43 : 0));
      
      {  
         (var integer i_3 = (K_42 : 0));
         
         {  
            (var integer r_0 = (K_41 : java_array_length_intM(t_1)));
            
            loop 
            behavior default:
              invariant (K_31 : ((K_30 : ((K_29 : ((K_28 : ((K_27 : is_color_array{Here}(
                                                            t_1)) &&
                                                             (K_26 : 
                                                             ((K_25 : 
                                                              ((K_24 : 
                                                               ((K_23 : 
                                                                (0 <=
                                                                  b_0)) &&
                                                                 (K_22 : 
                                                                 (b_0 <=
                                                                   i_3)))) &&
                                                                (K_21 : 
                                                                (i_3 <=
                                                                  r_0)))) &&
                                                               (K_20 : 
                                                               (r_0 <=
                                                                 (\offset_max(t_1) +
                                                                   1))))))) &&
                                                    (K_19 : is_monochrome{Here}(
                                                    t_1, 0, b_0,
                                                    FlagStatic_BLUE)))) &&
                                           (K_18 : is_monochrome{Here}(
                                           t_1, b_0, i_3, FlagStatic_WHITE)))) &&
                                  (K_17 : is_monochrome{Here}(t_1, r_0,
                                                              (\offset_max(t_1) +
                                                                1),
                                                              FlagStatic_RED))));
            variant (K_32 : (r_0 - i_3));
            while ((K_40 : (i_3 < r_0)))
            {  
               switch ((K_39 : (t_1 + i_3).intP)) {
                 case FlagStatic_BLUE:
                 {  (K_35 : FlagStatic_swap(t_1, (K_33 : (b_0 ++)),
                                            (K_34 : (i_3 ++))));
                    
                    (break )
                 }
                 case FlagStatic_WHITE:
                 {  (K_36 : (i_3 ++));
                    
                    (break )
                 }
                 case FlagStatic_RED:
                 {  (K_38 : FlagStatic_swap(t_1, (K_37 : (-- r_0)), i_3));
                    
                    (break )
                 }
               }
            }
         }
      }
   }
}

boolean FlagStatic_isMonochrome(intM[0..] t, integer i, integer j,
                                integer c_0)
  requires (K_51 : ((K_50 : Non_null_intM(t)) &&
                     (K_49 : ((K_48 : ((K_47 : (0 <= i)) &&
                                        (K_46 : (i <= j)))) &&
                               (K_45 : (j <= (\offset_max(t) + 1)))))));
behavior decides_monochromatic:
  ensures (K_44 : (\result <==> is_monochrome{Here}(t, i, j, c_0)));
{  
   {  
      {  
         (var integer k_0 = (K_52 : i));
         
         loop 
         behavior default:
           invariant (K_55 : ((K_54 : (i <= k_0)) &&
                               (K_53 : (\forall integer l;
                                         (((i <= l) && (l < k_0)) ==>
                                           ((t + l).intP == c_0))))));
         
         variant (K_56 : (j - k_0));
         for ( ; (K_60 : (k_0 < j)) ; (K_59 : (k_0 ++)))
         {  (if (K_58 : ((K_57 : (t + k_0).intP) != c_0)) then 
            (return false) else ())
         }
      }
   };
   
   (return true)
}

Object[0..] Object_clone(Object[0] this_8)
;

unit Object_wait_long(Object[0] this_9, integer timeout)
;

unit Object_finalize(Object[0] this_10)
;

unit Object_wait(Object[0] this_11)
;

unit cons_FlagStatic(! FlagStatic[0] this_1){()}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/FlagStatic.jloc tests/java/FlagStatic.jc && make -f tests/java/FlagStatic.makefile gui"
End:
*/
========== file tests/java/FlagStatic.jloc ==========
[FlagStatic_swap]
name = "Method swap"
file = "HOME/tests/java/FlagStatic.java"
line = 72
begin = 24
end = 28

[K_30]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 136

[K_23]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 13

[K_33]
file = "HOME/tests/java/FlagStatic.java"
line = 102
begin = 9
end = 12

[K_49]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 30
end = 53

[K_17]
file = "HOME/tests/java/FlagStatic.java"
line = 96
begin = 14
end = 45

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/FlagStatic.java"
line = 74
begin = 8
end = 12

[K_38]
file = "HOME/tests/java/FlagStatic.java"
line = 108
begin = 2
end = 16

[K_25]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 23

[K_13]
file = "HOME/tests/java/FlagStatic.java"
line = 75
begin = 1
end = 9

[K_60]
file = "HOME/tests/java/FlagStatic.java"
line = 63
begin = 17
end = 22

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 34

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[K_44]
file = "HOME/tests/java/FlagStatic.java"
line = 56
begin = 18
end = 53

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[K_28]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 63

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_52]
file = "HOME/tests/java/FlagStatic.java"
line = 63
begin = 14
end = 15

[K_1]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 40
end = 58

[cons_FlagStatic]
name = "Constructor of class FlagStatic"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_15]
file = "HOME/tests/java/FlagStatic.java"
line = 82
begin = 13
end = 169

[K_4]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 43
end = 55

[K_12]
file = "HOME/tests/java/FlagStatic.java"
line = 74
begin = 1
end = 12

[K_55]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 84

[K_34]
file = "HOME/tests/java/FlagStatic.java"
line = 102
begin = 14
end = 17

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 22
end = 35

[K_59]
file = "HOME/tests/java/FlagStatic.java"
line = 63
begin = 24
end = 27

[K_58]
file = "HOME/tests/java/FlagStatic.java"
line = 63
begin = 33
end = 42

[K_53]
file = "HOME/tests/java/FlagStatic.java"
line = 60
begin = 8
end = 49

[FlagStatic_flag]
name = "Method flag"
file = "HOME/tests/java/FlagStatic.java"
line = 87
begin = 23
end = 27

[K_2]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 18
end = 36

[K_41]
file = "HOME/tests/java/FlagStatic.java"
line = 90
begin = 9
end = 17

[K_50]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 17
end = 26

[K_47]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 30
end = 36

[K_29]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 99

[K_10]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 55

[K_35]
file = "HOME/tests/java/FlagStatic.java"
line = 102
begin = 2
end = 18

[K_6]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 38
end = 55

[K_8]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 23

[K_48]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 30
end = 41

[K_3]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 18
end = 58

[K_31]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 185

[FlagStatic_isMonochrome]
name = "Method isMonochrome"
file = "HOME/tests/java/FlagStatic.java"
line = 58
begin = 26
end = 38

[K_32]
file = "HOME/tests/java/FlagStatic.java"
line = 97
begin = 18
end = 23

[K_27]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 24

[K_46]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 35
end = 41

[K_21]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 17
end = 23

[K_42]
file = "HOME/tests/java/FlagStatic.java"
line = 89
begin = 9
end = 10

[K_24]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 18

[K_56]
file = "HOME/tests/java/FlagStatic.java"
line = 61
begin = 22
end = 27

[K_14]
file = "HOME/tests/java/FlagStatic.java"
line = 73
begin = 9
end = 13

[K_39]
file = "HOME/tests/java/FlagStatic.java"
line = 100
begin = 13
end = 17

[K_36]
file = "HOME/tests/java/FlagStatic.java"
line = 105
begin = 2
end = 5

[K_57]
file = "HOME/tests/java/FlagStatic.java"
line = 63
begin = 33
end = 37

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_37]
file = "HOME/tests/java/FlagStatic.java"
line = 108
begin = 9
end = 12

[K_54]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 30

[K_19]
file = "HOME/tests/java/FlagStatic.java"
line = 94
begin = 7
end = 32

[K_5]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 38
end = 44

[K_51]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 17
end = 53

[K_18]
file = "HOME/tests/java/FlagStatic.java"
line = 95
begin = 7
end = 33

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 22
end = 34

[K_40]
file = "HOME/tests/java/FlagStatic.java"
line = 99
begin = 8
end = 13

[K_26]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 35

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 12
end = 18

[K_45]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 40
end = 53

[K_16]
file = "HOME/tests/java/FlagStatic.java"
line = 79
begin = 10
end = 27

[K_43]
file = "HOME/tests/java/FlagStatic.java"
line = 88
begin = 9
end = 10

========== jessie execution ==========
Generating Why function FlagStatic_swap
Generating Why function cons_Object
Generating Why function FlagStatic_flag
Generating Why function FlagStatic_isMonochrome
Generating Why function cons_FlagStatic
========== file tests/java/FlagStatic.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs FlagStatic.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs FlagStatic.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/FlagStatic_why.sx

project: why/FlagStatic.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/FlagStatic_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/FlagStatic_why.vo

coq/FlagStatic_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/FlagStatic_why.v: why/FlagStatic.why
	@echo 'why -coq [...] why/FlagStatic.why' && $(WHY) $(JESSIELIBFILES) why/FlagStatic.why && rm -f coq/jessie_why.v

coq-goals: goals coq/FlagStatic_ctx_why.vo
	for f in why/*_po*.why; do make -f FlagStatic.makefile coq/`basename $$f .why`_why.v ; done

coq/FlagStatic_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/FlagStatic_ctx_why.v: why/FlagStatic_ctx.why
	@echo 'why -coq [...] why/FlagStatic_ctx.why' && $(WHY) why/FlagStatic_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export FlagStatic_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/FlagStatic_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/FlagStatic_ctx_why.vo

pvs: pvs/FlagStatic_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/FlagStatic_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/FlagStatic_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/FlagStatic_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/FlagStatic_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/FlagStatic_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/FlagStatic_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/FlagStatic_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/FlagStatic_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/FlagStatic_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/FlagStatic_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/FlagStatic_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/FlagStatic_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/FlagStatic_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/FlagStatic_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: FlagStatic.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/FlagStatic_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: FlagStatic.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: FlagStatic.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: FlagStatic.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include FlagStatic.depend

depend: coq/FlagStatic_why.v
	-$(COQDEP) -I coq coq/FlagStatic*_why.v > FlagStatic.depend

clean:
	rm -f coq/*.vo

========== file tests/java/FlagStatic.loc ==========
[JC_176]
kind = UserCall
file = "HOME/tests/java/FlagStatic.java"
line = 90
begin = 9
end = 17

[JC_233]
file = "HOME/"
line = 0
begin = -1
end = -1

[FlagStatic_isMonochrome_ensures_decides_monochromatic]
name = "Method isMonochrome"
behavior = "Behavior `decides_monochromatic'"
file = "HOME/tests/java/FlagStatic.java"
line = 58
begin = 26
end = 38

[JC_177]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 24

[JC_221]
file = "HOME/tests/java/FlagStatic.jc"
line = 219
begin = 9
end = 509

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 12
end = 18

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
kind = UserCall
file = "HOME/tests/java/FlagStatic.java"
line = 90
begin = 9
end = 17

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_248]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/tests/java/FlagStatic.jc"
line = 93
begin = 9
end = 20

[JC_133]
file = "HOME/tests/java/FlagStatic.java"
line = 79
begin = 10
end = 27

[JC_261]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_188]
file = "HOME/tests/java/FlagStatic.jc"
line = 150
begin = 12
end = 2823

[JC_180]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 17
end = 23

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_200]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 40
end = 53

[JC_85]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_250]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_201]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 17
end = 53

[JC_31]
file = "HOME/tests/java/FlagStatic.jc"
line = 64
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_194]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 40
end = 53

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_205]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 18
end = 36

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 43
end = 55

[JC_23]
file = "HOME/tests/java/FlagStatic.jc"
line = 60
begin = 11
end = 103

[JC_241]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/tests/java/FlagStatic.jc"
line = 150
begin = 12
end = 2823

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
kind = PointerDeref
file = "HOME/tests/java/FlagStatic.jc"
line = 102
begin = 18
end = 62

[JC_9]
file = "HOME/tests/java/FlagStatic.jc"
line = 51
begin = 8
end = 21

[JC_25]
file = "HOME/tests/java/FlagStatic.jc"
line = 60
begin = 11
end = 103

[JC_189]
kind = UserCall
file = "HOME/tests/java/FlagStatic.jc"
line = 184
begin = 28
end = 130

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 38
end = 44

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[FlagStatic_isMonochrome_ensures_default]
name = "Method isMonochrome"
behavior = "default behavior"
file = "HOME/tests/java/FlagStatic.java"
line = 58
begin = 26
end = 38

[JC_195]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 17
end = 53

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/FlagStatic.jc"
line = 59
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_256]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/FlagStatic.jc"
line = 54
begin = 11
end = 66

[JC_240]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 13

[JC_153]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 185

[JC_222]
file = "HOME/tests/java/FlagStatic.jc"
line = 219
begin = 9
end = 509

[JC_246]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/FlagStatic.jc"
line = 51
begin = 8
end = 21

[JC_185]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 185

[JC_167]
file = "HOME/tests/java/FlagStatic.java"
line = 94
begin = 7
end = 32

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 23

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[FlagStatic_flag_safety]
name = "Method flag"
behavior = "Safety"
file = "HOME/tests/java/FlagStatic.java"
line = 87
begin = 23
end = 27

[JC_135]
file = "HOME/tests/java/FlagStatic.java"
line = 79
begin = 10
end = 27

[JC_169]
file = "HOME/tests/java/FlagStatic.java"
line = 96
begin = 14
end = 45

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_69]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_219]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 84

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_268]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_FlagStatic_ensures_default]
name = "Constructor of class FlagStatic"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/tests/java/FlagStatic.java"
line = 60
begin = 8
end = 49

[JC_191]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 17
end = 26

[JC_62]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 18
end = 58

[JC_101]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_264]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_223]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 30

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[FlagStatic_swap_ensures_i_j_swapped]
name = "Method swap"
behavior = "Behavior `i_j_swapped'"
file = "HOME/tests/java/FlagStatic.java"
line = 72
begin = 24
end = 28

[JC_190]
kind = UserCall
file = "HOME/tests/java/FlagStatic.jc"
line = 195
begin = 28
end = 72

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 22
end = 35

[JC_103]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_46]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 22
end = 34

[JC_61]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 40
end = 58

[JC_254]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_199]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 35
end = 41

[JC_56]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 40
end = 58

[JC_243]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_173]
file = "HOME/tests/java/FlagStatic.jc"
line = 150
begin = 12
end = 2823

[JC_29]
file = "HOME/tests/java/FlagStatic.jc"
line = 64
begin = 8
end = 23

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
kind = IndexBounds
file = "HOME/tests/java/FlagStatic.java"
line = 90
begin = 9
end = 17

[JC_16]
file = "HOME/tests/java/FlagStatic.jc"
line = 53
begin = 10
end = 18

[JC_43]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 55

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_267]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_235]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_160]
file = "HOME/tests/java/FlagStatic.java"
line = 97
begin = 18
end = 23

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/FlagStatic.jc"
line = 53
begin = 10
end = 18

[FlagStatic_flag_ensures_default]
name = "Method flag"
behavior = "default behavior"
file = "HOME/tests/java/FlagStatic.java"
line = 87
begin = 23
end = 27

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_225]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 84

[JC_149]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 22
end = 35

[JC_216]
file = "HOME/tests/java/FlagStatic.java"
line = 61
begin = 22
end = 27

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/tests/java/FlagStatic.jc"
line = 66
begin = 11
end = 65

[JC_181]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 22
end = 35

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 18
end = 58

[JC_257]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
kind = UserCall
file = "HOME/tests/java/FlagStatic.java"
line = 90
begin = 9
end = 17

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 17
end = 23

[JC_213]
file = "HOME/tests/java/FlagStatic.jc"
line = 219
begin = 9
end = 509

[JC_217]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 30

[JC_253]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_229]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/FlagStatic.jc"
line = 57
begin = 8
end = 30

[JC_187]
file = "HOME/tests/java/FlagStatic.jc"
line = 150
begin = 12
end = 2823

[JC_238]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/FlagStatic.java"
line = 72
begin = 24
end = 28

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_198]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 30
end = 36

[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
kind = UserCall
file = "HOME/tests/java/FlagStatic.jc"
line = 184
begin = 28
end = 130

[JC_63]
file = "HOME/tests/java/FlagStatic.java"
line = 72
begin = 24
end = 28

[JC_196]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_197]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 17
end = 26

[cons_FlagStatic_safety]
name = "Constructor of class FlagStatic"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_207]
file = "HOME/tests/java/FlagStatic.java"
line = 56
begin = 18
end = 53

[JC_151]
file = "HOME/tests/java/FlagStatic.java"
line = 95
begin = 7
end = 33

[JC_45]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 23

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_251]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_203]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_227]
file = "HOME/tests/java/FlagStatic.jc"
line = 219
begin = 9
end = 509

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_265]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 185

[JC_236]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_247]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_148]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 17
end = 23

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_231]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/FlagStatic.jc"
line = 59
begin = 10
end = 18

[JC_193]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 35
end = 41

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_260]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_212]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_175]
kind = UserCall
file = "HOME/tests/java/FlagStatic.jc"
line = 195
begin = 28
end = 72

[JC_224]
file = "HOME/tests/java/FlagStatic.java"
line = 60
begin = 8
end = 49

[JC_47]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 38
end = 44

[JC_232]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_237]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_208]
file = "HOME/tests/java/FlagStatic.java"
line = 56
begin = 18
end = 53

[JC_79]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[FlagStatic_swap_ensures_default]
name = "Method swap"
behavior = "default behavior"
file = "HOME/tests/java/FlagStatic.java"
line = 72
begin = 24
end = 28

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
kind = UserCall
file = "HOME/tests/java/FlagStatic.jc"
line = 184
begin = 28
end = 130

[JC_87]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_184]
file = "HOME/tests/java/FlagStatic.java"
line = 96
begin = 14
end = 45

[JC_15]
file = "HOME/tests/java/FlagStatic.jc"
line = 54
begin = 11
end = 66

[JC_182]
file = "HOME/tests/java/FlagStatic.java"
line = 94
begin = 7
end = 32

[JC_168]
file = "HOME/tests/java/FlagStatic.java"
line = 95
begin = 7
end = 33

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 22
end = 34

[JC_162]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 24

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_215]
kind = PointerDeref
file = "HOME/tests/java/FlagStatic.java"
line = 63
begin = 33
end = 37

[JC_263]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_179]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 12
end = 18

[FlagStatic_swap_safety]
name = "Method swap"
behavior = "Safety"
file = "HOME/tests/java/FlagStatic.java"
line = 72
begin = 24
end = 28

[JC_38]
file = "HOME/tests/java/FlagStatic.jc"
line = 66
begin = 11
end = 65

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_242]
file = "HOME/"
line = 0
begin = -1
end = -1

[FlagStatic_flag_ensures_sorts]
name = "Method flag"
behavior = "Behavior `sorts'"
file = "HOME/tests/java/FlagStatic.java"
line = 87
begin = 23
end = 27

[JC_156]
file = "HOME/tests/java/FlagStatic.jc"
line = 150
begin = 12
end = 2823

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_252]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 12
end = 18

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_155]
file = "HOME/tests/java/FlagStatic.jc"
line = 150
begin = 12
end = 2823

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 43
end = 55

[FlagStatic_isMonochrome_safety]
name = "Method isMonochrome"
behavior = "Safety"
file = "HOME/tests/java/FlagStatic.java"
line = 58
begin = 26
end = 38

[JC_178]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 13

[JC_141]
file = "HOME/tests/java/FlagStatic.java"
line = 82
begin = 13
end = 169

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_220]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
kind = PointerDeref
file = "HOME/tests/java/FlagStatic.java"
line = 73
begin = 9
end = 13

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_245]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
kind = UserCall
file = "HOME/tests/java/FlagStatic.jc"
line = 195
begin = 28
end = 72

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
kind = PointerDeref
file = "HOME/tests/java/FlagStatic.jc"
line = 103
begin = 18
end = 38

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_259]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_266]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_255]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_214]
file = "HOME/tests/java/FlagStatic.jc"
line = 219
begin = 9
end = 509

[JC_258]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/tests/java/FlagStatic.java"
line = 94
begin = 7
end = 32

[JC_117]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
kind = PointerDeref
file = "HOME/tests/java/FlagStatic.java"
line = 100
begin = 13
end = 17

[JC_145]
file = "HOME/tests/java/FlagStatic.java"
line = 92
begin = 7
end = 24

[JC_21]
file = "HOME/tests/java/FlagStatic.jc"
line = 57
begin = 8
end = 30

[JC_209]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 30

[JC_111]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_77]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_49]
file = "HOME/tests/java/FlagStatic.java"
line = 67
begin = 17
end = 55

[JC_1]
file = "HOME/tests/java/FlagStatic.jc"
line = 22
begin = 12
end = 22

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_142]
file = "HOME/tests/java/FlagStatic.java"
line = 82
begin = 13
end = 169

[JC_211]
file = "HOME/tests/java/FlagStatic.java"
line = 59
begin = 24
end = 84

[JC_146]
file = "HOME/tests/java/FlagStatic.java"
line = 93
begin = 7
end = 13

[JC_262]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_249]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
kind = PointerDeref
file = "HOME/tests/java/FlagStatic.java"
line = 74
begin = 8
end = 12

[JC_59]
file = "HOME/tests/java/FlagStatic.jc"
line = 93
begin = 9
end = 20

[JC_192]
file = "HOME/tests/java/FlagStatic.java"
line = 54
begin = 30
end = 36

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_239]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_3]
file = "HOME/tests/java/FlagStatic.jc"
line = 22
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_152]
file = "HOME/tests/java/FlagStatic.java"
line = 96
begin = 14
end = 45

[JC_228]
file = "HOME/tests/java/FlagStatic.jc"
line = 219
begin = 9
end = 509

[JC_60]
file = "HOME/tests/java/FlagStatic.java"
line = 70
begin = 18
end = 36

[JC_183]
file = "HOME/tests/java/FlagStatic.java"
line = 95
begin = 7
end = 33

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_210]
file = "HOME/tests/java/FlagStatic.java"
line = 60
begin = 8
end = 49

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_244]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_230]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_234]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_226]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/FlagStatic.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

function FlagStatic_BLUE() : int = (1)

function FlagStatic_RED() : int = (3)

function FlagStatic_WHITE() : int = (2)

logic FlagStatic_tag:  -> Object tag_id

axiom FlagStatic_parenttag_Object : parenttag(FlagStatic_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate is_color(c:int) =
 ((c = FlagStatic_BLUE) or ((c = FlagStatic_WHITE) or (c = FlagStatic_RED)))

predicate is_color_array(t_2:Object pointer,
 Object_alloc_table_at_L:Object alloc_table,
 intM_intP_at_L:(Object, int) memory) =
 (Non_null_intM(t_2, Object_alloc_table_at_L)
 and (forall i_1:int.
      ((le_int((0), i_1)
       and lt_int(i_1,
           add_int(offset_max(Object_alloc_table_at_L, t_2), (1)))) ->
       is_color(select(intM_intP_at_L, shift(t_2, i_1))))))

predicate is_monochrome(t_3:Object pointer, i_2:int, j_1:int, c_1:int,
 intM_intP_at_L:(Object, int) memory) =
 (forall k:int.
  ((le_int(i_2, k) and lt_int(k, j_1)) ->
   (select(intM_intP_at_L, shift(t_3, k)) = c_1)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_FlagStatic(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_FlagStatic(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_FlagStatic(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_FlagStatic(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter intM_intP : (Object, int) memory ref

parameter FlagStatic_flag :
 t_1:Object pointer ->
  { } unit reads Object_alloc_table,intM_intP writes intM_intP
  { (JC_142:
    (exists b:int.
     (exists r:int.
      (is_monochrome(t_1, (0), b, FlagStatic_BLUE, intM_intP)
      and (is_monochrome(t_1, b, r, FlagStatic_WHITE, intM_intP)
          and is_monochrome(t_1, r,
              add_int(offset_max(Object_alloc_table, t_1), (1)),
              FlagStatic_RED, intM_intP)))))) }

parameter FlagStatic_flag_requires :
 t_1:Object pointer ->
  { (JC_133: is_color_array(t_1, Object_alloc_table, intM_intP))} unit
  reads Object_alloc_table,intM_intP writes intM_intP
  { (JC_142:
    (exists b:int.
     (exists r:int.
      (is_monochrome(t_1, (0), b, FlagStatic_BLUE, intM_intP)
      and (is_monochrome(t_1, b, r, FlagStatic_WHITE, intM_intP)
          and is_monochrome(t_1, r,
              add_int(offset_max(Object_alloc_table, t_1), (1)),
              FlagStatic_RED, intM_intP)))))) }

parameter FlagStatic_isMonochrome :
 t:Object pointer ->
  i:int ->
   j:int ->
    c_0:int ->
     { } bool reads Object_alloc_table,intM_intP
     { (JC_208: ((result = true) <-> is_monochrome(t, i, j, c_0, intM_intP))) }

parameter FlagStatic_isMonochrome_requires :
 t:Object pointer ->
  i:int ->
   j:int ->
    c_0:int ->
     { (JC_195:
       ((JC_191: Non_null_intM(t, Object_alloc_table))
       and ((JC_192: le_int((0), i))
           and ((JC_193: le_int(i, j))
               and (JC_194:
                   le_int(j, add_int(offset_max(Object_alloc_table, t), (1))))))))}
     bool reads Object_alloc_table,intM_intP
     { (JC_208: ((result = true) <-> is_monochrome(t, i, j, c_0, intM_intP))) }

parameter FlagStatic_swap :
 t_0:Object pointer ->
  i_0:int ->
   j_0:int ->
    { } unit reads Object_alloc_table,intM_intP writes intM_intP
    { (JC_64:
      ((JC_62:
       ((JC_60:
        (select(intM_intP, shift(t_0, i_0)) = select(intM_intP@,
                                              shift(t_0, j_0))))
       and (JC_61:
           (select(intM_intP, shift(t_0, j_0)) = select(intM_intP@,
                                                 shift(t_0, i_0))))))
      and (JC_63:
          not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
          pset_union(pset_range(pset_singleton(t_0), j_0, j_0),
          pset_range(pset_singleton(t_0), i_0, i_0)))))) }

parameter FlagStatic_swap_requires :
 t_0:Object pointer ->
  i_0:int ->
   j_0:int ->
    { (JC_43:
      ((JC_39: le_int((0), i_0))
      and ((JC_40:
           lt_int(i_0, add_int(offset_max(Object_alloc_table, t_0), (1))))
          and ((JC_41: le_int((0), j_0))
              and (JC_42:
                  lt_int(j_0,
                  add_int(offset_max(Object_alloc_table, t_0), (1))))))))}
    unit reads Object_alloc_table,intM_intP writes intM_intP
    { (JC_64:
      ((JC_62:
       ((JC_60:
        (select(intM_intP, shift(t_0, i_0)) = select(intM_intP@,
                                              shift(t_0, j_0))))
       and (JC_61:
           (select(intM_intP, shift(t_0, j_0)) = select(intM_intP@,
                                                 shift(t_0, i_0))))))
      and (JC_63:
          not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
          pset_union(pset_range(pset_singleton(t_0), j_0, j_0),
          pset_range(pset_singleton(t_0), i_0, i_0)))))) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_clone :
 this_8:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_8:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_2:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_2:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_4:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_4:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_notify :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_6:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_6:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_9:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_5:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_5:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_9:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_FlagStatic :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_FlagStatic(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, FlagStatic_tag)))) }

parameter alloc_struct_FlagStatic_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_FlagStatic(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, FlagStatic_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_FlagStatic :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_FlagStatic_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

let FlagStatic_flag_ensures_default =
 fun (t_1 : Object pointer) ->
  { (left_valid_struct_intM(t_1, (0), Object_alloc_table)
    and (JC_135: is_color_array(t_1, Object_alloc_table, intM_intP))) }
  (init:
  try
   begin
     (let b_0 = ref (K_43: (0)) in
     (let i_3 = ref (K_42: (0)) in
     (let r_0 =
     ref (K_41:
         (let _jessie_ = t_1 in
         (JC_161: (java_array_length_intM _jessie_)))) in
     try
      (loop_2:
      while true do
      { invariant
          (JC_170:
          ((JC_162: is_color_array(t_1, Object_alloc_table, intM_intP))
          and ((JC_163: le_int((0), b_0))
              and ((JC_164: le_int(b_0, i_3))
                  and ((JC_165: le_int(i_3, r_0))
                      and ((JC_166:
                           le_int(r_0,
                           add_int(offset_max(Object_alloc_table, t_1), (1))))
                          and ((JC_167:
                               is_monochrome(t_1, (0), b_0, FlagStatic_BLUE,
                               intM_intP))
                              and ((JC_168:
                                   is_monochrome(t_1, b_0, i_3,
                                   FlagStatic_WHITE, intM_intP))
                                  and (JC_169:
                                      is_monochrome(t_1, r_0,
                                      add_int(offset_max(Object_alloc_table,
                                              t_1),
                                      (1)), FlagStatic_RED, intM_intP))))))))))
         }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_40: ((lt_int_ !i_3) !r_0))
           then
            (let _jessie_ =
            (K_39: ((safe_acc_ !intM_intP) ((shift t_1) !i_3))) in
            try
             begin
               (if ((eq_int_ _jessie_) FlagStatic_BLUE)
               then
                (K_35:
                begin
                  (let _jessie_ = t_1 in
                  (let _jessie_ =
                  (K_33:
                  (let _jessie_ = !b_0 in
                  begin
                    (let _jessie_ = (b_0 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in
                  (let _jessie_ =
                  (K_34:
                  (let _jessie_ = !i_3 in
                  begin
                    (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in
                  (JC_174:
                  (((FlagStatic_swap _jessie_) _jessie_) _jessie_)))));
                 (raise (Loop_exit_exc void)) end) else void);
              (if (((eq_int_ _jessie_) FlagStatic_WHITE) || ((eq_int_ _jessie_) FlagStatic_BLUE))
              then
               (K_36:
               begin
                 (let _jessie_ =
                 (let _jessie_ = !i_3 in
                 begin
                   (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in
                   void); _jessie_ end) in void);
                (raise (Loop_exit_exc void)) end) else void);
              (if (((eq_int_ _jessie_) FlagStatic_RED) || (((eq_int_ _jessie_) FlagStatic_WHITE) || 
                                                           ((eq_int_ _jessie_) FlagStatic_BLUE)))
              then
               (K_38:
               begin
                 (let _jessie_ = t_1 in
                 (let _jessie_ =
                 (K_37: begin   (r_0 := ((sub_int !r_0) (1))); !r_0 end) in
                 (let _jessie_ = !i_3 in
                 (JC_175:
                 (((FlagStatic_swap _jessie_) _jessie_) _jessie_)))));
                (raise (Loop_exit_exc void)) end) else void) end with
             Loop_exit_exc _jessie_ -> void end)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end))); (raise Return) end with
   Return -> void end) { (JC_137: true) }

let FlagStatic_flag_ensures_sorts =
 fun (t_1 : Object pointer) ->
  { (left_valid_struct_intM(t_1, (0), Object_alloc_table)
    and (JC_135: is_color_array(t_1, Object_alloc_table, intM_intP))) }
  (init:
  try
   begin
     (let b_0 = ref (K_43: (0)) in
     (let i_3 = ref (K_42: (0)) in
     (let r_0 =
     ref (K_41:
         (let _jessie_ = t_1 in
         (JC_176: (java_array_length_intM _jessie_)))) in
     try
      (loop_3:
      while true do
      { invariant (JC_187: true)  }
       begin
         [ { } unit reads Object_alloc_table,b_0,i_3,intM_intP,r_0
           { (JC_185:
             ((JC_177: is_color_array(t_1, Object_alloc_table, intM_intP))
             and ((JC_178: le_int((0), b_0))
                 and ((JC_179: le_int(b_0, i_3))
                     and ((JC_180: le_int(i_3, r_0))
                         and ((JC_181:
                              le_int(r_0,
                              add_int(offset_max(Object_alloc_table, t_1),
                              (1))))
                             and ((JC_182:
                                  is_monochrome(t_1, (0), b_0,
                                  FlagStatic_BLUE, intM_intP))
                                 and ((JC_183:
                                      is_monochrome(t_1, b_0, i_3,
                                      FlagStatic_WHITE, intM_intP))
                                     and (JC_184:
                                         is_monochrome(t_1, r_0,
                                         add_int(offset_max(Object_alloc_table,
                                                 t_1),
                                         (1)), FlagStatic_RED, intM_intP)))))))))) } ];
        try
         begin
           (if (K_40: ((lt_int_ !i_3) !r_0))
           then
            (let _jessie_ =
            (K_39: ((safe_acc_ !intM_intP) ((shift t_1) !i_3))) in
            try
             begin
               (if ((eq_int_ _jessie_) FlagStatic_BLUE)
               then
                (K_35:
                begin
                  (let _jessie_ = t_1 in
                  (let _jessie_ =
                  (K_33:
                  (let _jessie_ = !b_0 in
                  begin
                    (let _jessie_ = (b_0 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in
                  (let _jessie_ =
                  (K_34:
                  (let _jessie_ = !i_3 in
                  begin
                    (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in
                  (JC_189:
                  (((FlagStatic_swap _jessie_) _jessie_) _jessie_)))));
                 (raise (Loop_exit_exc void)) end) else void);
              (if (((eq_int_ _jessie_) FlagStatic_WHITE) || ((eq_int_ _jessie_) FlagStatic_BLUE))
              then
               (K_36:
               begin
                 (let _jessie_ =
                 (let _jessie_ = !i_3 in
                 begin
                   (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in
                   void); _jessie_ end) in void);
                (raise (Loop_exit_exc void)) end) else void);
              (if (((eq_int_ _jessie_) FlagStatic_RED) || (((eq_int_ _jessie_) FlagStatic_WHITE) || 
                                                           ((eq_int_ _jessie_) FlagStatic_BLUE)))
              then
               (K_38:
               begin
                 (let _jessie_ = t_1 in
                 (let _jessie_ =
                 (K_37: begin   (r_0 := ((sub_int !r_0) (1))); !r_0 end) in
                 (let _jessie_ = !i_3 in
                 (JC_190:
                 (((FlagStatic_swap _jessie_) _jessie_) _jessie_)))));
                (raise (Loop_exit_exc void)) end) else void) end with
             Loop_exit_exc _jessie_ -> void end)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end))); (raise Return) end with
   Return -> void end)
  { (JC_141:
    (exists b:int.
     (exists r:int.
      (is_monochrome(t_1, (0), b, FlagStatic_BLUE, intM_intP)
      and (is_monochrome(t_1, b, r, FlagStatic_WHITE, intM_intP)
          and is_monochrome(t_1, r,
              add_int(offset_max(Object_alloc_table, t_1), (1)),
              FlagStatic_RED, intM_intP)))))) }

let FlagStatic_flag_safety =
 fun (t_1 : Object pointer) ->
  { (left_valid_struct_intM(t_1, (0), Object_alloc_table)
    and (JC_135: is_color_array(t_1, Object_alloc_table, intM_intP))) }
  (init:
  try
   begin
     (let b_0 = ref (K_43: (0)) in
     (let i_3 = ref (K_42: (0)) in
     (let r_0 =
     ref (K_41:
         (let _jessie_ = t_1 in
         (JC_144:
         (assert
         { ge_int(offset_max(Object_alloc_table, _jessie_), (-1)) };
         (JC_143: (java_array_length_intM_requires _jessie_)))))) in
     try
      (loop_1:
      while true do
      { invariant (JC_155: true) variant (JC_160 : sub_int(r_0, i_3)) }
       begin
         [ { } unit reads Object_alloc_table,b_0,i_3,intM_intP,r_0
           { (JC_153:
             ((JC_145: is_color_array(t_1, Object_alloc_table, intM_intP))
             and ((JC_146: le_int((0), b_0))
                 and ((JC_147: le_int(b_0, i_3))
                     and ((JC_148: le_int(i_3, r_0))
                         and ((JC_149:
                              le_int(r_0,
                              add_int(offset_max(Object_alloc_table, t_1),
                              (1))))
                             and ((JC_150:
                                  is_monochrome(t_1, (0), b_0,
                                  FlagStatic_BLUE, intM_intP))
                                 and ((JC_151:
                                      is_monochrome(t_1, b_0, i_3,
                                      FlagStatic_WHITE, intM_intP))
                                     and (JC_152:
                                         is_monochrome(t_1, r_0,
                                         add_int(offset_max(Object_alloc_table,
                                                 t_1),
                                         (1)), FlagStatic_RED, intM_intP)))))))))) } ];
        try
         begin
           (if (K_40: ((lt_int_ !i_3) !r_0))
           then
            (let _jessie_ =
            (K_39:
            (JC_157:
            ((((offset_acc_ !Object_alloc_table) !intM_intP) t_1) !i_3))) in
            try
             begin
               (if ((eq_int_ _jessie_) FlagStatic_BLUE)
               then
                (K_35:
                begin
                  (let _jessie_ = t_1 in
                  (let _jessie_ =
                  (K_33:
                  (let _jessie_ = !b_0 in
                  begin
                    (let _jessie_ = (b_0 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in
                  (let _jessie_ =
                  (K_34:
                  (let _jessie_ = !i_3 in
                  begin
                    (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in
                  (JC_158:
                  (((FlagStatic_swap_requires _jessie_) _jessie_) _jessie_)))));
                 (raise (Loop_exit_exc void)) end) else void);
              (if (((eq_int_ _jessie_) FlagStatic_WHITE) || ((eq_int_ _jessie_) FlagStatic_BLUE))
              then
               (K_36:
               begin
                 (let _jessie_ =
                 (let _jessie_ = !i_3 in
                 begin
                   (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in
                   void); _jessie_ end) in void);
                (raise (Loop_exit_exc void)) end) else void);
              (if (((eq_int_ _jessie_) FlagStatic_RED) || (((eq_int_ _jessie_) FlagStatic_WHITE) || 
                                                           ((eq_int_ _jessie_) FlagStatic_BLUE)))
              then
               (K_38:
               begin
                 (let _jessie_ = t_1 in
                 (let _jessie_ =
                 (K_37: begin   (r_0 := ((sub_int !r_0) (1))); !r_0 end) in
                 (let _jessie_ = !i_3 in
                 (JC_159:
                 (((FlagStatic_swap_requires _jessie_) _jessie_) _jessie_)))));
                (raise (Loop_exit_exc void)) end) else void) end with
             Loop_exit_exc _jessie_ -> void end)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end))); (raise Return) end with
   Return -> void end) { true }

let FlagStatic_isMonochrome_ensures_decides_monochromatic =
 fun (t : Object pointer) (i : int) (j : int) (c_0 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (JC_201:
        ((JC_197: Non_null_intM(t, Object_alloc_table))
        and ((JC_198: le_int((0), i))
            and ((JC_199: le_int(i, j))
                and (JC_200:
                    le_int(j,
                    add_int(offset_max(Object_alloc_table, t), (1))))))))) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (let k_0 = ref (K_52: i) in
     try
      (loop_6:
      while true do
      { invariant (JC_227: true)  }
       begin
         [ { } unit reads intM_intP,k_0
           { (JC_225:
             ((JC_223: le_int(i, k_0))
             and (JC_224:
                 (forall l:int.
                  ((le_int(i, l) and lt_int(l, k_0)) ->
                   (select(intM_intP, shift(t, l)) = c_0)))))) } ];
        try
         begin
           (if (K_60: ((lt_int_ !k_0) j))
           then
            (if (K_58:
                ((neq_int_ (K_57: ((safe_acc_ !intM_intP) ((shift t) !k_0)))) c_0))
            then begin   (return := false); (raise Return) end else void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_59:
         (let _jessie_ = !k_0 in
         begin
           (let _jessie_ = (k_0 := ((add_int _jessie_) (1))) in void);
          _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (return := true); (raise Return);
    absurd  end with Return -> !return end))
  { (JC_207: ((result = true) <-> is_monochrome(t, i, j, c_0, intM_intP))) }

let FlagStatic_isMonochrome_ensures_default =
 fun (t : Object pointer) (i : int) (j : int) (c_0 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (JC_201:
        ((JC_197: Non_null_intM(t, Object_alloc_table))
        and ((JC_198: le_int((0), i))
            and ((JC_199: le_int(i, j))
                and (JC_200:
                    le_int(j,
                    add_int(offset_max(Object_alloc_table, t), (1))))))))) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (let k_0 = ref (K_52: i) in
     try
      (loop_5:
      while true do
      { invariant
          (JC_219:
          ((JC_217: le_int(i, k_0))
          and (JC_218:
              (forall l:int.
               ((le_int(i, l) and lt_int(l, k_0)) ->
                (select(intM_intP, shift(t, l)) = c_0))))))  }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_60: ((lt_int_ !k_0) j))
           then
            (if (K_58:
                ((neq_int_ (K_57: ((safe_acc_ !intM_intP) ((shift t) !k_0)))) c_0))
            then begin   (return := false); (raise Return) end else void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_59:
         (let _jessie_ = !k_0 in
         begin
           (let _jessie_ = (k_0 := ((add_int _jessie_) (1))) in void);
          _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (return := true); (raise Return);
    absurd  end with Return -> !return end)) { (JC_203: true) }

let FlagStatic_isMonochrome_safety =
 fun (t : Object pointer) (i : int) (j : int) (c_0 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (JC_201:
        ((JC_197: Non_null_intM(t, Object_alloc_table))
        and ((JC_198: le_int((0), i))
            and ((JC_199: le_int(i, j))
                and (JC_200:
                    le_int(j,
                    add_int(offset_max(Object_alloc_table, t), (1))))))))) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (let k_0 = ref (K_52: i) in
     try
      (loop_4:
      while true do
      { invariant (JC_213: true) variant (JC_216 : sub_int(j, k_0)) }
       begin
         [ { } unit reads intM_intP,k_0
           { (JC_211:
             ((JC_209: le_int(i, k_0))
             and (JC_210:
                 (forall l:int.
                  ((le_int(i, l) and lt_int(l, k_0)) ->
                   (select(intM_intP, shift(t, l)) = c_0)))))) } ];
        try
         begin
           (if (K_60: ((lt_int_ !k_0) j))
           then
            (if (K_58:
                ((neq_int_ (K_57:
                           (JC_215:
                           ((((offset_acc_ !Object_alloc_table) !intM_intP) t) !k_0)))) c_0))
            then begin   (return := false); (raise Return) end else void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_59:
         (let _jessie_ = !k_0 in
         begin
           (let _jessie_ = (k_0 := ((add_int _jessie_) (1))) in void);
          _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (return := true); (raise Return);
    absurd  end with Return -> !return end)) { true }

let FlagStatic_swap_ensures_default =
 fun (t_0 : Object pointer) (i_0 : int) (j_0 : int) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_49:
        ((JC_45: le_int((0), i_0))
        and ((JC_46:
             lt_int(i_0, add_int(offset_max(Object_alloc_table, t_0), (1))))
            and ((JC_47: le_int((0), j_0))
                and (JC_48:
                    lt_int(j_0,
                    add_int(offset_max(Object_alloc_table, t_0), (1))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let z = (K_14: ((safe_acc_ !intM_intP) ((shift t_0) i_0))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11: ((safe_acc_ !intM_intP) ((shift t_0) j_0))) in
       (let _jessie_ = t_0 in
       (let _jessie_ = i_0 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
      (K_13:
      (let _jessie_ = z in
      (let _jessie_ = t_0 in
      (let _jessie_ = j_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      begin   (((safe_upd_ intM_intP) _jessie_) _jessie_); _jessie_ end)))))
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_51: true) }

let FlagStatic_swap_ensures_i_j_swapped =
 fun (t_0 : Object pointer) (i_0 : int) (j_0 : int) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_49:
        ((JC_45: le_int((0), i_0))
        and ((JC_46:
             lt_int(i_0, add_int(offset_max(Object_alloc_table, t_0), (1))))
            and ((JC_47: le_int((0), j_0))
                and (JC_48:
                    lt_int(j_0,
                    add_int(offset_max(Object_alloc_table, t_0), (1))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let z = (K_14: ((safe_acc_ !intM_intP) ((shift t_0) i_0))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11: ((safe_acc_ !intM_intP) ((shift t_0) j_0))) in
       (let _jessie_ = t_0 in
       (let _jessie_ = i_0 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
      (K_13:
      (let _jessie_ = z in
      (let _jessie_ = t_0 in
      (let _jessie_ = j_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      begin   (((safe_upd_ intM_intP) _jessie_) _jessie_); _jessie_ end)))))
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_59:
    ((JC_57:
     ((JC_55:
      (select(intM_intP, shift(t_0, i_0)) = select(intM_intP@,
                                            shift(t_0, j_0))))
     and (JC_56:
         (select(intM_intP, shift(t_0, j_0)) = select(intM_intP@,
                                               shift(t_0, i_0))))))
    and (JC_58:
        not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
        pset_union(pset_range(pset_singleton(t_0), j_0, j_0),
        pset_range(pset_singleton(t_0), i_0, i_0)))))) }

let FlagStatic_swap_safety =
 fun (t_0 : Object pointer) (i_0 : int) (j_0 : int) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_49:
        ((JC_45: le_int((0), i_0))
        and ((JC_46:
             lt_int(i_0, add_int(offset_max(Object_alloc_table, t_0), (1))))
            and ((JC_47: le_int((0), j_0))
                and (JC_48:
                    lt_int(j_0,
                    add_int(offset_max(Object_alloc_table, t_0), (1))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let z =
     (K_14:
     (JC_65: ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) i_0))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11:
       (JC_66: ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) j_0))) in
       (let _jessie_ = t_0 in
       (let _jessie_ = i_0 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_67:
       (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
       void);
      (K_13:
      (let _jessie_ = z in
      (let _jessie_ = t_0 in
      (let _jessie_ = j_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_68:
      begin
        (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_);
       _jessie_ end)))))) end)) in void); (raise Return) end with Return ->
   void end) { true }

let cons_FlagStatic_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_FlagStatic(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_265: true) }

let cons_FlagStatic_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_FlagStatic(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Object_ensures_default =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_129: true) }

let cons_Object_safety =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/FlagStatic.why
========== file tests/java/why/FlagStatic.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
  
  
    
  
  
    
  

========== file tests/java/why/FlagStatic_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

function FlagStatic_BLUE() : int = 1

function FlagStatic_RED() : int = 3

function FlagStatic_WHITE() : int = 2

logic FlagStatic_tag : Object tag_id

axiom FlagStatic_parenttag_Object: parenttag(FlagStatic_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate is_color(c: int) =
  ((c = FlagStatic_BLUE) or ((c = FlagStatic_WHITE) or (c = FlagStatic_RED)))

predicate is_color_array(t_2: Object pointer,
  Object_alloc_table_at_L: Object alloc_table, intM_intP_at_L: (Object,
  int) memory) =
  (Non_null_intM(t_2, Object_alloc_table_at_L) and
   (forall i_1:int.
     (((0 <= i_1) and (i_1 < (offset_max(Object_alloc_table_at_L, t_2) + 1))) ->
      is_color(select(intM_intP_at_L, shift(t_2, i_1))))))

predicate is_monochrome(t_3: Object pointer, i_2: int, j_1: int, c_1: int,
  intM_intP_at_L: (Object, int) memory) =
  (forall k:int.
    (((i_2 <= k) and (k < j_1)) -> (select(intM_intP_at_L, shift(t_3,
     k)) = c_1)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_FlagStatic(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_FlagStatic(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_FlagStatic(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_FlagStatic(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/FlagStatic_po1.why ==========
goal FlagStatic_flag_ensures_default_po_1:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170": ("JC_163": (0 <= 0)))

========== file tests/java/why/FlagStatic_po10.why ==========
goal FlagStatic_flag_ensures_default_po_10:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170": ("JC_164": (b_0_0 <= i_3_0)))

========== file tests/java/why/FlagStatic_po11.why ==========
goal FlagStatic_flag_ensures_default_po_11:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170": ("JC_165": (i_3_0 <= r_0)))

========== file tests/java/why/FlagStatic_po12.why ==========
goal FlagStatic_flag_ensures_default_po_12:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170": ("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/FlagStatic_po13.why ==========
goal FlagStatic_flag_ensures_default_po_13:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170":
  ("JC_167": is_monochrome(t_1, 0, b_0_0, FlagStatic_BLUE, intM_intP1)))

========== file tests/java/why/FlagStatic_po14.why ==========
goal FlagStatic_flag_ensures_default_po_14:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170":
  ("JC_168": is_monochrome(t_1, b_0_0, i_3_0, FlagStatic_WHITE, intM_intP1)))

========== file tests/java/why/FlagStatic_po15.why ==========
goal FlagStatic_flag_ensures_default_po_15:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170":
  ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
  t_1) + 1), FlagStatic_RED, intM_intP1)))

========== file tests/java/why/FlagStatic_po16.why ==========
goal FlagStatic_flag_ensures_default_po_16:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170": ("JC_163": (0 <= b_0)))

========== file tests/java/why/FlagStatic_po17.why ==========
goal FlagStatic_flag_ensures_default_po_17:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170": ("JC_164": (b_0 <= i_3_0)))

========== file tests/java/why/FlagStatic_po18.why ==========
goal FlagStatic_flag_ensures_default_po_18:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170": ("JC_165": (i_3_0 <= r_0)))

========== file tests/java/why/FlagStatic_po19.why ==========
goal FlagStatic_flag_ensures_default_po_19:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170": ("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/FlagStatic_po2.why ==========
goal FlagStatic_flag_ensures_default_po_2:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170": ("JC_164": (0 <= 0)))

========== file tests/java/why/FlagStatic_po20.why ==========
goal FlagStatic_flag_ensures_default_po_20:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170":
  ("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)))

========== file tests/java/why/FlagStatic_po21.why ==========
goal FlagStatic_flag_ensures_default_po_21:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170":
  ("JC_168": is_monochrome(t_1, b_0, i_3_0, FlagStatic_WHITE, intM_intP0)))

========== file tests/java/why/FlagStatic_po22.why ==========
goal FlagStatic_flag_ensures_default_po_22:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170":
  ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
  t_1) + 1), FlagStatic_RED, intM_intP0)))

========== file tests/java/why/FlagStatic_po23.why ==========
goal FlagStatic_flag_ensures_default_po_23:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170": ("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP1)))

========== file tests/java/why/FlagStatic_po24.why ==========
goal FlagStatic_flag_ensures_default_po_24:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170": ("JC_163": (0 <= b_0)))

========== file tests/java/why/FlagStatic_po25.why ==========
goal FlagStatic_flag_ensures_default_po_25:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170": ("JC_164": (b_0 <= i_3)))

========== file tests/java/why/FlagStatic_po26.why ==========
goal FlagStatic_flag_ensures_default_po_26:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170": ("JC_165": (i_3 <= r_0_0)))

========== file tests/java/why/FlagStatic_po27.why ==========
goal FlagStatic_flag_ensures_default_po_27:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170":
  ("JC_166": (r_0_0 <= (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/FlagStatic_po28.why ==========
goal FlagStatic_flag_ensures_default_po_28:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170":
  ("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP1)))

========== file tests/java/why/FlagStatic_po29.why ==========
goal FlagStatic_flag_ensures_default_po_29:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170":
  ("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE, intM_intP1)))

========== file tests/java/why/FlagStatic_po3.why ==========
goal FlagStatic_flag_ensures_default_po_3:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170": ("JC_165": (0 <= result)))

========== file tests/java/why/FlagStatic_po30.why ==========
goal FlagStatic_flag_ensures_default_po_30:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170":
  ("JC_169": is_monochrome(t_1, r_0_0, (offset_max(Object_alloc_table,
  t_1) + 1), FlagStatic_RED, intM_intP1)))

========== file tests/java/why/FlagStatic_po31.why ==========
goal FlagStatic_flag_ensures_default_po_31:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170": ("JC_163": (0 <= b_0)))

========== file tests/java/why/FlagStatic_po32.why ==========
goal FlagStatic_flag_ensures_default_po_32:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170": ("JC_164": (b_0 <= i_3)))

========== file tests/java/why/FlagStatic_po33.why ==========
goal FlagStatic_flag_ensures_default_po_33:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170": ("JC_165": (i_3 <= r_0)))

========== file tests/java/why/FlagStatic_po34.why ==========
goal FlagStatic_flag_ensures_default_po_34:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170": ("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/FlagStatic_po35.why ==========
goal FlagStatic_flag_ensures_default_po_35:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170":
  ("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)))

========== file tests/java/why/FlagStatic_po36.why ==========
goal FlagStatic_flag_ensures_default_po_36:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170":
  ("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE, intM_intP0)))

========== file tests/java/why/FlagStatic_po37.why ==========
goal FlagStatic_flag_ensures_default_po_37:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170":
  ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
  t_1) + 1), FlagStatic_RED, intM_intP0)))

========== file tests/java/why/FlagStatic_po38.why ==========
goal FlagStatic_flag_ensures_sorts_po_1:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_187": true) ->
  ("JC_185":
  (("JC_177": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_178": (0 <= b_0)) and
    (("JC_179": (b_0 <= i_3)) and
     (("JC_180": (i_3 <= r_0)) and
      (("JC_181": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_182": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_183": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_184": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 >= r_0) ->
  ("JC_141":
  (exists b:int.
    (exists r:int.
      (is_monochrome(t_1, 0, b, FlagStatic_BLUE, intM_intP0) and
       (is_monochrome(t_1, b, r, FlagStatic_WHITE, intM_intP0) and
        is_monochrome(t_1, r, (offset_max(Object_alloc_table, t_1) + 1),
        FlagStatic_RED, intM_intP0))))))

========== file tests/java/why/FlagStatic_po39.why ==========
goal FlagStatic_flag_safety_po_1:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1))

========== file tests/java/why/FlagStatic_po4.why ==========
goal FlagStatic_flag_ensures_default_po_4:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170":
  ("JC_166": (result <= (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/FlagStatic_po40.why ==========
goal FlagStatic_flag_safety_po_2:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  (offset_min(Object_alloc_table, t_1) <= i_3)

========== file tests/java/why/FlagStatic_po41.why ==========
goal FlagStatic_flag_safety_po_3:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  (i_3 <= offset_max(Object_alloc_table, t_1))

========== file tests/java/why/FlagStatic_po42.why ==========
goal FlagStatic_flag_safety_po_4:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_43": ("JC_39": (0 <= b_0)))

========== file tests/java/why/FlagStatic_po43.why ==========
goal FlagStatic_flag_safety_po_5:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_43": ("JC_40": (b_0 < (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/FlagStatic_po44.why ==========
goal FlagStatic_flag_safety_po_6:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_43": ("JC_41": (0 <= i_3)))

========== file tests/java/why/FlagStatic_po45.why ==========
goal FlagStatic_flag_safety_po_7:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_43": ("JC_42": (i_3 < (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/FlagStatic_po46.why ==========
goal FlagStatic_flag_safety_po_8:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_43":
  (("JC_39": (0 <= b_0)) and
   (("JC_40": (b_0 < (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_41": (0 <= i_3)) and
     ("JC_42": (i_3 < (offset_max(Object_alloc_table, t_1) + 1))))))) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  (0 <= ("JC_160": (r_0 - i_3)))

========== file tests/java/why/FlagStatic_po47.why ==========
goal FlagStatic_flag_safety_po_9:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_43":
  (("JC_39": (0 <= b_0)) and
   (("JC_40": (b_0 < (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_41": (0 <= i_3)) and
     ("JC_42": (i_3 < (offset_max(Object_alloc_table, t_1) + 1))))))) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  (("JC_160": (r_0 - i_3_0)) < ("JC_160": (r_0 - i_3)))

========== file tests/java/why/FlagStatic_po48.why ==========
goal FlagStatic_flag_safety_po_10:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  (0 <= ("JC_160": (r_0 - i_3)))

========== file tests/java/why/FlagStatic_po49.why ==========
goal FlagStatic_flag_safety_po_11:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  (("JC_160": (r_0 - i_3_0)) < ("JC_160": (r_0 - i_3)))

========== file tests/java/why/FlagStatic_po5.why ==========
goal FlagStatic_flag_ensures_default_po_5:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170":
  ("JC_167": is_monochrome(t_1, 0, 0, FlagStatic_BLUE, intM_intP)))

========== file tests/java/why/FlagStatic_po50.why ==========
goal FlagStatic_flag_safety_po_12:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  ("JC_43": ("JC_39": (0 <= r_0_0)))

========== file tests/java/why/FlagStatic_po51.why ==========
goal FlagStatic_flag_safety_po_13:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  ("JC_43": ("JC_40": (r_0_0 < (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/FlagStatic_po52.why ==========
goal FlagStatic_flag_safety_po_14:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  ("JC_43": ("JC_41": (0 <= i_3)))

========== file tests/java/why/FlagStatic_po53.why ==========
goal FlagStatic_flag_safety_po_15:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  ("JC_43": ("JC_42": (i_3 < (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/FlagStatic_po54.why ==========
goal FlagStatic_flag_safety_po_16:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  ("JC_43":
  (("JC_39": (0 <= r_0_0)) and
   (("JC_40": (r_0_0 < (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_41": (0 <= i_3)) and
     ("JC_42": (i_3 < (offset_max(Object_alloc_table, t_1) + 1))))))) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  (0 <= ("JC_160": (r_0 - i_3)))

========== file tests/java/why/FlagStatic_po55.why ==========
goal FlagStatic_flag_safety_po_17:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  ("JC_43":
  (("JC_39": (0 <= r_0_0)) and
   (("JC_40": (r_0_0 < (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_41": (0 <= i_3)) and
     ("JC_42": (i_3 < (offset_max(Object_alloc_table, t_1) + 1))))))) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  (("JC_160": (r_0_0 - i_3)) < ("JC_160": (r_0 - i_3)))

========== file tests/java/why/FlagStatic_po56.why ==========
goal FlagStatic_flag_safety_po_18:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  (0 <= ("JC_160": (r_0 - i_3)))

========== file tests/java/why/FlagStatic_po57.why ==========
goal FlagStatic_flag_safety_po_19:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  (("JC_160": (r_0 - i_3)) < ("JC_160": (r_0 - i_3)))

========== file tests/java/why/FlagStatic_po58.why ==========
goal FlagStatic_isMonochrome_ensures_decides_monochromatic_po_1:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_227": true) ->
  ("JC_225":
  (("JC_223": (i <= k_0)) and
   ("JC_224":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  forall result:int.
  (result = select(intM_intP, shift(t, k_0))) ->
  (result <> c_0) ->
  forall return:bool.
  (return = false) ->
  (return = true) ->
  ("JC_207": is_monochrome(t, i, j, c_0, intM_intP))

========== file tests/java/why/FlagStatic_po59.why ==========
goal FlagStatic_isMonochrome_ensures_decides_monochromatic_po_2:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_227": true) ->
  ("JC_225":
  (("JC_223": (i <= k_0)) and
   ("JC_224":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  forall result:int.
  (result = select(intM_intP, shift(t, k_0))) ->
  (result <> c_0) ->
  forall return:bool.
  (return = false) ->
  is_monochrome(t, i, j, c_0, intM_intP) ->
  ("JC_207": (return = true))

========== file tests/java/why/FlagStatic_po6.why ==========
goal FlagStatic_flag_ensures_default_po_6:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170":
  ("JC_168": is_monochrome(t_1, 0, 0, FlagStatic_WHITE, intM_intP)))

========== file tests/java/why/FlagStatic_po60.why ==========
goal FlagStatic_isMonochrome_ensures_decides_monochromatic_po_3:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_227": true) ->
  ("JC_225":
  (("JC_223": (i <= k_0)) and
   ("JC_224":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 >= j) ->
  forall return:bool.
  (return = true) ->
  (return = true) ->
  ("JC_207": is_monochrome(t, i, j, c_0, intM_intP))

========== file tests/java/why/FlagStatic_po61.why ==========
goal FlagStatic_isMonochrome_ensures_decides_monochromatic_po_4:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_227": true) ->
  ("JC_225":
  (("JC_223": (i <= k_0)) and
   ("JC_224":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 >= j) ->
  forall return:bool.
  (return = true) ->
  is_monochrome(t, i, j, c_0, intM_intP) ->
  ("JC_207": (return = true))

========== file tests/java/why/FlagStatic_po62.why ==========
goal FlagStatic_isMonochrome_ensures_default_po_1:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  ("JC_219": ("JC_217": (i <= i)))

========== file tests/java/why/FlagStatic_po63.why ==========
goal FlagStatic_isMonochrome_ensures_default_po_2:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall l:int.
  ((i <= l) and (l < i)) ->
  ("JC_219": ("JC_218": (select(intM_intP, shift(t, l)) = c_0)))

========== file tests/java/why/FlagStatic_po64.why ==========
goal FlagStatic_isMonochrome_ensures_default_po_3:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_219":
  (("JC_217": (i <= k_0)) and
   ("JC_218":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  forall result:int.
  (result = select(intM_intP, shift(t, k_0))) ->
  (result = c_0) ->
  forall k_0_0:int.
  (k_0_0 = (k_0 + 1)) ->
  ("JC_219": ("JC_217": (i <= k_0_0)))

========== file tests/java/why/FlagStatic_po65.why ==========
goal FlagStatic_isMonochrome_ensures_default_po_4:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_219":
  (("JC_217": (i <= k_0)) and
   ("JC_218":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  forall result:int.
  (result = select(intM_intP, shift(t, k_0))) ->
  (result = c_0) ->
  forall k_0_0:int.
  (k_0_0 = (k_0 + 1)) ->
  forall l:int.
  ((i <= l) and (l < k_0_0)) ->
  ("JC_219": ("JC_218": (select(intM_intP, shift(t, l)) = c_0)))

========== file tests/java/why/FlagStatic_po66.why ==========
goal FlagStatic_isMonochrome_safety_po_1:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_213": true) ->
  ("JC_211":
  (("JC_209": (i <= k_0)) and
   ("JC_210":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  (offset_min(Object_alloc_table, t) <= k_0)

========== file tests/java/why/FlagStatic_po67.why ==========
goal FlagStatic_isMonochrome_safety_po_2:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_213": true) ->
  ("JC_211":
  (("JC_209": (i <= k_0)) and
   ("JC_210":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  (k_0 <= offset_max(Object_alloc_table, t))

========== file tests/java/why/FlagStatic_po68.why ==========
goal FlagStatic_isMonochrome_safety_po_3:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_213": true) ->
  ("JC_211":
  (("JC_209": (i <= k_0)) and
   ("JC_210":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  ((offset_min(Object_alloc_table, t) <= k_0) and
   (k_0 <= offset_max(Object_alloc_table, t))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, k_0))) ->
  (result = c_0) ->
  forall k_0_0:int.
  (k_0_0 = (k_0 + 1)) ->
  (0 <= ("JC_216": (j - k_0)))

========== file tests/java/why/FlagStatic_po69.why ==========
goal FlagStatic_isMonochrome_safety_po_4:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_213": true) ->
  ("JC_211":
  (("JC_209": (i <= k_0)) and
   ("JC_210":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  ((offset_min(Object_alloc_table, t) <= k_0) and
   (k_0 <= offset_max(Object_alloc_table, t))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, k_0))) ->
  (result = c_0) ->
  forall k_0_0:int.
  (k_0_0 = (k_0 + 1)) ->
  (("JC_216": (j - k_0_0)) < ("JC_216": (j - k_0)))

========== file tests/java/why/FlagStatic_po7.why ==========
goal FlagStatic_flag_ensures_default_po_7:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170":
  ("JC_169": is_monochrome(t_1, result, (offset_max(Object_alloc_table,
  t_1) + 1), FlagStatic_RED, intM_intP)))

========== file tests/java/why/FlagStatic_po70.why ==========
goal FlagStatic_swap_ensures_i_j_swapped_po_1:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, i_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, j_0))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t_0, i_0), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_0, j_0), result)) ->
  ("JC_59":
  ("JC_57":
  ("JC_55": (select(intM_intP1, shift(t_0, i_0)) = select(intM_intP,
  shift(t_0, j_0))))))

========== file tests/java/why/FlagStatic_po71.why ==========
goal FlagStatic_swap_ensures_i_j_swapped_po_2:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, i_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, j_0))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t_0, i_0), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_0, j_0), result)) ->
  ("JC_59":
  ("JC_57":
  ("JC_56": (select(intM_intP1, shift(t_0, j_0)) = select(intM_intP,
  shift(t_0, i_0))))))

========== file tests/java/why/FlagStatic_po72.why ==========
goal FlagStatic_swap_ensures_i_j_swapped_po_3:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, i_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, j_0))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t_0, i_0), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_0, j_0), result)) ->
  ("JC_59":
  ("JC_58": not_assigns(Object_alloc_table, intM_intP, intM_intP1,
  pset_union(pset_range(pset_singleton(t_0), j_0, j_0),
  pset_range(pset_singleton(t_0), i_0, i_0)))))

========== file tests/java/why/FlagStatic_po73.why ==========
goal FlagStatic_swap_safety_po_1:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  (offset_min(Object_alloc_table, t_0) <= i_0)

========== file tests/java/why/FlagStatic_po74.why ==========
goal FlagStatic_swap_safety_po_2:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  (i_0 <= offset_max(Object_alloc_table, t_0))

========== file tests/java/why/FlagStatic_po75.why ==========
goal FlagStatic_swap_safety_po_3:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  ((offset_min(Object_alloc_table, t_0) <= i_0) and
   (i_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, i_0))) ->
  (offset_min(Object_alloc_table, t_0) <= j_0)

========== file tests/java/why/FlagStatic_po76.why ==========
goal FlagStatic_swap_safety_po_4:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  ((offset_min(Object_alloc_table, t_0) <= i_0) and
   (i_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, i_0))) ->
  (j_0 <= offset_max(Object_alloc_table, t_0))

========== file tests/java/why/FlagStatic_po8.why ==========
goal FlagStatic_flag_ensures_default_po_8:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170": ("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP1)))

========== file tests/java/why/FlagStatic_po9.why ==========
goal FlagStatic_flag_ensures_default_po_9:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170": ("JC_163": (0 <= b_0_0)))

========== generation of Simplify VC output ==========
why -simplify [...] why/FlagStatic.why
========== file tests/java/simplify/FlagStatic_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom FlagStatic_BLUE_def
 (EQ FlagStatic_BLUE 1))

(BG_PUSH
 ;; Why axiom FlagStatic_RED_def
 (EQ FlagStatic_RED 3))

(BG_PUSH
 ;; Why axiom FlagStatic_WHITE_def
 (EQ FlagStatic_WHITE 2))

(BG_PUSH
 ;; Why axiom FlagStatic_parenttag_Object
 (EQ (parenttag FlagStatic_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (is_color c)
  (OR (EQ c FlagStatic_BLUE)
  (OR (EQ c FlagStatic_WHITE) (EQ c FlagStatic_RED))))

(DEFPRED (is_color_array t_2 Object_alloc_table_at_L intM_intP_at_L)
  (AND (Non_null_intM t_2 Object_alloc_table_at_L)
  (FORALL (i_1)
  (IMPLIES
  (AND (<= 0 i_1) (< i_1 (+ (offset_max Object_alloc_table_at_L t_2) 1)))
  (is_color (select intM_intP_at_L (shift t_2 i_1)))))))

(DEFPRED (is_monochrome t_3 i_2 j_1 c_1 intM_intP_at_L)
  (FORALL (k)
  (IMPLIES (AND (<= i_2 k) (< k j_1))
  (EQ (select intM_intP_at_L (shift t_3 k)) c_1))))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_FlagStatic p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_FlagStatic p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_FlagStatic p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_FlagStatic p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; FlagStatic_flag_ensures_default_po_1, File "HOME/tests/java/FlagStatic.java", line 93, characters 7-13
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(<= 0 0)))))))

;; FlagStatic_flag_ensures_default_po_2, File "HOME/tests/java/FlagStatic.java", line 93, characters 12-18
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(<= 0 0)))))))

;; FlagStatic_flag_ensures_default_po_3, File "HOME/tests/java/FlagStatic.java", line 93, characters 17-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(<= 0 result)))))))

;; FlagStatic_flag_ensures_default_po_4, File "HOME/tests/java/FlagStatic.java", line 93, characters 22-35
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(<= result (+ (offset_max Object_alloc_table t_1) 1))))))))

;; FlagStatic_flag_ensures_default_po_5, File "HOME/tests/java/FlagStatic.java", line 94, characters 7-32
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(is_monochrome t_1 0 0 FlagStatic_BLUE intM_intP)))))))

;; FlagStatic_flag_ensures_default_po_6, File "HOME/tests/java/FlagStatic.java", line 95, characters 7-33
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(is_monochrome t_1 0 0 FlagStatic_WHITE intM_intP)))))))

;; FlagStatic_flag_ensures_default_po_7, File "HOME/tests/java/FlagStatic.java", line 96, characters 14-45
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(is_monochrome
t_1 result (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP)))))))

;; FlagStatic_flag_ensures_default_po_8, File "HOME/tests/java/FlagStatic.java", line 92, characters 7-24
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 b_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 b_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) b_0 b_0))))
(is_color_array t_1 Object_alloc_table intM_intP1))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_9, File "HOME/tests/java/FlagStatic.java", line 93, characters 7-13
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 b_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 b_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) b_0 b_0))))
(<= 0 b_0_0))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_10, File "HOME/tests/java/FlagStatic.java", line 93, characters 12-18
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 b_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 b_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) b_0 b_0))))
(<= b_0_0 i_3_0))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_11, File "HOME/tests/java/FlagStatic.java", line 93, characters 17-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 b_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 b_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) b_0 b_0))))
(<= i_3_0 r_0))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_12, File "HOME/tests/java/FlagStatic.java", line 93, characters 22-35
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 b_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 b_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) b_0 b_0))))
(<= r_0 (+ (offset_max Object_alloc_table t_1) 1)))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_13, File "HOME/tests/java/FlagStatic.java", line 94, characters 7-32
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 b_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 b_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) b_0 b_0))))
(is_monochrome t_1 0 b_0_0 FlagStatic_BLUE intM_intP1))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_14, File "HOME/tests/java/FlagStatic.java", line 95, characters 7-33
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 b_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 b_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) b_0 b_0))))
(is_monochrome t_1 b_0_0 i_3_0 FlagStatic_WHITE intM_intP1))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_15, File "HOME/tests/java/FlagStatic.java", line 96, characters 14-45
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 b_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 b_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) b_0 b_0))))
(is_monochrome
t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP1))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_16, File "HOME/tests/java/FlagStatic.java", line 93, characters 7-13
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))
(FORALL (i_3_0) (IMPLIES (EQ i_3_0 (+ i_3 1)) (<= 0 b_0)))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_17, File "HOME/tests/java/FlagStatic.java", line 93, characters 12-18
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))
(FORALL (i_3_0) (IMPLIES (EQ i_3_0 (+ i_3 1)) (<= b_0 i_3_0)))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_18, File "HOME/tests/java/FlagStatic.java", line 93, characters 17-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))
(FORALL (i_3_0) (IMPLIES (EQ i_3_0 (+ i_3 1)) (<= i_3_0 r_0)))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_19, File "HOME/tests/java/FlagStatic.java", line 93, characters 22-35
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(<= r_0 (+ (offset_max Object_alloc_table t_1) 1))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_20, File "HOME/tests/java/FlagStatic.java", line 94, characters 7-32
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_21, File "HOME/tests/java/FlagStatic.java", line 95, characters 7-33
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(is_monochrome t_1 b_0 i_3_0 FlagStatic_WHITE intM_intP0)))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_22, File "HOME/tests/java/FlagStatic.java", line 96, characters 14-45
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(is_monochrome
t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0)))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_23, File "HOME/tests/java/FlagStatic.java", line 92, characters 7-24
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 (- r_0 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 r_0_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 r_0_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) r_0_0 r_0_0))))
(is_color_array t_1 Object_alloc_table intM_intP1))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_24, File "HOME/tests/java/FlagStatic.java", line 93, characters 7-13
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 (- r_0 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 r_0_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 r_0_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) r_0_0 r_0_0))))
(<= 0 b_0))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_25, File "HOME/tests/java/FlagStatic.java", line 93, characters 12-18
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 (- r_0 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 r_0_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 r_0_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) r_0_0 r_0_0))))
(<= b_0 i_3))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_26, File "HOME/tests/java/FlagStatic.java", line 93, characters 17-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 (- r_0 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 r_0_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 r_0_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) r_0_0 r_0_0))))
(<= i_3 r_0_0))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_27, File "HOME/tests/java/FlagStatic.java", line 93, characters 22-35
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 (- r_0 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 r_0_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 r_0_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) r_0_0 r_0_0))))
(<= r_0_0 (+ (offset_max Object_alloc_table t_1) 1)))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_28, File "HOME/tests/java/FlagStatic.java", line 94, characters 7-32
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 (- r_0 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 r_0_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 r_0_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) r_0_0 r_0_0))))
(is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP1))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_29, File "HOME/tests/java/FlagStatic.java", line 95, characters 7-33
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 (- r_0 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 r_0_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 r_0_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) r_0_0 r_0_0))))
(is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP1))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_30, File "HOME/tests/java/FlagStatic.java", line 96, characters 14-45
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 (- r_0 1))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 r_0_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 r_0_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) r_0_0 r_0_0))))
(is_monochrome
t_1 r_0_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP1))))))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_31, File "HOME/tests/java/FlagStatic.java", line 93, characters 7-13
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (AND (NEQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE)))
(<= 0 b_0))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_32, File "HOME/tests/java/FlagStatic.java", line 93, characters 12-18
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (AND (NEQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE)))
(<= b_0 i_3))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_33, File "HOME/tests/java/FlagStatic.java", line 93, characters 17-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (AND (NEQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE)))
(<= i_3 r_0))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_34, File "HOME/tests/java/FlagStatic.java", line 93, characters 22-35
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (AND (NEQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE)))
(<= r_0 (+ (offset_max Object_alloc_table t_1) 1)))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_35, File "HOME/tests/java/FlagStatic.java", line 94, characters 7-32
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (AND (NEQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE)))
(is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_36, File "HOME/tests/java/FlagStatic.java", line 95, characters 7-33
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (AND (NEQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE)))
(is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0))))))))))))))))))

;; FlagStatic_flag_ensures_default_po_37, File "HOME/tests/java/FlagStatic.java", line 96, characters 14-45
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (AND (NEQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE)))
(is_monochrome
t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))))))))))))

;; FlagStatic_flag_ensures_sorts_po_1, File "HOME/tests/java/FlagStatic.java", line 82, characters 13-169
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (>= i_3 r_0)
(EXISTS (b)
(EXISTS (r)
(AND (is_monochrome t_1 0 b FlagStatic_BLUE intM_intP0)
(AND (is_monochrome t_1 b r FlagStatic_WHITE intM_intP0)
(is_monochrome
t_1 r (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))))))))))))

;; FlagStatic_flag_safety_po_1, File "why/FlagStatic.why", line 855, characters 11-67
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(>= (offset_max Object_alloc_table t_1) (- 0 1))))))

;; FlagStatic_flag_safety_po_2, File "HOME/tests/java/FlagStatic.java", line 100, characters 13-17
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0) (<= (offset_min Object_alloc_table t_1) i_3)))))))))))))))

;; FlagStatic_flag_safety_po_3, File "HOME/tests/java/FlagStatic.java", line 100, characters 13-17
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0) (<= i_3 (offset_max Object_alloc_table t_1))))))))))))))))

;; FlagStatic_flag_safety_po_4, File "HOME/tests/java/FlagStatic.jc", line 184, characters 28-130
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0) (IMPLIES (EQ i_3_0 (+ i_3 1)) (<= 0 b_0)))))))))))))))))))))))

;; FlagStatic_flag_safety_po_5, File "HOME/tests/java/FlagStatic.jc", line 184, characters 28-130
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(< b_0 (+ (offset_max Object_alloc_table t_1) 1))))))))))))))))))))))))

;; FlagStatic_flag_safety_po_6, File "HOME/tests/java/FlagStatic.jc", line 184, characters 28-130
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0) (IMPLIES (EQ i_3_0 (+ i_3 1)) (<= 0 i_3)))))))))))))))))))))))

;; FlagStatic_flag_safety_po_7, File "HOME/tests/java/FlagStatic.jc", line 184, characters 28-130
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(< i_3 (+ (offset_max Object_alloc_table t_1) 1))))))))))))))))))))))))

;; FlagStatic_flag_safety_po_8, File "HOME/tests/java/FlagStatic.java", line 97, characters 18-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(IMPLIES (AND (<= 0 b_0)
         (AND (< b_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 i_3) (< i_3 (+ (offset_max Object_alloc_table t_1) 1)))))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 b_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 b_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) b_0 b_0))))
(<= 0 (- r_0 i_3)))))))))))))))))))))))))))

;; FlagStatic_flag_safety_po_9, File "HOME/tests/java/FlagStatic.java", line 97, characters 18-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (EQ result0 FlagStatic_BLUE)
(FORALL (b_0_0)
(IMPLIES (EQ b_0_0 (+ b_0 1))
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(IMPLIES (AND (<= 0 b_0)
         (AND (< b_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 i_3) (< i_3 (+ (offset_max Object_alloc_table t_1) 1)))))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 b_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 b_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) b_0 b_0))))
(< (- r_0 i_3_0) (- r_0 i_3)))))))))))))))))))))))))))

;; FlagStatic_flag_safety_po_10, File "HOME/tests/java/FlagStatic.java", line 97, characters 18-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))
(FORALL (i_3_0) (IMPLIES (EQ i_3_0 (+ i_3 1)) (<= 0 (- r_0 i_3)))))))))))))))))))))))

;; FlagStatic_flag_safety_po_11, File "HOME/tests/java/FlagStatic.java", line 97, characters 18-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))
(FORALL (i_3_0) (IMPLIES (EQ i_3_0 (+ i_3 1)) (< (- r_0 i_3_0) (- r_0 i_3)))))))))))))))))))))))

;; FlagStatic_flag_safety_po_12, File "HOME/tests/java/FlagStatic.jc", line 195, characters 28-72
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0) (IMPLIES (EQ r_0_0 (- r_0 1)) (<= 0 r_0_0)))))))))))))))))))))))

;; FlagStatic_flag_safety_po_13, File "HOME/tests/java/FlagStatic.jc", line 195, characters 28-72
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 (- r_0 1))
(< r_0_0 (+ (offset_max Object_alloc_table t_1) 1))))))))))))))))))))))))

;; FlagStatic_flag_safety_po_14, File "HOME/tests/java/FlagStatic.jc", line 195, characters 28-72
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0) (IMPLIES (EQ r_0_0 (- r_0 1)) (<= 0 i_3)))))))))))))))))))))))

;; FlagStatic_flag_safety_po_15, File "HOME/tests/java/FlagStatic.jc", line 195, characters 28-72
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 (- r_0 1))
(< i_3 (+ (offset_max Object_alloc_table t_1) 1))))))))))))))))))))))))

;; FlagStatic_flag_safety_po_16, File "HOME/tests/java/FlagStatic.java", line 97, characters 18-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 (- r_0 1))
(IMPLIES (AND (<= 0 r_0_0)
         (AND (< r_0_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 i_3) (< i_3 (+ (offset_max Object_alloc_table t_1) 1)))))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 r_0_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 r_0_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) r_0_0 r_0_0))))
(<= 0 (- r_0 i_3)))))))))))))))))))))))))))

;; FlagStatic_flag_safety_po_17, File "HOME/tests/java/FlagStatic.java", line 97, characters 18-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (OR (EQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_RED)
         (OR (EQ result0 FlagStatic_WHITE)
         (AND (NEQ result0 FlagStatic_WHITE) (EQ result0 FlagStatic_BLUE)))))
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 (- r_0 1))
(IMPLIES (AND (<= 0 r_0_0)
         (AND (< r_0_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 i_3) (< i_3 (+ (offset_max Object_alloc_table t_1) 1)))))
(FORALL (intM_intP1)
(IMPLIES (AND
         (AND
         (EQ (select intM_intP1 (shift t_1 r_0_0))
         (select intM_intP0 (shift t_1 i_3)))
         (EQ (select intM_intP1 (shift t_1 i_3))
         (select intM_intP0 (shift t_1 r_0_0))))
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_1) i_3 i_3) 
                                                  (pset_range
                                                  (pset_singleton t_1) r_0_0 r_0_0))))
(< (- r_0_0 i_3) (- r_0 i_3)))))))))))))))))))))))))))

;; FlagStatic_flag_safety_po_18, File "HOME/tests/java/FlagStatic.java", line 97, characters 18-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (AND (NEQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE)))
(<= 0 (- r_0 i_3))))))))))))))))))))))

;; FlagStatic_flag_safety_po_19, File "HOME/tests/java/FlagStatic.java", line 97, characters 18-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (is_color_array t_1 Object_alloc_table intM_intP))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_1) 1))))
(FORALL (b_0)
(FORALL (i_3)
(FORALL (intM_intP0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (is_color_array t_1 Object_alloc_table intM_intP0)
         (AND (<= 0 b_0)
         (AND (<= b_0 i_3)
         (AND (<= i_3 r_0)
         (AND (<= r_0 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (is_monochrome t_1 0 b_0 FlagStatic_BLUE intM_intP0)
         (AND (is_monochrome t_1 b_0 i_3 FlagStatic_WHITE intM_intP0)
         (is_monochrome
         t_1 r_0 (+ (offset_max Object_alloc_table t_1) 1) FlagStatic_RED intM_intP0))))))))
(IMPLIES (< i_3 r_0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_1 i_3)))
(IMPLIES (NEQ result0 FlagStatic_BLUE)
(IMPLIES (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE))
(IMPLIES (AND (NEQ result0 FlagStatic_RED)
         (AND (NEQ result0 FlagStatic_WHITE) (NEQ result0 FlagStatic_BLUE)))
(< (- r_0 i_3) (- r_0 i_3))))))))))))))))))))))

;; FlagStatic_isMonochrome_ensures_decides_monochromatic_po_1, File "HOME/tests/java/FlagStatic.java", line 56, characters 18-53
(FORALL (t)
(FORALL (i)
(FORALL (j)
(FORALL (c_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i)
         (AND (<= i j) (<= j (+ (offset_max Object_alloc_table t) 1))))))
(FORALL (k_0)
(IMPLIES TRUE
(IMPLIES (AND (<= i k_0)
         (FORALL (l)
         (IMPLIES (AND (<= i l) (< l k_0))
         (EQ (select intM_intP (shift t l)) c_0))))
(IMPLIES (< k_0 j)
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t k_0)))
(IMPLIES (NEQ result c_0)
(FORALL (return)
(IMPLIES (EQ return |@false|)
(IMPLIES (EQ return |@true|) (is_monochrome t i j c_0 intM_intP))))))))))))))))))

;; FlagStatic_isMonochrome_ensures_decides_monochromatic_po_2, File "HOME/tests/java/FlagStatic.java", line 56, characters 18-53
(FORALL (t)
(FORALL (i)
(FORALL (j)
(FORALL (c_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i)
         (AND (<= i j) (<= j (+ (offset_max Object_alloc_table t) 1))))))
(FORALL (k_0)
(IMPLIES TRUE
(IMPLIES (AND (<= i k_0)
         (FORALL (l)
         (IMPLIES (AND (<= i l) (< l k_0))
         (EQ (select intM_intP (shift t l)) c_0))))
(IMPLIES (< k_0 j)
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t k_0)))
(IMPLIES (NEQ result c_0)
(FORALL (return)
(IMPLIES (EQ return |@false|)
(IMPLIES (is_monochrome t i j c_0 intM_intP) (EQ return |@true|))))))))))))))))))

;; FlagStatic_isMonochrome_ensures_decides_monochromatic_po_3, File "HOME/tests/java/FlagStatic.java", line 56, characters 18-53
(FORALL (t)
(FORALL (i)
(FORALL (j)
(FORALL (c_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i)
         (AND (<= i j) (<= j (+ (offset_max Object_alloc_table t) 1))))))
(FORALL (k_0)
(IMPLIES TRUE
(IMPLIES (AND (<= i k_0)
         (FORALL (l)
         (IMPLIES (AND (<= i l) (< l k_0))
         (EQ (select intM_intP (shift t l)) c_0))))
(IMPLIES (>= k_0 j)
(FORALL (return)
(IMPLIES (EQ return |@true|)
(IMPLIES (EQ return |@true|) (is_monochrome t i j c_0 intM_intP)))))))))))))))

;; FlagStatic_isMonochrome_ensures_decides_monochromatic_po_4, File "HOME/tests/java/FlagStatic.java", line 56, characters 18-53
(FORALL (t)
(FORALL (i)
(FORALL (j)
(FORALL (c_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i)
         (AND (<= i j) (<= j (+ (offset_max Object_alloc_table t) 1))))))
(FORALL (k_0)
(IMPLIES TRUE
(IMPLIES (AND (<= i k_0)
         (FORALL (l)
         (IMPLIES (AND (<= i l) (< l k_0))
         (EQ (select intM_intP (shift t l)) c_0))))
(IMPLIES (>= k_0 j)
(FORALL (return)
(IMPLIES (EQ return |@true|)
(IMPLIES (is_monochrome t i j c_0 intM_intP) (EQ return |@true|)))))))))))))))

;; FlagStatic_isMonochrome_ensures_default_po_1, File "HOME/tests/java/FlagStatic.java", line 59, characters 24-30
(FORALL (t)
(FORALL (i)
(FORALL (j)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i)
         (AND (<= i j) (<= j (+ (offset_max Object_alloc_table t) 1))))))
(<= i i))))))

;; FlagStatic_isMonochrome_ensures_default_po_2, File "HOME/tests/java/FlagStatic.java", line 60, characters 8-49
(FORALL (t)
(FORALL (i)
(FORALL (j)
(FORALL (c_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i)
         (AND (<= i j) (<= j (+ (offset_max Object_alloc_table t) 1))))))
(FORALL (l)
(IMPLIES (AND (<= i l) (< l i)) (EQ (select intM_intP (shift t l)) c_0))))))))))

;; FlagStatic_isMonochrome_ensures_default_po_3, File "HOME/tests/java/FlagStatic.java", line 59, characters 24-30
(FORALL (t)
(FORALL (i)
(FORALL (j)
(FORALL (c_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i)
         (AND (<= i j) (<= j (+ (offset_max Object_alloc_table t) 1))))))
(FORALL (k_0)
(IMPLIES (AND (<= i k_0)
         (FORALL (l)
         (IMPLIES (AND (<= i l) (< l k_0))
         (EQ (select intM_intP (shift t l)) c_0))))
(IMPLIES (< k_0 j)
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t k_0)))
(IMPLIES (EQ result c_0)
(FORALL (k_0_0) (IMPLIES (EQ k_0_0 (+ k_0 1)) (<= i k_0_0))))))))))))))))

;; FlagStatic_isMonochrome_ensures_default_po_4, File "HOME/tests/java/FlagStatic.java", line 60, characters 8-49
(FORALL (t)
(FORALL (i)
(FORALL (j)
(FORALL (c_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i)
         (AND (<= i j) (<= j (+ (offset_max Object_alloc_table t) 1))))))
(FORALL (k_0)
(IMPLIES (AND (<= i k_0)
         (FORALL (l)
         (IMPLIES (AND (<= i l) (< l k_0))
         (EQ (select intM_intP (shift t l)) c_0))))
(IMPLIES (< k_0 j)
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t k_0)))
(IMPLIES (EQ result c_0)
(FORALL (k_0_0)
(IMPLIES (EQ k_0_0 (+ k_0 1))
(FORALL (l)
(IMPLIES (AND (<= i l) (< l k_0_0)) (EQ (select intM_intP (shift t l)) c_0))))))))))))))))))

;; FlagStatic_isMonochrome_safety_po_1, File "HOME/tests/java/FlagStatic.java", line 63, characters 33-37
(FORALL (t)
(FORALL (i)
(FORALL (j)
(FORALL (c_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i)
         (AND (<= i j) (<= j (+ (offset_max Object_alloc_table t) 1))))))
(FORALL (k_0)
(IMPLIES TRUE
(IMPLIES (AND (<= i k_0)
         (FORALL (l)
         (IMPLIES (AND (<= i l) (< l k_0))
         (EQ (select intM_intP (shift t l)) c_0))))
(IMPLIES (< k_0 j) (<= (offset_min Object_alloc_table t) k_0))))))))))))

;; FlagStatic_isMonochrome_safety_po_2, File "HOME/tests/java/FlagStatic.java", line 63, characters 33-37
(FORALL (t)
(FORALL (i)
(FORALL (j)
(FORALL (c_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i)
         (AND (<= i j) (<= j (+ (offset_max Object_alloc_table t) 1))))))
(FORALL (k_0)
(IMPLIES TRUE
(IMPLIES (AND (<= i k_0)
         (FORALL (l)
         (IMPLIES (AND (<= i l) (< l k_0))
         (EQ (select intM_intP (shift t l)) c_0))))
(IMPLIES (< k_0 j) (<= k_0 (offset_max Object_alloc_table t)))))))))))))

;; FlagStatic_isMonochrome_safety_po_3, File "HOME/tests/java/FlagStatic.java", line 61, characters 22-27
(FORALL (t)
(FORALL (i)
(FORALL (j)
(FORALL (c_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i)
         (AND (<= i j) (<= j (+ (offset_max Object_alloc_table t) 1))))))
(FORALL (k_0)
(IMPLIES TRUE
(IMPLIES (AND (<= i k_0)
         (FORALL (l)
         (IMPLIES (AND (<= i l) (< l k_0))
         (EQ (select intM_intP (shift t l)) c_0))))
(IMPLIES (< k_0 j)
(IMPLIES (AND (<= (offset_min Object_alloc_table t) k_0)
         (<= k_0 (offset_max Object_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t k_0)))
(IMPLIES (EQ result c_0)
(FORALL (k_0_0) (IMPLIES (EQ k_0_0 (+ k_0 1)) (<= 0 (- j k_0)))))))))))))))))))

;; FlagStatic_isMonochrome_safety_po_4, File "HOME/tests/java/FlagStatic.java", line 61, characters 22-27
(FORALL (t)
(FORALL (i)
(FORALL (j)
(FORALL (c_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i)
         (AND (<= i j) (<= j (+ (offset_max Object_alloc_table t) 1))))))
(FORALL (k_0)
(IMPLIES TRUE
(IMPLIES (AND (<= i k_0)
         (FORALL (l)
         (IMPLIES (AND (<= i l) (< l k_0))
         (EQ (select intM_intP (shift t l)) c_0))))
(IMPLIES (< k_0 j)
(IMPLIES (AND (<= (offset_min Object_alloc_table t) k_0)
         (<= k_0 (offset_max Object_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t k_0)))
(IMPLIES (EQ result c_0)
(FORALL (k_0_0) (IMPLIES (EQ k_0_0 (+ k_0 1)) (< (- j k_0_0) (- j k_0)))))))))))))))))))

;; FlagStatic_swap_ensures_i_j_swapped_po_1, File "HOME/tests/java/FlagStatic.java", line 70, characters 18-36
(FORALL (t_0)
(FORALL (i_0)
(FORALL (j_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (<= 0 i_0)
         (AND (< i_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 j_0) (< j_0 (+ (offset_max Object_alloc_table t_0) 1))))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 i_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 j_0)))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t_0 i_0) result0))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t_0 j_0) result))
(EQ (select intM_intP1 (shift t_0 i_0)) (select intM_intP (shift t_0 j_0)))))))))))))))))

;; FlagStatic_swap_ensures_i_j_swapped_po_2, File "HOME/tests/java/FlagStatic.java", line 70, characters 40-58
(FORALL (t_0)
(FORALL (i_0)
(FORALL (j_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (<= 0 i_0)
         (AND (< i_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 j_0) (< j_0 (+ (offset_max Object_alloc_table t_0) 1))))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 i_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 j_0)))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t_0 i_0) result0))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t_0 j_0) result))
(EQ (select intM_intP1 (shift t_0 j_0)) (select intM_intP (shift t_0 i_0)))))))))))))))))

;; FlagStatic_swap_ensures_i_j_swapped_po_3, File "HOME/tests/java/FlagStatic.java", line 72, characters 24-28
(FORALL (t_0)
(FORALL (i_0)
(FORALL (j_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (<= 0 i_0)
         (AND (< i_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 j_0) (< j_0 (+ (offset_max Object_alloc_table t_0) 1))))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 i_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 j_0)))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t_0 i_0) result0))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t_0 j_0) result))
(not_assigns
Object_alloc_table intM_intP intM_intP1 (pset_union
                                        (pset_range
                                        (pset_singleton t_0) j_0 j_0) 
                                        (pset_range
                                        (pset_singleton t_0) i_0 i_0)))))))))))))))))

;; FlagStatic_swap_safety_po_1, File "HOME/tests/java/FlagStatic.java", line 73, characters 9-13
(FORALL (t_0)
(FORALL (i_0)
(FORALL (j_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (<= 0 i_0)
         (AND (< i_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 j_0) (< j_0 (+ (offset_max Object_alloc_table t_0) 1))))))
(<= (offset_min Object_alloc_table t_0) i_0))))))

;; FlagStatic_swap_safety_po_2, File "HOME/tests/java/FlagStatic.java", line 73, characters 9-13
(FORALL (t_0)
(FORALL (i_0)
(FORALL (j_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (<= 0 i_0)
         (AND (< i_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 j_0) (< j_0 (+ (offset_max Object_alloc_table t_0) 1))))))
(<= i_0 (offset_max Object_alloc_table t_0)))))))

;; FlagStatic_swap_safety_po_3, File "HOME/tests/java/FlagStatic.java", line 74, characters 8-12
(FORALL (t_0)
(FORALL (i_0)
(FORALL (j_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (<= 0 i_0)
         (AND (< i_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 j_0) (< j_0 (+ (offset_max Object_alloc_table t_0) 1))))))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_0)
         (<= i_0 (offset_max Object_alloc_table t_0)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 i_0)))
(<= (offset_min Object_alloc_table t_0) j_0))))))))))

;; FlagStatic_swap_safety_po_4, File "HOME/tests/java/FlagStatic.java", line 74, characters 8-12
(FORALL (t_0)
(FORALL (i_0)
(FORALL (j_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (<= 0 i_0)
         (AND (< i_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 j_0) (< j_0 (+ (offset_max Object_alloc_table t_0) 1))))))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_0)
         (<= i_0 (offset_max Object_alloc_table t_0)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 i_0)))
(<= j_0 (offset_max Object_alloc_table t_0)))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/FlagStatic_why.sx    : ............................................................................ (76/0/0/0/0)
total   :  76
valid   :  76 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/FlagStatic.why
========== file tests/java/why/FlagStatic_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

function FlagStatic_BLUE() : int = 1

function FlagStatic_RED() : int = 3

function FlagStatic_WHITE() : int = 2

logic FlagStatic_tag : Object tag_id

axiom FlagStatic_parenttag_Object: parenttag(FlagStatic_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate is_color(c: int) =
  ((c = FlagStatic_BLUE) or ((c = FlagStatic_WHITE) or (c = FlagStatic_RED)))

predicate is_color_array(t_2: Object pointer,
  Object_alloc_table_at_L: Object alloc_table, intM_intP_at_L: (Object,
  int) memory) =
  (Non_null_intM(t_2, Object_alloc_table_at_L) and
   (forall i_1:int.
     (((0 <= i_1) and (i_1 < (offset_max(Object_alloc_table_at_L, t_2) + 1))) ->
      is_color(select(intM_intP_at_L, shift(t_2, i_1))))))

predicate is_monochrome(t_3: Object pointer, i_2: int, j_1: int, c_1: int,
  intM_intP_at_L: (Object, int) memory) =
  (forall k:int.
    (((i_2 <= k) and (k < j_1)) -> (select(intM_intP_at_L, shift(t_3,
     k)) = c_1)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_FlagStatic(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_FlagStatic(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_FlagStatic(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_FlagStatic(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal FlagStatic_flag_ensures_default_po_1:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170": ("JC_163": (0 <= 0)))

goal FlagStatic_flag_ensures_default_po_2:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170": ("JC_164": (0 <= 0)))

goal FlagStatic_flag_ensures_default_po_3:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170": ("JC_165": (0 <= result)))

goal FlagStatic_flag_ensures_default_po_4:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170":
  ("JC_166": (result <= (offset_max(Object_alloc_table, t_1) + 1))))

goal FlagStatic_flag_ensures_default_po_5:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170":
  ("JC_167": is_monochrome(t_1, 0, 0, FlagStatic_BLUE, intM_intP)))

goal FlagStatic_flag_ensures_default_po_6:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170":
  ("JC_168": is_monochrome(t_1, 0, 0, FlagStatic_WHITE, intM_intP)))

goal FlagStatic_flag_ensures_default_po_7:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  ("JC_170":
  ("JC_169": is_monochrome(t_1, result, (offset_max(Object_alloc_table,
  t_1) + 1), FlagStatic_RED, intM_intP)))

goal FlagStatic_flag_ensures_default_po_8:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170": ("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP1)))

goal FlagStatic_flag_ensures_default_po_9:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170": ("JC_163": (0 <= b_0_0)))

goal FlagStatic_flag_ensures_default_po_10:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170": ("JC_164": (b_0_0 <= i_3_0)))

goal FlagStatic_flag_ensures_default_po_11:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170": ("JC_165": (i_3_0 <= r_0)))

goal FlagStatic_flag_ensures_default_po_12:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170": ("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))))

goal FlagStatic_flag_ensures_default_po_13:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170":
  ("JC_167": is_monochrome(t_1, 0, b_0_0, FlagStatic_BLUE, intM_intP1)))

goal FlagStatic_flag_ensures_default_po_14:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170":
  ("JC_168": is_monochrome(t_1, b_0_0, i_3_0, FlagStatic_WHITE, intM_intP1)))

goal FlagStatic_flag_ensures_default_po_15:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  ("JC_170":
  ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
  t_1) + 1), FlagStatic_RED, intM_intP1)))

goal FlagStatic_flag_ensures_default_po_16:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170": ("JC_163": (0 <= b_0)))

goal FlagStatic_flag_ensures_default_po_17:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170": ("JC_164": (b_0 <= i_3_0)))

goal FlagStatic_flag_ensures_default_po_18:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170": ("JC_165": (i_3_0 <= r_0)))

goal FlagStatic_flag_ensures_default_po_19:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170": ("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))))

goal FlagStatic_flag_ensures_default_po_20:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170":
  ("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)))

goal FlagStatic_flag_ensures_default_po_21:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170":
  ("JC_168": is_monochrome(t_1, b_0, i_3_0, FlagStatic_WHITE, intM_intP0)))

goal FlagStatic_flag_ensures_default_po_22:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_170":
  ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
  t_1) + 1), FlagStatic_RED, intM_intP0)))

goal FlagStatic_flag_ensures_default_po_23:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170": ("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP1)))

goal FlagStatic_flag_ensures_default_po_24:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170": ("JC_163": (0 <= b_0)))

goal FlagStatic_flag_ensures_default_po_25:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170": ("JC_164": (b_0 <= i_3)))

goal FlagStatic_flag_ensures_default_po_26:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170": ("JC_165": (i_3 <= r_0_0)))

goal FlagStatic_flag_ensures_default_po_27:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170":
  ("JC_166": (r_0_0 <= (offset_max(Object_alloc_table, t_1) + 1))))

goal FlagStatic_flag_ensures_default_po_28:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170":
  ("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP1)))

goal FlagStatic_flag_ensures_default_po_29:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170":
  ("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE, intM_intP1)))

goal FlagStatic_flag_ensures_default_po_30:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  ("JC_170":
  ("JC_169": is_monochrome(t_1, r_0_0, (offset_max(Object_alloc_table,
  t_1) + 1), FlagStatic_RED, intM_intP1)))

goal FlagStatic_flag_ensures_default_po_31:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170": ("JC_163": (0 <= b_0)))

goal FlagStatic_flag_ensures_default_po_32:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170": ("JC_164": (b_0 <= i_3)))

goal FlagStatic_flag_ensures_default_po_33:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170": ("JC_165": (i_3 <= r_0)))

goal FlagStatic_flag_ensures_default_po_34:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170": ("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))))

goal FlagStatic_flag_ensures_default_po_35:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170":
  ("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)))

goal FlagStatic_flag_ensures_default_po_36:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170":
  ("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE, intM_intP0)))

goal FlagStatic_flag_ensures_default_po_37:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_170":
  (("JC_162": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_163": (0 <= b_0)) and
    (("JC_164": (b_0 <= i_3)) and
     (("JC_165": (i_3 <= r_0)) and
      (("JC_166": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_167": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_168": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  ("JC_170":
  ("JC_169": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
  t_1) + 1), FlagStatic_RED, intM_intP0)))

goal FlagStatic_flag_ensures_sorts_po_1:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_187": true) ->
  ("JC_185":
  (("JC_177": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_178": (0 <= b_0)) and
    (("JC_179": (b_0 <= i_3)) and
     (("JC_180": (i_3 <= r_0)) and
      (("JC_181": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_182": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_183": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_184": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 >= r_0) ->
  ("JC_141":
  (exists b:int.
    (exists r:int.
      (is_monochrome(t_1, 0, b, FlagStatic_BLUE, intM_intP0) and
       (is_monochrome(t_1, b, r, FlagStatic_WHITE, intM_intP0) and
        is_monochrome(t_1, r, (offset_max(Object_alloc_table, t_1) + 1),
        FlagStatic_RED, intM_intP0))))))

goal FlagStatic_flag_safety_po_1:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1))

goal FlagStatic_flag_safety_po_2:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  (offset_min(Object_alloc_table, t_1) <= i_3)

goal FlagStatic_flag_safety_po_3:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  (i_3 <= offset_max(Object_alloc_table, t_1))

goal FlagStatic_flag_safety_po_4:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_43": ("JC_39": (0 <= b_0)))

goal FlagStatic_flag_safety_po_5:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_43": ("JC_40": (b_0 < (offset_max(Object_alloc_table, t_1) + 1))))

goal FlagStatic_flag_safety_po_6:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_43": ("JC_41": (0 <= i_3)))

goal FlagStatic_flag_safety_po_7:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_43": ("JC_42": (i_3 < (offset_max(Object_alloc_table, t_1) + 1))))

goal FlagStatic_flag_safety_po_8:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_43":
  (("JC_39": (0 <= b_0)) and
   (("JC_40": (b_0 < (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_41": (0 <= i_3)) and
     ("JC_42": (i_3 < (offset_max(Object_alloc_table, t_1) + 1))))))) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  (0 <= ("JC_160": (r_0 - i_3)))

goal FlagStatic_flag_safety_po_9:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 = FlagStatic_BLUE) ->
  forall b_0_0:int.
  (b_0_0 = (b_0 + 1)) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_43":
  (("JC_39": (0 <= b_0)) and
   (("JC_40": (b_0 < (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_41": (0 <= i_3)) and
     ("JC_42": (i_3 < (offset_max(Object_alloc_table, t_1) + 1))))))) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, b_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, b_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), b_0, b_0)))))) ->
  (("JC_160": (r_0 - i_3_0)) < ("JC_160": (r_0 - i_3)))

goal FlagStatic_flag_safety_po_10:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  (0 <= ("JC_160": (r_0 - i_3)))

goal FlagStatic_flag_safety_po_11:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 = FlagStatic_WHITE) or
   ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  (("JC_160": (r_0 - i_3_0)) < ("JC_160": (r_0 - i_3)))

goal FlagStatic_flag_safety_po_12:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  ("JC_43": ("JC_39": (0 <= r_0_0)))

goal FlagStatic_flag_safety_po_13:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  ("JC_43": ("JC_40": (r_0_0 < (offset_max(Object_alloc_table, t_1) + 1))))

goal FlagStatic_flag_safety_po_14:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  ("JC_43": ("JC_41": (0 <= i_3)))

goal FlagStatic_flag_safety_po_15:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  ("JC_43": ("JC_42": (i_3 < (offset_max(Object_alloc_table, t_1) + 1))))

goal FlagStatic_flag_safety_po_16:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  ("JC_43":
  (("JC_39": (0 <= r_0_0)) and
   (("JC_40": (r_0_0 < (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_41": (0 <= i_3)) and
     ("JC_42": (i_3 < (offset_max(Object_alloc_table, t_1) + 1))))))) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  (0 <= ("JC_160": (r_0 - i_3)))

goal FlagStatic_flag_safety_po_17:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 = FlagStatic_RED) or
   ((result0 <> FlagStatic_RED) and
    ((result0 = FlagStatic_WHITE) or
     ((result0 <> FlagStatic_WHITE) and (result0 = FlagStatic_BLUE))))) ->
  forall r_0_0:int.
  (r_0_0 = (r_0 - 1)) ->
  ("JC_43":
  (("JC_39": (0 <= r_0_0)) and
   (("JC_40": (r_0_0 < (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_41": (0 <= i_3)) and
     ("JC_42": (i_3 < (offset_max(Object_alloc_table, t_1) + 1))))))) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_64":
  (("JC_62":
   (("JC_60": (select(intM_intP1, shift(t_1, r_0_0)) = select(intM_intP0,
    shift(t_1, i_3)))) and
    ("JC_61": (select(intM_intP1, shift(t_1, i_3)) = select(intM_intP0,
    shift(t_1, r_0_0)))))) and
   ("JC_63": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_1), i_3, i_3),
   pset_range(pset_singleton(t_1), r_0_0, r_0_0)))))) ->
  (("JC_160": (r_0_0 - i_3)) < ("JC_160": (r_0 - i_3)))

goal FlagStatic_flag_safety_po_18:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  (0 <= ("JC_160": (r_0 - i_3)))

goal FlagStatic_flag_safety_po_19:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_135": is_color_array(t_1, Object_alloc_table, intM_intP))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  forall b_0:int.
  forall i_3:int.
  forall intM_intP0:(Object,
  int) memory.
  forall r_0:int.
  ("JC_155": true) ->
  ("JC_153":
  (("JC_145": is_color_array(t_1, Object_alloc_table, intM_intP0)) and
   (("JC_146": (0 <= b_0)) and
    (("JC_147": (b_0 <= i_3)) and
     (("JC_148": (i_3 <= r_0)) and
      (("JC_149": (r_0 <= (offset_max(Object_alloc_table, t_1) + 1))) and
       (("JC_150": is_monochrome(t_1, 0, b_0, FlagStatic_BLUE, intM_intP0)) and
        (("JC_151": is_monochrome(t_1, b_0, i_3, FlagStatic_WHITE,
         intM_intP0)) and
         ("JC_152": is_monochrome(t_1, r_0, (offset_max(Object_alloc_table,
         t_1) + 1), FlagStatic_RED, intM_intP0)))))))))) ->
  (i_3 < r_0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_1, i_3))) ->
  (result0 <> FlagStatic_BLUE) ->
  ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE)) ->
  ((result0 <> FlagStatic_RED) and
   ((result0 <> FlagStatic_WHITE) and (result0 <> FlagStatic_BLUE))) ->
  (("JC_160": (r_0 - i_3)) < ("JC_160": (r_0 - i_3)))

goal FlagStatic_isMonochrome_ensures_decides_monochromatic_po_1:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_227": true) ->
  ("JC_225":
  (("JC_223": (i <= k_0)) and
   ("JC_224":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  forall result:int.
  (result = select(intM_intP, shift(t, k_0))) ->
  (result <> c_0) ->
  forall return:bool.
  (return = false) ->
  (return = true) ->
  ("JC_207": is_monochrome(t, i, j, c_0, intM_intP))

goal FlagStatic_isMonochrome_ensures_decides_monochromatic_po_2:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_227": true) ->
  ("JC_225":
  (("JC_223": (i <= k_0)) and
   ("JC_224":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  forall result:int.
  (result = select(intM_intP, shift(t, k_0))) ->
  (result <> c_0) ->
  forall return:bool.
  (return = false) ->
  is_monochrome(t, i, j, c_0, intM_intP) ->
  ("JC_207": (return = true))

goal FlagStatic_isMonochrome_ensures_decides_monochromatic_po_3:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_227": true) ->
  ("JC_225":
  (("JC_223": (i <= k_0)) and
   ("JC_224":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 >= j) ->
  forall return:bool.
  (return = true) ->
  (return = true) ->
  ("JC_207": is_monochrome(t, i, j, c_0, intM_intP))

goal FlagStatic_isMonochrome_ensures_decides_monochromatic_po_4:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_227": true) ->
  ("JC_225":
  (("JC_223": (i <= k_0)) and
   ("JC_224":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 >= j) ->
  forall return:bool.
  (return = true) ->
  is_monochrome(t, i, j, c_0, intM_intP) ->
  ("JC_207": (return = true))

goal FlagStatic_isMonochrome_ensures_default_po_1:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  ("JC_219": ("JC_217": (i <= i)))

goal FlagStatic_isMonochrome_ensures_default_po_2:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall l:int.
  ((i <= l) and (l < i)) ->
  ("JC_219": ("JC_218": (select(intM_intP, shift(t, l)) = c_0)))

goal FlagStatic_isMonochrome_ensures_default_po_3:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_219":
  (("JC_217": (i <= k_0)) and
   ("JC_218":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  forall result:int.
  (result = select(intM_intP, shift(t, k_0))) ->
  (result = c_0) ->
  forall k_0_0:int.
  (k_0_0 = (k_0 + 1)) ->
  ("JC_219": ("JC_217": (i <= k_0_0)))

goal FlagStatic_isMonochrome_ensures_default_po_4:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_219":
  (("JC_217": (i <= k_0)) and
   ("JC_218":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  forall result:int.
  (result = select(intM_intP, shift(t, k_0))) ->
  (result = c_0) ->
  forall k_0_0:int.
  (k_0_0 = (k_0 + 1)) ->
  forall l:int.
  ((i <= l) and (l < k_0_0)) ->
  ("JC_219": ("JC_218": (select(intM_intP, shift(t, l)) = c_0)))

goal FlagStatic_isMonochrome_safety_po_1:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_213": true) ->
  ("JC_211":
  (("JC_209": (i <= k_0)) and
   ("JC_210":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  (offset_min(Object_alloc_table, t) <= k_0)

goal FlagStatic_isMonochrome_safety_po_2:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_213": true) ->
  ("JC_211":
  (("JC_209": (i <= k_0)) and
   ("JC_210":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  (k_0 <= offset_max(Object_alloc_table, t))

goal FlagStatic_isMonochrome_safety_po_3:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_213": true) ->
  ("JC_211":
  (("JC_209": (i <= k_0)) and
   ("JC_210":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  ((offset_min(Object_alloc_table, t) <= k_0) and
   (k_0 <= offset_max(Object_alloc_table, t))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, k_0))) ->
  (result = c_0) ->
  forall k_0_0:int.
  (k_0_0 = (k_0 + 1)) ->
  (0 <= ("JC_216": (j - k_0)))

goal FlagStatic_isMonochrome_safety_po_4:
  forall t:Object pointer.
  forall i:int.
  forall j:int.
  forall c_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_201":
   (("JC_197": Non_null_intM(t, Object_alloc_table)) and
    (("JC_198": (0 <= i)) and
     (("JC_199": (i <= j)) and
      ("JC_200": (j <= (offset_max(Object_alloc_table, t) + 1)))))))) ->
  forall k_0:int.
  ("JC_213": true) ->
  ("JC_211":
  (("JC_209": (i <= k_0)) and
   ("JC_210":
   (forall l:int.
     (((i <= l) and (l < k_0)) -> (select(intM_intP, shift(t, l)) = c_0)))))) ->
  (k_0 < j) ->
  ((offset_min(Object_alloc_table, t) <= k_0) and
   (k_0 <= offset_max(Object_alloc_table, t))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, k_0))) ->
  (result = c_0) ->
  forall k_0_0:int.
  (k_0_0 = (k_0 + 1)) ->
  (("JC_216": (j - k_0_0)) < ("JC_216": (j - k_0)))

goal FlagStatic_swap_ensures_i_j_swapped_po_1:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, i_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, j_0))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t_0, i_0), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_0, j_0), result)) ->
  ("JC_59":
  ("JC_57":
  ("JC_55": (select(intM_intP1, shift(t_0, i_0)) = select(intM_intP,
  shift(t_0, j_0))))))

goal FlagStatic_swap_ensures_i_j_swapped_po_2:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, i_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, j_0))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t_0, i_0), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_0, j_0), result)) ->
  ("JC_59":
  ("JC_57":
  ("JC_56": (select(intM_intP1, shift(t_0, j_0)) = select(intM_intP,
  shift(t_0, i_0))))))

goal FlagStatic_swap_ensures_i_j_swapped_po_3:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, i_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, j_0))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t_0, i_0), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_0, j_0), result)) ->
  ("JC_59":
  ("JC_58": not_assigns(Object_alloc_table, intM_intP, intM_intP1,
  pset_union(pset_range(pset_singleton(t_0), j_0, j_0),
  pset_range(pset_singleton(t_0), i_0, i_0)))))

goal FlagStatic_swap_safety_po_1:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  (offset_min(Object_alloc_table, t_0) <= i_0)

goal FlagStatic_swap_safety_po_2:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  (i_0 <= offset_max(Object_alloc_table, t_0))

goal FlagStatic_swap_safety_po_3:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  ((offset_min(Object_alloc_table, t_0) <= i_0) and
   (i_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, i_0))) ->
  (offset_min(Object_alloc_table, t_0) <= j_0)

goal FlagStatic_swap_safety_po_4:
  forall t_0:Object pointer.
  forall i_0:int.
  forall j_0:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_49":
   (("JC_45": (0 <= i_0)) and
    (("JC_46": (i_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
     (("JC_47": (0 <= j_0)) and
      ("JC_48": (j_0 < (offset_max(Object_alloc_table, t_0) + 1)))))))) ->
  ((offset_min(Object_alloc_table, t_0) <= i_0) and
   (i_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, i_0))) ->
  (j_0 <= offset_max(Object_alloc_table, t_0))

why-2.34/tests/java/oracle/Gcd.res.oracle0000644000175000017500000060331212311670312016626 0ustar  rtusers========== file tests/java/Gcd.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

/* complements for non-linear integer arithmetic */

/*@ lemma distr_right:
  @   \forall integer x y z; x*(y+z) == (x*y)+(x*z);
  @*/

/*@ lemma distr_left:
  @   \forall integer x y z; (x+y)*z == (x*z)+(y*z);
  @*/

/*@ lemma distr_right_minus:
  @   \forall integer x y z; x*(y-z) == (x*y)-(x*z);
  @*/

/*@ lemma distr_left_minus:
  @   \forall integer x y z; (x-y)*z == (x*z)-(y*z);
  @*/

/*@ lemma mul_comm:
  @   \forall integer x y; x*y == y*x;
  @*/

/*@ lemma mul_assoc:
  @   \forall integer x y z; x*(y*z) == (x*y)*z;
  @*/

/*@ predicate divides(integer x, integer y) =
  @   \exists integer q; y == q*x ;
  @*/

/*@ lemma div_mod_property:
  @  \forall integer x y;
  @    x >=0 && y > 0 ==> x%y  == x - y*(x/y);
  @*/

/*@ lemma mod_property:
  @  \forall integer x y;
  @    x >=0 && y > 0 ==> 0 <= x%y && x%y < y;
  @*/

/*@ predicate isGcd(integer a, integer b, integer d) =
  @   divides(d,a) && divides(d,b) &&
  @     \forall integer z;
  @     divides(z,a) && divides(z,b) ==> divides(z,d) ;
  @*/

/*@ lemma gcd_zero :
  @   \forall integer a; isGcd(a,0,a) ;
  @*/

/*@ lemma gcd_property :
  @   \forall integer a b d;
  @      a >= 0 && b > 0 && isGcd(b,a % b,d) ==> isGcd(a,b,d) ;
  @*/

class Gcd {

    /*@ requires x >= 0 && y >= 0;
      @ behavior resultIsGcd:
      @   ensures isGcd(x,y,\result) ;
      @ behavior bezoutProperty:
      @   ensures \exists integer a b; a*x+b*y == \result;
      @*/
    static int gcd(int x, int y) {
        //@ ghost integer a = 1, b = 0, c = 0, d = 1;
        /*@ loop_invariant
          @    x >= 0 && y >= 0 &&
	  @    (\forall integer d ;  isGcd(x,y,d) ==>
	  @        \at(isGcd(x,y,d),Pre)) &&
          @    a*\at(x,Pre)+b*\at(y,Pre) == x &&
          @    c*\at(x,Pre)+d*\at(y,Pre) == y ;
          @ loop_variant y;
          @*/
        while (y > 0) {
            int r = x % y;
            //@ ghost integer q = x / y;
            x = y;
            y = r;
            //@ ghost integer ta = a, tb = b;
            //@ ghost a = c;
	    //@ ghost b = d;
            //@ ghost c = ta - c * q;
            //@ ghost d = tb - d * q;
        }
        return x;
    }

}




/*
Local Variables:
compile-command: "make Gcd.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Gcd for constructor Gcd
Generating JC function Gcd_gcd for method Gcd.gcd
Done.
========== file tests/java/Gcd.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Gcd = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate divides(integer x_5, integer y_5) =
(\exists integer q;
  (y_5 == (q * x_5)))

predicate isGcd(integer a, integer b, integer d) =
((divides(d, a) && divides(d, b)) &&
  (\forall integer z_4;
    ((divides(z_4, a) && divides(z_4, b)) ==> divides(z_4, d))))

lemma distr_right :
(\forall integer x;
  (\forall integer y;
    (\forall integer z;
      ((x * (y + z)) == ((x * y) + (x * z))))))

lemma distr_left :
(\forall integer x_0;
  (\forall integer y_0;
    (\forall integer z_0;
      (((x_0 + y_0) * z_0) == ((x_0 * z_0) + (y_0 * z_0))))))

lemma distr_right_minus :
(\forall integer x_1;
  (\forall integer y_1;
    (\forall integer z_1;
      ((x_1 * (y_1 - z_1)) == ((x_1 * y_1) - (x_1 * z_1))))))

lemma distr_left_minus :
(\forall integer x_2;
  (\forall integer y_2;
    (\forall integer z_2;
      (((x_2 - y_2) * z_2) == ((x_2 * z_2) - (y_2 * z_2))))))

lemma mul_comm :
(\forall integer x_3;
  (\forall integer y_3;
    ((x_3 * y_3) == (y_3 * x_3))))

lemma mul_assoc :
(\forall integer x_4;
  (\forall integer y_4;
    (\forall integer z_3;
      ((x_4 * (y_4 * z_3)) == ((x_4 * y_4) * z_3)))))

lemma div_mod_property :
(\forall integer x_6;
  (\forall integer y_6;
    (((x_6 >= 0) && (y_6 > 0)) ==>
      ((x_6 % y_6) == (x_6 - (y_6 * (x_6 / y_6)))))))

lemma mod_property :
(\forall integer x_7;
  (\forall integer y_7;
    (((x_7 >= 0) && (y_7 > 0)) ==>
      ((0 <= (x_7 % y_7)) && ((x_7 % y_7) < y_7)))))

lemma gcd_zero :
(\forall integer a_0;
  isGcd(a_0, 0, a_0))

lemma gcd_property :
(\forall integer a_1;
  (\forall integer b_0;
    (\forall integer d_0;
      ((((a_1 >= 0) && (b_0 > 0)) && isGcd(b_0, (a_1 % b_0), d_0)) ==>
        isGcd(a_1, b_0, d_0)))))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Gcd(! Gcd[0] this_0){()}

integer Gcd_gcd(integer x_8, integer y_8)
  requires (K_5 : ((K_4 : (x_8 >= 0)) && (K_3 : (y_8 >= 0))));
behavior resultIsGcd:
  ensures (K_1 : isGcd(x_8, y_8, \result));
behavior bezoutProperty:
  ensures (K_2 : (\exists integer a_2;
                   (\exists integer b_1;
                     (((a_2 * x_8) + (b_1 * y_8)) == \result))));
{  
   {  
      (var integer a_3 = (K_28 : 1));
      
      {  
         (var integer b_2 = (K_27 : 0));
         
         {  
            (var integer c = (K_26 : 0));
            
            {  
               (var integer d_1 = (K_25 : 1));
               
               {  
                  loop 
                  behavior default:
                    invariant (K_14 : ((K_13 : ((K_12 : ((K_11 : ((K_10 : 
                                                                  (x_8 >=
                                                                    0)) &&
                                                                   (K_9 : 
                                                                   (y_8 >=
                                                                    0)))) &&
                                                          (K_8 : (\forall integer d_2;
                                                                   (isGcd(
                                                                    x_8, y_8,
                                                                    d_2) ==>
                                                                    \at(isGcd(
                                                                    x_8, y_8,
                                                                    d_2),Pre)))))) &&
                                                 (K_7 : (((a_3 *
                                                            \at(x_8,Pre)) +
                                                           (b_2 *
                                                             \at(y_8,Pre))) ==
                                                          x_8)))) &&
                                        (K_6 : (((c * \at(x_8,Pre)) +
                                                  (d_1 * \at(y_8,Pre))) ==
                                                 y_8))));
                  variant (K_15 : y_8);
                  while ((K_24 : (y_8 > 0)))
                  {  
                     {  
                        (var integer r = (K_23 : (x_8 % y_8)));
                        
                        {  
                           (var integer q_0 = (K_22 : (x_8 / y_8)));
                           
                           {  (x_8 = y_8);
                              (y_8 = r);
                              
                              {  
                                 (var integer ta = (K_21 : a_3));
                                 
                                 {  
                                    (var integer tb = (K_20 : b_2));
                                    
                                    {  (a_3 = c);
                                       (b_2 = d_1);
                                       (c = (K_17 : (ta - (K_16 : (c * q_0)))));
                                       (d_1 = (K_19 : (tb -
                                                        (K_18 : (d_1 * q_0)))))
                                    }
                                 }
                              }
                           }
                        }
                     }
                  };
                  
                  (return x_8)
               }
            }
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Gcd.jloc tests/java/Gcd.jc && make -f tests/java/Gcd.makefile gui"
End:
*/
========== file tests/java/Gcd.jloc ==========
[K_23]
file = "HOME/tests/java/Gcd.java"
line = 108
begin = 20
end = 25

[gcd_property]
name = "Lemma gcd_property"
file = "HOME/tests/java/Gcd.java"
line = 84
begin = 10
end = 22

[K_17]
file = "HOME/tests/java/Gcd.java"
line = 115
begin = 26
end = 36

[K_11]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 31

[K_25]
file = "HOME/tests/java/Gcd.java"
line = 98
begin = 51
end = 52

[K_13]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 165

[Gcd_gcd]
name = "Method gcd"
file = "HOME/tests/java/Gcd.java"
line = 97
begin = 15
end = 18

[K_9]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 25
end = 31

[mul_assoc]
name = "Lemma mul_assoc"
file = "HOME/tests/java/Gcd.java"
line = 56
begin = 10
end = 19

[distr_right_minus]
name = "Lemma distr_right_minus"
file = "HOME/tests/java/Gcd.java"
line = 44
begin = 10
end = 27

[K_28]
file = "HOME/tests/java/Gcd.java"
line = 98
begin = 30
end = 31

[gcd_zero]
name = "Lemma gcd_zero"
file = "HOME/tests/java/Gcd.java"
line = 80
begin = 10
end = 18

[K_1]
file = "HOME/tests/java/Gcd.java"
line = 93
begin = 18
end = 36

[K_15]
file = "HOME/tests/java/Gcd.java"
line = 105
begin = 25
end = 26

[K_4]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 17
end = 23

[K_12]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 116

[K_20]
file = "HOME/tests/java/Gcd.java"
line = 112
begin = 43
end = 44

[K_2]
file = "HOME/tests/java/Gcd.java"
line = 95
begin = 18
end = 57

[mul_comm]
name = "Lemma mul_comm"
file = "HOME/tests/java/Gcd.java"
line = 52
begin = 10
end = 18

[K_10]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 21

[K_6]
file = "HOME/tests/java/Gcd.java"
line = 104
begin = 15
end = 45

[K_8]
file = "HOME/tests/java/Gcd.java"
line = 101
begin = 9
end = 80

[K_3]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 27
end = 33

[distr_left_minus]
name = "Lemma distr_left_minus"
file = "HOME/tests/java/Gcd.java"
line = 48
begin = 10
end = 26

[K_27]
file = "HOME/tests/java/Gcd.java"
line = 98
begin = 37
end = 38

[K_21]
file = "HOME/tests/java/Gcd.java"
line = 112
begin = 35
end = 36

[K_24]
file = "HOME/tests/java/Gcd.java"
line = 107
begin = 15
end = 20

[K_14]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 214

[div_mod_property]
name = "Lemma div_mod_property"
file = "HOME/tests/java/Gcd.java"
line = 64
begin = 10
end = 26

[distr_right]
name = "Lemma distr_right"
file = "HOME/tests/java/Gcd.java"
line = 36
begin = 10
end = 21

[mod_property]
name = "Lemma mod_property"
file = "HOME/tests/java/Gcd.java"
line = 69
begin = 10
end = 22

[K_19]
file = "HOME/tests/java/Gcd.java"
line = 116
begin = 26
end = 36

[K_5]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 17
end = 33

[cons_Gcd]
name = "Constructor of class Gcd"
file = "HOME/"
line = 0
begin = -1
end = -1

[distr_left]
name = "Lemma distr_left"
file = "HOME/tests/java/Gcd.java"
line = 40
begin = 10
end = 20

[K_18]
file = "HOME/tests/java/Gcd.java"
line = 116
begin = 31
end = 36

[K_7]
file = "HOME/tests/java/Gcd.java"
line = 103
begin = 15
end = 45

[K_26]
file = "HOME/tests/java/Gcd.java"
line = 98
begin = 44
end = 45

[K_22]
file = "HOME/tests/java/Gcd.java"
line = 109
begin = 34
end = 39

[K_16]
file = "HOME/tests/java/Gcd.java"
line = 115
begin = 31
end = 36

========== jessie execution ==========
Generating Why function cons_Gcd
Generating Why function Gcd_gcd
========== file tests/java/Gcd.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Gcd.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Gcd.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Gcd_why.sx

project: why/Gcd.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Gcd_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Gcd_why.vo

coq/Gcd_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Gcd_why.v: why/Gcd.why
	@echo 'why -coq [...] why/Gcd.why' && $(WHY) $(JESSIELIBFILES) why/Gcd.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Gcd_ctx_why.vo
	for f in why/*_po*.why; do make -f Gcd.makefile coq/`basename $$f .why`_why.v ; done

coq/Gcd_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Gcd_ctx_why.v: why/Gcd_ctx.why
	@echo 'why -coq [...] why/Gcd_ctx.why' && $(WHY) why/Gcd_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Gcd_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Gcd_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Gcd_ctx_why.vo

pvs: pvs/Gcd_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Gcd_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Gcd_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Gcd_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Gcd_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Gcd_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Gcd_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Gcd_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Gcd_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Gcd_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Gcd_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Gcd_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Gcd_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Gcd_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Gcd_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Gcd.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Gcd_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Gcd.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Gcd.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Gcd.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Gcd.depend

depend: coq/Gcd_why.v
	-$(COQDEP) -I coq coq/Gcd*_why.v > Gcd.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Gcd.loc ==========
[Gcd_gcd_ensures_resultIsGcd]
name = "Method gcd"
behavior = "Behavior `resultIsGcd'"
file = "HOME/tests/java/Gcd.java"
line = 97
begin = 15
end = 18

[JC_73]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_63]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_80]
file = "HOME/tests/java/Gcd.java"
line = 103
begin = 15
end = 45

[JC_51]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_71]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 214

[JC_45]
file = "HOME/tests/java/Gcd.java"
line = 101
begin = 9
end = 80

[gcd_property]
name = "Lemma gcd_property"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 84
begin = 10
end = 22

[JC_64]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 108
begin = 20
end = 25

[cons_Gcd_safety]
name = "Constructor of class Gcd"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[Gcd_gcd_ensures_default]
name = "Method gcd"
behavior = "default behavior"
file = "HOME/tests/java/Gcd.java"
line = 97
begin = 15
end = 18

[mul_assoc]
name = "Lemma mul_assoc"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 56
begin = 10
end = 19

[JC_85]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[distr_right_minus]
name = "Lemma distr_right_minus"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 44
begin = 10
end = 27

[JC_31]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 17
end = 23

[JC_17]
file = "HOME/tests/java/Gcd.jc"
line = 37
begin = 11
end = 65

[gcd_zero]
name = "Lemma gcd_zero"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 80
begin = 10
end = 18

[JC_81]
file = "HOME/tests/java/Gcd.java"
line = 104
begin = 15
end = 45

[JC_55]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 21

[JC_48]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 214

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 25
end = 31

[JC_9]
file = "HOME/tests/java/Gcd.jc"
line = 35
begin = 8
end = 23

[JC_75]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 108
begin = 20
end = 25

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 25
end = 31

[JC_41]
file = "HOME/tests/java/Gcd.java"
line = 95
begin = 18
end = 57

[JC_74]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_47]
file = "HOME/tests/java/Gcd.java"
line = 104
begin = 15
end = 45

[JC_52]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 108
begin = 20
end = 25

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Gcd_ensures_default]
name = "Constructor of class Gcd"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/Gcd.java"
line = 105
begin = 25
end = 26

[JC_79]
file = "HOME/tests/java/Gcd.java"
line = 101
begin = 9
end = 80

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 214

[JC_87]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 109
begin = 34
end = 39

[JC_11]
file = "HOME/tests/java/Gcd.jc"
line = 35
begin = 8
end = 23

[JC_70]
file = "HOME/tests/java/Gcd.java"
line = 104
begin = 15
end = 45

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Gcd.java"
line = 93
begin = 18
end = 36

[mul_comm]
name = "Lemma mul_comm"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 52
begin = 10
end = 18

[JC_40]
file = "HOME/tests/java/Gcd.java"
line = 93
begin = 18
end = 36

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 17
end = 23

[JC_69]
file = "HOME/tests/java/Gcd.java"
line = 103
begin = 15
end = 45

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 25
end = 31

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_42]
file = "HOME/tests/java/Gcd.java"
line = 95
begin = 18
end = 57

[JC_46]
file = "HOME/tests/java/Gcd.java"
line = 103
begin = 15
end = 45

[distr_left_minus]
name = "Lemma distr_left_minus"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 48
begin = 10
end = 26

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 27
end = 33

[JC_56]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 25
end = 31

[JC_33]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 17
end = 33

[JC_65]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 109
begin = 34
end = 39

[Gcd_gcd_safety]
name = "Method gcd"
behavior = "Safety"
file = "HOME/tests/java/Gcd.java"
line = 97
begin = 15
end = 18

[Gcd_gcd_ensures_bezoutProperty]
name = "Method gcd"
behavior = "Behavior `bezoutProperty'"
file = "HOME/tests/java/Gcd.java"
line = 97
begin = 15
end = 18

[JC_29]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 17
end = 33

[div_mod_property]
name = "Lemma div_mod_property"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 64
begin = 10
end = 26

[JC_68]
file = "HOME/tests/java/Gcd.java"
line = 101
begin = 9
end = 80

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[distr_right]
name = "Lemma distr_right"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 36
begin = 10
end = 21

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 21

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[mod_property]
name = "Lemma mod_property"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 69
begin = 10
end = 22

[JC_53]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 109
begin = 34
end = 39

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 21

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Gcd.jc"
line = 10
begin = 12
end = 22

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/Gcd.java"
line = 101
begin = 9
end = 80

[JC_66]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 21

[JC_59]
file = "HOME/tests/java/Gcd.java"
line = 104
begin = 15
end = 45

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Gcd.jc"
line = 37
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Gcd.jc"
line = 10
begin = 12
end = 22

[distr_left]
name = "Lemma distr_left"
behavior = "lemma"
file = "HOME/tests/java/Gcd.java"
line = 40
begin = 10
end = 20

[JC_86]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 108
begin = 20
end = 25

[JC_60]
file = "HOME/tests/java/Gcd.java"
line = 100
begin = 15
end = 214

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
kind = DivByZero
file = "HOME/tests/java/Gcd.java"
line = 109
begin = 34
end = 39

[JC_50]
file = "HOME/tests/java/Gcd.jc"
line = 135
begin = 18
end = 2892

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/Gcd.java"
line = 103
begin = 15
end = 45

[JC_28]
file = "HOME/tests/java/Gcd.java"
line = 91
begin = 27
end = 33

========== file tests/java/why/Gcd.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Gcd_tag:  -> Object tag_id

axiom Gcd_parenttag_Object : parenttag(Gcd_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

predicate divides(x_5:int, y_5:int) = (exists q:int. (y_5 = mul_int(q, x_5)))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate isGcd(a:int, b:int, d:int) =
 (divides(d, a)
 and (divides(d, b)
     and (forall z_4:int.
          ((divides(z_4, a) and divides(z_4, b)) -> divides(z_4, d)))))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Gcd(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Gcd(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Gcd(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Gcd(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

lemma distr_right :
 (forall x_2:int.
  (forall y:int.
   (forall z:int.
    (mul_int(x_2, add_int(y, z)) = add_int(mul_int(x_2, y), mul_int(x_2, z))))))

lemma distr_left :
 (forall x_0_0:int.
  (forall y_0:int.
   (forall z_0:int.
    (mul_int(add_int(x_0_0, y_0), z_0) = add_int(mul_int(x_0_0, z_0),
                                         mul_int(y_0, z_0))))))

lemma distr_right_minus :
 (forall x_1_0:int.
  (forall y_1:int.
   (forall z_1:int.
    (mul_int(x_1_0, sub_int(y_1, z_1)) = sub_int(mul_int(x_1_0, y_1),
                                         mul_int(x_1_0, z_1))))))

lemma distr_left_minus :
 (forall x_2_0:int.
  (forall y_2:int.
   (forall z_2:int.
    (mul_int(sub_int(x_2_0, y_2), z_2) = sub_int(mul_int(x_2_0, z_2),
                                         mul_int(y_2, z_2))))))

lemma mul_comm :
 (forall x_3:int. (forall y_3:int. (mul_int(x_3, y_3) = mul_int(y_3, x_3))))

lemma mul_assoc :
 (forall x_4:int.
  (forall y_4:int.
   (forall z_3:int.
    (mul_int(x_4, mul_int(y_4, z_3)) = mul_int(mul_int(x_4, y_4), z_3)))))

lemma div_mod_property :
 (forall x_6:int.
  (forall y_6:int.
   ((ge_int(x_6, (0)) and gt_int(y_6, (0))) ->
    (computer_mod(x_6, y_6) = sub_int(x_6,
                              mul_int(y_6, computer_div(x_6, y_6)))))))

lemma mod_property :
 (forall x_7:int.
  (forall y_7:int.
   ((ge_int(x_7, (0)) and gt_int(y_7, (0))) ->
    (le_int((0), computer_mod(x_7, y_7))
    and lt_int(computer_mod(x_7, y_7), y_7)))))

lemma gcd_zero : (forall a_0:int. isGcd(a_0, (0), a_0))

lemma gcd_property :
 (forall a_1:int.
  (forall b_0:int.
   (forall d_0:int.
    ((ge_int(a_1, (0))
     and (gt_int(b_0, (0)) and isGcd(b_0, computer_mod(a_1, b_0), d_0))) ->
     isGcd(a_1, b_0, d_0)))))

exception Exception_exc of Object pointer

parameter Gcd_gcd :
 x_8:int ->
  y_8:int ->
   { } int
   { ((JC_42:
      (exists a_2:int.
       (exists b_1:int.
        (add_int(mul_int(a_2, x_8), mul_int(b_1, y_8)) = result))))
     and (JC_40: isGcd(x_8, y_8, result))) }

parameter Gcd_gcd_requires :
 x_8:int ->
  y_8:int ->
   { (JC_29: ((JC_27: ge_int(x_8, (0))) and (JC_28: ge_int(y_8, (0)))))} int
   { ((JC_42:
      (exists a_2:int.
       (exists b_1:int.
        (add_int(mul_int(a_2, x_8), mul_int(b_1, y_8)) = result))))
     and (JC_40: isGcd(x_8, y_8, result))) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Gcd :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Gcd(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Gcd_tag)))) }

parameter alloc_struct_Gcd_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Gcd(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Gcd_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Gcd :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Gcd_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Gcd_gcd_ensures_bezoutProperty =
 fun (x_8 : int) (y_8 : int) ->
  { (JC_33: ((JC_31: ge_int(x_8, (0))) and (JC_32: ge_int(y_8, (0))))) }
  (let mutable_x_8 = ref x_8 in
  (let mutable_y_8 = ref y_8 in
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let a_3 = ref (K_28: (1)) in
     (let b_2 = ref (K_27: (0)) in
     (let c = ref (K_26: (0)) in
     (let d_1 = ref (K_25: (1)) in
     begin
       try
        (loop_4:
        while true do
        { invariant (JC_84: true)  }
         begin
           [ { } unit reads a_3,b_2,c,d_1,mutable_x_8,mutable_y_8
             { (JC_82:
               ((JC_77: ge_int(mutable_x_8, (0)))
               and ((JC_78: ge_int(mutable_y_8, (0)))
                   and ((JC_79:
                        (forall d_2:int.
                         (isGcd(mutable_x_8, mutable_y_8, d_2) ->
                          isGcd(mutable_x_8@init, mutable_y_8@init, d_2))))
                       and ((JC_80:
                            (add_int(mul_int(a_3, mutable_x_8@init),
                             mul_int(b_2, mutable_y_8@init)) = mutable_x_8))
                           and (JC_81:
                               (add_int(mul_int(c, mutable_x_8@init),
                                mul_int(d_1, mutable_y_8@init)) = mutable_y_8))))))) } ];
          try
           begin
             (if (K_24: ((gt_int_ !mutable_y_8) (0)))
             then
              (let _jessie_ =
              (let r =
              (K_23: (JC_86: ((computer_mod !mutable_x_8) !mutable_y_8))) in
              (let q_0 =
              (K_22: (JC_87: ((computer_div !mutable_x_8) !mutable_y_8))) in
              begin
                (let _jessie_ = (mutable_x_8 := !mutable_y_8) in void);
               (let _jessie_ = (mutable_y_8 := r) in void);
               (let ta = (K_21: !a_3) in
               (let tb = (K_20: !b_2) in
               begin
                 (let _jessie_ = (a_3 := !c) in void);
                (let _jessie_ = (b_2 := !d_1) in void);
                (let _jessie_ =
                (c := (K_17: ((sub_int ta) (K_16: ((mul_int !c) q_0))))) in
                void);
                (d_1 := (K_19: ((sub_int tb) (K_18: ((mul_int !d_1) q_0)))));
                !d_1 end)) end)) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !mutable_x_8);
      (raise Return) end)))); absurd  end with Return -> !return end))))
  { (JC_41:
    (exists a_2:int.
     (exists b_1:int.
      (add_int(mul_int(a_2, x_8), mul_int(b_1, y_8)) = result)))) }

let Gcd_gcd_ensures_default =
 fun (x_8 : int) (y_8 : int) ->
  { (JC_33: ((JC_31: ge_int(x_8, (0))) and (JC_32: ge_int(y_8, (0))))) }
  (let mutable_x_8 = ref x_8 in
  (let mutable_y_8 = ref y_8 in
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let a_3 = ref (K_28: (1)) in
     (let b_2 = ref (K_27: (0)) in
     (let c = ref (K_26: (0)) in
     (let d_1 = ref (K_25: (1)) in
     begin
       try
        (loop_2:
        while true do
        { invariant
            (JC_60:
            ((JC_55: ge_int(mutable_x_8, (0)))
            and ((JC_56: ge_int(mutable_y_8, (0)))
                and ((JC_57:
                     (forall d_2:int.
                      (isGcd(mutable_x_8, mutable_y_8, d_2) ->
                       isGcd(mutable_x_8@init, mutable_y_8@init, d_2))))
                    and ((JC_58:
                         (add_int(mul_int(a_3, mutable_x_8@init),
                          mul_int(b_2, mutable_y_8@init)) = mutable_x_8))
                        and (JC_59:
                            (add_int(mul_int(c, mutable_x_8@init),
                             mul_int(d_1, mutable_y_8@init)) = mutable_y_8)))))))
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_24: ((gt_int_ !mutable_y_8) (0)))
             then
              (let _jessie_ =
              (let r =
              (K_23: (JC_64: ((computer_mod !mutable_x_8) !mutable_y_8))) in
              (let q_0 =
              (K_22: (JC_65: ((computer_div !mutable_x_8) !mutable_y_8))) in
              begin
                (let _jessie_ = (mutable_x_8 := !mutable_y_8) in void);
               (let _jessie_ = (mutable_y_8 := r) in void);
               (let ta = (K_21: !a_3) in
               (let tb = (K_20: !b_2) in
               begin
                 (let _jessie_ = (a_3 := !c) in void);
                (let _jessie_ = (b_2 := !d_1) in void);
                (let _jessie_ =
                (c := (K_17: ((sub_int ta) (K_16: ((mul_int !c) q_0))))) in
                void);
                (d_1 := (K_19: ((sub_int tb) (K_18: ((mul_int !d_1) q_0)))));
                !d_1 end)) end)) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !mutable_x_8);
      (raise Return) end)))); absurd  end with Return -> !return end))))
  { (JC_35: true) }

let Gcd_gcd_ensures_resultIsGcd =
 fun (x_8 : int) (y_8 : int) ->
  { (JC_33: ((JC_31: ge_int(x_8, (0))) and (JC_32: ge_int(y_8, (0))))) }
  (let mutable_x_8 = ref x_8 in
  (let mutable_y_8 = ref y_8 in
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let a_3 = ref (K_28: (1)) in
     (let b_2 = ref (K_27: (0)) in
     (let c = ref (K_26: (0)) in
     (let d_1 = ref (K_25: (1)) in
     begin
       try
        (loop_3:
        while true do
        { invariant (JC_73: true)  }
         begin
           [ { } unit reads a_3,b_2,c,d_1,mutable_x_8,mutable_y_8
             { (JC_71:
               ((JC_66: ge_int(mutable_x_8, (0)))
               and ((JC_67: ge_int(mutable_y_8, (0)))
                   and ((JC_68:
                        (forall d_2:int.
                         (isGcd(mutable_x_8, mutable_y_8, d_2) ->
                          isGcd(mutable_x_8@init, mutable_y_8@init, d_2))))
                       and ((JC_69:
                            (add_int(mul_int(a_3, mutable_x_8@init),
                             mul_int(b_2, mutable_y_8@init)) = mutable_x_8))
                           and (JC_70:
                               (add_int(mul_int(c, mutable_x_8@init),
                                mul_int(d_1, mutable_y_8@init)) = mutable_y_8))))))) } ];
          try
           begin
             (if (K_24: ((gt_int_ !mutable_y_8) (0)))
             then
              (let _jessie_ =
              (let r =
              (K_23: (JC_75: ((computer_mod !mutable_x_8) !mutable_y_8))) in
              (let q_0 =
              (K_22: (JC_76: ((computer_div !mutable_x_8) !mutable_y_8))) in
              begin
                (let _jessie_ = (mutable_x_8 := !mutable_y_8) in void);
               (let _jessie_ = (mutable_y_8 := r) in void);
               (let ta = (K_21: !a_3) in
               (let tb = (K_20: !b_2) in
               begin
                 (let _jessie_ = (a_3 := !c) in void);
                (let _jessie_ = (b_2 := !d_1) in void);
                (let _jessie_ =
                (c := (K_17: ((sub_int ta) (K_16: ((mul_int !c) q_0))))) in
                void);
                (d_1 := (K_19: ((sub_int tb) (K_18: ((mul_int !d_1) q_0)))));
                !d_1 end)) end)) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !mutable_x_8);
      (raise Return) end)))); absurd  end with Return -> !return end))))
  { (JC_39: isGcd(x_8, y_8, result)) }

let Gcd_gcd_safety =
 fun (x_8 : int) (y_8 : int) ->
  { (JC_33: ((JC_31: ge_int(x_8, (0))) and (JC_32: ge_int(y_8, (0))))) }
  (let mutable_x_8 = ref x_8 in
  (let mutable_y_8 = ref y_8 in
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let a_3 = ref (K_28: (1)) in
     (let b_2 = ref (K_27: (0)) in
     (let c = ref (K_26: (0)) in
     (let d_1 = ref (K_25: (1)) in
     begin
       try
        (loop_1:
        while true do
        { invariant (JC_50: true) variant (JC_54 : mutable_y_8) }
         begin
           [ { } unit reads a_3,b_2,c,d_1,mutable_x_8,mutable_y_8
             { (JC_48:
               ((JC_43: ge_int(mutable_x_8, (0)))
               and ((JC_44: ge_int(mutable_y_8, (0)))
                   and ((JC_45:
                        (forall d_2:int.
                         (isGcd(mutable_x_8, mutable_y_8, d_2) ->
                          isGcd(mutable_x_8@init, mutable_y_8@init, d_2))))
                       and ((JC_46:
                            (add_int(mul_int(a_3, mutable_x_8@init),
                             mul_int(b_2, mutable_y_8@init)) = mutable_x_8))
                           and (JC_47:
                               (add_int(mul_int(c, mutable_x_8@init),
                                mul_int(d_1, mutable_y_8@init)) = mutable_y_8))))))) } ];
          try
           begin
             (if (K_24: ((gt_int_ !mutable_y_8) (0)))
             then
              (let _jessie_ =
              (let r =
              (K_23: (JC_52: ((computer_mod_ !mutable_x_8) !mutable_y_8))) in
              (let q_0 =
              (K_22: (JC_53: ((computer_div_ !mutable_x_8) !mutable_y_8))) in
              begin
                (let _jessie_ = (mutable_x_8 := !mutable_y_8) in void);
               (let _jessie_ = (mutable_y_8 := r) in void);
               (let ta = (K_21: !a_3) in
               (let tb = (K_20: !b_2) in
               begin
                 (let _jessie_ = (a_3 := !c) in void);
                (let _jessie_ = (b_2 := !d_1) in void);
                (let _jessie_ =
                (c := (K_17: ((sub_int ta) (K_16: ((mul_int !c) q_0))))) in
                void);
                (d_1 := (K_19: ((sub_int tb) (K_18: ((mul_int !d_1) q_0)))));
                !d_1 end)) end)) in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !mutable_x_8);
      (raise Return) end)))); absurd  end with Return -> !return end))))
  { true }

let cons_Gcd_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Gcd(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_Gcd_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Gcd(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Gcd.why
========== file tests/java/why/Gcd.wpr ==========

  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
    
    
      
      
    
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  

========== file tests/java/why/Gcd_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Gcd_tag : Object tag_id

axiom Gcd_parenttag_Object: parenttag(Gcd_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

predicate divides(x_5: int, y_5: int) = (exists q:int. (y_5 = (q * x_5)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate isGcd(a: int, b: int, d: int) =
  (divides(d, a) and
   (divides(d, b) and
    (forall z_4:int.
      ((divides(z_4, a) and divides(z_4, b)) -> divides(z_4, d)))))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Gcd(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Gcd(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Gcd(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Gcd(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Gcd_po1.why ==========
lemma distr_right:
  (forall x_2:int.
    (forall y:int.
      (forall z:int. ((x_2 * (y + z)) = ((x_2 * y) + (x_2 * z))))))

========== file tests/java/why/Gcd_po10.why ==========
lemma gcd_property:
  (forall a_1:int.
    (forall b_0:int.
      (forall d_0:int.
        (((a_1 >= 0) and
          ((b_0 > 0) and isGcd(b_0, computer_mod(a_1, b_0), d_0))) ->
         isGcd(a_1, b_0, d_0)))))

========== file tests/java/why/Gcd_po11.why ==========
goal Gcd_gcd_ensures_bezoutProperty_po_1:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_84": true) ->
  ("JC_82":
  (("JC_77": (mutable_x_8 >= 0)) and
   (("JC_78": (mutable_y_8 >= 0)) and
    (("JC_79":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_80": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_81": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 <= 0) ->
  forall return:int.
  (return = mutable_x_8) ->
  ("JC_41":
  (exists a_2:int. (exists b_1:int. (((a_2 * x_8) + (b_1 * y_8)) = return))))

========== file tests/java/why/Gcd_po12.why ==========
goal Gcd_gcd_ensures_default_po_1:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  ("JC_60": ("JC_58": (((1 * x_8) + (0 * y_8)) = x_8)))

========== file tests/java/why/Gcd_po13.why ==========
goal Gcd_gcd_ensures_default_po_2:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  ("JC_60": ("JC_59": (((0 * x_8) + (1 * y_8)) = y_8)))

========== file tests/java/why/Gcd_po14.why ==========
goal Gcd_gcd_ensures_default_po_3:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_60":
  (("JC_55": (mutable_x_8 >= 0)) and
   (("JC_56": (mutable_y_8 >= 0)) and
    (("JC_57":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_58": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_59": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = computer_mod(mutable_x_8, mutable_y_8)) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * computer_div(mutable_x_8, mutable_y_8)))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * computer_div(mutable_x_8, mutable_y_8)))) ->
  ("JC_60": ("JC_55": (mutable_x_8_0 >= 0)))

========== file tests/java/why/Gcd_po15.why ==========
goal Gcd_gcd_ensures_default_po_4:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_60":
  (("JC_55": (mutable_x_8 >= 0)) and
   (("JC_56": (mutable_y_8 >= 0)) and
    (("JC_57":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_58": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_59": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = computer_mod(mutable_x_8, mutable_y_8)) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * computer_div(mutable_x_8, mutable_y_8)))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * computer_div(mutable_x_8, mutable_y_8)))) ->
  ("JC_60": ("JC_56": (mutable_y_8_0 >= 0)))

========== file tests/java/why/Gcd_po16.why ==========
goal Gcd_gcd_ensures_default_po_5:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_60":
  (("JC_55": (mutable_x_8 >= 0)) and
   (("JC_56": (mutable_y_8 >= 0)) and
    (("JC_57":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_58": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_59": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = computer_mod(mutable_x_8, mutable_y_8)) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * computer_div(mutable_x_8, mutable_y_8)))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * computer_div(mutable_x_8, mutable_y_8)))) ->
  forall d_2:int.
  isGcd(mutable_x_8_0, mutable_y_8_0, d_2) ->
  ("JC_60": ("JC_57": isGcd(x_8, y_8, d_2)))

========== file tests/java/why/Gcd_po17.why ==========
goal Gcd_gcd_ensures_default_po_6:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_60":
  (("JC_55": (mutable_x_8 >= 0)) and
   (("JC_56": (mutable_y_8 >= 0)) and
    (("JC_57":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_58": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_59": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = computer_mod(mutable_x_8, mutable_y_8)) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * computer_div(mutable_x_8, mutable_y_8)))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * computer_div(mutable_x_8, mutable_y_8)))) ->
  ("JC_60": ("JC_58": (((a_3_0 * x_8) + (b_2_0 * y_8)) = mutable_x_8_0)))

========== file tests/java/why/Gcd_po18.why ==========
goal Gcd_gcd_ensures_default_po_7:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_60":
  (("JC_55": (mutable_x_8 >= 0)) and
   (("JC_56": (mutable_y_8 >= 0)) and
    (("JC_57":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_58": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_59": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = computer_mod(mutable_x_8, mutable_y_8)) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * computer_div(mutable_x_8, mutable_y_8)))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * computer_div(mutable_x_8, mutable_y_8)))) ->
  ("JC_60": ("JC_59": (((c0 * x_8) + (d_1_0 * y_8)) = mutable_y_8_0)))

========== file tests/java/why/Gcd_po19.why ==========
goal Gcd_gcd_ensures_resultIsGcd_po_1:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_73": true) ->
  ("JC_71":
  (("JC_66": (mutable_x_8 >= 0)) and
   (("JC_67": (mutable_y_8 >= 0)) and
    (("JC_68":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_69": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_70": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 <= 0) ->
  forall return:int.
  (return = mutable_x_8) ->
  ("JC_39": isGcd(x_8, y_8, return))

========== file tests/java/why/Gcd_po2.why ==========
lemma distr_left:
  (forall x_0_0:int.
    (forall y_0:int.
      (forall z_0:int.
        (((x_0_0 + y_0) * z_0) = ((x_0_0 * z_0) + (y_0 * z_0))))))

========== file tests/java/why/Gcd_po20.why ==========
goal Gcd_gcd_safety_po_1:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_43": (mutable_x_8 >= 0)) and
   (("JC_44": (mutable_y_8 >= 0)) and
    (("JC_45":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_46": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_47": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  (mutable_y_8 <> 0)

========== file tests/java/why/Gcd_po21.why ==========
goal Gcd_gcd_safety_po_2:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_43": (mutable_x_8 >= 0)) and
   (("JC_44": (mutable_y_8 >= 0)) and
    (("JC_45":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_46": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_47": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  (mutable_y_8 <> 0) ->
  forall result:int.
  (result = computer_mod(mutable_x_8, mutable_y_8)) ->
  (mutable_y_8 <> 0) ->
  forall result0:int.
  (result0 = computer_div(mutable_x_8, mutable_y_8)) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = result) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * result0))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * result0))) ->
  (0 <= ("JC_54": mutable_y_8))

========== file tests/java/why/Gcd_po22.why ==========
goal Gcd_gcd_safety_po_3:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_43": (mutable_x_8 >= 0)) and
   (("JC_44": (mutable_y_8 >= 0)) and
    (("JC_45":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_46": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_47": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  (mutable_y_8 <> 0) ->
  forall result:int.
  (result = computer_mod(mutable_x_8, mutable_y_8)) ->
  (mutable_y_8 <> 0) ->
  forall result0:int.
  (result0 = computer_div(mutable_x_8, mutable_y_8)) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = result) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * result0))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * result0))) ->
  (("JC_54": mutable_y_8_0) < ("JC_54": mutable_y_8))

========== file tests/java/why/Gcd_po3.why ==========
lemma distr_right_minus:
  (forall x_1_0:int.
    (forall y_1:int.
      (forall z_1:int.
        ((x_1_0 * (y_1 - z_1)) = ((x_1_0 * y_1) - (x_1_0 * z_1))))))

========== file tests/java/why/Gcd_po4.why ==========
lemma distr_left_minus:
  (forall x_2_0:int.
    (forall y_2:int.
      (forall z_2:int.
        (((x_2_0 - y_2) * z_2) = ((x_2_0 * z_2) - (y_2 * z_2))))))

========== file tests/java/why/Gcd_po5.why ==========
lemma mul_comm:
  (forall x_3:int. (forall y_3:int. ((x_3 * y_3) = (y_3 * x_3))))

========== file tests/java/why/Gcd_po6.why ==========
lemma mul_assoc:
  (forall x_4:int.
    (forall y_4:int.
      (forall z_3:int. ((x_4 * (y_4 * z_3)) = ((x_4 * y_4) * z_3)))))

========== file tests/java/why/Gcd_po7.why ==========
lemma div_mod_property:
  (forall x_6:int.
    (forall y_6:int.
      (((x_6 >= 0) and (y_6 > 0)) -> (computer_mod(x_6,
       y_6) = (x_6 - (y_6 * computer_div(x_6, y_6)))))))

========== file tests/java/why/Gcd_po8.why ==========
lemma mod_property:
  (forall x_7:int.
    (forall y_7:int.
      (((x_7 >= 0) and (y_7 > 0)) ->
       ((0 <= computer_mod(x_7, y_7)) and (computer_mod(x_7, y_7) < y_7)))))

========== file tests/java/why/Gcd_po9.why ==========
lemma gcd_zero:
  (forall a_0:int. isGcd(a_0, 0, a_0))

========== generation of Simplify VC output ==========
why -simplify [...] why/Gcd.why
========== file tests/java/simplify/Gcd_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Gcd_parenttag_Object
 (EQ (parenttag Gcd_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(DEFPRED (divides x_5 y_5) (EXISTS (q) (EQ y_5 (* q x_5))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (isGcd a b d)
  (AND (divides d a)
  (AND (divides d b)
  (FORALL (z_4)
  (IMPLIES (AND (divides z_4 a) (divides z_4 b)) (divides z_4 d))))))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Gcd p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Gcd p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Gcd p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Gcd p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; distr_right, File "HOME/tests/java/Gcd.java", line 36, characters 10-21
(FORALL (x_2 y z) (EQ (* x_2 (+ y z)) (+ (* x_2 y) (* x_2 z))))

(BG_PUSH
 ;; lemma distr_right as axiom
(FORALL (x_2 y z) (EQ (* x_2 (+ y z)) (+ (* x_2 y) (* x_2 z)))))

;; distr_left, File "HOME/tests/java/Gcd.java", line 40, characters 10-20
(FORALL (x_0_0 y_0 z_0)
(EQ (* (+ x_0_0 y_0) z_0) (+ (* x_0_0 z_0) (* y_0 z_0))))

(BG_PUSH
 ;; lemma distr_left as axiom
(FORALL (x_0_0 y_0 z_0)
(EQ (* (+ x_0_0 y_0) z_0) (+ (* x_0_0 z_0) (* y_0 z_0)))))

;; distr_right_minus, File "HOME/tests/java/Gcd.java", line 44, characters 10-27
(FORALL (x_1_0 y_1 z_1)
(EQ (* x_1_0 (- y_1 z_1)) (- (* x_1_0 y_1) (* x_1_0 z_1))))

(BG_PUSH
 ;; lemma distr_right_minus as axiom
(FORALL (x_1_0 y_1 z_1)
(EQ (* x_1_0 (- y_1 z_1)) (- (* x_1_0 y_1) (* x_1_0 z_1)))))

;; distr_left_minus, File "HOME/tests/java/Gcd.java", line 48, characters 10-26
(FORALL (x_2_0 y_2 z_2)
(EQ (* (- x_2_0 y_2) z_2) (- (* x_2_0 z_2) (* y_2 z_2))))

(BG_PUSH
 ;; lemma distr_left_minus as axiom
(FORALL (x_2_0 y_2 z_2)
(EQ (* (- x_2_0 y_2) z_2) (- (* x_2_0 z_2) (* y_2 z_2)))))

;; mul_comm, File "HOME/tests/java/Gcd.java", line 52, characters 10-18
(FORALL (x_3 y_3) (EQ (* x_3 y_3) (* y_3 x_3)))

(BG_PUSH
 ;; lemma mul_comm as axiom
(FORALL (x_3 y_3) (EQ (* x_3 y_3) (* y_3 x_3))))

;; mul_assoc, File "HOME/tests/java/Gcd.java", line 56, characters 10-19
(FORALL (x_4 y_4 z_3) (EQ (* x_4 (* y_4 z_3)) (* (* x_4 y_4) z_3)))

(BG_PUSH
 ;; lemma mul_assoc as axiom
(FORALL (x_4 y_4 z_3) (EQ (* x_4 (* y_4 z_3)) (* (* x_4 y_4) z_3))))

;; div_mod_property, File "HOME/tests/java/Gcd.java", line 64, characters 10-26
(FORALL (x_6 y_6)
(IMPLIES (AND (>= x_6 0) (> y_6 0))
(EQ (computer_mod x_6 y_6) (- x_6 (* y_6 (computer_div x_6 y_6))))))

(BG_PUSH
 ;; lemma div_mod_property as axiom
(FORALL (x_6 y_6)
(IMPLIES (AND (>= x_6 0) (> y_6 0))
(EQ (computer_mod x_6 y_6) (- x_6 (* y_6 (computer_div x_6 y_6)))))))

;; mod_property, File "HOME/tests/java/Gcd.java", line 69, characters 10-22
(FORALL (x_7 y_7)
(IMPLIES (AND (>= x_7 0) (> y_7 0))
(AND (<= 0 (computer_mod x_7 y_7)) (< (computer_mod x_7 y_7) y_7))))

(BG_PUSH
 ;; lemma mod_property as axiom
(FORALL (x_7 y_7)
(IMPLIES (AND (>= x_7 0) (> y_7 0))
(AND (<= 0 (computer_mod x_7 y_7)) (< (computer_mod x_7 y_7) y_7)))))

;; gcd_zero, File "HOME/tests/java/Gcd.java", line 80, characters 10-18
(FORALL (a_0) (isGcd a_0 0 a_0))

(BG_PUSH
 ;; lemma gcd_zero as axiom
(FORALL (a_0) (isGcd a_0 0 a_0)))

;; gcd_property, File "HOME/tests/java/Gcd.java", line 84, characters 10-22
(FORALL (a_1 b_0 d_0)
(IMPLIES
(AND (>= a_1 0) (AND (> b_0 0) (isGcd b_0 (computer_mod a_1 b_0) d_0)))
(isGcd a_1 b_0 d_0)))

(BG_PUSH
 ;; lemma gcd_property as axiom
(FORALL (a_1 b_0 d_0)
(IMPLIES
(AND (>= a_1 0) (AND (> b_0 0) (isGcd b_0 (computer_mod a_1 b_0) d_0)))
(isGcd a_1 b_0 d_0))))

;; Gcd_gcd_ensures_bezoutProperty_po_1, File "HOME/tests/java/Gcd.java", line 95, characters 18-57
(FORALL (x_8)
(FORALL (y_8)
(IMPLIES (AND (>= x_8 0) (>= y_8 0))
(FORALL (a_3)
(FORALL (b_2)
(FORALL (c)
(FORALL (d_1)
(FORALL (mutable_x_8)
(FORALL (mutable_y_8)
(IMPLIES TRUE
(IMPLIES (AND (>= mutable_x_8 0)
         (AND (>= mutable_y_8 0)
         (AND
         (FORALL (d_2)
         (IMPLIES (isGcd mutable_x_8 mutable_y_8 d_2) (isGcd x_8 y_8 d_2)))
         (AND (EQ (+ (* a_3 x_8) (* b_2 y_8)) mutable_x_8)
         (EQ (+ (* c x_8) (* d_1 y_8)) mutable_y_8)))))
(IMPLIES (<= mutable_y_8 0)
(FORALL (return)
(IMPLIES (EQ return mutable_x_8)
(EXISTS (a_2) (EXISTS (b_1) (EQ (+ (* a_2 x_8) (* b_1 y_8)) return)))))))))))))))))

;; Gcd_gcd_ensures_default_po_1, File "HOME/tests/java/Gcd.java", line 103, characters 15-45
(FORALL (x_8)
(FORALL (y_8)
(IMPLIES (AND (>= x_8 0) (>= y_8 0)) (EQ (+ (* 1 x_8) (* 0 y_8)) x_8))))

;; Gcd_gcd_ensures_default_po_2, File "HOME/tests/java/Gcd.java", line 104, characters 15-45
(FORALL (x_8)
(FORALL (y_8)
(IMPLIES (AND (>= x_8 0) (>= y_8 0)) (EQ (+ (* 0 x_8) (* 1 y_8)) y_8))))

;; Gcd_gcd_ensures_default_po_3, File "HOME/tests/java/Gcd.java", line 100, characters 15-21
(FORALL (x_8)
(FORALL (y_8)
(IMPLIES (AND (>= x_8 0) (>= y_8 0))
(FORALL (a_3)
(FORALL (b_2)
(FORALL (c)
(FORALL (d_1)
(FORALL (mutable_x_8)
(FORALL (mutable_y_8)
(IMPLIES (AND (>= mutable_x_8 0)
         (AND (>= mutable_y_8 0)
         (AND
         (FORALL (d_2)
         (IMPLIES (isGcd mutable_x_8 mutable_y_8 d_2) (isGcd x_8 y_8 d_2)))
         (AND (EQ (+ (* a_3 x_8) (* b_2 y_8)) mutable_x_8)
         (EQ (+ (* c x_8) (* d_1 y_8)) mutable_y_8)))))
(IMPLIES (> mutable_y_8 0)
(FORALL (mutable_x_8_0)
(IMPLIES (EQ mutable_x_8_0 mutable_y_8)
(FORALL (mutable_y_8_0)
(IMPLIES (EQ mutable_y_8_0 (computer_mod mutable_x_8 mutable_y_8))
(FORALL (a_3_0)
(IMPLIES (EQ a_3_0 c)
(FORALL (b_2_0)
(IMPLIES (EQ b_2_0 d_1)
(FORALL (c0)
(IMPLIES (EQ c0 (- a_3 (* c (computer_div mutable_x_8 mutable_y_8))))
(FORALL (d_1_0)
(IMPLIES (EQ d_1_0 (- b_2 (* d_1 (computer_div mutable_x_8 mutable_y_8))))
(>= mutable_x_8_0 0))))))))))))))))))))))))

;; Gcd_gcd_ensures_default_po_4, File "HOME/tests/java/Gcd.java", line 100, characters 25-31
(FORALL (x_8)
(FORALL (y_8)
(IMPLIES (AND (>= x_8 0) (>= y_8 0))
(FORALL (a_3)
(FORALL (b_2)
(FORALL (c)
(FORALL (d_1)
(FORALL (mutable_x_8)
(FORALL (mutable_y_8)
(IMPLIES (AND (>= mutable_x_8 0)
         (AND (>= mutable_y_8 0)
         (AND
         (FORALL (d_2)
         (IMPLIES (isGcd mutable_x_8 mutable_y_8 d_2) (isGcd x_8 y_8 d_2)))
         (AND (EQ (+ (* a_3 x_8) (* b_2 y_8)) mutable_x_8)
         (EQ (+ (* c x_8) (* d_1 y_8)) mutable_y_8)))))
(IMPLIES (> mutable_y_8 0)
(FORALL (mutable_x_8_0)
(IMPLIES (EQ mutable_x_8_0 mutable_y_8)
(FORALL (mutable_y_8_0)
(IMPLIES (EQ mutable_y_8_0 (computer_mod mutable_x_8 mutable_y_8))
(FORALL (a_3_0)
(IMPLIES (EQ a_3_0 c)
(FORALL (b_2_0)
(IMPLIES (EQ b_2_0 d_1)
(FORALL (c0)
(IMPLIES (EQ c0 (- a_3 (* c (computer_div mutable_x_8 mutable_y_8))))
(FORALL (d_1_0)
(IMPLIES (EQ d_1_0 (- b_2 (* d_1 (computer_div mutable_x_8 mutable_y_8))))
(>= mutable_y_8_0 0))))))))))))))))))))))))

;; Gcd_gcd_ensures_default_po_5, File "HOME/tests/java/Gcd.java", line 101, characters 9-80
(FORALL (x_8)
(FORALL (y_8)
(IMPLIES (AND (>= x_8 0) (>= y_8 0))
(FORALL (a_3)
(FORALL (b_2)
(FORALL (c)
(FORALL (d_1)
(FORALL (mutable_x_8)
(FORALL (mutable_y_8)
(IMPLIES (AND (>= mutable_x_8 0)
         (AND (>= mutable_y_8 0)
         (AND
         (FORALL (d_2)
         (IMPLIES (isGcd mutable_x_8 mutable_y_8 d_2) (isGcd x_8 y_8 d_2)))
         (AND (EQ (+ (* a_3 x_8) (* b_2 y_8)) mutable_x_8)
         (EQ (+ (* c x_8) (* d_1 y_8)) mutable_y_8)))))
(IMPLIES (> mutable_y_8 0)
(FORALL (mutable_x_8_0)
(IMPLIES (EQ mutable_x_8_0 mutable_y_8)
(FORALL (mutable_y_8_0)
(IMPLIES (EQ mutable_y_8_0 (computer_mod mutable_x_8 mutable_y_8))
(FORALL (a_3_0)
(IMPLIES (EQ a_3_0 c)
(FORALL (b_2_0)
(IMPLIES (EQ b_2_0 d_1)
(FORALL (c0)
(IMPLIES (EQ c0 (- a_3 (* c (computer_div mutable_x_8 mutable_y_8))))
(FORALL (d_1_0)
(IMPLIES (EQ d_1_0 (- b_2 (* d_1 (computer_div mutable_x_8 mutable_y_8))))
(FORALL (d_2)
(IMPLIES (isGcd mutable_x_8_0 mutable_y_8_0 d_2) (isGcd x_8 y_8 d_2))))))))))))))))))))))))))

;; Gcd_gcd_ensures_default_po_6, File "HOME/tests/java/Gcd.java", line 103, characters 15-45
(FORALL (x_8)
(FORALL (y_8)
(IMPLIES (AND (>= x_8 0) (>= y_8 0))
(FORALL (a_3)
(FORALL (b_2)
(FORALL (c)
(FORALL (d_1)
(FORALL (mutable_x_8)
(FORALL (mutable_y_8)
(IMPLIES (AND (>= mutable_x_8 0)
         (AND (>= mutable_y_8 0)
         (AND
         (FORALL (d_2)
         (IMPLIES (isGcd mutable_x_8 mutable_y_8 d_2) (isGcd x_8 y_8 d_2)))
         (AND (EQ (+ (* a_3 x_8) (* b_2 y_8)) mutable_x_8)
         (EQ (+ (* c x_8) (* d_1 y_8)) mutable_y_8)))))
(IMPLIES (> mutable_y_8 0)
(FORALL (mutable_x_8_0)
(IMPLIES (EQ mutable_x_8_0 mutable_y_8)
(FORALL (mutable_y_8_0)
(IMPLIES (EQ mutable_y_8_0 (computer_mod mutable_x_8 mutable_y_8))
(FORALL (a_3_0)
(IMPLIES (EQ a_3_0 c)
(FORALL (b_2_0)
(IMPLIES (EQ b_2_0 d_1)
(FORALL (c0)
(IMPLIES (EQ c0 (- a_3 (* c (computer_div mutable_x_8 mutable_y_8))))
(FORALL (d_1_0)
(IMPLIES (EQ d_1_0 (- b_2 (* d_1 (computer_div mutable_x_8 mutable_y_8))))
(EQ (+ (* a_3_0 x_8) (* b_2_0 y_8)) mutable_x_8_0))))))))))))))))))))))))

;; Gcd_gcd_ensures_default_po_7, File "HOME/tests/java/Gcd.java", line 104, characters 15-45
(FORALL (x_8)
(FORALL (y_8)
(IMPLIES (AND (>= x_8 0) (>= y_8 0))
(FORALL (a_3)
(FORALL (b_2)
(FORALL (c)
(FORALL (d_1)
(FORALL (mutable_x_8)
(FORALL (mutable_y_8)
(IMPLIES (AND (>= mutable_x_8 0)
         (AND (>= mutable_y_8 0)
         (AND
         (FORALL (d_2)
         (IMPLIES (isGcd mutable_x_8 mutable_y_8 d_2) (isGcd x_8 y_8 d_2)))
         (AND (EQ (+ (* a_3 x_8) (* b_2 y_8)) mutable_x_8)
         (EQ (+ (* c x_8) (* d_1 y_8)) mutable_y_8)))))
(IMPLIES (> mutable_y_8 0)
(FORALL (mutable_x_8_0)
(IMPLIES (EQ mutable_x_8_0 mutable_y_8)
(FORALL (mutable_y_8_0)
(IMPLIES (EQ mutable_y_8_0 (computer_mod mutable_x_8 mutable_y_8))
(FORALL (a_3_0)
(IMPLIES (EQ a_3_0 c)
(FORALL (b_2_0)
(IMPLIES (EQ b_2_0 d_1)
(FORALL (c0)
(IMPLIES (EQ c0 (- a_3 (* c (computer_div mutable_x_8 mutable_y_8))))
(FORALL (d_1_0)
(IMPLIES (EQ d_1_0 (- b_2 (* d_1 (computer_div mutable_x_8 mutable_y_8))))
(EQ (+ (* c0 x_8) (* d_1_0 y_8)) mutable_y_8_0))))))))))))))))))))))))

;; Gcd_gcd_ensures_resultIsGcd_po_1, File "HOME/tests/java/Gcd.java", line 93, characters 18-36
(FORALL (x_8)
(FORALL (y_8)
(IMPLIES (AND (>= x_8 0) (>= y_8 0))
(FORALL (a_3)
(FORALL (b_2)
(FORALL (c)
(FORALL (d_1)
(FORALL (mutable_x_8)
(FORALL (mutable_y_8)
(IMPLIES TRUE
(IMPLIES (AND (>= mutable_x_8 0)
         (AND (>= mutable_y_8 0)
         (AND
         (FORALL (d_2)
         (IMPLIES (isGcd mutable_x_8 mutable_y_8 d_2) (isGcd x_8 y_8 d_2)))
         (AND (EQ (+ (* a_3 x_8) (* b_2 y_8)) mutable_x_8)
         (EQ (+ (* c x_8) (* d_1 y_8)) mutable_y_8)))))
(IMPLIES (<= mutable_y_8 0)
(FORALL (return) (IMPLIES (EQ return mutable_x_8) (isGcd x_8 y_8 return)))))))))))))))

;; Gcd_gcd_safety_po_1, File "HOME/tests/java/Gcd.java", line 108, characters 20-25
(FORALL (x_8)
(FORALL (y_8)
(IMPLIES (AND (>= x_8 0) (>= y_8 0))
(FORALL (a_3)
(FORALL (b_2)
(FORALL (c)
(FORALL (d_1)
(FORALL (mutable_x_8)
(FORALL (mutable_y_8)
(IMPLIES TRUE
(IMPLIES (AND (>= mutable_x_8 0)
         (AND (>= mutable_y_8 0)
         (AND
         (FORALL (d_2)
         (IMPLIES (isGcd mutable_x_8 mutable_y_8 d_2) (isGcd x_8 y_8 d_2)))
         (AND (EQ (+ (* a_3 x_8) (* b_2 y_8)) mutable_x_8)
         (EQ (+ (* c x_8) (* d_1 y_8)) mutable_y_8)))))
(IMPLIES (> mutable_y_8 0) (NEQ mutable_y_8 0)))))))))))))

;; Gcd_gcd_safety_po_2, File "HOME/tests/java/Gcd.java", line 105, characters 25-26
(FORALL (x_8)
(FORALL (y_8)
(IMPLIES (AND (>= x_8 0) (>= y_8 0))
(FORALL (a_3)
(FORALL (b_2)
(FORALL (c)
(FORALL (d_1)
(FORALL (mutable_x_8)
(FORALL (mutable_y_8)
(IMPLIES TRUE
(IMPLIES (AND (>= mutable_x_8 0)
         (AND (>= mutable_y_8 0)
         (AND
         (FORALL (d_2)
         (IMPLIES (isGcd mutable_x_8 mutable_y_8 d_2) (isGcd x_8 y_8 d_2)))
         (AND (EQ (+ (* a_3 x_8) (* b_2 y_8)) mutable_x_8)
         (EQ (+ (* c x_8) (* d_1 y_8)) mutable_y_8)))))
(IMPLIES (> mutable_y_8 0)
(IMPLIES (NEQ mutable_y_8 0)
(FORALL (result)
(IMPLIES (EQ result (computer_mod mutable_x_8 mutable_y_8))
(IMPLIES (NEQ mutable_y_8 0)
(FORALL (result0)
(IMPLIES (EQ result0 (computer_div mutable_x_8 mutable_y_8))
(FORALL (mutable_x_8_0)
(IMPLIES (EQ mutable_x_8_0 mutable_y_8)
(FORALL (mutable_y_8_0)
(IMPLIES (EQ mutable_y_8_0 result)
(FORALL (a_3_0)
(IMPLIES (EQ a_3_0 c)
(FORALL (b_2_0)
(IMPLIES (EQ b_2_0 d_1)
(FORALL (c0)
(IMPLIES (EQ c0 (- a_3 (* c result0)))
(FORALL (d_1_0)
(IMPLIES (EQ d_1_0 (- b_2 (* d_1 result0))) (<= 0 mutable_y_8)))))))))))))))))))))))))))))))

;; Gcd_gcd_safety_po_3, File "HOME/tests/java/Gcd.java", line 105, characters 25-26
(FORALL (x_8)
(FORALL (y_8)
(IMPLIES (AND (>= x_8 0) (>= y_8 0))
(FORALL (a_3)
(FORALL (b_2)
(FORALL (c)
(FORALL (d_1)
(FORALL (mutable_x_8)
(FORALL (mutable_y_8)
(IMPLIES TRUE
(IMPLIES (AND (>= mutable_x_8 0)
         (AND (>= mutable_y_8 0)
         (AND
         (FORALL (d_2)
         (IMPLIES (isGcd mutable_x_8 mutable_y_8 d_2) (isGcd x_8 y_8 d_2)))
         (AND (EQ (+ (* a_3 x_8) (* b_2 y_8)) mutable_x_8)
         (EQ (+ (* c x_8) (* d_1 y_8)) mutable_y_8)))))
(IMPLIES (> mutable_y_8 0)
(IMPLIES (NEQ mutable_y_8 0)
(FORALL (result)
(IMPLIES (EQ result (computer_mod mutable_x_8 mutable_y_8))
(IMPLIES (NEQ mutable_y_8 0)
(FORALL (result0)
(IMPLIES (EQ result0 (computer_div mutable_x_8 mutable_y_8))
(FORALL (mutable_x_8_0)
(IMPLIES (EQ mutable_x_8_0 mutable_y_8)
(FORALL (mutable_y_8_0)
(IMPLIES (EQ mutable_y_8_0 result)
(FORALL (a_3_0)
(IMPLIES (EQ a_3_0 c)
(FORALL (b_2_0)
(IMPLIES (EQ b_2_0 d_1)
(FORALL (c0)
(IMPLIES (EQ c0 (- a_3 (* c result0)))
(FORALL (d_1_0)
(IMPLIES (EQ d_1_0 (- b_2 (* d_1 result0))) (< mutable_y_8_0 mutable_y_8)))))))))))))))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Gcd_why.sx           : ??????..##............ (14/0/6/2/0)
total   :  22
valid   :  14 ( 64%)
invalid :   0 (  0%)
unknown :   6 ( 27%)
timeout :   2 (  9%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Gcd.why
========== file tests/java/why/Gcd_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Gcd_tag : Object tag_id

axiom Gcd_parenttag_Object: parenttag(Gcd_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

predicate divides(x_5: int, y_5: int) = (exists q:int. (y_5 = (q * x_5)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate isGcd(a: int, b: int, d: int) =
  (divides(d, a) and
   (divides(d, b) and
    (forall z_4:int.
      ((divides(z_4, a) and divides(z_4, b)) -> divides(z_4, d)))))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Gcd(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Gcd(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Gcd(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Gcd(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal distr_right:
  (forall x_2:int.
    (forall y:int.
      (forall z:int. ((x_2 * (y + z)) = ((x_2 * y) + (x_2 * z))))))

axiom distr_right_as_axiom:
  (forall x_2:int.
    (forall y:int.
      (forall z:int. ((x_2 * (y + z)) = ((x_2 * y) + (x_2 * z))))))

goal distr_left:
  (forall x_0_0:int.
    (forall y_0:int.
      (forall z_0:int.
        (((x_0_0 + y_0) * z_0) = ((x_0_0 * z_0) + (y_0 * z_0))))))

axiom distr_left_as_axiom:
  (forall x_0_0:int.
    (forall y_0:int.
      (forall z_0:int.
        (((x_0_0 + y_0) * z_0) = ((x_0_0 * z_0) + (y_0 * z_0))))))

goal distr_right_minus:
  (forall x_1_0:int.
    (forall y_1:int.
      (forall z_1:int.
        ((x_1_0 * (y_1 - z_1)) = ((x_1_0 * y_1) - (x_1_0 * z_1))))))

axiom distr_right_minus_as_axiom:
  (forall x_1_0:int.
    (forall y_1:int.
      (forall z_1:int.
        ((x_1_0 * (y_1 - z_1)) = ((x_1_0 * y_1) - (x_1_0 * z_1))))))

goal distr_left_minus:
  (forall x_2_0:int.
    (forall y_2:int.
      (forall z_2:int.
        (((x_2_0 - y_2) * z_2) = ((x_2_0 * z_2) - (y_2 * z_2))))))

axiom distr_left_minus_as_axiom:
  (forall x_2_0:int.
    (forall y_2:int.
      (forall z_2:int.
        (((x_2_0 - y_2) * z_2) = ((x_2_0 * z_2) - (y_2 * z_2))))))

goal mul_comm:
  (forall x_3:int. (forall y_3:int. ((x_3 * y_3) = (y_3 * x_3))))

axiom mul_comm_as_axiom:
  (forall x_3:int. (forall y_3:int. ((x_3 * y_3) = (y_3 * x_3))))

goal mul_assoc:
  (forall x_4:int.
    (forall y_4:int.
      (forall z_3:int. ((x_4 * (y_4 * z_3)) = ((x_4 * y_4) * z_3)))))

axiom mul_assoc_as_axiom:
  (forall x_4:int.
    (forall y_4:int.
      (forall z_3:int. ((x_4 * (y_4 * z_3)) = ((x_4 * y_4) * z_3)))))

goal div_mod_property:
  (forall x_6:int.
    (forall y_6:int.
      (((x_6 >= 0) and (y_6 > 0)) -> (computer_mod(x_6,
       y_6) = (x_6 - (y_6 * computer_div(x_6, y_6)))))))

axiom div_mod_property_as_axiom:
  (forall x_6:int.
    (forall y_6:int.
      (((x_6 >= 0) and (y_6 > 0)) -> (computer_mod(x_6,
       y_6) = (x_6 - (y_6 * computer_div(x_6, y_6)))))))

goal mod_property:
  (forall x_7:int.
    (forall y_7:int.
      (((x_7 >= 0) and (y_7 > 0)) ->
       ((0 <= computer_mod(x_7, y_7)) and (computer_mod(x_7, y_7) < y_7)))))

axiom mod_property_as_axiom:
  (forall x_7:int.
    (forall y_7:int.
      (((x_7 >= 0) and (y_7 > 0)) ->
       ((0 <= computer_mod(x_7, y_7)) and (computer_mod(x_7, y_7) < y_7)))))

goal gcd_zero:
  (forall a_0:int. isGcd(a_0, 0, a_0))

axiom gcd_zero_as_axiom:
  (forall a_0:int. isGcd(a_0, 0, a_0))

goal gcd_property:
  (forall a_1:int.
    (forall b_0:int.
      (forall d_0:int.
        (((a_1 >= 0) and
          ((b_0 > 0) and isGcd(b_0, computer_mod(a_1, b_0), d_0))) ->
         isGcd(a_1, b_0, d_0)))))

axiom gcd_property_as_axiom:
  (forall a_1:int.
    (forall b_0:int.
      (forall d_0:int.
        (((a_1 >= 0) and
          ((b_0 > 0) and isGcd(b_0, computer_mod(a_1, b_0), d_0))) ->
         isGcd(a_1, b_0, d_0)))))

goal Gcd_gcd_ensures_bezoutProperty_po_1:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_84": true) ->
  ("JC_82":
  (("JC_77": (mutable_x_8 >= 0)) and
   (("JC_78": (mutable_y_8 >= 0)) and
    (("JC_79":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_80": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_81": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 <= 0) ->
  forall return:int.
  (return = mutable_x_8) ->
  ("JC_41":
  (exists a_2:int. (exists b_1:int. (((a_2 * x_8) + (b_1 * y_8)) = return))))

goal Gcd_gcd_ensures_default_po_1:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  ("JC_60": ("JC_58": (((1 * x_8) + (0 * y_8)) = x_8)))

goal Gcd_gcd_ensures_default_po_2:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  ("JC_60": ("JC_59": (((0 * x_8) + (1 * y_8)) = y_8)))

goal Gcd_gcd_ensures_default_po_3:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_60":
  (("JC_55": (mutable_x_8 >= 0)) and
   (("JC_56": (mutable_y_8 >= 0)) and
    (("JC_57":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_58": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_59": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = computer_mod(mutable_x_8, mutable_y_8)) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * computer_div(mutable_x_8, mutable_y_8)))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * computer_div(mutable_x_8, mutable_y_8)))) ->
  ("JC_60": ("JC_55": (mutable_x_8_0 >= 0)))

goal Gcd_gcd_ensures_default_po_4:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_60":
  (("JC_55": (mutable_x_8 >= 0)) and
   (("JC_56": (mutable_y_8 >= 0)) and
    (("JC_57":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_58": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_59": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = computer_mod(mutable_x_8, mutable_y_8)) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * computer_div(mutable_x_8, mutable_y_8)))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * computer_div(mutable_x_8, mutable_y_8)))) ->
  ("JC_60": ("JC_56": (mutable_y_8_0 >= 0)))

goal Gcd_gcd_ensures_default_po_5:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_60":
  (("JC_55": (mutable_x_8 >= 0)) and
   (("JC_56": (mutable_y_8 >= 0)) and
    (("JC_57":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_58": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_59": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = computer_mod(mutable_x_8, mutable_y_8)) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * computer_div(mutable_x_8, mutable_y_8)))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * computer_div(mutable_x_8, mutable_y_8)))) ->
  forall d_2:int.
  isGcd(mutable_x_8_0, mutable_y_8_0, d_2) ->
  ("JC_60": ("JC_57": isGcd(x_8, y_8, d_2)))

goal Gcd_gcd_ensures_default_po_6:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_60":
  (("JC_55": (mutable_x_8 >= 0)) and
   (("JC_56": (mutable_y_8 >= 0)) and
    (("JC_57":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_58": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_59": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = computer_mod(mutable_x_8, mutable_y_8)) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * computer_div(mutable_x_8, mutable_y_8)))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * computer_div(mutable_x_8, mutable_y_8)))) ->
  ("JC_60": ("JC_58": (((a_3_0 * x_8) + (b_2_0 * y_8)) = mutable_x_8_0)))

goal Gcd_gcd_ensures_default_po_7:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_60":
  (("JC_55": (mutable_x_8 >= 0)) and
   (("JC_56": (mutable_y_8 >= 0)) and
    (("JC_57":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_58": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_59": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = computer_mod(mutable_x_8, mutable_y_8)) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * computer_div(mutable_x_8, mutable_y_8)))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * computer_div(mutable_x_8, mutable_y_8)))) ->
  ("JC_60": ("JC_59": (((c0 * x_8) + (d_1_0 * y_8)) = mutable_y_8_0)))

goal Gcd_gcd_ensures_resultIsGcd_po_1:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_73": true) ->
  ("JC_71":
  (("JC_66": (mutable_x_8 >= 0)) and
   (("JC_67": (mutable_y_8 >= 0)) and
    (("JC_68":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_69": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_70": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 <= 0) ->
  forall return:int.
  (return = mutable_x_8) ->
  ("JC_39": isGcd(x_8, y_8, return))

goal Gcd_gcd_safety_po_1:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_43": (mutable_x_8 >= 0)) and
   (("JC_44": (mutable_y_8 >= 0)) and
    (("JC_45":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_46": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_47": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  (mutable_y_8 <> 0)

goal Gcd_gcd_safety_po_2:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_43": (mutable_x_8 >= 0)) and
   (("JC_44": (mutable_y_8 >= 0)) and
    (("JC_45":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_46": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_47": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  (mutable_y_8 <> 0) ->
  forall result:int.
  (result = computer_mod(mutable_x_8, mutable_y_8)) ->
  (mutable_y_8 <> 0) ->
  forall result0:int.
  (result0 = computer_div(mutable_x_8, mutable_y_8)) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = result) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * result0))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * result0))) ->
  (0 <= ("JC_54": mutable_y_8))

goal Gcd_gcd_safety_po_3:
  forall x_8:int.
  forall y_8:int.
  ("JC_33": (("JC_31": (x_8 >= 0)) and ("JC_32": (y_8 >= 0)))) ->
  forall a_3:int.
  forall b_2:int.
  forall c:int.
  forall d_1:int.
  forall mutable_x_8:int.
  forall mutable_y_8:int.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_43": (mutable_x_8 >= 0)) and
   (("JC_44": (mutable_y_8 >= 0)) and
    (("JC_45":
     (forall d_2:int.
       (isGcd(mutable_x_8, mutable_y_8, d_2) -> isGcd(x_8, y_8, d_2)))) and
     (("JC_46": (((a_3 * x_8) + (b_2 * y_8)) = mutable_x_8)) and
      ("JC_47": (((c * x_8) + (d_1 * y_8)) = mutable_y_8))))))) ->
  (mutable_y_8 > 0) ->
  (mutable_y_8 <> 0) ->
  forall result:int.
  (result = computer_mod(mutable_x_8, mutable_y_8)) ->
  (mutable_y_8 <> 0) ->
  forall result0:int.
  (result0 = computer_div(mutable_x_8, mutable_y_8)) ->
  forall mutable_x_8_0:int.
  (mutable_x_8_0 = mutable_y_8) ->
  forall mutable_y_8_0:int.
  (mutable_y_8_0 = result) ->
  forall a_3_0:int.
  (a_3_0 = c) ->
  forall b_2_0:int.
  (b_2_0 = d_1) ->
  forall c0:int.
  (c0 = (a_3 - (c * result0))) ->
  forall d_1_0:int.
  (d_1_0 = (b_2 - (d_1 * result0))) ->
  (("JC_54": mutable_y_8_0) < ("JC_54": mutable_y_8))

why-2.34/tests/java/oracle/NameConflicts.res.oracle0000644000175000017500000043730212311670312020662 0ustar  rtusers========== file tests/java/NameConflicts.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class NameConflicts {

    int i;

    void setI(int i) {
	this.i = i;
    }

    /*@ behavior normal:
      @   ensures \result == 0;
      @*/
    int m() {
	int result = 0;
	return result;
    }

    int field;

    int field() { return field; }

}


/*
Local Variables:
compile-command: "make NameConflicts.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function NameConflicts_m for method NameConflicts.m
Generating JC function NameConflicts_field for method NameConflicts.field
Generating JC function NameConflicts_setI for method NameConflicts.setI
Generating JC function cons_NameConflicts for constructor NameConflicts
Done.
========== file tests/java/NameConflicts.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag NameConflicts = Object with {
  int32 i; 
  int32 field;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

int32 NameConflicts_m(NameConflicts[0] this_1)
behavior normal:
  ensures (K_1 : (\result == 0));
{  
   {  
      (var int32 result = (K_2 : 0));
      
      (return result)
   }
}

int32 NameConflicts_field(NameConflicts[0] this_0)
{  
   (return (K_3 : this_0.field))
}

unit NameConflicts_setI(NameConflicts[0] this_2, int32 i)
{  (K_4 : (this_2.i = i))
}

unit cons_NameConflicts(! NameConflicts[0] this_3)
{  (this_3.i = 0);
   (this_3.field = 0)
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/NameConflicts.jloc tests/java/NameConflicts.jc && make -f tests/java/NameConflicts.makefile gui"
End:
*/
========== file tests/java/NameConflicts.jloc ==========
[NameConflicts_field]
name = "Method field"
file = "HOME/tests/java/NameConflicts.java"
line = 50
begin = 8
end = 13

[K_1]
file = "HOME/tests/java/NameConflicts.java"
line = 41
begin = 18
end = 30

[K_4]
file = "HOME/tests/java/NameConflicts.java"
line = 37
begin = 1
end = 11

[K_2]
file = "HOME/tests/java/NameConflicts.java"
line = 44
begin = 14
end = 15

[NameConflicts_m]
name = "Method m"
file = "HOME/tests/java/NameConflicts.java"
line = 43
begin = 8
end = 9

[K_3]
file = "HOME/tests/java/NameConflicts.java"
line = 50
begin = 25
end = 30

[cons_NameConflicts]
name = "Constructor of class NameConflicts"
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_setI]
name = "Method setI"
file = "HOME/tests/java/NameConflicts.java"
line = 36
begin = 9
end = 13

========== jessie execution ==========
Generating Why function NameConflicts_m
Generating Why function NameConflicts_field_0
Generating Why function NameConflicts_setI
Generating Why function cons_NameConflicts
========== file tests/java/NameConflicts.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs NameConflicts.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs NameConflicts.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/NameConflicts_why.sx

project: why/NameConflicts.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/NameConflicts_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/NameConflicts_why.vo

coq/NameConflicts_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/NameConflicts_why.v: why/NameConflicts.why
	@echo 'why -coq [...] why/NameConflicts.why' && $(WHY) $(JESSIELIBFILES) why/NameConflicts.why && rm -f coq/jessie_why.v

coq-goals: goals coq/NameConflicts_ctx_why.vo
	for f in why/*_po*.why; do make -f NameConflicts.makefile coq/`basename $$f .why`_why.v ; done

coq/NameConflicts_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/NameConflicts_ctx_why.v: why/NameConflicts_ctx.why
	@echo 'why -coq [...] why/NameConflicts_ctx.why' && $(WHY) why/NameConflicts_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export NameConflicts_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/NameConflicts_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/NameConflicts_ctx_why.vo

pvs: pvs/NameConflicts_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/NameConflicts_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/NameConflicts_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/NameConflicts_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/NameConflicts_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/NameConflicts_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/NameConflicts_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/NameConflicts_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/NameConflicts_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/NameConflicts_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/NameConflicts_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/NameConflicts_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/NameConflicts_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/NameConflicts_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/NameConflicts_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: NameConflicts.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/NameConflicts_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: NameConflicts.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: NameConflicts.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: NameConflicts.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include NameConflicts.depend

depend: coq/NameConflicts_why.v
	-$(COQDEP) -I coq coq/NameConflicts*_why.v > NameConflicts.depend

clean:
	rm -f coq/*.vo

========== file tests/java/NameConflicts.loc ==========
[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_m_ensures_default]
name = "Method m"
behavior = "default behavior"
file = "HOME/tests/java/NameConflicts.java"
line = 43
begin = 8
end = 9

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_NameConflicts_safety]
name = "Constructor of class NameConflicts"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_NameConflicts_ensures_default]
name = "Constructor of class NameConflicts"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_m_ensures_normal]
name = "Method m"
behavior = "Behavior `normal'"
file = "HOME/tests/java/NameConflicts.java"
line = 43
begin = 8
end = 9

[JC_31]
file = "HOME/tests/java/NameConflicts.java"
line = 50
begin = 8
end = 13

[JC_17]
file = "HOME/tests/java/NameConflicts.jc"
line = 49
begin = 11
end = 65

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_field_safety]
name = "Method field"
behavior = "Safety"
file = "HOME/tests/java/NameConflicts.java"
line = 50
begin = 8
end = 13

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/NameConflicts.jc"
line = 47
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/NameConflicts.jc"
line = 47
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_field_ensures_default]
name = "Method field"
behavior = "default behavior"
file = "HOME/tests/java/NameConflicts.java"
line = 50
begin = 8
end = 13

[JC_39]
file = "HOME/tests/java/NameConflicts.java"
line = 36
begin = 9
end = 13

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/NameConflicts.java"
line = 41
begin = 18
end = 30

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_m_safety]
name = "Method m"
behavior = "Safety"
file = "HOME/tests/java/NameConflicts.java"
line = 43
begin = 8
end = 9

[JC_29]
file = "HOME/tests/java/NameConflicts.java"
line = 50
begin = 8
end = 13

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_setI_safety]
name = "Method setI"
behavior = "Safety"
file = "HOME/tests/java/NameConflicts.java"
line = 36
begin = 9
end = 13

[JC_21]
file = "HOME/tests/java/NameConflicts.java"
line = 43
begin = 8
end = 9

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/NameConflicts.jc"
line = 20
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/NameConflicts.java"
line = 36
begin = 9
end = 13

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[NameConflicts_setI_ensures_default]
name = "Method setI"
behavior = "default behavior"
file = "HOME/tests/java/NameConflicts.java"
line = 36
begin = 9
end = 13

[JC_18]
file = "HOME/tests/java/NameConflicts.jc"
line = 49
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/NameConflicts.jc"
line = 20
begin = 12
end = 22

[JC_19]
file = "HOME/tests/java/NameConflicts.java"
line = 43
begin = 8
end = 9

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/tests/java/NameConflicts.java"
line = 41
begin = 18
end = 30

========== file tests/java/why/NameConflicts.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic NameConflicts_tag:  -> Object tag_id

axiom NameConflicts_parenttag_Object :
 parenttag(NameConflicts_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_NameConflicts(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_NameConflicts(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_NameConflicts(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_NameConflicts(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter NameConflicts_field : (Object, int32) memory ref

parameter Object_alloc_table : Object alloc_table ref

parameter NameConflicts_field_0 :
 this_0:Object pointer ->
  { } int32 reads NameConflicts_field,Object_alloc_table { true }

parameter NameConflicts_field_0_requires :
 this_0:Object pointer ->
  { } int32 reads NameConflicts_field,Object_alloc_table { true }

parameter NameConflicts_i : (Object, int32) memory ref

parameter NameConflicts_m :
 this_1:Object pointer ->
  { } int32 reads Object_alloc_table
  { (JC_28: (integer_of_int32(result) = (0))) }

parameter NameConflicts_m_requires :
 this_1:Object pointer ->
  { } int32 reads Object_alloc_table
  { (JC_28: (integer_of_int32(result) = (0))) }

parameter NameConflicts_setI :
 this_2:Object pointer ->
  i:int32 ->
   { } unit reads Object_alloc_table writes NameConflicts_i { true }

parameter NameConflicts_setI_requires :
 this_2:Object pointer ->
  i:int32 ->
   { } unit reads Object_alloc_table writes NameConflicts_i { true }

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_NameConflicts :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NameConflicts(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NameConflicts_tag)))) }

parameter alloc_struct_NameConflicts_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NameConflicts(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NameConflicts_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_NameConflicts :
 this_3:Object pointer ->
  { } unit reads Object_alloc_table
  writes NameConflicts_field,NameConflicts_i { true }

parameter cons_NameConflicts_requires :
 this_3:Object pointer ->
  { } unit reads Object_alloc_table
  writes NameConflicts_field,NameConflicts_i { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let NameConflicts_field_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_NameConflicts(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (return := (K_3: ((safe_acc_ !NameConflicts_field) this_0)));
    (raise Return); absurd  end with Return -> !return end))
  { (JC_33: true) }

let NameConflicts_field_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_NameConflicts(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (return := (K_3: ((safe_acc_ !NameConflicts_field) this_0)));
    (raise Return); absurd  end with Return -> !return end)) { true }

let NameConflicts_m_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_NameConflicts(this_1, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let result_0 = (safe_int32_of_integer_ (K_2: (0))) in
     begin   (return := result_0); (raise Return) end); absurd  end with
   Return -> !return end)) { (JC_23: true) }

let NameConflicts_m_ensures_normal =
 fun (this_1 : Object pointer) ->
  { valid_struct_NameConflicts(this_1, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let result_0 = (safe_int32_of_integer_ (K_2: (0))) in
     begin   (return := result_0); (raise Return) end); absurd  end with
   Return -> !return end)) { (JC_27: (integer_of_int32(result) = (0))) }

let NameConflicts_m_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_NameConflicts(this_1, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let result_0 = (safe_int32_of_integer_ (K_2: (0))) in
     begin   (return := result_0); (raise Return) end); absurd  end with
   Return -> !return end)) { true }

let NameConflicts_setI_ensures_default =
 fun (this_2 : Object pointer) (i : int32) ->
  { valid_struct_NameConflicts(this_2, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_4:
     (let _jessie_ = i in
     begin
       (let _jessie_ = this_2 in
       (((safe_upd_ NameConflicts_i) _jessie_) _jessie_)); _jessie_ end)) in
     void); (raise Return) end with Return -> void end) { (JC_41: true) }

let NameConflicts_setI_safety =
 fun (this_2 : Object pointer) (i : int32) ->
  { valid_struct_NameConflicts(this_2, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_4:
     (let _jessie_ = i in
     begin
       (let _jessie_ = this_2 in
       (((safe_upd_ NameConflicts_i) _jessie_) _jessie_)); _jessie_ end)) in
     void); (raise Return) end with Return -> void end) { true }

let cons_NameConflicts_ensures_default =
 fun (this_3 : Object pointer) ->
  { valid_struct_NameConflicts(this_3, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (safe_int32_of_integer_ (0)) in
       (let _jessie_ = this_3 in
       (((safe_upd_ NameConflicts_i) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_3 in
        (((safe_upd_ NameConflicts_field) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { (JC_49: true) }

let cons_NameConflicts_safety =
 fun (this_3 : Object pointer) ->
  { valid_struct_NameConflicts(this_3, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (safe_int32_of_integer_ (0)) in
       (let _jessie_ = this_3 in
       (((safe_upd_ NameConflicts_i) _jessie_) _jessie_)));
      (let _jessie_ = (safe_int32_of_integer_ (0)) in
      begin
        (let _jessie_ = this_3 in
        (((safe_upd_ NameConflicts_field) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { true }


========== make project execution ==========
why --project [...] why/NameConflicts.why
========== file tests/java/why/NameConflicts.wpr ==========

  
    
  
  
    
    
    
      
      
    
    
  
  
    
  
  
    
  

========== file tests/java/why/NameConflicts_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic NameConflicts_tag : Object tag_id

axiom NameConflicts_parenttag_Object: parenttag(NameConflicts_tag,
  Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_NameConflicts(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_NameConflicts(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_NameConflicts(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_NameConflicts(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/NameConflicts_po1.why ==========
goal NameConflicts_m_ensures_normal_po_1:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_NameConflicts(this_1, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall return:int32.
  (return = result) ->
  ("JC_27": (integer_of_int32(return) = 0))

========== generation of Simplify VC output ==========
why -simplify [...] why/NameConflicts.why
========== file tests/java/simplify/NameConflicts_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom NameConflicts_parenttag_Object
 (EQ (parenttag NameConflicts_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_NameConflicts p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_NameConflicts p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_NameConflicts p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_NameConflicts p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; NameConflicts_m_ensures_normal_po_1, File "HOME/tests/java/NameConflicts.java", line 41, characters 18-30
(FORALL (this_1)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_NameConflicts this_1 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (return)
(IMPLIES (EQ return result) (EQ (integer_of_int32 return) 0))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/NameConflicts_why.sx : . (1/0/0/0/0)
total   :   1
valid   :   1 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/NameConflicts.why
========== file tests/java/why/NameConflicts_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic NameConflicts_tag : Object tag_id

axiom NameConflicts_parenttag_Object: parenttag(NameConflicts_tag,
  Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_NameConflicts(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_NameConflicts(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_NameConflicts(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_NameConflicts(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal NameConflicts_m_ensures_normal_po_1:
  forall this_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_NameConflicts(this_1, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall return:int32.
  (return = result) ->
  ("JC_27": (integer_of_int32(return) = 0))

why-2.34/tests/java/oracle/Purse.err.oracle0000644000175000017500000000010112311670312017211 0ustar  rtusersgenerating logic fun balance_non_negative with one default label
why-2.34/tests/java/oracle/Arrays.res.oracle0000644000175000017500000157452512311670312017410 0ustar  rtusers========== file tests/java/Arrays.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

/* is_max(t,i,l) is true whenever t[i] is the maximum of t[0]..t[l-1]
 * l is an integer and not an int, because used as t.length which 
 * (in the logic) returns an integer and not an int 
 */
/*@ predicate is_max{L}(int[] t,int i,integer l) =
  @   t != null && 0 <= i < l <= t.length &&
  @   (\forall integer j; 0 <= j < l ==> t[j] <= t[i]) ;
  @*/

public class Arrays {

    /*@ requires t != null && 1 <= t.length <= 32767;
      @ behavior max_found:
      @   ensures 
      @      0 <= \result < t.length && 
      @      (\forall integer i; 
      @           0 <= i < t.length ==> t[i] <= t[\result]);
      @*/
    public static short findMax(int[] t) {
	int m = t[0];
	short r = 0;
        /*@ loop_invariant 
          @   1 <= i <= t.length && 0 <= r < t.length &&
          @   m == t[r] && (\forall integer j; 0 <= j < i ==> t[j] <= m);
          @ loop_variant t.length-i;
          @*/
	for (short i=1; i < t.length; i++) {
	    if (t[i] > m) {
		r = i; 
		m = t[i];
	    }
	}
	return r;
    }

    /*@ requires t != null && t.length >= 1;
      @ behavior max_found:
      @  ensures 
      @      0 <= \result < t.length && 
      @      is_max(t,\result,t.length) ;
      @*/
    public static int findMax2(int[] t) {
	int m = t[0];
	int r = 0; 
	/*@ loop_invariant 
	  @   1 <= i <= t.length && 0 <= r < t.length &&
          @   m == t[r] && is_max(t,r,i) ;
	  @ loop_variant t.length-i;
	  @*/
	for (int i=1; i < t.length; i++) {
	    if (t[i] > m) {
		r = i; 
		m = t[i];
	    }
	}
	return r;
    }


    /*@ requires t != null ;
      @ ensures 
      @   \forall integer i; 0 < i < t.length ==> t[i] == \old(t[i-1]);
      @*/
    public static void arrayShift(int[] t) {
	/*@ loop_invariant 
	  @   j < t.length &&
	  @   (t.length > 0 ==>
	  @     (0 <= j && 
          @     (\forall integer i; 0 <= i <= j ==> t[i] == \at(t[i],Pre)) &&
          @     (\forall integer i; j < i < t.length ==> t[i] == \at(t[i-1],Pre))));
	  @ loop_variant j;
	  @*/
      for (int j = t.length-1 ; j > 0 ; j--) {
	  t[j] = t[j-1];
	}
    }


}


/*
Local Variables: 
compile-command: "make Arrays.why3ide"
End: 
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Arrays_findMax2 for method Arrays.findMax2
Generating JC function Arrays_arrayShift for method Arrays.arrayShift
Generating JC function Arrays_findMax for method Arrays.findMax
Generating JC function cons_Arrays for constructor Arrays
Done.
========== file tests/java/Arrays.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Arrays = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate is_max{L}(intM[0..] t, integer i, integer l) =
((Non_null_intM(t) && (((0 <= i) && (i < l)) && (l <= (\offset_max(t) + 1)))) &&
  (\forall integer j;
    (((0 <= j) && (j < l)) ==> ((t + j).intP <= (t + i).intP))))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

integer Arrays_findMax2(intM[0..] t_1)
  requires (K_8 : ((K_7 : Non_null_intM(t_1)) &&
                    (K_6 : ((\offset_max(t_1) + 1) >= 1))));
behavior max_found:
  ensures (K_5 : ((K_4 : ((K_3 : (0 <= \result)) &&
                           (K_2 : (\result < (\offset_max(t_1) + 1))))) &&
                   (K_1 : is_max{Here}(t_1, \result, (\offset_max(t_1) + 1)))));
{  
   {  
      (var integer m = (K_29 : (t_1 + 0).intP));
      
      {  
         (var integer r = (K_28 : 0));
         
         {  
            {  
               {  
                  (var integer i_3 = (K_9 : 1));
                  
                  loop 
                  behavior default:
                    invariant (K_20 : ((K_19 : ((K_18 : ((K_17 : ((K_16 : 
                                                                  (1 <=
                                                                    i_3)) &&
                                                                   (K_15 : 
                                                                   (i_3 <=
                                                                    (\offset_max(t_1) +
                                                                    1))))) &&
                                                          (K_14 : ((K_13 : 
                                                                   (0 <=
                                                                    r)) &&
                                                                    (K_12 : 
                                                                    (r <
                                                                    (\offset_max(t_1) +
                                                                    1))))))) &&
                                                 (K_11 : (m ==
                                                           (t_1 + r).intP)))) &&
                                        (K_10 : is_max{Here}(t_1, r, i_3))));
                  
                  variant (K_21 : ((\offset_max(t_1) + 1) - i_3));
                  for ( ; (K_27 : (i_3 <
                                    (K_26 : java_array_length_intM(t_1)))) ; 
                  (K_25 : (i_3 ++)))
                  {  (if (K_24 : ((K_23 : (t_1 + i_3).intP) > m)) then 
                     {  (r = i_3);
                        (m = (K_22 : (t_1 + i_3).intP))
                     } else ())
                  }
               }
            };
            
            (return r)
         }
      }
   }
}

unit Arrays_arrayShift(intM[0..] t_2)
  requires (K_31 : Non_null_intM(t_2));
behavior default:
  ensures (K_30 : (\forall integer i_0;
                    (((0 < i_0) && (i_0 < (\offset_max(t_2) + 1))) ==>
                      ((t_2 + i_0).intP == \at((t_2 + (i_0 - 1)).intP,Old)))));
{  
   {  
      {  
         (var integer j_0 = (K_33 : ((K_32 : java_array_length_intM(t_2)) -
                                      1)));
         
         loop 
         behavior default:
           invariant (K_36 : ((K_35 : (j_0 < (\offset_max(t_2) + 1))) &&
                               (K_34 : (((\offset_max(t_2) + 1) > 0) ==>
                                         (((0 <= j_0) &&
                                            (\forall integer i_1;
                                              (((0 <= i_1) && (i_1 <= j_0)) ==>
                                                ((t_2 + i_1).intP ==
                                                  \at((t_2 + i_1).intP,Pre))))) &&
                                           (\forall integer i_2;
                                             (((j_0 < i_2) &&
                                                (i_2 <
                                                  (\offset_max(t_2) + 1))) ==>
                                               ((t_2 + i_2).intP ==
                                                 \at((t_2 + (i_2 - 1)).intP,Pre)))))))));
         
         variant (K_37 : j_0);
         for ( ; (K_42 : (j_0 > 0)) ; (K_41 : (j_0 --)))
         {  (K_40 : ((t_2 + j_0).intP = (K_39 : (t_2 + (K_38 : (j_0 - 1))).intP)))
         }
      }
   }
}

integer Arrays_findMax(intM[0..] t_0)
  requires (K_52 : ((K_51 : Non_null_intM(t_0)) &&
                     (K_50 : ((K_49 : (1 <= (\offset_max(t_0) + 1))) &&
                               (K_48 : ((\offset_max(t_0) + 1) <= 32767))))));
behavior max_found:
  ensures (K_47 : ((K_46 : ((K_45 : (0 <= \result)) &&
                             (K_44 : (\result < (\offset_max(t_0) + 1))))) &&
                    (K_43 : (\forall integer i_4;
                              (((0 <= i_4) && (i_4 < (\offset_max(t_0) + 1))) ==>
                                ((t_0 + i_4).intP <= (t_0 + \result).intP))))));
{  
   {  
      (var integer m_0 = (K_73 : (t_0 + 0).intP));
      
      {  
         (var integer r_0 = (K_72 : 0));
         
         {  
            {  
               {  
                  (var integer i_5 = (K_53 : 1));
                  
                  loop 
                  behavior default:
                    invariant (K_64 : ((K_63 : ((K_62 : ((K_61 : ((K_60 : 
                                                                  (1 <=
                                                                    i_5)) &&
                                                                   (K_59 : 
                                                                   (i_5 <=
                                                                    (\offset_max(t_0) +
                                                                    1))))) &&
                                                          (K_58 : ((K_57 : 
                                                                   (0 <=
                                                                    r_0)) &&
                                                                    (K_56 : 
                                                                    (r_0 <
                                                                    (\offset_max(t_0) +
                                                                    1))))))) &&
                                                 (K_55 : (m_0 ==
                                                           (t_0 + r_0).intP)))) &&
                                        (K_54 : (\forall integer j_1;
                                                  (((0 <= j_1) &&
                                                     (j_1 < i_5)) ==>
                                                    ((t_0 + j_1).intP <= m_0))))));
                  
                  variant (K_65 : ((\offset_max(t_0) + 1) - i_5));
                  for ( ; (K_71 : (i_5 <
                                    (K_70 : java_array_length_intM(t_0)))) ; 
                  (K_69 : (i_5 ++)))
                  {  (if (K_68 : ((K_67 : (t_0 + i_5).intP) > m_0)) then 
                     {  (r_0 = i_5);
                        (m_0 = (K_66 : (t_0 + i_5).intP))
                     } else ())
                  }
               }
            };
            
            (return r_0)
         }
      }
   }
}

unit cons_Arrays(! Arrays[0] this_0){()}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Arrays.jloc tests/java/Arrays.jc && make -f tests/java/Arrays.makefile gui"
End:
*/
========== file tests/java/Arrays.jloc ==========
[K_73]
file = "HOME/tests/java/Arrays.java"
line = 54
begin = 9
end = 13

[K_30]
file = "HOME/tests/java/Arrays.java"
line = 96
begin = 10
end = 70

[K_23]
file = "HOME/tests/java/Arrays.java"
line = 85
begin = 9
end = 13

[K_33]
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 19
end = 29

[Arrays_findMax2]
name = "Method findMax2"
file = "HOME/tests/java/Arrays.java"
line = 76
begin = 22
end = 30

[K_70]
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 21
end = 29

[K_49]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 30
end = 43

[K_17]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 25

[K_11]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 14
end = 23

[K_38]
file = "HOME/tests/java/Arrays.java"
line = 108
begin = 12
end = 15

[K_25]
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 29
end = 32

[K_13]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 29
end = 35

[K_60]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 20

[K_64]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 129

[K_9]
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 12
end = 13

[K_71]
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 17
end = 29

[K_44]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 18
end = 36

[K_28]
file = "HOME/tests/java/Arrays.java"
line = 78
begin = 9
end = 10

[K_68]
file = "HOME/tests/java/Arrays.java"
line = 62
begin = 9
end = 17

[K_52]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 17
end = 52

[K_1]
file = "HOME/tests/java/Arrays.java"
line = 74
begin = 13
end = 39

[K_15]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 12
end = 25

[K_4]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 36

[K_12]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 34
end = 46

[K_55]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 14
end = 23

[K_34]
file = "HOME/tests/java/Arrays.java"
line = 101
begin = 8
end = 206

[K_20]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 90

[K_63]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 80

[K_59]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 19
end = 32

[K_58]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 36
end = 53

[K_53]
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 14
end = 15

[K_2]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 18
end = 36

[K_41]
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 40
end = 43

[K_50]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 30
end = 52

[K_47]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 134

[K_29]
file = "HOME/tests/java/Arrays.java"
line = 77
begin = 9
end = 13

[K_10]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 27
end = 40

[K_35]
file = "HOME/tests/java/Arrays.java"
line = 100
begin = 7
end = 19

[K_6]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 30
end = 43

[K_8]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 17
end = 43

[K_72]
file = "HOME/tests/java/Arrays.java"
line = 55
begin = 11
end = 12

[K_48]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 35
end = 52

[K_3]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 25

[K_66]
file = "HOME/tests/java/Arrays.java"
line = 64
begin = 6
end = 10

[K_31]
file = "HOME/tests/java/Arrays.java"
line = 94
begin = 17
end = 26

[K_67]
file = "HOME/tests/java/Arrays.java"
line = 62
begin = 9
end = 13

[Arrays_findMax]
name = "Method findMax"
file = "HOME/tests/java/Arrays.java"
line = 53
begin = 24
end = 31

[K_62]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 53

[Arrays_arrayShift]
name = "Method arrayShift"
file = "HOME/tests/java/Arrays.java"
line = 98
begin = 23
end = 33

[K_32]
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 19
end = 27

[K_27]
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 15
end = 27

[K_46]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 36

[K_21]
file = "HOME/tests/java/Arrays.java"
line = 82
begin = 18
end = 28

[K_42]
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 32
end = 37

[K_24]
file = "HOME/tests/java/Arrays.java"
line = 85
begin = 9
end = 17

[K_56]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 41
end = 53

[K_14]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 29
end = 46

[K_39]
file = "HOME/tests/java/Arrays.java"
line = 108
begin = 10
end = 16

[K_36]
file = "HOME/tests/java/Arrays.java"
line = 100
begin = 7
end = 230

[K_57]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 36
end = 42

[K_69]
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 31
end = 34

[K_65]
file = "HOME/tests/java/Arrays.java"
line = 59
begin = 25
end = 35

[K_37]
file = "HOME/tests/java/Arrays.java"
line = 105
begin = 18
end = 19

[cons_Arrays]
name = "Constructor of class Arrays"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_54]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 28
end = 71

[K_19]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 73

[K_5]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 80

[K_51]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 17
end = 26

[K_18]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 46

[K_61]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 32

[K_7]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 17
end = 26

[K_40]
file = "HOME/tests/java/Arrays.java"
line = 108
begin = 3
end = 16

[K_26]
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 19
end = 27

[K_22]
file = "HOME/tests/java/Arrays.java"
line = 87
begin = 6
end = 10

[K_45]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 25

[K_16]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 13

[K_43]
file = "HOME/tests/java/Arrays.java"
line = 50
begin = 14
end = 92

========== jessie execution ==========
Generating Why function Arrays_findMax2
Generating Why function Arrays_arrayShift
Generating Why function Arrays_findMax
Generating Why function cons_Arrays
========== file tests/java/Arrays.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Arrays.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Arrays.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Arrays_why.sx

project: why/Arrays.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Arrays_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Arrays_why.vo

coq/Arrays_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Arrays_why.v: why/Arrays.why
	@echo 'why -coq [...] why/Arrays.why' && $(WHY) $(JESSIELIBFILES) why/Arrays.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Arrays_ctx_why.vo
	for f in why/*_po*.why; do make -f Arrays.makefile coq/`basename $$f .why`_why.v ; done

coq/Arrays_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Arrays_ctx_why.v: why/Arrays_ctx.why
	@echo 'why -coq [...] why/Arrays_ctx.why' && $(WHY) why/Arrays_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Arrays_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Arrays_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Arrays_ctx_why.vo

pvs: pvs/Arrays_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Arrays_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Arrays_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Arrays_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Arrays_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Arrays_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Arrays_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Arrays_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Arrays_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Arrays_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Arrays_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Arrays_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Arrays_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Arrays_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Arrays_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Arrays.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Arrays_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Arrays.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Arrays.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Arrays.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Arrays.depend

depend: coq/Arrays_why.v
	-$(COQDEP) -I coq coq/Arrays*_why.v > Arrays.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Arrays.loc ==========
[JC_176]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 14
end = 23

[JC_177]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 28
end = 71

[JC_94]
file = "HOME/tests/java/Arrays.jc"
line = 88
begin = 18
end = 1821

[JC_73]
kind = PointerDeref
file = "HOME/tests/java/Arrays.java"
line = 87
begin = 6
end = 10

[Arrays_findMax_ensures_default]
name = "Method findMax"
behavior = "default behavior"
file = "HOME/tests/java/Arrays.java"
line = 53
begin = 24
end = 31

[JC_158]
kind = PointerDeref
file = "HOME/tests/java/Arrays.java"
line = 62
begin = 9
end = 13

[JC_63]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 34
end = 46

[JC_80]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 27
end = 40

[JC_51]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 25

[JC_71]
kind = IndexBounds
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 19
end = 27

[JC_147]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 19
end = 32

[JC_151]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 28
end = 71

[JC_45]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 17
end = 43

[JC_123]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 17
end = 26

[JC_106]
kind = IndexBounds
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 19
end = 27

[JC_143]
file = "HOME/tests/java/Arrays.java"
line = 50
begin = 14
end = 92

[JC_113]
kind = PointerDeref
file = "HOME/tests/java/Arrays.java"
line = 108
begin = 10
end = 16

[JC_116]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 19
end = 27

[JC_64]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 14
end = 23

[Arrays_findMax_safety]
name = "Method findMax"
behavior = "Safety"
file = "HOME/tests/java/Arrays.java"
line = 53
begin = 24
end = 31

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_188]
file = "HOME/"
line = 0
begin = -1
end = -1

[Arrays_findMax_ensures_max_found]
name = "Method findMax"
behavior = "Behavior `max_found'"
file = "HOME/tests/java/Arrays.java"
line = 53
begin = 24
end = 31

[JC_180]
file = "HOME/tests/java/Arrays.jc"
line = 184
begin = 18
end = 2047

[JC_99]
file = "HOME/tests/java/Arrays.java"
line = 94
begin = 17
end = 26

[JC_85]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 19
end = 27

[JC_126]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 17
end = 52

[JC_170]
file = "HOME/tests/java/Arrays.jc"
line = 184
begin = 18
end = 2047

[JC_31]
file = "HOME/tests/java/Arrays.jc"
line = 55
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_122]
file = "HOME/tests/java/Arrays.jc"
line = 138
begin = 9
end = 1153

[JC_81]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 90

[JC_55]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 25

[JC_138]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 18
end = 36

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 36
end = 42

[JC_137]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 25

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/Arrays.jc"
line = 51
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 20

[JC_121]
file = "HOME/tests/java/Arrays.jc"
line = 138
begin = 9
end = 1153

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 35
end = 52

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Arrays.jc"
line = 42
begin = 8
end = 21

[JC_75]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 13

[JC_24]
file = "HOME/tests/java/Arrays.jc"
line = 50
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/Arrays.jc"
line = 51
begin = 11
end = 103

[JC_189]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 34
end = 46

[JC_175]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 41
end = 53

[JC_41]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 17
end = 43

[JC_74]
file = "HOME/tests/java/Arrays.java"
line = 82
begin = 18
end = 28

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 18
end = 36

[JC_26]
file = "HOME/tests/java/Arrays.jc"
line = 50
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[Arrays_findMax2_ensures_default]
name = "Method findMax2"
behavior = "default behavior"
file = "HOME/tests/java/Arrays.java"
line = 76
begin = 22
end = 30

[JC_154]
file = "HOME/tests/java/Arrays.jc"
line = 184
begin = 18
end = 2047

[JC_54]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 80

[JC_79]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 14
end = 23

[Arrays_findMax2_safety]
name = "Method findMax2"
behavior = "Safety"
file = "HOME/tests/java/Arrays.java"
line = 76
begin = 22
end = 30

[cons_Arrays_ensures_default]
name = "Constructor of class Arrays"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/Arrays.jc"
line = 45
begin = 11
end = 66

[JC_130]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 35
end = 52

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 36
end = 42

[JC_163]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 36
end = 42

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Arrays_safety]
name = "Constructor of class Arrays"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 12
end = 25

[JC_11]
file = "HOME/tests/java/Arrays.jc"
line = 42
begin = 8
end = 21

[JC_185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 129

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 19
end = 27

[JC_15]
file = "HOME/tests/java/Arrays.jc"
line = 45
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_182]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 21
end = 29

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 27
end = 40

[JC_39]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 17
end = 26

[JC_112]
file = "HOME/tests/java/Arrays.jc"
line = 138
begin = 9
end = 1153

[JC_40]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 30
end = 43

[JC_162]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 19
end = 32

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
file = "HOME/tests/java/Arrays.jc"
line = 184
begin = 18
end = 2047

[JC_83]
file = "HOME/tests/java/Arrays.jc"
line = 88
begin = 18
end = 1821

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/tests/java/Arrays.java"
line = 105
begin = 18
end = 19

[JC_109]
file = "HOME/tests/java/Arrays.java"
line = 100
begin = 7
end = 230

[JC_107]
file = "HOME/tests/java/Arrays.java"
line = 100
begin = 7
end = 19

[JC_69]
file = "HOME/tests/java/Arrays.jc"
line = 88
begin = 18
end = 1821

[JC_179]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 30
end = 43

[JC_38]
file = "HOME/tests/java/Arrays.jc"
line = 57
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 21
end = 29

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_171]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 21
end = 29

[JC_164]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 41
end = 53

[JC_44]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 30
end = 43

[JC_155]
file = "HOME/tests/java/Arrays.jc"
line = 184
begin = 18
end = 2047

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[Arrays_arrayShift_safety]
name = "Method arrayShift"
behavior = "Safety"
file = "HOME/tests/java/Arrays.java"
line = 98
begin = 23
end = 33

[JC_62]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 29
end = 35

[JC_101]
file = "HOME/tests/java/Arrays.java"
line = 96
begin = 10
end = 70

[JC_88]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 29
end = 35

[JC_129]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 30
end = 43

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_178]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 129

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 28
end = 71

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 25

[JC_61]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 12
end = 25

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 18
end = 36

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 27
end = 40

[JC_118]
file = "HOME/tests/java/Arrays.java"
line = 101
begin = 8
end = 206

[JC_173]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 19
end = 32

[JC_105]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 107
begin = 19
end = 27

[JC_140]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 134

[JC_29]
file = "HOME/tests/java/Arrays.jc"
line = 55
begin = 8
end = 23

[JC_144]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 13
end = 134

[JC_159]
kind = PointerDeref
file = "HOME/tests/java/Arrays.java"
line = 64
begin = 6
end = 10

[JC_68]
file = "HOME/tests/java/Arrays.jc"
line = 88
begin = 18
end = 1821

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/Arrays.jc"
line = 44
begin = 10
end = 18

[JC_96]
kind = UserCall
file = "HOME/tests/java/Arrays.java"
line = 84
begin = 19
end = 27

[JC_43]
file = "HOME/tests/java/Arrays.java"
line = 70
begin = 17
end = 26

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/Arrays.jc"
line = 88
begin = 18
end = 1821

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/tests/java/Arrays.java"
line = 94
begin = 17
end = 26

[JC_84]
file = "HOME/tests/java/Arrays.jc"
line = 88
begin = 18
end = 1821

[JC_160]
file = "HOME/tests/java/Arrays.java"
line = 59
begin = 25
end = 35

[JC_128]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 17
end = 26

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
kind = PointerDeref
file = "HOME/tests/java/Arrays.jc"
line = 156
begin = 21
end = 80

[JC_14]
file = "HOME/tests/java/Arrays.jc"
line = 44
begin = 10
end = 18

[JC_150]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 14
end = 23

[JC_117]
file = "HOME/tests/java/Arrays.java"
line = 100
begin = 7
end = 19

[JC_90]
file = "HOME/tests/java/Arrays.java"
line = 81
begin = 14
end = 23

[JC_53]
file = "HOME/tests/java/Arrays.java"
line = 74
begin = 13
end = 39

[JC_157]
kind = IndexBounds
file = "HOME/tests/java/Arrays.java"
line = 61
begin = 21
end = 29

[JC_145]
kind = IndexBounds
file = "HOME/tests/java/Arrays.java"
line = 54
begin = 9
end = 13

[JC_21]
file = "HOME/tests/java/Arrays.jc"
line = 48
begin = 8
end = 30

[JC_149]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 41
end = 53

[JC_111]
file = "HOME/tests/java/Arrays.jc"
line = 138
begin = 9
end = 1153

[JC_77]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 29
end = 35

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Arrays.jc"
line = 13
begin = 12
end = 22

[JC_131]
file = "HOME/tests/java/Arrays.java"
line = 46
begin = 17
end = 52

[JC_102]
file = "HOME/tests/java/Arrays.java"
line = 96
begin = 10
end = 70

[JC_37]
file = "HOME/tests/java/Arrays.jc"
line = 57
begin = 11
end = 65

[JC_181]
file = "HOME/tests/java/Arrays.jc"
line = 184
begin = 18
end = 2047

[JC_142]
file = "HOME/tests/java/Arrays.java"
line = 49
begin = 18
end = 36

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/tests/java/Arrays.java"
line = 101
begin = 8
end = 206

[JC_57]
file = "HOME/tests/java/Arrays.java"
line = 74
begin = 13
end = 39

[JC_161]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 20

[JC_146]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 20

[JC_89]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 34
end = 46

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 90

[JC_59]
kind = IndexBounds
file = "HOME/tests/java/Arrays.java"
line = 77
begin = 9
end = 13

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/tests/java/Arrays.java"
line = 58
begin = 14
end = 23

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Arrays.jc"
line = 13
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 90

[JC_152]
file = "HOME/tests/java/Arrays.java"
line = 57
begin = 14
end = 129

[JC_86]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 13

[JC_60]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 7
end = 13

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/tests/java/Arrays.java"
line = 50
begin = 14
end = 92

[Arrays_findMax2_ensures_max_found]
name = "Method findMax2"
behavior = "Behavior `max_found'"
file = "HOME/tests/java/Arrays.java"
line = 76
begin = 22
end = 30

[JC_72]
kind = PointerDeref
file = "HOME/tests/java/Arrays.java"
line = 85
begin = 9
end = 13

[JC_19]
file = "HOME/tests/java/Arrays.jc"
line = 48
begin = 8
end = 30

[JC_119]
file = "HOME/tests/java/Arrays.java"
line = 100
begin = 7
end = 230

[JC_187]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/tests/java/Arrays.java"
line = 80
begin = 12
end = 25

[Arrays_arrayShift_ensures_default]
name = "Method arrayShift"
behavior = "default behavior"
file = "HOME/tests/java/Arrays.java"
line = 98
begin = 23
end = 33

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/Arrays.java"
line = 73
begin = 13
end = 80

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Arrays.why ==========
type Object

type interface

logic Arrays_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Arrays_parenttag_Object : parenttag(Arrays_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate is_max(t:Object pointer, i:int, l:int,
 Object_alloc_table_at_L:Object alloc_table,
 intM_intP_at_L:(Object, int) memory) =
 (Non_null_intM(t, Object_alloc_table_at_L)
 and (le_int((0), i)
     and (lt_int(i, l)
         and (le_int(l, add_int(offset_max(Object_alloc_table_at_L, t), (1)))
             and (forall j:int.
                  ((le_int((0), j) and lt_int(j, l)) ->
                   le_int(select(intM_intP_at_L, shift(t, j)),
                   select(intM_intP_at_L, shift(t, i)))))))))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Arrays(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Arrays(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Arrays(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Arrays(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Object_alloc_table : Object alloc_table ref

parameter intM_intP : (Object, int) memory ref

parameter Arrays_arrayShift :
 t_2:Object pointer ->
  { } unit reads Object_alloc_table,intM_intP writes intM_intP
  { (JC_102:
    (forall i_0:int.
     ((lt_int((0), i_0)
      and lt_int(i_0, add_int(offset_max(Object_alloc_table, t_2), (1)))) ->
      (select(intM_intP, shift(t_2, i_0)) = select(intM_intP@,
                                            shift(t_2, sub_int(i_0, (1)))))))) }

parameter Arrays_arrayShift_requires :
 t_2:Object pointer ->
  { (JC_97: Non_null_intM(t_2, Object_alloc_table))} unit
  reads Object_alloc_table,intM_intP writes intM_intP
  { (JC_102:
    (forall i_0:int.
     ((lt_int((0), i_0)
      and lt_int(i_0, add_int(offset_max(Object_alloc_table, t_2), (1)))) ->
      (select(intM_intP, shift(t_2, i_0)) = select(intM_intP@,
                                            shift(t_2, sub_int(i_0, (1)))))))) }

parameter Arrays_findMax :
 t_0:Object pointer ->
  { } int reads Object_alloc_table,intM_intP
  { (JC_144:
    ((JC_141: le_int((0), result))
    and ((JC_142:
         lt_int(result, add_int(offset_max(Object_alloc_table, t_0), (1))))
        and (JC_143:
            (forall i_4:int.
             ((le_int((0), i_4)
              and lt_int(i_4,
                  add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
              le_int(select(intM_intP, shift(t_0, i_4)),
              select(intM_intP, shift(t_0, result))))))))) }

parameter Arrays_findMax2 :
 t_1:Object pointer ->
  { } int reads Object_alloc_table,intM_intP
  { (JC_58:
    ((JC_55: le_int((0), result))
    and ((JC_56:
         lt_int(result, add_int(offset_max(Object_alloc_table, t_1), (1))))
        and (JC_57:
            is_max(t_1, result,
            add_int(offset_max(Object_alloc_table, t_1), (1)),
            Object_alloc_table, intM_intP))))) }

parameter Arrays_findMax2_requires :
 t_1:Object pointer ->
  { (JC_41:
    ((JC_39: Non_null_intM(t_1, Object_alloc_table))
    and (JC_40:
        ge_int(add_int(offset_max(Object_alloc_table, t_1), (1)), (1)))))}
  int reads Object_alloc_table,intM_intP
  { (JC_58:
    ((JC_55: le_int((0), result))
    and ((JC_56:
         lt_int(result, add_int(offset_max(Object_alloc_table, t_1), (1))))
        and (JC_57:
            is_max(t_1, result,
            add_int(offset_max(Object_alloc_table, t_1), (1)),
            Object_alloc_table, intM_intP))))) }

parameter Arrays_findMax_requires :
 t_0:Object pointer ->
  { (JC_126:
    ((JC_123: Non_null_intM(t_0, Object_alloc_table))
    and ((JC_124:
         le_int((1), add_int(offset_max(Object_alloc_table, t_0), (1))))
        and (JC_125:
            le_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
            (32767))))))}
  int reads Object_alloc_table,intM_intP
  { (JC_144:
    ((JC_141: le_int((0), result))
    and ((JC_142:
         lt_int(result, add_int(offset_max(Object_alloc_table, t_0), (1))))
        and (JC_143:
            (forall i_4:int.
             ((le_int((0), i_4)
              and lt_int(i_4,
                  add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
              le_int(select(intM_intP, shift(t_0, i_4)),
              select(intM_intP, shift(t_0, result))))))))) }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Arrays :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Arrays(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Arrays_tag)))) }

parameter alloc_struct_Arrays_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Arrays(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Arrays_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Arrays :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Arrays_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

let Arrays_arrayShift_ensures_default =
 fun (t_2 : Object pointer) ->
  { (left_valid_struct_intM(t_2, (0), Object_alloc_table)
    and (JC_99: Non_null_intM(t_2, Object_alloc_table))) }
  (init:
  try
   begin
     (let j_0 =
     ref (K_33:
         ((sub_int (K_32:
                   (let _jessie_ = t_2 in
                   (JC_116: (java_array_length_intM _jessie_))))) (1))) in
     try
      (loop_5:
      while true do
      { invariant
          (JC_119:
          ((JC_117:
           lt_int(j_0, add_int(offset_max(Object_alloc_table, t_2), (1))))
          and (JC_118:
              (gt_int(add_int(offset_max(Object_alloc_table, t_2), (1)), (0)) ->
               (le_int((0), j_0)
               and ((forall i_1:int.
                     ((le_int((0), i_1) and le_int(i_1, j_0)) ->
                      (select(intM_intP, shift(t_2, i_1)) = select(intM_intP@init,
                                                            shift(t_2, i_1)))))
                   and (forall i_2:int.
                        ((lt_int(j_0, i_2)
                         and lt_int(i_2,
                             add_int(offset_max(Object_alloc_table, t_2),
                             (1)))) ->
                         (select(intM_intP, shift(t_2, i_2)) = select(intM_intP@init,
                                                               shift(t_2,
                                                               sub_int(i_2,
                                                               (1)))))))))))))
         }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_42: ((gt_int_ !j_0) (0)))
           then
            (let _jessie_ =
            (K_40:
            (let _jessie_ =
            (K_39:
            ((safe_acc_ !intM_intP) ((shift t_2) (K_38: ((sub_int !j_0) (1)))))) in
            (let _jessie_ = t_2 in
            (let _jessie_ = !j_0 in
            (let _jessie_ = ((shift _jessie_) _jessie_) in
            begin
              (((safe_upd_ intM_intP) _jessie_) _jessie_); _jessie_ end))))) in
            void) else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_41:
         (let _jessie_ = !j_0 in
         begin
           (let _jessie_ = (j_0 := ((sub_int _jessie_) (1))) in void);
          _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (raise Return) end with Return ->
   void end)
  { (JC_101:
    (forall i_0:int.
     ((lt_int((0), i_0)
      and lt_int(i_0, add_int(offset_max(Object_alloc_table, t_2), (1)))) ->
      (select(intM_intP, shift(t_2, i_0)) = select(intM_intP@,
                                            shift(t_2, sub_int(i_0, (1)))))))) }

let Arrays_arrayShift_safety =
 fun (t_2 : Object pointer) ->
  { (left_valid_struct_intM(t_2, (0), Object_alloc_table)
    and (JC_99: Non_null_intM(t_2, Object_alloc_table))) }
  (init:
  try
   begin
     (let j_0 =
     ref (K_33:
         ((sub_int (K_32:
                   (let _jessie_ = t_2 in
                   (JC_106:
                   (assert
                   { ge_int(offset_max(Object_alloc_table, _jessie_), (-1)) };
                   (JC_105: (java_array_length_intM_requires _jessie_))))))) (1))) in
     try
      (loop_4:
      while true do
      { invariant (JC_111: true) variant (JC_115 : j_0) }
       begin
         [ { } unit reads Object_alloc_table,intM_intP,j_0
           { (JC_109:
             ((JC_107:
              lt_int(j_0, add_int(offset_max(Object_alloc_table, t_2), (1))))
             and (JC_108:
                 (gt_int(add_int(offset_max(Object_alloc_table, t_2), (1)),
                  (0)) ->
                  (le_int((0), j_0)
                  and ((forall i_1:int.
                        ((le_int((0), i_1) and le_int(i_1, j_0)) ->
                         (select(intM_intP, shift(t_2, i_1)) = select(intM_intP@init,
                                                               shift(t_2,
                                                               i_1)))))
                      and (forall i_2:int.
                           ((lt_int(j_0, i_2)
                            and lt_int(i_2,
                                add_int(offset_max(Object_alloc_table, t_2),
                                (1)))) ->
                            (select(intM_intP, shift(t_2, i_2)) = select(intM_intP@init,
                                                                  shift(t_2,
                                                                  sub_int(i_2,
                                                                  (1))))))))))))) } ];
        try
         begin
           (if (K_42: ((gt_int_ !j_0) (0)))
           then
            (let _jessie_ =
            (K_40:
            (let _jessie_ =
            (K_39:
            (JC_113:
            ((((offset_acc_ !Object_alloc_table) !intM_intP) t_2) (K_38:
                                                                  ((sub_int !j_0) (1)))))) in
            (let _jessie_ = t_2 in
            (let _jessie_ = !j_0 in
            (let _jessie_ = ((shift _jessie_) _jessie_) in
            (JC_114:
            begin
              (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_);
             _jessie_ end)))))) in void) else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ ->
         (let _jessie_ =
         (K_41:
         (let _jessie_ = !j_0 in
         begin
           (let _jessie_ = (j_0 := ((sub_int _jessie_) (1))) in void);
          _jessie_ end)) in void) end end done) with
      Loop_exit_exc _jessie_ -> void end); (raise Return) end with Return ->
   void end) { true }

let Arrays_findMax2_ensures_default =
 fun (t_1 : Object pointer) ->
  { (left_valid_struct_intM(t_1, (0), Object_alloc_table)
    and (JC_45:
        ((JC_43: Non_null_intM(t_1, Object_alloc_table))
        and (JC_44:
            ge_int(add_int(offset_max(Object_alloc_table, t_1), (1)), (1)))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let m = ref (K_29: ((safe_acc_ !intM_intP) ((shift t_1) (0)))) in
     (let r = ref (K_28: (0)) in
     begin
       (let i_3 = ref (K_9: (1)) in
       try
        (loop_2:
        while true do
        { invariant
            (JC_81:
            ((JC_75: le_int((1), i_3))
            and ((JC_76:
                 le_int(i_3,
                 add_int(offset_max(Object_alloc_table, t_1), (1))))
                and ((JC_77: le_int((0), r))
                    and ((JC_78:
                         lt_int(r,
                         add_int(offset_max(Object_alloc_table, t_1), (1))))
                        and ((JC_79: (m = select(intM_intP, shift(t_1, r))))
                            and (JC_80:
                                is_max(t_1, r, i_3, Object_alloc_table,
                                intM_intP))))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_27:
                 ((lt_int_ !i_3) (K_26:
                                 (let _jessie_ = t_1 in
                                 (JC_85: (java_array_length_intM _jessie_))))))
             then
              (if (K_24:
                  ((gt_int_ (K_23:
                            ((safe_acc_ !intM_intP) ((shift t_1) !i_3)))) !m))
              then
               (let _jessie_ =
               begin
                 (let _jessie_ = (r := !i_3) in void);
                (m := (K_22: ((safe_acc_ !intM_intP) ((shift t_1) !i_3))));
                !m end in void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_25:
           (let _jessie_ = !i_3 in
           begin
             (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !r); (raise Return)
     end)); absurd  end with Return -> !return end)) { (JC_47: true) }

let Arrays_findMax2_ensures_max_found =
 fun (t_1 : Object pointer) ->
  { (left_valid_struct_intM(t_1, (0), Object_alloc_table)
    and (JC_45:
        ((JC_43: Non_null_intM(t_1, Object_alloc_table))
        and (JC_44:
            ge_int(add_int(offset_max(Object_alloc_table, t_1), (1)), (1)))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let m = ref (K_29: ((safe_acc_ !intM_intP) ((shift t_1) (0)))) in
     (let r = ref (K_28: (0)) in
     begin
       (let i_3 = ref (K_9: (1)) in
       try
        (loop_3:
        while true do
        { invariant (JC_94: true)  }
         begin
           [ { } unit reads Object_alloc_table,i_3,intM_intP,m,r
             { (JC_92:
               ((JC_86: le_int((1), i_3))
               and ((JC_87:
                    le_int(i_3,
                    add_int(offset_max(Object_alloc_table, t_1), (1))))
                   and ((JC_88: le_int((0), r))
                       and ((JC_89:
                            lt_int(r,
                            add_int(offset_max(Object_alloc_table, t_1), (1))))
                           and ((JC_90:
                                (m = select(intM_intP, shift(t_1, r))))
                               and (JC_91:
                                   is_max(t_1, r, i_3, Object_alloc_table,
                                   intM_intP)))))))) } ];
          try
           begin
             (if (K_27:
                 ((lt_int_ !i_3) (K_26:
                                 (let _jessie_ = t_1 in
                                 (JC_96: (java_array_length_intM _jessie_))))))
             then
              (if (K_24:
                  ((gt_int_ (K_23:
                            ((safe_acc_ !intM_intP) ((shift t_1) !i_3)))) !m))
              then
               (let _jessie_ =
               begin
                 (let _jessie_ = (r := !i_3) in void);
                (m := (K_22: ((safe_acc_ !intM_intP) ((shift t_1) !i_3))));
                !m end in void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_25:
           (let _jessie_ = !i_3 in
           begin
             (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !r); (raise Return)
     end)); absurd  end with Return -> !return end))
  { (JC_54:
    ((JC_51: le_int((0), result))
    and ((JC_52:
         lt_int(result, add_int(offset_max(Object_alloc_table, t_1), (1))))
        and (JC_53:
            is_max(t_1, result,
            add_int(offset_max(Object_alloc_table, t_1), (1)),
            Object_alloc_table, intM_intP))))) }

let Arrays_findMax2_safety =
 fun (t_1 : Object pointer) ->
  { (left_valid_struct_intM(t_1, (0), Object_alloc_table)
    and (JC_45:
        ((JC_43: Non_null_intM(t_1, Object_alloc_table))
        and (JC_44:
            ge_int(add_int(offset_max(Object_alloc_table, t_1), (1)), (1)))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let m =
     ref (K_29:
         (JC_59:
         ((((lsafe_lbound_acc_ !Object_alloc_table) !intM_intP) t_1) (0)))) in
     (let r = ref (K_28: (0)) in
     begin
       (let i_3 = ref (K_9: (1)) in
       try
        (loop_1:
        while true do
        { invariant (JC_68: true)
          variant (JC_74 : sub_int(add_int(offset_max(Object_alloc_table,
                                           t_1),
                                   (1)),
                           i_3)) }
         begin
           [ { } unit reads Object_alloc_table,i_3,intM_intP,m,r
             { (JC_66:
               ((JC_60: le_int((1), i_3))
               and ((JC_61:
                    le_int(i_3,
                    add_int(offset_max(Object_alloc_table, t_1), (1))))
                   and ((JC_62: le_int((0), r))
                       and ((JC_63:
                            lt_int(r,
                            add_int(offset_max(Object_alloc_table, t_1), (1))))
                           and ((JC_64:
                                (m = select(intM_intP, shift(t_1, r))))
                               and (JC_65:
                                   is_max(t_1, r, i_3, Object_alloc_table,
                                   intM_intP)))))))) } ];
          try
           begin
             (if (K_27:
                 ((lt_int_ !i_3) (K_26:
                                 (let _jessie_ = t_1 in
                                 (JC_71:
                                 (assert
                                 { ge_int(offset_max(Object_alloc_table,
                                          _jessie_),
                                   (-1)) };
                                 (JC_70:
                                 (java_array_length_intM_requires _jessie_))))))))
             then
              (if (K_24:
                  ((gt_int_ (K_23:
                            (JC_72:
                            ((((offset_acc_ !Object_alloc_table) !intM_intP) t_1) !i_3)))) !m))
              then
               (let _jessie_ =
               begin
                 (let _jessie_ = (r := !i_3) in void);
                (m := (K_22:
                      (JC_73:
                      ((((offset_acc_ !Object_alloc_table) !intM_intP) t_1) !i_3))));
                !m end in void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_25:
           (let _jessie_ = !i_3 in
           begin
             (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !r); (raise Return)
     end)); absurd  end with Return -> !return end)) { true }

let Arrays_findMax_ensures_default =
 fun (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_131:
        ((JC_128: Non_null_intM(t_0, Object_alloc_table))
        and ((JC_129:
             le_int((1), add_int(offset_max(Object_alloc_table, t_0), (1))))
            and (JC_130:
                le_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                (32767))))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let m_0 = ref (K_73: ((safe_acc_ !intM_intP) ((shift t_0) (0)))) in
     (let r_0 = ref (K_72: (0)) in
     begin
       (let i_5 = ref (K_53: (1)) in
       try
        (loop_7:
        while true do
        { invariant
            (JC_167:
            ((JC_161: le_int((1), i_5))
            and ((JC_162:
                 le_int(i_5,
                 add_int(offset_max(Object_alloc_table, t_0), (1))))
                and ((JC_163: le_int((0), r_0))
                    and ((JC_164:
                         lt_int(r_0,
                         add_int(offset_max(Object_alloc_table, t_0), (1))))
                        and ((JC_165:
                             (m_0 = select(intM_intP, shift(t_0, r_0))))
                            and (JC_166:
                                (forall j_1:int.
                                 ((le_int((0), j_1) and lt_int(j_1, i_5)) ->
                                  le_int(select(intM_intP, shift(t_0, j_1)),
                                  m_0))))))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_71:
                 ((lt_int_ !i_5) (K_70:
                                 (let _jessie_ = t_0 in
                                 (JC_171:
                                 (java_array_length_intM _jessie_))))))
             then
              (if (K_68:
                  ((gt_int_ (K_67:
                            ((safe_acc_ !intM_intP) ((shift t_0) !i_5)))) !m_0))
              then
               (let _jessie_ =
               begin
                 (let _jessie_ = (r_0 := !i_5) in void);
                (m_0 := (K_66: ((safe_acc_ !intM_intP) ((shift t_0) !i_5))));
                !m_0 end in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_69:
           (let _jessie_ = !i_5 in
           begin
             (let _jessie_ = (i_5 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !r_0);
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_133: true) }

let Arrays_findMax_ensures_max_found =
 fun (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_131:
        ((JC_128: Non_null_intM(t_0, Object_alloc_table))
        and ((JC_129:
             le_int((1), add_int(offset_max(Object_alloc_table, t_0), (1))))
            and (JC_130:
                le_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                (32767))))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let m_0 = ref (K_73: ((safe_acc_ !intM_intP) ((shift t_0) (0)))) in
     (let r_0 = ref (K_72: (0)) in
     begin
       (let i_5 = ref (K_53: (1)) in
       try
        (loop_8:
        while true do
        { invariant (JC_180: true)  }
         begin
           [ { } unit reads Object_alloc_table,i_5,intM_intP,m_0,r_0
             { (JC_178:
               ((JC_172: le_int((1), i_5))
               and ((JC_173:
                    le_int(i_5,
                    add_int(offset_max(Object_alloc_table, t_0), (1))))
                   and ((JC_174: le_int((0), r_0))
                       and ((JC_175:
                            lt_int(r_0,
                            add_int(offset_max(Object_alloc_table, t_0), (1))))
                           and ((JC_176:
                                (m_0 = select(intM_intP, shift(t_0, r_0))))
                               and (JC_177:
                                   (forall j_1:int.
                                    ((le_int((0), j_1) and lt_int(j_1, i_5)) ->
                                     le_int(select(intM_intP,
                                            shift(t_0, j_1)),
                                     m_0)))))))))) } ];
          try
           begin
             (if (K_71:
                 ((lt_int_ !i_5) (K_70:
                                 (let _jessie_ = t_0 in
                                 (JC_182:
                                 (java_array_length_intM _jessie_))))))
             then
              (if (K_68:
                  ((gt_int_ (K_67:
                            ((safe_acc_ !intM_intP) ((shift t_0) !i_5)))) !m_0))
              then
               (let _jessie_ =
               begin
                 (let _jessie_ = (r_0 := !i_5) in void);
                (m_0 := (K_66: ((safe_acc_ !intM_intP) ((shift t_0) !i_5))));
                !m_0 end in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_69:
           (let _jessie_ = !i_5 in
           begin
             (let _jessie_ = (i_5 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !r_0);
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_140:
    ((JC_137: le_int((0), result))
    and ((JC_138:
         lt_int(result, add_int(offset_max(Object_alloc_table, t_0), (1))))
        and (JC_139:
            (forall i_4:int.
             ((le_int((0), i_4)
              and lt_int(i_4,
                  add_int(offset_max(Object_alloc_table, t_0), (1)))) ->
              le_int(select(intM_intP, shift(t_0, i_4)),
              select(intM_intP, shift(t_0, result))))))))) }

let Arrays_findMax_safety =
 fun (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (JC_131:
        ((JC_128: Non_null_intM(t_0, Object_alloc_table))
        and ((JC_129:
             le_int((1), add_int(offset_max(Object_alloc_table, t_0), (1))))
            and (JC_130:
                le_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                (32767))))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let m_0 =
     ref (K_73:
         (JC_145:
         ((((lsafe_lbound_acc_ !Object_alloc_table) !intM_intP) t_0) (0)))) in
     (let r_0 = ref (K_72: (0)) in
     begin
       (let i_5 = ref (K_53: (1)) in
       try
        (loop_6:
        while true do
        { invariant (JC_154: true)
          variant (JC_160 : sub_int(add_int(offset_max(Object_alloc_table,
                                            t_0),
                                    (1)),
                            i_5)) }
         begin
           [ { } unit reads Object_alloc_table,i_5,intM_intP,m_0,r_0
             { (JC_152:
               ((JC_146: le_int((1), i_5))
               and ((JC_147:
                    le_int(i_5,
                    add_int(offset_max(Object_alloc_table, t_0), (1))))
                   and ((JC_148: le_int((0), r_0))
                       and ((JC_149:
                            lt_int(r_0,
                            add_int(offset_max(Object_alloc_table, t_0), (1))))
                           and ((JC_150:
                                (m_0 = select(intM_intP, shift(t_0, r_0))))
                               and (JC_151:
                                   (forall j_1:int.
                                    ((le_int((0), j_1) and lt_int(j_1, i_5)) ->
                                     le_int(select(intM_intP,
                                            shift(t_0, j_1)),
                                     m_0)))))))))) } ];
          try
           begin
             (if (K_71:
                 ((lt_int_ !i_5) (K_70:
                                 (let _jessie_ = t_0 in
                                 (JC_157:
                                 (assert
                                 { ge_int(offset_max(Object_alloc_table,
                                          _jessie_),
                                   (-1)) };
                                 (JC_156:
                                 (java_array_length_intM_requires _jessie_))))))))
             then
              (if (K_68:
                  ((gt_int_ (K_67:
                            (JC_158:
                            ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !i_5)))) !m_0))
              then
               (let _jessie_ =
               begin
                 (let _jessie_ = (r_0 := !i_5) in void);
                (m_0 := (K_66:
                        (JC_159:
                        ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !i_5))));
                !m_0 end in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_69:
           (let _jessie_ = !i_5 in
           begin
             (let _jessie_ = (i_5 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := !r_0);
      (raise Return) end)); absurd  end with Return -> !return end)) 
  { true }

let cons_Arrays_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Arrays(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_187: true) }

let cons_Arrays_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Arrays(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Arrays.why
========== file tests/java/why/Arrays.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/Arrays_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Arrays_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Arrays_parenttag_Object: parenttag(Arrays_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate is_max(t: Object pointer, i: int, l: int,
  Object_alloc_table_at_L: Object alloc_table, intM_intP_at_L: (Object,
  int) memory) =
  (Non_null_intM(t, Object_alloc_table_at_L) and
   ((0 <= i) and
    ((i < l) and
     ((l <= (offset_max(Object_alloc_table_at_L, t) + 1)) and
      (forall j:int.
        (((0 <= j) and (j < l)) -> (select(intM_intP_at_L, shift(t,
         j)) <= select(intM_intP_at_L, shift(t, i)))))))))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Arrays(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Arrays(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Arrays(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Arrays(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Arrays_po1.why ==========
goal Arrays_arrayShift_ensures_default_po_1:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  ("JC_119":
  ("JC_117": ((result - 1) < (offset_max(Object_alloc_table, t_2) + 1))))

========== file tests/java/why/Arrays_po10.why ==========
goal Arrays_arrayShift_safety_po_2:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_111": true) ->
  ("JC_109":
  (("JC_107": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_108":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  (offset_min(Object_alloc_table, t_2) <= (j_0 - 1))

========== file tests/java/why/Arrays_po11.why ==========
goal Arrays_arrayShift_safety_po_3:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_111": true) ->
  ("JC_109":
  (("JC_107": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_108":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  ((j_0 - 1) <= offset_max(Object_alloc_table, t_2))

========== file tests/java/why/Arrays_po12.why ==========
goal Arrays_arrayShift_safety_po_4:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_111": true) ->
  ("JC_109":
  (("JC_107": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_108":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  ((offset_min(Object_alloc_table, t_2) <= (j_0 - 1)) and
   ((j_0 - 1) <= offset_max(Object_alloc_table, t_2))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  (offset_min(Object_alloc_table, t_2) <= j_0)

========== file tests/java/why/Arrays_po13.why ==========
goal Arrays_arrayShift_safety_po_5:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_111": true) ->
  ("JC_109":
  (("JC_107": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_108":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  ((offset_min(Object_alloc_table, t_2) <= (j_0 - 1)) and
   ((j_0 - 1) <= offset_max(Object_alloc_table, t_2))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  (j_0 <= offset_max(Object_alloc_table, t_2))

========== file tests/java/why/Arrays_po14.why ==========
goal Arrays_arrayShift_safety_po_6:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_111": true) ->
  ("JC_109":
  (("JC_107": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_108":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  ((offset_min(Object_alloc_table, t_2) <= (j_0 - 1)) and
   ((j_0 - 1) <= offset_max(Object_alloc_table, t_2))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  ((offset_min(Object_alloc_table, t_2) <= j_0) and
   (j_0 <= offset_max(Object_alloc_table, t_2))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_2, j_0), result0)) ->
  forall j_0_0:int.
  (j_0_0 = (j_0 - 1)) ->
  (0 <= ("JC_115": j_0))

========== file tests/java/why/Arrays_po15.why ==========
goal Arrays_arrayShift_safety_po_7:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_111": true) ->
  ("JC_109":
  (("JC_107": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_108":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  ((offset_min(Object_alloc_table, t_2) <= (j_0 - 1)) and
   ((j_0 - 1) <= offset_max(Object_alloc_table, t_2))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  ((offset_min(Object_alloc_table, t_2) <= j_0) and
   (j_0 <= offset_max(Object_alloc_table, t_2))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_2, j_0), result0)) ->
  forall j_0_0:int.
  (j_0_0 = (j_0 - 1)) ->
  (("JC_115": j_0_0) < ("JC_115": j_0))

========== file tests/java/why/Arrays_po16.why ==========
goal Arrays_findMax2_ensures_default_po_1:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  ("JC_81": ("JC_75": (1 <= 1)))

========== file tests/java/why/Arrays_po17.why ==========
goal Arrays_findMax2_ensures_default_po_2:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  ("JC_81": ("JC_76": (1 <= (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/Arrays_po18.why ==========
goal Arrays_findMax2_ensures_default_po_3:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  ("JC_81": ("JC_77": (0 <= 0)))

========== file tests/java/why/Arrays_po19.why ==========
goal Arrays_findMax2_ensures_default_po_4:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  ("JC_81": ("JC_78": (0 < (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/Arrays_po2.why ==========
goal Arrays_arrayShift_ensures_default_po_2:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  ((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
  ("JC_119": ("JC_118": (0 <= (result - 1))))

========== file tests/java/why/Arrays_po20.why ==========
goal Arrays_findMax2_ensures_default_po_5:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  ("JC_81": ("JC_79": (result = select(intM_intP, shift(t_1, 0)))))

========== file tests/java/why/Arrays_po21.why ==========
goal Arrays_findMax2_ensures_default_po_6:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  ("JC_81": ("JC_80": is_max(t_1, 0, 1, Object_alloc_table, intM_intP)))

========== file tests/java/why/Arrays_po22.why ==========
goal Arrays_findMax2_ensures_default_po_7:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_75": (1 <= i_3_0)))

========== file tests/java/why/Arrays_po23.why ==========
goal Arrays_findMax2_ensures_default_po_8:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_76": (i_3_0 <= (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/Arrays_po24.why ==========
goal Arrays_findMax2_ensures_default_po_9:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_77": (0 <= r0)))

========== file tests/java/why/Arrays_po25.why ==========
goal Arrays_findMax2_ensures_default_po_10:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_78": (r0 < (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/Arrays_po26.why ==========
goal Arrays_findMax2_ensures_default_po_11:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_79": (m0 = select(intM_intP, shift(t_1, r0)))))

========== file tests/java/why/Arrays_po27.why ==========
goal Arrays_findMax2_ensures_default_po_12:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_80": is_max(t_1, r0, i_3_0, Object_alloc_table, intM_intP)))

========== file tests/java/why/Arrays_po28.why ==========
goal Arrays_findMax2_ensures_default_po_13:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_75": (1 <= i_3_0)))

========== file tests/java/why/Arrays_po29.why ==========
goal Arrays_findMax2_ensures_default_po_14:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_76": (i_3_0 <= (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/Arrays_po3.why ==========
goal Arrays_arrayShift_ensures_default_po_3:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  ((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
  forall i_2:int.
  (((result - 1) < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
  ("JC_119":
  ("JC_118": (select(intM_intP, shift(t_2, i_2)) = select(intM_intP,
  shift(t_2, (i_2 - 1))))))

========== file tests/java/why/Arrays_po30.why ==========
goal Arrays_findMax2_ensures_default_po_15:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_77": (0 <= r)))

========== file tests/java/why/Arrays_po31.why ==========
goal Arrays_findMax2_ensures_default_po_16:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/Arrays_po32.why ==========
goal Arrays_findMax2_ensures_default_po_17:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_79": (m = select(intM_intP, shift(t_1, r)))))

========== file tests/java/why/Arrays_po33.why ==========
goal Arrays_findMax2_ensures_default_po_18:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_80": is_max(t_1, r, i_3_0, Object_alloc_table, intM_intP)))

========== file tests/java/why/Arrays_po34.why ==========
goal Arrays_findMax2_ensures_max_found_po_1:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_94": true) ->
  ("JC_92":
  (("JC_86": (1 <= i_3)) and
   (("JC_87": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_88": (0 <= r)) and
     (("JC_89": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_90": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_91": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 >= result0) ->
  forall return:int.
  (return = r) ->
  ("JC_54": ("JC_51": (0 <= return)))

========== file tests/java/why/Arrays_po35.why ==========
goal Arrays_findMax2_ensures_max_found_po_2:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_94": true) ->
  ("JC_92":
  (("JC_86": (1 <= i_3)) and
   (("JC_87": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_88": (0 <= r)) and
     (("JC_89": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_90": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_91": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 >= result0) ->
  forall return:int.
  (return = r) ->
  ("JC_54": ("JC_52": (return < (offset_max(Object_alloc_table, t_1) + 1))))

========== file tests/java/why/Arrays_po36.why ==========
goal Arrays_findMax2_ensures_max_found_po_3:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_94": true) ->
  ("JC_92":
  (("JC_86": (1 <= i_3)) and
   (("JC_87": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_88": (0 <= r)) and
     (("JC_89": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_90": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_91": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 >= result0) ->
  forall return:int.
  (return = r) ->
  ("JC_54":
  ("JC_53": is_max(t_1, return, (offset_max(Object_alloc_table, t_1) + 1),
  Object_alloc_table, intM_intP)))

========== file tests/java/why/Arrays_po37.why ==========
goal Arrays_findMax2_safety_po_1:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1))

========== file tests/java/why/Arrays_po38.why ==========
goal Arrays_findMax2_safety_po_2:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1))

========== file tests/java/why/Arrays_po39.why ==========
goal Arrays_findMax2_safety_po_3:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  (offset_min(Object_alloc_table, t_1) <= i_3)

========== file tests/java/why/Arrays_po4.why ==========
goal Arrays_arrayShift_ensures_default_po_4:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_119":
  (("JC_117": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_118":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_2, j_0), result0)) ->
  forall j_0_0:int.
  (j_0_0 = (j_0 - 1)) ->
  ("JC_119": ("JC_117": (j_0_0 < (offset_max(Object_alloc_table, t_2) + 1))))

========== file tests/java/why/Arrays_po40.why ==========
goal Arrays_findMax2_safety_po_4:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  (i_3 <= offset_max(Object_alloc_table, t_1))

========== file tests/java/why/Arrays_po41.why ==========
goal Arrays_findMax2_safety_po_5:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  (0 <= ("JC_74": ((offset_max(Object_alloc_table, t_1) + 1) - i_3)))

========== file tests/java/why/Arrays_po42.why ==========
goal Arrays_findMax2_safety_po_6:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  (("JC_74": ((offset_max(Object_alloc_table, t_1) + 1) - i_3_0)) < ("JC_74":
                                                                    ((offset_max(Object_alloc_table,
                                                                    t_1) + 1) - i_3)))

========== file tests/java/why/Arrays_po43.why ==========
goal Arrays_findMax2_safety_po_7:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  (0 <= ("JC_74": ((offset_max(Object_alloc_table, t_1) + 1) - i_3)))

========== file tests/java/why/Arrays_po44.why ==========
goal Arrays_findMax2_safety_po_8:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  (("JC_74": ((offset_max(Object_alloc_table, t_1) + 1) - i_3_0)) < ("JC_74":
                                                                    ((offset_max(Object_alloc_table,
                                                                    t_1) + 1) - i_3)))

========== file tests/java/why/Arrays_po45.why ==========
goal Arrays_findMax_ensures_default_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  ("JC_167": ("JC_161": (1 <= 1)))

========== file tests/java/why/Arrays_po46.why ==========
goal Arrays_findMax_ensures_default_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  ("JC_167": ("JC_162": (1 <= (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Arrays_po47.why ==========
goal Arrays_findMax_ensures_default_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  ("JC_167": ("JC_163": (0 <= 0)))

========== file tests/java/why/Arrays_po48.why ==========
goal Arrays_findMax_ensures_default_po_4:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  ("JC_167": ("JC_164": (0 < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Arrays_po49.why ==========
goal Arrays_findMax_ensures_default_po_5:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  ("JC_167": ("JC_165": (result = select(intM_intP, shift(t_0, 0)))))

========== file tests/java/why/Arrays_po5.why ==========
goal Arrays_arrayShift_ensures_default_po_5:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_119":
  (("JC_117": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_118":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_2, j_0), result0)) ->
  forall j_0_0:int.
  (j_0_0 = (j_0 - 1)) ->
  ((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
  ("JC_119": ("JC_118": (0 <= j_0_0)))

========== file tests/java/why/Arrays_po50.why ==========
goal Arrays_findMax_ensures_default_po_6:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall j_1:int.
  ((0 <= j_1) and (j_1 < 1)) ->
  ("JC_167": ("JC_166": (select(intM_intP, shift(t_0, j_1)) <= result)))

========== file tests/java/why/Arrays_po51.why ==========
goal Arrays_findMax_ensures_default_po_7:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_161": (1 <= i_5_0)))

========== file tests/java/why/Arrays_po52.why ==========
goal Arrays_findMax_ensures_default_po_8:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167":
  ("JC_162": (i_5_0 <= (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Arrays_po53.why ==========
goal Arrays_findMax_ensures_default_po_9:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_163": (0 <= r_0_0)))

========== file tests/java/why/Arrays_po54.why ==========
goal Arrays_findMax_ensures_default_po_10:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_164": (r_0_0 < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Arrays_po55.why ==========
goal Arrays_findMax_ensures_default_po_11:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_165": (m_0_0 = select(intM_intP, shift(t_0, r_0_0)))))

========== file tests/java/why/Arrays_po56.why ==========
goal Arrays_findMax_ensures_default_po_12:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  forall j_1:int.
  ((0 <= j_1) and (j_1 < i_5_0)) ->
  ("JC_167": ("JC_166": (select(intM_intP, shift(t_0, j_1)) <= m_0_0)))

========== file tests/java/why/Arrays_po57.why ==========
goal Arrays_findMax_ensures_default_po_13:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_161": (1 <= i_5_0)))

========== file tests/java/why/Arrays_po58.why ==========
goal Arrays_findMax_ensures_default_po_14:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167":
  ("JC_162": (i_5_0 <= (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Arrays_po59.why ==========
goal Arrays_findMax_ensures_default_po_15:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_163": (0 <= r_0)))

========== file tests/java/why/Arrays_po6.why ==========
goal Arrays_arrayShift_ensures_default_po_6:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_119":
  (("JC_117": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_118":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_2, j_0), result0)) ->
  forall j_0_0:int.
  (j_0_0 = (j_0 - 1)) ->
  ((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
  forall i_1:int.
  ((0 <= i_1) and (i_1 <= j_0_0)) ->
  ("JC_119":
  ("JC_118": (select(intM_intP1, shift(t_2, i_1)) = select(intM_intP,
  shift(t_2, i_1)))))

========== file tests/java/why/Arrays_po60.why ==========
goal Arrays_findMax_ensures_default_po_16:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Arrays_po61.why ==========
goal Arrays_findMax_ensures_default_po_17:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))))

========== file tests/java/why/Arrays_po62.why ==========
goal Arrays_findMax_ensures_default_po_18:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  forall j_1:int.
  ((0 <= j_1) and (j_1 < i_5_0)) ->
  ("JC_167": ("JC_166": (select(intM_intP, shift(t_0, j_1)) <= m_0)))

========== file tests/java/why/Arrays_po63.why ==========
goal Arrays_findMax_ensures_max_found_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_180": true) ->
  ("JC_178":
  (("JC_172": (1 <= i_5)) and
   (("JC_173": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_174": (0 <= r_0)) and
     (("JC_175": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_176": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_177":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 >= result0) ->
  forall return:int.
  (return = r_0) ->
  ("JC_140": ("JC_137": (0 <= return)))

========== file tests/java/why/Arrays_po64.why ==========
goal Arrays_findMax_ensures_max_found_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_180": true) ->
  ("JC_178":
  (("JC_172": (1 <= i_5)) and
   (("JC_173": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_174": (0 <= r_0)) and
     (("JC_175": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_176": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_177":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 >= result0) ->
  forall return:int.
  (return = r_0) ->
  ("JC_140":
  ("JC_138": (return < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Arrays_po65.why ==========
goal Arrays_findMax_ensures_max_found_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_180": true) ->
  ("JC_178":
  (("JC_172": (1 <= i_5)) and
   (("JC_173": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_174": (0 <= r_0)) and
     (("JC_175": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_176": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_177":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 >= result0) ->
  forall return:int.
  (return = r_0) ->
  forall i_4:int.
  ((0 <= i_4) and (i_4 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  ("JC_140":
  ("JC_139": (select(intM_intP, shift(t_0, i_4)) <= select(intM_intP,
  shift(t_0, return)))))

========== file tests/java/why/Arrays_po66.why ==========
goal Arrays_findMax_safety_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0))

========== file tests/java/why/Arrays_po67.why ==========
goal Arrays_findMax_safety_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1))

========== file tests/java/why/Arrays_po68.why ==========
goal Arrays_findMax_safety_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  (offset_min(Object_alloc_table, t_0) <= i_5)

========== file tests/java/why/Arrays_po69.why ==========
goal Arrays_findMax_safety_po_4:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  (i_5 <= offset_max(Object_alloc_table, t_0))

========== file tests/java/why/Arrays_po7.why ==========
goal Arrays_arrayShift_ensures_default_po_7:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_119":
  (("JC_117": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_118":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_2, j_0), result0)) ->
  forall j_0_0:int.
  (j_0_0 = (j_0 - 1)) ->
  ((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
  forall i_2:int.
  ((j_0_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
  ("JC_119":
  ("JC_118": (select(intM_intP1, shift(t_2, i_2)) = select(intM_intP,
  shift(t_2, (i_2 - 1))))))

========== file tests/java/why/Arrays_po70.why ==========
goal Arrays_findMax_safety_po_5:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= i_5) and
   (i_5 <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  ((offset_min(Object_alloc_table, t_0) <= i_5) and
   (i_5 <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (0 <= ("JC_160": ((offset_max(Object_alloc_table, t_0) + 1) - i_5)))

========== file tests/java/why/Arrays_po71.why ==========
goal Arrays_findMax_safety_po_6:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= i_5) and
   (i_5 <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  ((offset_min(Object_alloc_table, t_0) <= i_5) and
   (i_5 <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (("JC_160": ((offset_max(Object_alloc_table, t_0) + 1) - i_5_0)) < 
  ("JC_160": ((offset_max(Object_alloc_table, t_0) + 1) - i_5)))

========== file tests/java/why/Arrays_po72.why ==========
goal Arrays_findMax_safety_po_7:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= i_5) and
   (i_5 <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (0 <= ("JC_160": ((offset_max(Object_alloc_table, t_0) + 1) - i_5)))

========== file tests/java/why/Arrays_po73.why ==========
goal Arrays_findMax_safety_po_8:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= i_5) and
   (i_5 <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (("JC_160": ((offset_max(Object_alloc_table, t_0) + 1) - i_5_0)) < 
  ("JC_160": ((offset_max(Object_alloc_table, t_0) + 1) - i_5)))

========== file tests/java/why/Arrays_po8.why ==========
goal Arrays_arrayShift_ensures_default_po_8:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_119":
  (("JC_117": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_118":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 <= 0) ->
  forall i_0:int.
  ((0 < i_0) and (i_0 < (offset_max(Object_alloc_table, t_2) + 1))) ->
  ("JC_101": (select(intM_intP0, shift(t_2, i_0)) = select(intM_intP,
  shift(t_2, (i_0 - 1)))))

========== file tests/java/why/Arrays_po9.why ==========
goal Arrays_arrayShift_safety_po_1:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1))

========== generation of Simplify VC output ==========
why -simplify [...] why/Arrays.why
========== file tests/java/simplify/Arrays_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Arrays_parenttag_Object
 (EQ (parenttag Arrays_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (is_max t i l Object_alloc_table_at_L intM_intP_at_L)
  (AND (Non_null_intM t Object_alloc_table_at_L)
  (AND (<= 0 i)
  (AND (< i l)
  (AND (<= l (+ (offset_max Object_alloc_table_at_L t) 1))
  (FORALL (j)
  (IMPLIES (AND (<= 0 j) (< j l))
  (<= (select intM_intP_at_L (shift t j)) (select intM_intP_at_L (shift t i))))))))))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Arrays p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Arrays p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Arrays p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Arrays p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Arrays_arrayShift_ensures_default_po_1, File "HOME/tests/java/Arrays.java", line 100, characters 7-19
(FORALL (t_2)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(< (- result 1) (+ (offset_max Object_alloc_table t_2) 1)))))))

;; Arrays_arrayShift_ensures_default_po_2, File "HOME/tests/java/Arrays.java", line 101, characters 8-206
(FORALL (t_2)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0) (<= 0 (- result 1))))))))

;; Arrays_arrayShift_ensures_default_po_3, File "HOME/tests/java/Arrays.java", line 101, characters 8-206
(FORALL (t_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
(FORALL (i_2)
(IMPLIES (AND (< (- result 1) i_2)
         (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
(EQ (select intM_intP (shift t_2 i_2))
(select intM_intP (shift t_2 (- i_2 1)))))))))))))

;; Arrays_arrayShift_ensures_default_po_4, File "HOME/tests/java/Arrays.java", line 100, characters 7-19
(FORALL (t_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(FORALL (intM_intP0)
(FORALL (j_0)
(IMPLIES (AND (< j_0 (+ (offset_max Object_alloc_table t_2) 1))
         (IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
         (AND (<= 0 j_0)
         (AND
         (FORALL (i_1)
         (IMPLIES (AND (<= 0 i_1) (<= i_1 j_0))
         (EQ (select intM_intP0 (shift t_2 i_1))
         (select intM_intP (shift t_2 i_1)))))
         (FORALL (i_2)
         (IMPLIES
         (AND (< j_0 i_2) (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
         (EQ (select intM_intP0 (shift t_2 i_2))
         (select intM_intP (shift t_2 (- i_2 1))))))))))
(IMPLIES (> j_0 0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_2 (- j_0 1))))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t_2 j_0) result0))
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (- j_0 1))
(< j_0_0 (+ (offset_max Object_alloc_table t_2) 1))))))))))))))))))

;; Arrays_arrayShift_ensures_default_po_5, File "HOME/tests/java/Arrays.java", line 101, characters 8-206
(FORALL (t_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(FORALL (intM_intP0)
(FORALL (j_0)
(IMPLIES (AND (< j_0 (+ (offset_max Object_alloc_table t_2) 1))
         (IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
         (AND (<= 0 j_0)
         (AND
         (FORALL (i_1)
         (IMPLIES (AND (<= 0 i_1) (<= i_1 j_0))
         (EQ (select intM_intP0 (shift t_2 i_1))
         (select intM_intP (shift t_2 i_1)))))
         (FORALL (i_2)
         (IMPLIES
         (AND (< j_0 i_2) (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
         (EQ (select intM_intP0 (shift t_2 i_2))
         (select intM_intP (shift t_2 (- i_2 1))))))))))
(IMPLIES (> j_0 0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_2 (- j_0 1))))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t_2 j_0) result0))
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (- j_0 1))
(IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0) (<= 0 j_0_0))))))))))))))))))

;; Arrays_arrayShift_ensures_default_po_6, File "HOME/tests/java/Arrays.java", line 101, characters 8-206
(FORALL (t_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(FORALL (intM_intP0)
(FORALL (j_0)
(IMPLIES (AND (< j_0 (+ (offset_max Object_alloc_table t_2) 1))
         (IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
         (AND (<= 0 j_0)
         (AND
         (FORALL (i_1)
         (IMPLIES (AND (<= 0 i_1) (<= i_1 j_0))
         (EQ (select intM_intP0 (shift t_2 i_1))
         (select intM_intP (shift t_2 i_1)))))
         (FORALL (i_2)
         (IMPLIES
         (AND (< j_0 i_2) (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
         (EQ (select intM_intP0 (shift t_2 i_2))
         (select intM_intP (shift t_2 (- i_2 1))))))))))
(IMPLIES (> j_0 0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_2 (- j_0 1))))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t_2 j_0) result0))
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (- j_0 1))
(IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
(FORALL (i_1)
(IMPLIES (AND (<= 0 i_1) (<= i_1 j_0_0))
(EQ (select intM_intP1 (shift t_2 i_1)) (select intM_intP (shift t_2 i_1))))))))))))))))))))))

;; Arrays_arrayShift_ensures_default_po_7, File "HOME/tests/java/Arrays.java", line 101, characters 8-206
(FORALL (t_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(FORALL (intM_intP0)
(FORALL (j_0)
(IMPLIES (AND (< j_0 (+ (offset_max Object_alloc_table t_2) 1))
         (IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
         (AND (<= 0 j_0)
         (AND
         (FORALL (i_1)
         (IMPLIES (AND (<= 0 i_1) (<= i_1 j_0))
         (EQ (select intM_intP0 (shift t_2 i_1))
         (select intM_intP (shift t_2 i_1)))))
         (FORALL (i_2)
         (IMPLIES
         (AND (< j_0 i_2) (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
         (EQ (select intM_intP0 (shift t_2 i_2))
         (select intM_intP (shift t_2 (- i_2 1))))))))))
(IMPLIES (> j_0 0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_2 (- j_0 1))))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t_2 j_0) result0))
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (- j_0 1))
(IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
(FORALL (i_2)
(IMPLIES (AND (< j_0_0 i_2)
         (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
(EQ (select intM_intP1 (shift t_2 i_2))
(select intM_intP (shift t_2 (- i_2 1)))))))))))))))))))))))

;; Arrays_arrayShift_ensures_default_po_8, File "HOME/tests/java/Arrays.java", line 96, characters 10-70
(FORALL (t_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(FORALL (intM_intP0)
(FORALL (j_0)
(IMPLIES (AND (< j_0 (+ (offset_max Object_alloc_table t_2) 1))
         (IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
         (AND (<= 0 j_0)
         (AND
         (FORALL (i_1)
         (IMPLIES (AND (<= 0 i_1) (<= i_1 j_0))
         (EQ (select intM_intP0 (shift t_2 i_1))
         (select intM_intP (shift t_2 i_1)))))
         (FORALL (i_2)
         (IMPLIES
         (AND (< j_0 i_2) (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
         (EQ (select intM_intP0 (shift t_2 i_2))
         (select intM_intP (shift t_2 (- i_2 1))))))))))
(IMPLIES (<= j_0 0)
(FORALL (i_0)
(IMPLIES (AND (< 0 i_0) (< i_0 (+ (offset_max Object_alloc_table t_2) 1)))
(EQ (select intM_intP0 (shift t_2 i_0))
(select intM_intP (shift t_2 (- i_0 1))))))))))))))))

;; Arrays_arrayShift_safety_po_1, File "why/Arrays.why", line 626, characters 21-77
(FORALL (t_2)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(>= (offset_max Object_alloc_table t_2) (- 0 1)))))

;; Arrays_arrayShift_safety_po_2, File "HOME/tests/java/Arrays.java", line 108, characters 10-16
(FORALL (t_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(IMPLIES (>= (offset_max Object_alloc_table t_2) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(FORALL (intM_intP0)
(FORALL (j_0)
(IMPLIES TRUE
(IMPLIES (AND (< j_0 (+ (offset_max Object_alloc_table t_2) 1))
         (IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
         (AND (<= 0 j_0)
         (AND
         (FORALL (i_1)
         (IMPLIES (AND (<= 0 i_1) (<= i_1 j_0))
         (EQ (select intM_intP0 (shift t_2 i_1))
         (select intM_intP (shift t_2 i_1)))))
         (FORALL (i_2)
         (IMPLIES
         (AND (< j_0 i_2) (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
         (EQ (select intM_intP0 (shift t_2 i_2))
         (select intM_intP (shift t_2 (- i_2 1))))))))))
(IMPLIES (> j_0 0) (<= (offset_min Object_alloc_table t_2) (- j_0 1))))))))))))))

;; Arrays_arrayShift_safety_po_3, File "HOME/tests/java/Arrays.java", line 108, characters 10-16
(FORALL (t_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(IMPLIES (>= (offset_max Object_alloc_table t_2) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(FORALL (intM_intP0)
(FORALL (j_0)
(IMPLIES TRUE
(IMPLIES (AND (< j_0 (+ (offset_max Object_alloc_table t_2) 1))
         (IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
         (AND (<= 0 j_0)
         (AND
         (FORALL (i_1)
         (IMPLIES (AND (<= 0 i_1) (<= i_1 j_0))
         (EQ (select intM_intP0 (shift t_2 i_1))
         (select intM_intP (shift t_2 i_1)))))
         (FORALL (i_2)
         (IMPLIES
         (AND (< j_0 i_2) (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
         (EQ (select intM_intP0 (shift t_2 i_2))
         (select intM_intP (shift t_2 (- i_2 1))))))))))
(IMPLIES (> j_0 0) (<= (- j_0 1) (offset_max Object_alloc_table t_2))))))))))))))

;; Arrays_arrayShift_safety_po_4, File "why/Arrays.why", line 671, characters 15-97
(FORALL (t_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(IMPLIES (>= (offset_max Object_alloc_table t_2) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(FORALL (intM_intP0)
(FORALL (j_0)
(IMPLIES TRUE
(IMPLIES (AND (< j_0 (+ (offset_max Object_alloc_table t_2) 1))
         (IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
         (AND (<= 0 j_0)
         (AND
         (FORALL (i_1)
         (IMPLIES (AND (<= 0 i_1) (<= i_1 j_0))
         (EQ (select intM_intP0 (shift t_2 i_1))
         (select intM_intP (shift t_2 i_1)))))
         (FORALL (i_2)
         (IMPLIES
         (AND (< j_0 i_2) (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
         (EQ (select intM_intP0 (shift t_2 i_2))
         (select intM_intP (shift t_2 (- i_2 1))))))))))
(IMPLIES (> j_0 0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_2) (- j_0 1))
         (<= (- j_0 1) (offset_max Object_alloc_table t_2)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_2 (- j_0 1))))
(<= (offset_min Object_alloc_table t_2) j_0))))))))))))))))

;; Arrays_arrayShift_safety_po_5, File "why/Arrays.why", line 671, characters 15-97
(FORALL (t_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(IMPLIES (>= (offset_max Object_alloc_table t_2) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(FORALL (intM_intP0)
(FORALL (j_0)
(IMPLIES TRUE
(IMPLIES (AND (< j_0 (+ (offset_max Object_alloc_table t_2) 1))
         (IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
         (AND (<= 0 j_0)
         (AND
         (FORALL (i_1)
         (IMPLIES (AND (<= 0 i_1) (<= i_1 j_0))
         (EQ (select intM_intP0 (shift t_2 i_1))
         (select intM_intP (shift t_2 i_1)))))
         (FORALL (i_2)
         (IMPLIES
         (AND (< j_0 i_2) (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
         (EQ (select intM_intP0 (shift t_2 i_2))
         (select intM_intP (shift t_2 (- i_2 1))))))))))
(IMPLIES (> j_0 0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_2) (- j_0 1))
         (<= (- j_0 1) (offset_max Object_alloc_table t_2)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_2 (- j_0 1))))
(<= j_0 (offset_max Object_alloc_table t_2)))))))))))))))))

;; Arrays_arrayShift_safety_po_6, File "HOME/tests/java/Arrays.java", line 105, characters 18-19
(FORALL (t_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(IMPLIES (>= (offset_max Object_alloc_table t_2) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(FORALL (intM_intP0)
(FORALL (j_0)
(IMPLIES TRUE
(IMPLIES (AND (< j_0 (+ (offset_max Object_alloc_table t_2) 1))
         (IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
         (AND (<= 0 j_0)
         (AND
         (FORALL (i_1)
         (IMPLIES (AND (<= 0 i_1) (<= i_1 j_0))
         (EQ (select intM_intP0 (shift t_2 i_1))
         (select intM_intP (shift t_2 i_1)))))
         (FORALL (i_2)
         (IMPLIES
         (AND (< j_0 i_2) (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
         (EQ (select intM_intP0 (shift t_2 i_2))
         (select intM_intP (shift t_2 (- i_2 1))))))))))
(IMPLIES (> j_0 0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_2) (- j_0 1))
         (<= (- j_0 1) (offset_max Object_alloc_table t_2)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_2 (- j_0 1))))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_2) j_0)
         (<= j_0 (offset_max Object_alloc_table t_2)))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t_2 j_0) result0))
(FORALL (j_0_0) (IMPLIES (EQ j_0_0 (- j_0 1)) (<= 0 j_0)))))))))))))))))))))

;; Arrays_arrayShift_safety_po_7, File "HOME/tests/java/Arrays.java", line 105, characters 18-19
(FORALL (t_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_2 0 Object_alloc_table)
         (Non_null_intM t_2 Object_alloc_table))
(IMPLIES (>= (offset_max Object_alloc_table t_2) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_2) 1))))
(FORALL (intM_intP0)
(FORALL (j_0)
(IMPLIES TRUE
(IMPLIES (AND (< j_0 (+ (offset_max Object_alloc_table t_2) 1))
         (IMPLIES (> (+ (offset_max Object_alloc_table t_2) 1) 0)
         (AND (<= 0 j_0)
         (AND
         (FORALL (i_1)
         (IMPLIES (AND (<= 0 i_1) (<= i_1 j_0))
         (EQ (select intM_intP0 (shift t_2 i_1))
         (select intM_intP (shift t_2 i_1)))))
         (FORALL (i_2)
         (IMPLIES
         (AND (< j_0 i_2) (< i_2 (+ (offset_max Object_alloc_table t_2) 1)))
         (EQ (select intM_intP0 (shift t_2 i_2))
         (select intM_intP (shift t_2 (- i_2 1))))))))))
(IMPLIES (> j_0 0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_2) (- j_0 1))
         (<= (- j_0 1) (offset_max Object_alloc_table t_2)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_2 (- j_0 1))))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_2) j_0)
         (<= j_0 (offset_max Object_alloc_table t_2)))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t_2 j_0) result0))
(FORALL (j_0_0) (IMPLIES (EQ j_0_0 (- j_0 1)) (< j_0_0 j_0)))))))))))))))))))))

;; Arrays_findMax2_ensures_default_po_1, File "HOME/tests/java/Arrays.java", line 80, characters 7-13
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0))) (<= 1 1)))))))

;; Arrays_findMax2_ensures_default_po_2, File "HOME/tests/java/Arrays.java", line 80, characters 12-25
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(<= 1 (+ (offset_max Object_alloc_table t_1) 1))))))))

;; Arrays_findMax2_ensures_default_po_3, File "HOME/tests/java/Arrays.java", line 80, characters 29-35
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0))) (<= 0 0)))))))

;; Arrays_findMax2_ensures_default_po_4, File "HOME/tests/java/Arrays.java", line 80, characters 34-46
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(< 0 (+ (offset_max Object_alloc_table t_1) 1))))))))

;; Arrays_findMax2_ensures_default_po_5, File "HOME/tests/java/Arrays.java", line 81, characters 14-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(EQ result (select intM_intP (shift t_1 0)))))))))

;; Arrays_findMax2_ensures_default_po_6, File "HOME/tests/java/Arrays.java", line 81, characters 27-40
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(is_max t_1 0 1 Object_alloc_table intM_intP)))))))

;; Arrays_findMax2_ensures_default_po_7, File "HOME/tests/java/Arrays.java", line 80, characters 7-13
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (> result1 m)
(FORALL (r0)
(IMPLIES (EQ r0 i_3)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_1 i_3)))
(FORALL (m0)
(IMPLIES (EQ m0 result2)
(FORALL (i_3_0) (IMPLIES (EQ i_3_0 (+ i_3 1)) (<= 1 i_3_0)))))))))))))))))))))))))

;; Arrays_findMax2_ensures_default_po_8, File "HOME/tests/java/Arrays.java", line 80, characters 12-25
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (> result1 m)
(FORALL (r0)
(IMPLIES (EQ r0 i_3)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_1 i_3)))
(FORALL (m0)
(IMPLIES (EQ m0 result2)
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(<= i_3_0 (+ (offset_max Object_alloc_table t_1) 1))))))))))))))))))))))))))

;; Arrays_findMax2_ensures_default_po_9, File "HOME/tests/java/Arrays.java", line 80, characters 29-35
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (> result1 m)
(FORALL (r0)
(IMPLIES (EQ r0 i_3)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_1 i_3)))
(FORALL (m0)
(IMPLIES (EQ m0 result2)
(FORALL (i_3_0) (IMPLIES (EQ i_3_0 (+ i_3 1)) (<= 0 r0)))))))))))))))))))))))))

;; Arrays_findMax2_ensures_default_po_10, File "HOME/tests/java/Arrays.java", line 80, characters 34-46
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (> result1 m)
(FORALL (r0)
(IMPLIES (EQ r0 i_3)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_1 i_3)))
(FORALL (m0)
(IMPLIES (EQ m0 result2)
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(< r0 (+ (offset_max Object_alloc_table t_1) 1))))))))))))))))))))))))))

;; Arrays_findMax2_ensures_default_po_11, File "HOME/tests/java/Arrays.java", line 81, characters 14-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (> result1 m)
(FORALL (r0)
(IMPLIES (EQ r0 i_3)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_1 i_3)))
(FORALL (m0)
(IMPLIES (EQ m0 result2)
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1)) (EQ m0 (select intM_intP (shift t_1 r0)))))))))))))))))))))))))))

;; Arrays_findMax2_ensures_default_po_12, File "HOME/tests/java/Arrays.java", line 81, characters 27-40
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (> result1 m)
(FORALL (r0)
(IMPLIES (EQ r0 i_3)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_1 i_3)))
(FORALL (m0)
(IMPLIES (EQ m0 result2)
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(is_max t_1 r0 i_3_0 Object_alloc_table intM_intP)))))))))))))))))))))))))

;; Arrays_findMax2_ensures_default_po_13, File "HOME/tests/java/Arrays.java", line 80, characters 7-13
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (<= result1 m)
(FORALL (i_3_0) (IMPLIES (EQ i_3_0 (+ i_3 1)) (<= 1 i_3_0)))))))))))))))))))

;; Arrays_findMax2_ensures_default_po_14, File "HOME/tests/java/Arrays.java", line 80, characters 12-25
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (<= result1 m)
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(<= i_3_0 (+ (offset_max Object_alloc_table t_1) 1))))))))))))))))))))

;; Arrays_findMax2_ensures_default_po_15, File "HOME/tests/java/Arrays.java", line 80, characters 29-35
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (<= result1 m)
(FORALL (i_3_0) (IMPLIES (EQ i_3_0 (+ i_3 1)) (<= 0 r)))))))))))))))))))

;; Arrays_findMax2_ensures_default_po_16, File "HOME/tests/java/Arrays.java", line 80, characters 34-46
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (<= result1 m)
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(< r (+ (offset_max Object_alloc_table t_1) 1))))))))))))))))))))

;; Arrays_findMax2_ensures_default_po_17, File "HOME/tests/java/Arrays.java", line 81, characters 14-23
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (<= result1 m)
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1)) (EQ m (select intM_intP (shift t_1 r)))))))))))))))))))))

;; Arrays_findMax2_ensures_default_po_18, File "HOME/tests/java/Arrays.java", line 81, characters 27-40
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (<= result1 m)
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(is_max t_1 r i_3_0 Object_alloc_table intM_intP)))))))))))))))))))

;; Arrays_findMax2_ensures_max_found_po_1, File "HOME/tests/java/Arrays.java", line 73, characters 13-25
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (>= i_3 result0)
(FORALL (return) (IMPLIES (EQ return r) (<= 0 return)))))))))))))))))

;; Arrays_findMax2_ensures_max_found_po_2, File "HOME/tests/java/Arrays.java", line 73, characters 18-36
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (>= i_3 result0)
(FORALL (return)
(IMPLIES (EQ return r) (< return (+ (offset_max Object_alloc_table t_1) 1))))))))))))))))))

;; Arrays_findMax2_ensures_max_found_po_3, File "HOME/tests/java/Arrays.java", line 74, characters 13-39
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (>= i_3 result0)
(FORALL (return)
(IMPLIES (EQ return r)
(is_max
t_1 return (+ (offset_max Object_alloc_table t_1) 1) Object_alloc_table intM_intP)))))))))))))))))

;; Arrays_findMax2_safety_po_1, File "HOME/tests/java/Arrays.java", line 77, characters 9-13
(FORALL (t_1)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(<= 0 (offset_max Object_alloc_table t_1)))))

;; Arrays_findMax2_safety_po_2, File "why/Arrays.why", line 864, characters 35-168
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_1))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(>= (offset_max Object_alloc_table t_1) (- 0 1))))))))))))))

;; Arrays_findMax2_safety_po_3, File "HOME/tests/java/Arrays.java", line 85, characters 9-13
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_1))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0) (<= (offset_min Object_alloc_table t_1) i_3)))))))))))))))))

;; Arrays_findMax2_safety_po_4, File "HOME/tests/java/Arrays.java", line 85, characters 9-13
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_1))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0) (<= i_3 (offset_max Object_alloc_table t_1))))))))))))))))))

;; Arrays_findMax2_safety_po_5, File "HOME/tests/java/Arrays.java", line 82, characters 18-28
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_1))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (> result1 m)
(FORALL (r0)
(IMPLIES (EQ r0 i_3)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_1 i_3)))
(FORALL (m0)
(IMPLIES (EQ m0 result2)
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(<= 0 (- (+ (offset_max Object_alloc_table t_1) 1) i_3)))))))))))))))))))))))))))))))

;; Arrays_findMax2_safety_po_6, File "HOME/tests/java/Arrays.java", line 82, characters 18-28
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_1))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (> result1 m)
(FORALL (r0)
(IMPLIES (EQ r0 i_3)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_1 i_3)))
(FORALL (m0)
(IMPLIES (EQ m0 result2)
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(< (- (+ (offset_max Object_alloc_table t_1) 1) i_3_0) (- (+ (offset_max
                                                             Object_alloc_table t_1) 1) i_3)))))))))))))))))))))))))))))))

;; Arrays_findMax2_safety_po_7, File "HOME/tests/java/Arrays.java", line 82, characters 18-28
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_1))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (<= result1 m)
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(<= 0 (- (+ (offset_max Object_alloc_table t_1) 1) i_3))))))))))))))))))))))))

;; Arrays_findMax2_safety_po_8, File "HOME/tests/java/Arrays.java", line 82, characters 18-28
(FORALL (t_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_1 0 Object_alloc_table)
         (AND (Non_null_intM t_1 Object_alloc_table)
         (>= (+ (offset_max Object_alloc_table t_1) 1) 1)))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_1))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_1 0)))
(FORALL (i_3)
(FORALL (m)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_3)
         (AND (<= i_3 (+ (offset_max Object_alloc_table t_1) 1))
         (AND (<= 0 r)
         (AND (< r (+ (offset_max Object_alloc_table t_1) 1))
         (AND (EQ m (select intM_intP (shift t_1 r)))
         (is_max t_1 r i_3 Object_alloc_table intM_intP))))))
(IMPLIES (>= (offset_max Object_alloc_table t_1) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_1) 1))))
(IMPLIES (< i_3 result0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_1) i_3)
         (<= i_3 (offset_max Object_alloc_table t_1)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_1 i_3)))
(IMPLIES (<= result1 m)
(FORALL (i_3_0)
(IMPLIES (EQ i_3_0 (+ i_3 1))
(< (- (+ (offset_max Object_alloc_table t_1) 1) i_3_0) (- (+ (offset_max
                                                             Object_alloc_table t_1) 1) i_3))))))))))))))))))))))))

;; Arrays_findMax_ensures_default_po_1, File "HOME/tests/java/Arrays.java", line 57, characters 14-20
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0))) (<= 1 1)))))))

;; Arrays_findMax_ensures_default_po_2, File "HOME/tests/java/Arrays.java", line 57, characters 19-32
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(<= 1 (+ (offset_max Object_alloc_table t_0) 1))))))))

;; Arrays_findMax_ensures_default_po_3, File "HOME/tests/java/Arrays.java", line 57, characters 36-42
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0))) (<= 0 0)))))))

;; Arrays_findMax_ensures_default_po_4, File "HOME/tests/java/Arrays.java", line 57, characters 41-53
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(< 0 (+ (offset_max Object_alloc_table t_0) 1))))))))

;; Arrays_findMax_ensures_default_po_5, File "HOME/tests/java/Arrays.java", line 58, characters 14-23
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(EQ result (select intM_intP (shift t_0 0)))))))))

;; Arrays_findMax_ensures_default_po_6, File "HOME/tests/java/Arrays.java", line 58, characters 28-71
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (j_1)
(IMPLIES (AND (<= 0 j_1) (< j_1 1))
(<= (select intM_intP (shift t_0 j_1)) result)))))))))

;; Arrays_findMax_ensures_default_po_7, File "HOME/tests/java/Arrays.java", line 57, characters 14-20
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (> result1 m_0)
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 i_5)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 i_5)))
(FORALL (m_0_0)
(IMPLIES (EQ m_0_0 result2)
(FORALL (i_5_0) (IMPLIES (EQ i_5_0 (+ i_5 1)) (<= 1 i_5_0)))))))))))))))))))))))))

;; Arrays_findMax_ensures_default_po_8, File "HOME/tests/java/Arrays.java", line 57, characters 19-32
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (> result1 m_0)
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 i_5)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 i_5)))
(FORALL (m_0_0)
(IMPLIES (EQ m_0_0 result2)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(<= i_5_0 (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))))))))

;; Arrays_findMax_ensures_default_po_9, File "HOME/tests/java/Arrays.java", line 57, characters 36-42
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (> result1 m_0)
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 i_5)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 i_5)))
(FORALL (m_0_0)
(IMPLIES (EQ m_0_0 result2)
(FORALL (i_5_0) (IMPLIES (EQ i_5_0 (+ i_5 1)) (<= 0 r_0_0)))))))))))))))))))))))))

;; Arrays_findMax_ensures_default_po_10, File "HOME/tests/java/Arrays.java", line 57, characters 41-53
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (> result1 m_0)
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 i_5)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 i_5)))
(FORALL (m_0_0)
(IMPLIES (EQ m_0_0 result2)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(< r_0_0 (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))))))))

;; Arrays_findMax_ensures_default_po_11, File "HOME/tests/java/Arrays.java", line 58, characters 14-23
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (> result1 m_0)
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 i_5)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 i_5)))
(FORALL (m_0_0)
(IMPLIES (EQ m_0_0 result2)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(EQ m_0_0 (select intM_intP (shift t_0 r_0_0)))))))))))))))))))))))))))

;; Arrays_findMax_ensures_default_po_12, File "HOME/tests/java/Arrays.java", line 58, characters 28-71
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (> result1 m_0)
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 i_5)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 i_5)))
(FORALL (m_0_0)
(IMPLIES (EQ m_0_0 result2)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(FORALL (j_1)
(IMPLIES (AND (<= 0 j_1) (< j_1 i_5_0))
(<= (select intM_intP (shift t_0 j_1)) m_0_0)))))))))))))))))))))))))))

;; Arrays_findMax_ensures_default_po_13, File "HOME/tests/java/Arrays.java", line 57, characters 14-20
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (<= result1 m_0)
(FORALL (i_5_0) (IMPLIES (EQ i_5_0 (+ i_5 1)) (<= 1 i_5_0)))))))))))))))))))

;; Arrays_findMax_ensures_default_po_14, File "HOME/tests/java/Arrays.java", line 57, characters 19-32
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (<= result1 m_0)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(<= i_5_0 (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))

;; Arrays_findMax_ensures_default_po_15, File "HOME/tests/java/Arrays.java", line 57, characters 36-42
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (<= result1 m_0)
(FORALL (i_5_0) (IMPLIES (EQ i_5_0 (+ i_5 1)) (<= 0 r_0)))))))))))))))))))

;; Arrays_findMax_ensures_default_po_16, File "HOME/tests/java/Arrays.java", line 57, characters 41-53
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (<= result1 m_0)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(< r_0 (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))

;; Arrays_findMax_ensures_default_po_17, File "HOME/tests/java/Arrays.java", line 58, characters 14-23
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (<= result1 m_0)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1)) (EQ m_0 (select intM_intP (shift t_0 r_0)))))))))))))))))))))

;; Arrays_findMax_ensures_default_po_18, File "HOME/tests/java/Arrays.java", line 58, characters 28-71
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (<= result1 m_0)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(FORALL (j_1)
(IMPLIES (AND (<= 0 j_1) (< j_1 i_5_0))
(<= (select intM_intP (shift t_0 j_1)) m_0)))))))))))))))))))))

;; Arrays_findMax_ensures_max_found_po_1, File "HOME/tests/java/Arrays.java", line 49, characters 13-25
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= i_5 result0)
(FORALL (return) (IMPLIES (EQ return r_0) (<= 0 return)))))))))))))))))

;; Arrays_findMax_ensures_max_found_po_2, File "HOME/tests/java/Arrays.java", line 49, characters 18-36
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= i_5 result0)
(FORALL (return)
(IMPLIES (EQ return r_0)
(< return (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))

;; Arrays_findMax_ensures_max_found_po_3, File "HOME/tests/java/Arrays.java", line 50, characters 14-92
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= i_5 result0)
(FORALL (return)
(IMPLIES (EQ return r_0)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4) (< i_4 (+ (offset_max Object_alloc_table t_0) 1)))
(<= (select intM_intP (shift t_0 i_4)) (select intM_intP (shift t_0 return)))))))))))))))))))))

;; Arrays_findMax_safety_po_1, File "HOME/tests/java/Arrays.java", line 54, characters 9-13
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(<= 0 (offset_max Object_alloc_table t_0)))))

;; Arrays_findMax_safety_po_2, File "why/Arrays.why", line 1099, characters 35-168
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_0))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(>= (offset_max Object_alloc_table t_0) (- 0 1))))))))))))))

;; Arrays_findMax_safety_po_3, File "HOME/tests/java/Arrays.java", line 62, characters 9-13
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_0))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0) (<= (offset_min Object_alloc_table t_0) i_5)))))))))))))))))

;; Arrays_findMax_safety_po_4, File "HOME/tests/java/Arrays.java", line 62, characters 9-13
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_0))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0) (<= i_5 (offset_max Object_alloc_table t_0))))))))))))))))))

;; Arrays_findMax_safety_po_5, File "HOME/tests/java/Arrays.java", line 59, characters 25-35
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_0))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_5)
         (<= i_5 (offset_max Object_alloc_table t_0)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (> result1 m_0)
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 i_5)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_5)
         (<= i_5 (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 i_5)))
(FORALL (m_0_0)
(IMPLIES (EQ m_0_0 result2)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(<= 0 (- (+ (offset_max Object_alloc_table t_0) 1) i_5)))))))))))))))))))))))))))))))

;; Arrays_findMax_safety_po_6, File "HOME/tests/java/Arrays.java", line 59, characters 25-35
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_0))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_5)
         (<= i_5 (offset_max Object_alloc_table t_0)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (> result1 m_0)
(FORALL (r_0_0)
(IMPLIES (EQ r_0_0 i_5)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_5)
         (<= i_5 (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 i_5)))
(FORALL (m_0_0)
(IMPLIES (EQ m_0_0 result2)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(< (- (+ (offset_max Object_alloc_table t_0) 1) i_5_0) (- (+ (offset_max
                                                             Object_alloc_table t_0) 1) i_5)))))))))))))))))))))))))))))))

;; Arrays_findMax_safety_po_7, File "HOME/tests/java/Arrays.java", line 59, characters 25-35
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_0))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_5)
         (<= i_5 (offset_max Object_alloc_table t_0)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (<= result1 m_0)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(<= 0 (- (+ (offset_max Object_alloc_table t_0) 1) i_5))))))))))))))))))))))))

;; Arrays_findMax_safety_po_8, File "HOME/tests/java/Arrays.java", line 59, characters 25-35
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 1 (+ (offset_max Object_alloc_table t_0) 1))
         (<= (+ (offset_max Object_alloc_table t_0) 1) 32767))))
(IMPLIES (<= 0 (offset_max Object_alloc_table t_0))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t_0 0)))
(FORALL (i_5)
(FORALL (m_0)
(FORALL (r_0)
(IMPLIES TRUE
(IMPLIES (AND (<= 1 i_5)
         (AND (<= i_5 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 r_0)
         (AND (< r_0 (+ (offset_max Object_alloc_table t_0) 1))
         (AND (EQ m_0 (select intM_intP (shift t_0 r_0)))
         (FORALL (j_1)
         (IMPLIES (AND (<= 0 j_1) (< j_1 i_5))
         (<= (select intM_intP (shift t_0 j_1)) m_0))))))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_5 result0)
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_5)
         (<= i_5 (offset_max Object_alloc_table t_0)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intM_intP (shift t_0 i_5)))
(IMPLIES (<= result1 m_0)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(< (- (+ (offset_max Object_alloc_table t_0) 1) i_5_0) (- (+ (offset_max
                                                             Object_alloc_table t_0) 1) i_5))))))))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Arrays_why.sx        : ......................................................................... (73/0/0/0/0)
total   :  73
valid   :  73 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Arrays.why
========== file tests/java/why/Arrays_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Arrays_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Arrays_parenttag_Object: parenttag(Arrays_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate is_max(t: Object pointer, i: int, l: int,
  Object_alloc_table_at_L: Object alloc_table, intM_intP_at_L: (Object,
  int) memory) =
  (Non_null_intM(t, Object_alloc_table_at_L) and
   ((0 <= i) and
    ((i < l) and
     ((l <= (offset_max(Object_alloc_table_at_L, t) + 1)) and
      (forall j:int.
        (((0 <= j) and (j < l)) -> (select(intM_intP_at_L, shift(t,
         j)) <= select(intM_intP_at_L, shift(t, i)))))))))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Arrays(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Arrays(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Arrays(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Arrays(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Arrays_arrayShift_ensures_default_po_1:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  ("JC_119":
  ("JC_117": ((result - 1) < (offset_max(Object_alloc_table, t_2) + 1))))

goal Arrays_arrayShift_ensures_default_po_2:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  ((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
  ("JC_119": ("JC_118": (0 <= (result - 1))))

goal Arrays_arrayShift_ensures_default_po_3:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  ((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
  forall i_2:int.
  (((result - 1) < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
  ("JC_119":
  ("JC_118": (select(intM_intP, shift(t_2, i_2)) = select(intM_intP,
  shift(t_2, (i_2 - 1))))))

goal Arrays_arrayShift_ensures_default_po_4:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_119":
  (("JC_117": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_118":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_2, j_0), result0)) ->
  forall j_0_0:int.
  (j_0_0 = (j_0 - 1)) ->
  ("JC_119": ("JC_117": (j_0_0 < (offset_max(Object_alloc_table, t_2) + 1))))

goal Arrays_arrayShift_ensures_default_po_5:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_119":
  (("JC_117": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_118":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_2, j_0), result0)) ->
  forall j_0_0:int.
  (j_0_0 = (j_0 - 1)) ->
  ((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
  ("JC_119": ("JC_118": (0 <= j_0_0)))

goal Arrays_arrayShift_ensures_default_po_6:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_119":
  (("JC_117": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_118":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_2, j_0), result0)) ->
  forall j_0_0:int.
  (j_0_0 = (j_0 - 1)) ->
  ((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
  forall i_1:int.
  ((0 <= i_1) and (i_1 <= j_0_0)) ->
  ("JC_119":
  ("JC_118": (select(intM_intP1, shift(t_2, i_1)) = select(intM_intP,
  shift(t_2, i_1)))))

goal Arrays_arrayShift_ensures_default_po_7:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_119":
  (("JC_117": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_118":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_2, j_0), result0)) ->
  forall j_0_0:int.
  (j_0_0 = (j_0 - 1)) ->
  ((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
  forall i_2:int.
  ((j_0_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
  ("JC_119":
  ("JC_118": (select(intM_intP1, shift(t_2, i_2)) = select(intM_intP,
  shift(t_2, (i_2 - 1))))))

goal Arrays_arrayShift_ensures_default_po_8:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_119":
  (("JC_117": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_118":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 <= 0) ->
  forall i_0:int.
  ((0 < i_0) and (i_0 < (offset_max(Object_alloc_table, t_2) + 1))) ->
  ("JC_101": (select(intM_intP0, shift(t_2, i_0)) = select(intM_intP,
  shift(t_2, (i_0 - 1)))))

goal Arrays_arrayShift_safety_po_1:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1))

goal Arrays_arrayShift_safety_po_2:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_111": true) ->
  ("JC_109":
  (("JC_107": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_108":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  (offset_min(Object_alloc_table, t_2) <= (j_0 - 1))

goal Arrays_arrayShift_safety_po_3:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_111": true) ->
  ("JC_109":
  (("JC_107": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_108":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  ((j_0 - 1) <= offset_max(Object_alloc_table, t_2))

goal Arrays_arrayShift_safety_po_4:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_111": true) ->
  ("JC_109":
  (("JC_107": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_108":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  ((offset_min(Object_alloc_table, t_2) <= (j_0 - 1)) and
   ((j_0 - 1) <= offset_max(Object_alloc_table, t_2))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  (offset_min(Object_alloc_table, t_2) <= j_0)

goal Arrays_arrayShift_safety_po_5:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_111": true) ->
  ("JC_109":
  (("JC_107": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_108":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  ((offset_min(Object_alloc_table, t_2) <= (j_0 - 1)) and
   ((j_0 - 1) <= offset_max(Object_alloc_table, t_2))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  (j_0 <= offset_max(Object_alloc_table, t_2))

goal Arrays_arrayShift_safety_po_6:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_111": true) ->
  ("JC_109":
  (("JC_107": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_108":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  ((offset_min(Object_alloc_table, t_2) <= (j_0 - 1)) and
   ((j_0 - 1) <= offset_max(Object_alloc_table, t_2))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  ((offset_min(Object_alloc_table, t_2) <= j_0) and
   (j_0 <= offset_max(Object_alloc_table, t_2))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_2, j_0), result0)) ->
  forall j_0_0:int.
  (j_0_0 = (j_0 - 1)) ->
  (0 <= ("JC_115": j_0))

goal Arrays_arrayShift_safety_po_7:
  forall t_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_2, 0, Object_alloc_table) and
   ("JC_99": Non_null_intM(t_2, Object_alloc_table))) ->
  (offset_max(Object_alloc_table, t_2) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_2) + 1))))) ->
  forall intM_intP0:(Object,
  int) memory.
  forall j_0:int.
  ("JC_111": true) ->
  ("JC_109":
  (("JC_107": (j_0 < (offset_max(Object_alloc_table, t_2) + 1))) and
   ("JC_108":
   (((offset_max(Object_alloc_table, t_2) + 1) > 0) ->
    ((0 <= j_0) and
     ((forall i_1:int.
        (((0 <= i_1) and (i_1 <= j_0)) -> (select(intM_intP0, shift(t_2,
         i_1)) = select(intM_intP, shift(t_2, i_1))))) and
      (forall i_2:int.
        (((j_0 < i_2) and (i_2 < (offset_max(Object_alloc_table, t_2) + 1))) ->
         (select(intM_intP0, shift(t_2, i_2)) = select(intM_intP, shift(t_2,
         (i_2 - 1)))))))))))) ->
  (j_0 > 0) ->
  ((offset_min(Object_alloc_table, t_2) <= (j_0 - 1)) and
   ((j_0 - 1) <= offset_max(Object_alloc_table, t_2))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_2, (j_0 - 1)))) ->
  ((offset_min(Object_alloc_table, t_2) <= j_0) and
   (j_0 <= offset_max(Object_alloc_table, t_2))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t_2, j_0), result0)) ->
  forall j_0_0:int.
  (j_0_0 = (j_0 - 1)) ->
  (("JC_115": j_0_0) < ("JC_115": j_0))

goal Arrays_findMax2_ensures_default_po_1:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  ("JC_81": ("JC_75": (1 <= 1)))

goal Arrays_findMax2_ensures_default_po_2:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  ("JC_81": ("JC_76": (1 <= (offset_max(Object_alloc_table, t_1) + 1))))

goal Arrays_findMax2_ensures_default_po_3:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  ("JC_81": ("JC_77": (0 <= 0)))

goal Arrays_findMax2_ensures_default_po_4:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  ("JC_81": ("JC_78": (0 < (offset_max(Object_alloc_table, t_1) + 1))))

goal Arrays_findMax2_ensures_default_po_5:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  ("JC_81": ("JC_79": (result = select(intM_intP, shift(t_1, 0)))))

goal Arrays_findMax2_ensures_default_po_6:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  ("JC_81": ("JC_80": is_max(t_1, 0, 1, Object_alloc_table, intM_intP)))

goal Arrays_findMax2_ensures_default_po_7:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_75": (1 <= i_3_0)))

goal Arrays_findMax2_ensures_default_po_8:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_76": (i_3_0 <= (offset_max(Object_alloc_table, t_1) + 1))))

goal Arrays_findMax2_ensures_default_po_9:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_77": (0 <= r0)))

goal Arrays_findMax2_ensures_default_po_10:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_78": (r0 < (offset_max(Object_alloc_table, t_1) + 1))))

goal Arrays_findMax2_ensures_default_po_11:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_79": (m0 = select(intM_intP, shift(t_1, r0)))))

goal Arrays_findMax2_ensures_default_po_12:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_80": is_max(t_1, r0, i_3_0, Object_alloc_table, intM_intP)))

goal Arrays_findMax2_ensures_default_po_13:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_75": (1 <= i_3_0)))

goal Arrays_findMax2_ensures_default_po_14:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_76": (i_3_0 <= (offset_max(Object_alloc_table, t_1) + 1))))

goal Arrays_findMax2_ensures_default_po_15:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_77": (0 <= r)))

goal Arrays_findMax2_ensures_default_po_16:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))))

goal Arrays_findMax2_ensures_default_po_17:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_79": (m = select(intM_intP, shift(t_1, r)))))

goal Arrays_findMax2_ensures_default_po_18:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_81":
  (("JC_75": (1 <= i_3)) and
   (("JC_76": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_77": (0 <= r)) and
     (("JC_78": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_79": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_80": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  ("JC_81": ("JC_80": is_max(t_1, r, i_3_0, Object_alloc_table, intM_intP)))

goal Arrays_findMax2_ensures_max_found_po_1:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_94": true) ->
  ("JC_92":
  (("JC_86": (1 <= i_3)) and
   (("JC_87": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_88": (0 <= r)) and
     (("JC_89": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_90": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_91": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 >= result0) ->
  forall return:int.
  (return = r) ->
  ("JC_54": ("JC_51": (0 <= return)))

goal Arrays_findMax2_ensures_max_found_po_2:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_94": true) ->
  ("JC_92":
  (("JC_86": (1 <= i_3)) and
   (("JC_87": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_88": (0 <= r)) and
     (("JC_89": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_90": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_91": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 >= result0) ->
  forall return:int.
  (return = r) ->
  ("JC_54": ("JC_52": (return < (offset_max(Object_alloc_table, t_1) + 1))))

goal Arrays_findMax2_ensures_max_found_po_3:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_94": true) ->
  ("JC_92":
  (("JC_86": (1 <= i_3)) and
   (("JC_87": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_88": (0 <= r)) and
     (("JC_89": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_90": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_91": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 >= result0) ->
  forall return:int.
  (return = r) ->
  ("JC_54":
  ("JC_53": is_max(t_1, return, (offset_max(Object_alloc_table, t_1) + 1),
  Object_alloc_table, intM_intP)))

goal Arrays_findMax2_safety_po_1:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1))

goal Arrays_findMax2_safety_po_2:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1))

goal Arrays_findMax2_safety_po_3:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  (offset_min(Object_alloc_table, t_1) <= i_3)

goal Arrays_findMax2_safety_po_4:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  (i_3 <= offset_max(Object_alloc_table, t_1))

goal Arrays_findMax2_safety_po_5:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  (0 <= ("JC_74": ((offset_max(Object_alloc_table, t_1) + 1) - i_3)))

goal Arrays_findMax2_safety_po_6:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 > m) ->
  forall r0:int.
  (r0 = i_3) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_1, i_3))) ->
  forall m0:int.
  (m0 = result2) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  (("JC_74": ((offset_max(Object_alloc_table, t_1) + 1) - i_3_0)) < ("JC_74":
                                                                    ((offset_max(Object_alloc_table,
                                                                    t_1) + 1) - i_3)))

goal Arrays_findMax2_safety_po_7:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  (0 <= ("JC_74": ((offset_max(Object_alloc_table, t_1) + 1) - i_3)))

goal Arrays_findMax2_safety_po_8:
  forall t_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_1, 0, Object_alloc_table) and
   ("JC_45":
   (("JC_43": Non_null_intM(t_1, Object_alloc_table)) and
    ("JC_44": ((offset_max(Object_alloc_table, t_1) + 1) >= 1))))) ->
  (0 <= offset_max(Object_alloc_table, t_1)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_1, 0))) ->
  forall i_3:int.
  forall m:int.
  forall r:int.
  ("JC_68": true) ->
  ("JC_66":
  (("JC_60": (1 <= i_3)) and
   (("JC_61": (i_3 <= (offset_max(Object_alloc_table, t_1) + 1))) and
    (("JC_62": (0 <= r)) and
     (("JC_63": (r < (offset_max(Object_alloc_table, t_1) + 1))) and
      (("JC_64": (m = select(intM_intP, shift(t_1, r)))) and
       ("JC_65": is_max(t_1, r, i_3, Object_alloc_table, intM_intP)))))))) ->
  (offset_max(Object_alloc_table, t_1) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_1) + 1))))) ->
  (i_3 < result0) ->
  ((offset_min(Object_alloc_table, t_1) <= i_3) and
   (i_3 <= offset_max(Object_alloc_table, t_1))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_1, i_3))) ->
  (result1 <= m) ->
  forall i_3_0:int.
  (i_3_0 = (i_3 + 1)) ->
  (("JC_74": ((offset_max(Object_alloc_table, t_1) + 1) - i_3_0)) < ("JC_74":
                                                                    ((offset_max(Object_alloc_table,
                                                                    t_1) + 1) - i_3)))

goal Arrays_findMax_ensures_default_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  ("JC_167": ("JC_161": (1 <= 1)))

goal Arrays_findMax_ensures_default_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  ("JC_167": ("JC_162": (1 <= (offset_max(Object_alloc_table, t_0) + 1))))

goal Arrays_findMax_ensures_default_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  ("JC_167": ("JC_163": (0 <= 0)))

goal Arrays_findMax_ensures_default_po_4:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  ("JC_167": ("JC_164": (0 < (offset_max(Object_alloc_table, t_0) + 1))))

goal Arrays_findMax_ensures_default_po_5:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  ("JC_167": ("JC_165": (result = select(intM_intP, shift(t_0, 0)))))

goal Arrays_findMax_ensures_default_po_6:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall j_1:int.
  ((0 <= j_1) and (j_1 < 1)) ->
  ("JC_167": ("JC_166": (select(intM_intP, shift(t_0, j_1)) <= result)))

goal Arrays_findMax_ensures_default_po_7:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_161": (1 <= i_5_0)))

goal Arrays_findMax_ensures_default_po_8:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167":
  ("JC_162": (i_5_0 <= (offset_max(Object_alloc_table, t_0) + 1))))

goal Arrays_findMax_ensures_default_po_9:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_163": (0 <= r_0_0)))

goal Arrays_findMax_ensures_default_po_10:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_164": (r_0_0 < (offset_max(Object_alloc_table, t_0) + 1))))

goal Arrays_findMax_ensures_default_po_11:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_165": (m_0_0 = select(intM_intP, shift(t_0, r_0_0)))))

goal Arrays_findMax_ensures_default_po_12:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  forall j_1:int.
  ((0 <= j_1) and (j_1 < i_5_0)) ->
  ("JC_167": ("JC_166": (select(intM_intP, shift(t_0, j_1)) <= m_0_0)))

goal Arrays_findMax_ensures_default_po_13:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_161": (1 <= i_5_0)))

goal Arrays_findMax_ensures_default_po_14:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167":
  ("JC_162": (i_5_0 <= (offset_max(Object_alloc_table, t_0) + 1))))

goal Arrays_findMax_ensures_default_po_15:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_163": (0 <= r_0)))

goal Arrays_findMax_ensures_default_po_16:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))))

goal Arrays_findMax_ensures_default_po_17:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_167": ("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))))

goal Arrays_findMax_ensures_default_po_18:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_167":
  (("JC_161": (1 <= i_5)) and
   (("JC_162": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_163": (0 <= r_0)) and
     (("JC_164": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_165": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_166":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  forall j_1:int.
  ((0 <= j_1) and (j_1 < i_5_0)) ->
  ("JC_167": ("JC_166": (select(intM_intP, shift(t_0, j_1)) <= m_0)))

goal Arrays_findMax_ensures_max_found_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_180": true) ->
  ("JC_178":
  (("JC_172": (1 <= i_5)) and
   (("JC_173": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_174": (0 <= r_0)) and
     (("JC_175": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_176": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_177":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 >= result0) ->
  forall return:int.
  (return = r_0) ->
  ("JC_140": ("JC_137": (0 <= return)))

goal Arrays_findMax_ensures_max_found_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_180": true) ->
  ("JC_178":
  (("JC_172": (1 <= i_5)) and
   (("JC_173": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_174": (0 <= r_0)) and
     (("JC_175": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_176": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_177":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 >= result0) ->
  forall return:int.
  (return = r_0) ->
  ("JC_140":
  ("JC_138": (return < (offset_max(Object_alloc_table, t_0) + 1))))

goal Arrays_findMax_ensures_max_found_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_180": true) ->
  ("JC_178":
  (("JC_172": (1 <= i_5)) and
   (("JC_173": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_174": (0 <= r_0)) and
     (("JC_175": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_176": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_177":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 >= result0) ->
  forall return:int.
  (return = r_0) ->
  forall i_4:int.
  ((0 <= i_4) and (i_4 < (offset_max(Object_alloc_table, t_0) + 1))) ->
  ("JC_140":
  ("JC_139": (select(intM_intP, shift(t_0, i_4)) <= select(intM_intP,
  shift(t_0, return)))))

goal Arrays_findMax_safety_po_1:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0))

goal Arrays_findMax_safety_po_2:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1))

goal Arrays_findMax_safety_po_3:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  (offset_min(Object_alloc_table, t_0) <= i_5)

goal Arrays_findMax_safety_po_4:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  (i_5 <= offset_max(Object_alloc_table, t_0))

goal Arrays_findMax_safety_po_5:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= i_5) and
   (i_5 <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  ((offset_min(Object_alloc_table, t_0) <= i_5) and
   (i_5 <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (0 <= ("JC_160": ((offset_max(Object_alloc_table, t_0) + 1) - i_5)))

goal Arrays_findMax_safety_po_6:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= i_5) and
   (i_5 <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 > m_0) ->
  forall r_0_0:int.
  (r_0_0 = i_5) ->
  ((offset_min(Object_alloc_table, t_0) <= i_5) and
   (i_5 <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, i_5))) ->
  forall m_0_0:int.
  (m_0_0 = result2) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (("JC_160": ((offset_max(Object_alloc_table, t_0) + 1) - i_5_0)) < 
  ("JC_160": ((offset_max(Object_alloc_table, t_0) + 1) - i_5)))

goal Arrays_findMax_safety_po_7:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= i_5) and
   (i_5 <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (0 <= ("JC_160": ((offset_max(Object_alloc_table, t_0) + 1) - i_5)))

goal Arrays_findMax_safety_po_8:
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   ("JC_131":
   (("JC_128": Non_null_intM(t_0, Object_alloc_table)) and
    (("JC_129": (1 <= (offset_max(Object_alloc_table, t_0) + 1))) and
     ("JC_130": ((offset_max(Object_alloc_table, t_0) + 1) <= 32767)))))) ->
  (0 <= offset_max(Object_alloc_table, t_0)) ->
  forall result:int.
  (result = select(intM_intP, shift(t_0, 0))) ->
  forall i_5:int.
  forall m_0:int.
  forall r_0:int.
  ("JC_154": true) ->
  ("JC_152":
  (("JC_146": (1 <= i_5)) and
   (("JC_147": (i_5 <= (offset_max(Object_alloc_table, t_0) + 1))) and
    (("JC_148": (0 <= r_0)) and
     (("JC_149": (r_0 < (offset_max(Object_alloc_table, t_0) + 1))) and
      (("JC_150": (m_0 = select(intM_intP, shift(t_0, r_0)))) and
       ("JC_151":
       (forall j_1:int.
         (((0 <= j_1) and (j_1 < i_5)) -> (select(intM_intP, shift(t_0,
          j_1)) <= m_0)))))))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_5 < result0) ->
  ((offset_min(Object_alloc_table, t_0) <= i_5) and
   (i_5 <= offset_max(Object_alloc_table, t_0))) ->
  forall result1:int.
  (result1 = select(intM_intP, shift(t_0, i_5))) ->
  (result1 <= m_0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (("JC_160": ((offset_max(Object_alloc_table, t_0) + 1) - i_5_0)) < 
  ("JC_160": ((offset_max(Object_alloc_table, t_0) + 1) - i_5)))

why-2.34/tests/java/oracle/Bug_sort_exns.err.oracle0000644000175000017500000000000012311670312020732 0ustar  rtuserswhy-2.34/tests/java/oracle/Booleans.res.oracle0000644000175000017500000045124612311670312017702 0ustar  rtusers========== file tests/java/Booleans.java ==========

class Booleans {

    /*@ ensures \result ==  ((e || (t && f)) && (t || f)) ;
      @*/
    static boolean f(boolean e,boolean t,boolean f,boolean r)
    {
        return ( (e || (t && f)) && (t || f) );
    }


}========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Booleans_f for method Booleans.f
Generating JC function cons_Booleans for constructor Booleans
Done.
========== file tests/java/Booleans.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) == 0)

tag Object = {
}

tag String = Object with {
}

tag Throwable = Object with {
}

tag Exception = Object with {
}

tag Booleans = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Throwable of Throwable[0..]

exception Exception of Exception[0..]

boolean Booleans_f(boolean e, boolean t, boolean f, boolean r)
behavior default:
  ensures (K_1 : (\result == ((e || (t && f)) && (t || f))));
{  
   (return (K_5 : ((K_3 : (e || (K_2 : (t && f)))) && (K_4 : (t || f)))))
}

unit cons_Booleans(! Booleans[0] this_0){()}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Booleans.jloc tests/java/Booleans.jc && make -f tests/java/Booleans.makefile gui"
End:
*/
========== file tests/java/Booleans.jloc ==========
[K_1]
file = "HOME/tests/java/Booleans.java"
line = 4
begin = 16
end = 57

[K_2]
file = "HOME/tests/java/Booleans.java"
line = 8
begin = 24
end = 30

[K_3]
file = "HOME/tests/java/Booleans.java"
line = 8
begin = 18
end = 31

[K_4]
file = "HOME/tests/java/Booleans.java"
line = 8
begin = 37
end = 43

[K_5]
file = "HOME/tests/java/Booleans.java"
line = 8
begin = 17
end = 44

[Booleans_f]
name = "Method f"
file = "HOME/tests/java/Booleans.java"
line = 6
begin = 19
end = 20

[cons_Booleans]
name = "Constructor of class Booleans"
file = "HOME/"
line = 0
begin = -1
end = -1

========== jessie execution ==========
Generating Why function Booleans_f
Generating Why function cons_Booleans
========== file tests/java/Booleans.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT)  -split-user-conj -explain -locs Booleans.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT)  -split-user-conj -explain -locs Booleans.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why

COQDEP = coqdep

.PHONY: all coq pvs simplify cvcl harvey smtlib zenon

all: simplify/Booleans_why.sx

project: why/Booleans.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Booleans_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Booleans_why.vo

coq/Booleans_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Booleans_why.v: why/Booleans.why
	@echo 'why -coq [...] why/Booleans.why' && $(WHY) $(JESSIELIBFILES) why/Booleans.why

coq-goals: goals coq/Booleans_ctx_why.vo
	for f in why/*_po*.why; do make -f Booleans.makefile coq/`basename $$f .why`_why.v ; done

coq/Booleans_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Booleans_ctx_why.v: why/Booleans_ctx.why
	@echo 'why -coq [...] why/Booleans_ctx.why' && $(WHY) why/Booleans_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Booleans_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Booleans_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<

pvs: pvs/Booleans_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Booleans_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Booleans_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Booleans_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Booleans_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Booleans_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Booleans_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Booleans_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Booleans_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Booleans_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Booleans_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

gui stat: Booleans.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

-include Booleans.depend

depend: coq/Booleans_why.v
	-$(COQDEP) -I coq coq/Booleans*_why.v > Booleans.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Booleans.loc ==========
[JC_1]
file = "HOME/tests/java/Booleans.jc"
line = 42
begin = 8
end = 23

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Booleans.jc"
line = 42
begin = 8
end = 23

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Booleans.jc"
line = 44
begin = 11
end = 65

[JC_10]
file = "HOME/tests/java/Booleans.jc"
line = 44
begin = 11
end = 65

[JC_11]
file = "HOME/tests/java/Booleans.java"
line = 6
begin = 19
end = 20

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/Booleans.java"
line = 6
begin = 19
end = 20

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/Booleans.java"
line = 4
begin = 16
end = 57

[JC_16]
file = "HOME/tests/java/Booleans.java"
line = 4
begin = 16
end = 57

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Booleans_safety]
name = "Constructor of class Booleans"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Booleans_ensures_default]
name = "Constructor of class Booleans"
behavior = "Default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[Booleans_f_ensures_default]
name = "Method f"
behavior = "Default behavior"
file = "HOME/tests/java/Booleans.java"
line = 6
begin = 19
end = 20

[Booleans_f_safety]
name = "Method f"
behavior = "Safety"
file = "HOME/tests/java/Booleans.java"
line = 6
begin = 19
end = 20

========== file tests/java/why/Booleans.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Booleans_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Booleans_parenttag_Object : parenttag(Booleans_tag, Object_tag)

exception Exception_exc of Object pointer

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

predicate Non_null_Object(x:Object pointer,
 Object_alloc_table:Object alloc_table) =
 eq_int(offset_max(Object_alloc_table, x), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_bitvector: bitvector -> Object pointer

logic bitvector_of_Object: Object pointer -> bitvector

axiom Object_of_bitvector_of_bitvector_of_Object :
 (forall x:Object pointer. (Object_of_bitvector(bitvector_of_Object(x)) = x))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

exception Return_label_exc of unit

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

exception Throwable_exc of Object pointer

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

axiom bitvector_of_Object_of_Object_of_bitvector :
 (forall x:bitvector. (bitvector_of_Object(Object_of_bitvector(x)) = x))

logic bitvector_of_byte: byte -> bitvector

logic byte_of_bitvector: bitvector -> byte

axiom bitvector_of_byte_of_byte_of_bitvector :
 (forall x:bitvector. (bitvector_of_byte(byte_of_bitvector(x)) = x))

logic bitvector_of_char: char -> bitvector

logic char_of_bitvector: bitvector -> char

axiom bitvector_of_char_of_char_of_bitvector :
 (forall x:bitvector. (bitvector_of_char(char_of_bitvector(x)) = x))

logic bitvector_of_int32: int32 -> bitvector

logic int32_of_bitvector: bitvector -> int32

axiom bitvector_of_int32_of_int32_of_bitvector :
 (forall x:bitvector. (bitvector_of_int32(int32_of_bitvector(x)) = x))

logic bitvector_of_interface: interface pointer -> bitvector

logic interface_of_bitvector: bitvector -> interface pointer

axiom bitvector_of_interface_of_interface_of_bitvector :
 (forall x:bitvector.
  (bitvector_of_interface(interface_of_bitvector(x)) = x))

logic bitvector_of_long: long -> bitvector

logic long_of_bitvector: bitvector -> long

axiom bitvector_of_long_of_long_of_bitvector :
 (forall x:bitvector. (bitvector_of_long(long_of_bitvector(x)) = x))

logic bitvector_of_short: short -> bitvector

logic short_of_bitvector: bitvector -> short

axiom bitvector_of_short_of_short_of_bitvector :
 (forall x:bitvector. (bitvector_of_short(short_of_bitvector(x)) = x))

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

predicate eq_byte(x:byte,
 y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

axiom byte_of_bitvector_of_bitvector_of_byte :
 (forall x:byte. eq_byte(byte_of_bitvector(bitvector_of_byte(x)), x))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

predicate eq_char(x:char,
 y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

axiom char_of_bitvector_of_bitvector_of_char :
 (forall x:char. eq_char(char_of_bitvector(bitvector_of_char(x)), x))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32,
 y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long,
 y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short,
 y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_of_bitvector_of_bitvector_of_int32 :
 (forall x:int32. eq_int32(int32_of_bitvector(bitvector_of_int32(x)), x))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

axiom interface_of_bitvector_of_bitvector_of_interface :
 (forall x:interface pointer.
  (interface_of_bitvector(bitvector_of_interface(x)) = x))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer,
 a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Booleans(p:Object pointer,
 a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer,
 a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer,
 a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer,
 a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer,
 a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_of_bitvector_of_bitvector_of_long :
 (forall x:long. eq_long(long_of_bitvector(bitvector_of_long(x)), x))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer,
 b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Booleans(p:Object pointer,
 b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer,
 b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer,
 b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer,
 b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer,
 b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_of_bitvector_of_bitvector_of_short :
 (forall x:short. eq_short(short_of_bitvector(bitvector_of_short(x)), x))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer,
 a:int,
 b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Booleans(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer,
 a:int,
 b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_bitvector_struct_Object(p:unit pointer,
 a:int,
 b:int,
 bitvector_alloc_table:unit alloc_table) =
 ((offset_min(bitvector_alloc_table, p) = a)
 and (offset_max(bitvector_alloc_table, p) = b))

predicate valid_bitvector_struct_Booleans(p:unit pointer,
 a:int,
 b:int,
 bitvector_alloc_table:unit alloc_table) =
 valid_bitvector_struct_Object(p, a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_Exception(p:unit pointer,
 a:int,
 b:int,
 bitvector_alloc_table:unit alloc_table) =
 valid_bitvector_struct_Object(p, a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_String(p:unit pointer,
 a:int,
 b:int,
 bitvector_alloc_table:unit alloc_table) =
 valid_bitvector_struct_Object(p, a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_Throwable(p:unit pointer,
 a:int,
 b:int,
 bitvector_alloc_table:unit alloc_table) =
 valid_bitvector_struct_Object(p, a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_interface(p:unit pointer,
 a:int,
 b:int,
 bitvector_alloc_table:unit alloc_table) =
 ((offset_min(bitvector_alloc_table, p) = a)
 and (offset_max(bitvector_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer,
 a:int,
 b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Booleans(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer,
 a:int,
 b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer,
 a:int,
 b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Booleans_f :
 e:bool ->
  t:bool ->
   f:bool ->
    r:bool ->
     { } bool
     { (JC_16:
       eq_bool(result, bool_and(bool_or(e, bool_and(t, f)), bool_or(t, f)))) }

parameter Booleans_f_requires :
 e:bool ->
  t:bool ->
   f:bool ->
    r:bool ->
     { } bool
     { (JC_16:
       eq_bool(result, bool_and(bool_or(e, bool_and(t, f)), bool_or(t, f)))) }

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

parameter alloc_bitvector_struct_Booleans :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { } unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Booleans(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Booleans_requires :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { ge_int(n, (0))} unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Booleans(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Exception :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { } unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Exception(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Exception_requires :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { ge_int(n, (0))} unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Exception(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Object :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { } unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Object(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Object_requires :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { ge_int(n, (0))} unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Object(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_String :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { } unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_String(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_String_requires :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { ge_int(n, (0))} unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_String(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Throwable :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { } unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Throwable(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_Throwable_requires :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { ge_int(n, (0))} unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_Throwable(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_interface :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { } unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_interface(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_bitvector_struct_interface_requires :
 n:int ->
  bitvector_alloc_table:unit alloc_table ref ->
   { ge_int(n, (0))} unit pointer writes bitvector_alloc_table
   { (valid_bitvector_struct_interface(result, (0), sub_int(n, (1)),
      bitvector_alloc_table)
     and (alloc_extends(bitvector_alloc_table@, bitvector_alloc_table)
         and alloc_fresh(bitvector_alloc_table@, result, n))) }

parameter alloc_struct_Booleans :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Booleans(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Booleans_tag)))) }

parameter alloc_struct_Booleans_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Booleans(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Booleans_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Booleans :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Booleans_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_0:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_10:
    (if result
     then eq_int(offset_max(Object_alloc_table, x_0), (0))
     else (x_0 = null))) }

parameter non_null_Object_requires :
 x_0:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_10:
    (if result
     then eq_int(offset_max(Object_alloc_table, x_0), (0))
     else (x_0 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Booleans_f_ensures_default =
 fun (e : bool) (t : bool) (f : bool) (r : bool) ->
  { (JC_14: true) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (return := (K_5: ((K_3: (e || (K_2: (t && f)))) && (K_4: (t || f)))));
    (raise Return);
    absurd 
   end
   with
   Return ->
   !return end))
  { (JC_15:
    eq_bool(result, bool_and(bool_or(e, bool_and(t, f)), bool_or(t, f)))) }

let Booleans_f_safety =
 fun (e : bool) (t : bool) (f : bool) (r : bool) ->
  { (JC_14: true) }
  (init:
  (let return = ref (any_bool void) in
  try
   begin
     (return := (K_5: ((K_3: (e || (K_2: (t && f)))) && (K_4: (t || f)))));
    (raise Return);
    absurd 
   end
   with
   Return ->
   !return end))
  { true }

let cons_Booleans_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Booleans(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_Booleans_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Booleans(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Booleans.why
========== file tests/java/why/Booleans.wpr ==========

  
    
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/Booleans_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic div_int : int, int -> int

logic mod_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

logic int_of_real : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

logic sqrt_real : real -> real

logic pow_real : real, real -> real

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type bitvector

logic concat_bitvector : bitvector, bitvector -> bitvector

logic offset_min_bytes : 'a1 alloc_table, 'a1 pointer, int -> int

logic offset_max_bytes : 'a1 alloc_table, 'a1 pointer, int -> int

axiom offset_min_bytes_def:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall s:int [offset_min_bytes(a, p, s)].
        ((0 < s) ->
         ((offset_min(a, p) <= (s * offset_min_bytes(a, p, s))) and
          (((s * offset_min_bytes(a, p, s)) - s) < offset_min(a, p)))))))

axiom offset_max_bytes_def:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall s:int [offset_max_bytes(a, p, s)].
        ((0 < s) ->
         (((((s * offset_max_bytes(a, p, s)) + s) - 1) <= offset_max(a,
          p)) and (offset_max(a, p) < ((((s * offset_max_bytes(a, p,
          s)) + s) + s) - 1)))))))

logic extract_bytes : bitvector, int, int -> bitvector

logic replace_bytes : bitvector, int, int, bitvector -> bitvector

axiom select_store_eq_union:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector [extract_bytes(replace_bytes(v1, o1, s1,
              v2), o2, s2)].
              (((o1 = o2) and (s1 = s2)) -> (extract_bytes(replace_bytes(v1,
               o1, s1, v2), o2, s2) = v2))))))))

axiom select_store_neq_union:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector [extract_bytes(replace_bytes(v1, o1, s1,
              v2), o2, s2)].
              ((((o2 + s2) <= o1) or ((o1 + s2) <= o2)) ->
               (extract_bytes(replace_bytes(v1, o1, s1, v2), o2,
               s2) = extract_bytes(v1, o2, s2)))))))))

axiom concat_replace_bytes_up:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector.
              (forall v3:bitvector [replace_bytes(replace_bytes(v1, o1, s1,
                v2), o2, s2, v3)].
                (((o1 + s1) = o2) -> (replace_bytes(replace_bytes(v1, o1, s1,
                 v2), o2, s2, v3) = replace_bytes(v1, o1, (s1 + s2),
                 concat_bitvector(v2, v3)))))))))))

axiom concat_replace_bytes_down:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector.
              (forall v3:bitvector [replace_bytes(replace_bytes(v1, o1, s1,
                v2), o2, s2, v3)].
                (((o2 + s2) = o1) -> (replace_bytes(replace_bytes(v1, o1, s1,
                 v2), o2, s2, v3) = replace_bytes(v1, o2, (s1 + s2),
                 concat_bitvector(v3, v2)))))))))))

axiom concat_extract_bytes:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v:bitvector [concat_bitvector(extract_bytes(v, o1, s1),
            extract_bytes(v, o2, s2))].
            (((o1 + s1) = o2) -> (concat_bitvector(extract_bytes(v, o1, s1),
             extract_bytes(v, o2, s2)) = extract_bytes(v, o1, (s1 + s2)))))))))

logic select_bytes : ('a1, bitvector) memory, 'a1 pointer, int,
int -> bitvector

logic store_bytes : ('a1, bitvector) memory, 'a1 pointer, int, int,
bitvector -> ('a1, bitvector) memory

axiom select_store_eq_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall o1:int.
          (forall s1:int.
            (forall o2:int.
              (forall s2:int.
                (forall v:bitvector [select_bytes(store_bytes(m, p1, o1, s1,
                  v), p2, o2, s2)].
                  (((p1 = p2) and ((o1 = o2) and (s1 = s2))) ->
                   (select_bytes(store_bytes(m, p1, o1, s1, v), p2, o2,
                   s2) = v))))))))))

axiom select_store_neq_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall o1:int.
          (forall s1:int.
            (forall o2:int.
              (forall s2:int.
                (forall v:bitvector [select_bytes(store_bytes(m, p1, o1, s1,
                  v), p2, o2, s2)].
                  (pset_disjoint(pset_range(pset_singleton(p1), o1,
                   (o1 + s1)), pset_range(pset_singleton(p2), o2,
                   (o2 + s2))) -> (select_bytes(store_bytes(m, p1, o1, s1,
                   v), p2, o2, s2) = select_bytes(m, p2, o2, s2)))))))))))

axiom shift_store_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall i:int.
        (forall o:int.
          (forall s:int.
            (forall v:bitvector [store_bytes(m, shift(p, i), o, s, v)].
              (store_bytes(m, shift(p, i), o, s, v) = store_bytes(m, p,
              (o + i), s, v))))))))

axiom shift_select_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall i:int.
        (forall o:int.
          (forall s:int.
            (forall v:bitvector [select_bytes(m, shift(p, i), o, s)].
              (select_bytes(m, shift(p, i), o, s) = select_bytes(m, p,
              (o + i), s))))))))

axiom concat_store_bytes_up:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall o1:int.
        (forall s1:int.
          (forall o2:int.
            (forall s2:int.
              (forall v1:bitvector.
                (forall v2:bitvector [store_bytes(store_bytes(m, p, o1, s1,
                  v1), p, o2, s2, v2)].
                  (((o1 + s1) = o2) -> (store_bytes(store_bytes(m, p, o1, s1,
                   v1), p, o2, s2, v2) = store_bytes(m, p, o1, (s1 + s2),
                   concat_bitvector(v1, v2))))))))))))

axiom concat_store_bytes_down:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall o1:int.
        (forall s1:int.
          (forall o2:int.
            (forall s2:int.
              (forall v1:bitvector.
                (forall v2:bitvector [store_bytes(store_bytes(m, p, o1, s1,
                  v1), p, o2, s2, v2)].
                  (((o2 + s2) = o1) -> (store_bytes(store_bytes(m, p, o1, s1,
                   v1), p, o2, s2, v2) = store_bytes(m, p, o2, (s1 + s2),
                   concat_bitvector(v2, v1))))))))))))

axiom concat_select_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall o1:int.
        (forall s1:int.
          (forall o2:int.
            (forall s2:int [concat_bitvector(select_bytes(m, p, o1, s1),
              select_bytes(m, p, o2, s2))].
              (((o1 + s1) = o2) -> (concat_bitvector(select_bytes(m, p, o1,
               s1), select_bytes(m, p, o2, s2)) = select_bytes(m, p, o1,
               (s1 + s2))))))))))

logic integer_of_bitvector : bitvector -> int

logic bitvector_of_integer : int -> bitvector

logic real_of_bitvector : bitvector -> real

type Object

type byte

type char

type int32

type interface

type long

type short

logic Booleans_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Booleans_parenttag_Object: parenttag(Booleans_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x) = 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_bitvector : bitvector -> Object pointer

logic bitvector_of_Object : Object pointer -> bitvector

axiom Object_of_bitvector_of_bitvector_of_Object:
  (forall x:Object pointer.
    (Object_of_bitvector(bitvector_of_Object(x)) = x))

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

axiom bitvector_of_Object_of_Object_of_bitvector:
  (forall x:bitvector. (bitvector_of_Object(Object_of_bitvector(x)) = x))

logic bitvector_of_byte : byte -> bitvector

logic byte_of_bitvector : bitvector -> byte

axiom bitvector_of_byte_of_byte_of_bitvector:
  (forall x:bitvector. (bitvector_of_byte(byte_of_bitvector(x)) = x))

logic bitvector_of_char : char -> bitvector

logic char_of_bitvector : bitvector -> char

axiom bitvector_of_char_of_char_of_bitvector:
  (forall x:bitvector. (bitvector_of_char(char_of_bitvector(x)) = x))

logic bitvector_of_int32 : int32 -> bitvector

logic int32_of_bitvector : bitvector -> int32

axiom bitvector_of_int32_of_int32_of_bitvector:
  (forall x:bitvector. (bitvector_of_int32(int32_of_bitvector(x)) = x))

logic bitvector_of_interface : interface pointer -> bitvector

logic interface_of_bitvector : bitvector -> interface pointer

axiom bitvector_of_interface_of_interface_of_bitvector:
  (forall x:bitvector.
    (bitvector_of_interface(interface_of_bitvector(x)) = x))

logic bitvector_of_long : long -> bitvector

logic long_of_bitvector : bitvector -> long

axiom bitvector_of_long_of_long_of_bitvector:
  (forall x:bitvector. (bitvector_of_long(long_of_bitvector(x)) = x))

logic bitvector_of_short : short -> bitvector

logic short_of_bitvector : bitvector -> short

axiom bitvector_of_short_of_short_of_bitvector:
  (forall x:bitvector. (bitvector_of_short(short_of_bitvector(x)) = x))

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

axiom byte_of_bitvector_of_bitvector_of_byte:
  (forall x:byte. eq_byte(byte_of_bitvector(bitvector_of_byte(x)), x))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

axiom char_of_bitvector_of_bitvector_of_char:
  (forall x:char. eq_char(char_of_bitvector(bitvector_of_char(x)), x))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_of_bitvector_of_bitvector_of_int32:
  (forall x:int32. eq_int32(int32_of_bitvector(bitvector_of_int32(x)), x))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

axiom interface_of_bitvector_of_bitvector_of_interface:
  (forall x:interface pointer.
    (interface_of_bitvector(bitvector_of_interface(x)) = x))

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Booleans(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_of_bitvector_of_bitvector_of_long:
  (forall x:long. eq_long(long_of_bitvector(bitvector_of_long(x)), x))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Booleans(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_of_bitvector_of_bitvector_of_short:
  (forall x:short. eq_short(short_of_bitvector(bitvector_of_short(x)), x))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Booleans(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_bitvector_struct_Object(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) =
  ((offset_min(bitvector_alloc_table, p) = a) and
   (offset_max(bitvector_alloc_table, p) = b))

predicate valid_bitvector_struct_Booleans(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_Exception(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_String(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_Throwable(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_interface(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) =
  ((offset_min(bitvector_alloc_table, p) = a) and
   (offset_max(bitvector_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Booleans(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Booleans_po1.why ==========
goal Booleans_f_ensures_default_po_1:
  forall e:bool.
  forall t:bool.
  forall f:bool.
  ("JC_14": true) ->
  forall result:bool.
  (if result then
   (((e = true) or ((e = false) and ((t = true) and (f = true)))) and
    ((t = true) or ((t = false) and (f = true)))) else
   (((e = false) and ((t = false) or ((t = true) and (f = false)))) or
    (((e = true) or ((e = false) and ((t = true) and (f = true)))) and
     ((t = false) and (f = false))))) ->
  forall return:bool.
  (return = result) ->
  ("JC_15": (return = bool_and(bool_or(e, bool_and(t, f)), bool_or(t, f))))

========== generation of Simplify VC output ==========
why -simplify [...] why/Booleans.why
========== file tests/java/simplify/Booleans_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom offset_min_bytes_def
 (FORALL (a p s)
 (IMPLIES (< 0 s)
 (AND (<= (offset_min a p) (* s (offset_min_bytes a p s)))
 (< (- (* s (offset_min_bytes a p s)) s) (offset_min a p)))))

 (FORALL (s)
 (IMPLIES (< 0 s)
 (FORALL (a p)
 (AND (<= (offset_min a p) (* s (offset_min_bytes a p s)))
 (< (- (* s (offset_min_bytes a p s)) s) (offset_min a p)))))))

(BG_PUSH
 ;; Why axiom offset_max_bytes_def
 (FORALL (a p s)
 (IMPLIES (< 0 s)
 (AND (<= (- (+ (* s (offset_max_bytes a p s)) s) 1) (offset_max a p))
 (< (offset_max a p) (- (+ (+ (* s (offset_max_bytes a p s)) s) s) 1)))))

 (FORALL (s)
 (IMPLIES (< 0 s)
 (FORALL (a p)
 (AND (<= (- (+ (* s (offset_max_bytes a p s)) s) 1) (offset_max a p))
 (< (offset_max a p) (- (+ (+ (* s (offset_max_bytes a p s)) s) s) 1)))))))

(BG_PUSH
 ;; Why axiom select_store_eq_union
 (FORALL (o1 s1 o2 s2 v1 v2)
 (IMPLIES (AND (EQ o1 o2) (EQ s1 s2))
 (EQ (extract_bytes (replace_bytes v1 o1 s1 v2) o2 s2) v2)))

 (FORALL (o1 s1 o2 s2)
 (IMPLIES (AND (EQ o1 o2) (EQ s1 s2))
 (FORALL (v1 v2) (EQ (extract_bytes (replace_bytes v1 o1 s1 v2) o2 s2) v2)))))

(BG_PUSH
 ;; Why axiom select_store_neq_union
 (FORALL (o1 s1 o2 s2 v1 v2)
 (IMPLIES (OR (<= (+ o2 s2) o1) (<= (+ o1 s2) o2))
 (EQ (extract_bytes (replace_bytes v1 o1 s1 v2) o2 s2)
 (extract_bytes v1 o2 s2))))

 (FORALL (o1 o2 s2)
 (IMPLIES (OR (<= (+ o2 s2) o1) (<= (+ o1 s2) o2))
 (FORALL (s1 v1 v2)
 (EQ (extract_bytes (replace_bytes v1 o1 s1 v2) o2 s2)
 (extract_bytes v1 o2 s2))))))

(BG_PUSH
 ;; Why axiom concat_replace_bytes_up
 (FORALL (o1 s1 o2 s2 v1 v2 v3)
 (IMPLIES (EQ (+ o1 s1) o2)
 (EQ (replace_bytes (replace_bytes v1 o1 s1 v2) o2 s2 v3)
 (replace_bytes v1 o1 (+ s1 s2) (concat_bitvector v2 v3)))))

 (FORALL (o1 s1 o2)
 (IMPLIES (EQ (+ o1 s1) o2)
 (FORALL (s2 v1 v2 v3)
 (EQ (replace_bytes (replace_bytes v1 o1 s1 v2) o2 s2 v3)
 (replace_bytes v1 o1 (+ s1 s2) (concat_bitvector v2 v3)))))))

(BG_PUSH
 ;; Why axiom concat_replace_bytes_down
 (FORALL (o1 s1 o2 s2 v1 v2 v3)
 (IMPLIES (EQ (+ o2 s2) o1)
 (EQ (replace_bytes (replace_bytes v1 o1 s1 v2) o2 s2 v3)
 (replace_bytes v1 o2 (+ s1 s2) (concat_bitvector v3 v2)))))

 (FORALL (o1 o2 s2)
 (IMPLIES (EQ (+ o2 s2) o1)
 (FORALL (s1 v1 v2 v3)
 (EQ (replace_bytes (replace_bytes v1 o1 s1 v2) o2 s2 v3)
 (replace_bytes v1 o2 (+ s1 s2) (concat_bitvector v3 v2)))))))

(BG_PUSH
 ;; Why axiom concat_extract_bytes
 (FORALL (o1 s1 o2 s2 v)
 (IMPLIES (EQ (+ o1 s1) o2)
 (EQ (concat_bitvector (extract_bytes v o1 s1) (extract_bytes v o2 s2))
 (extract_bytes v o1 (+ s1 s2)))))

 (FORALL (o1 s1 o2)
 (IMPLIES (EQ (+ o1 s1) o2)
 (FORALL (s2 v)
 (EQ (concat_bitvector (extract_bytes v o1 s1) (extract_bytes v o2 s2))
 (extract_bytes v o1 (+ s1 s2)))))))

(BG_PUSH
 ;; Why axiom select_store_eq_bytes
 (FORALL (m p1 p2 o1 s1 o2 s2 v)
 (IMPLIES (AND (EQ p1 p2) (AND (EQ o1 o2) (EQ s1 s2)))
 (EQ (select_bytes (store_bytes m p1 o1 s1 v) p2 o2 s2) v)))

 (FORALL (p1 p2 o1 s1 o2 s2)
 (IMPLIES (AND (EQ p1 p2) (AND (EQ o1 o2) (EQ s1 s2)))
 (FORALL (m v) (EQ (select_bytes (store_bytes m p1 o1 s1 v) p2 o2 s2) v)))))

(BG_PUSH
 ;; Why axiom select_store_neq_bytes
 (FORALL (m p1 p2 o1 s1 o2 s2 v)
 (IMPLIES
 (pset_disjoint
 (pset_range (pset_singleton p1) o1 (+ o1 s1)) (pset_range
                                               (pset_singleton p2) o2 
                                               (+ o2 s2)))
 (EQ (select_bytes (store_bytes m p1 o1 s1 v) p2 o2 s2)
 (select_bytes m p2 o2 s2))))

 (FORALL (p1 p2 o1 s1 o2 s2)
 (IMPLIES
 (pset_disjoint
 (pset_range (pset_singleton p1) o1 (+ o1 s1)) (pset_range
                                               (pset_singleton p2) o2 
                                               (+ o2 s2)))
 (FORALL (m v)
 (EQ (select_bytes (store_bytes m p1 o1 s1 v) p2 o2 s2)
 (select_bytes m p2 o2 s2))))))

(BG_PUSH
 ;; Why axiom shift_store_bytes
 (FORALL (m p i o s v)
 (EQ (store_bytes m (shift p i) o s v) (store_bytes m p (+ o i) s v))))

(BG_PUSH
 ;; Why axiom shift_select_bytes
 (FORALL (m p i o s v)
 (EQ (select_bytes m (shift p i) o s) (select_bytes m p (+ o i) s))))

(BG_PUSH
 ;; Why axiom concat_store_bytes_up
 (FORALL (m p o1 s1 o2 s2 v1 v2)
 (IMPLIES (EQ (+ o1 s1) o2)
 (EQ (store_bytes (store_bytes m p o1 s1 v1) p o2 s2 v2)
 (store_bytes m p o1 (+ s1 s2) (concat_bitvector v1 v2)))))

 (FORALL (o1 s1 o2)
 (IMPLIES (EQ (+ o1 s1) o2)
 (FORALL (m p s2 v1 v2)
 (EQ (store_bytes (store_bytes m p o1 s1 v1) p o2 s2 v2)
 (store_bytes m p o1 (+ s1 s2) (concat_bitvector v1 v2)))))))

(BG_PUSH
 ;; Why axiom concat_store_bytes_down
 (FORALL (m p o1 s1 o2 s2 v1 v2)
 (IMPLIES (EQ (+ o2 s2) o1)
 (EQ (store_bytes (store_bytes m p o1 s1 v1) p o2 s2 v2)
 (store_bytes m p o2 (+ s1 s2) (concat_bitvector v2 v1)))))

 (FORALL (o1 o2 s2)
 (IMPLIES (EQ (+ o2 s2) o1)
 (FORALL (m p s1 v1 v2)
 (EQ (store_bytes (store_bytes m p o1 s1 v1) p o2 s2 v2)
 (store_bytes m p o2 (+ s1 s2) (concat_bitvector v2 v1)))))))

(BG_PUSH
 ;; Why axiom concat_select_bytes
 (FORALL (m p o1 s1 o2 s2)
 (IMPLIES (EQ (+ o1 s1) o2)
 (EQ (concat_bitvector (select_bytes m p o1 s1) (select_bytes m p o2 s2))
 (select_bytes m p o1 (+ s1 s2)))))

 (FORALL (o1 s1 o2)
 (IMPLIES (EQ (+ o1 s1) o2)
 (FORALL (m p s2)
 (EQ (concat_bitvector (select_bytes m p o1 s1) (select_bytes m p o2 s2))
 (select_bytes m p o1 (+ s1 s2)))))))

(BG_PUSH
 ;; Why axiom Booleans_parenttag_Object
 (EQ (parenttag Booleans_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x Object_alloc_table)
  (EQ (offset_max Object_alloc_table x) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_bitvector_of_bitvector_of_Object
 (FORALL (x) (EQ (Object_of_bitvector (bitvector_of_Object x)) x)))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom bitvector_of_Object_of_Object_of_bitvector
 (FORALL (x) (EQ (bitvector_of_Object (Object_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom bitvector_of_byte_of_byte_of_bitvector
 (FORALL (x) (EQ (bitvector_of_byte (byte_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom bitvector_of_char_of_char_of_bitvector
 (FORALL (x) (EQ (bitvector_of_char (char_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom bitvector_of_int32_of_int32_of_bitvector
 (FORALL (x) (EQ (bitvector_of_int32 (int32_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom bitvector_of_interface_of_interface_of_bitvector
 (FORALL (x) (EQ (bitvector_of_interface (interface_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom bitvector_of_long_of_long_of_bitvector
 (FORALL (x) (EQ (bitvector_of_long (long_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom bitvector_of_short_of_short_of_bitvector
 (FORALL (x) (EQ (bitvector_of_short (short_of_bitvector x)) x)))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(BG_PUSH
 ;; Why axiom byte_of_bitvector_of_bitvector_of_byte
 (FORALL (x) (eq_byte (byte_of_bitvector (bitvector_of_byte x)) x)))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(BG_PUSH
 ;; Why axiom char_of_bitvector_of_bitvector_of_char
 (FORALL (x) (eq_char (char_of_bitvector (bitvector_of_char x)) x)))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_of_bitvector_of_bitvector_of_int32
 (FORALL (x) (eq_int32 (int32_of_bitvector (bitvector_of_int32 x)) x)))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_bitvector_of_bitvector_of_interface
 (FORALL (x) (EQ (interface_of_bitvector (bitvector_of_interface x)) x)))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Booleans p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_of_bitvector_of_bitvector_of_long
 (FORALL (x) (eq_long (long_of_bitvector (bitvector_of_long x)) x)))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Booleans p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_of_bitvector_of_bitvector_of_short
 (FORALL (x) (eq_short (short_of_bitvector (bitvector_of_short x)) x)))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Booleans p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_bitvector_struct_Object p a b bitvector_alloc_table)
  (AND (EQ (offset_min bitvector_alloc_table p) a)
  (EQ (offset_max bitvector_alloc_table p) b)))

(DEFPRED (valid_bitvector_struct_Booleans p a b bitvector_alloc_table)
  (valid_bitvector_struct_Object p a b bitvector_alloc_table))

(DEFPRED (valid_bitvector_struct_Exception p a b bitvector_alloc_table)
  (valid_bitvector_struct_Object p a b bitvector_alloc_table))

(DEFPRED (valid_bitvector_struct_String p a b bitvector_alloc_table)
  (valid_bitvector_struct_Object p a b bitvector_alloc_table))

(DEFPRED (valid_bitvector_struct_Throwable p a b bitvector_alloc_table)
  (valid_bitvector_struct_Object p a b bitvector_alloc_table))

(DEFPRED (valid_bitvector_struct_interface p a b bitvector_alloc_table)
  (AND (EQ (offset_min bitvector_alloc_table p) a)
  (EQ (offset_max bitvector_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Booleans p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Booleans_f_ensures_default_po_1, File "HOME/tests/java/Booleans.java", line 4, characters 16-57
(FORALL (e)
(FORALL (t)
(FORALL (f)
(IMPLIES TRUE
(FORALL (result)
(IMPLIES (AND
         (IMPLIES (EQ result |@true|) (AND
                                      (OR (EQ e |@true|)
                                      (AND (EQ e |@false|)
                                      (AND (EQ t |@true|) (EQ f |@true|))))
                                      (OR (EQ t |@true|)
                                      (AND (EQ t |@false|) (EQ f |@true|)))))
         (IMPLIES (NEQ result |@true|) (OR
                                       (AND (EQ e |@false|)
                                       (OR (EQ t |@false|)
                                       (AND (EQ t |@true|) (EQ f |@false|))))
                                       (AND
                                       (OR (EQ e |@true|)
                                       (AND (EQ e |@false|)
                                       (AND (EQ t |@true|) (EQ f |@true|))))
                                       (AND (EQ t |@false|) (EQ f |@false|))))))
(FORALL (return)
(IMPLIES (EQ return result)
(EQ return (bool_and (bool_or e (bool_and t f)) (bool_or t f)))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Booleans_why.sx      : ? (0/0/1/0/0)
total   :   1
valid   :   0 (  0%)
invalid :   0 (  0%)
unknown :   1 (100%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Booleans.why
========== file tests/java/why/Booleans_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic div_int : int, int -> int

logic mod_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

logic int_of_real : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

logic sqrt_real : real -> real

logic pow_real : real, real -> real

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type bitvector

logic concat_bitvector : bitvector, bitvector -> bitvector

logic offset_min_bytes : 'a1 alloc_table, 'a1 pointer, int -> int

logic offset_max_bytes : 'a1 alloc_table, 'a1 pointer, int -> int

axiom offset_min_bytes_def:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall s:int [offset_min_bytes(a, p, s)].
        ((0 < s) ->
         ((offset_min(a, p) <= (s * offset_min_bytes(a, p, s))) and
          (((s * offset_min_bytes(a, p, s)) - s) < offset_min(a, p)))))))

axiom offset_max_bytes_def:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall s:int [offset_max_bytes(a, p, s)].
        ((0 < s) ->
         (((((s * offset_max_bytes(a, p, s)) + s) - 1) <= offset_max(a,
          p)) and (offset_max(a, p) < ((((s * offset_max_bytes(a, p,
          s)) + s) + s) - 1)))))))

logic extract_bytes : bitvector, int, int -> bitvector

logic replace_bytes : bitvector, int, int, bitvector -> bitvector

axiom select_store_eq_union:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector [extract_bytes(replace_bytes(v1, o1, s1,
              v2), o2, s2)].
              (((o1 = o2) and (s1 = s2)) -> (extract_bytes(replace_bytes(v1,
               o1, s1, v2), o2, s2) = v2))))))))

axiom select_store_neq_union:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector [extract_bytes(replace_bytes(v1, o1, s1,
              v2), o2, s2)].
              ((((o2 + s2) <= o1) or ((o1 + s2) <= o2)) ->
               (extract_bytes(replace_bytes(v1, o1, s1, v2), o2,
               s2) = extract_bytes(v1, o2, s2)))))))))

axiom concat_replace_bytes_up:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector.
              (forall v3:bitvector [replace_bytes(replace_bytes(v1, o1, s1,
                v2), o2, s2, v3)].
                (((o1 + s1) = o2) -> (replace_bytes(replace_bytes(v1, o1, s1,
                 v2), o2, s2, v3) = replace_bytes(v1, o1, (s1 + s2),
                 concat_bitvector(v2, v3)))))))))))

axiom concat_replace_bytes_down:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v1:bitvector.
            (forall v2:bitvector.
              (forall v3:bitvector [replace_bytes(replace_bytes(v1, o1, s1,
                v2), o2, s2, v3)].
                (((o2 + s2) = o1) -> (replace_bytes(replace_bytes(v1, o1, s1,
                 v2), o2, s2, v3) = replace_bytes(v1, o2, (s1 + s2),
                 concat_bitvector(v3, v2)))))))))))

axiom concat_extract_bytes:
  (forall o1:int.
    (forall s1:int.
      (forall o2:int.
        (forall s2:int.
          (forall v:bitvector [concat_bitvector(extract_bytes(v, o1, s1),
            extract_bytes(v, o2, s2))].
            (((o1 + s1) = o2) -> (concat_bitvector(extract_bytes(v, o1, s1),
             extract_bytes(v, o2, s2)) = extract_bytes(v, o1, (s1 + s2)))))))))

logic select_bytes : ('a1, bitvector) memory, 'a1 pointer, int,
int -> bitvector

logic store_bytes : ('a1, bitvector) memory, 'a1 pointer, int, int,
bitvector -> ('a1, bitvector) memory

axiom select_store_eq_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall o1:int.
          (forall s1:int.
            (forall o2:int.
              (forall s2:int.
                (forall v:bitvector [select_bytes(store_bytes(m, p1, o1, s1,
                  v), p2, o2, s2)].
                  (((p1 = p2) and ((o1 = o2) and (s1 = s2))) ->
                   (select_bytes(store_bytes(m, p1, o1, s1, v), p2, o2,
                   s2) = v))))))))))

axiom select_store_neq_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall o1:int.
          (forall s1:int.
            (forall o2:int.
              (forall s2:int.
                (forall v:bitvector [select_bytes(store_bytes(m, p1, o1, s1,
                  v), p2, o2, s2)].
                  (pset_disjoint(pset_range(pset_singleton(p1), o1,
                   (o1 + s1)), pset_range(pset_singleton(p2), o2,
                   (o2 + s2))) -> (select_bytes(store_bytes(m, p1, o1, s1,
                   v), p2, o2, s2) = select_bytes(m, p2, o2, s2)))))))))))

axiom shift_store_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall i:int.
        (forall o:int.
          (forall s:int.
            (forall v:bitvector [store_bytes(m, shift(p, i), o, s, v)].
              (store_bytes(m, shift(p, i), o, s, v) = store_bytes(m, p,
              (o + i), s, v))))))))

axiom shift_select_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall i:int.
        (forall o:int.
          (forall s:int.
            (forall v:bitvector [select_bytes(m, shift(p, i), o, s)].
              (select_bytes(m, shift(p, i), o, s) = select_bytes(m, p,
              (o + i), s))))))))

axiom concat_store_bytes_up:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall o1:int.
        (forall s1:int.
          (forall o2:int.
            (forall s2:int.
              (forall v1:bitvector.
                (forall v2:bitvector [store_bytes(store_bytes(m, p, o1, s1,
                  v1), p, o2, s2, v2)].
                  (((o1 + s1) = o2) -> (store_bytes(store_bytes(m, p, o1, s1,
                   v1), p, o2, s2, v2) = store_bytes(m, p, o1, (s1 + s2),
                   concat_bitvector(v1, v2))))))))))))

axiom concat_store_bytes_down:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall o1:int.
        (forall s1:int.
          (forall o2:int.
            (forall s2:int.
              (forall v1:bitvector.
                (forall v2:bitvector [store_bytes(store_bytes(m, p, o1, s1,
                  v1), p, o2, s2, v2)].
                  (((o2 + s2) = o1) -> (store_bytes(store_bytes(m, p, o1, s1,
                   v1), p, o2, s2, v2) = store_bytes(m, p, o2, (s1 + s2),
                   concat_bitvector(v2, v1))))))))))))

axiom concat_select_bytes:
  (forall m:('a1, bitvector) memory.
    (forall p:'a1 pointer.
      (forall o1:int.
        (forall s1:int.
          (forall o2:int.
            (forall s2:int [concat_bitvector(select_bytes(m, p, o1, s1),
              select_bytes(m, p, o2, s2))].
              (((o1 + s1) = o2) -> (concat_bitvector(select_bytes(m, p, o1,
               s1), select_bytes(m, p, o2, s2)) = select_bytes(m, p, o1,
               (s1 + s2))))))))))

logic integer_of_bitvector : bitvector -> int

logic bitvector_of_integer : int -> bitvector

logic real_of_bitvector : bitvector -> real

type Object

type byte

type char

type int32

type interface

type long

type short

logic Booleans_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Booleans_parenttag_Object: parenttag(Booleans_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x) = 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_bitvector : bitvector -> Object pointer

logic bitvector_of_Object : Object pointer -> bitvector

axiom Object_of_bitvector_of_bitvector_of_Object:
  (forall x:Object pointer.
    (Object_of_bitvector(bitvector_of_Object(x)) = x))

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

axiom bitvector_of_Object_of_Object_of_bitvector:
  (forall x:bitvector. (bitvector_of_Object(Object_of_bitvector(x)) = x))

logic bitvector_of_byte : byte -> bitvector

logic byte_of_bitvector : bitvector -> byte

axiom bitvector_of_byte_of_byte_of_bitvector:
  (forall x:bitvector. (bitvector_of_byte(byte_of_bitvector(x)) = x))

logic bitvector_of_char : char -> bitvector

logic char_of_bitvector : bitvector -> char

axiom bitvector_of_char_of_char_of_bitvector:
  (forall x:bitvector. (bitvector_of_char(char_of_bitvector(x)) = x))

logic bitvector_of_int32 : int32 -> bitvector

logic int32_of_bitvector : bitvector -> int32

axiom bitvector_of_int32_of_int32_of_bitvector:
  (forall x:bitvector. (bitvector_of_int32(int32_of_bitvector(x)) = x))

logic bitvector_of_interface : interface pointer -> bitvector

logic interface_of_bitvector : bitvector -> interface pointer

axiom bitvector_of_interface_of_interface_of_bitvector:
  (forall x:bitvector.
    (bitvector_of_interface(interface_of_bitvector(x)) = x))

logic bitvector_of_long : long -> bitvector

logic long_of_bitvector : bitvector -> long

axiom bitvector_of_long_of_long_of_bitvector:
  (forall x:bitvector. (bitvector_of_long(long_of_bitvector(x)) = x))

logic bitvector_of_short : short -> bitvector

logic short_of_bitvector : bitvector -> short

axiom bitvector_of_short_of_short_of_bitvector:
  (forall x:bitvector. (bitvector_of_short(short_of_bitvector(x)) = x))

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

axiom byte_of_bitvector_of_bitvector_of_byte:
  (forall x:byte. eq_byte(byte_of_bitvector(bitvector_of_byte(x)), x))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

axiom char_of_bitvector_of_bitvector_of_char:
  (forall x:char. eq_char(char_of_bitvector(bitvector_of_char(x)), x))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_of_bitvector_of_bitvector_of_int32:
  (forall x:int32. eq_int32(int32_of_bitvector(bitvector_of_int32(x)), x))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

axiom interface_of_bitvector_of_bitvector_of_interface:
  (forall x:interface pointer.
    (interface_of_bitvector(bitvector_of_interface(x)) = x))

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Booleans(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_of_bitvector_of_bitvector_of_long:
  (forall x:long. eq_long(long_of_bitvector(bitvector_of_long(x)), x))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Booleans(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_of_bitvector_of_bitvector_of_short:
  (forall x:short. eq_short(short_of_bitvector(bitvector_of_short(x)), x))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Booleans(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_bitvector_struct_Object(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) =
  ((offset_min(bitvector_alloc_table, p) = a) and
   (offset_max(bitvector_alloc_table, p) = b))

predicate valid_bitvector_struct_Booleans(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_Exception(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_String(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_Throwable(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) = valid_bitvector_struct_Object(p,
  a, b, bitvector_alloc_table)

predicate valid_bitvector_struct_interface(p: unit pointer, a: int, b: int,
  bitvector_alloc_table: unit alloc_table) =
  ((offset_min(bitvector_alloc_table, p) = a) and
   (offset_max(bitvector_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Booleans(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Booleans_f_ensures_default_po_1:
  forall e:bool.
  forall t:bool.
  forall f:bool.
  ("JC_14": true) ->
  forall result:bool.
  (if result then
   (((e = true) or ((e = false) and ((t = true) and (f = true)))) and
    ((t = true) or ((t = false) and (f = true)))) else
   (((e = false) and ((t = false) or ((t = true) and (f = false)))) or
    (((e = true) or ((e = false) and ((t = true) and (f = true)))) and
     ((t = false) and (f = false))))) ->
  forall return:bool.
  (return = result) ->
  ("JC_15": (return = bool_and(bool_or(e, bool_and(t, f)), bool_or(t, f))))

========== running alt-ergo ==========
Running Alt-Ergo on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
why/Booleans_why.why          : . (1/0/0/0/0)
total   :   1
valid   :   1 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
why-2.34/tests/java/oracle/SimpleApplet.res.oracle0000644000175000017500000133537312311670312020542 0ustar  rtusers========== file tests/java/SimpleApplet.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// JAVACARD: will ask regtests to use Java Card API for this program

/*****************************

Very basic Java Card Applet to check non-regression of basic Java Card support

thanks to Peter Trommler 

********************/



import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.JCSystem;
import javacard.framework.OwnerPIN;
import javacard.security.*;

public class Card extends Applet {
	
    //##################################################
    //Instruction Variables
    //##################################################
    final static byte Card_Class = (byte)0x80;
    final static byte Card_Ins_Pin= (byte)0x02;
    final static byte Card_Ins_Auth=(byte)0x01;
    final static byte Card_Ins_Write= (byte) 0x05;
    final static byte Card_Ins_Del = (byte) 0x06;
    final static byte Card_Ins_Read = (byte) 0x07;
	
	
    //##################################################
    //Other Parameters
    //##################################################
    final static byte Key_Length = (byte) 0x84;
    final static short Data_Count = 10; 
    final static short Data_Len = 5;
    final static byte Term_Function_Writer =(byte) 0xAA;
    final static byte Term_Function_Reader = (byte)0x11;
	
    /**
     * Constructor for the Card.
     */
    Card(){
	// nothing to be done
    }

    //#####################################################
    //Applet Card install
    //####################################################
    public static void install(byte[] bArray, short bOffset, byte bLength) {
	// GP-compliant JavaCard applet registration
	new Card().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }
	
    //####################################################
    //Here starts the good part.
    //###################################################
    public void process(APDU apdu) {
	//When the applet is selected, the card will be initialised!		
	if (selectingApplet()) {
	    return;
	}
		
	byte[] buf = apdu.getBuffer();
		
	//Returns an error if the Class  is wrong.
	if(buf[ISO7816.OFFSET_CLA]!= Card_Class){
	    ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
	}
		
	switch (buf[ISO7816.OFFSET_INS]) {
	    //Here is where the Signature from the terminal will be checked
	    //and also here is where will be decided to what functions
	    //the Terminal will have access to.
				
	    //Calls the Read Method	
	case Card_Ins_Read:
	    // for now just return OK SW1SW2=0x9000
	    break;
				
	default:
	    // good practice: If you don't know the INStruction, say so:
	    ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
	}
	return;
    }
}


/*
Local Variables:
compile-command: "make SimpleApplet.why3ide"
End:
*/

========== krakatoa execution ==========
// JAVACARD: will ask regtests to use Java Card API for this program
Parsing OK.
Typing OK.
Generating JC function APDU_setLc for method APDU.setLc
Generating JC function Applet_install for method Applet.install
Generating JC function APDU_resetNoGetResponseFlag for method APDU.resetNoGetResponseFlag
Generating JC function APDU_getOutgoingFlag for method APDU.getOutgoingFlag
Generating JC function APDU_getLrIs256Flag for method APDU.getLrIs256Flag
Generating JC function Applet_register for method Applet.register
Generating JC function cons_RuntimeException for constructor RuntimeException
Generating JC function APDU_setNoChainingFlag for method APDU.setNoChainingFlag
Generating JC function APDU_getInBlockSize for method APDU.getInBlockSize
Generating JC function cons_Card for constructor Card
Generating JC function APDU_setNoGetResponseFlag for method APDU.setNoGetResponseFlag
Generating JC function APDU_getNoGetResponseFlag for method APDU.getNoGetResponseFlag
Generating JC function cons_Throwable for constructor Throwable
Generating JC function APDU_resetLrIs256Flag for method APDU.resetLrIs256Flag
Generating JC function APDU_setOutgoingLenSetFlag for method APDU.setOutgoingLenSetFlag
Generating JC function ISOException_throwIt for method ISOException.throwIt
Generating JC function Applet_deselect for method Applet.deselect
Generating JC function cons_APDU for constructor APDU
Generating JC function ISOException_getReason for method ISOException.getReason
Generating JC function APDU_getOutBlockSize for method APDU.getOutBlockSize
Generating JC function cons_Exception for constructor Exception
Generating JC function APDU_setIncoming for method APDU.setIncoming
Generating JC function APDU_resetSendInProgressFlag for method APDU.resetSendInProgressFlag
Generating JC function APDU_setPreReadLength for method APDU.setPreReadLength
Generating JC function cons_ISOException_short for constructor ISOException
Generating JC function APDU_getProtocol for method APDU.getProtocol
Generating JC function ISOException_setReason for method ISOException.setReason
Generating JC function APDU_resetOutgoingLenSetFlag for method APDU.resetOutgoingLenSetFlag
Generating JC function APDU_sendBytesLong for method APDU.sendBytesLong
Generating JC function APDU_complete for method APDU.complete
Generating JC function APDU_getNoChainingFlag for method APDU.getNoChainingFlag
Generating JC function APDU_setSendInProgressFlag for method APDU.setSendInProgressFlag
Generating JC function Applet_getShareableInterfaceObject for method Applet.getShareableInterfaceObject
Generating JC function APDU_setOutgoingAndSend for method APDU.setOutgoingAndSend
Generating JC function APDU_resetAPDU for method APDU.resetAPDU
Generating JC function APDU_setIncomingAndReceive for method APDU.setIncomingAndReceive
Generating JC function cons_CardRuntimeException_short for constructor CardRuntimeException
Generating JC function APDU_resetNoChainingFlag for method APDU.resetNoChainingFlag
Generating JC function APDU_getLr for method APDU.getLr
Generating JC function APDU_getOutgoingLenSetFlag for method APDU.getOutgoingLenSetFlag
Generating JC function APDU_getLc for method APDU.getLc
Generating JC function APDU_setOutgoingNoChaining for method APDU.setOutgoingNoChaining
Generating JC function cons_Object for constructor Object
Generating JC function APDU_waitExtension for method APDU.waitExtension
Generating JC function Applet_selectingApplet for method Applet.selectingApplet
Generating JC function Applet_register_byteA_short_byte for method Applet.register
Generating JC function Card_install for method Card.install
Generating JC function APDU_getSendInProgressFlag for method APDU.getSendInProgressFlag
Generating JC function CardRuntimeException_getReason for method CardRuntimeException.getReason
Generating JC function APDU_sendBytes for method APDU.sendBytes
Generating JC function APDU_setLrIs256Flag for method APDU.setLrIs256Flag
Generating JC function APDU_getPreReadLength for method APDU.getPreReadLength
Generating JC function APDU_setIncomingFlag for method APDU.setIncomingFlag
Generating JC function APDU_setLe for method APDU.setLe
Generating JC function Applet_process for method Applet.process
Generating JC function CardRuntimeException_throwIt for method CardRuntimeException.throwIt
Generating JC function APDU_getIncomingFlag for method APDU.getIncomingFlag
Generating JC function cons_Applet for constructor Applet
Generating JC function APDU_receiveBytes for method APDU.receiveBytes
Generating JC function APDU_getBuffer for method APDU.getBuffer
Generating JC function CardRuntimeException_setReason for method CardRuntimeException.setReason
Generating JC function Card_process for method Card.process
Generating JC function APDU_resetOutgoingFlag for method APDU.resetOutgoingFlag
Generating JC function APDU_send61xx for method APDU.send61xx
Generating JC function APDU_getLe for method APDU.getLe
Generating JC function Object_equals for method Object.equals
Generating JC function APDU_undoIncomingAndReceive for method APDU.undoIncomingAndReceive
Generating JC function APDU_setOutgoingFlag for method APDU.setOutgoingFlag
Generating JC function Applet_select for method Applet.select
Generating JC function APDU_setOutgoingLength for method APDU.setOutgoingLength
Generating JC function APDU_getNAD for method APDU.getNAD
Generating JC function APDU_resetIncomingFlag for method APDU.resetIncomingFlag
Generating JC function APDU_setOutgoing for method APDU.setOutgoing
Generating JC function APDU_setLr for method APDU.setLr
Done.
========== file tests/java/SimpleApplet.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_byteM{Here}(byteM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_shortM{Here}(shortM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic short ISO7816_SW_NO_ERROR =
-28672

logic short ISO7816_SW_BYTES_REMAINING_00 =
24832

logic short ISO7816_SW_WRONG_LENGTH =
26368

logic short ISO7816_SW_SECURITY_STATUS_NOT_SATISFIED =
27010

logic short ISO7816_SW_FILE_INVALID =
27011

logic short ISO7816_SW_DATA_INVALID =
27012

logic short ISO7816_SW_CONDITIONS_NOT_SATISFIED =
27013

logic short ISO7816_SW_COMMAND_NOT_ALLOWED =
27014

logic short ISO7816_SW_APPLET_SELECT_FAILED =
27033

logic short ISO7816_SW_WRONG_DATA =
27264

logic short ISO7816_SW_FUNC_NOT_SUPPORTED =
27265

logic short ISO7816_SW_FILE_NOT_FOUND =
27266

logic short ISO7816_SW_RECORD_NOT_FOUND =
27267

logic short ISO7816_SW_INCORRECT_P1P2 =
27270

logic short ISO7816_SW_WRONG_P1P2 =
27392

logic short ISO7816_SW_CORRECT_LENGTH_00 =
27648

logic short ISO7816_SW_INS_NOT_SUPPORTED =
27904

logic short ISO7816_SW_CLA_NOT_SUPPORTED =
28160

logic short ISO7816_SW_UNKNOWN =
28416

logic short ISO7816_SW_FILE_FULL =
27268

logic byte ISO7816_OFFSET_CLA =
0

logic byte ISO7816_OFFSET_INS =
1

logic byte ISO7816_OFFSET_P1 =
2

logic byte ISO7816_OFFSET_P2 =
3

logic byte ISO7816_OFFSET_LC =
4

logic byte ISO7816_OFFSET_CDATA =
5

logic byte ISO7816_CLA_ISO7816 =
0

logic byte ISO7816_INS_SELECT =
-92

logic byte ISO7816_INS_EXTERNAL_AUTHENTICATE =
-126

axiomatic BUFFERSIZE_theory {

  logic short APDU_BUFFERSIZE 
  
}

logic byte APDU_IFSC =
1

logic short APDU_IFSD =
258

logic byte APDU_LE =
0

logic byte APDU_LR =
1

logic byte APDU_LC =
2

logic byte APDU_PRE_READ_LENGTH =
3

logic byte APDU_RAM_VARS_LENGTH =
4

logic short APDU_BUFFER_OVERFLOW =
-16383

logic short APDU_READ_ERROR =
-16381

logic short APDU_WRITE_ERROR =
-16380

logic short APDU_INVALID_GET_RESPONSE =
-16378

logic byte APDU_ACK_NONE =
0

logic byte APDU_ACK_INS =
1

logic byte APDU_ACK_NOT_INS =
2

logic byte APDU_PROTOCOL_T0 =
0

logic byte APDU_PROTOCOL_T1 =
1

logic byte Card_Card_Class =
-128

logic byte Card_Card_Ins_Pin =
2

logic byte Card_Card_Ins_Auth =
1

logic byte Card_Card_Ins_Write =
5

logic byte Card_Card_Ins_Del =
6

logic byte Card_Card_Ins_Read =
7

logic byte Card_Key_Length =
-124

logic short Card_Data_Count =
10

logic short Card_Data_Len =
5

logic byte Card_Term_Function_Writer =
-86

logic byte Card_Term_Function_Reader =
17

tag Throwable = Object with {
}

tag Applet = Object with {
  PrivAccess[0..] thePrivAccess;
}

tag PackedBoolean = Object with {
}

tag NativeMethods = Object with {
}

tag CardRuntimeException = RuntimeException with {
  short reason;
}

tag OwnerPIN = Object with {
}

tag JCSystem = Object with {
}

tag Exception = Throwable with {
}

tag Object = {
}

tag APDU = Object with {
  byteM[0..] buffer; 
  PackedBoolean[0..] thePackedBoolean; 
  byte incomingFlag; 
  byte outgoingFlag; 
  byte outgoingLenSetFlag; 
  byte lrIs256Flag; 
  byte sendInProgressFlag; 
  byte noChainingFlag; 
  byte noGetResponseFlag;
  invariant buffer_inv(this_3) = ((\offset_max(this_3.buffer) + 1) >= 37);
}

tag ISOException = CardRuntimeException with {
  shortM[0..] theSw;
}

tag AID = Object with {
}

tag Card = Applet with {
}

tag PrivAccess = Object with {
}

tag RuntimeException = Exception with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag byteM = Object with {
  byte byteP;
}

tag shortM = Object with {
  short shortP;
}

boolean non_null_byteM(! byteM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_byteM(! byteM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_shortM(! shortM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_shortM(! shortM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

CardRuntimeException[0..] CardRuntimeException_systemInstance;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

APDU[0..] APDU_theAPDU;

byteM[0..] APDU_ramVars;

ISOException[0..] ISOException_systemInstance;

exception ISOException of ISOException[0..]

exception Exception of Exception[0..]

exception RuntimeException of RuntimeException[0..]

exception Throwable of Throwable[0..]

exception CardRuntimeException of CardRuntimeException[0..]

unit APDU_setLc(APDU[0] this_10, byte data_1)
;

unit Applet_install(byteM[0..] bArray, short bOffset, byte bLength)
;

unit APDU_resetNoGetResponseFlag(APDU[0] this_11)
;

boolean APDU_getOutgoingFlag(APDU[0] this_12)
;

boolean APDU_getLrIs256Flag(APDU[0] this_13)
;

unit Applet_register(Applet[0] this_14)
;

unit cons_RuntimeException(! RuntimeException[0] this_66){()}

unit APDU_setNoChainingFlag(APDU[0] this_15)
;

short APDU_getInBlockSize()
;

unit cons_Card(! Card[0] this_9){()}

unit APDU_setNoGetResponseFlag(APDU[0] this_16)
;

boolean APDU_getNoGetResponseFlag(APDU[0] this_17)
;

unit cons_Throwable(! Throwable[0] this_67){()}

unit APDU_resetLrIs256Flag(APDU[0] this_18)
;

unit APDU_setOutgoingLenSetFlag(APDU[0] this_19)
;

unit ISOException_throwIt(short sw_0)
;

unit Applet_deselect(Applet[0] this_20)
;

unit cons_APDU(! APDU[0] this_68)
{  (this_68.buffer = null);
   (this_68.thePackedBoolean = null);
   (this_68.incomingFlag = 0);
   (this_68.outgoingFlag = 0);
   (this_68.outgoingLenSetFlag = 0);
   (this_68.lrIs256Flag = 0);
   (this_68.sendInProgressFlag = 0);
   (this_68.noChainingFlag = 0);
   (this_68.noGetResponseFlag = 0)
}

short ISOException_getReason(ISOException[0] this_21)
;

short APDU_getOutBlockSize()
;

unit cons_Exception(! Exception[0] this_69){()}

unit APDU_setIncoming(APDU[0] this_22)
;

unit APDU_resetSendInProgressFlag(APDU[0] this_23)
;

unit APDU_setPreReadLength(APDU[0] this_24, byte data_2)
;

unit cons_ISOException_short(! ISOException[0] this_70, short sw)
{  (this_70.theSw = null)
}

byte APDU_getProtocol()
;

unit ISOException_setReason(ISOException[0] this_25, short sw_1)
;

unit APDU_resetOutgoingLenSetFlag(APDU[0] this_26)
;

unit APDU_sendBytesLong(APDU[0] this_27, byteM[0..] outData, short bOff_1,
                        short len_2)
;

unit APDU_complete(APDU[0] this_28, short status)
;

boolean APDU_getNoChainingFlag(APDU[0] this_29)
;

unit APDU_setSendInProgressFlag(APDU[0] this_30)
;

Object/*interface*/[0..] Applet_getShareableInterfaceObject(Applet[0] this_31,
                                                            AID[0..] clientAID,
                                                            byte param)
;

unit APDU_setOutgoingAndSend(APDU[0] this_32, short bOff_2, short len_3)
;

unit APDU_resetAPDU(APDU[0] this_33)
;

short APDU_setIncomingAndReceive(APDU[0] this_34)
;

unit cons_CardRuntimeException_short(! CardRuntimeException[0] this_71,
                                     short reason)
{  (this_71.reason = 0)
}

unit APDU_resetNoChainingFlag(APDU[0] this_35)
;

short APDU_getLr(APDU[0] this_36)
;

boolean APDU_getOutgoingLenSetFlag(APDU[0] this_37)
;

byte APDU_getLc(APDU[0] this_38)
;

short APDU_setOutgoingNoChaining(APDU[0] this_39)
;

unit cons_Object(! Object[0] this_72){()}

unit APDU_waitExtension()
;

boolean Applet_selectingApplet(Applet[0] this_40)
;

unit Applet_register_byteA_short_byte(Applet[0] this_52, byteM[0..] bArray_0,
                                      short bOffset_0, byte bLength_0)
;

unit Card_install(byteM[0..] bArray_1, short bOffset_1, byte bLength_1)
{  (K_4 : Applet_register_byteA_short_byte(
                                           {  
                                              (var Card[0] this = (new Card[1]));
                                              
                                              {  
                                                 (var unit _tt = cons_Card(
                                                 this));
                                                 this
                                              }
                                           }, bArray_1,
                                           (K_2 : ((K_1 : ((bOffset_1 + 1) :> int32)) :> short)),
                                           (K_3 : (bArray_1 + bOffset_1).byteP)))
}

boolean APDU_getSendInProgressFlag(APDU[0] this_41)
;

short CardRuntimeException_getReason(CardRuntimeException[0] this_42)
;

unit APDU_sendBytes(APDU[0] this_43, short bOff_0, short len_1)
;

unit APDU_setLrIs256Flag(APDU[0] this_44)
;

byte APDU_getPreReadLength(APDU[0] this_45)
;

unit APDU_setIncomingFlag(APDU[0] this_46)
;

unit APDU_setLe(APDU[0] this_47, byte data)
;

unit Applet_process(Applet[0] this_48, APDU[0..] apdu)
;

unit CardRuntimeException_throwIt(short reason_1)
;

boolean APDU_getIncomingFlag(APDU[0] this_49)
;

unit cons_Applet(! Applet[0] this_73)
{  (this_73.thePrivAccess = null)
}

short APDU_receiveBytes(APDU[0] this_50, short bOff)
;

byteM[0..] APDU_getBuffer(APDU[0] this_51)
behavior normal:
  ensures (K_5 : (\result == this_51.buffer));
;

unit CardRuntimeException_setReason(CardRuntimeException[0] this_53,
                                    short reason_0)
;

unit Card_process(Card[0] this_1, APDU[0..] apdu_0)
{  (if (K_6 : Applet_selectingApplet(this_1)) then 
   (return ()) else ());
   
   {  
      (var byteM[0..] buf = (K_12 : APDU_getBuffer(apdu_0)));
      
      {  (if (K_9 : ((K_8 : (buf + ISO7816_OFFSET_CLA).byteP) !=
                      Card_Card_Class)) then (K_7 : ISOException_throwIt(
                                             ISO7816_SW_CLA_NOT_SUPPORTED)) else ());
         
         switch ((K_11 : (buf + ISO7816_OFFSET_INS).byteP)) {
           case Card_Card_Ins_Read:
           {  
              (break )
           }
           default:
           {  (K_10 : ISOException_throwIt(ISO7816_SW_INS_NOT_SUPPORTED))
           }
         };
         
         (return ())
      }
   }
}

unit APDU_resetOutgoingFlag(APDU[0] this_54)
;

short APDU_send61xx(APDU[0] this_55, short len_0)
;

short APDU_getLe(APDU[0] this_56)
;

boolean Object_equals(Object[0] this_57, Object[0..] obj)
;

unit APDU_undoIncomingAndReceive(APDU[0] this_58)
;

unit APDU_setOutgoingFlag(APDU[0] this_59)
;

boolean Applet_select(Applet[0] this_60)
;

unit APDU_setOutgoingLength(APDU[0] this_61, short len)
;

byte APDU_getNAD(APDU[0] this_62)
;

unit APDU_resetIncomingFlag(APDU[0] this_63)
;

short APDU_setOutgoing(APDU[0] this_64)
;

unit APDU_setLr(APDU[0] this_65, byte data_0)
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/SimpleApplet.jloc tests/java/SimpleApplet.jc && make -f tests/java/SimpleApplet.makefile gui"
End:
*/
========== file tests/java/SimpleApplet.jloc ==========
[APDU_send61xx]
name = "Method send61xx"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 520
begin = 16
end = 24

[APDU_complete]
name = "Method complete"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 752
begin = 7
end = 15

[APDU_setOutgoingAndSend]
name = "Method setOutgoingAndSend"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 719
begin = 15
end = 33

[Applet_register_byteA_short_byte]
name = "Method register"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 281
begin = 25
end = 33

[cons_Applet]
name = "Constructor of class Applet"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 97
begin = 14
end = 20

[Card_process]
name = "Method process"
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[APDU_getNAD]
name = "Method getNAD"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 339
begin = 14
end = 20

[APDU_setOutgoingLenSetFlag]
name = "Method setOutgoingLenSetFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 213
begin = 15
end = 36

[APDU_setOutgoingLength]
name = "Method setOutgoingLength"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 403
begin = 14
end = 31

[Applet_select]
name = "Method select"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 185
begin = 19
end = 25

[cons_Card]
name = "Constructor of class Card"
file = "HOME/tests/java/SimpleApplet.java"
line = 77
begin = 4
end = 8

[K_11]
file = "HOME/tests/java/SimpleApplet.java"
line = 105
begin = 9
end = 32

[Applet_selectingApplet]
name = "Method selectingApplet"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 293
begin = 28
end = 43

[APDU_resetLrIs256Flag]
name = "Method resetLrIs256Flag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 219
begin = 15
end = 31

[Applet_deselect]
name = "Method deselect"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 209
begin = 16
end = 24

[K_9]
file = "HOME/tests/java/SimpleApplet.java"
line = 101
begin = 4
end = 40

[APDU_sendBytes]
name = "Method sendBytes"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 577
begin = 14
end = 23

[Applet_install]
name = "Method install"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 139
begin = 23
end = 30

[Card_install]
name = "Method install"
file = "HOME/tests/java/SimpleApplet.java"
line = 84
begin = 23
end = 30

[cons_Object]
name = "Constructor of class Object"
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 47
begin = 9
end = 15

[K_1]
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 38
end = 49

[CardRuntimeException_setReason]
name = "Method setReason"
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 74
begin = 14
end = 23

[K_4]
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 1
end = 68

[K_12]
file = "HOME/tests/java/SimpleApplet.java"
line = 98
begin = 14
end = 30

[APDU_getLr]
name = "Method getLr"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 178
begin = 16
end = 21

[APDU_setOutgoing]
name = "Method setOutgoing"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 354
begin = 15
end = 26

[APDU_getLe]
name = "Method getLe"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 171
begin = 16
end = 21

[APDU_setIncomingAndReceive]
name = "Method setIncomingAndReceive"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 505
begin = 15
end = 36

[APDU_setNoChainingFlag]
name = "Method setNoChainingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 226
begin = 15
end = 32

[APDU_getOutBlockSize]
name = "Method getOutBlockSize"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 310
begin = 22
end = 37

[APDU_getOutgoingLenSetFlag]
name = "Method getOutgoingLenSetFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 212
begin = 18
end = 39

[ISOException_getReason]
name = "Method getReason"
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 106
begin = 28
end = 37

[APDU_getNoGetResponseFlag]
name = "Method getNoGetResponseFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 230
begin = 18
end = 38

[APDU_resetOutgoingLenSetFlag]
name = "Method resetOutgoingLenSetFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 214
begin = 15
end = 38

[K_2]
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 29
end = 50

[APDU_resetNoChainingFlag]
name = "Method resetNoChainingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 227
begin = 15
end = 34

[APDU_getLrIs256Flag]
name = "Method getLrIs256Flag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 217
begin = 18
end = 32

[APDU_setIncomingFlag]
name = "Method setIncomingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 198
begin = 15
end = 30

[APDU_setIncoming]
name = "Method setIncoming"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 422
begin = 15
end = 26

[cons_Throwable]
name = "Constructor of class Throwable"
file = "HOME/lib/javacard_api/java/lang/Throwable.java"
line = 48
begin = 9
end = 18

[Applet_register]
name = "Method register"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 252
begin = 25
end = 33

[Applet_getShareableInterfaceObject]
name = "Method getShareableInterfaceObject"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 230
begin = 21
end = 48

[K_10]
file = "HOME/tests/java/SimpleApplet.java"
line = 117
begin = 5
end = 55

[APDU_setSendInProgressFlag]
name = "Method setSendInProgressFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 203
begin = 15
end = 36

[K_6]
file = "HOME/tests/java/SimpleApplet.java"
line = 94
begin = 5
end = 22

[K_8]
file = "HOME/tests/java/SimpleApplet.java"
line = 101
begin = 4
end = 27

[APDU_undoIncomingAndReceive]
name = "Method undoIncomingAndReceive"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 793
begin = 7
end = 29

[APDU_waitExtension]
name = "Method waitExtension"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 811
begin = 21
end = 34

[APDU_getOutgoingFlag]
name = "Method getOutgoingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 207
begin = 18
end = 33

[APDU_getLc]
name = "Method getLc"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 185
begin = 15
end = 20

[K_3]
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 52
end = 67

[cons_Exception]
name = "Constructor of class Exception"
file = "HOME/lib/javacard_api/java/lang/Exception.java"
line = 49
begin = 9
end = 18

[APDU_resetNoGetResponseFlag]
name = "Method resetNoGetResponseFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 232
begin = 15
end = 37

[APDU_setOutgoingFlag]
name = "Method setOutgoingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 208
begin = 15
end = 30

[APDU_getNoChainingFlag]
name = "Method getNoChainingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 225
begin = 10
end = 27

[CardRuntimeException_throwIt]
name = "Method throwIt"
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 89
begin = 21
end = 28

[APDU_setLr]
name = "Method setLr"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 182
begin = 15
end = 20

[APDU_getIncomingFlag]
name = "Method getIncomingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 197
begin = 18
end = 33

[APDU_getInBlockSize]
name = "Method getInBlockSize"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 291
begin = 22
end = 36

[cons_ISOException_short]
name = "Constructor of class ISOException"
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 59
begin = 9
end = 21

[APDU_setLrIs256Flag]
name = "Method setLrIs256Flag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 218
begin = 15
end = 29

[APDU_resetOutgoingFlag]
name = "Method resetOutgoingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 209
begin = 15
end = 32

[APDU_getSendInProgressFlag]
name = "Method getSendInProgressFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 202
begin = 18
end = 39

[APDU_sendBytesLong]
name = "Method sendBytesLong"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 685
begin = 14
end = 27

[APDU_setOutgoingNoChaining]
name = "Method setOutgoingNoChaining"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 381
begin = 15
end = 36

[ISOException_throwIt]
name = "Method throwIt"
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 86
begin = 23
end = 30

[cons_CardRuntimeException_short]
name = "Constructor of class CardRuntimeException"
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 56
begin = 9
end = 29

[APDU_resetIncomingFlag]
name = "Method resetIncomingFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 199
begin = 15
end = 32

[APDU_setLc]
name = "Method setLc"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 186
begin = 15
end = 20

[APDU_getProtocol]
name = "Method getProtocol"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 329
begin = 21
end = 32

[cons_RuntimeException]
name = "Constructor of class RuntimeException"
file = "HOME/lib/javacard_api/java/lang/RuntimeException.java"
line = 47
begin = 9
end = 25

[APDU_setLe]
name = "Method setLe"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 175
begin = 15
end = 20

[APDU_getPreReadLength]
name = "Method getPreReadLength"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 189
begin = 15
end = 31

[K_5]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 269
begin = 18
end = 35

[Applet_process]
name = "Method process"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 166
begin = 25
end = 32

[APDU_resetAPDU]
name = "Method resetAPDU"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 726
begin = 7
end = 16

[cons_APDU]
name = "Constructor of class APDU"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[APDU_setNoGetResponseFlag]
name = "Method setNoGetResponseFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 231
begin = 15
end = 35

[Object_equals]
name = "Method equals"
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 85
begin = 31
end = 37

[K_7]
file = "HOME/tests/java/SimpleApplet.java"
line = 102
begin = 5
end = 55

[APDU_receiveBytes]
name = "Method receiveBytes"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 459
begin = 15
end = 27

[APDU_getBuffer]
name = "Method getBuffer"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[CardRuntimeException_getReason]
name = "Method getReason"
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 67
begin = 30
end = 39

[APDU_resetSendInProgressFlag]
name = "Method resetSendInProgressFlag"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 204
begin = 15
end = 38

[APDU_setPreReadLength]
name = "Method setPreReadLength"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 190
begin = 15
end = 31

[ISOException_setReason]
name = "Method setReason"
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 119
begin = 14
end = 23

========== jessie execution ==========
Generating Why function cons_RuntimeException
Generating Why function cons_Card
Generating Why function cons_Throwable
Generating Why function cons_APDU
Generating Why function cons_Exception
Generating Why function cons_ISOException_short
Generating Why function cons_CardRuntimeException_short
Generating Why function cons_Object
Generating Why function Card_install
Generating Why function cons_Applet
Generating Why function Card_process
========== file tests/java/SimpleApplet.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs SimpleApplet.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs SimpleApplet.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/SimpleApplet_why.sx

project: why/SimpleApplet.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/SimpleApplet_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/SimpleApplet_why.vo

coq/SimpleApplet_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/SimpleApplet_why.v: why/SimpleApplet.why
	@echo 'why -coq [...] why/SimpleApplet.why' && $(WHY) $(JESSIELIBFILES) why/SimpleApplet.why && rm -f coq/jessie_why.v

coq-goals: goals coq/SimpleApplet_ctx_why.vo
	for f in why/*_po*.why; do make -f SimpleApplet.makefile coq/`basename $$f .why`_why.v ; done

coq/SimpleApplet_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/SimpleApplet_ctx_why.v: why/SimpleApplet_ctx.why
	@echo 'why -coq [...] why/SimpleApplet_ctx.why' && $(WHY) why/SimpleApplet_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export SimpleApplet_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/SimpleApplet_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/SimpleApplet_ctx_why.vo

pvs: pvs/SimpleApplet_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/SimpleApplet_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/SimpleApplet_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/SimpleApplet_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/SimpleApplet_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/SimpleApplet_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/SimpleApplet_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/SimpleApplet_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/SimpleApplet_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/SimpleApplet_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/SimpleApplet_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/SimpleApplet_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/SimpleApplet_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/SimpleApplet_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/SimpleApplet_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: SimpleApplet.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/SimpleApplet_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: SimpleApplet.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: SimpleApplet.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: SimpleApplet.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include SimpleApplet.depend

depend: coq/SimpleApplet_why.v
	-$(COQDEP) -I coq coq/SimpleApplet*_why.v > SimpleApplet.depend

clean:
	rm -f coq/*.vo

========== file tests/java/SimpleApplet.loc ==========
[JC_494]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_451]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_373]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 185
begin = 15
end = 20

[JC_294]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_453]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 577
begin = 14
end = 23

[JC_421]
file = "HOME/tests/java/SimpleApplet.java"
line = 84
begin = 23
end = 30

[cons_Applet_ensures_default]
name = "Constructor of class Applet"
behavior = "default behavior"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 97
begin = 14
end = 20

[JC_617]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 226
begin = 15
end = 32

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_448]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_404]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 231
begin = 15
end = 35

[JC_327]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_544]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[JC_475]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 189
begin = 15
end = 31

[JC_410]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_320]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_180]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_ensures_default]
name = "Constructor of class Throwable"
behavior = "default behavior"
file = "HOME/lib/javacard_api/java/lang/Throwable.java"
line = 48
begin = 9
end = 18

[JC_473]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_394]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_502]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_460]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 577
begin = 14
end = 23

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_491]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 175
begin = 15
end = 20

[JC_201]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_536]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_513]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_194]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_642]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 339
begin = 14
end = 20

[JC_323]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 726
begin = 7
end = 16

[JC_280]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/SimpleApplet.jc"
line = 286
begin = 8
end = 23

[cons_Card_ensures_default]
name = "Constructor of class Card"
behavior = "default behavior"
file = "HOME/tests/java/SimpleApplet.java"
line = 77
begin = 4
end = 8

[JC_375]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/tests/java/SimpleApplet.java"
line = 77
begin = 4
end = 8

[JC_67]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 232
begin = 15
end = 37

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_315]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 719
begin = 15
end = 33

[JC_486]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/SimpleApplet.jc"
line = 301
begin = 8
end = 23

[JC_594]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 171
begin = 16
end = 21

[JC_357]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 178
begin = 16
end = 21

[JC_561]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.java"
line = 94
begin = 5
end = 22

[JC_74]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 232
begin = 15
end = 37

[JC_656]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_195]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 106
begin = 28
end = 37

[JC_326]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/SimpleApplet.jc"
line = 288
begin = 10
end = 18

[JC_616]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_665]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_430]
kind = AllocSize
file = "HOME/tests/java/SimpleApplet.jc"
line = 474
begin = 67
end = 78

[JC_646]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 199
begin = 15
end = 32

[JC_415]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_405]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 293
begin = 28
end = 43

[JC_403]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 293
begin = 28
end = 43

[JC_82]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 207
begin = 18
end = 33

[JC_411]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 281
begin = 25
end = 33

[JC_163]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 213
begin = 15
end = 36

[JC_634]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 403
begin = 14
end = 31

[JC_359]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_589]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_661]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_417]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/SimpleApplet.jc"
line = 294
begin = 10
end = 18

[JC_595]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 171
begin = 16
end = 21

[JC_386]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 381
begin = 15
end = 36

[JC_340]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_291]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 225
begin = 10
end = 27

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 213
begin = 15
end = 36

[JC_599]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_420]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_314]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 291
begin = 22
end = 36

[JC_109]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 226
begin = 15
end = 32

[JC_69]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 232
begin = 15
end = 37

[JC_362]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 178
begin = 16
end = 21

[JC_295]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_268]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_449]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_329]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 726
begin = 7
end = 16

[JC_328]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_304]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_583]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_650]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 199
begin = 15
end = 32

[cons_CardRuntimeException_short_ensures_default]
name = "Constructor of class CardRuntimeException"
behavior = "default behavior"
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 56
begin = 9
end = 29

[JC_218]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_101]
file = "HOME/lib/javacard_api/java/lang/RuntimeException.java"
line = 47
begin = 9
end = 25

[JC_526]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_387]
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 47
begin = 9
end = 15

[JC_459]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 577
begin = 14
end = 23

[JC_372]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_440]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_509]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 197
begin = 18
end = 33

[JC_289]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 752
begin = 7
end = 15

[JC_302]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/tests/java/SimpleApplet.jc"
line = 292
begin = 8
end = 32

[JC_296]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_290]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 752
begin = 7
end = 15

[JC_370]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 212
begin = 18
end = 39

[JC_173]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 86
begin = 23
end = 30

[JC_567]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.jc"
line = 549
begin = 22
end = 72

[JC_524]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_360]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/SimpleApplet.jc"
line = 281
begin = 10
end = 18

[JC_335]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/SimpleApplet.jc"
line = 301
begin = 8
end = 23

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_318]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_343]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 217
begin = 18
end = 32

[JC_653]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_504]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_281]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 685
begin = 14
end = 27

[JC_131]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 231
begin = 15
end = 35

[JC_645]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_581]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_181]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 209
begin = 16
end = 24

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_538]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 186
begin = 15
end = 20

[JC_257]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 219
begin = 15
end = 31

[JC_89]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 217
begin = 18
end = 32

[JC_333]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 505
begin = 15
end = 36

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_605]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_293]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 225
begin = 10
end = 27

[JC_165]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 213
begin = 15
end = 36

[JC_217]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_338]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 505
begin = 15
end = 36

[JC_229]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 204
begin = 15
end = 38

[cons_Card_safety]
name = "Constructor of class Card"
behavior = "Safety"
file = "HOME/tests/java/SimpleApplet.java"
line = 77
begin = 4
end = 8

[JC_564]
kind = IndexBounds
file = "HOME/tests/java/SimpleApplet.java"
line = 101
begin = 4
end = 27

[JC_500]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 166
begin = 25
end = 32

[JC_402]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_364]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/SimpleApplet.jc"
line = 303
begin = 11
end = 65

[JC_633]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_620]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 185
begin = 19
end = 25

[JC_615]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_409]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_479]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 198
begin = 15
end = 30

[cons_Exception_ensures_default]
name = "Constructor of class Exception"
behavior = "default behavior"
file = "HOME/lib/javacard_api/java/lang/Exception.java"
line = 49
begin = 9
end = 18

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_559]
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[JC_28]
file = "HOME/tests/java/SimpleApplet.jc"
line = 288
begin = 10
end = 18

[JC_198]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_580]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 520
begin = 16
end = 24

[JC_555]
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[JC_285]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 752
begin = 7
end = 15

[JC_483]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 198
begin = 15
end = 30

[cons_ISOException_short_safety]
name = "Constructor of class ISOException"
behavior = "Safety"
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 59
begin = 9
end = 21

[JC_604]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 793
begin = 7
end = 29

[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 232
begin = 15
end = 37

[JC_597]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_279]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_422]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_627]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_381]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 381
begin = 15
end = 36

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_306]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 203
begin = 15
end = 36

[JC_380]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_655]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_611]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 793
begin = 7
end = 29

[JC_365]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 212
begin = 18
end = 39

[JC_251]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 329
begin = 21
end = 32

[JC_203]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 310
begin = 22
end = 37

[JC_376]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_313]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 47
begin = 9
end = 15

[JC_546]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_265]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 213
begin = 15
end = 36

[JC_593]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_492]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 175
begin = 15
end = 20

[JC_300]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_319]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_635]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 403
begin = 14
end = 31

[JC_493]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 166
begin = 25
end = 32

[JC_347]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 227
begin = 15
end = 34

[JC_247]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_550]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 231
begin = 15
end = 35

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_466]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_231]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 207
begin = 18
end = 33

[JC_658]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 354
begin = 15
end = 26

[JC_643]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 339
begin = 14
end = 20

[JC_628]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 403
begin = 14
end = 31

[JC_553]
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[JC_641]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_530]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_350]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_528]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_356]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_260]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_212]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_571]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.jc"
line = 549
begin = 22
end = 72

[JC_568]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.java"
line = 94
begin = 5
end = 22

[JC_298]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 225
begin = 10
end = 27

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_474]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_481]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_664]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_542]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[JC_427]
kind = PointerDeref
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 52
end = 67

[JC_332]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_278]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_663]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_237]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 190
begin = 15
end = 31

[JC_367]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_334]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_464]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_CardRuntimeException_short_safety]
name = "Constructor of class CardRuntimeException"
behavior = "Safety"
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 56
begin = 9
end = 29

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_578]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 209
begin = 15
end = 32

[JC_560]
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[JC_15]
file = "HOME/tests/java/SimpleApplet.jc"
line = 282
begin = 11
end = 103

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_516]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 197
begin = 18
end = 33

[JC_368]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 217
begin = 18
end = 32

[JC_321]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 719
begin = 15
end = 33

[JC_215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_629]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/java/SimpleApplet.jc"
line = 275
begin = 10
end = 18

[JC_299]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 203
begin = 15
end = 36

[JC_242]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 190
begin = 15
end = 31

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_305]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 203
begin = 15
end = 36

[JC_252]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_171]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 86
begin = 23
end = 30

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_155]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 219
begin = 15
end = 31

[JC_274]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 214
begin = 15
end = 38

[JC_485]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 175
begin = 15
end = 20

[JC_551]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_540]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[JC_477]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 198
begin = 15
end = 30

[JC_446]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_666]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 182
begin = 15
end = 20

[JC_425]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_310]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_471]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 189
begin = 15
end = 31

[JC_648]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_575]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_348]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_490]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_418]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_245]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 59
begin = 9
end = 21

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_429]
kind = ArithOverflow
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 29
end = 50

[JC_353]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 227
begin = 15
end = 34

[JC_517]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 97
begin = 14
end = 20

[JC_393]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_586]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 520
begin = 16
end = 24

[JC_93]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 252
begin = 25
end = 33

[JC_259]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 119
begin = 14
end = 23

[JC_554]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_532]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 459
begin = 15
end = 27

[JC_277]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 685
begin = 14
end = 27

[JC_288]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_283]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 752
begin = 7
end = 15

[JC_114]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 226
begin = 15
end = 32

[JC_484]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 198
begin = 15
end = 30

[JC_445]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 67
begin = 30
end = 39

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 291
begin = 22
end = 36

[JC_53]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 186
begin = 15
end = 20

[JC_414]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/SimpleApplet.jc"
line = 286
begin = 8
end = 23

[JC_287]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 207
begin = 18
end = 33

[JC_49]
file = "HOME/tests/java/SimpleApplet.jc"
line = 303
begin = 11
end = 65

[JC_1]
file = "HOME/tests/java/SimpleApplet.jc"
line = 273
begin = 8
end = 22

[JC_602]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Exception_safety]
name = "Constructor of class Exception"
behavior = "Safety"
file = "HOME/lib/javacard_api/java/lang/Exception.java"
line = 49
begin = 9
end = 18

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 230
begin = 18
end = 38

[JC_399]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_249]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 139
begin = 23
end = 30

[JC_355]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 178
begin = 16
end = 21

[JC_342]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_397]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 811
begin = 21
end = 34

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_576]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/SimpleApplet.jc"
line = 273
begin = 8
end = 22

[JC_377]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 185
begin = 15
end = 20

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_228]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_495]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 166
begin = 25
end = 32

[Card_install_ensures_default]
name = "Method install"
behavior = "default behavior"
file = "HOME/tests/java/SimpleApplet.java"
line = 84
begin = 23
end = 30

[JC_384]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 230
begin = 18
end = 38

[JC_352]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_489]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_462]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_244]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_498]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_311]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_230]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_275]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 685
begin = 14
end = 27

[JC_234]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 204
begin = 15
end = 38

[JC_286]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_534]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_363]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 212
begin = 18
end = 39

[JC_619]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 208
begin = 15
end = 30

[JC_577]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_233]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 204
begin = 15
end = 38

[JC_467]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 218
begin = 15
end = 29

[cons_ISOException_short_ensures_default]
name = "Constructor of class ISOException"
behavior = "default behavior"
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 59
begin = 9
end = 21

[JC_177]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_461]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 218
begin = 15
end = 29

[JC_221]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 422
begin = 15
end = 26

[JC_51]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 186
begin = 15
end = 20

[JC_392]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_519]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 97
begin = 14
end = 20

[JC_316]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_565]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.java"
line = 102
begin = 5
end = 55

[JC_382]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/lib/javacard_api/java/lang/Throwable.java"
line = 48
begin = 9
end = 18

[JC_636]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 339
begin = 14
end = 20

[JC_442]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_436]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.jc"
line = 472
begin = 10
end = 739

[JC_123]
file = "HOME/tests/java/SimpleApplet.java"
line = 77
begin = 4
end = 8

[JC_587]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 520
begin = 16
end = 24

[JC_248]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_457]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_301]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 203
begin = 15
end = 36

[JC_366]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_452]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_261]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 119
begin = 14
end = 23

[JC_188]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_379]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 381
begin = 15
end = 36

[JC_346]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/lib/javacard_api/java/lang/RuntimeException.java"
line = 47
begin = 9
end = 25

[JC_632]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_630]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 403
begin = 14
end = 31

[JC_622]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 185
begin = 19
end = 25

[JC_570]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.java"
line = 102
begin = 5
end = 55

[JC_501]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 89
begin = 21
end = 28

[JC_85]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 217
begin = 18
end = 32

[JC_647]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_250]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_391]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_307]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 230
begin = 21
end = 48

[JC_465]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/SimpleApplet.jc"
line = 292
begin = 8
end = 32

[JC_17]
file = "HOME/tests/java/SimpleApplet.jc"
line = 282
begin = 11
end = 103

[JC_401]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_626]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_205]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 310
begin = 22
end = 37

[JC_81]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 207
begin = 18
end = 33

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_369]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 212
begin = 18
end = 39

[JC_354]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 227
begin = 15
end = 34

[JC_241]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 190
begin = 15
end = 31

[JC_172]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_518]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_443]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 202
begin = 18
end = 39

[JC_25]
file = "HOME/tests/java/SimpleApplet.jc"
line = 289
begin = 11
end = 66

[JC_480]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_416]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_358]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_189]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[JC_563]
kind = IndexBounds
file = "HOME/tests/java/SimpleApplet.java"
line = 98
begin = 14
end = 30

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_447]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 67
begin = 30
end = 39

[JC_582]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 520
begin = 16
end = 24

[JC_558]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_659]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 354
begin = 15
end = 26

[JC_468]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 218
begin = 15
end = 29

[JC_8]
file = "HOME/tests/java/SimpleApplet.jc"
line = 275
begin = 10
end = 18

[JC_271]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_270]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_547]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 74
begin = 14
end = 23

[JC_476]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 189
begin = 15
end = 31

[JC_256]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_426]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_385]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 381
begin = 15
end = 36

[JC_13]
file = "HOME/tests/java/SimpleApplet.jc"
line = 279
begin = 8
end = 31

[JC_539]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[JC_240]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_222]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_450]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_246]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/SimpleApplet.jc"
line = 279
begin = 8
end = 31

[JC_569]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.java"
line = 98
begin = 14
end = 30

[JC_185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_639]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_345]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_412]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_safety]
name = "Constructor of class RuntimeException"
behavior = "Safety"
file = "HOME/lib/javacard_api/java/lang/RuntimeException.java"
line = 47
begin = 9
end = 25

[cons_APDU_safety]
name = "Constructor of class APDU"
behavior = "Safety"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_573]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_496]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_472]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/SimpleApplet.jc"
line = 289
begin = 11
end = 66

[JC_322]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 719
begin = 15
end = 33

[JC_219]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 422
begin = 15
end = 26

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_590]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 171
begin = 16
end = 21

[JC_273]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 214
begin = 15
end = 38

[JC_428]
kind = ArithOverflow
file = "HOME/tests/java/SimpleApplet.java"
line = 86
begin = 38
end = 49

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_325]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 726
begin = 7
end = 16

[JC_308]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_264]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_433]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.jc"
line = 472
begin = 10
end = 739

[JC_223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_601]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_584]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_574]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 209
begin = 15
end = 32

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_272]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_613]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 139
begin = 23
end = 30

[JC_497]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_254]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_243]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 59
begin = 9
end = 21

[JC_276]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_557]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_432]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.jc"
line = 477
begin = 65
end = 130

[JC_470]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_507]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_267]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 214
begin = 15
end = 38

[JC_515]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 197
begin = 18
end = 33

[JC_235]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 190
begin = 15
end = 31

[JC_435]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.jc"
line = 477
begin = 65
end = 130

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_225]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 422
begin = 15
end = 26

[JC_149]
file = "HOME/lib/javacard_api/java/lang/Throwable.java"
line = 48
begin = 9
end = 18

[JC_618]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 208
begin = 15
end = 30

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_324]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_292]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/tests/java/SimpleApplet.jc"
line = 295
begin = 11
end = 103

[JC_523]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_284]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_503]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 89
begin = 21
end = 28

[JC_390]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_552]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_441]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_213]
file = "HOME/lib/javacard_api/java/lang/Exception.java"
line = 49
begin = 9
end = 18

[JC_253]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 329
begin = 21
end = 32

[JC_612]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 208
begin = 15
end = 30

[JC_598]
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 85
begin = 31
end = 37

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_549]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_606]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 793
begin = 7
end = 29

[JC_652]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 354
begin = 15
end = 26

[JC_407]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_344]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_187]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[JC_543]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 269
begin = 18
end = 35

[JC_238]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_309]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 230
begin = 21
end = 48

[JC_591]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_336]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Throwable_safety]
name = "Constructor of class Throwable"
behavior = "Safety"
file = "HOME/lib/javacard_api/java/lang/Throwable.java"
line = 48
begin = 9
end = 18

[JC_488]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_APDU_ensures_default]
name = "Constructor of class APDU"
behavior = "default behavior"
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[JC_58]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 186
begin = 15
end = 20

[Card_process_safety]
name = "Method process"
behavior = "Safety"
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[JC_378]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 185
begin = 15
end = 20

[JC_531]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 459
begin = 15
end = 27

[JC_383]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_609]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_625]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_RuntimeException_ensures_default]
name = "Constructor of class RuntimeException"
behavior = "default behavior"
file = "HOME/lib/javacard_api/java/lang/RuntimeException.java"
line = 47
begin = 9
end = 25

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_196]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_520]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_610]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 793
begin = 7
end = 29

[JC_640]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_419]
file = "HOME/tests/java/SimpleApplet.java"
line = 84
begin = 23
end = 30

[JC_197]
file = "HOME/lib/javacard_api/javacard/framework/ISOException.java"
line = 106
begin = 28
end = 37

[JC_579]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 209
begin = 15
end = 32

[JC_438]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_374]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_361]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 178
begin = 16
end = 21

[JC_608]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_408]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_339]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 56
begin = 9
end = 29

[JC_406]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_400]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_487]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 175
begin = 15
end = 20

[JC_463]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 218
begin = 15
end = 29

[JC_337]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 505
begin = 15
end = 36

[JC_522]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_227]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 204
begin = 15
end = 38

[JC_649]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_623]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_527]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 459
begin = 15
end = 27

[JC_434]
kind = AllocSize
file = "HOME/tests/java/SimpleApplet.jc"
line = 474
begin = 67
end = 78

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_533]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[JC_607]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_236]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_603]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 231
begin = 15
end = 35

[JC_541]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 269
begin = 18
end = 35

[JC_269]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 214
begin = 15
end = 38

[JC_556]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_525]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 459
begin = 15
end = 27

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_657]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_458]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/tests/java/SimpleApplet.jc"
line = 276
begin = 11
end = 66

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_193]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 239
begin = 2
end = 6

[JC_282]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 685
begin = 14
end = 27

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_371]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 185
begin = 15
end = 20

[JC_592]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_232]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_545]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 74
begin = 14
end = 23

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_654]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 354
begin = 15
end = 26

[JC_330]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 726
begin = 7
end = 16

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_638]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 339
begin = 14
end = 20

[JC_413]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 281
begin = 25
end = 33

[JC_389]
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 47
begin = 9
end = 15

[JC_455]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 577
begin = 14
end = 23

[JC_644]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 199
begin = 15
end = 32

[JC_512]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_660]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 182
begin = 15
end = 20

[JC_621]
file = "HOME/"
line = 0
begin = -1
end = -1

[Card_install_safety]
name = "Method install"
behavior = "Safety"
file = "HOME/tests/java/SimpleApplet.java"
line = 84
begin = 23
end = 30

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 252
begin = 25
end = 33

[JC_662]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 182
begin = 15
end = 20

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_548]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_162]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 219
begin = 15
end = 31

[JC_398]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/SimpleApplet.jc"
line = 295
begin = 11
end = 103

[JC_469]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 189
begin = 15
end = 31

[JC_572]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 209
begin = 15
end = 32

[JC_514]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_263]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 226
begin = 15
end = 32

[JC_508]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_179]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 209
begin = 16
end = 24

[JC_38]
file = "HOME/tests/java/SimpleApplet.jc"
line = 294
begin = 10
end = 18

[JC_651]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 199
begin = 15
end = 32

[JC_600]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_614]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 208
begin = 15
end = 30

[JC_667]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 182
begin = 15
end = 20

[JC_454]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_439]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 202
begin = 18
end = 39

[JC_341]
file = "HOME/lib/javacard_api/javacard/framework/CardRuntimeException.java"
line = 56
begin = 9
end = 29

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_506]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 230
begin = 18
end = 38

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_331]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 505
begin = 15
end = 36

[JC_220]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_596]
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 85
begin = 31
end = 37

[JC_566]
kind = IndexBounds
file = "HOME/tests/java/SimpleApplet.java"
line = 105
begin = 9
end = 32

[JC_521]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_529]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_312]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_444]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 202
begin = 18
end = 39

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/lib/javacard_api/java/lang/Object.java"
line = 47
begin = 9
end = 15

[JC_7]
file = "HOME/tests/java/SimpleApplet.jc"
line = 276
begin = 11
end = 66

[JC_511]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 197
begin = 18
end = 33

[JC_395]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 811
begin = 21
end = 34

[JC_631]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_585]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_431]
kind = IndexBounds
file = "HOME/tests/java/SimpleApplet.jc"
line = 474
begin = 47
end = 79

[JC_424]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_562]
kind = UserCall
file = "HOME/tests/java/SimpleApplet.java"
line = 98
begin = 14
end = 30

[JC_266]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_255]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_214]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_303]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_258]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 219
begin = 15
end = 31

[JC_145]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 230
begin = 18
end = 38

[JC_209]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Applet_safety]
name = "Constructor of class Applet"
behavior = "Safety"
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 97
begin = 14
end = 20

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_349]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 227
begin = 15
end = 34

[JC_396]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_456]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_388]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_211]
file = "HOME/lib/javacard_api/java/lang/Exception.java"
line = 49
begin = 9
end = 18

[JC_588]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 171
begin = 16
end = 21

[JC_262]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_637]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_537]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_535]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 272
begin = 18
end = 27

[JC_18]
file = "HOME/tests/java/SimpleApplet.jc"
line = 281
begin = 10
end = 18

[JC_239]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_351]
file = "HOME/"
line = 0
begin = -1
end = -1

[Card_process_ensures_default]
name = "Method process"
behavior = "default behavior"
file = "HOME/tests/java/SimpleApplet.java"
line = 92
begin = 16
end = 23

[JC_437]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 202
begin = 18
end = 39

[JC_317]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 719
begin = 15
end = 33

[JC_210]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_423]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_510]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_478]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_624]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_499]
file = "HOME/lib/javacard_api/javacard/framework/Applet.java"
line = 166
begin = 25
end = 32

[JC_482]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_297]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 225
begin = 10
end = 27

[JC_505]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_226]
file = "HOME/lib/javacard_api/javacard/framework/APDU.java"
line = 422
begin = 15
end = 26

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/SimpleApplet.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic AID_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom AID_parenttag_Object : parenttag(AID_tag, Object_tag)

logic byte_of_integer: int -> byte

function APDU_ACK_INS() : byte = byte_of_integer((1))

function APDU_ACK_NONE() : byte = byte_of_integer((0))

function APDU_ACK_NOT_INS() : byte = byte_of_integer((2))

logic APDU_BUFFERSIZE:  -> short

logic short_of_integer: int -> short

function APDU_BUFFER_OVERFLOW() : short = short_of_integer(neg_int((16383)))

function APDU_IFSC() : byte = byte_of_integer((1))

function APDU_IFSD() : short = short_of_integer((258))

function APDU_INVALID_GET_RESPONSE() : short =
 short_of_integer(neg_int((16378)))

function APDU_LC() : byte = byte_of_integer((2))

function APDU_LE() : byte = byte_of_integer((0))

function APDU_LR() : byte = byte_of_integer((1))

function APDU_PRE_READ_LENGTH() : byte = byte_of_integer((3))

function APDU_PROTOCOL_T0() : byte = byte_of_integer((0))

function APDU_PROTOCOL_T1() : byte = byte_of_integer((1))

function APDU_RAM_VARS_LENGTH() : byte = byte_of_integer((4))

function APDU_READ_ERROR() : short = short_of_integer(neg_int((16381)))

function APDU_WRITE_ERROR() : short = short_of_integer(neg_int((16380)))

logic APDU_tag:  -> Object tag_id

axiom APDU_parenttag_Object : parenttag(APDU_tag, Object_tag)

logic APDU_ramVars:  -> Object pointer

logic APDU_theAPDU:  -> Object pointer

logic Applet_tag:  -> Object tag_id

axiom Applet_parenttag_Object : parenttag(Applet_tag, Object_tag)

logic CardRuntimeException_tag:  -> Object tag_id

logic RuntimeException_tag:  -> Object tag_id

axiom CardRuntimeException_parenttag_RuntimeException :
 parenttag(CardRuntimeException_tag, RuntimeException_tag)

logic CardRuntimeException_systemInstance:  -> Object pointer

function Card_Card_Class() : byte = byte_of_integer(neg_int((128)))

function Card_Card_Ins_Auth() : byte = byte_of_integer((1))

function Card_Card_Ins_Del() : byte = byte_of_integer((6))

function Card_Card_Ins_Pin() : byte = byte_of_integer((2))

function Card_Card_Ins_Read() : byte = byte_of_integer((7))

function Card_Card_Ins_Write() : byte = byte_of_integer((5))

function Card_Data_Count() : short = short_of_integer((10))

function Card_Data_Len() : short = short_of_integer((5))

function Card_Key_Length() : byte = byte_of_integer(neg_int((124)))

function Card_Term_Function_Reader() : byte = byte_of_integer((17))

function Card_Term_Function_Writer() : byte = byte_of_integer(neg_int((86)))

logic Card_tag:  -> Object tag_id

axiom Card_parenttag_Applet : parenttag(Card_tag, Applet_tag)

logic Exception_tag:  -> Object tag_id

logic Throwable_tag:  -> Object tag_id

axiom Exception_parenttag_Throwable : parenttag(Exception_tag, Throwable_tag)

function ISO7816_CLA_ISO7816() : byte = byte_of_integer((0))

function ISO7816_INS_EXTERNAL_AUTHENTICATE() : byte =
 byte_of_integer(neg_int((126)))

function ISO7816_INS_SELECT() : byte = byte_of_integer(neg_int((92)))

function ISO7816_OFFSET_CDATA() : byte = byte_of_integer((5))

function ISO7816_OFFSET_CLA() : byte = byte_of_integer((0))

function ISO7816_OFFSET_INS() : byte = byte_of_integer((1))

function ISO7816_OFFSET_LC() : byte = byte_of_integer((4))

function ISO7816_OFFSET_P1() : byte = byte_of_integer((2))

function ISO7816_OFFSET_P2() : byte = byte_of_integer((3))

function ISO7816_SW_APPLET_SELECT_FAILED() : short =
 short_of_integer((27033))

function ISO7816_SW_BYTES_REMAINING_00() : short = short_of_integer((24832))

function ISO7816_SW_CLA_NOT_SUPPORTED() : short = short_of_integer((28160))

function ISO7816_SW_COMMAND_NOT_ALLOWED() : short = short_of_integer((27014))

function ISO7816_SW_CONDITIONS_NOT_SATISFIED() : short =
 short_of_integer((27013))

function ISO7816_SW_CORRECT_LENGTH_00() : short = short_of_integer((27648))

function ISO7816_SW_DATA_INVALID() : short = short_of_integer((27012))

function ISO7816_SW_FILE_FULL() : short = short_of_integer((27268))

function ISO7816_SW_FILE_INVALID() : short = short_of_integer((27011))

function ISO7816_SW_FILE_NOT_FOUND() : short = short_of_integer((27266))

function ISO7816_SW_FUNC_NOT_SUPPORTED() : short = short_of_integer((27265))

function ISO7816_SW_INCORRECT_P1P2() : short = short_of_integer((27270))

function ISO7816_SW_INS_NOT_SUPPORTED() : short = short_of_integer((27904))

function ISO7816_SW_NO_ERROR() : short = short_of_integer(neg_int((28672)))

function ISO7816_SW_RECORD_NOT_FOUND() : short = short_of_integer((27267))

function ISO7816_SW_SECURITY_STATUS_NOT_SATISFIED() : short =
 short_of_integer((27010))

function ISO7816_SW_UNKNOWN() : short = short_of_integer((28416))

function ISO7816_SW_WRONG_DATA() : short = short_of_integer((27264))

function ISO7816_SW_WRONG_LENGTH() : short = short_of_integer((26368))

function ISO7816_SW_WRONG_P1P2() : short = short_of_integer((27392))

logic ISOException_tag:  -> Object tag_id

axiom ISOException_parenttag_CardRuntimeException :
 parenttag(ISOException_tag, CardRuntimeException_tag)

logic ISOException_systemInstance:  -> Object pointer

logic JCSystem_tag:  -> Object tag_id

axiom JCSystem_parenttag_Object : parenttag(JCSystem_tag, Object_tag)

logic NativeMethods_tag:  -> Object tag_id

axiom NativeMethods_parenttag_Object :
 parenttag(NativeMethods_tag, Object_tag)

predicate Non_null_Object(x_2:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_2), (0))

predicate Non_null_byteM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

predicate Non_null_shortM(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic OwnerPIN_tag:  -> Object tag_id

axiom OwnerPIN_parenttag_Object : parenttag(OwnerPIN_tag, Object_tag)

logic PackedBoolean_tag:  -> Object tag_id

axiom PackedBoolean_parenttag_Object :
 parenttag(PackedBoolean_tag, Object_tag)

logic PrivAccess_tag:  -> Object tag_id

axiom PrivAccess_parenttag_Object : parenttag(PrivAccess_tag, Object_tag)

axiom RuntimeException_parenttag_Exception :
 parenttag(RuntimeException_tag, Exception_tag)

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

predicate buffer_inv(this_3:Object pointer,
 Object_alloc_table:Object alloc_table,
 APDU_buffer:(Object, Object pointer) memory) =
 ge_int(add_int(offset_max(Object_alloc_table, select(APDU_buffer, this_3)),
        (1)),
 (37))

logic byteM_tag:  -> Object tag_id

axiom byteM_parenttag_Object : parenttag(byteM_tag, Object_tag)

logic integer_of_byte: byte -> int

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_AID(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_APDU(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Applet(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Card(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Applet(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Throwable(p, a, Object_alloc_table)

predicate left_valid_struct_RuntimeException(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Exception(p, a, Object_alloc_table)

predicate left_valid_struct_CardRuntimeException(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_RuntimeException(p, a, Object_alloc_table)

predicate left_valid_struct_ISOException(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_CardRuntimeException(p, a, Object_alloc_table)

predicate left_valid_struct_JCSystem(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_NativeMethods(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_OwnerPIN(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_PackedBoolean(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_PrivAccess(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_byteM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

predicate left_valid_struct_shortM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_AID(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_APDU(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Applet(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Card(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Applet(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Throwable(p, b, Object_alloc_table)

predicate right_valid_struct_RuntimeException(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Exception(p, b, Object_alloc_table)

predicate right_valid_struct_CardRuntimeException(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_RuntimeException(p, b, Object_alloc_table)

predicate right_valid_struct_ISOException(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_CardRuntimeException(p, b, Object_alloc_table)

predicate right_valid_struct_JCSystem(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_NativeMethods(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_OwnerPIN(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_PackedBoolean(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_PrivAccess(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_byteM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate right_valid_struct_shortM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

logic shortM_tag:  -> Object tag_id

axiom shortM_parenttag_Object : parenttag(shortM_tag, Object_tag)

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_AID(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_APDU(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Applet(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Card(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Applet(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Throwable(p, a, b, Object_alloc_table)

predicate strict_valid_struct_RuntimeException(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Exception(p, a, b, Object_alloc_table)

predicate strict_valid_struct_CardRuntimeException(p:Object pointer, a:int,
 b:int, Object_alloc_table:Object alloc_table) =
 strict_valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate strict_valid_struct_ISOException(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_CardRuntimeException(p, a, b, Object_alloc_table)

predicate strict_valid_struct_JCSystem(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_NativeMethods(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_OwnerPIN(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PackedBoolean(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrivAccess(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_byteM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_shortM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_AID(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_APDU(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Applet(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Card(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Applet(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Throwable(p, a, b, Object_alloc_table)

predicate valid_struct_RuntimeException(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Exception(p, a, b, Object_alloc_table)

predicate valid_struct_CardRuntimeException(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate valid_struct_ISOException(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_CardRuntimeException(p, a, b, Object_alloc_table)

predicate valid_struct_JCSystem(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_NativeMethods(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_OwnerPIN(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_PackedBoolean(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_PrivAccess(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_byteM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_shortM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

parameter APDU_buffer : (Object, Object pointer) memory ref

parameter Object_alloc_table : Object alloc_table ref

parameter APDU_complete :
 this_28:Object pointer ->
  status:short ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_290: buffer_inv(this_28, Object_alloc_table, APDU_buffer)) }

parameter APDU_complete_requires :
 this_28:Object pointer ->
  status:short ->
   { (JC_283: buffer_inv(this_28, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_290: buffer_inv(this_28, Object_alloc_table, APDU_buffer)) }

parameter APDU_getBuffer :
 this_51:Object pointer ->
  { } Object pointer reads APDU_buffer,Object_alloc_table
  { ((JC_540: buffer_inv(this_51, Object_alloc_table, APDU_buffer))
    and (JC_544:
        ((JC_543: (result = select(APDU_buffer, this_51)))
        and buffer_inv(this_51, Object_alloc_table, APDU_buffer)))) }

parameter APDU_getBuffer_requires :
 this_51:Object pointer ->
  { (JC_533: buffer_inv(this_51, Object_alloc_table, APDU_buffer))}
  Object pointer reads APDU_buffer,Object_alloc_table
  { ((JC_540: buffer_inv(this_51, Object_alloc_table, APDU_buffer))
    and (JC_544:
        ((JC_543: (result = select(APDU_buffer, this_51)))
        and buffer_inv(this_51, Object_alloc_table, APDU_buffer)))) }

parameter APDU_getInBlockSize : tt:unit -> { } short { true }

parameter APDU_getInBlockSize_requires : tt:unit -> { } short { true }

parameter APDU_getIncomingFlag :
 this_49:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_516: buffer_inv(this_49, Object_alloc_table, APDU_buffer)) }

parameter APDU_getIncomingFlag_requires :
 this_49:Object pointer ->
  { (JC_509: buffer_inv(this_49, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_516: buffer_inv(this_49, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLc :
 this_38:Object pointer ->
  { } byte reads APDU_buffer,Object_alloc_table
  { (JC_378: buffer_inv(this_38, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLc_requires :
 this_38:Object pointer ->
  { (JC_371: buffer_inv(this_38, Object_alloc_table, APDU_buffer))} byte
  reads APDU_buffer,Object_alloc_table
  { (JC_378: buffer_inv(this_38, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLe :
 this_56:Object pointer ->
  { } short reads APDU_buffer,Object_alloc_table
  { (JC_595: buffer_inv(this_56, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLe_requires :
 this_56:Object pointer ->
  { (JC_588: buffer_inv(this_56, Object_alloc_table, APDU_buffer))} short
  reads APDU_buffer,Object_alloc_table
  { (JC_595: buffer_inv(this_56, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLr :
 this_36:Object pointer ->
  { } short reads APDU_buffer,Object_alloc_table
  { (JC_362: buffer_inv(this_36, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLrIs256Flag :
 this_13:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_90: buffer_inv(this_13, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLrIs256Flag_requires :
 this_13:Object pointer ->
  { (JC_83: buffer_inv(this_13, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_90: buffer_inv(this_13, Object_alloc_table, APDU_buffer)) }

parameter APDU_getLr_requires :
 this_36:Object pointer ->
  { (JC_355: buffer_inv(this_36, Object_alloc_table, APDU_buffer))} short
  reads APDU_buffer,Object_alloc_table
  { (JC_362: buffer_inv(this_36, Object_alloc_table, APDU_buffer)) }

parameter APDU_getNAD :
 this_62:Object pointer ->
  { } byte reads APDU_buffer,Object_alloc_table
  { (JC_643: buffer_inv(this_62, Object_alloc_table, APDU_buffer)) }

parameter APDU_getNAD_requires :
 this_62:Object pointer ->
  { (JC_636: buffer_inv(this_62, Object_alloc_table, APDU_buffer))} byte
  reads APDU_buffer,Object_alloc_table
  { (JC_643: buffer_inv(this_62, Object_alloc_table, APDU_buffer)) }

parameter APDU_getNoChainingFlag :
 this_29:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_298: buffer_inv(this_29, Object_alloc_table, APDU_buffer)) }

parameter APDU_getNoChainingFlag_requires :
 this_29:Object pointer ->
  { (JC_291: buffer_inv(this_29, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_298: buffer_inv(this_29, Object_alloc_table, APDU_buffer)) }

parameter APDU_getNoGetResponseFlag :
 this_17:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_146: buffer_inv(this_17, Object_alloc_table, APDU_buffer)) }

parameter APDU_getNoGetResponseFlag_requires :
 this_17:Object pointer ->
  { (JC_139: buffer_inv(this_17, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_146: buffer_inv(this_17, Object_alloc_table, APDU_buffer)) }

parameter APDU_getOutBlockSize : tt:unit -> { } short { true }

parameter APDU_getOutBlockSize_requires : tt:unit -> { } short { true }

parameter APDU_getOutgoingFlag :
 this_12:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_82: buffer_inv(this_12, Object_alloc_table, APDU_buffer)) }

parameter APDU_getOutgoingFlag_requires :
 this_12:Object pointer ->
  { (JC_75: buffer_inv(this_12, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_82: buffer_inv(this_12, Object_alloc_table, APDU_buffer)) }

parameter APDU_getOutgoingLenSetFlag :
 this_37:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_370: buffer_inv(this_37, Object_alloc_table, APDU_buffer)) }

parameter APDU_getOutgoingLenSetFlag_requires :
 this_37:Object pointer ->
  { (JC_363: buffer_inv(this_37, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_370: buffer_inv(this_37, Object_alloc_table, APDU_buffer)) }

parameter APDU_getPreReadLength :
 this_45:Object pointer ->
  { } byte reads APDU_buffer,Object_alloc_table
  { (JC_476: buffer_inv(this_45, Object_alloc_table, APDU_buffer)) }

parameter APDU_getPreReadLength_requires :
 this_45:Object pointer ->
  { (JC_469: buffer_inv(this_45, Object_alloc_table, APDU_buffer))} byte
  reads APDU_buffer,Object_alloc_table
  { (JC_476: buffer_inv(this_45, Object_alloc_table, APDU_buffer)) }

parameter APDU_getProtocol : tt:unit -> { } byte { true }

parameter APDU_getProtocol_requires : tt:unit -> { } byte { true }

parameter APDU_getSendInProgressFlag :
 this_41:Object pointer ->
  { } bool reads APDU_buffer,Object_alloc_table
  { (JC_444: buffer_inv(this_41, Object_alloc_table, APDU_buffer)) }

parameter APDU_getSendInProgressFlag_requires :
 this_41:Object pointer ->
  { (JC_437: buffer_inv(this_41, Object_alloc_table, APDU_buffer))} bool
  reads APDU_buffer,Object_alloc_table
  { (JC_444: buffer_inv(this_41, Object_alloc_table, APDU_buffer)) }

parameter APDU_incomingFlag : (Object, byte) memory ref

parameter APDU_lrIs256Flag : (Object, byte) memory ref

parameter APDU_noChainingFlag : (Object, byte) memory ref

parameter APDU_noGetResponseFlag : (Object, byte) memory ref

parameter APDU_outgoingFlag : (Object, byte) memory ref

parameter APDU_outgoingLenSetFlag : (Object, byte) memory ref

parameter APDU_receiveBytes :
 this_50:Object pointer ->
  bOff:short ->
   { } short reads APDU_buffer,Object_alloc_table
   { (JC_532: buffer_inv(this_50, Object_alloc_table, APDU_buffer)) }

parameter APDU_receiveBytes_requires :
 this_50:Object pointer ->
  bOff:short ->
   { (JC_525: buffer_inv(this_50, Object_alloc_table, APDU_buffer))} short
   reads APDU_buffer,Object_alloc_table
   { (JC_532: buffer_inv(this_50, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetAPDU :
 this_33:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_330: buffer_inv(this_33, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetAPDU_requires :
 this_33:Object pointer ->
  { (JC_323: buffer_inv(this_33, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_330: buffer_inv(this_33, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetIncomingFlag :
 this_63:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_651: buffer_inv(this_63, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetIncomingFlag_requires :
 this_63:Object pointer ->
  { (JC_644: buffer_inv(this_63, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_651: buffer_inv(this_63, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetLrIs256Flag :
 this_18:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_162: buffer_inv(this_18, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetLrIs256Flag_requires :
 this_18:Object pointer ->
  { (JC_155: buffer_inv(this_18, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_162: buffer_inv(this_18, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetNoChainingFlag :
 this_35:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_354: buffer_inv(this_35, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetNoChainingFlag_requires :
 this_35:Object pointer ->
  { (JC_347: buffer_inv(this_35, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_354: buffer_inv(this_35, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetNoGetResponseFlag :
 this_11:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_74: buffer_inv(this_11, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetNoGetResponseFlag_requires :
 this_11:Object pointer ->
  { (JC_67: buffer_inv(this_11, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_74: buffer_inv(this_11, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetOutgoingFlag :
 this_54:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_579: buffer_inv(this_54, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetOutgoingFlag_requires :
 this_54:Object pointer ->
  { (JC_572: buffer_inv(this_54, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_579: buffer_inv(this_54, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetOutgoingLenSetFlag :
 this_26:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_274: buffer_inv(this_26, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetOutgoingLenSetFlag_requires :
 this_26:Object pointer ->
  { (JC_267: buffer_inv(this_26, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_274: buffer_inv(this_26, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetSendInProgressFlag :
 this_23:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_234: buffer_inv(this_23, Object_alloc_table, APDU_buffer)) }

parameter APDU_resetSendInProgressFlag_requires :
 this_23:Object pointer ->
  { (JC_227: buffer_inv(this_23, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_234: buffer_inv(this_23, Object_alloc_table, APDU_buffer)) }

parameter APDU_send61xx :
 this_55:Object pointer ->
  len_0:short ->
   { } short reads APDU_buffer,Object_alloc_table
   { (JC_587: buffer_inv(this_55, Object_alloc_table, APDU_buffer)) }

parameter APDU_send61xx_requires :
 this_55:Object pointer ->
  len_0:short ->
   { (JC_580: buffer_inv(this_55, Object_alloc_table, APDU_buffer))} short
   reads APDU_buffer,Object_alloc_table
   { (JC_587: buffer_inv(this_55, Object_alloc_table, APDU_buffer)) }

parameter APDU_sendBytes :
 this_43:Object pointer ->
  bOff_0:short ->
   len_1:short ->
    { } unit reads APDU_buffer,Object_alloc_table
    { (JC_460: buffer_inv(this_43, Object_alloc_table, APDU_buffer)) }

parameter APDU_sendBytesLong :
 this_27:Object pointer ->
  outData:Object pointer ->
   bOff_1:short ->
    len_2:short ->
     { } unit reads APDU_buffer,Object_alloc_table
     { (JC_282: buffer_inv(this_27, Object_alloc_table, APDU_buffer)) }

parameter APDU_sendBytesLong_requires :
 this_27:Object pointer ->
  outData:Object pointer ->
   bOff_1:short ->
    len_2:short ->
     { (JC_275: buffer_inv(this_27, Object_alloc_table, APDU_buffer))} unit
     reads APDU_buffer,Object_alloc_table
     { (JC_282: buffer_inv(this_27, Object_alloc_table, APDU_buffer)) }

parameter APDU_sendBytes_requires :
 this_43:Object pointer ->
  bOff_0:short ->
   len_1:short ->
    { (JC_453: buffer_inv(this_43, Object_alloc_table, APDU_buffer))} unit
    reads APDU_buffer,Object_alloc_table
    { (JC_460: buffer_inv(this_43, Object_alloc_table, APDU_buffer)) }

parameter APDU_sendInProgressFlag : (Object, byte) memory ref

parameter APDU_setIncoming :
 this_22:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_226: buffer_inv(this_22, Object_alloc_table, APDU_buffer)) }

parameter APDU_setIncomingAndReceive :
 this_34:Object pointer ->
  { } short reads APDU_buffer,Object_alloc_table
  { (JC_338: buffer_inv(this_34, Object_alloc_table, APDU_buffer)) }

parameter APDU_setIncomingAndReceive_requires :
 this_34:Object pointer ->
  { (JC_331: buffer_inv(this_34, Object_alloc_table, APDU_buffer))} short
  reads APDU_buffer,Object_alloc_table
  { (JC_338: buffer_inv(this_34, Object_alloc_table, APDU_buffer)) }

parameter APDU_setIncomingFlag :
 this_46:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_484: buffer_inv(this_46, Object_alloc_table, APDU_buffer)) }

parameter APDU_setIncomingFlag_requires :
 this_46:Object pointer ->
  { (JC_477: buffer_inv(this_46, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_484: buffer_inv(this_46, Object_alloc_table, APDU_buffer)) }

parameter APDU_setIncoming_requires :
 this_22:Object pointer ->
  { (JC_219: buffer_inv(this_22, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_226: buffer_inv(this_22, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLc :
 this_10:Object pointer ->
  data_1:byte ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_58: buffer_inv(this_10, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLc_requires :
 this_10:Object pointer ->
  data_1:byte ->
   { (JC_51: buffer_inv(this_10, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_58: buffer_inv(this_10, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLe :
 this_47:Object pointer ->
  data:byte ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_492: buffer_inv(this_47, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLe_requires :
 this_47:Object pointer ->
  data:byte ->
   { (JC_485: buffer_inv(this_47, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_492: buffer_inv(this_47, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLr :
 this_65:Object pointer ->
  data_0:byte ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_667: buffer_inv(this_65, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLrIs256Flag :
 this_44:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_468: buffer_inv(this_44, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLrIs256Flag_requires :
 this_44:Object pointer ->
  { (JC_461: buffer_inv(this_44, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_468: buffer_inv(this_44, Object_alloc_table, APDU_buffer)) }

parameter APDU_setLr_requires :
 this_65:Object pointer ->
  data_0:byte ->
   { (JC_660: buffer_inv(this_65, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_667: buffer_inv(this_65, Object_alloc_table, APDU_buffer)) }

parameter APDU_setNoChainingFlag :
 this_15:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_114: buffer_inv(this_15, Object_alloc_table, APDU_buffer)) }

parameter APDU_setNoChainingFlag_requires :
 this_15:Object pointer ->
  { (JC_107: buffer_inv(this_15, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_114: buffer_inv(this_15, Object_alloc_table, APDU_buffer)) }

parameter APDU_setNoGetResponseFlag :
 this_16:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_138: buffer_inv(this_16, Object_alloc_table, APDU_buffer)) }

parameter APDU_setNoGetResponseFlag_requires :
 this_16:Object pointer ->
  { (JC_131: buffer_inv(this_16, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_138: buffer_inv(this_16, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoing :
 this_64:Object pointer ->
  { } short reads APDU_buffer,Object_alloc_table
  { (JC_659: buffer_inv(this_64, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingAndSend :
 this_32:Object pointer ->
  bOff_2:short ->
   len_3:short ->
    { } unit reads APDU_buffer,Object_alloc_table
    { (JC_322: buffer_inv(this_32, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingAndSend_requires :
 this_32:Object pointer ->
  bOff_2:short ->
   len_3:short ->
    { (JC_315: buffer_inv(this_32, Object_alloc_table, APDU_buffer))} unit
    reads APDU_buffer,Object_alloc_table
    { (JC_322: buffer_inv(this_32, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingFlag :
 this_59:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_619: buffer_inv(this_59, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingFlag_requires :
 this_59:Object pointer ->
  { (JC_612: buffer_inv(this_59, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_619: buffer_inv(this_59, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingLenSetFlag :
 this_19:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_170: buffer_inv(this_19, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingLenSetFlag_requires :
 this_19:Object pointer ->
  { (JC_163: buffer_inv(this_19, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_170: buffer_inv(this_19, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingLength :
 this_61:Object pointer ->
  len:short ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_635: buffer_inv(this_61, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingLength_requires :
 this_61:Object pointer ->
  len:short ->
   { (JC_628: buffer_inv(this_61, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_635: buffer_inv(this_61, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingNoChaining :
 this_39:Object pointer ->
  { } short reads APDU_buffer,Object_alloc_table
  { (JC_386: buffer_inv(this_39, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoingNoChaining_requires :
 this_39:Object pointer ->
  { (JC_379: buffer_inv(this_39, Object_alloc_table, APDU_buffer))} short
  reads APDU_buffer,Object_alloc_table
  { (JC_386: buffer_inv(this_39, Object_alloc_table, APDU_buffer)) }

parameter APDU_setOutgoing_requires :
 this_64:Object pointer ->
  { (JC_652: buffer_inv(this_64, Object_alloc_table, APDU_buffer))} short
  reads APDU_buffer,Object_alloc_table
  { (JC_659: buffer_inv(this_64, Object_alloc_table, APDU_buffer)) }

parameter APDU_setPreReadLength :
 this_24:Object pointer ->
  data_2:byte ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_242: buffer_inv(this_24, Object_alloc_table, APDU_buffer)) }

parameter APDU_setPreReadLength_requires :
 this_24:Object pointer ->
  data_2:byte ->
   { (JC_235: buffer_inv(this_24, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_242: buffer_inv(this_24, Object_alloc_table, APDU_buffer)) }

parameter APDU_setSendInProgressFlag :
 this_30:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_306: buffer_inv(this_30, Object_alloc_table, APDU_buffer)) }

parameter APDU_setSendInProgressFlag_requires :
 this_30:Object pointer ->
  { (JC_299: buffer_inv(this_30, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_306: buffer_inv(this_30, Object_alloc_table, APDU_buffer)) }

parameter APDU_thePackedBoolean : (Object, Object pointer) memory ref

parameter APDU_undoIncomingAndReceive :
 this_58:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  { (JC_611: buffer_inv(this_58, Object_alloc_table, APDU_buffer)) }

parameter APDU_undoIncomingAndReceive_requires :
 this_58:Object pointer ->
  { (JC_604: buffer_inv(this_58, Object_alloc_table, APDU_buffer))} unit
  reads APDU_buffer,Object_alloc_table
  { (JC_611: buffer_inv(this_58, Object_alloc_table, APDU_buffer)) }

parameter APDU_waitExtension : tt:unit -> { } unit { true }

parameter APDU_waitExtension_requires : tt:unit -> { } unit { true }

parameter Applet_deselect :
 this_20:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Applet_deselect_requires :
 this_20:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Applet_getShareableInterfaceObject :
 this_31:Object pointer ->
  clientAID:Object pointer ->
   param:byte -> { } Object pointer reads Object_alloc_table { true }

parameter Applet_getShareableInterfaceObject_requires :
 this_31:Object pointer ->
  clientAID:Object pointer ->
   param:byte -> { } Object pointer reads Object_alloc_table { true }

parameter Applet_install :
 bArray:Object pointer -> bOffset:short -> bLength:byte -> { } unit { true }

parameter Applet_install_requires :
 bArray:Object pointer -> bOffset:short -> bLength:byte -> { } unit { true }

parameter Applet_process :
 this_48:Object pointer ->
  apdu:Object pointer ->
   { } unit reads APDU_buffer,Object_alloc_table
   { (JC_500: buffer_inv(apdu, Object_alloc_table, APDU_buffer)) }

parameter Applet_process_requires :
 this_48:Object pointer ->
  apdu:Object pointer ->
   { (JC_493: buffer_inv(apdu, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table
   { (JC_500: buffer_inv(apdu, Object_alloc_table, APDU_buffer)) }

parameter Applet_register :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Applet_register_byteA_short_byte :
 this_52:Object pointer ->
  bArray_0:Object pointer ->
   bOffset_0:short ->
    bLength_0:byte -> { } unit reads Object_alloc_table { true }

parameter Applet_register_byteA_short_byte_requires :
 this_52:Object pointer ->
  bArray_0:Object pointer ->
   bOffset_0:short ->
    bLength_0:byte -> { } unit reads Object_alloc_table { true }

parameter Applet_register_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Applet_select :
 this_60:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Applet_select_requires :
 this_60:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Applet_selectingApplet :
 this_40:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Applet_selectingApplet_requires :
 this_40:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Applet_thePrivAccess : (Object, Object pointer) memory ref

exception CardRuntimeException_exc of Object pointer

parameter CardRuntimeException_getReason :
 this_42:Object pointer -> { } short reads Object_alloc_table { true }

parameter CardRuntimeException_getReason_requires :
 this_42:Object pointer -> { } short reads Object_alloc_table { true }

parameter CardRuntimeException_reason : (Object, short) memory ref

parameter CardRuntimeException_setReason :
 this_53:Object pointer ->
  reason_0:short -> { } unit reads Object_alloc_table { true }

parameter CardRuntimeException_setReason_requires :
 this_53:Object pointer ->
  reason_0:short -> { } unit reads Object_alloc_table { true }

parameter CardRuntimeException_throwIt : reason_1:short -> { } unit { true }

parameter CardRuntimeException_throwIt_requires :
 reason_1:short -> { } unit { true }

parameter byteM_byteP : (Object, byte) memory ref

parameter Object_tag_table : Object tag_table ref

parameter Card_install :
 bArray_1:Object pointer ->
  bOffset_1:short ->
   bLength_1:byte ->
    { } unit reads Object_alloc_table,byteM_byteP
    writes Object_alloc_table,Object_tag_table { true }

parameter Card_install_requires :
 bArray_1:Object pointer ->
  bOffset_1:short ->
   bLength_1:byte ->
    { } unit reads Object_alloc_table,byteM_byteP
    writes Object_alloc_table,Object_tag_table { true }

parameter Card_process :
 this_1:Object pointer ->
  apdu_0:Object pointer ->
   { } unit reads APDU_buffer,Object_alloc_table,byteM_byteP
   { (JC_560: buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) }

parameter Card_process_requires :
 this_1:Object pointer ->
  apdu_0:Object pointer ->
   { (JC_553: buffer_inv(apdu_0, Object_alloc_table, APDU_buffer))} unit
   reads APDU_buffer,Object_alloc_table,byteM_byteP
   { (JC_560: buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) }

exception Exception_exc of Object pointer

exception ISOException_exc of Object pointer

parameter ISOException_getReason :
 this_21:Object pointer -> { } short reads Object_alloc_table { true }

parameter ISOException_getReason_requires :
 this_21:Object pointer -> { } short reads Object_alloc_table { true }

parameter ISOException_setReason :
 this_25:Object pointer ->
  sw_1:short -> { } unit reads Object_alloc_table { true }

parameter ISOException_setReason_requires :
 this_25:Object pointer ->
  sw_1:short -> { } unit reads Object_alloc_table { true }

parameter ISOException_theSw : (Object, Object pointer) memory ref

parameter ISOException_throwIt : sw_0:short -> { } unit { true }

parameter ISOException_throwIt_requires : sw_0:short -> { } unit { true }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_equals :
 this_57:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_57:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

exception Return_label_exc of unit

exception RuntimeException_exc of Object pointer

exception Throwable_exc of Object pointer

parameter alloc_struct_AID :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_AID(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, AID_tag)))) }

parameter alloc_struct_AID_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_AID(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, AID_tag)))) }

parameter alloc_struct_APDU :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_APDU(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, APDU_tag)))) }

parameter alloc_struct_APDU_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_APDU(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, APDU_tag)))) }

parameter alloc_struct_Applet :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Applet(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Applet_tag)))) }

parameter alloc_struct_Applet_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Applet(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Applet_tag)))) }

parameter alloc_struct_Card :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Card(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Card_tag)))) }

parameter alloc_struct_CardRuntimeException :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_CardRuntimeException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  CardRuntimeException_tag)))) }

parameter alloc_struct_CardRuntimeException_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_CardRuntimeException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result,
                  CardRuntimeException_tag)))) }

parameter alloc_struct_Card_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Card(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Card_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_ISOException :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_ISOException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, ISOException_tag)))) }

parameter alloc_struct_ISOException_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_ISOException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, ISOException_tag)))) }

parameter alloc_struct_JCSystem :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_JCSystem(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, JCSystem_tag)))) }

parameter alloc_struct_JCSystem_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_JCSystem(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, JCSystem_tag)))) }

parameter alloc_struct_NativeMethods :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NativeMethods(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NativeMethods_tag)))) }

parameter alloc_struct_NativeMethods_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_NativeMethods(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, NativeMethods_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_OwnerPIN :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_OwnerPIN(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, OwnerPIN_tag)))) }

parameter alloc_struct_OwnerPIN_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_OwnerPIN(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, OwnerPIN_tag)))) }

parameter alloc_struct_PackedBoolean :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PackedBoolean(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PackedBoolean_tag)))) }

parameter alloc_struct_PackedBoolean_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PackedBoolean(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PackedBoolean_tag)))) }

parameter alloc_struct_PrivAccess :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrivAccess(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrivAccess_tag)))) }

parameter alloc_struct_PrivAccess_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_PrivAccess(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, PrivAccess_tag)))) }

parameter alloc_struct_RuntimeException :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_RuntimeException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, RuntimeException_tag)))) }

parameter alloc_struct_RuntimeException_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_RuntimeException(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, RuntimeException_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_byteM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_byteM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, byteM_tag)))) }

parameter alloc_struct_byteM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_byteM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, byteM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_shortM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_shortM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, shortM_tag)))) }

parameter alloc_struct_shortM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_shortM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, shortM_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_APDU :
 this_68:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  writes APDU_buffer,APDU_incomingFlag,APDU_lrIs256Flag,APDU_noChainingFlag,APDU_noGetResponseFlag,APDU_outgoingFlag,APDU_outgoingLenSetFlag,APDU_sendInProgressFlag,APDU_thePackedBoolean
  { (JC_194: buffer_inv(this_68, Object_alloc_table, APDU_buffer)) }

parameter cons_APDU_requires :
 this_68:Object pointer ->
  { } unit reads APDU_buffer,Object_alloc_table
  writes APDU_buffer,APDU_incomingFlag,APDU_lrIs256Flag,APDU_noChainingFlag,APDU_noGetResponseFlag,APDU_outgoingFlag,APDU_outgoingLenSetFlag,APDU_sendInProgressFlag,APDU_thePackedBoolean
  { (JC_194: buffer_inv(this_68, Object_alloc_table, APDU_buffer)) }

parameter cons_Applet :
 this_73:Object pointer ->
  { } unit reads Object_alloc_table writes Applet_thePrivAccess { true }

parameter cons_Applet_requires :
 this_73:Object pointer ->
  { } unit reads Object_alloc_table writes Applet_thePrivAccess { true }

parameter cons_Card :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_CardRuntimeException_short :
 this_71:Object pointer ->
  reason:short ->
   { } unit reads Object_alloc_table writes CardRuntimeException_reason
   { true }

parameter cons_CardRuntimeException_short_requires :
 this_71:Object pointer ->
  reason:short ->
   { } unit reads Object_alloc_table writes CardRuntimeException_reason
   { true }

parameter cons_Card_requires :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception :
 this_69:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Exception_requires :
 this_69:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_ISOException_short :
 this_70:Object pointer ->
  sw:short ->
   { } unit reads Object_alloc_table writes ISOException_theSw { true }

parameter cons_ISOException_short_requires :
 this_70:Object pointer ->
  sw:short ->
   { } unit reads Object_alloc_table writes ISOException_theSw { true }

parameter cons_Object :
 this_72:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_72:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException :
 this_66:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_RuntimeException_requires :
 this_66:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Throwable :
 this_67:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Throwable_requires :
 this_67:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_byteM :
 x_4:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_17:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_4), (1)))))) }

parameter java_array_length_byteM_requires :
 x_4:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_17:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_4), (1)))))) }

parameter java_array_length_shortM :
 x_6:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_37:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_6), (1)))))) }

parameter java_array_length_shortM_requires :
 x_6:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_37:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_6), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_7:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_50:
    (if result then (offset_max(Object_alloc_table, x_7) = (0))
     else (x_7 = null))) }

parameter non_null_Object_requires :
 x_7:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_50:
    (if result then (offset_max(Object_alloc_table, x_7) = (0))
     else (x_7 = null))) }

parameter non_null_byteM :
 x_3:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_7:
    (if result then ge_int(offset_max(Object_alloc_table, x_3), neg_int((1)))
     else (x_3 = null))) }

parameter non_null_byteM_requires :
 x_3:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_7:
    (if result then ge_int(offset_max(Object_alloc_table, x_3), neg_int((1)))
     else (x_3 = null))) }

parameter non_null_shortM :
 x_5:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_27:
    (if result then ge_int(offset_max(Object_alloc_table, x_5), neg_int((1)))
     else (x_5 = null))) }

parameter non_null_shortM_requires :
 x_5:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_27:
    (if result then ge_int(offset_max(Object_alloc_table, x_5), neg_int((1)))
     else (x_5 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter shortM_shortP : (Object, short) memory ref

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Card_install_ensures_default =
 fun (bArray_1 : Object pointer) (bOffset_1 : short) (bLength_1 : byte) ->
  { left_valid_struct_byteM(bArray_1, (0), Object_alloc_table) }
  (init:
  try
   (K_4:
   begin
     (let _jessie_ =
     (let this =
     (JC_434:
     (((alloc_struct_Card (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt =
     (let _jessie_ = this in (JC_435: (cons_Card _jessie_))) in this)) in
     (let _jessie_ = bArray_1 in
     (let _jessie_ =
     (K_2:
     (safe_short_of_integer_ (integer_of_int32 (K_1:
                                               (safe_int32_of_integer_ 
                                                ((add_int (integer_of_short bOffset_1)) (1))))))) in
     (let _jessie_ =
     (K_3:
     ((safe_acc_ !byteM_byteP) ((shift bArray_1) (integer_of_short bOffset_1)))) in
     (JC_436:
     ((((Applet_register_byteA_short_byte _jessie_) _jessie_) _jessie_) _jessie_))))));
    (raise Return) end) with Return -> void end) { (JC_423: true) }

let Card_install_safety =
 fun (bArray_1 : Object pointer) (bOffset_1 : short) (bLength_1 : byte) ->
  { left_valid_struct_byteM(bArray_1, (0), Object_alloc_table) }
  (init:
  try
   (K_4:
   begin
     (let _jessie_ =
     (let this =
     (let _jessie_ =
     (JC_430:
     (((alloc_struct_Card_requires (1)) Object_alloc_table) Object_tag_table)) in
     (JC_431:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     _jessie_))) in
     (let _tt =
     (let _jessie_ = this in (JC_432: (cons_Card_requires _jessie_))) in
     this)) in
     (let _jessie_ = bArray_1 in
     (let _jessie_ =
     (K_2:
     (JC_429:
     (short_of_integer_ (integer_of_int32 (K_1:
                                          (JC_428:
                                          (int32_of_integer_ ((add_int 
                                                               (integer_of_short bOffset_1)) (1))))))))) in
     (let _jessie_ =
     (K_3:
     (JC_427:
     ((((offset_acc_ !Object_alloc_table) !byteM_byteP) bArray_1) (integer_of_short bOffset_1)))) in
     (JC_433:
     ((((Applet_register_byteA_short_byte_requires _jessie_) _jessie_) _jessie_) _jessie_))))));
    (raise Return) end) with Return -> void end) { true }

let Card_process_ensures_default =
 fun (this_1 : Object pointer) (apdu_0 : Object pointer) ->
  { (left_valid_struct_APDU(apdu_0, (0), Object_alloc_table)
    and (valid_struct_Card(this_1, (0), (0), Object_alloc_table)
        and (JC_555: buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)))) }
  (init:
  try
   begin
     (if (K_6:
         (let _jessie_ = this_1 in
         (JC_568: (Applet_selectingApplet _jessie_)))) then (raise Return)
     else void);
    (let buf =
    (K_12:
    (let _jessie_ = apdu_0 in (JC_569: (APDU_getBuffer _jessie_)))) in
    begin
      (if (K_9:
          ((neq_int_ (integer_of_byte (K_8:
                                      ((safe_acc_ !byteM_byteP) ((shift buf) 
                                                                 (integer_of_byte ISO7816_OFFSET_CLA)))))) 
           (integer_of_byte Card_Card_Class)))
      then
       (K_7:
       (let _jessie_ = ISO7816_SW_CLA_NOT_SUPPORTED in
       (JC_570: (ISOException_throwIt _jessie_)))) else void);
     (let _jessie_ =
     (K_11:
     ((safe_acc_ !byteM_byteP) ((shift buf) (integer_of_byte ISO7816_OFFSET_INS)))) in
     try
      (if ((eq_int_ (integer_of_byte _jessie_)) (integer_of_byte Card_Card_Ins_Read))
      then (raise (Loop_exit_exc void))
      else
       (if true
       then
        (K_10:
        (let _jessie_ = ISO7816_SW_INS_NOT_SUPPORTED in
        (JC_571: (ISOException_throwIt _jessie_)))) else void)) with
      Loop_exit_exc _jessie_ -> void end); (raise Return) end);
    (raise Return) end with Return -> void end) { (JC_557: true) }

let Card_process_safety =
 fun (this_1 : Object pointer) (apdu_0 : Object pointer) ->
  { (left_valid_struct_APDU(apdu_0, (0), Object_alloc_table)
    and (valid_struct_Card(this_1, (0), (0), Object_alloc_table)
        and (JC_555: buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)))) }
  (init:
  try
   begin
     (if (K_6:
         (let _jessie_ = this_1 in
         (JC_561: (Applet_selectingApplet_requires _jessie_))))
     then (raise Return) else void);
    (let buf =
    (K_12:
    (let _jessie_ = apdu_0 in
    (JC_563:
    (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
    (JC_562: (APDU_getBuffer_requires _jessie_)))))) in
    begin
      (if (K_9:
          ((neq_int_ (integer_of_byte (K_8:
                                      (JC_564:
                                      ((((lsafe_lbound_acc_ !Object_alloc_table) !byteM_byteP) buf) (0)))))) 
           (integer_of_byte Card_Card_Class)))
      then
       (K_7:
       (let _jessie_ = ISO7816_SW_CLA_NOT_SUPPORTED in
       (JC_565: (ISOException_throwIt_requires _jessie_)))) else void);
     (let _jessie_ =
     (K_11:
     (JC_566:
     ((((lsafe_lbound_acc_ !Object_alloc_table) !byteM_byteP) buf) (1)))) in
     try
      (if ((eq_int_ (integer_of_byte _jessie_)) (integer_of_byte Card_Card_Ins_Read))
      then (raise (Loop_exit_exc void))
      else
       (if true
       then
        (K_10:
        (let _jessie_ = ISO7816_SW_INS_NOT_SUPPORTED in
        (JC_567: (ISOException_throwIt_requires _jessie_)))) else void))
      with Loop_exit_exc _jessie_ -> void end); (raise Return) end);
    (raise Return) end with Return -> void end)
  { (JC_559: buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) }

let cons_APDU_ensures_default =
 fun (this_68 : Object pointer) ->
  { valid_struct_APDU(this_68, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_68 in
       (((safe_upd_ APDU_buffer) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_thePackedBoolean) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_incomingFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_outgoingFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_outgoingLenSetFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_lrIs256Flag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_sendInProgressFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_noChainingFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      begin
        (let _jessie_ = this_68 in
        (((safe_upd_ APDU_noGetResponseFlag) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end) { (JC_191: true) }

let cons_APDU_safety =
 fun (this_68 : Object pointer) ->
  { valid_struct_APDU(this_68, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = null in
       (let _jessie_ = this_68 in
       (((safe_upd_ APDU_buffer) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_thePackedBoolean) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_incomingFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_outgoingFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_outgoingLenSetFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_lrIs256Flag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_sendInProgressFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      (let _jessie_ = this_68 in
      (((safe_upd_ APDU_noChainingFlag) _jessie_) _jessie_)));
      (let _jessie_ = (safe_byte_of_integer_ (0)) in
      begin
        (let _jessie_ = this_68 in
        (((safe_upd_ APDU_noGetResponseFlag) _jessie_) _jessie_));
       _jessie_ end) end in void); (raise Return) end with Return ->
   void end)
  { (JC_193: buffer_inv(this_68, Object_alloc_table, APDU_buffer)) }

let cons_Applet_ensures_default =
 fun (this_73 : Object pointer) ->
  { valid_struct_Applet(this_73, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_73 in
       (((safe_upd_ Applet_thePrivAccess) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { (JC_521: true) }

let cons_Applet_safety =
 fun (this_73 : Object pointer) ->
  { valid_struct_Applet(this_73, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_73 in
       (((safe_upd_ Applet_thePrivAccess) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { true }

let cons_CardRuntimeException_short_ensures_default =
 fun (this_71 : Object pointer) (reason : short) ->
  { valid_struct_CardRuntimeException(this_71, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_short_of_integer_ (0)) in
     begin
       (let _jessie_ = this_71 in
       (((safe_upd_ CardRuntimeException_reason) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { (JC_343: true) }

let cons_CardRuntimeException_short_safety =
 fun (this_71 : Object pointer) (reason : short) ->
  { valid_struct_CardRuntimeException(this_71, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_short_of_integer_ (0)) in
     begin
       (let _jessie_ = this_71 in
       (((safe_upd_ CardRuntimeException_reason) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { true }

let cons_Card_ensures_default =
 fun (this_9 : Object pointer) ->
  { valid_struct_Card(this_9, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_127: true) }

let cons_Card_safety =
 fun (this_9 : Object pointer) ->
  { valid_struct_Card(this_9, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Exception_ensures_default =
 fun (this_69 : Object pointer) ->
  { valid_struct_Exception(this_69, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_215: true) }

let cons_Exception_safety =
 fun (this_69 : Object pointer) ->
  { valid_struct_Exception(this_69, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_ISOException_short_ensures_default =
 fun (this_70 : Object pointer) (sw : short) ->
  { valid_struct_ISOException(this_70, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_70 in
       (((safe_upd_ ISOException_theSw) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { (JC_247: true) }

let cons_ISOException_short_safety =
 fun (this_70 : Object pointer) (sw : short) ->
  { valid_struct_ISOException(this_70, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_70 in
       (((safe_upd_ ISOException_theSw) _jessie_) _jessie_)); _jessie_
     end) in void); (raise Return) end with Return -> void end) { true }

let cons_Object_ensures_default =
 fun (this_72 : Object pointer) ->
  { valid_struct_Object(this_72, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_391: true) }

let cons_Object_safety =
 fun (this_72 : Object pointer) ->
  { valid_struct_Object(this_72, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_RuntimeException_ensures_default =
 fun (this_66 : Object pointer) ->
  { valid_struct_RuntimeException(this_66, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_103: true) }

let cons_RuntimeException_safety =
 fun (this_66 : Object pointer) ->
  { valid_struct_RuntimeException(this_66, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Throwable_ensures_default =
 fun (this_67 : Object pointer) ->
  { valid_struct_Throwable(this_67, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_151: true) }

let cons_Throwable_safety =
 fun (this_67 : Object pointer) ->
  { valid_struct_Throwable(this_67, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/SimpleApplet.why
========== file tests/java/why/SimpleApplet.wpr ==========

  
    
    
    
      
      
    
    
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
    
    
      
      
    
    
  

========== file tests/java/why/SimpleApplet_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic AID_tag : Object tag_id

logic Object_tag : Object tag_id

axiom AID_parenttag_Object: parenttag(AID_tag, Object_tag)

logic byte_of_integer : int -> byte

function APDU_ACK_INS() : byte = byte_of_integer(1)

function APDU_ACK_NONE() : byte = byte_of_integer(0)

function APDU_ACK_NOT_INS() : byte = byte_of_integer(2)

logic APDU_BUFFERSIZE : short

logic short_of_integer : int -> short

function APDU_BUFFER_OVERFLOW() : short = short_of_integer((-16383))

function APDU_IFSC() : byte = byte_of_integer(1)

function APDU_IFSD() : short = short_of_integer(258)

function APDU_INVALID_GET_RESPONSE() : short = short_of_integer((-16378))

function APDU_LC() : byte = byte_of_integer(2)

function APDU_LE() : byte = byte_of_integer(0)

function APDU_LR() : byte = byte_of_integer(1)

function APDU_PRE_READ_LENGTH() : byte = byte_of_integer(3)

function APDU_PROTOCOL_T0() : byte = byte_of_integer(0)

function APDU_PROTOCOL_T1() : byte = byte_of_integer(1)

function APDU_RAM_VARS_LENGTH() : byte = byte_of_integer(4)

function APDU_READ_ERROR() : short = short_of_integer((-16381))

function APDU_WRITE_ERROR() : short = short_of_integer((-16380))

logic APDU_tag : Object tag_id

axiom APDU_parenttag_Object: parenttag(APDU_tag, Object_tag)

logic APDU_ramVars : Object pointer

logic APDU_theAPDU : Object pointer

logic Applet_tag : Object tag_id

axiom Applet_parenttag_Object: parenttag(Applet_tag, Object_tag)

logic CardRuntimeException_tag : Object tag_id

logic RuntimeException_tag : Object tag_id

axiom CardRuntimeException_parenttag_RuntimeException:
  parenttag(CardRuntimeException_tag, RuntimeException_tag)

logic CardRuntimeException_systemInstance : Object pointer

function Card_Card_Class() : byte = byte_of_integer((-128))

function Card_Card_Ins_Auth() : byte = byte_of_integer(1)

function Card_Card_Ins_Del() : byte = byte_of_integer(6)

function Card_Card_Ins_Pin() : byte = byte_of_integer(2)

function Card_Card_Ins_Read() : byte = byte_of_integer(7)

function Card_Card_Ins_Write() : byte = byte_of_integer(5)

function Card_Data_Count() : short = short_of_integer(10)

function Card_Data_Len() : short = short_of_integer(5)

function Card_Key_Length() : byte = byte_of_integer((-124))

function Card_Term_Function_Reader() : byte = byte_of_integer(17)

function Card_Term_Function_Writer() : byte = byte_of_integer((-86))

logic Card_tag : Object tag_id

axiom Card_parenttag_Applet: parenttag(Card_tag, Applet_tag)

logic Exception_tag : Object tag_id

logic Throwable_tag : Object tag_id

axiom Exception_parenttag_Throwable: parenttag(Exception_tag, Throwable_tag)

function ISO7816_CLA_ISO7816() : byte = byte_of_integer(0)

function ISO7816_INS_EXTERNAL_AUTHENTICATE() : byte = byte_of_integer((-126))

function ISO7816_INS_SELECT() : byte = byte_of_integer((-92))

function ISO7816_OFFSET_CDATA() : byte = byte_of_integer(5)

function ISO7816_OFFSET_CLA() : byte = byte_of_integer(0)

function ISO7816_OFFSET_INS() : byte = byte_of_integer(1)

function ISO7816_OFFSET_LC() : byte = byte_of_integer(4)

function ISO7816_OFFSET_P1() : byte = byte_of_integer(2)

function ISO7816_OFFSET_P2() : byte = byte_of_integer(3)

function ISO7816_SW_APPLET_SELECT_FAILED() : short = short_of_integer(27033)

function ISO7816_SW_BYTES_REMAINING_00() : short = short_of_integer(24832)

function ISO7816_SW_CLA_NOT_SUPPORTED() : short = short_of_integer(28160)

function ISO7816_SW_COMMAND_NOT_ALLOWED() : short = short_of_integer(27014)

function ISO7816_SW_CONDITIONS_NOT_SATISFIED() : short =
  short_of_integer(27013)

function ISO7816_SW_CORRECT_LENGTH_00() : short = short_of_integer(27648)

function ISO7816_SW_DATA_INVALID() : short = short_of_integer(27012)

function ISO7816_SW_FILE_FULL() : short = short_of_integer(27268)

function ISO7816_SW_FILE_INVALID() : short = short_of_integer(27011)

function ISO7816_SW_FILE_NOT_FOUND() : short = short_of_integer(27266)

function ISO7816_SW_FUNC_NOT_SUPPORTED() : short = short_of_integer(27265)

function ISO7816_SW_INCORRECT_P1P2() : short = short_of_integer(27270)

function ISO7816_SW_INS_NOT_SUPPORTED() : short = short_of_integer(27904)

function ISO7816_SW_NO_ERROR() : short = short_of_integer((-28672))

function ISO7816_SW_RECORD_NOT_FOUND() : short = short_of_integer(27267)

function ISO7816_SW_SECURITY_STATUS_NOT_SATISFIED() : short =
  short_of_integer(27010)

function ISO7816_SW_UNKNOWN() : short = short_of_integer(28416)

function ISO7816_SW_WRONG_DATA() : short = short_of_integer(27264)

function ISO7816_SW_WRONG_LENGTH() : short = short_of_integer(26368)

function ISO7816_SW_WRONG_P1P2() : short = short_of_integer(27392)

logic ISOException_tag : Object tag_id

axiom ISOException_parenttag_CardRuntimeException:
  parenttag(ISOException_tag, CardRuntimeException_tag)

logic ISOException_systemInstance : Object pointer

logic JCSystem_tag : Object tag_id

axiom JCSystem_parenttag_Object: parenttag(JCSystem_tag, Object_tag)

logic NativeMethods_tag : Object tag_id

axiom NativeMethods_parenttag_Object: parenttag(NativeMethods_tag,
  Object_tag)

predicate Non_null_Object(x_2: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_2) >= 0)

predicate Non_null_byteM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

predicate Non_null_shortM(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic OwnerPIN_tag : Object tag_id

axiom OwnerPIN_parenttag_Object: parenttag(OwnerPIN_tag, Object_tag)

logic PackedBoolean_tag : Object tag_id

axiom PackedBoolean_parenttag_Object: parenttag(PackedBoolean_tag,
  Object_tag)

logic PrivAccess_tag : Object tag_id

axiom PrivAccess_parenttag_Object: parenttag(PrivAccess_tag, Object_tag)

axiom RuntimeException_parenttag_Exception: parenttag(RuntimeException_tag,
  Exception_tag)

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

predicate buffer_inv(this_3: Object pointer,
  Object_alloc_table: Object alloc_table, APDU_buffer: (Object,
  Object pointer) memory) = ((offset_max(Object_alloc_table,
  select(APDU_buffer, this_3)) + 1) >= 37)

logic byteM_tag : Object tag_id

axiom byteM_parenttag_Object: parenttag(byteM_tag, Object_tag)

logic integer_of_byte : byte -> int

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_AID(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_APDU(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Applet(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Card(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Applet(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Throwable(p, a,
  Object_alloc_table)

predicate left_valid_struct_RuntimeException(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Exception(p, a,
  Object_alloc_table)

predicate left_valid_struct_CardRuntimeException(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) =
  left_valid_struct_RuntimeException(p, a, Object_alloc_table)

predicate left_valid_struct_ISOException(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) =
  left_valid_struct_CardRuntimeException(p, a, Object_alloc_table)

predicate left_valid_struct_JCSystem(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_NativeMethods(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_OwnerPIN(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_PackedBoolean(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_PrivAccess(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_byteM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

predicate left_valid_struct_shortM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_AID(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_APDU(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Applet(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Card(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Applet(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Throwable(p,
  b, Object_alloc_table)

predicate right_valid_struct_RuntimeException(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Exception(p,
  b, Object_alloc_table)

predicate right_valid_struct_CardRuntimeException(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) =
  right_valid_struct_RuntimeException(p, b, Object_alloc_table)

predicate right_valid_struct_ISOException(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) =
  right_valid_struct_CardRuntimeException(p, b, Object_alloc_table)

predicate right_valid_struct_JCSystem(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_NativeMethods(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_OwnerPIN(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_PackedBoolean(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_PrivAccess(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_byteM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate right_valid_struct_shortM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

logic shortM_tag : Object tag_id

axiom shortM_parenttag_Object: parenttag(shortM_tag, Object_tag)

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_AID(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_APDU(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Applet(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Card(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Applet(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Throwable(p,
  a, b, Object_alloc_table)

predicate strict_valid_struct_RuntimeException(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Exception(p, a, b, Object_alloc_table)

predicate strict_valid_struct_CardRuntimeException(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate strict_valid_struct_ISOException(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  strict_valid_struct_CardRuntimeException(p, a, b, Object_alloc_table)

predicate strict_valid_struct_JCSystem(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_NativeMethods(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_OwnerPIN(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_PackedBoolean(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrivAccess(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_byteM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_shortM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_AID(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_APDU(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Applet(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Card(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Applet(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Throwable(p, a, b,
  Object_alloc_table)

predicate valid_struct_RuntimeException(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Exception(p, a, b,
  Object_alloc_table)

predicate valid_struct_CardRuntimeException(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate valid_struct_ISOException(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  valid_struct_CardRuntimeException(p, a, b, Object_alloc_table)

predicate valid_struct_JCSystem(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_NativeMethods(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_OwnerPIN(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_PackedBoolean(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_PrivAccess(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_byteM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_shortM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

========== file tests/java/why/SimpleApplet_po1.why ==========
goal Card_install_safety_po_1:
  forall bArray_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0)

========== file tests/java/why/SimpleApplet_po10.why ==========
goal Card_process_safety_po_1:
  forall this_1:Object pointer.
  forall apdu_0:Object pointer.
  forall APDU_buffer:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  forall byteM_byteP:(Object,
  byte) memory.
  (left_valid_struct_APDU(apdu_0, 0, Object_alloc_table) and
   (valid_struct_Card(this_1, 0, 0, Object_alloc_table) and
    ("JC_555": buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)))) ->
  forall result:bool.
  (if result then
   ("JC_559": buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) else
   ((offset_max(Object_alloc_table, apdu_0) >= 0) and
    (("JC_533": buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) and
     (forall result:Object pointer.
       ((("JC_540": buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) and
         ("JC_544":
         (("JC_543": (result = select(APDU_buffer, apdu_0))) and
          buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)))) ->
        ((0 <= offset_max(Object_alloc_table, result)) and
         (forall result0:byte.
           ((result0 = select(byteM_byteP, shift(result, 0))) ->
            (((integer_of_byte(result0) <> integer_of_byte(Card_Card_Class)) ->
              (true ->
               ((1 <= offset_max(Object_alloc_table, result)) and
                (forall result0:byte.
                  ((result0 = select(byteM_byteP, shift(result, 1))) ->
                   (((integer_of_byte(result0) = integer_of_byte(Card_Card_Ins_Read)) ->
                     ("JC_559": buffer_inv(apdu_0, Object_alloc_table,
                     APDU_buffer))) and
                    ((integer_of_byte(result0) <> integer_of_byte(Card_Card_Ins_Read)) ->
                     (true ->
                      ("JC_559": buffer_inv(apdu_0, Object_alloc_table,
                      APDU_buffer)))))))))) and
             ((integer_of_byte(result0) = integer_of_byte(Card_Card_Class)) ->
              ((1 <= offset_max(Object_alloc_table, result)) and
               (forall result0:byte.
                 ((result0 = select(byteM_byteP, shift(result, 1))) ->
                  (((integer_of_byte(result0) = integer_of_byte(Card_Card_Ins_Read)) ->
                    ("JC_559": buffer_inv(apdu_0, Object_alloc_table,
                    APDU_buffer))) and
                   ((integer_of_byte(result0) <> integer_of_byte(Card_Card_Ins_Read)) ->
                    (true ->
                     ("JC_559": buffer_inv(apdu_0, Object_alloc_table,
                     APDU_buffer))))))))))))))))))

========== file tests/java/why/SimpleApplet_po11.why ==========
goal cons_APDU_safety_po_1:
  forall this_68:Object pointer.
  forall APDU_buffer:(Object,
  Object pointer) memory.
  forall APDU_incomingFlag:(Object,
  byte) memory.
  forall APDU_lrIs256Flag:(Object,
  byte) memory.
  forall APDU_noChainingFlag:(Object,
  byte) memory.
  forall APDU_noGetResponseFlag:(Object,
  byte) memory.
  forall APDU_outgoingFlag:(Object,
  byte) memory.
  forall APDU_outgoingLenSetFlag:(Object,
  byte) memory.
  forall APDU_sendInProgressFlag:(Object,
  byte) memory.
  forall APDU_thePackedBoolean:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_APDU(this_68, 0, 0, Object_alloc_table) ->
  forall APDU_buffer0:(Object,
  Object pointer) memory.
  (APDU_buffer0 = store(APDU_buffer, this_68, null)) ->
  forall APDU_thePackedBoolean0:(Object,
  Object pointer) memory.
  (APDU_thePackedBoolean0 = store(APDU_thePackedBoolean, this_68, null)) ->
  forall result:byte.
  (integer_of_byte(result) = 0) ->
  forall APDU_incomingFlag0:(Object,
  byte) memory.
  (APDU_incomingFlag0 = store(APDU_incomingFlag, this_68, result)) ->
  forall result0:byte.
  (integer_of_byte(result0) = 0) ->
  forall APDU_outgoingFlag0:(Object,
  byte) memory.
  (APDU_outgoingFlag0 = store(APDU_outgoingFlag, this_68, result0)) ->
  forall result1:byte.
  (integer_of_byte(result1) = 0) ->
  forall APDU_outgoingLenSetFlag0:(Object,
  byte) memory.
  (APDU_outgoingLenSetFlag0 = store(APDU_outgoingLenSetFlag, this_68,
  result1)) ->
  forall result2:byte.
  (integer_of_byte(result2) = 0) ->
  forall APDU_lrIs256Flag0:(Object,
  byte) memory.
  (APDU_lrIs256Flag0 = store(APDU_lrIs256Flag, this_68, result2)) ->
  forall result3:byte.
  (integer_of_byte(result3) = 0) ->
  forall APDU_sendInProgressFlag0:(Object,
  byte) memory.
  (APDU_sendInProgressFlag0 = store(APDU_sendInProgressFlag, this_68,
  result3)) ->
  forall result4:byte.
  (integer_of_byte(result4) = 0) ->
  forall APDU_noChainingFlag0:(Object,
  byte) memory.
  (APDU_noChainingFlag0 = store(APDU_noChainingFlag, this_68, result4)) ->
  forall result5:byte.
  (integer_of_byte(result5) = 0) ->
  forall APDU_noGetResponseFlag0:(Object,
  byte) memory.
  (APDU_noGetResponseFlag0 = store(APDU_noGetResponseFlag, this_68,
  result5)) ->
  ("JC_193": buffer_inv(this_68, Object_alloc_table, APDU_buffer0))

========== file tests/java/why/SimpleApplet_po2.why ==========
goal Card_install_safety_po_2:
  forall bArray_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

========== file tests/java/why/SimpleApplet_po3.why ==========
goal Card_install_safety_po_3:
  forall bArray_1:Object pointer.
  forall bOffset_1:short.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  ((-2147483648) <= (integer_of_short(bOffset_1) + 1))

========== file tests/java/why/SimpleApplet_po4.why ==========
goal Card_install_safety_po_4:
  forall bArray_1:Object pointer.
  forall bOffset_1:short.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  ((integer_of_short(bOffset_1) + 1) <= 2147483647)

========== file tests/java/why/SimpleApplet_po5.why ==========
goal Card_install_safety_po_5:
  forall bArray_1:Object pointer.
  forall bOffset_1:short.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  (((-2147483648) <= (integer_of_short(bOffset_1) + 1)) and
   ((integer_of_short(bOffset_1) + 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_short(bOffset_1) + 1)) ->
  ((-32768) <= integer_of_int32(result0))

========== file tests/java/why/SimpleApplet_po6.why ==========
goal Card_install_safety_po_6:
  forall bArray_1:Object pointer.
  forall bOffset_1:short.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  (((-2147483648) <= (integer_of_short(bOffset_1) + 1)) and
   ((integer_of_short(bOffset_1) + 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_short(bOffset_1) + 1)) ->
  (integer_of_int32(result0) <= 32767)

========== file tests/java/why/SimpleApplet_po7.why ==========
goal Card_install_safety_po_7:
  forall bArray_1:Object pointer.
  forall bOffset_1:short.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  (((-2147483648) <= (integer_of_short(bOffset_1) + 1)) and
   ((integer_of_short(bOffset_1) + 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_short(bOffset_1) + 1)) ->
  (((-32768) <= integer_of_int32(result0)) and
   (integer_of_int32(result0) <= 32767)) ->
  forall result1:short.
  (integer_of_short(result1) = integer_of_int32(result0)) ->
  (offset_min(Object_alloc_table0, bArray_1) <= integer_of_short(bOffset_1))

========== file tests/java/why/SimpleApplet_po8.why ==========
goal Card_install_safety_po_8:
  forall bArray_1:Object pointer.
  forall bOffset_1:short.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  (((-2147483648) <= (integer_of_short(bOffset_1) + 1)) and
   ((integer_of_short(bOffset_1) + 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_short(bOffset_1) + 1)) ->
  (((-32768) <= integer_of_int32(result0)) and
   (integer_of_int32(result0) <= 32767)) ->
  forall result1:short.
  (integer_of_short(result1) = integer_of_int32(result0)) ->
  (integer_of_short(bOffset_1) <= offset_max(Object_alloc_table0, bArray_1))

========== file tests/java/why/SimpleApplet_po9.why ==========
goal Card_process_ensures_default_po_1:
  forall this_1:Object pointer.
  forall apdu_0:Object pointer.
  forall APDU_buffer:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  forall byteM_byteP:(Object,
  byte) memory.
  (left_valid_struct_APDU(apdu_0, 0, Object_alloc_table) and
   (valid_struct_Card(this_1, 0, 0, Object_alloc_table) and
    ("JC_555": buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)))) ->
  forall result:bool.
  (if result then ("JC_557": true) else
   (forall result:Object pointer.
     ((("JC_540": buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) and
       ("JC_544":
       (("JC_543": (result = select(APDU_buffer, apdu_0))) and
        buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)))) ->
      (forall result0:byte.
        ((result0 = select(byteM_byteP, shift(result,
         integer_of_byte(ISO7816_OFFSET_CLA)))) ->
         (((integer_of_byte(result0) <> integer_of_byte(Card_Card_Class)) ->
           (true ->
            (forall result0:byte.
              ((result0 = select(byteM_byteP, shift(result,
               integer_of_byte(ISO7816_OFFSET_INS)))) ->
               (((integer_of_byte(result0) = integer_of_byte(Card_Card_Ins_Read)) ->
                 ("JC_557": true)) and
                ((integer_of_byte(result0) <> integer_of_byte(Card_Card_Ins_Read)) ->
                 (true -> ("JC_557": true)))))))) and
          ((integer_of_byte(result0) = integer_of_byte(Card_Card_Class)) ->
           (forall result0:byte.
             ((result0 = select(byteM_byteP, shift(result,
              integer_of_byte(ISO7816_OFFSET_INS)))) ->
              (((integer_of_byte(result0) = integer_of_byte(Card_Card_Ins_Read)) ->
                ("JC_557": true)) and
               ((integer_of_byte(result0) <> integer_of_byte(Card_Card_Ins_Read)) ->
                (true -> ("JC_557": true)))))))))))))

========== generation of Simplify VC output ==========
why -simplify [...] why/SimpleApplet.why
========== file tests/java/simplify/SimpleApplet_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom AID_parenttag_Object
 (EQ (parenttag AID_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom APDU_ACK_INS_def
 (EQ APDU_ACK_INS (byte_of_integer 1)))

(BG_PUSH
 ;; Why axiom APDU_ACK_NONE_def
 (EQ APDU_ACK_NONE (byte_of_integer 0)))

(BG_PUSH
 ;; Why axiom APDU_ACK_NOT_INS_def
 (EQ APDU_ACK_NOT_INS (byte_of_integer 2)))

(BG_PUSH
 ;; Why axiom APDU_BUFFER_OVERFLOW_def
 (EQ APDU_BUFFER_OVERFLOW (short_of_integer (- 0 16383))))

(BG_PUSH
 ;; Why axiom APDU_IFSC_def
 (EQ APDU_IFSC (byte_of_integer 1)))

(BG_PUSH
 ;; Why axiom APDU_IFSD_def
 (EQ APDU_IFSD (short_of_integer 258)))

(BG_PUSH
 ;; Why axiom APDU_INVALID_GET_RESPONSE_def
 (EQ APDU_INVALID_GET_RESPONSE (short_of_integer (- 0 16378))))

(BG_PUSH
 ;; Why axiom APDU_LC_def
 (EQ APDU_LC (byte_of_integer 2)))

(BG_PUSH
 ;; Why axiom APDU_LE_def
 (EQ APDU_LE (byte_of_integer 0)))

(BG_PUSH
 ;; Why axiom APDU_LR_def
 (EQ APDU_LR (byte_of_integer 1)))

(BG_PUSH
 ;; Why axiom APDU_PRE_READ_LENGTH_def
 (EQ APDU_PRE_READ_LENGTH (byte_of_integer 3)))

(BG_PUSH
 ;; Why axiom APDU_PROTOCOL_T0_def
 (EQ APDU_PROTOCOL_T0 (byte_of_integer 0)))

(BG_PUSH
 ;; Why axiom APDU_PROTOCOL_T1_def
 (EQ APDU_PROTOCOL_T1 (byte_of_integer 1)))

(BG_PUSH
 ;; Why axiom APDU_RAM_VARS_LENGTH_def
 (EQ APDU_RAM_VARS_LENGTH (byte_of_integer 4)))

(BG_PUSH
 ;; Why axiom APDU_READ_ERROR_def
 (EQ APDU_READ_ERROR (short_of_integer (- 0 16381))))

(BG_PUSH
 ;; Why axiom APDU_WRITE_ERROR_def
 (EQ APDU_WRITE_ERROR (short_of_integer (- 0 16380))))

(BG_PUSH
 ;; Why axiom APDU_parenttag_Object
 (EQ (parenttag APDU_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Applet_parenttag_Object
 (EQ (parenttag Applet_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom CardRuntimeException_parenttag_RuntimeException
 (EQ (parenttag CardRuntimeException_tag RuntimeException_tag) |@true|))

(BG_PUSH
 ;; Why axiom Card_Card_Class_def
 (EQ Card_Card_Class (byte_of_integer (- 0 128))))

(BG_PUSH
 ;; Why axiom Card_Card_Ins_Auth_def
 (EQ Card_Card_Ins_Auth (byte_of_integer 1)))

(BG_PUSH
 ;; Why axiom Card_Card_Ins_Del_def
 (EQ Card_Card_Ins_Del (byte_of_integer 6)))

(BG_PUSH
 ;; Why axiom Card_Card_Ins_Pin_def
 (EQ Card_Card_Ins_Pin (byte_of_integer 2)))

(BG_PUSH
 ;; Why axiom Card_Card_Ins_Read_def
 (EQ Card_Card_Ins_Read (byte_of_integer 7)))

(BG_PUSH
 ;; Why axiom Card_Card_Ins_Write_def
 (EQ Card_Card_Ins_Write (byte_of_integer 5)))

(BG_PUSH
 ;; Why axiom Card_Data_Count_def
 (EQ Card_Data_Count (short_of_integer 10)))

(BG_PUSH
 ;; Why axiom Card_Data_Len_def
 (EQ Card_Data_Len (short_of_integer 5)))

(BG_PUSH
 ;; Why axiom Card_Key_Length_def
 (EQ Card_Key_Length (byte_of_integer (- 0 124))))

(BG_PUSH
 ;; Why axiom Card_Term_Function_Reader_def
 (EQ Card_Term_Function_Reader (byte_of_integer 17)))

(BG_PUSH
 ;; Why axiom Card_Term_Function_Writer_def
 (EQ Card_Term_Function_Writer (byte_of_integer (- 0 86))))

(BG_PUSH
 ;; Why axiom Card_parenttag_Applet
 (EQ (parenttag Card_tag Applet_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Throwable
 (EQ (parenttag Exception_tag Throwable_tag) |@true|))

(BG_PUSH
 ;; Why axiom ISO7816_CLA_ISO7816_def
 (EQ ISO7816_CLA_ISO7816 (byte_of_integer 0)))

(BG_PUSH
 ;; Why axiom ISO7816_INS_EXTERNAL_AUTHENTICATE_def
 (EQ ISO7816_INS_EXTERNAL_AUTHENTICATE (byte_of_integer (- 0 126))))

(BG_PUSH
 ;; Why axiom ISO7816_INS_SELECT_def
 (EQ ISO7816_INS_SELECT (byte_of_integer (- 0 92))))

(BG_PUSH
 ;; Why axiom ISO7816_OFFSET_CDATA_def
 (EQ ISO7816_OFFSET_CDATA (byte_of_integer 5)))

(BG_PUSH
 ;; Why axiom ISO7816_OFFSET_CLA_def
 (EQ ISO7816_OFFSET_CLA (byte_of_integer 0)))

(BG_PUSH
 ;; Why axiom ISO7816_OFFSET_INS_def
 (EQ ISO7816_OFFSET_INS (byte_of_integer 1)))

(BG_PUSH
 ;; Why axiom ISO7816_OFFSET_LC_def
 (EQ ISO7816_OFFSET_LC (byte_of_integer 4)))

(BG_PUSH
 ;; Why axiom ISO7816_OFFSET_P1_def
 (EQ ISO7816_OFFSET_P1 (byte_of_integer 2)))

(BG_PUSH
 ;; Why axiom ISO7816_OFFSET_P2_def
 (EQ ISO7816_OFFSET_P2 (byte_of_integer 3)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_APPLET_SELECT_FAILED_def
 (EQ ISO7816_SW_APPLET_SELECT_FAILED (short_of_integer 27033)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_BYTES_REMAINING_00_def
 (EQ ISO7816_SW_BYTES_REMAINING_00 (short_of_integer 24832)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_CLA_NOT_SUPPORTED_def
 (EQ ISO7816_SW_CLA_NOT_SUPPORTED (short_of_integer 28160)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_COMMAND_NOT_ALLOWED_def
 (EQ ISO7816_SW_COMMAND_NOT_ALLOWED (short_of_integer 27014)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_CONDITIONS_NOT_SATISFIED_def
 (EQ ISO7816_SW_CONDITIONS_NOT_SATISFIED (short_of_integer 27013)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_CORRECT_LENGTH_00_def
 (EQ ISO7816_SW_CORRECT_LENGTH_00 (short_of_integer 27648)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_DATA_INVALID_def
 (EQ ISO7816_SW_DATA_INVALID (short_of_integer 27012)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_FILE_FULL_def
 (EQ ISO7816_SW_FILE_FULL (short_of_integer 27268)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_FILE_INVALID_def
 (EQ ISO7816_SW_FILE_INVALID (short_of_integer 27011)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_FILE_NOT_FOUND_def
 (EQ ISO7816_SW_FILE_NOT_FOUND (short_of_integer 27266)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_FUNC_NOT_SUPPORTED_def
 (EQ ISO7816_SW_FUNC_NOT_SUPPORTED (short_of_integer 27265)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_INCORRECT_P1P2_def
 (EQ ISO7816_SW_INCORRECT_P1P2 (short_of_integer 27270)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_INS_NOT_SUPPORTED_def
 (EQ ISO7816_SW_INS_NOT_SUPPORTED (short_of_integer 27904)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_NO_ERROR_def
 (EQ ISO7816_SW_NO_ERROR (short_of_integer (- 0 28672))))

(BG_PUSH
 ;; Why axiom ISO7816_SW_RECORD_NOT_FOUND_def
 (EQ ISO7816_SW_RECORD_NOT_FOUND (short_of_integer 27267)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_SECURITY_STATUS_NOT_SATISFIED_def
 (EQ ISO7816_SW_SECURITY_STATUS_NOT_SATISFIED (short_of_integer 27010)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_UNKNOWN_def
 (EQ ISO7816_SW_UNKNOWN (short_of_integer 28416)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_WRONG_DATA_def
 (EQ ISO7816_SW_WRONG_DATA (short_of_integer 27264)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_WRONG_LENGTH_def
 (EQ ISO7816_SW_WRONG_LENGTH (short_of_integer 26368)))

(BG_PUSH
 ;; Why axiom ISO7816_SW_WRONG_P1P2_def
 (EQ ISO7816_SW_WRONG_P1P2 (short_of_integer 27392)))

(BG_PUSH
 ;; Why axiom ISOException_parenttag_CardRuntimeException
 (EQ (parenttag ISOException_tag CardRuntimeException_tag) |@true|))

(BG_PUSH
 ;; Why axiom JCSystem_parenttag_Object
 (EQ (parenttag JCSystem_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom NativeMethods_parenttag_Object
 (EQ (parenttag NativeMethods_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_2 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_2) 0))

(DEFPRED (Non_null_byteM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(DEFPRED (Non_null_shortM x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom OwnerPIN_parenttag_Object
 (EQ (parenttag OwnerPIN_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom PackedBoolean_parenttag_Object
 (EQ (parenttag PackedBoolean_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom PrivAccess_parenttag_Object
 (EQ (parenttag PrivAccess_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom RuntimeException_parenttag_Exception
 (EQ (parenttag RuntimeException_tag Exception_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(DEFPRED (buffer_inv this_3 Object_alloc_table APDU_buffer)
  (>= (+ (offset_max Object_alloc_table (select APDU_buffer this_3)) 1) 37))

(BG_PUSH
 ;; Why axiom byteM_parenttag_Object
 (EQ (parenttag byteM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_AID p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_APDU p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Applet p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Card p a Object_alloc_table)
  (left_valid_struct_Applet p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Throwable p a Object_alloc_table))

(DEFPRED (left_valid_struct_RuntimeException p a Object_alloc_table)
  (left_valid_struct_Exception p a Object_alloc_table))

(DEFPRED (left_valid_struct_CardRuntimeException p a Object_alloc_table)
  (left_valid_struct_RuntimeException p a Object_alloc_table))

(DEFPRED (left_valid_struct_ISOException p a Object_alloc_table)
  (left_valid_struct_CardRuntimeException p a Object_alloc_table))

(DEFPRED (left_valid_struct_JCSystem p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_NativeMethods p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_OwnerPIN p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_PackedBoolean p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_PrivAccess p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_byteM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(DEFPRED (left_valid_struct_shortM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_AID p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_APDU p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Applet p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Card p b Object_alloc_table)
  (right_valid_struct_Applet p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Throwable p b Object_alloc_table))

(DEFPRED (right_valid_struct_RuntimeException p b Object_alloc_table)
  (right_valid_struct_Exception p b Object_alloc_table))

(DEFPRED (right_valid_struct_CardRuntimeException p b Object_alloc_table)
  (right_valid_struct_RuntimeException p b Object_alloc_table))

(DEFPRED (right_valid_struct_ISOException p b Object_alloc_table)
  (right_valid_struct_CardRuntimeException p b Object_alloc_table))

(DEFPRED (right_valid_struct_JCSystem p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_NativeMethods p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_OwnerPIN p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_PackedBoolean p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_PrivAccess p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_byteM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (right_valid_struct_shortM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(BG_PUSH
 ;; Why axiom shortM_parenttag_Object
 (EQ (parenttag shortM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_AID p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_APDU p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Applet p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Card p a b Object_alloc_table)
  (strict_valid_struct_Applet p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Throwable p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_RuntimeException p a b Object_alloc_table)
  (strict_valid_struct_Exception p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_CardRuntimeException p a b Object_alloc_table)
  (strict_valid_struct_RuntimeException p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_ISOException p a b Object_alloc_table)
  (strict_valid_struct_CardRuntimeException p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_JCSystem p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_NativeMethods p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_OwnerPIN p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_PackedBoolean p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_PrivAccess p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_byteM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_shortM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_AID p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_APDU p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Applet p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Card p a b Object_alloc_table)
  (valid_struct_Applet p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Throwable p a b Object_alloc_table))

(DEFPRED (valid_struct_RuntimeException p a b Object_alloc_table)
  (valid_struct_Exception p a b Object_alloc_table))

(DEFPRED (valid_struct_CardRuntimeException p a b Object_alloc_table)
  (valid_struct_RuntimeException p a b Object_alloc_table))

(DEFPRED (valid_struct_ISOException p a b Object_alloc_table)
  (valid_struct_CardRuntimeException p a b Object_alloc_table))

(DEFPRED (valid_struct_JCSystem p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_NativeMethods p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_OwnerPIN p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_PackedBoolean p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_PrivAccess p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_byteM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_shortM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

;; Card_install_safety_po_1, File "HOME/tests/java/SimpleApplet.jc", line 474, characters 67-78
(FORALL (bArray_1)
(FORALL (Object_alloc_table)
(IMPLIES (left_valid_struct_byteM bArray_1 0 Object_alloc_table) (>= 1 0))))

;; Card_install_safety_po_2, File "why/SimpleApplet.why", line 2067, characters 15-71
(FORALL (bArray_1)
(FORALL (Object_alloc_table)
(IMPLIES (left_valid_struct_byteM bArray_1 0 Object_alloc_table)
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Card result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Card_tag))))
(>= (offset_max Object_alloc_table0 result) 0)))))))))

;; Card_install_safety_po_3, File "HOME/tests/java/SimpleApplet.java", line 86, characters 38-49
(FORALL (bArray_1)
(FORALL (bOffset_1)
(FORALL (Object_alloc_table)
(IMPLIES (left_valid_struct_byteM bArray_1 0 Object_alloc_table)
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Card result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Card_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_short bOffset_1) 1))))))))))))

;; Card_install_safety_po_4, File "HOME/tests/java/SimpleApplet.java", line 86, characters 38-49
(FORALL (bArray_1)
(FORALL (bOffset_1)
(FORALL (Object_alloc_table)
(IMPLIES (left_valid_struct_byteM bArray_1 0 Object_alloc_table)
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Card result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Card_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(<= (+ (integer_of_short bOffset_1) 1) constant_too_large_2147483647)))))))))))

;; Card_install_safety_po_5, File "HOME/tests/java/SimpleApplet.java", line 86, characters 29-50
(FORALL (bArray_1)
(FORALL (bOffset_1)
(FORALL (Object_alloc_table)
(IMPLIES (left_valid_struct_byteM bArray_1 0 Object_alloc_table)
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Card result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Card_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_short
                                                    bOffset_1) 1))
         (<= (+ (integer_of_short bOffset_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (+ (integer_of_short bOffset_1) 1))
(<= (- 0 32768) (integer_of_int32 result0)))))))))))))))

;; Card_install_safety_po_6, File "HOME/tests/java/SimpleApplet.java", line 86, characters 29-50
(FORALL (bArray_1)
(FORALL (bOffset_1)
(FORALL (Object_alloc_table)
(IMPLIES (left_valid_struct_byteM bArray_1 0 Object_alloc_table)
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Card result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Card_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_short
                                                    bOffset_1) 1))
         (<= (+ (integer_of_short bOffset_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (+ (integer_of_short bOffset_1) 1))
(<= (integer_of_int32 result0) 32767))))))))))))))

;; Card_install_safety_po_7, File "HOME/tests/java/SimpleApplet.java", line 86, characters 52-67
(FORALL (bArray_1)
(FORALL (bOffset_1)
(FORALL (Object_alloc_table)
(IMPLIES (left_valid_struct_byteM bArray_1 0 Object_alloc_table)
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Card result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Card_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_short
                                                    bOffset_1) 1))
         (<= (+ (integer_of_short bOffset_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (+ (integer_of_short bOffset_1) 1))
(IMPLIES (AND (<= (- 0 32768) (integer_of_int32 result0))
         (<= (integer_of_int32 result0) 32767))
(FORALL (result1)
(IMPLIES (EQ (integer_of_short result1) (integer_of_int32 result0))
(<= (offset_min Object_alloc_table0 bArray_1) (integer_of_short bOffset_1))))))))))))))))))

;; Card_install_safety_po_8, File "HOME/tests/java/SimpleApplet.java", line 86, characters 52-67
(FORALL (bArray_1)
(FORALL (bOffset_1)
(FORALL (Object_alloc_table)
(IMPLIES (left_valid_struct_byteM bArray_1 0 Object_alloc_table)
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Card result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Card_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_short
                                                    bOffset_1) 1))
         (<= (+ (integer_of_short bOffset_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (+ (integer_of_short bOffset_1) 1))
(IMPLIES (AND (<= (- 0 32768) (integer_of_int32 result0))
         (<= (integer_of_int32 result0) 32767))
(FORALL (result1)
(IMPLIES (EQ (integer_of_short result1) (integer_of_int32 result0))
(<= (integer_of_short bOffset_1) (offset_max Object_alloc_table0 bArray_1))))))))))))))))))

;; Card_process_ensures_default_po_1, File "", line 0, characters 0-0
(FORALL (this_1)
(FORALL (apdu_0)
(FORALL (APDU_buffer)
(FORALL (Object_alloc_table)
(FORALL (byteM_byteP)
(IMPLIES (AND (left_valid_struct_APDU apdu_0 0 Object_alloc_table)
         (AND (valid_struct_Card this_1 0 0 Object_alloc_table)
         (buffer_inv apdu_0 Object_alloc_table APDU_buffer)))
(FORALL (result)
(AND (IMPLIES (EQ result |@true|) TRUE)
(IMPLIES (NEQ result |@true|) (FORALL (result)
                              (IMPLIES
                              (AND
                              (buffer_inv
                              apdu_0 Object_alloc_table APDU_buffer)
                              (AND (EQ result (select APDU_buffer apdu_0))
                              (buffer_inv
                              apdu_0 Object_alloc_table APDU_buffer)))
                              (FORALL (result0)
                              (IMPLIES
                              (EQ result0
                              (select
                              byteM_byteP (shift
                                          result (integer_of_byte
                                                 ISO7816_OFFSET_CLA))))
                              (AND
                              (IMPLIES
                              (NEQ (integer_of_byte result0)
                              (integer_of_byte Card_Card_Class))
                              (IMPLIES TRUE
                              (FORALL (result0)
                              (IMPLIES
                              (EQ result0
                              (select
                              byteM_byteP (shift
                                          result (integer_of_byte
                                                 ISO7816_OFFSET_INS))))
                              (AND
                              (IMPLIES
                              (EQ (integer_of_byte result0)
                              (integer_of_byte Card_Card_Ins_Read)) TRUE)
                              (IMPLIES
                              (NEQ (integer_of_byte result0)
                              (integer_of_byte Card_Card_Ins_Read))
                              (IMPLIES TRUE TRUE)))))))
                              (IMPLIES
                              (EQ (integer_of_byte result0)
                              (integer_of_byte Card_Card_Class))
                              (FORALL (result0)
                              (IMPLIES
                              (EQ result0
                              (select
                              byteM_byteP (shift
                                          result (integer_of_byte
                                                 ISO7816_OFFSET_INS))))
                              (AND
                              (IMPLIES
                              (EQ (integer_of_byte result0)
                              (integer_of_byte Card_Card_Ins_Read)) TRUE)
                              (IMPLIES
                              (NEQ (integer_of_byte result0)
                              (integer_of_byte Card_Card_Ins_Read))
                              (IMPLIES TRUE TRUE))))))))))))))))))))

;; Card_process_safety_po_1, File "", line 0, characters 0-0
(FORALL (this_1)
(FORALL (apdu_0)
(FORALL (APDU_buffer)
(FORALL (Object_alloc_table)
(FORALL (byteM_byteP)
(IMPLIES (AND (left_valid_struct_APDU apdu_0 0 Object_alloc_table)
         (AND (valid_struct_Card this_1 0 0 Object_alloc_table)
         (buffer_inv apdu_0 Object_alloc_table APDU_buffer)))
(FORALL (result)
(AND
(IMPLIES (EQ result |@true|) (buffer_inv
                             apdu_0 Object_alloc_table APDU_buffer))
(IMPLIES (NEQ result |@true|) (AND
                              (>= (offset_max Object_alloc_table apdu_0) 0)
                              (AND
                              (buffer_inv
                              apdu_0 Object_alloc_table APDU_buffer)
                              (FORALL (result)
                              (IMPLIES
                              (AND
                              (buffer_inv
                              apdu_0 Object_alloc_table APDU_buffer)
                              (AND (EQ result (select APDU_buffer apdu_0))
                              (buffer_inv
                              apdu_0 Object_alloc_table APDU_buffer)))
                              (AND
                              (<= 0 (offset_max Object_alloc_table result))
                              (FORALL (result0)
                              (IMPLIES
                              (EQ result0
                              (select byteM_byteP (shift result 0)))
                              (AND
                              (IMPLIES
                              (NEQ (integer_of_byte result0)
                              (integer_of_byte Card_Card_Class))
                              (IMPLIES TRUE
                              (AND
                              (<= 1 (offset_max Object_alloc_table result))
                              (FORALL (result0)
                              (IMPLIES
                              (EQ result0
                              (select byteM_byteP (shift result 1)))
                              (AND
                              (IMPLIES
                              (EQ (integer_of_byte result0)
                              (integer_of_byte Card_Card_Ins_Read))
                              (buffer_inv
                              apdu_0 Object_alloc_table APDU_buffer))
                              (IMPLIES
                              (NEQ (integer_of_byte result0)
                              (integer_of_byte Card_Card_Ins_Read))
                              (IMPLIES TRUE
                              (buffer_inv
                              apdu_0 Object_alloc_table APDU_buffer)))))))))
                              (IMPLIES
                              (EQ (integer_of_byte result0)
                              (integer_of_byte Card_Card_Class))
                              (AND
                              (<= 1 (offset_max Object_alloc_table result))
                              (FORALL (result0)
                              (IMPLIES
                              (EQ result0
                              (select byteM_byteP (shift result 1)))
                              (AND
                              (IMPLIES
                              (EQ (integer_of_byte result0)
                              (integer_of_byte Card_Card_Ins_Read))
                              (buffer_inv
                              apdu_0 Object_alloc_table APDU_buffer))
                              (IMPLIES
                              (NEQ (integer_of_byte result0)
                              (integer_of_byte Card_Card_Ins_Read))
                              (IMPLIES TRUE
                              (buffer_inv
                              apdu_0 Object_alloc_table APDU_buffer)))))))))))))))))))))))))

;; cons_APDU_safety_po_1, File "HOME/lib/javacard_api/javacard/framework/APDU.java", line 239, characters 2-6
(FORALL (this_68)
(FORALL (APDU_buffer)
(FORALL (APDU_incomingFlag)
(FORALL (APDU_lrIs256Flag)
(FORALL (APDU_noChainingFlag)
(FORALL (APDU_noGetResponseFlag)
(FORALL (APDU_outgoingFlag)
(FORALL (APDU_outgoingLenSetFlag)
(FORALL (APDU_sendInProgressFlag)
(FORALL (APDU_thePackedBoolean)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_APDU this_68 0 0 Object_alloc_table)
(FORALL (APDU_buffer0)
(IMPLIES (EQ APDU_buffer0 (|why__store| APDU_buffer this_68 null))
(FORALL (APDU_thePackedBoolean0)
(IMPLIES (EQ APDU_thePackedBoolean0
         (|why__store| APDU_thePackedBoolean this_68 null))
(FORALL (result)
(IMPLIES (EQ (integer_of_byte result) 0)
(FORALL (APDU_incomingFlag0)
(IMPLIES (EQ APDU_incomingFlag0
         (|why__store| APDU_incomingFlag this_68 result))
(FORALL (result0)
(IMPLIES (EQ (integer_of_byte result0) 0)
(FORALL (APDU_outgoingFlag0)
(IMPLIES (EQ APDU_outgoingFlag0
         (|why__store| APDU_outgoingFlag this_68 result0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_byte result1) 0)
(FORALL (APDU_outgoingLenSetFlag0)
(IMPLIES (EQ APDU_outgoingLenSetFlag0
         (|why__store| APDU_outgoingLenSetFlag this_68 result1))
(FORALL (result2)
(IMPLIES (EQ (integer_of_byte result2) 0)
(FORALL (APDU_lrIs256Flag0)
(IMPLIES (EQ APDU_lrIs256Flag0
         (|why__store| APDU_lrIs256Flag this_68 result2))
(FORALL (result3)
(IMPLIES (EQ (integer_of_byte result3) 0)
(FORALL (APDU_sendInProgressFlag0)
(IMPLIES (EQ APDU_sendInProgressFlag0
         (|why__store| APDU_sendInProgressFlag this_68 result3))
(FORALL (result4)
(IMPLIES (EQ (integer_of_byte result4) 0)
(FORALL (APDU_noChainingFlag0)
(IMPLIES (EQ APDU_noChainingFlag0
         (|why__store| APDU_noChainingFlag this_68 result4))
(FORALL (result5)
(IMPLIES (EQ (integer_of_byte result5) 0)
(FORALL (APDU_noGetResponseFlag0)
(IMPLIES (EQ APDU_noGetResponseFlag0
         (|why__store| APDU_noGetResponseFlag this_68 result5))
(buffer_inv this_68 Object_alloc_table APDU_buffer0)))))))))))))))))))))))))))))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/SimpleApplet_why.sx  : ..??.???.?? (4/0/7/0/0)
total   :  11
valid   :   4 ( 36%)
invalid :   0 (  0%)
unknown :   7 ( 64%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/SimpleApplet.why
========== file tests/java/why/SimpleApplet_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic AID_tag : Object tag_id

logic Object_tag : Object tag_id

axiom AID_parenttag_Object: parenttag(AID_tag, Object_tag)

logic byte_of_integer : int -> byte

function APDU_ACK_INS() : byte = byte_of_integer(1)

function APDU_ACK_NONE() : byte = byte_of_integer(0)

function APDU_ACK_NOT_INS() : byte = byte_of_integer(2)

logic APDU_BUFFERSIZE : short

logic short_of_integer : int -> short

function APDU_BUFFER_OVERFLOW() : short = short_of_integer((-16383))

function APDU_IFSC() : byte = byte_of_integer(1)

function APDU_IFSD() : short = short_of_integer(258)

function APDU_INVALID_GET_RESPONSE() : short = short_of_integer((-16378))

function APDU_LC() : byte = byte_of_integer(2)

function APDU_LE() : byte = byte_of_integer(0)

function APDU_LR() : byte = byte_of_integer(1)

function APDU_PRE_READ_LENGTH() : byte = byte_of_integer(3)

function APDU_PROTOCOL_T0() : byte = byte_of_integer(0)

function APDU_PROTOCOL_T1() : byte = byte_of_integer(1)

function APDU_RAM_VARS_LENGTH() : byte = byte_of_integer(4)

function APDU_READ_ERROR() : short = short_of_integer((-16381))

function APDU_WRITE_ERROR() : short = short_of_integer((-16380))

logic APDU_tag : Object tag_id

axiom APDU_parenttag_Object: parenttag(APDU_tag, Object_tag)

logic APDU_ramVars : Object pointer

logic APDU_theAPDU : Object pointer

logic Applet_tag : Object tag_id

axiom Applet_parenttag_Object: parenttag(Applet_tag, Object_tag)

logic CardRuntimeException_tag : Object tag_id

logic RuntimeException_tag : Object tag_id

axiom CardRuntimeException_parenttag_RuntimeException:
  parenttag(CardRuntimeException_tag, RuntimeException_tag)

logic CardRuntimeException_systemInstance : Object pointer

function Card_Card_Class() : byte = byte_of_integer((-128))

function Card_Card_Ins_Auth() : byte = byte_of_integer(1)

function Card_Card_Ins_Del() : byte = byte_of_integer(6)

function Card_Card_Ins_Pin() : byte = byte_of_integer(2)

function Card_Card_Ins_Read() : byte = byte_of_integer(7)

function Card_Card_Ins_Write() : byte = byte_of_integer(5)

function Card_Data_Count() : short = short_of_integer(10)

function Card_Data_Len() : short = short_of_integer(5)

function Card_Key_Length() : byte = byte_of_integer((-124))

function Card_Term_Function_Reader() : byte = byte_of_integer(17)

function Card_Term_Function_Writer() : byte = byte_of_integer((-86))

logic Card_tag : Object tag_id

axiom Card_parenttag_Applet: parenttag(Card_tag, Applet_tag)

logic Exception_tag : Object tag_id

logic Throwable_tag : Object tag_id

axiom Exception_parenttag_Throwable: parenttag(Exception_tag, Throwable_tag)

function ISO7816_CLA_ISO7816() : byte = byte_of_integer(0)

function ISO7816_INS_EXTERNAL_AUTHENTICATE() : byte = byte_of_integer((-126))

function ISO7816_INS_SELECT() : byte = byte_of_integer((-92))

function ISO7816_OFFSET_CDATA() : byte = byte_of_integer(5)

function ISO7816_OFFSET_CLA() : byte = byte_of_integer(0)

function ISO7816_OFFSET_INS() : byte = byte_of_integer(1)

function ISO7816_OFFSET_LC() : byte = byte_of_integer(4)

function ISO7816_OFFSET_P1() : byte = byte_of_integer(2)

function ISO7816_OFFSET_P2() : byte = byte_of_integer(3)

function ISO7816_SW_APPLET_SELECT_FAILED() : short = short_of_integer(27033)

function ISO7816_SW_BYTES_REMAINING_00() : short = short_of_integer(24832)

function ISO7816_SW_CLA_NOT_SUPPORTED() : short = short_of_integer(28160)

function ISO7816_SW_COMMAND_NOT_ALLOWED() : short = short_of_integer(27014)

function ISO7816_SW_CONDITIONS_NOT_SATISFIED() : short =
  short_of_integer(27013)

function ISO7816_SW_CORRECT_LENGTH_00() : short = short_of_integer(27648)

function ISO7816_SW_DATA_INVALID() : short = short_of_integer(27012)

function ISO7816_SW_FILE_FULL() : short = short_of_integer(27268)

function ISO7816_SW_FILE_INVALID() : short = short_of_integer(27011)

function ISO7816_SW_FILE_NOT_FOUND() : short = short_of_integer(27266)

function ISO7816_SW_FUNC_NOT_SUPPORTED() : short = short_of_integer(27265)

function ISO7816_SW_INCORRECT_P1P2() : short = short_of_integer(27270)

function ISO7816_SW_INS_NOT_SUPPORTED() : short = short_of_integer(27904)

function ISO7816_SW_NO_ERROR() : short = short_of_integer((-28672))

function ISO7816_SW_RECORD_NOT_FOUND() : short = short_of_integer(27267)

function ISO7816_SW_SECURITY_STATUS_NOT_SATISFIED() : short =
  short_of_integer(27010)

function ISO7816_SW_UNKNOWN() : short = short_of_integer(28416)

function ISO7816_SW_WRONG_DATA() : short = short_of_integer(27264)

function ISO7816_SW_WRONG_LENGTH() : short = short_of_integer(26368)

function ISO7816_SW_WRONG_P1P2() : short = short_of_integer(27392)

logic ISOException_tag : Object tag_id

axiom ISOException_parenttag_CardRuntimeException:
  parenttag(ISOException_tag, CardRuntimeException_tag)

logic ISOException_systemInstance : Object pointer

logic JCSystem_tag : Object tag_id

axiom JCSystem_parenttag_Object: parenttag(JCSystem_tag, Object_tag)

logic NativeMethods_tag : Object tag_id

axiom NativeMethods_parenttag_Object: parenttag(NativeMethods_tag,
  Object_tag)

predicate Non_null_Object(x_2: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_2) >= 0)

predicate Non_null_byteM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

predicate Non_null_shortM(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic OwnerPIN_tag : Object tag_id

axiom OwnerPIN_parenttag_Object: parenttag(OwnerPIN_tag, Object_tag)

logic PackedBoolean_tag : Object tag_id

axiom PackedBoolean_parenttag_Object: parenttag(PackedBoolean_tag,
  Object_tag)

logic PrivAccess_tag : Object tag_id

axiom PrivAccess_parenttag_Object: parenttag(PrivAccess_tag, Object_tag)

axiom RuntimeException_parenttag_Exception: parenttag(RuntimeException_tag,
  Exception_tag)

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

predicate buffer_inv(this_3: Object pointer,
  Object_alloc_table: Object alloc_table, APDU_buffer: (Object,
  Object pointer) memory) = ((offset_max(Object_alloc_table,
  select(APDU_buffer, this_3)) + 1) >= 37)

logic byteM_tag : Object tag_id

axiom byteM_parenttag_Object: parenttag(byteM_tag, Object_tag)

logic integer_of_byte : byte -> int

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_AID(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_APDU(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Applet(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Card(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Applet(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Throwable(p, a,
  Object_alloc_table)

predicate left_valid_struct_RuntimeException(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Exception(p, a,
  Object_alloc_table)

predicate left_valid_struct_CardRuntimeException(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) =
  left_valid_struct_RuntimeException(p, a, Object_alloc_table)

predicate left_valid_struct_ISOException(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) =
  left_valid_struct_CardRuntimeException(p, a, Object_alloc_table)

predicate left_valid_struct_JCSystem(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_NativeMethods(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_OwnerPIN(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_PackedBoolean(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_PrivAccess(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_byteM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

predicate left_valid_struct_shortM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_AID(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_APDU(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Applet(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Card(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Applet(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Throwable(p,
  b, Object_alloc_table)

predicate right_valid_struct_RuntimeException(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Exception(p,
  b, Object_alloc_table)

predicate right_valid_struct_CardRuntimeException(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) =
  right_valid_struct_RuntimeException(p, b, Object_alloc_table)

predicate right_valid_struct_ISOException(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) =
  right_valid_struct_CardRuntimeException(p, b, Object_alloc_table)

predicate right_valid_struct_JCSystem(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_NativeMethods(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_OwnerPIN(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_PackedBoolean(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_PrivAccess(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_byteM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate right_valid_struct_shortM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

logic shortM_tag : Object tag_id

axiom shortM_parenttag_Object: parenttag(shortM_tag, Object_tag)

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_AID(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_APDU(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Applet(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Card(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Applet(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Throwable(p,
  a, b, Object_alloc_table)

predicate strict_valid_struct_RuntimeException(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Exception(p, a, b, Object_alloc_table)

predicate strict_valid_struct_CardRuntimeException(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate strict_valid_struct_ISOException(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  strict_valid_struct_CardRuntimeException(p, a, b, Object_alloc_table)

predicate strict_valid_struct_JCSystem(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_NativeMethods(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_OwnerPIN(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_PackedBoolean(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_PrivAccess(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_byteM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_shortM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_AID(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_APDU(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Applet(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Card(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Applet(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Throwable(p, a, b,
  Object_alloc_table)

predicate valid_struct_RuntimeException(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Exception(p, a, b,
  Object_alloc_table)

predicate valid_struct_CardRuntimeException(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  valid_struct_RuntimeException(p, a, b, Object_alloc_table)

predicate valid_struct_ISOException(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  valid_struct_CardRuntimeException(p, a, b, Object_alloc_table)

predicate valid_struct_JCSystem(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_NativeMethods(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_OwnerPIN(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_PackedBoolean(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_PrivAccess(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_byteM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_shortM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

goal Card_install_safety_po_1:
  forall bArray_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0)

goal Card_install_safety_po_2:
  forall bArray_1:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

goal Card_install_safety_po_3:
  forall bArray_1:Object pointer.
  forall bOffset_1:short.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  ((-2147483648) <= (integer_of_short(bOffset_1) + 1))

goal Card_install_safety_po_4:
  forall bArray_1:Object pointer.
  forall bOffset_1:short.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  ((integer_of_short(bOffset_1) + 1) <= 2147483647)

goal Card_install_safety_po_5:
  forall bArray_1:Object pointer.
  forall bOffset_1:short.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  (((-2147483648) <= (integer_of_short(bOffset_1) + 1)) and
   ((integer_of_short(bOffset_1) + 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_short(bOffset_1) + 1)) ->
  ((-32768) <= integer_of_int32(result0))

goal Card_install_safety_po_6:
  forall bArray_1:Object pointer.
  forall bOffset_1:short.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  (((-2147483648) <= (integer_of_short(bOffset_1) + 1)) and
   ((integer_of_short(bOffset_1) + 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_short(bOffset_1) + 1)) ->
  (integer_of_int32(result0) <= 32767)

goal Card_install_safety_po_7:
  forall bArray_1:Object pointer.
  forall bOffset_1:short.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  (((-2147483648) <= (integer_of_short(bOffset_1) + 1)) and
   ((integer_of_short(bOffset_1) + 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_short(bOffset_1) + 1)) ->
  (((-32768) <= integer_of_int32(result0)) and
   (integer_of_int32(result0) <= 32767)) ->
  forall result1:short.
  (integer_of_short(result1) = integer_of_int32(result0)) ->
  (offset_min(Object_alloc_table0, bArray_1) <= integer_of_short(bOffset_1))

goal Card_install_safety_po_8:
  forall bArray_1:Object pointer.
  forall bOffset_1:short.
  forall Object_alloc_table:Object alloc_table.
  left_valid_struct_byteM(bArray_1, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Card(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Card_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  (((-2147483648) <= (integer_of_short(bOffset_1) + 1)) and
   ((integer_of_short(bOffset_1) + 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_short(bOffset_1) + 1)) ->
  (((-32768) <= integer_of_int32(result0)) and
   (integer_of_int32(result0) <= 32767)) ->
  forall result1:short.
  (integer_of_short(result1) = integer_of_int32(result0)) ->
  (integer_of_short(bOffset_1) <= offset_max(Object_alloc_table0, bArray_1))

goal Card_process_ensures_default_po_1:
  forall this_1:Object pointer.
  forall apdu_0:Object pointer.
  forall APDU_buffer:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  forall byteM_byteP:(Object,
  byte) memory.
  (left_valid_struct_APDU(apdu_0, 0, Object_alloc_table) and
   (valid_struct_Card(this_1, 0, 0, Object_alloc_table) and
    ("JC_555": buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)))) ->
  forall result:bool.
  (if result then ("JC_557": true) else
   (forall result:Object pointer.
     ((("JC_540": buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) and
       ("JC_544":
       (("JC_543": (result = select(APDU_buffer, apdu_0))) and
        buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)))) ->
      (forall result0:byte.
        ((result0 = select(byteM_byteP, shift(result,
         integer_of_byte(ISO7816_OFFSET_CLA)))) ->
         (((integer_of_byte(result0) <> integer_of_byte(Card_Card_Class)) ->
           (true ->
            (forall result0:byte.
              ((result0 = select(byteM_byteP, shift(result,
               integer_of_byte(ISO7816_OFFSET_INS)))) ->
               (((integer_of_byte(result0) = integer_of_byte(Card_Card_Ins_Read)) ->
                 ("JC_557": true)) and
                ((integer_of_byte(result0) <> integer_of_byte(Card_Card_Ins_Read)) ->
                 (true -> ("JC_557": true)))))))) and
          ((integer_of_byte(result0) = integer_of_byte(Card_Card_Class)) ->
           (forall result0:byte.
             ((result0 = select(byteM_byteP, shift(result,
              integer_of_byte(ISO7816_OFFSET_INS)))) ->
              (((integer_of_byte(result0) = integer_of_byte(Card_Card_Ins_Read)) ->
                ("JC_557": true)) and
               ((integer_of_byte(result0) <> integer_of_byte(Card_Card_Ins_Read)) ->
                (true -> ("JC_557": true)))))))))))))

goal Card_process_safety_po_1:
  forall this_1:Object pointer.
  forall apdu_0:Object pointer.
  forall APDU_buffer:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  forall byteM_byteP:(Object,
  byte) memory.
  (left_valid_struct_APDU(apdu_0, 0, Object_alloc_table) and
   (valid_struct_Card(this_1, 0, 0, Object_alloc_table) and
    ("JC_555": buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)))) ->
  forall result:bool.
  (if result then
   ("JC_559": buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) else
   ((offset_max(Object_alloc_table, apdu_0) >= 0) and
    (("JC_533": buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) and
     (forall result:Object pointer.
       ((("JC_540": buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)) and
         ("JC_544":
         (("JC_543": (result = select(APDU_buffer, apdu_0))) and
          buffer_inv(apdu_0, Object_alloc_table, APDU_buffer)))) ->
        ((0 <= offset_max(Object_alloc_table, result)) and
         (forall result0:byte.
           ((result0 = select(byteM_byteP, shift(result, 0))) ->
            (((integer_of_byte(result0) <> integer_of_byte(Card_Card_Class)) ->
              (true ->
               ((1 <= offset_max(Object_alloc_table, result)) and
                (forall result0:byte.
                  ((result0 = select(byteM_byteP, shift(result, 1))) ->
                   (((integer_of_byte(result0) = integer_of_byte(Card_Card_Ins_Read)) ->
                     ("JC_559": buffer_inv(apdu_0, Object_alloc_table,
                     APDU_buffer))) and
                    ((integer_of_byte(result0) <> integer_of_byte(Card_Card_Ins_Read)) ->
                     (true ->
                      ("JC_559": buffer_inv(apdu_0, Object_alloc_table,
                      APDU_buffer)))))))))) and
             ((integer_of_byte(result0) = integer_of_byte(Card_Card_Class)) ->
              ((1 <= offset_max(Object_alloc_table, result)) and
               (forall result0:byte.
                 ((result0 = select(byteM_byteP, shift(result, 1))) ->
                  (((integer_of_byte(result0) = integer_of_byte(Card_Card_Ins_Read)) ->
                    ("JC_559": buffer_inv(apdu_0, Object_alloc_table,
                    APDU_buffer))) and
                   ((integer_of_byte(result0) <> integer_of_byte(Card_Card_Ins_Read)) ->
                    (true ->
                     ("JC_559": buffer_inv(apdu_0, Object_alloc_table,
                     APDU_buffer))))))))))))))))))

goal cons_APDU_safety_po_1:
  forall this_68:Object pointer.
  forall APDU_buffer:(Object,
  Object pointer) memory.
  forall APDU_incomingFlag:(Object,
  byte) memory.
  forall APDU_lrIs256Flag:(Object,
  byte) memory.
  forall APDU_noChainingFlag:(Object,
  byte) memory.
  forall APDU_noGetResponseFlag:(Object,
  byte) memory.
  forall APDU_outgoingFlag:(Object,
  byte) memory.
  forall APDU_outgoingLenSetFlag:(Object,
  byte) memory.
  forall APDU_sendInProgressFlag:(Object,
  byte) memory.
  forall APDU_thePackedBoolean:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_APDU(this_68, 0, 0, Object_alloc_table) ->
  forall APDU_buffer0:(Object,
  Object pointer) memory.
  (APDU_buffer0 = store(APDU_buffer, this_68, null)) ->
  forall APDU_thePackedBoolean0:(Object,
  Object pointer) memory.
  (APDU_thePackedBoolean0 = store(APDU_thePackedBoolean, this_68, null)) ->
  forall result:byte.
  (integer_of_byte(result) = 0) ->
  forall APDU_incomingFlag0:(Object,
  byte) memory.
  (APDU_incomingFlag0 = store(APDU_incomingFlag, this_68, result)) ->
  forall result0:byte.
  (integer_of_byte(result0) = 0) ->
  forall APDU_outgoingFlag0:(Object,
  byte) memory.
  (APDU_outgoingFlag0 = store(APDU_outgoingFlag, this_68, result0)) ->
  forall result1:byte.
  (integer_of_byte(result1) = 0) ->
  forall APDU_outgoingLenSetFlag0:(Object,
  byte) memory.
  (APDU_outgoingLenSetFlag0 = store(APDU_outgoingLenSetFlag, this_68,
  result1)) ->
  forall result2:byte.
  (integer_of_byte(result2) = 0) ->
  forall APDU_lrIs256Flag0:(Object,
  byte) memory.
  (APDU_lrIs256Flag0 = store(APDU_lrIs256Flag, this_68, result2)) ->
  forall result3:byte.
  (integer_of_byte(result3) = 0) ->
  forall APDU_sendInProgressFlag0:(Object,
  byte) memory.
  (APDU_sendInProgressFlag0 = store(APDU_sendInProgressFlag, this_68,
  result3)) ->
  forall result4:byte.
  (integer_of_byte(result4) = 0) ->
  forall APDU_noChainingFlag0:(Object,
  byte) memory.
  (APDU_noChainingFlag0 = store(APDU_noChainingFlag, this_68, result4)) ->
  forall result5:byte.
  (integer_of_byte(result5) = 0) ->
  forall APDU_noGetResponseFlag0:(Object,
  byte) memory.
  (APDU_noGetResponseFlag0 = store(APDU_noGetResponseFlag, this_68,
  result5)) ->
  ("JC_193": buffer_inv(this_68, Object_alloc_table, APDU_buffer0))

why-2.34/tests/java/oracle/Fresh2.res.oracle0000644000175000017500000053321112311670312017262 0ustar  rtusers========== file tests/java/Fresh2.java ==========

//@+ SeparationPolicy = None

class Fresh2 {

    int x;

    /*@ assigns \nothing;
      @ allocates this;
      @ ensures \fresh(this);
      @*/
    Fresh2 ();

    /*@ assigns \nothing;
      @ allocates \result;
      @ ensures \result != null && \fresh(\result);
      @*/
    static Fresh2 create() {
        return new Fresh2();
    }

    void test() {
        Fresh2 f;
        f = create ();
        //@ assert this != f;
    }

    static void smoke_detector() {
        Fresh2 _s1 = create ();
        Fresh2 _s2 = create ();
        //@ assert 0 == 1;
    }

}


/*
Local Variables:
compile-command: "LC_ALL=C make Fresh2.why3ide"
End:
*/
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Fresh2 for constructor Fresh2
Generating JC function Fresh2_create for method Fresh2.create
Generating JC function Object_equals for method Object.equals
Generating JC function Object_notify for method Object.notify
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function Object_toString for method Object.toString
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function cons_Object for constructor Object
Generating JC function Fresh2_test for method Fresh2.test
Generating JC function Object_clone for method Object.clone
Generating JC function Object_wait_long for method Object.wait
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_wait for method Object.wait
Generating JC function Fresh2_smoke_detector for method Fresh2.smoke_detector
Done.
========== file tests/java/Fresh2.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Fresh2 = Object with {
  int32 x;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Fresh2(! Fresh2[0] this_2)
behavior default:
  assigns \nothing;
  allocates this_2;
  ensures (K_1 : \fresh(this_2));
{  (this_2.x = 0)
}

Fresh2[0..] Fresh2_create()
behavior default:
  assigns \nothing;
  allocates \result;
  ensures (K_4 : ((K_3 : Non_null_Object(\result)) &&
                   (K_2 : \fresh(\result))));
{  
   (return 
   {  
      (var Fresh2[0] this = (new Fresh2[1]));
      
      {  
         (var unit _tt = cons_Fresh2(this));
         this
      }
   })
}

boolean Object_equals(Object[0] this_3, Object[0..] obj)
;

unit Object_notify(Object[0] this_4)
;

unit Object_registerNatives()
;

int32 Object_hashCode(Object[0] this_5)
;

unit Object_wait_long_int(Object[0] this_6, long timeout_0, int32 nanos)
;

String[0..] Object_toString(Object[0] this_7)
;

unit Object_notifyAll(Object[0] this_8)
;

unit cons_Object(! Object[0] this_13){()}

unit Fresh2_test(Fresh2[0] this_1)
{  
   {  
      (var Fresh2[0..] f);
      
      {  (f = (K_5 : Fresh2_create()));
         (K_7 : 
         (assert (K_6 : (this_1 != f))))
      }
   }
}

Object[0..] Object_clone(Object[0] this_9)
;

unit Object_wait_long(Object[0] this_10, long timeout)
;

unit Object_finalize(Object[0] this_11)
;

unit Object_wait(Object[0] this_12)
;

unit Fresh2_smoke_detector()
{  
   {  
      (var Fresh2[0..] _s1 = (K_11 : Fresh2_create()));
      
      {  
         (var Fresh2[0..] _s2 = (K_10 : Fresh2_create()));
         (K_9 : 
         (assert (K_8 : (0 == 1))))
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Fresh2.jloc tests/java/Fresh2.jc && make -f tests/java/Fresh2.makefile gui"
End:
*/
========== file tests/java/Fresh2.jloc ==========
[K_11]
file = "HOME/tests/java/Fresh2.java"
line = 29
begin = 21
end = 30

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Fresh2.java"
line = 31
begin = 19
end = 25

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Fresh2.java"
line = 10
begin = 16
end = 28

[K_4]
file = "HOME/tests/java/Fresh2.java"
line = 16
begin = 16
end = 50

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_2]
file = "HOME/tests/java/Fresh2.java"
line = 16
begin = 35
end = 50

[K_10]
file = "HOME/tests/java/Fresh2.java"
line = 30
begin = 21
end = 30

[cons_Fresh2]
name = "Constructor of class Fresh2"
file = "HOME/tests/java/Fresh2.java"
line = 12
begin = 4
end = 10

[K_6]
file = "HOME/tests/java/Fresh2.java"
line = 25
begin = 19
end = 28

[K_8]
file = "HOME/tests/java/Fresh2.java"
line = 31
begin = 19
end = 25

[K_3]
file = "HOME/tests/java/Fresh2.java"
line = 16
begin = 16
end = 31

[Fresh2_create]
name = "Method create"
file = "HOME/tests/java/Fresh2.java"
line = 18
begin = 18
end = 24

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[Fresh2_smoke_detector]
name = "Method smoke_detector"
file = "HOME/tests/java/Fresh2.java"
line = 28
begin = 16
end = 30

[K_5]
file = "HOME/tests/java/Fresh2.java"
line = 24
begin = 12
end = 21

[Fresh2_test]
name = "Method test"
file = "HOME/tests/java/Fresh2.java"
line = 22
begin = 9
end = 13

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/Fresh2.java"
line = 25
begin = 19
end = 28

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

========== jessie execution ==========
Generating Why function cons_Fresh2
Generating Why function Fresh2_create
Generating Why function cons_Object
Generating Why function Fresh2_test
Generating Why function Fresh2_smoke_detector
========== file tests/java/Fresh2.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Fresh2.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Fresh2.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Fresh2_why.sx

project: why/Fresh2.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Fresh2_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Fresh2_why.vo

coq/Fresh2_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Fresh2_why.v: why/Fresh2.why
	@echo 'why -coq [...] why/Fresh2.why' && $(WHY) $(JESSIELIBFILES) why/Fresh2.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Fresh2_ctx_why.vo
	for f in why/*_po*.why; do make -f Fresh2.makefile coq/`basename $$f .why`_why.v ; done

coq/Fresh2_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Fresh2_ctx_why.v: why/Fresh2_ctx.why
	@echo 'why -coq [...] why/Fresh2_ctx.why' && $(WHY) why/Fresh2_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Fresh2_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Fresh2_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Fresh2_ctx_why.vo

pvs: pvs/Fresh2_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Fresh2_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Fresh2_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Fresh2_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Fresh2_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Fresh2_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Fresh2_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Fresh2_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Fresh2_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Fresh2_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Fresh2_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Fresh2_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Fresh2_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Fresh2_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Fresh2_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Fresh2.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Fresh2_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Fresh2.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Fresh2.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Fresh2.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Fresh2.depend

depend: coq/Fresh2_why.v
	-$(COQDEP) -I coq coq/Fresh2*_why.v > Fresh2.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Fresh2.loc ==========
[JC_94]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
kind = UserCall
file = "HOME/tests/java/Fresh2.jc"
line = 75
begin = 25
end = 42

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/tests/java/Fresh2.java"
line = 22
begin = 9
end = 13

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Fresh2_safety]
name = "Constructor of class Fresh2"
behavior = "Safety"
file = "HOME/tests/java/Fresh2.java"
line = 12
begin = 4
end = 10

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh2_test_ensures_default]
name = "Method test"
behavior = "default behavior"
file = "HOME/tests/java/Fresh2.java"
line = 22
begin = 9
end = 13

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
kind = UserCall
file = "HOME/tests/java/Fresh2.java"
line = 24
begin = 12
end = 21

[JC_170]
file = "HOME/tests/java/Fresh2.java"
line = 31
begin = 19
end = 25

[JC_31]
file = "HOME/tests/java/Fresh2.java"
line = 18
begin = 18
end = 24

[JC_17]
file = "HOME/tests/java/Fresh2.jc"
line = 48
begin = 11
end = 65

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
kind = IndexBounds
file = "HOME/tests/java/Fresh2.jc"
line = 72
begin = 7
end = 43

[JC_23]
file = "HOME/tests/java/Fresh2.java"
line = 10
begin = 16
end = 28

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
kind = UserCall
file = "HOME/tests/java/Fresh2.java"
line = 30
begin = 21
end = 30

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/tests/java/Fresh2.java"
line = 25
begin = 19
end = 28

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Fresh2.jc"
line = 46
begin = 8
end = 23

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/Fresh2.java"
line = 12
begin = 4
end = 10

[JC_25]
file = "HOME/tests/java/Fresh2.jc"
line = 56
begin = 9
end = 16

[JC_78]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_41]
file = "HOME/tests/java/Fresh2.java"
line = 16
begin = 35
end = 50

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
kind = AllocSize
file = "HOME/tests/java/Fresh2.jc"
line = 72
begin = 29
end = 42

[JC_52]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_26]
file = "HOME/tests/java/Fresh2.java"
line = 10
begin = 16
end = 28

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_54]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Fresh2.jc"
line = 46
begin = 8
end = 23

[JC_167]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[cons_Fresh2_ensures_default]
name = "Constructor of class Fresh2"
behavior = "default behavior"
file = "HOME/tests/java/Fresh2.java"
line = 12
begin = 4
end = 10

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh2_test_safety]
name = "Method test"
behavior = "Safety"
file = "HOME/tests/java/Fresh2.java"
line = 22
begin = 9
end = 13

[JC_36]
file = "HOME/tests/java/Fresh2.java"
line = 16
begin = 35
end = 50

[JC_168]
kind = UserCall
file = "HOME/tests/java/Fresh2.java"
line = 29
begin = 21
end = 30

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Fresh2.jc"
line = 64
begin = 9
end = 16

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/java/Fresh2.java"
line = 16
begin = 16
end = 31

[JC_162]
file = "HOME/tests/java/Fresh2.java"
line = 28
begin = 16
end = 30

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_169]
kind = UserCall
file = "HOME/tests/java/Fresh2.java"
line = 30
begin = 21
end = 30

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/Fresh2.java"
line = 16
begin = 16
end = 31

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/Fresh2.java"
line = 12
begin = 4
end = 10

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
kind = UserCall
file = "HOME/tests/java/Fresh2.java"
line = 24
begin = 12
end = 21

[JC_38]
file = "HOME/tests/java/Fresh2.java"
line = 18
begin = 18
end = 24

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/tests/java/Fresh2.java"
line = 25
begin = 19
end = 28

[JC_171]
kind = UserCall
file = "HOME/tests/java/Fresh2.java"
line = 29
begin = 21
end = 30

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Fresh2.jc"
line = 64
begin = 9
end = 16

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh2_create_safety]
name = "Method create"
behavior = "Safety"
file = "HOME/tests/java/Fresh2.java"
line = 18
begin = 18
end = 24

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Fresh2.java"
line = 16
begin = 16
end = 50

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_166]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/tests/java/Fresh2.java"
line = 18
begin = 18
end = 24

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/tests/java/Fresh2.java"
line = 22
begin = 9
end = 13

[JC_173]
file = "HOME/tests/java/Fresh2.java"
line = 31
begin = 19
end = 25

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/Fresh2.java"
line = 18
begin = 18
end = 24

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_160]
file = "HOME/tests/java/Fresh2.java"
line = 28
begin = 16
end = 30

[JC_128]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Fresh2.java"
line = 12
begin = 4
end = 10

[Fresh2_smoke_detector_ensures_default]
name = "Method smoke_detector"
behavior = "default behavior"
file = "HOME/tests/java/Fresh2.java"
line = 28
begin = 16
end = 30

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
kind = UserCall
file = "HOME/tests/java/Fresh2.jc"
line = 75
begin = 25
end = 42

[JC_1]
file = "HOME/tests/java/Fresh2.jc"
line = 20
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_37]
file = "HOME/tests/java/Fresh2.java"
line = 16
begin = 16
end = 50

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh2_smoke_detector_safety]
name = "Method smoke_detector"
behavior = "Safety"
file = "HOME/tests/java/Fresh2.java"
line = 28
begin = 16
end = 30

[JC_136]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Fresh2.jc"
line = 48
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Fresh2.jc"
line = 20
begin = 12
end = 22

[JC_92]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_152]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_86]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_60]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/Fresh2.java"
line = 12
begin = 4
end = 10

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh2_create_ensures_default]
name = "Method create"
behavior = "default behavior"
file = "HOME/tests/java/Fresh2.java"
line = 18
begin = 18
end = 24

[JC_76]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_50]
kind = AllocSize
file = "HOME/tests/java/Fresh2.jc"
line = 72
begin = 29
end = 42

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_28]
file = "HOME/tests/java/Fresh2.jc"
line = 56
begin = 9
end = 16

========== file tests/java/why/Fresh2.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Fresh2_tag:  -> Object tag_id

axiom Fresh2_parenttag_Object : parenttag(Fresh2_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Fresh2(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Fresh2(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Fresh2(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Fresh2(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

parameter Fresh2_x : (Object, int32) memory ref

parameter Fresh2_create :
 tt:unit ->
  { } Object pointer reads Object_alloc_table
  writes Fresh2_x,Object_alloc_table,Object_tag_table
  { (JC_44:
    ((JC_42:
     ((JC_40: Non_null_Object(result, Object_alloc_table))
     and (JC_41: (not valid(Object_alloc_table@, result)))))
    and (JC_43:
        not_assigns(Object_alloc_table@, Fresh2_x@, Fresh2_x, pset_empty)))) }

parameter Fresh2_create_requires :
 tt:unit ->
  { } Object pointer reads Object_alloc_table
  writes Fresh2_x,Object_alloc_table,Object_tag_table
  { (JC_44:
    ((JC_42:
     ((JC_40: Non_null_Object(result, Object_alloc_table))
     and (JC_41: (not valid(Object_alloc_table@, result)))))
    and (JC_43:
        not_assigns(Object_alloc_table@, Fresh2_x@, Fresh2_x, pset_empty)))) }

parameter Fresh2_smoke_detector :
 tt:unit ->
  { } unit reads Object_alloc_table
  writes Fresh2_x,Object_alloc_table,Object_tag_table { true }

parameter Fresh2_smoke_detector_requires :
 tt:unit ->
  { } unit reads Object_alloc_table
  writes Fresh2_x,Object_alloc_table,Object_tag_table { true }

parameter Fresh2_test :
 this_1:Object pointer ->
  { } unit reads Object_alloc_table
  writes Fresh2_x,Object_alloc_table,Object_tag_table { true }

parameter Fresh2_test_requires :
 this_1:Object pointer ->
  { } unit reads Object_alloc_table
  writes Fresh2_x,Object_alloc_table,Object_tag_table { true }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_clone :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_3:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_3:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_5:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_5:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_4:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_toString :
 this_7:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_7:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_10:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_6:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_6:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_10:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Fresh2 :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fresh2(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fresh2_tag)))) }

parameter alloc_struct_Fresh2_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fresh2(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fresh2_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Fresh2 :
 this_2:Object pointer ->
  { } unit reads Object_alloc_table writes Fresh2_x
  { (JC_28:
    ((JC_26: (not valid(Object_alloc_table@, this_2)))
    and (JC_27:
        not_assigns(Object_alloc_table@, Fresh2_x@, Fresh2_x, pset_empty)))) }

parameter cons_Fresh2_requires :
 this_2:Object pointer ->
  { } unit reads Object_alloc_table writes Fresh2_x
  { (JC_28:
    ((JC_26: (not valid(Object_alloc_table@, this_2)))
    and (JC_27:
        not_assigns(Object_alloc_table@, Fresh2_x@, Fresh2_x, pset_empty)))) }

parameter cons_Object :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Fresh2_create_ensures_default =
 fun (tt : unit) ->
  { (JC_34: true) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (return := (let this =
                (JC_50:
                (((alloc_struct_Fresh2 (1)) Object_alloc_table) Object_tag_table)) in
                (let _tt =
                (let _jessie_ = this in (JC_51: (cons_Fresh2 _jessie_))) in
                this))); (raise Return); absurd  end with Return ->
   !return end))
  { (JC_39:
    ((JC_37:
     ((JC_35: Non_null_Object(result, Object_alloc_table))
     and (JC_36: (not valid(Object_alloc_table@, result)))))
    and (JC_38:
        not_assigns(Object_alloc_table@, Fresh2_x@, Fresh2_x, pset_empty)))) }

let Fresh2_create_safety =
 fun (tt : unit) ->
  { (JC_34: true) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (return := (let this =
                (let _jessie_ =
                (JC_47:
                (((alloc_struct_Fresh2_requires (1)) Object_alloc_table) Object_tag_table)) in
                (JC_48:
                (assert
                { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
                _jessie_))) in
                (let _tt =
                (let _jessie_ = this in
                (JC_49: (cons_Fresh2_requires _jessie_))) in this)));
    (raise Return); absurd  end with Return -> !return end)) { true }

let Fresh2_smoke_detector_ensures_default =
 fun (tt : unit) ->
  { (JC_163: true) }
  (init:
  try
   begin
     (let _s1 = (K_11: (JC_171: (Fresh2_create void))) in
     (let _s2 = (K_10: (JC_172: (Fresh2_create void))) in
     (K_9: (assert { (JC_173: ((0) = (1))) }; void)))); (raise Return) end
   with Return -> void end) { (JC_164: true) }

let Fresh2_smoke_detector_safety =
 fun (tt : unit) ->
  { (JC_163: true) }
  (init:
  try
   begin
     (let _s1 = (K_11: (JC_168: (Fresh2_create_requires void))) in
     (let _s2 = (K_10: (JC_169: (Fresh2_create_requires void))) in
     (K_9: [ { } unit { (JC_170: ((0) = (1))) } ]))); (raise Return) end with
   Return -> void end) { true }

let Fresh2_test_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_Fresh2(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let f = ref (any_pointer void) in
     begin
       (let _jessie_ = (f := (K_5: (JC_126: (Fresh2_create void)))) in
       void); (K_7: (assert { (JC_127: (this_1 <> f)) }; void)) end);
    (raise Return) end with Return -> void end) { (JC_120: true) }

let Fresh2_test_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_Fresh2(this_1, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let f = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (f := (K_5: (JC_124: (Fresh2_create_requires void)))) in void);
      (K_7: [ { } unit reads f { (JC_125: (this_1 <> f)) } ]) end);
    (raise Return) end with Return -> void end) { true }

let cons_Fresh2_ensures_default =
 fun (this_2 : Object pointer) ->
  { valid_struct_Fresh2(this_2, (0), (0), Object_alloc_table) }
  (let mutable_this_2 = ref this_2 in
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_int32_of_integer_ (0)) in
     begin
       (let _jessie_ = !mutable_this_2 in
       (((safe_upd_ Fresh2_x) _jessie_) _jessie_)); _jessie_ end) in void);
    (raise Return) end with Return -> void end))
  { (JC_25:
    ((JC_23: (not valid(Object_alloc_table@, this_2)))
    and (JC_24:
        not_assigns(Object_alloc_table@, Fresh2_x@, Fresh2_x, pset_empty)))) }

let cons_Fresh2_safety =
 fun (this_2 : Object pointer) ->
  { valid_struct_Fresh2(this_2, (0), (0), Object_alloc_table) }
  (let mutable_this_2 = ref this_2 in
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_int32_of_integer_ (0)) in
     begin
       (let _jessie_ = !mutable_this_2 in
       (((safe_upd_ Fresh2_x) _jessie_) _jessie_)); _jessie_ end) in void);
    (raise Return) end with Return -> void end)) { true }

let cons_Object_ensures_default =
 fun (this_13 : Object pointer) ->
  { valid_struct_Object(this_13, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_112: true) }

let cons_Object_safety =
 fun (this_13 : Object pointer) ->
  { valid_struct_Object(this_13, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Fresh2.why
========== file tests/java/why/Fresh2.wpr ==========

  
    
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
    
    
      
      
    
    
      
      
    
    
  

========== file tests/java/why/Fresh2_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Fresh2_tag : Object tag_id

axiom Fresh2_parenttag_Object: parenttag(Fresh2_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Fresh2(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Fresh2(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Fresh2(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Fresh2(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Fresh2_po1.why ==========
goal Fresh2_create_ensures_default_po_1:
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_34": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh2(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh2_tag)))) ->
  forall Fresh2_x0:(Object,
  int32) memory.
  ("JC_28":
  (("JC_26": (not valid(Object_alloc_table0, result))) and
   ("JC_27": not_assigns(Object_alloc_table0, Fresh2_x, Fresh2_x0,
   pset_empty)))) ->
  forall return:Object pointer.
  (return = result) ->
  ("JC_39":
  ("JC_37": ("JC_35": Non_null_Object(return, Object_alloc_table0))))

========== file tests/java/why/Fresh2_po2.why ==========
goal Fresh2_create_ensures_default_po_2:
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_34": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh2(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh2_tag)))) ->
  forall Fresh2_x0:(Object,
  int32) memory.
  ("JC_28":
  (("JC_26": (not valid(Object_alloc_table0, result))) and
   ("JC_27": not_assigns(Object_alloc_table0, Fresh2_x, Fresh2_x0,
   pset_empty)))) ->
  forall return:Object pointer.
  (return = result) ->
  ("JC_39": ("JC_37": ("JC_36": (not valid(Object_alloc_table, return)))))

========== file tests/java/why/Fresh2_po3.why ==========
goal Fresh2_create_ensures_default_po_3:
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_34": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh2(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh2_tag)))) ->
  forall Fresh2_x0:(Object,
  int32) memory.
  ("JC_28":
  (("JC_26": (not valid(Object_alloc_table0, result))) and
   ("JC_27": not_assigns(Object_alloc_table0, Fresh2_x, Fresh2_x0,
   pset_empty)))) ->
  forall return:Object pointer.
  (return = result) ->
  ("JC_39":
  ("JC_38": not_assigns(Object_alloc_table, Fresh2_x, Fresh2_x0, pset_empty)))

========== file tests/java/why/Fresh2_po4.why ==========
goal Fresh2_create_safety_po_1:
  ("JC_34": true) ->
  (1 >= 0)

========== file tests/java/why/Fresh2_po5.why ==========
goal Fresh2_create_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_34": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh2(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh2_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

========== file tests/java/why/Fresh2_po6.why ==========
goal Fresh2_smoke_detector_ensures_default_po_1:
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_163": true) ->
  forall result:Object pointer.
  forall Fresh2_x0:(Object,
  int32) memory.
  forall Object_alloc_table0:Object alloc_table.
  ("JC_44":
  (("JC_42":
   (("JC_40": Non_null_Object(result, Object_alloc_table0)) and
    ("JC_41": (not valid(Object_alloc_table, result))))) and
   ("JC_43": not_assigns(Object_alloc_table, Fresh2_x, Fresh2_x0,
   pset_empty)))) ->
  forall result0:Object pointer.
  forall Fresh2_x1:(Object,
  int32) memory.
  forall Object_alloc_table1:Object alloc_table.
  ("JC_44":
  (("JC_42":
   (("JC_40": Non_null_Object(result0, Object_alloc_table1)) and
    ("JC_41": (not valid(Object_alloc_table0, result0))))) and
   ("JC_43": not_assigns(Object_alloc_table0, Fresh2_x0, Fresh2_x1,
   pset_empty)))) ->
  ("JC_173": (0 = 1))

========== file tests/java/why/Fresh2_po7.why ==========
goal Fresh2_test_ensures_default_po_1:
  forall this_1:Object pointer.
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh2(this_1, 0, 0, Object_alloc_table) ->
  forall result:Object pointer.
  forall Fresh2_x0:(Object,
  int32) memory.
  forall Object_alloc_table0:Object alloc_table.
  ("JC_44":
  (("JC_42":
   (("JC_40": Non_null_Object(result, Object_alloc_table0)) and
    ("JC_41": (not valid(Object_alloc_table, result))))) and
   ("JC_43": not_assigns(Object_alloc_table, Fresh2_x, Fresh2_x0,
   pset_empty)))) ->
  forall f:Object pointer.
  (f = result) ->
  ("JC_127": (this_1 <> f))

========== file tests/java/why/Fresh2_po8.why ==========
goal cons_Fresh2_ensures_default_po_1:
  forall this_2:Object pointer.
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh2(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall Fresh2_x0:(Object,
  int32) memory.
  (Fresh2_x0 = store(Fresh2_x, this_2, result)) ->
  ("JC_25": ("JC_23": (not valid(Object_alloc_table, this_2))))

========== file tests/java/why/Fresh2_po9.why ==========
goal cons_Fresh2_ensures_default_po_2:
  forall this_2:Object pointer.
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh2(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall Fresh2_x0:(Object,
  int32) memory.
  (Fresh2_x0 = store(Fresh2_x, this_2, result)) ->
  ("JC_25":
  ("JC_24": not_assigns(Object_alloc_table, Fresh2_x, Fresh2_x0, pset_empty)))

========== generation of Simplify VC output ==========
why -simplify [...] why/Fresh2.why
========== file tests/java/simplify/Fresh2_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Fresh2_parenttag_Object
 (EQ (parenttag Fresh2_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Fresh2 p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Fresh2 p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Fresh2 p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Fresh2 p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Fresh2_create_ensures_default_po_1, File "HOME/tests/java/Fresh2.java", line 16, characters 16-31
(FORALL (Fresh2_x)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Fresh2 result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Fresh2_tag))))
(FORALL (Fresh2_x0)
(IMPLIES (AND (NOT (valid Object_alloc_table0 result))
         (not_assigns Object_alloc_table0 Fresh2_x Fresh2_x0 pset_empty))
(FORALL (return)
(IMPLIES (EQ return result) (Non_null_Object return Object_alloc_table0))))))))))))

;; Fresh2_create_ensures_default_po_2, File "HOME/tests/java/Fresh2.java", line 16, characters 35-50
(FORALL (Fresh2_x)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Fresh2 result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Fresh2_tag))))
(FORALL (Fresh2_x0)
(IMPLIES (AND (NOT (valid Object_alloc_table0 result))
         (not_assigns Object_alloc_table0 Fresh2_x Fresh2_x0 pset_empty))
(FORALL (return)
(IMPLIES (EQ return result) (NOT (valid Object_alloc_table return)))))))))))))

;; Fresh2_create_ensures_default_po_3, File "HOME/tests/java/Fresh2.java", line 18, characters 18-24
(FORALL (Fresh2_x)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Fresh2 result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Fresh2_tag))))
(FORALL (Fresh2_x0)
(IMPLIES (AND (NOT (valid Object_alloc_table0 result))
         (not_assigns Object_alloc_table0 Fresh2_x Fresh2_x0 pset_empty))
(FORALL (return)
(IMPLIES (EQ return result)
(not_assigns Object_alloc_table Fresh2_x Fresh2_x0 pset_empty))))))))))))

;; Fresh2_create_safety_po_1, File "HOME/tests/java/Fresh2.jc", line 72, characters 29-42
(IMPLIES TRUE (>= 1 0))

;; Fresh2_create_safety_po_2, File "why/Fresh2.why", line 702, characters 18-73
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Fresh2 result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Fresh2_tag))))
(>= (offset_max Object_alloc_table0 result) 0))))))))

;; Fresh2_smoke_detector_ensures_default_po_1, File "HOME/tests/java/Fresh2.java", line 31, characters 19-25
(FORALL (Fresh2_x)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(FORALL (result)
(FORALL (Fresh2_x0)
(FORALL (Object_alloc_table0)
(IMPLIES (AND
         (AND (Non_null_Object result Object_alloc_table0)
         (NOT (valid Object_alloc_table result)))
         (not_assigns Object_alloc_table Fresh2_x Fresh2_x0 pset_empty))
(FORALL (result0)
(FORALL (Fresh2_x1)
(FORALL (Object_alloc_table1)
(IMPLIES (AND
         (AND (Non_null_Object result0 Object_alloc_table1)
         (NOT (valid Object_alloc_table0 result0)))
         (not_assigns Object_alloc_table0 Fresh2_x0 Fresh2_x1 pset_empty))
(EQ 0 1))))))))))))

;; Fresh2_test_ensures_default_po_1, File "HOME/tests/java/Fresh2.java", line 25, characters 19-28
(FORALL (this_1)
(FORALL (Fresh2_x)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Fresh2 this_1 0 0 Object_alloc_table)
(FORALL (result)
(FORALL (Fresh2_x0)
(FORALL (Object_alloc_table0)
(IMPLIES (AND
         (AND (Non_null_Object result Object_alloc_table0)
         (NOT (valid Object_alloc_table result)))
         (not_assigns Object_alloc_table Fresh2_x Fresh2_x0 pset_empty))
(FORALL (f) (IMPLIES (EQ f result) (NEQ this_1 f)))))))))))

;; cons_Fresh2_ensures_default_po_1, File "HOME/tests/java/Fresh2.java", line 10, characters 16-28
(FORALL (this_2)
(FORALL (Fresh2_x)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Fresh2 this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (Fresh2_x0)
(IMPLIES (EQ Fresh2_x0 (|why__store| Fresh2_x this_2 result))
(NOT (valid Object_alloc_table this_2))))))))))

;; cons_Fresh2_ensures_default_po_2, File "HOME/tests/java/Fresh2.java", line 12, characters 4-10
(FORALL (this_2)
(FORALL (Fresh2_x)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Fresh2 this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (Fresh2_x0)
(IMPLIES (EQ Fresh2_x0 (|why__store| Fresh2_x this_2 result))
(not_assigns Object_alloc_table Fresh2_x Fresh2_x0 pset_empty)))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Fresh2_why.sx        : .....?.?? (6/0/3/0/0)
total   :   9
valid   :   6 ( 67%)
invalid :   0 (  0%)
unknown :   3 ( 33%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Fresh2.why
========== file tests/java/why/Fresh2_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Fresh2_tag : Object tag_id

axiom Fresh2_parenttag_Object: parenttag(Fresh2_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Fresh2(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Fresh2(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Fresh2(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Fresh2(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Fresh2_create_ensures_default_po_1:
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_34": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh2(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh2_tag)))) ->
  forall Fresh2_x0:(Object,
  int32) memory.
  ("JC_28":
  (("JC_26": (not valid(Object_alloc_table0, result))) and
   ("JC_27": not_assigns(Object_alloc_table0, Fresh2_x, Fresh2_x0,
   pset_empty)))) ->
  forall return:Object pointer.
  (return = result) ->
  ("JC_39":
  ("JC_37": ("JC_35": Non_null_Object(return, Object_alloc_table0))))

goal Fresh2_create_ensures_default_po_2:
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_34": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh2(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh2_tag)))) ->
  forall Fresh2_x0:(Object,
  int32) memory.
  ("JC_28":
  (("JC_26": (not valid(Object_alloc_table0, result))) and
   ("JC_27": not_assigns(Object_alloc_table0, Fresh2_x, Fresh2_x0,
   pset_empty)))) ->
  forall return:Object pointer.
  (return = result) ->
  ("JC_39": ("JC_37": ("JC_36": (not valid(Object_alloc_table, return)))))

goal Fresh2_create_ensures_default_po_3:
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_34": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh2(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh2_tag)))) ->
  forall Fresh2_x0:(Object,
  int32) memory.
  ("JC_28":
  (("JC_26": (not valid(Object_alloc_table0, result))) and
   ("JC_27": not_assigns(Object_alloc_table0, Fresh2_x, Fresh2_x0,
   pset_empty)))) ->
  forall return:Object pointer.
  (return = result) ->
  ("JC_39":
  ("JC_38": not_assigns(Object_alloc_table, Fresh2_x, Fresh2_x0, pset_empty)))

goal Fresh2_create_safety_po_1:
  ("JC_34": true) ->
  (1 >= 0)

goal Fresh2_create_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_34": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh2(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh2_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

goal Fresh2_smoke_detector_ensures_default_po_1:
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_163": true) ->
  forall result:Object pointer.
  forall Fresh2_x0:(Object,
  int32) memory.
  forall Object_alloc_table0:Object alloc_table.
  ("JC_44":
  (("JC_42":
   (("JC_40": Non_null_Object(result, Object_alloc_table0)) and
    ("JC_41": (not valid(Object_alloc_table, result))))) and
   ("JC_43": not_assigns(Object_alloc_table, Fresh2_x, Fresh2_x0,
   pset_empty)))) ->
  forall result0:Object pointer.
  forall Fresh2_x1:(Object,
  int32) memory.
  forall Object_alloc_table1:Object alloc_table.
  ("JC_44":
  (("JC_42":
   (("JC_40": Non_null_Object(result0, Object_alloc_table1)) and
    ("JC_41": (not valid(Object_alloc_table0, result0))))) and
   ("JC_43": not_assigns(Object_alloc_table0, Fresh2_x0, Fresh2_x1,
   pset_empty)))) ->
  ("JC_173": (0 = 1))

goal Fresh2_test_ensures_default_po_1:
  forall this_1:Object pointer.
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh2(this_1, 0, 0, Object_alloc_table) ->
  forall result:Object pointer.
  forall Fresh2_x0:(Object,
  int32) memory.
  forall Object_alloc_table0:Object alloc_table.
  ("JC_44":
  (("JC_42":
   (("JC_40": Non_null_Object(result, Object_alloc_table0)) and
    ("JC_41": (not valid(Object_alloc_table, result))))) and
   ("JC_43": not_assigns(Object_alloc_table, Fresh2_x, Fresh2_x0,
   pset_empty)))) ->
  forall f:Object pointer.
  (f = result) ->
  ("JC_127": (this_1 <> f))

goal cons_Fresh2_ensures_default_po_1:
  forall this_2:Object pointer.
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh2(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall Fresh2_x0:(Object,
  int32) memory.
  (Fresh2_x0 = store(Fresh2_x, this_2, result)) ->
  ("JC_25": ("JC_23": (not valid(Object_alloc_table, this_2))))

goal cons_Fresh2_ensures_default_po_2:
  forall this_2:Object pointer.
  forall Fresh2_x:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh2(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall Fresh2_x0:(Object,
  int32) memory.
  (Fresh2_x0 = store(Fresh2_x, this_2, result)) ->
  ("JC_25":
  ("JC_24": not_assigns(Object_alloc_table, Fresh2_x, Fresh2_x0, pset_empty)))

why-2.34/tests/java/oracle/PreAndOld.err.oracle0000644000175000017500000000000012311670312017721 0ustar  rtuserswhy-2.34/tests/java/oracle/SimpleAlloc.err.oracle0000644000175000017500000000000012311670312020315 0ustar  rtuserswhy-2.34/tests/java/oracle/SimpleApplet.err.oracle0000644000175000017500000000006712311670312020525 0ustar  rtusersgenerating logic fun buffer_inv with one default label
why-2.34/tests/java/oracle/bts15964.err.oracle0000644000175000017500000000022212311670312017320 0ustar  rtusersFile "jc/jc_pervasives.ml", line 864, characters 6-6:
Uncaught exception: File "jc/jc_pervasives.ml", line 864, characters 6-12: Assertion failed
why-2.34/tests/java/oracle/Literals.res.oracle0000644000175000017500000044276512311670312017725 0ustar  rtusers========== file tests/java/Literals.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class Literals {

    public static final int x = 0xbad;

    /*@ ensures \result == 5991;
      @*/
    int f() {
	int y = 0xbad;
	return y+x+015;
    }

}


/*
Local Variables:
compile-command: "make Literals.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Literals for constructor Literals
Generating JC function Literals_f for method Literals.f
Done.
========== file tests/java/Literals.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

logic int32 Literals_x =
2989

String[0..] any_string()
;

tag String = Object with {
}

tag Literals = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Literals(! Literals[0] this_1){()}

int32 Literals_f(Literals[0] this_0)
behavior default:
  ensures (K_1 : (\result == 5991));
{  
   {  
      (var int32 y = (K_4 : 0xbad));
      
      (return (K_3 : (((K_2 : ((y + Literals_x) :> int32)) + 015) :> int32)))
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Literals.jloc tests/java/Literals.jc && make -f tests/java/Literals.makefile gui"
End:
*/
========== file tests/java/Literals.jloc ==========
[cons_Literals]
name = "Constructor of class Literals"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Literals.java"
line = 36
begin = 16
end = 31

[K_4]
file = "HOME/tests/java/Literals.java"
line = 39
begin = 9
end = 14

[Literals_f]
name = "Method f"
file = "HOME/tests/java/Literals.java"
line = 38
begin = 8
end = 9

[K_2]
file = "HOME/tests/java/Literals.java"
line = 40
begin = 8
end = 11

[K_3]
file = "HOME/tests/java/Literals.java"
line = 40
begin = 8
end = 15

========== jessie execution ==========
Generating Why function cons_Literals
Generating Why function Literals_f
========== file tests/java/Literals.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Literals.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Literals.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Literals_why.sx

project: why/Literals.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Literals_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Literals_why.vo

coq/Literals_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Literals_why.v: why/Literals.why
	@echo 'why -coq [...] why/Literals.why' && $(WHY) $(JESSIELIBFILES) why/Literals.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Literals_ctx_why.vo
	for f in why/*_po*.why; do make -f Literals.makefile coq/`basename $$f .why`_why.v ; done

coq/Literals_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Literals_ctx_why.v: why/Literals_ctx.why
	@echo 'why -coq [...] why/Literals_ctx.why' && $(WHY) why/Literals_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Literals_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Literals_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Literals_ctx_why.vo

pvs: pvs/Literals_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Literals_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Literals_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Literals_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Literals_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Literals_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Literals_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Literals_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Literals_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Literals_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Literals_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Literals_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Literals_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Literals_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Literals_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Literals.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Literals_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Literals.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Literals.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Literals.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Literals.depend

depend: coq/Literals_why.v
	-$(COQDEP) -I coq coq/Literals*_why.v > Literals.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Literals.loc ==========
[Literals_f_ensures_default]
name = "Method f"
behavior = "default behavior"
file = "HOME/tests/java/Literals.java"
line = 38
begin = 8
end = 9

[JC_31]
file = "HOME/tests/java/Literals.java"
line = 36
begin = 16
end = 31

[JC_17]
file = "HOME/tests/java/Literals.jc"
line = 50
begin = 11
end = 65

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Literals.jc"
line = 48
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Literals.jc"
line = 48
begin = 8
end = 23

[cons_Literals_safety]
name = "Constructor of class Literals"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[Literals_f_safety]
name = "Method f"
behavior = "Safety"
file = "HOME/tests/java/Literals.java"
line = 38
begin = 8
end = 9

[JC_36]
kind = ArithOverflow
file = "HOME/tests/java/Literals.java"
line = 40
begin = 8
end = 15

[JC_35]
kind = ArithOverflow
file = "HOME/tests/java/Literals.java"
line = 40
begin = 8
end = 11

[JC_27]
file = "HOME/tests/java/Literals.java"
line = 38
begin = 8
end = 9

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Literals.java"
line = 36
begin = 16
end = 31

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Literals.java"
line = 38
begin = 8
end = 9

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Literals.jc"
line = 23
begin = 12
end = 22

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Literals_ensures_default]
name = "Constructor of class Literals"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Literals.jc"
line = 50
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Literals.jc"
line = 23
begin = 12
end = 22

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Literals.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Literals_tag:  -> Object tag_id

axiom Literals_parenttag_Object : parenttag(Literals_tag, Object_tag)

logic int32_of_integer: int -> int32

function Literals_x() : int32 = int32_of_integer((2989))

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Literals(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Literals(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Literals(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Literals(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter Literals_f :
 this_0:Object pointer ->
  { } int32 reads Object_alloc_table
  { (JC_32: (integer_of_int32(result) = (5991))) }

parameter Literals_f_requires :
 this_0:Object pointer ->
  { } int32 reads Object_alloc_table
  { (JC_32: (integer_of_int32(result) = (5991))) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Literals :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Literals(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Literals_tag)))) }

parameter alloc_struct_Literals_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Literals(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Literals_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Literals :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Literals_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Literals_f_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Literals(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let y = (safe_int32_of_integer_ (K_4: (2989))) in
     begin
       (return := (K_3:
                  (safe_int32_of_integer_ ((add_int (integer_of_int32 
                                                     (K_2:
                                                     (safe_int32_of_integer_ 
                                                      ((add_int (integer_of_int32 y)) 
                                                       (integer_of_int32 Literals_x)))))) (13)))));
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_31: (integer_of_int32(result) = (5991))) }

let Literals_f_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Literals(this_0, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let y = (safe_int32_of_integer_ (K_4: (2989))) in
     begin
       (return := (K_3:
                  (JC_36:
                  (int32_of_integer_ ((add_int (integer_of_int32 (K_2:
                                                                 (JC_35:
                                                                 (int32_of_integer_ 
                                                                  ((add_int 
                                                                    (integer_of_int32 y)) 
                                                                   (integer_of_int32 Literals_x))))))) (13))))));
      (raise Return) end); absurd  end with Return -> !return end)) { true }

let cons_Literals_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_Literals(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_Literals_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_Literals(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Literals.why
========== file tests/java/why/Literals.wpr ==========

  
    
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/Literals_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Literals_tag : Object tag_id

axiom Literals_parenttag_Object: parenttag(Literals_tag, Object_tag)

logic int32_of_integer : int -> int32

function Literals_x() : int32 = int32_of_integer(2989)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Literals(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Literals(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Literals(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Literals(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Literals_po1.why ==========
goal Literals_f_ensures_default_po_1:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Literals(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 2989) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(result) + integer_of_int32(Literals_x))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(result0) + 13)) ->
  forall return:int32.
  (return = result1) ->
  ("JC_31": (integer_of_int32(return) = 5991))

========== file tests/java/why/Literals_po2.why ==========
goal Literals_f_safety_po_1:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Literals(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 2989) ->
  ((-2147483648) <= (integer_of_int32(result) + integer_of_int32(Literals_x)))

========== file tests/java/why/Literals_po3.why ==========
goal Literals_f_safety_po_2:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Literals(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 2989) ->
  ((integer_of_int32(result) + integer_of_int32(Literals_x)) <= 2147483647)

========== file tests/java/why/Literals_po4.why ==========
goal Literals_f_safety_po_3:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Literals(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 2989) ->
  (((-2147483648) <= (integer_of_int32(result) + integer_of_int32(Literals_x))) and
   ((integer_of_int32(result) + integer_of_int32(Literals_x)) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(result) + integer_of_int32(Literals_x))) ->
  ((-2147483648) <= (integer_of_int32(result0) + 13))

========== file tests/java/why/Literals_po5.why ==========
goal Literals_f_safety_po_4:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Literals(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 2989) ->
  (((-2147483648) <= (integer_of_int32(result) + integer_of_int32(Literals_x))) and
   ((integer_of_int32(result) + integer_of_int32(Literals_x)) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(result) + integer_of_int32(Literals_x))) ->
  ((integer_of_int32(result0) + 13) <= 2147483647)

========== generation of Simplify VC output ==========
why -simplify [...] why/Literals.why
========== file tests/java/simplify/Literals_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Literals_parenttag_Object
 (EQ (parenttag Literals_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Literals_x_def
 (EQ Literals_x (int32_of_integer 2989)))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Literals p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Literals p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Literals p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Literals p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Literals_f_ensures_default_po_1, File "HOME/tests/java/Literals.java", line 36, characters 16-31
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Literals this_0 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 2989)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0)
         (+ (integer_of_int32 result) (integer_of_int32 Literals_x)))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (+ (integer_of_int32 result0) 13))
(FORALL (return)
(IMPLIES (EQ return result1) (EQ (integer_of_int32 return) 5991))))))))))))

;; Literals_f_safety_po_1, File "HOME/tests/java/Literals.java", line 40, characters 8-11
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Literals this_0 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 2989)
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 result) 
                                        (integer_of_int32 Literals_x))))))))

;; Literals_f_safety_po_2, File "HOME/tests/java/Literals.java", line 40, characters 8-11
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Literals this_0 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 2989)
(<= (+ (integer_of_int32 result) (integer_of_int32 Literals_x)) constant_too_large_2147483647))))))

;; Literals_f_safety_po_3, File "HOME/tests/java/Literals.java", line 40, characters 8-15
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Literals this_0 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 2989)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 result) 
                                                 (integer_of_int32
                                                 Literals_x)))
         (<= (+ (integer_of_int32 result) (integer_of_int32 Literals_x)) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0)
         (+ (integer_of_int32 result) (integer_of_int32 Literals_x)))
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 result0) 13))))))))))

;; Literals_f_safety_po_4, File "HOME/tests/java/Literals.java", line 40, characters 8-15
(FORALL (this_0)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Literals this_0 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 2989)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 result) 
                                                 (integer_of_int32
                                                 Literals_x)))
         (<= (+ (integer_of_int32 result) (integer_of_int32 Literals_x)) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0)
         (+ (integer_of_int32 result) (integer_of_int32 Literals_x)))
(<= (+ (integer_of_int32 result0) 13) constant_too_large_2147483647)))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Literals_why.sx      : ..?.? (3/0/2/0/0)
total   :   5
valid   :   3 ( 60%)
invalid :   0 (  0%)
unknown :   2 ( 40%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Literals.why
========== file tests/java/why/Literals_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Literals_tag : Object tag_id

axiom Literals_parenttag_Object: parenttag(Literals_tag, Object_tag)

logic int32_of_integer : int -> int32

function Literals_x() : int32 = int32_of_integer(2989)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Literals(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Literals(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Literals(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Literals(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Literals_f_ensures_default_po_1:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Literals(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 2989) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(result) + integer_of_int32(Literals_x))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(result0) + 13)) ->
  forall return:int32.
  (return = result1) ->
  ("JC_31": (integer_of_int32(return) = 5991))

goal Literals_f_safety_po_1:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Literals(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 2989) ->
  ((-2147483648) <= (integer_of_int32(result) + integer_of_int32(Literals_x)))

goal Literals_f_safety_po_2:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Literals(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 2989) ->
  ((integer_of_int32(result) + integer_of_int32(Literals_x)) <= 2147483647)

goal Literals_f_safety_po_3:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Literals(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 2989) ->
  (((-2147483648) <= (integer_of_int32(result) + integer_of_int32(Literals_x))) and
   ((integer_of_int32(result) + integer_of_int32(Literals_x)) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(result) + integer_of_int32(Literals_x))) ->
  ((-2147483648) <= (integer_of_int32(result0) + 13))

goal Literals_f_safety_po_4:
  forall this_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Literals(this_0, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (integer_of_int32(result) = 2989) ->
  (((-2147483648) <= (integer_of_int32(result) + integer_of_int32(Literals_x))) and
   ((integer_of_int32(result) + integer_of_int32(Literals_x)) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(result) + integer_of_int32(Literals_x))) ->
  ((integer_of_int32(result0) + 13) <= 2147483647)

why-2.34/tests/java/oracle/SelectionSort.res.oracle0000644000175000017500000207147612311670312020742 0ustar  rtusers========== file tests/java/SelectionSort.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i j; l <= i <= j < h ==> a[i] <= a[j] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ inductive Permut{L1,L2}(int a[], integer l, integer h) {
  @  case Permut_refl{L}: 
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  case Permut_sym{L1,L2}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  case Permut_trans{L1,L2,L3}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==> 
  @        Permut{L1,L3}(a, l, h) ;
  @  case Permut_swap{L1,L2}: 
  @    \forall int a[], integer l h i j; 
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==> 
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class SelectionSort {

    /*@ requires t != null && 
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }
    
    /*@ requires t != null;
      @ behavior sorted:
      @   ensures Sorted(t,0,t.length);
      @ behavior permutation:
      @   ensures Permut{Old,Here}(t,0,t.length-1);
      @*/
    void sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i;
	  @ for sorted: 
	  @  loop_invariant Sorted(t,0,i) && 
	  @   (\forall integer k1 k2 ; 
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) ;
	  @ for permutation:
	  @   loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	  @ loop_variant t.length - i;
	  @*/
	for (i=0; i t[k] >= mv);
	      @ // useless ! for permutation:
	      @ // loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	      @ loop_variant t.length - j;
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) { 
		    mi = j ; mv = t[j]; 
		}
	    }
	    Before: 
	    swap(t,i,mi);
	    //@ for permutation: assert Permut{Before,Here}(t,0,t.length-1);
	}
    }

}



/*
Local Variables:
compile-command: "make SelectionSort.why3ide"
End:
*/


========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function SelectionSort_swap for method SelectionSort.swap
Generating JC function SelectionSort_sort for method SelectionSort.sort
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_equals for method Object.equals
Generating JC function Object_wait for method Object.wait
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long for method Object.wait
Generating JC function cons_SelectionSort for constructor SelectionSort
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_registerNatives for method Object.registerNatives
Done.
========== file tests/java/SelectionSort.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag SelectionSort = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate Sorted{L}(intM[0..] a, integer l, integer h) =
(\forall integer i;
  (\forall integer j;
    ((((l <= i) && (i <= j)) && (j < h)) ==> ((a + i).intP <= (a + j).intP))))

predicate Swap{L1, L2}(intM[0..] a_0, integer i_0, integer j_0) =
(((\at((a_0 + i_0).intP,L1) == \at((a_0 + j_0).intP,L2)) &&
   (\at((a_0 + j_0).intP,L1) == \at((a_0 + i_0).intP,L2))) &&
  (\forall integer k;
    (((k != i_0) && (k != j_0)) ==>
      (\at((a_0 + k).intP,L1) == \at((a_0 + k).intP,L2)))))

predicate Permut{L1, L2}(intM[0..] a_1, integer l_0, integer h_0) {
case Permut_refl{L}: (\forall intM[0..] a_2;
                       (\forall integer l_1;
                         (\forall integer h_1;
                           Permut{L, L}(a_2, l_1, h_1))));
  
  case Permut_sym{L1, L2}: (\forall intM[0..] a_3;
                             (\forall integer l_2;
                               (\forall integer h_2;
                                 (Permut{L1,
                                   L2}(a_3, l_2, h_2) ==>
                                   Permut{L2,
                                   L1}(a_3, l_2, h_2)))));
  
  case Permut_trans{L1, L2, L3}: (\forall intM[0..] a_4;
                                   (\forall integer l_3;
                                     (\forall integer h_3;
                                       ((Permut{L1,
                                          L2}(a_4, l_3, h_3) &&
                                          Permut{L2,
                                          L3}(a_4, l_3, h_3)) ==>
                                         Permut{L1,
                                         L3}(a_4, l_3, h_3)))));
  
  case Permut_swap{L1, L2}: (\forall intM[0..] a_5;
                              (\forall integer l_4;
                                (\forall integer h_4;
                                  (\forall integer i_1;
                                    (\forall integer j_1;
                                      (((((l_4 <= i_1) && (i_1 <= h_4)) &&
                                          ((l_4 <= j_1) && (j_1 <= h_4))) &&
                                         Swap{L1,
                                         L2}(a_5, i_1, j_1)) ==>
                                        Permut{L1,
                                        L2}(a_5, l_4, h_4)))))));
  
}

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit SelectionSort_swap(SelectionSort[0] this_2, intM[0..] t, int32 i_2,
                        int32 j_2)
  requires (K_10 : ((K_9 : ((K_8 : Non_null_intM(t)) &&
                             (K_7 : ((K_6 : (0 <= i_2)) &&
                                      (K_5 : (i_2 < (\offset_max(t) + 1))))))) &&
                     (K_4 : ((K_3 : (0 <= j_2)) &&
                              (K_2 : (j_2 < (\offset_max(t) + 1)))))));
behavior default:
  assigns (t + [i_2..i_2]).intP,
  (t + [j_2..j_2]).intP;
  ensures (K_1 : Swap{Old, Here}(t, i_2, j_2));
{  
   {  
      (var int32 tmp = (K_14 : (t + i_2).intP));
      
      {  (K_12 : ((t + i_2).intP = (K_11 : (t + j_2).intP)));
         (K_13 : ((t + j_2).intP = tmp))
      }
   }
}

unit SelectionSort_sort(SelectionSort[0] this_0, intM[0..] t_0)
  requires (K_17 : Non_null_intM(t_0));
behavior sorted:
  ensures (K_15 : Sorted{Here}(t_0, 0, (\offset_max(t_0) + 1)));
behavior permutation:
  ensures (K_16 : Permut{Old, Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)));
{  
   {  
      (var int32 i_3);
      
      {  
         (var int32 j_3);
         
         {  
            (var int32 mi);
            
            {  
               (var int32 mv);
               
               loop 
               behavior default:
                 invariant (K_18 : (0 <= i_3));
               behavior sorted:
                 invariant (K_21 : ((K_20 : Sorted{Here}(t_0, 0, i_3)) &&
                                     (K_19 : (\forall integer k1;
                                               (\forall integer k2;
                                                 (((((0 <= k1) && (k1 < i_3)) &&
                                                     (i_3 <= k2)) &&
                                                    (k2 <
                                                      (\offset_max(t_0) + 1))) ==>
                                                   ((t_0 + k1).intP <=
                                                     (t_0 + k2).intP)))))));
               behavior permutation:
                 invariant (K_22 : Permut{Pre,
                           Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)));
               
               variant (K_23 : ((\offset_max(t_0) + 1) - i_3));
               for ((i_3 = 0) ; (K_47 : (i_3 <
                                          (K_46 : (((K_45 : java_array_length_intM(
                                                    t_0)) -
                                                     1) :> int32)))) ; 
               (K_44 : (i_3 ++)))
               {  
                  {  (mv = (K_24 : (t_0 + i_3).intP));
                     (mi = i_3);
                     
                     loop 
                     behavior default:
                       invariant (K_29 : ((K_28 : (i_3 < j_3)) &&
                                           (K_27 : ((K_26 : (i_3 <= mi)) &&
                                                     (K_25 : (mi <
                                                               (\offset_max(t_0) +
                                                                 1)))))));
                     behavior sorted:
                       invariant (K_32 : ((K_31 : (mv == (t_0 + mi).intP)) &&
                                           (K_30 : (\forall integer k_0;
                                                     (((i_3 <= k_0) &&
                                                        (k_0 < j_3)) ==>
                                                       ((t_0 + k_0).intP >=
                                                         mv))))));
                     
                     variant (K_33 : ((\offset_max(t_0) + 1) - j_3));
                     for ((j_3 = (K_40 : ((i_3 + 1) :> int32))) ; (K_39 : 
                                                                  (j_3 <
                                                                    (K_38 : java_array_length_intM(
                                                                    t_0)))) ; 
                     (K_37 : (j_3 ++)))
                     {  (if (K_36 : ((K_35 : (t_0 + j_3).intP) < mv)) then 
                        {  (mi = j_3);
                           (mv = (K_34 : (t_0 + j_3).intP))
                        } else ())
                     };
                     (Before : 
                     {  (K_41 : SelectionSort_swap(this_0, t_0, i_3, mi));
                        (K_43 : 
                        (assert for permutation: (K_42 : Permut{Before,
                                                 Here}(t_0, 0,
                                                       ((\offset_max(t_0) +
                                                          1) -
                                                         1)))))
                     })
                  }
               }
            }
         }
      }
   }
}

Object[0..] Object_clone(Object[0] this_4)
;

unit Object_notifyAll(Object[0] this_5)
;

int32 Object_hashCode(Object[0] this_6)
;

boolean Object_equals(Object[0] this_7, Object[0..] obj)
;

unit Object_wait(Object[0] this_8)
;

unit Object_notify(Object[0] this_9)
;

unit Object_wait_long(Object[0] this_10, long timeout)
;

unit cons_SelectionSort(! SelectionSort[0] this_3){()}

String[0..] Object_toString(Object[0] this_11)
;

unit Object_wait_long_int(Object[0] this_12, long timeout_0, int32 nanos)
;

unit cons_Object(! Object[0] this_14){()}

unit Object_finalize(Object[0] this_13)
;

unit Object_registerNatives()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/SelectionSort.jloc tests/java/SelectionSort.jc && make -f tests/java/SelectionSort.makefile gui"
End:
*/
========== file tests/java/SelectionSort.jloc ==========
[K_30]
file = "HOME/tests/java/SelectionSort.java"
line = 96
begin = 12
end = 56

[K_23]
file = "HOME/tests/java/SelectionSort.java"
line = 88
begin = 18
end = 30

[K_33]
file = "HOME/tests/java/SelectionSort.java"
line = 99
begin = 22
end = 34

[K_17]
file = "HOME/tests/java/SelectionSort.java"
line = 72
begin = 17
end = 26

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/SelectionSort.java"
line = 68
begin = 8
end = 12

[K_38]
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 21
end = 29

[K_25]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 38
end = 51

[K_13]
file = "HOME/tests/java/SelectionSort.java"
line = 69
begin = 1
end = 11

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 59

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[K_44]
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 25
end = 28

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[K_28]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 29

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/SelectionSort.java"
line = 64
begin = 16
end = 37

[K_15]
file = "HOME/tests/java/SelectionSort.java"
line = 74
begin = 18
end = 38

[K_4]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 32
end = 49

[K_12]
file = "HOME/tests/java/SelectionSort.java"
line = 68
begin = 1
end = 12

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[K_34]
file = "HOME/tests/java/SelectionSort.java"
line = 103
begin = 20
end = 24

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/SelectionSort.java"
line = 83
begin = 21
end = 34

[cons_SelectionSort]
name = "Constructor of class SelectionSort"
file = "HOME/"
line = 0
begin = -1
end = -1

[SelectionSort_swap]
name = "Method swap"
file = "HOME/tests/java/SelectionSort.java"
line = 66
begin = 9
end = 13

[K_2]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 37
end = 49

[K_41]
file = "HOME/tests/java/SelectionSort.java"
line = 107
begin = 5
end = 17

[K_47]
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 11
end = 23

[K_29]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 51

[K_10]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 80

[K_35]
file = "HOME/tests/java/SelectionSort.java"
line = 102
begin = 6
end = 10

[K_6]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 11
end = 17

[K_8]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 26

[K_3]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 32
end = 38

[K_31]
file = "HOME/tests/java/SelectionSort.java"
line = 95
begin = 25
end = 36

[K_32]
file = "HOME/tests/java/SelectionSort.java"
line = 95
begin = 25
end = 97

[K_27]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 33
end = 51

[K_46]
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 23

[K_21]
file = "HOME/tests/java/SelectionSort.java"
line = 83
begin = 21
end = 130

[K_42]
file = "HOME/tests/java/SelectionSort.java"
line = 108
begin = 33
end = 68

[K_24]
file = "HOME/tests/java/SelectionSort.java"
line = 92
begin = 10
end = 14

[K_14]
file = "HOME/tests/java/SelectionSort.java"
line = 67
begin = 11
end = 15

[K_39]
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 17
end = 29

[SelectionSort_sort]
name = "Method sort"
file = "HOME/tests/java/SelectionSort.java"
line = 78
begin = 9
end = 13

[K_36]
file = "HOME/tests/java/SelectionSort.java"
line = 102
begin = 6
end = 15

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_37]
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 31
end = 34

[K_19]
file = "HOME/tests/java/SelectionSort.java"
line = 84
begin = 8
end = 90

[K_5]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 16
end = 28

[K_18]
file = "HOME/tests/java/SelectionSort.java"
line = 81
begin = 20
end = 26

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 11
end = 28

[K_40]
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 12
end = 15

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[K_26]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 33
end = 40

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/SelectionSort.java"
line = 87
begin = 22
end = 54

[K_45]
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 21

[K_16]
file = "HOME/tests/java/SelectionSort.java"
line = 76
begin = 18
end = 50

[K_43]
file = "HOME/tests/java/SelectionSort.java"
line = 108
begin = 33
end = 68

========== jessie execution ==========
Generating Why function SelectionSort_swap
Generating Why function SelectionSort_sort
Generating Why function cons_SelectionSort
Generating Why function cons_Object
========== file tests/java/SelectionSort.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs SelectionSort.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs SelectionSort.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/SelectionSort_why.sx

project: why/SelectionSort.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/SelectionSort_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/SelectionSort_why.vo

coq/SelectionSort_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/SelectionSort_why.v: why/SelectionSort.why
	@echo 'why -coq [...] why/SelectionSort.why' && $(WHY) $(JESSIELIBFILES) why/SelectionSort.why && rm -f coq/jessie_why.v

coq-goals: goals coq/SelectionSort_ctx_why.vo
	for f in why/*_po*.why; do make -f SelectionSort.makefile coq/`basename $$f .why`_why.v ; done

coq/SelectionSort_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/SelectionSort_ctx_why.v: why/SelectionSort_ctx.why
	@echo 'why -coq [...] why/SelectionSort_ctx.why' && $(WHY) why/SelectionSort_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export SelectionSort_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/SelectionSort_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/SelectionSort_ctx_why.vo

pvs: pvs/SelectionSort_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/SelectionSort_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/SelectionSort_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/SelectionSort_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/SelectionSort_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/SelectionSort_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/SelectionSort_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/SelectionSort_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/SelectionSort_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/SelectionSort_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/SelectionSort_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/SelectionSort_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/SelectionSort_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/SelectionSort_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/SelectionSort_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: SelectionSort.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/SelectionSort_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: SelectionSort.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: SelectionSort.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: SelectionSort.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include SelectionSort.depend

depend: coq/SelectionSort_why.v
	-$(COQDEP) -I coq coq/SelectionSort*_why.v > SelectionSort.depend

clean:
	rm -f coq/*.vo

========== file tests/java/SelectionSort.loc ==========
[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_233]
file = "HOME/"
line = 0
begin = -1
end = -1

[SelectionSort_sort_safety]
name = "Method sort"
behavior = "Safety"
file = "HOME/tests/java/SelectionSort.java"
line = 78
begin = 9
end = 13

[JC_177]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_221]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_80]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_51]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 80

[JC_147]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 38
end = 51

[JC_123]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_143]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[SelectionSort_sort_ensures_sorted]
name = "Method sort"
behavior = "Behavior `sorted'"
file = "HOME/tests/java/SelectionSort.java"
line = 78
begin = 9
end = 13

[JC_113]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_248]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
kind = UserCall
file = "HOME/tests/java/SelectionSort.jc"
line = 218
begin = 32
end = 72

[JC_64]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.jc"
line = 140
begin = 18
end = 38

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_188]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_180]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_SelectionSort_ensures_default]
name = "Constructor of class SelectionSort"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
kind = UserCall
file = "HOME/tests/java/SelectionSort.jc"
line = 218
begin = 32
end = 72

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
kind = ArithOverflow
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 12
end = 15

[JC_250]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_201]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/SelectionSort.jc"
line = 65
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_194]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_205]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_81]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 21

[JC_55]
file = "HOME/tests/java/SelectionSort.jc"
line = 131
begin = 9
end = 16

[JC_134]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[SelectionSort_sort_ensures_permutation]
name = "Method sort"
behavior = "Behavior `permutation'"
file = "HOME/tests/java/SelectionSort.java"
line = 78
begin = 9
end = 13

[JC_48]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 16
end = 28

[JC_23]
file = "HOME/tests/java/SelectionSort.jc"
line = 61
begin = 11
end = 103

[JC_241]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/tests/java/SelectionSort.java"
line = 81
begin = 20
end = 26

[JC_125]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 21

[JC_67]
file = "HOME/tests/java/SelectionSort.java"
line = 72
begin = 17
end = 26

[JC_9]
file = "HOME/tests/java/SelectionSort.jc"
line = 52
begin = 8
end = 21

[JC_25]
file = "HOME/tests/java/SelectionSort.jc"
line = 61
begin = 11
end = 103

[JC_189]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 16
end = 28

[JC_74]
file = "HOME/tests/java/SelectionSort.java"
line = 74
begin = 18
end = 38

[JC_195]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/SelectionSort.jc"
line = 60
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[SelectionSort_swap_ensures_default]
name = "Method swap"
behavior = "default behavior"
file = "HOME/tests/java/SelectionSort.java"
line = 66
begin = 9
end = 13

[JC_256]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/SelectionSort.jc"
line = 55
begin = 11
end = 66

[JC_240]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
kind = IndexBounds
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 21

[JC_163]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_153]
kind = UserCall
file = "HOME/tests/java/SelectionSort.jc"
line = 218
begin = 32
end = 72

[JC_222]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_246]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/SelectionSort.jc"
line = 52
begin = 8
end = 21

[JC_185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
file = "HOME/tests/java/SelectionSort.java"
line = 99
begin = 22
end = 34

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 26

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_169]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 51

[cons_SelectionSort_safety]
name = "Constructor of class SelectionSort"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 21
end = 29

[JC_109]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 33
end = 40

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_219]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_124]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.java"
line = 68
begin = 8
end = 12

[JC_101]
kind = ArithOverflow
file = "HOME/tests/java/SelectionSort.jc"
line = 186
begin = 24
end = 30

[JC_223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 29

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 38
end = 51

[JC_166]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/tests/java/SelectionSort.java"
line = 81
begin = 20
end = 26

[JC_46]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 26

[JC_61]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.java"
line = 67
begin = 11
end = 15

[JC_254]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/SelectionSort.java"
line = 64
begin = 16
end = 37

[JC_243]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_173]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_29]
file = "HOME/tests/java/SelectionSort.jc"
line = 65
begin = 8
end = 23

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 21

[JC_16]
file = "HOME/tests/java/SelectionSort.jc"
line = 54
begin = 10
end = 18

[JC_43]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 37
end = 49

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.java"
line = 102
begin = 6
end = 10

[JC_235]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
kind = ArithOverflow
file = "HOME/tests/java/SelectionSort.jc"
line = 211
begin = 30
end = 36

[JC_84]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.java"
line = 92
begin = 10
end = 14

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/tests/java/SelectionSort.java"
line = 95
begin = 25
end = 97

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/SelectionSort.jc"
line = 54
begin = 10
end = 18

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_225]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_131]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 38
end = 51

[JC_37]
file = "HOME/tests/java/SelectionSort.jc"
line = 67
begin = 11
end = 65

[JC_181]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 29

[JC_57]
file = "HOME/tests/java/SelectionSort.java"
line = 66
begin = 9
end = 13

[JC_257]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 51

[JC_136]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 21
end = 29

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_217]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_253]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_229]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_86]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 29

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/SelectionSort.jc"
line = 58
begin = 8
end = 30

[JC_187]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_238]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 37
end = 49

[JC_120]
file = "HOME/tests/java/SelectionSort.java"
line = 83
begin = 21
end = 130

[JC_58]
file = "HOME/tests/java/SelectionSort.jc"
line = 131
begin = 9
end = 16

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_198]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_94]
kind = IndexBounds
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 21
end = 29

[JC_73]
file = "HOME/tests/java/SelectionSort.java"
line = 74
begin = 18
end = 38

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.jc"
line = 139
begin = 18
end = 58

[JC_196]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_197]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_251]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_203]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_227]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/tests/java/SelectionSort.java"
line = 95
begin = 25
end = 36

[JC_170]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_236]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/tests/java/SelectionSort.java"
line = 108
begin = 33
end = 68

[JC_247]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 51

[JC_137]
kind = UserCall
file = "HOME/tests/java/SelectionSort.jc"
line = 218
begin = 32
end = 72

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_231]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/tests/java/SelectionSort.java"
line = 76
begin = 18
end = 50

[JC_24]
file = "HOME/tests/java/SelectionSort.jc"
line = 60
begin = 10
end = 18

[JC_193]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_186]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_212]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 11
end = 17

[JC_232]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/tests/java/SelectionSort.java"
line = 108
begin = 33
end = 68

[JC_54]
file = "HOME/tests/java/SelectionSort.java"
line = 66
begin = 9
end = 13

[JC_237]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_130]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 33
end = 40

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 33
end = 40

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/SelectionSort.jc"
line = 55
begin = 11
end = 66

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_40]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 11
end = 17

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
kind = ArithOverflow
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 23

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 90
begin = 13
end = 21

[JC_179]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_38]
file = "HOME/tests/java/SelectionSort.jc"
line = 67
begin = 11
end = 65

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_242]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/tests/java/SelectionSort.java"
line = 96
begin = 12
end = 56

[JC_252]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_171]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/SelectionSort.java"
line = 61
begin = 17
end = 80

[JC_155]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_88]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 38
end = 51

[JC_42]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 32
end = 38

[JC_178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_220]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/SelectionSort.java"
line = 72
begin = 17
end = 26

[JC_118]
file = "HOME/tests/java/SelectionSort.java"
line = 83
begin = 21
end = 34

[JC_105]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_245]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_140]
file = "HOME/tests/java/SelectionSort.java"
line = 81
begin = 20
end = 26

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
kind = PointerDeref
file = "HOME/tests/java/SelectionSort.java"
line = 103
begin = 20
end = 24

[JC_93]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 21
end = 29

[JC_255]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_214]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_258]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_150]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_117]
file = "HOME/tests/java/SelectionSort.java"
line = 108
begin = 33
end = 68

[JC_53]
file = "HOME/tests/java/SelectionSort.java"
line = 64
begin = 16
end = 37

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_145]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 29

[JC_21]
file = "HOME/tests/java/SelectionSort.jc"
line = 58
begin = 8
end = 30

[JC_209]
file = "HOME/"
line = 0
begin = -1
end = -1

[SelectionSort_swap_safety]
name = "Method swap"
behavior = "Safety"
file = "HOME/tests/java/SelectionSort.java"
line = 66
begin = 9
end = 13

[JC_111]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 24
end = 51

[JC_77]
file = "HOME/tests/java/SelectionSort.java"
line = 81
begin = 20
end = 26

[JC_49]
file = "HOME/tests/java/SelectionSort.java"
line = 62
begin = 32
end = 38

[JC_1]
file = "HOME/tests/java/SelectionSort.jc"
line = 23
begin = 12
end = 22

[JC_102]
file = "HOME/tests/java/SelectionSort.java"
line = 88
begin = 18
end = 30

[JC_142]
file = "HOME/tests/java/SelectionSort.jc"
line = 164
begin = 15
end = 3584

[JC_211]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/tests/java/SelectionSort.java"
line = 93
begin = 33
end = 40

[JC_249]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_239]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/SelectionSort.jc"
line = 23
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/SelectionSort.jc"
line = 191
begin = 21
end = 1600

[JC_152]
kind = UserCall
file = "HOME/tests/java/SelectionSort.java"
line = 101
begin = 21
end = 29

[SelectionSort_sort_ensures_default]
name = "Method sort"
behavior = "default behavior"
file = "HOME/tests/java/SelectionSort.java"
line = 78
begin = 9
end = 13

[JC_228]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/tests/java/SelectionSort.java"
line = 87
begin = 22
end = 54

[JC_119]
file = "HOME/tests/java/SelectionSort.java"
line = 84
begin = 8
end = 90

[JC_210]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/tests/java/SelectionSort.java"
line = 76
begin = 18
end = 50

[JC_244]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_230]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_234]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_226]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/tests/java/SelectionSort.java"
line = 108
begin = 33
end = 68

========== file tests/java/why/SelectionSort.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic integer_of_int32: int32 -> int

predicate Swap(a_0:Object pointer, i_0:int, j_0:int,
 intM_intP_at_L2:(Object, int32) memory,
 intM_intP_at_L1:(Object, int32) memory) =
 ((integer_of_int32(select(intM_intP_at_L1, shift(a_0, i_0))) = integer_of_int32(
                                                                select(intM_intP_at_L2,
                                                                shift(a_0,
                                                                j_0))))
 and ((integer_of_int32(select(intM_intP_at_L1, shift(a_0, j_0))) = integer_of_int32(
                                                                    select(intM_intP_at_L2,
                                                                    shift(a_0,
                                                                    i_0))))
     and (forall k:int.
          (((k <> i_0) and (k <> j_0)) ->
           (integer_of_int32(select(intM_intP_at_L1, shift(a_0, k))) = 
           integer_of_int32(select(intM_intP_at_L2, shift(a_0, k))))))))

inductive Permut: Object pointer, int, int, (Object, int32) memory,
                  (Object, int32) memory -> prop =
 | Permut_refl: (forall intM_intP_at_L:(Object, int32) memory.
                 (forall a_2:Object pointer.
                  (forall l_1:int.
                   (forall h_1:int.
                    Permut(a_2, l_1, h_1, intM_intP_at_L, intM_intP_at_L)))))
 | Permut_sym: (forall intM_intP_at_L2:(Object, int32) memory.
                (forall intM_intP_at_L1:(Object, int32) memory.
                 (forall a_3:Object pointer.
                  (forall l_2:int.
                   (forall h_2:int.
                    (Permut(a_3, l_2, h_2, intM_intP_at_L2, intM_intP_at_L1) ->
                     Permut(a_3, l_2, h_2, intM_intP_at_L1, intM_intP_at_L2)))))))
 | Permut_trans: (forall intM_intP_at_L3:(Object, int32) memory.
                  (forall intM_intP_at_L2:(Object, int32) memory.
                   (forall intM_intP_at_L1:(Object, int32) memory.
                    (forall a_4:Object pointer.
                     (forall l_3:int.
                      (forall h_3:int.
                       ((Permut(a_4, l_3, h_3, intM_intP_at_L2,
                         intM_intP_at_L1)
                        and Permut(a_4, l_3, h_3, intM_intP_at_L3,
                            intM_intP_at_L2)) ->
                        Permut(a_4, l_3, h_3, intM_intP_at_L3,
                        intM_intP_at_L1))))))))
 | Permut_swap: (forall intM_intP_at_L2:(Object, int32) memory.
                 (forall intM_intP_at_L1:(Object, int32) memory.
                  (forall a_5:Object pointer.
                   (forall l_4:int.
                    (forall h_4:int.
                     (forall i_1:int.
                      (forall j_1:int.
                       ((le_int(l_4, i_1)
                        and (le_int(i_1, h_4)
                            and (le_int(l_4, j_1)
                                and (le_int(j_1, h_4)
                                    and Swap(a_5, i_1, j_1, intM_intP_at_L2,
                                        intM_intP_at_L1))))) ->
                        Permut(a_5, l_4, h_4, intM_intP_at_L2,
                        intM_intP_at_L1)))))))))
 
logic SelectionSort_tag:  -> Object tag_id

axiom SelectionSort_parenttag_Object :
 parenttag(SelectionSort_tag, Object_tag)

predicate Sorted(a:Object pointer, l:int, h:int,
 intM_intP_at_L:(Object, int32) memory) =
 (forall i:int.
  (forall j:int.
   ((le_int(l, i) and (le_int(i, j) and lt_int(j, h))) ->
    le_int(integer_of_int32(select(intM_intP_at_L, shift(a, i))),
    integer_of_int32(select(intM_intP_at_L, shift(a, j)))))))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_SelectionSort(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_SelectionSort(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_SelectionSort(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_SelectionSort(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_4:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_4:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_7:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_7:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_6:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_6:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_10:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_12:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_12:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_10:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

parameter intM_intP : (Object, int32) memory ref

parameter SelectionSort_sort :
 this_0:Object pointer ->
  t_0:Object pointer ->
   { } unit reads Object_alloc_table,intM_intP writes intM_intP
   { ((JC_76:
      Permut(t_0, (0),
      sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
      intM_intP, intM_intP@))
     and (JC_74:
         Sorted(t_0, (0), add_int(offset_max(Object_alloc_table, t_0), (1)),
         intM_intP))) }

parameter SelectionSort_sort_requires :
 this_0:Object pointer ->
  t_0:Object pointer ->
   { (JC_65: Non_null_intM(t_0, Object_alloc_table))} unit
   reads Object_alloc_table,intM_intP writes intM_intP
   { ((JC_76:
      Permut(t_0, (0),
      sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
      intM_intP, intM_intP@))
     and (JC_74:
         Sorted(t_0, (0), add_int(offset_max(Object_alloc_table, t_0), (1)),
         intM_intP))) }

parameter SelectionSort_swap :
 this_2:Object pointer ->
  t:Object pointer ->
   i_2:int32 ->
    j_2:int32 ->
     { } unit reads Object_alloc_table,intM_intP writes intM_intP
     { (JC_58:
       ((JC_56:
        Swap(t, integer_of_int32(i_2), integer_of_int32(j_2), intM_intP,
        intM_intP@))
       and (JC_57:
           not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
           pset_union(pset_range(pset_singleton(t), integer_of_int32(j_2),
                      integer_of_int32(j_2)),
           pset_range(pset_singleton(t), integer_of_int32(i_2),
           integer_of_int32(i_2))))))) }

parameter SelectionSort_swap_requires :
 this_2:Object pointer ->
  t:Object pointer ->
   i_2:int32 ->
    j_2:int32 ->
     { (JC_44:
       ((JC_39: Non_null_intM(t, Object_alloc_table))
       and ((JC_40: le_int((0), integer_of_int32(i_2)))
           and ((JC_41:
                lt_int(integer_of_int32(i_2),
                add_int(offset_max(Object_alloc_table, t), (1))))
               and ((JC_42: le_int((0), integer_of_int32(j_2)))
                   and (JC_43:
                       lt_int(integer_of_int32(j_2),
                       add_int(offset_max(Object_alloc_table, t), (1)))))))))}
     unit reads Object_alloc_table,intM_intP writes intM_intP
     { (JC_58:
       ((JC_56:
        Swap(t, integer_of_int32(i_2), integer_of_int32(j_2), intM_intP,
        intM_intP@))
       and (JC_57:
           not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
           pset_union(pset_range(pset_singleton(t), integer_of_int32(j_2),
                      integer_of_int32(j_2)),
           pset_range(pset_singleton(t), integer_of_int32(i_2),
           integer_of_int32(i_2))))))) }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_SelectionSort :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_SelectionSort(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, SelectionSort_tag)))) }

parameter alloc_struct_SelectionSort_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_SelectionSort(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, SelectionSort_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Object :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_SelectionSort :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_SelectionSort_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let SelectionSort_sort_ensures_default =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_SelectionSort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int32 void) in
     (let j_3 = ref (any_int32 void) in
     (let mi = ref (any_int32 void) in
     (let mv = ref (any_int32 void) in
     begin
       (let _jessie_ = (i_3 := (safe_int32_of_integer_ (0))) in void);
      try
       (loop_3:
       while true do
       { invariant (JC_103: le_int((0), integer_of_int32(i_3)))  }
        begin
          [ { } unit { true } ];
         try
          begin
            (if (K_47:
                ((lt_int_ (integer_of_int32 !i_3)) (integer_of_int32 
                                                    (K_46:
                                                    (safe_int32_of_integer_ 
                                                     ((sub_int (K_45:
                                                               (let _jessie_ =
                                                               t_0 in
                                                               (JC_107:
                                                               (java_array_length_intM _jessie_))))) (1)))))))
            then
             begin
               (let _jessie_ =
               (mv := (K_24:
                      ((safe_acc_ !intM_intP) ((shift t_0) (integer_of_int32 !i_3))))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ =
              (j_3 := (K_40:
                      (safe_int32_of_integer_ ((add_int (integer_of_int32 !i_3)) (1))))) in
              void);
              try
               (loop_4:
               while true do
               { invariant
                   (JC_111:
                   ((JC_108:
                    lt_int(integer_of_int32(i_3), integer_of_int32(j_3)))
                   and ((JC_109:
                        le_int(integer_of_int32(i_3), integer_of_int32(mi)))
                       and (JC_110:
                           lt_int(integer_of_int32(mi),
                           add_int(offset_max(Object_alloc_table, t_0), (1)))))))
                  }
                begin
                  [ { } unit { true } ];
                 try
                  begin
                    (if (K_39:
                        ((lt_int_ (integer_of_int32 !j_3)) (K_38:
                                                           (let _jessie_ =
                                                           t_0 in
                                                           (JC_115:
                                                           (java_array_length_intM _jessie_))))))
                    then
                     (if (K_36:
                         ((lt_int_ (integer_of_int32 (K_35:
                                                     ((safe_acc_ !intM_intP) 
                                                      ((shift t_0) (integer_of_int32 !j_3)))))) 
                          (integer_of_int32 !mv)))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_3) in void);
                       (mv := (K_34:
                              ((safe_acc_ !intM_intP) ((shift t_0) (integer_of_int32 !j_3)))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_37:
                  (let _jessie_ = !j_3 in
                  begin
                    (let _jessie_ =
                    (j_3 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (Before:
              (K_41:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_116:
              ((((SelectionSort_swap _jessie_) _jessie_) _jessie_) _jessie_))))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_44:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ =
            (i_3 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
            void); _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end) { (JC_69: true) }

let SelectionSort_sort_ensures_permutation =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_SelectionSort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int32 void) in
     (let j_3 = ref (any_int32 void) in
     (let mi = ref (any_int32 void) in
     (let mv = ref (any_int32 void) in
     begin
       (let _jessie_ = (i_3 := (safe_int32_of_integer_ (0))) in void);
      try
       (loop_7:
       while true do
       { invariant
           (JC_139:
           Permut(t_0, (0),
           sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
           intM_intP, intM_intP@init))  }
        begin
          [ { } unit reads i_3
            { (JC_140: le_int((0), integer_of_int32(i_3))) } ];
         try
          begin
            (if (K_47:
                ((lt_int_ (integer_of_int32 !i_3)) (integer_of_int32 
                                                    (K_46:
                                                    (safe_int32_of_integer_ 
                                                     ((sub_int (K_45:
                                                               (let _jessie_ =
                                                               t_0 in
                                                               (JC_144:
                                                               (java_array_length_intM _jessie_))))) (1)))))))
            then
             begin
               (let _jessie_ =
               (mv := (K_24:
                      ((safe_acc_ !intM_intP) ((shift t_0) (integer_of_int32 !i_3))))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ =
              (j_3 := (K_40:
                      (safe_int32_of_integer_ ((add_int (integer_of_int32 !i_3)) (1))))) in
              void);
              begin
                try
                 (loop_8:
                 while true do
                 { invariant (JC_150: true)  }
                  begin
                    [ { } unit reads Object_alloc_table,i_3,j_3,mi
                      { (JC_148:
                        ((JC_145:
                         lt_int(integer_of_int32(i_3), integer_of_int32(j_3)))
                        and ((JC_146:
                             le_int(integer_of_int32(i_3),
                             integer_of_int32(mi)))
                            and (JC_147:
                                lt_int(integer_of_int32(mi),
                                add_int(offset_max(Object_alloc_table, t_0),
                                (1))))))) } ];
                   try
                    begin
                      (if (K_39:
                          ((lt_int_ (integer_of_int32 !j_3)) (K_38:
                                                             (let _jessie_ =
                                                             t_0 in
                                                             (JC_152:
                                                             (java_array_length_intM _jessie_))))))
                      then
                       (if (K_36:
                           ((lt_int_ (integer_of_int32 (K_35:
                                                       ((safe_acc_ !intM_intP) 
                                                        ((shift t_0) 
                                                         (integer_of_int32 !j_3)))))) 
                            (integer_of_int32 !mv)))
                       then
                        (let _jessie_ =
                        begin
                          (let _jessie_ = (mi := !j_3) in void);
                         (mv := (K_34:
                                ((safe_acc_ !intM_intP) ((shift t_0) 
                                                         (integer_of_int32 !j_3)))));
                         !mv end in void) else void)
                      else (raise (Loop_exit_exc void)));
                     (raise (Loop_continue_exc void)) end with
                    Loop_continue_exc _jessie_ ->
                    (let _jessie_ =
                    (K_37:
                    (let _jessie_ = !j_3 in
                    begin
                      (let _jessie_ =
                      (j_3 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
                      void); _jessie_ end)) in void) end end done) with
                 Loop_exit_exc _jessie_ -> void end;
               (Before:
               (K_41:
               begin
                 (let _jessie_ = this_0 in
                 (let _jessie_ = t_0 in
                 (let _jessie_ = !i_3 in
                 (let _jessie_ = !mi in
                 (JC_153:
                 ((((SelectionSort_swap _jessie_) _jessie_) _jessie_) _jessie_))))));
                (K_43:
                (assert
                { (JC_154:
                  Permut(t_0, (0),
                  sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                  (1)), intM_intP, intM_intP@Before)) }; void)) end)) end end
            else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_44:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ =
            (i_3 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
            void); _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end)
  { (JC_75:
    Permut(t_0, (0),
    sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
    intM_intP, intM_intP@)) }

let SelectionSort_sort_ensures_sorted =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_SelectionSort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int32 void) in
     (let j_3 = ref (any_int32 void) in
     (let mi = ref (any_int32 void) in
     (let mv = ref (any_int32 void) in
     begin
       (let _jessie_ = (i_3 := (safe_int32_of_integer_ (0))) in void);
      try
       (loop_5:
       while true do
       { invariant
           (JC_120:
           ((JC_118: Sorted(t_0, (0), integer_of_int32(i_3), intM_intP))
           and (JC_119:
               (forall k1:int.
                (forall k2:int.
                 ((le_int((0), k1)
                  and (lt_int(k1, integer_of_int32(i_3))
                      and (le_int(integer_of_int32(i_3), k2)
                          and lt_int(k2,
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1)))))) ->
                  le_int(integer_of_int32(select(intM_intP, shift(t_0, k1))),
                  integer_of_int32(select(intM_intP, shift(t_0, k2))))))))))
          }
        begin
          [ { } unit reads i_3
            { (JC_121: le_int((0), integer_of_int32(i_3))) } ];
         try
          begin
            (if (K_47:
                ((lt_int_ (integer_of_int32 !i_3)) (integer_of_int32 
                                                    (K_46:
                                                    (safe_int32_of_integer_ 
                                                     ((sub_int (K_45:
                                                               (let _jessie_ =
                                                               t_0 in
                                                               (JC_125:
                                                               (java_array_length_intM _jessie_))))) (1)))))))
            then
             begin
               (let _jessie_ =
               (mv := (K_24:
                      ((safe_acc_ !intM_intP) ((shift t_0) (integer_of_int32 !i_3))))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ =
              (j_3 := (K_40:
                      (safe_int32_of_integer_ ((add_int (integer_of_int32 !i_3)) (1))))) in
              void);
              try
               (loop_6:
               while true do
               { invariant
                   (JC_128:
                   ((JC_126:
                    (integer_of_int32(mv) = integer_of_int32(select(intM_intP,
                                                             shift(t_0,
                                                             integer_of_int32(mi))))))
                   and (JC_127:
                       (forall k_0:int.
                        ((le_int(integer_of_int32(i_3), k_0)
                         and lt_int(k_0, integer_of_int32(j_3))) ->
                         ge_int(integer_of_int32(select(intM_intP,
                                                 shift(t_0, k_0))),
                         integer_of_int32(mv)))))))  }
                begin
                  [ { } unit reads Object_alloc_table,i_3,j_3,mi
                    { (JC_132:
                      ((JC_129:
                       lt_int(integer_of_int32(i_3), integer_of_int32(j_3)))
                      and ((JC_130:
                           le_int(integer_of_int32(i_3),
                           integer_of_int32(mi)))
                          and (JC_131:
                              lt_int(integer_of_int32(mi),
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1))))))) } ];
                 try
                  begin
                    (if (K_39:
                        ((lt_int_ (integer_of_int32 !j_3)) (K_38:
                                                           (let _jessie_ =
                                                           t_0 in
                                                           (JC_136:
                                                           (java_array_length_intM _jessie_))))))
                    then
                     (if (K_36:
                         ((lt_int_ (integer_of_int32 (K_35:
                                                     ((safe_acc_ !intM_intP) 
                                                      ((shift t_0) (integer_of_int32 !j_3)))))) 
                          (integer_of_int32 !mv)))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_3) in void);
                       (mv := (K_34:
                              ((safe_acc_ !intM_intP) ((shift t_0) (integer_of_int32 !j_3)))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_37:
                  (let _jessie_ = !j_3 in
                  begin
                    (let _jessie_ =
                    (j_3 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (Before:
              (K_41:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_137:
              ((((SelectionSort_swap _jessie_) _jessie_) _jessie_) _jessie_))))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_44:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ =
            (i_3 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
            void); _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end)
  { (JC_73:
    Sorted(t_0, (0), add_int(offset_max(Object_alloc_table, t_0), (1)),
    intM_intP)) }

let SelectionSort_sort_safety =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_SelectionSort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int32 void) in
     (let j_3 = ref (any_int32 void) in
     (let mi = ref (any_int32 void) in
     (let mv = ref (any_int32 void) in
     begin
       (let _jessie_ = (i_3 := (safe_int32_of_integer_ (0))) in void);
      try
       (loop_1:
       while true do
       { invariant (JC_79: true)
         variant (JC_102 : sub_int(add_int(offset_max(Object_alloc_table,
                                           t_0),
                                   (1)),
                           integer_of_int32(i_3))) }
        begin
          [ { } unit reads i_3
            { (JC_77: le_int((0), integer_of_int32(i_3))) } ];
         try
          begin
            (if (K_47:
                ((lt_int_ (integer_of_int32 !i_3)) (integer_of_int32 
                                                    (K_46:
                                                    (JC_83:
                                                    (int32_of_integer_ 
                                                     ((sub_int (K_45:
                                                               (let _jessie_ =
                                                               t_0 in
                                                               (JC_82:
                                                               (assert
                                                               { ge_int(
                                                                 offset_max(Object_alloc_table,
                                                                 _jessie_),
                                                                 (-1)) };
                                                               (JC_81:
                                                               (java_array_length_intM_requires _jessie_))))))) (1))))))))
            then
             begin
               (let _jessie_ =
               (mv := (K_24:
                      (JC_84:
                      ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) 
                       (integer_of_int32 !i_3))))) in void);
              (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ =
              (j_3 := (K_40:
                      (JC_85:
                      (int32_of_integer_ ((add_int (integer_of_int32 !i_3)) (1)))))) in
              void);
              try
               (loop_2:
               while true do
               { invariant (JC_91: true)
                 variant (JC_98 : sub_int(add_int(offset_max(Object_alloc_table,
                                                  t_0),
                                          (1)),
                                  integer_of_int32(j_3))) }
                begin
                  [ { } unit reads Object_alloc_table,i_3,j_3,mi
                    { (JC_89:
                      ((JC_86:
                       lt_int(integer_of_int32(i_3), integer_of_int32(j_3)))
                      and ((JC_87:
                           le_int(integer_of_int32(i_3),
                           integer_of_int32(mi)))
                          and (JC_88:
                              lt_int(integer_of_int32(mi),
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1))))))) } ];
                 try
                  begin
                    (if (K_39:
                        ((lt_int_ (integer_of_int32 !j_3)) (K_38:
                                                           (let _jessie_ =
                                                           t_0 in
                                                           (JC_94:
                                                           (assert
                                                           { ge_int(offset_max(Object_alloc_table,
                                                                    _jessie_),
                                                             (-1)) };
                                                           (JC_93:
                                                           (java_array_length_intM_requires _jessie_))))))))
                    then
                     (if (K_36:
                         ((lt_int_ (integer_of_int32 (K_35:
                                                     (JC_95:
                                                     ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) 
                                                      (integer_of_int32 !j_3)))))) 
                          (integer_of_int32 !mv)))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_3) in void);
                       (mv := (K_34:
                              (JC_96:
                              ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) 
                               (integer_of_int32 !j_3))))); !mv end in void)
                     else void) else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_37:
                  (let _jessie_ = !j_3 in
                  begin
                    (let _jessie_ =
                    (j_3 := (JC_97:
                            (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (Before:
              (K_41:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_99:
              ((((SelectionSort_swap_requires _jessie_) _jessie_) _jessie_) _jessie_))))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_44:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ =
            (i_3 := (JC_101:
                    (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
            void); _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end) { true }

let SelectionSort_swap_ensures_default =
 fun (this_2 : Object pointer) (t : Object pointer) (i_2 : int32) (j_2 : int32) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_SelectionSort(this_2, (0), (0), Object_alloc_table)
        and (JC_51:
            ((JC_46: Non_null_intM(t, Object_alloc_table))
            and ((JC_47: le_int((0), integer_of_int32(i_2)))
                and ((JC_48:
                     lt_int(integer_of_int32(i_2),
                     add_int(offset_max(Object_alloc_table, t), (1))))
                    and ((JC_49: le_int((0), integer_of_int32(j_2)))
                        and (JC_50:
                            lt_int(integer_of_int32(j_2),
                            add_int(offset_max(Object_alloc_table, t), (1))))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let tmp =
     (K_14: ((safe_acc_ !intM_intP) ((shift t) (integer_of_int32 i_2)))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11: ((safe_acc_ !intM_intP) ((shift t) (integer_of_int32 j_2)))) in
       (let _jessie_ = t in
       (let _jessie_ = (integer_of_int32 i_2) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
      (K_13:
      (let _jessie_ = tmp in
      (let _jessie_ = t in
      (let _jessie_ = (integer_of_int32 j_2) in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      begin   (((safe_upd_ intM_intP) _jessie_) _jessie_); _jessie_ end)))))
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_55:
    ((JC_53:
     Swap(t, integer_of_int32(i_2), integer_of_int32(j_2), intM_intP,
     intM_intP@))
    and (JC_54:
        not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
        pset_union(pset_range(pset_singleton(t), integer_of_int32(j_2),
                   integer_of_int32(j_2)),
        pset_range(pset_singleton(t), integer_of_int32(i_2),
        integer_of_int32(i_2))))))) }

let SelectionSort_swap_safety =
 fun (this_2 : Object pointer) (t : Object pointer) (i_2 : int32) (j_2 : int32) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_SelectionSort(this_2, (0), (0), Object_alloc_table)
        and (JC_51:
            ((JC_46: Non_null_intM(t, Object_alloc_table))
            and ((JC_47: le_int((0), integer_of_int32(i_2)))
                and ((JC_48:
                     lt_int(integer_of_int32(i_2),
                     add_int(offset_max(Object_alloc_table, t), (1))))
                    and ((JC_49: le_int((0), integer_of_int32(j_2)))
                        and (JC_50:
                            lt_int(integer_of_int32(j_2),
                            add_int(offset_max(Object_alloc_table, t), (1))))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let tmp =
     (K_14:
     (JC_61:
     ((((offset_acc_ !Object_alloc_table) !intM_intP) t) (integer_of_int32 i_2)))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11:
       (JC_62:
       ((((offset_acc_ !Object_alloc_table) !intM_intP) t) (integer_of_int32 j_2)))) in
       (let _jessie_ = t in
       (let _jessie_ = (integer_of_int32 i_2) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_63:
       (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
       void);
      (K_13:
      (let _jessie_ = tmp in
      (let _jessie_ = t in
      (let _jessie_ = (integer_of_int32 j_2) in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_64:
      begin
        (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_);
       _jessie_ end)))))) end)) in void); (raise Return) end with Return ->
   void end) { true }

let cons_Object_ensures_default =
 fun (this_14 : Object pointer) ->
  { valid_struct_Object(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_239: true) }

let cons_Object_safety =
 fun (this_14 : Object pointer) ->
  { valid_struct_Object(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_SelectionSort_ensures_default =
 fun (this_3 : Object pointer) ->
  { valid_struct_SelectionSort(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_215: true) }

let cons_SelectionSort_safety =
 fun (this_3 : Object pointer) ->
  { valid_struct_SelectionSort(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/SelectionSort.why
========== file tests/java/why/SelectionSort.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  

========== file tests/java/why/SelectionSort_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic integer_of_int32 : int32 -> int

predicate Swap(a_0: Object pointer, i_0: int, j_0: int,
  intM_intP_at_L2: (Object, int32) memory, intM_intP_at_L1: (Object,
  int32) memory) =
  ((integer_of_int32(select(intM_intP_at_L1, shift(a_0,
   i_0))) = integer_of_int32(select(intM_intP_at_L2, shift(a_0, j_0)))) and
   ((integer_of_int32(select(intM_intP_at_L1, shift(a_0,
    j_0))) = integer_of_int32(select(intM_intP_at_L2, shift(a_0, i_0)))) and
    (forall k:int.
      (((k <> i_0) and (k <> j_0)) ->
       (integer_of_int32(select(intM_intP_at_L1, shift(a_0,
       k))) = integer_of_int32(select(intM_intP_at_L2, shift(a_0, k))))))))

inductive Permut: Object pointer, int, int, (Object, int32) memory, (Object,
                  int32) memory -> prop =
  | Permut_refl: (forall intM_intP_at_L:(Object, int32) memory.
                   (forall a_2:Object pointer.
                     (forall l_1:int.
                       (forall h_1:int. Permut(a_2, l_1, h_1, intM_intP_at_L,
                         intM_intP_at_L)))))
  | Permut_sym: (forall intM_intP_at_L2:(Object, int32) memory.
                  (forall intM_intP_at_L1:(Object, int32) memory.
                    (forall a_3:Object pointer.
                      (forall l_2:int.
                        (forall h_2:int.
                          (Permut(a_3, l_2, h_2, intM_intP_at_L2,
                           intM_intP_at_L1) -> Permut(a_3, l_2, h_2,
                           intM_intP_at_L1, intM_intP_at_L2)))))))
  | Permut_trans: (forall intM_intP_at_L3:(Object, int32) memory.
                    (forall intM_intP_at_L2:(Object, int32) memory.
                      (forall intM_intP_at_L1:(Object, int32) memory.
                        (forall a_4:Object pointer.
                          (forall l_3:int.
                            (forall h_3:int.
                              ((Permut(a_4, l_3, h_3, intM_intP_at_L2,
                                intM_intP_at_L1) and Permut(a_4, l_3, h_3,
                                intM_intP_at_L3, intM_intP_at_L2)) ->
                               Permut(a_4, l_3, h_3, intM_intP_at_L3,
                               intM_intP_at_L1))))))))
  | Permut_swap: (forall intM_intP_at_L2:(Object, int32) memory.
                   (forall intM_intP_at_L1:(Object, int32) memory.
                     (forall a_5:Object pointer.
                       (forall l_4:int.
                         (forall h_4:int.
                           (forall i_1:int.
                             (forall j_1:int.
                               (((l_4 <= i_1) and
                                 ((i_1 <= h_4) and
                                  ((l_4 <= j_1) and
                                   ((j_1 <= h_4) and Swap(a_5, i_1, j_1,
                                    intM_intP_at_L2, intM_intP_at_L1))))) ->
                                Permut(a_5, l_4, h_4, intM_intP_at_L2,
                                intM_intP_at_L1)))))))))



logic SelectionSort_tag : Object tag_id

axiom SelectionSort_parenttag_Object: parenttag(SelectionSort_tag,
  Object_tag)

predicate Sorted(a: Object pointer, l: int, h: int, intM_intP_at_L: (Object,
  int32) memory) =
  (forall i:int.
    (forall j:int.
      (((l <= i) and ((i <= j) and (j < h))) ->
       (integer_of_int32(select(intM_intP_at_L, shift(a,
       i))) <= integer_of_int32(select(intM_intP_at_L, shift(a, j)))))))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_SelectionSort(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_SelectionSort(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_SelectionSort(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_SelectionSort(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/SelectionSort_po1.why ==========
goal SelectionSort_sort_ensures_default_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  ("JC_103": (0 <= integer_of_int32(i_3)))

========== file tests/java/why/SelectionSort_po10.why ==========
goal SelectionSort_sort_ensures_default_po_10:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result6) ->
  ("JC_111":
  ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
  t_0) + 1))))

========== file tests/java/why/SelectionSort_po11.why ==========
goal SelectionSort_sort_ensures_default_po_11:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP0, intM_intP)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i_3_0) + 1)) ->
  forall i_3_1:int32.
  (i_3_1 = result5) ->
  ("JC_103": (0 <= integer_of_int32(i_3_1)))

========== file tests/java/why/SelectionSort_po12.why ==========
goal SelectionSort_sort_ensures_permutation_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  ("JC_139": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP, intM_intP))

========== file tests/java/why/SelectionSort_po13.why ==========
goal SelectionSort_sort_ensures_permutation_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_139": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)) ->
  ("JC_140": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_150": true) ->
  ("JC_148":
  (("JC_145": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_146": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_147": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  forall intM_intP1:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  ("JC_154": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP1, intM_intP0))

========== file tests/java/why/SelectionSort_po14.why ==========
goal SelectionSort_sort_ensures_permutation_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_139": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)) ->
  ("JC_140": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_150": true) ->
  ("JC_148":
  (("JC_145": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_146": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_147": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  forall intM_intP1:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  ("JC_154": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP1, intM_intP0)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i_3_0) + 1)) ->
  forall i_3_1:int32.
  (i_3_1 = result5) ->
  ("JC_139": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP1, intM_intP))

========== file tests/java/why/SelectionSort_po15.why ==========
goal SelectionSort_sort_ensures_sorted_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  ("JC_120": ("JC_118": Sorted(t_0, 0, integer_of_int32(i_3), intM_intP)))

========== file tests/java/why/SelectionSort_po16.why ==========
goal SelectionSort_sort_ensures_sorted_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and
   ((k1 < integer_of_int32(i_3)) and
    ((integer_of_int32(i_3) <= k2) and (k2 < (offset_max(Object_alloc_table,
     t_0) + 1))))) ->
  ("JC_120":
  ("JC_119": (integer_of_int32(select(intM_intP, shift(t_0,
  k1))) <= integer_of_int32(select(intM_intP, shift(t_0, k2))))))

========== file tests/java/why/SelectionSort_po17.why ==========
goal SelectionSort_sort_ensures_sorted_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  ("JC_128":
  ("JC_126": (integer_of_int32(mv) = integer_of_int32(select(intM_intP0,
  shift(t_0, integer_of_int32(mi)))))))

========== file tests/java/why/SelectionSort_po18.why ==========
goal SelectionSort_sort_ensures_sorted_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall k_0:int.
  ((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3))) ->
  ("JC_128":
  ("JC_127": (integer_of_int32(select(intM_intP0, shift(t_0,
  k_0))) >= integer_of_int32(mv))))

========== file tests/java/why/SelectionSort_po19.why ==========
goal SelectionSort_sort_ensures_sorted_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_128":
  (("JC_126": (integer_of_int32(mv0) = integer_of_int32(select(intM_intP0,
   shift(t_0, integer_of_int32(mi0)))))) and
   ("JC_127":
   (forall k_0:int.
     (((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_0))) ->
      (integer_of_int32(select(intM_intP0, shift(t_0,
      k_0))) >= integer_of_int32(mv0))))))) ->
  ("JC_132":
  (("JC_129": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_130": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_131": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP0, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  forall result6:int32.
  (result6 = select(intM_intP0, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  ("JC_128":
  ("JC_126": (integer_of_int32(mv1) = integer_of_int32(select(intM_intP0,
  shift(t_0, integer_of_int32(mi1)))))))

========== file tests/java/why/SelectionSort_po2.why ==========
goal SelectionSort_sort_ensures_default_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  ("JC_111": ("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3))))

========== file tests/java/why/SelectionSort_po20.why ==========
goal SelectionSort_sort_ensures_sorted_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_128":
  (("JC_126": (integer_of_int32(mv0) = integer_of_int32(select(intM_intP0,
   shift(t_0, integer_of_int32(mi0)))))) and
   ("JC_127":
   (forall k_0:int.
     (((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_0))) ->
      (integer_of_int32(select(intM_intP0, shift(t_0,
      k_0))) >= integer_of_int32(mv0))))))) ->
  ("JC_132":
  (("JC_129": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_130": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_131": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP0, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  forall result6:int32.
  (result6 = select(intM_intP0, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  forall k_0:int.
  ((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_1))) ->
  ("JC_128":
  ("JC_127": (integer_of_int32(select(intM_intP0, shift(t_0,
  k_0))) >= integer_of_int32(mv1))))

========== file tests/java/why/SelectionSort_po21.why ==========
goal SelectionSort_sort_ensures_sorted_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_128":
  (("JC_126": (integer_of_int32(mv0) = integer_of_int32(select(intM_intP0,
   shift(t_0, integer_of_int32(mi0)))))) and
   ("JC_127":
   (forall k_0:int.
     (((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_0))) ->
      (integer_of_int32(select(intM_intP0, shift(t_0,
      k_0))) >= integer_of_int32(mv0))))))) ->
  ("JC_132":
  (("JC_129": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_130": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_131": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP0, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result6) ->
  forall k_0:int.
  ((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_1))) ->
  ("JC_128":
  ("JC_127": (integer_of_int32(select(intM_intP0, shift(t_0,
  k_0))) >= integer_of_int32(mv0))))

========== file tests/java/why/SelectionSort_po22.why ==========
goal SelectionSort_sort_ensures_sorted_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_128":
  (("JC_126": (integer_of_int32(mv0) = integer_of_int32(select(intM_intP0,
   shift(t_0, integer_of_int32(mi0)))))) and
   ("JC_127":
   (forall k_0:int.
     (((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_0))) ->
      (integer_of_int32(select(intM_intP0, shift(t_0,
      k_0))) >= integer_of_int32(mv0))))))) ->
  ("JC_132":
  (("JC_129": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_130": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_131": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  forall intM_intP1:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i_3_0) + 1)) ->
  forall i_3_1:int32.
  (i_3_1 = result5) ->
  ("JC_120": ("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_1), intM_intP1)))

========== file tests/java/why/SelectionSort_po23.why ==========
goal SelectionSort_sort_ensures_sorted_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_128":
  (("JC_126": (integer_of_int32(mv0) = integer_of_int32(select(intM_intP0,
   shift(t_0, integer_of_int32(mi0)))))) and
   ("JC_127":
   (forall k_0:int.
     (((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_0))) ->
      (integer_of_int32(select(intM_intP0, shift(t_0,
      k_0))) >= integer_of_int32(mv0))))))) ->
  ("JC_132":
  (("JC_129": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_130": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_131": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  forall intM_intP1:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i_3_0) + 1)) ->
  forall i_3_1:int32.
  (i_3_1 = result5) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and
   ((k1 < integer_of_int32(i_3_1)) and
    ((integer_of_int32(i_3_1) <= k2) and
     (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ("JC_120":
  ("JC_119": (integer_of_int32(select(intM_intP1, shift(t_0,
  k1))) <= integer_of_int32(select(intM_intP1, shift(t_0, k2))))))

========== file tests/java/why/SelectionSort_po24.why ==========
goal SelectionSort_sort_ensures_sorted_po_10:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) >= integer_of_int32(result1)) ->
  ("JC_73": Sorted(t_0, 0, (offset_max(Object_alloc_table, t_0) + 1),
  intM_intP0))

========== file tests/java/why/SelectionSort_po25.why ==========
goal SelectionSort_sort_safety_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1))

========== file tests/java/why/SelectionSort_po26.why ==========
goal SelectionSort_sort_safety_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ((-2147483648) <= (result0 - 1))

========== file tests/java/why/SelectionSort_po27.why ==========
goal SelectionSort_sort_safety_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ((result0 - 1) <= 2147483647)

========== file tests/java/why/SelectionSort_po28.why ==========
goal SelectionSort_sort_safety_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  (offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0))

========== file tests/java/why/SelectionSort_po29.why ==========
goal SelectionSort_sort_safety_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))

========== file tests/java/why/SelectionSort_po3.why ==========
goal SelectionSort_sort_ensures_default_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  ("JC_111": ("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi))))

========== file tests/java/why/SelectionSort_po30.why ==========
goal SelectionSort_sort_safety_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  ((-2147483648) <= (integer_of_int32(i_3_0) + 1))

========== file tests/java/why/SelectionSort_po31.why ==========
goal SelectionSort_sort_safety_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  ((integer_of_int32(i_3_0) + 1) <= 2147483647)

========== file tests/java/why/SelectionSort_po32.why ==========
goal SelectionSort_sort_safety_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  (offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0))

========== file tests/java/why/SelectionSort_po33.why ==========
goal SelectionSort_sort_safety_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))

========== file tests/java/why/SelectionSort_po34.why ==========
goal SelectionSort_sort_safety_po_10:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  ((-2147483648) <= (integer_of_int32(j_3_0) + 1))

========== file tests/java/why/SelectionSort_po35.why ==========
goal SelectionSort_sort_safety_po_11:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  ((integer_of_int32(j_3_0) + 1) <= 2147483647)

========== file tests/java/why/SelectionSort_po36.why ==========
goal SelectionSort_sort_safety_po_12:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  (((-2147483648) <= (integer_of_int32(j_3_0) + 1)) and
   ((integer_of_int32(j_3_0) + 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  (0 <= ("JC_98": ((offset_max(Object_alloc_table,
        t_0) + 1) - integer_of_int32(j_3_0))))

========== file tests/java/why/SelectionSort_po37.why ==========
goal SelectionSort_sort_safety_po_13:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  (((-2147483648) <= (integer_of_int32(j_3_0) + 1)) and
   ((integer_of_int32(j_3_0) + 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  (("JC_98": ((offset_max(Object_alloc_table,
   t_0) + 1) - integer_of_int32(j_3_1))) < ("JC_98":
                                           ((offset_max(Object_alloc_table,
                                           t_0) + 1) - integer_of_int32(j_3_0))))

========== file tests/java/why/SelectionSort_po38.why ==========
goal SelectionSort_sort_safety_po_14:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  ((-2147483648) <= (integer_of_int32(j_3_0) + 1))

========== file tests/java/why/SelectionSort_po39.why ==========
goal SelectionSort_sort_safety_po_15:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  ((integer_of_int32(j_3_0) + 1) <= 2147483647)

========== file tests/java/why/SelectionSort_po4.why ==========
goal SelectionSort_sort_ensures_default_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  ("JC_111":
  ("JC_110": (integer_of_int32(mi) < (offset_max(Object_alloc_table,
  t_0) + 1))))

========== file tests/java/why/SelectionSort_po40.why ==========
goal SelectionSort_sort_safety_po_16:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  (((-2147483648) <= (integer_of_int32(j_3_0) + 1)) and
   ((integer_of_int32(j_3_0) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result6) ->
  (0 <= ("JC_98": ((offset_max(Object_alloc_table,
        t_0) + 1) - integer_of_int32(j_3_0))))

========== file tests/java/why/SelectionSort_po41.why ==========
goal SelectionSort_sort_safety_po_17:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  (((-2147483648) <= (integer_of_int32(j_3_0) + 1)) and
   ((integer_of_int32(j_3_0) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result6) ->
  (("JC_98": ((offset_max(Object_alloc_table,
   t_0) + 1) - integer_of_int32(j_3_1))) < ("JC_98":
                                           ((offset_max(Object_alloc_table,
                                           t_0) + 1) - integer_of_int32(j_3_0))))

========== file tests/java/why/SelectionSort_po42.why ==========
goal SelectionSort_sort_safety_po_18:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  ("JC_44": ("JC_39": Non_null_intM(t_0, Object_alloc_table)))

========== file tests/java/why/SelectionSort_po43.why ==========
goal SelectionSort_sort_safety_po_19:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  ("JC_44":
  ("JC_41": (integer_of_int32(i_3_0) < (offset_max(Object_alloc_table,
  t_0) + 1))))

========== file tests/java/why/SelectionSort_po44.why ==========
goal SelectionSort_sort_safety_po_20:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  ("JC_44": ("JC_42": (0 <= integer_of_int32(mi0))))

========== file tests/java/why/SelectionSort_po45.why ==========
goal SelectionSort_sort_safety_po_21:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  ("JC_44":
  ("JC_43": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
  t_0) + 1))))

========== file tests/java/why/SelectionSort_po46.why ==========
goal SelectionSort_sort_safety_po_22:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  ("JC_44":
  (("JC_39": Non_null_intM(t_0, Object_alloc_table)) and
   (("JC_40": (0 <= integer_of_int32(i_3_0))) and
    (("JC_41": (integer_of_int32(i_3_0) < (offset_max(Object_alloc_table,
     t_0) + 1))) and
     (("JC_42": (0 <= integer_of_int32(mi0))) and
      ("JC_43": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
      t_0) + 1)))))))) ->
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP0, intM_intP)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i_3_0) + 1)) ->
  forall i_3_1:int32.
  (i_3_1 = result5) ->
  (0 <= ("JC_102": ((offset_max(Object_alloc_table,
        t_0) + 1) - integer_of_int32(i_3_0))))

========== file tests/java/why/SelectionSort_po47.why ==========
goal SelectionSort_sort_safety_po_23:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  ("JC_44":
  (("JC_39": Non_null_intM(t_0, Object_alloc_table)) and
   (("JC_40": (0 <= integer_of_int32(i_3_0))) and
    (("JC_41": (integer_of_int32(i_3_0) < (offset_max(Object_alloc_table,
     t_0) + 1))) and
     (("JC_42": (0 <= integer_of_int32(mi0))) and
      ("JC_43": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
      t_0) + 1)))))))) ->
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP0, intM_intP)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i_3_0) + 1)) ->
  forall i_3_1:int32.
  (i_3_1 = result5) ->
  (("JC_102": ((offset_max(Object_alloc_table,
   t_0) + 1) - integer_of_int32(i_3_1))) < ("JC_102":
                                           ((offset_max(Object_alloc_table,
                                           t_0) + 1) - integer_of_int32(i_3_0))))

========== file tests/java/why/SelectionSort_po48.why ==========
goal SelectionSort_swap_ensures_default_po_1:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int32.
  forall j_2:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= integer_of_int32(i_2))) and
      (("JC_48": (integer_of_int32(i_2) < (offset_max(Object_alloc_table,
       t) + 1))) and
       (("JC_49": (0 <= integer_of_int32(j_2))) and
        ("JC_50": (integer_of_int32(j_2) < (offset_max(Object_alloc_table,
        t) + 1)))))))))) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, integer_of_int32(i_2)))) ->
  forall result0:int32.
  (result0 = select(intM_intP, shift(t, integer_of_int32(j_2)))) ->
  forall intM_intP0:(Object,
  int32) memory.
  (intM_intP0 = store(intM_intP, shift(t, integer_of_int32(i_2)),
  result0)) ->
  forall intM_intP1:(Object,
  int32) memory.
  (intM_intP1 = store(intM_intP0, shift(t, integer_of_int32(j_2)),
  result)) ->
  ("JC_55":
  ("JC_53": Swap(t, integer_of_int32(i_2), integer_of_int32(j_2), intM_intP1,
  intM_intP)))

========== file tests/java/why/SelectionSort_po49.why ==========
goal SelectionSort_swap_ensures_default_po_2:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int32.
  forall j_2:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= integer_of_int32(i_2))) and
      (("JC_48": (integer_of_int32(i_2) < (offset_max(Object_alloc_table,
       t) + 1))) and
       (("JC_49": (0 <= integer_of_int32(j_2))) and
        ("JC_50": (integer_of_int32(j_2) < (offset_max(Object_alloc_table,
        t) + 1)))))))))) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, integer_of_int32(i_2)))) ->
  forall result0:int32.
  (result0 = select(intM_intP, shift(t, integer_of_int32(j_2)))) ->
  forall intM_intP0:(Object,
  int32) memory.
  (intM_intP0 = store(intM_intP, shift(t, integer_of_int32(i_2)),
  result0)) ->
  forall intM_intP1:(Object,
  int32) memory.
  (intM_intP1 = store(intM_intP0, shift(t, integer_of_int32(j_2)),
  result)) ->
  ("JC_55":
  ("JC_54": not_assigns(Object_alloc_table, intM_intP, intM_intP1,
  pset_union(pset_range(pset_singleton(t), integer_of_int32(j_2),
  integer_of_int32(j_2)), pset_range(pset_singleton(t),
  integer_of_int32(i_2), integer_of_int32(i_2))))))

========== file tests/java/why/SelectionSort_po5.why ==========
goal SelectionSort_sort_ensures_default_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  ("JC_111": ("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_1))))

========== file tests/java/why/SelectionSort_po50.why ==========
goal SelectionSort_swap_safety_po_1:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int32.
  forall j_2:int32.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= integer_of_int32(i_2))) and
      (("JC_48": (integer_of_int32(i_2) < (offset_max(Object_alloc_table,
       t) + 1))) and
       (("JC_49": (0 <= integer_of_int32(j_2))) and
        ("JC_50": (integer_of_int32(j_2) < (offset_max(Object_alloc_table,
        t) + 1)))))))))) ->
  (offset_min(Object_alloc_table, t) <= integer_of_int32(i_2))

========== file tests/java/why/SelectionSort_po51.why ==========
goal SelectionSort_swap_safety_po_2:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int32.
  forall j_2:int32.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= integer_of_int32(i_2))) and
      (("JC_48": (integer_of_int32(i_2) < (offset_max(Object_alloc_table,
       t) + 1))) and
       (("JC_49": (0 <= integer_of_int32(j_2))) and
        ("JC_50": (integer_of_int32(j_2) < (offset_max(Object_alloc_table,
        t) + 1)))))))))) ->
  (integer_of_int32(i_2) <= offset_max(Object_alloc_table, t))

========== file tests/java/why/SelectionSort_po52.why ==========
goal SelectionSort_swap_safety_po_3:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int32.
  forall j_2:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= integer_of_int32(i_2))) and
      (("JC_48": (integer_of_int32(i_2) < (offset_max(Object_alloc_table,
       t) + 1))) and
       (("JC_49": (0 <= integer_of_int32(j_2))) and
        ("JC_50": (integer_of_int32(j_2) < (offset_max(Object_alloc_table,
        t) + 1)))))))))) ->
  ((offset_min(Object_alloc_table, t) <= integer_of_int32(i_2)) and
   (integer_of_int32(i_2) <= offset_max(Object_alloc_table, t))) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, integer_of_int32(i_2)))) ->
  (offset_min(Object_alloc_table, t) <= integer_of_int32(j_2))

========== file tests/java/why/SelectionSort_po53.why ==========
goal SelectionSort_swap_safety_po_4:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int32.
  forall j_2:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= integer_of_int32(i_2))) and
      (("JC_48": (integer_of_int32(i_2) < (offset_max(Object_alloc_table,
       t) + 1))) and
       (("JC_49": (0 <= integer_of_int32(j_2))) and
        ("JC_50": (integer_of_int32(j_2) < (offset_max(Object_alloc_table,
        t) + 1)))))))))) ->
  ((offset_min(Object_alloc_table, t) <= integer_of_int32(i_2)) and
   (integer_of_int32(i_2) <= offset_max(Object_alloc_table, t))) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, integer_of_int32(i_2)))) ->
  (integer_of_int32(j_2) <= offset_max(Object_alloc_table, t))

========== file tests/java/why/SelectionSort_po6.why ==========
goal SelectionSort_sort_ensures_default_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  ("JC_111": ("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi1))))

========== file tests/java/why/SelectionSort_po7.why ==========
goal SelectionSort_sort_ensures_default_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  ("JC_111":
  ("JC_110": (integer_of_int32(mi1) < (offset_max(Object_alloc_table,
  t_0) + 1))))

========== file tests/java/why/SelectionSort_po8.why ==========
goal SelectionSort_sort_ensures_default_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result6) ->
  ("JC_111": ("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_1))))

========== file tests/java/why/SelectionSort_po9.why ==========
goal SelectionSort_sort_ensures_default_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result6) ->
  ("JC_111": ("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))))

========== generation of Simplify VC output ==========
why -simplify [...] why/SelectionSort.why
========== file tests/java/simplify/SelectionSort_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(DEFPRED (Swap a_0 i_0 j_0 intM_intP_at_L2 intM_intP_at_L1)
  (AND
  (EQ (integer_of_int32 (select intM_intP_at_L1 (shift a_0 i_0)))
  (integer_of_int32 (select intM_intP_at_L2 (shift a_0 j_0))))
  (AND
  (EQ (integer_of_int32 (select intM_intP_at_L1 (shift a_0 j_0)))
  (integer_of_int32 (select intM_intP_at_L2 (shift a_0 i_0))))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i_0) (NEQ k j_0))
  (EQ (integer_of_int32 (select intM_intP_at_L1 (shift a_0 k)))
  (integer_of_int32 (select intM_intP_at_L2 (shift a_0 k)))))))))

(BG_PUSH
 ;; Why axiom Permut_inversion
 (FORALL (aux_1 aux_2 aux_3 aux_4 aux_5)
 (IMPLIES (EQ (Permut aux_1 aux_2 aux_3 aux_4 aux_5) |@true|)
 (OR
 (EXISTS (intM_intP_at_L)
 (EXISTS (a_2)
 (EXISTS (l_1)
 (EXISTS (h_1)
 (AND (EQ aux_1 a_2)
 (AND (EQ aux_2 l_1)
 (AND (EQ aux_3 h_1)
 (AND (EQ aux_4 intM_intP_at_L) (EQ aux_5 intM_intP_at_L)))))))))
 (OR
 (EXISTS (intM_intP_at_L2)
 (EXISTS (intM_intP_at_L1)
 (EXISTS (a_3)
 (EXISTS (l_2)
 (EXISTS (h_2)
 (AND (EQ (Permut a_3 l_2 h_2 intM_intP_at_L2 intM_intP_at_L1) |@true|)
 (AND (EQ aux_1 a_3)
 (AND (EQ aux_2 l_2)
 (AND (EQ aux_3 h_2)
 (AND (EQ aux_4 intM_intP_at_L1) (EQ aux_5 intM_intP_at_L2)))))))))))
 (OR
 (EXISTS (intM_intP_at_L3)
 (EXISTS (intM_intP_at_L2)
 (EXISTS (intM_intP_at_L1)
 (EXISTS (a_4)
 (EXISTS (l_3)
 (EXISTS (h_3)
 (AND
 (AND (EQ (Permut a_4 l_3 h_3 intM_intP_at_L2 intM_intP_at_L1) |@true|)
 (EQ (Permut a_4 l_3 h_3 intM_intP_at_L3 intM_intP_at_L2) |@true|))
 (AND (EQ aux_1 a_4)
 (AND (EQ aux_2 l_3)
 (AND (EQ aux_3 h_3)
 (AND (EQ aux_4 intM_intP_at_L3) (EQ aux_5 intM_intP_at_L1))))))))))))
 (EXISTS (intM_intP_at_L2)
 (EXISTS (intM_intP_at_L1)
 (EXISTS (a_5)
 (EXISTS (l_4)
 (EXISTS (h_4)
 (EXISTS (i_1)
 (EXISTS (j_1)
 (AND
 (AND (<= l_4 i_1)
 (AND (<= i_1 h_4)
 (AND (<= l_4 j_1)
 (AND (<= j_1 h_4) (Swap a_5 i_1 j_1 intM_intP_at_L2 intM_intP_at_L1)))))
 (AND (EQ aux_1 a_5)
 (AND (EQ aux_2 l_4)
 (AND (EQ aux_3 h_4)
 (AND (EQ aux_4 intM_intP_at_L2) (EQ aux_5 intM_intP_at_L1)))))))))))))))))))

(BG_PUSH
 ;; Why axiom Permut_refl
 (FORALL (intM_intP_at_L a_2 l_1 h_1)
 (EQ (Permut a_2 l_1 h_1 intM_intP_at_L intM_intP_at_L) |@true|)))

(BG_PUSH
 ;; Why axiom Permut_sym
 (FORALL (intM_intP_at_L2 intM_intP_at_L1 a_3 l_2 h_2)
 (IMPLIES (EQ (Permut a_3 l_2 h_2 intM_intP_at_L2 intM_intP_at_L1) |@true|)
 (EQ (Permut a_3 l_2 h_2 intM_intP_at_L1 intM_intP_at_L2) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_trans
 (FORALL (intM_intP_at_L3 intM_intP_at_L2 intM_intP_at_L1 a_4 l_3 h_3)
 (IMPLIES
 (AND (EQ (Permut a_4 l_3 h_3 intM_intP_at_L2 intM_intP_at_L1) |@true|)
 (EQ (Permut a_4 l_3 h_3 intM_intP_at_L3 intM_intP_at_L2) |@true|))
 (EQ (Permut a_4 l_3 h_3 intM_intP_at_L3 intM_intP_at_L1) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_swap
 (FORALL (intM_intP_at_L2 intM_intP_at_L1 a_5 l_4 h_4 i_1 j_1)
 (IMPLIES
 (AND (<= l_4 i_1)
 (AND (<= i_1 h_4)
 (AND (<= l_4 j_1)
 (AND (<= j_1 h_4) (Swap a_5 i_1 j_1 intM_intP_at_L2 intM_intP_at_L1)))))
 (EQ (Permut a_5 l_4 h_4 intM_intP_at_L2 intM_intP_at_L1) |@true|))))

(BG_PUSH
 ;; Why axiom SelectionSort_parenttag_Object
 (EQ (parenttag SelectionSort_tag Object_tag) |@true|))

(DEFPRED (Sorted a l h intM_intP_at_L)
  (FORALL (i j)
  (IMPLIES (AND (<= l i) (AND (<= i j) (< j h)))
  (<= (integer_of_int32 (select intM_intP_at_L (shift a i))) (integer_of_int32
                                                             (select
                                                             intM_intP_at_L 
                                                             (shift a j)))))))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_SelectionSort p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_SelectionSort p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_SelectionSort p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_SelectionSort p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; SelectionSort_sort_ensures_default_po_1, File "HOME/tests/java/SelectionSort.java", line 81, characters 20-26
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3) (IMPLIES (EQ i_3 result) (<= 0 (integer_of_int32 i_3))))))))))

;; SelectionSort_sort_ensures_default_po_2, File "HOME/tests/java/SelectionSort.java", line 93, characters 24-29
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(< (integer_of_int32 i_3_0) (integer_of_int32 j_3))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_default_po_3, File "HOME/tests/java/SelectionSort.java", line 93, characters 33-40
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(<= (integer_of_int32 i_3_0) (integer_of_int32 mi))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_default_po_4, File "HOME/tests/java/SelectionSort.java", line 93, characters 38-51
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(< (integer_of_int32 mi) (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_default_po_5, File "HOME/tests/java/SelectionSort.java", line 93, characters 24-29
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (mi1)
(IMPLIES (EQ mi1 j_3_0)
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(FORALL (mv1)
(IMPLIES (EQ mv1 result6)
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result7)
(< (integer_of_int32 i_3_0) (integer_of_int32 j_3_1))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_default_po_6, File "HOME/tests/java/SelectionSort.java", line 93, characters 33-40
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (mi1)
(IMPLIES (EQ mi1 j_3_0)
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(FORALL (mv1)
(IMPLIES (EQ mv1 result6)
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result7)
(<= (integer_of_int32 i_3_0) (integer_of_int32 mi1))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_default_po_7, File "HOME/tests/java/SelectionSort.java", line 93, characters 38-51
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (mi1)
(IMPLIES (EQ mi1 j_3_0)
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(FORALL (mv1)
(IMPLIES (EQ mv1 result6)
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result7)
(< (integer_of_int32 mi1) (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_default_po_8, File "HOME/tests/java/SelectionSort.java", line 93, characters 24-29
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result6)
(< (integer_of_int32 i_3_0) (integer_of_int32 j_3_1))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_default_po_9, File "HOME/tests/java/SelectionSort.java", line 93, characters 33-40
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result6)
(<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_default_po_10, File "HOME/tests/java/SelectionSort.java", line 93, characters 38-51
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result6)
(< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_default_po_11, File "HOME/tests/java/SelectionSort.java", line 81, characters 20-26
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 j_3_0) result4)
(FORALL (intM_intP0)
(IMPLIES (AND
         (Swap
         t_0 (integer_of_int32 i_3_0) (integer_of_int32 mi0) intM_intP0 intM_intP)
         (not_assigns
         Object_alloc_table intM_intP intM_intP0 (pset_union
                                                 (pset_range
                                                 (pset_singleton t_0) 
                                                 (integer_of_int32 mi0) 
                                                 (integer_of_int32 mi0)) 
                                                 (pset_range
                                                 (pset_singleton t_0) 
                                                 (integer_of_int32 i_3_0) 
                                                 (integer_of_int32 i_3_0)))))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 i_3_0) 1))
(FORALL (i_3_1) (IMPLIES (EQ i_3_1 result5) (<= 0 (integer_of_int32 i_3_1))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_permutation_po_1, File "HOME/tests/java/SelectionSort.java", line 87, characters 22-54
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(EQ (Permut
t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP intM_intP) |@true|))))))))))

;; SelectionSort_sort_ensures_permutation_po_2, File "HOME/tests/java/SelectionSort.java", line 108, characters 33-68
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|)
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP0 (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 j_3_0) result4)
(FORALL (intM_intP1)
(IMPLIES (AND
         (Swap
         t_0 (integer_of_int32 i_3_0) (integer_of_int32 mi0) intM_intP1 intM_intP0)
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_0) 
                                                  (integer_of_int32 mi0) 
                                                  (integer_of_int32 mi0)) 
                                                  (pset_range
                                                  (pset_singleton t_0) 
                                                  (integer_of_int32 i_3_0) 
                                                  (integer_of_int32 i_3_0)))))
(EQ (Permut
t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP1 intM_intP0) |@true|))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_permutation_po_3, File "HOME/tests/java/SelectionSort.java", line 87, characters 22-54
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|)
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP0 (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 j_3_0) result4)
(FORALL (intM_intP1)
(IMPLIES (AND
         (Swap
         t_0 (integer_of_int32 i_3_0) (integer_of_int32 mi0) intM_intP1 intM_intP0)
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_0) 
                                                  (integer_of_int32 mi0) 
                                                  (integer_of_int32 mi0)) 
                                                  (pset_range
                                                  (pset_singleton t_0) 
                                                  (integer_of_int32 i_3_0) 
                                                  (integer_of_int32 i_3_0)))))
(IMPLIES (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP1 intM_intP0) |@true|)
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 i_3_0) 1))
(FORALL (i_3_1)
(IMPLIES (EQ i_3_1 result5)
(EQ (Permut
t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP1 intM_intP) |@true|)))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_sorted_po_1, File "HOME/tests/java/SelectionSort.java", line 83, characters 21-34
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result) (Sorted t_0 0 (integer_of_int32 i_3) intM_intP))))))))))

;; SelectionSort_sort_ensures_sorted_po_2, File "HOME/tests/java/SelectionSort.java", line 84, characters 8-90
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (k1)
(FORALL (k2)
(IMPLIES (AND (<= 0 k1)
         (AND (< k1 (integer_of_int32 i_3))
         (AND (<= (integer_of_int32 i_3) k2)
         (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
(<= (integer_of_int32 (select intM_intP (shift t_0 k1))) (integer_of_int32
                                                         (select
                                                         intM_intP (shift
                                                                   t_0 k2))))))))))))))))

;; SelectionSort_sort_ensures_sorted_po_3, File "HOME/tests/java/SelectionSort.java", line 95, characters 25-36
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 (integer_of_int32 i_3_0) intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 (integer_of_int32 i_3_0))
         (AND (<= (integer_of_int32 i_3_0) k2)
         (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (integer_of_int32 (select intM_intP0 (shift t_0 k1))) (integer_of_int32
                                                                   (select
                                                                   intM_intP0 
                                                                   (shift
                                                                   t_0 k2)))))))
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP0 (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(EQ (integer_of_int32 mv)
(integer_of_int32 (select intM_intP0 (shift t_0 (integer_of_int32 mi))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_sorted_po_4, File "HOME/tests/java/SelectionSort.java", line 96, characters 12-56
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 (integer_of_int32 i_3_0) intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 (integer_of_int32 i_3_0))
         (AND (<= (integer_of_int32 i_3_0) k2)
         (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (integer_of_int32 (select intM_intP0 (shift t_0 k1))) (integer_of_int32
                                                                   (select
                                                                   intM_intP0 
                                                                   (shift
                                                                   t_0 k2)))))))
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP0 (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (k_0)
(IMPLIES (AND (<= (integer_of_int32 i_3_0) k_0)
         (< k_0 (integer_of_int32 j_3)))
(>= (integer_of_int32 (select intM_intP0 (shift t_0 k_0))) (integer_of_int32
                                                           mv)))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_sorted_po_5, File "HOME/tests/java/SelectionSort.java", line 95, characters 25-36
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 (integer_of_int32 i_3_0) intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 (integer_of_int32 i_3_0))
         (AND (<= (integer_of_int32 i_3_0) k2)
         (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (integer_of_int32 (select intM_intP0 (shift t_0 k1))) (integer_of_int32
                                                                   (select
                                                                   intM_intP0 
                                                                   (shift
                                                                   t_0 k2)))))))
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP0 (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND
         (EQ (integer_of_int32 mv0)
         (integer_of_int32
         (select intM_intP0 (shift t_0 (integer_of_int32 mi0)))))
         (FORALL (k_0)
         (IMPLIES
         (AND (<= (integer_of_int32 i_3_0) k_0)
         (< k_0 (integer_of_int32 j_3_0)))
         (>= (integer_of_int32 (select intM_intP0 (shift t_0 k_0))) (integer_of_int32
                                                                    mv0)))))
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(FORALL (result5)
(IMPLIES (EQ result5
         (select intM_intP0 (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (mi1)
(IMPLIES (EQ mi1 j_3_0)
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP0 (shift t_0 (integer_of_int32 j_3_0))))
(FORALL (mv1)
(IMPLIES (EQ mv1 result6)
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result7)
(EQ (integer_of_int32 mv1)
(integer_of_int32 (select intM_intP0 (shift t_0 (integer_of_int32 mi1)))))))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_sorted_po_6, File "HOME/tests/java/SelectionSort.java", line 96, characters 12-56
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 (integer_of_int32 i_3_0) intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 (integer_of_int32 i_3_0))
         (AND (<= (integer_of_int32 i_3_0) k2)
         (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (integer_of_int32 (select intM_intP0 (shift t_0 k1))) (integer_of_int32
                                                                   (select
                                                                   intM_intP0 
                                                                   (shift
                                                                   t_0 k2)))))))
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP0 (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND
         (EQ (integer_of_int32 mv0)
         (integer_of_int32
         (select intM_intP0 (shift t_0 (integer_of_int32 mi0)))))
         (FORALL (k_0)
         (IMPLIES
         (AND (<= (integer_of_int32 i_3_0) k_0)
         (< k_0 (integer_of_int32 j_3_0)))
         (>= (integer_of_int32 (select intM_intP0 (shift t_0 k_0))) (integer_of_int32
                                                                    mv0)))))
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(FORALL (result5)
(IMPLIES (EQ result5
         (select intM_intP0 (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (mi1)
(IMPLIES (EQ mi1 j_3_0)
(FORALL (result6)
(IMPLIES (EQ result6
         (select intM_intP0 (shift t_0 (integer_of_int32 j_3_0))))
(FORALL (mv1)
(IMPLIES (EQ mv1 result6)
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result7)
(FORALL (k_0)
(IMPLIES (AND (<= (integer_of_int32 i_3_0) k_0)
         (< k_0 (integer_of_int32 j_3_1)))
(>= (integer_of_int32 (select intM_intP0 (shift t_0 k_0))) (integer_of_int32
                                                           mv1))))))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_sorted_po_7, File "HOME/tests/java/SelectionSort.java", line 96, characters 12-56
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 (integer_of_int32 i_3_0) intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 (integer_of_int32 i_3_0))
         (AND (<= (integer_of_int32 i_3_0) k2)
         (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (integer_of_int32 (select intM_intP0 (shift t_0 k1))) (integer_of_int32
                                                                   (select
                                                                   intM_intP0 
                                                                   (shift
                                                                   t_0 k2)))))))
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP0 (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND
         (EQ (integer_of_int32 mv0)
         (integer_of_int32
         (select intM_intP0 (shift t_0 (integer_of_int32 mi0)))))
         (FORALL (k_0)
         (IMPLIES
         (AND (<= (integer_of_int32 i_3_0) k_0)
         (< k_0 (integer_of_int32 j_3_0)))
         (>= (integer_of_int32 (select intM_intP0 (shift t_0 k_0))) (integer_of_int32
                                                                    mv0)))))
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(FORALL (result5)
(IMPLIES (EQ result5
         (select intM_intP0 (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result6)
(FORALL (k_0)
(IMPLIES (AND (<= (integer_of_int32 i_3_0) k_0)
         (< k_0 (integer_of_int32 j_3_1)))
(>= (integer_of_int32 (select intM_intP0 (shift t_0 k_0))) (integer_of_int32
                                                           mv0))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_sorted_po_8, File "HOME/tests/java/SelectionSort.java", line 83, characters 21-34
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 (integer_of_int32 i_3_0) intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 (integer_of_int32 i_3_0))
         (AND (<= (integer_of_int32 i_3_0) k2)
         (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (integer_of_int32 (select intM_intP0 (shift t_0 k1))) (integer_of_int32
                                                                   (select
                                                                   intM_intP0 
                                                                   (shift
                                                                   t_0 k2)))))))
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP0 (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND
         (EQ (integer_of_int32 mv0)
         (integer_of_int32
         (select intM_intP0 (shift t_0 (integer_of_int32 mi0)))))
         (FORALL (k_0)
         (IMPLIES
         (AND (<= (integer_of_int32 i_3_0) k_0)
         (< k_0 (integer_of_int32 j_3_0)))
         (>= (integer_of_int32 (select intM_intP0 (shift t_0 k_0))) (integer_of_int32
                                                                    mv0)))))
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 j_3_0) result4)
(FORALL (intM_intP1)
(IMPLIES (AND
         (Swap
         t_0 (integer_of_int32 i_3_0) (integer_of_int32 mi0) intM_intP1 intM_intP0)
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_0) 
                                                  (integer_of_int32 mi0) 
                                                  (integer_of_int32 mi0)) 
                                                  (pset_range
                                                  (pset_singleton t_0) 
                                                  (integer_of_int32 i_3_0) 
                                                  (integer_of_int32 i_3_0)))))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 i_3_0) 1))
(FORALL (i_3_1)
(IMPLIES (EQ i_3_1 result5)
(Sorted t_0 0 (integer_of_int32 i_3_1) intM_intP1))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_sorted_po_9, File "HOME/tests/java/SelectionSort.java", line 84, characters 8-90
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 (integer_of_int32 i_3_0) intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 (integer_of_int32 i_3_0))
         (AND (<= (integer_of_int32 i_3_0) k2)
         (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (integer_of_int32 (select intM_intP0 (shift t_0 k1))) (integer_of_int32
                                                                   (select
                                                                   intM_intP0 
                                                                   (shift
                                                                   t_0 k2)))))))
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(FORALL (result2)
(IMPLIES (EQ result2
         (select intM_intP0 (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND
         (EQ (integer_of_int32 mv0)
         (integer_of_int32
         (select intM_intP0 (shift t_0 (integer_of_int32 mi0)))))
         (FORALL (k_0)
         (IMPLIES
         (AND (<= (integer_of_int32 i_3_0) k_0)
         (< k_0 (integer_of_int32 j_3_0)))
         (>= (integer_of_int32 (select intM_intP0 (shift t_0 k_0))) (integer_of_int32
                                                                    mv0)))))
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 j_3_0) result4)
(FORALL (intM_intP1)
(IMPLIES (AND
         (Swap
         t_0 (integer_of_int32 i_3_0) (integer_of_int32 mi0) intM_intP1 intM_intP0)
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_0) 
                                                  (integer_of_int32 mi0) 
                                                  (integer_of_int32 mi0)) 
                                                  (pset_range
                                                  (pset_singleton t_0) 
                                                  (integer_of_int32 i_3_0) 
                                                  (integer_of_int32 i_3_0)))))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 i_3_0) 1))
(FORALL (i_3_1)
(IMPLIES (EQ i_3_1 result5)
(FORALL (k1)
(FORALL (k2)
(IMPLIES (AND (<= 0 k1)
         (AND (< k1 (integer_of_int32 i_3_1))
         (AND (<= (integer_of_int32 i_3_1) k2)
         (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
(<= (integer_of_int32 (select intM_intP1 (shift t_0 k1))) (integer_of_int32
                                                          (select
                                                          intM_intP1 
                                                          (shift t_0 k2))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_ensures_sorted_po_10, File "HOME/tests/java/SelectionSort.java", line 74, characters 18-38
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 (integer_of_int32 i_3_0) intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 (integer_of_int32 i_3_0))
         (AND (<= (integer_of_int32 i_3_0) k2)
         (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (integer_of_int32 (select intM_intP0 (shift t_0 k1))) (integer_of_int32
                                                                   (select
                                                                   intM_intP0 
                                                                   (shift
                                                                   t_0 k2)))))))
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (>= (integer_of_int32 i_3_0) (integer_of_int32 result1))
(Sorted t_0 0 (+ (offset_max Object_alloc_table t_0) 1) intM_intP0))))))))))))))))))

;; SelectionSort_sort_safety_po_1, File "why/SelectionSort.why", line 1244, characters 65-317
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(>= (offset_max Object_alloc_table t_0) (- 0 1)))))))))))))

;; SelectionSort_sort_safety_po_2, File "HOME/tests/java/SelectionSort.java", line 90, characters 13-23
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(<= (- 0 constant_too_large_2147483648) (- result0 1))))))))))))))))

;; SelectionSort_sort_safety_po_3, File "HOME/tests/java/SelectionSort.java", line 90, characters 13-23
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(<= (- result0 1) constant_too_large_2147483647)))))))))))))))

;; SelectionSort_sort_safety_po_4, File "HOME/tests/java/SelectionSort.java", line 92, characters 10-14
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))))))))))))))))))))

;; SelectionSort_sort_safety_po_5, File "HOME/tests/java/SelectionSort.java", line 92, characters 10-14
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0))))))))))))))))))))

;; SelectionSort_sort_safety_po_6, File "HOME/tests/java/SelectionSort.java", line 101, characters 12-15
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_7, File "HOME/tests/java/SelectionSort.java", line 101, characters 12-15
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647)))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_8, File "HOME/tests/java/SelectionSort.java", line 102, characters 6-10
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0)))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_9, File "HOME/tests/java/SelectionSort.java", line 102, characters 6-10
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_10, File "HOME/tests/java/SelectionSort.jc", line 211, characters 30-36
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0))
         (<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (mi1)
(IMPLIES (EQ mi1 j_3_0)
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0))
         (<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(FORALL (mv1)
(IMPLIES (EQ mv1 result6)
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 j_3_0) 1)))))))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_11, File "HOME/tests/java/SelectionSort.jc", line 211, characters 30-36
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0))
         (<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (mi1)
(IMPLIES (EQ mi1 j_3_0)
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0))
         (<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(FORALL (mv1)
(IMPLIES (EQ mv1 result6)
(<= (+ (integer_of_int32 j_3_0) 1) constant_too_large_2147483647))))))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_12, File "HOME/tests/java/SelectionSort.java", line 99, characters 22-34
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0))
         (<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (mi1)
(IMPLIES (EQ mi1 j_3_0)
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0))
         (<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(FORALL (mv1)
(IMPLIES (EQ mv1 result6)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 j_3_0) 1))
         (<= (+ (integer_of_int32 j_3_0) 1) constant_too_large_2147483647))
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result7)
(<= 0 (- (+ (offset_max Object_alloc_table t_0) 1) (integer_of_int32 j_3_0)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_13, File "HOME/tests/java/SelectionSort.java", line 99, characters 22-34
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0))
         (<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (< (integer_of_int32 result5) (integer_of_int32 mv0))
(FORALL (mi1)
(IMPLIES (EQ mi1 j_3_0)
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0))
         (<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result6)
(IMPLIES (EQ result6 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(FORALL (mv1)
(IMPLIES (EQ mv1 result6)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 j_3_0) 1))
         (<= (+ (integer_of_int32 j_3_0) 1) constant_too_large_2147483647))
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result7)
(< (- (+ (offset_max Object_alloc_table t_0) 1) (integer_of_int32 j_3_1)) 
(- (+ (offset_max Object_alloc_table t_0) 1) (integer_of_int32 j_3_0)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_14, File "HOME/tests/java/SelectionSort.jc", line 211, characters 30-36
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0))
         (<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 mv0))
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 j_3_0) 1))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_15, File "HOME/tests/java/SelectionSort.jc", line 211, characters 30-36
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0))
         (<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 mv0))
(<= (+ (integer_of_int32 j_3_0) 1) constant_too_large_2147483647)))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_16, File "HOME/tests/java/SelectionSort.java", line 99, characters 22-34
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0))
         (<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 mv0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 j_3_0) 1))
         (<= (+ (integer_of_int32 j_3_0) 1) constant_too_large_2147483647))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result6)
(<= 0 (- (+ (offset_max Object_alloc_table t_0) 1) (integer_of_int32 j_3_0))))))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_17, File "HOME/tests/java/SelectionSort.java", line 99, characters 22-34
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< (integer_of_int32 j_3_0) result4)
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 j_3_0))
         (<= (integer_of_int32 j_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5 (select intM_intP (shift t_0 (integer_of_int32 j_3_0))))
(IMPLIES (>= (integer_of_int32 result5) (integer_of_int32 mv0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 j_3_0) 1))
         (<= (+ (integer_of_int32 j_3_0) 1) constant_too_large_2147483647))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (+ (integer_of_int32 j_3_0) 1))
(FORALL (j_3_1)
(IMPLIES (EQ j_3_1 result6)
(< (- (+ (offset_max Object_alloc_table t_0) 1) (integer_of_int32 j_3_1)) 
(- (+ (offset_max Object_alloc_table t_0) 1) (integer_of_int32 j_3_0))))))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_18, File "HOME/tests/java/SelectionSort.jc", line 218, characters 32-72
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 j_3_0) result4)
(Non_null_intM t_0 Object_alloc_table))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_19, File "HOME/tests/java/SelectionSort.jc", line 218, characters 32-72
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 j_3_0) result4)
(< (integer_of_int32 i_3_0) (+ (offset_max Object_alloc_table t_0) 1)))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_20, File "HOME/tests/java/SelectionSort.jc", line 218, characters 32-72
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 j_3_0) result4) (<= 0 (integer_of_int32 mi0)))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_21, File "HOME/tests/java/SelectionSort.jc", line 218, characters 32-72
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 j_3_0) result4)
(< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1)))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_22, File "HOME/tests/java/SelectionSort.java", line 88, characters 18-30
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 j_3_0) result4)
(IMPLIES (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 0 (integer_of_int32 i_3_0))
         (AND
         (< (integer_of_int32 i_3_0) (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))))
(FORALL (intM_intP0)
(IMPLIES (AND
         (Swap
         t_0 (integer_of_int32 i_3_0) (integer_of_int32 mi0) intM_intP0 intM_intP)
         (not_assigns
         Object_alloc_table intM_intP intM_intP0 (pset_union
                                                 (pset_range
                                                 (pset_singleton t_0) 
                                                 (integer_of_int32 mi0) 
                                                 (integer_of_int32 mi0)) 
                                                 (pset_range
                                                 (pset_singleton t_0) 
                                                 (integer_of_int32 i_3_0) 
                                                 (integer_of_int32 i_3_0)))))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 i_3_0) 1))
(FORALL (i_3_1)
(IMPLIES (EQ i_3_1 result5)
(<= 0 (- (+ (offset_max Object_alloc_table t_0) 1) (integer_of_int32 i_3_0))))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_sort_safety_po_23, File "HOME/tests/java/SelectionSort.java", line 88, characters 18-30
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (i_3)
(IMPLIES (EQ i_3 result)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 (integer_of_int32 i_3_0))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(IMPLIES (< (integer_of_int32 i_3_0) (integer_of_int32 result1))
(IMPLIES (AND
         (<= (offset_min Object_alloc_table t_0) (integer_of_int32 i_3_0))
         (<= (integer_of_int32 i_3_0) (offset_max Object_alloc_table t_0)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 (integer_of_int32 i_3_0))))
(FORALL (mv)
(IMPLIES (EQ mv result2)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) (+ (integer_of_int32 i_3_0) 1))
(FORALL (j_3)
(IMPLIES (EQ j_3 result3)
(FORALL (j_3_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< (integer_of_int32 i_3_0) (integer_of_int32 j_3_0))
         (AND (<= (integer_of_int32 i_3_0) (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result4)
(IMPLIES (AND (<= result4 constant_too_large_2147483647)
         (AND (>= result4 0)
         (EQ result4 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (integer_of_int32 j_3_0) result4)
(IMPLIES (AND (Non_null_intM t_0 Object_alloc_table)
         (AND (<= 0 (integer_of_int32 i_3_0))
         (AND
         (< (integer_of_int32 i_3_0) (+ (offset_max Object_alloc_table t_0) 1))
         (AND (<= 0 (integer_of_int32 mi0))
         (< (integer_of_int32 mi0) (+ (offset_max Object_alloc_table t_0) 1))))))
(FORALL (intM_intP0)
(IMPLIES (AND
         (Swap
         t_0 (integer_of_int32 i_3_0) (integer_of_int32 mi0) intM_intP0 intM_intP)
         (not_assigns
         Object_alloc_table intM_intP intM_intP0 (pset_union
                                                 (pset_range
                                                 (pset_singleton t_0) 
                                                 (integer_of_int32 mi0) 
                                                 (integer_of_int32 mi0)) 
                                                 (pset_range
                                                 (pset_singleton t_0) 
                                                 (integer_of_int32 i_3_0) 
                                                 (integer_of_int32 i_3_0)))))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 i_3_0) 1))
         (<= (+ (integer_of_int32 i_3_0) 1) constant_too_large_2147483647))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 i_3_0) 1))
(FORALL (i_3_1)
(IMPLIES (EQ i_3_1 result5)
(< (- (+ (offset_max Object_alloc_table t_0) 1) (integer_of_int32 i_3_1)) 
(- (+ (offset_max Object_alloc_table t_0) 1) (integer_of_int32 i_3_0))))))))))))))))))))))))))))))))))))))))))))))))))

;; SelectionSort_swap_ensures_default_po_1, File "HOME/tests/java/SelectionSort.java", line 64, characters 16-37
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 (integer_of_int32 i_2))
         (AND
         (< (integer_of_int32 i_2) (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 (integer_of_int32 j_2))
         (< (integer_of_int32 j_2) (+ (offset_max Object_alloc_table t) 1))))))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t (integer_of_int32 i_2))))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t (integer_of_int32 j_2))))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0
         (|why__store| intM_intP (shift t (integer_of_int32 i_2)) result0))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1
         (|why__store| intM_intP0 (shift t (integer_of_int32 j_2)) result))
(Swap t (integer_of_int32 i_2) (integer_of_int32 j_2) intM_intP1 intM_intP))))))))))))))))

;; SelectionSort_swap_ensures_default_po_2, File "HOME/tests/java/SelectionSort.java", line 66, characters 9-13
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 (integer_of_int32 i_2))
         (AND
         (< (integer_of_int32 i_2) (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 (integer_of_int32 j_2))
         (< (integer_of_int32 j_2) (+ (offset_max Object_alloc_table t) 1))))))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t (integer_of_int32 i_2))))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t (integer_of_int32 j_2))))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0
         (|why__store| intM_intP (shift t (integer_of_int32 i_2)) result0))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1
         (|why__store| intM_intP0 (shift t (integer_of_int32 j_2)) result))
(not_assigns
Object_alloc_table intM_intP intM_intP1 (pset_union
                                        (pset_range
                                        (pset_singleton t) (integer_of_int32
                                                           j_2) (integer_of_int32
                                                                j_2)) 
                                        (pset_range
                                        (pset_singleton t) (integer_of_int32
                                                           i_2) (integer_of_int32
                                                                i_2)))))))))))))))))))

;; SelectionSort_swap_safety_po_1, File "HOME/tests/java/SelectionSort.java", line 67, characters 11-15
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_2)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 (integer_of_int32 i_2))
         (AND
         (< (integer_of_int32 i_2) (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 (integer_of_int32 j_2))
         (< (integer_of_int32 j_2) (+ (offset_max Object_alloc_table t) 1))))))))
(<= (offset_min Object_alloc_table t) (integer_of_int32 i_2))))))))

;; SelectionSort_swap_safety_po_2, File "HOME/tests/java/SelectionSort.java", line 67, characters 11-15
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_2)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 (integer_of_int32 i_2))
         (AND
         (< (integer_of_int32 i_2) (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 (integer_of_int32 j_2))
         (< (integer_of_int32 j_2) (+ (offset_max Object_alloc_table t) 1))))))))
(<= (integer_of_int32 i_2) (offset_max Object_alloc_table t))))))))

;; SelectionSort_swap_safety_po_3, File "HOME/tests/java/SelectionSort.java", line 68, characters 8-12
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 (integer_of_int32 i_2))
         (AND
         (< (integer_of_int32 i_2) (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 (integer_of_int32 j_2))
         (< (integer_of_int32 j_2) (+ (offset_max Object_alloc_table t) 1))))))))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) (integer_of_int32 i_2))
         (<= (integer_of_int32 i_2) (offset_max Object_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t (integer_of_int32 i_2))))
(<= (offset_min Object_alloc_table t) (integer_of_int32 j_2))))))))))))

;; SelectionSort_swap_safety_po_4, File "HOME/tests/java/SelectionSort.java", line 68, characters 8-12
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_2)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_SelectionSort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 (integer_of_int32 i_2))
         (AND
         (< (integer_of_int32 i_2) (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 (integer_of_int32 j_2))
         (< (integer_of_int32 j_2) (+ (offset_max Object_alloc_table t) 1))))))))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) (integer_of_int32 i_2))
         (<= (integer_of_int32 i_2) (offset_max Object_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t (integer_of_int32 i_2))))
(<= (integer_of_int32 j_2) (offset_max Object_alloc_table t))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/SelectionSort_why.sx : .........................?........................... (52/0/1/0/0)
total   :  53
valid   :  52 ( 98%)
invalid :   0 (  0%)
unknown :   1 (  2%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/SelectionSort.why
========== file tests/java/why/SelectionSort_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic integer_of_int32 : int32 -> int

predicate Swap(a_0: Object pointer, i_0: int, j_0: int,
  intM_intP_at_L2: (Object, int32) memory, intM_intP_at_L1: (Object,
  int32) memory) =
  ((integer_of_int32(select(intM_intP_at_L1, shift(a_0,
   i_0))) = integer_of_int32(select(intM_intP_at_L2, shift(a_0, j_0)))) and
   ((integer_of_int32(select(intM_intP_at_L1, shift(a_0,
    j_0))) = integer_of_int32(select(intM_intP_at_L2, shift(a_0, i_0)))) and
    (forall k:int.
      (((k <> i_0) and (k <> j_0)) ->
       (integer_of_int32(select(intM_intP_at_L1, shift(a_0,
       k))) = integer_of_int32(select(intM_intP_at_L2, shift(a_0, k))))))))

logic Permut : Object pointer, int, int, (Object, int32) memory, (Object,
int32) memory -> prop

axiom Permut_inversion:
  (forall aux_1:Object pointer.
    (forall aux_2:int.
      (forall aux_3:int.
        (forall aux_4:(Object, int32) memory.
          (forall aux_5:(Object, int32) memory [Permut(aux_1, aux_2, aux_3,
            aux_4, aux_5)].
            (Permut(aux_1, aux_2, aux_3, aux_4, aux_5) ->
             ((exists intM_intP_at_L:(Object, int32) memory.
                (exists a_2:Object pointer.
                  (exists l_1:int.
                    (exists h_1:int.
                      ((aux_1 = a_2) and
                       ((aux_2 = l_1) and
                        ((aux_3 = h_1) and
                         ((aux_4 = intM_intP_at_L) and
                          (aux_5 = intM_intP_at_L))))))))) or
              ((exists intM_intP_at_L2:(Object, int32) memory.
                 (exists intM_intP_at_L1:(Object, int32) memory.
                   (exists a_3:Object pointer.
                     (exists l_2:int.
                       (exists h_2:int.
                         (Permut(a_3, l_2, h_2, intM_intP_at_L2,
                          intM_intP_at_L1) and
                          ((aux_1 = a_3) and
                           ((aux_2 = l_2) and
                            ((aux_3 = h_2) and
                             ((aux_4 = intM_intP_at_L1) and
                              (aux_5 = intM_intP_at_L2))))))))))) or
               ((exists intM_intP_at_L3:(Object, int32) memory.
                  (exists intM_intP_at_L2:(Object, int32) memory.
                    (exists intM_intP_at_L1:(Object, int32) memory.
                      (exists a_4:Object pointer.
                        (exists l_3:int.
                          (exists h_3:int.
                            ((Permut(a_4, l_3, h_3, intM_intP_at_L2,
                              intM_intP_at_L1) and Permut(a_4, l_3, h_3,
                              intM_intP_at_L3, intM_intP_at_L2)) and
                             ((aux_1 = a_4) and
                              ((aux_2 = l_3) and
                               ((aux_3 = h_3) and
                                ((aux_4 = intM_intP_at_L3) and
                                 (aux_5 = intM_intP_at_L1)))))))))))) or
                (exists intM_intP_at_L2:(Object, int32) memory.
                  (exists intM_intP_at_L1:(Object, int32) memory.
                    (exists a_5:Object pointer.
                      (exists l_4:int.
                        (exists h_4:int.
                          (exists i_1:int.
                            (exists j_1:int.
                              (((l_4 <= i_1) and
                                ((i_1 <= h_4) and
                                 ((l_4 <= j_1) and
                                  ((j_1 <= h_4) and Swap(a_5, i_1, j_1,
                                   intM_intP_at_L2, intM_intP_at_L1))))) and
                               ((aux_1 = a_5) and
                                ((aux_2 = l_4) and
                                 ((aux_3 = h_4) and
                                  ((aux_4 = intM_intP_at_L2) and
                                   (aux_5 = intM_intP_at_L1))))))))))))))))))))))

axiom Permut_refl:
  (forall intM_intP_at_L:(Object, int32) memory.
    (forall a_2:Object pointer.
      (forall l_1:int.
        (forall h_1:int. Permut(a_2, l_1, h_1, intM_intP_at_L,
          intM_intP_at_L)))))

axiom Permut_sym:
  (forall intM_intP_at_L2:(Object, int32) memory.
    (forall intM_intP_at_L1:(Object, int32) memory.
      (forall a_3:Object pointer.
        (forall l_2:int.
          (forall h_2:int.
            (Permut(a_3, l_2, h_2, intM_intP_at_L2, intM_intP_at_L1) ->
             Permut(a_3, l_2, h_2, intM_intP_at_L1, intM_intP_at_L2)))))))

axiom Permut_trans:
  (forall intM_intP_at_L3:(Object, int32) memory.
    (forall intM_intP_at_L2:(Object, int32) memory.
      (forall intM_intP_at_L1:(Object, int32) memory.
        (forall a_4:Object pointer.
          (forall l_3:int.
            (forall h_3:int.
              ((Permut(a_4, l_3, h_3, intM_intP_at_L2, intM_intP_at_L1) and
                Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L2)) ->
               Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L1))))))))

axiom Permut_swap:
  (forall intM_intP_at_L2:(Object, int32) memory.
    (forall intM_intP_at_L1:(Object, int32) memory.
      (forall a_5:Object pointer.
        (forall l_4:int.
          (forall h_4:int.
            (forall i_1:int.
              (forall j_1:int.
                (((l_4 <= i_1) and
                  ((i_1 <= h_4) and
                   ((l_4 <= j_1) and
                    ((j_1 <= h_4) and Swap(a_5, i_1, j_1, intM_intP_at_L2,
                     intM_intP_at_L1))))) ->
                 Permut(a_5, l_4, h_4, intM_intP_at_L2, intM_intP_at_L1)))))))))

logic SelectionSort_tag : Object tag_id

axiom SelectionSort_parenttag_Object: parenttag(SelectionSort_tag,
  Object_tag)

predicate Sorted(a: Object pointer, l: int, h: int, intM_intP_at_L: (Object,
  int32) memory) =
  (forall i:int.
    (forall j:int.
      (((l <= i) and ((i <= j) and (j < h))) ->
       (integer_of_int32(select(intM_intP_at_L, shift(a,
       i))) <= integer_of_int32(select(intM_intP_at_L, shift(a, j)))))))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_SelectionSort(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_SelectionSort(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_SelectionSort(p: Object pointer, a: int,
  b: int, Object_alloc_table: Object alloc_table) =
  strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_SelectionSort(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal SelectionSort_sort_ensures_default_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  ("JC_103": (0 <= integer_of_int32(i_3)))

goal SelectionSort_sort_ensures_default_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  ("JC_111": ("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3))))

goal SelectionSort_sort_ensures_default_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  ("JC_111": ("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi))))

goal SelectionSort_sort_ensures_default_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  ("JC_111":
  ("JC_110": (integer_of_int32(mi) < (offset_max(Object_alloc_table,
  t_0) + 1))))

goal SelectionSort_sort_ensures_default_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  ("JC_111": ("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_1))))

goal SelectionSort_sort_ensures_default_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  ("JC_111": ("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi1))))

goal SelectionSort_sort_ensures_default_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  ("JC_111":
  ("JC_110": (integer_of_int32(mi1) < (offset_max(Object_alloc_table,
  t_0) + 1))))

goal SelectionSort_sort_ensures_default_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result6) ->
  ("JC_111": ("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_1))))

goal SelectionSort_sort_ensures_default_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result6) ->
  ("JC_111": ("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))))

goal SelectionSort_sort_ensures_default_po_10:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result6) ->
  ("JC_111":
  ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
  t_0) + 1))))

goal SelectionSort_sort_ensures_default_po_11:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_103": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_111":
  (("JC_108": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_109": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_110": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP0, intM_intP)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i_3_0) + 1)) ->
  forall i_3_1:int32.
  (i_3_1 = result5) ->
  ("JC_103": (0 <= integer_of_int32(i_3_1)))

goal SelectionSort_sort_ensures_permutation_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  ("JC_139": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP, intM_intP))

goal SelectionSort_sort_ensures_permutation_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_139": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)) ->
  ("JC_140": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_150": true) ->
  ("JC_148":
  (("JC_145": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_146": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_147": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  forall intM_intP1:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  ("JC_154": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP1, intM_intP0))

goal SelectionSort_sort_ensures_permutation_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_139": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)) ->
  ("JC_140": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_150": true) ->
  ("JC_148":
  (("JC_145": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_146": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_147": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  forall intM_intP1:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  ("JC_154": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP1, intM_intP0)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i_3_0) + 1)) ->
  forall i_3_1:int32.
  (i_3_1 = result5) ->
  ("JC_139": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP1, intM_intP))

goal SelectionSort_sort_ensures_sorted_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  ("JC_120": ("JC_118": Sorted(t_0, 0, integer_of_int32(i_3), intM_intP)))

goal SelectionSort_sort_ensures_sorted_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and
   ((k1 < integer_of_int32(i_3)) and
    ((integer_of_int32(i_3) <= k2) and (k2 < (offset_max(Object_alloc_table,
     t_0) + 1))))) ->
  ("JC_120":
  ("JC_119": (integer_of_int32(select(intM_intP, shift(t_0,
  k1))) <= integer_of_int32(select(intM_intP, shift(t_0, k2))))))

goal SelectionSort_sort_ensures_sorted_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  ("JC_128":
  ("JC_126": (integer_of_int32(mv) = integer_of_int32(select(intM_intP0,
  shift(t_0, integer_of_int32(mi)))))))

goal SelectionSort_sort_ensures_sorted_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall k_0:int.
  ((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3))) ->
  ("JC_128":
  ("JC_127": (integer_of_int32(select(intM_intP0, shift(t_0,
  k_0))) >= integer_of_int32(mv))))

goal SelectionSort_sort_ensures_sorted_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_128":
  (("JC_126": (integer_of_int32(mv0) = integer_of_int32(select(intM_intP0,
   shift(t_0, integer_of_int32(mi0)))))) and
   ("JC_127":
   (forall k_0:int.
     (((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_0))) ->
      (integer_of_int32(select(intM_intP0, shift(t_0,
      k_0))) >= integer_of_int32(mv0))))))) ->
  ("JC_132":
  (("JC_129": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_130": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_131": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP0, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  forall result6:int32.
  (result6 = select(intM_intP0, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  ("JC_128":
  ("JC_126": (integer_of_int32(mv1) = integer_of_int32(select(intM_intP0,
  shift(t_0, integer_of_int32(mi1)))))))

goal SelectionSort_sort_ensures_sorted_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_128":
  (("JC_126": (integer_of_int32(mv0) = integer_of_int32(select(intM_intP0,
   shift(t_0, integer_of_int32(mi0)))))) and
   ("JC_127":
   (forall k_0:int.
     (((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_0))) ->
      (integer_of_int32(select(intM_intP0, shift(t_0,
      k_0))) >= integer_of_int32(mv0))))))) ->
  ("JC_132":
  (("JC_129": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_130": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_131": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP0, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  forall result6:int32.
  (result6 = select(intM_intP0, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  forall k_0:int.
  ((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_1))) ->
  ("JC_128":
  ("JC_127": (integer_of_int32(select(intM_intP0, shift(t_0,
  k_0))) >= integer_of_int32(mv1))))

goal SelectionSort_sort_ensures_sorted_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_128":
  (("JC_126": (integer_of_int32(mv0) = integer_of_int32(select(intM_intP0,
   shift(t_0, integer_of_int32(mi0)))))) and
   ("JC_127":
   (forall k_0:int.
     (((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_0))) ->
      (integer_of_int32(select(intM_intP0, shift(t_0,
      k_0))) >= integer_of_int32(mv0))))))) ->
  ("JC_132":
  (("JC_129": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_130": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_131": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  forall result5:int32.
  (result5 = select(intM_intP0, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result6) ->
  forall k_0:int.
  ((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_1))) ->
  ("JC_128":
  ("JC_127": (integer_of_int32(select(intM_intP0, shift(t_0,
  k_0))) >= integer_of_int32(mv0))))

goal SelectionSort_sort_ensures_sorted_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_128":
  (("JC_126": (integer_of_int32(mv0) = integer_of_int32(select(intM_intP0,
   shift(t_0, integer_of_int32(mi0)))))) and
   ("JC_127":
   (forall k_0:int.
     (((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_0))) ->
      (integer_of_int32(select(intM_intP0, shift(t_0,
      k_0))) >= integer_of_int32(mv0))))))) ->
  ("JC_132":
  (("JC_129": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_130": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_131": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  forall intM_intP1:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i_3_0) + 1)) ->
  forall i_3_1:int32.
  (i_3_1 = result5) ->
  ("JC_120": ("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_1), intM_intP1)))

goal SelectionSort_sort_ensures_sorted_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  forall result2:int32.
  (result2 = select(intM_intP0, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_128":
  (("JC_126": (integer_of_int32(mv0) = integer_of_int32(select(intM_intP0,
   shift(t_0, integer_of_int32(mi0)))))) and
   ("JC_127":
   (forall k_0:int.
     (((integer_of_int32(i_3_0) <= k_0) and (k_0 < integer_of_int32(j_3_0))) ->
      (integer_of_int32(select(intM_intP0, shift(t_0,
      k_0))) >= integer_of_int32(mv0))))))) ->
  ("JC_132":
  (("JC_129": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_130": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_131": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  forall intM_intP1:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i_3_0) + 1)) ->
  forall i_3_1:int32.
  (i_3_1 = result5) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and
   ((k1 < integer_of_int32(i_3_1)) and
    ((integer_of_int32(i_3_1) <= k2) and
     (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ("JC_120":
  ("JC_119": (integer_of_int32(select(intM_intP1, shift(t_0,
  k1))) <= integer_of_int32(select(intM_intP1, shift(t_0, k2))))))

goal SelectionSort_sort_ensures_sorted_po_10:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_120":
  (("JC_118": Sorted(t_0, 0, integer_of_int32(i_3_0), intM_intP0)) and
   ("JC_119":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < integer_of_int32(i_3_0)) and
          ((integer_of_int32(i_3_0) <= k2) and
           (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (integer_of_int32(select(intM_intP0, shift(t_0,
        k1))) <= integer_of_int32(select(intM_intP0, shift(t_0, k2)))))))))) ->
  ("JC_121": (0 <= integer_of_int32(i_3_0))) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) >= integer_of_int32(result1)) ->
  ("JC_73": Sorted(t_0, 0, (offset_max(Object_alloc_table, t_0) + 1),
  intM_intP0))

goal SelectionSort_sort_safety_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1))

goal SelectionSort_sort_safety_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ((-2147483648) <= (result0 - 1))

goal SelectionSort_sort_safety_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ((result0 - 1) <= 2147483647)

goal SelectionSort_sort_safety_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  (offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0))

goal SelectionSort_sort_safety_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))

goal SelectionSort_sort_safety_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  ((-2147483648) <= (integer_of_int32(i_3_0) + 1))

goal SelectionSort_sort_safety_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  ((integer_of_int32(i_3_0) + 1) <= 2147483647)

goal SelectionSort_sort_safety_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  (offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0))

goal SelectionSort_sort_safety_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))

goal SelectionSort_sort_safety_po_10:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  ((-2147483648) <= (integer_of_int32(j_3_0) + 1))

goal SelectionSort_sort_safety_po_11:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  ((integer_of_int32(j_3_0) + 1) <= 2147483647)

goal SelectionSort_sort_safety_po_12:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  (((-2147483648) <= (integer_of_int32(j_3_0) + 1)) and
   ((integer_of_int32(j_3_0) + 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  (0 <= ("JC_98": ((offset_max(Object_alloc_table,
        t_0) + 1) - integer_of_int32(j_3_0))))

goal SelectionSort_sort_safety_po_13:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) < integer_of_int32(mv0)) ->
  forall mi1:int32.
  (mi1 = j_3_0) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result6:int32.
  (result6 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  forall mv1:int32.
  (mv1 = result6) ->
  (((-2147483648) <= (integer_of_int32(j_3_0) + 1)) and
   ((integer_of_int32(j_3_0) + 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result7) ->
  (("JC_98": ((offset_max(Object_alloc_table,
   t_0) + 1) - integer_of_int32(j_3_1))) < ("JC_98":
                                           ((offset_max(Object_alloc_table,
                                           t_0) + 1) - integer_of_int32(j_3_0))))

goal SelectionSort_sort_safety_po_14:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  ((-2147483648) <= (integer_of_int32(j_3_0) + 1))

goal SelectionSort_sort_safety_po_15:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  ((integer_of_int32(j_3_0) + 1) <= 2147483647)

goal SelectionSort_sort_safety_po_16:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  (((-2147483648) <= (integer_of_int32(j_3_0) + 1)) and
   ((integer_of_int32(j_3_0) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result6) ->
  (0 <= ("JC_98": ((offset_max(Object_alloc_table,
        t_0) + 1) - integer_of_int32(j_3_0))))

goal SelectionSort_sort_safety_po_17:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  forall mv0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) < result4) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(j_3_0)) and
   (integer_of_int32(j_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intM_intP, shift(t_0, integer_of_int32(j_3_0)))) ->
  (integer_of_int32(result5) >= integer_of_int32(mv0)) ->
  (((-2147483648) <= (integer_of_int32(j_3_0) + 1)) and
   ((integer_of_int32(j_3_0) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(j_3_0) + 1)) ->
  forall j_3_1:int32.
  (j_3_1 = result6) ->
  (("JC_98": ((offset_max(Object_alloc_table,
   t_0) + 1) - integer_of_int32(j_3_1))) < ("JC_98":
                                           ((offset_max(Object_alloc_table,
                                           t_0) + 1) - integer_of_int32(j_3_0))))

goal SelectionSort_sort_safety_po_18:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  ("JC_44": ("JC_39": Non_null_intM(t_0, Object_alloc_table)))

goal SelectionSort_sort_safety_po_19:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  ("JC_44":
  ("JC_41": (integer_of_int32(i_3_0) < (offset_max(Object_alloc_table,
  t_0) + 1))))

goal SelectionSort_sort_safety_po_20:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  ("JC_44": ("JC_42": (0 <= integer_of_int32(mi0))))

goal SelectionSort_sort_safety_po_21:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  ("JC_44":
  ("JC_43": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
  t_0) + 1))))

goal SelectionSort_sort_safety_po_22:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  ("JC_44":
  (("JC_39": Non_null_intM(t_0, Object_alloc_table)) and
   (("JC_40": (0 <= integer_of_int32(i_3_0))) and
    (("JC_41": (integer_of_int32(i_3_0) < (offset_max(Object_alloc_table,
     t_0) + 1))) and
     (("JC_42": (0 <= integer_of_int32(mi0))) and
      ("JC_43": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
      t_0) + 1)))))))) ->
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP0, intM_intP)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i_3_0) + 1)) ->
  forall i_3_1:int32.
  (i_3_1 = result5) ->
  (0 <= ("JC_102": ((offset_max(Object_alloc_table,
        t_0) + 1) - integer_of_int32(i_3_0))))

goal SelectionSort_sort_safety_po_23:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i_3:int32.
  (i_3 = result) ->
  forall i_3_0:int32.
  forall intM_intP:(Object,
  int32) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= integer_of_int32(i_3_0))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  (integer_of_int32(i_3_0) < integer_of_int32(result1)) ->
  ((offset_min(Object_alloc_table, t_0) <= integer_of_int32(i_3_0)) and
   (integer_of_int32(i_3_0) <= offset_max(Object_alloc_table, t_0))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(t_0, integer_of_int32(i_3_0)))) ->
  forall mv:int32.
  (mv = result2) ->
  forall mi:int32.
  (mi = i_3_0) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i_3_0) + 1)) ->
  forall j_3:int32.
  (j_3 = result3) ->
  forall j_3_0:int32.
  forall mi0:int32.
  ("JC_91": true) ->
  ("JC_89":
  (("JC_86": (integer_of_int32(i_3_0) < integer_of_int32(j_3_0))) and
   (("JC_87": (integer_of_int32(i_3_0) <= integer_of_int32(mi0))) and
    ("JC_88": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
    t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result4:int.
  ("JC_25":
  ((result4 <= 2147483647) and
   ((result4 >= 0) and (result4 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (integer_of_int32(j_3_0) >= result4) ->
  ("JC_44":
  (("JC_39": Non_null_intM(t_0, Object_alloc_table)) and
   (("JC_40": (0 <= integer_of_int32(i_3_0))) and
    (("JC_41": (integer_of_int32(i_3_0) < (offset_max(Object_alloc_table,
     t_0) + 1))) and
     (("JC_42": (0 <= integer_of_int32(mi0))) and
      ("JC_43": (integer_of_int32(mi0) < (offset_max(Object_alloc_table,
      t_0) + 1)))))))) ->
  forall intM_intP0:(Object,
  int32) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, integer_of_int32(i_3_0), integer_of_int32(mi0),
   intM_intP0, intM_intP)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_union(pset_range(pset_singleton(t_0), integer_of_int32(mi0),
   integer_of_int32(mi0)), pset_range(pset_singleton(t_0),
   integer_of_int32(i_3_0), integer_of_int32(i_3_0))))))) ->
  (((-2147483648) <= (integer_of_int32(i_3_0) + 1)) and
   ((integer_of_int32(i_3_0) + 1) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i_3_0) + 1)) ->
  forall i_3_1:int32.
  (i_3_1 = result5) ->
  (("JC_102": ((offset_max(Object_alloc_table,
   t_0) + 1) - integer_of_int32(i_3_1))) < ("JC_102":
                                           ((offset_max(Object_alloc_table,
                                           t_0) + 1) - integer_of_int32(i_3_0))))

goal SelectionSort_swap_ensures_default_po_1:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int32.
  forall j_2:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= integer_of_int32(i_2))) and
      (("JC_48": (integer_of_int32(i_2) < (offset_max(Object_alloc_table,
       t) + 1))) and
       (("JC_49": (0 <= integer_of_int32(j_2))) and
        ("JC_50": (integer_of_int32(j_2) < (offset_max(Object_alloc_table,
        t) + 1)))))))))) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, integer_of_int32(i_2)))) ->
  forall result0:int32.
  (result0 = select(intM_intP, shift(t, integer_of_int32(j_2)))) ->
  forall intM_intP0:(Object,
  int32) memory.
  (intM_intP0 = store(intM_intP, shift(t, integer_of_int32(i_2)),
  result0)) ->
  forall intM_intP1:(Object,
  int32) memory.
  (intM_intP1 = store(intM_intP0, shift(t, integer_of_int32(j_2)),
  result)) ->
  ("JC_55":
  ("JC_53": Swap(t, integer_of_int32(i_2), integer_of_int32(j_2), intM_intP1,
  intM_intP)))

goal SelectionSort_swap_ensures_default_po_2:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int32.
  forall j_2:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= integer_of_int32(i_2))) and
      (("JC_48": (integer_of_int32(i_2) < (offset_max(Object_alloc_table,
       t) + 1))) and
       (("JC_49": (0 <= integer_of_int32(j_2))) and
        ("JC_50": (integer_of_int32(j_2) < (offset_max(Object_alloc_table,
        t) + 1)))))))))) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, integer_of_int32(i_2)))) ->
  forall result0:int32.
  (result0 = select(intM_intP, shift(t, integer_of_int32(j_2)))) ->
  forall intM_intP0:(Object,
  int32) memory.
  (intM_intP0 = store(intM_intP, shift(t, integer_of_int32(i_2)),
  result0)) ->
  forall intM_intP1:(Object,
  int32) memory.
  (intM_intP1 = store(intM_intP0, shift(t, integer_of_int32(j_2)),
  result)) ->
  ("JC_55":
  ("JC_54": not_assigns(Object_alloc_table, intM_intP, intM_intP1,
  pset_union(pset_range(pset_singleton(t), integer_of_int32(j_2),
  integer_of_int32(j_2)), pset_range(pset_singleton(t),
  integer_of_int32(i_2), integer_of_int32(i_2))))))

goal SelectionSort_swap_safety_po_1:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int32.
  forall j_2:int32.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= integer_of_int32(i_2))) and
      (("JC_48": (integer_of_int32(i_2) < (offset_max(Object_alloc_table,
       t) + 1))) and
       (("JC_49": (0 <= integer_of_int32(j_2))) and
        ("JC_50": (integer_of_int32(j_2) < (offset_max(Object_alloc_table,
        t) + 1)))))))))) ->
  (offset_min(Object_alloc_table, t) <= integer_of_int32(i_2))

goal SelectionSort_swap_safety_po_2:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int32.
  forall j_2:int32.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= integer_of_int32(i_2))) and
      (("JC_48": (integer_of_int32(i_2) < (offset_max(Object_alloc_table,
       t) + 1))) and
       (("JC_49": (0 <= integer_of_int32(j_2))) and
        ("JC_50": (integer_of_int32(j_2) < (offset_max(Object_alloc_table,
        t) + 1)))))))))) ->
  (integer_of_int32(i_2) <= offset_max(Object_alloc_table, t))

goal SelectionSort_swap_safety_po_3:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int32.
  forall j_2:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= integer_of_int32(i_2))) and
      (("JC_48": (integer_of_int32(i_2) < (offset_max(Object_alloc_table,
       t) + 1))) and
       (("JC_49": (0 <= integer_of_int32(j_2))) and
        ("JC_50": (integer_of_int32(j_2) < (offset_max(Object_alloc_table,
        t) + 1)))))))))) ->
  ((offset_min(Object_alloc_table, t) <= integer_of_int32(i_2)) and
   (integer_of_int32(i_2) <= offset_max(Object_alloc_table, t))) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, integer_of_int32(i_2)))) ->
  (offset_min(Object_alloc_table, t) <= integer_of_int32(j_2))

goal SelectionSort_swap_safety_po_4:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int32.
  forall j_2:int32.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_SelectionSort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= integer_of_int32(i_2))) and
      (("JC_48": (integer_of_int32(i_2) < (offset_max(Object_alloc_table,
       t) + 1))) and
       (("JC_49": (0 <= integer_of_int32(j_2))) and
        ("JC_50": (integer_of_int32(j_2) < (offset_max(Object_alloc_table,
        t) + 1)))))))))) ->
  ((offset_min(Object_alloc_table, t) <= integer_of_int32(i_2)) and
   (integer_of_int32(i_2) <= offset_max(Object_alloc_table, t))) ->
  forall result:int32.
  (result = select(intM_intP, shift(t, integer_of_int32(i_2)))) ->
  (integer_of_int32(j_2) <= offset_max(Object_alloc_table, t))

why-2.34/tests/java/oracle/Switch.res.oracle0000644000175000017500000055263312311670312017403 0ustar  rtusers========== file tests/java/Switch.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

public class Switch {

    /*@ behavior normal:
      @   assigns \nothing;
      @   ensures (n==0 || n==1) <==> \result == 0;
      @*/
    public static int test1 (int n) {
	int r;
	switch(n) {
	case 0:
	case 1:
	    r = 0;
	    break;
	default:
	    r = 2;
	}
	return r;
    }

    /*@ behavior normal:
      @   assigns \nothing;
      @   ensures ((n==4 || n==7) <==> \result == 1) &&
      @            ((n==0 || n==1) <==> \result == 0);
      @*/
    public static int test2 (int n) {
	int r;
	switch(n) {
	case 0:
	case 1:
	    r = 0;
	    break;
	case 4:
	case 7:
	    r = 1;
	    break;
	case 12:
	default:
	case 26:
	    r = 2;
	}
	return r;
    }

}

/*
Local Variables:
compile-command: "make Switch.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Switch_test2 for method Switch.test2
Generating JC function cons_Switch for constructor Switch
Generating JC function Switch_test1 for method Switch.test1
Done.
========== file tests/java/Switch.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Switch = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

int32 Switch_test2(int32 n_0)
behavior normal:
  assigns \nothing;
  ensures (K_3 : ((K_2 : (((n_0 == 4) || (n_0 == 7)) <==> (\result == 1))) &&
                   (K_1 : (((n_0 == 0) || (n_0 == 1)) <==> (\result == 0)))));
{  
   {  
      (var int32 r);
      
      {  
         switch (n_0) {
           case 0:
           case 1:
           {  (r = 0);
              
              (break )
           }
           case 4:
           case 7:
           {  (r = 1);
              
              (break )
           }
           case 12:
           default:
           case 26:
           {  (r = 2)
           }
         };
         
         (return r)
      }
   }
}

unit cons_Switch(! Switch[0] this_0){()}

int32 Switch_test1(int32 n)
behavior normal:
  assigns \nothing;
  ensures (K_4 : (((n == 0) || (n == 1)) <==> (\result == 0)));
{  
   {  
      (var int32 r_0);
      
      {  
         switch (n) {
           case 0:
           case 1:
           {  (r_0 = 0);
              
              (break )
           }
           default:
           {  (r_0 = 2)
           }
         };
         
         (return r_0)
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Switch.jloc tests/java/Switch.jc && make -f tests/java/Switch.makefile gui"
End:
*/
========== file tests/java/Switch.jloc ==========
[Switch_test1]
name = "Method test1"
file = "HOME/tests/java/Switch.java"
line = 38
begin = 22
end = 27

[K_1]
file = "HOME/tests/java/Switch.java"
line = 54
begin = 20
end = 52

[cons_Switch]
name = "Constructor of class Switch"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_4]
file = "HOME/tests/java/Switch.java"
line = 36
begin = 18
end = 50

[K_2]
file = "HOME/tests/java/Switch.java"
line = 53
begin = 19
end = 51

[K_3]
file = "HOME/tests/java/Switch.java"
line = 53
begin = 18
end = 109

[Switch_test2]
name = "Method test2"
file = "HOME/tests/java/Switch.java"
line = 56
begin = 22
end = 27

========== jessie execution ==========
Generating Why function Switch_test2
Generating Why function cons_Switch
Generating Why function Switch_test1
========== file tests/java/Switch.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Switch.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Switch.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Switch_why.sx

project: why/Switch.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Switch_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Switch_why.vo

coq/Switch_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Switch_why.v: why/Switch.why
	@echo 'why -coq [...] why/Switch.why' && $(WHY) $(JESSIELIBFILES) why/Switch.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Switch_ctx_why.vo
	for f in why/*_po*.why; do make -f Switch.makefile coq/`basename $$f .why`_why.v ; done

coq/Switch_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Switch_ctx_why.v: why/Switch_ctx.why
	@echo 'why -coq [...] why/Switch_ctx.why' && $(WHY) why/Switch_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Switch_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Switch_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Switch_ctx_why.vo

pvs: pvs/Switch_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Switch_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Switch_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Switch_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Switch_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Switch_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Switch_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Switch_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Switch_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Switch_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Switch_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Switch_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Switch_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Switch_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Switch_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Switch.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Switch_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Switch.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Switch.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Switch.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Switch.depend

depend: coq/Switch_why.v
	-$(COQDEP) -I coq coq/Switch*_why.v > Switch.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Switch.loc ==========
[JC_51]
file = "HOME/tests/java/Switch.java"
line = 36
begin = 18
end = 50

[JC_45]
file = "HOME/tests/java/Switch.java"
line = 38
begin = 22
end = 27

[Switch_test1_ensures_normal]
name = "Method test1"
behavior = "Behavior `normal'"
file = "HOME/tests/java/Switch.java"
line = 38
begin = 22
end = 27

[JC_31]
file = "HOME/tests/java/Switch.java"
line = 53
begin = 19
end = 51

[JC_17]
file = "HOME/tests/java/Switch.jc"
line = 47
begin = 11
end = 65

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Switch.jc"
line = 45
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/tests/java/Switch.jc"
line = 93
begin = 10
end = 18

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/Switch.jc"
line = 93
begin = 10
end = 18

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[Switch_test2_ensures_normal]
name = "Method test2"
behavior = "Behavior `normal'"
file = "HOME/tests/java/Switch.java"
line = 56
begin = 22
end = 27

[JC_11]
file = "HOME/tests/java/Switch.jc"
line = 45
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Switch_safety]
name = "Constructor of class Switch"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[Switch_test2_ensures_default]
name = "Method test2"
behavior = "default behavior"
file = "HOME/tests/java/Switch.java"
line = 56
begin = 22
end = 27

[JC_27]
file = "HOME/tests/java/Switch.java"
line = 53
begin = 19
end = 51

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[Switch_test2_safety]
name = "Method test2"
behavior = "Safety"
file = "HOME/tests/java/Switch.java"
line = 56
begin = 22
end = 27

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Switch.java"
line = 54
begin = 20
end = 52

[JC_33]
file = "HOME/tests/java/Switch.java"
line = 53
begin = 18
end = 109

[cons_Switch_ensures_default]
name = "Constructor of class Switch"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Switch.java"
line = 53
begin = 18
end = 109

[Switch_test1_safety]
name = "Method test1"
behavior = "Safety"
file = "HOME/tests/java/Switch.java"
line = 38
begin = 22
end = 27

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/Switch.java"
line = 38
begin = 22
end = 27

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/java/Switch.jc"
line = 56
begin = 10
end = 18

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/java/Switch.java"
line = 36
begin = 18
end = 50

[JC_21]
file = "HOME/tests/java/Switch.java"
line = 56
begin = 22
end = 27

[Switch_test1_ensures_default]
name = "Method test1"
behavior = "default behavior"
file = "HOME/tests/java/Switch.java"
line = 38
begin = 22
end = 27

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Switch.jc"
line = 20
begin = 12
end = 22

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Switch.jc"
line = 47
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Switch.jc"
line = 20
begin = 12
end = 22

[JC_19]
file = "HOME/tests/java/Switch.java"
line = 56
begin = 22
end = 27

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/java/Switch.jc"
line = 56
begin = 10
end = 18

[JC_28]
file = "HOME/tests/java/Switch.java"
line = 54
begin = 20
end = 52

========== file tests/java/why/Switch.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Switch_tag:  -> Object tag_id

axiom Switch_parenttag_Object : parenttag(Switch_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Switch(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Switch(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Switch(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Switch(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

parameter Switch_test1 :
 n:int32 ->
  { } int32
  { (JC_53:
    (((integer_of_int32(n) = (0)) or (integer_of_int32(n) = (1)))
    <-> (integer_of_int32(result) = (0)))) }

parameter Switch_test1_requires :
 n:int32 ->
  { } int32
  { (JC_53:
    (((integer_of_int32(n) = (0)) or (integer_of_int32(n) = (1)))
    <-> (integer_of_int32(result) = (0)))) }

parameter Switch_test2 :
 n_0:int32 ->
  { } int32
  { (JC_33:
    ((JC_31:
     (((integer_of_int32(n_0) = (4)) or (integer_of_int32(n_0) = (7)))
     <-> (integer_of_int32(result) = (1))))
    and (JC_32:
        (((integer_of_int32(n_0) = (0)) or (integer_of_int32(n_0) = (1)))
        <-> (integer_of_int32(result) = (0)))))) }

parameter Switch_test2_requires :
 n_0:int32 ->
  { } int32
  { (JC_33:
    ((JC_31:
     (((integer_of_int32(n_0) = (4)) or (integer_of_int32(n_0) = (7)))
     <-> (integer_of_int32(result) = (1))))
    and (JC_32:
        (((integer_of_int32(n_0) = (0)) or (integer_of_int32(n_0) = (1)))
        <-> (integer_of_int32(result) = (0)))))) }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Switch :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Switch(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Switch_tag)))) }

parameter alloc_struct_Switch_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Switch(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Switch_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Switch :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Switch_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Switch_test1_ensures_default =
 fun (n : int32) ->
  { (JC_46: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r_0 = ref (any_int32 void) in
     begin
       (let _jessie_ = n in
       try
        (if (((eq_int_ (integer_of_int32 _jessie_)) (1)) || ((eq_int_ 
                                                               (integer_of_int32 _jessie_)) (0)))
        then
         begin
           (let _jessie_ = (r_0 := (safe_int32_of_integer_ (0))) in void);
          (raise (Loop_exit_exc void)) end
        else
         (if true
         then
          (let _jessie_ =
          begin   (r_0 := (safe_int32_of_integer_ (2))); !r_0 end in void)
         else void)) with Loop_exit_exc _jessie_ -> void end);
      (return := !r_0); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_47: true) }

let Switch_test1_ensures_normal =
 fun (n : int32) ->
  { (JC_46: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r_0 = ref (any_int32 void) in
     begin
       (let _jessie_ = n in
       try
        (if (((eq_int_ (integer_of_int32 _jessie_)) (1)) || ((eq_int_ 
                                                               (integer_of_int32 _jessie_)) (0)))
        then
         begin
           (let _jessie_ = (r_0 := (safe_int32_of_integer_ (0))) in void);
          (raise (Loop_exit_exc void)) end
        else
         (if true
         then
          (let _jessie_ =
          begin   (r_0 := (safe_int32_of_integer_ (2))); !r_0 end in void)
         else void)) with Loop_exit_exc _jessie_ -> void end);
      (return := !r_0); (raise Return) end); absurd  end with Return ->
   !return end))
  { (JC_51:
    (((integer_of_int32(n) = (0)) or (integer_of_int32(n) = (1)))
    <-> (integer_of_int32(result) = (0)))) }

let Switch_test1_safety =
 fun (n : int32) ->
  { (JC_46: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r_0 = ref (any_int32 void) in
     begin
       (let _jessie_ = n in
       try
        (if (((eq_int_ (integer_of_int32 _jessie_)) (1)) || ((eq_int_ 
                                                               (integer_of_int32 _jessie_)) (0)))
        then
         begin
           (let _jessie_ = (r_0 := (safe_int32_of_integer_ (0))) in void);
          (raise (Loop_exit_exc void)) end
        else
         (if true
         then
          (let _jessie_ =
          begin   (r_0 := (safe_int32_of_integer_ (2))); !r_0 end in void)
         else void)) with Loop_exit_exc _jessie_ -> void end);
      (return := !r_0); (raise Return) end); absurd  end with Return ->
   !return end)) { true }

let Switch_test2_ensures_default =
 fun (n_0 : int32) ->
  { (JC_22: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r = ref (any_int32 void) in
     begin
       (let _jessie_ = n_0 in
       try
        (if (((eq_int_ (integer_of_int32 _jessie_)) (1)) || ((eq_int_ 
                                                               (integer_of_int32 _jessie_)) (0)))
        then
         begin
           (let _jessie_ = (r := (safe_int32_of_integer_ (0))) in void);
          (raise (Loop_exit_exc void)) end
        else
         (if (((eq_int_ (integer_of_int32 _jessie_)) (7)) || ((eq_int_ 
                                                                (integer_of_int32 _jessie_)) (4)))
         then
          begin
            (let _jessie_ = (r := (safe_int32_of_integer_ (1))) in void);
           (raise (Loop_exit_exc void)) end
         else
          (if (((eq_int_ (integer_of_int32 _jessie_)) (26)) || (true || 
                                                                ((eq_int_ 
                                                                  (integer_of_int32 _jessie_)) (12))))
          then
           (let _jessie_ =
           begin   (r := (safe_int32_of_integer_ (2))); !r end in void)
          else void))) with Loop_exit_exc _jessie_ -> void end);
      (return := !r); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_23: true) }

let Switch_test2_ensures_normal =
 fun (n_0 : int32) ->
  { (JC_22: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r = ref (any_int32 void) in
     begin
       (let _jessie_ = n_0 in
       try
        (if (((eq_int_ (integer_of_int32 _jessie_)) (1)) || ((eq_int_ 
                                                               (integer_of_int32 _jessie_)) (0)))
        then
         begin
           (let _jessie_ = (r := (safe_int32_of_integer_ (0))) in void);
          (raise (Loop_exit_exc void)) end
        else
         (if (((eq_int_ (integer_of_int32 _jessie_)) (7)) || ((eq_int_ 
                                                                (integer_of_int32 _jessie_)) (4)))
         then
          begin
            (let _jessie_ = (r := (safe_int32_of_integer_ (1))) in void);
           (raise (Loop_exit_exc void)) end
         else
          (if (((eq_int_ (integer_of_int32 _jessie_)) (26)) || (true || 
                                                                ((eq_int_ 
                                                                  (integer_of_int32 _jessie_)) (12))))
          then
           (let _jessie_ =
           begin   (r := (safe_int32_of_integer_ (2))); !r end in void)
          else void))) with Loop_exit_exc _jessie_ -> void end);
      (return := !r); (raise Return) end); absurd  end with Return ->
   !return end))
  { (JC_29:
    ((JC_27:
     (((integer_of_int32(n_0) = (4)) or (integer_of_int32(n_0) = (7)))
     <-> (integer_of_int32(result) = (1))))
    and (JC_28:
        (((integer_of_int32(n_0) = (0)) or (integer_of_int32(n_0) = (1)))
        <-> (integer_of_int32(result) = (0)))))) }

let Switch_test2_safety =
 fun (n_0 : int32) ->
  { (JC_22: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let r = ref (any_int32 void) in
     begin
       (let _jessie_ = n_0 in
       try
        (if (((eq_int_ (integer_of_int32 _jessie_)) (1)) || ((eq_int_ 
                                                               (integer_of_int32 _jessie_)) (0)))
        then
         begin
           (let _jessie_ = (r := (safe_int32_of_integer_ (0))) in void);
          (raise (Loop_exit_exc void)) end
        else
         (if (((eq_int_ (integer_of_int32 _jessie_)) (7)) || ((eq_int_ 
                                                                (integer_of_int32 _jessie_)) (4)))
         then
          begin
            (let _jessie_ = (r := (safe_int32_of_integer_ (1))) in void);
           (raise (Loop_exit_exc void)) end
         else
          (if (((eq_int_ (integer_of_int32 _jessie_)) (26)) || (true || 
                                                                ((eq_int_ 
                                                                  (integer_of_int32 _jessie_)) (12))))
          then
           (let _jessie_ =
           begin   (r := (safe_int32_of_integer_ (2))); !r end in void)
          else void))) with Loop_exit_exc _jessie_ -> void end);
      (return := !r); (raise Return) end); absurd  end with Return ->
   !return end)) { true }

let cons_Switch_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Switch(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_39: true) }

let cons_Switch_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Switch(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Switch.why
========== file tests/java/why/Switch.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/Switch_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Switch_tag : Object tag_id

axiom Switch_parenttag_Object: parenttag(Switch_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Switch(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Switch(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Switch(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Switch(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Switch_po1.why ==========
goal Switch_test1_ensures_normal_po_1:
  forall n:int32.
  ("JC_46": true) ->
  ((integer_of_int32(n) = 1) or
   ((integer_of_int32(n) <> 1) and (integer_of_int32(n) = 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall r_0:int32.
  (r_0 = result) ->
  forall return:int32.
  (return = r_0) ->
  ((integer_of_int32(n) = 0) or (integer_of_int32(n) = 1)) ->
  ("JC_51": (integer_of_int32(return) = 0))

========== file tests/java/why/Switch_po10.why ==========
goal Switch_test2_ensures_normal_po_6:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) = 7) or
   ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) = 4))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  (integer_of_int32(return) = 1) ->
  ("JC_29":
  ("JC_27": ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7))))

========== file tests/java/why/Switch_po11.why ==========
goal Switch_test2_ensures_normal_po_7:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) = 7) or
   ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) = 4))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1)) ->
  ("JC_29": ("JC_28": (integer_of_int32(return) = 0)))

========== file tests/java/why/Switch_po12.why ==========
goal Switch_test2_ensures_normal_po_8:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) = 7) or
   ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) = 4))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  (integer_of_int32(return) = 0) ->
  ("JC_29":
  ("JC_28": ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1))))

========== file tests/java/why/Switch_po13.why ==========
goal Switch_test2_ensures_normal_po_9:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) = 26) or
   ((integer_of_int32(n_0) <> 26) and
    ((true = true) or ((true = false) and (integer_of_int32(n_0) = 12))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 2) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7)) ->
  ("JC_29": ("JC_27": (integer_of_int32(return) = 1)))

========== file tests/java/why/Switch_po14.why ==========
goal Switch_test2_ensures_normal_po_10:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) = 26) or
   ((integer_of_int32(n_0) <> 26) and
    ((true = true) or ((true = false) and (integer_of_int32(n_0) = 12))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 2) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  (integer_of_int32(return) = 1) ->
  ("JC_29":
  ("JC_27": ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7))))

========== file tests/java/why/Switch_po15.why ==========
goal Switch_test2_ensures_normal_po_11:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) = 26) or
   ((integer_of_int32(n_0) <> 26) and
    ((true = true) or ((true = false) and (integer_of_int32(n_0) = 12))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 2) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1)) ->
  ("JC_29": ("JC_28": (integer_of_int32(return) = 0)))

========== file tests/java/why/Switch_po16.why ==========
goal Switch_test2_ensures_normal_po_12:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) = 26) or
   ((integer_of_int32(n_0) <> 26) and
    ((true = true) or ((true = false) and (integer_of_int32(n_0) = 12))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 2) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  (integer_of_int32(return) = 0) ->
  ("JC_29":
  ("JC_28": ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1))))

========== file tests/java/why/Switch_po17.why ==========
goal Switch_test2_ensures_normal_po_13:
  forall n_0:int32.
  ("JC_22": true) ->
  forall result:int32.
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) <> 26) and
   ((true = false) and (integer_of_int32(n_0) <> 12))) ->
  forall return:int32.
  (return = result) ->
  ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7)) ->
  ("JC_29": ("JC_27": (integer_of_int32(return) = 1)))

========== file tests/java/why/Switch_po18.why ==========
goal Switch_test2_ensures_normal_po_14:
  forall n_0:int32.
  ("JC_22": true) ->
  forall result:int32.
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) <> 26) and
   ((true = false) and (integer_of_int32(n_0) <> 12))) ->
  forall return:int32.
  (return = result) ->
  (integer_of_int32(return) = 1) ->
  ("JC_29":
  ("JC_27": ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7))))

========== file tests/java/why/Switch_po19.why ==========
goal Switch_test2_ensures_normal_po_15:
  forall n_0:int32.
  ("JC_22": true) ->
  forall result:int32.
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) <> 26) and
   ((true = false) and (integer_of_int32(n_0) <> 12))) ->
  forall return:int32.
  (return = result) ->
  ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1)) ->
  ("JC_29": ("JC_28": (integer_of_int32(return) = 0)))

========== file tests/java/why/Switch_po2.why ==========
goal Switch_test1_ensures_normal_po_2:
  forall n:int32.
  ("JC_46": true) ->
  ((integer_of_int32(n) = 1) or
   ((integer_of_int32(n) <> 1) and (integer_of_int32(n) = 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall r_0:int32.
  (r_0 = result) ->
  forall return:int32.
  (return = r_0) ->
  (integer_of_int32(return) = 0) ->
  ("JC_51": ((integer_of_int32(n) = 0) or (integer_of_int32(n) = 1)))

========== file tests/java/why/Switch_po20.why ==========
goal Switch_test2_ensures_normal_po_16:
  forall n_0:int32.
  ("JC_22": true) ->
  forall result:int32.
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) <> 26) and
   ((true = false) and (integer_of_int32(n_0) <> 12))) ->
  forall return:int32.
  (return = result) ->
  (integer_of_int32(return) = 0) ->
  ("JC_29":
  ("JC_28": ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1))))

========== file tests/java/why/Switch_po3.why ==========
goal Switch_test1_ensures_normal_po_3:
  forall n:int32.
  ("JC_46": true) ->
  ((integer_of_int32(n) <> 1) and (integer_of_int32(n) <> 0)) ->
  forall result:int32.
  (integer_of_int32(result) = 2) ->
  forall r_0:int32.
  (r_0 = result) ->
  forall return:int32.
  (return = r_0) ->
  ((integer_of_int32(n) = 0) or (integer_of_int32(n) = 1)) ->
  ("JC_51": (integer_of_int32(return) = 0))

========== file tests/java/why/Switch_po4.why ==========
goal Switch_test1_ensures_normal_po_4:
  forall n:int32.
  ("JC_46": true) ->
  ((integer_of_int32(n) <> 1) and (integer_of_int32(n) <> 0)) ->
  forall result:int32.
  (integer_of_int32(result) = 2) ->
  forall r_0:int32.
  (r_0 = result) ->
  forall return:int32.
  (return = r_0) ->
  (integer_of_int32(return) = 0) ->
  ("JC_51": ((integer_of_int32(n) = 0) or (integer_of_int32(n) = 1)))

========== file tests/java/why/Switch_po5.why ==========
goal Switch_test2_ensures_normal_po_1:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) = 1) or
   ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) = 0))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7)) ->
  ("JC_29": ("JC_27": (integer_of_int32(return) = 1)))

========== file tests/java/why/Switch_po6.why ==========
goal Switch_test2_ensures_normal_po_2:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) = 1) or
   ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) = 0))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  (integer_of_int32(return) = 1) ->
  ("JC_29":
  ("JC_27": ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7))))

========== file tests/java/why/Switch_po7.why ==========
goal Switch_test2_ensures_normal_po_3:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) = 1) or
   ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) = 0))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1)) ->
  ("JC_29": ("JC_28": (integer_of_int32(return) = 0)))

========== file tests/java/why/Switch_po8.why ==========
goal Switch_test2_ensures_normal_po_4:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) = 1) or
   ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) = 0))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  (integer_of_int32(return) = 0) ->
  ("JC_29":
  ("JC_28": ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1))))

========== file tests/java/why/Switch_po9.why ==========
goal Switch_test2_ensures_normal_po_5:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) = 7) or
   ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) = 4))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7)) ->
  ("JC_29": ("JC_27": (integer_of_int32(return) = 1)))

========== generation of Simplify VC output ==========
why -simplify [...] why/Switch.why
========== file tests/java/simplify/Switch_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Switch_parenttag_Object
 (EQ (parenttag Switch_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Switch p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Switch p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Switch p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Switch p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Switch_test1_ensures_normal_po_1, File "HOME/tests/java/Switch.java", line 36, characters 18-50
(FORALL (n)
(IMPLIES TRUE
(IMPLIES (OR (EQ (integer_of_int32 n) 1)
         (AND (NEQ (integer_of_int32 n) 1) (EQ (integer_of_int32 n) 0)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (r_0)
(IMPLIES (EQ r_0 result)
(FORALL (return)
(IMPLIES (EQ return r_0)
(IMPLIES (OR (EQ (integer_of_int32 n) 0) (EQ (integer_of_int32 n) 1))
(EQ (integer_of_int32 return) 0)))))))))))

;; Switch_test1_ensures_normal_po_2, File "HOME/tests/java/Switch.java", line 36, characters 18-50
(FORALL (n)
(IMPLIES TRUE
(IMPLIES (OR (EQ (integer_of_int32 n) 1)
         (AND (NEQ (integer_of_int32 n) 1) (EQ (integer_of_int32 n) 0)))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (r_0)
(IMPLIES (EQ r_0 result)
(FORALL (return)
(IMPLIES (EQ return r_0)
(IMPLIES (EQ (integer_of_int32 return) 0)
(OR (EQ (integer_of_int32 n) 0) (EQ (integer_of_int32 n) 1))))))))))))

;; Switch_test1_ensures_normal_po_3, File "HOME/tests/java/Switch.java", line 36, characters 18-50
(FORALL (n)
(IMPLIES TRUE
(IMPLIES (AND (NEQ (integer_of_int32 n) 1) (NEQ (integer_of_int32 n) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 2)
(FORALL (r_0)
(IMPLIES (EQ r_0 result)
(FORALL (return)
(IMPLIES (EQ return r_0)
(IMPLIES (OR (EQ (integer_of_int32 n) 0) (EQ (integer_of_int32 n) 1))
(EQ (integer_of_int32 return) 0)))))))))))

;; Switch_test1_ensures_normal_po_4, File "HOME/tests/java/Switch.java", line 36, characters 18-50
(FORALL (n)
(IMPLIES TRUE
(IMPLIES (AND (NEQ (integer_of_int32 n) 1) (NEQ (integer_of_int32 n) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 2)
(FORALL (r_0)
(IMPLIES (EQ r_0 result)
(FORALL (return)
(IMPLIES (EQ return r_0)
(IMPLIES (EQ (integer_of_int32 return) 0)
(OR (EQ (integer_of_int32 n) 0) (EQ (integer_of_int32 n) 1))))))))))))

;; Switch_test2_ensures_normal_po_1, File "HOME/tests/java/Switch.java", line 53, characters 19-51
(FORALL (n_0)
(IMPLIES TRUE
(IMPLIES (OR (EQ (integer_of_int32 n_0) 1)
         (AND (NEQ (integer_of_int32 n_0) 1) (EQ (integer_of_int32 n_0) 0)))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (r)
(IMPLIES (EQ r result0)
(FORALL (return)
(IMPLIES (EQ return r)
(IMPLIES (OR (EQ (integer_of_int32 n_0) 4) (EQ (integer_of_int32 n_0) 7))
(EQ (integer_of_int32 return) 1)))))))))))

;; Switch_test2_ensures_normal_po_2, File "HOME/tests/java/Switch.java", line 53, characters 19-51
(FORALL (n_0)
(IMPLIES TRUE
(IMPLIES (OR (EQ (integer_of_int32 n_0) 1)
         (AND (NEQ (integer_of_int32 n_0) 1) (EQ (integer_of_int32 n_0) 0)))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (r)
(IMPLIES (EQ r result0)
(FORALL (return)
(IMPLIES (EQ return r)
(IMPLIES (EQ (integer_of_int32 return) 1)
(OR (EQ (integer_of_int32 n_0) 4) (EQ (integer_of_int32 n_0) 7))))))))))))

;; Switch_test2_ensures_normal_po_3, File "HOME/tests/java/Switch.java", line 54, characters 20-52
(FORALL (n_0)
(IMPLIES TRUE
(IMPLIES (OR (EQ (integer_of_int32 n_0) 1)
         (AND (NEQ (integer_of_int32 n_0) 1) (EQ (integer_of_int32 n_0) 0)))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (r)
(IMPLIES (EQ r result0)
(FORALL (return)
(IMPLIES (EQ return r)
(IMPLIES (OR (EQ (integer_of_int32 n_0) 0) (EQ (integer_of_int32 n_0) 1))
(EQ (integer_of_int32 return) 0)))))))))))

;; Switch_test2_ensures_normal_po_4, File "HOME/tests/java/Switch.java", line 54, characters 20-52
(FORALL (n_0)
(IMPLIES TRUE
(IMPLIES (OR (EQ (integer_of_int32 n_0) 1)
         (AND (NEQ (integer_of_int32 n_0) 1) (EQ (integer_of_int32 n_0) 0)))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 0)
(FORALL (r)
(IMPLIES (EQ r result0)
(FORALL (return)
(IMPLIES (EQ return r)
(IMPLIES (EQ (integer_of_int32 return) 0)
(OR (EQ (integer_of_int32 n_0) 0) (EQ (integer_of_int32 n_0) 1))))))))))))

;; Switch_test2_ensures_normal_po_5, File "HOME/tests/java/Switch.java", line 53, characters 19-51
(FORALL (n_0)
(IMPLIES TRUE
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 1) (NEQ (integer_of_int32 n_0) 0))
(IMPLIES (OR (EQ (integer_of_int32 n_0) 7)
         (AND (NEQ (integer_of_int32 n_0) 7) (EQ (integer_of_int32 n_0) 4)))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 1)
(FORALL (r)
(IMPLIES (EQ r result0)
(FORALL (return)
(IMPLIES (EQ return r)
(IMPLIES (OR (EQ (integer_of_int32 n_0) 4) (EQ (integer_of_int32 n_0) 7))
(EQ (integer_of_int32 return) 1))))))))))))

;; Switch_test2_ensures_normal_po_6, File "HOME/tests/java/Switch.java", line 53, characters 19-51
(FORALL (n_0)
(IMPLIES TRUE
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 1) (NEQ (integer_of_int32 n_0) 0))
(IMPLIES (OR (EQ (integer_of_int32 n_0) 7)
         (AND (NEQ (integer_of_int32 n_0) 7) (EQ (integer_of_int32 n_0) 4)))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 1)
(FORALL (r)
(IMPLIES (EQ r result0)
(FORALL (return)
(IMPLIES (EQ return r)
(IMPLIES (EQ (integer_of_int32 return) 1)
(OR (EQ (integer_of_int32 n_0) 4) (EQ (integer_of_int32 n_0) 7)))))))))))))

;; Switch_test2_ensures_normal_po_7, File "HOME/tests/java/Switch.java", line 54, characters 20-52
(FORALL (n_0)
(IMPLIES TRUE
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 1) (NEQ (integer_of_int32 n_0) 0))
(IMPLIES (OR (EQ (integer_of_int32 n_0) 7)
         (AND (NEQ (integer_of_int32 n_0) 7) (EQ (integer_of_int32 n_0) 4)))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 1)
(FORALL (r)
(IMPLIES (EQ r result0)
(FORALL (return)
(IMPLIES (EQ return r)
(IMPLIES (OR (EQ (integer_of_int32 n_0) 0) (EQ (integer_of_int32 n_0) 1))
(EQ (integer_of_int32 return) 0))))))))))))

;; Switch_test2_ensures_normal_po_8, File "HOME/tests/java/Switch.java", line 54, characters 20-52
(FORALL (n_0)
(IMPLIES TRUE
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 1) (NEQ (integer_of_int32 n_0) 0))
(IMPLIES (OR (EQ (integer_of_int32 n_0) 7)
         (AND (NEQ (integer_of_int32 n_0) 7) (EQ (integer_of_int32 n_0) 4)))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 1)
(FORALL (r)
(IMPLIES (EQ r result0)
(FORALL (return)
(IMPLIES (EQ return r)
(IMPLIES (EQ (integer_of_int32 return) 0)
(OR (EQ (integer_of_int32 n_0) 0) (EQ (integer_of_int32 n_0) 1)))))))))))))

;; Switch_test2_ensures_normal_po_9, File "HOME/tests/java/Switch.java", line 53, characters 19-51
(FORALL (n_0)
(IMPLIES TRUE
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 1) (NEQ (integer_of_int32 n_0) 0))
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 7) (NEQ (integer_of_int32 n_0) 4))
(IMPLIES (OR (EQ (integer_of_int32 n_0) 26)
         (AND (NEQ (integer_of_int32 n_0) 26)
         (OR (EQ |@true| |@true|)
         (AND (EQ |@true| |@false|) (EQ (integer_of_int32 n_0) 12)))))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 2)
(FORALL (r)
(IMPLIES (EQ r result0)
(FORALL (return)
(IMPLIES (EQ return r)
(IMPLIES (OR (EQ (integer_of_int32 n_0) 4) (EQ (integer_of_int32 n_0) 7))
(EQ (integer_of_int32 return) 1)))))))))))))

;; Switch_test2_ensures_normal_po_10, File "HOME/tests/java/Switch.java", line 53, characters 19-51
(FORALL (n_0)
(IMPLIES TRUE
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 1) (NEQ (integer_of_int32 n_0) 0))
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 7) (NEQ (integer_of_int32 n_0) 4))
(IMPLIES (OR (EQ (integer_of_int32 n_0) 26)
         (AND (NEQ (integer_of_int32 n_0) 26)
         (OR (EQ |@true| |@true|)
         (AND (EQ |@true| |@false|) (EQ (integer_of_int32 n_0) 12)))))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 2)
(FORALL (r)
(IMPLIES (EQ r result0)
(FORALL (return)
(IMPLIES (EQ return r)
(IMPLIES (EQ (integer_of_int32 return) 1)
(OR (EQ (integer_of_int32 n_0) 4) (EQ (integer_of_int32 n_0) 7))))))))))))))

;; Switch_test2_ensures_normal_po_11, File "HOME/tests/java/Switch.java", line 54, characters 20-52
(FORALL (n_0)
(IMPLIES TRUE
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 1) (NEQ (integer_of_int32 n_0) 0))
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 7) (NEQ (integer_of_int32 n_0) 4))
(IMPLIES (OR (EQ (integer_of_int32 n_0) 26)
         (AND (NEQ (integer_of_int32 n_0) 26)
         (OR (EQ |@true| |@true|)
         (AND (EQ |@true| |@false|) (EQ (integer_of_int32 n_0) 12)))))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 2)
(FORALL (r)
(IMPLIES (EQ r result0)
(FORALL (return)
(IMPLIES (EQ return r)
(IMPLIES (OR (EQ (integer_of_int32 n_0) 0) (EQ (integer_of_int32 n_0) 1))
(EQ (integer_of_int32 return) 0)))))))))))))

;; Switch_test2_ensures_normal_po_12, File "HOME/tests/java/Switch.java", line 54, characters 20-52
(FORALL (n_0)
(IMPLIES TRUE
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 1) (NEQ (integer_of_int32 n_0) 0))
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 7) (NEQ (integer_of_int32 n_0) 4))
(IMPLIES (OR (EQ (integer_of_int32 n_0) 26)
         (AND (NEQ (integer_of_int32 n_0) 26)
         (OR (EQ |@true| |@true|)
         (AND (EQ |@true| |@false|) (EQ (integer_of_int32 n_0) 12)))))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) 2)
(FORALL (r)
(IMPLIES (EQ r result0)
(FORALL (return)
(IMPLIES (EQ return r)
(IMPLIES (EQ (integer_of_int32 return) 0)
(OR (EQ (integer_of_int32 n_0) 0) (EQ (integer_of_int32 n_0) 1))))))))))))))

;; Switch_test2_ensures_normal_po_13, File "HOME/tests/java/Switch.java", line 53, characters 19-51
(FORALL (n_0)
(IMPLIES TRUE
(FORALL (result)
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 1) (NEQ (integer_of_int32 n_0) 0))
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 7) (NEQ (integer_of_int32 n_0) 4))
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 26)
         (AND (EQ |@true| |@false|) (NEQ (integer_of_int32 n_0) 12)))
(FORALL (return)
(IMPLIES (EQ return result)
(IMPLIES (OR (EQ (integer_of_int32 n_0) 4) (EQ (integer_of_int32 n_0) 7))
(EQ (integer_of_int32 return) 1))))))))))

;; Switch_test2_ensures_normal_po_14, File "HOME/tests/java/Switch.java", line 53, characters 19-51
(FORALL (n_0)
(IMPLIES TRUE
(FORALL (result)
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 1) (NEQ (integer_of_int32 n_0) 0))
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 7) (NEQ (integer_of_int32 n_0) 4))
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 26)
         (AND (EQ |@true| |@false|) (NEQ (integer_of_int32 n_0) 12)))
(FORALL (return)
(IMPLIES (EQ return result)
(IMPLIES (EQ (integer_of_int32 return) 1)
(OR (EQ (integer_of_int32 n_0) 4) (EQ (integer_of_int32 n_0) 7)))))))))))

;; Switch_test2_ensures_normal_po_15, File "HOME/tests/java/Switch.java", line 54, characters 20-52
(FORALL (n_0)
(IMPLIES TRUE
(FORALL (result)
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 1) (NEQ (integer_of_int32 n_0) 0))
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 7) (NEQ (integer_of_int32 n_0) 4))
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 26)
         (AND (EQ |@true| |@false|) (NEQ (integer_of_int32 n_0) 12)))
(FORALL (return)
(IMPLIES (EQ return result)
(IMPLIES (OR (EQ (integer_of_int32 n_0) 0) (EQ (integer_of_int32 n_0) 1))
(EQ (integer_of_int32 return) 0))))))))))

;; Switch_test2_ensures_normal_po_16, File "HOME/tests/java/Switch.java", line 54, characters 20-52
(FORALL (n_0)
(IMPLIES TRUE
(FORALL (result)
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 1) (NEQ (integer_of_int32 n_0) 0))
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 7) (NEQ (integer_of_int32 n_0) 4))
(IMPLIES (AND (NEQ (integer_of_int32 n_0) 26)
         (AND (EQ |@true| |@false|) (NEQ (integer_of_int32 n_0) 12)))
(FORALL (return)
(IMPLIES (EQ return result)
(IMPLIES (EQ (integer_of_int32 return) 0)
(OR (EQ (integer_of_int32 n_0) 0) (EQ (integer_of_int32 n_0) 1)))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Switch_why.sx        : .................... (20/0/0/0/0)
total   :  20
valid   :  20 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Switch.why
========== file tests/java/why/Switch_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Switch_tag : Object tag_id

axiom Switch_parenttag_Object: parenttag(Switch_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Switch(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Switch(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Switch(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Switch(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Switch_test1_ensures_normal_po_1:
  forall n:int32.
  ("JC_46": true) ->
  ((integer_of_int32(n) = 1) or
   ((integer_of_int32(n) <> 1) and (integer_of_int32(n) = 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall r_0:int32.
  (r_0 = result) ->
  forall return:int32.
  (return = r_0) ->
  ((integer_of_int32(n) = 0) or (integer_of_int32(n) = 1)) ->
  ("JC_51": (integer_of_int32(return) = 0))

goal Switch_test1_ensures_normal_po_2:
  forall n:int32.
  ("JC_46": true) ->
  ((integer_of_int32(n) = 1) or
   ((integer_of_int32(n) <> 1) and (integer_of_int32(n) = 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall r_0:int32.
  (r_0 = result) ->
  forall return:int32.
  (return = r_0) ->
  (integer_of_int32(return) = 0) ->
  ("JC_51": ((integer_of_int32(n) = 0) or (integer_of_int32(n) = 1)))

goal Switch_test1_ensures_normal_po_3:
  forall n:int32.
  ("JC_46": true) ->
  ((integer_of_int32(n) <> 1) and (integer_of_int32(n) <> 0)) ->
  forall result:int32.
  (integer_of_int32(result) = 2) ->
  forall r_0:int32.
  (r_0 = result) ->
  forall return:int32.
  (return = r_0) ->
  ((integer_of_int32(n) = 0) or (integer_of_int32(n) = 1)) ->
  ("JC_51": (integer_of_int32(return) = 0))

goal Switch_test1_ensures_normal_po_4:
  forall n:int32.
  ("JC_46": true) ->
  ((integer_of_int32(n) <> 1) and (integer_of_int32(n) <> 0)) ->
  forall result:int32.
  (integer_of_int32(result) = 2) ->
  forall r_0:int32.
  (r_0 = result) ->
  forall return:int32.
  (return = r_0) ->
  (integer_of_int32(return) = 0) ->
  ("JC_51": ((integer_of_int32(n) = 0) or (integer_of_int32(n) = 1)))

goal Switch_test2_ensures_normal_po_1:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) = 1) or
   ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) = 0))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7)) ->
  ("JC_29": ("JC_27": (integer_of_int32(return) = 1)))

goal Switch_test2_ensures_normal_po_2:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) = 1) or
   ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) = 0))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  (integer_of_int32(return) = 1) ->
  ("JC_29":
  ("JC_27": ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7))))

goal Switch_test2_ensures_normal_po_3:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) = 1) or
   ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) = 0))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1)) ->
  ("JC_29": ("JC_28": (integer_of_int32(return) = 0)))

goal Switch_test2_ensures_normal_po_4:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) = 1) or
   ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) = 0))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  (integer_of_int32(return) = 0) ->
  ("JC_29":
  ("JC_28": ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1))))

goal Switch_test2_ensures_normal_po_5:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) = 7) or
   ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) = 4))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7)) ->
  ("JC_29": ("JC_27": (integer_of_int32(return) = 1)))

goal Switch_test2_ensures_normal_po_6:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) = 7) or
   ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) = 4))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  (integer_of_int32(return) = 1) ->
  ("JC_29":
  ("JC_27": ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7))))

goal Switch_test2_ensures_normal_po_7:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) = 7) or
   ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) = 4))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1)) ->
  ("JC_29": ("JC_28": (integer_of_int32(return) = 0)))

goal Switch_test2_ensures_normal_po_8:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) = 7) or
   ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) = 4))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 1) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  (integer_of_int32(return) = 0) ->
  ("JC_29":
  ("JC_28": ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1))))

goal Switch_test2_ensures_normal_po_9:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) = 26) or
   ((integer_of_int32(n_0) <> 26) and
    ((true = true) or ((true = false) and (integer_of_int32(n_0) = 12))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 2) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7)) ->
  ("JC_29": ("JC_27": (integer_of_int32(return) = 1)))

goal Switch_test2_ensures_normal_po_10:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) = 26) or
   ((integer_of_int32(n_0) <> 26) and
    ((true = true) or ((true = false) and (integer_of_int32(n_0) = 12))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 2) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  (integer_of_int32(return) = 1) ->
  ("JC_29":
  ("JC_27": ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7))))

goal Switch_test2_ensures_normal_po_11:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) = 26) or
   ((integer_of_int32(n_0) <> 26) and
    ((true = true) or ((true = false) and (integer_of_int32(n_0) = 12))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 2) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1)) ->
  ("JC_29": ("JC_28": (integer_of_int32(return) = 0)))

goal Switch_test2_ensures_normal_po_12:
  forall n_0:int32.
  ("JC_22": true) ->
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) = 26) or
   ((integer_of_int32(n_0) <> 26) and
    ((true = true) or ((true = false) and (integer_of_int32(n_0) = 12))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = 2) ->
  forall r:int32.
  (r = result0) ->
  forall return:int32.
  (return = r) ->
  (integer_of_int32(return) = 0) ->
  ("JC_29":
  ("JC_28": ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1))))

goal Switch_test2_ensures_normal_po_13:
  forall n_0:int32.
  ("JC_22": true) ->
  forall result:int32.
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) <> 26) and
   ((true = false) and (integer_of_int32(n_0) <> 12))) ->
  forall return:int32.
  (return = result) ->
  ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7)) ->
  ("JC_29": ("JC_27": (integer_of_int32(return) = 1)))

goal Switch_test2_ensures_normal_po_14:
  forall n_0:int32.
  ("JC_22": true) ->
  forall result:int32.
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) <> 26) and
   ((true = false) and (integer_of_int32(n_0) <> 12))) ->
  forall return:int32.
  (return = result) ->
  (integer_of_int32(return) = 1) ->
  ("JC_29":
  ("JC_27": ((integer_of_int32(n_0) = 4) or (integer_of_int32(n_0) = 7))))

goal Switch_test2_ensures_normal_po_15:
  forall n_0:int32.
  ("JC_22": true) ->
  forall result:int32.
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) <> 26) and
   ((true = false) and (integer_of_int32(n_0) <> 12))) ->
  forall return:int32.
  (return = result) ->
  ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1)) ->
  ("JC_29": ("JC_28": (integer_of_int32(return) = 0)))

goal Switch_test2_ensures_normal_po_16:
  forall n_0:int32.
  ("JC_22": true) ->
  forall result:int32.
  ((integer_of_int32(n_0) <> 1) and (integer_of_int32(n_0) <> 0)) ->
  ((integer_of_int32(n_0) <> 7) and (integer_of_int32(n_0) <> 4)) ->
  ((integer_of_int32(n_0) <> 26) and
   ((true = false) and (integer_of_int32(n_0) <> 12))) ->
  forall return:int32.
  (return = result) ->
  (integer_of_int32(return) = 0) ->
  ("JC_29":
  ("JC_28": ((integer_of_int32(n_0) = 0) or (integer_of_int32(n_0) = 1))))

why-2.34/tests/java/oracle/Fresh3.res.oracle0000644000175000017500000063427112311670312017273 0ustar  rtusers========== file tests/java/Fresh3.java ==========

//@+ SeparationPolicy = None

class Int { int f; }

class Fresh3 {

  Int i;

/*@ assigns this.i;
  @ allocates this.i;
  @ ensures this.i != null && \fresh(this.i);
  @*/
void create() {
    this.i = new Int();
}

/*@ requires f != null && this.i != null && this != f;
  @*/
void test(Fresh3 f) {
  f.create();
  //@ assert this.i != f.i;
}

static void smoke_detector() {
    Fresh3 s1, s2;
    s1 = new Fresh3();
    s2 = new Fresh3();
    s1.create();
    s2.create();
    //@ assert 0 == 1;
}

}

/*
Local Variables:
compile-command: "LC_ALL=C make Fresh3.why3"
End:
*/
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Int for constructor Int
Generating JC function Fresh3_create for method Fresh3.create
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_toString for method Object.toString
Generating JC function cons_Fresh3 for constructor Fresh3
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function cons_Object for constructor Object
Generating JC function Object_wait_long for method Object.wait
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notify for method Object.notify
Generating JC function Object_finalize for method Object.finalize
Generating JC function Fresh3_test for method Fresh3.test
Generating JC function Object_equals for method Object.equals
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_wait for method Object.wait
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function Fresh3_smoke_detector for method Fresh3.smoke_detector
Done.
========== file tests/java/Fresh3.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Int = Object with {
  int32 f;
}

tag Fresh3 = Object with {
  Int[0..] i;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Int(! Int[0] this_0)
{  (this_0.f = 0)
}

unit Fresh3_create(Fresh3[0] this_4)
behavior default:
  assigns this_4.i;
  allocates this_4.i;
  ensures (K_3 : ((K_2 : Non_null_Object(this_4.i)) &&
                   (K_1 : \fresh(this_4.i))));
{  (K_4 : (this_4.i = 
   {  
      (var Int[0] this = (new Int[1]));
      
      {  
         (var unit _tt = cons_Int(this));
         this
      }
   }))
}

int32 Object_hashCode(Object[0] this_6)
;

String[0..] Object_toString(Object[0] this_7)
;

unit cons_Fresh3(! Fresh3[0] this_5)
{  (this_5.i = null)
}

unit Object_registerNatives()
;

unit cons_Object(! Object[0] this_16){()}

unit Object_wait_long(Object[0] this_8, long timeout)
;

Object[0..] Object_clone(Object[0] this_9)
;

unit Object_notify(Object[0] this_10)
;

unit Object_finalize(Object[0] this_11)
;

unit Fresh3_test(Fresh3[0] this_3, Fresh3[0..] f)
  requires (K_9 : ((K_8 : ((K_7 : Non_null_Object(f)) &&
                            (K_6 : Non_null_Object(this_3.i)))) &&
                    (K_5 : (this_3 != f))));
{  (K_10 : Fresh3_create(f));
   (K_12 : 
   (assert (K_11 : (this_3.i != f.i))))
}

boolean Object_equals(Object[0] this_12, Object[0..] obj)
;

unit Object_notifyAll(Object[0] this_13)
;

unit Object_wait(Object[0] this_14)
;

unit Object_wait_long_int(Object[0] this_15, long timeout_0, int32 nanos)
;

unit Fresh3_smoke_detector()
{  
   {  
      (var Fresh3[0..] s1);
      
      {  
         (var Fresh3[0..] s2);
         
         {  (s1 = 
            {  
               (var Fresh3[0] this = (new Fresh3[1]));
               
               {  
                  (var unit _tt = cons_Fresh3(this));
                  this
               }
            });
            (s2 = 
            {  
               (var Fresh3[0] this = (new Fresh3[1]));
               
               {  
                  (var unit _tt = cons_Fresh3(this));
                  this
               }
            });
            (K_13 : Fresh3_create(s1));
            (K_14 : Fresh3_create(s2));
            (K_16 : 
            (assert (K_15 : (0 == 1))))
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Fresh3.jloc tests/java/Fresh3.jc && make -f tests/java/Fresh3.makefile gui"
End:
*/
========== file tests/java/Fresh3.jloc ==========
[Fresh3_create]
name = "Method create"
file = "HOME/tests/java/Fresh3.java"
line = 14
begin = 5
end = 11

[K_11]
file = "HOME/tests/java/Fresh3.java"
line = 22
begin = 13
end = 26

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_13]
file = "HOME/tests/java/Fresh3.java"
line = 29
begin = 4
end = 15

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 13
end = 53

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Fresh3.java"
line = 12
begin = 30
end = 44

[K_15]
file = "HOME/tests/java/Fresh3.java"
line = 31
begin = 15
end = 21

[K_4]
file = "HOME/tests/java/Fresh3.java"
line = 15
begin = 4
end = 22

[K_12]
file = "HOME/tests/java/Fresh3.java"
line = 22
begin = 13
end = 26

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_2]
file = "HOME/tests/java/Fresh3.java"
line = 12
begin = 12
end = 26

[K_10]
file = "HOME/tests/java/Fresh3.java"
line = 21
begin = 2
end = 12

[Fresh3_smoke_detector]
name = "Method smoke_detector"
file = "HOME/tests/java/Fresh3.java"
line = 25
begin = 12
end = 26

[K_6]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 26
end = 40

[cons_Int]
name = "Constructor of class Int"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_8]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 13
end = 40

[K_3]
file = "HOME/tests/java/Fresh3.java"
line = 12
begin = 12
end = 44

[cons_Fresh3]
name = "Constructor of class Fresh3"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_14]
file = "HOME/tests/java/Fresh3.java"
line = 30
begin = 4
end = 15

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[Fresh3_test]
name = "Method test"
file = "HOME/tests/java/Fresh3.java"
line = 20
begin = 5
end = 9

[K_5]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 44
end = 53

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 13
end = 22

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_16]
file = "HOME/tests/java/Fresh3.java"
line = 31
begin = 15
end = 21

========== jessie execution ==========
Generating Why function cons_Int
Generating Why function Fresh3_create
Generating Why function cons_Fresh3
Generating Why function cons_Object
Generating Why function Fresh3_test
Generating Why function Fresh3_smoke_detector
========== file tests/java/Fresh3.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Fresh3.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Fresh3.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Fresh3_why.sx

project: why/Fresh3.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Fresh3_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Fresh3_why.vo

coq/Fresh3_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Fresh3_why.v: why/Fresh3.why
	@echo 'why -coq [...] why/Fresh3.why' && $(WHY) $(JESSIELIBFILES) why/Fresh3.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Fresh3_ctx_why.vo
	for f in why/*_po*.why; do make -f Fresh3.makefile coq/`basename $$f .why`_why.v ; done

coq/Fresh3_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Fresh3_ctx_why.v: why/Fresh3_ctx.why
	@echo 'why -coq [...] why/Fresh3_ctx.why' && $(WHY) why/Fresh3_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Fresh3_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Fresh3_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Fresh3_ctx_why.vo

pvs: pvs/Fresh3_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Fresh3_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Fresh3_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Fresh3_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Fresh3_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Fresh3_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Fresh3_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Fresh3_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Fresh3_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Fresh3_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Fresh3_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Fresh3_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Fresh3_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Fresh3_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Fresh3_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Fresh3.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Fresh3_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Fresh3.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Fresh3.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Fresh3.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Fresh3.depend

depend: coq/Fresh3_why.v
	-$(COQDEP) -I coq coq/Fresh3*_why.v > Fresh3.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Fresh3.loc ==========
[JC_198]
kind = UserCall
file = "HOME/tests/java/Fresh3.jc"
line = 154
begin = 20
end = 37

[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_177]
file = "HOME/tests/java/Fresh3.java"
line = 25
begin = 12
end = 26

[JC_94]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_196]
kind = AllocSize
file = "HOME/tests/java/Fresh3.jc"
line = 147
begin = 38
end = 51

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
kind = UserCall
file = "HOME/tests/java/Fresh3.jc"
line = 74
begin = 25
end = 39

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_197]
kind = UserCall
file = "HOME/tests/java/Fresh3.jc"
line = 150
begin = 34
end = 51

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Fresh3_ensures_default]
name = "Constructor of class Fresh3"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_113]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh3_smoke_detector_ensures_default]
name = "Method smoke_detector"
behavior = "default behavior"
file = "HOME/tests/java/Fresh3.java"
line = 25
begin = 12
end = 26

[Fresh3_smoke_detector_safety]
name = "Method smoke_detector"
behavior = "Safety"
file = "HOME/tests/java/Fresh3.java"
line = 25
begin = 12
end = 26

[JC_188]
kind = UserCall
file = "HOME/tests/java/Fresh3.jc"
line = 150
begin = 34
end = 51

[JC_180]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_200]
file = "HOME/tests/java/Fresh3.java"
line = 31
begin = 15
end = 21

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 44
end = 53

[JC_170]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/Fresh3.java"
line = 12
begin = 12
end = 26

[cons_Int_ensures_default]
name = "Constructor of class Int"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/Fresh3.jc"
line = 52
begin = 11
end = 65

[JC_194]
kind = AllocSize
file = "HOME/tests/java/Fresh3.jc"
line = 138
begin = 38
end = 51

[JC_122]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
kind = UserCall
file = "HOME/tests/java/Fresh3.jc"
line = 111
begin = 11
end = 27

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
kind = IndexBounds
file = "HOME/tests/java/Fresh3.jc"
line = 71
begin = 7
end = 37

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 26
end = 40

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Fresh3.jc"
line = 50
begin = 8
end = 23

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_193]
file = "HOME/tests/java/Fresh3.java"
line = 31
begin = 15
end = 21

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_189]
kind = UserCall
file = "HOME/tests/java/Fresh3.jc"
line = 154
begin = 20
end = 37

[JC_186]
kind = AllocSize
file = "HOME/tests/java/Fresh3.jc"
line = 147
begin = 38
end = 51

[JC_78]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_175]
file = "HOME/tests/java/Fresh3.java"
line = 25
begin = 12
end = 26

[JC_41]
file = "HOME/tests/java/Fresh3.java"
line = 14
begin = 5
end = 11

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_195]
kind = UserCall
file = "HOME/tests/java/Fresh3.jc"
line = 141
begin = 34
end = 51

[JC_47]
kind = AllocSize
file = "HOME/tests/java/Fresh3.jc"
line = 71
begin = 26
end = 36

[JC_52]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Fresh3_test_ensures_default]
name = "Method test"
behavior = "default behavior"
file = "HOME/tests/java/Fresh3.java"
line = 20
begin = 5
end = 9

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 26
end = 40

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Fresh3.jc"
line = 50
begin = 8
end = 23

[JC_185]
kind = UserCall
file = "HOME/tests/java/Fresh3.jc"
line = 141
begin = 34
end = 51

[JC_184]
kind = IndexBounds
file = "HOME/tests/java/Fresh3.jc"
line = 138
begin = 16
end = 52

[JC_167]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/Fresh3.jc"
line = 65
begin = 10
end = 18

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/java/Fresh3.java"
line = 12
begin = 30
end = 44

[JC_112]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/java/Fresh3.java"
line = 12
begin = 12
end = 44

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh3_test_safety]
name = "Method test"
behavior = "Safety"
file = "HOME/tests/java/Fresh3.java"
line = 20
begin = 5
end = 9

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh3_create_ensures_default]
name = "Method create"
behavior = "default behavior"
file = "HOME/tests/java/Fresh3.java"
line = 14
begin = 5
end = 11

[JC_169]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/Fresh3.java"
line = 14
begin = 5
end = 11

[JC_132]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 13
end = 53

[JC_27]
file = "HOME/tests/java/Fresh3.java"
line = 14
begin = 5
end = 11

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_179]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 13
end = 22

[JC_38]
file = "HOME/tests/java/Fresh3.java"
line = 12
begin = 12
end = 26

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 13
end = 53

[JC_171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/java/Fresh3.jc"
line = 64
begin = 9
end = 16

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
kind = UserCall
file = "HOME/tests/java/Fresh3.jc"
line = 155
begin = 20
end = 37

[JC_62]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 13
end = 22

[JC_42]
file = "HOME/tests/java/Fresh3.java"
line = 14
begin = 5
end = 11

[JC_190]
kind = IndexBounds
file = "HOME/tests/java/Fresh3.jc"
line = 154
begin = 20
end = 37

[JC_178]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_166]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
kind = UserCall
file = "HOME/tests/java/Fresh3.jc"
line = 111
begin = 11
end = 27

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Fresh3.java"
line = 12
begin = 30
end = 44

[JC_199]
kind = UserCall
file = "HOME/tests/java/Fresh3.jc"
line = 155
begin = 20
end = 37

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/tests/java/Fresh3.java"
line = 12
begin = 12
end = 44

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/tests/java/Fresh3.java"
line = 22
begin = 13
end = 26

[JC_29]
file = "HOME/tests/java/Fresh3.java"
line = 14
begin = 5
end = 11

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/java/Fresh3.jc"
line = 65
begin = 10
end = 18

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Int_safety]
name = "Constructor of class Int"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[Fresh3_create_safety]
name = "Method create"
behavior = "Safety"
file = "HOME/tests/java/Fresh3.java"
line = 14
begin = 5
end = 11

[JC_34]
file = "HOME/tests/java/Fresh3.java"
line = 14
begin = 5
end = 11

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
kind = UserCall
file = "HOME/tests/java/Fresh3.jc"
line = 74
begin = 25
end = 39

[JC_1]
file = "HOME/tests/java/Fresh3.jc"
line = 20
begin = 12
end = 22

[JC_131]
file = "HOME/tests/java/Fresh3.java"
line = 18
begin = 44
end = 53

[JC_102]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_37]
file = "HOME/tests/java/Fresh3.jc"
line = 64
begin = 9
end = 16

[JC_181]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_142]
file = "HOME/tests/java/Fresh3.java"
line = 22
begin = 13
end = 26

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Fresh3_safety]
name = "Constructor of class Fresh3"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_192]
kind = IndexBounds
file = "HOME/tests/java/Fresh3.jc"
line = 155
begin = 20
end = 37

[JC_18]
file = "HOME/tests/java/Fresh3.jc"
line = 52
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Fresh3.jc"
line = 20
begin = 12
end = 22

[JC_92]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_183]
kind = AllocSize
file = "HOME/tests/java/Fresh3.jc"
line = 138
begin = 38
end = 51

[JC_139]
kind = IndexBounds
file = "HOME/tests/java/Fresh3.jc"
line = 111
begin = 11
end = 27

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_187]
kind = IndexBounds
file = "HOME/tests/java/Fresh3.jc"
line = 147
begin = 16
end = 52

[JC_76]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_50]
kind = AllocSize
file = "HOME/tests/java/Fresh3.jc"
line = 71
begin = 26
end = 36

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Fresh3.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Fresh3_tag:  -> Object tag_id

axiom Fresh3_parenttag_Object : parenttag(Fresh3_tag, Object_tag)

logic Int_tag:  -> Object tag_id

axiom Int_parenttag_Object : parenttag(Int_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Fresh3(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Int(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Fresh3(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Int(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Fresh3(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Int(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Fresh3(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Int(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

exception Exception_exc of Object pointer

parameter Object_alloc_table : Object alloc_table ref

parameter Fresh3_i : (Object, Object pointer) memory ref

parameter Object_tag_table : Object tag_table ref

parameter Int_f : (Object, int32) memory ref

parameter Fresh3_create :
 this_4:Object pointer ->
  { } unit reads Fresh3_i,Object_alloc_table
  writes Fresh3_i,Int_f,Object_alloc_table,Object_tag_table
  { (JC_44:
    ((JC_40:
     ((JC_38: Non_null_Object(select(Fresh3_i, this_4), Object_alloc_table))
     and (JC_39: (not valid(Object_alloc_table@, select(Fresh3_i, this_4))))))
    and (JC_43:
        ((JC_41: not_assigns(Object_alloc_table@, Int_f@, Int_f, pset_empty))
        and (JC_42:
            not_assigns(Object_alloc_table@, Fresh3_i@, Fresh3_i,
            pset_singleton(this_4))))))) }

parameter Fresh3_create_requires :
 this_4:Object pointer ->
  { } unit reads Fresh3_i,Object_alloc_table
  writes Fresh3_i,Int_f,Object_alloc_table,Object_tag_table
  { (JC_44:
    ((JC_40:
     ((JC_38: Non_null_Object(select(Fresh3_i, this_4), Object_alloc_table))
     and (JC_39: (not valid(Object_alloc_table@, select(Fresh3_i, this_4))))))
    and (JC_43:
        ((JC_41: not_assigns(Object_alloc_table@, Int_f@, Int_f, pset_empty))
        and (JC_42:
            not_assigns(Object_alloc_table@, Fresh3_i@, Fresh3_i,
            pset_singleton(this_4))))))) }

parameter Fresh3_smoke_detector :
 tt:unit ->
  { } unit reads Fresh3_i,Object_alloc_table
  writes Fresh3_i,Int_f,Object_alloc_table,Object_tag_table { true }

parameter Fresh3_smoke_detector_requires :
 tt:unit ->
  { } unit reads Fresh3_i,Object_alloc_table
  writes Fresh3_i,Int_f,Object_alloc_table,Object_tag_table { true }

parameter Fresh3_test :
 this_3:Object pointer ->
  f:Object pointer ->
   { } unit reads Fresh3_i,Object_alloc_table
   writes Fresh3_i,Int_f,Object_alloc_table,Object_tag_table { true }

parameter Fresh3_test_requires :
 this_3:Object pointer ->
  f:Object pointer ->
   { (JC_127:
     ((JC_124: Non_null_Object(f, Object_alloc_table))
     and ((JC_125:
          Non_null_Object(select(Fresh3_i, this_3), Object_alloc_table))
         and (JC_126: (this_3 <> f)))))}
   unit reads Fresh3_i,Object_alloc_table
   writes Fresh3_i,Int_f,Object_alloc_table,Object_tag_table { true }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_clone :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_12:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_12:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_6:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_6:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_toString :
 this_7:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_7:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_8:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_15:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_15:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_8:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Fresh3 :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fresh3(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fresh3_tag)))) }

parameter alloc_struct_Fresh3_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Fresh3(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Fresh3_tag)))) }

parameter alloc_struct_Int :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Int(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Int_tag)))) }

parameter alloc_struct_Int_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Int(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Int_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Fresh3 :
 this_5:Object pointer ->
  { } unit reads Object_alloc_table writes Fresh3_i { true }

parameter cons_Fresh3_requires :
 this_5:Object pointer ->
  { } unit reads Object_alloc_table writes Fresh3_i { true }

parameter cons_Int :
 this_0:Object pointer ->
  { } unit reads Object_alloc_table writes Int_f { true }

parameter cons_Int_requires :
 this_0:Object pointer ->
  { } unit reads Object_alloc_table writes Int_f { true }

parameter cons_Object :
 this_16:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_16:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Fresh3_create_ensures_default =
 fun (this_4 : Object pointer) ->
  { valid_struct_Fresh3(this_4, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_4:
     (let _jessie_ =
     (let this =
     (JC_50: (((alloc_struct_Int (1)) Object_alloc_table) Object_tag_table)) in
     (let _tt = (let _jessie_ = this in (JC_51: (cons_Int _jessie_))) in
     this)) in
     begin
       (let _jessie_ = this_4 in
       (((safe_upd_ Fresh3_i) _jessie_) _jessie_)); _jessie_ end)) in
     void); (raise Return) end with Return -> void end)
  { (JC_37:
    ((JC_33:
     ((JC_31: Non_null_Object(select(Fresh3_i, this_4), Object_alloc_table))
     and (JC_32: (not valid(Object_alloc_table@, select(Fresh3_i, this_4))))))
    and (JC_36:
        ((JC_34: not_assigns(Object_alloc_table@, Int_f@, Int_f, pset_empty))
        and (JC_35:
            not_assigns(Object_alloc_table@, Fresh3_i@, Fresh3_i,
            pset_singleton(this_4))))))) }

let Fresh3_create_safety =
 fun (this_4 : Object pointer) ->
  { valid_struct_Fresh3(this_4, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (K_4:
     (let _jessie_ =
     (let this =
     (let _jessie_ =
     (JC_47:
     (((alloc_struct_Int_requires (1)) Object_alloc_table) Object_tag_table)) in
     (JC_48:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     _jessie_))) in
     (let _tt =
     (let _jessie_ = this in (JC_49: (cons_Int_requires _jessie_))) in
     this)) in
     begin
       (let _jessie_ = this_4 in
       (((safe_upd_ Fresh3_i) _jessie_) _jessie_)); _jessie_ end)) in
     void); (raise Return) end with Return -> void end) { true }

let Fresh3_smoke_detector_ensures_default =
 fun (tt : unit) ->
  { (JC_178: true) }
  (init:
  try
   begin
     (let s1_1 = ref (any_pointer void) in
     (let s2_1 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (s1_1 := (let this_1 =
                (JC_194:
                (((alloc_struct_Fresh3 (1)) Object_alloc_table) Object_tag_table)) in
                (let _tt_0 =
                (let _jessie_ = this_1 in
                (JC_195: (cons_Fresh3 _jessie_))) in this_1))) in void);
      (let _jessie_ =
      (s2_1 := (let this_2 =
               (JC_196:
               (((alloc_struct_Fresh3 (1)) Object_alloc_table) Object_tag_table)) in
               (let _tt_1 =
               (let _jessie_ = this_2 in
               (JC_197: (cons_Fresh3 _jessie_))) in this_2))) in void);
      (K_13:
      begin
        (let _jessie_ = !s1_1 in (JC_198: (Fresh3_create _jessie_)));
       (K_14:
       begin
         (let _jessie_ = !s2_1 in (JC_199: (Fresh3_create _jessie_)));
        (K_16: (assert { (JC_200: ((0) = (1))) }; void)) end) end) end));
    (raise Return) end with Return -> void end) { (JC_179: true) }

let Fresh3_smoke_detector_safety =
 fun (tt : unit) ->
  { (JC_178: true) }
  (init:
  try
   begin
     (let s1_1 = ref (any_pointer void) in
     (let s2_1 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (s1_1 := (let this_1 =
                (let _jessie_ =
                (JC_183:
                (((alloc_struct_Fresh3_requires (1)) Object_alloc_table) Object_tag_table)) in
                (JC_184:
                (assert
                { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
                _jessie_))) in
                (let _tt_0 =
                (let _jessie_ = this_1 in
                (JC_185: (cons_Fresh3_requires _jessie_))) in this_1))) in
       void);
      (let _jessie_ =
      (s2_1 := (let this_2 =
               (let _jessie_ =
               (JC_186:
               (((alloc_struct_Fresh3_requires (1)) Object_alloc_table) Object_tag_table)) in
               (JC_187:
               (assert
               { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
               _jessie_))) in
               (let _tt_1 =
               (let _jessie_ = this_2 in
               (JC_188: (cons_Fresh3_requires _jessie_))) in this_2))) in
      void);
      (K_13:
      begin
        (let _jessie_ = !s1_1 in
        (JC_190:
        (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
        (JC_189: (Fresh3_create_requires _jessie_)))));
       (K_14:
       begin
         (let _jessie_ = !s2_1 in
         (JC_192:
         (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
         (JC_191: (Fresh3_create_requires _jessie_)))));
        (K_16: [ { } unit { (JC_193: ((0) = (1))) } ]) end) end) end));
    (raise Return) end with Return -> void end) { true }

let Fresh3_test_ensures_default =
 fun (this_3 : Object pointer) (f : Object pointer) ->
  { (left_valid_struct_Fresh3(f, (0), Object_alloc_table)
    and (valid_struct_Fresh3(this_3, (0), (0), Object_alloc_table)
        and (JC_132:
            ((JC_129: Non_null_Object(f, Object_alloc_table))
            and ((JC_130:
                 Non_null_Object(select(Fresh3_i, this_3),
                 Object_alloc_table))
                and (JC_131: (this_3 <> f))))))) }
  (init:
  try
   (K_10:
   begin
     (let _jessie_ = f in (JC_141: (Fresh3_create _jessie_)));
    (K_12:
    begin
      (assert
      { (JC_142: (select(Fresh3_i, this_3) <> select(Fresh3_i, f))) }; void);
     (raise Return) end) end) with Return -> void end) { (JC_134: true) }

let Fresh3_test_safety =
 fun (this_3 : Object pointer) (f : Object pointer) ->
  { (left_valid_struct_Fresh3(f, (0), Object_alloc_table)
    and (valid_struct_Fresh3(this_3, (0), (0), Object_alloc_table)
        and (JC_132:
            ((JC_129: Non_null_Object(f, Object_alloc_table))
            and ((JC_130:
                 Non_null_Object(select(Fresh3_i, this_3),
                 Object_alloc_table))
                and (JC_131: (this_3 <> f))))))) }
  (init:
  try
   (K_10:
   begin
     (let _jessie_ = f in
     (JC_139:
     (assert { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
     (JC_138: (Fresh3_create_requires _jessie_)))));
    (K_12:
    begin
      [ { } unit reads Fresh3_i
        { (JC_140: (select(Fresh3_i, this_3) <> select(Fresh3_i, f))) } ];
     (raise Return) end) end) with Return -> void end) { true }

let cons_Fresh3_ensures_default =
 fun (this_5 : Object pointer) ->
  { valid_struct_Fresh3(this_5, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_5 in
       (((safe_upd_ Fresh3_i) _jessie_) _jessie_)); _jessie_ end) in
     void); (raise Return) end with Return -> void end) { (JC_72: true) }

let cons_Fresh3_safety =
 fun (this_5 : Object pointer) ->
  { valid_struct_Fresh3(this_5, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = null in
     begin
       (let _jessie_ = this_5 in
       (((safe_upd_ Fresh3_i) _jessie_) _jessie_)); _jessie_ end) in
     void); (raise Return) end with Return -> void end) { true }

let cons_Int_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Int(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_int32_of_integer_ (0)) in
     begin
       (let _jessie_ = this_0 in (((safe_upd_ Int_f) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_Int_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Int(this_0, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     (let _jessie_ = (safe_int32_of_integer_ (0)) in
     begin
       (let _jessie_ = this_0 in (((safe_upd_ Int_f) _jessie_) _jessie_));
      _jessie_ end) in void); (raise Return) end with Return -> void end)
  { true }

let cons_Object_ensures_default =
 fun (this_16 : Object pointer) ->
  { valid_struct_Object(this_16, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_88: true) }

let cons_Object_safety =
 fun (this_16 : Object pointer) ->
  { valid_struct_Object(this_16, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Fresh3.why
========== file tests/java/why/Fresh3.wpr ==========

  
    
    
    
      
      
    
    
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  
  
    
  

========== file tests/java/why/Fresh3_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Fresh3_tag : Object tag_id

axiom Fresh3_parenttag_Object: parenttag(Fresh3_tag, Object_tag)

logic Int_tag : Object tag_id

axiom Int_parenttag_Object: parenttag(Int_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Fresh3(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Int(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Fresh3(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Int(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Fresh3(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Int(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Fresh3(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Int(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Fresh3_po1.why ==========
goal Fresh3_create_ensures_default_po_1:
  forall this_4:Object pointer.
  forall Fresh3_i:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh3(this_4, 0, 0, Object_alloc_table) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Int(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Int_tag)))) ->
  forall Fresh3_i0:(Object,
  Object pointer) memory.
  (Fresh3_i0 = store(Fresh3_i, this_4, result)) ->
  ("JC_37":
  ("JC_33":
  ("JC_31": Non_null_Object(select(Fresh3_i0, this_4), Object_alloc_table0))))

========== file tests/java/why/Fresh3_po10.why ==========
goal Fresh3_smoke_detector_safety_po_3:
  forall Object_alloc_table:Object alloc_table.
  ("JC_178": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh3(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall s1_1:Object pointer.
  (s1_1 = result) ->
  (1 >= 0) ->
  forall result0:Object pointer.
  forall Object_alloc_table1:Object alloc_table.
  forall Object_tag_table0:Object tag_table.
  (strict_valid_struct_Fresh3(result0, 0, (1 - 1), Object_alloc_table1) and
   (alloc_extends(Object_alloc_table0, Object_alloc_table1) and
    (alloc_fresh(Object_alloc_table0, result0, 1) and
     instanceof(Object_tag_table0, result0, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table1, result0) >= 0)

========== file tests/java/why/Fresh3_po11.why ==========
goal Fresh3_smoke_detector_safety_po_4:
  forall Object_alloc_table:Object alloc_table.
  ("JC_178": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh3(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall s1_1:Object pointer.
  (s1_1 = result) ->
  (1 >= 0) ->
  forall result0:Object pointer.
  forall Object_alloc_table1:Object alloc_table.
  forall Object_tag_table0:Object tag_table.
  (strict_valid_struct_Fresh3(result0, 0, (1 - 1), Object_alloc_table1) and
   (alloc_extends(Object_alloc_table0, Object_alloc_table1) and
    (alloc_fresh(Object_alloc_table0, result0, 1) and
     instanceof(Object_tag_table0, result0, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table1, result0) >= 0) ->
  forall s2_1:Object pointer.
  (s2_1 = result0) ->
  (offset_max(Object_alloc_table1, s1_1) >= 0)

========== file tests/java/why/Fresh3_po12.why ==========
goal Fresh3_smoke_detector_safety_po_5:
  forall Int_f:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_178": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh3(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall s1_1:Object pointer.
  (s1_1 = result) ->
  (1 >= 0) ->
  forall result0:Object pointer.
  forall Object_alloc_table1:Object alloc_table.
  forall Object_tag_table0:Object tag_table.
  (strict_valid_struct_Fresh3(result0, 0, (1 - 1), Object_alloc_table1) and
   (alloc_extends(Object_alloc_table0, Object_alloc_table1) and
    (alloc_fresh(Object_alloc_table0, result0, 1) and
     instanceof(Object_tag_table0, result0, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table1, result0) >= 0) ->
  forall Fresh3_i:(Object,
  Object pointer) memory.
  forall s2_1:Object pointer.
  (s2_1 = result0) ->
  (offset_max(Object_alloc_table1, s1_1) >= 0) ->
  forall Fresh3_i0:(Object, Object pointer) memory.
  forall Int_f0:(Object,
  int32) memory.
  forall Object_alloc_table2:Object alloc_table.
  ("JC_44":
  (("JC_40":
   (("JC_38": Non_null_Object(select(Fresh3_i0, s1_1), Object_alloc_table2)) and
    ("JC_39": (not valid(Object_alloc_table1, select(Fresh3_i0, s1_1)))))) and
   ("JC_43":
   (("JC_41": not_assigns(Object_alloc_table1, Int_f, Int_f0, pset_empty)) and
    ("JC_42": not_assigns(Object_alloc_table1, Fresh3_i, Fresh3_i0,
    pset_singleton(s1_1))))))) ->
  (offset_max(Object_alloc_table2, s2_1) >= 0)

========== file tests/java/why/Fresh3_po13.why ==========
goal Fresh3_test_ensures_default_po_1:
  forall this_3:Object pointer.
  forall f:Object pointer.
  forall Fresh3_i:(Object, Object pointer) memory.
  forall Int_f:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_Fresh3(f, 0, Object_alloc_table) and
   (valid_struct_Fresh3(this_3, 0, 0, Object_alloc_table) and
    ("JC_132":
    (("JC_129": Non_null_Object(f, Object_alloc_table)) and
     (("JC_130": Non_null_Object(select(Fresh3_i, this_3),
      Object_alloc_table)) and ("JC_131": (this_3 <> f))))))) ->
  forall Fresh3_i0:(Object, Object pointer) memory.
  forall Int_f0:(Object,
  int32) memory.
  forall Object_alloc_table0:Object alloc_table.
  ("JC_44":
  (("JC_40":
   (("JC_38": Non_null_Object(select(Fresh3_i0, f), Object_alloc_table0)) and
    ("JC_39": (not valid(Object_alloc_table, select(Fresh3_i0, f)))))) and
   ("JC_43":
   (("JC_41": not_assigns(Object_alloc_table, Int_f, Int_f0, pset_empty)) and
    ("JC_42": not_assigns(Object_alloc_table, Fresh3_i, Fresh3_i0,
    pset_singleton(f))))))) ->
  ("JC_142": (select(Fresh3_i0, this_3) <> select(Fresh3_i0, f)))

========== file tests/java/why/Fresh3_po14.why ==========
goal Fresh3_test_safety_po_1:
  forall this_3:Object pointer.
  forall f:Object pointer.
  forall Fresh3_i:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_Fresh3(f, 0, Object_alloc_table) and
   (valid_struct_Fresh3(this_3, 0, 0, Object_alloc_table) and
    ("JC_132":
    (("JC_129": Non_null_Object(f, Object_alloc_table)) and
     (("JC_130": Non_null_Object(select(Fresh3_i, this_3),
      Object_alloc_table)) and ("JC_131": (this_3 <> f))))))) ->
  (offset_max(Object_alloc_table, f) >= 0)

========== file tests/java/why/Fresh3_po2.why ==========
goal Fresh3_create_ensures_default_po_2:
  forall this_4:Object pointer.
  forall Fresh3_i:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh3(this_4, 0, 0, Object_alloc_table) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Int(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Int_tag)))) ->
  forall Fresh3_i0:(Object,
  Object pointer) memory.
  (Fresh3_i0 = store(Fresh3_i, this_4, result)) ->
  ("JC_37":
  ("JC_33":
  ("JC_32": (not valid(Object_alloc_table, select(Fresh3_i0, this_4))))))

========== file tests/java/why/Fresh3_po3.why ==========
goal Fresh3_create_ensures_default_po_3:
  forall this_4:Object pointer.
  forall Fresh3_i:(Object, Object pointer) memory.
  forall Int_f:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh3(this_4, 0, 0, Object_alloc_table) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Int(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Int_tag)))) ->
  forall Int_f0:(Object, int32) memory.
  forall Fresh3_i0:(Object,
  Object pointer) memory.
  (Fresh3_i0 = store(Fresh3_i, this_4, result)) ->
  ("JC_37":
  ("JC_36":
  ("JC_34": not_assigns(Object_alloc_table, Int_f, Int_f0, pset_empty))))

========== file tests/java/why/Fresh3_po4.why ==========
goal Fresh3_create_ensures_default_po_4:
  forall this_4:Object pointer.
  forall Fresh3_i:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh3(this_4, 0, 0, Object_alloc_table) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Int(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Int_tag)))) ->
  forall Fresh3_i0:(Object,
  Object pointer) memory.
  (Fresh3_i0 = store(Fresh3_i, this_4, result)) ->
  ("JC_37":
  ("JC_36":
  ("JC_35": not_assigns(Object_alloc_table, Fresh3_i, Fresh3_i0,
  pset_singleton(this_4)))))

========== file tests/java/why/Fresh3_po5.why ==========
goal Fresh3_create_safety_po_1:
  forall this_4:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh3(this_4, 0, 0, Object_alloc_table) ->
  (1 >= 0)

========== file tests/java/why/Fresh3_po6.why ==========
goal Fresh3_create_safety_po_2:
  forall this_4:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh3(this_4, 0, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Int(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Int_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

========== file tests/java/why/Fresh3_po7.why ==========
goal Fresh3_smoke_detector_ensures_default_po_1:
  forall Int_f:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_178": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh3(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh3_tag)))) ->
  forall s1_1:Object pointer.
  (s1_1 = result) ->
  forall result0:Object pointer.
  forall Object_alloc_table1:Object alloc_table.
  forall Object_tag_table0:Object tag_table.
  (strict_valid_struct_Fresh3(result0, 0, (1 - 1), Object_alloc_table1) and
   (alloc_extends(Object_alloc_table0, Object_alloc_table1) and
    (alloc_fresh(Object_alloc_table0, result0, 1) and
     instanceof(Object_tag_table0, result0, Fresh3_tag)))) ->
  forall Fresh3_i:(Object,
  Object pointer) memory.
  forall s2_1:Object pointer.
  (s2_1 = result0) ->
  forall Fresh3_i0:(Object, Object pointer) memory.
  forall Int_f0:(Object,
  int32) memory.
  forall Object_alloc_table2:Object alloc_table.
  ("JC_44":
  (("JC_40":
   (("JC_38": Non_null_Object(select(Fresh3_i0, s1_1), Object_alloc_table2)) and
    ("JC_39": (not valid(Object_alloc_table1, select(Fresh3_i0, s1_1)))))) and
   ("JC_43":
   (("JC_41": not_assigns(Object_alloc_table1, Int_f, Int_f0, pset_empty)) and
    ("JC_42": not_assigns(Object_alloc_table1, Fresh3_i, Fresh3_i0,
    pset_singleton(s1_1))))))) ->
  forall Fresh3_i1:(Object, Object pointer) memory.
  forall Int_f1:(Object,
  int32) memory.
  forall Object_alloc_table3:Object alloc_table.
  ("JC_44":
  (("JC_40":
   (("JC_38": Non_null_Object(select(Fresh3_i1, s2_1), Object_alloc_table3)) and
    ("JC_39": (not valid(Object_alloc_table2, select(Fresh3_i1, s2_1)))))) and
   ("JC_43":
   (("JC_41": not_assigns(Object_alloc_table2, Int_f0, Int_f1, pset_empty)) and
    ("JC_42": not_assigns(Object_alloc_table2, Fresh3_i0, Fresh3_i1,
    pset_singleton(s2_1))))))) ->
  ("JC_200": (0 = 1))

========== file tests/java/why/Fresh3_po8.why ==========
goal Fresh3_smoke_detector_safety_po_1:
  ("JC_178": true) ->
  (1 >= 0)

========== file tests/java/why/Fresh3_po9.why ==========
goal Fresh3_smoke_detector_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_178": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh3(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

========== generation of Simplify VC output ==========
why -simplify [...] why/Fresh3.why
========== file tests/java/simplify/Fresh3_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Fresh3_parenttag_Object
 (EQ (parenttag Fresh3_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Int_parenttag_Object
 (EQ (parenttag Int_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Fresh3 p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Int p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Fresh3 p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Int p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Fresh3 p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Int p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Fresh3 p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Int p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Fresh3_create_ensures_default_po_1, File "HOME/tests/java/Fresh3.java", line 12, characters 12-26
(FORALL (this_4)
(FORALL (Fresh3_i)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Fresh3 this_4 0 0 Object_alloc_table)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Int result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Int_tag))))
(FORALL (Fresh3_i0)
(IMPLIES (EQ Fresh3_i0 (|why__store| Fresh3_i this_4 result))
(Non_null_Object (select Fresh3_i0 this_4) Object_alloc_table0)))))))))))

;; Fresh3_create_ensures_default_po_2, File "HOME/tests/java/Fresh3.java", line 12, characters 30-44
(FORALL (this_4)
(FORALL (Fresh3_i)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Fresh3 this_4 0 0 Object_alloc_table)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Int result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Int_tag))))
(FORALL (Fresh3_i0)
(IMPLIES (EQ Fresh3_i0 (|why__store| Fresh3_i this_4 result))
(NOT (valid Object_alloc_table (select Fresh3_i0 this_4)))))))))))))

;; Fresh3_create_ensures_default_po_3, File "HOME/tests/java/Fresh3.java", line 14, characters 5-11
(FORALL (this_4)
(FORALL (Fresh3_i)
(FORALL (Int_f)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Fresh3 this_4 0 0 Object_alloc_table)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Int result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Int_tag))))
(FORALL (Int_f0)
(FORALL (Fresh3_i0)
(IMPLIES (EQ Fresh3_i0 (|why__store| Fresh3_i this_4 result))
(not_assigns Object_alloc_table Int_f Int_f0 pset_empty)))))))))))))

;; Fresh3_create_ensures_default_po_4, File "HOME/tests/java/Fresh3.java", line 14, characters 5-11
(FORALL (this_4)
(FORALL (Fresh3_i)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Fresh3 this_4 0 0 Object_alloc_table)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Int result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Int_tag))))
(FORALL (Fresh3_i0)
(IMPLIES (EQ Fresh3_i0 (|why__store| Fresh3_i this_4 result))
(not_assigns Object_alloc_table Fresh3_i Fresh3_i0 (pset_singleton this_4))))))))))))

;; Fresh3_create_safety_po_1, File "HOME/tests/java/Fresh3.jc", line 71, characters 26-36
(FORALL (this_4)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Fresh3 this_4 0 0 Object_alloc_table) (>= 1 0))))

;; Fresh3_create_safety_po_2, File "why/Fresh3.why", line 767, characters 15-70
(FORALL (this_4)
(FORALL (Object_alloc_table)
(IMPLIES (valid_struct_Fresh3 this_4 0 0 Object_alloc_table)
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND (strict_valid_struct_Int result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Int_tag))))
(>= (offset_max Object_alloc_table0 result) 0)))))))))

;; Fresh3_smoke_detector_ensures_default_po_1, File "HOME/tests/java/Fresh3.java", line 31, characters 15-21
(FORALL (Int_f)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Fresh3 result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Fresh3_tag))))
(FORALL (s1_1)
(IMPLIES (EQ s1_1 result)
(FORALL (result0)
(FORALL (Object_alloc_table1)
(FORALL (Object_tag_table0)
(IMPLIES (AND
         (strict_valid_struct_Fresh3 result0 0 (- 1 1) Object_alloc_table1)
         (AND
         (EQ (alloc_extends Object_alloc_table0 Object_alloc_table1) |@true|)
         (AND (alloc_fresh Object_alloc_table0 result0 1)
         (instanceof Object_tag_table0 result0 Fresh3_tag))))
(FORALL (Fresh3_i)
(FORALL (s2_1)
(IMPLIES (EQ s2_1 result0)
(FORALL (Fresh3_i0)
(FORALL (Int_f0)
(FORALL (Object_alloc_table2)
(IMPLIES (AND
         (AND (Non_null_Object (select Fresh3_i0 s1_1) Object_alloc_table2)
         (NOT (valid Object_alloc_table1 (select Fresh3_i0 s1_1))))
         (AND (not_assigns Object_alloc_table1 Int_f Int_f0 pset_empty)
         (not_assigns
         Object_alloc_table1 Fresh3_i Fresh3_i0 (pset_singleton s1_1))))
(FORALL (Fresh3_i1)
(FORALL (Int_f1)
(FORALL (Object_alloc_table3)
(IMPLIES (AND
         (AND (Non_null_Object (select Fresh3_i1 s2_1) Object_alloc_table3)
         (NOT (valid Object_alloc_table2 (select Fresh3_i1 s2_1))))
         (AND (not_assigns Object_alloc_table2 Int_f0 Int_f1 pset_empty)
         (not_assigns
         Object_alloc_table2 Fresh3_i0 Fresh3_i1 (pset_singleton s2_1))))
(EQ 0 1)))))))))))))))))))))))))

;; Fresh3_smoke_detector_safety_po_1, File "HOME/tests/java/Fresh3.jc", line 138, characters 38-51
(IMPLIES TRUE (>= 1 0))

;; Fresh3_smoke_detector_safety_po_2, File "why/Fresh3.why", line 825, characters 18-73
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Fresh3 result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Fresh3_tag))))
(>= (offset_max Object_alloc_table0 result) 0))))))))

;; Fresh3_smoke_detector_safety_po_3, File "why/Fresh3.why", line 838, characters 17-72
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Fresh3 result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Fresh3_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(FORALL (s1_1)
(IMPLIES (EQ s1_1 result)
(IMPLIES (>= 1 0)
(FORALL (result0)
(FORALL (Object_alloc_table1)
(FORALL (Object_tag_table0)
(IMPLIES (AND
         (strict_valid_struct_Fresh3 result0 0 (- 1 1) Object_alloc_table1)
         (AND
         (EQ (alloc_extends Object_alloc_table0 Object_alloc_table1) |@true|)
         (AND (alloc_fresh Object_alloc_table0 result0 1)
         (instanceof Object_tag_table0 result0 Fresh3_tag))))
(>= (offset_max Object_alloc_table1 result0) 0))))))))))))))))

;; Fresh3_smoke_detector_safety_po_4, File "why/Fresh3.why", line 848, characters 18-73
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Fresh3 result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Fresh3_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(FORALL (s1_1)
(IMPLIES (EQ s1_1 result)
(IMPLIES (>= 1 0)
(FORALL (result0)
(FORALL (Object_alloc_table1)
(FORALL (Object_tag_table0)
(IMPLIES (AND
         (strict_valid_struct_Fresh3 result0 0 (- 1 1) Object_alloc_table1)
         (AND
         (EQ (alloc_extends Object_alloc_table0 Object_alloc_table1) |@true|)
         (AND (alloc_fresh Object_alloc_table0 result0 1)
         (instanceof Object_tag_table0 result0 Fresh3_tag))))
(IMPLIES (>= (offset_max Object_alloc_table1 result0) 0)
(FORALL (s2_1)
(IMPLIES (EQ s2_1 result0) (>= (offset_max Object_alloc_table1 s1_1) 0)))))))))))))))))))

;; Fresh3_smoke_detector_safety_po_5, File "why/Fresh3.why", line 854, characters 19-74
(FORALL (Int_f)
(FORALL (Object_alloc_table)
(IMPLIES TRUE
(IMPLIES (>= 1 0)
(FORALL (result)
(FORALL (Object_alloc_table0)
(FORALL (Object_tag_table)
(IMPLIES (AND
         (strict_valid_struct_Fresh3 result 0 (- 1 1) Object_alloc_table0)
         (AND
         (EQ (alloc_extends Object_alloc_table Object_alloc_table0) |@true|)
         (AND (alloc_fresh Object_alloc_table result 1)
         (instanceof Object_tag_table result Fresh3_tag))))
(IMPLIES (>= (offset_max Object_alloc_table0 result) 0)
(FORALL (s1_1)
(IMPLIES (EQ s1_1 result)
(IMPLIES (>= 1 0)
(FORALL (result0)
(FORALL (Object_alloc_table1)
(FORALL (Object_tag_table0)
(IMPLIES (AND
         (strict_valid_struct_Fresh3 result0 0 (- 1 1) Object_alloc_table1)
         (AND
         (EQ (alloc_extends Object_alloc_table0 Object_alloc_table1) |@true|)
         (AND (alloc_fresh Object_alloc_table0 result0 1)
         (instanceof Object_tag_table0 result0 Fresh3_tag))))
(IMPLIES (>= (offset_max Object_alloc_table1 result0) 0)
(FORALL (Fresh3_i)
(FORALL (s2_1)
(IMPLIES (EQ s2_1 result0)
(IMPLIES (>= (offset_max Object_alloc_table1 s1_1) 0)
(FORALL (Fresh3_i0)
(FORALL (Int_f0)
(FORALL (Object_alloc_table2)
(IMPLIES (AND
         (AND (Non_null_Object (select Fresh3_i0 s1_1) Object_alloc_table2)
         (NOT (valid Object_alloc_table1 (select Fresh3_i0 s1_1))))
         (AND (not_assigns Object_alloc_table1 Int_f Int_f0 pset_empty)
         (not_assigns
         Object_alloc_table1 Fresh3_i Fresh3_i0 (pset_singleton s1_1))))
(>= (offset_max Object_alloc_table2 s2_1) 0))))))))))))))))))))))))))

;; Fresh3_test_ensures_default_po_1, File "HOME/tests/java/Fresh3.java", line 22, characters 13-26
(FORALL (this_3)
(FORALL (f)
(FORALL (Fresh3_i)
(FORALL (Int_f)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_Fresh3 f 0 Object_alloc_table)
         (AND (valid_struct_Fresh3 this_3 0 0 Object_alloc_table)
         (AND (Non_null_Object f Object_alloc_table)
         (AND (Non_null_Object (select Fresh3_i this_3) Object_alloc_table)
         (NEQ this_3 f)))))
(FORALL (Fresh3_i0)
(FORALL (Int_f0)
(FORALL (Object_alloc_table0)
(IMPLIES (AND
         (AND (Non_null_Object (select Fresh3_i0 f) Object_alloc_table0)
         (NOT (valid Object_alloc_table (select Fresh3_i0 f))))
         (AND (not_assigns Object_alloc_table Int_f Int_f0 pset_empty)
         (not_assigns
         Object_alloc_table Fresh3_i Fresh3_i0 (pset_singleton f))))
(NEQ (select Fresh3_i0 this_3) (select Fresh3_i0 f))))))))))))

;; Fresh3_test_safety_po_1, File "why/Fresh3.why", line 896, characters 15-70
(FORALL (this_3)
(FORALL (f)
(FORALL (Fresh3_i)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_Fresh3 f 0 Object_alloc_table)
         (AND (valid_struct_Fresh3 this_3 0 0 Object_alloc_table)
         (AND (Non_null_Object f Object_alloc_table)
         (AND (Non_null_Object (select Fresh3_i this_3) Object_alloc_table)
         (NEQ this_3 f)))))
(>= (offset_max Object_alloc_table f) 0))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Fresh3_why.sx        : .??...?....??. (9/0/5/0/0)
total   :  14
valid   :   9 ( 64%)
invalid :   0 (  0%)
unknown :   5 ( 36%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Fresh3.why
========== file tests/java/why/Fresh3_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Fresh3_tag : Object tag_id

axiom Fresh3_parenttag_Object: parenttag(Fresh3_tag, Object_tag)

logic Int_tag : Object tag_id

axiom Int_parenttag_Object: parenttag(Int_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Fresh3(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Int(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Fresh3(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Int(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Fresh3(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Int(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Fresh3(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Int(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Fresh3_create_ensures_default_po_1:
  forall this_4:Object pointer.
  forall Fresh3_i:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh3(this_4, 0, 0, Object_alloc_table) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Int(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Int_tag)))) ->
  forall Fresh3_i0:(Object,
  Object pointer) memory.
  (Fresh3_i0 = store(Fresh3_i, this_4, result)) ->
  ("JC_37":
  ("JC_33":
  ("JC_31": Non_null_Object(select(Fresh3_i0, this_4), Object_alloc_table0))))

goal Fresh3_create_ensures_default_po_2:
  forall this_4:Object pointer.
  forall Fresh3_i:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh3(this_4, 0, 0, Object_alloc_table) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Int(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Int_tag)))) ->
  forall Fresh3_i0:(Object,
  Object pointer) memory.
  (Fresh3_i0 = store(Fresh3_i, this_4, result)) ->
  ("JC_37":
  ("JC_33":
  ("JC_32": (not valid(Object_alloc_table, select(Fresh3_i0, this_4))))))

goal Fresh3_create_ensures_default_po_3:
  forall this_4:Object pointer.
  forall Fresh3_i:(Object, Object pointer) memory.
  forall Int_f:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh3(this_4, 0, 0, Object_alloc_table) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Int(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Int_tag)))) ->
  forall Int_f0:(Object, int32) memory.
  forall Fresh3_i0:(Object,
  Object pointer) memory.
  (Fresh3_i0 = store(Fresh3_i, this_4, result)) ->
  ("JC_37":
  ("JC_36":
  ("JC_34": not_assigns(Object_alloc_table, Int_f, Int_f0, pset_empty))))

goal Fresh3_create_ensures_default_po_4:
  forall this_4:Object pointer.
  forall Fresh3_i:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh3(this_4, 0, 0, Object_alloc_table) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Int(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Int_tag)))) ->
  forall Fresh3_i0:(Object,
  Object pointer) memory.
  (Fresh3_i0 = store(Fresh3_i, this_4, result)) ->
  ("JC_37":
  ("JC_36":
  ("JC_35": not_assigns(Object_alloc_table, Fresh3_i, Fresh3_i0,
  pset_singleton(this_4)))))

goal Fresh3_create_safety_po_1:
  forall this_4:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh3(this_4, 0, 0, Object_alloc_table) ->
  (1 >= 0)

goal Fresh3_create_safety_po_2:
  forall this_4:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  valid_struct_Fresh3(this_4, 0, 0, Object_alloc_table) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Int(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Int_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

goal Fresh3_smoke_detector_ensures_default_po_1:
  forall Int_f:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_178": true) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh3(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh3_tag)))) ->
  forall s1_1:Object pointer.
  (s1_1 = result) ->
  forall result0:Object pointer.
  forall Object_alloc_table1:Object alloc_table.
  forall Object_tag_table0:Object tag_table.
  (strict_valid_struct_Fresh3(result0, 0, (1 - 1), Object_alloc_table1) and
   (alloc_extends(Object_alloc_table0, Object_alloc_table1) and
    (alloc_fresh(Object_alloc_table0, result0, 1) and
     instanceof(Object_tag_table0, result0, Fresh3_tag)))) ->
  forall Fresh3_i:(Object,
  Object pointer) memory.
  forall s2_1:Object pointer.
  (s2_1 = result0) ->
  forall Fresh3_i0:(Object, Object pointer) memory.
  forall Int_f0:(Object,
  int32) memory.
  forall Object_alloc_table2:Object alloc_table.
  ("JC_44":
  (("JC_40":
   (("JC_38": Non_null_Object(select(Fresh3_i0, s1_1), Object_alloc_table2)) and
    ("JC_39": (not valid(Object_alloc_table1, select(Fresh3_i0, s1_1)))))) and
   ("JC_43":
   (("JC_41": not_assigns(Object_alloc_table1, Int_f, Int_f0, pset_empty)) and
    ("JC_42": not_assigns(Object_alloc_table1, Fresh3_i, Fresh3_i0,
    pset_singleton(s1_1))))))) ->
  forall Fresh3_i1:(Object, Object pointer) memory.
  forall Int_f1:(Object,
  int32) memory.
  forall Object_alloc_table3:Object alloc_table.
  ("JC_44":
  (("JC_40":
   (("JC_38": Non_null_Object(select(Fresh3_i1, s2_1), Object_alloc_table3)) and
    ("JC_39": (not valid(Object_alloc_table2, select(Fresh3_i1, s2_1)))))) and
   ("JC_43":
   (("JC_41": not_assigns(Object_alloc_table2, Int_f0, Int_f1, pset_empty)) and
    ("JC_42": not_assigns(Object_alloc_table2, Fresh3_i0, Fresh3_i1,
    pset_singleton(s2_1))))))) ->
  ("JC_200": (0 = 1))

goal Fresh3_smoke_detector_safety_po_1:
  ("JC_178": true) ->
  (1 >= 0)

goal Fresh3_smoke_detector_safety_po_2:
  forall Object_alloc_table:Object alloc_table.
  ("JC_178": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh3(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0)

goal Fresh3_smoke_detector_safety_po_3:
  forall Object_alloc_table:Object alloc_table.
  ("JC_178": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh3(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall s1_1:Object pointer.
  (s1_1 = result) ->
  (1 >= 0) ->
  forall result0:Object pointer.
  forall Object_alloc_table1:Object alloc_table.
  forall Object_tag_table0:Object tag_table.
  (strict_valid_struct_Fresh3(result0, 0, (1 - 1), Object_alloc_table1) and
   (alloc_extends(Object_alloc_table0, Object_alloc_table1) and
    (alloc_fresh(Object_alloc_table0, result0, 1) and
     instanceof(Object_tag_table0, result0, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table1, result0) >= 0)

goal Fresh3_smoke_detector_safety_po_4:
  forall Object_alloc_table:Object alloc_table.
  ("JC_178": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh3(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall s1_1:Object pointer.
  (s1_1 = result) ->
  (1 >= 0) ->
  forall result0:Object pointer.
  forall Object_alloc_table1:Object alloc_table.
  forall Object_tag_table0:Object tag_table.
  (strict_valid_struct_Fresh3(result0, 0, (1 - 1), Object_alloc_table1) and
   (alloc_extends(Object_alloc_table0, Object_alloc_table1) and
    (alloc_fresh(Object_alloc_table0, result0, 1) and
     instanceof(Object_tag_table0, result0, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table1, result0) >= 0) ->
  forall s2_1:Object pointer.
  (s2_1 = result0) ->
  (offset_max(Object_alloc_table1, s1_1) >= 0)

goal Fresh3_smoke_detector_safety_po_5:
  forall Int_f:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  ("JC_178": true) ->
  (1 >= 0) ->
  forall result:Object pointer.
  forall Object_alloc_table0:Object alloc_table.
  forall Object_tag_table:Object tag_table.
  (strict_valid_struct_Fresh3(result, 0, (1 - 1), Object_alloc_table0) and
   (alloc_extends(Object_alloc_table, Object_alloc_table0) and
    (alloc_fresh(Object_alloc_table, result, 1) and
     instanceof(Object_tag_table, result, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table0, result) >= 0) ->
  forall s1_1:Object pointer.
  (s1_1 = result) ->
  (1 >= 0) ->
  forall result0:Object pointer.
  forall Object_alloc_table1:Object alloc_table.
  forall Object_tag_table0:Object tag_table.
  (strict_valid_struct_Fresh3(result0, 0, (1 - 1), Object_alloc_table1) and
   (alloc_extends(Object_alloc_table0, Object_alloc_table1) and
    (alloc_fresh(Object_alloc_table0, result0, 1) and
     instanceof(Object_tag_table0, result0, Fresh3_tag)))) ->
  (offset_max(Object_alloc_table1, result0) >= 0) ->
  forall Fresh3_i:(Object,
  Object pointer) memory.
  forall s2_1:Object pointer.
  (s2_1 = result0) ->
  (offset_max(Object_alloc_table1, s1_1) >= 0) ->
  forall Fresh3_i0:(Object, Object pointer) memory.
  forall Int_f0:(Object,
  int32) memory.
  forall Object_alloc_table2:Object alloc_table.
  ("JC_44":
  (("JC_40":
   (("JC_38": Non_null_Object(select(Fresh3_i0, s1_1), Object_alloc_table2)) and
    ("JC_39": (not valid(Object_alloc_table1, select(Fresh3_i0, s1_1)))))) and
   ("JC_43":
   (("JC_41": not_assigns(Object_alloc_table1, Int_f, Int_f0, pset_empty)) and
    ("JC_42": not_assigns(Object_alloc_table1, Fresh3_i, Fresh3_i0,
    pset_singleton(s1_1))))))) ->
  (offset_max(Object_alloc_table2, s2_1) >= 0)

goal Fresh3_test_ensures_default_po_1:
  forall this_3:Object pointer.
  forall f:Object pointer.
  forall Fresh3_i:(Object, Object pointer) memory.
  forall Int_f:(Object,
  int32) memory.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_Fresh3(f, 0, Object_alloc_table) and
   (valid_struct_Fresh3(this_3, 0, 0, Object_alloc_table) and
    ("JC_132":
    (("JC_129": Non_null_Object(f, Object_alloc_table)) and
     (("JC_130": Non_null_Object(select(Fresh3_i, this_3),
      Object_alloc_table)) and ("JC_131": (this_3 <> f))))))) ->
  forall Fresh3_i0:(Object, Object pointer) memory.
  forall Int_f0:(Object,
  int32) memory.
  forall Object_alloc_table0:Object alloc_table.
  ("JC_44":
  (("JC_40":
   (("JC_38": Non_null_Object(select(Fresh3_i0, f), Object_alloc_table0)) and
    ("JC_39": (not valid(Object_alloc_table, select(Fresh3_i0, f)))))) and
   ("JC_43":
   (("JC_41": not_assigns(Object_alloc_table, Int_f, Int_f0, pset_empty)) and
    ("JC_42": not_assigns(Object_alloc_table, Fresh3_i, Fresh3_i0,
    pset_singleton(f))))))) ->
  ("JC_142": (select(Fresh3_i0, this_3) <> select(Fresh3_i0, f)))

goal Fresh3_test_safety_po_1:
  forall this_3:Object pointer.
  forall f:Object pointer.
  forall Fresh3_i:(Object,
  Object pointer) memory.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_Fresh3(f, 0, Object_alloc_table) and
   (valid_struct_Fresh3(this_3, 0, 0, Object_alloc_table) and
    ("JC_132":
    (("JC_129": Non_null_Object(f, Object_alloc_table)) and
     (("JC_130": Non_null_Object(select(Fresh3_i, this_3),
      Object_alloc_table)) and ("JC_131": (this_3 <> f))))))) ->
  (offset_max(Object_alloc_table, f) >= 0)

why-2.34/tests/java/oracle/Fibonacci.err.oracle0000644000175000017500000000043512311670312020002 0ustar  rtusersWarning: recursive definition of isfib in generated file
Warning: recursive definition of isfib in generated file
Warning: recursive definition of isfib in generated file
Warning: recursive definition of isfib in generated file
Warning: recursive definition of isfib in generated file
why-2.34/tests/java/oracle/Fresh2.err.oracle0000644000175000017500000000000012311670312017242 0ustar  rtuserswhy-2.34/tests/java/oracle/Negate.res.oracle0000644000175000017500000060061612311670312017340 0ustar  rtusers========== file tests/java/Negate.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

public class negate {

    /*@ requires t != null;
      @ assigns t[0..t.length-1];
      @ ensures \forall integer k; 0 <= k < t.length ==> t[k] == -\old(t[k]);
      @*/
    static void negate(int t[]) {
	int i = 0;
	/*@ loop_invariant
	  @   0 <= i <= t.length &&
	  @   (\forall integer k; 0 <= k < i ==> t[k] == -\at(t[k],Pre)) &&
	  @   (\forall integer k; i <= k < t.length ==> t[k] == \at(t[k],Pre)) ;
	  @ // TODO: replace previous invariant by loop_assigns t[0..i-1];
	  @ loop_variant t.length-i;
	  @*/
	while (i < t.length) {
	    t[i] = -t[i];
	    i++;
	}

    }

}



/*
Local Variables:
compile-command: "make Negate.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_negate for constructor negate
Generating JC function negate_negate for method negate.negate
Done.
========== file tests/java/Negate.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag negate = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_negate(! negate[0] this_0){()}

unit negate_negate(intM[0..] t)
  requires (K_2 : Non_null_intM(t));
behavior default:
  assigns (t + [0..((\offset_max(t) + 1) - 1)]).intP;
  ensures (K_1 : (\forall integer k;
                   (((0 <= k) && (k < (\offset_max(t) + 1))) ==>
                     ((t + k).intP == (- \at((t + k).intP,Old))))));
{  
   {  
      (var integer i = (K_17 : 0));
      
      loop 
      behavior default:
        invariant (K_9 : ((K_8 : ((K_7 : ((K_6 : (0 <= i)) &&
                                           (K_5 : (i <= (\offset_max(t) + 1))))) &&
                                   (K_4 : (\forall integer k_0;
                                            (((0 <= k_0) && (k_0 < i)) ==>
                                              ((t + k_0).intP ==
                                                (- \at((t + k_0).intP,Pre)))))))) &&
                           (K_3 : (\forall integer k_1;
                                    (((i <= k_1) &&
                                       (k_1 < (\offset_max(t) + 1))) ==>
                                      ((t + k_1).intP ==
                                        \at((t + k_1).intP,Pre)))))));
      variant (K_10 : ((\offset_max(t) + 1) - i));
      while ((K_16 : (i < (K_15 : java_array_length_intM(t)))))
      {  
         {  (K_13 : ((t + i).intP = (K_12 : (- (K_11 : (t + i).intP)))));
            (K_14 : (i ++))
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Negate.jloc tests/java/Negate.jc && make -f tests/java/Negate.makefile gui"
End:
*/
========== file tests/java/Negate.jloc ==========
[K_17]
file = "HOME/tests/java/Negate.java"
line = 42
begin = 9
end = 10

[K_11]
file = "HOME/tests/java/Negate.java"
line = 51
begin = 13
end = 17

[K_13]
file = "HOME/tests/java/Negate.java"
line = 51
begin = 5
end = 17

[K_9]
file = "HOME/tests/java/Negate.java"
line = 44
begin = 7
end = 169

[K_1]
file = "HOME/tests/java/Negate.java"
line = 39
begin = 16
end = 76

[K_15]
file = "HOME/tests/java/Negate.java"
line = 50
begin = 12
end = 20

[K_4]
file = "HOME/tests/java/Negate.java"
line = 45
begin = 8
end = 64

[K_12]
file = "HOME/tests/java/Negate.java"
line = 51
begin = 12
end = 17

[K_2]
file = "HOME/tests/java/Negate.java"
line = 37
begin = 17
end = 26

[K_10]
file = "HOME/tests/java/Negate.java"
line = 48
begin = 18
end = 28

[K_6]
file = "HOME/tests/java/Negate.java"
line = 44
begin = 7
end = 13

[K_8]
file = "HOME/tests/java/Negate.java"
line = 44
begin = 7
end = 94

[K_3]
file = "HOME/tests/java/Negate.java"
line = 46
begin = 8
end = 70

[K_14]
file = "HOME/tests/java/Negate.java"
line = 52
begin = 5
end = 8

[negate_negate]
name = "Method negate"
file = "HOME/tests/java/Negate.java"
line = 41
begin = 16
end = 22

[K_5]
file = "HOME/tests/java/Negate.java"
line = 44
begin = 12
end = 25

[cons_negate]
name = "Constructor of class negate"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_7]
file = "HOME/tests/java/Negate.java"
line = 44
begin = 7
end = 25

[K_16]
file = "HOME/tests/java/Negate.java"
line = 50
begin = 8
end = 20

========== jessie execution ==========
Generating Why function cons_negate
Generating Why function negate_negate
========== file tests/java/Negate.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Negate.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Negate.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Negate_why.sx

project: why/Negate.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Negate_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Negate_why.vo

coq/Negate_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Negate_why.v: why/Negate.why
	@echo 'why -coq [...] why/Negate.why' && $(WHY) $(JESSIELIBFILES) why/Negate.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Negate_ctx_why.vo
	for f in why/*_po*.why; do make -f Negate.makefile coq/`basename $$f .why`_why.v ; done

coq/Negate_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Negate_ctx_why.v: why/Negate_ctx.why
	@echo 'why -coq [...] why/Negate_ctx.why' && $(WHY) why/Negate_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Negate_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Negate_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Negate_ctx_why.vo

pvs: pvs/Negate_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Negate_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Negate_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Negate_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Negate_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Negate_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Negate_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Negate_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Negate_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Negate_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Negate_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Negate_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Negate_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Negate_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Negate_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Negate.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Negate_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Negate.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Negate.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Negate.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Negate.depend

depend: coq/Negate_why.v
	-$(COQDEP) -I coq coq/Negate*_why.v > Negate.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Negate.loc ==========
[JC_73]
file = "HOME/tests/java/Negate.java"
line = 44
begin = 12
end = 25

[JC_63]
file = "HOME/tests/java/Negate.java"
line = 44
begin = 7
end = 169

[JC_80]
kind = UserCall
file = "HOME/tests/java/Negate.java"
line = 50
begin = 12
end = 20

[JC_51]
file = "HOME/tests/java/Negate.java"
line = 39
begin = 16
end = 76

[JC_71]
file = "HOME/tests/java/Negate.java"
line = 48
begin = 18
end = 28

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_negate_ensures_default]
name = "Constructor of class negate"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[negate_negate_ensures_default]
name = "Method negate"
behavior = "default behavior"
file = "HOME/tests/java/Negate.java"
line = 41
begin = 16
end = 22

[JC_31]
file = "HOME/tests/java/Negate.jc"
line = 55
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/java/Negate.java"
line = 41
begin = 16
end = 22

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/Negate.jc"
line = 51
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
kind = UserCall
file = "HOME/tests/java/Negate.java"
line = 50
begin = 12
end = 20

[cons_negate_safety]
name = "Constructor of class negate"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Negate.jc"
line = 42
begin = 8
end = 21

[JC_75]
file = "HOME/tests/java/Negate.java"
line = 46
begin = 8
end = 70

[JC_24]
file = "HOME/tests/java/Negate.jc"
line = 50
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/Negate.jc"
line = 51
begin = 11
end = 103

[negate_negate_safety]
name = "Method negate"
behavior = "Safety"
file = "HOME/tests/java/Negate.java"
line = 41
begin = 16
end = 22

[JC_78]
file = "HOME/tests/java/Negate.jc"
line = 77
begin = 6
end = 1025

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/tests/java/Negate.java"
line = 45
begin = 8
end = 64

[JC_47]
file = "HOME/tests/java/Negate.java"
line = 37
begin = 17
end = 26

[JC_52]
file = "HOME/tests/java/Negate.java"
line = 41
begin = 16
end = 22

[JC_26]
file = "HOME/tests/java/Negate.jc"
line = 50
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/Negate.java"
line = 39
begin = 16
end = 76

[JC_79]
file = "HOME/tests/java/Negate.jc"
line = 77
begin = 6
end = 1025

[JC_13]
file = "HOME/tests/java/Negate.jc"
line = 45
begin = 11
end = 66

[JC_11]
file = "HOME/tests/java/Negate.jc"
line = 42
begin = 8
end = 21

[JC_70]
kind = PointerDeref
file = "HOME/tests/java/Negate.jc"
line = 93
begin = 21
end = 70

[JC_15]
file = "HOME/tests/java/Negate.jc"
line = 45
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
kind = PointerDeref
file = "HOME/tests/java/Negate.java"
line = 51
begin = 13
end = 17

[JC_38]
file = "HOME/tests/java/Negate.jc"
line = 57
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/java/Negate.java"
line = 46
begin = 8
end = 70

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/java/Negate.java"
line = 45
begin = 8
end = 64

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/Negate.jc"
line = 68
begin = 9
end = 16

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/java/Negate.jc"
line = 77
begin = 6
end = 1025

[JC_29]
file = "HOME/tests/java/Negate.jc"
line = 55
begin = 8
end = 23

[JC_68]
kind = IndexBounds
file = "HOME/tests/java/Negate.java"
line = 50
begin = 12
end = 20

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/Negate.jc"
line = 44
begin = 10
end = 18

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/Negate.jc"
line = 44
begin = 10
end = 18

[JC_53]
file = "HOME/tests/java/Negate.jc"
line = 68
begin = 9
end = 16

[JC_21]
file = "HOME/tests/java/Negate.jc"
line = 48
begin = 8
end = 30

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/java/Negate.java"
line = 37
begin = 17
end = 26

[JC_1]
file = "HOME/tests/java/Negate.jc"
line = 13
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/Negate.jc"
line = 57
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/tests/java/Negate.jc"
line = 77
begin = 6
end = 1025

[JC_59]
file = "HOME/tests/java/Negate.java"
line = 44
begin = 7
end = 13

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Negate.jc"
line = 13
begin = 12
end = 22

[JC_60]
file = "HOME/tests/java/Negate.java"
line = 44
begin = 12
end = 25

[JC_72]
file = "HOME/tests/java/Negate.java"
line = 44
begin = 7
end = 13

[JC_19]
file = "HOME/tests/java/Negate.jc"
line = 48
begin = 8
end = 30

[JC_76]
file = "HOME/tests/java/Negate.java"
line = 44
begin = 7
end = 169

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Negate.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

predicate left_valid_struct_negate(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

logic negate_tag:  -> Object tag_id

axiom negate_parenttag_Object : parenttag(negate_tag, Object_tag)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate right_valid_struct_negate(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_negate(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_negate(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_negate :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_negate(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, negate_tag)))) }

parameter alloc_struct_negate_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_negate(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, negate_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_negate :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_negate_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter intM_intP : (Object, int) memory ref

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter negate_negate :
 t:Object pointer ->
  { } unit reads Object_alloc_table,intM_intP writes intM_intP
  { (JC_56:
    ((JC_54:
     (forall k:int.
      ((le_int((0), k)
       and lt_int(k, add_int(offset_max(Object_alloc_table, t), (1)))) ->
       (select(intM_intP, shift(t, k)) = neg_int(select(intM_intP@,
                                                 shift(t, k)))))))
    and (JC_55:
        not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
        pset_range(pset_singleton(t), (0),
        sub_int(add_int(offset_max(Object_alloc_table@, t), (1)), (1))))))) }

parameter negate_negate_requires :
 t:Object pointer ->
  { (JC_47: Non_null_intM(t, Object_alloc_table))} unit
  reads Object_alloc_table,intM_intP writes intM_intP
  { (JC_56:
    ((JC_54:
     (forall k:int.
      ((le_int((0), k)
       and lt_int(k, add_int(offset_max(Object_alloc_table, t), (1)))) ->
       (select(intM_intP, shift(t, k)) = neg_int(select(intM_intP@,
                                                 shift(t, k)))))))
    and (JC_55:
        not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
        pset_range(pset_singleton(t), (0),
        sub_int(add_int(offset_max(Object_alloc_table@, t), (1)), (1))))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

let cons_negate_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_negate(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_43: true) }

let cons_negate_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_negate(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let negate_negate_ensures_default =
 fun (t : Object pointer) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (JC_49: Non_null_intM(t, Object_alloc_table))) }
  (init:
  try
   begin
     (let i = ref (K_17: (0)) in
     try
      (loop_2:
      while true do
      { invariant
          ((JC_76:
           ((JC_72: le_int((0), i))
           and ((JC_73:
                le_int(i, add_int(offset_max(Object_alloc_table, t), (1))))
               and ((JC_74:
                    (forall k_0:int.
                     ((le_int((0), k_0) and lt_int(k_0, i)) ->
                      (select(intM_intP, shift(t, k_0)) = neg_int(select(intM_intP@init,
                                                                  shift(t,
                                                                  k_0)))))))
                   and (JC_75:
                       (forall k_1:int.
                        ((le_int(i, k_1)
                         and lt_int(k_1,
                             add_int(offset_max(Object_alloc_table, t), (1)))) ->
                         (select(intM_intP, shift(t, k_1)) = select(intM_intP@init,
                                                             shift(t, k_1))))))))))
          and (JC_78:
              not_assigns(Object_alloc_table@init, intM_intP@init, intM_intP,
              pset_range(pset_singleton(t), (0),
              sub_int(add_int(offset_max(Object_alloc_table@init, t), (1)),
              (1))))))  }
       begin
         [ { } unit { true } ];
        try
         begin
           (if (K_16:
               ((lt_int_ !i) (K_15:
                             (let _jessie_ = t in
                             (JC_80: (java_array_length_intM _jessie_))))))
           then
            (let _jessie_ =
            (K_13:
            begin
              (let _jessie_ =
              (let _jessie_ =
              (K_12:
              (neg_int (K_11: ((safe_acc_ !intM_intP) ((shift t) !i))))) in
              (let _jessie_ = t in
              (let _jessie_ = !i in
              (let _jessie_ = ((shift _jessie_) _jessie_) in
              (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
             (K_14:
             (let _jessie_ = !i in
             begin
               (let _jessie_ = (i := ((add_int _jessie_) (1))) in void);
              _jessie_ end)) end) in void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end); (raise Return) end with Return ->
   void end)
  { (JC_53:
    ((JC_51:
     (forall k:int.
      ((le_int((0), k)
       and lt_int(k, add_int(offset_max(Object_alloc_table, t), (1)))) ->
       (select(intM_intP, shift(t, k)) = neg_int(select(intM_intP@,
                                                 shift(t, k)))))))
    and (JC_52:
        not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
        pset_range(pset_singleton(t), (0),
        sub_int(add_int(offset_max(Object_alloc_table@, t), (1)), (1))))))) }

let negate_negate_safety =
 fun (t : Object pointer) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (JC_49: Non_null_intM(t, Object_alloc_table))) }
  (init:
  try
   begin
     (let i = ref (K_17: (0)) in
     try
      (loop_1:
      while true do
      { invariant (JC_65: true)
        variant (JC_71 : sub_int(add_int(offset_max(Object_alloc_table, t),
                                 (1)),
                         i)) }
       begin
         [ { } unit reads Object_alloc_table,i,intM_intP
           { (JC_63:
             ((JC_59: le_int((0), i))
             and ((JC_60:
                  le_int(i, add_int(offset_max(Object_alloc_table, t), (1))))
                 and ((JC_61:
                      (forall k_0:int.
                       ((le_int((0), k_0) and lt_int(k_0, i)) ->
                        (select(intM_intP, shift(t, k_0)) = neg_int(select(intM_intP@init,
                                                                    shift(t,
                                                                    k_0)))))))
                     and (JC_62:
                         (forall k_1:int.
                          ((le_int(i, k_1)
                           and lt_int(k_1,
                               add_int(offset_max(Object_alloc_table, t),
                               (1)))) ->
                           (select(intM_intP, shift(t, k_1)) = select(intM_intP@init,
                                                               shift(t, k_1)))))))))) } ];
        try
         begin
           (if (K_16:
               ((lt_int_ !i) (K_15:
                             (let _jessie_ = t in
                             (JC_68:
                             (assert
                             { ge_int(offset_max(Object_alloc_table,
                                      _jessie_),
                               (-1)) };
                             (JC_67:
                             (java_array_length_intM_requires _jessie_))))))))
           then
            (let _jessie_ =
            (K_13:
            begin
              (let _jessie_ =
              (let _jessie_ =
              (K_12:
              (neg_int (K_11:
                       (JC_69:
                       ((((offset_acc_ !Object_alloc_table) !intM_intP) t) !i))))) in
              (let _jessie_ = t in
              (let _jessie_ = !i in
              (let _jessie_ = ((shift _jessie_) _jessie_) in
              (JC_70:
              (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
              void);
             (K_14:
             (let _jessie_ = !i in
             begin
               (let _jessie_ = (i := ((add_int _jessie_) (1))) in void);
              _jessie_ end)) end) in void)
           else (raise (Loop_exit_exc void)));
          (raise (Loop_continue_exc void)) end with
         Loop_continue_exc _jessie_ -> void end end done) with
      Loop_exit_exc _jessie_ -> void end); (raise Return) end with Return ->
   void end) { true }


========== make project execution ==========
why --project [...] why/Negate.why
========== file tests/java/why/Negate.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/Negate_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

predicate left_valid_struct_negate(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

logic negate_tag : Object tag_id

axiom negate_parenttag_Object: parenttag(negate_tag, Object_tag)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate right_valid_struct_negate(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_negate(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_negate(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

========== file tests/java/why/Negate_po1.why ==========
goal negate_negate_ensures_default_po_1:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  ("JC_76": ("JC_72": (0 <= 0)))

========== file tests/java/why/Negate_po10.why ==========
goal negate_negate_ensures_default_po_10:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  (("JC_76":
   (("JC_72": (0 <= i)) and
    (("JC_73": (i <= (offset_max(Object_alloc_table, t) + 1))) and
     (("JC_74":
      (forall k_0:int.
        (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
         k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
      ("JC_75":
      (forall k_1:int.
        (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
         (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
         k_1)))))))))) and
   ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
   t) + 1) - 1))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i >= result) ->
  forall k:int.
  ((0 <= k) and (k < (offset_max(Object_alloc_table, t) + 1))) ->
  ("JC_53":
  ("JC_51": (select(intM_intP0, shift(t, k)) = (-select(intM_intP, shift(t,
  k))))))

========== file tests/java/why/Negate_po11.why ==========
goal negate_negate_safety_po_1:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_65": true) ->
  ("JC_63":
  (("JC_59": (0 <= i)) and
   (("JC_60": (i <= (offset_max(Object_alloc_table, t) + 1))) and
    (("JC_61":
     (forall k_0:int.
       (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
        k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
     ("JC_62":
     (forall k_1:int.
       (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
        (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
        k_1)))))))))) ->
  (offset_max(Object_alloc_table, t) >= (-1))

========== file tests/java/why/Negate_po12.why ==========
goal negate_negate_safety_po_2:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_65": true) ->
  ("JC_63":
  (("JC_59": (0 <= i)) and
   (("JC_60": (i <= (offset_max(Object_alloc_table, t) + 1))) and
    (("JC_61":
     (forall k_0:int.
       (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
        k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
     ("JC_62":
     (forall k_1:int.
       (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
        (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
        k_1)))))))))) ->
  (offset_max(Object_alloc_table, t) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  (offset_min(Object_alloc_table, t) <= i)

========== file tests/java/why/Negate_po13.why ==========
goal negate_negate_safety_po_3:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_65": true) ->
  ("JC_63":
  (("JC_59": (0 <= i)) and
   (("JC_60": (i <= (offset_max(Object_alloc_table, t) + 1))) and
    (("JC_61":
     (forall k_0:int.
       (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
        k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
     ("JC_62":
     (forall k_1:int.
       (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
        (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
        k_1)))))))))) ->
  (offset_max(Object_alloc_table, t) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  (i <= offset_max(Object_alloc_table, t))

========== file tests/java/why/Negate_po14.why ==========
goal negate_negate_safety_po_4:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_65": true) ->
  ("JC_63":
  (("JC_59": (0 <= i)) and
   (("JC_60": (i <= (offset_max(Object_alloc_table, t) + 1))) and
    (("JC_61":
     (forall k_0:int.
       (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
        k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
     ("JC_62":
     (forall k_1:int.
       (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
        (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
        k_1)))))))))) ->
  (offset_max(Object_alloc_table, t) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  ((offset_min(Object_alloc_table, t) <= i) and
   (i <= offset_max(Object_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  ((offset_min(Object_alloc_table, t) <= i) and
   (i <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  (0 <= ("JC_71": ((offset_max(Object_alloc_table, t) + 1) - i)))

========== file tests/java/why/Negate_po15.why ==========
goal negate_negate_safety_po_5:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_65": true) ->
  ("JC_63":
  (("JC_59": (0 <= i)) and
   (("JC_60": (i <= (offset_max(Object_alloc_table, t) + 1))) and
    (("JC_61":
     (forall k_0:int.
       (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
        k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
     ("JC_62":
     (forall k_1:int.
       (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
        (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
        k_1)))))))))) ->
  (offset_max(Object_alloc_table, t) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  ((offset_min(Object_alloc_table, t) <= i) and
   (i <= offset_max(Object_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  ((offset_min(Object_alloc_table, t) <= i) and
   (i <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  (("JC_71": ((offset_max(Object_alloc_table, t) + 1) - i0)) < ("JC_71":
                                                               ((offset_max(Object_alloc_table,
                                                               t) + 1) - i)))

========== file tests/java/why/Negate_po2.why ==========
goal negate_negate_ensures_default_po_2:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  ("JC_76": ("JC_73": (0 <= (offset_max(Object_alloc_table, t) + 1))))

========== file tests/java/why/Negate_po3.why ==========
goal negate_negate_ensures_default_po_3:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < 0)) ->
  ("JC_76":
  ("JC_74": (select(intM_intP, shift(t, k_0)) = (-select(intM_intP, shift(t,
  k_0))))))

========== file tests/java/why/Negate_po4.why ==========
goal negate_negate_ensures_default_po_4:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP,
  pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
  t) + 1) - 1))))

========== file tests/java/why/Negate_po5.why ==========
goal negate_negate_ensures_default_po_5:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  (("JC_76":
   (("JC_72": (0 <= i)) and
    (("JC_73": (i <= (offset_max(Object_alloc_table, t) + 1))) and
     (("JC_74":
      (forall k_0:int.
        (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
         k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
      ("JC_75":
      (forall k_1:int.
        (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
         (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
         k_1)))))))))) and
   ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
   t) + 1) - 1))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_76": ("JC_72": (0 <= i0)))

========== file tests/java/why/Negate_po6.why ==========
goal negate_negate_ensures_default_po_6:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  (("JC_76":
   (("JC_72": (0 <= i)) and
    (("JC_73": (i <= (offset_max(Object_alloc_table, t) + 1))) and
     (("JC_74":
      (forall k_0:int.
        (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
         k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
      ("JC_75":
      (forall k_1:int.
        (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
         (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
         k_1)))))))))) and
   ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
   t) + 1) - 1))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_76": ("JC_73": (i0 <= (offset_max(Object_alloc_table, t) + 1))))

========== file tests/java/why/Negate_po7.why ==========
goal negate_negate_ensures_default_po_7:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  (("JC_76":
   (("JC_72": (0 <= i)) and
    (("JC_73": (i <= (offset_max(Object_alloc_table, t) + 1))) and
     (("JC_74":
      (forall k_0:int.
        (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
         k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
      ("JC_75":
      (forall k_1:int.
        (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
         (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
         k_1)))))))))) and
   ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
   t) + 1) - 1))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < i0)) ->
  ("JC_76":
  ("JC_74": (select(intM_intP1, shift(t, k_0)) = (-select(intM_intP, shift(t,
  k_0))))))

========== file tests/java/why/Negate_po8.why ==========
goal negate_negate_ensures_default_po_8:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  (("JC_76":
   (("JC_72": (0 <= i)) and
    (("JC_73": (i <= (offset_max(Object_alloc_table, t) + 1))) and
     (("JC_74":
      (forall k_0:int.
        (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
         k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
      ("JC_75":
      (forall k_1:int.
        (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
         (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
         k_1)))))))))) and
   ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
   t) + 1) - 1))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall k_1:int.
  ((i0 <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
  ("JC_76":
  ("JC_75": (select(intM_intP1, shift(t, k_1)) = select(intM_intP, shift(t,
  k_1)))))

========== file tests/java/why/Negate_po9.why ==========
goal negate_negate_ensures_default_po_9:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  (("JC_76":
   (("JC_72": (0 <= i)) and
    (("JC_73": (i <= (offset_max(Object_alloc_table, t) + 1))) and
     (("JC_74":
      (forall k_0:int.
        (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
         k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
      ("JC_75":
      (forall k_1:int.
        (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
         (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
         k_1)))))))))) and
   ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
   t) + 1) - 1))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP1,
  pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
  t) + 1) - 1))))

========== generation of Simplify VC output ==========
why -simplify [...] why/Negate.why
========== file tests/java/simplify/Negate_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(DEFPRED (left_valid_struct_negate p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(BG_PUSH
 ;; Why axiom negate_parenttag_Object
 (EQ (parenttag negate_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (right_valid_struct_negate p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_negate p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_negate p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

;; negate_negate_ensures_default_po_1, File "HOME/tests/java/Negate.java", line 44, characters 7-13
(FORALL (t)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(<= 0 0))))

;; negate_negate_ensures_default_po_2, File "HOME/tests/java/Negate.java", line 44, characters 12-25
(FORALL (t)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(<= 0 (+ (offset_max Object_alloc_table t) 1)))))

;; negate_negate_ensures_default_po_3, File "HOME/tests/java/Negate.java", line 45, characters 8-64
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 0))
(EQ (select intM_intP (shift t k_0)) (- 0 (select intM_intP (shift t k_0))))))))))

;; negate_negate_ensures_default_po_4, File "HOME/tests/java/Negate.jc", line 77, characters 6-1025
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(not_assigns
Object_alloc_table intM_intP intM_intP (pset_range
                                       (pset_singleton t) 0 (- (+ (offset_max
                                                                  Object_alloc_table t) 1) 1)))))))

;; negate_negate_ensures_default_po_5, File "HOME/tests/java/Negate.java", line 44, characters 7-13
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(FORALL (i)
(FORALL (intM_intP0)
(IMPLIES (AND
         (AND (<= 0 i)
         (AND (<= i (+ (offset_max Object_alloc_table t) 1))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= 0 k_0) (< k_0 i))
         (EQ (select intM_intP0 (shift t k_0))
         (- 0 (select intM_intP (shift t k_0))))))
         (FORALL (k_1)
         (IMPLIES
         (AND (<= i k_1) (< k_1 (+ (offset_max Object_alloc_table t) 1)))
         (EQ (select intM_intP0 (shift t k_1))
         (select intM_intP (shift t k_1))))))))
         (not_assigns
         Object_alloc_table intM_intP intM_intP0 (pset_range
                                                 (pset_singleton t) 0 
                                                 (- (+ (offset_max
                                                       Object_alloc_table t) 1) 1))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t) 1))))
(IMPLIES (< i result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t i)))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i) (- 0 result0)))
(FORALL (i0) (IMPLIES (EQ i0 (+ i 1)) (<= 0 i0)))))))))))))))))

;; negate_negate_ensures_default_po_6, File "HOME/tests/java/Negate.java", line 44, characters 12-25
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(FORALL (i)
(FORALL (intM_intP0)
(IMPLIES (AND
         (AND (<= 0 i)
         (AND (<= i (+ (offset_max Object_alloc_table t) 1))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= 0 k_0) (< k_0 i))
         (EQ (select intM_intP0 (shift t k_0))
         (- 0 (select intM_intP (shift t k_0))))))
         (FORALL (k_1)
         (IMPLIES
         (AND (<= i k_1) (< k_1 (+ (offset_max Object_alloc_table t) 1)))
         (EQ (select intM_intP0 (shift t k_1))
         (select intM_intP (shift t k_1))))))))
         (not_assigns
         Object_alloc_table intM_intP intM_intP0 (pset_range
                                                 (pset_singleton t) 0 
                                                 (- (+ (offset_max
                                                       Object_alloc_table t) 1) 1))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t) 1))))
(IMPLIES (< i result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t i)))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i) (- 0 result0)))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1)) (<= i0 (+ (offset_max Object_alloc_table t) 1))))))))))))))))))

;; negate_negate_ensures_default_po_7, File "HOME/tests/java/Negate.java", line 45, characters 8-64
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(FORALL (i)
(FORALL (intM_intP0)
(IMPLIES (AND
         (AND (<= 0 i)
         (AND (<= i (+ (offset_max Object_alloc_table t) 1))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= 0 k_0) (< k_0 i))
         (EQ (select intM_intP0 (shift t k_0))
         (- 0 (select intM_intP (shift t k_0))))))
         (FORALL (k_1)
         (IMPLIES
         (AND (<= i k_1) (< k_1 (+ (offset_max Object_alloc_table t) 1)))
         (EQ (select intM_intP0 (shift t k_1))
         (select intM_intP (shift t k_1))))))))
         (not_assigns
         Object_alloc_table intM_intP intM_intP0 (pset_range
                                                 (pset_singleton t) 0 
                                                 (- (+ (offset_max
                                                       Object_alloc_table t) 1) 1))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t) 1))))
(IMPLIES (< i result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t i)))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i) (- 0 result0)))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 i0))
(EQ (select intM_intP1 (shift t k_0)) (- 0 (select intM_intP (shift t k_0))))))))))))))))))))))

;; negate_negate_ensures_default_po_8, File "HOME/tests/java/Negate.java", line 46, characters 8-70
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(FORALL (i)
(FORALL (intM_intP0)
(IMPLIES (AND
         (AND (<= 0 i)
         (AND (<= i (+ (offset_max Object_alloc_table t) 1))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= 0 k_0) (< k_0 i))
         (EQ (select intM_intP0 (shift t k_0))
         (- 0 (select intM_intP (shift t k_0))))))
         (FORALL (k_1)
         (IMPLIES
         (AND (<= i k_1) (< k_1 (+ (offset_max Object_alloc_table t) 1)))
         (EQ (select intM_intP0 (shift t k_1))
         (select intM_intP (shift t k_1))))))))
         (not_assigns
         Object_alloc_table intM_intP intM_intP0 (pset_range
                                                 (pset_singleton t) 0 
                                                 (- (+ (offset_max
                                                       Object_alloc_table t) 1) 1))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t) 1))))
(IMPLIES (< i result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t i)))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i) (- 0 result0)))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(FORALL (k_1)
(IMPLIES (AND (<= i0 k_1) (< k_1 (+ (offset_max Object_alloc_table t) 1)))
(EQ (select intM_intP1 (shift t k_1)) (select intM_intP (shift t k_1)))))))))))))))))))))

;; negate_negate_ensures_default_po_9, File "HOME/tests/java/Negate.jc", line 77, characters 6-1025
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(FORALL (i)
(FORALL (intM_intP0)
(IMPLIES (AND
         (AND (<= 0 i)
         (AND (<= i (+ (offset_max Object_alloc_table t) 1))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= 0 k_0) (< k_0 i))
         (EQ (select intM_intP0 (shift t k_0))
         (- 0 (select intM_intP (shift t k_0))))))
         (FORALL (k_1)
         (IMPLIES
         (AND (<= i k_1) (< k_1 (+ (offset_max Object_alloc_table t) 1)))
         (EQ (select intM_intP0 (shift t k_1))
         (select intM_intP (shift t k_1))))))))
         (not_assigns
         Object_alloc_table intM_intP intM_intP0 (pset_range
                                                 (pset_singleton t) 0 
                                                 (- (+ (offset_max
                                                       Object_alloc_table t) 1) 1))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t) 1))))
(IMPLIES (< i result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t i)))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i) (- 0 result0)))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(not_assigns
Object_alloc_table intM_intP intM_intP1 (pset_range
                                        (pset_singleton t) 0 (- (+ (offset_max
                                                                   Object_alloc_table t) 1) 1)))))))))))))))))))

;; negate_negate_ensures_default_po_10, File "HOME/tests/java/Negate.java", line 39, characters 16-76
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(FORALL (i)
(FORALL (intM_intP0)
(IMPLIES (AND
         (AND (<= 0 i)
         (AND (<= i (+ (offset_max Object_alloc_table t) 1))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= 0 k_0) (< k_0 i))
         (EQ (select intM_intP0 (shift t k_0))
         (- 0 (select intM_intP (shift t k_0))))))
         (FORALL (k_1)
         (IMPLIES
         (AND (<= i k_1) (< k_1 (+ (offset_max Object_alloc_table t) 1)))
         (EQ (select intM_intP0 (shift t k_1))
         (select intM_intP (shift t k_1))))))))
         (not_assigns
         Object_alloc_table intM_intP intM_intP0 (pset_range
                                                 (pset_singleton t) 0 
                                                 (- (+ (offset_max
                                                       Object_alloc_table t) 1) 1))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t) 1))))
(IMPLIES (>= i result)
(FORALL (k)
(IMPLIES (AND (<= 0 k) (< k (+ (offset_max Object_alloc_table t) 1)))
(EQ (select intM_intP0 (shift t k)) (- 0 (select intM_intP (shift t k))))))))))))))))

;; negate_negate_safety_po_1, File "why/Negate.why", line 606, characters 31-155
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(FORALL (i)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i)
         (AND (<= i (+ (offset_max Object_alloc_table t) 1))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= 0 k_0) (< k_0 i))
         (EQ (select intM_intP0 (shift t k_0))
         (- 0 (select intM_intP (shift t k_0))))))
         (FORALL (k_1)
         (IMPLIES
         (AND (<= i k_1) (< k_1 (+ (offset_max Object_alloc_table t) 1)))
         (EQ (select intM_intP0 (shift t k_1))
         (select intM_intP (shift t k_1))))))))
(>= (offset_max Object_alloc_table t) (- 0 1))))))))))

;; negate_negate_safety_po_2, File "HOME/tests/java/Negate.java", line 51, characters 13-17
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(FORALL (i)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i)
         (AND (<= i (+ (offset_max Object_alloc_table t) 1))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= 0 k_0) (< k_0 i))
         (EQ (select intM_intP0 (shift t k_0))
         (- 0 (select intM_intP (shift t k_0))))))
         (FORALL (k_1)
         (IMPLIES
         (AND (<= i k_1) (< k_1 (+ (offset_max Object_alloc_table t) 1)))
         (EQ (select intM_intP0 (shift t k_1))
         (select intM_intP (shift t k_1))))))))
(IMPLIES (>= (offset_max Object_alloc_table t) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t) 1))))
(IMPLIES (< i result) (<= (offset_min Object_alloc_table t) i)))))))))))))

;; negate_negate_safety_po_3, File "HOME/tests/java/Negate.java", line 51, characters 13-17
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(FORALL (i)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i)
         (AND (<= i (+ (offset_max Object_alloc_table t) 1))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= 0 k_0) (< k_0 i))
         (EQ (select intM_intP0 (shift t k_0))
         (- 0 (select intM_intP (shift t k_0))))))
         (FORALL (k_1)
         (IMPLIES
         (AND (<= i k_1) (< k_1 (+ (offset_max Object_alloc_table t) 1)))
         (EQ (select intM_intP0 (shift t k_1))
         (select intM_intP (shift t k_1))))))))
(IMPLIES (>= (offset_max Object_alloc_table t) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t) 1))))
(IMPLIES (< i result) (<= i (offset_max Object_alloc_table t))))))))))))))

;; negate_negate_safety_po_4, File "HOME/tests/java/Negate.java", line 48, characters 18-28
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(FORALL (i)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i)
         (AND (<= i (+ (offset_max Object_alloc_table t) 1))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= 0 k_0) (< k_0 i))
         (EQ (select intM_intP0 (shift t k_0))
         (- 0 (select intM_intP (shift t k_0))))))
         (FORALL (k_1)
         (IMPLIES
         (AND (<= i k_1) (< k_1 (+ (offset_max Object_alloc_table t) 1)))
         (EQ (select intM_intP0 (shift t k_1))
         (select intM_intP (shift t k_1))))))))
(IMPLIES (>= (offset_max Object_alloc_table t) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t) 1))))
(IMPLIES (< i result)
(IMPLIES (AND (<= (offset_min Object_alloc_table t) i)
         (<= i (offset_max Object_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t i)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) i)
         (<= i (offset_max Object_alloc_table t)))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i) (- 0 result0)))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(<= 0 (- (+ (offset_max Object_alloc_table t) 1) i))))))))))))))))))))))

;; negate_negate_safety_po_5, File "HOME/tests/java/Negate.java", line 48, characters 18-28
(FORALL (t)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (Non_null_intM t Object_alloc_table))
(FORALL (i)
(FORALL (intM_intP0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i)
         (AND (<= i (+ (offset_max Object_alloc_table t) 1))
         (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= 0 k_0) (< k_0 i))
         (EQ (select intM_intP0 (shift t k_0))
         (- 0 (select intM_intP (shift t k_0))))))
         (FORALL (k_1)
         (IMPLIES
         (AND (<= i k_1) (< k_1 (+ (offset_max Object_alloc_table t) 1)))
         (EQ (select intM_intP0 (shift t k_1))
         (select intM_intP (shift t k_1))))))))
(IMPLIES (>= (offset_max Object_alloc_table t) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t) 1))))
(IMPLIES (< i result)
(IMPLIES (AND (<= (offset_min Object_alloc_table t) i)
         (<= i (offset_max Object_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t i)))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) i)
         (<= i (offset_max Object_alloc_table t)))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t i) (- 0 result0)))
(FORALL (i0)
(IMPLIES (EQ i0 (+ i 1))
(< (- (+ (offset_max Object_alloc_table t) 1) i0) (- (+ (offset_max
                                                        Object_alloc_table t) 1) i))))))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Negate_why.sx        : ............... (15/0/0/0/0)
total   :  15
valid   :  15 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Negate.why
========== file tests/java/why/Negate_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

predicate left_valid_struct_negate(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

logic negate_tag : Object tag_id

axiom negate_parenttag_Object: parenttag(negate_tag, Object_tag)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate right_valid_struct_negate(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_negate(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_negate(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

goal negate_negate_ensures_default_po_1:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  ("JC_76": ("JC_72": (0 <= 0)))

goal negate_negate_ensures_default_po_2:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  ("JC_76": ("JC_73": (0 <= (offset_max(Object_alloc_table, t) + 1))))

goal negate_negate_ensures_default_po_3:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < 0)) ->
  ("JC_76":
  ("JC_74": (select(intM_intP, shift(t, k_0)) = (-select(intM_intP, shift(t,
  k_0))))))

goal negate_negate_ensures_default_po_4:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP,
  pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
  t) + 1) - 1))))

goal negate_negate_ensures_default_po_5:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  (("JC_76":
   (("JC_72": (0 <= i)) and
    (("JC_73": (i <= (offset_max(Object_alloc_table, t) + 1))) and
     (("JC_74":
      (forall k_0:int.
        (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
         k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
      ("JC_75":
      (forall k_1:int.
        (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
         (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
         k_1)))))))))) and
   ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
   t) + 1) - 1))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_76": ("JC_72": (0 <= i0)))

goal negate_negate_ensures_default_po_6:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  (("JC_76":
   (("JC_72": (0 <= i)) and
    (("JC_73": (i <= (offset_max(Object_alloc_table, t) + 1))) and
     (("JC_74":
      (forall k_0:int.
        (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
         k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
      ("JC_75":
      (forall k_1:int.
        (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
         (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
         k_1)))))))))) and
   ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
   t) + 1) - 1))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_76": ("JC_73": (i0 <= (offset_max(Object_alloc_table, t) + 1))))

goal negate_negate_ensures_default_po_7:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  (("JC_76":
   (("JC_72": (0 <= i)) and
    (("JC_73": (i <= (offset_max(Object_alloc_table, t) + 1))) and
     (("JC_74":
      (forall k_0:int.
        (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
         k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
      ("JC_75":
      (forall k_1:int.
        (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
         (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
         k_1)))))))))) and
   ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
   t) + 1) - 1))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < i0)) ->
  ("JC_76":
  ("JC_74": (select(intM_intP1, shift(t, k_0)) = (-select(intM_intP, shift(t,
  k_0))))))

goal negate_negate_ensures_default_po_8:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  (("JC_76":
   (("JC_72": (0 <= i)) and
    (("JC_73": (i <= (offset_max(Object_alloc_table, t) + 1))) and
     (("JC_74":
      (forall k_0:int.
        (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
         k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
      ("JC_75":
      (forall k_1:int.
        (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
         (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
         k_1)))))))))) and
   ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
   t) + 1) - 1))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  forall k_1:int.
  ((i0 <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
  ("JC_76":
  ("JC_75": (select(intM_intP1, shift(t, k_1)) = select(intM_intP, shift(t,
  k_1)))))

goal negate_negate_ensures_default_po_9:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  (("JC_76":
   (("JC_72": (0 <= i)) and
    (("JC_73": (i <= (offset_max(Object_alloc_table, t) + 1))) and
     (("JC_74":
      (forall k_0:int.
        (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
         k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
      ("JC_75":
      (forall k_1:int.
        (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
         (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
         k_1)))))))))) and
   ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
   t) + 1) - 1))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP1,
  pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
  t) + 1) - 1))))

goal negate_negate_ensures_default_po_10:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  (("JC_76":
   (("JC_72": (0 <= i)) and
    (("JC_73": (i <= (offset_max(Object_alloc_table, t) + 1))) and
     (("JC_74":
      (forall k_0:int.
        (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
         k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
      ("JC_75":
      (forall k_1:int.
        (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
         (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
         k_1)))))))))) and
   ("JC_78": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_range(pset_singleton(t), 0, ((offset_max(Object_alloc_table,
   t) + 1) - 1))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i >= result) ->
  forall k:int.
  ((0 <= k) and (k < (offset_max(Object_alloc_table, t) + 1))) ->
  ("JC_53":
  ("JC_51": (select(intM_intP0, shift(t, k)) = (-select(intM_intP, shift(t,
  k))))))

goal negate_negate_safety_po_1:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_65": true) ->
  ("JC_63":
  (("JC_59": (0 <= i)) and
   (("JC_60": (i <= (offset_max(Object_alloc_table, t) + 1))) and
    (("JC_61":
     (forall k_0:int.
       (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
        k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
     ("JC_62":
     (forall k_1:int.
       (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
        (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
        k_1)))))))))) ->
  (offset_max(Object_alloc_table, t) >= (-1))

goal negate_negate_safety_po_2:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_65": true) ->
  ("JC_63":
  (("JC_59": (0 <= i)) and
   (("JC_60": (i <= (offset_max(Object_alloc_table, t) + 1))) and
    (("JC_61":
     (forall k_0:int.
       (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
        k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
     ("JC_62":
     (forall k_1:int.
       (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
        (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
        k_1)))))))))) ->
  (offset_max(Object_alloc_table, t) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  (offset_min(Object_alloc_table, t) <= i)

goal negate_negate_safety_po_3:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_65": true) ->
  ("JC_63":
  (("JC_59": (0 <= i)) and
   (("JC_60": (i <= (offset_max(Object_alloc_table, t) + 1))) and
    (("JC_61":
     (forall k_0:int.
       (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
        k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
     ("JC_62":
     (forall k_1:int.
       (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
        (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
        k_1)))))))))) ->
  (offset_max(Object_alloc_table, t) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  (i <= offset_max(Object_alloc_table, t))

goal negate_negate_safety_po_4:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_65": true) ->
  ("JC_63":
  (("JC_59": (0 <= i)) and
   (("JC_60": (i <= (offset_max(Object_alloc_table, t) + 1))) and
    (("JC_61":
     (forall k_0:int.
       (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
        k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
     ("JC_62":
     (forall k_1:int.
       (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
        (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
        k_1)))))))))) ->
  (offset_max(Object_alloc_table, t) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  ((offset_min(Object_alloc_table, t) <= i) and
   (i <= offset_max(Object_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  ((offset_min(Object_alloc_table, t) <= i) and
   (i <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  (0 <= ("JC_71": ((offset_max(Object_alloc_table, t) + 1) - i)))

goal negate_negate_safety_po_5:
  forall t:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   ("JC_49": Non_null_intM(t, Object_alloc_table))) ->
  forall i:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_65": true) ->
  ("JC_63":
  (("JC_59": (0 <= i)) and
   (("JC_60": (i <= (offset_max(Object_alloc_table, t) + 1))) and
    (("JC_61":
     (forall k_0:int.
       (((0 <= k_0) and (k_0 < i)) -> (select(intM_intP0, shift(t,
        k_0)) = (-select(intM_intP, shift(t, k_0))))))) and
     ("JC_62":
     (forall k_1:int.
       (((i <= k_1) and (k_1 < (offset_max(Object_alloc_table, t) + 1))) ->
        (select(intM_intP0, shift(t, k_1)) = select(intM_intP, shift(t,
        k_1)))))))))) ->
  (offset_max(Object_alloc_table, t) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t) + 1))))) ->
  (i < result) ->
  ((offset_min(Object_alloc_table, t) <= i) and
   (i <= offset_max(Object_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t, i))) ->
  ((offset_min(Object_alloc_table, t) <= i) and
   (i <= offset_max(Object_alloc_table, t))) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, i), (-result0))) ->
  forall i0:int.
  (i0 = (i + 1)) ->
  (("JC_71": ((offset_max(Object_alloc_table, t) + 1) - i0)) < ("JC_71":
                                                               ((offset_max(Object_alloc_table,
                                                               t) + 1) - i)))

why-2.34/tests/java/oracle/SideEffects.err.oracle0000644000175000017500000000000012311670312020275 0ustar  rtuserswhy-2.34/tests/java/oracle/Assertion.res.oracle0000644000175000017500000041522412311670312020103 0ustar  rtusers========== file tests/java/Assertion.java ==========
public class Assertion {
         /*@
           @ ensures \result == 5;
           @*/
         public static int max(int x) {
                 /*@ assert x == 5; @*/
                 return x;
         }
} ========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Assertion for constructor Assertion
Generating JC function Assertion_max for method Assertion.max
Done.
========== file tests/java/Assertion.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Assertion = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Assertion(! Assertion[0] this_0){()}

int32 Assertion_max(int32 x)
behavior default:
  ensures (K_1 : (\result == 5));
{  (K_3 : 
   (assert (K_2 : (x == 5))));
   
   (return x)
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Assertion.jloc tests/java/Assertion.jc && make -f tests/java/Assertion.makefile gui"
End:
*/
========== file tests/java/Assertion.jloc ==========
[K_1]
file = "HOME/tests/java/Assertion.java"
line = 3
begin = 21
end = 33

[K_2]
file = "HOME/tests/java/Assertion.java"
line = 6
begin = 28
end = 34

[Assertion_max]
name = "Method max"
file = "HOME/tests/java/Assertion.java"
line = 5
begin = 27
end = 30

[K_3]
file = "HOME/tests/java/Assertion.java"
line = 6
begin = 28
end = 34

[cons_Assertion]
name = "Constructor of class Assertion"
file = "HOME/"
line = 0
begin = -1
end = -1

========== jessie execution ==========
Generating Why function cons_Assertion
Generating Why function Assertion_max
========== file tests/java/Assertion.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Assertion.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Assertion.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Assertion_why.sx

project: why/Assertion.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Assertion_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Assertion_why.vo

coq/Assertion_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Assertion_why.v: why/Assertion.why
	@echo 'why -coq [...] why/Assertion.why' && $(WHY) $(JESSIELIBFILES) why/Assertion.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Assertion_ctx_why.vo
	for f in why/*_po*.why; do make -f Assertion.makefile coq/`basename $$f .why`_why.v ; done

coq/Assertion_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Assertion_ctx_why.v: why/Assertion_ctx.why
	@echo 'why -coq [...] why/Assertion_ctx.why' && $(WHY) why/Assertion_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Assertion_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Assertion_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Assertion_ctx_why.vo

pvs: pvs/Assertion_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Assertion_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Assertion_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Assertion_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Assertion_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Assertion_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Assertion_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Assertion_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Assertion_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Assertion_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Assertion_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Assertion_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Assertion_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Assertion_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Assertion_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Assertion.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Assertion_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Assertion.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Assertion.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Assertion.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Assertion.depend

depend: coq/Assertion_why.v
	-$(COQDEP) -I coq coq/Assertion*_why.v > Assertion.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Assertion.loc ==========
[JC_31]
file = "HOME/tests/java/Assertion.java"
line = 3
begin = 21
end = 33

[JC_17]
file = "HOME/tests/java/Assertion.jc"
line = 47
begin = 11
end = 65

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Assertion.jc"
line = 45
begin = 8
end = 23

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[Assertion_max_safety]
name = "Method max"
behavior = "Safety"
file = "HOME/tests/java/Assertion.java"
line = 5
begin = 27
end = 30

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Assertion.jc"
line = 45
begin = 8
end = 23

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/Assertion.java"
line = 6
begin = 28
end = 34

[JC_35]
file = "HOME/tests/java/Assertion.java"
line = 6
begin = 28
end = 34

[JC_27]
file = "HOME/tests/java/Assertion.java"
line = 5
begin = 27
end = 30

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Assertion.java"
line = 3
begin = 21
end = 33

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Assertion.java"
line = 5
begin = 27
end = 30

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Assertion.jc"
line = 20
begin = 12
end = 22

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Assertion.jc"
line = 47
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Assertion.jc"
line = 20
begin = 12
end = 22

[Assertion_max_ensures_default]
name = "Method max"
behavior = "default behavior"
file = "HOME/tests/java/Assertion.java"
line = 5
begin = 27
end = 30

[cons_Assertion_ensures_default]
name = "Constructor of class Assertion"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Assertion_safety]
name = "Constructor of class Assertion"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/Assertion.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Assertion_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Assertion_parenttag_Object : parenttag(Assertion_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Assertion(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Assertion(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Assertion(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Assertion(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

parameter Assertion_max :
 x_2:int32 -> { } int32 { (JC_32: (integer_of_int32(result) = (5))) }

parameter Assertion_max_requires :
 x_2:int32 -> { } int32 { (JC_32: (integer_of_int32(result) = (5))) }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Assertion :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Assertion(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Assertion_tag)))) }

parameter alloc_struct_Assertion_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Assertion(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Assertion_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Assertion :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Assertion_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Assertion_max_ensures_default =
 fun (x_2 : int32) ->
  { (JC_30: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   (K_3:
   begin
     (assert { (JC_36: (integer_of_int32(x_2) = (5))) }; void);
    (return := x_2); (raise Return); absurd  end) with Return -> !return end))
  { (JC_31: (integer_of_int32(result) = (5))) }

let Assertion_max_safety =
 fun (x_2 : int32) ->
  { (JC_30: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   (K_3:
   begin
     [ { } unit { (JC_35: (integer_of_int32(x_2) = (5))) } ];
    (return := x_2); (raise Return); absurd  end) with Return -> !return end))
  { true }

let cons_Assertion_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Assertion(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_Assertion_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Assertion(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Assertion.why
========== file tests/java/why/Assertion.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/Assertion_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Assertion_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Assertion_parenttag_Object: parenttag(Assertion_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Assertion(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Assertion(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Assertion(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Assertion(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

========== file tests/java/why/Assertion_po1.why ==========
goal Assertion_max_ensures_default_po_1:
  forall x_2:int32.
  ("JC_30": true) ->
  ("JC_36": (integer_of_int32(x_2) = 5))

========== file tests/java/why/Assertion_po2.why ==========
goal Assertion_max_ensures_default_po_2:
  forall x_2:int32.
  ("JC_30": true) ->
  ("JC_36": (integer_of_int32(x_2) = 5)) ->
  forall return:int32.
  (return = x_2) ->
  ("JC_31": (integer_of_int32(return) = 5))

========== generation of Simplify VC output ==========
why -simplify [...] why/Assertion.why
========== file tests/java/simplify/Assertion_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Assertion_parenttag_Object
 (EQ (parenttag Assertion_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Assertion p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Assertion p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Assertion p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Assertion p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

;; Assertion_max_ensures_default_po_1, File "HOME/tests/java/Assertion.java", line 6, characters 28-34
(FORALL (x_2) (IMPLIES TRUE (EQ (integer_of_int32 x_2) 5)))

;; Assertion_max_ensures_default_po_2, File "HOME/tests/java/Assertion.java", line 3, characters 21-33
(FORALL (x_2)
(IMPLIES TRUE
(IMPLIES (EQ (integer_of_int32 x_2) 5)
(FORALL (return) (IMPLIES (EQ return x_2) (EQ (integer_of_int32 return) 5))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Assertion_why.sx     : ?. (1/0/1/0/0)
total   :   2
valid   :   1 ( 50%)
invalid :   0 (  0%)
unknown :   1 ( 50%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Assertion.why
========== file tests/java/why/Assertion_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Assertion_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Assertion_parenttag_Object: parenttag(Assertion_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Assertion(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Assertion(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Assertion(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Assertion(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

goal Assertion_max_ensures_default_po_1:
  forall x_2:int32.
  ("JC_30": true) ->
  ("JC_36": (integer_of_int32(x_2) = 5))

goal Assertion_max_ensures_default_po_2:
  forall x_2:int32.
  ("JC_30": true) ->
  ("JC_36": (integer_of_int32(x_2) = 5)) ->
  forall return:int32.
  (return = x_2) ->
  ("JC_31": (integer_of_int32(return) = 5))

why-2.34/tests/java/oracle/ArrayMax.res.oracle0000644000175000017500000117527612311670312017673 0ustar  rtusers========== file tests/java/ArrayMax.java ==========
/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 1: Maximum in an array

Given: A non-empty integer array a.

Verify that the index returned by the method max() given below points to
an element maximal in the array.

*/

/*@ axiomatic integer_max {
  @   logic integer max(integer x, integer y);
  @   axiom max_is_ge : \forall integer x y; max(x,y) >= x && max(x,y) >= y;
  @   axiom max_is_some : \forall integer x y; max(x,y) == x || max(x,y) == y;
  @ }
  @*/

public class ArrayMax {


    /*@ requires a.length > 0;
      @ ensures 0 <= \result < a.length &&
      @   \forall integer i; 0 <= i < a.length ==> a[i] <= a[\result];
      @*/
    public static int max(int[] a) {
        int x = 0;
        int y = a.length-1;
        /*@ loop_invariant 0 <= x <= y < a.length &&
          @      \forall integer i;
          @         0 <= i < x || y < i < a.length ==>
          @         a[i] <= max(a[x],a[y]);
          @ loop_variant y - x;
          @*/
        while (x != y) {
            if (a[x] <= a[y]) x++;
                else y--;
        }
        return x;
    }

}

/*
Local Variables:
compile-command: "make ArrayMax.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_ArrayMax for constructor ArrayMax
Generating JC function ArrayMax_max for method ArrayMax.max
Done.
========== file tests/java/ArrayMax.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag ArrayMax = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

axiomatic integer_max {

  logic integer max(integer x, integer y)
   
  axiom max_is_some :
  (\forall integer x_1;
    (\forall integer y_1;
      ((max(x_1, y_1) == x_1) || (max(x_1, y_1) == y_1))))
   
  axiom max_is_ge :
  (\forall integer x_0;
    (\forall integer y_0;
      ((max(x_0, y_0) >= x_0) && (max(x_0, y_0) >= y_0))))
  
}

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_ArrayMax(! ArrayMax[0] this_0){()}

int32 ArrayMax_max(intM[0..] a)
  requires (K_6 : ((\offset_max(a) + 1) > 0));
behavior default:
  ensures (K_5 : ((K_4 : ((K_3 : (0 <= \result)) &&
                           (K_2 : (\result < (\offset_max(a) + 1))))) &&
                   (K_1 : (\forall integer i;
                            (((0 <= i) && (i < (\offset_max(a) + 1))) ==>
                              ((a + i).intP <= (a + \result).intP))))));
{  
   {  
      (var int32 x_2 = (K_23 : 0));
      
      {  
         (var int32 y_2 = (K_22 : (((K_21 : java_array_length_intM(a)) - 1) :> int32)));
         
         {  
            loop 
            behavior default:
              invariant (K_13 : ((K_12 : ((K_11 : ((K_10 : (0 <= x_2)) &&
                                                    (K_9 : (x_2 <= y_2)))) &&
                                           (K_8 : (y_2 <
                                                    (\offset_max(a) + 1))))) &&
                                  (K_7 : (\forall integer i_0;
                                           ((((0 <= i_0) && (i_0 < x_2)) ||
                                              ((y_2 < i_0) &&
                                                (i_0 < (\offset_max(a) + 1)))) ==>
                                             ((a + i_0).intP <=
                                               max((a + x_2).intP,
                                                   (a + y_2).intP)))))));
            variant (K_14 : (y_2 - x_2));
            while ((K_20 : (x_2 != y_2)))
            {  (if (K_19 : ((K_17 : (a + x_2).intP) <=
                             (K_18 : (a + y_2).intP))) then (K_16 : (x_2 ++)) else 
               (K_15 : (y_2 --)))
            };
            
            (return x_2)
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/ArrayMax.jloc tests/java/ArrayMax.jc && make -f tests/java/ArrayMax.makefile gui"
End:
*/
========== file tests/java/ArrayMax.jloc ==========
[ArrayMax_max]
name = "Method max"
file = "HOME/tests/java/ArrayMax.java"
line = 27
begin = 22
end = 25

[K_23]
file = "HOME/tests/java/ArrayMax.java"
line = 28
begin = 16
end = 17

[K_17]
file = "HOME/tests/java/ArrayMax.java"
line = 37
begin = 16
end = 20

[K_11]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 27
end = 38

[K_13]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 27
end = 186

[max_is_some]
name = "Lemma max_is_some"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_9]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 32
end = 38

[K_1]
file = "HOME/tests/java/ArrayMax.java"
line = 25
begin = 10
end = 69

[K_15]
file = "HOME/tests/java/ArrayMax.java"
line = 38
begin = 21
end = 24

[K_4]
file = "HOME/tests/java/ArrayMax.java"
line = 24
begin = 16
end = 39

[K_12]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 27
end = 49

[cons_ArrayMax]
name = "Constructor of class ArrayMax"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_20]
file = "HOME/tests/java/ArrayMax.java"
line = 36
begin = 15
end = 21

[K_2]
file = "HOME/tests/java/ArrayMax.java"
line = 24
begin = 21
end = 39

[K_10]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 27
end = 33

[K_6]
file = "HOME/tests/java/ArrayMax.java"
line = 23
begin = 17
end = 29

[K_8]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 37
end = 49

[K_3]
file = "HOME/tests/java/ArrayMax.java"
line = 24
begin = 16
end = 28

[max_is_ge]
name = "Lemma max_is_ge"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_21]
file = "HOME/tests/java/ArrayMax.java"
line = 29
begin = 16
end = 24

[K_14]
file = "HOME/tests/java/ArrayMax.java"
line = 34
begin = 25
end = 30

[K_19]
file = "HOME/tests/java/ArrayMax.java"
line = 37
begin = 16
end = 28

[K_5]
file = "HOME/tests/java/ArrayMax.java"
line = 24
begin = 16
end = 112

[K_18]
file = "HOME/tests/java/ArrayMax.java"
line = 37
begin = 24
end = 28

[K_7]
file = "HOME/tests/java/ArrayMax.java"
line = 31
begin = 17
end = 133

[K_22]
file = "HOME/tests/java/ArrayMax.java"
line = 29
begin = 16
end = 26

[K_16]
file = "HOME/tests/java/ArrayMax.java"
line = 37
begin = 30
end = 33

========== jessie execution ==========
Generating Why function cons_ArrayMax
Generating Why function ArrayMax_max
========== file tests/java/ArrayMax.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs ArrayMax.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs ArrayMax.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/ArrayMax_why.sx

project: why/ArrayMax.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/ArrayMax_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/ArrayMax_why.vo

coq/ArrayMax_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/ArrayMax_why.v: why/ArrayMax.why
	@echo 'why -coq [...] why/ArrayMax.why' && $(WHY) $(JESSIELIBFILES) why/ArrayMax.why && rm -f coq/jessie_why.v

coq-goals: goals coq/ArrayMax_ctx_why.vo
	for f in why/*_po*.why; do make -f ArrayMax.makefile coq/`basename $$f .why`_why.v ; done

coq/ArrayMax_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/ArrayMax_ctx_why.v: why/ArrayMax_ctx.why
	@echo 'why -coq [...] why/ArrayMax_ctx.why' && $(WHY) why/ArrayMax_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export ArrayMax_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/ArrayMax_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/ArrayMax_ctx_why.vo

pvs: pvs/ArrayMax_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/ArrayMax_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/ArrayMax_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/ArrayMax_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/ArrayMax_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/ArrayMax_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/ArrayMax_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/ArrayMax_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/ArrayMax_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/ArrayMax_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/ArrayMax_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/ArrayMax_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/ArrayMax_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/ArrayMax_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/ArrayMax_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: ArrayMax.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/ArrayMax_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: ArrayMax.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: ArrayMax.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: ArrayMax.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include ArrayMax.depend

depend: coq/ArrayMax_why.v
	-$(COQDEP) -I coq coq/ArrayMax*_why.v > ArrayMax.depend

clean:
	rm -f coq/*.vo

========== file tests/java/ArrayMax.loc ==========
[JC_73]
kind = PointerDeref
file = "HOME/tests/java/ArrayMax.java"
line = 37
begin = 24
end = 28

[JC_63]
kind = ArithOverflow
file = "HOME/tests/java/ArrayMax.java"
line = 29
begin = 16
end = 26

[JC_80]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 37
end = 49

[JC_51]
file = "HOME/tests/java/ArrayMax.java"
line = 24
begin = 16
end = 28

[JC_71]
file = "HOME/tests/java/ArrayMax.jc"
line = 108
begin = 12
end = 1096

[cons_ArrayMax_safety]
name = "Constructor of class ArrayMax"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 27
end = 33

[max_is_some]
name = "Lemma max_is_some"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_85]
file = "HOME/tests/java/ArrayMax.jc"
line = 108
begin = 12
end = 1096

[JC_31]
file = "HOME/tests/java/ArrayMax.jc"
line = 65
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/tests/java/ArrayMax.java"
line = 31
begin = 17
end = 133

[JC_55]
file = "HOME/tests/java/ArrayMax.java"
line = 24
begin = 16
end = 28

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/ArrayMax.jc"
line = 61
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/ArrayMax.java"
line = 31
begin = 17
end = 133

[JC_9]
file = "HOME/tests/java/ArrayMax.jc"
line = 52
begin = 8
end = 21

[JC_75]
kind = ArithOverflow
file = "HOME/tests/java/ArrayMax.jc"
line = 125
begin = 24
end = 30

[JC_24]
file = "HOME/tests/java/ArrayMax.jc"
line = 60
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/ArrayMax.jc"
line = 61
begin = 11
end = 103

[JC_78]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 27
end = 33

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
kind = ArithOverflow
file = "HOME/tests/java/ArrayMax.jc"
line = 124
begin = 69
end = 75

[ArrayMax_max_ensures_default]
name = "Method max"
behavior = "default behavior"
file = "HOME/tests/java/ArrayMax.java"
line = 27
begin = 22
end = 25

[JC_47]
file = "HOME/tests/java/ArrayMax.java"
line = 23
begin = 17
end = 29

[JC_52]
file = "HOME/tests/java/ArrayMax.java"
line = 24
begin = 21
end = 39

[JC_26]
file = "HOME/tests/java/ArrayMax.jc"
line = 60
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/java/ArrayMax.java"
line = 24
begin = 16
end = 112

[JC_79]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 32
end = 38

[JC_13]
file = "HOME/tests/java/ArrayMax.jc"
line = 55
begin = 11
end = 66

[JC_82]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 27
end = 186

[JC_11]
file = "HOME/tests/java/ArrayMax.jc"
line = 52
begin = 8
end = 21

[JC_70]
file = "HOME/tests/java/ArrayMax.jc"
line = 108
begin = 12
end = 1096

[JC_15]
file = "HOME/tests/java/ArrayMax.jc"
line = 55
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/java/ArrayMax.jc"
line = 67
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = IndexBounds
file = "HOME/tests/java/ArrayMax.java"
line = 29
begin = 16
end = 24

[max_is_ge]
name = "Lemma max_is_ge"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
kind = UserCall
file = "HOME/tests/java/ArrayMax.java"
line = 29
begin = 16
end = 24

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/ArrayMax.java"
line = 24
begin = 21
end = 39

[cons_ArrayMax_ensures_default]
name = "Constructor of class ArrayMax"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[ArrayMax_max_safety]
name = "Method max"
behavior = "Safety"
file = "HOME/tests/java/ArrayMax.java"
line = 27
begin = 22
end = 25

[JC_65]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 32
end = 38

[JC_29]
file = "HOME/tests/java/ArrayMax.jc"
line = 65
begin = 8
end = 23

[JC_68]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 27
end = 186

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/ArrayMax.jc"
line = 54
begin = 10
end = 18

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/tests/java/ArrayMax.jc"
line = 108
begin = 12
end = 1096

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/ArrayMax.jc"
line = 54
begin = 10
end = 18

[JC_53]
file = "HOME/tests/java/ArrayMax.java"
line = 25
begin = 10
end = 69

[JC_21]
file = "HOME/tests/java/ArrayMax.jc"
line = 58
begin = 8
end = 30

[JC_77]
kind = UserCall
file = "HOME/tests/java/ArrayMax.java"
line = 29
begin = 16
end = 24

[JC_49]
file = "HOME/tests/java/ArrayMax.java"
line = 23
begin = 17
end = 29

[JC_1]
file = "HOME/tests/java/ArrayMax.jc"
line = 23
begin = 12
end = 22

[JC_37]
file = "HOME/tests/java/ArrayMax.jc"
line = 67
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/ArrayMax.java"
line = 25
begin = 10
end = 69

[JC_66]
file = "HOME/tests/java/ArrayMax.java"
line = 30
begin = 37
end = 49

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/ArrayMax.jc"
line = 23
begin = 12
end = 22

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
kind = PointerDeref
file = "HOME/tests/java/ArrayMax.java"
line = 37
begin = 16
end = 20

[JC_19]
file = "HOME/tests/java/ArrayMax.jc"
line = 58
begin = 8
end = 30

[JC_76]
file = "HOME/tests/java/ArrayMax.java"
line = 34
begin = 25
end = 30

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/java/ArrayMax.java"
line = 24
begin = 16
end = 112

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/ArrayMax.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic ArrayMax_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom ArrayMax_parenttag_Object : parenttag(ArrayMax_tag, Object_tag)

logic Exception_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_ArrayMax(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

logic max: int, int -> int

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_ArrayMax(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_ArrayMax(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_ArrayMax(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom max_is_some :
 (forall x_1_0:int.
  (forall y_1:int. ((max(x_1_0, y_1) = x_1_0) or (max(x_1_0, y_1) = y_1))))

axiom max_is_ge :
 (forall x_0_0:int.
  (forall y_0:int.
   (ge_int(max(x_0_0, y_0), x_0_0) and ge_int(max(x_0_0, y_0), y_0))))

parameter Object_alloc_table : Object alloc_table ref

parameter intM_intP : (Object, int32) memory ref

parameter ArrayMax_max :
 a:Object pointer ->
  { } int32 reads Object_alloc_table,intM_intP
  { (JC_58:
    ((JC_55: le_int((0), integer_of_int32(result)))
    and ((JC_56:
         lt_int(integer_of_int32(result),
         add_int(offset_max(Object_alloc_table, a), (1))))
        and (JC_57:
            (forall i:int.
             ((le_int((0), i)
              and lt_int(i, add_int(offset_max(Object_alloc_table, a), (1)))) ->
              le_int(integer_of_int32(select(intM_intP, shift(a, i))),
              integer_of_int32(select(intM_intP,
                               shift(a, integer_of_int32(result))))))))))) }

parameter ArrayMax_max_requires :
 a:Object pointer ->
  { (JC_47: gt_int(add_int(offset_max(Object_alloc_table, a), (1)), (0)))}
  int32 reads Object_alloc_table,intM_intP
  { (JC_58:
    ((JC_55: le_int((0), integer_of_int32(result)))
    and ((JC_56:
         lt_int(integer_of_int32(result),
         add_int(offset_max(Object_alloc_table, a), (1))))
        and (JC_57:
            (forall i:int.
             ((le_int((0), i)
              and lt_int(i, add_int(offset_max(Object_alloc_table, a), (1)))) ->
              le_int(integer_of_int32(select(intM_intP, shift(a, i))),
              integer_of_int32(select(intM_intP,
                               shift(a, integer_of_int32(result))))))))))) }

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_ArrayMax :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_ArrayMax(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, ArrayMax_tag)))) }

parameter alloc_struct_ArrayMax_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_ArrayMax(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, ArrayMax_tag)))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_ArrayMax :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_ArrayMax_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let ArrayMax_max_ensures_default =
 fun (a : Object pointer) ->
  { (left_valid_struct_intM(a, (0), Object_alloc_table)
    and (JC_49: gt_int(add_int(offset_max(Object_alloc_table, a), (1)), (0)))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let x_2_0 = ref (safe_int32_of_integer_ (K_23: (0))) in
     (let y_2 =
     ref (K_22:
         (safe_int32_of_integer_ ((sub_int (K_21:
                                           (let _jessie_ = a in
                                           (JC_77:
                                           (java_array_length_intM _jessie_))))) (1)))) in
     begin
       try
        (loop_2:
        while true do
        { invariant
            (JC_82:
            ((JC_78: le_int((0), integer_of_int32(x_2_0)))
            and ((JC_79:
                 le_int(integer_of_int32(x_2_0), integer_of_int32(y_2)))
                and ((JC_80:
                     lt_int(integer_of_int32(y_2),
                     add_int(offset_max(Object_alloc_table, a), (1))))
                    and (JC_81:
                        (forall i_0:int.
                         (((le_int((0), i_0)
                           and lt_int(i_0, integer_of_int32(x_2_0)))
                          or (lt_int(integer_of_int32(y_2), i_0)
                             and lt_int(i_0,
                                 add_int(offset_max(Object_alloc_table, a),
                                 (1))))) ->
                          le_int(integer_of_int32(select(intM_intP,
                                                  shift(a, i_0))),
                          max(integer_of_int32(select(intM_intP,
                                               shift(a,
                                               integer_of_int32(x_2_0)))),
                          integer_of_int32(select(intM_intP,
                                           shift(a, integer_of_int32(y_2)))))))))))))
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_20:
                 ((neq_int_ (integer_of_int32 !x_2_0)) (integer_of_int32 !y_2)))
             then
              (let _jessie_ =
              (if (K_19:
                  ((le_int_ (integer_of_int32 (K_17:
                                              ((safe_acc_ !intM_intP) 
                                               ((shift a) (integer_of_int32 !x_2_0)))))) 
                   (integer_of_int32 (K_18:
                                     ((safe_acc_ !intM_intP) ((shift a) 
                                                              (integer_of_int32 !y_2)))))))
              then
               (K_16:
               (let _jessie_ = !x_2_0 in
               begin
                 (let _jessie_ =
                 (x_2_0 := (safe_int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1)))) in
                 void); _jessie_ end))
              else
               (K_15:
               (let _jessie_ = !y_2 in
               begin
                 (let _jessie_ =
                 (y_2 := (safe_int32_of_integer_ ((sub_int (integer_of_int32 _jessie_)) (1)))) in
                 void); _jessie_ end))) in void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !x_2_0);
      (raise Return) end)); absurd  end with Return -> !return end))
  { (JC_54:
    ((JC_51: le_int((0), integer_of_int32(result)))
    and ((JC_52:
         lt_int(integer_of_int32(result),
         add_int(offset_max(Object_alloc_table, a), (1))))
        and (JC_53:
            (forall i:int.
             ((le_int((0), i)
              and lt_int(i, add_int(offset_max(Object_alloc_table, a), (1)))) ->
              le_int(integer_of_int32(select(intM_intP, shift(a, i))),
              integer_of_int32(select(intM_intP,
                               shift(a, integer_of_int32(result))))))))))) }

let ArrayMax_max_safety =
 fun (a : Object pointer) ->
  { (left_valid_struct_intM(a, (0), Object_alloc_table)
    and (JC_49: gt_int(add_int(offset_max(Object_alloc_table, a), (1)), (0)))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let x_2_0 = ref (safe_int32_of_integer_ (K_23: (0))) in
     (let y_2 =
     ref (K_22:
         (JC_63:
         (int32_of_integer_ ((sub_int (K_21:
                                      (let _jessie_ = a in
                                      (JC_62:
                                      (assert
                                      { ge_int(offset_max(Object_alloc_table,
                                               _jessie_),
                                        (-1)) };
                                      (JC_61:
                                      (java_array_length_intM_requires _jessie_))))))) (1))))) in
     begin
       try
        (loop_1:
        while true do
        { invariant (JC_70: true)
          variant (JC_76 : sub_int(integer_of_int32(y_2),
                           integer_of_int32(x_2_0))) }
         begin
           [ { } unit reads Object_alloc_table,intM_intP,x_2_0,y_2
             { (JC_68:
               ((JC_64: le_int((0), integer_of_int32(x_2_0)))
               and ((JC_65:
                    le_int(integer_of_int32(x_2_0), integer_of_int32(y_2)))
                   and ((JC_66:
                        lt_int(integer_of_int32(y_2),
                        add_int(offset_max(Object_alloc_table, a), (1))))
                       and (JC_67:
                           (forall i_0:int.
                            (((le_int((0), i_0)
                              and lt_int(i_0, integer_of_int32(x_2_0)))
                             or (lt_int(integer_of_int32(y_2), i_0)
                                and lt_int(i_0,
                                    add_int(offset_max(Object_alloc_table, a),
                                    (1))))) ->
                             le_int(integer_of_int32(select(intM_intP,
                                                     shift(a, i_0))),
                             max(integer_of_int32(select(intM_intP,
                                                  shift(a,
                                                  integer_of_int32(x_2_0)))),
                             integer_of_int32(select(intM_intP,
                                              shift(a, integer_of_int32(y_2))))))))))))) } ];
          try
           begin
             (if (K_20:
                 ((neq_int_ (integer_of_int32 !x_2_0)) (integer_of_int32 !y_2)))
             then
              (let _jessie_ =
              (if (K_19:
                  ((le_int_ (integer_of_int32 (K_17:
                                              (JC_72:
                                              ((((offset_acc_ !Object_alloc_table) !intM_intP) a) 
                                               (integer_of_int32 !x_2_0)))))) 
                   (integer_of_int32 (K_18:
                                     (JC_73:
                                     ((((offset_acc_ !Object_alloc_table) !intM_intP) a) 
                                      (integer_of_int32 !y_2)))))))
              then
               (K_16:
               (let _jessie_ = !x_2_0 in
               begin
                 (let _jessie_ =
                 (x_2_0 := (JC_74:
                           (int32_of_integer_ ((add_int (integer_of_int32 _jessie_)) (1))))) in
                 void); _jessie_ end))
              else
               (K_15:
               (let _jessie_ = !y_2 in
               begin
                 (let _jessie_ =
                 (y_2 := (JC_75:
                         (int32_of_integer_ ((sub_int (integer_of_int32 _jessie_)) (1))))) in
                 void); _jessie_ end))) in void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !x_2_0);
      (raise Return) end)); absurd  end with Return -> !return end)) 
  { true }

let cons_ArrayMax_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_ArrayMax(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_43: true) }

let cons_ArrayMax_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_ArrayMax(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/ArrayMax.why
========== file tests/java/why/ArrayMax.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  

========== file tests/java/why/ArrayMax_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic ArrayMax_tag : Object tag_id

logic Object_tag : Object tag_id

axiom ArrayMax_parenttag_Object: parenttag(ArrayMax_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_ArrayMax(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

logic max : int, int -> int

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_ArrayMax(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_ArrayMax(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_ArrayMax(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom max_is_some:
  (forall x_1_0:int.
    (forall y_1:int. ((max(x_1_0, y_1) = x_1_0) or (max(x_1_0, y_1) = y_1))))

axiom max_is_ge:
  (forall x_0_0:int.
    (forall y_0:int.
      ((max(x_0_0, y_0) >= x_0_0) and (max(x_0_0, y_0) >= y_0))))

========== file tests/java/why/ArrayMax_po1.why ==========
goal ArrayMax_max_ensures_default_po_1:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  ("JC_82": ("JC_78": (0 <= integer_of_int32(result))))

========== file tests/java/why/ArrayMax_po10.why ==========
goal ArrayMax_max_ensures_default_po_10:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(y_2) - 1)) ->
  forall y_2_0:int32.
  (y_2_0 = result4) ->
  ("JC_82":
  ("JC_80": (integer_of_int32(y_2_0) < (offset_max(Object_alloc_table,
  a) + 1))))

========== file tests/java/why/ArrayMax_po11.why ==========
goal ArrayMax_max_ensures_default_po_11:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(y_2) - 1)) ->
  forall y_2_0:int32.
  (y_2_0 = result4) ->
  forall i_0:int.
  (((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
   ((integer_of_int32(y_2_0) < i_0) and
    (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
  ("JC_82":
  ("JC_81": (integer_of_int32(select(intM_intP, shift(a,
  i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(y_2_0))))))))

========== file tests/java/why/ArrayMax_po12.why ==========
goal ArrayMax_max_ensures_default_po_12:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) = integer_of_int32(y_2)) ->
  forall return:int32.
  (return = x_2_0) ->
  ("JC_54": ("JC_51": (0 <= integer_of_int32(return))))

========== file tests/java/why/ArrayMax_po13.why ==========
goal ArrayMax_max_ensures_default_po_13:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) = integer_of_int32(y_2)) ->
  forall return:int32.
  (return = x_2_0) ->
  ("JC_54":
  ("JC_52": (integer_of_int32(return) < (offset_max(Object_alloc_table,
  a) + 1))))

========== file tests/java/why/ArrayMax_po14.why ==========
goal ArrayMax_max_ensures_default_po_14:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) = integer_of_int32(y_2)) ->
  forall return:int32.
  (return = x_2_0) ->
  forall i:int.
  ((0 <= i) and (i < (offset_max(Object_alloc_table, a) + 1))) ->
  ("JC_54":
  ("JC_53": (integer_of_int32(select(intM_intP, shift(a,
  i))) <= integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(return)))))))

========== file tests/java/why/ArrayMax_po15.why ==========
goal ArrayMax_max_safety_po_1:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1))

========== file tests/java/why/ArrayMax_po16.why ==========
goal ArrayMax_max_safety_po_2:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  ((-2147483648) <= (result0 - 1))

========== file tests/java/why/ArrayMax_po17.why ==========
goal ArrayMax_max_safety_po_3:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  ((result0 - 1) <= 2147483647)

========== file tests/java/why/ArrayMax_po18.why ==========
goal ArrayMax_max_safety_po_4:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  (offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0))

========== file tests/java/why/ArrayMax_po19.why ==========
goal ArrayMax_max_safety_po_5:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))

========== file tests/java/why/ArrayMax_po2.why ==========
goal ArrayMax_max_ensures_default_po_2:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  ("JC_82":
  ("JC_79": (integer_of_int32(result) <= integer_of_int32(result1))))

========== file tests/java/why/ArrayMax_po20.why ==========
goal ArrayMax_max_safety_po_6:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  (offset_min(Object_alloc_table, a) <= integer_of_int32(y_2))

========== file tests/java/why/ArrayMax_po21.why ==========
goal ArrayMax_max_safety_po_7:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))

========== file tests/java/why/ArrayMax_po22.why ==========
goal ArrayMax_max_safety_po_8:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  ((-2147483648) <= (integer_of_int32(x_2_0) + 1))

========== file tests/java/why/ArrayMax_po23.why ==========
goal ArrayMax_max_safety_po_9:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  ((integer_of_int32(x_2_0) + 1) <= 2147483647)

========== file tests/java/why/ArrayMax_po24.why ==========
goal ArrayMax_max_safety_po_10:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  (((-2147483648) <= (integer_of_int32(x_2_0) + 1)) and
   ((integer_of_int32(x_2_0) + 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(x_2_0) + 1)) ->
  forall x_2_0_0:int32.
  (x_2_0_0 = result4) ->
  (0 <= ("JC_76": (integer_of_int32(y_2) - integer_of_int32(x_2_0))))

========== file tests/java/why/ArrayMax_po25.why ==========
goal ArrayMax_max_safety_po_11:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  (((-2147483648) <= (integer_of_int32(x_2_0) + 1)) and
   ((integer_of_int32(x_2_0) + 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(x_2_0) + 1)) ->
  forall x_2_0_0:int32.
  (x_2_0_0 = result4) ->
  (("JC_76": (integer_of_int32(y_2) - integer_of_int32(x_2_0_0))) < ("JC_76":
                                                                    (integer_of_int32(y_2) - integer_of_int32(x_2_0))))

========== file tests/java/why/ArrayMax_po26.why ==========
goal ArrayMax_max_safety_po_12:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  ((-2147483648) <= (integer_of_int32(y_2) - 1))

========== file tests/java/why/ArrayMax_po27.why ==========
goal ArrayMax_max_safety_po_13:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  ((integer_of_int32(y_2) - 1) <= 2147483647)

========== file tests/java/why/ArrayMax_po28.why ==========
goal ArrayMax_max_safety_po_14:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  (((-2147483648) <= (integer_of_int32(y_2) - 1)) and
   ((integer_of_int32(y_2) - 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(y_2) - 1)) ->
  forall y_2_0:int32.
  (y_2_0 = result4) ->
  (0 <= ("JC_76": (integer_of_int32(y_2) - integer_of_int32(x_2_0))))

========== file tests/java/why/ArrayMax_po29.why ==========
goal ArrayMax_max_safety_po_15:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  (((-2147483648) <= (integer_of_int32(y_2) - 1)) and
   ((integer_of_int32(y_2) - 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(y_2) - 1)) ->
  forall y_2_0:int32.
  (y_2_0 = result4) ->
  (("JC_76": (integer_of_int32(y_2_0) - integer_of_int32(x_2_0))) < ("JC_76":
                                                                    (integer_of_int32(y_2) - integer_of_int32(x_2_0))))

========== file tests/java/why/ArrayMax_po3.why ==========
goal ArrayMax_max_ensures_default_po_3:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  ("JC_82":
  ("JC_80": (integer_of_int32(result1) < (offset_max(Object_alloc_table,
  a) + 1))))

========== file tests/java/why/ArrayMax_po4.why ==========
goal ArrayMax_max_ensures_default_po_4:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall i_0:int.
  (((0 <= i_0) and (i_0 < integer_of_int32(result))) or
   ((integer_of_int32(result1) < i_0) and
    (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
  ("JC_82":
  ("JC_81": (integer_of_int32(select(intM_intP, shift(a,
  i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(result)))), integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(result1))))))))

========== file tests/java/why/ArrayMax_po5.why ==========
goal ArrayMax_max_ensures_default_po_5:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(x_2_0) + 1)) ->
  forall x_2_0_0:int32.
  (x_2_0_0 = result4) ->
  ("JC_82": ("JC_78": (0 <= integer_of_int32(x_2_0_0))))

========== file tests/java/why/ArrayMax_po6.why ==========
goal ArrayMax_max_ensures_default_po_6:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(x_2_0) + 1)) ->
  forall x_2_0_0:int32.
  (x_2_0_0 = result4) ->
  ("JC_82": ("JC_79": (integer_of_int32(x_2_0_0) <= integer_of_int32(y_2))))

========== file tests/java/why/ArrayMax_po7.why ==========
goal ArrayMax_max_ensures_default_po_7:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(x_2_0) + 1)) ->
  forall x_2_0_0:int32.
  (x_2_0_0 = result4) ->
  ("JC_82":
  ("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
  a) + 1))))

========== file tests/java/why/ArrayMax_po8.why ==========
goal ArrayMax_max_ensures_default_po_8:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(x_2_0) + 1)) ->
  forall x_2_0_0:int32.
  (x_2_0_0 = result4) ->
  forall i_0:int.
  (((0 <= i_0) and (i_0 < integer_of_int32(x_2_0_0))) or
   ((integer_of_int32(y_2) < i_0) and (i_0 < (offset_max(Object_alloc_table,
    a) + 1)))) ->
  ("JC_82":
  ("JC_81": (integer_of_int32(select(intM_intP, shift(a,
  i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(x_2_0_0)))), integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(y_2))))))))

========== file tests/java/why/ArrayMax_po9.why ==========
goal ArrayMax_max_ensures_default_po_9:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(y_2) - 1)) ->
  forall y_2_0:int32.
  (y_2_0 = result4) ->
  ("JC_82": ("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2_0))))

========== generation of Simplify VC output ==========
why -simplify [...] why/ArrayMax.why
========== file tests/java/simplify/ArrayMax_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom ArrayMax_parenttag_Object
 (EQ (parenttag ArrayMax_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_ArrayMax p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_ArrayMax p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_ArrayMax p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_ArrayMax p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom max_is_some
 (FORALL (x_1_0 y_1)
 (OR (EQ (max x_1_0 y_1) x_1_0) (EQ (max x_1_0 y_1) y_1))))

(BG_PUSH
 ;; Why axiom max_is_ge
 (FORALL (x_0_0 y_0)
 (AND (>= (max x_0_0 y_0) x_0_0) (>= (max x_0_0 y_0) y_0))))

;; ArrayMax_max_ensures_default_po_1, File "HOME/tests/java/ArrayMax.java", line 30, characters 27-33
(FORALL (a)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(<= 0 (integer_of_int32 result)))))))))))

;; ArrayMax_max_ensures_default_po_2, File "HOME/tests/java/ArrayMax.java", line 30, characters 32-38
(FORALL (a)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(<= (integer_of_int32 result) (integer_of_int32 result1)))))))))))

;; ArrayMax_max_ensures_default_po_3, File "HOME/tests/java/ArrayMax.java", line 30, characters 37-49
(FORALL (a)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(< (integer_of_int32 result1) (+ (offset_max Object_alloc_table a) 1)))))))))))

;; ArrayMax_max_ensures_default_po_4, File "HOME/tests/java/ArrayMax.java", line 31, characters 17-133
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (i_0)
(IMPLIES (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 result)))
         (AND (< (integer_of_int32 result1) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
(<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                        (integer_of_int32
                                                        (select
                                                        intM_intP (shift
                                                                  a (integer_of_int32
                                                                    result)))) 
                                                        (integer_of_int32
                                                        (select
                                                        intM_intP (shift
                                                                  a (integer_of_int32
                                                                    result1))))))))))))))))))

;; ArrayMax_max_ensures_default_po_5, File "HOME/tests/java/ArrayMax.java", line 30, characters 27-33
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (<= (integer_of_int32 result2) (integer_of_int32 result3))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 x_2_0) 1))
(FORALL (x_2_0_0)
(IMPLIES (EQ x_2_0_0 result4) (<= 0 (integer_of_int32 x_2_0_0)))))))))))))))))))))))))

;; ArrayMax_max_ensures_default_po_6, File "HOME/tests/java/ArrayMax.java", line 30, characters 32-38
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (<= (integer_of_int32 result2) (integer_of_int32 result3))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 x_2_0) 1))
(FORALL (x_2_0_0)
(IMPLIES (EQ x_2_0_0 result4)
(<= (integer_of_int32 x_2_0_0) (integer_of_int32 y_2)))))))))))))))))))))))))

;; ArrayMax_max_ensures_default_po_7, File "HOME/tests/java/ArrayMax.java", line 30, characters 37-49
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (<= (integer_of_int32 result2) (integer_of_int32 result3))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 x_2_0) 1))
(FORALL (x_2_0_0)
(IMPLIES (EQ x_2_0_0 result4)
(< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1)))))))))))))))))))))))))

;; ArrayMax_max_ensures_default_po_8, File "HOME/tests/java/ArrayMax.java", line 31, characters 17-133
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (<= (integer_of_int32 result2) (integer_of_int32 result3))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 x_2_0) 1))
(FORALL (x_2_0_0)
(IMPLIES (EQ x_2_0_0 result4)
(FORALL (i_0)
(IMPLIES (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
(<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                        (integer_of_int32
                                                        (select
                                                        intM_intP (shift
                                                                  a (integer_of_int32
                                                                    x_2_0_0)))) 
                                                        (integer_of_int32
                                                        (select
                                                        intM_intP (shift
                                                                  a (integer_of_int32
                                                                    y_2)))))))))))))))))))))))))))))))

;; ArrayMax_max_ensures_default_po_9, File "HOME/tests/java/ArrayMax.java", line 30, characters 32-38
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (> (integer_of_int32 result2) (integer_of_int32 result3))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (- (integer_of_int32 y_2) 1))
(FORALL (y_2_0)
(IMPLIES (EQ y_2_0 result4)
(<= (integer_of_int32 x_2_0) (integer_of_int32 y_2_0)))))))))))))))))))))))))

;; ArrayMax_max_ensures_default_po_10, File "HOME/tests/java/ArrayMax.java", line 30, characters 37-49
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (> (integer_of_int32 result2) (integer_of_int32 result3))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (- (integer_of_int32 y_2) 1))
(FORALL (y_2_0)
(IMPLIES (EQ y_2_0 result4)
(< (integer_of_int32 y_2_0) (+ (offset_max Object_alloc_table a) 1)))))))))))))))))))))))))

;; ArrayMax_max_ensures_default_po_11, File "HOME/tests/java/ArrayMax.java", line 31, characters 17-133
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (> (integer_of_int32 result2) (integer_of_int32 result3))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (- (integer_of_int32 y_2) 1))
(FORALL (y_2_0)
(IMPLIES (EQ y_2_0 result4)
(FORALL (i_0)
(IMPLIES (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2_0) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
(<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                        (integer_of_int32
                                                        (select
                                                        intM_intP (shift
                                                                  a (integer_of_int32
                                                                    x_2_0)))) 
                                                        (integer_of_int32
                                                        (select
                                                        intM_intP (shift
                                                                  a (integer_of_int32
                                                                    y_2_0)))))))))))))))))))))))))))))))

;; ArrayMax_max_ensures_default_po_12, File "HOME/tests/java/ArrayMax.java", line 24, characters 16-28
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (EQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(FORALL (return)
(IMPLIES (EQ return x_2_0) (<= 0 (integer_of_int32 return))))))))))))))))))

;; ArrayMax_max_ensures_default_po_13, File "HOME/tests/java/ArrayMax.java", line 24, characters 21-39
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (EQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(FORALL (return)
(IMPLIES (EQ return x_2_0)
(< (integer_of_int32 return) (+ (offset_max Object_alloc_table a) 1))))))))))))))))))

;; ArrayMax_max_ensures_default_po_14, File "HOME/tests/java/ArrayMax.java", line 25, characters 10-69
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (EQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(FORALL (return)
(IMPLIES (EQ return x_2_0)
(FORALL (i)
(IMPLIES (AND (<= 0 i) (< i (+ (offset_max Object_alloc_table a) 1)))
(<= (integer_of_int32 (select intM_intP (shift a i))) (integer_of_int32
                                                      (select
                                                      intM_intP (shift
                                                                a (integer_of_int32
                                                                  return)))))))))))))))))))))))

;; ArrayMax_max_safety_po_1, File "why/ArrayMax.why", line 763, characters 40-182
(FORALL (a)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(>= (offset_max Object_alloc_table a) (- 0 1)))))))

;; ArrayMax_max_safety_po_2, File "HOME/tests/java/ArrayMax.java", line 29, characters 16-26
(FORALL (a)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(<= (- 0 constant_too_large_2147483648) (- result0 1))))))))))

;; ArrayMax_max_safety_po_3, File "HOME/tests/java/ArrayMax.java", line 29, characters 16-26
(FORALL (a)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(<= (- result0 1) constant_too_large_2147483647)))))))))

;; ArrayMax_max_safety_po_4, File "HOME/tests/java/ArrayMax.java", line 37, characters 16-20
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(<= (offset_min Object_alloc_table a) (integer_of_int32 x_2_0)))))))))))))))))))

;; ArrayMax_max_safety_po_5, File "HOME/tests/java/ArrayMax.java", line 37, characters 16-20
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(<= (integer_of_int32 x_2_0) (offset_max Object_alloc_table a)))))))))))))))))))

;; ArrayMax_max_safety_po_6, File "HOME/tests/java/ArrayMax.java", line 37, characters 24-28
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 x_2_0))
         (<= (integer_of_int32 x_2_0) (offset_max Object_alloc_table a)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(<= (offset_min Object_alloc_table a) (integer_of_int32 y_2))))))))))))))))))))))

;; ArrayMax_max_safety_po_7, File "HOME/tests/java/ArrayMax.java", line 37, characters 24-28
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 x_2_0))
         (<= (integer_of_int32 x_2_0) (offset_max Object_alloc_table a)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(<= (integer_of_int32 y_2) (offset_max Object_alloc_table a))))))))))))))))))))))

;; ArrayMax_max_safety_po_8, File "HOME/tests/java/ArrayMax.jc", line 124, characters 69-75
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 x_2_0))
         (<= (integer_of_int32 x_2_0) (offset_max Object_alloc_table a)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 y_2))
         (<= (integer_of_int32 y_2) (offset_max Object_alloc_table a)))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (<= (integer_of_int32 result2) (integer_of_int32 result3))
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 x_2_0) 1))))))))))))))))))))))))))

;; ArrayMax_max_safety_po_9, File "HOME/tests/java/ArrayMax.jc", line 124, characters 69-75
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 x_2_0))
         (<= (integer_of_int32 x_2_0) (offset_max Object_alloc_table a)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 y_2))
         (<= (integer_of_int32 y_2) (offset_max Object_alloc_table a)))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (<= (integer_of_int32 result2) (integer_of_int32 result3))
(<= (+ (integer_of_int32 x_2_0) 1) constant_too_large_2147483647)))))))))))))))))))))))))

;; ArrayMax_max_safety_po_10, File "HOME/tests/java/ArrayMax.java", line 34, characters 25-30
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 x_2_0))
         (<= (integer_of_int32 x_2_0) (offset_max Object_alloc_table a)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 y_2))
         (<= (integer_of_int32 y_2) (offset_max Object_alloc_table a)))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (<= (integer_of_int32 result2) (integer_of_int32 result3))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 x_2_0) 1))
         (<= (+ (integer_of_int32 x_2_0) 1) constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 x_2_0) 1))
(FORALL (x_2_0_0)
(IMPLIES (EQ x_2_0_0 result4)
(<= 0 (- (integer_of_int32 y_2) (integer_of_int32 x_2_0))))))))))))))))))))))))))))))))

;; ArrayMax_max_safety_po_11, File "HOME/tests/java/ArrayMax.java", line 34, characters 25-30
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 x_2_0))
         (<= (integer_of_int32 x_2_0) (offset_max Object_alloc_table a)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 y_2))
         (<= (integer_of_int32 y_2) (offset_max Object_alloc_table a)))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (<= (integer_of_int32 result2) (integer_of_int32 result3))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 x_2_0) 1))
         (<= (+ (integer_of_int32 x_2_0) 1) constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 x_2_0) 1))
(FORALL (x_2_0_0)
(IMPLIES (EQ x_2_0_0 result4)
(< (- (integer_of_int32 y_2) (integer_of_int32 x_2_0_0)) (- (integer_of_int32
                                                            y_2) (integer_of_int32
                                                                 x_2_0))))))))))))))))))))))))))))))))

;; ArrayMax_max_safety_po_12, File "HOME/tests/java/ArrayMax.jc", line 125, characters 24-30
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 x_2_0))
         (<= (integer_of_int32 x_2_0) (offset_max Object_alloc_table a)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 y_2))
         (<= (integer_of_int32 y_2) (offset_max Object_alloc_table a)))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (> (integer_of_int32 result2) (integer_of_int32 result3))
(<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 y_2) 1))))))))))))))))))))))))))

;; ArrayMax_max_safety_po_13, File "HOME/tests/java/ArrayMax.jc", line 125, characters 24-30
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 x_2_0))
         (<= (integer_of_int32 x_2_0) (offset_max Object_alloc_table a)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 y_2))
         (<= (integer_of_int32 y_2) (offset_max Object_alloc_table a)))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (> (integer_of_int32 result2) (integer_of_int32 result3))
(<= (- (integer_of_int32 y_2) 1) constant_too_large_2147483647)))))))))))))))))))))))))

;; ArrayMax_max_safety_po_14, File "HOME/tests/java/ArrayMax.java", line 34, characters 25-30
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 x_2_0))
         (<= (integer_of_int32 x_2_0) (offset_max Object_alloc_table a)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 y_2))
         (<= (integer_of_int32 y_2) (offset_max Object_alloc_table a)))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (> (integer_of_int32 result2) (integer_of_int32 result3))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 y_2) 1))
         (<= (- (integer_of_int32 y_2) 1) constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (- (integer_of_int32 y_2) 1))
(FORALL (y_2_0)
(IMPLIES (EQ y_2_0 result4)
(<= 0 (- (integer_of_int32 y_2) (integer_of_int32 x_2_0))))))))))))))))))))))))))))))))

;; ArrayMax_max_safety_po_15, File "HOME/tests/java/ArrayMax.java", line 34, characters 25-30
(FORALL (a)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM a 0 Object_alloc_table)
         (> (+ (offset_max Object_alloc_table a) 1) 0))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(IMPLIES (>= (offset_max Object_alloc_table a) (- 0 1))
(FORALL (result0)
(IMPLIES (AND (<= result0 constant_too_large_2147483647)
         (AND (>= result0 0)
         (EQ result0 (+ (offset_max Object_alloc_table a) 1))))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) (- result0 1))
         (<= (- result0 1) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- result0 1))
(FORALL (x_2_0)
(FORALL (y_2)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 x_2_0))
         (AND (<= (integer_of_int32 x_2_0) (integer_of_int32 y_2))
         (AND
         (< (integer_of_int32 y_2) (+ (offset_max Object_alloc_table a) 1))
         (FORALL (i_0)
         (IMPLIES
         (OR (AND (<= 0 i_0) (< i_0 (integer_of_int32 x_2_0)))
         (AND (< (integer_of_int32 y_2) i_0)
         (< i_0 (+ (offset_max Object_alloc_table a) 1))))
         (<= (integer_of_int32 (select intM_intP (shift a i_0))) (max
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   x_2_0)))) 
                                                                 (integer_of_int32
                                                                 (select
                                                                 intM_intP 
                                                                 (shift
                                                                 a (integer_of_int32
                                                                   y_2)))))))))))
(IMPLIES (NEQ (integer_of_int32 x_2_0) (integer_of_int32 y_2))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 x_2_0))
         (<= (integer_of_int32 x_2_0) (offset_max Object_alloc_table a)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift a (integer_of_int32 x_2_0))))
(IMPLIES (AND (<= (offset_min Object_alloc_table a) (integer_of_int32 y_2))
         (<= (integer_of_int32 y_2) (offset_max Object_alloc_table a)))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift a (integer_of_int32 y_2))))
(IMPLIES (> (integer_of_int32 result2) (integer_of_int32 result3))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 y_2) 1))
         (<= (- (integer_of_int32 y_2) 1) constant_too_large_2147483647))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (- (integer_of_int32 y_2) 1))
(FORALL (y_2_0)
(IMPLIES (EQ y_2_0 result4)
(< (- (integer_of_int32 y_2_0) (integer_of_int32 x_2_0)) (- (integer_of_int32
                                                            y_2) (integer_of_int32
                                                                 x_2_0))))))))))))))))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/ArrayMax_why.sx      : ............................. (29/0/0/0/0)
total   :  29
valid   :  29 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/ArrayMax.why
========== file tests/java/why/ArrayMax_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic ArrayMax_tag : Object tag_id

logic Object_tag : Object tag_id

axiom ArrayMax_parenttag_Object: parenttag(ArrayMax_tag, Object_tag)

logic Exception_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_ArrayMax(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

logic max : int, int -> int

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_ArrayMax(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_ArrayMax(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_ArrayMax(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom max_is_some:
  (forall x_1_0:int.
    (forall y_1:int. ((max(x_1_0, y_1) = x_1_0) or (max(x_1_0, y_1) = y_1))))

axiom max_is_ge:
  (forall x_0_0:int.
    (forall y_0:int.
      ((max(x_0_0, y_0) >= x_0_0) and (max(x_0_0, y_0) >= y_0))))

goal ArrayMax_max_ensures_default_po_1:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  ("JC_82": ("JC_78": (0 <= integer_of_int32(result))))

goal ArrayMax_max_ensures_default_po_2:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  ("JC_82":
  ("JC_79": (integer_of_int32(result) <= integer_of_int32(result1))))

goal ArrayMax_max_ensures_default_po_3:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  ("JC_82":
  ("JC_80": (integer_of_int32(result1) < (offset_max(Object_alloc_table,
  a) + 1))))

goal ArrayMax_max_ensures_default_po_4:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall i_0:int.
  (((0 <= i_0) and (i_0 < integer_of_int32(result))) or
   ((integer_of_int32(result1) < i_0) and
    (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
  ("JC_82":
  ("JC_81": (integer_of_int32(select(intM_intP, shift(a,
  i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(result)))), integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(result1))))))))

goal ArrayMax_max_ensures_default_po_5:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(x_2_0) + 1)) ->
  forall x_2_0_0:int32.
  (x_2_0_0 = result4) ->
  ("JC_82": ("JC_78": (0 <= integer_of_int32(x_2_0_0))))

goal ArrayMax_max_ensures_default_po_6:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(x_2_0) + 1)) ->
  forall x_2_0_0:int32.
  (x_2_0_0 = result4) ->
  ("JC_82": ("JC_79": (integer_of_int32(x_2_0_0) <= integer_of_int32(y_2))))

goal ArrayMax_max_ensures_default_po_7:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(x_2_0) + 1)) ->
  forall x_2_0_0:int32.
  (x_2_0_0 = result4) ->
  ("JC_82":
  ("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
  a) + 1))))

goal ArrayMax_max_ensures_default_po_8:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(x_2_0) + 1)) ->
  forall x_2_0_0:int32.
  (x_2_0_0 = result4) ->
  forall i_0:int.
  (((0 <= i_0) and (i_0 < integer_of_int32(x_2_0_0))) or
   ((integer_of_int32(y_2) < i_0) and (i_0 < (offset_max(Object_alloc_table,
    a) + 1)))) ->
  ("JC_82":
  ("JC_81": (integer_of_int32(select(intM_intP, shift(a,
  i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(x_2_0_0)))), integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(y_2))))))))

goal ArrayMax_max_ensures_default_po_9:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(y_2) - 1)) ->
  forall y_2_0:int32.
  (y_2_0 = result4) ->
  ("JC_82": ("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2_0))))

goal ArrayMax_max_ensures_default_po_10:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(y_2) - 1)) ->
  forall y_2_0:int32.
  (y_2_0 = result4) ->
  ("JC_82":
  ("JC_80": (integer_of_int32(y_2_0) < (offset_max(Object_alloc_table,
  a) + 1))))

goal ArrayMax_max_ensures_default_po_11:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(y_2) - 1)) ->
  forall y_2_0:int32.
  (y_2_0 = result4) ->
  forall i_0:int.
  (((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
   ((integer_of_int32(y_2_0) < i_0) and
    (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
  ("JC_82":
  ("JC_81": (integer_of_int32(select(intM_intP, shift(a,
  i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(y_2_0))))))))

goal ArrayMax_max_ensures_default_po_12:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) = integer_of_int32(y_2)) ->
  forall return:int32.
  (return = x_2_0) ->
  ("JC_54": ("JC_51": (0 <= integer_of_int32(return))))

goal ArrayMax_max_ensures_default_po_13:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) = integer_of_int32(y_2)) ->
  forall return:int32.
  (return = x_2_0) ->
  ("JC_54":
  ("JC_52": (integer_of_int32(return) < (offset_max(Object_alloc_table,
  a) + 1))))

goal ArrayMax_max_ensures_default_po_14:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_82":
  (("JC_78": (0 <= integer_of_int32(x_2_0))) and
   (("JC_79": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_80": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_81":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) = integer_of_int32(y_2)) ->
  forall return:int32.
  (return = x_2_0) ->
  forall i:int.
  ((0 <= i) and (i < (offset_max(Object_alloc_table, a) + 1))) ->
  ("JC_54":
  ("JC_53": (integer_of_int32(select(intM_intP, shift(a,
  i))) <= integer_of_int32(select(intM_intP, shift(a,
  integer_of_int32(return)))))))

goal ArrayMax_max_safety_po_1:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1))

goal ArrayMax_max_safety_po_2:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  ((-2147483648) <= (result0 - 1))

goal ArrayMax_max_safety_po_3:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  ((result0 - 1) <= 2147483647)

goal ArrayMax_max_safety_po_4:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  (offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0))

goal ArrayMax_max_safety_po_5:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))

goal ArrayMax_max_safety_po_6:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  (offset_min(Object_alloc_table, a) <= integer_of_int32(y_2))

goal ArrayMax_max_safety_po_7:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))

goal ArrayMax_max_safety_po_8:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  ((-2147483648) <= (integer_of_int32(x_2_0) + 1))

goal ArrayMax_max_safety_po_9:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  ((integer_of_int32(x_2_0) + 1) <= 2147483647)

goal ArrayMax_max_safety_po_10:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  (((-2147483648) <= (integer_of_int32(x_2_0) + 1)) and
   ((integer_of_int32(x_2_0) + 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(x_2_0) + 1)) ->
  forall x_2_0_0:int32.
  (x_2_0_0 = result4) ->
  (0 <= ("JC_76": (integer_of_int32(y_2) - integer_of_int32(x_2_0))))

goal ArrayMax_max_safety_po_11:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) <= integer_of_int32(result3)) ->
  (((-2147483648) <= (integer_of_int32(x_2_0) + 1)) and
   ((integer_of_int32(x_2_0) + 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(x_2_0) + 1)) ->
  forall x_2_0_0:int32.
  (x_2_0_0 = result4) ->
  (("JC_76": (integer_of_int32(y_2) - integer_of_int32(x_2_0_0))) < ("JC_76":
                                                                    (integer_of_int32(y_2) - integer_of_int32(x_2_0))))

goal ArrayMax_max_safety_po_12:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  ((-2147483648) <= (integer_of_int32(y_2) - 1))

goal ArrayMax_max_safety_po_13:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  ((integer_of_int32(y_2) - 1) <= 2147483647)

goal ArrayMax_max_safety_po_14:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  (((-2147483648) <= (integer_of_int32(y_2) - 1)) and
   ((integer_of_int32(y_2) - 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(y_2) - 1)) ->
  forall y_2_0:int32.
  (y_2_0 = result4) ->
  (0 <= ("JC_76": (integer_of_int32(y_2) - integer_of_int32(x_2_0))))

goal ArrayMax_max_safety_po_15:
  forall a:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int32) memory.
  (left_valid_struct_intM(a, 0, Object_alloc_table) and
   ("JC_49": ((offset_max(Object_alloc_table, a) + 1) > 0))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  (offset_max(Object_alloc_table, a) >= (-1)) ->
  forall result0:int.
  ("JC_25":
  ((result0 <= 2147483647) and
   ((result0 >= 0) and (result0 = (offset_max(Object_alloc_table, a) + 1))))) ->
  (((-2147483648) <= (result0 - 1)) and ((result0 - 1) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (result0 - 1)) ->
  forall x_2_0:int32.
  forall y_2:int32.
  ("JC_70": true) ->
  ("JC_68":
  (("JC_64": (0 <= integer_of_int32(x_2_0))) and
   (("JC_65": (integer_of_int32(x_2_0) <= integer_of_int32(y_2))) and
    (("JC_66": (integer_of_int32(y_2) < (offset_max(Object_alloc_table,
     a) + 1))) and
     ("JC_67":
     (forall i_0:int.
       ((((0 <= i_0) and (i_0 < integer_of_int32(x_2_0))) or
         ((integer_of_int32(y_2) < i_0) and
          (i_0 < (offset_max(Object_alloc_table, a) + 1)))) ->
        (integer_of_int32(select(intM_intP, shift(a,
        i_0))) <= max(integer_of_int32(select(intM_intP, shift(a,
        integer_of_int32(x_2_0)))), integer_of_int32(select(intM_intP,
        shift(a, integer_of_int32(y_2))))))))))))) ->
  (integer_of_int32(x_2_0) <> integer_of_int32(y_2)) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(x_2_0)) and
   (integer_of_int32(x_2_0) <= offset_max(Object_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intM_intP, shift(a, integer_of_int32(x_2_0)))) ->
  ((offset_min(Object_alloc_table, a) <= integer_of_int32(y_2)) and
   (integer_of_int32(y_2) <= offset_max(Object_alloc_table, a))) ->
  forall result3:int32.
  (result3 = select(intM_intP, shift(a, integer_of_int32(y_2)))) ->
  (integer_of_int32(result2) > integer_of_int32(result3)) ->
  (((-2147483648) <= (integer_of_int32(y_2) - 1)) and
   ((integer_of_int32(y_2) - 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(y_2) - 1)) ->
  forall y_2_0:int32.
  (y_2_0 = result4) ->
  (("JC_76": (integer_of_int32(y_2_0) - integer_of_int32(x_2_0))) < ("JC_76":
                                                                    (integer_of_int32(y_2) - integer_of_int32(x_2_0))))

why-2.34/tests/java/oracle/FlagStatic.err.oracle0000644000175000017500000000000012311670312020132 0ustar  rtuserswhy-2.34/tests/java/oracle/Fact.err.oracle0000644000175000017500000000025612311670312017003 0ustar  rtusersWarning: recursive definition of isfact in generated file
Warning: recursive definition of isfact in generated file
Warning: recursive definition of isfact in generated file
why-2.34/tests/java/oracle/Sort.res.oracle0000644000175000017500000124652712311670312017074 0ustar  rtusers========== file tests/java/Sort.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ TerminationPolicy = user

//@+ CheckArithOverflow = no

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i; l <= i < h ==> a[i] <= a[i+1] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ axiomatic Permut {
  @  predicate Permut{L1,L2}(int a[], integer l, integer h);
  @  axiom Permut_refl{L}:
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  axiom Permut_sym{L1,L2}:
  @    \forall int a[], integer l h;
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  axiom Permut_trans{L1,L2,L3}:
  @    \forall int a[], integer l h;
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==>
  @        Permut{L1,L3}(a, l, h) ;
  @  axiom Permut_swap{L1,L2}:
  @    \forall int a[], integer l h i j;
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==>
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class Sort {

    /*@ requires t != null &&
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }

    /*@ requires t != null;
      @ behavior sorted:
      @   ensures Sorted(t,0,t.length-1);
      @ behavior permutation:
      @   ensures Permut{Old,Here}(t,0,t.length-1);
      @*/
    void min_sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i;
	  @ for sorted:
	  @  loop_invariant Sorted(t,0,i) &&
	  @   (\forall integer k1 k2 ;
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) ;
	  @ for permutation:
	  @   loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	  @*/
	for (i=0; i t[k] >= mv);
	      @ for permutation:
	      @  loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) {
		    mi = j ; mv = t[j];
		}
	    }
	    swap(t,i,mi);
	}
    }

}
========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Sort_swap for method Sort.swap
Generating JC function Sort_min_sort for method Sort.min_sort
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_equals for method Object.equals
Generating JC function Object_wait for method Object.wait
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long for method Object.wait
Generating JC function cons_Sort for constructor Sort
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_registerNatives for method Object.registerNatives
Done.
========== file tests/java/Sort.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = user
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Sort = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate Sorted{L}(intM[0..] a, integer l, integer h) =
(\forall integer i;
  (((l <= i) && (i < h)) ==> ((a + i).intP <= (a + (i + 1)).intP)))

predicate Swap{L1, L2}(intM[0..] a_0, integer i_0, integer j) =
(((\at((a_0 + i_0).intP,L1) == \at((a_0 + j).intP,L2)) &&
   (\at((a_0 + j).intP,L1) == \at((a_0 + i_0).intP,L2))) &&
  (\forall integer k;
    (((k != i_0) && (k != j)) ==>
      (\at((a_0 + k).intP,L1) == \at((a_0 + k).intP,L2)))))

axiomatic Permut {

  predicate Permut{L1, L2}(intM[0..] a_1, integer l_0, integer h_0)
   
  axiom Permut_swap{L1, L2} :
  (\forall intM[0..] a_5;
    (\forall integer l_4;
      (\forall integer h_4;
        (\forall integer i_1;
          (\forall integer j_0;
            (((((l_4 <= i_1) && (i_1 <= h_4)) &&
                ((l_4 <= j_0) && (j_0 <= h_4))) &&
               Swap{L1,
               L2}(a_5, i_1, j_0)) ==>
              Permut{L1,
              L2}(a_5, l_4, h_4)))))))
   
  axiom Permut_trans{L1, L2, L3} :
  (\forall intM[0..] a_4;
    (\forall integer l_3;
      (\forall integer h_3;
        ((Permut{L1, L2}(a_4, l_3, h_3) && Permut{L2, L3}(a_4, l_3, h_3)) ==>
          Permut{L1,
          L3}(a_4, l_3, h_3)))))
   
  axiom Permut_sym{L1, L2} :
  (\forall intM[0..] a_3;
    (\forall integer l_2;
      (\forall integer h_2;
        (Permut{L1, L2}(a_3, l_2, h_2) ==> Permut{L2, L1}(a_3, l_2, h_2)))))
   
  axiom Permut_refl{L} :
  (\forall intM[0..] a_2;
    (\forall integer l_1;
      (\forall integer h_1;
        Permut{L, L}(a_2, l_1, h_1))))
  
}

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit Sort_swap(Sort[0] this_2, intM[0..] t, integer i_2, integer j_1)
  requires (K_10 : ((K_9 : ((K_8 : Non_null_intM(t)) &&
                             (K_7 : ((K_6 : (0 <= i_2)) &&
                                      (K_5 : (i_2 < (\offset_max(t) + 1))))))) &&
                     (K_4 : ((K_3 : (0 <= j_1)) &&
                              (K_2 : (j_1 < (\offset_max(t) + 1)))))));
behavior default:
  assigns (t + [i_2..i_2]).intP,
  (t + [j_1..j_1]).intP;
  ensures (K_1 : Swap{Old, Here}(t, i_2, j_1));
{  
   {  
      (var integer tmp = (K_14 : (t + i_2).intP));
      
      {  (K_12 : ((t + i_2).intP = (K_11 : (t + j_1).intP)));
         (K_13 : ((t + j_1).intP = tmp))
      }
   }
}

unit Sort_min_sort(Sort[0] this_0, intM[0..] t_0)
  requires (K_17 : Non_null_intM(t_0));
behavior sorted:
  ensures (K_15 : Sorted{Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)));
behavior permutation:
  ensures (K_16 : Permut{Old, Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)));
{  
   {  
      (var integer i_3);
      
      {  
         (var integer j_2);
         
         {  
            (var integer mi);
            
            {  
               (var integer mv);
               
               loop 
               behavior default:
                 invariant (K_18 : (0 <= i_3));
               behavior sorted:
                 invariant (K_21 : ((K_20 : Sorted{Here}(t_0, 0, i_3)) &&
                                     (K_19 : (\forall integer k1;
                                               (\forall integer k2;
                                                 (((((0 <= k1) && (k1 < i_3)) &&
                                                     (i_3 <= k2)) &&
                                                    (k2 <
                                                      (\offset_max(t_0) + 1))) ==>
                                                   ((t_0 + k1).intP <=
                                                     (t_0 + k2).intP)))))));
               behavior permutation:
                 invariant (K_22 : Permut{Pre,
                           Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)));
               
               for ((i_3 = 0) ; (K_44 : (i_3 <
                                          (K_43 : ((K_42 : java_array_length_intM(
                                                   t_0)) -
                                                    1)))) ; (K_41 : (i_3 ++)))
               {  
                  {  (mv = (K_23 : (t_0 + i_3).intP));
                     (mi = i_3);
                     
                     loop 
                     behavior default:
                       invariant (K_28 : ((K_27 : (i_3 < j_2)) &&
                                           (K_26 : ((K_25 : (i_3 <= mi)) &&
                                                     (K_24 : (mi <
                                                               (\offset_max(t_0) +
                                                                 1)))))));
                     behavior sorted:
                       invariant (K_31 : ((K_30 : (mv == (t_0 + mi).intP)) &&
                                           (K_29 : (\forall integer k_0;
                                                     (((i_3 <= k_0) &&
                                                        (k_0 < j_2)) ==>
                                                       ((t_0 + k_0).intP >=
                                                         mv))))));
                     behavior permutation:
                       invariant (K_32 : Permut{Pre,
                                 Here}(t_0, 0, ((\offset_max(t_0) + 1) - 1)));
                     
                     for ((j_2 = (K_39 : (i_3 + 1))) ; (K_38 : (j_2 <
                                                                 (K_37 : java_array_length_intM(
                                                                 t_0)))) ; 
                     (K_36 : (j_2 ++)))
                     {  (if (K_35 : ((K_34 : (t_0 + j_2).intP) < mv)) then 
                        {  (mi = j_2);
                           (mv = (K_33 : (t_0 + j_2).intP))
                        } else ())
                     };
                     (K_40 : Sort_swap(this_0, t_0, i_3, mi))
                  }
               }
            }
         }
      }
   }
}

Object[0..] Object_clone(Object[0] this_4)
;

unit Object_notifyAll(Object[0] this_5)
;

integer Object_hashCode(Object[0] this_6)
;

boolean Object_equals(Object[0] this_7, Object[0..] obj)
;

unit Object_wait(Object[0] this_8)
;

unit Object_notify(Object[0] this_9)
;

unit Object_wait_long(Object[0] this_10, integer timeout)
;

unit cons_Sort(! Sort[0] this_3){()}

String[0..] Object_toString(Object[0] this_11)
;

unit Object_wait_long_int(Object[0] this_12, integer timeout_0, integer nanos)
;

unit cons_Object(! Object[0] this_14){()}

unit Object_finalize(Object[0] this_13)
;

unit Object_registerNatives()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Sort.jloc tests/java/Sort.jc && make -f tests/java/Sort.makefile gui"
End:
*/
========== file tests/java/Sort.jloc ==========
[Permut_swap]
name = "Lemma Permut_swap"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_30]
file = "HOME/tests/java/Sort.java"
line = 99
begin = 25
end = 36

[K_23]
file = "HOME/tests/java/Sort.java"
line = 96
begin = 10
end = 14

[Permut_refl]
name = "Lemma Permut_refl"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_33]
file = "HOME/tests/java/Sort.java"
line = 106
begin = 20
end = 24

[K_17]
file = "HOME/tests/java/Sort.java"
line = 77
begin = 17
end = 26

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/Sort.java"
line = 73
begin = 8
end = 12

[K_38]
file = "HOME/tests/java/Sort.java"
line = 104
begin = 17
end = 29

[K_25]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 33
end = 40

[K_13]
file = "HOME/tests/java/Sort.java"
line = 74
begin = 1
end = 11

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 58

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[K_44]
file = "HOME/tests/java/Sort.java"
line = 94
begin = 11
end = 23

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[K_28]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 51

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Sort.java"
line = 69
begin = 16
end = 37

[K_15]
file = "HOME/tests/java/Sort.java"
line = 79
begin = 18
end = 40

[K_4]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 32
end = 49

[K_12]
file = "HOME/tests/java/Sort.java"
line = 73
begin = 1
end = 12

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[K_34]
file = "HOME/tests/java/Sort.java"
line = 105
begin = 6
end = 10

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/Sort.java"
line = 88
begin = 21
end = 34

[K_2]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 37
end = 49

[K_41]
file = "HOME/tests/java/Sort.java"
line = 94
begin = 25
end = 28

[K_29]
file = "HOME/tests/java/Sort.java"
line = 100
begin = 12
end = 56

[K_10]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 79

[K_35]
file = "HOME/tests/java/Sort.java"
line = 105
begin = 6
end = 15

[K_6]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 11
end = 17

[K_8]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 26

[Permut_trans]
name = "Lemma Permut_trans"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_3]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 32
end = 38

[K_31]
file = "HOME/tests/java/Sort.java"
line = 99
begin = 25
end = 97

[K_32]
file = "HOME/tests/java/Sort.java"
line = 102
begin = 25
end = 57

[K_27]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 29

[cons_Sort]
name = "Constructor of class Sort"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_21]
file = "HOME/tests/java/Sort.java"
line = 88
begin = 21
end = 128

[K_42]
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 21

[K_24]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 38
end = 51

[K_14]
file = "HOME/tests/java/Sort.java"
line = 72
begin = 11
end = 15

[K_39]
file = "HOME/tests/java/Sort.java"
line = 104
begin = 12
end = 15

[K_36]
file = "HOME/tests/java/Sort.java"
line = 104
begin = 31
end = 34

[Permut_sym]
name = "Lemma Permut_sym"
file = "HOME/"
line = 0
begin = 0
end = 0

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_37]
file = "HOME/tests/java/Sort.java"
line = 104
begin = 21
end = 29

[K_19]
file = "HOME/tests/java/Sort.java"
line = 89
begin = 8
end = 89

[K_5]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 16
end = 28

[Sort_min_sort]
name = "Method min_sort"
file = "HOME/tests/java/Sort.java"
line = 83
begin = 9
end = 17

[K_18]
file = "HOME/tests/java/Sort.java"
line = 86
begin = 20
end = 26

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[Sort_swap]
name = "Method swap"
file = "HOME/tests/java/Sort.java"
line = 71
begin = 9
end = 13

[K_7]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 11
end = 28

[K_40]
file = "HOME/tests/java/Sort.java"
line = 109
begin = 5
end = 17

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[K_26]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 33
end = 51

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/Sort.java"
line = 92
begin = 22
end = 54

[K_16]
file = "HOME/tests/java/Sort.java"
line = 81
begin = 18
end = 50

[K_43]
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 23

========== jessie execution ==========
Generating Why function Sort_swap
Generating Why function Sort_min_sort
Generating Why function cons_Sort
Generating Why function cons_Object
========== file tests/java/Sort.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Sort.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Sort.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Sort_why.sx

project: why/Sort.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Sort_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Sort_why.vo

coq/Sort_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Sort_why.v: why/Sort.why
	@echo 'why -coq [...] why/Sort.why' && $(WHY) $(JESSIELIBFILES) why/Sort.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Sort_ctx_why.vo
	for f in why/*_po*.why; do make -f Sort.makefile coq/`basename $$f .why`_why.v ; done

coq/Sort_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Sort_ctx_why.v: why/Sort_ctx.why
	@echo 'why -coq [...] why/Sort_ctx.why' && $(WHY) why/Sort_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Sort_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Sort_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Sort_ctx_why.vo

pvs: pvs/Sort_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Sort_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Sort_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Sort_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Sort_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Sort_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Sort_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Sort_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Sort_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Sort_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Sort_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Sort_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Sort_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Sort_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Sort_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Sort.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Sort_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Sort.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Sort.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Sort.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Sort.depend

depend: coq/Sort_why.v
	-$(COQDEP) -I coq coq/Sort*_why.v > Sort.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Sort.loc ==========
[JC_176]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_233]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_177]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_221]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_51]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 79

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 38
end = 51

[JC_143]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_113]
file = "HOME/tests/java/Sort.java"
line = 86
begin = 20
end = 26

[JC_248]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_116]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_64]
kind = PointerDeref
file = "HOME/tests/java/Sort.jc"
line = 129
begin = 18
end = 38

[JC_133]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_188]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_180]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_99]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_200]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 33
end = 40

[JC_201]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/Sort.jc"
line = 55
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_194]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_122]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 33
end = 40

[JC_205]
file = "HOME/"
line = 0
begin = -1
end = -1

[Sort_min_sort_ensures_sorted]
name = "Method min_sort"
behavior = "Behavior `sorted'"
file = "HOME/tests/java/Sort.java"
line = 83
begin = 9
end = 17

[JC_81]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 21

[JC_55]
file = "HOME/tests/java/Sort.jc"
line = 120
begin = 9
end = 16

[JC_134]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[Sort_min_sort_ensures_default]
name = "Method min_sort"
behavior = "default behavior"
file = "HOME/tests/java/Sort.java"
line = 83
begin = 9
end = 17

[JC_48]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 16
end = 28

[JC_23]
file = "HOME/tests/java/Sort.jc"
line = 51
begin = 11
end = 103

[JC_241]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_121]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 29

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/Sort.java"
line = 77
begin = 17
end = 26

[JC_9]
file = "HOME/tests/java/Sort.jc"
line = 42
begin = 8
end = 21

[JC_25]
file = "HOME/tests/java/Sort.jc"
line = 51
begin = 11
end = 103

[JC_189]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 16
end = 28

[JC_74]
file = "HOME/tests/java/Sort.java"
line = 79
begin = 18
end = 40

[JC_195]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/Sort.jc"
line = 50
begin = 10
end = 18

[Sort_swap_safety]
name = "Method swap"
behavior = "Safety"
file = "HOME/tests/java/Sort.java"
line = 71
begin = 9
end = 13

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Sort_ensures_default]
name = "Constructor of class Sort"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/java/Sort.jc"
line = 45
begin = 11
end = 66

[JC_240]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
kind = IndexBounds
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 21

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_222]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_246]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Sort.jc"
line = 42
begin = 8
end = 21

[JC_185]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_167]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 51

[JC_39]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 26

[JC_112]
file = "HOME/tests/java/Sort.java"
line = 88
begin = 21
end = 128

[JC_135]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 21

[JC_169]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_109]
kind = UserCall
file = "HOME/tests/java/Sort.jc"
line = 205
begin = 29
end = 60

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_219]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 51

[Sort_swap_ensures_default]
name = "Method swap"
behavior = "default behavior"
file = "HOME/tests/java/Sort.java"
line = 71
begin = 9
end = 13

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[Permut_trans]
name = "Lemma Permut_trans"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_206]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_218]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_191]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = PointerDeref
file = "HOME/tests/java/Sort.java"
line = 73
begin = 8
end = 12

[JC_101]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 29

[JC_223]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
kind = UserCall
file = "HOME/tests/java/Sort.jc"
line = 205
begin = 29
end = 60

[JC_190]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/tests/java/Sort.java"
line = 88
begin = 21
end = 34

[JC_166]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 38
end = 51

[JC_46]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 26

[JC_61]
kind = PointerDeref
file = "HOME/tests/java/Sort.java"
line = 72
begin = 11
end = 15

[JC_199]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/Sort.java"
line = 69
begin = 16
end = 37

[JC_243]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_173]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Sort.jc"
line = 55
begin = 8
end = 23

[JC_202]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 104
begin = 21
end = 29

[JC_16]
file = "HOME/tests/java/Sort.jc"
line = 44
begin = 10
end = 18

[JC_43]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 37
end = 49

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
kind = UserCall
file = "HOME/tests/java/Sort.jc"
line = 205
begin = 29
end = 60

[JC_235]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[Permut_sym]
name = "Lemma Permut_sym"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_84]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 29

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 104
begin = 21
end = 29

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/Sort.jc"
line = 44
begin = 10
end = 18

[JC_90]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_225]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_216]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_131]
file = "HOME/tests/java/Sort.java"
line = 86
begin = 20
end = 26

[JC_37]
file = "HOME/tests/java/Sort.jc"
line = 57
begin = 11
end = 65

[JC_181]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 104
begin = 21
end = 29

[JC_57]
file = "HOME/tests/java/Sort.java"
line = 71
begin = 9
end = 13

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_136]
file = "HOME/tests/java/Sort.java"
line = 102
begin = 25
end = 57

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_165]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_213]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_217]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_229]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 38
end = 51

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/Sort.jc"
line = 48
begin = 8
end = 30

[JC_187]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_238]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 37
end = 49

[JC_120]
file = "HOME/tests/java/Sort.java"
line = 99
begin = 25
end = 97

[JC_58]
file = "HOME/tests/java/Sort.jc"
line = 120
begin = 9
end = 16

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_198]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_94]
kind = PointerDeref
file = "HOME/tests/java/Sort.java"
line = 106
begin = 20
end = 24

[JC_73]
file = "HOME/tests/java/Sort.java"
line = 79
begin = 18
end = 40

[Permut_swap]
name = "Lemma Permut_swap"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
kind = PointerDeref
file = "HOME/tests/java/Sort.jc"
line = 128
begin = 18
end = 58

[JC_196]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[Permut_refl]
name = "Lemma Permut_refl"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_197]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_207]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_203]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_227]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_170]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[Sort_min_sort_safety]
name = "Method min_sort"
behavior = "Safety"
file = "HOME/tests/java/Sort.java"
line = 83
begin = 9
end = 17

[JC_236]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_138]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 33
end = 40

[JC_247]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_137]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 29

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_231]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/tests/java/Sort.java"
line = 81
begin = 18
end = 50

[JC_24]
file = "HOME/tests/java/Sort.jc"
line = 50
begin = 10
end = 18

[JC_193]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_186]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_212]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_175]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_224]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 11
end = 17

[JC_232]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_54]
file = "HOME/tests/java/Sort.java"
line = 71
begin = 9
end = 13

[JC_237]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_208]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/tests/java/Sort.jc"
line = 153
begin = 15
end = 3072

[JC_130]
file = "HOME/tests/java/Sort.java"
line = 92
begin = 22
end = 54

[JC_174]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 51

[JC_184]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/java/Sort.jc"
line = 45
begin = 11
end = 66

[JC_182]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_168]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 104
begin = 21
end = 29

[JC_40]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 11
end = 17

[JC_162]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_83]
kind = PointerDeref
file = "HOME/tests/java/Sort.java"
line = 96
begin = 10
end = 14

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_215]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_179]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/java/Sort.jc"
line = 57
begin = 11
end = 65

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_242]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_156]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_127]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_171]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_164]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_44]
file = "HOME/tests/java/Sort.java"
line = 66
begin = 17
end = 79

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 32
end = 38

[JC_178]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[cons_Sort_safety]
name = "Constructor of class Sort"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_220]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_65]
file = "HOME/tests/java/Sort.java"
line = 77
begin = 17
end = 26

[JC_118]
file = "HOME/tests/java/Sort.java"
line = 99
begin = 25
end = 36

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_245]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 24
end = 51

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[Sort_min_sort_ensures_permutation]
name = "Method min_sort"
behavior = "Behavior `permutation'"
file = "HOME/tests/java/Sort.java"
line = 83
begin = 9
end = 17

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/tests/java/Sort.java"
line = 86
begin = 20
end = 26

[JC_93]
kind = PointerDeref
file = "HOME/tests/java/Sort.java"
line = 105
begin = 6
end = 10

[JC_214]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 21

[JC_53]
file = "HOME/tests/java/Sort.java"
line = 69
begin = 16
end = 37

[JC_204]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
kind = UserCall
file = "HOME/tests/java/Sort.jc"
line = 205
begin = 29
end = 60

[JC_21]
file = "HOME/tests/java/Sort.jc"
line = 48
begin = 8
end = 30

[JC_209]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/tests/java/Sort.java"
line = 89
begin = 8
end = 89

[JC_77]
file = "HOME/tests/java/Sort.java"
line = 86
begin = 20
end = 26

[JC_49]
file = "HOME/tests/java/Sort.java"
line = 67
begin = 32
end = 38

[JC_1]
file = "HOME/tests/java/Sort.jc"
line = 13
begin = 12
end = 22

[JC_102]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 33
end = 40

[JC_142]
file = "HOME/tests/java/Sort.jc"
line = 178
begin = 21
end = 1621

[JC_211]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_249]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_192]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_239]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/Sort.jc"
line = 13
begin = 12
end = 22

[JC_92]
kind = IndexBounds
file = "HOME/tests/java/Sort.java"
line = 104
begin = 21
end = 29

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_228]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_183]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/tests/java/Sort.java"
line = 97
begin = 38
end = 51

[JC_119]
file = "HOME/tests/java/Sort.java"
line = 100
begin = 12
end = 56

[JC_210]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_76]
file = "HOME/tests/java/Sort.java"
line = 81
begin = 18
end = 50

[JC_244]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_230]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_234]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_226]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
kind = UserCall
file = "HOME/tests/java/Sort.java"
line = 94
begin = 13
end = 21

========== file tests/java/why/Sort.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic Permut: Object pointer, int, int, (Object, int) memory,
 (Object, int) memory -> prop

logic Sort_tag:  -> Object tag_id

axiom Sort_parenttag_Object : parenttag(Sort_tag, Object_tag)

predicate Sorted(a:Object pointer, l:int, h:int,
 intM_intP_at_L:(Object, int) memory) =
 (forall i:int.
  ((le_int(l, i) and lt_int(i, h)) ->
   le_int(select(intM_intP_at_L, shift(a, i)),
   select(intM_intP_at_L, shift(a, add_int(i, (1)))))))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

predicate Swap(a_0:Object pointer, i_0:int, j:int,
 intM_intP_at_L2:(Object, int) memory,
 intM_intP_at_L1:(Object, int) memory) =
 ((select(intM_intP_at_L1, shift(a_0, i_0)) = select(intM_intP_at_L2,
                                              shift(a_0, j)))
 and ((select(intM_intP_at_L1, shift(a_0, j)) = select(intM_intP_at_L2,
                                                shift(a_0, i_0)))
     and (forall k:int.
          (((k <> i_0) and (k <> j)) ->
           (select(intM_intP_at_L1, shift(a_0, k)) = select(intM_intP_at_L2,
                                                     shift(a_0, k)))))))

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Sort(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Sort(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Sort(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Sort(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom Permut_swap :
 (forall intM_intP_at_L2:(Object, int) memory.
  (forall intM_intP_at_L1:(Object, int) memory.
   (forall a_5:Object pointer.
    (forall l_4:int.
     (forall h_4:int.
      (forall i_1:int.
       (forall j_0:int.
        ((le_int(l_4, i_1)
         and (le_int(i_1, h_4)
             and (le_int(l_4, j_0)
                 and (le_int(j_0, h_4)
                     and Swap(a_5, i_1, j_0, intM_intP_at_L2,
                         intM_intP_at_L1))))) ->
         Permut(a_5, l_4, h_4, intM_intP_at_L2, intM_intP_at_L1)))))))))

axiom Permut_trans :
 (forall intM_intP_at_L3:(Object, int) memory.
  (forall intM_intP_at_L2:(Object, int) memory.
   (forall intM_intP_at_L1:(Object, int) memory.
    (forall a_4:Object pointer.
     (forall l_3:int.
      (forall h_3:int.
       ((Permut(a_4, l_3, h_3, intM_intP_at_L2, intM_intP_at_L1)
        and Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L2)) ->
        Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L1))))))))

axiom Permut_sym :
 (forall intM_intP_at_L2:(Object, int) memory.
  (forall intM_intP_at_L1:(Object, int) memory.
   (forall a_3:Object pointer.
    (forall l_2:int.
     (forall h_2:int.
      (Permut(a_3, l_2, h_2, intM_intP_at_L2, intM_intP_at_L1) ->
       Permut(a_3, l_2, h_2, intM_intP_at_L1, intM_intP_at_L2)))))))

axiom Permut_refl :
 (forall intM_intP_at_L:(Object, int) memory.
  (forall a_2:Object pointer.
   (forall l_1:int.
    (forall h_1:int. Permut(a_2, l_1, h_1, intM_intP_at_L, intM_intP_at_L)))))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_4:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_4:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_7:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_7:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_6:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_6:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_notify :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_5:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_9:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_10:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_12:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_12:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_10:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_8:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

parameter intM_intP : (Object, int) memory ref

parameter Sort_min_sort :
 this_0:Object pointer ->
  t_0:Object pointer ->
   { } unit reads Object_alloc_table,intM_intP writes intM_intP
   { ((JC_76:
      Permut(t_0, (0),
      sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
      intM_intP, intM_intP@))
     and (JC_74:
         Sorted(t_0, (0),
         sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
         intM_intP))) }

parameter Sort_min_sort_requires :
 this_0:Object pointer ->
  t_0:Object pointer ->
   { (JC_65: Non_null_intM(t_0, Object_alloc_table))} unit
   reads Object_alloc_table,intM_intP writes intM_intP
   { ((JC_76:
      Permut(t_0, (0),
      sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
      intM_intP, intM_intP@))
     and (JC_74:
         Sorted(t_0, (0),
         sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
         intM_intP))) }

parameter Sort_swap :
 this_2:Object pointer ->
  t:Object pointer ->
   i_2:int ->
    j_1:int ->
     { } unit reads Object_alloc_table,intM_intP writes intM_intP
     { (JC_58:
       ((JC_56: Swap(t, i_2, j_1, intM_intP, intM_intP@))
       and (JC_57:
           not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
           pset_union(pset_range(pset_singleton(t), j_1, j_1),
           pset_range(pset_singleton(t), i_2, i_2)))))) }

parameter Sort_swap_requires :
 this_2:Object pointer ->
  t:Object pointer ->
   i_2:int ->
    j_1:int ->
     { (JC_44:
       ((JC_39: Non_null_intM(t, Object_alloc_table))
       and ((JC_40: le_int((0), i_2))
           and ((JC_41:
                lt_int(i_2, add_int(offset_max(Object_alloc_table, t), (1))))
               and ((JC_42: le_int((0), j_1))
                   and (JC_43:
                       lt_int(j_1,
                       add_int(offset_max(Object_alloc_table, t), (1)))))))))}
     unit reads Object_alloc_table,intM_intP writes intM_intP
     { (JC_58:
       ((JC_56: Swap(t, i_2, j_1, intM_intP, intM_intP@))
       and (JC_57:
           not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
           pset_union(pset_range(pset_singleton(t), j_1, j_1),
           pset_range(pset_singleton(t), i_2, i_2)))))) }

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Sort :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Sort(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Sort_tag)))) }

parameter alloc_struct_Sort_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Sort(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Sort_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Object :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Sort :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Sort_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter java_array_length_intM :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  { } int reads Object_alloc_table
  { (JC_25:
    (le_int(result, (2147483647))
    and (ge_int(result, (0))
        and (result = add_int(offset_max(Object_alloc_table, x_3), (1)))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_38:
    (if result then (offset_max(Object_alloc_table, x_4) = (0))
     else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_15:
    (if result then ge_int(offset_max(Object_alloc_table, x_2), neg_int((1)))
     else (x_2 = null))) }

let Sort_min_sort_ensures_default =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_Sort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int void) in
     (let j_2 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     begin
       (let _jessie_ = (i_3 := (0)) in void);
      try
       (loop_3:
       while true do
       { invariant (JC_96: le_int((0), i_3))  }
        begin
          [ { } unit { true } ];
         try
          begin
            (if (K_44:
                ((lt_int_ !i_3) (K_43:
                                ((sub_int (K_42:
                                          (let _jessie_ = t_0 in
                                          (JC_100:
                                          (java_array_length_intM _jessie_))))) (1)))))
            then
             begin
               (let _jessie_ =
               (mv := (K_23: ((safe_acc_ !intM_intP) ((shift t_0) !i_3)))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ = (j_2 := (K_39: ((add_int !i_3) (1)))) in
              void);
              try
               (loop_4:
               while true do
               { invariant
                   (JC_104:
                   ((JC_101: lt_int(i_3, j_2))
                   and ((JC_102: le_int(i_3, mi))
                       and (JC_103:
                           lt_int(mi,
                           add_int(offset_max(Object_alloc_table, t_0), (1)))))))
                  }
                begin
                  [ { } unit { true } ];
                 try
                  begin
                    (if (K_38:
                        ((lt_int_ !j_2) (K_37:
                                        (let _jessie_ = t_0 in
                                        (JC_108:
                                        (java_array_length_intM _jessie_))))))
                    then
                     (if (K_35:
                         ((lt_int_ (K_34:
                                   ((safe_acc_ !intM_intP) ((shift t_0) !j_2)))) !mv))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_2) in void);
                       (mv := (K_33:
                              ((safe_acc_ !intM_intP) ((shift t_0) !j_2))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_36:
                  (let _jessie_ = !j_2 in
                  begin
                    (let _jessie_ = (j_2 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (K_40:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_109:
              ((((Sort_swap _jessie_) _jessie_) _jessie_) _jessie_)))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_41:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
           _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end) { (JC_69: true) }

let Sort_min_sort_ensures_permutation =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_Sort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int void) in
     (let j_2 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     begin
       (let _jessie_ = (i_3 := (0)) in void);
      try
       (loop_7:
       while true do
       { invariant
           (JC_130:
           Permut(t_0, (0),
           sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
           intM_intP, intM_intP@init))  }
        begin
          [ { } unit reads i_3 { (JC_131: le_int((0), i_3)) } ];
         try
          begin
            (if (K_44:
                ((lt_int_ !i_3) (K_43:
                                ((sub_int (K_42:
                                          (let _jessie_ = t_0 in
                                          (JC_135:
                                          (java_array_length_intM _jessie_))))) (1)))))
            then
             begin
               (let _jessie_ =
               (mv := (K_23: ((safe_acc_ !intM_intP) ((shift t_0) !i_3)))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ = (j_2 := (K_39: ((add_int !i_3) (1)))) in
              void);
              try
               (loop_8:
               while true do
               { invariant
                   (JC_136:
                   Permut(t_0, (0),
                   sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)),
                   (1)), intM_intP, intM_intP@init))  }
                begin
                  [ { } unit reads Object_alloc_table,i_3,j_2,mi
                    { (JC_140:
                      ((JC_137: lt_int(i_3, j_2))
                      and ((JC_138: le_int(i_3, mi))
                          and (JC_139:
                              lt_int(mi,
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1))))))) } ];
                 try
                  begin
                    (if (K_38:
                        ((lt_int_ !j_2) (K_37:
                                        (let _jessie_ = t_0 in
                                        (JC_144:
                                        (java_array_length_intM _jessie_))))))
                    then
                     (if (K_35:
                         ((lt_int_ (K_34:
                                   ((safe_acc_ !intM_intP) ((shift t_0) !j_2)))) !mv))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_2) in void);
                       (mv := (K_33:
                              ((safe_acc_ !intM_intP) ((shift t_0) !j_2))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_36:
                  (let _jessie_ = !j_2 in
                  begin
                    (let _jessie_ = (j_2 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (K_40:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_145:
              ((((Sort_swap _jessie_) _jessie_) _jessie_) _jessie_)))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_41:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
           _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end)
  { (JC_75:
    Permut(t_0, (0),
    sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
    intM_intP, intM_intP@)) }

let Sort_min_sort_ensures_sorted =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_Sort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int void) in
     (let j_2 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     begin
       (let _jessie_ = (i_3 := (0)) in void);
      try
       (loop_5:
       while true do
       { invariant
           (JC_112:
           ((JC_110: Sorted(t_0, (0), i_3, intM_intP))
           and (JC_111:
               (forall k1:int.
                (forall k2:int.
                 ((le_int((0), k1)
                  and (lt_int(k1, i_3)
                      and (le_int(i_3, k2)
                          and lt_int(k2,
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1)))))) ->
                  le_int(select(intM_intP, shift(t_0, k1)),
                  select(intM_intP, shift(t_0, k2)))))))))  }
        begin
          [ { } unit reads i_3 { (JC_113: le_int((0), i_3)) } ];
         try
          begin
            (if (K_44:
                ((lt_int_ !i_3) (K_43:
                                ((sub_int (K_42:
                                          (let _jessie_ = t_0 in
                                          (JC_117:
                                          (java_array_length_intM _jessie_))))) (1)))))
            then
             begin
               (let _jessie_ =
               (mv := (K_23: ((safe_acc_ !intM_intP) ((shift t_0) !i_3)))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ = (j_2 := (K_39: ((add_int !i_3) (1)))) in
              void);
              try
               (loop_6:
               while true do
               { invariant
                   (JC_120:
                   ((JC_118: (mv = select(intM_intP, shift(t_0, mi))))
                   and (JC_119:
                       (forall k_0:int.
                        ((le_int(i_3, k_0) and lt_int(k_0, j_2)) ->
                         ge_int(select(intM_intP, shift(t_0, k_0)), mv))))))
                  }
                begin
                  [ { } unit reads Object_alloc_table,i_3,j_2,mi
                    { (JC_124:
                      ((JC_121: lt_int(i_3, j_2))
                      and ((JC_122: le_int(i_3, mi))
                          and (JC_123:
                              lt_int(mi,
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1))))))) } ];
                 try
                  begin
                    (if (K_38:
                        ((lt_int_ !j_2) (K_37:
                                        (let _jessie_ = t_0 in
                                        (JC_128:
                                        (java_array_length_intM _jessie_))))))
                    then
                     (if (K_35:
                         ((lt_int_ (K_34:
                                   ((safe_acc_ !intM_intP) ((shift t_0) !j_2)))) !mv))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_2) in void);
                       (mv := (K_33:
                              ((safe_acc_ !intM_intP) ((shift t_0) !j_2))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_36:
                  (let _jessie_ = !j_2 in
                  begin
                    (let _jessie_ = (j_2 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (K_40:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_129:
              ((((Sort_swap _jessie_) _jessie_) _jessie_) _jessie_)))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_41:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
           _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end)
  { (JC_73:
    Sorted(t_0, (0),
    sub_int(add_int(offset_max(Object_alloc_table, t_0), (1)), (1)),
    intM_intP)) }

let Sort_min_sort_safety =
 fun (this_0 : Object pointer) (t_0 : Object pointer) ->
  { (left_valid_struct_intM(t_0, (0), Object_alloc_table)
    and (valid_struct_Sort(this_0, (0), (0), Object_alloc_table)
        and (JC_67: Non_null_intM(t_0, Object_alloc_table)))) }
  (init:
  try
   begin
     (let i_3 = ref (any_int void) in
     (let j_2 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     begin
       (let _jessie_ = (i_3 := (0)) in void);
      try
       (loop_1:
       while true do
       { invariant (JC_79: true)  }
        begin
          [ { } unit reads i_3 { (JC_77: le_int((0), i_3)) } ];
         try
          begin
            (if (K_44:
                ((lt_int_ !i_3) (K_43:
                                ((sub_int (K_42:
                                          (let _jessie_ = t_0 in
                                          (JC_82:
                                          (assert
                                          { ge_int(offset_max(Object_alloc_table,
                                                   _jessie_),
                                            (-1)) };
                                          (JC_81:
                                          (java_array_length_intM_requires _jessie_))))))) (1)))))
            then
             begin
               (let _jessie_ =
               (mv := (K_23:
                      (JC_83:
                      ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !i_3)))) in
               void); (let _jessie_ = (mi := !i_3) in void);
              (let _jessie_ = (j_2 := (K_39: ((add_int !i_3) (1)))) in
              void);
              try
               (loop_2:
               while true do
               { invariant (JC_89: true)  }
                begin
                  [ { } unit reads Object_alloc_table,i_3,j_2,mi
                    { (JC_87:
                      ((JC_84: lt_int(i_3, j_2))
                      and ((JC_85: le_int(i_3, mi))
                          and (JC_86:
                              lt_int(mi,
                              add_int(offset_max(Object_alloc_table, t_0),
                              (1))))))) } ];
                 try
                  begin
                    (if (K_38:
                        ((lt_int_ !j_2) (K_37:
                                        (let _jessie_ = t_0 in
                                        (JC_92:
                                        (assert
                                        { ge_int(offset_max(Object_alloc_table,
                                                 _jessie_),
                                          (-1)) };
                                        (JC_91:
                                        (java_array_length_intM_requires _jessie_))))))))
                    then
                     (if (K_35:
                         ((lt_int_ (K_34:
                                   (JC_93:
                                   ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !j_2)))) !mv))
                     then
                      (let _jessie_ =
                      begin
                        (let _jessie_ = (mi := !j_2) in void);
                       (mv := (K_33:
                              (JC_94:
                              ((((offset_acc_ !Object_alloc_table) !intM_intP) t_0) !j_2))));
                       !mv end in void) else void)
                    else (raise (Loop_exit_exc void)));
                   (raise (Loop_continue_exc void)) end with
                  Loop_continue_exc _jessie_ ->
                  (let _jessie_ =
                  (K_36:
                  (let _jessie_ = !j_2 in
                  begin
                    (let _jessie_ = (j_2 := ((add_int _jessie_) (1))) in
                    void); _jessie_ end)) in void) end end done) with
               Loop_exit_exc _jessie_ -> void end;
              (K_40:
              (let _jessie_ = this_0 in
              (let _jessie_ = t_0 in
              (let _jessie_ = !i_3 in
              (let _jessie_ = !mi in
              (JC_95:
              ((((Sort_swap_requires _jessie_) _jessie_) _jessie_) _jessie_)))))))
             end else (raise (Loop_exit_exc void)));
           (raise (Loop_continue_exc void)) end with
          Loop_continue_exc _jessie_ ->
          (let _jessie_ =
          (K_41:
          (let _jessie_ = !i_3 in
          begin
            (let _jessie_ = (i_3 := ((add_int _jessie_) (1))) in void);
           _jessie_ end)) in void) end end done) with
       Loop_exit_exc _jessie_ -> void end end)))); (raise Return) end with
   Return -> void end) { true }

let Sort_swap_ensures_default =
 fun (this_2 : Object pointer) (t : Object pointer) (i_2 : int) (j_1 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_Sort(this_2, (0), (0), Object_alloc_table)
        and (JC_51:
            ((JC_46: Non_null_intM(t, Object_alloc_table))
            and ((JC_47: le_int((0), i_2))
                and ((JC_48:
                     lt_int(i_2,
                     add_int(offset_max(Object_alloc_table, t), (1))))
                    and ((JC_49: le_int((0), j_1))
                        and (JC_50:
                            lt_int(j_1,
                            add_int(offset_max(Object_alloc_table, t), (1))))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let tmp = (K_14: ((safe_acc_ !intM_intP) ((shift t) i_2))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ = (K_11: ((safe_acc_ !intM_intP) ((shift t) j_1))) in
       (let _jessie_ = t in
       (let _jessie_ = i_2 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intM_intP) _jessie_) _jessie_))))) in void);
      (K_13:
      (let _jessie_ = tmp in
      (let _jessie_ = t in
      (let _jessie_ = j_1 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      begin   (((safe_upd_ intM_intP) _jessie_) _jessie_); _jessie_ end)))))
     end)) in void); (raise Return) end with Return -> void end)
  { (JC_55:
    ((JC_53: Swap(t, i_2, j_1, intM_intP, intM_intP@))
    and (JC_54:
        not_assigns(Object_alloc_table@, intM_intP@, intM_intP,
        pset_union(pset_range(pset_singleton(t), j_1, j_1),
        pset_range(pset_singleton(t), i_2, i_2)))))) }

let Sort_swap_safety =
 fun (this_2 : Object pointer) (t : Object pointer) (i_2 : int) (j_1 : int) ->
  { (left_valid_struct_intM(t, (0), Object_alloc_table)
    and (valid_struct_Sort(this_2, (0), (0), Object_alloc_table)
        and (JC_51:
            ((JC_46: Non_null_intM(t, Object_alloc_table))
            and ((JC_47: le_int((0), i_2))
                and ((JC_48:
                     lt_int(i_2,
                     add_int(offset_max(Object_alloc_table, t), (1))))
                    and ((JC_49: le_int((0), j_1))
                        and (JC_50:
                            lt_int(j_1,
                            add_int(offset_max(Object_alloc_table, t), (1))))))))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (let tmp =
     (K_14:
     (JC_61: ((((offset_acc_ !Object_alloc_table) !intM_intP) t) i_2))) in
     (K_12:
     begin
       (let _jessie_ =
       (let _jessie_ =
       (K_11:
       (JC_62: ((((offset_acc_ !Object_alloc_table) !intM_intP) t) j_1))) in
       (let _jessie_ = t in
       (let _jessie_ = i_2 in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_63:
       (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_)))))) in
       void);
      (K_13:
      (let _jessie_ = tmp in
      (let _jessie_ = t in
      (let _jessie_ = j_1 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_64:
      begin
        (((((offset_upd_ !Object_alloc_table) intM_intP) _jessie_) _jessie_) _jessie_);
       _jessie_ end)))))) end)) in void); (raise Return) end with Return ->
   void end) { true }

let cons_Object_ensures_default =
 fun (this_14 : Object pointer) ->
  { valid_struct_Object(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_230: true) }

let cons_Object_safety =
 fun (this_14 : Object pointer) ->
  { valid_struct_Object(this_14, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Sort_ensures_default =
 fun (this_3 : Object pointer) ->
  { valid_struct_Sort(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_206: true) }

let cons_Sort_safety =
 fun (this_3 : Object pointer) ->
  { valid_struct_Sort(this_3, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Sort.why
========== file tests/java/why/Sort.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  

========== file tests/java/why/Sort_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic Permut : Object pointer, int, int, (Object, int) memory, (Object,
int) memory -> prop

logic Sort_tag : Object tag_id

axiom Sort_parenttag_Object: parenttag(Sort_tag, Object_tag)

predicate Sorted(a: Object pointer, l: int, h: int, intM_intP_at_L: (Object,
  int) memory) =
  (forall i:int.
    (((l <= i) and (i < h)) -> (select(intM_intP_at_L, shift(a,
     i)) <= select(intM_intP_at_L, shift(a, (i + 1))))))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

predicate Swap(a_0: Object pointer, i_0: int, j: int,
  intM_intP_at_L2: (Object, int) memory, intM_intP_at_L1: (Object,
  int) memory) =
  ((select(intM_intP_at_L1, shift(a_0, i_0)) = select(intM_intP_at_L2,
   shift(a_0, j))) and
   ((select(intM_intP_at_L1, shift(a_0, j)) = select(intM_intP_at_L2,
    shift(a_0, i_0))) and
    (forall k:int.
      (((k <> i_0) and (k <> j)) -> (select(intM_intP_at_L1, shift(a_0,
       k)) = select(intM_intP_at_L2, shift(a_0, k)))))))

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Sort(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Sort(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Sort(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Sort(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom Permut_swap:
  (forall intM_intP_at_L2:(Object, int) memory.
    (forall intM_intP_at_L1:(Object, int) memory.
      (forall a_5:Object pointer.
        (forall l_4:int.
          (forall h_4:int.
            (forall i_1:int.
              (forall j_0:int.
                (((l_4 <= i_1) and
                  ((i_1 <= h_4) and
                   ((l_4 <= j_0) and
                    ((j_0 <= h_4) and Swap(a_5, i_1, j_0, intM_intP_at_L2,
                     intM_intP_at_L1))))) ->
                 Permut(a_5, l_4, h_4, intM_intP_at_L2, intM_intP_at_L1)))))))))

axiom Permut_trans:
  (forall intM_intP_at_L3:(Object, int) memory.
    (forall intM_intP_at_L2:(Object, int) memory.
      (forall intM_intP_at_L1:(Object, int) memory.
        (forall a_4:Object pointer.
          (forall l_3:int.
            (forall h_3:int.
              ((Permut(a_4, l_3, h_3, intM_intP_at_L2, intM_intP_at_L1) and
                Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L2)) ->
               Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L1))))))))

axiom Permut_sym:
  (forall intM_intP_at_L2:(Object, int) memory.
    (forall intM_intP_at_L1:(Object, int) memory.
      (forall a_3:Object pointer.
        (forall l_2:int.
          (forall h_2:int.
            (Permut(a_3, l_2, h_2, intM_intP_at_L2, intM_intP_at_L1) ->
             Permut(a_3, l_2, h_2, intM_intP_at_L1, intM_intP_at_L2)))))))

axiom Permut_refl:
  (forall intM_intP_at_L:(Object, int) memory.
    (forall a_2:Object pointer.
      (forall l_1:int.
        (forall h_1:int. Permut(a_2, l_1, h_1, intM_intP_at_L,
          intM_intP_at_L)))))

========== file tests/java/why/Sort_po1.why ==========
goal Sort_min_sort_ensures_default_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  ("JC_96": (0 <= i_3))

========== file tests/java/why/Sort_po10.why ==========
goal Sort_min_sort_ensures_default_po_10:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_104": ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Sort_po11.why ==========
goal Sort_min_sort_ensures_default_po_11:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP0:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP0, intM_intP)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  ("JC_96": (0 <= i_3_1))

========== file tests/java/why/Sort_po12.why ==========
goal Sort_min_sort_ensures_permutation_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  ("JC_130": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP, intM_intP))

========== file tests/java/why/Sort_po13.why ==========
goal Sort_min_sort_ensures_permutation_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_130": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)) ->
  ("JC_131": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_136": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)) ->
  ("JC_140":
  (("JC_137": (i_3_0 < j_2_0)) and
   (("JC_138": (i_3_0 <= mi0)) and
    ("JC_139": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  ("JC_130": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP1, intM_intP))

========== file tests/java/why/Sort_po14.why ==========
goal Sort_min_sort_ensures_sorted_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  ("JC_112": ("JC_110": Sorted(t_0, 0, i_3, intM_intP)))

========== file tests/java/why/Sort_po15.why ==========
goal Sort_min_sort_ensures_sorted_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and
   ((k1 < i_3) and
    ((i_3 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ("JC_112":
  ("JC_111": (select(intM_intP, shift(t_0, k1)) <= select(intM_intP,
  shift(t_0, k2)))))

========== file tests/java/why/Sort_po16.why ==========
goal Sort_min_sort_ensures_sorted_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_120": ("JC_118": (mv = select(intM_intP0, shift(t_0, mi)))))

========== file tests/java/why/Sort_po17.why ==========
goal Sort_min_sort_ensures_sorted_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall k_0:int.
  ((i_3_0 <= k_0) and (k_0 < j_2)) ->
  ("JC_120": ("JC_119": (select(intM_intP0, shift(t_0, k_0)) >= mv)))

========== file tests/java/why/Sort_po18.why ==========
goal Sort_min_sort_ensures_sorted_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_120":
  (("JC_118": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
   ("JC_119":
   (forall k_0:int.
     (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0, shift(t_0,
      k_0)) >= mv0)))))) ->
  ("JC_124":
  (("JC_121": (i_3_0 < j_2_0)) and
   (("JC_122": (i_3_0 <= mi0)) and
    ("JC_123": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_120": ("JC_118": (mv1 = select(intM_intP0, shift(t_0, mi1)))))

========== file tests/java/why/Sort_po19.why ==========
goal Sort_min_sort_ensures_sorted_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_120":
  (("JC_118": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
   ("JC_119":
   (forall k_0:int.
     (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0, shift(t_0,
      k_0)) >= mv0)))))) ->
  ("JC_124":
  (("JC_121": (i_3_0 < j_2_0)) and
   (("JC_122": (i_3_0 <= mi0)) and
    ("JC_123": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  forall k_0:int.
  ((i_3_0 <= k_0) and (k_0 < j_2_1)) ->
  ("JC_120": ("JC_119": (select(intM_intP0, shift(t_0, k_0)) >= mv1)))

========== file tests/java/why/Sort_po2.why ==========
goal Sort_min_sort_ensures_default_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_104": ("JC_101": (i_3_0 < j_2)))

========== file tests/java/why/Sort_po20.why ==========
goal Sort_min_sort_ensures_sorted_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_120":
  (("JC_118": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
   ("JC_119":
   (forall k_0:int.
     (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0, shift(t_0,
      k_0)) >= mv0)))))) ->
  ("JC_124":
  (("JC_121": (i_3_0 < j_2_0)) and
   (("JC_122": (i_3_0 <= mi0)) and
    ("JC_123": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  forall k_0:int.
  ((i_3_0 <= k_0) and (k_0 < j_2_1)) ->
  ("JC_120": ("JC_119": (select(intM_intP0, shift(t_0, k_0)) >= mv0)))

========== file tests/java/why/Sort_po21.why ==========
goal Sort_min_sort_ensures_sorted_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_120":
  (("JC_118": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
   ("JC_119":
   (forall k_0:int.
     (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0, shift(t_0,
      k_0)) >= mv0)))))) ->
  ("JC_124":
  (("JC_121": (i_3_0 < j_2_0)) and
   (("JC_122": (i_3_0 <= mi0)) and
    ("JC_123": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  ("JC_112": ("JC_110": Sorted(t_0, 0, i_3_1, intM_intP1)))

========== file tests/java/why/Sort_po22.why ==========
goal Sort_min_sort_ensures_sorted_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_120":
  (("JC_118": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
   ("JC_119":
   (forall k_0:int.
     (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0, shift(t_0,
      k_0)) >= mv0)))))) ->
  ("JC_124":
  (("JC_121": (i_3_0 < j_2_0)) and
   (("JC_122": (i_3_0 <= mi0)) and
    ("JC_123": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and
   ((k1 < i_3_1) and
    ((i_3_1 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ("JC_112":
  ("JC_111": (select(intM_intP1, shift(t_0, k1)) <= select(intM_intP1,
  shift(t_0, k2)))))

========== file tests/java/why/Sort_po23.why ==========
goal Sort_min_sort_ensures_sorted_po_10:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 >= (result - 1)) ->
  ("JC_73": Sorted(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0))

========== file tests/java/why/Sort_po24.why ==========
goal Sort_min_sort_safety_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1))

========== file tests/java/why/Sort_po25.why ==========
goal Sort_min_sort_safety_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  (offset_min(Object_alloc_table, t_0) <= i_3_0)

========== file tests/java/why/Sort_po26.why ==========
goal Sort_min_sort_safety_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  (i_3_0 <= offset_max(Object_alloc_table, t_0))

========== file tests/java/why/Sort_po27.why ==========
goal Sort_min_sort_safety_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_84": (i_3_0 < j_2_0)) and
   (("JC_85": (i_3_0 <= mi0)) and
    ("JC_86": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  (offset_min(Object_alloc_table, t_0) <= j_2_0)

========== file tests/java/why/Sort_po28.why ==========
goal Sort_min_sort_safety_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_84": (i_3_0 < j_2_0)) and
   (("JC_85": (i_3_0 <= mi0)) and
    ("JC_86": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  (j_2_0 <= offset_max(Object_alloc_table, t_0))

========== file tests/java/why/Sort_po29.why ==========
goal Sort_min_sort_safety_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_84": (i_3_0 < j_2_0)) and
   (("JC_85": (i_3_0 <= mi0)) and
    ("JC_86": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_39": Non_null_intM(t_0, Object_alloc_table)))

========== file tests/java/why/Sort_po3.why ==========
goal Sort_min_sort_ensures_default_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_104": ("JC_102": (i_3_0 <= mi)))

========== file tests/java/why/Sort_po30.why ==========
goal Sort_min_sort_safety_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_84": (i_3_0 < j_2_0)) and
   (("JC_85": (i_3_0 <= mi0)) and
    ("JC_86": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_41": (i_3_0 < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Sort_po31.why ==========
goal Sort_min_sort_safety_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_84": (i_3_0 < j_2_0)) and
   (("JC_85": (i_3_0 <= mi0)) and
    ("JC_86": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_42": (0 <= mi0)))

========== file tests/java/why/Sort_po32.why ==========
goal Sort_min_sort_safety_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_84": (i_3_0 < j_2_0)) and
   (("JC_85": (i_3_0 <= mi0)) and
    ("JC_86": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_43": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Sort_po33.why ==========
goal Sort_swap_ensures_default_po_1:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t, j_1))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, i_2), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, j_1), result)) ->
  ("JC_55": ("JC_53": Swap(t, i_2, j_1, intM_intP1, intM_intP)))

========== file tests/java/why/Sort_po34.why ==========
goal Sort_swap_ensures_default_po_2:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t, j_1))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, i_2), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, j_1), result)) ->
  ("JC_55":
  ("JC_54": not_assigns(Object_alloc_table, intM_intP, intM_intP1,
  pset_union(pset_range(pset_singleton(t), j_1, j_1),
  pset_range(pset_singleton(t), i_2, i_2)))))

========== file tests/java/why/Sort_po35.why ==========
goal Sort_swap_safety_po_1:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  (offset_min(Object_alloc_table, t) <= i_2)

========== file tests/java/why/Sort_po36.why ==========
goal Sort_swap_safety_po_2:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  (i_2 <= offset_max(Object_alloc_table, t))

========== file tests/java/why/Sort_po37.why ==========
goal Sort_swap_safety_po_3:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  ((offset_min(Object_alloc_table, t) <= i_2) and
   (i_2 <= offset_max(Object_alloc_table, t))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  (offset_min(Object_alloc_table, t) <= j_1)

========== file tests/java/why/Sort_po38.why ==========
goal Sort_swap_safety_po_4:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  ((offset_min(Object_alloc_table, t) <= i_2) and
   (i_2 <= offset_max(Object_alloc_table, t))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  (j_1 <= offset_max(Object_alloc_table, t))

========== file tests/java/why/Sort_po4.why ==========
goal Sort_min_sort_ensures_default_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_104": ("JC_103": (mi < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Sort_po5.why ==========
goal Sort_min_sort_ensures_default_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_104": ("JC_101": (i_3_0 < j_2_1)))

========== file tests/java/why/Sort_po6.why ==========
goal Sort_min_sort_ensures_default_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_104": ("JC_102": (i_3_0 <= mi1)))

========== file tests/java/why/Sort_po7.why ==========
goal Sort_min_sort_ensures_default_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_104": ("JC_103": (mi1 < (offset_max(Object_alloc_table, t_0) + 1))))

========== file tests/java/why/Sort_po8.why ==========
goal Sort_min_sort_ensures_default_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_104": ("JC_101": (i_3_0 < j_2_1)))

========== file tests/java/why/Sort_po9.why ==========
goal Sort_min_sort_ensures_default_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_104": ("JC_102": (i_3_0 <= mi0)))

========== generation of Simplify VC output ==========
why -simplify [...] why/Sort.why
========== file tests/java/simplify/Sort_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom Sort_parenttag_Object
 (EQ (parenttag Sort_tag Object_tag) |@true|))

(DEFPRED (Sorted a l h intM_intP_at_L)
  (FORALL (i)
  (IMPLIES (AND (<= l i) (< i h))
  (<= (select intM_intP_at_L (shift a i)) (select
                                          intM_intP_at_L (shift a (+ i 1)))))))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(DEFPRED (Swap a_0 i_0 j intM_intP_at_L2 intM_intP_at_L1)
  (AND
  (EQ (select intM_intP_at_L1 (shift a_0 i_0))
  (select intM_intP_at_L2 (shift a_0 j)))
  (AND
  (EQ (select intM_intP_at_L1 (shift a_0 j))
  (select intM_intP_at_L2 (shift a_0 i_0)))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i_0) (NEQ k j))
  (EQ (select intM_intP_at_L1 (shift a_0 k))
  (select intM_intP_at_L2 (shift a_0 k))))))))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Sort p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Sort p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Sort p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Sort p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom Permut_swap
 (FORALL (intM_intP_at_L2 intM_intP_at_L1 a_5 l_4 h_4 i_1 j_0)
 (IMPLIES
 (AND (<= l_4 i_1)
 (AND (<= i_1 h_4)
 (AND (<= l_4 j_0)
 (AND (<= j_0 h_4) (Swap a_5 i_1 j_0 intM_intP_at_L2 intM_intP_at_L1)))))
 (EQ (Permut a_5 l_4 h_4 intM_intP_at_L2 intM_intP_at_L1) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_trans
 (FORALL (intM_intP_at_L3 intM_intP_at_L2 intM_intP_at_L1 a_4 l_3 h_3)
 (IMPLIES
 (AND (EQ (Permut a_4 l_3 h_3 intM_intP_at_L2 intM_intP_at_L1) |@true|)
 (EQ (Permut a_4 l_3 h_3 intM_intP_at_L3 intM_intP_at_L2) |@true|))
 (EQ (Permut a_4 l_3 h_3 intM_intP_at_L3 intM_intP_at_L1) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_sym
 (FORALL (intM_intP_at_L2 intM_intP_at_L1 a_3 l_2 h_2)
 (IMPLIES (EQ (Permut a_3 l_2 h_2 intM_intP_at_L2 intM_intP_at_L1) |@true|)
 (EQ (Permut a_3 l_2 h_2 intM_intP_at_L1 intM_intP_at_L2) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_refl
 (FORALL (intM_intP_at_L a_2 l_1 h_1)
 (EQ (Permut a_2 l_1 h_1 intM_intP_at_L intM_intP_at_L) |@true|)))

;; Sort_min_sort_ensures_default_po_1, File "HOME/tests/java/Sort.java", line 86, characters 20-26
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3) (IMPLIES (EQ i_3 0) (<= 0 i_3)))))))

;; Sort_min_sort_ensures_default_po_2, File "HOME/tests/java/Sort.java", line 97, characters 24-29
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2) (IMPLIES (EQ j_2 (+ i_3_0 1)) (< i_3_0 j_2)))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_3, File "HOME/tests/java/Sort.java", line 97, characters 33-40
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2) (IMPLIES (EQ j_2 (+ i_3_0 1)) (<= i_3_0 mi)))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_4, File "HOME/tests/java/Sort.java", line 97, characters 38-51
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(< mi (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_5, File "HOME/tests/java/Sort.java", line 97, characters 24-29
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 j_2_0)))
(IMPLIES (< result2 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_2_0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift t_0 j_2_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result3)
(FORALL (j_2_1) (IMPLIES (EQ j_2_1 (+ j_2_0 1)) (< i_3_0 j_2_1)))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_6, File "HOME/tests/java/Sort.java", line 97, characters 33-40
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 j_2_0)))
(IMPLIES (< result2 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_2_0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift t_0 j_2_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result3)
(FORALL (j_2_1) (IMPLIES (EQ j_2_1 (+ j_2_0 1)) (<= i_3_0 mi1)))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_7, File "HOME/tests/java/Sort.java", line 97, characters 38-51
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 j_2_0)))
(IMPLIES (< result2 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_2_0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP (shift t_0 j_2_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result3)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1))
(< mi1 (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_8, File "HOME/tests/java/Sort.java", line 97, characters 24-29
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 j_2_0)))
(IMPLIES (>= result2 mv0)
(FORALL (j_2_1) (IMPLIES (EQ j_2_1 (+ j_2_0 1)) (< i_3_0 j_2_1)))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_9, File "HOME/tests/java/Sort.java", line 97, characters 33-40
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 j_2_0)))
(IMPLIES (>= result2 mv0)
(FORALL (j_2_1) (IMPLIES (EQ j_2_1 (+ j_2_0 1)) (<= i_3_0 mi0)))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_10, File "HOME/tests/java/Sort.java", line 97, characters 38-51
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP (shift t_0 j_2_0)))
(IMPLIES (>= result2 mv0)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1))
(< mi0 (+ (offset_max Object_alloc_table t_0) 1))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_default_po_11, File "HOME/tests/java/Sort.java", line 86, characters 20-26
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1)
(FORALL (intM_intP0)
(IMPLIES (AND (Swap t_0 i_3_0 mi0 intM_intP0 intM_intP)
         (not_assigns
         Object_alloc_table intM_intP intM_intP0 (pset_union
                                                 (pset_range
                                                 (pset_singleton t_0) mi0 mi0) 
                                                 (pset_range
                                                 (pset_singleton t_0) i_3_0 i_3_0))))
(FORALL (i_3_1) (IMPLIES (EQ i_3_1 (+ i_3_0 1)) (<= 0 i_3_1)))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_permutation_po_1, File "HOME/tests/java/Sort.java", line 92, characters 22-54
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(EQ (Permut
t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP intM_intP) |@true|))))))))

;; Sort_min_sort_ensures_permutation_po_2, File "HOME/tests/java/Sort.java", line 92, characters 22-54
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|)
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(IMPLIES (EQ (Permut
         t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0 intM_intP) |@true|)
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1)
(FORALL (intM_intP1)
(IMPLIES (AND (Swap t_0 i_3_0 mi0 intM_intP1 intM_intP0)
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_0) mi0 mi0) 
                                                  (pset_range
                                                  (pset_singleton t_0) i_3_0 i_3_0))))
(FORALL (i_3_1)
(IMPLIES (EQ i_3_1 (+ i_3_0 1))
(EQ (Permut
t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP1 intM_intP) |@true|))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_sorted_po_1, File "HOME/tests/java/Sort.java", line 88, characters 21-34
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3) (IMPLIES (EQ i_3 0) (Sorted t_0 0 i_3 intM_intP))))))))

;; Sort_min_sort_ensures_sorted_po_2, File "HOME/tests/java/Sort.java", line 89, characters 8-89
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (k1)
(FORALL (k2)
(IMPLIES (AND (<= 0 k1)
         (AND (< k1 i_3)
         (AND (<= i_3 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
(<= (select intM_intP (shift t_0 k1)) (select intM_intP (shift t_0 k2)))))))))))))

;; Sort_min_sort_ensures_sorted_po_3, File "HOME/tests/java/Sort.java", line 99, characters 25-36
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2))))))
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1)) (EQ mv (select intM_intP0 (shift t_0 mi))))))))))))))))))))))))

;; Sort_min_sort_ensures_sorted_po_4, File "HOME/tests/java/Sort.java", line 100, characters 12-56
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2))))))
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (k_0)
(IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2))
(>= (select intM_intP0 (shift t_0 k_0)) mv))))))))))))))))))))))))

;; Sort_min_sort_ensures_sorted_po_5, File "HOME/tests/java/Sort.java", line 99, characters 25-36
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2))))))
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0))))
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (< result2 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_2_0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP0 (shift t_0 j_2_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result3)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1)) (EQ mv1 (select intM_intP0 (shift t_0 mi1)))))))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_sorted_po_6, File "HOME/tests/java/Sort.java", line 100, characters 12-56
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2))))))
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0))))
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (< result2 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_2_0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP0 (shift t_0 j_2_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result3)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1))
(FORALL (k_0)
(IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_1))
(>= (select intM_intP0 (shift t_0 k_0)) mv1)))))))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_sorted_po_7, File "HOME/tests/java/Sort.java", line 100, characters 12-56
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2))))))
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0))))
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP0 (shift t_0 j_2_0)))
(IMPLIES (>= result2 mv0)
(FORALL (j_2_1)
(IMPLIES (EQ j_2_1 (+ j_2_0 1))
(FORALL (k_0)
(IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_1))
(>= (select intM_intP0 (shift t_0 k_0)) mv0)))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_sorted_po_8, File "HOME/tests/java/Sort.java", line 88, characters 21-34
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2))))))
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0))))
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1)
(FORALL (intM_intP1)
(IMPLIES (AND (Swap t_0 i_3_0 mi0 intM_intP1 intM_intP0)
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_0) mi0 mi0) 
                                                  (pset_range
                                                  (pset_singleton t_0) i_3_0 i_3_0))))
(FORALL (i_3_1)
(IMPLIES (EQ i_3_1 (+ i_3_0 1)) (Sorted t_0 0 i_3_1 intM_intP1))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_sorted_po_9, File "HOME/tests/java/Sort.java", line 89, characters 8-89
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2))))))
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP0 (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (EQ mv0 (select intM_intP0 (shift t_0 mi0)))
         (FORALL (k_0)
         (IMPLIES (AND (<= i_3_0 k_0) (< k_0 j_2_0))
         (>= (select intM_intP0 (shift t_0 k_0)) mv0))))
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1)
(FORALL (intM_intP1)
(IMPLIES (AND (Swap t_0 i_3_0 mi0 intM_intP1 intM_intP0)
         (not_assigns
         Object_alloc_table intM_intP0 intM_intP1 (pset_union
                                                  (pset_range
                                                  (pset_singleton t_0) mi0 mi0) 
                                                  (pset_range
                                                  (pset_singleton t_0) i_3_0 i_3_0))))
(FORALL (i_3_1)
(IMPLIES (EQ i_3_1 (+ i_3_0 1))
(FORALL (k1)
(FORALL (k2)
(IMPLIES (AND (<= 0 k1)
         (AND (< k1 i_3_1)
         (AND (<= i_3_1 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
(<= (select intM_intP1 (shift t_0 k1)) (select intM_intP1 (shift t_0 k2)))))))))))))))))))))))))))))))))))))))

;; Sort_min_sort_ensures_sorted_po_10, File "HOME/tests/java/Sort.java", line 79, characters 18-40
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP0)
(IMPLIES (AND (Sorted t_0 0 i_3_0 intM_intP0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1)
         (AND (< k1 i_3_0)
         (AND (<= i_3_0 k2) (< k2 (+ (offset_max Object_alloc_table t_0) 1)))))
         (<= (select intM_intP0 (shift t_0 k1)) (select
                                                intM_intP0 (shift t_0 k2))))))
(IMPLIES (<= 0 i_3_0)
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= i_3_0 (- result 1))
(Sorted t_0 0 (- (+ (offset_max Object_alloc_table t_0) 1) 1) intM_intP0))))))))))))))

;; Sort_min_sort_safety_po_1, File "why/Sort.why", line 1000, characters 44-195
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(IMPLIES TRUE
(IMPLIES (<= 0 i_3_0) (>= (offset_max Object_alloc_table t_0) (- 0 1)))))))))))

;; Sort_min_sort_safety_po_2, File "HOME/tests/java/Sort.java", line 96, characters 10-14
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(IMPLIES TRUE
(IMPLIES (<= 0 i_3_0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(<= (offset_min Object_alloc_table t_0) i_3_0))))))))))))))

;; Sort_min_sort_safety_po_3, File "HOME/tests/java/Sort.java", line 96, characters 10-14
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(IMPLIES TRUE
(IMPLIES (<= 0 i_3_0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(<= i_3_0 (offset_max Object_alloc_table t_0)))))))))))))))

;; Sort_min_sort_safety_po_4, File "HOME/tests/java/Sort.java", line 105, characters 6-10
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 i_3_0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_3_0)
         (<= i_3_0 (offset_max Object_alloc_table t_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1) (<= (offset_min Object_alloc_table t_0) j_2_0))))))))))))))))))))))))))))))))

;; Sort_min_sort_safety_po_5, File "HOME/tests/java/Sort.java", line 105, characters 6-10
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 i_3_0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_3_0)
         (<= i_3_0 (offset_max Object_alloc_table t_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< j_2_0 result1) (<= j_2_0 (offset_max Object_alloc_table t_0)))))))))))))))))))))))))))))))))

;; Sort_min_sort_safety_po_6, File "HOME/tests/java/Sort.jc", line 205, characters 29-60
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 i_3_0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_3_0)
         (<= i_3_0 (offset_max Object_alloc_table t_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1) (Non_null_intM t_0 Object_alloc_table))))))))))))))))))))))))))))))))

;; Sort_min_sort_safety_po_7, File "HOME/tests/java/Sort.jc", line 205, characters 29-60
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 i_3_0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_3_0)
         (<= i_3_0 (offset_max Object_alloc_table t_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1)
(< i_3_0 (+ (offset_max Object_alloc_table t_0) 1)))))))))))))))))))))))))))))))))

;; Sort_min_sort_safety_po_8, File "HOME/tests/java/Sort.jc", line 205, characters 29-60
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 i_3_0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_3_0)
         (<= i_3_0 (offset_max Object_alloc_table t_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1) (<= 0 mi0))))))))))))))))))))))))))))))))

;; Sort_min_sort_safety_po_9, File "HOME/tests/java/Sort.jc", line 205, characters 29-60
(FORALL (this_0)
(FORALL (t_0)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_0 0 Object_alloc_table)
         (AND (valid_struct_Sort this_0 0 0 Object_alloc_table)
         (Non_null_intM t_0 Object_alloc_table)))
(FORALL (i_3)
(IMPLIES (EQ i_3 0)
(FORALL (i_3_0)
(FORALL (intM_intP)
(IMPLIES TRUE
(IMPLIES (<= 0 i_3_0)
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (< i_3_0 (- result 1))
(IMPLIES (AND (<= (offset_min Object_alloc_table t_0) i_3_0)
         (<= i_3_0 (offset_max Object_alloc_table t_0)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t_0 i_3_0)))
(FORALL (mv)
(IMPLIES (EQ mv result0)
(FORALL (mi)
(IMPLIES (EQ mi i_3_0)
(FORALL (j_2)
(IMPLIES (EQ j_2 (+ i_3_0 1))
(FORALL (j_2_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_3_0 j_2_0)
         (AND (<= i_3_0 mi0)
         (< mi0 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= (offset_max Object_alloc_table t_0) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_alloc_table t_0) 1))))
(IMPLIES (>= j_2_0 result1)
(< mi0 (+ (offset_max Object_alloc_table t_0) 1)))))))))))))))))))))))))))))))))

;; Sort_swap_ensures_default_po_1, File "HOME/tests/java/Sort.java", line 69, characters 16-37
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_Sort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i_2)
         (AND (< i_2 (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 j_1) (< j_1 (+ (offset_max Object_alloc_table t) 1))))))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t i_2)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t j_1)))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t i_2) result0))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t j_1) result))
(Swap t i_2 j_1 intM_intP1 intM_intP))))))))))))))))

;; Sort_swap_ensures_default_po_2, File "HOME/tests/java/Sort.java", line 71, characters 9-13
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_Sort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i_2)
         (AND (< i_2 (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 j_1) (< j_1 (+ (offset_max Object_alloc_table t) 1))))))))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t i_2)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP (shift t j_1)))
(FORALL (intM_intP0)
(IMPLIES (EQ intM_intP0 (|why__store| intM_intP (shift t i_2) result0))
(FORALL (intM_intP1)
(IMPLIES (EQ intM_intP1 (|why__store| intM_intP0 (shift t j_1) result))
(not_assigns
Object_alloc_table intM_intP intM_intP1 (pset_union
                                        (pset_range
                                        (pset_singleton t) j_1 j_1) (pset_range
                                                                    (pset_singleton
                                                                    t) i_2 i_2))))))))))))))))))

;; Sort_swap_safety_po_1, File "HOME/tests/java/Sort.java", line 72, characters 11-15
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_1)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_Sort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i_2)
         (AND (< i_2 (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 j_1) (< j_1 (+ (offset_max Object_alloc_table t) 1))))))))
(<= (offset_min Object_alloc_table t) i_2)))))))

;; Sort_swap_safety_po_2, File "HOME/tests/java/Sort.java", line 72, characters 11-15
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_1)
(FORALL (Object_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_Sort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i_2)
         (AND (< i_2 (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 j_1) (< j_1 (+ (offset_max Object_alloc_table t) 1))))))))
(<= i_2 (offset_max Object_alloc_table t))))))))

;; Sort_swap_safety_po_3, File "HOME/tests/java/Sort.java", line 73, characters 8-12
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_Sort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i_2)
         (AND (< i_2 (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 j_1) (< j_1 (+ (offset_max Object_alloc_table t) 1))))))))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) i_2)
         (<= i_2 (offset_max Object_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t i_2)))
(<= (offset_min Object_alloc_table t) j_1)))))))))))

;; Sort_swap_safety_po_4, File "HOME/tests/java/Sort.java", line 73, characters 8-12
(FORALL (this_2)
(FORALL (t)
(FORALL (i_2)
(FORALL (j_1)
(FORALL (Object_alloc_table)
(FORALL (intM_intP)
(IMPLIES (AND (left_valid_struct_intM t 0 Object_alloc_table)
         (AND (valid_struct_Sort this_2 0 0 Object_alloc_table)
         (AND (Non_null_intM t Object_alloc_table)
         (AND (<= 0 i_2)
         (AND (< i_2 (+ (offset_max Object_alloc_table t) 1))
         (AND (<= 0 j_1) (< j_1 (+ (offset_max Object_alloc_table t) 1))))))))
(IMPLIES (AND (<= (offset_min Object_alloc_table t) i_2)
         (<= i_2 (offset_max Object_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intM_intP (shift t i_2)))
(<= j_1 (offset_max Object_alloc_table t))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Sort_why.sx          : ............?......................... (37/0/1/0/0)
total   :  38
valid   :  37 ( 97%)
invalid :   0 (  0%)
unknown :   1 (  3%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Sort.why
========== file tests/java/why/Sort_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic Permut : Object pointer, int, int, (Object, int) memory, (Object,
int) memory -> prop

logic Sort_tag : Object tag_id

axiom Sort_parenttag_Object: parenttag(Sort_tag, Object_tag)

predicate Sorted(a: Object pointer, l: int, h: int, intM_intP_at_L: (Object,
  int) memory) =
  (forall i:int.
    (((l <= i) and (i < h)) -> (select(intM_intP_at_L, shift(a,
     i)) <= select(intM_intP_at_L, shift(a, (i + 1))))))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

predicate Swap(a_0: Object pointer, i_0: int, j: int,
  intM_intP_at_L2: (Object, int) memory, intM_intP_at_L1: (Object,
  int) memory) =
  ((select(intM_intP_at_L1, shift(a_0, i_0)) = select(intM_intP_at_L2,
   shift(a_0, j))) and
   ((select(intM_intP_at_L1, shift(a_0, j)) = select(intM_intP_at_L2,
    shift(a_0, i_0))) and
    (forall k:int.
      (((k <> i_0) and (k <> j)) -> (select(intM_intP_at_L1, shift(a_0,
       k)) = select(intM_intP_at_L2, shift(a_0, k)))))))

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Sort(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Sort(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Sort(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Sort(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom Permut_swap:
  (forall intM_intP_at_L2:(Object, int) memory.
    (forall intM_intP_at_L1:(Object, int) memory.
      (forall a_5:Object pointer.
        (forall l_4:int.
          (forall h_4:int.
            (forall i_1:int.
              (forall j_0:int.
                (((l_4 <= i_1) and
                  ((i_1 <= h_4) and
                   ((l_4 <= j_0) and
                    ((j_0 <= h_4) and Swap(a_5, i_1, j_0, intM_intP_at_L2,
                     intM_intP_at_L1))))) ->
                 Permut(a_5, l_4, h_4, intM_intP_at_L2, intM_intP_at_L1)))))))))

axiom Permut_trans:
  (forall intM_intP_at_L3:(Object, int) memory.
    (forall intM_intP_at_L2:(Object, int) memory.
      (forall intM_intP_at_L1:(Object, int) memory.
        (forall a_4:Object pointer.
          (forall l_3:int.
            (forall h_3:int.
              ((Permut(a_4, l_3, h_3, intM_intP_at_L2, intM_intP_at_L1) and
                Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L2)) ->
               Permut(a_4, l_3, h_3, intM_intP_at_L3, intM_intP_at_L1))))))))

axiom Permut_sym:
  (forall intM_intP_at_L2:(Object, int) memory.
    (forall intM_intP_at_L1:(Object, int) memory.
      (forall a_3:Object pointer.
        (forall l_2:int.
          (forall h_2:int.
            (Permut(a_3, l_2, h_2, intM_intP_at_L2, intM_intP_at_L1) ->
             Permut(a_3, l_2, h_2, intM_intP_at_L1, intM_intP_at_L2)))))))

axiom Permut_refl:
  (forall intM_intP_at_L:(Object, int) memory.
    (forall a_2:Object pointer.
      (forall l_1:int.
        (forall h_1:int. Permut(a_2, l_1, h_1, intM_intP_at_L,
          intM_intP_at_L)))))

goal Sort_min_sort_ensures_default_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  ("JC_96": (0 <= i_3))

goal Sort_min_sort_ensures_default_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_104": ("JC_101": (i_3_0 < j_2)))

goal Sort_min_sort_ensures_default_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_104": ("JC_102": (i_3_0 <= mi)))

goal Sort_min_sort_ensures_default_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_104": ("JC_103": (mi < (offset_max(Object_alloc_table, t_0) + 1))))

goal Sort_min_sort_ensures_default_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_104": ("JC_101": (i_3_0 < j_2_1)))

goal Sort_min_sort_ensures_default_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_104": ("JC_102": (i_3_0 <= mi1)))

goal Sort_min_sort_ensures_default_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_104": ("JC_103": (mi1 < (offset_max(Object_alloc_table, t_0) + 1))))

goal Sort_min_sort_ensures_default_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_104": ("JC_101": (i_3_0 < j_2_1)))

goal Sort_min_sort_ensures_default_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_104": ("JC_102": (i_3_0 <= mi0)))

goal Sort_min_sort_ensures_default_po_10:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_104": ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))))

goal Sort_min_sort_ensures_default_po_11:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_96": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_104":
  (("JC_101": (i_3_0 < j_2_0)) and
   (("JC_102": (i_3_0 <= mi0)) and
    ("JC_103": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP0:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP0, intM_intP)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP, intM_intP0,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  ("JC_96": (0 <= i_3_1))

goal Sort_min_sort_ensures_permutation_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  ("JC_130": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP, intM_intP))

goal Sort_min_sort_ensures_permutation_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_130": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)) ->
  ("JC_131": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_136": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0, intM_intP)) ->
  ("JC_140":
  (("JC_137": (i_3_0 < j_2_0)) and
   (("JC_138": (i_3_0 <= mi0)) and
    ("JC_139": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  ("JC_130": Permut(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP1, intM_intP))

goal Sort_min_sort_ensures_sorted_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  ("JC_112": ("JC_110": Sorted(t_0, 0, i_3, intM_intP)))

goal Sort_min_sort_ensures_sorted_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and
   ((k1 < i_3) and
    ((i_3 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ("JC_112":
  ("JC_111": (select(intM_intP, shift(t_0, k1)) <= select(intM_intP,
  shift(t_0, k2)))))

goal Sort_min_sort_ensures_sorted_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  ("JC_120": ("JC_118": (mv = select(intM_intP0, shift(t_0, mi)))))

goal Sort_min_sort_ensures_sorted_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall k_0:int.
  ((i_3_0 <= k_0) and (k_0 < j_2)) ->
  ("JC_120": ("JC_119": (select(intM_intP0, shift(t_0, k_0)) >= mv)))

goal Sort_min_sort_ensures_sorted_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_120":
  (("JC_118": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
   ("JC_119":
   (forall k_0:int.
     (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0, shift(t_0,
      k_0)) >= mv0)))))) ->
  ("JC_124":
  (("JC_121": (i_3_0 < j_2_0)) and
   (("JC_122": (i_3_0 <= mi0)) and
    ("JC_123": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  ("JC_120": ("JC_118": (mv1 = select(intM_intP0, shift(t_0, mi1)))))

goal Sort_min_sort_ensures_sorted_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_120":
  (("JC_118": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
   ("JC_119":
   (forall k_0:int.
     (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0, shift(t_0,
      k_0)) >= mv0)))))) ->
  ("JC_124":
  (("JC_121": (i_3_0 < j_2_0)) and
   (("JC_122": (i_3_0 <= mi0)) and
    ("JC_123": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 < mv0) ->
  forall mi1:int.
  (mi1 = j_2_0) ->
  forall result3:int.
  (result3 = select(intM_intP0, shift(t_0, j_2_0))) ->
  forall mv1:int.
  (mv1 = result3) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  forall k_0:int.
  ((i_3_0 <= k_0) and (k_0 < j_2_1)) ->
  ("JC_120": ("JC_119": (select(intM_intP0, shift(t_0, k_0)) >= mv1)))

goal Sort_min_sort_ensures_sorted_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_120":
  (("JC_118": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
   ("JC_119":
   (forall k_0:int.
     (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0, shift(t_0,
      k_0)) >= mv0)))))) ->
  ("JC_124":
  (("JC_121": (i_3_0 < j_2_0)) and
   (("JC_122": (i_3_0 <= mi0)) and
    ("JC_123": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP0, shift(t_0, j_2_0))) ->
  (result2 >= mv0) ->
  forall j_2_1:int.
  (j_2_1 = (j_2_0 + 1)) ->
  forall k_0:int.
  ((i_3_0 <= k_0) and (k_0 < j_2_1)) ->
  ("JC_120": ("JC_119": (select(intM_intP0, shift(t_0, k_0)) >= mv0)))

goal Sort_min_sort_ensures_sorted_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_120":
  (("JC_118": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
   ("JC_119":
   (forall k_0:int.
     (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0, shift(t_0,
      k_0)) >= mv0)))))) ->
  ("JC_124":
  (("JC_121": (i_3_0 < j_2_0)) and
   (("JC_122": (i_3_0 <= mi0)) and
    ("JC_123": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  ("JC_112": ("JC_110": Sorted(t_0, 0, i_3_1, intM_intP1)))

goal Sort_min_sort_ensures_sorted_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  forall result0:int.
  (result0 = select(intM_intP0, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_120":
  (("JC_118": (mv0 = select(intM_intP0, shift(t_0, mi0)))) and
   ("JC_119":
   (forall k_0:int.
     (((i_3_0 <= k_0) and (k_0 < j_2_0)) -> (select(intM_intP0, shift(t_0,
      k_0)) >= mv0)))))) ->
  ("JC_124":
  (("JC_121": (i_3_0 < j_2_0)) and
   (("JC_122": (i_3_0 <= mi0)) and
    ("JC_123": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  forall intM_intP1:(Object,
  int) memory.
  ("JC_58":
  (("JC_56": Swap(t_0, i_3_0, mi0, intM_intP1, intM_intP0)) and
   ("JC_57": not_assigns(Object_alloc_table, intM_intP0, intM_intP1,
   pset_union(pset_range(pset_singleton(t_0), mi0, mi0),
   pset_range(pset_singleton(t_0), i_3_0, i_3_0)))))) ->
  forall i_3_1:int.
  (i_3_1 = (i_3_0 + 1)) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and
   ((k1 < i_3_1) and
    ((i_3_1 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
  ("JC_112":
  ("JC_111": (select(intM_intP1, shift(t_0, k1)) <= select(intM_intP1,
  shift(t_0, k2)))))

goal Sort_min_sort_ensures_sorted_po_10:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP0:(Object,
  int) memory.
  ("JC_112":
  (("JC_110": Sorted(t_0, 0, i_3_0, intM_intP0)) and
   ("JC_111":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and
         ((k1 < i_3_0) and
          ((i_3_0 <= k2) and (k2 < (offset_max(Object_alloc_table, t_0) + 1))))) ->
        (select(intM_intP0, shift(t_0, k1)) <= select(intM_intP0, shift(t_0,
        k2))))))))) ->
  ("JC_113": (0 <= i_3_0)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 >= (result - 1)) ->
  ("JC_73": Sorted(t_0, 0, ((offset_max(Object_alloc_table, t_0) + 1) - 1),
  intM_intP0))

goal Sort_min_sort_safety_po_1:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1))

goal Sort_min_sort_safety_po_2:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  (offset_min(Object_alloc_table, t_0) <= i_3_0)

goal Sort_min_sort_safety_po_3:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  (i_3_0 <= offset_max(Object_alloc_table, t_0))

goal Sort_min_sort_safety_po_4:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_84": (i_3_0 < j_2_0)) and
   (("JC_85": (i_3_0 <= mi0)) and
    ("JC_86": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  (offset_min(Object_alloc_table, t_0) <= j_2_0)

goal Sort_min_sort_safety_po_5:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_84": (i_3_0 < j_2_0)) and
   (("JC_85": (i_3_0 <= mi0)) and
    ("JC_86": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 < result1) ->
  (j_2_0 <= offset_max(Object_alloc_table, t_0))

goal Sort_min_sort_safety_po_6:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_84": (i_3_0 < j_2_0)) and
   (("JC_85": (i_3_0 <= mi0)) and
    ("JC_86": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_39": Non_null_intM(t_0, Object_alloc_table)))

goal Sort_min_sort_safety_po_7:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_84": (i_3_0 < j_2_0)) and
   (("JC_85": (i_3_0 <= mi0)) and
    ("JC_86": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_41": (i_3_0 < (offset_max(Object_alloc_table, t_0) + 1))))

goal Sort_min_sort_safety_po_8:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_84": (i_3_0 < j_2_0)) and
   (("JC_85": (i_3_0 <= mi0)) and
    ("JC_86": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_42": (0 <= mi0)))

goal Sort_min_sort_safety_po_9:
  forall this_0:Object pointer.
  forall t_0:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_0, 0, Object_alloc_table) and
   (valid_struct_Sort(this_0, 0, 0, Object_alloc_table) and
    ("JC_67": Non_null_intM(t_0, Object_alloc_table)))) ->
  forall i_3:int.
  (i_3 = 0) ->
  forall i_3_0:int.
  forall intM_intP:(Object,
  int) memory.
  ("JC_79": true) ->
  ("JC_77": (0 <= i_3_0)) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (i_3_0 < (result - 1)) ->
  ((offset_min(Object_alloc_table, t_0) <= i_3_0) and
   (i_3_0 <= offset_max(Object_alloc_table, t_0))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t_0, i_3_0))) ->
  forall mv:int.
  (mv = result0) ->
  forall mi:int.
  (mi = i_3_0) ->
  forall j_2:int.
  (j_2 = (i_3_0 + 1)) ->
  forall j_2_0:int.
  forall mi0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_84": (i_3_0 < j_2_0)) and
   (("JC_85": (i_3_0 <= mi0)) and
    ("JC_86": (mi0 < (offset_max(Object_alloc_table, t_0) + 1)))))) ->
  (offset_max(Object_alloc_table, t_0) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_alloc_table, t_0) + 1))))) ->
  (j_2_0 >= result1) ->
  ("JC_44": ("JC_43": (mi0 < (offset_max(Object_alloc_table, t_0) + 1))))

goal Sort_swap_ensures_default_po_1:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t, j_1))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, i_2), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, j_1), result)) ->
  ("JC_55": ("JC_53": Swap(t, i_2, j_1, intM_intP1, intM_intP)))

goal Sort_swap_ensures_default_po_2:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  forall result0:int.
  (result0 = select(intM_intP, shift(t, j_1))) ->
  forall intM_intP0:(Object,
  int) memory.
  (intM_intP0 = store(intM_intP, shift(t, i_2), result0)) ->
  forall intM_intP1:(Object,
  int) memory.
  (intM_intP1 = store(intM_intP0, shift(t, j_1), result)) ->
  ("JC_55":
  ("JC_54": not_assigns(Object_alloc_table, intM_intP, intM_intP1,
  pset_union(pset_range(pset_singleton(t), j_1, j_1),
  pset_range(pset_singleton(t), i_2, i_2)))))

goal Sort_swap_safety_po_1:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  (offset_min(Object_alloc_table, t) <= i_2)

goal Sort_swap_safety_po_2:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  (i_2 <= offset_max(Object_alloc_table, t))

goal Sort_swap_safety_po_3:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  ((offset_min(Object_alloc_table, t) <= i_2) and
   (i_2 <= offset_max(Object_alloc_table, t))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  (offset_min(Object_alloc_table, t) <= j_1)

goal Sort_swap_safety_po_4:
  forall this_2:Object pointer.
  forall t:Object pointer.
  forall i_2:int.
  forall j_1:int.
  forall Object_alloc_table:Object alloc_table.
  forall intM_intP:(Object,
  int) memory.
  (left_valid_struct_intM(t, 0, Object_alloc_table) and
   (valid_struct_Sort(this_2, 0, 0, Object_alloc_table) and
    ("JC_51":
    (("JC_46": Non_null_intM(t, Object_alloc_table)) and
     (("JC_47": (0 <= i_2)) and
      (("JC_48": (i_2 < (offset_max(Object_alloc_table, t) + 1))) and
       (("JC_49": (0 <= j_1)) and
        ("JC_50": (j_1 < (offset_max(Object_alloc_table, t) + 1)))))))))) ->
  ((offset_min(Object_alloc_table, t) <= i_2) and
   (i_2 <= offset_max(Object_alloc_table, t))) ->
  forall result:int.
  (result = select(intM_intP, shift(t, i_2))) ->
  (j_1 <= offset_max(Object_alloc_table, t))

why-2.34/tests/java/oracle/Sort2.err.oracle0000644000175000017500000000000012311670312017122 0ustar  rtuserswhy-2.34/tests/java/oracle/MacCarthy.err.oracle0000644000175000017500000000000012311670312017764 0ustar  rtuserswhy-2.34/tests/java/oracle/Duplets.res.oracle0000644000175000017500000004471712311670312017561 0ustar  rtusers========== file tests/java/Duplets.java ==========
/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 3: Two equal elements

Given: An integer array a of length n+2 with n>=2. It is known that at
least two values stored in the array appear twice (i.e., there are at
least two duplets).

Implement and verify a program finding such two values.

You may assume that the array contains values between 0 and n-1.
*/


class Integer {
    int value;
    /*@ ensures this.value == a;
      @*/
    Integer(int a) {
        value = a;
    }
}

class Pair {
    int x,y;
    /*@ ensures this.x == a && this.y == b;
      @*/
    Pair(int a,int b) {
        x = a; y = b;
    }
}

class Quadruple {
    int x,y,z,t;
    /*@ ensures this.x == a && this.y == b &&
      @         this.z == c && this.t == d;
      @*/
    Pair(int a,int b,int c,int d) {
        x = a; y = b; z = c; t = d;
    }
}

/* equality between an integer and a possibly null Integer object */
/*@ predicate eq_opt{L}(integer x, Integer o) =
  @   o != null && x == o.value;
  @*/

/* A duplet in array a is a pair of indexes (i,j) in the bounds of array
   a such that a[i] = a[j] */
/*@ predicate is_duplet{L}(int a[], integer i, integer j) =
  @    0 <= i < j < a.length && a[i] == a[j];
  @*/

class Duplets {

    /* duplet(a) returns the indexes (i,j) of a duplet in a.
     * moreover, if except is not null, the value of this duplet must
     * be different from it.
     */
    /*@ requires 2 <= a.length &&
      @   \exists integer i j;
      @     is_duplet(a,i,j) && ! eq_opt(a[i],except) ;
      @ ensures
      @   is_duplet(a,\result.x,\result.y) &&
      @   ! eq_opt(a[\result.x],except); 
      @*/
    Pair duplet(int a[], Integer except) {
        /*@ loop_invariant
          @  \forall integer k l; 0 <= k < i && k < l < a.length ==>
          @    ! eq_opt(a[k],except) ==> ! is_duplet(a,k,l);
          @ loop_variant a.length - i;
          @*/
        for(int i=0; i <= a.length - 2; i++) {
            int v = a[i];
            if (except != null && except.value != v) {
                /*@ loop_invariant
                  @   \forall integer l; i < l < j ==> ! is_duplet(a,i,l);
                  @ loop_variant a.length - j;
                  @*/
                for (int j=i+1; j < a.length; j++) {
                    if (a[j] == v) {
                        return new Pair(i, j);
                    }
                }
            }
        }
        // assert \forall integer i j; ! is_duplet(a,i,j);
        //@ assert false;
        return null;
    }


    /* requires 4 <= a.length && \exists integer i j k l;
      @   is_duplet(a,i,j) && is_duplet(a,k,l) && a[i] != a[k];
      @ ensures is_duplet(a,\result.x,\result.y) &&
      @   is_duplet(a,\result.z,\result.t) &&
      @   a[\result.x] != a[\result.z];
      @*/
    Quadruple duplets(int a[]) {
        Pair p = duplet(a,null);
        Pair q = duplet(a,new Integer(a[p.x]));
        return new Quadruple(p.x,p.y,q.x,q.y);
    }
   

}

/*
Local Variables:
compile-command: "make Duplets.why3ide"
End:
*/

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Pair_int_int for constructor Pair
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function Object_clone for method Object.clone
Generating JC function cons_Quadruple_int_int_int_int for constructor Quadruple
Generating JC function cons_Integer_int for constructor Integer
Generating JC function Duplets_duplet for method Duplets.duplet
Generating JC function Duplets_duplets for method Duplets.duplets
Generating JC function cons_Duplets for constructor Duplets
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_equals for method Object.equals
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait for method Object.wait
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function Object_wait_long for method Object.wait
Generating JC function cons_Object for constructor Object
Done.
========== file tests/java/Duplets.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Quadruple = Object with {
  int32 x; 
  int32 y; 
  int32 z; 
  int32 t;
}

tag Integer = Object with {
  int32 value;
}

tag Pair = Object with {
  int32 x; 
  int32 y;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Duplets = Object with {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  int32 intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

predicate eq_opt{L}(integer x, Integer[0..] o) =
(Non_null_Object(o) && (x == o.value))

predicate is_duplet{L}(intM[0..] a_2, integer i, integer j) =
((((0 <= i) && (i < j)) && (j < (\offset_max(a_2) + 1))) &&
  ((a_2 + i).intP == (a_2 + j).intP))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Pair_int_int(! Pair[0] this_2, int32 a_0, int32 b)
behavior default:
  ensures (K_3 : ((K_2 : (this_2.x == a_0)) && (K_1 : (this_2.y == b))));
{  (this_2.x = 0);
   (this_2.y = 0);
   (K_4 : (this_2.x = a_0));
   (K_5 : (this_2.y = b))
}

unit Object_registerNatives()
;

Object[0..] Object_clone(Object[0] this_10)
;

unit cons_Quadruple_int_int_int_int(! Quadruple[0] this_4, int32 a_1,
                                    int32 b_0, int32 c, int32 d)
behavior default:
  ensures (K_12 : ((K_11 : ((K_10 : ((K_9 : (this_4.x == a_1)) &&
                                      (K_8 : (this_4.y == b_0)))) &&
                             (K_7 : (this_4.z == c)))) &&
                    (K_6 : (this_4.t == d))));
{  (this_4.x = 0);
   (this_4.y = 0);
   (this_4.z = 0);
   (this_4.t = 0);
   (K_13 : (this_4.x = a_1));
   (K_14 : (this_4.y = b_0));
   (K_15 : (this_4.z = c));
   (K_16 : (this_4.t = d))
}

unit cons_Integer_int(! Integer[0] this_0, int32 a)
behavior default:
  ensures (K_17 : (this_0.value == a));
{  (this_0.value = 0);
   (K_18 : (this_0.value = a))
}

Pair[0..] Duplets_duplet(Duplets[0] this_8, intM[0..] a_3,
                         Integer[0..] except)
  requires (K_24 : ((K_23 : (2 <= (\offset_max(a_3) + 1))) &&
                     (K_22 : (\exists integer i_0;
                               (\exists integer j_0;
                                 (is_duplet{Here}(a_3, i_0, j_0) &&
                                   (! eq_opt{Here}((a_3 + i_0).intP, except))))))));
behavior default:
  ensures (K_21 : ((K_20 : is_duplet{Here}(a_3, \result.x, \result.y)) &&
                    (K_19 : (! eq_opt{Here}((a_3 + \result.x).intP, except)))));
{  
   {  
      {  
         (var int32 i_1 = (K_25 : 0));
         
         loop 
         behavior default:
           invariant (K_26 : (\forall integer k;
                               (\forall integer l;
                                 ((((0 <= k) && (k < i_1)) &&
                                    ((k < l) && (l < (\offset_max(a_3) + 1)))) ==>
                                   ((! eq_opt{Here}((a_3 + k).intP, except)) ==>
                                     (! is_duplet{Here}(a_3, k, l)))))));
         
         variant (K_27 : ((\offset_max(a_3) + 1) - i_1));
         for ( ; (K_43 : (i_1 <=
                           (K_42 : (((K_41 : java_array_length_intM(a_3)) -
                                      2) :> int32)))) ; (K_40 : (i_1 ++)))
         {  
            {  
               (var int32 v = (K_39 : (a_3 + i_1).intP));
               (if (K_38 : (non_null_Object(except) &&
                             (K_37 : ((K_36 : except.value) != v)))) then 
               {  
                  {  
                     (var int32 j_1 = (K_28 : ((i_1 + 1) :> int32)));
                     
                     loop 
                     behavior default:
                       invariant (K_29 : (\forall integer l_0;
                                           (((i_1 < l_0) && (l_0 < j_1)) ==>
                                             (! is_duplet{Here}(a_3, i_1, l_0)))));
                     
                     variant (K_30 : ((\offset_max(a_3) + 1) - j_1));
                     for ( ; (K_35 : (j_1 <
                                       (K_34 : java_array_length_intM(a_3)))) ; 
                     (K_33 : (j_1 ++)))
                     {  (if (K_32 : ((K_31 : (a_3 + j_1).intP) == v)) then 
                        (return 
                        {  
                           (var Pair[0] this = (new Pair[1]));
                           
                           {  
                              (var unit _tt = cons_Pair_int_int(this, i_1,
                                                                j_1));
                              this
                           }
                        }) else ())
                     }
                  }
               } else ())
            }
         }
      }
   };
   (K_45 : 
   (assert (K_44 : false)));
   
   (return null)
}

Quadruple[0..] Duplets_duplets(Duplets[0] this_6, intM[0..] a_4)
{  
   {  
      (var Pair[0..] p = (K_53 : Duplets_duplet(this_6, a_4, null)));
      
      {  
         (var Pair[0..] q = (K_52 : Duplets_duplet(this_6, a_4,
                                                   
                                                   {  
                                                      (var Integer[0] this = (new Integer[1]));
                                                      
                                                      {  
                                                         (var unit _tt = cons_Integer_int(
                                                         this,
                                                         (K_51 : (a_4 +
                                                                   (K_50 : p.x)).intP)));
                                                         this
                                                      }
                                                   })));
         
         (return 
         {  
            (var Quadruple[0] this = (new Quadruple[1]));
            
            {  
               (var unit _tt = cons_Quadruple_int_int_int_int(this,
                                                              (K_46 : p.x),
                                                              (K_47 : p.y),
                                                              (K_48 : q.x),
                                                              (K_49 : q.y)));
               this
            }
         })
      }
   }
}

unit cons_Duplets(! Duplets[0] this_9){()}

unit Object_finalize(Object[0] this_11)
;

unit Object_notifyAll(Object[0] this_12)
;

boolean Object_equals(Object[0] this_13, Object[0..] obj)
;

String[0..] Object_toString(Object[0] this_14)
;

unit Object_wait(Object[0] this_15)
;

int32 Object_hashCode(Object[0] this_16)
;

unit Object_notify(Object[0] this_17)
;

unit Object_wait_long_int(Object[0] this_18, long timeout_0, int32 nanos)
;

unit Object_wait_long(Object[0] this_19, long timeout)
;

unit cons_Object(! Object[0] this_20){()}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Duplets.jloc tests/java/Duplets.jc && make -f tests/java/Duplets.makefile gui"
End:
*/
========== file tests/java/Duplets.jloc ==========
[cons_Pair_int_int]
name = "Constructor of class Pair"
file = "HOME/tests/java/Duplets.java"
line = 29
begin = 4
end = 8

[K_30]
file = "HOME/tests/java/Duplets.java"
line = 79
begin = 33
end = 45

[K_23]
file = "HOME/tests/java/Duplets.java"
line = 61
begin = 17
end = 30

[K_33]
file = "HOME/tests/java/Duplets.java"
line = 81
begin = 46
end = 49

[K_49]
file = "HOME/tests/java/Duplets.java"
line = 103
begin = 41
end = 44

[K_17]
file = "HOME/tests/java/Duplets.java"
line = 18
begin = 16
end = 31

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[cons_Duplets]
name = "Constructor of class Duplets"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_11]
file = "HOME/tests/java/Duplets.java"
line = 36
begin = 16
end = 73

[K_38]
file = "HOME/tests/java/Duplets.java"
line = 76
begin = 16
end = 51

[K_25]
file = "HOME/tests/java/Duplets.java"
line = 74
begin = 18
end = 19

[K_13]
file = "HOME/tests/java/Duplets.java"
line = 40
begin = 8
end = 13

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Duplets.java"
line = 36
begin = 16
end = 27

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[K_44]
file = "HOME/tests/java/Duplets.java"
line = 89
begin = 19
end = 24

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[K_28]
file = "HOME/tests/java/Duplets.java"
line = 81
begin = 27
end = 30

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_52]
file = "HOME/tests/java/Duplets.java"
line = 102
begin = 17
end = 46

[K_1]
file = "HOME/tests/java/Duplets.java"
line = 27
begin = 31
end = 42

[K_15]
file = "HOME/tests/java/Duplets.java"
line = 40
begin = 22
end = 27

[K_4]
file = "HOME/tests/java/Duplets.java"
line = 30
begin = 8
end = 13

[K_12]
file = "HOME/tests/java/Duplets.java"
line = 36
begin = 16
end = 88

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[K_34]
file = "HOME/tests/java/Duplets.java"
line = 81
begin = 36
end = 44

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/Duplets.java"
line = 65
begin = 10
end = 42

[K_53]
file = "HOME/tests/java/Duplets.java"
line = 101
begin = 17
end = 31

[K_2]
file = "HOME/tests/java/Duplets.java"
line = 27
begin = 16
end = 27

[Duplets_duplets]
name = "Method duplets"
file = "HOME/tests/java/Duplets.java"
line = 100
begin = 14
end = 21

[K_41]
file = "HOME/tests/java/Duplets.java"
line = 74
begin = 26
end = 34

[K_50]
file = "HOME/tests/java/Duplets.java"
line = 102
begin = 40
end = 43

[K_47]
file = "HOME/tests/java/Duplets.java"
line = 103
begin = 33
end = 36

[K_29]
file = "HOME/tests/java/Duplets.java"
line = 78
begin = 22
end = 73

[K_10]
file = "HOME/tests/java/Duplets.java"
line = 36
begin = 16
end = 42

[K_35]
file = "HOME/tests/java/Duplets.java"
line = 81
begin = 32
end = 44

[K_6]
file = "HOME/tests/java/Duplets.java"
line = 37
begin = 31
end = 42

[K_8]
file = "HOME/tests/java/Duplets.java"
line = 36
begin = 31
end = 42

[K_48]
file = "HOME/tests/java/Duplets.java"
line = 103
begin = 37
end = 40

[cons_Quadruple_int_int_int_int]
name = "Constructor of class Quadruple"
file = "HOME/tests/java/Duplets.java"
line = 39
begin = 4
end = 8

[K_3]
file = "HOME/tests/java/Duplets.java"
line = 27
begin = 16
end = 42

[K_31]
file = "HOME/tests/java/Duplets.java"
line = 82
begin = 24
end = 28

[cons_Integer_int]
name = "Constructor of class Integer"
file = "HOME/tests/java/Duplets.java"
line = 20
begin = 4
end = 11

[K_32]
file = "HOME/tests/java/Duplets.java"
line = 82
begin = 24
end = 33

[K_27]
file = "HOME/tests/java/Duplets.java"
line = 72
begin = 25
end = 37

[K_46]
file = "HOME/tests/java/Duplets.java"
line = 103
begin = 29
end = 32

[K_21]
file = "HOME/tests/java/Duplets.java"
line = 65
begin = 10
end = 85

[K_42]
file = "HOME/tests/java/Duplets.java"
line = 74
begin = 26
end = 38

[K_24]
file = "HOME/tests/java/Duplets.java"
line = 61
begin = 17
end = 118

[Duplets_duplet]
name = "Method duplet"
file = "HOME/tests/java/Duplets.java"
line = 68
begin = 9
end = 15

[K_14]
file = "HOME/tests/java/Duplets.java"
line = 40
begin = 15
end = 20

[K_39]
file = "HOME/tests/java/Duplets.java"
line = 75
begin = 20
end = 24

[K_36]
file = "HOME/tests/java/Duplets.java"
line = 76
begin = 34
end = 46

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_37]
file = "HOME/tests/java/Duplets.java"
line = 76
begin = 34
end = 51

[K_19]
file = "HOME/tests/java/Duplets.java"
line = 66
begin = 10
end = 39

[K_5]
file = "HOME/tests/java/Duplets.java"
line = 30
begin = 15
end = 20

[K_51]
file = "HOME/tests/java/Duplets.java"
line = 102
begin = 38
end = 44

[K_18]
file = "HOME/tests/java/Duplets.java"
line = 21
begin = 8
end = 17

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/Duplets.java"
line = 37
begin = 16
end = 27

[K_40]
file = "HOME/tests/java/Duplets.java"
line = 74
begin = 40
end = 43

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[K_26]
file = "HOME/tests/java/Duplets.java"
line = 70
begin = 13
end = 128

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/Duplets.java"
line = 62
begin = 10
end = 84

[K_45]
file = "HOME/tests/java/Duplets.java"
line = 89
begin = 19
end = 24

[K_16]
file = "HOME/tests/java/Duplets.java"
line = 40
begin = 29
end = 34

[K_43]
file = "HOME/tests/java/Duplets.java"
line = 74
begin = 21
end = 38

========== jessie execution ==========
Generating Why function cons_Pair_int_int
Generating Why function cons_Quadruple_int_int_int_int
Generating Why function cons_Integer_int
Generating Why function Duplets_duplet
(nulltype)
why-2.34/tests/java/oracle/Power.res.oracle0000644000175000017500000053241612311670312017233 0ustar  rtusers========== file tests/java/Power.java ==========


// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no


/*@ axiomatic Power {
  @   logic integer power(integer x, integer n);
  @   axiom power_0: \forall integer x; power(x,0) == 1;
  @   axiom power_s: \forall integer x n; power(x,n+1) == x*power(x,n);
  @ }
  @*/

/*@ lemma power_mul:
  @   \forall integer x y n; n >= 0 ==> power(x*y,n) == power(x,n)*power(y,n);
  @*/

/*@ lemma power_even:
  @   \forall integer x n; n >= 0 && n % 2 == 0 ==> power(x,n) == power(x*x,n/2);
  @*/

/*@ lemma power_odd:
  @   \forall integer x n; n >= 0 && n % 2 != 0 ==> power(x,n) == x*power(x*x,n/2);
  @*/


class Power {

    // recursive implementation

    /*@ requires 0 <= n;
      @ decreases n;
      @ ensures \result == power(x,n);
      @*/
    static long rec(long x, int n) {
        if ( n == 0) return 1;
        long r = rec(x, n/2);
        if ( n % 2 == 0 ) return r*r;
        return r*r*x;
    }


    // non-recursive implementation

    /*@ requires 0 <= n;
      @ ensures \result == power(x,n);
      @*/
    static long imp(long x, int n) {
        long r = 1, p = x;
        int e = n;

        /*@ loop_invariant
          @   0 <= e && r * power(p,e) == power(x,n);
          @ loop_variant e;
          @*/
        while (e > 0) {
            if (e % 2 != 0) r *= p;
            p *= p;
            e /= 2;
        }
        return r;
    }

}

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function Power_imp for method Power.imp
Generating JC function Object_clone for method Object.clone
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_equals for method Object.equals
Generating JC function Object_wait for method Object.wait
Generating JC function Object_notify for method Object.notify
Generating JC function Object_wait_long for method Object.wait
Generating JC function cons_Power for constructor Power
Generating JC function Power_rec for method Power.rec
Generating JC function Object_toString for method Object.toString
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function cons_Object for constructor Object
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_registerNatives for method Object.registerNatives
Done.
========== file tests/java/Power.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Power = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

axiomatic Power {

  logic integer power(integer x, integer n)
   
  axiom power_s :
  (\forall integer x_1;
    (\forall integer n_0;
      (power(x_1, (n_0 + 1)) == (x_1 * power(x_1, n_0)))))
   
  axiom power_0 :
  (\forall integer x_0;
    (power(x_0, 0) == 1))
  
}

lemma power_mul :
(\forall integer x_2;
  (\forall integer y;
    (\forall integer n_1;
      ((n_1 >= 0) ==>
        (power((x_2 * y), n_1) == (power(x_2, n_1) * power(y, n_1)))))))

lemma power_even :
(\forall integer x_3;
  (\forall integer n_2;
    (((n_2 >= 0) && ((n_2 % 2) == 0)) ==>
      (power(x_3, n_2) == power((x_3 * x_3), (n_2 / 2))))))

lemma power_odd :
(\forall integer x_4;
  (\forall integer n_3;
    (((n_3 >= 0) && ((n_3 % 2) != 0)) ==>
      (power(x_4, n_3) == (x_4 * power((x_4 * x_4), (n_3 / 2)))))))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

integer Power_imp(integer x_6, integer n_5)
  requires (K_2 : (0 <= n_5));
behavior default:
  ensures (K_1 : (\result == power(x_6, n_5)));
{  
   {  
      (var integer r = (K_15 : 1));
      
      {  
         (var integer p = (K_14 : x_6));
         
         {  
            (var integer e = (K_13 : n_5));
            
            {  
               loop 
               behavior default:
                 invariant (K_5 : ((K_4 : (0 <= e)) &&
                                    (K_3 : ((r * power(p, e)) ==
                                             power(x_6, n_5)))));
               variant (K_6 : e);
               while ((K_12 : (e > 0)))
               {  
                  {  (if (K_9 : ((K_8 : (e % 2)) != 0)) then (K_7 : r *= p) else ());
                     (K_10 : p *= p);
                     (K_11 : e /= 2)
                  }
               };
               
               (return r)
            }
         }
      }
   }
}

Object[0..] Object_clone(Object[0] this_2)
;

unit Object_notifyAll(Object[0] this_3)
;

integer Object_hashCode(Object[0] this_4)
;

boolean Object_equals(Object[0] this_5, Object[0..] obj)
;

unit Object_wait(Object[0] this_6)
;

unit Object_notify(Object[0] this_7)
;

unit Object_wait_long(Object[0] this_8, integer timeout)
;

unit cons_Power(! Power[0] this_1){()}

integer Power_rec(integer x_5, integer n_4)
  requires (K_17 : (0 <= n_4));
  decreases (K_18 : n_4);
behavior default:
  ensures (K_16 : (\result == power(x_5, n_4)));
{  (if (K_19 : (n_4 == 0)) then 
   (return 1) else ());
   
   {  
      (var integer r_0 = (K_26 : Power_rec(x_5, (K_25 : (n_4 / 2)))));
      
      {  (if (K_22 : ((K_21 : (n_4 % 2)) == 0)) then 
         (return (K_20 : (r_0 * r_0))) else ());
         
         (return (K_24 : ((K_23 : (r_0 * r_0)) * x_5)))
      }
   }
}

String[0..] Object_toString(Object[0] this_9)
;

unit Object_wait_long_int(Object[0] this_10, integer timeout_0, integer nanos)
;

unit cons_Object(! Object[0] this_12){()}

unit Object_finalize(Object[0] this_11)
;

unit Object_registerNatives()
;

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/Power.jloc tests/java/Power.jc && make -f tests/java/Power.makefile gui"
End:
*/
========== file tests/java/Power.jloc ==========
[K_23]
file = "HOME/tests/java/Power.java"
line = 39
begin = 15
end = 18

[K_17]
file = "HOME/tests/java/Power.java"
line = 31
begin = 17
end = 23

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/Power.java"
line = 59
begin = 12
end = 18

[K_25]
file = "HOME/tests/java/Power.java"
line = 37
begin = 24
end = 27

[K_13]
file = "HOME/tests/java/Power.java"
line = 50
begin = 16
end = 17

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/Power.java"
line = 57
begin = 16
end = 26

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/Power.java"
line = 46
begin = 16
end = 37

[K_15]
file = "HOME/tests/java/Power.java"
line = 49
begin = 17
end = 18

[K_4]
file = "HOME/tests/java/Power.java"
line = 53
begin = 14
end = 20

[K_12]
file = "HOME/tests/java/Power.java"
line = 56
begin = 15
end = 20

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[K_20]
file = "HOME/tests/java/Power.java"
line = 38
begin = 33
end = 36

[power_s]
name = "Lemma power_s"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_2]
file = "HOME/tests/java/Power.java"
line = 45
begin = 17
end = 23

[power_even]
name = "Lemma power_even"
file = "HOME/tests/java/Power.java"
line = 18
begin = 10
end = 20

[K_10]
file = "HOME/tests/java/Power.java"
line = 58
begin = 12
end = 18

[K_6]
file = "HOME/tests/java/Power.java"
line = 54
begin = 25
end = 26

[power_0]
name = "Lemma power_0"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_8]
file = "HOME/tests/java/Power.java"
line = 57
begin = 16
end = 21

[K_3]
file = "HOME/tests/java/Power.java"
line = 53
begin = 24
end = 52

[cons_Power]
name = "Constructor of class Power"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_21]
file = "HOME/tests/java/Power.java"
line = 38
begin = 13
end = 18

[K_24]
file = "HOME/tests/java/Power.java"
line = 39
begin = 15
end = 20

[K_14]
file = "HOME/tests/java/Power.java"
line = 49
begin = 24
end = 25

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[K_19]
file = "HOME/tests/java/Power.java"
line = 36
begin = 13
end = 19

[power_odd]
name = "Lemma power_odd"
file = "HOME/tests/java/Power.java"
line = 22
begin = 10
end = 19

[K_5]
file = "HOME/tests/java/Power.java"
line = 53
begin = 14
end = 52

[Power_rec]
name = "Method rec"
file = "HOME/tests/java/Power.java"
line = 35
begin = 16
end = 19

[Power_imp]
name = "Method imp"
file = "HOME/tests/java/Power.java"
line = 48
begin = 16
end = 19

[power_mul]
name = "Lemma power_mul"
file = "HOME/tests/java/Power.java"
line = 14
begin = 10
end = 19

[K_18]
file = "HOME/tests/java/Power.java"
line = 32
begin = 18
end = 19

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/Power.java"
line = 57
begin = 28
end = 34

[K_26]
file = "HOME/tests/java/Power.java"
line = 37
begin = 17
end = 28

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[K_22]
file = "HOME/tests/java/Power.java"
line = 38
begin = 13
end = 23

[K_16]
file = "HOME/tests/java/Power.java"
line = 33
begin = 16
end = 37

========== jessie execution ==========
Generating Why function Power_imp
Generating Why function cons_Power
Generating Why function Power_rec
Generating Why function cons_Object
========== file tests/java/Power.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Power.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Power.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Power_why.sx

project: why/Power.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Power_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Power_why.vo

coq/Power_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Power_why.v: why/Power.why
	@echo 'why -coq [...] why/Power.why' && $(WHY) $(JESSIELIBFILES) why/Power.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Power_ctx_why.vo
	for f in why/*_po*.why; do make -f Power.makefile coq/`basename $$f .why`_why.v ; done

coq/Power_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Power_ctx_why.v: why/Power_ctx.why
	@echo 'why -coq [...] why/Power_ctx.why' && $(WHY) why/Power_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Power_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Power_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Power_ctx_why.vo

pvs: pvs/Power_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Power_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Power_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Power_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Power_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Power_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Power_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Power_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Power_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Power_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Power_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Power_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Power_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Power_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Power_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Power.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Power_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Power.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Power.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Power.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Power.depend

depend: coq/Power_why.v
	-$(COQDEP) -I coq coq/Power*_why.v > Power.depend

clean:
	rm -f coq/*.vo

========== file tests/java/Power.loc ==========
[JC_94]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_151]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_123]
kind = UserCall
file = "HOME/tests/java/Power.java"
line = 37
begin = 17
end = 28

[JC_106]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/tests/java/Power.java"
line = 33
begin = 16
end = 37

[JC_116]
kind = DivByZero
file = "HOME/tests/java/Power.java"
line = 37
begin = 24
end = 27

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Power_safety]
name = "Constructor of class Power"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/tests/java/Power.jc"
line = 93
begin = 15
end = 530

[JC_17]
file = "HOME/tests/java/Power.jc"
line = 37
begin = 11
end = 65

[JC_122]
kind = DivByZero
file = "HOME/tests/java/Power.java"
line = 37
begin = 24
end = 27

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/Power.java"
line = 46
begin = 16
end = 37

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
kind = DivByZero
file = "HOME/tests/java/Power.java"
line = 38
begin = 13
end = 18

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_67]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/java/Power.jc"
line = 35
begin = 8
end = 23

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/Power.java"
line = 46
begin = 16
end = 37

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_41]
file = "HOME/tests/java/Power.jc"
line = 93
begin = 15
end = 530

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[Power_rec_safety]
name = "Method rec"
behavior = "Safety"
file = "HOME/tests/java/Power.java"
line = 35
begin = 16
end = 19

[JC_52]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[power_s]
name = "Lemma power_s"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/Power.jc"
line = 35
begin = 8
end = 23

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/java/Power.java"
line = 53
begin = 14
end = 20

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/tests/java/Power.java"
line = 33
begin = 16
end = 37

[JC_40]
file = "HOME/tests/java/Power.jc"
line = 93
begin = 15
end = 530

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/java/Power.java"
line = 54
begin = 25
end = 26

[power_even]
name = "Lemma power_even"
behavior = "lemma"
file = "HOME/tests/java/Power.java"
line = 18
begin = 10
end = 20

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/java/Power.java"
line = 53
begin = 14
end = 20

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
kind = DivByZero
file = "HOME/tests/java/Power.java"
line = 38
begin = 13
end = 18

[JC_38]
file = "HOME/tests/java/Power.java"
line = 53
begin = 14
end = 52

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[power_0]
name = "Lemma power_0"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[Power_imp_safety]
name = "Method imp"
behavior = "Safety"
file = "HOME/tests/java/Power.java"
line = 48
begin = 16
end = 19

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[Power_imp_ensures_default]
name = "Method imp"
behavior = "default behavior"
file = "HOME/tests/java/Power.java"
line = 48
begin = 16
end = 19

[JC_42]
kind = DivByZero
file = "HOME/tests/java/Power.java"
line = 57
begin = 16
end = 21

[Power_rec_ensures_default]
name = "Method rec"
behavior = "default behavior"
file = "HOME/tests/java/Power.java"
line = 35
begin = 16
end = 19

[JC_110]
file = "HOME/tests/java/Power.java"
line = 31
begin = 17
end = 23

[JC_103]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/java/Power.jc"
line = 93
begin = 15
end = 530

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
kind = DivByZero
file = "HOME/tests/java/Power.java"
line = 57
begin = 16
end = 21

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/tests/java/Power.java"
line = 32
begin = 18
end = 19

[JC_105]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/java/Power.java"
line = 53
begin = 14
end = 52

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
kind = DivByZero
file = "HOME/tests/java/Power.jc"
line = 103
begin = 29
end = 35

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Power_ensures_default]
name = "Constructor of class Power"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
kind = DivByZero
file = "HOME/tests/java/Power.jc"
line = 103
begin = 29
end = 35

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
kind = UserCall
file = "HOME/tests/java/Power.java"
line = 37
begin = 17
end = 28

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_157]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/Power.java"
line = 45
begin = 17
end = 23

[JC_149]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/Power.jc"
line = 10
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/tests/java/Power.java"
line = 53
begin = 24
end = 52

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[power_odd]
name = "Lemma power_odd"
behavior = "lemma"
file = "HOME/tests/java/Power.java"
line = 22
begin = 10
end = 19

[JC_108]
file = "HOME/tests/java/Power.java"
line = 31
begin = 17
end = 23

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/Power.jc"
line = 37
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/Power.jc"
line = 10
begin = 12
end = 22

[JC_92]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[power_mul]
name = "Lemma power_mul"
behavior = "lemma"
file = "HOME/tests/java/Power.java"
line = 14
begin = 10
end = 19

[JC_86]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_60]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/java/Power.java"
line = 45
begin = 17
end = 23

[JC_119]
file = "HOME/tests/java/Power.java"
line = 32
begin = 18
end = 19

[JC_76]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
kind = VarDecr
file = "HOME/tests/java/Power.java"
line = 37
begin = 17
end = 28

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/tests/java/Power.java"
line = 53
begin = 24
end = 52

========== file tests/java/why/Power.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic Power_tag:  -> Object tag_id

axiom Power_parenttag_Object : parenttag(Power_tag, Object_tag)

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Power(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

logic power: int, int -> int

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Power(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Power(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Power(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom power_s :
 (forall x_1_0:int.
  (forall n_0:int.
   (power(x_1_0, add_int(n_0, (1))) = mul_int(x_1_0, power(x_1_0, n_0)))))

axiom power_0 : (forall x_0_0:int. (power(x_0_0, (0)) = (1)))

lemma power_mul :
 (forall x_2_0:int.
  (forall y:int.
   (forall n_1:int.
    (ge_int(n_1, (0)) ->
     (power(mul_int(x_2_0, y), n_1) = mul_int(power(x_2_0, n_1),
                                      power(y, n_1)))))))

lemma power_even :
 (forall x_3:int.
  (forall n_2:int.
   ((ge_int(n_2, (0)) and (computer_mod(n_2, (2)) = (0))) ->
    (power(x_3, n_2) = power(mul_int(x_3, x_3), computer_div(n_2, (2)))))))

lemma power_odd :
 (forall x_4:int.
  (forall n_3:int.
   ((ge_int(n_3, (0)) and (computer_mod(n_3, (2)) <> (0))) ->
    (power(x_4, n_3) = mul_int(x_4,
                       power(mul_int(x_4, x_4), computer_div(n_3, (2))))))))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_2:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_2:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_5:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_5:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_11:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_4:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_4:Object pointer -> { } int reads Object_alloc_table { true }

parameter Object_notify :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_3:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_7:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_8:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_10:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_10:Object pointer ->
  timeout_0:int -> nanos:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_8:Object pointer ->
  timeout:int -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Power_imp :
 x_6:int -> n_5:int -> { } int { (JC_24: (result = power(x_6, n_5))) }

parameter Power_imp_requires :
 x_6:int ->
  n_5:int ->
   { (JC_19: le_int((0), n_5))} int { (JC_24: (result = power(x_6, n_5))) }

parameter Power_rec :
 x_5:int -> n_4:int -> { } int { (JC_113: (result = power(x_5, n_4))) }

parameter Power_rec_requires :
 x_5:int ->
  n_4:int ->
   { (JC_108: le_int((0), n_4))} int { (JC_113: (result = power(x_5, n_4))) }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Power :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Power(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Power_tag)))) }

parameter alloc_struct_Power_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Power(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Power_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_Object :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_12:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Power :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Power_requires :
 this_1:Object pointer -> { } unit reads Object_alloc_table { true }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

let Power_imp_ensures_default =
 fun (x_6 : int) (n_5 : int) ->
  { (JC_21: le_int((0), n_5)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (K_15: (1)) in
     (let p = ref (K_14: x_6) in
     (let e = ref (K_13: n_5) in
     begin
       try
        (loop_2:
        while true do
        { invariant
            (JC_38:
            ((JC_36: le_int((0), e))
            and (JC_37: (mul_int(r, power(p, e)) = power(x_6, n_5))))) 
           }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_12: ((gt_int_ !e) (0)))
             then
              (let _jessie_ =
              begin
                (if (K_9:
                    ((neq_int_ (K_8: (JC_42: ((computer_mod !e) (2))))) (0)))
                then
                 (let _jessie_ = (K_7: (r := ((mul_int !r) !p))) in void)
                else void);
               (K_10:
               begin
                 (let _jessie_ = (p := ((mul_int !p) !p)) in void);
                (K_11:
                begin   (e := (JC_43: ((computer_div !e) (2)))); !e end) end)
              end in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !r); (raise Return)
     end))); absurd  end with Return -> !return end))
  { (JC_23: (result = power(x_6, n_5))) }

let Power_imp_safety =
 fun (x_6 : int) (n_5 : int) ->
  { (JC_21: le_int((0), n_5)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (K_15: (1)) in
     (let p = ref (K_14: x_6) in
     (let e = ref (K_13: n_5) in
     begin
       try
        (loop_1:
        while true do
        { invariant (JC_31: true) variant (JC_35 : e) }
         begin
           [ { } unit reads e,p,r
             { (JC_29:
               ((JC_27: le_int((0), e))
               and (JC_28: (mul_int(r, power(p, e)) = power(x_6, n_5))))) } ];
          try
           begin
             (if (K_12: ((gt_int_ !e) (0)))
             then
              (let _jessie_ =
              begin
                (if (K_9:
                    ((neq_int_ (K_8: (JC_33: ((computer_mod_ !e) (2))))) (0)))
                then
                 (let _jessie_ = (K_7: (r := ((mul_int !r) !p))) in void)
                else void);
               (K_10:
               begin
                 (let _jessie_ = (p := ((mul_int !p) !p)) in void);
                (K_11:
                begin   (e := (JC_34: ((computer_div_ !e) (2)))); !e end) end)
              end in void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ -> void end end done) with
        Loop_exit_exc _jessie_ -> void end; (return := !r); (raise Return)
     end))); absurd  end with Return -> !return end)) { true }

let Power_rec_ensures_default =
 fun (x_5 : int) (n_4 : int) ->
  { (JC_110: le_int((0), n_4)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (if (K_19: ((eq_int_ n_4) (0)))
     then begin   (return := (1)); (raise Return) end else void);
    (let r_0 =
    (K_26:
    (let _jessie_ = x_5 in
    (let _jessie_ = (K_25: (JC_122: ((computer_div n_4) (2)))) in
    (JC_123: ((Power_rec _jessie_) _jessie_))))) in
    begin
      (if (K_22: ((eq_int_ (K_21: (JC_124: ((computer_mod n_4) (2))))) (0)))
      then
       begin   (return := (K_20: ((mul_int r_0) r_0))); (raise Return) end
      else void);
     (return := (K_24: ((mul_int (K_23: ((mul_int r_0) r_0))) x_5)));
     (raise Return) end); absurd  end with Return -> !return end))
  { (JC_112: (result = power(x_5, n_4))) }

let Power_rec_safety =
 fun (x_5 : int) (n_4 : int) ->
  { (JC_110: le_int((0), n_4)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (if (K_19: ((eq_int_ n_4) (0)))
     then begin   (return := (1)); (raise Return) end else void);
    (let r_0 =
    (K_26:
    (let _jessie_ = x_5 in
    (let _jessie_ = (K_25: (JC_116: ((computer_div_ n_4) (2)))) in
    (JC_120:
    (check { zwf_zero((JC_119 : _jessie_), (JC_118 : n_4)) };
    (JC_117: ((Power_rec_requires _jessie_) _jessie_))))))) in
    begin
      (if (K_22: ((eq_int_ (K_21: (JC_121: ((computer_mod_ n_4) (2))))) (0)))
      then
       begin   (return := (K_20: ((mul_int r_0) r_0))); (raise Return) end
      else void);
     (return := (K_24: ((mul_int (K_23: ((mul_int r_0) r_0))) x_5)));
     (raise Return) end); absurd  end with Return -> !return end)) { true }

let cons_Object_ensures_default =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_145: true) }

let cons_Object_safety =
 fun (this_12 : Object pointer) ->
  { valid_struct_Object(this_12, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Power_ensures_default =
 fun (this_1 : Object pointer) ->
  { valid_struct_Power(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_104: true) }

let cons_Power_safety =
 fun (this_1 : Object pointer) ->
  { valid_struct_Power(this_1, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/Power.why
========== file tests/java/why/Power.wpr ==========

  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
      
      
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  
  
    
  
  
    
  
  
    
  

========== file tests/java/why/Power_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic Power_tag : Object tag_id

axiom Power_parenttag_Object: parenttag(Power_tag, Object_tag)

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Power(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

logic power : int, int -> int

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Power(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Power(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Power(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom power_s:
  (forall x_1_0:int.
    (forall n_0:int. (power(x_1_0, (n_0 + 1)) = (x_1_0 * power(x_1_0, n_0)))))

axiom power_0: (forall x_0_0:int. (power(x_0_0, 0) = 1))

========== file tests/java/why/Power_po1.why ==========
lemma power_mul:
  (forall x_2_0:int.
    (forall y:int.
      (forall n_1:int.
        ((n_1 >= 0) -> (power((x_2_0 * y), n_1) = (power(x_2_0,
         n_1) * power(y, n_1)))))))

========== file tests/java/why/Power_po10.why ==========
goal Power_imp_safety_po_1:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_31": true) ->
  ("JC_29":
  (("JC_27": (0 <= e)) and ("JC_28": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (2 <> 0)

========== file tests/java/why/Power_po11.why ==========
goal Power_imp_safety_po_2:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_31": true) ->
  ("JC_29":
  (("JC_27": (0 <= e)) and ("JC_28": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_mod(e, 2)) ->
  (result <> 0) ->
  forall r0:int.
  (r0 = (r * p)) ->
  forall p0:int.
  (p0 = (p * p)) ->
  (2 <> 0) ->
  forall result0:int.
  (result0 = computer_div(e, 2)) ->
  forall e0:int.
  (e0 = result0) ->
  (0 <= ("JC_35": e))

========== file tests/java/why/Power_po12.why ==========
goal Power_imp_safety_po_3:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_31": true) ->
  ("JC_29":
  (("JC_27": (0 <= e)) and ("JC_28": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_mod(e, 2)) ->
  (result <> 0) ->
  forall r0:int.
  (r0 = (r * p)) ->
  forall p0:int.
  (p0 = (p * p)) ->
  (2 <> 0) ->
  forall result0:int.
  (result0 = computer_div(e, 2)) ->
  forall e0:int.
  (e0 = result0) ->
  (("JC_35": e0) < ("JC_35": e))

========== file tests/java/why/Power_po13.why ==========
goal Power_imp_safety_po_4:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_31": true) ->
  ("JC_29":
  (("JC_27": (0 <= e)) and ("JC_28": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_mod(e, 2)) ->
  (result = 0) ->
  forall p0:int.
  (p0 = (p * p)) ->
  (2 <> 0) ->
  forall result0:int.
  (result0 = computer_div(e, 2)) ->
  forall e0:int.
  (e0 = result0) ->
  (0 <= ("JC_35": e))

========== file tests/java/why/Power_po14.why ==========
goal Power_imp_safety_po_5:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_31": true) ->
  ("JC_29":
  (("JC_27": (0 <= e)) and ("JC_28": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_mod(e, 2)) ->
  (result = 0) ->
  forall p0:int.
  (p0 = (p * p)) ->
  (2 <> 0) ->
  forall result0:int.
  (result0 = computer_div(e, 2)) ->
  forall e0:int.
  (e0 = result0) ->
  (("JC_35": e0) < ("JC_35": e))

========== file tests/java/why/Power_po15.why ==========
goal Power_rec_ensures_default_po_1:
  forall x_5:int.
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 = 0) ->
  forall return:int.
  (return = 1) ->
  ("JC_112": (return = power(x_5, n_4)))

========== file tests/java/why/Power_po16.why ==========
goal Power_rec_ensures_default_po_2:
  forall x_5:int.
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 <> 0) ->
  forall result:int.
  ("JC_113": (result = power(x_5, computer_div(n_4, 2)))) ->
  (computer_mod(n_4, 2) = 0) ->
  forall return:int.
  (return = (result * result)) ->
  ("JC_112": (return = power(x_5, n_4)))

========== file tests/java/why/Power_po17.why ==========
goal Power_rec_ensures_default_po_3:
  forall x_5:int.
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 <> 0) ->
  forall result:int.
  ("JC_113": (result = power(x_5, computer_div(n_4, 2)))) ->
  (computer_mod(n_4, 2) <> 0) ->
  forall return:int.
  (return = ((result * result) * x_5)) ->
  ("JC_112": (return = power(x_5, n_4)))

========== file tests/java/why/Power_po18.why ==========
goal Power_rec_safety_po_1:
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 <> 0) ->
  (2 <> 0)

========== file tests/java/why/Power_po19.why ==========
goal Power_rec_safety_po_2:
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 <> 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_div(n_4, 2)) ->
  (0 <= ("JC_118": n_4))

========== file tests/java/why/Power_po2.why ==========
lemma power_even:
  (forall x_3:int.
    (forall n_2:int.
      (((n_2 >= 0) and (computer_mod(n_2, 2) = 0)) -> (power(x_3,
       n_2) = power((x_3 * x_3), computer_div(n_2, 2))))))

========== file tests/java/why/Power_po20.why ==========
goal Power_rec_safety_po_3:
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 <> 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_div(n_4, 2)) ->
  (("JC_119": result) < ("JC_118": n_4))

========== file tests/java/why/Power_po21.why ==========
goal Power_rec_safety_po_4:
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 <> 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_div(n_4, 2)) ->
  ("JC_108": (0 <= result))

========== file tests/java/why/Power_po3.why ==========
lemma power_odd:
  (forall x_4:int.
    (forall n_3:int.
      (((n_3 >= 0) and (computer_mod(n_3, 2) <> 0)) -> (power(x_4,
       n_3) = (x_4 * power((x_4 * x_4), computer_div(n_3, 2)))))))

========== file tests/java/why/Power_po4.why ==========
goal Power_imp_ensures_default_po_1:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  ("JC_38": ("JC_37": ((1 * power(x_6, n_5)) = power(x_6, n_5))))

========== file tests/java/why/Power_po5.why ==========
goal Power_imp_ensures_default_po_2:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_38":
  (("JC_36": (0 <= e)) and ("JC_37": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (computer_mod(e, 2) <> 0) ->
  forall r0:int.
  (r0 = (r * p)) ->
  forall p0:int.
  (p0 = (p * p)) ->
  forall e0:int.
  (e0 = computer_div(e, 2)) ->
  ("JC_38": ("JC_36": (0 <= e0)))

========== file tests/java/why/Power_po6.why ==========
goal Power_imp_ensures_default_po_3:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_38":
  (("JC_36": (0 <= e)) and ("JC_37": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (computer_mod(e, 2) <> 0) ->
  forall r0:int.
  (r0 = (r * p)) ->
  forall p0:int.
  (p0 = (p * p)) ->
  forall e0:int.
  (e0 = computer_div(e, 2)) ->
  ("JC_38": ("JC_37": ((r0 * power(p0, e0)) = power(x_6, n_5))))

========== file tests/java/why/Power_po7.why ==========
goal Power_imp_ensures_default_po_4:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_38":
  (("JC_36": (0 <= e)) and ("JC_37": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (computer_mod(e, 2) = 0) ->
  forall p0:int.
  (p0 = (p * p)) ->
  forall e0:int.
  (e0 = computer_div(e, 2)) ->
  ("JC_38": ("JC_36": (0 <= e0)))

========== file tests/java/why/Power_po8.why ==========
goal Power_imp_ensures_default_po_5:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_38":
  (("JC_36": (0 <= e)) and ("JC_37": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (computer_mod(e, 2) = 0) ->
  forall p0:int.
  (p0 = (p * p)) ->
  forall e0:int.
  (e0 = computer_div(e, 2)) ->
  ("JC_38": ("JC_37": ((r * power(p0, e0)) = power(x_6, n_5))))

========== file tests/java/why/Power_po9.why ==========
goal Power_imp_ensures_default_po_6:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_38":
  (("JC_36": (0 <= e)) and ("JC_37": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e <= 0) ->
  forall return:int.
  (return = r) ->
  ("JC_23": (return = power(x_6, n_5)))

========== generation of Simplify VC output ==========
why -simplify [...] why/Power.why
========== file tests/java/simplify/Power_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom Power_parenttag_Object
 (EQ (parenttag Power_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Power p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Power p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Power p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Power p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom power_s
 (FORALL (x_1_0 n_0)
 (EQ (power x_1_0 (+ n_0 1)) (* x_1_0 (power x_1_0 n_0)))))

(BG_PUSH
 ;; Why axiom power_0
 (FORALL (x_0_0) (EQ (power x_0_0 0) 1)))

;; power_mul, File "HOME/tests/java/Power.java", line 14, characters 10-19
(FORALL (x_2_0 y n_1)
(IMPLIES (>= n_1 0)
(EQ (power (* x_2_0 y) n_1) (* (power x_2_0 n_1) (power y n_1)))))

(BG_PUSH
 ;; lemma power_mul as axiom
(FORALL (x_2_0 y n_1)
(IMPLIES (>= n_1 0)
(EQ (power (* x_2_0 y) n_1) (* (power x_2_0 n_1) (power y n_1))))))

;; power_even, File "HOME/tests/java/Power.java", line 18, characters 10-20
(FORALL (x_3 n_2)
(IMPLIES (AND (>= n_2 0) (EQ (computer_mod n_2 2) 0))
(EQ (power x_3 n_2) (power (* x_3 x_3) (computer_div n_2 2)))))

(BG_PUSH
 ;; lemma power_even as axiom
(FORALL (x_3 n_2)
(IMPLIES (AND (>= n_2 0) (EQ (computer_mod n_2 2) 0))
(EQ (power x_3 n_2) (power (* x_3 x_3) (computer_div n_2 2))))))

;; power_odd, File "HOME/tests/java/Power.java", line 22, characters 10-19
(FORALL (x_4 n_3)
(IMPLIES (AND (>= n_3 0) (NEQ (computer_mod n_3 2) 0))
(EQ (power x_4 n_3) (* x_4 (power (* x_4 x_4) (computer_div n_3 2))))))

(BG_PUSH
 ;; lemma power_odd as axiom
(FORALL (x_4 n_3)
(IMPLIES (AND (>= n_3 0) (NEQ (computer_mod n_3 2) 0))
(EQ (power x_4 n_3) (* x_4 (power (* x_4 x_4) (computer_div n_3 2)))))))

;; Power_imp_ensures_default_po_1, File "HOME/tests/java/Power.java", line 53, characters 24-52
(FORALL (x_6)
(FORALL (n_5)
(IMPLIES (<= 0 n_5) (EQ (* 1 (power x_6 n_5)) (power x_6 n_5)))))

;; Power_imp_ensures_default_po_2, File "HOME/tests/java/Power.java", line 53, characters 14-20
(FORALL (x_6)
(FORALL (n_5)
(IMPLIES (<= 0 n_5)
(FORALL (e)
(FORALL (p)
(FORALL (r)
(IMPLIES (AND (<= 0 e) (EQ (* r (power p e)) (power x_6 n_5)))
(IMPLIES (> e 0)
(IMPLIES (NEQ (computer_mod e 2) 0)
(FORALL (r0)
(IMPLIES (EQ r0 (* r p))
(FORALL (p0)
(IMPLIES (EQ p0 (* p p))
(FORALL (e0) (IMPLIES (EQ e0 (computer_div e 2)) (<= 0 e0))))))))))))))))

;; Power_imp_ensures_default_po_3, File "HOME/tests/java/Power.java", line 53, characters 24-52
(FORALL (x_6)
(FORALL (n_5)
(IMPLIES (<= 0 n_5)
(FORALL (e)
(FORALL (p)
(FORALL (r)
(IMPLIES (AND (<= 0 e) (EQ (* r (power p e)) (power x_6 n_5)))
(IMPLIES (> e 0)
(IMPLIES (NEQ (computer_mod e 2) 0)
(FORALL (r0)
(IMPLIES (EQ r0 (* r p))
(FORALL (p0)
(IMPLIES (EQ p0 (* p p))
(FORALL (e0)
(IMPLIES (EQ e0 (computer_div e 2))
(EQ (* r0 (power p0 e0)) (power x_6 n_5)))))))))))))))))

;; Power_imp_ensures_default_po_4, File "HOME/tests/java/Power.java", line 53, characters 14-20
(FORALL (x_6)
(FORALL (n_5)
(IMPLIES (<= 0 n_5)
(FORALL (e)
(FORALL (p)
(FORALL (r)
(IMPLIES (AND (<= 0 e) (EQ (* r (power p e)) (power x_6 n_5)))
(IMPLIES (> e 0)
(IMPLIES (EQ (computer_mod e 2) 0)
(FORALL (p0)
(IMPLIES (EQ p0 (* p p))
(FORALL (e0) (IMPLIES (EQ e0 (computer_div e 2)) (<= 0 e0))))))))))))))

;; Power_imp_ensures_default_po_5, File "HOME/tests/java/Power.java", line 53, characters 24-52
(FORALL (x_6)
(FORALL (n_5)
(IMPLIES (<= 0 n_5)
(FORALL (e)
(FORALL (p)
(FORALL (r)
(IMPLIES (AND (<= 0 e) (EQ (* r (power p e)) (power x_6 n_5)))
(IMPLIES (> e 0)
(IMPLIES (EQ (computer_mod e 2) 0)
(FORALL (p0)
(IMPLIES (EQ p0 (* p p))
(FORALL (e0)
(IMPLIES (EQ e0 (computer_div e 2)) (EQ (* r (power p0 e0)) (power x_6 n_5)))))))))))))))

;; Power_imp_ensures_default_po_6, File "HOME/tests/java/Power.java", line 46, characters 16-37
(FORALL (x_6)
(FORALL (n_5)
(IMPLIES (<= 0 n_5)
(FORALL (e)
(FORALL (p)
(FORALL (r)
(IMPLIES (AND (<= 0 e) (EQ (* r (power p e)) (power x_6 n_5)))
(IMPLIES (<= e 0)
(FORALL (return) (IMPLIES (EQ return r) (EQ return (power x_6 n_5))))))))))))

;; Power_imp_safety_po_1, File "HOME/tests/java/Power.java", line 57, characters 16-21
(FORALL (x_6)
(FORALL (n_5)
(IMPLIES (<= 0 n_5)
(FORALL (e)
(FORALL (p)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 e) (EQ (* r (power p e)) (power x_6 n_5)))
(IMPLIES (> e 0) (NEQ 2 0))))))))))

;; Power_imp_safety_po_2, File "HOME/tests/java/Power.java", line 54, characters 25-26
(FORALL (x_6)
(FORALL (n_5)
(IMPLIES (<= 0 n_5)
(FORALL (e)
(FORALL (p)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 e) (EQ (* r (power p e)) (power x_6 n_5)))
(IMPLIES (> e 0)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (computer_mod e 2))
(IMPLIES (NEQ result 0)
(FORALL (r0)
(IMPLIES (EQ r0 (* r p))
(FORALL (p0)
(IMPLIES (EQ p0 (* p p))
(IMPLIES (NEQ 2 0)
(FORALL (result0)
(IMPLIES (EQ result0 (computer_div e 2))
(FORALL (e0) (IMPLIES (EQ e0 result0) (<= 0 e)))))))))))))))))))))))

;; Power_imp_safety_po_3, File "HOME/tests/java/Power.java", line 54, characters 25-26
(FORALL (x_6)
(FORALL (n_5)
(IMPLIES (<= 0 n_5)
(FORALL (e)
(FORALL (p)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 e) (EQ (* r (power p e)) (power x_6 n_5)))
(IMPLIES (> e 0)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (computer_mod e 2))
(IMPLIES (NEQ result 0)
(FORALL (r0)
(IMPLIES (EQ r0 (* r p))
(FORALL (p0)
(IMPLIES (EQ p0 (* p p))
(IMPLIES (NEQ 2 0)
(FORALL (result0)
(IMPLIES (EQ result0 (computer_div e 2))
(FORALL (e0) (IMPLIES (EQ e0 result0) (< e0 e)))))))))))))))))))))))

;; Power_imp_safety_po_4, File "HOME/tests/java/Power.java", line 54, characters 25-26
(FORALL (x_6)
(FORALL (n_5)
(IMPLIES (<= 0 n_5)
(FORALL (e)
(FORALL (p)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 e) (EQ (* r (power p e)) (power x_6 n_5)))
(IMPLIES (> e 0)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (computer_mod e 2))
(IMPLIES (EQ result 0)
(FORALL (p0)
(IMPLIES (EQ p0 (* p p))
(IMPLIES (NEQ 2 0)
(FORALL (result0)
(IMPLIES (EQ result0 (computer_div e 2))
(FORALL (e0) (IMPLIES (EQ e0 result0) (<= 0 e)))))))))))))))))))))

;; Power_imp_safety_po_5, File "HOME/tests/java/Power.java", line 54, characters 25-26
(FORALL (x_6)
(FORALL (n_5)
(IMPLIES (<= 0 n_5)
(FORALL (e)
(FORALL (p)
(FORALL (r)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 e) (EQ (* r (power p e)) (power x_6 n_5)))
(IMPLIES (> e 0)
(IMPLIES (NEQ 2 0)
(FORALL (result)
(IMPLIES (EQ result (computer_mod e 2))
(IMPLIES (EQ result 0)
(FORALL (p0)
(IMPLIES (EQ p0 (* p p))
(IMPLIES (NEQ 2 0)
(FORALL (result0)
(IMPLIES (EQ result0 (computer_div e 2))
(FORALL (e0) (IMPLIES (EQ e0 result0) (< e0 e)))))))))))))))))))))

;; Power_rec_ensures_default_po_1, File "HOME/tests/java/Power.java", line 33, characters 16-37
(FORALL (x_5)
(FORALL (n_4)
(IMPLIES (<= 0 n_4)
(IMPLIES (EQ n_4 0)
(FORALL (return) (IMPLIES (EQ return 1) (EQ return (power x_5 n_4))))))))

;; Power_rec_ensures_default_po_2, File "HOME/tests/java/Power.java", line 33, characters 16-37
(FORALL (x_5)
(FORALL (n_4)
(IMPLIES (<= 0 n_4)
(IMPLIES (NEQ n_4 0)
(FORALL (result)
(IMPLIES (EQ result (power x_5 (computer_div n_4 2)))
(IMPLIES (EQ (computer_mod n_4 2) 0)
(FORALL (return)
(IMPLIES (EQ return (* result result)) (EQ return (power x_5 n_4)))))))))))

;; Power_rec_ensures_default_po_3, File "HOME/tests/java/Power.java", line 33, characters 16-37
(FORALL (x_5)
(FORALL (n_4)
(IMPLIES (<= 0 n_4)
(IMPLIES (NEQ n_4 0)
(FORALL (result)
(IMPLIES (EQ result (power x_5 (computer_div n_4 2)))
(IMPLIES (NEQ (computer_mod n_4 2) 0)
(FORALL (return)
(IMPLIES (EQ return (* (* result result) x_5)) (EQ return (power x_5 n_4)))))))))))

;; Power_rec_safety_po_1, File "HOME/tests/java/Power.java", line 37, characters 24-27
(FORALL (n_4) (IMPLIES (<= 0 n_4) (IMPLIES (NEQ n_4 0) (NEQ 2 0))))

;; Power_rec_safety_po_2, File "why/Power.why", line 615, characters 13-60
(FORALL (n_4)
(IMPLIES (<= 0 n_4)
(IMPLIES (NEQ n_4 0)
(IMPLIES (NEQ 2 0)
(FORALL (result) (IMPLIES (EQ result (computer_div n_4 2)) (<= 0 n_4)))))))

;; Power_rec_safety_po_3, File "why/Power.why", line 615, characters 13-60
(FORALL (n_4)
(IMPLIES (<= 0 n_4)
(IMPLIES (NEQ n_4 0)
(IMPLIES (NEQ 2 0)
(FORALL (result) (IMPLIES (EQ result (computer_div n_4 2)) (< result n_4)))))))

;; Power_rec_safety_po_4, File "HOME/tests/java/Power.java", line 37, characters 17-28
(FORALL (n_4)
(IMPLIES (<= 0 n_4)
(IMPLIES (NEQ n_4 0)
(IMPLIES (NEQ 2 0)
(FORALL (result) (IMPLIES (EQ result (computer_div n_4 2)) (<= 0 result)))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/Power_why.sx         : ###.#####..#.#.##.... (9/0/0/12/0)
total   :  21
valid   :   9 ( 43%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :  12 ( 57%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Power.why
========== file tests/java/why/Power_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic Power_tag : Object tag_id

axiom Power_parenttag_Object: parenttag(Power_tag, Object_tag)

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Power(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

logic power : int, int -> int

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Power(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Power(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Power(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom power_s:
  (forall x_1_0:int.
    (forall n_0:int. (power(x_1_0, (n_0 + 1)) = (x_1_0 * power(x_1_0, n_0)))))

axiom power_0: (forall x_0_0:int. (power(x_0_0, 0) = 1))

goal power_mul:
  (forall x_2_0:int.
    (forall y:int.
      (forall n_1:int.
        ((n_1 >= 0) -> (power((x_2_0 * y), n_1) = (power(x_2_0,
         n_1) * power(y, n_1)))))))

axiom power_mul_as_axiom:
  (forall x_2_0:int.
    (forall y:int.
      (forall n_1:int.
        ((n_1 >= 0) -> (power((x_2_0 * y), n_1) = (power(x_2_0,
         n_1) * power(y, n_1)))))))

goal power_even:
  (forall x_3:int.
    (forall n_2:int.
      (((n_2 >= 0) and (computer_mod(n_2, 2) = 0)) -> (power(x_3,
       n_2) = power((x_3 * x_3), computer_div(n_2, 2))))))

axiom power_even_as_axiom:
  (forall x_3:int.
    (forall n_2:int.
      (((n_2 >= 0) and (computer_mod(n_2, 2) = 0)) -> (power(x_3,
       n_2) = power((x_3 * x_3), computer_div(n_2, 2))))))

goal power_odd:
  (forall x_4:int.
    (forall n_3:int.
      (((n_3 >= 0) and (computer_mod(n_3, 2) <> 0)) -> (power(x_4,
       n_3) = (x_4 * power((x_4 * x_4), computer_div(n_3, 2)))))))

axiom power_odd_as_axiom:
  (forall x_4:int.
    (forall n_3:int.
      (((n_3 >= 0) and (computer_mod(n_3, 2) <> 0)) -> (power(x_4,
       n_3) = (x_4 * power((x_4 * x_4), computer_div(n_3, 2)))))))

goal Power_imp_ensures_default_po_1:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  ("JC_38": ("JC_37": ((1 * power(x_6, n_5)) = power(x_6, n_5))))

goal Power_imp_ensures_default_po_2:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_38":
  (("JC_36": (0 <= e)) and ("JC_37": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (computer_mod(e, 2) <> 0) ->
  forall r0:int.
  (r0 = (r * p)) ->
  forall p0:int.
  (p0 = (p * p)) ->
  forall e0:int.
  (e0 = computer_div(e, 2)) ->
  ("JC_38": ("JC_36": (0 <= e0)))

goal Power_imp_ensures_default_po_3:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_38":
  (("JC_36": (0 <= e)) and ("JC_37": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (computer_mod(e, 2) <> 0) ->
  forall r0:int.
  (r0 = (r * p)) ->
  forall p0:int.
  (p0 = (p * p)) ->
  forall e0:int.
  (e0 = computer_div(e, 2)) ->
  ("JC_38": ("JC_37": ((r0 * power(p0, e0)) = power(x_6, n_5))))

goal Power_imp_ensures_default_po_4:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_38":
  (("JC_36": (0 <= e)) and ("JC_37": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (computer_mod(e, 2) = 0) ->
  forall p0:int.
  (p0 = (p * p)) ->
  forall e0:int.
  (e0 = computer_div(e, 2)) ->
  ("JC_38": ("JC_36": (0 <= e0)))

goal Power_imp_ensures_default_po_5:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_38":
  (("JC_36": (0 <= e)) and ("JC_37": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (computer_mod(e, 2) = 0) ->
  forall p0:int.
  (p0 = (p * p)) ->
  forall e0:int.
  (e0 = computer_div(e, 2)) ->
  ("JC_38": ("JC_37": ((r * power(p0, e0)) = power(x_6, n_5))))

goal Power_imp_ensures_default_po_6:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_38":
  (("JC_36": (0 <= e)) and ("JC_37": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e <= 0) ->
  forall return:int.
  (return = r) ->
  ("JC_23": (return = power(x_6, n_5)))

goal Power_imp_safety_po_1:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_31": true) ->
  ("JC_29":
  (("JC_27": (0 <= e)) and ("JC_28": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (2 <> 0)

goal Power_imp_safety_po_2:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_31": true) ->
  ("JC_29":
  (("JC_27": (0 <= e)) and ("JC_28": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_mod(e, 2)) ->
  (result <> 0) ->
  forall r0:int.
  (r0 = (r * p)) ->
  forall p0:int.
  (p0 = (p * p)) ->
  (2 <> 0) ->
  forall result0:int.
  (result0 = computer_div(e, 2)) ->
  forall e0:int.
  (e0 = result0) ->
  (0 <= ("JC_35": e))

goal Power_imp_safety_po_3:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_31": true) ->
  ("JC_29":
  (("JC_27": (0 <= e)) and ("JC_28": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_mod(e, 2)) ->
  (result <> 0) ->
  forall r0:int.
  (r0 = (r * p)) ->
  forall p0:int.
  (p0 = (p * p)) ->
  (2 <> 0) ->
  forall result0:int.
  (result0 = computer_div(e, 2)) ->
  forall e0:int.
  (e0 = result0) ->
  (("JC_35": e0) < ("JC_35": e))

goal Power_imp_safety_po_4:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_31": true) ->
  ("JC_29":
  (("JC_27": (0 <= e)) and ("JC_28": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_mod(e, 2)) ->
  (result = 0) ->
  forall p0:int.
  (p0 = (p * p)) ->
  (2 <> 0) ->
  forall result0:int.
  (result0 = computer_div(e, 2)) ->
  forall e0:int.
  (e0 = result0) ->
  (0 <= ("JC_35": e))

goal Power_imp_safety_po_5:
  forall x_6:int.
  forall n_5:int.
  ("JC_21": (0 <= n_5)) ->
  forall e:int.
  forall p:int.
  forall r:int.
  ("JC_31": true) ->
  ("JC_29":
  (("JC_27": (0 <= e)) and ("JC_28": ((r * power(p, e)) = power(x_6, n_5))))) ->
  (e > 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_mod(e, 2)) ->
  (result = 0) ->
  forall p0:int.
  (p0 = (p * p)) ->
  (2 <> 0) ->
  forall result0:int.
  (result0 = computer_div(e, 2)) ->
  forall e0:int.
  (e0 = result0) ->
  (("JC_35": e0) < ("JC_35": e))

goal Power_rec_ensures_default_po_1:
  forall x_5:int.
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 = 0) ->
  forall return:int.
  (return = 1) ->
  ("JC_112": (return = power(x_5, n_4)))

goal Power_rec_ensures_default_po_2:
  forall x_5:int.
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 <> 0) ->
  forall result:int.
  ("JC_113": (result = power(x_5, computer_div(n_4, 2)))) ->
  (computer_mod(n_4, 2) = 0) ->
  forall return:int.
  (return = (result * result)) ->
  ("JC_112": (return = power(x_5, n_4)))

goal Power_rec_ensures_default_po_3:
  forall x_5:int.
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 <> 0) ->
  forall result:int.
  ("JC_113": (result = power(x_5, computer_div(n_4, 2)))) ->
  (computer_mod(n_4, 2) <> 0) ->
  forall return:int.
  (return = ((result * result) * x_5)) ->
  ("JC_112": (return = power(x_5, n_4)))

goal Power_rec_safety_po_1:
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 <> 0) ->
  (2 <> 0)

goal Power_rec_safety_po_2:
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 <> 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_div(n_4, 2)) ->
  (0 <= ("JC_118": n_4))

goal Power_rec_safety_po_3:
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 <> 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_div(n_4, 2)) ->
  (("JC_119": result) < ("JC_118": n_4))

goal Power_rec_safety_po_4:
  forall n_4:int.
  ("JC_110": (0 <= n_4)) ->
  (n_4 <> 0) ->
  (2 <> 0) ->
  forall result:int.
  (result = computer_div(n_4, 2)) ->
  ("JC_108": (0 <= result))

why-2.34/tests/java/oracle/MullerTheory.res.oracle0000644000175000017500000137276312311670312020602 0ustar  rtusers========== file tests/java/MullerTheory.java ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* File Muller.java */

//@+ CheckArithOverflow = no
//@+ SeparationPolicy = Regions

//@ import tests.spec.NumOfPos;

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i j k l, int t[];
  @       j < k && k <= l && t[k] > 0 ==> 
  @       num_of_pos(i,j,t) < num_of_pos(i,l,t);
  @*/

public class MullerTheory {

    /*@ requires t!=null;
      @*/
    public static int[] m(int t[]) {
	int count = 0;
	
	/*@ loop_invariant
	  @    0 <= i <= t.length && 
	  @    0 <= count <= i && 
	  @    count == num_of_pos(0,i-1,t) ; 
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) if (t[i] > 0) count++;
	
	int u[] = new int[count];
	count = 0;
	
	/*@ loop_invariant
	  @    0 <= i <= t.length && 
	  @    0 <= count <= i && 
	  @    count == num_of_pos(0,i-1,t);
	  @ loop_variant t.length - i;
	  @*/
	for (int i=0 ; i < t.length; i++) {
	    if (t[i] > 0) u[count++] = t[i];
	}
	return u;
    }
}

/* End of file Muller.java */
========== krakatoa execution ==========
Parsing OK.
Parsing of spec file tests/spec/NumOfPos.spec was OK.
It contains theory 'NumOfPos'
Typing OK.
Generating JC function cons_MullerTheory for constructor MullerTheory
Generating JC function MullerTheory_m for method MullerTheory.m
Done.
========== file tests/java/MullerTheory.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = always
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = None

predicate Non_null_intM{Here}(intM[0..] x) =
(\offset_max(x) >= -1)

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag MullerTheory = Object with {
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

tag intM = Object with {
  integer intP;
}

boolean non_null_intM(! intM[0..] x)
behavior default:
  assigns \nothing;
  ensures (if \result then (\offset_max(x) >= -1) else (x == null));
;

integer java_array_length_intM(! intM[0..-1] x)
behavior default:
  assigns \nothing;
  ensures ((\result <= 2147483647) &&
            ((\result >= 0) && (\result == (\offset_max(x) + 1))));
;

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

axiomatic NumOfPos {

  logic integer num_of_pos{L}(integer i, integer j, intM[0..] t)
   
  axiom num_of_pos_false_case{L} :
  (\forall integer i_2;
    (\forall integer j_2;
      (\forall integer k_0;
        (\forall intM[0..] t_2;
          (((i_2 <= j_2) && (! ((t_2 + j_2).intP > 0))) ==>
            (num_of_pos{L}(i_2, j_2, t_2) ==
              num_of_pos{L}(i_2, (j_2 - 1), t_2)))))))
   
  axiom num_of_pos_true_case{L} :
  (\forall integer i_1;
    (\forall integer j_1;
      (\forall integer k;
        (\forall intM[0..] t_1;
          (((i_1 <= j_1) && ((t_1 + j_1).intP > 0)) ==>
            (num_of_pos{L}(i_1, j_1, t_1) ==
              (num_of_pos{L}(i_1, (j_1 - 1), t_1) + 1)))))))
   
  axiom num_of_pos_empty{L} :
  (\forall integer i_0;
    (\forall integer j_0;
      (\forall intM[0..] t_0;
        ((i_0 > j_0) ==> (num_of_pos{L}(i_0, j_0, t_0) == 0)))))
  
}

lemma num_of_pos_strictly_increasing{L} :
(\forall integer i_3;
  (\forall integer j_3;
    (\forall integer k_1;
      (\forall integer l;
        (\forall intM[0..] t_3;
          ((((j_3 < k_1) && (k_1 <= l)) && ((t_3 + k_1).intP > 0)) ==>
            (num_of_pos{L}(i_3, j_3, t_3) < num_of_pos{L}(i_3, l, t_3))))))))

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_MullerTheory(! MullerTheory[0] this_0){()}

intM[0..] MullerTheory_m(intM[0..] t_4)
  requires (K_1 : Non_null_intM(t_4));
{  
   {  
      (var integer count = (K_39 : 0));
      
      {  
         {  
            {  
               (var integer i_4 = (K_2 : 0));
               
               loop 
               behavior default:
                 invariant (K_11 : ((K_10 : ((K_9 : ((K_8 : (0 <= i_4)) &&
                                                      (K_7 : (i_4 <=
                                                               (\offset_max(t_4) +
                                                                 1))))) &&
                                              (K_6 : ((K_5 : (0 <= count)) &&
                                                       (K_4 : (count <= i_4)))))) &&
                                     (K_3 : (count ==
                                              num_of_pos{Here}(0, (i_4 - 1),
                                                               t_4)))));
               
               variant (K_12 : ((\offset_max(t_4) + 1) - i_4));
               for ( ; (K_18 : (i_4 < (K_17 : java_array_length_intM(t_4)))) ; 
               (K_16 : (i_4 ++)))
               {  (if (K_15 : ((K_14 : (t_4 + i_4).intP) > 0)) then (K_13 : 
                                                                    (count ++)) else ())
               }
            }
         };
         
         {  
            (var intM[0..] u = (K_38 : (new intM[count])));
            
            {  (count = 0);
               
               {  
                  {  
                     (var integer i_5 = (K_19 : 0));
                     
                     loop 
                     behavior default:
                       invariant (K_28 : ((K_27 : ((K_26 : ((K_25 : (0 <=
                                                                    i_5)) &&
                                                             (K_24 : 
                                                             (i_5 <=
                                                               (\offset_max(t_4) +
                                                                 1))))) &&
                                                    (K_23 : ((K_22 : 
                                                             (0 <=
                                                               count)) &&
                                                              (K_21 : 
                                                              (count <=
                                                                i_5)))))) &&
                                           (K_20 : (count ==
                                                     num_of_pos{Here}(
                                                     0, (i_5 - 1), t_4)))));
                     
                     variant (K_29 : ((\offset_max(t_4) + 1) - i_5));
                     for ( ; (K_37 : (i_5 <
                                       (K_36 : java_array_length_intM(t_4)))) ; 
                     (K_35 : (i_5 ++)))
                     {  (if (K_34 : ((K_33 : (t_4 + i_5).intP) > 0)) then 
                        (K_32 : ((u + (K_30 : (count ++))).intP = (K_31 : 
                                                                  (t_4 +
                                                                    i_5).intP))) else ())
                     }
                  }
               };
               
               (return u)
            }
         }
      }
   }
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/MullerTheory.jloc tests/java/MullerTheory.jc && make -f tests/java/MullerTheory.makefile gui"
End:
*/
========== file tests/java/MullerTheory.jloc ==========
[K_30]
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 21
end = 28

[K_23]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 8
end = 23

[K_33]
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 9
end = 13

[K_17]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 20
end = 28

[K_11]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 95

[K_38]
file = "HOME/tests/java/MullerTheory.java"
line = 60
begin = 11
end = 25

[K_25]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 14

[K_13]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 49
end = 56

[K_9]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 26

[K_28]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 95

[K_1]
file = "HOME/tests/java/MullerTheory.java"
line = 47
begin = 17
end = 24

[K_15]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 39
end = 47

[K_4]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 13
end = 23

[K_12]
file = "HOME/tests/java/MullerTheory.java"
line = 56
begin = 18
end = 30

[K_34]
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 9
end = 17

[K_20]
file = "HOME/tests/java/MullerTheory.java"
line = 66
begin = 8
end = 36

[MullerTheory_m]
name = "Method m"
file = "HOME/tests/java/MullerTheory.java"
line = 49
begin = 24
end = 25

[cons_MullerTheory]
name = "Constructor of class MullerTheory"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_2]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 12
end = 13

[K_29]
file = "HOME/tests/java/MullerTheory.java"
line = 67
begin = 18
end = 30

[num_of_pos_false_case]
name = "Lemma num_of_pos_false_case"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_10]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 54

[K_35]
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 30
end = 33

[K_6]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 8
end = 23

[K_8]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 14

[K_3]
file = "HOME/tests/java/MullerTheory.java"
line = 55
begin = 8
end = 36

[num_of_pos_true_case]
name = "Lemma num_of_pos_true_case"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_31]
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 32
end = 36

[K_32]
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 19
end = 36

[K_27]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 54

[K_21]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 13
end = 23

[num_of_pos_strictly_increasing]
name = "Lemma num_of_pos_strictly_increasing"
file = "HOME/tests/java/MullerTheory.java"
line = 39
begin = 10
end = 40

[K_24]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 13
end = 26

[K_14]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 39
end = 43

[K_39]
file = "HOME/tests/java/MullerTheory.java"
line = 50
begin = 13
end = 14

[K_36]
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 20
end = 28

[K_37]
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 16
end = 28

[num_of_pos_empty]
name = "Lemma num_of_pos_empty"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_19]
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 12
end = 13

[K_5]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 8
end = 18

[K_18]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 16
end = 28

[K_7]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 13
end = 26

[K_26]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 26

[K_22]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 8
end = 18

[K_16]
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 30
end = 33

========== jessie execution ==========
Generating Why function cons_MullerTheory
Generating Why function MullerTheory_m
========== file tests/java/MullerTheory.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs MullerTheory.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs MullerTheory.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/MullerTheory_why.sx

project: why/MullerTheory.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/MullerTheory_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/MullerTheory_why.vo

coq/MullerTheory_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/MullerTheory_why.v: why/MullerTheory.why
	@echo 'why -coq [...] why/MullerTheory.why' && $(WHY) $(JESSIELIBFILES) why/MullerTheory.why && rm -f coq/jessie_why.v

coq-goals: goals coq/MullerTheory_ctx_why.vo
	for f in why/*_po*.why; do make -f MullerTheory.makefile coq/`basename $$f .why`_why.v ; done

coq/MullerTheory_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/MullerTheory_ctx_why.v: why/MullerTheory_ctx.why
	@echo 'why -coq [...] why/MullerTheory_ctx.why' && $(WHY) why/MullerTheory_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export MullerTheory_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/MullerTheory_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/MullerTheory_ctx_why.vo

pvs: pvs/MullerTheory_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/MullerTheory_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/MullerTheory_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/MullerTheory_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/MullerTheory_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/MullerTheory_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/MullerTheory_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/MullerTheory_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/MullerTheory_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/MullerTheory_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/MullerTheory_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/MullerTheory_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/MullerTheory_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/MullerTheory_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/MullerTheory_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: MullerTheory.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/MullerTheory_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: MullerTheory.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: MullerTheory.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: MullerTheory.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include MullerTheory.depend

depend: coq/MullerTheory_why.v
	-$(COQDEP) -I coq coq/MullerTheory*_why.v > MullerTheory.depend

clean:
	rm -f coq/*.vo

========== file tests/java/MullerTheory.loc ==========
[JC_94]
kind = AllocSize
file = "HOME/tests/java/MullerTheory.java"
line = 60
begin = 11
end = 25

[JC_73]
file = "HOME/tests/java/MullerTheory.java"
line = 66
begin = 8
end = 36

[JC_63]
file = "HOME/tests/java/MullerTheory.jc"
line = 116
begin = 15
end = 1099

[cons_MullerTheory_ensures_default]
name = "Constructor of class MullerTheory"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
kind = PointerDeref
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 9
end = 13

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 8
end = 18

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
kind = UserCall
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 20
end = 28

[JC_99]
file = "HOME/tests/java/MullerTheory.java"
line = 66
begin = 8
end = 36

[JC_85]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 13
end = 26

[JC_31]
file = "HOME/tests/java/MullerTheory.jc"
line = 55
begin = 8
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_MullerTheory_safety]
name = "Constructor of class MullerTheory"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
kind = PointerDeref
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 32
end = 36

[JC_55]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 14

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/java/MullerTheory.jc"
line = 51
begin = 11
end = 103

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/java/MullerTheory.java"
line = 56
begin = 18
end = 30

[JC_9]
file = "HOME/tests/java/MullerTheory.jc"
line = 42
begin = 8
end = 21

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/java/MullerTheory.jc"
line = 50
begin = 10
end = 18

[JC_25]
file = "HOME/tests/java/MullerTheory.jc"
line = 51
begin = 11
end = 103

[JC_78]
kind = UserCall
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 20
end = 28

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 95

[JC_47]
file = "HOME/tests/java/MullerTheory.java"
line = 47
begin = 17
end = 24

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/java/MullerTheory.jc"
line = 50
begin = 10
end = 18

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
kind = IndexBounds
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 20
end = 28

[JC_13]
file = "HOME/tests/java/MullerTheory.jc"
line = 45
begin = 11
end = 66

[JC_82]
kind = PointerDeref
file = "HOME/tests/java/MullerTheory.java"
line = 70
begin = 19
end = 36

[JC_87]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 13
end = 23

[JC_11]
file = "HOME/tests/java/MullerTheory.jc"
line = 42
begin = 8
end = 21

[JC_98]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 13
end = 23

[JC_70]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 13
end = 26

[JC_15]
file = "HOME/tests/java/MullerTheory.jc"
line = 45
begin = 11
end = 66

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
kind = UserCall
file = "HOME/tests/java/MullerTheory.java"
line = 69
begin = 20
end = 28

[JC_91]
file = "HOME/tests/java/MullerTheory.jc"
line = 116
begin = 15
end = 1099

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/java/MullerTheory.java"
line = 67
begin = 18
end = 30

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_false_case]
name = "Lemma num_of_pos_false_case"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 14

[JC_38]
file = "HOME/tests/java/MullerTheory.jc"
line = 57
begin = 11
end = 65

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_true_case]
name = "Lemma num_of_pos_true_case"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_62]
file = "HOME/tests/java/MullerTheory.jc"
line = 116
begin = 15
end = 1099

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/tests/java/MullerTheory.java"
line = 55
begin = 8
end = 36

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/tests/java/MullerTheory.jc"
line = 146
begin = 21
end = 1746

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 13
end = 26

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
kind = IndexBounds
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 20
end = 28

[num_of_pos_strictly_increasing]
name = "Lemma num_of_pos_strictly_increasing"
behavior = "lemma"
file = "HOME/tests/java/MullerTheory.java"
line = 39
begin = 10
end = 40

[JC_29]
file = "HOME/tests/java/MullerTheory.jc"
line = 55
begin = 8
end = 23

[JC_68]
kind = AllocSize
file = "HOME/tests/java/MullerTheory.java"
line = 60
begin = 11
end = 25

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/java/MullerTheory.jc"
line = 44
begin = 10
end = 18

[JC_96]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 13
end = 26

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 14

[JC_93]
kind = UserCall
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 20
end = 28

[JC_97]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 8
end = 18

[JC_84]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 14

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/java/MullerTheory.jc"
line = 44
begin = 10
end = 18

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/java/MullerTheory.jc"
line = 48
begin = 8
end = 30

[JC_77]
file = "HOME/tests/java/MullerTheory.jc"
line = 146
begin = 21
end = 1746

[JC_49]
file = "HOME/tests/java/MullerTheory.java"
line = 47
begin = 17
end = 24

[JC_1]
file = "HOME/tests/java/MullerTheory.jc"
line = 13
begin = 12
end = 22

[num_of_pos_empty]
name = "Lemma num_of_pos_empty"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_102]
file = "HOME/tests/java/MullerTheory.jc"
line = 146
begin = 21
end = 1746

[JC_37]
file = "HOME/tests/java/MullerTheory.jc"
line = 57
begin = 11
end = 65

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 8
end = 18

[JC_89]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 95

[JC_66]
kind = PointerDeref
file = "HOME/tests/java/MullerTheory.java"
line = 58
begin = 39
end = 43

[JC_59]
file = "HOME/tests/java/MullerTheory.java"
line = 55
begin = 8
end = 36

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[MullerTheory_m_safety]
name = "Method m"
behavior = "Safety"
file = "HOME/tests/java/MullerTheory.java"
line = 49
begin = 24
end = 25

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/java/MullerTheory.jc"
line = 13
begin = 12
end = 22

[JC_92]
file = "HOME/tests/java/MullerTheory.jc"
line = 116
begin = 15
end = 1099

[JC_86]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 8
end = 18

[JC_60]
file = "HOME/tests/java/MullerTheory.java"
line = 53
begin = 8
end = 95

[JC_72]
file = "HOME/tests/java/MullerTheory.java"
line = 65
begin = 13
end = 23

[JC_19]
file = "HOME/tests/java/MullerTheory.jc"
line = 48
begin = 8
end = 30

[JC_76]
file = "HOME/tests/java/MullerTheory.jc"
line = 146
begin = 21
end = 1746

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[MullerTheory_m_ensures_default]
name = "Method m"
behavior = "default behavior"
file = "HOME/tests/java/MullerTheory.java"
line = 49
begin = 24
end = 25

[JC_58]
file = "HOME/tests/java/MullerTheory.java"
line = 54
begin = 13
end = 23

[JC_100]
file = "HOME/tests/java/MullerTheory.java"
line = 64
begin = 8
end = 95

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/MullerTheory.why ==========
type Object

type interface

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic MullerTheory_tag:  -> Object tag_id

axiom MullerTheory_parenttag_Object : parenttag(MullerTheory_tag, Object_tag)

predicate Non_null_Object(x_1:Object pointer,
 Object_x_2_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_x_2_alloc_table, x_1), (0))

predicate Non_null_intM(x_0:Object pointer,
 Object_x_1_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_x_1_alloc_table, x_0), neg_int((1)))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic intM_tag:  -> Object tag_id

axiom intM_parenttag_Object : parenttag(intM_tag, Object_tag)

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_MullerTheory(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_intM(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic num_of_pos: int, int, Object pointer, (Object, int) memory -> int

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_MullerTheory(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_intM(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_MullerTheory(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_MullerTheory(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_intM(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom num_of_pos_false_case :
 (forall intM_intP_t_8_at_L:(Object, int) memory.
  (forall i_2:int.
   (forall j_2:int.
    (forall k_0:int.
     (forall t_2:Object pointer.
      ((le_int(i_2, j_2)
       and (not gt_int(select(intM_intP_t_8_at_L, shift(t_2, j_2)), (0)))) ->
       (num_of_pos(i_2, j_2, t_2, intM_intP_t_8_at_L) = num_of_pos(i_2,
                                                        sub_int(j_2, (1)),
                                                        t_2,
                                                        intM_intP_t_8_at_L))))))))

axiom num_of_pos_true_case :
 (forall intM_intP_t_8_at_L:(Object, int) memory.
  (forall i_1:int.
   (forall j_1:int.
    (forall k:int.
     (forall t_1:Object pointer.
      ((le_int(i_1, j_1)
       and gt_int(select(intM_intP_t_8_at_L, shift(t_1, j_1)), (0))) ->
       (num_of_pos(i_1, j_1, t_1, intM_intP_t_8_at_L) = add_int(num_of_pos(i_1,
                                                                sub_int(j_1,
                                                                (1)), t_1,
                                                                intM_intP_t_8_at_L),
                                                        (1)))))))))

axiom num_of_pos_empty :
 (forall intM_intP_t_8_at_L:(Object, int) memory.
  (forall i_0:int.
   (forall j_0:int.
    (forall t_0:Object pointer.
     (gt_int(i_0, j_0) ->
      (num_of_pos(i_0, j_0, t_0, intM_intP_t_8_at_L) = (0)))))))

lemma num_of_pos_strictly_increasing :
 (forall intM_intP_t_3_18_at_L:(Object, int) memory.
  (forall i_3:int.
   (forall j_3:int.
    (forall k_1:int.
     (forall l:int.
      (forall t_3:Object pointer.
       ((lt_int(j_3, k_1)
        and (le_int(k_1, l)
            and gt_int(select(intM_intP_t_3_18_at_L, shift(t_3, k_1)), (0)))) ->
        lt_int(num_of_pos(i_3, j_3, t_3, intM_intP_t_3_18_at_L),
        num_of_pos(i_3, l, t_3, intM_intP_t_3_18_at_L)))))))))

exception Exception_exc of Object pointer

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter MullerTheory_m :
 t_4:Object pointer ->
  Object_MullerTheory_m_12_alloc_table:Object alloc_table ref ->
   Object_MullerTheory_m_12_tag_table:Object tag_table ref ->
    intM_intP_MullerTheory_m_12:(Object, int) memory ref ->
     Object_t_4_10_alloc_table:Object alloc_table ->
      intM_intP_t_4_10:(Object, int) memory ->
       { } Object pointer reads Object_MullerTheory_m_12_alloc_table
       writes Object_MullerTheory_m_12_alloc_table,Object_MullerTheory_m_12_tag_table,intM_intP_MullerTheory_m_12
       { true }

parameter MullerTheory_m_requires :
 t_4:Object pointer ->
  Object_MullerTheory_m_12_alloc_table:Object alloc_table ref ->
   Object_MullerTheory_m_12_tag_table:Object tag_table ref ->
    intM_intP_MullerTheory_m_12:(Object, int) memory ref ->
     Object_t_4_10_alloc_table:Object alloc_table ->
      intM_intP_t_4_10:(Object, int) memory ->
       { (JC_47: Non_null_intM(t_4, Object_t_4_10_alloc_table))}
       Object pointer reads Object_MullerTheory_m_12_alloc_table
       writes Object_MullerTheory_m_12_alloc_table,Object_MullerTheory_m_12_tag_table,intM_intP_MullerTheory_m_12
       { true }

parameter Object_alloc_table : Object alloc_table ref

parameter Object_tag_table : Object tag_table ref

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_MullerTheory :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_MullerTheory(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, MullerTheory_tag)))) }

parameter alloc_struct_MullerTheory_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_MullerTheory(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, MullerTheory_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_intM :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter alloc_struct_intM_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_intM(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, intM_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter cons_MullerTheory :
 this_0:Object pointer ->
  Object_this_0_9_alloc_table:Object alloc_table -> { } unit { true }

parameter cons_MullerTheory_requires :
 this_0:Object pointer ->
  Object_this_0_9_alloc_table:Object alloc_table -> { } unit { true }

parameter java_array_length_intM :
 x_3:Object pointer ->
  Object_x_6_alloc_table:Object alloc_table ->
   { } int
   { (JC_25:
     (le_int(result, (2147483647))
     and (ge_int(result, (0))
         and (result = add_int(offset_max(Object_x_6_alloc_table, x_3), (1)))))) }

parameter java_array_length_intM_requires :
 x_3:Object pointer ->
  Object_x_6_alloc_table:Object alloc_table ->
   { } int
   { (JC_25:
     (le_int(result, (2147483647))
     and (ge_int(result, (0))
         and (result = add_int(offset_max(Object_x_6_alloc_table, x_3), (1)))))) }

parameter non_null_Object :
 x_4:Object pointer ->
  Object_x_7_alloc_table:Object alloc_table ->
   { } bool
   { (JC_38:
     (if result then (offset_max(Object_x_7_alloc_table, x_4) = (0))
      else (x_4 = null))) }

parameter non_null_Object_requires :
 x_4:Object pointer ->
  Object_x_7_alloc_table:Object alloc_table ->
   { } bool
   { (JC_38:
     (if result then (offset_max(Object_x_7_alloc_table, x_4) = (0))
      else (x_4 = null))) }

parameter non_null_intM :
 x_2:Object pointer ->
  Object_x_5_alloc_table:Object alloc_table ->
   { } bool
   { (JC_15:
     (if result
      then ge_int(offset_max(Object_x_5_alloc_table, x_2), neg_int((1)))
      else (x_2 = null))) }

parameter non_null_intM_requires :
 x_2:Object pointer ->
  Object_x_5_alloc_table:Object alloc_table ->
   { } bool
   { (JC_15:
     (if result
      then ge_int(offset_max(Object_x_5_alloc_table, x_2), neg_int((1)))
      else (x_2 = null))) }

let MullerTheory_m_ensures_default =
 fun (t_4 : Object pointer) (Object_MullerTheory_m_12_alloc_table : Object alloc_table ref) (Object_MullerTheory_m_12_tag_table : Object tag_table ref) (intM_intP_MullerTheory_m_12 : (Object, int) memory ref) (Object_t_4_10_alloc_table : Object alloc_table) (intM_intP_t_4_10 : (Object, int) memory) ->
  { (left_valid_struct_intM(t_4, (0), Object_t_4_10_alloc_table)
    and (JC_49: Non_null_intM(t_4, Object_t_4_10_alloc_table))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let count = ref (K_39: (0)) in
     begin
       (let i_4 = ref (K_2: (0)) in
       try
        (loop_3:
        while true do
        { invariant
            (JC_89:
            ((JC_84: le_int((0), i_4))
            and ((JC_85:
                 le_int(i_4,
                 add_int(offset_max(Object_t_4_10_alloc_table, t_4), (1))))
                and ((JC_86: le_int((0), count))
                    and ((JC_87: le_int(count, i_4))
                        and (JC_88:
                            (count = num_of_pos((0), sub_int(i_4, (1)), t_4,
                                     intM_intP_t_4_10))))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_18:
                 ((lt_int_ !i_4) (K_17:
                                 (let _jessie_ = t_4 in
                                 (JC_93:
                                 ((java_array_length_intM _jessie_) Object_t_4_10_alloc_table))))))
             then
              (if (K_15:
                  ((gt_int_ (K_14:
                            ((safe_acc_ intM_intP_t_4_10) ((shift t_4) !i_4)))) (0)))
              then
               (let _jessie_ =
               (K_13:
               (let _jessie_ = !count in
               begin
                 (let _jessie_ = (count := ((add_int _jessie_) (1))) in
                 void); _jessie_ end)) in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_16:
           (let _jessie_ = !i_4 in
           begin
             (let _jessie_ = (i_4 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end);
      (let u =
      (K_38:
      (JC_94:
      (((alloc_struct_intM !count) Object_MullerTheory_m_12_alloc_table) Object_MullerTheory_m_12_tag_table))) in
      begin
        (let _jessie_ = (count := (0)) in void);
       (let i_5 = ref (K_19: (0)) in
       try
        (loop_4:
        while true do
        { invariant
            (JC_100:
            ((JC_95: le_int((0), i_5))
            and ((JC_96:
                 le_int(i_5,
                 add_int(offset_max(Object_t_4_10_alloc_table, t_4), (1))))
                and ((JC_97: le_int((0), count))
                    and ((JC_98: le_int(count, i_5))
                        and (JC_99:
                            (count = num_of_pos((0), sub_int(i_5, (1)), t_4,
                                     intM_intP_t_4_10))))))))  }
         begin
           [ { } unit { true } ];
          try
           begin
             (if (K_37:
                 ((lt_int_ !i_5) (K_36:
                                 (let _jessie_ = t_4 in
                                 (JC_104:
                                 ((java_array_length_intM _jessie_) Object_t_4_10_alloc_table))))))
             then
              (if (K_34:
                  ((gt_int_ (K_33:
                            ((safe_acc_ intM_intP_t_4_10) ((shift t_4) !i_5)))) (0)))
              then
               (let _jessie_ =
               (K_32:
               (let _jessie_ =
               (K_31: ((safe_acc_ intM_intP_t_4_10) ((shift t_4) !i_5))) in
               (let _jessie_ = u in
               (let _jessie_ =
               (K_30:
               (let _jessie_ = !count in
               begin
                 (let _jessie_ = (count := ((add_int _jessie_) (1))) in
                 void); _jessie_ end)) in
               (let _jessie_ = ((shift _jessie_) _jessie_) in
               (((safe_upd_ intM_intP_MullerTheory_m_12) _jessie_) _jessie_)))))) in
               void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_35:
           (let _jessie_ = !i_5 in
           begin
             (let _jessie_ = (i_5 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := u); (raise Return)
      end) end); absurd  end with Return -> !return end)) { (JC_51: true) }

let MullerTheory_m_safety =
 fun (t_4 : Object pointer) (Object_MullerTheory_m_12_alloc_table : Object alloc_table ref) (Object_MullerTheory_m_12_tag_table : Object tag_table ref) (intM_intP_MullerTheory_m_12 : (Object, int) memory ref) (Object_t_4_10_alloc_table : Object alloc_table) (intM_intP_t_4_10 : (Object, int) memory) ->
  { (left_valid_struct_intM(t_4, (0), Object_t_4_10_alloc_table)
    and (JC_49: Non_null_intM(t_4, Object_t_4_10_alloc_table))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let count = ref (K_39: (0)) in
     begin
       (let i_4 = ref (K_2: (0)) in
       try
        (loop_1:
        while true do
        { invariant (JC_62: true)
          variant (JC_67 : sub_int(add_int(offset_max(Object_t_4_10_alloc_table,
                                           t_4),
                                   (1)),
                           i_4)) }
         begin
           [ { } unit reads count,i_4
             { (JC_60:
               ((JC_55: le_int((0), i_4))
               and ((JC_56:
                    le_int(i_4,
                    add_int(offset_max(Object_t_4_10_alloc_table, t_4), (1))))
                   and ((JC_57: le_int((0), count))
                       and ((JC_58: le_int(count, i_4))
                           and (JC_59:
                               (count = num_of_pos((0), sub_int(i_4, (1)),
                                        t_4, intM_intP_t_4_10)))))))) } ];
          try
           begin
             (if (K_18:
                 ((lt_int_ !i_4) (K_17:
                                 (let _jessie_ = t_4 in
                                 (JC_65:
                                 (assert
                                 { ge_int(offset_max(Object_t_4_10_alloc_table,
                                          _jessie_),
                                   (-1)) };
                                 (JC_64:
                                 ((java_array_length_intM_requires _jessie_) Object_t_4_10_alloc_table))))))))
             then
              (if (K_15:
                  ((gt_int_ (K_14:
                            (JC_66:
                            ((((offset_acc_ Object_t_4_10_alloc_table) intM_intP_t_4_10) t_4) !i_4)))) (0)))
              then
               (let _jessie_ =
               (K_13:
               (let _jessie_ = !count in
               begin
                 (let _jessie_ = (count := ((add_int _jessie_) (1))) in
                 void); _jessie_ end)) in void) else void)
             else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_16:
           (let _jessie_ = !i_4 in
           begin
             (let _jessie_ = (i_4 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end);
      (let u =
      (K_38:
      (JC_68:
      (((alloc_struct_intM_requires !count) Object_MullerTheory_m_12_alloc_table) Object_MullerTheory_m_12_tag_table))) in
      begin
        (let _jessie_ = (count := (0)) in void);
       (let i_5 = ref (K_19: (0)) in
       try
        (loop_2:
        while true do
        { invariant (JC_76: true)
          variant (JC_83 : sub_int(add_int(offset_max(Object_t_4_10_alloc_table,
                                           t_4),
                                   (1)),
                           i_5)) }
         begin
           [ { } unit reads count,i_5
             { (JC_74:
               ((JC_69: le_int((0), i_5))
               and ((JC_70:
                    le_int(i_5,
                    add_int(offset_max(Object_t_4_10_alloc_table, t_4), (1))))
                   and ((JC_71: le_int((0), count))
                       and ((JC_72: le_int(count, i_5))
                           and (JC_73:
                               (count = num_of_pos((0), sub_int(i_5, (1)),
                                        t_4, intM_intP_t_4_10)))))))) } ];
          try
           begin
             (if (K_37:
                 ((lt_int_ !i_5) (K_36:
                                 (let _jessie_ = t_4 in
                                 (JC_79:
                                 (assert
                                 { ge_int(offset_max(Object_t_4_10_alloc_table,
                                          _jessie_),
                                   (-1)) };
                                 (JC_78:
                                 ((java_array_length_intM_requires _jessie_) Object_t_4_10_alloc_table))))))))
             then
              (if (K_34:
                  ((gt_int_ (K_33:
                            (JC_80:
                            ((((offset_acc_ Object_t_4_10_alloc_table) intM_intP_t_4_10) t_4) !i_5)))) (0)))
              then
               (let _jessie_ =
               (K_32:
               (let _jessie_ =
               (K_31:
               (JC_81:
               ((((offset_acc_ Object_t_4_10_alloc_table) intM_intP_t_4_10) t_4) !i_5))) in
               (let _jessie_ = u in
               (let _jessie_ =
               (K_30:
               (let _jessie_ = !count in
               begin
                 (let _jessie_ = (count := ((add_int _jessie_) (1))) in
                 void); _jessie_ end)) in
               (let _jessie_ = ((shift _jessie_) _jessie_) in
               (JC_82:
               (((((offset_upd_ !Object_MullerTheory_m_12_alloc_table) intM_intP_MullerTheory_m_12) _jessie_) _jessie_) _jessie_))))))) in
               void) else void) else (raise (Loop_exit_exc void)));
            (raise (Loop_continue_exc void)) end with
           Loop_continue_exc _jessie_ ->
           (let _jessie_ =
           (K_35:
           (let _jessie_ = !i_5 in
           begin
             (let _jessie_ = (i_5 := ((add_int _jessie_) (1))) in void);
            _jessie_ end)) in void) end end done) with
        Loop_exit_exc _jessie_ -> void end); (return := u); (raise Return)
      end) end); absurd  end with Return -> !return end)) { true }

let cons_MullerTheory_ensures_default =
 fun (this_0 : Object pointer) (Object_this_0_9_alloc_table : Object alloc_table) ->
  { valid_struct_MullerTheory(this_0, (0), (0), Object_this_0_9_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_43: true) }

let cons_MullerTheory_safety =
 fun (this_0 : Object pointer) (Object_this_0_9_alloc_table : Object alloc_table) ->
  { valid_struct_MullerTheory(this_0, (0), (0), Object_this_0_9_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }


========== make project execution ==========
why --project [...] why/MullerTheory.why
========== file tests/java/why/MullerTheory.wpr ==========

  
    
    
      
      
    
  
  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  

========== file tests/java/why/MullerTheory_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic MullerTheory_tag : Object tag_id

axiom MullerTheory_parenttag_Object: parenttag(MullerTheory_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_x_2_alloc_table: Object alloc_table) =
  (offset_max(Object_x_2_alloc_table, x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_x_1_alloc_table: Object alloc_table) =
  (offset_max(Object_x_1_alloc_table, x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_MullerTheory(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic num_of_pos : int, int, Object pointer, (Object, int) memory -> int

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_MullerTheory(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_MullerTheory(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_MullerTheory(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom num_of_pos_false_case:
  (forall intM_intP_t_8_at_L:(Object, int) memory.
    (forall i_2:int.
      (forall j_2:int.
        (forall k_0:int.
          (forall t_2:Object pointer.
            (((i_2 <= j_2) and (not (select(intM_intP_t_8_at_L, shift(t_2,
              j_2)) > 0))) ->
             (num_of_pos(i_2, j_2, t_2, intM_intP_t_8_at_L) = num_of_pos(i_2,
             (j_2 - 1), t_2, intM_intP_t_8_at_L))))))))

axiom num_of_pos_true_case:
  (forall intM_intP_t_8_at_L:(Object, int) memory.
    (forall i_1:int.
      (forall j_1:int.
        (forall k:int.
          (forall t_1:Object pointer.
            (((i_1 <= j_1) and (select(intM_intP_t_8_at_L, shift(t_1,
              j_1)) > 0)) ->
             (num_of_pos(i_1, j_1, t_1,
             intM_intP_t_8_at_L) = (num_of_pos(i_1, (j_1 - 1), t_1,
             intM_intP_t_8_at_L) + 1))))))))

axiom num_of_pos_empty:
  (forall intM_intP_t_8_at_L:(Object, int) memory.
    (forall i_0:int.
      (forall j_0:int.
        (forall t_0:Object pointer.
          ((i_0 > j_0) -> (num_of_pos(i_0, j_0, t_0, intM_intP_t_8_at_L) = 0))))))

========== file tests/java/why/MullerTheory_po1.why ==========
lemma num_of_pos_strictly_increasing:
  (forall intM_intP_t_3_18_at_L:(Object, int) memory.
    (forall i_3:int.
      (forall j_3:int.
        (forall k_1:int.
          (forall l:int.
            (forall t_3:Object pointer.
              (((j_3 < k_1) and
                ((k_1 <= l) and (select(intM_intP_t_3_18_at_L, shift(t_3,
                 k_1)) > 0))) ->
               (num_of_pos(i_3, j_3, t_3,
               intM_intP_t_3_18_at_L) < num_of_pos(i_3, l, t_3,
               intM_intP_t_3_18_at_L)))))))))

========== file tests/java/why/MullerTheory_po10.why ==========
goal MullerTheory_m_ensures_default_po_9:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89": ("JC_87": (count0 <= i_4_0)))

========== file tests/java/why/MullerTheory_po11.why ==========
goal MullerTheory_m_ensures_default_po_10:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89":
  ("JC_88": (count0 = num_of_pos(0, (i_4_0 - 1), t_4, intM_intP_t_4_10))))

========== file tests/java/why/MullerTheory_po12.why ==========
goal MullerTheory_m_ensures_default_po_11:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89": ("JC_84": (0 <= i_4_0)))

========== file tests/java/why/MullerTheory_po13.why ==========
goal MullerTheory_m_ensures_default_po_12:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89":
  ("JC_85": (i_4_0 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))))

========== file tests/java/why/MullerTheory_po14.why ==========
goal MullerTheory_m_ensures_default_po_13:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89": ("JC_86": (0 <= count)))

========== file tests/java/why/MullerTheory_po15.why ==========
goal MullerTheory_m_ensures_default_po_14:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89": ("JC_87": (count <= i_4_0)))

========== file tests/java/why/MullerTheory_po16.why ==========
goal MullerTheory_m_ensures_default_po_15:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89":
  ("JC_88": (count = num_of_pos(0, (i_4_0 - 1), t_4, intM_intP_t_4_10))))

========== file tests/java/why/MullerTheory_po17.why ==========
goal MullerTheory_m_ensures_default_po_16:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  ("JC_100": ("JC_95": (0 <= 0)))

========== file tests/java/why/MullerTheory_po18.why ==========
goal MullerTheory_m_ensures_default_po_17:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  ("JC_100":
  ("JC_96": (0 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))))

========== file tests/java/why/MullerTheory_po19.why ==========
goal MullerTheory_m_ensures_default_po_18:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  ("JC_100": ("JC_97": (0 <= count0)))

========== file tests/java/why/MullerTheory_po2.why ==========
goal MullerTheory_m_ensures_default_po_1:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  ("JC_89": ("JC_84": (0 <= 0)))

========== file tests/java/why/MullerTheory_po20.why ==========
goal MullerTheory_m_ensures_default_po_19:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  ("JC_100": ("JC_98": (count0 <= 0)))

========== file tests/java/why/MullerTheory_po21.why ==========
goal MullerTheory_m_ensures_default_po_20:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  ("JC_100":
  ("JC_99": (count0 = num_of_pos(0, (0 - 1), t_4, intM_intP_t_4_10))))

========== file tests/java/why/MullerTheory_po22.why ==========
goal MullerTheory_m_ensures_default_po_21:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100": ("JC_95": (0 <= i_5_0)))

========== file tests/java/why/MullerTheory_po23.why ==========
goal MullerTheory_m_ensures_default_po_22:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100":
  ("JC_96": (i_5_0 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))))

========== file tests/java/why/MullerTheory_po24.why ==========
goal MullerTheory_m_ensures_default_po_23:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100": ("JC_97": (0 <= count2)))

========== file tests/java/why/MullerTheory_po25.why ==========
goal MullerTheory_m_ensures_default_po_24:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100": ("JC_98": (count2 <= i_5_0)))

========== file tests/java/why/MullerTheory_po26.why ==========
goal MullerTheory_m_ensures_default_po_25:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100":
  ("JC_99": (count2 = num_of_pos(0, (i_5_0 - 1), t_4, intM_intP_t_4_10))))

========== file tests/java/why/MullerTheory_po27.why ==========
goal MullerTheory_m_ensures_default_po_26:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100": ("JC_95": (0 <= i_5_0)))

========== file tests/java/why/MullerTheory_po28.why ==========
goal MullerTheory_m_ensures_default_po_27:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100":
  ("JC_96": (i_5_0 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))))

========== file tests/java/why/MullerTheory_po29.why ==========
goal MullerTheory_m_ensures_default_po_28:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100": ("JC_97": (0 <= count1)))

========== file tests/java/why/MullerTheory_po3.why ==========
goal MullerTheory_m_ensures_default_po_2:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  ("JC_89":
  ("JC_85": (0 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))))

========== file tests/java/why/MullerTheory_po30.why ==========
goal MullerTheory_m_ensures_default_po_29:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100": ("JC_98": (count1 <= i_5_0)))

========== file tests/java/why/MullerTheory_po31.why ==========
goal MullerTheory_m_ensures_default_po_30:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100":
  ("JC_99": (count1 = num_of_pos(0, (i_5_0 - 1), t_4, intM_intP_t_4_10))))

========== file tests/java/why/MullerTheory_po32.why ==========
goal MullerTheory_m_safety_po_1:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1))

========== file tests/java/why/MullerTheory_po33.why ==========
goal MullerTheory_m_safety_po_2:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  (offset_min(Object_t_4_10_alloc_table, t_4) <= i_4)

========== file tests/java/why/MullerTheory_po34.why ==========
goal MullerTheory_m_safety_po_3:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  (i_4 <= offset_max(Object_t_4_10_alloc_table, t_4))

========== file tests/java/why/MullerTheory_po35.why ==========
goal MullerTheory_m_safety_po_4:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_4) and
   (i_4 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  (0 <= ("JC_67": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_4)))

========== file tests/java/why/MullerTheory_po36.why ==========
goal MullerTheory_m_safety_po_5:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_4) and
   (i_4 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  (("JC_67": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_4_0)) < 
  ("JC_67": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_4)))

========== file tests/java/why/MullerTheory_po37.why ==========
goal MullerTheory_m_safety_po_6:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_4) and
   (i_4 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  (0 <= ("JC_67": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_4)))

========== file tests/java/why/MullerTheory_po38.why ==========
goal MullerTheory_m_safety_po_7:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_4) and
   (i_4 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  (("JC_67": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_4_0)) < 
  ("JC_67": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_4)))

========== file tests/java/why/MullerTheory_po39.why ==========
goal MullerTheory_m_safety_po_8:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0)

========== file tests/java/why/MullerTheory_po4.why ==========
goal MullerTheory_m_ensures_default_po_3:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  ("JC_89": ("JC_86": (0 <= 0)))

========== file tests/java/why/MullerTheory_po40.why ==========
goal MullerTheory_m_safety_po_9:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  (offset_min(Object_t_4_10_alloc_table, t_4) <= i_5)

========== file tests/java/why/MullerTheory_po41.why ==========
goal MullerTheory_m_safety_po_10:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))

========== file tests/java/why/MullerTheory_po42.why ==========
goal MullerTheory_m_safety_po_11:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  (offset_min(Object_MullerTheory_m_12_alloc_table0, result0) <= count1)

========== file tests/java/why/MullerTheory_po43.why ==========
goal MullerTheory_m_safety_po_12:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  (count1 <= offset_max(Object_MullerTheory_m_12_alloc_table0, result0))

========== file tests/java/why/MullerTheory_po44.why ==========
goal MullerTheory_m_safety_po_13:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  ((offset_min(Object_MullerTheory_m_12_alloc_table0, result0) <= count1) and
   (count1 <= offset_max(Object_MullerTheory_m_12_alloc_table0, result0))) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (0 <= ("JC_83": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_5)))

========== file tests/java/why/MullerTheory_po45.why ==========
goal MullerTheory_m_safety_po_14:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  ((offset_min(Object_MullerTheory_m_12_alloc_table0, result0) <= count1) and
   (count1 <= offset_max(Object_MullerTheory_m_12_alloc_table0, result0))) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (("JC_83": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_5_0)) < 
  ("JC_83": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_5)))

========== file tests/java/why/MullerTheory_po46.why ==========
goal MullerTheory_m_safety_po_15:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (0 <= ("JC_83": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_5)))

========== file tests/java/why/MullerTheory_po47.why ==========
goal MullerTheory_m_safety_po_16:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (("JC_83": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_5_0)) < 
  ("JC_83": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_5)))

========== file tests/java/why/MullerTheory_po5.why ==========
goal MullerTheory_m_ensures_default_po_4:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  ("JC_89": ("JC_87": (0 <= 0)))

========== file tests/java/why/MullerTheory_po6.why ==========
goal MullerTheory_m_ensures_default_po_5:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  ("JC_89": ("JC_88": (0 = num_of_pos(0, (0 - 1), t_4, intM_intP_t_4_10))))

========== file tests/java/why/MullerTheory_po7.why ==========
goal MullerTheory_m_ensures_default_po_6:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89": ("JC_84": (0 <= i_4_0)))

========== file tests/java/why/MullerTheory_po8.why ==========
goal MullerTheory_m_ensures_default_po_7:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89":
  ("JC_85": (i_4_0 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))))

========== file tests/java/why/MullerTheory_po9.why ==========
goal MullerTheory_m_ensures_default_po_8:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89": ("JC_86": (0 <= count0)))

========== generation of Simplify VC output ==========
why -simplify [...] why/MullerTheory.why
========== file tests/java/simplify/MullerTheory_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom MullerTheory_parenttag_Object
 (EQ (parenttag MullerTheory_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_1 Object_x_2_alloc_table)
  (>= (offset_max Object_x_2_alloc_table x_1) 0))

(DEFPRED (Non_null_intM x_0 Object_x_1_alloc_table)
  (>= (offset_max Object_x_1_alloc_table x_0) (- 0 1)))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom intM_parenttag_Object
 (EQ (parenttag intM_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_MullerTheory p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_intM p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_MullerTheory p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_intM p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_MullerTheory p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_intM p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_MullerTheory p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_intM p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom num_of_pos_false_case
 (FORALL (intM_intP_t_8_at_L i_2 j_2 k_0 t_2)
 (IMPLIES
 (AND (<= i_2 j_2) (NOT (> (select intM_intP_t_8_at_L (shift t_2 j_2)) 0)))
 (EQ (num_of_pos i_2 j_2 t_2 intM_intP_t_8_at_L)
 (num_of_pos i_2 (- j_2 1) t_2 intM_intP_t_8_at_L))))

 (FORALL (intM_intP_t_8_at_L i_2 j_2 t_2)
 (IMPLIES
 (AND (<= i_2 j_2) (NOT (> (select intM_intP_t_8_at_L (shift t_2 j_2)) 0)))
 (FORALL (k_0)
 (EQ (num_of_pos i_2 j_2 t_2 intM_intP_t_8_at_L)
 (num_of_pos i_2 (- j_2 1) t_2 intM_intP_t_8_at_L))))))

(BG_PUSH
 ;; Why axiom num_of_pos_true_case
 (FORALL (intM_intP_t_8_at_L i_1 j_1 k t_1)
 (IMPLIES
 (AND (<= i_1 j_1) (> (select intM_intP_t_8_at_L (shift t_1 j_1)) 0))
 (EQ (num_of_pos i_1 j_1 t_1 intM_intP_t_8_at_L)
 (+ (num_of_pos i_1 (- j_1 1) t_1 intM_intP_t_8_at_L) 1))))

 (FORALL (intM_intP_t_8_at_L i_1 j_1 t_1)
 (IMPLIES
 (AND (<= i_1 j_1) (> (select intM_intP_t_8_at_L (shift t_1 j_1)) 0))
 (FORALL (k)
 (EQ (num_of_pos i_1 j_1 t_1 intM_intP_t_8_at_L)
 (+ (num_of_pos i_1 (- j_1 1) t_1 intM_intP_t_8_at_L) 1))))))

(BG_PUSH
 ;; Why axiom num_of_pos_empty
 (FORALL (intM_intP_t_8_at_L i_0 j_0 t_0)
 (IMPLIES (> i_0 j_0) (EQ (num_of_pos i_0 j_0 t_0 intM_intP_t_8_at_L) 0)))

 (FORALL (i_0 j_0)
 (IMPLIES (> i_0 j_0)
 (FORALL (intM_intP_t_8_at_L t_0)
 (EQ (num_of_pos i_0 j_0 t_0 intM_intP_t_8_at_L) 0)))))

;; num_of_pos_strictly_increasing, File "HOME/tests/java/MullerTheory.java", line 39, characters 10-40
(FORALL (intM_intP_t_3_18_at_L i_3 j_3 k_1 l t_3)
(IMPLIES
(AND (< j_3 k_1)
(AND (<= k_1 l) (> (select intM_intP_t_3_18_at_L (shift t_3 k_1)) 0)))
(< (num_of_pos i_3 j_3 t_3 intM_intP_t_3_18_at_L) (num_of_pos
                                                  i_3 l t_3 intM_intP_t_3_18_at_L))))

(BG_PUSH
 ;; lemma num_of_pos_strictly_increasing as axiom
(FORALL (intM_intP_t_3_18_at_L i_3 j_3 k_1 l t_3)
(IMPLIES
(AND (< j_3 k_1)
(AND (<= k_1 l) (> (select intM_intP_t_3_18_at_L (shift t_3 k_1)) 0)))
(< (num_of_pos i_3 j_3 t_3 intM_intP_t_3_18_at_L) (num_of_pos
                                                  i_3 l t_3 intM_intP_t_3_18_at_L)))))

;; MullerTheory_m_ensures_default_po_1, File "HOME/tests/java/MullerTheory.java", line 53, characters 8-14
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(<= 0 0))))

;; MullerTheory_m_ensures_default_po_2, File "HOME/tests/java/MullerTheory.java", line 53, characters 13-26
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(<= 0 (+ (offset_max Object_t_4_10_alloc_table t_4) 1)))))

;; MullerTheory_m_ensures_default_po_3, File "HOME/tests/java/MullerTheory.java", line 54, characters 8-18
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(<= 0 0))))

;; MullerTheory_m_ensures_default_po_4, File "HOME/tests/java/MullerTheory.java", line 54, characters 13-23
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(<= 0 0))))

;; MullerTheory_m_ensures_default_po_5, File "HOME/tests/java/MullerTheory.java", line 55, characters 8-36
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(EQ 0 (num_of_pos 0 (- 0 1) t_4 intM_intP_t_4_10))))))

;; MullerTheory_m_ensures_default_po_6, File "HOME/tests/java/MullerTheory.java", line 53, characters 8-14
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (> result0 0)
(FORALL (count0)
(IMPLIES (EQ count0 (+ count 1))
(FORALL (i_4_0) (IMPLIES (EQ i_4_0 (+ i_4 1)) (<= 0 i_4_0))))))))))))))))))

;; MullerTheory_m_ensures_default_po_7, File "HOME/tests/java/MullerTheory.java", line 53, characters 13-26
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (> result0 0)
(FORALL (count0)
(IMPLIES (EQ count0 (+ count 1))
(FORALL (i_4_0)
(IMPLIES (EQ i_4_0 (+ i_4 1))
(<= i_4_0 (+ (offset_max Object_t_4_10_alloc_table t_4) 1)))))))))))))))))))

;; MullerTheory_m_ensures_default_po_8, File "HOME/tests/java/MullerTheory.java", line 54, characters 8-18
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (> result0 0)
(FORALL (count0)
(IMPLIES (EQ count0 (+ count 1))
(FORALL (i_4_0) (IMPLIES (EQ i_4_0 (+ i_4 1)) (<= 0 count0))))))))))))))))))

;; MullerTheory_m_ensures_default_po_9, File "HOME/tests/java/MullerTheory.java", line 54, characters 13-23
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (> result0 0)
(FORALL (count0)
(IMPLIES (EQ count0 (+ count 1))
(FORALL (i_4_0) (IMPLIES (EQ i_4_0 (+ i_4 1)) (<= count0 i_4_0))))))))))))))))))

;; MullerTheory_m_ensures_default_po_10, File "HOME/tests/java/MullerTheory.java", line 55, characters 8-36
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (> result0 0)
(FORALL (count0)
(IMPLIES (EQ count0 (+ count 1))
(FORALL (i_4_0)
(IMPLIES (EQ i_4_0 (+ i_4 1))
(EQ count0 (num_of_pos 0 (- i_4_0 1) t_4 intM_intP_t_4_10)))))))))))))))))))

;; MullerTheory_m_ensures_default_po_11, File "HOME/tests/java/MullerTheory.java", line 53, characters 8-14
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (<= result0 0)
(FORALL (i_4_0) (IMPLIES (EQ i_4_0 (+ i_4 1)) (<= 0 i_4_0))))))))))))))))

;; MullerTheory_m_ensures_default_po_12, File "HOME/tests/java/MullerTheory.java", line 53, characters 13-26
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (<= result0 0)
(FORALL (i_4_0)
(IMPLIES (EQ i_4_0 (+ i_4 1))
(<= i_4_0 (+ (offset_max Object_t_4_10_alloc_table t_4) 1)))))))))))))))))

;; MullerTheory_m_ensures_default_po_13, File "HOME/tests/java/MullerTheory.java", line 54, characters 8-18
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (<= result0 0)
(FORALL (i_4_0) (IMPLIES (EQ i_4_0 (+ i_4 1)) (<= 0 count))))))))))))))))

;; MullerTheory_m_ensures_default_po_14, File "HOME/tests/java/MullerTheory.java", line 54, characters 13-23
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (<= result0 0)
(FORALL (i_4_0) (IMPLIES (EQ i_4_0 (+ i_4 1)) (<= count i_4_0))))))))))))))))

;; MullerTheory_m_ensures_default_po_15, File "HOME/tests/java/MullerTheory.java", line 55, characters 8-36
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (<= result0 0)
(FORALL (i_4_0)
(IMPLIES (EQ i_4_0 (+ i_4 1))
(EQ count (num_of_pos 0 (- i_4_0 1) t_4 intM_intP_t_4_10)))))))))))))))))

;; MullerTheory_m_ensures_default_po_16, File "HOME/tests/java/MullerTheory.java", line 64, characters 8-14
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0) (IMPLIES (EQ count0 0) (<= 0 0))))))))))))))))))

;; MullerTheory_m_ensures_default_po_17, File "HOME/tests/java/MullerTheory.java", line 64, characters 13-26
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(<= 0 (+ (offset_max Object_t_4_10_alloc_table t_4) 1)))))))))))))))))))

;; MullerTheory_m_ensures_default_po_18, File "HOME/tests/java/MullerTheory.java", line 65, characters 8-18
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0) (IMPLIES (EQ count0 0) (<= 0 count0))))))))))))))))))

;; MullerTheory_m_ensures_default_po_19, File "HOME/tests/java/MullerTheory.java", line 65, characters 13-23
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0) (IMPLIES (EQ count0 0) (<= count0 0))))))))))))))))))

;; MullerTheory_m_ensures_default_po_20, File "HOME/tests/java/MullerTheory.java", line 66, characters 8-36
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(EQ count0 (num_of_pos 0 (- 0 1) t_4 intM_intP_t_4_10)))))))))))))))))))

;; MullerTheory_m_ensures_default_po_21, File "HOME/tests/java/MullerTheory.java", line 64, characters 8-14
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(FORALL (intM_intP_MullerTheory_m_12)
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (> result2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP_t_4_10 (shift t_4 i_5)))
(FORALL (count2)
(IMPLIES (EQ count2 (+ count1 1))
(FORALL (intM_intP_MullerTheory_m_12_0)
(IMPLIES (EQ intM_intP_MullerTheory_m_12_0
         (|why__store|
         intM_intP_MullerTheory_m_12 (shift result0 count1) result3))
(FORALL (i_5_0) (IMPLIES (EQ i_5_0 (+ i_5 1)) (<= 0 i_5_0))))))))))))))))))))))))))))))))))))

;; MullerTheory_m_ensures_default_po_22, File "HOME/tests/java/MullerTheory.java", line 64, characters 13-26
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(FORALL (intM_intP_MullerTheory_m_12)
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (> result2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP_t_4_10 (shift t_4 i_5)))
(FORALL (count2)
(IMPLIES (EQ count2 (+ count1 1))
(FORALL (intM_intP_MullerTheory_m_12_0)
(IMPLIES (EQ intM_intP_MullerTheory_m_12_0
         (|why__store|
         intM_intP_MullerTheory_m_12 (shift result0 count1) result3))
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(<= i_5_0 (+ (offset_max Object_t_4_10_alloc_table t_4) 1)))))))))))))))))))))))))))))))))))))

;; MullerTheory_m_ensures_default_po_23, File "HOME/tests/java/MullerTheory.java", line 65, characters 8-18
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(FORALL (intM_intP_MullerTheory_m_12)
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (> result2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP_t_4_10 (shift t_4 i_5)))
(FORALL (count2)
(IMPLIES (EQ count2 (+ count1 1))
(FORALL (intM_intP_MullerTheory_m_12_0)
(IMPLIES (EQ intM_intP_MullerTheory_m_12_0
         (|why__store|
         intM_intP_MullerTheory_m_12 (shift result0 count1) result3))
(FORALL (i_5_0) (IMPLIES (EQ i_5_0 (+ i_5 1)) (<= 0 count2))))))))))))))))))))))))))))))))))))

;; MullerTheory_m_ensures_default_po_24, File "HOME/tests/java/MullerTheory.java", line 65, characters 13-23
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(FORALL (intM_intP_MullerTheory_m_12)
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (> result2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP_t_4_10 (shift t_4 i_5)))
(FORALL (count2)
(IMPLIES (EQ count2 (+ count1 1))
(FORALL (intM_intP_MullerTheory_m_12_0)
(IMPLIES (EQ intM_intP_MullerTheory_m_12_0
         (|why__store|
         intM_intP_MullerTheory_m_12 (shift result0 count1) result3))
(FORALL (i_5_0) (IMPLIES (EQ i_5_0 (+ i_5 1)) (<= count2 i_5_0))))))))))))))))))))))))))))))))))))

;; MullerTheory_m_ensures_default_po_25, File "HOME/tests/java/MullerTheory.java", line 66, characters 8-36
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(FORALL (intM_intP_MullerTheory_m_12)
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (> result2 0)
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP_t_4_10 (shift t_4 i_5)))
(FORALL (count2)
(IMPLIES (EQ count2 (+ count1 1))
(FORALL (intM_intP_MullerTheory_m_12_0)
(IMPLIES (EQ intM_intP_MullerTheory_m_12_0
         (|why__store|
         intM_intP_MullerTheory_m_12 (shift result0 count1) result3))
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(EQ count2 (num_of_pos 0 (- i_5_0 1) t_4 intM_intP_t_4_10)))))))))))))))))))))))))))))))))))))

;; MullerTheory_m_ensures_default_po_26, File "HOME/tests/java/MullerTheory.java", line 64, characters 8-14
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (<= result2 0)
(FORALL (i_5_0) (IMPLIES (EQ i_5_0 (+ i_5 1)) (<= 0 i_5_0)))))))))))))))))))))))))))))

;; MullerTheory_m_ensures_default_po_27, File "HOME/tests/java/MullerTheory.java", line 64, characters 13-26
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (<= result2 0)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(<= i_5_0 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))))))))))))))))))))))))))))

;; MullerTheory_m_ensures_default_po_28, File "HOME/tests/java/MullerTheory.java", line 65, characters 8-18
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (<= result2 0)
(FORALL (i_5_0) (IMPLIES (EQ i_5_0 (+ i_5 1)) (<= 0 count1)))))))))))))))))))))))))))))

;; MullerTheory_m_ensures_default_po_29, File "HOME/tests/java/MullerTheory.java", line 65, characters 13-23
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (<= result2 0)
(FORALL (i_5_0) (IMPLIES (EQ i_5_0 (+ i_5 1)) (<= count1 i_5_0)))))))))))))))))))))))))))))

;; MullerTheory_m_ensures_default_po_30, File "HOME/tests/java/MullerTheory.java", line 66, characters 8-36
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (<= result2 0)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(EQ count1 (num_of_pos 0 (- i_5_0 1) t_4 intM_intP_t_4_10))))))))))))))))))))))))))))))

;; MullerTheory_m_safety_po_1, File "why/MullerTheory.why", line 679, characters 35-175
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))))))))))

;; MullerTheory_m_safety_po_2, File "HOME/tests/java/MullerTheory.java", line 58, characters 39-43
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result) (<= (offset_min Object_t_4_10_alloc_table t_4) i_4)))))))))))))

;; MullerTheory_m_safety_po_3, File "HOME/tests/java/MullerTheory.java", line 58, characters 39-43
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result) (<= i_4 (offset_max Object_t_4_10_alloc_table t_4))))))))))))))

;; MullerTheory_m_safety_po_4, File "HOME/tests/java/MullerTheory.java", line 56, characters 18-30
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_4)
         (<= i_4 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (> result0 0)
(FORALL (count0)
(IMPLIES (EQ count0 (+ count 1))
(FORALL (i_4_0)
(IMPLIES (EQ i_4_0 (+ i_4 1))
(<= 0 (- (+ (offset_max Object_t_4_10_alloc_table t_4) 1) i_4))))))))))))))))))))))

;; MullerTheory_m_safety_po_5, File "HOME/tests/java/MullerTheory.java", line 56, characters 18-30
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_4)
         (<= i_4 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (> result0 0)
(FORALL (count0)
(IMPLIES (EQ count0 (+ count 1))
(FORALL (i_4_0)
(IMPLIES (EQ i_4_0 (+ i_4 1))
(< (- (+ (offset_max Object_t_4_10_alloc_table t_4) 1) i_4_0) (- (+ (offset_max
                                                                    Object_t_4_10_alloc_table t_4) 1) i_4))))))))))))))))))))))

;; MullerTheory_m_safety_po_6, File "HOME/tests/java/MullerTheory.java", line 56, characters 18-30
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_4)
         (<= i_4 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (<= result0 0)
(FORALL (i_4_0)
(IMPLIES (EQ i_4_0 (+ i_4 1))
(<= 0 (- (+ (offset_max Object_t_4_10_alloc_table t_4) 1) i_4))))))))))))))))))))

;; MullerTheory_m_safety_po_7, File "HOME/tests/java/MullerTheory.java", line 56, characters 18-30
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_4 result)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_4)
         (<= i_4 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intM_intP_t_4_10 (shift t_4 i_4)))
(IMPLIES (<= result0 0)
(FORALL (i_4_0)
(IMPLIES (EQ i_4_0 (+ i_4 1))
(< (- (+ (offset_max Object_t_4_10_alloc_table t_4) 1) i_4_0) (- (+ (offset_max
                                                                    Object_t_4_10_alloc_table t_4) 1) i_4))))))))))))))))))))

;; MullerTheory_m_safety_po_8, File "HOME/tests/java/MullerTheory.java", line 60, characters 11-25
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result) (>= count 0)))))))))))))

;; MullerTheory_m_safety_po_9, File "HOME/tests/java/MullerTheory.java", line 70, characters 9-13
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(IMPLIES (>= count 0)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1) (<= (offset_min Object_t_4_10_alloc_table t_4) i_5)))))))))))))))))))))))))))))

;; MullerTheory_m_safety_po_10, File "HOME/tests/java/MullerTheory.java", line 70, characters 9-13
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(IMPLIES (>= count 0)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1) (<= i_5 (offset_max Object_t_4_10_alloc_table t_4))))))))))))))))))))))))))))))

;; MullerTheory_m_safety_po_11, File "HOME/tests/java/MullerTheory.java", line 70, characters 19-36
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(IMPLIES (>= count 0)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_5)
         (<= i_5 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (> result2 0)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_5)
         (<= i_5 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP_t_4_10 (shift t_4 i_5)))
(FORALL (count2)
(IMPLIES (EQ count2 (+ count1 1))
(<= (offset_min Object_MullerTheory_m_12_alloc_table0 result0) count1))))))))))))))))))))))))))))))))))))))

;; MullerTheory_m_safety_po_12, File "HOME/tests/java/MullerTheory.java", line 70, characters 19-36
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(IMPLIES (>= count 0)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_5)
         (<= i_5 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (> result2 0)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_5)
         (<= i_5 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP_t_4_10 (shift t_4 i_5)))
(FORALL (count2)
(IMPLIES (EQ count2 (+ count1 1))
(<= count1 (offset_max Object_MullerTheory_m_12_alloc_table0 result0)))))))))))))))))))))))))))))))))))))))

;; MullerTheory_m_safety_po_13, File "HOME/tests/java/MullerTheory.java", line 67, characters 18-30
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(IMPLIES (>= count 0)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(FORALL (intM_intP_MullerTheory_m_12)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_5)
         (<= i_5 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (> result2 0)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_5)
         (<= i_5 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP_t_4_10 (shift t_4 i_5)))
(FORALL (count2)
(IMPLIES (EQ count2 (+ count1 1))
(IMPLIES (AND
         (<= (offset_min Object_MullerTheory_m_12_alloc_table0 result0) count1)
         (<= count1 (offset_max
                    Object_MullerTheory_m_12_alloc_table0 result0)))
(FORALL (intM_intP_MullerTheory_m_12_0)
(IMPLIES (EQ intM_intP_MullerTheory_m_12_0
         (|why__store|
         intM_intP_MullerTheory_m_12 (shift result0 count1) result3))
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(<= 0 (- (+ (offset_max Object_t_4_10_alloc_table t_4) 1) i_5)))))))))))))))))))))))))))))))))))))))))))))

;; MullerTheory_m_safety_po_14, File "HOME/tests/java/MullerTheory.java", line 67, characters 18-30
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(IMPLIES (>= count 0)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(FORALL (intM_intP_MullerTheory_m_12)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_5)
         (<= i_5 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (> result2 0)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_5)
         (<= i_5 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result3)
(IMPLIES (EQ result3 (select intM_intP_t_4_10 (shift t_4 i_5)))
(FORALL (count2)
(IMPLIES (EQ count2 (+ count1 1))
(IMPLIES (AND
         (<= (offset_min Object_MullerTheory_m_12_alloc_table0 result0) count1)
         (<= count1 (offset_max
                    Object_MullerTheory_m_12_alloc_table0 result0)))
(FORALL (intM_intP_MullerTheory_m_12_0)
(IMPLIES (EQ intM_intP_MullerTheory_m_12_0
         (|why__store|
         intM_intP_MullerTheory_m_12 (shift result0 count1) result3))
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(< (- (+ (offset_max Object_t_4_10_alloc_table t_4) 1) i_5_0) (- (+ (offset_max
                                                                    Object_t_4_10_alloc_table t_4) 1) i_5)))))))))))))))))))))))))))))))))))))))))))))

;; MullerTheory_m_safety_po_15, File "HOME/tests/java/MullerTheory.java", line 67, characters 18-30
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(IMPLIES (>= count 0)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_5)
         (<= i_5 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (<= result2 0)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(<= 0 (- (+ (offset_max Object_t_4_10_alloc_table t_4) 1) i_5))))))))))))))))))))))))))))))))))))

;; MullerTheory_m_safety_po_16, File "HOME/tests/java/MullerTheory.java", line 67, characters 18-30
(FORALL (t_4)
(FORALL (Object_t_4_10_alloc_table)
(FORALL (intM_intP_t_4_10)
(FORALL (Object_MullerTheory_m_12_alloc_table)
(IMPLIES (AND (left_valid_struct_intM t_4 0 Object_t_4_10_alloc_table)
         (Non_null_intM t_4 Object_t_4_10_alloc_table))
(FORALL (count)
(FORALL (i_4)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_4)
         (AND (<= i_4 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count)
         (AND (<= count i_4)
         (EQ count (num_of_pos 0 (- i_4 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result)
(IMPLIES (AND (<= result constant_too_large_2147483647)
         (AND (>= result 0)
         (EQ result (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (>= i_4 result)
(IMPLIES (>= count 0)
(FORALL (result0)
(FORALL (Object_MullerTheory_m_12_alloc_table0)
(FORALL (Object_MullerTheory_m_12_tag_table)
(IMPLIES (AND
         (strict_valid_struct_intM
         result0 0 (- count 1) Object_MullerTheory_m_12_alloc_table0)
         (AND
         (EQ (alloc_extends
         Object_MullerTheory_m_12_alloc_table Object_MullerTheory_m_12_alloc_table0) |@true|)
         (AND
         (alloc_fresh Object_MullerTheory_m_12_alloc_table result0 count)
         (instanceof Object_MullerTheory_m_12_tag_table result0 intM_tag))))
(FORALL (count0)
(IMPLIES (EQ count0 0)
(FORALL (count1)
(FORALL (i_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_5)
         (AND (<= i_5 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))
         (AND (<= 0 count1)
         (AND (<= count1 i_5)
         (EQ count1 (num_of_pos 0 (- i_5 1) t_4 intM_intP_t_4_10))))))
(IMPLIES (>= (offset_max Object_t_4_10_alloc_table t_4) (- 0 1))
(FORALL (result1)
(IMPLIES (AND (<= result1 constant_too_large_2147483647)
         (AND (>= result1 0)
         (EQ result1 (+ (offset_max Object_t_4_10_alloc_table t_4) 1))))
(IMPLIES (< i_5 result1)
(IMPLIES (AND (<= (offset_min Object_t_4_10_alloc_table t_4) i_5)
         (<= i_5 (offset_max Object_t_4_10_alloc_table t_4)))
(FORALL (result2)
(IMPLIES (EQ result2 (select intM_intP_t_4_10 (shift t_4 i_5)))
(IMPLIES (<= result2 0)
(FORALL (i_5_0)
(IMPLIES (EQ i_5_0 (+ i_5 1))
(< (- (+ (offset_max Object_t_4_10_alloc_table t_4) 1) i_5_0) (- (+ (offset_max
                                                                    Object_t_4_10_alloc_table t_4) 1) i_5))))))))))))))))))))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/MullerTheory_why.sx  : ?.............................................. (46/0/1/0/0)
total   :  47
valid   :  46 ( 98%)
invalid :   0 (  0%)
unknown :   1 (  2%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/MullerTheory.why
========== file tests/java/why/MullerTheory_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type interface

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic MullerTheory_tag : Object tag_id

axiom MullerTheory_parenttag_Object: parenttag(MullerTheory_tag, Object_tag)

predicate Non_null_Object(x_1: Object pointer,
  Object_x_2_alloc_table: Object alloc_table) =
  (offset_max(Object_x_2_alloc_table, x_1) >= 0)

predicate Non_null_intM(x_0: Object pointer,
  Object_x_1_alloc_table: Object alloc_table) =
  (offset_max(Object_x_1_alloc_table, x_0) >= (-1))

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic intM_tag : Object tag_id

axiom intM_parenttag_Object: parenttag(intM_tag, Object_tag)

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_MullerTheory(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_intM(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic num_of_pos : int, int, Object pointer, (Object, int) memory -> int

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_MullerTheory(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_intM(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_MullerTheory(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_MullerTheory(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_intM(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom num_of_pos_false_case:
  (forall intM_intP_t_8_at_L:(Object, int) memory.
    (forall i_2:int.
      (forall j_2:int.
        (forall k_0:int.
          (forall t_2:Object pointer.
            (((i_2 <= j_2) and (not (select(intM_intP_t_8_at_L, shift(t_2,
              j_2)) > 0))) ->
             (num_of_pos(i_2, j_2, t_2, intM_intP_t_8_at_L) = num_of_pos(i_2,
             (j_2 - 1), t_2, intM_intP_t_8_at_L))))))))

axiom num_of_pos_true_case:
  (forall intM_intP_t_8_at_L:(Object, int) memory.
    (forall i_1:int.
      (forall j_1:int.
        (forall k:int.
          (forall t_1:Object pointer.
            (((i_1 <= j_1) and (select(intM_intP_t_8_at_L, shift(t_1,
              j_1)) > 0)) ->
             (num_of_pos(i_1, j_1, t_1,
             intM_intP_t_8_at_L) = (num_of_pos(i_1, (j_1 - 1), t_1,
             intM_intP_t_8_at_L) + 1))))))))

axiom num_of_pos_empty:
  (forall intM_intP_t_8_at_L:(Object, int) memory.
    (forall i_0:int.
      (forall j_0:int.
        (forall t_0:Object pointer.
          ((i_0 > j_0) -> (num_of_pos(i_0, j_0, t_0, intM_intP_t_8_at_L) = 0))))))

goal num_of_pos_strictly_increasing:
  (forall intM_intP_t_3_18_at_L:(Object, int) memory.
    (forall i_3:int.
      (forall j_3:int.
        (forall k_1:int.
          (forall l:int.
            (forall t_3:Object pointer.
              (((j_3 < k_1) and
                ((k_1 <= l) and (select(intM_intP_t_3_18_at_L, shift(t_3,
                 k_1)) > 0))) ->
               (num_of_pos(i_3, j_3, t_3,
               intM_intP_t_3_18_at_L) < num_of_pos(i_3, l, t_3,
               intM_intP_t_3_18_at_L)))))))))

axiom num_of_pos_strictly_increasing_as_axiom:
  (forall intM_intP_t_3_18_at_L:(Object, int) memory.
    (forall i_3:int.
      (forall j_3:int.
        (forall k_1:int.
          (forall l:int.
            (forall t_3:Object pointer.
              (((j_3 < k_1) and
                ((k_1 <= l) and (select(intM_intP_t_3_18_at_L, shift(t_3,
                 k_1)) > 0))) ->
               (num_of_pos(i_3, j_3, t_3,
               intM_intP_t_3_18_at_L) < num_of_pos(i_3, l, t_3,
               intM_intP_t_3_18_at_L)))))))))

goal MullerTheory_m_ensures_default_po_1:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  ("JC_89": ("JC_84": (0 <= 0)))

goal MullerTheory_m_ensures_default_po_2:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  ("JC_89":
  ("JC_85": (0 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))))

goal MullerTheory_m_ensures_default_po_3:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  ("JC_89": ("JC_86": (0 <= 0)))

goal MullerTheory_m_ensures_default_po_4:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  ("JC_89": ("JC_87": (0 <= 0)))

goal MullerTheory_m_ensures_default_po_5:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  ("JC_89": ("JC_88": (0 = num_of_pos(0, (0 - 1), t_4, intM_intP_t_4_10))))

goal MullerTheory_m_ensures_default_po_6:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89": ("JC_84": (0 <= i_4_0)))

goal MullerTheory_m_ensures_default_po_7:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89":
  ("JC_85": (i_4_0 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))))

goal MullerTheory_m_ensures_default_po_8:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89": ("JC_86": (0 <= count0)))

goal MullerTheory_m_ensures_default_po_9:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89": ("JC_87": (count0 <= i_4_0)))

goal MullerTheory_m_ensures_default_po_10:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89":
  ("JC_88": (count0 = num_of_pos(0, (i_4_0 - 1), t_4, intM_intP_t_4_10))))

goal MullerTheory_m_ensures_default_po_11:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89": ("JC_84": (0 <= i_4_0)))

goal MullerTheory_m_ensures_default_po_12:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89":
  ("JC_85": (i_4_0 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))))

goal MullerTheory_m_ensures_default_po_13:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89": ("JC_86": (0 <= count)))

goal MullerTheory_m_ensures_default_po_14:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89": ("JC_87": (count <= i_4_0)))

goal MullerTheory_m_ensures_default_po_15:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  ("JC_89":
  ("JC_88": (count = num_of_pos(0, (i_4_0 - 1), t_4, intM_intP_t_4_10))))

goal MullerTheory_m_ensures_default_po_16:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  ("JC_100": ("JC_95": (0 <= 0)))

goal MullerTheory_m_ensures_default_po_17:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  ("JC_100":
  ("JC_96": (0 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))))

goal MullerTheory_m_ensures_default_po_18:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  ("JC_100": ("JC_97": (0 <= count0)))

goal MullerTheory_m_ensures_default_po_19:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  ("JC_100": ("JC_98": (count0 <= 0)))

goal MullerTheory_m_ensures_default_po_20:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  ("JC_100":
  ("JC_99": (count0 = num_of_pos(0, (0 - 1), t_4, intM_intP_t_4_10))))

goal MullerTheory_m_ensures_default_po_21:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100": ("JC_95": (0 <= i_5_0)))

goal MullerTheory_m_ensures_default_po_22:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100":
  ("JC_96": (i_5_0 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))))

goal MullerTheory_m_ensures_default_po_23:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100": ("JC_97": (0 <= count2)))

goal MullerTheory_m_ensures_default_po_24:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100": ("JC_98": (count2 <= i_5_0)))

goal MullerTheory_m_ensures_default_po_25:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100":
  ("JC_99": (count2 = num_of_pos(0, (i_5_0 - 1), t_4, intM_intP_t_4_10))))

goal MullerTheory_m_ensures_default_po_26:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100": ("JC_95": (0 <= i_5_0)))

goal MullerTheory_m_ensures_default_po_27:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100":
  ("JC_96": (i_5_0 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))))

goal MullerTheory_m_ensures_default_po_28:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100": ("JC_97": (0 <= count1)))

goal MullerTheory_m_ensures_default_po_29:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100": ("JC_98": (count1 <= i_5_0)))

goal MullerTheory_m_ensures_default_po_30:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_89":
  (("JC_84": (0 <= i_4)) and
   (("JC_85": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_86": (0 <= count)) and
     (("JC_87": (count <= i_4)) and
      ("JC_88": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_100":
  (("JC_95": (0 <= i_5)) and
   (("JC_96": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_97": (0 <= count1)) and
     (("JC_98": (count1 <= i_5)) and
      ("JC_99": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  ("JC_100":
  ("JC_99": (count1 = num_of_pos(0, (i_5_0 - 1), t_4, intM_intP_t_4_10))))

goal MullerTheory_m_safety_po_1:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1))

goal MullerTheory_m_safety_po_2:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  (offset_min(Object_t_4_10_alloc_table, t_4) <= i_4)

goal MullerTheory_m_safety_po_3:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  (i_4 <= offset_max(Object_t_4_10_alloc_table, t_4))

goal MullerTheory_m_safety_po_4:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_4) and
   (i_4 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  (0 <= ("JC_67": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_4)))

goal MullerTheory_m_safety_po_5:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_4) and
   (i_4 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 > 0) ->
  forall count0:int.
  (count0 = (count + 1)) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  (("JC_67": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_4_0)) < 
  ("JC_67": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_4)))

goal MullerTheory_m_safety_po_6:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_4) and
   (i_4 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  (0 <= ("JC_67": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_4)))

goal MullerTheory_m_safety_po_7:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 < result) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_4) and
   (i_4 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result0:int.
  (result0 = select(intM_intP_t_4_10, shift(t_4, i_4))) ->
  (result0 <= 0) ->
  forall i_4_0:int.
  (i_4_0 = (i_4 + 1)) ->
  (("JC_67": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_4_0)) < 
  ("JC_67": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_4)))

goal MullerTheory_m_safety_po_8:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0)

goal MullerTheory_m_safety_po_9:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  (offset_min(Object_t_4_10_alloc_table, t_4) <= i_5)

goal MullerTheory_m_safety_po_10:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))

goal MullerTheory_m_safety_po_11:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  (offset_min(Object_MullerTheory_m_12_alloc_table0, result0) <= count1)

goal MullerTheory_m_safety_po_12:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  (count1 <= offset_max(Object_MullerTheory_m_12_alloc_table0, result0))

goal MullerTheory_m_safety_po_13:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  ((offset_min(Object_MullerTheory_m_12_alloc_table0, result0) <= count1) and
   (count1 <= offset_max(Object_MullerTheory_m_12_alloc_table0, result0))) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (0 <= ("JC_83": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_5)))

goal MullerTheory_m_safety_po_14:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  forall intM_intP_MullerTheory_m_12:(Object,
  int) memory.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 > 0) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result3:int.
  (result3 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  forall count2:int.
  (count2 = (count1 + 1)) ->
  ((offset_min(Object_MullerTheory_m_12_alloc_table0, result0) <= count1) and
   (count1 <= offset_max(Object_MullerTheory_m_12_alloc_table0, result0))) ->
  forall intM_intP_MullerTheory_m_12_0:(Object,
  int) memory.
  (intM_intP_MullerTheory_m_12_0 = store(intM_intP_MullerTheory_m_12,
  shift(result0, count1), result3)) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (("JC_83": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_5_0)) < 
  ("JC_83": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_5)))

goal MullerTheory_m_safety_po_15:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (0 <= ("JC_83": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_5)))

goal MullerTheory_m_safety_po_16:
  forall t_4:Object pointer.
  forall Object_t_4_10_alloc_table:Object alloc_table.
  forall intM_intP_t_4_10:(Object,
  int) memory.
  forall Object_MullerTheory_m_12_alloc_table:Object alloc_table.
  (left_valid_struct_intM(t_4, 0, Object_t_4_10_alloc_table) and
   ("JC_49": Non_null_intM(t_4, Object_t_4_10_alloc_table))) ->
  forall count:int.
  forall i_4:int.
  ("JC_62": true) ->
  ("JC_60":
  (("JC_55": (0 <= i_4)) and
   (("JC_56": (i_4 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_57": (0 <= count)) and
     (("JC_58": (count <= i_4)) and
      ("JC_59": (count = num_of_pos(0, (i_4 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result:int.
  ("JC_25":
  ((result <= 2147483647) and
   ((result >= 0) and (result = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_4 >= result) ->
  (count >= 0) ->
  forall result0:Object pointer.
  forall Object_MullerTheory_m_12_alloc_table0:Object alloc_table.
  forall Object_MullerTheory_m_12_tag_table:Object tag_table.
  (strict_valid_struct_intM(result0, 0, (count - 1),
   Object_MullerTheory_m_12_alloc_table0) and
   (alloc_extends(Object_MullerTheory_m_12_alloc_table,
    Object_MullerTheory_m_12_alloc_table0) and
    (alloc_fresh(Object_MullerTheory_m_12_alloc_table, result0, count) and
     instanceof(Object_MullerTheory_m_12_tag_table, result0, intM_tag)))) ->
  forall count0:int.
  (count0 = 0) ->
  forall count1:int.
  forall i_5:int.
  ("JC_76": true) ->
  ("JC_74":
  (("JC_69": (0 <= i_5)) and
   (("JC_70": (i_5 <= (offset_max(Object_t_4_10_alloc_table, t_4) + 1))) and
    (("JC_71": (0 <= count1)) and
     (("JC_72": (count1 <= i_5)) and
      ("JC_73": (count1 = num_of_pos(0, (i_5 - 1), t_4, intM_intP_t_4_10)))))))) ->
  (offset_max(Object_t_4_10_alloc_table, t_4) >= (-1)) ->
  forall result1:int.
  ("JC_25":
  ((result1 <= 2147483647) and
   ((result1 >= 0) and (result1 = (offset_max(Object_t_4_10_alloc_table,
    t_4) + 1))))) ->
  (i_5 < result1) ->
  ((offset_min(Object_t_4_10_alloc_table, t_4) <= i_5) and
   (i_5 <= offset_max(Object_t_4_10_alloc_table, t_4))) ->
  forall result2:int.
  (result2 = select(intM_intP_t_4_10, shift(t_4, i_5))) ->
  (result2 <= 0) ->
  forall i_5_0:int.
  (i_5_0 = (i_5 + 1)) ->
  (("JC_83": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_5_0)) < 
  ("JC_83": ((offset_max(Object_t_4_10_alloc_table, t_4) + 1) - i_5)))

why-2.34/tests/java/oracle/TreeMax.res.oracle0000644000175000017500000067373612311670312017517 0ustar  rtusers========== file tests/java/TreeMax.java ==========

//@+ TerminationPolicy = user

/*@ axiomatic integer_max {
  @   logic integer max(integer x, integer y);
  @   axiom max_is_ge : \forall integer x y; max(x,y) >= x && max(x,y) >= y;
  @   axiom max_is_some : \forall integer x y; max(x,y) == x || max(x,y) == y;
  @ }
  @*/

class Int {
    //@ ensures \result == max(x,y);
    public static int max(int x, int y);
}

/*@ axiomatic Mem {
  @   predicate mem{L}(int x, Tree t);
  @   axiom mem_null{L}: \forall int x; ! mem(x,null);
  @   axiom mem_root{L}: \forall Tree t; t != null ==>
  @     mem(t.value,t);
  @   axiom mem_root_eq{L}: \forall int x, Tree t; t != null ==>
  @     x==t.value ==> mem(x,t);
  @   axiom mem_left{L}: \forall int x, Tree t; t != null ==>
  @     mem(x,t.left) ==> mem(x,t);
  @   axiom mem_right{L}: \forall int x, Tree t; t != null ==>
  @     mem(x,t.right) ==> mem(x,t);
  @   axiom mem_inversion{L}: \forall int x, Tree t;
  @     mem(x,t) ==> t != null &&
  @       (x==t.value || mem(x,t.left) || mem(x,t.right));
  @ }
  @*/

/* attempt to prove termination, not succesful yet */
/* axiomatic Finite {
  @   predicate has_size{L}(Tree t, integer s);
  @   axiom has_size_null{L}: has_size(null,0);
  @   axiom has_size_non_null{L}: \forall Tree t; t != null ==>
  @     \forall integer s1 s2;
  @     has_size(t.left,s1) && has_size(t.right,s2) ==>
  @     has_size(t,s1+s2+1) ;
  @   axiom has_size_inversion{L}: \forall Tree t, integer s;
  @     has_size(t,s) ==>
  @       (t == null && s == 0) ||
  @       (t != null && \exists integer s1 s2;
  @            has_size(t.left,s1) && has_size(t.right,s2) &&
  @            0 <= s1 && 0 <= s2 && s == s1+s2+1) ;
  @   predicate size_decreases{L}(Tree t1, Tree t2) =
  @     \exists integer s1 s2; has_size(t1,s1) && has_size(t2,s2) && s1 > s2;
  @ }
  @*/

class Tree {

    int value;
    Tree left;
    Tree right;

    /*@ // requires \exists integer s; has_size(this,s);
      @ // decreases this for size_decreases;
      @ ensures mem(\result,this) &&
      @   \forall int x; mem(x,this) ==> \result >= x;
      @*/
    int tree_max() {
        int m = value;
        if (left != null) m = Int.max(m,left.tree_max());
        if (right != null) m = Int.max(m,right.tree_max());
        return m;
    }

}

========== krakatoa execution ==========
Parsing OK.
Typing OK.
Generating JC function cons_Int for constructor Int
Generating JC function Object_equals for method Object.equals
Generating JC function Object_notify for method Object.notify
Generating JC function Object_registerNatives for method Object.registerNatives
Generating JC function Object_hashCode for method Object.hashCode
Generating JC function Object_wait_long_int for method Object.wait
Generating JC function Object_toString for method Object.toString
Generating JC function Object_notifyAll for method Object.notifyAll
Generating JC function cons_Object for constructor Object
Generating JC function Int_max for method Int.max
Generating JC function Tree_tree_max for method Tree.tree_max
Generating JC function Object_clone for method Object.clone
Generating JC function Object_wait_long for method Object.wait
Generating JC function Object_finalize for method Object.finalize
Generating JC function Object_wait for method Object.wait
Generating JC function cons_Tree for constructor Tree
Done.
========== file tests/java/TreeMax.jc ==========
# InvariantPolicy = Arguments
# TerminationPolicy = user
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = None

type byte = -128..127

type short = -32768..32767

type int32 = -2147483648..2147483647

type long = -9223372036854775808..9223372036854775807

type char = 0..65535

predicate Non_null_Object{Here}(Object[0..] x) =
(\offset_max(x) >= 0)

String[0..] any_string()
;

tag String = Object with {
}

tag Int = Object with {
}

tag Tree = Object with {
  int32 value; 
  Tree[0..] left; 
  Tree[0..] right;
}

tag Throwable = Object with {
}

tag Object = {
}

tag Exception = Object with {
}

type Object = [Object]

type interface = [interface]

tag interface = {
}

boolean non_null_Object(! Object[0..] x)
behavior normal:
  ensures (if \result then (\offset_max(x) == 0) else (x == null));
;

axiomatic Mem {

  predicate mem{L}(int32 x_3, Tree[0..] t)
   
  axiom mem_inversion{L} :
  (\forall int32 x_8;
    (\forall Tree[0] t_4;
      (mem{L}(x_8, t_4) ==>
        (Non_null_Object(t_4) &&
          (((x_8 == t_4.value) || mem{L}(x_8, t_4.left)) ||
            mem{L}(x_8, t_4.right))))))
   
  axiom mem_right{L} :
  (\forall int32 x_7;
    (\forall Tree[0] t_3;
      (Non_null_Object(t_3) ==>
        (mem{L}(x_7, t_3.right) ==> mem{L}(x_7, t_3)))))
   
  axiom mem_left{L} :
  (\forall int32 x_6;
    (\forall Tree[0] t_2;
      (Non_null_Object(t_2) ==> (mem{L}(x_6, t_2.left) ==> mem{L}(x_6, t_2)))))
   
  axiom mem_root_eq{L} :
  (\forall int32 x_5;
    (\forall Tree[0] t_1;
      (Non_null_Object(t_1) ==> ((x_5 == t_1.value) ==> mem{L}(x_5, t_1)))))
   
  axiom mem_root{L} :
  (\forall Tree[0] t_0;
    (Non_null_Object(t_0) ==> mem{L}(t_0.value, t_0)))
   
  axiom mem_null{L} :
  (\forall int32 x_4;
    (! mem{L}(x_4, null)))
  
}

axiomatic integer_max {

  logic integer max(integer x, integer y)
   
  axiom max_is_some :
  (\forall integer x_1;
    (\forall integer y_1;
      ((max(x_1, y_1) == x_1) || (max(x_1, y_1) == y_1))))
   
  axiom max_is_ge :
  (\forall integer x_0;
    (\forall integer y_0;
      ((max(x_0, y_0) >= x_0) && (max(x_0, y_0) >= y_0))))
  
}

exception Exception of Exception[0..]

exception Throwable of Throwable[0..]

unit cons_Int(! Int[0] this_0){()}

boolean Object_equals(Object[0] this_5, Object[0..] obj)
;

unit Object_notify(Object[0] this_6)
;

unit Object_registerNatives()
;

int32 Object_hashCode(Object[0] this_7)
;

unit Object_wait_long_int(Object[0] this_8, long timeout_0, int32 nanos)
;

String[0..] Object_toString(Object[0] this_9)
;

unit Object_notifyAll(Object[0] this_10)
;

unit cons_Object(! Object[0] this_15){()}

int32 Int_max(int32 x_2, int32 y_2)
behavior default:
  ensures (K_1 : (\result == max(x_2, y_2)));
;

int32 Tree_tree_max(Tree[0] this_2)
behavior default:
  ensures (K_4 : ((K_3 : mem{Here}(\result, this_2)) &&
                   (K_2 : (\forall int32 x_9;
                            (mem{Here}(x_9, this_2) ==> (\result >= x_9))))));
{  
   {  
      (var int32 m = (K_13 : this_2.value));
      
      {  (if non_null_Object((K_8 : this_2.left)) then (m = (K_7 : Int_max(
                                                            m,
                                                            (K_6 : Tree_tree_max(
                                                            (K_5 : this_2.left)))))) else ());
         (if non_null_Object((K_12 : this_2.right)) then (m = (K_11 : Int_max(
                                                              m,
                                                              (K_10 : Tree_tree_max(
                                                              (K_9 : this_2.right)))))) else ());
         
         (return m)
      }
   }
}

Object[0..] Object_clone(Object[0] this_11)
;

unit Object_wait_long(Object[0] this_12, long timeout)
;

unit Object_finalize(Object[0] this_13)
;

unit Object_wait(Object[0] this_14)
;

unit cons_Tree(! Tree[0] this_4)
{  (this_4.value = 0);
   (this_4.left = null);
   (this_4.right = null)
}

/*
Local Variables:
mode: java
compile-command: "jessie -why-opt -split-user-conj -locs tests/java/TreeMax.jloc tests/java/TreeMax.jc && make -f tests/java/TreeMax.makefile gui"
End:
*/
========== file tests/java/TreeMax.jloc ==========
[cons_Tree]
name = "Constructor of class Tree"
file = "HOME/"
line = 0
begin = -1
end = -1

[Object_wait_long]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[K_11]
file = "HOME/tests/java/TreeMax.java"
line = 66
begin = 31
end = 58

[mem_left]
name = "Lemma mem_left"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_13]
file = "HOME/tests/java/TreeMax.java"
line = 64
begin = 16
end = 21

[max_is_some]
name = "Lemma max_is_some"
file = "HOME/"
line = 0
begin = 0
end = 0

[Object_finalize]
name = "Method finalize"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[K_9]
file = "HOME/tests/java/TreeMax.java"
line = 66
begin = 41
end = 46

[Object_wait]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[Object_notify]
name = "Method notify"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[Object_clone]
name = "Method clone"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[cons_Object]
name = "Constructor of class Object"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_1]
file = "HOME/tests/java/TreeMax.java"
line = 12
begin = 16
end = 35

[Int_max]
name = "Method max"
file = "HOME/tests/java/TreeMax.java"
line = 13
begin = 22
end = 25

[K_4]
file = "HOME/tests/java/TreeMax.java"
line = 60
begin = 16
end = 90

[K_12]
file = "HOME/tests/java/TreeMax.java"
line = 66
begin = 12
end = 17

[Object_wait_long_int]
name = "Method wait"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[Object_registerNatives]
name = "Method registerNatives"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[mem_root]
name = "Lemma mem_root"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_2]
file = "HOME/tests/java/TreeMax.java"
line = 61
begin = 10
end = 53

[mem_null]
name = "Lemma mem_null"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_10]
file = "HOME/tests/java/TreeMax.java"
line = 66
begin = 41
end = 57

[K_6]
file = "HOME/tests/java/TreeMax.java"
line = 65
begin = 40
end = 55

[cons_Int]
name = "Constructor of class Int"
file = "HOME/"
line = 0
begin = -1
end = -1

[K_8]
file = "HOME/tests/java/TreeMax.java"
line = 65
begin = 12
end = 16

[K_3]
file = "HOME/tests/java/TreeMax.java"
line = 60
begin = 16
end = 33

[max_is_ge]
name = "Lemma max_is_ge"
file = "HOME/"
line = 0
begin = 0
end = 0

[mem_inversion]
name = "Lemma mem_inversion"
file = "HOME/"
line = 0
begin = 0
end = 0

[Tree_tree_max]
name = "Method tree_max"
file = "HOME/tests/java/TreeMax.java"
line = 63
begin = 8
end = 16

[Object_notifyAll]
name = "Method notifyAll"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[mem_root_eq]
name = "Lemma mem_root_eq"
file = "HOME/"
line = 0
begin = 0
end = 0

[mem_right]
name = "Lemma mem_right"
file = "HOME/"
line = 0
begin = 0
end = 0

[K_5]
file = "HOME/tests/java/TreeMax.java"
line = 65
begin = 40
end = 44

[Object_equals]
name = "Method equals"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[K_7]
file = "HOME/tests/java/TreeMax.java"
line = 65
begin = 30
end = 56

[Object_hashCode]
name = "Method hashCode"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[Object_toString]
name = "Method toString"
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

========== jessie execution ==========
Generating Why function cons_Int
Generating Why function cons_Object
Generating Why function Tree_tree_max
Generating Why function cons_Tree
========== file tests/java/TreeMax.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs TreeMax.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs TreeMax.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/TreeMax_why.sx

project: why/TreeMax.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/TreeMax_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/TreeMax_why.vo

coq/TreeMax_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/TreeMax_why.v: why/TreeMax.why
	@echo 'why -coq [...] why/TreeMax.why' && $(WHY) $(JESSIELIBFILES) why/TreeMax.why && rm -f coq/jessie_why.v

coq-goals: goals coq/TreeMax_ctx_why.vo
	for f in why/*_po*.why; do make -f TreeMax.makefile coq/`basename $$f .why`_why.v ; done

coq/TreeMax_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/TreeMax_ctx_why.v: why/TreeMax_ctx.why
	@echo 'why -coq [...] why/TreeMax_ctx.why' && $(WHY) why/TreeMax_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export TreeMax_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/TreeMax_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/TreeMax_ctx_why.vo

pvs: pvs/TreeMax_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/TreeMax_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/TreeMax_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/TreeMax_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/TreeMax_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/TreeMax_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/TreeMax_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/TreeMax_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/TreeMax_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/TreeMax_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/TreeMax_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/TreeMax_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/TreeMax_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/TreeMax_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/TreeMax_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: TreeMax.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/TreeMax_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: TreeMax.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: TreeMax.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: TreeMax.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include TreeMax.depend

depend: coq/TreeMax_why.v
	-$(COQDEP) -I coq coq/TreeMax*_why.v > TreeMax.depend

clean:
	rm -f coq/*.vo

========== file tests/java/TreeMax.loc ==========
[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Tree_safety]
name = "Constructor of class Tree"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
file = "HOME/"
line = 0
begin = -1
end = -1

[Tree_tree_max_safety]
name = "Method tree_max"
behavior = "Safety"
file = "HOME/tests/java/TreeMax.java"
line = 63
begin = 8
end = 16

[JC_151]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_45]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_123]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 66
begin = 41
end = 57

[JC_106]
file = "HOME/tests/java/TreeMax.java"
line = 60
begin = 16
end = 33

[JC_143]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_113]
kind = IndexBounds
file = "HOME/tests/java/TreeMax.java"
line = 65
begin = 40
end = 55

[JC_116]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 66
begin = 41
end = 57

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[mem_left]
name = "Lemma mem_left"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[max_is_some]
name = "Lemma max_is_some"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[cons_Object_ensures_default]
name = "Constructor of class Object"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/tests/java/TreeMax.java"
line = 63
begin = 8
end = 16

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Int_ensures_default]
name = "Constructor of class Int"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/java/TreeMax.jc"
line = 53
begin = 11
end = 65

[JC_122]
kind = UserCall
file = "HOME/tests/java/TreeMax.jc"
line = 157
begin = 13
end = 51

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 65
begin = 30
end = 56

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_67]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_9]
file = "HOME/tests/java/TreeMax.jc"
line = 51
begin = 8
end = 23

[JC_75]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[mem_root]
name = "Lemma mem_root"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_130]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_163]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_153]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/java/TreeMax.jc"
line = 51
begin = 8
end = 23

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/tests/java/TreeMax.java"
line = 61
begin = 10
end = 53

[JC_91]
file = "HOME/tests/java/TreeMax.java"
line = 13
begin = 22
end = 25

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 65
begin = 40
end = 55

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_162]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_135]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 333
begin = 29
end = 33

[JC_83]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[mem_null]
name = "Lemma mem_null"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[JC_115]
kind = UserCall
file = "HOME/tests/java/TreeMax.jc"
line = 157
begin = 13
end = 51

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/tests/java/TreeMax.java"
line = 61
begin = 10
end = 53

[JC_69]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 207
begin = 18
end = 26

[JC_124]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 66
begin = 31
end = 58

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_156]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 184
begin = 28
end = 33

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[Tree_tree_max_ensures_default]
name = "Method tree_max"
behavior = "default behavior"
file = "HOME/tests/java/TreeMax.java"
line = 63
begin = 8
end = 16

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_155]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/"
line = 0
begin = -1
end = -1

[max_is_ge]
name = "Lemma max_is_ge"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_101]
file = "HOME/tests/java/TreeMax.java"
line = 63
begin = 8
end = 16

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_103]
file = "HOME/tests/java/TreeMax.java"
line = 60
begin = 16
end = 33

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 481
begin = 19
end = 27

[JC_61]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[mem_inversion]
name = "Lemma mem_inversion"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_118]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 66
begin = 31
end = 58

[JC_105]
file = "HOME/tests/java/TreeMax.java"
line = 60
begin = 16
end = 90

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 122
begin = 19
end = 25

[cons_Tree_ensures_default]
name = "Constructor of class Tree"
behavior = "default behavior"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Object_safety]
name = "Constructor of class Object"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/tests/java/TreeMax.java"
line = 12
begin = 16
end = 35

[JC_43]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 22
begin = 31
end = 46

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/java/TreeMax.java"
line = 12
begin = 16
end = 35

[JC_93]
file = "HOME/tests/java/TreeMax.java"
line = 13
begin = 22
end = 25

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[cons_Int_safety]
name = "Constructor of class Int"
behavior = "Safety"
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_160]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_128]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 65
begin = 30
end = 56

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[mem_root_eq]
name = "Lemma mem_root_eq"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
kind = IndexBounds
file = "HOME/tests/java/TreeMax.java"
line = 66
begin = 41
end = 57

[JC_90]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 74
begin = 22
end = 30

[JC_157]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 430
begin = 22
end = 26

[JC_111]
kind = UserCall
file = "HOME/tests/java/TreeMax.jc"
line = 153
begin = 13
end = 49

[JC_77]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 267
begin = 29
end = 38

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/java/TreeMax.jc"
line = 20
begin = 12
end = 22

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_37]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 243
begin = 29
end = 35

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[mem_right]
name = "Lemma mem_right"
behavior = "axiom"
file = "HOME/"
line = 0
begin = 0
end = 0

[JC_108]
file = "HOME/tests/java/TreeMax.java"
line = 60
begin = 16
end = 90

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_161]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_146]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_136]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/lib/java_api/java/lang/Object.java"
line = 386
begin = 22
end = 26

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/java/TreeMax.jc"
line = 53
begin = 11
end = 65

[JC_3]
file = "HOME/tests/java/TreeMax.jc"
line = 20
begin = 12
end = 22

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_152]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_139]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
kind = UserCall
file = "HOME/tests/java/TreeMax.jc"
line = 153
begin = 13
end = 49

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
kind = UserCall
file = "HOME/tests/java/TreeMax.java"
line = 65
begin = 40
end = 55

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/java/why/TreeMax.why ==========
type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag:  -> Object tag_id

logic Object_tag:  -> Object tag_id

axiom Exception_parenttag_Object : parenttag(Exception_tag, Object_tag)

logic Int_tag:  -> Object tag_id

axiom Int_parenttag_Object : parenttag(Int_tag, Object_tag)

predicate Non_null_Object(x_0:Object pointer,
 Object_alloc_table:Object alloc_table) =
 ge_int(offset_max(Object_alloc_table, x_0), (0))

axiom Object_int : (int_of_tag(Object_tag) = (1))

logic Object_of_pointer_address: unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr :
 (forall p:Object pointer.
  (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom : parenttag(Object_tag, bottom_tag)

axiom Object_tags :
 (forall x:Object pointer.
  (forall Object_tag_table:Object tag_table.
   instanceof(Object_tag_table, x, Object_tag)))

logic String_tag:  -> Object tag_id

axiom String_parenttag_Object : parenttag(String_tag, Object_tag)

logic Throwable_tag:  -> Object tag_id

axiom Throwable_parenttag_Object : parenttag(Throwable_tag, Object_tag)

logic Tree_tag:  -> Object tag_id

axiom Tree_parenttag_Object : parenttag(Tree_tag, Object_tag)

logic integer_of_byte: byte -> int

logic byte_of_integer: int -> byte

axiom byte_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_byte(byte_of_integer(x)), x)))

axiom byte_extensionality :
 (forall x:byte.
  (forall y:byte[eq_int(integer_of_byte(x), integer_of_byte(y))].
   (eq_int(integer_of_byte(x), integer_of_byte(y)) -> (x = y))))

axiom byte_range :
 (forall x:byte.
  (le_int((-128), integer_of_byte(x)) and le_int(integer_of_byte(x), (127))))

logic integer_of_char: char -> int

logic char_of_integer: int -> char

axiom char_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (65535))) ->
   eq_int(integer_of_char(char_of_integer(x)), x)))

axiom char_extensionality :
 (forall x:char.
  (forall y:char[eq_int(integer_of_char(x), integer_of_char(y))].
   (eq_int(integer_of_char(x), integer_of_char(y)) -> (x = y))))

axiom char_range :
 (forall x:char.
  (le_int((0), integer_of_char(x)) and le_int(integer_of_char(x), (65535))))

predicate eq_byte(x:byte, y:byte) =
 eq_int(integer_of_byte(x), integer_of_byte(y))

predicate eq_char(x:char, y:char) =
 eq_int(integer_of_char(x), integer_of_char(y))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_long: long -> int

predicate eq_long(x:long, y:long) =
 eq_int(integer_of_long(x), integer_of_long(y))

logic integer_of_short: short -> int

predicate eq_short(x:short, y:short) =
 eq_int(integer_of_short(x), integer_of_short(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic interface_tag:  -> interface tag_id

axiom interface_int : (int_of_tag(interface_tag) = (1))

logic interface_of_pointer_address: unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr :
 (forall p:interface pointer.
  (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom : parenttag(interface_tag, bottom_tag)

axiom interface_tags :
 (forall x:interface pointer.
  (forall interface_tag_table:interface tag_table.
   instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 (offset_min(Object_alloc_table, p) <= a)

predicate left_valid_struct_Exception(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Int(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_String(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Throwable(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_Tree(p:Object pointer, a:int,
 Object_alloc_table:Object alloc_table) =
 left_valid_struct_Object(p, a, Object_alloc_table)

predicate left_valid_struct_interface(p:interface pointer, a:int,
 interface_alloc_table:interface alloc_table) =
 (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer: int -> long

axiom long_coerce :
 (forall x:int.
  ((le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807))) ->
   eq_int(integer_of_long(long_of_integer(x)), x)))

axiom long_extensionality :
 (forall x:long.
  (forall y:long[eq_int(integer_of_long(x), integer_of_long(y))].
   (eq_int(integer_of_long(x), integer_of_long(y)) -> (x = y))))

axiom long_range :
 (forall x:long.
  (le_int((-9223372036854775808), integer_of_long(x))
  and le_int(integer_of_long(x), (9223372036854775807))))

logic max: int, int -> int

logic mem: int32, Object pointer, Object alloc_table,
 (Object, Object pointer) memory, (Object, Object pointer) memory,
 (Object, int32) memory -> prop

axiom pointer_addr_of_Object_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 (offset_max(Object_alloc_table, p) >= b)

predicate right_valid_struct_Exception(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Int(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_String(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Throwable(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_Tree(p:Object pointer, b:int,
 Object_alloc_table:Object alloc_table) =
 right_valid_struct_Object(p, b, Object_alloc_table)

predicate right_valid_struct_interface(p:interface pointer, b:int,
 interface_alloc_table:interface alloc_table) =
 (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer: int -> short

axiom short_coerce :
 (forall x:int.
  ((le_int((-32768), x) and le_int(x, (32767))) ->
   eq_int(integer_of_short(short_of_integer(x)), x)))

axiom short_extensionality :
 (forall x:short.
  (forall y:short[eq_int(integer_of_short(x), integer_of_short(y))].
   (eq_int(integer_of_short(x), integer_of_short(y)) -> (x = y))))

axiom short_range :
 (forall x:short.
  (le_int((-32768), integer_of_short(x))
  and le_int(integer_of_short(x), (32767))))

predicate strict_valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) = a)
 and (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Int(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_Tree(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 strict_valid_struct_Object(p, a, b, Object_alloc_table)

predicate strict_valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) = a)
 and (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 ((offset_min(Object_alloc_table, p) <= a)
 and (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Int(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_String(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Throwable(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_Tree(p:Object pointer, a:int, b:int,
 Object_alloc_table:Object alloc_table) =
 valid_struct_Object(p, a, b, Object_alloc_table)

predicate valid_struct_interface(p:interface pointer, a:int, b:int,
 interface_alloc_table:interface alloc_table) =
 ((offset_min(interface_alloc_table, p) <= a)
 and (offset_max(interface_alloc_table, p) >= b))

axiom mem_inversion :
 (forall Object_alloc_table_at_L:Object alloc_table.
  (forall Tree_right_at_L:(Object, Object pointer) memory.
   (forall Tree_left_at_L:(Object, Object pointer) memory.
    (forall Tree_value_at_L:(Object, int32) memory.
     (forall x_8:int32.
      (forall t_4:Object pointer.
       (mem(x_8, t_4, Object_alloc_table_at_L, Tree_right_at_L,
        Tree_left_at_L, Tree_value_at_L) ->
        (Non_null_Object(t_4, Object_alloc_table_at_L)
        and ((integer_of_int32(x_8) = integer_of_int32(select(Tree_value_at_L,
                                                       t_4)))
            or (mem(x_8, select(Tree_left_at_L, t_4),
                Object_alloc_table_at_L, Tree_right_at_L, Tree_left_at_L,
                Tree_value_at_L)
               or mem(x_8, select(Tree_right_at_L, t_4),
                  Object_alloc_table_at_L, Tree_right_at_L, Tree_left_at_L,
                  Tree_value_at_L)))))))))))

axiom mem_right :
 (forall Object_alloc_table_at_L:Object alloc_table.
  (forall Tree_right_at_L:(Object, Object pointer) memory.
   (forall Tree_left_at_L:(Object, Object pointer) memory.
    (forall Tree_value_at_L:(Object, int32) memory.
     (forall x_7:int32.
      (forall t_3:Object pointer.
       (Non_null_Object(t_3, Object_alloc_table_at_L) ->
        (mem(x_7, select(Tree_right_at_L, t_3), Object_alloc_table_at_L,
         Tree_right_at_L, Tree_left_at_L, Tree_value_at_L) ->
         mem(x_7, t_3, Object_alloc_table_at_L, Tree_right_at_L,
         Tree_left_at_L, Tree_value_at_L)))))))))

axiom mem_left :
 (forall Object_alloc_table_at_L:Object alloc_table.
  (forall Tree_right_at_L:(Object, Object pointer) memory.
   (forall Tree_left_at_L:(Object, Object pointer) memory.
    (forall Tree_value_at_L:(Object, int32) memory.
     (forall x_6:int32.
      (forall t_2:Object pointer.
       (Non_null_Object(t_2, Object_alloc_table_at_L) ->
        (mem(x_6, select(Tree_left_at_L, t_2), Object_alloc_table_at_L,
         Tree_right_at_L, Tree_left_at_L, Tree_value_at_L) ->
         mem(x_6, t_2, Object_alloc_table_at_L, Tree_right_at_L,
         Tree_left_at_L, Tree_value_at_L)))))))))

axiom mem_root_eq :
 (forall Object_alloc_table_at_L:Object alloc_table.
  (forall Tree_right_at_L:(Object, Object pointer) memory.
   (forall Tree_left_at_L:(Object, Object pointer) memory.
    (forall Tree_value_at_L:(Object, int32) memory.
     (forall x_5:int32.
      (forall t_1:Object pointer.
       (Non_null_Object(t_1, Object_alloc_table_at_L) ->
        ((integer_of_int32(x_5) = integer_of_int32(select(Tree_value_at_L,
                                                   t_1))) ->
         mem(x_5, t_1, Object_alloc_table_at_L, Tree_right_at_L,
         Tree_left_at_L, Tree_value_at_L)))))))))

axiom mem_root :
 (forall Object_alloc_table_at_L:Object alloc_table.
  (forall Tree_right_at_L:(Object, Object pointer) memory.
   (forall Tree_left_at_L:(Object, Object pointer) memory.
    (forall Tree_value_at_L:(Object, int32) memory.
     (forall t_0:Object pointer.
      (Non_null_Object(t_0, Object_alloc_table_at_L) ->
       mem(select(Tree_value_at_L, t_0), t_0, Object_alloc_table_at_L,
       Tree_right_at_L, Tree_left_at_L, Tree_value_at_L)))))))

axiom mem_null :
 (forall Object_alloc_table_at_L:Object alloc_table.
  (forall Tree_right_at_L:(Object, Object pointer) memory.
   (forall Tree_left_at_L:(Object, Object pointer) memory.
    (forall Tree_value_at_L:(Object, int32) memory.
     (forall x_4:int32.
      (not mem(x_4, null, Object_alloc_table_at_L, Tree_right_at_L,
           Tree_left_at_L, Tree_value_at_L)))))))

axiom max_is_some :
 (forall x_1_0:int.
  (forall y_1:int. ((max(x_1_0, y_1) = x_1_0) or (max(x_1_0, y_1) = y_1))))

axiom max_is_ge :
 (forall x_0_0:int.
  (forall y_0:int.
   (ge_int(max(x_0_0, y_0), x_0_0) and ge_int(max(x_0_0, y_0), y_0))))

exception Exception_exc of Object pointer

parameter Int_max :
 x_2_0:int32 ->
  y_2:int32 ->
   { } int32
   { (JC_96:
     (integer_of_int32(result) = max(integer_of_int32(x_2_0),
                                 integer_of_int32(y_2)))) }

parameter Int_max_requires :
 x_2_0:int32 ->
  y_2:int32 ->
   { } int32
   { (JC_96:
     (integer_of_int32(result) = max(integer_of_int32(x_2_0),
                                 integer_of_int32(y_2)))) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

parameter Object_alloc_table : Object alloc_table ref

parameter Object_clone :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_clone_requires :
 this_11:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_equals :
 this_5:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_equals_requires :
 this_5:Object pointer ->
  obj:Object pointer -> { } bool reads Object_alloc_table { true }

parameter Object_finalize :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_finalize_requires :
 this_13:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_hashCode :
 this_7:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_hashCode_requires :
 this_7:Object pointer -> { } int32 reads Object_alloc_table { true }

parameter Object_notify :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notifyAll_requires :
 this_10:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_notify_requires :
 this_6:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_registerNatives : tt:unit -> { } unit { true }

parameter Object_registerNatives_requires : tt:unit -> { } unit { true }

parameter Object_tag_table : Object tag_table ref

parameter Object_toString :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_toString_requires :
 this_9:Object pointer ->
  { } Object pointer reads Object_alloc_table { true }

parameter Object_wait :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long :
 this_12:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int :
 this_8:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_int_requires :
 this_8:Object pointer ->
  timeout_0:long -> nanos:int32 -> { } unit reads Object_alloc_table { true }

parameter Object_wait_long_requires :
 this_12:Object pointer ->
  timeout:long -> { } unit reads Object_alloc_table { true }

parameter Object_wait_requires :
 this_14:Object pointer -> { } unit reads Object_alloc_table { true }

exception Return_label_exc of unit

exception Throwable_exc of Object pointer

parameter Tree_left : (Object, Object pointer) memory ref

parameter Tree_right : (Object, Object pointer) memory ref

parameter Tree_value : (Object, int32) memory ref

parameter Tree_tree_max :
 this_2:Object pointer ->
  { } int32 reads Object_alloc_table,Tree_left,Tree_right,Tree_value
  { (JC_108:
    ((JC_106:
     mem(result, this_2, Object_alloc_table, Tree_right, Tree_left,
     Tree_value))
    and (JC_107:
        (forall x_9:int32.
         (mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left,
          Tree_value) ->
          ge_int(integer_of_int32(result), integer_of_int32(x_9))))))) }

parameter Tree_tree_max_requires :
 this_2:Object pointer ->
  { } int32 reads Object_alloc_table,Tree_left,Tree_right,Tree_value
  { (JC_108:
    ((JC_106:
     mem(result, this_2, Object_alloc_table, Tree_right, Tree_left,
     Tree_value))
    and (JC_107:
        (forall x_9:int32.
         (mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left,
          Tree_value) ->
          ge_int(integer_of_int32(result), integer_of_int32(x_9))))))) }

parameter alloc_struct_Exception :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Exception_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Exception(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Exception_tag)))) }

parameter alloc_struct_Int :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Int(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Int_tag)))) }

parameter alloc_struct_Int_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Int(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Int_tag)))) }

parameter alloc_struct_Object :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_Object_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Object(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Object_tag)))) }

parameter alloc_struct_String :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_String_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_String(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, String_tag)))) }

parameter alloc_struct_Throwable :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Throwable_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Throwable(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Throwable_tag)))) }

parameter alloc_struct_Tree :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { } Object pointer writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Tree(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Tree_tag)))) }

parameter alloc_struct_Tree_requires :
 n:int ->
  Object_alloc_table:Object alloc_table ref ->
   Object_tag_table:Object tag_table ref ->
    { ge_int(n, (0))} Object pointer
    writes Object_alloc_table,Object_tag_table
    { (strict_valid_struct_Tree(result, (0), sub_int(n, (1)),
       Object_alloc_table)
      and (alloc_extends(Object_alloc_table@, Object_alloc_table)
          and (alloc_fresh(Object_alloc_table@, result, n)
              and instanceof(Object_tag_table, result, Tree_tag)))) }

parameter interface_alloc_table : interface alloc_table ref

parameter interface_tag_table : interface tag_table ref

parameter alloc_struct_interface :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { } interface pointer writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter alloc_struct_interface_requires :
 n:int ->
  interface_alloc_table:interface alloc_table ref ->
   interface_tag_table:interface tag_table ref ->
    { ge_int(n, (0))} interface pointer
    writes interface_alloc_table,interface_tag_table
    { (strict_valid_struct_interface(result, (0), sub_int(n, (1)),
       interface_alloc_table)
      and (alloc_extends(interface_alloc_table@, interface_alloc_table)
          and (alloc_fresh(interface_alloc_table@, result, n)
              and instanceof(interface_tag_table, result, interface_tag)))) }

parameter any_byte : unit -> { } byte { true }

parameter any_char : unit -> { } char { true }

parameter any_int32 : unit -> { } int32 { true }

parameter any_long : unit -> { } long { true }

parameter any_short : unit -> { } short { true }

parameter any_string_0 : tt:unit -> { } Object pointer { true }

parameter any_string_0_requires : tt:unit -> { } Object pointer { true }

parameter byte_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} byte
  { eq_int(integer_of_byte(result), x) }

parameter char_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (65535)))} char
  { eq_int(integer_of_char(result), x) }

parameter cons_Int :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Int_requires :
 this_0:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object :
 this_15:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Object_requires :
 this_15:Object pointer -> { } unit reads Object_alloc_table { true }

parameter cons_Tree :
 this_4:Object pointer ->
  { } unit reads Object_alloc_table writes Tree_left,Tree_right,Tree_value
  { true }

parameter cons_Tree_requires :
 this_4:Object pointer ->
  { } unit reads Object_alloc_table writes Tree_left,Tree_right,Tree_value
  { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter long_of_integer_ :
 x:int ->
  { (le_int((-9223372036854775808), x) and le_int(x, (9223372036854775807)))}
  long { eq_int(integer_of_long(result), x) }

parameter non_null_Object :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter non_null_Object_requires :
 x_1:Object pointer ->
  { } bool reads Object_alloc_table
  { (JC_18:
    (if result then (offset_max(Object_alloc_table, x_1) = (0))
     else (x_1 = null))) }

parameter safe_byte_of_integer_ :
 x:int -> { } byte { eq_int(integer_of_byte(result), x) }

parameter safe_char_of_integer_ :
 x:int -> { } char { eq_int(integer_of_char(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_long_of_integer_ :
 x:int -> { } long { eq_int(integer_of_long(result), x) }

parameter safe_short_of_integer_ :
 x:int -> { } short { eq_int(integer_of_short(result), x) }

parameter short_of_integer_ :
 x:int ->
  { (le_int((-32768), x) and le_int(x, (32767)))} short
  { eq_int(integer_of_short(result), x) }

let Tree_tree_max_ensures_default =
 fun (this_2 : Object pointer) ->
  { valid_struct_Tree(this_2, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let m = ref (K_13: ((safe_acc_ !Tree_value) this_2)) in
     begin
       (if (let _jessie_ = (K_8: ((safe_acc_ !Tree_left) this_2)) in
           (JC_119: (non_null_Object _jessie_)))
       then
        (let _jessie_ =
        (m := (K_7:
              (let _jessie_ = !m in
              (let _jessie_ =
              (K_6:
              (let _jessie_ = (K_5: ((safe_acc_ !Tree_left) this_2)) in
              (JC_120: (Tree_tree_max _jessie_)))) in
              (JC_121: ((Int_max _jessie_) _jessie_)))))) in void)
       else void);
      (if (let _jessie_ = (K_12: ((safe_acc_ !Tree_right) this_2)) in
          (JC_122: (non_null_Object _jessie_)))
      then
       (let _jessie_ =
       (m := (K_11:
             (let _jessie_ = !m in
             (let _jessie_ =
             (K_10:
             (let _jessie_ = (K_9: ((safe_acc_ !Tree_right) this_2)) in
             (JC_123: (Tree_tree_max _jessie_)))) in
             (JC_124: ((Int_max _jessie_) _jessie_)))))) in void)
      else void); (return := !m); (raise Return) end); absurd  end with
   Return -> !return end))
  { (JC_105:
    ((JC_103:
     mem(result, this_2, Object_alloc_table, Tree_right, Tree_left,
     Tree_value))
    and (JC_104:
        (forall x_9:int32.
         (mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left,
          Tree_value) ->
          ge_int(integer_of_int32(result), integer_of_int32(x_9))))))) }

let Tree_tree_max_safety =
 fun (this_2 : Object pointer) ->
  { valid_struct_Tree(this_2, (0), (0), Object_alloc_table) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let m = ref (K_13: ((safe_acc_ !Tree_value) this_2)) in
     begin
       (if (let _jessie_ = (K_8: ((safe_acc_ !Tree_left) this_2)) in
           (JC_111: (non_null_Object_requires _jessie_)))
       then
        (let _jessie_ =
        (m := (K_7:
              (let _jessie_ = !m in
              (let _jessie_ =
              (K_6:
              (let _jessie_ = (K_5: ((safe_acc_ !Tree_left) this_2)) in
              (JC_113:
              (assert
              { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
              (JC_112: (Tree_tree_max_requires _jessie_)))))) in
              (JC_114: ((Int_max_requires _jessie_) _jessie_)))))) in void)
       else void);
      (if (let _jessie_ = (K_12: ((safe_acc_ !Tree_right) this_2)) in
          (JC_115: (non_null_Object_requires _jessie_)))
      then
       (let _jessie_ =
       (m := (K_11:
             (let _jessie_ = !m in
             (let _jessie_ =
             (K_10:
             (let _jessie_ = (K_9: ((safe_acc_ !Tree_right) this_2)) in
             (JC_117:
             (assert
             { ge_int(offset_max(Object_alloc_table, _jessie_), (0)) };
             (JC_116: (Tree_tree_max_requires _jessie_)))))) in
             (JC_118: ((Int_max_requires _jessie_) _jessie_)))))) in
       void) else void); (return := !m); (raise Return) end); absurd  end
   with Return -> !return end)) { true }

let cons_Int_ensures_default =
 fun (this_0 : Object pointer) ->
  { valid_struct_Int(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_23: true) }

let cons_Int_safety =
 fun (this_0 : Object pointer) ->
  { valid_struct_Int(this_0, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Object_ensures_default =
 fun (this_15 : Object pointer) ->
  { valid_struct_Object(this_15, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { (JC_87: true) }

let cons_Object_safety =
 fun (this_15 : Object pointer) ->
  { valid_struct_Object(this_15, (0), (0), Object_alloc_table) }
  (init: try begin   void; (raise Return) end with Return -> void end)
  { true }

let cons_Tree_ensures_default =
 fun (this_4 : Object pointer) ->
  { valid_struct_Tree(this_4, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (safe_int32_of_integer_ (0)) in
       (let _jessie_ = this_4 in
       (((safe_upd_ Tree_value) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_4 in
      (((safe_upd_ Tree_left) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_4 in
        (((safe_upd_ Tree_right) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end)
  { (JC_161: true) }

let cons_Tree_safety =
 fun (this_4 : Object pointer) ->
  { valid_struct_Tree(this_4, (0), (0), Object_alloc_table) }
  (init:
  try
   begin
     (let _jessie_ =
     begin
       (let _jessie_ = (safe_int32_of_integer_ (0)) in
       (let _jessie_ = this_4 in
       (((safe_upd_ Tree_value) _jessie_) _jessie_)));
      (let _jessie_ = null in
      (let _jessie_ = this_4 in
      (((safe_upd_ Tree_left) _jessie_) _jessie_)));
      (let _jessie_ = null in
      begin
        (let _jessie_ = this_4 in
        (((safe_upd_ Tree_right) _jessie_) _jessie_)); _jessie_ end)
     end in void); (raise Return) end with Return -> void end) { true }


========== make project execution ==========
why --project [...] why/TreeMax.why
========== file tests/java/why/TreeMax.wpr ==========

  
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
      
      
    
    
    
    
      
      
    
    
      
      
    
    
      
      
    
    
  
  
    
  
  
    
  
  
    
  

========== file tests/java/why/TreeMax_ctx.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Int_tag : Object tag_id

axiom Int_parenttag_Object: parenttag(Int_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic Tree_tag : Object tag_id

axiom Tree_parenttag_Object: parenttag(Tree_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte [(integer_of_byte(x) = integer_of_byte(y))].
      ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char [(integer_of_char(x) = integer_of_char(y))].
      ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32 [(integer_of_int32(x) = integer_of_int32(y))].
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Int(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Tree(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long [(integer_of_long(x) = integer_of_long(y))].
      ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

logic max : int, int -> int

logic mem : int32, Object pointer, Object alloc_table, (Object,
Object pointer) memory, (Object, Object pointer) memory, (Object,
int32) memory -> prop

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Int(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Tree(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short [(integer_of_short(x) = integer_of_short(y))].
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Int(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Tree(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Int(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Tree(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom mem_inversion:
  (forall Object_alloc_table_at_L:Object alloc_table.
    (forall Tree_right_at_L:(Object, Object pointer) memory.
      (forall Tree_left_at_L:(Object, Object pointer) memory.
        (forall Tree_value_at_L:(Object, int32) memory.
          (forall x_8:int32.
            (forall t_4:Object pointer.
              (mem(x_8, t_4, Object_alloc_table_at_L, Tree_right_at_L,
               Tree_left_at_L, Tree_value_at_L) ->
               (Non_null_Object(t_4, Object_alloc_table_at_L) and
                ((integer_of_int32(x_8) = integer_of_int32(select(Tree_value_at_L,
                 t_4))) or
                 (mem(x_8, select(Tree_left_at_L, t_4),
                  Object_alloc_table_at_L, Tree_right_at_L, Tree_left_at_L,
                  Tree_value_at_L) or mem(x_8, select(Tree_right_at_L, t_4),
                  Object_alloc_table_at_L, Tree_right_at_L, Tree_left_at_L,
                  Tree_value_at_L)))))))))))

axiom mem_right:
  (forall Object_alloc_table_at_L:Object alloc_table.
    (forall Tree_right_at_L:(Object, Object pointer) memory.
      (forall Tree_left_at_L:(Object, Object pointer) memory.
        (forall Tree_value_at_L:(Object, int32) memory.
          (forall x_7:int32.
            (forall t_3:Object pointer.
              (Non_null_Object(t_3, Object_alloc_table_at_L) ->
               (mem(x_7, select(Tree_right_at_L, t_3),
                Object_alloc_table_at_L, Tree_right_at_L, Tree_left_at_L,
                Tree_value_at_L) -> mem(x_7, t_3, Object_alloc_table_at_L,
                Tree_right_at_L, Tree_left_at_L, Tree_value_at_L)))))))))

axiom mem_left:
  (forall Object_alloc_table_at_L:Object alloc_table.
    (forall Tree_right_at_L:(Object, Object pointer) memory.
      (forall Tree_left_at_L:(Object, Object pointer) memory.
        (forall Tree_value_at_L:(Object, int32) memory.
          (forall x_6:int32.
            (forall t_2:Object pointer.
              (Non_null_Object(t_2, Object_alloc_table_at_L) ->
               (mem(x_6, select(Tree_left_at_L, t_2),
                Object_alloc_table_at_L, Tree_right_at_L, Tree_left_at_L,
                Tree_value_at_L) -> mem(x_6, t_2, Object_alloc_table_at_L,
                Tree_right_at_L, Tree_left_at_L, Tree_value_at_L)))))))))

axiom mem_root_eq:
  (forall Object_alloc_table_at_L:Object alloc_table.
    (forall Tree_right_at_L:(Object, Object pointer) memory.
      (forall Tree_left_at_L:(Object, Object pointer) memory.
        (forall Tree_value_at_L:(Object, int32) memory.
          (forall x_5:int32.
            (forall t_1:Object pointer.
              (Non_null_Object(t_1, Object_alloc_table_at_L) ->
               ((integer_of_int32(x_5) = integer_of_int32(select(Tree_value_at_L,
                t_1))) -> mem(x_5, t_1, Object_alloc_table_at_L,
                Tree_right_at_L, Tree_left_at_L, Tree_value_at_L)))))))))

axiom mem_root:
  (forall Object_alloc_table_at_L:Object alloc_table.
    (forall Tree_right_at_L:(Object, Object pointer) memory.
      (forall Tree_left_at_L:(Object, Object pointer) memory.
        (forall Tree_value_at_L:(Object, int32) memory.
          (forall t_0:Object pointer.
            (Non_null_Object(t_0, Object_alloc_table_at_L) ->
             mem(select(Tree_value_at_L, t_0), t_0, Object_alloc_table_at_L,
             Tree_right_at_L, Tree_left_at_L, Tree_value_at_L)))))))

axiom mem_null:
  (forall Object_alloc_table_at_L:Object alloc_table.
    (forall Tree_right_at_L:(Object, Object pointer) memory.
      (forall Tree_left_at_L:(Object, Object pointer) memory.
        (forall Tree_value_at_L:(Object, int32) memory.
          (forall x_4:int32. (not mem(x_4, null, Object_alloc_table_at_L,
            Tree_right_at_L, Tree_left_at_L, Tree_value_at_L)))))))

axiom max_is_some:
  (forall x_1_0:int.
    (forall y_1:int. ((max(x_1_0, y_1) = x_1_0) or (max(x_1_0, y_1) = y_1))))

axiom max_is_ge:
  (forall x_0_0:int.
    (forall y_0:int.
      ((max(x_0_0, y_0) >= x_0_0) and (max(x_0_0, y_0) >= y_0))))

========== file tests/java/why/TreeMax_po1.why ==========
goal Tree_tree_max_ensures_default_po_1:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result0) = 0)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_left, this_2)) ->
  forall result2:int32.
  ("JC_108":
  (("JC_106": mem(result2, result1, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result1, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result2) >= integer_of_int32(x_9))))))) ->
  forall result3:int32.
  ("JC_96": (integer_of_int32(result3) = max(integer_of_int32(result),
  integer_of_int32(result2)))) ->
  forall m:int32.
  (m = result3) ->
  forall result4:Object pointer.
  (result4 = select(Tree_right, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result4) = 0)) ->
  forall result5:Object pointer.
  (result5 = select(Tree_right, this_2)) ->
  forall result6:int32.
  ("JC_108":
  (("JC_106": mem(result6, result5, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result5, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result6) >= integer_of_int32(x_9))))))) ->
  forall result7:int32.
  ("JC_96": (integer_of_int32(result7) = max(integer_of_int32(m),
  integer_of_int32(result6)))) ->
  forall m0:int32.
  (m0 = result7) ->
  forall return:int32.
  (return = m0) ->
  ("JC_105":
  ("JC_103": mem(return, this_2, Object_alloc_table, Tree_right, Tree_left,
  Tree_value)))

========== file tests/java/why/TreeMax_po10.why ==========
goal Tree_tree_max_safety_po_2:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result0) = 0)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_left, this_2)) ->
  (offset_max(Object_alloc_table, result1) >= 0) ->
  forall result2:int32.
  ("JC_108":
  (("JC_106": mem(result2, result1, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result1, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result2) >= integer_of_int32(x_9))))))) ->
  forall result3:int32.
  ("JC_96": (integer_of_int32(result3) = max(integer_of_int32(result),
  integer_of_int32(result2)))) ->
  forall m:int32.
  (m = result3) ->
  forall result4:Object pointer.
  (result4 = select(Tree_right, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result4) = 0)) ->
  forall result5:Object pointer.
  (result5 = select(Tree_right, this_2)) ->
  (offset_max(Object_alloc_table, result5) >= 0)

========== file tests/java/why/TreeMax_po11.why ==========
goal Tree_tree_max_safety_po_3:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (result0 = null)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_right, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result1) = 0)) ->
  forall result2:Object pointer.
  (result2 = select(Tree_right, this_2)) ->
  (offset_max(Object_alloc_table, result2) >= 0)

========== file tests/java/why/TreeMax_po2.why ==========
goal Tree_tree_max_ensures_default_po_2:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result0) = 0)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_left, this_2)) ->
  forall result2:int32.
  ("JC_108":
  (("JC_106": mem(result2, result1, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result1, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result2) >= integer_of_int32(x_9))))))) ->
  forall result3:int32.
  ("JC_96": (integer_of_int32(result3) = max(integer_of_int32(result),
  integer_of_int32(result2)))) ->
  forall m:int32.
  (m = result3) ->
  forall result4:Object pointer.
  (result4 = select(Tree_right, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result4) = 0)) ->
  forall result5:Object pointer.
  (result5 = select(Tree_right, this_2)) ->
  forall result6:int32.
  ("JC_108":
  (("JC_106": mem(result6, result5, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result5, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result6) >= integer_of_int32(x_9))))))) ->
  forall result7:int32.
  ("JC_96": (integer_of_int32(result7) = max(integer_of_int32(m),
  integer_of_int32(result6)))) ->
  forall m0:int32.
  (m0 = result7) ->
  forall return:int32.
  (return = m0) ->
  forall x_9:int32.
  mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left, Tree_value) ->
  ("JC_105": ("JC_104": (integer_of_int32(return) >= integer_of_int32(x_9))))

========== file tests/java/why/TreeMax_po3.why ==========
goal Tree_tree_max_ensures_default_po_3:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result0) = 0)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_left, this_2)) ->
  forall result2:int32.
  ("JC_108":
  (("JC_106": mem(result2, result1, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result1, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result2) >= integer_of_int32(x_9))))))) ->
  forall result3:int32.
  ("JC_96": (integer_of_int32(result3) = max(integer_of_int32(result),
  integer_of_int32(result2)))) ->
  forall m:int32.
  (m = result3) ->
  forall result4:Object pointer.
  (result4 = select(Tree_right, this_2)) ->
  ("JC_18": (result4 = null)) ->
  forall return:int32.
  (return = m) ->
  ("JC_105":
  ("JC_103": mem(return, this_2, Object_alloc_table, Tree_right, Tree_left,
  Tree_value)))

========== file tests/java/why/TreeMax_po4.why ==========
goal Tree_tree_max_ensures_default_po_4:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result0) = 0)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_left, this_2)) ->
  forall result2:int32.
  ("JC_108":
  (("JC_106": mem(result2, result1, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result1, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result2) >= integer_of_int32(x_9))))))) ->
  forall result3:int32.
  ("JC_96": (integer_of_int32(result3) = max(integer_of_int32(result),
  integer_of_int32(result2)))) ->
  forall m:int32.
  (m = result3) ->
  forall result4:Object pointer.
  (result4 = select(Tree_right, this_2)) ->
  ("JC_18": (result4 = null)) ->
  forall return:int32.
  (return = m) ->
  forall x_9:int32.
  mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left, Tree_value) ->
  ("JC_105": ("JC_104": (integer_of_int32(return) >= integer_of_int32(x_9))))

========== file tests/java/why/TreeMax_po5.why ==========
goal Tree_tree_max_ensures_default_po_5:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (result0 = null)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_right, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result1) = 0)) ->
  forall result2:Object pointer.
  (result2 = select(Tree_right, this_2)) ->
  forall result3:int32.
  ("JC_108":
  (("JC_106": mem(result3, result2, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result2, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result3) >= integer_of_int32(x_9))))))) ->
  forall result4:int32.
  ("JC_96": (integer_of_int32(result4) = max(integer_of_int32(result),
  integer_of_int32(result3)))) ->
  forall m:int32.
  (m = result4) ->
  forall return:int32.
  (return = m) ->
  ("JC_105":
  ("JC_103": mem(return, this_2, Object_alloc_table, Tree_right, Tree_left,
  Tree_value)))

========== file tests/java/why/TreeMax_po6.why ==========
goal Tree_tree_max_ensures_default_po_6:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (result0 = null)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_right, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result1) = 0)) ->
  forall result2:Object pointer.
  (result2 = select(Tree_right, this_2)) ->
  forall result3:int32.
  ("JC_108":
  (("JC_106": mem(result3, result2, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result2, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result3) >= integer_of_int32(x_9))))))) ->
  forall result4:int32.
  ("JC_96": (integer_of_int32(result4) = max(integer_of_int32(result),
  integer_of_int32(result3)))) ->
  forall m:int32.
  (m = result4) ->
  forall return:int32.
  (return = m) ->
  forall x_9:int32.
  mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left, Tree_value) ->
  ("JC_105": ("JC_104": (integer_of_int32(return) >= integer_of_int32(x_9))))

========== file tests/java/why/TreeMax_po7.why ==========
goal Tree_tree_max_ensures_default_po_7:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (result0 = null)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_right, this_2)) ->
  ("JC_18": (result1 = null)) ->
  forall return:int32.
  (return = result) ->
  ("JC_105":
  ("JC_103": mem(return, this_2, Object_alloc_table, Tree_right, Tree_left,
  Tree_value)))

========== file tests/java/why/TreeMax_po8.why ==========
goal Tree_tree_max_ensures_default_po_8:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (result0 = null)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_right, this_2)) ->
  ("JC_18": (result1 = null)) ->
  forall return:int32.
  (return = result) ->
  forall x_9:int32.
  mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left, Tree_value) ->
  ("JC_105": ("JC_104": (integer_of_int32(return) >= integer_of_int32(x_9))))

========== file tests/java/why/TreeMax_po9.why ==========
goal Tree_tree_max_safety_po_1:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result0) = 0)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_left, this_2)) ->
  (offset_max(Object_alloc_table, result1) >= 0)

========== generation of Simplify VC output ==========
why -simplify [...] why/TreeMax.why
========== file tests/java/simplify/TreeMax_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom Exception_parenttag_Object
 (EQ (parenttag Exception_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Int_parenttag_Object
 (EQ (parenttag Int_tag Object_tag) |@true|))

(DEFPRED (Non_null_Object x_0 Object_alloc_table)
  (>= (offset_max Object_alloc_table x_0) 0))

(BG_PUSH
 ;; Why axiom Object_int
 (EQ (int_of_tag Object_tag) 1))

(BG_PUSH
 ;; Why axiom Object_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (Object_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom Object_parenttag_bottom
 (EQ (parenttag Object_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom Object_tags
 (FORALL (x Object_tag_table) (instanceof Object_tag_table x Object_tag)))

(BG_PUSH
 ;; Why axiom String_parenttag_Object
 (EQ (parenttag String_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Throwable_parenttag_Object
 (EQ (parenttag Throwable_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom Tree_parenttag_Object
 (EQ (parenttag Tree_tag Object_tag) |@true|))

(BG_PUSH
 ;; Why axiom byte_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_byte (byte_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom byte_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_byte x) (integer_of_byte y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom byte_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_byte x)) (<= (integer_of_byte x) 127))))

(BG_PUSH
 ;; Why axiom char_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 65535))
 (EQ (integer_of_char (char_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom char_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_char x) (integer_of_char y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom char_range
 (FORALL (x) (AND (<= 0 (integer_of_char x)) (<= (integer_of_char x) 65535))))

(DEFPRED (eq_byte x y) (EQ (integer_of_byte x) (integer_of_byte y)))

(DEFPRED (eq_char x y) (EQ (integer_of_char x) (integer_of_char y)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_long x y) (EQ (integer_of_long x) (integer_of_long y)))

(DEFPRED (eq_short x y) (EQ (integer_of_short x) (integer_of_short y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom interface_int
 (EQ (int_of_tag interface_tag) 1))

(BG_PUSH
 ;; Why axiom interface_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (interface_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom interface_parenttag_bottom
 (EQ (parenttag interface_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom interface_tags
 (FORALL (x interface_tag_table)
 (instanceof interface_tag_table x interface_tag)))

(DEFPRED (left_valid_struct_Object p a Object_alloc_table)
  (<= (offset_min Object_alloc_table p) a))

(DEFPRED (left_valid_struct_Exception p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Int p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_String p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Throwable p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_Tree p a Object_alloc_table)
  (left_valid_struct_Object p a Object_alloc_table))

(DEFPRED (left_valid_struct_interface p a interface_alloc_table)
  (<= (offset_min interface_alloc_table p) a))

(BG_PUSH
 ;; Why axiom long_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_9223372036854775808) x)
 (<= x constant_too_large_9223372036854775807))
 (EQ (integer_of_long (long_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom long_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_long x) (integer_of_long y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom long_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_9223372036854775808) (integer_of_long x))
 (<= (integer_of_long x) constant_too_large_9223372036854775807))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_Object_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (Object_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_interface_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (interface_of_pointer_address p)))))

(DEFPRED (right_valid_struct_Object p b Object_alloc_table)
  (>= (offset_max Object_alloc_table p) b))

(DEFPRED (right_valid_struct_Exception p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Int p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_String p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Throwable p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_Tree p b Object_alloc_table)
  (right_valid_struct_Object p b Object_alloc_table))

(DEFPRED (right_valid_struct_interface p b interface_alloc_table)
  (>= (offset_max interface_alloc_table p) b))

(BG_PUSH
 ;; Why axiom short_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 32768) x) (<= x 32767))
 (EQ (integer_of_short (short_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom short_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_short x) (integer_of_short y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom short_range
 (FORALL (x)
 (AND (<= (- 0 32768) (integer_of_short x)) (<= (integer_of_short x) 32767))))

(DEFPRED (strict_valid_root_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_root_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Object p a b Object_alloc_table)
  (AND (EQ (offset_min Object_alloc_table p) a)
  (EQ (offset_max Object_alloc_table p) b)))

(DEFPRED (strict_valid_struct_Exception p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Int p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_String p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Throwable p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_Tree p a b Object_alloc_table)
  (strict_valid_struct_Object p a b Object_alloc_table))

(DEFPRED (strict_valid_struct_interface p a b interface_alloc_table)
  (AND (EQ (offset_min interface_alloc_table p) a)
  (EQ (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_root_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_root_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(DEFPRED (valid_struct_Object p a b Object_alloc_table)
  (AND (<= (offset_min Object_alloc_table p) a)
  (>= (offset_max Object_alloc_table p) b)))

(DEFPRED (valid_struct_Exception p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Int p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_String p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Throwable p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_Tree p a b Object_alloc_table)
  (valid_struct_Object p a b Object_alloc_table))

(DEFPRED (valid_struct_interface p a b interface_alloc_table)
  (AND (<= (offset_min interface_alloc_table p) a)
  (>= (offset_max interface_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom mem_inversion
 (FORALL (Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L x_8 t_4)
 (IMPLIES
 (EQ (mem
 x_8 t_4 Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|)
 (AND (Non_null_Object t_4 Object_alloc_table_at_L)
 (OR
 (EQ (integer_of_int32 x_8) (integer_of_int32 (select Tree_value_at_L t_4)))
 (OR
 (EQ (mem
 x_8 (select Tree_left_at_L t_4) Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|)
 (EQ (mem
 x_8 (select Tree_right_at_L t_4) Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|)))))))

(BG_PUSH
 ;; Why axiom mem_right
 (FORALL (Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L x_7 t_3)
 (IMPLIES (Non_null_Object t_3 Object_alloc_table_at_L)
 (IMPLIES
 (EQ (mem
 x_7 (select Tree_right_at_L t_3) Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|)
 (EQ (mem
 x_7 t_3 Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|))))

 (FORALL (Object_alloc_table_at_L t_3)
 (IMPLIES (Non_null_Object t_3 Object_alloc_table_at_L)
 (FORALL (x_7 Tree_value_at_L Tree_left_at_L Tree_right_at_L)
 (IMPLIES
 (EQ (mem
 x_7 (select Tree_right_at_L t_3) Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|)
 (EQ (mem
 x_7 t_3 Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|))))))

(BG_PUSH
 ;; Why axiom mem_left
 (FORALL (Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L x_6 t_2)
 (IMPLIES (Non_null_Object t_2 Object_alloc_table_at_L)
 (IMPLIES
 (EQ (mem
 x_6 (select Tree_left_at_L t_2) Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|)
 (EQ (mem
 x_6 t_2 Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|))))

 (FORALL (Object_alloc_table_at_L t_2)
 (IMPLIES (Non_null_Object t_2 Object_alloc_table_at_L)
 (FORALL (x_6 Tree_value_at_L Tree_left_at_L Tree_right_at_L)
 (IMPLIES
 (EQ (mem
 x_6 (select Tree_left_at_L t_2) Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|)
 (EQ (mem
 x_6 t_2 Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|))))))

(BG_PUSH
 ;; Why axiom mem_root_eq
 (FORALL (Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L x_5 t_1)
 (IMPLIES (Non_null_Object t_1 Object_alloc_table_at_L)
 (IMPLIES
 (EQ (integer_of_int32 x_5) (integer_of_int32 (select Tree_value_at_L t_1)))
 (EQ (mem
 x_5 t_1 Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|))))

 (FORALL (Object_alloc_table_at_L t_1)
 (IMPLIES (Non_null_Object t_1 Object_alloc_table_at_L)
 (FORALL (x_5 Tree_value_at_L)
 (IMPLIES
 (EQ (integer_of_int32 x_5) (integer_of_int32 (select Tree_value_at_L t_1)))
 (FORALL (Tree_left_at_L Tree_right_at_L)
 (EQ (mem
 x_5 t_1 Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|)))))))

(BG_PUSH
 ;; Why axiom mem_root
 (FORALL (Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L t_0)
 (IMPLIES (Non_null_Object t_0 Object_alloc_table_at_L)
 (EQ (mem
 (select Tree_value_at_L t_0) t_0 Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|)))

 (FORALL (Object_alloc_table_at_L t_0)
 (IMPLIES (Non_null_Object t_0 Object_alloc_table_at_L)
 (FORALL (Tree_right_at_L Tree_left_at_L Tree_value_at_L)
 (EQ (mem
 (select Tree_value_at_L t_0) t_0 Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|)))))

(BG_PUSH
 ;; Why axiom mem_null
 (FORALL (Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L x_4)
 (NOT
 (EQ (mem
 x_4 null Object_alloc_table_at_L Tree_right_at_L Tree_left_at_L Tree_value_at_L) |@true|))))

(BG_PUSH
 ;; Why axiom max_is_some
 (FORALL (x_1_0 y_1)
 (OR (EQ (max x_1_0 y_1) x_1_0) (EQ (max x_1_0 y_1) y_1))))

(BG_PUSH
 ;; Why axiom max_is_ge
 (FORALL (x_0_0 y_0)
 (AND (>= (max x_0_0 y_0) x_0_0) (>= (max x_0_0 y_0) y_0))))

;; Tree_tree_max_ensures_default_po_1, File "HOME/tests/java/TreeMax.java", line 60, characters 16-33
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (Tree_left)
(FORALL (Tree_right)
(FORALL (Tree_value)
(IMPLIES (valid_struct_Tree this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Tree_value this_2))
(FORALL (result0)
(IMPLIES (EQ result0 (select Tree_left this_2))
(IMPLIES (EQ (offset_max Object_alloc_table result0) 0)
(FORALL (result1)
(IMPLIES (EQ result1 (select Tree_left this_2))
(FORALL (result2)
(IMPLIES (AND
         (EQ (mem
         result2 result1 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (FORALL (x_9)
         (IMPLIES
         (EQ (mem
         x_9 result1 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (>= (integer_of_int32 result2) (integer_of_int32 x_9)))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (max (integer_of_int32 result) (integer_of_int32 result2)))
(FORALL (m)
(IMPLIES (EQ m result3)
(FORALL (result4)
(IMPLIES (EQ result4 (select Tree_right this_2))
(IMPLIES (EQ (offset_max Object_alloc_table result4) 0)
(FORALL (result5)
(IMPLIES (EQ result5 (select Tree_right this_2))
(FORALL (result6)
(IMPLIES (AND
         (EQ (mem
         result6 result5 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (FORALL (x_9)
         (IMPLIES
         (EQ (mem
         x_9 result5 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (>= (integer_of_int32 result6) (integer_of_int32 x_9)))))
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7)
         (max (integer_of_int32 m) (integer_of_int32 result6)))
(FORALL (m0)
(IMPLIES (EQ m0 result7)
(FORALL (return)
(IMPLIES (EQ return m0)
(EQ (mem
return this_2 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)))))))))))))))))))))))))))))))))

;; Tree_tree_max_ensures_default_po_2, File "HOME/tests/java/TreeMax.java", line 61, characters 10-53
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (Tree_left)
(FORALL (Tree_right)
(FORALL (Tree_value)
(IMPLIES (valid_struct_Tree this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Tree_value this_2))
(FORALL (result0)
(IMPLIES (EQ result0 (select Tree_left this_2))
(IMPLIES (EQ (offset_max Object_alloc_table result0) 0)
(FORALL (result1)
(IMPLIES (EQ result1 (select Tree_left this_2))
(FORALL (result2)
(IMPLIES (AND
         (EQ (mem
         result2 result1 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (FORALL (x_9)
         (IMPLIES
         (EQ (mem
         x_9 result1 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (>= (integer_of_int32 result2) (integer_of_int32 x_9)))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (max (integer_of_int32 result) (integer_of_int32 result2)))
(FORALL (m)
(IMPLIES (EQ m result3)
(FORALL (result4)
(IMPLIES (EQ result4 (select Tree_right this_2))
(IMPLIES (EQ (offset_max Object_alloc_table result4) 0)
(FORALL (result5)
(IMPLIES (EQ result5 (select Tree_right this_2))
(FORALL (result6)
(IMPLIES (AND
         (EQ (mem
         result6 result5 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (FORALL (x_9)
         (IMPLIES
         (EQ (mem
         x_9 result5 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (>= (integer_of_int32 result6) (integer_of_int32 x_9)))))
(FORALL (result7)
(IMPLIES (EQ (integer_of_int32 result7)
         (max (integer_of_int32 m) (integer_of_int32 result6)))
(FORALL (m0)
(IMPLIES (EQ m0 result7)
(FORALL (return)
(IMPLIES (EQ return m0)
(FORALL (x_9)
(IMPLIES (EQ (mem
         x_9 this_2 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
(>= (integer_of_int32 return) (integer_of_int32 x_9))))))))))))))))))))))))))))))))))))

;; Tree_tree_max_ensures_default_po_3, File "HOME/tests/java/TreeMax.java", line 60, characters 16-33
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (Tree_left)
(FORALL (Tree_right)
(FORALL (Tree_value)
(IMPLIES (valid_struct_Tree this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Tree_value this_2))
(FORALL (result0)
(IMPLIES (EQ result0 (select Tree_left this_2))
(IMPLIES (EQ (offset_max Object_alloc_table result0) 0)
(FORALL (result1)
(IMPLIES (EQ result1 (select Tree_left this_2))
(FORALL (result2)
(IMPLIES (AND
         (EQ (mem
         result2 result1 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (FORALL (x_9)
         (IMPLIES
         (EQ (mem
         x_9 result1 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (>= (integer_of_int32 result2) (integer_of_int32 x_9)))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (max (integer_of_int32 result) (integer_of_int32 result2)))
(FORALL (m)
(IMPLIES (EQ m result3)
(FORALL (result4)
(IMPLIES (EQ result4 (select Tree_right this_2))
(IMPLIES (EQ result4 null)
(FORALL (return)
(IMPLIES (EQ return m)
(EQ (mem
return this_2 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)))))))))))))))))))))))))

;; Tree_tree_max_ensures_default_po_4, File "HOME/tests/java/TreeMax.java", line 61, characters 10-53
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (Tree_left)
(FORALL (Tree_right)
(FORALL (Tree_value)
(IMPLIES (valid_struct_Tree this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Tree_value this_2))
(FORALL (result0)
(IMPLIES (EQ result0 (select Tree_left this_2))
(IMPLIES (EQ (offset_max Object_alloc_table result0) 0)
(FORALL (result1)
(IMPLIES (EQ result1 (select Tree_left this_2))
(FORALL (result2)
(IMPLIES (AND
         (EQ (mem
         result2 result1 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (FORALL (x_9)
         (IMPLIES
         (EQ (mem
         x_9 result1 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (>= (integer_of_int32 result2) (integer_of_int32 x_9)))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (max (integer_of_int32 result) (integer_of_int32 result2)))
(FORALL (m)
(IMPLIES (EQ m result3)
(FORALL (result4)
(IMPLIES (EQ result4 (select Tree_right this_2))
(IMPLIES (EQ result4 null)
(FORALL (return)
(IMPLIES (EQ return m)
(FORALL (x_9)
(IMPLIES (EQ (mem
         x_9 this_2 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
(>= (integer_of_int32 return) (integer_of_int32 x_9))))))))))))))))))))))))))))

;; Tree_tree_max_ensures_default_po_5, File "HOME/tests/java/TreeMax.java", line 60, characters 16-33
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (Tree_left)
(FORALL (Tree_right)
(FORALL (Tree_value)
(IMPLIES (valid_struct_Tree this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Tree_value this_2))
(FORALL (result0)
(IMPLIES (EQ result0 (select Tree_left this_2))
(IMPLIES (EQ result0 null)
(FORALL (result1)
(IMPLIES (EQ result1 (select Tree_right this_2))
(IMPLIES (EQ (offset_max Object_alloc_table result1) 0)
(FORALL (result2)
(IMPLIES (EQ result2 (select Tree_right this_2))
(FORALL (result3)
(IMPLIES (AND
         (EQ (mem
         result3 result2 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (FORALL (x_9)
         (IMPLIES
         (EQ (mem
         x_9 result2 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (>= (integer_of_int32 result3) (integer_of_int32 x_9)))))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4)
         (max (integer_of_int32 result) (integer_of_int32 result3)))
(FORALL (m)
(IMPLIES (EQ m result4)
(FORALL (return)
(IMPLIES (EQ return m)
(EQ (mem
return this_2 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)))))))))))))))))))))))))

;; Tree_tree_max_ensures_default_po_6, File "HOME/tests/java/TreeMax.java", line 61, characters 10-53
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (Tree_left)
(FORALL (Tree_right)
(FORALL (Tree_value)
(IMPLIES (valid_struct_Tree this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Tree_value this_2))
(FORALL (result0)
(IMPLIES (EQ result0 (select Tree_left this_2))
(IMPLIES (EQ result0 null)
(FORALL (result1)
(IMPLIES (EQ result1 (select Tree_right this_2))
(IMPLIES (EQ (offset_max Object_alloc_table result1) 0)
(FORALL (result2)
(IMPLIES (EQ result2 (select Tree_right this_2))
(FORALL (result3)
(IMPLIES (AND
         (EQ (mem
         result3 result2 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (FORALL (x_9)
         (IMPLIES
         (EQ (mem
         x_9 result2 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (>= (integer_of_int32 result3) (integer_of_int32 x_9)))))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4)
         (max (integer_of_int32 result) (integer_of_int32 result3)))
(FORALL (m)
(IMPLIES (EQ m result4)
(FORALL (return)
(IMPLIES (EQ return m)
(FORALL (x_9)
(IMPLIES (EQ (mem
         x_9 this_2 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
(>= (integer_of_int32 return) (integer_of_int32 x_9))))))))))))))))))))))))))))

;; Tree_tree_max_ensures_default_po_7, File "HOME/tests/java/TreeMax.java", line 60, characters 16-33
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (Tree_left)
(FORALL (Tree_right)
(FORALL (Tree_value)
(IMPLIES (valid_struct_Tree this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Tree_value this_2))
(FORALL (result0)
(IMPLIES (EQ result0 (select Tree_left this_2))
(IMPLIES (EQ result0 null)
(FORALL (result1)
(IMPLIES (EQ result1 (select Tree_right this_2))
(IMPLIES (EQ result1 null)
(FORALL (return)
(IMPLIES (EQ return result)
(EQ (mem
return this_2 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)))))))))))))))))

;; Tree_tree_max_ensures_default_po_8, File "HOME/tests/java/TreeMax.java", line 61, characters 10-53
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (Tree_left)
(FORALL (Tree_right)
(FORALL (Tree_value)
(IMPLIES (valid_struct_Tree this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Tree_value this_2))
(FORALL (result0)
(IMPLIES (EQ result0 (select Tree_left this_2))
(IMPLIES (EQ result0 null)
(FORALL (result1)
(IMPLIES (EQ result1 (select Tree_right this_2))
(IMPLIES (EQ result1 null)
(FORALL (return)
(IMPLIES (EQ return result)
(FORALL (x_9)
(IMPLIES (EQ (mem
         x_9 this_2 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
(>= (integer_of_int32 return) (integer_of_int32 x_9))))))))))))))))))))

;; Tree_tree_max_safety_po_1, File "why/TreeMax.why", line 871, characters 16-70
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (Tree_left)
(FORALL (Tree_value)
(IMPLIES (valid_struct_Tree this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Tree_value this_2))
(FORALL (result0)
(IMPLIES (EQ result0 (select Tree_left this_2))
(IMPLIES (EQ (offset_max Object_alloc_table result0) 0)
(FORALL (result1)
(IMPLIES (EQ result1 (select Tree_left this_2))
(>= (offset_max Object_alloc_table result1) 0)))))))))))))

;; Tree_tree_max_safety_po_2, File "why/TreeMax.why", line 886, characters 15-70
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (Tree_left)
(FORALL (Tree_right)
(FORALL (Tree_value)
(IMPLIES (valid_struct_Tree this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Tree_value this_2))
(FORALL (result0)
(IMPLIES (EQ result0 (select Tree_left this_2))
(IMPLIES (EQ (offset_max Object_alloc_table result0) 0)
(FORALL (result1)
(IMPLIES (EQ result1 (select Tree_left this_2))
(IMPLIES (>= (offset_max Object_alloc_table result1) 0)
(FORALL (result2)
(IMPLIES (AND
         (EQ (mem
         result2 result1 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (FORALL (x_9)
         (IMPLIES
         (EQ (mem
         x_9 result1 Object_alloc_table Tree_right Tree_left Tree_value) |@true|)
         (>= (integer_of_int32 result2) (integer_of_int32 x_9)))))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3)
         (max (integer_of_int32 result) (integer_of_int32 result2)))
(FORALL (m)
(IMPLIES (EQ m result3)
(FORALL (result4)
(IMPLIES (EQ result4 (select Tree_right this_2))
(IMPLIES (EQ (offset_max Object_alloc_table result4) 0)
(FORALL (result5)
(IMPLIES (EQ result5 (select Tree_right this_2))
(>= (offset_max Object_alloc_table result5) 0))))))))))))))))))))))))))

;; Tree_tree_max_safety_po_3, File "why/TreeMax.why", line 886, characters 15-70
(FORALL (this_2)
(FORALL (Object_alloc_table)
(FORALL (Tree_left)
(FORALL (Tree_right)
(FORALL (Tree_value)
(IMPLIES (valid_struct_Tree this_2 0 0 Object_alloc_table)
(FORALL (result)
(IMPLIES (EQ result (select Tree_value this_2))
(FORALL (result0)
(IMPLIES (EQ result0 (select Tree_left this_2))
(IMPLIES (EQ result0 null)
(FORALL (result1)
(IMPLIES (EQ result1 (select Tree_right this_2))
(IMPLIES (EQ (offset_max Object_alloc_table result1) 0)
(FORALL (result2)
(IMPLIES (EQ result2 (select Tree_right this_2))
(>= (offset_max Object_alloc_table result2) 0)))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/TreeMax_why.sx       : .......?... (10/0/1/0/0)
total   :  11
valid   :  10 ( 91%)
invalid :   0 (  0%)
unknown :   1 (  9%)
timeout :   0 (  0%)
failure :   0 (  0%)
========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/TreeMax.why
========== file tests/java/why/TreeMax_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Object

type byte

type char

type int32

type interface

type long

type short

logic Exception_tag : Object tag_id

logic Object_tag : Object tag_id

axiom Exception_parenttag_Object: parenttag(Exception_tag, Object_tag)

logic Int_tag : Object tag_id

axiom Int_parenttag_Object: parenttag(Int_tag, Object_tag)

predicate Non_null_Object(x_0: Object pointer,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  x_0) >= 0)

axiom Object_int: (int_of_tag(Object_tag) = 1)

logic Object_of_pointer_address : unit pointer -> Object pointer

axiom Object_of_pointer_address_of_pointer_addr:
  (forall p:Object pointer.
    (p = Object_of_pointer_address(pointer_address(p))))

axiom Object_parenttag_bottom: parenttag(Object_tag, bottom_tag)

axiom Object_tags:
  (forall x:Object pointer.
    (forall Object_tag_table:Object tag_table. instanceof(Object_tag_table,
      x, Object_tag)))

logic String_tag : Object tag_id

axiom String_parenttag_Object: parenttag(String_tag, Object_tag)

logic Throwable_tag : Object tag_id

axiom Throwable_parenttag_Object: parenttag(Throwable_tag, Object_tag)

logic Tree_tag : Object tag_id

axiom Tree_parenttag_Object: parenttag(Tree_tag, Object_tag)

logic integer_of_byte : byte -> int

logic byte_of_integer : int -> byte

axiom byte_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_byte(byte_of_integer(x)) = x)))

axiom byte_extensionality:
  (forall x:byte.
    (forall y:byte. ((integer_of_byte(x) = integer_of_byte(y)) -> (x = y))))

axiom byte_range:
  (forall x:byte.
    (((-128) <= integer_of_byte(x)) and (integer_of_byte(x) <= 127)))

logic integer_of_char : char -> int

logic char_of_integer : int -> char

axiom char_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 65535)) -> (integer_of_char(char_of_integer(x)) = x)))

axiom char_extensionality:
  (forall x:char.
    (forall y:char. ((integer_of_char(x) = integer_of_char(y)) -> (x = y))))

axiom char_range:
  (forall x:char.
    ((0 <= integer_of_char(x)) and (integer_of_char(x) <= 65535)))

predicate eq_byte(x: byte, y: byte) =
  (integer_of_byte(x) = integer_of_byte(y))

predicate eq_char(x: char, y: char) =
  (integer_of_char(x) = integer_of_char(y))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_long : long -> int

predicate eq_long(x: long, y: long) =
  (integer_of_long(x) = integer_of_long(y))

logic integer_of_short : short -> int

predicate eq_short(x: short, y: short) =
  (integer_of_short(x) = integer_of_short(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic interface_tag : interface tag_id

axiom interface_int: (int_of_tag(interface_tag) = 1)

logic interface_of_pointer_address : unit pointer -> interface pointer

axiom interface_of_pointer_address_of_pointer_addr:
  (forall p:interface pointer.
    (p = interface_of_pointer_address(pointer_address(p))))

axiom interface_parenttag_bottom: parenttag(interface_tag, bottom_tag)

axiom interface_tags:
  (forall x:interface pointer.
    (forall interface_tag_table:interface tag_table.
      instanceof(interface_tag_table, x, interface_tag)))

predicate left_valid_struct_Object(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = (offset_min(Object_alloc_table,
  p) <= a)

predicate left_valid_struct_Exception(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Int(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_String(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Throwable(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_Tree(p: Object pointer, a: int,
  Object_alloc_table: Object alloc_table) = left_valid_struct_Object(p, a,
  Object_alloc_table)

predicate left_valid_struct_interface(p: interface pointer, a: int,
  interface_alloc_table: interface alloc_table) =
  (offset_min(interface_alloc_table, p) <= a)

logic long_of_integer : int -> long

axiom long_coerce:
  (forall x:int.
    ((((-9223372036854775808) <= x) and (x <= 9223372036854775807)) ->
     (integer_of_long(long_of_integer(x)) = x)))

axiom long_extensionality:
  (forall x:long.
    (forall y:long. ((integer_of_long(x) = integer_of_long(y)) -> (x = y))))

axiom long_range:
  (forall x:long.
    (((-9223372036854775808) <= integer_of_long(x)) and
     (integer_of_long(x) <= 9223372036854775807)))

logic max : int, int -> int

logic mem : int32, Object pointer, Object alloc_table, (Object,
Object pointer) memory, (Object, Object pointer) memory, (Object,
int32) memory -> prop

axiom pointer_addr_of_Object_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(Object_of_pointer_address(p))))

axiom pointer_addr_of_interface_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(interface_of_pointer_address(p))))

predicate right_valid_struct_Object(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = (offset_max(Object_alloc_table,
  p) >= b)

predicate right_valid_struct_Exception(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Int(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_String(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Throwable(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_Tree(p: Object pointer, b: int,
  Object_alloc_table: Object alloc_table) = right_valid_struct_Object(p, b,
  Object_alloc_table)

predicate right_valid_struct_interface(p: interface pointer, b: int,
  interface_alloc_table: interface alloc_table) =
  (offset_max(interface_alloc_table, p) >= b)

logic short_of_integer : int -> short

axiom short_coerce:
  (forall x:int.
    ((((-32768) <= x) and (x <= 32767)) ->
     (integer_of_short(short_of_integer(x)) = x)))

axiom short_extensionality:
  (forall x:short.
    (forall y:short.
      ((integer_of_short(x) = integer_of_short(y)) -> (x = y))))

axiom short_range:
  (forall x:short.
    (((-32768) <= integer_of_short(x)) and (integer_of_short(x) <= 32767)))

predicate strict_valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate strict_valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) = a) and
   (offset_max(Object_alloc_table, p) = b))

predicate strict_valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Int(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_Tree(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = strict_valid_struct_Object(p, a,
  b, Object_alloc_table)

predicate strict_valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) = a) and
   (offset_max(interface_alloc_table, p) = b))

predicate valid_root_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_root_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

predicate valid_struct_Object(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) =
  ((offset_min(Object_alloc_table, p) <= a) and
   (offset_max(Object_alloc_table, p) >= b))

predicate valid_struct_Exception(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Int(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_String(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Throwable(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_Tree(p: Object pointer, a: int, b: int,
  Object_alloc_table: Object alloc_table) = valid_struct_Object(p, a, b,
  Object_alloc_table)

predicate valid_struct_interface(p: interface pointer, a: int, b: int,
  interface_alloc_table: interface alloc_table) =
  ((offset_min(interface_alloc_table, p) <= a) and
   (offset_max(interface_alloc_table, p) >= b))

axiom mem_inversion:
  (forall Object_alloc_table_at_L:Object alloc_table.
    (forall Tree_right_at_L:(Object, Object pointer) memory.
      (forall Tree_left_at_L:(Object, Object pointer) memory.
        (forall Tree_value_at_L:(Object, int32) memory.
          (forall x_8:int32.
            (forall t_4:Object pointer.
              (mem(x_8, t_4, Object_alloc_table_at_L, Tree_right_at_L,
               Tree_left_at_L, Tree_value_at_L) ->
               (Non_null_Object(t_4, Object_alloc_table_at_L) and
                ((integer_of_int32(x_8) = integer_of_int32(select(Tree_value_at_L,
                 t_4))) or
                 (mem(x_8, select(Tree_left_at_L, t_4),
                  Object_alloc_table_at_L, Tree_right_at_L, Tree_left_at_L,
                  Tree_value_at_L) or mem(x_8, select(Tree_right_at_L, t_4),
                  Object_alloc_table_at_L, Tree_right_at_L, Tree_left_at_L,
                  Tree_value_at_L)))))))))))

axiom mem_right:
  (forall Object_alloc_table_at_L:Object alloc_table.
    (forall Tree_right_at_L:(Object, Object pointer) memory.
      (forall Tree_left_at_L:(Object, Object pointer) memory.
        (forall Tree_value_at_L:(Object, int32) memory.
          (forall x_7:int32.
            (forall t_3:Object pointer.
              (Non_null_Object(t_3, Object_alloc_table_at_L) ->
               (mem(x_7, select(Tree_right_at_L, t_3),
                Object_alloc_table_at_L, Tree_right_at_L, Tree_left_at_L,
                Tree_value_at_L) -> mem(x_7, t_3, Object_alloc_table_at_L,
                Tree_right_at_L, Tree_left_at_L, Tree_value_at_L)))))))))

axiom mem_left:
  (forall Object_alloc_table_at_L:Object alloc_table.
    (forall Tree_right_at_L:(Object, Object pointer) memory.
      (forall Tree_left_at_L:(Object, Object pointer) memory.
        (forall Tree_value_at_L:(Object, int32) memory.
          (forall x_6:int32.
            (forall t_2:Object pointer.
              (Non_null_Object(t_2, Object_alloc_table_at_L) ->
               (mem(x_6, select(Tree_left_at_L, t_2),
                Object_alloc_table_at_L, Tree_right_at_L, Tree_left_at_L,
                Tree_value_at_L) -> mem(x_6, t_2, Object_alloc_table_at_L,
                Tree_right_at_L, Tree_left_at_L, Tree_value_at_L)))))))))

axiom mem_root_eq:
  (forall Object_alloc_table_at_L:Object alloc_table.
    (forall Tree_right_at_L:(Object, Object pointer) memory.
      (forall Tree_left_at_L:(Object, Object pointer) memory.
        (forall Tree_value_at_L:(Object, int32) memory.
          (forall x_5:int32.
            (forall t_1:Object pointer.
              (Non_null_Object(t_1, Object_alloc_table_at_L) ->
               ((integer_of_int32(x_5) = integer_of_int32(select(Tree_value_at_L,
                t_1))) -> mem(x_5, t_1, Object_alloc_table_at_L,
                Tree_right_at_L, Tree_left_at_L, Tree_value_at_L)))))))))

axiom mem_root:
  (forall Object_alloc_table_at_L:Object alloc_table.
    (forall Tree_right_at_L:(Object, Object pointer) memory.
      (forall Tree_left_at_L:(Object, Object pointer) memory.
        (forall Tree_value_at_L:(Object, int32) memory.
          (forall t_0:Object pointer.
            (Non_null_Object(t_0, Object_alloc_table_at_L) ->
             mem(select(Tree_value_at_L, t_0), t_0, Object_alloc_table_at_L,
             Tree_right_at_L, Tree_left_at_L, Tree_value_at_L)))))))

axiom mem_null:
  (forall Object_alloc_table_at_L:Object alloc_table.
    (forall Tree_right_at_L:(Object, Object pointer) memory.
      (forall Tree_left_at_L:(Object, Object pointer) memory.
        (forall Tree_value_at_L:(Object, int32) memory.
          (forall x_4:int32. (not mem(x_4, null, Object_alloc_table_at_L,
            Tree_right_at_L, Tree_left_at_L, Tree_value_at_L)))))))

axiom max_is_some:
  (forall x_1_0:int.
    (forall y_1:int. ((max(x_1_0, y_1) = x_1_0) or (max(x_1_0, y_1) = y_1))))

axiom max_is_ge:
  (forall x_0_0:int.
    (forall y_0:int.
      ((max(x_0_0, y_0) >= x_0_0) and (max(x_0_0, y_0) >= y_0))))

goal Tree_tree_max_ensures_default_po_1:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result0) = 0)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_left, this_2)) ->
  forall result2:int32.
  ("JC_108":
  (("JC_106": mem(result2, result1, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result1, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result2) >= integer_of_int32(x_9))))))) ->
  forall result3:int32.
  ("JC_96": (integer_of_int32(result3) = max(integer_of_int32(result),
  integer_of_int32(result2)))) ->
  forall m:int32.
  (m = result3) ->
  forall result4:Object pointer.
  (result4 = select(Tree_right, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result4) = 0)) ->
  forall result5:Object pointer.
  (result5 = select(Tree_right, this_2)) ->
  forall result6:int32.
  ("JC_108":
  (("JC_106": mem(result6, result5, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result5, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result6) >= integer_of_int32(x_9))))))) ->
  forall result7:int32.
  ("JC_96": (integer_of_int32(result7) = max(integer_of_int32(m),
  integer_of_int32(result6)))) ->
  forall m0:int32.
  (m0 = result7) ->
  forall return:int32.
  (return = m0) ->
  ("JC_105":
  ("JC_103": mem(return, this_2, Object_alloc_table, Tree_right, Tree_left,
  Tree_value)))

goal Tree_tree_max_ensures_default_po_2:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result0) = 0)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_left, this_2)) ->
  forall result2:int32.
  ("JC_108":
  (("JC_106": mem(result2, result1, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result1, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result2) >= integer_of_int32(x_9))))))) ->
  forall result3:int32.
  ("JC_96": (integer_of_int32(result3) = max(integer_of_int32(result),
  integer_of_int32(result2)))) ->
  forall m:int32.
  (m = result3) ->
  forall result4:Object pointer.
  (result4 = select(Tree_right, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result4) = 0)) ->
  forall result5:Object pointer.
  (result5 = select(Tree_right, this_2)) ->
  forall result6:int32.
  ("JC_108":
  (("JC_106": mem(result6, result5, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result5, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result6) >= integer_of_int32(x_9))))))) ->
  forall result7:int32.
  ("JC_96": (integer_of_int32(result7) = max(integer_of_int32(m),
  integer_of_int32(result6)))) ->
  forall m0:int32.
  (m0 = result7) ->
  forall return:int32.
  (return = m0) ->
  forall x_9:int32.
  mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left, Tree_value) ->
  ("JC_105": ("JC_104": (integer_of_int32(return) >= integer_of_int32(x_9))))

goal Tree_tree_max_ensures_default_po_3:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result0) = 0)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_left, this_2)) ->
  forall result2:int32.
  ("JC_108":
  (("JC_106": mem(result2, result1, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result1, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result2) >= integer_of_int32(x_9))))))) ->
  forall result3:int32.
  ("JC_96": (integer_of_int32(result3) = max(integer_of_int32(result),
  integer_of_int32(result2)))) ->
  forall m:int32.
  (m = result3) ->
  forall result4:Object pointer.
  (result4 = select(Tree_right, this_2)) ->
  ("JC_18": (result4 = null)) ->
  forall return:int32.
  (return = m) ->
  ("JC_105":
  ("JC_103": mem(return, this_2, Object_alloc_table, Tree_right, Tree_left,
  Tree_value)))

goal Tree_tree_max_ensures_default_po_4:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result0) = 0)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_left, this_2)) ->
  forall result2:int32.
  ("JC_108":
  (("JC_106": mem(result2, result1, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result1, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result2) >= integer_of_int32(x_9))))))) ->
  forall result3:int32.
  ("JC_96": (integer_of_int32(result3) = max(integer_of_int32(result),
  integer_of_int32(result2)))) ->
  forall m:int32.
  (m = result3) ->
  forall result4:Object pointer.
  (result4 = select(Tree_right, this_2)) ->
  ("JC_18": (result4 = null)) ->
  forall return:int32.
  (return = m) ->
  forall x_9:int32.
  mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left, Tree_value) ->
  ("JC_105": ("JC_104": (integer_of_int32(return) >= integer_of_int32(x_9))))

goal Tree_tree_max_ensures_default_po_5:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (result0 = null)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_right, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result1) = 0)) ->
  forall result2:Object pointer.
  (result2 = select(Tree_right, this_2)) ->
  forall result3:int32.
  ("JC_108":
  (("JC_106": mem(result3, result2, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result2, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result3) >= integer_of_int32(x_9))))))) ->
  forall result4:int32.
  ("JC_96": (integer_of_int32(result4) = max(integer_of_int32(result),
  integer_of_int32(result3)))) ->
  forall m:int32.
  (m = result4) ->
  forall return:int32.
  (return = m) ->
  ("JC_105":
  ("JC_103": mem(return, this_2, Object_alloc_table, Tree_right, Tree_left,
  Tree_value)))

goal Tree_tree_max_ensures_default_po_6:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (result0 = null)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_right, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result1) = 0)) ->
  forall result2:Object pointer.
  (result2 = select(Tree_right, this_2)) ->
  forall result3:int32.
  ("JC_108":
  (("JC_106": mem(result3, result2, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result2, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result3) >= integer_of_int32(x_9))))))) ->
  forall result4:int32.
  ("JC_96": (integer_of_int32(result4) = max(integer_of_int32(result),
  integer_of_int32(result3)))) ->
  forall m:int32.
  (m = result4) ->
  forall return:int32.
  (return = m) ->
  forall x_9:int32.
  mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left, Tree_value) ->
  ("JC_105": ("JC_104": (integer_of_int32(return) >= integer_of_int32(x_9))))

goal Tree_tree_max_ensures_default_po_7:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (result0 = null)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_right, this_2)) ->
  ("JC_18": (result1 = null)) ->
  forall return:int32.
  (return = result) ->
  ("JC_105":
  ("JC_103": mem(return, this_2, Object_alloc_table, Tree_right, Tree_left,
  Tree_value)))

goal Tree_tree_max_ensures_default_po_8:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (result0 = null)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_right, this_2)) ->
  ("JC_18": (result1 = null)) ->
  forall return:int32.
  (return = result) ->
  forall x_9:int32.
  mem(x_9, this_2, Object_alloc_table, Tree_right, Tree_left, Tree_value) ->
  ("JC_105": ("JC_104": (integer_of_int32(return) >= integer_of_int32(x_9))))

goal Tree_tree_max_safety_po_1:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result0) = 0)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_left, this_2)) ->
  (offset_max(Object_alloc_table, result1) >= 0)

goal Tree_tree_max_safety_po_2:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result0) = 0)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_left, this_2)) ->
  (offset_max(Object_alloc_table, result1) >= 0) ->
  forall result2:int32.
  ("JC_108":
  (("JC_106": mem(result2, result1, Object_alloc_table, Tree_right,
   Tree_left, Tree_value)) and
   ("JC_107":
   (forall x_9:int32.
     (mem(x_9, result1, Object_alloc_table, Tree_right, Tree_left,
      Tree_value) -> (integer_of_int32(result2) >= integer_of_int32(x_9))))))) ->
  forall result3:int32.
  ("JC_96": (integer_of_int32(result3) = max(integer_of_int32(result),
  integer_of_int32(result2)))) ->
  forall m:int32.
  (m = result3) ->
  forall result4:Object pointer.
  (result4 = select(Tree_right, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result4) = 0)) ->
  forall result5:Object pointer.
  (result5 = select(Tree_right, this_2)) ->
  (offset_max(Object_alloc_table, result5) >= 0)

goal Tree_tree_max_safety_po_3:
  forall this_2:Object pointer.
  forall Object_alloc_table:Object alloc_table.
  forall Tree_left:(Object, Object pointer) memory.
  forall Tree_right:(Object,
  Object pointer) memory.
  forall Tree_value:(Object,
  int32) memory.
  valid_struct_Tree(this_2, 0, 0, Object_alloc_table) ->
  forall result:int32.
  (result = select(Tree_value, this_2)) ->
  forall result0:Object pointer.
  (result0 = select(Tree_left, this_2)) ->
  ("JC_18": (result0 = null)) ->
  forall result1:Object pointer.
  (result1 = select(Tree_right, this_2)) ->
  ("JC_18": (offset_max(Object_alloc_table, result1) = 0)) ->
  forall result2:Object pointer.
  (result2 = select(Tree_right, this_2)) ->
  (offset_max(Object_alloc_table, result2) >= 0)

why-2.34/tests/java/oracle/SelectionSort.err.oracle0000644000175000017500000000062612311670312020724 0ustar  rtusersWarning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
why-2.34/tests/java/oracle/Switch.err.oracle0000644000175000017500000000000012311670312017352 0ustar  rtuserswhy-2.34/tests/java/oracle/AllZeros.err.oracle0000644000175000017500000000000012311670312017644 0ustar  rtuserswhy-2.34/tests/java/oracle/Counter.err.oracle0000644000175000017500000000000012311670312017530 0ustar  rtuserswhy-2.34/tests/java/bts15964.java0000644000175000017500000000453312311670312014751 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class bts15964 {
        public void f() {
            Object x = null;
        }
}
why-2.34/tests/java/PreAndOld.java0000644000175000017500000000524212311670312015356 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

//@ logic integer f{L}(integer n) = n+PreAndOld.y;


class PreAndOld {

    static int y;

    /*@ ensures \result == \old(f(x))
      @      && \result == f{Old}(x)
      @      && \result == \at(f(x),Pre);
      @*/
    int g(int x) {
        int tmp = y;
        y = 12;
        return x+tmp;
    }
}





/*
Local Variables:
compile-command: "make PreAndOld.why3ide"
End:
*/

why-2.34/tests/java/coq/0000755000175000017500000000000012311670312013462 5ustar  rtuserswhy-2.34/tests/java/coq/Fibonacci_why.v0000644000175000017500000003666312311670312016433 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export jessie_why.

(*Why type*) Definition Object: Set.
Admitted.

(*Why type*) Definition interface: Set.
Admitted.

(*Why logic*) Definition Exception_tag : (tag_id Object).
Admitted.

(*Why logic*) Definition Object_tag : (tag_id Object).
Admitted.

(*Why axiom*) Lemma Exception_parenttag_Object :
  (parenttag Exception_tag Object_tag).
Admitted.

(*Why logic*) Definition Fibonacci_tag : (tag_id Object).
Admitted.

(*Why axiom*) Lemma Fibonacci_parenttag_Object :
  (parenttag Fibonacci_tag Object_tag).
Admitted.

(*Why predicate*) Definition Non_null_Object  (x_0:(pointer Object)) (Object_alloc_table:(alloc_table Object))
  := (offset_max Object_alloc_table x_0) >= 0.

(*Why axiom*) Lemma Object_int : (int_of_tag Object_tag) = 1.
Admitted.

(*Why logic*) Definition Object_of_pointer_address :
  (pointer unit) -> (pointer Object).
Admitted.

(*Why axiom*) Lemma Object_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer Object)),
   p = (Object_of_pointer_address (pointer_address p))).
Admitted.

(*Why axiom*) Lemma Object_parenttag_bottom :
  (parenttag Object_tag (@bottom_tag Object)).
Admitted.

(*Why axiom*) Lemma Object_tags :
  (forall (x:(pointer Object)),
   (forall (Object_tag_table:(tag_table Object)),
    (instanceof Object_tag_table x Object_tag))).
Admitted.

(*Why logic*) Definition String_tag : (tag_id Object).
Admitted.

(*Why axiom*) Lemma String_parenttag_Object :
  (parenttag String_tag Object_tag).
Admitted.

(*Why logic*) Definition Throwable_tag : (tag_id Object).
Admitted.

(*Why axiom*) Lemma Throwable_parenttag_Object :
  (parenttag Throwable_tag Object_tag).
Admitted.


(*Why logic*) Definition interface_tag : (tag_id interface).
Admitted.

(*Why axiom*) Lemma interface_int : (int_of_tag interface_tag) = 1.
Admitted.

(*Why logic*) Definition interface_of_pointer_address :
  (pointer unit) -> (pointer interface).
Admitted.

(*Why axiom*) Lemma interface_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer interface)),
   p = (interface_of_pointer_address (pointer_address p))).
Admitted.

(*Why axiom*) Lemma interface_parenttag_bottom :
  (parenttag interface_tag (@bottom_tag interface)).
Admitted.

(*Why axiom*) Lemma interface_tags :
  (forall (x:(pointer interface)),
   (forall (interface_tag_table:(tag_table interface)),
    (instanceof interface_tag_table x interface_tag))).
Admitted.

(*Why inductive*) Inductive isfib  : Z -> Z -> Prop 
  := | isfib0 : (isfib 0 0)
     
     | isfib1 : (isfib 1 1)
     
     | isfibn : (forall (n:Z),
                 (forall (r_0:Z),
                  (forall (p:Z),
                   (n >= 2 /\ (isfib (n - 2) r_0) /\ (isfib (n - 1) p) ->
                    (isfib n (p + r_0))))))
     .

(*Why predicate*) Definition left_valid_struct_Object  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_Exception  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (left_valid_struct_Object p a Object_alloc_table).

(*Why predicate*) Definition left_valid_struct_Fibonacci  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (left_valid_struct_Object p a Object_alloc_table).

(*Why predicate*) Definition left_valid_struct_String  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (left_valid_struct_Object p a Object_alloc_table).

(*Why predicate*) Definition left_valid_struct_Throwable  (p:(pointer Object)) (a:Z) (Object_alloc_table:(alloc_table Object))
  := (left_valid_struct_Object p a Object_alloc_table).

(*Why predicate*) Definition left_valid_struct_interface  (p:(pointer interface)) (a:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) <= a.

(*Why axiom*) Lemma pointer_addr_of_Object_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (Object_of_pointer_address p))).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_interface_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (interface_of_pointer_address p))).
Admitted.

(*Why predicate*) Definition right_valid_struct_Object  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_max Object_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_Exception  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (right_valid_struct_Object p b Object_alloc_table).

(*Why predicate*) Definition right_valid_struct_Fibonacci  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (right_valid_struct_Object p b Object_alloc_table).

(*Why predicate*) Definition right_valid_struct_String  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (right_valid_struct_Object p b Object_alloc_table).

(*Why predicate*) Definition right_valid_struct_Throwable  (p:(pointer Object)) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (right_valid_struct_Object p b Object_alloc_table).

(*Why predicate*) Definition right_valid_struct_interface  (p:(pointer interface)) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_max interface_alloc_table p) >= b.

(*Why predicate*) Definition strict_valid_root_Object  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) = a /\
     (offset_max Object_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_interface  (p:(pointer interface)) (a:Z) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) = a /\
     (offset_max interface_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_Object  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) = a /\
     (offset_max Object_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_Exception  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (strict_valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition strict_valid_struct_Fibonacci  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (strict_valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition strict_valid_struct_String  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (strict_valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition strict_valid_struct_Throwable  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (strict_valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition strict_valid_struct_interface  (p:(pointer interface)) (a:Z) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) = a /\
     (offset_max interface_alloc_table p) = b.







(*Why predicate*) Definition valid_root_Object  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) <= a /\
     (offset_max Object_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_interface  (p:(pointer interface)) (a:Z) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) <= a /\
     (offset_max interface_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_Object  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (offset_min Object_alloc_table p) <= a /\
     (offset_max Object_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_Exception  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition valid_struct_Fibonacci  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition valid_struct_String  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition valid_struct_Throwable  (p:(pointer Object)) (a:Z) (b:Z) (Object_alloc_table:(alloc_table Object))
  := (valid_struct_Object p a b Object_alloc_table).

(*Why predicate*) Definition valid_struct_interface  (p:(pointer interface)) (a:Z) (b:Z) (interface_alloc_table:(alloc_table interface))
  := (offset_min interface_alloc_table p) <= a /\
     (offset_max interface_alloc_table p) >= b.

(* Why obligation from file "Fibonacci.java", line 46, characters 10-19: *)
(*Why goal*) Lemma isfib_2_1 : 
  (isfib 2 1).
Proof.
apply isfibn with (r_0:=0) (p:=1); intuition.
apply isfib0.
apply isfib1.
Save.

(* Why obligation from file "Fibonacci.java", line 47, characters 10-19: *)
(*Why goal*) Lemma isfib_6_8 : 
  (isfib 6 8).
Proof.
assert (isfib3: isfib 3 2).
apply isfibn with (r_0:=1) (p:=1); intuition.
apply isfib1.
apply isfib_2_1.
assert (isfib4: isfib 4 3).
apply isfibn with (r_0:=1) (p:=2); intuition.
apply isfib_2_1.
assert (isfib5: isfib 5 5).
apply isfibn with (r_0:=2) (p:=3); intuition.
apply isfibn with (r_0:=3) (p:=5); intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 50, characters 10-23: *)
(*Why goal*) Lemma not_isfib_2_2 : 
  ~(isfib 2 2).
Proof.
intro h; inversion h; intuition.
replace (p + r_0 - (p + r_0)) with 0 in H1 by omega.
inversion H1; auto with zarith.
assert (p=2) by omega.
subst.
replace (2 + 0 - 1) with 1 in H4 by omega.
inversion H4; auto with zarith.
Save.




































(* Why obligation from file "Fibonacci.java", line 60, characters 20-26: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_1 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  (* JC_48 *) (* JC_44 *) 0 <= 0.
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 25-31: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_2 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  (* JC_48 *) (* JC_45 *) 0 <= n_0.
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 35-47: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_3 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  (* JC_48 *) (* JC_46 *) (isfib (0 + 1) 1).
Proof.
intros; apply isfib1.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 51-61: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_4 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  (* JC_48 *) (* JC_47 *) (isfib 0 0).
Proof.
intros; apply isfib0.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 20-26: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_5 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  (* JC_48 *) (* JC_44 *) 0 <= i0.
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 25-31: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_6 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  (* JC_48 *) (* JC_45 *) i0 <= n_0.
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 35-47: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_7 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  (* JC_48 *) (* JC_46 *) (isfib (i0 + 1) x_0_0_0).
Proof.
intuition;subst; auto.
apply isfibn; intuition.
replace (i+1+1-2) with i; auto with zarith.
replace (i+1+1-1) with (i+1); auto with zarith.
Save.

(* Why obligation from file "Fibonacci.java", line 60, characters 51-61: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_8 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  (* JC_48 *) (* JC_47 *) (isfib i0 y0).
Proof.
intuition; subst; auto.
Save.

(* Why obligation from file "Fibonacci.java", line 55, characters 16-33: *)
(*Why goal*) Lemma Fibonacci_Fib_ensures_default_po_9 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_48 *) ((* JC_44 *) 0 <= i /\ (* JC_45 *) i <= n_0 /\
                (* JC_46 *) (isfib (i + 1) x_0_0) /\ (* JC_47 *) (isfib i y))),
  forall (HW_11: i >= n_0),
  forall (why__return: Z),
  forall (HW_12: why__return = y),
  (* JC_31 *) (isfib n_0 why__return).
Proof.
intuition.
assert (i=n_0) by omega.
subst; auto.
Save.

(* Why obligation from file "Fibonacci.java", line 61, characters 18-21: *)
(*Why goal*) Lemma Fibonacci_Fib_safety_po_1 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_41 *) True),
  forall (HW_5: (* JC_39 *) ((* JC_35 *) 0 <= i /\ (* JC_36 *) i <= n_0 /\
                (* JC_37 *) (isfib (i + 1) x_0_0) /\ (* JC_38 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  0 <= ((* JC_43 *) (n_0 - i)).
Proof.
intuition.
Save.

(* Why obligation from file "Fibonacci.java", line 61, characters 18-21: *)
(*Why goal*) Lemma Fibonacci_Fib_safety_po_2 : 
  forall (n_0: Z),
  forall (HW_1: (* JC_29 *) n_0 >= 0),
  forall (i: Z),
  forall (x_0_0: Z),
  forall (y: Z),
  forall (HW_4: (* JC_41 *) True),
  forall (HW_5: (* JC_39 *) ((* JC_35 *) 0 <= i /\ (* JC_36 *) i <= n_0 /\
                (* JC_37 *) (isfib (i + 1) x_0_0) /\ (* JC_38 *) (isfib i y))),
  forall (HW_6: i < n_0),
  forall (aux: Z),
  forall (HW_7: aux = y),
  forall (y0: Z),
  forall (HW_8: y0 = x_0_0),
  forall (x_0_0_0: Z),
  forall (HW_9: x_0_0_0 = (x_0_0 + aux)),
  forall (i0: Z),
  forall (HW_10: i0 = (i + 1)),
  ((* JC_43 *) (n_0 - i0)) < ((* JC_43 *) (n_0 - i)).
Proof.
intuition.
Save.

why-2.34/tests/java/Isqrt.java0000644000175000017500000000560212311670312014650 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

//@ logic integer sqr(integer x) = x * x;

class Isqrt {

/*@ requires x >= 0;
  @ ensures \result >= 0 && sqr(\result) <= x && x < sqr(\result + 1);
  @*/
static int isqrt(int x) {
  int count = 0, sum = 1;
  /*@ loop_invariant count >= 0 && x >= sqr(count) && sum == sqr(count+1);
    @ loop_variant  x - count; 
    @*/
  while (sum <= x) sum += 2 * ++count + 1;
  return count;
}

//@ ensures \result == 4;
static int main () {
  int r;
  r = isqrt(17);
  //@ assert r < 4 ==> false;
  //@ assert r > 4 ==> false;
  return r;
}

}

/*
Local Variables:
compile-command: "make Isqrt.why3ide"
End:
*/


why-2.34/tests/java/Negate.java0000644000175000017500000000566312311670312014760 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@+ CheckArithOverflow = no

public class negate {

    /*@ requires t != null;
      @ assigns t[0..t.length-1];
      @ ensures \forall integer k; 0 <= k < t.length ==> t[k] == -\old(t[k]);
      @*/
    static void negate(int t[]) {
	int i = 0;
	/*@ loop_invariant
	  @   0 <= i <= t.length &&
	  @   (\forall integer k; 0 <= k < i ==> t[k] == -\at(t[k],Pre)) &&
	  @   (\forall integer k; i <= k < t.length ==> t[k] == \at(t[k],Pre)) ;
	  @ // TODO: replace previous invariant by loop_assigns t[0..i-1];
	  @ loop_variant t.length-i;
	  @*/
	while (i < t.length) {
	    t[i] = -t[i];
	    i++;
	}

    }

}



/*
Local Variables:
compile-command: "make Negate.why3ide"
End:
*/

why-2.34/tests/java/ArrayMax.java0000644000175000017500000000664212311670312015277 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 1: Maximum in an array

Given: A non-empty integer array a.

Verify that the index returned by the method max() given below points to
an element maximal in the array.

*/

/*@ axiomatic integer_max {
  @   logic integer max(integer x, integer y);
  @   axiom max_is_ge : \forall integer x y; max(x,y) >= x && max(x,y) >= y;
  @   axiom max_is_some : \forall integer x y; max(x,y) == x || max(x,y) == y;
  @ }
  @*/

public class ArrayMax {


    /*@ requires a.length > 0;
      @ ensures 0 <= \result < a.length &&
      @   \forall integer i; 0 <= i < a.length ==> a[i] <= a[\result];
      @*/
    public static int max(int[] a) {
        int x = 0;
        int y = a.length-1;
        /*@ loop_invariant 0 <= x <= y < a.length &&
          @      \forall integer i;
          @         0 <= i < x || y < i < a.length ==>
          @         a[i] <= max(a[x],a[y]);
          @ loop_variant y - x;
          @*/
        while (x != y) {
            if (a[x] <= a[y]) x++;
                else y--;
        }
        return x;
    }

}

/*
Local Variables:
compile-command: "make ArrayMax.why3ide"
End:
*/

why-2.34/tests/java/Fact.java0000644000175000017500000000551012311670312014421 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// int model: unbounded mathematical integers
//@+ CheckArithOverflow = no

/*@ inductive isfact(integer x, integer r) {
  @  case isfact0: isfact(0,1);
  @  case isfactn:
  @   \forall integer n r;
  @     n >= 1 && isfact(n-1,r) ==> isfact(n,r*n);
  @ }
  @*/

public class Fact {

    /*@ requires x >= 0;
      @ ensures isfact(x, \result);
      @*/
    public static int fact(int x) {
        int a = 0, y = 1;
        /*@ loop_invariant 0 <= a <= x && isfact(a,y);
          @ loop_variant x-a;
          @*/
        while (a < x) y = y * ++a;
        return y;
    }

}why-2.34/tests/java/Assertion.java0000644000175000017500000000472712311670312015524 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

public class Assertion {
         /*@
           @ ensures \result == 5;
           @*/
         public static int max(int x) {
                 /*@ assert x == 5; @*/
                 return x;
         }
} why-2.34/tests/java/Counter.java0000644000175000017500000000541512311670312015167 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

/*@ logic integer value{L}(Counter c) = 
  @    \at(c.increments,L) - \at(c.decrements,L);
  @*/

public class Counter {

    private int increments;
    private int decrements;

    //@ ensures value{Here}(this) == value{Old}(this) + 1;
    public void increment() {
        increments++;
    }

    //@ ensures value{Here}(this) == value{Old}(this) - 1;
    public void decrement() {
        decrements++;
    }

}

/*
Local Variables:
compile-command: "make Counter.why3ide"
End:
*/


why-2.34/tests/java/result/0000755000175000017500000000000012311670312014216 5ustar  rtuserswhy-2.34/tests/java/result/README0000644000175000017500000000013312311670312015073 0ustar  rtusersthis directory is to store results of tests. There is
intentionally no file managed by SVN
why-2.34/tests/java/Creation.java0000644000175000017500000000717412311670312015320 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@+ CheckArithOverflow = no

class Creation {

    int simple_val;

    /*@ behavior normal:
      @   assigns this.simple_val; // not \nothing 
      @   ensures this.simple_val == 0;
      @*/
    Creation() {
	this(0);
    }

    /*@ behavior normal:
      @   assigns this.simple_val; // not \nothing
      @   ensures this.simple_val == n;
      @*/
    Creation(int n) {
	simple_val = n;
    }

    /*@ behavior normal:
      @   assigns this.simple_val; // not \nothing
      @   ensures this.simple_val == n + m;
      @*/
    Creation(int n,int m) {
	this(n+m); 
    }

    /*@ behavior normal:
      @   ensures \result == 17;
      @*/
    public static int test1() {
	Creation t = new Creation(17);
	return t.simple_val;
    }

    /*@ behavior normal:
      @   ensures \result == 0;
      @*/
    public static int test2() {
	Creation t = new Creation();
	return t.simple_val;
    }

    /*@ behavior normal:
      @   assigns \nothing;             // BUG !!!!!!!!!!!!
      @   ensures \result == 17;
      @*/
    public static int test3() {
	Creation t = new Creation(10,7);
	return t.simple_val;
    }

}


class TestSuperConstructor extends Creation {

    /*@ behavior normal:
      @   assigns simple_val;
      @   ensures simple_val == 12;
      @*/
    TestSuperConstructor() {
	super(12);
    }

}


/*
Local Variables:
compile-command: "make Creation.why3ide"
End:
*/


why-2.34/tests/java/NameConflicts.java0000644000175000017500000000512112311670312016267 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

class NameConflicts {

    int i;

    void setI(int i) {
	this.i = i;
    }

    /*@ behavior normal:
      @   ensures \result == 0;
      @*/
    int m() {
	int result = 0;
	return result;
    }

    int field;

    int field() { return field; }

}


/*
Local Variables:
compile-command: "make NameConflicts.why3ide"
End:
*/


why-2.34/tests/java/MacCarthy.java0000644000175000017500000000535312311670312015424 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


/* McCarthy's ``91'' function. */

public class MacCarthy {

    /*@ decreases 101-n ;
      @ behavior less_than_101:
      @   assumes n <= 100;
      @   ensures \result == 91;
      @ behavior greater_than_100:
      @   assumes n >= 101;
      @   ensures \result == n - 10;
      @*/
    public static int f91(int n) {
	if (n <= 100) {
	    return f91(f91(n + 11));
	}
	else
	    return n - 10;
    }

}

/*
Local Variables:
compile-command: "make MacCarthy.why3ide"
End:
*/


why-2.34/tests/java/SelectionSort.java0000644000175000017500000001130412311670312016337 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ predicate Sorted{L}(int a[], integer l, integer h) =
  @   \forall integer i j; l <= i <= j < h ==> a[i] <= a[j] ;
  @*/

/*@ predicate Swap{L1,L2}(int a[], integer i, integer j) =
  @   \at(a[i],L1) == \at(a[j],L2) &&
  @   \at(a[j],L1) == \at(a[i],L2) &&
  @   \forall integer k; k != i && k != j ==> \at(a[k],L1) == \at(a[k],L2);
  @*/

/*@ inductive Permut{L1,L2}(int a[], integer l, integer h) {
  @  case Permut_refl{L}: 
  @   \forall int a[], integer l h; Permut{L,L}(a, l, h) ;
  @  case Permut_sym{L1,L2}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) ==> Permut{L2,L1}(a, l, h) ;
  @  case Permut_trans{L1,L2,L3}: 
  @    \forall int a[], integer l h; 
  @      Permut{L1,L2}(a, l, h) && Permut{L2,L3}(a, l, h) ==> 
  @        Permut{L1,L3}(a, l, h) ;
  @  case Permut_swap{L1,L2}: 
  @    \forall int a[], integer l h i j; 
  @       l <= i <= h && l <= j <= h && Swap{L1,L2}(a, i, j) ==> 
  @     Permut{L1,L2}(a, l, h) ;
  @ }
  @*/

class SelectionSort {

    /*@ requires t != null && 
      @    0 <= i < t.length && 0 <= j < t.length;
      @ assigns t[i],t[j];
      @ ensures Swap{Old,Here}(t,i,j);
      @*/
    void swap(int t[], int i, int j) {
	int tmp = t[i];
	t[i] = t[j];
	t[j] = tmp;
    }
    
    /*@ requires t != null;
      @ behavior sorted:
      @   ensures Sorted(t,0,t.length);
      @ behavior permutation:
      @   ensures Permut{Old,Here}(t,0,t.length-1);
      @*/
    void sort(int t[]) {
	int i,j;
	int mi,mv;
	/*@ loop_invariant 0 <= i;
	  @ for sorted: 
	  @  loop_invariant Sorted(t,0,i) && 
	  @   (\forall integer k1 k2 ; 
	  @      0 <= k1 < i <= k2 < t.length ==> t[k1] <= t[k2]) ;
	  @ for permutation:
	  @   loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	  @ loop_variant t.length - i;
	  @*/
	for (i=0; i t[k] >= mv);
	      @ // useless ! for permutation:
	      @ // loop_invariant Permut{Pre,Here}(t,0,t.length-1);
	      @ loop_variant t.length - j;
	      @*/
	    for (j=i+1; j < t.length; j++) {
		if (t[j] < mv) { 
		    mi = j ; mv = t[j]; 
		}
	    }
	    Before: 
	    swap(t,i,mi);
	    //@ for permutation: assert Permut{Before,Here}(t,0,t.length-1);
	}
    }

}



/*
Local Variables:
compile-command: "make SelectionSort.why3ide"
End:
*/


why-2.34/tests/java/Fresh.java0000644000175000017500000000507312311670312014617 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


class Fresh {

    /*@ allocates \result;
      @ ensures \fresh(\result);
      @*/
    static Fresh create() {
        return new Fresh ();
    }

    void test () {
        Fresh f = create ();
        //@ assert this != f;
    }
}




/*
Local Variables:
compile-command: "make Fresh.why3ide"
End:
*/


why-2.34/tests/java/FlagStatic.java0000644000175000017500000001045112311670312015565 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Dijkstra's dutch flag */

//@+ CheckArithOverflow = no

/*@ predicate is_color(integer c) =
  @   c == FlagStatic.BLUE || c == FlagStatic.WHITE || c == FlagStatic.RED ;
  @*/

/*@ predicate is_color_array{L}(int t[]) =
  @   t != null &&
  @   \forall integer i; 0 <= i < t.length ==> is_color(t[i]) ;
  @*/

/*@ predicate is_monochrome{L}(int t[],integer i, integer j, int c) =
  @   \forall integer k; i <= k < j ==> t[k] == c ;
  @*/


class FlagStatic {

    public static final int BLUE = 1, WHITE = 2, RED = 3;

    /*@ requires t != null && 0 <= i <= j <= t.length ;
      @ behavior decides_monochromatic:
      @   ensures \result <==> is_monochrome(t,i,j,c);
      @*/
    public static boolean isMonochrome(int t[], int i, int j, int c) {
    	/*@ loop_invariant i <= k &&
	  @   (\forall integer l; i <= l < k ==> t[l]==c);
    	  @ loop_variant j - k;
	  @*/
	for (int k = i; k < j; k++) if (t[k] != c) return false;
	return true;
    }

    /*@ requires 0 <= i < t.length && 0 <= j < t.length;
      @ behavior i_j_swapped:
      @   assigns t[i],t[j];
      @   ensures t[i] == \old(t[j]) && t[j] == \old(t[i]);
      @*/
    private static void swap(int t[], int i, int j) {
	int z = t[i];
	t[i] = t[j];
	t[j] = z;
    }

    /*@ requires
      @   is_color_array(t);
      @ behavior sorts:
      @   ensures
      @     (\exists integer b r;
      @        is_monochrome(t,0,b,BLUE) &&
      @        is_monochrome(t,b,r,WHITE) &&
      @        is_monochrome(t,r,t.length,RED));
      @*/
    public static void flag(int t[]) {
	int b = 0;
	int i = 0;
	int r = t.length;
	/*@ loop_invariant
	  @   is_color_array(t) &&
	  @   0 <= b <= i <= r <= t.length &&
	  @   is_monochrome(t,0,b,BLUE) &&
	  @   is_monochrome(t,b,i,WHITE) &&
          @   is_monochrome(t,r,t.length,RED);
	  @ loop_variant r - i;
	  @*/
	while (i < r) {
	    switch (t[i]) {
	    case BLUE:
		swap(t,b++, i++);
		break;
	    case WHITE:
		i++;
		break;
	    case RED:
		swap(t,--r, i);
		break;
	    }
	}
    }
}



/*
Local Variables:
compile-command: "make FlagStatic.why3ide"
End:
*/
why-2.34/tests/c/0000755000175000017500000000000012311670312012201 5ustar  rtuserswhy-2.34/tests/c/interval_arith.c0000644000175000017500000002427212311670312015367 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#pragma JessieFloatModel(full)
#pragma JessieFloatRoundingMode(down)


/*@ requires !\is_NaN(x) && !\is_NaN(y);
  @ ensures \le_float(\result,x) && \le_float(\result,y);
  @ ensures \eq_float(\result,x) || \eq_float(\result,y);
  @*/
double min(double x, double y)
{
  return x < y ? x : y;
}


/*@ requires !\is_NaN(x) && !\is_NaN(y);
  @ ensures \le_float(x,\result) && \le_float(y,\result);
  @ ensures \eq_float(\result,x) || \eq_float(\result,y);
  @*/
double max(double x, double y)
{
  return x > y ? x : y;
}


//@ predicate dif_sign(double x, double y) = \sign(x) != \sign(y);
//@ predicate sam_sign(double x, double y) = \sign(x) == \sign(y);

/*@ predicate double_le_real(double x,real y) =
  @           (\is_finite(x) && x <= y) || \is_minus_infinity(x);
  @*/

/*@ predicate real_le_double(real x,double y) =
  @           (\is_finite(y) && x <= y) || \is_plus_infinity(y);
  @*/

/*@ predicate in_interval(real a,double l,double u) =
  @           double_le_real(l,a) && real_le_double(a,u);
  @*/



/*@ requires ! \is_NaN(x) && ! \is_NaN(y);
  @ requires \is_infinite(x) || \is_infinite(y) ==> dif_sign(x,y);
  @ requires \is_infinite(x) && \is_finite(y) ==> y != 0.0;
  @ requires \is_finite(x) && \is_infinite(y) ==> x != 0.0;
  @ assigns \nothing;
  @ ensures double_le_real(\result,x*y);
  @*/
double mul_dn(double x, double y)
{
  double z = x*y;
  /* @ assert \is_finite(x) && \is_finite(y)
    @     && \no_overflow_double(\Down,x*y) ==> double_le_real(z,x*y);
    @*/
  /* @ assert \is_finite(x) && \is_finite(y)
    @     && ! \no_overflow_double(\Down,x*y) && \sign(x) == \sign(y) ==> double_le_real(z,x*y);
    @*/
  /* @ assert \is_finite(x) && \is_finite(y)
    @     && ! \no_overflow_double(\Down,x*y) && \sign(x) != \sign(y)  ==> double_le_real(z,x*y);
    @*/
  /* @ assert \is_infinite(x) || \is_infinite(y) ==> double_le_real(z,x*y);
    @*/
  return z;
}



/*@ requires !\is_NaN(x) && !\is_NaN(y);
  @ requires \is_infinite(x) || \is_infinite(y) ==> sam_sign(x,y);
  @ requires \is_infinite(x) && \is_finite(y) ==> y != 0.0;
  @ requires \is_infinite(y) && \is_finite(x) ==> x != 0.0;
  @ requires \is_finite(x) && \is_finite(y) &&
  @          !\no_overflow_double(\Down,-y) && \sign(y) == \Positive
  @          ==> x > 0.0 ;
  @ ensures  real_le_double(x * y,\result);
  @*/
double mul_up(double x, double y) {
  double a=-y;
  double b=x*a;
  double z=-b;
  /*  double z = -(x * -y);*/

  /*@ assert \is_infinite(x) || \is_infinite(y) ==> real_le_double(x * y,z);
    @*/


  /*@ assert \is_finite(x) && \is_infinite(y) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_infinite(x) && \is_finite(y) &&
    @    \no_overflow_double(\Down,-y) ==> real_le_double(x * y,z);
    @*/
  /*@ assert \is_infinite(x) && \is_finite(y) &&
    @    ! \no_overflow_double(\Down,-y) ==> real_le_double(x * y,z);
    @*/
  /*@ assert \is_infinite(x) && \is_infinite(y) ==> real_le_double(x * y,z);
    @*/



  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     \no_overflow_double(\Down,x*a) &&
    @     !\no_overflow_double(\Down,-b) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     !\no_overflow_double(\Down,x*a) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Positive
    @                                     ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Negative &&
    @     !\no_overflow_double(\Down,x*a) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Negative &&
    @     \no_overflow_double(\Down,x*a) &&
    @     !\no_overflow_double(\Down,-b)  ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Negative &&
    @     \no_overflow_double(\Down,x*a) &&
    @     \no_overflow_double(\Down,-b) ==> real_le_double(x * y,z);
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     \no_overflow_double(\Down,x*a) &&
    @     \no_overflow_double(\Down,-b) && x > 0.0 ==> \is_finite(z) && real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     \no_overflow_double(\Down,x*a) &&
    @     \no_overflow_double(\Down,-b) && x < 0.0 ==> \is_finite(z) && real_le_double(x * y,z) ;
    @*/

   return z;
}


double zl, zu;

/*@ predicate is_interval(double xl, double xu) =
  @       (\is_finite(xl) || \is_minus_infinity(xl))
  @       &&
  @       (\is_finite(xu) || \is_plus_infinity(xu));
  @*/

/*@ requires is_interval(xl,xu) && is_interval(yl,yu);
  @ ensures is_interval(zl,zu);
  @ ensures \forall real a,b;
  @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
  @    in_interval(a+b,zl,zu);
  @*/
void add(double xl, double xu, double yl, double yu)
{
  zl = xl + yl;
  /* @ assert
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      double_le_real(zl,a+b)  ;
    @*/
  zu = -((-xu) - yu);
  /* @ assert caseuii: \is_infinite(xu) && \is_infinite(yu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseuif: \is_infinite(xu) && \is_finite(yu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseufi: \is_finite(xu) && \is_infinite(yu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseufff: \is_finite(xu) && \is_finite(yu) && \is_infinite(zu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseufff: \is_finite(xu) && \is_finite(yu) && \is_finite(zu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
}





/*@ requires is_interval(xl,xu) && is_interval(yl,yu);
  @ ensures is_interval(zl,zu);
  @ ensures \forall real a,b;
  @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
  @    in_interval(a*b,zl,zu);
  @*/
void mul(double xl, double xu, double yl, double yu)
{
  if (xl < 0.0)
    if (xu > 0.0)
      if (yl < 0.0)
        if (yu > 0.0) // M * M
          { zl = min(mul_dn(xl, yu), mul_dn(xu, yl));
            zu = max(mul_up(xl, yl), mul_up(xu, yu)); }
        else           // M * Neg
          { zl = mul_dn(xu, yl);
            zu = mul_up(xl, yl); }
      else
        if (yu > 0.0) // M * Pos
          { zl = mul_dn(xl, yu);
            zu = mul_up(xu, yu); }
        else           // M * Zero
          { zl = 0.0;
            zu = 0.0; }
    else
      if (yl < 0.0)
        if (yu > 0.0) // Neg * M
          { zl = mul_dn(xl, yu);
            zu = mul_up(xl, yl); }
        else           // Neg * Neg
          { zl = mul_dn(xu, yu);
            zu = mul_up(xl, yl); }
      else
        if (yu > 0.0) // Neg * Pos
          { zl = mul_dn(xl, yu);
            zu = mul_up(xu, yl); }
        else           // Neg * Zero
          { zl = 0.0;
            zu = 0.0; }
  else
    if (xu > 0.0)
      if (yl < 0.0)
        if (yu > 0.0) // Pos * M
          { zl = mul_dn(xu, yl);
            zu = mul_up(xu, yu); }
        else           // Pos * Neg
          { zl = mul_dn(xu, yl);
            zu = mul_up(xl, yu); }
      else
        if (yu > 0.0) // Pos * Pos
          { zl = mul_dn(xl, yl);
            zu = mul_up(xu, yu); }
        else           // Pos * Zero
          { zl = 0.0;
            zu = 0.0; }
    else               // Zero * M
      { zl = 0.0;
        zu = 0.0; }
}




/*
Local Variables:
compile-command: "LC_ALL=C make interval_arith.why3ide"
End:
*/
why-2.34/tests/c/swap.c0000644000175000017500000000457112311670312013326 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int a;
int b;

/*@ ensures a == \old(b) && b == \old(a);
  @*/
void swap() {
  int tmp = a;
  a = b;
  b = tmp;
}
why-2.34/tests/c/exp.c0000644000175000017500000000514712311670312013150 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*@ requires \abs(x) <= 1.0;
  @ ensures \abs(\result - \exp(x)) <= 0x1p-4; */
double my_exp(double x) {
  /*@ assert \abs(0.9890365552 + 1.130258690*x + 
    @          0.5540440796*x*x - \exp(x)) <= 0x0.FFFFp-4; */
  return 0.9890365552 + 1.130258690 * x + 0.5540440796 * x * x;
}



/*
Local Variables:
compile-command: "make exp.why3ide"
End:
*/


why-2.34/tests/c/maze.c0000644000175000017500000000563412311670312013311 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


void buildMaze(uint n) {

  union_find u = create(n*n);

  //@ ghost integer num_edges = 0;

  /*@ loop invariant num_edges + NumClasses(u) == n*n;
    @*/
  while (num_classes(u) > 1) {
    uint x = rand() % n;
    uint y = rand() % n;
    uint d = rand() % 2;
    uint w = x, z = y;
    id (d == 0) w++; else z++;
    if (w < n && z < n) {
      int a = y*n+x, b = w*n+z;
      if (find(u,a) != find(u,b)) {
	// output_edge(x,y,w,z);
	//@ ghost num_edges++;
	union(a,b);
      }
    }
  }
  // nombre d'aretes = n*n - 1
  //@ assert num_edges == n*n - 1

  // each node is reachable from origin
  //@ assert \forall int x; 0 <= x < n*n ==> same(u,x,0);
}



why-2.34/tests/c/isqrt.c0000644000175000017500000000555012311670312013514 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


#pragma JessieIntegerModel(math)

//@ logic integer sqr(integer x) = x * x;

/*@ requires x >= 0;
  @ ensures \result >= 0 && sqr(\result) <= x && x < sqr(\result + 1);
  @*/
int isqrt(int x) {
  int count = 0, sum = 1;
  /*@ loop invariant count >= 0 && x >= sqr(count) && sum == sqr(count+1);
    @ loop variant  x - count; 
    @*/
  while (sum <= x) sum += 2 * ++count + 1;
  return count;
}

//@ ensures \result == 4;
int main () {
  int r;
  r = isqrt(17);
  //@ assert r < 4 ==> \false;
  //@ assert r > 4 ==> \false;
  return r;
}

/*
Local Variables:
compile-command: "make isqrt.why3ide"
End:
*/


why-2.34/tests/c/find_array.c0000644000175000017500000000665512311670312014477 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/** from Julien Signoles' tutorial
 **/

/*@
  predicate sorted{L}(int* arr, integer length) =
  \forall integer i, j; 0 <= i <= j < length ==> arr[i] <= arr[j];

  predicate mem{L}(int elt, int* arr, integer length) =
  \exists integer i; 0 <= i = 0;
  requires \valid(arr+(0..(length-1)));

  assigns \nothing;

  behavior exists:
    assumes mem(query, arr, length);
    ensures arr[\result] == query;

  behavior not_exists:
    assumes ! mem(query, arr, length);
    ensures \result == -1;
*/
int find_array(int* arr, int length, int query) {
  int low = 0;
  int high = length - 1;
  /*@
    loop invariant 0 <= low;
    loop invariant high < length;
    loop invariant \forall integer i; 0 <= i < low ==> arr[i] < query;
    loop invariant \forall integer i; high < i < length ==> arr[i] > query;
    loop variant high - low;
  */
  while (low <= high) {
    int mean = low + (high -low) / 2;
    if (arr[mean] == query) return mean;
    if (arr[mean] < query) low = mean + 1;
    else high = mean - 1;
  }
  return -1;
}

/*
Local Variables:
compile-command: "frama-c -jessie find_array.c"
End:
*/
why-2.34/tests/c/floats_bsearch.c0000644000175000017500000000706412311670312015333 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#pragma JessieFloatModel(full)

/*@ predicate sorted{L}(double *t, integer a, integer b) =
  @    \forall integer i,j; a <= i <= j <= b ==> \le_float(t[i],t[j]);
  @*/

/*@ requires n >= 0 && \valid(t + (0 .. n-1));
  @ requires ! \is_NaN(v);
  @ requires \forall integer i; 0 <= i <= n-1 ==> ! \is_NaN(t[i]);
  @ ensures -1 <= \result < n;
  @ behavior success:
  @   ensures \result >= 0 ==> \eq_float(t[\result],v);
  @ behavior failure:
  @   assumes sorted(t,0,n-1);
  @   ensures \result == -1 ==>
  @     \forall integer k; 0 <= k < n ==> \ne_float(t[k],v);
  @*/
int binary_search(double t[], int n, double v) {
  int l = 0, u = n-1;
  /*@ loop invariant
    @   0 <= l && u <= n-1;
    @ for failure:
    @   loop invariant
    @     \forall integer k;
    @      0 <= k < l ==> \lt_float(t[k],v);
    @   loop invariant
    @     \forall integer k;
    @      u < k <= n-1 ==> \lt_float(v,t[k]);
    @ loop variant u-l;
    @*/
  while (l <= u ) {
    int m = l + (u - l) / 2;
    //@ assert l <= m <= u;
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else
      {
        // assert ! \is_NaN(t[m]);
        // assert \le_float(t[m],v);
        // assert \ge_float(t[m],v);
        return m;
      }
  }
  return -1;
}

/*
Local Variables:
compile-command: "make floats_bsearch.why3ide"
End:
*/
why-2.34/tests/c/flag.c0000644000175000017500000001023212311670312013254 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Dijkstra's dutch flag */

#pragma JessieIntegerModel(math)

typedef char color;

#define BLUE (color)1
#define WHITE (color)2
#define RED (color)3

/*@ predicate is_color(color c) =
  @   c == BLUE || c == WHITE || c == RED ;
  @*/

/*@ predicate is_color_array{L}(color *t, integer l) =
  @   \valid_range(t,0,l-1) &&
  @   \forall integer i; 0 <= i < l ==> is_color(t[i]) ;
  @*/

/*@ predicate is_monochrome{L}(color *t,integer i, integer j, color c) =
  @   \forall integer k; i <= k < j ==> t[k] == c ;
  @*/


/*@ requires \valid_range(t,i,j);
  @ behavior decides_monochromatic:
  @   ensures \result <==> is_monochrome(t,i,j,c);
  @*/
int isMonochrome(color t[], int i, int j, color c) {
  /*@ loop invariant i <= k &&
    @   \forall integer l; i <= l < k ==> t[l] == c;
    @ loop variant j - k;
    @*/
  for (int k = i; k < j; k++) if (t[k] != c) return 0;
  return 1;
}

/*@ requires \valid_index(t,i);
  @ requires \valid_index(t,j);
  @ behavior i_j_swapped:
  @   assigns t[i],t[j];
  @   ensures t[i] == \old(t[j]) && t[j] == \old(t[i]);
  @*/
void swap(color t[], int i, int j) {
  color z = t[i];
  t[i] = t[j];
  t[j] = z;
}

/*@ requires l >= 0 && is_color_array(t, l);
  @ behavior sorts:
  @   ensures
  @     (\exists integer b,r;
  @        is_monochrome(t,0,b,BLUE) &&
  @        is_monochrome(t,b,r,WHITE) &&
  @        is_monochrome(t,r,l,RED));
  @*/
void flag(color t[], int l) {
  int b = 0;
  int i = 0;
  int r = l;
  /*@ loop invariant
    @   is_color_array(t,l) &&
    @   0 <= b <= i <= r <= l &&
    @   is_monochrome(t,0,b,BLUE) &&
    @   is_monochrome(t,b,i,WHITE) &&
    @   is_monochrome(t,r,l,RED);
    @ loop variant r - i;
    @*/
  while (i < r) {
    switch (t[i]) {
    case BLUE:
      swap(t,b++, i++);
      break;
    case WHITE:
      i++;
      break;
    case RED:
      swap(t,--r, i);
      break;
    }
  }
}



/*
Local Variables:
compile-command: "make flag.why3ide"
End:
*/
why-2.34/tests/c/duplets.c0000644000175000017500000001132412311670312014026 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 3: Two equal elements

Given: An integer array a of length n+2 with n>=2. It is known that at
least two values stored in the array appear twice (i.e., there are at
least two duplets).

Implement and verify a program finding such two values.

You may assume that the array contains values between 0 and n-1.
*/

#define NULL (void*)0

/* equality between an integer and a possibly null int* */
/*@ predicate eq_opt{L}(integer x, int *o) =
  @   o != \null && x == *o ;
  @*/

/* A duplet in array a is a pair of indexes (i,j) in the bounds of array
   a such that a[i] = a[j] */
/*@ predicate is_duplet{L}(int *a, integer len, integer i, integer j) =
  @    0 <= i < j < len && a[i] == a[j];
  @*/

/* duplet(a) returns the indexes (i,j) of a duplet in a.
 * moreover, if except is not null, the value of this duplet must
 * be different from it.
 */
/*@ requires 2 <= len &&
  @   \valid_range(a,0,len-1) && \valid(pi) && \valid(pj) &&
  @   ( except == \null || \valid(except)) &&
  @   \exists integer i,j;
  @     is_duplet(a,len,i,j) && ! eq_opt(a[i],except) ;
  @ assigns *pi,*pj;
  @ ensures
  @   is_duplet(a,len,*pi,*pj) &&
  @   ! eq_opt(a[*pi],except);
  @*/
void duplet(int *a, int len, int *except, int *pi, int *pj) {
  /*@ loop invariant 0 <= i <= len-1 &&
    @  \forall integer k,l; 0 <= k < i && k < l < len ==>
    @    ! eq_opt(a[k],except) ==> ! is_duplet(a,len,k,l);
    @ loop variant len - i;
    @*/
  for(int i=0; i <= len - 2; i++) {
    int v = a[i];
    if (except == NULL || *except != v) {
      /*@ loop invariant i+1 <= j <= len &&
        @   \forall integer l; i < l < j ==> ! is_duplet(a,len,i,l);
        @ loop variant len - j;
        @*/
      for (int j=i+1; j < len; j++) {
        if (a[j] == v) {
          *pi = i; *pj = j; return;
        }
      }
    }
  }
  // assert \forall integer i j; ! is_duplet(a,i,j);
  //@ assert \false;
}



/*@ requires 4 <= len && 
  @   \valid_range(a,0,len-1) && \valid(pi) && \valid(pj) &&
  @   \valid(pk) && \valid(pl) &&
  @   \exists integer i,j,k,l;
  @     is_duplet(a,len,i,j) && is_duplet(a,len,k,l) && a[i] != a[k];
  @ assigns *pi,*pj,*pk,*pl;
  @ ensures is_duplet(a,len,*pi,*pj) &&
  @   is_duplet(a,len,*pk,*pl) &&
  @   a[*pi] != a[*pk];
  @*/
void duplets(int a[], int len, int *pi, int *pj, int *pk, int *pl) {
  duplet(a,len,NULL,pi,pj);
  duplet(a,len,&a[*pi],pk,pl);
}


/*
Local Variables:
compile-command: "make duplets.why3ide"
End:
*/

why-2.34/tests/c/array_max.c0000644000175000017500000000603412311670312014333 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 1: Maximum in an array

Given: A non-empty integer array a.

Verify that the index returned by the method max() given below points to
an element maximal in the array.

*/

/*@ requires len > 0 && \valid_range(a,0,len-1);
  @ ensures 0 <= \result < len &&
  @   \forall integer i; 0 <= i < len ==> a[i] <= a[\result];
  @*/
int max(int *a, int len) {
  int x = 0;
  int y = len-1;
  /*@ loop invariant 0 <= x <= y < len &&
    @      \forall integer i;
    @         0 <= i < x || y < i < len ==>
    @         a[i] <= \max(a[x],a[y]);
    @ loop variant y - x;
    @*/
  while (x != y) {
    if (a[x] <= a[y]) x++;
    else y--;
  }
  return x;
}

/*
Local Variables:
compile-command: "make array_max.why3ide"
End:
*/

why-2.34/tests/c/array_double.c0000644000175000017500000000525312311670312015022 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/



double a[2];
double b[2];
double c[2];


/*@ requires
  \valid(a+(0..1)) &&
  \valid(b+(0..1)) &&
  \valid(c+(0..1)) &&
      \abs(b[0]) <= 1.0 &&
      \abs(b[1]) <= 1.0 &&
      \abs(c[0]) <= 1.0 &&
      \abs(c[1]) <= 1.0 ;
*/
void test() {
  a[0] = b[0] + c[0];
  a[1] = b[1] + c[1];
  //@ assert \abs(a[0] - (b[0] + c[0])) <= 0x1p-53;

}


/*
Local Variables:
compile-command: "make array_double.why3ide"
End:
*/
why-2.34/tests/c/rec.c0000644000175000017500000000601612311670312013121 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@ logic integer sum_upto(integer n) = n*(n+1) / 2;

/*@ lemma sum_rec: \forall integer n; n >=0 ==>
  @     sum_upto(n+1) == sum_upto(n)+n+1;
  @*/

/*@ requires x >= 0;
  @ requires x <= 1000;
  @ decreases x;
  @ ensures \result == sum_upto(x);
  @*/
long sum(int x) {
  if (x == 0) return 0;
  else return x + sum (x-1);
}


/*@ ensures \result == 36; 
  @*/
long main () {
  long i = sum(8);
  return i;
}



/*@ decreases 101-n ;
  @ behavior less_than_101:
  @   assumes n <= 100;
  @   ensures \result == 91;
  @ behavior greater_than_100:
  @   assumes n >= 101;
  @   ensures \result == n - 10;
  @*/
int f91(int n) {
  if (n <= 100) {
    return f91(f91(n + 11));
  }
  else
    return n - 10;
}

/*
Local Variables:
compile-command: "make rec.why3ide"
End:
*/


why-2.34/tests/c/selection_sort.c0000644000175000017500000000730712311670312015410 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY: will ask regtests to run Simplify on this program

#pragma JessieIntegerModel(math)

#include "sorting.h"

/*@ requires \valid(t+i) && \valid(t+j);
  @ assigns t[i],t[j];
  @ ensures Swap{Old,Here}(t,i,j);
  @*/
void swap(int t[], int i, int j) {
  int tmp = t[i];
  t[i] = t[j];
  t[j] = tmp;
}

/*@ requires \valid_range(t,0,n-1);
  @ behavior sorted:
  @   ensures Sorted(t,0,n);
  @ behavior permutation:
  @   ensures Permut{Old,Here}(t,0,n-1);
  @*/
void sel_sort(int t[], int n) {
  int i,j;
  int mi,mv;
  if (n <= 0) return;
  /*@ loop invariant 0 <= i < n;
    @ for sorted:
    @  loop invariant
    @   Sorted(t,0,i) &&
    @   (\forall integer k1, k2 ;
    @      0 <= k1 < i <= k2 < n ==> t[k1] <= t[k2]) ;
    @ for permutation:
    @  loop invariant Permut{Pre,Here}(t,0,n-1);
    @ loop variant n-i;
    @*/
  for (i=0; i t[k] >= mv);
      @ for permutation:
      @  loop invariant
      @   Permut{Pre,Here}(t,0,n-1);
      @ loop variant n-j;
      @*/
    for (j=i+1; j < n; j++) {
      if (t[j] < mv) {
	mi = j ; mv = t[j];
      }
    }
  L:
    swap(t,i,mi);
    //@ assert Permut{L,Here}(t,0,n-1);
  }
}


/*
Local Variables:
compile-command: "frama-c -jessie selection_sort.c"
End:
*/
why-2.34/tests/c/minmax.c0000644000175000017500000000560512311670312013644 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@ ensures \result == \max(x,y);
int max(int x, int y) {
  return (x <= y) ? y : x;
}


//@ ensures \result == \min(x,y);
int min(int x, int y) {
  return (x <= y) ? x : y;
}


//@ ensures \result == \max(x,y);
float fmax(float x, float y) {
  return (x <= y) ? y : x;
}


//@ ensures \result == \min(x,y);
float fmin(float x, float y) {
  return (x <= y) ? x : y;
}


//@ ensures \result == \max(x,y);
double dmax(double x, double y) {
  return (x <= y) ? y : x;
}


//@ ensures \result == \min(x,y);
double dmin(double x, double y) {
  return (x <= y) ? x : y;
}



/*
Local Variables:
compile-command: "make minmax.why3ide"
End:
*/

why-2.34/tests/c/sparse_array2.c0000644000175000017500000001161612311670312015127 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned int size_t;
void *malloc(size_t size);
void *calloc(size_t nmemb, size_t size);

typedef unsigned int uint;

#define DEFAULT 0

typedef struct SparseArray {
  int *val;
  uint *idx, *back;
  uint n;
  uint sz; // inutile ?
} *sparse_array;

/*@ predicate is_elt{L}(sparse_array a, integer i) =
  @      0 <= a->idx[i] < a->n
  @   && a->back[a->idx[i]] == i
  @ ;
  @*/

/*@ axiomatic Model {
  @   logic integer model{L}(sparse_array a,integer i);
  @   axiom model_in: \forall sparse_array a, integer i;
  @     is_elt(a,i) ==> model(a,i) == a->val[i];
  @   axiom model_out: \forall sparse_array a, integer i;
  @     !is_elt(a,i) ==> model(a,i) == DEFAULT;
  @}
  @*/

/*@ predicate inv(sparse_array a) =
  @   \valid(a) &&
  @   0 <= a->n <= a-> sz &&
  @   \valid(a->val+(0..a->sz-1)) &&
  @   \valid(a->idx+(0..a->sz-1)) &&
  @   \valid(a->back+(0..a->sz-1)) &&
  @   \forall integer i; 0 <= i < a->n ==>  
  @      0 <= a->back[i] < a->sz && a->idx[a->back[i]] == i;
  @*/


/*@ requires sz >= 0;
  @ assigns \nothing;
  @ ensures \fresh(\result,sizeof(struct Sparse_array));
  @ ensures inv(\result);
  @ ensures \result->sz == sz;
  @ ensures \forall integer i; model(\result,i) == DEFAULT;
  @*/
sparse_array create(uint sz) {
  sparse_array a = (sparse_array)malloc(sizeof(struct SparseArray));
  a->val = (int*)calloc(sz,sizeof(int));
  a->idx = (uint*)calloc(sz,sizeof(uint));
  a->back = (uint*)calloc(sz,sizeof(uint));
  a->n = 0;
  a->sz = sz; // inutile ?
  return a;
}

/*@ requires \valid(a);
  @ requires inv(a);
  @ requires i <= a->sz - 1;
  @ assigns \nothing;
  @ ensures \result == model(a,i);
  @*/
int get(sparse_array a, uint i) {
  // note: 0 <= a->idx[i] holds because of type uint
  //@ assert 0 <= a->idx[i];
  if (a->idx[i] < a->n && 
      a->back[a->idx[i]] == i) return a->val[i];
  else return 0;
}

/*@ requires \valid(a);
  @ requires inv(a);
  @ requires i <= a->sz - 1;
  @ assigns a->val[i],a->idx[..],a->back[..], a->n;
  @ ensures inv(a);
  @ ensures model(a,i) == v;
  @ ensures \forall integer j; j != i ==> 
  @    model(a,j) == \old(model(a,j)); 
  @*/
void set(sparse_array a, uint i, int v) {
  a->val[i] = v;
  if (!(a->idx[i] < a->n && a-> back[a->idx[i]] == i)) {
    //@ assert a->n < a->sz;
    a->idx[i] = a->n; a->back[a->n] = i; a->n++;
  }
}



int main() {
  sparse_array a = create(10), b = create(20);
  int x,y;
  x = get(a,5); y = get(b,7);
  //@ assert x == 0 && y == 0;
  set(a,5,1); set(b,7,2);
  x = get(a,5); y = get(b,7);
  //@ assert x == 1 && y == 2;
  x = get(a,0); y = get(b,0);
  //@ assert x == 0 && y == 0;
  return 0;
}





/*
Local Variables:
compile-command: "make sparse_array2.why3ide"
End:
*/
why-2.34/tests/c/float_array.c0000644000175000017500000000721512311670312014655 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#define EPS1 0x1p-53
#define UPPER 0x1p0
#define n 10

//@ predicate bounded(real z, real bound) = \abs(z) <= bound;

double x;

/*@
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(x - (d + 1.0)) <= EPS1;
  @ ensures \round_error(x) <= EPS1;
*/
void AffectDoubleDansX(double d) {
        x=d+1.0;
}

/*@
  @ requires \valid_range(X,0,n);
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(X[1] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[1]) <= EPS1;
  @ ensures \abs(X[2] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[2]) <= EPS1;
*/
void AffectDoubleDansTab(double d, double X[]) {
        X[1]=d+1.0;
        X[2]=d+1.0;
        // assert X[1] == \round_double(\NearestEven,d+1.0);
}

/*@
  @ requires \valid_range(X,0,n);
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(X[1] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[1]) <= EPS1;
*/
void AffectDoubleDansTab1(double d, double X[]) {
        X[1]=d+1.0;
}

/*@
  @ requires \valid_range(X,0,n);
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(X[0] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[0]) <= EPS1;
*/
void AffectDoubleDansTab0(double d, double X[]) {
        X[0]=d+1.0;
        //@ assert X[0] == \round_double(\NearestEven,d+1.0);
        //@ assert \exact(X[0]) == d+1.0;
}
why-2.34/tests/c/my_cosine.c0000644000175000017500000000711312311670312014334 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// does not work: RUN GAPPA: will ask regtests to run Gappa on this program
// does not work anymore: RUN COQ: use why3 instead


/*@ lemma method_error: \forall real x;
  @     \abs(x) <= 0x1p-5 ==> \abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  @*/

/*@ requires \abs(x) <= 0x1p-5;
  @ ensures \abs(\result - \cos(x)) <= 0x1p-23;
  @*/
float my_cos1(float x) {
  //@ assert \abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  return 1.0f - x * x * 0.5f;
}


/*@ requires \abs(x) <= 0x1p-5 && \round_error(x) == 0.0;
  @ ensures \abs(\result - \cos(x)) <= 0x1p-23;
  @*/
float my_cos2(float x) {
  //@ assert \exact(x) == x;
  float r = 1.0f - x * x * 0.5f;
  //@ assert \abs(\exact(r) - \cos(x)) <= 0x1p-24;
  return r;
}


/*@ requires \abs(\exact(x)) <= 0x1p-5
  @     && \round_error(x) <= 0x1p-20;
  @ ensures \abs(\exact(\result) - \cos(\exact(x))) <= 0x1p-24
  @     && \round_error(\result) <= \round_error(x) + 0x3p-24;
  @*/
float my_cos3(float x) {
  float r = 1.0f - x * x * 0.5f;
  //@ assert \abs(\exact(r) - \cos(\exact(x))) <= 0x1p-24;  // by interval
  return r;
}

/*@ requires \abs(x) <= 0.07 ;
  @ ensures \abs(\result - \cos(x)) <= 0x1.3p-20;
  @*/
float my_cos4(float x) {
  //@ assert \abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1.2p-20;
  return 1.0f - x * x * 0.5f;
}


/*
Local Variables:
compile-command: "make my_cosine.why3ide"
End:
*/


why-2.34/tests/c/cd1d.c0000644000175000017500000000543012311670312013162 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#define D 10.0
#define T 1.0

/*@ predicate conflict(real s, real v) =
      \exists real t; 0<=t<=T && s - t * v < D;
*/

/*@ predicate cd1d(real s, real v) = D + T * v > s ; */

/*@ lemma completeness: \forall real s, v; v >= 0.0 ==>
             conflict(s,v) ==> cd1d(s,v); */

#define eps 0x1p-49

#define Dp (D+eps)

/*@ requires 100.>=s>=0. && 1. >=v >= 0.;
       behavior completeness:
          assumes cd1d(s,v);
          ensures \result == 1;
 */
int cd1d_double(double s, double v) {
  return (Dp+T*v>s) ? 1 : 0;
}
why-2.34/tests/c/overflow_level.c0000644000175000017500000000456212311670312015406 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

double x;

void f() {
double y;
/*0*/	y = x+1.e291;
/*1*/	y = x+1.e292;
/*2*/	y = x+x;
/*3*/	y = x+1e-6;
}
why-2.34/tests/c/my_cosine.jessie/0000755000175000017500000000000012311670312015447 5ustar  rtuserswhy-2.34/tests/c/my_cosine.jessie/coq/0000755000175000017500000000000012311670312016231 5ustar  rtuserswhy-2.34/tests/c/my_cosine.jessie/coq/my_cosine_why.v0000644000175000017500000010361612311670312021303 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export jessie_why. 
Require Import WhyFloatsStrict.
Require Import Interval_tactic.
Require Import Rtrigo_def.

(*Why type*) Definition charP: Set.
Admitted.

(*Why type*) Definition int8: Set.
Admitted.

(*Why type*) Definition padding: Set.
Admitted.

(*Why type*) Definition uint8: Set.
Admitted.

(*Why type*) Definition unsigned_charP: Set.
Admitted.

(*Why type*) Definition voidP: Set.
Admitted.

(*Why logic*) Definition charP_tag : (tag_id charP).
Admitted.

(*Why axiom*) Lemma charP_int : (int_of_tag charP_tag) = 1.
Admitted.
Dp_hint charP_int.

(*Why logic*) Definition charP_of_pointer_address :
  (pointer unit) -> (pointer charP).
Admitted.

(*Why axiom*) Lemma charP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer charP)),
   p = (charP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint charP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma charP_parenttag_bottom :
  (parenttag charP_tag (@bottom_tag charP)).
Admitted.
Dp_hint charP_parenttag_bottom.

(*Why axiom*) Lemma charP_tags :
  (forall (x:(pointer charP)),
   (forall (charP_tag_table:(tag_table charP)),
    (instanceof charP_tag_table x charP_tag))).
Admitted.
Dp_hint charP_tags.

(*Why logic*) Definition integer_of_int8 : int8 -> Z.
Admitted.

(*Why predicate*) Definition eq_int8  (x:int8) (y:int8)
  := (integer_of_int8 x) = (integer_of_int8 y).

(*Why logic*) Definition integer_of_uint8 : uint8 -> Z.
Admitted.

(*Why predicate*) Definition eq_uint8  (x:uint8) (y:uint8)
  := (integer_of_uint8 x) = (integer_of_uint8 y).

(*Why logic*) Definition int8_of_integer : Z -> int8.
Admitted.

(*Why axiom*) Lemma int8_coerce :
  (forall (x:Z),
   ((-128) <= x /\ x <= 127 -> (integer_of_int8 (int8_of_integer x)) = x)).
Admitted.

(*Why axiom*) Lemma int8_extensionality :
  (forall (x:int8),
   (forall (y:int8), ((integer_of_int8 x) = (integer_of_int8 y) -> x = y))).
Admitted.
Dp_hint int8_extensionality.

(*Why axiom*) Lemma int8_range :
  (forall (x:int8), (-128) <= (integer_of_int8 x) /\ (integer_of_int8 x) <=
   127).
Admitted.

(*Why predicate*) Definition left_valid_struct_charP  (p:(pointer charP)) (a:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_voidP  (p:(pointer voidP)) (a:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a.

(*Why axiom*) Lemma pointer_addr_of_charP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (charP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_charP_of_pointer_address.

(*Why logic*) Definition unsigned_charP_of_pointer_address :
  (pointer unit) -> (pointer unsigned_charP).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_unsigned_charP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (unsigned_charP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_unsigned_charP_of_pointer_address.

(*Why logic*) Definition voidP_of_pointer_address :
  (pointer unit) -> (pointer voidP).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_voidP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (voidP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_voidP_of_pointer_address.

(*Why predicate*) Definition right_valid_struct_charP  (p:(pointer charP)) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_voidP  (p:(pointer voidP)) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_max voidP_alloc_table p) >= b.

(*Why predicate*) Definition strict_valid_root_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) = a /\
     (offset_max charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) = a /\
     (offset_max unsigned_charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) = a /\
     (offset_max voidP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) = a /\
     (offset_max charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) = a /\
     (offset_max unsigned_charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) = a /\
     (offset_max voidP_alloc_table p) = b.

(*Why logic*) Definition uint8_of_integer : Z -> uint8.
Admitted.

(*Why axiom*) Lemma uint8_coerce :
  (forall (x:Z),
   (0 <= x /\ x <= 255 -> (integer_of_uint8 (uint8_of_integer x)) = x)).
Admitted.
Dp_hint uint8_coerce.

(*Why axiom*) Lemma uint8_extensionality :
  (forall (x:uint8),
   (forall (y:uint8), ((integer_of_uint8 x) = (integer_of_uint8 y) -> x = y))).
Admitted.
Dp_hint uint8_extensionality.

(*Why axiom*) Lemma uint8_range :
  (forall (x:uint8), 0 <= (integer_of_uint8 x) /\ (integer_of_uint8 x) <= 255).
Admitted.
Dp_hint uint8_range.

(*Why logic*) Definition unsigned_charP_tag : (tag_id unsigned_charP).
Admitted.

(*Why axiom*) Lemma unsigned_charP_int : (int_of_tag unsigned_charP_tag) = 1.
Admitted.
Dp_hint unsigned_charP_int.

(*Why axiom*) Lemma unsigned_charP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer unsigned_charP)),
   p = (unsigned_charP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint unsigned_charP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma unsigned_charP_parenttag_bottom :
  (parenttag unsigned_charP_tag (@bottom_tag unsigned_charP)).
Admitted.
Dp_hint unsigned_charP_parenttag_bottom.

(*Why axiom*) Lemma unsigned_charP_tags :
  (forall (x:(pointer unsigned_charP)),
   (forall (unsigned_charP_tag_table:(tag_table unsigned_charP)),
    (instanceof unsigned_charP_tag_table x unsigned_charP_tag))).
Admitted.
Dp_hint unsigned_charP_tags.

(*Why predicate*) Definition valid_root_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a /\
     (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a /\
     (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a /\
     (offset_max voidP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a /\
     (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a /\
     (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a /\
     (offset_max voidP_alloc_table p) >= b.

(*Why logic*) Definition voidP_tag : (tag_id voidP).
Admitted.

(*Why axiom*) Lemma voidP_int : (int_of_tag voidP_tag) = 1.
Admitted.
Dp_hint voidP_int.

(*Why axiom*) Lemma voidP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer voidP)),
   p = (voidP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint voidP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma voidP_parenttag_bottom :
  (parenttag voidP_tag (@bottom_tag voidP)).
Admitted.
Dp_hint voidP_parenttag_bottom.

(*Why axiom*) Lemma voidP_tags :
  (forall (x:(pointer voidP)),
   (forall (voidP_tag_table:(tag_table voidP)),
    (instanceof voidP_tag_table x voidP_tag))).
Admitted.
Dp_hint voidP_tags.

(* Why obligation from file "my_cosine.c", line 36, characters 4-111: *)
(*Why goal*) Lemma method_error : 
  (forall (x_3:R),
   ((Rle (Rabs x_3) (1 / 32)%R) ->
    (Rle
     (Rabs
      (Rminus (Rminus (1)%R (Rmult (Rmult x_3 x_3) (05 / 10)%R)) (cos x_3)))
     (1 / 16777216)%R))).
Proof.
intros x H.

interval with (i_bisect_diff x).
Save.

Dp_hint method_error.

(* Why obligation from file "my_cosine.c", line 44, characters 13-53: *)
(*Why goal*) Lemma my_cos1_ensures_default_po_1 : 
  forall (x_0: single),
  forall (HW_1: (* JC_3 *) (Rle (Rabs (single_value x_0)) (1 / 32)%R)),
  (* JC_13 *)
  (Rle
   (Rabs
    (Rminus
     (Rminus
      (1)%R (Rmult (Rmult (single_value x_0) (single_value x_0)) (05 / 10)%R)) (
     cos (single_value x_0))))
   (1 / 16777216)%R).
Proof.
intros x H.
interval with (i_bisect_diff (single_value x)).
Save.

(* Why obligation from file "my_cosine.c", line 41, characters 12-46: *)
(*Why goal*) Lemma my_cos1_ensures_default_po_2 : 
  forall (x_0: single),
  forall (HW_1: (* JC_3 *) (Rle (Rabs (single_value x_0)) (1 / 32)%R)),
  forall (HW_4: (* JC_13 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_0) (single_value x_0)) (05 / 10)%R)) (
                   cos (single_value x_0))))
                 (1 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_6: (mul_single_post nearest_even x_0 x_0 result0)),
  forall (result1: single),
  forall (HW_7: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_8: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_9: (sub_single_post nearest_even result result2 result3)),
  forall (__retres: single),
  forall (HW_10: __retres = result3),
  forall (why__return: single),
  forall (HW_11: why__return = __retres),
  (* JC_5 *)
  (Rle (Rabs (Rminus (single_value why__return) (cos (single_value x_0))))
   (1 / 8388608)%R).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 45, characters 16-21: *)
(*Why goal*) Lemma my_cos1_safety_po_1 : 
  forall (x_0: single),
  forall (HW_1: (* JC_3 *) (Rle (Rabs (single_value x_0)) (1 / 32)%R)),
  forall (HW_4: (* JC_9 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_0) (single_value x_0)) (05 / 10)%R)) (
                   cos (single_value x_0))))
                 (1 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value x_0) (single_value x_0))).
Proof.
admit.
Save.

(* Why obligation from file "my_cosine.c", line 45, characters 16-28: *)
(*Why goal*) Lemma my_cos1_safety_po_2 : 
  forall (x_0: single),
  forall (HW_1: (* JC_3 *) (Rle (Rabs (single_value x_0)) (1 / 32)%R)),
  forall (HW_4: (* JC_9 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_0) (single_value x_0)) (05 / 10)%R)) (
                   cos (single_value x_0))))
                 (1 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_6: (no_overflow_single
                 nearest_even (Rmult (single_value x_0) (single_value x_0)))),
  forall (result0: single),
  forall (HW_7: (mul_single_post nearest_even x_0 x_0 result0)),
  forall (result1: single),
  forall (HW_8: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value result0) (single_value result1))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 45, characters 9-28: *)
(*Why goal*) Lemma my_cos1_safety_po_3 : 
  forall (x_0: single),
  forall (HW_1: (* JC_3 *) (Rle (Rabs (single_value x_0)) (1 / 32)%R)),
  forall (HW_4: (* JC_9 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_0) (single_value x_0)) (05 / 10)%R)) (
                   cos (single_value x_0))))
                 (1 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_6: (no_overflow_single
                 nearest_even (Rmult (single_value x_0) (single_value x_0)))),
  forall (result0: single),
  forall (HW_7: (mul_single_post nearest_even x_0 x_0 result0)),
  forall (result1: single),
  forall (HW_8: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (HW_9: (no_overflow_single
                 nearest_even (Rmult
                               (single_value result0) (single_value result1)))),
  forall (result2: single),
  forall (HW_10: (mul_single_post nearest_even result0 result1 result2)),
  (no_overflow_single
   nearest_even (Rminus (single_value result) (single_value result2))).
Proof.
admit.
Save.

(* Why obligation from file "my_cosine.c", line 53, characters 13-27: *)
(*Why goal*) Lemma my_cos2_ensures_default_po_1 : 
  forall (x_0_0: single),
  forall (HW_1: (* JC_23 *)
                ((* JC_21 *) (Rle (Rabs (single_value x_0_0)) (1 / 32)%R) /\
                (* JC_22 *) (eq (single_round_error x_0_0) (0)%R))),
  (* JC_34 *) (eq (single_exact x_0_0) (single_value x_0_0)).
Proof.
admit.
Save.

(* Why obligation from file "my_cosine.c", line 55, characters 13-49: *)
(*Why goal*) Lemma my_cos2_ensures_default_po_2 : 
  forall (x_0_0: single),
  forall (HW_1: (* JC_23 *)
                ((* JC_21 *) (Rle (Rabs (single_value x_0_0)) (1 / 32)%R) /\
                (* JC_22 *) (eq (single_round_error x_0_0) (0)%R))),
  forall (HW_4: (* JC_34 *) (eq (single_exact x_0_0) (single_value x_0_0))),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_6: (mul_single_post nearest_even x_0_0 x_0_0 result0)),
  forall (result1: single),
  forall (HW_7: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_8: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_9: (sub_single_post nearest_even result result2 result3)),
  forall (r: single),
  forall (HW_10: r = result3),
  (* JC_38 *)
  (Rle (Rabs (Rminus (single_exact r) (cos (single_value x_0_0))))
   (1 / 16777216)%R).
Proof.
intros x (H1,H2) Heq.
intros r (_,(exa_r,_)).
intros r0 (_,(exa_r0,_)).
intros r1 (_,(exa_r1,_)).
intros r2 (_,(exa_r2,_)).
intros r3 (_,(exa_r3,_)).
intros r4 r4_eq.
subst r4.
rewrite exa_r3; clear exa_r3 r3.
rewrite exa_r2; clear exa_r2 r2.
rewrite exa_r1; clear exa_r1 r1.
rewrite exa_r0; clear exa_r0 r0.
rewrite exa_r; clear exa_r r.
unfold single_round_error in H2.
rewrite Heq.
interval with (i_bisect_diff (single_value x)).
Save.

(* Why obligation from file "my_cosine.c", line 50, characters 12-46: *)
(*Why goal*) Lemma my_cos2_ensures_default_po_3 : 
  forall (x_0_0: single),
  forall (HW_1: (* JC_23 *)
                ((* JC_21 *) (Rle (Rabs (single_value x_0_0)) (1 / 32)%R) /\
                (* JC_22 *) (eq (single_round_error x_0_0) (0)%R))),
  forall (HW_4: (* JC_34 *) (eq (single_exact x_0_0) (single_value x_0_0))),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_6: (mul_single_post nearest_even x_0_0 x_0_0 result0)),
  forall (result1: single),
  forall (HW_7: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_8: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_9: (sub_single_post nearest_even result result2 result3)),
  forall (r: single),
  forall (HW_10: r = result3),
  forall (HW_11: (* JC_38 *)
                 (Rle
                  (Rabs (Rminus (single_exact r) (cos (single_value x_0_0))))
                  (1 / 16777216)%R)),
  forall (why__return: single),
  forall (HW_12: why__return = r),
  (* JC_25 *)
  (Rle (Rabs (Rminus (single_value why__return) (cos (single_value x_0_0))))
   (1 / 8388608)%R).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 54, characters 19-24: *)
(*Why goal*) Lemma my_cos2_safety_po_1 : 
  forall (x_0_0: single),
  forall (HW_1: (* JC_23 *)
                ((* JC_21 *) (Rle (Rabs (single_value x_0_0)) (1 / 32)%R) /\
                (* JC_22 *) (eq (single_round_error x_0_0) (0)%R))),
  forall (HW_4: (* JC_29 *) (eq (single_exact x_0_0) (single_value x_0_0))),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value x_0_0) (single_value x_0_0))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 54, characters 19-31: *)
(*Why goal*) Lemma my_cos2_safety_po_2 : 
  forall (x_0_0: single),
  forall (HW_1: (* JC_23 *)
                ((* JC_21 *) (Rle (Rabs (single_value x_0_0)) (1 / 32)%R) /\
                (* JC_22 *) (eq (single_round_error x_0_0) (0)%R))),
  forall (HW_4: (* JC_29 *) (eq (single_exact x_0_0) (single_value x_0_0))),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_6: (no_overflow_single
                 nearest_even (Rmult
                               (single_value x_0_0) (single_value x_0_0)))),
  forall (result0: single),
  forall (HW_7: (mul_single_post nearest_even x_0_0 x_0_0 result0)),
  forall (result1: single),
  forall (HW_8: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value result0) (single_value result1))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 54, characters 12-31: *)
(*Why goal*) Lemma my_cos2_safety_po_3 : 
  forall (x_0_0: single),
  forall (HW_1: (* JC_23 *)
                ((* JC_21 *) (Rle (Rabs (single_value x_0_0)) (1 / 32)%R) /\
                (* JC_22 *) (eq (single_round_error x_0_0) (0)%R))),
  forall (HW_4: (* JC_29 *) (eq (single_exact x_0_0) (single_value x_0_0))),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_6: (no_overflow_single
                 nearest_even (Rmult
                               (single_value x_0_0) (single_value x_0_0)))),
  forall (result0: single),
  forall (HW_7: (mul_single_post nearest_even x_0_0 x_0_0 result0)),
  forall (result1: single),
  forall (HW_8: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (HW_9: (no_overflow_single
                 nearest_even (Rmult
                               (single_value result0) (single_value result1)))),
  forall (result2: single),
  forall (HW_10: (mul_single_post nearest_even result0 result1 result2)),
  (no_overflow_single
   nearest_even (Rminus (single_value result) (single_value result2))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 67, characters 13-57: *)
(*Why goal*) Lemma my_cos3_ensures_default_po_1 : 
  forall (x_1: single),
  forall (HW_1: (* JC_45 *)
                ((* JC_43 *) (Rle (Rabs (single_exact x_1)) (1 / 32)%R) /\
                (* JC_44 *) (Rle (single_round_error x_1) (1 / 1048576)%R))),
  forall (result: single),
  forall (HW_4: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_5: (mul_single_post nearest_even x_1 x_1 result0)),
  forall (result1: single),
  forall (HW_6: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_7: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_8: (sub_single_post nearest_even result result2 result3)),
  forall (r_0: single),
  forall (HW_9: r_0 = result3),
  (* JC_62 *)
  (Rle (Rabs (Rminus (single_exact r_0) (cos (single_exact x_1))))
   (1 / 16777216)%R).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 62, characters 12-62: *)
(*Why goal*) Lemma my_cos3_ensures_default_po_2 : 
  forall (x_1: single),
  forall (HW_1: (* JC_45 *)
                ((* JC_43 *) (Rle (Rabs (single_exact x_1)) (1 / 32)%R) /\
                (* JC_44 *) (Rle (single_round_error x_1) (1 / 1048576)%R))),
  forall (result: single),
  forall (HW_4: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_5: (mul_single_post nearest_even x_1 x_1 result0)),
  forall (result1: single),
  forall (HW_6: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_7: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_8: (sub_single_post nearest_even result result2 result3)),
  forall (r_0: single),
  forall (HW_9: r_0 = result3),
  forall (HW_10: (* JC_62 *)
                 (Rle
                  (Rabs (Rminus (single_exact r_0) (cos (single_exact x_1))))
                  (1 / 16777216)%R)),
  forall (why__return: single),
  forall (HW_11: why__return = r_0),
  (* JC_49 *)
  (* JC_47 *)
  (Rle (Rabs (Rminus (single_exact why__return) (cos (single_exact x_1))))
   (1 / 16777216)%R).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 63, characters 11-61: *)
(*Why goal*) Lemma my_cos3_ensures_default_po_3 : 
  forall (x_1: single),
  forall (HW_1: (* JC_45 *)
                ((* JC_43 *) (Rle (Rabs (single_exact x_1)) (1 / 32)%R) /\
                (* JC_44 *) (Rle (single_round_error x_1) (1 / 1048576)%R))),
  forall (result: single),
  forall (HW_4: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_5: (mul_single_post nearest_even x_1 x_1 result0)),
  forall (result1: single),
  forall (HW_6: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_7: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_8: (sub_single_post nearest_even result result2 result3)),
  forall (r_0: single),
  forall (HW_9: r_0 = result3),
  forall (HW_10: (* JC_62 *)
                 (Rle
                  (Rabs (Rminus (single_exact r_0) (cos (single_exact x_1))))
                  (1 / 16777216)%R)),
  forall (why__return: single),
  forall (HW_11: why__return = r_0),
  (* JC_49 *)
  (* JC_48 *)
  (Rle (single_round_error why__return)
   (Rplus (single_round_error x_1) (3 / 16777216)%R)).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 66, characters 19-24: *)
(*Why goal*) Lemma my_cos3_safety_po_1 : 
  forall (x_1: single),
  forall (HW_1: (* JC_45 *)
                ((* JC_43 *) (Rle (Rabs (single_exact x_1)) (1 / 32)%R) /\
                (* JC_44 *) (Rle (single_round_error x_1) (1 / 1048576)%R))),
  forall (result: single),
  forall (HW_4: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value x_1) (single_value x_1))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 66, characters 19-31: *)
(*Why goal*) Lemma my_cos3_safety_po_2 : 
  forall (x_1: single),
  forall (HW_1: (* JC_45 *)
                ((* JC_43 *) (Rle (Rabs (single_exact x_1)) (1 / 32)%R) /\
                (* JC_44 *) (Rle (single_round_error x_1) (1 / 1048576)%R))),
  forall (result: single),
  forall (HW_4: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_5: (no_overflow_single
                 nearest_even (Rmult (single_value x_1) (single_value x_1)))),
  forall (result0: single),
  forall (HW_6: (mul_single_post nearest_even x_1 x_1 result0)),
  forall (result1: single),
  forall (HW_7: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value result0) (single_value result1))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 66, characters 12-31: *)
(*Why goal*) Lemma my_cos3_safety_po_3 : 
  forall (x_1: single),
  forall (HW_1: (* JC_45 *)
                ((* JC_43 *) (Rle (Rabs (single_exact x_1)) (1 / 32)%R) /\
                (* JC_44 *) (Rle (single_round_error x_1) (1 / 1048576)%R))),
  forall (result: single),
  forall (HW_4: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_5: (no_overflow_single
                 nearest_even (Rmult (single_value x_1) (single_value x_1)))),
  forall (result0: single),
  forall (HW_6: (mul_single_post nearest_even x_1 x_1 result0)),
  forall (result1: single),
  forall (HW_7: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (HW_8: (no_overflow_single
                 nearest_even (Rmult
                               (single_value result0) (single_value result1)))),
  forall (result2: single),
  forall (HW_9: (mul_single_post nearest_even result0 result1 result2)),
  (no_overflow_single
   nearest_even (Rminus (single_value result) (single_value result2))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 75, characters 13-55: *)
(*Why goal*) Lemma my_cos4_ensures_default_po_1 : 
  forall (x_2: single),
  forall (HW_1: (* JC_65 *) (Rle (Rabs (single_value x_2)) (007 / 100)%R)),
  (* JC_75 *)
  (Rle
   (Rabs
    (Rminus
     (Rminus
      (1)%R (Rmult (Rmult (single_value x_2) (single_value x_2)) (05 / 10)%R)) (
     cos (single_value x_2))))
   (18 / 16777216)%R).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 72, characters 12-48: *)
(*Why goal*) Lemma my_cos4_ensures_default_po_2 : 
  forall (x_2: single),
  forall (HW_1: (* JC_65 *) (Rle (Rabs (single_value x_2)) (007 / 100)%R)),
  forall (HW_4: (* JC_75 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_2) (single_value x_2)) (05 / 10)%R)) (
                   cos (single_value x_2))))
                 (18 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (result0: single),
  forall (HW_6: (mul_single_post nearest_even x_2 x_2 result0)),
  forall (result1: single),
  forall (HW_7: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (result2: single),
  forall (HW_8: (mul_single_post nearest_even result0 result1 result2)),
  forall (result3: single),
  forall (HW_9: (sub_single_post nearest_even result result2 result3)),
  forall (__retres_0: single),
  forall (HW_10: __retres_0 = result3),
  forall (why__return: single),
  forall (HW_11: why__return = __retres_0),
  (* JC_67 *)
  (Rle (Rabs (Rminus (single_value why__return) (cos (single_value x_2))))
   (19 / 16777216)%R).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 76, characters 16-21: *)
(*Why goal*) Lemma my_cos4_safety_po_1 : 
  forall (x_2: single),
  forall (HW_1: (* JC_65 *) (Rle (Rabs (single_value x_2)) (007 / 100)%R)),
  forall (HW_4: (* JC_71 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_2) (single_value x_2)) (05 / 10)%R)) (
                   cos (single_value x_2))))
                 (18 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value x_2) (single_value x_2))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 76, characters 16-28: *)
(*Why goal*) Lemma my_cos4_safety_po_2 : 
  forall (x_2: single),
  forall (HW_1: (* JC_65 *) (Rle (Rabs (single_value x_2)) (007 / 100)%R)),
  forall (HW_4: (* JC_71 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_2) (single_value x_2)) (05 / 10)%R)) (
                   cos (single_value x_2))))
                 (18 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_6: (no_overflow_single
                 nearest_even (Rmult (single_value x_2) (single_value x_2)))),
  forall (result0: single),
  forall (HW_7: (mul_single_post nearest_even x_2 x_2 result0)),
  forall (result1: single),
  forall (HW_8: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  (no_overflow_single
   nearest_even (Rmult (single_value result0) (single_value result1))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.

(* Why obligation from file "my_cosine.c", line 76, characters 9-28: *)
(*Why goal*) Lemma my_cos4_safety_po_3 : 
  forall (x_2: single),
  forall (HW_1: (* JC_65 *) (Rle (Rabs (single_value x_2)) (007 / 100)%R)),
  forall (HW_4: (* JC_71 *)
                (Rle
                 (Rabs
                  (Rminus
                   (Rminus
                    (1)%R (Rmult
                           (Rmult (single_value x_2) (single_value x_2)) (05 / 10)%R)) (
                   cos (single_value x_2))))
                 (18 / 16777216)%R)),
  forall (result: single),
  forall (HW_5: (eq (single_value result) (1)%R) /\
                (eq (single_exact result) (1)%R) /\
                (eq (single_model result) (1)%R)),
  forall (HW_6: (no_overflow_single
                 nearest_even (Rmult (single_value x_2) (single_value x_2)))),
  forall (result0: single),
  forall (HW_7: (mul_single_post nearest_even x_2 x_2 result0)),
  forall (result1: single),
  forall (HW_8: (eq (single_value result1) (05 / 10)%R) /\
                (eq (single_exact result1) (05 / 10)%R) /\
                (eq (single_model result1) (05 / 10)%R)),
  forall (HW_9: (no_overflow_single
                 nearest_even (Rmult
                               (single_value result0) (single_value result1)))),
  forall (result2: single),
  forall (HW_10: (mul_single_post nearest_even result0 result1 result2)),
  (no_overflow_single
   nearest_even (Rminus (single_value result) (single_value result2))).
Proof.
admit.
(* FILL PROOF HERE *)
Save.


why-2.34/tests/c/float_sqrt.c0000644000175000017500000001107112311670312014523 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


/* contribution by Guillaume Melquiond */

// RUN GAPPA (does not work)

#pragma JessieFloatModel(defensive)

/*
 With some help, the Gappa tool is able to prove the postcondition of the
 sqrt function.

 First, it needs to know that Newton's iteration converges quadratically.
 This formula on relative errors is denoted by the newton_rel predicate.
 The newton states its general expression and it is proved by a short Coq
 script performing algebraic manipulations. The newton lemma is then
 instantiated by Alt-Ergo at each iteration of the loop to solve the
 three assertions about the predicate.

 In order to prove the postcondition, Gappa also needs to be told that
 the value computed after an iteration is close to both sqrt(x) and the
 value that would have been computed with an infinite precision. This is
 done by putting distance expressions into the context through three
 other assertions about the closeness predicate. They are much weaker
 than what Gappa will end up proving; they are only here to guide its
 heuristics.

 Finally, Gappa also needs to know about the inverse square root trick.
 That is what the assertion is for, and it is proved in Coq.
*/

/*@
 predicate newton_rel(real t, real x) =
   (0.5 * t * (3 - t * t * x) - 1/\sqrt(x)) / (1/\sqrt(x)) ==
     - (1.5 + 0.5 * ((t - 1/\sqrt(x)) / (1/\sqrt(x)))) *
     (((t - 1/\sqrt(x)) / (1/\sqrt(x))) * ((t - 1/\sqrt(x)) / (1/\sqrt(x))));

 lemma newton: \forall real t, x; x > 0. ==> newton_rel(t, x);

 predicate closeness(real u, real t, real x) =
   \abs(u - 0.5 * t * (3 - t * t * x)) <= 1 &&
   \abs(u - 1/\sqrt(x)) <= 1;
*/

/*@
 requires 0.5 <= x <= 2;
 ensures \abs(\result - 1/\sqrt(x)) <= 0x1p-6 * \abs(1/\sqrt(x));
*/
double sqrt_init(double x);

/*@
 requires 0.5 <= x <= 2;
 ensures \abs(\result - \sqrt(x)) <= 0x1p-43 * \abs(\sqrt(x));
*/
double sqrt(double x)
{
  double t, u;
  t = sqrt_init(x);

  u = 0.5 * t * (3 - t * t * x);
  //@ assert newton_rel(t, x);
  //@ assert closeness(u, t, x);
  t = u;

  u = 0.5 * t * (3 - t * t * x);
  //@ assert newton_rel(t, x);
  //@ assert closeness(u, t, x);
  t = u;

  u = 0.5 * t * (3 - t * t * x);
  //@ assert newton_rel(t, x);
  //@ assert closeness(u, t, x);
  t = u;

  //@ assert x * (1/\sqrt(x)) == \sqrt(x);
  return x * t;
}



/*
Local Variables:
compile-command: "make float_sqrt.why3ide"
End:
*/


why-2.34/tests/c/sum_array.c0000644000175000017500000000733212311670312014354 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#pragma JessieIntegerModel(math)

/*@ axiomatic Sum {
  @   // sum(t,i,j) denotes t[i]+...+t[j-1]
  @   logic integer sum{L}(int *t, integer i, integer j)
  @        reads i,j,t, t[..] ;
  @   axiom sum1{L} :
  @     \forall int *t, integer i; sum(t,i,i) == 0;
  @   axiom sum2{L} :
  @     \forall int *t, integer i, j;
  @       sum(t,i,j+1) == sum(t,i,j) + t[j];
  @ }
  @*/

/*@ lemma sum3{L} :
  @     \forall int *t, integer i, j, k;
  @       i <= j <= k ==>
  @         sum(t,i,k) == sum(t,i,j) + sum(t,j,k);
  @*/

/*@ lemma sum_footprint{L} :
  @     \forall int *t1,*t2, integer i, j;
  @       (\forall integer k; i<=k t1[k] == t2[k]) ==>
  @       sum(t1,i,j) == sum(t2,i,j);
  @*/

/*@ requires n >= 1 && \valid_range(t,0,n-1) ;
  @ ensures \result == sum(t,0,n);
  @*/
int test1(int t[],int n) {
  int i,s = 0;

  /*@ loop invariant 0 <= i <= n && s == sum(t,0,i);
    @ loop variant n-i;
  */
  for(i=0; i < n; i++)
  {
    s += t[i];
  }
  return s;
}


/*@ requires n >= 1 && \valid_range(t,0,n-1);
  @ assigns t[..];
  @ ensures sum(t,0,n) == \old(sum(t,0,n))+n;
  @*/
void test2(int t[],int n) {
  int i;
  /*@ loop invariant 0 <= i <= n &&
    @     sum(t,0,n) == \at(sum(t,0,n),Pre)+i;
    @ loop variant n-i;
    @*/
  for(i=0; i < n; i++)
  {
    //@ assert sum(t,0,n) == sum(t,0,i) + t[i] + sum(t,i+1,n);
    t[i] += 1;
    //@ assert sum(t,0,n) == sum(t,0,i) + t[i] + sum(t,i+1,n);
  }
}

/*
Local Variables:
compile-command: "make sum_array.why3ide"
End:
*/
why-2.34/tests/c/binary_search.c0000644000175000017500000000645212311670312015165 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY this tells regtests to run Simplify in this example

//@ lemma mean: \forall integer x, y; x <= y ==> x <= (x+y)/2 <= y;

/*@ predicate sorted{L}(long *t, integer a, integer b) =
  @    \forall integer i,j; a <= i <= j <= b ==> t[i] <= t[j];
  @*/

/*@ requires n >= 0 && \valid(t+(0..n-1));
  @ ensures -1 <= \result < n;
  @ behavior success:
  @   ensures \result >= 0 ==> t[\result] == v;
  @ behavior failure:
  @   assumes sorted(t,0,n-1);
  @   ensures \result == -1 ==>
  @     \forall integer k; 0 <= k < n ==> t[k] != v;
  @*/
int binary_search(long t[], int n, long v) {
  int l = 0, u = n-1;
  /*@ loop invariant
    @   0 <= l && u <= n-1;
    @ for failure:
    @   loop invariant
    @   \forall integer k; 0 <= k < n && t[k] == v ==> l <= k <= u;
    @ loop variant u-l;
    @*/
  while (l <= u ) {
    int m = (l + u) / 2;
    //@ assert l <= m <= u;
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else return m;
  }
  return -1;
}

/*
Local Variables:
compile-command: "make binary_search.why3ide"
End:
*/
why-2.34/tests/c/popHeap.c0000644000175000017500000002127312311670312013746 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/**
Extract from
http://www.first.fraunhofer.de/fileadmin/FIRST/ACSL-by-Example.pdf
*/

#pragma SeparationPolicy(none)


typedef int bool;
#define false		((bool)0)
#define true		((bool)1)

typedef int value_type;

typedef int size_type; 




/*@
  predicate IsValidRange(value_type* a, integer n) =
    (0 <= n) && \valid_range(a, 0, n-1);
*/

/*@
  predicate
    IsEqual{A,B}(value_type* a, integer n, value_type* b) =
      \forall integer i; 0 <= i < n ==> 
        \at(a[i], A) == \at(b[i], B);
*/



/*@
  axiomatic ParentChildAxioms
  {
    predicate ParentChild(integer i, integer j);

    axiom ParentChild_1:
      \forall integer i, j; ParentChild(i, j) <==>
         0 <= i < j && (j == 2*i+1 || j == 2*i+2);

    axiom ParentChild_2:
      \forall integer i, j; ParentChild(i, j) <==>
        0 < j && i == (j-1)/2;
  }

  lemma ParentChild_3:
    \forall integer i; 0 < i ==>
      ParentChild((i-1)/2, i) && 0 <= (i-1)/2 < i;

  predicate IsHeap{L}(value_type* c, integer n) = 
    \forall integer i, j;
      j < n && ParentChild(i, j) ==> c[i] >= c[j];
*/

/*@
  predicate IsMaximum{L}(value_type* a, integer n, integer max) =
     \forall integer i; 0 <= i < n ==> a[max] >= a[i];

  predicate IsFirstMaximum{L}(value_type* a, integer max) =
    \forall integer i; 0 <= i < max ==> a[i] < a[max];
*/

/*@
  axiomatic CountAxiomatic
  {
    logic integer Count{L}(value_type* a, value_type v,
                           integer i, integer j) reads a[i..(j-1)];

    axiom Count0:
      \forall value_type *a, v, integer i,j;
        i >= j ==> Count(a, v, i, j) == 0;

    axiom Count1:
      \forall value_type *a, v, integer i, j, k;
        0 <= i <= j <= k ==> Count(a, v, i ,k) ==
                             Count(a, v, i, j) + Count(a, v, j, k);

    axiom Count2:
      \forall value_type *a, v, integer i;
        (a[i] != v ==> Count(a, v, i, i+1) == 0) &&
        (a[i] == v ==> Count(a, v, i, i+1) == 1);

  logic integer CountWithHole{L}(value_type* c, value_type v, integer i, integer h,  integer j) =
      Count{L}(c, v, i, h) + Count{L}(c, v, h+1, j);

  logic integer CountWithoutHole{L}(value_type* c, value_type v, integer i, integer h,  integer j) =
      Count{L}(c, v, i, h) + Count{L}(c, v, h, j);
  }

  lemma CountLemma: \forall value_type *a, v, integer i;
    0 <= i ==> Count(a, v, 0, i+1) ==
               Count(a, v, 0, i) + Count(a, v, i, i+1);
*/

/*@
  predicate
    Permutation{A,B}(value_type* c, size_type n) = 
      \forall value_type x; 
        Count{A}(c, x, 0, n) == Count{B}(c, x, 0, n);
*/

/*@
  requires 0 < n && IsValidRange(a, n);
  requires IsHeap(a, n);

  assigns \nothing;

  ensures \forall integer i; 0 <= i < n ==> a[0] >= a[i];
*/
void pop_heap_induction(const value_type* a, size_type n);


/*@
  requires 0 < n && IsValidRange(a, n);
  requires 0 <= parent < child < n;
  requires a[parent] == a[child];

  assigns \nothing;

  ensures \forall value_type x; 
    CountWithHole(a, x, 0, child, n) == CountWithHole(a, x, 0, parent, n);
*/
void pop_push_heap_copy(value_type* a, size_type n, size_type parent, size_type child);

#define INT_MAX			2147483647

/*@
   requires 0 < n <  (INT_MAX-2)/2;
   requires IsValidRange(a, n);
   requires IsHeap(a, n);

   assigns a[0..(n-1)];

   ensures IsHeap(a, n-1);
   ensures a[n-1] == \old(a[0]);
   ensures IsMaximum(a, n, n-1);
   ensures Permutation{Old, Here}(a, n);
*/
void pop_heap(value_type* a, size_type n);


void pop_heap(value_type* a, size_type n)
{
  //@ ghost pop_heap_induction(a,n);
  //@ assert \forall integer i; 0 < i < n ==> a[0] >= a[i];
  value_type tmp = 0, max = 0;
  size_type hole = 0;
  tmp = a[n-1];
  max  = a[0];
  /*@ assert \forall value_type x;
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
  */
  /*@
     loop invariant 0 <= hole < n;
     loop invariant IsHeap(a,n-1);
     loop invariant \forall integer i; 0 <= i < n ==> a[i] <= max;
     loop invariant \forall integer i;
        hole < n-1 && ParentChild(i,hole) ==> a[i] >= tmp;
     loop invariant \forall value_type x;
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
     loop invariant \at(a[n-1],Pre) == a[n-1];

     loop assigns a[0..hole],hole;
     loop   variant n - hole;
  */
  while (true)
  {
    size_type child = 2*hole + 2;
    if (child < n-1)
    {
      if (a[child] < a[child-1]) child--;
      //@ assert ParentChild(hole,child);
      if (a[child] > tmp)
      {
        //@ assert hole < n-1;
        a[hole] = a[child];
        //@ assert \at(a[n-1],Pre) == a[n-1];
        //@ ghost pop_push_heap_copy(a,n,hole,child);
        hole = child;
      }
      else break;
    }
    else
    {
      child = 2*hole + 1;
      if (child == n-2 && a[child] > tmp)
      {
        //@ assert hole < n-1;
        a[hole] = a[child];
        //@ assert \at(a[n-1],Pre) == a[n-1];
        //@ ghost pop_push_heap_copy(a,n,hole,child);
        hole = child;
      }
      break;
    }
  }
  /*@  assert \forall integer i;
    hole < n-1 && ParentChild(i,hole) ==> a[i] >= tmp;
  */

  a[hole] = tmp;
  /*@ assert \forall value_type x;
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
  */
  //@ assert hole a[hole] ==tmp== \at(a[n-1],Pre) == a[n-1];
  /*@ assert \forall value_type x; hole < n-1 ==>
        Count(a,x,hole+1,(n-1)+1)==CountWithoutHole(a,x,hole+1,n-1,n);
  */

  /*@ assert \forall value_type x;
      (hole < n-1 ==> CountWithHole(a,x,0,hole,n) ==
        CountWithHole(a,x,0,hole,n-1) +  Count(a,x,n-1 ,(n-1)+1) ==
        CountWithoutHole(a,x,0,hole,hole+1) + Count(a,x,hole+1,n-1) ==
        CountWithoutHole(a,x,0,hole,n-1) ==
        Count(a,x,0,n-1)) &&
      (hole == n-1 ==> CountWithHole(a,x,0,hole,n) ==
        CountWithHole(a,x,0,n-1,n) == Count(a,x,0,n-1));
  */
  /*@ assert \forall value_type x; Count(a,x,0,n-1) ==
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
  */

  a[n-1]  = max;
  /*@ assert \forall value_type x;
        Count(a,x,n-1,(n-1)+1) == Count{Pre}(a,x,0,1);
  */
  /*@ assert \forall value_type x; CountWithoutHole(a,x,0,n-1,n) 
        == CountWithoutHole{Pre}(a,x,0,1,n);
  */
  /*@ assert \forall value_type x;
        Count(a,x,0,n) == CountWithoutHole(a,x,0,n-1,n) ==
        CountWithoutHole{Pre}(a,x,0,1,n) == Count{Pre}(a,x,0,n);
  */
}



void pop_heap_induction(const value_type* a, size_type n)
{
  /*@
  loop invariant 0 <= i <= n;
  loop invariant  \forall integer j;
     0 <= j < i <= n ==> a[0] >= a[j];
  loop   variant n - i;
  */
  for (size_type i = 1; i < n; i++)
  {
    //@ assert 0 < i ==> ParentChild((i-1)/2, i);
  }
}



why-2.34/tests/c/clock_drift.c0000644000175000017500000000727612311670312014644 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNGAPPA: will ask regtests to run gappa on VCs of this program

#define NMAX 1000000
#define NMAXR 1000000.0

// this one is needed by Gappa to prove the assertion on the rounding error
/*@ lemma real_of_int_inf_NMAX:
  @   \forall integer i; i <= NMAX ==> i <= NMAXR;
  @*/

// this one does not seem useful for Alt-Ergo
// but it is for CVC3, to prove preservation of the loop
// invariant. Z3 does not prove it either
//@ lemma real_of_int_succ: \forall integer n; n+1 == n + 1.0;

// this one does not seem to be needed anymore
/* lemma inf_mult : 
  @    \forall real x,y,z; x<=y && 0<=z ==> x*z <= y*z;
  @*/

#define A 1.49012e-09 
// A is a bound of (float)0.1 - 0.1

// this one is not needed anymore since (float)0.1 is evaluated
// at compile-time
// lemma round01: \abs((float)0.1 - 0.1) <=  A;

// B is a bound of round_error(t+(float)0.1) for 0 <= t <= 0.1*NMAXR
// NMAX = 100 -> #define B 4.76838e-07
// NMAX = 1000000 ->
#define B 0x1p-8

#define C (B + A)

/*@ requires 0 <= n <= NMAX;
  @ ensures \abs(\result - n*0.1) <= n * C;
  @*/
float f_single(int n)
{
  float t = 0.0f;
  int i;

  /*@ loop invariant 0 <= i <= n;
    @ loop invariant \abs(t - i * 0.1) <= i * C ;
    @ loop variant n-i;
    @*/
  for(i=0;i= r) return;
  v = t[l];
  m = l; 
  /*@ loop invariant 
    @   \forall integer j; l < j <= m ==> t[j] < v;
    @ loop invariant
    @   \forall integer j; m < j <  i ==> t[j] >= v;
    @ loop invariant  
    @   Permut{Pre,Here}(t,l,r);
    @ loop invariant t[l] == v && l <= m < i <= r+1;
    @ loop variant r-i;
    @*/
  for (i = l + 1; i <= r; i++) {
    if (t[i] < v) {
    L1:
      swap(t,i,++m);
      //@ assert Permut{L1,Here}(t,l,r);
    }
  }
  //@ assert l <= m <= r;
 L: swap(t,l,m);
  //@ assert Permut{L,Here}(t,l,r);
  quick_rec(t,l,m-1);
  quick_rec(t,m+1,r);
}

/*@ requires \valid_range(t,0,n-1);
  @ behavior sorted:
  @   ensures Sorted(t,0,n);
  @ behavior permutation:
  @   ensures Permut{Old,Here}(t,0,n-1);
  @*/
void quick_sort(int t[], int n) {
  quick_rec(t,0,n-1);
}


/*
Local Variables:
compile-command: "make quick_sort.why3ide"
End:
*/
why-2.34/tests/c/heap_sort.c0000644000175000017500000000566712311670312014347 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#include "binary_heap.h"


/*@ requires len >= 0;
  @ requires \valid_range(arr,0,len-1);
  @ // assigns arr[..];
  @ ensures \forall integer i,j; 0 <= i <= j < len ==> arr[i] <= arr[j]; 
  @*/
void heap_sort(int *arr, uint len) {
  uint i;
  heap h = create(len);
  /*@ loop invariant 0 <= i <= len;
    @ loop variant len - i;
    @*/
  for (i = 0; i < len; ++i) insert(h,arr[i]);
  /*@ loop invariant 0 <= i <= len;
    @ loop variant len - i;
    @*/
  for (i = 0; i < len; ++i) arr[i] = extract_min(h);
}



void main() {
  int arr[] = {42, 13, 42};
  heap_sort(arr,3);
  //@ assert arr[0] <= arr[1] && arr[1] <= arr[2];
  //@ assert arr[0] == 13 && arr[1] == 42 && arr[2] == 42;
}

why-2.34/tests/c/oracle/0000755000175000017500000000000012311670312013446 5ustar  rtuserswhy-2.34/tests/c/oracle/minmax.err.oracle0000644000175000017500000000000012311670312016703 0ustar  rtuserswhy-2.34/tests/c/oracle/rec.err.oracle0000644000175000017500000000000012311670312016163 0ustar  rtuserswhy-2.34/tests/c/oracle/interval_arith.err.oracle0000644000175000017500000000000012311670312020425 0ustar  rtuserswhy-2.34/tests/c/oracle/duplets.res.oracle0000644000175000017500000205262512311670312017121 0ustar  rtusers========== file tests/c/duplets.c ==========
/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 3: Two equal elements

Given: An integer array a of length n+2 with n>=2. It is known that at
least two values stored in the array appear twice (i.e., there are at
least two duplets).

Implement and verify a program finding such two values.

You may assume that the array contains values between 0 and n-1.
*/

#define NULL (void*)0

/* equality between an integer and a possibly null int* */
/*@ predicate eq_opt{L}(integer x, int *o) =
  @   o != \null && x == *o ;
  @*/

/* A duplet in array a is a pair of indexes (i,j) in the bounds of array
   a such that a[i] = a[j] */
/*@ predicate is_duplet{L}(int *a, integer len, integer i, integer j) =
  @    0 <= i < j < len && a[i] == a[j];
  @*/

/* duplet(a) returns the indexes (i,j) of a duplet in a.
 * moreover, if except is not null, the value of this duplet must
 * be different from it.
 */
/*@ requires 2 <= len &&
  @   \valid_range(a,0,len-1) && \valid(pi) && \valid(pj) &&
  @   ( except == \null || \valid(except)) &&
  @   \exists integer i,j;
  @     is_duplet(a,len,i,j) && ! eq_opt(a[i],except) ;
  @ assigns *pi,*pj;
  @ ensures
  @   is_duplet(a,len,*pi,*pj) &&
  @   ! eq_opt(a[*pi],except);
  @*/
void duplet(int *a, int len, int *except, int *pi, int *pj) {
  /*@ loop invariant 0 <= i <= len-1 &&
    @  \forall integer k,l; 0 <= k < i && k < l < len ==>
    @    ! eq_opt(a[k],except) ==> ! is_duplet(a,len,k,l);
    @ loop variant len - i;
    @*/
  for(int i=0; i <= len - 2; i++) {
    int v = a[i];
    if (except == NULL || *except != v) {
      /*@ loop invariant i+1 <= j <= len &&
        @   \forall integer l; i < l < j ==> ! is_duplet(a,len,i,l);
        @ loop variant len - j;
        @*/
      for (int j=i+1; j < len; j++) {
        if (a[j] == v) {
          *pi = i; *pj = j; return;
        }
      }
    }
  }
  // assert \forall integer i j; ! is_duplet(a,i,j);
  //@ assert \false;
}



/*@ requires 4 <= len && 
  @   \valid_range(a,0,len-1) && \valid(pi) && \valid(pj) &&
  @   \valid(pk) && \valid(pl) &&
  @   \exists integer i,j,k,l;
  @     is_duplet(a,len,i,j) && is_duplet(a,len,k,l) && a[i] != a[k];
  @ assigns *pi,*pj,*pk,*pl;
  @ ensures is_duplet(a,len,*pi,*pj) &&
  @   is_duplet(a,len,*pk,*pl) &&
  @   a[*pi] != a[*pk];
  @*/
void duplets(int a[], int len, int *pi, int *pj, int *pk, int *pl) {
  duplet(a,len,NULL,pi,pj);
  duplet(a,len,&a[*pi],pk,pl);
}


/*
Local Variables:
compile-command: "make duplets.why3ide"
End:
*/

========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/duplets.c"
tests/c/duplets.c:33:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
tests/c/duplets.c:69:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/duplets.jessie
[jessie] File tests/c/duplets.jessie/duplets.jc written.
[jessie] File tests/c/duplets.jessie/duplets.cloc written.
========== file tests/c/duplets.jessie/duplets.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate eq_opt{L}(integer x, intP[..] o) =
((o != null) && (x == o.intM))

predicate is_duplet{L}(intP[..] a, integer len, integer i_1, integer j_0) =
(((0 <= i_1) && ((i_1 < j_0) && (j_0 < len))) &&
  ((a + i_1).intM == (a + j_0).intM))

unit duplet(intP[..] a, int32 len, intP[..] except, intP[..] pi, intP[..] pj)
  requires (_C_39 : ((((((_C_44 : (2 <= len)) &&
                          ((_C_46 : (\offset_min(a) <= 0)) &&
                            (_C_47 : (\offset_max(a) >= (len - 1))))) &&
                         ((_C_49 : (\offset_min(pi) <= 0)) &&
                           (_C_50 : (\offset_max(pi) >= 0)))) &&
                        ((_C_52 : (\offset_min(pj) <= 0)) &&
                          (_C_53 : (\offset_max(pj) >= 0)))) &&
                       (_C_54 : ((except == null) ||
                                  ((\offset_min(except) <= 0) &&
                                    (\offset_max(except) >= 0))))) &&
                      (_C_55 : (\exists integer i_2;
                                 (\exists integer j_1;
                                   (is_duplet{Here}(a, len, i_2, j_1) &&
                                     (! eq_opt{Here}((a + i_2).intM, except))))))));
behavior default:
  assigns pi.intM,
  pj.intM;
  ensures (_C_36 : ((_C_37 : is_duplet{Here}(\at(a,Old), \at(len,Old),
                                             \at(pi,Old).intM,
                                             \at(pj,Old).intM)) &&
                     (_C_38 : (! eq_opt{Here}((\at(a,Old) + \at(pi,Old).intM).intM,
                                              \at(except,Old))))));
{  
   (var int32 i);
   
   (var int32 v);
   
   (var int32 j);
   
   {  
      {  (_C_1 : (i = 0));
         
         loop 
         behavior default:
           invariant (_C_3 : (((_C_5 : (0 <= i)) &&
                                (_C_6 : (i <= (len - 1)))) &&
                               (_C_7 : (\forall integer k;
                                         (\forall integer l_0;
                                           ((((0 <= k) && (k < i)) &&
                                              ((k < l_0) && (l_0 < len))) ==>
                                             ((! eq_opt{Here}((a + k).intM,
                                                              except)) ==>
                                               (! is_duplet{Here}(a, len, k,
                                                                  l_0)))))))));
         variant (_C_2 : (len - i));
         while (true)
         {  
            {  (if (i <= (_C_9 : ((_C_8 : (len - 2)) :> int32))) then () else 
               (goto while_0_break));
               
               {  (_C_12 : (v = (_C_11 : (_C_10 : (a + i)).intM)));
                  (if (except == null) then 
                  (goto _LOR) else (if ((_C_13 : except.intM) != v) then 
                                   (goto _LOR) else ()));
                  
                  (goto _LOR_0);
                  (_LOR : 
                  {  (_C_16 : (j = (_C_15 : ((_C_14 : (i + 1)) :> int32))));
                     
                     loop 
                     behavior default:
                       invariant (_C_18 : (((_C_20 : ((i + 1) <= j)) &&
                                             (_C_21 : (j <= len))) &&
                                            (_C_22 : (\forall integer l;
                                                       (((i < l) && (l < j)) ==>
                                                         (! is_duplet{Here}(
                                                         a, len, i, l)))))));
                     variant (_C_17 : (len - j));
                     while (true)
                     {  
                        {  (if (j < len) then () else 
                           (goto while_1_break));
                           
                           {  (if ((_C_28 : (_C_27 : (a + j)).intM) == v) then 
                              {  (_C_24 : ((_C_23 : pi.intM) = i));
                                 (_C_26 : ((_C_25 : pj.intM) = j));
                                 
                                 (goto return_label)
                              } else ())
                           };
                           (_C_31 : (j = (_C_30 : ((_C_29 : (j + 1)) :> int32))))
                        }
                     };
                     (while_1_break : ())
                  });
                  (_LOR_0 : ())
               };
               (_C_34 : (i = (_C_33 : ((_C_32 : (i + 1)) :> int32))))
            }
         };
         (while_0_break : ())
      };
      
      {  
         (assert for default: (_C_35 : (jessie : false)));
         ()
      };
      (return_label : 
      (return ()))
   }
}

unit duplets(intP[..] a_0, int32 len_0, intP[..] pi_0, intP[..] pj_0,
             intP[..] pk, intP[..] pl)
  requires (_C_65 : (((((((_C_71 : (4 <= len_0)) &&
                           ((_C_73 : (\offset_min(a_0) <= 0)) &&
                             (_C_74 : (\offset_max(a_0) >= (len_0 - 1))))) &&
                          ((_C_76 : (\offset_min(pi_0) <= 0)) &&
                            (_C_77 : (\offset_max(pi_0) >= 0)))) &&
                         ((_C_79 : (\offset_min(pj_0) <= 0)) &&
                           (_C_80 : (\offset_max(pj_0) >= 0)))) &&
                        ((_C_82 : (\offset_min(pk) <= 0)) &&
                          (_C_83 : (\offset_max(pk) >= 0)))) &&
                       ((_C_85 : (\offset_min(pl) <= 0)) &&
                         (_C_86 : (\offset_max(pl) >= 0)))) &&
                      (_C_87 : (\exists integer i_3;
                                 (\exists integer j_2;
                                   (\exists integer k_0;
                                     (\exists integer l_1;
                                       ((is_duplet{Here}(a_0, len_0, i_3, j_2) &&
                                          is_duplet{Here}(a_0, len_0, k_0,
                                                          l_1)) &&
                                         ((a_0 + i_3).intM !=
                                           (a_0 + k_0).intM)))))))));
behavior default:
  assigns pi_0.intM,
  pj_0.intM,
  pk.intM,
  pl.intM;
  ensures (_C_60 : (((_C_62 : is_duplet{Here}(\at(a_0,Old), \at(len_0,Old),
                                              \at(pi_0,Old).intM,
                                              \at(pj_0,Old).intM)) &&
                      (_C_63 : is_duplet{Here}(\at(a_0,Old), \at(len_0,Old),
                                               \at(pk,Old).intM,
                                               \at(pl,Old).intM))) &&
                     (_C_64 : ((\at(a_0,Old) + \at(pi_0,Old).intM).intM !=
                                (\at(a_0,Old) + \at(pk,Old).intM).intM))));
{  
   {  (_C_56 : duplet(a_0, len_0, null, pi_0, pj_0));
      (_C_59 : duplet(a_0, len_0, (_C_58 : (a_0 + (_C_57 : pi_0.intM))), pk,
                      pl));
      
      (return ())
   }
}
========== file tests/c/duplets.jessie/duplets.cloc ==========
[duplet]
name = "Function duplet"
file = "HOME/tests/c/duplets.c"
line = 42
begin = 5
end = 11

[_C_52]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 47
end = 57

[_C_35]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 13
end = 19

[_C_56]
file = "HOME/tests/c/duplets.c"
line = 79
begin = 2
end = 30

[_C_28]
file = "HOME/tests/c/duplets.c"
line = 56
begin = 12
end = 16

[_C_72]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 6
end = 29

[_C_59]
file = "HOME/tests/c/duplets.c"
line = 80
begin = 2
end = 29

[_C_48]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 33
end = 43

[_C_51]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 47
end = 57

[_C_31]
file = "HOME/tests/c/duplets.c"
line = 55
begin = 31
end = 34

[duplets]
name = "Function duplets"
file = "HOME/tests/c/duplets.c"
line = 78
begin = 5
end = 12

[_C_77]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 33
end = 43

[_C_83]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 16

[_C_41]
file = "HOME/tests/c/duplets.c"
line = 32
begin = 13
end = 82

[_C_4]
file = "HOME/tests/c/duplets.c"
line = 43
begin = 21
end = 36

[_C_71]
file = "HOME/tests/c/duplets.c"
line = 68
begin = 13
end = 21

[_C_70]
file = "HOME/tests/c/duplets.c"
line = 68
begin = 13
end = 54

[_C_61]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 12
end = 70

[_C_69]
file = "HOME/tests/c/duplets.c"
line = 68
begin = 13
end = 68

[_C_32]
file = "HOME/tests/c/duplets.c"
line = 48
begin = 29
end = 32

[_C_23]
file = "HOME/tests/c/duplets.c"
line = 57
begin = 16
end = 17

[_C_19]
file = "HOME/tests/c/duplets.c"
line = 51
begin = 25
end = 40

[_C_42]
file = "HOME/tests/c/duplets.c"
line = 32
begin = 13
end = 68

[_C_82]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 16

[_C_84]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 20
end = 30

[_C_13]
file = "HOME/tests/c/duplets.c"
line = 50
begin = 30
end = 37

[_C_5]
file = "HOME/tests/c/duplets.c"
line = 43
begin = 21
end = 27

[_C_36]
file = "HOME/tests/c/duplets.c"
line = 39
begin = 6
end = 63

[_C_12]
file = "HOME/tests/c/duplets.c"
line = 49
begin = 4
end = 7

[_C_33]
file = "HOME/tests/c/duplets.c"
line = 48
begin = 29
end = 32

[_C_79]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 47
end = 57

[_C_85]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 20
end = 30

[_C_22]
file = "HOME/tests/c/duplets.c"
line = 52
begin = 12
end = 67

[_C_65]
file = "HOME/tests/c/duplets.c"
line = 68
begin = 13
end = 219

[_C_9]
file = "HOME/tests/c/duplets.c"
line = 48
begin = 20
end = 27

[_C_57]
file = "HOME/tests/c/duplets.c"
line = 80
begin = 18
end = 21

[_C_54]
file = "HOME/tests/c/duplets.c"
line = 34
begin = 6
end = 42

[_C_30]
file = "HOME/tests/c/duplets.c"
line = 55
begin = 31
end = 34

[_C_63]
file = "HOME/tests/c/duplets.c"
line = 75
begin = 6
end = 30

[_C_6]
file = "HOME/tests/c/duplets.c"
line = 43
begin = 26
end = 36

[_C_64]
file = "HOME/tests/c/duplets.c"
line = 76
begin = 6
end = 22

[_C_49]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 33
end = 43

[_C_24]
file = "HOME/tests/c/duplets.c"
line = 57
begin = 16
end = 17

[_C_45]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 6
end = 29

[_C_20]
file = "HOME/tests/c/duplets.c"
line = 51
begin = 25
end = 33

[_C_73]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 6
end = 29

[_C_38]
file = "HOME/tests/c/duplets.c"
line = 40
begin = 6
end = 29

[_C_3]
file = "HOME/tests/c/duplets.c"
line = 43
begin = 21
end = 155

[_C_81]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 16

[_C_17]
file = "HOME/tests/c/duplets.c"
line = 53
begin = 23
end = 30

[_C_7]
file = "HOME/tests/c/duplets.c"
line = 44
begin = 7
end = 115

[_C_86]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 20
end = 30

[_C_62]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 12
end = 36

[_C_55]
file = "HOME/tests/c/duplets.c"
line = 35
begin = 6
end = 80

[_C_27]
file = "HOME/tests/c/duplets.c"
line = 56
begin = 12
end = 13

[_C_87]
file = "HOME/tests/c/duplets.c"
line = 71
begin = 6
end = 99

[_C_46]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 6
end = 29

[_C_44]
file = "HOME/tests/c/duplets.c"
line = 32
begin = 13
end = 21

[_C_15]
file = "HOME/tests/c/duplets.c"
line = 55
begin = 17
end = 20

[_C_26]
file = "HOME/tests/c/duplets.c"
line = 57
begin = 25
end = 26

[_C_47]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 6
end = 29

[_C_10]
file = "HOME/tests/c/duplets.c"
line = 49
begin = 12
end = 13

[_C_68]
file = "HOME/tests/c/duplets.c"
line = 68
begin = 13
end = 82

[_C_60]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 12
end = 96

[_C_53]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 47
end = 57

[_C_40]
file = "HOME/tests/c/duplets.c"
line = 32
begin = 13
end = 128

[_C_58]
file = "HOME/tests/c/duplets.c"
line = 80
begin = 16
end = 17

[_C_8]
file = "HOME/tests/c/duplets.c"
line = 48
begin = 20
end = 27

[_C_66]
file = "HOME/tests/c/duplets.c"
line = 68
begin = 13
end = 116

[_C_18]
file = "HOME/tests/c/duplets.c"
line = 51
begin = 25
end = 111

[_C_29]
file = "HOME/tests/c/duplets.c"
line = 55
begin = 31
end = 34

[_C_75]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 33
end = 43

[_C_14]
file = "HOME/tests/c/duplets.c"
line = 55
begin = 17
end = 20

[_C_50]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 33
end = 43

[_C_37]
file = "HOME/tests/c/duplets.c"
line = 39
begin = 6
end = 30

[_C_43]
file = "HOME/tests/c/duplets.c"
line = 32
begin = 13
end = 54

[_C_2]
file = "HOME/tests/c/duplets.c"
line = 46
begin = 19
end = 26

[_C_34]
file = "HOME/tests/c/duplets.c"
line = 48
begin = 29
end = 32

[_C_67]
file = "HOME/tests/c/duplets.c"
line = 68
begin = 13
end = 102

[_C_16]
file = "HOME/tests/c/duplets.c"
line = 55
begin = 11
end = 14

[_C_1]
file = "HOME/tests/c/duplets.c"
line = 48
begin = 6
end = 9

[_C_76]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 33
end = 43

[_C_25]
file = "HOME/tests/c/duplets.c"
line = 57
begin = 25
end = 26

[_C_39]
file = "HOME/tests/c/duplets.c"
line = 32
begin = 13
end = 212

[_C_80]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 47
end = 57

[_C_74]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 6
end = 29

[_C_78]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 47
end = 57

[_C_11]
file = "HOME/tests/c/duplets.c"
line = 49
begin = 12
end = 16

[_C_21]
file = "HOME/tests/c/duplets.c"
line = 51
begin = 32
end = 40

========== jessie execution ==========
Generating Why function duplet
Generating Why function duplets
========== file tests/c/duplets.jessie/duplets.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs duplets.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs duplets.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/duplets_why.sx

project: why/duplets.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/duplets_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/duplets_why.vo

coq/duplets_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/duplets_why.v: why/duplets.why
	@echo 'why -coq [...] why/duplets.why' && $(WHY) $(JESSIELIBFILES) why/duplets.why && rm -f coq/jessie_why.v

coq-goals: goals coq/duplets_ctx_why.vo
	for f in why/*_po*.why; do make -f duplets.makefile coq/`basename $$f .why`_why.v ; done

coq/duplets_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/duplets_ctx_why.v: why/duplets_ctx.why
	@echo 'why -coq [...] why/duplets_ctx.why' && $(WHY) why/duplets_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export duplets_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/duplets_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/duplets_ctx_why.vo

pvs: pvs/duplets_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/duplets_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/duplets_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/duplets_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/duplets_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/duplets_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/duplets_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/duplets_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/duplets_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/duplets_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/duplets_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/duplets_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/duplets_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/duplets_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/duplets_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: duplets.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/duplets_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: duplets.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: duplets.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: duplets.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include duplets.depend

depend: coq/duplets_why.v
	-$(COQDEP) -I coq coq/duplets*_why.v > duplets.depend

clean:
	rm -f coq/*.vo

========== file tests/c/duplets.jessie/duplets.loc ==========
[JC_94]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 20
end = 30

[JC_73]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 82
begin = 9
end = 2835

[JC_63]
kind = PointerDeref
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 124
begin = 43
end = 64

[JC_80]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 109
begin = 21
end = 1263

[JC_51]
file = "HOME/tests/c/duplets.c"
line = 51
begin = 32
end = 40

[duplet_ensures_default]
name = "Function duplet"
behavior = "default behavior"
file = "HOME/tests/c/duplets.c"
line = 42
begin = 5
end = 11

[JC_71]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 82
begin = 9
end = 2835

[JC_45]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 82
begin = 9
end = 2835

[JC_123]
file = "HOME/tests/c/duplets.c"
line = 75
begin = 6
end = 30

[JC_106]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 16

[JC_113]
file = "HOME/tests/c/duplets.c"
line = 75
begin = 6
end = 30

[JC_116]
file = "HOME/tests/c/duplets.c"
line = 78
begin = 5
end = 12

[JC_64]
kind = PointerDeref
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 125
begin = 43
end = 64

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 6
end = 29

[JC_85]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 6
end = 29

[JC_126]
file = "HOME/tests/c/duplets.c"
line = 78
begin = 5
end = 12

[JC_31]
file = "HOME/tests/c/duplets.c"
line = 40
begin = 6
end = 29

[JC_17]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 47
end = 57

[JC_122]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 12
end = 36

[JC_81]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 109
begin = 21
end = 1263

[JC_55]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 109
begin = 21
end = 1263

[JC_138]
kind = UserCall
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 189
begin = 15
end = 102

[JC_134]
kind = UserCall
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 188
begin = 15
end = 51

[JC_137]
kind = UserCall
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 188
begin = 15
end = 51

[JC_48]
kind = PointerDeref
file = "HOME/tests/c/duplets.c"
line = 50
begin = 30
end = 37

[JC_23]
file = "HOME/tests/c/duplets.c"
line = 39
begin = 6
end = 30

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 174
begin = 9
end = 16

[JC_5]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 33
end = 43

[JC_125]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 12
end = 96

[JC_67]
file = "HOME/tests/c/duplets.c"
line = 44
begin = 7
end = 115

[JC_9]
file = "HOME/tests/c/duplets.c"
line = 35
begin = 6
end = 80

[JC_75]
file = "HOME/tests/c/duplets.c"
line = 51
begin = 32
end = 40

[JC_24]
file = "HOME/tests/c/duplets.c"
line = 40
begin = 6
end = 29

[JC_25]
file = "HOME/tests/c/duplets.c"
line = 39
begin = 6
end = 63

[duplet_safety]
name = "Function duplet"
behavior = "Safety"
file = "HOME/tests/c/duplets.c"
line = 42
begin = 5
end = 11

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/c/duplets.c"
line = 44
begin = 7
end = 115

[JC_74]
file = "HOME/tests/c/duplets.c"
line = 51
begin = 25
end = 33

[JC_47]
kind = PointerDeref
file = "HOME/tests/c/duplets.c"
line = 49
begin = 12
end = 16

[JC_52]
file = "HOME/tests/c/duplets.c"
line = 52
begin = 12
end = 67

[JC_26]
file = "HOME/tests/c/duplets.c"
line = 42
begin = 5
end = 11

[JC_8]
file = "HOME/tests/c/duplets.c"
line = 34
begin = 6
end = 42

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_79]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 109
begin = 21
end = 1263

[JC_13]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 6
end = 29

[JC_130]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 175
begin = 10
end = 54

[JC_82]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 109
begin = 21
end = 1263

[JC_87]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 33
end = 43

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
file = "HOME/tests/c/duplets.c"
line = 68
begin = 13
end = 21

[JC_70]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 82
begin = 9
end = 2835

[JC_15]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 33
end = 43

[JC_36]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 64
begin = 9
end = 16

[JC_104]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 47
end = 57

[JC_91]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 16

[JC_39]
file = "HOME/tests/c/duplets.c"
line = 43
begin = 21
end = 27

[JC_112]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 12
end = 36

[JC_40]
file = "HOME/tests/c/duplets.c"
line = 43
begin = 26
end = 36

[JC_135]
kind = PointerDeref
file = "HOME/tests/c/duplets.c"
line = 80
begin = 18
end = 21

[JC_83]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 13
end = 19

[JC_35]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 65
begin = 10
end = 28

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/c/duplets.c"
line = 42
begin = 5
end = 11

[JC_115]
file = "HOME/tests/c/duplets.c"
line = 74
begin = 12
end = 96

[JC_109]
file = "HOME/tests/c/duplets.c"
line = 71
begin = 6
end = 99

[JC_107]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 20
end = 30

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_124]
file = "HOME/tests/c/duplets.c"
line = 76
begin = 6
end = 22

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/tests/c/duplets.c"
line = 32
begin = 13
end = 21

[JC_6]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 47
end = 57

[JC_127]
file = "HOME/tests/c/duplets.c"
line = 78
begin = 5
end = 12

[JC_44]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 82
begin = 9
end = 2835

[JC_4]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 33
end = 43

[JC_62]
file = "HOME/tests/c/duplets.c"
line = 63
begin = 13
end = 19

[JC_101]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 33
end = 43

[JC_88]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 33
end = 43

[JC_129]
file = "HOME/tests/c/duplets.c"
line = 78
begin = 5
end = 12

[JC_42]
file = "HOME/tests/c/duplets.c"
line = 43
begin = 21
end = 155

[JC_110]
file = "HOME/tests/c/duplets.c"
line = 68
begin = 13
end = 219

[JC_103]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 47
end = 57

[JC_46]
kind = ArithOverflow
file = "HOME/tests/c/duplets.c"
line = 48
begin = 20
end = 27

[JC_61]
file = "HOME/tests/c/duplets.c"
line = 46
begin = 19
end = 26

[JC_32]
file = "HOME/tests/c/duplets.c"
line = 39
begin = 6
end = 63

[JC_56]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 109
begin = 21
end = 1263

[duplets_safety]
name = "Function duplets"
behavior = "Safety"
file = "HOME/tests/c/duplets.c"
line = 78
begin = 5
end = 12

[JC_33]
file = "HOME/tests/c/duplets.c"
line = 42
begin = 5
end = 11

[JC_65]
file = "HOME/tests/c/duplets.c"
line = 43
begin = 21
end = 27

[JC_118]
file = "HOME/tests/c/duplets.c"
line = 78
begin = 5
end = 12

[JC_105]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 16

[JC_29]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 64
begin = 9
end = 16

[JC_68]
file = "HOME/tests/c/duplets.c"
line = 43
begin = 21
end = 155

[JC_7]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 47
end = 57

[JC_16]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 33
end = 43

[JC_96]
file = "HOME/tests/c/duplets.c"
line = 68
begin = 13
end = 219

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 6
end = 29

[JC_95]
file = "HOME/tests/c/duplets.c"
line = 71
begin = 6
end = 99

[JC_93]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 20
end = 30

[JC_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_84]
file = "HOME/tests/c/duplets.c"
line = 68
begin = 13
end = 21

[JC_128]
file = "HOME/tests/c/duplets.c"
line = 78
begin = 5
end = 12

[JC_34]
file = "HOME/tests/c/duplets.c"
line = 42
begin = 5
end = 11

[JC_114]
file = "HOME/tests/c/duplets.c"
line = 76
begin = 6
end = 22

[JC_14]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 6
end = 29

[JC_117]
file = "HOME/tests/c/duplets.c"
line = 78
begin = 5
end = 12

[JC_90]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 47
end = 57

[JC_53]
file = "HOME/tests/c/duplets.c"
line = 51
begin = 25
end = 111

[JC_21]
file = "HOME/tests/c/duplets.c"
line = 32
begin = 13
end = 212

[JC_111]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_77]
file = "HOME/tests/c/duplets.c"
line = 51
begin = 25
end = 111

[JC_49]
kind = ArithOverflow
file = "HOME/tests/c/duplets.c"
line = 55
begin = 17
end = 20

[JC_1]
file = "HOME/tests/c/duplets.c"
line = 32
begin = 13
end = 21

[JC_131]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 174
begin = 9
end = 16

[JC_102]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 33
end = 43

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/tests/c/duplets.c"
line = 32
begin = 13
end = 212

[JC_108]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 20
end = 30

[JC_57]
kind = PointerDeref
file = "HOME/tests/c/duplets.c"
line = 56
begin = 12
end = 16

[JC_89]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 47
end = 57

[JC_136]
kind = UserCall
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 189
begin = 15
end = 102

[JC_66]
file = "HOME/tests/c/duplets.c"
line = 43
begin = 26
end = 36

[JC_59]
file = "HOME/tests/c/duplets.c"
line = 53
begin = 23
end = 30

[JC_20]
file = "HOME/tests/c/duplets.c"
line = 35
begin = 6
end = 80

[JC_18]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 47
end = 57

[JC_3]
file = "HOME/tests/c/duplets.c"
line = 33
begin = 6
end = 29

[JC_92]
file = "HOME/tests/c/duplets.c"
line = 70
begin = 6
end = 16

[duplets_ensures_default]
name = "Function duplets"
behavior = "default behavior"
file = "HOME/tests/c/duplets.c"
line = 78
begin = 5
end = 12

[JC_86]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 6
end = 29

[JC_60]
kind = ArithOverflow
file = "HOME/tests/c/duplets.c"
line = 48
begin = 29
end = 32

[JC_72]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 82
begin = 9
end = 2835

[JC_19]
file = "HOME/tests/c/duplets.c"
line = 34
begin = 6
end = 42

[JC_119]
file = "HOME/tests/c/duplets.c"
line = 78
begin = 5
end = 12

[JC_76]
file = "HOME/tests/c/duplets.c"
line = 52
begin = 12
end = 67

[JC_50]
file = "HOME/tests/c/duplets.c"
line = 51
begin = 25
end = 33

[JC_30]
file = "HOME/tests/c/duplets.c"
line = 39
begin = 6
end = 30

[JC_120]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 175
begin = 10
end = 54

[JC_58]
kind = ArithOverflow
file = "HOME/tests/c/duplets.c"
line = 55
begin = 31
end = 34

[JC_100]
file = "HOME/tests/c/duplets.c"
line = 69
begin = 6
end = 29

[JC_28]
file = "HOME/tests/c/duplets.jessie/duplets.jc"
line = 65
begin = 10
end = 28

========== file tests/c/duplets.jessie/why/duplets.why ==========
type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

predicate eq_opt(x_0:int, o:intP pointer,
 intP_intM_o_1_at_L:(intP, int32) memory) =
 ((o <> null) and (x_0 = integer_of_int32(select(intP_intM_o_1_at_L, o))))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate is_duplet(a:intP pointer, len:int, i_1:int, j_0:int,
 intP_intM_a_2_at_L:(intP, int32) memory) =
 (le_int((0), i_1)
 and (lt_int(i_1, j_0)
     and (lt_int(j_0, len)
         and (integer_of_int32(select(intP_intM_a_2_at_L, shift(a, i_1))) = 
             integer_of_int32(select(intP_intM_a_2_at_L, shift(a, j_0)))))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto__LOR_0_exc of unit

exception Goto__LOR_exc of unit

exception Goto_while_0_break_exc of unit

exception Goto_while_1_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter duplet :
 a_0:intP pointer ->
  len_0:int32 ->
   except:intP pointer ->
    pi:intP pointer ->
     pj:intP pointer ->
      intP_intM_pj_6:(intP, int32) memory ref ->
       intP_intM_pi_5:(intP, int32) memory ref ->
        intP_pj_6_alloc_table:intP alloc_table ->
         intP_pi_5_alloc_table:intP alloc_table ->
          intP_except_4_alloc_table:intP alloc_table ->
           intP_a_3_alloc_table:intP alloc_table ->
            intP_intM_except_4:(intP, int32) memory ->
             intP_intM_a_3:(intP, int32) memory ->
              { } unit reads intP_intM_pi_5,intP_intM_pj_6
              writes intP_intM_pi_5,intP_intM_pj_6
              { (JC_36:
                ((JC_32:
                 ((JC_30:
                  is_duplet(a_0, integer_of_int32(len_0),
                  integer_of_int32(select(intP_intM_pi_5, pi)),
                  integer_of_int32(select(intP_intM_pj_6, pj)),
                  intP_intM_a_3))
                 and (JC_31:
                     (not eq_opt(integer_of_int32(select(intP_intM_a_3,
                                                  shift(a_0,
                                                  integer_of_int32(select(intP_intM_pi_5,
                                                                   pi))))),
                          except, intP_intM_except_4)))))
                and (JC_35:
                    ((JC_33:
                     not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5@,
                     intP_intM_pi_5, pset_singleton(pi)))
                    and (JC_34:
                        not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6@,
                        intP_intM_pj_6, pset_singleton(pj))))))) }

parameter duplet_requires :
 a_0:intP pointer ->
  len_0:int32 ->
   except:intP pointer ->
    pi:intP pointer ->
     pj:intP pointer ->
      intP_intM_pj_6:(intP, int32) memory ref ->
       intP_intM_pi_5:(intP, int32) memory ref ->
        intP_pj_6_alloc_table:intP alloc_table ->
         intP_pi_5_alloc_table:intP alloc_table ->
          intP_except_4_alloc_table:intP alloc_table ->
           intP_a_3_alloc_table:intP alloc_table ->
            intP_intM_except_4:(intP, int32) memory ->
             intP_intM_a_3:(intP, int32) memory ->
              { (JC_10:
                ((JC_1: le_int((2), integer_of_int32(len_0)))
                and ((JC_2:
                     le_int(offset_min(intP_a_3_alloc_table, a_0), (0)))
                    and ((JC_3:
                         ge_int(offset_max(intP_a_3_alloc_table, a_0),
                         sub_int(integer_of_int32(len_0), (1))))
                        and ((JC_4:
                             le_int(offset_min(intP_pi_5_alloc_table, pi),
                             (0)))
                            and ((JC_5:
                                 ge_int(offset_max(intP_pi_5_alloc_table, pi),
                                 (0)))
                                and ((JC_6:
                                     le_int(offset_min(intP_pj_6_alloc_table,
                                            pj),
                                     (0)))
                                    and ((JC_7:
                                         ge_int(offset_max(intP_pj_6_alloc_table,
                                                pj),
                                         (0)))
                                        and ((JC_8:
                                             ((except = null)
                                             or (le_int(offset_min(intP_except_4_alloc_table,
                                                        except),
                                                 (0))
                                                and ge_int(offset_max(intP_except_4_alloc_table,
                                                           except),
                                                    (0)))))
                                            and (JC_9:
                                                (exists i_2:int.
                                                 (exists j_1:int.
                                                  (is_duplet(a_0,
                                                   integer_of_int32(len_0),
                                                   i_2, j_1, intP_intM_a_3)
                                                  and (not eq_opt(integer_of_int32(
                                                                  select(intP_intM_a_3,
                                                                  shift(a_0,
                                                                  i_2))),
                                                           except,
                                                           intP_intM_except_4)))))))))))))))}
              unit reads intP_intM_pi_5,intP_intM_pj_6
              writes intP_intM_pi_5,intP_intM_pj_6
              { (JC_36:
                ((JC_32:
                 ((JC_30:
                  is_duplet(a_0, integer_of_int32(len_0),
                  integer_of_int32(select(intP_intM_pi_5, pi)),
                  integer_of_int32(select(intP_intM_pj_6, pj)),
                  intP_intM_a_3))
                 and (JC_31:
                     (not eq_opt(integer_of_int32(select(intP_intM_a_3,
                                                  shift(a_0,
                                                  integer_of_int32(select(intP_intM_pi_5,
                                                                   pi))))),
                          except, intP_intM_except_4)))))
                and (JC_35:
                    ((JC_33:
                     not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5@,
                     intP_intM_pi_5, pset_singleton(pi)))
                    and (JC_34:
                        not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6@,
                        intP_intM_pj_6, pset_singleton(pj))))))) }

parameter duplets :
 a_0_0:intP pointer ->
  len_0_0:int32 ->
   pi_0:intP pointer ->
    pj_0:intP pointer ->
     pk:intP pointer ->
      pl:intP pointer ->
       intP_intM_pl_11:(intP, int32) memory ref ->
        intP_intM_pk_10:(intP, int32) memory ref ->
         intP_intM_pj_0_9:(intP, int32) memory ref ->
          intP_intM_pi_0_8:(intP, int32) memory ref ->
           intP_pl_11_alloc_table:intP alloc_table ->
            intP_pk_10_alloc_table:intP alloc_table ->
             intP_pj_0_9_alloc_table:intP alloc_table ->
              intP_pi_0_8_alloc_table:intP alloc_table ->
               intP_a_0_7_alloc_table:intP alloc_table ->
                intP_intM_a_0_7:(intP, int32) memory ->
                 { } unit
                 reads intP_intM_pi_0_8,intP_intM_pj_0_9,intP_intM_pk_10,intP_intM_pl_11
                 writes intP_intM_pi_0_8,intP_intM_pj_0_9,intP_intM_pk_10,intP_intM_pl_11
                 { (JC_131:
                   ((JC_125:
                    ((JC_122:
                     is_duplet(a_0_0, integer_of_int32(len_0_0),
                     integer_of_int32(select(intP_intM_pi_0_8, pi_0)),
                     integer_of_int32(select(intP_intM_pj_0_9, pj_0)),
                     intP_intM_a_0_7))
                    and ((JC_123:
                         is_duplet(a_0_0, integer_of_int32(len_0_0),
                         integer_of_int32(select(intP_intM_pk_10, pk)),
                         integer_of_int32(select(intP_intM_pl_11, pl)),
                         intP_intM_a_0_7))
                        and (JC_124:
                            (integer_of_int32(select(intP_intM_a_0_7,
                                              shift(a_0_0,
                                              integer_of_int32(select(intP_intM_pi_0_8,
                                                               pi_0))))) <> 
                            integer_of_int32(select(intP_intM_a_0_7,
                                             shift(a_0_0,
                                             integer_of_int32(select(intP_intM_pk_10,
                                                              pk))))))))))
                   and (JC_130:
                       ((((JC_126:
                          not_assigns(intP_pi_0_8_alloc_table,
                          intP_intM_pi_0_8@, intP_intM_pi_0_8,
                          pset_singleton(pi_0)))
                         and (JC_127:
                             not_assigns(intP_pj_0_9_alloc_table,
                             intP_intM_pj_0_9@, intP_intM_pj_0_9,
                             pset_singleton(pj_0))))
                        and (JC_128:
                            not_assigns(intP_pk_10_alloc_table,
                            intP_intM_pk_10@, intP_intM_pk_10,
                            pset_singleton(pk))))
                       and (JC_129:
                           not_assigns(intP_pl_11_alloc_table,
                           intP_intM_pl_11@, intP_intM_pl_11,
                           pset_singleton(pl))))))) }

parameter duplets_requires :
 a_0_0:intP pointer ->
  len_0_0:int32 ->
   pi_0:intP pointer ->
    pj_0:intP pointer ->
     pk:intP pointer ->
      pl:intP pointer ->
       intP_intM_pl_11:(intP, int32) memory ref ->
        intP_intM_pk_10:(intP, int32) memory ref ->
         intP_intM_pj_0_9:(intP, int32) memory ref ->
          intP_intM_pi_0_8:(intP, int32) memory ref ->
           intP_pl_11_alloc_table:intP alloc_table ->
            intP_pk_10_alloc_table:intP alloc_table ->
             intP_pj_0_9_alloc_table:intP alloc_table ->
              intP_pi_0_8_alloc_table:intP alloc_table ->
               intP_a_0_7_alloc_table:intP alloc_table ->
                intP_intM_a_0_7:(intP, int32) memory ->
                 { (JC_96:
                   ((JC_84: le_int((4), integer_of_int32(len_0_0)))
                   and ((JC_85:
                        le_int(offset_min(intP_a_0_7_alloc_table, a_0_0),
                        (0)))
                       and ((JC_86:
                            ge_int(offset_max(intP_a_0_7_alloc_table, a_0_0),
                            sub_int(integer_of_int32(len_0_0), (1))))
                           and ((JC_87:
                                le_int(offset_min(intP_pi_0_8_alloc_table,
                                       pi_0),
                                (0)))
                               and ((JC_88:
                                    ge_int(offset_max(intP_pi_0_8_alloc_table,
                                           pi_0),
                                    (0)))
                                   and ((JC_89:
                                        le_int(offset_min(intP_pj_0_9_alloc_table,
                                               pj_0),
                                        (0)))
                                       and ((JC_90:
                                            ge_int(offset_max(intP_pj_0_9_alloc_table,
                                                   pj_0),
                                            (0)))
                                           and ((JC_91:
                                                le_int(offset_min(intP_pk_10_alloc_table,
                                                       pk),
                                                (0)))
                                               and ((JC_92:
                                                    ge_int(offset_max(intP_pk_10_alloc_table,
                                                           pk),
                                                    (0)))
                                                   and ((JC_93:
                                                        le_int(offset_min(intP_pl_11_alloc_table,
                                                               pl),
                                                        (0)))
                                                       and ((JC_94:
                                                            ge_int(offset_max(intP_pl_11_alloc_table,
                                                                   pl),
                                                            (0)))
                                                           and (JC_95:
                                                               (exists i_3:int.
                                                                (exists j_2:int.
                                                                 (exists k_0:int.
                                                                  (exists l_1:int.
                                                                   (is_duplet(a_0_0,
                                                                    integer_of_int32(len_0_0),
                                                                    i_3, j_2,
                                                                    intP_intM_a_0_7)
                                                                   and 
                                                                   (is_duplet(a_0_0,
                                                                    integer_of_int32(len_0_0),
                                                                    k_0, l_1,
                                                                    intP_intM_a_0_7)
                                                                   and 
                                                                   (integer_of_int32(
                                                                    select(intP_intM_a_0_7,
                                                                    shift(a_0_0,
                                                                    i_3))) <> 
                                                                   integer_of_int32(
                                                                   select(intP_intM_a_0_7,
                                                                   shift(a_0_0,
                                                                   k_0)))))))))))))))))))))))}
                 unit
                 reads intP_intM_pi_0_8,intP_intM_pj_0_9,intP_intM_pk_10,intP_intM_pl_11
                 writes intP_intM_pi_0_8,intP_intM_pj_0_9,intP_intM_pk_10,intP_intM_pl_11
                 { (JC_131:
                   ((JC_125:
                    ((JC_122:
                     is_duplet(a_0_0, integer_of_int32(len_0_0),
                     integer_of_int32(select(intP_intM_pi_0_8, pi_0)),
                     integer_of_int32(select(intP_intM_pj_0_9, pj_0)),
                     intP_intM_a_0_7))
                    and ((JC_123:
                         is_duplet(a_0_0, integer_of_int32(len_0_0),
                         integer_of_int32(select(intP_intM_pk_10, pk)),
                         integer_of_int32(select(intP_intM_pl_11, pl)),
                         intP_intM_a_0_7))
                        and (JC_124:
                            (integer_of_int32(select(intP_intM_a_0_7,
                                              shift(a_0_0,
                                              integer_of_int32(select(intP_intM_pi_0_8,
                                                               pi_0))))) <> 
                            integer_of_int32(select(intP_intM_a_0_7,
                                             shift(a_0_0,
                                             integer_of_int32(select(intP_intM_pk_10,
                                                              pk))))))))))
                   and (JC_130:
                       ((((JC_126:
                          not_assigns(intP_pi_0_8_alloc_table,
                          intP_intM_pi_0_8@, intP_intM_pi_0_8,
                          pset_singleton(pi_0)))
                         and (JC_127:
                             not_assigns(intP_pj_0_9_alloc_table,
                             intP_intM_pj_0_9@, intP_intM_pj_0_9,
                             pset_singleton(pj_0))))
                        and (JC_128:
                            not_assigns(intP_pk_10_alloc_table,
                            intP_intM_pk_10@, intP_intM_pk_10,
                            pset_singleton(pk))))
                       and (JC_129:
                           not_assigns(intP_pl_11_alloc_table,
                           intP_intM_pl_11@, intP_intM_pl_11,
                           pset_singleton(pl))))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let duplet_ensures_default =
 fun (a_0 : intP pointer) (len_0 : int32) (except : intP pointer) (pi : intP pointer) (pj : intP pointer) (intP_intM_pi_5 : (intP, int32) memory ref) (intP_intM_pj_6 : (intP, int32) memory ref) (intP_a_3_alloc_table : intP alloc_table) (intP_except_4_alloc_table : intP alloc_table) (intP_pi_5_alloc_table : intP alloc_table) (intP_pj_6_alloc_table : intP alloc_table) (intP_intM_a_3 : (intP, int32) memory) (intP_intM_except_4 : (intP, int32) memory) ->
  { (JC_21:
    ((JC_12: le_int((2), integer_of_int32(len_0)))
    and ((JC_13: le_int(offset_min(intP_a_3_alloc_table, a_0), (0)))
        and ((JC_14:
             ge_int(offset_max(intP_a_3_alloc_table, a_0),
             sub_int(integer_of_int32(len_0), (1))))
            and ((JC_15: le_int(offset_min(intP_pi_5_alloc_table, pi), (0)))
                and ((JC_16:
                     ge_int(offset_max(intP_pi_5_alloc_table, pi), (0)))
                    and ((JC_17:
                         le_int(offset_min(intP_pj_6_alloc_table, pj), (0)))
                        and ((JC_18:
                             ge_int(offset_max(intP_pj_6_alloc_table, pj),
                             (0)))
                            and ((JC_19:
                                 ((except = null)
                                 or (le_int(offset_min(intP_except_4_alloc_table,
                                            except),
                                     (0))
                                    and ge_int(offset_max(intP_except_4_alloc_table,
                                               except),
                                        (0)))))
                                and (JC_20:
                                    (exists i_2:int.
                                     (exists j_1:int.
                                      (is_duplet(a_0,
                                       integer_of_int32(len_0), i_2, j_1,
                                       intP_intM_a_3)
                                      and (not eq_opt(integer_of_int32(
                                                      select(intP_intM_a_3,
                                                      shift(a_0, i_2))),
                                               except, intP_intM_except_4))))))))))))))) }
  (init:
  try
   begin
     (let i = ref (any_int32 void) in
     (let v = ref (any_int32 void) in
     (let j = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
          (loop_3:
          begin
            while true do
            { invariant
                ((JC_68:
                 ((JC_65: le_int((0), integer_of_int32(i)))
                 and ((JC_66:
                      le_int(integer_of_int32(i),
                      sub_int(integer_of_int32(len_0), (1))))
                     and (JC_67:
                         (forall k:int.
                          (forall l_0:int.
                           ((le_int((0), k)
                            and (lt_int(k, integer_of_int32(i))
                                and (lt_int(k, l_0)
                                    and lt_int(l_0, integer_of_int32(len_0))))) ->
                            ((not eq_opt(integer_of_int32(select(intP_intM_a_3,
                                                          shift(a_0, k))),
                                  except, intP_intM_except_4)) ->
                             (not is_duplet(a_0, integer_of_int32(len_0), k,
                                  l_0, intP_intM_a_3))))))))))
                and (JC_72:
                    ((JC_70:
                     not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5@init,
                     intP_intM_pi_5, pset_singleton(pi)))
                    and (JC_71:
                        not_assigns(intP_pj_6_alloc_table,
                        intP_intM_pj_6@init, intP_intM_pj_6,
                        pset_singleton(pj))))))  }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ (integer_of_int32 !i)) (integer_of_int32 
                                                         (safe_int32_of_integer_ 
                                                          ((sub_int (integer_of_int32 len_0)) (2)))))
                   then void else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     try
                      begin
                        (let _jessie_ =
                        (v := ((safe_acc_ intP_intM_a_3) ((shift a_0) 
                                                          (integer_of_int32 !i)))) in
                        void);
                       (if ((safe_eq_pointer except) null)
                       then (raise (Goto__LOR_exc void))
                       else
                        (if ((neq_int_ (integer_of_int32 ((safe_acc_ intP_intM_except_4) except))) 
                             (integer_of_int32 !v))
                        then (raise (Goto__LOR_exc void)) else void));
                       (raise (Goto__LOR_0_exc void));
                       (raise (Goto__LOR_exc void)) end with
                      Goto__LOR_exc _jessie_ ->
                      try
                       begin
                         (let _jessie_ =
                         (j := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))) in
                         void);
                        (loop_4:
                        begin
                          while true do
                          { invariant
                              ((JC_77:
                               ((JC_74:
                                le_int(add_int(integer_of_int32(i), (1)),
                                integer_of_int32(j)))
                               and ((JC_75:
                                    le_int(integer_of_int32(j),
                                    integer_of_int32(len_0)))
                                   and (JC_76:
                                       (forall l:int.
                                        ((lt_int(integer_of_int32(i), l)
                                         and lt_int(l, integer_of_int32(j))) ->
                                         (not is_duplet(a_0,
                                              integer_of_int32(len_0),
                                              integer_of_int32(i), l,
                                              intP_intM_a_3))))))))
                              and (JC_81:
                                  ((JC_79:
                                   not_assigns(intP_pi_5_alloc_table,
                                   intP_intM_pi_5@init, intP_intM_pi_5,
                                   pset_singleton(pi)))
                                  and (JC_80:
                                      not_assigns(intP_pj_6_alloc_table,
                                      intP_intM_pj_6@init, intP_intM_pj_6,
                                      pset_singleton(pj))))))  }
                           begin
                             [ { } unit { true } ];
                            try
                             begin
                               (let _jessie_ =
                               begin
                                 (if ((lt_int_ (integer_of_int32 !j)) 
                                      (integer_of_int32 len_0)) then void
                                 else (raise (Goto_while_1_break_exc void)));
                                (if ((eq_int_ (integer_of_int32 ((safe_acc_ intP_intM_a_3) 
                                                                 ((shift a_0) 
                                                                  (integer_of_int32 !j))))) 
                                     (integer_of_int32 !v))
                                then
                                 begin
                                   (let _jessie_ = !i in
                                   (let _jessie_ = pi in
                                   (((safe_upd_ intP_intM_pi_5) _jessie_) _jessie_)));
                                  (let _jessie_ = !j in
                                  (let _jessie_ = pj in
                                  (((safe_upd_ intP_intM_pj_6) _jessie_) _jessie_)));
                                  (raise (Return_label_exc void)) end
                                else void);
                                (j := (safe_int32_of_integer_ ((add_int 
                                                                (integer_of_int32 !j)) (1))));
                                !j end in void);
                              (raise (Loop_continue_exc void)) end with
                             Loop_continue_exc _jessie_ -> void end end done;
                         (raise (Goto_while_1_break_exc void)) end) end with
                       Goto_while_1_break_exc _jessie_ ->
                       (while_1_break: void) end end;
                    (raise (Goto__LOR_0_exc void)) end with
                   Goto__LOR_0_exc _jessie_ -> void end;
                  (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))));
                  !i end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (assert { (JC_83: (false = true)) }; void); void;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end))); (raise Return) end with
   Return -> void end)
  { (JC_29:
    ((JC_25:
     ((JC_23:
      is_duplet(a_0, integer_of_int32(len_0),
      integer_of_int32(select(intP_intM_pi_5, pi)),
      integer_of_int32(select(intP_intM_pj_6, pj)), intP_intM_a_3))
     and (JC_24:
         (not eq_opt(integer_of_int32(select(intP_intM_a_3,
                                      shift(a_0,
                                      integer_of_int32(select(intP_intM_pi_5,
                                                       pi))))),
              except, intP_intM_except_4)))))
    and (JC_28:
        ((JC_26:
         not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5@, intP_intM_pi_5,
         pset_singleton(pi)))
        and (JC_27:
            not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6@,
            intP_intM_pj_6, pset_singleton(pj))))))) }

let duplet_safety =
 fun (a_0 : intP pointer) (len_0 : int32) (except : intP pointer) (pi : intP pointer) (pj : intP pointer) (intP_intM_pi_5 : (intP, int32) memory ref) (intP_intM_pj_6 : (intP, int32) memory ref) (intP_a_3_alloc_table : intP alloc_table) (intP_except_4_alloc_table : intP alloc_table) (intP_pi_5_alloc_table : intP alloc_table) (intP_pj_6_alloc_table : intP alloc_table) (intP_intM_a_3 : (intP, int32) memory) (intP_intM_except_4 : (intP, int32) memory) ->
  { (JC_21:
    ((JC_12: le_int((2), integer_of_int32(len_0)))
    and ((JC_13: le_int(offset_min(intP_a_3_alloc_table, a_0), (0)))
        and ((JC_14:
             ge_int(offset_max(intP_a_3_alloc_table, a_0),
             sub_int(integer_of_int32(len_0), (1))))
            and ((JC_15: le_int(offset_min(intP_pi_5_alloc_table, pi), (0)))
                and ((JC_16:
                     ge_int(offset_max(intP_pi_5_alloc_table, pi), (0)))
                    and ((JC_17:
                         le_int(offset_min(intP_pj_6_alloc_table, pj), (0)))
                        and ((JC_18:
                             ge_int(offset_max(intP_pj_6_alloc_table, pj),
                             (0)))
                            and ((JC_19:
                                 ((except = null)
                                 or (le_int(offset_min(intP_except_4_alloc_table,
                                            except),
                                     (0))
                                    and ge_int(offset_max(intP_except_4_alloc_table,
                                               except),
                                        (0)))))
                                and (JC_20:
                                    (exists i_2:int.
                                     (exists j_1:int.
                                      (is_duplet(a_0,
                                       integer_of_int32(len_0), i_2, j_1,
                                       intP_intM_a_3)
                                      and (not eq_opt(integer_of_int32(
                                                      select(intP_intM_a_3,
                                                      shift(a_0, i_2))),
                                               except, intP_intM_except_4))))))))))))))) }
  (init:
  try
   begin
     (let i = ref (any_int32 void) in
     (let v = ref (any_int32 void) in
     (let j = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
          (loop_1:
          begin
            while true do
            { invariant (JC_44: true)
              variant (JC_61 : sub_int(integer_of_int32(len_0),
                               integer_of_int32(i))) }
             begin
               [ { } unit reads i
                 { (JC_42:
                   ((JC_39: le_int((0), integer_of_int32(i)))
                   and ((JC_40:
                        le_int(integer_of_int32(i),
                        sub_int(integer_of_int32(len_0), (1))))
                       and (JC_41:
                           (forall k:int.
                            (forall l_0:int.
                             ((le_int((0), k)
                              and (lt_int(k, integer_of_int32(i))
                                  and (lt_int(k, l_0)
                                      and lt_int(l_0,
                                          integer_of_int32(len_0))))) ->
                              ((not eq_opt(integer_of_int32(select(intP_intM_a_3,
                                                            shift(a_0, k))),
                                    except, intP_intM_except_4)) ->
                               (not is_duplet(a_0, integer_of_int32(len_0),
                                    k, l_0, intP_intM_a_3)))))))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ (integer_of_int32 !i)) (integer_of_int32 
                                                         (JC_46:
                                                         (int32_of_integer_ 
                                                          ((sub_int (integer_of_int32 len_0)) (2))))))
                   then void else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     try
                      begin
                        (let _jessie_ =
                        (v := (JC_47:
                              ((((offset_acc_ intP_a_3_alloc_table) intP_intM_a_3) a_0) 
                               (integer_of_int32 !i)))) in void);
                       (if ((eq_pointer except) null)
                       then (raise (Goto__LOR_exc void))
                       else
                        (if ((neq_int_ (integer_of_int32 (JC_48:
                                                         (((acc_ intP_except_4_alloc_table) intP_intM_except_4) except)))) 
                             (integer_of_int32 !v))
                        then (raise (Goto__LOR_exc void)) else void));
                       (raise (Goto__LOR_0_exc void));
                       (raise (Goto__LOR_exc void)) end with
                      Goto__LOR_exc _jessie_ ->
                      try
                       begin
                         (let _jessie_ =
                         (j := (JC_49:
                               (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))))) in
                         void);
                        (loop_2:
                        begin
                          while true do
                          { invariant (JC_55: true)
                            variant (JC_59 : sub_int(integer_of_int32(len_0),
                                             integer_of_int32(j))) }
                           begin
                             [ { } unit reads i,j
                               { (JC_53:
                                 ((JC_50:
                                  le_int(add_int(integer_of_int32(i), (1)),
                                  integer_of_int32(j)))
                                 and ((JC_51:
                                      le_int(integer_of_int32(j),
                                      integer_of_int32(len_0)))
                                     and (JC_52:
                                         (forall l:int.
                                          ((lt_int(integer_of_int32(i), l)
                                           and lt_int(l, integer_of_int32(j))) ->
                                           (not is_duplet(a_0,
                                                integer_of_int32(len_0),
                                                integer_of_int32(i), l,
                                                intP_intM_a_3)))))))) } ];
                            try
                             begin
                               (let _jessie_ =
                               begin
                                 (if ((lt_int_ (integer_of_int32 !j)) 
                                      (integer_of_int32 len_0)) then void
                                 else (raise (Goto_while_1_break_exc void)));
                                (if ((eq_int_ (integer_of_int32 (JC_57:
                                                                ((((offset_acc_ intP_a_3_alloc_table) intP_intM_a_3) a_0) 
                                                                 (integer_of_int32 !j))))) 
                                     (integer_of_int32 !v))
                                then
                                 begin
                                   (let _jessie_ = !i in
                                   (let _jessie_ = pi in
                                   (JC_63:
                                   ((((upd_ intP_pi_5_alloc_table) intP_intM_pi_5) _jessie_) _jessie_))));
                                  (let _jessie_ = !j in
                                  (let _jessie_ = pj in
                                  (JC_64:
                                  ((((upd_ intP_pj_6_alloc_table) intP_intM_pj_6) _jessie_) _jessie_))));
                                  (raise (Return_label_exc void)) end
                                else void);
                                (j := (JC_58:
                                      (int32_of_integer_ ((add_int (integer_of_int32 !j)) (1)))));
                                !j end in void);
                              (raise (Loop_continue_exc void)) end with
                             Loop_continue_exc _jessie_ -> void end end done;
                         (raise (Goto_while_1_break_exc void)) end) end with
                       Goto_while_1_break_exc _jessie_ ->
                       (while_1_break: void) end end;
                    (raise (Goto__LOR_0_exc void)) end with
                   Goto__LOR_0_exc _jessie_ -> void end;
                  (i := (JC_60:
                        (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))));
                  !i end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       [ { } unit { (JC_62: (false = true)) } ]; void;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end))); (raise Return) end with
   Return -> void end) { true }

let duplets_ensures_default =
 fun (a_0_0 : intP pointer) (len_0_0 : int32) (pi_0 : intP pointer) (pj_0 : intP pointer) (pk : intP pointer) (pl : intP pointer) (intP_intM_pi_0_8 : (intP, int32) memory ref) (intP_intM_pj_0_9 : (intP, int32) memory ref) (intP_intM_pk_10 : (intP, int32) memory ref) (intP_intM_pl_11 : (intP, int32) memory ref) (intP_a_0_7_alloc_table : intP alloc_table) (intP_pi_0_8_alloc_table : intP alloc_table) (intP_pj_0_9_alloc_table : intP alloc_table) (intP_pk_10_alloc_table : intP alloc_table) (intP_pl_11_alloc_table : intP alloc_table) (intP_intM_a_0_7 : (intP, int32) memory) ->
  { (JC_110:
    ((JC_98: le_int((4), integer_of_int32(len_0_0)))
    and ((JC_99: le_int(offset_min(intP_a_0_7_alloc_table, a_0_0), (0)))
        and ((JC_100:
             ge_int(offset_max(intP_a_0_7_alloc_table, a_0_0),
             sub_int(integer_of_int32(len_0_0), (1))))
            and ((JC_101:
                 le_int(offset_min(intP_pi_0_8_alloc_table, pi_0), (0)))
                and ((JC_102:
                     ge_int(offset_max(intP_pi_0_8_alloc_table, pi_0), (0)))
                    and ((JC_103:
                         le_int(offset_min(intP_pj_0_9_alloc_table, pj_0),
                         (0)))
                        and ((JC_104:
                             ge_int(offset_max(intP_pj_0_9_alloc_table, pj_0),
                             (0)))
                            and ((JC_105:
                                 le_int(offset_min(intP_pk_10_alloc_table,
                                        pk),
                                 (0)))
                                and ((JC_106:
                                     ge_int(offset_max(intP_pk_10_alloc_table,
                                            pk),
                                     (0)))
                                    and ((JC_107:
                                         le_int(offset_min(intP_pl_11_alloc_table,
                                                pl),
                                         (0)))
                                        and ((JC_108:
                                             ge_int(offset_max(intP_pl_11_alloc_table,
                                                    pl),
                                             (0)))
                                            and (JC_109:
                                                (exists i_3:int.
                                                 (exists j_2:int.
                                                  (exists k_0:int.
                                                   (exists l_1:int.
                                                    (is_duplet(a_0_0,
                                                     integer_of_int32(len_0_0),
                                                     i_3, j_2,
                                                     intP_intM_a_0_7)
                                                    and (is_duplet(a_0_0,
                                                         integer_of_int32(len_0_0),
                                                         k_0, l_1,
                                                         intP_intM_a_0_7)
                                                        and (integer_of_int32(
                                                             select(intP_intM_a_0_7,
                                                             shift(a_0_0,
                                                             i_3))) <> 
                                                            integer_of_int32(
                                                            select(intP_intM_a_0_7,
                                                            shift(a_0_0, k_0))))))))))))))))))))))) }
  (init:
  try
   begin
     (let intP_intM_null_15 = (any_memory void) in
     (let intP_null_15_alloc_table = (any_alloc_table void) in
     begin
       (let _jessie_ = a_0_0 in
       (let _jessie_ = len_0_0 in
       (let _jessie_ = null in
       (let _jessie_ = pi_0 in
       (let _jessie_ = pj_0 in
       (JC_137:
       (((((((((((((duplet _jessie_) _jessie_) _jessie_) _jessie_) _jessie_) intP_intM_pj_0_9) intP_intM_pi_0_8) intP_pj_0_9_alloc_table) intP_pi_0_8_alloc_table) intP_null_15_alloc_table) intP_a_0_7_alloc_table) intP_intM_null_15) intP_intM_a_0_7)))))));
      (let _jessie_ = a_0_0 in
      (let _jessie_ = len_0_0 in
      (let _jessie_ =
      ((shift a_0_0) (integer_of_int32 ((safe_acc_ !intP_intM_pi_0_8) pi_0))) in
      (let _jessie_ = pk in
      (let _jessie_ = pl in
      (JC_138:
      (((((((((((((duplet _jessie_) _jessie_) _jessie_) _jessie_) _jessie_) intP_intM_pl_11) intP_intM_pk_10) intP_pl_11_alloc_table) intP_pk_10_alloc_table) intP_a_0_7_alloc_table) intP_a_0_7_alloc_table) intP_intM_a_0_7) intP_intM_a_0_7)))))));
      (raise Return) end)); (raise Return) end with Return -> void end)
  { (JC_121:
    ((JC_115:
     ((JC_112:
      is_duplet(a_0_0, integer_of_int32(len_0_0),
      integer_of_int32(select(intP_intM_pi_0_8, pi_0)),
      integer_of_int32(select(intP_intM_pj_0_9, pj_0)), intP_intM_a_0_7))
     and ((JC_113:
          is_duplet(a_0_0, integer_of_int32(len_0_0),
          integer_of_int32(select(intP_intM_pk_10, pk)),
          integer_of_int32(select(intP_intM_pl_11, pl)), intP_intM_a_0_7))
         and (JC_114:
             (integer_of_int32(select(intP_intM_a_0_7,
                               shift(a_0_0,
                               integer_of_int32(select(intP_intM_pi_0_8,
                                                pi_0))))) <> integer_of_int32(
                                                             select(intP_intM_a_0_7,
                                                             shift(a_0_0,
                                                             integer_of_int32(
                                                             select(intP_intM_pk_10,
                                                             pk))))))))))
    and (JC_120:
        ((((JC_116:
           not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8@,
           intP_intM_pi_0_8, pset_singleton(pi_0)))
          and (JC_117:
              not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9@,
              intP_intM_pj_0_9, pset_singleton(pj_0))))
         and (JC_118:
             not_assigns(intP_pk_10_alloc_table, intP_intM_pk_10@,
             intP_intM_pk_10, pset_singleton(pk))))
        and (JC_119:
            not_assigns(intP_pl_11_alloc_table, intP_intM_pl_11@,
            intP_intM_pl_11, pset_singleton(pl))))))) }

let duplets_safety =
 fun (a_0_0 : intP pointer) (len_0_0 : int32) (pi_0 : intP pointer) (pj_0 : intP pointer) (pk : intP pointer) (pl : intP pointer) (intP_intM_pi_0_8 : (intP, int32) memory ref) (intP_intM_pj_0_9 : (intP, int32) memory ref) (intP_intM_pk_10 : (intP, int32) memory ref) (intP_intM_pl_11 : (intP, int32) memory ref) (intP_a_0_7_alloc_table : intP alloc_table) (intP_pi_0_8_alloc_table : intP alloc_table) (intP_pj_0_9_alloc_table : intP alloc_table) (intP_pk_10_alloc_table : intP alloc_table) (intP_pl_11_alloc_table : intP alloc_table) (intP_intM_a_0_7 : (intP, int32) memory) ->
  { (JC_110:
    ((JC_98: le_int((4), integer_of_int32(len_0_0)))
    and ((JC_99: le_int(offset_min(intP_a_0_7_alloc_table, a_0_0), (0)))
        and ((JC_100:
             ge_int(offset_max(intP_a_0_7_alloc_table, a_0_0),
             sub_int(integer_of_int32(len_0_0), (1))))
            and ((JC_101:
                 le_int(offset_min(intP_pi_0_8_alloc_table, pi_0), (0)))
                and ((JC_102:
                     ge_int(offset_max(intP_pi_0_8_alloc_table, pi_0), (0)))
                    and ((JC_103:
                         le_int(offset_min(intP_pj_0_9_alloc_table, pj_0),
                         (0)))
                        and ((JC_104:
                             ge_int(offset_max(intP_pj_0_9_alloc_table, pj_0),
                             (0)))
                            and ((JC_105:
                                 le_int(offset_min(intP_pk_10_alloc_table,
                                        pk),
                                 (0)))
                                and ((JC_106:
                                     ge_int(offset_max(intP_pk_10_alloc_table,
                                            pk),
                                     (0)))
                                    and ((JC_107:
                                         le_int(offset_min(intP_pl_11_alloc_table,
                                                pl),
                                         (0)))
                                        and ((JC_108:
                                             ge_int(offset_max(intP_pl_11_alloc_table,
                                                    pl),
                                             (0)))
                                            and (JC_109:
                                                (exists i_3:int.
                                                 (exists j_2:int.
                                                  (exists k_0:int.
                                                   (exists l_1:int.
                                                    (is_duplet(a_0_0,
                                                     integer_of_int32(len_0_0),
                                                     i_3, j_2,
                                                     intP_intM_a_0_7)
                                                    and (is_duplet(a_0_0,
                                                         integer_of_int32(len_0_0),
                                                         k_0, l_1,
                                                         intP_intM_a_0_7)
                                                        and (integer_of_int32(
                                                             select(intP_intM_a_0_7,
                                                             shift(a_0_0,
                                                             i_3))) <> 
                                                            integer_of_int32(
                                                            select(intP_intM_a_0_7,
                                                            shift(a_0_0, k_0))))))))))))))))))))))) }
  (init:
  try
   begin
     (let intP_intM_null_15 = (any_memory void) in
     (let intP_null_15_alloc_table = (any_alloc_table void) in
     begin
       (let _jessie_ = a_0_0 in
       (let _jessie_ = len_0_0 in
       (let _jessie_ = null in
       (let _jessie_ = pi_0 in
       (let _jessie_ = pj_0 in
       (JC_134:
       (((((((((((((duplet_requires _jessie_) _jessie_) _jessie_) _jessie_) _jessie_) intP_intM_pj_0_9) intP_intM_pi_0_8) intP_pj_0_9_alloc_table) intP_pi_0_8_alloc_table) intP_null_15_alloc_table) intP_a_0_7_alloc_table) intP_intM_null_15) intP_intM_a_0_7)))))));
      (let _jessie_ = a_0_0 in
      (let _jessie_ = len_0_0 in
      (let _jessie_ =
      ((shift a_0_0) (integer_of_int32 (JC_135:
                                       (((acc_ intP_pi_0_8_alloc_table) !intP_intM_pi_0_8) pi_0)))) in
      (let _jessie_ = pk in
      (let _jessie_ = pl in
      (JC_136:
      (((((((((((((duplet_requires _jessie_) _jessie_) _jessie_) _jessie_) _jessie_) intP_intM_pl_11) intP_intM_pk_10) intP_pl_11_alloc_table) intP_pk_10_alloc_table) intP_a_0_7_alloc_table) intP_a_0_7_alloc_table) intP_intM_a_0_7) intP_intM_a_0_7)))))));
      (raise Return) end)); (raise Return) end with Return -> void end)
  { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/duplets.why
========== file tests/c/duplets.jessie/why/duplets_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

predicate eq_opt(x_0: int, o: intP pointer, intP_intM_o_1_at_L: (intP,
  int32) memory) =
  ((o <> null) and (x_0 = integer_of_int32(select(intP_intM_o_1_at_L, o))))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

logic intP_tag : intP tag_id

axiom intP_int: (int_of_tag(intP_tag) = 1)

logic intP_of_pointer_address : unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr:
  (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom: parenttag(intP_tag, bottom_tag)

axiom intP_tags:
  (forall x:intP pointer.
    (forall intP_tag_table:intP tag_table. instanceof(intP_tag_table, x,
      intP_tag)))

predicate is_duplet(a: intP pointer, len: int, i_1: int, j_0: int,
  intP_intM_a_2_at_L: (intP, int32) memory) =
  ((0 <= i_1) and
   ((i_1 < j_0) and
    ((j_0 < len) and (integer_of_int32(select(intP_intM_a_2_at_L, shift(a,
     i_1))) = integer_of_int32(select(intP_intM_a_2_at_L, shift(a, j_0)))))))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_intP(p: intP pointer, a: int,
  intP_alloc_table: intP alloc_table) = (offset_min(intP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_intP(p: intP pointer, b: int,
  intP_alloc_table: intP alloc_table) = (offset_max(intP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal duplet_ensures_default_po_1:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  ("JC_68": ("JC_65": (0 <= integer_of_int32(i))))

goal duplet_ensures_default_po_2:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  ("JC_68":
  ("JC_66": (integer_of_int32(i) <= (integer_of_int32(len_0) - 1))))

goal duplet_ensures_default_po_3:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall k:int.
  forall l_0:int.
  ((0 <= k) and
   ((k < integer_of_int32(i)) and
    ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
  (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))), except,
  intP_intM_except_4)) ->
  ("JC_68":
  ("JC_67": (not is_duplet(a_0, integer_of_int32(len_0), k, l_0,
  intP_intM_a_3))))

goal duplet_ensures_default_po_4:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  ("JC_72":
  ("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
  intP_intM_pi_5, pset_singleton(pi))))

goal duplet_ensures_default_po_5:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  ("JC_72":
  ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
  intP_intM_pj_6, pset_singleton(pj))))

goal duplet_ensures_default_po_6:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  ("JC_77": ("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j))))

goal duplet_ensures_default_po_7:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  ("JC_77": ("JC_75": (integer_of_int32(j) <= integer_of_int32(len_0))))

goal duplet_ensures_default_po_8:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall l:int.
  ((integer_of_int32(i0) < l) and (l < integer_of_int32(j))) ->
  ("JC_77":
  ("JC_76": (not is_duplet(a_0, integer_of_int32(len_0),
  integer_of_int32(i0), l, intP_intM_a_3))))

goal duplet_ensures_default_po_9:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  ("JC_81":
  ("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
  intP_intM_pi_5_0, pset_singleton(pi))))

goal duplet_ensures_default_po_10:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  ("JC_81":
  ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
  intP_intM_pj_6_0, pset_singleton(pj))))

goal duplet_ensures_default_po_11:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) = integer_of_int32(v)) ->
  forall intP_intM_pi_5_2:(intP,
  int32) memory.
  (intP_intM_pi_5_2 = store(intP_intM_pi_5_1, pi, i0)) ->
  forall intP_intM_pj_6_2:(intP,
  int32) memory.
  (intP_intM_pj_6_2 = store(intP_intM_pj_6_1, pj, j0)) ->
  ("JC_29":
  ("JC_25":
  ("JC_23": is_duplet(a_0, integer_of_int32(len_0),
  integer_of_int32(select(intP_intM_pi_5_2, pi)),
  integer_of_int32(select(intP_intM_pj_6_2, pj)), intP_intM_a_3))))

goal duplet_ensures_default_po_12:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) = integer_of_int32(v)) ->
  forall intP_intM_pi_5_2:(intP,
  int32) memory.
  (intP_intM_pi_5_2 = store(intP_intM_pi_5_1, pi, i0)) ->
  forall intP_intM_pj_6_2:(intP,
  int32) memory.
  (intP_intM_pj_6_2 = store(intP_intM_pj_6_1, pj, j0)) ->
  ("JC_29":
  ("JC_25":
  ("JC_24": (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
  integer_of_int32(select(intP_intM_pi_5_2, pi))))), except,
  intP_intM_except_4)))))

goal duplet_ensures_default_po_13:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) = integer_of_int32(v)) ->
  forall intP_intM_pi_5_2:(intP,
  int32) memory.
  (intP_intM_pi_5_2 = store(intP_intM_pi_5_1, pi, i0)) ->
  forall intP_intM_pj_6_2:(intP,
  int32) memory.
  (intP_intM_pj_6_2 = store(intP_intM_pj_6_1, pj, j0)) ->
  ("JC_29":
  ("JC_28":
  ("JC_26": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
  intP_intM_pi_5_2, pset_singleton(pi)))))

goal duplet_ensures_default_po_14:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) = integer_of_int32(v)) ->
  forall intP_intM_pi_5_2:(intP,
  int32) memory.
  (intP_intM_pi_5_2 = store(intP_intM_pi_5_1, pi, i0)) ->
  forall intP_intM_pj_6_2:(intP,
  int32) memory.
  (intP_intM_pj_6_2 = store(intP_intM_pj_6_1, pj, j0)) ->
  ("JC_29":
  ("JC_28":
  ("JC_27": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
  intP_intM_pj_6_2, pset_singleton(pj)))))

goal duplet_ensures_default_po_15:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) <> integer_of_int32(v)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result4) ->
  ("JC_77": ("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j1))))

goal duplet_ensures_default_po_16:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) <> integer_of_int32(v)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result4) ->
  ("JC_77": ("JC_75": (integer_of_int32(j1) <= integer_of_int32(len_0))))

goal duplet_ensures_default_po_17:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) <> integer_of_int32(v)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result4) ->
  forall l:int.
  ((integer_of_int32(i0) < l) and (l < integer_of_int32(j1))) ->
  ("JC_77":
  ("JC_76": (not is_duplet(a_0, integer_of_int32(len_0),
  integer_of_int32(i0), l, intP_intM_a_3))))

goal duplet_ensures_default_po_18:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) <> integer_of_int32(v)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result4) ->
  ("JC_81":
  ("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
  intP_intM_pi_5_1, pset_singleton(pi))))

goal duplet_ensures_default_po_19:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) <> integer_of_int32(v)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result4) ->
  ("JC_81":
  ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
  intP_intM_pj_6_1, pset_singleton(pj))))

goal duplet_ensures_default_po_20:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_68": ("JC_65": (0 <= integer_of_int32(i1))))

goal duplet_ensures_default_po_21:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_68":
  ("JC_66": (integer_of_int32(i1) <= (integer_of_int32(len_0) - 1))))

goal duplet_ensures_default_po_22:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  forall k:int.
  forall l_0:int.
  ((0 <= k) and
   ((k < integer_of_int32(i1)) and
    ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
  (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))), except,
  intP_intM_except_4)) ->
  ("JC_68":
  ("JC_67": (not is_duplet(a_0, integer_of_int32(len_0), k, l_0,
  intP_intM_a_3))))

goal duplet_ensures_default_po_23:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_72":
  ("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
  intP_intM_pi_5_1, pset_singleton(pi))))

goal duplet_ensures_default_po_24:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except = null) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_72":
  ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
  intP_intM_pj_6_1, pset_singleton(pj))))

goal duplet_ensures_default_po_25:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  ("JC_77": ("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j))))

goal duplet_ensures_default_po_26:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  ("JC_77": ("JC_75": (integer_of_int32(j) <= integer_of_int32(len_0))))

goal duplet_ensures_default_po_27:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall l:int.
  ((integer_of_int32(i0) < l) and (l < integer_of_int32(j))) ->
  ("JC_77":
  ("JC_76": (not is_duplet(a_0, integer_of_int32(len_0),
  integer_of_int32(i0), l, intP_intM_a_3))))

goal duplet_ensures_default_po_28:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  ("JC_81":
  ("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
  intP_intM_pi_5_0, pset_singleton(pi))))

goal duplet_ensures_default_po_29:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  ("JC_81":
  ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
  intP_intM_pj_6_0, pset_singleton(pj))))

goal duplet_ensures_default_po_30:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) = integer_of_int32(v)) ->
  forall intP_intM_pi_5_2:(intP,
  int32) memory.
  (intP_intM_pi_5_2 = store(intP_intM_pi_5_1, pi, i0)) ->
  forall intP_intM_pj_6_2:(intP,
  int32) memory.
  (intP_intM_pj_6_2 = store(intP_intM_pj_6_1, pj, j0)) ->
  ("JC_29":
  ("JC_25":
  ("JC_23": is_duplet(a_0, integer_of_int32(len_0),
  integer_of_int32(select(intP_intM_pi_5_2, pi)),
  integer_of_int32(select(intP_intM_pj_6_2, pj)), intP_intM_a_3))))

goal duplet_ensures_default_po_31:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) = integer_of_int32(v)) ->
  forall intP_intM_pi_5_2:(intP,
  int32) memory.
  (intP_intM_pi_5_2 = store(intP_intM_pi_5_1, pi, i0)) ->
  forall intP_intM_pj_6_2:(intP,
  int32) memory.
  (intP_intM_pj_6_2 = store(intP_intM_pj_6_1, pj, j0)) ->
  ("JC_29":
  ("JC_25":
  ("JC_24": (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
  integer_of_int32(select(intP_intM_pi_5_2, pi))))), except,
  intP_intM_except_4)))))

goal duplet_ensures_default_po_32:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) = integer_of_int32(v)) ->
  forall intP_intM_pi_5_2:(intP,
  int32) memory.
  (intP_intM_pi_5_2 = store(intP_intM_pi_5_1, pi, i0)) ->
  forall intP_intM_pj_6_2:(intP,
  int32) memory.
  (intP_intM_pj_6_2 = store(intP_intM_pj_6_1, pj, j0)) ->
  ("JC_29":
  ("JC_28":
  ("JC_26": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
  intP_intM_pi_5_2, pset_singleton(pi)))))

goal duplet_ensures_default_po_33:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) = integer_of_int32(v)) ->
  forall intP_intM_pi_5_2:(intP,
  int32) memory.
  (intP_intM_pi_5_2 = store(intP_intM_pi_5_1, pi, i0)) ->
  forall intP_intM_pj_6_2:(intP,
  int32) memory.
  (intP_intM_pj_6_2 = store(intP_intM_pj_6_1, pj, j0)) ->
  ("JC_29":
  ("JC_28":
  ("JC_27": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
  intP_intM_pj_6_2, pset_singleton(pj)))))

goal duplet_ensures_default_po_34:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) <> integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result5) ->
  ("JC_77": ("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j1))))

goal duplet_ensures_default_po_35:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) <> integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result5) ->
  ("JC_77": ("JC_75": (integer_of_int32(j1) <= integer_of_int32(len_0))))

goal duplet_ensures_default_po_36:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) <> integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result5) ->
  forall l:int.
  ((integer_of_int32(i0) < l) and (l < integer_of_int32(j1))) ->
  ("JC_77":
  ("JC_76": (not is_duplet(a_0, integer_of_int32(len_0),
  integer_of_int32(i0), l, intP_intM_a_3))))

goal duplet_ensures_default_po_37:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) <> integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result5) ->
  ("JC_81":
  ("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
  intP_intM_pi_5_1, pset_singleton(pi))))

goal duplet_ensures_default_po_38:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) <> integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result5) ->
  ("JC_81":
  ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
  intP_intM_pj_6_1, pset_singleton(pj))))

goal duplet_ensures_default_po_39:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result4) ->
  ("JC_68": ("JC_65": (0 <= integer_of_int32(i1))))

goal duplet_ensures_default_po_40:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result4) ->
  ("JC_68":
  ("JC_66": (integer_of_int32(i1) <= (integer_of_int32(len_0) - 1))))

goal duplet_ensures_default_po_41:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result4) ->
  forall k:int.
  forall l_0:int.
  ((0 <= k) and
   ((k < integer_of_int32(i1)) and
    ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
  (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))), except,
  intP_intM_except_4)) ->
  ("JC_68":
  ("JC_67": (not is_duplet(a_0, integer_of_int32(len_0), k, l_0,
  intP_intM_a_3))))

goal duplet_ensures_default_po_42:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result4) ->
  ("JC_72":
  ("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
  intP_intM_pi_5_1, pset_singleton(pi))))

goal duplet_ensures_default_po_43:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5_1:(intP, int32) memory.
  forall intP_intM_pj_6_1:(intP,
  int32) memory.
  forall j0:int32.
  (("JC_77":
   (("JC_74": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
    (("JC_75": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
     ("JC_76":
     (forall l:int.
       (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
        (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
        intP_intM_a_3)))))))) and
   ("JC_81":
   (("JC_79": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_1, pset_singleton(pi))) and
    ("JC_80": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_1, pset_singleton(pj)))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result4) ->
  ("JC_72":
  ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
  intP_intM_pj_6_1, pset_singleton(pj))))

goal duplet_ensures_default_po_44:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) = integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_68": ("JC_65": (0 <= integer_of_int32(i1))))

goal duplet_ensures_default_po_45:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) = integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_68":
  ("JC_66": (integer_of_int32(i1) <= (integer_of_int32(len_0) - 1))))

goal duplet_ensures_default_po_46:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) = integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  forall k:int.
  forall l_0:int.
  ((0 <= k) and
   ((k < integer_of_int32(i1)) and
    ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
  (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))), except,
  intP_intM_except_4)) ->
  ("JC_68":
  ("JC_67": (not is_duplet(a_0, integer_of_int32(len_0), k, l_0,
  intP_intM_a_3))))

goal duplet_ensures_default_po_47:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) = integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_72":
  ("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
  intP_intM_pi_5_0, pset_singleton(pi))))

goal duplet_ensures_default_po_48:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (except <> null) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) = integer_of_int32(v)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_72":
  ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
  intP_intM_pj_6_0, pset_singleton(pj))))

goal duplet_ensures_default_po_49:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) > integer_of_int32(result0)) ->
  ("JC_83": (false = true))

goal duplet_ensures_default_po_50:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) > integer_of_int32(result0)) ->
  ("JC_83": (false = true)) ->
  ("JC_29":
  ("JC_25":
  ("JC_23": is_duplet(a_0, integer_of_int32(len_0),
  integer_of_int32(select(intP_intM_pi_5_0, pi)),
  integer_of_int32(select(intP_intM_pj_6_0, pj)), intP_intM_a_3))))

goal duplet_ensures_default_po_51:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) > integer_of_int32(result0)) ->
  ("JC_83": (false = true)) ->
  ("JC_29":
  ("JC_25":
  ("JC_24": (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
  integer_of_int32(select(intP_intM_pi_5_0, pi))))), except,
  intP_intM_except_4)))))

goal duplet_ensures_default_po_52:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) > integer_of_int32(result0)) ->
  ("JC_83": (false = true)) ->
  ("JC_29":
  ("JC_28":
  ("JC_26": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
  intP_intM_pi_5_0, pset_singleton(pi)))))

goal duplet_ensures_default_po_53:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP, int32) memory.
  forall intP_intM_pi_5:(intP, int32) memory.
  forall intP_intM_pj_6:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  forall intP_intM_pi_5_0:(intP, int32) memory.
  forall intP_intM_pj_6_0:(intP,
  int32) memory.
  (("JC_68":
   (("JC_65": (0 <= integer_of_int32(i0))) and
    (("JC_66": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
     ("JC_67":
     (forall k:int.
       (forall l_0:int.
         (((0 <= k) and
           ((k < integer_of_int32(i0)) and
            ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
          ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
           k))), except, intP_intM_except_4)) -> (not is_duplet(a_0,
           integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) and
   ("JC_72":
   (("JC_70": not_assigns(intP_pi_5_alloc_table, intP_intM_pi_5,
    intP_intM_pi_5_0, pset_singleton(pi))) and
    ("JC_71": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
    intP_intM_pj_6_0, pset_singleton(pj)))))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) > integer_of_int32(result0)) ->
  ("JC_83": (false = true)) ->
  ("JC_29":
  ("JC_28":
  ("JC_27": not_assigns(intP_pj_6_alloc_table, intP_intM_pj_6,
  intP_intM_pj_6_0, pset_singleton(pj)))))

goal duplet_safety_po_1:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  ((-2147483648) <= (integer_of_int32(len_0) - 2))

goal duplet_safety_po_2:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  ((integer_of_int32(len_0) - 2) <= 2147483647)

goal duplet_safety_po_3:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  (offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0))

goal duplet_safety_po_4:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))

goal duplet_safety_po_5:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null)))

goal duplet_safety_po_6:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  ((-2147483648) <= (integer_of_int32(i0) + 1))

goal duplet_safety_po_7:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  ((integer_of_int32(i0) + 1) <= 2147483647)

goal duplet_safety_po_8:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  (offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0))

goal duplet_safety_po_9:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))

goal duplet_safety_po_10:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) = integer_of_int32(v)) ->
  (offset_min(intP_pi_5_alloc_table, pi) <= 0)

goal duplet_safety_po_11:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) = integer_of_int32(v)) ->
  (0 <= offset_max(intP_pi_5_alloc_table, pi))

goal duplet_safety_po_12:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5:(intP,
  int32) memory.
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) = integer_of_int32(v)) ->
  ((offset_min(intP_pi_5_alloc_table, pi) <= 0) and
   (0 <= offset_max(intP_pi_5_alloc_table, pi))) ->
  forall intP_intM_pi_5_0:(intP,
  int32) memory.
  (intP_intM_pi_5_0 = store(intP_intM_pi_5, pi, i0)) ->
  (offset_min(intP_pj_6_alloc_table, pj) <= 0)

goal duplet_safety_po_13:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall intP_intM_pi_5:(intP,
  int32) memory.
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) = integer_of_int32(v)) ->
  ((offset_min(intP_pi_5_alloc_table, pi) <= 0) and
   (0 <= offset_max(intP_pi_5_alloc_table, pi))) ->
  forall intP_intM_pi_5_0:(intP,
  int32) memory.
  (intP_intM_pi_5_0 = store(intP_intM_pi_5, pi, i0)) ->
  (0 <= offset_max(intP_pj_6_alloc_table, pj))

goal duplet_safety_po_14:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) <> integer_of_int32(v)) ->
  ((-2147483648) <= (integer_of_int32(j0) + 1))

goal duplet_safety_po_15:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) <> integer_of_int32(v)) ->
  ((integer_of_int32(j0) + 1) <= 2147483647)

goal duplet_safety_po_16:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(j0) + 1)) and
   ((integer_of_int32(j0) + 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result4) ->
  (0 <= ("JC_59": (integer_of_int32(len_0) - integer_of_int32(j0))))

goal duplet_safety_po_17:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result3:int32.
  (result3 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result3) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(j0) + 1)) and
   ((integer_of_int32(j0) + 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result4) ->
  (("JC_59": (integer_of_int32(len_0) - integer_of_int32(j1))) < ("JC_59":
                                                                 (integer_of_int32(len_0) - integer_of_int32(j0))))

goal duplet_safety_po_18:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  (0 <= ("JC_61": (integer_of_int32(len_0) - integer_of_int32(i0))))

goal duplet_safety_po_19:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except = null) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result2) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  (("JC_61": (integer_of_int32(len_0) - integer_of_int32(i1))) < ("JC_61":
                                                                 (integer_of_int32(len_0) - integer_of_int32(i0))))

goal duplet_safety_po_20:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  (offset_min(intP_except_4_alloc_table, except) <= 0)

goal duplet_safety_po_21:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  (0 <= offset_max(intP_except_4_alloc_table, except))

goal duplet_safety_po_22:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  ((-2147483648) <= (integer_of_int32(i0) + 1))

goal duplet_safety_po_23:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  ((integer_of_int32(i0) + 1) <= 2147483647)

goal duplet_safety_po_24:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  (offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0))

goal duplet_safety_po_25:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))

goal duplet_safety_po_26:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) = integer_of_int32(v)) ->
  (offset_min(intP_pi_5_alloc_table, pi) <= 0)

goal duplet_safety_po_27:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) = integer_of_int32(v)) ->
  (0 <= offset_max(intP_pi_5_alloc_table, pi))

goal duplet_safety_po_28:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5:(intP,
  int32) memory.
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) = integer_of_int32(v)) ->
  ((offset_min(intP_pi_5_alloc_table, pi) <= 0) and
   (0 <= offset_max(intP_pi_5_alloc_table, pi))) ->
  forall intP_intM_pi_5_0:(intP,
  int32) memory.
  (intP_intM_pi_5_0 = store(intP_intM_pi_5, pi, i0)) ->
  (offset_min(intP_pj_6_alloc_table, pj) <= 0)

goal duplet_safety_po_29:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall intP_intM_pi_5:(intP,
  int32) memory.
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) = integer_of_int32(v)) ->
  ((offset_min(intP_pi_5_alloc_table, pi) <= 0) and
   (0 <= offset_max(intP_pi_5_alloc_table, pi))) ->
  forall intP_intM_pi_5_0:(intP,
  int32) memory.
  (intP_intM_pi_5_0 = store(intP_intM_pi_5, pi, i0)) ->
  (0 <= offset_max(intP_pj_6_alloc_table, pj))

goal duplet_safety_po_30:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) <> integer_of_int32(v)) ->
  ((-2147483648) <= (integer_of_int32(j0) + 1))

goal duplet_safety_po_31:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) <> integer_of_int32(v)) ->
  ((integer_of_int32(j0) + 1) <= 2147483647)

goal duplet_safety_po_32:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(j0) + 1)) and
   ((integer_of_int32(j0) + 1) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result5) ->
  (0 <= ("JC_59": (integer_of_int32(len_0) - integer_of_int32(j0))))

goal duplet_safety_po_33:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) < integer_of_int32(len_0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(j0)) and
   (integer_of_int32(j0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result4:int32.
  (result4 = select(intP_intM_a_3, shift(a_0, integer_of_int32(j0)))) ->
  (integer_of_int32(result4) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(j0) + 1)) and
   ((integer_of_int32(j0) + 1) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(j0) + 1)) ->
  forall j1:int32.
  (j1 = result5) ->
  (("JC_59": (integer_of_int32(len_0) - integer_of_int32(j1))) < ("JC_59":
                                                                 (integer_of_int32(len_0) - integer_of_int32(j0))))

goal duplet_safety_po_34:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result4) ->
  (0 <= ("JC_61": (integer_of_int32(len_0) - integer_of_int32(i0))))

goal duplet_safety_po_35:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) <> integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall j:int32.
  (j = result3) ->
  forall j0:int32.
  ("JC_55": true) ->
  ("JC_53":
  (("JC_50": ((integer_of_int32(i0) + 1) <= integer_of_int32(j0))) and
   (("JC_51": (integer_of_int32(j0) <= integer_of_int32(len_0))) and
    ("JC_52":
    (forall l:int.
      (((integer_of_int32(i0) < l) and (l < integer_of_int32(j0))) ->
       (not is_duplet(a_0, integer_of_int32(len_0), integer_of_int32(i0), l,
       intP_intM_a_3)))))))) ->
  (integer_of_int32(j0) >= integer_of_int32(len_0)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result4) ->
  (("JC_61": (integer_of_int32(len_0) - integer_of_int32(i1))) < ("JC_61":
                                                                 (integer_of_int32(len_0) - integer_of_int32(i0))))

goal duplet_safety_po_36:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) = integer_of_int32(v)) ->
  ((-2147483648) <= (integer_of_int32(i0) + 1))

goal duplet_safety_po_37:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) = integer_of_int32(v)) ->
  ((integer_of_int32(i0) + 1) <= 2147483647)

goal duplet_safety_po_38:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) = integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  (0 <= ("JC_61": (integer_of_int32(len_0) - integer_of_int32(i0))))

goal duplet_safety_po_39:
  forall a_0:intP pointer.
  forall len_0:int32.
  forall except:intP pointer.
  forall pi:intP pointer.
  forall pj:intP pointer.
  forall intP_a_3_alloc_table:intP alloc_table.
  forall intP_except_4_alloc_table:intP alloc_table.
  forall intP_pi_5_alloc_table:intP alloc_table.
  forall intP_pj_6_alloc_table:intP alloc_table.
  forall intP_intM_a_3:(intP, int32) memory.
  forall intP_intM_except_4:(intP,
  int32) memory.
  ("JC_21":
  (("JC_12": (2 <= integer_of_int32(len_0))) and
   (("JC_13": (offset_min(intP_a_3_alloc_table, a_0) <= 0)) and
    (("JC_14": (offset_max(intP_a_3_alloc_table,
     a_0) >= (integer_of_int32(len_0) - 1))) and
     (("JC_15": (offset_min(intP_pi_5_alloc_table, pi) <= 0)) and
      (("JC_16": (offset_max(intP_pi_5_alloc_table, pi) >= 0)) and
       (("JC_17": (offset_min(intP_pj_6_alloc_table, pj) <= 0)) and
        (("JC_18": (offset_max(intP_pj_6_alloc_table, pj) >= 0)) and
         (("JC_19":
          ((except = null) or
           ((offset_min(intP_except_4_alloc_table, except) <= 0) and
            (offset_max(intP_except_4_alloc_table, except) >= 0)))) and
          ("JC_20":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0, integer_of_int32(len_0), i_2, j_1,
               intP_intM_a_3) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0,
               i_2))), except, intP_intM_except_4))))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_44": true) ->
  ("JC_42":
  (("JC_39": (0 <= integer_of_int32(i0))) and
   (("JC_40": (integer_of_int32(i0) <= (integer_of_int32(len_0) - 1))) and
    ("JC_41":
    (forall k:int.
      (forall l_0:int.
        (((0 <= k) and
          ((k < integer_of_int32(i0)) and
           ((k < l_0) and (l_0 < integer_of_int32(len_0))))) ->
         ((not eq_opt(integer_of_int32(select(intP_intM_a_3, shift(a_0, k))),
          except, intP_intM_except_4)) -> (not is_duplet(a_0,
          integer_of_int32(len_0), k, l_0, intP_intM_a_3)))))))))) ->
  (((-2147483648) <= (integer_of_int32(len_0) - 2)) and
   ((integer_of_int32(len_0) - 2) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len_0) - 2)) ->
  (integer_of_int32(i0) <= integer_of_int32(result0)) ->
  ((offset_min(intP_a_3_alloc_table, a_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_a_3_alloc_table, a_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_3, shift(a_0, integer_of_int32(i0)))) ->
  forall v:int32.
  (v = result1) ->
  (same_block(except, null) or ((except = null) or (null = null))) ->
  (except <> null) ->
  ((offset_min(intP_except_4_alloc_table, except) <= 0) and
   (0 <= offset_max(intP_except_4_alloc_table, except))) ->
  forall result2:int32.
  (result2 = select(intP_intM_except_4, except)) ->
  (integer_of_int32(result2) = integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  (("JC_61": (integer_of_int32(len_0) - integer_of_int32(i1))) < ("JC_61":
                                                                 (integer_of_int32(len_0) - integer_of_int32(i0))))

goal duplets_ensures_default_po_1:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP, int32) memory.
  forall intP_intM_pk_10:(intP, int32) memory.
  forall intP_intM_pl_11:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP, int32) memory.
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  forall result0:int32.
  (result0 = select(intP_intM_pi_0_8_0, pi_0)) ->
  forall intP_intM_pk_10_0:(intP,
  int32) memory.
  forall intP_intM_pl_11_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pk_10_0, pk)),
    integer_of_int32(select(intP_intM_pl_11_0, pl)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pk_10_0, pk))))),
    shift(a_0_0, integer_of_int32(result0)), intP_intM_a_0_7))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pk_10_alloc_table, intP_intM_pk_10,
    intP_intM_pk_10_0, pset_singleton(pk))) and
    ("JC_34": not_assigns(intP_pl_11_alloc_table, intP_intM_pl_11,
    intP_intM_pl_11_0, pset_singleton(pl))))))) ->
  ("JC_121":
  ("JC_115":
  ("JC_112": is_duplet(a_0_0, integer_of_int32(len_0_0),
  integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
  integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7))))

goal duplets_ensures_default_po_2:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP, int32) memory.
  forall intP_intM_pk_10:(intP, int32) memory.
  forall intP_intM_pl_11:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP, int32) memory.
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  forall result0:int32.
  (result0 = select(intP_intM_pi_0_8_0, pi_0)) ->
  forall intP_intM_pk_10_0:(intP,
  int32) memory.
  forall intP_intM_pl_11_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pk_10_0, pk)),
    integer_of_int32(select(intP_intM_pl_11_0, pl)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pk_10_0, pk))))),
    shift(a_0_0, integer_of_int32(result0)), intP_intM_a_0_7))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pk_10_alloc_table, intP_intM_pk_10,
    intP_intM_pk_10_0, pset_singleton(pk))) and
    ("JC_34": not_assigns(intP_pl_11_alloc_table, intP_intM_pl_11,
    intP_intM_pl_11_0, pset_singleton(pl))))))) ->
  ("JC_121":
  ("JC_115":
  ("JC_113": is_duplet(a_0_0, integer_of_int32(len_0_0),
  integer_of_int32(select(intP_intM_pk_10_0, pk)),
  integer_of_int32(select(intP_intM_pl_11_0, pl)), intP_intM_a_0_7))))

goal duplets_ensures_default_po_3:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP, int32) memory.
  forall intP_intM_pk_10:(intP, int32) memory.
  forall intP_intM_pl_11:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP, int32) memory.
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  forall result0:int32.
  (result0 = select(intP_intM_pi_0_8_0, pi_0)) ->
  forall intP_intM_pk_10_0:(intP,
  int32) memory.
  forall intP_intM_pl_11_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pk_10_0, pk)),
    integer_of_int32(select(intP_intM_pl_11_0, pl)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pk_10_0, pk))))),
    shift(a_0_0, integer_of_int32(result0)), intP_intM_a_0_7))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pk_10_alloc_table, intP_intM_pk_10,
    intP_intM_pk_10_0, pset_singleton(pk))) and
    ("JC_34": not_assigns(intP_pl_11_alloc_table, intP_intM_pl_11,
    intP_intM_pl_11_0, pset_singleton(pl))))))) ->
  ("JC_121":
  ("JC_115":
  ("JC_114": (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
  integer_of_int32(select(intP_intM_pi_0_8_0,
  pi_0))))) <> integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
  integer_of_int32(select(intP_intM_pk_10_0, pk)))))))))

goal duplets_ensures_default_po_4:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP, int32) memory.
  forall intP_intM_pk_10:(intP, int32) memory.
  forall intP_intM_pl_11:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP, int32) memory.
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  forall result0:int32.
  (result0 = select(intP_intM_pi_0_8_0, pi_0)) ->
  forall intP_intM_pk_10_0:(intP,
  int32) memory.
  forall intP_intM_pl_11_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pk_10_0, pk)),
    integer_of_int32(select(intP_intM_pl_11_0, pl)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pk_10_0, pk))))),
    shift(a_0_0, integer_of_int32(result0)), intP_intM_a_0_7))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pk_10_alloc_table, intP_intM_pk_10,
    intP_intM_pk_10_0, pset_singleton(pk))) and
    ("JC_34": not_assigns(intP_pl_11_alloc_table, intP_intM_pl_11,
    intP_intM_pl_11_0, pset_singleton(pl))))))) ->
  ("JC_121":
  ("JC_120":
  ("JC_116": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
  intP_intM_pi_0_8_0, pset_singleton(pi_0)))))

goal duplets_ensures_default_po_5:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP, int32) memory.
  forall intP_intM_pk_10:(intP, int32) memory.
  forall intP_intM_pl_11:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP, int32) memory.
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  forall result0:int32.
  (result0 = select(intP_intM_pi_0_8_0, pi_0)) ->
  forall intP_intM_pk_10_0:(intP,
  int32) memory.
  forall intP_intM_pl_11_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pk_10_0, pk)),
    integer_of_int32(select(intP_intM_pl_11_0, pl)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pk_10_0, pk))))),
    shift(a_0_0, integer_of_int32(result0)), intP_intM_a_0_7))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pk_10_alloc_table, intP_intM_pk_10,
    intP_intM_pk_10_0, pset_singleton(pk))) and
    ("JC_34": not_assigns(intP_pl_11_alloc_table, intP_intM_pl_11,
    intP_intM_pl_11_0, pset_singleton(pl))))))) ->
  ("JC_121":
  ("JC_120":
  ("JC_117": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
  intP_intM_pj_0_9_0, pset_singleton(pj_0)))))

goal duplets_ensures_default_po_6:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP, int32) memory.
  forall intP_intM_pk_10:(intP, int32) memory.
  forall intP_intM_pl_11:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP, int32) memory.
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  forall result0:int32.
  (result0 = select(intP_intM_pi_0_8_0, pi_0)) ->
  forall intP_intM_pk_10_0:(intP,
  int32) memory.
  forall intP_intM_pl_11_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pk_10_0, pk)),
    integer_of_int32(select(intP_intM_pl_11_0, pl)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pk_10_0, pk))))),
    shift(a_0_0, integer_of_int32(result0)), intP_intM_a_0_7))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pk_10_alloc_table, intP_intM_pk_10,
    intP_intM_pk_10_0, pset_singleton(pk))) and
    ("JC_34": not_assigns(intP_pl_11_alloc_table, intP_intM_pl_11,
    intP_intM_pl_11_0, pset_singleton(pl))))))) ->
  ("JC_121":
  ("JC_120":
  ("JC_118": not_assigns(intP_pk_10_alloc_table, intP_intM_pk_10,
  intP_intM_pk_10_0, pset_singleton(pk)))))

goal duplets_ensures_default_po_7:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP, int32) memory.
  forall intP_intM_pk_10:(intP, int32) memory.
  forall intP_intM_pl_11:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP, int32) memory.
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  forall result0:int32.
  (result0 = select(intP_intM_pi_0_8_0, pi_0)) ->
  forall intP_intM_pk_10_0:(intP,
  int32) memory.
  forall intP_intM_pl_11_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pk_10_0, pk)),
    integer_of_int32(select(intP_intM_pl_11_0, pl)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pk_10_0, pk))))),
    shift(a_0_0, integer_of_int32(result0)), intP_intM_a_0_7))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pk_10_alloc_table, intP_intM_pk_10,
    intP_intM_pk_10_0, pset_singleton(pk))) and
    ("JC_34": not_assigns(intP_pl_11_alloc_table, intP_intM_pl_11,
    intP_intM_pl_11_0, pset_singleton(pl))))))) ->
  ("JC_121":
  ("JC_120":
  ("JC_119": not_assigns(intP_pl_11_alloc_table, intP_intM_pl_11,
  intP_intM_pl_11_0, pset_singleton(pl)))))

goal duplets_safety_po_1:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  ("JC_10": ("JC_1": (2 <= integer_of_int32(len_0_0))))

goal duplets_safety_po_2:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  ("JC_10": ("JC_2": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)))

goal duplets_safety_po_3:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  ("JC_10":
  ("JC_3": (offset_max(intP_a_0_7_alloc_table,
  a_0_0) >= (integer_of_int32(len_0_0) - 1))))

goal duplets_safety_po_4:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  ("JC_10": ("JC_4": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)))

goal duplets_safety_po_5:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  ("JC_10": ("JC_5": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)))

goal duplets_safety_po_6:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  ("JC_10": ("JC_6": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)))

goal duplets_safety_po_7:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  ("JC_10": ("JC_7": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)))

goal duplets_safety_po_8:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result0:intP alloc_table.
  ("JC_10":
  ("JC_8":
  ((null = null) or
   ((offset_min(result0, null) <= 0) and (offset_max(result0, null) >= 0)))))

goal duplets_safety_po_9:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP,
  int32) memory.
  ("JC_10":
  ("JC_9":
  (exists i_2:int.
    (exists j_1:int.
      (is_duplet(a_0_0, integer_of_int32(len_0_0), i_2, j_1,
       intP_intM_a_0_7) and
       (not eq_opt(integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
       i_2))), null, result)))))))

goal duplets_safety_po_10:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  ("JC_10":
  (("JC_1": (2 <= integer_of_int32(len_0_0))) and
   (("JC_2": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_3": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_4": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_5": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_6": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_7": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_8":
          ((null = null) or
           ((offset_min(result0, null) <= 0) and (offset_max(result0,
            null) >= 0)))) and
          ("JC_9":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0_0, integer_of_int32(len_0_0), i_2, j_1,
               intP_intM_a_0_7) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
               shift(a_0_0, i_2))), null, result))))))))))))))) ->
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)

goal duplets_safety_po_11:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  ("JC_10":
  (("JC_1": (2 <= integer_of_int32(len_0_0))) and
   (("JC_2": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_3": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_4": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_5": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_6": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_7": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_8":
          ((null = null) or
           ((offset_min(result0, null) <= 0) and (offset_max(result0,
            null) >= 0)))) and
          ("JC_9":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0_0, integer_of_int32(len_0_0), i_2, j_1,
               intP_intM_a_0_7) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
               shift(a_0_0, i_2))), null, result))))))))))))))) ->
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  (0 <= offset_max(intP_pi_0_8_alloc_table, pi_0))

goal duplets_safety_po_12:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  ("JC_10":
  (("JC_1": (2 <= integer_of_int32(len_0_0))) and
   (("JC_2": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_3": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_4": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_5": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_6": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_7": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_8":
          ((null = null) or
           ((offset_min(result0, null) <= 0) and (offset_max(result0,
            null) >= 0)))) and
          ("JC_9":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0_0, integer_of_int32(len_0_0), i_2, j_1,
               intP_intM_a_0_7) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
               shift(a_0_0, i_2))), null, result))))))))))))))) ->
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  ((offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0) and
   (0 <= offset_max(intP_pi_0_8_alloc_table, pi_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_pi_0_8_0, pi_0)) ->
  ("JC_10": ("JC_2": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)))

goal duplets_safety_po_13:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  ("JC_10":
  (("JC_1": (2 <= integer_of_int32(len_0_0))) and
   (("JC_2": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_3": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_4": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_5": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_6": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_7": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_8":
          ((null = null) or
           ((offset_min(result0, null) <= 0) and (offset_max(result0,
            null) >= 0)))) and
          ("JC_9":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0_0, integer_of_int32(len_0_0), i_2, j_1,
               intP_intM_a_0_7) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
               shift(a_0_0, i_2))), null, result))))))))))))))) ->
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  ((offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0) and
   (0 <= offset_max(intP_pi_0_8_alloc_table, pi_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_pi_0_8_0, pi_0)) ->
  ("JC_10":
  ("JC_3": (offset_max(intP_a_0_7_alloc_table,
  a_0_0) >= (integer_of_int32(len_0_0) - 1))))

goal duplets_safety_po_14:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  ("JC_10":
  (("JC_1": (2 <= integer_of_int32(len_0_0))) and
   (("JC_2": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_3": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_4": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_5": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_6": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_7": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_8":
          ((null = null) or
           ((offset_min(result0, null) <= 0) and (offset_max(result0,
            null) >= 0)))) and
          ("JC_9":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0_0, integer_of_int32(len_0_0), i_2, j_1,
               intP_intM_a_0_7) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
               shift(a_0_0, i_2))), null, result))))))))))))))) ->
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  ((offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0) and
   (0 <= offset_max(intP_pi_0_8_alloc_table, pi_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_pi_0_8_0, pi_0)) ->
  ("JC_10": ("JC_4": (offset_min(intP_pk_10_alloc_table, pk) <= 0)))

goal duplets_safety_po_15:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  ("JC_10":
  (("JC_1": (2 <= integer_of_int32(len_0_0))) and
   (("JC_2": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_3": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_4": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_5": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_6": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_7": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_8":
          ((null = null) or
           ((offset_min(result0, null) <= 0) and (offset_max(result0,
            null) >= 0)))) and
          ("JC_9":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0_0, integer_of_int32(len_0_0), i_2, j_1,
               intP_intM_a_0_7) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
               shift(a_0_0, i_2))), null, result))))))))))))))) ->
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  ((offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0) and
   (0 <= offset_max(intP_pi_0_8_alloc_table, pi_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_pi_0_8_0, pi_0)) ->
  ("JC_10": ("JC_5": (offset_max(intP_pk_10_alloc_table, pk) >= 0)))

goal duplets_safety_po_16:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  ("JC_10":
  (("JC_1": (2 <= integer_of_int32(len_0_0))) and
   (("JC_2": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_3": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_4": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_5": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_6": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_7": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_8":
          ((null = null) or
           ((offset_min(result0, null) <= 0) and (offset_max(result0,
            null) >= 0)))) and
          ("JC_9":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0_0, integer_of_int32(len_0_0), i_2, j_1,
               intP_intM_a_0_7) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
               shift(a_0_0, i_2))), null, result))))))))))))))) ->
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  ((offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0) and
   (0 <= offset_max(intP_pi_0_8_alloc_table, pi_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_pi_0_8_0, pi_0)) ->
  ("JC_10": ("JC_6": (offset_min(intP_pl_11_alloc_table, pl) <= 0)))

goal duplets_safety_po_17:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  ("JC_10":
  (("JC_1": (2 <= integer_of_int32(len_0_0))) and
   (("JC_2": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_3": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_4": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_5": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_6": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_7": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_8":
          ((null = null) or
           ((offset_min(result0, null) <= 0) and (offset_max(result0,
            null) >= 0)))) and
          ("JC_9":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0_0, integer_of_int32(len_0_0), i_2, j_1,
               intP_intM_a_0_7) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
               shift(a_0_0, i_2))), null, result))))))))))))))) ->
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  ((offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0) and
   (0 <= offset_max(intP_pi_0_8_alloc_table, pi_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_pi_0_8_0, pi_0)) ->
  ("JC_10": ("JC_7": (offset_max(intP_pl_11_alloc_table, pl) >= 0)))

goal duplets_safety_po_18:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  ("JC_10":
  (("JC_1": (2 <= integer_of_int32(len_0_0))) and
   (("JC_2": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_3": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_4": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_5": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_6": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_7": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_8":
          ((null = null) or
           ((offset_min(result0, null) <= 0) and (offset_max(result0,
            null) >= 0)))) and
          ("JC_9":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0_0, integer_of_int32(len_0_0), i_2, j_1,
               intP_intM_a_0_7) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
               shift(a_0_0, i_2))), null, result))))))))))))))) ->
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  ((offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0) and
   (0 <= offset_max(intP_pi_0_8_alloc_table, pi_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_pi_0_8_0, pi_0)) ->
  ("JC_10":
  ("JC_8":
  ((shift(a_0_0, integer_of_int32(result1)) = null) or
   ((offset_min(intP_a_0_7_alloc_table, shift(a_0_0,
    integer_of_int32(result1))) <= 0) and (offset_max(intP_a_0_7_alloc_table,
    shift(a_0_0, integer_of_int32(result1))) >= 0)))))

goal duplets_safety_po_19:
  forall a_0_0:intP pointer.
  forall len_0_0:int32.
  forall pi_0:intP pointer.
  forall pj_0:intP pointer.
  forall pk:intP pointer.
  forall pl:intP pointer.
  forall intP_a_0_7_alloc_table:intP alloc_table.
  forall intP_pi_0_8_alloc_table:intP alloc_table.
  forall intP_pj_0_9_alloc_table:intP alloc_table.
  forall intP_pk_10_alloc_table:intP alloc_table.
  forall intP_pl_11_alloc_table:intP alloc_table.
  forall intP_intM_a_0_7:(intP, int32) memory.
  forall intP_intM_pi_0_8:(intP, int32) memory.
  forall intP_intM_pj_0_9:(intP,
  int32) memory.
  ("JC_110":
  (("JC_98": (4 <= integer_of_int32(len_0_0))) and
   (("JC_99": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_100": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_101": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_102": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_103": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_104": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_105": (offset_min(intP_pk_10_alloc_table, pk) <= 0)) and
          (("JC_106": (offset_max(intP_pk_10_alloc_table, pk) >= 0)) and
           (("JC_107": (offset_min(intP_pl_11_alloc_table, pl) <= 0)) and
            (("JC_108": (offset_max(intP_pl_11_alloc_table, pl) >= 0)) and
             ("JC_109":
             (exists i_3:int.
               (exists j_2:int.
                 (exists k_0:int.
                   (exists l_1:int.
                     (is_duplet(a_0_0, integer_of_int32(len_0_0), i_3, j_2,
                      intP_intM_a_0_7) and
                      (is_duplet(a_0_0, integer_of_int32(len_0_0), k_0, l_1,
                       intP_intM_a_0_7) and
                       (integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
                       i_3))) <> integer_of_int32(select(intP_intM_a_0_7,
                       shift(a_0_0, k_0))))))))))))))))))))))) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  ("JC_10":
  (("JC_1": (2 <= integer_of_int32(len_0_0))) and
   (("JC_2": (offset_min(intP_a_0_7_alloc_table, a_0_0) <= 0)) and
    (("JC_3": (offset_max(intP_a_0_7_alloc_table,
     a_0_0) >= (integer_of_int32(len_0_0) - 1))) and
     (("JC_4": (offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0)) and
      (("JC_5": (offset_max(intP_pi_0_8_alloc_table, pi_0) >= 0)) and
       (("JC_6": (offset_min(intP_pj_0_9_alloc_table, pj_0) <= 0)) and
        (("JC_7": (offset_max(intP_pj_0_9_alloc_table, pj_0) >= 0)) and
         (("JC_8":
          ((null = null) or
           ((offset_min(result0, null) <= 0) and (offset_max(result0,
            null) >= 0)))) and
          ("JC_9":
          (exists i_2:int.
            (exists j_1:int.
              (is_duplet(a_0_0, integer_of_int32(len_0_0), i_2, j_1,
               intP_intM_a_0_7) and
               (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
               shift(a_0_0, i_2))), null, result))))))))))))))) ->
  forall intP_intM_pi_0_8_0:(intP,
  int32) memory.
  forall intP_intM_pj_0_9_0:(intP,
  int32) memory.
  ("JC_36":
  (("JC_32":
   (("JC_30": is_duplet(a_0_0, integer_of_int32(len_0_0),
    integer_of_int32(select(intP_intM_pi_0_8_0, pi_0)),
    integer_of_int32(select(intP_intM_pj_0_9_0, pj_0)), intP_intM_a_0_7)) and
    ("JC_31": (not eq_opt(integer_of_int32(select(intP_intM_a_0_7,
    shift(a_0_0, integer_of_int32(select(intP_intM_pi_0_8_0, pi_0))))), null,
    result))))) and
   ("JC_35":
   (("JC_33": not_assigns(intP_pi_0_8_alloc_table, intP_intM_pi_0_8,
    intP_intM_pi_0_8_0, pset_singleton(pi_0))) and
    ("JC_34": not_assigns(intP_pj_0_9_alloc_table, intP_intM_pj_0_9,
    intP_intM_pj_0_9_0, pset_singleton(pj_0))))))) ->
  ((offset_min(intP_pi_0_8_alloc_table, pi_0) <= 0) and
   (0 <= offset_max(intP_pi_0_8_alloc_table, pi_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_pi_0_8_0, pi_0)) ->
  ("JC_10":
  ("JC_9":
  (exists i_2:int.
    (exists j_1:int.
      (is_duplet(a_0_0, integer_of_int32(len_0_0), i_2, j_1,
       intP_intM_a_0_7) and
       (not eq_opt(integer_of_int32(select(intP_intM_a_0_7, shift(a_0_0,
       i_2))), shift(a_0_0, integer_of_int32(result1)), intP_intM_a_0_7)))))))

why-2.34/tests/c/oracle/eps_line1.res.oracle0000644000175000017500000035000612311670312017310 0ustar  rtusers========== file tests/c/eps_line1.c ==========

#define E 0x1p-45


//@ logic integer l_sign(real x) = (x >= 0.0) ? 1 : -1;

/*@ requires e1<= x-\exact(x) <= e2;
  @ ensures  (\result != 0 ==> \result == l_sign(\exact(x))) &&
  @          \abs(\result) <= 1 ;
  @*/
int sign(double x, double e1, double e2) {

  if (x > e2)
    return 1;
  if (x < e1)
    return -1;
  return 0;
}

/*@ requires
  @   sx == \exact(sx)  && sy == \exact(sy) &&
  @   vx == \exact(vx)  && vy == \exact(vy) &&
  @   \abs(sx) <= 100.0 && \abs(sy) <= 100.0 &&
  @   \abs(vx) <= 1.0   && \abs(vy) <= 1.0;
  @ ensures
  @    \result != 0
  @      ==> \result == l_sign(\exact(sx)*\exact(vx)+\exact(sy)*\exact(vy))
  @            * l_sign(\exact(sx)*\exact(vy)-\exact(sy)*\exact(vx));
  @*/
int eps_line(double sx, double sy,double vx, double vy){
  int s1,s2;

  s1=sign(sx*vx+sy*vy, -E, E);
  s2=sign(sx*vy-sy*vx, -E, E);

  return s1*s2;
}

/*
Local Variables:
compile-command: "LC_ALL=C make eps_line1.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/eps_line1.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/eps_line1.jessie
[jessie] File tests/c/eps_line1.jessie/eps_line1.jc written.
[jessie] File tests/c/eps_line1.jessie/eps_line1.cloc written.
========== file tests/c/eps_line1.jessie/eps_line1.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

logic integer l_sign(real x) =
(if (x >= 0.0) then 1 else (- 1))

int32 sign(double x, double e1, double e2)
  requires (_C_7 : ((_C_8 : ((e1 :> real) <=
                              ((x :> real) - \double_exact(x)))) &&
                     (_C_9 : (((x :> real) - \double_exact(x)) <=
                               (e2 :> real)))));
behavior default:
  ensures (_C_4 : ((_C_5 : ((\result != 0) ==>
                             (\result == l_sign(\double_exact(\at(x,Old)))))) &&
                    (_C_6 : (\integer_abs(\result) <= 1))));
{  
   (var int32 __retres);
   
   {  (if (x > e2) then 
      {  (_C_1 : (__retres = 1));
         
         (goto return_label)
      } else ());
      (if (x < e1) then 
      {  (_C_2 : (__retres = -1));
         
         (goto return_label)
      } else ());
      (_C_3 : (__retres = 0));
      (return_label : 
      (return __retres))
   }
}

int32 eps_line(double sx, double sy, double vx, double vy)
  requires (_C_26 : ((((((((_C_33 : ((sx :> real) == \double_exact(sx))) &&
                            (_C_34 : ((sy :> real) == \double_exact(sy)))) &&
                           (_C_35 : ((vx :> real) == \double_exact(vx)))) &&
                          (_C_36 : ((vy :> real) == \double_exact(vy)))) &&
                         (_C_37 : (\real_abs((sx :> real)) <= 100.0))) &&
                        (_C_38 : (\real_abs((sy :> real)) <= 100.0))) &&
                       (_C_39 : (\real_abs((vx :> real)) <= 1.0))) &&
                      (_C_40 : (\real_abs((vy :> real)) <= 1.0))));
behavior default:
  ensures (_C_25 : ((\result != 0) ==>
                     (\result ==
                       (l_sign(((\double_exact(\at(sx,Old)) *
                                  \double_exact(\at(vx,Old))) +
                                 (\double_exact(\at(sy,Old)) *
                                   \double_exact(\at(vy,Old))))) *
                         l_sign(((\double_exact(\at(sx,Old)) *
                                   \double_exact(\at(vy,Old))) -
                                  (\double_exact(\at(sy,Old)) *
                                    \double_exact(\at(vx,Old)))))))));
{  
   (var int32 s1);
   
   (var int32 s2);
   
   (var int32 __retres_0);
   
   {  (_C_15 : (s1 = (_C_14 : sign((_C_12 : ((_C_11 : (sx * vx)) +
                                              (_C_10 : (sy * vy)))),
                                   (_C_13 : (- (0x1p-45 :> double))),
                                   (0x1p-45 :> double)))));
      (_C_21 : (s2 = (_C_20 : sign((_C_18 : ((_C_17 : (sx * vy)) -
                                              (_C_16 : (sy * vx)))),
                                   (_C_19 : (- (0x1p-45 :> double))),
                                   (0x1p-45 :> double)))));
      (_C_24 : (__retres_0 = (_C_23 : ((_C_22 : (s1 * s2)) :> int32))));
      
      (return __retres_0)
   }
}
========== file tests/c/eps_line1.jessie/eps_line1.cloc ==========
[sign]
name = "Function sign"
file = "HOME/tests/c/eps_line1.c"
line = 11
begin = 4
end = 8

[_C_35]
file = "HOME/tests/c/eps_line1.c"
line = 22
begin = 6
end = 22

[_C_28]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 6
end = 136

[_C_31]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 6
end = 68

[_C_4]
file = "HOME/tests/c/eps_line1.c"
line = 8
begin = 12
end = 94

[_C_32]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 6
end = 42

[_C_23]
file = "HOME/tests/c/eps_line1.c"
line = 36
begin = 9
end = 14

[_C_19]
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 24
end = 31

[_C_13]
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 24
end = 31

[_C_5]
file = "HOME/tests/c/eps_line1.c"
line = 8
begin = 12
end = 59

[_C_36]
file = "HOME/tests/c/eps_line1.c"
line = 22
begin = 26
end = 42

[_C_12]
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 10
end = 21

[_C_33]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 6
end = 22

[_C_22]
file = "HOME/tests/c/eps_line1.c"
line = 36
begin = 9
end = 14

[_C_9]
file = "HOME/tests/c/eps_line1.c"
line = 7
begin = 18
end = 35

[_C_30]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 6
end = 88

[_C_6]
file = "HOME/tests/c/eps_line1.c"
line = 9
begin = 13
end = 31

[_C_24]
file = "HOME/tests/c/eps_line1.c"
line = 36
begin = 2
end = 15

[_C_20]
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 5
end = 41

[_C_38]
file = "HOME/tests/c/eps_line1.c"
line = 23
begin = 27
end = 44

[_C_3]
file = "HOME/tests/c/eps_line1.c"
line = 17
begin = 2
end = 11

[_C_17]
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 10
end = 15

[_C_7]
file = "HOME/tests/c/eps_line1.c"
line = 7
begin = 13
end = 35

[_C_27]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 6
end = 161

[_C_15]
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 5
end = 41

[_C_26]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 6
end = 180

[_C_10]
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 16
end = 21

[_C_40]
file = "HOME/tests/c/eps_line1.c"
line = 24
begin = 25
end = 40

[_C_8]
file = "HOME/tests/c/eps_line1.c"
line = 7
begin = 13
end = 29

[_C_18]
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 10
end = 21

[_C_29]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 6
end = 115

[_C_14]
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 5
end = 41

[_C_37]
file = "HOME/tests/c/eps_line1.c"
line = 23
begin = 6
end = 23

[_C_2]
file = "HOME/tests/c/eps_line1.c"
line = 16
begin = 4
end = 14

[_C_34]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 26
end = 42

[_C_16]
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 16
end = 21

[eps_line]
name = "Function eps_line"
file = "HOME/tests/c/eps_line1.c"
line = 30
begin = 4
end = 12

[_C_1]
file = "HOME/tests/c/eps_line1.c"
line = 14
begin = 4
end = 13

[_C_25]
file = "HOME/tests/c/eps_line1.c"
line = 26
begin = 7
end = 164

[_C_39]
file = "HOME/tests/c/eps_line1.c"
line = 24
begin = 6
end = 21

[_C_11]
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 10
end = 15

[_C_21]
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 5
end = 41

========== jessie execution ==========
Generating Why function sign
Generating Why function eps_line
========== file tests/c/eps_line1.jessie/eps_line1.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs eps_line1.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs eps_line1.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/eps_line1_why.sx

project: why/eps_line1.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/eps_line1_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/eps_line1_why.vo

coq/eps_line1_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/eps_line1_why.v: why/eps_line1.why
	@echo 'why -coq [...] why/eps_line1.why' && $(WHY) $(JESSIELIBFILES) why/eps_line1.why && rm -f coq/jessie_why.v

coq-goals: goals coq/eps_line1_ctx_why.vo
	for f in why/*_po*.why; do make -f eps_line1.makefile coq/`basename $$f .why`_why.v ; done

coq/eps_line1_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/eps_line1_ctx_why.v: why/eps_line1_ctx.why
	@echo 'why -coq [...] why/eps_line1_ctx.why' && $(WHY) why/eps_line1_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export eps_line1_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/eps_line1_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/eps_line1_ctx_why.vo

pvs: pvs/eps_line1_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/eps_line1_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/eps_line1_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/eps_line1_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/eps_line1_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/eps_line1_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/eps_line1_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/eps_line1_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/eps_line1_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/eps_line1_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/eps_line1_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/eps_line1_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/eps_line1_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/eps_line1_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/eps_line1_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: eps_line1.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/eps_line1_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: eps_line1.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: eps_line1.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: eps_line1.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include eps_line1.depend

depend: coq/eps_line1_why.v
	-$(COQDEP) -I coq coq/eps_line1*_why.v > eps_line1.depend

clean:
	rm -f coq/*.vo

========== file tests/c/eps_line1.jessie/eps_line1.loc ==========
[JC_63]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 16
end = 21

[JC_51]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 10
end = 15

[JC_45]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 16
end = 21

[JC_64]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 10
end = 21

[eps_line_safety]
name = "Function eps_line"
behavior = "Safety"
file = "HOME/tests/c/eps_line1.c"
line = 30
begin = 4
end = 12

[JC_31]
file = "HOME/tests/c/eps_line1.c"
line = 23
begin = 6
end = 23

[JC_17]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 6
end = 22

[JC_55]
kind = ArithOverflow
file = "HOME/tests/c/eps_line1.c"
line = 36
begin = 9
end = 14

[JC_48]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.jessie/eps_line1.jc"
line = 101
begin = 35
end = 54

[JC_23]
file = "HOME/tests/c/eps_line1.c"
line = 24
begin = 6
end = 21

[JC_22]
file = "HOME/tests/c/eps_line1.c"
line = 23
begin = 27
end = 44

[JC_5]
file = "HOME/tests/c/eps_line1.c"
line = 7
begin = 13
end = 29

[JC_9]
file = "HOME/tests/c/eps_line1.c"
line = 8
begin = 12
end = 59

[JC_24]
file = "HOME/tests/c/eps_line1.c"
line = 24
begin = 25
end = 40

[JC_25]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 6
end = 180

[JC_41]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.jessie/eps_line1.jc"
line = 97
begin = 35
end = 54

[JC_47]
kind = UserCall
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 5
end = 41

[JC_52]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 16
end = 21

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
kind = UserCall
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 5
end = 41

[JC_13]
file = "HOME/tests/c/eps_line1.c"
line = 9
begin = 13
end = 31

[JC_11]
file = "HOME/tests/c/eps_line1.c"
line = 8
begin = 12
end = 94

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[sign_ensures_default]
name = "Function sign"
behavior = "default behavior"
file = "HOME/tests/c/eps_line1.c"
line = 11
begin = 4
end = 8

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 6
end = 180

[sign_safety]
name = "Function sign"
behavior = "Safety"
file = "HOME/tests/c/eps_line1.c"
line = 11
begin = 4
end = 8

[JC_27]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 6
end = 22

[JC_38]
file = "HOME/tests/c/eps_line1.c"
line = 26
begin = 7
end = 164

[JC_12]
file = "HOME/tests/c/eps_line1.c"
line = 8
begin = 12
end = 59

[JC_6]
file = "HOME/tests/c/eps_line1.c"
line = 7
begin = 18
end = 35

[JC_44]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 10
end = 15

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 10
end = 15

[JC_42]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.jessie/eps_line1.jc"
line = 96
begin = 47
end = 66

[JC_46]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 10
end = 21

[JC_61]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 24
end = 31

[JC_32]
file = "HOME/tests/c/eps_line1.c"
line = 23
begin = 27
end = 44

[JC_56]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 24
end = 31

[JC_33]
file = "HOME/tests/c/eps_line1.c"
line = 24
begin = 6
end = 21

[JC_65]
kind = UserCall
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 5
end = 41

[JC_29]
file = "HOME/tests/c/eps_line1.c"
line = 22
begin = 6
end = 22

[JC_7]
file = "HOME/tests/c/eps_line1.c"
line = 7
begin = 13
end = 35

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 24
end = 31

[JC_2]
file = "HOME/tests/c/eps_line1.c"
line = 7
begin = 18
end = 35

[JC_34]
file = "HOME/tests/c/eps_line1.c"
line = 24
begin = 25
end = 40

[JC_14]
file = "HOME/tests/c/eps_line1.c"
line = 8
begin = 12
end = 94

[JC_53]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 10
end = 21

[JC_21]
file = "HOME/tests/c/eps_line1.c"
line = 23
begin = 6
end = 23

[JC_49]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.jessie/eps_line1.jc"
line = 100
begin = 47
end = 66

[JC_1]
file = "HOME/tests/c/eps_line1.c"
line = 7
begin = 13
end = 29

[JC_37]
file = "HOME/tests/c/eps_line1.c"
line = 26
begin = 7
end = 164

[JC_10]
file = "HOME/tests/c/eps_line1.c"
line = 9
begin = 13
end = 31

[JC_57]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 10
end = 15

[JC_59]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 10
end = 21

[JC_20]
file = "HOME/tests/c/eps_line1.c"
line = 22
begin = 26
end = 42

[JC_18]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 26
end = 42

[JC_3]
file = "HOME/tests/c/eps_line1.c"
line = 7
begin = 13
end = 35

[JC_60]
kind = UserCall
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 5
end = 41

[JC_19]
file = "HOME/tests/c/eps_line1.c"
line = 22
begin = 6
end = 22

[JC_50]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 34
begin = 24
end = 31

[JC_30]
file = "HOME/tests/c/eps_line1.c"
line = 22
begin = 26
end = 42

[eps_line_ensures_default]
name = "Function eps_line"
behavior = "default behavior"
file = "HOME/tests/c/eps_line1.c"
line = 30
begin = 4
end = 12

[JC_58]
kind = FPOverflow
file = "HOME/tests/c/eps_line1.c"
line = 33
begin = 16
end = 21

[JC_28]
file = "HOME/tests/c/eps_line1.c"
line = 21
begin = 26
end = 42

========== file tests/c/eps_line1.jessie/why/eps_line1.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

function l_sign(x_0:real) : int =
 (if ge_real_bool(x_0, 0.0) then (1) else neg_int((1)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter eps_line :
 sx:double ->
  sy:double ->
   vx:double ->
    vy:double ->
     { } int32
     { (JC_38:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = mul_int(l_sign(add_real(mul_real(
                                                            double_exact(sx),
                                                            double_exact(vx)),
                                                   mul_real(double_exact(sy),
                                                   double_exact(vy)))),
                                    l_sign(sub_real(mul_real(double_exact(sx),
                                                    double_exact(vy)),
                                           mul_real(double_exact(sy),
                                           double_exact(vx)))))))) }

parameter eps_line_requires :
 sx:double ->
  sy:double ->
   vx:double ->
    vy:double ->
     { (JC_25:
       ((JC_17: (double_value(sx) = double_exact(sx)))
       and ((JC_18: (double_value(sy) = double_exact(sy)))
           and ((JC_19: (double_value(vx) = double_exact(vx)))
               and ((JC_20: (double_value(vy) = double_exact(vy)))
                   and ((JC_21: le_real(abs_real(double_value(sx)), 100.0))
                       and ((JC_22:
                            le_real(abs_real(double_value(sy)), 100.0))
                           and ((JC_23:
                                le_real(abs_real(double_value(vx)), 1.0))
                               and (JC_24:
                                   le_real(abs_real(double_value(vy)), 1.0))))))))))}
     int32
     { (JC_38:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = mul_int(l_sign(add_real(mul_real(
                                                            double_exact(sx),
                                                            double_exact(vx)),
                                                   mul_real(double_exact(sy),
                                                   double_exact(vy)))),
                                    l_sign(sub_real(mul_real(double_exact(sx),
                                                    double_exact(vy)),
                                           mul_real(double_exact(sy),
                                           double_exact(vx)))))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter sign :
 x_1:double ->
  e1:double ->
   e2:double ->
    { } int32
    { (JC_14:
      ((JC_12:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = l_sign(double_exact(x_1)))))
      and (JC_13: le_int(abs_int(integer_of_int32(result)), (1))))) }

parameter sign_requires :
 x_1:double ->
  e1:double ->
   e2:double ->
    { (JC_3:
      ((JC_1:
       le_real(double_value(e1),
       sub_real(double_value(x_1), double_exact(x_1))))
      and (JC_2:
          le_real(sub_real(double_value(x_1), double_exact(x_1)),
          double_value(e2)))))}
    int32
    { (JC_14:
      ((JC_12:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = l_sign(double_exact(x_1)))))
      and (JC_13: le_int(abs_int(integer_of_int32(result)), (1))))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let eps_line_ensures_default =
 fun (sx : double) (sy : double) (vx : double) (vy : double) ->
  { (JC_35:
    ((JC_27: (double_value(sx) = double_exact(sx)))
    and ((JC_28: (double_value(sy) = double_exact(sy)))
        and ((JC_29: (double_value(vx) = double_exact(vx)))
            and ((JC_30: (double_value(vy) = double_exact(vy)))
                and ((JC_31: le_real(abs_real(double_value(sx)), 100.0))
                    and ((JC_32: le_real(abs_real(double_value(sy)), 100.0))
                        and ((JC_33:
                             le_real(abs_real(double_value(vx)), 1.0))
                            and (JC_34:
                                le_real(abs_real(double_value(vy)), 1.0)))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let s1_1 = ref (any_int32 void) in
     (let s2_1 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (s1_1 := (let _jessie_ =
                (JC_59:
                (((add_double_safe nearest_even) (JC_57:
                                                 (((mul_double_safe nearest_even) sx) vx))) 
                 (JC_58: (((mul_double_safe nearest_even) sy) vy)))) in
                (let _jessie_ =
                (JC_56:
                (neg_double ((double_of_real_safe nearest_even) 0x1p-45))) in
                (let _jessie_ =
                ((double_of_real_safe nearest_even) 0x1p-45) in
                (JC_60: (((sign _jessie_) _jessie_) _jessie_)))))) in
       void);
      (let _jessie_ =
      (s2_1 := (let _jessie_ =
               (JC_64:
               (((sub_double_safe nearest_even) (JC_62:
                                                (((mul_double_safe nearest_even) sx) vy))) 
                (JC_63: (((mul_double_safe nearest_even) sy) vx)))) in
               (let _jessie_ =
               (JC_61:
               (neg_double ((double_of_real_safe nearest_even) 0x1p-45))) in
               (let _jessie_ =
               ((double_of_real_safe nearest_even) 0x1p-45) in
               (JC_65: (((sign _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (__retres_0 := (safe_int32_of_integer_ ((mul_int (integer_of_int32 !s1_1)) 
                                              (integer_of_int32 !s2_1)))) in
      void); (return := !__retres_0); (raise Return) end))); absurd  end with
   Return -> !return end))
  { (JC_37:
    ((integer_of_int32(result) <> (0)) ->
     (integer_of_int32(result) = mul_int(l_sign(add_real(mul_real(double_exact(sx),
                                                         double_exact(vx)),
                                                mul_real(double_exact(sy),
                                                double_exact(vy)))),
                                 l_sign(sub_real(mul_real(double_exact(sx),
                                                 double_exact(vy)),
                                        mul_real(double_exact(sy),
                                        double_exact(vx)))))))) }

let eps_line_safety =
 fun (sx : double) (sy : double) (vx : double) (vy : double) ->
  { (JC_35:
    ((JC_27: (double_value(sx) = double_exact(sx)))
    and ((JC_28: (double_value(sy) = double_exact(sy)))
        and ((JC_29: (double_value(vx) = double_exact(vx)))
            and ((JC_30: (double_value(vy) = double_exact(vy)))
                and ((JC_31: le_real(abs_real(double_value(sx)), 100.0))
                    and ((JC_32: le_real(abs_real(double_value(sy)), 100.0))
                        and ((JC_33:
                             le_real(abs_real(double_value(vx)), 1.0))
                            and (JC_34:
                                le_real(abs_real(double_value(vy)), 1.0)))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let s1_1 = ref (any_int32 void) in
     (let s2_1 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (s1_1 := (let _jessie_ =
                (JC_46:
                (((add_double nearest_even) (JC_44:
                                            (((mul_double nearest_even) sx) vx))) 
                 (JC_45: (((mul_double nearest_even) sy) vy)))) in
                (let _jessie_ =
                (JC_43:
                (neg_double (JC_42: ((double_of_real nearest_even) 0x1p-45)))) in
                (let _jessie_ =
                (JC_41: ((double_of_real nearest_even) 0x1p-45)) in
                (JC_47: (((sign_requires _jessie_) _jessie_) _jessie_)))))) in
       void);
      (let _jessie_ =
      (s2_1 := (let _jessie_ =
               (JC_53:
               (((sub_double nearest_even) (JC_51:
                                           (((mul_double nearest_even) sx) vy))) 
                (JC_52: (((mul_double nearest_even) sy) vx)))) in
               (let _jessie_ =
               (JC_50:
               (neg_double (JC_49: ((double_of_real nearest_even) 0x1p-45)))) in
               (let _jessie_ =
               (JC_48: ((double_of_real nearest_even) 0x1p-45)) in
               (JC_54: (((sign_requires _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (__retres_0 := (JC_55:
                     (int32_of_integer_ ((mul_int (integer_of_int32 !s1_1)) 
                                         (integer_of_int32 !s2_1))))) in
      void); (return := !__retres_0); (raise Return) end))); absurd  end with
   Return -> !return end)) { true }

let sign_ensures_default =
 fun (x_1 : double) (e1 : double) (e2 : double) ->
  { (JC_7:
    ((JC_5:
     le_real(double_value(e1),
     sub_real(double_value(x_1), double_exact(x_1))))
    and (JC_6:
        le_real(sub_real(double_value(x_1), double_exact(x_1)),
        double_value(e2))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     try
      begin
        (if ((gt_double_ x_1) e2)
        then
         begin
           (let _jessie_ = (__retres := (safe_int32_of_integer_ (1))) in
           void); (raise (Return_label_exc void)) end else void);
       (if ((lt_double_ x_1) e1)
       then
        begin
          (let _jessie_ =
          (__retres := (safe_int32_of_integer_ (neg_int (1)))) in void);
         (raise (Return_label_exc void)) end else void);
       (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end);
    absurd  end with Return -> !return end))
  { (JC_11:
    ((JC_9:
     ((integer_of_int32(result) <> (0)) ->
      (integer_of_int32(result) = l_sign(double_exact(x_1)))))
    and (JC_10: le_int(abs_int(integer_of_int32(result)), (1))))) }

let sign_safety =
 fun (x_1 : double) (e1 : double) (e2 : double) ->
  { (JC_7:
    ((JC_5:
     le_real(double_value(e1),
     sub_real(double_value(x_1), double_exact(x_1))))
    and (JC_6:
        le_real(sub_real(double_value(x_1), double_exact(x_1)),
        double_value(e2))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     try
      begin
        (if ((gt_double_ x_1) e2)
        then
         begin
           (let _jessie_ = (__retres := (safe_int32_of_integer_ (1))) in
           void); (raise (Return_label_exc void)) end else void);
       (if ((lt_double_ x_1) e1)
       then
        begin
          (let _jessie_ =
          (__retres := (safe_int32_of_integer_ (neg_int (1)))) in void);
         (raise (Return_label_exc void)) end else void);
       (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end);
    absurd  end with Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/eps_line1.why
========== file tests/c/eps_line1.jessie/why/eps_line1_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

function l_sign(x_0: real) : int = ite(ge_real_bool(x_0, 0.0), 1, (-1))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal eps_line_ensures_default_po_1:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.p-45, result2) ->
  forall result3:double.
  neg_double_post(result2, result3) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.p-45, result4) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  forall result7:double.
  mul_double_post(nearest_even, sy, vx, result7) ->
  forall result8:double.
  sub_double_post(nearest_even, result6, result7, result8) ->
  forall result9:double.
  double_of_real_post(nearest_even, 0x1.p-45, result9) ->
  forall result10:double.
  neg_double_post(result9, result10) ->
  forall result11:double.
  double_of_real_post(nearest_even, 0x1.p-45, result11) ->
  forall result12:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result12) <> 0) ->
    (integer_of_int32(result12) = l_sign(double_exact(result8))))) and
   ("JC_13": (abs_int(integer_of_int32(result12)) <= 1)))) ->
  forall s2_1:int32.
  (s2_1 = result12) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(s1_1) * integer_of_int32(s2_1))) ->
  forall __retres_0:int32.
  (__retres_0 = result13) ->
  forall return:int32.
  (return = __retres_0) ->
  (integer_of_int32(return) <> 0) ->
  ("JC_37":
  (integer_of_int32(return) = (l_sign(((double_exact(sx) * double_exact(vx)) + (double_exact(sy) * double_exact(vy)))) * l_sign(((double_exact(sx) * double_exact(vy)) - (double_exact(sy) * double_exact(vx)))))))

goal eps_line_safety_po_1:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx)))

goal eps_line_safety_po_2:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy)))

goal eps_line_safety_po_3:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0)))

goal eps_line_safety_po_4:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.p-45)

goal eps_line_safety_po_5:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.p-45, result2) ->
  forall result3:double.
  neg_double_post(result2, result3) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.p-45, result4) ->
  ("JC_3":
  ("JC_1":
  (double_value(result3) <= (double_value(result1) - double_exact(result1)))))

goal eps_line_safety_po_6:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.p-45, result2) ->
  forall result3:double.
  neg_double_post(result2, result3) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.p-45, result4) ->
  ("JC_3":
  ("JC_2":
  ((double_value(result1) - double_exact(result1)) <= double_value(result4))))

goal eps_line_safety_po_7:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.p-45, result2) ->
  forall result3:double.
  neg_double_post(result2, result3) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy)))

goal eps_line_safety_po_8:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.p-45, result2) ->
  forall result3:double.
  neg_double_post(result2, result3) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx)))

goal eps_line_safety_po_9:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.p-45, result2) ->
  forall result3:double.
  neg_double_post(result2, result3) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx))) ->
  forall result7:double.
  mul_double_post(nearest_even, sy, vx, result7) ->
  no_overflow_double(nearest_even,
  (double_value(result6) - double_value(result7)))

goal eps_line_safety_po_10:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.p-45, result2) ->
  forall result3:double.
  neg_double_post(result2, result3) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx))) ->
  forall result7:double.
  mul_double_post(nearest_even, sy, vx, result7) ->
  no_overflow_double(nearest_even,
  (double_value(result6) - double_value(result7))) ->
  forall result8:double.
  sub_double_post(nearest_even, result6, result7, result8) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result9:double.
  double_of_real_post(nearest_even, 0x1.p-45, result9) ->
  forall result10:double.
  neg_double_post(result9, result10) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result11:double.
  double_of_real_post(nearest_even, 0x1.p-45, result11) ->
  ("JC_3":
  ("JC_1":
  (double_value(result10) <= (double_value(result8) - double_exact(result8)))))

goal eps_line_safety_po_11:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.p-45, result2) ->
  forall result3:double.
  neg_double_post(result2, result3) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx))) ->
  forall result7:double.
  mul_double_post(nearest_even, sy, vx, result7) ->
  no_overflow_double(nearest_even,
  (double_value(result6) - double_value(result7))) ->
  forall result8:double.
  sub_double_post(nearest_even, result6, result7, result8) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result9:double.
  double_of_real_post(nearest_even, 0x1.p-45, result9) ->
  forall result10:double.
  neg_double_post(result9, result10) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result11:double.
  double_of_real_post(nearest_even, 0x1.p-45, result11) ->
  ("JC_3":
  ("JC_2":
  ((double_value(result8) - double_exact(result8)) <= double_value(result11))))

goal eps_line_safety_po_12:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.p-45, result2) ->
  forall result3:double.
  neg_double_post(result2, result3) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx))) ->
  forall result7:double.
  mul_double_post(nearest_even, sy, vx, result7) ->
  no_overflow_double(nearest_even,
  (double_value(result6) - double_value(result7))) ->
  forall result8:double.
  sub_double_post(nearest_even, result6, result7, result8) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result9:double.
  double_of_real_post(nearest_even, 0x1.p-45, result9) ->
  forall result10:double.
  neg_double_post(result9, result10) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result11:double.
  double_of_real_post(nearest_even, 0x1.p-45, result11) ->
  ("JC_3":
  (("JC_1":
   (double_value(result10) <= (double_value(result8) - double_exact(result8)))) and
   ("JC_2":
   ((double_value(result8) - double_exact(result8)) <= double_value(result11))))) ->
  forall result12:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result12) <> 0) ->
    (integer_of_int32(result12) = l_sign(double_exact(result8))))) and
   ("JC_13": (abs_int(integer_of_int32(result12)) <= 1)))) ->
  forall s2_1:int32.
  (s2_1 = result12) ->
  ((-2147483648) <= (integer_of_int32(s1_1) * integer_of_int32(s2_1)))

goal eps_line_safety_po_13:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.p-45, result2) ->
  forall result3:double.
  neg_double_post(result2, result3) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx))) ->
  forall result7:double.
  mul_double_post(nearest_even, sy, vx, result7) ->
  no_overflow_double(nearest_even,
  (double_value(result6) - double_value(result7))) ->
  forall result8:double.
  sub_double_post(nearest_even, result6, result7, result8) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result9:double.
  double_of_real_post(nearest_even, 0x1.p-45, result9) ->
  forall result10:double.
  neg_double_post(result9, result10) ->
  no_overflow_double(nearest_even, 0x1.p-45) ->
  forall result11:double.
  double_of_real_post(nearest_even, 0x1.p-45, result11) ->
  ("JC_3":
  (("JC_1":
   (double_value(result10) <= (double_value(result8) - double_exact(result8)))) and
   ("JC_2":
   ((double_value(result8) - double_exact(result8)) <= double_value(result11))))) ->
  forall result12:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result12) <> 0) ->
    (integer_of_int32(result12) = l_sign(double_exact(result8))))) and
   ("JC_13": (abs_int(integer_of_int32(result12)) <= 1)))) ->
  forall s2_1:int32.
  (s2_1 = result12) ->
  ((integer_of_int32(s1_1) * integer_of_int32(s2_1)) <= 2147483647)

goal sign_ensures_default_po_1:
  forall x_1:double.
  forall e1:double.
  forall e2:double.
  ("JC_7":
  (("JC_5": (double_value(e1) <= (double_value(x_1) - double_exact(x_1)))) and
   ("JC_6": ((double_value(x_1) - double_exact(x_1)) <= double_value(e2))))) ->
  (double_value(x_1) > double_value(e2)) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) <> 0) ->
  ("JC_11": ("JC_9": (integer_of_int32(return) = l_sign(double_exact(x_1)))))

goal sign_ensures_default_po_2:
  forall x_1:double.
  forall e1:double.
  forall e2:double.
  ("JC_7":
  (("JC_5": (double_value(e1) <= (double_value(x_1) - double_exact(x_1)))) and
   ("JC_6": ((double_value(x_1) - double_exact(x_1)) <= double_value(e2))))) ->
  (double_value(x_1) > double_value(e2)) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_11": ("JC_10": (abs_int(integer_of_int32(return)) <= 1)))

goal sign_ensures_default_po_3:
  forall x_1:double.
  forall e1:double.
  forall e2:double.
  ("JC_7":
  (("JC_5": (double_value(e1) <= (double_value(x_1) - double_exact(x_1)))) and
   ("JC_6": ((double_value(x_1) - double_exact(x_1)) <= double_value(e2))))) ->
  (double_value(x_1) <= double_value(e2)) ->
  (double_value(x_1) < double_value(e1)) ->
  forall result:int32.
  (integer_of_int32(result) = (-1)) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) <> 0) ->
  ("JC_11": ("JC_9": (integer_of_int32(return) = l_sign(double_exact(x_1)))))

goal sign_ensures_default_po_4:
  forall x_1:double.
  forall e1:double.
  forall e2:double.
  ("JC_7":
  (("JC_5": (double_value(e1) <= (double_value(x_1) - double_exact(x_1)))) and
   ("JC_6": ((double_value(x_1) - double_exact(x_1)) <= double_value(e2))))) ->
  (double_value(x_1) <= double_value(e2)) ->
  (double_value(x_1) < double_value(e1)) ->
  forall result:int32.
  (integer_of_int32(result) = (-1)) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_11": ("JC_10": (abs_int(integer_of_int32(return)) <= 1)))

goal sign_ensures_default_po_5:
  forall x_1:double.
  forall e1:double.
  forall e2:double.
  ("JC_7":
  (("JC_5": (double_value(e1) <= (double_value(x_1) - double_exact(x_1)))) and
   ("JC_6": ((double_value(x_1) - double_exact(x_1)) <= double_value(e2))))) ->
  (double_value(x_1) <= double_value(e2)) ->
  (double_value(x_1) >= double_value(e1)) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) <> 0) ->
  ("JC_11": ("JC_9": (integer_of_int32(return) = l_sign(double_exact(x_1)))))

goal sign_ensures_default_po_6:
  forall x_1:double.
  forall e1:double.
  forall e2:double.
  ("JC_7":
  (("JC_5": (double_value(e1) <= (double_value(x_1) - double_exact(x_1)))) and
   ("JC_6": ((double_value(x_1) - double_exact(x_1)) <= double_value(e2))))) ->
  (double_value(x_1) <= double_value(e2)) ->
  (double_value(x_1) >= double_value(e1)) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_11": ("JC_10": (abs_int(integer_of_int32(return)) <= 1)))

why-2.34/tests/c/oracle/isqrt.err.oracle0000644000175000017500000000000012311670312016554 0ustar  rtuserswhy-2.34/tests/c/oracle/overflow_level.res.oracle0000644000175000017500000021410312311670312020460 0ustar  rtusers========== file tests/c/overflow_level.c ==========
double x;

void f() {
double y;
/*0*/	y = x+1.e291;
/*1*/	y = x+1.e292;
/*2*/	y = x+x;
/*3*/	y = x+1e-6;
}
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/overflow_level.c"
tests/c/overflow_level.c:5:[kernel] warning: Floating-point constant 1.e291 is not represented exactly. Will use 0x1.9a742461887f6p966. See documentation for option -warn-decimal-float
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/overflow_level.jessie
[jessie] File tests/c/overflow_level.jessie/overflow_level.jc written.
[jessie] File tests/c/overflow_level.jessie/overflow_level.cloc written.
========== file tests/c/overflow_level.jessie/overflow_level.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

double x;

unit f()
behavior default:
  ensures (_C_9 : true);
{  
   (var double y);
   
   {  (_C_2 : (y = (_C_1 : (x + (1.e291 :> double)))));
      (_C_4 : (y = (_C_3 : (x + (1.e292 :> double)))));
      (_C_6 : (y = (_C_5 : (x + x))));
      (_C_8 : (y = (_C_7 : (x + (1e-6 :> double)))));
      
      (return ())
   }
}
========== file tests/c/overflow_level.jessie/overflow_level.cloc ==========
[_C_4]
file = "HOME/tests/c/overflow_level.c"
line = 6
begin = 10
end = 18

[_C_5]
file = "HOME/tests/c/overflow_level.c"
line = 7
begin = 10
end = 13

[_C_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_6]
file = "HOME/tests/c/overflow_level.c"
line = 7
begin = 10
end = 13

[_C_3]
file = "HOME/tests/c/overflow_level.c"
line = 6
begin = 10
end = 18

[_C_7]
file = "HOME/tests/c/overflow_level.c"
line = 8
begin = 10
end = 16

[_C_8]
file = "HOME/tests/c/overflow_level.c"
line = 8
begin = 10
end = 16

[_C_2]
file = "HOME/tests/c/overflow_level.c"
line = 5
begin = 10
end = 18

[_C_1]
file = "HOME/tests/c/overflow_level.c"
line = 5
begin = 10
end = 18

[f]
name = "Function f"
file = "HOME/tests/c/overflow_level.c"
line = 3
begin = 5
end = 6

========== jessie execution ==========
Generating Why function f
========== file tests/c/overflow_level.jessie/overflow_level.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs overflow_level.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs overflow_level.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/overflow_level_why.sx

project: why/overflow_level.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/overflow_level_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/overflow_level_why.vo

coq/overflow_level_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/overflow_level_why.v: why/overflow_level.why
	@echo 'why -coq [...] why/overflow_level.why' && $(WHY) $(JESSIELIBFILES) why/overflow_level.why && rm -f coq/jessie_why.v

coq-goals: goals coq/overflow_level_ctx_why.vo
	for f in why/*_po*.why; do make -f overflow_level.makefile coq/`basename $$f .why`_why.v ; done

coq/overflow_level_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/overflow_level_ctx_why.v: why/overflow_level_ctx.why
	@echo 'why -coq [...] why/overflow_level_ctx.why' && $(WHY) why/overflow_level_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export overflow_level_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/overflow_level_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/overflow_level_ctx_why.vo

pvs: pvs/overflow_level_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/overflow_level_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/overflow_level_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/overflow_level_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/overflow_level_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/overflow_level_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/overflow_level_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/overflow_level_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/overflow_level_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/overflow_level_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/overflow_level_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/overflow_level_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/overflow_level_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/overflow_level_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/overflow_level_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: overflow_level.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/overflow_level_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: overflow_level.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: overflow_level.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: overflow_level.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include overflow_level.depend

depend: coq/overflow_level_why.v
	-$(COQDEP) -I coq coq/overflow_level*_why.v > overflow_level.depend

clean:
	rm -f coq/*.vo

========== file tests/c/overflow_level.jessie/overflow_level.loc ==========
[f_safety]
name = "Function f"
behavior = "Safety"
file = "HOME/tests/c/overflow_level.c"
line = 3
begin = 5
end = 6

[JC_17]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 6
begin = 10
end = 18

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.jessie/overflow_level.jc"
line = 42
begin = 32
end = 50

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 7
begin = 10
end = 13

[JC_11]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.jessie/overflow_level.jc"
line = 43
begin = 32
end = 50

[JC_15]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 8
begin = 10
end = 16

[JC_12]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 6
begin = 10
end = 18

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 5
begin = 10
end = 18

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.jessie/overflow_level.jc"
line = 45
begin = 32
end = 48

[JC_1]
file = "HOME/tests/c/overflow_level.c"
line = 3
begin = 5
end = 6

[JC_10]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 5
begin = 10
end = 18

[JC_18]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 7
begin = 10
end = 13

[JC_3]
file = "HOME/tests/c/overflow_level.c"
line = 3
begin = 5
end = 6

[JC_19]
kind = FPOverflow
file = "HOME/tests/c/overflow_level.c"
line = 8
begin = 10
end = 16

[f_ensures_default]
name = "Function f"
behavior = "default behavior"
file = "HOME/tests/c/overflow_level.c"
line = 3
begin = 5
end = 6

========== file tests/c/overflow_level.jessie/why/overflow_level.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

logic x_0:  -> double

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter f : tt:unit -> { } unit { true }

parameter f_requires : tt:unit -> { } unit { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let f_ensures_default =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  try
   begin
     (let y = ref (any_double void) in
     begin
       (let _jessie_ =
       (y := (JC_16:
             (((add_double_safe nearest_even) x_0) ((double_of_real_safe nearest_even) 1.e291)))) in
       void);
      (let _jessie_ =
      (y := (JC_17:
            (((add_double_safe nearest_even) x_0) ((double_of_real_safe nearest_even) 1.e292)))) in
      void);
      (let _jessie_ =
      (y := (JC_18: (((add_double_safe nearest_even) x_0) x_0))) in void);
      (let _jessie_ =
      (y := (JC_19:
            (((add_double_safe nearest_even) x_0) ((double_of_real_safe nearest_even) 1e-6)))) in
      void); (raise Return) end); (raise Return) end with Return -> void end)
  { (JC_5: true) }

let f_safety =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  try
   begin
     (let y = ref (any_double void) in
     begin
       (let _jessie_ =
       (y := (JC_10:
             (((add_double nearest_even) x_0) (JC_9:
                                              ((double_of_real nearest_even) 1.e291))))) in
       void);
      (let _jessie_ =
      (y := (JC_12:
            (((add_double nearest_even) x_0) (JC_11:
                                             ((double_of_real nearest_even) 1.e292))))) in
      void);
      (let _jessie_ =
      (y := (JC_13: (((add_double nearest_even) x_0) x_0))) in void);
      (let _jessie_ =
      (y := (JC_15:
            (((add_double nearest_even) x_0) (JC_14:
                                             ((double_of_real nearest_even) 1e-6))))) in
      void); (raise Return) end); (raise Return) end with Return -> void end)
  { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/overflow_level.why
========== file tests/c/overflow_level.jessie/why/overflow_level_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

logic x_0 : double

goal f_safety_po_1:
  ("JC_4": true) ->
  no_overflow_double(nearest_even, 1.e291)

goal f_safety_po_2:
  ("JC_4": true) ->
  no_overflow_double(nearest_even, 1.e291) ->
  forall result:double.
  double_of_real_post(nearest_even, 1.e291, result) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(result)))

goal f_safety_po_3:
  ("JC_4": true) ->
  no_overflow_double(nearest_even, 1.e291) ->
  forall result:double.
  double_of_real_post(nearest_even, 1.e291, result) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, x_0, result, result0) ->
  forall y:double.
  (y = result0) ->
  no_overflow_double(nearest_even, 1.e292)

goal f_safety_po_4:
  ("JC_4": true) ->
  no_overflow_double(nearest_even, 1.e291) ->
  forall result:double.
  double_of_real_post(nearest_even, 1.e291, result) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, x_0, result, result0) ->
  forall y:double.
  (y = result0) ->
  no_overflow_double(nearest_even, 1.e292) ->
  forall result1:double.
  double_of_real_post(nearest_even, 1.e292, result1) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(result1)))

goal f_safety_po_5:
  ("JC_4": true) ->
  no_overflow_double(nearest_even, 1.e291) ->
  forall result:double.
  double_of_real_post(nearest_even, 1.e291, result) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, x_0, result, result0) ->
  forall y:double.
  (y = result0) ->
  no_overflow_double(nearest_even, 1.e292) ->
  forall result1:double.
  double_of_real_post(nearest_even, 1.e292, result1) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, x_0, result1, result2) ->
  forall y0:double.
  (y0 = result2) ->
  no_overflow_double(nearest_even, (double_value(x_0) + double_value(x_0)))

goal f_safety_po_6:
  ("JC_4": true) ->
  no_overflow_double(nearest_even, 1.e291) ->
  forall result:double.
  double_of_real_post(nearest_even, 1.e291, result) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, x_0, result, result0) ->
  forall y:double.
  (y = result0) ->
  no_overflow_double(nearest_even, 1.e292) ->
  forall result1:double.
  double_of_real_post(nearest_even, 1.e292, result1) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, x_0, result1, result2) ->
  forall y0:double.
  (y0 = result2) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(x_0))) ->
  forall result3:double.
  add_double_post(nearest_even, x_0, x_0, result3) ->
  forall y1:double.
  (y1 = result3) ->
  no_overflow_double(nearest_even, 1.e-6)

goal f_safety_po_7:
  ("JC_4": true) ->
  no_overflow_double(nearest_even, 1.e291) ->
  forall result:double.
  double_of_real_post(nearest_even, 1.e291, result) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, x_0, result, result0) ->
  forall y:double.
  (y = result0) ->
  no_overflow_double(nearest_even, 1.e292) ->
  forall result1:double.
  double_of_real_post(nearest_even, 1.e292, result1) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, x_0, result1, result2) ->
  forall y0:double.
  (y0 = result2) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(x_0))) ->
  forall result3:double.
  add_double_post(nearest_even, x_0, x_0, result3) ->
  forall y1:double.
  (y1 = result3) ->
  no_overflow_double(nearest_even, 1.e-6) ->
  forall result4:double.
  double_of_real_post(nearest_even, 1.e-6, result4) ->
  no_overflow_double(nearest_even,
  (double_value(x_0) + double_value(result4)))

why-2.34/tests/c/oracle/rec.res.oracle0000644000175000017500000025254312311670312016211 0ustar  rtusers========== file tests/c/rec.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

//@ logic integer sum_upto(integer n) = n*(n+1) / 2;

/*@ lemma sum_rec: \forall integer n; n >=0 ==>
  @     sum_upto(n+1) == sum_upto(n)+n+1;
  @*/

/*@ requires x >= 0;
  @ requires x <= 1000;
  @ decreases x;
  @ ensures \result == sum_upto(x);
  @*/
long sum(int x) {
  if (x == 0) return 0;
  else return x + sum (x-1);
}


/*@ ensures \result == 36; 
  @*/
long main () {
  long i = sum(8);
  return i;
}



/*@ decreases 101-n ;
  @ behavior less_than_101:
  @   assumes n <= 100;
  @   ensures \result == 91;
  @ behavior greater_than_100:
  @   assumes n >= 101;
  @   ensures \result == n - 10;
  @*/
int f91(int n) {
  if (n <= 100) {
    return f91(f91(n + 11));
  }
  else
    return n - 10;
}

/*
Local Variables:
compile-command: "make rec.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/rec.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/rec.jessie
[jessie] File tests/c/rec.jessie/rec.jc written.
[jessie] File tests/c/rec.jessie/rec.cloc written.
========== file tests/c/rec.jessie/rec.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

logic integer sum_upto(integer n) =
((n * (n + 1)) / 2)

lemma sum_rec :
(\forall integer n_0;
  ((n_0 >= 0) ==> (sum_upto((n_0 + 1)) == ((sum_upto(n_0) + n_0) + 1))))

int32 sum(int32 x)
  requires (_C_12 : (x >= 0));
  requires (_C_11 : (x <= 1000));
  decreases (_C_13 : x);
behavior default:
  ensures (_C_10 : (\result == sum_upto(\at(x,Old))));
{  
   (var int32 tmp);
   
   (var int32 __retres);
   
   {  (if (x == 0) then 
      {  (_C_9 : (__retres = 0));
         
         (goto return_label)
      } else 
      {  
         {  (_C_4 : (tmp = (_C_3 : sum((_C_2 : ((_C_1 : (x - 1)) :> int32))))));
            ()
         };
         (_C_8 : (__retres = (_C_7 : ((_C_6 : ((_C_5 : (x :> int32)) + tmp)) :> int32))));
         
         (goto return_label)
      });
      (return_label : 
      (return __retres))
   }
}

int32 main()
behavior default:
  ensures (_C_16 : (\result == 36));
{  
   (var int32 i);
   
   {  (_C_15 : (i = (_C_14 : sum(8))));
      
      (return i)
   }
}

int32 f91(int32 n_1)
  decreases (_C_30 : (101 - n_1));
behavior less_than_101:
  assumes (n_1 <= 100);
  ensures (_C_27 : (\result == 91));
behavior greater_than_100:
  assumes (n_1 >= 101);
  ensures (_C_28 : (\result == (\at(n_1,Old) - 10)));
behavior default:
  ensures (_C_29 : true);
{  
   (var int32 tmp_0);
   
   (var int32 tmp_0_0);
   
   (var int32 __retres_0);
   
   {  (if (n_1 <= 100) then 
      {  (_C_23 : (tmp_0 = (_C_22 : f91((_C_21 : ((_C_20 : (n_1 + 11)) :> int32))))));
         (_C_25 : (tmp_0_0 = (_C_24 : f91(tmp_0))));
         (_C_26 : (__retres_0 = tmp_0_0));
         
         (goto return_label)
      } else 
      {  (_C_19 : (__retres_0 = (_C_18 : ((_C_17 : (n_1 - 10)) :> int32))));
         
         (goto return_label)
      });
      (return_label : 
      (return __retres_0))
   }
}
========== file tests/c/rec.jessie/rec.cloc ==========
[_C_28]
file = "HOME/tests/c/rec.c"
line = 64
begin = 14
end = 31

[f91]
name = "Function f91"
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[main]
name = "Function main"
file = "HOME/tests/c/rec.c"
line = 51
begin = 5
end = 9

[_C_4]
file = "HOME/tests/c/rec.c"
line = 45
begin = 18
end = 27

[_C_23]
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[_C_19]
file = "HOME/tests/c/rec.c"
line = 71
begin = 4
end = 18

[_C_13]
file = "HOME/tests/c/rec.c"
line = 40
begin = 14
end = 15

[_C_5]
file = "HOME/tests/c/rec.c"
line = 45
begin = 14
end = 15

[_C_12]
file = "HOME/tests/c/rec.c"
line = 38
begin = 13
end = 19

[_C_22]
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[_C_9]
file = "HOME/tests/c/rec.c"
line = 44
begin = 14
end = 23

[_C_30]
file = "HOME/tests/c/rec.c"
line = 58
begin = 14
end = 19

[_C_6]
file = "HOME/tests/c/rec.c"
line = 45
begin = 14
end = 27

[_C_24]
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[_C_20]
file = "HOME/tests/c/rec.c"
line = 68
begin = 19
end = 25

[_C_3]
file = "HOME/tests/c/rec.c"
line = 45
begin = 18
end = 27

[_C_17]
file = "HOME/tests/c/rec.c"
line = 71
begin = 11
end = 17

[_C_7]
file = "HOME/tests/c/rec.c"
line = 45
begin = 14
end = 27

[_C_27]
file = "HOME/tests/c/rec.c"
line = 61
begin = 14
end = 27

[_C_15]
file = "HOME/tests/c/rec.c"
line = 52
begin = 11
end = 17

[_C_26]
file = "HOME/tests/c/rec.c"
line = 68
begin = 4
end = 28

[_C_10]
file = "HOME/tests/c/rec.c"
line = 41
begin = 12
end = 34

[_C_8]
file = "HOME/tests/c/rec.c"
line = 45
begin = 7
end = 28

[_C_18]
file = "HOME/tests/c/rec.c"
line = 71
begin = 11
end = 17

[_C_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_14]
file = "HOME/tests/c/rec.c"
line = 52
begin = 11
end = 17

[_C_2]
file = "HOME/tests/c/rec.c"
line = 45
begin = 23
end = 26

[_C_16]
file = "HOME/tests/c/rec.c"
line = 49
begin = 12
end = 25

[_C_1]
file = "HOME/tests/c/rec.c"
line = 45
begin = 23
end = 26

[_C_25]
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[_C_11]
file = "HOME/tests/c/rec.c"
line = 39
begin = 13
end = 22

[sum]
name = "Function sum"
file = "HOME/tests/c/rec.c"
line = 43
begin = 5
end = 8

[sum_rec]
name = "Lemma sum_rec"
file = "HOME/tests/c/rec.c"
line = 34
begin = 4
end = 89

[_C_21]
file = "HOME/tests/c/rec.c"
line = 68
begin = 19
end = 25

========== jessie execution ==========
Generating Why function sum
Generating Why function main
Generating Why function f91
========== file tests/c/rec.jessie/rec.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs rec.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs rec.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/rec_why.sx

project: why/rec.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/rec_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/rec_why.vo

coq/rec_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/rec_why.v: why/rec.why
	@echo 'why -coq [...] why/rec.why' && $(WHY) $(JESSIELIBFILES) why/rec.why && rm -f coq/jessie_why.v

coq-goals: goals coq/rec_ctx_why.vo
	for f in why/*_po*.why; do make -f rec.makefile coq/`basename $$f .why`_why.v ; done

coq/rec_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/rec_ctx_why.v: why/rec_ctx.why
	@echo 'why -coq [...] why/rec_ctx.why' && $(WHY) why/rec_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export rec_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/rec_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/rec_ctx_why.vo

pvs: pvs/rec_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/rec_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/rec_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/rec_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/rec_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/rec_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/rec_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/rec_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/rec_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/rec_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/rec_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/rec_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/rec_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/rec_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/rec_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: rec.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/rec_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: rec.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: rec.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: rec.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include rec.depend

depend: coq/rec_why.v
	-$(COQDEP) -I coq coq/rec*_why.v > rec.depend

clean:
	rm -f coq/*.vo

========== file tests/c/rec.jessie/rec.loc ==========
[main_safety]
name = "Function main"
behavior = "Safety"
file = "HOME/tests/c/rec.c"
line = 51
begin = 5
end = 9

[JC_51]
kind = ArithOverflow
file = "HOME/tests/c/rec.c"
line = 71
begin = 11
end = 17

[JC_45]
file = "HOME/tests/c/rec.c"
line = 58
begin = 14
end = 19

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
kind = VarDecr
file = "HOME/tests/c/rec.c"
line = 45
begin = 18
end = 27

[sum_safety]
name = "Function sum"
behavior = "Safety"
file = "HOME/tests/c/rec.c"
line = 43
begin = 5
end = 8

[JC_55]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[f91_safety]
name = "Function f91"
behavior = "Safety"
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[JC_48]
file = "HOME/tests/c/rec.c"
line = 58
begin = 14
end = 19

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/tests/c/rec.c"
line = 51
begin = 5
end = 9

[JC_5]
file = "HOME/tests/c/rec.c"
line = 38
begin = 13
end = 19

[JC_9]
file = "HOME/tests/c/rec.c"
line = 41
begin = 12
end = 34

[JC_24]
file = "HOME/tests/c/rec.c"
line = 49
begin = 12
end = 25

[JC_25]
file = "HOME/tests/c/rec.c"
line = 49
begin = 12
end = 25

[JC_41]
file = "HOME/tests/c/rec.c"
line = 64
begin = 14
end = 31

[JC_47]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[JC_52]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[JC_13]
kind = ArithOverflow
file = "HOME/tests/c/rec.c"
line = 45
begin = 23
end = 26

[f91_ensures_greater_than_100]
name = "Function f91"
behavior = "Behavior `greater_than_100'"
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/c/rec.c"
line = 40
begin = 14
end = 15

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/c/rec.c"
line = 61
begin = 14
end = 27

[JC_40]
file = "HOME/tests/c/rec.c"
line = 64
begin = 14
end = 31

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/c/rec.c"
line = 61
begin = 14
end = 27

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/rec.c"
line = 39
begin = 13
end = 22

[JC_44]
file = "HOME/tests/c/rec.c"
line = 58
begin = 14
end = 19

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
kind = ArithOverflow
file = "HOME/tests/c/rec.c"
line = 68
begin = 19
end = 25

[JC_46]
kind = VarDecr
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[main_ensures_default]
name = "Function main"
behavior = "default behavior"
file = "HOME/tests/c/rec.c"
line = 51
begin = 5
end = 9

[JC_32]
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[JC_56]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[f91_ensures_less_than_101]
name = "Function f91"
behavior = "Behavior `less_than_101'"
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[JC_29]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 52
begin = 11
end = 17

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[sum_ensures_default]
name = "Function sum"
behavior = "default behavior"
file = "HOME/tests/c/rec.c"
line = 43
begin = 5
end = 8

[JC_16]
file = "HOME/tests/c/rec.c"
line = 40
begin = 14
end = 15

[JC_43]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 15
end = 26

[JC_2]
file = "HOME/tests/c/rec.c"
line = 39
begin = 13
end = 22

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 45
begin = 18
end = 27

[JC_53]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/c/rec.c"
line = 58
begin = 14
end = 19

[JC_1]
file = "HOME/tests/c/rec.c"
line = 38
begin = 13
end = 19

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/tests/c/rec.c"
line = 41
begin = 12
end = 34

[JC_57]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[JC_20]
file = "HOME/tests/c/rec.c"
line = 51
begin = 5
end = 9

[JC_18]
kind = ArithOverflow
file = "HOME/tests/c/rec.c"
line = 45
begin = 14
end = 27

[JC_3]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 45
begin = 18
end = 27

[JC_50]
kind = VarDecr
file = "HOME/tests/c/rec.c"
line = 68
begin = 11
end = 27

[JC_30]
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[sum_rec]
name = "Lemma sum_rec"
behavior = "lemma"
file = "HOME/tests/c/rec.c"
line = 34
begin = 4
end = 89

[f91_ensures_default]
name = "Function f91"
behavior = "default behavior"
file = "HOME/tests/c/rec.c"
line = 66
begin = 4
end = 7

[JC_28]
kind = UserCall
file = "HOME/tests/c/rec.c"
line = 52
begin = 11
end = 17

========== file tests/c/rec.jessie/why/rec.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

function sum_upto(n:int) : int =
 computer_div(mul_int(n, add_int(n, (1))), (2))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma sum_rec :
 (forall n_0:int.
  (ge_int(n_0, (0)) ->
   (sum_upto(add_int(n_0, (1))) = add_int(add_int(sum_upto(n_0), n_0), (1)))))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter f91 :
 n_1:int32 ->
  { } int32
  { ((ge_int(integer_of_int32(n_1), (101)) ->
      (JC_41:
      (integer_of_int32(result) = sub_int(integer_of_int32(n_1), (10)))))
    and (le_int(integer_of_int32(n_1), (100)) ->
         (JC_39: (integer_of_int32(result) = (91))))) }

parameter f91_requires :
 n_1:int32 ->
  { } int32
  { ((ge_int(integer_of_int32(n_1), (101)) ->
      (JC_41:
      (integer_of_int32(result) = sub_int(integer_of_int32(n_1), (10)))))
    and (le_int(integer_of_int32(n_1), (100)) ->
         (JC_39: (integer_of_int32(result) = (91))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter main :
 tt:unit -> { } int32 { (JC_25: (integer_of_int32(result) = (36))) }

parameter main_requires :
 tt:unit -> { } int32 { (JC_25: (integer_of_int32(result) = (36))) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter sum :
 x_0:int32 ->
  { } int32
  { (JC_10: (integer_of_int32(result) = sum_upto(integer_of_int32(x_0)))) }

parameter sum_requires :
 x_0:int32 ->
  { (JC_3:
    ((JC_1: ge_int(integer_of_int32(x_0), (0)))
    and (JC_2: le_int(integer_of_int32(x_0), (1000)))))}
  int32
  { (JC_10: (integer_of_int32(result) = sum_upto(integer_of_int32(x_0)))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let f91_ensures_default =
 fun (n_1 : int32) ->
  { (JC_33: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp_0 = ref (any_int32 void) in
     (let tmp_0_0 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     try
      begin
        (if ((le_int_ (integer_of_int32 n_1)) (100))
        then
         begin
           (let _jessie_ =
           (tmp_0 := (let _jessie_ =
                     (safe_int32_of_integer_ ((add_int (integer_of_int32 n_1)) (11))) in
                     (JC_52: (f91 _jessie_)))) in void);
          (let _jessie_ =
          (tmp_0_0 := (let _jessie_ = !tmp_0 in (JC_53: (f91 _jessie_)))) in
          void); (let _jessie_ = (__retres_0 := !tmp_0_0) in void);
          (raise (Return_label_exc void)) end
        else
         begin
           (let _jessie_ =
           (__retres_0 := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (10)))) in
           void); (raise (Return_label_exc void)) end);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres_0); (raise Return) end) end)));
    absurd  end with Return -> !return end)) { (JC_34: true) }

let f91_ensures_greater_than_100 =
 fun (n_1 : int32) ->
  { ge_int(integer_of_int32(n_1), (101)) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp_0 = ref (any_int32 void) in
     (let tmp_0_0 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     try
      begin
        (if ((le_int_ (integer_of_int32 n_1)) (100))
        then
         begin
           (let _jessie_ =
           (tmp_0 := (let _jessie_ =
                     (safe_int32_of_integer_ ((add_int (integer_of_int32 n_1)) (11))) in
                     (JC_56: (f91 _jessie_)))) in void);
          (let _jessie_ =
          (tmp_0_0 := (let _jessie_ = !tmp_0 in (JC_57: (f91 _jessie_)))) in
          void); (let _jessie_ = (__retres_0 := !tmp_0_0) in void);
          (raise (Return_label_exc void)) end
        else
         begin
           (let _jessie_ =
           (__retres_0 := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (10)))) in
           void); (raise (Return_label_exc void)) end);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres_0); (raise Return) end) end)));
    absurd  end with Return -> !return end))
  { (JC_40:
    (integer_of_int32(result) = sub_int(integer_of_int32(n_1), (10)))) }

let f91_ensures_less_than_101 =
 fun (n_1 : int32) ->
  { le_int(integer_of_int32(n_1), (100)) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp_0 = ref (any_int32 void) in
     (let tmp_0_0 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     try
      begin
        (if ((le_int_ (integer_of_int32 n_1)) (100))
        then
         begin
           (let _jessie_ =
           (tmp_0 := (let _jessie_ =
                     (safe_int32_of_integer_ ((add_int (integer_of_int32 n_1)) (11))) in
                     (JC_54: (f91 _jessie_)))) in void);
          (let _jessie_ =
          (tmp_0_0 := (let _jessie_ = !tmp_0 in (JC_55: (f91 _jessie_)))) in
          void); (let _jessie_ = (__retres_0 := !tmp_0_0) in void);
          (raise (Return_label_exc void)) end
        else
         begin
           (let _jessie_ =
           (__retres_0 := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (10)))) in
           void); (raise (Return_label_exc void)) end);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres_0); (raise Return) end) end)));
    absurd  end with Return -> !return end))
  { (JC_38: (integer_of_int32(result) = (91))) }

let f91_safety =
 fun (n_1 : int32) ->
  { (JC_33: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp_0 = ref (any_int32 void) in
     (let tmp_0_0 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     try
      begin
        (if ((le_int_ (integer_of_int32 n_1)) (100))
        then
         begin
           (let _jessie_ =
           (tmp_0 := (let _jessie_ =
                     (JC_42:
                     (int32_of_integer_ ((add_int (integer_of_int32 n_1)) (11)))) in
                     (JC_46:
                     (check
                     { zwf_zero((JC_45 : sub_int((101),
                                         integer_of_int32(_jessie_))),
                       (JC_44 : sub_int((101), integer_of_int32(n_1)))) };
                     (JC_43: (f91_requires _jessie_)))))) in void);
          (let _jessie_ =
          (tmp_0_0 := (let _jessie_ = !tmp_0 in
                      (JC_50:
                      (check
                      { zwf_zero((JC_49 : sub_int((101),
                                          integer_of_int32(_jessie_))),
                        (JC_48 : sub_int((101), integer_of_int32(n_1)))) };
                      (JC_47: (f91_requires _jessie_)))))) in void);
          (let _jessie_ = (__retres_0 := !tmp_0_0) in void);
          (raise (Return_label_exc void)) end
        else
         begin
           (let _jessie_ =
           (__retres_0 := (JC_51:
                          (int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (10))))) in
           void); (raise (Return_label_exc void)) end);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres_0); (raise Return) end) end)));
    absurd  end with Return -> !return end)) { true }

let main_ensures_default =
 fun (tt : unit) ->
  { (JC_23: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let i = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (i := (let _jessie_ = (safe_int32_of_integer_ (8)) in
             (JC_29: (sum _jessie_)))) in void); (return := !i);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_24: (integer_of_int32(result) = (36))) }

let main_safety =
 fun (tt : unit) ->
  { (JC_23: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let i = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (i := (let _jessie_ = (safe_int32_of_integer_ (8)) in
             (JC_28: (sum_requires _jessie_)))) in void); (return := !i);
      (raise Return) end); absurd  end with Return -> !return end)) { true }

let sum_ensures_default =
 fun (x_0 : int32) ->
  { (JC_7:
    ((JC_5: ge_int(integer_of_int32(x_0), (0)))
    and (JC_6: le_int(integer_of_int32(x_0), (1000))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        (if ((eq_int_ (integer_of_int32 x_0)) (0))
        then
         begin
           (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in
           void); (raise (Return_label_exc void)) end
        else
         begin
           (let _jessie_ =
           (tmp := (let _jessie_ =
                   (safe_int32_of_integer_ ((sub_int (integer_of_int32 x_0)) (1))) in
                   (JC_19: (sum _jessie_)))) in void); void;
          (let _jessie_ =
          (__retres := (safe_int32_of_integer_ ((add_int (integer_of_int32 x_0)) 
                                                (integer_of_int32 !tmp)))) in
          void); (raise (Return_label_exc void)) end);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_9: (integer_of_int32(result) = sum_upto(integer_of_int32(x_0)))) }

let sum_safety =
 fun (x_0 : int32) ->
  { (JC_7:
    ((JC_5: ge_int(integer_of_int32(x_0), (0)))
    and (JC_6: le_int(integer_of_int32(x_0), (1000))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        (if ((eq_int_ (integer_of_int32 x_0)) (0))
        then
         begin
           (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in
           void); (raise (Return_label_exc void)) end
        else
         begin
           (let _jessie_ =
           (tmp := (let _jessie_ =
                   (JC_13:
                   (int32_of_integer_ ((sub_int (integer_of_int32 x_0)) (1)))) in
                   (JC_17:
                   (check
                   { zwf_zero(integer_of_int32((JC_16 : _jessie_)),
                     integer_of_int32((JC_15 : x_0))) };
                   (JC_14: (sum_requires _jessie_)))))) in void); void;
          (let _jessie_ =
          (__retres := (JC_18:
                       (int32_of_integer_ ((add_int (integer_of_int32 x_0)) 
                                           (integer_of_int32 !tmp))))) in
          void); (raise (Return_label_exc void)) end);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/rec.why
========== file tests/c/rec.jessie/why/rec_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

function sum_upto(n: int) : int = computer_div((n * (n + 1)), 2)

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal sum_rec:
  (forall n_0:int.
    ((n_0 >= 0) -> (sum_upto((n_0 + 1)) = ((sum_upto(n_0) + n_0) + 1))))

axiom sum_rec_as_axiom:
  (forall n_0:int.
    ((n_0 >= 0) -> (sum_upto((n_0 + 1)) = ((sum_upto(n_0) + n_0) + 1))))

goal f91_ensures_greater_than_100_po_1:
  forall n_1:int32.
  (integer_of_int32(n_1) >= 101) ->
  (integer_of_int32(n_1) <= 100) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n_1) + 11)) ->
  forall result0:int32.
  (((integer_of_int32(result) >= 101) ->
    ("JC_41": (integer_of_int32(result0) = (integer_of_int32(result) - 10)))) and
   ((integer_of_int32(result) <= 100) ->
    ("JC_39": (integer_of_int32(result0) = 91)))) ->
  forall tmp_0:int32.
  (tmp_0 = result0) ->
  forall result1:int32.
  (((integer_of_int32(tmp_0) >= 101) ->
    ("JC_41": (integer_of_int32(result1) = (integer_of_int32(tmp_0) - 10)))) and
   ((integer_of_int32(tmp_0) <= 100) ->
    ("JC_39": (integer_of_int32(result1) = 91)))) ->
  forall tmp_0_0:int32.
  (tmp_0_0 = result1) ->
  forall __retres_0:int32.
  (__retres_0 = tmp_0_0) ->
  forall return:int32.
  (return = __retres_0) ->
  ("JC_40": (integer_of_int32(return) = (integer_of_int32(n_1) - 10)))

goal f91_ensures_greater_than_100_po_2:
  forall n_1:int32.
  (integer_of_int32(n_1) >= 101) ->
  (integer_of_int32(n_1) > 100) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n_1) - 10)) ->
  forall __retres_0:int32.
  (__retres_0 = result) ->
  forall return:int32.
  (return = __retres_0) ->
  ("JC_40": (integer_of_int32(return) = (integer_of_int32(n_1) - 10)))

goal f91_ensures_less_than_101_po_1:
  forall n_1:int32.
  (integer_of_int32(n_1) <= 100) ->
  (integer_of_int32(n_1) <= 100) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n_1) + 11)) ->
  forall result0:int32.
  (((integer_of_int32(result) >= 101) ->
    ("JC_41": (integer_of_int32(result0) = (integer_of_int32(result) - 10)))) and
   ((integer_of_int32(result) <= 100) ->
    ("JC_39": (integer_of_int32(result0) = 91)))) ->
  forall tmp_0:int32.
  (tmp_0 = result0) ->
  forall result1:int32.
  (((integer_of_int32(tmp_0) >= 101) ->
    ("JC_41": (integer_of_int32(result1) = (integer_of_int32(tmp_0) - 10)))) and
   ((integer_of_int32(tmp_0) <= 100) ->
    ("JC_39": (integer_of_int32(result1) = 91)))) ->
  forall tmp_0_0:int32.
  (tmp_0_0 = result1) ->
  forall __retres_0:int32.
  (__retres_0 = tmp_0_0) ->
  forall return:int32.
  (return = __retres_0) ->
  ("JC_38": (integer_of_int32(return) = 91))

goal f91_ensures_less_than_101_po_2:
  forall n_1:int32.
  (integer_of_int32(n_1) <= 100) ->
  (integer_of_int32(n_1) > 100) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n_1) - 10)) ->
  forall __retres_0:int32.
  (__retres_0 = result) ->
  forall return:int32.
  (return = __retres_0) ->
  ("JC_38": (integer_of_int32(return) = 91))

goal f91_safety_po_1:
  forall n_1:int32.
  ("JC_33": true) ->
  (integer_of_int32(n_1) <= 100) ->
  ((-2147483648) <= (integer_of_int32(n_1) + 11))

goal f91_safety_po_2:
  forall n_1:int32.
  ("JC_33": true) ->
  (integer_of_int32(n_1) <= 100) ->
  ((integer_of_int32(n_1) + 11) <= 2147483647)

goal f91_safety_po_3:
  forall n_1:int32.
  ("JC_33": true) ->
  (integer_of_int32(n_1) <= 100) ->
  (((-2147483648) <= (integer_of_int32(n_1) + 11)) and
   ((integer_of_int32(n_1) + 11) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n_1) + 11)) ->
  (0 <= ("JC_44": (101 - integer_of_int32(n_1))))

goal f91_safety_po_4:
  forall n_1:int32.
  ("JC_33": true) ->
  (integer_of_int32(n_1) <= 100) ->
  (((-2147483648) <= (integer_of_int32(n_1) + 11)) and
   ((integer_of_int32(n_1) + 11) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n_1) + 11)) ->
  (("JC_45": (101 - integer_of_int32(result))) < ("JC_44":
                                                 (101 - integer_of_int32(n_1))))

goal f91_safety_po_5:
  forall n_1:int32.
  ("JC_33": true) ->
  (integer_of_int32(n_1) <= 100) ->
  (((-2147483648) <= (integer_of_int32(n_1) + 11)) and
   ((integer_of_int32(n_1) + 11) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n_1) + 11)) ->
  forall result0:int32.
  (((integer_of_int32(result) >= 101) ->
    ("JC_41": (integer_of_int32(result0) = (integer_of_int32(result) - 10)))) and
   ((integer_of_int32(result) <= 100) ->
    ("JC_39": (integer_of_int32(result0) = 91)))) ->
  forall tmp_0:int32.
  (tmp_0 = result0) ->
  (0 <= ("JC_48": (101 - integer_of_int32(n_1))))

goal f91_safety_po_6:
  forall n_1:int32.
  ("JC_33": true) ->
  (integer_of_int32(n_1) <= 100) ->
  (((-2147483648) <= (integer_of_int32(n_1) + 11)) and
   ((integer_of_int32(n_1) + 11) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(n_1) + 11)) ->
  forall result0:int32.
  (((integer_of_int32(result) >= 101) ->
    ("JC_41": (integer_of_int32(result0) = (integer_of_int32(result) - 10)))) and
   ((integer_of_int32(result) <= 100) ->
    ("JC_39": (integer_of_int32(result0) = 91)))) ->
  forall tmp_0:int32.
  (tmp_0 = result0) ->
  (("JC_49": (101 - integer_of_int32(tmp_0))) < ("JC_48":
                                                (101 - integer_of_int32(n_1))))

goal f91_safety_po_7:
  forall n_1:int32.
  ("JC_33": true) ->
  (integer_of_int32(n_1) > 100) ->
  ((-2147483648) <= (integer_of_int32(n_1) - 10))

goal f91_safety_po_8:
  forall n_1:int32.
  ("JC_33": true) ->
  (integer_of_int32(n_1) > 100) ->
  ((integer_of_int32(n_1) - 10) <= 2147483647)

goal main_ensures_default_po_1:
  ("JC_23": true) ->
  forall result:int32.
  (integer_of_int32(result) = 8) ->
  forall result0:int32.
  ("JC_10": (integer_of_int32(result0) = sum_upto(integer_of_int32(result)))) ->
  forall i:int32.
  (i = result0) ->
  forall return:int32.
  (return = i) ->
  ("JC_24": (integer_of_int32(return) = 36))

goal main_safety_po_1:
  ("JC_23": true) ->
  forall result:int32.
  (integer_of_int32(result) = 8) ->
  ("JC_3": ("JC_1": (integer_of_int32(result) >= 0)))

goal main_safety_po_2:
  ("JC_23": true) ->
  forall result:int32.
  (integer_of_int32(result) = 8) ->
  ("JC_3": ("JC_2": (integer_of_int32(result) <= 1000)))

goal sum_ensures_default_po_1:
  forall x_0:int32.
  ("JC_7":
  (("JC_5": (integer_of_int32(x_0) >= 0)) and
   ("JC_6": (integer_of_int32(x_0) <= 1000)))) ->
  (integer_of_int32(x_0) = 0) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_9": (integer_of_int32(return) = sum_upto(integer_of_int32(x_0))))

goal sum_ensures_default_po_2:
  forall x_0:int32.
  ("JC_7":
  (("JC_5": (integer_of_int32(x_0) >= 0)) and
   ("JC_6": (integer_of_int32(x_0) <= 1000)))) ->
  (integer_of_int32(x_0) <> 0) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(x_0) - 1)) ->
  forall result0:int32.
  ("JC_10": (integer_of_int32(result0) = sum_upto(integer_of_int32(result)))) ->
  forall tmp:int32.
  (tmp = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(x_0) + integer_of_int32(tmp))) ->
  forall __retres:int32.
  (__retres = result1) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_9": (integer_of_int32(return) = sum_upto(integer_of_int32(x_0))))

goal sum_safety_po_1:
  forall x_0:int32.
  ("JC_7":
  (("JC_5": (integer_of_int32(x_0) >= 0)) and
   ("JC_6": (integer_of_int32(x_0) <= 1000)))) ->
  (integer_of_int32(x_0) <> 0) ->
  ((-2147483648) <= (integer_of_int32(x_0) - 1))

goal sum_safety_po_2:
  forall x_0:int32.
  ("JC_7":
  (("JC_5": (integer_of_int32(x_0) >= 0)) and
   ("JC_6": (integer_of_int32(x_0) <= 1000)))) ->
  (integer_of_int32(x_0) <> 0) ->
  ((integer_of_int32(x_0) - 1) <= 2147483647)

goal sum_safety_po_3:
  forall x_0:int32.
  ("JC_7":
  (("JC_5": (integer_of_int32(x_0) >= 0)) and
   ("JC_6": (integer_of_int32(x_0) <= 1000)))) ->
  (integer_of_int32(x_0) <> 0) ->
  (((-2147483648) <= (integer_of_int32(x_0) - 1)) and
   ((integer_of_int32(x_0) - 1) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(x_0) - 1)) ->
  (0 <= integer_of_int32(("JC_15": x_0)))

goal sum_safety_po_4:
  forall x_0:int32.
  ("JC_7":
  (("JC_5": (integer_of_int32(x_0) >= 0)) and
   ("JC_6": (integer_of_int32(x_0) <= 1000)))) ->
  (integer_of_int32(x_0) <> 0) ->
  (((-2147483648) <= (integer_of_int32(x_0) - 1)) and
   ((integer_of_int32(x_0) - 1) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(x_0) - 1)) ->
  (integer_of_int32(("JC_16": result)) < integer_of_int32(("JC_15": x_0)))

goal sum_safety_po_5:
  forall x_0:int32.
  ("JC_7":
  (("JC_5": (integer_of_int32(x_0) >= 0)) and
   ("JC_6": (integer_of_int32(x_0) <= 1000)))) ->
  (integer_of_int32(x_0) <> 0) ->
  (((-2147483648) <= (integer_of_int32(x_0) - 1)) and
   ((integer_of_int32(x_0) - 1) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(x_0) - 1)) ->
  ("JC_3": ("JC_1": (integer_of_int32(result) >= 0)))

goal sum_safety_po_6:
  forall x_0:int32.
  ("JC_7":
  (("JC_5": (integer_of_int32(x_0) >= 0)) and
   ("JC_6": (integer_of_int32(x_0) <= 1000)))) ->
  (integer_of_int32(x_0) <> 0) ->
  (((-2147483648) <= (integer_of_int32(x_0) - 1)) and
   ((integer_of_int32(x_0) - 1) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(x_0) - 1)) ->
  ("JC_3": ("JC_2": (integer_of_int32(result) <= 1000)))

goal sum_safety_po_7:
  forall x_0:int32.
  ("JC_7":
  (("JC_5": (integer_of_int32(x_0) >= 0)) and
   ("JC_6": (integer_of_int32(x_0) <= 1000)))) ->
  (integer_of_int32(x_0) <> 0) ->
  (((-2147483648) <= (integer_of_int32(x_0) - 1)) and
   ((integer_of_int32(x_0) - 1) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(x_0) - 1)) ->
  ("JC_3":
  (("JC_1": (integer_of_int32(result) >= 0)) and
   ("JC_2": (integer_of_int32(result) <= 1000)))) ->
  forall result0:int32.
  ("JC_10": (integer_of_int32(result0) = sum_upto(integer_of_int32(result)))) ->
  forall tmp:int32.
  (tmp = result0) ->
  ((-2147483648) <= (integer_of_int32(x_0) + integer_of_int32(tmp)))

goal sum_safety_po_8:
  forall x_0:int32.
  ("JC_7":
  (("JC_5": (integer_of_int32(x_0) >= 0)) and
   ("JC_6": (integer_of_int32(x_0) <= 1000)))) ->
  (integer_of_int32(x_0) <> 0) ->
  (((-2147483648) <= (integer_of_int32(x_0) - 1)) and
   ((integer_of_int32(x_0) - 1) <= 2147483647)) ->
  forall result:int32.
  (integer_of_int32(result) = (integer_of_int32(x_0) - 1)) ->
  ("JC_3":
  (("JC_1": (integer_of_int32(result) >= 0)) and
   ("JC_2": (integer_of_int32(result) <= 1000)))) ->
  forall result0:int32.
  ("JC_10": (integer_of_int32(result0) = sum_upto(integer_of_int32(result)))) ->
  forall tmp:int32.
  (tmp = result0) ->
  ((integer_of_int32(x_0) + integer_of_int32(tmp)) <= 2147483647)

why-2.34/tests/c/oracle/isqrt2.err.oracle0000644000175000017500000000000012311670312016636 0ustar  rtuserswhy-2.34/tests/c/oracle/quick_sort.res.oracle0000644000175000017500000117343312311670312017624 0ustar  rtusers========== file tests/c/quick_sort.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY: will ask regtests to run Simplify on this program

#pragma JessieIntegerModel(math)

#include "sorting.h"

/*@ requires \valid(t+i) && \valid(t+j);
  @ assigns t[i],t[j];
  @ ensures Swap{Old,Here}(t,i,j);
  @*/
void swap(int t[], int i, int j) {
  int tmp = t[i];
  t[i] = t[j];
  t[j] = tmp;
}

// quick_rec sorts t[l..r]
/*@ requires \valid_range(t,l,r);
  @ decreases r-l;
  @ assigns t[l..r];
  @ behavior sorted:
  @   ensures Sorted(t,l,r+1);
  @ behavior permutation:
  @   ensures Permut{Old,Here}(t,l,r);
  @*/
void quick_rec(int t[], int l, int r) {
  int v,m,i;
  if (l >= r) return;
  v = t[l];
  m = l; 
  /*@ loop invariant 
    @   \forall integer j; l < j <= m ==> t[j] < v;
    @ loop invariant
    @   \forall integer j; m < j <  i ==> t[j] >= v;
    @ loop invariant  
    @   Permut{Pre,Here}(t,l,r);
    @ loop invariant t[l] == v && l <= m < i <= r+1;
    @ loop variant r-i;
    @*/
  for (i = l + 1; i <= r; i++) {
    if (t[i] < v) {
    L1:
      swap(t,i,++m);
      //@ assert Permut{L1,Here}(t,l,r);
    }
  }
  //@ assert l <= m <= r;
 L: swap(t,l,m);
  //@ assert Permut{L,Here}(t,l,r);
  quick_rec(t,l,m-1);
  quick_rec(t,m+1,r);
}

/*@ requires \valid_range(t,0,n-1);
  @ behavior sorted:
  @   ensures Sorted(t,0,n);
  @ behavior permutation:
  @   ensures Permut{Old,Here}(t,0,n-1);
  @*/
void quick_sort(int t[], int n) {
  quick_rec(t,0,n-1);
}


/*
Local Variables:
compile-command: "make quick_sort.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/quick_sort.c"
tests/c/quick_sort.c:49:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
tests/c/quick_sort.c:85:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/quick_sort.jessie
[jessie] File tests/c/quick_sort.jessie/quick_sort.jc written.
[jessie] File tests/c/quick_sort.jessie/quick_sort.cloc written.
========== file tests/c/quick_sort.jessie/quick_sort.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag intP = {
  integer intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate Swap{L1, L2}(intP[..] a, integer i_1, integer j_0) =
(((\at((a + i_1).intM,L1) == \at((a + j_0).intM,L2)) &&
   (\at((a + j_0).intM,L1) == \at((a + i_1).intM,L2))) &&
  (\forall integer k;
    (((k != i_1) && (k != j_0)) ==>
      (\at((a + k).intM,L1) == \at((a + k).intM,L2)))))

predicate Permut{L1, L2}(intP[..] a_0, integer l, integer h) {
case Permut_refl{L}: \at((\forall intP[..] a_1;
                           (\forall integer l_0;
                             (\forall integer h_0;
                               Permut{L,
                               L}(a_1, l_0, h_0)))),L);
  
  case Permut_sym{L1, L2}: (\forall intP[..] a_2;
                             (\forall integer l_1;
                               (\forall integer h_1;
                                 (Permut{L1,
                                   L2}(a_2, l_1, h_1) ==>
                                   Permut{L2,
                                   L1}(a_2, l_1, h_1)))));
  
  case Permut_trans{L1, L2, L3}: (\forall intP[..] a_3;
                                   (\forall integer l_2;
                                     (\forall integer h_2;
                                       ((Permut{L1,
                                          L2}(a_3, l_2, h_2) &&
                                          Permut{L2,
                                          L3}(a_3, l_2, h_2)) ==>
                                         Permut{L1,
                                         L3}(a_3, l_2, h_2)))));
  
  case Permut_swap{L1, L2}: (\forall intP[..] a_4;
                              (\forall integer l_3;
                                (\forall integer h_3;
                                  (\forall integer i_2;
                                    (\forall integer j_1;
                                      (((((l_3 <= i_2) && (i_2 <= h_3)) &&
                                          ((l_3 <= j_1) && (j_1 <= h_3))) &&
                                         Swap{L1,
                                         L2}(a_4, i_2, j_1)) ==>
                                        Permut{L1,
                                        L2}(a_4, l_3, h_3)))))));
  
}

predicate Sorted{L}(intP[..] a_5, integer l_4, integer h_4) =
(\forall integer i_3;
  (\forall integer j_2;
    (((l_4 <= i_3) && ((i_3 <= j_2) && (j_2 < h_4))) ==>
      ((a_5 + i_3).intM <= (a_5 + j_2).intM))))

unit swap(intP[..] t_1, integer i, integer j)
  requires (_C_13 : (((_C_15 : (\offset_min(t_1) <= i)) &&
                       (_C_16 : (\offset_max(t_1) >= i))) &&
                      ((_C_18 : (\offset_min(t_1) <= j)) &&
                        (_C_19 : (\offset_max(t_1) >= j)))));
behavior default:
  assigns (t_1 + i).intM,
  (t_1 + j).intM;
  ensures (_C_12 : Swap{Old, Here}(\at(t_1,Old), \at(i,Old), \at(j,Old)));
{  
   (var integer tmp);
   
   {  (_C_3 : (tmp = (_C_2 : (_C_1 : (t_1 + i)).intM)));
      (_C_8 : ((_C_7 : (_C_6 : (t_1 + i)).intM) = (_C_5 : (_C_4 : (t_1 + j)).intM)));
      (_C_11 : ((_C_10 : (_C_9 : (t_1 + j)).intM) = tmp));
      
      (return ())
   }
}

unit quick_rec(intP[..] t, integer l, integer r)
  requires (_C_55 : ((_C_56 : (\offset_min(t) <= l)) &&
                      (_C_57 : (\offset_max(t) >= r))));
  decreases (_C_58 : (r - l));
behavior default:
  assigns (t + [l..r]).intM;
  ensures (_C_52 : true);
behavior sorted:
  ensures (_C_53 : Sorted{Here}(\at(t,Old), \at(l,Old), (\at(r,Old) + 1)));
behavior permutation:
  ensures (_C_54 : Permut{Old, Here}(\at(t,Old), \at(l,Old), \at(r,Old)));
{  
   (var integer v);
   
   (var integer m);
   
   (var integer i_0);
   
   {  (if (l >= r) then 
      (goto return_label) else ());
      (_C_22 : (v = (_C_21 : (_C_20 : (t + l)).intM)));
      (_C_23 : (m = l));
      (_C_25 : (i_0 = (_C_24 : (l + 1))));
      
      loop 
      behavior default:
        invariant (_C_36 : (\forall integer j_3;
                             (((l < j_3) && (j_3 <= m)) ==>
                               ((t + j_3).intM < v))));
      behavior default:
        invariant (_C_35 : (\forall integer j_4;
                             (((m < j_4) && (j_4 < i_0)) ==>
                               ((t + j_4).intM >= v))));
      behavior default:
        invariant (_C_34 : Permut{Pre, Here}(t, l, r));
      behavior default:
        invariant (_C_27 : ((_C_28 : ((t + l).intM == v)) &&
                             ((_C_30 : (l <= m)) &&
                               ((_C_32 : (m < i_0)) &&
                                 (_C_33 : (i_0 <= (r + 1)))))));
      variant (_C_26 : (r - i_0));
      while (true)
      {  
         {  (if (i_0 <= r) then () else 
            (goto while_0_break));
            
            {  (if ((_C_42 : (_C_41 : (t + i_0)).intM) < v) then 
               {  (L1 : 
                  {  (_C_38 : (m = (_C_37 : (m + 1))));
                     ();
                     ()
                  });
                  (_C_39 : swap(t, i_0, m));
                  
                  {  
                     (assert for default: (_C_40 : (jessie : Permut{L1,
                                                   Here}(t, l, r))));
                     ()
                  }
               } else ())
            };
            (_C_44 : (i_0 = (_C_43 : (i_0 + 1))))
         }
      };
      (while_0_break : ());
      
      {  
         (assert for default: (_C_45 : (jessie : ((l <= m) && (m <= r)))));
         ()
      };
      (L : (_C_46 : swap(t, l, m)));
      
      {  
         (assert for default: (_C_47 : (jessie : Permut{L, Here}(t, l, r))));
         ()
      };
      (_C_49 : quick_rec(t, l, (_C_48 : (m - 1))));
      (_C_51 : quick_rec(t, (_C_50 : (m + 1)), r));
      (return_label : 
      (return ()))
   }
}

unit quick_sort(intP[..] t_0, integer n_1)
  requires (_C_64 : ((_C_65 : (\offset_min(t_0) <= 0)) &&
                      (_C_66 : (\offset_max(t_0) >= (n_1 - 1)))));
behavior default:
  ensures (_C_61 : true);
behavior sorted:
  ensures (_C_62 : Sorted{Here}(\at(t_0,Old), 0, \at(n_1,Old)));
behavior permutation:
  ensures (_C_63 : Permut{Old, Here}(\at(t_0,Old), 0, (\at(n_1,Old) - 1)));
{  
   {  (_C_60 : quick_rec(t_0, 0, (_C_59 : (n_1 - 1))));
      
      (return ())
   }
}
========== file tests/c/quick_sort.jessie/quick_sort.cloc ==========
[quick_sort]
name = "Function quick_sort"
file = "HOME/tests/c/quick_sort.c"
line = 91
begin = 5
end = 15

[_C_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_35]
file = "HOME/tests/c/quick_sort.c"
line = 65
begin = 8
end = 50

[_C_56]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 13
end = 32

[_C_28]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 30

[_C_59]
file = "HOME/tests/c/quick_sort.c"
line = 92
begin = 16
end = 19

[_C_48]
file = "HOME/tests/c/quick_sort.c"
line = 81
begin = 16
end = 19

[_C_51]
file = "HOME/tests/c/quick_sort.c"
line = 82
begin = 2
end = 20

[_C_31]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 39
end = 51

[quick_rec]
name = "Function quick_rec"
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[_C_41]
file = "HOME/tests/c/quick_sort.c"
line = 72
begin = 8
end = 9

[_C_4]
file = "HOME/tests/c/quick_sort.c"
line = 44
begin = 9
end = 10

[_C_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_32]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 39
end = 44

[_C_23]
file = "HOME/tests/c/quick_sort.c"
line = 61
begin = 6
end = 7

[_C_19]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 28
end = 39

[_C_42]
file = "HOME/tests/c/quick_sort.c"
line = 72
begin = 8
end = 12

[_C_13]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 13
end = 39

[_C_5]
file = "HOME/tests/c/quick_sort.c"
line = 44
begin = 9
end = 13

[_C_36]
file = "HOME/tests/c/quick_sort.c"
line = 63
begin = 8
end = 50

[_C_12]
file = "HOME/tests/c/quick_sort.c"
line = 40
begin = 12
end = 33

[_C_33]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 43
end = 51

[_C_22]
file = "HOME/tests/c/quick_sort.c"
line = 60
begin = 6
end = 10

[_C_65]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 13
end = 34

[_C_9]
file = "HOME/tests/c/quick_sort.c"
line = 45
begin = 2
end = 3

[_C_57]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 13
end = 32

[_C_54]
file = "HOME/tests/c/quick_sort.c"
line = 55
begin = 14
end = 37

[_C_30]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 34
end = 40

[_C_63]
file = "HOME/tests/c/quick_sort.c"
line = 89
begin = 14
end = 39

[_C_6]
file = "HOME/tests/c/quick_sort.c"
line = 44
begin = 2
end = 3

[_C_64]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 13
end = 34

[_C_49]
file = "HOME/tests/c/quick_sort.c"
line = 81
begin = 2
end = 20

[_C_24]
file = "HOME/tests/c/quick_sort.c"
line = 71
begin = 11
end = 16

[_C_45]
file = "HOME/tests/c/quick_sort.c"
line = 78
begin = 13
end = 24

[_C_20]
file = "HOME/tests/c/quick_sort.c"
line = 60
begin = 6
end = 7

[_C_38]
file = "HOME/tests/c/quick_sort.c"
line = 74
begin = 15
end = 18

[_C_3]
file = "HOME/tests/c/quick_sort.c"
line = 43
begin = 2
end = 5

[_C_17]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 28
end = 39

[_C_7]
file = "HOME/tests/c/quick_sort.c"
line = 44
begin = 9
end = 13

[_C_62]
file = "HOME/tests/c/quick_sort.c"
line = 87
begin = 14
end = 27

[_C_55]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 13
end = 32

[_C_27]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 51

[_C_46]
file = "HOME/tests/c/quick_sort.c"
line = 79
begin = 4
end = 15

[_C_44]
file = "HOME/tests/c/quick_sort.c"
line = 71
begin = 26
end = 29

[_C_15]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 13
end = 24

[_C_26]
file = "HOME/tests/c/quick_sort.c"
line = 69
begin = 19
end = 22

[_C_47]
file = "HOME/tests/c/quick_sort.c"
line = 80
begin = 13
end = 34

[_C_10]
file = "HOME/tests/c/quick_sort.c"
line = 45
begin = 9
end = 12

[_C_60]
file = "HOME/tests/c/quick_sort.c"
line = 92
begin = 2
end = 20

[_C_53]
file = "HOME/tests/c/quick_sort.c"
line = 53
begin = 14
end = 29

[_C_40]
file = "HOME/tests/c/quick_sort.c"
line = 75
begin = 17
end = 39

[_C_58]
file = "HOME/tests/c/quick_sort.c"
line = 50
begin = 14
end = 17

[swap]
name = "Function swap"
file = "HOME/tests/c/quick_sort.c"
line = 42
begin = 5
end = 9

[_C_8]
file = "HOME/tests/c/quick_sort.c"
line = 44
begin = 9
end = 13

[_C_66]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 13
end = 34

[_C_18]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 28
end = 39

[_C_29]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 34
end = 51

[_C_14]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 13
end = 24

[_C_50]
file = "HOME/tests/c/quick_sort.c"
line = 82
begin = 14
end = 17

[_C_37]
file = "HOME/tests/c/quick_sort.c"
line = 74
begin = 15
end = 18

[_C_43]
file = "HOME/tests/c/quick_sort.c"
line = 71
begin = 26
end = 29

[_C_2]
file = "HOME/tests/c/quick_sort.c"
line = 43
begin = 12
end = 16

[_C_34]
file = "HOME/tests/c/quick_sort.c"
line = 67
begin = 8
end = 31

[_C_16]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 13
end = 24

[_C_1]
file = "HOME/tests/c/quick_sort.c"
line = 43
begin = 12
end = 13

[_C_25]
file = "HOME/tests/c/quick_sort.c"
line = 71
begin = 11
end = 16

[_C_39]
file = "HOME/tests/c/quick_sort.c"
line = 74
begin = 6
end = 19

[_C_11]
file = "HOME/tests/c/quick_sort.c"
line = 45
begin = 9
end = 12

[_C_21]
file = "HOME/tests/c/quick_sort.c"
line = 60
begin = 6
end = 10

========== jessie execution ==========
Generating Why function swap
Generating Why function quick_rec
Generating Why function quick_sort
========== file tests/c/quick_sort.jessie/quick_sort.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs quick_sort.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs quick_sort.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/quick_sort_why.sx

project: why/quick_sort.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/quick_sort_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/quick_sort_why.vo

coq/quick_sort_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/quick_sort_why.v: why/quick_sort.why
	@echo 'why -coq [...] why/quick_sort.why' && $(WHY) $(JESSIELIBFILES) why/quick_sort.why && rm -f coq/jessie_why.v

coq-goals: goals coq/quick_sort_ctx_why.vo
	for f in why/*_po*.why; do make -f quick_sort.makefile coq/`basename $$f .why`_why.v ; done

coq/quick_sort_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/quick_sort_ctx_why.v: why/quick_sort_ctx.why
	@echo 'why -coq [...] why/quick_sort_ctx.why' && $(WHY) why/quick_sort_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export quick_sort_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/quick_sort_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/quick_sort_ctx_why.vo

pvs: pvs/quick_sort_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/quick_sort_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/quick_sort_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/quick_sort_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/quick_sort_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/quick_sort_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/quick_sort_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/quick_sort_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/quick_sort_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/quick_sort_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/quick_sort_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/quick_sort_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/quick_sort_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/quick_sort_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/quick_sort_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: quick_sort.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/quick_sort_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: quick_sort.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: quick_sort.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: quick_sort.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include quick_sort.depend

depend: coq/quick_sort_why.v
	-$(COQDEP) -I coq coq/quick_sort*_why.v > quick_sort.depend

clean:
	rm -f coq/*.vo

========== file tests/c/quick_sort.jessie/quick_sort.loc ==========
[JC_94]
file = "HOME/tests/c/quick_sort.c"
line = 65
begin = 8
end = 50

[JC_73]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 43
end = 51

[JC_63]
file = "HOME/tests/c/quick_sort.c"
line = 50
begin = 14
end = 17

[JC_80]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 131
begin = 6
end = 1481

[JC_51]
file = "HOME/tests/c/quick_sort.c"
line = 63
begin = 8
end = 50

[JC_71]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 34
end = 40

[JC_45]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 34
end = 40

[JC_123]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 184
begin = 15
end = 49

[JC_106]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 30

[JC_143]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 200
begin = 15
end = 53

[JC_113]
file = "HOME/tests/c/quick_sort.c"
line = 63
begin = 8
end = 50

[JC_116]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 131
begin = 6
end = 1481

[JC_64]
file = "HOME/tests/c/quick_sort.c"
line = 50
begin = 14
end = 17

[JC_133]
file = "HOME/"
line = 0
begin = -1
end = -1

[quick_sort_ensures_default]
name = "Function quick_sort"
behavior = "default behavior"
file = "HOME/tests/c/quick_sort.c"
line = 91
begin = 5
end = 15

[quick_rec_ensures_sorted]
name = "Function quick_rec"
behavior = "Behavior `sorted'"
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[JC_99]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 159
begin = 27
end = 42

[JC_85]
file = "HOME/tests/c/quick_sort.c"
line = 80
begin = 13
end = 34

[JC_126]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 13
end = 34

[JC_31]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 13
end = 32

[JC_17]
file = "HOME/tests/c/quick_sort.c"
line = 42
begin = 5
end = 9

[JC_122]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 183
begin = 15
end = 49

[JC_81]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 159
begin = 27
end = 42

[JC_55]
kind = PointerDeref
file = "HOME/tests/c/quick_sort.c"
line = 72
begin = 8
end = 12

[JC_138]
file = "HOME/tests/c/quick_sort.c"
line = 89
begin = 14
end = 39

[JC_134]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/tests/c/quick_sort.c"
line = 87
begin = 14
end = 27

[JC_48]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 51

[JC_23]
kind = PointerDeref
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 100
begin = 15
end = 82

[JC_22]
kind = PointerDeref
file = "HOME/tests/c/quick_sort.c"
line = 44
begin = 9
end = 13

[JC_121]
file = "HOME/tests/c/quick_sort.c"
line = 80
begin = 13
end = 34

[JC_5]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 13
end = 39

[JC_125]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 13
end = 34

[JC_67]
file = "HOME/tests/c/quick_sort.c"
line = 50
begin = 14
end = 17

[JC_9]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 28
end = 39

[JC_75]
file = "HOME/tests/c/quick_sort.c"
line = 67
begin = 8
end = 31

[JC_24]
kind = PointerDeref
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 101
begin = 16
end = 55

[JC_25]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 13
end = 32

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/c/quick_sort.c"
line = 55
begin = 14
end = 37

[JC_74]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 51

[JC_47]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 43
end = 51

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 13
end = 32

[JC_8]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 13
end = 24

[JC_54]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 131
begin = 6
end = 1481

[JC_79]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 131
begin = 6
end = 1481

[quick_sort_ensures_sorted]
name = "Function quick_sort"
behavior = "Behavior `sorted'"
file = "HOME/tests/c/quick_sort.c"
line = 91
begin = 5
end = 15

[JC_13]
file = "HOME/tests/c/quick_sort.c"
line = 40
begin = 12
end = 33

[JC_130]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 13
end = 34

[JC_82]
file = "HOME/tests/c/quick_sort.c"
line = 75
begin = 17
end = 39

[JC_87]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 184
begin = 15
end = 49

[JC_11]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 13
end = 39

[JC_98]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 131
begin = 6
end = 1481

[JC_70]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 30

[quick_rec_safety]
name = "Function quick_rec"
behavior = "Safety"
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[quick_rec_ensures_default]
name = "Function quick_rec"
behavior = "default behavior"
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[JC_15]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 92
begin = 9
end = 16

[JC_36]
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[JC_104]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 183
begin = 15
end = 49

[JC_91]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 43
end = 51

[JC_39]
file = "HOME/tests/c/quick_sort.c"
line = 53
begin = 14
end = 29

[JC_112]
file = "HOME/tests/c/quick_sort.c"
line = 65
begin = 8
end = 50

[JC_40]
file = "HOME/tests/c/quick_sort.c"
line = 53
begin = 14
end = 29

[JC_135]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/c/quick_sort.c"
line = 78
begin = 13
end = 24

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
file = "HOME/"
line = 0
begin = -1
end = -1

[quick_rec_ensures_permutation]
name = "Function quick_rec"
behavior = "Behavior `permutation'"
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[JC_27]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 13
end = 32

[JC_115]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 131
begin = 6
end = 1481

[JC_109]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 43
end = 51

[JC_107]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 34
end = 40

[JC_69]
kind = VarDecr
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 184
begin = 15
end = 49

[JC_124]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 13
end = 34

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_127]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 30

[JC_4]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 28
end = 39

[JC_62]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 183
begin = 15
end = 49

[JC_101]
file = "HOME/tests/c/quick_sort.c"
line = 78
begin = 13
end = 24

[JC_88]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 30

[JC_129]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 13
end = 34

[JC_42]
file = "HOME/tests/c/quick_sort.c"
line = 55
begin = 14
end = 37

[swap_ensures_default]
name = "Function swap"
behavior = "default behavior"
file = "HOME/tests/c/quick_sort.c"
line = 42
begin = 5
end = 9

[JC_110]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 51

[JC_103]
file = "HOME/tests/c/quick_sort.c"
line = 80
begin = 13
end = 34

[JC_46]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 39
end = 44

[swap_safety]
name = "Function swap"
behavior = "Safety"
file = "HOME/tests/c/quick_sort.c"
line = 42
begin = 5
end = 9

[JC_141]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 200
begin = 15
end = 53

[JC_61]
file = "HOME/tests/c/quick_sort.c"
line = 80
begin = 13
end = 34

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 159
begin = 27
end = 42

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
kind = VarDecr
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 183
begin = 15
end = 49

[JC_118]
file = "HOME/tests/c/quick_sort.c"
line = 75
begin = 17
end = 39

[quick_sort_safety]
name = "Function quick_sort"
behavior = "Safety"
file = "HOME/tests/c/quick_sort.c"
line = 91
begin = 5
end = 15

[JC_105]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 184
begin = 15
end = 49

[JC_140]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 200
begin = 15
end = 53

[JC_29]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 13
end = 32

[JC_68]
file = "HOME/tests/c/quick_sort.c"
line = 50
begin = 14
end = 17

[JC_7]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 13
end = 24

[JC_16]
file = "HOME/tests/c/quick_sort.c"
line = 40
begin = 12
end = 33

[JC_96]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
kind = PointerDeref
file = "HOME/tests/c/quick_sort.c"
line = 60
begin = 6
end = 10

[JC_2]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 13
end = 24

[quick_sort_ensures_permutation]
name = "Function quick_sort"
behavior = "Behavior `permutation'"
file = "HOME/tests/c/quick_sort.c"
line = 91
begin = 5
end = 15

[JC_95]
file = "HOME/tests/c/quick_sort.c"
line = 63
begin = 8
end = 50

[JC_93]
file = "HOME/tests/c/quick_sort.c"
line = 67
begin = 8
end = 31

[JC_97]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 131
begin = 6
end = 1481

[JC_84]
kind = UserCall
file = "HOME/tests/c/quick_sort.c"
line = 79
begin = 4
end = 15

[JC_128]
file = "HOME/tests/c/quick_sort.c"
line = 85
begin = 13
end = 34

[JC_34]
file = "HOME/tests/c/quick_sort.c"
line = 57
begin = 5
end = 14

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/c/quick_sort.c"
line = 42
begin = 5
end = 9

[JC_117]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 159
begin = 27
end = 42

[JC_90]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 39
end = 44

[JC_53]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 131
begin = 6
end = 1481

[JC_21]
kind = PointerDeref
file = "HOME/tests/c/quick_sort.c"
line = 43
begin = 12
end = 16

[JC_111]
file = "HOME/tests/c/quick_sort.c"
line = 67
begin = 8
end = 31

[JC_77]
file = "HOME/tests/c/quick_sort.c"
line = 63
begin = 8
end = 50

[JC_49]
file = "HOME/tests/c/quick_sort.c"
line = 67
begin = 8
end = 31

[JC_1]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 13
end = 24

[JC_131]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_102]
kind = UserCall
file = "HOME/tests/c/quick_sort.c"
line = 79
begin = 4
end = 15

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_142]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 200
begin = 15
end = 53

[JC_10]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 28
end = 39

[JC_108]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 39
end = 44

[JC_57]
file = "HOME/tests/c/quick_sort.c"
line = 75
begin = 17
end = 39

[JC_89]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 34
end = 40

[JC_136]
file = "HOME/tests/c/quick_sort.c"
line = 87
begin = 14
end = 27

[JC_66]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 184
begin = 15
end = 49

[JC_59]
file = "HOME/tests/c/quick_sort.c"
line = 78
begin = 13
end = 24

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 92
begin = 9
end = 16

[JC_3]
file = "HOME/tests/c/quick_sort.c"
line = 38
begin = 28
end = 39

[JC_92]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 21
end = 51

[JC_86]
kind = UserCall
file = "HOME/tests/c/quick_sort.jessie/quick_sort.jc"
line = 183
begin = 15
end = 49

[JC_60]
kind = UserCall
file = "HOME/tests/c/quick_sort.c"
line = 79
begin = 4
end = 15

[JC_139]
file = "HOME/tests/c/quick_sort.c"
line = 89
begin = 14
end = 39

[JC_72]
file = "HOME/tests/c/quick_sort.c"
line = 68
begin = 39
end = 44

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
file = "HOME/tests/c/quick_sort.c"
line = 78
begin = 13
end = 24

[JC_76]
file = "HOME/tests/c/quick_sort.c"
line = 65
begin = 8
end = 50

[JC_50]
file = "HOME/tests/c/quick_sort.c"
line = 65
begin = 8
end = 50

[JC_30]
file = "HOME/tests/c/quick_sort.c"
line = 49
begin = 13
end = 32

[JC_120]
kind = UserCall
file = "HOME/tests/c/quick_sort.c"
line = 79
begin = 4
end = 15

[JC_58]
file = "HOME/tests/c/quick_sort.c"
line = 69
begin = 19
end = 22

[JC_100]
file = "HOME/tests/c/quick_sort.c"
line = 75
begin = 17
end = 39

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/quick_sort.jessie/why/quick_sort.why ==========
type charP

type intP

type padding

type unsigned_charP

type voidP

predicate Swap(a:intP pointer, i_1:int, j_0:int,
 intP_intM_a_1_at_L2:(intP, int) memory,
 intP_intM_a_1_at_L1:(intP, int) memory) =
 ((select(intP_intM_a_1_at_L1, shift(a, i_1)) = select(intP_intM_a_1_at_L2,
                                                shift(a, j_0)))
 and ((select(intP_intM_a_1_at_L1, shift(a, j_0)) = select(intP_intM_a_1_at_L2,
                                                    shift(a, i_1)))
     and (forall k:int.
          (((k <> i_1) and (k <> j_0)) ->
           (select(intP_intM_a_1_at_L1, shift(a, k)) = select(intP_intM_a_1_at_L2,
                                                       shift(a, k)))))))

inductive Permut: intP pointer, int, int, (intP, int) memory,
                  (intP, int) memory -> prop =
 | Permut_refl: (forall intP_intM_a_0_2_at_L:(intP, int) memory.
                 (forall a_1:intP pointer.
                  (forall l_0_0:int.
                   (forall h_0:int.
                    Permut(a_1, l_0_0, h_0, intP_intM_a_0_2_at_L,
                    intP_intM_a_0_2_at_L)))))
 | Permut_sym: (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                 (forall a_2:intP pointer.
                  (forall l_1:int.
                   (forall h_1:int.
                    (Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L2,
                     intP_intM_a_0_2_at_L1) ->
                     Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L1,
                     intP_intM_a_0_2_at_L2)))))))
 | Permut_trans: (forall intP_intM_a_0_2_at_L3:(intP, int) memory.
                  (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                   (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                    (forall a_3:intP pointer.
                     (forall l_2:int.
                      (forall h_2:int.
                       ((Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L2,
                         intP_intM_a_0_2_at_L1)
                        and Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
                            intP_intM_a_0_2_at_L2)) ->
                        Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
                        intP_intM_a_0_2_at_L1))))))))
 | Permut_swap: (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                 (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                  (forall a_4:intP pointer.
                   (forall l_3:int.
                    (forall h_3:int.
                     (forall i_2:int.
                      (forall j_1:int.
                       ((le_int(l_3, i_2)
                        and (le_int(i_2, h_3)
                            and (le_int(l_3, j_1)
                                and (le_int(j_1, h_3)
                                    and Swap(a_4, i_2, j_1,
                                        intP_intM_a_0_2_at_L2,
                                        intP_intM_a_0_2_at_L1))))) ->
                        Permut(a_4, l_3, h_3, intP_intM_a_0_2_at_L2,
                        intP_intM_a_0_2_at_L1)))))))))
 
predicate Sorted(a_5:intP pointer, l_4:int, h_4:int,
 intP_intM_a_5_3_at_L:(intP, int) memory) =
 (forall i_3:int.
  (forall j_2:int.
   ((le_int(l_4, i_3) and (le_int(i_3, j_2) and lt_int(j_2, h_4))) ->
    le_int(select(intP_intM_a_5_3_at_L, shift(a_5, i_3)),
    select(intP_intM_a_5_3_at_L, shift(a_5, j_2))))))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter quick_rec :
 t:intP pointer ->
  l_0:int ->
   r:int ->
    intP_intM_t_5:(intP, int) memory ref ->
     intP_t_5_alloc_table:intP alloc_table ->
      { } unit reads intP_intM_t_5 writes intP_intM_t_5
      { ((JC_42: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@))
        and ((JC_40: Sorted(t, l_0, add_int(r, (1)), intP_intM_t_5))
            and (JC_36:
                not_assigns(intP_t_5_alloc_table, intP_intM_t_5@,
                intP_intM_t_5, pset_range(pset_singleton(t), l_0, r))))) }

parameter quick_rec_requires :
 t:intP pointer ->
  l_0:int ->
   r:int ->
    intP_intM_t_5:(intP, int) memory ref ->
     intP_t_5_alloc_table:intP alloc_table ->
      { (JC_27:
        ((JC_25: le_int(offset_min(intP_t_5_alloc_table, t), l_0))
        and (JC_26: ge_int(offset_max(intP_t_5_alloc_table, t), r))))}
      unit reads intP_intM_t_5 writes intP_intM_t_5
      { ((JC_42: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@))
        and ((JC_40: Sorted(t, l_0, add_int(r, (1)), intP_intM_t_5))
            and (JC_36:
                not_assigns(intP_t_5_alloc_table, intP_intM_t_5@,
                intP_intM_t_5, pset_range(pset_singleton(t), l_0, r))))) }

parameter quick_sort :
 t_0:intP pointer ->
  n_1:int ->
   intP_intM_t_0_6:(intP, int) memory ref ->
    intP_t_0_6_alloc_table:intP alloc_table ->
     { } unit reads intP_intM_t_0_6 writes intP_intM_t_0_6
     { ((JC_139:
        Permut(t_0, (0), sub_int(n_1, (1)), intP_intM_t_0_6,
        intP_intM_t_0_6@))
       and (JC_137: Sorted(t_0, (0), n_1, intP_intM_t_0_6))) }

parameter quick_sort_requires :
 t_0:intP pointer ->
  n_1:int ->
   intP_intM_t_0_6:(intP, int) memory ref ->
    intP_t_0_6_alloc_table:intP alloc_table ->
     { (JC_126:
       ((JC_124: le_int(offset_min(intP_t_0_6_alloc_table, t_0), (0)))
       and (JC_125:
           ge_int(offset_max(intP_t_0_6_alloc_table, t_0), sub_int(n_1, (1))))))}
     unit reads intP_intM_t_0_6 writes intP_intM_t_0_6
     { ((JC_139:
        Permut(t_0, (0), sub_int(n_1, (1)), intP_intM_t_0_6,
        intP_intM_t_0_6@))
       and (JC_137: Sorted(t_0, (0), n_1, intP_intM_t_0_6))) }

parameter swap :
 t_1:intP pointer ->
  i:int ->
   j:int ->
    intP_intM_t_1_4:(intP, int) memory ref ->
     intP_t_1_4_alloc_table:intP alloc_table ->
      { } unit reads intP_intM_t_1_4 writes intP_intM_t_1_4
      { (JC_18:
        ((JC_16: Swap(t_1, i, j, intP_intM_t_1_4, intP_intM_t_1_4@))
        and (JC_17:
            not_assigns(intP_t_1_4_alloc_table, intP_intM_t_1_4@,
            intP_intM_t_1_4,
            pset_union(pset_range(pset_singleton(t_1), j, j),
            pset_range(pset_singleton(t_1), i, i)))))) }

parameter swap_requires :
 t_1:intP pointer ->
  i:int ->
   j:int ->
    intP_intM_t_1_4:(intP, int) memory ref ->
     intP_t_1_4_alloc_table:intP alloc_table ->
      { (JC_5:
        ((JC_1: le_int(offset_min(intP_t_1_4_alloc_table, t_1), i))
        and ((JC_2: ge_int(offset_max(intP_t_1_4_alloc_table, t_1), i))
            and ((JC_3: le_int(offset_min(intP_t_1_4_alloc_table, t_1), j))
                and (JC_4:
                    ge_int(offset_max(intP_t_1_4_alloc_table, t_1), j))))))}
      unit reads intP_intM_t_1_4 writes intP_intM_t_1_4
      { (JC_18:
        ((JC_16: Swap(t_1, i, j, intP_intM_t_1_4, intP_intM_t_1_4@))
        and (JC_17:
            not_assigns(intP_t_1_4_alloc_table, intP_intM_t_1_4@,
            intP_intM_t_1_4,
            pset_union(pset_range(pset_singleton(t_1), j, j),
            pset_range(pset_singleton(t_1), i, i)))))) }

let quick_rec_ensures_default =
 fun (t : intP pointer) (l_0 : int) (r : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), l_0))
    and (JC_30: ge_int(offset_max(intP_t_5_alloc_table, t), r)))) }
  (init:
  try
   begin
     (let v = ref (any_int void) in
     (let m = ref (any_int void) in
     (let i_0 = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((ge_int_ l_0) r) then (raise (Return_label_exc void))
           else void);
          (let _jessie_ =
          (v := ((safe_acc_ !intP_intM_t_5) ((shift t) l_0))) in void);
          (let _jessie_ = (m := l_0) in void);
          (let _jessie_ = (i_0 := ((add_int l_0) (1))) in void);
          (loop_2:
          begin
            while true do
            { invariant
                (((JC_74:
                  ((JC_70: (select(intP_intM_t_5, shift(t, l_0)) = v))
                  and ((JC_71: le_int(l_0, m))
                      and ((JC_72: lt_int(m, i_0))
                          and (JC_73: le_int(i_0, add_int(r, (1))))))))
                 and ((JC_75:
                      Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@init))
                     and ((JC_76:
                          (forall j_4:int.
                           ((lt_int(m, j_4) and lt_int(j_4, i_0)) ->
                            ge_int(select(intP_intM_t_5, shift(t, j_4)), v))))
                         and (JC_77:
                             (forall j_3:int.
                              ((lt_int(l_0, j_3) and le_int(j_3, m)) ->
                               lt_int(select(intP_intM_t_5, shift(t, j_3)),
                               v)))))))
                and (JC_79:
                    not_assigns(intP_t_5_alloc_table, intP_intM_t_5@init,
                    intP_intM_t_5, pset_range(pset_singleton(t), l_0, r))))
               }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ !i_0) r) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((lt_int_ ((safe_acc_ !intP_intM_t_5) ((shift t) !i_0))) !v)
                  then
                   (L1:
                   begin
                     (let _jessie_ = (m := ((add_int !m) (1))) in void);
                    void; void;
                    (let _jessie_ = t in
                    (let _jessie_ = !i_0 in
                    (let _jessie_ = !m in
                    (JC_81:
                    (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                    (assert
                    { (JC_82:
                      Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L1)) };
                    void); void end) else void);
                  (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (while_0_break:
         begin
           void;
          (assert { (JC_83: (le_int(l_0, m) and le_int(m, r))) }; void);
          begin
            void;
           (L:
           begin
             (let _jessie_ = t in
             (let _jessie_ = l_0 in
             (let _jessie_ = !m in
             (JC_84:
             (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            (assert
            { (JC_85: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L)) };
            void); void;
            (let _jessie_ = t in
            (let _jessie_ = l_0 in
            (let _jessie_ = ((sub_int !m) (1)) in
            (JC_86:
            (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            (let _jessie_ = t in
            (let _jessie_ = ((add_int !m) (1)) in
            (let _jessie_ = r in
            (JC_87:
            (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))))
           end) end end) end; (raise (Return_label_exc void)) end with
      Return_label_exc _jessie_ -> (return_label: (raise Return)) end)));
    (raise Return) end with Return -> void end)
  { (JC_34:
    not_assigns(intP_t_5_alloc_table, intP_intM_t_5@, intP_intM_t_5,
    pset_range(pset_singleton(t), l_0, r))) }

let quick_rec_ensures_permutation =
 fun (t : intP pointer) (l_0 : int) (r : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), l_0))
    and (JC_30: ge_int(offset_max(intP_t_5_alloc_table, t), r)))) }
  (init:
  try
   begin
     (let v = ref (any_int void) in
     (let m = ref (any_int void) in
     (let i_0 = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((ge_int_ l_0) r) then (raise (Return_label_exc void))
           else void);
          (let _jessie_ =
          (v := ((safe_acc_ !intP_intM_t_5) ((shift t) l_0))) in void);
          (let _jessie_ = (m := l_0) in void);
          (let _jessie_ = (i_0 := ((add_int l_0) (1))) in void);
          (loop_4:
          begin
            while true do
            { invariant (JC_115: true)  }
             begin
               [ { } unit reads i_0,intP_intM_t_5,m,v
                 { ((JC_110:
                    ((JC_106: (select(intP_intM_t_5, shift(t, l_0)) = v))
                    and ((JC_107: le_int(l_0, m))
                        and ((JC_108: lt_int(m, i_0))
                            and (JC_109: le_int(i_0, add_int(r, (1))))))))
                   and ((JC_111:
                        Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@init))
                       and ((JC_112:
                            (forall j_4:int.
                             ((lt_int(m, j_4) and lt_int(j_4, i_0)) ->
                              ge_int(select(intP_intM_t_5, shift(t, j_4)), v))))
                           and (JC_113:
                               (forall j_3:int.
                                ((lt_int(l_0, j_3) and le_int(j_3, m)) ->
                                 lt_int(select(intP_intM_t_5, shift(t, j_3)),
                                 v))))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ !i_0) r) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((lt_int_ ((safe_acc_ !intP_intM_t_5) ((shift t) !i_0))) !v)
                  then
                   (L1:
                   begin
                     (let _jessie_ = (m := ((add_int !m) (1))) in void);
                    void; void;
                    (let _jessie_ = t in
                    (let _jessie_ = !i_0 in
                    (let _jessie_ = !m in
                    (JC_117:
                    (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                    [ { } unit reads intP_intM_t_5
                      { (JC_118:
                        Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L1)) } ];
                    void end) else void); (i_0 := ((add_int !i_0) (1))); !i_0
                 end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (while_0_break:
         begin
           void;
          [ { } unit reads m { (JC_119: (le_int(l_0, m) and le_int(m, r))) } ];
          begin
            void;
           (L:
           begin
             (let _jessie_ = t in
             (let _jessie_ = l_0 in
             (let _jessie_ = !m in
             (JC_120:
             (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            [ { } unit reads intP_intM_t_5
              { (JC_121: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L)) } ];
            void;
            (let _jessie_ = t in
            (let _jessie_ = l_0 in
            (let _jessie_ = ((sub_int !m) (1)) in
            (JC_122:
            (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            (let _jessie_ = t in
            (let _jessie_ = ((add_int !m) (1)) in
            (let _jessie_ = r in
            (JC_123:
            (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))))
           end) end end) end; (raise (Return_label_exc void)) end with
      Return_label_exc _jessie_ -> (return_label: (raise Return)) end)));
    (raise Return) end with Return -> void end)
  { (JC_41: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@)) }

let quick_rec_ensures_sorted =
 fun (t : intP pointer) (l_0 : int) (r : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), l_0))
    and (JC_30: ge_int(offset_max(intP_t_5_alloc_table, t), r)))) }
  (init:
  try
   begin
     (let v = ref (any_int void) in
     (let m = ref (any_int void) in
     (let i_0 = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((ge_int_ l_0) r) then (raise (Return_label_exc void))
           else void);
          (let _jessie_ =
          (v := ((safe_acc_ !intP_intM_t_5) ((shift t) l_0))) in void);
          (let _jessie_ = (m := l_0) in void);
          (let _jessie_ = (i_0 := ((add_int l_0) (1))) in void);
          (loop_3:
          begin
            while true do
            { invariant (JC_97: true)  }
             begin
               [ { } unit reads i_0,intP_intM_t_5,m,v
                 { ((JC_92:
                    ((JC_88: (select(intP_intM_t_5, shift(t, l_0)) = v))
                    and ((JC_89: le_int(l_0, m))
                        and ((JC_90: lt_int(m, i_0))
                            and (JC_91: le_int(i_0, add_int(r, (1))))))))
                   and ((JC_93:
                        Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@init))
                       and ((JC_94:
                            (forall j_4:int.
                             ((lt_int(m, j_4) and lt_int(j_4, i_0)) ->
                              ge_int(select(intP_intM_t_5, shift(t, j_4)), v))))
                           and (JC_95:
                               (forall j_3:int.
                                ((lt_int(l_0, j_3) and le_int(j_3, m)) ->
                                 lt_int(select(intP_intM_t_5, shift(t, j_3)),
                                 v))))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ !i_0) r) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((lt_int_ ((safe_acc_ !intP_intM_t_5) ((shift t) !i_0))) !v)
                  then
                   (L1:
                   begin
                     (let _jessie_ = (m := ((add_int !m) (1))) in void);
                    void; void;
                    (let _jessie_ = t in
                    (let _jessie_ = !i_0 in
                    (let _jessie_ = !m in
                    (JC_99:
                    (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                    [ { } unit reads intP_intM_t_5
                      { (JC_100:
                        Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L1)) } ];
                    void end) else void); (i_0 := ((add_int !i_0) (1))); !i_0
                 end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (while_0_break:
         begin
           void;
          [ { } unit reads m { (JC_101: (le_int(l_0, m) and le_int(m, r))) } ];
          begin
            void;
           (L:
           begin
             (let _jessie_ = t in
             (let _jessie_ = l_0 in
             (let _jessie_ = !m in
             (JC_102:
             (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            [ { } unit reads intP_intM_t_5
              { (JC_103: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L)) } ];
            void;
            (let _jessie_ = t in
            (let _jessie_ = l_0 in
            (let _jessie_ = ((sub_int !m) (1)) in
            (JC_104:
            (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            (let _jessie_ = t in
            (let _jessie_ = ((add_int !m) (1)) in
            (let _jessie_ = r in
            (JC_105:
            (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))))
           end) end end) end; (raise (Return_label_exc void)) end with
      Return_label_exc _jessie_ -> (return_label: (raise Return)) end)));
    (raise Return) end with Return -> void end)
  { (JC_39: Sorted(t, l_0, add_int(r, (1)), intP_intM_t_5)) }

let quick_rec_safety =
 fun (t : intP pointer) (l_0 : int) (r : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), l_0))
    and (JC_30: ge_int(offset_max(intP_t_5_alloc_table, t), r)))) }
  (init:
  try
   begin
     (let v = ref (any_int void) in
     (let m = ref (any_int void) in
     (let i_0 = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((ge_int_ l_0) r) then (raise (Return_label_exc void))
           else void);
          (let _jessie_ =
          (v := (JC_43:
                ((((offset_acc_ intP_t_5_alloc_table) !intP_intM_t_5) t) l_0))) in
          void); (let _jessie_ = (m := l_0) in void);
          (let _jessie_ = (i_0 := ((add_int l_0) (1))) in void);
          (loop_1:
          begin
            while true do
            { invariant (JC_53: true) variant (JC_58 : sub_int(r, i_0)) }
             begin
               [ { } unit reads i_0,intP_intM_t_5,m,v
                 { ((JC_48:
                    ((JC_44: (select(intP_intM_t_5, shift(t, l_0)) = v))
                    and ((JC_45: le_int(l_0, m))
                        and ((JC_46: lt_int(m, i_0))
                            and (JC_47: le_int(i_0, add_int(r, (1))))))))
                   and ((JC_49:
                        Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@init))
                       and ((JC_50:
                            (forall j_4:int.
                             ((lt_int(m, j_4) and lt_int(j_4, i_0)) ->
                              ge_int(select(intP_intM_t_5, shift(t, j_4)), v))))
                           and (JC_51:
                               (forall j_3:int.
                                ((lt_int(l_0, j_3) and le_int(j_3, m)) ->
                                 lt_int(select(intP_intM_t_5, shift(t, j_3)),
                                 v))))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ !i_0) r) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((lt_int_ (JC_55:
                                ((((offset_acc_ intP_t_5_alloc_table) !intP_intM_t_5) t) !i_0))) !v)
                  then
                   (L1:
                   begin
                     (let _jessie_ = (m := ((add_int !m) (1))) in void);
                    void; void;
                    (let _jessie_ = t in
                    (let _jessie_ = !i_0 in
                    (let _jessie_ = !m in
                    (JC_56:
                    (((((swap_requires _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                    [ { } unit reads intP_intM_t_5
                      { (JC_57:
                        Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L1)) } ];
                    void end) else void); (i_0 := ((add_int !i_0) (1))); !i_0
                 end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (while_0_break:
         begin
           void;
          [ { } unit reads m { (JC_59: (le_int(l_0, m) and le_int(m, r))) } ];
          begin
            void;
           (L:
           begin
             (let _jessie_ = t in
             (let _jessie_ = l_0 in
             (let _jessie_ = !m in
             (JC_60:
             (((((swap_requires _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
            [ { } unit reads intP_intM_t_5
              { (JC_61: Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5@L)) } ];
            void;
            (let _jessie_ = t in
            (let _jessie_ = l_0 in
            (let _jessie_ = ((sub_int !m) (1)) in
            (JC_65:
            (check
            { zwf_zero((JC_64 : sub_int(_jessie_, _jessie_)),
              (JC_63 : sub_int(r, l_0))) };
            (JC_62:
            (((((quick_rec_requires _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))))));
            (let _jessie_ = t in
            (let _jessie_ = ((add_int !m) (1)) in
            (let _jessie_ = r in
            (JC_69:
            (check
            { zwf_zero((JC_68 : sub_int(_jessie_, _jessie_)),
              (JC_67 : sub_int(r, l_0))) };
            (JC_66:
            (((((quick_rec_requires _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))))))
           end) end end) end; (raise (Return_label_exc void)) end with
      Return_label_exc _jessie_ -> (return_label: (raise Return)) end)));
    (raise Return) end with Return -> void end) { true }

let quick_sort_ensures_default =
 fun (t_0 : intP pointer) (n_1 : int) (intP_intM_t_0_6 : (intP, int) memory ref) (intP_t_0_6_alloc_table : intP alloc_table) ->
  { (JC_130:
    ((JC_128: le_int(offset_min(intP_t_0_6_alloc_table, t_0), (0)))
    and (JC_129:
        ge_int(offset_max(intP_t_0_6_alloc_table, t_0), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let _jessie_ = t_0 in
     (let _jessie_ = (0) in
     (let _jessie_ = ((sub_int n_1) (1)) in
     (JC_141:
     (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_0_6) intP_t_0_6_alloc_table)))));
    (raise Return); (raise Return) end with Return -> void end)
  { (JC_132: true) }

let quick_sort_ensures_permutation =
 fun (t_0 : intP pointer) (n_1 : int) (intP_intM_t_0_6 : (intP, int) memory ref) (intP_t_0_6_alloc_table : intP alloc_table) ->
  { (JC_130:
    ((JC_128: le_int(offset_min(intP_t_0_6_alloc_table, t_0), (0)))
    and (JC_129:
        ge_int(offset_max(intP_t_0_6_alloc_table, t_0), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let _jessie_ = t_0 in
     (let _jessie_ = (0) in
     (let _jessie_ = ((sub_int n_1) (1)) in
     (JC_143:
     (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_0_6) intP_t_0_6_alloc_table)))));
    (raise Return); (raise Return) end with Return -> void end)
  { (JC_138:
    Permut(t_0, (0), sub_int(n_1, (1)), intP_intM_t_0_6, intP_intM_t_0_6@)) }

let quick_sort_ensures_sorted =
 fun (t_0 : intP pointer) (n_1 : int) (intP_intM_t_0_6 : (intP, int) memory ref) (intP_t_0_6_alloc_table : intP alloc_table) ->
  { (JC_130:
    ((JC_128: le_int(offset_min(intP_t_0_6_alloc_table, t_0), (0)))
    and (JC_129:
        ge_int(offset_max(intP_t_0_6_alloc_table, t_0), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let _jessie_ = t_0 in
     (let _jessie_ = (0) in
     (let _jessie_ = ((sub_int n_1) (1)) in
     (JC_142:
     (((((quick_rec _jessie_) _jessie_) _jessie_) intP_intM_t_0_6) intP_t_0_6_alloc_table)))));
    (raise Return); (raise Return) end with Return -> void end)
  { (JC_136: Sorted(t_0, (0), n_1, intP_intM_t_0_6)) }

let quick_sort_safety =
 fun (t_0 : intP pointer) (n_1 : int) (intP_intM_t_0_6 : (intP, int) memory ref) (intP_t_0_6_alloc_table : intP alloc_table) ->
  { (JC_130:
    ((JC_128: le_int(offset_min(intP_t_0_6_alloc_table, t_0), (0)))
    and (JC_129:
        ge_int(offset_max(intP_t_0_6_alloc_table, t_0), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let _jessie_ = t_0 in
     (let _jessie_ = (0) in
     (let _jessie_ = ((sub_int n_1) (1)) in
     (JC_140:
     (((((quick_rec_requires _jessie_) _jessie_) _jessie_) intP_intM_t_0_6) intP_t_0_6_alloc_table)))));
    (raise Return); (raise Return) end with Return -> void end) { true }

let swap_ensures_default =
 fun (t_1 : intP pointer) (i : int) (j : int) (intP_intM_t_1_4 : (intP, int) memory ref) (intP_t_1_4_alloc_table : intP alloc_table) ->
  { (JC_11:
    ((JC_7: le_int(offset_min(intP_t_1_4_alloc_table, t_1), i))
    and ((JC_8: ge_int(offset_max(intP_t_1_4_alloc_table, t_1), i))
        and ((JC_9: le_int(offset_min(intP_t_1_4_alloc_table, t_1), j))
            and (JC_10: ge_int(offset_max(intP_t_1_4_alloc_table, t_1), j)))))) }
  (init:
  try
   begin
     (let tmp = ref (any_int void) in
     begin
       (let _jessie_ =
       (tmp := ((safe_acc_ !intP_intM_t_1_4) ((shift t_1) i))) in void);
      (let _jessie_ =
      (let _jessie_ = ((safe_acc_ !intP_intM_t_1_4) ((shift t_1) j)) in
      (let _jessie_ = t_1 in
      (let _jessie_ = i in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ intP_intM_t_1_4) _jessie_) _jessie_))))) in void);
      (let _jessie_ =
      (let _jessie_ = !tmp in
      (let _jessie_ = t_1 in
      (let _jessie_ = j in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ intP_intM_t_1_4) _jessie_) _jessie_))))) in void);
      (raise Return) end); (raise Return) end with Return -> void end)
  { (JC_15:
    ((JC_13: Swap(t_1, i, j, intP_intM_t_1_4, intP_intM_t_1_4@))
    and (JC_14:
        not_assigns(intP_t_1_4_alloc_table, intP_intM_t_1_4@,
        intP_intM_t_1_4,
        pset_union(pset_range(pset_singleton(t_1), j, j),
        pset_range(pset_singleton(t_1), i, i)))))) }

let swap_safety =
 fun (t_1 : intP pointer) (i : int) (j : int) (intP_intM_t_1_4 : (intP, int) memory ref) (intP_t_1_4_alloc_table : intP alloc_table) ->
  { (JC_11:
    ((JC_7: le_int(offset_min(intP_t_1_4_alloc_table, t_1), i))
    and ((JC_8: ge_int(offset_max(intP_t_1_4_alloc_table, t_1), i))
        and ((JC_9: le_int(offset_min(intP_t_1_4_alloc_table, t_1), j))
            and (JC_10: ge_int(offset_max(intP_t_1_4_alloc_table, t_1), j)))))) }
  (init:
  try
   begin
     (let tmp = ref (any_int void) in
     begin
       (let _jessie_ =
       (tmp := (JC_21:
               ((((offset_acc_ intP_t_1_4_alloc_table) !intP_intM_t_1_4) t_1) i))) in
       void);
      (let _jessie_ =
      (let _jessie_ =
      (JC_22:
      ((((offset_acc_ intP_t_1_4_alloc_table) !intP_intM_t_1_4) t_1) j)) in
      (let _jessie_ = t_1 in
      (let _jessie_ = i in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_23:
      (((((offset_upd_ intP_t_1_4_alloc_table) intP_intM_t_1_4) _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (let _jessie_ = !tmp in
      (let _jessie_ = t_1 in
      (let _jessie_ = j in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_24:
      (((((offset_upd_ intP_t_1_4_alloc_table) intP_intM_t_1_4) _jessie_) _jessie_) _jessie_)))))) in
      void); (raise Return) end); (raise Return) end with Return -> void end)
  { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/quick_sort.why
========== file tests/c/quick_sort.jessie/why/quick_sort_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type intP

type padding

type unsigned_charP

type voidP

predicate Swap(a: intP pointer, i_1: int, j_0: int,
  intP_intM_a_1_at_L2: (intP, int) memory, intP_intM_a_1_at_L1: (intP,
  int) memory) =
  ((select(intP_intM_a_1_at_L1, shift(a, i_1)) = select(intP_intM_a_1_at_L2,
   shift(a, j_0))) and
   ((select(intP_intM_a_1_at_L1, shift(a, j_0)) = select(intP_intM_a_1_at_L2,
    shift(a, i_1))) and
    (forall k:int.
      (((k <> i_1) and (k <> j_0)) -> (select(intP_intM_a_1_at_L1, shift(a,
       k)) = select(intP_intM_a_1_at_L2, shift(a, k)))))))

logic Permut : intP pointer, int, int, (intP, int) memory, (intP,
int) memory -> prop

axiom Permut_inversion:
  (forall aux_1:intP pointer.
    (forall aux_2:int.
      (forall aux_3:int.
        (forall aux_4:(intP, int) memory.
          (forall aux_5:(intP, int) memory [Permut(aux_1, aux_2, aux_3,
            aux_4, aux_5)].
            (Permut(aux_1, aux_2, aux_3, aux_4, aux_5) ->
             ((exists intP_intM_a_0_2_at_L:(intP, int) memory.
                (exists a_1:intP pointer.
                  (exists l_0_0:int.
                    (exists h_0:int.
                      ((aux_1 = a_1) and
                       ((aux_2 = l_0_0) and
                        ((aux_3 = h_0) and
                         ((aux_4 = intP_intM_a_0_2_at_L) and
                          (aux_5 = intP_intM_a_0_2_at_L))))))))) or
              ((exists intP_intM_a_0_2_at_L2:(intP, int) memory.
                 (exists intP_intM_a_0_2_at_L1:(intP, int) memory.
                   (exists a_2:intP pointer.
                     (exists l_1:int.
                       (exists h_1:int.
                         (Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L2,
                          intP_intM_a_0_2_at_L1) and
                          ((aux_1 = a_2) and
                           ((aux_2 = l_1) and
                            ((aux_3 = h_1) and
                             ((aux_4 = intP_intM_a_0_2_at_L1) and
                              (aux_5 = intP_intM_a_0_2_at_L2))))))))))) or
               ((exists intP_intM_a_0_2_at_L3:(intP, int) memory.
                  (exists intP_intM_a_0_2_at_L2:(intP, int) memory.
                    (exists intP_intM_a_0_2_at_L1:(intP, int) memory.
                      (exists a_3:intP pointer.
                        (exists l_2:int.
                          (exists h_2:int.
                            ((Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L2,
                              intP_intM_a_0_2_at_L1) and Permut(a_3, l_2,
                              h_2, intP_intM_a_0_2_at_L3,
                              intP_intM_a_0_2_at_L2)) and
                             ((aux_1 = a_3) and
                              ((aux_2 = l_2) and
                               ((aux_3 = h_2) and
                                ((aux_4 = intP_intM_a_0_2_at_L3) and
                                 (aux_5 = intP_intM_a_0_2_at_L1)))))))))))) or
                (exists intP_intM_a_0_2_at_L2:(intP, int) memory.
                  (exists intP_intM_a_0_2_at_L1:(intP, int) memory.
                    (exists a_4:intP pointer.
                      (exists l_3:int.
                        (exists h_3:int.
                          (exists i_2:int.
                            (exists j_1:int.
                              (((l_3 <= i_2) and
                                ((i_2 <= h_3) and
                                 ((l_3 <= j_1) and
                                  ((j_1 <= h_3) and Swap(a_4, i_2, j_1,
                                   intP_intM_a_0_2_at_L2,
                                   intP_intM_a_0_2_at_L1))))) and
                               ((aux_1 = a_4) and
                                ((aux_2 = l_3) and
                                 ((aux_3 = h_3) and
                                  ((aux_4 = intP_intM_a_0_2_at_L2) and
                                   (aux_5 = intP_intM_a_0_2_at_L1))))))))))))))))))))))

axiom Permut_refl:
  (forall intP_intM_a_0_2_at_L:(intP, int) memory.
    (forall a_1:intP pointer.
      (forall l_0_0:int.
        (forall h_0:int. Permut(a_1, l_0_0, h_0, intP_intM_a_0_2_at_L,
          intP_intM_a_0_2_at_L)))))

axiom Permut_sym:
  (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
    (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
      (forall a_2:intP pointer.
        (forall l_1:int.
          (forall h_1:int.
            (Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L2,
             intP_intM_a_0_2_at_L1) -> Permut(a_2, l_1, h_1,
             intP_intM_a_0_2_at_L1, intP_intM_a_0_2_at_L2)))))))

axiom Permut_trans:
  (forall intP_intM_a_0_2_at_L3:(intP, int) memory.
    (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
      (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
        (forall a_3:intP pointer.
          (forall l_2:int.
            (forall h_2:int.
              ((Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L2,
                intP_intM_a_0_2_at_L1) and Permut(a_3, l_2, h_2,
                intP_intM_a_0_2_at_L3, intP_intM_a_0_2_at_L2)) ->
               Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
               intP_intM_a_0_2_at_L1))))))))

axiom Permut_swap:
  (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
    (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
      (forall a_4:intP pointer.
        (forall l_3:int.
          (forall h_3:int.
            (forall i_2:int.
              (forall j_1:int.
                (((l_3 <= i_2) and
                  ((i_2 <= h_3) and
                   ((l_3 <= j_1) and
                    ((j_1 <= h_3) and Swap(a_4, i_2, j_1,
                     intP_intM_a_0_2_at_L2, intP_intM_a_0_2_at_L1))))) ->
                 Permut(a_4, l_3, h_3, intP_intM_a_0_2_at_L2,
                 intP_intM_a_0_2_at_L1)))))))))

predicate Sorted(a_5: intP pointer, l_4: int, h_4: int,
  intP_intM_a_5_3_at_L: (intP, int) memory) =
  (forall i_3:int.
    (forall j_2:int.
      (((l_4 <= i_3) and ((i_3 <= j_2) and (j_2 < h_4))) ->
       (select(intP_intM_a_5_3_at_L, shift(a_5,
       i_3)) <= select(intP_intM_a_5_3_at_L, shift(a_5, j_2))))))

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic intP_tag : intP tag_id

axiom intP_int: (int_of_tag(intP_tag) = 1)

logic intP_of_pointer_address : unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr:
  (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom: parenttag(intP_tag, bottom_tag)

axiom intP_tags:
  (forall x:intP pointer.
    (forall intP_tag_table:intP tag_table. instanceof(intP_tag_table, x,
      intP_tag)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_intP(p: intP pointer, a: int,
  intP_alloc_table: intP alloc_table) = (offset_min(intP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_intP(p: intP pointer, b: int,
  intP_alloc_table: intP alloc_table) = (offset_max(intP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal quick_rec_ensures_default_po_1:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 >= r) ->
  ("JC_34": not_assigns(intP_t_5_alloc_table, intP_intM_t_5, intP_intM_t_5,
  pset_range(pset_singleton(t), l_0, r)))

goal quick_rec_ensures_default_po_2:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  ("JC_74": ("JC_70": (select(intP_intM_t_5, shift(t, l_0)) = v)))

goal quick_rec_ensures_default_po_3:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  ("JC_74": ("JC_71": (l_0 <= m)))

goal quick_rec_ensures_default_po_4:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  ("JC_74": ("JC_72": (m < i_0)))

goal quick_rec_ensures_default_po_5:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  ("JC_74": ("JC_73": (i_0 <= (r + 1))))

goal quick_rec_ensures_default_po_6:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  ("JC_75": Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5))

goal quick_rec_ensures_default_po_7:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall j_4:int.
  ((m < j_4) and (j_4 < i_0)) ->
  ("JC_76": (select(intP_intM_t_5, shift(t, j_4)) >= v))

goal quick_rec_ensures_default_po_8:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall j_3:int.
  ((l_0 < j_3) and (j_3 <= m)) ->
  ("JC_77": (select(intP_intM_t_5, shift(t, j_3)) < v))

goal quick_rec_ensures_default_po_9:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5, intP_intM_t_5,
  pset_range(pset_singleton(t), l_0, r)))

goal quick_rec_ensures_default_po_10:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, m1, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m1, m1),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_82": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0))

goal quick_rec_ensures_default_po_11:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, m1, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m1, m1),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_82": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_74": ("JC_70": (select(intP_intM_t_5_1, shift(t, l_0)) = v)))

goal quick_rec_ensures_default_po_12:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, m1, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m1, m1),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_82": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_74": ("JC_71": (l_0 <= m1)))

goal quick_rec_ensures_default_po_13:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, m1, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m1, m1),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_82": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_74": ("JC_72": (m1 < i_0_1)))

goal quick_rec_ensures_default_po_14:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, m1, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m1, m1),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_82": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_74": ("JC_73": (i_0_1 <= (r + 1))))

goal quick_rec_ensures_default_po_15:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, m1, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m1, m1),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_82": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_75": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5))

goal quick_rec_ensures_default_po_16:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, m1, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m1, m1),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_82": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  forall j_4:int.
  ((m1 < j_4) and (j_4 < i_0_1)) ->
  ("JC_76": (select(intP_intM_t_5_1, shift(t, j_4)) >= v))

goal quick_rec_ensures_default_po_17:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, m1, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m1, m1),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_82": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  forall j_3:int.
  ((l_0 < j_3) and (j_3 <= m1)) ->
  ("JC_77": (select(intP_intM_t_5_1, shift(t, j_3)) < v))

goal quick_rec_ensures_default_po_18:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, m1, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m1, m1),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_82": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5, intP_intM_t_5_1,
  pset_range(pset_singleton(t), l_0, r)))

goal quick_rec_ensures_default_po_19:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 >= v) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_74": ("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)))

goal quick_rec_ensures_default_po_20:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 >= v) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_74": ("JC_71": (l_0 <= m0)))

goal quick_rec_ensures_default_po_21:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 >= v) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_74": ("JC_72": (m0 < i_0_1)))

goal quick_rec_ensures_default_po_22:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 >= v) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_74": ("JC_73": (i_0_1 <= (r + 1))))

goal quick_rec_ensures_default_po_23:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 >= v) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5))

goal quick_rec_ensures_default_po_24:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 >= v) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  forall j_4:int.
  ((m0 < j_4) and (j_4 < i_0_1)) ->
  ("JC_76": (select(intP_intM_t_5_0, shift(t, j_4)) >= v))

goal quick_rec_ensures_default_po_25:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 <= r) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 >= v) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  forall j_3:int.
  ((l_0 < j_3) and (j_3 <= m0)) ->
  ("JC_77": (select(intP_intM_t_5_0, shift(t, j_3)) < v))

goal quick_rec_ensures_default_po_26:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 > r) ->
  ("JC_83": (l_0 <= m0))

goal quick_rec_ensures_default_po_27:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 > r) ->
  ("JC_83": (m0 <= r))

goal quick_rec_ensures_default_po_28:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 > r) ->
  ("JC_83": ((l_0 <= m0) and (m0 <= r))) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, l_0, m0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m0, m0),
   pset_range(pset_singleton(t), l_0, l_0)))))) ->
  ("JC_85": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0))

goal quick_rec_ensures_default_po_29:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ((("JC_74":
    (("JC_70": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
     (("JC_71": (l_0 <= m0)) and
      (("JC_72": (m0 < i_0_0)) and ("JC_73": (i_0_0 <= (r + 1))))))) and
    (("JC_75": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
     (("JC_76":
      (forall j_4:int.
        (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
         j_4)) >= v)))) and
      ("JC_77":
      (forall j_3:int.
        (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
         j_3)) < v))))))) and
   ("JC_79": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_range(pset_singleton(t), l_0, r)))) ->
  (i_0_0 > r) ->
  ("JC_83": ((l_0 <= m0) and (m0 <= r))) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, l_0, m0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m0, m0),
   pset_range(pset_singleton(t), l_0, l_0)))))) ->
  ("JC_85": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall intP_intM_t_5_2:(intP,
  int) memory.
  (("JC_42": Permut(t, l_0, (m0 - 1), intP_intM_t_5_2, intP_intM_t_5_1)) and
   (("JC_40": Sorted(t, l_0, ((m0 - 1) + 1), intP_intM_t_5_2)) and
    ("JC_36": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_1,
    intP_intM_t_5_2, pset_range(pset_singleton(t), l_0, (m0 - 1)))))) ->
  forall intP_intM_t_5_3:(intP,
  int) memory.
  (("JC_42": Permut(t, (m0 + 1), r, intP_intM_t_5_3, intP_intM_t_5_2)) and
   (("JC_40": Sorted(t, (m0 + 1), (r + 1), intP_intM_t_5_3)) and
    ("JC_36": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_2,
    intP_intM_t_5_3, pset_range(pset_singleton(t), (m0 + 1), r))))) ->
  ("JC_34": not_assigns(intP_t_5_alloc_table, intP_intM_t_5, intP_intM_t_5_3,
  pset_range(pset_singleton(t), l_0, r)))

goal quick_rec_ensures_permutation_po_1:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 >= r) ->
  ("JC_41": Permut(t, l_0, r, intP_intM_t_5, intP_intM_t_5))

goal quick_rec_ensures_permutation_po_2:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_115": true) ->
  (("JC_110":
   (("JC_106": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_107": (l_0 <= m0)) and
     (("JC_108": (m0 < i_0_0)) and ("JC_109": (i_0_0 <= (r + 1))))))) and
   (("JC_111": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_112":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_113":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 > r) ->
  ("JC_119": ((l_0 <= m0) and (m0 <= r))) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, l_0, m0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m0, m0),
   pset_range(pset_singleton(t), l_0, l_0)))))) ->
  ("JC_121": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall intP_intM_t_5_2:(intP,
  int) memory.
  (("JC_42": Permut(t, l_0, (m0 - 1), intP_intM_t_5_2, intP_intM_t_5_1)) and
   (("JC_40": Sorted(t, l_0, ((m0 - 1) + 1), intP_intM_t_5_2)) and
    ("JC_36": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_1,
    intP_intM_t_5_2, pset_range(pset_singleton(t), l_0, (m0 - 1)))))) ->
  forall intP_intM_t_5_3:(intP,
  int) memory.
  (("JC_42": Permut(t, (m0 + 1), r, intP_intM_t_5_3, intP_intM_t_5_2)) and
   (("JC_40": Sorted(t, (m0 + 1), (r + 1), intP_intM_t_5_3)) and
    ("JC_36": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_2,
    intP_intM_t_5_3, pset_range(pset_singleton(t), (m0 + 1), r))))) ->
  ("JC_41": Permut(t, l_0, r, intP_intM_t_5_3, intP_intM_t_5))

goal quick_rec_ensures_sorted_po_1:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 >= r) ->
  ("JC_39": Sorted(t, l_0, (r + 1), intP_intM_t_5))

goal quick_rec_ensures_sorted_po_2:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_97": true) ->
  (("JC_92":
   (("JC_88": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_89": (l_0 <= m0)) and
     (("JC_90": (m0 < i_0_0)) and ("JC_91": (i_0_0 <= (r + 1))))))) and
   (("JC_93": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_94":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_95":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 > r) ->
  ("JC_101": ((l_0 <= m0) and (m0 <= r))) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, l_0, m0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m0, m0),
   pset_range(pset_singleton(t), l_0, l_0)))))) ->
  ("JC_103": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall intP_intM_t_5_2:(intP,
  int) memory.
  (("JC_42": Permut(t, l_0, (m0 - 1), intP_intM_t_5_2, intP_intM_t_5_1)) and
   (("JC_40": Sorted(t, l_0, ((m0 - 1) + 1), intP_intM_t_5_2)) and
    ("JC_36": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_1,
    intP_intM_t_5_2, pset_range(pset_singleton(t), l_0, (m0 - 1)))))) ->
  forall intP_intM_t_5_3:(intP,
  int) memory.
  (("JC_42": Permut(t, (m0 + 1), r, intP_intM_t_5_3, intP_intM_t_5_2)) and
   (("JC_40": Sorted(t, (m0 + 1), (r + 1), intP_intM_t_5_3)) and
    ("JC_36": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_2,
    intP_intM_t_5_3, pset_range(pset_singleton(t), (m0 + 1), r))))) ->
  ("JC_39": Sorted(t, l_0, (r + 1), intP_intM_t_5_3))

goal quick_rec_safety_po_1:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  (l_0 <= offset_max(intP_t_5_alloc_table, t))

goal quick_rec_safety_po_2:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 <= r) ->
  (offset_min(intP_t_5_alloc_table, t) <= i_0_0)

goal quick_rec_safety_po_3:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 <= r) ->
  (i_0_0 <= offset_max(intP_t_5_alloc_table, t))

goal quick_rec_safety_po_4:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 <= r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  ("JC_5": ("JC_2": (offset_max(intP_t_5_alloc_table, t) >= i_0_0)))

goal quick_rec_safety_po_5:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 <= r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  ("JC_5": ("JC_3": (offset_min(intP_t_5_alloc_table, t) <= m1)))

goal quick_rec_safety_po_6:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 <= r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  ("JC_5": ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= m1)))

goal quick_rec_safety_po_7:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 <= r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  ("JC_5":
  (("JC_1": (offset_min(intP_t_5_alloc_table, t) <= i_0_0)) and
   (("JC_2": (offset_max(intP_t_5_alloc_table, t) >= i_0_0)) and
    (("JC_3": (offset_min(intP_t_5_alloc_table, t) <= m1)) and
     ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= m1)))))) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, m1, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m1, m1),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_57": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  (0 <= ("JC_58": (r - i_0_0)))

goal quick_rec_safety_po_8:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 <= r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 < v) ->
  forall m1:int.
  (m1 = (m0 + 1)) ->
  ("JC_5":
  (("JC_1": (offset_min(intP_t_5_alloc_table, t) <= i_0_0)) and
   (("JC_2": (offset_max(intP_t_5_alloc_table, t) >= i_0_0)) and
    (("JC_3": (offset_min(intP_t_5_alloc_table, t) <= m1)) and
     ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= m1)))))) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, m1, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m1, m1),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_57": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  (("JC_58": (r - i_0_1)) < ("JC_58": (r - i_0_0)))

goal quick_rec_safety_po_9:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 <= r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 >= v) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  (0 <= ("JC_58": (r - i_0_0)))

goal quick_rec_safety_po_10:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 <= r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  (result0 >= v) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  (("JC_58": (r - i_0_1)) < ("JC_58": (r - i_0_0)))

goal quick_rec_safety_po_11:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 > r) ->
  ("JC_59": ((l_0 <= m0) and (m0 <= r))) ->
  ("JC_5": ("JC_2": (offset_max(intP_t_5_alloc_table, t) >= l_0)))

goal quick_rec_safety_po_12:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 > r) ->
  ("JC_59": ((l_0 <= m0) and (m0 <= r))) ->
  ("JC_5": ("JC_3": (offset_min(intP_t_5_alloc_table, t) <= m0)))

goal quick_rec_safety_po_13:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 > r) ->
  ("JC_59": ((l_0 <= m0) and (m0 <= r))) ->
  ("JC_5": ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= m0)))

goal quick_rec_safety_po_14:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 > r) ->
  ("JC_59": ((l_0 <= m0) and (m0 <= r))) ->
  ("JC_5":
  (("JC_1": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   (("JC_2": (offset_max(intP_t_5_alloc_table, t) >= l_0)) and
    (("JC_3": (offset_min(intP_t_5_alloc_table, t) <= m0)) and
     ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= m0)))))) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, l_0, m0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m0, m0),
   pset_range(pset_singleton(t), l_0, l_0)))))) ->
  ("JC_61": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  (0 <= ("JC_63": (r - l_0)))

goal quick_rec_safety_po_15:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 > r) ->
  ("JC_59": ((l_0 <= m0) and (m0 <= r))) ->
  ("JC_5":
  (("JC_1": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   (("JC_2": (offset_max(intP_t_5_alloc_table, t) >= l_0)) and
    (("JC_3": (offset_min(intP_t_5_alloc_table, t) <= m0)) and
     ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= m0)))))) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, l_0, m0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m0, m0),
   pset_range(pset_singleton(t), l_0, l_0)))))) ->
  ("JC_61": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  (("JC_64": ((m0 - 1) - l_0)) < ("JC_63": (r - l_0)))

goal quick_rec_safety_po_16:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 > r) ->
  ("JC_59": ((l_0 <= m0) and (m0 <= r))) ->
  ("JC_5":
  (("JC_1": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   (("JC_2": (offset_max(intP_t_5_alloc_table, t) >= l_0)) and
    (("JC_3": (offset_min(intP_t_5_alloc_table, t) <= m0)) and
     ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= m0)))))) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, l_0, m0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m0, m0),
   pset_range(pset_singleton(t), l_0, l_0)))))) ->
  ("JC_61": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  ("JC_27": ("JC_26": (offset_max(intP_t_5_alloc_table, t) >= (m0 - 1))))

goal quick_rec_safety_po_17:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 > r) ->
  ("JC_59": ((l_0 <= m0) and (m0 <= r))) ->
  ("JC_5":
  (("JC_1": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   (("JC_2": (offset_max(intP_t_5_alloc_table, t) >= l_0)) and
    (("JC_3": (offset_min(intP_t_5_alloc_table, t) <= m0)) and
     ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= m0)))))) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, l_0, m0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m0, m0),
   pset_range(pset_singleton(t), l_0, l_0)))))) ->
  ("JC_61": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  ("JC_27":
  (("JC_25": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_26": (offset_max(intP_t_5_alloc_table, t) >= (m0 - 1))))) ->
  forall intP_intM_t_5_2:(intP,
  int) memory.
  (("JC_42": Permut(t, l_0, (m0 - 1), intP_intM_t_5_2, intP_intM_t_5_1)) and
   (("JC_40": Sorted(t, l_0, ((m0 - 1) + 1), intP_intM_t_5_2)) and
    ("JC_36": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_1,
    intP_intM_t_5_2, pset_range(pset_singleton(t), l_0, (m0 - 1)))))) ->
  (0 <= ("JC_67": (r - l_0)))

goal quick_rec_safety_po_18:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 > r) ->
  ("JC_59": ((l_0 <= m0) and (m0 <= r))) ->
  ("JC_5":
  (("JC_1": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   (("JC_2": (offset_max(intP_t_5_alloc_table, t) >= l_0)) and
    (("JC_3": (offset_min(intP_t_5_alloc_table, t) <= m0)) and
     ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= m0)))))) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, l_0, m0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m0, m0),
   pset_range(pset_singleton(t), l_0, l_0)))))) ->
  ("JC_61": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  ("JC_27":
  (("JC_25": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_26": (offset_max(intP_t_5_alloc_table, t) >= (m0 - 1))))) ->
  forall intP_intM_t_5_2:(intP,
  int) memory.
  (("JC_42": Permut(t, l_0, (m0 - 1), intP_intM_t_5_2, intP_intM_t_5_1)) and
   (("JC_40": Sorted(t, l_0, ((m0 - 1) + 1), intP_intM_t_5_2)) and
    ("JC_36": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_1,
    intP_intM_t_5_2, pset_range(pset_singleton(t), l_0, (m0 - 1)))))) ->
  (("JC_68": (r - (m0 + 1))) < ("JC_67": (r - l_0)))

goal quick_rec_safety_po_19:
  forall t:intP pointer.
  forall l_0:int.
  forall r:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= r)))) ->
  (l_0 < r) ->
  ((offset_min(intP_t_5_alloc_table, t) <= l_0) and
   (l_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, l_0))) ->
  forall v:int.
  (v = result) ->
  forall m:int.
  (m = l_0) ->
  forall i_0:int.
  (i_0 = (l_0 + 1)) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  forall m0:int.
  ("JC_53": true) ->
  (("JC_48":
   (("JC_44": (select(intP_intM_t_5_0, shift(t, l_0)) = v)) and
    (("JC_45": (l_0 <= m0)) and
     (("JC_46": (m0 < i_0_0)) and ("JC_47": (i_0_0 <= (r + 1))))))) and
   (("JC_49": Permut(t, l_0, r, intP_intM_t_5_0, intP_intM_t_5)) and
    (("JC_50":
     (forall j_4:int.
       (((m0 < j_4) and (j_4 < i_0_0)) -> (select(intP_intM_t_5_0, shift(t,
        j_4)) >= v)))) and
     ("JC_51":
     (forall j_3:int.
       (((l_0 < j_3) and (j_3 <= m0)) -> (select(intP_intM_t_5_0, shift(t,
        j_3)) < v))))))) ->
  (i_0_0 > r) ->
  ("JC_59": ((l_0 <= m0) and (m0 <= r))) ->
  ("JC_5":
  (("JC_1": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   (("JC_2": (offset_max(intP_t_5_alloc_table, t) >= l_0)) and
    (("JC_3": (offset_min(intP_t_5_alloc_table, t) <= m0)) and
     ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= m0)))))) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, l_0, m0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), m0, m0),
   pset_range(pset_singleton(t), l_0, l_0)))))) ->
  ("JC_61": Permut(t, l_0, r, intP_intM_t_5_1, intP_intM_t_5_0)) ->
  ("JC_27":
  (("JC_25": (offset_min(intP_t_5_alloc_table, t) <= l_0)) and
   ("JC_26": (offset_max(intP_t_5_alloc_table, t) >= (m0 - 1))))) ->
  forall intP_intM_t_5_2:(intP,
  int) memory.
  (("JC_42": Permut(t, l_0, (m0 - 1), intP_intM_t_5_2, intP_intM_t_5_1)) and
   (("JC_40": Sorted(t, l_0, ((m0 - 1) + 1), intP_intM_t_5_2)) and
    ("JC_36": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_1,
    intP_intM_t_5_2, pset_range(pset_singleton(t), l_0, (m0 - 1)))))) ->
  ("JC_27": ("JC_25": (offset_min(intP_t_5_alloc_table, t) <= (m0 + 1))))

goal quick_sort_ensures_sorted_po_1:
  forall t_0:intP pointer.
  forall n_1:int.
  forall intP_t_0_6_alloc_table:intP alloc_table.
  forall intP_intM_t_0_6:(intP,
  int) memory.
  ("JC_130":
  (("JC_128": (offset_min(intP_t_0_6_alloc_table, t_0) <= 0)) and
   ("JC_129": (offset_max(intP_t_0_6_alloc_table, t_0) >= (n_1 - 1))))) ->
  forall intP_intM_t_0_6_0:(intP,
  int) memory.
  (("JC_42": Permut(t_0, 0, (n_1 - 1), intP_intM_t_0_6_0, intP_intM_t_0_6)) and
   (("JC_40": Sorted(t_0, 0, ((n_1 - 1) + 1), intP_intM_t_0_6_0)) and
    ("JC_36": not_assigns(intP_t_0_6_alloc_table, intP_intM_t_0_6,
    intP_intM_t_0_6_0, pset_range(pset_singleton(t_0), 0, (n_1 - 1)))))) ->
  ("JC_136": Sorted(t_0, 0, n_1, intP_intM_t_0_6_0))

goal swap_ensures_default_po_1:
  forall t_1:intP pointer.
  forall i:int.
  forall j:int.
  forall intP_t_1_4_alloc_table:intP alloc_table.
  forall intP_intM_t_1_4:(intP,
  int) memory.
  ("JC_11":
  (("JC_7": (offset_min(intP_t_1_4_alloc_table, t_1) <= i)) and
   (("JC_8": (offset_max(intP_t_1_4_alloc_table, t_1) >= i)) and
    (("JC_9": (offset_min(intP_t_1_4_alloc_table, t_1) <= j)) and
     ("JC_10": (offset_max(intP_t_1_4_alloc_table, t_1) >= j)))))) ->
  forall result:int.
  (result = select(intP_intM_t_1_4, shift(t_1, i))) ->
  forall tmp:int.
  (tmp = result) ->
  forall result0:int.
  (result0 = select(intP_intM_t_1_4, shift(t_1, j))) ->
  forall intP_intM_t_1_4_0:(intP,
  int) memory.
  (intP_intM_t_1_4_0 = store(intP_intM_t_1_4, shift(t_1, i), result0)) ->
  forall intP_intM_t_1_4_1:(intP,
  int) memory.
  (intP_intM_t_1_4_1 = store(intP_intM_t_1_4_0, shift(t_1, j), tmp)) ->
  ("JC_15": ("JC_13": Swap(t_1, i, j, intP_intM_t_1_4_1, intP_intM_t_1_4)))

goal swap_ensures_default_po_2:
  forall t_1:intP pointer.
  forall i:int.
  forall j:int.
  forall intP_t_1_4_alloc_table:intP alloc_table.
  forall intP_intM_t_1_4:(intP,
  int) memory.
  ("JC_11":
  (("JC_7": (offset_min(intP_t_1_4_alloc_table, t_1) <= i)) and
   (("JC_8": (offset_max(intP_t_1_4_alloc_table, t_1) >= i)) and
    (("JC_9": (offset_min(intP_t_1_4_alloc_table, t_1) <= j)) and
     ("JC_10": (offset_max(intP_t_1_4_alloc_table, t_1) >= j)))))) ->
  forall result:int.
  (result = select(intP_intM_t_1_4, shift(t_1, i))) ->
  forall tmp:int.
  (tmp = result) ->
  forall result0:int.
  (result0 = select(intP_intM_t_1_4, shift(t_1, j))) ->
  forall intP_intM_t_1_4_0:(intP,
  int) memory.
  (intP_intM_t_1_4_0 = store(intP_intM_t_1_4, shift(t_1, i), result0)) ->
  forall intP_intM_t_1_4_1:(intP,
  int) memory.
  (intP_intM_t_1_4_1 = store(intP_intM_t_1_4_0, shift(t_1, j), tmp)) ->
  ("JC_15":
  ("JC_14": not_assigns(intP_t_1_4_alloc_table, intP_intM_t_1_4,
  intP_intM_t_1_4_1, pset_union(pset_range(pset_singleton(t_1), j, j),
  pset_range(pset_singleton(t_1), i, i)))))

goal swap_safety_po_1:
  forall t_1:intP pointer.
  forall i:int.
  forall j:int.
  forall intP_t_1_4_alloc_table:intP alloc_table.
  ("JC_11":
  (("JC_7": (offset_min(intP_t_1_4_alloc_table, t_1) <= i)) and
   (("JC_8": (offset_max(intP_t_1_4_alloc_table, t_1) >= i)) and
    (("JC_9": (offset_min(intP_t_1_4_alloc_table, t_1) <= j)) and
     ("JC_10": (offset_max(intP_t_1_4_alloc_table, t_1) >= j)))))) ->
  (i <= offset_max(intP_t_1_4_alloc_table, t_1))

goal swap_safety_po_2:
  forall t_1:intP pointer.
  forall i:int.
  forall j:int.
  forall intP_t_1_4_alloc_table:intP alloc_table.
  forall intP_intM_t_1_4:(intP,
  int) memory.
  ("JC_11":
  (("JC_7": (offset_min(intP_t_1_4_alloc_table, t_1) <= i)) and
   (("JC_8": (offset_max(intP_t_1_4_alloc_table, t_1) >= i)) and
    (("JC_9": (offset_min(intP_t_1_4_alloc_table, t_1) <= j)) and
     ("JC_10": (offset_max(intP_t_1_4_alloc_table, t_1) >= j)))))) ->
  ((offset_min(intP_t_1_4_alloc_table, t_1) <= i) and
   (i <= offset_max(intP_t_1_4_alloc_table, t_1))) ->
  forall result:int.
  (result = select(intP_intM_t_1_4, shift(t_1, i))) ->
  forall tmp:int.
  (tmp = result) ->
  (offset_min(intP_t_1_4_alloc_table, t_1) <= j)

goal swap_safety_po_3:
  forall t_1:intP pointer.
  forall i:int.
  forall j:int.
  forall intP_t_1_4_alloc_table:intP alloc_table.
  forall intP_intM_t_1_4:(intP,
  int) memory.
  ("JC_11":
  (("JC_7": (offset_min(intP_t_1_4_alloc_table, t_1) <= i)) and
   (("JC_8": (offset_max(intP_t_1_4_alloc_table, t_1) >= i)) and
    (("JC_9": (offset_min(intP_t_1_4_alloc_table, t_1) <= j)) and
     ("JC_10": (offset_max(intP_t_1_4_alloc_table, t_1) >= j)))))) ->
  ((offset_min(intP_t_1_4_alloc_table, t_1) <= i) and
   (i <= offset_max(intP_t_1_4_alloc_table, t_1))) ->
  forall result:int.
  (result = select(intP_intM_t_1_4, shift(t_1, i))) ->
  forall tmp:int.
  (tmp = result) ->
  (j <= offset_max(intP_t_1_4_alloc_table, t_1))

// RUNSIMPLIFY: will ask regtests to run Simplify on this program
========== generation of Simplify VC output ==========
why -simplify [...] why/quick_sort.why
========== file tests/c/quick_sort.jessie/simplify/quick_sort_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(DEFPRED (Swap a i_1 j_0 intP_intM_a_1_at_L2 intP_intM_a_1_at_L1)
  (AND
  (EQ (select intP_intM_a_1_at_L1 (shift a i_1))
  (select intP_intM_a_1_at_L2 (shift a j_0)))
  (AND
  (EQ (select intP_intM_a_1_at_L1 (shift a j_0))
  (select intP_intM_a_1_at_L2 (shift a i_1)))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i_1) (NEQ k j_0))
  (EQ (select intP_intM_a_1_at_L1 (shift a k))
  (select intP_intM_a_1_at_L2 (shift a k))))))))

(BG_PUSH
 ;; Why axiom Permut_inversion
 (FORALL (aux_1 aux_2 aux_3 aux_4 aux_5)
 (IMPLIES (EQ (Permut aux_1 aux_2 aux_3 aux_4 aux_5) |@true|)
 (OR
 (EXISTS (intP_intM_a_0_2_at_L)
 (EXISTS (a_1)
 (EXISTS (l_0_0)
 (EXISTS (h_0)
 (AND (EQ aux_1 a_1)
 (AND (EQ aux_2 l_0_0)
 (AND (EQ aux_3 h_0)
 (AND (EQ aux_4 intP_intM_a_0_2_at_L) (EQ aux_5 intP_intM_a_0_2_at_L)))))))))
 (OR
 (EXISTS (intP_intM_a_0_2_at_L2)
 (EXISTS (intP_intM_a_0_2_at_L1)
 (EXISTS (a_2)
 (EXISTS (l_1)
 (EXISTS (h_1)
 (AND
 (EQ (Permut
 a_2 l_1 h_1 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|)
 (AND (EQ aux_1 a_2)
 (AND (EQ aux_2 l_1)
 (AND (EQ aux_3 h_1)
 (AND (EQ aux_4 intP_intM_a_0_2_at_L1) (EQ aux_5 intP_intM_a_0_2_at_L2)))))))))))
 (OR
 (EXISTS (intP_intM_a_0_2_at_L3)
 (EXISTS (intP_intM_a_0_2_at_L2)
 (EXISTS (intP_intM_a_0_2_at_L1)
 (EXISTS (a_3)
 (EXISTS (l_2)
 (EXISTS (h_2)
 (AND
 (AND
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|)
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L3 intP_intM_a_0_2_at_L2) |@true|))
 (AND (EQ aux_1 a_3)
 (AND (EQ aux_2 l_2)
 (AND (EQ aux_3 h_2)
 (AND (EQ aux_4 intP_intM_a_0_2_at_L3) (EQ aux_5 intP_intM_a_0_2_at_L1))))))))))))
 (EXISTS (intP_intM_a_0_2_at_L2)
 (EXISTS (intP_intM_a_0_2_at_L1)
 (EXISTS (a_4)
 (EXISTS (l_3)
 (EXISTS (h_3)
 (EXISTS (i_2)
 (EXISTS (j_1)
 (AND
 (AND (<= l_3 i_2)
 (AND (<= i_2 h_3)
 (AND (<= l_3 j_1)
 (AND (<= j_1 h_3)
 (Swap a_4 i_2 j_1 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1)))))
 (AND (EQ aux_1 a_4)
 (AND (EQ aux_2 l_3)
 (AND (EQ aux_3 h_3)
 (AND (EQ aux_4 intP_intM_a_0_2_at_L2) (EQ aux_5 intP_intM_a_0_2_at_L1)))))))))))))))))))

(BG_PUSH
 ;; Why axiom Permut_refl
 (FORALL (intP_intM_a_0_2_at_L a_1 l_0_0 h_0)
 (EQ (Permut
 a_1 l_0_0 h_0 intP_intM_a_0_2_at_L intP_intM_a_0_2_at_L) |@true|)))

(BG_PUSH
 ;; Why axiom Permut_sym
 (FORALL (intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1 a_2 l_1 h_1)
 (IMPLIES
 (EQ (Permut
 a_2 l_1 h_1 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|)
 (EQ (Permut
 a_2 l_1 h_1 intP_intM_a_0_2_at_L1 intP_intM_a_0_2_at_L2) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_trans
 (FORALL (intP_intM_a_0_2_at_L3 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1 a_3 l_2 h_2)
 (IMPLIES
 (AND
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|)
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L3 intP_intM_a_0_2_at_L2) |@true|))
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L3 intP_intM_a_0_2_at_L1) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_swap
 (FORALL (intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1 a_4 l_3 h_3 i_2 j_1)
 (IMPLIES
 (AND (<= l_3 i_2)
 (AND (<= i_2 h_3)
 (AND (<= l_3 j_1)
 (AND (<= j_1 h_3)
 (Swap a_4 i_2 j_1 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1)))))
 (EQ (Permut
 a_4 l_3 h_3 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|))))

(DEFPRED (Sorted a_5 l_4 h_4 intP_intM_a_5_3_at_L)
  (FORALL (i_3 j_2)
  (IMPLIES (AND (<= l_4 i_3) (AND (<= i_3 j_2) (< j_2 h_4)))
  (<= (select intP_intM_a_5_3_at_L (shift a_5 i_3)) (select
                                                    intP_intM_a_5_3_at_L 
                                                    (shift a_5 j_2))))))

(BG_PUSH
 ;; Why axiom charP_int
 (EQ (int_of_tag charP_tag) 1))

(BG_PUSH
 ;; Why axiom charP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (charP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom charP_parenttag_bottom
 (EQ (parenttag charP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom charP_tags
 (FORALL (x charP_tag_table) (instanceof charP_tag_table x charP_tag)))

(BG_PUSH
 ;; Why axiom intP_int
 (EQ (int_of_tag intP_tag) 1))

(BG_PUSH
 ;; Why axiom intP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (intP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom intP_parenttag_bottom
 (EQ (parenttag intP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom intP_tags
 (FORALL (x intP_tag_table) (instanceof intP_tag_table x intP_tag)))

(DEFPRED (left_valid_struct_charP p a charP_alloc_table)
  (<= (offset_min charP_alloc_table p) a))

(DEFPRED (left_valid_struct_intP p a intP_alloc_table)
  (<= (offset_min intP_alloc_table p) a))

(DEFPRED (left_valid_struct_unsigned_charP p a unsigned_charP_alloc_table)
  (<= (offset_min unsigned_charP_alloc_table p) a))

(DEFPRED (left_valid_struct_voidP p a voidP_alloc_table)
  (<= (offset_min voidP_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_charP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (charP_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_intP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (intP_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_unsigned_charP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (unsigned_charP_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_voidP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (voidP_of_pointer_address p)))))

(DEFPRED (right_valid_struct_charP p b charP_alloc_table)
  (>= (offset_max charP_alloc_table p) b))

(DEFPRED (right_valid_struct_intP p b intP_alloc_table)
  (>= (offset_max intP_alloc_table p) b))

(DEFPRED (right_valid_struct_unsigned_charP p b unsigned_charP_alloc_table)
  (>= (offset_max unsigned_charP_alloc_table p) b))

(DEFPRED (right_valid_struct_voidP p b voidP_alloc_table)
  (>= (offset_max voidP_alloc_table p) b))

(DEFPRED (strict_valid_root_charP p a b charP_alloc_table)
  (AND (EQ (offset_min charP_alloc_table p) a)
  (EQ (offset_max charP_alloc_table p) b)))

(DEFPRED (strict_valid_root_intP p a b intP_alloc_table)
  (AND (EQ (offset_min intP_alloc_table p) a)
  (EQ (offset_max intP_alloc_table p) b)))

(DEFPRED (strict_valid_root_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (EQ (offset_min unsigned_charP_alloc_table p) a)
  (EQ (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (strict_valid_root_voidP p a b voidP_alloc_table)
  (AND (EQ (offset_min voidP_alloc_table p) a)
  (EQ (offset_max voidP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_charP p a b charP_alloc_table)
  (AND (EQ (offset_min charP_alloc_table p) a)
  (EQ (offset_max charP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_intP p a b intP_alloc_table)
  (AND (EQ (offset_min intP_alloc_table p) a)
  (EQ (offset_max intP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (EQ (offset_min unsigned_charP_alloc_table p) a)
  (EQ (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_voidP p a b voidP_alloc_table)
  (AND (EQ (offset_min voidP_alloc_table p) a)
  (EQ (offset_max voidP_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom unsigned_charP_int
 (EQ (int_of_tag unsigned_charP_tag) 1))

(BG_PUSH
 ;; Why axiom unsigned_charP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (unsigned_charP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom unsigned_charP_parenttag_bottom
 (EQ (parenttag unsigned_charP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom unsigned_charP_tags
 (FORALL (x unsigned_charP_tag_table)
 (instanceof unsigned_charP_tag_table x unsigned_charP_tag)))

(DEFPRED (valid_root_charP p a b charP_alloc_table)
  (AND (<= (offset_min charP_alloc_table p) a)
  (>= (offset_max charP_alloc_table p) b)))

(DEFPRED (valid_root_intP p a b intP_alloc_table)
  (AND (<= (offset_min intP_alloc_table p) a)
  (>= (offset_max intP_alloc_table p) b)))

(DEFPRED (valid_root_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (<= (offset_min unsigned_charP_alloc_table p) a)
  (>= (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (valid_root_voidP p a b voidP_alloc_table)
  (AND (<= (offset_min voidP_alloc_table p) a)
  (>= (offset_max voidP_alloc_table p) b)))

(DEFPRED (valid_struct_charP p a b charP_alloc_table)
  (AND (<= (offset_min charP_alloc_table p) a)
  (>= (offset_max charP_alloc_table p) b)))

(DEFPRED (valid_struct_intP p a b intP_alloc_table)
  (AND (<= (offset_min intP_alloc_table p) a)
  (>= (offset_max intP_alloc_table p) b)))

(DEFPRED (valid_struct_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (<= (offset_min unsigned_charP_alloc_table p) a)
  (>= (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (valid_struct_voidP p a b voidP_alloc_table)
  (AND (<= (offset_min voidP_alloc_table p) a)
  (>= (offset_max voidP_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom voidP_int
 (EQ (int_of_tag voidP_tag) 1))

(BG_PUSH
 ;; Why axiom voidP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (voidP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom voidP_parenttag_bottom
 (EQ (parenttag voidP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom voidP_tags
 (FORALL (x voidP_tag_table) (instanceof voidP_tag_table x voidP_tag)))

;; quick_rec_ensures_default_po_1, File "HOME/tests/c/quick_sort.c", line 57, characters 5-14
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (>= l_0 r)
(not_assigns
intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5 (pset_range
                                                 (pset_singleton t) l_0 r)))))))))

;; quick_rec_ensures_default_po_2, File "HOME/tests/c/quick_sort.c", line 68, characters 21-30
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1)) (EQ (select intP_intM_t_5 (shift t l_0)) v))))))))))))))))

;; quick_rec_ensures_default_po_3, File "HOME/tests/c/quick_sort.c", line 68, characters 34-40
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0) (FORALL (i_0) (IMPLIES (EQ i_0 (+ l_0 1)) (<= l_0 m))))))))))))))))

;; quick_rec_ensures_default_po_4, File "HOME/tests/c/quick_sort.c", line 68, characters 39-44
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0) (FORALL (i_0) (IMPLIES (EQ i_0 (+ l_0 1)) (< m i_0))))))))))))))))

;; quick_rec_ensures_default_po_5, File "HOME/tests/c/quick_sort.c", line 68, characters 43-51
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0) (IMPLIES (EQ i_0 (+ l_0 1)) (<= i_0 (+ r 1)))))))))))))))))

;; quick_rec_ensures_default_po_6, File "HOME/tests/c/quick_sort.c", line 67, characters 8-31
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(EQ (Permut t l_0 r intP_intM_t_5 intP_intM_t_5) |@true|))))))))))))))))

;; quick_rec_ensures_default_po_7, File "HOME/tests/c/quick_sort.c", line 65, characters 8-50
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (j_4)
(IMPLIES (AND (< m j_4) (< j_4 i_0))
(>= (select intP_intM_t_5 (shift t j_4)) v))))))))))))))))))

;; quick_rec_ensures_default_po_8, File "HOME/tests/c/quick_sort.c", line 63, characters 8-50
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (j_3)
(IMPLIES (AND (< l_0 j_3) (<= j_3 m))
(< (select intP_intM_t_5 (shift t j_3)) v))))))))))))))))))

;; quick_rec_ensures_default_po_9, File "HOME/tests/c/quick_sort.jessie/quick_sort.jc", line 131, characters 6-1481
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(not_assigns
intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5 (pset_range
                                                 (pset_singleton t) l_0 r)))))))))))))))))

;; quick_rec_ensures_default_po_10, File "HOME/tests/c/quick_sort.c", line 75, characters 17-39
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 m1 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m1 m1) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|))))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_11, File "HOME/tests/c/quick_sort.c", line 68, characters 21-30
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 m1 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m1 m1) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1))
(EQ (select intP_intM_t_5_1 (shift t l_0)) v)))))))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_12, File "HOME/tests/c/quick_sort.c", line 68, characters 34-40
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 m1 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m1 m1) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (<= l_0 m1)))))))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_13, File "HOME/tests/c/quick_sort.c", line 68, characters 39-44
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 m1 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m1 m1) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (< m1 i_0_1)))))))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_14, File "HOME/tests/c/quick_sort.c", line 68, characters 43-51
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 m1 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m1 m1) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (<= i_0_1 (+ r 1))))))))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_15, File "HOME/tests/c/quick_sort.c", line 67, characters 8-31
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 m1 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m1 m1) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1))
(EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5) |@true|)))))))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_16, File "HOME/tests/c/quick_sort.c", line 65, characters 8-50
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 m1 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m1 m1) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1))
(FORALL (j_4)
(IMPLIES (AND (< m1 j_4) (< j_4 i_0_1))
(>= (select intP_intM_t_5_1 (shift t j_4)) v)))))))))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_17, File "HOME/tests/c/quick_sort.c", line 63, characters 8-50
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 m1 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m1 m1) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1))
(FORALL (j_3)
(IMPLIES (AND (< l_0 j_3) (<= j_3 m1))
(< (select intP_intM_t_5_1 (shift t j_3)) v)))))))))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_18, File "HOME/tests/c/quick_sort.jessie/quick_sort.jc", line 131, characters 6-1481
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 m1 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m1 m1) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1))
(not_assigns
intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_1 (pset_range
                                                   (pset_singleton t) l_0 r))))))))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_19, File "HOME/tests/c/quick_sort.c", line 68, characters 21-30
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (>= result0 v)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1))
(EQ (select intP_intM_t_5_0 (shift t l_0)) v))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_20, File "HOME/tests/c/quick_sort.c", line 68, characters 34-40
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (>= result0 v)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (<= l_0 m0))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_21, File "HOME/tests/c/quick_sort.c", line 68, characters 39-44
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (>= result0 v)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (< m0 i_0_1))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_22, File "HOME/tests/c/quick_sort.c", line 68, characters 43-51
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (>= result0 v)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (<= i_0_1 (+ r 1)))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_23, File "HOME/tests/c/quick_sort.c", line 67, characters 8-31
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (>= result0 v)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1))
(EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_24, File "HOME/tests/c/quick_sort.c", line 65, characters 8-50
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (>= result0 v)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1))
(FORALL (j_4)
(IMPLIES (AND (< m0 j_4) (< j_4 i_0_1))
(>= (select intP_intM_t_5_0 (shift t j_4)) v))))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_25, File "HOME/tests/c/quick_sort.c", line 63, characters 8-50
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (<= i_0_0 r)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (>= result0 v)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1))
(FORALL (j_3)
(IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
(< (select intP_intM_t_5_0 (shift t j_3)) v))))))))))))))))))))))))))))

;; quick_rec_ensures_default_po_26, File "HOME/tests/c/quick_sort.c", line 78, characters 13-24
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (> i_0_0 r) (<= l_0 m0)))))))))))))))))))))

;; quick_rec_ensures_default_po_27, File "HOME/tests/c/quick_sort.c", line 78, characters 13-24
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (> i_0_0 r) (<= m0 r)))))))))))))))))))))

;; quick_rec_ensures_default_po_28, File "HOME/tests/c/quick_sort.c", line 80, characters 13-34
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t l_0 m0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m0 m0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) l_0 l_0))))
(EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|))))))))))))))))))))))))

;; quick_rec_ensures_default_po_29, File "HOME/tests/c/quick_sort.c", line 57, characters 5-14
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES (AND
         (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_range
                                                            (pset_singleton
                                                            t) l_0 r)))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t l_0 m0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m0 m0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) l_0 l_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (intP_intM_t_5_2)
(IMPLIES (AND
         (EQ (Permut t l_0 (- m0 1) intP_intM_t_5_2 intP_intM_t_5_1) |@true|)
         (AND (Sorted t l_0 (+ (- m0 1) 1) intP_intM_t_5_2)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_1 intP_intM_t_5_2 (pset_range
                                                              (pset_singleton
                                                              t) l_0 
                                                              (- m0 1)))))
(FORALL (intP_intM_t_5_3)
(IMPLIES (AND
         (EQ (Permut t (+ m0 1) r intP_intM_t_5_3 intP_intM_t_5_2) |@true|)
         (AND (Sorted t (+ m0 1) (+ r 1) intP_intM_t_5_3)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_2 intP_intM_t_5_3 (pset_range
                                                              (pset_singleton
                                                              t) (+ m0 1) r))))
(not_assigns
intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_3 (pset_range
                                                   (pset_singleton t) l_0 r))))))))))))))))))))))))))))))

;; quick_rec_ensures_permutation_po_1, File "HOME/tests/c/quick_sort.c", line 55, characters 14-37
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (>= l_0 r)
(EQ (Permut t l_0 r intP_intM_t_5 intP_intM_t_5) |@true|))))))))

;; quick_rec_ensures_permutation_po_2, File "HOME/tests/c/quick_sort.c", line 55, characters 14-37
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t l_0 m0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m0 m0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) l_0 l_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (intP_intM_t_5_2)
(IMPLIES (AND
         (EQ (Permut t l_0 (- m0 1) intP_intM_t_5_2 intP_intM_t_5_1) |@true|)
         (AND (Sorted t l_0 (+ (- m0 1) 1) intP_intM_t_5_2)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_1 intP_intM_t_5_2 (pset_range
                                                              (pset_singleton
                                                              t) l_0 
                                                              (- m0 1)))))
(FORALL (intP_intM_t_5_3)
(IMPLIES (AND
         (EQ (Permut t (+ m0 1) r intP_intM_t_5_3 intP_intM_t_5_2) |@true|)
         (AND (Sorted t (+ m0 1) (+ r 1) intP_intM_t_5_3)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_2 intP_intM_t_5_3 (pset_range
                                                              (pset_singleton
                                                              t) (+ m0 1) r))))
(EQ (Permut t l_0 r intP_intM_t_5_3 intP_intM_t_5) |@true|))))))))))))))))))))))))))))))

;; quick_rec_ensures_sorted_po_1, File "HOME/tests/c/quick_sort.c", line 53, characters 14-29
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (>= l_0 r) (Sorted t l_0 (+ r 1) intP_intM_t_5))))))))

;; quick_rec_ensures_sorted_po_2, File "HOME/tests/c/quick_sort.c", line 53, characters 14-29
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t l_0 m0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m0 m0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) l_0 l_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (intP_intM_t_5_2)
(IMPLIES (AND
         (EQ (Permut t l_0 (- m0 1) intP_intM_t_5_2 intP_intM_t_5_1) |@true|)
         (AND (Sorted t l_0 (+ (- m0 1) 1) intP_intM_t_5_2)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_1 intP_intM_t_5_2 (pset_range
                                                              (pset_singleton
                                                              t) l_0 
                                                              (- m0 1)))))
(FORALL (intP_intM_t_5_3)
(IMPLIES (AND
         (EQ (Permut t (+ m0 1) r intP_intM_t_5_3 intP_intM_t_5_2) |@true|)
         (AND (Sorted t (+ m0 1) (+ r 1) intP_intM_t_5_3)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_2 intP_intM_t_5_3 (pset_range
                                                              (pset_singleton
                                                              t) (+ m0 1) r))))
(Sorted t l_0 (+ r 1) intP_intM_t_5_3))))))))))))))))))))))))))))))

;; quick_rec_safety_po_1, File "HOME/tests/c/quick_sort.c", line 60, characters 6-10
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r) (<= l_0 (offset_max intP_t_5_alloc_table t))))))))

;; quick_rec_safety_po_2, File "HOME/tests/c/quick_sort.c", line 72, characters 8-12
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (<= i_0_0 r) (<= (offset_min intP_t_5_alloc_table t) i_0_0)))))))))))))))))))))))

;; quick_rec_safety_po_3, File "HOME/tests/c/quick_sort.c", line 72, characters 8-12
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (<= i_0_0 r) (<= i_0_0 (offset_max intP_t_5_alloc_table t))))))))))))))))))))))))

;; quick_rec_safety_po_4, File "HOME/tests/c/quick_sort.jessie/quick_sort.jc", line 159, characters 27-42
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (<= i_0_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1)) (>= (offset_max intP_t_5_alloc_table t) i_0_0)))))))))))))))))))))))))))))

;; quick_rec_safety_po_5, File "HOME/tests/c/quick_sort.jessie/quick_sort.jc", line 159, characters 27-42
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (<= i_0_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1)) (<= (offset_min intP_t_5_alloc_table t) m1)))))))))))))))))))))))))))))

;; quick_rec_safety_po_6, File "HOME/tests/c/quick_sort.jessie/quick_sort.jc", line 159, characters 27-42
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (<= i_0_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1)) (>= (offset_max intP_t_5_alloc_table t) m1)))))))))))))))))))))))))))))

;; quick_rec_safety_po_7, File "HOME/tests/c/quick_sort.c", line 69, characters 19-22
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (<= i_0_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (AND (>= (offset_max intP_t_5_alloc_table t) i_0_0)
         (AND (<= (offset_min intP_t_5_alloc_table t) m1)
         (>= (offset_max intP_t_5_alloc_table t) m1))))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 m1 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m1 m1) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (<= 0 (- r i_0_0))))))))))))))))))))))))))))))))))))

;; quick_rec_safety_po_8, File "HOME/tests/c/quick_sort.c", line 69, characters 19-22
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (<= i_0_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (< result0 v)
(FORALL (m1)
(IMPLIES (EQ m1 (+ m0 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (AND (>= (offset_max intP_t_5_alloc_table t) i_0_0)
         (AND (<= (offset_min intP_t_5_alloc_table t) m1)
         (>= (offset_max intP_t_5_alloc_table t) m1))))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 m1 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m1 m1) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (< (- r i_0_1) (- r i_0_0))))))))))))))))))))))))))))))))))))

;; quick_rec_safety_po_9, File "HOME/tests/c/quick_sort.c", line 69, characters 19-22
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (<= i_0_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (>= result0 v)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (<= 0 (- r i_0_0))))))))))))))))))))))))))))))

;; quick_rec_safety_po_10, File "HOME/tests/c/quick_sort.c", line 69, characters 19-22
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (<= i_0_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t i_0_0)))
(IMPLIES (>= result0 v)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (< (- r i_0_1) (- r i_0_0))))))))))))))))))))))))))))))

;; quick_rec_safety_po_11, File "HOME/tests/c/quick_sort.c", line 79, characters 4-15
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(>= (offset_max intP_t_5_alloc_table t) l_0))))))))))))))))))))))))

;; quick_rec_safety_po_12, File "HOME/tests/c/quick_sort.c", line 79, characters 4-15
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(<= (offset_min intP_t_5_alloc_table t) m0))))))))))))))))))))))))

;; quick_rec_safety_po_13, File "HOME/tests/c/quick_sort.c", line 79, characters 4-15
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(>= (offset_max intP_t_5_alloc_table t) m0))))))))))))))))))))))))

;; quick_rec_safety_po_14, File "why/quick_sort.why", line 870, characters 14-106
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (AND (>= (offset_max intP_t_5_alloc_table t) l_0)
         (AND (<= (offset_min intP_t_5_alloc_table t) m0)
         (>= (offset_max intP_t_5_alloc_table t) m0))))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t l_0 m0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m0 m0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) l_0 l_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(<= 0 (- r l_0)))))))))))))))))))))))))))))

;; quick_rec_safety_po_15, File "why/quick_sort.why", line 870, characters 14-106
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (AND (>= (offset_max intP_t_5_alloc_table t) l_0)
         (AND (<= (offset_min intP_t_5_alloc_table t) m0)
         (>= (offset_max intP_t_5_alloc_table t) m0))))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t l_0 m0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m0 m0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) l_0 l_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(< (- (- m0 1) l_0) (- r l_0)))))))))))))))))))))))))))))

;; quick_rec_safety_po_16, File "HOME/tests/c/quick_sort.jessie/quick_sort.jc", line 183, characters 15-49
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (AND (>= (offset_max intP_t_5_alloc_table t) l_0)
         (AND (<= (offset_min intP_t_5_alloc_table t) m0)
         (>= (offset_max intP_t_5_alloc_table t) m0))))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t l_0 m0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m0 m0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) l_0 l_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(>= (offset_max intP_t_5_alloc_table t) (- m0 1)))))))))))))))))))))))))))))

;; quick_rec_safety_po_17, File "why/quick_sort.why", line 879, characters 14-106
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (AND (>= (offset_max intP_t_5_alloc_table t) l_0)
         (AND (<= (offset_min intP_t_5_alloc_table t) m0)
         (>= (offset_max intP_t_5_alloc_table t) m0))))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t l_0 m0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m0 m0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) l_0 l_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) (- m0 1)))
(FORALL (intP_intM_t_5_2)
(IMPLIES (AND
         (EQ (Permut t l_0 (- m0 1) intP_intM_t_5_2 intP_intM_t_5_1) |@true|)
         (AND (Sorted t l_0 (+ (- m0 1) 1) intP_intM_t_5_2)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_1 intP_intM_t_5_2 (pset_range
                                                              (pset_singleton
                                                              t) l_0 
                                                              (- m0 1)))))
(<= 0 (- r l_0))))))))))))))))))))))))))))))))

;; quick_rec_safety_po_18, File "why/quick_sort.why", line 879, characters 14-106
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (AND (>= (offset_max intP_t_5_alloc_table t) l_0)
         (AND (<= (offset_min intP_t_5_alloc_table t) m0)
         (>= (offset_max intP_t_5_alloc_table t) m0))))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t l_0 m0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m0 m0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) l_0 l_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) (- m0 1)))
(FORALL (intP_intM_t_5_2)
(IMPLIES (AND
         (EQ (Permut t l_0 (- m0 1) intP_intM_t_5_2 intP_intM_t_5_1) |@true|)
         (AND (Sorted t l_0 (+ (- m0 1) 1) intP_intM_t_5_2)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_1 intP_intM_t_5_2 (pset_range
                                                              (pset_singleton
                                                              t) l_0 
                                                              (- m0 1)))))
(< (- r (+ m0 1)) (- r l_0))))))))))))))))))))))))))))))))

;; quick_rec_safety_po_19, File "HOME/tests/c/quick_sort.jessie/quick_sort.jc", line 184, characters 15-49
(FORALL (t)
(FORALL (l_0)
(FORALL (r)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) r))
(IMPLIES (< l_0 r)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (<= l_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t l_0)))
(FORALL (v)
(IMPLIES (EQ v result)
(FORALL (m)
(IMPLIES (EQ m l_0)
(FORALL (i_0)
(IMPLIES (EQ i_0 (+ l_0 1))
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(FORALL (m0)
(IMPLIES TRUE
(IMPLIES (AND
         (AND (EQ (select intP_intM_t_5_0 (shift t l_0)) v)
         (AND (<= l_0 m0) (AND (< m0 i_0_0) (<= i_0_0 (+ r 1)))))
         (AND (EQ (Permut t l_0 r intP_intM_t_5_0 intP_intM_t_5) |@true|)
         (AND
         (FORALL (j_4)
         (IMPLIES (AND (< m0 j_4) (< j_4 i_0_0))
         (>= (select intP_intM_t_5_0 (shift t j_4)) v)))
         (FORALL (j_3)
         (IMPLIES (AND (< l_0 j_3) (<= j_3 m0))
         (< (select intP_intM_t_5_0 (shift t j_3)) v))))))
(IMPLIES (> i_0_0 r)
(IMPLIES (AND (<= l_0 m0) (<= m0 r))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (AND (>= (offset_max intP_t_5_alloc_table t) l_0)
         (AND (<= (offset_min intP_t_5_alloc_table t) m0)
         (>= (offset_max intP_t_5_alloc_table t) m0))))
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t l_0 m0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) m0 m0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) l_0 l_0))))
(IMPLIES (EQ (Permut t l_0 r intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) l_0)
         (>= (offset_max intP_t_5_alloc_table t) (- m0 1)))
(FORALL (intP_intM_t_5_2)
(IMPLIES (AND
         (EQ (Permut t l_0 (- m0 1) intP_intM_t_5_2 intP_intM_t_5_1) |@true|)
         (AND (Sorted t l_0 (+ (- m0 1) 1) intP_intM_t_5_2)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_1 intP_intM_t_5_2 (pset_range
                                                              (pset_singleton
                                                              t) l_0 
                                                              (- m0 1)))))
(<= (offset_min intP_t_5_alloc_table t) (+ m0 1))))))))))))))))))))))))))))))))

;; quick_sort_ensures_sorted_po_1, File "HOME/tests/c/quick_sort.c", line 87, characters 14-27
(FORALL (t_0)
(FORALL (n_1)
(FORALL (intP_t_0_6_alloc_table)
(FORALL (intP_intM_t_0_6)
(IMPLIES (AND (<= (offset_min intP_t_0_6_alloc_table t_0) 0)
         (>= (offset_max intP_t_0_6_alloc_table t_0) (- n_1 1)))
(FORALL (intP_intM_t_0_6_0)
(IMPLIES (AND
         (EQ (Permut
         t_0 0 (- n_1 1) intP_intM_t_0_6_0 intP_intM_t_0_6) |@true|)
         (AND (Sorted t_0 0 (+ (- n_1 1) 1) intP_intM_t_0_6_0)
         (not_assigns
         intP_t_0_6_alloc_table intP_intM_t_0_6 intP_intM_t_0_6_0 (pset_range
                                                                  (pset_singleton
                                                                  t_0) 0 
                                                                  (- n_1 1)))))
(Sorted t_0 0 n_1 intP_intM_t_0_6_0))))))))

;; swap_ensures_default_po_1, File "HOME/tests/c/quick_sort.c", line 40, characters 12-33
(FORALL (t_1)
(FORALL (i)
(FORALL (j)
(FORALL (intP_t_1_4_alloc_table)
(FORALL (intP_intM_t_1_4)
(IMPLIES (AND (<= (offset_min intP_t_1_4_alloc_table t_1) i)
         (AND (>= (offset_max intP_t_1_4_alloc_table t_1) i)
         (AND (<= (offset_min intP_t_1_4_alloc_table t_1) j)
         (>= (offset_max intP_t_1_4_alloc_table t_1) j))))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_1_4 (shift t_1 i)))
(FORALL (tmp)
(IMPLIES (EQ tmp result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_1_4 (shift t_1 j)))
(FORALL (intP_intM_t_1_4_0)
(IMPLIES (EQ intP_intM_t_1_4_0
         (|why__store| intP_intM_t_1_4 (shift t_1 i) result0))
(FORALL (intP_intM_t_1_4_1)
(IMPLIES (EQ intP_intM_t_1_4_1
         (|why__store| intP_intM_t_1_4_0 (shift t_1 j) tmp))
(Swap t_1 i j intP_intM_t_1_4_1 intP_intM_t_1_4)))))))))))))))))

;; swap_ensures_default_po_2, File "HOME/tests/c/quick_sort.c", line 42, characters 5-9
(FORALL (t_1)
(FORALL (i)
(FORALL (j)
(FORALL (intP_t_1_4_alloc_table)
(FORALL (intP_intM_t_1_4)
(IMPLIES (AND (<= (offset_min intP_t_1_4_alloc_table t_1) i)
         (AND (>= (offset_max intP_t_1_4_alloc_table t_1) i)
         (AND (<= (offset_min intP_t_1_4_alloc_table t_1) j)
         (>= (offset_max intP_t_1_4_alloc_table t_1) j))))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_1_4 (shift t_1 i)))
(FORALL (tmp)
(IMPLIES (EQ tmp result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_1_4 (shift t_1 j)))
(FORALL (intP_intM_t_1_4_0)
(IMPLIES (EQ intP_intM_t_1_4_0
         (|why__store| intP_intM_t_1_4 (shift t_1 i) result0))
(FORALL (intP_intM_t_1_4_1)
(IMPLIES (EQ intP_intM_t_1_4_1
         (|why__store| intP_intM_t_1_4_0 (shift t_1 j) tmp))
(not_assigns
intP_t_1_4_alloc_table intP_intM_t_1_4 intP_intM_t_1_4_1 (pset_union
                                                         (pset_range
                                                         (pset_singleton t_1) j j) 
                                                         (pset_range
                                                         (pset_singleton t_1) i i)))))))))))))))))))

;; swap_safety_po_1, File "HOME/tests/c/quick_sort.c", line 43, characters 12-16
(FORALL (t_1)
(FORALL (i)
(FORALL (j)
(FORALL (intP_t_1_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_1_4_alloc_table t_1) i)
         (AND (>= (offset_max intP_t_1_4_alloc_table t_1) i)
         (AND (<= (offset_min intP_t_1_4_alloc_table t_1) j)
         (>= (offset_max intP_t_1_4_alloc_table t_1) j))))
(<= i (offset_max intP_t_1_4_alloc_table t_1)))))))

;; swap_safety_po_2, File "HOME/tests/c/quick_sort.c", line 44, characters 9-13
(FORALL (t_1)
(FORALL (i)
(FORALL (j)
(FORALL (intP_t_1_4_alloc_table)
(FORALL (intP_intM_t_1_4)
(IMPLIES (AND (<= (offset_min intP_t_1_4_alloc_table t_1) i)
         (AND (>= (offset_max intP_t_1_4_alloc_table t_1) i)
         (AND (<= (offset_min intP_t_1_4_alloc_table t_1) j)
         (>= (offset_max intP_t_1_4_alloc_table t_1) j))))
(IMPLIES (AND (<= (offset_min intP_t_1_4_alloc_table t_1) i)
         (<= i (offset_max intP_t_1_4_alloc_table t_1)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_1_4 (shift t_1 i)))
(FORALL (tmp)
(IMPLIES (EQ tmp result) (<= (offset_min intP_t_1_4_alloc_table t_1) j))))))))))))

;; swap_safety_po_3, File "HOME/tests/c/quick_sort.c", line 44, characters 9-13
(FORALL (t_1)
(FORALL (i)
(FORALL (j)
(FORALL (intP_t_1_4_alloc_table)
(FORALL (intP_intM_t_1_4)
(IMPLIES (AND (<= (offset_min intP_t_1_4_alloc_table t_1) i)
         (AND (>= (offset_max intP_t_1_4_alloc_table t_1) i)
         (AND (<= (offset_min intP_t_1_4_alloc_table t_1) j)
         (>= (offset_max intP_t_1_4_alloc_table t_1) j))))
(IMPLIES (AND (<= (offset_min intP_t_1_4_alloc_table t_1) i)
         (<= i (offset_max intP_t_1_4_alloc_table t_1)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_1_4 (shift t_1 i)))
(FORALL (tmp)
(IMPLIES (EQ tmp result) (<= j (offset_max intP_t_1_4_alloc_table t_1)))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/quick_sort_why.sx    : ..............................?.#......................... (56/0/1/1/0)
total   :  58
valid   :  56 ( 97%)
invalid :   0 (  0%)
unknown :   1 (  2%)
timeout :   1 (  2%)
failure :   0 (  0%)
why-2.34/tests/c/oracle/tree_max.res.oracle0000644000175000017500000034146212311670312017243 0ustar  rtusers========== file tests/c/tree_max.c ==========

#pragma JessieTerminationPolicy(user)

#define NULL (void*)0

//@ ensures \result == \max(x,y);
int max(int x, int y);

typedef struct Tree *tree;
struct Tree {
  int value;
  tree left;
  tree right;
};

/* not accepted by Why3 (termination not proved) 
  @ predicate mem(int x, tree t) =
  @  (t==\null) ? \false : (x==t->value) || mem(x,t->left) || mem(x,t->right);
  @*/

/*@ axiomatic Mem {
  @   predicate mem{L}(int x, tree t);
  @   axiom mem_null{L}: \forall int x; ! mem(x,\null);
  @   axiom mem_root{L}: \forall tree t; t != \null ==>
  @     mem(t->value,t);
  @   axiom mem_root_eq{L}: \forall int x, tree t; t != \null ==>
  @     x==t->value ==> mem(x,t);
  @   axiom mem_left{L}: \forall int x, tree t; t != \null ==>
  @     mem(x,t->left) ==> mem(x,t);
  @   axiom mem_right{L}: \forall int x, tree t; t != \null ==>
  @     mem(x,t->right) ==> mem(x,t);
  @   axiom mem_inversion{L}: \forall int x, tree t;
  @     mem(x,t) ==> t != \null &&
  @       (x==t->value || mem(x,t->left) || mem(x,t->right));
  @ }
  @*/

/*@ axiomatic WellFormedTree {
  @   predicate has_size{L}(tree t, integer s);
  @   axiom has_size_null{L}: has_size(\null,0);
  @   axiom has_size_non_null{L}: \forall tree t; \valid(t) ==>
  @     \forall integer s1,s2;
  @     has_size(t->left,s1) && has_size(t->right,s2) ==>
  @     has_size(t,s1+s2+1) ;
  @   axiom has_size_inversion{L}: \forall tree t, integer s;
  @     has_size(t,s) ==>
  @       (t == \null && s == 0) ||
  @       (\valid(t) && \exists integer s1,s2;
  @            has_size(t->left,s1) && has_size(t->right,s2) &&
  @            0 <= s1 && 0 <= s2 && s == s1+s2+1) ;
  @  predicate size_decreases{L}(tree t1, tree t2) =
  @    \exists integer s1,s2; has_size(t1,s1) && has_size(t2,s2) && s1 > s2;
  @   predicate valid_tree{L}(tree t) =
  @     \exists integer s; has_size(t,s);
  @ }
  @*/

/*@ requires t != \null && valid_tree(t);
  @ // decreases t for size_decreases;
  @ ensures mem(\result,t) && \forall int x; mem(x,t) ==> \result >= x;
  @*/
int tree_max(tree t) {
  int m = t->value;
  if (t->left != NULL) m = max(m,tree_max(t->left));
  if (t->right != NULL) m = max(m,tree_max(t->right));
  return m;
  }



/*
Local Variables:
compile-command: "make tree_max.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/tree_max.c"
[jessie] Starting Jessie translation
tests/c/tree_max.c:62:[kernel] warning: No code nor implicit assigns clause for function max, generating default assigns from the prototype
[jessie] Producing Jessie files in subdir tests/c/tree_max.jessie
[jessie] File tests/c/tree_max.jessie/tree_max.jc written.
[jessie] File tests/c/tree_max.jessie/tree_max.cloc written.
========== file tests/c/tree_max.jessie/tree_max.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol
# TerminationPolicy = user

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

tag Tree = {
  int32 value: 32; 
  Tree[..] left: 32; 
  Tree[..] right: 32;
}

type Tree = [Tree]

int32 max(int32 x, int32 y)
behavior default:
  assigns \nothing;
  ensures (_C_1 : (\result == \integer_max(\at(x,Old), \at(y,Old))));
;

axiomatic Mem {

  predicate mem{L}(int32 x, Tree[..] t)
   
  axiom mem_null{L} :
  (\forall int32 x_0;
    (! mem{L}(x_0, null)))
   
  axiom mem_root{L} :
  (\forall Tree[..] t_0;
    ((t_0 != null) ==> mem{L}(t_0.value, t_0)))
   
  axiom mem_root_eq{L} :
  (\forall int32 x_1;
    (\forall Tree[..] t_1;
      ((t_1 != null) ==> ((x_1 == t_1.value) ==> mem{L}(x_1, t_1)))))
   
  axiom mem_left{L} :
  (\forall int32 x_2;
    (\forall Tree[..] t_2;
      ((t_2 != null) ==> (mem{L}(x_2, t_2.left) ==> mem{L}(x_2, t_2)))))
   
  axiom mem_right{L} :
  (\forall int32 x_3;
    (\forall Tree[..] t_3;
      ((t_3 != null) ==> (mem{L}(x_3, t_3.right) ==> mem{L}(x_3, t_3)))))
   
  axiom mem_inversion{L} :
  (\forall int32 x_4;
    (\forall Tree[..] t_4;
      (mem{L}(x_4, t_4) ==>
        ((t_4 != null) &&
          (((x_4 == t_4.value) || mem{L}(x_4, t_4.left)) ||
            mem{L}(x_4, t_4.right))))))
  
}

axiomatic WellFormedTree {

  predicate has_size{L}(Tree[..] t_5, integer s)
   
  axiom has_size_null{L} :
  has_size{L}(null, 0)
   
  axiom has_size_non_null{L} :
  (\forall Tree[..] t_6;
    (((\offset_min(t_6) <= 0) && (\offset_max(t_6) >= 0)) ==>
      (\forall integer s1;
        (\forall integer s2;
          ((has_size{L}(t_6.left, s1) && has_size{L}(t_6.right, s2)) ==>
            has_size{L}(t_6, ((s1 + s2) + 1)))))))
   
  axiom has_size_inversion{L} :
  (\forall Tree[..] t_7;
    (\forall integer s_0;
      (has_size{L}(t_7, s_0) ==>
        (((t_7 == null) && (s_0 == 0)) ||
          (((\offset_min(t_7) <= 0) && (\offset_max(t_7) >= 0)) &&
            (\exists integer s1_0;
              (\exists integer s2_0;
                ((((has_size{L}(t_7.left, s1_0) &&
                     has_size{L}(t_7.right, s2_0)) &&
                    (0 <= s1_0)) &&
                   (0 <= s2_0)) &&
                  (s_0 == ((s1_0 + s2_0) + 1))))))))))
   
  predicate size_decreases{L}(Tree[..] t1, Tree[..] t2) =
  (\exists integer s1_1;
    (\exists integer s2_1;
      ((has_size{L}(t1, s1_1) && has_size{L}(t2, s2_1)) && (s1_1 > s2_1))))
   
  predicate valid_tree{L}(Tree[..] t_8) =
  (\exists integer s_1;
    has_size{L}(t_8, s_1))
  
}

int32 tree_max(Tree[..] t)
  requires (_C_19 : ((_C_20 : (t != null)) && (_C_21 : valid_tree{Here}(t))));
behavior default:
  ensures (_C_16 : ((_C_17 : mem{Here}(\result, \at(t,Old))) &&
                     (_C_18 : (\forall int32 x_5;
                                (mem{Here}(x_5, \at(t,Old)) ==>
                                  (\result >= x_5))))));
{  
   (var int32 m);
   
   (var int32 tmp);
   
   (var int32 tmp_0);
   
   {  (_C_3 : (m = (_C_2 : t.value)));
      (if ((_C_9 : t.left) != null) then 
      {  (_C_6 : (tmp = (_C_5 : tree_max((_C_4 : t.left)))));
         (_C_8 : (m = (_C_7 : max(m, tmp))))
      } else ());
      (if ((_C_15 : t.right) != null) then 
      {  (_C_12 : (tmp_0 = (_C_11 : tree_max((_C_10 : t.right)))));
         (_C_14 : (m = (_C_13 : max(m, tmp_0))))
      } else ());
      
      (return m)
   }
}
========== file tests/c/tree_max.jessie/tree_max.cloc ==========
[has_size_null]
name = "Lemma has_size_null"
file = "HOME/tests/c/tree_max.c"
line = 40
begin = 6
end = 48

[tree_max]
name = "Function tree_max"
file = "HOME/tests/c/tree_max.c"
line = 62
begin = 4
end = 12

[mem_left]
name = "Lemma mem_left"
file = "HOME/tests/c/tree_max.c"
line = 28
begin = 6
end = 99

[_C_4]
file = "HOME/tests/c/tree_max.c"
line = 64
begin = 46
end = 53

[_C_19]
file = "HOME/tests/c/tree_max.c"
line = 58
begin = 13
end = 40

[_C_13]
file = "HOME/tests/c/tree_max.c"
line = 65
begin = 32
end = 57

[_C_5]
file = "HOME/tests/c/tree_max.c"
line = 64
begin = 37
end = 54

[_C_12]
file = "HOME/tests/c/tree_max.c"
line = 65
begin = 38
end = 56

[mem_root]
name = "Lemma mem_root"
file = "HOME/tests/c/tree_max.c"
line = 24
begin = 6
end = 80

[_C_9]
file = "HOME/tests/c/tree_max.c"
line = 64
begin = 6
end = 13

[_C_6]
file = "HOME/tests/c/tree_max.c"
line = 64
begin = 37
end = 54

[_C_20]
file = "HOME/tests/c/tree_max.c"
line = 58
begin = 13
end = 23

[mem_null]
name = "Lemma mem_null"
file = "HOME/tests/c/tree_max.c"
line = 23
begin = 6
end = 55

[_C_3]
file = "HOME/tests/c/tree_max.c"
line = 63
begin = 2
end = 5

[_C_17]
file = "HOME/tests/c/tree_max.c"
line = 60
begin = 12
end = 26

[_C_7]
file = "HOME/tests/c/tree_max.c"
line = 64
begin = 31
end = 55

[_C_15]
file = "HOME/tests/c/tree_max.c"
line = 65
begin = 6
end = 14

[mem_inversion]
name = "Lemma mem_inversion"
file = "HOME/tests/c/tree_max.c"
line = 32
begin = 6
end = 149

[has_size_non_null]
name = "Lemma has_size_non_null"
file = "HOME/tests/c/tree_max.c"
line = 41
begin = 6
end = 182

[_C_10]
file = "HOME/tests/c/tree_max.c"
line = 65
begin = 47
end = 55

[_C_8]
file = "HOME/tests/c/tree_max.c"
line = 64
begin = 31
end = 55

[_C_18]
file = "HOME/tests/c/tree_max.c"
line = 60
begin = 30
end = 70

[_C_14]
file = "HOME/tests/c/tree_max.c"
line = 65
begin = 32
end = 57

[mem_root_eq]
name = "Lemma mem_root_eq"
file = "HOME/tests/c/tree_max.c"
line = 26
begin = 6
end = 99

[has_size_inversion]
name = "Lemma has_size_inversion"
file = "HOME/tests/c/tree_max.c"
line = 45
begin = 6
end = 287

[_C_2]
file = "HOME/tests/c/tree_max.c"
line = 63
begin = 10
end = 18

[mem_right]
name = "Lemma mem_right"
file = "HOME/tests/c/tree_max.c"
line = 30
begin = 6
end = 101

[_C_16]
file = "HOME/tests/c/tree_max.c"
line = 60
begin = 12
end = 70

[_C_1]
file = "HOME/tests/c/tree_max.c"
line = 6
begin = 12
end = 32

[_C_11]
file = "HOME/tests/c/tree_max.c"
line = 65
begin = 38
end = 56

[_C_21]
file = "HOME/tests/c/tree_max.c"
line = 58
begin = 27
end = 40

========== jessie execution ==========
Generating Why function tree_max
========== file tests/c/tree_max.jessie/tree_max.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs tree_max.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs tree_max.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/tree_max_why.sx

project: why/tree_max.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/tree_max_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/tree_max_why.vo

coq/tree_max_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/tree_max_why.v: why/tree_max.why
	@echo 'why -coq [...] why/tree_max.why' && $(WHY) $(JESSIELIBFILES) why/tree_max.why && rm -f coq/jessie_why.v

coq-goals: goals coq/tree_max_ctx_why.vo
	for f in why/*_po*.why; do make -f tree_max.makefile coq/`basename $$f .why`_why.v ; done

coq/tree_max_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/tree_max_ctx_why.v: why/tree_max_ctx.why
	@echo 'why -coq [...] why/tree_max_ctx.why' && $(WHY) why/tree_max_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export tree_max_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/tree_max_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/tree_max_ctx_why.vo

pvs: pvs/tree_max_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/tree_max_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/tree_max_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/tree_max_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/tree_max_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/tree_max_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/tree_max_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/tree_max_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/tree_max_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/tree_max_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/tree_max_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/tree_max_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/tree_max_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/tree_max_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/tree_max_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: tree_max.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/tree_max_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: tree_max.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: tree_max.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: tree_max.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include tree_max.depend

depend: coq/tree_max_why.v
	-$(COQDEP) -I coq coq/tree_max*_why.v > tree_max.depend

clean:
	rm -f coq/*.vo

========== file tests/c/tree_max.jessie/tree_max.loc ==========
[has_size_null]
name = "Lemma has_size_null"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 40
begin = 6
end = 48

[mem_left]
name = "Lemma mem_left"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 28
begin = 6
end = 99

[JC_31]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 64
begin = 31
end = 55

[JC_17]
file = "HOME/tests/c/tree_max.c"
line = 58
begin = 13
end = 40

[JC_23]
file = "HOME/tests/c/tree_max.c"
line = 60
begin = 30
end = 70

[JC_22]
file = "HOME/tests/c/tree_max.c"
line = 60
begin = 12
end = 26

[JC_5]
file = "HOME/tests/c/tree_max.c"
line = 6
begin = 12
end = 32

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/c/tree_max.c"
line = 60
begin = 12
end = 70

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[tree_max_ensures_default]
name = "Function tree_max"
behavior = "default behavior"
file = "HOME/tests/c/tree_max.c"
line = 62
begin = 4
end = 12

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/tests/c/tree_max.jessie/tree_max.jc"
line = 47
begin = 10
end = 18

[mem_root]
name = "Lemma mem_root"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 24
begin = 6
end = 80

[JC_13]
file = "HOME/tests/c/tree_max.c"
line = 58
begin = 13
end = 40

[JC_11]
file = "HOME/tests/c/tree_max.c"
line = 58
begin = 13
end = 23

[JC_15]
file = "HOME/tests/c/tree_max.c"
line = 58
begin = 13
end = 23

[JC_36]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 64
begin = 37
end = 54

[JC_39]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 65
begin = 32
end = 57

[JC_35]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 65
begin = 32
end = 57

[mem_null]
name = "Lemma mem_null"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 23
begin = 6
end = 55

[JC_27]
kind = PointerDeref
file = "HOME/tests/c/tree_max.c"
line = 63
begin = 10
end = 18

[JC_38]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 65
begin = 38
end = 56

[JC_12]
file = "HOME/tests/c/tree_max.c"
line = 58
begin = 27
end = 40

[JC_6]
file = "HOME/tests/c/tree_max.jessie/tree_max.jc"
line = 47
begin = 10
end = 18

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
kind = PointerDeref
file = "HOME/tests/c/tree_max.c"
line = 65
begin = 6
end = 14

[JC_33]
kind = PointerDeref
file = "HOME/tests/c/tree_max.c"
line = 65
begin = 47
end = 55

[mem_inversion]
name = "Lemma mem_inversion"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 32
begin = 6
end = 149

[has_size_non_null]
name = "Lemma has_size_non_null"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 41
begin = 6
end = 182

[tree_max_safety]
name = "Function tree_max"
behavior = "Safety"
file = "HOME/tests/c/tree_max.c"
line = 62
begin = 4
end = 12

[JC_29]
kind = PointerDeref
file = "HOME/tests/c/tree_max.c"
line = 64
begin = 46
end = 53

[JC_7]
file = "HOME/tests/c/tree_max.c"
line = 6
begin = 12
end = 32

[JC_16]
file = "HOME/tests/c/tree_max.c"
line = 58
begin = 27
end = 40

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 65
begin = 38
end = 56

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[mem_root_eq]
name = "Lemma mem_root_eq"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 26
begin = 6
end = 99

[has_size_inversion]
name = "Lemma has_size_inversion"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 45
begin = 6
end = 287

[JC_21]
file = "HOME/tests/c/tree_max.c"
line = 60
begin = 12
end = 70

[JC_1]
file = "HOME/tests/c/tree_max.jessie/tree_max.jc"
line = 45
begin = 6
end = 9

[JC_37]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 64
begin = 31
end = 55

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[mem_right]
name = "Lemma mem_right"
behavior = "axiom"
file = "HOME/tests/c/tree_max.c"
line = 30
begin = 6
end = 101

[JC_20]
file = "HOME/tests/c/tree_max.c"
line = 60
begin = 30
end = 70

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/tree_max.jessie/tree_max.jc"
line = 45
begin = 6
end = 9

[JC_19]
file = "HOME/tests/c/tree_max.c"
line = 60
begin = 12
end = 26

[JC_30]
kind = UserCall
file = "HOME/tests/c/tree_max.c"
line = 64
begin = 37
end = 54

[JC_28]
kind = PointerDeref
file = "HOME/tests/c/tree_max.c"
line = 64
begin = 6
end = 13

========== file tests/c/tree_max.jessie/why/tree_max.why ==========
type Tree

type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic Tree_tag:  -> Tree tag_id

axiom Tree_int : (int_of_tag(Tree_tag) = (1))

logic Tree_of_pointer_address: unit pointer -> Tree pointer

axiom Tree_of_pointer_address_of_pointer_addr :
 (forall p:Tree pointer. (p = Tree_of_pointer_address(pointer_address(p))))

axiom Tree_parenttag_bottom : parenttag(Tree_tag, bottom_tag)

axiom Tree_tags :
 (forall x:Tree pointer.
  (forall Tree_tag_table:Tree tag_table.
   instanceof(Tree_tag_table, x, Tree_tag)))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic has_size: Tree pointer, int, Tree alloc_table,
 (Tree, Tree pointer) memory, (Tree, Tree pointer) memory -> prop

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_Tree(p:Tree pointer, a:int,
 Tree_alloc_table:Tree alloc_table) = (offset_min(Tree_alloc_table, p) <= a)

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

logic mem: int32, Tree pointer, (Tree, Tree pointer) memory,
 (Tree, Tree pointer) memory, (Tree, int32) memory -> prop

axiom pointer_addr_of_Tree_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Tree_of_pointer_address(p))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_Tree(p:Tree pointer, b:int,
 Tree_alloc_table:Tree alloc_table) = (offset_max(Tree_alloc_table, p) >= b)

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate size_decreases(t1:Tree pointer, t2:Tree pointer,
 Tree_t2_4_alloc_table_at_L:Tree alloc_table,
 Tree_t1_3_alloc_table_at_L:Tree alloc_table,
 Tree_right_t2_4_at_L:(Tree, Tree pointer) memory,
 Tree_right_t1_3_at_L:(Tree, Tree pointer) memory,
 Tree_left_t2_4_at_L:(Tree, Tree pointer) memory,
 Tree_left_t1_3_at_L:(Tree, Tree pointer) memory) =
 (exists s1_1_0:int.
  (exists s2_1_0:int.
   (has_size(t1, s1_1_0, Tree_t1_3_alloc_table_at_L, Tree_right_t1_3_at_L,
    Tree_left_t1_3_at_L)
   and (has_size(t2, s2_1_0, Tree_t2_4_alloc_table_at_L,
        Tree_right_t2_4_at_L, Tree_left_t2_4_at_L)
       and gt_int(s1_1_0, s2_1_0)))))

predicate strict_valid_root_Tree(p:Tree pointer, a:int, b:int,
 Tree_alloc_table:Tree alloc_table) =
 ((offset_min(Tree_alloc_table, p) = a)
 and (offset_max(Tree_alloc_table, p) = b))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_Tree(p:Tree pointer, a:int, b:int,
 Tree_alloc_table:Tree alloc_table) =
 ((offset_min(Tree_alloc_table, p) = a)
 and (offset_max(Tree_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_Tree(p:Tree pointer, a:int, b:int,
 Tree_alloc_table:Tree alloc_table) =
 ((offset_min(Tree_alloc_table, p) <= a)
 and (offset_max(Tree_alloc_table, p) >= b))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_Tree(p:Tree pointer, a:int, b:int,
 Tree_alloc_table:Tree alloc_table) =
 ((offset_min(Tree_alloc_table, p) <= a)
 and (offset_max(Tree_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_tree(t_8:Tree pointer,
 Tree_t_8_5_alloc_table_at_L:Tree alloc_table,
 Tree_right_t_8_5_at_L:(Tree, Tree pointer) memory,
 Tree_left_t_8_5_at_L:(Tree, Tree pointer) memory) =
 (exists s_1:int.
  has_size(t_8, s_1, Tree_t_8_5_alloc_table_at_L, Tree_right_t_8_5_at_L,
  Tree_left_t_8_5_at_L))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

axiom mem_null :
 (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
  (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
   (forall Tree_value_t_1_at_L:(Tree, int32) memory.
    (forall x_0_0:int32.
     (not mem(x_0_0, null, Tree_right_t_1_at_L, Tree_left_t_1_at_L,
          Tree_value_t_1_at_L))))))

axiom mem_root :
 (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
  (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
   (forall Tree_value_t_1_at_L:(Tree, int32) memory.
    (forall t_0_0:Tree pointer.
     ((t_0_0 <> null) ->
      mem(select(Tree_value_t_1_at_L, t_0_0), t_0_0, Tree_right_t_1_at_L,
      Tree_left_t_1_at_L, Tree_value_t_1_at_L))))))

axiom mem_root_eq :
 (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
  (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
   (forall Tree_value_t_1_at_L:(Tree, int32) memory.
    (forall x_1_0:int32.
     (forall t_1:Tree pointer.
      ((t_1 <> null) ->
       ((integer_of_int32(x_1_0) = integer_of_int32(select(Tree_value_t_1_at_L,
                                                    t_1))) ->
        mem(x_1_0, t_1, Tree_right_t_1_at_L, Tree_left_t_1_at_L,
        Tree_value_t_1_at_L))))))))

axiom mem_left :
 (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
  (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
   (forall Tree_value_t_1_at_L:(Tree, int32) memory.
    (forall x_2:int32.
     (forall t_2:Tree pointer.
      ((t_2 <> null) ->
       (mem(x_2, select(Tree_left_t_1_at_L, t_2), Tree_right_t_1_at_L,
        Tree_left_t_1_at_L, Tree_value_t_1_at_L) ->
        mem(x_2, t_2, Tree_right_t_1_at_L, Tree_left_t_1_at_L,
        Tree_value_t_1_at_L))))))))

axiom mem_right :
 (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
  (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
   (forall Tree_value_t_1_at_L:(Tree, int32) memory.
    (forall x_3:int32.
     (forall t_3:Tree pointer.
      ((t_3 <> null) ->
       (mem(x_3, select(Tree_right_t_1_at_L, t_3), Tree_right_t_1_at_L,
        Tree_left_t_1_at_L, Tree_value_t_1_at_L) ->
        mem(x_3, t_3, Tree_right_t_1_at_L, Tree_left_t_1_at_L,
        Tree_value_t_1_at_L))))))))

axiom mem_inversion :
 (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
  (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
   (forall Tree_value_t_1_at_L:(Tree, int32) memory.
    (forall x_4:int32.
     (forall t_4:Tree pointer.
      (mem(x_4, t_4, Tree_right_t_1_at_L, Tree_left_t_1_at_L,
       Tree_value_t_1_at_L) ->
       ((t_4 <> null)
       and ((integer_of_int32(x_4) = integer_of_int32(select(Tree_value_t_1_at_L,
                                                      t_4)))
           or (mem(x_4, select(Tree_left_t_1_at_L, t_4), Tree_right_t_1_at_L,
               Tree_left_t_1_at_L, Tree_value_t_1_at_L)
              or mem(x_4, select(Tree_right_t_1_at_L, t_4),
                 Tree_right_t_1_at_L, Tree_left_t_1_at_L,
                 Tree_value_t_1_at_L))))))))))

axiom has_size_null :
 (forall Tree_t_5_2_alloc_table_at_L:Tree alloc_table.
  (forall Tree_right_t_5_2_at_L:(Tree, Tree pointer) memory.
   (forall Tree_left_t_5_2_at_L:(Tree, Tree pointer) memory.
    has_size(null, (0), Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
    Tree_left_t_5_2_at_L))))

axiom has_size_non_null :
 (forall Tree_t_5_2_alloc_table_at_L:Tree alloc_table.
  (forall Tree_right_t_5_2_at_L:(Tree, Tree pointer) memory.
   (forall Tree_left_t_5_2_at_L:(Tree, Tree pointer) memory.
    (forall t_6:Tree pointer.
     ((le_int(offset_min(Tree_t_5_2_alloc_table_at_L, t_6), (0))
      and ge_int(offset_max(Tree_t_5_2_alloc_table_at_L, t_6), (0))) ->
      (forall s1_1:int.
       (forall s2_1:int.
        ((has_size(select(Tree_left_t_5_2_at_L, t_6), s1_1,
          Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
          Tree_left_t_5_2_at_L)
         and has_size(select(Tree_right_t_5_2_at_L, t_6), s2_1,
             Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
             Tree_left_t_5_2_at_L)) ->
         has_size(t_6, add_int(add_int(s1_1, s2_1), (1)),
         Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
         Tree_left_t_5_2_at_L)))))))))

axiom has_size_inversion :
 (forall Tree_t_5_2_alloc_table_at_L:Tree alloc_table.
  (forall Tree_right_t_5_2_at_L:(Tree, Tree pointer) memory.
   (forall Tree_left_t_5_2_at_L:(Tree, Tree pointer) memory.
    (forall t_7:Tree pointer.
     (forall s_0_0:int.
      (has_size(t_7, s_0_0, Tree_t_5_2_alloc_table_at_L,
       Tree_right_t_5_2_at_L, Tree_left_t_5_2_at_L) ->
       (((t_7 = null) and (s_0_0 = (0)))
       or (le_int(offset_min(Tree_t_5_2_alloc_table_at_L, t_7), (0))
          and (ge_int(offset_max(Tree_t_5_2_alloc_table_at_L, t_7), (0))
              and (exists s1_0_0:int.
                   (exists s2_0_0:int.
                    (has_size(select(Tree_left_t_5_2_at_L, t_7), s1_0_0,
                     Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
                     Tree_left_t_5_2_at_L)
                    and (has_size(select(Tree_right_t_5_2_at_L, t_7), s2_0_0,
                         Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
                         Tree_left_t_5_2_at_L)
                        and (le_int((0), s1_0_0)
                            and (le_int((0), s2_0_0)
                                and (s_0_0 = add_int(add_int(s1_0_0, s2_0_0),
                                             (1))))))))))))))))))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter Tree_alloc_table : Tree alloc_table ref

parameter Tree_tag_table : Tree tag_table ref

parameter alloc_struct_Tree :
 n:int ->
  Tree_alloc_table:Tree alloc_table ref ->
   Tree_tag_table:Tree tag_table ref ->
    { } Tree pointer writes Tree_alloc_table,Tree_tag_table
    { (strict_valid_struct_Tree(result, (0), sub_int(n, (1)),
       Tree_alloc_table)
      and (alloc_extends(Tree_alloc_table@, Tree_alloc_table)
          and (alloc_fresh(Tree_alloc_table@, result, n)
              and instanceof(Tree_tag_table, result, Tree_tag)))) }

parameter alloc_struct_Tree_requires :
 n:int ->
  Tree_alloc_table:Tree alloc_table ref ->
   Tree_tag_table:Tree tag_table ref ->
    { ge_int(n, (0))} Tree pointer writes Tree_alloc_table,Tree_tag_table
    { (strict_valid_struct_Tree(result, (0), sub_int(n, (1)),
       Tree_alloc_table)
      and (alloc_extends(Tree_alloc_table@, Tree_alloc_table)
          and (alloc_fresh(Tree_alloc_table@, result, n)
              and instanceof(Tree_tag_table, result, Tree_tag)))) }

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter max :
 x_0:int32 ->
  y:int32 ->
   { } int32
   { (JC_7:
     (integer_of_int32(result) = int_max(integer_of_int32(x_0),
                                 integer_of_int32(y)))) }

parameter max_requires :
 x_0:int32 ->
  y:int32 ->
   { } int32
   { (JC_7:
     (integer_of_int32(result) = int_max(integer_of_int32(x_0),
                                 integer_of_int32(y)))) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter tree_max :
 t_0:Tree pointer ->
  Tree_t_6_alloc_table:Tree alloc_table ->
   Tree_right_t_6:(Tree, Tree pointer) memory ->
    Tree_left_t_6:(Tree, Tree pointer) memory ->
     Tree_value_t_6:(Tree, int32) memory ->
      { } int32
      { (JC_24:
        ((JC_22:
         mem(result, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6))
        and (JC_23:
            (forall x_5:int32.
             (mem(x_5, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
              ge_int(integer_of_int32(result), integer_of_int32(x_5))))))) }

parameter tree_max_requires :
 t_0:Tree pointer ->
  Tree_t_6_alloc_table:Tree alloc_table ->
   Tree_right_t_6:(Tree, Tree pointer) memory ->
    Tree_left_t_6:(Tree, Tree pointer) memory ->
     Tree_value_t_6:(Tree, int32) memory ->
      { (JC_13:
        ((JC_11: (t_0 <> null))
        and (JC_12:
            valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
            Tree_left_t_6))))}
      int32
      { (JC_24:
        ((JC_22:
         mem(result, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6))
        and (JC_23:
            (forall x_5:int32.
             (mem(x_5, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
              ge_int(integer_of_int32(result), integer_of_int32(x_5))))))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let tree_max_ensures_default =
 fun (t_0 : Tree pointer) (Tree_t_6_alloc_table : Tree alloc_table) (Tree_value_t_6 : (Tree, int32) memory) (Tree_left_t_6 : (Tree, Tree pointer) memory) (Tree_right_t_6 : (Tree, Tree pointer) memory) ->
  { (JC_17:
    ((JC_15: (t_0 <> null))
    and (JC_16:
        valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6, Tree_left_t_6)))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let m = ref (any_int32 void) in
     (let tmp = ref (any_int32 void) in
     (let tmp_0 = ref (any_int32 void) in
     begin
       (let _jessie_ = (m := ((safe_acc_ Tree_value_t_6) t_0)) in void);
      (if ((safe_neq_pointer ((safe_acc_ Tree_left_t_6) t_0)) null)
      then
       (let _jessie_ =
       begin
         (let _jessie_ =
         (tmp := (let _jessie_ = ((safe_acc_ Tree_left_t_6) t_0) in
                 (JC_36:
                 (((((tree_max _jessie_) Tree_t_6_alloc_table) Tree_right_t_6) Tree_left_t_6) Tree_value_t_6)))) in
         void);
        (m := (let _jessie_ = !m in
              (let _jessie_ = !tmp in
              (JC_37: ((max _jessie_) _jessie_))))); !m end in void)
      else void);
      (if ((safe_neq_pointer ((safe_acc_ Tree_right_t_6) t_0)) null)
      then
       (let _jessie_ =
       begin
         (let _jessie_ =
         (tmp_0 := (let _jessie_ = ((safe_acc_ Tree_right_t_6) t_0) in
                   (JC_38:
                   (((((tree_max _jessie_) Tree_t_6_alloc_table) Tree_right_t_6) Tree_left_t_6) Tree_value_t_6)))) in
         void);
        (m := (let _jessie_ = !m in
              (let _jessie_ = !tmp_0 in
              (JC_39: ((max _jessie_) _jessie_))))); !m end in void)
      else void); (return := !m); (raise Return) end))); absurd  end with
   Return -> !return end))
  { (JC_21:
    ((JC_19: mem(result, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6))
    and (JC_20:
        (forall x_5:int32.
         (mem(x_5, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
          ge_int(integer_of_int32(result), integer_of_int32(x_5))))))) }

let tree_max_safety =
 fun (t_0 : Tree pointer) (Tree_t_6_alloc_table : Tree alloc_table) (Tree_value_t_6 : (Tree, int32) memory) (Tree_left_t_6 : (Tree, Tree pointer) memory) (Tree_right_t_6 : (Tree, Tree pointer) memory) ->
  { (JC_17:
    ((JC_15: (t_0 <> null))
    and (JC_16:
        valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6, Tree_left_t_6)))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let m = ref (any_int32 void) in
     (let tmp = ref (any_int32 void) in
     (let tmp_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (m := (JC_27: (((acc_ Tree_t_6_alloc_table) Tree_value_t_6) t_0))) in
       void);
      (if ((neq_pointer (JC_28:
                        (((acc_ Tree_t_6_alloc_table) Tree_left_t_6) t_0))) null)
      then
       (let _jessie_ =
       begin
         (let _jessie_ =
         (tmp := (let _jessie_ =
                 (JC_29: (((acc_ Tree_t_6_alloc_table) Tree_left_t_6) t_0)) in
                 (JC_30:
                 (((((tree_max_requires _jessie_) Tree_t_6_alloc_table) Tree_right_t_6) Tree_left_t_6) Tree_value_t_6)))) in
         void);
        (m := (let _jessie_ = !m in
              (let _jessie_ = !tmp in
              (JC_31: ((max_requires _jessie_) _jessie_))))); !m end in
       void) else void);
      (if ((neq_pointer (JC_32:
                        (((acc_ Tree_t_6_alloc_table) Tree_right_t_6) t_0))) null)
      then
       (let _jessie_ =
       begin
         (let _jessie_ =
         (tmp_0 := (let _jessie_ =
                   (JC_33:
                   (((acc_ Tree_t_6_alloc_table) Tree_right_t_6) t_0)) in
                   (JC_34:
                   (((((tree_max_requires _jessie_) Tree_t_6_alloc_table) Tree_right_t_6) Tree_left_t_6) Tree_value_t_6)))) in
         void);
        (m := (let _jessie_ = !m in
              (let _jessie_ = !tmp_0 in
              (JC_35: ((max_requires _jessie_) _jessie_))))); !m end in
       void) else void); (return := !m); (raise Return) end))); absurd  end
   with Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/tree_max.why
========== file tests/c/tree_max.jessie/why/tree_max_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Tree

type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic Tree_tag : Tree tag_id

axiom Tree_int: (int_of_tag(Tree_tag) = 1)

logic Tree_of_pointer_address : unit pointer -> Tree pointer

axiom Tree_of_pointer_address_of_pointer_addr:
  (forall p:Tree pointer. (p = Tree_of_pointer_address(pointer_address(p))))

axiom Tree_parenttag_bottom: parenttag(Tree_tag, bottom_tag)

axiom Tree_tags:
  (forall x:Tree pointer.
    (forall Tree_tag_table:Tree tag_table. instanceof(Tree_tag_table, x,
      Tree_tag)))

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic has_size : Tree pointer, int, Tree alloc_table, (Tree,
Tree pointer) memory, (Tree, Tree pointer) memory -> prop

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_Tree(p: Tree pointer, a: int,
  Tree_alloc_table: Tree alloc_table) = (offset_min(Tree_alloc_table,
  p) <= a)

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

logic mem : int32, Tree pointer, (Tree, Tree pointer) memory, (Tree,
Tree pointer) memory, (Tree, int32) memory -> prop

axiom pointer_addr_of_Tree_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(Tree_of_pointer_address(p))))

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_Tree(p: Tree pointer, b: int,
  Tree_alloc_table: Tree alloc_table) = (offset_max(Tree_alloc_table,
  p) >= b)

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate size_decreases(t1: Tree pointer, t2: Tree pointer,
  Tree_t2_4_alloc_table_at_L: Tree alloc_table,
  Tree_t1_3_alloc_table_at_L: Tree alloc_table, Tree_right_t2_4_at_L: (Tree,
  Tree pointer) memory, Tree_right_t1_3_at_L: (Tree, Tree pointer) memory,
  Tree_left_t2_4_at_L: (Tree, Tree pointer) memory,
  Tree_left_t1_3_at_L: (Tree, Tree pointer) memory) =
  (exists s1_1_0:int.
    (exists s2_1_0:int.
      (has_size(t1, s1_1_0, Tree_t1_3_alloc_table_at_L, Tree_right_t1_3_at_L,
       Tree_left_t1_3_at_L) and
       (has_size(t2, s2_1_0, Tree_t2_4_alloc_table_at_L,
        Tree_right_t2_4_at_L, Tree_left_t2_4_at_L) and (s1_1_0 > s2_1_0)))))

predicate strict_valid_root_Tree(p: Tree pointer, a: int, b: int,
  Tree_alloc_table: Tree alloc_table) =
  ((offset_min(Tree_alloc_table, p) = a) and (offset_max(Tree_alloc_table,
   p) = b))

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_Tree(p: Tree pointer, a: int, b: int,
  Tree_alloc_table: Tree alloc_table) =
  ((offset_min(Tree_alloc_table, p) = a) and (offset_max(Tree_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_Tree(p: Tree pointer, a: int, b: int,
  Tree_alloc_table: Tree alloc_table) =
  ((offset_min(Tree_alloc_table, p) <= a) and (offset_max(Tree_alloc_table,
   p) >= b))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_Tree(p: Tree pointer, a: int, b: int,
  Tree_alloc_table: Tree alloc_table) =
  ((offset_min(Tree_alloc_table, p) <= a) and (offset_max(Tree_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_tree(t_8: Tree pointer,
  Tree_t_8_5_alloc_table_at_L: Tree alloc_table,
  Tree_right_t_8_5_at_L: (Tree, Tree pointer) memory,
  Tree_left_t_8_5_at_L: (Tree, Tree pointer) memory) =
  (exists s_1:int. has_size(t_8, s_1, Tree_t_8_5_alloc_table_at_L,
    Tree_right_t_8_5_at_L, Tree_left_t_8_5_at_L))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

axiom mem_null:
  (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
    (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
      (forall Tree_value_t_1_at_L:(Tree, int32) memory.
        (forall x_0_0:int32. (not mem(x_0_0, null, Tree_right_t_1_at_L,
          Tree_left_t_1_at_L, Tree_value_t_1_at_L))))))

axiom mem_root:
  (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
    (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
      (forall Tree_value_t_1_at_L:(Tree, int32) memory.
        (forall t_0_0:Tree pointer.
          ((t_0_0 <> null) -> mem(select(Tree_value_t_1_at_L, t_0_0), t_0_0,
           Tree_right_t_1_at_L, Tree_left_t_1_at_L, Tree_value_t_1_at_L))))))

axiom mem_root_eq:
  (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
    (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
      (forall Tree_value_t_1_at_L:(Tree, int32) memory.
        (forall x_1_0:int32.
          (forall t_1:Tree pointer.
            ((t_1 <> null) ->
             ((integer_of_int32(x_1_0) = integer_of_int32(select(Tree_value_t_1_at_L,
              t_1))) -> mem(x_1_0, t_1, Tree_right_t_1_at_L,
              Tree_left_t_1_at_L, Tree_value_t_1_at_L))))))))

axiom mem_left:
  (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
    (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
      (forall Tree_value_t_1_at_L:(Tree, int32) memory.
        (forall x_2:int32.
          (forall t_2:Tree pointer.
            ((t_2 <> null) ->
             (mem(x_2, select(Tree_left_t_1_at_L, t_2), Tree_right_t_1_at_L,
              Tree_left_t_1_at_L, Tree_value_t_1_at_L) -> mem(x_2, t_2,
              Tree_right_t_1_at_L, Tree_left_t_1_at_L, Tree_value_t_1_at_L))))))))

axiom mem_right:
  (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
    (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
      (forall Tree_value_t_1_at_L:(Tree, int32) memory.
        (forall x_3:int32.
          (forall t_3:Tree pointer.
            ((t_3 <> null) ->
             (mem(x_3, select(Tree_right_t_1_at_L, t_3), Tree_right_t_1_at_L,
              Tree_left_t_1_at_L, Tree_value_t_1_at_L) -> mem(x_3, t_3,
              Tree_right_t_1_at_L, Tree_left_t_1_at_L, Tree_value_t_1_at_L))))))))

axiom mem_inversion:
  (forall Tree_right_t_1_at_L:(Tree, Tree pointer) memory.
    (forall Tree_left_t_1_at_L:(Tree, Tree pointer) memory.
      (forall Tree_value_t_1_at_L:(Tree, int32) memory.
        (forall x_4:int32.
          (forall t_4:Tree pointer.
            (mem(x_4, t_4, Tree_right_t_1_at_L, Tree_left_t_1_at_L,
             Tree_value_t_1_at_L) ->
             ((t_4 <> null) and
              ((integer_of_int32(x_4) = integer_of_int32(select(Tree_value_t_1_at_L,
               t_4))) or
               (mem(x_4, select(Tree_left_t_1_at_L, t_4),
                Tree_right_t_1_at_L, Tree_left_t_1_at_L,
                Tree_value_t_1_at_L) or mem(x_4, select(Tree_right_t_1_at_L,
                t_4), Tree_right_t_1_at_L, Tree_left_t_1_at_L,
                Tree_value_t_1_at_L))))))))))

axiom has_size_null:
  (forall Tree_t_5_2_alloc_table_at_L:Tree alloc_table.
    (forall Tree_right_t_5_2_at_L:(Tree, Tree pointer) memory.
      (forall Tree_left_t_5_2_at_L:(Tree, Tree pointer) memory.
        has_size(null, 0, Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
        Tree_left_t_5_2_at_L))))

axiom has_size_non_null:
  (forall Tree_t_5_2_alloc_table_at_L:Tree alloc_table.
    (forall Tree_right_t_5_2_at_L:(Tree, Tree pointer) memory.
      (forall Tree_left_t_5_2_at_L:(Tree, Tree pointer) memory.
        (forall t_6:Tree pointer.
          (((offset_min(Tree_t_5_2_alloc_table_at_L, t_6) <= 0) and
            (offset_max(Tree_t_5_2_alloc_table_at_L, t_6) >= 0)) ->
           (forall s1_1:int.
             (forall s2_1:int.
               ((has_size(select(Tree_left_t_5_2_at_L, t_6), s1_1,
                 Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
                 Tree_left_t_5_2_at_L) and
                 has_size(select(Tree_right_t_5_2_at_L, t_6), s2_1,
                 Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
                 Tree_left_t_5_2_at_L)) ->
                has_size(t_6, ((s1_1 + s2_1) + 1),
                Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
                Tree_left_t_5_2_at_L)))))))))

axiom has_size_inversion:
  (forall Tree_t_5_2_alloc_table_at_L:Tree alloc_table.
    (forall Tree_right_t_5_2_at_L:(Tree, Tree pointer) memory.
      (forall Tree_left_t_5_2_at_L:(Tree, Tree pointer) memory.
        (forall t_7:Tree pointer.
          (forall s_0_0:int.
            (has_size(t_7, s_0_0, Tree_t_5_2_alloc_table_at_L,
             Tree_right_t_5_2_at_L, Tree_left_t_5_2_at_L) ->
             (((t_7 = null) and (s_0_0 = 0)) or
              ((offset_min(Tree_t_5_2_alloc_table_at_L, t_7) <= 0) and
               ((offset_max(Tree_t_5_2_alloc_table_at_L, t_7) >= 0) and
                (exists s1_0_0:int.
                  (exists s2_0_0:int.
                    (has_size(select(Tree_left_t_5_2_at_L, t_7), s1_0_0,
                     Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
                     Tree_left_t_5_2_at_L) and
                     (has_size(select(Tree_right_t_5_2_at_L, t_7), s2_0_0,
                      Tree_t_5_2_alloc_table_at_L, Tree_right_t_5_2_at_L,
                      Tree_left_t_5_2_at_L) and
                      ((0 <= s1_0_0) and
                       ((0 <= s2_0_0) and (s_0_0 = ((s1_0_0 + s2_0_0) + 1)))))))))))))))))

goal tree_max_ensures_default_po_1:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (result0 <> null) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_left_t_6, t_0)) ->
  forall result2:int32.
  ("JC_24":
  (("JC_22": mem(result2, result1, Tree_right_t_6, Tree_left_t_6,
   Tree_value_t_6)) and
   ("JC_23":
   (forall x_5:int32.
     (mem(x_5, result1, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
      (integer_of_int32(result2) >= integer_of_int32(x_5))))))) ->
  forall tmp:int32.
  (tmp = result2) ->
  forall result3:int32.
  ("JC_7": (integer_of_int32(result3) = int_max(integer_of_int32(m),
  integer_of_int32(tmp)))) ->
  forall m0:int32.
  (m0 = result3) ->
  forall result4:Tree pointer.
  (result4 = select(Tree_right_t_6, t_0)) ->
  (result4 <> null) ->
  forall result5:Tree pointer.
  (result5 = select(Tree_right_t_6, t_0)) ->
  forall result6:int32.
  ("JC_24":
  (("JC_22": mem(result6, result5, Tree_right_t_6, Tree_left_t_6,
   Tree_value_t_6)) and
   ("JC_23":
   (forall x_5:int32.
     (mem(x_5, result5, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
      (integer_of_int32(result6) >= integer_of_int32(x_5))))))) ->
  forall tmp_0:int32.
  (tmp_0 = result6) ->
  forall result7:int32.
  ("JC_7": (integer_of_int32(result7) = int_max(integer_of_int32(m0),
  integer_of_int32(tmp_0)))) ->
  forall m1:int32.
  (m1 = result7) ->
  forall return:int32.
  (return = m1) ->
  ("JC_21":
  ("JC_19": mem(return, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6)))

goal tree_max_ensures_default_po_2:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (result0 <> null) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_left_t_6, t_0)) ->
  forall result2:int32.
  ("JC_24":
  (("JC_22": mem(result2, result1, Tree_right_t_6, Tree_left_t_6,
   Tree_value_t_6)) and
   ("JC_23":
   (forall x_5:int32.
     (mem(x_5, result1, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
      (integer_of_int32(result2) >= integer_of_int32(x_5))))))) ->
  forall tmp:int32.
  (tmp = result2) ->
  forall result3:int32.
  ("JC_7": (integer_of_int32(result3) = int_max(integer_of_int32(m),
  integer_of_int32(tmp)))) ->
  forall m0:int32.
  (m0 = result3) ->
  forall result4:Tree pointer.
  (result4 = select(Tree_right_t_6, t_0)) ->
  (result4 <> null) ->
  forall result5:Tree pointer.
  (result5 = select(Tree_right_t_6, t_0)) ->
  forall result6:int32.
  ("JC_24":
  (("JC_22": mem(result6, result5, Tree_right_t_6, Tree_left_t_6,
   Tree_value_t_6)) and
   ("JC_23":
   (forall x_5:int32.
     (mem(x_5, result5, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
      (integer_of_int32(result6) >= integer_of_int32(x_5))))))) ->
  forall tmp_0:int32.
  (tmp_0 = result6) ->
  forall result7:int32.
  ("JC_7": (integer_of_int32(result7) = int_max(integer_of_int32(m0),
  integer_of_int32(tmp_0)))) ->
  forall m1:int32.
  (m1 = result7) ->
  forall return:int32.
  (return = m1) ->
  forall x_5:int32.
  mem(x_5, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
  ("JC_21": ("JC_20": (integer_of_int32(return) >= integer_of_int32(x_5))))

goal tree_max_ensures_default_po_3:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (result0 <> null) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_left_t_6, t_0)) ->
  forall result2:int32.
  ("JC_24":
  (("JC_22": mem(result2, result1, Tree_right_t_6, Tree_left_t_6,
   Tree_value_t_6)) and
   ("JC_23":
   (forall x_5:int32.
     (mem(x_5, result1, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
      (integer_of_int32(result2) >= integer_of_int32(x_5))))))) ->
  forall tmp:int32.
  (tmp = result2) ->
  forall result3:int32.
  ("JC_7": (integer_of_int32(result3) = int_max(integer_of_int32(m),
  integer_of_int32(tmp)))) ->
  forall m0:int32.
  (m0 = result3) ->
  forall result4:Tree pointer.
  (result4 = select(Tree_right_t_6, t_0)) ->
  (result4 = null) ->
  forall return:int32.
  (return = m0) ->
  ("JC_21":
  ("JC_19": mem(return, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6)))

goal tree_max_ensures_default_po_4:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (result0 <> null) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_left_t_6, t_0)) ->
  forall result2:int32.
  ("JC_24":
  (("JC_22": mem(result2, result1, Tree_right_t_6, Tree_left_t_6,
   Tree_value_t_6)) and
   ("JC_23":
   (forall x_5:int32.
     (mem(x_5, result1, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
      (integer_of_int32(result2) >= integer_of_int32(x_5))))))) ->
  forall tmp:int32.
  (tmp = result2) ->
  forall result3:int32.
  ("JC_7": (integer_of_int32(result3) = int_max(integer_of_int32(m),
  integer_of_int32(tmp)))) ->
  forall m0:int32.
  (m0 = result3) ->
  forall result4:Tree pointer.
  (result4 = select(Tree_right_t_6, t_0)) ->
  (result4 = null) ->
  forall return:int32.
  (return = m0) ->
  forall x_5:int32.
  mem(x_5, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
  ("JC_21": ("JC_20": (integer_of_int32(return) >= integer_of_int32(x_5))))

goal tree_max_ensures_default_po_5:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (result0 = null) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_right_t_6, t_0)) ->
  (result1 <> null) ->
  forall result2:Tree pointer.
  (result2 = select(Tree_right_t_6, t_0)) ->
  forall result3:int32.
  ("JC_24":
  (("JC_22": mem(result3, result2, Tree_right_t_6, Tree_left_t_6,
   Tree_value_t_6)) and
   ("JC_23":
   (forall x_5:int32.
     (mem(x_5, result2, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
      (integer_of_int32(result3) >= integer_of_int32(x_5))))))) ->
  forall tmp_0:int32.
  (tmp_0 = result3) ->
  forall result4:int32.
  ("JC_7": (integer_of_int32(result4) = int_max(integer_of_int32(m),
  integer_of_int32(tmp_0)))) ->
  forall m0:int32.
  (m0 = result4) ->
  forall return:int32.
  (return = m0) ->
  ("JC_21":
  ("JC_19": mem(return, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6)))

goal tree_max_ensures_default_po_6:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (result0 = null) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_right_t_6, t_0)) ->
  (result1 <> null) ->
  forall result2:Tree pointer.
  (result2 = select(Tree_right_t_6, t_0)) ->
  forall result3:int32.
  ("JC_24":
  (("JC_22": mem(result3, result2, Tree_right_t_6, Tree_left_t_6,
   Tree_value_t_6)) and
   ("JC_23":
   (forall x_5:int32.
     (mem(x_5, result2, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
      (integer_of_int32(result3) >= integer_of_int32(x_5))))))) ->
  forall tmp_0:int32.
  (tmp_0 = result3) ->
  forall result4:int32.
  ("JC_7": (integer_of_int32(result4) = int_max(integer_of_int32(m),
  integer_of_int32(tmp_0)))) ->
  forall m0:int32.
  (m0 = result4) ->
  forall return:int32.
  (return = m0) ->
  forall x_5:int32.
  mem(x_5, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
  ("JC_21": ("JC_20": (integer_of_int32(return) >= integer_of_int32(x_5))))

goal tree_max_ensures_default_po_7:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (result0 = null) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_right_t_6, t_0)) ->
  (result1 = null) ->
  forall return:int32.
  (return = m) ->
  ("JC_21":
  ("JC_19": mem(return, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6)))

goal tree_max_ensures_default_po_8:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (result0 = null) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_right_t_6, t_0)) ->
  (result1 = null) ->
  forall return:int32.
  (return = m) ->
  forall x_5:int32.
  mem(x_5, t_0, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
  ("JC_21": ("JC_20": (integer_of_int32(return) >= integer_of_int32(x_5))))

goal tree_max_safety_po_1:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  (offset_min(Tree_t_6_alloc_table, t_0) <= 0)

goal tree_max_safety_po_2:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  (0 <= offset_max(Tree_t_6_alloc_table, t_0))

goal tree_max_safety_po_3:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (same_block(result0, null) or ((result0 = null) or (null = null)))

goal tree_max_safety_po_4:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (same_block(result0, null) or ((result0 = null) or (null = null))) ->
  (result0 <> null) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_left_t_6, t_0)) ->
  ("JC_13": ("JC_11": (result1 <> null)))

goal tree_max_safety_po_5:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (same_block(result0, null) or ((result0 = null) or (null = null))) ->
  (result0 <> null) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_left_t_6, t_0)) ->
  ("JC_13":
  ("JC_12": valid_tree(result1, Tree_t_6_alloc_table, Tree_right_t_6,
  Tree_left_t_6)))

goal tree_max_safety_po_6:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (same_block(result0, null) or ((result0 = null) or (null = null))) ->
  (result0 <> null) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_left_t_6, t_0)) ->
  ("JC_13":
  (("JC_11": (result1 <> null)) and
   ("JC_12": valid_tree(result1, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  forall result2:int32.
  ("JC_24":
  (("JC_22": mem(result2, result1, Tree_right_t_6, Tree_left_t_6,
   Tree_value_t_6)) and
   ("JC_23":
   (forall x_5:int32.
     (mem(x_5, result1, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
      (integer_of_int32(result2) >= integer_of_int32(x_5))))))) ->
  forall tmp:int32.
  (tmp = result2) ->
  forall result3:int32.
  ("JC_7": (integer_of_int32(result3) = int_max(integer_of_int32(m),
  integer_of_int32(tmp)))) ->
  forall m0:int32.
  (m0 = result3) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result4:Tree pointer.
  (result4 = select(Tree_right_t_6, t_0)) ->
  (same_block(result4, null) or ((result4 = null) or (null = null)))

goal tree_max_safety_po_7:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (same_block(result0, null) or ((result0 = null) or (null = null))) ->
  (result0 <> null) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_left_t_6, t_0)) ->
  ("JC_13":
  (("JC_11": (result1 <> null)) and
   ("JC_12": valid_tree(result1, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  forall result2:int32.
  ("JC_24":
  (("JC_22": mem(result2, result1, Tree_right_t_6, Tree_left_t_6,
   Tree_value_t_6)) and
   ("JC_23":
   (forall x_5:int32.
     (mem(x_5, result1, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
      (integer_of_int32(result2) >= integer_of_int32(x_5))))))) ->
  forall tmp:int32.
  (tmp = result2) ->
  forall result3:int32.
  ("JC_7": (integer_of_int32(result3) = int_max(integer_of_int32(m),
  integer_of_int32(tmp)))) ->
  forall m0:int32.
  (m0 = result3) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result4:Tree pointer.
  (result4 = select(Tree_right_t_6, t_0)) ->
  (same_block(result4, null) or ((result4 = null) or (null = null))) ->
  (result4 <> null) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result5:Tree pointer.
  (result5 = select(Tree_right_t_6, t_0)) ->
  ("JC_13": ("JC_11": (result5 <> null)))

goal tree_max_safety_po_8:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (same_block(result0, null) or ((result0 = null) or (null = null))) ->
  (result0 <> null) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_left_t_6, t_0)) ->
  ("JC_13":
  (("JC_11": (result1 <> null)) and
   ("JC_12": valid_tree(result1, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  forall result2:int32.
  ("JC_24":
  (("JC_22": mem(result2, result1, Tree_right_t_6, Tree_left_t_6,
   Tree_value_t_6)) and
   ("JC_23":
   (forall x_5:int32.
     (mem(x_5, result1, Tree_right_t_6, Tree_left_t_6, Tree_value_t_6) ->
      (integer_of_int32(result2) >= integer_of_int32(x_5))))))) ->
  forall tmp:int32.
  (tmp = result2) ->
  forall result3:int32.
  ("JC_7": (integer_of_int32(result3) = int_max(integer_of_int32(m),
  integer_of_int32(tmp)))) ->
  forall m0:int32.
  (m0 = result3) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result4:Tree pointer.
  (result4 = select(Tree_right_t_6, t_0)) ->
  (same_block(result4, null) or ((result4 = null) or (null = null))) ->
  (result4 <> null) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result5:Tree pointer.
  (result5 = select(Tree_right_t_6, t_0)) ->
  ("JC_13":
  ("JC_12": valid_tree(result5, Tree_t_6_alloc_table, Tree_right_t_6,
  Tree_left_t_6)))

goal tree_max_safety_po_9:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (same_block(result0, null) or ((result0 = null) or (null = null))) ->
  (result0 = null) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_right_t_6, t_0)) ->
  (same_block(result1, null) or ((result1 = null) or (null = null)))

goal tree_max_safety_po_10:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (same_block(result0, null) or ((result0 = null) or (null = null))) ->
  (result0 = null) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_right_t_6, t_0)) ->
  (same_block(result1, null) or ((result1 = null) or (null = null))) ->
  (result1 <> null) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result2:Tree pointer.
  (result2 = select(Tree_right_t_6, t_0)) ->
  ("JC_13": ("JC_11": (result2 <> null)))

goal tree_max_safety_po_11:
  forall t_0:Tree pointer.
  forall Tree_t_6_alloc_table:Tree alloc_table.
  forall Tree_value_t_6:(Tree, int32) memory.
  forall Tree_left_t_6:(Tree,
  Tree pointer) memory.
  forall Tree_right_t_6:(Tree,
  Tree pointer) memory.
  ("JC_17":
  (("JC_15": (t_0 <> null)) and
   ("JC_16": valid_tree(t_0, Tree_t_6_alloc_table, Tree_right_t_6,
   Tree_left_t_6)))) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result:int32.
  (result = select(Tree_value_t_6, t_0)) ->
  forall m:int32.
  (m = result) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result0:Tree pointer.
  (result0 = select(Tree_left_t_6, t_0)) ->
  (same_block(result0, null) or ((result0 = null) or (null = null))) ->
  (result0 = null) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result1:Tree pointer.
  (result1 = select(Tree_right_t_6, t_0)) ->
  (same_block(result1, null) or ((result1 = null) or (null = null))) ->
  (result1 <> null) ->
  ((offset_min(Tree_t_6_alloc_table, t_0) <= 0) and
   (0 <= offset_max(Tree_t_6_alloc_table, t_0))) ->
  forall result2:Tree pointer.
  (result2 = select(Tree_right_t_6, t_0)) ->
  ("JC_13":
  ("JC_12": valid_tree(result2, Tree_t_6_alloc_table, Tree_right_t_6,
  Tree_left_t_6)))

why-2.34/tests/c/oracle/eps_line1.err.oracle0000644000175000017500000000000012311670312017271 0ustar  rtuserswhy-2.34/tests/c/oracle/sum_array.res.oracle0000644000175000017500000034031512311670312017435 0ustar  rtusers========== file tests/c/sum_array.c ==========

#pragma JessieIntegerModel(math)

/*@ axiomatic Sum {
  @   // sum(t,i,j) denotes t[i]+...+t[j-1]
  @   logic integer sum{L}(int *t, integer i, integer j)
  @        reads i,j,t, t[..] ;
  @   axiom sum1{L} :
  @     \forall int *t, integer i; sum(t,i,i) == 0;
  @   axiom sum2{L} :
  @     \forall int *t, integer i, j;
  @       sum(t,i,j+1) == sum(t,i,j) + t[j];
  @ }
  @*/

/*@ lemma sum3{L} :
  @     \forall int *t, integer i, j, k;
  @       i <= j <= k ==>
  @         sum(t,i,k) == sum(t,i,j) + sum(t,j,k);
  @*/

/*@ lemma sum_footprint{L} :
  @     \forall int *t1,*t2, integer i, j;
  @       (\forall integer k; i<=k t1[k] == t2[k]) ==>
  @       sum(t1,i,j) == sum(t2,i,j);
  @*/

/*@ requires n >= 1 && \valid_range(t,0,n-1) ;
  @ ensures \result == sum(t,0,n);
  @*/
int test1(int t[],int n) {
  int i,s = 0;

  /*@ loop invariant 0 <= i <= n && s == sum(t,0,i);
    @ loop variant n-i;
  */
  for(i=0; i < n; i++)
  {
    s += t[i];
  }
  return s;
}


/*@ requires n >= 1 && \valid_range(t,0,n-1);
  @ assigns t[..];
  @ ensures sum(t,0,n) == \old(sum(t,0,n))+n;
  @*/
void test2(int t[],int n) {
  int i;
  /*@ loop invariant 0 <= i <= n &&
    @     sum(t,0,n) == \at(sum(t,0,n),Pre)+i;
    @ loop variant n-i;
    @*/
  for(i=0; i < n; i++)
  {
    //@ assert sum(t,0,n) == sum(t,0,i) + t[i] + sum(t,i+1,n);
    t[i] += 1;
    //@ assert sum(t,0,n) == sum(t,0,i) + t[i] + sum(t,i+1,n);
  }
}

/*
Local Variables:
compile-command: "make sum_array.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/sum_array.c"
tests/c/sum_array.c:28:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
tests/c/sum_array.c:45:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/sum_array.jessie
[jessie] File tests/c/sum_array.jessie/sum_array.jc written.
[jessie] File tests/c/sum_array.jessie/sum_array.cloc written.
========== file tests/c/sum_array.jessie/sum_array.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag intP = {
  integer intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

axiomatic Sum {

  logic integer sum{L}(intP[..] t, integer i_1, integer j_0) reads i_1, j_0,
  t, (t + [..]).intM;
   
  axiom sum1{L} :
  (\forall intP[..] t_0;
    (\forall integer i_2;
      (sum{L}(t_0, i_2, i_2) == 0)))
   
  axiom sum2{L} :
  (\forall intP[..] t_1;
    (\forall integer i_3;
      (\forall integer j_1;
        (sum{L}(t_1, i_3, (j_1 + 1)) ==
          (sum{L}(t_1, i_3, j_1) + (t_1 + j_1).intM)))))
  
}

lemma sum3{L} :
(\forall intP[..] t_2;
  (\forall integer i_4;
    (\forall integer j_2;
      (\forall integer k;
        (((i_4 <= j_2) && (j_2 <= k)) ==>
          (sum{L}(t_2, i_4, k) ==
            (sum{L}(t_2, i_4, j_2) + sum{L}(t_2, j_2, k))))))))

lemma sum_footprint{L} :
(\forall intP[..] t1;
  (\forall intP[..] t2;
    (\forall integer i_5;
      (\forall integer j_3;
        ((\forall integer k_0;
           (((i_5 <= k_0) && (k_0 < j_3)) ==>
             ((t1 + k_0).intM == (t2 + k_0).intM))) ==>
          (sum{L}(t1, i_5, j_3) == sum{L}(t2, i_5, j_3)))))))

integer test1(intP[..] t, integer n_1)
  requires (_C_16 : ((_C_17 : (n_1 >= 1)) &&
                      ((_C_19 : (\offset_min(t) <= 0)) &&
                        (_C_20 : (\offset_max(t) >= (n_1 - 1))))));
behavior default:
  ensures (_C_15 : (\result == sum{Here}(\at(t,Old), 0, \at(n_1,Old))));
{  
   (var integer i);
   
   (var integer s);
   
   {  (_C_1 : (s = 0));
      (_C_2 : (i = 0));
      
      loop 
      behavior default:
        invariant (_C_4 : (((_C_6 : (0 <= i)) && (_C_7 : (i <= n_1))) &&
                            (_C_8 : (s == sum{Here}(t, 0, i)))));
      variant (_C_3 : (n_1 - i));
      while (true)
      {  
         {  (if (i < n_1) then () else 
            (goto while_0_break));
            
            {  (_C_12 : (s = (_C_11 : (s + (_C_10 : (_C_9 : (t + i)).intM)))))
            };
            (_C_14 : (i = (_C_13 : (i + 1))))
         }
      };
      (while_0_break : ());
      
      (return s)
   }
}

unit test2(intP[..] t_0, integer n_2)
  requires (_C_39 : ((_C_40 : (n_2 >= 1)) &&
                      ((_C_42 : (\offset_min(t_0) <= 0)) &&
                        (_C_43 : (\offset_max(t_0) >= (n_2 - 1))))));
behavior default:
  assigns (t_0 + [..]).intM;
  ensures (_C_38 : (sum{Here}(\at(t_0,Old), 0, \at(n_2,Old)) ==
                     (\at(sum{Old}(t_0, 0, n_2),Old) + \at(n_2,Old))));
{  
   (var integer i_0);
   
   {  (_C_21 : (i_0 = 0));
      
      loop 
      behavior default:
        invariant (_C_23 : (((_C_25 : (0 <= i_0)) && (_C_26 : (i_0 <= n_2))) &&
                             (_C_27 : (sum{Here}(t_0, 0, n_2) ==
                                        (\at(sum{Pre}(t_0, 0, n_2),Pre) +
                                          i_0)))));
      variant (_C_22 : (n_2 - i_0));
      while (true)
      {  
         {  (if (i_0 < n_2) then () else 
            (goto while_0_break));
            
            {  
               {  
                  (assert for default: (_C_28 : (jessie : (sum{Here}(
                                                            t_0, 0, n_2) ==
                                                            ((sum{Here}(
                                                               t_0, 0, i_0) +
                                                               (t_0 + i_0).intM) +
                                                              sum{Here}(
                                                              t_0, (i_0 + 1),
                                                              n_2))))));
                  ()
               };
               (_C_34 : ((_C_33 : (_C_32 : (t_0 + i_0)).intM) = (_C_31 : 
                                                                ((_C_30 : 
                                                                 (_C_29 : 
                                                                 (t_0 +
                                                                   i_0)).intM) +
                                                                  1))));
               
               {  
                  (assert for default: (_C_35 : (jessie : (sum{Here}(
                                                            t_0, 0, n_2) ==
                                                            ((sum{Here}(
                                                               t_0, 0, i_0) +
                                                               (t_0 + i_0).intM) +
                                                              sum{Here}(
                                                              t_0, (i_0 + 1),
                                                              n_2))))));
                  ()
               }
            };
            (_C_37 : (i_0 = (_C_36 : (i_0 + 1))))
         }
      };
      (while_0_break : ());
      
      (return ())
   }
}
========== file tests/c/sum_array.jessie/sum_array.cloc ==========
[_C_35]
file = "HOME/tests/c/sum_array.c"
line = 59
begin = 15
end = 61

[_C_28]
file = "HOME/tests/c/sum_array.c"
line = 57
begin = 15
end = 61

[_C_31]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 4
end = 13

[_C_41]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 23
end = 44

[_C_4]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 21
end = 51

[_C_32]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 4
end = 5

[_C_23]
file = "HOME/tests/c/sum_array.c"
line = 51
begin = 21
end = 81

[_C_19]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 23
end = 44

[_C_42]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 23
end = 44

[test1]
name = "Function test1"
file = "HOME/tests/c/sum_array.c"
line = 31
begin = 4
end = 9

[_C_13]
file = "HOME/tests/c/sum_array.c"
line = 37
begin = 18
end = 21

[_C_5]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 21
end = 32

[_C_36]
file = "HOME/tests/c/sum_array.c"
line = 55
begin = 18
end = 21

[_C_12]
file = "HOME/tests/c/sum_array.c"
line = 39
begin = 4
end = 13

[_C_33]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 4
end = 13

[_C_22]
file = "HOME/tests/c/sum_array.c"
line = 53
begin = 19
end = 22

[_C_9]
file = "HOME/tests/c/sum_array.c"
line = 39
begin = 9
end = 10

[_C_30]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 4
end = 8

[_C_6]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 21
end = 27

[_C_24]
file = "HOME/tests/c/sum_array.c"
line = 51
begin = 21
end = 32

[_C_20]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 23
end = 44

[test2]
name = "Function test2"
file = "HOME/tests/c/sum_array.c"
line = 49
begin = 5
end = 10

[_C_38]
file = "HOME/tests/c/sum_array.c"
line = 47
begin = 12
end = 44

[_C_3]
file = "HOME/tests/c/sum_array.c"
line = 35
begin = 19
end = 22

[sum_footprint]
name = "Lemma sum_footprint"
file = "HOME/tests/c/sum_array.c"
line = 22
begin = 4
end = 170

[_C_17]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 13
end = 19

[sum3]
name = "Lemma sum3"
file = "HOME/tests/c/sum_array.c"
line = 16
begin = 4
end = 137

[_C_7]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 26
end = 32

[_C_27]
file = "HOME/tests/c/sum_array.c"
line = 52
begin = 10
end = 45

[_C_15]
file = "HOME/tests/c/sum_array.c"
line = 29
begin = 12
end = 33

[_C_26]
file = "HOME/tests/c/sum_array.c"
line = 51
begin = 26
end = 32

[sum2]
name = "Lemma sum2"
file = "HOME/tests/c/sum_array.c"
line = 10
begin = 6
end = 104

[_C_10]
file = "HOME/tests/c/sum_array.c"
line = 39
begin = 9
end = 13

[_C_40]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 13
end = 19

[_C_8]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 36
end = 51

[_C_18]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 23
end = 44

[_C_29]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 4
end = 5

[_C_14]
file = "HOME/tests/c/sum_array.c"
line = 37
begin = 18
end = 21

[_C_37]
file = "HOME/tests/c/sum_array.c"
line = 55
begin = 18
end = 21

[_C_43]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 23
end = 44

[_C_2]
file = "HOME/tests/c/sum_array.c"
line = 37
begin = 8
end = 9

[_C_34]
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 4
end = 13

[_C_16]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 13
end = 44

[_C_1]
file = "HOME/tests/c/sum_array.c"
line = 32
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/sum_array.c"
line = 51
begin = 21
end = 27

[_C_39]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 13
end = 44

[_C_11]
file = "HOME/tests/c/sum_array.c"
line = 39
begin = 4
end = 13

[sum1]
name = "Lemma sum1"
file = "HOME/tests/c/sum_array.c"
line = 8
begin = 6
end = 73

[_C_21]
file = "HOME/tests/c/sum_array.c"
line = 55
begin = 8
end = 9

========== jessie execution ==========
Generating Why function test1
Generating Why function test2
========== file tests/c/sum_array.jessie/sum_array.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs sum_array.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs sum_array.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/sum_array_why.sx

project: why/sum_array.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/sum_array_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/sum_array_why.vo

coq/sum_array_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/sum_array_why.v: why/sum_array.why
	@echo 'why -coq [...] why/sum_array.why' && $(WHY) $(JESSIELIBFILES) why/sum_array.why && rm -f coq/jessie_why.v

coq-goals: goals coq/sum_array_ctx_why.vo
	for f in why/*_po*.why; do make -f sum_array.makefile coq/`basename $$f .why`_why.v ; done

coq/sum_array_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/sum_array_ctx_why.v: why/sum_array_ctx.why
	@echo 'why -coq [...] why/sum_array_ctx.why' && $(WHY) why/sum_array_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export sum_array_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/sum_array_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/sum_array_ctx_why.vo

pvs: pvs/sum_array_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/sum_array_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/sum_array_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/sum_array_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/sum_array_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/sum_array_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/sum_array_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/sum_array_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/sum_array_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/sum_array_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/sum_array_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/sum_array_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/sum_array_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/sum_array_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/sum_array_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: sum_array.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/sum_array_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: sum_array.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: sum_array.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: sum_array.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include sum_array.depend

depend: coq/sum_array_why.v
	-$(COQDEP) -I coq coq/sum_array*_why.v > sum_array.depend

clean:
	rm -f coq/*.vo

========== file tests/c/sum_array.jessie/sum_array.loc ==========
[JC_63]
file = "HOME/tests/c/sum_array.c"
line = 52
begin = 10
end = 45

[JC_51]
file = "HOME/tests/c/sum_array.c"
line = 52
begin = 10
end = 45

[JC_45]
file = "HOME/tests/c/sum_array.c"
line = 49
begin = 5
end = 10

[JC_64]
file = "HOME/tests/c/sum_array.c"
line = 51
begin = 21
end = 81

[JC_31]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 13
end = 19

[JC_17]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 36
end = 51

[JC_55]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 121
begin = 6
end = 2351

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/c/sum_array.c"
line = 35
begin = 19
end = 22

[JC_22]
kind = PointerDeref
file = "HOME/tests/c/sum_array.c"
line = 39
begin = 9
end = 13

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 121
begin = 6
end = 2351

[test1_safety]
name = "Function test1"
behavior = "Safety"
file = "HOME/tests/c/sum_array.c"
line = 31
begin = 4
end = 9

[JC_9]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 13
end = 44

[JC_24]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 21
end = 27

[JC_25]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 26
end = 32

[JC_41]
file = "HOME/tests/c/sum_array.c"
line = 47
begin = 12
end = 44

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/tests/c/sum_array.c"
line = 51
begin = 21
end = 81

[JC_26]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 36
end = 51

[JC_8]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 23
end = 44

[JC_54]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 121
begin = 6
end = 2351

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/c/sum_array.c"
line = 29
begin = 12
end = 33

[test2_safety]
name = "Function test2"
behavior = "Safety"
file = "HOME/tests/c/sum_array.c"
line = 49
begin = 5
end = 10

[JC_15]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 21
end = 27

[JC_36]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 13
end = 19

[JC_39]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 13
end = 44

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 21
end = 51

[JC_69]
file = "HOME/tests/c/sum_array.c"
line = 59
begin = 15
end = 61

[JC_38]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 23
end = 44

[JC_12]
file = "HOME/tests/c/sum_array.c"
line = 29
begin = 12
end = 33

[JC_6]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 13
end = 19

[sum_footprint]
name = "Lemma sum_footprint"
behavior = "lemma"
file = "HOME/tests/c/sum_array.c"
line = 22
begin = 4
end = 170

[JC_44]
file = "HOME/tests/c/sum_array.c"
line = 47
begin = 12
end = 44

[JC_4]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 13
end = 44

[JC_62]
file = "HOME/tests/c/sum_array.c"
line = 51
begin = 26
end = 32

[sum3]
name = "Lemma sum3"
behavior = "lemma"
file = "HOME/tests/c/sum_array.c"
line = 16
begin = 4
end = 137

[JC_42]
file = "HOME/tests/c/sum_array.c"
line = 49
begin = 5
end = 10

[JC_46]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 112
begin = 9
end = 16

[test2_ensures_default]
name = "Function test2"
behavior = "default behavior"
file = "HOME/tests/c/sum_array.c"
line = 49
begin = 5
end = 10

[JC_61]
file = "HOME/tests/c/sum_array.c"
line = 51
begin = 21
end = 27

[JC_32]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 23
end = 44

[JC_56]
file = "HOME/tests/c/sum_array.c"
line = 57
begin = 15
end = 61

[JC_33]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 23
end = 44

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[sum2]
name = "Lemma sum2"
behavior = "axiom"
file = "HOME/tests/c/sum_array.c"
line = 10
begin = 6
end = 104

[JC_29]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 87
begin = 6
end = 484

[JC_68]
file = "HOME/tests/c/sum_array.c"
line = 57
begin = 15
end = 61

[JC_7]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 23
end = 44

[JC_16]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 26
end = 32

[JC_43]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 112
begin = 9
end = 16

[JC_2]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 23
end = 44

[JC_34]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 13
end = 44

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 87
begin = 6
end = 484

[JC_49]
file = "HOME/tests/c/sum_array.c"
line = 51
begin = 21
end = 27

[test1_ensures_default]
name = "Function test1"
behavior = "default behavior"
file = "HOME/tests/c/sum_array.c"
line = 31
begin = 4
end = 9

[JC_1]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 13
end = 19

[JC_37]
file = "HOME/tests/c/sum_array.c"
line = 45
begin = 23
end = 44

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
kind = PointerDeref
file = "HOME/tests/c/sum_array.c"
line = 58
begin = 4
end = 8

[JC_66]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 121
begin = 6
end = 2351

[JC_59]
file = "HOME/tests/c/sum_array.c"
line = 59
begin = 15
end = 61

[JC_20]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 87
begin = 6
end = 484

[JC_18]
file = "HOME/tests/c/sum_array.c"
line = 34
begin = 21
end = 51

[JC_3]
file = "HOME/tests/c/sum_array.c"
line = 28
begin = 23
end = 44

[JC_60]
file = "HOME/tests/c/sum_array.c"
line = 53
begin = 19
end = 22

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/tests/c/sum_array.c"
line = 51
begin = 26
end = 32

[JC_30]
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 87
begin = 6
end = 484

[sum1]
name = "Lemma sum1"
behavior = "axiom"
file = "HOME/tests/c/sum_array.c"
line = 8
begin = 6
end = 73

[JC_58]
kind = PointerDeref
file = "HOME/tests/c/sum_array.jessie/sum_array.jc"
line = 145
begin = 25
end = 446

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/sum_array.jessie/why/sum_array.why ==========
type charP

type intP

type padding

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

logic sum: intP pointer, int, int, (intP, int) memory -> int

axiom no_assign_sum_0 :
 (forall tmp:intP pset.
  (forall tmpmem:(intP, int) memory.
   (forall tmpalloc:intP alloc_table.
    (forall intP_intM_t_1_at_L:(intP, int) memory.
     (forall j_0:int.
      (forall i_1:int.
       (forall t:intP pointer.
        ((pset_disjoint(tmp, pset_all(pset_singleton(t)))
         and not_assigns(tmpalloc, intP_intM_t_1_at_L, tmpmem, tmp)) ->
         (sum(t, i_1, j_0, intP_intM_t_1_at_L) = sum(t, i_1, j_0, tmpmem))))))))))

axiom no_update_sum_0 :
 (forall tmp:intP pointer.
  (forall tmpval:int.
   (forall intP_intM_t_1_at_L:(intP, int) memory.
    (forall j_0:int.
     (forall i_1:int.
      (forall t:intP pointer.
       ((not in_pset(tmp, pset_all(pset_singleton(t)))) ->
        (sum(t, i_1, j_0, intP_intM_t_1_at_L) = sum(t, i_1, j_0,
                                                store(intP_intM_t_1_at_L,
                                                tmp, tmpval))))))))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

axiom sum1 :
 (forall intP_intM_t_1_at_L:(intP, int) memory.
  (forall t_0_1:intP pointer.
   (forall i_2:int. (sum(t_0_1, i_2, i_2, intP_intM_t_1_at_L) = (0)))))

axiom sum2 :
 (forall intP_intM_t_1_at_L:(intP, int) memory.
  (forall t_1:intP pointer.
   (forall i_3:int.
    (forall j_1:int.
     (sum(t_1, i_3, add_int(j_1, (1)), intP_intM_t_1_at_L) = add_int(
                                                             sum(t_1, i_3,
                                                             j_1,
                                                             intP_intM_t_1_at_L),
                                                             select(intP_intM_t_1_at_L,
                                                             shift(t_1, j_1))))))))

lemma sum3 :
 (forall intP_intM_t_2_6_at_L:(intP, int) memory.
  (forall t_2:intP pointer.
   (forall i_4:int.
    (forall j_2:int.
     (forall k:int.
      ((le_int(i_4, j_2) and le_int(j_2, k)) ->
       (sum(t_2, i_4, k, intP_intM_t_2_6_at_L) = add_int(sum(t_2, i_4, j_2,
                                                         intP_intM_t_2_6_at_L),
                                                 sum(t_2, j_2, k,
                                                 intP_intM_t_2_6_at_L)))))))))

lemma sum_footprint :
 (forall intP_intM_t2_8_at_L:(intP, int) memory.
  (forall intP_intM_t1_7_at_L:(intP, int) memory.
   (forall t1:intP pointer.
    (forall t2:intP pointer.
     (forall i_5:int.
      (forall j_3:int.
       ((forall k_0:int.
         ((le_int(i_5, k_0) and lt_int(k_0, j_3)) ->
          (select(intP_intM_t1_7_at_L, shift(t1, k_0)) = select(intP_intM_t2_8_at_L,
                                                         shift(t2, k_0))))) ->
        (sum(t1, i_5, j_3, intP_intM_t1_7_at_L) = sum(t2, i_5, j_3,
                                                  intP_intM_t2_8_at_L)))))))))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter test1 :
 t_0:intP pointer ->
  n_1:int ->
   intP_t_2_alloc_table:intP alloc_table ->
    intP_intM_t_2:(intP, int) memory ->
     { } int { (JC_12: (result = sum(t_0, (0), n_1, intP_intM_t_2))) }

parameter test1_requires :
 t_0:intP pointer ->
  n_1:int ->
   intP_t_2_alloc_table:intP alloc_table ->
    intP_intM_t_2:(intP, int) memory ->
     { (JC_4:
       ((JC_1: ge_int(n_1, (1)))
       and ((JC_2: le_int(offset_min(intP_t_2_alloc_table, t_0), (0)))
           and (JC_3:
               ge_int(offset_max(intP_t_2_alloc_table, t_0),
               sub_int(n_1, (1)))))))}
     int { (JC_12: (result = sum(t_0, (0), n_1, intP_intM_t_2))) }

parameter test2 :
 t_0_0:intP pointer ->
  n_2:int ->
   intP_intM_t_0_3:(intP, int) memory ref ->
    intP_t_0_3_alloc_table:intP alloc_table ->
     { } unit reads intP_intM_t_0_3 writes intP_intM_t_0_3
     { (JC_46:
       ((JC_44:
        (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(sum(t_0_0, (0), n_2,
                                                         intP_intM_t_0_3@),
                                                 n_2)))
       and (JC_45:
           not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3@,
           intP_intM_t_0_3, pset_all(pset_singleton(t_0_0)))))) }

parameter test2_requires :
 t_0_0:intP pointer ->
  n_2:int ->
   intP_intM_t_0_3:(intP, int) memory ref ->
    intP_t_0_3_alloc_table:intP alloc_table ->
     { (JC_34:
       ((JC_31: ge_int(n_2, (1)))
       and ((JC_32: le_int(offset_min(intP_t_0_3_alloc_table, t_0_0), (0)))
           and (JC_33:
               ge_int(offset_max(intP_t_0_3_alloc_table, t_0_0),
               sub_int(n_2, (1)))))))}
     unit reads intP_intM_t_0_3 writes intP_intM_t_0_3
     { (JC_46:
       ((JC_44:
        (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(sum(t_0_0, (0), n_2,
                                                         intP_intM_t_0_3@),
                                                 n_2)))
       and (JC_45:
           not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3@,
           intP_intM_t_0_3, pset_all(pset_singleton(t_0_0)))))) }

let test1_ensures_default =
 fun (t_0 : intP pointer) (n_1 : int) (intP_t_2_alloc_table : intP alloc_table) (intP_intM_t_2 : (intP, int) memory) ->
  { (JC_9:
    ((JC_6: ge_int(n_1, (1)))
    and ((JC_7: le_int(offset_min(intP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(intP_t_2_alloc_table, t_0), sub_int(n_1, (1))))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let i = ref (any_int void) in
     (let s_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (s_0 := (0)) in void);
       (let _jessie_ = (i := (0)) in void);
       (loop_2:
       begin
         while true do
         { invariant
             (JC_27:
             ((JC_24: le_int((0), i))
             and ((JC_25: le_int(i, n_1))
                 and (JC_26: (s_0 = sum(t_0, (0), i, intP_intM_t_2)))))) 
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ !i) n_1) then void
                else (raise (Goto_while_0_break_exc void)));
               (let _jessie_ =
               begin
                 (s_0 := ((add_int !s_0) ((safe_acc_ intP_intM_t_2) ((shift t_0) !i))));
                !s_0 end in void); (i := ((add_int !i) (1))); !i end in void);
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !s_0); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_11: (result = sum(t_0, (0), n_1, intP_intM_t_2))) }

let test1_safety =
 fun (t_0 : intP pointer) (n_1 : int) (intP_t_2_alloc_table : intP alloc_table) (intP_intM_t_2 : (intP, int) memory) ->
  { (JC_9:
    ((JC_6: ge_int(n_1, (1)))
    and ((JC_7: le_int(offset_min(intP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(intP_t_2_alloc_table, t_0), sub_int(n_1, (1))))))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let i = ref (any_int void) in
     (let s_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (s_0 := (0)) in void);
       (let _jessie_ = (i := (0)) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_20: true) variant (JC_23 : sub_int(n_1, i)) }
          begin
            [ { } unit reads i,s_0
              { (JC_18:
                ((JC_15: le_int((0), i))
                and ((JC_16: le_int(i, n_1))
                    and (JC_17: (s_0 = sum(t_0, (0), i, intP_intM_t_2)))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ !i) n_1) then void
                else (raise (Goto_while_0_break_exc void)));
               (let _jessie_ =
               begin
                 (s_0 := ((add_int !s_0) (JC_22:
                                         ((((offset_acc_ intP_t_2_alloc_table) intP_intM_t_2) t_0) !i))));
                !s_0 end in void); (i := ((add_int !i) (1))); !i end in void);
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !s_0); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true }

let test2_ensures_default =
 fun (t_0_0 : intP pointer) (n_2 : int) (intP_intM_t_0_3 : (intP, int) memory ref) (intP_t_0_3_alloc_table : intP alloc_table) ->
  { (JC_39:
    ((JC_36: ge_int(n_2, (1)))
    and ((JC_37: le_int(offset_min(intP_t_0_3_alloc_table, t_0_0), (0)))
        and (JC_38:
            ge_int(offset_max(intP_t_0_3_alloc_table, t_0_0),
            sub_int(n_2, (1))))))) }
  (init:
  try
   begin
     (let i_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (i_0 := (0)) in void);
       (loop_4:
       begin
         while true do
         { invariant
             ((JC_64:
              ((JC_61: le_int((0), i_0))
              and ((JC_62: le_int(i_0, n_2))
                  and (JC_63:
                      (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(
                                                               sum(t_0_0,
                                                               (0), n_2,
                                                               intP_intM_t_0_3@init),
                                                               i_0))))))
             and (JC_66:
                 not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3@init,
                 intP_intM_t_0_3, pset_all(pset_singleton(t_0_0))))) 
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ !i_0) n_2) then void
                else (raise (Goto_while_0_break_exc void)));
               (assert
               { (JC_68:
                 (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(add_int(
                                                                  sum(t_0_0,
                                                                  (0), i_0,
                                                                  intP_intM_t_0_3),
                                                                  select(intP_intM_t_0_3,
                                                                  shift(t_0_0,
                                                                  i_0))),
                                                          sum(t_0_0,
                                                          add_int(i_0, (1)),
                                                          n_2,
                                                          intP_intM_t_0_3)))) };
               void); void;
               (let _jessie_ =
               (let _jessie_ =
               ((add_int ((safe_acc_ !intP_intM_t_0_3) ((shift t_0_0) !i_0))) (1)) in
               (let _jessie_ = t_0_0 in
               (let _jessie_ = !i_0 in
               (let _jessie_ = ((shift _jessie_) _jessie_) in
               (((safe_upd_ intP_intM_t_0_3) _jessie_) _jessie_))))) in
               void);
               (assert
               { (JC_69:
                 (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(add_int(
                                                                  sum(t_0_0,
                                                                  (0), i_0,
                                                                  intP_intM_t_0_3),
                                                                  select(intP_intM_t_0_3,
                                                                  shift(t_0_0,
                                                                  i_0))),
                                                          sum(t_0_0,
                                                          add_int(i_0, (1)),
                                                          n_2,
                                                          intP_intM_t_0_3)))) };
               void); void; (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end); (raise Return)
   end with Return -> void end)
  { (JC_43:
    ((JC_41:
     (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(sum(t_0_0, (0), n_2,
                                                      intP_intM_t_0_3@),
                                              n_2)))
    and (JC_42:
        not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3@,
        intP_intM_t_0_3, pset_all(pset_singleton(t_0_0)))))) }

let test2_safety =
 fun (t_0_0 : intP pointer) (n_2 : int) (intP_intM_t_0_3 : (intP, int) memory ref) (intP_t_0_3_alloc_table : intP alloc_table) ->
  { (JC_39:
    ((JC_36: ge_int(n_2, (1)))
    and ((JC_37: le_int(offset_min(intP_t_0_3_alloc_table, t_0_0), (0)))
        and (JC_38:
            ge_int(offset_max(intP_t_0_3_alloc_table, t_0_0),
            sub_int(n_2, (1))))))) }
  (init:
  try
   begin
     (let i_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (i_0 := (0)) in void);
       (loop_3:
       begin
         while true do
         { invariant (JC_54: true) variant (JC_60 : sub_int(n_2, i_0)) }
          begin
            [ { } unit reads i_0,intP_intM_t_0_3
              { (JC_52:
                ((JC_49: le_int((0), i_0))
                and ((JC_50: le_int(i_0, n_2))
                    and (JC_51:
                        (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(
                                                                 sum(t_0_0,
                                                                 (0), n_2,
                                                                 intP_intM_t_0_3@init),
                                                                 i_0)))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ !i_0) n_2) then void
                else (raise (Goto_while_0_break_exc void)));
               [ { } unit reads i_0,intP_intM_t_0_3
                 { (JC_56:
                   (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(add_int(
                                                                    sum(t_0_0,
                                                                    (0), i_0,
                                                                    intP_intM_t_0_3),
                                                                    select(intP_intM_t_0_3,
                                                                    shift(t_0_0,
                                                                    i_0))),
                                                            sum(t_0_0,
                                                            add_int(i_0, (1)),
                                                            n_2,
                                                            intP_intM_t_0_3)))) } ];
               void;
               (let _jessie_ =
               (let _jessie_ =
               ((add_int (JC_57:
                         ((((offset_acc_ intP_t_0_3_alloc_table) !intP_intM_t_0_3) t_0_0) !i_0))) (1)) in
               (let _jessie_ = t_0_0 in
               (let _jessie_ = !i_0 in
               (let _jessie_ = ((shift _jessie_) _jessie_) in
               (JC_58:
               (((((offset_upd_ intP_t_0_3_alloc_table) intP_intM_t_0_3) _jessie_) _jessie_) _jessie_)))))) in
               void);
               [ { } unit reads i_0,intP_intM_t_0_3
                 { (JC_59:
                   (sum(t_0_0, (0), n_2, intP_intM_t_0_3) = add_int(add_int(
                                                                    sum(t_0_0,
                                                                    (0), i_0,
                                                                    intP_intM_t_0_3),
                                                                    select(intP_intM_t_0_3,
                                                                    shift(t_0_0,
                                                                    i_0))),
                                                            sum(t_0_0,
                                                            add_int(i_0, (1)),
                                                            n_2,
                                                            intP_intM_t_0_3)))) } ];
               void; (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end); (raise Return)
   end with Return -> void end) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/sum_array.why
========== file tests/c/sum_array.jessie/why/sum_array_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type intP

type padding

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic intP_tag : intP tag_id

axiom intP_int: (int_of_tag(intP_tag) = 1)

logic intP_of_pointer_address : unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr:
  (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom: parenttag(intP_tag, bottom_tag)

axiom intP_tags:
  (forall x:intP pointer.
    (forall intP_tag_table:intP tag_table. instanceof(intP_tag_table, x,
      intP_tag)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_intP(p: intP pointer, a: int,
  intP_alloc_table: intP alloc_table) = (offset_min(intP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

logic sum : intP pointer, int, int, (intP, int) memory -> int

axiom no_assign_sum_0:
  (forall tmp:intP pset.
    (forall tmpmem:(intP, int) memory.
      (forall tmpalloc:intP alloc_table.
        (forall intP_intM_t_1_at_L:(intP, int) memory.
          (forall j_0:int.
            (forall i_1:int.
              (forall t:intP pointer.
                ((pset_disjoint(tmp, pset_all(pset_singleton(t))) and
                  not_assigns(tmpalloc, intP_intM_t_1_at_L, tmpmem, tmp)) ->
                 (sum(t, i_1, j_0, intP_intM_t_1_at_L) = sum(t, i_1, j_0,
                 tmpmem))))))))))

axiom no_update_sum_0:
  (forall tmp:intP pointer.
    (forall tmpval:int.
      (forall intP_intM_t_1_at_L:(intP, int) memory.
        (forall j_0:int.
          (forall i_1:int.
            (forall t:intP pointer.
              ((not in_pset(tmp, pset_all(pset_singleton(t)))) -> (sum(t,
               i_1, j_0, intP_intM_t_1_at_L) = sum(t, i_1, j_0,
               store(intP_intM_t_1_at_L, tmp, tmpval))))))))))

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_intP(p: intP pointer, b: int,
  intP_alloc_table: intP alloc_table) = (offset_max(intP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

axiom sum1:
  (forall intP_intM_t_1_at_L:(intP, int) memory.
    (forall t_0_1:intP pointer.
      (forall i_2:int. (sum(t_0_1, i_2, i_2, intP_intM_t_1_at_L) = 0))))

axiom sum2:
  (forall intP_intM_t_1_at_L:(intP, int) memory.
    (forall t_1:intP pointer.
      (forall i_3:int.
        (forall j_1:int. (sum(t_1, i_3, (j_1 + 1),
          intP_intM_t_1_at_L) = (sum(t_1, i_3, j_1,
          intP_intM_t_1_at_L) + select(intP_intM_t_1_at_L, shift(t_1,
          j_1))))))))

goal sum3:
  (forall intP_intM_t_2_6_at_L:(intP, int) memory.
    (forall t_2:intP pointer.
      (forall i_4:int.
        (forall j_2:int.
          (forall k:int.
            (((i_4 <= j_2) and (j_2 <= k)) -> (sum(t_2, i_4, k,
             intP_intM_t_2_6_at_L) = (sum(t_2, i_4, j_2,
             intP_intM_t_2_6_at_L) + sum(t_2, j_2, k, intP_intM_t_2_6_at_L)))))))))

axiom sum3_as_axiom:
  (forall intP_intM_t_2_6_at_L:(intP, int) memory.
    (forall t_2:intP pointer.
      (forall i_4:int.
        (forall j_2:int.
          (forall k:int.
            (((i_4 <= j_2) and (j_2 <= k)) -> (sum(t_2, i_4, k,
             intP_intM_t_2_6_at_L) = (sum(t_2, i_4, j_2,
             intP_intM_t_2_6_at_L) + sum(t_2, j_2, k, intP_intM_t_2_6_at_L)))))))))

goal sum_footprint:
  (forall intP_intM_t2_8_at_L:(intP, int) memory.
    (forall intP_intM_t1_7_at_L:(intP, int) memory.
      (forall t1:intP pointer.
        (forall t2:intP pointer.
          (forall i_5:int.
            (forall j_3:int.
              ((forall k_0:int.
                 (((i_5 <= k_0) and (k_0 < j_3)) ->
                  (select(intP_intM_t1_7_at_L, shift(t1,
                  k_0)) = select(intP_intM_t2_8_at_L, shift(t2, k_0))))) ->
               (sum(t1, i_5, j_3, intP_intM_t1_7_at_L) = sum(t2, i_5, j_3,
               intP_intM_t2_8_at_L)))))))))

axiom sum_footprint_as_axiom:
  (forall intP_intM_t2_8_at_L:(intP, int) memory.
    (forall intP_intM_t1_7_at_L:(intP, int) memory.
      (forall t1:intP pointer.
        (forall t2:intP pointer.
          (forall i_5:int.
            (forall j_3:int.
              ((forall k_0:int.
                 (((i_5 <= k_0) and (k_0 < j_3)) ->
                  (select(intP_intM_t1_7_at_L, shift(t1,
                  k_0)) = select(intP_intM_t2_8_at_L, shift(t2, k_0))))) ->
               (sum(t1, i_5, j_3, intP_intM_t1_7_at_L) = sum(t2, i_5, j_3,
               intP_intM_t2_8_at_L)))))))))

goal test1_ensures_default_po_1:
  forall t_0:intP pointer.
  forall n_1:int.
  forall intP_t_2_alloc_table:intP alloc_table.
  ("JC_9":
  (("JC_6": (n_1 >= 1)) and
   (("JC_7": (offset_min(intP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(intP_t_2_alloc_table, t_0) >= (n_1 - 1)))))) ->
  forall s_0:int.
  (s_0 = 0) ->
  forall i:int.
  (i = 0) ->
  ("JC_27": ("JC_24": (0 <= i)))

goal test1_ensures_default_po_2:
  forall t_0:intP pointer.
  forall n_1:int.
  forall intP_t_2_alloc_table:intP alloc_table.
  ("JC_9":
  (("JC_6": (n_1 >= 1)) and
   (("JC_7": (offset_min(intP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(intP_t_2_alloc_table, t_0) >= (n_1 - 1)))))) ->
  forall s_0:int.
  (s_0 = 0) ->
  forall i:int.
  (i = 0) ->
  ("JC_27": ("JC_25": (i <= n_1)))

goal test1_ensures_default_po_3:
  forall t_0:intP pointer.
  forall n_1:int.
  forall intP_t_2_alloc_table:intP alloc_table.
  forall intP_intM_t_2:(intP,
  int) memory.
  ("JC_9":
  (("JC_6": (n_1 >= 1)) and
   (("JC_7": (offset_min(intP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(intP_t_2_alloc_table, t_0) >= (n_1 - 1)))))) ->
  forall s_0:int.
  (s_0 = 0) ->
  forall i:int.
  (i = 0) ->
  ("JC_27": ("JC_26": (s_0 = sum(t_0, 0, i, intP_intM_t_2))))

goal test1_ensures_default_po_4:
  forall t_0:intP pointer.
  forall n_1:int.
  forall intP_t_2_alloc_table:intP alloc_table.
  forall intP_intM_t_2:(intP,
  int) memory.
  ("JC_9":
  (("JC_6": (n_1 >= 1)) and
   (("JC_7": (offset_min(intP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(intP_t_2_alloc_table, t_0) >= (n_1 - 1)))))) ->
  forall s_0:int.
  (s_0 = 0) ->
  forall i:int.
  (i = 0) ->
  forall i0:int.
  forall s_0_0:int.
  ("JC_27":
  (("JC_24": (0 <= i0)) and
   (("JC_25": (i0 <= n_1)) and
    ("JC_26": (s_0_0 = sum(t_0, 0, i0, intP_intM_t_2)))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_2, shift(t_0, i0))) ->
  forall s_0_1:int.
  (s_0_1 = (s_0_0 + result)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  ("JC_27": ("JC_24": (0 <= i1)))

goal test1_ensures_default_po_5:
  forall t_0:intP pointer.
  forall n_1:int.
  forall intP_t_2_alloc_table:intP alloc_table.
  forall intP_intM_t_2:(intP,
  int) memory.
  ("JC_9":
  (("JC_6": (n_1 >= 1)) and
   (("JC_7": (offset_min(intP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(intP_t_2_alloc_table, t_0) >= (n_1 - 1)))))) ->
  forall s_0:int.
  (s_0 = 0) ->
  forall i:int.
  (i = 0) ->
  forall i0:int.
  forall s_0_0:int.
  ("JC_27":
  (("JC_24": (0 <= i0)) and
   (("JC_25": (i0 <= n_1)) and
    ("JC_26": (s_0_0 = sum(t_0, 0, i0, intP_intM_t_2)))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_2, shift(t_0, i0))) ->
  forall s_0_1:int.
  (s_0_1 = (s_0_0 + result)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  ("JC_27": ("JC_25": (i1 <= n_1)))

goal test1_ensures_default_po_6:
  forall t_0:intP pointer.
  forall n_1:int.
  forall intP_t_2_alloc_table:intP alloc_table.
  forall intP_intM_t_2:(intP,
  int) memory.
  ("JC_9":
  (("JC_6": (n_1 >= 1)) and
   (("JC_7": (offset_min(intP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(intP_t_2_alloc_table, t_0) >= (n_1 - 1)))))) ->
  forall s_0:int.
  (s_0 = 0) ->
  forall i:int.
  (i = 0) ->
  forall i0:int.
  forall s_0_0:int.
  ("JC_27":
  (("JC_24": (0 <= i0)) and
   (("JC_25": (i0 <= n_1)) and
    ("JC_26": (s_0_0 = sum(t_0, 0, i0, intP_intM_t_2)))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_2, shift(t_0, i0))) ->
  forall s_0_1:int.
  (s_0_1 = (s_0_0 + result)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  ("JC_27": ("JC_26": (s_0_1 = sum(t_0, 0, i1, intP_intM_t_2))))

goal test1_ensures_default_po_7:
  forall t_0:intP pointer.
  forall n_1:int.
  forall intP_t_2_alloc_table:intP alloc_table.
  forall intP_intM_t_2:(intP,
  int) memory.
  ("JC_9":
  (("JC_6": (n_1 >= 1)) and
   (("JC_7": (offset_min(intP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(intP_t_2_alloc_table, t_0) >= (n_1 - 1)))))) ->
  forall s_0:int.
  (s_0 = 0) ->
  forall i:int.
  (i = 0) ->
  forall i0:int.
  forall s_0_0:int.
  ("JC_27":
  (("JC_24": (0 <= i0)) and
   (("JC_25": (i0 <= n_1)) and
    ("JC_26": (s_0_0 = sum(t_0, 0, i0, intP_intM_t_2)))))) ->
  (i0 >= n_1) ->
  forall return:int.
  (return = s_0_0) ->
  ("JC_11": (return = sum(t_0, 0, n_1, intP_intM_t_2)))

goal test1_safety_po_1:
  forall t_0:intP pointer.
  forall n_1:int.
  forall intP_t_2_alloc_table:intP alloc_table.
  forall intP_intM_t_2:(intP,
  int) memory.
  ("JC_9":
  (("JC_6": (n_1 >= 1)) and
   (("JC_7": (offset_min(intP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(intP_t_2_alloc_table, t_0) >= (n_1 - 1)))))) ->
  forall s_0:int.
  (s_0 = 0) ->
  forall i:int.
  (i = 0) ->
  forall i0:int.
  forall s_0_0:int.
  ("JC_20": true) ->
  ("JC_18":
  (("JC_15": (0 <= i0)) and
   (("JC_16": (i0 <= n_1)) and
    ("JC_17": (s_0_0 = sum(t_0, 0, i0, intP_intM_t_2)))))) ->
  (i0 < n_1) ->
  (offset_min(intP_t_2_alloc_table, t_0) <= i0)

goal test1_safety_po_2:
  forall t_0:intP pointer.
  forall n_1:int.
  forall intP_t_2_alloc_table:intP alloc_table.
  forall intP_intM_t_2:(intP,
  int) memory.
  ("JC_9":
  (("JC_6": (n_1 >= 1)) and
   (("JC_7": (offset_min(intP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(intP_t_2_alloc_table, t_0) >= (n_1 - 1)))))) ->
  forall s_0:int.
  (s_0 = 0) ->
  forall i:int.
  (i = 0) ->
  forall i0:int.
  forall s_0_0:int.
  ("JC_20": true) ->
  ("JC_18":
  (("JC_15": (0 <= i0)) and
   (("JC_16": (i0 <= n_1)) and
    ("JC_17": (s_0_0 = sum(t_0, 0, i0, intP_intM_t_2)))))) ->
  (i0 < n_1) ->
  (i0 <= offset_max(intP_t_2_alloc_table, t_0))

goal test1_safety_po_3:
  forall t_0:intP pointer.
  forall n_1:int.
  forall intP_t_2_alloc_table:intP alloc_table.
  forall intP_intM_t_2:(intP,
  int) memory.
  ("JC_9":
  (("JC_6": (n_1 >= 1)) and
   (("JC_7": (offset_min(intP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(intP_t_2_alloc_table, t_0) >= (n_1 - 1)))))) ->
  forall s_0:int.
  (s_0 = 0) ->
  forall i:int.
  (i = 0) ->
  forall i0:int.
  forall s_0_0:int.
  ("JC_20": true) ->
  ("JC_18":
  (("JC_15": (0 <= i0)) and
   (("JC_16": (i0 <= n_1)) and
    ("JC_17": (s_0_0 = sum(t_0, 0, i0, intP_intM_t_2)))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_2_alloc_table, t_0) <= i0) and
   (i0 <= offset_max(intP_t_2_alloc_table, t_0))) ->
  forall result:int.
  (result = select(intP_intM_t_2, shift(t_0, i0))) ->
  forall s_0_1:int.
  (s_0_1 = (s_0_0 + result)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  (0 <= ("JC_23": (n_1 - i0)))

goal test1_safety_po_4:
  forall t_0:intP pointer.
  forall n_1:int.
  forall intP_t_2_alloc_table:intP alloc_table.
  forall intP_intM_t_2:(intP,
  int) memory.
  ("JC_9":
  (("JC_6": (n_1 >= 1)) and
   (("JC_7": (offset_min(intP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(intP_t_2_alloc_table, t_0) >= (n_1 - 1)))))) ->
  forall s_0:int.
  (s_0 = 0) ->
  forall i:int.
  (i = 0) ->
  forall i0:int.
  forall s_0_0:int.
  ("JC_20": true) ->
  ("JC_18":
  (("JC_15": (0 <= i0)) and
   (("JC_16": (i0 <= n_1)) and
    ("JC_17": (s_0_0 = sum(t_0, 0, i0, intP_intM_t_2)))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_2_alloc_table, t_0) <= i0) and
   (i0 <= offset_max(intP_t_2_alloc_table, t_0))) ->
  forall result:int.
  (result = select(intP_intM_t_2, shift(t_0, i0))) ->
  forall s_0_1:int.
  (s_0_1 = (s_0_0 + result)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  (("JC_23": (n_1 - i1)) < ("JC_23": (n_1 - i0)))

goal test2_ensures_default_po_1:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  ("JC_64": ("JC_61": (0 <= i_0)))

goal test2_ensures_default_po_2:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  ("JC_64": ("JC_62": (i_0 <= n_2)))

goal test2_ensures_default_po_3:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  ("JC_64":
  ("JC_63": (sum(t_0_0, 0, n_2, intP_intM_t_0_3) = (sum(t_0_0, 0, n_2,
  intP_intM_t_0_3) + i_0))))

goal test2_ensures_default_po_4:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  ("JC_66": not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3,
  intP_intM_t_0_3, pset_all(pset_singleton(t_0_0))))

goal test2_ensures_default_po_5:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_0_3_0:(intP,
  int) memory.
  (("JC_64":
   (("JC_61": (0 <= i_0_0)) and
    (("JC_62": (i_0_0 <= n_2)) and
     ("JC_63": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = (sum(t_0_0, 0, n_2,
     intP_intM_t_0_3) + i_0_0)))))) and
   ("JC_66": not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3,
   intP_intM_t_0_3_0, pset_all(pset_singleton(t_0_0))))) ->
  (i_0_0 < n_2) ->
  ("JC_68": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_0) + select(intP_intM_t_0_3_0, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_0))))

goal test2_ensures_default_po_6:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_0_3_0:(intP,
  int) memory.
  (("JC_64":
   (("JC_61": (0 <= i_0_0)) and
    (("JC_62": (i_0_0 <= n_2)) and
     ("JC_63": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = (sum(t_0_0, 0, n_2,
     intP_intM_t_0_3) + i_0_0)))))) and
   ("JC_66": not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3,
   intP_intM_t_0_3_0, pset_all(pset_singleton(t_0_0))))) ->
  (i_0_0 < n_2) ->
  ("JC_68": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_0) + select(intP_intM_t_0_3_0, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_0)))) ->
  forall result:int.
  (result = select(intP_intM_t_0_3_0, shift(t_0_0, i_0_0))) ->
  forall intP_intM_t_0_3_1:(intP,
  int) memory.
  (intP_intM_t_0_3_1 = store(intP_intM_t_0_3_0, shift(t_0_0, i_0_0),
  (result + 1))) ->
  ("JC_69": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_1) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_1) + select(intP_intM_t_0_3_1, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_1))))

goal test2_ensures_default_po_7:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_0_3_0:(intP,
  int) memory.
  (("JC_64":
   (("JC_61": (0 <= i_0_0)) and
    (("JC_62": (i_0_0 <= n_2)) and
     ("JC_63": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = (sum(t_0_0, 0, n_2,
     intP_intM_t_0_3) + i_0_0)))))) and
   ("JC_66": not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3,
   intP_intM_t_0_3_0, pset_all(pset_singleton(t_0_0))))) ->
  (i_0_0 < n_2) ->
  ("JC_68": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_0) + select(intP_intM_t_0_3_0, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_0)))) ->
  forall result:int.
  (result = select(intP_intM_t_0_3_0, shift(t_0_0, i_0_0))) ->
  forall intP_intM_t_0_3_1:(intP,
  int) memory.
  (intP_intM_t_0_3_1 = store(intP_intM_t_0_3_0, shift(t_0_0, i_0_0),
  (result + 1))) ->
  ("JC_69": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_1) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_1) + select(intP_intM_t_0_3_1, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_1)))) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_64": ("JC_61": (0 <= i_0_1)))

goal test2_ensures_default_po_8:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_0_3_0:(intP,
  int) memory.
  (("JC_64":
   (("JC_61": (0 <= i_0_0)) and
    (("JC_62": (i_0_0 <= n_2)) and
     ("JC_63": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = (sum(t_0_0, 0, n_2,
     intP_intM_t_0_3) + i_0_0)))))) and
   ("JC_66": not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3,
   intP_intM_t_0_3_0, pset_all(pset_singleton(t_0_0))))) ->
  (i_0_0 < n_2) ->
  ("JC_68": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_0) + select(intP_intM_t_0_3_0, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_0)))) ->
  forall result:int.
  (result = select(intP_intM_t_0_3_0, shift(t_0_0, i_0_0))) ->
  forall intP_intM_t_0_3_1:(intP,
  int) memory.
  (intP_intM_t_0_3_1 = store(intP_intM_t_0_3_0, shift(t_0_0, i_0_0),
  (result + 1))) ->
  ("JC_69": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_1) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_1) + select(intP_intM_t_0_3_1, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_1)))) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_64": ("JC_62": (i_0_1 <= n_2)))

goal test2_ensures_default_po_9:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_0_3_0:(intP,
  int) memory.
  (("JC_64":
   (("JC_61": (0 <= i_0_0)) and
    (("JC_62": (i_0_0 <= n_2)) and
     ("JC_63": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = (sum(t_0_0, 0, n_2,
     intP_intM_t_0_3) + i_0_0)))))) and
   ("JC_66": not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3,
   intP_intM_t_0_3_0, pset_all(pset_singleton(t_0_0))))) ->
  (i_0_0 < n_2) ->
  ("JC_68": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_0) + select(intP_intM_t_0_3_0, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_0)))) ->
  forall result:int.
  (result = select(intP_intM_t_0_3_0, shift(t_0_0, i_0_0))) ->
  forall intP_intM_t_0_3_1:(intP,
  int) memory.
  (intP_intM_t_0_3_1 = store(intP_intM_t_0_3_0, shift(t_0_0, i_0_0),
  (result + 1))) ->
  ("JC_69": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_1) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_1) + select(intP_intM_t_0_3_1, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_1)))) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_64":
  ("JC_63": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_1) = (sum(t_0_0, 0, n_2,
  intP_intM_t_0_3) + i_0_1))))

goal test2_ensures_default_po_10:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_0_3_0:(intP,
  int) memory.
  (("JC_64":
   (("JC_61": (0 <= i_0_0)) and
    (("JC_62": (i_0_0 <= n_2)) and
     ("JC_63": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = (sum(t_0_0, 0, n_2,
     intP_intM_t_0_3) + i_0_0)))))) and
   ("JC_66": not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3,
   intP_intM_t_0_3_0, pset_all(pset_singleton(t_0_0))))) ->
  (i_0_0 < n_2) ->
  ("JC_68": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_0) + select(intP_intM_t_0_3_0, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_0)))) ->
  forall result:int.
  (result = select(intP_intM_t_0_3_0, shift(t_0_0, i_0_0))) ->
  forall intP_intM_t_0_3_1:(intP,
  int) memory.
  (intP_intM_t_0_3_1 = store(intP_intM_t_0_3_0, shift(t_0_0, i_0_0),
  (result + 1))) ->
  ("JC_69": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_1) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_1) + select(intP_intM_t_0_3_1, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_1)))) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_66": not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3,
  intP_intM_t_0_3_1, pset_all(pset_singleton(t_0_0))))

goal test2_ensures_default_po_11:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_0_3_0:(intP,
  int) memory.
  (("JC_64":
   (("JC_61": (0 <= i_0_0)) and
    (("JC_62": (i_0_0 <= n_2)) and
     ("JC_63": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = (sum(t_0_0, 0, n_2,
     intP_intM_t_0_3) + i_0_0)))))) and
   ("JC_66": not_assigns(intP_t_0_3_alloc_table, intP_intM_t_0_3,
   intP_intM_t_0_3_0, pset_all(pset_singleton(t_0_0))))) ->
  (i_0_0 >= n_2) ->
  ("JC_43":
  ("JC_41": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = (sum(t_0_0, 0, n_2,
  intP_intM_t_0_3) + n_2))))

goal test2_safety_po_1:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_0_3_0:(intP,
  int) memory.
  ("JC_54": true) ->
  ("JC_52":
  (("JC_49": (0 <= i_0_0)) and
   (("JC_50": (i_0_0 <= n_2)) and
    ("JC_51": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = (sum(t_0_0, 0, n_2,
    intP_intM_t_0_3) + i_0_0)))))) ->
  (i_0_0 < n_2) ->
  ("JC_56": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_0) + select(intP_intM_t_0_3_0, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_0)))) ->
  (offset_min(intP_t_0_3_alloc_table, t_0_0) <= i_0_0)

goal test2_safety_po_2:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_0_3_0:(intP,
  int) memory.
  ("JC_54": true) ->
  ("JC_52":
  (("JC_49": (0 <= i_0_0)) and
   (("JC_50": (i_0_0 <= n_2)) and
    ("JC_51": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = (sum(t_0_0, 0, n_2,
    intP_intM_t_0_3) + i_0_0)))))) ->
  (i_0_0 < n_2) ->
  ("JC_56": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_0) + select(intP_intM_t_0_3_0, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_0)))) ->
  (i_0_0 <= offset_max(intP_t_0_3_alloc_table, t_0_0))

goal test2_safety_po_3:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_0_3_0:(intP,
  int) memory.
  ("JC_54": true) ->
  ("JC_52":
  (("JC_49": (0 <= i_0_0)) and
   (("JC_50": (i_0_0 <= n_2)) and
    ("JC_51": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = (sum(t_0_0, 0, n_2,
    intP_intM_t_0_3) + i_0_0)))))) ->
  (i_0_0 < n_2) ->
  ("JC_56": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_0) + select(intP_intM_t_0_3_0, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_0)))) ->
  ((offset_min(intP_t_0_3_alloc_table, t_0_0) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_0_3_alloc_table, t_0_0))) ->
  forall result:int.
  (result = select(intP_intM_t_0_3_0, shift(t_0_0, i_0_0))) ->
  ((offset_min(intP_t_0_3_alloc_table, t_0_0) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_0_3_alloc_table, t_0_0))) ->
  forall intP_intM_t_0_3_1:(intP,
  int) memory.
  (intP_intM_t_0_3_1 = store(intP_intM_t_0_3_0, shift(t_0_0, i_0_0),
  (result + 1))) ->
  ("JC_59": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_1) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_1) + select(intP_intM_t_0_3_1, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_1)))) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  (0 <= ("JC_60": (n_2 - i_0_0)))

goal test2_safety_po_4:
  forall t_0_0:intP pointer.
  forall n_2:int.
  forall intP_t_0_3_alloc_table:intP alloc_table.
  forall intP_intM_t_0_3:(intP,
  int) memory.
  ("JC_39":
  (("JC_36": (n_2 >= 1)) and
   (("JC_37": (offset_min(intP_t_0_3_alloc_table, t_0_0) <= 0)) and
    ("JC_38": (offset_max(intP_t_0_3_alloc_table, t_0_0) >= (n_2 - 1)))))) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_0_3_0:(intP,
  int) memory.
  ("JC_54": true) ->
  ("JC_52":
  (("JC_49": (0 <= i_0_0)) and
   (("JC_50": (i_0_0 <= n_2)) and
    ("JC_51": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = (sum(t_0_0, 0, n_2,
    intP_intM_t_0_3) + i_0_0)))))) ->
  (i_0_0 < n_2) ->
  ("JC_56": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_0) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_0) + select(intP_intM_t_0_3_0, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_0)))) ->
  ((offset_min(intP_t_0_3_alloc_table, t_0_0) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_0_3_alloc_table, t_0_0))) ->
  forall result:int.
  (result = select(intP_intM_t_0_3_0, shift(t_0_0, i_0_0))) ->
  ((offset_min(intP_t_0_3_alloc_table, t_0_0) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_0_3_alloc_table, t_0_0))) ->
  forall intP_intM_t_0_3_1:(intP,
  int) memory.
  (intP_intM_t_0_3_1 = store(intP_intM_t_0_3_0, shift(t_0_0, i_0_0),
  (result + 1))) ->
  ("JC_59": (sum(t_0_0, 0, n_2, intP_intM_t_0_3_1) = ((sum(t_0_0, 0, i_0_0,
  intP_intM_t_0_3_1) + select(intP_intM_t_0_3_1, shift(t_0_0,
  i_0_0))) + sum(t_0_0, (i_0_0 + 1), n_2, intP_intM_t_0_3_1)))) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  (("JC_60": (n_2 - i_0_1)) < ("JC_60": (n_2 - i_0_0)))

why-2.34/tests/c/oracle/muller.res.oracle0000644000175000017500000066547512311670312016754 0ustar  rtusers========== file tests/c/muller.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned int size_t;
void *malloc(size_t size);
void *calloc(size_t nmemb, size_t size);

/*@ axiomatic NumOfPos {
  @  logic integer num_of_pos{L}(integer i,integer j,int *t);
  @  axiom num_of_pos_empty{L} :
  @   \forall integer i, j, int *t;
  @    i >= j ==> num_of_pos(i,j,t) == 0;
  @  axiom num_of_pos_true_case{L} :
  @   \forall integer i, j, int *t;
  @       i < j && t[j-1] > 0 ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t) + 1;
  @  axiom num_of_pos_false_case{L} :
  @   \forall integer i, j, int *t;
  @       i < j && ! (t[j-1] > 0) ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t);
  @ }
  @*/


/*@ lemma num_of_pos_non_negative{L} :
  @   \forall integer i, j, int *t; 0 <= num_of_pos(i,j,t);
  @*/

/*@ lemma num_of_pos_additive{L} :
  @   \forall integer i, j, k, int *t; i <= j <= k ==>
  @       num_of_pos(i,k,t) == num_of_pos(i,j,t) + num_of_pos(j,k,t);
  @*/

/*@ lemma num_of_pos_increasing{L} :
  @   \forall integer i, j, k, int *t;
  @       j <= k ==> num_of_pos(i,j,t) <= num_of_pos(i,k,t);
  @*/

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i, n, int *t;
  @       0 <= i < n && t[i] > 0 ==>
  @       num_of_pos(0,i,t) < num_of_pos(0,n,t);
  @*/

/*@ requires l >= 0 && \valid_range(t,0,l-1);
  @*/
int* m(int *t, int l) {
  int i, count = 0;
  int *u;

  /*@ loop invariant
    @    0 <= i <= l &&
    @    0 <= count <= i &&
    @    count == num_of_pos(0,i,t) ;
    @ loop variant l - i;
    @*/
  for (i=0 ; i < l; i++) if (t[i] > 0) count++;

  u = (int*)calloc(count,sizeof(int));
  count = 0;

  /*@ loop invariant
    @    0 <= i <= l &&
    @    0 <= count <= i &&
    @    count == num_of_pos(0,i,t);
    @ loop variant l - i;
    @*/
  for (int i=0 ; i < l; i++) {
    if (t[i] > 0) u[count++] = t[i];
  }
  return u;
}


/*
Local Variables:
compile-command: "make muller.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/muller.c"
tests/c/muller.c:73:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
[jessie] Starting Jessie translation
tests/c/muller.c:75:[kernel] warning: Neither code nor specification for function calloc, generating default assigns from the prototype
[jessie] Producing Jessie files in subdir tests/c/muller.jessie
[jessie] File tests/c/muller.jessie/muller.jc written.
[jessie] File tests/c/muller.jessie/muller.cloc written.
========== file tests/c/muller.jessie/muller.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type uint32 = 0..4294967295

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

charP[..] calloc(uint32 nmemb, uint32 size_0)
behavior default:
  assigns \nothing;
  ensures (_C_1 : true);
;

axiomatic NumOfPos {

  logic integer num_of_pos{L}(integer i_1, integer j_0, intP[..] t)
   
  axiom num_of_pos_empty{L} :
  (\forall integer i_2;
    (\forall integer j_1;
      (\forall intP[..] t_0;
        ((i_2 >= j_1) ==> (num_of_pos{L}(i_2, j_1, t_0) == 0)))))
   
  axiom num_of_pos_true_case{L} :
  (\forall integer i_3;
    (\forall integer j_2;
      (\forall intP[..] t_1;
        (((i_3 < j_2) && ((t_1 + (j_2 - 1)).intM > 0)) ==>
          (num_of_pos{L}(i_3, j_2, t_1) ==
            (num_of_pos{L}(i_3, (j_2 - 1), t_1) + 1))))))
   
  axiom num_of_pos_false_case{L} :
  (\forall integer i_4;
    (\forall integer j_3;
      (\forall intP[..] t_2;
        (((i_4 < j_3) && (! ((t_2 + (j_3 - 1)).intM > 0))) ==>
          (num_of_pos{L}(i_4, j_3, t_2) ==
            num_of_pos{L}(i_4, (j_3 - 1), t_2))))))
  
}

lemma num_of_pos_non_negative{L} :
(\forall integer i_5;
  (\forall integer j_4;
    (\forall intP[..] t_3;
      (0 <= num_of_pos{L}(i_5, j_4, t_3)))))

lemma num_of_pos_additive{L} :
(\forall integer i_6;
  (\forall integer j_5;
    (\forall integer k;
      (\forall intP[..] t_4;
        (((i_6 <= j_5) && (j_5 <= k)) ==>
          (num_of_pos{L}(i_6, k, t_4) ==
            (num_of_pos{L}(i_6, j_5, t_4) + num_of_pos{L}(j_5, k, t_4))))))))

lemma num_of_pos_increasing{L} :
(\forall integer i_7;
  (\forall integer j_6;
    (\forall integer k_0;
      (\forall intP[..] t_5;
        ((j_6 <= k_0) ==>
          (num_of_pos{L}(i_7, j_6, t_5) <= num_of_pos{L}(i_7, k_0, t_5)))))))

lemma num_of_pos_strictly_increasing{L} :
(\forall integer i_8;
  (\forall integer n;
    (\forall intP[..] t_6;
      ((((0 <= i_8) && (i_8 < n)) && ((t_6 + i_8).intM > 0)) ==>
        (num_of_pos{L}(0, i_8, t_6) < num_of_pos{L}(0, n, t_6))))))

intP[..] m(intP[..] t, int32 l)
  requires (_C_52 : ((_C_53 : (l >= 0)) &&
                      ((_C_55 : (\offset_min(t) <= 0)) &&
                        (_C_56 : (\offset_max(t) >= (l - 1))))));
behavior default:
  ensures (_C_51 : true);
{  
   (var int32 i);
   
   (var int32 count);
   
   (var intP[..] u);
   
   (var int32 i_0);
   
   (var int32 tmp_0);
   
   {  (_C_2 : (count = 0));
      (_C_3 : (i = 0));
      
      loop 
      behavior default:
        invariant (_C_5 : ((((_C_8 : (0 <= i)) && (_C_9 : (i <= l))) &&
                             ((_C_11 : (0 <= count)) &&
                               (_C_12 : (count <= i)))) &&
                            (_C_13 : (count == num_of_pos{Here}(0, i, t)))));
      variant (_C_4 : (l - i));
      while (true)
      {  
         {  (if (i < l) then () else 
            (goto while_0_break));
            (if ((_C_18 : (_C_17 : (t + i)).intM) > 0) then (_C_16 : (count = 
                                                            (_C_15 : (
                                                            (_C_14 : 
                                                            (count +
                                                              1)) :> int32)))) else ());
            (_C_21 : (i = (_C_20 : ((_C_19 : (i + 1)) :> int32))))
         }
      };
      (while_0_break : ());
      (_C_24 : (u = (_C_23 : (new intP[(_C_22 : (count :> uint32))]))));
      (_C_25 : (count = 0));
      
      {  (_C_26 : (i_0 = 0));
         
         loop 
         behavior default:
           invariant (_C_28 : ((((_C_31 : (0 <= i_0)) &&
                                  (_C_32 : (i_0 <= l))) &&
                                 ((_C_34 : (0 <= count)) &&
                                   (_C_35 : (count <= i_0)))) &&
                                (_C_36 : (count ==
                                           num_of_pos{Here}(0, i_0, t)))));
         variant (_C_27 : (l - i_0));
         while (true)
         {  
            {  (if (i_0 < l) then () else 
               (goto while_1_break));
               
               {  (if ((_C_47 : (_C_46 : (t + i_0)).intM) > 0) then 
                  {  (_C_37 : (tmp_0 = count));
                     (_C_40 : (count = (_C_39 : ((_C_38 : (count + 1)) :> int32))));
                     (_C_45 : ((_C_44 : (_C_43 : (u + tmp_0)).intM) = 
                     (_C_42 : (_C_41 : (t + i_0)).intM)))
                  } else ())
               };
               (_C_50 : (i_0 = (_C_49 : ((_C_48 : (i_0 + 1)) :> int32))))
            }
         };
         (while_1_break : ())
      };
      
      (return u)
   }
}
========== file tests/c/muller.jessie/muller.cloc ==========
[_C_52]
file = "HOME/tests/c/muller.c"
line = 73
begin = 13
end = 44

[_C_35]
file = "HOME/tests/c/muller.c"
line = 92
begin = 14
end = 24

[_C_56]
file = "HOME/tests/c/muller.c"
line = 73
begin = 23
end = 44

[_C_28]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 87

[_C_48]
file = "HOME/tests/c/muller.c"
line = 96
begin = 24
end = 27

[_C_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_31]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 15

[num_of_pos_non_negative]
name = "Lemma num_of_pos_non_negative"
file = "HOME/tests/c/muller.c"
line = 53
begin = 4
end = 98

[_C_41]
file = "HOME/tests/c/muller.c"
line = 97
begin = 31
end = 32

[_C_4]
file = "HOME/tests/c/muller.c"
line = 83
begin = 19
end = 24

[_C_32]
file = "HOME/tests/c/muller.c"
line = 91
begin = 14
end = 20

[_C_23]
file = "HOME/tests/c/muller.c"
line = 87
begin = 12
end = 37

[_C_19]
file = "HOME/tests/c/muller.c"
line = 85
begin = 20
end = 23

[_C_42]
file = "HOME/tests/c/muller.c"
line = 97
begin = 31
end = 35

[_C_13]
file = "HOME/tests/c/muller.c"
line = 82
begin = 9
end = 35

[_C_5]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 87

[_C_36]
file = "HOME/tests/c/muller.c"
line = 93
begin = 9
end = 35

[_C_12]
file = "HOME/tests/c/muller.c"
line = 81
begin = 14
end = 24

[_C_33]
file = "HOME/tests/c/muller.c"
line = 92
begin = 9
end = 24

[_C_22]
file = "HOME/tests/c/muller.c"
line = 87
begin = 19
end = 24

[_C_9]
file = "HOME/tests/c/muller.c"
line = 80
begin = 14
end = 20

[_C_54]
file = "HOME/tests/c/muller.c"
line = 73
begin = 23
end = 44

[_C_30]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 20

[_C_6]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 48

[_C_49]
file = "HOME/tests/c/muller.c"
line = 96
begin = 24
end = 27

[_C_24]
file = "HOME/tests/c/muller.c"
line = 87
begin = 12
end = 37

[_C_45]
file = "HOME/tests/c/muller.c"
line = 97
begin = 31
end = 35

[_C_20]
file = "HOME/tests/c/muller.c"
line = 85
begin = 20
end = 23

[num_of_pos_false_case]
name = "Lemma num_of_pos_false_case"
file = "HOME/tests/c/muller.c"
line = 45
begin = 5
end = 165

[_C_38]
file = "HOME/tests/c/muller.c"
line = 97
begin = 20
end = 27

[_C_3]
file = "HOME/tests/c/muller.c"
line = 85
begin = 9
end = 10

[num_of_pos_increasing]
name = "Lemma num_of_pos_increasing"
file = "HOME/tests/c/muller.c"
line = 62
begin = 4
end = 136

[num_of_pos_true_case]
name = "Lemma num_of_pos_true_case"
file = "HOME/tests/c/muller.c"
line = 41
begin = 5
end = 164

[_C_17]
file = "HOME/tests/c/muller.c"
line = 85
begin = 29
end = 30

[_C_7]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 20

[_C_55]
file = "HOME/tests/c/muller.c"
line = 73
begin = 23
end = 44

[_C_27]
file = "HOME/tests/c/muller.c"
line = 94
begin = 19
end = 24

[_C_46]
file = "HOME/tests/c/muller.c"
line = 97
begin = 8
end = 9

[_C_44]
file = "HOME/tests/c/muller.c"
line = 97
begin = 31
end = 35

[_C_15]
file = "HOME/tests/c/muller.c"
line = 85
begin = 39
end = 46

[num_of_pos_strictly_increasing]
name = "Lemma num_of_pos_strictly_increasing"
file = "HOME/tests/c/muller.c"
line = 67
begin = 4
end = 167

[_C_26]
file = "HOME/tests/c/muller.c"
line = 96
begin = 7
end = 10

[_C_47]
file = "HOME/tests/c/muller.c"
line = 97
begin = 8
end = 12

[_C_10]
file = "HOME/tests/c/muller.c"
line = 81
begin = 9
end = 24

[_C_53]
file = "HOME/tests/c/muller.c"
line = 73
begin = 13
end = 19

[_C_40]
file = "HOME/tests/c/muller.c"
line = 97
begin = 20
end = 27

[num_of_pos_additive]
name = "Lemma num_of_pos_additive"
file = "HOME/tests/c/muller.c"
line = 57
begin = 4
end = 159

[_C_8]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 15

[_C_18]
file = "HOME/tests/c/muller.c"
line = 85
begin = 29
end = 33

[_C_29]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 48

[_C_14]
file = "HOME/tests/c/muller.c"
line = 85
begin = 39
end = 46

[_C_50]
file = "HOME/tests/c/muller.c"
line = 96
begin = 24
end = 27

[_C_37]
file = "HOME/tests/c/muller.c"
line = 97
begin = 20
end = 27

[_C_43]
file = "HOME/tests/c/muller.c"
line = 97
begin = 18
end = 19

[num_of_pos_empty]
name = "Lemma num_of_pos_empty"
file = "HOME/tests/c/muller.c"
line = 38
begin = 5
end = 110

[_C_2]
file = "HOME/tests/c/muller.c"
line = 76
begin = 2
end = 5

[_C_34]
file = "HOME/tests/c/muller.c"
line = 92
begin = 9
end = 19

[_C_16]
file = "HOME/tests/c/muller.c"
line = 85
begin = 39
end = 46

[_C_1]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_25]
file = "HOME/tests/c/muller.c"
line = 88
begin = 10
end = 11

[_C_39]
file = "HOME/tests/c/muller.c"
line = 97
begin = 20
end = 27

[_C_11]
file = "HOME/tests/c/muller.c"
line = 81
begin = 9
end = 19

[m]
name = "Function m"
file = "HOME/tests/c/muller.c"
line = 75
begin = 3
end = 4

[_C_21]
file = "HOME/tests/c/muller.c"
line = 85
begin = 20
end = 23

========== jessie execution ==========
Generating Why function m
========== file tests/c/muller.jessie/muller.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs muller.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs muller.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/muller_why.sx

project: why/muller.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/muller_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/muller_why.vo

coq/muller_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/muller_why.v: why/muller.why
	@echo 'why -coq [...] why/muller.why' && $(WHY) $(JESSIELIBFILES) why/muller.why && rm -f coq/jessie_why.v

coq-goals: goals coq/muller_ctx_why.vo
	for f in why/*_po*.why; do make -f muller.makefile coq/`basename $$f .why`_why.v ; done

coq/muller_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/muller_ctx_why.v: why/muller_ctx.why
	@echo 'why -coq [...] why/muller_ctx.why' && $(WHY) why/muller_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export muller_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/muller_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/muller_ctx_why.vo

pvs: pvs/muller_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/muller_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/muller_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/muller_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/muller_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/muller_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/muller_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/muller_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/muller_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/muller_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/muller_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/muller_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/muller_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/muller_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/muller_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: muller.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/muller_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: muller.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: muller.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: muller.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include muller.depend

depend: coq/muller_why.v
	-$(COQDEP) -I coq coq/muller*_why.v > muller.depend

clean:
	rm -f coq/*.vo

========== file tests/c/muller.jessie/muller.loc ==========
[JC_73]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 153
begin = 9
end = 1056

[JC_63]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 128
begin = 6
end = 898

[JC_51]
kind = PointerDeref
file = "HOME/tests/c/muller.c"
line = 97
begin = 31
end = 35

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 87

[JC_64]
kind = AllocSize
file = "HOME/tests/c/muller.c"
line = 87
begin = 12
end = 37

[num_of_pos_non_negative]
name = "Lemma num_of_pos_non_negative"
behavior = "lemma"
file = "HOME/tests/c/muller.c"
line = 53
begin = 4
end = 98

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/c/muller.c"
line = 73
begin = 23
end = 44

[JC_55]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 15

[JC_48]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 153
begin = 9
end = 1056

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/c/muller.c"
line = 92
begin = 9
end = 19

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 15

[JC_41]
file = "HOME/tests/c/muller.c"
line = 91
begin = 14
end = 20

[JC_47]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 153
begin = 9
end = 1056

[JC_52]
kind = PointerDeref
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 170
begin = 31
end = 126

[JC_26]
file = "HOME/tests/c/muller.c"
line = 80
begin = 14
end = 20

[JC_8]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 46
begin = 10
end = 18

[JC_54]
file = "HOME/tests/c/muller.c"
line = 94
begin = 19
end = 24

[JC_13]
file = "HOME/tests/c/muller.c"
line = 73
begin = 23
end = 44

[JC_11]
file = "HOME/tests/c/muller.c"
line = 73
begin = 13
end = 19

[JC_70]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 87

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
kind = ArithOverflow
file = "HOME/tests/c/muller.c"
line = 85
begin = 20
end = 23

[JC_39]
kind = AllocSize
file = "HOME/tests/c/muller.c"
line = 87
begin = 12
end = 37

[JC_40]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 15

[JC_35]
kind = ArithOverflow
file = "HOME/tests/c/muller.c"
line = 85
begin = 39
end = 46

[num_of_pos_false_case]
name = "Lemma num_of_pos_false_case"
behavior = "axiom"
file = "HOME/tests/c/muller.c"
line = 45
begin = 5
end = 165

[JC_27]
file = "HOME/tests/c/muller.c"
line = 81
begin = 9
end = 19

[JC_69]
file = "HOME/tests/c/muller.c"
line = 93
begin = 9
end = 35

[JC_38]
kind = ArithOverflow
file = "HOME/tests/c/muller.c"
line = 87
begin = 19
end = 24

[JC_12]
file = "HOME/tests/c/muller.c"
line = 73
begin = 23
end = 44

[JC_6]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 46
begin = 10
end = 18

[num_of_pos_increasing]
name = "Lemma num_of_pos_increasing"
behavior = "lemma"
file = "HOME/tests/c/muller.c"
line = 62
begin = 4
end = 136

[JC_44]
file = "HOME/tests/c/muller.c"
line = 93
begin = 9
end = 35

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_true_case]
name = "Lemma num_of_pos_true_case"
behavior = "axiom"
file = "HOME/tests/c/muller.c"
line = 41
begin = 5
end = 164

[JC_62]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 128
begin = 6
end = 898

[JC_42]
file = "HOME/tests/c/muller.c"
line = 92
begin = 9
end = 19

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 128
begin = 6
end = 898

[JC_56]
file = "HOME/tests/c/muller.c"
line = 80
begin = 14
end = 20

[m_safety]
name = "Function m"
behavior = "Safety"
file = "HOME/tests/c/muller.c"
line = 75
begin = 3
end = 4

[JC_33]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 128
begin = 6
end = 898

[JC_65]
file = "HOME/tests/c/muller.c"
line = 91
begin = 9
end = 15

[num_of_pos_strictly_increasing]
name = "Lemma num_of_pos_strictly_increasing"
behavior = "lemma"
file = "HOME/tests/c/muller.c"
line = 67
begin = 4
end = 167

[m_ensures_default]
name = "Function m"
behavior = "default behavior"
file = "HOME/tests/c/muller.c"
line = 75
begin = 3
end = 4

[JC_29]
file = "HOME/tests/c/muller.c"
line = 82
begin = 9
end = 35

[JC_68]
file = "HOME/tests/c/muller.c"
line = 92
begin = 14
end = 24

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[num_of_pos_additive]
name = "Lemma num_of_pos_additive"
behavior = "lemma"
file = "HOME/tests/c/muller.c"
line = 57
begin = 4
end = 159

[JC_16]
file = "HOME/tests/c/muller.c"
line = 73
begin = 13
end = 19

[JC_43]
file = "HOME/tests/c/muller.c"
line = 92
begin = 14
end = 24

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
kind = PointerDeref
file = "HOME/tests/c/muller.c"
line = 85
begin = 29
end = 33

[JC_14]
file = "HOME/tests/c/muller.c"
line = 73
begin = 13
end = 44

[JC_53]
kind = ArithOverflow
file = "HOME/tests/c/muller.c"
line = 96
begin = 24
end = 27

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
kind = PointerDeref
file = "HOME/tests/c/muller.c"
line = 97
begin = 8
end = 12

[JC_1]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 44
begin = 10
end = 16

[num_of_pos_empty]
name = "Lemma num_of_pos_empty"
behavior = "axiom"
file = "HOME/tests/c/muller.c"
line = 38
begin = 5
end = 110

[JC_37]
file = "HOME/tests/c/muller.c"
line = 83
begin = 19
end = 24

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/c/muller.c"
line = 81
begin = 9
end = 19

[JC_66]
file = "HOME/tests/c/muller.c"
line = 91
begin = 14
end = 20

[JC_59]
file = "HOME/tests/c/muller.c"
line = 82
begin = 9
end = 35

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/muller.c"
line = 73
begin = 23
end = 44

[JC_3]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 44
begin = 10
end = 16

[JC_60]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 87

[JC_72]
file = "HOME/tests/c/muller.jessie/muller.jc"
line = 153
begin = 9
end = 1056

[JC_19]
file = "HOME/tests/c/muller.c"
line = 73
begin = 13
end = 44

[JC_50]
kind = ArithOverflow
file = "HOME/tests/c/muller.c"
line = 97
begin = 20
end = 27

[JC_30]
file = "HOME/tests/c/muller.c"
line = 80
begin = 9
end = 87

[JC_58]
file = "HOME/tests/c/muller.c"
line = 81
begin = 14
end = 24

[JC_28]
file = "HOME/tests/c/muller.c"
line = 81
begin = 14
end = 24

========== file tests/c/muller.jessie/why/muller.why ==========
type charP

type int32

type int8

type intP

type padding

type uint32

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint32: uint32 -> int

predicate eq_uint32(x:uint32, y:uint32) =
 eq_int(integer_of_uint32(x), integer_of_uint32(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

logic num_of_pos: int, int, intP pointer, (intP, int32) memory -> int

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint32_of_integer: int -> uint32

axiom uint32_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (4294967295))) ->
   eq_int(integer_of_uint32(uint32_of_integer(x)), x)))

axiom uint32_extensionality :
 (forall x:uint32.
  (forall y:uint32[eq_int(integer_of_uint32(x), integer_of_uint32(y))].
   (eq_int(integer_of_uint32(x), integer_of_uint32(y)) -> (x = y))))

axiom uint32_range :
 (forall x:uint32.
  (le_int((0), integer_of_uint32(x))
  and le_int(integer_of_uint32(x), (4294967295))))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

axiom num_of_pos_empty :
 (forall intP_intM_t_3_at_L:(intP, int32) memory.
  (forall i_2:int.
   (forall j_1:int.
    (forall t_0_0:intP pointer.
     (ge_int(i_2, j_1) ->
      (num_of_pos(i_2, j_1, t_0_0, intP_intM_t_3_at_L) = (0)))))))

axiom num_of_pos_true_case :
 (forall intP_intM_t_3_at_L:(intP, int32) memory.
  (forall i_3:int.
   (forall j_2:int.
    (forall t_1:intP pointer.
     ((lt_int(i_3, j_2)
      and gt_int(integer_of_int32(select(intP_intM_t_3_at_L,
                                  shift(t_1, sub_int(j_2, (1))))),
          (0))) ->
      (num_of_pos(i_3, j_2, t_1, intP_intM_t_3_at_L) = add_int(num_of_pos(i_3,
                                                               sub_int(j_2,
                                                               (1)), t_1,
                                                               intP_intM_t_3_at_L),
                                                       (1))))))))

axiom num_of_pos_false_case :
 (forall intP_intM_t_3_at_L:(intP, int32) memory.
  (forall i_4:int.
   (forall j_3:int.
    (forall t_2:intP pointer.
     ((lt_int(i_4, j_3)
      and (not gt_int(integer_of_int32(select(intP_intM_t_3_at_L,
                                       shift(t_2, sub_int(j_3, (1))))),
               (0)))) ->
      (num_of_pos(i_4, j_3, t_2, intP_intM_t_3_at_L) = num_of_pos(i_4,
                                                       sub_int(j_3, (1)),
                                                       t_2,
                                                       intP_intM_t_3_at_L)))))))

lemma num_of_pos_non_negative :
 (forall intP_intM_t_3_10_at_L:(intP, int32) memory.
  (forall i_5:int.
   (forall j_4:int.
    (forall t_3:intP pointer.
     le_int((0), num_of_pos(i_5, j_4, t_3, intP_intM_t_3_10_at_L))))))

lemma num_of_pos_additive :
 (forall intP_intM_t_4_11_at_L:(intP, int32) memory.
  (forall i_6:int.
   (forall j_5:int.
    (forall k:int.
     (forall t_4:intP pointer.
      ((le_int(i_6, j_5) and le_int(j_5, k)) ->
       (num_of_pos(i_6, k, t_4, intP_intM_t_4_11_at_L) = add_int(num_of_pos(i_6,
                                                                 j_5, t_4,
                                                                 intP_intM_t_4_11_at_L),
                                                         num_of_pos(j_5, k,
                                                         t_4,
                                                         intP_intM_t_4_11_at_L)))))))))

lemma num_of_pos_increasing :
 (forall intP_intM_t_5_12_at_L:(intP, int32) memory.
  (forall i_7:int.
   (forall j_6:int.
    (forall k_0:int.
     (forall t_5:intP pointer.
      (le_int(j_6, k_0) ->
       le_int(num_of_pos(i_7, j_6, t_5, intP_intM_t_5_12_at_L),
       num_of_pos(i_7, k_0, t_5, intP_intM_t_5_12_at_L))))))))

lemma num_of_pos_strictly_increasing :
 (forall intP_intM_t_6_13_at_L:(intP, int32) memory.
  (forall i_8:int.
   (forall n:int.
    (forall t_6:intP pointer.
     ((le_int((0), i_8)
      and (lt_int(i_8, n)
          and gt_int(integer_of_int32(select(intP_intM_t_6_13_at_L,
                                      shift(t_6, i_8))),
              (0)))) ->
      lt_int(num_of_pos((0), i_8, t_6, intP_intM_t_6_13_at_L),
      num_of_pos((0), n, t_6, intP_intM_t_6_13_at_L)))))))

exception Goto_while_0_break_exc of unit

exception Goto_while_1_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint32 : unit -> { } uint32 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter calloc :
 nmemb:uint32 -> size_0:uint32 -> { } charP pointer { true }

parameter calloc_requires :
 nmemb:uint32 -> size_0:uint32 -> { } charP pointer { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter m :
 t_0:intP pointer ->
  l:int32 ->
   intP_m_6_alloc_table:intP alloc_table ref ->
    intP_m_6_tag_table:intP tag_table ref ->
     intP_intM_m_6:(intP, int32) memory ref ->
      intP_t_4_alloc_table:intP alloc_table ->
       intP_intM_t_4:(intP, int32) memory ->
        { } intP pointer reads intP_m_6_alloc_table
        writes intP_intM_m_6,intP_m_6_alloc_table,intP_m_6_tag_table 
        { true }

parameter m_requires :
 t_0:intP pointer ->
  l:int32 ->
   intP_m_6_alloc_table:intP alloc_table ref ->
    intP_m_6_tag_table:intP tag_table ref ->
     intP_intM_m_6:(intP, int32) memory ref ->
      intP_t_4_alloc_table:intP alloc_table ->
       intP_intM_t_4:(intP, int32) memory ->
        { (JC_14:
          ((JC_11: ge_int(integer_of_int32(l), (0)))
          and ((JC_12: le_int(offset_min(intP_t_4_alloc_table, t_0), (0)))
              and (JC_13:
                  ge_int(offset_max(intP_t_4_alloc_table, t_0),
                  sub_int(integer_of_int32(l), (1)))))))}
        intP pointer reads intP_m_6_alloc_table
        writes intP_intM_m_6,intP_m_6_alloc_table,intP_m_6_tag_table 
        { true }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint32_of_integer_ :
 x:int -> { } uint32 { eq_int(integer_of_uint32(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint32_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (4294967295)))} uint32
  { eq_int(integer_of_uint32(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let m_ensures_default =
 fun (t_0 : intP pointer) (l : int32) (intP_m_6_alloc_table : intP alloc_table ref) (intP_m_6_tag_table : intP tag_table ref) (intP_intM_m_6 : (intP, int32) memory ref) (intP_t_4_alloc_table : intP alloc_table) (intP_intM_t_4 : (intP, int32) memory) ->
  { (JC_19:
    ((JC_16: ge_int(integer_of_int32(l), (0)))
    and ((JC_17: le_int(offset_min(intP_t_4_alloc_table, t_0), (0)))
        and (JC_18:
            ge_int(offset_max(intP_t_4_alloc_table, t_0),
            sub_int(integer_of_int32(l), (1))))))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let i = ref (any_int32 void) in
     (let count = ref (any_int32 void) in
     (let u = ref (any_pointer void) in
     (let i_0 = ref (any_int32 void) in
     (let tmp_0 = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
       (loop_3:
       begin
         while true do
         { invariant
             (JC_60:
             ((JC_55: le_int((0), integer_of_int32(i)))
             and ((JC_56: le_int(integer_of_int32(i), integer_of_int32(l)))
                 and ((JC_57: le_int((0), integer_of_int32(count)))
                     and ((JC_58:
                          le_int(integer_of_int32(count),
                          integer_of_int32(i)))
                         and (JC_59:
                             (integer_of_int32(count) = num_of_pos((0),
                                                        integer_of_int32(i),
                                                        t_0, intP_intM_t_4))))))))
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 l))
                then void else (raise (Goto_while_0_break_exc void)));
               (if ((gt_int_ (integer_of_int32 ((safe_acc_ intP_intM_t_4) 
                                                ((shift t_0) (integer_of_int32 !i))))) (0))
               then
                (let _jessie_ =
                (count := (safe_int32_of_integer_ ((add_int (integer_of_int32 !count)) (1)))) in
                void) else void);
               (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))));
               !i end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break:
      begin
        void;
       (let _jessie_ =
       (u := (JC_64:
             (((alloc_struct_intP (integer_of_uint32 (safe_uint32_of_integer_ 
                                                      (integer_of_int32 !count)))) intP_m_6_alloc_table) intP_m_6_tag_table))) in
       void);
       (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       try
        begin
          (let _jessie_ = (i_0 := (safe_int32_of_integer_ (0))) in void);
         (loop_4:
         begin
           while true do
           { invariant
               (JC_70:
               ((JC_65: le_int((0), integer_of_int32(i_0)))
               and ((JC_66:
                    le_int(integer_of_int32(i_0), integer_of_int32(l)))
                   and ((JC_67: le_int((0), integer_of_int32(count)))
                       and ((JC_68:
                            le_int(integer_of_int32(count),
                            integer_of_int32(i_0)))
                           and (JC_69:
                               (integer_of_int32(count) = num_of_pos((0),
                                                          integer_of_int32(i_0),
                                                          t_0, intP_intM_t_4))))))))
              }
            begin
              [ { } unit { true } ];
             try
              begin
                (let _jessie_ =
                begin
                  (if ((lt_int_ (integer_of_int32 !i_0)) (integer_of_int32 l))
                  then void else (raise (Goto_while_1_break_exc void)));
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ intP_intM_t_4) 
                                                  ((shift t_0) (integer_of_int32 !i_0))))) (0))
                 then
                  (let _jessie_ =
                  begin
                    (let _jessie_ = (tmp_0 := !count) in void);
                   (let _jessie_ =
                   (count := (safe_int32_of_integer_ ((add_int (integer_of_int32 !count)) (1)))) in
                   void);
                   (let _jessie_ =
                   ((safe_acc_ intP_intM_t_4) ((shift t_0) (integer_of_int32 !i_0))) in
                   (let _jessie_ = !u in
                   (let _jessie_ = (integer_of_int32 !tmp_0) in
                   (let _jessie_ = ((shift _jessie_) _jessie_) in
                   begin
                     (((safe_upd_ intP_intM_m_6) _jessie_) _jessie_);
                    _jessie_ end)))) end in void) else void);
                 (i_0 := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i_0)) (1))));
                 !i_0 end in void); (raise (Loop_continue_exc void)) end with
              Loop_continue_exc _jessie_ -> void end end done;
          (raise (Goto_while_1_break_exc void)) end) end with
        Goto_while_1_break_exc _jessie_ -> (while_1_break: void) end;
       (return := !u); (raise Return) end) end))))); absurd  end with
   Return -> !return end)) { (JC_21: true) }

let m_safety =
 fun (t_0 : intP pointer) (l : int32) (intP_m_6_alloc_table : intP alloc_table ref) (intP_m_6_tag_table : intP tag_table ref) (intP_intM_m_6 : (intP, int32) memory ref) (intP_t_4_alloc_table : intP alloc_table) (intP_intM_t_4 : (intP, int32) memory) ->
  { (JC_19:
    ((JC_16: ge_int(integer_of_int32(l), (0)))
    and ((JC_17: le_int(offset_min(intP_t_4_alloc_table, t_0), (0)))
        and (JC_18:
            ge_int(offset_max(intP_t_4_alloc_table, t_0),
            sub_int(integer_of_int32(l), (1))))))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let i = ref (any_int32 void) in
     (let count = ref (any_int32 void) in
     (let u = ref (any_pointer void) in
     (let i_0 = ref (any_int32 void) in
     (let tmp_0 = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_32: true)
           variant (JC_37 : sub_int(integer_of_int32(l), integer_of_int32(i))) }
          begin
            [ { } unit reads count,i
              { (JC_30:
                ((JC_25: le_int((0), integer_of_int32(i)))
                and ((JC_26:
                     le_int(integer_of_int32(i), integer_of_int32(l)))
                    and ((JC_27: le_int((0), integer_of_int32(count)))
                        and ((JC_28:
                             le_int(integer_of_int32(count),
                             integer_of_int32(i)))
                            and (JC_29:
                                (integer_of_int32(count) = num_of_pos((0),
                                                           integer_of_int32(i),
                                                           t_0,
                                                           intP_intM_t_4)))))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 l))
                then void else (raise (Goto_while_0_break_exc void)));
               (if ((gt_int_ (integer_of_int32 (JC_34:
                                               ((((offset_acc_ intP_t_4_alloc_table) intP_intM_t_4) t_0) 
                                                (integer_of_int32 !i))))) (0))
               then
                (let _jessie_ =
                (count := (JC_35:
                          (int32_of_integer_ ((add_int (integer_of_int32 !count)) (1))))) in
                void) else void);
               (i := (JC_36:
                     (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))));
               !i end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break:
      begin
        void;
       (let _jessie_ =
       (u := (JC_39:
             (((alloc_struct_intP_requires (integer_of_uint32 (JC_38:
                                                              (uint32_of_integer_ 
                                                               (integer_of_int32 !count))))) intP_m_6_alloc_table) intP_m_6_tag_table))) in
       void);
       (let _jessie_ = (count := (safe_int32_of_integer_ (0))) in void);
       try
        begin
          (let _jessie_ = (i_0 := (safe_int32_of_integer_ (0))) in void);
         (loop_2:
         begin
           while true do
           { invariant (JC_47: true)
             variant (JC_54 : sub_int(integer_of_int32(l),
                              integer_of_int32(i_0))) }
            begin
              [ { } unit reads count,i_0
                { (JC_45:
                  ((JC_40: le_int((0), integer_of_int32(i_0)))
                  and ((JC_41:
                       le_int(integer_of_int32(i_0), integer_of_int32(l)))
                      and ((JC_42: le_int((0), integer_of_int32(count)))
                          and ((JC_43:
                               le_int(integer_of_int32(count),
                               integer_of_int32(i_0)))
                              and (JC_44:
                                  (integer_of_int32(count) = num_of_pos((0),
                                                             integer_of_int32(i_0),
                                                             t_0,
                                                             intP_intM_t_4)))))))) } ];
             try
              begin
                (let _jessie_ =
                begin
                  (if ((lt_int_ (integer_of_int32 !i_0)) (integer_of_int32 l))
                  then void else (raise (Goto_while_1_break_exc void)));
                 (if ((gt_int_ (integer_of_int32 (JC_49:
                                                 ((((offset_acc_ intP_t_4_alloc_table) intP_intM_t_4) t_0) 
                                                  (integer_of_int32 !i_0))))) (0))
                 then
                  (let _jessie_ =
                  begin
                    (let _jessie_ = (tmp_0 := !count) in void);
                   (let _jessie_ =
                   (count := (JC_50:
                             (int32_of_integer_ ((add_int (integer_of_int32 !count)) (1))))) in
                   void);
                   (let _jessie_ =
                   (JC_51:
                   ((((offset_acc_ intP_t_4_alloc_table) intP_intM_t_4) t_0) 
                    (integer_of_int32 !i_0))) in
                   (let _jessie_ = !u in
                   (let _jessie_ = (integer_of_int32 !tmp_0) in
                   (let _jessie_ = ((shift _jessie_) _jessie_) in
                   (JC_52:
                   begin
                     (((((offset_upd_ !intP_m_6_alloc_table) intP_intM_m_6) _jessie_) _jessie_) _jessie_);
                    _jessie_ end))))) end in void) else void);
                 (i_0 := (JC_53:
                         (int32_of_integer_ ((add_int (integer_of_int32 !i_0)) (1)))));
                 !i_0 end in void); (raise (Loop_continue_exc void)) end with
              Loop_continue_exc _jessie_ -> void end end done;
          (raise (Goto_while_1_break_exc void)) end) end with
        Goto_while_1_break_exc _jessie_ -> (while_1_break: void) end;
       (return := !u); (raise Return) end) end))))); absurd  end with
   Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/muller.why
========== file tests/c/muller.jessie/why/muller_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type int32

type int8

type intP

type padding

type uint32

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint32 : uint32 -> int

predicate eq_uint32(x: uint32, y: uint32) =
  (integer_of_uint32(x) = integer_of_uint32(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

logic intP_tag : intP tag_id

axiom intP_int: (int_of_tag(intP_tag) = 1)

logic intP_of_pointer_address : unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr:
  (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom: parenttag(intP_tag, bottom_tag)

axiom intP_tags:
  (forall x:intP pointer.
    (forall intP_tag_table:intP tag_table. instanceof(intP_tag_table, x,
      intP_tag)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_intP(p: intP pointer, a: int,
  intP_alloc_table: intP alloc_table) = (offset_min(intP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

logic num_of_pos : int, int, intP pointer, (intP, int32) memory -> int

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_intP(p: intP pointer, b: int,
  intP_alloc_table: intP alloc_table) = (offset_max(intP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint32_of_integer : int -> uint32

axiom uint32_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 4294967295)) ->
     (integer_of_uint32(uint32_of_integer(x)) = x)))

axiom uint32_extensionality:
  (forall x:uint32.
    (forall y:uint32.
      ((integer_of_uint32(x) = integer_of_uint32(y)) -> (x = y))))

axiom uint32_range:
  (forall x:uint32.
    ((0 <= integer_of_uint32(x)) and (integer_of_uint32(x) <= 4294967295)))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

axiom num_of_pos_empty:
  (forall intP_intM_t_3_at_L:(intP, int32) memory.
    (forall i_2:int.
      (forall j_1:int.
        (forall t_0_0:intP pointer.
          ((i_2 >= j_1) -> (num_of_pos(i_2, j_1, t_0_0,
           intP_intM_t_3_at_L) = 0))))))

axiom num_of_pos_true_case:
  (forall intP_intM_t_3_at_L:(intP, int32) memory.
    (forall i_3:int.
      (forall j_2:int.
        (forall t_1:intP pointer.
          (((i_3 < j_2) and (integer_of_int32(select(intP_intM_t_3_at_L,
            shift(t_1, (j_2 - 1)))) > 0)) ->
           (num_of_pos(i_3, j_2, t_1, intP_intM_t_3_at_L) = (num_of_pos(i_3,
           (j_2 - 1), t_1, intP_intM_t_3_at_L) + 1)))))))

axiom num_of_pos_false_case:
  (forall intP_intM_t_3_at_L:(intP, int32) memory.
    (forall i_4:int.
      (forall j_3:int.
        (forall t_2:intP pointer.
          (((i_4 < j_3) and (not (integer_of_int32(select(intP_intM_t_3_at_L,
            shift(t_2, (j_3 - 1)))) > 0))) ->
           (num_of_pos(i_4, j_3, t_2, intP_intM_t_3_at_L) = num_of_pos(i_4,
           (j_3 - 1), t_2, intP_intM_t_3_at_L)))))))

goal num_of_pos_non_negative:
  (forall intP_intM_t_3_10_at_L:(intP, int32) memory.
    (forall i_5:int.
      (forall j_4:int.
        (forall t_3:intP pointer. (0 <= num_of_pos(i_5, j_4, t_3,
          intP_intM_t_3_10_at_L))))))

axiom num_of_pos_non_negative_as_axiom:
  (forall intP_intM_t_3_10_at_L:(intP, int32) memory.
    (forall i_5:int.
      (forall j_4:int.
        (forall t_3:intP pointer. (0 <= num_of_pos(i_5, j_4, t_3,
          intP_intM_t_3_10_at_L))))))

goal num_of_pos_additive:
  (forall intP_intM_t_4_11_at_L:(intP, int32) memory.
    (forall i_6:int.
      (forall j_5:int.
        (forall k:int.
          (forall t_4:intP pointer.
            (((i_6 <= j_5) and (j_5 <= k)) -> (num_of_pos(i_6, k, t_4,
             intP_intM_t_4_11_at_L) = (num_of_pos(i_6, j_5, t_4,
             intP_intM_t_4_11_at_L) + num_of_pos(j_5, k, t_4,
             intP_intM_t_4_11_at_L)))))))))

axiom num_of_pos_additive_as_axiom:
  (forall intP_intM_t_4_11_at_L:(intP, int32) memory.
    (forall i_6:int.
      (forall j_5:int.
        (forall k:int.
          (forall t_4:intP pointer.
            (((i_6 <= j_5) and (j_5 <= k)) -> (num_of_pos(i_6, k, t_4,
             intP_intM_t_4_11_at_L) = (num_of_pos(i_6, j_5, t_4,
             intP_intM_t_4_11_at_L) + num_of_pos(j_5, k, t_4,
             intP_intM_t_4_11_at_L)))))))))

goal num_of_pos_increasing:
  (forall intP_intM_t_5_12_at_L:(intP, int32) memory.
    (forall i_7:int.
      (forall j_6:int.
        (forall k_0:int.
          (forall t_5:intP pointer.
            ((j_6 <= k_0) -> (num_of_pos(i_7, j_6, t_5,
             intP_intM_t_5_12_at_L) <= num_of_pos(i_7, k_0, t_5,
             intP_intM_t_5_12_at_L))))))))

axiom num_of_pos_increasing_as_axiom:
  (forall intP_intM_t_5_12_at_L:(intP, int32) memory.
    (forall i_7:int.
      (forall j_6:int.
        (forall k_0:int.
          (forall t_5:intP pointer.
            ((j_6 <= k_0) -> (num_of_pos(i_7, j_6, t_5,
             intP_intM_t_5_12_at_L) <= num_of_pos(i_7, k_0, t_5,
             intP_intM_t_5_12_at_L))))))))

goal num_of_pos_strictly_increasing:
  (forall intP_intM_t_6_13_at_L:(intP, int32) memory.
    (forall i_8:int.
      (forall n:int.
        (forall t_6:intP pointer.
          (((0 <= i_8) and
            ((i_8 < n) and (integer_of_int32(select(intP_intM_t_6_13_at_L,
             shift(t_6, i_8))) > 0))) ->
           (num_of_pos(0, i_8, t_6, intP_intM_t_6_13_at_L) < num_of_pos(0, n,
           t_6, intP_intM_t_6_13_at_L)))))))

axiom num_of_pos_strictly_increasing_as_axiom:
  (forall intP_intM_t_6_13_at_L:(intP, int32) memory.
    (forall i_8:int.
      (forall n:int.
        (forall t_6:intP pointer.
          (((0 <= i_8) and
            ((i_8 < n) and (integer_of_int32(select(intP_intM_t_6_13_at_L,
             shift(t_6, i_8))) > 0))) ->
           (num_of_pos(0, i_8, t_6, intP_intM_t_6_13_at_L) < num_of_pos(0, n,
           t_6, intP_intM_t_6_13_at_L)))))))

goal m_ensures_default_po_1:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  ("JC_60": ("JC_55": (0 <= integer_of_int32(i))))

goal m_ensures_default_po_2:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  ("JC_60": ("JC_56": (integer_of_int32(i) <= integer_of_int32(l))))

goal m_ensures_default_po_3:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  ("JC_60": ("JC_57": (0 <= integer_of_int32(count))))

goal m_ensures_default_po_4:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  ("JC_60": ("JC_58": (integer_of_int32(count) <= integer_of_int32(i))))

goal m_ensures_default_po_5:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  ("JC_60":
  ("JC_59": (integer_of_int32(count) = num_of_pos(0, integer_of_int32(i),
  t_0, intP_intM_t_4))))

goal m_ensures_default_po_6:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) > 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(count0) + 1)) ->
  forall count1:int32.
  (count1 = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_60": ("JC_55": (0 <= integer_of_int32(i1))))

goal m_ensures_default_po_7:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) > 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(count0) + 1)) ->
  forall count1:int32.
  (count1 = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_60": ("JC_56": (integer_of_int32(i1) <= integer_of_int32(l))))

goal m_ensures_default_po_8:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) > 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(count0) + 1)) ->
  forall count1:int32.
  (count1 = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_60": ("JC_57": (0 <= integer_of_int32(count1))))

goal m_ensures_default_po_9:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) > 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(count0) + 1)) ->
  forall count1:int32.
  (count1 = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_60": ("JC_58": (integer_of_int32(count1) <= integer_of_int32(i1))))

goal m_ensures_default_po_10:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) > 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(count0) + 1)) ->
  forall count1:int32.
  (count1 = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_60":
  ("JC_59": (integer_of_int32(count1) = num_of_pos(0, integer_of_int32(i1),
  t_0, intP_intM_t_4))))

goal m_ensures_default_po_11:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) <= 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result2) ->
  ("JC_60": ("JC_55": (0 <= integer_of_int32(i1))))

goal m_ensures_default_po_12:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) <= 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result2) ->
  ("JC_60": ("JC_56": (integer_of_int32(i1) <= integer_of_int32(l))))

goal m_ensures_default_po_13:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) <= 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result2) ->
  ("JC_60": ("JC_57": (0 <= integer_of_int32(count0))))

goal m_ensures_default_po_14:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) <= 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result2) ->
  ("JC_60": ("JC_58": (integer_of_int32(count0) <= integer_of_int32(i1))))

goal m_ensures_default_po_15:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) <= 0) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result2) ->
  ("JC_60":
  ("JC_59": (integer_of_int32(count0) = num_of_pos(0, integer_of_int32(i1),
  t_0, intP_intM_t_4))))

goal m_ensures_default_po_16:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  ("JC_70": ("JC_65": (0 <= integer_of_int32(i_0))))

goal m_ensures_default_po_17:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  ("JC_70": ("JC_66": (integer_of_int32(i_0) <= integer_of_int32(l))))

goal m_ensures_default_po_18:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  ("JC_70": ("JC_67": (0 <= integer_of_int32(count1))))

goal m_ensures_default_po_19:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  ("JC_70": ("JC_68": (integer_of_int32(count1) <= integer_of_int32(i_0))))

goal m_ensures_default_po_20:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  ("JC_70":
  ("JC_69": (integer_of_int32(count1) = num_of_pos(0, integer_of_int32(i_0),
  t_0, intP_intM_t_4))))

goal m_ensures_default_po_21:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  forall intP_intM_m_6:(intP,
  int32) memory.
  ("JC_70":
  (("JC_65": (0 <= integer_of_int32(i_0_0))) and
   (("JC_66": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_67": (0 <= integer_of_int32(count2))) and
     (("JC_68": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_69": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(count2) + 1)) ->
  forall count3:int32.
  (count3 = result6) ->
  forall result7:int32.
  (result7 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  forall intP_intM_m_6_0:(intP,
  int32) memory.
  (intP_intM_m_6_0 = store(intP_intM_m_6, shift(u, integer_of_int32(tmp_0)),
  result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result8) ->
  ("JC_70": ("JC_65": (0 <= integer_of_int32(i_0_1))))

goal m_ensures_default_po_22:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  forall intP_intM_m_6:(intP,
  int32) memory.
  ("JC_70":
  (("JC_65": (0 <= integer_of_int32(i_0_0))) and
   (("JC_66": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_67": (0 <= integer_of_int32(count2))) and
     (("JC_68": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_69": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(count2) + 1)) ->
  forall count3:int32.
  (count3 = result6) ->
  forall result7:int32.
  (result7 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  forall intP_intM_m_6_0:(intP,
  int32) memory.
  (intP_intM_m_6_0 = store(intP_intM_m_6, shift(u, integer_of_int32(tmp_0)),
  result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result8) ->
  ("JC_70": ("JC_66": (integer_of_int32(i_0_1) <= integer_of_int32(l))))

goal m_ensures_default_po_23:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  forall intP_intM_m_6:(intP,
  int32) memory.
  ("JC_70":
  (("JC_65": (0 <= integer_of_int32(i_0_0))) and
   (("JC_66": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_67": (0 <= integer_of_int32(count2))) and
     (("JC_68": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_69": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(count2) + 1)) ->
  forall count3:int32.
  (count3 = result6) ->
  forall result7:int32.
  (result7 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  forall intP_intM_m_6_0:(intP,
  int32) memory.
  (intP_intM_m_6_0 = store(intP_intM_m_6, shift(u, integer_of_int32(tmp_0)),
  result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result8) ->
  ("JC_70": ("JC_67": (0 <= integer_of_int32(count3))))

goal m_ensures_default_po_24:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  forall intP_intM_m_6:(intP,
  int32) memory.
  ("JC_70":
  (("JC_65": (0 <= integer_of_int32(i_0_0))) and
   (("JC_66": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_67": (0 <= integer_of_int32(count2))) and
     (("JC_68": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_69": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(count2) + 1)) ->
  forall count3:int32.
  (count3 = result6) ->
  forall result7:int32.
  (result7 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  forall intP_intM_m_6_0:(intP,
  int32) memory.
  (intP_intM_m_6_0 = store(intP_intM_m_6, shift(u, integer_of_int32(tmp_0)),
  result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result8) ->
  ("JC_70": ("JC_68": (integer_of_int32(count3) <= integer_of_int32(i_0_1))))

goal m_ensures_default_po_25:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  forall intP_intM_m_6:(intP,
  int32) memory.
  ("JC_70":
  (("JC_65": (0 <= integer_of_int32(i_0_0))) and
   (("JC_66": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_67": (0 <= integer_of_int32(count2))) and
     (("JC_68": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_69": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(count2) + 1)) ->
  forall count3:int32.
  (count3 = result6) ->
  forall result7:int32.
  (result7 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  forall intP_intM_m_6_0:(intP,
  int32) memory.
  (intP_intM_m_6_0 = store(intP_intM_m_6, shift(u, integer_of_int32(tmp_0)),
  result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result8) ->
  ("JC_70":
  ("JC_69": (integer_of_int32(count3) = num_of_pos(0,
  integer_of_int32(i_0_1), t_0, intP_intM_t_4))))

goal m_ensures_default_po_26:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_70":
  (("JC_65": (0 <= integer_of_int32(i_0_0))) and
   (("JC_66": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_67": (0 <= integer_of_int32(count2))) and
     (("JC_68": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_69": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) <= 0) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result6) ->
  ("JC_70": ("JC_65": (0 <= integer_of_int32(i_0_1))))

goal m_ensures_default_po_27:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_70":
  (("JC_65": (0 <= integer_of_int32(i_0_0))) and
   (("JC_66": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_67": (0 <= integer_of_int32(count2))) and
     (("JC_68": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_69": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) <= 0) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result6) ->
  ("JC_70": ("JC_66": (integer_of_int32(i_0_1) <= integer_of_int32(l))))

goal m_ensures_default_po_28:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_70":
  (("JC_65": (0 <= integer_of_int32(i_0_0))) and
   (("JC_66": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_67": (0 <= integer_of_int32(count2))) and
     (("JC_68": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_69": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) <= 0) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result6) ->
  ("JC_70": ("JC_67": (0 <= integer_of_int32(count2))))

goal m_ensures_default_po_29:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_70":
  (("JC_65": (0 <= integer_of_int32(i_0_0))) and
   (("JC_66": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_67": (0 <= integer_of_int32(count2))) and
     (("JC_68": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_69": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) <= 0) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result6) ->
  ("JC_70": ("JC_68": (integer_of_int32(count2) <= integer_of_int32(i_0_1))))

goal m_ensures_default_po_30:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_60":
  (("JC_55": (0 <= integer_of_int32(i0))) and
   (("JC_56": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_57": (0 <= integer_of_int32(count0))) and
     (("JC_58": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_59": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_70":
  (("JC_65": (0 <= integer_of_int32(i_0_0))) and
   (("JC_66": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_67": (0 <= integer_of_int32(count2))) and
     (("JC_68": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_69": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) <= 0) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result6) ->
  ("JC_70":
  ("JC_69": (integer_of_int32(count2) = num_of_pos(0,
  integer_of_int32(i_0_1), t_0, intP_intM_t_4))))

goal m_safety_po_1:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  (offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i0))

goal m_safety_po_2:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  (integer_of_int32(i0) <= offset_max(intP_t_4_alloc_table, t_0))

goal m_safety_po_3:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) > 0) ->
  ((-2147483648) <= (integer_of_int32(count0) + 1))

goal m_safety_po_4:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) > 0) ->
  ((integer_of_int32(count0) + 1) <= 2147483647)

goal m_safety_po_5:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) > 0) ->
  (((-2147483648) <= (integer_of_int32(count0) + 1)) and
   ((integer_of_int32(count0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(count0) + 1)) ->
  forall count1:int32.
  (count1 = result2) ->
  ((-2147483648) <= (integer_of_int32(i0) + 1))

goal m_safety_po_6:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) > 0) ->
  (((-2147483648) <= (integer_of_int32(count0) + 1)) and
   ((integer_of_int32(count0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(count0) + 1)) ->
  forall count1:int32.
  (count1 = result2) ->
  ((integer_of_int32(i0) + 1) <= 2147483647)

goal m_safety_po_7:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) > 0) ->
  (((-2147483648) <= (integer_of_int32(count0) + 1)) and
   ((integer_of_int32(count0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(count0) + 1)) ->
  forall count1:int32.
  (count1 = result2) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  (0 <= ("JC_37": (integer_of_int32(l) - integer_of_int32(i0))))

goal m_safety_po_8:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) > 0) ->
  (((-2147483648) <= (integer_of_int32(count0) + 1)) and
   ((integer_of_int32(count0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(count0) + 1)) ->
  forall count1:int32.
  (count1 = result2) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  (("JC_37": (integer_of_int32(l) - integer_of_int32(i1))) < ("JC_37":
                                                             (integer_of_int32(l) - integer_of_int32(i0))))

goal m_safety_po_9:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) <= 0) ->
  ((-2147483648) <= (integer_of_int32(i0) + 1))

goal m_safety_po_10:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) <= 0) ->
  ((integer_of_int32(i0) + 1) <= 2147483647)

goal m_safety_po_11:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) <= 0) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result2) ->
  (0 <= ("JC_37": (integer_of_int32(l) - integer_of_int32(i0))))

goal m_safety_po_12:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result1:int32.
  (result1 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i0)))) ->
  (integer_of_int32(result1) <= 0) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result2) ->
  (("JC_37": (integer_of_int32(l) - integer_of_int32(i1))) < ("JC_37":
                                                             (integer_of_int32(l) - integer_of_int32(i0))))

goal m_safety_po_13:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  (0 <= integer_of_int32(count0))

goal m_safety_po_14:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  (integer_of_int32(count0) <= 4294967295)

goal m_safety_po_15:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0)

goal m_safety_po_16:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  (offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0))

goal m_safety_po_17:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))

goal m_safety_po_18:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  ((-2147483648) <= (integer_of_int32(count2) + 1))

goal m_safety_po_19:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  ((integer_of_int32(count2) + 1) <= 2147483647)

goal m_safety_po_20:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  (((-2147483648) <= (integer_of_int32(count2) + 1)) and
   ((integer_of_int32(count2) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(count2) + 1)) ->
  forall count3:int32.
  (count3 = result6) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result7:int32.
  (result7 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (offset_min(intP_m_6_alloc_table0, u) <= integer_of_int32(tmp_0))

goal m_safety_po_21:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  (((-2147483648) <= (integer_of_int32(count2) + 1)) and
   ((integer_of_int32(count2) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(count2) + 1)) ->
  forall count3:int32.
  (count3 = result6) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result7:int32.
  (result7 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(tmp_0) <= offset_max(intP_m_6_alloc_table0, u))

goal m_safety_po_22:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  forall intP_intM_m_6:(intP,
  int32) memory.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  (((-2147483648) <= (integer_of_int32(count2) + 1)) and
   ((integer_of_int32(count2) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(count2) + 1)) ->
  forall count3:int32.
  (count3 = result6) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result7:int32.
  (result7 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  ((offset_min(intP_m_6_alloc_table0, u) <= integer_of_int32(tmp_0)) and
   (integer_of_int32(tmp_0) <= offset_max(intP_m_6_alloc_table0, u))) ->
  forall intP_intM_m_6_0:(intP,
  int32) memory.
  (intP_intM_m_6_0 = store(intP_intM_m_6, shift(u, integer_of_int32(tmp_0)),
  result7)) ->
  ((-2147483648) <= (integer_of_int32(i_0_0) + 1))

goal m_safety_po_23:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  forall intP_intM_m_6:(intP,
  int32) memory.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  (((-2147483648) <= (integer_of_int32(count2) + 1)) and
   ((integer_of_int32(count2) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(count2) + 1)) ->
  forall count3:int32.
  (count3 = result6) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result7:int32.
  (result7 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  ((offset_min(intP_m_6_alloc_table0, u) <= integer_of_int32(tmp_0)) and
   (integer_of_int32(tmp_0) <= offset_max(intP_m_6_alloc_table0, u))) ->
  forall intP_intM_m_6_0:(intP,
  int32) memory.
  (intP_intM_m_6_0 = store(intP_intM_m_6, shift(u, integer_of_int32(tmp_0)),
  result7)) ->
  ((integer_of_int32(i_0_0) + 1) <= 2147483647)

goal m_safety_po_24:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  forall intP_intM_m_6:(intP,
  int32) memory.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  (((-2147483648) <= (integer_of_int32(count2) + 1)) and
   ((integer_of_int32(count2) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(count2) + 1)) ->
  forall count3:int32.
  (count3 = result6) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result7:int32.
  (result7 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  ((offset_min(intP_m_6_alloc_table0, u) <= integer_of_int32(tmp_0)) and
   (integer_of_int32(tmp_0) <= offset_max(intP_m_6_alloc_table0, u))) ->
  forall intP_intM_m_6_0:(intP,
  int32) memory.
  (intP_intM_m_6_0 = store(intP_intM_m_6, shift(u, integer_of_int32(tmp_0)),
  result7)) ->
  (((-2147483648) <= (integer_of_int32(i_0_0) + 1)) and
   ((integer_of_int32(i_0_0) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result8) ->
  (0 <= ("JC_54": (integer_of_int32(l) - integer_of_int32(i_0_0))))

goal m_safety_po_25:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  forall intP_intM_m_6:(intP,
  int32) memory.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) > 0) ->
  forall tmp_0:int32.
  (tmp_0 = count2) ->
  (((-2147483648) <= (integer_of_int32(count2) + 1)) and
   ((integer_of_int32(count2) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(count2) + 1)) ->
  forall count3:int32.
  (count3 = result6) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result7:int32.
  (result7 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  ((offset_min(intP_m_6_alloc_table0, u) <= integer_of_int32(tmp_0)) and
   (integer_of_int32(tmp_0) <= offset_max(intP_m_6_alloc_table0, u))) ->
  forall intP_intM_m_6_0:(intP,
  int32) memory.
  (intP_intM_m_6_0 = store(intP_intM_m_6, shift(u, integer_of_int32(tmp_0)),
  result7)) ->
  (((-2147483648) <= (integer_of_int32(i_0_0) + 1)) and
   ((integer_of_int32(i_0_0) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result8) ->
  (("JC_54": (integer_of_int32(l) - integer_of_int32(i_0_1))) < ("JC_54":
                                                                (integer_of_int32(l) - integer_of_int32(i_0_0))))

goal m_safety_po_26:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) <= 0) ->
  ((-2147483648) <= (integer_of_int32(i_0_0) + 1))

goal m_safety_po_27:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) <= 0) ->
  ((integer_of_int32(i_0_0) + 1) <= 2147483647)

goal m_safety_po_28:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) <= 0) ->
  (((-2147483648) <= (integer_of_int32(i_0_0) + 1)) and
   ((integer_of_int32(i_0_0) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result6) ->
  (0 <= ("JC_54": (integer_of_int32(l) - integer_of_int32(i_0_0))))

goal m_safety_po_29:
  forall t_0:intP pointer.
  forall l:int32.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int32) memory.
  forall intP_m_6_alloc_table:intP alloc_table.
  ("JC_19":
  (("JC_16": (integer_of_int32(l) >= 0)) and
   (("JC_17": (offset_min(intP_t_4_alloc_table, t_0) <= 0)) and
    ("JC_18": (offset_max(intP_t_4_alloc_table,
    t_0) >= (integer_of_int32(l) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall count:int32.
  (count = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall count0:int32.
  forall i0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_25": (0 <= integer_of_int32(i0))) and
   (("JC_26": (integer_of_int32(i0) <= integer_of_int32(l))) and
    (("JC_27": (0 <= integer_of_int32(count0))) and
     (("JC_28": (integer_of_int32(count0) <= integer_of_int32(i0))) and
      ("JC_29": (integer_of_int32(count0) = num_of_pos(0,
      integer_of_int32(i0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(l)) ->
  ((0 <= integer_of_int32(count0)) and
   (integer_of_int32(count0) <= 4294967295)) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = integer_of_int32(count0)) ->
  (integer_of_uint32(result1) >= 0) ->
  forall result2:intP pointer.
  forall intP_m_6_alloc_table0:intP alloc_table.
  forall intP_m_6_tag_table:intP tag_table.
  (strict_valid_struct_intP(result2, 0, (integer_of_uint32(result1) - 1),
   intP_m_6_alloc_table0) and
   (alloc_extends(intP_m_6_alloc_table, intP_m_6_alloc_table0) and
    (alloc_fresh(intP_m_6_alloc_table, result2,
     integer_of_uint32(result1)) and instanceof(intP_m_6_tag_table, result2,
     intP_tag)))) ->
  forall u:intP pointer.
  (u = result2) ->
  forall result3:int32.
  (integer_of_int32(result3) = 0) ->
  forall count1:int32.
  (count1 = result3) ->
  forall result4:int32.
  (integer_of_int32(result4) = 0) ->
  forall i_0:int32.
  (i_0 = result4) ->
  forall count2:int32.
  forall i_0_0:int32.
  ("JC_47": true) ->
  ("JC_45":
  (("JC_40": (0 <= integer_of_int32(i_0_0))) and
   (("JC_41": (integer_of_int32(i_0_0) <= integer_of_int32(l))) and
    (("JC_42": (0 <= integer_of_int32(count2))) and
     (("JC_43": (integer_of_int32(count2) <= integer_of_int32(i_0_0))) and
      ("JC_44": (integer_of_int32(count2) = num_of_pos(0,
      integer_of_int32(i_0_0), t_0, intP_intM_t_4)))))))) ->
  (integer_of_int32(i_0_0) < integer_of_int32(l)) ->
  ((offset_min(intP_t_4_alloc_table, t_0) <= integer_of_int32(i_0_0)) and
   (integer_of_int32(i_0_0) <= offset_max(intP_t_4_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(intP_intM_t_4, shift(t_0, integer_of_int32(i_0_0)))) ->
  (integer_of_int32(result5) <= 0) ->
  (((-2147483648) <= (integer_of_int32(i_0_0) + 1)) and
   ((integer_of_int32(i_0_0) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(i_0_0) + 1)) ->
  forall i_0_1:int32.
  (i_0_1 = result6) ->
  (("JC_54": (integer_of_int32(l) - integer_of_int32(i_0_1))) < ("JC_54":
                                                                (integer_of_int32(l) - integer_of_int32(i_0_0))))

why-2.34/tests/c/oracle/isqrt.res.oracle0000644000175000017500000020623012311670312016572 0ustar  rtusers========== file tests/c/isqrt.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


#pragma JessieIntegerModel(math)

//@ logic integer sqr(integer x) = x * x;

/*@ requires x >= 0;
  @ ensures \result >= 0 && sqr(\result) <= x && x < sqr(\result + 1);
  @*/
int isqrt(int x) {
  int count = 0, sum = 1;
  /*@ loop invariant count >= 0 && x >= sqr(count) && sum == sqr(count+1);
    @ loop variant  x - count; 
    @*/
  while (sum <= x) sum += 2 * ++count + 1;
  return count;
}

//@ ensures \result == 4;
int main () {
  int r;
  r = isqrt(17);
  //@ assert r < 4 ==> \false;
  //@ assert r > 4 ==> \false;
  return r;
}

/*
Local Variables:
compile-command: "make isqrt.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/isqrt.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/isqrt.jessie
[jessie] File tests/c/isqrt.jessie/isqrt.jc written.
[jessie] File tests/c/isqrt.jessie/isqrt.cloc written.
========== file tests/c/isqrt.jessie/isqrt.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

logic integer sqr(integer x) =
(x * x)

integer isqrt(integer x)
  requires (_C_20 : (x >= 0));
behavior default:
  ensures (_C_15 : (((_C_17 : (\result >= 0)) &&
                      (_C_18 : (sqr(\result) <= \at(x,Old)))) &&
                     (_C_19 : (\at(x,Old) < sqr((\result + 1))))));
{  
   (var integer count);
   
   (var integer sum);
   
   {  (_C_1 : (count = 0));
      (_C_2 : (sum = 1));
      
      loop 
      behavior default:
        invariant (_C_4 : (((_C_6 : (count >= 0)) &&
                             (_C_7 : (x >= sqr(count)))) &&
                            (_C_8 : (sum == sqr((count + 1))))));
      variant (_C_3 : (x - count));
      while (true)
      {  
         {  (if (sum <= x) then () else 
            (goto while_0_break));
            
            {  (_C_10 : (count = (_C_9 : (count + 1))));
               (_C_14 : (sum = (_C_13 : (sum +
                                          (_C_12 : ((_C_11 : (2 * count)) +
                                                     1))))))
            }
         }
      };
      (while_0_break : ());
      
      (return count)
   }
}

integer main()
behavior default:
  ensures (_C_25 : (\result == 4));
{  
   (var integer r);
   
   {  (_C_22 : (r = (_C_21 : isqrt(17))));
      
      {  
         (assert for default: (_C_23 : (jessie : ((r < 4) ==> false))));
         ()
      };
      
      {  
         (assert for default: (_C_24 : (jessie : ((r > 4) ==> false))));
         ()
      };
      
      {  
         (return r)
      }
   }
}
========== file tests/c/isqrt.jessie/isqrt.cloc ==========
[main]
name = "Function main"
file = "HOME/tests/c/isqrt.c"
line = 50
begin = 4
end = 8

[_C_4]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 21
end = 73

[_C_23]
file = "HOME/tests/c/isqrt.c"
line = 53
begin = 13
end = 29

[_C_19]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 49
end = 69

[_C_13]
file = "HOME/tests/c/isqrt.c"
line = 45
begin = 19
end = 41

[_C_5]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 21
end = 50

[_C_12]
file = "HOME/tests/c/isqrt.c"
line = 45
begin = 26
end = 41

[_C_22]
file = "HOME/tests/c/isqrt.c"
line = 52
begin = 6
end = 15

[_C_9]
file = "HOME/tests/c/isqrt.c"
line = 45
begin = 30
end = 37

[_C_6]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 21
end = 31

[_C_24]
file = "HOME/tests/c/isqrt.c"
line = 54
begin = 13
end = 29

[_C_20]
file = "HOME/tests/c/isqrt.c"
line = 37
begin = 13
end = 19

[_C_3]
file = "HOME/tests/c/isqrt.c"
line = 43
begin = 19
end = 28

[_C_17]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 24

[_C_7]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 35
end = 50

[_C_15]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 69

[_C_10]
file = "HOME/tests/c/isqrt.c"
line = 45
begin = 30
end = 37

[_C_8]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 54
end = 73

[_C_18]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 28
end = 45

[_C_14]
file = "HOME/tests/c/isqrt.c"
line = 45
begin = 19
end = 41

[_C_2]
file = "HOME/tests/c/isqrt.c"
line = 41
begin = 2
end = 5

[_C_16]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 45

[isqrt]
name = "Function isqrt"
file = "HOME/tests/c/isqrt.c"
line = 40
begin = 4
end = 9

[_C_1]
file = "HOME/tests/c/isqrt.c"
line = 41
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/isqrt.c"
line = 49
begin = 12
end = 24

[_C_11]
file = "HOME/tests/c/isqrt.c"
line = 45
begin = 26
end = 37

[_C_21]
file = "HOME/tests/c/isqrt.c"
line = 52
begin = 6
end = 15

========== jessie execution ==========
Generating Why function isqrt
Generating Why function main
========== file tests/c/isqrt.jessie/isqrt.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs isqrt.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs isqrt.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/isqrt_why.sx

project: why/isqrt.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/isqrt_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/isqrt_why.vo

coq/isqrt_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/isqrt_why.v: why/isqrt.why
	@echo 'why -coq [...] why/isqrt.why' && $(WHY) $(JESSIELIBFILES) why/isqrt.why && rm -f coq/jessie_why.v

coq-goals: goals coq/isqrt_ctx_why.vo
	for f in why/*_po*.why; do make -f isqrt.makefile coq/`basename $$f .why`_why.v ; done

coq/isqrt_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/isqrt_ctx_why.v: why/isqrt_ctx.why
	@echo 'why -coq [...] why/isqrt_ctx.why' && $(WHY) why/isqrt_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export isqrt_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/isqrt_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/isqrt_ctx_why.vo

pvs: pvs/isqrt_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/isqrt_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/isqrt_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/isqrt_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/isqrt_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/isqrt_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/isqrt_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/isqrt_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/isqrt_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/isqrt_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/isqrt_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/isqrt_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/isqrt_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/isqrt_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/isqrt_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: isqrt.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/isqrt_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: isqrt.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: isqrt.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: isqrt.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include isqrt.depend

depend: coq/isqrt_why.v
	-$(COQDEP) -I coq coq/isqrt*_why.v > isqrt.depend

clean:
	rm -f coq/*.vo

========== file tests/c/isqrt.jessie/isqrt.loc ==========
[main_safety]
name = "Function main"
behavior = "Safety"
file = "HOME/tests/c/isqrt.c"
line = 50
begin = 4
end = 8

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 54
end = 73

[JC_23]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 21
end = 31

[JC_22]
file = "HOME/tests/c/isqrt.c"
line = 43
begin = 19
end = 28

[JC_5]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 24

[JC_9]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 24

[JC_24]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 35
end = 50

[JC_25]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 54
end = 73

[JC_41]
kind = UserCall
file = "HOME/tests/c/isqrt.c"
line = 52
begin = 6
end = 15

[JC_26]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 21
end = 73

[JC_8]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 69

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[isqrt_ensures_default]
name = "Function isqrt"
behavior = "default behavior"
file = "HOME/tests/c/isqrt.c"
line = 40
begin = 4
end = 9

[JC_11]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 49
end = 69

[JC_15]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 21
end = 31

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/c/isqrt.c"
line = 53
begin = 13
end = 29

[JC_40]
file = "HOME/tests/c/isqrt.c"
line = 54
begin = 13
end = 29

[JC_35]
file = "HOME/tests/c/isqrt.c"
line = 49
begin = 12
end = 24

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
kind = UserCall
file = "HOME/tests/c/isqrt.c"
line = 52
begin = 6
end = 15

[JC_12]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 12
end = 69

[JC_6]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 28
end = 45

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/c/isqrt.c"
line = 53
begin = 13
end = 29

[main_ensures_default]
name = "Function main"
behavior = "default behavior"
file = "HOME/tests/c/isqrt.c"
line = 50
begin = 4
end = 8

[JC_32]
file = "HOME/tests/c/isqrt.c"
line = 50
begin = 4
end = 8

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/c/isqrt.jessie/isqrt.jc"
line = 46
begin = 6
end = 642

[JC_7]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 49
end = 69

[JC_16]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 35
end = 50

[JC_43]
file = "HOME/tests/c/isqrt.c"
line = 54
begin = 13
end = 29

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/c/isqrt.c"
line = 49
begin = 12
end = 24

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/c/isqrt.jessie/isqrt.jc"
line = 46
begin = 6
end = 642

[JC_1]
file = "HOME/tests/c/isqrt.c"
line = 37
begin = 13
end = 19

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/tests/c/isqrt.c"
line = 38
begin = 28
end = 45

[isqrt_safety]
name = "Function isqrt"
behavior = "Safety"
file = "HOME/tests/c/isqrt.c"
line = 40
begin = 4
end = 9

[JC_20]
file = "HOME/tests/c/isqrt.jessie/isqrt.jc"
line = 46
begin = 6
end = 642

[JC_18]
file = "HOME/tests/c/isqrt.c"
line = 42
begin = 21
end = 73

[JC_3]
file = "HOME/tests/c/isqrt.c"
line = 37
begin = 13
end = 19

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/c/isqrt.c"
line = 50
begin = 4
end = 8

[JC_28]
file = "HOME/tests/c/isqrt.jessie/isqrt.jc"
line = 46
begin = 6
end = 642

========== file tests/c/isqrt.jessie/why/isqrt.why ==========
type charP

type padding

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

function sqr(x_0:int) : int = mul_int(x_0, x_0)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter isqrt :
 x_1:int ->
  { } int
  { (JC_12:
    ((JC_9: ge_int(result, (0)))
    and ((JC_10: le_int(sqr(result), x_1))
        and (JC_11: lt_int(x_1, sqr(add_int(result, (1)))))))) }

parameter isqrt_requires :
 x_1:int ->
  { (JC_1: ge_int(x_1, (0)))} int
  { (JC_12:
    ((JC_9: ge_int(result, (0)))
    and ((JC_10: le_int(sqr(result), x_1))
        and (JC_11: lt_int(x_1, sqr(add_int(result, (1)))))))) }

parameter main : tt:unit -> { } int { (JC_35: (result = (4))) }

parameter main_requires : tt:unit -> { } int { (JC_35: (result = (4))) }

let isqrt_ensures_default =
 fun (x_1 : int) ->
  { (JC_3: ge_int(x_1, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let count = ref (any_int void) in
     (let sum = ref (any_int void) in
     try
      begin
        (let _jessie_ = (count := (0)) in void);
       (let _jessie_ = (sum := (1)) in void);
       (loop_2:
       begin
         while true do
         { invariant
             (JC_26:
             ((JC_23: ge_int(count, (0)))
             and ((JC_24: ge_int(x_1, sqr(count)))
                 and (JC_25: (sum = sqr(add_int(count, (1))))))))  }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((le_int_ !sum) x_1) then void
                else (raise (Goto_while_0_break_exc void)));
               (let _jessie_ = (count := ((add_int !count) (1))) in void);
               (sum := ((add_int !sum) ((add_int ((mul_int (2)) !count)) (1))));
               !sum end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !count); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_8:
    ((JC_5: ge_int(result, (0)))
    and ((JC_6: le_int(sqr(result), x_1))
        and (JC_7: lt_int(x_1, sqr(add_int(result, (1)))))))) }

let isqrt_safety =
 fun (x_1 : int) ->
  { (JC_3: ge_int(x_1, (0))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let count = ref (any_int void) in
     (let sum = ref (any_int void) in
     try
      begin
        (let _jessie_ = (count := (0)) in void);
       (let _jessie_ = (sum := (1)) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_20: true) variant (JC_22 : sub_int(x_1, count)) }
          begin
            [ { } unit reads count,sum
              { (JC_18:
                ((JC_15: ge_int(count, (0)))
                and ((JC_16: ge_int(x_1, sqr(count)))
                    and (JC_17: (sum = sqr(add_int(count, (1)))))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((le_int_ !sum) x_1) then void
                else (raise (Goto_while_0_break_exc void)));
               (let _jessie_ = (count := ((add_int !count) (1))) in void);
               (sum := ((add_int !sum) ((add_int ((mul_int (2)) !count)) (1))));
               !sum end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !count); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true }

let main_ensures_default =
 fun (tt : unit) ->
  { (JC_33: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (any_int void) in
     begin
       (let _jessie_ =
       (r := (let _jessie_ = (17) in (JC_41: (isqrt _jessie_)))) in void);
      (assert { (JC_42: (lt_int(r, (4)) -> (false = true))) }; void); void;
      (assert { (JC_43: (gt_int(r, (4)) -> (false = true))) }; void); void;
      (return := !r); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_34: (result = (4))) }

let main_safety =
 fun (tt : unit) ->
  { (JC_33: true) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (any_int void) in
     begin
       (let _jessie_ =
       (r := (let _jessie_ = (17) in (JC_38: (isqrt_requires _jessie_)))) in
       void);
      [ { } unit reads r { (JC_39: (lt_int(r, (4)) -> (false = true))) } ];
      void;
      [ { } unit reads r { (JC_40: (gt_int(r, (4)) -> (false = true))) } ];
      void; (return := !r); (raise Return) end); absurd  end with Return ->
   !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/isqrt.why
========== file tests/c/isqrt.jessie/why/isqrt_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type padding

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

function sqr(x_0: int) : int = (x_0 * x_0)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal isqrt_ensures_default_po_1:
  forall x_1:int.
  ("JC_3": (x_1 >= 0)) ->
  forall count:int.
  (count = 0) ->
  forall sum:int.
  (sum = 1) ->
  ("JC_26": ("JC_23": (count >= 0)))

goal isqrt_ensures_default_po_2:
  forall x_1:int.
  ("JC_3": (x_1 >= 0)) ->
  forall count:int.
  (count = 0) ->
  forall sum:int.
  (sum = 1) ->
  ("JC_26": ("JC_24": (x_1 >= sqr(count))))

goal isqrt_ensures_default_po_3:
  forall x_1:int.
  ("JC_3": (x_1 >= 0)) ->
  forall count:int.
  (count = 0) ->
  forall sum:int.
  (sum = 1) ->
  ("JC_26": ("JC_25": (sum = sqr((count + 1)))))

goal isqrt_ensures_default_po_4:
  forall x_1:int.
  ("JC_3": (x_1 >= 0)) ->
  forall count:int.
  (count = 0) ->
  forall sum:int.
  (sum = 1) ->
  forall count0:int.
  forall sum0:int.
  ("JC_26":
  (("JC_23": (count0 >= 0)) and
   (("JC_24": (x_1 >= sqr(count0))) and ("JC_25": (sum0 = sqr((count0 + 1))))))) ->
  (sum0 <= x_1) ->
  forall count1:int.
  (count1 = (count0 + 1)) ->
  forall sum1:int.
  (sum1 = (sum0 + ((2 * count1) + 1))) ->
  ("JC_26": ("JC_23": (count1 >= 0)))

goal isqrt_ensures_default_po_5:
  forall x_1:int.
  ("JC_3": (x_1 >= 0)) ->
  forall count:int.
  (count = 0) ->
  forall sum:int.
  (sum = 1) ->
  forall count0:int.
  forall sum0:int.
  ("JC_26":
  (("JC_23": (count0 >= 0)) and
   (("JC_24": (x_1 >= sqr(count0))) and ("JC_25": (sum0 = sqr((count0 + 1))))))) ->
  (sum0 <= x_1) ->
  forall count1:int.
  (count1 = (count0 + 1)) ->
  forall sum1:int.
  (sum1 = (sum0 + ((2 * count1) + 1))) ->
  ("JC_26": ("JC_24": (x_1 >= sqr(count1))))

goal isqrt_ensures_default_po_6:
  forall x_1:int.
  ("JC_3": (x_1 >= 0)) ->
  forall count:int.
  (count = 0) ->
  forall sum:int.
  (sum = 1) ->
  forall count0:int.
  forall sum0:int.
  ("JC_26":
  (("JC_23": (count0 >= 0)) and
   (("JC_24": (x_1 >= sqr(count0))) and ("JC_25": (sum0 = sqr((count0 + 1))))))) ->
  (sum0 <= x_1) ->
  forall count1:int.
  (count1 = (count0 + 1)) ->
  forall sum1:int.
  (sum1 = (sum0 + ((2 * count1) + 1))) ->
  ("JC_26": ("JC_25": (sum1 = sqr((count1 + 1)))))

goal isqrt_ensures_default_po_7:
  forall x_1:int.
  ("JC_3": (x_1 >= 0)) ->
  forall count:int.
  (count = 0) ->
  forall sum:int.
  (sum = 1) ->
  forall count0:int.
  forall sum0:int.
  ("JC_26":
  (("JC_23": (count0 >= 0)) and
   (("JC_24": (x_1 >= sqr(count0))) and ("JC_25": (sum0 = sqr((count0 + 1))))))) ->
  (sum0 > x_1) ->
  forall return:int.
  (return = count0) ->
  ("JC_8": ("JC_5": (return >= 0)))

goal isqrt_ensures_default_po_8:
  forall x_1:int.
  ("JC_3": (x_1 >= 0)) ->
  forall count:int.
  (count = 0) ->
  forall sum:int.
  (sum = 1) ->
  forall count0:int.
  forall sum0:int.
  ("JC_26":
  (("JC_23": (count0 >= 0)) and
   (("JC_24": (x_1 >= sqr(count0))) and ("JC_25": (sum0 = sqr((count0 + 1))))))) ->
  (sum0 > x_1) ->
  forall return:int.
  (return = count0) ->
  ("JC_8": ("JC_6": (sqr(return) <= x_1)))

goal isqrt_ensures_default_po_9:
  forall x_1:int.
  ("JC_3": (x_1 >= 0)) ->
  forall count:int.
  (count = 0) ->
  forall sum:int.
  (sum = 1) ->
  forall count0:int.
  forall sum0:int.
  ("JC_26":
  (("JC_23": (count0 >= 0)) and
   (("JC_24": (x_1 >= sqr(count0))) and ("JC_25": (sum0 = sqr((count0 + 1))))))) ->
  (sum0 > x_1) ->
  forall return:int.
  (return = count0) ->
  ("JC_8": ("JC_7": (x_1 < sqr((return + 1)))))

goal isqrt_safety_po_1:
  forall x_1:int.
  ("JC_3": (x_1 >= 0)) ->
  forall count:int.
  (count = 0) ->
  forall sum:int.
  (sum = 1) ->
  forall count0:int.
  forall sum0:int.
  ("JC_20": true) ->
  ("JC_18":
  (("JC_15": (count0 >= 0)) and
   (("JC_16": (x_1 >= sqr(count0))) and ("JC_17": (sum0 = sqr((count0 + 1))))))) ->
  (sum0 <= x_1) ->
  forall count1:int.
  (count1 = (count0 + 1)) ->
  forall sum1:int.
  (sum1 = (sum0 + ((2 * count1) + 1))) ->
  (0 <= ("JC_22": (x_1 - count0)))

goal isqrt_safety_po_2:
  forall x_1:int.
  ("JC_3": (x_1 >= 0)) ->
  forall count:int.
  (count = 0) ->
  forall sum:int.
  (sum = 1) ->
  forall count0:int.
  forall sum0:int.
  ("JC_20": true) ->
  ("JC_18":
  (("JC_15": (count0 >= 0)) and
   (("JC_16": (x_1 >= sqr(count0))) and ("JC_17": (sum0 = sqr((count0 + 1))))))) ->
  (sum0 <= x_1) ->
  forall count1:int.
  (count1 = (count0 + 1)) ->
  forall sum1:int.
  (sum1 = (sum0 + ((2 * count1) + 1))) ->
  (("JC_22": (x_1 - count1)) < ("JC_22": (x_1 - count0)))

goal main_ensures_default_po_1:
  ("JC_33": true) ->
  forall result:int.
  ("JC_12":
  (("JC_9": (result >= 0)) and
   (("JC_10": (sqr(result) <= 17)) and ("JC_11": (17 < sqr((result + 1))))))) ->
  forall r:int.
  (r = result) ->
  (r < 4) ->
  ("JC_42": (false = true))

goal main_ensures_default_po_2:
  ("JC_33": true) ->
  forall result:int.
  ("JC_12":
  (("JC_9": (result >= 0)) and
   (("JC_10": (sqr(result) <= 17)) and ("JC_11": (17 < sqr((result + 1))))))) ->
  forall r:int.
  (r = result) ->
  ("JC_42": ((r < 4) -> (false = true))) ->
  (r > 4) ->
  ("JC_43": (false = true))

goal main_ensures_default_po_3:
  ("JC_33": true) ->
  forall result:int.
  ("JC_12":
  (("JC_9": (result >= 0)) and
   (("JC_10": (sqr(result) <= 17)) and ("JC_11": (17 < sqr((result + 1))))))) ->
  forall r:int.
  (r = result) ->
  ("JC_42": ((r < 4) -> (false = true))) ->
  ("JC_43": ((r > 4) -> (false = true))) ->
  forall return:int.
  (return = r) ->
  ("JC_34": (return = 4))

goal main_safety_po_1:
  ("JC_33": true) ->
  ("JC_1": (17 >= 0))

why-2.34/tests/c/oracle/double_rounding_strict_model.err.oracle0000644000175000017500000000000012311670312023341 0ustar  rtuserswhy-2.34/tests/c/oracle/sparse_array2.res.oracle0000644000175000017500000274664212311670312020227 0ustar  rtusers========== file tests/c/sparse_array2.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned int size_t;
void *malloc(size_t size);
void *calloc(size_t nmemb, size_t size);

typedef unsigned int uint;

#define DEFAULT 0

typedef struct SparseArray {
  int *val;
  uint *idx, *back;
  uint n;
  uint sz; // inutile ?
} *sparse_array;

/*@ predicate is_elt{L}(sparse_array a, integer i) =
  @      0 <= a->idx[i] < a->n
  @   && a->back[a->idx[i]] == i
  @ ;
  @*/

/*@ axiomatic Model {
  @   logic integer model{L}(sparse_array a,integer i);
  @   axiom model_in: \forall sparse_array a, integer i;
  @     is_elt(a,i) ==> model(a,i) == a->val[i];
  @   axiom model_out: \forall sparse_array a, integer i;
  @     !is_elt(a,i) ==> model(a,i) == DEFAULT;
  @}
  @*/

/*@ predicate inv(sparse_array a) =
  @   \valid(a) &&
  @   0 <= a->n <= a-> sz &&
  @   \valid(a->val+(0..a->sz-1)) &&
  @   \valid(a->idx+(0..a->sz-1)) &&
  @   \valid(a->back+(0..a->sz-1)) &&
  @   \forall integer i; 0 <= i < a->n ==>  
  @      0 <= a->back[i] < a->sz && a->idx[a->back[i]] == i;
  @*/


/*@ requires sz >= 0;
  @ assigns \nothing;
  @ ensures \fresh(\result,sizeof(struct Sparse_array));
  @ ensures inv(\result);
  @ ensures \result->sz == sz;
  @ ensures \forall integer i; model(\result,i) == DEFAULT;
  @*/
sparse_array create(uint sz) {
  sparse_array a = (sparse_array)malloc(sizeof(struct SparseArray));
  a->val = (int*)calloc(sz,sizeof(int));
  a->idx = (uint*)calloc(sz,sizeof(uint));
  a->back = (uint*)calloc(sz,sizeof(uint));
  a->n = 0;
  a->sz = sz; // inutile ?
  return a;
}

/*@ requires \valid(a);
  @ requires inv(a);
  @ requires i <= a->sz - 1;
  @ assigns \nothing;
  @ ensures \result == model(a,i);
  @*/
int get(sparse_array a, uint i) {
  // note: 0 <= a->idx[i] holds because of type uint
  //@ assert 0 <= a->idx[i];
  if (a->idx[i] < a->n && 
      a->back[a->idx[i]] == i) return a->val[i];
  else return 0;
}

/*@ requires \valid(a);
  @ requires inv(a);
  @ requires i <= a->sz - 1;
  @ assigns a->val[i],a->idx[..],a->back[..], a->n;
  @ ensures inv(a);
  @ ensures model(a,i) == v;
  @ ensures \forall integer j; j != i ==> 
  @    model(a,j) == \old(model(a,j)); 
  @*/
void set(sparse_array a, uint i, int v) {
  a->val[i] = v;
  if (!(a->idx[i] < a->n && a-> back[a->idx[i]] == i)) {
    //@ assert a->n < a->sz;
    a->idx[i] = a->n; a->back[a->n] = i; a->n++;
  }
}



int main() {
  sparse_array a = create(10), b = create(20);
  int x,y;
  x = get(a,5); y = get(b,7);
  //@ assert x == 0 && y == 0;
  set(a,5,1); set(b,7,2);
  x = get(a,5); y = get(b,7);
  //@ assert x == 1 && y == 2;
  x = get(a,0); y = get(b,0);
  //@ assert x == 0 && y == 0;
  return 0;
}





/*
Local Variables:
compile-command: "make sparse_array2.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/sparse_array2.c"
[jessie] Starting Jessie translation
tests/c/sparse_array2.c:123:[kernel] warning: Neither code nor specification for function calloc, generating default assigns from the prototype
tests/c/sparse_array2.c:123:[kernel] warning: Neither code nor specification for function malloc, generating default assigns from the prototype
[jessie] Producing Jessie files in subdir tests/c/sparse_array2.jessie
[jessie] File tests/c/sparse_array2.jessie/sparse_array2.jc written.
[jessie] File tests/c/sparse_array2.jessie/sparse_array2.cloc written.
========== file tests/c/sparse_array2.jessie/sparse_array2.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type uint32 = 0..4294967295

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag unsigned_intP = {
  uint32 unsigned_intM: 32;
}

type unsigned_intP = [unsigned_intP]

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

tag SparseArray = {
  intP[..] val: 32; 
  unsigned_intP[..] idx: 32; 
  unsigned_intP[..] back: 32; 
  uint32 n_1: 32; 
  uint32 sz_0: 32;
}

type SparseArray = [SparseArray]

charP[..] calloc(uint32 nmemb, uint32 size_0)
behavior default:
  assigns \nothing;
  ensures (_C_1 : true);
;

predicate is_elt{L}(SparseArray[..] a, integer i_1) =
(((0 <= (a.idx + i_1).unsigned_intM) &&
   ((a.idx + i_1).unsigned_intM < a.n_1)) &&
  ((a.back + (a.idx + i_1).unsigned_intM).unsigned_intM == i_1))

axiomatic Model {

  logic integer model{L}(SparseArray[..] a_0, integer i_2)
   
  axiom model_in{L} :
  (\forall SparseArray[..] a_1;
    (\forall integer i_3;
      (is_elt{L}(a_1, i_3) ==> (model{L}(a_1, i_3) == (a_1.val + i_3).intM))))
   
  axiom model_out{L} :
  (\forall SparseArray[..] a_2;
    (\forall integer i_4;
      ((! is_elt{L}(a_2, i_4)) ==> (model{L}(a_2, i_4) == 0))))
  
}

predicate inv{L}(SparseArray[..] a_3) =
\at((((((((\offset_min(a_3) <= 0) && (\offset_max(a_3) >= 0)) &&
          ((0 <= a_3.n_1) && (a_3.n_1 <= a_3.sz_0))) &&
         ((\offset_min(a_3.val) <= 0) &&
           (\offset_max(a_3.val) >= (a_3.sz_0 - 1)))) &&
        ((\offset_min(a_3.idx) <= 0) &&
          (\offset_max(a_3.idx) >= (a_3.sz_0 - 1)))) &&
       ((\offset_min(a_3.back) <= 0) &&
         (\offset_max(a_3.back) >= (a_3.sz_0 - 1)))) &&
      (\forall integer i_5;
        (((0 <= i_5) && (i_5 < a_3.n_1)) ==>
          (((0 <= (a_3.back + i_5).unsigned_intM) &&
             ((a_3.back + i_5).unsigned_intM < a_3.sz_0)) &&
            ((a_3.idx + (a_3.back + i_5).unsigned_intM).unsigned_intM == i_5))))),L)

SparseArray[..] create(uint32 sz)
  requires (_C_24 : (sz >= 0));
behavior default:
  assigns \nothing;
  ensures (_C_17 : ((_C_18 : \fresh(\result)) &&
                     ((_C_20 : inv{Here}(\result)) &&
                       ((_C_22 : (\result.sz_0 == \at(sz,Old))) &&
                         (_C_23 : (\forall integer i_6;
                                    (model{Here}(\result, i_6) == 0)))))));
{  
   (var SparseArray[..] a_1);
   
   {  (_C_3 : (a_1 = (_C_2 : (new SparseArray[1]))));
      (_C_6 : ((_C_5 : a_1.val) = (_C_4 : (new intP[sz]))));
      (_C_9 : ((_C_8 : a_1.idx) = (_C_7 : (new unsigned_intP[sz]))));
      (_C_12 : ((_C_11 : a_1.back) = (_C_10 : (new unsigned_intP[sz]))));
      (_C_14 : ((_C_13 : a_1.n_1) = 0));
      (_C_16 : ((_C_15 : a_1.sz_0) = sz));
      
      (return a_1)
   }
}

int32 get(SparseArray[..] a, uint32 i)
  requires (_C_45 : ((_C_46 : (\offset_min(a) <= 0)) &&
                      (_C_47 : (\offset_max(a) >= 0))));
  requires (_C_44 : inv{Here}(a));
  requires (_C_43 : (i <= (a.sz_0 - 1)));
behavior default:
  assigns \nothing;
  ensures (_C_42 : (\result == model{Here}(\at(a,Old), \at(i,Old))));
{  
   (var int32 __retres);
   
   {  
      {  
         (assert for default: (_C_25 : (jessie : (0 <=
                                                   (a.idx + i).unsigned_intM))));
         ()
      };
      
      {  (if ((_C_41 : (_C_40 : ((_C_39 : a.idx) + i)).unsigned_intM) <
               (_C_38 : a.n_1)) then (if ((_C_37 : (_C_36 : ((_C_35 : a.back) +
                                                              (_C_34 : 
                                                              (_C_33 : 
                                                              ((_C_32 : a.idx) +
                                                                i)).unsigned_intM))).unsigned_intM) ==
                                           i) then 
                                     {  (_C_31 : (__retres = (_C_30 : 
                                                             (_C_29 : 
                                                             ((_C_28 : a.val) +
                                                               i)).intM)));
                                        
                                        (goto return_label)
                                     } else 
                                     {  (_C_27 : (__retres = 0));
                                        
                                        (goto return_label)
                                     }) else 
         {  (_C_26 : (__retres = 0));
            
            (goto return_label)
         });
         (return_label : 
         (return __retres))
      }
   }
}

unit set(SparseArray[..] a_0, uint32 i_0, int32 v)
  requires (_C_85 : ((_C_86 : (\offset_min(a_0) <= 0)) &&
                      (_C_87 : (\offset_max(a_0) >= 0))));
  requires (_C_84 : inv{Here}(a_0));
  requires (_C_83 : (i_0 <= (a_0.sz_0 - 1)));
behavior default:
  assigns (a_0.val + i_0).intM,
  (a_0.idx + [..]).unsigned_intM,
  (a_0.back + [..]).unsigned_intM,
  a_0.n_1;
  ensures (_C_78 : ((_C_79 : inv{Here}(\at(a_0,Old))) &&
                     ((_C_81 : (model{Here}(\at(a_0,Old), \at(i_0,Old)) ==
                                 \at(v,Old))) &&
                       (_C_82 : (\forall integer j_0;
                                  ((j_0 != \at(i_0,Old)) ==>
                                    (model{Here}(\at(a_0,Old), j_0) ==
                                      \at(model{Old}(a_0, j_0),Old))))))));
{  
   {  (_C_51 : ((_C_50 : (_C_49 : ((_C_48 : a_0.val) + i_0)).intM) = v));
      (if ((_C_61 : (_C_60 : ((_C_59 : a_0.idx) + i_0)).unsigned_intM) <
            (_C_58 : a_0.n_1)) then (if ((_C_57 : (_C_56 : ((_C_55 : a_0.back) +
                                                             (_C_54 : 
                                                             (_C_53 : 
                                                             ((_C_52 : a_0.idx) +
                                                               i_0)).unsigned_intM))).unsigned_intM) ==
                                          i_0) then () else 
                                    (goto _LAND)) else 
      (goto _LAND));
      
      (goto _LAND_0);
      (_LAND : 
      {  
         {  
            (assert for default: (_C_62 : (jessie : (a_0.n_1 < a_0.sz_0))));
            ()
         };
         (_C_67 : ((_C_66 : (_C_65 : ((_C_64 : a_0.idx) + i_0)).unsigned_intM) = 
         (_C_63 : a_0.n_1)));
         (_C_72 : ((_C_71 : (_C_70 : ((_C_69 : a_0.back) + (_C_68 : a_0.n_1))).unsigned_intM) = i_0));
         (_C_77 : ((_C_76 : a_0.n_1) = (_C_75 : ((_C_74 : ((_C_73 : a_0.n_1) +
                                                            1)) :> uint32))))
      });
      (_LAND_0 : ());
      
      (return ())
   }
}

int32 main()
behavior default:
  ensures (_C_110 : true);
{  
   (var SparseArray[..] a_2);
   
   (var SparseArray[..] b);
   
   (var int32 x);
   
   (var int32 y);
   
   (var int32 __retres_0);
   
   {  (_C_89 : (a_2 = (_C_88 : create(10))));
      (_C_91 : (b = (_C_90 : create(20))));
      (_C_93 : (x = (_C_92 : get(a_2, 5))));
      (_C_95 : (y = (_C_94 : get(b, 7))));
      
      {  
         (assert for default: (_C_96 : (jessie : ((x == 0) && (y == 0)))));
         ()
      };
      (_C_97 : set(a_2, 5, 1));
      (_C_98 : set(b, 7, 2));
      (_C_100 : (x = (_C_99 : get(a_2, 5))));
      (_C_102 : (y = (_C_101 : get(b, 7))));
      
      {  
         (assert for default: (_C_103 : (jessie : ((x == 1) && (y == 2)))));
         ()
      };
      (_C_105 : (x = (_C_104 : get(a_2, 0))));
      (_C_107 : (y = (_C_106 : get(b, 0))));
      
      {  
         (assert for default: (_C_108 : (jessie : ((x == 0) && (y == 0)))));
         ()
      };
      (_C_109 : (__retres_0 = 0));
      
      (return __retres_0)
   }
}
========== file tests/c/sparse_array2.jessie/sparse_array2.cloc ==========
[_C_52]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 37
end = 43

[_C_35]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 6
end = 13

[_C_56]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 28
end = 36

[_C_28]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 38
end = 44

[_C_72]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 38
end = 39

[_C_59]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 8
end = 14

[_C_48]
file = "HOME/tests/c/sparse_array2.c"
line = 114
begin = 2
end = 8

[_C_51]
file = "HOME/tests/c/sparse_array2.c"
line = 114
begin = 14
end = 15

[model_out]
name = "Lemma model_out"
file = "HOME/tests/c/sparse_array2.c"
line = 57
begin = 6
end = 99

[main]
name = "Function main"
file = "HOME/tests/c/sparse_array2.c"
line = 123
begin = 4
end = 8

[_C_103]
file = "HOME/tests/c/sparse_array2.c"
line = 130
begin = 13
end = 29

[_C_31]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 31
end = 48

[_C_108]
file = "HOME/tests/c/sparse_array2.c"
line = 132
begin = 13
end = 29

[_C_77]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 47

[_C_83]
file = "HOME/tests/c/sparse_array2.c"
line = 106
begin = 13
end = 27

[_C_41]
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 6
end = 15

[_C_4]
file = "HOME/tests/c/sparse_array2.c"
line = 82
begin = 17
end = 39

[_C_101]
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 20
end = 28

[_C_71]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 38
end = 39

[_C_70]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 22
end = 29

[_C_89]
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 19
end = 29

[_C_90]
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 35
end = 45

[_C_61]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 8
end = 17

[_C_69]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 22
end = 29

[_C_32]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 14
end = 20

[_C_23]
file = "HOME/tests/c/sparse_array2.c"
line = 78
begin = 12
end = 52

[_C_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_42]
file = "HOME/tests/c/sparse_array2.c"
line = 94
begin = 12
end = 33

[_C_82]
file = "HOME/tests/c/sparse_array2.c"
line = 110
begin = 12
end = 79

[_C_110]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_94]
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 20
end = 28

[_C_84]
file = "HOME/tests/c/sparse_array2.c"
line = 105
begin = 13
end = 19

[_C_13]
file = "HOME/tests/c/sparse_array2.c"
line = 85
begin = 9
end = 10

[_C_5]
file = "HOME/tests/c/sparse_array2.c"
line = 82
begin = 17
end = 39

[_C_91]
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 35
end = 45

[_C_36]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 6
end = 13

[_C_12]
file = "HOME/tests/c/sparse_array2.c"
line = 84
begin = 19
end = 42

[_C_33]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 14
end = 20

[_C_79]
file = "HOME/tests/c/sparse_array2.c"
line = 108
begin = 12
end = 18

[_C_104]
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 6
end = 14

[_C_85]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 13
end = 22

[_C_22]
file = "HOME/tests/c/sparse_array2.c"
line = 77
begin = 12
end = 29

[_C_65]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 4
end = 10

[_C_9]
file = "HOME/tests/c/sparse_array2.c"
line = 83
begin = 18
end = 41

[_C_57]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 28
end = 47

[_C_54]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 37
end = 46

[_C_30]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 38
end = 47

[_C_63]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 16
end = 20

[_C_6]
file = "HOME/tests/c/sparse_array2.c"
line = 82
begin = 17
end = 39

[model_in]
name = "Lemma model_in"
file = "HOME/tests/c/sparse_array2.c"
line = 55
begin = 6
end = 105

[_C_64]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 4
end = 10

[_C_95]
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 20
end = 28

[_C_93]
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 6
end = 14

[_C_102]
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 20
end = 28

[_C_49]
file = "HOME/tests/c/sparse_array2.c"
line = 114
begin = 2
end = 8

[_C_24]
file = "HOME/tests/c/sparse_array2.c"
line = 73
begin = 13
end = 20

[_C_45]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 13
end = 22

[_C_97]
file = "HOME/tests/c/sparse_array2.c"
line = 128
begin = 2
end = 12

[_C_20]
file = "HOME/tests/c/sparse_array2.c"
line = 76
begin = 12
end = 24

[_C_73]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 45

[_C_96]
file = "HOME/tests/c/sparse_array2.c"
line = 127
begin = 13
end = 29

[_C_38]
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 18
end = 22

[_C_3]
file = "HOME/tests/c/sparse_array2.c"
line = 81
begin = 33
end = 67

[_C_98]
file = "HOME/tests/c/sparse_array2.c"
line = 128
begin = 14
end = 24

[_C_109]
file = "HOME/tests/c/sparse_array2.c"
line = 133
begin = 2
end = 11

[_C_92]
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 6
end = 14

[_C_81]
file = "HOME/tests/c/sparse_array2.c"
line = 109
begin = 12
end = 27

[get]
name = "Function get"
file = "HOME/tests/c/sparse_array2.c"
line = 96
begin = 4
end = 7

[_C_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_7]
file = "HOME/tests/c/sparse_array2.c"
line = 83
begin = 18
end = 41

[_C_86]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 13
end = 22

[_C_62]
file = "HOME/tests/c/sparse_array2.c"
line = 116
begin = 15
end = 27

[_C_55]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 28
end = 36

[_C_27]
file = "HOME/tests/c/sparse_array2.c"
line = 101
begin = 7
end = 16

[set]
name = "Function set"
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[_C_105]
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 6
end = 14

[_C_87]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 13
end = 22

[_C_46]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 13
end = 22

[_C_44]
file = "HOME/tests/c/sparse_array2.c"
line = 91
begin = 13
end = 19

[_C_15]
file = "HOME/tests/c/sparse_array2.c"
line = 86
begin = 10
end = 12

[_C_99]
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 6
end = 14

[_C_26]
file = "HOME/tests/c/sparse_array2.c"
line = 101
begin = 7
end = 16

[_C_47]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 13
end = 22

[_C_10]
file = "HOME/tests/c/sparse_array2.c"
line = 84
begin = 19
end = 42

[_C_68]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 30
end = 34

[_C_60]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 8
end = 14

[_C_53]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 37
end = 43

[_C_40]
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 6
end = 12

[_C_58]
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 20
end = 24

[_C_8]
file = "HOME/tests/c/sparse_array2.c"
line = 83
begin = 18
end = 41

[_C_66]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 16
end = 20

[_C_18]
file = "HOME/tests/c/sparse_array2.c"
line = 75
begin = 12
end = 55

[_C_29]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 38
end = 44

[_C_75]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 47

[create]
name = "Function create"
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[_C_14]
file = "HOME/tests/c/sparse_array2.c"
line = 85
begin = 9
end = 10

[_C_106]
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 20
end = 28

[_C_50]
file = "HOME/tests/c/sparse_array2.c"
line = 114
begin = 14
end = 15

[_C_37]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 6
end = 24

[_C_43]
file = "HOME/tests/c/sparse_array2.c"
line = 92
begin = 13
end = 27

[_C_107]
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 20
end = 28

[_C_88]
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 19
end = 29

[_C_100]
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 6
end = 14

[_C_2]
file = "HOME/tests/c/sparse_array2.c"
line = 81
begin = 33
end = 67

[_C_34]
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 14
end = 23

[_C_67]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 16
end = 20

[_C_16]
file = "HOME/tests/c/sparse_array2.c"
line = 86
begin = 10
end = 12

[_C_1]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_76]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 47

[_C_25]
file = "HOME/tests/c/sparse_array2.c"
line = 98
begin = 13
end = 27

[_C_39]
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 6
end = 12

[_C_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_74]
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 47

[_C_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_11]
file = "HOME/tests/c/sparse_array2.c"
line = 84
begin = 19
end = 42

[_C_21]
file = "HOME/"
line = 0
begin = -1
end = -1

========== jessie execution ==========
Generating Why function create
Generating Why function get
Generating Why function set
Generating Why function main
========== file tests/c/sparse_array2.jessie/sparse_array2.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs sparse_array2.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs sparse_array2.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/sparse_array2_why.sx

project: why/sparse_array2.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/sparse_array2_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/sparse_array2_why.vo

coq/sparse_array2_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/sparse_array2_why.v: why/sparse_array2.why
	@echo 'why -coq [...] why/sparse_array2.why' && $(WHY) $(JESSIELIBFILES) why/sparse_array2.why && rm -f coq/jessie_why.v

coq-goals: goals coq/sparse_array2_ctx_why.vo
	for f in why/*_po*.why; do make -f sparse_array2.makefile coq/`basename $$f .why`_why.v ; done

coq/sparse_array2_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/sparse_array2_ctx_why.v: why/sparse_array2_ctx.why
	@echo 'why -coq [...] why/sparse_array2_ctx.why' && $(WHY) why/sparse_array2_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export sparse_array2_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/sparse_array2_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/sparse_array2_ctx_why.vo

pvs: pvs/sparse_array2_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/sparse_array2_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/sparse_array2_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/sparse_array2_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/sparse_array2_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/sparse_array2_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/sparse_array2_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/sparse_array2_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/sparse_array2_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/sparse_array2_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/sparse_array2_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/sparse_array2_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/sparse_array2_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/sparse_array2_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/sparse_array2_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: sparse_array2.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/sparse_array2_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: sparse_array2.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: sparse_array2.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: sparse_array2.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include sparse_array2.depend

depend: coq/sparse_array2_why.v
	-$(COQDEP) -I coq coq/sparse_array2*_why.v > sparse_array2.depend

clean:
	rm -f coq/*.vo

========== file tests/c/sparse_array2.jessie/sparse_array2.loc ==========
[main_safety]
name = "Function main"
behavior = "Safety"
file = "HOME/tests/c/sparse_array2.c"
line = 123
begin = 4
end = 8

[JC_94]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_73]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 6
end = 12

[JC_158]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 19
end = 29

[JC_63]
file = "HOME/tests/c/sparse_array2.c"
line = 92
begin = 13
end = 27

[JC_80]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 38
end = 44

[JC_51]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 82
begin = 17
end = 39

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_147]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 6
end = 14

[JC_151]
kind = UserCall
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 243
begin = 15
end = 27

[JC_45]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 115
begin = 15
end = 57

[JC_123]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 37
end = 46

[JC_106]
file = "HOME/tests/c/sparse_array2.c"
line = 109
begin = 12
end = 27

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 177
begin = 10
end = 110

[set_safety]
name = "Function set"
behavior = "Safety"
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_116]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_133]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 45

[model_out]
name = "Lemma model_out"
behavior = "axiom"
file = "HOME/tests/c/sparse_array2.c"
line = 57
begin = 6
end = 99

[JC_99]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_85]
file = "HOME/tests/c/sparse_array2.c"
line = 105
begin = 13
end = 19

[JC_126]
file = "HOME/tests/c/sparse_array2.c"
line = 116
begin = 15
end = 27

[JC_170]
file = "HOME/tests/c/sparse_array2.c"
line = 132
begin = 13
end = 29

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/c/sparse_array2.c"
line = 77
begin = 12
end = 29

[JC_122]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 37
end = 43

[create_safety]
name = "Function create"
behavior = "Safety"
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_81]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 38
end = 47

[JC_55]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 13
end = 22

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
kind = ArithOverflow
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 41
end = 47

[JC_148]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 20
end = 28

[JC_137]
file = "HOME/tests/c/sparse_array2.c"
line = 123
begin = 4
end = 8

[JC_48]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 118
begin = 16
end = 37

[JC_23]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_22]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_121]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 20
end = 24

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_125]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 28
end = 47

[JC_67]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 131
begin = 10
end = 18

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[set_ensures_default]
name = "Function set"
behavior = "default behavior"
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_75]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 18
end = 22

[JC_24]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_25]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 105
begin = 10
end = 18

[JC_78]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 6
end = 13

[JC_41]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 81
begin = 33
end = 67

[JC_74]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 99
begin = 6
end = 15

[JC_47]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 117
begin = 16
end = 70

[JC_52]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 83
begin = 18
end = 41

[JC_26]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 104
begin = 9
end = 16

[JC_8]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 62
begin = 10
end = 18

[JC_154]
file = "HOME/tests/c/sparse_array2.c"
line = 130
begin = 13
end = 29

[JC_54]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 13
end = 22

[JC_79]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 6
end = 24

[JC_13]
file = "HOME/tests/c/sparse_array2.c"
line = 73
begin = 13
end = 20

[JC_130]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 22
end = 29

[JC_82]
file = "HOME/tests/c/sparse_array2.c"
line = 98
begin = 13
end = 27

[JC_163]
kind = UserCall
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 242
begin = 15
end = 29

[JC_153]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 20
end = 28

[model_in]
name = "Lemma model_in"
behavior = "axiom"
file = "HOME/tests/c/sparse_array2.c"
line = 55
begin = 6
end = 105

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/c/sparse_array2.c"
line = 73
begin = 13
end = 20

[JC_167]
file = "HOME/tests/c/sparse_array2.c"
line = 130
begin = 13
end = 29

[JC_98]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/c/sparse_array2.c"
line = 75
begin = 12
end = 55

[JC_36]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_168]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 6
end = 14

[JC_104]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 176
begin = 9
end = 16

[JC_91]
file = "HOME/tests/c/sparse_array2.c"
line = 105
begin = 13
end = 19

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_162]
file = "HOME/tests/c/sparse_array2.c"
line = 127
begin = 13
end = 29

[JC_135]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 210
begin = 19
end = 154

[JC_169]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 20
end = 28

[JC_83]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 13
end = 22

[JC_35]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_132]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 209
begin = 19
end = 99

[JC_27]
file = "HOME/tests/c/sparse_array2.c"
line = 75
begin = 12
end = 55

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_107]
file = "HOME/tests/c/sparse_array2.c"
line = 110
begin = 12
end = 79

[JC_69]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 131
begin = 10
end = 18

[JC_124]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 28
end = 36

[JC_38]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 104
begin = 9
end = 16

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 62
begin = 10
end = 18

[JC_156]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 20
end = 28

[JC_127]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 16
end = 20

[JC_164]
kind = UserCall
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 243
begin = 15
end = 27

[JC_44]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 84
begin = 19
end = 42

[JC_155]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 131
begin = 6
end = 14

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/c/sparse_array2.c"
line = 91
begin = 13
end = 19

[JC_101]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[get_ensures_default]
name = "Function get"
behavior = "default behavior"
file = "HOME/tests/c/sparse_array2.c"
line = 96
begin = 4
end = 7

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_129]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 207
begin = 19
end = 108

[JC_42]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 82
begin = 17
end = 39

[JC_110]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[main_ensures_default]
name = "Function main"
behavior = "default behavior"
file = "HOME/tests/c/sparse_array2.c"
line = 123
begin = 4
end = 8

[JC_166]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 20
end = 28

[JC_103]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 177
begin = 10
end = 110

[JC_46]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 116
begin = 15
end = 66

[JC_141]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_61]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 13
end = 22

[JC_32]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_56]
file = "HOME/tests/c/sparse_array2.c"
line = 91
begin = 13
end = 19

[JC_33]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 189
begin = 16
end = 70

[JC_105]
file = "HOME/tests/c/sparse_array2.c"
line = 108
begin = 12
end = 18

[JC_140]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/c/sparse_array2.c"
line = 77
begin = 12
end = 29

[JC_144]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_159]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 35
end = 45

[JC_68]
file = "HOME/tests/c/sparse_array2.c"
line = 94
begin = 12
end = 33

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/c/sparse_array2.c"
line = 76
begin = 12
end = 24

[JC_96]
file = "HOME/tests/c/sparse_array2.c"
line = 109
begin = 12
end = 27

[JC_43]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 83
begin = 18
end = 41

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
file = "HOME/tests/c/sparse_array2.c"
line = 108
begin = 12
end = 18

[JC_93]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_97]
file = "HOME/tests/c/sparse_array2.c"
line = 110
begin = 12
end = 79

[JC_84]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 13
end = 22

[JC_160]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 6
end = 14

[JC_128]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 4
end = 10

[JC_34]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_114]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 176
begin = 9
end = 16

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_150]
kind = UserCall
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 242
begin = 15
end = 29

[JC_117]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 114
begin = 2
end = 8

[JC_90]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 13
end = 22

[JC_53]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 84
begin = 19
end = 42

[JC_157]
file = "HOME/tests/c/sparse_array2.c"
line = 132
begin = 13
end = 29

[JC_145]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 19
end = 29

[JC_21]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_149]
file = "HOME/tests/c/sparse_array2.c"
line = 127
begin = 13
end = 29

[JC_111]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_77]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 14
end = 23

[JC_49]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 119
begin = 16
end = 39

[JC_1]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 60
begin = 10
end = 16

[JC_131]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 117
begin = 30
end = 34

[JC_102]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_37]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 105
begin = 10
end = 18

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/c/sparse_array2.c"
line = 92
begin = 13
end = 27

[JC_161]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 126
begin = 20
end = 28

[JC_146]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 124
begin = 35
end = 45

[JC_89]
file = "HOME/tests/c/sparse_array2.c"
line = 104
begin = 13
end = 22

[create_ensures_default]
name = "Function create"
behavior = "default behavior"
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_136]
file = "HOME/tests/c/sparse_array2.c"
line = 116
begin = 15
end = 27

[JC_66]
file = "HOME/tests/c/sparse_array2.c"
line = 94
begin = 12
end = 33

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/tests/c/sparse_array2.c"
line = 80
begin = 13
end = 19

[JC_165]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 6
end = 14

[JC_18]
file = "HOME/tests/c/sparse_array2.c"
line = 78
begin = 12
end = 52

[JC_3]
file = "HOME/tests/c/sparse_array2.jessie/sparse_array2.jc"
line = 60
begin = 10
end = 16

[JC_92]
file = "HOME/tests/c/sparse_array2.c"
line = 106
begin = 13
end = 27

[JC_152]
kind = UserCall
file = "HOME/tests/c/sparse_array2.c"
line = 129
begin = 6
end = 14

[JC_86]
file = "HOME/tests/c/sparse_array2.c"
line = 106
begin = 13
end = 27

[JC_60]
file = "HOME/tests/c/sparse_array2.c"
line = 90
begin = 13
end = 22

[JC_139]
file = "HOME/tests/c/sparse_array2.c"
line = 123
begin = 4
end = 8

[get_safety]
name = "Function get"
behavior = "Safety"
file = "HOME/tests/c/sparse_array2.c"
line = 96
begin = 4
end = 7

[JC_72]
file = "HOME/tests/c/sparse_array2.c"
line = 98
begin = 13
end = 27

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_119]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 8
end = 14

[JC_76]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 100
begin = 14
end = 20

[JC_50]
kind = AllocSize
file = "HOME/tests/c/sparse_array2.c"
line = 81
begin = 33
end = 67

[JC_30]
file = "HOME/tests/c/sparse_array2.c"
line = 78
begin = 12
end = 52

[JC_120]
kind = PointerDeref
file = "HOME/tests/c/sparse_array2.c"
line = 115
begin = 8
end = 17

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_100]
file = "HOME/tests/c/sparse_array2.c"
line = 113
begin = 5
end = 8

[JC_28]
file = "HOME/tests/c/sparse_array2.c"
line = 76
begin = 12
end = 24

========== file tests/c/sparse_array2.jessie/why/sparse_array2.why ==========
type SparseArray

type charP

type int32

type int8

type intP

type padding

type uint32

type uint8

type unsigned_charP

type unsigned_intP

type voidP

logic SparseArray_tag:  -> SparseArray tag_id

axiom SparseArray_int : (int_of_tag(SparseArray_tag) = (1))

logic SparseArray_of_pointer_address: unit pointer -> SparseArray pointer

axiom SparseArray_of_pointer_address_of_pointer_addr :
 (forall p:SparseArray pointer.
  (p = SparseArray_of_pointer_address(pointer_address(p))))

axiom SparseArray_parenttag_bottom : parenttag(SparseArray_tag, bottom_tag)

axiom SparseArray_tags :
 (forall x:SparseArray pointer.
  (forall SparseArray_tag_table:SparseArray tag_table.
   instanceof(SparseArray_tag_table, x, SparseArray_tag)))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint32: uint32 -> int

predicate eq_uint32(x:uint32, y:uint32) =
 eq_int(integer_of_uint32(x), integer_of_uint32(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate inv(a_3:SparseArray pointer,
 unsigned_intP_back_17_alloc_table_at_L:unsigned_intP alloc_table,
 unsigned_intP_idx_16_alloc_table_at_L:unsigned_intP alloc_table,
 intP_val_15_alloc_table_at_L:intP alloc_table,
 SparseArray_a_3_5_alloc_table_at_L:SparseArray alloc_table,
 SparseArray_sz_0_a_3_5_at_L:(SparseArray, uint32) memory,
 SparseArray_n_1_a_3_5_at_L:(SparseArray, uint32) memory,
 SparseArray_back_a_3_5_at_L:(SparseArray, unsigned_intP pointer) memory,
 SparseArray_idx_a_3_5_at_L:(SparseArray, unsigned_intP pointer) memory,
 SparseArray_val_a_3_5_at_L:(SparseArray, intP pointer) memory,
 unsigned_intP_unsigned_intM_back_17_at_L:(unsigned_intP, uint32) memory,
 unsigned_intP_unsigned_intM_idx_16_at_L:(unsigned_intP, uint32) memory) =
 (le_int(offset_min(SparseArray_a_3_5_alloc_table_at_L, a_3), (0))
 and (ge_int(offset_max(SparseArray_a_3_5_alloc_table_at_L, a_3), (0))
     and (le_int((0),
          integer_of_uint32(select(SparseArray_n_1_a_3_5_at_L, a_3)))
         and (le_int(integer_of_uint32(select(SparseArray_n_1_a_3_5_at_L,
                                       a_3)),
              integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L, a_3)))
             and (le_int(offset_min(intP_val_15_alloc_table_at_L,
                         select(SparseArray_val_a_3_5_at_L, a_3)),
                  (0))
                 and (ge_int(offset_max(intP_val_15_alloc_table_at_L,
                             select(SparseArray_val_a_3_5_at_L, a_3)),
                      sub_int(integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
                                                a_3)),
                      (1)))
                     and (le_int(offset_min(unsigned_intP_idx_16_alloc_table_at_L,
                                 select(SparseArray_idx_a_3_5_at_L, a_3)),
                          (0))
                         and (ge_int(offset_max(unsigned_intP_idx_16_alloc_table_at_L,
                                     select(SparseArray_idx_a_3_5_at_L, a_3)),
                              sub_int(integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
                                                        a_3)),
                              (1)))
                             and (le_int(offset_min(unsigned_intP_back_17_alloc_table_at_L,
                                         select(SparseArray_back_a_3_5_at_L,
                                         a_3)),
                                  (0))
                                 and (ge_int(offset_max(unsigned_intP_back_17_alloc_table_at_L,
                                             select(SparseArray_back_a_3_5_at_L,
                                             a_3)),
                                      sub_int(integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
                                                                a_3)),
                                      (1)))
                                     and (forall i_5:int.
                                          ((le_int((0), i_5)
                                           and lt_int(i_5,
                                               integer_of_uint32(select(SparseArray_n_1_a_3_5_at_L,
                                                                 a_3)))) ->
                                           (le_int((0),
                                            integer_of_uint32(select(unsigned_intP_unsigned_intM_back_17_at_L,
                                                              shift(select(SparseArray_back_a_3_5_at_L,
                                                                    a_3),
                                                              i_5))))
                                           and (lt_int(integer_of_uint32(
                                                       select(unsigned_intP_unsigned_intM_back_17_at_L,
                                                       shift(select(SparseArray_back_a_3_5_at_L,
                                                             a_3),
                                                       i_5))),
                                                integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
                                                                  a_3)))
                                               and (integer_of_uint32(
                                                    select(unsigned_intP_unsigned_intM_idx_16_at_L,
                                                    shift(select(SparseArray_idx_a_3_5_at_L,
                                                          a_3),
                                                    integer_of_uint32(
                                                    select(unsigned_intP_unsigned_intM_back_17_at_L,
                                                    shift(select(SparseArray_back_a_3_5_at_L,
                                                          a_3),
                                                    i_5)))))) = i_5)))))))))))))))

predicate is_elt(a:SparseArray pointer, i_1:int,
 SparseArray_n_1_a_3_at_L:(SparseArray, uint32) memory,
 SparseArray_back_a_3_at_L:(SparseArray, unsigned_intP pointer) memory,
 SparseArray_idx_a_3_at_L:(SparseArray, unsigned_intP pointer) memory,
 unsigned_intP_unsigned_intM_back_11_at_L:(unsigned_intP, uint32) memory,
 unsigned_intP_unsigned_intM_idx_10_at_L:(unsigned_intP, uint32) memory) =
 (le_int((0),
  integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_10_at_L,
                    shift(select(SparseArray_idx_a_3_at_L, a), i_1))))
 and (lt_int(integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_10_at_L,
                               shift(select(SparseArray_idx_a_3_at_L, a),
                               i_1))),
      integer_of_uint32(select(SparseArray_n_1_a_3_at_L, a)))
     and (integer_of_uint32(select(unsigned_intP_unsigned_intM_back_11_at_L,
                            shift(select(SparseArray_back_a_3_at_L, a),
                            integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_10_at_L,
                                              shift(select(SparseArray_idx_a_3_at_L,
                                                    a),
                                              i_1)))))) = i_1)))

predicate left_valid_struct_SparseArray(p:SparseArray pointer, a:int,
 SparseArray_alloc_table:SparseArray alloc_table) =
 (offset_min(SparseArray_alloc_table, p) <= a)

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_intP(p:unsigned_intP pointer, a:int,
 unsigned_intP_alloc_table:unsigned_intP alloc_table) =
 (offset_min(unsigned_intP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

logic model: SparseArray pointer, int, (SparseArray, uint32) memory,
 (SparseArray, unsigned_intP pointer) memory,
 (SparseArray, unsigned_intP pointer) memory,
 (SparseArray, intP pointer) memory, (intP, int32) memory,
 (unsigned_intP, uint32) memory, (unsigned_intP, uint32) memory -> int

axiom pointer_addr_of_SparseArray_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(SparseArray_of_pointer_address(p))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic unsigned_intP_of_pointer_address: unit pointer -> unsigned_intP pointer

axiom pointer_addr_of_unsigned_intP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_intP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_SparseArray(p:SparseArray pointer, b:int,
 SparseArray_alloc_table:SparseArray alloc_table) =
 (offset_max(SparseArray_alloc_table, p) >= b)

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_intP(p:unsigned_intP pointer, b:int,
 unsigned_intP_alloc_table:unsigned_intP alloc_table) =
 (offset_max(unsigned_intP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_SparseArray(p:SparseArray pointer, a:int, b:int,
 SparseArray_alloc_table:SparseArray alloc_table) =
 ((offset_min(SparseArray_alloc_table, p) = a)
 and (offset_max(SparseArray_alloc_table, p) = b))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_intP(p:unsigned_intP pointer, a:int,
 b:int, unsigned_intP_alloc_table:unsigned_intP alloc_table) =
 ((offset_min(unsigned_intP_alloc_table, p) = a)
 and (offset_max(unsigned_intP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_SparseArray(p:SparseArray pointer, a:int,
 b:int, SparseArray_alloc_table:SparseArray alloc_table) =
 ((offset_min(SparseArray_alloc_table, p) = a)
 and (offset_max(SparseArray_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_intP(p:unsigned_intP pointer, a:int,
 b:int, unsigned_intP_alloc_table:unsigned_intP alloc_table) =
 ((offset_min(unsigned_intP_alloc_table, p) = a)
 and (offset_max(unsigned_intP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint32_of_integer: int -> uint32

axiom uint32_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (4294967295))) ->
   eq_int(integer_of_uint32(uint32_of_integer(x)), x)))

axiom uint32_extensionality :
 (forall x:uint32.
  (forall y:uint32[eq_int(integer_of_uint32(x), integer_of_uint32(y))].
   (eq_int(integer_of_uint32(x), integer_of_uint32(y)) -> (x = y))))

axiom uint32_range :
 (forall x:uint32.
  (le_int((0), integer_of_uint32(x))
  and le_int(integer_of_uint32(x), (4294967295))))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

logic unsigned_intP_tag:  -> unsigned_intP tag_id

axiom unsigned_intP_int : (int_of_tag(unsigned_intP_tag) = (1))

axiom unsigned_intP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_intP pointer.
  (p = unsigned_intP_of_pointer_address(pointer_address(p))))

axiom unsigned_intP_parenttag_bottom :
 parenttag(unsigned_intP_tag, bottom_tag)

axiom unsigned_intP_tags :
 (forall x:unsigned_intP pointer.
  (forall unsigned_intP_tag_table:unsigned_intP tag_table.
   instanceof(unsigned_intP_tag_table, x, unsigned_intP_tag)))

predicate valid_root_SparseArray(p:SparseArray pointer, a:int, b:int,
 SparseArray_alloc_table:SparseArray alloc_table) =
 ((offset_min(SparseArray_alloc_table, p) <= a)
 and (offset_max(SparseArray_alloc_table, p) >= b))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_unsigned_intP(p:unsigned_intP pointer, a:int, b:int,
 unsigned_intP_alloc_table:unsigned_intP alloc_table) =
 ((offset_min(unsigned_intP_alloc_table, p) <= a)
 and (offset_max(unsigned_intP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_SparseArray(p:SparseArray pointer, a:int, b:int,
 SparseArray_alloc_table:SparseArray alloc_table) =
 ((offset_min(SparseArray_alloc_table, p) <= a)
 and (offset_max(SparseArray_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_intP(p:unsigned_intP pointer, a:int, b:int,
 unsigned_intP_alloc_table:unsigned_intP alloc_table) =
 ((offset_min(unsigned_intP_alloc_table, p) <= a)
 and (offset_max(unsigned_intP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

axiom model_in :
 (forall SparseArray_n_1_a_0_4_at_L:(SparseArray, uint32) memory.
  (forall SparseArray_back_a_0_4_at_L:
   (SparseArray, unsigned_intP pointer) memory.
   (forall SparseArray_idx_a_0_4_at_L:
    (SparseArray, unsigned_intP pointer) memory.
    (forall SparseArray_val_a_0_4_at_L:(SparseArray, intP pointer) memory.
     (forall intP_intM_val_13_at_L:(intP, int32) memory.
      (forall unsigned_intP_unsigned_intM_idx_37_at_L:
       (unsigned_intP, uint32) memory.
       (forall unsigned_intP_unsigned_intM_back_36_at_L:
        (unsigned_intP, uint32) memory.
        (forall a_1_0:SparseArray pointer.
         (forall i_3:int.
          (is_elt(a_1_0, i_3, SparseArray_n_1_a_0_4_at_L,
           SparseArray_back_a_0_4_at_L, SparseArray_idx_a_0_4_at_L,
           unsigned_intP_unsigned_intM_back_36_at_L,
           unsigned_intP_unsigned_intM_idx_37_at_L) ->
           (model(a_1_0, i_3, SparseArray_n_1_a_0_4_at_L,
            SparseArray_back_a_0_4_at_L, SparseArray_idx_a_0_4_at_L,
            SparseArray_val_a_0_4_at_L, intP_intM_val_13_at_L,
            unsigned_intP_unsigned_intM_idx_37_at_L,
            unsigned_intP_unsigned_intM_back_36_at_L) = integer_of_int32(
                                                        select(intP_intM_val_13_at_L,
                                                        shift(select(SparseArray_val_a_0_4_at_L,
                                                              a_1_0),
                                                        i_3))))))))))))))

axiom model_out :
 (forall SparseArray_n_1_a_0_4_at_L:(SparseArray, uint32) memory.
  (forall SparseArray_back_a_0_4_at_L:
   (SparseArray, unsigned_intP pointer) memory.
   (forall SparseArray_idx_a_0_4_at_L:
    (SparseArray, unsigned_intP pointer) memory.
    (forall SparseArray_val_a_0_4_at_L:(SparseArray, intP pointer) memory.
     (forall intP_intM_val_13_at_L:(intP, int32) memory.
      (forall unsigned_intP_unsigned_intM_idx_37_at_L:
       (unsigned_intP, uint32) memory.
       (forall unsigned_intP_unsigned_intM_back_36_at_L:
        (unsigned_intP, uint32) memory.
        (forall a_2:SparseArray pointer.
         (forall i_4:int.
          ((not is_elt(a_2, i_4, SparseArray_n_1_a_0_4_at_L,
                SparseArray_back_a_0_4_at_L, SparseArray_idx_a_0_4_at_L,
                unsigned_intP_unsigned_intM_back_36_at_L,
                unsigned_intP_unsigned_intM_idx_37_at_L)) ->
           (model(a_2, i_4, SparseArray_n_1_a_0_4_at_L,
            SparseArray_back_a_0_4_at_L, SparseArray_idx_a_0_4_at_L,
            SparseArray_val_a_0_4_at_L, intP_intM_val_13_at_L,
            unsigned_intP_unsigned_intM_idx_37_at_L,
            unsigned_intP_unsigned_intM_back_36_at_L) = (0))))))))))))

exception Goto__LAND_0_exc of unit

exception Goto__LAND_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter SparseArray_alloc_table : SparseArray alloc_table ref

parameter SparseArray_tag_table : SparseArray tag_table ref

parameter alloc_struct_SparseArray :
 n:int ->
  SparseArray_alloc_table:SparseArray alloc_table ref ->
   SparseArray_tag_table:SparseArray tag_table ref ->
    { } SparseArray pointer
    writes SparseArray_alloc_table,SparseArray_tag_table
    { (strict_valid_struct_SparseArray(result, (0), sub_int(n, (1)),
       SparseArray_alloc_table)
      and (alloc_extends(SparseArray_alloc_table@, SparseArray_alloc_table)
          and (alloc_fresh(SparseArray_alloc_table@, result, n)
              and instanceof(SparseArray_tag_table, result, SparseArray_tag)))) }

parameter alloc_struct_SparseArray_requires :
 n:int ->
  SparseArray_alloc_table:SparseArray alloc_table ref ->
   SparseArray_tag_table:SparseArray tag_table ref ->
    { ge_int(n, (0))} SparseArray pointer
    writes SparseArray_alloc_table,SparseArray_tag_table
    { (strict_valid_struct_SparseArray(result, (0), sub_int(n, (1)),
       SparseArray_alloc_table)
      and (alloc_extends(SparseArray_alloc_table@, SparseArray_alloc_table)
          and (alloc_fresh(SparseArray_alloc_table@, result, n)
              and instanceof(SparseArray_tag_table, result, SparseArray_tag)))) }

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter unsigned_intP_alloc_table : unsigned_intP alloc_table ref

parameter unsigned_intP_tag_table : unsigned_intP tag_table ref

parameter alloc_struct_unsigned_intP :
 n:int ->
  unsigned_intP_alloc_table:unsigned_intP alloc_table ref ->
   unsigned_intP_tag_table:unsigned_intP tag_table ref ->
    { } unsigned_intP pointer
    writes unsigned_intP_alloc_table,unsigned_intP_tag_table
    { (strict_valid_struct_unsigned_intP(result, (0), sub_int(n, (1)),
       unsigned_intP_alloc_table)
      and (alloc_extends(unsigned_intP_alloc_table@,
           unsigned_intP_alloc_table)
          and (alloc_fresh(unsigned_intP_alloc_table@, result, n)
              and instanceof(unsigned_intP_tag_table, result,
                  unsigned_intP_tag)))) }

parameter alloc_struct_unsigned_intP_requires :
 n:int ->
  unsigned_intP_alloc_table:unsigned_intP alloc_table ref ->
   unsigned_intP_tag_table:unsigned_intP tag_table ref ->
    { ge_int(n, (0))} unsigned_intP pointer
    writes unsigned_intP_alloc_table,unsigned_intP_tag_table
    { (strict_valid_struct_unsigned_intP(result, (0), sub_int(n, (1)),
       unsigned_intP_alloc_table)
      and (alloc_extends(unsigned_intP_alloc_table@,
           unsigned_intP_alloc_table)
          and (alloc_fresh(unsigned_intP_alloc_table@, result, n)
              and instanceof(unsigned_intP_tag_table, result,
                  unsigned_intP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint32 : unit -> { } uint32 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter calloc :
 nmemb:uint32 -> size_0:uint32 -> { } charP pointer { true }

parameter calloc_requires :
 nmemb:uint32 -> size_0:uint32 -> { } charP pointer { true }

parameter create :
 sz:uint32 ->
  unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table ref ->
   unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table ref ->
    intP_val_20_alloc_table:intP alloc_table ref ->
     SparseArray_result_6_alloc_table:SparseArray alloc_table ref ->
      unsigned_intP_back_24_tag_table:unsigned_intP tag_table ref ->
       unsigned_intP_idx_22_tag_table:unsigned_intP tag_table ref ->
        intP_val_20_tag_table:intP tag_table ref ->
         SparseArray_result_6_tag_table:SparseArray tag_table ref ->
          SparseArray_sz_0_result_6:(SparseArray, uint32) memory ref ->
           SparseArray_n_1_result_6:(SparseArray, uint32) memory ref ->
            SparseArray_back_result_6:(SparseArray, unsigned_intP pointer) memory ref ->
             SparseArray_idx_result_6:(SparseArray, unsigned_intP pointer) memory ref ->
              SparseArray_val_result_6:(SparseArray, intP pointer) memory ref ->
               intP_intM_val_20:(intP, int32) memory ->
                unsigned_intP_unsigned_intM_back_24:(unsigned_intP, uint32) memory ->
                 unsigned_intP_unsigned_intM_idx_22:(unsigned_intP, uint32) memory ->
                  { } SparseArray pointer
                  reads SparseArray_back_result_6,SparseArray_idx_result_6,SparseArray_n_1_result_6,SparseArray_result_6_alloc_table,SparseArray_sz_0_result_6,SparseArray_val_result_6,intP_val_20_alloc_table,unsigned_intP_back_24_alloc_table,unsigned_intP_idx_22_alloc_table
                  writes SparseArray_back_result_6,SparseArray_idx_result_6,SparseArray_n_1_result_6,SparseArray_result_6_alloc_table,SparseArray_result_6_tag_table,SparseArray_sz_0_result_6,SparseArray_val_result_6,intP_val_20_alloc_table,intP_val_20_tag_table,unsigned_intP_back_24_alloc_table,unsigned_intP_back_24_tag_table,unsigned_intP_idx_22_alloc_table,unsigned_intP_idx_22_tag_table
                  { (JC_38:
                    ((JC_31:
                     ((JC_27:
                      (not valid(SparseArray_result_6_alloc_table@, result)))
                     and ((JC_28:
                          inv(result, unsigned_intP_back_24_alloc_table,
                          unsigned_intP_idx_22_alloc_table,
                          intP_val_20_alloc_table,
                          SparseArray_result_6_alloc_table,
                          SparseArray_sz_0_result_6,
                          SparseArray_n_1_result_6,
                          SparseArray_back_result_6,
                          SparseArray_idx_result_6, SparseArray_val_result_6,
                          unsigned_intP_unsigned_intM_back_24,
                          unsigned_intP_unsigned_intM_idx_22))
                         and ((JC_29:
                              (integer_of_uint32(select(SparseArray_sz_0_result_6,
                                                 result)) = integer_of_uint32(sz)))
                             and (JC_30:
                                 (forall i_6:int.
                                  (model(result, i_6,
                                   SparseArray_n_1_result_6,
                                   SparseArray_back_result_6,
                                   SparseArray_idx_result_6,
                                   SparseArray_val_result_6,
                                   intP_intM_val_20,
                                   unsigned_intP_unsigned_intM_idx_22,
                                   unsigned_intP_unsigned_intM_back_24) = (0))))))))
                    and (JC_37:
                        (((((JC_32:
                            not_assigns(SparseArray_result_6_alloc_table@,
                            SparseArray_val_result_6@,
                            SparseArray_val_result_6, pset_empty))
                           and (JC_33:
                               not_assigns(SparseArray_result_6_alloc_table@,
                               SparseArray_idx_result_6@,
                               SparseArray_idx_result_6, pset_empty)))
                          and (JC_34:
                              not_assigns(SparseArray_result_6_alloc_table@,
                              SparseArray_back_result_6@,
                              SparseArray_back_result_6, pset_empty)))
                         and (JC_35:
                             not_assigns(SparseArray_result_6_alloc_table@,
                             SparseArray_n_1_result_6@,
                             SparseArray_n_1_result_6, pset_empty)))
                        and (JC_36:
                            not_assigns(SparseArray_result_6_alloc_table@,
                            SparseArray_sz_0_result_6@,
                            SparseArray_sz_0_result_6, pset_empty)))))) }

parameter create_requires :
 sz:uint32 ->
  unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table ref ->
   unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table ref ->
    intP_val_20_alloc_table:intP alloc_table ref ->
     SparseArray_result_6_alloc_table:SparseArray alloc_table ref ->
      unsigned_intP_back_24_tag_table:unsigned_intP tag_table ref ->
       unsigned_intP_idx_22_tag_table:unsigned_intP tag_table ref ->
        intP_val_20_tag_table:intP tag_table ref ->
         SparseArray_result_6_tag_table:SparseArray tag_table ref ->
          SparseArray_sz_0_result_6:(SparseArray, uint32) memory ref ->
           SparseArray_n_1_result_6:(SparseArray, uint32) memory ref ->
            SparseArray_back_result_6:(SparseArray, unsigned_intP pointer) memory ref ->
             SparseArray_idx_result_6:(SparseArray, unsigned_intP pointer) memory ref ->
              SparseArray_val_result_6:(SparseArray, intP pointer) memory ref ->
               intP_intM_val_20:(intP, int32) memory ->
                unsigned_intP_unsigned_intM_back_24:(unsigned_intP, uint32) memory ->
                 unsigned_intP_unsigned_intM_idx_22:(unsigned_intP, uint32) memory ->
                  { (JC_11: ge_int(integer_of_uint32(sz), (0)))}
                  SparseArray pointer
                  reads SparseArray_back_result_6,SparseArray_idx_result_6,SparseArray_n_1_result_6,SparseArray_result_6_alloc_table,SparseArray_sz_0_result_6,SparseArray_val_result_6,intP_val_20_alloc_table,unsigned_intP_back_24_alloc_table,unsigned_intP_idx_22_alloc_table
                  writes SparseArray_back_result_6,SparseArray_idx_result_6,SparseArray_n_1_result_6,SparseArray_result_6_alloc_table,SparseArray_result_6_tag_table,SparseArray_sz_0_result_6,SparseArray_val_result_6,intP_val_20_alloc_table,intP_val_20_tag_table,unsigned_intP_back_24_alloc_table,unsigned_intP_back_24_tag_table,unsigned_intP_idx_22_alloc_table,unsigned_intP_idx_22_tag_table
                  { (JC_38:
                    ((JC_31:
                     ((JC_27:
                      (not valid(SparseArray_result_6_alloc_table@, result)))
                     and ((JC_28:
                          inv(result, unsigned_intP_back_24_alloc_table,
                          unsigned_intP_idx_22_alloc_table,
                          intP_val_20_alloc_table,
                          SparseArray_result_6_alloc_table,
                          SparseArray_sz_0_result_6,
                          SparseArray_n_1_result_6,
                          SparseArray_back_result_6,
                          SparseArray_idx_result_6, SparseArray_val_result_6,
                          unsigned_intP_unsigned_intM_back_24,
                          unsigned_intP_unsigned_intM_idx_22))
                         and ((JC_29:
                              (integer_of_uint32(select(SparseArray_sz_0_result_6,
                                                 result)) = integer_of_uint32(sz)))
                             and (JC_30:
                                 (forall i_6:int.
                                  (model(result, i_6,
                                   SparseArray_n_1_result_6,
                                   SparseArray_back_result_6,
                                   SparseArray_idx_result_6,
                                   SparseArray_val_result_6,
                                   intP_intM_val_20,
                                   unsigned_intP_unsigned_intM_idx_22,
                                   unsigned_intP_unsigned_intM_back_24) = (0))))))))
                    and (JC_37:
                        (((((JC_32:
                            not_assigns(SparseArray_result_6_alloc_table@,
                            SparseArray_val_result_6@,
                            SparseArray_val_result_6, pset_empty))
                           and (JC_33:
                               not_assigns(SparseArray_result_6_alloc_table@,
                               SparseArray_idx_result_6@,
                               SparseArray_idx_result_6, pset_empty)))
                          and (JC_34:
                              not_assigns(SparseArray_result_6_alloc_table@,
                              SparseArray_back_result_6@,
                              SparseArray_back_result_6, pset_empty)))
                         and (JC_35:
                             not_assigns(SparseArray_result_6_alloc_table@,
                             SparseArray_n_1_result_6@,
                             SparseArray_n_1_result_6, pset_empty)))
                        and (JC_36:
                            not_assigns(SparseArray_result_6_alloc_table@,
                            SparseArray_sz_0_result_6@,
                            SparseArray_sz_0_result_6, pset_empty)))))) }

parameter get :
 a_1:SparseArray pointer ->
  i:uint32 ->
   unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table ->
    unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table ->
     intP_val_28_alloc_table:intP alloc_table ->
      SparseArray_a_8_alloc_table:SparseArray alloc_table ->
       SparseArray_sz_0_a_8:(SparseArray, uint32) memory ->
        SparseArray_n_1_a_8:(SparseArray, uint32) memory ->
         SparseArray_back_a_8:(SparseArray, unsigned_intP pointer) memory ->
          SparseArray_idx_a_8:(SparseArray, unsigned_intP pointer) memory ->
           SparseArray_val_a_8:(SparseArray, intP pointer) memory ->
            intP_intM_val_28:(intP, int32) memory ->
             unsigned_intP_unsigned_intM_back_27:(unsigned_intP, uint32) memory ->
              unsigned_intP_unsigned_intM_idx_26:(unsigned_intP, uint32) memory ->
               { } int32
               { (JC_68:
                 (integer_of_int32(result) = model(a_1, integer_of_uint32(i),
                                             SparseArray_n_1_a_8,
                                             SparseArray_back_a_8,
                                             SparseArray_idx_a_8,
                                             SparseArray_val_a_8,
                                             intP_intM_val_28,
                                             unsigned_intP_unsigned_intM_idx_26,
                                             unsigned_intP_unsigned_intM_back_27))) }

parameter get_requires :
 a_1:SparseArray pointer ->
  i:uint32 ->
   unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table ->
    unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table ->
     intP_val_28_alloc_table:intP alloc_table ->
      SparseArray_a_8_alloc_table:SparseArray alloc_table ->
       SparseArray_sz_0_a_8:(SparseArray, uint32) memory ->
        SparseArray_n_1_a_8:(SparseArray, uint32) memory ->
         SparseArray_back_a_8:(SparseArray, unsigned_intP pointer) memory ->
          SparseArray_idx_a_8:(SparseArray, unsigned_intP pointer) memory ->
           SparseArray_val_a_8:(SparseArray, intP pointer) memory ->
            intP_intM_val_28:(intP, int32) memory ->
             unsigned_intP_unsigned_intM_back_27:(unsigned_intP, uint32) memory ->
              unsigned_intP_unsigned_intM_idx_26:(unsigned_intP, uint32) memory ->
               { (JC_58:
                 ((JC_54:
                  le_int(offset_min(SparseArray_a_8_alloc_table, a_1), (0)))
                 and ((JC_55:
                      ge_int(offset_max(SparseArray_a_8_alloc_table, a_1),
                      (0)))
                     and ((JC_56:
                          inv(a_1, unsigned_intP_back_27_alloc_table,
                          unsigned_intP_idx_26_alloc_table,
                          intP_val_28_alloc_table,
                          SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8,
                          SparseArray_n_1_a_8, SparseArray_back_a_8,
                          SparseArray_idx_a_8, SparseArray_val_a_8,
                          unsigned_intP_unsigned_intM_back_27,
                          unsigned_intP_unsigned_intM_idx_26))
                         and (JC_57:
                             le_int(integer_of_uint32(i),
                             sub_int(integer_of_uint32(select(SparseArray_sz_0_a_8,
                                                       a_1)),
                             (1))))))))}
               int32
               { (JC_68:
                 (integer_of_int32(result) = model(a_1, integer_of_uint32(i),
                                             SparseArray_n_1_a_8,
                                             SparseArray_back_a_8,
                                             SparseArray_idx_a_8,
                                             SparseArray_val_a_8,
                                             intP_intM_val_28,
                                             unsigned_intP_unsigned_intM_idx_26,
                                             unsigned_intP_unsigned_intM_back_27))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter main : tt:unit -> { } int32 { true }

parameter main_requires : tt:unit -> { } int32 { true }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint32_of_integer_ :
 x:int -> { } uint32 { eq_int(integer_of_uint32(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter set :
 a_0_0:SparseArray pointer ->
  i_0:uint32 ->
   v:int32 ->
    SparseArray_n_1_a_0_9:(SparseArray, uint32) memory ref ->
     intP_intM_val_29:(intP, int32) memory ref ->
      unsigned_intP_unsigned_intM_back_31:(unsigned_intP, uint32) memory ref ->
       unsigned_intP_unsigned_intM_idx_30:(unsigned_intP, uint32) memory ref ->
        unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table ->
         unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table ->
          intP_val_29_alloc_table:intP alloc_table ->
           SparseArray_a_0_9_alloc_table:SparseArray alloc_table ->
            SparseArray_sz_0_a_0_9:(SparseArray, uint32) memory ->
             SparseArray_back_a_0_9:(SparseArray, unsigned_intP pointer) memory ->
              SparseArray_idx_a_0_9:(SparseArray, unsigned_intP pointer) memory ->
               SparseArray_val_a_0_9:(SparseArray, intP pointer) memory ->
                { } unit
                reads SparseArray_n_1_a_0_9,intP_intM_val_29,unsigned_intP_unsigned_intM_back_31,unsigned_intP_unsigned_intM_idx_30
                writes SparseArray_n_1_a_0_9,intP_intM_val_29,unsigned_intP_unsigned_intM_back_31,unsigned_intP_unsigned_intM_idx_30
                { (JC_114:
                  ((JC_108:
                   ((JC_105:
                    inv(a_0_0, unsigned_intP_back_31_alloc_table,
                    unsigned_intP_idx_30_alloc_table,
                    intP_val_29_alloc_table, SparseArray_a_0_9_alloc_table,
                    SparseArray_sz_0_a_0_9, SparseArray_n_1_a_0_9,
                    SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                    SparseArray_val_a_0_9,
                    unsigned_intP_unsigned_intM_back_31,
                    unsigned_intP_unsigned_intM_idx_30))
                   and ((JC_106:
                        (model(a_0_0, integer_of_uint32(i_0),
                         SparseArray_n_1_a_0_9, SparseArray_back_a_0_9,
                         SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
                         intP_intM_val_29,
                         unsigned_intP_unsigned_intM_idx_30,
                         unsigned_intP_unsigned_intM_back_31) = integer_of_int32(v)))
                       and (JC_107:
                           (forall j_0:int.
                            ((j_0 <> integer_of_uint32(i_0)) ->
                             (model(a_0_0, j_0, SparseArray_n_1_a_0_9,
                              SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                              SparseArray_val_a_0_9, intP_intM_val_29,
                              unsigned_intP_unsigned_intM_idx_30,
                              unsigned_intP_unsigned_intM_back_31) = 
                             model(a_0_0, j_0, SparseArray_n_1_a_0_9@,
                             SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                             SparseArray_val_a_0_9, intP_intM_val_29@,
                             unsigned_intP_unsigned_intM_idx_30@,
                             unsigned_intP_unsigned_intM_back_31@))))))))
                  and (JC_113:
                      ((((JC_109:
                         not_assigns(unsigned_intP_idx_30_alloc_table,
                         unsigned_intP_unsigned_intM_idx_30@,
                         unsigned_intP_unsigned_intM_idx_30,
                         pset_all(pset_deref(SparseArray_idx_a_0_9,
                                  pset_singleton(a_0_0)))))
                        and (JC_110:
                            not_assigns(unsigned_intP_back_31_alloc_table,
                            unsigned_intP_unsigned_intM_back_31@,
                            unsigned_intP_unsigned_intM_back_31,
                            pset_all(pset_deref(SparseArray_back_a_0_9,
                                     pset_singleton(a_0_0))))))
                       and (JC_111:
                           not_assigns(intP_val_29_alloc_table,
                           intP_intM_val_29@, intP_intM_val_29,
                           pset_range(pset_deref(SparseArray_val_a_0_9,
                                      pset_singleton(a_0_0)),
                           integer_of_uint32(i_0), integer_of_uint32(i_0)))))
                      and (JC_112:
                          not_assigns(SparseArray_a_0_9_alloc_table,
                          SparseArray_n_1_a_0_9@, SparseArray_n_1_a_0_9,
                          pset_singleton(a_0_0))))))) }

parameter set_requires :
 a_0_0:SparseArray pointer ->
  i_0:uint32 ->
   v:int32 ->
    SparseArray_n_1_a_0_9:(SparseArray, uint32) memory ref ->
     intP_intM_val_29:(intP, int32) memory ref ->
      unsigned_intP_unsigned_intM_back_31:(unsigned_intP, uint32) memory ref ->
       unsigned_intP_unsigned_intM_idx_30:(unsigned_intP, uint32) memory ref ->
        unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table ->
         unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table ->
          intP_val_29_alloc_table:intP alloc_table ->
           SparseArray_a_0_9_alloc_table:SparseArray alloc_table ->
            SparseArray_sz_0_a_0_9:(SparseArray, uint32) memory ->
             SparseArray_back_a_0_9:(SparseArray, unsigned_intP pointer) memory ->
              SparseArray_idx_a_0_9:(SparseArray, unsigned_intP pointer) memory ->
               SparseArray_val_a_0_9:(SparseArray, intP pointer) memory ->
                { (JC_87:
                  ((JC_83:
                   le_int(offset_min(SparseArray_a_0_9_alloc_table, a_0_0),
                   (0)))
                  and ((JC_84:
                       ge_int(offset_max(SparseArray_a_0_9_alloc_table,
                              a_0_0),
                       (0)))
                      and ((JC_85:
                           inv(a_0_0, unsigned_intP_back_31_alloc_table,
                           unsigned_intP_idx_30_alloc_table,
                           intP_val_29_alloc_table,
                           SparseArray_a_0_9_alloc_table,
                           SparseArray_sz_0_a_0_9, SparseArray_n_1_a_0_9,
                           SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                           SparseArray_val_a_0_9,
                           unsigned_intP_unsigned_intM_back_31,
                           unsigned_intP_unsigned_intM_idx_30))
                          and (JC_86:
                              le_int(integer_of_uint32(i_0),
                              sub_int(integer_of_uint32(select(SparseArray_sz_0_a_0_9,
                                                        a_0_0)),
                              (1))))))))}
                unit
                reads SparseArray_n_1_a_0_9,intP_intM_val_29,unsigned_intP_unsigned_intM_back_31,unsigned_intP_unsigned_intM_idx_30
                writes SparseArray_n_1_a_0_9,intP_intM_val_29,unsigned_intP_unsigned_intM_back_31,unsigned_intP_unsigned_intM_idx_30
                { (JC_114:
                  ((JC_108:
                   ((JC_105:
                    inv(a_0_0, unsigned_intP_back_31_alloc_table,
                    unsigned_intP_idx_30_alloc_table,
                    intP_val_29_alloc_table, SparseArray_a_0_9_alloc_table,
                    SparseArray_sz_0_a_0_9, SparseArray_n_1_a_0_9,
                    SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                    SparseArray_val_a_0_9,
                    unsigned_intP_unsigned_intM_back_31,
                    unsigned_intP_unsigned_intM_idx_30))
                   and ((JC_106:
                        (model(a_0_0, integer_of_uint32(i_0),
                         SparseArray_n_1_a_0_9, SparseArray_back_a_0_9,
                         SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
                         intP_intM_val_29,
                         unsigned_intP_unsigned_intM_idx_30,
                         unsigned_intP_unsigned_intM_back_31) = integer_of_int32(v)))
                       and (JC_107:
                           (forall j_0:int.
                            ((j_0 <> integer_of_uint32(i_0)) ->
                             (model(a_0_0, j_0, SparseArray_n_1_a_0_9,
                              SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                              SparseArray_val_a_0_9, intP_intM_val_29,
                              unsigned_intP_unsigned_intM_idx_30,
                              unsigned_intP_unsigned_intM_back_31) = 
                             model(a_0_0, j_0, SparseArray_n_1_a_0_9@,
                             SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                             SparseArray_val_a_0_9, intP_intM_val_29@,
                             unsigned_intP_unsigned_intM_idx_30@,
                             unsigned_intP_unsigned_intM_back_31@))))))))
                  and (JC_113:
                      ((((JC_109:
                         not_assigns(unsigned_intP_idx_30_alloc_table,
                         unsigned_intP_unsigned_intM_idx_30@,
                         unsigned_intP_unsigned_intM_idx_30,
                         pset_all(pset_deref(SparseArray_idx_a_0_9,
                                  pset_singleton(a_0_0)))))
                        and (JC_110:
                            not_assigns(unsigned_intP_back_31_alloc_table,
                            unsigned_intP_unsigned_intM_back_31@,
                            unsigned_intP_unsigned_intM_back_31,
                            pset_all(pset_deref(SparseArray_back_a_0_9,
                                     pset_singleton(a_0_0))))))
                       and (JC_111:
                           not_assigns(intP_val_29_alloc_table,
                           intP_intM_val_29@, intP_intM_val_29,
                           pset_range(pset_deref(SparseArray_val_a_0_9,
                                      pset_singleton(a_0_0)),
                           integer_of_uint32(i_0), integer_of_uint32(i_0)))))
                      and (JC_112:
                          not_assigns(SparseArray_a_0_9_alloc_table,
                          SparseArray_n_1_a_0_9@, SparseArray_n_1_a_0_9,
                          pset_singleton(a_0_0))))))) }

parameter uint32_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (4294967295)))} uint32
  { eq_int(integer_of_uint32(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let create_ensures_default =
 fun (sz : uint32) (SparseArray_result_6_alloc_table : SparseArray alloc_table ref) (intP_val_20_alloc_table : intP alloc_table ref) (unsigned_intP_idx_22_alloc_table : unsigned_intP alloc_table ref) (unsigned_intP_back_24_alloc_table : unsigned_intP alloc_table ref) (unsigned_intP_back_24_tag_table : unsigned_intP tag_table ref) (unsigned_intP_idx_22_tag_table : unsigned_intP tag_table ref) (intP_val_20_tag_table : intP tag_table ref) (SparseArray_result_6_tag_table : SparseArray tag_table ref) (SparseArray_val_result_6 : (SparseArray, intP pointer) memory ref) (SparseArray_idx_result_6 : (SparseArray, unsigned_intP pointer) memory ref) (SparseArray_back_result_6 : (SparseArray, unsigned_intP pointer) memory ref) (SparseArray_n_1_result_6 : (SparseArray, uint32) memory ref) (SparseArray_sz_0_result_6 : (SparseArray, uint32) memory ref) (unsigned_intP_unsigned_intM_idx_22 : (unsigned_intP, uint32) memory) (unsigned_intP_unsigned_intM_back_24 : (unsigned_intP, uint32) memory) (intP_intM_val_20 : (intP, int32) memory) ->
  { (JC_13: ge_int(integer_of_uint32(sz), (0))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let a_1_1 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (a_1_1 := (JC_50:
                 (((alloc_struct_SparseArray (1)) SparseArray_result_6_alloc_table) SparseArray_result_6_tag_table))) in
       void);
      (let _jessie_ =
      (JC_51:
      (((alloc_struct_intP (integer_of_uint32 sz)) intP_val_20_alloc_table) intP_val_20_tag_table)) in
      (let _jessie_ = !a_1_1 in
      (((safe_upd_ SparseArray_val_result_6) _jessie_) _jessie_)));
      (let _jessie_ =
      (JC_52:
      (((alloc_struct_unsigned_intP (integer_of_uint32 sz)) unsigned_intP_idx_22_alloc_table) unsigned_intP_idx_22_tag_table)) in
      (let _jessie_ = !a_1_1 in
      (((safe_upd_ SparseArray_idx_result_6) _jessie_) _jessie_)));
      (let _jessie_ =
      (JC_53:
      (((alloc_struct_unsigned_intP (integer_of_uint32 sz)) unsigned_intP_back_24_alloc_table) unsigned_intP_back_24_tag_table)) in
      (let _jessie_ = !a_1_1 in
      (((safe_upd_ SparseArray_back_result_6) _jessie_) _jessie_)));
      (let _jessie_ = (safe_uint32_of_integer_ (0)) in
      (let _jessie_ = !a_1_1 in
      (((safe_upd_ SparseArray_n_1_result_6) _jessie_) _jessie_)));
      (let _jessie_ = sz in
      (let _jessie_ = !a_1_1 in
      (((safe_upd_ SparseArray_sz_0_result_6) _jessie_) _jessie_)));
      (return := !a_1_1); (raise Return) end); absurd  end with Return ->
   !return end))
  { (JC_26:
    ((JC_19:
     ((JC_15: (not valid(SparseArray_result_6_alloc_table@, result)))
     and ((JC_16:
          inv(result, unsigned_intP_back_24_alloc_table,
          unsigned_intP_idx_22_alloc_table, intP_val_20_alloc_table,
          SparseArray_result_6_alloc_table, SparseArray_sz_0_result_6,
          SparseArray_n_1_result_6, SparseArray_back_result_6,
          SparseArray_idx_result_6, SparseArray_val_result_6,
          unsigned_intP_unsigned_intM_back_24,
          unsigned_intP_unsigned_intM_idx_22))
         and ((JC_17:
              (integer_of_uint32(select(SparseArray_sz_0_result_6, result)) = 
              integer_of_uint32(sz)))
             and (JC_18:
                 (forall i_6:int.
                  (model(result, i_6, SparseArray_n_1_result_6,
                   SparseArray_back_result_6, SparseArray_idx_result_6,
                   SparseArray_val_result_6, intP_intM_val_20,
                   unsigned_intP_unsigned_intM_idx_22,
                   unsigned_intP_unsigned_intM_back_24) = (0))))))))
    and (JC_25:
        (((((JC_20:
            not_assigns(SparseArray_result_6_alloc_table@,
            SparseArray_val_result_6@, SparseArray_val_result_6, pset_empty))
           and (JC_21:
               not_assigns(SparseArray_result_6_alloc_table@,
               SparseArray_idx_result_6@, SparseArray_idx_result_6,
               pset_empty)))
          and (JC_22:
              not_assigns(SparseArray_result_6_alloc_table@,
              SparseArray_back_result_6@, SparseArray_back_result_6,
              pset_empty)))
         and (JC_23:
             not_assigns(SparseArray_result_6_alloc_table@,
             SparseArray_n_1_result_6@, SparseArray_n_1_result_6, pset_empty)))
        and (JC_24:
            not_assigns(SparseArray_result_6_alloc_table@,
            SparseArray_sz_0_result_6@, SparseArray_sz_0_result_6,
            pset_empty)))))) }

let create_safety =
 fun (sz : uint32) (SparseArray_result_6_alloc_table : SparseArray alloc_table ref) (intP_val_20_alloc_table : intP alloc_table ref) (unsigned_intP_idx_22_alloc_table : unsigned_intP alloc_table ref) (unsigned_intP_back_24_alloc_table : unsigned_intP alloc_table ref) (unsigned_intP_back_24_tag_table : unsigned_intP tag_table ref) (unsigned_intP_idx_22_tag_table : unsigned_intP tag_table ref) (intP_val_20_tag_table : intP tag_table ref) (SparseArray_result_6_tag_table : SparseArray tag_table ref) (SparseArray_val_result_6 : (SparseArray, intP pointer) memory ref) (SparseArray_idx_result_6 : (SparseArray, unsigned_intP pointer) memory ref) (SparseArray_back_result_6 : (SparseArray, unsigned_intP pointer) memory ref) (SparseArray_n_1_result_6 : (SparseArray, uint32) memory ref) (SparseArray_sz_0_result_6 : (SparseArray, uint32) memory ref) (unsigned_intP_unsigned_intM_idx_22 : (unsigned_intP, uint32) memory) (unsigned_intP_unsigned_intM_back_24 : (unsigned_intP, uint32) memory) (intP_intM_val_20 : (intP, int32) memory) ->
  { (JC_13: ge_int(integer_of_uint32(sz), (0))) }
  (init:
  (let return = ref (any_pointer void) in
  try
   begin
     (let a_1_1 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (a_1_1 := (JC_41:
                 (((alloc_struct_SparseArray_requires (1)) SparseArray_result_6_alloc_table) SparseArray_result_6_tag_table))) in
       void);
      (let _jessie_ =
      (JC_42:
      (((alloc_struct_intP_requires (integer_of_uint32 sz)) intP_val_20_alloc_table) intP_val_20_tag_table)) in
      (let _jessie_ = !a_1_1 in
      (JC_45:
      ((((upd_ !SparseArray_result_6_alloc_table) SparseArray_val_result_6) _jessie_) _jessie_))));
      (let _jessie_ =
      (JC_43:
      (((alloc_struct_unsigned_intP_requires (integer_of_uint32 sz)) unsigned_intP_idx_22_alloc_table) unsigned_intP_idx_22_tag_table)) in
      (let _jessie_ = !a_1_1 in
      (JC_46:
      ((((upd_ !SparseArray_result_6_alloc_table) SparseArray_idx_result_6) _jessie_) _jessie_))));
      (let _jessie_ =
      (JC_44:
      (((alloc_struct_unsigned_intP_requires (integer_of_uint32 sz)) unsigned_intP_back_24_alloc_table) unsigned_intP_back_24_tag_table)) in
      (let _jessie_ = !a_1_1 in
      (JC_47:
      ((((upd_ !SparseArray_result_6_alloc_table) SparseArray_back_result_6) _jessie_) _jessie_))));
      (let _jessie_ = (safe_uint32_of_integer_ (0)) in
      (let _jessie_ = !a_1_1 in
      (JC_48:
      ((((upd_ !SparseArray_result_6_alloc_table) SparseArray_n_1_result_6) _jessie_) _jessie_))));
      (let _jessie_ = sz in
      (let _jessie_ = !a_1_1 in
      (JC_49:
      ((((upd_ !SparseArray_result_6_alloc_table) SparseArray_sz_0_result_6) _jessie_) _jessie_))));
      (return := !a_1_1); (raise Return) end); absurd  end with Return ->
   !return end)) { true }

let get_ensures_default =
 fun (a_1 : SparseArray pointer) (i : uint32) (SparseArray_a_8_alloc_table : SparseArray alloc_table) (intP_val_28_alloc_table : intP alloc_table) (unsigned_intP_idx_26_alloc_table : unsigned_intP alloc_table) (unsigned_intP_back_27_alloc_table : unsigned_intP alloc_table) (unsigned_intP_unsigned_intM_idx_26 : (unsigned_intP, uint32) memory) (unsigned_intP_unsigned_intM_back_27 : (unsigned_intP, uint32) memory) (intP_intM_val_28 : (intP, int32) memory) (SparseArray_val_a_8 : (SparseArray, intP pointer) memory) (SparseArray_idx_a_8 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_back_a_8 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_n_1_a_8 : (SparseArray, uint32) memory) (SparseArray_sz_0_a_8 : (SparseArray, uint32) memory) ->
  { (JC_64:
    ((JC_60: le_int(offset_min(SparseArray_a_8_alloc_table, a_1), (0)))
    and ((JC_61: ge_int(offset_max(SparseArray_a_8_alloc_table, a_1), (0)))
        and ((JC_62:
             inv(a_1, unsigned_intP_back_27_alloc_table,
             unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
             SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8,
             SparseArray_n_1_a_8, SparseArray_back_a_8, SparseArray_idx_a_8,
             SparseArray_val_a_8, unsigned_intP_unsigned_intM_back_27,
             unsigned_intP_unsigned_intM_idx_26))
            and (JC_63:
                le_int(integer_of_uint32(i),
                sub_int(integer_of_uint32(select(SparseArray_sz_0_a_8, a_1)),
                (1)))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     begin
       (assert
       { (JC_82:
         le_int((0),
         integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
                           shift(select(SparseArray_idx_a_8, a_1),
                           integer_of_uint32(i)))))) }; void); void;
      try
       begin
         (if ((lt_int_ (integer_of_uint32 ((safe_acc_ unsigned_intP_unsigned_intM_idx_26) 
                                           ((shift ((safe_acc_ SparseArray_idx_a_8) a_1)) 
                                            (integer_of_uint32 i))))) 
              (integer_of_uint32 ((safe_acc_ SparseArray_n_1_a_8) a_1)))
         then
          (if ((eq_int_ (integer_of_uint32 ((safe_acc_ unsigned_intP_unsigned_intM_back_27) 
                                            ((shift ((safe_acc_ SparseArray_back_a_8) a_1)) 
                                             (integer_of_uint32 ((safe_acc_ unsigned_intP_unsigned_intM_idx_26) 
                                                                 ((shift 
                                                                   ((safe_acc_ SparseArray_idx_a_8) a_1)) 
                                                                  (integer_of_uint32 i)))))))) 
               (integer_of_uint32 i))
          then
           begin
             (let _jessie_ =
             (__retres := ((safe_acc_ intP_intM_val_28) ((shift ((safe_acc_ SparseArray_val_a_8) a_1)) 
                                                         (integer_of_uint32 i)))) in
             void); (raise (Return_label_exc void)) end
          else
           begin
             (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in
             void); (raise (Return_label_exc void)) end)
         else
          begin
            (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in
            void); (raise (Return_label_exc void)) end);
        (raise (Return_label_exc void)) end with
       Return_label_exc _jessie_ ->
       (return_label: begin   (return := !__retres); (raise Return) end) end
     end); absurd  end with Return -> !return end))
  { (JC_66:
    (integer_of_int32(result) = model(a_1, integer_of_uint32(i),
                                SparseArray_n_1_a_8, SparseArray_back_a_8,
                                SparseArray_idx_a_8, SparseArray_val_a_8,
                                intP_intM_val_28,
                                unsigned_intP_unsigned_intM_idx_26,
                                unsigned_intP_unsigned_intM_back_27))) }

let get_safety =
 fun (a_1 : SparseArray pointer) (i : uint32) (SparseArray_a_8_alloc_table : SparseArray alloc_table) (intP_val_28_alloc_table : intP alloc_table) (unsigned_intP_idx_26_alloc_table : unsigned_intP alloc_table) (unsigned_intP_back_27_alloc_table : unsigned_intP alloc_table) (unsigned_intP_unsigned_intM_idx_26 : (unsigned_intP, uint32) memory) (unsigned_intP_unsigned_intM_back_27 : (unsigned_intP, uint32) memory) (intP_intM_val_28 : (intP, int32) memory) (SparseArray_val_a_8 : (SparseArray, intP pointer) memory) (SparseArray_idx_a_8 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_back_a_8 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_n_1_a_8 : (SparseArray, uint32) memory) (SparseArray_sz_0_a_8 : (SparseArray, uint32) memory) ->
  { (JC_64:
    ((JC_60: le_int(offset_min(SparseArray_a_8_alloc_table, a_1), (0)))
    and ((JC_61: ge_int(offset_max(SparseArray_a_8_alloc_table, a_1), (0)))
        and ((JC_62:
             inv(a_1, unsigned_intP_back_27_alloc_table,
             unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
             SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8,
             SparseArray_n_1_a_8, SparseArray_back_a_8, SparseArray_idx_a_8,
             SparseArray_val_a_8, unsigned_intP_unsigned_intM_back_27,
             unsigned_intP_unsigned_intM_idx_26))
            and (JC_63:
                le_int(integer_of_uint32(i),
                sub_int(integer_of_uint32(select(SparseArray_sz_0_a_8, a_1)),
                (1)))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     begin
       [ { } unit
         { (JC_72:
           le_int((0),
           integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
                             shift(select(SparseArray_idx_a_8, a_1),
                             integer_of_uint32(i)))))) } ]; void;
      try
       begin
         (if ((lt_int_ (integer_of_uint32 (JC_74:
                                          ((((offset_acc_ unsigned_intP_idx_26_alloc_table) unsigned_intP_unsigned_intM_idx_26) 
                                            (JC_73:
                                            (((acc_ SparseArray_a_8_alloc_table) SparseArray_idx_a_8) a_1))) 
                                           (integer_of_uint32 i))))) 
              (integer_of_uint32 (JC_75:
                                 (((acc_ SparseArray_a_8_alloc_table) SparseArray_n_1_a_8) a_1))))
         then
          (if ((eq_int_ (integer_of_uint32 (JC_79:
                                           ((((offset_acc_ unsigned_intP_back_27_alloc_table) unsigned_intP_unsigned_intM_back_27) 
                                             (JC_78:
                                             (((acc_ SparseArray_a_8_alloc_table) SparseArray_back_a_8) a_1))) 
                                            (integer_of_uint32 (JC_77:
                                                               ((((offset_acc_ unsigned_intP_idx_26_alloc_table) unsigned_intP_unsigned_intM_idx_26) 
                                                                 (JC_76:
                                                                 (((acc_ SparseArray_a_8_alloc_table) SparseArray_idx_a_8) a_1))) 
                                                                (integer_of_uint32 i)))))))) 
               (integer_of_uint32 i))
          then
           begin
             (let _jessie_ =
             (__retres := (JC_81:
                          ((((offset_acc_ intP_val_28_alloc_table) intP_intM_val_28) 
                            (JC_80:
                            (((acc_ SparseArray_a_8_alloc_table) SparseArray_val_a_8) a_1))) 
                           (integer_of_uint32 i)))) in void);
            (raise (Return_label_exc void)) end
          else
           begin
             (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in
             void); (raise (Return_label_exc void)) end)
         else
          begin
            (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in
            void); (raise (Return_label_exc void)) end);
        (raise (Return_label_exc void)) end with
       Return_label_exc _jessie_ ->
       (return_label: begin   (return := !__retres); (raise Return) end) end
     end); absurd  end with Return -> !return end)) { true }

let main_ensures_default =
 fun (tt : unit) ->
  { (JC_140: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let SparseArray_sz_0_b_33 = ref (any_memory void) in
     (let SparseArray_sz_0_a_2_32 = ref (any_memory void) in
     (let SparseArray_n_1_b_33 = ref (any_memory void) in
     (let SparseArray_n_1_a_2_32 = ref (any_memory void) in
     (let SparseArray_back_b_33 = ref (any_memory void) in
     (let SparseArray_back_a_2_32 = ref (any_memory void) in
     (let SparseArray_idx_b_33 = ref (any_memory void) in
     (let SparseArray_idx_a_2_32 = ref (any_memory void) in
     (let SparseArray_val_b_33 = ref (any_memory void) in
     (let SparseArray_val_a_2_32 = ref (any_memory void) in
     (let intP_intM_val_146 = ref (any_memory void) in
     (let intP_intM_val_142 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_idx_148 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_back_147 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_idx_144 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_back_143 = ref (any_memory void) in
     (let SparseArray_a_2_32_tag_table = ref (any_tag_table void) in
     (let SparseArray_b_33_tag_table = ref (any_tag_table void) in
     (let intP_val_142_tag_table = ref (any_tag_table void) in
     (let intP_val_146_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_back_143_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_idx_144_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_back_147_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_idx_148_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_idx_148_alloc_table = ref (any_alloc_table void) in
     (let unsigned_intP_back_147_alloc_table = ref (any_alloc_table void) in
     (let unsigned_intP_idx_144_alloc_table = ref (any_alloc_table void) in
     (let unsigned_intP_back_143_alloc_table = ref (any_alloc_table void) in
     (let intP_val_146_alloc_table = ref (any_alloc_table void) in
     (let intP_val_142_alloc_table = ref (any_alloc_table void) in
     (let SparseArray_b_33_alloc_table = ref (any_alloc_table void) in
     (let SparseArray_a_2_32_alloc_table = ref (any_alloc_table void) in
     (let a_2_0 = ref (any_pointer void) in
     (let b = ref (any_pointer void) in
     (let x_0 = ref (any_int32 void) in
     (let y = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (a_2_0 := (let _jessie_ = (safe_uint32_of_integer_ (10)) in
                 (JC_158:
                 (((((((((((((((((create _jessie_) unsigned_intP_back_143_alloc_table) unsigned_intP_idx_144_alloc_table) intP_val_142_alloc_table) SparseArray_a_2_32_alloc_table) unsigned_intP_back_143_tag_table) unsigned_intP_idx_144_tag_table) intP_val_142_tag_table) SparseArray_a_2_32_tag_table) SparseArray_sz_0_a_2_32) SparseArray_n_1_a_2_32) SparseArray_back_a_2_32) SparseArray_idx_a_2_32) SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144)))) in
       void);
      (let _jessie_ =
      (b := (let _jessie_ = (safe_uint32_of_integer_ (20)) in
            (JC_159:
            (((((((((((((((((create _jessie_) unsigned_intP_back_147_alloc_table) unsigned_intP_idx_148_alloc_table) intP_val_146_alloc_table) SparseArray_b_33_alloc_table) unsigned_intP_back_147_tag_table) unsigned_intP_idx_148_tag_table) intP_val_146_tag_table) SparseArray_b_33_tag_table) SparseArray_sz_0_b_33) SparseArray_n_1_b_33) SparseArray_back_b_33) SparseArray_idx_b_33) SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148)))) in
      void);
      (let _jessie_ =
      (x_0 := (let _jessie_ = !a_2_0 in
              (let _jessie_ = (safe_uint32_of_integer_ (5)) in
              (JC_160:
              ((((((((((((((get _jessie_) _jessie_) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_n_1_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144))))) in
      void);
      (let _jessie_ =
      (y := (let _jessie_ = !b in
            (let _jessie_ = (safe_uint32_of_integer_ (7)) in
            (JC_161:
            ((((((((((((((get _jessie_) _jessie_) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_n_1_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148))))) in
      void);
      (assert
      { (JC_162:
        ((integer_of_int32(x_0) = (0)) and (integer_of_int32(y) = (0)))) };
      void); void;
      (let _jessie_ = !a_2_0 in
      (let _jessie_ = (safe_uint32_of_integer_ (5)) in
      (let _jessie_ = (safe_int32_of_integer_ (1)) in
      (JC_163:
      (((((((((((((((set _jessie_) _jessie_) _jessie_) SparseArray_n_1_a_2_32) intP_intM_val_142) unsigned_intP_unsigned_intM_back_143) unsigned_intP_unsigned_intM_idx_144) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32)))));
      (let _jessie_ = !b in
      (let _jessie_ = (safe_uint32_of_integer_ (7)) in
      (let _jessie_ = (safe_int32_of_integer_ (2)) in
      (JC_164:
      (((((((((((((((set _jessie_) _jessie_) _jessie_) SparseArray_n_1_b_33) intP_intM_val_146) unsigned_intP_unsigned_intM_back_147) unsigned_intP_unsigned_intM_idx_148) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33)))));
      (let _jessie_ =
      (x_0 := (let _jessie_ = !a_2_0 in
              (let _jessie_ = (safe_uint32_of_integer_ (5)) in
              (JC_165:
              ((((((((((((((get _jessie_) _jessie_) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_n_1_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144))))) in
      void);
      (let _jessie_ =
      (y := (let _jessie_ = !b in
            (let _jessie_ = (safe_uint32_of_integer_ (7)) in
            (JC_166:
            ((((((((((((((get _jessie_) _jessie_) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_n_1_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148))))) in
      void);
      (assert
      { (JC_167:
        ((integer_of_int32(x_0) = (1)) and (integer_of_int32(y) = (2)))) };
      void); void;
      (let _jessie_ =
      (x_0 := (let _jessie_ = !a_2_0 in
              (let _jessie_ = (safe_uint32_of_integer_ (0)) in
              (JC_168:
              ((((((((((((((get _jessie_) _jessie_) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_n_1_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144))))) in
      void);
      (let _jessie_ =
      (y := (let _jessie_ = !b in
            (let _jessie_ = (safe_uint32_of_integer_ (0)) in
            (JC_169:
            ((((((((((((((get _jessie_) _jessie_) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_n_1_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148))))) in
      void);
      (assert
      { (JC_170:
        ((integer_of_int32(x_0) = (0)) and (integer_of_int32(y) = (0)))) };
      void); void;
      (let _jessie_ = (__retres_0 := (safe_int32_of_integer_ (0))) in
      void); (return := !__retres_0); (raise Return) end)))))))))))))))))))))))))))))))))))));
    absurd  end with Return -> !return end)) { (JC_141: true) }

let main_safety =
 fun (tt : unit) ->
  { (JC_140: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let SparseArray_sz_0_b_33 = ref (any_memory void) in
     (let SparseArray_sz_0_a_2_32 = ref (any_memory void) in
     (let SparseArray_n_1_b_33 = ref (any_memory void) in
     (let SparseArray_n_1_a_2_32 = ref (any_memory void) in
     (let SparseArray_back_b_33 = ref (any_memory void) in
     (let SparseArray_back_a_2_32 = ref (any_memory void) in
     (let SparseArray_idx_b_33 = ref (any_memory void) in
     (let SparseArray_idx_a_2_32 = ref (any_memory void) in
     (let SparseArray_val_b_33 = ref (any_memory void) in
     (let SparseArray_val_a_2_32 = ref (any_memory void) in
     (let intP_intM_val_146 = ref (any_memory void) in
     (let intP_intM_val_142 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_idx_148 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_back_147 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_idx_144 = ref (any_memory void) in
     (let unsigned_intP_unsigned_intM_back_143 = ref (any_memory void) in
     (let SparseArray_a_2_32_tag_table = ref (any_tag_table void) in
     (let SparseArray_b_33_tag_table = ref (any_tag_table void) in
     (let intP_val_142_tag_table = ref (any_tag_table void) in
     (let intP_val_146_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_back_143_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_idx_144_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_back_147_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_idx_148_tag_table = ref (any_tag_table void) in
     (let unsigned_intP_idx_148_alloc_table = ref (any_alloc_table void) in
     (let unsigned_intP_back_147_alloc_table = ref (any_alloc_table void) in
     (let unsigned_intP_idx_144_alloc_table = ref (any_alloc_table void) in
     (let unsigned_intP_back_143_alloc_table = ref (any_alloc_table void) in
     (let intP_val_146_alloc_table = ref (any_alloc_table void) in
     (let intP_val_142_alloc_table = ref (any_alloc_table void) in
     (let SparseArray_b_33_alloc_table = ref (any_alloc_table void) in
     (let SparseArray_a_2_32_alloc_table = ref (any_alloc_table void) in
     (let a_2_0 = ref (any_pointer void) in
     (let b = ref (any_pointer void) in
     (let x_0 = ref (any_int32 void) in
     (let y = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (a_2_0 := (let _jessie_ = (safe_uint32_of_integer_ (10)) in
                 (JC_145:
                 (((((((((((((((((create_requires _jessie_) unsigned_intP_back_143_alloc_table) unsigned_intP_idx_144_alloc_table) intP_val_142_alloc_table) SparseArray_a_2_32_alloc_table) unsigned_intP_back_143_tag_table) unsigned_intP_idx_144_tag_table) intP_val_142_tag_table) SparseArray_a_2_32_tag_table) SparseArray_sz_0_a_2_32) SparseArray_n_1_a_2_32) SparseArray_back_a_2_32) SparseArray_idx_a_2_32) SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144)))) in
       void);
      (let _jessie_ =
      (b := (let _jessie_ = (safe_uint32_of_integer_ (20)) in
            (JC_146:
            (((((((((((((((((create_requires _jessie_) unsigned_intP_back_147_alloc_table) unsigned_intP_idx_148_alloc_table) intP_val_146_alloc_table) SparseArray_b_33_alloc_table) unsigned_intP_back_147_tag_table) unsigned_intP_idx_148_tag_table) intP_val_146_tag_table) SparseArray_b_33_tag_table) SparseArray_sz_0_b_33) SparseArray_n_1_b_33) SparseArray_back_b_33) SparseArray_idx_b_33) SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148)))) in
      void);
      (let _jessie_ =
      (x_0 := (let _jessie_ = !a_2_0 in
              (let _jessie_ = (safe_uint32_of_integer_ (5)) in
              (JC_147:
              ((((((((((((((get_requires _jessie_) _jessie_) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_n_1_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144))))) in
      void);
      (let _jessie_ =
      (y := (let _jessie_ = !b in
            (let _jessie_ = (safe_uint32_of_integer_ (7)) in
            (JC_148:
            ((((((((((((((get_requires _jessie_) _jessie_) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_n_1_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148))))) in
      void);
      [ { } unit reads x_0,y
        { (JC_149:
          ((integer_of_int32(x_0) = (0)) and (integer_of_int32(y) = (0)))) } ];
      void;
      (let _jessie_ = !a_2_0 in
      (let _jessie_ = (safe_uint32_of_integer_ (5)) in
      (let _jessie_ = (safe_int32_of_integer_ (1)) in
      (JC_150:
      (((((((((((((((set_requires _jessie_) _jessie_) _jessie_) SparseArray_n_1_a_2_32) intP_intM_val_142) unsigned_intP_unsigned_intM_back_143) unsigned_intP_unsigned_intM_idx_144) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32)))));
      (let _jessie_ = !b in
      (let _jessie_ = (safe_uint32_of_integer_ (7)) in
      (let _jessie_ = (safe_int32_of_integer_ (2)) in
      (JC_151:
      (((((((((((((((set_requires _jessie_) _jessie_) _jessie_) SparseArray_n_1_b_33) intP_intM_val_146) unsigned_intP_unsigned_intM_back_147) unsigned_intP_unsigned_intM_idx_148) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33)))));
      (let _jessie_ =
      (x_0 := (let _jessie_ = !a_2_0 in
              (let _jessie_ = (safe_uint32_of_integer_ (5)) in
              (JC_152:
              ((((((((((((((get_requires _jessie_) _jessie_) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_n_1_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144))))) in
      void);
      (let _jessie_ =
      (y := (let _jessie_ = !b in
            (let _jessie_ = (safe_uint32_of_integer_ (7)) in
            (JC_153:
            ((((((((((((((get_requires _jessie_) _jessie_) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_n_1_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148))))) in
      void);
      [ { } unit reads x_0,y
        { (JC_154:
          ((integer_of_int32(x_0) = (1)) and (integer_of_int32(y) = (2)))) } ];
      void;
      (let _jessie_ =
      (x_0 := (let _jessie_ = !a_2_0 in
              (let _jessie_ = (safe_uint32_of_integer_ (0)) in
              (JC_155:
              ((((((((((((((get_requires _jessie_) _jessie_) !unsigned_intP_back_143_alloc_table) !unsigned_intP_idx_144_alloc_table) !intP_val_142_alloc_table) !SparseArray_a_2_32_alloc_table) !SparseArray_sz_0_a_2_32) !SparseArray_n_1_a_2_32) !SparseArray_back_a_2_32) !SparseArray_idx_a_2_32) !SparseArray_val_a_2_32) !intP_intM_val_142) !unsigned_intP_unsigned_intM_back_143) !unsigned_intP_unsigned_intM_idx_144))))) in
      void);
      (let _jessie_ =
      (y := (let _jessie_ = !b in
            (let _jessie_ = (safe_uint32_of_integer_ (0)) in
            (JC_156:
            ((((((((((((((get_requires _jessie_) _jessie_) !unsigned_intP_back_147_alloc_table) !unsigned_intP_idx_148_alloc_table) !intP_val_146_alloc_table) !SparseArray_b_33_alloc_table) !SparseArray_sz_0_b_33) !SparseArray_n_1_b_33) !SparseArray_back_b_33) !SparseArray_idx_b_33) !SparseArray_val_b_33) !intP_intM_val_146) !unsigned_intP_unsigned_intM_back_147) !unsigned_intP_unsigned_intM_idx_148))))) in
      void);
      [ { } unit reads x_0,y
        { (JC_157:
          ((integer_of_int32(x_0) = (0)) and (integer_of_int32(y) = (0)))) } ];
      void;
      (let _jessie_ = (__retres_0 := (safe_int32_of_integer_ (0))) in
      void); (return := !__retres_0); (raise Return) end)))))))))))))))))))))))))))))))))))));
    absurd  end with Return -> !return end)) { true }

let set_ensures_default =
 fun (a_0_0 : SparseArray pointer) (i_0 : uint32) (v : int32) (unsigned_intP_unsigned_intM_idx_30 : (unsigned_intP, uint32) memory ref) (unsigned_intP_unsigned_intM_back_31 : (unsigned_intP, uint32) memory ref) (intP_intM_val_29 : (intP, int32) memory ref) (SparseArray_n_1_a_0_9 : (SparseArray, uint32) memory ref) (SparseArray_a_0_9_alloc_table : SparseArray alloc_table) (intP_val_29_alloc_table : intP alloc_table) (unsigned_intP_idx_30_alloc_table : unsigned_intP alloc_table) (unsigned_intP_back_31_alloc_table : unsigned_intP alloc_table) (SparseArray_val_a_0_9 : (SparseArray, intP pointer) memory) (SparseArray_idx_a_0_9 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_back_a_0_9 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_sz_0_a_0_9 : (SparseArray, uint32) memory) ->
  { (JC_93:
    ((JC_89: le_int(offset_min(SparseArray_a_0_9_alloc_table, a_0_0), (0)))
    and ((JC_90:
         ge_int(offset_max(SparseArray_a_0_9_alloc_table, a_0_0), (0)))
        and ((JC_91:
             inv(a_0_0, unsigned_intP_back_31_alloc_table,
             unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
             SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
             SparseArray_n_1_a_0_9, SparseArray_back_a_0_9,
             SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
             unsigned_intP_unsigned_intM_back_31,
             unsigned_intP_unsigned_intM_idx_30))
            and (JC_92:
                le_int(integer_of_uint32(i_0),
                sub_int(integer_of_uint32(select(SparseArray_sz_0_a_0_9,
                                          a_0_0)),
                (1)))))))) }
  (init:
  try
   begin
     try
      begin
        try
         begin
           (let _jessie_ =
           (let _jessie_ = v in
           (let _jessie_ = ((safe_acc_ SparseArray_val_a_0_9) a_0_0) in
           (let _jessie_ = (integer_of_uint32 i_0) in
           (let _jessie_ = ((shift _jessie_) _jessie_) in
           (((safe_upd_ intP_intM_val_29) _jessie_) _jessie_))))) in
           void);
          (if ((lt_int_ (integer_of_uint32 ((safe_acc_ !unsigned_intP_unsigned_intM_idx_30) 
                                            ((shift ((safe_acc_ SparseArray_idx_a_0_9) a_0_0)) 
                                             (integer_of_uint32 i_0))))) 
               (integer_of_uint32 ((safe_acc_ !SparseArray_n_1_a_0_9) a_0_0)))
          then
           (if ((eq_int_ (integer_of_uint32 ((safe_acc_ !unsigned_intP_unsigned_intM_back_31) 
                                             ((shift ((safe_acc_ SparseArray_back_a_0_9) a_0_0)) 
                                              (integer_of_uint32 ((safe_acc_ !unsigned_intP_unsigned_intM_idx_30) 
                                                                  ((shift 
                                                                    ((safe_acc_ SparseArray_idx_a_0_9) a_0_0)) 
                                                                   (integer_of_uint32 i_0)))))))) 
                (integer_of_uint32 i_0)) then void
           else (raise (Goto__LAND_exc void)))
          else (raise (Goto__LAND_exc void)));
          (raise (Goto__LAND_0_exc void)); (raise (Goto__LAND_exc void)) end
         with Goto__LAND_exc _jessie_ ->
         (let _jessie_ =
         begin
           (assert
           { (JC_136:
             lt_int(integer_of_uint32(select(SparseArray_n_1_a_0_9, a_0_0)),
             integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) };
           void); void;
          (let _jessie_ =
          (let _jessie_ = ((safe_acc_ !SparseArray_n_1_a_0_9) a_0_0) in
          (let _jessie_ = ((safe_acc_ SparseArray_idx_a_0_9) a_0_0) in
          (let _jessie_ = (integer_of_uint32 i_0) in
          (let _jessie_ = ((shift _jessie_) _jessie_) in
          (((safe_upd_ unsigned_intP_unsigned_intM_idx_30) _jessie_) _jessie_))))) in
          void);
          (let _jessie_ =
          (let _jessie_ = i_0 in
          (let _jessie_ = ((safe_acc_ SparseArray_back_a_0_9) a_0_0) in
          (let _jessie_ =
          (integer_of_uint32 ((safe_acc_ !SparseArray_n_1_a_0_9) a_0_0)) in
          (let _jessie_ = ((shift _jessie_) _jessie_) in
          (((safe_upd_ unsigned_intP_unsigned_intM_back_31) _jessie_) _jessie_))))) in
          void);
          (let _jessie_ =
          (safe_uint32_of_integer_ ((add_int (integer_of_uint32 ((safe_acc_ !SparseArray_n_1_a_0_9) a_0_0))) (1))) in
          begin
            (let _jessie_ = a_0_0 in
            (((safe_upd_ SparseArray_n_1_a_0_9) _jessie_) _jessie_));
           _jessie_ end) end in void) end; (raise (Goto__LAND_0_exc void))
      end with Goto__LAND_0_exc _jessie_ ->
      begin   void; (raise Return) end end; (raise Return) end with Return ->
   void end)
  { (JC_104:
    ((JC_98:
     ((JC_95:
      inv(a_0_0, unsigned_intP_back_31_alloc_table,
      unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
      SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
      SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
      SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
      unsigned_intP_unsigned_intM_idx_30))
     and ((JC_96:
          (model(a_0_0, integer_of_uint32(i_0), SparseArray_n_1_a_0_9,
           SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
           SparseArray_val_a_0_9, intP_intM_val_29,
           unsigned_intP_unsigned_intM_idx_30,
           unsigned_intP_unsigned_intM_back_31) = integer_of_int32(v)))
         and (JC_97:
             (forall j_0:int.
              ((j_0 <> integer_of_uint32(i_0)) ->
               (model(a_0_0, j_0, SparseArray_n_1_a_0_9,
                SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
                SparseArray_val_a_0_9, intP_intM_val_29,
                unsigned_intP_unsigned_intM_idx_30,
                unsigned_intP_unsigned_intM_back_31) = model(a_0_0, j_0,
                                                       SparseArray_n_1_a_0_9@,
                                                       SparseArray_back_a_0_9,
                                                       SparseArray_idx_a_0_9,
                                                       SparseArray_val_a_0_9,
                                                       intP_intM_val_29@,
                                                       unsigned_intP_unsigned_intM_idx_30@,
                                                       unsigned_intP_unsigned_intM_back_31@))))))))
    and (JC_103:
        ((((JC_99:
           not_assigns(unsigned_intP_idx_30_alloc_table,
           unsigned_intP_unsigned_intM_idx_30@,
           unsigned_intP_unsigned_intM_idx_30,
           pset_all(pset_deref(SparseArray_idx_a_0_9, pset_singleton(a_0_0)))))
          and (JC_100:
              not_assigns(unsigned_intP_back_31_alloc_table,
              unsigned_intP_unsigned_intM_back_31@,
              unsigned_intP_unsigned_intM_back_31,
              pset_all(pset_deref(SparseArray_back_a_0_9,
                       pset_singleton(a_0_0))))))
         and (JC_101:
             not_assigns(intP_val_29_alloc_table, intP_intM_val_29@,
             intP_intM_val_29,
             pset_range(pset_deref(SparseArray_val_a_0_9,
                        pset_singleton(a_0_0)),
             integer_of_uint32(i_0), integer_of_uint32(i_0)))))
        and (JC_102:
            not_assigns(SparseArray_a_0_9_alloc_table,
            SparseArray_n_1_a_0_9@, SparseArray_n_1_a_0_9,
            pset_singleton(a_0_0))))))) }

let set_safety =
 fun (a_0_0 : SparseArray pointer) (i_0 : uint32) (v : int32) (unsigned_intP_unsigned_intM_idx_30 : (unsigned_intP, uint32) memory ref) (unsigned_intP_unsigned_intM_back_31 : (unsigned_intP, uint32) memory ref) (intP_intM_val_29 : (intP, int32) memory ref) (SparseArray_n_1_a_0_9 : (SparseArray, uint32) memory ref) (SparseArray_a_0_9_alloc_table : SparseArray alloc_table) (intP_val_29_alloc_table : intP alloc_table) (unsigned_intP_idx_30_alloc_table : unsigned_intP alloc_table) (unsigned_intP_back_31_alloc_table : unsigned_intP alloc_table) (SparseArray_val_a_0_9 : (SparseArray, intP pointer) memory) (SparseArray_idx_a_0_9 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_back_a_0_9 : (SparseArray, unsigned_intP pointer) memory) (SparseArray_sz_0_a_0_9 : (SparseArray, uint32) memory) ->
  { (JC_93:
    ((JC_89: le_int(offset_min(SparseArray_a_0_9_alloc_table, a_0_0), (0)))
    and ((JC_90:
         ge_int(offset_max(SparseArray_a_0_9_alloc_table, a_0_0), (0)))
        and ((JC_91:
             inv(a_0_0, unsigned_intP_back_31_alloc_table,
             unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
             SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
             SparseArray_n_1_a_0_9, SparseArray_back_a_0_9,
             SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
             unsigned_intP_unsigned_intM_back_31,
             unsigned_intP_unsigned_intM_idx_30))
            and (JC_92:
                le_int(integer_of_uint32(i_0),
                sub_int(integer_of_uint32(select(SparseArray_sz_0_a_0_9,
                                          a_0_0)),
                (1)))))))) }
  (init:
  try
   begin
     try
      begin
        try
         begin
           (let _jessie_ =
           (let _jessie_ = v in
           (let _jessie_ =
           (JC_117:
           (((acc_ SparseArray_a_0_9_alloc_table) SparseArray_val_a_0_9) a_0_0)) in
           (let _jessie_ = (integer_of_uint32 i_0) in
           (let _jessie_ = ((shift _jessie_) _jessie_) in
           (JC_118:
           (((((offset_upd_ intP_val_29_alloc_table) intP_intM_val_29) _jessie_) _jessie_) _jessie_)))))) in
           void);
          (if ((lt_int_ (integer_of_uint32 (JC_120:
                                           ((((offset_acc_ unsigned_intP_idx_30_alloc_table) !unsigned_intP_unsigned_intM_idx_30) 
                                             (JC_119:
                                             (((acc_ SparseArray_a_0_9_alloc_table) SparseArray_idx_a_0_9) a_0_0))) 
                                            (integer_of_uint32 i_0))))) 
               (integer_of_uint32 (JC_121:
                                  (((acc_ SparseArray_a_0_9_alloc_table) !SparseArray_n_1_a_0_9) a_0_0))))
          then
           (if ((eq_int_ (integer_of_uint32 (JC_125:
                                            ((((offset_acc_ unsigned_intP_back_31_alloc_table) !unsigned_intP_unsigned_intM_back_31) 
                                              (JC_124:
                                              (((acc_ SparseArray_a_0_9_alloc_table) SparseArray_back_a_0_9) a_0_0))) 
                                             (integer_of_uint32 (JC_123:
                                                                ((((offset_acc_ unsigned_intP_idx_30_alloc_table) !unsigned_intP_unsigned_intM_idx_30) 
                                                                  (JC_122:
                                                                  (((acc_ SparseArray_a_0_9_alloc_table) SparseArray_idx_a_0_9) a_0_0))) 
                                                                 (integer_of_uint32 i_0)))))))) 
                (integer_of_uint32 i_0)) then void
           else (raise (Goto__LAND_exc void)))
          else (raise (Goto__LAND_exc void)));
          (raise (Goto__LAND_0_exc void)); (raise (Goto__LAND_exc void)) end
         with Goto__LAND_exc _jessie_ ->
         (let _jessie_ =
         begin
           [ { } unit reads SparseArray_n_1_a_0_9
             { (JC_126:
               lt_int(integer_of_uint32(select(SparseArray_n_1_a_0_9, a_0_0)),
               integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) } ];
          void;
          (let _jessie_ =
          (let _jessie_ =
          (JC_127:
          (((acc_ SparseArray_a_0_9_alloc_table) !SparseArray_n_1_a_0_9) a_0_0)) in
          (let _jessie_ =
          (JC_128:
          (((acc_ SparseArray_a_0_9_alloc_table) SparseArray_idx_a_0_9) a_0_0)) in
          (let _jessie_ = (integer_of_uint32 i_0) in
          (let _jessie_ = ((shift _jessie_) _jessie_) in
          (JC_129:
          (((((offset_upd_ unsigned_intP_idx_30_alloc_table) unsigned_intP_unsigned_intM_idx_30) _jessie_) _jessie_) _jessie_)))))) in
          void);
          (let _jessie_ =
          (let _jessie_ = i_0 in
          (let _jessie_ =
          (JC_130:
          (((acc_ SparseArray_a_0_9_alloc_table) SparseArray_back_a_0_9) a_0_0)) in
          (let _jessie_ =
          (integer_of_uint32 (JC_131:
                             (((acc_ SparseArray_a_0_9_alloc_table) !SparseArray_n_1_a_0_9) a_0_0))) in
          (let _jessie_ = ((shift _jessie_) _jessie_) in
          (JC_132:
          (((((offset_upd_ unsigned_intP_back_31_alloc_table) unsigned_intP_unsigned_intM_back_31) _jessie_) _jessie_) _jessie_)))))) in
          void);
          (let _jessie_ =
          (JC_134:
          (uint32_of_integer_ ((add_int (integer_of_uint32 (JC_133:
                                                           (((acc_ SparseArray_a_0_9_alloc_table) !SparseArray_n_1_a_0_9) a_0_0)))) (1)))) in
          begin
            (let _jessie_ = a_0_0 in
            (JC_135:
            ((((upd_ SparseArray_a_0_9_alloc_table) SparseArray_n_1_a_0_9) _jessie_) _jessie_)));
           _jessie_ end) end in void) end; (raise (Goto__LAND_0_exc void))
      end with Goto__LAND_0_exc _jessie_ ->
      begin   void; (raise Return) end end; (raise Return) end with Return ->
   void end) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/sparse_array2.why
========== file tests/c/sparse_array2.jessie/why/sparse_array2_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type SparseArray

type charP

type int32

type int8

type intP

type padding

type uint32

type uint8

type unsigned_charP

type unsigned_intP

type voidP

logic SparseArray_tag : SparseArray tag_id

axiom SparseArray_int: (int_of_tag(SparseArray_tag) = 1)

logic SparseArray_of_pointer_address : unit pointer -> SparseArray pointer

axiom SparseArray_of_pointer_address_of_pointer_addr:
  (forall p:SparseArray pointer.
    (p = SparseArray_of_pointer_address(pointer_address(p))))

axiom SparseArray_parenttag_bottom: parenttag(SparseArray_tag, bottom_tag)

axiom SparseArray_tags:
  (forall x:SparseArray pointer.
    (forall SparseArray_tag_table:SparseArray tag_table.
      instanceof(SparseArray_tag_table, x, SparseArray_tag)))

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint32 : uint32 -> int

predicate eq_uint32(x: uint32, y: uint32) =
  (integer_of_uint32(x) = integer_of_uint32(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

logic intP_tag : intP tag_id

axiom intP_int: (int_of_tag(intP_tag) = 1)

logic intP_of_pointer_address : unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr:
  (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom: parenttag(intP_tag, bottom_tag)

axiom intP_tags:
  (forall x:intP pointer.
    (forall intP_tag_table:intP tag_table. instanceof(intP_tag_table, x,
      intP_tag)))

predicate inv(a_3: SparseArray pointer,
  unsigned_intP_back_17_alloc_table_at_L: unsigned_intP alloc_table,
  unsigned_intP_idx_16_alloc_table_at_L: unsigned_intP alloc_table,
  intP_val_15_alloc_table_at_L: intP alloc_table,
  SparseArray_a_3_5_alloc_table_at_L: SparseArray alloc_table,
  SparseArray_sz_0_a_3_5_at_L: (SparseArray, uint32) memory,
  SparseArray_n_1_a_3_5_at_L: (SparseArray, uint32) memory,
  SparseArray_back_a_3_5_at_L: (SparseArray, unsigned_intP pointer) memory,
  SparseArray_idx_a_3_5_at_L: (SparseArray, unsigned_intP pointer) memory,
  SparseArray_val_a_3_5_at_L: (SparseArray, intP pointer) memory,
  unsigned_intP_unsigned_intM_back_17_at_L: (unsigned_intP, uint32) memory,
  unsigned_intP_unsigned_intM_idx_16_at_L: (unsigned_intP, uint32) memory) =
  ((offset_min(SparseArray_a_3_5_alloc_table_at_L, a_3) <= 0) and
   ((offset_max(SparseArray_a_3_5_alloc_table_at_L, a_3) >= 0) and
    ((0 <= integer_of_uint32(select(SparseArray_n_1_a_3_5_at_L, a_3))) and
     ((integer_of_uint32(select(SparseArray_n_1_a_3_5_at_L,
      a_3)) <= integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
      a_3))) and
      ((offset_min(intP_val_15_alloc_table_at_L,
       select(SparseArray_val_a_3_5_at_L, a_3)) <= 0) and
       ((offset_max(intP_val_15_alloc_table_at_L,
        select(SparseArray_val_a_3_5_at_L,
        a_3)) >= (integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
        a_3)) - 1)) and
        ((offset_min(unsigned_intP_idx_16_alloc_table_at_L,
         select(SparseArray_idx_a_3_5_at_L, a_3)) <= 0) and
         ((offset_max(unsigned_intP_idx_16_alloc_table_at_L,
          select(SparseArray_idx_a_3_5_at_L,
          a_3)) >= (integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
          a_3)) - 1)) and
          ((offset_min(unsigned_intP_back_17_alloc_table_at_L,
           select(SparseArray_back_a_3_5_at_L, a_3)) <= 0) and
           ((offset_max(unsigned_intP_back_17_alloc_table_at_L,
            select(SparseArray_back_a_3_5_at_L,
            a_3)) >= (integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
            a_3)) - 1)) and
            (forall i_5:int.
              (((0 <= i_5) and
                (i_5 < integer_of_uint32(select(SparseArray_n_1_a_3_5_at_L,
                a_3)))) ->
               ((0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_back_17_at_L,
                shift(select(SparseArray_back_a_3_5_at_L, a_3), i_5)))) and
                ((integer_of_uint32(select(unsigned_intP_unsigned_intM_back_17_at_L,
                 shift(select(SparseArray_back_a_3_5_at_L, a_3),
                 i_5))) < integer_of_uint32(select(SparseArray_sz_0_a_3_5_at_L,
                 a_3))) and
                 (integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_16_at_L,
                 shift(select(SparseArray_idx_a_3_5_at_L, a_3),
                 integer_of_uint32(select(unsigned_intP_unsigned_intM_back_17_at_L,
                 shift(select(SparseArray_back_a_3_5_at_L, a_3),
                 i_5)))))) = i_5)))))))))))))))

predicate is_elt(a: SparseArray pointer, i_1: int,
  SparseArray_n_1_a_3_at_L: (SparseArray, uint32) memory,
  SparseArray_back_a_3_at_L: (SparseArray, unsigned_intP pointer) memory,
  SparseArray_idx_a_3_at_L: (SparseArray, unsigned_intP pointer) memory,
  unsigned_intP_unsigned_intM_back_11_at_L: (unsigned_intP, uint32) memory,
  unsigned_intP_unsigned_intM_idx_10_at_L: (unsigned_intP, uint32) memory) =
  ((0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_10_at_L,
   shift(select(SparseArray_idx_a_3_at_L, a), i_1)))) and
   ((integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_10_at_L,
    shift(select(SparseArray_idx_a_3_at_L, a),
    i_1))) < integer_of_uint32(select(SparseArray_n_1_a_3_at_L, a))) and
    (integer_of_uint32(select(unsigned_intP_unsigned_intM_back_11_at_L,
    shift(select(SparseArray_back_a_3_at_L, a),
    integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_10_at_L,
    shift(select(SparseArray_idx_a_3_at_L, a), i_1)))))) = i_1)))

predicate left_valid_struct_SparseArray(p: SparseArray pointer, a: int,
  SparseArray_alloc_table: SparseArray alloc_table) =
  (offset_min(SparseArray_alloc_table, p) <= a)

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_intP(p: intP pointer, a: int,
  intP_alloc_table: intP alloc_table) = (offset_min(intP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_intP(p: unsigned_intP pointer, a: int,
  unsigned_intP_alloc_table: unsigned_intP alloc_table) =
  (offset_min(unsigned_intP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

logic model : SparseArray pointer, int, (SparseArray, uint32) memory,
(SparseArray, unsigned_intP pointer) memory, (SparseArray,
unsigned_intP pointer) memory, (SparseArray, intP pointer) memory, (intP,
int32) memory, (unsigned_intP, uint32) memory, (unsigned_intP,
uint32) memory -> int

axiom pointer_addr_of_SparseArray_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(SparseArray_of_pointer_address(p))))

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic unsigned_intP_of_pointer_address : unit pointer -> unsigned_intP pointer

axiom pointer_addr_of_unsigned_intP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_intP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_SparseArray(p: SparseArray pointer, b: int,
  SparseArray_alloc_table: SparseArray alloc_table) =
  (offset_max(SparseArray_alloc_table, p) >= b)

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_intP(p: intP pointer, b: int,
  intP_alloc_table: intP alloc_table) = (offset_max(intP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_intP(p: unsigned_intP pointer, b: int,
  unsigned_intP_alloc_table: unsigned_intP alloc_table) =
  (offset_max(unsigned_intP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_SparseArray(p: SparseArray pointer, a: int,
  b: int, SparseArray_alloc_table: SparseArray alloc_table) =
  ((offset_min(SparseArray_alloc_table, p) = a) and
   (offset_max(SparseArray_alloc_table, p) = b))

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_intP(p: unsigned_intP pointer, a: int,
  b: int, unsigned_intP_alloc_table: unsigned_intP alloc_table) =
  ((offset_min(unsigned_intP_alloc_table, p) = a) and
   (offset_max(unsigned_intP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_SparseArray(p: SparseArray pointer, a: int,
  b: int, SparseArray_alloc_table: SparseArray alloc_table) =
  ((offset_min(SparseArray_alloc_table, p) = a) and
   (offset_max(SparseArray_alloc_table, p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_intP(p: unsigned_intP pointer, a: int,
  b: int, unsigned_intP_alloc_table: unsigned_intP alloc_table) =
  ((offset_min(unsigned_intP_alloc_table, p) = a) and
   (offset_max(unsigned_intP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint32_of_integer : int -> uint32

axiom uint32_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 4294967295)) ->
     (integer_of_uint32(uint32_of_integer(x)) = x)))

axiom uint32_extensionality:
  (forall x:uint32.
    (forall y:uint32.
      ((integer_of_uint32(x) = integer_of_uint32(y)) -> (x = y))))

axiom uint32_range:
  (forall x:uint32.
    ((0 <= integer_of_uint32(x)) and (integer_of_uint32(x) <= 4294967295)))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

logic unsigned_intP_tag : unsigned_intP tag_id

axiom unsigned_intP_int: (int_of_tag(unsigned_intP_tag) = 1)

axiom unsigned_intP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_intP pointer.
    (p = unsigned_intP_of_pointer_address(pointer_address(p))))

axiom unsigned_intP_parenttag_bottom: parenttag(unsigned_intP_tag,
  bottom_tag)

axiom unsigned_intP_tags:
  (forall x:unsigned_intP pointer.
    (forall unsigned_intP_tag_table:unsigned_intP tag_table.
      instanceof(unsigned_intP_tag_table, x, unsigned_intP_tag)))

predicate valid_root_SparseArray(p: SparseArray pointer, a: int, b: int,
  SparseArray_alloc_table: SparseArray alloc_table) =
  ((offset_min(SparseArray_alloc_table, p) <= a) and
   (offset_max(SparseArray_alloc_table, p) >= b))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_unsigned_intP(p: unsigned_intP pointer, a: int, b: int,
  unsigned_intP_alloc_table: unsigned_intP alloc_table) =
  ((offset_min(unsigned_intP_alloc_table, p) <= a) and
   (offset_max(unsigned_intP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_SparseArray(p: SparseArray pointer, a: int, b: int,
  SparseArray_alloc_table: SparseArray alloc_table) =
  ((offset_min(SparseArray_alloc_table, p) <= a) and
   (offset_max(SparseArray_alloc_table, p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_intP(p: unsigned_intP pointer, a: int,
  b: int, unsigned_intP_alloc_table: unsigned_intP alloc_table) =
  ((offset_min(unsigned_intP_alloc_table, p) <= a) and
   (offset_max(unsigned_intP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

axiom model_in:
  (forall SparseArray_n_1_a_0_4_at_L:(SparseArray, uint32) memory.
    (forall SparseArray_back_a_0_4_at_L:(SparseArray,
      unsigned_intP pointer) memory.
      (forall SparseArray_idx_a_0_4_at_L:(SparseArray,
        unsigned_intP pointer) memory.
        (forall SparseArray_val_a_0_4_at_L:(SparseArray,
          intP pointer) memory.
          (forall intP_intM_val_13_at_L:(intP, int32) memory.
            (forall unsigned_intP_unsigned_intM_idx_37_at_L:(unsigned_intP,
              uint32) memory.
              (forall unsigned_intP_unsigned_intM_back_36_at_L:(unsigned_intP,
                uint32) memory.
                (forall a_1_0:SparseArray pointer.
                  (forall i_3:int.
                    (is_elt(a_1_0, i_3, SparseArray_n_1_a_0_4_at_L,
                     SparseArray_back_a_0_4_at_L, SparseArray_idx_a_0_4_at_L,
                     unsigned_intP_unsigned_intM_back_36_at_L,
                     unsigned_intP_unsigned_intM_idx_37_at_L) ->
                     (model(a_1_0, i_3, SparseArray_n_1_a_0_4_at_L,
                     SparseArray_back_a_0_4_at_L, SparseArray_idx_a_0_4_at_L,
                     SparseArray_val_a_0_4_at_L, intP_intM_val_13_at_L,
                     unsigned_intP_unsigned_intM_idx_37_at_L,
                     unsigned_intP_unsigned_intM_back_36_at_L) = integer_of_int32(select(intP_intM_val_13_at_L,
                     shift(select(SparseArray_val_a_0_4_at_L, a_1_0), i_3))))))))))))))

axiom model_out:
  (forall SparseArray_n_1_a_0_4_at_L:(SparseArray, uint32) memory.
    (forall SparseArray_back_a_0_4_at_L:(SparseArray,
      unsigned_intP pointer) memory.
      (forall SparseArray_idx_a_0_4_at_L:(SparseArray,
        unsigned_intP pointer) memory.
        (forall SparseArray_val_a_0_4_at_L:(SparseArray,
          intP pointer) memory.
          (forall intP_intM_val_13_at_L:(intP, int32) memory.
            (forall unsigned_intP_unsigned_intM_idx_37_at_L:(unsigned_intP,
              uint32) memory.
              (forall unsigned_intP_unsigned_intM_back_36_at_L:(unsigned_intP,
                uint32) memory.
                (forall a_2:SparseArray pointer.
                  (forall i_4:int.
                    ((not is_elt(a_2, i_4, SparseArray_n_1_a_0_4_at_L,
                     SparseArray_back_a_0_4_at_L, SparseArray_idx_a_0_4_at_L,
                     unsigned_intP_unsigned_intM_back_36_at_L,
                     unsigned_intP_unsigned_intM_idx_37_at_L)) -> (model(a_2,
                     i_4, SparseArray_n_1_a_0_4_at_L,
                     SparseArray_back_a_0_4_at_L, SparseArray_idx_a_0_4_at_L,
                     SparseArray_val_a_0_4_at_L, intP_intM_val_13_at_L,
                     unsigned_intP_unsigned_intM_idx_37_at_L,
                     unsigned_intP_unsigned_intM_back_36_at_L) = 0)))))))))))

goal create_ensures_default_po_1:
  forall sz:uint32.
  forall SparseArray_back_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_result_6_alloc_table:SparseArray alloc_table.
  forall SparseArray_sz_0_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_val_result_6:(SparseArray,
  intP pointer) memory.
  forall intP_val_20_alloc_table:intP alloc_table.
  forall unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table.
  ("JC_13": (integer_of_uint32(sz) >= 0)) ->
  forall result:SparseArray pointer.
  forall SparseArray_result_6_alloc_table0:SparseArray alloc_table.
  forall SparseArray_result_6_tag_table:SparseArray tag_table.
  (strict_valid_struct_SparseArray(result, 0, (1 - 1),
   SparseArray_result_6_alloc_table0) and
   (alloc_extends(SparseArray_result_6_alloc_table,
    SparseArray_result_6_alloc_table0) and
    (alloc_fresh(SparseArray_result_6_alloc_table, result, 1) and
     instanceof(SparseArray_result_6_tag_table, result, SparseArray_tag)))) ->
  forall a_1_1:SparseArray pointer.
  (a_1_1 = result) ->
  forall result0:intP pointer.
  forall intP_val_20_alloc_table0:intP alloc_table.
  forall intP_val_20_tag_table:intP tag_table.
  (strict_valid_struct_intP(result0, 0, (integer_of_uint32(sz) - 1),
   intP_val_20_alloc_table0) and
   (alloc_extends(intP_val_20_alloc_table, intP_val_20_alloc_table0) and
    (alloc_fresh(intP_val_20_alloc_table, result0, integer_of_uint32(sz)) and
     instanceof(intP_val_20_tag_table, result0, intP_tag)))) ->
  forall SparseArray_val_result_6_0:(SparseArray,
  intP pointer) memory.
  (SparseArray_val_result_6_0 = store(SparseArray_val_result_6, a_1_1,
  result0)) ->
  forall result1:unsigned_intP pointer.
  forall unsigned_intP_idx_22_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result1, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_idx_22_alloc_table0) and
   (alloc_extends(unsigned_intP_idx_22_alloc_table,
    unsigned_intP_idx_22_alloc_table0) and
    (alloc_fresh(unsigned_intP_idx_22_alloc_table, result1,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_idx_22_tag_table,
     result1, unsigned_intP_tag)))) ->
  forall SparseArray_idx_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_idx_result_6_0 = store(SparseArray_idx_result_6, a_1_1,
  result1)) ->
  forall result2:unsigned_intP pointer.
  forall unsigned_intP_back_24_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_back_24_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result2, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_back_24_alloc_table0) and
   (alloc_extends(unsigned_intP_back_24_alloc_table,
    unsigned_intP_back_24_alloc_table0) and
    (alloc_fresh(unsigned_intP_back_24_alloc_table, result2,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_back_24_tag_table,
     result2, unsigned_intP_tag)))) ->
  forall SparseArray_back_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_back_result_6_0 = store(SparseArray_back_result_6, a_1_1,
  result2)) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = 0) ->
  forall SparseArray_n_1_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_result_6_0 = store(SparseArray_n_1_result_6, a_1_1,
  result3)) ->
  forall SparseArray_sz_0_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_sz_0_result_6_0 = store(SparseArray_sz_0_result_6, a_1_1,
  sz)) ->
  forall return:SparseArray pointer.
  (return = a_1_1) ->
  ("JC_26":
  ("JC_19": ("JC_15": (not valid(SparseArray_result_6_alloc_table, return)))))

goal create_ensures_default_po_2:
  forall sz:uint32.
  forall unsigned_intP_unsigned_intM_idx_22:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_24:(unsigned_intP,
  uint32) memory.
  forall SparseArray_back_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_result_6_alloc_table:SparseArray alloc_table.
  forall SparseArray_sz_0_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_val_result_6:(SparseArray,
  intP pointer) memory.
  forall intP_val_20_alloc_table:intP alloc_table.
  forall unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table.
  ("JC_13": (integer_of_uint32(sz) >= 0)) ->
  forall result:SparseArray pointer.
  forall SparseArray_result_6_alloc_table0:SparseArray alloc_table.
  forall SparseArray_result_6_tag_table:SparseArray tag_table.
  (strict_valid_struct_SparseArray(result, 0, (1 - 1),
   SparseArray_result_6_alloc_table0) and
   (alloc_extends(SparseArray_result_6_alloc_table,
    SparseArray_result_6_alloc_table0) and
    (alloc_fresh(SparseArray_result_6_alloc_table, result, 1) and
     instanceof(SparseArray_result_6_tag_table, result, SparseArray_tag)))) ->
  forall a_1_1:SparseArray pointer.
  (a_1_1 = result) ->
  forall result0:intP pointer.
  forall intP_val_20_alloc_table0:intP alloc_table.
  forall intP_val_20_tag_table:intP tag_table.
  (strict_valid_struct_intP(result0, 0, (integer_of_uint32(sz) - 1),
   intP_val_20_alloc_table0) and
   (alloc_extends(intP_val_20_alloc_table, intP_val_20_alloc_table0) and
    (alloc_fresh(intP_val_20_alloc_table, result0, integer_of_uint32(sz)) and
     instanceof(intP_val_20_tag_table, result0, intP_tag)))) ->
  forall SparseArray_val_result_6_0:(SparseArray,
  intP pointer) memory.
  (SparseArray_val_result_6_0 = store(SparseArray_val_result_6, a_1_1,
  result0)) ->
  forall result1:unsigned_intP pointer.
  forall unsigned_intP_idx_22_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result1, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_idx_22_alloc_table0) and
   (alloc_extends(unsigned_intP_idx_22_alloc_table,
    unsigned_intP_idx_22_alloc_table0) and
    (alloc_fresh(unsigned_intP_idx_22_alloc_table, result1,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_idx_22_tag_table,
     result1, unsigned_intP_tag)))) ->
  forall SparseArray_idx_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_idx_result_6_0 = store(SparseArray_idx_result_6, a_1_1,
  result1)) ->
  forall result2:unsigned_intP pointer.
  forall unsigned_intP_back_24_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_back_24_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result2, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_back_24_alloc_table0) and
   (alloc_extends(unsigned_intP_back_24_alloc_table,
    unsigned_intP_back_24_alloc_table0) and
    (alloc_fresh(unsigned_intP_back_24_alloc_table, result2,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_back_24_tag_table,
     result2, unsigned_intP_tag)))) ->
  forall SparseArray_back_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_back_result_6_0 = store(SparseArray_back_result_6, a_1_1,
  result2)) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = 0) ->
  forall SparseArray_n_1_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_result_6_0 = store(SparseArray_n_1_result_6, a_1_1,
  result3)) ->
  forall SparseArray_sz_0_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_sz_0_result_6_0 = store(SparseArray_sz_0_result_6, a_1_1,
  sz)) ->
  forall return:SparseArray pointer.
  (return = a_1_1) ->
  ("JC_26":
  ("JC_19":
  ("JC_16": inv(return, unsigned_intP_back_24_alloc_table0,
  unsigned_intP_idx_22_alloc_table0, intP_val_20_alloc_table0,
  SparseArray_result_6_alloc_table0, SparseArray_sz_0_result_6_0,
  SparseArray_n_1_result_6_0, SparseArray_back_result_6_0,
  SparseArray_idx_result_6_0, SparseArray_val_result_6_0,
  unsigned_intP_unsigned_intM_back_24, unsigned_intP_unsigned_intM_idx_22))))

goal create_ensures_default_po_3:
  forall sz:uint32.
  forall SparseArray_back_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_result_6_alloc_table:SparseArray alloc_table.
  forall SparseArray_sz_0_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_val_result_6:(SparseArray,
  intP pointer) memory.
  forall intP_val_20_alloc_table:intP alloc_table.
  forall unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table.
  ("JC_13": (integer_of_uint32(sz) >= 0)) ->
  forall result:SparseArray pointer.
  forall SparseArray_result_6_alloc_table0:SparseArray alloc_table.
  forall SparseArray_result_6_tag_table:SparseArray tag_table.
  (strict_valid_struct_SparseArray(result, 0, (1 - 1),
   SparseArray_result_6_alloc_table0) and
   (alloc_extends(SparseArray_result_6_alloc_table,
    SparseArray_result_6_alloc_table0) and
    (alloc_fresh(SparseArray_result_6_alloc_table, result, 1) and
     instanceof(SparseArray_result_6_tag_table, result, SparseArray_tag)))) ->
  forall a_1_1:SparseArray pointer.
  (a_1_1 = result) ->
  forall result0:intP pointer.
  forall intP_val_20_alloc_table0:intP alloc_table.
  forall intP_val_20_tag_table:intP tag_table.
  (strict_valid_struct_intP(result0, 0, (integer_of_uint32(sz) - 1),
   intP_val_20_alloc_table0) and
   (alloc_extends(intP_val_20_alloc_table, intP_val_20_alloc_table0) and
    (alloc_fresh(intP_val_20_alloc_table, result0, integer_of_uint32(sz)) and
     instanceof(intP_val_20_tag_table, result0, intP_tag)))) ->
  forall SparseArray_val_result_6_0:(SparseArray,
  intP pointer) memory.
  (SparseArray_val_result_6_0 = store(SparseArray_val_result_6, a_1_1,
  result0)) ->
  forall result1:unsigned_intP pointer.
  forall unsigned_intP_idx_22_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result1, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_idx_22_alloc_table0) and
   (alloc_extends(unsigned_intP_idx_22_alloc_table,
    unsigned_intP_idx_22_alloc_table0) and
    (alloc_fresh(unsigned_intP_idx_22_alloc_table, result1,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_idx_22_tag_table,
     result1, unsigned_intP_tag)))) ->
  forall SparseArray_idx_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_idx_result_6_0 = store(SparseArray_idx_result_6, a_1_1,
  result1)) ->
  forall result2:unsigned_intP pointer.
  forall unsigned_intP_back_24_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_back_24_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result2, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_back_24_alloc_table0) and
   (alloc_extends(unsigned_intP_back_24_alloc_table,
    unsigned_intP_back_24_alloc_table0) and
    (alloc_fresh(unsigned_intP_back_24_alloc_table, result2,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_back_24_tag_table,
     result2, unsigned_intP_tag)))) ->
  forall SparseArray_back_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_back_result_6_0 = store(SparseArray_back_result_6, a_1_1,
  result2)) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = 0) ->
  forall SparseArray_n_1_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_result_6_0 = store(SparseArray_n_1_result_6, a_1_1,
  result3)) ->
  forall SparseArray_sz_0_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_sz_0_result_6_0 = store(SparseArray_sz_0_result_6, a_1_1,
  sz)) ->
  forall return:SparseArray pointer.
  (return = a_1_1) ->
  ("JC_26":
  ("JC_19":
  ("JC_17": (integer_of_uint32(select(SparseArray_sz_0_result_6_0,
  return)) = integer_of_uint32(sz)))))

goal create_ensures_default_po_4:
  forall sz:uint32.
  forall unsigned_intP_unsigned_intM_idx_22:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_24:(unsigned_intP,
  uint32) memory.
  forall intP_intM_val_20:(intP,
  int32) memory.
  forall SparseArray_back_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_result_6_alloc_table:SparseArray alloc_table.
  forall SparseArray_sz_0_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_val_result_6:(SparseArray,
  intP pointer) memory.
  forall intP_val_20_alloc_table:intP alloc_table.
  forall unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table.
  ("JC_13": (integer_of_uint32(sz) >= 0)) ->
  forall result:SparseArray pointer.
  forall SparseArray_result_6_alloc_table0:SparseArray alloc_table.
  forall SparseArray_result_6_tag_table:SparseArray tag_table.
  (strict_valid_struct_SparseArray(result, 0, (1 - 1),
   SparseArray_result_6_alloc_table0) and
   (alloc_extends(SparseArray_result_6_alloc_table,
    SparseArray_result_6_alloc_table0) and
    (alloc_fresh(SparseArray_result_6_alloc_table, result, 1) and
     instanceof(SparseArray_result_6_tag_table, result, SparseArray_tag)))) ->
  forall a_1_1:SparseArray pointer.
  (a_1_1 = result) ->
  forall result0:intP pointer.
  forall intP_val_20_alloc_table0:intP alloc_table.
  forall intP_val_20_tag_table:intP tag_table.
  (strict_valid_struct_intP(result0, 0, (integer_of_uint32(sz) - 1),
   intP_val_20_alloc_table0) and
   (alloc_extends(intP_val_20_alloc_table, intP_val_20_alloc_table0) and
    (alloc_fresh(intP_val_20_alloc_table, result0, integer_of_uint32(sz)) and
     instanceof(intP_val_20_tag_table, result0, intP_tag)))) ->
  forall SparseArray_val_result_6_0:(SparseArray,
  intP pointer) memory.
  (SparseArray_val_result_6_0 = store(SparseArray_val_result_6, a_1_1,
  result0)) ->
  forall result1:unsigned_intP pointer.
  forall unsigned_intP_idx_22_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result1, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_idx_22_alloc_table0) and
   (alloc_extends(unsigned_intP_idx_22_alloc_table,
    unsigned_intP_idx_22_alloc_table0) and
    (alloc_fresh(unsigned_intP_idx_22_alloc_table, result1,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_idx_22_tag_table,
     result1, unsigned_intP_tag)))) ->
  forall SparseArray_idx_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_idx_result_6_0 = store(SparseArray_idx_result_6, a_1_1,
  result1)) ->
  forall result2:unsigned_intP pointer.
  forall unsigned_intP_back_24_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_back_24_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result2, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_back_24_alloc_table0) and
   (alloc_extends(unsigned_intP_back_24_alloc_table,
    unsigned_intP_back_24_alloc_table0) and
    (alloc_fresh(unsigned_intP_back_24_alloc_table, result2,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_back_24_tag_table,
     result2, unsigned_intP_tag)))) ->
  forall SparseArray_back_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_back_result_6_0 = store(SparseArray_back_result_6, a_1_1,
  result2)) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = 0) ->
  forall SparseArray_n_1_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_result_6_0 = store(SparseArray_n_1_result_6, a_1_1,
  result3)) ->
  forall SparseArray_sz_0_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_sz_0_result_6_0 = store(SparseArray_sz_0_result_6, a_1_1,
  sz)) ->
  forall return:SparseArray pointer.
  (return = a_1_1) ->
  forall i_6:int.
  ("JC_26":
  ("JC_19":
  ("JC_18": (model(return, i_6, SparseArray_n_1_result_6_0,
  SparseArray_back_result_6_0, SparseArray_idx_result_6_0,
  SparseArray_val_result_6_0, intP_intM_val_20,
  unsigned_intP_unsigned_intM_idx_22,
  unsigned_intP_unsigned_intM_back_24) = 0))))

goal create_ensures_default_po_5:
  forall sz:uint32.
  forall SparseArray_back_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_result_6_alloc_table:SparseArray alloc_table.
  forall SparseArray_sz_0_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_val_result_6:(SparseArray,
  intP pointer) memory.
  forall intP_val_20_alloc_table:intP alloc_table.
  forall unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table.
  ("JC_13": (integer_of_uint32(sz) >= 0)) ->
  forall result:SparseArray pointer.
  forall SparseArray_result_6_alloc_table0:SparseArray alloc_table.
  forall SparseArray_result_6_tag_table:SparseArray tag_table.
  (strict_valid_struct_SparseArray(result, 0, (1 - 1),
   SparseArray_result_6_alloc_table0) and
   (alloc_extends(SparseArray_result_6_alloc_table,
    SparseArray_result_6_alloc_table0) and
    (alloc_fresh(SparseArray_result_6_alloc_table, result, 1) and
     instanceof(SparseArray_result_6_tag_table, result, SparseArray_tag)))) ->
  forall a_1_1:SparseArray pointer.
  (a_1_1 = result) ->
  forall result0:intP pointer.
  forall intP_val_20_alloc_table0:intP alloc_table.
  forall intP_val_20_tag_table:intP tag_table.
  (strict_valid_struct_intP(result0, 0, (integer_of_uint32(sz) - 1),
   intP_val_20_alloc_table0) and
   (alloc_extends(intP_val_20_alloc_table, intP_val_20_alloc_table0) and
    (alloc_fresh(intP_val_20_alloc_table, result0, integer_of_uint32(sz)) and
     instanceof(intP_val_20_tag_table, result0, intP_tag)))) ->
  forall SparseArray_val_result_6_0:(SparseArray,
  intP pointer) memory.
  (SparseArray_val_result_6_0 = store(SparseArray_val_result_6, a_1_1,
  result0)) ->
  forall result1:unsigned_intP pointer.
  forall unsigned_intP_idx_22_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result1, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_idx_22_alloc_table0) and
   (alloc_extends(unsigned_intP_idx_22_alloc_table,
    unsigned_intP_idx_22_alloc_table0) and
    (alloc_fresh(unsigned_intP_idx_22_alloc_table, result1,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_idx_22_tag_table,
     result1, unsigned_intP_tag)))) ->
  forall SparseArray_idx_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_idx_result_6_0 = store(SparseArray_idx_result_6, a_1_1,
  result1)) ->
  forall result2:unsigned_intP pointer.
  forall unsigned_intP_back_24_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_back_24_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result2, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_back_24_alloc_table0) and
   (alloc_extends(unsigned_intP_back_24_alloc_table,
    unsigned_intP_back_24_alloc_table0) and
    (alloc_fresh(unsigned_intP_back_24_alloc_table, result2,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_back_24_tag_table,
     result2, unsigned_intP_tag)))) ->
  forall SparseArray_back_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_back_result_6_0 = store(SparseArray_back_result_6, a_1_1,
  result2)) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = 0) ->
  forall SparseArray_n_1_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_result_6_0 = store(SparseArray_n_1_result_6, a_1_1,
  result3)) ->
  forall SparseArray_sz_0_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_sz_0_result_6_0 = store(SparseArray_sz_0_result_6, a_1_1,
  sz)) ->
  forall return:SparseArray pointer.
  (return = a_1_1) ->
  ("JC_26":
  ("JC_25":
  ("JC_20": not_assigns(SparseArray_result_6_alloc_table,
  SparseArray_val_result_6, SparseArray_val_result_6_0, pset_empty))))

goal create_ensures_default_po_6:
  forall sz:uint32.
  forall SparseArray_back_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_result_6_alloc_table:SparseArray alloc_table.
  forall SparseArray_sz_0_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_val_result_6:(SparseArray,
  intP pointer) memory.
  forall intP_val_20_alloc_table:intP alloc_table.
  forall unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table.
  ("JC_13": (integer_of_uint32(sz) >= 0)) ->
  forall result:SparseArray pointer.
  forall SparseArray_result_6_alloc_table0:SparseArray alloc_table.
  forall SparseArray_result_6_tag_table:SparseArray tag_table.
  (strict_valid_struct_SparseArray(result, 0, (1 - 1),
   SparseArray_result_6_alloc_table0) and
   (alloc_extends(SparseArray_result_6_alloc_table,
    SparseArray_result_6_alloc_table0) and
    (alloc_fresh(SparseArray_result_6_alloc_table, result, 1) and
     instanceof(SparseArray_result_6_tag_table, result, SparseArray_tag)))) ->
  forall a_1_1:SparseArray pointer.
  (a_1_1 = result) ->
  forall result0:intP pointer.
  forall intP_val_20_alloc_table0:intP alloc_table.
  forall intP_val_20_tag_table:intP tag_table.
  (strict_valid_struct_intP(result0, 0, (integer_of_uint32(sz) - 1),
   intP_val_20_alloc_table0) and
   (alloc_extends(intP_val_20_alloc_table, intP_val_20_alloc_table0) and
    (alloc_fresh(intP_val_20_alloc_table, result0, integer_of_uint32(sz)) and
     instanceof(intP_val_20_tag_table, result0, intP_tag)))) ->
  forall SparseArray_val_result_6_0:(SparseArray,
  intP pointer) memory.
  (SparseArray_val_result_6_0 = store(SparseArray_val_result_6, a_1_1,
  result0)) ->
  forall result1:unsigned_intP pointer.
  forall unsigned_intP_idx_22_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result1, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_idx_22_alloc_table0) and
   (alloc_extends(unsigned_intP_idx_22_alloc_table,
    unsigned_intP_idx_22_alloc_table0) and
    (alloc_fresh(unsigned_intP_idx_22_alloc_table, result1,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_idx_22_tag_table,
     result1, unsigned_intP_tag)))) ->
  forall SparseArray_idx_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_idx_result_6_0 = store(SparseArray_idx_result_6, a_1_1,
  result1)) ->
  forall result2:unsigned_intP pointer.
  forall unsigned_intP_back_24_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_back_24_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result2, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_back_24_alloc_table0) and
   (alloc_extends(unsigned_intP_back_24_alloc_table,
    unsigned_intP_back_24_alloc_table0) and
    (alloc_fresh(unsigned_intP_back_24_alloc_table, result2,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_back_24_tag_table,
     result2, unsigned_intP_tag)))) ->
  forall SparseArray_back_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_back_result_6_0 = store(SparseArray_back_result_6, a_1_1,
  result2)) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = 0) ->
  forall SparseArray_n_1_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_result_6_0 = store(SparseArray_n_1_result_6, a_1_1,
  result3)) ->
  forall SparseArray_sz_0_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_sz_0_result_6_0 = store(SparseArray_sz_0_result_6, a_1_1,
  sz)) ->
  forall return:SparseArray pointer.
  (return = a_1_1) ->
  ("JC_26":
  ("JC_25":
  ("JC_21": not_assigns(SparseArray_result_6_alloc_table,
  SparseArray_idx_result_6, SparseArray_idx_result_6_0, pset_empty))))

goal create_ensures_default_po_7:
  forall sz:uint32.
  forall SparseArray_back_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_result_6_alloc_table:SparseArray alloc_table.
  forall SparseArray_sz_0_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_val_result_6:(SparseArray,
  intP pointer) memory.
  forall intP_val_20_alloc_table:intP alloc_table.
  forall unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table.
  ("JC_13": (integer_of_uint32(sz) >= 0)) ->
  forall result:SparseArray pointer.
  forall SparseArray_result_6_alloc_table0:SparseArray alloc_table.
  forall SparseArray_result_6_tag_table:SparseArray tag_table.
  (strict_valid_struct_SparseArray(result, 0, (1 - 1),
   SparseArray_result_6_alloc_table0) and
   (alloc_extends(SparseArray_result_6_alloc_table,
    SparseArray_result_6_alloc_table0) and
    (alloc_fresh(SparseArray_result_6_alloc_table, result, 1) and
     instanceof(SparseArray_result_6_tag_table, result, SparseArray_tag)))) ->
  forall a_1_1:SparseArray pointer.
  (a_1_1 = result) ->
  forall result0:intP pointer.
  forall intP_val_20_alloc_table0:intP alloc_table.
  forall intP_val_20_tag_table:intP tag_table.
  (strict_valid_struct_intP(result0, 0, (integer_of_uint32(sz) - 1),
   intP_val_20_alloc_table0) and
   (alloc_extends(intP_val_20_alloc_table, intP_val_20_alloc_table0) and
    (alloc_fresh(intP_val_20_alloc_table, result0, integer_of_uint32(sz)) and
     instanceof(intP_val_20_tag_table, result0, intP_tag)))) ->
  forall SparseArray_val_result_6_0:(SparseArray,
  intP pointer) memory.
  (SparseArray_val_result_6_0 = store(SparseArray_val_result_6, a_1_1,
  result0)) ->
  forall result1:unsigned_intP pointer.
  forall unsigned_intP_idx_22_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result1, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_idx_22_alloc_table0) and
   (alloc_extends(unsigned_intP_idx_22_alloc_table,
    unsigned_intP_idx_22_alloc_table0) and
    (alloc_fresh(unsigned_intP_idx_22_alloc_table, result1,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_idx_22_tag_table,
     result1, unsigned_intP_tag)))) ->
  forall SparseArray_idx_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_idx_result_6_0 = store(SparseArray_idx_result_6, a_1_1,
  result1)) ->
  forall result2:unsigned_intP pointer.
  forall unsigned_intP_back_24_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_back_24_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result2, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_back_24_alloc_table0) and
   (alloc_extends(unsigned_intP_back_24_alloc_table,
    unsigned_intP_back_24_alloc_table0) and
    (alloc_fresh(unsigned_intP_back_24_alloc_table, result2,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_back_24_tag_table,
     result2, unsigned_intP_tag)))) ->
  forall SparseArray_back_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_back_result_6_0 = store(SparseArray_back_result_6, a_1_1,
  result2)) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = 0) ->
  forall SparseArray_n_1_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_result_6_0 = store(SparseArray_n_1_result_6, a_1_1,
  result3)) ->
  forall SparseArray_sz_0_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_sz_0_result_6_0 = store(SparseArray_sz_0_result_6, a_1_1,
  sz)) ->
  forall return:SparseArray pointer.
  (return = a_1_1) ->
  ("JC_26":
  ("JC_25":
  ("JC_22": not_assigns(SparseArray_result_6_alloc_table,
  SparseArray_back_result_6, SparseArray_back_result_6_0, pset_empty))))

goal create_ensures_default_po_8:
  forall sz:uint32.
  forall SparseArray_back_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_result_6_alloc_table:SparseArray alloc_table.
  forall SparseArray_sz_0_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_val_result_6:(SparseArray,
  intP pointer) memory.
  forall intP_val_20_alloc_table:intP alloc_table.
  forall unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table.
  ("JC_13": (integer_of_uint32(sz) >= 0)) ->
  forall result:SparseArray pointer.
  forall SparseArray_result_6_alloc_table0:SparseArray alloc_table.
  forall SparseArray_result_6_tag_table:SparseArray tag_table.
  (strict_valid_struct_SparseArray(result, 0, (1 - 1),
   SparseArray_result_6_alloc_table0) and
   (alloc_extends(SparseArray_result_6_alloc_table,
    SparseArray_result_6_alloc_table0) and
    (alloc_fresh(SparseArray_result_6_alloc_table, result, 1) and
     instanceof(SparseArray_result_6_tag_table, result, SparseArray_tag)))) ->
  forall a_1_1:SparseArray pointer.
  (a_1_1 = result) ->
  forall result0:intP pointer.
  forall intP_val_20_alloc_table0:intP alloc_table.
  forall intP_val_20_tag_table:intP tag_table.
  (strict_valid_struct_intP(result0, 0, (integer_of_uint32(sz) - 1),
   intP_val_20_alloc_table0) and
   (alloc_extends(intP_val_20_alloc_table, intP_val_20_alloc_table0) and
    (alloc_fresh(intP_val_20_alloc_table, result0, integer_of_uint32(sz)) and
     instanceof(intP_val_20_tag_table, result0, intP_tag)))) ->
  forall SparseArray_val_result_6_0:(SparseArray,
  intP pointer) memory.
  (SparseArray_val_result_6_0 = store(SparseArray_val_result_6, a_1_1,
  result0)) ->
  forall result1:unsigned_intP pointer.
  forall unsigned_intP_idx_22_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result1, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_idx_22_alloc_table0) and
   (alloc_extends(unsigned_intP_idx_22_alloc_table,
    unsigned_intP_idx_22_alloc_table0) and
    (alloc_fresh(unsigned_intP_idx_22_alloc_table, result1,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_idx_22_tag_table,
     result1, unsigned_intP_tag)))) ->
  forall SparseArray_idx_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_idx_result_6_0 = store(SparseArray_idx_result_6, a_1_1,
  result1)) ->
  forall result2:unsigned_intP pointer.
  forall unsigned_intP_back_24_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_back_24_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result2, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_back_24_alloc_table0) and
   (alloc_extends(unsigned_intP_back_24_alloc_table,
    unsigned_intP_back_24_alloc_table0) and
    (alloc_fresh(unsigned_intP_back_24_alloc_table, result2,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_back_24_tag_table,
     result2, unsigned_intP_tag)))) ->
  forall SparseArray_back_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_back_result_6_0 = store(SparseArray_back_result_6, a_1_1,
  result2)) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = 0) ->
  forall SparseArray_n_1_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_result_6_0 = store(SparseArray_n_1_result_6, a_1_1,
  result3)) ->
  forall SparseArray_sz_0_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_sz_0_result_6_0 = store(SparseArray_sz_0_result_6, a_1_1,
  sz)) ->
  forall return:SparseArray pointer.
  (return = a_1_1) ->
  ("JC_26":
  ("JC_25":
  ("JC_23": not_assigns(SparseArray_result_6_alloc_table,
  SparseArray_n_1_result_6, SparseArray_n_1_result_6_0, pset_empty))))

goal create_ensures_default_po_9:
  forall sz:uint32.
  forall SparseArray_back_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_result_6:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_result_6_alloc_table:SparseArray alloc_table.
  forall SparseArray_sz_0_result_6:(SparseArray,
  uint32) memory.
  forall SparseArray_val_result_6:(SparseArray,
  intP pointer) memory.
  forall intP_val_20_alloc_table:intP alloc_table.
  forall unsigned_intP_back_24_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_alloc_table:unsigned_intP alloc_table.
  ("JC_13": (integer_of_uint32(sz) >= 0)) ->
  forall result:SparseArray pointer.
  forall SparseArray_result_6_alloc_table0:SparseArray alloc_table.
  forall SparseArray_result_6_tag_table:SparseArray tag_table.
  (strict_valid_struct_SparseArray(result, 0, (1 - 1),
   SparseArray_result_6_alloc_table0) and
   (alloc_extends(SparseArray_result_6_alloc_table,
    SparseArray_result_6_alloc_table0) and
    (alloc_fresh(SparseArray_result_6_alloc_table, result, 1) and
     instanceof(SparseArray_result_6_tag_table, result, SparseArray_tag)))) ->
  forall a_1_1:SparseArray pointer.
  (a_1_1 = result) ->
  forall result0:intP pointer.
  forall intP_val_20_alloc_table0:intP alloc_table.
  forall intP_val_20_tag_table:intP tag_table.
  (strict_valid_struct_intP(result0, 0, (integer_of_uint32(sz) - 1),
   intP_val_20_alloc_table0) and
   (alloc_extends(intP_val_20_alloc_table, intP_val_20_alloc_table0) and
    (alloc_fresh(intP_val_20_alloc_table, result0, integer_of_uint32(sz)) and
     instanceof(intP_val_20_tag_table, result0, intP_tag)))) ->
  forall SparseArray_val_result_6_0:(SparseArray,
  intP pointer) memory.
  (SparseArray_val_result_6_0 = store(SparseArray_val_result_6, a_1_1,
  result0)) ->
  forall result1:unsigned_intP pointer.
  forall unsigned_intP_idx_22_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_idx_22_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result1, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_idx_22_alloc_table0) and
   (alloc_extends(unsigned_intP_idx_22_alloc_table,
    unsigned_intP_idx_22_alloc_table0) and
    (alloc_fresh(unsigned_intP_idx_22_alloc_table, result1,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_idx_22_tag_table,
     result1, unsigned_intP_tag)))) ->
  forall SparseArray_idx_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_idx_result_6_0 = store(SparseArray_idx_result_6, a_1_1,
  result1)) ->
  forall result2:unsigned_intP pointer.
  forall unsigned_intP_back_24_alloc_table0:unsigned_intP alloc_table.
  forall unsigned_intP_back_24_tag_table:unsigned_intP tag_table.
  (strict_valid_struct_unsigned_intP(result2, 0, (integer_of_uint32(sz) - 1),
   unsigned_intP_back_24_alloc_table0) and
   (alloc_extends(unsigned_intP_back_24_alloc_table,
    unsigned_intP_back_24_alloc_table0) and
    (alloc_fresh(unsigned_intP_back_24_alloc_table, result2,
     integer_of_uint32(sz)) and instanceof(unsigned_intP_back_24_tag_table,
     result2, unsigned_intP_tag)))) ->
  forall SparseArray_back_result_6_0:(SparseArray,
  unsigned_intP pointer) memory.
  (SparseArray_back_result_6_0 = store(SparseArray_back_result_6, a_1_1,
  result2)) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = 0) ->
  forall SparseArray_n_1_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_result_6_0 = store(SparseArray_n_1_result_6, a_1_1,
  result3)) ->
  forall SparseArray_sz_0_result_6_0:(SparseArray,
  uint32) memory.
  (SparseArray_sz_0_result_6_0 = store(SparseArray_sz_0_result_6, a_1_1,
  sz)) ->
  forall return:SparseArray pointer.
  (return = a_1_1) ->
  ("JC_26":
  ("JC_25":
  ("JC_24": not_assigns(SparseArray_result_6_alloc_table,
  SparseArray_sz_0_result_6, SparseArray_sz_0_result_6_0, pset_empty))))

goal create_safety_po_1:
  forall sz:uint32.
  ("JC_13": (integer_of_uint32(sz) >= 0)) ->
  (1 >= 0)

goal create_safety_po_2:
  forall sz:uint32.
  forall SparseArray_result_6_alloc_table:SparseArray alloc_table.
  forall intP_val_20_alloc_table:intP alloc_table.
  ("JC_13": (integer_of_uint32(sz) >= 0)) ->
  (1 >= 0) ->
  forall result:SparseArray pointer.
  forall SparseArray_result_6_alloc_table0:SparseArray alloc_table.
  forall SparseArray_result_6_tag_table:SparseArray tag_table.
  (strict_valid_struct_SparseArray(result, 0, (1 - 1),
   SparseArray_result_6_alloc_table0) and
   (alloc_extends(SparseArray_result_6_alloc_table,
    SparseArray_result_6_alloc_table0) and
    (alloc_fresh(SparseArray_result_6_alloc_table, result, 1) and
     instanceof(SparseArray_result_6_tag_table, result, SparseArray_tag)))) ->
  forall a_1_1:SparseArray pointer.
  (a_1_1 = result) ->
  (integer_of_uint32(sz) >= 0) ->
  forall result0:intP pointer.
  forall intP_val_20_alloc_table0:intP alloc_table.
  forall intP_val_20_tag_table:intP tag_table.
  (strict_valid_struct_intP(result0, 0, (integer_of_uint32(sz) - 1),
   intP_val_20_alloc_table0) and
   (alloc_extends(intP_val_20_alloc_table, intP_val_20_alloc_table0) and
    (alloc_fresh(intP_val_20_alloc_table, result0, integer_of_uint32(sz)) and
     instanceof(intP_val_20_tag_table, result0, intP_tag)))) ->
  (offset_min(SparseArray_result_6_alloc_table0, a_1_1) <= 0)

goal create_safety_po_3:
  forall sz:uint32.
  forall SparseArray_result_6_alloc_table:SparseArray alloc_table.
  forall intP_val_20_alloc_table:intP alloc_table.
  ("JC_13": (integer_of_uint32(sz) >= 0)) ->
  (1 >= 0) ->
  forall result:SparseArray pointer.
  forall SparseArray_result_6_alloc_table0:SparseArray alloc_table.
  forall SparseArray_result_6_tag_table:SparseArray tag_table.
  (strict_valid_struct_SparseArray(result, 0, (1 - 1),
   SparseArray_result_6_alloc_table0) and
   (alloc_extends(SparseArray_result_6_alloc_table,
    SparseArray_result_6_alloc_table0) and
    (alloc_fresh(SparseArray_result_6_alloc_table, result, 1) and
     instanceof(SparseArray_result_6_tag_table, result, SparseArray_tag)))) ->
  forall a_1_1:SparseArray pointer.
  (a_1_1 = result) ->
  (integer_of_uint32(sz) >= 0) ->
  forall result0:intP pointer.
  forall intP_val_20_alloc_table0:intP alloc_table.
  forall intP_val_20_tag_table:intP tag_table.
  (strict_valid_struct_intP(result0, 0, (integer_of_uint32(sz) - 1),
   intP_val_20_alloc_table0) and
   (alloc_extends(intP_val_20_alloc_table, intP_val_20_alloc_table0) and
    (alloc_fresh(intP_val_20_alloc_table, result0, integer_of_uint32(sz)) and
     instanceof(intP_val_20_tag_table, result0, intP_tag)))) ->
  (0 <= offset_max(SparseArray_result_6_alloc_table0, a_1_1))

goal get_ensures_default_po_1:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_82":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i))))))

goal get_ensures_default_po_2:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall intP_intM_val_28:(intP,
  int32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_82":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i)))))) ->
  forall result:unsigned_intP pointer.
  (result = select(SparseArray_idx_a_8, a_1)) ->
  forall result0:uint32.
  (result0 = select(unsigned_intP_unsigned_intM_idx_26, shift(result,
  integer_of_uint32(i)))) ->
  forall result1:uint32.
  (result1 = select(SparseArray_n_1_a_8, a_1)) ->
  (integer_of_uint32(result0) < integer_of_uint32(result1)) ->
  forall result2:unsigned_intP pointer.
  (result2 = select(SparseArray_back_a_8, a_1)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_idx_a_8, a_1)) ->
  forall result4:uint32.
  (result4 = select(unsigned_intP_unsigned_intM_idx_26, shift(result3,
  integer_of_uint32(i)))) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_back_27, shift(result2,
  integer_of_uint32(result4)))) ->
  (integer_of_uint32(result5) = integer_of_uint32(i)) ->
  forall result6:intP pointer.
  (result6 = select(SparseArray_val_a_8, a_1)) ->
  forall result7:int32.
  (result7 = select(intP_intM_val_28, shift(result6,
  integer_of_uint32(i)))) ->
  forall __retres:int32.
  (__retres = result7) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_66": (integer_of_int32(return) = model(a_1, integer_of_uint32(i),
  SparseArray_n_1_a_8, SparseArray_back_a_8, SparseArray_idx_a_8,
  SparseArray_val_a_8, intP_intM_val_28, unsigned_intP_unsigned_intM_idx_26,
  unsigned_intP_unsigned_intM_back_27)))

goal get_ensures_default_po_3:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall intP_intM_val_28:(intP,
  int32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_82":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i)))))) ->
  forall result:unsigned_intP pointer.
  (result = select(SparseArray_idx_a_8, a_1)) ->
  forall result0:uint32.
  (result0 = select(unsigned_intP_unsigned_intM_idx_26, shift(result,
  integer_of_uint32(i)))) ->
  forall result1:uint32.
  (result1 = select(SparseArray_n_1_a_8, a_1)) ->
  (integer_of_uint32(result0) < integer_of_uint32(result1)) ->
  forall result2:unsigned_intP pointer.
  (result2 = select(SparseArray_back_a_8, a_1)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_idx_a_8, a_1)) ->
  forall result4:uint32.
  (result4 = select(unsigned_intP_unsigned_intM_idx_26, shift(result3,
  integer_of_uint32(i)))) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_back_27, shift(result2,
  integer_of_uint32(result4)))) ->
  (integer_of_uint32(result5) <> integer_of_uint32(i)) ->
  forall result6:int32.
  (integer_of_int32(result6) = 0) ->
  forall __retres:int32.
  (__retres = result6) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_66": (integer_of_int32(return) = model(a_1, integer_of_uint32(i),
  SparseArray_n_1_a_8, SparseArray_back_a_8, SparseArray_idx_a_8,
  SparseArray_val_a_8, intP_intM_val_28, unsigned_intP_unsigned_intM_idx_26,
  unsigned_intP_unsigned_intM_back_27)))

goal get_ensures_default_po_4:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall intP_intM_val_28:(intP,
  int32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_82":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i)))))) ->
  forall result:unsigned_intP pointer.
  (result = select(SparseArray_idx_a_8, a_1)) ->
  forall result0:uint32.
  (result0 = select(unsigned_intP_unsigned_intM_idx_26, shift(result,
  integer_of_uint32(i)))) ->
  forall result1:uint32.
  (result1 = select(SparseArray_n_1_a_8, a_1)) ->
  (integer_of_uint32(result0) >= integer_of_uint32(result1)) ->
  forall result2:int32.
  (integer_of_int32(result2) = 0) ->
  forall __retres:int32.
  (__retres = result2) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_66": (integer_of_int32(return) = model(a_1, integer_of_uint32(i),
  SparseArray_n_1_a_8, SparseArray_back_a_8, SparseArray_idx_a_8,
  SparseArray_val_a_8, intP_intM_val_28, unsigned_intP_unsigned_intM_idx_26,
  unsigned_intP_unsigned_intM_back_27)))

goal get_safety_po_1:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_72":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i)))))) ->
  (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))

goal get_safety_po_2:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_72":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i)))))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result:unsigned_intP pointer.
  (result = select(SparseArray_idx_a_8, a_1)) ->
  (offset_min(unsigned_intP_idx_26_alloc_table,
  result) <= integer_of_uint32(i))

goal get_safety_po_3:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_72":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i)))))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result:unsigned_intP pointer.
  (result = select(SparseArray_idx_a_8, a_1)) ->
  (integer_of_uint32(i) <= offset_max(unsigned_intP_idx_26_alloc_table,
  result))

goal get_safety_po_4:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_72":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i)))))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result:unsigned_intP pointer.
  (result = select(SparseArray_idx_a_8, a_1)) ->
  ((offset_min(unsigned_intP_idx_26_alloc_table,
   result) <= integer_of_uint32(i)) and
   (integer_of_uint32(i) <= offset_max(unsigned_intP_idx_26_alloc_table,
   result))) ->
  forall result0:uint32.
  (result0 = select(unsigned_intP_unsigned_intM_idx_26, shift(result,
  integer_of_uint32(i)))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result1:uint32.
  (result1 = select(SparseArray_n_1_a_8, a_1)) ->
  (integer_of_uint32(result0) < integer_of_uint32(result1)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result2:unsigned_intP pointer.
  (result2 = select(SparseArray_back_a_8, a_1)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_idx_a_8, a_1)) ->
  (offset_min(unsigned_intP_idx_26_alloc_table,
  result3) <= integer_of_uint32(i))

goal get_safety_po_5:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_72":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i)))))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result:unsigned_intP pointer.
  (result = select(SparseArray_idx_a_8, a_1)) ->
  ((offset_min(unsigned_intP_idx_26_alloc_table,
   result) <= integer_of_uint32(i)) and
   (integer_of_uint32(i) <= offset_max(unsigned_intP_idx_26_alloc_table,
   result))) ->
  forall result0:uint32.
  (result0 = select(unsigned_intP_unsigned_intM_idx_26, shift(result,
  integer_of_uint32(i)))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result1:uint32.
  (result1 = select(SparseArray_n_1_a_8, a_1)) ->
  (integer_of_uint32(result0) < integer_of_uint32(result1)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result2:unsigned_intP pointer.
  (result2 = select(SparseArray_back_a_8, a_1)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_idx_a_8, a_1)) ->
  (integer_of_uint32(i) <= offset_max(unsigned_intP_idx_26_alloc_table,
  result3))

goal get_safety_po_6:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_72":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i)))))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result:unsigned_intP pointer.
  (result = select(SparseArray_idx_a_8, a_1)) ->
  ((offset_min(unsigned_intP_idx_26_alloc_table,
   result) <= integer_of_uint32(i)) and
   (integer_of_uint32(i) <= offset_max(unsigned_intP_idx_26_alloc_table,
   result))) ->
  forall result0:uint32.
  (result0 = select(unsigned_intP_unsigned_intM_idx_26, shift(result,
  integer_of_uint32(i)))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result1:uint32.
  (result1 = select(SparseArray_n_1_a_8, a_1)) ->
  (integer_of_uint32(result0) < integer_of_uint32(result1)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result2:unsigned_intP pointer.
  (result2 = select(SparseArray_back_a_8, a_1)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_idx_a_8, a_1)) ->
  ((offset_min(unsigned_intP_idx_26_alloc_table,
   result3) <= integer_of_uint32(i)) and
   (integer_of_uint32(i) <= offset_max(unsigned_intP_idx_26_alloc_table,
   result3))) ->
  forall result4:uint32.
  (result4 = select(unsigned_intP_unsigned_intM_idx_26, shift(result3,
  integer_of_uint32(i)))) ->
  (offset_min(unsigned_intP_back_27_alloc_table,
  result2) <= integer_of_uint32(result4))

goal get_safety_po_7:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_72":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i)))))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result:unsigned_intP pointer.
  (result = select(SparseArray_idx_a_8, a_1)) ->
  ((offset_min(unsigned_intP_idx_26_alloc_table,
   result) <= integer_of_uint32(i)) and
   (integer_of_uint32(i) <= offset_max(unsigned_intP_idx_26_alloc_table,
   result))) ->
  forall result0:uint32.
  (result0 = select(unsigned_intP_unsigned_intM_idx_26, shift(result,
  integer_of_uint32(i)))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result1:uint32.
  (result1 = select(SparseArray_n_1_a_8, a_1)) ->
  (integer_of_uint32(result0) < integer_of_uint32(result1)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result2:unsigned_intP pointer.
  (result2 = select(SparseArray_back_a_8, a_1)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_idx_a_8, a_1)) ->
  ((offset_min(unsigned_intP_idx_26_alloc_table,
   result3) <= integer_of_uint32(i)) and
   (integer_of_uint32(i) <= offset_max(unsigned_intP_idx_26_alloc_table,
   result3))) ->
  forall result4:uint32.
  (result4 = select(unsigned_intP_unsigned_intM_idx_26, shift(result3,
  integer_of_uint32(i)))) ->
  (integer_of_uint32(result4) <= offset_max(unsigned_intP_back_27_alloc_table,
  result2))

goal get_safety_po_8:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_72":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i)))))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result:unsigned_intP pointer.
  (result = select(SparseArray_idx_a_8, a_1)) ->
  ((offset_min(unsigned_intP_idx_26_alloc_table,
   result) <= integer_of_uint32(i)) and
   (integer_of_uint32(i) <= offset_max(unsigned_intP_idx_26_alloc_table,
   result))) ->
  forall result0:uint32.
  (result0 = select(unsigned_intP_unsigned_intM_idx_26, shift(result,
  integer_of_uint32(i)))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result1:uint32.
  (result1 = select(SparseArray_n_1_a_8, a_1)) ->
  (integer_of_uint32(result0) < integer_of_uint32(result1)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result2:unsigned_intP pointer.
  (result2 = select(SparseArray_back_a_8, a_1)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_idx_a_8, a_1)) ->
  ((offset_min(unsigned_intP_idx_26_alloc_table,
   result3) <= integer_of_uint32(i)) and
   (integer_of_uint32(i) <= offset_max(unsigned_intP_idx_26_alloc_table,
   result3))) ->
  forall result4:uint32.
  (result4 = select(unsigned_intP_unsigned_intM_idx_26, shift(result3,
  integer_of_uint32(i)))) ->
  ((offset_min(unsigned_intP_back_27_alloc_table,
   result2) <= integer_of_uint32(result4)) and
   (integer_of_uint32(result4) <= offset_max(unsigned_intP_back_27_alloc_table,
   result2))) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_back_27, shift(result2,
  integer_of_uint32(result4)))) ->
  (integer_of_uint32(result5) = integer_of_uint32(i)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result6:intP pointer.
  (result6 = select(SparseArray_val_a_8, a_1)) ->
  (offset_min(intP_val_28_alloc_table, result6) <= integer_of_uint32(i))

goal get_safety_po_9:
  forall a_1:SparseArray pointer.
  forall i:uint32.
  forall SparseArray_a_8_alloc_table:SparseArray alloc_table.
  forall intP_val_28_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_26_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_27_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_unsigned_intM_idx_26:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_27:(unsigned_intP,
  uint32) memory.
  forall SparseArray_val_a_8:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_8:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_8:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_8:(SparseArray,
  uint32) memory.
  ("JC_64":
  (("JC_60": (offset_min(SparseArray_a_8_alloc_table, a_1) <= 0)) and
   (("JC_61": (offset_max(SparseArray_a_8_alloc_table, a_1) >= 0)) and
    (("JC_62": inv(a_1, unsigned_intP_back_27_alloc_table,
     unsigned_intP_idx_26_alloc_table, intP_val_28_alloc_table,
     SparseArray_a_8_alloc_table, SparseArray_sz_0_a_8, SparseArray_n_1_a_8,
     SparseArray_back_a_8, SparseArray_idx_a_8, SparseArray_val_a_8,
     unsigned_intP_unsigned_intM_back_27,
     unsigned_intP_unsigned_intM_idx_26)) and
     ("JC_63":
     (integer_of_uint32(i) <= (integer_of_uint32(select(SparseArray_sz_0_a_8,
     a_1)) - 1))))))) ->
  ("JC_72":
  (0 <= integer_of_uint32(select(unsigned_intP_unsigned_intM_idx_26,
  shift(select(SparseArray_idx_a_8, a_1), integer_of_uint32(i)))))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result:unsigned_intP pointer.
  (result = select(SparseArray_idx_a_8, a_1)) ->
  ((offset_min(unsigned_intP_idx_26_alloc_table,
   result) <= integer_of_uint32(i)) and
   (integer_of_uint32(i) <= offset_max(unsigned_intP_idx_26_alloc_table,
   result))) ->
  forall result0:uint32.
  (result0 = select(unsigned_intP_unsigned_intM_idx_26, shift(result,
  integer_of_uint32(i)))) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result1:uint32.
  (result1 = select(SparseArray_n_1_a_8, a_1)) ->
  (integer_of_uint32(result0) < integer_of_uint32(result1)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result2:unsigned_intP pointer.
  (result2 = select(SparseArray_back_a_8, a_1)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_idx_a_8, a_1)) ->
  ((offset_min(unsigned_intP_idx_26_alloc_table,
   result3) <= integer_of_uint32(i)) and
   (integer_of_uint32(i) <= offset_max(unsigned_intP_idx_26_alloc_table,
   result3))) ->
  forall result4:uint32.
  (result4 = select(unsigned_intP_unsigned_intM_idx_26, shift(result3,
  integer_of_uint32(i)))) ->
  ((offset_min(unsigned_intP_back_27_alloc_table,
   result2) <= integer_of_uint32(result4)) and
   (integer_of_uint32(result4) <= offset_max(unsigned_intP_back_27_alloc_table,
   result2))) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_back_27, shift(result2,
  integer_of_uint32(result4)))) ->
  (integer_of_uint32(result5) = integer_of_uint32(i)) ->
  ((offset_min(SparseArray_a_8_alloc_table, a_1) <= 0) and
   (0 <= offset_max(SparseArray_a_8_alloc_table, a_1))) ->
  forall result6:intP pointer.
  (result6 = select(SparseArray_val_a_8, a_1)) ->
  (integer_of_uint32(i) <= offset_max(intP_val_28_alloc_table, result6))

goal main_ensures_default_po_1:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_162": (integer_of_int32(x_0) = 0))

goal main_ensures_default_po_2:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_162": (integer_of_int32(y) = 0))

goal main_ensures_default_po_3:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_162": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  forall result32:int32.
  ("JC_68": (integer_of_int32(result32) = model(b,
  integer_of_uint32(result31), SparseArray_n_1_b_33_0, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, intP_intM_val_146,
  unsigned_intP_unsigned_intM_idx_148,
  unsigned_intP_unsigned_intM_back_147))) ->
  forall y0:int32.
  (y0 = result32) ->
  ("JC_167": (integer_of_int32(x_0_0) = 1))

goal main_ensures_default_po_4:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_162": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  forall result32:int32.
  ("JC_68": (integer_of_int32(result32) = model(b,
  integer_of_uint32(result31), SparseArray_n_1_b_33_0, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, intP_intM_val_146,
  unsigned_intP_unsigned_intM_idx_148,
  unsigned_intP_unsigned_intM_back_147))) ->
  forall y0:int32.
  (y0 = result32) ->
  ("JC_167": (integer_of_int32(y0) = 2))

goal main_ensures_default_po_5:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_162": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  forall result32:int32.
  ("JC_68": (integer_of_int32(result32) = model(b,
  integer_of_uint32(result31), SparseArray_n_1_b_33_0, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, intP_intM_val_146,
  unsigned_intP_unsigned_intM_idx_148,
  unsigned_intP_unsigned_intM_back_147))) ->
  forall y0:int32.
  (y0 = result32) ->
  ("JC_167": ((integer_of_int32(x_0_0) = 1) and (integer_of_int32(y0) = 2))) ->
  forall result33:uint32.
  (integer_of_uint32(result33) = 0) ->
  forall result34:int32.
  ("JC_68": (integer_of_int32(result34) = model(a_2_0,
  integer_of_uint32(result33), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_1:int32.
  (x_0_1 = result34) ->
  forall result35:uint32.
  (integer_of_uint32(result35) = 0) ->
  forall result36:int32.
  ("JC_68": (integer_of_int32(result36) = model(b,
  integer_of_uint32(result35), SparseArray_n_1_b_33_0, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, intP_intM_val_146,
  unsigned_intP_unsigned_intM_idx_148,
  unsigned_intP_unsigned_intM_back_147))) ->
  forall y1:int32.
  (y1 = result36) ->
  ("JC_170": (integer_of_int32(x_0_1) = 0))

goal main_ensures_default_po_6:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_162": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  forall result32:int32.
  ("JC_68": (integer_of_int32(result32) = model(b,
  integer_of_uint32(result31), SparseArray_n_1_b_33_0, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, intP_intM_val_146,
  unsigned_intP_unsigned_intM_idx_148,
  unsigned_intP_unsigned_intM_back_147))) ->
  forall y0:int32.
  (y0 = result32) ->
  ("JC_167": ((integer_of_int32(x_0_0) = 1) and (integer_of_int32(y0) = 2))) ->
  forall result33:uint32.
  (integer_of_uint32(result33) = 0) ->
  forall result34:int32.
  ("JC_68": (integer_of_int32(result34) = model(a_2_0,
  integer_of_uint32(result33), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_1:int32.
  (x_0_1 = result34) ->
  forall result35:uint32.
  (integer_of_uint32(result35) = 0) ->
  forall result36:int32.
  ("JC_68": (integer_of_int32(result36) = model(b,
  integer_of_uint32(result35), SparseArray_n_1_b_33_0, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, intP_intM_val_146,
  unsigned_intP_unsigned_intM_idx_148,
  unsigned_intP_unsigned_intM_back_147))) ->
  forall y1:int32.
  (y1 = result36) ->
  ("JC_170": (integer_of_int32(y1) = 0))

goal main_safety_po_1:
  ("JC_140": true) ->
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0))

goal main_safety_po_2:
  ("JC_140": true) ->
  forall result0:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result10:(intP, int32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0))

goal main_safety_po_3:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  ("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)))

goal main_safety_po_4:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  ("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)))

goal main_safety_po_5:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  ("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
  unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
  SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
  SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
  SparseArray_val_a_2_32, result14, result13)))

goal main_safety_po_6:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  ("JC_57":
  (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
  a_2_0)) - 1))))

goal main_safety_po_7:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58": ("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)))

goal main_safety_po_8:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58": ("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)))

goal main_safety_po_9:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  ("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
  unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
  SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33, SparseArray_n_1_b_33,
  SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
  result12, result11)))

goal main_safety_po_10:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  ("JC_57":
  (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
  b)) - 1))))

goal main_safety_po_11:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  ("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)))

goal main_safety_po_12:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  ("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
  unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
  SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
  SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
  SparseArray_val_a_2_32, result14, result13)))

goal main_safety_po_13:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  ("JC_86":
  (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
  a_2_0)) - 1))))

goal main_safety_po_14:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87": ("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)))

goal main_safety_po_15:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  ("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
  unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
  SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33, SparseArray_n_1_b_33,
  SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
  result12, result11)))

goal main_safety_po_16:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  ("JC_86":
  (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
  b)) - 1))))

goal main_safety_po_17:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_86":
     (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  ("JC_58":
  ("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)))

goal main_safety_po_18:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_86":
     (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  ("JC_58":
  ("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
  unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
  SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
  SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
  SparseArray_val_a_2_32, unsigned_intP_unsigned_intM_back_143,
  unsigned_intP_unsigned_intM_idx_144)))

goal main_safety_po_19:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_86":
     (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  ("JC_58":
  ("JC_57":
  (integer_of_uint32(result29) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
  a_2_0)) - 1))))

goal main_safety_po_20:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_86":
     (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
     unsigned_intP_unsigned_intM_back_143,
     unsigned_intP_unsigned_intM_idx_144)) and
     ("JC_57":
     (integer_of_uint32(result29) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  ("JC_58": ("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)))

goal main_safety_po_21:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_86":
     (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
     unsigned_intP_unsigned_intM_back_143,
     unsigned_intP_unsigned_intM_idx_144)) and
     ("JC_57":
     (integer_of_uint32(result29) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  ("JC_58":
  ("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
  unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
  SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
  SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
  SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
  unsigned_intP_unsigned_intM_idx_148)))

goal main_safety_po_22:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_86":
     (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
     unsigned_intP_unsigned_intM_back_143,
     unsigned_intP_unsigned_intM_idx_144)) and
     ("JC_57":
     (integer_of_uint32(result29) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  ("JC_58":
  ("JC_57":
  (integer_of_uint32(result31) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
  b)) - 1))))

goal main_safety_po_23:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_86":
     (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
     unsigned_intP_unsigned_intM_back_143,
     unsigned_intP_unsigned_intM_idx_144)) and
     ("JC_57":
     (integer_of_uint32(result29) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
     unsigned_intP_unsigned_intM_idx_148)) and
     ("JC_57":
     (integer_of_uint32(result31) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result32:int32.
  ("JC_68": (integer_of_int32(result32) = model(b,
  integer_of_uint32(result31), SparseArray_n_1_b_33_0, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, intP_intM_val_146,
  unsigned_intP_unsigned_intM_idx_148,
  unsigned_intP_unsigned_intM_back_147))) ->
  forall y0:int32.
  (y0 = result32) ->
  ("JC_154": ((integer_of_int32(x_0_0) = 1) and (integer_of_int32(y0) = 2))) ->
  forall result33:uint32.
  (integer_of_uint32(result33) = 0) ->
  ("JC_58":
  ("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)))

goal main_safety_po_24:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_86":
     (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
     unsigned_intP_unsigned_intM_back_143,
     unsigned_intP_unsigned_intM_idx_144)) and
     ("JC_57":
     (integer_of_uint32(result29) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
     unsigned_intP_unsigned_intM_idx_148)) and
     ("JC_57":
     (integer_of_uint32(result31) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result32:int32.
  ("JC_68": (integer_of_int32(result32) = model(b,
  integer_of_uint32(result31), SparseArray_n_1_b_33_0, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, intP_intM_val_146,
  unsigned_intP_unsigned_intM_idx_148,
  unsigned_intP_unsigned_intM_back_147))) ->
  forall y0:int32.
  (y0 = result32) ->
  ("JC_154": ((integer_of_int32(x_0_0) = 1) and (integer_of_int32(y0) = 2))) ->
  forall result33:uint32.
  (integer_of_uint32(result33) = 0) ->
  ("JC_58":
  ("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
  unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
  SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
  SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
  SparseArray_val_a_2_32, unsigned_intP_unsigned_intM_back_143,
  unsigned_intP_unsigned_intM_idx_144)))

goal main_safety_po_25:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_86":
     (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
     unsigned_intP_unsigned_intM_back_143,
     unsigned_intP_unsigned_intM_idx_144)) and
     ("JC_57":
     (integer_of_uint32(result29) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
     unsigned_intP_unsigned_intM_idx_148)) and
     ("JC_57":
     (integer_of_uint32(result31) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result32:int32.
  ("JC_68": (integer_of_int32(result32) = model(b,
  integer_of_uint32(result31), SparseArray_n_1_b_33_0, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, intP_intM_val_146,
  unsigned_intP_unsigned_intM_idx_148,
  unsigned_intP_unsigned_intM_back_147))) ->
  forall y0:int32.
  (y0 = result32) ->
  ("JC_154": ((integer_of_int32(x_0_0) = 1) and (integer_of_int32(y0) = 2))) ->
  forall result33:uint32.
  (integer_of_uint32(result33) = 0) ->
  ("JC_58":
  ("JC_57":
  (integer_of_uint32(result33) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
  a_2_0)) - 1))))

goal main_safety_po_26:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_86":
     (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
     unsigned_intP_unsigned_intM_back_143,
     unsigned_intP_unsigned_intM_idx_144)) and
     ("JC_57":
     (integer_of_uint32(result29) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
     unsigned_intP_unsigned_intM_idx_148)) and
     ("JC_57":
     (integer_of_uint32(result31) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result32:int32.
  ("JC_68": (integer_of_int32(result32) = model(b,
  integer_of_uint32(result31), SparseArray_n_1_b_33_0, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, intP_intM_val_146,
  unsigned_intP_unsigned_intM_idx_148,
  unsigned_intP_unsigned_intM_back_147))) ->
  forall y0:int32.
  (y0 = result32) ->
  ("JC_154": ((integer_of_int32(x_0_0) = 1) and (integer_of_int32(y0) = 2))) ->
  forall result33:uint32.
  (integer_of_uint32(result33) = 0) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
     unsigned_intP_unsigned_intM_back_143,
     unsigned_intP_unsigned_intM_idx_144)) and
     ("JC_57":
     (integer_of_uint32(result33) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result34:int32.
  ("JC_68": (integer_of_int32(result34) = model(a_2_0,
  integer_of_uint32(result33), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_1:int32.
  (x_0_1 = result34) ->
  forall result35:uint32.
  (integer_of_uint32(result35) = 0) ->
  ("JC_58": ("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)))

goal main_safety_po_27:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_86":
     (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
     unsigned_intP_unsigned_intM_back_143,
     unsigned_intP_unsigned_intM_idx_144)) and
     ("JC_57":
     (integer_of_uint32(result29) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
     unsigned_intP_unsigned_intM_idx_148)) and
     ("JC_57":
     (integer_of_uint32(result31) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result32:int32.
  ("JC_68": (integer_of_int32(result32) = model(b,
  integer_of_uint32(result31), SparseArray_n_1_b_33_0, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, intP_intM_val_146,
  unsigned_intP_unsigned_intM_idx_148,
  unsigned_intP_unsigned_intM_back_147))) ->
  forall y0:int32.
  (y0 = result32) ->
  ("JC_154": ((integer_of_int32(x_0_0) = 1) and (integer_of_int32(y0) = 2))) ->
  forall result33:uint32.
  (integer_of_uint32(result33) = 0) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
     unsigned_intP_unsigned_intM_back_143,
     unsigned_intP_unsigned_intM_idx_144)) and
     ("JC_57":
     (integer_of_uint32(result33) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result34:int32.
  ("JC_68": (integer_of_int32(result34) = model(a_2_0,
  integer_of_uint32(result33), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_1:int32.
  (x_0_1 = result34) ->
  forall result35:uint32.
  (integer_of_uint32(result35) = 0) ->
  ("JC_58":
  ("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
  unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
  SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
  SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
  SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
  unsigned_intP_unsigned_intM_idx_148)))

goal main_safety_po_28:
  ("JC_140": true) ->
  forall result:(SparseArray, uint32) memory.
  forall result0:(SparseArray, uint32) memory.
  forall result1:(SparseArray, uint32) memory.
  forall result2:(SparseArray, uint32) memory.
  forall result3:(SparseArray,
  unsigned_intP pointer) memory.
  forall result4:(SparseArray,
  unsigned_intP pointer) memory.
  forall result5:(SparseArray,
  unsigned_intP pointer) memory.
  forall result6:(SparseArray,
  unsigned_intP pointer) memory.
  forall result7:(SparseArray,
  intP pointer) memory.
  forall result8:(SparseArray, intP pointer) memory.
  forall result9:(intP, int32) memory.
  forall result10:(intP, int32) memory.
  forall result11:(unsigned_intP,
  uint32) memory.
  forall result12:(unsigned_intP,
  uint32) memory.
  forall result13:(unsigned_intP,
  uint32) memory.
  forall result14:(unsigned_intP,
  uint32) memory.
  forall result15:SparseArray alloc_table.
  forall result16:SparseArray alloc_table.
  forall result17:uint32.
  (integer_of_uint32(result17) = 10) ->
  ("JC_11": (integer_of_uint32(result17) >= 0)) ->
  forall result18:SparseArray pointer.
  forall SparseArray_a_2_32_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_a_2_32:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_a_2_32:(SparseArray,
  uint32) memory.
  forall SparseArray_val_a_2_32:(SparseArray,
  intP pointer) memory.
  forall intP_val_142_alloc_table:intP alloc_table.
  forall unsigned_intP_back_143_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_144_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result16, result18))) and
    (("JC_28": inv(result18, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
      result18)) = integer_of_uint32(result17))) and
      ("JC_30":
      (forall i_6:int. (model(result18, i_6, SparseArray_n_1_a_2_32,
        SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
        SparseArray_val_a_2_32, result10, result13, result14) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result16, result8, SparseArray_val_a_2_32,
       pset_empty)) and
       ("JC_33": not_assigns(result16, result6, SparseArray_idx_a_2_32,
       pset_empty))) and
      ("JC_34": not_assigns(result16, result4, SparseArray_back_a_2_32,
      pset_empty))) and
     ("JC_35": not_assigns(result16, result2, SparseArray_n_1_a_2_32,
     pset_empty))) and
    ("JC_36": not_assigns(result16, result0, SparseArray_sz_0_a_2_32,
    pset_empty)))))) ->
  forall a_2_0:SparseArray pointer.
  (a_2_0 = result18) ->
  forall result19:uint32.
  (integer_of_uint32(result19) = 20) ->
  ("JC_11": (integer_of_uint32(result19) >= 0)) ->
  forall result20:SparseArray pointer.
  forall SparseArray_b_33_alloc_table:SparseArray alloc_table.
  forall SparseArray_back_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_idx_b_33:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_n_1_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_sz_0_b_33:(SparseArray,
  uint32) memory.
  forall SparseArray_val_b_33:(SparseArray,
  intP pointer) memory.
  forall intP_val_146_alloc_table:intP alloc_table.
  forall unsigned_intP_back_147_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_idx_148_alloc_table:unsigned_intP alloc_table.
  ("JC_38":
  (("JC_31":
   (("JC_27": (not valid(result15, result20))) and
    (("JC_28": inv(result20, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     (("JC_29": (integer_of_uint32(select(SparseArray_sz_0_b_33,
      result20)) = integer_of_uint32(result19))) and
      ("JC_30":
      (forall i_6:int. (model(result20, i_6, SparseArray_n_1_b_33,
        SparseArray_back_b_33, SparseArray_idx_b_33, SparseArray_val_b_33,
        result9, result11, result12) = 0))))))) and
   ("JC_37":
   ((((("JC_32": not_assigns(result15, result7, SparseArray_val_b_33,
       pset_empty)) and
       ("JC_33": not_assigns(result15, result5, SparseArray_idx_b_33,
       pset_empty))) and
      ("JC_34": not_assigns(result15, result3, SparseArray_back_b_33,
      pset_empty))) and
     ("JC_35": not_assigns(result15, result1, SparseArray_n_1_b_33,
     pset_empty))) and
    ("JC_36": not_assigns(result15, result, SparseArray_sz_0_b_33,
    pset_empty)))))) ->
  forall b:SparseArray pointer.
  (b = result20) ->
  forall result21:uint32.
  (integer_of_uint32(result21) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_57":
     (integer_of_uint32(result21) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result22:int32.
  ("JC_68": (integer_of_int32(result22) = model(a_2_0,
  integer_of_uint32(result21), SparseArray_n_1_a_2_32,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  result10, result13, result14))) ->
  forall x_0:int32.
  (x_0 = result22) ->
  forall result23:uint32.
  (integer_of_uint32(result23) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_57":
     (integer_of_uint32(result23) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result24:int32.
  ("JC_68": (integer_of_int32(result24) = model(b,
  integer_of_uint32(result23), SparseArray_n_1_b_33, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, result9, result11, result12))) ->
  forall y:int32.
  (y = result24) ->
  ("JC_149": ((integer_of_int32(x_0) = 0) and (integer_of_int32(y) = 0))) ->
  forall result25:uint32.
  (integer_of_uint32(result25) = 5) ->
  forall result26:int32.
  (integer_of_int32(result26) = 1) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_84": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_85": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32, SparseArray_back_a_2_32, SparseArray_idx_a_2_32,
     SparseArray_val_a_2_32, result14, result13)) and
     ("JC_86":
     (integer_of_uint32(result25) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall SparseArray_n_1_a_2_32_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_142:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_143:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_144:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(a_2_0, unsigned_intP_back_143_alloc_table,
    unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
    SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
    SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
    SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
    unsigned_intP_unsigned_intM_back_143,
    unsigned_intP_unsigned_intM_idx_144)) and
    (("JC_106": (model(a_2_0, integer_of_uint32(result25),
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
     unsigned_intP_unsigned_intM_idx_144,
     unsigned_intP_unsigned_intM_back_143) = integer_of_int32(result26))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result25)) -> (model(a_2_0, j_0,
        SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, intP_intM_val_142,
        unsigned_intP_unsigned_intM_idx_144,
        unsigned_intP_unsigned_intM_back_143) = model(a_2_0, j_0,
        SparseArray_n_1_a_2_32, SparseArray_back_a_2_32,
        SparseArray_idx_a_2_32, SparseArray_val_a_2_32, result10, result13,
        result14)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_144_alloc_table, result13,
      unsigned_intP_unsigned_intM_idx_144,
      pset_all(pset_deref(SparseArray_idx_a_2_32, pset_singleton(a_2_0))))) and
      ("JC_110": not_assigns(unsigned_intP_back_143_alloc_table, result14,
      unsigned_intP_unsigned_intM_back_143,
      pset_all(pset_deref(SparseArray_back_a_2_32, pset_singleton(a_2_0)))))) and
     ("JC_111": not_assigns(intP_val_142_alloc_table, result10,
     intP_intM_val_142, pset_range(pset_deref(SparseArray_val_a_2_32,
     pset_singleton(a_2_0)), integer_of_uint32(result25),
     integer_of_uint32(result25))))) and
    ("JC_112": not_assigns(SparseArray_a_2_32_alloc_table,
    SparseArray_n_1_a_2_32, SparseArray_n_1_a_2_32_0, pset_singleton(a_2_0))))))) ->
  forall result27:uint32.
  (integer_of_uint32(result27) = 7) ->
  forall result28:int32.
  (integer_of_int32(result28) = 2) ->
  ("JC_87":
  (("JC_83": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_84": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_85": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, result12, result11)) and
     ("JC_86":
     (integer_of_uint32(result27) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall SparseArray_n_1_b_33_0:(SparseArray,
  uint32) memory.
  forall intP_intM_val_146:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_147:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_148:(unsigned_intP,
  uint32) memory.
  ("JC_114":
  (("JC_108":
   (("JC_105": inv(b, unsigned_intP_back_147_alloc_table,
    unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
    SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
    SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
    SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
    unsigned_intP_unsigned_intM_idx_148)) and
    (("JC_106": (model(b, integer_of_uint32(result27),
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, intP_intM_val_146,
     unsigned_intP_unsigned_intM_idx_148,
     unsigned_intP_unsigned_intM_back_147) = integer_of_int32(result28))) and
     ("JC_107":
     (forall j_0:int.
       ((j_0 <> integer_of_uint32(result27)) -> (model(b, j_0,
        SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, intP_intM_val_146,
        unsigned_intP_unsigned_intM_idx_148,
        unsigned_intP_unsigned_intM_back_147) = model(b, j_0,
        SparseArray_n_1_b_33, SparseArray_back_b_33, SparseArray_idx_b_33,
        SparseArray_val_b_33, result9, result11, result12)))))))) and
   ("JC_113":
   (((("JC_109": not_assigns(unsigned_intP_idx_148_alloc_table, result11,
      unsigned_intP_unsigned_intM_idx_148,
      pset_all(pset_deref(SparseArray_idx_b_33, pset_singleton(b))))) and
      ("JC_110": not_assigns(unsigned_intP_back_147_alloc_table, result12,
      unsigned_intP_unsigned_intM_back_147,
      pset_all(pset_deref(SparseArray_back_b_33, pset_singleton(b)))))) and
     ("JC_111": not_assigns(intP_val_146_alloc_table, result9,
     intP_intM_val_146, pset_range(pset_deref(SparseArray_val_b_33,
     pset_singleton(b)), integer_of_uint32(result27),
     integer_of_uint32(result27))))) and
    ("JC_112": not_assigns(SparseArray_b_33_alloc_table,
    SparseArray_n_1_b_33, SparseArray_n_1_b_33_0, pset_singleton(b))))))) ->
  forall result29:uint32.
  (integer_of_uint32(result29) = 5) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
     unsigned_intP_unsigned_intM_back_143,
     unsigned_intP_unsigned_intM_idx_144)) and
     ("JC_57":
     (integer_of_uint32(result29) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result30:int32.
  ("JC_68": (integer_of_int32(result30) = model(a_2_0,
  integer_of_uint32(result29), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_0:int32.
  (x_0_0 = result30) ->
  forall result31:uint32.
  (integer_of_uint32(result31) = 7) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_b_33_alloc_table, b) <= 0)) and
   (("JC_55": (offset_max(SparseArray_b_33_alloc_table, b) >= 0)) and
    (("JC_56": inv(b, unsigned_intP_back_147_alloc_table,
     unsigned_intP_idx_148_alloc_table, intP_val_146_alloc_table,
     SparseArray_b_33_alloc_table, SparseArray_sz_0_b_33,
     SparseArray_n_1_b_33_0, SparseArray_back_b_33, SparseArray_idx_b_33,
     SparseArray_val_b_33, unsigned_intP_unsigned_intM_back_147,
     unsigned_intP_unsigned_intM_idx_148)) and
     ("JC_57":
     (integer_of_uint32(result31) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
     b)) - 1))))))) ->
  forall result32:int32.
  ("JC_68": (integer_of_int32(result32) = model(b,
  integer_of_uint32(result31), SparseArray_n_1_b_33_0, SparseArray_back_b_33,
  SparseArray_idx_b_33, SparseArray_val_b_33, intP_intM_val_146,
  unsigned_intP_unsigned_intM_idx_148,
  unsigned_intP_unsigned_intM_back_147))) ->
  forall y0:int32.
  (y0 = result32) ->
  ("JC_154": ((integer_of_int32(x_0_0) = 1) and (integer_of_int32(y0) = 2))) ->
  forall result33:uint32.
  (integer_of_uint32(result33) = 0) ->
  ("JC_58":
  (("JC_54": (offset_min(SparseArray_a_2_32_alloc_table, a_2_0) <= 0)) and
   (("JC_55": (offset_max(SparseArray_a_2_32_alloc_table, a_2_0) >= 0)) and
    (("JC_56": inv(a_2_0, unsigned_intP_back_143_alloc_table,
     unsigned_intP_idx_144_alloc_table, intP_val_142_alloc_table,
     SparseArray_a_2_32_alloc_table, SparseArray_sz_0_a_2_32,
     SparseArray_n_1_a_2_32_0, SparseArray_back_a_2_32,
     SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
     unsigned_intP_unsigned_intM_back_143,
     unsigned_intP_unsigned_intM_idx_144)) and
     ("JC_57":
     (integer_of_uint32(result33) <= (integer_of_uint32(select(SparseArray_sz_0_a_2_32,
     a_2_0)) - 1))))))) ->
  forall result34:int32.
  ("JC_68": (integer_of_int32(result34) = model(a_2_0,
  integer_of_uint32(result33), SparseArray_n_1_a_2_32_0,
  SparseArray_back_a_2_32, SparseArray_idx_a_2_32, SparseArray_val_a_2_32,
  intP_intM_val_142, unsigned_intP_unsigned_intM_idx_144,
  unsigned_intP_unsigned_intM_back_143))) ->
  forall x_0_1:int32.
  (x_0_1 = result34) ->
  forall result35:uint32.
  (integer_of_uint32(result35) = 0) ->
  ("JC_58":
  ("JC_57":
  (integer_of_uint32(result35) <= (integer_of_uint32(select(SparseArray_sz_0_b_33,
  b)) - 1))))

goal set_ensures_default_po_1:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) = integer_of_uint32(i_0)) ->
  ("JC_104":
  ("JC_98":
  ("JC_95": inv(a_0_0, unsigned_intP_back_31_alloc_table,
  unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
  SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
  SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
  SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
  unsigned_intP_unsigned_intM_idx_30))))

goal set_ensures_default_po_2:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) = integer_of_uint32(i_0)) ->
  ("JC_104":
  ("JC_98":
  ("JC_96": (model(a_0_0, integer_of_uint32(i_0), SparseArray_n_1_a_0_9,
  SparseArray_back_a_0_9, SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
  intP_intM_val_29_0, unsigned_intP_unsigned_intM_idx_30,
  unsigned_intP_unsigned_intM_back_31) = integer_of_int32(v)))))

goal set_ensures_default_po_3:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) = integer_of_uint32(i_0)) ->
  forall j_0:int.
  (j_0 <> integer_of_uint32(i_0)) ->
  ("JC_104":
  ("JC_98":
  ("JC_97": (model(a_0_0, j_0, SparseArray_n_1_a_0_9, SparseArray_back_a_0_9,
  SparseArray_idx_a_0_9, SparseArray_val_a_0_9, intP_intM_val_29_0,
  unsigned_intP_unsigned_intM_idx_30,
  unsigned_intP_unsigned_intM_back_31) = model(a_0_0, j_0,
  SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
  SparseArray_val_a_0_9, intP_intM_val_29,
  unsigned_intP_unsigned_intM_idx_30, unsigned_intP_unsigned_intM_back_31)))))

goal set_ensures_default_po_4:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) = integer_of_uint32(i_0)) ->
  ("JC_104":
  ("JC_103":
  ("JC_99": not_assigns(unsigned_intP_idx_30_alloc_table,
  unsigned_intP_unsigned_intM_idx_30, unsigned_intP_unsigned_intM_idx_30,
  pset_all(pset_deref(SparseArray_idx_a_0_9, pset_singleton(a_0_0)))))))

goal set_ensures_default_po_5:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) = integer_of_uint32(i_0)) ->
  ("JC_104":
  ("JC_103":
  ("JC_100": not_assigns(unsigned_intP_back_31_alloc_table,
  unsigned_intP_unsigned_intM_back_31, unsigned_intP_unsigned_intM_back_31,
  pset_all(pset_deref(SparseArray_back_a_0_9, pset_singleton(a_0_0)))))))

goal set_ensures_default_po_6:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) = integer_of_uint32(i_0)) ->
  ("JC_104":
  ("JC_103":
  ("JC_101": not_assigns(intP_val_29_alloc_table, intP_intM_val_29,
  intP_intM_val_29_0, pset_range(pset_deref(SparseArray_val_a_0_9,
  pset_singleton(a_0_0)), integer_of_uint32(i_0), integer_of_uint32(i_0))))))

goal set_ensures_default_po_7:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) = integer_of_uint32(i_0)) ->
  ("JC_104":
  ("JC_103":
  ("JC_102": not_assigns(SparseArray_a_0_9_alloc_table,
  SparseArray_n_1_a_0_9, SparseArray_n_1_a_0_9, pset_singleton(a_0_0)))))

goal set_ensures_default_po_8:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0))))

goal set_ensures_default_po_9:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result8, integer_of_uint32(i_0)), result7)) ->
  forall result9:unsigned_intP pointer.
  (result9 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result10:uint32.
  (result10 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result9, integer_of_uint32(result10)), i_0)) ->
  forall result11:uint32.
  (result11 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result12:uint32.
  (integer_of_uint32(result12) = (integer_of_uint32(result11) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0,
  result12)) ->
  ("JC_104":
  ("JC_98":
  ("JC_95": inv(a_0_0, unsigned_intP_back_31_alloc_table,
  unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
  SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
  SparseArray_n_1_a_0_9_0, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
  SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31_0,
  unsigned_intP_unsigned_intM_idx_30_0))))

goal set_ensures_default_po_10:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result8, integer_of_uint32(i_0)), result7)) ->
  forall result9:unsigned_intP pointer.
  (result9 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result10:uint32.
  (result10 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result9, integer_of_uint32(result10)), i_0)) ->
  forall result11:uint32.
  (result11 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result12:uint32.
  (integer_of_uint32(result12) = (integer_of_uint32(result11) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0,
  result12)) ->
  ("JC_104":
  ("JC_98":
  ("JC_96": (model(a_0_0, integer_of_uint32(i_0), SparseArray_n_1_a_0_9_0,
  SparseArray_back_a_0_9, SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
  intP_intM_val_29_0, unsigned_intP_unsigned_intM_idx_30_0,
  unsigned_intP_unsigned_intM_back_31_0) = integer_of_int32(v)))))

goal set_ensures_default_po_11:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result8, integer_of_uint32(i_0)), result7)) ->
  forall result9:unsigned_intP pointer.
  (result9 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result10:uint32.
  (result10 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result9, integer_of_uint32(result10)), i_0)) ->
  forall result11:uint32.
  (result11 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result12:uint32.
  (integer_of_uint32(result12) = (integer_of_uint32(result11) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0,
  result12)) ->
  forall j_0:int.
  (j_0 <> integer_of_uint32(i_0)) ->
  ("JC_104":
  ("JC_98":
  ("JC_97": (model(a_0_0, j_0, SparseArray_n_1_a_0_9_0,
  SparseArray_back_a_0_9, SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
  intP_intM_val_29_0, unsigned_intP_unsigned_intM_idx_30_0,
  unsigned_intP_unsigned_intM_back_31_0) = model(a_0_0, j_0,
  SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
  SparseArray_val_a_0_9, intP_intM_val_29,
  unsigned_intP_unsigned_intM_idx_30, unsigned_intP_unsigned_intM_back_31)))))

goal set_ensures_default_po_12:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result8, integer_of_uint32(i_0)), result7)) ->
  forall result9:unsigned_intP pointer.
  (result9 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result10:uint32.
  (result10 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result9, integer_of_uint32(result10)), i_0)) ->
  forall result11:uint32.
  (result11 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result12:uint32.
  (integer_of_uint32(result12) = (integer_of_uint32(result11) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0,
  result12)) ->
  ("JC_104":
  ("JC_103":
  ("JC_99": not_assigns(unsigned_intP_idx_30_alloc_table,
  unsigned_intP_unsigned_intM_idx_30, unsigned_intP_unsigned_intM_idx_30_0,
  pset_all(pset_deref(SparseArray_idx_a_0_9, pset_singleton(a_0_0)))))))

goal set_ensures_default_po_13:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result8, integer_of_uint32(i_0)), result7)) ->
  forall result9:unsigned_intP pointer.
  (result9 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result10:uint32.
  (result10 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result9, integer_of_uint32(result10)), i_0)) ->
  forall result11:uint32.
  (result11 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result12:uint32.
  (integer_of_uint32(result12) = (integer_of_uint32(result11) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0,
  result12)) ->
  ("JC_104":
  ("JC_103":
  ("JC_100": not_assigns(unsigned_intP_back_31_alloc_table,
  unsigned_intP_unsigned_intM_back_31, unsigned_intP_unsigned_intM_back_31_0,
  pset_all(pset_deref(SparseArray_back_a_0_9, pset_singleton(a_0_0)))))))

goal set_ensures_default_po_14:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result8, integer_of_uint32(i_0)), result7)) ->
  forall result9:unsigned_intP pointer.
  (result9 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result10:uint32.
  (result10 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result9, integer_of_uint32(result10)), i_0)) ->
  forall result11:uint32.
  (result11 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result12:uint32.
  (integer_of_uint32(result12) = (integer_of_uint32(result11) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0,
  result12)) ->
  ("JC_104":
  ("JC_103":
  ("JC_101": not_assigns(intP_val_29_alloc_table, intP_intM_val_29,
  intP_intM_val_29_0, pset_range(pset_deref(SparseArray_val_a_0_9,
  pset_singleton(a_0_0)), integer_of_uint32(i_0), integer_of_uint32(i_0))))))

goal set_ensures_default_po_15:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result8, integer_of_uint32(i_0)), result7)) ->
  forall result9:unsigned_intP pointer.
  (result9 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result10:uint32.
  (result10 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result9, integer_of_uint32(result10)), i_0)) ->
  forall result11:uint32.
  (result11 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result12:uint32.
  (integer_of_uint32(result12) = (integer_of_uint32(result11) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0,
  result12)) ->
  ("JC_104":
  ("JC_103":
  ("JC_102": not_assigns(SparseArray_a_0_9_alloc_table,
  SparseArray_n_1_a_0_9, SparseArray_n_1_a_0_9_0, pset_singleton(a_0_0)))))

goal set_ensures_default_po_16:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0))))

goal set_ensures_default_po_17:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result4, integer_of_uint32(i_0)), result3)) ->
  forall result5:unsigned_intP pointer.
  (result5 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result6:uint32.
  (result6 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result5, integer_of_uint32(result6)), i_0)) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:uint32.
  (integer_of_uint32(result8) = (integer_of_uint32(result7) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0, result8)) ->
  ("JC_104":
  ("JC_98":
  ("JC_95": inv(a_0_0, unsigned_intP_back_31_alloc_table,
  unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
  SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
  SparseArray_n_1_a_0_9_0, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
  SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31_0,
  unsigned_intP_unsigned_intM_idx_30_0))))

goal set_ensures_default_po_18:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result4, integer_of_uint32(i_0)), result3)) ->
  forall result5:unsigned_intP pointer.
  (result5 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result6:uint32.
  (result6 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result5, integer_of_uint32(result6)), i_0)) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:uint32.
  (integer_of_uint32(result8) = (integer_of_uint32(result7) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0, result8)) ->
  ("JC_104":
  ("JC_98":
  ("JC_96": (model(a_0_0, integer_of_uint32(i_0), SparseArray_n_1_a_0_9_0,
  SparseArray_back_a_0_9, SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
  intP_intM_val_29_0, unsigned_intP_unsigned_intM_idx_30_0,
  unsigned_intP_unsigned_intM_back_31_0) = integer_of_int32(v)))))

goal set_ensures_default_po_19:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result4, integer_of_uint32(i_0)), result3)) ->
  forall result5:unsigned_intP pointer.
  (result5 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result6:uint32.
  (result6 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result5, integer_of_uint32(result6)), i_0)) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:uint32.
  (integer_of_uint32(result8) = (integer_of_uint32(result7) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0, result8)) ->
  forall j_0:int.
  (j_0 <> integer_of_uint32(i_0)) ->
  ("JC_104":
  ("JC_98":
  ("JC_97": (model(a_0_0, j_0, SparseArray_n_1_a_0_9_0,
  SparseArray_back_a_0_9, SparseArray_idx_a_0_9, SparseArray_val_a_0_9,
  intP_intM_val_29_0, unsigned_intP_unsigned_intM_idx_30_0,
  unsigned_intP_unsigned_intM_back_31_0) = model(a_0_0, j_0,
  SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
  SparseArray_val_a_0_9, intP_intM_val_29,
  unsigned_intP_unsigned_intM_idx_30, unsigned_intP_unsigned_intM_back_31)))))

goal set_ensures_default_po_20:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result4, integer_of_uint32(i_0)), result3)) ->
  forall result5:unsigned_intP pointer.
  (result5 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result6:uint32.
  (result6 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result5, integer_of_uint32(result6)), i_0)) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:uint32.
  (integer_of_uint32(result8) = (integer_of_uint32(result7) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0, result8)) ->
  ("JC_104":
  ("JC_103":
  ("JC_99": not_assigns(unsigned_intP_idx_30_alloc_table,
  unsigned_intP_unsigned_intM_idx_30, unsigned_intP_unsigned_intM_idx_30_0,
  pset_all(pset_deref(SparseArray_idx_a_0_9, pset_singleton(a_0_0)))))))

goal set_ensures_default_po_21:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result4, integer_of_uint32(i_0)), result3)) ->
  forall result5:unsigned_intP pointer.
  (result5 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result6:uint32.
  (result6 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result5, integer_of_uint32(result6)), i_0)) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:uint32.
  (integer_of_uint32(result8) = (integer_of_uint32(result7) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0, result8)) ->
  ("JC_104":
  ("JC_103":
  ("JC_100": not_assigns(unsigned_intP_back_31_alloc_table,
  unsigned_intP_unsigned_intM_back_31, unsigned_intP_unsigned_intM_back_31_0,
  pset_all(pset_deref(SparseArray_back_a_0_9, pset_singleton(a_0_0)))))))

goal set_ensures_default_po_22:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result4, integer_of_uint32(i_0)), result3)) ->
  forall result5:unsigned_intP pointer.
  (result5 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result6:uint32.
  (result6 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result5, integer_of_uint32(result6)), i_0)) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:uint32.
  (integer_of_uint32(result8) = (integer_of_uint32(result7) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0, result8)) ->
  ("JC_104":
  ("JC_103":
  ("JC_101": not_assigns(intP_val_29_alloc_table, intP_intM_val_29,
  intP_intM_val_29_0, pset_range(pset_deref(SparseArray_val_a_0_9,
  pset_singleton(a_0_0)), integer_of_uint32(i_0), integer_of_uint32(i_0))))))

goal set_ensures_default_po_23:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_136": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result4, integer_of_uint32(i_0)), result3)) ->
  forall result5:unsigned_intP pointer.
  (result5 = select(SparseArray_back_a_0_9, a_0_0)) ->
  forall result6:uint32.
  (result6 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result5, integer_of_uint32(result6)), i_0)) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  forall result8:uint32.
  (integer_of_uint32(result8) = (integer_of_uint32(result7) + 1)) ->
  forall SparseArray_n_1_a_0_9_0:(SparseArray,
  uint32) memory.
  (SparseArray_n_1_a_0_9_0 = store(SparseArray_n_1_a_0_9, a_0_0, result8)) ->
  ("JC_104":
  ("JC_103":
  ("JC_102": not_assigns(SparseArray_a_0_9_alloc_table,
  SparseArray_n_1_a_0_9, SparseArray_n_1_a_0_9_0, pset_singleton(a_0_0)))))

goal set_safety_po_1:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))

goal set_safety_po_2:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  (offset_min(intP_val_29_alloc_table, result) <= integer_of_uint32(i_0))

goal set_safety_po_3:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))

goal set_safety_po_4:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  (offset_min(unsigned_intP_idx_30_alloc_table,
  result0) <= integer_of_uint32(i_0))

goal set_safety_po_5:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
  result0))

goal set_safety_po_6:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  (offset_min(unsigned_intP_idx_30_alloc_table,
  result4) <= integer_of_uint32(i_0))

goal set_safety_po_7:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
  result4))

goal set_safety_po_8:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result4) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result4))) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  (offset_min(unsigned_intP_back_31_alloc_table,
  result3) <= integer_of_uint32(result5))

goal set_safety_po_9:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result4) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result4))) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  (integer_of_uint32(result5) <= offset_max(unsigned_intP_back_31_alloc_table,
  result3))

goal set_safety_po_10:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result4) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result4))) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  ((offset_min(unsigned_intP_back_31_alloc_table,
   result3) <= integer_of_uint32(result5)) and
   (integer_of_uint32(result5) <= offset_max(unsigned_intP_back_31_alloc_table,
   result3))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_126": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  (offset_min(unsigned_intP_idx_30_alloc_table,
  result8) <= integer_of_uint32(i_0))

goal set_safety_po_11:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result4) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result4))) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  ((offset_min(unsigned_intP_back_31_alloc_table,
   result3) <= integer_of_uint32(result5)) and
   (integer_of_uint32(result5) <= offset_max(unsigned_intP_back_31_alloc_table,
   result3))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_126": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
  result8))

goal set_safety_po_12:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result4) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result4))) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  ((offset_min(unsigned_intP_back_31_alloc_table,
   result3) <= integer_of_uint32(result5)) and
   (integer_of_uint32(result5) <= offset_max(unsigned_intP_back_31_alloc_table,
   result3))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_126": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result8) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result8))) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result8, integer_of_uint32(i_0)), result7)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result9:unsigned_intP pointer.
  (result9 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result10:uint32.
  (result10 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (offset_min(unsigned_intP_back_31_alloc_table,
  result9) <= integer_of_uint32(result10))

goal set_safety_po_13:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result4) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result4))) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  ((offset_min(unsigned_intP_back_31_alloc_table,
   result3) <= integer_of_uint32(result5)) and
   (integer_of_uint32(result5) <= offset_max(unsigned_intP_back_31_alloc_table,
   result3))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_126": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result8) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result8))) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result8, integer_of_uint32(i_0)), result7)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result9:unsigned_intP pointer.
  (result9 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result10:uint32.
  (result10 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result10) <= offset_max(unsigned_intP_back_31_alloc_table,
  result9))

goal set_safety_po_14:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result4) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result4))) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  ((offset_min(unsigned_intP_back_31_alloc_table,
   result3) <= integer_of_uint32(result5)) and
   (integer_of_uint32(result5) <= offset_max(unsigned_intP_back_31_alloc_table,
   result3))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_126": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result8) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result8))) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result8, integer_of_uint32(i_0)), result7)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result9:unsigned_intP pointer.
  (result9 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result10:uint32.
  (result10 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_back_31_alloc_table,
   result9) <= integer_of_uint32(result10)) and
   (integer_of_uint32(result10) <= offset_max(unsigned_intP_back_31_alloc_table,
   result9))) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result9, integer_of_uint32(result10)), i_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result11:uint32.
  (result11 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (0 <= (integer_of_uint32(result11) + 1))

goal set_safety_po_15:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) < integer_of_uint32(result2)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:unsigned_intP pointer.
  (result3 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result4) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result4))) ->
  forall result5:uint32.
  (result5 = select(unsigned_intP_unsigned_intM_idx_30, shift(result4,
  integer_of_uint32(i_0)))) ->
  ((offset_min(unsigned_intP_back_31_alloc_table,
   result3) <= integer_of_uint32(result5)) and
   (integer_of_uint32(result5) <= offset_max(unsigned_intP_back_31_alloc_table,
   result3))) ->
  forall result6:uint32.
  (result6 = select(unsigned_intP_unsigned_intM_back_31, shift(result3,
  integer_of_uint32(result5)))) ->
  (integer_of_uint32(result6) <> integer_of_uint32(i_0)) ->
  ("JC_126": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result8:unsigned_intP pointer.
  (result8 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result8) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result8))) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result8, integer_of_uint32(i_0)), result7)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result9:unsigned_intP pointer.
  (result9 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result10:uint32.
  (result10 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_back_31_alloc_table,
   result9) <= integer_of_uint32(result10)) and
   (integer_of_uint32(result10) <= offset_max(unsigned_intP_back_31_alloc_table,
   result9))) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result9, integer_of_uint32(result10)), i_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result11:uint32.
  (result11 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((integer_of_uint32(result11) + 1) <= 4294967295)

goal set_safety_po_16:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_126": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  (offset_min(unsigned_intP_idx_30_alloc_table,
  result4) <= integer_of_uint32(i_0))

goal set_safety_po_17:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_126": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
  result4))

goal set_safety_po_18:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_126": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result4) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result4))) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result4, integer_of_uint32(i_0)), result3)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result5:unsigned_intP pointer.
  (result5 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result6:uint32.
  (result6 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (offset_min(unsigned_intP_back_31_alloc_table,
  result5) <= integer_of_uint32(result6))

goal set_safety_po_19:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_126": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result4) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result4))) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result4, integer_of_uint32(i_0)), result3)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result5:unsigned_intP pointer.
  (result5 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result6:uint32.
  (result6 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result6) <= offset_max(unsigned_intP_back_31_alloc_table,
  result5))

goal set_safety_po_20:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_126": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result4) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result4))) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result4, integer_of_uint32(i_0)), result3)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result5:unsigned_intP pointer.
  (result5 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result6:uint32.
  (result6 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_back_31_alloc_table,
   result5) <= integer_of_uint32(result6)) and
   (integer_of_uint32(result6) <= offset_max(unsigned_intP_back_31_alloc_table,
   result5))) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result5, integer_of_uint32(result6)), i_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (0 <= (integer_of_uint32(result7) + 1))

goal set_safety_po_21:
  forall a_0_0:SparseArray pointer.
  forall i_0:uint32.
  forall v:int32.
  forall SparseArray_a_0_9_alloc_table:SparseArray alloc_table.
  forall intP_val_29_alloc_table:intP alloc_table.
  forall unsigned_intP_idx_30_alloc_table:unsigned_intP alloc_table.
  forall unsigned_intP_back_31_alloc_table:unsigned_intP alloc_table.
  forall SparseArray_val_a_0_9:(SparseArray,
  intP pointer) memory.
  forall SparseArray_idx_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_back_a_0_9:(SparseArray,
  unsigned_intP pointer) memory.
  forall SparseArray_sz_0_a_0_9:(SparseArray,
  uint32) memory.
  forall SparseArray_n_1_a_0_9:(SparseArray,
  uint32) memory.
  forall intP_intM_val_29:(intP,
  int32) memory.
  forall unsigned_intP_unsigned_intM_back_31:(unsigned_intP,
  uint32) memory.
  forall unsigned_intP_unsigned_intM_idx_30:(unsigned_intP,
  uint32) memory.
  ("JC_93":
  (("JC_89": (offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0)) and
   (("JC_90": (offset_max(SparseArray_a_0_9_alloc_table, a_0_0) >= 0)) and
    (("JC_91": inv(a_0_0, unsigned_intP_back_31_alloc_table,
     unsigned_intP_idx_30_alloc_table, intP_val_29_alloc_table,
     SparseArray_a_0_9_alloc_table, SparseArray_sz_0_a_0_9,
     SparseArray_n_1_a_0_9, SparseArray_back_a_0_9, SparseArray_idx_a_0_9,
     SparseArray_val_a_0_9, unsigned_intP_unsigned_intM_back_31,
     unsigned_intP_unsigned_intM_idx_30)) and
     ("JC_92":
     (integer_of_uint32(i_0) <= (integer_of_uint32(select(SparseArray_sz_0_a_0_9,
     a_0_0)) - 1))))))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result:intP pointer.
  (result = select(SparseArray_val_a_0_9, a_0_0)) ->
  ((offset_min(intP_val_29_alloc_table,
   result) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(intP_val_29_alloc_table, result))) ->
  forall intP_intM_val_29_0:(intP,
  int32) memory.
  (intP_intM_val_29_0 = store(intP_intM_val_29, shift(result,
  integer_of_uint32(i_0)), v)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result0:unsigned_intP pointer.
  (result0 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result0) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result0))) ->
  forall result1:uint32.
  (result1 = select(unsigned_intP_unsigned_intM_idx_30, shift(result0,
  integer_of_uint32(i_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result2:uint32.
  (result2 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  (integer_of_uint32(result1) >= integer_of_uint32(result2)) ->
  ("JC_126": (integer_of_uint32(select(SparseArray_n_1_a_0_9,
  a_0_0)) < integer_of_uint32(select(SparseArray_sz_0_a_0_9, a_0_0)))) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result3:uint32.
  (result3 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result4:unsigned_intP pointer.
  (result4 = select(SparseArray_idx_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_idx_30_alloc_table,
   result4) <= integer_of_uint32(i_0)) and
   (integer_of_uint32(i_0) <= offset_max(unsigned_intP_idx_30_alloc_table,
   result4))) ->
  forall unsigned_intP_unsigned_intM_idx_30_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_idx_30_0 = store(unsigned_intP_unsigned_intM_idx_30,
  shift(result4, integer_of_uint32(i_0)), result3)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result5:unsigned_intP pointer.
  (result5 = select(SparseArray_back_a_0_9, a_0_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result6:uint32.
  (result6 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((offset_min(unsigned_intP_back_31_alloc_table,
   result5) <= integer_of_uint32(result6)) and
   (integer_of_uint32(result6) <= offset_max(unsigned_intP_back_31_alloc_table,
   result5))) ->
  forall unsigned_intP_unsigned_intM_back_31_0:(unsigned_intP,
  uint32) memory.
  (unsigned_intP_unsigned_intM_back_31_0 = store(unsigned_intP_unsigned_intM_back_31,
  shift(result5, integer_of_uint32(result6)), i_0)) ->
  ((offset_min(SparseArray_a_0_9_alloc_table, a_0_0) <= 0) and
   (0 <= offset_max(SparseArray_a_0_9_alloc_table, a_0_0))) ->
  forall result7:uint32.
  (result7 = select(SparseArray_n_1_a_0_9, a_0_0)) ->
  ((integer_of_uint32(result7) + 1) <= 4294967295)

why-2.34/tests/c/oracle/insertion_sort.res.oracle0000644000175000017500000062140312311670312020514 0ustar  rtusers========== file tests/c/insertion_sort.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY: will ask regtests to run Simplify on this program

#pragma JessieIntegerModel(math)

#include "sorting.h"

/*@ requires \valid(t+(0..n-1));
  @ ensures Sorted(t,0,n-1);
  @*/
void insert_sort(int t[], int n) {
  int i,j;
  int mv;
  if (n <= 1) return;
  /*@ loop invariant 0 <= i <= n;
    @ loop invariant Sorted(t,0,i);
    @ loop variant n-i;
    @*/
  for (i=1; i Sorted(t,0,i);
      @ loop invariant j < i ==> Sorted(t,0,i+1);
      @ loop invariant \forall integer k; j <= k < i ==> t[k] > mv;
      @ loop variant j;
      @*/
    // look for the right index j to put t[i]
    for (j=i; j > 0; j--) {
      if (t[j-1] <= mv) break;
      t[j] = t[j-1];
    }
    t[j] = mv;
  }
}


/*
Local Variables:
compile-command: "make insertion_sort.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/insertion_sort.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/insertion_sort.jessie
[jessie] File tests/c/insertion_sort.jessie/insertion_sort.jc written.
[jessie] File tests/c/insertion_sort.jessie/insertion_sort.cloc written.
========== file tests/c/insertion_sort.jessie/insertion_sort.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag intP = {
  integer intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate Swap{L1, L2}(intP[..] a, integer i_1, integer j_0) =
(((\at((a + i_1).intM,L1) == \at((a + j_0).intM,L2)) &&
   (\at((a + j_0).intM,L1) == \at((a + i_1).intM,L2))) &&
  (\forall integer k;
    (((k != i_1) && (k != j_0)) ==>
      (\at((a + k).intM,L1) == \at((a + k).intM,L2)))))

predicate Permut{L1, L2}(intP[..] a_0, integer l, integer h) {
case Permut_refl{L}: \at((\forall intP[..] a_1;
                           (\forall integer l_0;
                             (\forall integer h_0;
                               Permut{L,
                               L}(a_1, l_0, h_0)))),L);
  
  case Permut_sym{L1, L2}: (\forall intP[..] a_2;
                             (\forall integer l_1;
                               (\forall integer h_1;
                                 (Permut{L1,
                                   L2}(a_2, l_1, h_1) ==>
                                   Permut{L2,
                                   L1}(a_2, l_1, h_1)))));
  
  case Permut_trans{L1, L2, L3}: (\forall intP[..] a_3;
                                   (\forall integer l_2;
                                     (\forall integer h_2;
                                       ((Permut{L1,
                                          L2}(a_3, l_2, h_2) &&
                                          Permut{L2,
                                          L3}(a_3, l_2, h_2)) ==>
                                         Permut{L1,
                                         L3}(a_3, l_2, h_2)))));
  
  case Permut_swap{L1, L2}: (\forall intP[..] a_4;
                              (\forall integer l_3;
                                (\forall integer h_3;
                                  (\forall integer i_2;
                                    (\forall integer j_1;
                                      (((((l_3 <= i_2) && (i_2 <= h_3)) &&
                                          ((l_3 <= j_1) && (j_1 <= h_3))) &&
                                         Swap{L1,
                                         L2}(a_4, i_2, j_1)) ==>
                                        Permut{L1,
                                        L2}(a_4, l_3, h_3)))))));
  
}

predicate Sorted{L}(intP[..] a_5, integer l_4, integer h_4) =
(\forall integer i_3;
  (\forall integer j_2;
    (((l_4 <= i_3) && ((i_3 <= j_2) && (j_2 < h_4))) ==>
      ((a_5 + i_3).intM <= (a_5 + j_2).intM))))

unit insert_sort(intP[..] t, integer n_1)
  requires (_C_35 : ((_C_36 : (\offset_min(t) <= 0)) &&
                      (_C_37 : (\offset_max(t) >= (n_1 - 1)))));
behavior default:
  ensures (_C_34 : Sorted{Here}(\at(t,Old), 0, (\at(n_1,Old) - 1)));
{  
   (var integer i);
   
   (var integer j);
   
   (var integer mv);
   
   {  (if (n_1 <= 1) then 
      (goto return_label) else ());
      (_C_1 : (i = 1));
      
      loop 
      behavior default:
        invariant (_C_4 : ((_C_5 : (0 <= i)) && (_C_6 : (i <= n_1))));
      behavior default:
        invariant (_C_3 : Sorted{Here}(t, 0, i));
      variant (_C_2 : (n_1 - i));
      while (true)
      {  
         {  (if (i < n_1) then () else 
            (goto while_0_break));
            
            {  (_C_9 : (mv = (_C_8 : (_C_7 : (t + i)).intM)));
               (_C_10 : (j = i));
               
               loop 
               behavior default:
                 invariant (_C_15 : ((_C_16 : (0 <= j)) &&
                                      (_C_17 : (j <= i))));
               behavior default:
                 invariant (_C_14 : ((j == i) ==> Sorted{Here}(t, 0, i)));
               behavior default:
                 invariant (_C_13 : ((j < i) ==> Sorted{Here}(t, 0, (i + 1))));
               behavior default:
                 invariant (_C_12 : (\forall integer k_0;
                                      (((j <= k_0) && (k_0 < i)) ==>
                                        ((t + k_0).intM > mv))));
               variant (_C_11 : j);
               while (true)
               {  
                  {  (if (j > 0) then () else 
                     (goto while_1_break));
                     
                     {  (if ((_C_20 : (_C_19 : (t + (_C_18 : (j - 1)))).intM) <=
                              mv) then 
                        (goto while_1_break) else ());
                        (_C_26 : ((_C_25 : (_C_24 : (t + j)).intM) = 
                        (_C_23 : (_C_22 : (t + (_C_21 : (j - 1)))).intM)))
                     };
                     (_C_28 : (j = (_C_27 : (j - 1))))
                  }
               };
               (while_1_break : ());
               (_C_31 : ((_C_30 : (_C_29 : (t + j)).intM) = mv))
            };
            (_C_33 : (i = (_C_32 : (i + 1))))
         }
      };
      (while_0_break : ());
      (return_label : 
      (return ()))
   }
}
========== file tests/c/insertion_sort.jessie/insertion_sort.cloc ==========
[_C_35]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 13
end = 31

[_C_28]
file = "HOME/tests/c/insertion_sort.c"
line = 59
begin = 21
end = 24

[_C_31]
file = "HOME/tests/c/insertion_sort.c"
line = 63
begin = 11
end = 13

[_C_4]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 21
end = 32

[_C_32]
file = "HOME/tests/c/insertion_sort.c"
line = 49
begin = 17
end = 20

[_C_23]
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 13
end = 19

[_C_19]
file = "HOME/tests/c/insertion_sort.c"
line = 60
begin = 10
end = 11

[_C_13]
file = "HOME/tests/c/insertion_sort.c"
line = 54
begin = 23
end = 48

[_C_5]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 21
end = 27

[_C_36]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 13
end = 31

[_C_12]
file = "HOME/tests/c/insertion_sort.c"
line = 55
begin = 23
end = 66

[_C_33]
file = "HOME/tests/c/insertion_sort.c"
line = 49
begin = 17
end = 20

[_C_22]
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 13
end = 14

[_C_9]
file = "HOME/tests/c/insertion_sort.c"
line = 51
begin = 9
end = 13

[_C_30]
file = "HOME/tests/c/insertion_sort.c"
line = 63
begin = 11
end = 13

[_C_6]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 26
end = 32

[_C_24]
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 6
end = 7

[_C_20]
file = "HOME/tests/c/insertion_sort.c"
line = 60
begin = 10
end = 16

[_C_3]
file = "HOME/tests/c/insertion_sort.c"
line = 46
begin = 21
end = 34

[_C_17]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 28
end = 34

[_C_7]
file = "HOME/tests/c/insertion_sort.c"
line = 51
begin = 9
end = 10

[insert_sort]
name = "Function insert_sort"
file = "HOME/tests/c/insertion_sort.c"
line = 41
begin = 5
end = 16

[_C_27]
file = "HOME/tests/c/insertion_sort.c"
line = 59
begin = 21
end = 24

[_C_15]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 23
end = 34

[_C_26]
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 13
end = 19

[_C_10]
file = "HOME/tests/c/insertion_sort.c"
line = 59
begin = 11
end = 12

[_C_8]
file = "HOME/tests/c/insertion_sort.c"
line = 51
begin = 9
end = 13

[_C_18]
file = "HOME/tests/c/insertion_sort.c"
line = 60
begin = 12
end = 15

[_C_29]
file = "HOME/tests/c/insertion_sort.c"
line = 63
begin = 4
end = 5

[_C_14]
file = "HOME/tests/c/insertion_sort.c"
line = 53
begin = 23
end = 47

[_C_37]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 13
end = 31

[_C_2]
file = "HOME/tests/c/insertion_sort.c"
line = 47
begin = 19
end = 22

[_C_34]
file = "HOME/tests/c/insertion_sort.c"
line = 39
begin = 12
end = 27

[_C_16]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 23
end = 29

[_C_1]
file = "HOME/tests/c/insertion_sort.c"
line = 49
begin = 9
end = 10

[_C_25]
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 13
end = 19

[_C_11]
file = "HOME/tests/c/insertion_sort.c"
line = 56
begin = 21
end = 22

[_C_21]
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 15
end = 18

========== jessie execution ==========
Generating Why function insert_sort
========== file tests/c/insertion_sort.jessie/insertion_sort.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs insertion_sort.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs insertion_sort.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/insertion_sort_why.sx

project: why/insertion_sort.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/insertion_sort_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/insertion_sort_why.vo

coq/insertion_sort_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/insertion_sort_why.v: why/insertion_sort.why
	@echo 'why -coq [...] why/insertion_sort.why' && $(WHY) $(JESSIELIBFILES) why/insertion_sort.why && rm -f coq/jessie_why.v

coq-goals: goals coq/insertion_sort_ctx_why.vo
	for f in why/*_po*.why; do make -f insertion_sort.makefile coq/`basename $$f .why`_why.v ; done

coq/insertion_sort_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/insertion_sort_ctx_why.v: why/insertion_sort_ctx.why
	@echo 'why -coq [...] why/insertion_sort_ctx.why' && $(WHY) why/insertion_sort_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export insertion_sort_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/insertion_sort_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/insertion_sort_ctx_why.vo

pvs: pvs/insertion_sort_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/insertion_sort_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/insertion_sort_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/insertion_sort_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/insertion_sort_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/insertion_sort_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/insertion_sort_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/insertion_sort_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/insertion_sort_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/insertion_sort_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/insertion_sort_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/insertion_sort_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/insertion_sort_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/insertion_sort_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/insertion_sort_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: insertion_sort.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/insertion_sort_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: insertion_sort.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: insertion_sort.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: insertion_sort.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include insertion_sort.depend

depend: coq/insertion_sort_why.v
	-$(COQDEP) -I coq coq/insertion_sort*_why.v > insertion_sort.depend

clean:
	rm -f coq/*.vo

========== file tests/c/insertion_sort.jessie/insertion_sort.loc ==========
[JC_51]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 117
begin = 15
end = 1252

[JC_45]
file = "HOME/tests/c/insertion_sort.c"
line = 53
begin = 23
end = 47

[JC_31]
kind = PointerDeref
file = "HOME/tests/c/insertion_sort.c"
line = 61
begin = 13
end = 19

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 23
end = 34

[JC_23]
file = "HOME/tests/c/insertion_sort.c"
line = 53
begin = 23
end = 47

[JC_22]
file = "HOME/tests/c/insertion_sort.c"
line = 54
begin = 23
end = 48

[JC_5]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 13
end = 31

[JC_9]
file = "HOME/tests/c/insertion_sort.c"
line = 39
begin = 12
end = 27

[JC_24]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 23
end = 29

[JC_25]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 28
end = 34

[JC_41]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 103
begin = 6
end = 1880

[JC_47]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 28
end = 34

[JC_26]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 23
end = 34

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/c/insertion_sort.c"
line = 46
begin = 21
end = 34

[insert_sort_ensures_default]
name = "Function insert_sort"
behavior = "default behavior"
file = "HOME/tests/c/insertion_sort.c"
line = 41
begin = 5
end = 16

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 26
end = 32

[JC_36]
file = "HOME/tests/c/insertion_sort.c"
line = 46
begin = 21
end = 34

[JC_39]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 21
end = 32

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/c/insertion_sort.c"
line = 47
begin = 19
end = 22

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 26
end = 32

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 13
end = 31

[JC_44]
file = "HOME/tests/c/insertion_sort.c"
line = 54
begin = 23
end = 48

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 103
begin = 6
end = 1880

[JC_46]
file = "HOME/tests/c/insertion_sort.c"
line = 52
begin = 23
end = 29

[JC_32]
kind = PointerDeref
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 138
begin = 34
end = 142

[JC_33]
file = "HOME/tests/c/insertion_sort.c"
line = 56
begin = 21
end = 22

[JC_29]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 117
begin = 15
end = 1252

[JC_7]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 13
end = 31

[JC_16]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 21
end = 32

[JC_43]
file = "HOME/tests/c/insertion_sort.c"
line = 55
begin = 23
end = 66

[JC_2]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 13
end = 31

[JC_34]
kind = PointerDeref
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 145
begin = 25
end = 62

[JC_14]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 21
end = 27

[JC_21]
file = "HOME/tests/c/insertion_sort.c"
line = 55
begin = 23
end = 66

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 13
end = 31

[JC_37]
file = "HOME/tests/c/insertion_sort.c"
line = 45
begin = 21
end = 27

[insert_sort_safety]
name = "Function insert_sort"
behavior = "Safety"
file = "HOME/tests/c/insertion_sort.c"
line = 41
begin = 5
end = 16

[JC_10]
file = "HOME/tests/c/insertion_sort.c"
line = 39
begin = 12
end = 27

[JC_20]
kind = PointerDeref
file = "HOME/tests/c/insertion_sort.c"
line = 51
begin = 9
end = 13

[JC_18]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 103
begin = 6
end = 1880

[JC_3]
file = "HOME/tests/c/insertion_sort.c"
line = 38
begin = 13
end = 31

[JC_19]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 103
begin = 6
end = 1880

[JC_50]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 117
begin = 15
end = 1252

[JC_30]
kind = PointerDeref
file = "HOME/tests/c/insertion_sort.c"
line = 60
begin = 10
end = 16

[JC_28]
file = "HOME/tests/c/insertion_sort.jessie/insertion_sort.jc"
line = 117
begin = 15
end = 1252

========== file tests/c/insertion_sort.jessie/why/insertion_sort.why ==========
type charP

type intP

type padding

type unsigned_charP

type voidP

predicate Swap(a:intP pointer, i_1:int, j_0:int,
 intP_intM_a_1_at_L2:(intP, int) memory,
 intP_intM_a_1_at_L1:(intP, int) memory) =
 ((select(intP_intM_a_1_at_L1, shift(a, i_1)) = select(intP_intM_a_1_at_L2,
                                                shift(a, j_0)))
 and ((select(intP_intM_a_1_at_L1, shift(a, j_0)) = select(intP_intM_a_1_at_L2,
                                                    shift(a, i_1)))
     and (forall k:int.
          (((k <> i_1) and (k <> j_0)) ->
           (select(intP_intM_a_1_at_L1, shift(a, k)) = select(intP_intM_a_1_at_L2,
                                                       shift(a, k)))))))

inductive Permut: intP pointer, int, int, (intP, int) memory,
                  (intP, int) memory -> prop =
 | Permut_refl: (forall intP_intM_a_0_2_at_L:(intP, int) memory.
                 (forall a_1:intP pointer.
                  (forall l_0:int.
                   (forall h_0:int.
                    Permut(a_1, l_0, h_0, intP_intM_a_0_2_at_L,
                    intP_intM_a_0_2_at_L)))))
 | Permut_sym: (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                 (forall a_2:intP pointer.
                  (forall l_1:int.
                   (forall h_1:int.
                    (Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L2,
                     intP_intM_a_0_2_at_L1) ->
                     Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L1,
                     intP_intM_a_0_2_at_L2)))))))
 | Permut_trans: (forall intP_intM_a_0_2_at_L3:(intP, int) memory.
                  (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                   (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                    (forall a_3:intP pointer.
                     (forall l_2:int.
                      (forall h_2:int.
                       ((Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L2,
                         intP_intM_a_0_2_at_L1)
                        and Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
                            intP_intM_a_0_2_at_L2)) ->
                        Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
                        intP_intM_a_0_2_at_L1))))))))
 | Permut_swap: (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                 (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                  (forall a_4:intP pointer.
                   (forall l_3:int.
                    (forall h_3:int.
                     (forall i_2:int.
                      (forall j_1:int.
                       ((le_int(l_3, i_2)
                        and (le_int(i_2, h_3)
                            and (le_int(l_3, j_1)
                                and (le_int(j_1, h_3)
                                    and Swap(a_4, i_2, j_1,
                                        intP_intM_a_0_2_at_L2,
                                        intP_intM_a_0_2_at_L1))))) ->
                        Permut(a_4, l_3, h_3, intP_intM_a_0_2_at_L2,
                        intP_intM_a_0_2_at_L1)))))))))
 
predicate Sorted(a_5:intP pointer, l_4:int, h_4:int,
 intP_intM_a_5_3_at_L:(intP, int) memory) =
 (forall i_3:int.
  (forall j_2:int.
   ((le_int(l_4, i_3) and (le_int(i_3, j_2) and lt_int(j_2, h_4))) ->
    le_int(select(intP_intM_a_5_3_at_L, shift(a_5, i_3)),
    select(intP_intM_a_5_3_at_L, shift(a_5, j_2))))))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Goto_while_1_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter insert_sort :
 t:intP pointer ->
  n_1:int ->
   intP_intM_t_4:(intP, int) memory ref ->
    intP_t_4_alloc_table:intP alloc_table ->
     { } unit reads intP_intM_t_4 writes intP_intM_t_4
     { (JC_10: Sorted(t, (0), sub_int(n_1, (1)), intP_intM_t_4)) }

parameter insert_sort_requires :
 t:intP pointer ->
  n_1:int ->
   intP_intM_t_4:(intP, int) memory ref ->
    intP_t_4_alloc_table:intP alloc_table ->
     { (JC_3:
       ((JC_1: le_int(offset_min(intP_t_4_alloc_table, t), (0)))
       and (JC_2:
           ge_int(offset_max(intP_t_4_alloc_table, t), sub_int(n_1, (1))))))}
     unit reads intP_intM_t_4 writes intP_intM_t_4
     { (JC_10: Sorted(t, (0), sub_int(n_1, (1)), intP_intM_t_4)) }

let insert_sort_ensures_default =
 fun (t : intP pointer) (n_1 : int) (intP_intM_t_4 : (intP, int) memory ref) (intP_t_4_alloc_table : intP alloc_table) ->
  { (JC_7:
    ((JC_5: le_int(offset_min(intP_t_4_alloc_table, t), (0)))
    and (JC_6:
        ge_int(offset_max(intP_t_4_alloc_table, t), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let i = ref (any_int void) in
     (let j = ref (any_int void) in
     (let mv = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((le_int_ n_1) (1)) then (raise (Return_label_exc void))
           else void); (let _jessie_ = (i := (1)) in void);
          (loop_3:
          begin
            while true do
            { invariant
                ((JC_36: Sorted(t, (0), i, intP_intM_t_4))
                and (JC_39:
                    ((JC_37: le_int((0), i)) and (JC_38: le_int(i, n_1)))))
               }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !i) n_1) then void
                   else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     (let _jessie_ =
                     (mv := ((safe_acc_ !intP_intM_t_4) ((shift t) !i))) in
                     void); (let _jessie_ = (j := !i) in void);
                    (loop_4:
                    begin
                      while true do
                      { invariant
                          ((JC_43:
                           (forall k_0:int.
                            ((le_int(j, k_0) and lt_int(k_0, i)) ->
                             gt_int(select(intP_intM_t_4, shift(t, k_0)), mv))))
                          and ((JC_44:
                               (lt_int(j, i) ->
                                Sorted(t, (0), add_int(i, (1)),
                                intP_intM_t_4)))
                              and ((JC_45:
                                   ((j = i) ->
                                    Sorted(t, (0), i, intP_intM_t_4)))
                                  and (JC_48:
                                      ((JC_46: le_int((0), j))
                                      and (JC_47: le_int(j, i))))))) 
                         }
                       begin
                         [ { } unit { true } ];
                        try
                         begin
                           (let _jessie_ =
                           begin
                             (if ((gt_int_ !j) (0)) then void
                             else (raise (Goto_while_1_break_exc void)));
                            (let _jessie_ =
                            begin
                              (if ((le_int_ ((safe_acc_ !intP_intM_t_4) 
                                             ((shift t) ((sub_int !j) (1))))) !mv)
                              then (raise (Goto_while_1_break_exc void))
                              else void);
                             (let _jessie_ =
                             ((safe_acc_ !intP_intM_t_4) ((shift t) ((sub_int !j) (1)))) in
                             (let _jessie_ = t in
                             (let _jessie_ = !j in
                             (let _jessie_ =
                             ((shift _jessie_) _jessie_) in
                             begin
                               (((safe_upd_ intP_intM_t_4) _jessie_) _jessie_);
                              _jessie_ end)))) end in void);
                            (j := ((sub_int !j) (1))); !j end in void);
                          (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (let _jessie_ =
                   (while_1_break:
                   begin
                     void;
                    (let _jessie_ = !mv in
                    (let _jessie_ = t in
                    (let _jessie_ = !j in
                    (let _jessie_ = ((shift _jessie_) _jessie_) in
                    begin
                      (((safe_upd_ intP_intM_t_4) _jessie_) _jessie_);
                     _jessie_ end)))) end) in void) end;
                  (i := ((add_int !i) (1))); !i end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end))); (raise Return) end with
   Return -> void end)
  { (JC_9: Sorted(t, (0), sub_int(n_1, (1)), intP_intM_t_4)) }

let insert_sort_safety =
 fun (t : intP pointer) (n_1 : int) (intP_intM_t_4 : (intP, int) memory ref) (intP_t_4_alloc_table : intP alloc_table) ->
  { (JC_7:
    ((JC_5: le_int(offset_min(intP_t_4_alloc_table, t), (0)))
    and (JC_6:
        ge_int(offset_max(intP_t_4_alloc_table, t), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let i = ref (any_int void) in
     (let j = ref (any_int void) in
     (let mv = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((le_int_ n_1) (1)) then (raise (Return_label_exc void))
           else void); (let _jessie_ = (i := (1)) in void);
          (loop_1:
          begin
            while true do
            { invariant (JC_18: true) variant (JC_35 : sub_int(n_1, i)) }
             begin
               [ { } unit reads i,intP_intM_t_4
                 { ((JC_13: Sorted(t, (0), i, intP_intM_t_4))
                   and (JC_16:
                       ((JC_14: le_int((0), i)) and (JC_15: le_int(i, n_1))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !i) n_1) then void
                   else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     (let _jessie_ =
                     (mv := (JC_20:
                            ((((offset_acc_ intP_t_4_alloc_table) !intP_intM_t_4) t) !i))) in
                     void); (let _jessie_ = (j := !i) in void);
                    (loop_2:
                    begin
                      while true do
                      { invariant (JC_28: true) variant (JC_33 : j) }
                       begin
                         [ { } unit reads i,intP_intM_t_4,j,mv
                           { ((JC_21:
                              (forall k_0:int.
                               ((le_int(j, k_0) and lt_int(k_0, i)) ->
                                gt_int(select(intP_intM_t_4, shift(t, k_0)),
                                mv))))
                             and ((JC_22:
                                  (lt_int(j, i) ->
                                   Sorted(t, (0), add_int(i, (1)),
                                   intP_intM_t_4)))
                                 and ((JC_23:
                                      ((j = i) ->
                                       Sorted(t, (0), i, intP_intM_t_4)))
                                     and (JC_26:
                                         ((JC_24: le_int((0), j))
                                         and (JC_25: le_int(j, i))))))) } ];
                        try
                         begin
                           (let _jessie_ =
                           begin
                             (if ((gt_int_ !j) (0)) then void
                             else (raise (Goto_while_1_break_exc void)));
                            (let _jessie_ =
                            begin
                              (if ((le_int_ (JC_30:
                                            ((((offset_acc_ intP_t_4_alloc_table) !intP_intM_t_4) t) 
                                             ((sub_int !j) (1))))) !mv)
                              then (raise (Goto_while_1_break_exc void))
                              else void);
                             (let _jessie_ =
                             (JC_31:
                             ((((offset_acc_ intP_t_4_alloc_table) !intP_intM_t_4) t) 
                              ((sub_int !j) (1)))) in
                             (let _jessie_ = t in
                             (let _jessie_ = !j in
                             (let _jessie_ =
                             ((shift _jessie_) _jessie_) in
                             (JC_32:
                             begin
                               (((((offset_upd_ intP_t_4_alloc_table) intP_intM_t_4) _jessie_) _jessie_) _jessie_);
                              _jessie_ end))))) end in void);
                            (j := ((sub_int !j) (1))); !j end in void);
                          (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (let _jessie_ =
                   (while_1_break:
                   begin
                     void;
                    (let _jessie_ = !mv in
                    (let _jessie_ = t in
                    (let _jessie_ = !j in
                    (let _jessie_ = ((shift _jessie_) _jessie_) in
                    (JC_34:
                    begin
                      (((((offset_upd_ intP_t_4_alloc_table) intP_intM_t_4) _jessie_) _jessie_) _jessie_);
                     _jessie_ end))))) end) in void) end;
                  (i := ((add_int !i) (1))); !i end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end))); (raise Return) end with
   Return -> void end) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/insertion_sort.why
========== file tests/c/insertion_sort.jessie/why/insertion_sort_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type intP

type padding

type unsigned_charP

type voidP

predicate Swap(a: intP pointer, i_1: int, j_0: int,
  intP_intM_a_1_at_L2: (intP, int) memory, intP_intM_a_1_at_L1: (intP,
  int) memory) =
  ((select(intP_intM_a_1_at_L1, shift(a, i_1)) = select(intP_intM_a_1_at_L2,
   shift(a, j_0))) and
   ((select(intP_intM_a_1_at_L1, shift(a, j_0)) = select(intP_intM_a_1_at_L2,
    shift(a, i_1))) and
    (forall k:int.
      (((k <> i_1) and (k <> j_0)) -> (select(intP_intM_a_1_at_L1, shift(a,
       k)) = select(intP_intM_a_1_at_L2, shift(a, k)))))))

logic Permut : intP pointer, int, int, (intP, int) memory, (intP,
int) memory -> prop

axiom Permut_inversion:
  (forall aux_1:intP pointer.
    (forall aux_2:int.
      (forall aux_3:int.
        (forall aux_4:(intP, int) memory.
          (forall aux_5:(intP, int) memory [Permut(aux_1, aux_2, aux_3,
            aux_4, aux_5)].
            (Permut(aux_1, aux_2, aux_3, aux_4, aux_5) ->
             ((exists intP_intM_a_0_2_at_L:(intP, int) memory.
                (exists a_1:intP pointer.
                  (exists l_0:int.
                    (exists h_0:int.
                      ((aux_1 = a_1) and
                       ((aux_2 = l_0) and
                        ((aux_3 = h_0) and
                         ((aux_4 = intP_intM_a_0_2_at_L) and
                          (aux_5 = intP_intM_a_0_2_at_L))))))))) or
              ((exists intP_intM_a_0_2_at_L2:(intP, int) memory.
                 (exists intP_intM_a_0_2_at_L1:(intP, int) memory.
                   (exists a_2:intP pointer.
                     (exists l_1:int.
                       (exists h_1:int.
                         (Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L2,
                          intP_intM_a_0_2_at_L1) and
                          ((aux_1 = a_2) and
                           ((aux_2 = l_1) and
                            ((aux_3 = h_1) and
                             ((aux_4 = intP_intM_a_0_2_at_L1) and
                              (aux_5 = intP_intM_a_0_2_at_L2))))))))))) or
               ((exists intP_intM_a_0_2_at_L3:(intP, int) memory.
                  (exists intP_intM_a_0_2_at_L2:(intP, int) memory.
                    (exists intP_intM_a_0_2_at_L1:(intP, int) memory.
                      (exists a_3:intP pointer.
                        (exists l_2:int.
                          (exists h_2:int.
                            ((Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L2,
                              intP_intM_a_0_2_at_L1) and Permut(a_3, l_2,
                              h_2, intP_intM_a_0_2_at_L3,
                              intP_intM_a_0_2_at_L2)) and
                             ((aux_1 = a_3) and
                              ((aux_2 = l_2) and
                               ((aux_3 = h_2) and
                                ((aux_4 = intP_intM_a_0_2_at_L3) and
                                 (aux_5 = intP_intM_a_0_2_at_L1)))))))))))) or
                (exists intP_intM_a_0_2_at_L2:(intP, int) memory.
                  (exists intP_intM_a_0_2_at_L1:(intP, int) memory.
                    (exists a_4:intP pointer.
                      (exists l_3:int.
                        (exists h_3:int.
                          (exists i_2:int.
                            (exists j_1:int.
                              (((l_3 <= i_2) and
                                ((i_2 <= h_3) and
                                 ((l_3 <= j_1) and
                                  ((j_1 <= h_3) and Swap(a_4, i_2, j_1,
                                   intP_intM_a_0_2_at_L2,
                                   intP_intM_a_0_2_at_L1))))) and
                               ((aux_1 = a_4) and
                                ((aux_2 = l_3) and
                                 ((aux_3 = h_3) and
                                  ((aux_4 = intP_intM_a_0_2_at_L2) and
                                   (aux_5 = intP_intM_a_0_2_at_L1))))))))))))))))))))))

axiom Permut_refl:
  (forall intP_intM_a_0_2_at_L:(intP, int) memory.
    (forall a_1:intP pointer.
      (forall l_0:int.
        (forall h_0:int. Permut(a_1, l_0, h_0, intP_intM_a_0_2_at_L,
          intP_intM_a_0_2_at_L)))))

axiom Permut_sym:
  (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
    (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
      (forall a_2:intP pointer.
        (forall l_1:int.
          (forall h_1:int.
            (Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L2,
             intP_intM_a_0_2_at_L1) -> Permut(a_2, l_1, h_1,
             intP_intM_a_0_2_at_L1, intP_intM_a_0_2_at_L2)))))))

axiom Permut_trans:
  (forall intP_intM_a_0_2_at_L3:(intP, int) memory.
    (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
      (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
        (forall a_3:intP pointer.
          (forall l_2:int.
            (forall h_2:int.
              ((Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L2,
                intP_intM_a_0_2_at_L1) and Permut(a_3, l_2, h_2,
                intP_intM_a_0_2_at_L3, intP_intM_a_0_2_at_L2)) ->
               Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
               intP_intM_a_0_2_at_L1))))))))

axiom Permut_swap:
  (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
    (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
      (forall a_4:intP pointer.
        (forall l_3:int.
          (forall h_3:int.
            (forall i_2:int.
              (forall j_1:int.
                (((l_3 <= i_2) and
                  ((i_2 <= h_3) and
                   ((l_3 <= j_1) and
                    ((j_1 <= h_3) and Swap(a_4, i_2, j_1,
                     intP_intM_a_0_2_at_L2, intP_intM_a_0_2_at_L1))))) ->
                 Permut(a_4, l_3, h_3, intP_intM_a_0_2_at_L2,
                 intP_intM_a_0_2_at_L1)))))))))

predicate Sorted(a_5: intP pointer, l_4: int, h_4: int,
  intP_intM_a_5_3_at_L: (intP, int) memory) =
  (forall i_3:int.
    (forall j_2:int.
      (((l_4 <= i_3) and ((i_3 <= j_2) and (j_2 < h_4))) ->
       (select(intP_intM_a_5_3_at_L, shift(a_5,
       i_3)) <= select(intP_intM_a_5_3_at_L, shift(a_5, j_2))))))

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic intP_tag : intP tag_id

axiom intP_int: (int_of_tag(intP_tag) = 1)

logic intP_of_pointer_address : unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr:
  (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom: parenttag(intP_tag, bottom_tag)

axiom intP_tags:
  (forall x:intP pointer.
    (forall intP_tag_table:intP tag_table. instanceof(intP_tag_table, x,
      intP_tag)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_intP(p: intP pointer, a: int,
  intP_alloc_table: intP alloc_table) = (offset_min(intP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_intP(p: intP pointer, b: int,
  intP_alloc_table: intP alloc_table) = (offset_max(intP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal insert_sort_ensures_default_po_1:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 <= 1) ->
  ("JC_9": Sorted(t, 0, (n_1 - 1), intP_intM_t_4))

goal insert_sort_ensures_default_po_2:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  ("JC_36": Sorted(t, 0, i, intP_intM_t_4))

goal insert_sort_ensures_default_po_3:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  ("JC_39": ("JC_37": (0 <= i)))

goal insert_sort_ensures_default_po_4:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  ("JC_39": ("JC_38": (i <= n_1)))

goal insert_sort_ensures_default_po_5:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall k_0:int.
  ((j <= k_0) and (k_0 < i0)) ->
  ("JC_43": (select(intP_intM_t_4_0, shift(t, k_0)) > mv))

goal insert_sort_ensures_default_po_6:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  (j < i0) ->
  ("JC_44": Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))

goal insert_sort_ensures_default_po_7:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  ("JC_48": ("JC_46": (0 <= j)))

goal insert_sort_ensures_default_po_8:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  ("JC_48": ("JC_47": (j <= i0)))

goal insert_sort_ensures_default_po_9:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  forall j0:int.
  (("JC_43":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_1, shift(t,
      k_0)) > mv)))) and
   (("JC_44": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_1))) and
    (("JC_45": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_1))) and
     ("JC_48": (("JC_46": (0 <= j0)) and ("JC_47": (j0 <= i0))))))) ->
  (j0 > 0) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  (result0 <= mv) ->
  forall intP_intM_t_4_2:(intP,
  int) memory.
  (intP_intM_t_4_2 = store(intP_intM_t_4_1, shift(t, j0), mv)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  ("JC_36": Sorted(t, 0, i1, intP_intM_t_4_2))

goal insert_sort_ensures_default_po_10:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  forall j0:int.
  (("JC_43":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_1, shift(t,
      k_0)) > mv)))) and
   (("JC_44": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_1))) and
    (("JC_45": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_1))) and
     ("JC_48": (("JC_46": (0 <= j0)) and ("JC_47": (j0 <= i0))))))) ->
  (j0 > 0) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  (result0 <= mv) ->
  forall intP_intM_t_4_2:(intP,
  int) memory.
  (intP_intM_t_4_2 = store(intP_intM_t_4_1, shift(t, j0), mv)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  ("JC_39": ("JC_37": (0 <= i1)))

goal insert_sort_ensures_default_po_11:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  forall j0:int.
  (("JC_43":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_1, shift(t,
      k_0)) > mv)))) and
   (("JC_44": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_1))) and
    (("JC_45": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_1))) and
     ("JC_48": (("JC_46": (0 <= j0)) and ("JC_47": (j0 <= i0))))))) ->
  (j0 > 0) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  (result0 <= mv) ->
  forall intP_intM_t_4_2:(intP,
  int) memory.
  (intP_intM_t_4_2 = store(intP_intM_t_4_1, shift(t, j0), mv)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  ("JC_39": ("JC_38": (i1 <= n_1)))

goal insert_sort_ensures_default_po_12:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  forall j0:int.
  (("JC_43":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_1, shift(t,
      k_0)) > mv)))) and
   (("JC_44": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_1))) and
    (("JC_45": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_1))) and
     ("JC_48": (("JC_46": (0 <= j0)) and ("JC_47": (j0 <= i0))))))) ->
  (j0 > 0) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  (result0 > mv) ->
  forall result1:int.
  (result1 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  forall intP_intM_t_4_2:(intP,
  int) memory.
  (intP_intM_t_4_2 = store(intP_intM_t_4_1, shift(t, j0), result1)) ->
  forall j1:int.
  (j1 = (j0 - 1)) ->
  forall k_0:int.
  ((j1 <= k_0) and (k_0 < i0)) ->
  ("JC_43": (select(intP_intM_t_4_2, shift(t, k_0)) > mv))

goal insert_sort_ensures_default_po_13:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  forall j0:int.
  (("JC_43":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_1, shift(t,
      k_0)) > mv)))) and
   (("JC_44": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_1))) and
    (("JC_45": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_1))) and
     ("JC_48": (("JC_46": (0 <= j0)) and ("JC_47": (j0 <= i0))))))) ->
  (j0 > 0) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  (result0 > mv) ->
  forall result1:int.
  (result1 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  forall intP_intM_t_4_2:(intP,
  int) memory.
  (intP_intM_t_4_2 = store(intP_intM_t_4_1, shift(t, j0), result1)) ->
  forall j1:int.
  (j1 = (j0 - 1)) ->
  (j1 < i0) ->
  ("JC_44": Sorted(t, 0, (i0 + 1), intP_intM_t_4_2))

goal insert_sort_ensures_default_po_14:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  forall j0:int.
  (("JC_43":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_1, shift(t,
      k_0)) > mv)))) and
   (("JC_44": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_1))) and
    (("JC_45": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_1))) and
     ("JC_48": (("JC_46": (0 <= j0)) and ("JC_47": (j0 <= i0))))))) ->
  (j0 > 0) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  (result0 > mv) ->
  forall result1:int.
  (result1 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  forall intP_intM_t_4_2:(intP,
  int) memory.
  (intP_intM_t_4_2 = store(intP_intM_t_4_1, shift(t, j0), result1)) ->
  forall j1:int.
  (j1 = (j0 - 1)) ->
  (j1 = i0) ->
  ("JC_45": Sorted(t, 0, i0, intP_intM_t_4_2))

goal insert_sort_ensures_default_po_15:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  forall j0:int.
  (("JC_43":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_1, shift(t,
      k_0)) > mv)))) and
   (("JC_44": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_1))) and
    (("JC_45": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_1))) and
     ("JC_48": (("JC_46": (0 <= j0)) and ("JC_47": (j0 <= i0))))))) ->
  (j0 > 0) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  (result0 > mv) ->
  forall result1:int.
  (result1 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  forall intP_intM_t_4_2:(intP,
  int) memory.
  (intP_intM_t_4_2 = store(intP_intM_t_4_1, shift(t, j0), result1)) ->
  forall j1:int.
  (j1 = (j0 - 1)) ->
  ("JC_48": ("JC_46": (0 <= j1)))

goal insert_sort_ensures_default_po_16:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  forall j0:int.
  (("JC_43":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_1, shift(t,
      k_0)) > mv)))) and
   (("JC_44": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_1))) and
    (("JC_45": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_1))) and
     ("JC_48": (("JC_46": (0 <= j0)) and ("JC_47": (j0 <= i0))))))) ->
  (j0 > 0) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  (result0 > mv) ->
  forall result1:int.
  (result1 = select(intP_intM_t_4_1, shift(t, (j0 - 1)))) ->
  forall intP_intM_t_4_2:(intP,
  int) memory.
  (intP_intM_t_4_2 = store(intP_intM_t_4_1, shift(t, j0), result1)) ->
  forall j1:int.
  (j1 = (j0 - 1)) ->
  ("JC_48": ("JC_47": (j1 <= i0)))

goal insert_sort_ensures_default_po_17:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  forall j0:int.
  (("JC_43":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_1, shift(t,
      k_0)) > mv)))) and
   (("JC_44": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_1))) and
    (("JC_45": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_1))) and
     ("JC_48": (("JC_46": (0 <= j0)) and ("JC_47": (j0 <= i0))))))) ->
  (j0 <= 0) ->
  forall intP_intM_t_4_2:(intP,
  int) memory.
  (intP_intM_t_4_2 = store(intP_intM_t_4_1, shift(t, j0), mv)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  ("JC_36": Sorted(t, 0, i1, intP_intM_t_4_2))

goal insert_sort_ensures_default_po_18:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  forall j0:int.
  (("JC_43":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_1, shift(t,
      k_0)) > mv)))) and
   (("JC_44": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_1))) and
    (("JC_45": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_1))) and
     ("JC_48": (("JC_46": (0 <= j0)) and ("JC_47": (j0 <= i0))))))) ->
  (j0 <= 0) ->
  forall intP_intM_t_4_2:(intP,
  int) memory.
  (intP_intM_t_4_2 = store(intP_intM_t_4_1, shift(t, j0), mv)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  ("JC_39": ("JC_37": (0 <= i1)))

goal insert_sort_ensures_default_po_19:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  forall result:int.
  (result = select(intP_intM_t_4_0, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  forall j0:int.
  (("JC_43":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_1, shift(t,
      k_0)) > mv)))) and
   (("JC_44": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_1))) and
    (("JC_45": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_1))) and
     ("JC_48": (("JC_46": (0 <= j0)) and ("JC_47": (j0 <= i0))))))) ->
  (j0 <= 0) ->
  forall intP_intM_t_4_2:(intP,
  int) memory.
  (intP_intM_t_4_2 = store(intP_intM_t_4_1, shift(t, j0), mv)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  ("JC_39": ("JC_38": (i1 <= n_1)))

goal insert_sort_ensures_default_po_20:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4_0:(intP,
  int) memory.
  (("JC_36": Sorted(t, 0, i0, intP_intM_t_4_0)) and
   ("JC_39": (("JC_37": (0 <= i0)) and ("JC_38": (i0 <= n_1))))) ->
  (i0 >= n_1) ->
  ("JC_9": Sorted(t, 0, (n_1 - 1), intP_intM_t_4_0))

goal insert_sort_safety_po_1:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  (offset_min(intP_t_4_alloc_table, t) <= i0)

goal insert_sort_safety_po_2:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  (i0 <= offset_max(intP_t_4_alloc_table, t))

goal insert_sort_safety_po_3:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 > 0) ->
  (offset_min(intP_t_4_alloc_table, t) <= (j0 - 1))

goal insert_sort_safety_po_4:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 > 0) ->
  ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))

goal insert_sort_safety_po_5:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 > 0) ->
  ((offset_min(intP_t_4_alloc_table, t) <= (j0 - 1)) and
   ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_0, shift(t, (j0 - 1)))) ->
  (result0 <= mv) ->
  (offset_min(intP_t_4_alloc_table, t) <= j0)

goal insert_sort_safety_po_6:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 > 0) ->
  ((offset_min(intP_t_4_alloc_table, t) <= (j0 - 1)) and
   ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_0, shift(t, (j0 - 1)))) ->
  (result0 <= mv) ->
  (j0 <= offset_max(intP_t_4_alloc_table, t))

goal insert_sort_safety_po_7:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 > 0) ->
  ((offset_min(intP_t_4_alloc_table, t) <= (j0 - 1)) and
   ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_0, shift(t, (j0 - 1)))) ->
  (result0 <= mv) ->
  ((offset_min(intP_t_4_alloc_table, t) <= j0) and
   (j0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  (intP_intM_t_4_1 = store(intP_intM_t_4_0, shift(t, j0), mv)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  (0 <= ("JC_35": (n_1 - i0)))

goal insert_sort_safety_po_8:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 > 0) ->
  ((offset_min(intP_t_4_alloc_table, t) <= (j0 - 1)) and
   ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_0, shift(t, (j0 - 1)))) ->
  (result0 <= mv) ->
  ((offset_min(intP_t_4_alloc_table, t) <= j0) and
   (j0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  (intP_intM_t_4_1 = store(intP_intM_t_4_0, shift(t, j0), mv)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  (("JC_35": (n_1 - i1)) < ("JC_35": (n_1 - i0)))

goal insert_sort_safety_po_9:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 > 0) ->
  ((offset_min(intP_t_4_alloc_table, t) <= (j0 - 1)) and
   ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_0, shift(t, (j0 - 1)))) ->
  (result0 > mv) ->
  ((offset_min(intP_t_4_alloc_table, t) <= (j0 - 1)) and
   ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result1:int.
  (result1 = select(intP_intM_t_4_0, shift(t, (j0 - 1)))) ->
  (offset_min(intP_t_4_alloc_table, t) <= j0)

goal insert_sort_safety_po_10:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 > 0) ->
  ((offset_min(intP_t_4_alloc_table, t) <= (j0 - 1)) and
   ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_0, shift(t, (j0 - 1)))) ->
  (result0 > mv) ->
  ((offset_min(intP_t_4_alloc_table, t) <= (j0 - 1)) and
   ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result1:int.
  (result1 = select(intP_intM_t_4_0, shift(t, (j0 - 1)))) ->
  (j0 <= offset_max(intP_t_4_alloc_table, t))

goal insert_sort_safety_po_11:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 > 0) ->
  ((offset_min(intP_t_4_alloc_table, t) <= (j0 - 1)) and
   ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_0, shift(t, (j0 - 1)))) ->
  (result0 > mv) ->
  ((offset_min(intP_t_4_alloc_table, t) <= (j0 - 1)) and
   ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result1:int.
  (result1 = select(intP_intM_t_4_0, shift(t, (j0 - 1)))) ->
  ((offset_min(intP_t_4_alloc_table, t) <= j0) and
   (j0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  (intP_intM_t_4_1 = store(intP_intM_t_4_0, shift(t, j0), result1)) ->
  forall j1:int.
  (j1 = (j0 - 1)) ->
  (0 <= ("JC_33": j0))

goal insert_sort_safety_po_12:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 > 0) ->
  ((offset_min(intP_t_4_alloc_table, t) <= (j0 - 1)) and
   ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_4_0, shift(t, (j0 - 1)))) ->
  (result0 > mv) ->
  ((offset_min(intP_t_4_alloc_table, t) <= (j0 - 1)) and
   ((j0 - 1) <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result1:int.
  (result1 = select(intP_intM_t_4_0, shift(t, (j0 - 1)))) ->
  ((offset_min(intP_t_4_alloc_table, t) <= j0) and
   (j0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  (intP_intM_t_4_1 = store(intP_intM_t_4_0, shift(t, j0), result1)) ->
  forall j1:int.
  (j1 = (j0 - 1)) ->
  (("JC_33": j1) < ("JC_33": j0))

goal insert_sort_safety_po_13:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 <= 0) ->
  (offset_min(intP_t_4_alloc_table, t) <= j0)

goal insert_sort_safety_po_14:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 <= 0) ->
  (j0 <= offset_max(intP_t_4_alloc_table, t))

goal insert_sort_safety_po_15:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 <= 0) ->
  ((offset_min(intP_t_4_alloc_table, t) <= j0) and
   (j0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  (intP_intM_t_4_1 = store(intP_intM_t_4_0, shift(t, j0), mv)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  (0 <= ("JC_35": (n_1 - i0)))

goal insert_sort_safety_po_16:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_4_alloc_table:intP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(intP_t_4_alloc_table, t) <= 0)) and
   ("JC_6": (offset_max(intP_t_4_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 1) ->
  forall i:int.
  (i = 1) ->
  forall i0:int.
  forall intP_intM_t_4:(intP,
  int) memory.
  ("JC_18": true) ->
  (("JC_13": Sorted(t, 0, i0, intP_intM_t_4)) and
   ("JC_16": (("JC_14": (0 <= i0)) and ("JC_15": (i0 <= n_1))))) ->
  (i0 < n_1) ->
  ((offset_min(intP_t_4_alloc_table, t) <= i0) and
   (i0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_4, shift(t, i0))) ->
  forall mv:int.
  (mv = result) ->
  forall j:int.
  (j = i0) ->
  forall intP_intM_t_4_0:(intP,
  int) memory.
  forall j0:int.
  ("JC_28": true) ->
  (("JC_21":
   (forall k_0:int.
     (((j0 <= k_0) and (k_0 < i0)) -> (select(intP_intM_t_4_0, shift(t,
      k_0)) > mv)))) and
   (("JC_22": ((j0 < i0) -> Sorted(t, 0, (i0 + 1), intP_intM_t_4_0))) and
    (("JC_23": ((j0 = i0) -> Sorted(t, 0, i0, intP_intM_t_4_0))) and
     ("JC_26": (("JC_24": (0 <= j0)) and ("JC_25": (j0 <= i0))))))) ->
  (j0 <= 0) ->
  ((offset_min(intP_t_4_alloc_table, t) <= j0) and
   (j0 <= offset_max(intP_t_4_alloc_table, t))) ->
  forall intP_intM_t_4_1:(intP,
  int) memory.
  (intP_intM_t_4_1 = store(intP_intM_t_4_0, shift(t, j0), mv)) ->
  forall i1:int.
  (i1 = (i0 + 1)) ->
  (("JC_35": (n_1 - i1)) < ("JC_35": (n_1 - i0)))

// RUNSIMPLIFY: will ask regtests to run Simplify on this program
========== generation of Simplify VC output ==========
why -simplify [...] why/insertion_sort.why
========== file tests/c/insertion_sort.jessie/simplify/insertion_sort_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(DEFPRED (Swap a i_1 j_0 intP_intM_a_1_at_L2 intP_intM_a_1_at_L1)
  (AND
  (EQ (select intP_intM_a_1_at_L1 (shift a i_1))
  (select intP_intM_a_1_at_L2 (shift a j_0)))
  (AND
  (EQ (select intP_intM_a_1_at_L1 (shift a j_0))
  (select intP_intM_a_1_at_L2 (shift a i_1)))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i_1) (NEQ k j_0))
  (EQ (select intP_intM_a_1_at_L1 (shift a k))
  (select intP_intM_a_1_at_L2 (shift a k))))))))

(BG_PUSH
 ;; Why axiom Permut_inversion
 (FORALL (aux_1 aux_2 aux_3 aux_4 aux_5)
 (IMPLIES (EQ (Permut aux_1 aux_2 aux_3 aux_4 aux_5) |@true|)
 (OR
 (EXISTS (intP_intM_a_0_2_at_L)
 (EXISTS (a_1)
 (EXISTS (l_0)
 (EXISTS (h_0)
 (AND (EQ aux_1 a_1)
 (AND (EQ aux_2 l_0)
 (AND (EQ aux_3 h_0)
 (AND (EQ aux_4 intP_intM_a_0_2_at_L) (EQ aux_5 intP_intM_a_0_2_at_L)))))))))
 (OR
 (EXISTS (intP_intM_a_0_2_at_L2)
 (EXISTS (intP_intM_a_0_2_at_L1)
 (EXISTS (a_2)
 (EXISTS (l_1)
 (EXISTS (h_1)
 (AND
 (EQ (Permut
 a_2 l_1 h_1 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|)
 (AND (EQ aux_1 a_2)
 (AND (EQ aux_2 l_1)
 (AND (EQ aux_3 h_1)
 (AND (EQ aux_4 intP_intM_a_0_2_at_L1) (EQ aux_5 intP_intM_a_0_2_at_L2)))))))))))
 (OR
 (EXISTS (intP_intM_a_0_2_at_L3)
 (EXISTS (intP_intM_a_0_2_at_L2)
 (EXISTS (intP_intM_a_0_2_at_L1)
 (EXISTS (a_3)
 (EXISTS (l_2)
 (EXISTS (h_2)
 (AND
 (AND
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|)
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L3 intP_intM_a_0_2_at_L2) |@true|))
 (AND (EQ aux_1 a_3)
 (AND (EQ aux_2 l_2)
 (AND (EQ aux_3 h_2)
 (AND (EQ aux_4 intP_intM_a_0_2_at_L3) (EQ aux_5 intP_intM_a_0_2_at_L1))))))))))))
 (EXISTS (intP_intM_a_0_2_at_L2)
 (EXISTS (intP_intM_a_0_2_at_L1)
 (EXISTS (a_4)
 (EXISTS (l_3)
 (EXISTS (h_3)
 (EXISTS (i_2)
 (EXISTS (j_1)
 (AND
 (AND (<= l_3 i_2)
 (AND (<= i_2 h_3)
 (AND (<= l_3 j_1)
 (AND (<= j_1 h_3)
 (Swap a_4 i_2 j_1 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1)))))
 (AND (EQ aux_1 a_4)
 (AND (EQ aux_2 l_3)
 (AND (EQ aux_3 h_3)
 (AND (EQ aux_4 intP_intM_a_0_2_at_L2) (EQ aux_5 intP_intM_a_0_2_at_L1)))))))))))))))))))

(BG_PUSH
 ;; Why axiom Permut_refl
 (FORALL (intP_intM_a_0_2_at_L a_1 l_0 h_0)
 (EQ (Permut a_1 l_0 h_0 intP_intM_a_0_2_at_L intP_intM_a_0_2_at_L) |@true|)))

(BG_PUSH
 ;; Why axiom Permut_sym
 (FORALL (intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1 a_2 l_1 h_1)
 (IMPLIES
 (EQ (Permut
 a_2 l_1 h_1 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|)
 (EQ (Permut
 a_2 l_1 h_1 intP_intM_a_0_2_at_L1 intP_intM_a_0_2_at_L2) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_trans
 (FORALL (intP_intM_a_0_2_at_L3 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1 a_3 l_2 h_2)
 (IMPLIES
 (AND
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|)
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L3 intP_intM_a_0_2_at_L2) |@true|))
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L3 intP_intM_a_0_2_at_L1) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_swap
 (FORALL (intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1 a_4 l_3 h_3 i_2 j_1)
 (IMPLIES
 (AND (<= l_3 i_2)
 (AND (<= i_2 h_3)
 (AND (<= l_3 j_1)
 (AND (<= j_1 h_3)
 (Swap a_4 i_2 j_1 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1)))))
 (EQ (Permut
 a_4 l_3 h_3 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|))))

(DEFPRED (Sorted a_5 l_4 h_4 intP_intM_a_5_3_at_L)
  (FORALL (i_3 j_2)
  (IMPLIES (AND (<= l_4 i_3) (AND (<= i_3 j_2) (< j_2 h_4)))
  (<= (select intP_intM_a_5_3_at_L (shift a_5 i_3)) (select
                                                    intP_intM_a_5_3_at_L 
                                                    (shift a_5 j_2))))))

(BG_PUSH
 ;; Why axiom charP_int
 (EQ (int_of_tag charP_tag) 1))

(BG_PUSH
 ;; Why axiom charP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (charP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom charP_parenttag_bottom
 (EQ (parenttag charP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom charP_tags
 (FORALL (x charP_tag_table) (instanceof charP_tag_table x charP_tag)))

(BG_PUSH
 ;; Why axiom intP_int
 (EQ (int_of_tag intP_tag) 1))

(BG_PUSH
 ;; Why axiom intP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (intP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom intP_parenttag_bottom
 (EQ (parenttag intP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom intP_tags
 (FORALL (x intP_tag_table) (instanceof intP_tag_table x intP_tag)))

(DEFPRED (left_valid_struct_charP p a charP_alloc_table)
  (<= (offset_min charP_alloc_table p) a))

(DEFPRED (left_valid_struct_intP p a intP_alloc_table)
  (<= (offset_min intP_alloc_table p) a))

(DEFPRED (left_valid_struct_unsigned_charP p a unsigned_charP_alloc_table)
  (<= (offset_min unsigned_charP_alloc_table p) a))

(DEFPRED (left_valid_struct_voidP p a voidP_alloc_table)
  (<= (offset_min voidP_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_charP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (charP_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_intP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (intP_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_unsigned_charP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (unsigned_charP_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_voidP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (voidP_of_pointer_address p)))))

(DEFPRED (right_valid_struct_charP p b charP_alloc_table)
  (>= (offset_max charP_alloc_table p) b))

(DEFPRED (right_valid_struct_intP p b intP_alloc_table)
  (>= (offset_max intP_alloc_table p) b))

(DEFPRED (right_valid_struct_unsigned_charP p b unsigned_charP_alloc_table)
  (>= (offset_max unsigned_charP_alloc_table p) b))

(DEFPRED (right_valid_struct_voidP p b voidP_alloc_table)
  (>= (offset_max voidP_alloc_table p) b))

(DEFPRED (strict_valid_root_charP p a b charP_alloc_table)
  (AND (EQ (offset_min charP_alloc_table p) a)
  (EQ (offset_max charP_alloc_table p) b)))

(DEFPRED (strict_valid_root_intP p a b intP_alloc_table)
  (AND (EQ (offset_min intP_alloc_table p) a)
  (EQ (offset_max intP_alloc_table p) b)))

(DEFPRED (strict_valid_root_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (EQ (offset_min unsigned_charP_alloc_table p) a)
  (EQ (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (strict_valid_root_voidP p a b voidP_alloc_table)
  (AND (EQ (offset_min voidP_alloc_table p) a)
  (EQ (offset_max voidP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_charP p a b charP_alloc_table)
  (AND (EQ (offset_min charP_alloc_table p) a)
  (EQ (offset_max charP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_intP p a b intP_alloc_table)
  (AND (EQ (offset_min intP_alloc_table p) a)
  (EQ (offset_max intP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (EQ (offset_min unsigned_charP_alloc_table p) a)
  (EQ (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_voidP p a b voidP_alloc_table)
  (AND (EQ (offset_min voidP_alloc_table p) a)
  (EQ (offset_max voidP_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom unsigned_charP_int
 (EQ (int_of_tag unsigned_charP_tag) 1))

(BG_PUSH
 ;; Why axiom unsigned_charP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (unsigned_charP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom unsigned_charP_parenttag_bottom
 (EQ (parenttag unsigned_charP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom unsigned_charP_tags
 (FORALL (x unsigned_charP_tag_table)
 (instanceof unsigned_charP_tag_table x unsigned_charP_tag)))

(DEFPRED (valid_root_charP p a b charP_alloc_table)
  (AND (<= (offset_min charP_alloc_table p) a)
  (>= (offset_max charP_alloc_table p) b)))

(DEFPRED (valid_root_intP p a b intP_alloc_table)
  (AND (<= (offset_min intP_alloc_table p) a)
  (>= (offset_max intP_alloc_table p) b)))

(DEFPRED (valid_root_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (<= (offset_min unsigned_charP_alloc_table p) a)
  (>= (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (valid_root_voidP p a b voidP_alloc_table)
  (AND (<= (offset_min voidP_alloc_table p) a)
  (>= (offset_max voidP_alloc_table p) b)))

(DEFPRED (valid_struct_charP p a b charP_alloc_table)
  (AND (<= (offset_min charP_alloc_table p) a)
  (>= (offset_max charP_alloc_table p) b)))

(DEFPRED (valid_struct_intP p a b intP_alloc_table)
  (AND (<= (offset_min intP_alloc_table p) a)
  (>= (offset_max intP_alloc_table p) b)))

(DEFPRED (valid_struct_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (<= (offset_min unsigned_charP_alloc_table p) a)
  (>= (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (valid_struct_voidP p a b voidP_alloc_table)
  (AND (<= (offset_min voidP_alloc_table p) a)
  (>= (offset_max voidP_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom voidP_int
 (EQ (int_of_tag voidP_tag) 1))

(BG_PUSH
 ;; Why axiom voidP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (voidP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom voidP_parenttag_bottom
 (EQ (parenttag voidP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom voidP_tags
 (FORALL (x voidP_tag_table) (instanceof voidP_tag_table x voidP_tag)))

;; insert_sort_ensures_default_po_1, File "HOME/tests/c/insertion_sort.c", line 39, characters 12-27
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(FORALL (intP_intM_t_4)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (<= n_1 1) (Sorted t 0 (- n_1 1) intP_intM_t_4)))))))

;; insert_sort_ensures_default_po_2, File "HOME/tests/c/insertion_sort.c", line 46, characters 21-34
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(FORALL (intP_intM_t_4)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i) (IMPLIES (EQ i 1) (Sorted t 0 i intP_intM_t_4)))))))))

;; insert_sort_ensures_default_po_3, File "HOME/tests/c/insertion_sort.c", line 45, characters 21-27
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1) (FORALL (i) (IMPLIES (EQ i 1) (<= 0 i))))))))

;; insert_sort_ensures_default_po_4, File "HOME/tests/c/insertion_sort.c", line 45, characters 26-32
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1) (FORALL (i) (IMPLIES (EQ i 1) (<= i n_1))))))))

;; insert_sort_ensures_default_po_5, File "HOME/tests/c/insertion_sort.c", line 55, characters 23-66
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (k_0)
(IMPLIES (AND (<= j k_0) (< k_0 i0))
(> (select intP_intM_t_4_0 (shift t k_0)) mv))))))))))))))))))))

;; insert_sort_ensures_default_po_6, File "HOME/tests/c/insertion_sort.c", line 54, characters 23-48
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0) (IMPLIES (< j i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0)))))))))))))))))))

;; insert_sort_ensures_default_po_7, File "HOME/tests/c/insertion_sort.c", line 52, characters 23-29
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result) (FORALL (j) (IMPLIES (EQ j i0) (<= 0 j))))))))))))))))))

;; insert_sort_ensures_default_po_8, File "HOME/tests/c/insertion_sort.c", line 52, characters 28-34
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result) (FORALL (j) (IMPLIES (EQ j i0) (<= j i0))))))))))))))))))

;; insert_sort_ensures_default_po_9, File "HOME/tests/c/insertion_sort.c", line 46, characters 21-34
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_1)
(FORALL (j0)
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_1 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_1))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_1))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_1 (shift t (- j0 1))))
(IMPLIES (<= result0 mv)
(FORALL (intP_intM_t_4_2)
(IMPLIES (EQ intP_intM_t_4_2 (|why__store| intP_intM_t_4_1 (shift t j0) mv))
(FORALL (i1) (IMPLIES (EQ i1 (+ i0 1)) (Sorted t 0 i1 intP_intM_t_4_2)))))))))))))))))))))))))))))

;; insert_sort_ensures_default_po_10, File "HOME/tests/c/insertion_sort.c", line 45, characters 21-27
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_1)
(FORALL (j0)
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_1 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_1))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_1))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_1 (shift t (- j0 1))))
(IMPLIES (<= result0 mv)
(FORALL (intP_intM_t_4_2)
(IMPLIES (EQ intP_intM_t_4_2 (|why__store| intP_intM_t_4_1 (shift t j0) mv))
(FORALL (i1) (IMPLIES (EQ i1 (+ i0 1)) (<= 0 i1)))))))))))))))))))))))))))))

;; insert_sort_ensures_default_po_11, File "HOME/tests/c/insertion_sort.c", line 45, characters 26-32
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_1)
(FORALL (j0)
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_1 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_1))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_1))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_1 (shift t (- j0 1))))
(IMPLIES (<= result0 mv)
(FORALL (intP_intM_t_4_2)
(IMPLIES (EQ intP_intM_t_4_2 (|why__store| intP_intM_t_4_1 (shift t j0) mv))
(FORALL (i1) (IMPLIES (EQ i1 (+ i0 1)) (<= i1 n_1)))))))))))))))))))))))))))))

;; insert_sort_ensures_default_po_12, File "HOME/tests/c/insertion_sort.c", line 55, characters 23-66
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_1)
(FORALL (j0)
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_1 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_1))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_1))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_1 (shift t (- j0 1))))
(IMPLIES (> result0 mv)
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_4_1 (shift t (- j0 1))))
(FORALL (intP_intM_t_4_2)
(IMPLIES (EQ intP_intM_t_4_2
         (|why__store| intP_intM_t_4_1 (shift t j0) result1))
(FORALL (j1)
(IMPLIES (EQ j1 (- j0 1))
(FORALL (k_0)
(IMPLIES (AND (<= j1 k_0) (< k_0 i0))
(> (select intP_intM_t_4_2 (shift t k_0)) mv)))))))))))))))))))))))))))))))))

;; insert_sort_ensures_default_po_13, File "HOME/tests/c/insertion_sort.c", line 54, characters 23-48
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_1)
(FORALL (j0)
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_1 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_1))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_1))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_1 (shift t (- j0 1))))
(IMPLIES (> result0 mv)
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_4_1 (shift t (- j0 1))))
(FORALL (intP_intM_t_4_2)
(IMPLIES (EQ intP_intM_t_4_2
         (|why__store| intP_intM_t_4_1 (shift t j0) result1))
(FORALL (j1)
(IMPLIES (EQ j1 (- j0 1))
(IMPLIES (< j1 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_2))))))))))))))))))))))))))))))))

;; insert_sort_ensures_default_po_14, File "HOME/tests/c/insertion_sort.c", line 53, characters 23-47
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_1)
(FORALL (j0)
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_1 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_1))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_1))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_1 (shift t (- j0 1))))
(IMPLIES (> result0 mv)
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_4_1 (shift t (- j0 1))))
(FORALL (intP_intM_t_4_2)
(IMPLIES (EQ intP_intM_t_4_2
         (|why__store| intP_intM_t_4_1 (shift t j0) result1))
(FORALL (j1)
(IMPLIES (EQ j1 (- j0 1))
(IMPLIES (EQ j1 i0) (Sorted t 0 i0 intP_intM_t_4_2))))))))))))))))))))))))))))))))

;; insert_sort_ensures_default_po_15, File "HOME/tests/c/insertion_sort.c", line 52, characters 23-29
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_1)
(FORALL (j0)
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_1 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_1))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_1))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_1 (shift t (- j0 1))))
(IMPLIES (> result0 mv)
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_4_1 (shift t (- j0 1))))
(FORALL (intP_intM_t_4_2)
(IMPLIES (EQ intP_intM_t_4_2
         (|why__store| intP_intM_t_4_1 (shift t j0) result1))
(FORALL (j1) (IMPLIES (EQ j1 (- j0 1)) (<= 0 j1)))))))))))))))))))))))))))))))

;; insert_sort_ensures_default_po_16, File "HOME/tests/c/insertion_sort.c", line 52, characters 28-34
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_1)
(FORALL (j0)
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_1 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_1))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_1))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_1 (shift t (- j0 1))))
(IMPLIES (> result0 mv)
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_4_1 (shift t (- j0 1))))
(FORALL (intP_intM_t_4_2)
(IMPLIES (EQ intP_intM_t_4_2
         (|why__store| intP_intM_t_4_1 (shift t j0) result1))
(FORALL (j1) (IMPLIES (EQ j1 (- j0 1)) (<= j1 i0)))))))))))))))))))))))))))))))

;; insert_sort_ensures_default_po_17, File "HOME/tests/c/insertion_sort.c", line 46, characters 21-34
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_1)
(FORALL (j0)
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_1 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_1))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_1))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (<= j0 0)
(FORALL (intP_intM_t_4_2)
(IMPLIES (EQ intP_intM_t_4_2 (|why__store| intP_intM_t_4_1 (shift t j0) mv))
(FORALL (i1) (IMPLIES (EQ i1 (+ i0 1)) (Sorted t 0 i1 intP_intM_t_4_2))))))))))))))))))))))))))

;; insert_sort_ensures_default_po_18, File "HOME/tests/c/insertion_sort.c", line 45, characters 21-27
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_1)
(FORALL (j0)
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_1 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_1))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_1))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (<= j0 0)
(FORALL (intP_intM_t_4_2)
(IMPLIES (EQ intP_intM_t_4_2 (|why__store| intP_intM_t_4_1 (shift t j0) mv))
(FORALL (i1) (IMPLIES (EQ i1 (+ i0 1)) (<= 0 i1))))))))))))))))))))))))))

;; insert_sort_ensures_default_po_19, File "HOME/tests/c/insertion_sort.c", line 45, characters 26-32
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4_0 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_1)
(FORALL (j0)
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_1 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_1))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_1))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (<= j0 0)
(FORALL (intP_intM_t_4_2)
(IMPLIES (EQ intP_intM_t_4_2 (|why__store| intP_intM_t_4_1 (shift t j0) mv))
(FORALL (i1) (IMPLIES (EQ i1 (+ i0 1)) (<= i1 n_1))))))))))))))))))))))))))

;; insert_sort_ensures_default_po_20, File "HOME/tests/c/insertion_sort.c", line 39, characters 12-27
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4_0)
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4_0) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (>= i0 n_1) (Sorted t 0 (- n_1 1) intP_intM_t_4_0))))))))))))

;; insert_sort_safety_po_1, File "HOME/tests/c/insertion_sort.c", line 51, characters 9-13
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1) (<= (offset_min intP_t_4_alloc_table t) i0)))))))))))))

;; insert_sort_safety_po_2, File "HOME/tests/c/insertion_sort.c", line 51, characters 9-13
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1) (<= i0 (offset_max intP_t_4_alloc_table t))))))))))))))

;; insert_sort_safety_po_3, File "HOME/tests/c/insertion_sort.c", line 60, characters 10-16
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0) (<= (offset_min intP_t_4_alloc_table t) (- j0 1))))))))))))))))))))))))))

;; insert_sort_safety_po_4, File "HOME/tests/c/insertion_sort.c", line 60, characters 10-16
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0) (<= (- j0 1) (offset_max intP_t_4_alloc_table t))))))))))))))))))))))))))

;; insert_sort_safety_po_5, File "why/insertion_sort.why", line 613, characters 23-110
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) (- j0 1))
         (<= (- j0 1) (offset_max intP_t_4_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_0 (shift t (- j0 1))))
(IMPLIES (<= result0 mv) (<= (offset_min intP_t_4_alloc_table t) j0)))))))))))))))))))))))))))))

;; insert_sort_safety_po_6, File "why/insertion_sort.why", line 613, characters 23-110
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) (- j0 1))
         (<= (- j0 1) (offset_max intP_t_4_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_0 (shift t (- j0 1))))
(IMPLIES (<= result0 mv) (<= j0 (offset_max intP_t_4_alloc_table t))))))))))))))))))))))))))))))

;; insert_sort_safety_po_7, File "HOME/tests/c/insertion_sort.c", line 47, characters 19-22
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) (- j0 1))
         (<= (- j0 1) (offset_max intP_t_4_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_0 (shift t (- j0 1))))
(IMPLIES (<= result0 mv)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) j0)
         (<= j0 (offset_max intP_t_4_alloc_table t)))
(FORALL (intP_intM_t_4_1)
(IMPLIES (EQ intP_intM_t_4_1 (|why__store| intP_intM_t_4_0 (shift t j0) mv))
(FORALL (i1) (IMPLIES (EQ i1 (+ i0 1)) (<= 0 (- n_1 i0)))))))))))))))))))))))))))))))))))

;; insert_sort_safety_po_8, File "HOME/tests/c/insertion_sort.c", line 47, characters 19-22
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) (- j0 1))
         (<= (- j0 1) (offset_max intP_t_4_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_0 (shift t (- j0 1))))
(IMPLIES (<= result0 mv)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) j0)
         (<= j0 (offset_max intP_t_4_alloc_table t)))
(FORALL (intP_intM_t_4_1)
(IMPLIES (EQ intP_intM_t_4_1 (|why__store| intP_intM_t_4_0 (shift t j0) mv))
(FORALL (i1) (IMPLIES (EQ i1 (+ i0 1)) (< (- n_1 i1) (- n_1 i0)))))))))))))))))))))))))))))))))))

;; insert_sort_safety_po_9, File "why/insertion_sort.why", line 596, characters 32-119
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) (- j0 1))
         (<= (- j0 1) (offset_max intP_t_4_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_0 (shift t (- j0 1))))
(IMPLIES (> result0 mv)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) (- j0 1))
         (<= (- j0 1) (offset_max intP_t_4_alloc_table t)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_4_0 (shift t (- j0 1))))
(<= (offset_min intP_t_4_alloc_table t) j0))))))))))))))))))))))))))))))))

;; insert_sort_safety_po_10, File "why/insertion_sort.why", line 596, characters 32-119
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) (- j0 1))
         (<= (- j0 1) (offset_max intP_t_4_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_0 (shift t (- j0 1))))
(IMPLIES (> result0 mv)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) (- j0 1))
         (<= (- j0 1) (offset_max intP_t_4_alloc_table t)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_4_0 (shift t (- j0 1))))
(<= j0 (offset_max intP_t_4_alloc_table t)))))))))))))))))))))))))))))))))

;; insert_sort_safety_po_11, File "HOME/tests/c/insertion_sort.c", line 56, characters 21-22
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) (- j0 1))
         (<= (- j0 1) (offset_max intP_t_4_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_0 (shift t (- j0 1))))
(IMPLIES (> result0 mv)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) (- j0 1))
         (<= (- j0 1) (offset_max intP_t_4_alloc_table t)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_4_0 (shift t (- j0 1))))
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) j0)
         (<= j0 (offset_max intP_t_4_alloc_table t)))
(FORALL (intP_intM_t_4_1)
(IMPLIES (EQ intP_intM_t_4_1
         (|why__store| intP_intM_t_4_0 (shift t j0) result1))
(FORALL (j1) (IMPLIES (EQ j1 (- j0 1)) (<= 0 j0)))))))))))))))))))))))))))))))))))))

;; insert_sort_safety_po_12, File "HOME/tests/c/insertion_sort.c", line 56, characters 21-22
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (> j0 0)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) (- j0 1))
         (<= (- j0 1) (offset_max intP_t_4_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_4_0 (shift t (- j0 1))))
(IMPLIES (> result0 mv)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) (- j0 1))
         (<= (- j0 1) (offset_max intP_t_4_alloc_table t)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_4_0 (shift t (- j0 1))))
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) j0)
         (<= j0 (offset_max intP_t_4_alloc_table t)))
(FORALL (intP_intM_t_4_1)
(IMPLIES (EQ intP_intM_t_4_1
         (|why__store| intP_intM_t_4_0 (shift t j0) result1))
(FORALL (j1) (IMPLIES (EQ j1 (- j0 1)) (< j1 j0)))))))))))))))))))))))))))))))))))))

;; insert_sort_safety_po_13, File "why/insertion_sort.why", line 613, characters 23-110
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (<= j0 0) (<= (offset_min intP_t_4_alloc_table t) j0)))))))))))))))))))))))))

;; insert_sort_safety_po_14, File "why/insertion_sort.why", line 613, characters 23-110
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (<= j0 0) (<= j0 (offset_max intP_t_4_alloc_table t))))))))))))))))))))))))))

;; insert_sort_safety_po_15, File "HOME/tests/c/insertion_sort.c", line 47, characters 19-22
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (<= j0 0)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) j0)
         (<= j0 (offset_max intP_t_4_alloc_table t)))
(FORALL (intP_intM_t_4_1)
(IMPLIES (EQ intP_intM_t_4_1 (|why__store| intP_intM_t_4_0 (shift t j0) mv))
(FORALL (i1) (IMPLIES (EQ i1 (+ i0 1)) (<= 0 (- n_1 i0)))))))))))))))))))))))))))))))

;; insert_sort_safety_po_16, File "HOME/tests/c/insertion_sort.c", line 47, characters 19-22
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) 0)
         (>= (offset_max intP_t_4_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 1)
(FORALL (i)
(IMPLIES (EQ i 1)
(FORALL (i0)
(FORALL (intP_intM_t_4)
(IMPLIES TRUE
(IMPLIES (AND (Sorted t 0 i0 intP_intM_t_4) (AND (<= 0 i0) (<= i0 n_1)))
(IMPLIES (< i0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) i0)
         (<= i0 (offset_max intP_t_4_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_4 (shift t i0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (j)
(IMPLIES (EQ j i0)
(FORALL (intP_intM_t_4_0)
(FORALL (j0)
(IMPLIES TRUE
(IMPLIES (AND
         (FORALL (k_0)
         (IMPLIES (AND (<= j0 k_0) (< k_0 i0))
         (> (select intP_intM_t_4_0 (shift t k_0)) mv)))
         (AND (IMPLIES (< j0 i0) (Sorted t 0 (+ i0 1) intP_intM_t_4_0))
         (AND (IMPLIES (EQ j0 i0) (Sorted t 0 i0 intP_intM_t_4_0))
         (AND (<= 0 j0) (<= j0 i0)))))
(IMPLIES (<= j0 0)
(IMPLIES (AND (<= (offset_min intP_t_4_alloc_table t) j0)
         (<= j0 (offset_max intP_t_4_alloc_table t)))
(FORALL (intP_intM_t_4_1)
(IMPLIES (EQ intP_intM_t_4_1 (|why__store| intP_intM_t_4_0 (shift t j0) mv))
(FORALL (i1) (IMPLIES (EQ i1 (+ i0 1)) (< (- n_1 i1) (- n_1 i0)))))))))))))))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/insertion_sort_why.sx: .................................... (36/0/0/0/0)
total   :  36
valid   :  36 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
why-2.34/tests/c/oracle/swap.res.oracle0000644000175000017500000016346212311670312016413 0ustar  rtusers========== file tests/c/swap.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

int a;
int b;

/*@ ensures a == \old(b) && b == \old(a);
  @*/
void swap() {
  int tmp = a;
  a = b;
  b = tmp;
}
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/swap.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/swap.jessie
[jessie] File tests/c/swap.jessie/swap.jc written.
[jessie] File tests/c/swap.jessie/swap.cloc written.
========== file tests/c/swap.jessie/swap.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

int32 a;

int32 b;

unit swap()
behavior default:
  ensures (_C_4 : ((_C_5 : (a == \at(b,Old))) && (_C_6 : (b == \at(a,Old)))));
{  
   (var int32 tmp);
   
   {  (_C_1 : (tmp = a));
      (_C_2 : (a = b));
      (_C_3 : (b = tmp));
      
      (return ())
   }
}
========== file tests/c/swap.jessie/swap.cloc ==========
[_C_4]
file = "HOME/tests/c/swap.c"
line = 35
begin = 12
end = 40

[_C_5]
file = "HOME/tests/c/swap.c"
line = 35
begin = 12
end = 24

[_C_6]
file = "HOME/tests/c/swap.c"
line = 35
begin = 28
end = 40

[_C_3]
file = "HOME/tests/c/swap.c"
line = 40
begin = 6
end = 9

[swap]
name = "Function swap"
file = "HOME/tests/c/swap.c"
line = 37
begin = 5
end = 9

[_C_2]
file = "HOME/tests/c/swap.c"
line = 39
begin = 6
end = 7

[_C_1]
file = "HOME/tests/c/swap.c"
line = 38
begin = 2
end = 5

========== jessie execution ==========
Generating Why function swap
========== file tests/c/swap.jessie/swap.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs swap.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs swap.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/swap_why.sx

project: why/swap.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/swap_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/swap_why.vo

coq/swap_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/swap_why.v: why/swap.why
	@echo 'why -coq [...] why/swap.why' && $(WHY) $(JESSIELIBFILES) why/swap.why && rm -f coq/jessie_why.v

coq-goals: goals coq/swap_ctx_why.vo
	for f in why/*_po*.why; do make -f swap.makefile coq/`basename $$f .why`_why.v ; done

coq/swap_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/swap_ctx_why.v: why/swap_ctx.why
	@echo 'why -coq [...] why/swap_ctx.why' && $(WHY) why/swap_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export swap_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/swap_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/swap_ctx_why.vo

pvs: pvs/swap_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/swap_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/swap_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/swap_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/swap_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/swap_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/swap_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/swap_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/swap_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/swap_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/swap_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/swap_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/swap_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/swap_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/swap_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: swap.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/swap_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: swap.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: swap.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: swap.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include swap.depend

depend: coq/swap_why.v
	-$(COQDEP) -I coq coq/swap*_why.v > swap.depend

clean:
	rm -f coq/*.vo

========== file tests/c/swap.jessie/swap.loc ==========
[JC_5]
file = "HOME/tests/c/swap.c"
line = 35
begin = 12
end = 24

[JC_9]
file = "HOME/tests/c/swap.c"
line = 35
begin = 28
end = 40

[JC_8]
file = "HOME/tests/c/swap.c"
line = 35
begin = 12
end = 24

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/swap.c"
line = 35
begin = 28
end = 40

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[swap_ensures_default]
name = "Function swap"
behavior = "default behavior"
file = "HOME/tests/c/swap.c"
line = 37
begin = 5
end = 9

[swap_safety]
name = "Function swap"
behavior = "Safety"
file = "HOME/tests/c/swap.c"
line = 37
begin = 5
end = 9

[JC_7]
file = "HOME/tests/c/swap.c"
line = 35
begin = 12
end = 40

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/swap.c"
line = 37
begin = 5
end = 9

[JC_10]
file = "HOME/tests/c/swap.c"
line = 35
begin = 12
end = 40

[JC_3]
file = "HOME/tests/c/swap.c"
line = 37
begin = 5
end = 9

========== file tests/c/swap.jessie/why/swap.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter a : int32 ref

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter b : int32 ref

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter swap :
 tt:unit ->
  { } unit reads a,b writes a,b
  { (JC_10:
    ((JC_8: (integer_of_int32(a) = integer_of_int32(b@)))
    and (JC_9: (integer_of_int32(b) = integer_of_int32(a@))))) }

parameter swap_requires :
 tt:unit ->
  { } unit reads a,b writes a,b
  { (JC_10:
    ((JC_8: (integer_of_int32(a) = integer_of_int32(b@)))
    and (JC_9: (integer_of_int32(b) = integer_of_int32(a@))))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let swap_ensures_default =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ = (tmp := !a) in void);
      (let _jessie_ = (a := !b) in void);
      (let _jessie_ = (b := !tmp) in void); (raise Return) end);
    (raise Return) end with Return -> void end)
  { (JC_7:
    ((JC_5: (integer_of_int32(a) = integer_of_int32(b@)))
    and (JC_6: (integer_of_int32(b) = integer_of_int32(a@))))) }

let swap_safety =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ = (tmp := !a) in void);
      (let _jessie_ = (a := !b) in void);
      (let _jessie_ = (b := !tmp) in void); (raise Return) end);
    (raise Return) end with Return -> void end) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/swap.why
========== file tests/c/swap.jessie/why/swap_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal swap_ensures_default_po_1:
  forall a:int32.
  forall b:int32.
  ("JC_4": true) ->
  forall tmp:int32.
  (tmp = a) ->
  forall a0:int32.
  (a0 = b) ->
  forall b0:int32.
  (b0 = tmp) ->
  ("JC_7": ("JC_5": (integer_of_int32(a0) = integer_of_int32(b))))

goal swap_ensures_default_po_2:
  forall a:int32.
  forall b:int32.
  ("JC_4": true) ->
  forall tmp:int32.
  (tmp = a) ->
  forall a0:int32.
  (a0 = b) ->
  forall b0:int32.
  (b0 = tmp) ->
  ("JC_7": ("JC_6": (integer_of_int32(b0) = integer_of_int32(a))))

why-2.34/tests/c/oracle/muller.err.oracle0000644000175000017500000000000012311670312016712 0ustar  rtuserswhy-2.34/tests/c/oracle/floats_bsearch.res.oracle0000644000175000017500000060277012311670312020420 0ustar  rtusers========== file tests/c/floats_bsearch.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#pragma JessieFloatModel(full)

/*@ predicate sorted{L}(double *t, integer a, integer b) =
  @    \forall integer i,j; a <= i <= j <= b ==> \le_float(t[i],t[j]);
  @*/

/*@ requires n >= 0 && \valid(t + (0 .. n-1));
  @ requires ! \is_NaN(v);
  @ requires \forall integer i; 0 <= i <= n-1 ==> ! \is_NaN(t[i]);
  @ ensures -1 <= \result < n;
  @ behavior success:
  @   ensures \result >= 0 ==> \eq_float(t[\result],v);
  @ behavior failure:
  @   assumes sorted(t,0,n-1);
  @   ensures \result == -1 ==>
  @     \forall integer k; 0 <= k < n ==> \ne_float(t[k],v);
  @*/
int binary_search(double t[], int n, double v) {
  int l = 0, u = n-1;
  /*@ loop invariant
    @   0 <= l && u <= n-1;
    @ for failure:
    @   loop invariant
    @     \forall integer k;
    @      0 <= k < l ==> \lt_float(t[k],v);
    @   loop invariant
    @     \forall integer k;
    @      u < k <= n-1 ==> \lt_float(v,t[k]);
    @ loop variant u-l;
    @*/
  while (l <= u ) {
    int m = l + (u - l) / 2;
    //@ assert l <= m <= u;
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else
      {
        // assert ! \is_NaN(t[m]);
        // assert \le_float(t[m],v);
        // assert \ge_float(t[m],v);
        return m;
      }
  }
  return -1;
}

/*
Local Variables:
compile-command: "make floats_bsearch.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/floats_bsearch.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/floats_bsearch.jessie
[jessie] File tests/c/floats_bsearch.jessie/floats_bsearch.jc written.
[jessie] File tests/c/floats_bsearch.jessie/floats_bsearch.cloc written.
========== file tests/c/floats_bsearch.jessie/floats_bsearch.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol
# FloatModel = full

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag doubleP = {
  double doubleM: 64;
}

type doubleP = [doubleP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate sorted{L}(doubleP[..] t, integer a, integer b) =
(\forall integer i_1;
  (\forall integer j_0;
    (((a <= i_1) && ((i_1 <= j_0) && (j_0 <= b))) ==>
      \le_double((t + i_1).doubleM, (t + j_0).doubleM))))

int32 binary_search(doubleP[..] t, int32 n_1, double v)
  requires (_C_38 : ((_C_39 : (n_1 >= 0)) &&
                      ((_C_41 : (\offset_min(t) <= 0)) &&
                        (_C_42 : (\offset_max(t) >= (n_1 - 1))))));
  requires (_C_37 : (! \double_is_NaN(v)));
  requires (_C_36 : (\forall integer i_2;
                      (((0 <= i_2) && (i_2 <= (n_1 - 1))) ==>
                        (! \double_is_NaN((t + i_2).doubleM)))));
behavior default:
  ensures (_C_31 : ((_C_32 : ((- 1) <= \result)) &&
                     (_C_33 : (\result < \at(n_1,Old)))));
behavior success:
  ensures (_C_34 : ((\result >= 0) ==>
                     \eq_double((\at(t,Old) + \result).doubleM, \at(v,Old))));
behavior failure:
  assumes sorted{Here}(t, 0, (n_1 - 1));
  ensures (_C_35 : ((\result == (- 1)) ==>
                     (\forall integer k_1;
                       (((0 <= k_1) && (k_1 < \at(n_1,Old))) ==>
                         \ne_double((\at(t,Old) + k_1).doubleM, \at(v,Old))))));
{  
   (var int32 l);
   
   (var int32 u);
   
   (var int32 m);
   
   (var int32 __retres);
   
   {  (_C_1 : (l = 0));
      (_C_4 : (u = (_C_3 : ((_C_2 : (n_1 - 1)) :> int32))));
      
      loop 
      behavior default:
        invariant (_C_8 : ((_C_9 : (0 <= l)) && (_C_10 : (u <= (n_1 - 1)))));
      behavior failure:
        invariant (_C_7 : (\forall integer k;
                            (((0 <= k) && (k < l)) ==>
                              \lt_double((t + k).doubleM, v))));
      behavior failure:
        invariant (_C_6 : (\forall integer k_0;
                            (((u < k_0) && (k_0 <= (n_1 - 1))) ==>
                              \lt_double(v, (t + k_0).doubleM))));
      variant (_C_5 : (u - l));
      while (true)
      {  
         {  (if (l <= u) then () else 
            (goto while_0_break));
            
            {  (_C_17 : (m = (_C_16 : ((_C_15 : (l +
                                                  (_C_14 : ((_C_13 : 
                                                            ((_C_12 : (
                                                             (_C_11 : 
                                                             (u - l)) :> int32)) /
                                                              2)) :> int32)))) :> int32))));
               
               {  
                  (assert for default: (_C_18 : (jessie : ((l <= m) &&
                                                            (m <= u)))));
                  ()
               };
               
               {  (if ((_C_29 : (_C_28 : (t + m)).doubleM) < v) then 
                  (_C_27 : (l = (_C_26 : ((_C_25 : (m + 1)) :> int32)))) else 
                  (if ((_C_24 : (_C_23 : (t + m)).doubleM) > v) then 
                  (_C_22 : (u = (_C_21 : ((_C_20 : (m - 1)) :> int32)))) else 
                  {  (_C_19 : (__retres = m));
                     
                     (goto return_label)
                  }))
               }
            }
         }
      };
      (while_0_break : ());
      (_C_30 : (__retres = -1));
      (return_label : 
      (return __retres))
   }
}
========== file tests/c/floats_bsearch.jessie/floats_bsearch.cloc ==========
[_C_35]
file = "HOME/tests/c/floats_bsearch.c"
line = 46
begin = 14
end = 91

[_C_28]
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 8
end = 9

[_C_31]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 12
end = 29

[_C_41]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 23
end = 45

[_C_4]
file = "HOME/tests/c/floats_bsearch.c"
line = 50
begin = 2
end = 5

[_C_32]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 12
end = 25

[_C_23]
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 13
end = 14

[_C_19]
file = "HOME/tests/c/floats_bsearch.c"
line = 72
begin = 8
end = 17

[_C_42]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 23
end = 45

[_C_13]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[_C_5]
file = "HOME/tests/c/floats_bsearch.c"
line = 60
begin = 19
end = 22

[_C_36]
file = "HOME/tests/c/floats_bsearch.c"
line = 40
begin = 13
end = 65

[_C_12]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 17
end = 22

[_C_33]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 18
end = 29

[_C_22]
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 27
end = 32

[binary_search]
name = "Function binary_search"
file = "HOME/tests/c/floats_bsearch.c"
line = 49
begin = 4
end = 17

[_C_9]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 14

[_C_30]
file = "HOME/tests/c/floats_bsearch.c"
line = 75
begin = 2
end = 12

[_C_6]
file = "HOME/tests/c/floats_bsearch.c"
line = 58
begin = 10
end = 74

[_C_24]
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 13
end = 17

[_C_20]
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 27
end = 32

[_C_38]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 13
end = 45

[_C_3]
file = "HOME/tests/c/floats_bsearch.c"
line = 50
begin = 17
end = 20

[_C_17]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 4
end = 7

[_C_7]
file = "HOME/tests/c/floats_bsearch.c"
line = 55
begin = 10
end = 72

[_C_27]
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 22
end = 27

[_C_15]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 12
end = 27

[_C_26]
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 22
end = 27

[_C_10]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 18
end = 26

[_C_40]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 23
end = 45

[_C_8]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 26

[_C_18]
file = "HOME/tests/c/floats_bsearch.c"
line = 64
begin = 15
end = 26

[_C_29]
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 8
end = 12

[_C_14]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[_C_37]
file = "HOME/tests/c/floats_bsearch.c"
line = 39
begin = 13
end = 25

[_C_2]
file = "HOME/tests/c/floats_bsearch.c"
line = 50
begin = 17
end = 20

[_C_34]
file = "HOME/tests/c/floats_bsearch.c"
line = 43
begin = 14
end = 54

[_C_16]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 12
end = 27

[_C_1]
file = "HOME/tests/c/floats_bsearch.c"
line = 50
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 22
end = 27

[_C_39]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 13
end = 19

[_C_11]
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 17
end = 22

[_C_21]
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 27
end = 32

========== jessie execution ==========
Generating Why function binary_search
========== file tests/c/floats_bsearch.jessie/floats_bsearch.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs floats_bsearch.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs floats_bsearch.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_full.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/floats_bsearch_why.sx

project: why/floats_bsearch.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/floats_bsearch_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/floats_bsearch_why.vo

coq/floats_bsearch_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/floats_bsearch_why.v: why/floats_bsearch.why
	@echo 'why -coq [...] why/floats_bsearch.why' && $(WHY) $(JESSIELIBFILES) why/floats_bsearch.why && rm -f coq/jessie_why.v

coq-goals: goals coq/floats_bsearch_ctx_why.vo
	for f in why/*_po*.why; do make -f floats_bsearch.makefile coq/`basename $$f .why`_why.v ; done

coq/floats_bsearch_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/floats_bsearch_ctx_why.v: why/floats_bsearch_ctx.why
	@echo 'why -coq [...] why/floats_bsearch_ctx.why' && $(WHY) why/floats_bsearch_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export floats_bsearch_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/floats_bsearch_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/floats_bsearch_ctx_why.vo

pvs: pvs/floats_bsearch_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/floats_bsearch_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/floats_bsearch_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/floats_bsearch_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/floats_bsearch_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/floats_bsearch_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/floats_bsearch_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/floats_bsearch_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/floats_bsearch_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/floats_bsearch_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/floats_bsearch_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/floats_bsearch_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/floats_bsearch_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/floats_bsearch_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/floats_bsearch_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: floats_bsearch.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/floats_bsearch_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: floats_bsearch.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: floats_bsearch.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: floats_bsearch.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include floats_bsearch.depend

depend: coq/floats_bsearch_why.v
	-$(COQDEP) -I coq coq/floats_bsearch*_why.v > floats_bsearch.depend

clean:
	rm -f coq/*.vo

========== file tests/c/floats_bsearch.jessie/floats_bsearch.loc ==========
[JC_63]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 18
end = 26

[JC_51]
file = "HOME/tests/c/floats_bsearch.c"
line = 64
begin = 15
end = 26

[binary_search_ensures_default]
name = "Function binary_search"
behavior = "default behavior"
file = "HOME/tests/c/floats_bsearch.c"
line = 49
begin = 4
end = 17

[JC_45]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 18
end = 26

[JC_64]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 26

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 12
end = 29

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_23]
file = "HOME/tests/c/floats_bsearch.c"
line = 43
begin = 14
end = 54

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/tests/c/floats_bsearch.c"
line = 40
begin = 13
end = 65

[JC_67]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_9]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 23
end = 45

[JC_24]
file = "HOME/tests/c/floats_bsearch.c"
line = 43
begin = 14
end = 54

[JC_25]
file = "HOME/tests/c/floats_bsearch.c"
line = 46
begin = 14
end = 91

[JC_41]
kind = PointerDeref
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 13
end = 17

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_52]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 14

[JC_26]
file = "HOME/tests/c/floats_bsearch.c"
line = 46
begin = 14
end = 91

[JC_8]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 13
end = 19

[JC_54]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 26

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[binary_search_ensures_success]
name = "Function binary_search"
behavior = "Behavior `success'"
file = "HOME/tests/c/floats_bsearch.c"
line = 49
begin = 4
end = 17

[binary_search_ensures_failure]
name = "Function binary_search"
behavior = "Behavior `failure'"
file = "HOME/tests/c/floats_bsearch.c"
line = 49
begin = 4
end = 17

[JC_11]
file = "HOME/tests/c/floats_bsearch.c"
line = 39
begin = 13
end = 25

[JC_15]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 12
end = 25

[JC_36]
kind = ArithOverflow
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[JC_39]
kind = PointerDeref
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 8
end = 12

[JC_40]
kind = ArithOverflow
file = "HOME/tests/c/floats_bsearch.c"
line = 65
begin = 22
end = 27

[JC_35]
kind = DivByZero
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[JC_27]
kind = ArithOverflow
file = "HOME/tests/c/floats_bsearch.c"
line = 50
begin = 17
end = 20

[JC_69]
file = "HOME/tests/c/floats_bsearch.c"
line = 64
begin = 15
end = 26

[JC_38]
file = "HOME/tests/c/floats_bsearch.c"
line = 64
begin = 15
end = 26

[JC_12]
file = "HOME/tests/c/floats_bsearch.c"
line = 40
begin = 13
end = 65

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 14

[JC_4]
file = "HOME/tests/c/floats_bsearch.c"
line = 39
begin = 13
end = 25

[JC_62]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 14

[JC_42]
kind = ArithOverflow
file = "HOME/tests/c/floats_bsearch.c"
line = 66
begin = 27
end = 32

[JC_46]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 26

[JC_61]
file = "HOME/tests/c/floats_bsearch.c"
line = 55
begin = 10
end = 72

[JC_32]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_56]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_33]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 18
end = 26

[JC_68]
kind = DivByZero
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 18
end = 29

[JC_43]
file = "HOME/tests/c/floats_bsearch.c"
line = 60
begin = 19
end = 22

[JC_2]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 23
end = 45

[JC_34]
kind = ArithOverflow
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 17
end = 22

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 18
end = 26

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_1]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 13
end = 19

[JC_37]
kind = ArithOverflow
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 12
end = 27

[JC_10]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 23
end = 45

[JC_57]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_66]
file = "HOME/tests/c/floats_bsearch.jessie/floats_bsearch.jc"
line = 81
begin = 6
end = 1814

[JC_59]
file = "HOME/tests/c/floats_bsearch.c"
line = 64
begin = 15
end = 26

[JC_20]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 12
end = 29

[JC_18]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 12
end = 25

[JC_3]
file = "HOME/tests/c/floats_bsearch.c"
line = 38
begin = 23
end = 45

[JC_60]
file = "HOME/tests/c/floats_bsearch.c"
line = 58
begin = 10
end = 74

[JC_19]
file = "HOME/tests/c/floats_bsearch.c"
line = 41
begin = 18
end = 29

[JC_50]
kind = DivByZero
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[binary_search_safety]
name = "Function binary_search"
behavior = "Safety"
file = "HOME/tests/c/floats_bsearch.c"
line = 49
begin = 4
end = 17

[JC_30]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 26

[JC_58]
kind = DivByZero
file = "HOME/tests/c/floats_bsearch.c"
line = 63
begin = 16
end = 27

[JC_28]
file = "HOME/tests/c/floats_bsearch.c"
line = 52
begin = 8
end = 14

========== file tests/c/floats_bsearch.jessie/why/floats_bsearch.why ==========
type charP

type doubleP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic doubleP_tag:  -> doubleP tag_id

axiom doubleP_int : (int_of_tag(doubleP_tag) = (1))

logic doubleP_of_pointer_address: unit pointer -> doubleP pointer

axiom doubleP_of_pointer_address_of_pointer_addr :
 (forall p:doubleP pointer.
  (p = doubleP_of_pointer_address(pointer_address(p))))

axiom doubleP_parenttag_bottom : parenttag(doubleP_tag, bottom_tag)

axiom doubleP_tags :
 (forall x:doubleP pointer.
  (forall doubleP_tag_table:doubleP tag_table.
   instanceof(doubleP_tag_table, x, doubleP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_doubleP(p:doubleP pointer, a:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_min(doubleP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_doubleP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(doubleP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_doubleP(p:doubleP pointer, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_max(doubleP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate sorted(t:doubleP pointer, a:int, b:int,
 doubleP_doubleM_t_1_at_L:(doubleP, double) memory) =
 (forall i_1:int.
  (forall j_0:int.
   ((le_int(a, i_1) and (le_int(i_1, j_0) and le_int(j_0, b))) ->
    le_double_full(select(doubleP_doubleM_t_1_at_L, shift(t, i_1)),
    select(doubleP_doubleM_t_1_at_L, shift(t, j_0))))))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter doubleP_alloc_table : doubleP alloc_table ref

parameter doubleP_tag_table : doubleP tag_table ref

parameter alloc_struct_doubleP :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { } doubleP pointer writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter alloc_struct_doubleP_requires :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { ge_int(n, (0))} doubleP pointer
    writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter binary_search :
 t_0:doubleP pointer ->
  n_1:int32 ->
   v:double ->
    doubleP_t_2_alloc_table:doubleP alloc_table ->
     doubleP_doubleM_t_2:(doubleP, double) memory ->
      { } int32
      { ((sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)),
          doubleP_doubleM_t_2) ->
          (JC_26:
          ((integer_of_int32(result) = neg_int((1))) ->
           (forall k_1:int.
            ((le_int((0), k_1) and lt_int(k_1, integer_of_int32(n_1))) ->
             ne_double_full(select(doubleP_doubleM_t_2, shift(t_0, k_1)), v))))))
        and ((JC_24:
             (ge_int(integer_of_int32(result), (0)) ->
              eq_double_full(select(doubleP_doubleM_t_2,
                             shift(t_0, integer_of_int32(result))),
              v)))
            and (JC_20:
                ((JC_18: le_int(neg_int((1)), integer_of_int32(result)))
                and (JC_19:
                    lt_int(integer_of_int32(result), integer_of_int32(n_1))))))) }

parameter binary_search_requires :
 t_0:doubleP pointer ->
  n_1:int32 ->
   v:double ->
    doubleP_t_2_alloc_table:doubleP alloc_table ->
     doubleP_doubleM_t_2:(doubleP, double) memory ->
      { (JC_6:
        ((JC_1: ge_int(integer_of_int32(n_1), (0)))
        and ((JC_2: le_int(offset_min(doubleP_t_2_alloc_table, t_0), (0)))
            and ((JC_3:
                 ge_int(offset_max(doubleP_t_2_alloc_table, t_0),
                 sub_int(integer_of_int32(n_1), (1))))
                and ((JC_4: (not double_is_NaN(v)))
                    and (JC_5:
                        (forall i_2:int.
                         ((le_int((0), i_2)
                          and le_int(i_2,
                              sub_int(integer_of_int32(n_1), (1)))) ->
                          (not double_is_NaN(select(doubleP_doubleM_t_2,
                                             shift(t_0, i_2))))))))))))}
      int32
      { ((sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)),
          doubleP_doubleM_t_2) ->
          (JC_26:
          ((integer_of_int32(result) = neg_int((1))) ->
           (forall k_1:int.
            ((le_int((0), k_1) and lt_int(k_1, integer_of_int32(n_1))) ->
             ne_double_full(select(doubleP_doubleM_t_2, shift(t_0, k_1)), v))))))
        and ((JC_24:
             (ge_int(integer_of_int32(result), (0)) ->
              eq_double_full(select(doubleP_doubleM_t_2,
                             shift(t_0, integer_of_int32(result))),
              v)))
            and (JC_20:
                ((JC_18: le_int(neg_int((1)), integer_of_int32(result)))
                and (JC_19:
                    lt_int(integer_of_int32(result), integer_of_int32(n_1))))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let binary_search_ensures_default =
 fun (t_0 : doubleP pointer) (n_1 : int32) (v : double) (doubleP_t_2_alloc_table : doubleP alloc_table) (doubleP_doubleM_t_2 : (doubleP, double) memory) ->
  { (JC_13:
    ((JC_8: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_9: le_int(offset_min(doubleP_t_2_alloc_table, t_0), (0)))
        and ((JC_10:
             ge_int(offset_max(doubleP_t_2_alloc_table, t_0),
             sub_int(integer_of_int32(n_1), (1))))
            and ((JC_11: (not double_is_NaN(v)))
                and (JC_12:
                    (forall i_2:int.
                     ((le_int((0), i_2)
                      and le_int(i_2, sub_int(integer_of_int32(n_1), (1)))) ->
                      (not double_is_NaN(select(doubleP_doubleM_t_2,
                                         shift(t_0, i_2)))))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_2:
          begin
            while true do
            { invariant
                (JC_46:
                ((JC_44: le_int((0), integer_of_int32(l)))
                and (JC_45:
                    le_int(integer_of_int32(u),
                    sub_int(integer_of_int32(n_1), (1))))))  }
             begin
               [ { } unit { true } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ ((add_int (integer_of_int32 !l)) 
                                               (integer_of_int32 (safe_int32_of_integer_ 
                                                                  (JC_50:
                                                                  ((computer_div 
                                                                    (integer_of_int32 
                                                                    (safe_int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 !u)) 
                                                                    (integer_of_int32 !l))))) (2)))))))) in
                void);
                (assert
                { (JC_51:
                  (le_int(integer_of_int32(l), integer_of_int32(m))
                  and le_int(integer_of_int32(m), integer_of_int32(u)))) };
                void); void;
                (if ((lt_double_ ((safe_acc_ doubleP_doubleM_t_2) ((shift t_0) 
                                                                   (integer_of_int32 !m)))) v)
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_double_ ((safe_acc_ doubleP_doubleM_t_2) ((shift t_0) 
                                                                    (integer_of_int32 !m)))) v)
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_17:
    ((JC_15: le_int(neg_int((1)), integer_of_int32(result)))
    and (JC_16: lt_int(integer_of_int32(result), integer_of_int32(n_1))))) }

let binary_search_ensures_failure =
 fun (t_0 : doubleP pointer) (n_1 : int32) (v : double) (doubleP_t_2_alloc_table : doubleP alloc_table) (doubleP_doubleM_t_2 : (doubleP, double) memory) ->
  { (sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)),
     doubleP_doubleM_t_2)
    and (JC_13:
        ((JC_8: ge_int(integer_of_int32(n_1), (0)))
        and ((JC_9: le_int(offset_min(doubleP_t_2_alloc_table, t_0), (0)))
            and ((JC_10:
                 ge_int(offset_max(doubleP_t_2_alloc_table, t_0),
                 sub_int(integer_of_int32(n_1), (1))))
                and ((JC_11: (not double_is_NaN(v)))
                    and (JC_12:
                        (forall i_2:int.
                         ((le_int((0), i_2)
                          and le_int(i_2,
                              sub_int(integer_of_int32(n_1), (1)))) ->
                          (not double_is_NaN(select(doubleP_doubleM_t_2,
                                             shift(t_0, i_2))))))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_4:
          begin
            while true do
            { invariant
                ((JC_60:
                 (forall k_0:int.
                  ((lt_int(integer_of_int32(u), k_0)
                   and le_int(k_0, sub_int(integer_of_int32(n_1), (1)))) ->
                   lt_double_full(v,
                   select(doubleP_doubleM_t_2, shift(t_0, k_0))))))
                and (JC_61:
                    (forall k:int.
                     ((le_int((0), k) and lt_int(k, integer_of_int32(l))) ->
                      lt_double_full(select(doubleP_doubleM_t_2,
                                     shift(t_0, k)),
                      v)))))  }
             begin
               [ { } unit reads l,u
                 { (JC_64:
                   ((JC_62: le_int((0), integer_of_int32(l)))
                   and (JC_63:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ ((add_int (integer_of_int32 !l)) 
                                               (integer_of_int32 (safe_int32_of_integer_ 
                                                                  (JC_68:
                                                                  ((computer_div 
                                                                    (integer_of_int32 
                                                                    (safe_int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 !u)) 
                                                                    (integer_of_int32 !l))))) (2)))))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_69:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_double_ ((safe_acc_ doubleP_doubleM_t_2) ((shift t_0) 
                                                                   (integer_of_int32 !m)))) v)
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_double_ ((safe_acc_ doubleP_doubleM_t_2) ((shift t_0) 
                                                                    (integer_of_int32 !m)))) v)
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_25:
    ((integer_of_int32(result) = neg_int((1))) ->
     (forall k_1:int.
      ((le_int((0), k_1) and lt_int(k_1, integer_of_int32(n_1))) ->
       ne_double_full(select(doubleP_doubleM_t_2, shift(t_0, k_1)), v))))) }

let binary_search_ensures_success =
 fun (t_0 : doubleP pointer) (n_1 : int32) (v : double) (doubleP_t_2_alloc_table : doubleP alloc_table) (doubleP_doubleM_t_2 : (doubleP, double) memory) ->
  { (JC_13:
    ((JC_8: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_9: le_int(offset_min(doubleP_t_2_alloc_table, t_0), (0)))
        and ((JC_10:
             ge_int(offset_max(doubleP_t_2_alloc_table, t_0),
             sub_int(integer_of_int32(n_1), (1))))
            and ((JC_11: (not double_is_NaN(v)))
                and (JC_12:
                    (forall i_2:int.
                     ((le_int((0), i_2)
                      and le_int(i_2, sub_int(integer_of_int32(n_1), (1)))) ->
                      (not double_is_NaN(select(doubleP_doubleM_t_2,
                                         shift(t_0, i_2)))))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_3:
          begin
            while true do
            { invariant (JC_56: true)  }
             begin
               [ { } unit reads l,u
                 { (JC_54:
                   ((JC_52: le_int((0), integer_of_int32(l)))
                   and (JC_53:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ ((add_int (integer_of_int32 !l)) 
                                               (integer_of_int32 (safe_int32_of_integer_ 
                                                                  (JC_58:
                                                                  ((computer_div 
                                                                    (integer_of_int32 
                                                                    (safe_int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 !u)) 
                                                                    (integer_of_int32 !l))))) (2)))))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_59:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_double_ ((safe_acc_ doubleP_doubleM_t_2) ((shift t_0) 
                                                                   (integer_of_int32 !m)))) v)
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_double_ ((safe_acc_ doubleP_doubleM_t_2) ((shift t_0) 
                                                                    (integer_of_int32 !m)))) v)
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_23:
    (ge_int(integer_of_int32(result), (0)) ->
     eq_double_full(select(doubleP_doubleM_t_2,
                    shift(t_0, integer_of_int32(result))),
     v))) }

let binary_search_safety =
 fun (t_0 : doubleP pointer) (n_1 : int32) (v : double) (doubleP_t_2_alloc_table : doubleP alloc_table) (doubleP_doubleM_t_2 : (doubleP, double) memory) ->
  { (JC_13:
    ((JC_8: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_9: le_int(offset_min(doubleP_t_2_alloc_table, t_0), (0)))
        and ((JC_10:
             ge_int(offset_max(doubleP_t_2_alloc_table, t_0),
             sub_int(integer_of_int32(n_1), (1))))
            and ((JC_11: (not double_is_NaN(v)))
                and (JC_12:
                    (forall i_2:int.
                     ((le_int((0), i_2)
                      and le_int(i_2, sub_int(integer_of_int32(n_1), (1)))) ->
                      (not double_is_NaN(select(doubleP_doubleM_t_2,
                                         shift(t_0, i_2)))))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (JC_27:
                (int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1))))) in
          void);
          (loop_1:
          begin
            while true do
            { invariant (JC_32: true)
              variant (JC_43 : sub_int(integer_of_int32(u),
                               integer_of_int32(l))) }
             begin
               [ { } unit reads l,u
                 { (JC_30:
                   ((JC_28: le_int((0), integer_of_int32(l)))
                   and (JC_29:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (JC_37:
                      (int32_of_integer_ ((add_int (integer_of_int32 !l)) 
                                          (integer_of_int32 (JC_36:
                                                            (int32_of_integer_ 
                                                             (JC_35:
                                                             ((computer_div_ 
                                                               (integer_of_int32 
                                                                (JC_34:
                                                                (int32_of_integer_ 
                                                                 ((sub_int 
                                                                   (integer_of_int32 !u)) 
                                                                  (integer_of_int32 !l)))))) (2)))))))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_38:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_double_ (JC_39:
                                 ((((offset_acc_ doubleP_t_2_alloc_table) doubleP_doubleM_t_2) t_0) 
                                  (integer_of_int32 !m)))) v)
                then
                 (let _jessie_ =
                 (l := (JC_40:
                       (int32_of_integer_ ((add_int (integer_of_int32 !m)) (1))))) in
                 void)
                else
                 (if ((gt_double_ (JC_41:
                                  ((((offset_acc_ doubleP_t_2_alloc_table) doubleP_doubleM_t_2) t_0) 
                                   (integer_of_int32 !m)))) v)
                 then
                  (let _jessie_ =
                  (u := (JC_42:
                        (int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1))))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/floats_bsearch.why
========== file tests/c/floats_bsearch.jessie/why/floats_bsearch_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

function min_single() : real = 0x1.p-149

function min_double() : real = 0x1.p-1074

type Float_class

logic Finite : Float_class

logic Infinite : Float_class

logic NaN : Float_class

logic Float_class_match : Float_class, 'a1, 'a1, 'a1 -> 'a1

axiom Float_class_match_Finite:
  (forall aux_8:'a1.
    (forall aux_9:'a1.
      (forall aux_10:'a1 [Float_class_match(Finite, aux_8, aux_9, aux_10)].
        (Float_class_match(Finite, aux_8, aux_9, aux_10) = aux_8))))

axiom Float_class_match_Infinite:
  (forall aux_8:'a1.
    (forall aux_9:'a1.
      (forall aux_10:'a1 [Float_class_match(Infinite, aux_8, aux_9, aux_10)].
        (Float_class_match(Infinite, aux_8, aux_9, aux_10) = aux_9))))

axiom Float_class_match_NaN:
  (forall aux_8:'a1.
    (forall aux_9:'a1.
      (forall aux_10:'a1 [Float_class_match(NaN, aux_8, aux_9, aux_10)].
        (Float_class_match(NaN, aux_8, aux_9, aux_10) = aux_10))))

axiom Float_class_inversion:
  (forall aux_7:Float_class.
    (((aux_7 = Finite) or (aux_7 = Infinite)) or (aux_7 = NaN)))

logic Float_class_to_int : Float_class -> int

axiom Float_class_to_int_Finite: (Float_class_to_int(Finite) = 0)

axiom Float_class_to_int_Infinite: (Float_class_to_int(Infinite) = 1)

axiom Float_class_to_int_NaN: (Float_class_to_int(NaN) = 2)

type sign

logic Negative : sign

logic Positive : sign

logic sign_match : sign, 'a1, 'a1 -> 'a1

axiom sign_match_Negative:
  (forall aux_12:'a1.
    (forall aux_13:'a1 [sign_match(Negative, aux_12, aux_13)].
      (sign_match(Negative, aux_12, aux_13) = aux_12)))

axiom sign_match_Positive:
  (forall aux_12:'a1.
    (forall aux_13:'a1 [sign_match(Positive, aux_12, aux_13)].
      (sign_match(Positive, aux_12, aux_13) = aux_13)))

axiom sign_inversion:
  (forall aux_11:sign. ((aux_11 = Negative) or (aux_11 = Positive)))

logic sign_to_int : sign -> int

axiom sign_to_int_Negative: (sign_to_int(Negative) = 0)

axiom sign_to_int_Positive: (sign_to_int(Positive) = 1)

logic single_class : single -> Float_class

logic double_class : double -> Float_class

logic single_sign : single -> sign

logic double_sign : double -> sign

logic same_sign_real_bool : sign, real -> prop

axiom same_sign_real_bool_inversion:
  (forall aux_14:sign.
    (forall aux_15:real [same_sign_real_bool(aux_14, aux_15)].
      (same_sign_real_bool(aux_14, aux_15) ->
       ((exists x:real.
          ((x < 0.0) and ((aux_14 = Negative) and (aux_15 = x)))) or
        (exists x:real.
          ((x > 0.0) and ((aux_14 = Positive) and (aux_15 = x))))))))

axiom neg_case:
  (forall x:real. ((x < 0.0) -> same_sign_real_bool(Negative, x)))

axiom pos_case:
  (forall x:real. ((x > 0.0) -> same_sign_real_bool(Positive, x)))

axiom same_sign_real_bool_zero1:
  (forall b:sign. (not same_sign_real_bool(b, 0.0)))

axiom same_sign_real_bool_zero2:
  (forall x:real.
    ((same_sign_real_bool(Negative, x) and same_sign_real_bool(Positive, x)) ->
     false))

axiom same_sign_real_bool_zero3:
  (forall b:sign. (forall x:real. (same_sign_real_bool(b, x) -> (x <> 0.0))))

axiom same_sign_real_bool_correct2:
  (forall b:sign.
    (forall x:real.
      (same_sign_real_bool(b, x) -> ((x < 0.0) <-> (b = Negative)))))

axiom same_sign_real_bool_correct3:
  (forall b:sign.
    (forall x:real.
      (same_sign_real_bool(b, x) -> ((x > 0.0) <-> (b = Positive)))))

predicate single_same_sign_real(x: single, y: real) =
  same_sign_real_bool(single_sign(x), y)

predicate single_same_sign(x: single, y: single) =
  (single_sign(x) = single_sign(y))

predicate single_diff_sign(x: single, y: single) =
  (single_sign(x) <> single_sign(y))

predicate single_product_sign(z: single, x: single, y: single) =
  ((single_same_sign(x, y) -> (single_sign(z) = Positive)) and
   (single_diff_sign(x, y) -> (single_sign(z) = Negative)))

predicate double_same_sign_real(x: double, y: real) =
  same_sign_real_bool(double_sign(x), y)

predicate double_same_sign(x: double, y: double) =
  (double_sign(x) = double_sign(y))

predicate double_diff_sign(x: double, y: double) =
  (double_sign(x) <> double_sign(y))

predicate double_product_sign(z: double, x: double, y: double) =
  ((double_same_sign(x, y) -> (double_sign(z) = Positive)) and
   (double_diff_sign(x, y) -> (double_sign(z) = Negative)))

predicate single_same_class(x: single, y: single) =
  (single_class(x) = single_class(y))

predicate singlediff_class(x: single, y: single) =
  (single_class(x) <> single_class(y))

predicate double_same_class(x: double, y: double) =
  (double_class(x) = double_class(y))

predicate doublediff_class(x: double, y: double) =
  (double_class(x) <> double_class(y))

axiom single_finite_sign:
  (forall x:single.
    (((single_class(x) = Finite) and (single_value(x) <> 0.0)) ->
     single_same_sign_real(x, single_value(x))))

axiom single_finite_sign_neg1:
  (forall x:single.
    (((single_class(x) = Finite) and (single_value(x) < 0.0)) ->
     (single_sign(x) = Negative)))

axiom single_finite_sign_neg2:
  (forall x:single.
    (((single_class(x) = Finite) and
      ((single_value(x) <> 0.0) and (single_sign(x) = Negative))) ->
     (single_value(x) < 0.0)))

axiom single_finite_sign_pos1:
  (forall x:single.
    (((single_class(x) = Finite) and (single_value(x) > 0.0)) ->
     (single_sign(x) = Positive)))

axiom single_finite_sign_pos2:
  (forall x:single.
    (((single_class(x) = Finite) and
      ((single_value(x) <> 0.0) and (single_sign(x) = Positive))) ->
     (single_value(x) > 0.0)))

axiom single_diff_sign_trans:
  (forall x:single.
    (forall y:single.
      (forall z:single.
        ((single_diff_sign(x, y) and single_diff_sign(y, z)) ->
         single_same_sign(x, z)))))

axiom single_same_sign_product:
  (forall x:single.
    (forall y:single.
      (((single_class(x) = Finite) and
        ((single_class(y) = Finite) and single_same_sign(x, y))) ->
       ((single_value(x) * single_value(y)) >= 0.0))))

axiom single_diff_sign_product:
  (forall x:single.
    (forall y:single.
      (((single_class(x) = Finite) and
        ((single_class(y) = Finite) and
         ((single_value(x) * single_value(y)) < 0.0))) ->
       single_diff_sign(x, y))))

axiom double_finite_sign:
  (forall x:double.
    (((double_class(x) = Finite) and (double_value(x) <> 0.0)) ->
     double_same_sign_real(x, double_value(x))))

axiom double_finite_sign_neg1:
  (forall x:double.
    (((double_class(x) = Finite) and (double_value(x) < 0.0)) ->
     (double_sign(x) = Negative)))

axiom double_finite_sign_neg2:
  (forall x:double.
    (((double_class(x) = Finite) and
      ((double_value(x) <> 0.0) and (double_sign(x) = Negative))) ->
     (double_value(x) < 0.0)))

axiom double_finite_sign_pos1:
  (forall x:double.
    (((double_class(x) = Finite) and (double_value(x) > 0.0)) ->
     (double_sign(x) = Positive)))

axiom double_finite_sign_pos2:
  (forall x:double.
    (((double_class(x) = Finite) and
      ((double_value(x) <> 0.0) and (double_sign(x) = Positive))) ->
     (double_value(x) > 0.0)))

axiom double_diff_sign_trans:
  (forall x:double.
    (forall y:double.
      (forall z:double.
        ((double_diff_sign(x, y) and double_diff_sign(y, z)) ->
         double_same_sign(x, z)))))

axiom double_same_sign_product:
  (forall x:double.
    (forall y:double.
      (((double_class(x) = Finite) and
        ((double_class(y) = Finite) and double_same_sign(x, y))) ->
       ((double_value(x) * double_value(y)) >= 0.0))))

axiom double_diff_sign_product:
  (forall x:double.
    (forall y:double.
      (((double_class(x) = Finite) and
        ((double_class(y) = Finite) and
         ((double_value(x) * double_value(y)) < 0.0))) ->
       double_diff_sign(x, y))))

predicate single_is_finite(x: single) = (single_class(x) = Finite)

predicate single_is_infinite(x: single) = (single_class(x) = Infinite)

predicate single_is_NaN(x: single) = (single_class(x) = NaN)

predicate single_is_not_NaN(x: single) =
  (single_is_finite(x) or single_is_infinite(x))

predicate single_is_minus_infinity(x: single) =
  (single_is_infinite(x) and (single_sign(x) = Negative))

predicate single_is_plus_infinity(x: single) =
  (single_is_infinite(x) and (single_sign(x) = Positive))

predicate single_is_gen_zero(x: single) =
  (single_is_finite(x) and (single_value(x) = 0.0))

predicate single_is_gen_zero_plus(x: single) =
  (single_is_gen_zero(x) and (single_sign(x) = Positive))

predicate single_is_gen_zero_minus(x: single) =
  (single_is_gen_zero(x) and (single_sign(x) = Negative))

predicate double_is_finite(x: double) = (double_class(x) = Finite)

predicate double_is_infinite(x: double) = (double_class(x) = Infinite)

predicate double_is_NaN(x: double) = (double_class(x) = NaN)

predicate double_is_not_NaN(x: double) =
  (double_is_finite(x) or double_is_infinite(x))

predicate double_is_minus_infinity(x: double) =
  (double_is_infinite(x) and (double_sign(x) = Negative))

predicate double_is_plus_infinity(x: double) =
  (double_is_infinite(x) and (double_sign(x) = Positive))

predicate double_is_gen_zero(x: double) =
  (double_is_finite(x) and (double_value(x) = 0.0))

predicate double_is_gen_zero_plus(x: double) =
  (double_is_gen_zero(x) and (double_sign(x) = Positive))

predicate double_is_gen_zero_minus(x: double) =
  (double_is_gen_zero(x) and (double_sign(x) = Negative))

predicate single_overflow_value(m: mode, x: single) =
  (((m = down) ->
    (((single_sign(x) = Negative) -> single_is_infinite(x)) and
     ((single_sign(x) = Positive) ->
      (single_is_finite(x) and (single_value(x) = max_single))))) and
   (((m = up) ->
     (((single_sign(x) = Negative) ->
       (single_is_finite(x) and (single_value(x) = (-max_single)))) and
      ((single_sign(x) = Positive) -> single_is_infinite(x)))) and
    (((m = to_zero) ->
      (single_is_finite(x) and
       (((single_sign(x) = Negative) -> (single_value(x) = (-max_single))) and
        ((single_sign(x) = Positive) -> (single_value(x) = max_single))))) and
     (((m = nearest_away) or (m = nearest_even)) -> single_is_infinite(x)))))

predicate double_overflow_value(m: mode, x: double) =
  (((m = down) ->
    (((double_sign(x) = Negative) -> double_is_infinite(x)) and
     ((double_sign(x) = Positive) ->
      (double_is_finite(x) and (double_value(x) = max_double))))) and
   (((m = up) ->
     (((double_sign(x) = Negative) ->
       (double_is_finite(x) and (double_value(x) = (-max_double)))) and
      ((double_sign(x) = Positive) -> double_is_infinite(x)))) and
    (((m = to_zero) ->
      (double_is_finite(x) and
       (((double_sign(x) = Negative) -> (double_value(x) = (-max_double))) and
        ((double_sign(x) = Positive) -> (double_value(x) = max_double))))) and
     (((m = nearest_away) or (m = nearest_even)) -> double_is_infinite(x)))))

predicate single_underflow_value(m: mode, x: single) =
  (single_is_finite(x) and
   (((single_sign(x) = Positive) ->
     ((((m = down) or
        ((m = to_zero) or ((m = nearest_even) or (m = nearest_away)))) ->
       (single_value(x) = 0.0)) and
      ((m = up) -> (single_value(x) = min_single)))) and
    ((single_sign(x) = Negative) ->
     ((((m = up) or
        ((m = to_zero) or ((m = nearest_even) or (m = nearest_away)))) ->
       (single_value(x) = 0.0)) and
      ((m = down) -> (single_value(x) = (-min_single)))))))

predicate double_underflow_value(m: mode, x: double) =
  (double_is_finite(x) and
   (((double_sign(x) = Positive) ->
     ((((m = down) or
        ((m = to_zero) or ((m = nearest_even) or (m = nearest_away)))) ->
       (double_value(x) = 0.0)) and
      ((m = up) -> (double_value(x) = min_double)))) and
    ((double_sign(x) = Negative) ->
     ((((m = up) or
        ((m = to_zero) or ((m = nearest_even) or (m = nearest_away)))) ->
       (double_value(x) = 0.0)) and
      ((m = down) -> (double_value(x) = (-min_double)))))))

predicate single_sign_zero_result(m: mode, x: single) =
  ((single_value(x) = 0.0) ->
   (((m = down) -> (single_sign(x) = Negative)) and
    ((m <> down) -> (single_sign(x) = Positive))))

predicate double_sign_zero_result(m: mode, x: double) =
  ((double_value(x) = 0.0) ->
   (((m = down) -> (double_sign(x) = Negative)) and
    ((m <> down) -> (double_sign(x) = Positive))))

predicate le_single_full(x: single, y: single) =
  ((single_is_finite(x) and
    (single_is_finite(y) and (single_value(x) <= single_value(y)))) or
   ((single_is_minus_infinity(x) and single_is_not_NaN(y)) or
    (single_is_not_NaN(x) and single_is_plus_infinity(y))))

predicate lt_single_full(x: single, y: single) =
  ((single_is_finite(x) and
    (single_is_finite(y) and (single_value(x) < single_value(y)))) or
   ((single_is_minus_infinity(x) and
     (single_is_not_NaN(y) and (not single_is_minus_infinity(y)))) or
    (single_is_not_NaN(x) and
     ((not single_is_plus_infinity(x)) and single_is_plus_infinity(y)))))

predicate ge_single_full(x: single, y: single) = le_single_full(y, x)

predicate gt_single_full(x: single, y: single) = lt_single_full(y, x)

predicate eq_single_full(x: single, y: single) =
  (single_is_not_NaN(x) and
   (single_is_not_NaN(y) and
    ((single_is_finite(x) and
      (single_is_finite(y) and (single_value(x) = single_value(y)))) or
     (single_is_infinite(x) and
      (single_is_infinite(y) and single_same_sign(x, y))))))

predicate ne_single_full(x: single, y: single) = (not eq_single_full(x, y))

predicate le_double_full(x: double, y: double) =
  ((double_is_finite(x) and
    (double_is_finite(y) and (double_value(x) <= double_value(y)))) or
   ((double_is_minus_infinity(x) and double_is_not_NaN(y)) or
    (double_is_not_NaN(x) and double_is_plus_infinity(y))))

predicate lt_double_full(x: double, y: double) =
  ((double_is_finite(x) and
    (double_is_finite(y) and (double_value(x) < double_value(y)))) or
   ((double_is_minus_infinity(x) and
     (double_is_not_NaN(y) and (not double_is_minus_infinity(y)))) or
    (double_is_not_NaN(x) and
     ((not double_is_plus_infinity(x)) and double_is_plus_infinity(y)))))

predicate ge_double_full(x: double, y: double) = le_double_full(y, x)

predicate gt_double_full(x: double, y: double) = lt_double_full(y, x)

predicate eq_double_full(x: double, y: double) =
  (double_is_not_NaN(x) and
   (double_is_not_NaN(y) and
    ((double_is_finite(x) and
      (double_is_finite(y) and (double_value(x) = double_value(y)))) or
     (double_is_infinite(x) and
      (double_is_infinite(y) and double_same_sign(x, y))))))

predicate ne_double_full(x: double, y: double) = (not eq_double_full(x, y))

axiom le_lt_double_trans:
  (forall x:double.
    (forall y:double.
      (forall z:double.
        ((le_double_full(x, y) and lt_double_full(y, z)) -> lt_double_full(x,
         z)))))

axiom lt_le_double_trans:
  (forall x:double.
    (forall y:double.
      (forall z:double.
        ((lt_double_full(x, y) and le_double_full(y, z)) -> lt_double_full(x,
         z)))))

axiom round_single1:
  (forall m:mode.
    (forall x:real.
      (no_overflow_single(m, x) ->
       (single_is_finite(round_single_logic(m, x)) and
        (single_value(round_single_logic(m, x)) = round_single(m, x))))))

axiom round_single2:
  (forall m:mode.
    (forall x:real.
      ((not no_overflow_single(m, x)) ->
       (single_same_sign_real(round_single_logic(m, x), x) and
        single_overflow_value(m, round_single_logic(m, x))))))

axiom round_single3:
  (forall m:mode.
    (forall x:real. (single_exact(round_single_logic(m, x)) = x)))

axiom round_single4:
  (forall m:mode.
    (forall x:real. (single_model(round_single_logic(m, x)) = x)))

axiom single_of_zero:
  (forall m:mode. single_is_gen_zero(round_single_logic(m, 0.0)))

axiom round_single_logic_le:
  (forall m:mode.
    (forall x:real.
      (single_is_finite(round_single_logic(m, x)) ->
       (abs_real(single_value(round_single_logic(m, x))) <= max_single))))

axiom round_single_no_overflow:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) ->
       (single_is_finite(round_single_logic(m, x)) and
        (single_value(round_single_logic(m, x)) = round_single(m, x))))))

axiom single_positive_constant:
  (forall m:mode.
    (forall x:real.
      (((min_single <= x) and (x <= max_single)) ->
       (single_is_finite(round_single_logic(m, x)) and
        ((single_value(round_single_logic(m, x)) > 0.0) and
         (single_sign(round_single_logic(m, x)) = Positive))))))

axiom single_negative_constant:
  (forall m:mode.
    (forall x:real.
      ((((-max_single) <= x) and (x <= (-min_single))) ->
       (single_is_finite(round_single_logic(m, x)) and
        ((single_value(round_single_logic(m, x)) < 0.0) and
         (single_sign(round_single_logic(m, x)) = Negative))))))

axiom round_double1:
  (forall m:mode.
    (forall x:real.
      (no_overflow_double(m, x) ->
       (double_is_finite(round_double_logic(m, x)) and
        (double_value(round_double_logic(m, x)) = round_double(m, x))))))

axiom round_double2:
  (forall m:mode.
    (forall x:real.
      ((not no_overflow_double(m, x)) ->
       (double_same_sign_real(round_double_logic(m, x), x) and
        double_overflow_value(m, round_double_logic(m, x))))))

axiom round_double3:
  (forall m:mode.
    (forall x:real. (double_exact(round_double_logic(m, x)) = x)))

axiom round_double4:
  (forall m:mode.
    (forall x:real. (double_model(round_double_logic(m, x)) = x)))

axiom double_of_zero:
  (forall m:mode. double_is_gen_zero(round_double_logic(m, 0.0)))

axiom round_double_logic_le:
  (forall m:mode.
    (forall x:real.
      (double_is_finite(round_double_logic(m, x)) ->
       (abs_real(double_value(round_double_logic(m, x))) <= max_double))))

axiom round_double_no_overflow:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) ->
       (double_is_finite(round_double_logic(m, x)) and
        (double_value(round_double_logic(m, x)) = round_double(m, x))))))

axiom double_positive_constant:
  (forall m:mode.
    (forall x:real.
      (((min_double <= x) and (x <= max_double)) ->
       (double_is_finite(round_double_logic(m, x)) and
        ((double_value(round_double_logic(m, x)) > 0.0) and
         (double_sign(round_double_logic(m, x)) = Positive))))))

axiom double_negative_constant:
  (forall m:mode.
    (forall x:real.
      ((((-max_double) <= x) and (x <= (-min_double))) ->
       (double_is_finite(round_double_logic(m, x)) and
        ((double_value(round_double_logic(m, x)) < 0.0) and
         (double_sign(round_double_logic(m, x)) = Negative))))))

axiom single_is_gen_zero_comp1:
  (forall x:single.
    (forall y:single.
      ((single_is_gen_zero(x) and
        ((single_value(x) = single_value(y)) and single_is_finite(y))) ->
       single_is_gen_zero(y))))

axiom single_is_gen_zero_comp2:
  (forall x:single.
    (forall y:single.
      ((single_is_finite(x) and
        ((not single_is_gen_zero(x)) and (single_value(x) = single_value(y)))) ->
       (not single_is_gen_zero(y)))))

axiom double_is_gen_zero_comp1:
  (forall x:double.
    (forall y:double.
      ((double_is_gen_zero(x) and
        ((double_value(x) = double_value(y)) and double_is_finite(y))) ->
       double_is_gen_zero(y))))

axiom double_is_gen_zero_comp2:
  (forall x:double.
    (forall y:double.
      ((double_is_finite(x) and
        ((not double_is_gen_zero(x)) and (double_value(x) = double_value(y)))) ->
       (not double_is_gen_zero(y)))))

type charP

type doubleP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic doubleP_tag : doubleP tag_id

axiom doubleP_int: (int_of_tag(doubleP_tag) = 1)

logic doubleP_of_pointer_address : unit pointer -> doubleP pointer

axiom doubleP_of_pointer_address_of_pointer_addr:
  (forall p:doubleP pointer.
    (p = doubleP_of_pointer_address(pointer_address(p))))

axiom doubleP_parenttag_bottom: parenttag(doubleP_tag, bottom_tag)

axiom doubleP_tags:
  (forall x:doubleP pointer.
    (forall doubleP_tag_table:doubleP tag_table.
      instanceof(doubleP_tag_table, x, doubleP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_doubleP(p: doubleP pointer, a: int,
  doubleP_alloc_table: doubleP alloc_table) =
  (offset_min(doubleP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_doubleP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(doubleP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_doubleP(p: doubleP pointer, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  (offset_max(doubleP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate sorted(t: doubleP pointer, a: int, b: int,
  doubleP_doubleM_t_1_at_L: (doubleP, double) memory) =
  (forall i_1:int.
    (forall j_0:int.
      (((a <= i_1) and ((i_1 <= j_0) and (j_0 <= b))) ->
       le_double_full(select(doubleP_doubleM_t_1_at_L, shift(t, i_1)),
       select(doubleP_doubleM_t_1_at_L, shift(t, j_0))))))

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) = a) and
   (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) = a) and
   (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) <= a) and
   (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) <= a) and
   (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal binary_search_ensures_default_po_1:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  ("JC_46": ("JC_44": (0 <= integer_of_int32(l))))

goal binary_search_ensures_default_po_2:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  ("JC_46": ("JC_45": (integer_of_int32(u) <= (integer_of_int32(n_1) - 1))))

goal binary_search_ensures_default_po_3:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_46":
  (("JC_44": (0 <= integer_of_int32(l0))) and
   ("JC_45": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(l0) + integer_of_int32(result2))) ->
  forall m:int32.
  (m = result3) ->
  ("JC_51": (integer_of_int32(l0) <= integer_of_int32(m)))

goal binary_search_ensures_default_po_4:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_46":
  (("JC_44": (0 <= integer_of_int32(l0))) and
   ("JC_45": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(l0) + integer_of_int32(result2))) ->
  forall m:int32.
  (m = result3) ->
  ("JC_51": (integer_of_int32(m) <= integer_of_int32(u0)))

goal binary_search_ensures_default_po_5:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_46":
  (("JC_44": (0 <= integer_of_int32(l0))) and
   ("JC_45": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(l0) + integer_of_int32(result2))) ->
  forall m:int32.
  (m = result3) ->
  ("JC_51":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result4:double.
  (result4 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  lt_double_full(result4, v) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) + 1)) ->
  forall l1:int32.
  (l1 = result5) ->
  ("JC_46": ("JC_44": (0 <= integer_of_int32(l1))))

goal binary_search_ensures_default_po_6:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_46":
  (("JC_44": (0 <= integer_of_int32(l0))) and
   ("JC_45": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(l0) + integer_of_int32(result2))) ->
  forall m:int32.
  (m = result3) ->
  ("JC_51":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result4:double.
  (result4 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not lt_double_full(result4, v)) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  gt_double_full(result5, v) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) - 1)) ->
  forall u1:int32.
  (u1 = result6) ->
  ("JC_46": ("JC_45": (integer_of_int32(u1) <= (integer_of_int32(n_1) - 1))))

goal binary_search_ensures_default_po_7:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_46":
  (("JC_44": (0 <= integer_of_int32(l0))) and
   ("JC_45": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(l0) + integer_of_int32(result2))) ->
  forall m:int32.
  (m = result3) ->
  ("JC_51":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result4:double.
  (result4 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not lt_double_full(result4, v)) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not gt_double_full(result5, v)) ->
  forall __retres:int32.
  (__retres = m) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_17": ("JC_15": ((-1) <= integer_of_int32(return))))

goal binary_search_ensures_default_po_8:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_46":
  (("JC_44": (0 <= integer_of_int32(l0))) and
   ("JC_45": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(l0) + integer_of_int32(result2))) ->
  forall m:int32.
  (m = result3) ->
  ("JC_51":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result4:double.
  (result4 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not lt_double_full(result4, v)) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not gt_double_full(result5, v)) ->
  forall __retres:int32.
  (__retres = m) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_17": ("JC_16": (integer_of_int32(return) < integer_of_int32(n_1))))

goal binary_search_ensures_default_po_9:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_46":
  (("JC_44": (0 <= integer_of_int32(l0))) and
   ("JC_45": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) > integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (-1)) ->
  forall __retres:int32.
  (__retres = result1) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_17": ("JC_15": ((-1) <= integer_of_int32(return))))

goal binary_search_ensures_default_po_10:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_46":
  (("JC_44": (0 <= integer_of_int32(l0))) and
   ("JC_45": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) > integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (-1)) ->
  forall __retres:int32.
  (__retres = result1) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_17": ("JC_16": (integer_of_int32(return) < integer_of_int32(n_1))))

goal binary_search_ensures_failure_po_1:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), doubleP_doubleM_t_2) and
   ("JC_13":
   (("JC_8": (integer_of_int32(n_1) >= 0)) and
    (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
     (("JC_10": (offset_max(doubleP_t_2_alloc_table,
      t_0) >= (integer_of_int32(n_1) - 1))) and
      (("JC_11": (not double_is_NaN(v))) and
       ("JC_12":
       (forall i_2:int.
         (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
          (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall k_0:int.
  ((integer_of_int32(u) < k_0) and (k_0 <= (integer_of_int32(n_1) - 1))) ->
  ("JC_60": lt_double_full(v, select(doubleP_doubleM_t_2, shift(t_0, k_0))))

goal binary_search_ensures_failure_po_2:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), doubleP_doubleM_t_2) and
   ("JC_13":
   (("JC_8": (integer_of_int32(n_1) >= 0)) and
    (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
     (("JC_10": (offset_max(doubleP_t_2_alloc_table,
      t_0) >= (integer_of_int32(n_1) - 1))) and
      (("JC_11": (not double_is_NaN(v))) and
       ("JC_12":
       (forall i_2:int.
         (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
          (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall k:int.
  ((0 <= k) and (k < integer_of_int32(l))) ->
  ("JC_61": lt_double_full(select(doubleP_doubleM_t_2, shift(t_0, k)), v))

goal binary_search_ensures_failure_po_3:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), doubleP_doubleM_t_2) and
   ("JC_13":
   (("JC_8": (integer_of_int32(n_1) >= 0)) and
    (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
     (("JC_10": (offset_max(doubleP_t_2_alloc_table,
      t_0) >= (integer_of_int32(n_1) - 1))) and
      (("JC_11": (not double_is_NaN(v))) and
       ("JC_12":
       (forall i_2:int.
         (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
          (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  (("JC_60":
   (forall k_0:int.
     (((integer_of_int32(u0) < k_0) and (k_0 <= (integer_of_int32(n_1) - 1))) ->
      lt_double_full(v, select(doubleP_doubleM_t_2, shift(t_0, k_0)))))) and
   ("JC_61":
   (forall k:int.
     (((0 <= k) and (k < integer_of_int32(l0))) ->
      lt_double_full(select(doubleP_doubleM_t_2, shift(t_0, k)), v))))) ->
  ("JC_64":
  (("JC_62": (0 <= integer_of_int32(l0))) and
   ("JC_63": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(l0) + integer_of_int32(result2))) ->
  forall m:int32.
  (m = result3) ->
  ("JC_69":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result4:double.
  (result4 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  lt_double_full(result4, v) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) + 1)) ->
  forall l1:int32.
  (l1 = result5) ->
  forall k_0:int.
  ((integer_of_int32(u0) < k_0) and (k_0 <= (integer_of_int32(n_1) - 1))) ->
  ("JC_60": lt_double_full(v, select(doubleP_doubleM_t_2, shift(t_0, k_0))))

goal binary_search_ensures_failure_po_4:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), doubleP_doubleM_t_2) and
   ("JC_13":
   (("JC_8": (integer_of_int32(n_1) >= 0)) and
    (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
     (("JC_10": (offset_max(doubleP_t_2_alloc_table,
      t_0) >= (integer_of_int32(n_1) - 1))) and
      (("JC_11": (not double_is_NaN(v))) and
       ("JC_12":
       (forall i_2:int.
         (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
          (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  (("JC_60":
   (forall k_0:int.
     (((integer_of_int32(u0) < k_0) and (k_0 <= (integer_of_int32(n_1) - 1))) ->
      lt_double_full(v, select(doubleP_doubleM_t_2, shift(t_0, k_0)))))) and
   ("JC_61":
   (forall k:int.
     (((0 <= k) and (k < integer_of_int32(l0))) ->
      lt_double_full(select(doubleP_doubleM_t_2, shift(t_0, k)), v))))) ->
  ("JC_64":
  (("JC_62": (0 <= integer_of_int32(l0))) and
   ("JC_63": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(l0) + integer_of_int32(result2))) ->
  forall m:int32.
  (m = result3) ->
  ("JC_69":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result4:double.
  (result4 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  lt_double_full(result4, v) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) + 1)) ->
  forall l1:int32.
  (l1 = result5) ->
  forall k:int.
  ((0 <= k) and (k < integer_of_int32(l1))) ->
  ("JC_61": lt_double_full(select(doubleP_doubleM_t_2, shift(t_0, k)), v))

goal binary_search_ensures_failure_po_5:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), doubleP_doubleM_t_2) and
   ("JC_13":
   (("JC_8": (integer_of_int32(n_1) >= 0)) and
    (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
     (("JC_10": (offset_max(doubleP_t_2_alloc_table,
      t_0) >= (integer_of_int32(n_1) - 1))) and
      (("JC_11": (not double_is_NaN(v))) and
       ("JC_12":
       (forall i_2:int.
         (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
          (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  (("JC_60":
   (forall k_0:int.
     (((integer_of_int32(u0) < k_0) and (k_0 <= (integer_of_int32(n_1) - 1))) ->
      lt_double_full(v, select(doubleP_doubleM_t_2, shift(t_0, k_0)))))) and
   ("JC_61":
   (forall k:int.
     (((0 <= k) and (k < integer_of_int32(l0))) ->
      lt_double_full(select(doubleP_doubleM_t_2, shift(t_0, k)), v))))) ->
  ("JC_64":
  (("JC_62": (0 <= integer_of_int32(l0))) and
   ("JC_63": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(l0) + integer_of_int32(result2))) ->
  forall m:int32.
  (m = result3) ->
  ("JC_69":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result4:double.
  (result4 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not lt_double_full(result4, v)) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  gt_double_full(result5, v) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) - 1)) ->
  forall u1:int32.
  (u1 = result6) ->
  forall k_0:int.
  ((integer_of_int32(u1) < k_0) and (k_0 <= (integer_of_int32(n_1) - 1))) ->
  ("JC_60": lt_double_full(v, select(doubleP_doubleM_t_2, shift(t_0, k_0))))

goal binary_search_ensures_failure_po_6:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), doubleP_doubleM_t_2) and
   ("JC_13":
   (("JC_8": (integer_of_int32(n_1) >= 0)) and
    (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
     (("JC_10": (offset_max(doubleP_t_2_alloc_table,
      t_0) >= (integer_of_int32(n_1) - 1))) and
      (("JC_11": (not double_is_NaN(v))) and
       ("JC_12":
       (forall i_2:int.
         (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
          (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  (("JC_60":
   (forall k_0:int.
     (((integer_of_int32(u0) < k_0) and (k_0 <= (integer_of_int32(n_1) - 1))) ->
      lt_double_full(v, select(doubleP_doubleM_t_2, shift(t_0, k_0)))))) and
   ("JC_61":
   (forall k:int.
     (((0 <= k) and (k < integer_of_int32(l0))) ->
      lt_double_full(select(doubleP_doubleM_t_2, shift(t_0, k)), v))))) ->
  ("JC_64":
  (("JC_62": (0 <= integer_of_int32(l0))) and
   ("JC_63": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(l0) + integer_of_int32(result2))) ->
  forall m:int32.
  (m = result3) ->
  ("JC_69":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result4:double.
  (result4 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not lt_double_full(result4, v)) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  gt_double_full(result5, v) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) - 1)) ->
  forall u1:int32.
  (u1 = result6) ->
  forall k:int.
  ((0 <= k) and (k < integer_of_int32(l0))) ->
  ("JC_61": lt_double_full(select(doubleP_doubleM_t_2, shift(t_0, k)), v))

goal binary_search_ensures_failure_po_7:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), doubleP_doubleM_t_2) and
   ("JC_13":
   (("JC_8": (integer_of_int32(n_1) >= 0)) and
    (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
     (("JC_10": (offset_max(doubleP_t_2_alloc_table,
      t_0) >= (integer_of_int32(n_1) - 1))) and
      (("JC_11": (not double_is_NaN(v))) and
       ("JC_12":
       (forall i_2:int.
         (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
          (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  (("JC_60":
   (forall k_0:int.
     (((integer_of_int32(u0) < k_0) and (k_0 <= (integer_of_int32(n_1) - 1))) ->
      lt_double_full(v, select(doubleP_doubleM_t_2, shift(t_0, k_0)))))) and
   ("JC_61":
   (forall k:int.
     (((0 <= k) and (k < integer_of_int32(l0))) ->
      lt_double_full(select(doubleP_doubleM_t_2, shift(t_0, k)), v))))) ->
  ("JC_64":
  (("JC_62": (0 <= integer_of_int32(l0))) and
   ("JC_63": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(l0) + integer_of_int32(result2))) ->
  forall m:int32.
  (m = result3) ->
  ("JC_69":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result4:double.
  (result4 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not lt_double_full(result4, v)) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not gt_double_full(result5, v)) ->
  forall __retres:int32.
  (__retres = m) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) = (-1)) ->
  forall k_1:int.
  ((0 <= k_1) and (k_1 < integer_of_int32(n_1))) ->
  ("JC_25": ne_double_full(select(doubleP_doubleM_t_2, shift(t_0, k_1)), v))

goal binary_search_ensures_failure_po_8:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), doubleP_doubleM_t_2) and
   ("JC_13":
   (("JC_8": (integer_of_int32(n_1) >= 0)) and
    (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
     (("JC_10": (offset_max(doubleP_t_2_alloc_table,
      t_0) >= (integer_of_int32(n_1) - 1))) and
      (("JC_11": (not double_is_NaN(v))) and
       ("JC_12":
       (forall i_2:int.
         (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
          (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2))))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  (("JC_60":
   (forall k_0:int.
     (((integer_of_int32(u0) < k_0) and (k_0 <= (integer_of_int32(n_1) - 1))) ->
      lt_double_full(v, select(doubleP_doubleM_t_2, shift(t_0, k_0)))))) and
   ("JC_61":
   (forall k:int.
     (((0 <= k) and (k < integer_of_int32(l0))) ->
      lt_double_full(select(doubleP_doubleM_t_2, shift(t_0, k)), v))))) ->
  ("JC_64":
  (("JC_62": (0 <= integer_of_int32(l0))) and
   ("JC_63": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) > integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (-1)) ->
  forall __retres:int32.
  (__retres = result1) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) = (-1)) ->
  forall k_1:int.
  ((0 <= k_1) and (k_1 < integer_of_int32(n_1))) ->
  ("JC_25": ne_double_full(select(doubleP_doubleM_t_2, shift(t_0, k_1)), v))

goal binary_search_ensures_success_po_1:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_56": true) ->
  ("JC_54":
  (("JC_52": (0 <= integer_of_int32(l0))) and
   ("JC_53": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(l0) + integer_of_int32(result2))) ->
  forall m:int32.
  (m = result3) ->
  ("JC_59":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result4:double.
  (result4 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not lt_double_full(result4, v)) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not gt_double_full(result5, v)) ->
  forall __retres:int32.
  (__retres = m) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) >= 0) ->
  ("JC_23": eq_double_full(select(doubleP_doubleM_t_2, shift(t_0,
  integer_of_int32(return))), v))

goal binary_search_ensures_success_po_2:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_56": true) ->
  ("JC_54":
  (("JC_52": (0 <= integer_of_int32(l0))) and
   ("JC_53": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) > integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (-1)) ->
  forall __retres:int32.
  (__retres = result1) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) >= 0) ->
  ("JC_23": eq_double_full(select(doubleP_doubleM_t_2, shift(t_0,
  integer_of_int32(return))), v))

goal binary_search_safety_po_1:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  ((-2147483648) <= (integer_of_int32(n_1) - 1))

goal binary_search_safety_po_2:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  ((integer_of_int32(n_1) - 1) <= 2147483647)

goal binary_search_safety_po_3:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  ((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0)))

goal binary_search_safety_po_4:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)

goal binary_search_safety_po_5:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0)

goal binary_search_safety_po_6:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  ((-2147483648) <= result2)

goal binary_search_safety_po_7:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (result2 <= 2147483647)

goal binary_search_safety_po_8:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  ((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(result3)))

goal binary_search_safety_po_9:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  ((integer_of_int32(l0) + integer_of_int32(result3)) <= 2147483647)

goal binary_search_safety_po_10:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(result3))) and
   ((integer_of_int32(l0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(l0) + integer_of_int32(result3))) ->
  forall m:int32.
  (m = result4) ->
  ("JC_38":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  (offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m))

goal binary_search_safety_po_11:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(result3))) and
   ((integer_of_int32(l0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(l0) + integer_of_int32(result3))) ->
  forall m:int32.
  (m = result4) ->
  ("JC_38":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))

goal binary_search_safety_po_12:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(result3))) and
   ((integer_of_int32(l0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(l0) + integer_of_int32(result3))) ->
  forall m:int32.
  (m = result4) ->
  ("JC_38":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  lt_double_full(result5, v) ->
  ((-2147483648) <= (integer_of_int32(m) + 1))

goal binary_search_safety_po_13:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(result3))) and
   ((integer_of_int32(l0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(l0) + integer_of_int32(result3))) ->
  forall m:int32.
  (m = result4) ->
  ("JC_38":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  lt_double_full(result5, v) ->
  ((integer_of_int32(m) + 1) <= 2147483647)

goal binary_search_safety_po_14:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(result3))) and
   ((integer_of_int32(l0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(l0) + integer_of_int32(result3))) ->
  forall m:int32.
  (m = result4) ->
  ("JC_38":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  lt_double_full(result5, v) ->
  (((-2147483648) <= (integer_of_int32(m) + 1)) and
   ((integer_of_int32(m) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) + 1)) ->
  forall l1:int32.
  (l1 = result6) ->
  (0 <= ("JC_43": (integer_of_int32(u0) - integer_of_int32(l0))))

goal binary_search_safety_po_15:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(result3))) and
   ((integer_of_int32(l0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(l0) + integer_of_int32(result3))) ->
  forall m:int32.
  (m = result4) ->
  ("JC_38":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  lt_double_full(result5, v) ->
  (((-2147483648) <= (integer_of_int32(m) + 1)) and
   ((integer_of_int32(m) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) + 1)) ->
  forall l1:int32.
  (l1 = result6) ->
  (("JC_43": (integer_of_int32(u0) - integer_of_int32(l1))) < ("JC_43":
                                                              (integer_of_int32(u0) - integer_of_int32(l0))))

goal binary_search_safety_po_16:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(result3))) and
   ((integer_of_int32(l0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(l0) + integer_of_int32(result3))) ->
  forall m:int32.
  (m = result4) ->
  ("JC_38":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not lt_double_full(result5, v)) ->
  ((offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))) ->
  forall result6:double.
  (result6 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  gt_double_full(result6, v) ->
  ((-2147483648) <= (integer_of_int32(m) - 1))

goal binary_search_safety_po_17:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(result3))) and
   ((integer_of_int32(l0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(l0) + integer_of_int32(result3))) ->
  forall m:int32.
  (m = result4) ->
  ("JC_38":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not lt_double_full(result5, v)) ->
  ((offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))) ->
  forall result6:double.
  (result6 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  gt_double_full(result6, v) ->
  ((integer_of_int32(m) - 1) <= 2147483647)

goal binary_search_safety_po_18:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(result3))) and
   ((integer_of_int32(l0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(l0) + integer_of_int32(result3))) ->
  forall m:int32.
  (m = result4) ->
  ("JC_38":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not lt_double_full(result5, v)) ->
  ((offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))) ->
  forall result6:double.
  (result6 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  gt_double_full(result6, v) ->
  (((-2147483648) <= (integer_of_int32(m) - 1)) and
   ((integer_of_int32(m) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(m) - 1)) ->
  forall u1:int32.
  (u1 = result7) ->
  (0 <= ("JC_43": (integer_of_int32(u0) - integer_of_int32(l0))))

goal binary_search_safety_po_19:
  forall t_0:doubleP pointer.
  forall n_1:int32.
  forall v:double.
  forall doubleP_t_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_t_2:(doubleP,
  double) memory.
  ("JC_13":
  (("JC_8": (integer_of_int32(n_1) >= 0)) and
   (("JC_9": (offset_min(doubleP_t_2_alloc_table, t_0) <= 0)) and
    (("JC_10": (offset_max(doubleP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))) and
     (("JC_11": (not double_is_NaN(v))) and
      ("JC_12":
      (forall i_2:int.
        (((0 <= i_2) and (i_2 <= (integer_of_int32(n_1) - 1))) ->
         (not double_is_NaN(select(doubleP_doubleM_t_2, shift(t_0, i_2)))))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_32": true) ->
  ("JC_30":
  (("JC_28": (0 <= integer_of_int32(l0))) and
   ("JC_29": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(u0) - integer_of_int32(l0))) and
   ((integer_of_int32(u0) - integer_of_int32(l0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(u0) - integer_of_int32(l0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(result3))) and
   ((integer_of_int32(l0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(l0) + integer_of_int32(result3))) ->
  forall m:int32.
  (m = result4) ->
  ("JC_38":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))) ->
  forall result5:double.
  (result5 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (not lt_double_full(result5, v)) ->
  ((offset_min(doubleP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(doubleP_t_2_alloc_table, t_0))) ->
  forall result6:double.
  (result6 = select(doubleP_doubleM_t_2, shift(t_0, integer_of_int32(m)))) ->
  gt_double_full(result6, v) ->
  (((-2147483648) <= (integer_of_int32(m) - 1)) and
   ((integer_of_int32(m) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(m) - 1)) ->
  forall u1:int32.
  (u1 = result7) ->
  (("JC_43": (integer_of_int32(u1) - integer_of_int32(l0))) < ("JC_43":
                                                              (integer_of_int32(u0) - integer_of_int32(l0))))

why-2.34/tests/c/oracle/clock_drift.res.oracle0000644000175000017500000030406612311670312017721 0ustar  rtusers========== file tests/c/clock_drift.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNGAPPA: will ask regtests to run gappa on VCs of this program

#define NMAX 1000000
#define NMAXR 1000000.0

// this one is needed by Gappa to prove the assertion on the rounding error
/*@ lemma real_of_int_inf_NMAX:
  @   \forall integer i; i <= NMAX ==> i <= NMAXR;
  @*/

// this one does not seem useful for Alt-Ergo
// but it is for CVC3, to prove preservation of the loop
// invariant. Z3 does not prove it either
//@ lemma real_of_int_succ: \forall integer n; n+1 == n + 1.0;

// this one does not seem to be needed anymore
/* lemma inf_mult : 
  @    \forall real x,y,z; x<=y && 0<=z ==> x*z <= y*z;
  @*/

#define A 1.49012e-09 
// A is a bound of (float)0.1 - 0.1

// this one is not needed anymore since (float)0.1 is evaluated
// at compile-time
// lemma round01: \abs((float)0.1 - 0.1) <=  A;

// B is a bound of round_error(t+(float)0.1) for 0 <= t <= 0.1*NMAXR
// NMAX = 100 -> #define B 4.76838e-07
// NMAX = 1000000 ->
#define B 0x1p-8

#define C (B + A)

/*@ requires 0 <= n <= NMAX;
  @ ensures \abs(\result - n*0.1) <= n * C;
  @*/
float f_single(int n)
{
  float t = 0.0f;
  int i;

  /*@ loop invariant 0 <= i <= n;
    @ loop invariant \abs(t - i * 0.1) <= i * C ;
    @ loop variant n-i;
    @*/
  for(i=0;i (i_1 <= 1000000.0)))

lemma real_of_int_succ :
(\forall integer n;
  ((n + 1) == (n + 1.0)))

float f_single(int32 n_1)
  requires (_C_16 : ((_C_17 : (0 <= n_1)) && (_C_18 : (n_1 <= 1000000))));
behavior default:
  ensures (_C_15 : (\real_abs(((\result :> real) - (\at(n_1,Old) * 0.1))) <=
                     (\at(n_1,Old) * (0x1p-8 + 1.49012e-09))));
{  
   (var float t);
   
   (var int32 i);
   
   {  (_C_1 : (t = (0.0 :> float)));
      (_C_2 : (i = 0));
      
      loop 
      behavior default:
        invariant (_C_5 : ((_C_6 : (0 <= i)) && (_C_7 : (i <= n_1))));
      behavior default:
        invariant (_C_4 : (\real_abs(((t :> real) - (i * 0.1))) <=
                            (i * (0x1p-8 + 1.49012e-09))));
      variant (_C_3 : (n_1 - i));
      while (true)
      {  
         {  (if (i < n_1) then () else 
            (goto while_0_break));
            
            {  (L : 
               {  
                  {  
                     (assert for default: (_C_8 : (jessie : ((0.0 <=
                                                               (t :> real)) &&
                                                              ((t :> real) <=
                                                                (1000000.0 *
                                                                  (0.1 +
                                                                    (0x1p-8 +
                                                                    1.49012e-09))))))));
                     ()
                  };
                  (_C_10 : (t = (_C_9 : (t + (0.1 :> float)))))
               });
               
               {  
                  (assert for default: (_C_11 : (jessie : (\real_abs(
                                                            ((t :> real) -
                                                              ((\at(t,L) :> real) +
                                                                ((0.1 :> float) :> real)))) <=
                                                            0x1p-8))));
                  ()
               }
            };
            (_C_14 : (i = (_C_13 : ((_C_12 : (i + 1)) :> int32))))
         }
      };
      (while_0_break : ());
      
      (return t)
   }
}
========== file tests/c/clock_drift.jessie/clock_drift.cloc ==========
[real_of_int_succ]
name = "Lemma real_of_int_succ"
file = "HOME/tests/c/clock_drift.c"
line = 45
begin = 4
end = 62

[_C_4]
file = "HOME/tests/c/clock_drift.c"
line = 75
begin = 21
end = 68

[_C_13]
file = "HOME/tests/c/clock_drift.c"
line = 78
begin = 14
end = 17

[_C_5]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 21
end = 32

[_C_12]
file = "HOME/tests/c/clock_drift.c"
line = 78
begin = 14
end = 17

[real_of_int_inf_NMAX]
name = "Lemma real_of_int_inf_NMAX"
file = "HOME/tests/c/clock_drift.c"
line = 38
begin = 4
end = 89

[_C_9]
file = "HOME/tests/c/clock_drift.c"
line = 81
begin = 8
end = 16

[_C_6]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 21
end = 27

[_C_3]
file = "HOME/tests/c/clock_drift.c"
line = 76
begin = 19
end = 22

[_C_17]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 13
end = 19

[f_single]
name = "Function f_single"
file = "HOME/tests/c/clock_drift.c"
line = 69
begin = 6
end = 14

[_C_7]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 26
end = 32

[_C_15]
file = "HOME/tests/c/clock_drift.c"
line = 67
begin = 12
end = 63

[_C_10]
file = "HOME/tests/c/clock_drift.c"
line = 81
begin = 8
end = 16

[_C_8]
file = "HOME/tests/c/clock_drift.c"
line = 80
begin = 15
end = 65

[_C_18]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 18
end = 30

[_C_14]
file = "HOME/tests/c/clock_drift.c"
line = 78
begin = 14
end = 17

[_C_2]
file = "HOME/tests/c/clock_drift.c"
line = 78
begin = 8
end = 9

[_C_16]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 13
end = 30

[_C_1]
file = "HOME/tests/c/clock_drift.c"
line = 71
begin = 2
end = 7

[_C_11]
file = "HOME/tests/c/clock_drift.c"
line = 82
begin = 15
end = 58

========== jessie execution ==========
Generating Why function f_single
========== file tests/c/clock_drift.jessie/clock_drift.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs clock_drift.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs clock_drift.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/clock_drift_why.sx

project: why/clock_drift.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/clock_drift_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/clock_drift_why.vo

coq/clock_drift_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/clock_drift_why.v: why/clock_drift.why
	@echo 'why -coq [...] why/clock_drift.why' && $(WHY) $(JESSIELIBFILES) why/clock_drift.why && rm -f coq/jessie_why.v

coq-goals: goals coq/clock_drift_ctx_why.vo
	for f in why/*_po*.why; do make -f clock_drift.makefile coq/`basename $$f .why`_why.v ; done

coq/clock_drift_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/clock_drift_ctx_why.v: why/clock_drift_ctx.why
	@echo 'why -coq [...] why/clock_drift_ctx.why' && $(WHY) why/clock_drift_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export clock_drift_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/clock_drift_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/clock_drift_ctx_why.vo

pvs: pvs/clock_drift_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/clock_drift_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/clock_drift_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/clock_drift_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/clock_drift_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/clock_drift_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/clock_drift_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/clock_drift_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/clock_drift_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/clock_drift_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/clock_drift_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/clock_drift_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/clock_drift_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/clock_drift_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/clock_drift_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: clock_drift.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/clock_drift_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: clock_drift.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: clock_drift.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: clock_drift.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include clock_drift.depend

depend: coq/clock_drift_why.v
	-$(COQDEP) -I coq coq/clock_drift*_why.v > clock_drift.depend

clean:
	rm -f coq/*.vo

========== file tests/c/clock_drift.jessie/clock_drift.loc ==========
[real_of_int_succ]
name = "Lemma real_of_int_succ"
behavior = "lemma"
file = "HOME/tests/c/clock_drift.c"
line = 45
begin = 4
end = 62

[JC_31]
file = "HOME/tests/c/clock_drift.jessie/clock_drift.jc"
line = 57
begin = 6
end = 1711

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[f_single_safety]
name = "Function f_single"
behavior = "Safety"
file = "HOME/tests/c/clock_drift.c"
line = 69
begin = 6
end = 14

[JC_23]
kind = ArithOverflow
file = "HOME/tests/c/clock_drift.c"
line = 78
begin = 14
end = 17

[JC_22]
file = "HOME/tests/c/clock_drift.c"
line = 82
begin = 15
end = 58

[JC_5]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 13
end = 19

[JC_9]
file = "HOME/tests/c/clock_drift.c"
line = 67
begin = 12
end = 63

[JC_24]
file = "HOME/tests/c/clock_drift.c"
line = 76
begin = 19
end = 22

[JC_25]
file = "HOME/tests/c/clock_drift.c"
line = 75
begin = 21
end = 68

[JC_26]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 21
end = 27

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[real_of_int_inf_NMAX]
name = "Lemma real_of_int_inf_NMAX"
behavior = "lemma"
file = "HOME/tests/c/clock_drift.c"
line = 38
begin = 4
end = 89

[JC_13]
file = "HOME/tests/c/clock_drift.c"
line = 75
begin = 21
end = 68

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 26
end = 32

[f_single_ensures_default]
name = "Function f_single"
behavior = "default behavior"
file = "HOME/tests/c/clock_drift.c"
line = 69
begin = 6
end = 14

[JC_27]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 26
end = 32

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 18
end = 30

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/c/clock_drift.c"
line = 80
begin = 15
end = 65

[JC_33]
kind = FPOverflow
file = "HOME/tests/c/clock_drift.c"
line = 81
begin = 8
end = 16

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 13
end = 30

[JC_16]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 21
end = 32

[JC_2]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 18
end = 30

[JC_34]
file = "HOME/tests/c/clock_drift.c"
line = 82
begin = 15
end = 58

[JC_14]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 21
end = 27

[JC_21]
kind = FPOverflow
file = "HOME/tests/c/clock_drift.c"
line = 81
begin = 8
end = 16

[JC_1]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 13
end = 19

[JC_10]
file = "HOME/tests/c/clock_drift.c"
line = 67
begin = 12
end = 63

[JC_20]
file = "HOME/tests/c/clock_drift.c"
line = 80
begin = 15
end = 65

[JC_18]
file = "HOME/tests/c/clock_drift.jessie/clock_drift.jc"
line = 57
begin = 6
end = 1711

[JC_3]
file = "HOME/tests/c/clock_drift.c"
line = 66
begin = 13
end = 30

[JC_19]
file = "HOME/tests/c/clock_drift.jessie/clock_drift.jc"
line = 57
begin = 6
end = 1711

[JC_30]
file = "HOME/tests/c/clock_drift.jessie/clock_drift.jc"
line = 57
begin = 6
end = 1711

[JC_28]
file = "HOME/tests/c/clock_drift.c"
line = 74
begin = 21
end = 32

========== file tests/c/clock_drift.jessie/why/clock_drift.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma real_of_int_inf_NMAX :
 (forall i_1:int.
  (le_int(i_1, (1000000)) -> le_real(real_of_int(i_1), 1000000.0)))

lemma real_of_int_succ :
 (forall n:int.
  (real_of_int(add_int(n, (1))) = add_real(real_of_int(n), 1.0)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter f_single :
 n_1:int32 ->
  { } single
  { (JC_10:
    le_real(abs_real(sub_real(single_value(result),
                     mul_real(real_of_int(integer_of_int32(n_1)), 0.1))),
    mul_real(real_of_int(integer_of_int32(n_1)),
    add_real(0x1p-8, 1.49012e-09)))) }

parameter f_single_requires :
 n_1:int32 ->
  { (JC_3:
    ((JC_1: le_int((0), integer_of_int32(n_1)))
    and (JC_2: le_int(integer_of_int32(n_1), (1000000)))))}
  single
  { (JC_10:
    le_real(abs_real(sub_real(single_value(result),
                     mul_real(real_of_int(integer_of_int32(n_1)), 0.1))),
    mul_real(real_of_int(integer_of_int32(n_1)),
    add_real(0x1p-8, 1.49012e-09)))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let f_single_ensures_default =
 fun (n_1 : int32) ->
  { (JC_7:
    ((JC_5: le_int((0), integer_of_int32(n_1)))
    and (JC_6: le_int(integer_of_int32(n_1), (1000000))))) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let t = ref (any_single void) in
     (let i = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (t := (single_of_real_exact 0.0)) in void);
       (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
       (loop_2:
       begin
         while true do
         { invariant
             ((JC_25:
              le_real(abs_real(sub_real(single_value(t),
                               mul_real(real_of_int(integer_of_int32(i)),
                               0.1))),
              mul_real(real_of_int(integer_of_int32(i)),
              add_real(0x1p-8, 1.49012e-09))))
             and (JC_28:
                 ((JC_26: le_int((0), integer_of_int32(i)))
                 and (JC_27:
                     le_int(integer_of_int32(i), integer_of_int32(n_1))))))
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 n_1))
                then void else (raise (Goto_while_0_break_exc void)));
               (L:
               begin
                 (let _jessie_ =
                 begin
                   (assert
                   { (JC_32:
                     (le_real(0.0, single_value(t))
                     and le_real(single_value(t),
                         mul_real(1000000.0,
                         add_real(0.1, add_real(0x1p-8, 1.49012e-09)))))) };
                   void); void;
                  (t := (JC_33:
                        (((add_single_safe nearest_even) !t) (single_of_real_exact 0x1.99999ap-4))));
                  !t end in void);
                (assert
                { (JC_34:
                  le_real(abs_real(sub_real(single_value(t),
                                   add_real(single_value(t@L), 0x1.99999ap-4))),
                  0x1p-8)) }; void); void;
                (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))));
                !i end) end in void); (raise (Loop_continue_exc void)) end
            with Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !t); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_9:
    le_real(abs_real(sub_real(single_value(result),
                     mul_real(real_of_int(integer_of_int32(n_1)), 0.1))),
    mul_real(real_of_int(integer_of_int32(n_1)),
    add_real(0x1p-8, 1.49012e-09)))) }

let f_single_safety =
 fun (n_1 : int32) ->
  { (JC_7:
    ((JC_5: le_int((0), integer_of_int32(n_1)))
    and (JC_6: le_int(integer_of_int32(n_1), (1000000))))) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let t = ref (any_single void) in
     (let i = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (t := (single_of_real_exact 0.0)) in void);
       (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_18: true)
           variant (JC_24 : sub_int(integer_of_int32(n_1),
                            integer_of_int32(i))) }
          begin
            [ { } unit reads i,t
              { ((JC_13:
                 le_real(abs_real(sub_real(single_value(t),
                                  mul_real(real_of_int(integer_of_int32(i)),
                                  0.1))),
                 mul_real(real_of_int(integer_of_int32(i)),
                 add_real(0x1p-8, 1.49012e-09))))
                and (JC_16:
                    ((JC_14: le_int((0), integer_of_int32(i)))
                    and (JC_15:
                        le_int(integer_of_int32(i), integer_of_int32(n_1)))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 n_1))
                then void else (raise (Goto_while_0_break_exc void)));
               (L:
               begin
                 (let _jessie_ =
                 begin
                   [ { } unit reads t
                     { (JC_20:
                       (le_real(0.0, single_value(t))
                       and le_real(single_value(t),
                           mul_real(1000000.0,
                           add_real(0.1, add_real(0x1p-8, 1.49012e-09)))))) } ];
                  void;
                  (t := (JC_21:
                        (((add_single nearest_even) !t) (single_of_real_exact 0x1.99999ap-4))));
                  !t end in void);
                [ { } unit reads t
                  { (JC_22:
                    le_real(abs_real(sub_real(single_value(t),
                                     add_real(single_value(t@L),
                                     0x1.99999ap-4))),
                    0x1p-8)) } ]; void;
                (i := (JC_23:
                      (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))));
                !i end) end in void); (raise (Loop_continue_exc void)) end
            with Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !t); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/clock_drift.why
========== file tests/c/clock_drift.jessie/why/clock_drift_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal real_of_int_inf_NMAX:
  (forall i_1:int. ((i_1 <= 1000000) -> (real_of_int(i_1) <= 1000000.0)))

axiom real_of_int_inf_NMAX_as_axiom:
  (forall i_1:int. ((i_1 <= 1000000) -> (real_of_int(i_1) <= 1000000.0)))

goal real_of_int_succ:
  (forall n:int. (real_of_int((n + 1)) = (real_of_int(n) + 1.0)))

axiom real_of_int_succ_as_axiom:
  (forall n:int. (real_of_int((n + 1)) = (real_of_int(n) + 1.0)))

goal f_single_ensures_default_po_1:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  ("JC_25":
  (abs_real((single_value(t) - (real_of_int(integer_of_int32(i)) * 0.1))) <= (real_of_int(integer_of_int32(i)) * (0x1.p-8 + 1.49012e-09))))

goal f_single_ensures_default_po_2:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  ("JC_28": ("JC_26": (0 <= integer_of_int32(i))))

goal f_single_ensures_default_po_3:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  ("JC_28": ("JC_27": (integer_of_int32(i) <= integer_of_int32(n_1))))

goal f_single_ensures_default_po_4:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall t0:single.
  (("JC_25":
   (abs_real((single_value(t0) - (real_of_int(integer_of_int32(i0)) * 0.1))) <= (real_of_int(integer_of_int32(i0)) * (0x1.p-8 + 1.49012e-09)))) and
   ("JC_28":
   (("JC_26": (0 <= integer_of_int32(i0))) and
    ("JC_27": (integer_of_int32(i0) <= integer_of_int32(n_1)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_32": (0.0 <= single_value(t0)))

goal f_single_ensures_default_po_5:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall t0:single.
  (("JC_25":
   (abs_real((single_value(t0) - (real_of_int(integer_of_int32(i0)) * 0.1))) <= (real_of_int(integer_of_int32(i0)) * (0x1.p-8 + 1.49012e-09)))) and
   ("JC_28":
   (("JC_26": (0 <= integer_of_int32(i0))) and
    ("JC_27": (integer_of_int32(i0) <= integer_of_int32(n_1)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_32":
  (single_value(t0) <= (1000000.0 * (0.1 + (0x1.p-8 + 1.49012e-09)))))

goal f_single_ensures_default_po_6:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall t0:single.
  (("JC_25":
   (abs_real((single_value(t0) - (real_of_int(integer_of_int32(i0)) * 0.1))) <= (real_of_int(integer_of_int32(i0)) * (0x1.p-8 + 1.49012e-09)))) and
   ("JC_28":
   (("JC_26": (0 <= integer_of_int32(i0))) and
    ("JC_27": (integer_of_int32(i0) <= integer_of_int32(n_1)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_32":
  ((0.0 <= single_value(t0)) and
   (single_value(t0) <= (1000000.0 * (0.1 + (0x1.p-8 + 1.49012e-09)))))) ->
  forall result1:single.
  ((single_value(result1) = 0x1.99999ap-4) and
   ((single_exact(result1) = 0x1.99999ap-4) and
    (single_model(result1) = 0x1.99999ap-4))) ->
  forall result2:single.
  add_single_post(nearest_even, t0, result1, result2) ->
  forall t1:single.
  (t1 = result2) ->
  ("JC_34":
  (abs_real((single_value(t1) - (single_value(t0) + 0x1.99999ap-4))) <= 0x1.p-8))

goal f_single_ensures_default_po_7:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall t0:single.
  (("JC_25":
   (abs_real((single_value(t0) - (real_of_int(integer_of_int32(i0)) * 0.1))) <= (real_of_int(integer_of_int32(i0)) * (0x1.p-8 + 1.49012e-09)))) and
   ("JC_28":
   (("JC_26": (0 <= integer_of_int32(i0))) and
    ("JC_27": (integer_of_int32(i0) <= integer_of_int32(n_1)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_32":
  ((0.0 <= single_value(t0)) and
   (single_value(t0) <= (1000000.0 * (0.1 + (0x1.p-8 + 1.49012e-09)))))) ->
  forall result1:single.
  ((single_value(result1) = 0x1.99999ap-4) and
   ((single_exact(result1) = 0x1.99999ap-4) and
    (single_model(result1) = 0x1.99999ap-4))) ->
  forall result2:single.
  add_single_post(nearest_even, t0, result1, result2) ->
  forall t1:single.
  (t1 = result2) ->
  ("JC_34":
  (abs_real((single_value(t1) - (single_value(t0) + 0x1.99999ap-4))) <= 0x1.p-8)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_25":
  (abs_real((single_value(t1) - (real_of_int(integer_of_int32(i1)) * 0.1))) <= (real_of_int(integer_of_int32(i1)) * (0x1.p-8 + 1.49012e-09))))

goal f_single_ensures_default_po_8:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall t0:single.
  (("JC_25":
   (abs_real((single_value(t0) - (real_of_int(integer_of_int32(i0)) * 0.1))) <= (real_of_int(integer_of_int32(i0)) * (0x1.p-8 + 1.49012e-09)))) and
   ("JC_28":
   (("JC_26": (0 <= integer_of_int32(i0))) and
    ("JC_27": (integer_of_int32(i0) <= integer_of_int32(n_1)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_32":
  ((0.0 <= single_value(t0)) and
   (single_value(t0) <= (1000000.0 * (0.1 + (0x1.p-8 + 1.49012e-09)))))) ->
  forall result1:single.
  ((single_value(result1) = 0x1.99999ap-4) and
   ((single_exact(result1) = 0x1.99999ap-4) and
    (single_model(result1) = 0x1.99999ap-4))) ->
  forall result2:single.
  add_single_post(nearest_even, t0, result1, result2) ->
  forall t1:single.
  (t1 = result2) ->
  ("JC_34":
  (abs_real((single_value(t1) - (single_value(t0) + 0x1.99999ap-4))) <= 0x1.p-8)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_28": ("JC_26": (0 <= integer_of_int32(i1))))

goal f_single_ensures_default_po_9:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall t0:single.
  (("JC_25":
   (abs_real((single_value(t0) - (real_of_int(integer_of_int32(i0)) * 0.1))) <= (real_of_int(integer_of_int32(i0)) * (0x1.p-8 + 1.49012e-09)))) and
   ("JC_28":
   (("JC_26": (0 <= integer_of_int32(i0))) and
    ("JC_27": (integer_of_int32(i0) <= integer_of_int32(n_1)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_32":
  ((0.0 <= single_value(t0)) and
   (single_value(t0) <= (1000000.0 * (0.1 + (0x1.p-8 + 1.49012e-09)))))) ->
  forall result1:single.
  ((single_value(result1) = 0x1.99999ap-4) and
   ((single_exact(result1) = 0x1.99999ap-4) and
    (single_model(result1) = 0x1.99999ap-4))) ->
  forall result2:single.
  add_single_post(nearest_even, t0, result1, result2) ->
  forall t1:single.
  (t1 = result2) ->
  ("JC_34":
  (abs_real((single_value(t1) - (single_value(t0) + 0x1.99999ap-4))) <= 0x1.p-8)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  ("JC_28": ("JC_27": (integer_of_int32(i1) <= integer_of_int32(n_1))))

goal f_single_ensures_default_po_10:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall t0:single.
  (("JC_25":
   (abs_real((single_value(t0) - (real_of_int(integer_of_int32(i0)) * 0.1))) <= (real_of_int(integer_of_int32(i0)) * (0x1.p-8 + 1.49012e-09)))) and
   ("JC_28":
   (("JC_26": (0 <= integer_of_int32(i0))) and
    ("JC_27": (integer_of_int32(i0) <= integer_of_int32(n_1)))))) ->
  (integer_of_int32(i0) >= integer_of_int32(n_1)) ->
  forall return:single.
  (return = t0) ->
  ("JC_9":
  (abs_real((single_value(return) - (real_of_int(integer_of_int32(n_1)) * 0.1))) <= (real_of_int(integer_of_int32(n_1)) * (0x1.p-8 + 1.49012e-09))))

goal f_single_safety_po_1:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall t0:single.
  ("JC_18": true) ->
  (("JC_13":
   (abs_real((single_value(t0) - (real_of_int(integer_of_int32(i0)) * 0.1))) <= (real_of_int(integer_of_int32(i0)) * (0x1.p-8 + 1.49012e-09)))) and
   ("JC_16":
   (("JC_14": (0 <= integer_of_int32(i0))) and
    ("JC_15": (integer_of_int32(i0) <= integer_of_int32(n_1)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_20":
  ((0.0 <= single_value(t0)) and
   (single_value(t0) <= (1000000.0 * (0.1 + (0x1.p-8 + 1.49012e-09)))))) ->
  forall result1:single.
  ((single_value(result1) = 0x1.99999ap-4) and
   ((single_exact(result1) = 0x1.99999ap-4) and
    (single_model(result1) = 0x1.99999ap-4))) ->
  no_overflow_single(nearest_even,
  (single_value(t0) + single_value(result1)))

goal f_single_safety_po_2:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall t0:single.
  ("JC_18": true) ->
  (("JC_13":
   (abs_real((single_value(t0) - (real_of_int(integer_of_int32(i0)) * 0.1))) <= (real_of_int(integer_of_int32(i0)) * (0x1.p-8 + 1.49012e-09)))) and
   ("JC_16":
   (("JC_14": (0 <= integer_of_int32(i0))) and
    ("JC_15": (integer_of_int32(i0) <= integer_of_int32(n_1)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_20":
  ((0.0 <= single_value(t0)) and
   (single_value(t0) <= (1000000.0 * (0.1 + (0x1.p-8 + 1.49012e-09)))))) ->
  forall result1:single.
  ((single_value(result1) = 0x1.99999ap-4) and
   ((single_exact(result1) = 0x1.99999ap-4) and
    (single_model(result1) = 0x1.99999ap-4))) ->
  no_overflow_single(nearest_even,
  (single_value(t0) + single_value(result1))) ->
  forall result2:single.
  add_single_post(nearest_even, t0, result1, result2) ->
  forall t1:single.
  (t1 = result2) ->
  ("JC_22":
  (abs_real((single_value(t1) - (single_value(t0) + 0x1.99999ap-4))) <= 0x1.p-8)) ->
  ((-2147483648) <= (integer_of_int32(i0) + 1))

goal f_single_safety_po_3:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall t0:single.
  ("JC_18": true) ->
  (("JC_13":
   (abs_real((single_value(t0) - (real_of_int(integer_of_int32(i0)) * 0.1))) <= (real_of_int(integer_of_int32(i0)) * (0x1.p-8 + 1.49012e-09)))) and
   ("JC_16":
   (("JC_14": (0 <= integer_of_int32(i0))) and
    ("JC_15": (integer_of_int32(i0) <= integer_of_int32(n_1)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_20":
  ((0.0 <= single_value(t0)) and
   (single_value(t0) <= (1000000.0 * (0.1 + (0x1.p-8 + 1.49012e-09)))))) ->
  forall result1:single.
  ((single_value(result1) = 0x1.99999ap-4) and
   ((single_exact(result1) = 0x1.99999ap-4) and
    (single_model(result1) = 0x1.99999ap-4))) ->
  no_overflow_single(nearest_even,
  (single_value(t0) + single_value(result1))) ->
  forall result2:single.
  add_single_post(nearest_even, t0, result1, result2) ->
  forall t1:single.
  (t1 = result2) ->
  ("JC_22":
  (abs_real((single_value(t1) - (single_value(t0) + 0x1.99999ap-4))) <= 0x1.p-8)) ->
  ((integer_of_int32(i0) + 1) <= 2147483647)

goal f_single_safety_po_4:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall t0:single.
  ("JC_18": true) ->
  (("JC_13":
   (abs_real((single_value(t0) - (real_of_int(integer_of_int32(i0)) * 0.1))) <= (real_of_int(integer_of_int32(i0)) * (0x1.p-8 + 1.49012e-09)))) and
   ("JC_16":
   (("JC_14": (0 <= integer_of_int32(i0))) and
    ("JC_15": (integer_of_int32(i0) <= integer_of_int32(n_1)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_20":
  ((0.0 <= single_value(t0)) and
   (single_value(t0) <= (1000000.0 * (0.1 + (0x1.p-8 + 1.49012e-09)))))) ->
  forall result1:single.
  ((single_value(result1) = 0x1.99999ap-4) and
   ((single_exact(result1) = 0x1.99999ap-4) and
    (single_model(result1) = 0x1.99999ap-4))) ->
  no_overflow_single(nearest_even,
  (single_value(t0) + single_value(result1))) ->
  forall result2:single.
  add_single_post(nearest_even, t0, result1, result2) ->
  forall t1:single.
  (t1 = result2) ->
  ("JC_22":
  (abs_real((single_value(t1) - (single_value(t0) + 0x1.99999ap-4))) <= 0x1.p-8)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  (0 <= ("JC_24": (integer_of_int32(n_1) - integer_of_int32(i0))))

goal f_single_safety_po_5:
  forall n_1:int32.
  ("JC_7":
  (("JC_5": (0 <= integer_of_int32(n_1))) and
   ("JC_6": (integer_of_int32(n_1) <= 1000000)))) ->
  forall result:single.
  ((single_value(result) = 0.0) and
   ((single_exact(result) = 0.0) and (single_model(result) = 0.0))) ->
  forall t:single.
  (t = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall t0:single.
  ("JC_18": true) ->
  (("JC_13":
   (abs_real((single_value(t0) - (real_of_int(integer_of_int32(i0)) * 0.1))) <= (real_of_int(integer_of_int32(i0)) * (0x1.p-8 + 1.49012e-09)))) and
   ("JC_16":
   (("JC_14": (0 <= integer_of_int32(i0))) and
    ("JC_15": (integer_of_int32(i0) <= integer_of_int32(n_1)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_20":
  ((0.0 <= single_value(t0)) and
   (single_value(t0) <= (1000000.0 * (0.1 + (0x1.p-8 + 1.49012e-09)))))) ->
  forall result1:single.
  ((single_value(result1) = 0x1.99999ap-4) and
   ((single_exact(result1) = 0x1.99999ap-4) and
    (single_model(result1) = 0x1.99999ap-4))) ->
  no_overflow_single(nearest_even,
  (single_value(t0) + single_value(result1))) ->
  forall result2:single.
  add_single_post(nearest_even, t0, result1, result2) ->
  forall t1:single.
  (t1 = result2) ->
  ("JC_22":
  (abs_real((single_value(t1) - (single_value(t0) + 0x1.99999ap-4))) <= 0x1.p-8)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result3) ->
  (("JC_24": (integer_of_int32(n_1) - integer_of_int32(i1))) < ("JC_24":
                                                               (integer_of_int32(n_1) - integer_of_int32(i0))))

// RUNGAPPA: will ask regtests to run gappa on VCs of this program
========== generation of Gappa VC output ==========
why -gappa [...] why/clock_drift.why
========== file tests/c/clock_drift.jessie/gappa/clock_drift_why.gappa ==========
========== running Gappa ==========
why -gappa [...] why/clock_drift.why
Running Gappa on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
gappa/clock_drift_why.gappa   : why-2.34/tests/c/oracle/duplets.err.oracle0000644000175000017500000000000012311670312017072 0ustar  rtuserswhy-2.34/tests/c/oracle/insertion_sort.err.oracle0000644000175000017500000000062612311670312020511 0ustar  rtusersWarning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
why-2.34/tests/c/oracle/my_cosine.err.oracle0000644000175000017500000000000012311670312017377 0ustar  rtuserswhy-2.34/tests/c/oracle/find_array.err.oracle0000644000175000017500000000000012311670312017530 0ustar  rtuserswhy-2.34/tests/c/oracle/swap.err.oracle0000644000175000017500000000000012311670312016364 0ustar  rtuserswhy-2.34/tests/c/oracle/selection_sort.err.oracle0000644000175000017500000000062612311670312020464 0ustar  rtusersWarning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
why-2.34/tests/c/oracle/interval_arith.res.oracle0000644000175000017500000174217612311670312020462 0ustar  rtusers========== file tests/c/interval_arith.c ==========
#pragma JessieFloatModel(full)
#pragma JessieFloatRoundingMode(down)


/*@ requires !\is_NaN(x) && !\is_NaN(y);
  @ ensures \le_float(\result,x) && \le_float(\result,y);
  @ ensures \eq_float(\result,x) || \eq_float(\result,y);
  @*/
double min(double x, double y)
{
  return x < y ? x : y;
}


/*@ requires !\is_NaN(x) && !\is_NaN(y);
  @ ensures \le_float(x,\result) && \le_float(y,\result);
  @ ensures \eq_float(\result,x) || \eq_float(\result,y);
  @*/
double max(double x, double y)
{
  return x > y ? x : y;
}


//@ predicate dif_sign(double x, double y) = \sign(x) != \sign(y);
//@ predicate sam_sign(double x, double y) = \sign(x) == \sign(y);

/*@ predicate double_le_real(double x,real y) =
  @           (\is_finite(x) && x <= y) || \is_minus_infinity(x);
  @*/

/*@ predicate real_le_double(real x,double y) =
  @           (\is_finite(y) && x <= y) || \is_plus_infinity(y);
  @*/

/*@ predicate in_interval(real a,double l,double u) =
  @           double_le_real(l,a) && real_le_double(a,u);
  @*/



/*@ requires ! \is_NaN(x) && ! \is_NaN(y);
  @ requires \is_infinite(x) || \is_infinite(y) ==> dif_sign(x,y);
  @ requires \is_infinite(x) && \is_finite(y) ==> y != 0.0;
  @ requires \is_finite(x) && \is_infinite(y) ==> x != 0.0;
  @ assigns \nothing;
  @ ensures double_le_real(\result,x*y);
  @*/
double mul_dn(double x, double y)
{
  double z = x*y;
  /* @ assert \is_finite(x) && \is_finite(y)
    @     && \no_overflow_double(\Down,x*y) ==> double_le_real(z,x*y);
    @*/
  /* @ assert \is_finite(x) && \is_finite(y)
    @     && ! \no_overflow_double(\Down,x*y) && \sign(x) == \sign(y) ==> double_le_real(z,x*y);
    @*/
  /* @ assert \is_finite(x) && \is_finite(y)
    @     && ! \no_overflow_double(\Down,x*y) && \sign(x) != \sign(y)  ==> double_le_real(z,x*y);
    @*/
  /* @ assert \is_infinite(x) || \is_infinite(y) ==> double_le_real(z,x*y);
    @*/
  return z;
}



/*@ requires !\is_NaN(x) && !\is_NaN(y);
  @ requires \is_infinite(x) || \is_infinite(y) ==> sam_sign(x,y);
  @ requires \is_infinite(x) && \is_finite(y) ==> y != 0.0;
  @ requires \is_infinite(y) && \is_finite(x) ==> x != 0.0;
  @ requires \is_finite(x) && \is_finite(y) &&
  @          !\no_overflow_double(\Down,-y) && \sign(y) == \Positive
  @          ==> x > 0.0 ;
  @ ensures  real_le_double(x * y,\result);
  @*/
double mul_up(double x, double y) {
  double a=-y;
  double b=x*a;
  double z=-b;
  /*  double z = -(x * -y);*/

  /*@ assert \is_infinite(x) || \is_infinite(y) ==> real_le_double(x * y,z);
    @*/


  /*@ assert \is_finite(x) && \is_infinite(y) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_infinite(x) && \is_finite(y) &&
    @    \no_overflow_double(\Down,-y) ==> real_le_double(x * y,z);
    @*/
  /*@ assert \is_infinite(x) && \is_finite(y) &&
    @    ! \no_overflow_double(\Down,-y) ==> real_le_double(x * y,z);
    @*/
  /*@ assert \is_infinite(x) && \is_infinite(y) ==> real_le_double(x * y,z);
    @*/



  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     \no_overflow_double(\Down,x*a) &&
    @     !\no_overflow_double(\Down,-b) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     !\no_overflow_double(\Down,x*a) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Positive
    @                                     ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Negative &&
    @     !\no_overflow_double(\Down,x*a) ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Negative &&
    @     \no_overflow_double(\Down,x*a) &&
    @     !\no_overflow_double(\Down,-b)  ==> real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     !\no_overflow_double(\Down,-y) && \sign(y) == \Negative &&
    @     \no_overflow_double(\Down,x*a) &&
    @     \no_overflow_double(\Down,-b) ==> real_le_double(x * y,z);
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     \no_overflow_double(\Down,x*a) &&
    @     \no_overflow_double(\Down,-b) && x > 0.0 ==> \is_finite(z) && real_le_double(x * y,z) ;
    @*/
  /*@ assert \is_finite(x) && \is_finite(y) &&
    @     \no_overflow_double(\Down,-y) &&
    @     \no_overflow_double(\Down,x*a) &&
    @     \no_overflow_double(\Down,-b) && x < 0.0 ==> \is_finite(z) && real_le_double(x * y,z) ;
    @*/

   return z;
}


double zl, zu;

/*@ predicate is_interval(double xl, double xu) =
  @       (\is_finite(xl) || \is_minus_infinity(xl))
  @       &&
  @       (\is_finite(xu) || \is_plus_infinity(xu));
  @*/

/*@ requires is_interval(xl,xu) && is_interval(yl,yu);
  @ ensures is_interval(zl,zu);
  @ ensures \forall real a,b;
  @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
  @    in_interval(a+b,zl,zu);
  @*/
void add(double xl, double xu, double yl, double yu)
{
  zl = xl + yl;
  /* @ assert
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      double_le_real(zl,a+b)  ;
    @*/
  zu = -((-xu) - yu);
  /* @ assert caseuii: \is_infinite(xu) && \is_infinite(yu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseuif: \is_infinite(xu) && \is_finite(yu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseufi: \is_finite(xu) && \is_infinite(yu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseufff: \is_finite(xu) && \is_finite(yu) && \is_infinite(zu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
  /* @ assert caseufff: \is_finite(xu) && \is_finite(yu) && \is_finite(zu) ==>
    @  \forall real a,b;
    @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
    @      real_le_double(a+b,zu)  ;
    @*/
}





/*@ requires is_interval(xl,xu) && is_interval(yl,yu);
  @ ensures is_interval(zl,zu);
  @ ensures \forall real a,b;
  @    in_interval(a,xl,xu) && in_interval(b,yl,yu) ==>
  @    in_interval(a*b,zl,zu);
  @*/
void mul(double xl, double xu, double yl, double yu)
{
  if (xl < 0.0)
    if (xu > 0.0)
      if (yl < 0.0)
        if (yu > 0.0) // M * M
          { zl = min(mul_dn(xl, yu), mul_dn(xu, yl));
            zu = max(mul_up(xl, yl), mul_up(xu, yu)); }
        else           // M * Neg
          { zl = mul_dn(xu, yl);
            zu = mul_up(xl, yl); }
      else
        if (yu > 0.0) // M * Pos
          { zl = mul_dn(xl, yu);
            zu = mul_up(xu, yu); }
        else           // M * Zero
          { zl = 0.0;
            zu = 0.0; }
    else
      if (yl < 0.0)
        if (yu > 0.0) // Neg * M
          { zl = mul_dn(xl, yu);
            zu = mul_up(xl, yl); }
        else           // Neg * Neg
          { zl = mul_dn(xu, yu);
            zu = mul_up(xl, yl); }
      else
        if (yu > 0.0) // Neg * Pos
          { zl = mul_dn(xl, yu);
            zu = mul_up(xu, yl); }
        else           // Neg * Zero
          { zl = 0.0;
            zu = 0.0; }
  else
    if (xu > 0.0)
      if (yl < 0.0)
        if (yu > 0.0) // Pos * M
          { zl = mul_dn(xu, yl);
            zu = mul_up(xu, yu); }
        else           // Pos * Neg
          { zl = mul_dn(xu, yl);
            zu = mul_up(xl, yu); }
      else
        if (yu > 0.0) // Pos * Pos
          { zl = mul_dn(xl, yl);
            zu = mul_up(xu, yu); }
        else           // Pos * Zero
          { zl = 0.0;
            zu = 0.0; }
    else               // Zero * M
      { zl = 0.0;
        zu = 0.0; }
}




/*
Local Variables:
compile-command: "LC_ALL=C make interval_arith.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/interval_arith.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/interval_arith.jessie
[jessie] File tests/c/interval_arith.jessie/interval_arith.jc written.
[jessie] File tests/c/interval_arith.jessie/interval_arith.cloc written.
========== file tests/c/interval_arith.jessie/interval_arith.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol
# FloatModel = full
# FloatRoundingMode = down

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

double min(double x_0, double y_0)
  requires (_C_8 : ((_C_9 : (! \double_is_NaN(x_0))) &&
                     (_C_10 : (! \double_is_NaN(y_0)))));
behavior default:
  ensures (_C_3 : (((_C_5 : \le_double(\result, \at(x_0,Old))) &&
                     (_C_6 : \le_double(\result, \at(y_0,Old)))) &&
                    (_C_7 : (\eq_double(\result, \at(x_0,Old)) ||
                              \eq_double(\result, \at(y_0,Old))))));
{  
   (var double tmp);
   
   {  (if (x_0 < y_0) then (_C_2 : (tmp = x_0)) else (_C_1 : (tmp = y_0)));
      
      (return tmp)
   }
}

double max(double x, double y)
  requires (_C_18 : ((_C_19 : (! \double_is_NaN(x))) &&
                      (_C_20 : (! \double_is_NaN(y)))));
behavior default:
  ensures (_C_13 : (((_C_15 : \le_double(\at(x,Old), \result)) &&
                      (_C_16 : \le_double(\at(y,Old), \result))) &&
                     (_C_17 : (\eq_double(\result, \at(x,Old)) ||
                                \eq_double(\result, \at(y,Old))))));
{  
   (var double tmp_0);
   
   {  (if (x > y) then (_C_12 : (tmp_0 = x)) else (_C_11 : (tmp_0 = y)));
      
      (return tmp_0)
   }
}

predicate dif_sign(double x, double y) =
(\double_sign(x) != \double_sign(y))

predicate sam_sign(double x_0, double y_0) =
(\double_sign(x_0) == \double_sign(y_0))

predicate double_le_real(double x_1, real y_1) =
((\double_is_finite(x_1) && ((x_1 :> real) <= y_1)) ||
  \double_is_minus_infinity(x_1))

predicate real_le_double(real x_2, double y_2) =
((\double_is_finite(y_2) && (x_2 <= (y_2 :> real))) ||
  \double_is_plus_infinity(y_2))

predicate in_interval(real a, double l, double u) =
(double_le_real(l, a) && real_le_double(a, u))

double mul_dn(double x_1, double y_1)
  requires (_C_27 : ((_C_28 : (! \double_is_NaN(x_1))) &&
                      (_C_29 : (! \double_is_NaN(y_1)))));
  requires (_C_26 : ((\double_is_infinite(x_1) || \double_is_infinite(y_1)) ==>
                      dif_sign(x_1, y_1)));
  requires (_C_25 : ((\double_is_infinite(x_1) && \double_is_finite(y_1)) ==>
                      ((y_1 :> real) != 0.0)));
  requires (_C_24 : ((\double_is_finite(x_1) && \double_is_infinite(y_1)) ==>
                      ((x_1 :> real) != 0.0)));
behavior default:
  assigns \nothing;
  ensures (_C_23 : double_le_real(\result,
                                  ((\at(x_1,Old) :> real) *
                                    (\at(y_1,Old) :> real))));
{  
   (var double z);
   
   {  (_C_22 : (z = (_C_21 : (x_1 * y_1))));
      
      (return z)
   }
}

double mul_up(double x_2, double y_2)
  requires (_C_54 : ((_C_55 : (! \double_is_NaN(x_2))) &&
                      (_C_56 : (! \double_is_NaN(y_2)))));
  requires (_C_53 : ((\double_is_infinite(x_2) || \double_is_infinite(y_2)) ==>
                      sam_sign(x_2, y_2)));
  requires (_C_52 : ((\double_is_infinite(x_2) && \double_is_finite(y_2)) ==>
                      ((y_2 :> real) != 0.0)));
  requires (_C_51 : ((\double_is_infinite(y_2) && \double_is_finite(x_2)) ==>
                      ((x_2 :> real) != 0.0)));
  requires (_C_50 : ((((\double_is_finite(x_2) && \double_is_finite(y_2)) &&
                        (! \no_overflow_double(\Down(), (- (y_2 :> real))))) &&
                       (\double_sign(y_2) == \Positive())) ==>
                      ((x_2 :> real) > 0.0)));
behavior default:
  ensures (_C_49 : real_le_double(((\at(x_2,Old) :> real) *
                                    (\at(y_2,Old) :> real)),
                                  \result));
{  
   (var double a);
   
   (var double b);
   
   (var double z_0);
   
   {  (_C_31 : (a = (_C_30 : (- y_2))));
      (_C_33 : (b = (_C_32 : (x_2 * a))));
      (_C_35 : (z_0 = (_C_34 : (- b))));
      
      {  
         (assert for default: (_C_36 : (jessie : ((\double_is_infinite(
                                                    x_2) ||
                                                    \double_is_infinite(
                                                    y_2)) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_37 : (jessie : ((\double_is_finite(
                                                    x_2) &&
                                                    \double_is_infinite(
                                                    y_2)) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_38 : (jessie : (((\double_is_infinite(
                                                     x_2) &&
                                                     \double_is_finite(
                                                     y_2)) &&
                                                    \no_overflow_double(
                                                    \Down(),
                                                    (- (y_2 :> real)))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_39 : (jessie : (((\double_is_infinite(
                                                     x_2) &&
                                                     \double_is_finite(
                                                     y_2)) &&
                                                    (! \no_overflow_double(
                                                    \Down(),
                                                    (- (y_2 :> real))))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_40 : (jessie : ((\double_is_infinite(
                                                    x_2) &&
                                                    \double_is_infinite(
                                                    y_2)) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_41 : (jessie : (((((\double_is_finite(
                                                       x_2) &&
                                                       \double_is_finite(
                                                       y_2)) &&
                                                      \no_overflow_double(
                                                      \Down(),
                                                      (- (y_2 :> real)))) &&
                                                     \no_overflow_double(
                                                     \Down(),
                                                     ((x_2 :> real) *
                                                       (a :> real)))) &&
                                                    (! \no_overflow_double(
                                                    \Down(), (- (b :> real))))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_42 : (jessie : ((((\double_is_finite(
                                                      x_2) &&
                                                      \double_is_finite(
                                                      y_2)) &&
                                                     \no_overflow_double(
                                                     \Down(),
                                                     (- (y_2 :> real)))) &&
                                                    (! \no_overflow_double(
                                                    \Down(),
                                                    ((x_2 :> real) *
                                                      (a :> real))))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_43 : (jessie : ((((\double_is_finite(
                                                      x_2) &&
                                                      \double_is_finite(
                                                      y_2)) &&
                                                     (! \no_overflow_double(
                                                     \Down(),
                                                     (- (y_2 :> real))))) &&
                                                    (\double_sign(y_2) ==
                                                      \Positive())) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_44 : (jessie : (((((\double_is_finite(
                                                       x_2) &&
                                                       \double_is_finite(
                                                       y_2)) &&
                                                      (! \no_overflow_double(
                                                      \Down(),
                                                      (- (y_2 :> real))))) &&
                                                     (\double_sign(y_2) ==
                                                       \Negative())) &&
                                                    (! \no_overflow_double(
                                                    \Down(),
                                                    ((x_2 :> real) *
                                                      (a :> real))))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_45 : (jessie : ((((((\double_is_finite(
                                                        x_2) &&
                                                        \double_is_finite(
                                                        y_2)) &&
                                                       (! \no_overflow_double(
                                                       \Down(),
                                                       (- (y_2 :> real))))) &&
                                                      (\double_sign(y_2) ==
                                                        \Negative())) &&
                                                     \no_overflow_double(
                                                     \Down(),
                                                     ((x_2 :> real) *
                                                       (a :> real)))) &&
                                                    (! \no_overflow_double(
                                                    \Down(), (- (b :> real))))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_46 : (jessie : ((((((\double_is_finite(
                                                        x_2) &&
                                                        \double_is_finite(
                                                        y_2)) &&
                                                       (! \no_overflow_double(
                                                       \Down(),
                                                       (- (y_2 :> real))))) &&
                                                      (\double_sign(y_2) ==
                                                        \Negative())) &&
                                                     \no_overflow_double(
                                                     \Down(),
                                                     ((x_2 :> real) *
                                                       (a :> real)))) &&
                                                    \no_overflow_double(
                                                    \Down(), (- (b :> real)))) ==>
                                                   real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                  z_0)))));
         ()
      };
      
      {  
         (assert for default: (_C_47 : (jessie : ((((((\double_is_finite(
                                                        x_2) &&
                                                        \double_is_finite(
                                                        y_2)) &&
                                                       \no_overflow_double(
                                                       \Down(),
                                                       (- (y_2 :> real)))) &&
                                                      \no_overflow_double(
                                                      \Down(),
                                                      ((x_2 :> real) *
                                                        (a :> real)))) &&
                                                     \no_overflow_double(
                                                     \Down(), (- (b :> real)))) &&
                                                    ((x_2 :> real) > 0.0)) ==>
                                                   (\double_is_finite(
                                                     z_0) &&
                                                     real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                    z_0))))));
         ()
      };
      
      {  
         (assert for default: (_C_48 : (jessie : ((((((\double_is_finite(
                                                        x_2) &&
                                                        \double_is_finite(
                                                        y_2)) &&
                                                       \no_overflow_double(
                                                       \Down(),
                                                       (- (y_2 :> real)))) &&
                                                      \no_overflow_double(
                                                      \Down(),
                                                      ((x_2 :> real) *
                                                        (a :> real)))) &&
                                                     \no_overflow_double(
                                                     \Down(), (- (b :> real)))) &&
                                                    ((x_2 :> real) < 0.0)) ==>
                                                   (\double_is_finite(
                                                     z_0) &&
                                                     real_le_double(((x_2 :> real) *
                                                                    (y_2 :> real)),
                                                                    z_0))))));
         ()
      };
      
      {  
         (return z_0)
      }
   }
}

double zl;

double zu;

predicate is_interval(double xl, double xu) =
((\double_is_finite(xl) || \double_is_minus_infinity(xl)) &&
  (\double_is_finite(xu) || \double_is_plus_infinity(xu)))

unit add(double xl, double xu, double yl, double yu)
  requires (_C_66 : ((_C_67 : is_interval(xl, xu)) &&
                      (_C_68 : is_interval(yl, yu))));
behavior default:
  ensures (_C_63 : ((_C_64 : is_interval(zl, zu)) &&
                     (_C_65 : (\forall real a_0;
                                (\forall real b;
                                  ((in_interval(a_0, \at(xl,Old), \at(xu,Old)) &&
                                     in_interval(b, \at(yl,Old), \at(yu,Old))) ==>
                                    in_interval((a_0 + b), zl, zu)))))));
{  
   {  (_C_58 : (zl = (_C_57 : (xl + yl))));
      (_C_62 : (zu = (_C_61 : (- (_C_60 : ((_C_59 : (- xu)) - yu))))));
      
      (return ())
   }
}

unit mul(double xl_0, double xu_0, double yl_0, double yu_0)
  requires (_C_124 : ((_C_125 : is_interval(xl_0, xu_0)) &&
                       (_C_126 : is_interval(yl_0, yu_0))));
behavior default:
  ensures (_C_121 : ((_C_122 : is_interval(zl, zu)) &&
                      (_C_123 : (\forall real a_1;
                                  (\forall real b_0;
                                    ((in_interval(a_1, \at(xl_0,Old),
                                                  \at(xu_0,Old)) &&
                                       in_interval(b_0, \at(yl_0,Old),
                                                   \at(yu_0,Old))) ==>
                                      in_interval((a_1 * b_0), zl, zu)))))));
{  
   (var double tmp_1);
   
   (var double tmp_0_0);
   
   (var double tmp_1_0);
   
   (var double tmp_2);
   
   {  (if (xl_0 < (0.0 :> double)) then (if (xu_0 > (0.0 :> double)) then 
                                        (if (yl_0 < (0.0 :> double)) then 
                                        (if (yu_0 > (0.0 :> double)) then 
                                        {  
                                           {  (_C_110 : (tmp_1 = (_C_109 : mul_dn(
                                                                 xu_0, yl_0))));
                                              (_C_112 : (tmp_0_0 = (_C_111 : mul_dn(
                                                                   xl_0, yu_0))))
                                           };
                                           (_C_114 : (zl = (_C_113 : min(
                                                           tmp_0_0, tmp_1))));
                                           
                                           {  (_C_116 : (tmp_1_0 = (_C_115 : mul_up(
                                                                   xu_0, yu_0))));
                                              (_C_118 : (tmp_2 = (_C_117 : mul_up(
                                                                 xl_0, yl_0))))
                                           };
                                           (_C_120 : (zu = (_C_119 : max(
                                                           tmp_2, tmp_1_0))))
                                        } else 
                                        {  (_C_106 : (zl = (_C_105 : mul_dn(
                                                           xu_0, yl_0))));
                                           (_C_108 : (zu = (_C_107 : mul_up(
                                                           xl_0, yl_0))))
                                        }) else (if (yu_0 > (0.0 :> double)) then 
                                                {  (_C_102 : (zl = (_C_101 : mul_dn(
                                                                   xl_0, yu_0))));
                                                   (_C_104 : (zu = (_C_103 : mul_up(
                                                                   xu_0, yu_0))))
                                                } else 
                                                {  (_C_99 : (zl = (0.0 :> double)));
                                                   (_C_100 : (zu = (0.0 :> double)))
                                                })) else (if (yl_0 <
                                                               (0.0 :> double)) then 
                                                         (if (yu_0 >
                                                               (0.0 :> double)) then 
                                                         {  (_C_96 : (zl = 
                                                            (_C_95 : mul_dn(
                                                            xl_0, yu_0))));
                                                            (_C_98 : (zu = 
                                                            (_C_97 : mul_up(
                                                            xl_0, yl_0))))
                                                         } else 
                                                         {  (_C_92 : (zl = 
                                                            (_C_91 : mul_dn(
                                                            xu_0, yu_0))));
                                                            (_C_94 : (zu = 
                                                            (_C_93 : mul_up(
                                                            xl_0, yl_0))))
                                                         }) else (if 
                                                                 (yu_0 >
                                                                   (0.0 :> double)) then 
                                                                 {  (_C_88 : (zl = 
                                                                    (_C_87 : mul_dn(
                                                                    xl_0,
                                                                    yu_0))));
                                                                    (_C_90 : (zu = 
                                                                    (_C_89 : mul_up(
                                                                    xu_0,
                                                                    yl_0))))
                                                                 } else 
                                                                 {  (_C_85 : (zl = (0.0 :> double)));
                                                                    (_C_86 : (zu = (0.0 :> double)))
                                                                 }))) else 
      (if (xu_0 > (0.0 :> double)) then (if (yl_0 < (0.0 :> double)) then 
                                        (if (yu_0 > (0.0 :> double)) then 
                                        {  (_C_82 : (zl = (_C_81 : mul_dn(
                                                          xu_0, yl_0))));
                                           (_C_84 : (zu = (_C_83 : mul_up(
                                                          xu_0, yu_0))))
                                        } else 
                                        {  (_C_78 : (zl = (_C_77 : mul_dn(
                                                          xu_0, yl_0))));
                                           (_C_80 : (zu = (_C_79 : mul_up(
                                                          xl_0, yu_0))))
                                        }) else (if (yu_0 > (0.0 :> double)) then 
                                                {  (_C_74 : (zl = (_C_73 : mul_dn(
                                                                  xl_0, yl_0))));
                                                   (_C_76 : (zu = (_C_75 : mul_up(
                                                                  xu_0, yu_0))))
                                                } else 
                                                {  (_C_71 : (zl = (0.0 :> double)));
                                                   (_C_72 : (zu = (0.0 :> double)))
                                                })) else 
      {  (_C_69 : (zl = (0.0 :> double)));
         (_C_70 : (zu = (0.0 :> double)))
      }));
      
      (return ())
   }
}
========== file tests/c/interval_arith.jessie/interval_arith.cloc ==========
[_C_115]
file = "HOME/tests/c/interval_arith.c"
line = 209
begin = 37
end = 51

[_C_52]
file = "HOME/tests/c/interval_arith.c"
line = 70
begin = 13
end = 58

[_C_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_35]
file = "HOME/tests/c/interval_arith.c"
line = 80
begin = 2
end = 8

[_C_117]
file = "HOME/tests/c/interval_arith.c"
line = 209
begin = 21
end = 35

[_C_120]
file = "HOME/tests/c/interval_arith.c"
line = 209
begin = 17
end = 52

[mul]
name = "Function mul"
file = "HOME/tests/c/interval_arith.c"
line = 202
begin = 5
end = 8

[_C_56]
file = "HOME/tests/c/interval_arith.c"
line = 68
begin = 28
end = 39

[_C_28]
file = "HOME/tests/c/interval_arith.c"
line = 42
begin = 13
end = 25

[_C_72]
file = "HOME/tests/c/interval_arith.c"
line = 250
begin = 17
end = 20

[_C_59]
file = "HOME/tests/c/interval_arith.c"
line = 164
begin = 11
end = 13

[_C_48]
file = "HOME/tests/c/interval_arith.c"
line = 132
begin = 13
end = 229

[_C_116]
file = "HOME/tests/c/interval_arith.c"
line = 209
begin = 37
end = 51

[_C_51]
file = "HOME/tests/c/interval_arith.c"
line = 71
begin = 13
end = 58

[_C_103]
file = "HOME/tests/c/interval_arith.c"
line = 216
begin = 17
end = 31

[_C_31]
file = "HOME/tests/c/interval_arith.c"
line = 78
begin = 2
end = 8

[_C_108]
file = "HOME/tests/c/interval_arith.c"
line = 212
begin = 17
end = 31

[_C_77]
file = "HOME/tests/c/interval_arith.c"
line = 242
begin = 17
end = 31

[_C_83]
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 17
end = 31

[max]
name = "Function max"
file = "HOME/tests/c/interval_arith.c"
line = 19
begin = 7
end = 10

[_C_41]
file = "HOME/tests/c/interval_arith.c"
line = 100
begin = 13
end = 202

[_C_4]
file = "HOME/tests/c/interval_arith.c"
line = 6
begin = 12
end = 56

[_C_101]
file = "HOME/tests/c/interval_arith.c"
line = 215
begin = 17
end = 31

[_C_71]
file = "HOME/tests/c/interval_arith.c"
line = 249
begin = 17
end = 20

[_C_70]
file = "HOME/tests/c/interval_arith.c"
line = 253
begin = 13
end = 16

[_C_89]
file = "HOME/tests/c/interval_arith.c"
line = 231
begin = 17
end = 31

[mul_dn]
name = "Function mul_dn"
file = "HOME/tests/c/interval_arith.c"
line = 49
begin = 7
end = 13

[_C_90]
file = "HOME/tests/c/interval_arith.c"
line = 231
begin = 17
end = 31

[_C_61]
file = "HOME/tests/c/interval_arith.c"
line = 164
begin = 9
end = 19

[_C_69]
file = "HOME/tests/c/interval_arith.c"
line = 252
begin = 13
end = 16

[_C_32]
file = "HOME/tests/c/interval_arith.c"
line = 79
begin = 11
end = 14

[_C_23]
file = "HOME/tests/c/interval_arith.c"
line = 47
begin = 12
end = 39

[_C_19]
file = "HOME/tests/c/interval_arith.c"
line = 15
begin = 13
end = 24

[_C_42]
file = "HOME/tests/c/interval_arith.c"
line = 105
begin = 13
end = 159

[_C_82]
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 17
end = 31

[_C_110]
file = "HOME/tests/c/interval_arith.c"
line = 208
begin = 37
end = 51

[mul_up]
name = "Function mul_up"
file = "HOME/tests/c/interval_arith.c"
line = 77
begin = 7
end = 13

[_C_94]
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 17
end = 31

[_C_84]
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 17
end = 31

[_C_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_5]
file = "HOME/tests/c/interval_arith.c"
line = 6
begin = 12
end = 32

[_C_91]
file = "HOME/tests/c/interval_arith.c"
line = 226
begin = 17
end = 31

[_C_36]
file = "HOME/tests/c/interval_arith.c"
line = 83
begin = 13
end = 75

[_C_12]
file = "HOME/tests/c/interval_arith.c"
line = 21
begin = 13
end = 14

[_C_33]
file = "HOME/tests/c/interval_arith.c"
line = 79
begin = 2
end = 8

[_C_111]
file = "HOME/tests/c/interval_arith.c"
line = 208
begin = 21
end = 35

[_C_79]
file = "HOME/tests/c/interval_arith.c"
line = 243
begin = 17
end = 31

[_C_104]
file = "HOME/tests/c/interval_arith.c"
line = 216
begin = 17
end = 31

[_C_85]
file = "HOME/tests/c/interval_arith.c"
line = 233
begin = 17
end = 20

[_C_22]
file = "HOME/tests/c/interval_arith.c"
line = 51
begin = 2
end = 8

[_C_65]
file = "HOME/tests/c/interval_arith.c"
line = 152
begin = 12
end = 115

[_C_9]
file = "HOME/tests/c/interval_arith.c"
line = 5
begin = 13
end = 24

[_C_57]
file = "HOME/tests/c/interval_arith.c"
line = 158
begin = 7
end = 14

[_C_54]
file = "HOME/tests/c/interval_arith.c"
line = 68
begin = 13
end = 39

[_C_30]
file = "HOME/tests/c/interval_arith.c"
line = 78
begin = 12
end = 13

[_C_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_6]
file = "HOME/tests/c/interval_arith.c"
line = 6
begin = 36
end = 56

[_C_64]
file = "HOME/tests/c/interval_arith.c"
line = 151
begin = 12
end = 30

[_C_122]
file = "HOME/tests/c/interval_arith.c"
line = 197
begin = 12
end = 30

[_C_95]
file = "HOME/tests/c/interval_arith.c"
line = 223
begin = 17
end = 31

[_C_93]
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 17
end = 31

[_C_102]
file = "HOME/tests/c/interval_arith.c"
line = 215
begin = 17
end = 31

[_C_49]
file = "HOME/tests/c/interval_arith.c"
line = 75
begin = 12
end = 41

[_C_24]
file = "HOME/tests/c/interval_arith.c"
line = 45
begin = 13
end = 58

[_C_45]
file = "HOME/tests/c/interval_arith.c"
line = 117
begin = 13
end = 228

[_C_97]
file = "HOME/tests/c/interval_arith.c"
line = 224
begin = 17
end = 31

[_C_20]
file = "HOME/tests/c/interval_arith.c"
line = 15
begin = 28
end = 39

[_C_73]
file = "HOME/tests/c/interval_arith.c"
line = 246
begin = 17
end = 31

[_C_96]
file = "HOME/tests/c/interval_arith.c"
line = 223
begin = 17
end = 31

[_C_38]
file = "HOME/tests/c/interval_arith.c"
line = 89
begin = 13
end = 115

[min]
name = "Function min"
file = "HOME/tests/c/interval_arith.c"
line = 9
begin = 7
end = 10

[_C_3]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_98]
file = "HOME/tests/c/interval_arith.c"
line = 224
begin = 17
end = 31

[_C_109]
file = "HOME/tests/c/interval_arith.c"
line = 208
begin = 37
end = 51

[_C_124]
file = "HOME/tests/c/interval_arith.c"
line = 196
begin = 13
end = 53

[_C_114]
file = "HOME/tests/c/interval_arith.c"
line = 208
begin = 17
end = 52

[_C_92]
file = "HOME/tests/c/interval_arith.c"
line = 226
begin = 17
end = 31

[_C_81]
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 17
end = 31

[_C_17]
file = "HOME/tests/c/interval_arith.c"
line = 17
begin = 12
end = 56

[_C_112]
file = "HOME/tests/c/interval_arith.c"
line = 208
begin = 21
end = 35

[_C_7]
file = "HOME/tests/c/interval_arith.c"
line = 7
begin = 12
end = 56

[_C_86]
file = "HOME/tests/c/interval_arith.c"
line = 234
begin = 17
end = 20

[_C_62]
file = "HOME/tests/c/interval_arith.c"
line = 164
begin = 7
end = 20

[_C_55]
file = "HOME/tests/c/interval_arith.c"
line = 68
begin = 13
end = 24

[_C_27]
file = "HOME/tests/c/interval_arith.c"
line = 42
begin = 13
end = 41

[_C_105]
file = "HOME/tests/c/interval_arith.c"
line = 211
begin = 17
end = 31

[_C_87]
file = "HOME/tests/c/interval_arith.c"
line = 230
begin = 17
end = 31

[add]
name = "Function add"
file = "HOME/tests/c/interval_arith.c"
line = 156
begin = 5
end = 8

[_C_46]
file = "HOME/tests/c/interval_arith.c"
line = 122
begin = 13
end = 227

[_C_44]
file = "HOME/tests/c/interval_arith.c"
line = 113
begin = 13
end = 185

[_C_15]
file = "HOME/tests/c/interval_arith.c"
line = 16
begin = 12
end = 32

[_C_99]
file = "HOME/tests/c/interval_arith.c"
line = 218
begin = 17
end = 20

[_C_26]
file = "HOME/tests/c/interval_arith.c"
line = 43
begin = 13
end = 65

[_C_47]
file = "HOME/tests/c/interval_arith.c"
line = 127
begin = 13
end = 229

[_C_10]
file = "HOME/tests/c/interval_arith.c"
line = 5
begin = 28
end = 39

[_C_68]
file = "HOME/tests/c/interval_arith.c"
line = 150
begin = 35
end = 53

[_C_60]
file = "HOME/tests/c/interval_arith.c"
line = 164
begin = 9
end = 19

[_C_53]
file = "HOME/tests/c/interval_arith.c"
line = 69
begin = 13
end = 65

[_C_40]
file = "HOME/tests/c/interval_arith.c"
line = 95
begin = 13
end = 75

[_C_58]
file = "HOME/tests/c/interval_arith.c"
line = 158
begin = 7
end = 14

[_C_8]
file = "HOME/tests/c/interval_arith.c"
line = 5
begin = 13
end = 39

[_C_119]
file = "HOME/tests/c/interval_arith.c"
line = 209
begin = 17
end = 52

[_C_66]
file = "HOME/tests/c/interval_arith.c"
line = 150
begin = 13
end = 53

[_C_18]
file = "HOME/tests/c/interval_arith.c"
line = 15
begin = 13
end = 39

[_C_29]
file = "HOME/tests/c/interval_arith.c"
line = 42
begin = 29
end = 41

[_C_75]
file = "HOME/tests/c/interval_arith.c"
line = 247
begin = 17
end = 31

[_C_14]
file = "HOME/tests/c/interval_arith.c"
line = 16
begin = 12
end = 56

[_C_123]
file = "HOME/tests/c/interval_arith.c"
line = 198
begin = 12
end = 115

[_C_106]
file = "HOME/tests/c/interval_arith.c"
line = 211
begin = 17
end = 31

[_C_50]
file = "HOME/tests/c/interval_arith.c"
line = 72
begin = 13
end = 140

[_C_37]
file = "HOME/tests/c/interval_arith.c"
line = 87
begin = 13
end = 73

[_C_43]
file = "HOME/tests/c/interval_arith.c"
line = 109
begin = 13
end = 182

[_C_107]
file = "HOME/tests/c/interval_arith.c"
line = 212
begin = 17
end = 31

[_C_88]
file = "HOME/tests/c/interval_arith.c"
line = 230
begin = 17
end = 31

[_C_100]
file = "HOME/tests/c/interval_arith.c"
line = 219
begin = 17
end = 20

[_C_2]
file = "HOME/tests/c/interval_arith.c"
line = 11
begin = 13
end = 14

[_C_34]
file = "HOME/tests/c/interval_arith.c"
line = 80
begin = 12
end = 13

[_C_67]
file = "HOME/tests/c/interval_arith.c"
line = 150
begin = 13
end = 31

[_C_16]
file = "HOME/tests/c/interval_arith.c"
line = 16
begin = 36
end = 56

[_C_125]
file = "HOME/tests/c/interval_arith.c"
line = 196
begin = 13
end = 31

[_C_113]
file = "HOME/tests/c/interval_arith.c"
line = 208
begin = 17
end = 52

[_C_126]
file = "HOME/tests/c/interval_arith.c"
line = 196
begin = 35
end = 53

[_C_1]
file = "HOME/tests/c/interval_arith.c"
line = 11
begin = 13
end = 14

[_C_76]
file = "HOME/tests/c/interval_arith.c"
line = 247
begin = 17
end = 31

[_C_25]
file = "HOME/tests/c/interval_arith.c"
line = 44
begin = 13
end = 58

[_C_39]
file = "HOME/tests/c/interval_arith.c"
line = 92
begin = 13
end = 117

[_C_80]
file = "HOME/tests/c/interval_arith.c"
line = 243
begin = 17
end = 31

[_C_74]
file = "HOME/tests/c/interval_arith.c"
line = 246
begin = 17
end = 31

[_C_78]
file = "HOME/tests/c/interval_arith.c"
line = 242
begin = 17
end = 31

[_C_11]
file = "HOME/tests/c/interval_arith.c"
line = 21
begin = 13
end = 14

[_C_21]
file = "HOME/tests/c/interval_arith.c"
line = 51
begin = 13
end = 16

[_C_118]
file = "HOME/tests/c/interval_arith.c"
line = 209
begin = 21
end = 35

========== jessie execution ==========
Generating Why function min
Generating Why function max
Generating Why function mul_dn
Generating Why function mul_up
Generating Why function add
Generating Why function mul
========== file tests/c/interval_arith.jessie/interval_arith.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs interval_arith.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs interval_arith.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_full.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/interval_arith_why.sx

project: why/interval_arith.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/interval_arith_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/interval_arith_why.vo

coq/interval_arith_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/interval_arith_why.v: why/interval_arith.why
	@echo 'why -coq [...] why/interval_arith.why' && $(WHY) $(JESSIELIBFILES) why/interval_arith.why && rm -f coq/jessie_why.v

coq-goals: goals coq/interval_arith_ctx_why.vo
	for f in why/*_po*.why; do make -f interval_arith.makefile coq/`basename $$f .why`_why.v ; done

coq/interval_arith_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/interval_arith_ctx_why.v: why/interval_arith_ctx.why
	@echo 'why -coq [...] why/interval_arith_ctx.why' && $(WHY) why/interval_arith_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export interval_arith_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/interval_arith_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/interval_arith_ctx_why.vo

pvs: pvs/interval_arith_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/interval_arith_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/interval_arith_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/interval_arith_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/interval_arith_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/interval_arith_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/interval_arith_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/interval_arith_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/interval_arith_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/interval_arith_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/interval_arith_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/interval_arith_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/interval_arith_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/interval_arith_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/interval_arith_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: interval_arith.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/interval_arith_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: interval_arith.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: interval_arith.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: interval_arith.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include interval_arith.depend

depend: coq/interval_arith_why.v
	-$(COQDEP) -I coq coq/interval_arith*_why.v > interval_arith.depend

clean:
	rm -f coq/*.vo

========== file tests/c/interval_arith.jessie/interval_arith.loc ==========
[add_ensures_default]
name = "Function add"
behavior = "default behavior"
file = "HOME/tests/c/interval_arith.c"
line = 156
begin = 5
end = 8

[JC_176]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 209
begin = 37
end = 51

[JC_177]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 209
begin = 21
end = 35

[JC_94]
file = "HOME/tests/c/interval_arith.c"
line = 132
begin = 13
end = 229

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_158]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 212
begin = 17
end = 31

[JC_63]
file = "HOME/tests/c/interval_arith.c"
line = 71
begin = 13
end = 58

[JC_80]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 79
begin = 11
end = 14

[JC_51]
file = "HOME/tests/c/interval_arith.c"
line = 47
begin = 12
end = 39

[JC_71]
file = "HOME/tests/c/interval_arith.c"
line = 71
begin = 13
end = 58

[JC_147]
file = "HOME/tests/c/interval_arith.c"
line = 198
begin = 12
end = 115

[JC_151]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 208
begin = 37
end = 51

[JC_45]
file = "HOME/tests/c/interval_arith.c"
line = 42
begin = 29
end = 41

[JC_123]
file = "HOME/tests/c/interval_arith.c"
line = 152
begin = 12
end = 115

[JC_106]
file = "HOME/tests/c/interval_arith.c"
line = 113
begin = 13
end = 185

[JC_143]
file = "HOME/tests/c/interval_arith.c"
line = 197
begin = 12
end = 30

[JC_113]
file = "HOME/tests/c/interval_arith.c"
line = 150
begin = 13
end = 53

[JC_116]
file = "HOME/tests/c/interval_arith.c"
line = 150
begin = 35
end = 53

[JC_64]
file = "HOME/tests/c/interval_arith.c"
line = 72
begin = 13
end = 140

[JC_133]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 164
begin = 9
end = 19

[JC_188]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 231
begin = 17
end = 31

[JC_180]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 212
begin = 17
end = 31

[JC_99]
file = "HOME/tests/c/interval_arith.c"
line = 87
begin = 13
end = 73

[JC_85]
file = "HOME/tests/c/interval_arith.c"
line = 92
begin = 13
end = 117

[JC_126]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_170]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 243
begin = 17
end = 31

[JC_31]
file = "HOME/tests/c/interval_arith.c"
line = 16
begin = 12
end = 32

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_194]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 247
begin = 17
end = 31

[JC_122]
file = "HOME/tests/c/interval_arith.c"
line = 151
begin = 12
end = 30

[JC_81]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 80
begin = 12
end = 13

[JC_55]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 164
begin = 9
end = 19

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/tests/c/interval_arith.c"
line = 196
begin = 13
end = 53

[mul_dn_safety]
name = "Function mul_dn"
behavior = "Safety"
file = "HOME/tests/c/interval_arith.c"
line = 49
begin = 7
end = 13

[JC_48]
file = "HOME/tests/c/interval_arith.c"
line = 45
begin = 13
end = 58

[JC_23]
file = "HOME/tests/c/interval_arith.c"
line = 15
begin = 13
end = 24

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_172]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 247
begin = 17
end = 31

[JC_121]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/tests/c/interval_arith.c"
line = 5
begin = 13
end = 24

[JC_125]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/c/interval_arith.c"
line = 68
begin = 13
end = 24

[JC_9]
file = "HOME/tests/c/interval_arith.c"
line = 6
begin = 12
end = 32

[mul_ensures_default]
name = "Function mul"
behavior = "default behavior"
file = "HOME/tests/c/interval_arith.c"
line = 202
begin = 5
end = 8

[mul_up_ensures_default]
name = "Function mul_up"
behavior = "default behavior"
file = "HOME/tests/c/interval_arith.c"
line = 77
begin = 7
end = 13

[JC_75]
file = "HOME/tests/c/interval_arith.c"
line = 75
begin = 12
end = 41

[JC_24]
file = "HOME/tests/c/interval_arith.c"
line = 15
begin = 28
end = 39

[JC_193]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 246
begin = 17
end = 31

[JC_25]
file = "HOME/tests/c/interval_arith.c"
line = 15
begin = 13
end = 39

[JC_189]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 17
end = 31

[JC_186]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 17
end = 31

[JC_78]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_175]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 208
begin = 17
end = 52

[JC_41]
file = "HOME/tests/c/interval_arith.c"
line = 45
begin = 13
end = 58

[add_safety]
name = "Function add"
behavior = "Safety"
file = "HOME/tests/c/interval_arith.c"
line = 156
begin = 5
end = 8

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[min_ensures_default]
name = "Function min"
behavior = "default behavior"
file = "HOME/tests/c/interval_arith.c"
line = 9
begin = 7
end = 10

[JC_47]
file = "HOME/tests/c/interval_arith.c"
line = 44
begin = 13
end = 58

[JC_52]
file = "HOME/tests/c/interval_arith.jessie/interval_arith.jc"
line = 97
begin = 10
end = 18

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_154]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 209
begin = 37
end = 51

[JC_54]
file = "HOME/tests/c/interval_arith.jessie/interval_arith.jc"
line = 97
begin = 10
end = 18

[JC_79]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 78
begin = 12
end = 13

[JC_13]
file = "HOME/tests/c/interval_arith.c"
line = 6
begin = 12
end = 32

[JC_130]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 164
begin = 9
end = 19

[JC_82]
file = "HOME/tests/c/interval_arith.c"
line = 83
begin = 13
end = 75

[JC_174]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 208
begin = 21
end = 35

[JC_163]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 226
begin = 17
end = 31

[JC_153]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 208
begin = 17
end = 52

[JC_87]
file = "HOME/tests/c/interval_arith.c"
line = 100
begin = 13
end = 202

[JC_11]
file = "HOME/tests/c/interval_arith.c"
line = 7
begin = 12
end = 56

[JC_185]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 226
begin = 17
end = 31

[JC_184]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 224
begin = 17
end = 31

[JC_167]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 239
begin = 17
end = 31

[JC_98]
file = "HOME/tests/c/interval_arith.c"
line = 83
begin = 13
end = 75

[JC_70]
file = "HOME/tests/c/interval_arith.c"
line = 70
begin = 13
end = 58

[JC_15]
file = "HOME/tests/c/interval_arith.c"
line = 7
begin = 12
end = 56

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[min_safety]
name = "Function min"
behavior = "Safety"
file = "HOME/tests/c/interval_arith.c"
line = 9
begin = 7
end = 10

[JC_182]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 216
begin = 17
end = 31

[JC_168]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 17
end = 31

[JC_104]
file = "HOME/tests/c/interval_arith.c"
line = 105
begin = 13
end = 159

[JC_91]
file = "HOME/tests/c/interval_arith.c"
line = 117
begin = 13
end = 228

[JC_39]
file = "HOME/tests/c/interval_arith.c"
line = 43
begin = 13
end = 65

[JC_112]
file = "HOME/tests/c/interval_arith.c"
line = 150
begin = 35
end = 53

[JC_40]
file = "HOME/tests/c/interval_arith.c"
line = 44
begin = 13
end = 58

[JC_162]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 224
begin = 17
end = 31

[JC_135]
file = "HOME/tests/c/interval_arith.c"
line = 196
begin = 13
end = 31

[JC_169]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 242
begin = 17
end = 31

[JC_83]
file = "HOME/tests/c/interval_arith.c"
line = 87
begin = 13
end = 73

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_132]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 164
begin = 11
end = 13

[JC_27]
file = "HOME/tests/c/interval_arith.c"
line = 16
begin = 12
end = 32

[JC_115]
file = "HOME/tests/c/interval_arith.c"
line = 150
begin = 13
end = 31

[JC_109]
file = "HOME/tests/c/interval_arith.c"
line = 127
begin = 13
end = 229

[JC_107]
file = "HOME/tests/c/interval_arith.c"
line = 117
begin = 13
end = 228

[JC_69]
file = "HOME/tests/c/interval_arith.c"
line = 69
begin = 13
end = 65

[JC_179]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 211
begin = 17
end = 31

[JC_124]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/c/interval_arith.c"
line = 42
begin = 29
end = 41

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/interval_arith.c"
line = 5
begin = 28
end = 39

[JC_156]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 209
begin = 17
end = 52

[JC_127]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 158
begin = 7
end = 14

[JC_171]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 246
begin = 17
end = 31

[JC_164]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 227
begin = 17
end = 31

[JC_44]
file = "HOME/tests/c/interval_arith.c"
line = 42
begin = 13
end = 25

[JC_155]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 209
begin = 21
end = 35

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_191]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 242
begin = 17
end = 31

[JC_62]
file = "HOME/tests/c/interval_arith.c"
line = 70
begin = 13
end = 58

[JC_101]
file = "HOME/tests/c/interval_arith.c"
line = 92
begin = 13
end = 117

[JC_88]
file = "HOME/tests/c/interval_arith.c"
line = 105
begin = 13
end = 159

[JC_129]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 164
begin = 9
end = 19

[mul_up_safety]
name = "Function mul_up"
behavior = "Safety"
file = "HOME/tests/c/interval_arith.c"
line = 77
begin = 7
end = 13

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_190]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 240
begin = 17
end = 31

[max_safety]
name = "Function max"
behavior = "Safety"
file = "HOME/tests/c/interval_arith.c"
line = 19
begin = 7
end = 10

[JC_178]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 209
begin = 17
end = 52

[JC_110]
file = "HOME/tests/c/interval_arith.c"
line = 132
begin = 13
end = 229

[JC_166]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 231
begin = 17
end = 31

[JC_103]
file = "HOME/tests/c/interval_arith.c"
line = 100
begin = 13
end = 202

[JC_46]
file = "HOME/tests/c/interval_arith.c"
line = 43
begin = 13
end = 65

[JC_141]
file = "HOME/tests/c/interval_arith.c"
line = 196
begin = 13
end = 53

[JC_61]
file = "HOME/tests/c/interval_arith.c"
line = 69
begin = 13
end = 65

[JC_32]
file = "HOME/tests/c/interval_arith.c"
line = 16
begin = 36
end = 56

[JC_56]
file = "HOME/"
line = 0
begin = -1
end = -1

[mul_dn_ensures_default]
name = "Function mul_dn"
behavior = "default behavior"
file = "HOME/tests/c/interval_arith.c"
line = 49
begin = 7
end = 13

[JC_33]
file = "HOME/tests/c/interval_arith.c"
line = 17
begin = 12
end = 56

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_173]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 208
begin = 37
end = 51

[JC_105]
file = "HOME/tests/c/interval_arith.c"
line = 109
begin = 13
end = 182

[JC_140]
file = "HOME/tests/c/interval_arith.c"
line = 196
begin = 35
end = 53

[JC_29]
file = "HOME/tests/c/interval_arith.c"
line = 17
begin = 12
end = 56

[JC_144]
file = "HOME/tests/c/interval_arith.c"
line = 198
begin = 12
end = 115

[JC_159]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 215
begin = 17
end = 31

[JC_68]
file = "HOME/tests/c/interval_arith.c"
line = 68
begin = 28
end = 39

[JC_7]
file = "HOME/tests/c/interval_arith.c"
line = 5
begin = 13
end = 39

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 79
begin = 11
end = 14

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/tests/c/interval_arith.c"
line = 5
begin = 28
end = 39

[JC_95]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 78
begin = 12
end = 13

[JC_93]
file = "HOME/tests/c/interval_arith.c"
line = 127
begin = 13
end = 229

[JC_97]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 80
begin = 12
end = 13

[JC_84]
file = "HOME/tests/c/interval_arith.c"
line = 89
begin = 13
end = 115

[JC_160]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 216
begin = 17
end = 31

[JC_128]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 164
begin = 11
end = 13

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/c/interval_arith.c"
line = 6
begin = 36
end = 56

[JC_150]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_117]
file = "HOME/tests/c/interval_arith.c"
line = 150
begin = 13
end = 53

[JC_90]
file = "HOME/tests/c/interval_arith.c"
line = 113
begin = 13
end = 185

[JC_53]
file = "HOME/tests/c/interval_arith.c"
line = 47
begin = 12
end = 39

[JC_157]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 211
begin = 17
end = 31

[JC_145]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/c/interval_arith.c"
line = 15
begin = 13
end = 39

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/tests/c/interval_arith.c"
line = 150
begin = 13
end = 31

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/interval_arith.c"
line = 5
begin = 13
end = 24

[JC_131]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 158
begin = 7
end = 14

[JC_102]
file = "HOME/tests/c/interval_arith.c"
line = 95
begin = 13
end = 75

[JC_37]
file = "HOME/tests/c/interval_arith.c"
line = 42
begin = 13
end = 25

[JC_181]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 215
begin = 17
end = 31

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[max_ensures_default]
name = "Function max"
behavior = "default behavior"
file = "HOME/tests/c/interval_arith.c"
line = 19
begin = 7
end = 10

[JC_10]
file = "HOME/tests/c/interval_arith.c"
line = 6
begin = 36
end = 56

[JC_108]
file = "HOME/tests/c/interval_arith.c"
line = 122
begin = 13
end = 227

[JC_57]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 51
begin = 13
end = 16

[JC_161]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 223
begin = 17
end = 31

[JC_146]
file = "HOME/tests/c/interval_arith.c"
line = 197
begin = 12
end = 30

[JC_89]
file = "HOME/tests/c/interval_arith.c"
line = 109
begin = 13
end = 182

[JC_136]
file = "HOME/tests/c/interval_arith.c"
line = 196
begin = 35
end = 53

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/tests/c/interval_arith.c"
line = 68
begin = 13
end = 24

[JC_20]
file = "HOME/tests/c/interval_arith.c"
line = 15
begin = 28
end = 39

[JC_165]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 230
begin = 17
end = 31

[JC_192]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 243
begin = 17
end = 31

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/interval_arith.c"
line = 5
begin = 13
end = 39

[JC_92]
file = "HOME/tests/c/interval_arith.c"
line = 122
begin = 13
end = 227

[JC_152]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 208
begin = 21
end = 35

[JC_86]
file = "HOME/tests/c/interval_arith.c"
line = 95
begin = 13
end = 75

[JC_60]
file = "HOME/tests/c/interval_arith.c"
line = 68
begin = 28
end = 39

[JC_183]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 223
begin = 17
end = 31

[JC_139]
file = "HOME/tests/c/interval_arith.c"
line = 196
begin = 13
end = 31

[JC_72]
file = "HOME/tests/c/interval_arith.c"
line = 72
begin = 13
end = 140

[JC_19]
file = "HOME/tests/c/interval_arith.c"
line = 15
begin = 13
end = 24

[JC_119]
file = "HOME/tests/c/interval_arith.c"
line = 151
begin = 12
end = 30

[JC_187]
kind = UserCall
file = "HOME/tests/c/interval_arith.c"
line = 230
begin = 17
end = 31

[JC_76]
file = "HOME/tests/c/interval_arith.c"
line = 75
begin = 12
end = 41

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[mul_safety]
name = "Function mul"
behavior = "Safety"
file = "HOME/tests/c/interval_arith.c"
line = 202
begin = 5
end = 8

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_120]
file = "HOME/tests/c/interval_arith.c"
line = 152
begin = 12
end = 115

[JC_58]
kind = FPOverflow
file = "HOME/tests/c/interval_arith.c"
line = 51
begin = 13
end = 16

[JC_100]
file = "HOME/tests/c/interval_arith.c"
line = 89
begin = 13
end = 115

[JC_28]
file = "HOME/tests/c/interval_arith.c"
line = 16
begin = 36
end = 56

========== file tests/c/interval_arith.jessie/why/interval_arith.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate dif_sign(x_2:double, y_1:double) =
 (double_sign(x_2) <> double_sign(y_1))

predicate double_le_real(x_1_0:double, y_1_0:real) =
 ((double_is_finite(x_1_0) and le_real(double_value(x_1_0), y_1_0))
 or double_is_minus_infinity(x_1_0))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

predicate real_le_double(x_2_0:real, y_2:double) =
 ((double_is_finite(y_2) and le_real(x_2_0, double_value(y_2)))
 or double_is_plus_infinity(y_2))

predicate in_interval(a:real, l:double, u:double) =
 (double_le_real(l, a) and real_le_double(a, u))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate is_interval(xl:double, xu:double) =
 ((double_is_finite(xl) or double_is_minus_infinity(xl))
 and (double_is_finite(xu) or double_is_plus_infinity(xu)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate sam_sign(x_0_0:double, y_0_0:double) =
 (double_sign(x_0_0) = double_sign(y_0_0))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter zu : double ref

parameter zl : double ref

parameter add :
 xl_0:double ->
  xu_0:double ->
   yl:double ->
    yu:double ->
     { } unit reads zl,zu writes zl,zu
     { (JC_124:
       ((JC_122: is_interval(zl, zu))
       and (JC_123:
           (forall a_0_0:real.
            (forall b_0:real.
             ((in_interval(a_0_0, xl_0, xu_0) and in_interval(b_0, yl, yu)) ->
              in_interval(add_real(a_0_0, b_0), zl, zu))))))) }

parameter add_requires :
 xl_0:double ->
  xu_0:double ->
   yl:double ->
    yu:double ->
     { (JC_113:
       ((JC_111: is_interval(xl_0, xu_0)) and (JC_112: is_interval(yl, yu))))}
     unit reads zl,zu writes zl,zu
     { (JC_124:
       ((JC_122: is_interval(zl, zu))
       and (JC_123:
           (forall a_0_0:real.
            (forall b_0:real.
             ((in_interval(a_0_0, xl_0, xu_0) and in_interval(b_0, yl, yu)) ->
              in_interval(add_real(a_0_0, b_0), zl, zu))))))) }

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter max :
 x_1:double ->
  y:double ->
   { } double
   { (JC_34:
     ((JC_31: le_double_full(x_1, result))
     and ((JC_32: le_double_full(y, result))
         and (JC_33:
             (eq_double_full(result, x_1) or eq_double_full(result, y)))))) }

parameter max_requires :
 x_1:double ->
  y:double ->
   { (JC_21:
     ((JC_19: (not double_is_NaN(x_1))) and (JC_20: (not double_is_NaN(y)))))}
   double
   { (JC_34:
     ((JC_31: le_double_full(x_1, result))
     and ((JC_32: le_double_full(y, result))
         and (JC_33:
             (eq_double_full(result, x_1) or eq_double_full(result, y)))))) }

parameter min :
 x_0:double ->
  y_0:double ->
   { } double
   { (JC_16:
     ((JC_13: le_double_full(result, x_0))
     and ((JC_14: le_double_full(result, y_0))
         and (JC_15:
             (eq_double_full(result, x_0) or eq_double_full(result, y_0)))))) }

parameter min_requires :
 x_0:double ->
  y_0:double ->
   { (JC_3:
     ((JC_1: (not double_is_NaN(x_0))) and (JC_2: (not double_is_NaN(y_0)))))}
   double
   { (JC_16:
     ((JC_13: le_double_full(result, x_0))
     and ((JC_14: le_double_full(result, y_0))
         and (JC_15:
             (eq_double_full(result, x_0) or eq_double_full(result, y_0)))))) }

parameter mul :
 xl_0_0:double ->
  xu_0_0:double ->
   yl_0:double ->
    yu_0:double ->
     { } unit reads zl,zu writes zl,zu
     { (JC_148:
       ((JC_146: is_interval(zl, zu))
       and (JC_147:
           (forall a_1:real.
            (forall b_0_0:real.
             ((in_interval(a_1, xl_0_0, xu_0_0)
              and in_interval(b_0_0, yl_0, yu_0)) ->
              in_interval(mul_real(a_1, b_0_0), zl, zu))))))) }

parameter mul_dn :
 x_1_1:double ->
  y_1_1:double ->
   { } double
   { (JC_53:
     double_le_real(result,
     mul_real(double_value(x_1_1), double_value(y_1_1)))) }

parameter mul_dn_requires :
 x_1_1:double ->
  y_1_1:double ->
   { (JC_42:
     ((JC_37: (not double_is_NaN(x_1_1)))
     and ((JC_38: (not double_is_NaN(y_1_1)))
         and ((JC_39:
              ((double_is_infinite(x_1_1) or double_is_infinite(y_1_1)) ->
               dif_sign(x_1_1, y_1_1)))
             and ((JC_40:
                  ((double_is_infinite(x_1_1) and double_is_finite(y_1_1)) ->
                   (double_value(y_1_1) <> 0.0)))
                 and (JC_41:
                     ((double_is_finite(x_1_1) and double_is_infinite(y_1_1)) ->
                      (double_value(x_1_1) <> 0.0))))))))}
   double
   { (JC_53:
     double_le_real(result,
     mul_real(double_value(x_1_1), double_value(y_1_1)))) }

parameter mul_requires :
 xl_0_0:double ->
  xu_0_0:double ->
   yl_0:double ->
    yu_0:double ->
     { (JC_137:
       ((JC_135: is_interval(xl_0_0, xu_0_0))
       and (JC_136: is_interval(yl_0, yu_0))))}
     unit reads zl,zu writes zl,zu
     { (JC_148:
       ((JC_146: is_interval(zl, zu))
       and (JC_147:
           (forall a_1:real.
            (forall b_0_0:real.
             ((in_interval(a_1, xl_0_0, xu_0_0)
              and in_interval(b_0_0, yl_0, yu_0)) ->
              in_interval(mul_real(a_1, b_0_0), zl, zu))))))) }

parameter mul_up :
 x_2_1:double ->
  y_2_0:double ->
   { } double
   { (JC_76:
     real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
     result)) }

parameter mul_up_requires :
 x_2_1:double ->
  y_2_0:double ->
   { (JC_65:
     ((JC_59: (not double_is_NaN(x_2_1)))
     and ((JC_60: (not double_is_NaN(y_2_0)))
         and ((JC_61:
              ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
               sam_sign(x_2_1, y_2_0)))
             and ((JC_62:
                  ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
                   (double_value(y_2_0) <> 0.0)))
                 and ((JC_63:
                      ((double_is_infinite(y_2_0)
                       and double_is_finite(x_2_1)) ->
                       (double_value(x_2_1) <> 0.0)))
                     and (JC_64:
                         ((double_is_finite(x_2_1)
                          and (double_is_finite(y_2_0)
                              and ((not no_overflow_double(down,
                                        neg_real(double_value(y_2_0))))
                                  and (double_sign(y_2_0) = Positive)))) ->
                          gt_real(double_value(x_2_1), 0.0)))))))))}
   double
   { (JC_76:
     real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
     result)) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let add_ensures_default =
 fun (xl_0 : double) (xu_0 : double) (yl : double) (yu : double) ->
  { (JC_117:
    ((JC_115: is_interval(xl_0, xu_0)) and (JC_116: is_interval(yl, yu)))) }
  (init:
  try
   begin
     (let _jessie_ = (zl := (JC_131: (((add_double down) xl_0) yl))) in
     void);
    (let _jessie_ =
    (zu := (JC_134:
           (neg_double (JC_133:
                       (((sub_double down) (JC_132: (neg_double xu_0))) yu))))) in
    void); (raise Return); (raise Return) end with Return -> void end)
  { (JC_121:
    ((JC_119: is_interval(zl, zu))
    and (JC_120:
        (forall a_0_0:real.
         (forall b_0:real.
          ((in_interval(a_0_0, xl_0, xu_0) and in_interval(b_0, yl, yu)) ->
           in_interval(add_real(a_0_0, b_0), zl, zu))))))) }

let add_safety =
 fun (xl_0 : double) (xu_0 : double) (yl : double) (yu : double) ->
  { (JC_117:
    ((JC_115: is_interval(xl_0, xu_0)) and (JC_116: is_interval(yl, yu)))) }
  (init:
  try
   begin
     (let _jessie_ = (zl := (JC_127: (((add_double down) xl_0) yl))) in
     void);
    (let _jessie_ =
    (zu := (JC_130:
           (neg_double (JC_129:
                       (((sub_double down) (JC_128: (neg_double xu_0))) yu))))) in
    void); (raise Return); (raise Return) end with Return -> void end)
  { true }

let max_ensures_default =
 fun (x_1 : double) (y : double) ->
  { (JC_25:
    ((JC_23: (not double_is_NaN(x_1))) and (JC_24: (not double_is_NaN(y))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp_0 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((gt_double_ x_1) y) then begin   (tmp_0 := x_1); !tmp_0 end
       else begin   (tmp_0 := y); !tmp_0 end) in void); (return := !tmp_0);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_30:
    ((JC_27: le_double_full(x_1, result))
    and ((JC_28: le_double_full(y, result))
        and (JC_29:
            (eq_double_full(result, x_1) or eq_double_full(result, y)))))) }

let max_safety =
 fun (x_1 : double) (y : double) ->
  { (JC_25:
    ((JC_23: (not double_is_NaN(x_1))) and (JC_24: (not double_is_NaN(y))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp_0 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((gt_double_ x_1) y) then begin   (tmp_0 := x_1); !tmp_0 end
       else begin   (tmp_0 := y); !tmp_0 end) in void); (return := !tmp_0);
      (raise Return) end); absurd  end with Return -> !return end)) { true }

let min_ensures_default =
 fun (x_0 : double) (y_0 : double) ->
  { (JC_7:
    ((JC_5: (not double_is_NaN(x_0))) and (JC_6: (not double_is_NaN(y_0))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((lt_double_ x_0) y_0) then begin   (tmp := x_0); !tmp end
       else begin   (tmp := y_0); !tmp end) in void); (return := !tmp);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_12:
    ((JC_9: le_double_full(result, x_0))
    and ((JC_10: le_double_full(result, y_0))
        and (JC_11:
            (eq_double_full(result, x_0) or eq_double_full(result, y_0)))))) }

let min_safety =
 fun (x_0 : double) (y_0 : double) ->
  { (JC_7:
    ((JC_5: (not double_is_NaN(x_0))) and (JC_6: (not double_is_NaN(y_0))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((lt_double_ x_0) y_0) then begin   (tmp := x_0); !tmp end
       else begin   (tmp := y_0); !tmp end) in void); (return := !tmp);
      (raise Return) end); absurd  end with Return -> !return end)) { true }

let mul_dn_ensures_default =
 fun (x_1_1 : double) (y_1_1 : double) ->
  { (JC_49:
    ((JC_44: (not double_is_NaN(x_1_1)))
    and ((JC_45: (not double_is_NaN(y_1_1)))
        and ((JC_46:
             ((double_is_infinite(x_1_1) or double_is_infinite(y_1_1)) ->
              dif_sign(x_1_1, y_1_1)))
            and ((JC_47:
                 ((double_is_infinite(x_1_1) and double_is_finite(y_1_1)) ->
                  (double_value(y_1_1) <> 0.0)))
                and (JC_48:
                    ((double_is_finite(x_1_1) and double_is_infinite(y_1_1)) ->
                     (double_value(x_1_1) <> 0.0)))))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let z = ref (any_double void) in
     begin
       (let _jessie_ = (z := (JC_58: (((mul_double down) x_1_1) y_1_1))) in
       void); (return := !z); (raise Return) end); absurd  end with Return ->
   !return end))
  { (JC_51:
    double_le_real(result,
    mul_real(double_value(x_1_1), double_value(y_1_1)))) }

let mul_dn_safety =
 fun (x_1_1 : double) (y_1_1 : double) ->
  { (JC_49:
    ((JC_44: (not double_is_NaN(x_1_1)))
    and ((JC_45: (not double_is_NaN(y_1_1)))
        and ((JC_46:
             ((double_is_infinite(x_1_1) or double_is_infinite(y_1_1)) ->
              dif_sign(x_1_1, y_1_1)))
            and ((JC_47:
                 ((double_is_infinite(x_1_1) and double_is_finite(y_1_1)) ->
                  (double_value(y_1_1) <> 0.0)))
                and (JC_48:
                    ((double_is_finite(x_1_1) and double_is_infinite(y_1_1)) ->
                     (double_value(x_1_1) <> 0.0)))))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let z = ref (any_double void) in
     begin
       (let _jessie_ = (z := (JC_57: (((mul_double down) x_1_1) y_1_1))) in
       void); (return := !z); (raise Return) end); absurd  end with Return ->
   !return end)) { true }

let mul_ensures_default =
 fun (xl_0_0 : double) (xu_0_0 : double) (yl_0 : double) (yu_0 : double) ->
  { (JC_141:
    ((JC_139: is_interval(xl_0_0, xu_0_0))
    and (JC_140: is_interval(yl_0, yu_0)))) }
  (init:
  try
   begin
     (let tmp_1 = ref (any_double void) in
     (let tmp_0_0 = ref (any_double void) in
     (let tmp_1_0 = ref (any_double void) in
     (let tmp_2 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((lt_double_ xl_0_0) (double_of_real_exact 0.0))
       then
        (if ((gt_double_ xu_0_0) (double_of_real_exact 0.0))
        then
         (if ((lt_double_ yl_0) (double_of_real_exact 0.0))
         then
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             begin
               (let _jessie_ =
               (tmp_1 := (let _jessie_ = xu_0_0 in
                         (let _jessie_ = yl_0 in
                         (JC_173: ((mul_dn _jessie_) _jessie_))))) in
               void);
              (tmp_0_0 := (let _jessie_ = xl_0_0 in
                          (let _jessie_ = yu_0 in
                          (JC_174: ((mul_dn _jessie_) _jessie_)))));
              !tmp_0_0 end in void);
            (let _jessie_ =
            (zl := (let _jessie_ = !tmp_0_0 in
                   (let _jessie_ = !tmp_1 in
                   (JC_175: ((min _jessie_) _jessie_))))) in void);
            (let _jessie_ =
            begin
              (let _jessie_ =
              (tmp_1_0 := (let _jessie_ = xu_0_0 in
                          (let _jessie_ = yu_0 in
                          (JC_176: ((mul_up _jessie_) _jessie_))))) in
              void);
             (tmp_2 := (let _jessie_ = xl_0_0 in
                       (let _jessie_ = yl_0 in
                       (JC_177: ((mul_up _jessie_) _jessie_)))));
             !tmp_2 end in void);
            (zu := (let _jessie_ = !tmp_2 in
                   (let _jessie_ = !tmp_1_0 in
                   (JC_178: ((max _jessie_) _jessie_))))); !zu end
          else
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_179: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_180: ((mul_up _jessie_) _jessie_))))); !zu end)
         else
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_181: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_182: ((mul_up _jessie_) _jessie_))))); !zu end
          else
           begin
             (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
            (zu := (double_of_real_exact 0.0)); !zu end))
        else
         (if ((lt_double_ yl_0) (double_of_real_exact 0.0))
         then
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_183: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_184: ((mul_up _jessie_) _jessie_))))); !zu end
          else
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_185: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_186: ((mul_up _jessie_) _jessie_))))); !zu end)
         else
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_187: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_188: ((mul_up _jessie_) _jessie_))))); !zu end
          else
           begin
             (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
            (zu := (double_of_real_exact 0.0)); !zu end)))
       else
        (if ((gt_double_ xu_0_0) (double_of_real_exact 0.0))
        then
         (if ((lt_double_ yl_0) (double_of_real_exact 0.0))
         then
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_189: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_190: ((mul_up _jessie_) _jessie_))))); !zu end
          else
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_191: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_192: ((mul_up _jessie_) _jessie_))))); !zu end)
         else
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_193: ((mul_dn _jessie_) _jessie_))))) in void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_194: ((mul_up _jessie_) _jessie_))))); !zu end
          else
           begin
             (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
            (zu := (double_of_real_exact 0.0)); !zu end))
        else
         begin
           (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
          (zu := (double_of_real_exact 0.0)); !zu end)) in void);
      (raise Return) end)))); (raise Return) end with Return -> void end)
  { (JC_145:
    ((JC_143: is_interval(zl, zu))
    and (JC_144:
        (forall a_1:real.
         (forall b_0_0:real.
          ((in_interval(a_1, xl_0_0, xu_0_0)
           and in_interval(b_0_0, yl_0, yu_0)) ->
           in_interval(mul_real(a_1, b_0_0), zl, zu))))))) }

let mul_safety =
 fun (xl_0_0 : double) (xu_0_0 : double) (yl_0 : double) (yu_0 : double) ->
  { (JC_141:
    ((JC_139: is_interval(xl_0_0, xu_0_0))
    and (JC_140: is_interval(yl_0, yu_0)))) }
  (init:
  try
   begin
     (let tmp_1 = ref (any_double void) in
     (let tmp_0_0 = ref (any_double void) in
     (let tmp_1_0 = ref (any_double void) in
     (let tmp_2 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((lt_double_ xl_0_0) (double_of_real_exact 0.0))
       then
        (if ((gt_double_ xu_0_0) (double_of_real_exact 0.0))
        then
         (if ((lt_double_ yl_0) (double_of_real_exact 0.0))
         then
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             begin
               (let _jessie_ =
               (tmp_1 := (let _jessie_ = xu_0_0 in
                         (let _jessie_ = yl_0 in
                         (JC_151: ((mul_dn_requires _jessie_) _jessie_))))) in
               void);
              (tmp_0_0 := (let _jessie_ = xl_0_0 in
                          (let _jessie_ = yu_0 in
                          (JC_152: ((mul_dn_requires _jessie_) _jessie_)))));
              !tmp_0_0 end in void);
            (let _jessie_ =
            (zl := (let _jessie_ = !tmp_0_0 in
                   (let _jessie_ = !tmp_1 in
                   (JC_153: ((min_requires _jessie_) _jessie_))))) in
            void);
            (let _jessie_ =
            begin
              (let _jessie_ =
              (tmp_1_0 := (let _jessie_ = xu_0_0 in
                          (let _jessie_ = yu_0 in
                          (JC_154: ((mul_up_requires _jessie_) _jessie_))))) in
              void);
             (tmp_2 := (let _jessie_ = xl_0_0 in
                       (let _jessie_ = yl_0 in
                       (JC_155: ((mul_up_requires _jessie_) _jessie_)))));
             !tmp_2 end in void);
            (zu := (let _jessie_ = !tmp_2 in
                   (let _jessie_ = !tmp_1_0 in
                   (JC_156: ((max_requires _jessie_) _jessie_))))); !zu
           end
          else
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_157: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_158: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end)
         else
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_159: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_160: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end
          else
           begin
             (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
            (zu := (double_of_real_exact 0.0)); !zu end))
        else
         (if ((lt_double_ yl_0) (double_of_real_exact 0.0))
         then
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_161: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_162: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end
          else
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_163: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_164: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end)
         else
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yu_0 in
                    (JC_165: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yl_0 in
                   (JC_166: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end
          else
           begin
             (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
            (zu := (double_of_real_exact 0.0)); !zu end)))
       else
        (if ((gt_double_ xu_0_0) (double_of_real_exact 0.0))
        then
         (if ((lt_double_ yl_0) (double_of_real_exact 0.0))
         then
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_167: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_168: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end
          else
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xu_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_169: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xl_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_170: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end)
         else
          (if ((gt_double_ yu_0) (double_of_real_exact 0.0))
          then
           begin
             (let _jessie_ =
             (zl := (let _jessie_ = xl_0_0 in
                    (let _jessie_ = yl_0 in
                    (JC_171: ((mul_dn_requires _jessie_) _jessie_))))) in
             void);
            (zu := (let _jessie_ = xu_0_0 in
                   (let _jessie_ = yu_0 in
                   (JC_172: ((mul_up_requires _jessie_) _jessie_)))));
            !zu end
          else
           begin
             (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
            (zu := (double_of_real_exact 0.0)); !zu end))
        else
         begin
           (let _jessie_ = (zl := (double_of_real_exact 0.0)) in void);
          (zu := (double_of_real_exact 0.0)); !zu end)) in void);
      (raise Return) end)))); (raise Return) end with Return -> void end)
  { true }

let mul_up_ensures_default =
 fun (x_2_1 : double) (y_2_0 : double) ->
  { (JC_73:
    ((JC_67: (not double_is_NaN(x_2_1)))
    and ((JC_68: (not double_is_NaN(y_2_0)))
        and ((JC_69:
             ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
              sam_sign(x_2_1, y_2_0)))
            and ((JC_70:
                 ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
                  (double_value(y_2_0) <> 0.0)))
                and ((JC_71:
                     ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
                      (double_value(x_2_1) <> 0.0)))
                    and (JC_72:
                        ((double_is_finite(x_2_1)
                         and (double_is_finite(y_2_0)
                             and ((not no_overflow_double(down,
                                       neg_real(double_value(y_2_0))))
                                 and (double_sign(y_2_0) = Positive)))) ->
                         gt_real(double_value(x_2_1), 0.0))))))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let a_0 = ref (any_double void) in
     (let b = ref (any_double void) in
     (let z_0 = ref (any_double void) in
     begin
       (let _jessie_ = (a_0 := (JC_95: (neg_double y_2_0))) in void);
      (let _jessie_ = (b := (JC_96: (((mul_double down) x_2_1) !a_0))) in
      void); (let _jessie_ = (z_0 := (JC_97: (neg_double !b))) in void);
      (assert
      { (JC_98:
        ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_99:
        ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_100:
        ((double_is_infinite(x_2_1)
         and (double_is_finite(y_2_0)
             and no_overflow_double(down, neg_real(double_value(y_2_0))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_101:
        ((double_is_infinite(x_2_1)
         and (double_is_finite(y_2_0)
             and (not no_overflow_double(down, neg_real(double_value(y_2_0)))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_102:
        ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_103:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                 and (no_overflow_double(down,
                      mul_real(double_value(x_2_1), double_value(a_0)))
                     and (not no_overflow_double(down,
                              neg_real(double_value(b)))))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_104:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                 and (not no_overflow_double(down,
                          mul_real(double_value(x_2_1), double_value(a_0))))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_105:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and ((not no_overflow_double(down,
                       neg_real(double_value(y_2_0))))
                 and (double_sign(y_2_0) = Positive)))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_106:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and ((not no_overflow_double(down,
                       neg_real(double_value(y_2_0))))
                 and ((double_sign(y_2_0) = Negative)
                     and (not no_overflow_double(down,
                              mul_real(double_value(x_2_1),
                              double_value(a_0)))))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_107:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and ((not no_overflow_double(down,
                       neg_real(double_value(y_2_0))))
                 and ((double_sign(y_2_0) = Negative)
                     and (no_overflow_double(down,
                          mul_real(double_value(x_2_1), double_value(a_0)))
                         and (not no_overflow_double(down,
                                  neg_real(double_value(b))))))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_108:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and ((not no_overflow_double(down,
                       neg_real(double_value(y_2_0))))
                 and ((double_sign(y_2_0) = Negative)
                     and (no_overflow_double(down,
                          mul_real(double_value(x_2_1), double_value(a_0)))
                         and no_overflow_double(down,
                             neg_real(double_value(b)))))))) ->
         real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
         z_0))) }; void); void;
      (assert
      { (JC_109:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                 and (no_overflow_double(down,
                      mul_real(double_value(x_2_1), double_value(a_0)))
                     and (no_overflow_double(down, neg_real(double_value(b)))
                         and gt_real(double_value(x_2_1), 0.0)))))) ->
         (double_is_finite(z_0)
         and real_le_double(mul_real(double_value(x_2_1),
                            double_value(y_2_0)),
             z_0)))) }; void); void;
      (assert
      { (JC_110:
        ((double_is_finite(x_2_1)
         and (double_is_finite(y_2_0)
             and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                 and (no_overflow_double(down,
                      mul_real(double_value(x_2_1), double_value(a_0)))
                     and (no_overflow_double(down, neg_real(double_value(b)))
                         and lt_real(double_value(x_2_1), 0.0)))))) ->
         (double_is_finite(z_0)
         and real_le_double(mul_real(double_value(x_2_1),
                            double_value(y_2_0)),
             z_0)))) }; void); void; (return := !z_0); (raise Return) end)));
    absurd  end with Return -> !return end))
  { (JC_75:
    real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
    result)) }

let mul_up_safety =
 fun (x_2_1 : double) (y_2_0 : double) ->
  { (JC_73:
    ((JC_67: (not double_is_NaN(x_2_1)))
    and ((JC_68: (not double_is_NaN(y_2_0)))
        and ((JC_69:
             ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
              sam_sign(x_2_1, y_2_0)))
            and ((JC_70:
                 ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
                  (double_value(y_2_0) <> 0.0)))
                and ((JC_71:
                     ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
                      (double_value(x_2_1) <> 0.0)))
                    and (JC_72:
                        ((double_is_finite(x_2_1)
                         and (double_is_finite(y_2_0)
                             and ((not no_overflow_double(down,
                                       neg_real(double_value(y_2_0))))
                                 and (double_sign(y_2_0) = Positive)))) ->
                         gt_real(double_value(x_2_1), 0.0))))))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let a_0 = ref (any_double void) in
     (let b = ref (any_double void) in
     (let z_0 = ref (any_double void) in
     begin
       (let _jessie_ = (a_0 := (JC_79: (neg_double y_2_0))) in void);
      (let _jessie_ = (b := (JC_80: (((mul_double down) x_2_1) !a_0))) in
      void); (let _jessie_ = (z_0 := (JC_81: (neg_double !b))) in void);
      [ { } unit reads z_0
        { (JC_82:
          ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads z_0
        { (JC_83:
          ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads z_0
        { (JC_84:
          ((double_is_infinite(x_2_1)
           and (double_is_finite(y_2_0)
               and no_overflow_double(down, neg_real(double_value(y_2_0))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads z_0
        { (JC_85:
          ((double_is_infinite(x_2_1)
           and (double_is_finite(y_2_0)
               and (not no_overflow_double(down,
                        neg_real(double_value(y_2_0)))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads z_0
        { (JC_86:
          ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads a_0,b,z_0
        { (JC_87:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                   and (no_overflow_double(down,
                        mul_real(double_value(x_2_1), double_value(a_0)))
                       and (not no_overflow_double(down,
                                neg_real(double_value(b)))))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads a_0,z_0
        { (JC_88:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                   and (not no_overflow_double(down,
                            mul_real(double_value(x_2_1), double_value(a_0))))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads z_0
        { (JC_89:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and ((not no_overflow_double(down,
                         neg_real(double_value(y_2_0))))
                   and (double_sign(y_2_0) = Positive)))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads a_0,z_0
        { (JC_90:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and ((not no_overflow_double(down,
                         neg_real(double_value(y_2_0))))
                   and ((double_sign(y_2_0) = Negative)
                       and (not no_overflow_double(down,
                                mul_real(double_value(x_2_1),
                                double_value(a_0)))))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads a_0,b,z_0
        { (JC_91:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and ((not no_overflow_double(down,
                         neg_real(double_value(y_2_0))))
                   and ((double_sign(y_2_0) = Negative)
                       and (no_overflow_double(down,
                            mul_real(double_value(x_2_1), double_value(a_0)))
                           and (not no_overflow_double(down,
                                    neg_real(double_value(b))))))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads a_0,b,z_0
        { (JC_92:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and ((not no_overflow_double(down,
                         neg_real(double_value(y_2_0))))
                   and ((double_sign(y_2_0) = Negative)
                       and (no_overflow_double(down,
                            mul_real(double_value(x_2_1), double_value(a_0)))
                           and no_overflow_double(down,
                               neg_real(double_value(b)))))))) ->
           real_le_double(mul_real(double_value(x_2_1), double_value(y_2_0)),
           z_0))) } ]; void;
      [ { } unit reads a_0,b,z_0
        { (JC_93:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                   and (no_overflow_double(down,
                        mul_real(double_value(x_2_1), double_value(a_0)))
                       and (no_overflow_double(down,
                            neg_real(double_value(b)))
                           and gt_real(double_value(x_2_1), 0.0)))))) ->
           (double_is_finite(z_0)
           and real_le_double(mul_real(double_value(x_2_1),
                              double_value(y_2_0)),
               z_0)))) } ]; void;
      [ { } unit reads a_0,b,z_0
        { (JC_94:
          ((double_is_finite(x_2_1)
           and (double_is_finite(y_2_0)
               and (no_overflow_double(down, neg_real(double_value(y_2_0)))
                   and (no_overflow_double(down,
                        mul_real(double_value(x_2_1), double_value(a_0)))
                       and (no_overflow_double(down,
                            neg_real(double_value(b)))
                           and lt_real(double_value(x_2_1), 0.0)))))) ->
           (double_is_finite(z_0)
           and real_le_double(mul_real(double_value(x_2_1),
                              double_value(y_2_0)),
               z_0)))) } ]; void; (return := !z_0); (raise Return) end)));
    absurd  end with Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/interval_arith.why
========== file tests/c/interval_arith.jessie/why/interval_arith_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

function min_single() : real = 0x1.p-149

function min_double() : real = 0x1.p-1074

type Float_class

logic Finite : Float_class

logic Infinite : Float_class

logic NaN : Float_class

logic Float_class_match : Float_class, 'a1, 'a1, 'a1 -> 'a1

axiom Float_class_match_Finite:
  (forall aux_8:'a1.
    (forall aux_9:'a1.
      (forall aux_10:'a1 [Float_class_match(Finite, aux_8, aux_9, aux_10)].
        (Float_class_match(Finite, aux_8, aux_9, aux_10) = aux_8))))

axiom Float_class_match_Infinite:
  (forall aux_8:'a1.
    (forall aux_9:'a1.
      (forall aux_10:'a1 [Float_class_match(Infinite, aux_8, aux_9, aux_10)].
        (Float_class_match(Infinite, aux_8, aux_9, aux_10) = aux_9))))

axiom Float_class_match_NaN:
  (forall aux_8:'a1.
    (forall aux_9:'a1.
      (forall aux_10:'a1 [Float_class_match(NaN, aux_8, aux_9, aux_10)].
        (Float_class_match(NaN, aux_8, aux_9, aux_10) = aux_10))))

axiom Float_class_inversion:
  (forall aux_7:Float_class.
    (((aux_7 = Finite) or (aux_7 = Infinite)) or (aux_7 = NaN)))

logic Float_class_to_int : Float_class -> int

axiom Float_class_to_int_Finite: (Float_class_to_int(Finite) = 0)

axiom Float_class_to_int_Infinite: (Float_class_to_int(Infinite) = 1)

axiom Float_class_to_int_NaN: (Float_class_to_int(NaN) = 2)

type sign

logic Negative : sign

logic Positive : sign

logic sign_match : sign, 'a1, 'a1 -> 'a1

axiom sign_match_Negative:
  (forall aux_12:'a1.
    (forall aux_13:'a1 [sign_match(Negative, aux_12, aux_13)].
      (sign_match(Negative, aux_12, aux_13) = aux_12)))

axiom sign_match_Positive:
  (forall aux_12:'a1.
    (forall aux_13:'a1 [sign_match(Positive, aux_12, aux_13)].
      (sign_match(Positive, aux_12, aux_13) = aux_13)))

axiom sign_inversion:
  (forall aux_11:sign. ((aux_11 = Negative) or (aux_11 = Positive)))

logic sign_to_int : sign -> int

axiom sign_to_int_Negative: (sign_to_int(Negative) = 0)

axiom sign_to_int_Positive: (sign_to_int(Positive) = 1)

logic single_class : single -> Float_class

logic double_class : double -> Float_class

logic single_sign : single -> sign

logic double_sign : double -> sign

logic same_sign_real_bool : sign, real -> prop

axiom same_sign_real_bool_inversion:
  (forall aux_14:sign.
    (forall aux_15:real [same_sign_real_bool(aux_14, aux_15)].
      (same_sign_real_bool(aux_14, aux_15) ->
       ((exists x:real.
          ((x < 0.0) and ((aux_14 = Negative) and (aux_15 = x)))) or
        (exists x:real.
          ((x > 0.0) and ((aux_14 = Positive) and (aux_15 = x))))))))

axiom neg_case:
  (forall x:real. ((x < 0.0) -> same_sign_real_bool(Negative, x)))

axiom pos_case:
  (forall x:real. ((x > 0.0) -> same_sign_real_bool(Positive, x)))

axiom same_sign_real_bool_zero1:
  (forall b:sign. (not same_sign_real_bool(b, 0.0)))

axiom same_sign_real_bool_zero2:
  (forall x:real.
    ((same_sign_real_bool(Negative, x) and same_sign_real_bool(Positive, x)) ->
     false))

axiom same_sign_real_bool_zero3:
  (forall b:sign. (forall x:real. (same_sign_real_bool(b, x) -> (x <> 0.0))))

axiom same_sign_real_bool_correct2:
  (forall b:sign.
    (forall x:real.
      (same_sign_real_bool(b, x) -> ((x < 0.0) <-> (b = Negative)))))

axiom same_sign_real_bool_correct3:
  (forall b:sign.
    (forall x:real.
      (same_sign_real_bool(b, x) -> ((x > 0.0) <-> (b = Positive)))))

predicate single_same_sign_real(x: single, y: real) =
  same_sign_real_bool(single_sign(x), y)

predicate single_same_sign(x: single, y: single) =
  (single_sign(x) = single_sign(y))

predicate single_diff_sign(x: single, y: single) =
  (single_sign(x) <> single_sign(y))

predicate single_product_sign(z: single, x: single, y: single) =
  ((single_same_sign(x, y) -> (single_sign(z) = Positive)) and
   (single_diff_sign(x, y) -> (single_sign(z) = Negative)))

predicate double_same_sign_real(x: double, y: real) =
  same_sign_real_bool(double_sign(x), y)

predicate double_same_sign(x: double, y: double) =
  (double_sign(x) = double_sign(y))

predicate double_diff_sign(x: double, y: double) =
  (double_sign(x) <> double_sign(y))

predicate double_product_sign(z: double, x: double, y: double) =
  ((double_same_sign(x, y) -> (double_sign(z) = Positive)) and
   (double_diff_sign(x, y) -> (double_sign(z) = Negative)))

predicate single_same_class(x: single, y: single) =
  (single_class(x) = single_class(y))

predicate singlediff_class(x: single, y: single) =
  (single_class(x) <> single_class(y))

predicate double_same_class(x: double, y: double) =
  (double_class(x) = double_class(y))

predicate doublediff_class(x: double, y: double) =
  (double_class(x) <> double_class(y))

axiom single_finite_sign:
  (forall x:single.
    (((single_class(x) = Finite) and (single_value(x) <> 0.0)) ->
     single_same_sign_real(x, single_value(x))))

axiom single_finite_sign_neg1:
  (forall x:single.
    (((single_class(x) = Finite) and (single_value(x) < 0.0)) ->
     (single_sign(x) = Negative)))

axiom single_finite_sign_neg2:
  (forall x:single.
    (((single_class(x) = Finite) and
      ((single_value(x) <> 0.0) and (single_sign(x) = Negative))) ->
     (single_value(x) < 0.0)))

axiom single_finite_sign_pos1:
  (forall x:single.
    (((single_class(x) = Finite) and (single_value(x) > 0.0)) ->
     (single_sign(x) = Positive)))

axiom single_finite_sign_pos2:
  (forall x:single.
    (((single_class(x) = Finite) and
      ((single_value(x) <> 0.0) and (single_sign(x) = Positive))) ->
     (single_value(x) > 0.0)))

axiom single_diff_sign_trans:
  (forall x:single.
    (forall y:single.
      (forall z:single.
        ((single_diff_sign(x, y) and single_diff_sign(y, z)) ->
         single_same_sign(x, z)))))

axiom single_same_sign_product:
  (forall x:single.
    (forall y:single.
      (((single_class(x) = Finite) and
        ((single_class(y) = Finite) and single_same_sign(x, y))) ->
       ((single_value(x) * single_value(y)) >= 0.0))))

axiom single_diff_sign_product:
  (forall x:single.
    (forall y:single.
      (((single_class(x) = Finite) and
        ((single_class(y) = Finite) and
         ((single_value(x) * single_value(y)) < 0.0))) ->
       single_diff_sign(x, y))))

axiom double_finite_sign:
  (forall x:double.
    (((double_class(x) = Finite) and (double_value(x) <> 0.0)) ->
     double_same_sign_real(x, double_value(x))))

axiom double_finite_sign_neg1:
  (forall x:double.
    (((double_class(x) = Finite) and (double_value(x) < 0.0)) ->
     (double_sign(x) = Negative)))

axiom double_finite_sign_neg2:
  (forall x:double.
    (((double_class(x) = Finite) and
      ((double_value(x) <> 0.0) and (double_sign(x) = Negative))) ->
     (double_value(x) < 0.0)))

axiom double_finite_sign_pos1:
  (forall x:double.
    (((double_class(x) = Finite) and (double_value(x) > 0.0)) ->
     (double_sign(x) = Positive)))

axiom double_finite_sign_pos2:
  (forall x:double.
    (((double_class(x) = Finite) and
      ((double_value(x) <> 0.0) and (double_sign(x) = Positive))) ->
     (double_value(x) > 0.0)))

axiom double_diff_sign_trans:
  (forall x:double.
    (forall y:double.
      (forall z:double.
        ((double_diff_sign(x, y) and double_diff_sign(y, z)) ->
         double_same_sign(x, z)))))

axiom double_same_sign_product:
  (forall x:double.
    (forall y:double.
      (((double_class(x) = Finite) and
        ((double_class(y) = Finite) and double_same_sign(x, y))) ->
       ((double_value(x) * double_value(y)) >= 0.0))))

axiom double_diff_sign_product:
  (forall x:double.
    (forall y:double.
      (((double_class(x) = Finite) and
        ((double_class(y) = Finite) and
         ((double_value(x) * double_value(y)) < 0.0))) ->
       double_diff_sign(x, y))))

predicate single_is_finite(x: single) = (single_class(x) = Finite)

predicate single_is_infinite(x: single) = (single_class(x) = Infinite)

predicate single_is_NaN(x: single) = (single_class(x) = NaN)

predicate single_is_not_NaN(x: single) =
  (single_is_finite(x) or single_is_infinite(x))

predicate single_is_minus_infinity(x: single) =
  (single_is_infinite(x) and (single_sign(x) = Negative))

predicate single_is_plus_infinity(x: single) =
  (single_is_infinite(x) and (single_sign(x) = Positive))

predicate single_is_gen_zero(x: single) =
  (single_is_finite(x) and (single_value(x) = 0.0))

predicate single_is_gen_zero_plus(x: single) =
  (single_is_gen_zero(x) and (single_sign(x) = Positive))

predicate single_is_gen_zero_minus(x: single) =
  (single_is_gen_zero(x) and (single_sign(x) = Negative))

predicate double_is_finite(x: double) = (double_class(x) = Finite)

predicate double_is_infinite(x: double) = (double_class(x) = Infinite)

predicate double_is_NaN(x: double) = (double_class(x) = NaN)

predicate double_is_not_NaN(x: double) =
  (double_is_finite(x) or double_is_infinite(x))

predicate double_is_minus_infinity(x: double) =
  (double_is_infinite(x) and (double_sign(x) = Negative))

predicate double_is_plus_infinity(x: double) =
  (double_is_infinite(x) and (double_sign(x) = Positive))

predicate double_is_gen_zero(x: double) =
  (double_is_finite(x) and (double_value(x) = 0.0))

predicate double_is_gen_zero_plus(x: double) =
  (double_is_gen_zero(x) and (double_sign(x) = Positive))

predicate double_is_gen_zero_minus(x: double) =
  (double_is_gen_zero(x) and (double_sign(x) = Negative))

predicate single_overflow_value(m: mode, x: single) =
  (((m = down) ->
    (((single_sign(x) = Negative) -> single_is_infinite(x)) and
     ((single_sign(x) = Positive) ->
      (single_is_finite(x) and (single_value(x) = max_single))))) and
   (((m = up) ->
     (((single_sign(x) = Negative) ->
       (single_is_finite(x) and (single_value(x) = (-max_single)))) and
      ((single_sign(x) = Positive) -> single_is_infinite(x)))) and
    (((m = to_zero) ->
      (single_is_finite(x) and
       (((single_sign(x) = Negative) -> (single_value(x) = (-max_single))) and
        ((single_sign(x) = Positive) -> (single_value(x) = max_single))))) and
     (((m = nearest_away) or (m = nearest_even)) -> single_is_infinite(x)))))

predicate double_overflow_value(m: mode, x: double) =
  (((m = down) ->
    (((double_sign(x) = Negative) -> double_is_infinite(x)) and
     ((double_sign(x) = Positive) ->
      (double_is_finite(x) and (double_value(x) = max_double))))) and
   (((m = up) ->
     (((double_sign(x) = Negative) ->
       (double_is_finite(x) and (double_value(x) = (-max_double)))) and
      ((double_sign(x) = Positive) -> double_is_infinite(x)))) and
    (((m = to_zero) ->
      (double_is_finite(x) and
       (((double_sign(x) = Negative) -> (double_value(x) = (-max_double))) and
        ((double_sign(x) = Positive) -> (double_value(x) = max_double))))) and
     (((m = nearest_away) or (m = nearest_even)) -> double_is_infinite(x)))))

predicate single_underflow_value(m: mode, x: single) =
  (single_is_finite(x) and
   (((single_sign(x) = Positive) ->
     ((((m = down) or
        ((m = to_zero) or ((m = nearest_even) or (m = nearest_away)))) ->
       (single_value(x) = 0.0)) and
      ((m = up) -> (single_value(x) = min_single)))) and
    ((single_sign(x) = Negative) ->
     ((((m = up) or
        ((m = to_zero) or ((m = nearest_even) or (m = nearest_away)))) ->
       (single_value(x) = 0.0)) and
      ((m = down) -> (single_value(x) = (-min_single)))))))

predicate double_underflow_value(m: mode, x: double) =
  (double_is_finite(x) and
   (((double_sign(x) = Positive) ->
     ((((m = down) or
        ((m = to_zero) or ((m = nearest_even) or (m = nearest_away)))) ->
       (double_value(x) = 0.0)) and
      ((m = up) -> (double_value(x) = min_double)))) and
    ((double_sign(x) = Negative) ->
     ((((m = up) or
        ((m = to_zero) or ((m = nearest_even) or (m = nearest_away)))) ->
       (double_value(x) = 0.0)) and
      ((m = down) -> (double_value(x) = (-min_double)))))))

predicate single_sign_zero_result(m: mode, x: single) =
  ((single_value(x) = 0.0) ->
   (((m = down) -> (single_sign(x) = Negative)) and
    ((m <> down) -> (single_sign(x) = Positive))))

predicate double_sign_zero_result(m: mode, x: double) =
  ((double_value(x) = 0.0) ->
   (((m = down) -> (double_sign(x) = Negative)) and
    ((m <> down) -> (double_sign(x) = Positive))))

predicate le_single_full(x: single, y: single) =
  ((single_is_finite(x) and
    (single_is_finite(y) and (single_value(x) <= single_value(y)))) or
   ((single_is_minus_infinity(x) and single_is_not_NaN(y)) or
    (single_is_not_NaN(x) and single_is_plus_infinity(y))))

predicate lt_single_full(x: single, y: single) =
  ((single_is_finite(x) and
    (single_is_finite(y) and (single_value(x) < single_value(y)))) or
   ((single_is_minus_infinity(x) and
     (single_is_not_NaN(y) and (not single_is_minus_infinity(y)))) or
    (single_is_not_NaN(x) and
     ((not single_is_plus_infinity(x)) and single_is_plus_infinity(y)))))

predicate ge_single_full(x: single, y: single) = le_single_full(y, x)

predicate gt_single_full(x: single, y: single) = lt_single_full(y, x)

predicate eq_single_full(x: single, y: single) =
  (single_is_not_NaN(x) and
   (single_is_not_NaN(y) and
    ((single_is_finite(x) and
      (single_is_finite(y) and (single_value(x) = single_value(y)))) or
     (single_is_infinite(x) and
      (single_is_infinite(y) and single_same_sign(x, y))))))

predicate ne_single_full(x: single, y: single) = (not eq_single_full(x, y))

predicate le_double_full(x: double, y: double) =
  ((double_is_finite(x) and
    (double_is_finite(y) and (double_value(x) <= double_value(y)))) or
   ((double_is_minus_infinity(x) and double_is_not_NaN(y)) or
    (double_is_not_NaN(x) and double_is_plus_infinity(y))))

predicate lt_double_full(x: double, y: double) =
  ((double_is_finite(x) and
    (double_is_finite(y) and (double_value(x) < double_value(y)))) or
   ((double_is_minus_infinity(x) and
     (double_is_not_NaN(y) and (not double_is_minus_infinity(y)))) or
    (double_is_not_NaN(x) and
     ((not double_is_plus_infinity(x)) and double_is_plus_infinity(y)))))

predicate ge_double_full(x: double, y: double) = le_double_full(y, x)

predicate gt_double_full(x: double, y: double) = lt_double_full(y, x)

predicate eq_double_full(x: double, y: double) =
  (double_is_not_NaN(x) and
   (double_is_not_NaN(y) and
    ((double_is_finite(x) and
      (double_is_finite(y) and (double_value(x) = double_value(y)))) or
     (double_is_infinite(x) and
      (double_is_infinite(y) and double_same_sign(x, y))))))

predicate ne_double_full(x: double, y: double) = (not eq_double_full(x, y))

axiom le_lt_double_trans:
  (forall x:double.
    (forall y:double.
      (forall z:double.
        ((le_double_full(x, y) and lt_double_full(y, z)) -> lt_double_full(x,
         z)))))

axiom lt_le_double_trans:
  (forall x:double.
    (forall y:double.
      (forall z:double.
        ((lt_double_full(x, y) and le_double_full(y, z)) -> lt_double_full(x,
         z)))))

axiom round_single1:
  (forall m:mode.
    (forall x:real.
      (no_overflow_single(m, x) ->
       (single_is_finite(round_single_logic(m, x)) and
        (single_value(round_single_logic(m, x)) = round_single(m, x))))))

axiom round_single2:
  (forall m:mode.
    (forall x:real.
      ((not no_overflow_single(m, x)) ->
       (single_same_sign_real(round_single_logic(m, x), x) and
        single_overflow_value(m, round_single_logic(m, x))))))

axiom round_single3:
  (forall m:mode.
    (forall x:real. (single_exact(round_single_logic(m, x)) = x)))

axiom round_single4:
  (forall m:mode.
    (forall x:real. (single_model(round_single_logic(m, x)) = x)))

axiom single_of_zero:
  (forall m:mode. single_is_gen_zero(round_single_logic(m, 0.0)))

axiom round_single_logic_le:
  (forall m:mode.
    (forall x:real.
      (single_is_finite(round_single_logic(m, x)) ->
       (abs_real(single_value(round_single_logic(m, x))) <= max_single))))

axiom round_single_no_overflow:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) ->
       (single_is_finite(round_single_logic(m, x)) and
        (single_value(round_single_logic(m, x)) = round_single(m, x))))))

axiom single_positive_constant:
  (forall m:mode.
    (forall x:real.
      (((min_single <= x) and (x <= max_single)) ->
       (single_is_finite(round_single_logic(m, x)) and
        ((single_value(round_single_logic(m, x)) > 0.0) and
         (single_sign(round_single_logic(m, x)) = Positive))))))

axiom single_negative_constant:
  (forall m:mode.
    (forall x:real.
      ((((-max_single) <= x) and (x <= (-min_single))) ->
       (single_is_finite(round_single_logic(m, x)) and
        ((single_value(round_single_logic(m, x)) < 0.0) and
         (single_sign(round_single_logic(m, x)) = Negative))))))

axiom round_double1:
  (forall m:mode.
    (forall x:real.
      (no_overflow_double(m, x) ->
       (double_is_finite(round_double_logic(m, x)) and
        (double_value(round_double_logic(m, x)) = round_double(m, x))))))

axiom round_double2:
  (forall m:mode.
    (forall x:real.
      ((not no_overflow_double(m, x)) ->
       (double_same_sign_real(round_double_logic(m, x), x) and
        double_overflow_value(m, round_double_logic(m, x))))))

axiom round_double3:
  (forall m:mode.
    (forall x:real. (double_exact(round_double_logic(m, x)) = x)))

axiom round_double4:
  (forall m:mode.
    (forall x:real. (double_model(round_double_logic(m, x)) = x)))

axiom double_of_zero:
  (forall m:mode. double_is_gen_zero(round_double_logic(m, 0.0)))

axiom round_double_logic_le:
  (forall m:mode.
    (forall x:real.
      (double_is_finite(round_double_logic(m, x)) ->
       (abs_real(double_value(round_double_logic(m, x))) <= max_double))))

axiom round_double_no_overflow:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) ->
       (double_is_finite(round_double_logic(m, x)) and
        (double_value(round_double_logic(m, x)) = round_double(m, x))))))

axiom double_positive_constant:
  (forall m:mode.
    (forall x:real.
      (((min_double <= x) and (x <= max_double)) ->
       (double_is_finite(round_double_logic(m, x)) and
        ((double_value(round_double_logic(m, x)) > 0.0) and
         (double_sign(round_double_logic(m, x)) = Positive))))))

axiom double_negative_constant:
  (forall m:mode.
    (forall x:real.
      ((((-max_double) <= x) and (x <= (-min_double))) ->
       (double_is_finite(round_double_logic(m, x)) and
        ((double_value(round_double_logic(m, x)) < 0.0) and
         (double_sign(round_double_logic(m, x)) = Negative))))))

axiom single_is_gen_zero_comp1:
  (forall x:single.
    (forall y:single.
      ((single_is_gen_zero(x) and
        ((single_value(x) = single_value(y)) and single_is_finite(y))) ->
       single_is_gen_zero(y))))

axiom single_is_gen_zero_comp2:
  (forall x:single.
    (forall y:single.
      ((single_is_finite(x) and
        ((not single_is_gen_zero(x)) and (single_value(x) = single_value(y)))) ->
       (not single_is_gen_zero(y)))))

axiom double_is_gen_zero_comp1:
  (forall x:double.
    (forall y:double.
      ((double_is_gen_zero(x) and
        ((double_value(x) = double_value(y)) and double_is_finite(y))) ->
       double_is_gen_zero(y))))

axiom double_is_gen_zero_comp2:
  (forall x:double.
    (forall y:double.
      ((double_is_finite(x) and
        ((not double_is_gen_zero(x)) and (double_value(x) = double_value(y)))) ->
       (not double_is_gen_zero(y)))))

type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

predicate dif_sign(x_2: double, y_1: double) =
  (double_sign(x_2) <> double_sign(y_1))

predicate double_le_real(x_1_0: double, y_1_0: real) =
  ((double_is_finite(x_1_0) and (double_value(x_1_0) <= y_1_0)) or
   double_is_minus_infinity(x_1_0))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

predicate real_le_double(x_2_0: real, y_2: double) =
  ((double_is_finite(y_2) and (x_2_0 <= double_value(y_2))) or
   double_is_plus_infinity(y_2))

predicate in_interval(a: real, l: double, u: double) =
  (double_le_real(l, a) and real_le_double(a, u))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate is_interval(xl: double, xu: double) =
  ((double_is_finite(xl) or double_is_minus_infinity(xl)) and
   (double_is_finite(xu) or double_is_plus_infinity(xu)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate sam_sign(x_0_0: double, y_0_0: double) =
  (double_sign(x_0_0) = double_sign(y_0_0))

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal add_ensures_default_po_1:
  forall xl_0:double.
  forall xu_0:double.
  forall yl:double.
  forall yu:double.
  ("JC_117":
  (("JC_115": is_interval(xl_0, xu_0)) and ("JC_116": is_interval(yl, yu)))) ->
  forall result:double.
  (((double_is_NaN(xl_0) or double_is_NaN(yl)) -> double_is_NaN(result)) and
   (((double_is_finite(xl_0) and double_is_infinite(yl)) ->
     (double_is_infinite(result) and double_same_sign(result, yl))) and
    (((double_is_infinite(xl_0) and double_is_finite(yl)) ->
      (double_is_infinite(result) and double_same_sign(result, xl_0))) and
     (((double_is_infinite(xl_0) and
        (double_is_infinite(yl) and double_same_sign(xl_0, yl))) ->
       (double_is_infinite(result) and double_same_sign(result, xl_0))) and
      (((double_is_infinite(xl_0) and
         (double_is_infinite(yl) and double_diff_sign(xl_0, yl))) ->
        double_is_NaN(result)) and
       (((double_is_finite(xl_0) and
          (double_is_finite(yl) and no_overflow_double(down,
           (double_value(xl_0) + double_value(yl))))) ->
         (double_is_finite(result) and
          ((double_value(result) = round_double(down,
           (double_value(xl_0) + double_value(yl)))) and
           double_sign_zero_result(down, result)))) and
        (((double_is_finite(xl_0) and
           (double_is_finite(yl) and (not no_overflow_double(down,
            (double_value(xl_0) + double_value(yl)))))) ->
          (double_same_sign_real(result,
           (double_value(xl_0) + double_value(yl))) and
           double_overflow_value(down, result))) and
         ((double_exact(result) = (double_exact(xl_0) + double_exact(yl))) and
          (double_model(result) = (double_model(xl_0) + double_model(yl))))))))))) ->
  forall zl:double.
  (zl = result) ->
  forall result0:double.
  ((double_is_NaN(xu_0) -> double_is_NaN(result0)) and
   ((double_is_infinite(xu_0) -> double_is_infinite(result0)) and
    ((double_is_finite(xu_0) ->
      (double_is_finite(result0) and
       (double_value(result0) = (-double_value(xu_0))))) and
     (double_diff_sign(result0, xu_0) and
      ((double_exact(result0) = (-double_exact(xu_0))) and
       (double_model(result0) = (-double_model(xu_0)))))))) ->
  forall result1:double.
  (((double_is_NaN(result0) or double_is_NaN(yu)) -> double_is_NaN(result1)) and
   (((double_is_finite(result0) and double_is_infinite(yu)) ->
     (double_is_infinite(result1) and double_diff_sign(result1, yu))) and
    (((double_is_infinite(result0) and double_is_finite(yu)) ->
      (double_is_infinite(result1) and double_same_sign(result1, result0))) and
     (((double_is_infinite(result0) and
        (double_is_infinite(yu) and double_same_sign(result0, yu))) ->
       double_is_NaN(result1)) and
      (((double_is_infinite(result0) and
         (double_is_infinite(yu) and double_diff_sign(result0, yu))) ->
        (double_is_infinite(result1) and double_same_sign(result1, result0))) and
       (((double_is_finite(result0) and
          (double_is_finite(yu) and no_overflow_double(down,
           (double_value(result0) - double_value(yu))))) ->
         (double_is_finite(result1) and
          ((double_value(result1) = round_double(down,
           (double_value(result0) - double_value(yu)))) and
           double_sign_zero_result(down, result1)))) and
        (((double_is_finite(result0) and
           (double_is_finite(yu) and (not no_overflow_double(down,
            (double_value(result0) - double_value(yu)))))) ->
          (double_same_sign_real(result1,
           (double_value(result0) - double_value(yu))) and
           double_overflow_value(down, result1))) and
         ((double_exact(result1) = (double_exact(result0) - double_exact(yu))) and
          (double_model(result1) = (double_model(result0) - double_model(yu))))))))))) ->
  forall result2:double.
  ((double_is_NaN(result1) -> double_is_NaN(result2)) and
   ((double_is_infinite(result1) -> double_is_infinite(result2)) and
    ((double_is_finite(result1) ->
      (double_is_finite(result2) and
       (double_value(result2) = (-double_value(result1))))) and
     (double_diff_sign(result2, result1) and
      ((double_exact(result2) = (-double_exact(result1))) and
       (double_model(result2) = (-double_model(result1)))))))) ->
  forall zu:double.
  (zu = result2) ->
  ("JC_121": ("JC_119": is_interval(zl, zu)))

goal add_ensures_default_po_2:
  forall xl_0:double.
  forall xu_0:double.
  forall yl:double.
  forall yu:double.
  ("JC_117":
  (("JC_115": is_interval(xl_0, xu_0)) and ("JC_116": is_interval(yl, yu)))) ->
  forall result:double.
  (((double_is_NaN(xl_0) or double_is_NaN(yl)) -> double_is_NaN(result)) and
   (((double_is_finite(xl_0) and double_is_infinite(yl)) ->
     (double_is_infinite(result) and double_same_sign(result, yl))) and
    (((double_is_infinite(xl_0) and double_is_finite(yl)) ->
      (double_is_infinite(result) and double_same_sign(result, xl_0))) and
     (((double_is_infinite(xl_0) and
        (double_is_infinite(yl) and double_same_sign(xl_0, yl))) ->
       (double_is_infinite(result) and double_same_sign(result, xl_0))) and
      (((double_is_infinite(xl_0) and
         (double_is_infinite(yl) and double_diff_sign(xl_0, yl))) ->
        double_is_NaN(result)) and
       (((double_is_finite(xl_0) and
          (double_is_finite(yl) and no_overflow_double(down,
           (double_value(xl_0) + double_value(yl))))) ->
         (double_is_finite(result) and
          ((double_value(result) = round_double(down,
           (double_value(xl_0) + double_value(yl)))) and
           double_sign_zero_result(down, result)))) and
        (((double_is_finite(xl_0) and
           (double_is_finite(yl) and (not no_overflow_double(down,
            (double_value(xl_0) + double_value(yl)))))) ->
          (double_same_sign_real(result,
           (double_value(xl_0) + double_value(yl))) and
           double_overflow_value(down, result))) and
         ((double_exact(result) = (double_exact(xl_0) + double_exact(yl))) and
          (double_model(result) = (double_model(xl_0) + double_model(yl))))))))))) ->
  forall zl:double.
  (zl = result) ->
  forall result0:double.
  ((double_is_NaN(xu_0) -> double_is_NaN(result0)) and
   ((double_is_infinite(xu_0) -> double_is_infinite(result0)) and
    ((double_is_finite(xu_0) ->
      (double_is_finite(result0) and
       (double_value(result0) = (-double_value(xu_0))))) and
     (double_diff_sign(result0, xu_0) and
      ((double_exact(result0) = (-double_exact(xu_0))) and
       (double_model(result0) = (-double_model(xu_0)))))))) ->
  forall result1:double.
  (((double_is_NaN(result0) or double_is_NaN(yu)) -> double_is_NaN(result1)) and
   (((double_is_finite(result0) and double_is_infinite(yu)) ->
     (double_is_infinite(result1) and double_diff_sign(result1, yu))) and
    (((double_is_infinite(result0) and double_is_finite(yu)) ->
      (double_is_infinite(result1) and double_same_sign(result1, result0))) and
     (((double_is_infinite(result0) and
        (double_is_infinite(yu) and double_same_sign(result0, yu))) ->
       double_is_NaN(result1)) and
      (((double_is_infinite(result0) and
         (double_is_infinite(yu) and double_diff_sign(result0, yu))) ->
        (double_is_infinite(result1) and double_same_sign(result1, result0))) and
       (((double_is_finite(result0) and
          (double_is_finite(yu) and no_overflow_double(down,
           (double_value(result0) - double_value(yu))))) ->
         (double_is_finite(result1) and
          ((double_value(result1) = round_double(down,
           (double_value(result0) - double_value(yu)))) and
           double_sign_zero_result(down, result1)))) and
        (((double_is_finite(result0) and
           (double_is_finite(yu) and (not no_overflow_double(down,
            (double_value(result0) - double_value(yu)))))) ->
          (double_same_sign_real(result1,
           (double_value(result0) - double_value(yu))) and
           double_overflow_value(down, result1))) and
         ((double_exact(result1) = (double_exact(result0) - double_exact(yu))) and
          (double_model(result1) = (double_model(result0) - double_model(yu))))))))))) ->
  forall result2:double.
  ((double_is_NaN(result1) -> double_is_NaN(result2)) and
   ((double_is_infinite(result1) -> double_is_infinite(result2)) and
    ((double_is_finite(result1) ->
      (double_is_finite(result2) and
       (double_value(result2) = (-double_value(result1))))) and
     (double_diff_sign(result2, result1) and
      ((double_exact(result2) = (-double_exact(result1))) and
       (double_model(result2) = (-double_model(result1)))))))) ->
  forall zu:double.
  (zu = result2) ->
  forall a_0_0:real.
  forall b_0:real.
  (in_interval(a_0_0, xl_0, xu_0) and in_interval(b_0, yl, yu)) ->
  ("JC_121": ("JC_120": in_interval((a_0_0 + b_0), zl, zu)))

goal max_ensures_default_po_1:
  forall x_1:double.
  forall y:double.
  ("JC_25":
  (("JC_23": (not double_is_NaN(x_1))) and ("JC_24": (not double_is_NaN(y))))) ->
  gt_double_full(x_1, y) ->
  forall tmp_0:double.
  (tmp_0 = x_1) ->
  forall return:double.
  (return = tmp_0) ->
  ("JC_30": ("JC_27": le_double_full(x_1, return)))

goal max_ensures_default_po_2:
  forall x_1:double.
  forall y:double.
  ("JC_25":
  (("JC_23": (not double_is_NaN(x_1))) and ("JC_24": (not double_is_NaN(y))))) ->
  gt_double_full(x_1, y) ->
  forall tmp_0:double.
  (tmp_0 = x_1) ->
  forall return:double.
  (return = tmp_0) ->
  ("JC_30": ("JC_28": le_double_full(y, return)))

goal max_ensures_default_po_3:
  forall x_1:double.
  forall y:double.
  ("JC_25":
  (("JC_23": (not double_is_NaN(x_1))) and ("JC_24": (not double_is_NaN(y))))) ->
  gt_double_full(x_1, y) ->
  forall tmp_0:double.
  (tmp_0 = x_1) ->
  forall return:double.
  (return = tmp_0) ->
  ("JC_30":
  ("JC_29": (eq_double_full(return, x_1) or eq_double_full(return, y))))

goal max_ensures_default_po_4:
  forall x_1:double.
  forall y:double.
  ("JC_25":
  (("JC_23": (not double_is_NaN(x_1))) and ("JC_24": (not double_is_NaN(y))))) ->
  (not gt_double_full(x_1, y)) ->
  forall tmp_0:double.
  (tmp_0 = y) ->
  forall return:double.
  (return = tmp_0) ->
  ("JC_30": ("JC_27": le_double_full(x_1, return)))

goal max_ensures_default_po_5:
  forall x_1:double.
  forall y:double.
  ("JC_25":
  (("JC_23": (not double_is_NaN(x_1))) and ("JC_24": (not double_is_NaN(y))))) ->
  (not gt_double_full(x_1, y)) ->
  forall tmp_0:double.
  (tmp_0 = y) ->
  forall return:double.
  (return = tmp_0) ->
  ("JC_30": ("JC_28": le_double_full(y, return)))

goal max_ensures_default_po_6:
  forall x_1:double.
  forall y:double.
  ("JC_25":
  (("JC_23": (not double_is_NaN(x_1))) and ("JC_24": (not double_is_NaN(y))))) ->
  (not gt_double_full(x_1, y)) ->
  forall tmp_0:double.
  (tmp_0 = y) ->
  forall return:double.
  (return = tmp_0) ->
  ("JC_30":
  ("JC_29": (eq_double_full(return, x_1) or eq_double_full(return, y))))

goal min_ensures_default_po_1:
  forall x_0:double.
  forall y_0:double.
  ("JC_7":
  (("JC_5": (not double_is_NaN(x_0))) and ("JC_6": (not double_is_NaN(y_0))))) ->
  lt_double_full(x_0, y_0) ->
  forall tmp:double.
  (tmp = x_0) ->
  forall return:double.
  (return = tmp) ->
  ("JC_12": ("JC_9": le_double_full(return, x_0)))

goal min_ensures_default_po_2:
  forall x_0:double.
  forall y_0:double.
  ("JC_7":
  (("JC_5": (not double_is_NaN(x_0))) and ("JC_6": (not double_is_NaN(y_0))))) ->
  lt_double_full(x_0, y_0) ->
  forall tmp:double.
  (tmp = x_0) ->
  forall return:double.
  (return = tmp) ->
  ("JC_12": ("JC_10": le_double_full(return, y_0)))

goal min_ensures_default_po_3:
  forall x_0:double.
  forall y_0:double.
  ("JC_7":
  (("JC_5": (not double_is_NaN(x_0))) and ("JC_6": (not double_is_NaN(y_0))))) ->
  lt_double_full(x_0, y_0) ->
  forall tmp:double.
  (tmp = x_0) ->
  forall return:double.
  (return = tmp) ->
  ("JC_12":
  ("JC_11": (eq_double_full(return, x_0) or eq_double_full(return, y_0))))

goal min_ensures_default_po_4:
  forall x_0:double.
  forall y_0:double.
  ("JC_7":
  (("JC_5": (not double_is_NaN(x_0))) and ("JC_6": (not double_is_NaN(y_0))))) ->
  (not lt_double_full(x_0, y_0)) ->
  forall tmp:double.
  (tmp = y_0) ->
  forall return:double.
  (return = tmp) ->
  ("JC_12": ("JC_9": le_double_full(return, x_0)))

goal min_ensures_default_po_5:
  forall x_0:double.
  forall y_0:double.
  ("JC_7":
  (("JC_5": (not double_is_NaN(x_0))) and ("JC_6": (not double_is_NaN(y_0))))) ->
  (not lt_double_full(x_0, y_0)) ->
  forall tmp:double.
  (tmp = y_0) ->
  forall return:double.
  (return = tmp) ->
  ("JC_12": ("JC_10": le_double_full(return, y_0)))

goal min_ensures_default_po_6:
  forall x_0:double.
  forall y_0:double.
  ("JC_7":
  (("JC_5": (not double_is_NaN(x_0))) and ("JC_6": (not double_is_NaN(y_0))))) ->
  (not lt_double_full(x_0, y_0)) ->
  forall tmp:double.
  (tmp = y_0) ->
  forall return:double.
  (return = tmp) ->
  ("JC_12":
  ("JC_11": (eq_double_full(return, x_0) or eq_double_full(return, y_0))))

goal mul_dn_ensures_default_po_1:
  forall x_1_1:double.
  forall y_1_1:double.
  ("JC_49":
  (("JC_44": (not double_is_NaN(x_1_1))) and
   (("JC_45": (not double_is_NaN(y_1_1))) and
    (("JC_46":
     ((double_is_infinite(x_1_1) or double_is_infinite(y_1_1)) ->
      dif_sign(x_1_1, y_1_1))) and
     (("JC_47":
      ((double_is_infinite(x_1_1) and double_is_finite(y_1_1)) ->
       (double_value(y_1_1) <> 0.0))) and
      ("JC_48":
      ((double_is_finite(x_1_1) and double_is_infinite(y_1_1)) ->
       (double_value(x_1_1) <> 0.0)))))))) ->
  forall result:double.
  (((double_is_NaN(x_1_1) or double_is_NaN(y_1_1)) -> double_is_NaN(result)) and
   (((double_is_gen_zero(x_1_1) and double_is_infinite(y_1_1)) ->
     double_is_NaN(result)) and
    (((double_is_finite(x_1_1) and
       (double_is_infinite(y_1_1) and (double_value(x_1_1) <> 0.0))) ->
      double_is_infinite(result)) and
     (((double_is_infinite(x_1_1) and double_is_gen_zero(y_1_1)) ->
       double_is_NaN(result)) and
      (((double_is_infinite(x_1_1) and
         (double_is_finite(y_1_1) and (double_value(y_1_1) <> 0.0))) ->
        double_is_infinite(result)) and
       (((double_is_infinite(x_1_1) and double_is_infinite(y_1_1)) ->
         double_is_infinite(result)) and
        (((double_is_finite(x_1_1) and
           (double_is_finite(y_1_1) and no_overflow_double(down,
            (double_value(x_1_1) * double_value(y_1_1))))) ->
          (double_is_finite(result) and
           (double_value(result) = round_double(down,
           (double_value(x_1_1) * double_value(y_1_1)))))) and
         (((double_is_finite(x_1_1) and
            (double_is_finite(y_1_1) and (not no_overflow_double(down,
             (double_value(x_1_1) * double_value(y_1_1)))))) ->
           double_overflow_value(down, result)) and
          (double_product_sign(result, x_1_1, y_1_1) and
           ((double_exact(result) = (double_exact(x_1_1) * double_exact(y_1_1))) and
            (double_model(result) = (double_model(x_1_1) * double_model(y_1_1))))))))))))) ->
  forall z:double.
  (z = result) ->
  forall return:double.
  (return = z) ->
  ("JC_51": double_le_real(return,
  (double_value(x_1_1) * double_value(y_1_1))))

goal mul_ensures_default_po_1:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  forall result6:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result6)) ->
  forall tmp_1_0:double.
  (tmp_1_0 = result6) ->
  forall result7:double.
  ("JC_76": real_le_double((double_value(xl_0_0) * double_value(yl_0)),
  result7)) ->
  forall tmp_2:double.
  (tmp_2 = result7) ->
  forall result8:double.
  ("JC_34":
  (("JC_31": le_double_full(tmp_2, result8)) and
   (("JC_32": le_double_full(tmp_1_0, result8)) and
    ("JC_33":
    (eq_double_full(result8, tmp_2) or eq_double_full(result8, tmp_1_0)))))) ->
  forall zu:double.
  (zu = result8) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_2:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  forall result6:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result6)) ->
  forall tmp_1_0:double.
  (tmp_1_0 = result6) ->
  forall result7:double.
  ("JC_76": real_le_double((double_value(xl_0_0) * double_value(yl_0)),
  result7)) ->
  forall tmp_2:double.
  (tmp_2 = result7) ->
  forall result8:double.
  ("JC_34":
  (("JC_31": le_double_full(tmp_2, result8)) and
   (("JC_32": le_double_full(tmp_1_0, result8)) and
    ("JC_33":
    (eq_double_full(result8, tmp_2) or eq_double_full(result8, tmp_1_0)))))) ->
  forall zu:double.
  (zu = result8) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_ensures_default_po_3:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xl_0_0) * double_value(yl_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_4:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xl_0_0) * double_value(yl_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_ensures_default_po_5:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_6:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_ensures_default_po_7:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  forall result3:double.
  (double_is_finite(result3) and
   ((double_value(result3) = 0.0) and
    ((double_exact(result3) = 0.0) and (double_model(result3) = 0.0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  (double_is_finite(result4) and
   ((double_value(result4) = 0.0) and
    ((double_exact(result4) = 0.0) and (double_model(result4) = 0.0)))) ->
  forall zu:double.
  (zu = result4) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_8:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  forall result3:double.
  (double_is_finite(result3) and
   ((double_value(result3) = 0.0) and
    ((double_exact(result3) = 0.0) and (double_model(result3) = 0.0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  (double_is_finite(result4) and
   ((double_value(result4) = 0.0) and
    ((double_exact(result4) = 0.0) and (double_model(result4) = 0.0)))) ->
  forall zu:double.
  (zu = result4) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_ensures_default_po_9:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xl_0_0) * double_value(yl_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_10:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xl_0_0) * double_value(yl_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_ensures_default_po_11:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xl_0_0) * double_value(yl_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_12:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xl_0_0) * double_value(yl_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_ensures_default_po_13:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yl_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_14:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yl_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_ensures_default_po_15:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  forall result3:double.
  (double_is_finite(result3) and
   ((double_value(result3) = 0.0) and
    ((double_exact(result3) = 0.0) and (double_model(result3) = 0.0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  (double_is_finite(result4) and
   ((double_value(result4) = 0.0) and
    ((double_exact(result4) = 0.0) and (double_model(result4) = 0.0)))) ->
  forall zu:double.
  (zu = result4) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_16:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  forall result3:double.
  (double_is_finite(result3) and
   ((double_value(result3) = 0.0) and
    ((double_exact(result3) = 0.0) and (double_model(result3) = 0.0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  (double_is_finite(result4) and
   ((double_value(result4) = 0.0) and
    ((double_exact(result4) = 0.0) and (double_model(result4) = 0.0)))) ->
  forall zu:double.
  (zu = result4) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_ensures_default_po_17:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_18:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_ensures_default_po_19:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xl_0_0) * double_value(yu_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_20:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xl_0_0) * double_value(yu_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_ensures_default_po_21:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_22:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result4)) ->
  forall zu:double.
  (zu = result4) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_ensures_default_po_23:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  forall result3:double.
  (double_is_finite(result3) and
   ((double_value(result3) = 0.0) and
    ((double_exact(result3) = 0.0) and (double_model(result3) = 0.0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  (double_is_finite(result4) and
   ((double_value(result4) = 0.0) and
    ((double_exact(result4) = 0.0) and (double_model(result4) = 0.0)))) ->
  forall zu:double.
  (zu = result4) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_24:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  forall result3:double.
  (double_is_finite(result3) and
   ((double_value(result3) = 0.0) and
    ((double_exact(result3) = 0.0) and (double_model(result3) = 0.0)))) ->
  forall zl:double.
  (zl = result3) ->
  forall result4:double.
  (double_is_finite(result4) and
   ((double_value(result4) = 0.0) and
    ((double_exact(result4) = 0.0) and (double_model(result4) = 0.0)))) ->
  forall zu:double.
  (zu = result4) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_ensures_default_po_25:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  forall zl:double.
  (zl = result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  forall zu:double.
  (zu = result2) ->
  ("JC_145": ("JC_143": is_interval(zl, zu)))

goal mul_ensures_default_po_26:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  forall zl:double.
  (zl = result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  forall zu:double.
  (zu = result2) ->
  forall a_1:real.
  forall b_0_0:real.
  (in_interval(a_1, xl_0_0, xu_0_0) and in_interval(b_0_0, yl_0, yu_0)) ->
  ("JC_145": ("JC_144": in_interval((a_1 * b_0_0), zl, zu)))

goal mul_safety_po_1:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42": ("JC_37": (not double_is_NaN(xu_0_0))))

goal mul_safety_po_2:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42": ("JC_38": (not double_is_NaN(yl_0))))

goal mul_safety_po_3:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
  ("JC_42": ("JC_39": dif_sign(xu_0_0, yl_0)))

goal mul_safety_po_4:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
  ("JC_42": ("JC_40": (double_value(yl_0) <> 0.0)))

goal mul_safety_po_5:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
  ("JC_42": ("JC_41": (double_value(xu_0_0) <> 0.0)))

goal mul_safety_po_6:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42": ("JC_37": (not double_is_NaN(xl_0_0))))

goal mul_safety_po_7:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42": ("JC_38": (not double_is_NaN(yu_0))))

goal mul_safety_po_8:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  (double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
  ("JC_42": ("JC_39": dif_sign(xl_0_0, yu_0)))

goal mul_safety_po_9:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  (double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
  ("JC_42": ("JC_40": (double_value(yu_0) <> 0.0)))

goal mul_safety_po_10:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  (double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
  ("JC_42": ("JC_41": (double_value(xl_0_0) <> 0.0)))

goal mul_safety_po_11:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3": ("JC_1": (not double_is_NaN(tmp_0_0))))

goal mul_safety_po_12:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3": ("JC_2": (not double_is_NaN(tmp_1))))

goal mul_safety_po_13:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3":
  (("JC_1": (not double_is_NaN(tmp_0_0))) and
   ("JC_2": (not double_is_NaN(tmp_1))))) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  ("JC_65": ("JC_60": (not double_is_NaN(yu_0))))

goal mul_safety_po_14:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3":
  (("JC_1": (not double_is_NaN(tmp_0_0))) and
   ("JC_2": (not double_is_NaN(tmp_1))))) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  (double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
  ("JC_65": ("JC_61": sam_sign(xu_0_0, yu_0)))

goal mul_safety_po_15:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3":
  (("JC_1": (not double_is_NaN(tmp_0_0))) and
   ("JC_2": (not double_is_NaN(tmp_1))))) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  (double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
  ("JC_65": ("JC_62": (double_value(yu_0) <> 0.0)))

goal mul_safety_po_16:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3":
  (("JC_1": (not double_is_NaN(tmp_0_0))) and
   ("JC_2": (not double_is_NaN(tmp_1))))) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  (double_is_infinite(yu_0) and double_is_finite(xu_0_0)) ->
  ("JC_65": ("JC_63": (double_value(xu_0_0) <> 0.0)))

goal mul_safety_po_17:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3":
  (("JC_1": (not double_is_NaN(tmp_0_0))) and
   ("JC_2": (not double_is_NaN(tmp_1))))) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  (double_is_finite(xu_0_0) and
   (double_is_finite(yu_0) and
    ((not no_overflow_double(down, (-double_value(yu_0)))) and
     (double_sign(yu_0) = Positive)))) ->
  ("JC_65": ("JC_64": (double_value(xu_0_0) > 0.0)))

goal mul_safety_po_18:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3":
  (("JC_1": (not double_is_NaN(tmp_0_0))) and
   ("JC_2": (not double_is_NaN(tmp_1))))) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  ("JC_65":
  (("JC_59": (not double_is_NaN(xu_0_0))) and
   (("JC_60": (not double_is_NaN(yu_0))) and
    (("JC_61":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      sam_sign(xu_0_0, yu_0))) and
     (("JC_62":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      (("JC_63":
       ((double_is_infinite(yu_0) and double_is_finite(xu_0_0)) ->
        (double_value(xu_0_0) <> 0.0))) and
       ("JC_64":
       ((double_is_finite(xu_0_0) and
         (double_is_finite(yu_0) and
          ((not no_overflow_double(down, (-double_value(yu_0)))) and
           (double_sign(yu_0) = Positive)))) ->
        (double_value(xu_0_0) > 0.0))))))))) ->
  forall result6:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result6)) ->
  forall tmp_1_0:double.
  (tmp_1_0 = result6) ->
  ("JC_65": ("JC_60": (not double_is_NaN(yl_0))))

goal mul_safety_po_19:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3":
  (("JC_1": (not double_is_NaN(tmp_0_0))) and
   ("JC_2": (not double_is_NaN(tmp_1))))) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  ("JC_65":
  (("JC_59": (not double_is_NaN(xu_0_0))) and
   (("JC_60": (not double_is_NaN(yu_0))) and
    (("JC_61":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      sam_sign(xu_0_0, yu_0))) and
     (("JC_62":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      (("JC_63":
       ((double_is_infinite(yu_0) and double_is_finite(xu_0_0)) ->
        (double_value(xu_0_0) <> 0.0))) and
       ("JC_64":
       ((double_is_finite(xu_0_0) and
         (double_is_finite(yu_0) and
          ((not no_overflow_double(down, (-double_value(yu_0)))) and
           (double_sign(yu_0) = Positive)))) ->
        (double_value(xu_0_0) > 0.0))))))))) ->
  forall result6:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result6)) ->
  forall tmp_1_0:double.
  (tmp_1_0 = result6) ->
  (double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
  ("JC_65": ("JC_61": sam_sign(xl_0_0, yl_0)))

goal mul_safety_po_20:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3":
  (("JC_1": (not double_is_NaN(tmp_0_0))) and
   ("JC_2": (not double_is_NaN(tmp_1))))) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  ("JC_65":
  (("JC_59": (not double_is_NaN(xu_0_0))) and
   (("JC_60": (not double_is_NaN(yu_0))) and
    (("JC_61":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      sam_sign(xu_0_0, yu_0))) and
     (("JC_62":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      (("JC_63":
       ((double_is_infinite(yu_0) and double_is_finite(xu_0_0)) ->
        (double_value(xu_0_0) <> 0.0))) and
       ("JC_64":
       ((double_is_finite(xu_0_0) and
         (double_is_finite(yu_0) and
          ((not no_overflow_double(down, (-double_value(yu_0)))) and
           (double_sign(yu_0) = Positive)))) ->
        (double_value(xu_0_0) > 0.0))))))))) ->
  forall result6:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result6)) ->
  forall tmp_1_0:double.
  (tmp_1_0 = result6) ->
  (double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
  ("JC_65": ("JC_62": (double_value(yl_0) <> 0.0)))

goal mul_safety_po_21:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3":
  (("JC_1": (not double_is_NaN(tmp_0_0))) and
   ("JC_2": (not double_is_NaN(tmp_1))))) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  ("JC_65":
  (("JC_59": (not double_is_NaN(xu_0_0))) and
   (("JC_60": (not double_is_NaN(yu_0))) and
    (("JC_61":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      sam_sign(xu_0_0, yu_0))) and
     (("JC_62":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      (("JC_63":
       ((double_is_infinite(yu_0) and double_is_finite(xu_0_0)) ->
        (double_value(xu_0_0) <> 0.0))) and
       ("JC_64":
       ((double_is_finite(xu_0_0) and
         (double_is_finite(yu_0) and
          ((not no_overflow_double(down, (-double_value(yu_0)))) and
           (double_sign(yu_0) = Positive)))) ->
        (double_value(xu_0_0) > 0.0))))))))) ->
  forall result6:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result6)) ->
  forall tmp_1_0:double.
  (tmp_1_0 = result6) ->
  (double_is_infinite(yl_0) and double_is_finite(xl_0_0)) ->
  ("JC_65": ("JC_63": (double_value(xl_0_0) <> 0.0)))

goal mul_safety_po_22:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3":
  (("JC_1": (not double_is_NaN(tmp_0_0))) and
   ("JC_2": (not double_is_NaN(tmp_1))))) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  ("JC_65":
  (("JC_59": (not double_is_NaN(xu_0_0))) and
   (("JC_60": (not double_is_NaN(yu_0))) and
    (("JC_61":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      sam_sign(xu_0_0, yu_0))) and
     (("JC_62":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      (("JC_63":
       ((double_is_infinite(yu_0) and double_is_finite(xu_0_0)) ->
        (double_value(xu_0_0) <> 0.0))) and
       ("JC_64":
       ((double_is_finite(xu_0_0) and
         (double_is_finite(yu_0) and
          ((not no_overflow_double(down, (-double_value(yu_0)))) and
           (double_sign(yu_0) = Positive)))) ->
        (double_value(xu_0_0) > 0.0))))))))) ->
  forall result6:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result6)) ->
  forall tmp_1_0:double.
  (tmp_1_0 = result6) ->
  (double_is_finite(xl_0_0) and
   (double_is_finite(yl_0) and
    ((not no_overflow_double(down, (-double_value(yl_0)))) and
     (double_sign(yl_0) = Positive)))) ->
  ("JC_65": ("JC_64": (double_value(xl_0_0) > 0.0)))

goal mul_safety_po_23:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3":
  (("JC_1": (not double_is_NaN(tmp_0_0))) and
   ("JC_2": (not double_is_NaN(tmp_1))))) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  ("JC_65":
  (("JC_59": (not double_is_NaN(xu_0_0))) and
   (("JC_60": (not double_is_NaN(yu_0))) and
    (("JC_61":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      sam_sign(xu_0_0, yu_0))) and
     (("JC_62":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      (("JC_63":
       ((double_is_infinite(yu_0) and double_is_finite(xu_0_0)) ->
        (double_value(xu_0_0) <> 0.0))) and
       ("JC_64":
       ((double_is_finite(xu_0_0) and
         (double_is_finite(yu_0) and
          ((not no_overflow_double(down, (-double_value(yu_0)))) and
           (double_sign(yu_0) = Positive)))) ->
        (double_value(xu_0_0) > 0.0))))))))) ->
  forall result6:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result6)) ->
  forall tmp_1_0:double.
  (tmp_1_0 = result6) ->
  ("JC_65":
  (("JC_59": (not double_is_NaN(xl_0_0))) and
   (("JC_60": (not double_is_NaN(yl_0))) and
    (("JC_61":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
      sam_sign(xl_0_0, yl_0))) and
     (("JC_62":
      ((double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      (("JC_63":
       ((double_is_infinite(yl_0) and double_is_finite(xl_0_0)) ->
        (double_value(xl_0_0) <> 0.0))) and
       ("JC_64":
       ((double_is_finite(xl_0_0) and
         (double_is_finite(yl_0) and
          ((not no_overflow_double(down, (-double_value(yl_0)))) and
           (double_sign(yl_0) = Positive)))) ->
        (double_value(xl_0_0) > 0.0))))))))) ->
  forall result7:double.
  ("JC_76": real_le_double((double_value(xl_0_0) * double_value(yl_0)),
  result7)) ->
  forall tmp_2:double.
  (tmp_2 = result7) ->
  ("JC_21": ("JC_19": (not double_is_NaN(tmp_2))))

goal mul_safety_po_24:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall tmp_1:double.
  (tmp_1 = result3) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result4:double.
  ("JC_53": double_le_real(result4,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall tmp_0_0:double.
  (tmp_0_0 = result4) ->
  ("JC_3":
  (("JC_1": (not double_is_NaN(tmp_0_0))) and
   ("JC_2": (not double_is_NaN(tmp_1))))) ->
  forall result5:double.
  ("JC_16":
  (("JC_13": le_double_full(result5, tmp_0_0)) and
   (("JC_14": le_double_full(result5, tmp_1)) and
    ("JC_15":
    (eq_double_full(result5, tmp_0_0) or eq_double_full(result5, tmp_1)))))) ->
  forall zl:double.
  (zl = result5) ->
  ("JC_65":
  (("JC_59": (not double_is_NaN(xu_0_0))) and
   (("JC_60": (not double_is_NaN(yu_0))) and
    (("JC_61":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      sam_sign(xu_0_0, yu_0))) and
     (("JC_62":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      (("JC_63":
       ((double_is_infinite(yu_0) and double_is_finite(xu_0_0)) ->
        (double_value(xu_0_0) <> 0.0))) and
       ("JC_64":
       ((double_is_finite(xu_0_0) and
         (double_is_finite(yu_0) and
          ((not no_overflow_double(down, (-double_value(yu_0)))) and
           (double_sign(yu_0) = Positive)))) ->
        (double_value(xu_0_0) > 0.0))))))))) ->
  forall result6:double.
  ("JC_76": real_le_double((double_value(xu_0_0) * double_value(yu_0)),
  result6)) ->
  forall tmp_1_0:double.
  (tmp_1_0 = result6) ->
  ("JC_65":
  (("JC_59": (not double_is_NaN(xl_0_0))) and
   (("JC_60": (not double_is_NaN(yl_0))) and
    (("JC_61":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
      sam_sign(xl_0_0, yl_0))) and
     (("JC_62":
      ((double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      (("JC_63":
       ((double_is_infinite(yl_0) and double_is_finite(xl_0_0)) ->
        (double_value(xl_0_0) <> 0.0))) and
       ("JC_64":
       ((double_is_finite(xl_0_0) and
         (double_is_finite(yl_0) and
          ((not no_overflow_double(down, (-double_value(yl_0)))) and
           (double_sign(yl_0) = Positive)))) ->
        (double_value(xl_0_0) > 0.0))))))))) ->
  forall result7:double.
  ("JC_76": real_le_double((double_value(xl_0_0) * double_value(yl_0)),
  result7)) ->
  forall tmp_2:double.
  (tmp_2 = result7) ->
  ("JC_21": ("JC_20": (not double_is_NaN(tmp_1_0))))

goal mul_safety_po_25:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42": ("JC_37": (not double_is_NaN(xu_0_0))))

goal mul_safety_po_26:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42": ("JC_38": (not double_is_NaN(yl_0))))

goal mul_safety_po_27:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  (double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
  ("JC_42": ("JC_39": dif_sign(xu_0_0, yl_0)))

goal mul_safety_po_28:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  (double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
  ("JC_42": ("JC_40": (double_value(yl_0) <> 0.0)))

goal mul_safety_po_29:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  (double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
  ("JC_42": ("JC_41": (double_value(xu_0_0) <> 0.0)))

goal mul_safety_po_30:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_59": (not double_is_NaN(xl_0_0))))

goal mul_safety_po_31:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_60": (not double_is_NaN(yl_0))))

goal mul_safety_po_32:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
  ("JC_65": ("JC_61": sam_sign(xl_0_0, yl_0)))

goal mul_safety_po_33:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
  ("JC_65": ("JC_62": (double_value(yl_0) <> 0.0)))

goal mul_safety_po_34:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(yl_0) and double_is_finite(xl_0_0)) ->
  ("JC_65": ("JC_63": (double_value(xl_0_0) <> 0.0)))

goal mul_safety_po_35:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_finite(xl_0_0) and
   (double_is_finite(yl_0) and
    ((not no_overflow_double(down, (-double_value(yl_0)))) and
     (double_sign(yl_0) = Positive)))) ->
  ("JC_65": ("JC_64": (double_value(xl_0_0) > 0.0)))

goal mul_safety_po_36:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42": ("JC_37": (not double_is_NaN(xl_0_0))))

goal mul_safety_po_37:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42": ("JC_38": (not double_is_NaN(yu_0))))

goal mul_safety_po_38:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
  ("JC_42": ("JC_39": dif_sign(xl_0_0, yu_0)))

goal mul_safety_po_39:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
  ("JC_42": ("JC_40": (double_value(yu_0) <> 0.0)))

goal mul_safety_po_40:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
  ("JC_42": ("JC_41": (double_value(xl_0_0) <> 0.0)))

goal mul_safety_po_41:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_59": (not double_is_NaN(xu_0_0))))

goal mul_safety_po_42:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_60": (not double_is_NaN(yu_0))))

goal mul_safety_po_43:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
  ("JC_65": ("JC_61": sam_sign(xu_0_0, yu_0)))

goal mul_safety_po_44:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
  ("JC_65": ("JC_62": (double_value(yu_0) <> 0.0)))

goal mul_safety_po_45:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(yu_0) and double_is_finite(xu_0_0)) ->
  ("JC_65": ("JC_63": (double_value(xu_0_0) <> 0.0)))

goal mul_safety_po_46:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_finite(xu_0_0) and
   (double_is_finite(yu_0) and
    ((not no_overflow_double(down, (-double_value(yu_0)))) and
     (double_sign(yu_0) = Positive)))) ->
  ("JC_65": ("JC_64": (double_value(xu_0_0) > 0.0)))

goal mul_safety_po_47:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42": ("JC_37": (not double_is_NaN(xl_0_0))))

goal mul_safety_po_48:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42": ("JC_38": (not double_is_NaN(yu_0))))

goal mul_safety_po_49:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
  ("JC_42": ("JC_39": dif_sign(xl_0_0, yu_0)))

goal mul_safety_po_50:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
  ("JC_42": ("JC_40": (double_value(yu_0) <> 0.0)))

goal mul_safety_po_51:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
  ("JC_42": ("JC_41": (double_value(xl_0_0) <> 0.0)))

goal mul_safety_po_52:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_60": (not double_is_NaN(yl_0))))

goal mul_safety_po_53:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
  ("JC_65": ("JC_61": sam_sign(xl_0_0, yl_0)))

goal mul_safety_po_54:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
  ("JC_65": ("JC_62": (double_value(yl_0) <> 0.0)))

goal mul_safety_po_55:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(yl_0) and double_is_finite(xl_0_0)) ->
  ("JC_65": ("JC_63": (double_value(xl_0_0) <> 0.0)))

goal mul_safety_po_56:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_finite(xl_0_0) and
   (double_is_finite(yl_0) and
    ((not no_overflow_double(down, (-double_value(yl_0)))) and
     (double_sign(yl_0) = Positive)))) ->
  ("JC_65": ("JC_64": (double_value(xl_0_0) > 0.0)))

goal mul_safety_po_57:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42": ("JC_37": (not double_is_NaN(xu_0_0))))

goal mul_safety_po_58:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42": ("JC_38": (not double_is_NaN(yu_0))))

goal mul_safety_po_59:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  (double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
  ("JC_42": ("JC_39": dif_sign(xu_0_0, yu_0)))

goal mul_safety_po_60:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  (double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
  ("JC_42": ("JC_40": (double_value(yu_0) <> 0.0)))

goal mul_safety_po_61:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  (double_is_finite(xu_0_0) and double_is_infinite(yu_0)) ->
  ("JC_42": ("JC_41": (double_value(xu_0_0) <> 0.0)))

goal mul_safety_po_62:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xu_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_59": (not double_is_NaN(xl_0_0))))

goal mul_safety_po_63:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xu_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_60": (not double_is_NaN(yl_0))))

goal mul_safety_po_64:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xu_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
  ("JC_65": ("JC_61": sam_sign(xl_0_0, yl_0)))

goal mul_safety_po_65:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xu_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
  ("JC_65": ("JC_62": (double_value(yl_0) <> 0.0)))

goal mul_safety_po_66:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xu_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(yl_0) and double_is_finite(xl_0_0)) ->
  ("JC_65": ("JC_63": (double_value(xl_0_0) <> 0.0)))

goal mul_safety_po_67:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xu_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_finite(xl_0_0) and
   (double_is_finite(yl_0) and
    ((not no_overflow_double(down, (-double_value(yl_0)))) and
     (double_sign(yl_0) = Positive)))) ->
  ("JC_65": ("JC_64": (double_value(xl_0_0) > 0.0)))

goal mul_safety_po_68:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42": ("JC_37": (not double_is_NaN(xl_0_0))))

goal mul_safety_po_69:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42": ("JC_38": (not double_is_NaN(yu_0))))

goal mul_safety_po_70:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
  ("JC_42": ("JC_39": dif_sign(xl_0_0, yu_0)))

goal mul_safety_po_71:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
  ("JC_42": ("JC_40": (double_value(yu_0) <> 0.0)))

goal mul_safety_po_72:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
  ("JC_42": ("JC_41": (double_value(xl_0_0) <> 0.0)))

goal mul_safety_po_73:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_59": (not double_is_NaN(xu_0_0))))

goal mul_safety_po_74:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_60": (not double_is_NaN(yl_0))))

goal mul_safety_po_75:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
  ("JC_65": ("JC_61": sam_sign(xu_0_0, yl_0)))

goal mul_safety_po_76:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
  ("JC_65": ("JC_62": (double_value(yl_0) <> 0.0)))

goal mul_safety_po_77:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(yl_0) and double_is_finite(xu_0_0)) ->
  ("JC_65": ("JC_63": (double_value(xu_0_0) <> 0.0)))

goal mul_safety_po_78:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  lt_double_full(xl_0_0, result) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  (not gt_double_full(xu_0_0, result0)) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yu_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
      dif_sign(xl_0_0, yu_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
       (double_value(yu_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yu_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yu_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_finite(xu_0_0) and
   (double_is_finite(yl_0) and
    ((not no_overflow_double(down, (-double_value(yl_0)))) and
     (double_sign(yl_0) = Positive)))) ->
  ("JC_65": ("JC_64": (double_value(xu_0_0) > 0.0)))

goal mul_safety_po_79:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42": ("JC_37": (not double_is_NaN(xu_0_0))))

goal mul_safety_po_80:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42": ("JC_38": (not double_is_NaN(yl_0))))

goal mul_safety_po_81:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
  ("JC_42": ("JC_39": dif_sign(xu_0_0, yl_0)))

goal mul_safety_po_82:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
  ("JC_42": ("JC_40": (double_value(yl_0) <> 0.0)))

goal mul_safety_po_83:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
  ("JC_42": ("JC_41": (double_value(xu_0_0) <> 0.0)))

goal mul_safety_po_84:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_60": (not double_is_NaN(yu_0))))

goal mul_safety_po_85:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
  ("JC_65": ("JC_61": sam_sign(xu_0_0, yu_0)))

goal mul_safety_po_86:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
  ("JC_65": ("JC_62": (double_value(yu_0) <> 0.0)))

goal mul_safety_po_87:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(yu_0) and double_is_finite(xu_0_0)) ->
  ("JC_65": ("JC_63": (double_value(xu_0_0) <> 0.0)))

goal mul_safety_po_88:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_finite(xu_0_0) and
   (double_is_finite(yu_0) and
    ((not no_overflow_double(down, (-double_value(yu_0)))) and
     (double_sign(yu_0) = Positive)))) ->
  ("JC_65": ("JC_64": (double_value(xu_0_0) > 0.0)))

goal mul_safety_po_89:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42": ("JC_37": (not double_is_NaN(xu_0_0))))

goal mul_safety_po_90:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42": ("JC_38": (not double_is_NaN(yl_0))))

goal mul_safety_po_91:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  (double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
  ("JC_42": ("JC_39": dif_sign(xu_0_0, yl_0)))

goal mul_safety_po_92:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  (double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
  ("JC_42": ("JC_40": (double_value(yl_0) <> 0.0)))

goal mul_safety_po_93:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  (double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
  ("JC_42": ("JC_41": (double_value(xu_0_0) <> 0.0)))

goal mul_safety_po_94:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_59": (not double_is_NaN(xl_0_0))))

goal mul_safety_po_95:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_60": (not double_is_NaN(yu_0))))

goal mul_safety_po_96:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xl_0_0) or double_is_infinite(yu_0)) ->
  ("JC_65": ("JC_61": sam_sign(xl_0_0, yu_0)))

goal mul_safety_po_97:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xl_0_0) and double_is_finite(yu_0)) ->
  ("JC_65": ("JC_62": (double_value(yu_0) <> 0.0)))

goal mul_safety_po_98:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(yu_0) and double_is_finite(xl_0_0)) ->
  ("JC_65": ("JC_63": (double_value(xl_0_0) <> 0.0)))

goal mul_safety_po_99:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  lt_double_full(yl_0, result1) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  (not gt_double_full(yu_0, result2)) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xu_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xu_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xu_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xu_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xu_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xu_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xu_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_finite(xl_0_0) and
   (double_is_finite(yu_0) and
    ((not no_overflow_double(down, (-double_value(yu_0)))) and
     (double_sign(yu_0) = Positive)))) ->
  ("JC_65": ("JC_64": (double_value(xl_0_0) > 0.0)))

goal mul_safety_po_100:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42": ("JC_37": (not double_is_NaN(xl_0_0))))

goal mul_safety_po_101:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42": ("JC_38": (not double_is_NaN(yl_0))))

goal mul_safety_po_102:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
  ("JC_42": ("JC_39": dif_sign(xl_0_0, yl_0)))

goal mul_safety_po_103:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
  ("JC_42": ("JC_40": (double_value(yl_0) <> 0.0)))

goal mul_safety_po_104:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  (double_is_finite(xl_0_0) and double_is_infinite(yl_0)) ->
  ("JC_42": ("JC_41": (double_value(xl_0_0) <> 0.0)))

goal mul_safety_po_105:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xl_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_59": (not double_is_NaN(xu_0_0))))

goal mul_safety_po_106:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xl_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  ("JC_65": ("JC_60": (not double_is_NaN(yu_0))))

goal mul_safety_po_107:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xl_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xu_0_0) or double_is_infinite(yu_0)) ->
  ("JC_65": ("JC_61": sam_sign(xu_0_0, yu_0)))

goal mul_safety_po_108:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xl_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(xu_0_0) and double_is_finite(yu_0)) ->
  ("JC_65": ("JC_62": (double_value(yu_0) <> 0.0)))

goal mul_safety_po_109:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xl_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_infinite(yu_0) and double_is_finite(xu_0_0)) ->
  ("JC_65": ("JC_63": (double_value(xu_0_0) <> 0.0)))

goal mul_safety_po_110:
  forall xl_0_0:double.
  forall xu_0_0:double.
  forall yl_0:double.
  forall yu_0:double.
  ("JC_141":
  (("JC_139": is_interval(xl_0_0, xu_0_0)) and
   ("JC_140": is_interval(yl_0, yu_0)))) ->
  forall result:double.
  (double_is_finite(result) and
   ((double_value(result) = 0.0) and
    ((double_exact(result) = 0.0) and (double_model(result) = 0.0)))) ->
  (not lt_double_full(xl_0_0, result)) ->
  forall result0:double.
  (double_is_finite(result0) and
   ((double_value(result0) = 0.0) and
    ((double_exact(result0) = 0.0) and (double_model(result0) = 0.0)))) ->
  gt_double_full(xu_0_0, result0) ->
  forall result1:double.
  (double_is_finite(result1) and
   ((double_value(result1) = 0.0) and
    ((double_exact(result1) = 0.0) and (double_model(result1) = 0.0)))) ->
  (not lt_double_full(yl_0, result1)) ->
  forall result2:double.
  (double_is_finite(result2) and
   ((double_value(result2) = 0.0) and
    ((double_exact(result2) = 0.0) and (double_model(result2) = 0.0)))) ->
  gt_double_full(yu_0, result2) ->
  ("JC_42":
  (("JC_37": (not double_is_NaN(xl_0_0))) and
   (("JC_38": (not double_is_NaN(yl_0))) and
    (("JC_39":
     ((double_is_infinite(xl_0_0) or double_is_infinite(yl_0)) ->
      dif_sign(xl_0_0, yl_0))) and
     (("JC_40":
      ((double_is_infinite(xl_0_0) and double_is_finite(yl_0)) ->
       (double_value(yl_0) <> 0.0))) and
      ("JC_41":
      ((double_is_finite(xl_0_0) and double_is_infinite(yl_0)) ->
       (double_value(xl_0_0) <> 0.0)))))))) ->
  forall result3:double.
  ("JC_53": double_le_real(result3,
  (double_value(xl_0_0) * double_value(yl_0)))) ->
  forall zl:double.
  (zl = result3) ->
  (double_is_finite(xu_0_0) and
   (double_is_finite(yu_0) and
    ((not no_overflow_double(down, (-double_value(yu_0)))) and
     (double_sign(yu_0) = Positive)))) ->
  ("JC_65": ("JC_64": (double_value(xu_0_0) > 0.0)))

goal mul_up_ensures_default_po_1:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  (double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
  ("JC_98": real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))

goal mul_up_ensures_default_po_2:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  (double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
  ("JC_99": real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))

goal mul_up_ensures_default_po_3:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  (double_is_infinite(x_2_1) and
   (double_is_finite(y_2_0) and no_overflow_double(down,
    (-double_value(y_2_0))))) ->
  ("JC_100": real_le_double((double_value(x_2_1) * double_value(y_2_0)),
  z_0))

goal mul_up_ensures_default_po_4:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  (double_is_infinite(x_2_1) and
   (double_is_finite(y_2_0) and (not no_overflow_double(down,
    (-double_value(y_2_0)))))) ->
  ("JC_101": real_le_double((double_value(x_2_1) * double_value(y_2_0)),
  z_0))

goal mul_up_ensures_default_po_5:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_101":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and (not no_overflow_double(down,
     (-double_value(y_2_0)))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  (double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
  ("JC_102": real_le_double((double_value(x_2_1) * double_value(y_2_0)),
  z_0))

goal mul_up_ensures_default_po_6:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_101":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and (not no_overflow_double(down,
     (-double_value(y_2_0)))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_102":
  ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  (double_is_finite(x_2_1) and
   (double_is_finite(y_2_0) and
    (no_overflow_double(down, (-double_value(y_2_0))) and
     (no_overflow_double(down, (double_value(x_2_1) * double_value(a_0))) and
      (not no_overflow_double(down, (-double_value(b)))))))) ->
  ("JC_103": real_le_double((double_value(x_2_1) * double_value(y_2_0)),
  z_0))

goal mul_up_ensures_default_po_7:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_101":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and (not no_overflow_double(down,
     (-double_value(y_2_0)))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_102":
  ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_103":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (not no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  (double_is_finite(x_2_1) and
   (double_is_finite(y_2_0) and
    (no_overflow_double(down, (-double_value(y_2_0))) and
     (not no_overflow_double(down,
     (double_value(x_2_1) * double_value(a_0))))))) ->
  ("JC_104": real_le_double((double_value(x_2_1) * double_value(y_2_0)),
  z_0))

goal mul_up_ensures_default_po_8:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_101":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and (not no_overflow_double(down,
     (-double_value(y_2_0)))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_102":
  ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_103":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (not no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_104":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (not no_overflow_double(down,
      (double_value(x_2_1) * double_value(a_0))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  (double_is_finite(x_2_1) and
   (double_is_finite(y_2_0) and
    ((not no_overflow_double(down, (-double_value(y_2_0)))) and
     (double_sign(y_2_0) = Positive)))) ->
  ("JC_105": real_le_double((double_value(x_2_1) * double_value(y_2_0)),
  z_0))

goal mul_up_ensures_default_po_9:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_101":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and (not no_overflow_double(down,
     (-double_value(y_2_0)))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_102":
  ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_103":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (not no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_104":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (not no_overflow_double(down,
      (double_value(x_2_1) * double_value(a_0))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_105":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      (double_sign(y_2_0) = Positive)))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  (double_is_finite(x_2_1) and
   (double_is_finite(y_2_0) and
    ((not no_overflow_double(down, (-double_value(y_2_0)))) and
     ((double_sign(y_2_0) = Negative) and (not no_overflow_double(down,
      (double_value(x_2_1) * double_value(a_0)))))))) ->
  ("JC_106": real_le_double((double_value(x_2_1) * double_value(y_2_0)),
  z_0))

goal mul_up_ensures_default_po_10:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_101":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and (not no_overflow_double(down,
     (-double_value(y_2_0)))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_102":
  ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_103":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (not no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_104":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (not no_overflow_double(down,
      (double_value(x_2_1) * double_value(a_0))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_105":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      (double_sign(y_2_0) = Positive)))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_106":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and (not no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  (double_is_finite(x_2_1) and
   (double_is_finite(y_2_0) and
    ((not no_overflow_double(down, (-double_value(y_2_0)))) and
     ((double_sign(y_2_0) = Negative) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (not no_overflow_double(down, (-double_value(b))))))))) ->
  ("JC_107": real_le_double((double_value(x_2_1) * double_value(y_2_0)),
  z_0))

goal mul_up_ensures_default_po_11:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_101":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and (not no_overflow_double(down,
     (-double_value(y_2_0)))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_102":
  ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_103":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (not no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_104":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (not no_overflow_double(down,
      (double_value(x_2_1) * double_value(a_0))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_105":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      (double_sign(y_2_0) = Positive)))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_106":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and (not no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_107":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and
       (no_overflow_double(down,
        (double_value(x_2_1) * double_value(a_0))) and
        (not no_overflow_double(down, (-double_value(b))))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  (double_is_finite(x_2_1) and
   (double_is_finite(y_2_0) and
    ((not no_overflow_double(down, (-double_value(y_2_0)))) and
     ((double_sign(y_2_0) = Negative) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       no_overflow_double(down, (-double_value(b)))))))) ->
  ("JC_108": real_le_double((double_value(x_2_1) * double_value(y_2_0)),
  z_0))

goal mul_up_ensures_default_po_12:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_101":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and (not no_overflow_double(down,
     (-double_value(y_2_0)))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_102":
  ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_103":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (not no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_104":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (not no_overflow_double(down,
      (double_value(x_2_1) * double_value(a_0))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_105":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      (double_sign(y_2_0) = Positive)))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_106":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and (not no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_107":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and
       (no_overflow_double(down,
        (double_value(x_2_1) * double_value(a_0))) and
        (not no_overflow_double(down, (-double_value(b))))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_108":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and
       (no_overflow_double(down,
        (double_value(x_2_1) * double_value(a_0))) and
        no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  (double_is_finite(x_2_1) and
   (double_is_finite(y_2_0) and
    (no_overflow_double(down, (-double_value(y_2_0))) and
     (no_overflow_double(down, (double_value(x_2_1) * double_value(a_0))) and
      (no_overflow_double(down, (-double_value(b))) and
       (double_value(x_2_1) > 0.0)))))) ->
  ("JC_109": double_is_finite(z_0))

goal mul_up_ensures_default_po_13:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_101":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and (not no_overflow_double(down,
     (-double_value(y_2_0)))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_102":
  ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_103":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (not no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_104":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (not no_overflow_double(down,
      (double_value(x_2_1) * double_value(a_0))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_105":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      (double_sign(y_2_0) = Positive)))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_106":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and (not no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_107":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and
       (no_overflow_double(down,
        (double_value(x_2_1) * double_value(a_0))) and
        (not no_overflow_double(down, (-double_value(b))))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_108":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and
       (no_overflow_double(down,
        (double_value(x_2_1) * double_value(a_0))) and
        no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  (double_is_finite(x_2_1) and
   (double_is_finite(y_2_0) and
    (no_overflow_double(down, (-double_value(y_2_0))) and
     (no_overflow_double(down, (double_value(x_2_1) * double_value(a_0))) and
      (no_overflow_double(down, (-double_value(b))) and
       (double_value(x_2_1) > 0.0)))))) ->
  ("JC_109": real_le_double((double_value(x_2_1) * double_value(y_2_0)),
  z_0))

goal mul_up_ensures_default_po_14:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_101":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and (not no_overflow_double(down,
     (-double_value(y_2_0)))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_102":
  ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_103":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (not no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_104":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (not no_overflow_double(down,
      (double_value(x_2_1) * double_value(a_0))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_105":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      (double_sign(y_2_0) = Positive)))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_106":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and (not no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_107":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and
       (no_overflow_double(down,
        (double_value(x_2_1) * double_value(a_0))) and
        (not no_overflow_double(down, (-double_value(b))))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_108":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and
       (no_overflow_double(down,
        (double_value(x_2_1) * double_value(a_0))) and
        no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_109":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (no_overflow_double(down, (-double_value(b))) and
        (double_value(x_2_1) > 0.0)))))) ->
   (double_is_finite(z_0) and
    real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0)))) ->
  (double_is_finite(x_2_1) and
   (double_is_finite(y_2_0) and
    (no_overflow_double(down, (-double_value(y_2_0))) and
     (no_overflow_double(down, (double_value(x_2_1) * double_value(a_0))) and
      (no_overflow_double(down, (-double_value(b))) and
       (double_value(x_2_1) < 0.0)))))) ->
  ("JC_110": double_is_finite(z_0))

goal mul_up_ensures_default_po_15:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_101":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and (not no_overflow_double(down,
     (-double_value(y_2_0)))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_102":
  ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_103":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (not no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_104":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (not no_overflow_double(down,
      (double_value(x_2_1) * double_value(a_0))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_105":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      (double_sign(y_2_0) = Positive)))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_106":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and (not no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_107":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and
       (no_overflow_double(down,
        (double_value(x_2_1) * double_value(a_0))) and
        (not no_overflow_double(down, (-double_value(b))))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_108":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and
       (no_overflow_double(down,
        (double_value(x_2_1) * double_value(a_0))) and
        no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_109":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (no_overflow_double(down, (-double_value(b))) and
        (double_value(x_2_1) > 0.0)))))) ->
   (double_is_finite(z_0) and
    real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0)))) ->
  (double_is_finite(x_2_1) and
   (double_is_finite(y_2_0) and
    (no_overflow_double(down, (-double_value(y_2_0))) and
     (no_overflow_double(down, (double_value(x_2_1) * double_value(a_0))) and
      (no_overflow_double(down, (-double_value(b))) and
       (double_value(x_2_1) < 0.0)))))) ->
  ("JC_110": real_le_double((double_value(x_2_1) * double_value(y_2_0)),
  z_0))

goal mul_up_ensures_default_po_16:
  forall x_2_1:double.
  forall y_2_0:double.
  ("JC_73":
  (("JC_67": (not double_is_NaN(x_2_1))) and
   (("JC_68": (not double_is_NaN(y_2_0))) and
    (("JC_69":
     ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
      sam_sign(x_2_1, y_2_0))) and
     (("JC_70":
      ((double_is_infinite(x_2_1) and double_is_finite(y_2_0)) ->
       (double_value(y_2_0) <> 0.0))) and
      (("JC_71":
       ((double_is_infinite(y_2_0) and double_is_finite(x_2_1)) ->
        (double_value(x_2_1) <> 0.0))) and
       ("JC_72":
       ((double_is_finite(x_2_1) and
         (double_is_finite(y_2_0) and
          ((not no_overflow_double(down, (-double_value(y_2_0)))) and
           (double_sign(y_2_0) = Positive)))) ->
        (double_value(x_2_1) > 0.0))))))))) ->
  forall result:double.
  ((double_is_NaN(y_2_0) -> double_is_NaN(result)) and
   ((double_is_infinite(y_2_0) -> double_is_infinite(result)) and
    ((double_is_finite(y_2_0) ->
      (double_is_finite(result) and
       (double_value(result) = (-double_value(y_2_0))))) and
     (double_diff_sign(result, y_2_0) and
      ((double_exact(result) = (-double_exact(y_2_0))) and
       (double_model(result) = (-double_model(y_2_0)))))))) ->
  forall a_0:double.
  (a_0 = result) ->
  forall result0:double.
  (((double_is_NaN(x_2_1) or double_is_NaN(a_0)) -> double_is_NaN(result0)) and
   (((double_is_gen_zero(x_2_1) and double_is_infinite(a_0)) ->
     double_is_NaN(result0)) and
    (((double_is_finite(x_2_1) and
       (double_is_infinite(a_0) and (double_value(x_2_1) <> 0.0))) ->
      double_is_infinite(result0)) and
     (((double_is_infinite(x_2_1) and double_is_gen_zero(a_0)) ->
       double_is_NaN(result0)) and
      (((double_is_infinite(x_2_1) and
         (double_is_finite(a_0) and (double_value(a_0) <> 0.0))) ->
        double_is_infinite(result0)) and
       (((double_is_infinite(x_2_1) and double_is_infinite(a_0)) ->
         double_is_infinite(result0)) and
        (((double_is_finite(x_2_1) and
           (double_is_finite(a_0) and no_overflow_double(down,
            (double_value(x_2_1) * double_value(a_0))))) ->
          (double_is_finite(result0) and
           (double_value(result0) = round_double(down,
           (double_value(x_2_1) * double_value(a_0)))))) and
         (((double_is_finite(x_2_1) and
            (double_is_finite(a_0) and (not no_overflow_double(down,
             (double_value(x_2_1) * double_value(a_0)))))) ->
           double_overflow_value(down, result0)) and
          (double_product_sign(result0, x_2_1, a_0) and
           ((double_exact(result0) = (double_exact(x_2_1) * double_exact(a_0))) and
            (double_model(result0) = (double_model(x_2_1) * double_model(a_0))))))))))))) ->
  forall b:double.
  (b = result0) ->
  forall result1:double.
  ((double_is_NaN(b) -> double_is_NaN(result1)) and
   ((double_is_infinite(b) -> double_is_infinite(result1)) and
    ((double_is_finite(b) ->
      (double_is_finite(result1) and
       (double_value(result1) = (-double_value(b))))) and
     (double_diff_sign(result1, b) and
      ((double_exact(result1) = (-double_exact(b))) and
       (double_model(result1) = (-double_model(b)))))))) ->
  forall z_0:double.
  (z_0 = result1) ->
  ("JC_98":
  ((double_is_infinite(x_2_1) or double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_99":
  ((double_is_finite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_100":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and no_overflow_double(down,
     (-double_value(y_2_0))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_101":
  ((double_is_infinite(x_2_1) and
    (double_is_finite(y_2_0) and (not no_overflow_double(down,
     (-double_value(y_2_0)))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_102":
  ((double_is_infinite(x_2_1) and double_is_infinite(y_2_0)) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_103":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (not no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_104":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (not no_overflow_double(down,
      (double_value(x_2_1) * double_value(a_0))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_105":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      (double_sign(y_2_0) = Positive)))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_106":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and (not no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_107":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and
       (no_overflow_double(down,
        (double_value(x_2_1) * double_value(a_0))) and
        (not no_overflow_double(down, (-double_value(b))))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_108":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     ((not no_overflow_double(down, (-double_value(y_2_0)))) and
      ((double_sign(y_2_0) = Negative) and
       (no_overflow_double(down,
        (double_value(x_2_1) * double_value(a_0))) and
        no_overflow_double(down, (-double_value(b)))))))) ->
   real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0))) ->
  ("JC_109":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (no_overflow_double(down, (-double_value(b))) and
        (double_value(x_2_1) > 0.0)))))) ->
   (double_is_finite(z_0) and
    real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0)))) ->
  ("JC_110":
  ((double_is_finite(x_2_1) and
    (double_is_finite(y_2_0) and
     (no_overflow_double(down, (-double_value(y_2_0))) and
      (no_overflow_double(down,
       (double_value(x_2_1) * double_value(a_0))) and
       (no_overflow_double(down, (-double_value(b))) and
        (double_value(x_2_1) < 0.0)))))) ->
   (double_is_finite(z_0) and
    real_le_double((double_value(x_2_1) * double_value(y_2_0)), z_0)))) ->
  forall return:double.
  (return = z_0) ->
  ("JC_75": real_le_double((double_value(x_2_1) * double_value(y_2_0)),
  return))

why-2.34/tests/c/oracle/array_max.res.oracle0000644000175000017500000035434412311670312017425 0ustar  rtusers========== file tests/c/array_max.c ==========
/*
COST Verification Competition. vladimir@cost-ic0701.org

Challenge 1: Maximum in an array

Given: A non-empty integer array a.

Verify that the index returned by the method max() given below points to
an element maximal in the array.

*/

/*@ requires len > 0 && \valid_range(a,0,len-1);
  @ ensures 0 <= \result < len &&
  @   \forall integer i; 0 <= i < len ==> a[i] <= a[\result];
  @*/
int max(int *a, int len) {
  int x = 0;
  int y = len-1;
  /*@ loop invariant 0 <= x <= y < len &&
    @      \forall integer i;
    @         0 <= i < x || y < i < len ==>
    @         a[i] <= \max(a[x],a[y]);
    @ loop variant y - x;
    @*/
  while (x != y) {
    if (a[x] <= a[y]) x++;
    else y--;
  }
  return x;
}

/*
Local Variables:
compile-command: "make array_max.why3ide"
End:
*/

========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/array_max.c"
tests/c/array_max.c:13:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/array_max.jessie
[jessie] File tests/c/array_max.jessie/array_max.jc written.
[jessie] File tests/c/array_max.jessie/array_max.cloc written.
========== file tests/c/array_max.jessie/array_max.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

int32 max(intP[..] a, int32 len)
  requires (_C_28 : ((_C_29 : (len > 0)) &&
                      ((_C_31 : (\offset_min(a) <= 0)) &&
                        (_C_32 : (\offset_max(a) >= (len - 1))))));
behavior default:
  ensures (_C_23 : (((_C_25 : (0 <= \result)) &&
                      (_C_26 : (\result < \at(len,Old)))) &&
                     (_C_27 : (\forall integer i_2;
                                (((0 <= i_2) && (i_2 < \at(len,Old))) ==>
                                  ((\at(a,Old) + i_2).intM <=
                                    (\at(a,Old) + \result).intM))))));
{  
   (var int32 x);
   
   (var int32 y);
   
   {  (_C_1 : (x = 0));
      (_C_4 : (y = (_C_3 : ((_C_2 : (len - 1)) :> int32))));
      
      loop 
      behavior default:
        invariant (_C_6 : (((_C_8 : (0 <= x)) &&
                             ((_C_10 : (x <= y)) && (_C_11 : (y < len)))) &&
                            (_C_12 : (\forall integer i_1;
                                       ((((0 <= i_1) && (i_1 < x)) ||
                                          ((y < i_1) && (i_1 < len))) ==>
                                         ((a + i_1).intM <=
                                           \integer_max((a + x).intM,
                                                        (a + y).intM)))))));
      variant (_C_5 : (y - x));
      while (true)
      {  
         {  (if (x != y) then () else 
            (goto while_0_break));
            
            {  (if ((_C_22 : (_C_21 : (a + x)).intM) <=
                     (_C_20 : (_C_19 : (a + y)).intM)) then (_C_18 : (x = 
                                                            (_C_17 : (
                                                            (_C_16 : 
                                                            (x + 1)) :> int32)))) else 
               (_C_15 : (y = (_C_14 : ((_C_13 : (y - 1)) :> int32)))))
            }
         }
      };
      (while_0_break : ());
      
      (return x)
   }
}
========== file tests/c/array_max.jessie/array_max.cloc ==========
[_C_28]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 13
end = 47

[_C_31]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 24
end = 47

[max]
name = "Function max"
file = "HOME/tests/c/array_max.c"
line = 17
begin = 4
end = 7

[_C_4]
file = "HOME/tests/c/array_max.c"
line = 19
begin = 2
end = 5

[_C_32]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 24
end = 47

[_C_23]
file = "HOME/tests/c/array_max.c"
line = 14
begin = 12
end = 94

[_C_19]
file = "HOME/tests/c/array_max.c"
line = 27
begin = 16
end = 17

[_C_13]
file = "HOME/tests/c/array_max.c"
line = 28
begin = 9
end = 12

[_C_5]
file = "HOME/tests/c/array_max.c"
line = 24
begin = 19
end = 24

[_C_12]
file = "HOME/tests/c/array_max.c"
line = 21
begin = 11
end = 111

[_C_22]
file = "HOME/tests/c/array_max.c"
line = 27
begin = 8
end = 12

[_C_9]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 26
end = 38

[_C_30]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 24
end = 47

[_C_6]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 21
end = 153

[_C_24]
file = "HOME/tests/c/array_max.c"
line = 14
begin = 12
end = 30

[_C_20]
file = "HOME/tests/c/array_max.c"
line = 27
begin = 16
end = 20

[_C_3]
file = "HOME/tests/c/array_max.c"
line = 19
begin = 10
end = 15

[_C_17]
file = "HOME/tests/c/array_max.c"
line = 27
begin = 22
end = 25

[_C_7]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 21
end = 38

[_C_27]
file = "HOME/tests/c/array_max.c"
line = 15
begin = 6
end = 60

[_C_15]
file = "HOME/tests/c/array_max.c"
line = 28
begin = 9
end = 12

[_C_26]
file = "HOME/tests/c/array_max.c"
line = 14
begin = 17
end = 30

[_C_10]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 26
end = 32

[_C_8]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 21
end = 27

[_C_18]
file = "HOME/tests/c/array_max.c"
line = 27
begin = 22
end = 25

[_C_29]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 13
end = 20

[_C_14]
file = "HOME/tests/c/array_max.c"
line = 28
begin = 9
end = 12

[_C_2]
file = "HOME/tests/c/array_max.c"
line = 19
begin = 10
end = 15

[_C_16]
file = "HOME/tests/c/array_max.c"
line = 27
begin = 22
end = 25

[_C_1]
file = "HOME/tests/c/array_max.c"
line = 18
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/array_max.c"
line = 14
begin = 12
end = 24

[_C_11]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 31
end = 38

[_C_21]
file = "HOME/tests/c/array_max.c"
line = 27
begin = 8
end = 9

========== jessie execution ==========
Generating Why function max
========== file tests/c/array_max.jessie/array_max.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs array_max.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs array_max.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/array_max_why.sx

project: why/array_max.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/array_max_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/array_max_why.vo

coq/array_max_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/array_max_why.v: why/array_max.why
	@echo 'why -coq [...] why/array_max.why' && $(WHY) $(JESSIELIBFILES) why/array_max.why && rm -f coq/jessie_why.v

coq-goals: goals coq/array_max_ctx_why.vo
	for f in why/*_po*.why; do make -f array_max.makefile coq/`basename $$f .why`_why.v ; done

coq/array_max_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/array_max_ctx_why.v: why/array_max_ctx.why
	@echo 'why -coq [...] why/array_max_ctx.why' && $(WHY) why/array_max_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export array_max_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/array_max_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/array_max_ctx_why.vo

pvs: pvs/array_max_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/array_max_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/array_max_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/array_max_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/array_max_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/array_max_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/array_max_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/array_max_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/array_max_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/array_max_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/array_max_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/array_max_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/array_max_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/array_max_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/array_max_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: array_max.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/array_max_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: array_max.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: array_max.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: array_max.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include array_max.depend

depend: coq/array_max_why.v
	-$(COQDEP) -I coq coq/array_max*_why.v > array_max.depend

clean:
	rm -f coq/*.vo

========== file tests/c/array_max.jessie/array_max.loc ==========
[JC_31]
kind = PointerDeref
file = "HOME/tests/c/array_max.c"
line = 27
begin = 16
end = 20

[JC_17]
file = "HOME/tests/c/array_max.c"
line = 15
begin = 6
end = 60

[JC_23]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 26
end = 32

[JC_22]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 21
end = 27

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 13
end = 47

[JC_24]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 31
end = 38

[JC_25]
file = "HOME/tests/c/array_max.c"
line = 21
begin = 11
end = 111

[JC_41]
file = "HOME/tests/c/array_max.jessie/array_max.jc"
line = 61
begin = 6
end = 1183

[JC_26]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 21
end = 153

[JC_8]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 24
end = 47

[JC_13]
file = "HOME/tests/c/array_max.c"
line = 15
begin = 6
end = 60

[JC_11]
file = "HOME/tests/c/array_max.c"
line = 14
begin = 12
end = 24

[JC_15]
file = "HOME/tests/c/array_max.c"
line = 14
begin = 12
end = 24

[JC_36]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 26
end = 32

[JC_39]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 21
end = 153

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 21
end = 27

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/c/array_max.c"
line = 21
begin = 11
end = 111

[JC_12]
file = "HOME/tests/c/array_max.c"
line = 14
begin = 17
end = 30

[JC_6]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 13
end = 20

[JC_4]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 13
end = 47

[JC_42]
file = "HOME/tests/c/array_max.jessie/array_max.jc"
line = 61
begin = 6
end = 1183

[max_safety]
name = "Function max"
behavior = "Safety"
file = "HOME/tests/c/array_max.c"
line = 17
begin = 4
end = 7

[JC_32]
kind = ArithOverflow
file = "HOME/tests/c/array_max.c"
line = 27
begin = 22
end = 25

[JC_33]
kind = ArithOverflow
file = "HOME/tests/c/array_max.c"
line = 28
begin = 9
end = 12

[JC_29]
file = "HOME/tests/c/array_max.jessie/array_max.jc"
line = 61
begin = 6
end = 1183

[JC_7]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 24
end = 47

[JC_16]
file = "HOME/tests/c/array_max.c"
line = 14
begin = 17
end = 30

[JC_2]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 24
end = 47

[JC_34]
file = "HOME/tests/c/array_max.c"
line = 24
begin = 19
end = 24

[JC_14]
file = "HOME/tests/c/array_max.c"
line = 14
begin = 12
end = 94

[JC_21]
kind = ArithOverflow
file = "HOME/tests/c/array_max.c"
line = 19
begin = 10
end = 15

[JC_1]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 13
end = 20

[JC_37]
file = "HOME/tests/c/array_max.c"
line = 20
begin = 31
end = 38

[max_ensures_default]
name = "Function max"
behavior = "default behavior"
file = "HOME/tests/c/array_max.c"
line = 17
begin = 4
end = 7

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/array_max.c"
line = 14
begin = 12
end = 94

[JC_3]
file = "HOME/tests/c/array_max.c"
line = 13
begin = 24
end = 47

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
kind = PointerDeref
file = "HOME/tests/c/array_max.c"
line = 27
begin = 8
end = 12

[JC_28]
file = "HOME/tests/c/array_max.jessie/array_max.jc"
line = 61
begin = 6
end = 1183

========== file tests/c/array_max.jessie/why/array_max.why ==========
type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter max :
 a:intP pointer ->
  len:int32 ->
   intP_a_1_alloc_table:intP alloc_table ->
    intP_intM_a_1:(intP, int32) memory ->
     { } int32
     { (JC_18:
       ((JC_15: le_int((0), integer_of_int32(result)))
       and ((JC_16: lt_int(integer_of_int32(result), integer_of_int32(len)))
           and (JC_17:
               (forall i_2:int.
                ((le_int((0), i_2) and lt_int(i_2, integer_of_int32(len))) ->
                 le_int(integer_of_int32(select(intP_intM_a_1, shift(a, i_2))),
                 integer_of_int32(select(intP_intM_a_1,
                                  shift(a, integer_of_int32(result))))))))))) }

parameter max_requires :
 a:intP pointer ->
  len:int32 ->
   intP_a_1_alloc_table:intP alloc_table ->
    intP_intM_a_1:(intP, int32) memory ->
     { (JC_4:
       ((JC_1: gt_int(integer_of_int32(len), (0)))
       and ((JC_2: le_int(offset_min(intP_a_1_alloc_table, a), (0)))
           and (JC_3:
               ge_int(offset_max(intP_a_1_alloc_table, a),
               sub_int(integer_of_int32(len), (1)))))))}
     int32
     { (JC_18:
       ((JC_15: le_int((0), integer_of_int32(result)))
       and ((JC_16: lt_int(integer_of_int32(result), integer_of_int32(len)))
           and (JC_17:
               (forall i_2:int.
                ((le_int((0), i_2) and lt_int(i_2, integer_of_int32(len))) ->
                 le_int(integer_of_int32(select(intP_intM_a_1, shift(a, i_2))),
                 integer_of_int32(select(intP_intM_a_1,
                                  shift(a, integer_of_int32(result))))))))))) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let max_ensures_default =
 fun (a : intP pointer) (len : int32) (intP_a_1_alloc_table : intP alloc_table) (intP_intM_a_1 : (intP, int32) memory) ->
  { (JC_9:
    ((JC_6: gt_int(integer_of_int32(len), (0)))
    and ((JC_7: le_int(offset_min(intP_a_1_alloc_table, a), (0)))
        and (JC_8:
            ge_int(offset_max(intP_a_1_alloc_table, a),
            sub_int(integer_of_int32(len), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let x_0 = ref (any_int32 void) in
     (let y = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (x_0 := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ =
       (y := (safe_int32_of_integer_ ((sub_int (integer_of_int32 len)) (1)))) in
       void);
       (loop_2:
       begin
         while true do
         { invariant
             (JC_39:
             ((JC_35: le_int((0), integer_of_int32(x_0)))
             and ((JC_36: le_int(integer_of_int32(x_0), integer_of_int32(y)))
                 and ((JC_37:
                      lt_int(integer_of_int32(y), integer_of_int32(len)))
                     and (JC_38:
                         (forall i_1:int.
                          (((le_int((0), i_1)
                            and lt_int(i_1, integer_of_int32(x_0)))
                           or (lt_int(integer_of_int32(y), i_1)
                              and lt_int(i_1, integer_of_int32(len)))) ->
                           le_int(integer_of_int32(select(intP_intM_a_1,
                                                   shift(a, i_1))),
                           int_max(integer_of_int32(select(intP_intM_a_1,
                                                    shift(a,
                                                    integer_of_int32(x_0)))),
                           integer_of_int32(select(intP_intM_a_1,
                                            shift(a, integer_of_int32(y)))))))))))))
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((neq_int_ (integer_of_int32 !x_0)) (integer_of_int32 !y))
                then void else (raise (Goto_while_0_break_exc void)));
               (if ((le_int_ (integer_of_int32 ((safe_acc_ intP_intM_a_1) 
                                                ((shift a) (integer_of_int32 !x_0))))) 
                    (integer_of_int32 ((safe_acc_ intP_intM_a_1) ((shift a) 
                                                                  (integer_of_int32 !y)))))
               then
                begin
                  (x_0 := (safe_int32_of_integer_ ((add_int (integer_of_int32 !x_0)) (1))));
                 !x_0 end
               else
                begin
                  (y := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !y)) (1))));
                 !y end) end in void); (raise (Loop_continue_exc void)) end
            with Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !x_0); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_14:
    ((JC_11: le_int((0), integer_of_int32(result)))
    and ((JC_12: lt_int(integer_of_int32(result), integer_of_int32(len)))
        and (JC_13:
            (forall i_2:int.
             ((le_int((0), i_2) and lt_int(i_2, integer_of_int32(len))) ->
              le_int(integer_of_int32(select(intP_intM_a_1, shift(a, i_2))),
              integer_of_int32(select(intP_intM_a_1,
                               shift(a, integer_of_int32(result))))))))))) }

let max_safety =
 fun (a : intP pointer) (len : int32) (intP_a_1_alloc_table : intP alloc_table) (intP_intM_a_1 : (intP, int32) memory) ->
  { (JC_9:
    ((JC_6: gt_int(integer_of_int32(len), (0)))
    and ((JC_7: le_int(offset_min(intP_a_1_alloc_table, a), (0)))
        and (JC_8:
            ge_int(offset_max(intP_a_1_alloc_table, a),
            sub_int(integer_of_int32(len), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let x_0 = ref (any_int32 void) in
     (let y = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (x_0 := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ =
       (y := (JC_21:
             (int32_of_integer_ ((sub_int (integer_of_int32 len)) (1))))) in
       void);
       (loop_1:
       begin
         while true do
         { invariant (JC_28: true)
           variant (JC_34 : sub_int(integer_of_int32(y),
                            integer_of_int32(x_0))) }
          begin
            [ { } unit reads x_0,y
              { (JC_26:
                ((JC_22: le_int((0), integer_of_int32(x_0)))
                and ((JC_23:
                     le_int(integer_of_int32(x_0), integer_of_int32(y)))
                    and ((JC_24:
                         lt_int(integer_of_int32(y), integer_of_int32(len)))
                        and (JC_25:
                            (forall i_1:int.
                             (((le_int((0), i_1)
                               and lt_int(i_1, integer_of_int32(x_0)))
                              or (lt_int(integer_of_int32(y), i_1)
                                 and lt_int(i_1, integer_of_int32(len)))) ->
                              le_int(integer_of_int32(select(intP_intM_a_1,
                                                      shift(a, i_1))),
                              int_max(integer_of_int32(select(intP_intM_a_1,
                                                       shift(a,
                                                       integer_of_int32(x_0)))),
                              integer_of_int32(select(intP_intM_a_1,
                                               shift(a, integer_of_int32(y))))))))))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((neq_int_ (integer_of_int32 !x_0)) (integer_of_int32 !y))
                then void else (raise (Goto_while_0_break_exc void)));
               (if ((le_int_ (integer_of_int32 (JC_30:
                                               ((((offset_acc_ intP_a_1_alloc_table) intP_intM_a_1) a) 
                                                (integer_of_int32 !x_0))))) 
                    (integer_of_int32 (JC_31:
                                      ((((offset_acc_ intP_a_1_alloc_table) intP_intM_a_1) a) 
                                       (integer_of_int32 !y)))))
               then
                begin
                  (x_0 := (JC_32:
                          (int32_of_integer_ ((add_int (integer_of_int32 !x_0)) (1)))));
                 !x_0 end
               else
                begin
                  (y := (JC_33:
                        (int32_of_integer_ ((sub_int (integer_of_int32 !y)) (1)))));
                 !y end) end in void); (raise (Loop_continue_exc void)) end
            with Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !x_0); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/array_max.why
========== file tests/c/array_max.jessie/why/array_max_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

logic intP_tag : intP tag_id

axiom intP_int: (int_of_tag(intP_tag) = 1)

logic intP_of_pointer_address : unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr:
  (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom: parenttag(intP_tag, bottom_tag)

axiom intP_tags:
  (forall x:intP pointer.
    (forall intP_tag_table:intP tag_table. instanceof(intP_tag_table, x,
      intP_tag)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_intP(p: intP pointer, a: int,
  intP_alloc_table: intP alloc_table) = (offset_min(intP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_intP(p: intP pointer, b: int,
  intP_alloc_table: intP alloc_table) = (offset_max(intP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal max_ensures_default_po_1:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  ("JC_39": ("JC_35": (0 <= integer_of_int32(x_0))))

goal max_ensures_default_po_2:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  ("JC_39": ("JC_36": (integer_of_int32(x_0) <= integer_of_int32(y))))

goal max_ensures_default_po_3:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  ("JC_39": ("JC_37": (integer_of_int32(y) < integer_of_int32(len))))

goal max_ensures_default_po_4:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall i_1:int.
  (((0 <= i_1) and (i_1 < integer_of_int32(x_0))) or
   ((integer_of_int32(y) < i_1) and (i_1 < integer_of_int32(len)))) ->
  ("JC_39":
  ("JC_38": (integer_of_int32(select(intP_intM_a_1, shift(a,
  i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
  integer_of_int32(x_0)))), integer_of_int32(select(intP_intM_a_1, shift(a,
  integer_of_int32(y))))))))

goal max_ensures_default_po_5:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_39":
  (("JC_35": (0 <= integer_of_int32(x_0_0))) and
   (("JC_36": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_37": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_38":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) <= integer_of_int32(result2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(x_0_0) + 1)) ->
  forall x_0_1:int32.
  (x_0_1 = result3) ->
  ("JC_39": ("JC_35": (0 <= integer_of_int32(x_0_1))))

goal max_ensures_default_po_6:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_39":
  (("JC_35": (0 <= integer_of_int32(x_0_0))) and
   (("JC_36": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_37": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_38":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) <= integer_of_int32(result2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(x_0_0) + 1)) ->
  forall x_0_1:int32.
  (x_0_1 = result3) ->
  ("JC_39": ("JC_36": (integer_of_int32(x_0_1) <= integer_of_int32(y0))))

goal max_ensures_default_po_7:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_39":
  (("JC_35": (0 <= integer_of_int32(x_0_0))) and
   (("JC_36": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_37": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_38":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) <= integer_of_int32(result2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(x_0_0) + 1)) ->
  forall x_0_1:int32.
  (x_0_1 = result3) ->
  ("JC_39": ("JC_37": (integer_of_int32(y0) < integer_of_int32(len))))

goal max_ensures_default_po_8:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_39":
  (("JC_35": (0 <= integer_of_int32(x_0_0))) and
   (("JC_36": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_37": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_38":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) <= integer_of_int32(result2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(x_0_0) + 1)) ->
  forall x_0_1:int32.
  (x_0_1 = result3) ->
  forall i_1:int.
  (((0 <= i_1) and (i_1 < integer_of_int32(x_0_1))) or
   ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
  ("JC_39":
  ("JC_38": (integer_of_int32(select(intP_intM_a_1, shift(a,
  i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
  integer_of_int32(x_0_1)))), integer_of_int32(select(intP_intM_a_1, shift(a,
  integer_of_int32(y0))))))))

goal max_ensures_default_po_9:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_39":
  (("JC_35": (0 <= integer_of_int32(x_0_0))) and
   (("JC_36": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_37": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_38":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) > integer_of_int32(result2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(y0) - 1)) ->
  forall y1:int32.
  (y1 = result3) ->
  ("JC_39": ("JC_36": (integer_of_int32(x_0_0) <= integer_of_int32(y1))))

goal max_ensures_default_po_10:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_39":
  (("JC_35": (0 <= integer_of_int32(x_0_0))) and
   (("JC_36": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_37": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_38":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) > integer_of_int32(result2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(y0) - 1)) ->
  forall y1:int32.
  (y1 = result3) ->
  ("JC_39": ("JC_37": (integer_of_int32(y1) < integer_of_int32(len))))

goal max_ensures_default_po_11:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_39":
  (("JC_35": (0 <= integer_of_int32(x_0_0))) and
   (("JC_36": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_37": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_38":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) > integer_of_int32(result2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(y0) - 1)) ->
  forall y1:int32.
  (y1 = result3) ->
  forall i_1:int.
  (((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
   ((integer_of_int32(y1) < i_1) and (i_1 < integer_of_int32(len)))) ->
  ("JC_39":
  ("JC_38": (integer_of_int32(select(intP_intM_a_1, shift(a,
  i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
  integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1, shift(a,
  integer_of_int32(y1))))))))

goal max_ensures_default_po_12:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_39":
  (("JC_35": (0 <= integer_of_int32(x_0_0))) and
   (("JC_36": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_37": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_38":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) = integer_of_int32(y0)) ->
  forall return:int32.
  (return = x_0_0) ->
  ("JC_14": ("JC_11": (0 <= integer_of_int32(return))))

goal max_ensures_default_po_13:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_39":
  (("JC_35": (0 <= integer_of_int32(x_0_0))) and
   (("JC_36": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_37": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_38":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) = integer_of_int32(y0)) ->
  forall return:int32.
  (return = x_0_0) ->
  ("JC_14": ("JC_12": (integer_of_int32(return) < integer_of_int32(len))))

goal max_ensures_default_po_14:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_39":
  (("JC_35": (0 <= integer_of_int32(x_0_0))) and
   (("JC_36": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_37": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_38":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) = integer_of_int32(y0)) ->
  forall return:int32.
  (return = x_0_0) ->
  forall i_2:int.
  ((0 <= i_2) and (i_2 < integer_of_int32(len))) ->
  ("JC_14":
  ("JC_13": (integer_of_int32(select(intP_intM_a_1, shift(a,
  i_2))) <= integer_of_int32(select(intP_intM_a_1, shift(a,
  integer_of_int32(return)))))))

goal max_safety_po_1:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  ((-2147483648) <= (integer_of_int32(len) - 1))

goal max_safety_po_2:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  ((integer_of_int32(len) - 1) <= 2147483647)

goal max_safety_po_3:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  (((-2147483648) <= (integer_of_int32(len) - 1)) and
   ((integer_of_int32(len) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_22": (0 <= integer_of_int32(x_0_0))) and
   (("JC_23": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_24": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_25":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  (offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(x_0_0))

goal max_safety_po_4:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  (((-2147483648) <= (integer_of_int32(len) - 1)) and
   ((integer_of_int32(len) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_22": (0 <= integer_of_int32(x_0_0))) and
   (("JC_23": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_24": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_25":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  (integer_of_int32(x_0_0) <= offset_max(intP_a_1_alloc_table, a))

goal max_safety_po_5:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  (((-2147483648) <= (integer_of_int32(len) - 1)) and
   ((integer_of_int32(len) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_22": (0 <= integer_of_int32(x_0_0))) and
   (("JC_23": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_24": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_25":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(x_0_0)) and
   (integer_of_int32(x_0_0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  (offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(y0))

goal max_safety_po_6:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  (((-2147483648) <= (integer_of_int32(len) - 1)) and
   ((integer_of_int32(len) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_22": (0 <= integer_of_int32(x_0_0))) and
   (("JC_23": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_24": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_25":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(x_0_0)) and
   (integer_of_int32(x_0_0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  (integer_of_int32(y0) <= offset_max(intP_a_1_alloc_table, a))

goal max_safety_po_7:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  (((-2147483648) <= (integer_of_int32(len) - 1)) and
   ((integer_of_int32(len) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_22": (0 <= integer_of_int32(x_0_0))) and
   (("JC_23": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_24": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_25":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(x_0_0)) and
   (integer_of_int32(x_0_0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(y0)) and
   (integer_of_int32(y0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) <= integer_of_int32(result2)) ->
  ((-2147483648) <= (integer_of_int32(x_0_0) + 1))

goal max_safety_po_8:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  (((-2147483648) <= (integer_of_int32(len) - 1)) and
   ((integer_of_int32(len) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_22": (0 <= integer_of_int32(x_0_0))) and
   (("JC_23": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_24": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_25":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(x_0_0)) and
   (integer_of_int32(x_0_0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(y0)) and
   (integer_of_int32(y0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) <= integer_of_int32(result2)) ->
  ((integer_of_int32(x_0_0) + 1) <= 2147483647)

goal max_safety_po_9:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  (((-2147483648) <= (integer_of_int32(len) - 1)) and
   ((integer_of_int32(len) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_22": (0 <= integer_of_int32(x_0_0))) and
   (("JC_23": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_24": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_25":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(x_0_0)) and
   (integer_of_int32(x_0_0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(y0)) and
   (integer_of_int32(y0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) <= integer_of_int32(result2)) ->
  (((-2147483648) <= (integer_of_int32(x_0_0) + 1)) and
   ((integer_of_int32(x_0_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(x_0_0) + 1)) ->
  forall x_0_1:int32.
  (x_0_1 = result3) ->
  (0 <= ("JC_34": (integer_of_int32(y0) - integer_of_int32(x_0_0))))

goal max_safety_po_10:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  (((-2147483648) <= (integer_of_int32(len) - 1)) and
   ((integer_of_int32(len) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_22": (0 <= integer_of_int32(x_0_0))) and
   (("JC_23": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_24": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_25":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(x_0_0)) and
   (integer_of_int32(x_0_0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(y0)) and
   (integer_of_int32(y0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) <= integer_of_int32(result2)) ->
  (((-2147483648) <= (integer_of_int32(x_0_0) + 1)) and
   ((integer_of_int32(x_0_0) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(x_0_0) + 1)) ->
  forall x_0_1:int32.
  (x_0_1 = result3) ->
  (("JC_34": (integer_of_int32(y0) - integer_of_int32(x_0_1))) < ("JC_34":
                                                                 (integer_of_int32(y0) - integer_of_int32(x_0_0))))

goal max_safety_po_11:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  (((-2147483648) <= (integer_of_int32(len) - 1)) and
   ((integer_of_int32(len) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_22": (0 <= integer_of_int32(x_0_0))) and
   (("JC_23": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_24": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_25":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(x_0_0)) and
   (integer_of_int32(x_0_0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(y0)) and
   (integer_of_int32(y0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) > integer_of_int32(result2)) ->
  ((-2147483648) <= (integer_of_int32(y0) - 1))

goal max_safety_po_12:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  (((-2147483648) <= (integer_of_int32(len) - 1)) and
   ((integer_of_int32(len) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_22": (0 <= integer_of_int32(x_0_0))) and
   (("JC_23": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_24": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_25":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(x_0_0)) and
   (integer_of_int32(x_0_0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(y0)) and
   (integer_of_int32(y0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) > integer_of_int32(result2)) ->
  ((integer_of_int32(y0) - 1) <= 2147483647)

goal max_safety_po_13:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  (((-2147483648) <= (integer_of_int32(len) - 1)) and
   ((integer_of_int32(len) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_22": (0 <= integer_of_int32(x_0_0))) and
   (("JC_23": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_24": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_25":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(x_0_0)) and
   (integer_of_int32(x_0_0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(y0)) and
   (integer_of_int32(y0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) > integer_of_int32(result2)) ->
  (((-2147483648) <= (integer_of_int32(y0) - 1)) and
   ((integer_of_int32(y0) - 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(y0) - 1)) ->
  forall y1:int32.
  (y1 = result3) ->
  (0 <= ("JC_34": (integer_of_int32(y0) - integer_of_int32(x_0_0))))

goal max_safety_po_14:
  forall a:intP pointer.
  forall len:int32.
  forall intP_a_1_alloc_table:intP alloc_table.
  forall intP_intM_a_1:(intP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(len) > 0)) and
   (("JC_7": (offset_min(intP_a_1_alloc_table, a) <= 0)) and
    ("JC_8": (offset_max(intP_a_1_alloc_table,
    a) >= (integer_of_int32(len) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall x_0:int32.
  (x_0 = result) ->
  (((-2147483648) <= (integer_of_int32(len) - 1)) and
   ((integer_of_int32(len) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(len) - 1)) ->
  forall y:int32.
  (y = result0) ->
  forall x_0_0:int32.
  forall y0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_22": (0 <= integer_of_int32(x_0_0))) and
   (("JC_23": (integer_of_int32(x_0_0) <= integer_of_int32(y0))) and
    (("JC_24": (integer_of_int32(y0) < integer_of_int32(len))) and
     ("JC_25":
     (forall i_1:int.
       ((((0 <= i_1) and (i_1 < integer_of_int32(x_0_0))) or
         ((integer_of_int32(y0) < i_1) and (i_1 < integer_of_int32(len)))) ->
        (integer_of_int32(select(intP_intM_a_1, shift(a,
        i_1))) <= int_max(integer_of_int32(select(intP_intM_a_1, shift(a,
        integer_of_int32(x_0_0)))), integer_of_int32(select(intP_intM_a_1,
        shift(a, integer_of_int32(y0))))))))))))) ->
  (integer_of_int32(x_0_0) <> integer_of_int32(y0)) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(x_0_0)) and
   (integer_of_int32(x_0_0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result1:int32.
  (result1 = select(intP_intM_a_1, shift(a, integer_of_int32(x_0_0)))) ->
  ((offset_min(intP_a_1_alloc_table, a) <= integer_of_int32(y0)) and
   (integer_of_int32(y0) <= offset_max(intP_a_1_alloc_table, a))) ->
  forall result2:int32.
  (result2 = select(intP_intM_a_1, shift(a, integer_of_int32(y0)))) ->
  (integer_of_int32(result1) > integer_of_int32(result2)) ->
  (((-2147483648) <= (integer_of_int32(y0) - 1)) and
   ((integer_of_int32(y0) - 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(y0) - 1)) ->
  forall y1:int32.
  (y1 = result3) ->
  (("JC_34": (integer_of_int32(y1) - integer_of_int32(x_0_0))) < ("JC_34":
                                                                 (integer_of_int32(y0) - integer_of_int32(x_0_0))))

why-2.34/tests/c/oracle/binary_heap.res.oracle0000644000175000017500000015236712311670312017724 0ustar  rtusers========== file tests/c/binary_heap.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned int uint;

struct Heap;

typedef struct Heap *heap;

heap create(uint sz);

void insert(heap u, int e);

int extract_min(heap u);


========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/binary_heap.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/binary_heap.jessie
[jessie] File tests/c/binary_heap.jessie/binary_heap.jc written.
[jessie] File tests/c/binary_heap.jessie/binary_heap.cloc written.
========== file tests/c/binary_heap.jessie/binary_heap.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]
========== file tests/c/binary_heap.jessie/binary_heap.cloc ==========
========== jessie execution ==========
========== file tests/c/binary_heap.jessie/binary_heap.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs binary_heap.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs binary_heap.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/binary_heap_why.sx

project: why/binary_heap.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/binary_heap_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/binary_heap_why.vo

coq/binary_heap_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/binary_heap_why.v: why/binary_heap.why
	@echo 'why -coq [...] why/binary_heap.why' && $(WHY) $(JESSIELIBFILES) why/binary_heap.why && rm -f coq/jessie_why.v

coq-goals: goals coq/binary_heap_ctx_why.vo
	for f in why/*_po*.why; do make -f binary_heap.makefile coq/`basename $$f .why`_why.v ; done

coq/binary_heap_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/binary_heap_ctx_why.v: why/binary_heap_ctx.why
	@echo 'why -coq [...] why/binary_heap_ctx.why' && $(WHY) why/binary_heap_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export binary_heap_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/binary_heap_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/binary_heap_ctx_why.vo

pvs: pvs/binary_heap_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/binary_heap_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/binary_heap_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/binary_heap_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/binary_heap_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/binary_heap_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/binary_heap_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/binary_heap_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/binary_heap_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/binary_heap_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/binary_heap_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/binary_heap_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/binary_heap_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/binary_heap_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/binary_heap_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: binary_heap.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/binary_heap_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: binary_heap.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: binary_heap.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: binary_heap.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include binary_heap.depend

depend: coq/binary_heap_why.v
	-$(COQDEP) -I coq coq/binary_heap*_why.v > binary_heap.depend

clean:
	rm -f coq/*.vo

========== file tests/c/binary_heap.jessie/binary_heap.loc ==========
========== file tests/c/binary_heap.jessie/why/binary_heap.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/binary_heap.why
========== file tests/c/binary_heap.jessie/why/binary_heap_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

why-2.34/tests/c/oracle/exp.err.oracle0000644000175000017500000000000012311670312016206 0ustar  rtuserswhy-2.34/tests/c/oracle/heap_sort.res.oracle0000644000175000017500000042030112311670312017411 0ustar  rtusers========== file tests/c/heap_sort.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#include "binary_heap.h"


/*@ requires len >= 0;
  @ requires \valid_range(arr,0,len-1);
  @ // assigns arr[..];
  @ ensures \forall integer i,j; 0 <= i <= j < len ==> arr[i] <= arr[j]; 
  @*/
void heap_sort(int *arr, uint len) {
  uint i;
  heap h = create(len);
  /*@ loop invariant 0 <= i <= len;
    @ loop variant len - i;
    @*/
  for (i = 0; i < len; ++i) insert(h,arr[i]);
  /*@ loop invariant 0 <= i <= len;
    @ loop variant len - i;
    @*/
  for (i = 0; i < len; ++i) arr[i] = extract_min(h);
}



void main() {
  int arr[] = {42, 13, 42};
  heap_sort(arr,3);
  //@ assert arr[0] <= arr[1] && arr[1] <= arr[2];
  //@ assert arr[0] == 13 && arr[1] == 42 && arr[2] == 42;
}

========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/heap_sort.c"
tests/c/heap_sort.c:36:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/heap_sort.jessie
[jessie] File tests/c/heap_sort.jessie/heap_sort.jc written.
[jessie] File tests/c/heap_sort.jessie/heap_sort.cloc written.
========== file tests/c/heap_sort.jessie/heap_sort.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type uint32 = 0..4294967295

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

tag Heap = {
  int32 x: 32;
}

type Heap = [Heap]

Heap[..] create(uint32 sz)
behavior default:
  assigns \nothing;
  ensures (_C_1 : true);
;

unit insert(Heap[..] u_0, int32 e)
behavior default:
  assigns u_0.x;
  ensures (_C_2 : true);
;

int32 extract_min(Heap[..] u)
behavior default:
  assigns \nothing;
  ensures (_C_3 : true);
;

unit heap_sort(intP[..] arr, uint32 len)
  requires (_C_33 : (len >= 0));
  requires (_C_30 : ((_C_31 : (\offset_min(arr) <= 0)) &&
                      (_C_32 : (\offset_max(arr) >= (len - 1)))));
behavior default:
  ensures (_C_29 : (\forall integer i_1;
                     (\forall integer j_0;
                       (((0 <= i_1) &&
                          ((i_1 <= j_0) && (j_0 < \at(len,Old)))) ==>
                         ((\at(arr,Old) + i_1).intM <=
                           (\at(arr,Old) + j_0).intM)))));
{  
   (var uint32 i);
   
   (var Heap[..] h);
   
   {  (_C_5 : (h = (_C_4 : create(len))));
      (_C_6 : (i = 0));
      
      loop 
      behavior default:
        invariant (_C_8 : ((_C_9 : (0 <= i)) && (_C_10 : (i <= len))));
      variant (_C_7 : (len - i));
      while (true)
      {  
         {  (if (i < len) then () else 
            (goto while_0_break));
            (_C_13 : insert(h, (_C_12 : (_C_11 : (arr + i)).intM)));
            (_C_16 : (i = (_C_15 : ((_C_14 : (i + 1)) :> uint32))))
         }
      };
      (while_0_break : ());
      (_C_17 : (i = 0));
      
      loop 
      behavior default:
        invariant (_C_19 : ((_C_20 : (0 <= i)) && (_C_21 : (i <= len))));
      variant (_C_18 : (len - i));
      while (true)
      {  
         {  (if (i < len) then () else 
            (goto while_1_break));
            (_C_25 : ((_C_24 : (_C_23 : (arr + i)).intM) = (_C_22 : extract_min(
                                                           h))));
            (_C_28 : (i = (_C_27 : ((_C_26 : (i + 1)) :> uint32))))
         }
      };
      (while_1_break : ());
      
      (return ())
   }
}

unit main()
behavior default:
  ensures (_C_46 : true);
{  
   (var intP[0..2] arr_0);
   
   {  (_C_35 : (arr_0 = (_C_34 : (new intP[3]))));
      (_C_37 : ((_C_36 : (arr_0 + 0).intM) = 42));
      (_C_39 : ((_C_38 : (arr_0 + 1).intM) = 13));
      (_C_41 : ((_C_40 : (arr_0 + 2).intM) = 42));
      (_C_42 : heap_sort(arr_0, 3));
      
      {  
         (assert for default: (_C_43 : (jessie : (((arr_0 + 0).intM <=
                                                    (arr_0 + 1).intM) &&
                                                   ((arr_0 + 1).intM <=
                                                     (arr_0 + 2).intM)))));
         ()
      };
      
      {  
         (assert for default: (_C_44 : (jessie : ((((arr_0 + 0).intM == 13) &&
                                                    ((arr_0 + 1).intM == 42)) &&
                                                   ((arr_0 + 2).intM == 42)))));
         ()
      };
      
      {  (_C_45 : (free(arr_0)));
         
         (return ())
      }
   }
}
========== file tests/c/heap_sort.jessie/heap_sort.cloc ==========
[_C_35]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 6
end = 9

[_C_28]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 23
end = 26

[main]
name = "Function main"
file = "HOME/tests/c/heap_sort.c"
line = 55
begin = 5
end = 9

[_C_31]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 38

[_C_41]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 2
end = 5

[_C_4]
file = "HOME/tests/c/heap_sort.c"
line = 42
begin = 11
end = 22

[_C_32]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 38

[_C_23]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 28
end = 31

[_C_19]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 21
end = 34

[_C_42]
file = "HOME/tests/c/heap_sort.c"
line = 57
begin = 2
end = 18

[_C_13]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 28
end = 44

[_C_5]
file = "HOME/tests/c/heap_sort.c"
line = 42
begin = 11
end = 22

[_C_36]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 2
end = 5

[_C_12]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 37
end = 43

[_C_33]
file = "HOME/tests/c/heap_sort.c"
line = 35
begin = 13
end = 21

[_C_22]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 37
end = 51

[_C_9]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 21
end = 27

[_C_30]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 38

[_C_6]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 11
end = 12

[_C_24]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 37
end = 51

[_C_45]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 6
end = 9

[_C_20]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 21
end = 27

[_C_38]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 2
end = 5

[_C_3]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_17]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 11
end = 12

[_C_7]
file = "HOME/tests/c/heap_sort.c"
line = 44
begin = 19
end = 26

[_C_27]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 23
end = 26

[_C_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_44]
file = "HOME/tests/c/heap_sort.c"
line = 59
begin = 13
end = 57

[_C_15]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 23
end = 26

[_C_26]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 23
end = 26

[_C_10]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 26
end = 34

[_C_40]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 2
end = 5

[_C_8]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 21
end = 34

[_C_18]
file = "HOME/tests/c/heap_sort.c"
line = 48
begin = 19
end = 26

[_C_29]
file = "HOME/tests/c/heap_sort.c"
line = 38
begin = 12
end = 71

[_C_14]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 23
end = 26

[_C_37]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 2
end = 5

[_C_43]
file = "HOME/tests/c/heap_sort.c"
line = 58
begin = 13
end = 49

[_C_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_34]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 6
end = 9

[_C_16]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 23
end = 26

[_C_1]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_25]
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 37
end = 51

[_C_39]
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 2
end = 5

[_C_11]
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 37
end = 40

[heap_sort]
name = "Function heap_sort"
file = "HOME/tests/c/heap_sort.c"
line = 40
begin = 5
end = 14

[_C_21]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 26
end = 34

========== jessie execution ==========
Generating Why function heap_sort
Generating Why function main
========== file tests/c/heap_sort.jessie/heap_sort.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs heap_sort.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs heap_sort.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/heap_sort_why.sx

project: why/heap_sort.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/heap_sort_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/heap_sort_why.vo

coq/heap_sort_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/heap_sort_why.v: why/heap_sort.why
	@echo 'why -coq [...] why/heap_sort.why' && $(WHY) $(JESSIELIBFILES) why/heap_sort.why && rm -f coq/jessie_why.v

coq-goals: goals coq/heap_sort_ctx_why.vo
	for f in why/*_po*.why; do make -f heap_sort.makefile coq/`basename $$f .why`_why.v ; done

coq/heap_sort_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/heap_sort_ctx_why.v: why/heap_sort_ctx.why
	@echo 'why -coq [...] why/heap_sort_ctx.why' && $(WHY) why/heap_sort_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export heap_sort_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/heap_sort_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/heap_sort_ctx_why.vo

pvs: pvs/heap_sort_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/heap_sort_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/heap_sort_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/heap_sort_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/heap_sort_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/heap_sort_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/heap_sort_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/heap_sort_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/heap_sort_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/heap_sort_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/heap_sort_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/heap_sort_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/heap_sort_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/heap_sort_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/heap_sort_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: heap_sort.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/heap_sort_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: heap_sort.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: heap_sort.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: heap_sort.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include heap_sort.depend

depend: coq/heap_sort_why.v
	-$(COQDEP) -I coq coq/heap_sort*_why.v > heap_sort.depend

clean:
	rm -f coq/*.vo

========== file tests/c/heap_sort.jessie/heap_sort.loc ==========
[main_safety]
name = "Function main"
behavior = "Safety"
file = "HOME/tests/c/heap_sort.c"
line = 55
begin = 5
end = 9

[JC_94]
kind = AllocSize
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 6
end = 9

[JC_73]
kind = UserCall
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 95
begin = 21
end = 66

[JC_63]
kind = PointerDeref
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 110
begin = 22
end = 143

[JC_80]
kind = UserCall
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 37
end = 51

[JC_51]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 87
begin = 6
end = 401

[JC_71]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 87
begin = 6
end = 401

[JC_45]
kind = UserCall
file = "HOME/tests/c/heap_sort.c"
line = 42
begin = 11
end = 22

[JC_64]
kind = ArithOverflow
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 23
end = 26

[JC_85]
file = "HOME/"
line = 0
begin = -1
end = -1

[heap_sort_ensures_default]
name = "Function heap_sort"
behavior = "default behavior"
file = "HOME/tests/c/heap_sort.c"
line = 40
begin = 5
end = 14

[JC_31]
file = "HOME/tests/c/heap_sort.c"
line = 35
begin = 13
end = 21

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_81]
file = "HOME/tests/c/heap_sort.c"
line = 55
begin = 5
end = 9

[JC_55]
file = "HOME/tests/c/heap_sort.c"
line = 44
begin = 19
end = 26

[JC_48]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 21
end = 34

[JC_23]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 62
begin = 6
end = 17

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_67]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 21
end = 27

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 26
end = 34

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_78]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 102
begin = 6
end = 482

[JC_41]
file = "HOME/tests/c/heap_sort.c"
line = 38
begin = 12
end = 71

[JC_74]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 21
end = 27

[JC_47]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 26
end = 34

[JC_52]
kind = PointerDeref
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 37
end = 43

[JC_26]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 64
begin = 10
end = 18

[JC_8]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 52
begin = 10
end = 18

[JC_54]
kind = ArithOverflow
file = "HOME/tests/c/heap_sort.c"
line = 46
begin = 23
end = 26

[JC_79]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 102
begin = 6
end = 482

[JC_13]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 56
begin = 5
end = 11

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 56
begin = 5
end = 11

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/c/heap_sort.c"
line = 35
begin = 13
end = 21

[JC_91]
kind = UserCall
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 131
begin = 15
end = 34

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/c/heap_sort.c"
line = 55
begin = 5
end = 9

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 21
end = 34

[JC_38]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 38

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 52
begin = 10
end = 18

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[heap_sort_safety]
name = "Function heap_sort"
behavior = "Safety"
file = "HOME/tests/c/heap_sort.c"
line = 40
begin = 5
end = 14

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = UserCall
file = "HOME/tests/c/heap_sort.c"
line = 50
begin = 37
end = 51

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/tests/c/heap_sort.c"
line = 38
begin = 12
end = 71

[main_ensures_default]
name = "Function main"
behavior = "default behavior"
file = "HOME/tests/c/heap_sort.c"
line = 55
begin = 5
end = 9

[JC_46]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 21
end = 27

[JC_61]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 102
begin = 6
end = 482

[JC_32]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 38

[JC_56]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 21
end = 27

[JC_33]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 38

[JC_65]
file = "HOME/tests/c/heap_sort.c"
line = 48
begin = 19
end = 26

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
file = "HOME/tests/c/heap_sort.c"
line = 43
begin = 26
end = 34

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 56
begin = 5
end = 11

[JC_96]
file = "HOME/tests/c/heap_sort.c"
line = 58
begin = 13
end = 49

[JC_43]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_95]
kind = UserCall
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 131
begin = 15
end = 34

[JC_93]
file = "HOME/tests/c/heap_sort.c"
line = 59
begin = 13
end = 57

[JC_97]
file = "HOME/tests/c/heap_sort.c"
line = 59
begin = 13
end = 57

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
kind = IndexBounds
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 127
begin = 16
end = 47

[JC_53]
kind = UserCall
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 95
begin = 21
end = 66

[JC_21]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 62
begin = 6
end = 17

[JC_77]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 50
begin = 9
end = 15

[JC_37]
file = "HOME/tests/c/heap_sort.c"
line = 36
begin = 13
end = 38

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 26
end = 34

[JC_89]
kind = AllocSize
file = "HOME/tests/c/heap_sort.c"
line = 56
begin = 6
end = 9

[JC_66]
kind = UserCall
file = "HOME/tests/c/heap_sort.c"
line = 42
begin = 11
end = 22

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 56
begin = 5
end = 11

[JC_3]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 50
begin = 9
end = 15

[JC_92]
file = "HOME/tests/c/heap_sort.c"
line = 58
begin = 13
end = 49

[JC_86]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_60]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 102
begin = 6
end = 482

[JC_72]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 87
begin = 6
end = 401

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_76]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 21
end = 34

[JC_50]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 87
begin = 6
end = 401

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/c/heap_sort.c"
line = 47
begin = 21
end = 34

[JC_28]
file = "HOME/tests/c/heap_sort.jessie/heap_sort.jc"
line = 64
begin = 10
end = 18

========== file tests/c/heap_sort.jessie/why/heap_sort.why ==========
type Heap

type charP

type int32

type int8

type intP

type padding

type uint32

type uint8

type unsigned_charP

type voidP

logic Heap_tag:  -> Heap tag_id

axiom Heap_int : (int_of_tag(Heap_tag) = (1))

logic Heap_of_pointer_address: unit pointer -> Heap pointer

axiom Heap_of_pointer_address_of_pointer_addr :
 (forall p:Heap pointer. (p = Heap_of_pointer_address(pointer_address(p))))

axiom Heap_parenttag_bottom : parenttag(Heap_tag, bottom_tag)

axiom Heap_tags :
 (forall x:Heap pointer.
  (forall Heap_tag_table:Heap tag_table.
   instanceof(Heap_tag_table, x, Heap_tag)))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint32: uint32 -> int

predicate eq_uint32(x:uint32, y:uint32) =
 eq_int(integer_of_uint32(x), integer_of_uint32(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_Heap(p:Heap pointer, a:int,
 Heap_alloc_table:Heap alloc_table) = (offset_min(Heap_alloc_table, p) <= a)

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_Heap_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(Heap_of_pointer_address(p))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_Heap(p:Heap pointer, b:int,
 Heap_alloc_table:Heap alloc_table) = (offset_max(Heap_alloc_table, p) >= b)

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_Heap(p:Heap pointer, a:int, b:int,
 Heap_alloc_table:Heap alloc_table) =
 ((offset_min(Heap_alloc_table, p) = a)
 and (offset_max(Heap_alloc_table, p) = b))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_Heap(p:Heap pointer, a:int, b:int,
 Heap_alloc_table:Heap alloc_table) =
 ((offset_min(Heap_alloc_table, p) = a)
 and (offset_max(Heap_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint32_of_integer: int -> uint32

axiom uint32_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (4294967295))) ->
   eq_int(integer_of_uint32(uint32_of_integer(x)), x)))

axiom uint32_extensionality :
 (forall x:uint32.
  (forall y:uint32[eq_int(integer_of_uint32(x), integer_of_uint32(y))].
   (eq_int(integer_of_uint32(x), integer_of_uint32(y)) -> (x = y))))

axiom uint32_range :
 (forall x:uint32.
  (le_int((0), integer_of_uint32(x))
  and le_int(integer_of_uint32(x), (4294967295))))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_Heap(p:Heap pointer, a:int, b:int,
 Heap_alloc_table:Heap alloc_table) =
 ((offset_min(Heap_alloc_table, p) <= a)
 and (offset_max(Heap_alloc_table, p) >= b))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_Heap(p:Heap pointer, a:int, b:int,
 Heap_alloc_table:Heap alloc_table) =
 ((offset_min(Heap_alloc_table, p) <= a)
 and (offset_max(Heap_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Goto_while_1_break_exc of unit

parameter Heap_alloc_table : Heap alloc_table ref

parameter Heap_tag_table : Heap tag_table ref

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter alloc_struct_Heap :
 n:int ->
  Heap_alloc_table:Heap alloc_table ref ->
   Heap_tag_table:Heap tag_table ref ->
    { } Heap pointer writes Heap_alloc_table,Heap_tag_table
    { (strict_valid_struct_Heap(result, (0), sub_int(n, (1)),
       Heap_alloc_table)
      and (alloc_extends(Heap_alloc_table@, Heap_alloc_table)
          and (alloc_fresh(Heap_alloc_table@, result, n)
              and instanceof(Heap_tag_table, result, Heap_tag)))) }

parameter alloc_struct_Heap_requires :
 n:int ->
  Heap_alloc_table:Heap alloc_table ref ->
   Heap_tag_table:Heap tag_table ref ->
    { ge_int(n, (0))} Heap pointer writes Heap_alloc_table,Heap_tag_table
    { (strict_valid_struct_Heap(result, (0), sub_int(n, (1)),
       Heap_alloc_table)
      and (alloc_extends(Heap_alloc_table@, Heap_alloc_table)
          and (alloc_fresh(Heap_alloc_table@, result, n)
              and instanceof(Heap_tag_table, result, Heap_tag)))) }

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint32 : unit -> { } uint32 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter create : sz:uint32 -> { } Heap pointer { true }

parameter create_requires : sz:uint32 -> { } Heap pointer { true }

parameter extract_min : u:Heap pointer -> { } int32 { true }

parameter extract_min_requires : u:Heap pointer -> { } int32 { true }

parameter heap_sort :
 arr:intP pointer ->
  len:uint32 ->
   intP_intM_arr_5:(intP, int32) memory ref ->
    intP_arr_5_alloc_table:intP alloc_table ->
     { } unit reads intP_intM_arr_5 writes intP_intM_arr_5
     { (JC_42:
       (forall i_1:int.
        (forall j_0:int.
         ((le_int((0), i_1)
          and (le_int(i_1, j_0) and lt_int(j_0, integer_of_uint32(len)))) ->
          le_int(integer_of_int32(select(intP_intM_arr_5, shift(arr, i_1))),
          integer_of_int32(select(intP_intM_arr_5, shift(arr, j_0)))))))) }

parameter heap_sort_requires :
 arr:intP pointer ->
  len:uint32 ->
   intP_intM_arr_5:(intP, int32) memory ref ->
    intP_arr_5_alloc_table:intP alloc_table ->
     { (JC_34:
       ((JC_31: ge_int(integer_of_uint32(len), (0)))
       and ((JC_32: le_int(offset_min(intP_arr_5_alloc_table, arr), (0)))
           and (JC_33:
               ge_int(offset_max(intP_arr_5_alloc_table, arr),
               sub_int(integer_of_uint32(len), (1)))))))}
     unit reads intP_intM_arr_5 writes intP_intM_arr_5
     { (JC_42:
       (forall i_1:int.
        (forall j_0:int.
         ((le_int((0), i_1)
          and (le_int(i_1, j_0) and lt_int(j_0, integer_of_uint32(len)))) ->
          le_int(integer_of_int32(select(intP_intM_arr_5, shift(arr, i_1))),
          integer_of_int32(select(intP_intM_arr_5, shift(arr, j_0)))))))) }

parameter insert :
 u_0:Heap pointer ->
  e:int32 ->
   Heap_x_u_0_3:(Heap, int32) memory ref ->
    Heap_u_0_3_alloc_table:Heap alloc_table ->
     { } unit writes Heap_x_u_0_3
     { (JC_18:
       not_assigns(Heap_u_0_3_alloc_table, Heap_x_u_0_3@, Heap_x_u_0_3,
       pset_singleton(u_0))) }

parameter insert_requires :
 u_0:Heap pointer ->
  e:int32 ->
   Heap_x_u_0_3:(Heap, int32) memory ref ->
    Heap_u_0_3_alloc_table:Heap alloc_table ->
     { } unit writes Heap_x_u_0_3
     { (JC_18:
       not_assigns(Heap_u_0_3_alloc_table, Heap_x_u_0_3@, Heap_x_u_0_3,
       pset_singleton(u_0))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter main : tt:unit -> { } unit { true }

parameter main_requires : tt:unit -> { } unit { true }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint32_of_integer_ :
 x:int -> { } uint32 { eq_int(integer_of_uint32(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint32_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (4294967295)))} uint32
  { eq_int(integer_of_uint32(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let heap_sort_ensures_default =
 fun (arr : intP pointer) (len : uint32) (intP_intM_arr_5 : (intP, int32) memory ref) (intP_arr_5_alloc_table : intP alloc_table) ->
  { (JC_39:
    ((JC_36: ge_int(integer_of_uint32(len), (0)))
    and ((JC_37: le_int(offset_min(intP_arr_5_alloc_table, arr), (0)))
        and (JC_38:
            ge_int(offset_max(intP_arr_5_alloc_table, arr),
            sub_int(integer_of_uint32(len), (1))))))) }
  (init:
  try
   begin
     (let Heap_x_h_6 = ref (any_memory void) in
     (let Heap_h_6_alloc_table = (any_alloc_table void) in
     (let i = ref (any_uint32 void) in
     (let h = ref (any_pointer void) in
     try
      begin
        try
         begin
           (let _jessie_ =
           (h := (let _jessie_ = len in (JC_66: (create _jessie_)))) in
           void);
          (let _jessie_ = (i := (safe_uint32_of_integer_ (0))) in void);
          (loop_3:
          begin
            while true do
            { invariant
                (JC_69:
                ((JC_67: le_int((0), integer_of_uint32(i)))
                and (JC_68:
                    le_int(integer_of_uint32(i), integer_of_uint32(len)))))
               }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ (integer_of_uint32 !i)) (integer_of_uint32 len))
                   then void else (raise (Goto_while_0_break_exc void)));
                  (let _jessie_ = !h in
                  (let _jessie_ =
                  ((safe_acc_ !intP_intM_arr_5) ((shift arr) (integer_of_uint32 !i))) in
                  (JC_73:
                  ((((insert _jessie_) _jessie_) Heap_x_h_6) Heap_h_6_alloc_table))));
                  (i := (safe_uint32_of_integer_ ((add_int (integer_of_uint32 !i)) (1))));
                  !i end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (while_0_break:
         begin
           void;
          (let _jessie_ = (i := (safe_uint32_of_integer_ (0))) in void);
          (loop_4:
          while true do
          { invariant
              (JC_76:
              ((JC_74: le_int((0), integer_of_uint32(i)))
              and (JC_75:
                  le_int(integer_of_uint32(i), integer_of_uint32(len))))) 
             }
           begin
             [ { } unit { true } ];
            try
             begin
               (let _jessie_ =
               begin
                 (if ((lt_int_ (integer_of_uint32 !i)) (integer_of_uint32 len))
                 then void else (raise (Goto_while_1_break_exc void)));
                (let _jessie_ =
                (let _jessie_ =
                (let _jessie_ = !h in (JC_80: (extract_min _jessie_))) in
                (let _jessie_ = arr in
                (let _jessie_ = (integer_of_uint32 !i) in
                (let _jessie_ = ((shift _jessie_) _jessie_) in
                (((safe_upd_ intP_intM_arr_5) _jessie_) _jessie_))))) in
                void);
                (i := (safe_uint32_of_integer_ ((add_int (integer_of_uint32 !i)) (1))));
                !i end in void); (raise (Loop_continue_exc void)) end with
             Loop_continue_exc _jessie_ -> void end end done) end) end;
       (raise (Goto_while_1_break_exc void)) end with
      Goto_while_1_break_exc _jessie_ ->
      (while_1_break: begin   void; (raise Return) end) end))));
    (raise Return) end with Return -> void end)
  { (JC_41:
    (forall i_1:int.
     (forall j_0:int.
      ((le_int((0), i_1)
       and (le_int(i_1, j_0) and lt_int(j_0, integer_of_uint32(len)))) ->
       le_int(integer_of_int32(select(intP_intM_arr_5, shift(arr, i_1))),
       integer_of_int32(select(intP_intM_arr_5, shift(arr, j_0)))))))) }

let heap_sort_safety =
 fun (arr : intP pointer) (len : uint32) (intP_intM_arr_5 : (intP, int32) memory ref) (intP_arr_5_alloc_table : intP alloc_table) ->
  { (JC_39:
    ((JC_36: ge_int(integer_of_uint32(len), (0)))
    and ((JC_37: le_int(offset_min(intP_arr_5_alloc_table, arr), (0)))
        and (JC_38:
            ge_int(offset_max(intP_arr_5_alloc_table, arr),
            sub_int(integer_of_uint32(len), (1))))))) }
  (init:
  try
   begin
     (let Heap_x_h_6 = ref (any_memory void) in
     (let Heap_h_6_alloc_table = (any_alloc_table void) in
     (let i = ref (any_uint32 void) in
     (let h = ref (any_pointer void) in
     try
      begin
        try
         begin
           (let _jessie_ =
           (h := (let _jessie_ = len in
                 (JC_45: (create_requires _jessie_)))) in void);
          (let _jessie_ = (i := (safe_uint32_of_integer_ (0))) in void);
          (loop_1:
          begin
            while true do
            { invariant (JC_50: true)
              variant (JC_55 : sub_int(integer_of_uint32(len),
                               integer_of_uint32(i))) }
             begin
               [ { } unit reads i
                 { (JC_48:
                   ((JC_46: le_int((0), integer_of_uint32(i)))
                   and (JC_47:
                       le_int(integer_of_uint32(i), integer_of_uint32(len))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ (integer_of_uint32 !i)) (integer_of_uint32 len))
                   then void else (raise (Goto_while_0_break_exc void)));
                  (let _jessie_ = !h in
                  (let _jessie_ =
                  (JC_52:
                  ((((offset_acc_ intP_arr_5_alloc_table) !intP_intM_arr_5) arr) 
                   (integer_of_uint32 !i))) in
                  (JC_53:
                  ((((insert_requires _jessie_) _jessie_) Heap_x_h_6) Heap_h_6_alloc_table))));
                  (i := (JC_54:
                        (uint32_of_integer_ ((add_int (integer_of_uint32 !i)) (1)))));
                  !i end in void); (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (while_0_break:
         begin
           void;
          (let _jessie_ = (i := (safe_uint32_of_integer_ (0))) in void);
          (loop_2:
          while true do
          { invariant (JC_60: true)
            variant (JC_65 : sub_int(integer_of_uint32(len),
                             integer_of_uint32(i))) }
           begin
             [ { } unit reads i
               { (JC_58:
                 ((JC_56: le_int((0), integer_of_uint32(i)))
                 and (JC_57:
                     le_int(integer_of_uint32(i), integer_of_uint32(len))))) } ];
            try
             begin
               (let _jessie_ =
               begin
                 (if ((lt_int_ (integer_of_uint32 !i)) (integer_of_uint32 len))
                 then void else (raise (Goto_while_1_break_exc void)));
                (let _jessie_ =
                (let _jessie_ =
                (let _jessie_ = !h in
                (JC_62: (extract_min_requires _jessie_))) in
                (let _jessie_ = arr in
                (let _jessie_ = (integer_of_uint32 !i) in
                (let _jessie_ = ((shift _jessie_) _jessie_) in
                (JC_63:
                (((((offset_upd_ intP_arr_5_alloc_table) intP_intM_arr_5) _jessie_) _jessie_) _jessie_)))))) in
                void);
                (i := (JC_64:
                      (uint32_of_integer_ ((add_int (integer_of_uint32 !i)) (1)))));
                !i end in void); (raise (Loop_continue_exc void)) end with
             Loop_continue_exc _jessie_ -> void end end done) end) end;
       (raise (Goto_while_1_break_exc void)) end with
      Goto_while_1_break_exc _jessie_ ->
      (while_1_break: begin   void; (raise Return) end) end))));
    (raise Return) end with Return -> void end) { true }

let main_ensures_default =
 fun (tt : unit) ->
  { (JC_84: true) }
  (init:
  try
   begin
     (let intP_intM_arr_0_8 = ref (any_memory void) in
     (let intP_arr_0_8_tag_table = ref (any_tag_table void) in
     (let intP_arr_0_8_alloc_table = ref (any_alloc_table void) in
     (let arr_0 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (arr_0 := (JC_94:
                 (((alloc_struct_intP (3)) intP_arr_0_8_alloc_table) intP_arr_0_8_tag_table))) in
       void);
      (let _jessie_ = (safe_int32_of_integer_ (42)) in
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (safe_int32_of_integer_ (13)) in
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (1) in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (let _jessie_ = (safe_int32_of_integer_ (42)) in
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (2) in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      [ { } unit reads intP_arr_0_8_alloc_table,intP_intM_arr_0_8
        writes intP_intM_arr_0_8
        { (not_assigns(intP_arr_0_8_alloc_table, intP_intM_arr_0_8@,
           intP_intM_arr_0_8,
           pset_range(pset_singleton(_jessie_), (0), (2)))
          and ((select(intP_intM_arr_0_8, shift(_jessie_, (0))) = _jessie_)
              and ((select(intP_intM_arr_0_8, shift(_jessie_, (1))) = _jessie_)
                  and (select(intP_intM_arr_0_8, shift(_jessie_, (2))) = _jessie_)))) } ]))))))))));
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (safe_uint32_of_integer_ (3)) in
      (JC_95:
      ((((heap_sort _jessie_) _jessie_) intP_intM_arr_0_8) !intP_arr_0_8_alloc_table))));
      (assert
      { (JC_96:
        (le_int(integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (0)))),
         integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (1)))))
        and le_int(integer_of_int32(select(intP_intM_arr_0_8,
                                    shift(arr_0, (1)))),
            integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (2))))))) };
      void); void;
      (assert
      { (JC_97:
        ((integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (0)))) = (13))
        and ((integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (1)))) = (42))
            and (integer_of_int32(select(intP_intM_arr_0_8,
                                  shift(arr_0, (2)))) = (42))))) }; void);
      void; ((safe_free_parameter intP_arr_0_8_alloc_table) !arr_0);
      (raise Return) end)))); (raise Return) end with Return -> void end)
  { (JC_85: true) }

let main_safety =
 fun (tt : unit) ->
  { (JC_84: true) }
  (init:
  try
   begin
     (let intP_intM_arr_0_8 = ref (any_memory void) in
     (let intP_arr_0_8_tag_table = ref (any_tag_table void) in
     (let intP_arr_0_8_alloc_table = ref (any_alloc_table void) in
     (let arr_0 = ref (any_pointer void) in
     begin
       (let _jessie_ =
       (arr_0 := (let _jessie_ =
                 (JC_89:
                 (((alloc_struct_intP_requires (3)) intP_arr_0_8_alloc_table) intP_arr_0_8_tag_table)) in
                 (JC_90:
                 (assert
                 { ge_int(offset_max(intP_arr_0_8_alloc_table, _jessie_),
                   (2)) }; _jessie_)))) in void);
      (let _jessie_ = (safe_int32_of_integer_ (42)) in
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (safe_int32_of_integer_ (13)) in
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (1) in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (let _jessie_ = (safe_int32_of_integer_ (42)) in
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (2) in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      [ { } unit reads intP_arr_0_8_alloc_table,intP_intM_arr_0_8
        writes intP_intM_arr_0_8
        { (not_assigns(intP_arr_0_8_alloc_table, intP_intM_arr_0_8@,
           intP_intM_arr_0_8,
           pset_range(pset_singleton(_jessie_), (0), (2)))
          and ((select(intP_intM_arr_0_8, shift(_jessie_, (0))) = _jessie_)
              and ((select(intP_intM_arr_0_8, shift(_jessie_, (1))) = _jessie_)
                  and (select(intP_intM_arr_0_8, shift(_jessie_, (2))) = _jessie_)))) } ]))))))))));
      (let _jessie_ = !arr_0 in
      (let _jessie_ = (safe_uint32_of_integer_ (3)) in
      (JC_91:
      ((((heap_sort_requires _jessie_) _jessie_) intP_intM_arr_0_8) !intP_arr_0_8_alloc_table))));
      [ { } unit reads arr_0,intP_intM_arr_0_8
        { (JC_92:
          (le_int(integer_of_int32(select(intP_intM_arr_0_8,
                                   shift(arr_0, (0)))),
           integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (1)))))
          and le_int(integer_of_int32(select(intP_intM_arr_0_8,
                                      shift(arr_0, (1)))),
              integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (2))))))) } ];
      void;
      [ { } unit reads arr_0,intP_intM_arr_0_8
        { (JC_93:
          ((integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (0)))) = (13))
          and ((integer_of_int32(select(intP_intM_arr_0_8, shift(arr_0, (1)))) = (42))
              and (integer_of_int32(select(intP_intM_arr_0_8,
                                    shift(arr_0, (2)))) = (42))))) } ]; void;
      ((free_parameter intP_arr_0_8_alloc_table) !arr_0); (raise Return) end))));
    (raise Return) end with Return -> void end) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/heap_sort.why
========== file tests/c/heap_sort.jessie/why/heap_sort_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type Heap

type charP

type int32

type int8

type intP

type padding

type uint32

type uint8

type unsigned_charP

type voidP

logic Heap_tag : Heap tag_id

axiom Heap_int: (int_of_tag(Heap_tag) = 1)

logic Heap_of_pointer_address : unit pointer -> Heap pointer

axiom Heap_of_pointer_address_of_pointer_addr:
  (forall p:Heap pointer. (p = Heap_of_pointer_address(pointer_address(p))))

axiom Heap_parenttag_bottom: parenttag(Heap_tag, bottom_tag)

axiom Heap_tags:
  (forall x:Heap pointer.
    (forall Heap_tag_table:Heap tag_table. instanceof(Heap_tag_table, x,
      Heap_tag)))

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint32 : uint32 -> int

predicate eq_uint32(x: uint32, y: uint32) =
  (integer_of_uint32(x) = integer_of_uint32(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

logic intP_tag : intP tag_id

axiom intP_int: (int_of_tag(intP_tag) = 1)

logic intP_of_pointer_address : unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr:
  (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom: parenttag(intP_tag, bottom_tag)

axiom intP_tags:
  (forall x:intP pointer.
    (forall intP_tag_table:intP tag_table. instanceof(intP_tag_table, x,
      intP_tag)))

predicate left_valid_struct_Heap(p: Heap pointer, a: int,
  Heap_alloc_table: Heap alloc_table) = (offset_min(Heap_alloc_table,
  p) <= a)

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_intP(p: intP pointer, a: int,
  intP_alloc_table: intP alloc_table) = (offset_min(intP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_Heap_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(Heap_of_pointer_address(p))))

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_Heap(p: Heap pointer, b: int,
  Heap_alloc_table: Heap alloc_table) = (offset_max(Heap_alloc_table,
  p) >= b)

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_intP(p: intP pointer, b: int,
  intP_alloc_table: intP alloc_table) = (offset_max(intP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_Heap(p: Heap pointer, a: int, b: int,
  Heap_alloc_table: Heap alloc_table) =
  ((offset_min(Heap_alloc_table, p) = a) and (offset_max(Heap_alloc_table,
   p) = b))

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_Heap(p: Heap pointer, a: int, b: int,
  Heap_alloc_table: Heap alloc_table) =
  ((offset_min(Heap_alloc_table, p) = a) and (offset_max(Heap_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint32_of_integer : int -> uint32

axiom uint32_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 4294967295)) ->
     (integer_of_uint32(uint32_of_integer(x)) = x)))

axiom uint32_extensionality:
  (forall x:uint32.
    (forall y:uint32.
      ((integer_of_uint32(x) = integer_of_uint32(y)) -> (x = y))))

axiom uint32_range:
  (forall x:uint32.
    ((0 <= integer_of_uint32(x)) and (integer_of_uint32(x) <= 4294967295)))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_Heap(p: Heap pointer, a: int, b: int,
  Heap_alloc_table: Heap alloc_table) =
  ((offset_min(Heap_alloc_table, p) <= a) and (offset_max(Heap_alloc_table,
   p) >= b))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_Heap(p: Heap pointer, a: int, b: int,
  Heap_alloc_table: Heap alloc_table) =
  ((offset_min(Heap_alloc_table, p) <= a) and (offset_max(Heap_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal heap_sort_ensures_default_po_1:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  ("JC_69": ("JC_67": (0 <= integer_of_uint32(i))))

goal heap_sort_ensures_default_po_2:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  ("JC_69": ("JC_68": (integer_of_uint32(i) <= integer_of_uint32(len))))

goal heap_sort_ensures_default_po_3:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  forall intP_intM_arr_5:(intP,
  int32) memory.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result:Heap alloc_table.
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall Heap_x_h_6:(Heap,
  int32) memory.
  forall i0:uint32.
  ("JC_69":
  (("JC_67": (0 <= integer_of_uint32(i0))) and
   ("JC_68": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) < integer_of_uint32(len)) ->
  forall result2:int32.
  (result2 = select(intP_intM_arr_5, shift(arr, integer_of_uint32(i0)))) ->
  forall Heap_x_h_6_0:(Heap,
  int32) memory.
  ("JC_18": not_assigns(result, Heap_x_h_6, Heap_x_h_6_0, pset_singleton(h))) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = (integer_of_uint32(i0) + 1)) ->
  forall i1:uint32.
  (i1 = result3) ->
  ("JC_69": ("JC_67": (0 <= integer_of_uint32(i1))))

goal heap_sort_ensures_default_po_4:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  forall intP_intM_arr_5:(intP,
  int32) memory.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result:Heap alloc_table.
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall Heap_x_h_6:(Heap,
  int32) memory.
  forall i0:uint32.
  ("JC_69":
  (("JC_67": (0 <= integer_of_uint32(i0))) and
   ("JC_68": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) < integer_of_uint32(len)) ->
  forall result2:int32.
  (result2 = select(intP_intM_arr_5, shift(arr, integer_of_uint32(i0)))) ->
  forall Heap_x_h_6_0:(Heap,
  int32) memory.
  ("JC_18": not_assigns(result, Heap_x_h_6, Heap_x_h_6_0, pset_singleton(h))) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = (integer_of_uint32(i0) + 1)) ->
  forall i1:uint32.
  (i1 = result3) ->
  ("JC_69": ("JC_68": (integer_of_uint32(i1) <= integer_of_uint32(len))))

goal heap_sort_ensures_default_po_5:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_69":
  (("JC_67": (0 <= integer_of_uint32(i0))) and
   ("JC_68": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) >= integer_of_uint32(len)) ->
  forall result2:uint32.
  (integer_of_uint32(result2) = 0) ->
  forall i1:uint32.
  (i1 = result2) ->
  ("JC_76": ("JC_74": (0 <= integer_of_uint32(i1))))

goal heap_sort_ensures_default_po_6:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_69":
  (("JC_67": (0 <= integer_of_uint32(i0))) and
   ("JC_68": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) >= integer_of_uint32(len)) ->
  forall result2:uint32.
  (integer_of_uint32(result2) = 0) ->
  forall i1:uint32.
  (i1 = result2) ->
  ("JC_76": ("JC_75": (integer_of_uint32(i1) <= integer_of_uint32(len))))

goal heap_sort_ensures_default_po_7:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_69":
  (("JC_67": (0 <= integer_of_uint32(i0))) and
   ("JC_68": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) >= integer_of_uint32(len)) ->
  forall result2:uint32.
  (integer_of_uint32(result2) = 0) ->
  forall i1:uint32.
  (i1 = result2) ->
  forall i2:uint32.
  forall intP_intM_arr_5_0:(intP,
  int32) memory.
  ("JC_76":
  (("JC_74": (0 <= integer_of_uint32(i2))) and
   ("JC_75": (integer_of_uint32(i2) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i2) < integer_of_uint32(len)) ->
  forall result3:int32.
  forall intP_intM_arr_5_1:(intP,
  int32) memory.
  (intP_intM_arr_5_1 = store(intP_intM_arr_5_0, shift(arr,
  integer_of_uint32(i2)), result3)) ->
  forall result4:uint32.
  (integer_of_uint32(result4) = (integer_of_uint32(i2) + 1)) ->
  forall i3:uint32.
  (i3 = result4) ->
  ("JC_76": ("JC_74": (0 <= integer_of_uint32(i3))))

goal heap_sort_ensures_default_po_8:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_69":
  (("JC_67": (0 <= integer_of_uint32(i0))) and
   ("JC_68": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) >= integer_of_uint32(len)) ->
  forall result2:uint32.
  (integer_of_uint32(result2) = 0) ->
  forall i1:uint32.
  (i1 = result2) ->
  forall i2:uint32.
  forall intP_intM_arr_5_0:(intP,
  int32) memory.
  ("JC_76":
  (("JC_74": (0 <= integer_of_uint32(i2))) and
   ("JC_75": (integer_of_uint32(i2) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i2) < integer_of_uint32(len)) ->
  forall result3:int32.
  forall intP_intM_arr_5_1:(intP,
  int32) memory.
  (intP_intM_arr_5_1 = store(intP_intM_arr_5_0, shift(arr,
  integer_of_uint32(i2)), result3)) ->
  forall result4:uint32.
  (integer_of_uint32(result4) = (integer_of_uint32(i2) + 1)) ->
  forall i3:uint32.
  (i3 = result4) ->
  ("JC_76": ("JC_75": (integer_of_uint32(i3) <= integer_of_uint32(len))))

goal heap_sort_ensures_default_po_9:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_69":
  (("JC_67": (0 <= integer_of_uint32(i0))) and
   ("JC_68": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) >= integer_of_uint32(len)) ->
  forall result2:uint32.
  (integer_of_uint32(result2) = 0) ->
  forall i1:uint32.
  (i1 = result2) ->
  forall i2:uint32.
  forall intP_intM_arr_5_0:(intP,
  int32) memory.
  ("JC_76":
  (("JC_74": (0 <= integer_of_uint32(i2))) and
   ("JC_75": (integer_of_uint32(i2) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i2) >= integer_of_uint32(len)) ->
  forall i_1:int.
  forall j_0:int.
  ((0 <= i_1) and ((i_1 <= j_0) and (j_0 < integer_of_uint32(len)))) ->
  ("JC_41": (integer_of_int32(select(intP_intM_arr_5_0, shift(arr,
  i_1))) <= integer_of_int32(select(intP_intM_arr_5_0, shift(arr, j_0)))))

goal heap_sort_safety_po_1:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_46": (0 <= integer_of_uint32(i0))) and
   ("JC_47": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) < integer_of_uint32(len)) ->
  (offset_min(intP_arr_5_alloc_table, arr) <= integer_of_uint32(i0))

goal heap_sort_safety_po_2:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_46": (0 <= integer_of_uint32(i0))) and
   ("JC_47": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) < integer_of_uint32(len)) ->
  (integer_of_uint32(i0) <= offset_max(intP_arr_5_alloc_table, arr))

goal heap_sort_safety_po_3:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  forall intP_intM_arr_5:(intP,
  int32) memory.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result:Heap alloc_table.
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall Heap_x_h_6:(Heap,
  int32) memory.
  forall i0:uint32.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_46": (0 <= integer_of_uint32(i0))) and
   ("JC_47": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) < integer_of_uint32(len)) ->
  ((offset_min(intP_arr_5_alloc_table, arr) <= integer_of_uint32(i0)) and
   (integer_of_uint32(i0) <= offset_max(intP_arr_5_alloc_table, arr))) ->
  forall result2:int32.
  (result2 = select(intP_intM_arr_5, shift(arr, integer_of_uint32(i0)))) ->
  forall Heap_x_h_6_0:(Heap,
  int32) memory.
  ("JC_18": not_assigns(result, Heap_x_h_6, Heap_x_h_6_0, pset_singleton(h))) ->
  (0 <= (integer_of_uint32(i0) + 1))

goal heap_sort_safety_po_4:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  forall intP_intM_arr_5:(intP,
  int32) memory.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result:Heap alloc_table.
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall Heap_x_h_6:(Heap,
  int32) memory.
  forall i0:uint32.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_46": (0 <= integer_of_uint32(i0))) and
   ("JC_47": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) < integer_of_uint32(len)) ->
  ((offset_min(intP_arr_5_alloc_table, arr) <= integer_of_uint32(i0)) and
   (integer_of_uint32(i0) <= offset_max(intP_arr_5_alloc_table, arr))) ->
  forall result2:int32.
  (result2 = select(intP_intM_arr_5, shift(arr, integer_of_uint32(i0)))) ->
  forall Heap_x_h_6_0:(Heap,
  int32) memory.
  ("JC_18": not_assigns(result, Heap_x_h_6, Heap_x_h_6_0, pset_singleton(h))) ->
  ((integer_of_uint32(i0) + 1) <= 4294967295)

goal heap_sort_safety_po_5:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  forall intP_intM_arr_5:(intP,
  int32) memory.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result:Heap alloc_table.
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall Heap_x_h_6:(Heap,
  int32) memory.
  forall i0:uint32.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_46": (0 <= integer_of_uint32(i0))) and
   ("JC_47": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) < integer_of_uint32(len)) ->
  ((offset_min(intP_arr_5_alloc_table, arr) <= integer_of_uint32(i0)) and
   (integer_of_uint32(i0) <= offset_max(intP_arr_5_alloc_table, arr))) ->
  forall result2:int32.
  (result2 = select(intP_intM_arr_5, shift(arr, integer_of_uint32(i0)))) ->
  forall Heap_x_h_6_0:(Heap,
  int32) memory.
  ("JC_18": not_assigns(result, Heap_x_h_6, Heap_x_h_6_0, pset_singleton(h))) ->
  ((0 <= (integer_of_uint32(i0) + 1)) and
   ((integer_of_uint32(i0) + 1) <= 4294967295)) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = (integer_of_uint32(i0) + 1)) ->
  forall i1:uint32.
  (i1 = result3) ->
  (0 <= ("JC_55": (integer_of_uint32(len) - integer_of_uint32(i0))))

goal heap_sort_safety_po_6:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  forall intP_intM_arr_5:(intP,
  int32) memory.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result:Heap alloc_table.
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall Heap_x_h_6:(Heap,
  int32) memory.
  forall i0:uint32.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_46": (0 <= integer_of_uint32(i0))) and
   ("JC_47": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) < integer_of_uint32(len)) ->
  ((offset_min(intP_arr_5_alloc_table, arr) <= integer_of_uint32(i0)) and
   (integer_of_uint32(i0) <= offset_max(intP_arr_5_alloc_table, arr))) ->
  forall result2:int32.
  (result2 = select(intP_intM_arr_5, shift(arr, integer_of_uint32(i0)))) ->
  forall Heap_x_h_6_0:(Heap,
  int32) memory.
  ("JC_18": not_assigns(result, Heap_x_h_6, Heap_x_h_6_0, pset_singleton(h))) ->
  ((0 <= (integer_of_uint32(i0) + 1)) and
   ((integer_of_uint32(i0) + 1) <= 4294967295)) ->
  forall result3:uint32.
  (integer_of_uint32(result3) = (integer_of_uint32(i0) + 1)) ->
  forall i1:uint32.
  (i1 = result3) ->
  (("JC_55": (integer_of_uint32(len) - integer_of_uint32(i1))) < ("JC_55":
                                                                 (integer_of_uint32(len) - integer_of_uint32(i0))))

goal heap_sort_safety_po_7:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_46": (0 <= integer_of_uint32(i0))) and
   ("JC_47": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) >= integer_of_uint32(len)) ->
  forall result2:uint32.
  (integer_of_uint32(result2) = 0) ->
  forall i1:uint32.
  (i1 = result2) ->
  forall i2:uint32.
  ("JC_60": true) ->
  ("JC_58":
  (("JC_56": (0 <= integer_of_uint32(i2))) and
   ("JC_57": (integer_of_uint32(i2) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i2) < integer_of_uint32(len)) ->
  (offset_min(intP_arr_5_alloc_table, arr) <= integer_of_uint32(i2))

goal heap_sort_safety_po_8:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_46": (0 <= integer_of_uint32(i0))) and
   ("JC_47": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) >= integer_of_uint32(len)) ->
  forall result2:uint32.
  (integer_of_uint32(result2) = 0) ->
  forall i1:uint32.
  (i1 = result2) ->
  forall i2:uint32.
  ("JC_60": true) ->
  ("JC_58":
  (("JC_56": (0 <= integer_of_uint32(i2))) and
   ("JC_57": (integer_of_uint32(i2) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i2) < integer_of_uint32(len)) ->
  (integer_of_uint32(i2) <= offset_max(intP_arr_5_alloc_table, arr))

goal heap_sort_safety_po_9:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_46": (0 <= integer_of_uint32(i0))) and
   ("JC_47": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) >= integer_of_uint32(len)) ->
  forall result2:uint32.
  (integer_of_uint32(result2) = 0) ->
  forall i1:uint32.
  (i1 = result2) ->
  forall i2:uint32.
  forall intP_intM_arr_5_0:(intP,
  int32) memory.
  ("JC_60": true) ->
  ("JC_58":
  (("JC_56": (0 <= integer_of_uint32(i2))) and
   ("JC_57": (integer_of_uint32(i2) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i2) < integer_of_uint32(len)) ->
  forall result3:int32.
  ((offset_min(intP_arr_5_alloc_table, arr) <= integer_of_uint32(i2)) and
   (integer_of_uint32(i2) <= offset_max(intP_arr_5_alloc_table, arr))) ->
  forall intP_intM_arr_5_1:(intP,
  int32) memory.
  (intP_intM_arr_5_1 = store(intP_intM_arr_5_0, shift(arr,
  integer_of_uint32(i2)), result3)) ->
  (0 <= (integer_of_uint32(i2) + 1))

goal heap_sort_safety_po_10:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_46": (0 <= integer_of_uint32(i0))) and
   ("JC_47": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) >= integer_of_uint32(len)) ->
  forall result2:uint32.
  (integer_of_uint32(result2) = 0) ->
  forall i1:uint32.
  (i1 = result2) ->
  forall i2:uint32.
  forall intP_intM_arr_5_0:(intP,
  int32) memory.
  ("JC_60": true) ->
  ("JC_58":
  (("JC_56": (0 <= integer_of_uint32(i2))) and
   ("JC_57": (integer_of_uint32(i2) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i2) < integer_of_uint32(len)) ->
  forall result3:int32.
  ((offset_min(intP_arr_5_alloc_table, arr) <= integer_of_uint32(i2)) and
   (integer_of_uint32(i2) <= offset_max(intP_arr_5_alloc_table, arr))) ->
  forall intP_intM_arr_5_1:(intP,
  int32) memory.
  (intP_intM_arr_5_1 = store(intP_intM_arr_5_0, shift(arr,
  integer_of_uint32(i2)), result3)) ->
  ((integer_of_uint32(i2) + 1) <= 4294967295)

goal heap_sort_safety_po_11:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_46": (0 <= integer_of_uint32(i0))) and
   ("JC_47": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) >= integer_of_uint32(len)) ->
  forall result2:uint32.
  (integer_of_uint32(result2) = 0) ->
  forall i1:uint32.
  (i1 = result2) ->
  forall i2:uint32.
  forall intP_intM_arr_5_0:(intP,
  int32) memory.
  ("JC_60": true) ->
  ("JC_58":
  (("JC_56": (0 <= integer_of_uint32(i2))) and
   ("JC_57": (integer_of_uint32(i2) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i2) < integer_of_uint32(len)) ->
  forall result3:int32.
  ((offset_min(intP_arr_5_alloc_table, arr) <= integer_of_uint32(i2)) and
   (integer_of_uint32(i2) <= offset_max(intP_arr_5_alloc_table, arr))) ->
  forall intP_intM_arr_5_1:(intP,
  int32) memory.
  (intP_intM_arr_5_1 = store(intP_intM_arr_5_0, shift(arr,
  integer_of_uint32(i2)), result3)) ->
  ((0 <= (integer_of_uint32(i2) + 1)) and
   ((integer_of_uint32(i2) + 1) <= 4294967295)) ->
  forall result4:uint32.
  (integer_of_uint32(result4) = (integer_of_uint32(i2) + 1)) ->
  forall i3:uint32.
  (i3 = result4) ->
  (0 <= ("JC_65": (integer_of_uint32(len) - integer_of_uint32(i2))))

goal heap_sort_safety_po_12:
  forall arr:intP pointer.
  forall len:uint32.
  forall intP_arr_5_alloc_table:intP alloc_table.
  ("JC_39":
  (("JC_36": (integer_of_uint32(len) >= 0)) and
   (("JC_37": (offset_min(intP_arr_5_alloc_table, arr) <= 0)) and
    ("JC_38": (offset_max(intP_arr_5_alloc_table,
    arr) >= (integer_of_uint32(len) - 1)))))) ->
  forall result0:Heap pointer.
  forall h:Heap pointer.
  (h = result0) ->
  forall result1:uint32.
  (integer_of_uint32(result1) = 0) ->
  forall i:uint32.
  (i = result1) ->
  forall i0:uint32.
  ("JC_50": true) ->
  ("JC_48":
  (("JC_46": (0 <= integer_of_uint32(i0))) and
   ("JC_47": (integer_of_uint32(i0) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i0) >= integer_of_uint32(len)) ->
  forall result2:uint32.
  (integer_of_uint32(result2) = 0) ->
  forall i1:uint32.
  (i1 = result2) ->
  forall i2:uint32.
  forall intP_intM_arr_5_0:(intP,
  int32) memory.
  ("JC_60": true) ->
  ("JC_58":
  (("JC_56": (0 <= integer_of_uint32(i2))) and
   ("JC_57": (integer_of_uint32(i2) <= integer_of_uint32(len))))) ->
  (integer_of_uint32(i2) < integer_of_uint32(len)) ->
  forall result3:int32.
  ((offset_min(intP_arr_5_alloc_table, arr) <= integer_of_uint32(i2)) and
   (integer_of_uint32(i2) <= offset_max(intP_arr_5_alloc_table, arr))) ->
  forall intP_intM_arr_5_1:(intP,
  int32) memory.
  (intP_intM_arr_5_1 = store(intP_intM_arr_5_0, shift(arr,
  integer_of_uint32(i2)), result3)) ->
  ((0 <= (integer_of_uint32(i2) + 1)) and
   ((integer_of_uint32(i2) + 1) <= 4294967295)) ->
  forall result4:uint32.
  (integer_of_uint32(result4) = (integer_of_uint32(i2) + 1)) ->
  forall i3:uint32.
  (i3 = result4) ->
  (("JC_65": (integer_of_uint32(len) - integer_of_uint32(i3))) < ("JC_65":
                                                                 (integer_of_uint32(len) - integer_of_uint32(i2))))

goal main_ensures_default_po_1:
  ("JC_84": true) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  forall result1:intP pointer.
  forall intP_arr_0_8_alloc_table:intP alloc_table.
  forall intP_arr_0_8_tag_table:intP tag_table.
  (strict_valid_struct_intP(result1, 0, (3 - 1),
   intP_arr_0_8_alloc_table) and
   (alloc_extends(result0, intP_arr_0_8_alloc_table) and
    (alloc_fresh(result0, result1, 3) and instanceof(intP_arr_0_8_tag_table,
     result1, intP_tag)))) ->
  forall arr_0:intP pointer.
  (arr_0 = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = 42) ->
  forall result3:int32.
  (integer_of_int32(result3) = 13) ->
  forall result4:int32.
  (integer_of_int32(result4) = 42) ->
  forall intP_intM_arr_0_8:(intP,
  int32) memory.
  (not_assigns(intP_arr_0_8_alloc_table, result, intP_intM_arr_0_8,
   pset_range(pset_singleton(arr_0), 0, 2)) and
   ((select(intP_intM_arr_0_8, shift(arr_0, 0)) = result2) and
    ((select(intP_intM_arr_0_8, shift(arr_0, 1)) = result3) and
     (select(intP_intM_arr_0_8, shift(arr_0, 2)) = result4)))) ->
  forall result5:uint32.
  (integer_of_uint32(result5) = 3) ->
  forall intP_intM_arr_0_8_0:(intP,
  int32) memory.
  ("JC_42":
  (forall i_1:int.
    (forall j_0:int.
      (((0 <= i_1) and ((i_1 <= j_0) and (j_0 < integer_of_uint32(result5)))) ->
       (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
       i_1))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
       j_0)))))))) ->
  ("JC_96": (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
  0))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0, 1)))))

goal main_ensures_default_po_2:
  ("JC_84": true) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  forall result1:intP pointer.
  forall intP_arr_0_8_alloc_table:intP alloc_table.
  forall intP_arr_0_8_tag_table:intP tag_table.
  (strict_valid_struct_intP(result1, 0, (3 - 1),
   intP_arr_0_8_alloc_table) and
   (alloc_extends(result0, intP_arr_0_8_alloc_table) and
    (alloc_fresh(result0, result1, 3) and instanceof(intP_arr_0_8_tag_table,
     result1, intP_tag)))) ->
  forall arr_0:intP pointer.
  (arr_0 = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = 42) ->
  forall result3:int32.
  (integer_of_int32(result3) = 13) ->
  forall result4:int32.
  (integer_of_int32(result4) = 42) ->
  forall intP_intM_arr_0_8:(intP,
  int32) memory.
  (not_assigns(intP_arr_0_8_alloc_table, result, intP_intM_arr_0_8,
   pset_range(pset_singleton(arr_0), 0, 2)) and
   ((select(intP_intM_arr_0_8, shift(arr_0, 0)) = result2) and
    ((select(intP_intM_arr_0_8, shift(arr_0, 1)) = result3) and
     (select(intP_intM_arr_0_8, shift(arr_0, 2)) = result4)))) ->
  forall result5:uint32.
  (integer_of_uint32(result5) = 3) ->
  forall intP_intM_arr_0_8_0:(intP,
  int32) memory.
  ("JC_42":
  (forall i_1:int.
    (forall j_0:int.
      (((0 <= i_1) and ((i_1 <= j_0) and (j_0 < integer_of_uint32(result5)))) ->
       (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
       i_1))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
       j_0)))))))) ->
  ("JC_96": (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
  1))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0, 2)))))

goal main_ensures_default_po_3:
  ("JC_84": true) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  forall result1:intP pointer.
  forall intP_arr_0_8_alloc_table:intP alloc_table.
  forall intP_arr_0_8_tag_table:intP tag_table.
  (strict_valid_struct_intP(result1, 0, (3 - 1),
   intP_arr_0_8_alloc_table) and
   (alloc_extends(result0, intP_arr_0_8_alloc_table) and
    (alloc_fresh(result0, result1, 3) and instanceof(intP_arr_0_8_tag_table,
     result1, intP_tag)))) ->
  forall arr_0:intP pointer.
  (arr_0 = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = 42) ->
  forall result3:int32.
  (integer_of_int32(result3) = 13) ->
  forall result4:int32.
  (integer_of_int32(result4) = 42) ->
  forall intP_intM_arr_0_8:(intP,
  int32) memory.
  (not_assigns(intP_arr_0_8_alloc_table, result, intP_intM_arr_0_8,
   pset_range(pset_singleton(arr_0), 0, 2)) and
   ((select(intP_intM_arr_0_8, shift(arr_0, 0)) = result2) and
    ((select(intP_intM_arr_0_8, shift(arr_0, 1)) = result3) and
     (select(intP_intM_arr_0_8, shift(arr_0, 2)) = result4)))) ->
  forall result5:uint32.
  (integer_of_uint32(result5) = 3) ->
  forall intP_intM_arr_0_8_0:(intP,
  int32) memory.
  ("JC_42":
  (forall i_1:int.
    (forall j_0:int.
      (((0 <= i_1) and ((i_1 <= j_0) and (j_0 < integer_of_uint32(result5)))) ->
       (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
       i_1))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
       j_0)))))))) ->
  ("JC_96":
  ((integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
   0))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
   1)))) and (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
   1))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0, 2)))))) ->
  ("JC_97": (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
  0))) = 13))

goal main_ensures_default_po_4:
  ("JC_84": true) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  forall result1:intP pointer.
  forall intP_arr_0_8_alloc_table:intP alloc_table.
  forall intP_arr_0_8_tag_table:intP tag_table.
  (strict_valid_struct_intP(result1, 0, (3 - 1),
   intP_arr_0_8_alloc_table) and
   (alloc_extends(result0, intP_arr_0_8_alloc_table) and
    (alloc_fresh(result0, result1, 3) and instanceof(intP_arr_0_8_tag_table,
     result1, intP_tag)))) ->
  forall arr_0:intP pointer.
  (arr_0 = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = 42) ->
  forall result3:int32.
  (integer_of_int32(result3) = 13) ->
  forall result4:int32.
  (integer_of_int32(result4) = 42) ->
  forall intP_intM_arr_0_8:(intP,
  int32) memory.
  (not_assigns(intP_arr_0_8_alloc_table, result, intP_intM_arr_0_8,
   pset_range(pset_singleton(arr_0), 0, 2)) and
   ((select(intP_intM_arr_0_8, shift(arr_0, 0)) = result2) and
    ((select(intP_intM_arr_0_8, shift(arr_0, 1)) = result3) and
     (select(intP_intM_arr_0_8, shift(arr_0, 2)) = result4)))) ->
  forall result5:uint32.
  (integer_of_uint32(result5) = 3) ->
  forall intP_intM_arr_0_8_0:(intP,
  int32) memory.
  ("JC_42":
  (forall i_1:int.
    (forall j_0:int.
      (((0 <= i_1) and ((i_1 <= j_0) and (j_0 < integer_of_uint32(result5)))) ->
       (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
       i_1))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
       j_0)))))))) ->
  ("JC_96":
  ((integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
   0))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
   1)))) and (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
   1))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0, 2)))))) ->
  ("JC_97": (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
  1))) = 42))

goal main_ensures_default_po_5:
  ("JC_84": true) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  forall result1:intP pointer.
  forall intP_arr_0_8_alloc_table:intP alloc_table.
  forall intP_arr_0_8_tag_table:intP tag_table.
  (strict_valid_struct_intP(result1, 0, (3 - 1),
   intP_arr_0_8_alloc_table) and
   (alloc_extends(result0, intP_arr_0_8_alloc_table) and
    (alloc_fresh(result0, result1, 3) and instanceof(intP_arr_0_8_tag_table,
     result1, intP_tag)))) ->
  forall arr_0:intP pointer.
  (arr_0 = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = 42) ->
  forall result3:int32.
  (integer_of_int32(result3) = 13) ->
  forall result4:int32.
  (integer_of_int32(result4) = 42) ->
  forall intP_intM_arr_0_8:(intP,
  int32) memory.
  (not_assigns(intP_arr_0_8_alloc_table, result, intP_intM_arr_0_8,
   pset_range(pset_singleton(arr_0), 0, 2)) and
   ((select(intP_intM_arr_0_8, shift(arr_0, 0)) = result2) and
    ((select(intP_intM_arr_0_8, shift(arr_0, 1)) = result3) and
     (select(intP_intM_arr_0_8, shift(arr_0, 2)) = result4)))) ->
  forall result5:uint32.
  (integer_of_uint32(result5) = 3) ->
  forall intP_intM_arr_0_8_0:(intP,
  int32) memory.
  ("JC_42":
  (forall i_1:int.
    (forall j_0:int.
      (((0 <= i_1) and ((i_1 <= j_0) and (j_0 < integer_of_uint32(result5)))) ->
       (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
       i_1))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
       j_0)))))))) ->
  ("JC_96":
  ((integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
   0))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
   1)))) and (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
   1))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0, 2)))))) ->
  ("JC_97": (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
  2))) = 42))

goal main_safety_po_1:
  ("JC_84": true) ->
  (3 >= 0)

goal main_safety_po_2:
  ("JC_84": true) ->
  forall result0:intP alloc_table.
  (3 >= 0) ->
  forall result1:intP pointer.
  forall intP_arr_0_8_alloc_table:intP alloc_table.
  forall intP_arr_0_8_tag_table:intP tag_table.
  (strict_valid_struct_intP(result1, 0, (3 - 1),
   intP_arr_0_8_alloc_table) and
   (alloc_extends(result0, intP_arr_0_8_alloc_table) and
    (alloc_fresh(result0, result1, 3) and instanceof(intP_arr_0_8_tag_table,
     result1, intP_tag)))) ->
  (offset_max(intP_arr_0_8_alloc_table, result1) >= 2)

goal main_safety_po_3:
  ("JC_84": true) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  (3 >= 0) ->
  forall result1:intP pointer.
  forall intP_arr_0_8_alloc_table:intP alloc_table.
  forall intP_arr_0_8_tag_table:intP tag_table.
  (strict_valid_struct_intP(result1, 0, (3 - 1),
   intP_arr_0_8_alloc_table) and
   (alloc_extends(result0, intP_arr_0_8_alloc_table) and
    (alloc_fresh(result0, result1, 3) and instanceof(intP_arr_0_8_tag_table,
     result1, intP_tag)))) ->
  (offset_max(intP_arr_0_8_alloc_table, result1) >= 2) ->
  forall arr_0:intP pointer.
  (arr_0 = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = 42) ->
  forall result3:int32.
  (integer_of_int32(result3) = 13) ->
  forall result4:int32.
  (integer_of_int32(result4) = 42) ->
  forall intP_intM_arr_0_8:(intP,
  int32) memory.
  (not_assigns(intP_arr_0_8_alloc_table, result, intP_intM_arr_0_8,
   pset_range(pset_singleton(arr_0), 0, 2)) and
   ((select(intP_intM_arr_0_8, shift(arr_0, 0)) = result2) and
    ((select(intP_intM_arr_0_8, shift(arr_0, 1)) = result3) and
     (select(intP_intM_arr_0_8, shift(arr_0, 2)) = result4)))) ->
  forall result5:uint32.
  (integer_of_uint32(result5) = 3) ->
  ("JC_34": ("JC_31": (integer_of_uint32(result5) >= 0)))

goal main_safety_po_4:
  ("JC_84": true) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  (3 >= 0) ->
  forall result1:intP pointer.
  forall intP_arr_0_8_alloc_table:intP alloc_table.
  forall intP_arr_0_8_tag_table:intP tag_table.
  (strict_valid_struct_intP(result1, 0, (3 - 1),
   intP_arr_0_8_alloc_table) and
   (alloc_extends(result0, intP_arr_0_8_alloc_table) and
    (alloc_fresh(result0, result1, 3) and instanceof(intP_arr_0_8_tag_table,
     result1, intP_tag)))) ->
  (offset_max(intP_arr_0_8_alloc_table, result1) >= 2) ->
  forall arr_0:intP pointer.
  (arr_0 = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = 42) ->
  forall result3:int32.
  (integer_of_int32(result3) = 13) ->
  forall result4:int32.
  (integer_of_int32(result4) = 42) ->
  forall intP_intM_arr_0_8:(intP,
  int32) memory.
  (not_assigns(intP_arr_0_8_alloc_table, result, intP_intM_arr_0_8,
   pset_range(pset_singleton(arr_0), 0, 2)) and
   ((select(intP_intM_arr_0_8, shift(arr_0, 0)) = result2) and
    ((select(intP_intM_arr_0_8, shift(arr_0, 1)) = result3) and
     (select(intP_intM_arr_0_8, shift(arr_0, 2)) = result4)))) ->
  forall result5:uint32.
  (integer_of_uint32(result5) = 3) ->
  ("JC_34": ("JC_32": (offset_min(intP_arr_0_8_alloc_table, arr_0) <= 0)))

goal main_safety_po_5:
  ("JC_84": true) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  (3 >= 0) ->
  forall result1:intP pointer.
  forall intP_arr_0_8_alloc_table:intP alloc_table.
  forall intP_arr_0_8_tag_table:intP tag_table.
  (strict_valid_struct_intP(result1, 0, (3 - 1),
   intP_arr_0_8_alloc_table) and
   (alloc_extends(result0, intP_arr_0_8_alloc_table) and
    (alloc_fresh(result0, result1, 3) and instanceof(intP_arr_0_8_tag_table,
     result1, intP_tag)))) ->
  (offset_max(intP_arr_0_8_alloc_table, result1) >= 2) ->
  forall arr_0:intP pointer.
  (arr_0 = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = 42) ->
  forall result3:int32.
  (integer_of_int32(result3) = 13) ->
  forall result4:int32.
  (integer_of_int32(result4) = 42) ->
  forall intP_intM_arr_0_8:(intP,
  int32) memory.
  (not_assigns(intP_arr_0_8_alloc_table, result, intP_intM_arr_0_8,
   pset_range(pset_singleton(arr_0), 0, 2)) and
   ((select(intP_intM_arr_0_8, shift(arr_0, 0)) = result2) and
    ((select(intP_intM_arr_0_8, shift(arr_0, 1)) = result3) and
     (select(intP_intM_arr_0_8, shift(arr_0, 2)) = result4)))) ->
  forall result5:uint32.
  (integer_of_uint32(result5) = 3) ->
  ("JC_34":
  ("JC_33": (offset_max(intP_arr_0_8_alloc_table,
  arr_0) >= (integer_of_uint32(result5) - 1))))

goal main_safety_po_6:
  ("JC_84": true) ->
  forall result:(intP,
  int32) memory.
  forall result0:intP alloc_table.
  (3 >= 0) ->
  forall result1:intP pointer.
  forall intP_arr_0_8_alloc_table:intP alloc_table.
  forall intP_arr_0_8_tag_table:intP tag_table.
  (strict_valid_struct_intP(result1, 0, (3 - 1),
   intP_arr_0_8_alloc_table) and
   (alloc_extends(result0, intP_arr_0_8_alloc_table) and
    (alloc_fresh(result0, result1, 3) and instanceof(intP_arr_0_8_tag_table,
     result1, intP_tag)))) ->
  (offset_max(intP_arr_0_8_alloc_table, result1) >= 2) ->
  forall arr_0:intP pointer.
  (arr_0 = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = 42) ->
  forall result3:int32.
  (integer_of_int32(result3) = 13) ->
  forall result4:int32.
  (integer_of_int32(result4) = 42) ->
  forall intP_intM_arr_0_8:(intP,
  int32) memory.
  (not_assigns(intP_arr_0_8_alloc_table, result, intP_intM_arr_0_8,
   pset_range(pset_singleton(arr_0), 0, 2)) and
   ((select(intP_intM_arr_0_8, shift(arr_0, 0)) = result2) and
    ((select(intP_intM_arr_0_8, shift(arr_0, 1)) = result3) and
     (select(intP_intM_arr_0_8, shift(arr_0, 2)) = result4)))) ->
  forall result5:uint32.
  (integer_of_uint32(result5) = 3) ->
  ("JC_34":
  (("JC_31": (integer_of_uint32(result5) >= 0)) and
   (("JC_32": (offset_min(intP_arr_0_8_alloc_table, arr_0) <= 0)) and
    ("JC_33": (offset_max(intP_arr_0_8_alloc_table,
    arr_0) >= (integer_of_uint32(result5) - 1)))))) ->
  forall intP_intM_arr_0_8_0:(intP,
  int32) memory.
  ("JC_42":
  (forall i_1:int.
    (forall j_0:int.
      (((0 <= i_1) and ((i_1 <= j_0) and (j_0 < integer_of_uint32(result5)))) ->
       (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
       i_1))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
       j_0)))))))) ->
  ("JC_92":
  ((integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
   0))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
   1)))) and (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0,
   1))) <= integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0, 2)))))) ->
  ("JC_93":
  ((integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0, 0))) = 13) and
   ((integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0, 1))) = 42) and
    (integer_of_int32(select(intP_intM_arr_0_8_0, shift(arr_0, 2))) = 42)))) ->
  ((arr_0 = null) or (offset_max(intP_arr_0_8_alloc_table, arr_0) >= 0))

why-2.34/tests/c/oracle/eps_line2.err.oracle0000644000175000017500000000000012311670312017272 0ustar  rtuserswhy-2.34/tests/c/oracle/array_double.err.oracle0000644000175000017500000000000012311670312020062 0ustar  rtuserswhy-2.34/tests/c/oracle/conjugate.err.oracle0000644000175000017500000000000012311670312017371 0ustar  rtuserswhy-2.34/tests/c/oracle/sum_array.err.oracle0000644000175000017500000000000012311670312017414 0ustar  rtuserswhy-2.34/tests/c/oracle/Sterbenz.err.oracle0000644000175000017500000000012012311670312017211 0ustar  rtusersmake: *** [coq/Sterbenz_why.vo] Error 1
make: *** [coq/Sterbenz_why.vo] Error 1
why-2.34/tests/c/oracle/minmax.res.oracle0000644000175000017500000025144712311670312016733 0ustar  rtusers========== file tests/c/minmax.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


//@ ensures \result == \max(x,y);
int max(int x, int y) {
  return (x <= y) ? y : x;
}


//@ ensures \result == \min(x,y);
int min(int x, int y) {
  return (x <= y) ? x : y;
}


//@ ensures \result == \max(x,y);
float fmax(float x, float y) {
  return (x <= y) ? y : x;
}


//@ ensures \result == \min(x,y);
float fmin(float x, float y) {
  return (x <= y) ? x : y;
}


//@ ensures \result == \max(x,y);
double dmax(double x, double y) {
  return (x <= y) ? y : x;
}


//@ ensures \result == \min(x,y);
double dmin(double x, double y) {
  return (x <= y) ? x : y;
}



/*
Local Variables:
compile-command: "make minmax.why3ide"
End:
*/

========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/minmax.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/minmax.jessie
[jessie] File tests/c/minmax.jessie/minmax.jc written.
[jessie] File tests/c/minmax.jessie/minmax.cloc written.
========== file tests/c/minmax.jessie/minmax.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

int32 max(int32 x_3, int32 y_3)
behavior default:
  ensures (_C_3 : (\result == \integer_max(\at(x_3,Old), \at(y_3,Old))));
{  
   (var int32 tmp);
   
   {  (if (x_3 <= y_3) then (_C_2 : (tmp = y_3)) else (_C_1 : (tmp = x_3)));
      
      (return tmp)
   }
}

int32 min(int32 x_4, int32 y_4)
behavior default:
  ensures (_C_6 : (\result == \integer_min(\at(x_4,Old), \at(y_4,Old))));
{  
   (var int32 tmp_0);
   
   {  (if (x_4 <= y_4) then (_C_5 : (tmp_0 = x_4)) else (_C_4 : (tmp_0 = y_4)));
      
      (return tmp_0)
   }
}

float fmax(float x_1, float y_1)
behavior default:
  ensures (_C_9 : ((\result :> real) ==
                    \real_max((\at(x_1,Old) :> real), (\at(y_1,Old) :> real))));
{  
   (var float tmp_1);
   
   {  (if (x_1 <= y_1) then (_C_8 : (tmp_1 = y_1)) else (_C_7 : (tmp_1 = x_1)));
      
      (return tmp_1)
   }
}

float fmin(float x_2, float y_2)
behavior default:
  ensures (_C_12 : ((\result :> real) ==
                     \real_min((\at(x_2,Old) :> real), (\at(y_2,Old) :> real))));
{  
   (var float tmp_2);
   
   {  (if (x_2 <= y_2) then (_C_11 : (tmp_2 = x_2)) else (_C_10 : (tmp_2 = y_2)));
      
      (return tmp_2)
   }
}

double dmax(double x, double y)
behavior default:
  ensures (_C_15 : ((\result :> real) ==
                     \real_max((\at(x,Old) :> real), (\at(y,Old) :> real))));
{  
   (var double tmp_3);
   
   {  (if (x <= y) then (_C_14 : (tmp_3 = y)) else (_C_13 : (tmp_3 = x)));
      
      (return tmp_3)
   }
}

double dmin(double x_0, double y_0)
behavior default:
  ensures (_C_18 : ((\result :> real) ==
                     \real_min((\at(x_0,Old) :> real), (\at(y_0,Old) :> real))));
{  
   (var double tmp_4);
   
   {  (if (x_0 <= y_0) then (_C_17 : (tmp_4 = x_0)) else (_C_16 : (tmp_4 = y_0)));
      
      (return tmp_4)
   }
}
========== file tests/c/minmax.jessie/minmax.cloc ==========
[max]
name = "Function max"
file = "HOME/tests/c/minmax.c"
line = 34
begin = 4
end = 7

[_C_4]
file = "HOME/tests/c/minmax.c"
line = 41
begin = 15
end = 16

[_C_13]
file = "HOME/tests/c/minmax.c"
line = 59
begin = 15
end = 16

[_C_5]
file = "HOME/tests/c/minmax.c"
line = 41
begin = 15
end = 16

[_C_12]
file = "HOME/tests/c/minmax.c"
line = 51
begin = 12
end = 32

[_C_9]
file = "HOME/tests/c/minmax.c"
line = 45
begin = 12
end = 32

[_C_6]
file = "HOME/tests/c/minmax.c"
line = 39
begin = 12
end = 32

[fmin]
name = "Function fmin"
file = "HOME/tests/c/minmax.c"
line = 52
begin = 6
end = 10

[fmax]
name = "Function fmax"
file = "HOME/tests/c/minmax.c"
line = 46
begin = 6
end = 10

[min]
name = "Function min"
file = "HOME/tests/c/minmax.c"
line = 40
begin = 4
end = 7

[_C_3]
file = "HOME/tests/c/minmax.c"
line = 33
begin = 12
end = 32

[_C_17]
file = "HOME/tests/c/minmax.c"
line = 65
begin = 15
end = 16

[_C_7]
file = "HOME/tests/c/minmax.c"
line = 47
begin = 15
end = 16

[_C_15]
file = "HOME/tests/c/minmax.c"
line = 57
begin = 12
end = 32

[_C_10]
file = "HOME/tests/c/minmax.c"
line = 53
begin = 15
end = 16

[_C_8]
file = "HOME/tests/c/minmax.c"
line = 47
begin = 15
end = 16

[_C_18]
file = "HOME/tests/c/minmax.c"
line = 63
begin = 12
end = 32

[dmin]
name = "Function dmin"
file = "HOME/tests/c/minmax.c"
line = 64
begin = 7
end = 11

[_C_14]
file = "HOME/tests/c/minmax.c"
line = 59
begin = 15
end = 16

[dmax]
name = "Function dmax"
file = "HOME/tests/c/minmax.c"
line = 58
begin = 7
end = 11

[_C_2]
file = "HOME/tests/c/minmax.c"
line = 35
begin = 15
end = 16

[_C_16]
file = "HOME/tests/c/minmax.c"
line = 65
begin = 15
end = 16

[_C_1]
file = "HOME/tests/c/minmax.c"
line = 35
begin = 15
end = 16

[_C_11]
file = "HOME/tests/c/minmax.c"
line = 53
begin = 15
end = 16

========== jessie execution ==========
Generating Why function max
Generating Why function min
Generating Why function fmax
Generating Why function fmin
Generating Why function dmax
Generating Why function dmin
========== file tests/c/minmax.jessie/minmax.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs minmax.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs minmax.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/minmax_why.sx

project: why/minmax.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/minmax_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/minmax_why.vo

coq/minmax_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/minmax_why.v: why/minmax.why
	@echo 'why -coq [...] why/minmax.why' && $(WHY) $(JESSIELIBFILES) why/minmax.why && rm -f coq/jessie_why.v

coq-goals: goals coq/minmax_ctx_why.vo
	for f in why/*_po*.why; do make -f minmax.makefile coq/`basename $$f .why`_why.v ; done

coq/minmax_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/minmax_ctx_why.v: why/minmax_ctx.why
	@echo 'why -coq [...] why/minmax_ctx.why' && $(WHY) why/minmax_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export minmax_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/minmax_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/minmax_ctx_why.vo

pvs: pvs/minmax_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/minmax_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/minmax_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/minmax_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/minmax_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/minmax_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/minmax_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/minmax_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/minmax_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/minmax_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/minmax_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/minmax_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/minmax_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/minmax_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/minmax_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: minmax.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/minmax_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: minmax.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: minmax.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: minmax.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include minmax.depend

depend: coq/minmax_why.v
	-$(COQDEP) -I coq coq/minmax*_why.v > minmax.depend

clean:
	rm -f coq/*.vo

========== file tests/c/minmax.jessie/minmax.loc ==========
[dmax_safety]
name = "Function dmax"
behavior = "Safety"
file = "HOME/tests/c/minmax.c"
line = 58
begin = 7
end = 11

[JC_45]
file = "HOME/tests/c/minmax.c"
line = 63
begin = 12
end = 32

[fmax_safety]
name = "Function fmax"
behavior = "Safety"
file = "HOME/tests/c/minmax.c"
line = 46
begin = 6
end = 10

[fmin_ensures_default]
name = "Function fmin"
behavior = "default behavior"
file = "HOME/tests/c/minmax.c"
line = 52
begin = 6
end = 10

[JC_31]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_17]
file = "HOME/tests/c/minmax.c"
line = 46
begin = 6
end = 10

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/tests/c/minmax.c"
line = 45
begin = 12
end = 32

[JC_5]
file = "HOME/tests/c/minmax.c"
line = 33
begin = 12
end = 32

[JC_9]
file = "HOME/tests/c/minmax.c"
line = 40
begin = 4
end = 7

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/c/minmax.c"
line = 52
begin = 6
end = 10

[JC_41]
file = "HOME/tests/c/minmax.c"
line = 64
begin = 7
end = 11

[min_ensures_default]
name = "Function min"
behavior = "default behavior"
file = "HOME/tests/c/minmax.c"
line = 40
begin = 4
end = 7

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/c/minmax.c"
line = 39
begin = 12
end = 32

[JC_11]
file = "HOME/tests/c/minmax.c"
line = 40
begin = 4
end = 7

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[dmin_ensures_default]
name = "Function dmin"
behavior = "default behavior"
file = "HOME/tests/c/minmax.c"
line = 64
begin = 7
end = 11

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[min_safety]
name = "Function min"
behavior = "Safety"
file = "HOME/tests/c/minmax.c"
line = 40
begin = 4
end = 7

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/c/minmax.c"
line = 58
begin = 7
end = 11

[JC_27]
file = "HOME/tests/c/minmax.c"
line = 52
begin = 6
end = 10

[JC_38]
file = "HOME/tests/c/minmax.c"
line = 57
begin = 12
end = 32

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/minmax.c"
line = 33
begin = 12
end = 32

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[max_safety]
name = "Function max"
behavior = "Safety"
file = "HOME/tests/c/minmax.c"
line = 34
begin = 4
end = 7

[dmax_ensures_default]
name = "Function dmax"
behavior = "default behavior"
file = "HOME/tests/c/minmax.c"
line = 58
begin = 7
end = 11

[JC_46]
file = "HOME/tests/c/minmax.c"
line = 63
begin = 12
end = 32

[fmax_ensures_default]
name = "Function fmax"
behavior = "default behavior"
file = "HOME/tests/c/minmax.c"
line = 46
begin = 6
end = 10

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[dmin_safety]
name = "Function dmin"
behavior = "Safety"
file = "HOME/tests/c/minmax.c"
line = 64
begin = 7
end = 11

[JC_33]
file = "HOME/tests/c/minmax.c"
line = 58
begin = 7
end = 11

[JC_29]
file = "HOME/tests/c/minmax.c"
line = 51
begin = 12
end = 32

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
file = "HOME/tests/c/minmax.c"
line = 64
begin = 7
end = 11

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
file = "HOME/tests/c/minmax.c"
line = 39
begin = 12
end = 32

[JC_21]
file = "HOME/tests/c/minmax.c"
line = 45
begin = 12
end = 32

[JC_1]
file = "HOME/tests/c/minmax.c"
line = 34
begin = 4
end = 7

[JC_37]
file = "HOME/tests/c/minmax.c"
line = 57
begin = 12
end = 32

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[max_ensures_default]
name = "Function max"
behavior = "default behavior"
file = "HOME/tests/c/minmax.c"
line = 34
begin = 4
end = 7

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/minmax.c"
line = 34
begin = 4
end = 7

[fmin_safety]
name = "Function fmin"
behavior = "Safety"
file = "HOME/tests/c/minmax.c"
line = 52
begin = 6
end = 10

[JC_19]
file = "HOME/tests/c/minmax.c"
line = 46
begin = 6
end = 10

[JC_30]
file = "HOME/tests/c/minmax.c"
line = 51
begin = 12
end = 32

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/minmax.jessie/why/minmax.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter dmax :
 x_0:double ->
  y:double ->
   { } double
   { (JC_38:
     (double_value(result) = real_max(double_value(x_0), double_value(y)))) }

parameter dmax_requires :
 x_0:double ->
  y:double ->
   { } double
   { (JC_38:
     (double_value(result) = real_max(double_value(x_0), double_value(y)))) }

parameter dmin :
 x_0_0:double ->
  y_0:double ->
   { } double
   { (JC_46:
     (double_value(result) = real_min(double_value(x_0_0), double_value(y_0)))) }

parameter dmin_requires :
 x_0_0:double ->
  y_0:double ->
   { } double
   { (JC_46:
     (double_value(result) = real_min(double_value(x_0_0), double_value(y_0)))) }

parameter fmax :
 x_1:single ->
  y_1:single ->
   { } single
   { (JC_22:
     (single_value(result) = real_max(single_value(x_1), single_value(y_1)))) }

parameter fmax_requires :
 x_1:single ->
  y_1:single ->
   { } single
   { (JC_22:
     (single_value(result) = real_max(single_value(x_1), single_value(y_1)))) }

parameter fmin :
 x_2:single ->
  y_2:single ->
   { } single
   { (JC_30:
     (single_value(result) = real_min(single_value(x_2), single_value(y_2)))) }

parameter fmin_requires :
 x_2:single ->
  y_2:single ->
   { } single
   { (JC_30:
     (single_value(result) = real_min(single_value(x_2), single_value(y_2)))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter max :
 x_3:int32 ->
  y_3:int32 ->
   { } int32
   { (JC_6:
     (integer_of_int32(result) = int_max(integer_of_int32(x_3),
                                 integer_of_int32(y_3)))) }

parameter max_requires :
 x_3:int32 ->
  y_3:int32 ->
   { } int32
   { (JC_6:
     (integer_of_int32(result) = int_max(integer_of_int32(x_3),
                                 integer_of_int32(y_3)))) }

parameter min :
 x_4:int32 ->
  y_4:int32 ->
   { } int32
   { (JC_14:
     (integer_of_int32(result) = int_min(integer_of_int32(x_4),
                                 integer_of_int32(y_4)))) }

parameter min_requires :
 x_4:int32 ->
  y_4:int32 ->
   { } int32
   { (JC_14:
     (integer_of_int32(result) = int_min(integer_of_int32(x_4),
                                 integer_of_int32(y_4)))) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let dmax_ensures_default =
 fun (x_0 : double) (y : double) ->
  { (JC_36: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp_3 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((le_double_ x_0) y) then begin   (tmp_3 := y); !tmp_3 end
       else begin   (tmp_3 := x_0); !tmp_3 end) in void); (return := !tmp_3);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_37:
    (double_value(result) = real_max(double_value(x_0), double_value(y)))) }

let dmax_safety =
 fun (x_0 : double) (y : double) ->
  { (JC_36: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp_3 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((le_double_ x_0) y) then begin   (tmp_3 := y); !tmp_3 end
       else begin   (tmp_3 := x_0); !tmp_3 end) in void); (return := !tmp_3);
      (raise Return) end); absurd  end with Return -> !return end)) { true }

let dmin_ensures_default =
 fun (x_0_0 : double) (y_0 : double) ->
  { (JC_44: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp_4 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((le_double_ x_0_0) y_0) then begin   (tmp_4 := x_0_0); !tmp_4 end
       else begin   (tmp_4 := y_0); !tmp_4 end) in void); (return := !tmp_4);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_45:
    (double_value(result) = real_min(double_value(x_0_0), double_value(y_0)))) }

let dmin_safety =
 fun (x_0_0 : double) (y_0 : double) ->
  { (JC_44: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let tmp_4 = ref (any_double void) in
     begin
       (let _jessie_ =
       (if ((le_double_ x_0_0) y_0) then begin   (tmp_4 := x_0_0); !tmp_4 end
       else begin   (tmp_4 := y_0); !tmp_4 end) in void); (return := !tmp_4);
      (raise Return) end); absurd  end with Return -> !return end)) { true }

let fmax_ensures_default =
 fun (x_1 : single) (y_1 : single) ->
  { (JC_20: true) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let tmp_1 = ref (any_single void) in
     begin
       (let _jessie_ =
       (if ((le_single_ x_1) y_1) then begin   (tmp_1 := y_1); !tmp_1 end
       else begin   (tmp_1 := x_1); !tmp_1 end) in void); (return := !tmp_1);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_21:
    (single_value(result) = real_max(single_value(x_1), single_value(y_1)))) }

let fmax_safety =
 fun (x_1 : single) (y_1 : single) ->
  { (JC_20: true) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let tmp_1 = ref (any_single void) in
     begin
       (let _jessie_ =
       (if ((le_single_ x_1) y_1) then begin   (tmp_1 := y_1); !tmp_1 end
       else begin   (tmp_1 := x_1); !tmp_1 end) in void); (return := !tmp_1);
      (raise Return) end); absurd  end with Return -> !return end)) { true }

let fmin_ensures_default =
 fun (x_2 : single) (y_2 : single) ->
  { (JC_28: true) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let tmp_2 = ref (any_single void) in
     begin
       (let _jessie_ =
       (if ((le_single_ x_2) y_2) then begin   (tmp_2 := x_2); !tmp_2 end
       else begin   (tmp_2 := y_2); !tmp_2 end) in void); (return := !tmp_2);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_29:
    (single_value(result) = real_min(single_value(x_2), single_value(y_2)))) }

let fmin_safety =
 fun (x_2 : single) (y_2 : single) ->
  { (JC_28: true) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let tmp_2 = ref (any_single void) in
     begin
       (let _jessie_ =
       (if ((le_single_ x_2) y_2) then begin   (tmp_2 := x_2); !tmp_2 end
       else begin   (tmp_2 := y_2); !tmp_2 end) in void); (return := !tmp_2);
      (raise Return) end); absurd  end with Return -> !return end)) { true }

let max_ensures_default =
 fun (x_3 : int32) (y_3 : int32) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((le_int_ (integer_of_int32 x_3)) (integer_of_int32 y_3))
       then begin   (tmp := y_3); !tmp end
       else begin   (tmp := x_3); !tmp end) in void); (return := !tmp);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_5:
    (integer_of_int32(result) = int_max(integer_of_int32(x_3),
                                integer_of_int32(y_3)))) }

let max_safety =
 fun (x_3 : int32) (y_3 : int32) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((le_int_ (integer_of_int32 x_3)) (integer_of_int32 y_3))
       then begin   (tmp := y_3); !tmp end
       else begin   (tmp := x_3); !tmp end) in void); (return := !tmp);
      (raise Return) end); absurd  end with Return -> !return end)) { true }

let min_ensures_default =
 fun (x_4 : int32) (y_4 : int32) ->
  { (JC_12: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((le_int_ (integer_of_int32 x_4)) (integer_of_int32 y_4))
       then begin   (tmp_0 := x_4); !tmp_0 end
       else begin   (tmp_0 := y_4); !tmp_0 end) in void); (return := !tmp_0);
      (raise Return) end); absurd  end with Return -> !return end))
  { (JC_13:
    (integer_of_int32(result) = int_min(integer_of_int32(x_4),
                                integer_of_int32(y_4)))) }

let min_safety =
 fun (x_4 : int32) (y_4 : int32) ->
  { (JC_12: true) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((le_int_ (integer_of_int32 x_4)) (integer_of_int32 y_4))
       then begin   (tmp_0 := x_4); !tmp_0 end
       else begin   (tmp_0 := y_4); !tmp_0 end) in void); (return := !tmp_0);
      (raise Return) end); absurd  end with Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/minmax.why
========== file tests/c/minmax.jessie/why/minmax_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal dmax_ensures_default_po_1:
  forall x_0:double.
  forall y:double.
  ("JC_36": true) ->
  (double_value(x_0) <= double_value(y)) ->
  forall tmp_3:double.
  (tmp_3 = y) ->
  forall return:double.
  (return = tmp_3) ->
  ("JC_37": (double_value(return) = real_max(double_value(x_0),
  double_value(y))))

goal dmax_ensures_default_po_2:
  forall x_0:double.
  forall y:double.
  ("JC_36": true) ->
  (double_value(x_0) > double_value(y)) ->
  forall tmp_3:double.
  (tmp_3 = x_0) ->
  forall return:double.
  (return = tmp_3) ->
  ("JC_37": (double_value(return) = real_max(double_value(x_0),
  double_value(y))))

goal dmin_ensures_default_po_1:
  forall x_0_0:double.
  forall y_0:double.
  ("JC_44": true) ->
  (double_value(x_0_0) <= double_value(y_0)) ->
  forall tmp_4:double.
  (tmp_4 = x_0_0) ->
  forall return:double.
  (return = tmp_4) ->
  ("JC_45": (double_value(return) = real_min(double_value(x_0_0),
  double_value(y_0))))

goal dmin_ensures_default_po_2:
  forall x_0_0:double.
  forall y_0:double.
  ("JC_44": true) ->
  (double_value(x_0_0) > double_value(y_0)) ->
  forall tmp_4:double.
  (tmp_4 = y_0) ->
  forall return:double.
  (return = tmp_4) ->
  ("JC_45": (double_value(return) = real_min(double_value(x_0_0),
  double_value(y_0))))

goal fmax_ensures_default_po_1:
  forall x_1:single.
  forall y_1:single.
  ("JC_20": true) ->
  (single_value(x_1) <= single_value(y_1)) ->
  forall tmp_1:single.
  (tmp_1 = y_1) ->
  forall return:single.
  (return = tmp_1) ->
  ("JC_21": (single_value(return) = real_max(single_value(x_1),
  single_value(y_1))))

goal fmax_ensures_default_po_2:
  forall x_1:single.
  forall y_1:single.
  ("JC_20": true) ->
  (single_value(x_1) > single_value(y_1)) ->
  forall tmp_1:single.
  (tmp_1 = x_1) ->
  forall return:single.
  (return = tmp_1) ->
  ("JC_21": (single_value(return) = real_max(single_value(x_1),
  single_value(y_1))))

goal fmin_ensures_default_po_1:
  forall x_2:single.
  forall y_2:single.
  ("JC_28": true) ->
  (single_value(x_2) <= single_value(y_2)) ->
  forall tmp_2:single.
  (tmp_2 = x_2) ->
  forall return:single.
  (return = tmp_2) ->
  ("JC_29": (single_value(return) = real_min(single_value(x_2),
  single_value(y_2))))

goal fmin_ensures_default_po_2:
  forall x_2:single.
  forall y_2:single.
  ("JC_28": true) ->
  (single_value(x_2) > single_value(y_2)) ->
  forall tmp_2:single.
  (tmp_2 = y_2) ->
  forall return:single.
  (return = tmp_2) ->
  ("JC_29": (single_value(return) = real_min(single_value(x_2),
  single_value(y_2))))

goal max_ensures_default_po_1:
  forall x_3:int32.
  forall y_3:int32.
  ("JC_4": true) ->
  (integer_of_int32(x_3) <= integer_of_int32(y_3)) ->
  forall tmp:int32.
  (tmp = y_3) ->
  forall return:int32.
  (return = tmp) ->
  ("JC_5": (integer_of_int32(return) = int_max(integer_of_int32(x_3),
  integer_of_int32(y_3))))

goal max_ensures_default_po_2:
  forall x_3:int32.
  forall y_3:int32.
  ("JC_4": true) ->
  (integer_of_int32(x_3) > integer_of_int32(y_3)) ->
  forall tmp:int32.
  (tmp = x_3) ->
  forall return:int32.
  (return = tmp) ->
  ("JC_5": (integer_of_int32(return) = int_max(integer_of_int32(x_3),
  integer_of_int32(y_3))))

goal min_ensures_default_po_1:
  forall x_4:int32.
  forall y_4:int32.
  ("JC_12": true) ->
  (integer_of_int32(x_4) <= integer_of_int32(y_4)) ->
  forall tmp_0:int32.
  (tmp_0 = x_4) ->
  forall return:int32.
  (return = tmp_0) ->
  ("JC_13": (integer_of_int32(return) = int_min(integer_of_int32(x_4),
  integer_of_int32(y_4))))

goal min_ensures_default_po_2:
  forall x_4:int32.
  forall y_4:int32.
  ("JC_12": true) ->
  (integer_of_int32(x_4) > integer_of_int32(y_4)) ->
  forall tmp_0:int32.
  (tmp_0 = y_4) ->
  forall return:int32.
  (return = tmp_0) ->
  ("JC_13": (integer_of_int32(return) = int_min(integer_of_int32(x_4),
  integer_of_int32(y_4))))

why-2.34/tests/c/oracle/Sterbenz.res.oracle0000644000175000017500000024552212311670312017233 0ustar  rtusers========== file tests/c/Sterbenz.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNCOQ: will ask regtests to check Coq proofs of this program

/*@ requires  y / 2.0 <= x <= 2.0 * y;
  @ ensures   \result == x - y;
  @*/
float Sterbenz(float x, float y) {
  //@ assert 0.0 <= y;
  //@ assert 0.0 <= x;
  return x-y;
}


/*
Local Variables:
compile-command: "make Sterbenz.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/Sterbenz.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/Sterbenz.jessie
[jessie] File tests/c/Sterbenz.jessie/Sterbenz.jc written.
[jessie] File tests/c/Sterbenz.jessie/Sterbenz.cloc written.
========== file tests/c/Sterbenz.jessie/Sterbenz.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

float Sterbenz(float x, float y)
  requires (_C_6 : ((_C_7 : (((y :> real) / 2.0) <= (x :> real))) &&
                     (_C_8 : ((x :> real) <= (2.0 * (y :> real))))));
behavior default:
  ensures (_C_5 : ((\result :> real) ==
                    ((\at(x,Old) :> real) - (\at(y,Old) :> real))));
{  
   (var float __retres);
   
   {  
      {  
         (assert for default: (_C_1 : (jessie : (0.0 <= (y :> real)))));
         ()
      };
      
      {  
         (assert for default: (_C_2 : (jessie : (0.0 <= (x :> real)))));
         ()
      };
      
      {  (_C_4 : (__retres = (_C_3 : (x - y))));
         
         (return __retres)
      }
   }
}
========== file tests/c/Sterbenz.jessie/Sterbenz.cloc ==========
[_C_4]
file = "HOME/tests/c/Sterbenz.c"
line = 40
begin = 2
end = 13

[_C_5]
file = "HOME/tests/c/Sterbenz.c"
line = 35
begin = 12
end = 28

[_C_6]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 13
end = 36

[_C_3]
file = "HOME/tests/c/Sterbenz.c"
line = 40
begin = 9
end = 12

[Sterbenz]
name = "Function Sterbenz"
file = "HOME/tests/c/Sterbenz.c"
line = 37
begin = 6
end = 14

[_C_7]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 13
end = 25

[_C_8]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 24
end = 36

[_C_2]
file = "HOME/tests/c/Sterbenz.c"
line = 39
begin = 13
end = 21

[_C_1]
file = "HOME/tests/c/Sterbenz.c"
line = 38
begin = 13
end = 21

========== jessie execution ==========
Generating Why function Sterbenz
========== file tests/c/Sterbenz.jessie/Sterbenz.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Sterbenz.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs Sterbenz.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/Sterbenz_why.sx

project: why/Sterbenz.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/Sterbenz_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/Sterbenz_why.vo

coq/Sterbenz_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Sterbenz_why.v: why/Sterbenz.why
	@echo 'why -coq [...] why/Sterbenz.why' && $(WHY) $(JESSIELIBFILES) why/Sterbenz.why && rm -f coq/jessie_why.v

coq-goals: goals coq/Sterbenz_ctx_why.vo
	for f in why/*_po*.why; do make -f Sterbenz.makefile coq/`basename $$f .why`_why.v ; done

coq/Sterbenz_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/Sterbenz_ctx_why.v: why/Sterbenz_ctx.why
	@echo 'why -coq [...] why/Sterbenz_ctx.why' && $(WHY) why/Sterbenz_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export Sterbenz_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/Sterbenz_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/Sterbenz_ctx_why.vo

pvs: pvs/Sterbenz_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/Sterbenz_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/Sterbenz_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/Sterbenz_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/Sterbenz_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/Sterbenz_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/Sterbenz_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/Sterbenz_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/Sterbenz_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/Sterbenz_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/Sterbenz_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/Sterbenz_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/Sterbenz_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/Sterbenz_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/Sterbenz_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: Sterbenz.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/Sterbenz_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: Sterbenz.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: Sterbenz.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: Sterbenz.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include Sterbenz.depend

depend: coq/Sterbenz_why.v
	-$(COQDEP) -I coq coq/Sterbenz*_why.v > Sterbenz.depend

clean:
	rm -f coq/*.vo

========== file tests/c/Sterbenz.jessie/Sterbenz.loc ==========
[JC_17]
file = "HOME/tests/c/Sterbenz.c"
line = 39
begin = 13
end = 21

[Sterbenz_ensures_default]
name = "Function Sterbenz"
behavior = "default behavior"
file = "HOME/tests/c/Sterbenz.c"
line = 37
begin = 6
end = 14

[JC_5]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 13
end = 25

[JC_9]
file = "HOME/tests/c/Sterbenz.c"
line = 35
begin = 12
end = 28

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/c/Sterbenz.c"
line = 38
begin = 13
end = 21

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
kind = FPOverflow
file = "HOME/tests/c/Sterbenz.c"
line = 40
begin = 9
end = 12

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 24
end = 36

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[Sterbenz_safety]
name = "Function Sterbenz"
behavior = "Safety"
file = "HOME/tests/c/Sterbenz.c"
line = 37
begin = 6
end = 14

[JC_7]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 13
end = 36

[JC_16]
file = "HOME/tests/c/Sterbenz.c"
line = 38
begin = 13
end = 21

[JC_2]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 24
end = 36

[JC_14]
file = "HOME/tests/c/Sterbenz.c"
line = 39
begin = 13
end = 21

[JC_1]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 13
end = 25

[JC_10]
file = "HOME/tests/c/Sterbenz.c"
line = 35
begin = 12
end = 28

[JC_18]
kind = FPOverflow
file = "HOME/tests/c/Sterbenz.c"
line = 40
begin = 9
end = 12

[JC_3]
file = "HOME/tests/c/Sterbenz.c"
line = 34
begin = 13
end = 36

========== file tests/c/Sterbenz.jessie/why/Sterbenz.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter Sterbenz :
 x_0:single ->
  y:single ->
   { } single
   { (JC_10:
     (single_value(result) = sub_real(single_value(x_0), single_value(y)))) }

parameter Sterbenz_requires :
 x_0:single ->
  y:single ->
   { (JC_3:
     ((JC_1: le_real(div_real(single_value(y), 2.0), single_value(x_0)))
     and (JC_2: le_real(single_value(x_0), mul_real(2.0, single_value(y))))))}
   single
   { (JC_10:
     (single_value(result) = sub_real(single_value(x_0), single_value(y)))) }

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let Sterbenz_ensures_default =
 fun (x_0 : single) (y : single) ->
  { (JC_7:
    ((JC_5: le_real(div_real(single_value(y), 2.0), single_value(x_0)))
    and (JC_6: le_real(single_value(x_0), mul_real(2.0, single_value(y)))))) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let __retres = ref (any_single void) in
     begin
       (assert { (JC_16: le_real(0.0, single_value(y))) }; void); void;
      (assert { (JC_17: le_real(0.0, single_value(x_0))) }; void); void;
      (let _jessie_ =
      (__retres := (JC_18: (((sub_single_safe nearest_even) x_0) y))) in
      void); (return := !__retres); (raise Return) end); absurd  end with
   Return -> !return end))
  { (JC_9:
    (single_value(result) = sub_real(single_value(x_0), single_value(y)))) }

let Sterbenz_safety =
 fun (x_0 : single) (y : single) ->
  { (JC_7:
    ((JC_5: le_real(div_real(single_value(y), 2.0), single_value(x_0)))
    and (JC_6: le_real(single_value(x_0), mul_real(2.0, single_value(y)))))) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let __retres = ref (any_single void) in
     begin
       [ { } unit { (JC_13: le_real(0.0, single_value(y))) } ]; void;
      [ { } unit { (JC_14: le_real(0.0, single_value(x_0))) } ]; void;
      (let _jessie_ =
      (__retres := (JC_15: (((sub_single nearest_even) x_0) y))) in void);
      (return := !__retres); (raise Return) end); absurd  end with Return ->
   !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/Sterbenz.why
========== file tests/c/Sterbenz.jessie/why/Sterbenz_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal Sterbenz_ensures_default_po_1:
  forall x_0:single.
  forall y:single.
  ("JC_7":
  (("JC_5": (div_real(single_value(y), 2.0) <= single_value(x_0))) and
   ("JC_6": (single_value(x_0) <= (2.0 * single_value(y)))))) ->
  ("JC_16": (0.0 <= single_value(y)))

goal Sterbenz_ensures_default_po_2:
  forall x_0:single.
  forall y:single.
  ("JC_7":
  (("JC_5": (div_real(single_value(y), 2.0) <= single_value(x_0))) and
   ("JC_6": (single_value(x_0) <= (2.0 * single_value(y)))))) ->
  ("JC_16": (0.0 <= single_value(y))) ->
  ("JC_17": (0.0 <= single_value(x_0)))

goal Sterbenz_ensures_default_po_3:
  forall x_0:single.
  forall y:single.
  ("JC_7":
  (("JC_5": (div_real(single_value(y), 2.0) <= single_value(x_0))) and
   ("JC_6": (single_value(x_0) <= (2.0 * single_value(y)))))) ->
  ("JC_16": (0.0 <= single_value(y))) ->
  ("JC_17": (0.0 <= single_value(x_0))) ->
  forall result:single.
  sub_single_post(nearest_even, x_0, y, result) ->
  forall __retres:single.
  (__retres = result) ->
  forall return:single.
  (return = __retres) ->
  ("JC_9": (single_value(return) = (single_value(x_0) - single_value(y))))

goal Sterbenz_safety_po_1:
  forall x_0:single.
  forall y:single.
  ("JC_7":
  (("JC_5": (div_real(single_value(y), 2.0) <= single_value(x_0))) and
   ("JC_6": (single_value(x_0) <= (2.0 * single_value(y)))))) ->
  ("JC_13": (0.0 <= single_value(y))) ->
  ("JC_14": (0.0 <= single_value(x_0))) ->
  no_overflow_single(nearest_even, (single_value(x_0) - single_value(y)))

// RUNCOQ: will ask regtests to check Coq proofs of this program
========== generation of Coq VC output ==========
why -coq [...] why/Sterbenz.why
File "/home/marche/why2/tests/c/Sterbenz.jessie/coq/Sterbenz_why.v", line 4, characters 0-37:
Error: Cannot find library WhyFloatsStrictLegacy in loadpath
========== file tests/c/Sterbenz.jessie/coq/Sterbenz_why.v ==========
(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export jessie_why.
Require Export WhyFloatsStrictLegacy.

(*Why type*) Definition charP: Set.
Admitted.

(*Why type*) Definition int8: Set.
Admitted.

(*Why type*) Definition padding: Set.
Admitted.

(*Why type*) Definition uint8: Set.
Admitted.

(*Why type*) Definition unsigned_charP: Set.
Admitted.

(*Why type*) Definition voidP: Set.
Admitted.

(*Why logic*) Definition charP_tag : (tag_id charP).
Admitted.

(*Why axiom*) Lemma charP_int : (int_of_tag charP_tag) = 1.
Admitted.
Dp_hint charP_int.

(*Why logic*) Definition charP_of_pointer_address :
  (pointer unit) -> (pointer charP).
Admitted.

(*Why axiom*) Lemma charP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer charP)),
   p = (charP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint charP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma charP_parenttag_bottom :
  (parenttag charP_tag (@bottom_tag charP)).
Admitted.
Dp_hint charP_parenttag_bottom.

(*Why axiom*) Lemma charP_tags :
  (forall (x:(pointer charP)),
   (forall (charP_tag_table:(tag_table charP)),
    (instanceof charP_tag_table x charP_tag))).
Admitted.
Dp_hint charP_tags.

(*Why logic*) Definition integer_of_int8 : int8 -> Z.
Admitted.

(*Why predicate*) Definition eq_int8  (x:int8) (y:int8)
  := (integer_of_int8 x) = (integer_of_int8 y).

(*Why logic*) Definition integer_of_uint8 : uint8 -> Z.
Admitted.

(*Why predicate*) Definition eq_uint8  (x:uint8) (y:uint8)
  := (integer_of_uint8 x) = (integer_of_uint8 y).

(*Why logic*) Definition int8_of_integer : Z -> int8.
Admitted.

(*Why axiom*) Lemma int8_coerce :
  (forall (x:Z),
   ((-128) <= x /\ x <= 127 -> (integer_of_int8 (int8_of_integer x)) = x)).
Admitted.

(*Why axiom*) Lemma int8_extensionality :
  (forall (x:int8),
   (forall (y:int8), ((integer_of_int8 x) = (integer_of_int8 y) -> x = y))).
Admitted.
Dp_hint int8_extensionality.

(*Why axiom*) Lemma int8_range :
  (forall (x:int8), (-128) <= (integer_of_int8 x) /\ (integer_of_int8 x) <=
   127).
Admitted.



(*Why predicate*) Definition left_valid_struct_charP  (p:(pointer charP)) (a:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_voidP  (p:(pointer voidP)) (a:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a.

(*Why axiom*) Lemma pointer_addr_of_charP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (charP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_charP_of_pointer_address.

(*Why logic*) Definition unsigned_charP_of_pointer_address :
  (pointer unit) -> (pointer unsigned_charP).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_unsigned_charP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (unsigned_charP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_unsigned_charP_of_pointer_address.

(*Why logic*) Definition voidP_of_pointer_address :
  (pointer unit) -> (pointer voidP).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_voidP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (voidP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_voidP_of_pointer_address.

(*Why predicate*) Definition right_valid_struct_charP  (p:(pointer charP)) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_voidP  (p:(pointer voidP)) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_max voidP_alloc_table p) >= b.

(*Why predicate*) Definition strict_valid_root_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) = a /\
     (offset_max charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) = a /\
     (offset_max unsigned_charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) = a /\
     (offset_max voidP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) = a /\
     (offset_max charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) = a /\
     (offset_max unsigned_charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) = a /\
     (offset_max voidP_alloc_table p) = b.

(*Why logic*) Definition uint8_of_integer : Z -> uint8.
Admitted.

(*Why axiom*) Lemma uint8_coerce :
  (forall (x:Z),
   (0 <= x /\ x <= 255 -> (integer_of_uint8 (uint8_of_integer x)) = x)).
Admitted.
Dp_hint uint8_coerce.

(*Why axiom*) Lemma uint8_extensionality :
  (forall (x:uint8),
   (forall (y:uint8), ((integer_of_uint8 x) = (integer_of_uint8 y) -> x = y))).
Admitted.
Dp_hint uint8_extensionality.

(*Why axiom*) Lemma uint8_range :
  (forall (x:uint8), 0 <= (integer_of_uint8 x) /\ (integer_of_uint8 x) <= 255).
Admitted.
Dp_hint uint8_range.

(*Why logic*) Definition unsigned_charP_tag : (tag_id unsigned_charP).
Admitted.

(*Why axiom*) Lemma unsigned_charP_int : (int_of_tag unsigned_charP_tag) = 1.
Admitted.
Dp_hint unsigned_charP_int.

(*Why axiom*) Lemma unsigned_charP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer unsigned_charP)),
   p = (unsigned_charP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint unsigned_charP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma unsigned_charP_parenttag_bottom :
  (parenttag unsigned_charP_tag (@bottom_tag unsigned_charP)).
Admitted.
Dp_hint unsigned_charP_parenttag_bottom.

(*Why axiom*) Lemma unsigned_charP_tags :
  (forall (x:(pointer unsigned_charP)),
   (forall (unsigned_charP_tag_table:(tag_table unsigned_charP)),
    (instanceof unsigned_charP_tag_table x unsigned_charP_tag))).
Admitted.
Dp_hint unsigned_charP_tags.

(*Why predicate*) Definition valid_root_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a /\
     (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a /\
     (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a /\
     (offset_max voidP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a /\
     (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a /\
     (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a /\
     (offset_max voidP_alloc_table p) >= b.

(*Why logic*) Definition voidP_tag : (tag_id voidP).
Admitted.

(*Why axiom*) Lemma voidP_int : (int_of_tag voidP_tag) = 1.
Admitted.
Dp_hint voidP_int.

(*Why axiom*) Lemma voidP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer voidP)),
   p = (voidP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint voidP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma voidP_parenttag_bottom :
  (parenttag voidP_tag (@bottom_tag voidP)).
Admitted.
Dp_hint voidP_parenttag_bottom.

(*Why axiom*) Lemma voidP_tags :
  (forall (x:(pointer voidP)),
   (forall (voidP_tag_table:(tag_table voidP)),
    (instanceof voidP_tag_table x voidP_tag))).
Admitted.
Dp_hint voidP_tags.

(* Why obligation from file "Sterbenz.c", line 38, characters 13-21: *)
(*Why goal*) Lemma Sterbenz_ensures_default_po_1 : 
  forall (x_0: single),
  forall (y: single),
  forall (HW_1: (* JC_7 *)
                ((* JC_5 *)
                 (Rle (Rdiv (single_value y) (2)%R) (single_value x_0)) /\
                (* JC_6 *)
                (Rle (single_value x_0) (Rmult (2)%R (single_value y))))),
  (* JC_16 *) (Rle (0)%R (single_value y)).
Proof.
intros x y (h1,h2).
apply Rmult_le_reg_l with 3%R.
  apply Rlt_le_trans with 2%R; auto with real.
apply Rplus_le_reg_l with (single_value y).
apply Rmult_le_reg_l with (/2)%R; auto with real.
replace (/ 2 * (single_value y + 3 * 0))%R with (single_value y / 2)%R by (unfold Rdiv; ring).
apply Rle_trans with (single_value x); [apply h1|idtac].
apply Rle_trans with  (2 * single_value y)%R; [ apply h2 | right; field].
Qed.

(* Why obligation from file "Sterbenz.c", line 39, characters 13-21: *)
(*Why goal*) Lemma Sterbenz_ensures_default_po_2 : 
  forall (x_0: single),
  forall (y: single),
  forall (HW_1: (* JC_7 *)
                ((* JC_5 *)
                 (Rle (Rdiv (single_value y) (2)%R) (single_value x_0)) /\
                (* JC_6 *)
                (Rle (single_value x_0) (Rmult (2)%R (single_value y))))),
  forall (HW_4: (* JC_16 *) (Rle (0)%R (single_value y))),
  (* JC_17 *) (Rle (0)%R (single_value x_0)).
Proof.
intros x y (h1,h2) y_pos.
apply Rle_trans with (single_value y / 2)%R; [idtac|apply h1].
unfold Rdiv; apply Rmult_le_pos; auto with real.
Save.

(* Why obligation from file "Sterbenz.c", line 35, characters 12-28: *)
(*Why goal*) Lemma Sterbenz_ensures_default_po_3 : 
  forall (x_0: single),
  forall (y: single),
  forall (HW_1: (* JC_7 *)
                ((* JC_5 *)
                 (Rle (Rdiv (single_value y) (2)%R) (single_value x_0)) /\
                (* JC_6 *)
                (Rle (single_value x_0) (Rmult (2)%R (single_value y))))),
  forall (HW_4: (* JC_16 *) (Rle (0)%R (single_value y))),
  forall (HW_5: (* JC_17 *) (Rle (0)%R (single_value x_0))),
  forall (result: single),
  forall (HW_6: (sub_single_post nearest_even x_0 y result)),
  forall (__retres: single),
  forall (HW_7: __retres = result),
  forall (why__return: single),
  forall (HW_8: why__return = __retres),
  (* JC_9 *)
  (eq (single_value why__return) (Rminus (single_value x_0) (single_value y))).
Proof.
intros x y (H1,H2) _ _ r (H4,(H5a,H5b)) r' H6 r'' H7.
rewrite H7,H6,H4; unfold single_value in *.
unfold FtoRradix; rewrite <- Fminus_correct; auto with zarith.
elim (mode_single_RoundingMode nearest_even); intros P (H8,H9).
apply sym_eq; apply RoundedModeProjectorIdemEq with bsingle 24%nat P; try apply psGivesBound; auto with zarith.
apply Sterbenz; auto with zarith; try apply FcanonicBound with radix; try now destruct x; try now destruct y.
fold FtoRradix; apply Rle_trans with (2:=H1); unfold Rdiv; simpl; right; ring.
Save.

(* Why obligation from file "Sterbenz.c", line 40, characters 9-12: *)
(*Why goal*) Lemma Sterbenz_safety_po_1 : 
  forall (x_0: single),
  forall (y: single),
  forall (HW_1: (* JC_7 *)
                ((* JC_5 *)
                 (Rle (Rdiv (single_value y) (2)%R) (single_value x_0)) /\
                (* JC_6 *)
                (Rle (single_value x_0) (Rmult (2)%R (single_value y))))),
  forall (HW_4: (* JC_13 *) (Rle (0)%R (single_value y))),
  forall (HW_5: (* JC_14 *) (Rle (0)%R (single_value x_0))),
  (no_overflow_single
   nearest_even (Rminus (single_value x_0) (single_value y))).
Proof.
intros x y (h1,h2) y_pos x_pos.
apply bounded_real_no_overflow_single.
case (Rle_or_lt (single_value x) (single_value y)); intros.
rewrite Rabs_left1.
ring_simplify.
apply Rle_trans with (-0+single_value y)%R;auto with real.
ring_simplify; rewrite <- (Rabs_right (single_value y)).
apply single_le_strict.
auto with real.
apply Rplus_le_reg_l with (single_value y); now ring_simplify.
rewrite Rabs_right.
ring_simplify.
apply Rle_trans with (single_value x-0)%R.
apply Rplus_le_compat_l; auto with real.
ring_simplify; rewrite <- (Rabs_right (single_value x)).
apply single_le_strict.
auto with real.
apply Rle_ge; apply Rplus_le_reg_l with (single_value y); ring_simplify; auto with real.
Save.

========== running Coq ==========
File "/home/marche/why2/tests/c/Sterbenz.jessie/coq/Sterbenz_why.v", line 4, characters 0-37:
Error: Cannot find library WhyFloatsStrictLegacy in loadpath
why-2.34/tests/c/oracle/maze.res.oracle0000644000175000017500000000633512311670312016370 0ustar  rtusers========== file tests/c/maze.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


void buildMaze(uint n) {

  union_find u = create(n*n);

  //@ ghost integer num_edges = 0;

  /*@ loop invariant num_edges + NumClasses(u) == n*n;
    @*/
  while (num_classes(u) > 1) {
    uint x = rand() % n;
    uint y = rand() % n;
    uint d = rand() % 2;
    uint w = x, z = y;
    id (d == 0) w++; else z++;
    if (w < n && z < n) {
      int a = y*n+x, b = w*n+z;
      if (find(u,a) != find(u,b)) {
	// output_edge(x,y,w,z);
	//@ ghost num_edges++;
	union(a,b);
      }
    }
  }
  // nombre d'aretes = n*n - 1
  //@ assert num_edges == n*n - 1

  // each node is reachable from origin
  //@ assert \forall int x; 0 <= x < n*n ==> same(u,x,0);
}



========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/maze.c"
tests/c/maze.c:33:[kernel] user error: syntax error
[kernel] user error: skipping file "tests/c/maze.c" that has errors.
[kernel] Frama-C aborted: invalid user input.
why-2.34/tests/c/oracle/array_double.res.oracle0000644000175000017500000030577112311670312020112 0ustar  rtusers========== file tests/c/array_double.c ==========



double a[2];
double b[2];
double c[2];


/*@ requires
  \valid(a+(0..1)) &&
  \valid(b+(0..1)) &&
  \valid(c+(0..1)) &&
      \abs(b[0]) <= 1.0 &&
      \abs(b[1]) <= 1.0 &&
      \abs(c[0]) <= 1.0 &&
      \abs(c[1]) <= 1.0 ;
*/
void test() {
  a[0] = b[0] + c[0];
  a[1] = b[1] + c[1];
  //@ assert \abs(a[0] - (b[0] + c[0])) <= 0x1p-53;

}


/*
Local Variables:
compile-command: "make array_double.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/array_double.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/array_double.jessie
[jessie] File tests/c/array_double.jessie/array_double.jc written.
[jessie] File tests/c/array_double.jessie/array_double.cloc written.
========== file tests/c/array_double.jessie/array_double.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag doubleP = {
  double doubleM: 64;
}

type doubleP = [doubleP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

doubleP[0..1] a;

invariant valid_a :
((\offset_min(a) <= 0) && (\offset_max(a) >= 1))

doubleP[0..1] b;

invariant valid_b :
((\offset_min(b) <= 0) && (\offset_max(b) >= 1))

doubleP[0..1] c;

invariant valid_c :
((\offset_min(c) <= 0) && (\offset_max(c) >= 1))

unit test()
  requires (_C_13 : ((((((((_C_20 : (\offset_min(a) <= 0)) &&
                            (_C_21 : (\offset_max(a) >= 1))) &&
                           ((_C_23 : (\offset_min(b) <= 0)) &&
                             (_C_24 : (\offset_max(b) >= 1)))) &&
                          ((_C_26 : (\offset_min(c) <= 0)) &&
                            (_C_27 : (\offset_max(c) >= 1)))) &&
                         (_C_28 : (\real_abs(((b + 0).doubleM :> real)) <=
                                    1.0))) &&
                        (_C_29 : (\real_abs(((b + 1).doubleM :> real)) <=
                                   1.0))) &&
                       (_C_30 : (\real_abs(((c + 0).doubleM :> real)) <= 1.0))) &&
                      (_C_31 : (\real_abs(((c + 1).doubleM :> real)) <= 1.0))));
behavior default:
  ensures (_C_12 : true);
{  
   {  (_C_5 : ((_C_4 : (a + 0).doubleM) = (_C_3 : ((_C_2 : (b + 0).doubleM) +
                                                    (_C_1 : (c + 0).doubleM)))));
      (_C_10 : ((_C_9 : (a + 1).doubleM) = (_C_8 : ((_C_7 : (b + 1).doubleM) +
                                                     (_C_6 : (c + 1).doubleM)))));
      
      {  
         (assert for default: (_C_11 : (jessie : (\real_abs((((a + 0).doubleM :> real) -
                                                              (((b + 0).doubleM :> real) +
                                                                ((c + 0).doubleM :> real)))) <=
                                                   0x1p-53))));
         ()
      };
      
      (return ())
   }
}
========== file tests/c/array_double.jessie/array_double.cloc ==========
[_C_28]
file = "HOME/tests/c/array_double.c"
line = 13
begin = 6
end = 23

[_C_31]
file = "HOME/tests/c/array_double.c"
line = 16
begin = 6
end = 23

[test]
name = "Function test"
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[_C_4]
file = "HOME/tests/c/array_double.c"
line = 19
begin = 9
end = 20

[_C_23]
file = "HOME/tests/c/array_double.c"
line = 11
begin = 2
end = 18

[_C_19]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 18

[_C_13]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 170

[_C_5]
file = "HOME/tests/c/array_double.c"
line = 19
begin = 9
end = 20

[_C_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_22]
file = "HOME/tests/c/array_double.c"
line = 11
begin = 2
end = 18

[_C_9]
file = "HOME/tests/c/array_double.c"
line = 20
begin = 9
end = 20

[_C_30]
file = "HOME/tests/c/array_double.c"
line = 15
begin = 6
end = 23

[_C_6]
file = "HOME/tests/c/array_double.c"
line = 20
begin = 16
end = 20

[_C_24]
file = "HOME/tests/c/array_double.c"
line = 11
begin = 2
end = 18

[_C_20]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 18

[_C_3]
file = "HOME/tests/c/array_double.c"
line = 19
begin = 9
end = 20

[_C_17]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 62

[_C_7]
file = "HOME/tests/c/array_double.c"
line = 20
begin = 9
end = 13

[_C_27]
file = "HOME/tests/c/array_double.c"
line = 12
begin = 2
end = 18

[_C_15]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 116

[_C_26]
file = "HOME/tests/c/array_double.c"
line = 12
begin = 2
end = 18

[_C_10]
file = "HOME/tests/c/array_double.c"
line = 20
begin = 9
end = 20

[_C_8]
file = "HOME/tests/c/array_double.c"
line = 20
begin = 9
end = 20

[_C_18]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 40

[_C_29]
file = "HOME/tests/c/array_double.c"
line = 14
begin = 6
end = 23

[_C_14]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 143

[_C_2]
file = "HOME/tests/c/array_double.c"
line = 19
begin = 9
end = 13

[_C_16]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 89

[_C_1]
file = "HOME/tests/c/array_double.c"
line = 19
begin = 16
end = 20

[_C_25]
file = "HOME/tests/c/array_double.c"
line = 12
begin = 2
end = 18

[_C_11]
file = "HOME/tests/c/array_double.c"
line = 21
begin = 13
end = 50

[_C_21]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 18

========== jessie execution ==========
Generating Why function test
========== file tests/c/array_double.jessie/array_double.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs array_double.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs array_double.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/array_double_why.sx

project: why/array_double.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/array_double_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/array_double_why.vo

coq/array_double_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/array_double_why.v: why/array_double.why
	@echo 'why -coq [...] why/array_double.why' && $(WHY) $(JESSIELIBFILES) why/array_double.why && rm -f coq/jessie_why.v

coq-goals: goals coq/array_double_ctx_why.vo
	for f in why/*_po*.why; do make -f array_double.makefile coq/`basename $$f .why`_why.v ; done

coq/array_double_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/array_double_ctx_why.v: why/array_double_ctx.why
	@echo 'why -coq [...] why/array_double_ctx.why' && $(WHY) why/array_double_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export array_double_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/array_double_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/array_double_ctx_why.vo

pvs: pvs/array_double_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/array_double_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/array_double_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/array_double_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/array_double_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/array_double_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/array_double_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/array_double_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/array_double_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/array_double_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/array_double_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/array_double_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/array_double_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/array_double_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/array_double_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: array_double.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/array_double_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: array_double.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: array_double.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: array_double.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include array_double.depend

depend: coq/array_double_why.v
	-$(COQDEP) -I coq coq/array_double*_why.v > array_double.depend

clean:
	rm -f coq/*.vo

========== file tests/c/array_double.jessie/array_double.loc ==========
[JC_51]
file = "HOME/tests/c/array_double.c"
line = 21
begin = 13
end = 50

[JC_45]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_31]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_17]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_48]
file = "HOME/tests/c/array_double.c"
line = 21
begin = 13
end = 50

[JC_23]
file = "HOME/tests/c/array_double.c"
line = 11
begin = 2
end = 18

[JC_22]
file = "HOME/tests/c/array_double.c"
line = 11
begin = 2
end = 18

[JC_5]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 18

[JC_9]
file = "HOME/tests/c/array_double.c"
line = 12
begin = 2
end = 18

[JC_24]
file = "HOME/tests/c/array_double.c"
line = 12
begin = 2
end = 18

[JC_25]
file = "HOME/tests/c/array_double.c"
line = 12
begin = 2
end = 18

[JC_41]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_47]
kind = FPOverflow
file = "HOME/tests/c/array_double.c"
line = 20
begin = 9
end = 20

[JC_26]
file = "HOME/tests/c/array_double.c"
line = 13
begin = 6
end = 23

[JC_8]
file = "HOME/tests/c/array_double.c"
line = 12
begin = 2
end = 18

[JC_13]
file = "HOME/tests/c/array_double.c"
line = 16
begin = 6
end = 23

[JC_11]
file = "HOME/tests/c/array_double.c"
line = 14
begin = 6
end = 23

[JC_15]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_39]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_40]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/c/array_double.c"
line = 14
begin = 6
end = 23

[JC_38]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_12]
file = "HOME/tests/c/array_double.c"
line = 15
begin = 6
end = 23

[JC_6]
file = "HOME/tests/c/array_double.c"
line = 11
begin = 2
end = 18

[JC_44]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_4]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 18

[JC_42]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_46]
kind = FPOverflow
file = "HOME/tests/c/array_double.c"
line = 19
begin = 9
end = 20

[JC_32]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_33]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_29]
file = "HOME/tests/c/array_double.c"
line = 16
begin = 6
end = 23

[JC_7]
file = "HOME/tests/c/array_double.c"
line = 11
begin = 2
end = 18

[JC_16]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_43]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[test_ensures_default]
name = "Function test"
behavior = "default behavior"
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_34]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_14]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 170

[JC_21]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 18

[JC_49]
kind = FPOverflow
file = "HOME/tests/c/array_double.c"
line = 19
begin = 9
end = 20

[JC_37]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/tests/c/array_double.c"
line = 13
begin = 6
end = 23

[test_safety]
name = "Function test"
behavior = "Safety"
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_20]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 18

[JC_18]
file = "HOME/tests/c/array_double.c"
line = 18
begin = 5
end = 9

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
kind = FPOverflow
file = "HOME/tests/c/array_double.c"
line = 20
begin = 9
end = 20

[JC_30]
file = "HOME/tests/c/array_double.c"
line = 10
begin = 2
end = 170

[JC_28]
file = "HOME/tests/c/array_double.c"
line = 15
begin = 6
end = 23

========== file tests/c/array_double.jessie/why/array_double.why ==========
type a_1

type b_2

type c_3

type charP

type doubleP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic a:  -> doubleP pointer

logic b:  -> doubleP pointer

logic c:  -> doubleP pointer

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic doubleP_tag:  -> doubleP tag_id

axiom doubleP_int : (int_of_tag(doubleP_tag) = (1))

logic doubleP_of_pointer_address: unit pointer -> doubleP pointer

axiom doubleP_of_pointer_address_of_pointer_addr :
 (forall p:doubleP pointer.
  (p = doubleP_of_pointer_address(pointer_address(p))))

axiom doubleP_parenttag_bottom : parenttag(doubleP_tag, bottom_tag)

axiom doubleP_tags :
 (forall x:doubleP pointer.
  (forall doubleP_tag_table:doubleP tag_table.
   instanceof(doubleP_tag_table, x, doubleP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_doubleP(p:doubleP pointer, a:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_min(doubleP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_doubleP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(doubleP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_doubleP(p:doubleP pointer, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_max(doubleP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_a(doubleP_a_1_alloc_table:doubleP alloc_table) =
 (le_int(offset_min(doubleP_a_1_alloc_table, a), (0))
 and ge_int(offset_max(doubleP_a_1_alloc_table, a), (1)))

predicate valid_b(doubleP_b_2_alloc_table:doubleP alloc_table) =
 (le_int(offset_min(doubleP_b_2_alloc_table, b), (0))
 and ge_int(offset_max(doubleP_b_2_alloc_table, b), (1)))

predicate valid_c(doubleP_c_3_alloc_table:doubleP alloc_table) =
 (le_int(offset_min(doubleP_c_3_alloc_table, c), (0))
 and ge_int(offset_max(doubleP_c_3_alloc_table, c), (1)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter doubleP_alloc_table : doubleP alloc_table ref

parameter doubleP_tag_table : doubleP tag_table ref

parameter alloc_struct_doubleP :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { } doubleP pointer writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter alloc_struct_doubleP_requires :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { ge_int(n, (0))} doubleP pointer
    writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter doubleP_a_1_alloc_table : doubleP alloc_table ref

parameter doubleP_b_2_alloc_table : doubleP alloc_table ref

parameter doubleP_c_3_alloc_table : doubleP alloc_table ref

parameter doubleP_doubleM_a_1 : (doubleP, double) memory ref

parameter doubleP_doubleM_b_2 : (doubleP, double) memory ref

parameter doubleP_doubleM_c_3 : (doubleP, double) memory ref

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter test :
 tt:unit ->
  { } unit
  reads doubleP_a_1_alloc_table,doubleP_b_2_alloc_table,doubleP_c_3_alloc_table,doubleP_doubleM_a_1,doubleP_doubleM_b_2,doubleP_doubleM_c_3
  writes doubleP_doubleM_a_1
  { (JC_45:
    ((JC_42: valid_c(doubleP_c_3_alloc_table))
    and ((JC_43: valid_b(doubleP_b_2_alloc_table))
        and (JC_44: valid_a(doubleP_a_1_alloc_table))))) }

parameter test_requires :
 tt:unit ->
  { (JC_18:
    ((JC_14:
     ((JC_4: le_int(offset_min(doubleP_a_1_alloc_table, a), (0)))
     and ((JC_5: ge_int(offset_max(doubleP_a_1_alloc_table, a), (1)))
         and ((JC_6: le_int(offset_min(doubleP_b_2_alloc_table, b), (0)))
             and ((JC_7: ge_int(offset_max(doubleP_b_2_alloc_table, b), (1)))
                 and ((JC_8:
                      le_int(offset_min(doubleP_c_3_alloc_table, c), (0)))
                     and ((JC_9:
                          ge_int(offset_max(doubleP_c_3_alloc_table, c), (1)))
                         and ((JC_10:
                              le_real(abs_real(double_value(select(doubleP_doubleM_b_2,
                                                            shift(b, (0))))),
                              1.0))
                             and ((JC_11:
                                  le_real(abs_real(double_value(select(doubleP_doubleM_b_2,
                                                                shift(b, (1))))),
                                  1.0))
                                 and ((JC_12:
                                      le_real(abs_real(double_value(select(doubleP_doubleM_c_3,
                                                                    shift(c,
                                                                    (0))))),
                                      1.0))
                                     and (JC_13:
                                         le_real(abs_real(double_value(
                                                          select(doubleP_doubleM_c_3,
                                                          shift(c, (1))))),
                                         1.0))))))))))))
    and ((JC_15: valid_c(doubleP_c_3_alloc_table))
        and ((JC_16: valid_b(doubleP_b_2_alloc_table))
            and (JC_17: valid_a(doubleP_a_1_alloc_table))))))}
  unit
  reads doubleP_a_1_alloc_table,doubleP_b_2_alloc_table,doubleP_c_3_alloc_table,doubleP_doubleM_a_1,doubleP_doubleM_b_2,doubleP_doubleM_c_3
  writes doubleP_doubleM_a_1
  { (JC_45:
    ((JC_42: valid_c(doubleP_c_3_alloc_table))
    and ((JC_43: valid_b(doubleP_b_2_alloc_table))
        and (JC_44: valid_a(doubleP_a_1_alloc_table))))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let test_ensures_default =
 fun (tt : unit) ->
  { (JC_34:
    ((JC_30:
     ((JC_20: le_int(offset_min(doubleP_a_1_alloc_table, a), (0)))
     and ((JC_21: ge_int(offset_max(doubleP_a_1_alloc_table, a), (1)))
         and ((JC_22: le_int(offset_min(doubleP_b_2_alloc_table, b), (0)))
             and ((JC_23:
                  ge_int(offset_max(doubleP_b_2_alloc_table, b), (1)))
                 and ((JC_24:
                      le_int(offset_min(doubleP_c_3_alloc_table, c), (0)))
                     and ((JC_25:
                          ge_int(offset_max(doubleP_c_3_alloc_table, c), (1)))
                         and ((JC_26:
                              le_real(abs_real(double_value(select(doubleP_doubleM_b_2,
                                                            shift(b, (0))))),
                              1.0))
                             and ((JC_27:
                                  le_real(abs_real(double_value(select(doubleP_doubleM_b_2,
                                                                shift(b, (1))))),
                                  1.0))
                                 and ((JC_28:
                                      le_real(abs_real(double_value(select(doubleP_doubleM_c_3,
                                                                    shift(c,
                                                                    (0))))),
                                      1.0))
                                     and (JC_29:
                                         le_real(abs_real(double_value(
                                                          select(doubleP_doubleM_c_3,
                                                          shift(c, (1))))),
                                         1.0))))))))))))
    and ((JC_31: valid_c(doubleP_c_3_alloc_table))
        and ((JC_32: valid_b(doubleP_b_2_alloc_table))
            and (JC_33: valid_a(doubleP_a_1_alloc_table)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_49:
     (((add_double_safe nearest_even) ((safe_acc_ !doubleP_doubleM_b_2) 
                                       ((shift b) (0)))) ((safe_acc_ !doubleP_doubleM_c_3) 
                                                          ((shift c) (0))))) in
     (let _jessie_ = a in
     (let _jessie_ =
     (JC_50:
     (((add_double_safe nearest_even) ((safe_acc_ !doubleP_doubleM_b_2) 
                                       ((shift b) (1)))) ((safe_acc_ !doubleP_doubleM_c_3) 
                                                          ((shift c) (1))))) in
     (let _jessie_ = a in
     (let _jessie_ = (1) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     [ { } unit reads doubleP_a_1_alloc_table,doubleP_doubleM_a_1
       writes doubleP_doubleM_a_1
       { (not_assigns(doubleP_a_1_alloc_table, doubleP_doubleM_a_1@,
          doubleP_doubleM_a_1,
          pset_range(pset_singleton(_jessie_), (0), (1)))
         and ((select(doubleP_doubleM_a_1, shift(_jessie_, (0))) = _jessie_)
             and (select(doubleP_doubleM_a_1, shift(_jessie_, (1))) = _jessie_))) } ]))))));
    (assert
    { (JC_51:
      le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_a_1,
                                             shift(a, (0)))),
                       add_real(double_value(select(doubleP_doubleM_b_2,
                                             shift(b, (0)))),
                       double_value(select(doubleP_doubleM_c_3,
                                    shift(c, (0))))))),
      0x1p-53)) }; void); void; (raise Return); (raise Return) end with
   Return -> void end) { (JC_36: true) }

let test_safety =
 fun (tt : unit) ->
  { (JC_34:
    ((JC_30:
     ((JC_20: le_int(offset_min(doubleP_a_1_alloc_table, a), (0)))
     and ((JC_21: ge_int(offset_max(doubleP_a_1_alloc_table, a), (1)))
         and ((JC_22: le_int(offset_min(doubleP_b_2_alloc_table, b), (0)))
             and ((JC_23:
                  ge_int(offset_max(doubleP_b_2_alloc_table, b), (1)))
                 and ((JC_24:
                      le_int(offset_min(doubleP_c_3_alloc_table, c), (0)))
                     and ((JC_25:
                          ge_int(offset_max(doubleP_c_3_alloc_table, c), (1)))
                         and ((JC_26:
                              le_real(abs_real(double_value(select(doubleP_doubleM_b_2,
                                                            shift(b, (0))))),
                              1.0))
                             and ((JC_27:
                                  le_real(abs_real(double_value(select(doubleP_doubleM_b_2,
                                                                shift(b, (1))))),
                                  1.0))
                                 and ((JC_28:
                                      le_real(abs_real(double_value(select(doubleP_doubleM_c_3,
                                                                    shift(c,
                                                                    (0))))),
                                      1.0))
                                     and (JC_29:
                                         le_real(abs_real(double_value(
                                                          select(doubleP_doubleM_c_3,
                                                          shift(c, (1))))),
                                         1.0))))))))))))
    and ((JC_31: valid_c(doubleP_c_3_alloc_table))
        and ((JC_32: valid_b(doubleP_b_2_alloc_table))
            and (JC_33: valid_a(doubleP_a_1_alloc_table)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_46:
     (((add_double nearest_even) ((safe_acc_ !doubleP_doubleM_b_2) ((shift b) (0)))) 
      ((safe_acc_ !doubleP_doubleM_c_3) ((shift c) (0))))) in
     (let _jessie_ = a in
     (let _jessie_ =
     (JC_47:
     (((add_double nearest_even) ((safe_acc_ !doubleP_doubleM_b_2) ((shift b) (1)))) 
      ((safe_acc_ !doubleP_doubleM_c_3) ((shift c) (1))))) in
     (let _jessie_ = a in
     (let _jessie_ = (1) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     [ { } unit reads doubleP_a_1_alloc_table,doubleP_doubleM_a_1
       writes doubleP_doubleM_a_1
       { (not_assigns(doubleP_a_1_alloc_table, doubleP_doubleM_a_1@,
          doubleP_doubleM_a_1,
          pset_range(pset_singleton(_jessie_), (0), (1)))
         and ((select(doubleP_doubleM_a_1, shift(_jessie_, (0))) = _jessie_)
             and (select(doubleP_doubleM_a_1, shift(_jessie_, (1))) = _jessie_))) } ]))))));
    [ { } unit
      reads doubleP_doubleM_a_1,doubleP_doubleM_b_2,doubleP_doubleM_c_3
      { (JC_48:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_a_1,
                                               shift(a, (0)))),
                         add_real(double_value(select(doubleP_doubleM_b_2,
                                               shift(b, (0)))),
                         double_value(select(doubleP_doubleM_c_3,
                                      shift(c, (0))))))),
        0x1p-53)) } ]; void; (raise Return); (raise Return) end with
   Return -> void end)
  { (JC_41:
    ((JC_38: valid_c(doubleP_c_3_alloc_table))
    and ((JC_39: valid_b(doubleP_b_2_alloc_table))
        and (JC_40: valid_a(doubleP_a_1_alloc_table))))) }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/array_double.why
========== file tests/c/array_double.jessie/why/array_double_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type a_1

type b_2

type c_3

type charP

type doubleP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic a : doubleP pointer

logic b : doubleP pointer

logic c : doubleP pointer

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic doubleP_tag : doubleP tag_id

axiom doubleP_int: (int_of_tag(doubleP_tag) = 1)

logic doubleP_of_pointer_address : unit pointer -> doubleP pointer

axiom doubleP_of_pointer_address_of_pointer_addr:
  (forall p:doubleP pointer.
    (p = doubleP_of_pointer_address(pointer_address(p))))

axiom doubleP_parenttag_bottom: parenttag(doubleP_tag, bottom_tag)

axiom doubleP_tags:
  (forall x:doubleP pointer.
    (forall doubleP_tag_table:doubleP tag_table.
      instanceof(doubleP_tag_table, x, doubleP_tag)))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_doubleP(p: doubleP pointer, a: int,
  doubleP_alloc_table: doubleP alloc_table) =
  (offset_min(doubleP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_doubleP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(doubleP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_doubleP(p: doubleP pointer, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  (offset_max(doubleP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) = a) and
   (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) = a) and
   (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_a(doubleP_a_1_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_a_1_alloc_table, a) <= 0) and
   (offset_max(doubleP_a_1_alloc_table, a) >= 1))

predicate valid_b(doubleP_b_2_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_b_2_alloc_table, b) <= 0) and
   (offset_max(doubleP_b_2_alloc_table, b) >= 1))

predicate valid_c(doubleP_c_3_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_c_3_alloc_table, c) <= 0) and
   (offset_max(doubleP_c_3_alloc_table, c) >= 1))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) <= a) and
   (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) <= a) and
   (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal test_ensures_default_po_1:
  forall doubleP_a_1_alloc_table:doubleP alloc_table.
  forall doubleP_b_2_alloc_table:doubleP alloc_table.
  forall doubleP_c_3_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_a_1:(doubleP,
  double) memory.
  forall doubleP_doubleM_b_2:(doubleP,
  double) memory.
  forall doubleP_doubleM_c_3:(doubleP,
  double) memory.
  ("JC_34":
  (("JC_30":
   (("JC_20": (offset_min(doubleP_a_1_alloc_table, a) <= 0)) and
    (("JC_21": (offset_max(doubleP_a_1_alloc_table, a) >= 1)) and
     (("JC_22": (offset_min(doubleP_b_2_alloc_table, b) <= 0)) and
      (("JC_23": (offset_max(doubleP_b_2_alloc_table, b) >= 1)) and
       (("JC_24": (offset_min(doubleP_c_3_alloc_table, c) <= 0)) and
        (("JC_25": (offset_max(doubleP_c_3_alloc_table, c) >= 1)) and
         (("JC_26": (abs_real(double_value(select(doubleP_doubleM_b_2,
          shift(b, 0)))) <= 1.0)) and
          (("JC_27": (abs_real(double_value(select(doubleP_doubleM_b_2,
           shift(b, 1)))) <= 1.0)) and
           (("JC_28": (abs_real(double_value(select(doubleP_doubleM_c_3,
            shift(c, 0)))) <= 1.0)) and
            ("JC_29": (abs_real(double_value(select(doubleP_doubleM_c_3,
            shift(c, 1)))) <= 1.0)))))))))))) and
   (("JC_31": valid_c(doubleP_c_3_alloc_table)) and
    (("JC_32": valid_b(doubleP_b_2_alloc_table)) and
     ("JC_33": valid_a(doubleP_a_1_alloc_table)))))) ->
  forall result:double.
  (result = select(doubleP_doubleM_b_2, shift(b, 0))) ->
  forall result0:double.
  (result0 = select(doubleP_doubleM_c_3, shift(c, 0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_b_2, shift(b, 1))) ->
  forall result3:double.
  (result3 = select(doubleP_doubleM_c_3, shift(c, 1))) ->
  forall result4:double.
  add_double_post(nearest_even, result2, result3, result4) ->
  forall doubleP_doubleM_a_1_0:(doubleP,
  double) memory.
  (not_assigns(doubleP_a_1_alloc_table, doubleP_doubleM_a_1,
   doubleP_doubleM_a_1_0, pset_range(pset_singleton(a), 0, 1)) and
   ((select(doubleP_doubleM_a_1_0, shift(a, 0)) = result1) and
    (select(doubleP_doubleM_a_1_0, shift(a, 1)) = result4))) ->
  ("JC_51": (abs_real((double_value(select(doubleP_doubleM_a_1_0, shift(a,
  0))) - (double_value(select(doubleP_doubleM_b_2, shift(b,
  0))) + double_value(select(doubleP_doubleM_c_3, shift(c,
  0)))))) <= 0x1.p-53))

goal test_safety_po_1:
  forall doubleP_a_1_alloc_table:doubleP alloc_table.
  forall doubleP_b_2_alloc_table:doubleP alloc_table.
  forall doubleP_c_3_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_b_2:(doubleP,
  double) memory.
  forall doubleP_doubleM_c_3:(doubleP,
  double) memory.
  ("JC_34":
  (("JC_30":
   (("JC_20": (offset_min(doubleP_a_1_alloc_table, a) <= 0)) and
    (("JC_21": (offset_max(doubleP_a_1_alloc_table, a) >= 1)) and
     (("JC_22": (offset_min(doubleP_b_2_alloc_table, b) <= 0)) and
      (("JC_23": (offset_max(doubleP_b_2_alloc_table, b) >= 1)) and
       (("JC_24": (offset_min(doubleP_c_3_alloc_table, c) <= 0)) and
        (("JC_25": (offset_max(doubleP_c_3_alloc_table, c) >= 1)) and
         (("JC_26": (abs_real(double_value(select(doubleP_doubleM_b_2,
          shift(b, 0)))) <= 1.0)) and
          (("JC_27": (abs_real(double_value(select(doubleP_doubleM_b_2,
           shift(b, 1)))) <= 1.0)) and
           (("JC_28": (abs_real(double_value(select(doubleP_doubleM_c_3,
            shift(c, 0)))) <= 1.0)) and
            ("JC_29": (abs_real(double_value(select(doubleP_doubleM_c_3,
            shift(c, 1)))) <= 1.0)))))))))))) and
   (("JC_31": valid_c(doubleP_c_3_alloc_table)) and
    (("JC_32": valid_b(doubleP_b_2_alloc_table)) and
     ("JC_33": valid_a(doubleP_a_1_alloc_table)))))) ->
  forall result:double.
  (result = select(doubleP_doubleM_b_2, shift(b, 0))) ->
  forall result0:double.
  (result0 = select(doubleP_doubleM_c_3, shift(c, 0))) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0)))

goal test_safety_po_2:
  forall doubleP_a_1_alloc_table:doubleP alloc_table.
  forall doubleP_b_2_alloc_table:doubleP alloc_table.
  forall doubleP_c_3_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_b_2:(doubleP,
  double) memory.
  forall doubleP_doubleM_c_3:(doubleP,
  double) memory.
  ("JC_34":
  (("JC_30":
   (("JC_20": (offset_min(doubleP_a_1_alloc_table, a) <= 0)) and
    (("JC_21": (offset_max(doubleP_a_1_alloc_table, a) >= 1)) and
     (("JC_22": (offset_min(doubleP_b_2_alloc_table, b) <= 0)) and
      (("JC_23": (offset_max(doubleP_b_2_alloc_table, b) >= 1)) and
       (("JC_24": (offset_min(doubleP_c_3_alloc_table, c) <= 0)) and
        (("JC_25": (offset_max(doubleP_c_3_alloc_table, c) >= 1)) and
         (("JC_26": (abs_real(double_value(select(doubleP_doubleM_b_2,
          shift(b, 0)))) <= 1.0)) and
          (("JC_27": (abs_real(double_value(select(doubleP_doubleM_b_2,
           shift(b, 1)))) <= 1.0)) and
           (("JC_28": (abs_real(double_value(select(doubleP_doubleM_c_3,
            shift(c, 0)))) <= 1.0)) and
            ("JC_29": (abs_real(double_value(select(doubleP_doubleM_c_3,
            shift(c, 1)))) <= 1.0)))))))))))) and
   (("JC_31": valid_c(doubleP_c_3_alloc_table)) and
    (("JC_32": valid_b(doubleP_b_2_alloc_table)) and
     ("JC_33": valid_a(doubleP_a_1_alloc_table)))))) ->
  forall result:double.
  (result = select(doubleP_doubleM_b_2, shift(b, 0))) ->
  forall result0:double.
  (result0 = select(doubleP_doubleM_c_3, shift(c, 0))) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_b_2, shift(b, 1))) ->
  forall result3:double.
  (result3 = select(doubleP_doubleM_c_3, shift(c, 1))) ->
  no_overflow_double(nearest_even,
  (double_value(result2) + double_value(result3)))

goal test_safety_po_3:
  forall doubleP_a_1_alloc_table:doubleP alloc_table.
  forall doubleP_b_2_alloc_table:doubleP alloc_table.
  forall doubleP_c_3_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_a_1:(doubleP,
  double) memory.
  forall doubleP_doubleM_b_2:(doubleP,
  double) memory.
  forall doubleP_doubleM_c_3:(doubleP,
  double) memory.
  ("JC_34":
  (("JC_30":
   (("JC_20": (offset_min(doubleP_a_1_alloc_table, a) <= 0)) and
    (("JC_21": (offset_max(doubleP_a_1_alloc_table, a) >= 1)) and
     (("JC_22": (offset_min(doubleP_b_2_alloc_table, b) <= 0)) and
      (("JC_23": (offset_max(doubleP_b_2_alloc_table, b) >= 1)) and
       (("JC_24": (offset_min(doubleP_c_3_alloc_table, c) <= 0)) and
        (("JC_25": (offset_max(doubleP_c_3_alloc_table, c) >= 1)) and
         (("JC_26": (abs_real(double_value(select(doubleP_doubleM_b_2,
          shift(b, 0)))) <= 1.0)) and
          (("JC_27": (abs_real(double_value(select(doubleP_doubleM_b_2,
           shift(b, 1)))) <= 1.0)) and
           (("JC_28": (abs_real(double_value(select(doubleP_doubleM_c_3,
            shift(c, 0)))) <= 1.0)) and
            ("JC_29": (abs_real(double_value(select(doubleP_doubleM_c_3,
            shift(c, 1)))) <= 1.0)))))))))))) and
   (("JC_31": valid_c(doubleP_c_3_alloc_table)) and
    (("JC_32": valid_b(doubleP_b_2_alloc_table)) and
     ("JC_33": valid_a(doubleP_a_1_alloc_table)))))) ->
  forall result:double.
  (result = select(doubleP_doubleM_b_2, shift(b, 0))) ->
  forall result0:double.
  (result0 = select(doubleP_doubleM_c_3, shift(c, 0))) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_b_2, shift(b, 1))) ->
  forall result3:double.
  (result3 = select(doubleP_doubleM_c_3, shift(c, 1))) ->
  no_overflow_double(nearest_even,
  (double_value(result2) + double_value(result3))) ->
  forall result4:double.
  add_double_post(nearest_even, result2, result3, result4) ->
  forall doubleP_doubleM_a_1_0:(doubleP,
  double) memory.
  (not_assigns(doubleP_a_1_alloc_table, doubleP_doubleM_a_1,
   doubleP_doubleM_a_1_0, pset_range(pset_singleton(a), 0, 1)) and
   ((select(doubleP_doubleM_a_1_0, shift(a, 0)) = result1) and
    (select(doubleP_doubleM_a_1_0, shift(a, 1)) = result4))) ->
  ("JC_48": (abs_real((double_value(select(doubleP_doubleM_a_1_0, shift(a,
  0))) - (double_value(select(doubleP_doubleM_b_2, shift(b,
  0))) + double_value(select(doubleP_doubleM_c_3, shift(c,
  0)))))) <= 0x1.p-53)) ->
  ("JC_41": ("JC_38": valid_c(doubleP_c_3_alloc_table)))

goal test_safety_po_4:
  forall doubleP_a_1_alloc_table:doubleP alloc_table.
  forall doubleP_b_2_alloc_table:doubleP alloc_table.
  forall doubleP_c_3_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_a_1:(doubleP,
  double) memory.
  forall doubleP_doubleM_b_2:(doubleP,
  double) memory.
  forall doubleP_doubleM_c_3:(doubleP,
  double) memory.
  ("JC_34":
  (("JC_30":
   (("JC_20": (offset_min(doubleP_a_1_alloc_table, a) <= 0)) and
    (("JC_21": (offset_max(doubleP_a_1_alloc_table, a) >= 1)) and
     (("JC_22": (offset_min(doubleP_b_2_alloc_table, b) <= 0)) and
      (("JC_23": (offset_max(doubleP_b_2_alloc_table, b) >= 1)) and
       (("JC_24": (offset_min(doubleP_c_3_alloc_table, c) <= 0)) and
        (("JC_25": (offset_max(doubleP_c_3_alloc_table, c) >= 1)) and
         (("JC_26": (abs_real(double_value(select(doubleP_doubleM_b_2,
          shift(b, 0)))) <= 1.0)) and
          (("JC_27": (abs_real(double_value(select(doubleP_doubleM_b_2,
           shift(b, 1)))) <= 1.0)) and
           (("JC_28": (abs_real(double_value(select(doubleP_doubleM_c_3,
            shift(c, 0)))) <= 1.0)) and
            ("JC_29": (abs_real(double_value(select(doubleP_doubleM_c_3,
            shift(c, 1)))) <= 1.0)))))))))))) and
   (("JC_31": valid_c(doubleP_c_3_alloc_table)) and
    (("JC_32": valid_b(doubleP_b_2_alloc_table)) and
     ("JC_33": valid_a(doubleP_a_1_alloc_table)))))) ->
  forall result:double.
  (result = select(doubleP_doubleM_b_2, shift(b, 0))) ->
  forall result0:double.
  (result0 = select(doubleP_doubleM_c_3, shift(c, 0))) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_b_2, shift(b, 1))) ->
  forall result3:double.
  (result3 = select(doubleP_doubleM_c_3, shift(c, 1))) ->
  no_overflow_double(nearest_even,
  (double_value(result2) + double_value(result3))) ->
  forall result4:double.
  add_double_post(nearest_even, result2, result3, result4) ->
  forall doubleP_doubleM_a_1_0:(doubleP,
  double) memory.
  (not_assigns(doubleP_a_1_alloc_table, doubleP_doubleM_a_1,
   doubleP_doubleM_a_1_0, pset_range(pset_singleton(a), 0, 1)) and
   ((select(doubleP_doubleM_a_1_0, shift(a, 0)) = result1) and
    (select(doubleP_doubleM_a_1_0, shift(a, 1)) = result4))) ->
  ("JC_48": (abs_real((double_value(select(doubleP_doubleM_a_1_0, shift(a,
  0))) - (double_value(select(doubleP_doubleM_b_2, shift(b,
  0))) + double_value(select(doubleP_doubleM_c_3, shift(c,
  0)))))) <= 0x1.p-53)) ->
  ("JC_41": ("JC_39": valid_b(doubleP_b_2_alloc_table)))

goal test_safety_po_5:
  forall doubleP_a_1_alloc_table:doubleP alloc_table.
  forall doubleP_b_2_alloc_table:doubleP alloc_table.
  forall doubleP_c_3_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_a_1:(doubleP,
  double) memory.
  forall doubleP_doubleM_b_2:(doubleP,
  double) memory.
  forall doubleP_doubleM_c_3:(doubleP,
  double) memory.
  ("JC_34":
  (("JC_30":
   (("JC_20": (offset_min(doubleP_a_1_alloc_table, a) <= 0)) and
    (("JC_21": (offset_max(doubleP_a_1_alloc_table, a) >= 1)) and
     (("JC_22": (offset_min(doubleP_b_2_alloc_table, b) <= 0)) and
      (("JC_23": (offset_max(doubleP_b_2_alloc_table, b) >= 1)) and
       (("JC_24": (offset_min(doubleP_c_3_alloc_table, c) <= 0)) and
        (("JC_25": (offset_max(doubleP_c_3_alloc_table, c) >= 1)) and
         (("JC_26": (abs_real(double_value(select(doubleP_doubleM_b_2,
          shift(b, 0)))) <= 1.0)) and
          (("JC_27": (abs_real(double_value(select(doubleP_doubleM_b_2,
           shift(b, 1)))) <= 1.0)) and
           (("JC_28": (abs_real(double_value(select(doubleP_doubleM_c_3,
            shift(c, 0)))) <= 1.0)) and
            ("JC_29": (abs_real(double_value(select(doubleP_doubleM_c_3,
            shift(c, 1)))) <= 1.0)))))))))))) and
   (("JC_31": valid_c(doubleP_c_3_alloc_table)) and
    (("JC_32": valid_b(doubleP_b_2_alloc_table)) and
     ("JC_33": valid_a(doubleP_a_1_alloc_table)))))) ->
  forall result:double.
  (result = select(doubleP_doubleM_b_2, shift(b, 0))) ->
  forall result0:double.
  (result0 = select(doubleP_doubleM_c_3, shift(c, 0))) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_b_2, shift(b, 1))) ->
  forall result3:double.
  (result3 = select(doubleP_doubleM_c_3, shift(c, 1))) ->
  no_overflow_double(nearest_even,
  (double_value(result2) + double_value(result3))) ->
  forall result4:double.
  add_double_post(nearest_even, result2, result3, result4) ->
  forall doubleP_doubleM_a_1_0:(doubleP,
  double) memory.
  (not_assigns(doubleP_a_1_alloc_table, doubleP_doubleM_a_1,
   doubleP_doubleM_a_1_0, pset_range(pset_singleton(a), 0, 1)) and
   ((select(doubleP_doubleM_a_1_0, shift(a, 0)) = result1) and
    (select(doubleP_doubleM_a_1_0, shift(a, 1)) = result4))) ->
  ("JC_48": (abs_real((double_value(select(doubleP_doubleM_a_1_0, shift(a,
  0))) - (double_value(select(doubleP_doubleM_b_2, shift(b,
  0))) + double_value(select(doubleP_doubleM_c_3, shift(c,
  0)))))) <= 0x1.p-53)) ->
  ("JC_41": ("JC_40": valid_a(doubleP_a_1_alloc_table)))

why-2.34/tests/c/oracle/binary_search.res.oracle0000644000175000017500000073263712311670312020260 0ustar  rtusers========== file tests/c/binary_search.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY this tells regtests to run Simplify in this example

//@ lemma mean: \forall integer x, y; x <= y ==> x <= (x+y)/2 <= y;

/*@ predicate sorted{L}(long *t, integer a, integer b) =
  @    \forall integer i,j; a <= i <= j <= b ==> t[i] <= t[j];
  @*/

/*@ requires n >= 0 && \valid(t+(0..n-1));
  @ ensures -1 <= \result < n;
  @ behavior success:
  @   ensures \result >= 0 ==> t[\result] == v;
  @ behavior failure:
  @   assumes sorted(t,0,n-1);
  @   ensures \result == -1 ==>
  @     \forall integer k; 0 <= k < n ==> t[k] != v;
  @*/
int binary_search(long t[], int n, long v) {
  int l = 0, u = n-1;
  /*@ loop invariant
    @   0 <= l && u <= n-1;
    @ for failure:
    @   loop invariant
    @   \forall integer k; 0 <= k < n && t[k] == v ==> l <= k <= u;
    @ loop variant u-l;
    @*/
  while (l <= u ) {
    int m = (l + u) / 2;
    //@ assert l <= m <= u;
    if (t[m] < v) l = m + 1;
    else if (t[m] > v) u = m - 1;
    else return m;
  }
  return -1;
}

/*
Local Variables:
compile-command: "make binary_search.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/binary_search.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/binary_search.jessie
[jessie] File tests/c/binary_search.jessie/binary_search.jc written.
[jessie] File tests/c/binary_search.jessie/binary_search.cloc written.
========== file tests/c/binary_search.jessie/binary_search.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag longP = {
  int32 longM: 32;
}

type longP = [longP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

lemma mean :
(\forall integer x;
  (\forall integer y;
    ((x <= y) ==> ((x <= ((x + y) / 2)) && (((x + y) / 2) <= y)))))

predicate sorted{L}(longP[..] t, integer a, integer b) =
(\forall integer i_1;
  (\forall integer j_0;
    (((a <= i_1) && ((i_1 <= j_0) && (j_0 <= b))) ==>
      ((t + i_1).longM <= (t + j_0).longM))))

int32 binary_search(longP[..] t, int32 n_1, int32 v)
  requires (_C_33 : ((_C_34 : (n_1 >= 0)) &&
                      ((_C_36 : (\offset_min(t) <= 0)) &&
                        (_C_37 : (\offset_max(t) >= (n_1 - 1))))));
behavior default:
  ensures (_C_28 : ((_C_29 : ((- 1) <= \result)) &&
                     (_C_30 : (\result < \at(n_1,Old)))));
behavior success:
  ensures (_C_31 : ((\result >= 0) ==>
                     ((\at(t,Old) + \result).longM == \at(v,Old))));
behavior failure:
  assumes sorted{Here}(t, 0, (n_1 - 1));
  ensures (_C_32 : ((\result == (- 1)) ==>
                     (\forall integer k_0;
                       (((0 <= k_0) && (k_0 < \at(n_1,Old))) ==>
                         ((\at(t,Old) + k_0).longM != \at(v,Old))))));
{  
   (var int32 l);
   
   (var int32 u);
   
   (var int32 m);
   
   (var int32 __retres);
   
   {  (_C_1 : (l = 0));
      (_C_4 : (u = (_C_3 : ((_C_2 : (n_1 - 1)) :> int32))));
      
      loop 
      behavior default:
        invariant (_C_7 : ((_C_8 : (0 <= l)) && (_C_9 : (u <= (n_1 - 1)))));
      behavior failure:
        invariant (_C_6 : (\forall integer k;
                            ((((0 <= k) && (k < n_1)) &&
                               ((t + k).longM == v)) ==>
                              ((l <= k) && (k <= u)))));
      variant (_C_5 : (u - l));
      while (true)
      {  
         {  (if (l <= u) then () else 
            (goto while_0_break));
            
            {  (_C_14 : (m = (_C_13 : ((_C_12 : ((_C_11 : ((_C_10 : (l + u)) :> int32)) /
                                                  2)) :> int32))));
               
               {  
                  (assert for default: (_C_15 : (jessie : ((l <= m) &&
                                                            (m <= u)))));
                  ()
               };
               
               {  (if ((_C_26 : (_C_25 : (t + m)).longM) < v) then (_C_24 : (l = 
                                                                   (_C_23 : (
                                                                   (_C_22 : 
                                                                   (m +
                                                                    1)) :> int32)))) else 
                  (if ((_C_21 : (_C_20 : (t + m)).longM) > v) then (_C_19 : (u = 
                                                                   (_C_18 : (
                                                                   (_C_17 : 
                                                                   (m -
                                                                    1)) :> int32)))) else 
                  {  (_C_16 : (__retres = m));
                     
                     (goto return_label)
                  }))
               }
            }
         }
      };
      (while_0_break : ());
      (_C_27 : (__retres = -1));
      (return_label : 
      (return __retres))
   }
}
========== file tests/c/binary_search.jessie/binary_search.cloc ==========
[_C_35]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 23
end = 41

[_C_28]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 12
end = 29

[_C_31]
file = "HOME/tests/c/binary_search.c"
line = 43
begin = 14
end = 46

[mean]
name = "Lemma mean"
file = "HOME/tests/c/binary_search.c"
line = 34
begin = 4
end = 67

[_C_4]
file = "HOME/tests/c/binary_search.c"
line = 50
begin = 2
end = 5

[_C_32]
file = "HOME/tests/c/binary_search.c"
line = 46
begin = 14
end = 83

[_C_23]
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 22
end = 27

[_C_19]
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 27
end = 32

[_C_13]
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 12
end = 23

[_C_5]
file = "HOME/tests/c/binary_search.c"
line = 56
begin = 19
end = 22

[_C_36]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 23
end = 41

[_C_12]
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 12
end = 23

[_C_33]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 13
end = 41

[_C_22]
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 22
end = 27

[binary_search]
name = "Function binary_search"
file = "HOME/tests/c/binary_search.c"
line = 49
begin = 4
end = 17

[_C_9]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 18
end = 26

[_C_30]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 18
end = 29

[_C_6]
file = "HOME/tests/c/binary_search.c"
line = 55
begin = 8
end = 66

[_C_24]
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 22
end = 27

[_C_20]
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 13
end = 14

[_C_3]
file = "HOME/tests/c/binary_search.c"
line = 50
begin = 17
end = 20

[_C_17]
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 27
end = 32

[_C_7]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 26

[_C_27]
file = "HOME/tests/c/binary_search.c"
line = 65
begin = 2
end = 12

[_C_15]
file = "HOME/tests/c/binary_search.c"
line = 60
begin = 15
end = 26

[_C_26]
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 8
end = 12

[_C_10]
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 13
end = 18

[_C_8]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 14

[_C_18]
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 27
end = 32

[_C_29]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 12
end = 25

[_C_14]
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 4
end = 7

[_C_37]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 23
end = 41

[_C_2]
file = "HOME/tests/c/binary_search.c"
line = 50
begin = 17
end = 20

[_C_34]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 13
end = 19

[_C_16]
file = "HOME/tests/c/binary_search.c"
line = 63
begin = 9
end = 18

[_C_1]
file = "HOME/tests/c/binary_search.c"
line = 50
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 8
end = 9

[_C_11]
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 13
end = 18

[_C_21]
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 13
end = 17

========== jessie execution ==========
Generating Why function binary_search
========== file tests/c/binary_search.jessie/binary_search.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs binary_search.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs binary_search.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/binary_search_why.sx

project: why/binary_search.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/binary_search_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/binary_search_why.vo

coq/binary_search_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/binary_search_why.v: why/binary_search.why
	@echo 'why -coq [...] why/binary_search.why' && $(WHY) $(JESSIELIBFILES) why/binary_search.why && rm -f coq/jessie_why.v

coq-goals: goals coq/binary_search_ctx_why.vo
	for f in why/*_po*.why; do make -f binary_search.makefile coq/`basename $$f .why`_why.v ; done

coq/binary_search_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/binary_search_ctx_why.v: why/binary_search_ctx.why
	@echo 'why -coq [...] why/binary_search_ctx.why' && $(WHY) why/binary_search_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export binary_search_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/binary_search_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/binary_search_ctx_why.vo

pvs: pvs/binary_search_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/binary_search_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/binary_search_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/binary_search_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/binary_search_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/binary_search_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/binary_search_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/binary_search_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/binary_search_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/binary_search_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/binary_search_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/binary_search_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/binary_search_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/binary_search_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/binary_search_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: binary_search.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/binary_search_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: binary_search.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: binary_search.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: binary_search.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include binary_search.depend

depend: coq/binary_search_why.v
	-$(COQDEP) -I coq coq/binary_search*_why.v > binary_search.depend

clean:
	rm -f coq/*.vo

========== file tests/c/binary_search.jessie/binary_search.loc ==========
[JC_63]
file = "HOME/tests/c/binary_search.c"
line = 60
begin = 15
end = 26

[JC_51]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 1876

[binary_search_ensures_default]
name = "Function binary_search"
behavior = "default behavior"
file = "HOME/tests/c/binary_search.c"
line = 49
begin = 4
end = 17

[JC_45]
kind = DivByZero
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 12
end = 23

[mean]
name = "Lemma mean"
behavior = "lemma"
file = "HOME/tests/c/binary_search.c"
line = 34
begin = 4
end = 67

[JC_31]
kind = DivByZero
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 12
end = 23

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/c/binary_search.c"
line = 55
begin = 8
end = 66

[JC_48]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 18
end = 26

[JC_23]
kind = ArithOverflow
file = "HOME/tests/c/binary_search.c"
line = 50
begin = 17
end = 20

[JC_22]
file = "HOME/tests/c/binary_search.c"
line = 46
begin = 14
end = 83

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 13
end = 41

[JC_24]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 14

[JC_25]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 18
end = 26

[JC_41]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 26

[JC_47]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 14

[JC_52]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 1876

[JC_26]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 26

[JC_8]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 23
end = 41

[JC_54]
file = "HOME/tests/c/binary_search.c"
line = 60
begin = 15
end = 26

[JC_13]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 12
end = 29

[binary_search_ensures_success]
name = "Function binary_search"
behavior = "Behavior `success'"
file = "HOME/tests/c/binary_search.c"
line = 49
begin = 4
end = 17

[binary_search_ensures_failure]
name = "Function binary_search"
behavior = "Behavior `failure'"
file = "HOME/tests/c/binary_search.c"
line = 49
begin = 4
end = 17

[JC_11]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 12
end = 25

[JC_15]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 18
end = 29

[JC_36]
kind = PointerDeref
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 13
end = 17

[JC_39]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 14

[JC_40]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 18
end = 26

[JC_35]
kind = ArithOverflow
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 22
end = 27

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/c/binary_search.c"
line = 56
begin = 19
end = 22

[JC_12]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 18
end = 29

[JC_6]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 13
end = 19

[JC_44]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 1876

[JC_4]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 13
end = 41

[JC_62]
kind = DivByZero
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 12
end = 23

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/tests/c/binary_search.c"
line = 60
begin = 15
end = 26

[JC_61]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 1876

[JC_32]
kind = ArithOverflow
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 12
end = 23

[JC_56]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 14

[JC_33]
file = "HOME/tests/c/binary_search.c"
line = 60
begin = 15
end = 26

[JC_29]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 1876

[JC_7]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 23
end = 41

[JC_16]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 12
end = 29

[JC_43]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 1876

[JC_2]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 23
end = 41

[JC_34]
kind = PointerDeref
file = "HOME/tests/c/binary_search.c"
line = 61
begin = 8
end = 12

[JC_14]
file = "HOME/tests/c/binary_search.c"
line = 41
begin = 12
end = 25

[JC_53]
kind = DivByZero
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 12
end = 23

[JC_21]
file = "HOME/tests/c/binary_search.c"
line = 46
begin = 14
end = 83

[JC_49]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 26

[JC_1]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 13
end = 19

[JC_37]
kind = ArithOverflow
file = "HOME/tests/c/binary_search.c"
line = 62
begin = 27
end = 32

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_57]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 18
end = 26

[JC_59]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_20]
file = "HOME/tests/c/binary_search.c"
line = 43
begin = 14
end = 46

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/binary_search.c"
line = 40
begin = 23
end = 41

[JC_60]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 1876

[JC_19]
file = "HOME/tests/c/binary_search.c"
line = 43
begin = 14
end = 46

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[binary_search_safety]
name = "Function binary_search"
behavior = "Safety"
file = "HOME/tests/c/binary_search.c"
line = 49
begin = 4
end = 17

[JC_30]
kind = ArithOverflow
file = "HOME/tests/c/binary_search.c"
line = 59
begin = 13
end = 18

[JC_58]
file = "HOME/tests/c/binary_search.c"
line = 52
begin = 8
end = 26

[JC_28]
file = "HOME/tests/c/binary_search.jessie/binary_search.jc"
line = 81
begin = 6
end = 1876

========== file tests/c/binary_search.jessie/why/binary_search.why ==========
type charP

type int32

type int8

type longP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_longP(p:longP pointer, a:int,
 longP_alloc_table:longP alloc_table) =
 (offset_min(longP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

logic longP_tag:  -> longP tag_id

axiom longP_int : (int_of_tag(longP_tag) = (1))

logic longP_of_pointer_address: unit pointer -> longP pointer

axiom longP_of_pointer_address_of_pointer_addr :
 (forall p:longP pointer. (p = longP_of_pointer_address(pointer_address(p))))

axiom longP_parenttag_bottom : parenttag(longP_tag, bottom_tag)

axiom longP_tags :
 (forall x:longP pointer.
  (forall longP_tag_table:longP tag_table.
   instanceof(longP_tag_table, x, longP_tag)))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_longP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(longP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_longP(p:longP pointer, b:int,
 longP_alloc_table:longP alloc_table) =
 (offset_max(longP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate sorted(t:longP pointer, a:int, b:int,
 longP_longM_t_1_at_L:(longP, int32) memory) =
 (forall i_1:int.
  (forall j_0:int.
   ((le_int(a, i_1) and (le_int(i_1, j_0) and le_int(j_0, b))) ->
    le_int(integer_of_int32(select(longP_longM_t_1_at_L, shift(t, i_1))),
    integer_of_int32(select(longP_longM_t_1_at_L, shift(t, j_0)))))))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_longP(p:longP pointer, a:int, b:int,
 longP_alloc_table:longP alloc_table) =
 ((offset_min(longP_alloc_table, p) = a)
 and (offset_max(longP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_longP(p:longP pointer, a:int, b:int,
 longP_alloc_table:longP alloc_table) =
 ((offset_min(longP_alloc_table, p) = a)
 and (offset_max(longP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_longP(p:longP pointer, a:int, b:int,
 longP_alloc_table:longP alloc_table) =
 ((offset_min(longP_alloc_table, p) <= a)
 and (offset_max(longP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_longP(p:longP pointer, a:int, b:int,
 longP_alloc_table:longP alloc_table) =
 ((offset_min(longP_alloc_table, p) <= a)
 and (offset_max(longP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma mean :
 (forall x_0:int.
  (forall y:int.
   (le_int(x_0, y) ->
    (le_int(x_0, computer_div(add_int(x_0, y), (2)))
    and le_int(computer_div(add_int(x_0, y), (2)), y)))))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter longP_alloc_table : longP alloc_table ref

parameter longP_tag_table : longP tag_table ref

parameter alloc_struct_longP :
 n:int ->
  longP_alloc_table:longP alloc_table ref ->
   longP_tag_table:longP tag_table ref ->
    { } longP pointer writes longP_alloc_table,longP_tag_table
    { (strict_valid_struct_longP(result, (0), sub_int(n, (1)),
       longP_alloc_table)
      and (alloc_extends(longP_alloc_table@, longP_alloc_table)
          and (alloc_fresh(longP_alloc_table@, result, n)
              and instanceof(longP_tag_table, result, longP_tag)))) }

parameter alloc_struct_longP_requires :
 n:int ->
  longP_alloc_table:longP alloc_table ref ->
   longP_tag_table:longP tag_table ref ->
    { ge_int(n, (0))} longP pointer writes longP_alloc_table,longP_tag_table
    { (strict_valid_struct_longP(result, (0), sub_int(n, (1)),
       longP_alloc_table)
      and (alloc_extends(longP_alloc_table@, longP_alloc_table)
          and (alloc_fresh(longP_alloc_table@, result, n)
              and instanceof(longP_tag_table, result, longP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter binary_search :
 t_0:longP pointer ->
  n_1:int32 ->
   v:int32 ->
    longP_t_2_alloc_table:longP alloc_table ->
     longP_longM_t_2:(longP, int32) memory ->
      { } int32
      { ((sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)),
          longP_longM_t_2) ->
          (JC_22:
          ((integer_of_int32(result) = neg_int((1))) ->
           (forall k_0:int.
            ((le_int((0), k_0) and lt_int(k_0, integer_of_int32(n_1))) ->
             (integer_of_int32(select(longP_longM_t_2, shift(t_0, k_0))) <> 
             integer_of_int32(v)))))))
        and ((JC_20:
             (ge_int(integer_of_int32(result), (0)) ->
              (integer_of_int32(select(longP_longM_t_2,
                                shift(t_0, integer_of_int32(result)))) = 
              integer_of_int32(v))))
            and (JC_16:
                ((JC_14: le_int(neg_int((1)), integer_of_int32(result)))
                and (JC_15:
                    lt_int(integer_of_int32(result), integer_of_int32(n_1))))))) }

parameter binary_search_requires :
 t_0:longP pointer ->
  n_1:int32 ->
   v:int32 ->
    longP_t_2_alloc_table:longP alloc_table ->
     longP_longM_t_2:(longP, int32) memory ->
      { (JC_4:
        ((JC_1: ge_int(integer_of_int32(n_1), (0)))
        and ((JC_2: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
            and (JC_3:
                ge_int(offset_max(longP_t_2_alloc_table, t_0),
                sub_int(integer_of_int32(n_1), (1)))))))}
      int32
      { ((sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)),
          longP_longM_t_2) ->
          (JC_22:
          ((integer_of_int32(result) = neg_int((1))) ->
           (forall k_0:int.
            ((le_int((0), k_0) and lt_int(k_0, integer_of_int32(n_1))) ->
             (integer_of_int32(select(longP_longM_t_2, shift(t_0, k_0))) <> 
             integer_of_int32(v)))))))
        and ((JC_20:
             (ge_int(integer_of_int32(result), (0)) ->
              (integer_of_int32(select(longP_longM_t_2,
                                shift(t_0, integer_of_int32(result)))) = 
              integer_of_int32(v))))
            and (JC_16:
                ((JC_14: le_int(neg_int((1)), integer_of_int32(result)))
                and (JC_15:
                    lt_int(integer_of_int32(result), integer_of_int32(n_1))))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let binary_search_ensures_default =
 fun (t_0 : longP pointer) (n_1 : int32) (v : int32) (longP_t_2_alloc_table : longP alloc_table) (longP_longM_t_2 : (longP, int32) memory) ->
  { (JC_9:
    ((JC_6: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_7: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(longP_t_2_alloc_table, t_0),
            sub_int(integer_of_int32(n_1), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_2:
          begin
            while true do
            { invariant
                (JC_41:
                ((JC_39: le_int((0), integer_of_int32(l)))
                and (JC_40:
                    le_int(integer_of_int32(u),
                    sub_int(integer_of_int32(n_1), (1))))))  }
             begin
               [ { } unit { true } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ (JC_45:
                                              ((computer_div (integer_of_int32 
                                                              (safe_int32_of_integer_ 
                                                               ((add_int 
                                                                 (integer_of_int32 !l)) 
                                                                (integer_of_int32 !u))))) (2))))) in
                void);
                (assert
                { (JC_46:
                  (le_int(integer_of_int32(l), integer_of_int32(m))
                  and le_int(integer_of_int32(m), integer_of_int32(u)))) };
                void); void;
                (if ((lt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                 ((shift t_0) (integer_of_int32 !m))))) 
                     (integer_of_int32 v))
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                  ((shift t_0) (integer_of_int32 !m))))) 
                      (integer_of_int32 v))
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_13:
    ((JC_11: le_int(neg_int((1)), integer_of_int32(result)))
    and (JC_12: lt_int(integer_of_int32(result), integer_of_int32(n_1))))) }

let binary_search_ensures_failure =
 fun (t_0 : longP pointer) (n_1 : int32) (v : int32) (longP_t_2_alloc_table : longP alloc_table) (longP_longM_t_2 : (longP, int32) memory) ->
  { (sorted(t_0, (0), sub_int(integer_of_int32(n_1), (1)), longP_longM_t_2)
    and (JC_9:
        ((JC_6: ge_int(integer_of_int32(n_1), (0)))
        and ((JC_7: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
            and (JC_8:
                ge_int(offset_max(longP_t_2_alloc_table, t_0),
                sub_int(integer_of_int32(n_1), (1)))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_4:
          begin
            while true do
            { invariant
                (JC_55:
                (forall k:int.
                 ((le_int((0), k)
                  and (lt_int(k, integer_of_int32(n_1))
                      and (integer_of_int32(select(longP_longM_t_2,
                                            shift(t_0, k))) = integer_of_int32(v)))) ->
                  (le_int(integer_of_int32(l), k)
                  and le_int(k, integer_of_int32(u))))))  }
             begin
               [ { } unit reads l,u
                 { (JC_58:
                   ((JC_56: le_int((0), integer_of_int32(l)))
                   and (JC_57:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ (JC_62:
                                              ((computer_div (integer_of_int32 
                                                              (safe_int32_of_integer_ 
                                                               ((add_int 
                                                                 (integer_of_int32 !l)) 
                                                                (integer_of_int32 !u))))) (2))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_63:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                 ((shift t_0) (integer_of_int32 !m))))) 
                     (integer_of_int32 v))
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                  ((shift t_0) (integer_of_int32 !m))))) 
                      (integer_of_int32 v))
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_21:
    ((integer_of_int32(result) = neg_int((1))) ->
     (forall k_0:int.
      ((le_int((0), k_0) and lt_int(k_0, integer_of_int32(n_1))) ->
       (integer_of_int32(select(longP_longM_t_2, shift(t_0, k_0))) <> 
       integer_of_int32(v)))))) }

let binary_search_ensures_success =
 fun (t_0 : longP pointer) (n_1 : int32) (v : int32) (longP_t_2_alloc_table : longP alloc_table) (longP_longM_t_2 : (longP, int32) memory) ->
  { (JC_9:
    ((JC_6: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_7: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(longP_t_2_alloc_table, t_0),
            sub_int(integer_of_int32(n_1), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1)))) in
          void);
          (loop_3:
          begin
            while true do
            { invariant (JC_51: true)  }
             begin
               [ { } unit reads l,u
                 { (JC_49:
                   ((JC_47: le_int((0), integer_of_int32(l)))
                   and (JC_48:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (safe_int32_of_integer_ (JC_53:
                                              ((computer_div (integer_of_int32 
                                                              (safe_int32_of_integer_ 
                                                               ((add_int 
                                                                 (integer_of_int32 !l)) 
                                                                (integer_of_int32 !u))))) (2))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_54:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                 ((shift t_0) (integer_of_int32 !m))))) 
                     (integer_of_int32 v))
                then
                 (let _jessie_ =
                 (l := (safe_int32_of_integer_ ((add_int (integer_of_int32 !m)) (1)))) in
                 void)
                else
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ longP_longM_t_2) 
                                                  ((shift t_0) (integer_of_int32 !m))))) 
                      (integer_of_int32 v))
                 then
                  (let _jessie_ =
                  (u := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1)))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_19:
    (ge_int(integer_of_int32(result), (0)) ->
     (integer_of_int32(select(longP_longM_t_2,
                       shift(t_0, integer_of_int32(result)))) = integer_of_int32(v)))) }

let binary_search_safety =
 fun (t_0 : longP pointer) (n_1 : int32) (v : int32) (longP_t_2_alloc_table : longP alloc_table) (longP_longM_t_2 : (longP, int32) memory) ->
  { (JC_9:
    ((JC_6: ge_int(integer_of_int32(n_1), (0)))
    and ((JC_7: le_int(offset_min(longP_t_2_alloc_table, t_0), (0)))
        and (JC_8:
            ge_int(offset_max(longP_t_2_alloc_table, t_0),
            sub_int(integer_of_int32(n_1), (1))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let l = ref (any_int32 void) in
     (let u = ref (any_int32 void) in
     (let m = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (l := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (u := (JC_23:
                (int32_of_integer_ ((sub_int (integer_of_int32 n_1)) (1))))) in
          void);
          (loop_1:
          begin
            while true do
            { invariant (JC_28: true)
              variant (JC_38 : sub_int(integer_of_int32(u),
                               integer_of_int32(l))) }
             begin
               [ { } unit reads l,u
                 { (JC_26:
                   ((JC_24: le_int((0), integer_of_int32(l)))
                   and (JC_25:
                       le_int(integer_of_int32(u),
                       sub_int(integer_of_int32(n_1), (1)))))) } ];
              try
               begin
                 (if ((le_int_ (integer_of_int32 !l)) (integer_of_int32 !u))
                 then void else (raise (Goto_while_0_break_exc void)));
                (let _jessie_ =
                (m := (JC_32:
                      (int32_of_integer_ (JC_31:
                                         ((computer_div_ (integer_of_int32 
                                                          (JC_30:
                                                          (int32_of_integer_ 
                                                           ((add_int 
                                                             (integer_of_int32 !l)) 
                                                            (integer_of_int32 !u)))))) (2)))))) in
                void);
                [ { } unit reads l,m,u
                  { (JC_33:
                    (le_int(integer_of_int32(l), integer_of_int32(m))
                    and le_int(integer_of_int32(m), integer_of_int32(u)))) } ];
                void;
                (if ((lt_int_ (integer_of_int32 (JC_34:
                                                ((((offset_acc_ longP_t_2_alloc_table) longP_longM_t_2) t_0) 
                                                 (integer_of_int32 !m))))) 
                     (integer_of_int32 v))
                then
                 (let _jessie_ =
                 (l := (JC_35:
                       (int32_of_integer_ ((add_int (integer_of_int32 !m)) (1))))) in
                 void)
                else
                 (if ((gt_int_ (integer_of_int32 (JC_36:
                                                 ((((offset_acc_ longP_t_2_alloc_table) longP_longM_t_2) t_0) 
                                                  (integer_of_int32 !m))))) 
                      (integer_of_int32 v))
                 then
                  (let _jessie_ =
                  (u := (JC_37:
                        (int32_of_integer_ ((sub_int (integer_of_int32 !m)) (1))))) in
                  void)
                 else
                  begin
                    (let _jessie_ = (__retres := !m) in void);
                   (raise (Return_label_exc void)) end));
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/binary_search.why
========== file tests/c/binary_search.jessie/why/binary_search_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type int32

type int8

type longP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_longP(p: longP pointer, a: int,
  longP_alloc_table: longP alloc_table) = (offset_min(longP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

logic longP_tag : longP tag_id

axiom longP_int: (int_of_tag(longP_tag) = 1)

logic longP_of_pointer_address : unit pointer -> longP pointer

axiom longP_of_pointer_address_of_pointer_addr:
  (forall p:longP pointer.
    (p = longP_of_pointer_address(pointer_address(p))))

axiom longP_parenttag_bottom: parenttag(longP_tag, bottom_tag)

axiom longP_tags:
  (forall x:longP pointer.
    (forall longP_tag_table:longP tag_table. instanceof(longP_tag_table, x,
      longP_tag)))

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_longP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(longP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_longP(p: longP pointer, b: int,
  longP_alloc_table: longP alloc_table) = (offset_max(longP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate sorted(t: longP pointer, a: int, b: int,
  longP_longM_t_1_at_L: (longP, int32) memory) =
  (forall i_1:int.
    (forall j_0:int.
      (((a <= i_1) and ((i_1 <= j_0) and (j_0 <= b))) ->
       (integer_of_int32(select(longP_longM_t_1_at_L, shift(t,
       i_1))) <= integer_of_int32(select(longP_longM_t_1_at_L, shift(t,
       j_0)))))))

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_longP(p: longP pointer, a: int, b: int,
  longP_alloc_table: longP alloc_table) =
  ((offset_min(longP_alloc_table, p) = a) and (offset_max(longP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_longP(p: longP pointer, a: int, b: int,
  longP_alloc_table: longP alloc_table) =
  ((offset_min(longP_alloc_table, p) = a) and (offset_max(longP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_longP(p: longP pointer, a: int, b: int,
  longP_alloc_table: longP alloc_table) =
  ((offset_min(longP_alloc_table, p) <= a) and (offset_max(longP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_longP(p: longP pointer, a: int, b: int,
  longP_alloc_table: longP alloc_table) =
  ((offset_min(longP_alloc_table, p) <= a) and (offset_max(longP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal mean:
  (forall x_0:int.
    (forall y:int.
      ((x_0 <= y) ->
       ((x_0 <= computer_div((x_0 + y), 2)) and (computer_div((x_0 + y),
        2) <= y)))))

axiom mean_as_axiom:
  (forall x_0:int.
    (forall y:int.
      ((x_0 <= y) ->
       ((x_0 <= computer_div((x_0 + y), 2)) and (computer_div((x_0 + y),
        2) <= y)))))

goal binary_search_ensures_default_po_1:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  ("JC_41": ("JC_39": (0 <= integer_of_int32(l))))

goal binary_search_ensures_default_po_2:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  ("JC_41": ("JC_40": (integer_of_int32(u) <= (integer_of_int32(n_1) - 1))))

goal binary_search_ensures_default_po_3:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_41":
  (("JC_39": (0 <= integer_of_int32(l0))) and
   ("JC_40": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall m:int32.
  (m = result2) ->
  ("JC_46": (integer_of_int32(l0) <= integer_of_int32(m)))

goal binary_search_ensures_default_po_4:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_41":
  (("JC_39": (0 <= integer_of_int32(l0))) and
   ("JC_40": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall m:int32.
  (m = result2) ->
  ("JC_46": (integer_of_int32(m) <= integer_of_int32(u0)))

goal binary_search_ensures_default_po_5:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_41":
  (("JC_39": (0 <= integer_of_int32(l0))) and
   ("JC_40": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall m:int32.
  (m = result2) ->
  ("JC_46":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result3:int32.
  (result3 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result3) < integer_of_int32(v)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(m) + 1)) ->
  forall l1:int32.
  (l1 = result4) ->
  ("JC_41": ("JC_39": (0 <= integer_of_int32(l1))))

goal binary_search_ensures_default_po_6:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_41":
  (("JC_39": (0 <= integer_of_int32(l0))) and
   ("JC_40": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall m:int32.
  (m = result2) ->
  ("JC_46":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result3:int32.
  (result3 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result3) >= integer_of_int32(v)) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) > integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) - 1)) ->
  forall u1:int32.
  (u1 = result5) ->
  ("JC_41": ("JC_40": (integer_of_int32(u1) <= (integer_of_int32(n_1) - 1))))

goal binary_search_ensures_default_po_7:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_41":
  (("JC_39": (0 <= integer_of_int32(l0))) and
   ("JC_40": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall m:int32.
  (m = result2) ->
  ("JC_46":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result3:int32.
  (result3 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result3) >= integer_of_int32(v)) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) <= integer_of_int32(v)) ->
  forall __retres:int32.
  (__retres = m) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_13": ("JC_11": ((-1) <= integer_of_int32(return))))

goal binary_search_ensures_default_po_8:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_41":
  (("JC_39": (0 <= integer_of_int32(l0))) and
   ("JC_40": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall m:int32.
  (m = result2) ->
  ("JC_46":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result3:int32.
  (result3 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result3) >= integer_of_int32(v)) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) <= integer_of_int32(v)) ->
  forall __retres:int32.
  (__retres = m) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_13": ("JC_12": (integer_of_int32(return) < integer_of_int32(n_1))))

goal binary_search_ensures_default_po_9:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_41":
  (("JC_39": (0 <= integer_of_int32(l0))) and
   ("JC_40": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) > integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (-1)) ->
  forall __retres:int32.
  (__retres = result1) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_13": ("JC_11": ((-1) <= integer_of_int32(return))))

goal binary_search_ensures_default_po_10:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_41":
  (("JC_39": (0 <= integer_of_int32(l0))) and
   ("JC_40": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) > integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (-1)) ->
  forall __retres:int32.
  (__retres = result1) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_13": ("JC_12": (integer_of_int32(return) < integer_of_int32(n_1))))

goal binary_search_ensures_failure_po_1:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), longP_longM_t_2) and
   ("JC_9":
   (("JC_6": (integer_of_int32(n_1) >= 0)) and
    (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
     ("JC_8": (offset_max(longP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall k:int.
  ((0 <= k) and
   ((k < integer_of_int32(n_1)) and (integer_of_int32(select(longP_longM_t_2,
    shift(t_0, k))) = integer_of_int32(v)))) ->
  ("JC_55": (integer_of_int32(l) <= k))

goal binary_search_ensures_failure_po_2:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), longP_longM_t_2) and
   ("JC_9":
   (("JC_6": (integer_of_int32(n_1) >= 0)) and
    (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
     ("JC_8": (offset_max(longP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall k:int.
  ((0 <= k) and
   ((k < integer_of_int32(n_1)) and (integer_of_int32(select(longP_longM_t_2,
    shift(t_0, k))) = integer_of_int32(v)))) ->
  ("JC_55": (k <= integer_of_int32(u)))

goal binary_search_ensures_failure_po_3:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), longP_longM_t_2) and
   ("JC_9":
   (("JC_6": (integer_of_int32(n_1) >= 0)) and
    (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
     ("JC_8": (offset_max(longP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_55":
  (forall k:int.
    (((0 <= k) and
      ((k < integer_of_int32(n_1)) and
       (integer_of_int32(select(longP_longM_t_2, shift(t_0,
       k))) = integer_of_int32(v)))) ->
     ((integer_of_int32(l0) <= k) and (k <= integer_of_int32(u0)))))) ->
  ("JC_58":
  (("JC_56": (0 <= integer_of_int32(l0))) and
   ("JC_57": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall m:int32.
  (m = result2) ->
  ("JC_63":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result3:int32.
  (result3 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result3) < integer_of_int32(v)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(m) + 1)) ->
  forall l1:int32.
  (l1 = result4) ->
  forall k:int.
  ((0 <= k) and
   ((k < integer_of_int32(n_1)) and (integer_of_int32(select(longP_longM_t_2,
    shift(t_0, k))) = integer_of_int32(v)))) ->
  ("JC_55": (integer_of_int32(l1) <= k))

goal binary_search_ensures_failure_po_4:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), longP_longM_t_2) and
   ("JC_9":
   (("JC_6": (integer_of_int32(n_1) >= 0)) and
    (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
     ("JC_8": (offset_max(longP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_55":
  (forall k:int.
    (((0 <= k) and
      ((k < integer_of_int32(n_1)) and
       (integer_of_int32(select(longP_longM_t_2, shift(t_0,
       k))) = integer_of_int32(v)))) ->
     ((integer_of_int32(l0) <= k) and (k <= integer_of_int32(u0)))))) ->
  ("JC_58":
  (("JC_56": (0 <= integer_of_int32(l0))) and
   ("JC_57": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall m:int32.
  (m = result2) ->
  ("JC_63":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result3:int32.
  (result3 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result3) < integer_of_int32(v)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(m) + 1)) ->
  forall l1:int32.
  (l1 = result4) ->
  forall k:int.
  ((0 <= k) and
   ((k < integer_of_int32(n_1)) and (integer_of_int32(select(longP_longM_t_2,
    shift(t_0, k))) = integer_of_int32(v)))) ->
  ("JC_55": (k <= integer_of_int32(u0)))

goal binary_search_ensures_failure_po_5:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), longP_longM_t_2) and
   ("JC_9":
   (("JC_6": (integer_of_int32(n_1) >= 0)) and
    (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
     ("JC_8": (offset_max(longP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_55":
  (forall k:int.
    (((0 <= k) and
      ((k < integer_of_int32(n_1)) and
       (integer_of_int32(select(longP_longM_t_2, shift(t_0,
       k))) = integer_of_int32(v)))) ->
     ((integer_of_int32(l0) <= k) and (k <= integer_of_int32(u0)))))) ->
  ("JC_58":
  (("JC_56": (0 <= integer_of_int32(l0))) and
   ("JC_57": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall m:int32.
  (m = result2) ->
  ("JC_63":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result3:int32.
  (result3 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result3) >= integer_of_int32(v)) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) > integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) - 1)) ->
  forall u1:int32.
  (u1 = result5) ->
  forall k:int.
  ((0 <= k) and
   ((k < integer_of_int32(n_1)) and (integer_of_int32(select(longP_longM_t_2,
    shift(t_0, k))) = integer_of_int32(v)))) ->
  ("JC_55": (integer_of_int32(l0) <= k))

goal binary_search_ensures_failure_po_6:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), longP_longM_t_2) and
   ("JC_9":
   (("JC_6": (integer_of_int32(n_1) >= 0)) and
    (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
     ("JC_8": (offset_max(longP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_55":
  (forall k:int.
    (((0 <= k) and
      ((k < integer_of_int32(n_1)) and
       (integer_of_int32(select(longP_longM_t_2, shift(t_0,
       k))) = integer_of_int32(v)))) ->
     ((integer_of_int32(l0) <= k) and (k <= integer_of_int32(u0)))))) ->
  ("JC_58":
  (("JC_56": (0 <= integer_of_int32(l0))) and
   ("JC_57": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall m:int32.
  (m = result2) ->
  ("JC_63":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result3:int32.
  (result3 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result3) >= integer_of_int32(v)) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) > integer_of_int32(v)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) - 1)) ->
  forall u1:int32.
  (u1 = result5) ->
  forall k:int.
  ((0 <= k) and
   ((k < integer_of_int32(n_1)) and (integer_of_int32(select(longP_longM_t_2,
    shift(t_0, k))) = integer_of_int32(v)))) ->
  ("JC_55": (k <= integer_of_int32(u1)))

goal binary_search_ensures_failure_po_7:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), longP_longM_t_2) and
   ("JC_9":
   (("JC_6": (integer_of_int32(n_1) >= 0)) and
    (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
     ("JC_8": (offset_max(longP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_55":
  (forall k:int.
    (((0 <= k) and
      ((k < integer_of_int32(n_1)) and
       (integer_of_int32(select(longP_longM_t_2, shift(t_0,
       k))) = integer_of_int32(v)))) ->
     ((integer_of_int32(l0) <= k) and (k <= integer_of_int32(u0)))))) ->
  ("JC_58":
  (("JC_56": (0 <= integer_of_int32(l0))) and
   ("JC_57": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall m:int32.
  (m = result2) ->
  ("JC_63":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result3:int32.
  (result3 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result3) >= integer_of_int32(v)) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) <= integer_of_int32(v)) ->
  forall __retres:int32.
  (__retres = m) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) = (-1)) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < integer_of_int32(n_1))) ->
  ("JC_21": (integer_of_int32(select(longP_longM_t_2, shift(t_0,
  k_0))) <> integer_of_int32(v)))

goal binary_search_ensures_failure_po_8:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  (sorted(t_0, 0, (integer_of_int32(n_1) - 1), longP_longM_t_2) and
   ("JC_9":
   (("JC_6": (integer_of_int32(n_1) >= 0)) and
    (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
     ("JC_8": (offset_max(longP_t_2_alloc_table,
     t_0) >= (integer_of_int32(n_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_55":
  (forall k:int.
    (((0 <= k) and
      ((k < integer_of_int32(n_1)) and
       (integer_of_int32(select(longP_longM_t_2, shift(t_0,
       k))) = integer_of_int32(v)))) ->
     ((integer_of_int32(l0) <= k) and (k <= integer_of_int32(u0)))))) ->
  ("JC_58":
  (("JC_56": (0 <= integer_of_int32(l0))) and
   ("JC_57": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) > integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (-1)) ->
  forall __retres:int32.
  (__retres = result1) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) = (-1)) ->
  forall k_0:int.
  ((0 <= k_0) and (k_0 < integer_of_int32(n_1))) ->
  ("JC_21": (integer_of_int32(select(longP_longM_t_2, shift(t_0,
  k_0))) <> integer_of_int32(v)))

goal binary_search_ensures_success_po_1:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_51": true) ->
  ("JC_49":
  (("JC_47": (0 <= integer_of_int32(l0))) and
   ("JC_48": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall m:int32.
  (m = result2) ->
  ("JC_54":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  forall result3:int32.
  (result3 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result3) >= integer_of_int32(v)) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) <= integer_of_int32(v)) ->
  forall __retres:int32.
  (__retres = m) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) >= 0) ->
  ("JC_19": (integer_of_int32(select(longP_longM_t_2, shift(t_0,
  integer_of_int32(return)))) = integer_of_int32(v)))

goal binary_search_ensures_success_po_2:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_51": true) ->
  ("JC_49":
  (("JC_47": (0 <= integer_of_int32(l0))) and
   ("JC_48": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) > integer_of_int32(u0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (-1)) ->
  forall __retres:int32.
  (__retres = result1) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) >= 0) ->
  ("JC_19": (integer_of_int32(select(longP_longM_t_2, shift(t_0,
  integer_of_int32(return)))) = integer_of_int32(v)))

goal binary_search_safety_po_1:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  ((-2147483648) <= (integer_of_int32(n_1) - 1))

goal binary_search_safety_po_2:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  ((integer_of_int32(n_1) - 1) <= 2147483647)

goal binary_search_safety_po_3:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  ((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0)))

goal binary_search_safety_po_4:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)

goal binary_search_safety_po_5:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0)

goal binary_search_safety_po_6:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  ((-2147483648) <= result2)

goal binary_search_safety_po_7:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (result2 <= 2147483647)

goal binary_search_safety_po_8:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  forall m:int32.
  (m = result3) ->
  ("JC_33":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  (offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m))

goal binary_search_safety_po_9:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  forall m:int32.
  (m = result3) ->
  ("JC_33":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))

goal binary_search_safety_po_10:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  forall m:int32.
  (m = result3) ->
  ("JC_33":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) < integer_of_int32(v)) ->
  ((-2147483648) <= (integer_of_int32(m) + 1))

goal binary_search_safety_po_11:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  forall m:int32.
  (m = result3) ->
  ("JC_33":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) < integer_of_int32(v)) ->
  ((integer_of_int32(m) + 1) <= 2147483647)

goal binary_search_safety_po_12:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  forall m:int32.
  (m = result3) ->
  ("JC_33":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) < integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(m) + 1)) and
   ((integer_of_int32(m) + 1) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) + 1)) ->
  forall l1:int32.
  (l1 = result5) ->
  (0 <= ("JC_38": (integer_of_int32(u0) - integer_of_int32(l0))))

goal binary_search_safety_po_13:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  forall m:int32.
  (m = result3) ->
  ("JC_33":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) < integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(m) + 1)) and
   ((integer_of_int32(m) + 1) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(m) + 1)) ->
  forall l1:int32.
  (l1 = result5) ->
  (("JC_38": (integer_of_int32(u0) - integer_of_int32(l1))) < ("JC_38":
                                                              (integer_of_int32(u0) - integer_of_int32(l0))))

goal binary_search_safety_po_14:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  forall m:int32.
  (m = result3) ->
  ("JC_33":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  ((offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) > integer_of_int32(v)) ->
  ((-2147483648) <= (integer_of_int32(m) - 1))

goal binary_search_safety_po_15:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  forall m:int32.
  (m = result3) ->
  ("JC_33":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  ((offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) > integer_of_int32(v)) ->
  ((integer_of_int32(m) - 1) <= 2147483647)

goal binary_search_safety_po_16:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  forall m:int32.
  (m = result3) ->
  ("JC_33":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  ((offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) > integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(m) - 1)) and
   ((integer_of_int32(m) - 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) - 1)) ->
  forall u1:int32.
  (u1 = result6) ->
  (0 <= ("JC_38": (integer_of_int32(u0) - integer_of_int32(l0))))

goal binary_search_safety_po_17:
  forall t_0:longP pointer.
  forall n_1:int32.
  forall v:int32.
  forall longP_t_2_alloc_table:longP alloc_table.
  forall longP_longM_t_2:(longP,
  int32) memory.
  ("JC_9":
  (("JC_6": (integer_of_int32(n_1) >= 0)) and
   (("JC_7": (offset_min(longP_t_2_alloc_table, t_0) <= 0)) and
    ("JC_8": (offset_max(longP_t_2_alloc_table,
    t_0) >= (integer_of_int32(n_1) - 1)))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall l:int32.
  (l = result) ->
  (((-2147483648) <= (integer_of_int32(n_1) - 1)) and
   ((integer_of_int32(n_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(n_1) - 1)) ->
  forall u:int32.
  (u = result0) ->
  forall l0:int32.
  forall u0:int32.
  ("JC_28": true) ->
  ("JC_26":
  (("JC_24": (0 <= integer_of_int32(l0))) and
   ("JC_25": (integer_of_int32(u0) <= (integer_of_int32(n_1) - 1))))) ->
  (integer_of_int32(l0) <= integer_of_int32(u0)) ->
  (((-2147483648) <= (integer_of_int32(l0) + integer_of_int32(u0))) and
   ((integer_of_int32(l0) + integer_of_int32(u0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(l0) + integer_of_int32(u0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  forall m:int32.
  (m = result3) ->
  ("JC_33":
  ((integer_of_int32(l0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= integer_of_int32(u0)))) ->
  ((offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))) ->
  forall result4:int32.
  (result4 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result4) >= integer_of_int32(v)) ->
  ((offset_min(longP_t_2_alloc_table, t_0) <= integer_of_int32(m)) and
   (integer_of_int32(m) <= offset_max(longP_t_2_alloc_table, t_0))) ->
  forall result5:int32.
  (result5 = select(longP_longM_t_2, shift(t_0, integer_of_int32(m)))) ->
  (integer_of_int32(result5) > integer_of_int32(v)) ->
  (((-2147483648) <= (integer_of_int32(m) - 1)) and
   ((integer_of_int32(m) - 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(m) - 1)) ->
  forall u1:int32.
  (u1 = result6) ->
  (("JC_38": (integer_of_int32(u1) - integer_of_int32(l0))) < ("JC_38":
                                                              (integer_of_int32(u0) - integer_of_int32(l0))))

// RUNSIMPLIFY this tells regtests to run Simplify in this example
========== generation of Simplify VC output ==========
why -simplify [...] why/binary_search.why
========== file tests/c/binary_search.jessie/simplify/binary_search_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(BG_PUSH
 ;; Why axiom charP_int
 (EQ (int_of_tag charP_tag) 1))

(BG_PUSH
 ;; Why axiom charP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (charP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom charP_parenttag_bottom
 (EQ (parenttag charP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom charP_tags
 (FORALL (x charP_tag_table) (instanceof charP_tag_table x charP_tag)))

(DEFPRED (eq_int32 x y) (EQ (integer_of_int32 x) (integer_of_int32 y)))

(DEFPRED (eq_int8 x y) (EQ (integer_of_int8 x) (integer_of_int8 y)))

(DEFPRED (eq_uint8 x y) (EQ (integer_of_uint8 x) (integer_of_uint8 y)))

(BG_PUSH
 ;; Why axiom int32_coerce
 (FORALL (x)
 (IMPLIES
 (AND (<= (- 0 constant_too_large_2147483648) x)
 (<= x constant_too_large_2147483647))
 (EQ (integer_of_int32 (int32_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int32_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int32 x) (integer_of_int32 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int32_range
 (FORALL (x)
 (AND (<= (- 0 constant_too_large_2147483648) (integer_of_int32 x))
 (<= (integer_of_int32 x) constant_too_large_2147483647))))

(BG_PUSH
 ;; Why axiom int8_coerce
 (FORALL (x)
 (IMPLIES (AND (<= (- 0 128) x) (<= x 127))
 (EQ (integer_of_int8 (int8_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom int8_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_int8 x) (integer_of_int8 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom int8_range
 (FORALL (x)
 (AND (<= (- 0 128) (integer_of_int8 x)) (<= (integer_of_int8 x) 127))))

(DEFPRED (left_valid_struct_charP p a charP_alloc_table)
  (<= (offset_min charP_alloc_table p) a))

(DEFPRED (left_valid_struct_longP p a longP_alloc_table)
  (<= (offset_min longP_alloc_table p) a))

(DEFPRED (left_valid_struct_unsigned_charP p a unsigned_charP_alloc_table)
  (<= (offset_min unsigned_charP_alloc_table p) a))

(DEFPRED (left_valid_struct_voidP p a voidP_alloc_table)
  (<= (offset_min voidP_alloc_table p) a))

(BG_PUSH
 ;; Why axiom longP_int
 (EQ (int_of_tag longP_tag) 1))

(BG_PUSH
 ;; Why axiom longP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (longP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom longP_parenttag_bottom
 (EQ (parenttag longP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom longP_tags
 (FORALL (x longP_tag_table) (instanceof longP_tag_table x longP_tag)))

(BG_PUSH
 ;; Why axiom pointer_addr_of_charP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (charP_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_longP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (longP_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_unsigned_charP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (unsigned_charP_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_voidP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (voidP_of_pointer_address p)))))

(DEFPRED (right_valid_struct_charP p b charP_alloc_table)
  (>= (offset_max charP_alloc_table p) b))

(DEFPRED (right_valid_struct_longP p b longP_alloc_table)
  (>= (offset_max longP_alloc_table p) b))

(DEFPRED (right_valid_struct_unsigned_charP p b unsigned_charP_alloc_table)
  (>= (offset_max unsigned_charP_alloc_table p) b))

(DEFPRED (right_valid_struct_voidP p b voidP_alloc_table)
  (>= (offset_max voidP_alloc_table p) b))

(DEFPRED (sorted t a b longP_longM_t_1_at_L)
  (FORALL (i_1 j_0)
  (IMPLIES (AND (<= a i_1) (AND (<= i_1 j_0) (<= j_0 b)))
  (<= (integer_of_int32 (select longP_longM_t_1_at_L (shift t i_1))) 
  (integer_of_int32 (select longP_longM_t_1_at_L (shift t j_0)))))))

(DEFPRED (strict_valid_root_charP p a b charP_alloc_table)
  (AND (EQ (offset_min charP_alloc_table p) a)
  (EQ (offset_max charP_alloc_table p) b)))

(DEFPRED (strict_valid_root_longP p a b longP_alloc_table)
  (AND (EQ (offset_min longP_alloc_table p) a)
  (EQ (offset_max longP_alloc_table p) b)))

(DEFPRED (strict_valid_root_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (EQ (offset_min unsigned_charP_alloc_table p) a)
  (EQ (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (strict_valid_root_voidP p a b voidP_alloc_table)
  (AND (EQ (offset_min voidP_alloc_table p) a)
  (EQ (offset_max voidP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_charP p a b charP_alloc_table)
  (AND (EQ (offset_min charP_alloc_table p) a)
  (EQ (offset_max charP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_longP p a b longP_alloc_table)
  (AND (EQ (offset_min longP_alloc_table p) a)
  (EQ (offset_max longP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (EQ (offset_min unsigned_charP_alloc_table p) a)
  (EQ (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_voidP p a b voidP_alloc_table)
  (AND (EQ (offset_min voidP_alloc_table p) a)
  (EQ (offset_max voidP_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom uint8_coerce
 (FORALL (x)
 (IMPLIES (AND (<= 0 x) (<= x 255))
 (EQ (integer_of_uint8 (uint8_of_integer x)) x))))

(BG_PUSH
 ;; Why axiom uint8_extensionality
 (FORALL (x y)
 (IMPLIES (EQ (integer_of_uint8 x) (integer_of_uint8 y)) (EQ x y))))

(BG_PUSH
 ;; Why axiom uint8_range
 (FORALL (x) (AND (<= 0 (integer_of_uint8 x)) (<= (integer_of_uint8 x) 255))))

(BG_PUSH
 ;; Why axiom unsigned_charP_int
 (EQ (int_of_tag unsigned_charP_tag) 1))

(BG_PUSH
 ;; Why axiom unsigned_charP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (unsigned_charP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom unsigned_charP_parenttag_bottom
 (EQ (parenttag unsigned_charP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom unsigned_charP_tags
 (FORALL (x unsigned_charP_tag_table)
 (instanceof unsigned_charP_tag_table x unsigned_charP_tag)))

(DEFPRED (valid_root_charP p a b charP_alloc_table)
  (AND (<= (offset_min charP_alloc_table p) a)
  (>= (offset_max charP_alloc_table p) b)))

(DEFPRED (valid_root_longP p a b longP_alloc_table)
  (AND (<= (offset_min longP_alloc_table p) a)
  (>= (offset_max longP_alloc_table p) b)))

(DEFPRED (valid_root_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (<= (offset_min unsigned_charP_alloc_table p) a)
  (>= (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (valid_root_voidP p a b voidP_alloc_table)
  (AND (<= (offset_min voidP_alloc_table p) a)
  (>= (offset_max voidP_alloc_table p) b)))

(DEFPRED (valid_struct_charP p a b charP_alloc_table)
  (AND (<= (offset_min charP_alloc_table p) a)
  (>= (offset_max charP_alloc_table p) b)))

(DEFPRED (valid_struct_longP p a b longP_alloc_table)
  (AND (<= (offset_min longP_alloc_table p) a)
  (>= (offset_max longP_alloc_table p) b)))

(DEFPRED (valid_struct_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (<= (offset_min unsigned_charP_alloc_table p) a)
  (>= (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (valid_struct_voidP p a b voidP_alloc_table)
  (AND (<= (offset_min voidP_alloc_table p) a)
  (>= (offset_max voidP_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom voidP_int
 (EQ (int_of_tag voidP_tag) 1))

(BG_PUSH
 ;; Why axiom voidP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (voidP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom voidP_parenttag_bottom
 (EQ (parenttag voidP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom voidP_tags
 (FORALL (x voidP_tag_table) (instanceof voidP_tag_table x voidP_tag)))

;; mean, File "HOME/tests/c/binary_search.c", line 34, characters 4-67
(FORALL (x_0 y)
(IMPLIES (<= x_0 y)
(AND (<= x_0 (computer_div (+ x_0 y) 2)) (<= (computer_div (+ x_0 y) 2) y))))

(BG_PUSH
 ;; lemma mean as axiom
(FORALL (x_0 y)
(IMPLIES (<= x_0 y)
(AND (<= x_0 (computer_div (+ x_0 y) 2)) (<= (computer_div (+ x_0 y) 2) y)))))

;; binary_search_ensures_default_po_1, File "HOME/tests/c/binary_search.c", line 52, characters 8-14
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u) (IMPLIES (EQ u result0) (<= 0 (integer_of_int32 l))))))))))))))

;; binary_search_ensures_default_po_2, File "HOME/tests/c/binary_search.c", line 52, characters 18-26
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(<= (integer_of_int32 u) (- (integer_of_int32 n_1) 1))))))))))))))

;; binary_search_ensures_default_po_3, File "HOME/tests/c/binary_search.c", line 60, characters 15-26
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (computer_div (integer_of_int32 result1) 2))
(FORALL (m)
(IMPLIES (EQ m result2) (<= (integer_of_int32 l0) (integer_of_int32 m))))))))))))))))))))))))

;; binary_search_ensures_default_po_4, File "HOME/tests/c/binary_search.c", line 60, characters 15-26
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (computer_div (integer_of_int32 result1) 2))
(FORALL (m)
(IMPLIES (EQ m result2) (<= (integer_of_int32 m) (integer_of_int32 u0))))))))))))))))))))))))

;; binary_search_ensures_default_po_5, File "HOME/tests/c/binary_search.c", line 52, characters 8-14
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (computer_div (integer_of_int32 result1) 2))
(FORALL (m)
(IMPLIES (EQ m result2)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(FORALL (result3)
(IMPLIES (EQ result3
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result3) (integer_of_int32 v))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 m) 1))
(FORALL (l1) (IMPLIES (EQ l1 result4) (<= 0 (integer_of_int32 l1))))))))))))))))))))))))))))))))))

;; binary_search_ensures_default_po_6, File "HOME/tests/c/binary_search.c", line 52, characters 18-26
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (computer_div (integer_of_int32 result1) 2))
(FORALL (m)
(IMPLIES (EQ m result2)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(FORALL (result3)
(IMPLIES (EQ result3
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result3) (integer_of_int32 v))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (- (integer_of_int32 m) 1))
(FORALL (u1)
(IMPLIES (EQ u1 result5)
(<= (integer_of_int32 u1) (- (integer_of_int32 n_1) 1)))))))))))))))))))))))))))))))))))))

;; binary_search_ensures_default_po_7, File "HOME/tests/c/binary_search.c", line 41, characters 12-25
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (computer_div (integer_of_int32 result1) 2))
(FORALL (m)
(IMPLIES (EQ m result2)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(FORALL (result3)
(IMPLIES (EQ result3
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result3) (integer_of_int32 v))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (<= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (|__retres|)
(IMPLIES (EQ |__retres| m)
(FORALL (return)
(IMPLIES (EQ return |__retres|) (<= (- 0 1) (integer_of_int32 return)))))))))))))))))))))))))))))))))))))

;; binary_search_ensures_default_po_8, File "HOME/tests/c/binary_search.c", line 41, characters 18-29
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (computer_div (integer_of_int32 result1) 2))
(FORALL (m)
(IMPLIES (EQ m result2)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(FORALL (result3)
(IMPLIES (EQ result3
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result3) (integer_of_int32 v))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (<= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (|__retres|)
(IMPLIES (EQ |__retres| m)
(FORALL (return)
(IMPLIES (EQ return |__retres|)
(< (integer_of_int32 return) (integer_of_int32 n_1)))))))))))))))))))))))))))))))))))))

;; binary_search_ensures_default_po_9, File "HOME/tests/c/binary_search.c", line 41, characters 12-25
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (> (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- 0 1))
(FORALL (|__retres|)
(IMPLIES (EQ |__retres| result1)
(FORALL (return)
(IMPLIES (EQ return |__retres|) (<= (- 0 1) (integer_of_int32 return))))))))))))))))))))))))

;; binary_search_ensures_default_po_10, File "HOME/tests/c/binary_search.c", line 41, characters 18-29
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (> (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- 0 1))
(FORALL (|__retres|)
(IMPLIES (EQ |__retres| result1)
(FORALL (return)
(IMPLIES (EQ return |__retres|)
(< (integer_of_int32 return) (integer_of_int32 n_1))))))))))))))))))))))))

;; binary_search_ensures_failure_po_1, File "HOME/tests/c/binary_search.c", line 55, characters 8-66
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (sorted t_0 0 (- (integer_of_int32 n_1) 1) longP_longM_t_2)
         (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1)))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (k)
(IMPLIES (AND (<= 0 k)
         (AND (< k (integer_of_int32 n_1))
         (EQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k)))
         (integer_of_int32 v))))
(<= (integer_of_int32 l) k)))))))))))))))))

;; binary_search_ensures_failure_po_2, File "HOME/tests/c/binary_search.c", line 55, characters 8-66
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (sorted t_0 0 (- (integer_of_int32 n_1) 1) longP_longM_t_2)
         (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1)))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (k)
(IMPLIES (AND (<= 0 k)
         (AND (< k (integer_of_int32 n_1))
         (EQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k)))
         (integer_of_int32 v))))
(<= k (integer_of_int32 u))))))))))))))))))

;; binary_search_ensures_failure_po_3, File "HOME/tests/c/binary_search.c", line 55, characters 8-66
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (sorted t_0 0 (- (integer_of_int32 n_1) 1) longP_longM_t_2)
         (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1)))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (FORALL (k)
         (IMPLIES
         (AND (<= 0 k)
         (AND (< k (integer_of_int32 n_1))
         (EQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k)))
         (integer_of_int32 v))))
         (AND (<= (integer_of_int32 l0) k) (<= k (integer_of_int32 u0)))))
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (computer_div (integer_of_int32 result1) 2))
(FORALL (m)
(IMPLIES (EQ m result2)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(FORALL (result3)
(IMPLIES (EQ result3
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result3) (integer_of_int32 v))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 m) 1))
(FORALL (l1)
(IMPLIES (EQ l1 result4)
(FORALL (k)
(IMPLIES (AND (<= 0 k)
         (AND (< k (integer_of_int32 n_1))
         (EQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k)))
         (integer_of_int32 v))))
(<= (integer_of_int32 l1) k))))))))))))))))))))))))))))))))))))

;; binary_search_ensures_failure_po_4, File "HOME/tests/c/binary_search.c", line 55, characters 8-66
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (sorted t_0 0 (- (integer_of_int32 n_1) 1) longP_longM_t_2)
         (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1)))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (FORALL (k)
         (IMPLIES
         (AND (<= 0 k)
         (AND (< k (integer_of_int32 n_1))
         (EQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k)))
         (integer_of_int32 v))))
         (AND (<= (integer_of_int32 l0) k) (<= k (integer_of_int32 u0)))))
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (computer_div (integer_of_int32 result1) 2))
(FORALL (m)
(IMPLIES (EQ m result2)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(FORALL (result3)
(IMPLIES (EQ result3
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result3) (integer_of_int32 v))
(FORALL (result4)
(IMPLIES (EQ (integer_of_int32 result4) (+ (integer_of_int32 m) 1))
(FORALL (l1)
(IMPLIES (EQ l1 result4)
(FORALL (k)
(IMPLIES (AND (<= 0 k)
         (AND (< k (integer_of_int32 n_1))
         (EQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k)))
         (integer_of_int32 v))))
(<= k (integer_of_int32 u0)))))))))))))))))))))))))))))))))))))

;; binary_search_ensures_failure_po_5, File "HOME/tests/c/binary_search.c", line 55, characters 8-66
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (sorted t_0 0 (- (integer_of_int32 n_1) 1) longP_longM_t_2)
         (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1)))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (FORALL (k)
         (IMPLIES
         (AND (<= 0 k)
         (AND (< k (integer_of_int32 n_1))
         (EQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k)))
         (integer_of_int32 v))))
         (AND (<= (integer_of_int32 l0) k) (<= k (integer_of_int32 u0)))))
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (computer_div (integer_of_int32 result1) 2))
(FORALL (m)
(IMPLIES (EQ m result2)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(FORALL (result3)
(IMPLIES (EQ result3
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result3) (integer_of_int32 v))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (- (integer_of_int32 m) 1))
(FORALL (u1)
(IMPLIES (EQ u1 result5)
(FORALL (k)
(IMPLIES (AND (<= 0 k)
         (AND (< k (integer_of_int32 n_1))
         (EQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k)))
         (integer_of_int32 v))))
(<= (integer_of_int32 l0) k)))))))))))))))))))))))))))))))))))))))

;; binary_search_ensures_failure_po_6, File "HOME/tests/c/binary_search.c", line 55, characters 8-66
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (sorted t_0 0 (- (integer_of_int32 n_1) 1) longP_longM_t_2)
         (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1)))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (FORALL (k)
         (IMPLIES
         (AND (<= 0 k)
         (AND (< k (integer_of_int32 n_1))
         (EQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k)))
         (integer_of_int32 v))))
         (AND (<= (integer_of_int32 l0) k) (<= k (integer_of_int32 u0)))))
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (computer_div (integer_of_int32 result1) 2))
(FORALL (m)
(IMPLIES (EQ m result2)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(FORALL (result3)
(IMPLIES (EQ result3
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result3) (integer_of_int32 v))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (- (integer_of_int32 m) 1))
(FORALL (u1)
(IMPLIES (EQ u1 result5)
(FORALL (k)
(IMPLIES (AND (<= 0 k)
         (AND (< k (integer_of_int32 n_1))
         (EQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k)))
         (integer_of_int32 v))))
(<= k (integer_of_int32 u1))))))))))))))))))))))))))))))))))))))))

;; binary_search_ensures_failure_po_7, File "HOME/tests/c/binary_search.c", line 46, characters 14-83
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (sorted t_0 0 (- (integer_of_int32 n_1) 1) longP_longM_t_2)
         (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1)))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (FORALL (k)
         (IMPLIES
         (AND (<= 0 k)
         (AND (< k (integer_of_int32 n_1))
         (EQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k)))
         (integer_of_int32 v))))
         (AND (<= (integer_of_int32 l0) k) (<= k (integer_of_int32 u0)))))
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (computer_div (integer_of_int32 result1) 2))
(FORALL (m)
(IMPLIES (EQ m result2)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(FORALL (result3)
(IMPLIES (EQ result3
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result3) (integer_of_int32 v))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (<= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (|__retres|)
(IMPLIES (EQ |__retres| m)
(FORALL (return)
(IMPLIES (EQ return |__retres|)
(IMPLIES (EQ (integer_of_int32 return) (- 0 1))
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (integer_of_int32 n_1)))
(NEQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k_0)))
(integer_of_int32 v)))))))))))))))))))))))))))))))))))))))))

;; binary_search_ensures_failure_po_8, File "HOME/tests/c/binary_search.c", line 46, characters 14-83
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (sorted t_0 0 (- (integer_of_int32 n_1) 1) longP_longM_t_2)
         (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1)))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES (FORALL (k)
         (IMPLIES
         (AND (<= 0 k)
         (AND (< k (integer_of_int32 n_1))
         (EQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k)))
         (integer_of_int32 v))))
         (AND (<= (integer_of_int32 l0) k) (<= k (integer_of_int32 u0)))))
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (> (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- 0 1))
(FORALL (|__retres|)
(IMPLIES (EQ |__retres| result1)
(FORALL (return)
(IMPLIES (EQ return |__retres|)
(IMPLIES (EQ (integer_of_int32 return) (- 0 1))
(FORALL (k_0)
(IMPLIES (AND (<= 0 k_0) (< k_0 (integer_of_int32 n_1)))
(NEQ (integer_of_int32 (select longP_longM_t_2 (shift t_0 k_0)))
(integer_of_int32 v))))))))))))))))))))))))))))))

;; binary_search_ensures_success_po_1, File "HOME/tests/c/binary_search.c", line 43, characters 14-46
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(FORALL (result2)
(IMPLIES (EQ (integer_of_int32 result2)
         (computer_div (integer_of_int32 result1) 2))
(FORALL (m)
(IMPLIES (EQ m result2)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(FORALL (result3)
(IMPLIES (EQ result3
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result3) (integer_of_int32 v))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (<= (integer_of_int32 result4) (integer_of_int32 v))
(FORALL (|__retres|)
(IMPLIES (EQ |__retres| m)
(FORALL (return)
(IMPLIES (EQ return |__retres|)
(IMPLIES (>= (integer_of_int32 return) 0)
(EQ (integer_of_int32
    (select longP_longM_t_2 (shift t_0 (integer_of_int32 return))))
(integer_of_int32 v)))))))))))))))))))))))))))))))))))))))

;; binary_search_ensures_success_po_2, File "HOME/tests/c/binary_search.c", line 43, characters 14-46
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (> (integer_of_int32 l0) (integer_of_int32 u0))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1) (- 0 1))
(FORALL (|__retres|)
(IMPLIES (EQ |__retres| result1)
(FORALL (return)
(IMPLIES (EQ return |__retres|)
(IMPLIES (>= (integer_of_int32 return) 0)
(EQ (integer_of_int32
    (select longP_longM_t_2 (shift t_0 (integer_of_int32 return))))
(integer_of_int32 v))))))))))))))))))))))))))))

;; binary_search_safety_po_1, File "HOME/tests/c/binary_search.c", line 50, characters 17-20
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))))))))))

;; binary_search_safety_po_2, File "HOME/tests/c/binary_search.c", line 50, characters 17-20
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647)))))))))

;; binary_search_safety_po_3, File "HOME/tests/c/binary_search.c", line 59, characters 13-18
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) (integer_of_int32
                                                                 u0)))))))))))))))))))))

;; binary_search_safety_po_4, File "HOME/tests/c/binary_search.c", line 59, characters 13-18
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647)))))))))))))))))))

;; binary_search_safety_po_5, File "HOME/tests/c/binary_search.c", line 59, characters 12-23
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(NEQ 2 0))))))))))))))))))))))

;; binary_search_safety_po_6, File "HOME/tests/c/binary_search.c", line 59, characters 12-23
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(IMPLIES (NEQ 2 0)
(FORALL (result2)
(IMPLIES (EQ result2 (computer_div (integer_of_int32 result1) 2))
(<= (- 0 constant_too_large_2147483648) result2)))))))))))))))))))))))))

;; binary_search_safety_po_7, File "HOME/tests/c/binary_search.c", line 59, characters 12-23
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(IMPLIES (NEQ 2 0)
(FORALL (result2)
(IMPLIES (EQ result2 (computer_div (integer_of_int32 result1) 2))
(<= result2 constant_too_large_2147483647)))))))))))))))))))))))))

;; binary_search_safety_po_8, File "HOME/tests/c/binary_search.c", line 61, characters 8-12
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(IMPLIES (NEQ 2 0)
(FORALL (result2)
(IMPLIES (EQ result2 (computer_div (integer_of_int32 result1) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result2)
         (<= result2 constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) result2)
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))))))))))))))))))))))))))))))))

;; binary_search_safety_po_9, File "HOME/tests/c/binary_search.c", line 61, characters 8-12
(FORALL (t_0)
(FORALL (n_1)
(FORALL (longP_t_2_alloc_table)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(IMPLIES (NEQ 2 0)
(FORALL (result2)
(IMPLIES (EQ result2 (computer_div (integer_of_int32 result1) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result2)
         (<= result2 constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) result2)
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0))))))))))))))))))))))))))))))))

;; binary_search_safety_po_10, File "HOME/tests/c/binary_search.c", line 61, characters 22-27
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(IMPLIES (NEQ 2 0)
(FORALL (result2)
(IMPLIES (EQ result2 (computer_div (integer_of_int32 result1) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result2)
         (<= result2 constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) result2)
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(IMPLIES (AND
         (<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0)))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result4) (integer_of_int32 v))
(<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 m) 1))))))))))))))))))))))))))))))))))))))

;; binary_search_safety_po_11, File "HOME/tests/c/binary_search.c", line 61, characters 22-27
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(IMPLIES (NEQ 2 0)
(FORALL (result2)
(IMPLIES (EQ result2 (computer_div (integer_of_int32 result1) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result2)
         (<= result2 constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) result2)
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(IMPLIES (AND
         (<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0)))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result4) (integer_of_int32 v))
(<= (+ (integer_of_int32 m) 1) constant_too_large_2147483647)))))))))))))))))))))))))))))))))))))

;; binary_search_safety_po_12, File "HOME/tests/c/binary_search.c", line 56, characters 19-22
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(IMPLIES (NEQ 2 0)
(FORALL (result2)
(IMPLIES (EQ result2 (computer_div (integer_of_int32 result1) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result2)
         (<= result2 constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) result2)
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(IMPLIES (AND
         (<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0)))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result4) (integer_of_int32 v))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 m) 1))
         (<= (+ (integer_of_int32 m) 1) constant_too_large_2147483647))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 m) 1))
(FORALL (l1)
(IMPLIES (EQ l1 result5)
(<= 0 (- (integer_of_int32 u0) (integer_of_int32 l0))))))))))))))))))))))))))))))))))))))))))))

;; binary_search_safety_po_13, File "HOME/tests/c/binary_search.c", line 56, characters 19-22
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(IMPLIES (NEQ 2 0)
(FORALL (result2)
(IMPLIES (EQ result2 (computer_div (integer_of_int32 result1) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result2)
         (<= result2 constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) result2)
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(IMPLIES (AND
         (<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0)))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (< (integer_of_int32 result4) (integer_of_int32 v))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 m) 1))
         (<= (+ (integer_of_int32 m) 1) constant_too_large_2147483647))
(FORALL (result5)
(IMPLIES (EQ (integer_of_int32 result5) (+ (integer_of_int32 m) 1))
(FORALL (l1)
(IMPLIES (EQ l1 result5)
(< (- (integer_of_int32 u0) (integer_of_int32 l1)) (- (integer_of_int32 u0) 
                                                   (integer_of_int32 l0))))))))))))))))))))))))))))))))))))))))))))

;; binary_search_safety_po_14, File "HOME/tests/c/binary_search.c", line 62, characters 27-32
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(IMPLIES (NEQ 2 0)
(FORALL (result2)
(IMPLIES (EQ result2 (computer_div (integer_of_int32 result1) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result2)
         (<= result2 constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) result2)
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(IMPLIES (AND
         (<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0)))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(IMPLIES (AND
         (<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result5) (integer_of_int32 v))
(<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 m) 1))))))))))))))))))))))))))))))))))))))))))

;; binary_search_safety_po_15, File "HOME/tests/c/binary_search.c", line 62, characters 27-32
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(IMPLIES (NEQ 2 0)
(FORALL (result2)
(IMPLIES (EQ result2 (computer_div (integer_of_int32 result1) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result2)
         (<= result2 constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) result2)
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(IMPLIES (AND
         (<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0)))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(IMPLIES (AND
         (<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result5) (integer_of_int32 v))
(<= (- (integer_of_int32 m) 1) constant_too_large_2147483647)))))))))))))))))))))))))))))))))))))))))

;; binary_search_safety_po_16, File "HOME/tests/c/binary_search.c", line 56, characters 19-22
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(IMPLIES (NEQ 2 0)
(FORALL (result2)
(IMPLIES (EQ result2 (computer_div (integer_of_int32 result1) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result2)
         (<= result2 constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) result2)
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(IMPLIES (AND
         (<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0)))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(IMPLIES (AND
         (<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 m) 1))
         (<= (- (integer_of_int32 m) 1) constant_too_large_2147483647))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (- (integer_of_int32 m) 1))
(FORALL (u1)
(IMPLIES (EQ u1 result6)
(<= 0 (- (integer_of_int32 u0) (integer_of_int32 l0))))))))))))))))))))))))))))))))))))))))))))))))

;; binary_search_safety_po_17, File "HOME/tests/c/binary_search.c", line 56, characters 19-22
(FORALL (t_0)
(FORALL (n_1)
(FORALL (v)
(FORALL (longP_t_2_alloc_table)
(FORALL (longP_longM_t_2)
(IMPLIES (AND (>= (integer_of_int32 n_1) 0)
         (AND (<= (offset_min longP_t_2_alloc_table t_0) 0)
         (>= (offset_max longP_t_2_alloc_table t_0) (- (integer_of_int32 n_1) 1))))
(FORALL (result)
(IMPLIES (EQ (integer_of_int32 result) 0)
(FORALL (l)
(IMPLIES (EQ l result)
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 n_1) 1))
         (<= (- (integer_of_int32 n_1) 1) constant_too_large_2147483647))
(FORALL (result0)
(IMPLIES (EQ (integer_of_int32 result0) (- (integer_of_int32 n_1) 1))
(FORALL (u)
(IMPLIES (EQ u result0)
(FORALL (l0)
(FORALL (u0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 (integer_of_int32 l0))
         (<= (integer_of_int32 u0) (- (integer_of_int32 n_1) 1)))
(IMPLIES (<= (integer_of_int32 l0) (integer_of_int32 u0))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (+ (integer_of_int32 l0) 
                                                 (integer_of_int32 u0)))
         (<= (+ (integer_of_int32 l0) (integer_of_int32 u0)) constant_too_large_2147483647))
(FORALL (result1)
(IMPLIES (EQ (integer_of_int32 result1)
         (+ (integer_of_int32 l0) (integer_of_int32 u0)))
(IMPLIES (NEQ 2 0)
(FORALL (result2)
(IMPLIES (EQ result2 (computer_div (integer_of_int32 result1) 2))
(IMPLIES (AND (<= (- 0 constant_too_large_2147483648) result2)
         (<= result2 constant_too_large_2147483647))
(FORALL (result3)
(IMPLIES (EQ (integer_of_int32 result3) result2)
(FORALL (m)
(IMPLIES (EQ m result3)
(IMPLIES (AND (<= (integer_of_int32 l0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (integer_of_int32 u0)))
(IMPLIES (AND
         (<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0)))
(FORALL (result4)
(IMPLIES (EQ result4
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (>= (integer_of_int32 result4) (integer_of_int32 v))
(IMPLIES (AND
         (<= (offset_min longP_t_2_alloc_table t_0) (integer_of_int32 m))
         (<= (integer_of_int32 m) (offset_max longP_t_2_alloc_table t_0)))
(FORALL (result5)
(IMPLIES (EQ result5
         (select longP_longM_t_2 (shift t_0 (integer_of_int32 m))))
(IMPLIES (> (integer_of_int32 result5) (integer_of_int32 v))
(IMPLIES (AND
         (<= (- 0 constant_too_large_2147483648) (- (integer_of_int32 m) 1))
         (<= (- (integer_of_int32 m) 1) constant_too_large_2147483647))
(FORALL (result6)
(IMPLIES (EQ (integer_of_int32 result6) (- (integer_of_int32 m) 1))
(FORALL (u1)
(IMPLIES (EQ u1 result6)
(< (- (integer_of_int32 u1) (integer_of_int32 l0)) (- (integer_of_int32 u0) 
                                                   (integer_of_int32 l0))))))))))))))))))))))))))))))))))))))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/binary_search_why.sx : .....................?..?.........?... (35/0/3/0/0)
total   :  38
valid   :  35 ( 92%)
invalid :   0 (  0%)
unknown :   3 (  8%)
timeout :   0 (  0%)
failure :   0 (  0%)
why-2.34/tests/c/oracle/selection_sort.res.oracle0000644000175000017500000073373612311670312020504 0ustar  rtusers========== file tests/c/selection_sort.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY: will ask regtests to run Simplify on this program

#pragma JessieIntegerModel(math)

#include "sorting.h"

/*@ requires \valid(t+i) && \valid(t+j);
  @ assigns t[i],t[j];
  @ ensures Swap{Old,Here}(t,i,j);
  @*/
void swap(int t[], int i, int j) {
  int tmp = t[i];
  t[i] = t[j];
  t[j] = tmp;
}

/*@ requires \valid_range(t,0,n-1);
  @ behavior sorted:
  @   ensures Sorted(t,0,n);
  @ behavior permutation:
  @   ensures Permut{Old,Here}(t,0,n-1);
  @*/
void sel_sort(int t[], int n) {
  int i,j;
  int mi,mv;
  if (n <= 0) return;
  /*@ loop invariant 0 <= i < n;
    @ for sorted:
    @  loop invariant
    @   Sorted(t,0,i) &&
    @   (\forall integer k1, k2 ;
    @      0 <= k1 < i <= k2 < n ==> t[k1] <= t[k2]) ;
    @ for permutation:
    @  loop invariant Permut{Pre,Here}(t,0,n-1);
    @ loop variant n-i;
    @*/
  for (i=0; i t[k] >= mv);
      @ for permutation:
      @  loop invariant
      @   Permut{Pre,Here}(t,0,n-1);
      @ loop variant n-j;
      @*/
    for (j=i+1; j < n; j++) {
      if (t[j] < mv) {
	mi = j ; mv = t[j];
      }
    }
  L:
    swap(t,i,mi);
    //@ assert Permut{L,Here}(t,0,n-1);
  }
}


/*
Local Variables:
compile-command: "frama-c -jessie selection_sort.c"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/selection_sort.c"
tests/c/selection_sort.c:48:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/selection_sort.jessie
[jessie] File tests/c/selection_sort.jessie/selection_sort.jc written.
[jessie] File tests/c/selection_sort.jessie/selection_sort.cloc written.
========== file tests/c/selection_sort.jessie/selection_sort.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag intP = {
  integer intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate Swap{L1, L2}(intP[..] a, integer i_1, integer j_0) =
(((\at((a + i_1).intM,L1) == \at((a + j_0).intM,L2)) &&
   (\at((a + j_0).intM,L1) == \at((a + i_1).intM,L2))) &&
  (\forall integer k;
    (((k != i_1) && (k != j_0)) ==>
      (\at((a + k).intM,L1) == \at((a + k).intM,L2)))))

predicate Permut{L1, L2}(intP[..] a_0, integer l, integer h) {
case Permut_refl{L}: \at((\forall intP[..] a_1;
                           (\forall integer l_0;
                             (\forall integer h_0;
                               Permut{L,
                               L}(a_1, l_0, h_0)))),L);
  
  case Permut_sym{L1, L2}: (\forall intP[..] a_2;
                             (\forall integer l_1;
                               (\forall integer h_1;
                                 (Permut{L1,
                                   L2}(a_2, l_1, h_1) ==>
                                   Permut{L2,
                                   L1}(a_2, l_1, h_1)))));
  
  case Permut_trans{L1, L2, L3}: (\forall intP[..] a_3;
                                   (\forall integer l_2;
                                     (\forall integer h_2;
                                       ((Permut{L1,
                                          L2}(a_3, l_2, h_2) &&
                                          Permut{L2,
                                          L3}(a_3, l_2, h_2)) ==>
                                         Permut{L1,
                                         L3}(a_3, l_2, h_2)))));
  
  case Permut_swap{L1, L2}: (\forall intP[..] a_4;
                              (\forall integer l_3;
                                (\forall integer h_3;
                                  (\forall integer i_2;
                                    (\forall integer j_1;
                                      (((((l_3 <= i_2) && (i_2 <= h_3)) &&
                                          ((l_3 <= j_1) && (j_1 <= h_3))) &&
                                         Swap{L1,
                                         L2}(a_4, i_2, j_1)) ==>
                                        Permut{L1,
                                        L2}(a_4, l_3, h_3)))))));
  
}

predicate Sorted{L}(intP[..] a_5, integer l_4, integer h_4) =
(\forall integer i_3;
  (\forall integer j_2;
    (((l_4 <= i_3) && ((i_3 <= j_2) && (j_2 < h_4))) ==>
      ((a_5 + i_3).intM <= (a_5 + j_2).intM))))

unit swap(intP[..] t_0, integer i, integer j)
  requires (_C_13 : (((_C_15 : (\offset_min(t_0) <= i)) &&
                       (_C_16 : (\offset_max(t_0) >= i))) &&
                      ((_C_18 : (\offset_min(t_0) <= j)) &&
                        (_C_19 : (\offset_max(t_0) >= j)))));
behavior default:
  assigns (t_0 + i).intM,
  (t_0 + j).intM;
  ensures (_C_12 : Swap{Old, Here}(\at(t_0,Old), \at(i,Old), \at(j,Old)));
{  
   (var integer tmp);
   
   {  (_C_3 : (tmp = (_C_2 : (_C_1 : (t_0 + i)).intM)));
      (_C_8 : ((_C_7 : (_C_6 : (t_0 + i)).intM) = (_C_5 : (_C_4 : (t_0 + j)).intM)));
      (_C_11 : ((_C_10 : (_C_9 : (t_0 + j)).intM) = tmp));
      
      (return ())
   }
}

unit sel_sort(intP[..] t, integer n_1)
  requires (_C_61 : ((_C_62 : (\offset_min(t) <= 0)) &&
                      (_C_63 : (\offset_max(t) >= (n_1 - 1)))));
behavior default:
  ensures (_C_58 : true);
behavior sorted:
  ensures (_C_59 : Sorted{Here}(\at(t,Old), 0, \at(n_1,Old)));
behavior permutation:
  ensures (_C_60 : Permut{Old, Here}(\at(t,Old), 0, (\at(n_1,Old) - 1)));
{  
   (var integer i_0);
   
   (var integer j_0);
   
   (var integer mi);
   
   (var integer mv);
   
   {  (if (n_1 <= 0) then 
      (goto return_label) else ());
      (_C_20 : (i_0 = 0));
      
      loop 
      behavior default:
        invariant (_C_26 : ((_C_27 : (0 <= i_0)) && (_C_28 : (i_0 < n_1))));
      behavior sorted:
        invariant (_C_23 : ((_C_24 : Sorted{Here}(t, 0, i_0)) &&
                             (_C_25 : (\forall integer k1;
                                        (\forall integer k2;
                                          (((0 <= k1) &&
                                             ((k1 < i_0) &&
                                               ((i_0 <= k2) && (k2 < n_1)))) ==>
                                            ((t + k1).intM <= (t + k2).intM)))))));
      behavior permutation:
        invariant (_C_22 : Permut{Pre, Here}(t, 0, (n_1 - 1)));
      variant (_C_21 : (n_1 - i_0));
      while (true)
      {  
         {  (if (i_0 < (_C_29 : (n_1 - 1))) then () else 
            (goto while_0_break));
            
            {  (_C_32 : (mv = (_C_31 : (_C_30 : (t + i_0)).intM)));
               (_C_33 : (mi = i_0));
               (_C_35 : (j_0 = (_C_34 : (i_0 + 1))));
               
               loop 
               behavior default:
                 invariant (_C_41 : ((_C_42 : (i_0 < j_0)) &&
                                      ((_C_44 : (i_0 <= mi)) &&
                                        (_C_45 : (mi < n_1)))));
               behavior sorted:
                 invariant (_C_38 : ((_C_39 : (mv == (t + mi).intM)) &&
                                      (_C_40 : (\forall integer k_0;
                                                 (((i_0 <= k_0) &&
                                                    (k_0 < j_0)) ==>
                                                   ((t + k_0).intM >= mv))))));
               behavior permutation:
                 invariant (_C_37 : Permut{Pre, Here}(t, 0, (n_1 - 1)));
               variant (_C_36 : (n_1 - j_0));
               while (true)
               {  
                  {  (if (j_0 < n_1) then () else 
                     (goto while_1_break));
                     
                     {  (if ((_C_51 : (_C_50 : (t + j_0)).intM) < mv) then 
                        {  (_C_46 : (mi = j_0));
                           (_C_49 : (mv = (_C_48 : (_C_47 : (t + j_0)).intM)))
                        } else ())
                     };
                     (_C_53 : (j_0 = (_C_52 : (j_0 + 1))))
                  }
               };
               (while_1_break : ());
               (L : (_C_54 : swap(t, i_0, mi)));
               
               {  
                  (assert for default: (_C_55 : (jessie : Permut{L,
                                                Here}(t, 0, (n_1 - 1)))));
                  ()
               }
            };
            (_C_57 : (i_0 = (_C_56 : (i_0 + 1))))
         }
      };
      (while_0_break : ());
      (return_label : 
      (return ()))
   }
}
========== file tests/c/selection_sort.jessie/selection_sort.cloc ==========
[_C_52]
file = "HOME/tests/c/selection_sort.c"
line = 81
begin = 23
end = 26

[_C_35]
file = "HOME/tests/c/selection_sort.c"
line = 81
begin = 11
end = 14

[sel_sort]
name = "Function sel_sort"
file = "HOME/tests/c/selection_sort.c"
line = 54
begin = 5
end = 13

[_C_56]
file = "HOME/tests/c/selection_sort.c"
line = 68
begin = 19
end = 22

[_C_28]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 31

[_C_59]
file = "HOME/tests/c/selection_sort.c"
line = 50
begin = 14
end = 27

[_C_48]
file = "HOME/tests/c/selection_sort.c"
line = 83
begin = 15
end = 19

[_C_51]
file = "HOME/tests/c/selection_sort.c"
line = 82
begin = 10
end = 14

[_C_31]
file = "HOME/tests/c/selection_sort.c"
line = 70
begin = 9
end = 13

[_C_41]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 23
end = 43

[_C_4]
file = "HOME/tests/c/selection_sort.c"
line = 44
begin = 9
end = 10

[_C_61]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 13
end = 34

[_C_32]
file = "HOME/tests/c/selection_sort.c"
line = 70
begin = 9
end = 13

[_C_23]
file = "HOME/tests/c/selection_sort.c"
line = 61
begin = 8
end = 111

[_C_19]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 28
end = 39

[_C_42]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 23
end = 28

[_C_13]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 13
end = 39

[_C_5]
file = "HOME/tests/c/selection_sort.c"
line = 44
begin = 9
end = 13

[_C_36]
file = "HOME/tests/c/selection_sort.c"
line = 79
begin = 21
end = 24

[_C_12]
file = "HOME/tests/c/selection_sort.c"
line = 40
begin = 12
end = 33

[_C_33]
file = "HOME/tests/c/selection_sort.c"
line = 70
begin = 20
end = 21

[_C_22]
file = "HOME/tests/c/selection_sort.c"
line = 65
begin = 22
end = 47

[_C_9]
file = "HOME/tests/c/selection_sort.c"
line = 45
begin = 2
end = 3

[_C_57]
file = "HOME/tests/c/selection_sort.c"
line = 68
begin = 19
end = 22

[_C_54]
file = "HOME/tests/c/selection_sort.c"
line = 87
begin = 4
end = 16

[_C_30]
file = "HOME/tests/c/selection_sort.c"
line = 70
begin = 9
end = 10

[_C_63]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 13
end = 34

[_C_6]
file = "HOME/tests/c/selection_sort.c"
line = 44
begin = 2
end = 3

[_C_49]
file = "HOME/tests/c/selection_sort.c"
line = 83
begin = 15
end = 19

[_C_24]
file = "HOME/tests/c/selection_sort.c"
line = 61
begin = 8
end = 21

[_C_45]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 37
end = 43

[_C_20]
file = "HOME/tests/c/selection_sort.c"
line = 68
begin = 9
end = 10

[_C_38]
file = "HOME/tests/c/selection_sort.c"
line = 74
begin = 11
end = 83

[_C_3]
file = "HOME/tests/c/selection_sort.c"
line = 43
begin = 2
end = 5

[_C_17]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 28
end = 39

[_C_7]
file = "HOME/tests/c/selection_sort.c"
line = 44
begin = 9
end = 13

[_C_62]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 13
end = 34

[_C_55]
file = "HOME/tests/c/selection_sort.c"
line = 88
begin = 15
end = 38

[_C_27]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 21
end = 27

[_C_46]
file = "HOME/tests/c/selection_sort.c"
line = 83
begin = 6
end = 7

[_C_44]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 32
end = 39

[_C_15]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 13
end = 24

[_C_26]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 21
end = 31

[_C_47]
file = "HOME/tests/c/selection_sort.c"
line = 83
begin = 15
end = 16

[_C_10]
file = "HOME/tests/c/selection_sort.c"
line = 45
begin = 9
end = 12

[_C_60]
file = "HOME/tests/c/selection_sort.c"
line = 52
begin = 14
end = 39

[_C_53]
file = "HOME/tests/c/selection_sort.c"
line = 81
begin = 23
end = 26

[_C_40]
file = "HOME/tests/c/selection_sort.c"
line = 75
begin = 11
end = 57

[_C_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[swap]
name = "Function swap"
file = "HOME/tests/c/selection_sort.c"
line = 42
begin = 5
end = 9

[_C_8]
file = "HOME/tests/c/selection_sort.c"
line = 44
begin = 9
end = 13

[_C_18]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 28
end = 39

[_C_29]
file = "HOME/tests/c/selection_sort.c"
line = 68
begin = 14
end = 17

[_C_14]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 13
end = 24

[_C_50]
file = "HOME/tests/c/selection_sort.c"
line = 82
begin = 10
end = 11

[_C_37]
file = "HOME/tests/c/selection_sort.c"
line = 78
begin = 10
end = 35

[_C_43]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 32
end = 43

[_C_2]
file = "HOME/tests/c/selection_sort.c"
line = 43
begin = 12
end = 16

[_C_34]
file = "HOME/tests/c/selection_sort.c"
line = 81
begin = 11
end = 14

[_C_16]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 13
end = 24

[_C_1]
file = "HOME/tests/c/selection_sort.c"
line = 43
begin = 12
end = 13

[_C_25]
file = "HOME/tests/c/selection_sort.c"
line = 62
begin = 8
end = 86

[_C_39]
file = "HOME/tests/c/selection_sort.c"
line = 74
begin = 11
end = 22

[_C_11]
file = "HOME/tests/c/selection_sort.c"
line = 45
begin = 9
end = 12

[_C_21]
file = "HOME/tests/c/selection_sort.c"
line = 66
begin = 19
end = 22

========== jessie execution ==========
Generating Why function swap
Generating Why function sel_sort
========== file tests/c/selection_sort.jessie/selection_sort.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs selection_sort.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs selection_sort.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/selection_sort_why.sx

project: why/selection_sort.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/selection_sort_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/selection_sort_why.vo

coq/selection_sort_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/selection_sort_why.v: why/selection_sort.why
	@echo 'why -coq [...] why/selection_sort.why' && $(WHY) $(JESSIELIBFILES) why/selection_sort.why && rm -f coq/jessie_why.v

coq-goals: goals coq/selection_sort_ctx_why.vo
	for f in why/*_po*.why; do make -f selection_sort.makefile coq/`basename $$f .why`_why.v ; done

coq/selection_sort_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/selection_sort_ctx_why.v: why/selection_sort_ctx.why
	@echo 'why -coq [...] why/selection_sort_ctx.why' && $(WHY) why/selection_sort_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export selection_sort_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/selection_sort_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/selection_sort_ctx_why.vo

pvs: pvs/selection_sort_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/selection_sort_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/selection_sort_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/selection_sort_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/selection_sort_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/selection_sort_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/selection_sort_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/selection_sort_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/selection_sort_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/selection_sort_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/selection_sort_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/selection_sort_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/selection_sort_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/selection_sort_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/selection_sort_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: selection_sort.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/selection_sort_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: selection_sort.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: selection_sort.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: selection_sort.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include selection_sort.depend

depend: coq/selection_sort_why.v
	-$(COQDEP) -I coq coq/selection_sort*_why.v > selection_sort.depend

clean:
	rm -f coq/*.vo

========== file tests/c/selection_sort.jessie/selection_sort.loc ==========
[JC_94]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 152
begin = 15
end = 1312

[JC_73]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 152
begin = 15
end = 1312

[JC_63]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 21
end = 31

[JC_80]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 31

[JC_51]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 23
end = 43

[JC_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_45]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 129
begin = 6
end = 2741

[JC_106]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 32
end = 39

[JC_113]
file = "HOME/tests/c/selection_sort.c"
line = 88
begin = 15
end = 38

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_99]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 31

[JC_85]
file = "HOME/tests/c/selection_sort.c"
line = 74
begin = 11
end = 22

[JC_31]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 13
end = 34

[JC_17]
file = "HOME/tests/c/selection_sort.c"
line = 42
begin = 5
end = 9

[JC_81]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 21
end = 31

[JC_55]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.c"
line = 82
begin = 10
end = 14

[JC_48]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 23
end = 28

[JC_23]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 100
begin = 15
end = 82

[JC_22]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.c"
line = 44
begin = 9
end = 13

[JC_5]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 13
end = 39

[JC_67]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 23
end = 28

[JC_9]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 28
end = 39

[JC_75]
file = "HOME/tests/c/selection_sort.c"
line = 88
begin = 15
end = 38

[JC_24]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 101
begin = 16
end = 55

[JC_25]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 13
end = 34

[JC_78]
file = "HOME/tests/c/selection_sort.c"
line = 61
begin = 8
end = 111

[JC_41]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 21
end = 27

[JC_74]
kind = UserCall
file = "HOME/tests/c/selection_sort.c"
line = 87
begin = 4
end = 16

[JC_47]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.c"
line = 70
begin = 9
end = 13

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 13
end = 34

[JC_8]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 13
end = 24

[JC_54]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 152
begin = 15
end = 1312

[JC_79]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 21
end = 27

[JC_13]
file = "HOME/tests/c/selection_sort.c"
line = 40
begin = 12
end = 33

[JC_82]
file = "HOME/"
line = 0
begin = -1
end = -1

[sel_sort_ensures_sorted]
name = "Function sel_sort"
behavior = "Behavior `sorted'"
file = "HOME/tests/c/selection_sort.c"
line = 54
begin = 5
end = 13

[JC_87]
file = "HOME/tests/c/selection_sort.c"
line = 74
begin = 11
end = 83

[JC_11]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 13
end = 39

[JC_98]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 21
end = 27

[JC_70]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 23
end = 43

[JC_15]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 92
begin = 9
end = 16

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_104]
file = "HOME/tests/c/selection_sort.c"
line = 78
begin = 10
end = 35

[JC_91]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 23
end = 43

[JC_39]
file = "HOME/tests/c/selection_sort.c"
line = 52
begin = 14
end = 39

[JC_112]
kind = UserCall
file = "HOME/tests/c/selection_sort.c"
line = 87
begin = 4
end = 16

[JC_40]
file = "HOME/tests/c/selection_sort.c"
line = 52
begin = 14
end = 39

[JC_83]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 129
begin = 6
end = 2741

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 13
end = 34

[JC_109]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_107]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 37
end = 43

[JC_69]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 37
end = 43

[JC_38]
file = "HOME/tests/c/selection_sort.c"
line = 50
begin = 14
end = 27

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 28
end = 39

[JC_62]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 31

[JC_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_88]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 23
end = 28

[JC_42]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 26
end = 31

[swap_ensures_default]
name = "Function swap"
behavior = "default behavior"
file = "HOME/tests/c/selection_sort.c"
line = 42
begin = 5
end = 9

[JC_110]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 152
begin = 15
end = 1312

[JC_103]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 129
begin = 6
end = 2741

[JC_46]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 129
begin = 6
end = 2741

[swap_safety]
name = "Function swap"
behavior = "Safety"
file = "HOME/tests/c/selection_sort.c"
line = 42
begin = 5
end = 9

[JC_61]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 21
end = 27

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.c"
line = 83
begin = 15
end = 19

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 129
begin = 6
end = 2741

[JC_105]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 23
end = 28

[JC_29]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 13
end = 34

[JC_68]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 32
end = 39

[JC_7]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 13
end = 24

[JC_16]
file = "HOME/tests/c/selection_sort.c"
line = 40
begin = 12
end = 33

[JC_96]
file = "HOME/tests/c/selection_sort.c"
line = 88
begin = 15
end = 38

[JC_43]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 21
end = 31

[JC_2]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 13
end = 24

[JC_95]
kind = UserCall
file = "HOME/tests/c/selection_sort.c"
line = 87
begin = 4
end = 16

[JC_93]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 152
begin = 15
end = 1312

[JC_97]
file = "HOME/tests/c/selection_sort.c"
line = 65
begin = 22
end = 47

[JC_84]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 129
begin = 6
end = 2741

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[sel_sort_ensures_default]
name = "Function sel_sort"
behavior = "default behavior"
file = "HOME/tests/c/selection_sort.c"
line = 54
begin = 5
end = 13

[JC_14]
file = "HOME/tests/c/selection_sort.c"
line = 42
begin = 5
end = 9

[JC_90]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 37
end = 43

[JC_53]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 152
begin = 15
end = 1312

[sel_sort_safety]
name = "Function sel_sort"
behavior = "Safety"
file = "HOME/tests/c/selection_sort.c"
line = 54
begin = 5
end = 13

[JC_21]
kind = PointerDeref
file = "HOME/tests/c/selection_sort.c"
line = 43
begin = 12
end = 16

[JC_111]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 152
begin = 15
end = 1312

[JC_77]
file = "HOME/tests/c/selection_sort.c"
line = 62
begin = 8
end = 86

[JC_49]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 32
end = 39

[JC_1]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 13
end = 24

[JC_102]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 129
begin = 6
end = 2741

[JC_37]
file = "HOME/tests/c/selection_sort.c"
line = 50
begin = 14
end = 27

[JC_10]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 28
end = 39

[JC_108]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 23
end = 43

[JC_57]
file = "HOME/tests/c/selection_sort.c"
line = 79
begin = 21
end = 24

[JC_89]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 32
end = 39

[JC_66]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 129
begin = 6
end = 2741

[JC_59]
file = "HOME/tests/c/selection_sort.c"
line = 88
begin = 15
end = 38

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 92
begin = 9
end = 16

[JC_3]
file = "HOME/tests/c/selection_sort.c"
line = 38
begin = 28
end = 39

[JC_92]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_86]
file = "HOME/tests/c/selection_sort.c"
line = 75
begin = 11
end = 57

[JC_60]
file = "HOME/tests/c/selection_sort.c"
line = 66
begin = 19
end = 22

[JC_72]
file = "HOME/tests/c/selection_sort.jessie/selection_sort.jc"
line = 152
begin = 15
end = 1312

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[sel_sort_ensures_permutation]
name = "Function sel_sort"
behavior = "Behavior `permutation'"
file = "HOME/tests/c/selection_sort.c"
line = 54
begin = 5
end = 13

[JC_76]
file = "HOME/tests/c/selection_sort.c"
line = 61
begin = 8
end = 21

[JC_50]
file = "HOME/tests/c/selection_sort.c"
line = 71
begin = 37
end = 43

[JC_30]
file = "HOME/tests/c/selection_sort.c"
line = 48
begin = 13
end = 34

[JC_58]
kind = UserCall
file = "HOME/tests/c/selection_sort.c"
line = 87
begin = 4
end = 16

[JC_100]
file = "HOME/tests/c/selection_sort.c"
line = 58
begin = 21
end = 31

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/selection_sort.jessie/why/selection_sort.why ==========
type charP

type intP

type padding

type unsigned_charP

type voidP

predicate Swap(a:intP pointer, i_1:int, j_0:int,
 intP_intM_a_1_at_L2:(intP, int) memory,
 intP_intM_a_1_at_L1:(intP, int) memory) =
 ((select(intP_intM_a_1_at_L1, shift(a, i_1)) = select(intP_intM_a_1_at_L2,
                                                shift(a, j_0)))
 and ((select(intP_intM_a_1_at_L1, shift(a, j_0)) = select(intP_intM_a_1_at_L2,
                                                    shift(a, i_1)))
     and (forall k:int.
          (((k <> i_1) and (k <> j_0)) ->
           (select(intP_intM_a_1_at_L1, shift(a, k)) = select(intP_intM_a_1_at_L2,
                                                       shift(a, k)))))))

inductive Permut: intP pointer, int, int, (intP, int) memory,
                  (intP, int) memory -> prop =
 | Permut_refl: (forall intP_intM_a_0_2_at_L:(intP, int) memory.
                 (forall a_1:intP pointer.
                  (forall l_0:int.
                   (forall h_0:int.
                    Permut(a_1, l_0, h_0, intP_intM_a_0_2_at_L,
                    intP_intM_a_0_2_at_L)))))
 | Permut_sym: (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                 (forall a_2:intP pointer.
                  (forall l_1:int.
                   (forall h_1:int.
                    (Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L2,
                     intP_intM_a_0_2_at_L1) ->
                     Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L1,
                     intP_intM_a_0_2_at_L2)))))))
 | Permut_trans: (forall intP_intM_a_0_2_at_L3:(intP, int) memory.
                  (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                   (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                    (forall a_3:intP pointer.
                     (forall l_2:int.
                      (forall h_2:int.
                       ((Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L2,
                         intP_intM_a_0_2_at_L1)
                        and Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
                            intP_intM_a_0_2_at_L2)) ->
                        Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
                        intP_intM_a_0_2_at_L1))))))))
 | Permut_swap: (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
                 (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
                  (forall a_4:intP pointer.
                   (forall l_3:int.
                    (forall h_3:int.
                     (forall i_2:int.
                      (forall j_1:int.
                       ((le_int(l_3, i_2)
                        and (le_int(i_2, h_3)
                            and (le_int(l_3, j_1)
                                and (le_int(j_1, h_3)
                                    and Swap(a_4, i_2, j_1,
                                        intP_intM_a_0_2_at_L2,
                                        intP_intM_a_0_2_at_L1))))) ->
                        Permut(a_4, l_3, h_3, intP_intM_a_0_2_at_L2,
                        intP_intM_a_0_2_at_L1)))))))))
 
predicate Sorted(a_5:intP pointer, l_4:int, h_4:int,
 intP_intM_a_5_3_at_L:(intP, int) memory) =
 (forall i_3:int.
  (forall j_2:int.
   ((le_int(l_4, i_3) and (le_int(i_3, j_2) and lt_int(j_2, h_4))) ->
    le_int(select(intP_intM_a_5_3_at_L, shift(a_5, i_3)),
    select(intP_intM_a_5_3_at_L, shift(a_5, j_2))))))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Goto_while_1_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter sel_sort :
 t:intP pointer ->
  n_1:int ->
   intP_intM_t_5:(intP, int) memory ref ->
    intP_t_5_alloc_table:intP alloc_table ->
     { } unit reads intP_intM_t_5 writes intP_intM_t_5
     { ((JC_40:
        Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5, intP_intM_t_5@))
       and (JC_38: Sorted(t, (0), n_1, intP_intM_t_5))) }

parameter sel_sort_requires :
 t:intP pointer ->
  n_1:int ->
   intP_intM_t_5:(intP, int) memory ref ->
    intP_t_5_alloc_table:intP alloc_table ->
     { (JC_27:
       ((JC_25: le_int(offset_min(intP_t_5_alloc_table, t), (0)))
       and (JC_26:
           ge_int(offset_max(intP_t_5_alloc_table, t), sub_int(n_1, (1))))))}
     unit reads intP_intM_t_5 writes intP_intM_t_5
     { ((JC_40:
        Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5, intP_intM_t_5@))
       and (JC_38: Sorted(t, (0), n_1, intP_intM_t_5))) }

parameter swap :
 t_0:intP pointer ->
  i:int ->
   j:int ->
    intP_intM_t_0_4:(intP, int) memory ref ->
     intP_t_0_4_alloc_table:intP alloc_table ->
      { } unit reads intP_intM_t_0_4 writes intP_intM_t_0_4
      { (JC_18:
        ((JC_16: Swap(t_0, i, j, intP_intM_t_0_4, intP_intM_t_0_4@))
        and (JC_17:
            not_assigns(intP_t_0_4_alloc_table, intP_intM_t_0_4@,
            intP_intM_t_0_4,
            pset_union(pset_range(pset_singleton(t_0), j, j),
            pset_range(pset_singleton(t_0), i, i)))))) }

parameter swap_requires :
 t_0:intP pointer ->
  i:int ->
   j:int ->
    intP_intM_t_0_4:(intP, int) memory ref ->
     intP_t_0_4_alloc_table:intP alloc_table ->
      { (JC_5:
        ((JC_1: le_int(offset_min(intP_t_0_4_alloc_table, t_0), i))
        and ((JC_2: ge_int(offset_max(intP_t_0_4_alloc_table, t_0), i))
            and ((JC_3: le_int(offset_min(intP_t_0_4_alloc_table, t_0), j))
                and (JC_4:
                    ge_int(offset_max(intP_t_0_4_alloc_table, t_0), j))))))}
      unit reads intP_intM_t_0_4 writes intP_intM_t_0_4
      { (JC_18:
        ((JC_16: Swap(t_0, i, j, intP_intM_t_0_4, intP_intM_t_0_4@))
        and (JC_17:
            not_assigns(intP_t_0_4_alloc_table, intP_intM_t_0_4@,
            intP_intM_t_0_4,
            pset_union(pset_range(pset_singleton(t_0), j, j),
            pset_range(pset_singleton(t_0), i, i)))))) }

let sel_sort_ensures_default =
 fun (t : intP pointer) (n_1 : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), (0)))
    and (JC_30:
        ge_int(offset_max(intP_t_5_alloc_table, t), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let i_0 = ref (any_int void) in
     (let j_0_0 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((le_int_ n_1) (0)) then (raise (Return_label_exc void))
           else void); (let _jessie_ = (i_0 := (0)) in void);
          (loop_3:
          begin
            while true do
            { invariant
                (JC_63:
                ((JC_61: le_int((0), i_0)) and (JC_62: lt_int(i_0, n_1)))) 
               }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !i_0) ((sub_int n_1) (1))) then void
                   else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     (let _jessie_ =
                     (mv := ((safe_acc_ !intP_intM_t_5) ((shift t) !i_0))) in
                     void); (let _jessie_ = (mi := !i_0) in void);
                    (let _jessie_ = (j_0_0 := ((add_int !i_0) (1))) in
                    void);
                    (loop_4:
                    begin
                      while true do
                      { invariant
                          (JC_70:
                          ((JC_67: lt_int(i_0, j_0_0))
                          and ((JC_68: le_int(i_0, mi))
                              and (JC_69: lt_int(mi, n_1)))))  }
                       begin
                         [ { } unit { true } ];
                        try
                         begin
                           (let _jessie_ =
                           begin
                             (if ((lt_int_ !j_0_0) n_1) then void
                             else (raise (Goto_while_1_break_exc void)));
                            (if ((lt_int_ ((safe_acc_ !intP_intM_t_5) 
                                           ((shift t) !j_0_0))) !mv)
                            then
                             (let _jessie_ =
                             begin
                               (let _jessie_ = (mi := !j_0_0) in void);
                              (mv := ((safe_acc_ !intP_intM_t_5) ((shift t) !j_0_0)));
                              !mv end in void) else void);
                            (j_0_0 := ((add_int !j_0_0) (1))); !j_0_0 end in
                           void); (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (while_1_break:
                   begin
                     void;
                    (L:
                    begin
                      (let _jessie_ = t in
                      (let _jessie_ = !i_0 in
                      (let _jessie_ = !mi in
                      (JC_74:
                      (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                     (assert
                     { (JC_75:
                       Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5,
                       intP_intM_t_5@L)) }; void); void end) end) end;
                  (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end)))); (raise Return) end with
   Return -> void end) { (JC_33: true) }

let sel_sort_ensures_permutation =
 fun (t : intP pointer) (n_1 : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), (0)))
    and (JC_30:
        ge_int(offset_max(intP_t_5_alloc_table, t), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let i_0 = ref (any_int void) in
     (let j_0_0 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((le_int_ n_1) (0)) then (raise (Return_label_exc void))
           else void); (let _jessie_ = (i_0 := (0)) in void);
          (loop_7:
          begin
            while true do
            { invariant
                (JC_97:
                Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5,
                intP_intM_t_5@init))  }
             begin
               [ { } unit reads i_0
                 { (JC_100:
                   ((JC_98: le_int((0), i_0)) and (JC_99: lt_int(i_0, n_1)))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !i_0) ((sub_int n_1) (1))) then void
                   else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     (let _jessie_ =
                     (mv := ((safe_acc_ !intP_intM_t_5) ((shift t) !i_0))) in
                     void); (let _jessie_ = (mi := !i_0) in void);
                    (let _jessie_ = (j_0_0 := ((add_int !i_0) (1))) in
                    void);
                    (loop_8:
                    begin
                      while true do
                      { invariant
                          (JC_104:
                          Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5,
                          intP_intM_t_5@init))  }
                       begin
                         [ { } unit reads i_0,j_0_0,mi
                           { (JC_108:
                             ((JC_105: lt_int(i_0, j_0_0))
                             and ((JC_106: le_int(i_0, mi))
                                 and (JC_107: lt_int(mi, n_1))))) } ];
                        try
                         begin
                           (let _jessie_ =
                           begin
                             (if ((lt_int_ !j_0_0) n_1) then void
                             else (raise (Goto_while_1_break_exc void)));
                            (if ((lt_int_ ((safe_acc_ !intP_intM_t_5) 
                                           ((shift t) !j_0_0))) !mv)
                            then
                             (let _jessie_ =
                             begin
                               (let _jessie_ = (mi := !j_0_0) in void);
                              (mv := ((safe_acc_ !intP_intM_t_5) ((shift t) !j_0_0)));
                              !mv end in void) else void);
                            (j_0_0 := ((add_int !j_0_0) (1))); !j_0_0 end in
                           void); (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (while_1_break:
                   begin
                     void;
                    (L:
                    begin
                      (let _jessie_ = t in
                      (let _jessie_ = !i_0 in
                      (let _jessie_ = !mi in
                      (JC_112:
                      (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                     [ { } unit reads intP_intM_t_5
                       { (JC_113:
                         Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5,
                         intP_intM_t_5@L)) } ]; void end) end) end;
                  (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end)))); (raise Return) end with
   Return -> void end)
  { (JC_39: Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5, intP_intM_t_5@)) }

let sel_sort_ensures_sorted =
 fun (t : intP pointer) (n_1 : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), (0)))
    and (JC_30:
        ge_int(offset_max(intP_t_5_alloc_table, t), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let i_0 = ref (any_int void) in
     (let j_0_0 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((le_int_ n_1) (0)) then (raise (Return_label_exc void))
           else void); (let _jessie_ = (i_0 := (0)) in void);
          (loop_5:
          begin
            while true do
            { invariant
                (JC_78:
                ((JC_76: Sorted(t, (0), i_0, intP_intM_t_5))
                and (JC_77:
                    (forall k1:int.
                     (forall k2:int.
                      ((le_int((0), k1)
                       and (lt_int(k1, i_0)
                           and (le_int(i_0, k2) and lt_int(k2, n_1)))) ->
                       le_int(select(intP_intM_t_5, shift(t, k1)),
                       select(intP_intM_t_5, shift(t, k2)))))))))  }
             begin
               [ { } unit reads i_0
                 { (JC_81:
                   ((JC_79: le_int((0), i_0)) and (JC_80: lt_int(i_0, n_1)))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !i_0) ((sub_int n_1) (1))) then void
                   else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     (let _jessie_ =
                     (mv := ((safe_acc_ !intP_intM_t_5) ((shift t) !i_0))) in
                     void); (let _jessie_ = (mi := !i_0) in void);
                    (let _jessie_ = (j_0_0 := ((add_int !i_0) (1))) in
                    void);
                    (loop_6:
                    begin
                      while true do
                      { invariant
                          (JC_87:
                          ((JC_85:
                           (mv = select(intP_intM_t_5, shift(t, mi))))
                          and (JC_86:
                              (forall k_0:int.
                               ((le_int(i_0, k_0) and lt_int(k_0, j_0_0)) ->
                                ge_int(select(intP_intM_t_5, shift(t, k_0)),
                                mv))))))  }
                       begin
                         [ { } unit reads i_0,j_0_0,mi
                           { (JC_91:
                             ((JC_88: lt_int(i_0, j_0_0))
                             and ((JC_89: le_int(i_0, mi))
                                 and (JC_90: lt_int(mi, n_1))))) } ];
                        try
                         begin
                           (let _jessie_ =
                           begin
                             (if ((lt_int_ !j_0_0) n_1) then void
                             else (raise (Goto_while_1_break_exc void)));
                            (if ((lt_int_ ((safe_acc_ !intP_intM_t_5) 
                                           ((shift t) !j_0_0))) !mv)
                            then
                             (let _jessie_ =
                             begin
                               (let _jessie_ = (mi := !j_0_0) in void);
                              (mv := ((safe_acc_ !intP_intM_t_5) ((shift t) !j_0_0)));
                              !mv end in void) else void);
                            (j_0_0 := ((add_int !j_0_0) (1))); !j_0_0 end in
                           void); (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (while_1_break:
                   begin
                     void;
                    (L:
                    begin
                      (let _jessie_ = t in
                      (let _jessie_ = !i_0 in
                      (let _jessie_ = !mi in
                      (JC_95:
                      (((((swap _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                     [ { } unit reads intP_intM_t_5
                       { (JC_96:
                         Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5,
                         intP_intM_t_5@L)) } ]; void end) end) end;
                  (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end)))); (raise Return) end with
   Return -> void end) { (JC_37: Sorted(t, (0), n_1, intP_intM_t_5)) }

let sel_sort_safety =
 fun (t : intP pointer) (n_1 : int) (intP_intM_t_5 : (intP, int) memory ref) (intP_t_5_alloc_table : intP alloc_table) ->
  { (JC_31:
    ((JC_29: le_int(offset_min(intP_t_5_alloc_table, t), (0)))
    and (JC_30:
        ge_int(offset_max(intP_t_5_alloc_table, t), sub_int(n_1, (1)))))) }
  (init:
  try
   begin
     (let i_0 = ref (any_int void) in
     (let j_0_0 = ref (any_int void) in
     (let mi = ref (any_int void) in
     (let mv = ref (any_int void) in
     try
      begin
        try
         begin
           (if ((le_int_ n_1) (0)) then (raise (Return_label_exc void))
           else void); (let _jessie_ = (i_0 := (0)) in void);
          (loop_1:
          begin
            while true do
            { invariant (JC_45: true) variant (JC_60 : sub_int(n_1, i_0)) }
             begin
               [ { } unit reads i_0
                 { (JC_43:
                   ((JC_41: le_int((0), i_0)) and (JC_42: lt_int(i_0, n_1)))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !i_0) ((sub_int n_1) (1))) then void
                   else (raise (Goto_while_0_break_exc void)));
                  try
                   begin
                     (let _jessie_ =
                     (mv := (JC_47:
                            ((((offset_acc_ intP_t_5_alloc_table) !intP_intM_t_5) t) !i_0))) in
                     void); (let _jessie_ = (mi := !i_0) in void);
                    (let _jessie_ = (j_0_0 := ((add_int !i_0) (1))) in
                    void);
                    (loop_2:
                    begin
                      while true do
                      { invariant (JC_53: true)
                        variant (JC_57 : sub_int(n_1, j_0_0)) }
                       begin
                         [ { } unit reads i_0,j_0_0,mi
                           { (JC_51:
                             ((JC_48: lt_int(i_0, j_0_0))
                             and ((JC_49: le_int(i_0, mi))
                                 and (JC_50: lt_int(mi, n_1))))) } ];
                        try
                         begin
                           (let _jessie_ =
                           begin
                             (if ((lt_int_ !j_0_0) n_1) then void
                             else (raise (Goto_while_1_break_exc void)));
                            (if ((lt_int_ (JC_55:
                                          ((((offset_acc_ intP_t_5_alloc_table) !intP_intM_t_5) t) !j_0_0))) !mv)
                            then
                             (let _jessie_ =
                             begin
                               (let _jessie_ = (mi := !j_0_0) in void);
                              (mv := (JC_56:
                                     ((((offset_acc_ intP_t_5_alloc_table) !intP_intM_t_5) t) !j_0_0)));
                              !mv end in void) else void);
                            (j_0_0 := ((add_int !j_0_0) (1))); !j_0_0 end in
                           void); (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (while_1_break:
                   begin
                     void;
                    (L:
                    begin
                      (let _jessie_ = t in
                      (let _jessie_ = !i_0 in
                      (let _jessie_ = !mi in
                      (JC_58:
                      (((((swap_requires _jessie_) _jessie_) _jessie_) intP_intM_t_5) intP_t_5_alloc_table)))));
                     [ { } unit reads intP_intM_t_5
                       { (JC_59:
                         Permut(t, (0), sub_int(n_1, (1)), intP_intM_t_5,
                         intP_intM_t_5@L)) } ]; void end) end) end;
                  (i_0 := ((add_int !i_0) (1))); !i_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: (raise Return)) end)))); (raise Return) end with
   Return -> void end) { true }

let swap_ensures_default =
 fun (t_0 : intP pointer) (i : int) (j : int) (intP_intM_t_0_4 : (intP, int) memory ref) (intP_t_0_4_alloc_table : intP alloc_table) ->
  { (JC_11:
    ((JC_7: le_int(offset_min(intP_t_0_4_alloc_table, t_0), i))
    and ((JC_8: ge_int(offset_max(intP_t_0_4_alloc_table, t_0), i))
        and ((JC_9: le_int(offset_min(intP_t_0_4_alloc_table, t_0), j))
            and (JC_10: ge_int(offset_max(intP_t_0_4_alloc_table, t_0), j)))))) }
  (init:
  try
   begin
     (let tmp = ref (any_int void) in
     begin
       (let _jessie_ =
       (tmp := ((safe_acc_ !intP_intM_t_0_4) ((shift t_0) i))) in void);
      (let _jessie_ =
      (let _jessie_ = ((safe_acc_ !intP_intM_t_0_4) ((shift t_0) j)) in
      (let _jessie_ = t_0 in
      (let _jessie_ = i in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ intP_intM_t_0_4) _jessie_) _jessie_))))) in void);
      (let _jessie_ =
      (let _jessie_ = !tmp in
      (let _jessie_ = t_0 in
      (let _jessie_ = j in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ intP_intM_t_0_4) _jessie_) _jessie_))))) in void);
      (raise Return) end); (raise Return) end with Return -> void end)
  { (JC_15:
    ((JC_13: Swap(t_0, i, j, intP_intM_t_0_4, intP_intM_t_0_4@))
    and (JC_14:
        not_assigns(intP_t_0_4_alloc_table, intP_intM_t_0_4@,
        intP_intM_t_0_4,
        pset_union(pset_range(pset_singleton(t_0), j, j),
        pset_range(pset_singleton(t_0), i, i)))))) }

let swap_safety =
 fun (t_0 : intP pointer) (i : int) (j : int) (intP_intM_t_0_4 : (intP, int) memory ref) (intP_t_0_4_alloc_table : intP alloc_table) ->
  { (JC_11:
    ((JC_7: le_int(offset_min(intP_t_0_4_alloc_table, t_0), i))
    and ((JC_8: ge_int(offset_max(intP_t_0_4_alloc_table, t_0), i))
        and ((JC_9: le_int(offset_min(intP_t_0_4_alloc_table, t_0), j))
            and (JC_10: ge_int(offset_max(intP_t_0_4_alloc_table, t_0), j)))))) }
  (init:
  try
   begin
     (let tmp = ref (any_int void) in
     begin
       (let _jessie_ =
       (tmp := (JC_21:
               ((((offset_acc_ intP_t_0_4_alloc_table) !intP_intM_t_0_4) t_0) i))) in
       void);
      (let _jessie_ =
      (let _jessie_ =
      (JC_22:
      ((((offset_acc_ intP_t_0_4_alloc_table) !intP_intM_t_0_4) t_0) j)) in
      (let _jessie_ = t_0 in
      (let _jessie_ = i in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_23:
      (((((offset_upd_ intP_t_0_4_alloc_table) intP_intM_t_0_4) _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (let _jessie_ = !tmp in
      (let _jessie_ = t_0 in
      (let _jessie_ = j in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_24:
      (((((offset_upd_ intP_t_0_4_alloc_table) intP_intM_t_0_4) _jessie_) _jessie_) _jessie_)))))) in
      void); (raise Return) end); (raise Return) end with Return -> void end)
  { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/selection_sort.why
========== file tests/c/selection_sort.jessie/why/selection_sort_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type intP

type padding

type unsigned_charP

type voidP

predicate Swap(a: intP pointer, i_1: int, j_0: int,
  intP_intM_a_1_at_L2: (intP, int) memory, intP_intM_a_1_at_L1: (intP,
  int) memory) =
  ((select(intP_intM_a_1_at_L1, shift(a, i_1)) = select(intP_intM_a_1_at_L2,
   shift(a, j_0))) and
   ((select(intP_intM_a_1_at_L1, shift(a, j_0)) = select(intP_intM_a_1_at_L2,
    shift(a, i_1))) and
    (forall k:int.
      (((k <> i_1) and (k <> j_0)) -> (select(intP_intM_a_1_at_L1, shift(a,
       k)) = select(intP_intM_a_1_at_L2, shift(a, k)))))))

logic Permut : intP pointer, int, int, (intP, int) memory, (intP,
int) memory -> prop

axiom Permut_inversion:
  (forall aux_1:intP pointer.
    (forall aux_2:int.
      (forall aux_3:int.
        (forall aux_4:(intP, int) memory.
          (forall aux_5:(intP, int) memory [Permut(aux_1, aux_2, aux_3,
            aux_4, aux_5)].
            (Permut(aux_1, aux_2, aux_3, aux_4, aux_5) ->
             ((exists intP_intM_a_0_2_at_L:(intP, int) memory.
                (exists a_1:intP pointer.
                  (exists l_0:int.
                    (exists h_0:int.
                      ((aux_1 = a_1) and
                       ((aux_2 = l_0) and
                        ((aux_3 = h_0) and
                         ((aux_4 = intP_intM_a_0_2_at_L) and
                          (aux_5 = intP_intM_a_0_2_at_L))))))))) or
              ((exists intP_intM_a_0_2_at_L2:(intP, int) memory.
                 (exists intP_intM_a_0_2_at_L1:(intP, int) memory.
                   (exists a_2:intP pointer.
                     (exists l_1:int.
                       (exists h_1:int.
                         (Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L2,
                          intP_intM_a_0_2_at_L1) and
                          ((aux_1 = a_2) and
                           ((aux_2 = l_1) and
                            ((aux_3 = h_1) and
                             ((aux_4 = intP_intM_a_0_2_at_L1) and
                              (aux_5 = intP_intM_a_0_2_at_L2))))))))))) or
               ((exists intP_intM_a_0_2_at_L3:(intP, int) memory.
                  (exists intP_intM_a_0_2_at_L2:(intP, int) memory.
                    (exists intP_intM_a_0_2_at_L1:(intP, int) memory.
                      (exists a_3:intP pointer.
                        (exists l_2:int.
                          (exists h_2:int.
                            ((Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L2,
                              intP_intM_a_0_2_at_L1) and Permut(a_3, l_2,
                              h_2, intP_intM_a_0_2_at_L3,
                              intP_intM_a_0_2_at_L2)) and
                             ((aux_1 = a_3) and
                              ((aux_2 = l_2) and
                               ((aux_3 = h_2) and
                                ((aux_4 = intP_intM_a_0_2_at_L3) and
                                 (aux_5 = intP_intM_a_0_2_at_L1)))))))))))) or
                (exists intP_intM_a_0_2_at_L2:(intP, int) memory.
                  (exists intP_intM_a_0_2_at_L1:(intP, int) memory.
                    (exists a_4:intP pointer.
                      (exists l_3:int.
                        (exists h_3:int.
                          (exists i_2:int.
                            (exists j_1:int.
                              (((l_3 <= i_2) and
                                ((i_2 <= h_3) and
                                 ((l_3 <= j_1) and
                                  ((j_1 <= h_3) and Swap(a_4, i_2, j_1,
                                   intP_intM_a_0_2_at_L2,
                                   intP_intM_a_0_2_at_L1))))) and
                               ((aux_1 = a_4) and
                                ((aux_2 = l_3) and
                                 ((aux_3 = h_3) and
                                  ((aux_4 = intP_intM_a_0_2_at_L2) and
                                   (aux_5 = intP_intM_a_0_2_at_L1))))))))))))))))))))))

axiom Permut_refl:
  (forall intP_intM_a_0_2_at_L:(intP, int) memory.
    (forall a_1:intP pointer.
      (forall l_0:int.
        (forall h_0:int. Permut(a_1, l_0, h_0, intP_intM_a_0_2_at_L,
          intP_intM_a_0_2_at_L)))))

axiom Permut_sym:
  (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
    (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
      (forall a_2:intP pointer.
        (forall l_1:int.
          (forall h_1:int.
            (Permut(a_2, l_1, h_1, intP_intM_a_0_2_at_L2,
             intP_intM_a_0_2_at_L1) -> Permut(a_2, l_1, h_1,
             intP_intM_a_0_2_at_L1, intP_intM_a_0_2_at_L2)))))))

axiom Permut_trans:
  (forall intP_intM_a_0_2_at_L3:(intP, int) memory.
    (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
      (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
        (forall a_3:intP pointer.
          (forall l_2:int.
            (forall h_2:int.
              ((Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L2,
                intP_intM_a_0_2_at_L1) and Permut(a_3, l_2, h_2,
                intP_intM_a_0_2_at_L3, intP_intM_a_0_2_at_L2)) ->
               Permut(a_3, l_2, h_2, intP_intM_a_0_2_at_L3,
               intP_intM_a_0_2_at_L1))))))))

axiom Permut_swap:
  (forall intP_intM_a_0_2_at_L2:(intP, int) memory.
    (forall intP_intM_a_0_2_at_L1:(intP, int) memory.
      (forall a_4:intP pointer.
        (forall l_3:int.
          (forall h_3:int.
            (forall i_2:int.
              (forall j_1:int.
                (((l_3 <= i_2) and
                  ((i_2 <= h_3) and
                   ((l_3 <= j_1) and
                    ((j_1 <= h_3) and Swap(a_4, i_2, j_1,
                     intP_intM_a_0_2_at_L2, intP_intM_a_0_2_at_L1))))) ->
                 Permut(a_4, l_3, h_3, intP_intM_a_0_2_at_L2,
                 intP_intM_a_0_2_at_L1)))))))))

predicate Sorted(a_5: intP pointer, l_4: int, h_4: int,
  intP_intM_a_5_3_at_L: (intP, int) memory) =
  (forall i_3:int.
    (forall j_2:int.
      (((l_4 <= i_3) and ((i_3 <= j_2) and (j_2 < h_4))) ->
       (select(intP_intM_a_5_3_at_L, shift(a_5,
       i_3)) <= select(intP_intM_a_5_3_at_L, shift(a_5, j_2))))))

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic intP_tag : intP tag_id

axiom intP_int: (int_of_tag(intP_tag) = 1)

logic intP_of_pointer_address : unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr:
  (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom: parenttag(intP_tag, bottom_tag)

axiom intP_tags:
  (forall x:intP pointer.
    (forall intP_tag_table:intP tag_table. instanceof(intP_tag_table, x,
      intP_tag)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_intP(p: intP pointer, a: int,
  intP_alloc_table: intP alloc_table) = (offset_min(intP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_intP(p: intP pointer, b: int,
  intP_alloc_table: intP alloc_table) = (offset_max(intP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal sel_sort_ensures_default_po_1:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  ("JC_63": ("JC_61": (0 <= i_0)))

goal sel_sort_ensures_default_po_2:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  ("JC_63": ("JC_62": (i_0 < n_1)))

goal sel_sort_ensures_default_po_3:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_63": (("JC_61": (0 <= i_0_0)) and ("JC_62": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  ("JC_70": ("JC_67": (i_0_0 < j_0_0)))

goal sel_sort_ensures_default_po_4:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_63": (("JC_61": (0 <= i_0_0)) and ("JC_62": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  ("JC_70": ("JC_68": (i_0_0 <= mi)))

goal sel_sort_ensures_default_po_5:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_63": (("JC_61": (0 <= i_0_0)) and ("JC_62": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  ("JC_70": ("JC_69": (mi < n_1)))

goal sel_sort_ensures_default_po_6:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_63": (("JC_61": (0 <= i_0_0)) and ("JC_62": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_70":
  (("JC_67": (i_0_0 < j_0_0_0)) and
   (("JC_68": (i_0_0 <= mi0)) and ("JC_69": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  (result0 < mv0) ->
  forall mi1:int.
  (mi1 = j_0_0_0) ->
  forall result1:int.
  (result1 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  forall mv1:int.
  (mv1 = result1) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  ("JC_70": ("JC_67": (i_0_0 < j_0_0_1)))

goal sel_sort_ensures_default_po_7:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_63": (("JC_61": (0 <= i_0_0)) and ("JC_62": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_70":
  (("JC_67": (i_0_0 < j_0_0_0)) and
   (("JC_68": (i_0_0 <= mi0)) and ("JC_69": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  (result0 < mv0) ->
  forall mi1:int.
  (mi1 = j_0_0_0) ->
  forall result1:int.
  (result1 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  forall mv1:int.
  (mv1 = result1) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  ("JC_70": ("JC_68": (i_0_0 <= mi1)))

goal sel_sort_ensures_default_po_8:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_63": (("JC_61": (0 <= i_0_0)) and ("JC_62": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_70":
  (("JC_67": (i_0_0 < j_0_0_0)) and
   (("JC_68": (i_0_0 <= mi0)) and ("JC_69": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  (result0 < mv0) ->
  forall mi1:int.
  (mi1 = j_0_0_0) ->
  forall result1:int.
  (result1 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  forall mv1:int.
  (mv1 = result1) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  ("JC_70": ("JC_69": (mi1 < n_1)))

goal sel_sort_ensures_default_po_9:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_63": (("JC_61": (0 <= i_0_0)) and ("JC_62": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_70":
  (("JC_67": (i_0_0 < j_0_0_0)) and
   (("JC_68": (i_0_0 <= mi0)) and ("JC_69": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  (result0 >= mv0) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  ("JC_70": ("JC_67": (i_0_0 < j_0_0_1)))

goal sel_sort_ensures_default_po_10:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_63": (("JC_61": (0 <= i_0_0)) and ("JC_62": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_70":
  (("JC_67": (i_0_0 < j_0_0_0)) and
   (("JC_68": (i_0_0 <= mi0)) and ("JC_69": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  (result0 >= mv0) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  ("JC_70": ("JC_68": (i_0_0 <= mi0)))

goal sel_sort_ensures_default_po_11:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_63": (("JC_61": (0 <= i_0_0)) and ("JC_62": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_70":
  (("JC_67": (i_0_0 < j_0_0_0)) and
   (("JC_68": (i_0_0 <= mi0)) and ("JC_69": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  (result0 >= mv0) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  ("JC_70": ("JC_69": (mi0 < n_1)))

goal sel_sort_ensures_default_po_12:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_63": (("JC_61": (0 <= i_0_0)) and ("JC_62": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  ("JC_70":
  (("JC_67": (i_0_0 < j_0_0_0)) and
   (("JC_68": (i_0_0 <= mi0)) and ("JC_69": (mi0 < n_1))))) ->
  (j_0_0_0 >= n_1) ->
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, mi0, intP_intM_t_5_0, intP_intM_t_5)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_union(pset_range(pset_singleton(t), mi0, mi0),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_75": Permut(t, 0, (n_1 - 1), intP_intM_t_5_0, intP_intM_t_5))

goal sel_sort_ensures_default_po_13:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_63": (("JC_61": (0 <= i_0_0)) and ("JC_62": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  ("JC_70":
  (("JC_67": (i_0_0 < j_0_0_0)) and
   (("JC_68": (i_0_0 <= mi0)) and ("JC_69": (mi0 < n_1))))) ->
  (j_0_0_0 >= n_1) ->
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, mi0, intP_intM_t_5_0, intP_intM_t_5)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_union(pset_range(pset_singleton(t), mi0, mi0),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_75": Permut(t, 0, (n_1 - 1), intP_intM_t_5_0, intP_intM_t_5)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_63": ("JC_61": (0 <= i_0_1)))

goal sel_sort_ensures_default_po_14:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_63": (("JC_61": (0 <= i_0_0)) and ("JC_62": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  ("JC_70":
  (("JC_67": (i_0_0 < j_0_0_0)) and
   (("JC_68": (i_0_0 <= mi0)) and ("JC_69": (mi0 < n_1))))) ->
  (j_0_0_0 >= n_1) ->
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, mi0, intP_intM_t_5_0, intP_intM_t_5)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_union(pset_range(pset_singleton(t), mi0, mi0),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_75": Permut(t, 0, (n_1 - 1), intP_intM_t_5_0, intP_intM_t_5)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_63": ("JC_62": (i_0_1 < n_1)))

goal sel_sort_ensures_permutation_po_1:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 <= 0) ->
  ("JC_39": Permut(t, 0, (n_1 - 1), intP_intM_t_5, intP_intM_t_5))

goal sel_sort_ensures_permutation_po_2:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  ("JC_97": Permut(t, 0, (n_1 - 1), intP_intM_t_5, intP_intM_t_5))

goal sel_sort_ensures_permutation_po_3:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_97": Permut(t, 0, (n_1 - 1), intP_intM_t_5_0, intP_intM_t_5)) ->
  ("JC_100": (("JC_98": (0 <= i_0_0)) and ("JC_99": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  ("JC_104": Permut(t, 0, (n_1 - 1), intP_intM_t_5_0, intP_intM_t_5)) ->
  ("JC_108":
  (("JC_105": (i_0_0 < j_0_0_0)) and
   (("JC_106": (i_0_0 <= mi0)) and ("JC_107": (mi0 < n_1))))) ->
  (j_0_0_0 >= n_1) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, mi0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), mi0, mi0),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_113": Permut(t, 0, (n_1 - 1), intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_97": Permut(t, 0, (n_1 - 1), intP_intM_t_5_1, intP_intM_t_5))

goal sel_sort_ensures_sorted_po_1:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 <= 0) ->
  ("JC_37": Sorted(t, 0, n_1, intP_intM_t_5))

goal sel_sort_ensures_sorted_po_2:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  ("JC_78": ("JC_76": Sorted(t, 0, i_0, intP_intM_t_5)))

goal sel_sort_ensures_sorted_po_3:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and ((k1 < i_0) and ((i_0 <= k2) and (k2 < n_1)))) ->
  ("JC_78":
  ("JC_77": (select(intP_intM_t_5, shift(t, k1)) <= select(intP_intM_t_5,
  shift(t, k2)))))

goal sel_sort_ensures_sorted_po_4:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_78":
  (("JC_76": Sorted(t, 0, i_0_0, intP_intM_t_5_0)) and
   ("JC_77":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and ((k1 < i_0_0) and ((i_0_0 <= k2) and (k2 < n_1)))) ->
        (select(intP_intM_t_5_0, shift(t, k1)) <= select(intP_intM_t_5_0,
        shift(t, k2))))))))) ->
  ("JC_81": (("JC_79": (0 <= i_0_0)) and ("JC_80": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  ("JC_87": ("JC_85": (mv = select(intP_intM_t_5_0, shift(t, mi)))))

goal sel_sort_ensures_sorted_po_5:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_78":
  (("JC_76": Sorted(t, 0, i_0_0, intP_intM_t_5_0)) and
   ("JC_77":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and ((k1 < i_0_0) and ((i_0_0 <= k2) and (k2 < n_1)))) ->
        (select(intP_intM_t_5_0, shift(t, k1)) <= select(intP_intM_t_5_0,
        shift(t, k2))))))))) ->
  ("JC_81": (("JC_79": (0 <= i_0_0)) and ("JC_80": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall k_0:int.
  ((i_0_0 <= k_0) and (k_0 < j_0_0)) ->
  ("JC_87": ("JC_86": (select(intP_intM_t_5_0, shift(t, k_0)) >= mv)))

goal sel_sort_ensures_sorted_po_6:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_78":
  (("JC_76": Sorted(t, 0, i_0_0, intP_intM_t_5_0)) and
   ("JC_77":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and ((k1 < i_0_0) and ((i_0_0 <= k2) and (k2 < n_1)))) ->
        (select(intP_intM_t_5_0, shift(t, k1)) <= select(intP_intM_t_5_0,
        shift(t, k2))))))))) ->
  ("JC_81": (("JC_79": (0 <= i_0_0)) and ("JC_80": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_87":
  (("JC_85": (mv0 = select(intP_intM_t_5_0, shift(t, mi0)))) and
   ("JC_86":
   (forall k_0:int.
     (((i_0_0 <= k_0) and (k_0 < j_0_0_0)) -> (select(intP_intM_t_5_0,
      shift(t, k_0)) >= mv0)))))) ->
  ("JC_91":
  (("JC_88": (i_0_0 < j_0_0_0)) and
   (("JC_89": (i_0_0 <= mi0)) and ("JC_90": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, j_0_0_0))) ->
  (result0 < mv0) ->
  forall mi1:int.
  (mi1 = j_0_0_0) ->
  forall result1:int.
  (result1 = select(intP_intM_t_5_0, shift(t, j_0_0_0))) ->
  forall mv1:int.
  (mv1 = result1) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  ("JC_87": ("JC_85": (mv1 = select(intP_intM_t_5_0, shift(t, mi1)))))

goal sel_sort_ensures_sorted_po_7:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_78":
  (("JC_76": Sorted(t, 0, i_0_0, intP_intM_t_5_0)) and
   ("JC_77":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and ((k1 < i_0_0) and ((i_0_0 <= k2) and (k2 < n_1)))) ->
        (select(intP_intM_t_5_0, shift(t, k1)) <= select(intP_intM_t_5_0,
        shift(t, k2))))))))) ->
  ("JC_81": (("JC_79": (0 <= i_0_0)) and ("JC_80": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_87":
  (("JC_85": (mv0 = select(intP_intM_t_5_0, shift(t, mi0)))) and
   ("JC_86":
   (forall k_0:int.
     (((i_0_0 <= k_0) and (k_0 < j_0_0_0)) -> (select(intP_intM_t_5_0,
      shift(t, k_0)) >= mv0)))))) ->
  ("JC_91":
  (("JC_88": (i_0_0 < j_0_0_0)) and
   (("JC_89": (i_0_0 <= mi0)) and ("JC_90": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, j_0_0_0))) ->
  (result0 < mv0) ->
  forall mi1:int.
  (mi1 = j_0_0_0) ->
  forall result1:int.
  (result1 = select(intP_intM_t_5_0, shift(t, j_0_0_0))) ->
  forall mv1:int.
  (mv1 = result1) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  forall k_0:int.
  ((i_0_0 <= k_0) and (k_0 < j_0_0_1)) ->
  ("JC_87": ("JC_86": (select(intP_intM_t_5_0, shift(t, k_0)) >= mv1)))

goal sel_sort_ensures_sorted_po_8:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_78":
  (("JC_76": Sorted(t, 0, i_0_0, intP_intM_t_5_0)) and
   ("JC_77":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and ((k1 < i_0_0) and ((i_0_0 <= k2) and (k2 < n_1)))) ->
        (select(intP_intM_t_5_0, shift(t, k1)) <= select(intP_intM_t_5_0,
        shift(t, k2))))))))) ->
  ("JC_81": (("JC_79": (0 <= i_0_0)) and ("JC_80": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_87":
  (("JC_85": (mv0 = select(intP_intM_t_5_0, shift(t, mi0)))) and
   ("JC_86":
   (forall k_0:int.
     (((i_0_0 <= k_0) and (k_0 < j_0_0_0)) -> (select(intP_intM_t_5_0,
      shift(t, k_0)) >= mv0)))))) ->
  ("JC_91":
  (("JC_88": (i_0_0 < j_0_0_0)) and
   (("JC_89": (i_0_0 <= mi0)) and ("JC_90": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5_0, shift(t, j_0_0_0))) ->
  (result0 >= mv0) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  forall k_0:int.
  ((i_0_0 <= k_0) and (k_0 < j_0_0_1)) ->
  ("JC_87": ("JC_86": (select(intP_intM_t_5_0, shift(t, k_0)) >= mv0)))

goal sel_sort_ensures_sorted_po_9:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_78":
  (("JC_76": Sorted(t, 0, i_0_0, intP_intM_t_5_0)) and
   ("JC_77":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and ((k1 < i_0_0) and ((i_0_0 <= k2) and (k2 < n_1)))) ->
        (select(intP_intM_t_5_0, shift(t, k1)) <= select(intP_intM_t_5_0,
        shift(t, k2))))))))) ->
  ("JC_81": (("JC_79": (0 <= i_0_0)) and ("JC_80": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_87":
  (("JC_85": (mv0 = select(intP_intM_t_5_0, shift(t, mi0)))) and
   ("JC_86":
   (forall k_0:int.
     (((i_0_0 <= k_0) and (k_0 < j_0_0_0)) -> (select(intP_intM_t_5_0,
      shift(t, k_0)) >= mv0)))))) ->
  ("JC_91":
  (("JC_88": (i_0_0 < j_0_0_0)) and
   (("JC_89": (i_0_0 <= mi0)) and ("JC_90": (mi0 < n_1))))) ->
  (j_0_0_0 >= n_1) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, mi0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), mi0, mi0),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_96": Permut(t, 0, (n_1 - 1), intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  ("JC_78": ("JC_76": Sorted(t, 0, i_0_1, intP_intM_t_5_1)))

goal sel_sort_ensures_sorted_po_10:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_78":
  (("JC_76": Sorted(t, 0, i_0_0, intP_intM_t_5_0)) and
   ("JC_77":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and ((k1 < i_0_0) and ((i_0_0 <= k2) and (k2 < n_1)))) ->
        (select(intP_intM_t_5_0, shift(t, k1)) <= select(intP_intM_t_5_0,
        shift(t, k2))))))))) ->
  ("JC_81": (("JC_79": (0 <= i_0_0)) and ("JC_80": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  forall result:int.
  (result = select(intP_intM_t_5_0, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_87":
  (("JC_85": (mv0 = select(intP_intM_t_5_0, shift(t, mi0)))) and
   ("JC_86":
   (forall k_0:int.
     (((i_0_0 <= k_0) and (k_0 < j_0_0_0)) -> (select(intP_intM_t_5_0,
      shift(t, k_0)) >= mv0)))))) ->
  ("JC_91":
  (("JC_88": (i_0_0 < j_0_0_0)) and
   (("JC_89": (i_0_0 <= mi0)) and ("JC_90": (mi0 < n_1))))) ->
  (j_0_0_0 >= n_1) ->
  forall intP_intM_t_5_1:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, mi0, intP_intM_t_5_1, intP_intM_t_5_0)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5_0,
   intP_intM_t_5_1, pset_union(pset_range(pset_singleton(t), mi0, mi0),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_96": Permut(t, 0, (n_1 - 1), intP_intM_t_5_1, intP_intM_t_5_0)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  forall k1:int.
  forall k2:int.
  ((0 <= k1) and ((k1 < i_0_1) and ((i_0_1 <= k2) and (k2 < n_1)))) ->
  ("JC_78":
  ("JC_77": (select(intP_intM_t_5_1, shift(t, k1)) <= select(intP_intM_t_5_1,
  shift(t, k2)))))

goal sel_sort_ensures_sorted_po_11:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_78":
  (("JC_76": Sorted(t, 0, i_0_0, intP_intM_t_5_0)) and
   ("JC_77":
   (forall k1:int.
     (forall k2:int.
       (((0 <= k1) and ((k1 < i_0_0) and ((i_0_0 <= k2) and (k2 < n_1)))) ->
        (select(intP_intM_t_5_0, shift(t, k1)) <= select(intP_intM_t_5_0,
        shift(t, k2))))))))) ->
  ("JC_81": (("JC_79": (0 <= i_0_0)) and ("JC_80": (i_0_0 < n_1)))) ->
  (i_0_0 >= (n_1 - 1)) ->
  ("JC_37": Sorted(t, 0, n_1, intP_intM_t_5_0))

goal sel_sort_safety_po_1:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  (offset_min(intP_t_5_alloc_table, t) <= i_0_0)

goal sel_sort_safety_po_2:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  (i_0_0 <= offset_max(intP_t_5_alloc_table, t))

goal sel_sort_safety_po_3:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  ("JC_53": true) ->
  ("JC_51":
  (("JC_48": (i_0_0 < j_0_0_0)) and
   (("JC_49": (i_0_0 <= mi0)) and ("JC_50": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  (offset_min(intP_t_5_alloc_table, t) <= j_0_0_0)

goal sel_sort_safety_po_4:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  ("JC_53": true) ->
  ("JC_51":
  (("JC_48": (i_0_0 < j_0_0_0)) and
   (("JC_49": (i_0_0 <= mi0)) and ("JC_50": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  (j_0_0_0 <= offset_max(intP_t_5_alloc_table, t))

goal sel_sort_safety_po_5:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_53": true) ->
  ("JC_51":
  (("JC_48": (i_0_0 < j_0_0_0)) and
   (("JC_49": (i_0_0 <= mi0)) and ("JC_50": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  ((offset_min(intP_t_5_alloc_table, t) <= j_0_0_0) and
   (j_0_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  (result0 < mv0) ->
  forall mi1:int.
  (mi1 = j_0_0_0) ->
  ((offset_min(intP_t_5_alloc_table, t) <= j_0_0_0) and
   (j_0_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result1:int.
  (result1 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  forall mv1:int.
  (mv1 = result1) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  (0 <= ("JC_57": (n_1 - j_0_0_0)))

goal sel_sort_safety_po_6:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_53": true) ->
  ("JC_51":
  (("JC_48": (i_0_0 < j_0_0_0)) and
   (("JC_49": (i_0_0 <= mi0)) and ("JC_50": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  ((offset_min(intP_t_5_alloc_table, t) <= j_0_0_0) and
   (j_0_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  (result0 < mv0) ->
  forall mi1:int.
  (mi1 = j_0_0_0) ->
  ((offset_min(intP_t_5_alloc_table, t) <= j_0_0_0) and
   (j_0_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result1:int.
  (result1 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  forall mv1:int.
  (mv1 = result1) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  (("JC_57": (n_1 - j_0_0_1)) < ("JC_57": (n_1 - j_0_0_0)))

goal sel_sort_safety_po_7:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_53": true) ->
  ("JC_51":
  (("JC_48": (i_0_0 < j_0_0_0)) and
   (("JC_49": (i_0_0 <= mi0)) and ("JC_50": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  ((offset_min(intP_t_5_alloc_table, t) <= j_0_0_0) and
   (j_0_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  (result0 >= mv0) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  (0 <= ("JC_57": (n_1 - j_0_0_0)))

goal sel_sort_safety_po_8:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  forall mv0:int.
  ("JC_53": true) ->
  ("JC_51":
  (("JC_48": (i_0_0 < j_0_0_0)) and
   (("JC_49": (i_0_0 <= mi0)) and ("JC_50": (mi0 < n_1))))) ->
  (j_0_0_0 < n_1) ->
  ((offset_min(intP_t_5_alloc_table, t) <= j_0_0_0) and
   (j_0_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result0:int.
  (result0 = select(intP_intM_t_5, shift(t, j_0_0_0))) ->
  (result0 >= mv0) ->
  forall j_0_0_1:int.
  (j_0_0_1 = (j_0_0_0 + 1)) ->
  (("JC_57": (n_1 - j_0_0_1)) < ("JC_57": (n_1 - j_0_0_0)))

goal sel_sort_safety_po_9:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  ("JC_53": true) ->
  ("JC_51":
  (("JC_48": (i_0_0 < j_0_0_0)) and
   (("JC_49": (i_0_0 <= mi0)) and ("JC_50": (mi0 < n_1))))) ->
  (j_0_0_0 >= n_1) ->
  ("JC_5": ("JC_2": (offset_max(intP_t_5_alloc_table, t) >= i_0_0)))

goal sel_sort_safety_po_10:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  ("JC_53": true) ->
  ("JC_51":
  (("JC_48": (i_0_0 < j_0_0_0)) and
   (("JC_49": (i_0_0 <= mi0)) and ("JC_50": (mi0 < n_1))))) ->
  (j_0_0_0 >= n_1) ->
  ("JC_5": ("JC_3": (offset_min(intP_t_5_alloc_table, t) <= mi0)))

goal sel_sort_safety_po_11:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  ("JC_53": true) ->
  ("JC_51":
  (("JC_48": (i_0_0 < j_0_0_0)) and
   (("JC_49": (i_0_0 <= mi0)) and ("JC_50": (mi0 < n_1))))) ->
  (j_0_0_0 >= n_1) ->
  ("JC_5": ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= mi0)))

goal sel_sort_safety_po_12:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  ("JC_53": true) ->
  ("JC_51":
  (("JC_48": (i_0_0 < j_0_0_0)) and
   (("JC_49": (i_0_0 <= mi0)) and ("JC_50": (mi0 < n_1))))) ->
  (j_0_0_0 >= n_1) ->
  ("JC_5":
  (("JC_1": (offset_min(intP_t_5_alloc_table, t) <= i_0_0)) and
   (("JC_2": (offset_max(intP_t_5_alloc_table, t) >= i_0_0)) and
    (("JC_3": (offset_min(intP_t_5_alloc_table, t) <= mi0)) and
     ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= mi0)))))) ->
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, mi0, intP_intM_t_5_0, intP_intM_t_5)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_union(pset_range(pset_singleton(t), mi0, mi0),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_59": Permut(t, 0, (n_1 - 1), intP_intM_t_5_0, intP_intM_t_5)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  (0 <= ("JC_60": (n_1 - i_0_0)))

goal sel_sort_safety_po_13:
  forall t:intP pointer.
  forall n_1:int.
  forall intP_t_5_alloc_table:intP alloc_table.
  ("JC_31":
  (("JC_29": (offset_min(intP_t_5_alloc_table, t) <= 0)) and
   ("JC_30": (offset_max(intP_t_5_alloc_table, t) >= (n_1 - 1))))) ->
  (n_1 > 0) ->
  forall i_0:int.
  (i_0 = 0) ->
  forall i_0_0:int.
  forall intP_intM_t_5:(intP,
  int) memory.
  ("JC_45": true) ->
  ("JC_43": (("JC_41": (0 <= i_0_0)) and ("JC_42": (i_0_0 < n_1)))) ->
  (i_0_0 < (n_1 - 1)) ->
  ((offset_min(intP_t_5_alloc_table, t) <= i_0_0) and
   (i_0_0 <= offset_max(intP_t_5_alloc_table, t))) ->
  forall result:int.
  (result = select(intP_intM_t_5, shift(t, i_0_0))) ->
  forall mv:int.
  (mv = result) ->
  forall mi:int.
  (mi = i_0_0) ->
  forall j_0_0:int.
  (j_0_0 = (i_0_0 + 1)) ->
  forall j_0_0_0:int.
  forall mi0:int.
  ("JC_53": true) ->
  ("JC_51":
  (("JC_48": (i_0_0 < j_0_0_0)) and
   (("JC_49": (i_0_0 <= mi0)) and ("JC_50": (mi0 < n_1))))) ->
  (j_0_0_0 >= n_1) ->
  ("JC_5":
  (("JC_1": (offset_min(intP_t_5_alloc_table, t) <= i_0_0)) and
   (("JC_2": (offset_max(intP_t_5_alloc_table, t) >= i_0_0)) and
    (("JC_3": (offset_min(intP_t_5_alloc_table, t) <= mi0)) and
     ("JC_4": (offset_max(intP_t_5_alloc_table, t) >= mi0)))))) ->
  forall intP_intM_t_5_0:(intP,
  int) memory.
  ("JC_18":
  (("JC_16": Swap(t, i_0_0, mi0, intP_intM_t_5_0, intP_intM_t_5)) and
   ("JC_17": not_assigns(intP_t_5_alloc_table, intP_intM_t_5,
   intP_intM_t_5_0, pset_union(pset_range(pset_singleton(t), mi0, mi0),
   pset_range(pset_singleton(t), i_0_0, i_0_0)))))) ->
  ("JC_59": Permut(t, 0, (n_1 - 1), intP_intM_t_5_0, intP_intM_t_5)) ->
  forall i_0_1:int.
  (i_0_1 = (i_0_0 + 1)) ->
  (("JC_60": (n_1 - i_0_1)) < ("JC_60": (n_1 - i_0_0)))

goal swap_ensures_default_po_1:
  forall t_0:intP pointer.
  forall i:int.
  forall j:int.
  forall intP_t_0_4_alloc_table:intP alloc_table.
  forall intP_intM_t_0_4:(intP,
  int) memory.
  ("JC_11":
  (("JC_7": (offset_min(intP_t_0_4_alloc_table, t_0) <= i)) and
   (("JC_8": (offset_max(intP_t_0_4_alloc_table, t_0) >= i)) and
    (("JC_9": (offset_min(intP_t_0_4_alloc_table, t_0) <= j)) and
     ("JC_10": (offset_max(intP_t_0_4_alloc_table, t_0) >= j)))))) ->
  forall result:int.
  (result = select(intP_intM_t_0_4, shift(t_0, i))) ->
  forall tmp:int.
  (tmp = result) ->
  forall result0:int.
  (result0 = select(intP_intM_t_0_4, shift(t_0, j))) ->
  forall intP_intM_t_0_4_0:(intP,
  int) memory.
  (intP_intM_t_0_4_0 = store(intP_intM_t_0_4, shift(t_0, i), result0)) ->
  forall intP_intM_t_0_4_1:(intP,
  int) memory.
  (intP_intM_t_0_4_1 = store(intP_intM_t_0_4_0, shift(t_0, j), tmp)) ->
  ("JC_15": ("JC_13": Swap(t_0, i, j, intP_intM_t_0_4_1, intP_intM_t_0_4)))

goal swap_ensures_default_po_2:
  forall t_0:intP pointer.
  forall i:int.
  forall j:int.
  forall intP_t_0_4_alloc_table:intP alloc_table.
  forall intP_intM_t_0_4:(intP,
  int) memory.
  ("JC_11":
  (("JC_7": (offset_min(intP_t_0_4_alloc_table, t_0) <= i)) and
   (("JC_8": (offset_max(intP_t_0_4_alloc_table, t_0) >= i)) and
    (("JC_9": (offset_min(intP_t_0_4_alloc_table, t_0) <= j)) and
     ("JC_10": (offset_max(intP_t_0_4_alloc_table, t_0) >= j)))))) ->
  forall result:int.
  (result = select(intP_intM_t_0_4, shift(t_0, i))) ->
  forall tmp:int.
  (tmp = result) ->
  forall result0:int.
  (result0 = select(intP_intM_t_0_4, shift(t_0, j))) ->
  forall intP_intM_t_0_4_0:(intP,
  int) memory.
  (intP_intM_t_0_4_0 = store(intP_intM_t_0_4, shift(t_0, i), result0)) ->
  forall intP_intM_t_0_4_1:(intP,
  int) memory.
  (intP_intM_t_0_4_1 = store(intP_intM_t_0_4_0, shift(t_0, j), tmp)) ->
  ("JC_15":
  ("JC_14": not_assigns(intP_t_0_4_alloc_table, intP_intM_t_0_4,
  intP_intM_t_0_4_1, pset_union(pset_range(pset_singleton(t_0), j, j),
  pset_range(pset_singleton(t_0), i, i)))))

goal swap_safety_po_1:
  forall t_0:intP pointer.
  forall i:int.
  forall j:int.
  forall intP_t_0_4_alloc_table:intP alloc_table.
  ("JC_11":
  (("JC_7": (offset_min(intP_t_0_4_alloc_table, t_0) <= i)) and
   (("JC_8": (offset_max(intP_t_0_4_alloc_table, t_0) >= i)) and
    (("JC_9": (offset_min(intP_t_0_4_alloc_table, t_0) <= j)) and
     ("JC_10": (offset_max(intP_t_0_4_alloc_table, t_0) >= j)))))) ->
  (i <= offset_max(intP_t_0_4_alloc_table, t_0))

goal swap_safety_po_2:
  forall t_0:intP pointer.
  forall i:int.
  forall j:int.
  forall intP_t_0_4_alloc_table:intP alloc_table.
  forall intP_intM_t_0_4:(intP,
  int) memory.
  ("JC_11":
  (("JC_7": (offset_min(intP_t_0_4_alloc_table, t_0) <= i)) and
   (("JC_8": (offset_max(intP_t_0_4_alloc_table, t_0) >= i)) and
    (("JC_9": (offset_min(intP_t_0_4_alloc_table, t_0) <= j)) and
     ("JC_10": (offset_max(intP_t_0_4_alloc_table, t_0) >= j)))))) ->
  ((offset_min(intP_t_0_4_alloc_table, t_0) <= i) and
   (i <= offset_max(intP_t_0_4_alloc_table, t_0))) ->
  forall result:int.
  (result = select(intP_intM_t_0_4, shift(t_0, i))) ->
  forall tmp:int.
  (tmp = result) ->
  (offset_min(intP_t_0_4_alloc_table, t_0) <= j)

goal swap_safety_po_3:
  forall t_0:intP pointer.
  forall i:int.
  forall j:int.
  forall intP_t_0_4_alloc_table:intP alloc_table.
  forall intP_intM_t_0_4:(intP,
  int) memory.
  ("JC_11":
  (("JC_7": (offset_min(intP_t_0_4_alloc_table, t_0) <= i)) and
   (("JC_8": (offset_max(intP_t_0_4_alloc_table, t_0) >= i)) and
    (("JC_9": (offset_min(intP_t_0_4_alloc_table, t_0) <= j)) and
     ("JC_10": (offset_max(intP_t_0_4_alloc_table, t_0) >= j)))))) ->
  ((offset_min(intP_t_0_4_alloc_table, t_0) <= i) and
   (i <= offset_max(intP_t_0_4_alloc_table, t_0))) ->
  forall result:int.
  (result = select(intP_intM_t_0_4, shift(t_0, i))) ->
  forall tmp:int.
  (tmp = result) ->
  (j <= offset_max(intP_t_0_4_alloc_table, t_0))

// RUNSIMPLIFY: will ask regtests to run Simplify on this program
========== generation of Simplify VC output ==========
why -simplify [...] why/selection_sort.why
========== file tests/c/selection_sort.jessie/simplify/selection_sort_why.sx ==========

;; DO NOT EDIT BELOW THIS LINE

(BG_PUSH (NEQ |@true| |@false|))

(DEFPRED (zwf_zero a b) (AND (<= 0 b) (< a b)))

(BG_PUSH
 ;; Why axiom bool_and_def
 (FORALL (a b)
 (IFF (EQ (bool_and a b) |@true|) (AND (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_or_def
 (FORALL (a b)
 (IFF (EQ (bool_or a b) |@true|) (OR (EQ a |@true|) (EQ b |@true|)))))

(BG_PUSH
 ;; Why axiom bool_xor_def
 (FORALL (a b) (IFF (EQ (bool_xor a b) |@true|) (NEQ a b))))

(BG_PUSH
 ;; Why axiom bool_not_def
 (FORALL (a) (IFF (EQ (bool_not a) |@true|) (EQ a |@false|))))

(BG_PUSH
 ;; Why axiom ite_true
 (FORALL (x y) (EQ (ite |@true| x y) x)))

(BG_PUSH
 ;; Why axiom ite_false
 (FORALL (x y) (EQ (ite |@false| x y) y)))

(BG_PUSH
 ;; Why axiom lt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (lt_int_bool x y) |@true|) (< x y))))

(BG_PUSH
 ;; Why axiom le_int_bool_axiom
 (FORALL (x y) (IFF (EQ (le_int_bool x y) |@true|) (<= x y))))

(BG_PUSH
 ;; Why axiom gt_int_bool_axiom
 (FORALL (x y) (IFF (EQ (gt_int_bool x y) |@true|) (> x y))))

(BG_PUSH
 ;; Why axiom ge_int_bool_axiom
 (FORALL (x y) (IFF (EQ (ge_int_bool x y) |@true|) (>= x y))))

(BG_PUSH
 ;; Why axiom eq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_int_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_int_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_int_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom abs_int_pos
 (FORALL (x) (IMPLIES (>= x 0) (EQ (abs_int x) x))))

(BG_PUSH
 ;; Why axiom abs_int_neg
 (FORALL (x) (IMPLIES (<= x 0) (EQ (abs_int x) (- 0 x)))))

(BG_PUSH
 ;; Why axiom int_max_is_ge
 (FORALL (x y) (AND (>= (int_max x y) x) (>= (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_max_is_some
 (FORALL (x y) (OR (EQ (int_max x y) x) (EQ (int_max x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_le
 (FORALL (x y) (AND (<= (int_min x y) x) (<= (int_min x y) y))))

(BG_PUSH
 ;; Why axiom int_min_is_some
 (FORALL (x y) (OR (EQ (int_min x y) x) (EQ (int_min x y) y))))

(BG_PUSH
 ;; Why axiom real_of_int_zero
 (EQ (real_of_int 0) real_constant_0_0e))

(BG_PUSH
 ;; Why axiom real_of_int_one
 (EQ (real_of_int 1) real_constant_1_0e))

(BG_PUSH
 ;; Why axiom real_of_int_add
 (FORALL (x y)
 (EQ (real_of_int (+ x y)) (real_add (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom real_of_int_sub
 (FORALL (x y)
 (EQ (real_of_int (- x y)) (real_sub (real_of_int x) (real_of_int y)))))

(BG_PUSH
 ;; Why axiom truncate_down_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (AND (EQ (le_real (real_of_int (truncate_real_to_int x)) x) |@true|)
 (EQ (lt_real x (real_of_int (+ (truncate_real_to_int x) 1))) |@true|)))))

(BG_PUSH
 ;; Why axiom truncate_up_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (AND (EQ (lt_real (real_of_int (- (truncate_real_to_int x) 1)) x) |@true|)
 (EQ (le_real x (real_of_int (truncate_real_to_int x))) |@true|)))))

(BG_PUSH
 ;; Why axiom lt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (lt_real_bool x y) |@true|) (EQ (lt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom le_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (le_real_bool x y) |@true|) (EQ (le_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom gt_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (gt_real_bool x y) |@true|) (EQ (gt_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom ge_real_bool_axiom
 (FORALL (x y)
 (IFF (EQ (ge_real_bool x y) |@true|) (EQ (ge_real x y) |@true|))))

(BG_PUSH
 ;; Why axiom eq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (eq_real_bool x y) |@true|) (EQ x y))))

(BG_PUSH
 ;; Why axiom neq_real_bool_axiom
 (FORALL (x y) (IFF (EQ (neq_real_bool x y) |@true|) (NEQ x y))))

(BG_PUSH
 ;; Why axiom real_max_is_ge
 (FORALL (x y)
 (AND (EQ (ge_real (real_max x y) x) |@true|)
 (EQ (ge_real (real_max x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_max_is_some
 (FORALL (x y) (OR (EQ (real_max x y) x) (EQ (real_max x y) y))))

(BG_PUSH
 ;; Why axiom real_min_is_le
 (FORALL (x y)
 (AND (EQ (le_real (real_min x y) x) |@true|)
 (EQ (le_real (real_min x y) y) |@true|))))

(BG_PUSH
 ;; Why axiom real_min_is_some
 (FORALL (x y) (OR (EQ (real_min x y) x) (EQ (real_min x y) y))))

(BG_PUSH
 ;; Why axiom sqr_real_def
 (FORALL (x) (EQ (sqr_real x) (real_mul x x))))

(BG_PUSH
 ;; Why axiom sqrt_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (ge_real (real_sqrt x) real_constant_0_0e) |@true|))))

(BG_PUSH
 ;; Why axiom sqrt_sqr
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (sqr_real (real_sqrt x)) x))))

(BG_PUSH
 ;; Why axiom sqr_sqrt
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|)
 (EQ (real_sqrt (real_mul x x)) x))))

(BG_PUSH
 ;; Why axiom abs_real_pos
 (FORALL (x)
 (IMPLIES (EQ (ge_real x real_constant_0_0e) |@true|) (EQ (real_abs x) x))))

(BG_PUSH
 ;; Why axiom abs_real_neg
 (FORALL (x)
 (IMPLIES (EQ (le_real x real_constant_0_0e) |@true|)
 (EQ (real_abs x) (real_neg x)))))

(BG_PUSH
 ;; Why axiom log_exp
 (FORALL (x) (EQ (log (exp x)) x)))

(BG_PUSH
 ;; Why axiom exp_log
 (FORALL (x)
 (IMPLIES (EQ (gt_real x real_constant_0_0e) |@true|) (EQ (exp (log x)) x))))

(BG_PUSH
 ;; Why axiom prod_pos
 (FORALL (x y)
 (AND
 (IMPLIES
 (AND (EQ (gt_real x real_constant_0_0e) |@true|)
 (EQ (gt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|))
 (IMPLIES
 (AND (EQ (lt_real x real_constant_0_0e) |@true|)
 (EQ (lt_real y real_constant_0_0e) |@true|))
 (EQ (gt_real (real_mul x y) real_constant_0_0e) |@true|)))))

(BG_PUSH
 ;; Why axiom abs_minus
 (FORALL (x) (EQ (real_abs (real_neg x)) (real_abs x))))

(BG_PUSH
 ;; Why axiom math_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (math_div x y)) (math_mod x y)))))))

(BG_PUSH
 ;; Why axiom math_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0)
 (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (AND (<= 0 (math_mod x y)) (< (math_mod x y) (abs_int y)))))))

(BG_PUSH
 ;; Why axiom computer_div_mod
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (EQ x (+ (* y (computer_div x y)) (computer_mod x y)))))))

(BG_PUSH
 ;; Why axiom computer_div_bound
 (FORALL (x y)
 (IMPLIES (AND (>= x 0) (> y 0))
 (AND (<= 0 (computer_div x y)) (<= (computer_div x y) x)))))

(BG_PUSH
 ;; Why axiom computer_mod_bound
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (< (abs_int (computer_mod x y)) (abs_int y))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (< (abs_int (computer_mod x y)) (abs_int y))))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_pos
 (FORALL (x y) (IMPLIES (AND (>= x 0) (NEQ y 0)) (>= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_mod_sign_neg
 (FORALL (x y) (IMPLIES (AND (<= x 0) (NEQ y 0)) (<= (computer_mod x y) 0))))

(BG_PUSH
 ;; Why axiom computer_rounds_toward_zero
 (FORALL (x y)
 (IMPLIES (NEQ y 0) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))

 (FORALL (y)
 (IMPLIES (NEQ y 0)
 (FORALL (x) (<= (abs_int (* (computer_div x y) y)) (abs_int x))))))

(DEFPRED (valid a p) (AND (<= (offset_min a p) 0) (>= (offset_max a p) 0)))

(DEFPRED (same_block p q) (EQ (base_block p) (base_block q)))

(BG_PUSH
 ;; Why axiom address_injective
 (FORALL (p q) (IFF (EQ p q) (EQ (address p) (address q)))))

(BG_PUSH
 ;; Why axiom address_null
 (EQ (address null) 0))

(BG_PUSH
 ;; Why axiom address_shift_lt
 (FORALL (p i j)
 (IFF (< (address (shift p i)) (address (shift p j))) (< i j))))

(BG_PUSH
 ;; Why axiom address_shift_le
 (FORALL (p i j)
 (IFF (<= (address (shift p i)) (address (shift p j))) (<= i j))))

(BG_PUSH
 ;; Why axiom shift_zero
 (FORALL (p) (EQ (shift p 0) p)))

(BG_PUSH
 ;; Why axiom shift_shift
 (FORALL (p i j) (EQ (shift (shift p i) j) (shift p (+ i j)))))

(BG_PUSH
 ;; Why axiom offset_max_shift
 (FORALL (a p i) (EQ (offset_max a (shift p i)) (- (offset_max a p) i))))

(BG_PUSH
 ;; Why axiom offset_min_shift
 (FORALL (a p i) (EQ (offset_min a (shift p i)) (- (offset_min a p) i))))

(BG_PUSH
 ;; Why axiom neq_shift
 (FORALL (p i j) (IMPLIES (NEQ i j) (NEQ (shift p i) (shift p j))))

 (FORALL (i j)
 (IMPLIES (NEQ i j) (FORALL (p) (NEQ (shift p i) (shift p j))))))

(BG_PUSH
 ;; Why axiom null_not_valid
 (FORALL (a) (NOT (valid a null))))

(BG_PUSH
 ;; Why axiom null_pointer
 (FORALL (a)
 (AND (>= (offset_min a null) 0) (<= (offset_max a null) (- 0 2)))))

(BG_PUSH
 ;; Why axiom eq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (eq_pointer_bool p1 p2) |@true|) (EQ p1 p2))))

(BG_PUSH
 ;; Why axiom neq_pointer_bool_def
 (FORALL (p1 p2) (IFF (EQ (neq_pointer_bool p1 p2) |@true|) (NEQ p1 p2))))

(BG_PUSH
 ;; Why axiom same_block_shift_right
 (FORALL (p q i) (IMPLIES (same_block p q) (same_block p (shift q i))))

 (FORALL (p q)
 (IMPLIES (same_block p q) (FORALL (i) (same_block p (shift q i))))))

(BG_PUSH
 ;; Why axiom same_block_shift_left
 (FORALL (p q i) (IMPLIES (same_block q p) (same_block (shift q i) p)))

 (FORALL (p q)
 (IMPLIES (same_block q p) (FORALL (i) (same_block (shift q i) p)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift
 (FORALL (p q) (IMPLIES (same_block p q) (EQ p (shift q (sub_pointer p q))))))

(BG_PUSH
 ;; Why axiom sub_pointer_self
 (FORALL (p) (EQ (sub_pointer p p) 0)))

(BG_PUSH
 ;; Why axiom sub_pointer_zero
 (FORALL (p q)
 (IMPLIES (same_block p q) (IMPLIES (EQ (sub_pointer p q) 0) (EQ p q)))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_left
 (FORALL (p q i) (EQ (sub_pointer (shift p i) q) (+ (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom sub_pointer_shift_right
 (FORALL (p q i) (EQ (sub_pointer p (shift q i)) (- (sub_pointer p q) i))))

(BG_PUSH
 ;; Why axiom select_store_eq
 (FORALL (m p1 p2 a)
 (IMPLIES (EQ p1 p2) (EQ (select (|why__store| m p1 a) p2) a)))

 (FORALL (p1 p2)
 (IMPLIES (EQ p1 p2) (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) a)))))

(BG_PUSH
 ;; Why axiom select_store_neq
 (FORALL (m p1 p2 a)
 (IMPLIES (NEQ p1 p2) (EQ (select (|why__store| m p1 a) p2) (select m p2))))

 (FORALL (p1 p2)
 (IMPLIES (NEQ p1 p2)
 (FORALL (m a) (EQ (select (|why__store| m p1 a) p2) (select m p2))))))

(DEFPRED (pset_disjoint ps1 ps2)
  (FORALL (p)
  (NOT (AND (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|)))))

(DEFPRED (pset_included ps1 ps2)
  (FORALL (p)
  (IMPLIES (EQ (in_pset p ps1) |@true|) (EQ (in_pset p ps2) |@true|))))

(BG_PUSH
 ;; Why axiom pset_included_self
 (FORALL (ps) (pset_included ps ps)))

(BG_PUSH
 ;; Why axiom pset_included_range
 (FORALL (ps a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (pset_included (pset_range ps a b) (pset_range ps c d))))

 (FORALL (a b c d)
 (IMPLIES (AND (<= c a) (<= b d))
 (FORALL (ps) (pset_included (pset_range ps a b) (pset_range ps c d))))))

(BG_PUSH
 ;; Why axiom pset_included_range_all
 (FORALL (ps a b c d) (pset_included (pset_range ps a b) (pset_all ps))))

(BG_PUSH
 ;; Why axiom in_pset_empty
 (FORALL (p) (NOT (EQ (in_pset p pset_empty) |@true|))))

(BG_PUSH
 ;; Why axiom in_pset_singleton
 (FORALL (p q) (IFF (EQ (in_pset p (pset_singleton q)) |@true|) (EQ p q))))

(BG_PUSH
 ;; Why axiom in_pset_deref
 (FORALL (p m q)
 (IFF (EQ (in_pset p (pset_deref m q)) |@true|)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (select m r)))))))

(BG_PUSH
 ;; Why axiom in_pset_all
 (FORALL (p q)
 (IFF (EQ (in_pset p (pset_all q)) |@true|)
 (EXISTS (i)
 (EXISTS (r) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))

(BG_PUSH
 ;; Why axiom in_pset_range
 (FORALL (p q a b)
 (IFF (EQ (in_pset p (pset_range q a b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i))))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_left
 (FORALL (p q b)
 (IFF (EQ (in_pset p (pset_range_left q b)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= i b) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_range_right
 (FORALL (p q a)
 (IFF (EQ (in_pset p (pset_range_right q a)) |@true|)
 (EXISTS (i)
 (EXISTS (r)
 (AND (<= a i) (AND (EQ (in_pset r q) |@true|) (EQ p (shift r i)))))))))

(BG_PUSH
 ;; Why axiom in_pset_union
 (FORALL (p s1 s2)
 (IFF (EQ (in_pset p (pset_union s1 s2)) |@true|)
 (OR (EQ (in_pset p s1) |@true|) (EQ (in_pset p s2) |@true|)))))

(BG_PUSH
 ;; Why axiom valid_pset_empty
 (FORALL (a) (EQ (valid_pset a pset_empty) |@true|)))

(BG_PUSH
 ;; Why axiom valid_pset_singleton
 (FORALL (a p)
 (IFF (EQ (valid_pset a (pset_singleton p)) |@true|) (valid a p))))

(BG_PUSH
 ;; Why axiom valid_pset_deref
 (FORALL (a m q)
 (IFF (EQ (valid_pset a (pset_deref m q)) |@true|)
 (FORALL (r p)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (EQ p (select m r))) (valid a p))))))

(BG_PUSH
 ;; Why axiom valid_pset_range
 (FORALL (a q c d)
 (IFF (EQ (valid_pset a (pset_range q c d)) |@true|)
 (FORALL (i r)
 (IMPLIES (AND (EQ (in_pset r q) |@true|) (AND (<= c i) (<= i d)))
 (valid a (shift r i)))))))

(BG_PUSH
 ;; Why axiom valid_pset_union
 (FORALL (a s1 s2)
 (IFF (EQ (valid_pset a (pset_union s1 s2)) |@true|)
 (AND (EQ (valid_pset a s1) |@true|) (EQ (valid_pset a s2) |@true|)))))

(DEFPRED (not_assigns a m1 m2 l)
  (FORALL (p)
  (IMPLIES (AND (valid a p) (NOT (EQ (in_pset p l) |@true|)))
  (EQ (select m2 p) (select m1 p)))))

(BG_PUSH
 ;; Why axiom not_assigns_refl
 (FORALL (a m l) (not_assigns a m m l)))

(BG_PUSH
 ;; Why axiom not_assigns_trans
 (FORALL (a m1 m2 m3 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))

 (FORALL (a m1 m2 l)
 (IMPLIES (not_assigns a m1 m2 l)
 (FORALL (m3) (IMPLIES (not_assigns a m2 m3 l) (not_assigns a m1 m3 l))))))

(BG_PUSH
 ;; Why axiom full_separated_shift1
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift2
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated p q) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift3
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated (shift q i) p) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated (shift q i) p) |@true|)))))

(BG_PUSH
 ;; Why axiom full_separated_shift4
 (FORALL (p q i)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (EQ (full_separated p (shift q i)) |@true|)))

 (FORALL (p q)
 (IMPLIES (EQ (full_separated q p) |@true|)
 (FORALL (i) (EQ (full_separated p (shift q i)) |@true|)))))

(BG_PUSH
 ;; Why axiom subtag_bool_def
 (FORALL (t1 t2)
 (IFF (EQ (subtag_bool t1 t2) |@true|) (EQ (subtag t1 t2) |@true|))))

(BG_PUSH
 ;; Why axiom subtag_refl
 (FORALL (t) (EQ (subtag t t) |@true|)))

(BG_PUSH
 ;; Why axiom subtag_parent
 (FORALL (t1 t2 t3)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))

 (FORALL (t1 t2)
 (IMPLIES (EQ (subtag t1 t2) |@true|)
 (FORALL (t3)
 (IMPLIES (EQ (parenttag t2 t3) |@true|) (EQ (subtag t1 t3) |@true|))))))

(DEFPRED (instanceof a p t) (EQ (subtag (typeof a p) t) |@true|))

(BG_PUSH
 ;; Why axiom downcast_instanceof
 (FORALL (a p s) (IMPLIES (instanceof a p s) (EQ (downcast a p s) p))))

(BG_PUSH
 ;; Why axiom bottom_tag_axiom
 (FORALL (t) (EQ (subtag t bottom_tag) |@true|)))

(DEFPRED (root_tag t) (EQ (parenttag t bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom root_subtag
 (FORALL (a b c)
 (IMPLIES (root_tag a)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|)))))))

 (FORALL (a)
 (IMPLIES (root_tag a)
 (FORALL (b)
 (IMPLIES (root_tag b)
 (IMPLIES (NEQ a b)
 (FORALL (c)
 (IMPLIES (EQ (subtag c a) |@true|) (NOT (EQ (subtag c b) |@true|))))))))))

(DEFPRED (fully_packed tag_table mutable this)
  (EQ (select mutable this) (typeof tag_table this)))

(BG_PUSH
 ;; Why axiom bw_and_not_null
 (FORALL (a b) (IMPLIES (NEQ (bw_and a b) 0) (AND (NEQ a 0) (NEQ b 0)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsl a b)))))

(BG_PUSH
 ;; Why axiom lsl_left_positive_monotone
 (FORALL (a1 a2 b)
 (IMPLIES (AND (<= 0 a1) (AND (<= a1 a2) (<= 0 b)))
 (<= (lsl a1 b) (lsl a2 b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_returns_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsr_left_positive_decreases
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsr a b) a))))

(BG_PUSH
 ;; Why axiom asr_positive_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= 0 (asr a b)))))

(BG_PUSH
 ;; Why axiom asr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (asr a b) a))))

(BG_PUSH
 ;; Why axiom asr_lsr_same_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (asr a b) (lsr a b)))))

(BG_PUSH
 ;; Why axiom lsl_of_lsr_decreases_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (<= (lsl (lsr a b) b) a))))

(BG_PUSH
 ;; Why axiom lsr_of_lsl_identity_on_positive
 (FORALL (a b) (IMPLIES (AND (<= 0 a) (<= 0 b)) (EQ (lsr (lsl a b) b) a))))

(DEFPRED (alloc_fresh a p n)
  (FORALL (i) (IMPLIES (AND (<= 0 i) (< i n)) (NOT (valid a (shift p i))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_min
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_offset_max
 (FORALL (a1 a2)
 (IMPLIES (EQ (alloc_extends a1 a2) |@true|)
 (FORALL (p) (IMPLIES (valid a1 p) (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_not_assigns_empty
 (FORALL (a1 a2 m1 m2 l p n)
 (IMPLIES
 (AND (EQ (alloc_extends a1 a2) |@true|)
 (AND (alloc_fresh a1 p n)
 (AND (not_assigns a2 m1 m2 l)
 (pset_included l (pset_all (pset_singleton p))))))
 (not_assigns a1 m1 m2 pset_empty))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_min
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_min a1 p) (offset_min a2 p)))))))

(BG_PUSH
 ;; Why axiom alloc_extends_except_offset_max
 (FORALL (a1 a2 l)
 (IMPLIES (EQ (alloc_extends_except a1 a2 l) |@true|)
 (FORALL (p)
 (IMPLIES (AND (valid a1 p) (NOT (EQ (in_pset p l) |@true|)))
 (EQ (offset_max a1 p) (offset_max a2 p)))))))

(BG_PUSH
 ;; Why axiom disj_sym
 (FORALL (s1 s2)
 (IMPLIES (EQ (disj_mybag s1 s2) |@true|) (EQ (disj_mybag s2 s1) |@true|))))

(BG_PUSH
 ;; Why axiom sub_refl
 (FORALL (sa) (EQ (sub_mybag sa sa) |@true|)))

(BG_PUSH
 ;; Why axiom sub_disj
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))

 (FORALL (s1 s3)
 (IMPLIES (EQ (disj_mybag s1 s3) |@true|)
 (FORALL (s2)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (disj_mybag s1 s2) |@true|))))))

(BG_PUSH
 ;; Why axiom sub_in
 (FORALL (s1 s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))

 (FORALL (s2 p)
 (IMPLIES (NOT (EQ (in_mybag p s2) |@true|))
 (FORALL (s1)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|) (NOT (EQ (in_mybag p s1) |@true|)))))))

(BG_PUSH
 ;; Why axiom sub_sub
 (FORALL (s1 s2 s3)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))

 (FORALL (s1 s2)
 (IMPLIES (EQ (sub_mybag s1 s2) |@true|)
 (FORALL (s3)
 (IMPLIES (EQ (sub_mybag s2 s3) |@true|) (EQ (sub_mybag s1 s3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_refl
 (FORALL (sa m) (EQ (frame_between sa m m) |@true|)))

(BG_PUSH
 ;; Why axiom frame_between_gen
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (EQ (in_mybag p sa) |@true|)
 (FORALL (v) (EQ (frame_between sa (|why__store| m1 p v) m2) |@true|)))))))

(BG_PUSH
 ;; Why axiom frame_between_gen2
 (FORALL (sa m1 m2 m3)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between sa m2 m3) |@true|)
 (EQ (frame_between sa m1 m3) |@true|))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub1
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 s13)
 (IMPLIES (EQ (sub_mybag s12 s13) |@true|)
 (FORALL (m2 m1)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s23 m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_gen_sub2
 (FORALL (s12 s23 s13 m1 m2 m3)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|)))))

 (FORALL (s12 m1 m2)
 (IMPLIES (EQ (frame_between s12 m1 m2) |@true|)
 (FORALL (s13 s23)
 (IMPLIES (EQ (sub_mybag s23 s13) |@true|)
 (FORALL (m3)
 (IMPLIES (EQ (frame_between s23 m2 m3) |@true|)
 (EQ (frame_between s13 m1 m3) |@true|))))))))

(BG_PUSH
 ;; Why axiom frame_between_pointer
 (FORALL (sa m1 m2 p v)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (EQ (select m1 p) (select m2 p)))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (p)
 (IMPLIES (NOT (EQ (in_mybag p sa) |@true|))
 (FORALL (v) (EQ (select m1 p) (select m2 p))))))))

(BG_PUSH
 ;; Why axiom frame_between_sub
 (FORALL (sa sb m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))

 (FORALL (sa m1 m2)
 (IMPLIES (EQ (frame_between sa m1 m2) |@true|)
 (FORALL (sb)
 (IMPLIES (EQ (sub_mybag sa sb) |@true|)
 (EQ (frame_between sb m1 m2) |@true|))))))

(DEFPRED (Swap a i_1 j_0 intP_intM_a_1_at_L2 intP_intM_a_1_at_L1)
  (AND
  (EQ (select intP_intM_a_1_at_L1 (shift a i_1))
  (select intP_intM_a_1_at_L2 (shift a j_0)))
  (AND
  (EQ (select intP_intM_a_1_at_L1 (shift a j_0))
  (select intP_intM_a_1_at_L2 (shift a i_1)))
  (FORALL (k)
  (IMPLIES (AND (NEQ k i_1) (NEQ k j_0))
  (EQ (select intP_intM_a_1_at_L1 (shift a k))
  (select intP_intM_a_1_at_L2 (shift a k))))))))

(BG_PUSH
 ;; Why axiom Permut_inversion
 (FORALL (aux_1 aux_2 aux_3 aux_4 aux_5)
 (IMPLIES (EQ (Permut aux_1 aux_2 aux_3 aux_4 aux_5) |@true|)
 (OR
 (EXISTS (intP_intM_a_0_2_at_L)
 (EXISTS (a_1)
 (EXISTS (l_0)
 (EXISTS (h_0)
 (AND (EQ aux_1 a_1)
 (AND (EQ aux_2 l_0)
 (AND (EQ aux_3 h_0)
 (AND (EQ aux_4 intP_intM_a_0_2_at_L) (EQ aux_5 intP_intM_a_0_2_at_L)))))))))
 (OR
 (EXISTS (intP_intM_a_0_2_at_L2)
 (EXISTS (intP_intM_a_0_2_at_L1)
 (EXISTS (a_2)
 (EXISTS (l_1)
 (EXISTS (h_1)
 (AND
 (EQ (Permut
 a_2 l_1 h_1 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|)
 (AND (EQ aux_1 a_2)
 (AND (EQ aux_2 l_1)
 (AND (EQ aux_3 h_1)
 (AND (EQ aux_4 intP_intM_a_0_2_at_L1) (EQ aux_5 intP_intM_a_0_2_at_L2)))))))))))
 (OR
 (EXISTS (intP_intM_a_0_2_at_L3)
 (EXISTS (intP_intM_a_0_2_at_L2)
 (EXISTS (intP_intM_a_0_2_at_L1)
 (EXISTS (a_3)
 (EXISTS (l_2)
 (EXISTS (h_2)
 (AND
 (AND
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|)
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L3 intP_intM_a_0_2_at_L2) |@true|))
 (AND (EQ aux_1 a_3)
 (AND (EQ aux_2 l_2)
 (AND (EQ aux_3 h_2)
 (AND (EQ aux_4 intP_intM_a_0_2_at_L3) (EQ aux_5 intP_intM_a_0_2_at_L1))))))))))))
 (EXISTS (intP_intM_a_0_2_at_L2)
 (EXISTS (intP_intM_a_0_2_at_L1)
 (EXISTS (a_4)
 (EXISTS (l_3)
 (EXISTS (h_3)
 (EXISTS (i_2)
 (EXISTS (j_1)
 (AND
 (AND (<= l_3 i_2)
 (AND (<= i_2 h_3)
 (AND (<= l_3 j_1)
 (AND (<= j_1 h_3)
 (Swap a_4 i_2 j_1 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1)))))
 (AND (EQ aux_1 a_4)
 (AND (EQ aux_2 l_3)
 (AND (EQ aux_3 h_3)
 (AND (EQ aux_4 intP_intM_a_0_2_at_L2) (EQ aux_5 intP_intM_a_0_2_at_L1)))))))))))))))))))

(BG_PUSH
 ;; Why axiom Permut_refl
 (FORALL (intP_intM_a_0_2_at_L a_1 l_0 h_0)
 (EQ (Permut a_1 l_0 h_0 intP_intM_a_0_2_at_L intP_intM_a_0_2_at_L) |@true|)))

(BG_PUSH
 ;; Why axiom Permut_sym
 (FORALL (intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1 a_2 l_1 h_1)
 (IMPLIES
 (EQ (Permut
 a_2 l_1 h_1 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|)
 (EQ (Permut
 a_2 l_1 h_1 intP_intM_a_0_2_at_L1 intP_intM_a_0_2_at_L2) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_trans
 (FORALL (intP_intM_a_0_2_at_L3 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1 a_3 l_2 h_2)
 (IMPLIES
 (AND
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|)
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L3 intP_intM_a_0_2_at_L2) |@true|))
 (EQ (Permut
 a_3 l_2 h_2 intP_intM_a_0_2_at_L3 intP_intM_a_0_2_at_L1) |@true|))))

(BG_PUSH
 ;; Why axiom Permut_swap
 (FORALL (intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1 a_4 l_3 h_3 i_2 j_1)
 (IMPLIES
 (AND (<= l_3 i_2)
 (AND (<= i_2 h_3)
 (AND (<= l_3 j_1)
 (AND (<= j_1 h_3)
 (Swap a_4 i_2 j_1 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1)))))
 (EQ (Permut
 a_4 l_3 h_3 intP_intM_a_0_2_at_L2 intP_intM_a_0_2_at_L1) |@true|))))

(DEFPRED (Sorted a_5 l_4 h_4 intP_intM_a_5_3_at_L)
  (FORALL (i_3 j_2)
  (IMPLIES (AND (<= l_4 i_3) (AND (<= i_3 j_2) (< j_2 h_4)))
  (<= (select intP_intM_a_5_3_at_L (shift a_5 i_3)) (select
                                                    intP_intM_a_5_3_at_L 
                                                    (shift a_5 j_2))))))

(BG_PUSH
 ;; Why axiom charP_int
 (EQ (int_of_tag charP_tag) 1))

(BG_PUSH
 ;; Why axiom charP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (charP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom charP_parenttag_bottom
 (EQ (parenttag charP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom charP_tags
 (FORALL (x charP_tag_table) (instanceof charP_tag_table x charP_tag)))

(BG_PUSH
 ;; Why axiom intP_int
 (EQ (int_of_tag intP_tag) 1))

(BG_PUSH
 ;; Why axiom intP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (intP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom intP_parenttag_bottom
 (EQ (parenttag intP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom intP_tags
 (FORALL (x intP_tag_table) (instanceof intP_tag_table x intP_tag)))

(DEFPRED (left_valid_struct_charP p a charP_alloc_table)
  (<= (offset_min charP_alloc_table p) a))

(DEFPRED (left_valid_struct_intP p a intP_alloc_table)
  (<= (offset_min intP_alloc_table p) a))

(DEFPRED (left_valid_struct_unsigned_charP p a unsigned_charP_alloc_table)
  (<= (offset_min unsigned_charP_alloc_table p) a))

(DEFPRED (left_valid_struct_voidP p a voidP_alloc_table)
  (<= (offset_min voidP_alloc_table p) a))

(BG_PUSH
 ;; Why axiom pointer_addr_of_charP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (charP_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_intP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (intP_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_unsigned_charP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (unsigned_charP_of_pointer_address p)))))

(BG_PUSH
 ;; Why axiom pointer_addr_of_voidP_of_pointer_address
 (FORALL (p) (EQ p (pointer_address (voidP_of_pointer_address p)))))

(DEFPRED (right_valid_struct_charP p b charP_alloc_table)
  (>= (offset_max charP_alloc_table p) b))

(DEFPRED (right_valid_struct_intP p b intP_alloc_table)
  (>= (offset_max intP_alloc_table p) b))

(DEFPRED (right_valid_struct_unsigned_charP p b unsigned_charP_alloc_table)
  (>= (offset_max unsigned_charP_alloc_table p) b))

(DEFPRED (right_valid_struct_voidP p b voidP_alloc_table)
  (>= (offset_max voidP_alloc_table p) b))

(DEFPRED (strict_valid_root_charP p a b charP_alloc_table)
  (AND (EQ (offset_min charP_alloc_table p) a)
  (EQ (offset_max charP_alloc_table p) b)))

(DEFPRED (strict_valid_root_intP p a b intP_alloc_table)
  (AND (EQ (offset_min intP_alloc_table p) a)
  (EQ (offset_max intP_alloc_table p) b)))

(DEFPRED (strict_valid_root_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (EQ (offset_min unsigned_charP_alloc_table p) a)
  (EQ (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (strict_valid_root_voidP p a b voidP_alloc_table)
  (AND (EQ (offset_min voidP_alloc_table p) a)
  (EQ (offset_max voidP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_charP p a b charP_alloc_table)
  (AND (EQ (offset_min charP_alloc_table p) a)
  (EQ (offset_max charP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_intP p a b intP_alloc_table)
  (AND (EQ (offset_min intP_alloc_table p) a)
  (EQ (offset_max intP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (EQ (offset_min unsigned_charP_alloc_table p) a)
  (EQ (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (strict_valid_struct_voidP p a b voidP_alloc_table)
  (AND (EQ (offset_min voidP_alloc_table p) a)
  (EQ (offset_max voidP_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom unsigned_charP_int
 (EQ (int_of_tag unsigned_charP_tag) 1))

(BG_PUSH
 ;; Why axiom unsigned_charP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (unsigned_charP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom unsigned_charP_parenttag_bottom
 (EQ (parenttag unsigned_charP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom unsigned_charP_tags
 (FORALL (x unsigned_charP_tag_table)
 (instanceof unsigned_charP_tag_table x unsigned_charP_tag)))

(DEFPRED (valid_root_charP p a b charP_alloc_table)
  (AND (<= (offset_min charP_alloc_table p) a)
  (>= (offset_max charP_alloc_table p) b)))

(DEFPRED (valid_root_intP p a b intP_alloc_table)
  (AND (<= (offset_min intP_alloc_table p) a)
  (>= (offset_max intP_alloc_table p) b)))

(DEFPRED (valid_root_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (<= (offset_min unsigned_charP_alloc_table p) a)
  (>= (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (valid_root_voidP p a b voidP_alloc_table)
  (AND (<= (offset_min voidP_alloc_table p) a)
  (>= (offset_max voidP_alloc_table p) b)))

(DEFPRED (valid_struct_charP p a b charP_alloc_table)
  (AND (<= (offset_min charP_alloc_table p) a)
  (>= (offset_max charP_alloc_table p) b)))

(DEFPRED (valid_struct_intP p a b intP_alloc_table)
  (AND (<= (offset_min intP_alloc_table p) a)
  (>= (offset_max intP_alloc_table p) b)))

(DEFPRED (valid_struct_unsigned_charP p a b unsigned_charP_alloc_table)
  (AND (<= (offset_min unsigned_charP_alloc_table p) a)
  (>= (offset_max unsigned_charP_alloc_table p) b)))

(DEFPRED (valid_struct_voidP p a b voidP_alloc_table)
  (AND (<= (offset_min voidP_alloc_table p) a)
  (>= (offset_max voidP_alloc_table p) b)))

(BG_PUSH
 ;; Why axiom voidP_int
 (EQ (int_of_tag voidP_tag) 1))

(BG_PUSH
 ;; Why axiom voidP_of_pointer_address_of_pointer_addr
 (FORALL (p) (EQ p (voidP_of_pointer_address (pointer_address p)))))

(BG_PUSH
 ;; Why axiom voidP_parenttag_bottom
 (EQ (parenttag voidP_tag bottom_tag) |@true|))

(BG_PUSH
 ;; Why axiom voidP_tags
 (FORALL (x voidP_tag_table) (instanceof voidP_tag_table x voidP_tag)))

;; sel_sort_ensures_default_po_1, File "HOME/tests/c/selection_sort.c", line 58, characters 21-27
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0) (FORALL (i_0) (IMPLIES (EQ i_0 0) (<= 0 i_0))))))))

;; sel_sort_ensures_default_po_2, File "HOME/tests/c/selection_sort.c", line 58, characters 26-31
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0) (FORALL (i_0) (IMPLIES (EQ i_0 0) (< i_0 n_1))))))))

;; sel_sort_ensures_default_po_3, File "HOME/tests/c/selection_sort.c", line 71, characters 23-28
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0) (IMPLIES (EQ j_0_0 (+ i_0_0 1)) (< i_0_0 j_0_0))))))))))))))))))))

;; sel_sort_ensures_default_po_4, File "HOME/tests/c/selection_sort.c", line 71, characters 32-39
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0) (IMPLIES (EQ j_0_0 (+ i_0_0 1)) (<= i_0_0 mi))))))))))))))))))))

;; sel_sort_ensures_default_po_5, File "HOME/tests/c/selection_sort.c", line 71, characters 37-43
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0) (IMPLIES (EQ j_0_0 (+ i_0_0 1)) (< mi n_1))))))))))))))))))))

;; sel_sort_ensures_default_po_6, File "HOME/tests/c/selection_sort.c", line 71, characters 23-28
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5 (shift t j_0_0_0)))
(IMPLIES (< result0 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_0_0_0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_5 (shift t j_0_0_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result1)
(FORALL (j_0_0_1) (IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1)) (< i_0_0 j_0_0_1))))))))))))))))))))))))))))))))))))

;; sel_sort_ensures_default_po_7, File "HOME/tests/c/selection_sort.c", line 71, characters 32-39
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5 (shift t j_0_0_0)))
(IMPLIES (< result0 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_0_0_0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_5 (shift t j_0_0_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result1)
(FORALL (j_0_0_1) (IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1)) (<= i_0_0 mi1))))))))))))))))))))))))))))))))))))

;; sel_sort_ensures_default_po_8, File "HOME/tests/c/selection_sort.c", line 71, characters 37-43
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5 (shift t j_0_0_0)))
(IMPLIES (< result0 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_0_0_0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_5 (shift t j_0_0_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result1)
(FORALL (j_0_0_1) (IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1)) (< mi1 n_1))))))))))))))))))))))))))))))))))))

;; sel_sort_ensures_default_po_9, File "HOME/tests/c/selection_sort.c", line 71, characters 23-28
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5 (shift t j_0_0_0)))
(IMPLIES (>= result0 mv0)
(FORALL (j_0_0_1) (IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1)) (< i_0_0 j_0_0_1))))))))))))))))))))))))))))))

;; sel_sort_ensures_default_po_10, File "HOME/tests/c/selection_sort.c", line 71, characters 32-39
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5 (shift t j_0_0_0)))
(IMPLIES (>= result0 mv0)
(FORALL (j_0_0_1) (IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1)) (<= i_0_0 mi0))))))))))))))))))))))))))))))

;; sel_sort_ensures_default_po_11, File "HOME/tests/c/selection_sort.c", line 71, characters 37-43
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5 (shift t j_0_0_0)))
(IMPLIES (>= result0 mv0)
(FORALL (j_0_0_1) (IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1)) (< mi0 n_1))))))))))))))))))))))))))))))

;; sel_sort_ensures_default_po_12, File "HOME/tests/c/selection_sort.c", line 88, characters 15-38
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (>= j_0_0_0 n_1)
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Swap t i_0_0 mi0 intP_intM_t_5_0 intP_intM_t_5)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_union
                                                            (pset_range
                                                            (pset_singleton
                                                            t) mi0 mi0) 
                                                            (pset_range
                                                            (pset_singleton
                                                            t) i_0_0 i_0_0))))
(EQ (Permut t 0 (- n_1 1) intP_intM_t_5_0 intP_intM_t_5) |@true|))))))))))))))))))))))))))

;; sel_sort_ensures_default_po_13, File "HOME/tests/c/selection_sort.c", line 58, characters 21-27
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (>= j_0_0_0 n_1)
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Swap t i_0_0 mi0 intP_intM_t_5_0 intP_intM_t_5)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_union
                                                            (pset_range
                                                            (pset_singleton
                                                            t) mi0 mi0) 
                                                            (pset_range
                                                            (pset_singleton
                                                            t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t 0 (- n_1 1) intP_intM_t_5_0 intP_intM_t_5) |@true|)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (<= 0 i_0_1)))))))))))))))))))))))))))))

;; sel_sort_ensures_default_po_14, File "HOME/tests/c/selection_sort.c", line 58, characters 26-31
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (>= j_0_0_0 n_1)
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Swap t i_0_0 mi0 intP_intM_t_5_0 intP_intM_t_5)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_union
                                                            (pset_range
                                                            (pset_singleton
                                                            t) mi0 mi0) 
                                                            (pset_range
                                                            (pset_singleton
                                                            t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t 0 (- n_1 1) intP_intM_t_5_0 intP_intM_t_5) |@true|)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (< i_0_1 n_1)))))))))))))))))))))))))))))

;; sel_sort_ensures_permutation_po_1, File "HOME/tests/c/selection_sort.c", line 52, characters 14-39
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (<= n_1 0)
(EQ (Permut t 0 (- n_1 1) intP_intM_t_5 intP_intM_t_5) |@true|)))))))

;; sel_sort_ensures_permutation_po_2, File "HOME/tests/c/selection_sort.c", line 65, characters 22-47
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(EQ (Permut t 0 (- n_1 1) intP_intM_t_5 intP_intM_t_5) |@true|)))))))))

;; sel_sort_ensures_permutation_po_3, File "HOME/tests/c/selection_sort.c", line 65, characters 22-47
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(IMPLIES (EQ (Permut t 0 (- n_1 1) intP_intM_t_5_0 intP_intM_t_5) |@true|)
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5_0 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(IMPLIES (EQ (Permut t 0 (- n_1 1) intP_intM_t_5_0 intP_intM_t_5) |@true|)
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (>= j_0_0_0 n_1)
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 mi0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) mi0 mi0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t 0 (- n_1 1) intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1))
(EQ (Permut t 0 (- n_1 1) intP_intM_t_5_1 intP_intM_t_5) |@true|))))))))))))))))))))))))))))))))

;; sel_sort_ensures_sorted_po_1, File "HOME/tests/c/selection_sort.c", line 50, characters 14-27
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (<= n_1 0) (Sorted t 0 n_1 intP_intM_t_5)))))))

;; sel_sort_ensures_sorted_po_2, File "HOME/tests/c/selection_sort.c", line 61, characters 8-21
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0) (IMPLIES (EQ i_0 0) (Sorted t 0 i_0 intP_intM_t_5)))))))))

;; sel_sort_ensures_sorted_po_3, File "HOME/tests/c/selection_sort.c", line 62, characters 8-86
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(FORALL (intP_intM_t_5)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (k1)
(FORALL (k2)
(IMPLIES (AND (<= 0 k1) (AND (< k1 i_0) (AND (<= i_0 k2) (< k2 n_1))))
(<= (select intP_intM_t_5 (shift t k1)) (select intP_intM_t_5 (shift t k2))))))))))))))

;; sel_sort_ensures_sorted_po_4, File "HOME/tests/c/selection_sort.c", line 74, characters 11-22
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Sorted t 0 i_0_0 intP_intM_t_5_0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1) (AND (< k1 i_0_0) (AND (<= i_0_0 k2) (< k2 n_1))))
         (<= (select intP_intM_t_5_0 (shift t k1)) (select
                                                   intP_intM_t_5_0 (shift
                                                                   t k2))))))
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5_0 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(EQ mv (select intP_intM_t_5_0 (shift t mi)))))))))))))))))))))))

;; sel_sort_ensures_sorted_po_5, File "HOME/tests/c/selection_sort.c", line 75, characters 11-57
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Sorted t 0 i_0_0 intP_intM_t_5_0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1) (AND (< k1 i_0_0) (AND (<= i_0_0 k2) (< k2 n_1))))
         (<= (select intP_intM_t_5_0 (shift t k1)) (select
                                                   intP_intM_t_5_0 (shift
                                                                   t k2))))))
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5_0 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (k_0)
(IMPLIES (AND (<= i_0_0 k_0) (< k_0 j_0_0))
(>= (select intP_intM_t_5_0 (shift t k_0)) mv)))))))))))))))))))))))

;; sel_sort_ensures_sorted_po_6, File "HOME/tests/c/selection_sort.c", line 74, characters 11-22
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Sorted t 0 i_0_0 intP_intM_t_5_0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1) (AND (< k1 i_0_0) (AND (<= i_0_0 k2) (< k2 n_1))))
         (<= (select intP_intM_t_5_0 (shift t k1)) (select
                                                   intP_intM_t_5_0 (shift
                                                                   t k2))))))
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5_0 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (EQ mv0 (select intP_intM_t_5_0 (shift t mi0)))
         (FORALL (k_0)
         (IMPLIES (AND (<= i_0_0 k_0) (< k_0 j_0_0_0))
         (>= (select intP_intM_t_5_0 (shift t k_0)) mv0))))
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t j_0_0_0)))
(IMPLIES (< result0 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_0_0_0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_5_0 (shift t j_0_0_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result1)
(FORALL (j_0_0_1)
(IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1))
(EQ mv1 (select intP_intM_t_5_0 (shift t mi1))))))))))))))))))))))))))))))))))))))))

;; sel_sort_ensures_sorted_po_7, File "HOME/tests/c/selection_sort.c", line 75, characters 11-57
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Sorted t 0 i_0_0 intP_intM_t_5_0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1) (AND (< k1 i_0_0) (AND (<= i_0_0 k2) (< k2 n_1))))
         (<= (select intP_intM_t_5_0 (shift t k1)) (select
                                                   intP_intM_t_5_0 (shift
                                                                   t k2))))))
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5_0 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (EQ mv0 (select intP_intM_t_5_0 (shift t mi0)))
         (FORALL (k_0)
         (IMPLIES (AND (<= i_0_0 k_0) (< k_0 j_0_0_0))
         (>= (select intP_intM_t_5_0 (shift t k_0)) mv0))))
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t j_0_0_0)))
(IMPLIES (< result0 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_0_0_0)
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_5_0 (shift t j_0_0_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result1)
(FORALL (j_0_0_1)
(IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1))
(FORALL (k_0)
(IMPLIES (AND (<= i_0_0 k_0) (< k_0 j_0_0_1))
(>= (select intP_intM_t_5_0 (shift t k_0)) mv1))))))))))))))))))))))))))))))))))))))))

;; sel_sort_ensures_sorted_po_8, File "HOME/tests/c/selection_sort.c", line 75, characters 11-57
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Sorted t 0 i_0_0 intP_intM_t_5_0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1) (AND (< k1 i_0_0) (AND (<= i_0_0 k2) (< k2 n_1))))
         (<= (select intP_intM_t_5_0 (shift t k1)) (select
                                                   intP_intM_t_5_0 (shift
                                                                   t k2))))))
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5_0 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (EQ mv0 (select intP_intM_t_5_0 (shift t mi0)))
         (FORALL (k_0)
         (IMPLIES (AND (<= i_0_0 k_0) (< k_0 j_0_0_0))
         (>= (select intP_intM_t_5_0 (shift t k_0)) mv0))))
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5_0 (shift t j_0_0_0)))
(IMPLIES (>= result0 mv0)
(FORALL (j_0_0_1)
(IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1))
(FORALL (k_0)
(IMPLIES (AND (<= i_0_0 k_0) (< k_0 j_0_0_1))
(>= (select intP_intM_t_5_0 (shift t k_0)) mv0))))))))))))))))))))))))))))))))))

;; sel_sort_ensures_sorted_po_9, File "HOME/tests/c/selection_sort.c", line 61, characters 8-21
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Sorted t 0 i_0_0 intP_intM_t_5_0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1) (AND (< k1 i_0_0) (AND (<= i_0_0 k2) (< k2 n_1))))
         (<= (select intP_intM_t_5_0 (shift t k1)) (select
                                                   intP_intM_t_5_0 (shift
                                                                   t k2))))))
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5_0 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (EQ mv0 (select intP_intM_t_5_0 (shift t mi0)))
         (FORALL (k_0)
         (IMPLIES (AND (<= i_0_0 k_0) (< k_0 j_0_0_0))
         (>= (select intP_intM_t_5_0 (shift t k_0)) mv0))))
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (>= j_0_0_0 n_1)
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 mi0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) mi0 mi0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t 0 (- n_1 1) intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1)) (Sorted t 0 i_0_1 intP_intM_t_5_1))))))))))))))))))))))))))))))))

;; sel_sort_ensures_sorted_po_10, File "HOME/tests/c/selection_sort.c", line 62, characters 8-86
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Sorted t 0 i_0_0 intP_intM_t_5_0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1) (AND (< k1 i_0_0) (AND (<= i_0_0 k2) (< k2 n_1))))
         (<= (select intP_intM_t_5_0 (shift t k1)) (select
                                                   intP_intM_t_5_0 (shift
                                                                   t k2))))))
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5_0 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES (AND (EQ mv0 (select intP_intM_t_5_0 (shift t mi0)))
         (FORALL (k_0)
         (IMPLIES (AND (<= i_0_0 k_0) (< k_0 j_0_0_0))
         (>= (select intP_intM_t_5_0 (shift t k_0)) mv0))))
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (>= j_0_0_0 n_1)
(FORALL (intP_intM_t_5_1)
(IMPLIES (AND (Swap t i_0_0 mi0 intP_intM_t_5_1 intP_intM_t_5_0)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5_0 intP_intM_t_5_1 (pset_union
                                                              (pset_range
                                                              (pset_singleton
                                                              t) mi0 mi0) 
                                                              (pset_range
                                                              (pset_singleton
                                                              t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t 0 (- n_1 1) intP_intM_t_5_1 intP_intM_t_5_0) |@true|)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1))
(FORALL (k1)
(FORALL (k2)
(IMPLIES (AND (<= 0 k1) (AND (< k1 i_0_1) (AND (<= i_0_1 k2) (< k2 n_1))))
(<= (select intP_intM_t_5_1 (shift t k1)) (select
                                          intP_intM_t_5_1 (shift t k2)))))))))))))))))))))))))))))))))))))

;; sel_sort_ensures_sorted_po_11, File "HOME/tests/c/selection_sort.c", line 50, characters 14-27
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Sorted t 0 i_0_0 intP_intM_t_5_0)
         (FORALL (k1 k2)
         (IMPLIES
         (AND (<= 0 k1) (AND (< k1 i_0_0) (AND (<= i_0_0 k2) (< k2 n_1))))
         (<= (select intP_intM_t_5_0 (shift t k1)) (select
                                                   intP_intM_t_5_0 (shift
                                                                   t k2))))))
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (>= i_0_0 (- n_1 1)) (Sorted t 0 n_1 intP_intM_t_5_0)))))))))))))

;; sel_sort_safety_po_1, File "HOME/tests/c/selection_sort.c", line 70, characters 9-13
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1)) (<= (offset_min intP_t_5_alloc_table t) i_0_0))))))))))))

;; sel_sort_safety_po_2, File "HOME/tests/c/selection_sort.c", line 70, characters 9-13
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1)) (<= i_0_0 (offset_max intP_t_5_alloc_table t)))))))))))))

;; sel_sort_safety_po_3, File "HOME/tests/c/selection_sort.c", line 82, characters 10-14
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1) (<= (offset_min intP_t_5_alloc_table t) j_0_0_0)))))))))))))))))))))))))))

;; sel_sort_safety_po_4, File "HOME/tests/c/selection_sort.c", line 82, characters 10-14
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1) (<= j_0_0_0 (offset_max intP_t_5_alloc_table t))))))))))))))))))))))))))))

;; sel_sort_safety_po_5, File "HOME/tests/c/selection_sort.c", line 79, characters 21-24
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) j_0_0_0)
         (<= j_0_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5 (shift t j_0_0_0)))
(IMPLIES (< result0 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_0_0_0)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) j_0_0_0)
         (<= j_0_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_5 (shift t j_0_0_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result1)
(FORALL (j_0_0_1)
(IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1)) (<= 0 (- n_1 j_0_0_0))))))))))))))))))))))))))))))))))))))))))

;; sel_sort_safety_po_6, File "HOME/tests/c/selection_sort.c", line 79, characters 21-24
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) j_0_0_0)
         (<= j_0_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5 (shift t j_0_0_0)))
(IMPLIES (< result0 mv0)
(FORALL (mi1)
(IMPLIES (EQ mi1 j_0_0_0)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) j_0_0_0)
         (<= j_0_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result1)
(IMPLIES (EQ result1 (select intP_intM_t_5 (shift t j_0_0_0)))
(FORALL (mv1)
(IMPLIES (EQ mv1 result1)
(FORALL (j_0_0_1)
(IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1)) (< (- n_1 j_0_0_1) (- n_1 j_0_0_0))))))))))))))))))))))))))))))))))))))))))

;; sel_sort_safety_po_7, File "HOME/tests/c/selection_sort.c", line 79, characters 21-24
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) j_0_0_0)
         (<= j_0_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5 (shift t j_0_0_0)))
(IMPLIES (>= result0 mv0)
(FORALL (j_0_0_1)
(IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1)) (<= 0 (- n_1 j_0_0_0)))))))))))))))))))))))))))))))))))

;; sel_sort_safety_po_8, File "HOME/tests/c/selection_sort.c", line 79, characters 21-24
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(FORALL (mv0)
(IMPLIES TRUE
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (< j_0_0_0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) j_0_0_0)
         (<= j_0_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_5 (shift t j_0_0_0)))
(IMPLIES (>= result0 mv0)
(FORALL (j_0_0_1)
(IMPLIES (EQ j_0_0_1 (+ j_0_0_0 1)) (< (- n_1 j_0_0_1) (- n_1 j_0_0_0)))))))))))))))))))))))))))))))))))

;; sel_sort_safety_po_9, File "HOME/tests/c/selection_sort.c", line 87, characters 4-16
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (>= j_0_0_0 n_1) (>= (offset_max intP_t_5_alloc_table t) i_0_0)))))))))))))))))))))))))))

;; sel_sort_safety_po_10, File "HOME/tests/c/selection_sort.c", line 87, characters 4-16
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (>= j_0_0_0 n_1) (<= (offset_min intP_t_5_alloc_table t) mi0)))))))))))))))))))))))))))

;; sel_sort_safety_po_11, File "HOME/tests/c/selection_sort.c", line 87, characters 4-16
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (>= j_0_0_0 n_1) (>= (offset_max intP_t_5_alloc_table t) mi0)))))))))))))))))))))))))))

;; sel_sort_safety_po_12, File "HOME/tests/c/selection_sort.c", line 66, characters 19-22
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (>= j_0_0_0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (AND (>= (offset_max intP_t_5_alloc_table t) i_0_0)
         (AND (<= (offset_min intP_t_5_alloc_table t) mi0)
         (>= (offset_max intP_t_5_alloc_table t) mi0))))
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Swap t i_0_0 mi0 intP_intM_t_5_0 intP_intM_t_5)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_union
                                                            (pset_range
                                                            (pset_singleton
                                                            t) mi0 mi0) 
                                                            (pset_range
                                                            (pset_singleton
                                                            t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t 0 (- n_1 1) intP_intM_t_5_0 intP_intM_t_5) |@true|)
(FORALL (i_0_1) (IMPLIES (EQ i_0_1 (+ i_0_0 1)) (<= 0 (- n_1 i_0_0))))))))))))))))))))))))))))))))))

;; sel_sort_safety_po_13, File "HOME/tests/c/selection_sort.c", line 66, characters 19-22
(FORALL (t)
(FORALL (n_1)
(FORALL (intP_t_5_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) 0)
         (>= (offset_max intP_t_5_alloc_table t) (- n_1 1)))
(IMPLIES (> n_1 0)
(FORALL (i_0)
(IMPLIES (EQ i_0 0)
(FORALL (i_0_0)
(FORALL (intP_intM_t_5)
(IMPLIES TRUE
(IMPLIES (AND (<= 0 i_0_0) (< i_0_0 n_1))
(IMPLIES (< i_0_0 (- n_1 1))
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (<= i_0_0 (offset_max intP_t_5_alloc_table t)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_5 (shift t i_0_0)))
(FORALL (mv)
(IMPLIES (EQ mv result)
(FORALL (mi)
(IMPLIES (EQ mi i_0_0)
(FORALL (j_0_0)
(IMPLIES (EQ j_0_0 (+ i_0_0 1))
(FORALL (j_0_0_0)
(FORALL (mi0)
(IMPLIES TRUE
(IMPLIES (AND (< i_0_0 j_0_0_0) (AND (<= i_0_0 mi0) (< mi0 n_1)))
(IMPLIES (>= j_0_0_0 n_1)
(IMPLIES (AND (<= (offset_min intP_t_5_alloc_table t) i_0_0)
         (AND (>= (offset_max intP_t_5_alloc_table t) i_0_0)
         (AND (<= (offset_min intP_t_5_alloc_table t) mi0)
         (>= (offset_max intP_t_5_alloc_table t) mi0))))
(FORALL (intP_intM_t_5_0)
(IMPLIES (AND (Swap t i_0_0 mi0 intP_intM_t_5_0 intP_intM_t_5)
         (not_assigns
         intP_t_5_alloc_table intP_intM_t_5 intP_intM_t_5_0 (pset_union
                                                            (pset_range
                                                            (pset_singleton
                                                            t) mi0 mi0) 
                                                            (pset_range
                                                            (pset_singleton
                                                            t) i_0_0 i_0_0))))
(IMPLIES (EQ (Permut t 0 (- n_1 1) intP_intM_t_5_0 intP_intM_t_5) |@true|)
(FORALL (i_0_1)
(IMPLIES (EQ i_0_1 (+ i_0_0 1)) (< (- n_1 i_0_1) (- n_1 i_0_0))))))))))))))))))))))))))))))))))

;; swap_ensures_default_po_1, File "HOME/tests/c/selection_sort.c", line 40, characters 12-33
(FORALL (t_0)
(FORALL (i)
(FORALL (j)
(FORALL (intP_t_0_4_alloc_table)
(FORALL (intP_intM_t_0_4)
(IMPLIES (AND (<= (offset_min intP_t_0_4_alloc_table t_0) i)
         (AND (>= (offset_max intP_t_0_4_alloc_table t_0) i)
         (AND (<= (offset_min intP_t_0_4_alloc_table t_0) j)
         (>= (offset_max intP_t_0_4_alloc_table t_0) j))))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_0_4 (shift t_0 i)))
(FORALL (tmp)
(IMPLIES (EQ tmp result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_0_4 (shift t_0 j)))
(FORALL (intP_intM_t_0_4_0)
(IMPLIES (EQ intP_intM_t_0_4_0
         (|why__store| intP_intM_t_0_4 (shift t_0 i) result0))
(FORALL (intP_intM_t_0_4_1)
(IMPLIES (EQ intP_intM_t_0_4_1
         (|why__store| intP_intM_t_0_4_0 (shift t_0 j) tmp))
(Swap t_0 i j intP_intM_t_0_4_1 intP_intM_t_0_4)))))))))))))))))

;; swap_ensures_default_po_2, File "HOME/tests/c/selection_sort.c", line 42, characters 5-9
(FORALL (t_0)
(FORALL (i)
(FORALL (j)
(FORALL (intP_t_0_4_alloc_table)
(FORALL (intP_intM_t_0_4)
(IMPLIES (AND (<= (offset_min intP_t_0_4_alloc_table t_0) i)
         (AND (>= (offset_max intP_t_0_4_alloc_table t_0) i)
         (AND (<= (offset_min intP_t_0_4_alloc_table t_0) j)
         (>= (offset_max intP_t_0_4_alloc_table t_0) j))))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_0_4 (shift t_0 i)))
(FORALL (tmp)
(IMPLIES (EQ tmp result)
(FORALL (result0)
(IMPLIES (EQ result0 (select intP_intM_t_0_4 (shift t_0 j)))
(FORALL (intP_intM_t_0_4_0)
(IMPLIES (EQ intP_intM_t_0_4_0
         (|why__store| intP_intM_t_0_4 (shift t_0 i) result0))
(FORALL (intP_intM_t_0_4_1)
(IMPLIES (EQ intP_intM_t_0_4_1
         (|why__store| intP_intM_t_0_4_0 (shift t_0 j) tmp))
(not_assigns
intP_t_0_4_alloc_table intP_intM_t_0_4 intP_intM_t_0_4_1 (pset_union
                                                         (pset_range
                                                         (pset_singleton t_0) j j) 
                                                         (pset_range
                                                         (pset_singleton t_0) i i)))))))))))))))))))

;; swap_safety_po_1, File "HOME/tests/c/selection_sort.c", line 43, characters 12-16
(FORALL (t_0)
(FORALL (i)
(FORALL (j)
(FORALL (intP_t_0_4_alloc_table)
(IMPLIES (AND (<= (offset_min intP_t_0_4_alloc_table t_0) i)
         (AND (>= (offset_max intP_t_0_4_alloc_table t_0) i)
         (AND (<= (offset_min intP_t_0_4_alloc_table t_0) j)
         (>= (offset_max intP_t_0_4_alloc_table t_0) j))))
(<= i (offset_max intP_t_0_4_alloc_table t_0)))))))

;; swap_safety_po_2, File "HOME/tests/c/selection_sort.c", line 44, characters 9-13
(FORALL (t_0)
(FORALL (i)
(FORALL (j)
(FORALL (intP_t_0_4_alloc_table)
(FORALL (intP_intM_t_0_4)
(IMPLIES (AND (<= (offset_min intP_t_0_4_alloc_table t_0) i)
         (AND (>= (offset_max intP_t_0_4_alloc_table t_0) i)
         (AND (<= (offset_min intP_t_0_4_alloc_table t_0) j)
         (>= (offset_max intP_t_0_4_alloc_table t_0) j))))
(IMPLIES (AND (<= (offset_min intP_t_0_4_alloc_table t_0) i)
         (<= i (offset_max intP_t_0_4_alloc_table t_0)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_0_4 (shift t_0 i)))
(FORALL (tmp)
(IMPLIES (EQ tmp result) (<= (offset_min intP_t_0_4_alloc_table t_0) j))))))))))))

;; swap_safety_po_3, File "HOME/tests/c/selection_sort.c", line 44, characters 9-13
(FORALL (t_0)
(FORALL (i)
(FORALL (j)
(FORALL (intP_t_0_4_alloc_table)
(FORALL (intP_intM_t_0_4)
(IMPLIES (AND (<= (offset_min intP_t_0_4_alloc_table t_0) i)
         (AND (>= (offset_max intP_t_0_4_alloc_table t_0) i)
         (AND (<= (offset_min intP_t_0_4_alloc_table t_0) j)
         (>= (offset_max intP_t_0_4_alloc_table t_0) j))))
(IMPLIES (AND (<= (offset_min intP_t_0_4_alloc_table t_0) i)
         (<= i (offset_max intP_t_0_4_alloc_table t_0)))
(FORALL (result)
(IMPLIES (EQ result (select intP_intM_t_0_4 (shift t_0 i)))
(FORALL (tmp)
(IMPLIES (EQ tmp result) (<= j (offset_max intP_t_0_4_alloc_table t_0)))))))))))))

========== running Simplify ==========
Running Simplify on proof obligations
(. = valid * = invalid ? = unknown # = timeout ! = failure)
simplify/selection_sort_why.sx: .............................................. (46/0/0/0/0)
total   :  46
valid   :  46 (100%)
invalid :   0 (  0%)
unknown :   0 (  0%)
timeout :   0 (  0%)
failure :   0 (  0%)
why-2.34/tests/c/oracle/quick_sort.err.oracle0000644000175000017500000000062612311670312017613 0ustar  rtusersWarning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
Warning: recursive definition of Permut in generated file
why-2.34/tests/c/oracle/scalar_product.err.oracle0000644000175000017500000000000012311670312020417 0ustar  rtuserswhy-2.34/tests/c/oracle/cd1d.res.oracle0000644000175000017500000023263412311670312016252 0ustar  rtusers========== file tests/c/cd1d.c ==========
#define D 10.0
#define T 1.0

/*@ predicate conflict(real s, real v) =
      \exists real t; 0<=t<=T && s - t * v < D;
*/

/*@ predicate cd1d(real s, real v) = D + T * v > s ; */

/*@ lemma completeness: \forall real s, v; v >= 0.0 ==>
             conflict(s,v) ==> cd1d(s,v); */

#define eps 0x1p-49

#define Dp (D+eps)

/*@ requires 100.>=s>=0. && 1. >=v >= 0.;
       behavior completeness:
          assumes cd1d(s,v);
          ensures \result == 1;
 */
int cd1d_double(double s, double v) {
  return (Dp+T*v>s) ? 1 : 0;
}
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/cd1d.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/cd1d.jessie
[jessie] File tests/c/cd1d.jessie/cd1d.jc written.
[jessie] File tests/c/cd1d.jessie/cd1d.cloc written.
========== file tests/c/cd1d.jessie/cd1d.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate conflict(real s, real v) =
(\exists real t;
  (((0 <= t) && (t <= 1.0)) && ((s - (t * v)) < 10.0)))

predicate cd1d(real s_0, real v_0) =
((10.0 + (1.0 * v_0)) > s_0)

lemma completeness :
(\forall real s_1;
  (\forall real v_1;
    ((v_1 >= 0.0) ==> (conflict(s_1, v_1) ==> cd1d(s_1, v_1)))))

int32 cd1d_double(double s, double v)
  requires (_C_8 : (((_C_10 : (100. >= (s :> real))) &&
                      (_C_11 : ((s :> real) >= 0.))) &&
                     ((_C_13 : (1. >= (v :> real))) &&
                       (_C_14 : ((v :> real) >= 0.)))));
behavior default:
  ensures (_C_6 : true);
behavior completeness:
  assumes cd1d((s :> real), (v :> real));
  ensures (_C_7 : (\result == 1));
{  
   (var int32 tmp);
   
   {  (if ((_C_5 : ((_C_4 : ((10.0 :> double) + (0x1p-49 :> double))) +
                     (_C_3 : ((1.0 :> double) * v)))) >
            s) then (_C_2 : (tmp = 1)) else (_C_1 : (tmp = 0)));
      
      (return tmp)
   }
}
========== file tests/c/cd1d.jessie/cd1d.cloc ==========
[_C_4]
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 11
end = 24

[completeness]
name = "Lemma completeness"
file = "HOME/tests/c/cd1d.c"
line = 10
begin = 4
end = 97

[_C_13]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 28
end = 34

[_C_5]
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 10
end = 31

[_C_12]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 28
end = 40

[_C_9]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 13
end = 24

[_C_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[cd1d_double]
name = "Function cd1d_double"
file = "HOME/tests/c/cd1d.c"
line = 22
begin = 4
end = 15

[_C_3]
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 26
end = 31

[_C_7]
file = "HOME/tests/c/cd1d.c"
line = 20
begin = 18
end = 30

[_C_10]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 13
end = 20

[_C_8]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 13
end = 40

[_C_14]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 33
end = 40

[_C_2]
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 32
end = 33

[_C_1]
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 32
end = 33

[_C_11]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 19
end = 24

========== jessie execution ==========
Generating Why function cd1d_double
========== file tests/c/cd1d.jessie/cd1d.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs cd1d.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs cd1d.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/cd1d_why.sx

project: why/cd1d.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/cd1d_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/cd1d_why.vo

coq/cd1d_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/cd1d_why.v: why/cd1d.why
	@echo 'why -coq [...] why/cd1d.why' && $(WHY) $(JESSIELIBFILES) why/cd1d.why && rm -f coq/jessie_why.v

coq-goals: goals coq/cd1d_ctx_why.vo
	for f in why/*_po*.why; do make -f cd1d.makefile coq/`basename $$f .why`_why.v ; done

coq/cd1d_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/cd1d_ctx_why.v: why/cd1d_ctx.why
	@echo 'why -coq [...] why/cd1d_ctx.why' && $(WHY) why/cd1d_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export cd1d_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/cd1d_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/cd1d_ctx_why.vo

pvs: pvs/cd1d_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/cd1d_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/cd1d_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/cd1d_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/cd1d_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/cd1d_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/cd1d_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/cd1d_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/cd1d_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/cd1d_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/cd1d_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/cd1d_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/cd1d_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/cd1d_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/cd1d_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: cd1d.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/cd1d_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: cd1d.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: cd1d.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: cd1d.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include cd1d.depend

depend: coq/cd1d_why.v
	-$(COQDEP) -I coq coq/cd1d*_why.v > cd1d.depend

clean:
	rm -f coq/*.vo

========== file tests/c/cd1d.jessie/cd1d.loc ==========
[JC_17]
file = "HOME/tests/c/cd1d.c"
line = 20
begin = 18
end = 30

[JC_23]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 11
end = 24

[JC_22]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 10
end = 31

[JC_5]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 13
end = 40

[JC_9]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 28
end = 34

[completeness]
name = "Lemma completeness"
behavior = "lemma"
file = "HOME/tests/c/cd1d.c"
line = 10
begin = 4
end = 97

[JC_24]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 26
end = 31

[JC_25]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 10
end = 31

[JC_26]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 11
end = 24

[JC_8]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 19
end = 24

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 13
end = 40

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 26
end = 31

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 33
end = 40

[cd1d_double_ensures_default]
name = "Function cd1d_double"
behavior = "default behavior"
file = "HOME/tests/c/cd1d.c"
line = 22
begin = 4
end = 15

[cd1d_double_safety]
name = "Function cd1d_double"
behavior = "Safety"
file = "HOME/tests/c/cd1d.c"
line = 22
begin = 4
end = 15

[JC_7]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 13
end = 20

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_2]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 19
end = 24

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 26
end = 31

[cd1d_double_ensures_completeness]
name = "Function cd1d_double"
behavior = "Behavior `completeness'"
file = "HOME/tests/c/cd1d.c"
line = 22
begin = 4
end = 15

[JC_1]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 13
end = 20

[JC_10]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 33
end = 40

[JC_20]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 11
end = 24

[JC_18]
file = "HOME/tests/c/cd1d.c"
line = 20
begin = 18
end = 30

[JC_3]
file = "HOME/tests/c/cd1d.c"
line = 17
begin = 28
end = 34

[JC_19]
kind = FPOverflow
file = "HOME/tests/c/cd1d.jessie/cd1d.jc"
line = 61
begin = 48
end = 67

[JC_28]
kind = FPOverflow
file = "HOME/tests/c/cd1d.c"
line = 23
begin = 10
end = 31

========== file tests/c/cd1d.jessie/why/cd1d.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

predicate cd1d(s_0_0:real, v_0:real) =
 gt_real(add_real(10.0, mul_real(1.0, v_0)), s_0_0)

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate conflict(s_0:real, v:real) =
 (exists t:real.
  (le_real(0.0, t)
  and (le_real(t, 1.0) and lt_real(sub_real(s_0, mul_real(t, v)), 10.0))))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma completeness :
 (forall s_1_0:real.
  (forall v_1_0:real.
   (ge_real(v_1_0, 0.0) -> (conflict(s_1_0, v_1_0) -> cd1d(s_1_0, v_1_0)))))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter cd1d_double :
 s_1:double ->
  v_1:double ->
   { } int32
   { (cd1d(double_value(s_1), double_value(v_1)) ->
      (JC_18: (integer_of_int32(result) = (1)))) }

parameter cd1d_double_requires :
 s_1:double ->
  v_1:double ->
   { (JC_5:
     ((JC_1: ge_real(100., double_value(s_1)))
     and ((JC_2: ge_real(double_value(s_1), 0.))
         and ((JC_3: ge_real(1., double_value(v_1)))
             and (JC_4: ge_real(double_value(v_1), 0.))))))}
   int32
   { (cd1d(double_value(s_1), double_value(v_1)) ->
      (JC_18: (integer_of_int32(result) = (1)))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let cd1d_double_ensures_completeness =
 fun (s_1 : double) (v_1 : double) ->
  { (cd1d(double_value(s_1), double_value(v_1))
    and (JC_11:
        ((JC_7: ge_real(100., double_value(s_1)))
        and ((JC_8: ge_real(double_value(s_1), 0.))
            and ((JC_9: ge_real(1., double_value(v_1)))
                and (JC_10: ge_real(double_value(v_1), 0.))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((gt_double_ (JC_28:
                        (((add_double_safe nearest_even) (JC_26:
                                                         (((add_double_safe nearest_even) 
                                                           (double_of_real_exact 10.0)) 
                                                          ((double_of_real_safe nearest_even) 0x1p-49)))) 
                         (JC_27:
                         (((mul_double_safe nearest_even) (double_of_real_exact 1.0)) v_1))))) s_1)
       then begin   (tmp := (safe_int32_of_integer_ (1))); !tmp end
       else begin   (tmp := (safe_int32_of_integer_ (0))); !tmp end) in void);
      (return := !tmp); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_17: (integer_of_int32(result) = (1))) }

let cd1d_double_ensures_default =
 fun (s_1 : double) (v_1 : double) ->
  { (JC_11:
    ((JC_7: ge_real(100., double_value(s_1)))
    and ((JC_8: ge_real(double_value(s_1), 0.))
        and ((JC_9: ge_real(1., double_value(v_1)))
            and (JC_10: ge_real(double_value(v_1), 0.)))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((gt_double_ (JC_25:
                        (((add_double_safe nearest_even) (JC_23:
                                                         (((add_double_safe nearest_even) 
                                                           (double_of_real_exact 10.0)) 
                                                          ((double_of_real_safe nearest_even) 0x1p-49)))) 
                         (JC_24:
                         (((mul_double_safe nearest_even) (double_of_real_exact 1.0)) v_1))))) s_1)
       then begin   (tmp := (safe_int32_of_integer_ (1))); !tmp end
       else begin   (tmp := (safe_int32_of_integer_ (0))); !tmp end) in void);
      (return := !tmp); (raise Return) end); absurd  end with Return ->
   !return end)) { (JC_13: true) }

let cd1d_double_safety =
 fun (s_1 : double) (v_1 : double) ->
  { (JC_11:
    ((JC_7: ge_real(100., double_value(s_1)))
    and ((JC_8: ge_real(double_value(s_1), 0.))
        and ((JC_9: ge_real(1., double_value(v_1)))
            and (JC_10: ge_real(double_value(v_1), 0.)))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let tmp = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (if ((gt_double_ (JC_22:
                        (((add_double nearest_even) (JC_20:
                                                    (((add_double nearest_even) 
                                                      (double_of_real_exact 10.0)) 
                                                     (JC_19:
                                                     ((double_of_real nearest_even) 0x1p-49))))) 
                         (JC_21:
                         (((mul_double nearest_even) (double_of_real_exact 1.0)) v_1))))) s_1)
       then begin   (tmp := (safe_int32_of_integer_ (1))); !tmp end
       else begin   (tmp := (safe_int32_of_integer_ (0))); !tmp end) in void);
      (return := !tmp); (raise Return) end); absurd  end with Return ->
   !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/cd1d.why
========== file tests/c/cd1d.jessie/why/cd1d_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

predicate cd1d(s_0_0: real, v_0: real) = ((10.0 + (1.0 * v_0)) > s_0_0)

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

predicate conflict(s_0: real, v: real) =
  (exists t:real. ((0.0 <= t) and ((t <= 1.0) and ((s_0 - (t * v)) < 10.0))))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal completeness:
  (forall s_1_0:real.
    (forall v_1_0:real.
      ((v_1_0 >= 0.0) -> (conflict(s_1_0, v_1_0) -> cd1d(s_1_0, v_1_0)))))

axiom completeness_as_axiom:
  (forall s_1_0:real.
    (forall v_1_0:real.
      ((v_1_0 >= 0.0) -> (conflict(s_1_0, v_1_0) -> cd1d(s_1_0, v_1_0)))))

goal cd1d_double_ensures_completeness_po_1:
  forall s_1:double.
  forall v_1:double.
  (cd1d(double_value(s_1), double_value(v_1)) and
   ("JC_11":
   (("JC_7": (100. >= double_value(s_1))) and
    (("JC_8": (double_value(s_1) >= 0.)) and
     (("JC_9": (1. >= double_value(v_1))) and
      ("JC_10": (double_value(v_1) >= 0.))))))) ->
  forall result:double.
  ((double_value(result) = 10.0) and
   ((double_exact(result) = 10.0) and (double_model(result) = 10.0))) ->
  forall result0:double.
  double_of_real_post(nearest_even, 0x1.p-49, result0) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  forall result2:double.
  ((double_value(result2) = 1.0) and
   ((double_exact(result2) = 1.0) and (double_model(result2) = 1.0))) ->
  forall result3:double.
  mul_double_post(nearest_even, result2, v_1, result3) ->
  forall result4:double.
  add_double_post(nearest_even, result1, result3, result4) ->
  (double_value(result4) > double_value(s_1)) ->
  forall result5:int32.
  (integer_of_int32(result5) = 1) ->
  forall tmp:int32.
  (tmp = result5) ->
  forall return:int32.
  (return = tmp) ->
  ("JC_17": (integer_of_int32(return) = 1))

goal cd1d_double_ensures_completeness_po_2:
  forall s_1:double.
  forall v_1:double.
  (cd1d(double_value(s_1), double_value(v_1)) and
   ("JC_11":
   (("JC_7": (100. >= double_value(s_1))) and
    (("JC_8": (double_value(s_1) >= 0.)) and
     (("JC_9": (1. >= double_value(v_1))) and
      ("JC_10": (double_value(v_1) >= 0.))))))) ->
  forall result:double.
  ((double_value(result) = 10.0) and
   ((double_exact(result) = 10.0) and (double_model(result) = 10.0))) ->
  forall result0:double.
  double_of_real_post(nearest_even, 0x1.p-49, result0) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  forall result2:double.
  ((double_value(result2) = 1.0) and
   ((double_exact(result2) = 1.0) and (double_model(result2) = 1.0))) ->
  forall result3:double.
  mul_double_post(nearest_even, result2, v_1, result3) ->
  forall result4:double.
  add_double_post(nearest_even, result1, result3, result4) ->
  (double_value(result4) <= double_value(s_1)) ->
  forall result5:int32.
  (integer_of_int32(result5) = 0) ->
  forall tmp:int32.
  (tmp = result5) ->
  forall return:int32.
  (return = tmp) ->
  ("JC_17": (integer_of_int32(return) = 1))

goal cd1d_double_safety_po_1:
  forall s_1:double.
  forall v_1:double.
  ("JC_11":
  (("JC_7": (100. >= double_value(s_1))) and
   (("JC_8": (double_value(s_1) >= 0.)) and
    (("JC_9": (1. >= double_value(v_1))) and
     ("JC_10": (double_value(v_1) >= 0.)))))) ->
  forall result:double.
  ((double_value(result) = 10.0) and
   ((double_exact(result) = 10.0) and (double_model(result) = 10.0))) ->
  no_overflow_double(nearest_even, 0x1.p-49)

goal cd1d_double_safety_po_2:
  forall s_1:double.
  forall v_1:double.
  ("JC_11":
  (("JC_7": (100. >= double_value(s_1))) and
   (("JC_8": (double_value(s_1) >= 0.)) and
    (("JC_9": (1. >= double_value(v_1))) and
     ("JC_10": (double_value(v_1) >= 0.)))))) ->
  forall result:double.
  ((double_value(result) = 10.0) and
   ((double_exact(result) = 10.0) and (double_model(result) = 10.0))) ->
  no_overflow_double(nearest_even, 0x1.p-49) ->
  forall result0:double.
  double_of_real_post(nearest_even, 0x1.p-49, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0)))

goal cd1d_double_safety_po_3:
  forall s_1:double.
  forall v_1:double.
  ("JC_11":
  (("JC_7": (100. >= double_value(s_1))) and
   (("JC_8": (double_value(s_1) >= 0.)) and
    (("JC_9": (1. >= double_value(v_1))) and
     ("JC_10": (double_value(v_1) >= 0.)))))) ->
  forall result:double.
  ((double_value(result) = 10.0) and
   ((double_exact(result) = 10.0) and (double_model(result) = 10.0))) ->
  no_overflow_double(nearest_even, 0x1.p-49) ->
  forall result0:double.
  double_of_real_post(nearest_even, 0x1.p-49, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  forall result2:double.
  ((double_value(result2) = 1.0) and
   ((double_exact(result2) = 1.0) and (double_model(result2) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(result2) * double_value(v_1)))

goal cd1d_double_safety_po_4:
  forall s_1:double.
  forall v_1:double.
  ("JC_11":
  (("JC_7": (100. >= double_value(s_1))) and
   (("JC_8": (double_value(s_1) >= 0.)) and
    (("JC_9": (1. >= double_value(v_1))) and
     ("JC_10": (double_value(v_1) >= 0.)))))) ->
  forall result:double.
  ((double_value(result) = 10.0) and
   ((double_exact(result) = 10.0) and (double_model(result) = 10.0))) ->
  no_overflow_double(nearest_even, 0x1.p-49) ->
  forall result0:double.
  double_of_real_post(nearest_even, 0x1.p-49, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  forall result2:double.
  ((double_value(result2) = 1.0) and
   ((double_exact(result2) = 1.0) and (double_model(result2) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(result2) * double_value(v_1))) ->
  forall result3:double.
  mul_double_post(nearest_even, result2, v_1, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result1) + double_value(result3)))

why-2.34/tests/c/oracle/heap_sort.err.oracle0000644000175000017500000000000012311670312017376 0ustar  rtuserswhy-2.34/tests/c/oracle/array_max.err.oracle0000644000175000017500000000000012311670312017375 0ustar  rtuserswhy-2.34/tests/c/oracle/float_array.err.oracle0000644000175000017500000000000012311670312017715 0ustar  rtuserswhy-2.34/tests/c/oracle/float_array.res.oracle0000644000175000017500000036324712311670312017747 0ustar  rtusers========== file tests/c/float_array.c ==========
#define EPS1 0x1p-53
#define UPPER 0x1p0
#define n 10

//@ predicate bounded(real z, real bound) = \abs(z) <= bound;

double x;

/*@
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(x - (d + 1.0)) <= EPS1;
  @ ensures \round_error(x) <= EPS1;
*/
void AffectDoubleDansX(double d) {
        x=d+1.0;
}

/*@
  @ requires \valid_range(X,0,n);
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(X[1] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[1]) <= EPS1;
  @ ensures \abs(X[2] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[2]) <= EPS1;
*/
void AffectDoubleDansTab(double d, double X[]) {
        X[1]=d+1.0;
        X[2]=d+1.0;
        // assert X[1] == \round_double(\NearestEven,d+1.0);
}

/*@
  @ requires \valid_range(X,0,n);
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(X[1] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[1]) <= EPS1;
*/
void AffectDoubleDansTab1(double d, double X[]) {
        X[1]=d+1.0;
}

/*@
  @ requires \valid_range(X,0,n);
  @ requires bounded(d, UPPER);
  @ requires \round_error(d) == 0;
  @
  @ ensures \abs(X[0] - (d + 1.0)) <= EPS1;
  @ ensures \round_error(X[0]) <= EPS1;
*/
void AffectDoubleDansTab0(double d, double X[]) {
        X[0]=d+1.0;
        //@ assert X[0] == \round_double(\NearestEven,d+1.0);
        //@ assert \exact(X[0]) == d+1.0;
}
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/float_array.c"
tests/c/float_array.c:21:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
tests/c/float_array.c:37:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
tests/c/float_array.c:49:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/float_array.jessie
[jessie] File tests/c/float_array.jessie/float_array.jc written.
[jessie] File tests/c/float_array.jessie/float_array.cloc written.
========== file tests/c/float_array.jessie/float_array.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag doubleP = {
  double doubleM: 64;
}

type doubleP = [doubleP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate bounded(real z, real bound) =
(\real_abs(z) <= bound)

double x;

unit AffectDoubleDansX(double d_2)
  requires (_C_7 : bounded((d_2 :> real), 0x1p0));
  requires (_C_6 : (\double_round_error(d_2) == 0));
behavior default:
  ensures (_C_3 : ((_C_4 : (\real_abs(((x :> real) -
                                        ((\at(d_2,Old) :> real) + 1.0))) <=
                             0x1p-53)) &&
                    (_C_5 : (\double_round_error(x) <= 0x1p-53))));
{  
   {  (_C_2 : (x = (_C_1 : (d_2 + (1.0 :> double)))));
      
      (return ())
   }
}

unit AffectDoubleDansTab(double d, doubleP[..] X)
  requires (_C_25 : ((_C_26 : (\offset_min(X) <= 0)) &&
                      (_C_27 : (\offset_max(X) >= 10))));
  requires (_C_24 : bounded((d :> real), 0x1p0));
  requires (_C_23 : (\double_round_error(d) == 0));
behavior default:
  ensures (_C_16 : ((_C_17 : (\real_abs((((\at(X,Old) + 1).doubleM :> real) -
                                          ((\at(d,Old) :> real) + 1.0))) <=
                               0x1p-53)) &&
                     ((_C_19 : (\double_round_error((\at(X,Old) + 1).doubleM) <=
                                 0x1p-53)) &&
                       ((_C_21 : (\real_abs((((\at(X,Old) + 2).doubleM :> real) -
                                              ((\at(d,Old) :> real) + 1.0))) <=
                                   0x1p-53)) &&
                         (_C_22 : (\double_round_error((\at(X,Old) + 2).doubleM) <=
                                    0x1p-53))))));
{  
   {  (_C_11 : ((_C_10 : (_C_9 : (X + 1)).doubleM) = (_C_8 : (d +
                                                               (1.0 :> double)))));
      (_C_15 : ((_C_14 : (_C_13 : (X + 2)).doubleM) = (_C_12 : (d +
                                                                 (1.0 :> double)))));
      
      (return ())
   }
}

unit AffectDoubleDansTab1(double d_1, doubleP[..] X_1)
  requires (_C_37 : ((_C_38 : (\offset_min(X_1) <= 0)) &&
                      (_C_39 : (\offset_max(X_1) >= 10))));
  requires (_C_36 : bounded((d_1 :> real), 0x1p0));
  requires (_C_35 : (\double_round_error(d_1) == 0));
behavior default:
  ensures (_C_32 : ((_C_33 : (\real_abs((((\at(X_1,Old) + 1).doubleM :> real) -
                                          ((\at(d_1,Old) :> real) + 1.0))) <=
                               0x1p-53)) &&
                     (_C_34 : (\double_round_error((\at(X_1,Old) + 1).doubleM) <=
                                0x1p-53))));
{  
   {  (_C_31 : ((_C_30 : (_C_29 : (X_1 + 1)).doubleM) = (_C_28 : (d_1 +
                                                                   (1.0 :> double)))));
      
      (return ())
   }
}

unit AffectDoubleDansTab0(double d_0, doubleP[..] X_0)
  requires (_C_51 : ((_C_52 : (\offset_min(X_0) <= 0)) &&
                      (_C_53 : (\offset_max(X_0) >= 10))));
  requires (_C_50 : bounded((d_0 :> real), 0x1p0));
  requires (_C_49 : (\double_round_error(d_0) == 0));
behavior default:
  ensures (_C_46 : ((_C_47 : (\real_abs((((\at(X_0,Old) + 0).doubleM :> real) -
                                          ((\at(d_0,Old) :> real) + 1.0))) <=
                               0x1p-53)) &&
                     (_C_48 : (\double_round_error((\at(X_0,Old) + 0).doubleM) <=
                                0x1p-53))));
{  
   {  (_C_43 : ((_C_42 : (_C_41 : (X_0 + 0)).doubleM) = (_C_40 : (d_0 +
                                                                   (1.0 :> double)))));
      
      {  
         (assert for default: (_C_44 : (jessie : (((X_0 + 0).doubleM :> real) ==
                                                   (\round_double(\NearestEven(
                                                                  ),
                                                                  ((d_0 :> real) +
                                                                    1.0)) :> real)))));
         ()
      };
      
      {  
         (assert for default: (_C_45 : (jessie : (\double_exact((X_0 + 0).doubleM) ==
                                                   ((d_0 :> real) + 1.0)))));
         ()
      };
      
      (return ())
   }
}
========== file tests/c/float_array.jessie/float_array.cloc ==========
[_C_52]
file = "HOME/tests/c/float_array.c"
line = 49
begin = 13
end = 33

[_C_35]
file = "HOME/tests/c/float_array.c"
line = 39
begin = 13
end = 33

[_C_28]
file = "HOME/tests/c/float_array.c"
line = 45
begin = 13
end = 18

[_C_48]
file = "HOME/tests/c/float_array.c"
line = 54
begin = 12
end = 41

[_C_51]
file = "HOME/tests/c/float_array.c"
line = 49
begin = 13
end = 33

[_C_31]
file = "HOME/tests/c/float_array.c"
line = 45
begin = 13
end = 18

[_C_41]
file = "HOME/tests/c/float_array.c"
line = 57
begin = 8
end = 9

[_C_4]
file = "HOME/tests/c/float_array.c"
line = 13
begin = 12
end = 42

[_C_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_23]
file = "HOME/tests/c/float_array.c"
line = 23
begin = 13
end = 33

[_C_19]
file = "HOME/tests/c/float_array.c"
line = 26
begin = 12
end = 41

[AffectDoubleDansX]
name = "Function AffectDoubleDansX"
file = "HOME/tests/c/float_array.c"
line = 16
begin = 5
end = 22

[_C_42]
file = "HOME/tests/c/float_array.c"
line = 57
begin = 13
end = 18

[AffectDoubleDansTab1]
name = "Function AffectDoubleDansTab1"
file = "HOME/tests/c/float_array.c"
line = 44
begin = 5
end = 25

[_C_13]
file = "HOME/tests/c/float_array.c"
line = 32
begin = 8
end = 9

[_C_5]
file = "HOME/tests/c/float_array.c"
line = 14
begin = 12
end = 38

[_C_36]
file = "HOME/tests/c/float_array.c"
line = 38
begin = 13
end = 30

[_C_12]
file = "HOME/tests/c/float_array.c"
line = 32
begin = 13
end = 18

[_C_33]
file = "HOME/tests/c/float_array.c"
line = 41
begin = 12
end = 45

[_C_22]
file = "HOME/tests/c/float_array.c"
line = 28
begin = 12
end = 41

[_C_9]
file = "HOME/tests/c/float_array.c"
line = 31
begin = 8
end = 9

[_C_30]
file = "HOME/tests/c/float_array.c"
line = 45
begin = 13
end = 18

[_C_6]
file = "HOME/tests/c/float_array.c"
line = 11
begin = 13
end = 33

[_C_49]
file = "HOME/tests/c/float_array.c"
line = 51
begin = 13
end = 33

[_C_24]
file = "HOME/tests/c/float_array.c"
line = 22
begin = 13
end = 30

[_C_45]
file = "HOME/tests/c/float_array.c"
line = 59
begin = 19
end = 40

[_C_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_38]
file = "HOME/tests/c/float_array.c"
line = 37
begin = 13
end = 33

[AffectDoubleDansTab]
name = "Function AffectDoubleDansTab"
file = "HOME/tests/c/float_array.c"
line = 30
begin = 5
end = 24

[_C_3]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_17]
file = "HOME/tests/c/float_array.c"
line = 25
begin = 12
end = 45

[_C_7]
file = "HOME/tests/c/float_array.c"
line = 10
begin = 13
end = 30

[_C_27]
file = "HOME/tests/c/float_array.c"
line = 21
begin = 13
end = 33

[_C_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_44]
file = "HOME/tests/c/float_array.c"
line = 58
begin = 19
end = 60

[_C_15]
file = "HOME/tests/c/float_array.c"
line = 32
begin = 13
end = 18

[_C_26]
file = "HOME/tests/c/float_array.c"
line = 21
begin = 13
end = 33

[_C_47]
file = "HOME/tests/c/float_array.c"
line = 53
begin = 12
end = 45

[_C_10]
file = "HOME/tests/c/float_array.c"
line = 31
begin = 13
end = 18

[_C_53]
file = "HOME/tests/c/float_array.c"
line = 49
begin = 13
end = 33

[_C_40]
file = "HOME/tests/c/float_array.c"
line = 57
begin = 13
end = 18

[_C_8]
file = "HOME/tests/c/float_array.c"
line = 31
begin = 13
end = 18

[_C_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_29]
file = "HOME/tests/c/float_array.c"
line = 45
begin = 8
end = 9

[_C_14]
file = "HOME/tests/c/float_array.c"
line = 32
begin = 13
end = 18

[_C_50]
file = "HOME/tests/c/float_array.c"
line = 50
begin = 13
end = 30

[_C_37]
file = "HOME/tests/c/float_array.c"
line = 37
begin = 13
end = 33

[_C_43]
file = "HOME/tests/c/float_array.c"
line = 57
begin = 13
end = 18

[_C_2]
file = "HOME/tests/c/float_array.c"
line = 17
begin = 10
end = 15

[_C_34]
file = "HOME/tests/c/float_array.c"
line = 42
begin = 12
end = 41

[_C_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_1]
file = "HOME/tests/c/float_array.c"
line = 17
begin = 10
end = 15

[_C_25]
file = "HOME/tests/c/float_array.c"
line = 21
begin = 13
end = 33

[_C_39]
file = "HOME/tests/c/float_array.c"
line = 37
begin = 13
end = 33

[AffectDoubleDansTab0]
name = "Function AffectDoubleDansTab0"
file = "HOME/tests/c/float_array.c"
line = 56
begin = 5
end = 25

[_C_11]
file = "HOME/tests/c/float_array.c"
line = 31
begin = 13
end = 18

[_C_21]
file = "HOME/tests/c/float_array.c"
line = 27
begin = 12
end = 45

========== jessie execution ==========
Generating Why function AffectDoubleDansX
Generating Why function AffectDoubleDansTab
Generating Why function AffectDoubleDansTab1
Generating Why function AffectDoubleDansTab0
========== file tests/c/float_array.jessie/float_array.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs float_array.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs float_array.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/float_array_why.sx

project: why/float_array.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/float_array_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/float_array_why.vo

coq/float_array_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/float_array_why.v: why/float_array.why
	@echo 'why -coq [...] why/float_array.why' && $(WHY) $(JESSIELIBFILES) why/float_array.why && rm -f coq/jessie_why.v

coq-goals: goals coq/float_array_ctx_why.vo
	for f in why/*_po*.why; do make -f float_array.makefile coq/`basename $$f .why`_why.v ; done

coq/float_array_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/float_array_ctx_why.v: why/float_array_ctx.why
	@echo 'why -coq [...] why/float_array_ctx.why' && $(WHY) why/float_array_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export float_array_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/float_array_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/float_array_ctx_why.vo

pvs: pvs/float_array_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/float_array_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/float_array_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/float_array_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/float_array_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/float_array_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/float_array_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/float_array_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/float_array_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/float_array_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/float_array_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/float_array_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/float_array_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/float_array_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/float_array_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: float_array.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/float_array_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: float_array.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: float_array.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: float_array.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include float_array.depend

depend: coq/float_array_why.v
	-$(COQDEP) -I coq coq/float_array*_why.v > float_array.depend

clean:
	rm -f coq/*.vo

========== file tests/c/float_array.jessie/float_array.loc ==========
[JC_94]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 57
begin = 13
end = 18

[JC_73]
file = "HOME/tests/c/float_array.c"
line = 51
begin = 13
end = 33

[JC_63]
file = "HOME/tests/c/float_array.c"
line = 42
begin = 12
end = 41

[JC_80]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_71]
file = "HOME/tests/c/float_array.c"
line = 49
begin = 13
end = 33

[JC_45]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 31
begin = 13
end = 18

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[AffectDoubleDansTab_ensures_default]
name = "Function AffectDoubleDansTab"
behavior = "default behavior"
file = "HOME/tests/c/float_array.c"
line = 30
begin = 5
end = 24

[JC_85]
file = "HOME/tests/c/float_array.c"
line = 53
begin = 12
end = 45

[AffectDoubleDansTab1_ensures_default]
name = "Function AffectDoubleDansTab1"
behavior = "default behavior"
file = "HOME/tests/c/float_array.c"
line = 44
begin = 5
end = 25

[JC_31]
file = "HOME/tests/c/float_array.c"
line = 25
begin = 12
end = 45

[JC_17]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 17
begin = 10
end = 15

[JC_81]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
file = "HOME/tests/c/float_array.c"
line = 38
begin = 13
end = 30

[JC_48]
file = "HOME/tests/c/float_array.c"
line = 37
begin = 13
end = 33

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/tests/c/float_array.c"
line = 23
begin = 13
end = 33

[JC_5]
file = "HOME/tests/c/float_array.c"
line = 10
begin = 13
end = 30

[JC_67]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 45
begin = 13
end = 18

[JC_9]
file = "HOME/tests/c/float_array.c"
line = 13
begin = 12
end = 42

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/c/float_array.c"
line = 21
begin = 13
end = 33

[JC_78]
file = "HOME/tests/c/float_array.c"
line = 50
begin = 13
end = 30

[JC_41]
file = "HOME/"
line = 0
begin = -1
end = -1

[AffectDoubleDansTab1_safety]
name = "Function AffectDoubleDansTab1"
behavior = "Safety"
file = "HOME/tests/c/float_array.c"
line = 44
begin = 5
end = 25

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/tests/c/float_array.c"
line = 37
begin = 13
end = 33

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/c/float_array.c"
line = 21
begin = 13
end = 33

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/c/float_array.c"
line = 37
begin = 13
end = 33

[JC_79]
file = "HOME/tests/c/float_array.c"
line = 51
begin = 13
end = 33

[JC_13]
file = "HOME/tests/c/float_array.c"
line = 14
begin = 12
end = 38

[AffectDoubleDansTab0_safety]
name = "Function AffectDoubleDansTab0"
behavior = "Safety"
file = "HOME/tests/c/float_array.c"
line = 56
begin = 5
end = 25

[JC_82]
file = "HOME/tests/c/float_array.c"
line = 53
begin = 12
end = 45

[JC_87]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_70]
file = "HOME/tests/c/float_array.c"
line = 49
begin = 13
end = 33

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/c/float_array.c"
line = 25
begin = 12
end = 45

[JC_91]
file = "HOME/tests/c/float_array.c"
line = 58
begin = 19
end = 60

[JC_39]
file = "HOME/tests/c/float_array.c"
line = 28
begin = 12
end = 41

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/c/float_array.c"
line = 54
begin = 12
end = 41

[JC_35]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_27]
file = "HOME/tests/c/float_array.c"
line = 22
begin = 13
end = 30

[JC_69]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 45
begin = 13
end = 18

[JC_38]
file = "HOME/tests/c/float_array.c"
line = 27
begin = 12
end = 45

[AffectDoubleDansTab0_ensures_default]
name = "Function AffectDoubleDansTab0"
behavior = "default behavior"
file = "HOME/tests/c/float_array.c"
line = 56
begin = 5
end = 25

[JC_12]
file = "HOME/tests/c/float_array.c"
line = 13
begin = 12
end = 42

[JC_6]
file = "HOME/tests/c/float_array.c"
line = 11
begin = 13
end = 33

[JC_44]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 32
begin = 13
end = 18

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[AffectDoubleDansX_safety]
name = "Function AffectDoubleDansX"
behavior = "Safety"
file = "HOME/tests/c/float_array.c"
line = 16
begin = 5
end = 22

[JC_62]
file = "HOME/tests/c/float_array.c"
line = 41
begin = 12
end = 45

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 32
begin = 13
end = 18

[JC_61]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_32]
file = "HOME/tests/c/float_array.c"
line = 26
begin = 12
end = 41

[JC_56]
file = "HOME/tests/c/float_array.c"
line = 39
begin = 13
end = 33

[JC_33]
file = "HOME/tests/c/float_array.c"
line = 27
begin = 12
end = 45

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_68]
kind = PointerDeref
file = "HOME/tests/c/float_array.jessie/float_array.jc"
line = 98
begin = 16
end = 156

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/tests/c/float_array.c"
line = 59
begin = 19
end = 40

[JC_43]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 31
begin = 13
end = 18

[JC_2]
file = "HOME/tests/c/float_array.c"
line = 11
begin = 13
end = 33

[JC_95]
file = "HOME/tests/c/float_array.c"
line = 58
begin = 19
end = 60

[JC_93]
kind = PointerDeref
file = "HOME/tests/c/float_array.jessie/float_array.jc"
line = 117
begin = 16
end = 156

[AffectDoubleDansX_ensures_default]
name = "Function AffectDoubleDansX"
behavior = "default behavior"
file = "HOME/tests/c/float_array.c"
line = 16
begin = 5
end = 22

[JC_84]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/c/float_array.c"
line = 28
begin = 12
end = 41

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_90]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 57
begin = 13
end = 18

[JC_53]
file = "HOME/tests/c/float_array.c"
line = 37
begin = 13
end = 33

[JC_21]
file = "HOME/tests/c/float_array.c"
line = 22
begin = 13
end = 30

[JC_77]
file = "HOME/tests/c/float_array.c"
line = 49
begin = 13
end = 33

[JC_49]
file = "HOME/tests/c/float_array.c"
line = 38
begin = 13
end = 30

[JC_1]
file = "HOME/tests/c/float_array.c"
line = 10
begin = 13
end = 30

[JC_37]
file = "HOME/tests/c/float_array.c"
line = 26
begin = 12
end = 41

[JC_10]
file = "HOME/tests/c/float_array.c"
line = 14
begin = 12
end = 38

[JC_57]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_89]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
file = "HOME/tests/c/float_array.c"
line = 41
begin = 12
end = 45

[JC_20]
file = "HOME/tests/c/float_array.c"
line = 21
begin = 13
end = 33

[JC_18]
kind = FPOverflow
file = "HOME/tests/c/float_array.c"
line = 17
begin = 10
end = 15

[JC_3]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_92]
file = "HOME/tests/c/float_array.c"
line = 59
begin = 19
end = 40

[JC_86]
file = "HOME/tests/c/float_array.c"
line = 54
begin = 12
end = 41

[JC_60]
file = "HOME/tests/c/float_array.c"
line = 42
begin = 12
end = 41

[AffectDoubleDansTab_safety]
name = "Function AffectDoubleDansTab"
behavior = "Safety"
file = "HOME/tests/c/float_array.c"
line = 30
begin = 5
end = 24

[JC_72]
file = "HOME/tests/c/float_array.c"
line = 50
begin = 13
end = 30

[JC_19]
file = "HOME/tests/c/float_array.c"
line = 21
begin = 13
end = 33

[JC_76]
file = "HOME/tests/c/float_array.c"
line = 49
begin = 13
end = 33

[JC_50]
file = "HOME/tests/c/float_array.c"
line = 39
begin = 13
end = 33

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_28]
file = "HOME/tests/c/float_array.c"
line = 23
begin = 13
end = 33

========== file tests/c/float_array.jessie/why/float_array.why ==========
type charP

type doubleP

type int8

type padding

type uint8

type unsigned_charP

type voidP

predicate bounded(z:real, bound:real) = le_real(abs_real(z), bound)

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic doubleP_tag:  -> doubleP tag_id

axiom doubleP_int : (int_of_tag(doubleP_tag) = (1))

logic doubleP_of_pointer_address: unit pointer -> doubleP pointer

axiom doubleP_of_pointer_address_of_pointer_addr :
 (forall p:doubleP pointer.
  (p = doubleP_of_pointer_address(pointer_address(p))))

axiom doubleP_parenttag_bottom : parenttag(doubleP_tag, bottom_tag)

axiom doubleP_tags :
 (forall x:doubleP pointer.
  (forall doubleP_tag_table:doubleP tag_table.
   instanceof(doubleP_tag_table, x, doubleP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_doubleP(p:doubleP pointer, a:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_min(doubleP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_doubleP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(doubleP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_doubleP(p:doubleP pointer, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_max(doubleP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

parameter AffectDoubleDansTab :
 d:double ->
  X:doubleP pointer ->
   doubleP_doubleM_X_1:(doubleP, double) memory ref ->
    doubleP_X_1_alloc_table:doubleP alloc_table ->
     { } unit reads doubleP_doubleM_X_1 writes doubleP_doubleM_X_1
     { (JC_40:
       ((JC_36:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1,
                                               shift(X, (1)))),
                         add_real(double_value(d), 1.0))),
        0x1p-53))
       and ((JC_37:
            le_real(double_round_error(select(doubleP_doubleM_X_1,
                                       shift(X, (1)))),
            0x1p-53))
           and ((JC_38:
                le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1,
                                                       shift(X, (2)))),
                                 add_real(double_value(d), 1.0))),
                0x1p-53))
               and (JC_39:
                   le_real(double_round_error(select(doubleP_doubleM_X_1,
                                              shift(X, (2)))),
                   0x1p-53)))))) }

parameter AffectDoubleDansTab0 :
 d_0:double ->
  X_0:doubleP pointer ->
   doubleP_doubleM_X_0_3:(doubleP, double) memory ref ->
    doubleP_X_0_3_alloc_table:doubleP alloc_table ->
     { } unit reads doubleP_doubleM_X_0_3 writes doubleP_doubleM_X_0_3
     { (JC_87:
       ((JC_85:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_0_3,
                                               shift(X_0, (0)))),
                         add_real(double_value(d_0), 1.0))),
        0x1p-53))
       and (JC_86:
           le_real(double_round_error(select(doubleP_doubleM_X_0_3,
                                      shift(X_0, (0)))),
           0x1p-53)))) }

parameter AffectDoubleDansTab0_requires :
 d_0:double ->
  X_0:doubleP pointer ->
   doubleP_doubleM_X_0_3:(doubleP, double) memory ref ->
    doubleP_X_0_3_alloc_table:doubleP alloc_table ->
     { (JC_74:
       ((JC_70: le_int(offset_min(doubleP_X_0_3_alloc_table, X_0), (0)))
       and ((JC_71: ge_int(offset_max(doubleP_X_0_3_alloc_table, X_0), (10)))
           and ((JC_72: bounded(double_value(d_0), 0x1p0))
               and (JC_73: (double_round_error(d_0) = 0.0))))))}
     unit reads doubleP_doubleM_X_0_3 writes doubleP_doubleM_X_0_3
     { (JC_87:
       ((JC_85:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_0_3,
                                               shift(X_0, (0)))),
                         add_real(double_value(d_0), 1.0))),
        0x1p-53))
       and (JC_86:
           le_real(double_round_error(select(doubleP_doubleM_X_0_3,
                                      shift(X_0, (0)))),
           0x1p-53)))) }

parameter AffectDoubleDansTab1 :
 d_1:double ->
  X_1:doubleP pointer ->
   doubleP_doubleM_X_1_2:(doubleP, double) memory ref ->
    doubleP_X_1_2_alloc_table:doubleP alloc_table ->
     { } unit reads doubleP_doubleM_X_1_2 writes doubleP_doubleM_X_1_2
     { (JC_64:
       ((JC_62:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1_2,
                                               shift(X_1, (1)))),
                         add_real(double_value(d_1), 1.0))),
        0x1p-53))
       and (JC_63:
           le_real(double_round_error(select(doubleP_doubleM_X_1_2,
                                      shift(X_1, (1)))),
           0x1p-53)))) }

parameter AffectDoubleDansTab1_requires :
 d_1:double ->
  X_1:doubleP pointer ->
   doubleP_doubleM_X_1_2:(doubleP, double) memory ref ->
    doubleP_X_1_2_alloc_table:doubleP alloc_table ->
     { (JC_51:
       ((JC_47: le_int(offset_min(doubleP_X_1_2_alloc_table, X_1), (0)))
       and ((JC_48: ge_int(offset_max(doubleP_X_1_2_alloc_table, X_1), (10)))
           and ((JC_49: bounded(double_value(d_1), 0x1p0))
               and (JC_50: (double_round_error(d_1) = 0.0))))))}
     unit reads doubleP_doubleM_X_1_2 writes doubleP_doubleM_X_1_2
     { (JC_64:
       ((JC_62:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1_2,
                                               shift(X_1, (1)))),
                         add_real(double_value(d_1), 1.0))),
        0x1p-53))
       and (JC_63:
           le_real(double_round_error(select(doubleP_doubleM_X_1_2,
                                      shift(X_1, (1)))),
           0x1p-53)))) }

parameter AffectDoubleDansTab_requires :
 d:double ->
  X:doubleP pointer ->
   doubleP_doubleM_X_1:(doubleP, double) memory ref ->
    doubleP_X_1_alloc_table:doubleP alloc_table ->
     { (JC_23:
       ((JC_19: le_int(offset_min(doubleP_X_1_alloc_table, X), (0)))
       and ((JC_20: ge_int(offset_max(doubleP_X_1_alloc_table, X), (10)))
           and ((JC_21: bounded(double_value(d), 0x1p0))
               and (JC_22: (double_round_error(d) = 0.0))))))}
     unit reads doubleP_doubleM_X_1 writes doubleP_doubleM_X_1
     { (JC_40:
       ((JC_36:
        le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1,
                                               shift(X, (1)))),
                         add_real(double_value(d), 1.0))),
        0x1p-53))
       and ((JC_37:
            le_real(double_round_error(select(doubleP_doubleM_X_1,
                                       shift(X, (1)))),
            0x1p-53))
           and ((JC_38:
                le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1,
                                                       shift(X, (2)))),
                                 add_real(double_value(d), 1.0))),
                0x1p-53))
               and (JC_39:
                   le_real(double_round_error(select(doubleP_doubleM_X_1,
                                              shift(X, (2)))),
                   0x1p-53)))))) }

parameter x_0 : double ref

parameter AffectDoubleDansX :
 d_2:double ->
  { } unit reads x_0 writes x_0
  { (JC_14:
    ((JC_12:
     le_real(abs_real(sub_real(double_value(x_0),
                      add_real(double_value(d_2), 1.0))),
     0x1p-53))
    and (JC_13: le_real(double_round_error(x_0), 0x1p-53)))) }

parameter AffectDoubleDansX_requires :
 d_2:double ->
  { (JC_3:
    ((JC_1: bounded(double_value(d_2), 0x1p0))
    and (JC_2: (double_round_error(d_2) = 0.0))))}
  unit reads x_0 writes x_0
  { (JC_14:
    ((JC_12:
     le_real(abs_real(sub_real(double_value(x_0),
                      add_real(double_value(d_2), 1.0))),
     0x1p-53))
    and (JC_13: le_real(double_round_error(x_0), 0x1p-53)))) }

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter doubleP_alloc_table : doubleP alloc_table ref

parameter doubleP_tag_table : doubleP tag_table ref

parameter alloc_struct_doubleP :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { } doubleP pointer writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter alloc_struct_doubleP_requires :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { ge_int(n, (0))} doubleP pointer
    writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let AffectDoubleDansTab0_ensures_default =
 fun (d_0 : double) (X_0 : doubleP pointer) (doubleP_doubleM_X_0_3 : (doubleP, double) memory ref) (doubleP_X_0_3_alloc_table : doubleP alloc_table) ->
  { (JC_80:
    ((JC_76: le_int(offset_min(doubleP_X_0_3_alloc_table, X_0), (0)))
    and ((JC_77: ge_int(offset_max(doubleP_X_0_3_alloc_table, X_0), (10)))
        and ((JC_78: bounded(double_value(d_0), 0x1p0))
            and (JC_79: (double_round_error(d_0) = 0.0)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_94:
     (((add_double_safe nearest_even) d_0) (double_of_real_exact 1.0))) in
     (let _jessie_ = X_0 in
     (((safe_upd_ doubleP_doubleM_X_0_3) _jessie_) _jessie_)));
    (assert
    { (JC_95:
      (double_value(select(doubleP_doubleM_X_0_3, shift(X_0, (0)))) = 
      round_double(nearest_even, add_real(double_value(d_0), 1.0)))) }; void);
    void;
    (assert
    { (JC_96:
      (double_exact(select(doubleP_doubleM_X_0_3, shift(X_0, (0)))) = 
      add_real(double_value(d_0), 1.0))) }; void); void; (raise Return);
    (raise Return) end with Return -> void end)
  { (JC_84:
    ((JC_82:
     le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_0_3,
                                            shift(X_0, (0)))),
                      add_real(double_value(d_0), 1.0))),
     0x1p-53))
    and (JC_83:
        le_real(double_round_error(select(doubleP_doubleM_X_0_3,
                                   shift(X_0, (0)))),
        0x1p-53)))) }

let AffectDoubleDansTab0_safety =
 fun (d_0 : double) (X_0 : doubleP pointer) (doubleP_doubleM_X_0_3 : (doubleP, double) memory ref) (doubleP_X_0_3_alloc_table : doubleP alloc_table) ->
  { (JC_80:
    ((JC_76: le_int(offset_min(doubleP_X_0_3_alloc_table, X_0), (0)))
    and ((JC_77: ge_int(offset_max(doubleP_X_0_3_alloc_table, X_0), (10)))
        and ((JC_78: bounded(double_value(d_0), 0x1p0))
            and (JC_79: (double_round_error(d_0) = 0.0)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_90: (((add_double nearest_even) d_0) (double_of_real_exact 1.0))) in
     (let _jessie_ = X_0 in
     (JC_93:
     ((((upd_ doubleP_X_0_3_alloc_table) doubleP_doubleM_X_0_3) _jessie_) _jessie_))));
    [ { } unit reads doubleP_doubleM_X_0_3
      { (JC_91:
        (double_value(select(doubleP_doubleM_X_0_3, shift(X_0, (0)))) = 
        round_double(nearest_even, add_real(double_value(d_0), 1.0)))) } ];
    void;
    [ { } unit reads doubleP_doubleM_X_0_3
      { (JC_92:
        (double_exact(select(doubleP_doubleM_X_0_3, shift(X_0, (0)))) = 
        add_real(double_value(d_0), 1.0))) } ]; void; (raise Return);
    (raise Return) end with Return -> void end) { true }

let AffectDoubleDansTab1_ensures_default =
 fun (d_1 : double) (X_1 : doubleP pointer) (doubleP_doubleM_X_1_2 : (doubleP, double) memory ref) (doubleP_X_1_2_alloc_table : doubleP alloc_table) ->
  { (JC_57:
    ((JC_53: le_int(offset_min(doubleP_X_1_2_alloc_table, X_1), (0)))
    and ((JC_54: ge_int(offset_max(doubleP_X_1_2_alloc_table, X_1), (10)))
        and ((JC_55: bounded(double_value(d_1), 0x1p0))
            and (JC_56: (double_round_error(d_1) = 0.0)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_69:
     (((add_double_safe nearest_even) d_1) (double_of_real_exact 1.0))) in
     (let _jessie_ = X_1 in
     (let _jessie_ = (1) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     (let _jessie_ = ((shift _jessie_) (1)) in
     (((safe_upd_ doubleP_doubleM_X_1_2) _jessie_) _jessie_))))));
    (raise Return); (raise Return) end with Return -> void end)
  { (JC_61:
    ((JC_59:
     le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1_2,
                                            shift(X_1, (1)))),
                      add_real(double_value(d_1), 1.0))),
     0x1p-53))
    and (JC_60:
        le_real(double_round_error(select(doubleP_doubleM_X_1_2,
                                   shift(X_1, (1)))),
        0x1p-53)))) }

let AffectDoubleDansTab1_safety =
 fun (d_1 : double) (X_1 : doubleP pointer) (doubleP_doubleM_X_1_2 : (doubleP, double) memory ref) (doubleP_X_1_2_alloc_table : doubleP alloc_table) ->
  { (JC_57:
    ((JC_53: le_int(offset_min(doubleP_X_1_2_alloc_table, X_1), (0)))
    and ((JC_54: ge_int(offset_max(doubleP_X_1_2_alloc_table, X_1), (10)))
        and ((JC_55: bounded(double_value(d_1), 0x1p0))
            and (JC_56: (double_round_error(d_1) = 0.0)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_67: (((add_double nearest_even) d_1) (double_of_real_exact 1.0))) in
     (let _jessie_ = X_1 in
     (let _jessie_ = (1) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     (let _jessie_ = ((shift _jessie_) (1)) in
     (JC_68:
     ((((upd_ doubleP_X_1_2_alloc_table) doubleP_doubleM_X_1_2) _jessie_) _jessie_)))))));
    (raise Return); (raise Return) end with Return -> void end) { true }

let AffectDoubleDansTab_ensures_default =
 fun (d : double) (X : doubleP pointer) (doubleP_doubleM_X_1 : (doubleP, double) memory ref) (doubleP_X_1_alloc_table : doubleP alloc_table) ->
  { (JC_29:
    ((JC_25: le_int(offset_min(doubleP_X_1_alloc_table, X), (0)))
    and ((JC_26: ge_int(offset_max(doubleP_X_1_alloc_table, X), (10)))
        and ((JC_27: bounded(double_value(d), 0x1p0))
            and (JC_28: (double_round_error(d) = 0.0)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_45: (((add_double_safe nearest_even) d) (double_of_real_exact 1.0))) in
     (let _jessie_ = X in
     (let _jessie_ = (1) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     (let _jessie_ =
     (JC_46: (((add_double_safe nearest_even) d) (double_of_real_exact 1.0))) in
     (let _jessie_ = X in
     (let _jessie_ = (2) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     [ { } unit reads doubleP_doubleM_X_1 writes doubleP_doubleM_X_1
       { (not_assigns(doubleP_X_1_alloc_table, doubleP_doubleM_X_1@,
          doubleP_doubleM_X_1,
          pset_range(pset_singleton(_jessie_), (1), (2)))
         and ((select(doubleP_doubleM_X_1, shift(_jessie_, (1))) = _jessie_)
             and (select(doubleP_doubleM_X_1, shift(_jessie_, (2))) = _jessie_))) } ]))))))));
    (raise Return); (raise Return) end with Return -> void end)
  { (JC_35:
    ((JC_31:
     le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1,
                                            shift(X, (1)))),
                      add_real(double_value(d), 1.0))),
     0x1p-53))
    and ((JC_32:
         le_real(double_round_error(select(doubleP_doubleM_X_1,
                                    shift(X, (1)))),
         0x1p-53))
        and ((JC_33:
             le_real(abs_real(sub_real(double_value(select(doubleP_doubleM_X_1,
                                                    shift(X, (2)))),
                              add_real(double_value(d), 1.0))),
             0x1p-53))
            and (JC_34:
                le_real(double_round_error(select(doubleP_doubleM_X_1,
                                           shift(X, (2)))),
                0x1p-53)))))) }

let AffectDoubleDansTab_safety =
 fun (d : double) (X : doubleP pointer) (doubleP_doubleM_X_1 : (doubleP, double) memory ref) (doubleP_X_1_alloc_table : doubleP alloc_table) ->
  { (JC_29:
    ((JC_25: le_int(offset_min(doubleP_X_1_alloc_table, X), (0)))
    and ((JC_26: ge_int(offset_max(doubleP_X_1_alloc_table, X), (10)))
        and ((JC_27: bounded(double_value(d), 0x1p0))
            and (JC_28: (double_round_error(d) = 0.0)))))) }
  (init:
  try
   begin
     (let _jessie_ =
     (JC_43: (((add_double nearest_even) d) (double_of_real_exact 1.0))) in
     (let _jessie_ = X in
     (let _jessie_ = (1) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     (let _jessie_ =
     (JC_44: (((add_double nearest_even) d) (double_of_real_exact 1.0))) in
     (let _jessie_ = X in
     (let _jessie_ = (2) in
     (let _jessie_ = ((shift _jessie_) _jessie_) in
     [ { (le_int(offset_min(doubleP_X_1_alloc_table, _jessie_), (2))
         and (le_int((2), offset_max(doubleP_X_1_alloc_table, _jessie_))
             and (le_int(offset_min(doubleP_X_1_alloc_table, _jessie_), (1))
                 and le_int((1),
                     offset_max(doubleP_X_1_alloc_table, _jessie_)))))}
       unit reads doubleP_doubleM_X_1 writes doubleP_doubleM_X_1
       { (not_assigns(doubleP_X_1_alloc_table, doubleP_doubleM_X_1@,
          doubleP_doubleM_X_1,
          pset_range(pset_singleton(_jessie_), (1), (2)))
         and ((select(doubleP_doubleM_X_1, shift(_jessie_, (1))) = _jessie_)
             and (select(doubleP_doubleM_X_1, shift(_jessie_, (2))) = _jessie_))) } ]))))))));
    (raise Return); (raise Return) end with Return -> void end) { true }

let AffectDoubleDansX_ensures_default =
 fun (d_2 : double) ->
  { (JC_7:
    ((JC_5: bounded(double_value(d_2), 0x1p0))
    and (JC_6: (double_round_error(d_2) = 0.0)))) }
  (init:
  try
   begin
     (let _jessie_ =
     (x_0 := (JC_18:
             (((add_double_safe nearest_even) d_2) (double_of_real_exact 1.0)))) in
     void); (raise Return); (raise Return) end with Return -> void end)
  { (JC_11:
    ((JC_9:
     le_real(abs_real(sub_real(double_value(x_0),
                      add_real(double_value(d_2), 1.0))),
     0x1p-53))
    and (JC_10: le_real(double_round_error(x_0), 0x1p-53)))) }

let AffectDoubleDansX_safety =
 fun (d_2 : double) ->
  { (JC_7:
    ((JC_5: bounded(double_value(d_2), 0x1p0))
    and (JC_6: (double_round_error(d_2) = 0.0)))) }
  (init:
  try
   begin
     (let _jessie_ =
     (x_0 := (JC_17:
             (((add_double nearest_even) d_2) (double_of_real_exact 1.0)))) in
     void); (raise Return); (raise Return) end with Return -> void end)
  { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/float_array.why
========== file tests/c/float_array.jessie/why/float_array_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type charP

type doubleP

type int8

type padding

type uint8

type unsigned_charP

type voidP

predicate bounded(z: real, bound: real) = (abs_real(z) <= bound)

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic doubleP_tag : doubleP tag_id

axiom doubleP_int: (int_of_tag(doubleP_tag) = 1)

logic doubleP_of_pointer_address : unit pointer -> doubleP pointer

axiom doubleP_of_pointer_address_of_pointer_addr:
  (forall p:doubleP pointer.
    (p = doubleP_of_pointer_address(pointer_address(p))))

axiom doubleP_parenttag_bottom: parenttag(doubleP_tag, bottom_tag)

axiom doubleP_tags:
  (forall x:doubleP pointer.
    (forall doubleP_tag_table:doubleP tag_table.
      instanceof(doubleP_tag_table, x, doubleP_tag)))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_doubleP(p: doubleP pointer, a: int,
  doubleP_alloc_table: doubleP alloc_table) =
  (offset_min(doubleP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_doubleP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(doubleP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_doubleP(p: doubleP pointer, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  (offset_max(doubleP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) = a) and
   (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) = a) and
   (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) <= a) and
   (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) <= a) and
   (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal AffectDoubleDansTab0_ensures_default_po_1:
  forall d_0:double.
  forall X_0:doubleP pointer.
  forall doubleP_X_0_3_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_X_0_3:(doubleP,
  double) memory.
  ("JC_80":
  (("JC_76": (offset_min(doubleP_X_0_3_alloc_table, X_0) <= 0)) and
   (("JC_77": (offset_max(doubleP_X_0_3_alloc_table, X_0) >= 10)) and
    (("JC_78": bounded(double_value(d_0), 0x1.p0)) and
     ("JC_79": (double_round_error(d_0) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall result0:double.
  add_double_post(nearest_even, d_0, result, result0) ->
  forall doubleP_doubleM_X_0_3_0:(doubleP,
  double) memory.
  (doubleP_doubleM_X_0_3_0 = store(doubleP_doubleM_X_0_3, X_0, result0)) ->
  ("JC_95": (double_value(select(doubleP_doubleM_X_0_3_0, shift(X_0,
  0))) = round_double(nearest_even, (double_value(d_0) + 1.0))))

goal AffectDoubleDansTab0_ensures_default_po_2:
  forall d_0:double.
  forall X_0:doubleP pointer.
  forall doubleP_X_0_3_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_X_0_3:(doubleP,
  double) memory.
  ("JC_80":
  (("JC_76": (offset_min(doubleP_X_0_3_alloc_table, X_0) <= 0)) and
   (("JC_77": (offset_max(doubleP_X_0_3_alloc_table, X_0) >= 10)) and
    (("JC_78": bounded(double_value(d_0), 0x1.p0)) and
     ("JC_79": (double_round_error(d_0) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall result0:double.
  add_double_post(nearest_even, d_0, result, result0) ->
  forall doubleP_doubleM_X_0_3_0:(doubleP,
  double) memory.
  (doubleP_doubleM_X_0_3_0 = store(doubleP_doubleM_X_0_3, X_0, result0)) ->
  ("JC_95": (double_value(select(doubleP_doubleM_X_0_3_0, shift(X_0,
  0))) = round_double(nearest_even, (double_value(d_0) + 1.0)))) ->
  ("JC_96": (double_exact(select(doubleP_doubleM_X_0_3_0, shift(X_0,
  0))) = (double_value(d_0) + 1.0)))

goal AffectDoubleDansTab0_ensures_default_po_3:
  forall d_0:double.
  forall X_0:doubleP pointer.
  forall doubleP_X_0_3_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_X_0_3:(doubleP,
  double) memory.
  ("JC_80":
  (("JC_76": (offset_min(doubleP_X_0_3_alloc_table, X_0) <= 0)) and
   (("JC_77": (offset_max(doubleP_X_0_3_alloc_table, X_0) >= 10)) and
    (("JC_78": bounded(double_value(d_0), 0x1.p0)) and
     ("JC_79": (double_round_error(d_0) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall result0:double.
  add_double_post(nearest_even, d_0, result, result0) ->
  forall doubleP_doubleM_X_0_3_0:(doubleP,
  double) memory.
  (doubleP_doubleM_X_0_3_0 = store(doubleP_doubleM_X_0_3, X_0, result0)) ->
  ("JC_95": (double_value(select(doubleP_doubleM_X_0_3_0, shift(X_0,
  0))) = round_double(nearest_even, (double_value(d_0) + 1.0)))) ->
  ("JC_96": (double_exact(select(doubleP_doubleM_X_0_3_0, shift(X_0,
  0))) = (double_value(d_0) + 1.0))) ->
  ("JC_84":
  ("JC_82": (abs_real((double_value(select(doubleP_doubleM_X_0_3_0,
  shift(X_0, 0))) - (double_value(d_0) + 1.0))) <= 0x1.p-53)))

goal AffectDoubleDansTab0_ensures_default_po_4:
  forall d_0:double.
  forall X_0:doubleP pointer.
  forall doubleP_X_0_3_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_X_0_3:(doubleP,
  double) memory.
  ("JC_80":
  (("JC_76": (offset_min(doubleP_X_0_3_alloc_table, X_0) <= 0)) and
   (("JC_77": (offset_max(doubleP_X_0_3_alloc_table, X_0) >= 10)) and
    (("JC_78": bounded(double_value(d_0), 0x1.p0)) and
     ("JC_79": (double_round_error(d_0) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall result0:double.
  add_double_post(nearest_even, d_0, result, result0) ->
  forall doubleP_doubleM_X_0_3_0:(doubleP,
  double) memory.
  (doubleP_doubleM_X_0_3_0 = store(doubleP_doubleM_X_0_3, X_0, result0)) ->
  ("JC_95": (double_value(select(doubleP_doubleM_X_0_3_0, shift(X_0,
  0))) = round_double(nearest_even, (double_value(d_0) + 1.0)))) ->
  ("JC_96": (double_exact(select(doubleP_doubleM_X_0_3_0, shift(X_0,
  0))) = (double_value(d_0) + 1.0))) ->
  ("JC_84":
  ("JC_83": (double_round_error(select(doubleP_doubleM_X_0_3_0, shift(X_0,
  0))) <= 0x1.p-53)))

goal AffectDoubleDansTab0_safety_po_1:
  forall d_0:double.
  forall X_0:doubleP pointer.
  forall doubleP_X_0_3_alloc_table:doubleP alloc_table.
  ("JC_80":
  (("JC_76": (offset_min(doubleP_X_0_3_alloc_table, X_0) <= 0)) and
   (("JC_77": (offset_max(doubleP_X_0_3_alloc_table, X_0) >= 10)) and
    (("JC_78": bounded(double_value(d_0), 0x1.p0)) and
     ("JC_79": (double_round_error(d_0) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d_0) + double_value(result)))

goal AffectDoubleDansTab0_safety_po_2:
  forall d_0:double.
  forall X_0:doubleP pointer.
  forall doubleP_X_0_3_alloc_table:doubleP alloc_table.
  ("JC_80":
  (("JC_76": (offset_min(doubleP_X_0_3_alloc_table, X_0) <= 0)) and
   (("JC_77": (offset_max(doubleP_X_0_3_alloc_table, X_0) >= 10)) and
    (("JC_78": bounded(double_value(d_0), 0x1.p0)) and
     ("JC_79": (double_round_error(d_0) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d_0) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, d_0, result, result0) ->
  (0 <= offset_max(doubleP_X_0_3_alloc_table, X_0))

goal AffectDoubleDansTab1_ensures_default_po_1:
  forall d_1:double.
  forall X_1:doubleP pointer.
  forall doubleP_X_1_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_X_1_2:(doubleP,
  double) memory.
  ("JC_57":
  (("JC_53": (offset_min(doubleP_X_1_2_alloc_table, X_1) <= 0)) and
   (("JC_54": (offset_max(doubleP_X_1_2_alloc_table, X_1) >= 10)) and
    (("JC_55": bounded(double_value(d_1), 0x1.p0)) and
     ("JC_56": (double_round_error(d_1) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall result0:double.
  add_double_post(nearest_even, d_1, result, result0) ->
  forall doubleP_doubleM_X_1_2_0:(doubleP,
  double) memory.
  (doubleP_doubleM_X_1_2_0 = store(doubleP_doubleM_X_1_2, shift(X_1, 1),
  result0)) ->
  ("JC_61":
  ("JC_59": (abs_real((double_value(select(doubleP_doubleM_X_1_2_0,
  shift(X_1, 1))) - (double_value(d_1) + 1.0))) <= 0x1.p-53)))

goal AffectDoubleDansTab1_ensures_default_po_2:
  forall d_1:double.
  forall X_1:doubleP pointer.
  forall doubleP_X_1_2_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_X_1_2:(doubleP,
  double) memory.
  ("JC_57":
  (("JC_53": (offset_min(doubleP_X_1_2_alloc_table, X_1) <= 0)) and
   (("JC_54": (offset_max(doubleP_X_1_2_alloc_table, X_1) >= 10)) and
    (("JC_55": bounded(double_value(d_1), 0x1.p0)) and
     ("JC_56": (double_round_error(d_1) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall result0:double.
  add_double_post(nearest_even, d_1, result, result0) ->
  forall doubleP_doubleM_X_1_2_0:(doubleP,
  double) memory.
  (doubleP_doubleM_X_1_2_0 = store(doubleP_doubleM_X_1_2, shift(X_1, 1),
  result0)) ->
  ("JC_61":
  ("JC_60": (double_round_error(select(doubleP_doubleM_X_1_2_0, shift(X_1,
  1))) <= 0x1.p-53)))

goal AffectDoubleDansTab1_safety_po_1:
  forall d_1:double.
  forall X_1:doubleP pointer.
  forall doubleP_X_1_2_alloc_table:doubleP alloc_table.
  ("JC_57":
  (("JC_53": (offset_min(doubleP_X_1_2_alloc_table, X_1) <= 0)) and
   (("JC_54": (offset_max(doubleP_X_1_2_alloc_table, X_1) >= 10)) and
    (("JC_55": bounded(double_value(d_1), 0x1.p0)) and
     ("JC_56": (double_round_error(d_1) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d_1) + double_value(result)))

goal AffectDoubleDansTab1_safety_po_2:
  forall d_1:double.
  forall X_1:doubleP pointer.
  forall doubleP_X_1_2_alloc_table:doubleP alloc_table.
  ("JC_57":
  (("JC_53": (offset_min(doubleP_X_1_2_alloc_table, X_1) <= 0)) and
   (("JC_54": (offset_max(doubleP_X_1_2_alloc_table, X_1) >= 10)) and
    (("JC_55": bounded(double_value(d_1), 0x1.p0)) and
     ("JC_56": (double_round_error(d_1) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d_1) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, d_1, result, result0) ->
  (offset_min(doubleP_X_1_2_alloc_table, shift(X_1, 1)) <= 0)

goal AffectDoubleDansTab1_safety_po_3:
  forall d_1:double.
  forall X_1:doubleP pointer.
  forall doubleP_X_1_2_alloc_table:doubleP alloc_table.
  ("JC_57":
  (("JC_53": (offset_min(doubleP_X_1_2_alloc_table, X_1) <= 0)) and
   (("JC_54": (offset_max(doubleP_X_1_2_alloc_table, X_1) >= 10)) and
    (("JC_55": bounded(double_value(d_1), 0x1.p0)) and
     ("JC_56": (double_round_error(d_1) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d_1) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, d_1, result, result0) ->
  (0 <= offset_max(doubleP_X_1_2_alloc_table, shift(X_1, 1)))

goal AffectDoubleDansTab_ensures_default_po_1:
  forall d:double.
  forall X:doubleP pointer.
  forall doubleP_X_1_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_X_1:(doubleP,
  double) memory.
  ("JC_29":
  (("JC_25": (offset_min(doubleP_X_1_alloc_table, X) <= 0)) and
   (("JC_26": (offset_max(doubleP_X_1_alloc_table, X) >= 10)) and
    (("JC_27": bounded(double_value(d), 0x1.p0)) and
     ("JC_28": (double_round_error(d) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall result0:double.
  add_double_post(nearest_even, d, result, result0) ->
  forall result1:double.
  ((double_value(result1) = 1.0) and
   ((double_exact(result1) = 1.0) and (double_model(result1) = 1.0))) ->
  forall result2:double.
  add_double_post(nearest_even, d, result1, result2) ->
  forall doubleP_doubleM_X_1_0:(doubleP,
  double) memory.
  (not_assigns(doubleP_X_1_alloc_table, doubleP_doubleM_X_1,
   doubleP_doubleM_X_1_0, pset_range(pset_singleton(X), 1, 2)) and
   ((select(doubleP_doubleM_X_1_0, shift(X, 1)) = result0) and
    (select(doubleP_doubleM_X_1_0, shift(X, 2)) = result2))) ->
  ("JC_35":
  ("JC_31": (abs_real((double_value(select(doubleP_doubleM_X_1_0, shift(X,
  1))) - (double_value(d) + 1.0))) <= 0x1.p-53)))

goal AffectDoubleDansTab_ensures_default_po_2:
  forall d:double.
  forall X:doubleP pointer.
  forall doubleP_X_1_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_X_1:(doubleP,
  double) memory.
  ("JC_29":
  (("JC_25": (offset_min(doubleP_X_1_alloc_table, X) <= 0)) and
   (("JC_26": (offset_max(doubleP_X_1_alloc_table, X) >= 10)) and
    (("JC_27": bounded(double_value(d), 0x1.p0)) and
     ("JC_28": (double_round_error(d) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall result0:double.
  add_double_post(nearest_even, d, result, result0) ->
  forall result1:double.
  ((double_value(result1) = 1.0) and
   ((double_exact(result1) = 1.0) and (double_model(result1) = 1.0))) ->
  forall result2:double.
  add_double_post(nearest_even, d, result1, result2) ->
  forall doubleP_doubleM_X_1_0:(doubleP,
  double) memory.
  (not_assigns(doubleP_X_1_alloc_table, doubleP_doubleM_X_1,
   doubleP_doubleM_X_1_0, pset_range(pset_singleton(X), 1, 2)) and
   ((select(doubleP_doubleM_X_1_0, shift(X, 1)) = result0) and
    (select(doubleP_doubleM_X_1_0, shift(X, 2)) = result2))) ->
  ("JC_35":
  ("JC_32": (double_round_error(select(doubleP_doubleM_X_1_0, shift(X,
  1))) <= 0x1.p-53)))

goal AffectDoubleDansTab_ensures_default_po_3:
  forall d:double.
  forall X:doubleP pointer.
  forall doubleP_X_1_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_X_1:(doubleP,
  double) memory.
  ("JC_29":
  (("JC_25": (offset_min(doubleP_X_1_alloc_table, X) <= 0)) and
   (("JC_26": (offset_max(doubleP_X_1_alloc_table, X) >= 10)) and
    (("JC_27": bounded(double_value(d), 0x1.p0)) and
     ("JC_28": (double_round_error(d) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall result0:double.
  add_double_post(nearest_even, d, result, result0) ->
  forall result1:double.
  ((double_value(result1) = 1.0) and
   ((double_exact(result1) = 1.0) and (double_model(result1) = 1.0))) ->
  forall result2:double.
  add_double_post(nearest_even, d, result1, result2) ->
  forall doubleP_doubleM_X_1_0:(doubleP,
  double) memory.
  (not_assigns(doubleP_X_1_alloc_table, doubleP_doubleM_X_1,
   doubleP_doubleM_X_1_0, pset_range(pset_singleton(X), 1, 2)) and
   ((select(doubleP_doubleM_X_1_0, shift(X, 1)) = result0) and
    (select(doubleP_doubleM_X_1_0, shift(X, 2)) = result2))) ->
  ("JC_35":
  ("JC_33": (abs_real((double_value(select(doubleP_doubleM_X_1_0, shift(X,
  2))) - (double_value(d) + 1.0))) <= 0x1.p-53)))

goal AffectDoubleDansTab_ensures_default_po_4:
  forall d:double.
  forall X:doubleP pointer.
  forall doubleP_X_1_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_X_1:(doubleP,
  double) memory.
  ("JC_29":
  (("JC_25": (offset_min(doubleP_X_1_alloc_table, X) <= 0)) and
   (("JC_26": (offset_max(doubleP_X_1_alloc_table, X) >= 10)) and
    (("JC_27": bounded(double_value(d), 0x1.p0)) and
     ("JC_28": (double_round_error(d) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall result0:double.
  add_double_post(nearest_even, d, result, result0) ->
  forall result1:double.
  ((double_value(result1) = 1.0) and
   ((double_exact(result1) = 1.0) and (double_model(result1) = 1.0))) ->
  forall result2:double.
  add_double_post(nearest_even, d, result1, result2) ->
  forall doubleP_doubleM_X_1_0:(doubleP,
  double) memory.
  (not_assigns(doubleP_X_1_alloc_table, doubleP_doubleM_X_1,
   doubleP_doubleM_X_1_0, pset_range(pset_singleton(X), 1, 2)) and
   ((select(doubleP_doubleM_X_1_0, shift(X, 1)) = result0) and
    (select(doubleP_doubleM_X_1_0, shift(X, 2)) = result2))) ->
  ("JC_35":
  ("JC_34": (double_round_error(select(doubleP_doubleM_X_1_0, shift(X,
  2))) <= 0x1.p-53)))

goal AffectDoubleDansTab_safety_po_1:
  forall d:double.
  forall X:doubleP pointer.
  forall doubleP_X_1_alloc_table:doubleP alloc_table.
  ("JC_29":
  (("JC_25": (offset_min(doubleP_X_1_alloc_table, X) <= 0)) and
   (("JC_26": (offset_max(doubleP_X_1_alloc_table, X) >= 10)) and
    (("JC_27": bounded(double_value(d), 0x1.p0)) and
     ("JC_28": (double_round_error(d) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  no_overflow_double(nearest_even, (double_value(d) + double_value(result)))

goal AffectDoubleDansTab_safety_po_2:
  forall d:double.
  forall X:doubleP pointer.
  forall doubleP_X_1_alloc_table:doubleP alloc_table.
  ("JC_29":
  (("JC_25": (offset_min(doubleP_X_1_alloc_table, X) <= 0)) and
   (("JC_26": (offset_max(doubleP_X_1_alloc_table, X) >= 10)) and
    (("JC_27": bounded(double_value(d), 0x1.p0)) and
     ("JC_28": (double_round_error(d) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, d, result, result0) ->
  forall result1:double.
  ((double_value(result1) = 1.0) and
   ((double_exact(result1) = 1.0) and (double_model(result1) = 1.0))) ->
  no_overflow_double(nearest_even, (double_value(d) + double_value(result1)))

goal AffectDoubleDansTab_safety_po_3:
  forall d:double.
  forall X:doubleP pointer.
  forall doubleP_X_1_alloc_table:doubleP alloc_table.
  ("JC_29":
  (("JC_25": (offset_min(doubleP_X_1_alloc_table, X) <= 0)) and
   (("JC_26": (offset_max(doubleP_X_1_alloc_table, X) >= 10)) and
    (("JC_27": bounded(double_value(d), 0x1.p0)) and
     ("JC_28": (double_round_error(d) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, d, result, result0) ->
  forall result1:double.
  ((double_value(result1) = 1.0) and
   ((double_exact(result1) = 1.0) and (double_model(result1) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, d, result1, result2) ->
  (offset_min(doubleP_X_1_alloc_table, X) <= 2)

goal AffectDoubleDansTab_safety_po_4:
  forall d:double.
  forall X:doubleP pointer.
  forall doubleP_X_1_alloc_table:doubleP alloc_table.
  ("JC_29":
  (("JC_25": (offset_min(doubleP_X_1_alloc_table, X) <= 0)) and
   (("JC_26": (offset_max(doubleP_X_1_alloc_table, X) >= 10)) and
    (("JC_27": bounded(double_value(d), 0x1.p0)) and
     ("JC_28": (double_round_error(d) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, d, result, result0) ->
  forall result1:double.
  ((double_value(result1) = 1.0) and
   ((double_exact(result1) = 1.0) and (double_model(result1) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, d, result1, result2) ->
  (2 <= offset_max(doubleP_X_1_alloc_table, X))

goal AffectDoubleDansTab_safety_po_5:
  forall d:double.
  forall X:doubleP pointer.
  forall doubleP_X_1_alloc_table:doubleP alloc_table.
  ("JC_29":
  (("JC_25": (offset_min(doubleP_X_1_alloc_table, X) <= 0)) and
   (("JC_26": (offset_max(doubleP_X_1_alloc_table, X) >= 10)) and
    (("JC_27": bounded(double_value(d), 0x1.p0)) and
     ("JC_28": (double_round_error(d) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, d, result, result0) ->
  forall result1:double.
  ((double_value(result1) = 1.0) and
   ((double_exact(result1) = 1.0) and (double_model(result1) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, d, result1, result2) ->
  (offset_min(doubleP_X_1_alloc_table, X) <= 1)

goal AffectDoubleDansTab_safety_po_6:
  forall d:double.
  forall X:doubleP pointer.
  forall doubleP_X_1_alloc_table:doubleP alloc_table.
  ("JC_29":
  (("JC_25": (offset_min(doubleP_X_1_alloc_table, X) <= 0)) and
   (("JC_26": (offset_max(doubleP_X_1_alloc_table, X) >= 10)) and
    (("JC_27": bounded(double_value(d), 0x1.p0)) and
     ("JC_28": (double_round_error(d) = 0.0)))))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d) + double_value(result))) ->
  forall result0:double.
  add_double_post(nearest_even, d, result, result0) ->
  forall result1:double.
  ((double_value(result1) = 1.0) and
   ((double_exact(result1) = 1.0) and (double_model(result1) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, d, result1, result2) ->
  (1 <= offset_max(doubleP_X_1_alloc_table, X))

goal AffectDoubleDansX_ensures_default_po_1:
  forall d_2:double.
  ("JC_7":
  (("JC_5": bounded(double_value(d_2), 0x1.p0)) and
   ("JC_6": (double_round_error(d_2) = 0.0)))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall result0:double.
  add_double_post(nearest_even, d_2, result, result0) ->
  forall x_0:double.
  (x_0 = result0) ->
  ("JC_11":
  ("JC_9":
  (abs_real((double_value(x_0) - (double_value(d_2) + 1.0))) <= 0x1.p-53)))

goal AffectDoubleDansX_ensures_default_po_2:
  forall d_2:double.
  ("JC_7":
  (("JC_5": bounded(double_value(d_2), 0x1.p0)) and
   ("JC_6": (double_round_error(d_2) = 0.0)))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall result0:double.
  add_double_post(nearest_even, d_2, result, result0) ->
  forall x_0:double.
  (x_0 = result0) ->
  ("JC_11": ("JC_10": (double_round_error(x_0) <= 0x1.p-53)))

goal AffectDoubleDansX_safety_po_1:
  forall d_2:double.
  ("JC_7":
  (("JC_5": bounded(double_value(d_2), 0x1.p0)) and
   ("JC_6": (double_round_error(d_2) = 0.0)))) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  no_overflow_double(nearest_even,
  (double_value(d_2) + double_value(result)))

why-2.34/tests/c/oracle/binary_heap.err.oracle0000644000175000017500000000000012311670312017673 0ustar  rtuserswhy-2.34/tests/c/oracle/popHeap.res.oracle0000644000175000017500000606266512311670312017046 0ustar  rtusers========== file tests/c/popHeap.c ==========

/**
Extract from
http://www.first.fraunhofer.de/fileadmin/FIRST/ACSL-by-Example.pdf
*/

#pragma SeparationPolicy(none)


typedef int bool;
#define false		((bool)0)
#define true		((bool)1)

typedef int value_type;

typedef int size_type; 




/*@
  predicate IsValidRange(value_type* a, integer n) =
    (0 <= n) && \valid_range(a, 0, n-1);
*/

/*@
  predicate
    IsEqual{A,B}(value_type* a, integer n, value_type* b) =
      \forall integer i; 0 <= i < n ==> 
        \at(a[i], A) == \at(b[i], B);
*/



/*@
  axiomatic ParentChildAxioms
  {
    predicate ParentChild(integer i, integer j);

    axiom ParentChild_1:
      \forall integer i, j; ParentChild(i, j) <==>
         0 <= i < j && (j == 2*i+1 || j == 2*i+2);

    axiom ParentChild_2:
      \forall integer i, j; ParentChild(i, j) <==>
        0 < j && i == (j-1)/2;
  }

  lemma ParentChild_3:
    \forall integer i; 0 < i ==>
      ParentChild((i-1)/2, i) && 0 <= (i-1)/2 < i;

  predicate IsHeap{L}(value_type* c, integer n) = 
    \forall integer i, j;
      j < n && ParentChild(i, j) ==> c[i] >= c[j];
*/

/*@
  predicate IsMaximum{L}(value_type* a, integer n, integer max) =
     \forall integer i; 0 <= i < n ==> a[max] >= a[i];

  predicate IsFirstMaximum{L}(value_type* a, integer max) =
    \forall integer i; 0 <= i < max ==> a[i] < a[max];
*/

/*@
  axiomatic CountAxiomatic
  {
    logic integer Count{L}(value_type* a, value_type v,
                           integer i, integer j) reads a[i..(j-1)];

    axiom Count0:
      \forall value_type *a, v, integer i,j;
        i >= j ==> Count(a, v, i, j) == 0;

    axiom Count1:
      \forall value_type *a, v, integer i, j, k;
        0 <= i <= j <= k ==> Count(a, v, i ,k) ==
                             Count(a, v, i, j) + Count(a, v, j, k);

    axiom Count2:
      \forall value_type *a, v, integer i;
        (a[i] != v ==> Count(a, v, i, i+1) == 0) &&
        (a[i] == v ==> Count(a, v, i, i+1) == 1);

  logic integer CountWithHole{L}(value_type* c, value_type v, integer i, integer h,  integer j) =
      Count{L}(c, v, i, h) + Count{L}(c, v, h+1, j);

  logic integer CountWithoutHole{L}(value_type* c, value_type v, integer i, integer h,  integer j) =
      Count{L}(c, v, i, h) + Count{L}(c, v, h, j);
  }

  lemma CountLemma: \forall value_type *a, v, integer i;
    0 <= i ==> Count(a, v, 0, i+1) ==
               Count(a, v, 0, i) + Count(a, v, i, i+1);
*/

/*@
  predicate
    Permutation{A,B}(value_type* c, size_type n) = 
      \forall value_type x; 
        Count{A}(c, x, 0, n) == Count{B}(c, x, 0, n);
*/

/*@
  requires 0 < n && IsValidRange(a, n);
  requires IsHeap(a, n);

  assigns \nothing;

  ensures \forall integer i; 0 <= i < n ==> a[0] >= a[i];
*/
void pop_heap_induction(const value_type* a, size_type n);


/*@
  requires 0 < n && IsValidRange(a, n);
  requires 0 <= parent < child < n;
  requires a[parent] == a[child];

  assigns \nothing;

  ensures \forall value_type x; 
    CountWithHole(a, x, 0, child, n) == CountWithHole(a, x, 0, parent, n);
*/
void pop_push_heap_copy(value_type* a, size_type n, size_type parent, size_type child);

#define INT_MAX			2147483647

/*@
   requires 0 < n <  (INT_MAX-2)/2;
   requires IsValidRange(a, n);
   requires IsHeap(a, n);

   assigns a[0..(n-1)];

   ensures IsHeap(a, n-1);
   ensures a[n-1] == \old(a[0]);
   ensures IsMaximum(a, n, n-1);
   ensures Permutation{Old, Here}(a, n);
*/
void pop_heap(value_type* a, size_type n);


void pop_heap(value_type* a, size_type n)
{
  //@ ghost pop_heap_induction(a,n);
  //@ assert \forall integer i; 0 < i < n ==> a[0] >= a[i];
  value_type tmp = 0, max = 0;
  size_type hole = 0;
  tmp = a[n-1];
  max  = a[0];
  /*@ assert \forall value_type x;
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
  */
  /*@
     loop invariant 0 <= hole < n;
     loop invariant IsHeap(a,n-1);
     loop invariant \forall integer i; 0 <= i < n ==> a[i] <= max;
     loop invariant \forall integer i;
        hole < n-1 && ParentChild(i,hole) ==> a[i] >= tmp;
     loop invariant \forall value_type x;
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
     loop invariant \at(a[n-1],Pre) == a[n-1];

     loop assigns a[0..hole],hole;
     loop   variant n - hole;
  */
  while (true)
  {
    size_type child = 2*hole + 2;
    if (child < n-1)
    {
      if (a[child] < a[child-1]) child--;
      //@ assert ParentChild(hole,child);
      if (a[child] > tmp)
      {
        //@ assert hole < n-1;
        a[hole] = a[child];
        //@ assert \at(a[n-1],Pre) == a[n-1];
        //@ ghost pop_push_heap_copy(a,n,hole,child);
        hole = child;
      }
      else break;
    }
    else
    {
      child = 2*hole + 1;
      if (child == n-2 && a[child] > tmp)
      {
        //@ assert hole < n-1;
        a[hole] = a[child];
        //@ assert \at(a[n-1],Pre) == a[n-1];
        //@ ghost pop_push_heap_copy(a,n,hole,child);
        hole = child;
      }
      break;
    }
  }
  /*@  assert \forall integer i;
    hole < n-1 && ParentChild(i,hole) ==> a[i] >= tmp;
  */

  a[hole] = tmp;
  /*@ assert \forall value_type x;
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
  */
  //@ assert hole a[hole] ==tmp== \at(a[n-1],Pre) == a[n-1];
  /*@ assert \forall value_type x; hole < n-1 ==>
        Count(a,x,hole+1,(n-1)+1)==CountWithoutHole(a,x,hole+1,n-1,n);
  */

  /*@ assert \forall value_type x;
      (hole < n-1 ==> CountWithHole(a,x,0,hole,n) ==
        CountWithHole(a,x,0,hole,n-1) +  Count(a,x,n-1 ,(n-1)+1) ==
        CountWithoutHole(a,x,0,hole,hole+1) + Count(a,x,hole+1,n-1) ==
        CountWithoutHole(a,x,0,hole,n-1) ==
        Count(a,x,0,n-1)) &&
      (hole == n-1 ==> CountWithHole(a,x,0,hole,n) ==
        CountWithHole(a,x,0,n-1,n) == Count(a,x,0,n-1));
  */
  /*@ assert \forall value_type x; Count(a,x,0,n-1) ==
        CountWithHole(a,x,0,hole,n) == Count{Pre}(a,x,1,n);
  */

  a[n-1]  = max;
  /*@ assert \forall value_type x;
        Count(a,x,n-1,(n-1)+1) == Count{Pre}(a,x,0,1);
  */
  /*@ assert \forall value_type x; CountWithoutHole(a,x,0,n-1,n) 
        == CountWithoutHole{Pre}(a,x,0,1,n);
  */
  /*@ assert \forall value_type x;
        Count(a,x,0,n) == CountWithoutHole(a,x,0,n-1,n) ==
        CountWithoutHole{Pre}(a,x,0,1,n) == Count{Pre}(a,x,0,n);
  */
}



void pop_heap_induction(const value_type* a, size_type n)
{
  /*@
  loop invariant 0 <= i <= n;
  loop invariant  \forall integer j;
     0 <= j < i <= n ==> a[0] >= a[j];
  loop   variant n - i;
  */
  for (size_type i = 1; i < n; i++)
  {
    //@ assert 0 < i ==> ParentChild((i-1)/2, i);
  }
}



========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/popHeap.c"
tests/c/popHeap.c:23:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/popHeap.jessie
[jessie] File tests/c/popHeap.jessie/popHeap.jc written.
[jessie] File tests/c/popHeap.jessie/popHeap.cloc written.
========== file tests/c/popHeap.jessie/popHeap.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = None
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate IsValidRange{L}(intP[..] a, integer n) =
\at(((0 <= n) && ((\offset_min(a) <= 0) && (\offset_max(a) >= (n - 1)))),L)

predicate IsEqual{A, B}(intP[..] a_0, integer n_0, intP[..] b) =
(\forall integer i_1;
  (((0 <= i_1) && (i_1 < n_0)) ==>
    (\at((a_0 + i_1).intM,A) == \at((b + i_1).intM,B))))

axiomatic ParentChildAxioms {

  predicate ParentChild(integer i_2, integer j_0)
   
  axiom ParentChild_1 :
  (\forall integer i_3;
    (\forall integer j_1;
      (ParentChild(i_3, j_1) <==>
        (((0 <= i_3) && (i_3 < j_1)) &&
          ((j_1 == ((2 * i_3) + 1)) || (j_1 == ((2 * i_3) + 2)))))))
   
  axiom ParentChild_2 :
  (\forall integer i_4;
    (\forall integer j_2;
      (ParentChild(i_4, j_2) <==> ((0 < j_2) && (i_4 == ((j_2 - 1) / 2))))))
  
}

lemma ParentChild_3 :
(\forall integer i_5;
  ((0 < i_5) ==>
    (ParentChild(((i_5 - 1) / 2), i_5) &&
      ((0 <= ((i_5 - 1) / 2)) && (((i_5 - 1) / 2) < i_5)))))

predicate IsHeap{L}(intP[..] c, integer n_1) =
(\forall integer i_6;
  (\forall integer j_3;
    (((j_3 < n_1) && ParentChild(i_6, j_3)) ==>
      ((c + i_6).intM >= (c + j_3).intM))))

predicate IsMaximum{L}(intP[..] a_1, integer n_2, integer max) =
(\forall integer i_7;
  (((0 <= i_7) && (i_7 < n_2)) ==> ((a_1 + max).intM >= (a_1 + i_7).intM)))

predicate IsFirstMaximum{L}(intP[..] a_2, integer max_0) =
(\forall integer i_8;
  (((0 <= i_8) && (i_8 < max_0)) ==> ((a_2 + i_8).intM < (a_2 + max_0).intM)))

axiomatic CountAxiomatic {

  logic integer Count{L}(intP[..] a_3, int32 v, integer i_9, integer j_4)
  reads (a_3 + [i_9..(j_4 - 1)]).intM;
   
  axiom Count0{L} :
  (\forall intP[..] a_4;
    (\forall int32 v_0;
      (\forall integer i_10;
        (\forall integer j_5;
          ((i_10 >= j_5) ==> (Count{L}(a_4, v_0, i_10, j_5) == 0))))))
   
  axiom Count1{L} :
  (\forall intP[..] a_5;
    (\forall int32 v_1;
      (\forall integer i_11;
        (\forall integer j_6;
          (\forall integer k;
            (((0 <= i_11) && ((i_11 <= j_6) && (j_6 <= k))) ==>
              (Count{L}(a_5, v_1, i_11, k) ==
                (Count{L}(a_5, v_1, i_11, j_6) + Count{L}(a_5, v_1, j_6, k)))))))))
   
  axiom Count2{L} :
  (\forall intP[..] a_6;
    (\forall int32 v_2;
      (\forall integer i_12;
        ((((a_6 + i_12).intM != v_2) ==>
           (Count{L}(a_6, v_2, i_12, (i_12 + 1)) == 0)) &&
          (((a_6 + i_12).intM == v_2) ==>
            (Count{L}(a_6, v_2, i_12, (i_12 + 1)) == 1))))))
   
  logic integer CountWithHole{L}(intP[..] c_0, int32 v_3, integer i_13,
                                 integer h, integer j_7) =
  (Count{L}(c_0, v_3, i_13, h) + Count{L}(c_0, v_3, (h + 1), j_7))
   
  logic integer CountWithoutHole{L}(intP[..] c_1, int32 v_4, integer i_14,
                                    integer h_0, integer j_8) =
  (Count{L}(c_1, v_4, i_14, h_0) + Count{L}(c_1, v_4, h_0, j_8))
  
}

lemma CountLemma{L} :
(\forall intP[..] a_7;
  (\forall int32 v_5;
    (\forall integer i_15;
      ((0 <= i_15) ==>
        (Count{L}(a_7, v_5, 0, (i_15 + 1)) ==
          (Count{L}(a_7, v_5, 0, i_15) +
            Count{L}(a_7, v_5, i_15, (i_15 + 1))))))))

predicate Permutation{A, B}(intP[..] c_2, int32 n_3) =
(\forall int32 x;
  (Count{A}(c_2, x, 0, n_3) == Count{B}(c_2, x, 0, n_3)))

unit pop_push_heap_copy(intP[..] a_1, int32 n_3, int32 parent, int32 child)
  requires (_C_8 : ((_C_9 : (0 < n_3)) &&
                     (_C_10 : IsValidRange{Here}(a_1, n_3))));
  requires (_C_3 : ((_C_4 : (0 <= parent)) &&
                     ((_C_6 : (parent < child)) && (_C_7 : (child < n_3)))));
  requires (_C_2 : ((a_1 + parent).intM == (a_1 + child).intM));
behavior default:
  assigns \nothing;
  ensures (_C_1 : (\forall int32 x_0;
                    (CountWithHole{Here}(\at(a_1,Old), x_0, 0,
                                         \at(child,Old), \at(n_3,Old)) ==
                      CountWithHole{Here}(\at(a_1,Old), x_0, 0,
                                          \at(parent,Old), \at(n_3,Old)))));
;

unit pop_heap(intP[..] a, int32 n_1)
  requires (_C_106 : ((_C_107 : (0 < n_1)) &&
                       (_C_108 : (n_1 < ((2147483647 - 2) / 2)))));
  requires (_C_105 : IsValidRange{Here}(a, n_1));
  requires (_C_104 : IsHeap{Here}(a, n_1));
behavior default:
  assigns (a + [0..(n_1 - 1)]).intM;
  ensures (_C_97 : ((_C_98 : IsHeap{Here}(\at(a,Old), (\at(n_1,Old) - 1))) &&
                     ((_C_100 : ((\at(a,Old) + (\at(n_1,Old) - 1)).intM ==
                                  \at((a + 0).intM,Old))) &&
                       ((_C_102 : IsMaximum{Here}(\at(a,Old), \at(n_1,Old),
                                                  (\at(n_1,Old) - 1))) &&
                         (_C_103 : Permutation{Old,
                         Here}(\at(a,Old), \at(n_1,Old)))))));
{  
   (var int32 tmp);
   
   (var int32 max);
   
   (var int32 hole);
   
   (var int32 child_0);
   
   {  (_C_11 : pop_heap_induction(a, n_1));
      
      {  
         (assert for default: (_C_12 : (jessie : (\forall integer i_16;
                                                   (((0 < i_16) &&
                                                      (i_16 < n_1)) ==>
                                                     ((a + 0).intM >=
                                                       (a + i_16).intM))))));
         ()
      };
      
      {  (_C_13 : (tmp = 0));
         (_C_14 : (max = 0))
      };
      (_C_15 : (hole = 0));
      (_C_20 : (tmp = (_C_19 : (_C_18 : (a +
                                          (_C_17 : ((_C_16 : (n_1 - 1)) :> int32)))).intM)));
      (_C_23 : (max = (_C_22 : (_C_21 : (a + 0)).intM)));
      
      {  
         (assert for default: (_C_24 : (jessie : (\forall int32 x_1;
                                                   (CountWithHole{Here}(
                                                     a, x_1, 0, hole, n_1) ==
                                                     Count{Pre}(a, x_1, 1,
                                                                n_1))))));
         ()
      };
      
      loop 
      behavior default:
        invariant (_C_31 : ((_C_32 : (0 <= hole)) && (_C_33 : (hole < n_1))));
      behavior default:
        invariant (_C_30 : IsHeap{Here}(a, (n_1 - 1)));
      behavior default:
        invariant (_C_29 : (\forall integer i_17;
                             (((0 <= i_17) && (i_17 < n_1)) ==>
                               ((a + i_17).intM <= max))));
      behavior default:
        invariant (_C_28 : (\forall integer i_18;
                             (((hole < (n_1 - 1)) && ParentChild(i_18, hole)) ==>
                               ((a + i_18).intM >= tmp))));
      behavior default:
        invariant (_C_27 : (\forall int32 x_2;
                             (CountWithHole{Here}(a, x_2, 0, hole, n_1) ==
                               Count{Pre}(a, x_2, 1, n_1))));
      behavior default:
        invariant (_C_26 : (\at((a + (n_1 - 1)).intM,Pre) ==
                             (a + (n_1 - 1)).intM));
      behavior default:
        
        assigns (a + [0..hole]).intM,
        hole;
      variant (_C_25 : (n_1 - hole));
      while (true)
      {  
         {  (_C_38 : (child_0 = (_C_37 : ((_C_36 : ((_C_35 : ((_C_34 : 
                                                              (2 *
                                                                hole)) :> int32)) +
                                                     2)) :> int32))));
            (if (child_0 < (_C_79 : ((_C_78 : (n_1 - 1)) :> int32))) then 
            {  (if ((_C_65 : (_C_64 : (a + child_0)).intM) <
                     (_C_63 : (_C_62 : (a +
                                         (_C_61 : ((_C_60 : (child_0 - 1)) :> int32)))).intM)) then 
               (_C_59 : (child_0 = (_C_58 : ((_C_57 : (child_0 - 1)) :> int32)))) else ());
               
               {  
                  (assert for default: (_C_66 : (jessie : ParentChild(
                                                hole, child_0))));
                  ()
               };
               
               {  (if ((_C_77 : (_C_76 : (a + child_0)).intM) > tmp) then 
                  {  
                     {  
                        (assert for default: (_C_67 : (jessie : (hole <
                                                                  (n_1 - 1)))));
                        ()
                     };
                     (_C_72 : ((_C_71 : (_C_70 : (a + hole)).intM) = 
                     (_C_69 : (_C_68 : (a + child_0)).intM)));
                     
                     {  
                        (assert for default: (_C_73 : (jessie : (\at(
                                                                 (a +
                                                                   (n_1 - 1)).intM,Pre) ==
                                                                  (a +
                                                                    (n_1 - 1)).intM))));
                        ()
                     };
                     (_C_74 : pop_push_heap_copy(a, n_1, hole, child_0));
                     (_C_75 : (hole = child_0))
                  } else 
                  (goto while_0_break))
               }
            } else 
            {  (_C_43 : (child_0 = (_C_42 : ((_C_41 : ((_C_40 : ((_C_39 : 
                                                                 (2 *
                                                                   hole)) :> int32)) +
                                                        1)) :> int32))));
               (if (child_0 == (_C_56 : ((_C_55 : (n_1 - 2)) :> int32))) then 
               (if ((_C_54 : (_C_53 : (a + child_0)).intM) > tmp) then 
               {  
                  {  
                     (assert for default: (_C_44 : (jessie : (hole <
                                                               (n_1 - 1)))));
                     ()
                  };
                  (_C_49 : ((_C_48 : (_C_47 : (a + hole)).intM) = (_C_46 : 
                                                                  (_C_45 : 
                                                                  (a +
                                                                    child_0)).intM)));
                  
                  {  
                     (assert for default: (_C_50 : (jessie : (\at((a +
                                                                    (n_1 - 1)).intM,Pre) ==
                                                               (a +
                                                                 (n_1 - 1)).intM))));
                     ()
                  };
                  (_C_51 : pop_push_heap_copy(a, n_1, hole, child_0));
                  (_C_52 : (hole = child_0))
               } else ()) else ());
               
               (goto while_0_break)
            })
         }
      };
      (while_0_break : ());
      
      {  
         (assert for default: (_C_80 : (jessie : (\forall integer i_19;
                                                   (((hole < (n_1 - 1)) &&
                                                      ParentChild(i_19, hole)) ==>
                                                     ((a + i_19).intM >= tmp))))));
         ()
      };
      (_C_83 : ((_C_82 : (_C_81 : (a + hole)).intM) = tmp));
      
      {  
         (assert for default: (_C_84 : (jessie : (\forall int32 x_3;
                                                   (CountWithHole{Here}(
                                                     a, x_3, 0, hole, n_1) ==
                                                     Count{Pre}(a, x_3, 1,
                                                                n_1))))));
         ()
      };
      
      {  
         (assert for default: (_C_85 : (jessie : ((hole < (n_1 - 1)) ==>
                                                   (((a + hole).intM == tmp) &&
                                                     ((tmp ==
                                                        \at((a + (n_1 - 1)).intM,Pre)) &&
                                                       (\at((a + (n_1 - 1)).intM,Pre) ==
                                                         (a + (n_1 - 1)).intM)))))));
         ()
      };
      
      {  
         (assert for default: (_C_86 : (jessie : (\forall int32 x_4;
                                                   ((hole < (n_1 - 1)) ==>
                                                     (Count{Here}(a, x_4,
                                                                  (hole + 1),
                                                                  ((n_1 - 1) +
                                                                    1)) ==
                                                       CountWithoutHole{Here}(
                                                       a, x_4, (hole + 1),
                                                       (n_1 - 1), n_1)))))));
         ()
      };
      
      {  
         (assert for default: (_C_87 : (jessie : (\forall int32 x_5;
                                                   (((hole < (n_1 - 1)) ==>
                                                      ((CountWithHole{Here}(
                                                         a, x_5, 0, hole, n_1) ==
                                                         (CountWithHole{Here}(
                                                           a, x_5, 0, hole,
                                                           (n_1 - 1)) +
                                                           Count{Here}(
                                                           a, x_5, (n_1 - 1),
                                                           ((n_1 - 1) + 1)))) &&
                                                        (((CountWithHole{Here}(
                                                            a, x_5, 0, hole,
                                                            (n_1 - 1)) +
                                                            Count{Here}(
                                                            a, x_5,
                                                            (n_1 - 1),
                                                            ((n_1 - 1) + 1))) ==
                                                           (CountWithoutHole{Here}(
                                                             a, x_5, 0, hole,
                                                             (hole + 1)) +
                                                             Count{Here}(
                                                             a, x_5,
                                                             (hole + 1),
                                                             (n_1 - 1)))) &&
                                                          (((CountWithoutHole{Here}(
                                                              a, x_5, 0,
                                                              hole,
                                                              (hole + 1)) +
                                                              Count{Here}(
                                                              a, x_5,
                                                              (hole + 1),
                                                              (n_1 - 1))) ==
                                                             CountWithoutHole{Here}(
                                                             a, x_5, 0, hole,
                                                             (n_1 - 1))) &&
                                                            (CountWithoutHole{Here}(
                                                              a, x_5, 0,
                                                              hole, (n_1 - 1)) ==
                                                              Count{Here}(
                                                              a, x_5, 0,
                                                              (n_1 - 1))))))) &&
                                                     ((hole == (n_1 - 1)) ==>
                                                       ((CountWithHole{Here}(
                                                          a, x_5, 0, hole,
                                                          n_1) ==
                                                          CountWithHole{Here}(
                                                          a, x_5, 0,
                                                          (n_1 - 1), n_1)) &&
                                                         (CountWithHole{Here}(
                                                           a, x_5, 0,
                                                           (n_1 - 1), n_1) ==
                                                           Count{Here}(
                                                           a, x_5, 0,
                                                           (n_1 - 1))))))))));
         ()
      };
      
      {  
         (assert for default: (_C_88 : (jessie : (\forall int32 x_6;
                                                   ((Count{Here}(a, x_6, 0,
                                                                 (n_1 - 1)) ==
                                                      CountWithHole{Here}(
                                                      a, x_6, 0, hole, n_1)) &&
                                                     (CountWithHole{Here}(
                                                       a, x_6, 0, hole, n_1) ==
                                                       Count{Pre}(a, x_6, 1,
                                                                  n_1)))))));
         ()
      };
      (_C_93 : ((_C_92 : (_C_91 : (a +
                                    (_C_90 : ((_C_89 : (n_1 - 1)) :> int32)))).intM) = max));
      
      {  
         (assert for default: (_C_94 : (jessie : (\forall int32 x_7;
                                                   (Count{Here}(a, x_7,
                                                                (n_1 - 1),
                                                                ((n_1 - 1) +
                                                                  1)) ==
                                                     Count{Pre}(a, x_7, 0, 1))))));
         ()
      };
      
      {  
         (assert for default: (_C_95 : (jessie : (\forall int32 x_8;
                                                   (CountWithoutHole{Here}(
                                                     a, x_8, 0, (n_1 - 1),
                                                     n_1) ==
                                                     CountWithoutHole{Pre}(
                                                     a, x_8, 0, 1, n_1))))));
         ()
      };
      
      {  
         (assert for default: (_C_96 : (jessie : (\forall int32 x_9;
                                                   ((Count{Here}(a, x_9, 0,
                                                                 n_1) ==
                                                      CountWithoutHole{Here}(
                                                      a, x_9, 0, (n_1 - 1),
                                                      n_1)) &&
                                                     ((CountWithoutHole{Here}(
                                                        a, x_9, 0, (n_1 - 1),
                                                        n_1) ==
                                                        CountWithoutHole{Pre}(
                                                        a, x_9, 0, 1, n_1)) &&
                                                       (CountWithoutHole{Pre}(
                                                         a, x_9, 0, 1, n_1) ==
                                                         Count{Pre}(a, x_9,
                                                                    0, n_1))))))));
         ()
      };
      
      (return ())
   }
}

unit pop_heap_induction(intP[..] a_0, int32 n_2)
  requires (_C_121 : ((_C_122 : (0 < n_2)) &&
                       (_C_123 : IsValidRange{Here}(a_0, n_2))));
  requires (_C_120 : IsHeap{Here}(a_0, n_2));
behavior default:
  assigns \nothing;
  ensures (_C_119 : (\forall integer i_20;
                      (((0 <= i_20) && (i_20 < \at(n_2,Old))) ==>
                        ((\at(a_0,Old) + 0).intM >=
                          (\at(a_0,Old) + i_20).intM))));
{  
   (var int32 i);
   
   {  (_C_109 : (i = 1));
      
      loop 
      behavior default:
        invariant (_C_112 : ((_C_113 : (0 <= i)) && (_C_114 : (i <= n_2))));
      behavior default:
        invariant (_C_111 : (\forall integer j_9;
                              (((0 <= j_9) && ((j_9 < i) && (i <= n_2))) ==>
                                ((a_0 + 0).intM >= (a_0 + j_9).intM))));
      variant (_C_110 : (n_2 - i));
      while (true)
      {  
         {  (if (i < n_2) then () else 
            (goto while_0_break));
            
            {  
               {  
                  (assert for default: (_C_115 : (jessie : ((0 < i) ==>
                                                             ParentChild(
                                                             ((i - 1) / 2), i)))));
                  ()
               }
            };
            (_C_118 : (i = (_C_117 : ((_C_116 : (i + 1)) :> int32))))
         }
      };
      (while_0_break : ());
      
      (return ())
   }
}
========== file tests/c/popHeap.jessie/popHeap.cloc ==========
[_C_115]
file = "HOME/tests/c/popHeap.c"
line = 251
begin = 15
end = 48

[_C_52]
file = "HOME/tests/c/popHeap.c"
line = 195
begin = 15
end = 20

[_C_121]
file = "HOME/tests/c/popHeap.c"
line = 106
begin = 11
end = 38

[_C_35]
file = "HOME/tests/c/popHeap.c"
line = 171
begin = 22
end = 28

[_C_117]
file = "HOME/tests/c/popHeap.c"
line = 249
begin = 31
end = 34

[_C_120]
file = "HOME/tests/c/popHeap.c"
line = 107
begin = 11
end = 23

[_C_56]
file = "HOME/tests/c/popHeap.c"
line = 189
begin = 19
end = 22

[_C_28]
file = "HOME/tests/c/popHeap.c"
line = 160
begin = 20
end = 96

[_C_72]
file = "HOME/tests/c/popHeap.c"
line = 179
begin = 18
end = 26

[_C_59]
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 33
end = 40

[_C_48]
file = "HOME/tests/c/popHeap.c"
line = 192
begin = 18
end = 26

[_C_116]
file = "HOME/tests/c/popHeap.c"
line = 249
begin = 31
end = 34

[_C_51]
file = "HOME/tests/c/popHeap.c"
line = 194
begin = 18
end = 52

[_C_103]
file = "HOME/tests/c/popHeap.c"
line = 140
begin = 11
end = 39

[_C_31]
file = "HOME/tests/c/popHeap.c"
line = 157
begin = 20
end = 33

[_C_108]
file = "HOME/tests/c/popHeap.c"
line = 131
begin = 16
end = 37

[_C_77]
file = "HOME/tests/c/popHeap.c"
line = 176
begin = 10
end = 18

[_C_83]
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 12
end = 15

[ParentChild_3]
name = "Lemma ParentChild_3"
file = "HOME/tests/c/popHeap.c"
line = 49
begin = 2
end = 234

[_C_41]
file = "HOME/tests/c/popHeap.c"
line = 188
begin = 14
end = 24

[_C_4]
file = "HOME/tests/c/popHeap.c"
line = 118
begin = 11
end = 22

[ParentChild_1]
name = "Lemma ParentChild_1"
file = "HOME/tests/c/popHeap.c"
line = 40
begin = 4
end = 126

[_C_101]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_71]
file = "HOME/tests/c/popHeap.c"
line = 179
begin = 18
end = 26

[_C_70]
file = "HOME/tests/c/popHeap.c"
line = 179
begin = 8
end = 9

[_C_89]
file = "HOME/tests/c/popHeap.c"
line = 226
begin = 4
end = 7

[_C_90]
file = "HOME/tests/c/popHeap.c"
line = 226
begin = 4
end = 7

[_C_61]
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 23
end = 30

[_C_69]
file = "HOME/tests/c/popHeap.c"
line = 179
begin = 18
end = 26

[_C_32]
file = "HOME/tests/c/popHeap.c"
line = 157
begin = 20
end = 29

[_C_23]
file = "HOME/tests/c/popHeap.c"
line = 152
begin = 8
end = 12

[_C_19]
file = "HOME/tests/c/popHeap.c"
line = 151
begin = 8
end = 14

[_C_42]
file = "HOME/tests/c/popHeap.c"
line = 188
begin = 14
end = 24

[_C_82]
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 12
end = 15

[_C_110]
file = "HOME/tests/c/popHeap.c"
line = 247
begin = 15
end = 20

[_C_94]
file = "HOME/tests/c/popHeap.c"
line = 227
begin = 13
end = 88

[_C_84]
file = "HOME/tests/c/popHeap.c"
line = 205
begin = 13
end = 93

[_C_13]
file = "HOME/tests/c/popHeap.c"
line = 149
begin = 2
end = 12

[_C_5]
file = "HOME/tests/c/popHeap.c"
line = 118
begin = 16
end = 34

[_C_91]
file = "HOME/tests/c/popHeap.c"
line = 226
begin = 2
end = 3

[_C_36]
file = "HOME/tests/c/popHeap.c"
line = 171
begin = 22
end = 32

[_C_12]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 13
end = 58

[_C_33]
file = "HOME/tests/c/popHeap.c"
line = 157
begin = 25
end = 33

[_C_111]
file = "HOME/tests/c/popHeap.c"
line = 245
begin = 17
end = 73

[_C_79]
file = "HOME/tests/c/popHeap.c"
line = 172
begin = 16
end = 19

[CountLemma]
name = "Lemma CountLemma"
file = "HOME/tests/c/popHeap.c"
line = 93
begin = 2
end = 150

[ParentChild_2]
name = "Lemma ParentChild_2"
file = "HOME/tests/c/popHeap.c"
line = 44
begin = 4
end = 106

[_C_104]
file = "HOME/tests/c/popHeap.c"
line = 133
begin = 12
end = 24

[_C_85]
file = "HOME/tests/c/popHeap.c"
line = 208
begin = 13
end = 67

[_C_22]
file = "HOME/tests/c/popHeap.c"
line = 152
begin = 8
end = 12

[_C_65]
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 10
end = 18

[_C_9]
file = "HOME/tests/c/popHeap.c"
line = 117
begin = 11
end = 16

[_C_57]
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 33
end = 40

[_C_54]
file = "HOME/tests/c/popHeap.c"
line = 189
begin = 26
end = 34

[_C_30]
file = "HOME/tests/c/popHeap.c"
line = 158
begin = 20
end = 33

[_C_63]
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 21
end = 31

[_C_6]
file = "HOME/tests/c/popHeap.c"
line = 118
begin = 16
end = 30

[_C_64]
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 10
end = 11

[_C_122]
file = "HOME/tests/c/popHeap.c"
line = 106
begin = 11
end = 16

[_C_95]
file = "HOME/tests/c/popHeap.c"
line = 230
begin = 13
end = 108

[_C_93]
file = "HOME/tests/c/popHeap.c"
line = 226
begin = 11
end = 14

[_C_102]
file = "HOME/tests/c/popHeap.c"
line = 139
begin = 11
end = 31

[_C_49]
file = "HOME/tests/c/popHeap.c"
line = 192
begin = 18
end = 26

[_C_24]
file = "HOME/tests/c/popHeap.c"
line = 153
begin = 13
end = 93

[_C_45]
file = "HOME/tests/c/popHeap.c"
line = 192
begin = 18
end = 19

[_C_97]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_20]
file = "HOME/tests/c/popHeap.c"
line = 151
begin = 8
end = 14

[_C_73]
file = "HOME/tests/c/popHeap.c"
line = 180
begin = 19
end = 44

[pop_heap]
name = "Function pop_heap"
file = "HOME/tests/c/popHeap.c"
line = 145
begin = 5
end = 13

[Count2]
name = "Lemma Count2"
file = "HOME/tests/c/popHeap.c"
line = 81
begin = 4
end = 162

[_C_96]
file = "HOME/tests/c/popHeap.c"
line = 233
begin = 13
end = 157

[_C_38]
file = "HOME/tests/c/popHeap.c"
line = 171
begin = 4
end = 13

[_C_3]
file = "HOME/tests/c/popHeap.c"
line = 118
begin = 11
end = 34

[_C_98]
file = "HOME/tests/c/popHeap.c"
line = 137
begin = 11
end = 25

[_C_109]
file = "HOME/tests/c/popHeap.c"
line = 249
begin = 7
end = 16

[_C_114]
file = "HOME/tests/c/popHeap.c"
line = 244
begin = 22
end = 28

[_C_92]
file = "HOME/tests/c/popHeap.c"
line = 226
begin = 11
end = 14

[_C_81]
file = "HOME/tests/c/popHeap.c"
line = 204
begin = 2
end = 3

[_C_17]
file = "HOME/tests/c/popHeap.c"
line = 151
begin = 10
end = 13

[_C_112]
file = "HOME/tests/c/popHeap.c"
line = 244
begin = 17
end = 28

[Count0]
name = "Lemma Count0"
file = "HOME/tests/c/popHeap.c"
line = 72
begin = 4
end = 105

[_C_7]
file = "HOME/tests/c/popHeap.c"
line = 118
begin = 25
end = 34

[_C_86]
file = "HOME/tests/c/popHeap.c"
line = 209
begin = 13
end = 119

[_C_62]
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 21
end = 22

[_C_55]
file = "HOME/tests/c/popHeap.c"
line = 189
begin = 19
end = 22

[_C_27]
file = "HOME/tests/c/popHeap.c"
line = 162
begin = 20
end = 100

[_C_105]
file = "HOME/tests/c/popHeap.c"
line = 132
begin = 12
end = 30

[_C_87]
file = "HOME/tests/c/popHeap.c"
line = 213
begin = 13
end = 408

[_C_46]
file = "HOME/tests/c/popHeap.c"
line = 192
begin = 18
end = 26

[_C_44]
file = "HOME/tests/c/popHeap.c"
line = 191
begin = 19
end = 29

[_C_15]
file = "HOME/tests/c/popHeap.c"
line = 150
begin = 2
end = 11

[_C_99]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_26]
file = "HOME/tests/c/popHeap.c"
line = 164
begin = 20
end = 45

[_C_47]
file = "HOME/tests/c/popHeap.c"
line = 192
begin = 8
end = 9

[_C_10]
file = "HOME/tests/c/popHeap.c"
line = 117
begin = 20
end = 38

[_C_68]
file = "HOME/tests/c/popHeap.c"
line = 179
begin = 18
end = 19

[_C_60]
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 23
end = 30

[_C_53]
file = "HOME/tests/c/popHeap.c"
line = 189
begin = 26
end = 27

[_C_40]
file = "HOME/tests/c/popHeap.c"
line = 188
begin = 14
end = 20

[_C_58]
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 33
end = 40

[_C_8]
file = "HOME/tests/c/popHeap.c"
line = 117
begin = 11
end = 38

[_C_119]
file = "HOME/tests/c/popHeap.c"
line = 111
begin = 10
end = 56

[_C_66]
file = "HOME/tests/c/popHeap.c"
line = 175
begin = 17
end = 40

[_C_18]
file = "HOME/tests/c/popHeap.c"
line = 151
begin = 8
end = 9

[_C_29]
file = "HOME/tests/c/popHeap.c"
line = 159
begin = 20
end = 65

[_C_75]
file = "HOME/tests/c/popHeap.c"
line = 182
begin = 15
end = 20

[_C_14]
file = "HOME/tests/c/popHeap.c"
line = 149
begin = 2
end = 12

[_C_123]
file = "HOME/tests/c/popHeap.c"
line = 106
begin = 20
end = 38

[_C_106]
file = "HOME/tests/c/popHeap.c"
line = 131
begin = 12
end = 37

[_C_50]
file = "HOME/tests/c/popHeap.c"
line = 193
begin = 19
end = 44

[_C_37]
file = "HOME/tests/c/popHeap.c"
line = 171
begin = 22
end = 32

[_C_43]
file = "HOME/tests/c/popHeap.c"
line = 188
begin = 14
end = 24

[_C_107]
file = "HOME/tests/c/popHeap.c"
line = 131
begin = 12
end = 17

[_C_88]
file = "HOME/tests/c/popHeap.c"
line = 222
begin = 13
end = 113

[_C_100]
file = "HOME/tests/c/popHeap.c"
line = 138
begin = 11
end = 31

[_C_2]
file = "HOME/tests/c/popHeap.c"
line = 119
begin = 11
end = 32

[Count1]
name = "Lemma Count1"
file = "HOME/tests/c/popHeap.c"
line = 76
begin = 4
end = 184

[_C_34]
file = "HOME/tests/c/popHeap.c"
line = 171
begin = 22
end = 28

[_C_67]
file = "HOME/tests/c/popHeap.c"
line = 178
begin = 19
end = 29

[_C_16]
file = "HOME/tests/c/popHeap.c"
line = 151
begin = 10
end = 13

[_C_113]
file = "HOME/tests/c/popHeap.c"
line = 244
begin = 17
end = 23

[_C_1]
file = "HOME/tests/c/popHeap.c"
line = 123
begin = 10
end = 105

[_C_76]
file = "HOME/tests/c/popHeap.c"
line = 176
begin = 10
end = 11

[_C_25]
file = "HOME/tests/c/popHeap.c"
line = 167
begin = 18
end = 26

[_C_39]
file = "HOME/tests/c/popHeap.c"
line = 188
begin = 14
end = 20

[pop_heap_induction]
name = "Function pop_heap_induction"
file = "HOME/tests/c/popHeap.c"
line = 241
begin = 5
end = 23

[_C_80]
file = "HOME/tests/c/popHeap.c"
line = 200
begin = 14
end = 86

[_C_74]
file = "HOME/tests/c/popHeap.c"
line = 181
begin = 18
end = 52

[_C_78]
file = "HOME/tests/c/popHeap.c"
line = 172
begin = 16
end = 19

[_C_11]
file = "HOME/tests/c/popHeap.c"
line = 147
begin = 12
end = 35

[_C_21]
file = "HOME/tests/c/popHeap.c"
line = 152
begin = 8
end = 9

[_C_118]
file = "HOME/tests/c/popHeap.c"
line = 249
begin = 31
end = 34

========== jessie execution ==========
Generating Why function pop_heap
Generating Why function pop_heap_induction
========== file tests/c/popHeap.jessie/popHeap.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs popHeap.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs popHeap.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/popHeap_why.sx

project: why/popHeap.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/popHeap_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/popHeap_why.vo

coq/popHeap_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/popHeap_why.v: why/popHeap.why
	@echo 'why -coq [...] why/popHeap.why' && $(WHY) $(JESSIELIBFILES) why/popHeap.why && rm -f coq/jessie_why.v

coq-goals: goals coq/popHeap_ctx_why.vo
	for f in why/*_po*.why; do make -f popHeap.makefile coq/`basename $$f .why`_why.v ; done

coq/popHeap_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/popHeap_ctx_why.v: why/popHeap_ctx.why
	@echo 'why -coq [...] why/popHeap_ctx.why' && $(WHY) why/popHeap_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export popHeap_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/popHeap_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/popHeap_ctx_why.vo

pvs: pvs/popHeap_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/popHeap_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/popHeap_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/popHeap_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/popHeap_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/popHeap_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/popHeap_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/popHeap_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/popHeap_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/popHeap_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/popHeap_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/popHeap_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/popHeap_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/popHeap_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/popHeap_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: popHeap.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/popHeap_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: popHeap.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: popHeap.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: popHeap.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include popHeap.depend

depend: coq/popHeap_why.v
	-$(COQDEP) -I coq coq/popHeap*_why.v > popHeap.depend

clean:
	rm -f coq/*.vo

========== file tests/c/popHeap.jessie/popHeap.loc ==========
[JC_94]
file = "HOME/tests/c/popHeap.c"
line = 205
begin = 13
end = 93

[JC_73]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 21
end = 31

[JC_158]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 249
begin = 31
end = 34

[JC_63]
file = "HOME/tests/c/popHeap.c"
line = 157
begin = 25
end = 33

[JC_80]
file = "HOME/tests/c/popHeap.c"
line = 180
begin = 19
end = 44

[JC_51]
kind = UserCall
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 180
begin = 15
end = 41

[JC_71]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 10
end = 18

[JC_147]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 471
begin = 10
end = 18

[JC_151]
file = "HOME/tests/c/popHeap.c"
line = 244
begin = 17
end = 23

[JC_45]
file = "HOME/tests/c/popHeap.c"
line = 140
begin = 11
end = 39

[JC_123]
file = "HOME/tests/c/popHeap.c"
line = 193
begin = 19
end = 44

[JC_106]
file = "HOME/tests/c/popHeap.c"
line = 153
begin = 13
end = 93

[JC_143]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_113]
file = "HOME/tests/c/popHeap.c"
line = 157
begin = 25
end = 33

[JC_116]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 208
begin = 6
end = 4815

[JC_64]
file = "HOME/tests/c/popHeap.c"
line = 157
begin = 20
end = 33

[JC_133]
file = "HOME/tests/c/popHeap.c"
line = 233
begin = 13
end = 157

[JC_99]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 226
begin = 4
end = 7

[ParentChild_3]
name = "Lemma ParentChild_3"
behavior = "lemma"
file = "HOME/tests/c/popHeap.c"
line = 49
begin = 2
end = 234

[JC_85]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 189
begin = 26
end = 34

[JC_126]
file = "HOME/tests/c/popHeap.c"
line = 205
begin = 13
end = 93

[ParentChild_1]
name = "Lemma ParentChild_1"
behavior = "axiom"
file = "HOME/tests/c/popHeap.c"
line = 40
begin = 4
end = 126

[JC_31]
file = "HOME/tests/c/popHeap.c"
line = 132
begin = 12
end = 30

[JC_17]
file = "HOME/tests/c/popHeap.c"
line = 123
begin = 10
end = 105

[JC_122]
file = "HOME/tests/c/popHeap.c"
line = 191
begin = 19
end = 29

[JC_81]
kind = UserCall
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 269
begin = 30
end = 71

[JC_55]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 152
begin = 8
end = 12

[JC_138]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_134]
file = "HOME/tests/c/popHeap.c"
line = 106
begin = 11
end = 16

[JC_148]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_137]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_48]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 162
begin = 9
end = 16

[JC_23]
file = "HOME/tests/c/popHeap.c"
line = 131
begin = 12
end = 17

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_121]
kind = UserCall
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 269
begin = 30
end = 71

[JC_5]
file = "HOME/tests/c/popHeap.c"
line = 118
begin = 25
end = 34

[JC_125]
file = "HOME/tests/c/popHeap.c"
line = 200
begin = 14
end = 86

[JC_67]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 208
begin = 6
end = 4815

[JC_9]
file = "HOME/tests/c/popHeap.c"
line = 117
begin = 11
end = 16

[JC_75]
file = "HOME/tests/c/popHeap.c"
line = 175
begin = 17
end = 40

[JC_24]
file = "HOME/tests/c/popHeap.c"
line = 131
begin = 16
end = 37

[JC_25]
file = "HOME/tests/c/popHeap.c"
line = 132
begin = 12
end = 30

[JC_78]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 179
begin = 18
end = 26

[JC_41]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 162
begin = 9
end = 16

[JC_74]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 33
end = 40

[JC_47]
file = "HOME/tests/c/popHeap.c"
line = 145
begin = 5
end = 13

[JC_52]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 13
end = 58

[JC_26]
file = "HOME/tests/c/popHeap.c"
line = 133
begin = 12
end = 24

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[CountLemma]
name = "Lemma CountLemma"
behavior = "lemma"
file = "HOME/tests/c/popHeap.c"
line = 93
begin = 2
end = 150

[ParentChild_2]
name = "Lemma ParentChild_2"
behavior = "axiom"
file = "HOME/tests/c/popHeap.c"
line = 44
begin = 4
end = 106

[JC_154]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 151
begin = 8
end = 14

[JC_79]
kind = PointerDeref
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 258
begin = 31
end = 129

[JC_13]
file = "HOME/tests/c/popHeap.c"
line = 118
begin = 25
end = 34

[JC_130]
file = "HOME/tests/c/popHeap.c"
line = 222
begin = 13
end = 113

[JC_82]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 188
begin = 14
end = 20

[JC_163]
file = "HOME/tests/c/popHeap.c"
line = 244
begin = 17
end = 28

[JC_153]
file = "HOME/tests/c/popHeap.c"
line = 244
begin = 17
end = 28

[JC_87]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 192
begin = 18
end = 26

[JC_11]
file = "HOME/tests/c/popHeap.c"
line = 118
begin = 11
end = 22

[pop_heap_induction_ensures_default]
name = "Function pop_heap_induction"
behavior = "default behavior"
file = "HOME/tests/c/popHeap.c"
line = 241
begin = 5
end = 23

[JC_167]
file = "HOME/tests/c/popHeap.c"
line = 251
begin = 15
end = 48

[JC_98]
file = "HOME/tests/c/popHeap.c"
line = 222
begin = 13
end = 113

[JC_70]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 172
begin = 16
end = 19

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/c/popHeap.c"
line = 138
begin = 11
end = 31

[JC_104]
kind = UserCall
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 180
begin = 15
end = 41

[JC_91]
file = "HOME/tests/c/popHeap.c"
line = 167
begin = 18
end = 26

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/tests/c/popHeap.c"
line = 157
begin = 20
end = 29

[JC_40]
file = "HOME/tests/c/popHeap.c"
line = 145
begin = 5
end = 13

[JC_162]
file = "HOME/tests/c/popHeap.c"
line = 244
begin = 22
end = 28

[JC_135]
file = "HOME/tests/c/popHeap.c"
line = 106
begin = 20
end = 38

[JC_83]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 188
begin = 14
end = 24

[JC_35]
file = "HOME/tests/c/popHeap.c"
line = 137
begin = 11
end = 25

[Count2]
name = "Lemma Count2"
behavior = "axiom"
file = "HOME/tests/c/popHeap.c"
line = 81
begin = 4
end = 162

[JC_132]
file = "HOME/tests/c/popHeap.c"
line = 230
begin = 13
end = 108

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_115]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_109]
file = "HOME/tests/c/popHeap.c"
line = 160
begin = 20
end = 96

[JC_107]
file = "HOME/tests/c/popHeap.c"
line = 164
begin = 20
end = 45

[JC_69]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 171
begin = 22
end = 32

[JC_124]
kind = UserCall
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 299
begin = 27
end = 68

[JC_38]
file = "HOME/tests/c/popHeap.c"
line = 140
begin = 11
end = 39

[JC_12]
file = "HOME/tests/c/popHeap.c"
line = 118
begin = 16
end = 30

[JC_6]
file = "HOME/tests/c/popHeap.c"
line = 119
begin = 11
end = 32

[JC_156]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 481
begin = 6
end = 896

[JC_127]
file = "HOME/tests/c/popHeap.c"
line = 208
begin = 13
end = 67

[JC_164]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/tests/c/popHeap.c"
line = 139
begin = 11
end = 31

[JC_155]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 481
begin = 6
end = 896

[JC_4]
file = "HOME/tests/c/popHeap.c"
line = 118
begin = 16
end = 30

[pop_heap_induction_safety]
name = "Function pop_heap_induction"
behavior = "Safety"
file = "HOME/tests/c/popHeap.c"
line = 241
begin = 5
end = 23

[JC_62]
file = "HOME/tests/c/popHeap.c"
line = 157
begin = 20
end = 29

[JC_101]
file = "HOME/tests/c/popHeap.c"
line = 227
begin = 13
end = 88

[Count0]
name = "Lemma Count0"
behavior = "axiom"
file = "HOME/tests/c/popHeap.c"
line = 72
begin = 4
end = 105

[JC_88]
kind = PointerDeref
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 287
begin = 28
end = 306

[JC_129]
file = "HOME/tests/c/popHeap.c"
line = 213
begin = 13
end = 408

[JC_42]
file = "HOME/tests/c/popHeap.c"
line = 137
begin = 11
end = 25

[JC_110]
file = "HOME/tests/c/popHeap.c"
line = 159
begin = 20
end = 65

[JC_166]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 481
begin = 6
end = 896

[JC_103]
file = "HOME/tests/c/popHeap.c"
line = 233
begin = 13
end = 157

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_141]
file = "HOME/tests/c/popHeap.c"
line = 107
begin = 11
end = 23

[JC_61]
file = "HOME/tests/c/popHeap.c"
line = 158
begin = 20
end = 33

[JC_32]
file = "HOME/tests/c/popHeap.c"
line = 133
begin = 12
end = 24

[JC_56]
file = "HOME/tests/c/popHeap.c"
line = 153
begin = 13
end = 93

[JC_33]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_65]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_118]
file = "HOME/tests/c/popHeap.c"
line = 175
begin = 17
end = 40

[JC_105]
file = "HOME/tests/c/popHeap.c"
line = 148
begin = 13
end = 58

[JC_140]
file = "HOME/tests/c/popHeap.c"
line = 106
begin = 20
end = 38

[JC_29]
file = "HOME/tests/c/popHeap.c"
line = 131
begin = 12
end = 17

[JC_144]
file = "HOME/tests/c/popHeap.c"
line = 111
begin = 10
end = 56

[JC_159]
file = "HOME/tests/c/popHeap.c"
line = 247
begin = 15
end = 20

[JC_68]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 171
begin = 22
end = 28

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_96]
file = "HOME/tests/c/popHeap.c"
line = 209
begin = 13
end = 119

[JC_43]
file = "HOME/tests/c/popHeap.c"
line = 138
begin = 11
end = 31

[JC_2]
file = "HOME/tests/c/popHeap.c"
line = 117
begin = 20
end = 38

[JC_95]
file = "HOME/tests/c/popHeap.c"
line = 208
begin = 13
end = 67

[JC_93]
kind = PointerDeref
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 316
begin = 16
end = 57

[JC_97]
file = "HOME/tests/c/popHeap.c"
line = 213
begin = 13
end = 408

[JC_84]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 189
begin = 19
end = 22

[JC_160]
file = "HOME/tests/c/popHeap.c"
line = 245
begin = 17
end = 73

[JC_128]
file = "HOME/tests/c/popHeap.c"
line = 209
begin = 13
end = 119

[JC_34]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_114]
file = "HOME/tests/c/popHeap.c"
line = 157
begin = 20
end = 33

[JC_14]
file = "HOME/tests/c/popHeap.c"
line = 119
begin = 11
end = 32

[JC_150]
file = "HOME/tests/c/popHeap.c"
line = 245
begin = 17
end = 73

[pop_heap_ensures_default]
name = "Function pop_heap"
behavior = "default behavior"
file = "HOME/tests/c/popHeap.c"
line = 145
begin = 5
end = 13

[JC_117]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 208
begin = 6
end = 4815

[pop_heap_safety]
name = "Function pop_heap"
behavior = "Safety"
file = "HOME/tests/c/popHeap.c"
line = 145
begin = 5
end = 13

[JC_90]
kind = UserCall
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 299
begin = 27
end = 68

[JC_53]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 151
begin = 10
end = 13

[JC_157]
file = "HOME/tests/c/popHeap.c"
line = 251
begin = 15
end = 48

[JC_145]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 471
begin = 10
end = 18

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_149]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_111]
file = "HOME/tests/c/popHeap.c"
line = 158
begin = 20
end = 33

[JC_77]
file = "HOME/tests/c/popHeap.c"
line = 178
begin = 19
end = 29

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/popHeap.c"
line = 117
begin = 11
end = 16

[JC_131]
file = "HOME/tests/c/popHeap.c"
line = 227
begin = 13
end = 88

[JC_102]
file = "HOME/tests/c/popHeap.c"
line = 230
begin = 13
end = 108

[JC_37]
file = "HOME/tests/c/popHeap.c"
line = 139
begin = 11
end = 31

[Count1]
name = "Lemma Count1"
behavior = "axiom"
file = "HOME/tests/c/popHeap.c"
line = 76
begin = 4
end = 184

[JC_142]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_10]
file = "HOME/tests/c/popHeap.c"
line = 117
begin = 20
end = 38

[JC_108]
file = "HOME/tests/c/popHeap.c"
line = 162
begin = 20
end = 100

[JC_57]
file = "HOME/tests/c/popHeap.c"
line = 164
begin = 20
end = 45

[JC_161]
file = "HOME/tests/c/popHeap.c"
line = 244
begin = 17
end = 23

[JC_146]
file = "HOME/tests/c/popHeap.c"
line = 111
begin = 10
end = 56

[JC_89]
file = "HOME/tests/c/popHeap.c"
line = 193
begin = 19
end = 44

[JC_136]
file = "HOME/tests/c/popHeap.c"
line = 107
begin = 11
end = 23

[JC_66]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 208
begin = 6
end = 4815

[JC_59]
file = "HOME/tests/c/popHeap.c"
line = 160
begin = 20
end = 96

[JC_20]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 149
begin = 10
end = 18

[JC_165]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 481
begin = 6
end = 896

[JC_18]
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 149
begin = 10
end = 18

[JC_3]
file = "HOME/tests/c/popHeap.c"
line = 118
begin = 11
end = 22

[JC_92]
file = "HOME/tests/c/popHeap.c"
line = 200
begin = 14
end = 86

[JC_152]
file = "HOME/tests/c/popHeap.c"
line = 244
begin = 22
end = 28

[JC_86]
file = "HOME/tests/c/popHeap.c"
line = 191
begin = 19
end = 29

[JC_60]
file = "HOME/tests/c/popHeap.c"
line = 159
begin = 20
end = 65

[JC_139]
file = "HOME/tests/c/popHeap.c"
line = 106
begin = 11
end = 16

[JC_72]
kind = ArithOverflow
file = "HOME/tests/c/popHeap.c"
line = 174
begin = 23
end = 30

[JC_19]
file = "HOME/tests/c/popHeap.c"
line = 123
begin = 10
end = 105

[JC_119]
file = "HOME/tests/c/popHeap.c"
line = 178
begin = 19
end = 29

[JC_76]
kind = PointerDeref
file = "HOME/tests/c/popHeap.c"
line = 176
begin = 10
end = 18

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/c/popHeap.c"
line = 131
begin = 16
end = 37

[JC_120]
file = "HOME/tests/c/popHeap.c"
line = 180
begin = 19
end = 44

[JC_58]
file = "HOME/tests/c/popHeap.c"
line = 162
begin = 20
end = 100

[JC_100]
kind = PointerDeref
file = "HOME/tests/c/popHeap.jessie/popHeap.jc"
line = 420
begin = 16
end = 129

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/popHeap.jessie/why/popHeap.why ==========
type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic Count: intP pointer, int32, int, int, (intP, int32) memory -> int

function CountWithHole(c_0:intP pointer, v_3:int32, i_13:int, h:int, j_7:int,
 intP_intM_at_L:(intP, int32) memory) : int =
 add_int(Count(c_0, v_3, i_13, h, intP_intM_at_L),
 Count(c_0, v_3, add_int(h, (1)), j_7, intP_intM_at_L))

function CountWithoutHole(c_1:intP pointer, v_4:int32, i_14:int, h_0:int,
 j_8:int, intP_intM_at_L:(intP, int32) memory) : int =
 add_int(Count(c_1, v_4, i_14, h_0, intP_intM_at_L),
 Count(c_1, v_4, h_0, j_8, intP_intM_at_L))

logic integer_of_int32: int32 -> int

predicate IsEqual(a_0:intP pointer, n_0:int, b:intP pointer,
 intP_intM_at_B:(intP, int32) memory, intP_intM_at_A:(intP, int32) memory) =
 (forall i_1:int.
  ((le_int((0), i_1) and lt_int(i_1, n_0)) ->
   (integer_of_int32(select(intP_intM_at_A, shift(a_0, i_1))) = integer_of_int32(
                                                                select(intP_intM_at_B,
                                                                shift(b, i_1))))))

predicate IsFirstMaximum(a_2:intP pointer, max_0:int,
 intP_intM_at_L:(intP, int32) memory) =
 (forall i_8:int.
  ((le_int((0), i_8) and lt_int(i_8, max_0)) ->
   lt_int(integer_of_int32(select(intP_intM_at_L, shift(a_2, i_8))),
   integer_of_int32(select(intP_intM_at_L, shift(a_2, max_0))))))

logic ParentChild: int, int -> prop

predicate IsHeap(c:intP pointer, n_1:int,
 intP_intM_at_L:(intP, int32) memory) =
 (forall i_6:int.
  (forall j_3:int.
   ((lt_int(j_3, n_1) and ParentChild(i_6, j_3)) ->
    ge_int(integer_of_int32(select(intP_intM_at_L, shift(c, i_6))),
    integer_of_int32(select(intP_intM_at_L, shift(c, j_3)))))))

predicate IsMaximum(a_1:intP pointer, n_2:int, max:int,
 intP_intM_at_L:(intP, int32) memory) =
 (forall i_7:int.
  ((le_int((0), i_7) and lt_int(i_7, n_2)) ->
   ge_int(integer_of_int32(select(intP_intM_at_L, shift(a_1, max))),
   integer_of_int32(select(intP_intM_at_L, shift(a_1, i_7))))))

predicate IsValidRange(a:intP pointer, n:int,
 intP_alloc_table_at_L:intP alloc_table) =
 (le_int((0), n)
 and (le_int(offset_min(intP_alloc_table_at_L, a), (0))
     and ge_int(offset_max(intP_alloc_table_at_L, a), sub_int(n, (1)))))

predicate Permutation(c_2:intP pointer, n_3:int32,
 intP_intM_at_B:(intP, int32) memory, intP_intM_at_A:(intP, int32) memory) =
 (forall x_0:int32.
  (Count(c_2, x_0, (0), integer_of_int32(n_3), intP_intM_at_A) = Count(c_2,
                                                                 x_0, (0),
                                                                 integer_of_int32(n_3),
                                                                 intP_intM_at_B)))

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom no_assign_Count_0 :
 (forall tmp:intP pset.
  (forall tmpmem:(intP, int32) memory.
   (forall tmpalloc:intP alloc_table.
    (forall intP_intM_at_L:(intP, int32) memory.
     (forall j_4:int.
      (forall i_9:int.
       (forall v:int32.
        (forall a_3:intP pointer.
         ((pset_disjoint(tmp,
           pset_range(pset_singleton(a_3), i_9, sub_int(j_4, (1))))
          and not_assigns(tmpalloc, intP_intM_at_L, tmpmem, tmp)) ->
          (Count(a_3, v, i_9, j_4, intP_intM_at_L) = Count(a_3, v, i_9, j_4,
                                                     tmpmem)))))))))))

axiom no_update_Count_0 :
 (forall tmp:intP pointer.
  (forall tmpval:int32.
   (forall intP_intM_at_L:(intP, int32) memory.
    (forall j_4:int.
     (forall i_9:int.
      (forall v:int32.
       (forall a_3:intP pointer.
        ((not in_pset(tmp,
              pset_range(pset_singleton(a_3), i_9, sub_int(j_4, (1))))) ->
         (Count(a_3, v, i_9, j_4, intP_intM_at_L) = Count(a_3, v, i_9, j_4,
                                                    store(intP_intM_at_L,
                                                    tmp, tmpval)))))))))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

axiom ParentChild_1 :
 (forall i_3:int.
  (forall j_1:int.
   (ParentChild(i_3, j_1)
   <-> (le_int((0), i_3)
       and (lt_int(i_3, j_1)
           and ((j_1 = add_int(mul_int((2), i_3), (1)))
               or (j_1 = add_int(mul_int((2), i_3), (2)))))))))

axiom ParentChild_2 :
 (forall i_4:int.
  (forall j_2:int.
   (ParentChild(i_4, j_2)
   <-> (lt_int((0), j_2) and (i_4 = computer_div(sub_int(j_2, (1)), (2)))))))

lemma ParentChild_3 :
 (forall i_5:int.
  (lt_int((0), i_5) ->
   (ParentChild(computer_div(sub_int(i_5, (1)), (2)), i_5)
   and (le_int((0), computer_div(sub_int(i_5, (1)), (2)))
       and lt_int(computer_div(sub_int(i_5, (1)), (2)), i_5)))))

axiom Count0 :
 (forall intP_intM_at_L:(intP, int32) memory.
  (forall a_4_0:intP pointer.
   (forall v_0:int32.
    (forall i_10:int.
     (forall j_5:int.
      (ge_int(i_10, j_5) ->
       (Count(a_4_0, v_0, i_10, j_5, intP_intM_at_L) = (0))))))))

axiom Count1 :
 (forall intP_intM_at_L:(intP, int32) memory.
  (forall a_5:intP pointer.
   (forall v_1:int32.
    (forall i_11:int.
     (forall j_6:int.
      (forall k:int.
       ((le_int((0), i_11) and (le_int(i_11, j_6) and le_int(j_6, k))) ->
        (Count(a_5, v_1, i_11, k, intP_intM_at_L) = add_int(Count(a_5, v_1,
                                                            i_11, j_6,
                                                            intP_intM_at_L),
                                                    Count(a_5, v_1, j_6, k,
                                                    intP_intM_at_L))))))))))

axiom Count2 :
 (forall intP_intM_at_L:(intP, int32) memory.
  (forall a_6:intP pointer.
   (forall v_2:int32.
    (forall i_12:int.
     (((integer_of_int32(select(intP_intM_at_L, shift(a_6, i_12))) <> 
       integer_of_int32(v_2)) ->
       (Count(a_6, v_2, i_12, add_int(i_12, (1)), intP_intM_at_L) = (0)))
     and ((integer_of_int32(select(intP_intM_at_L, shift(a_6, i_12))) = 
          integer_of_int32(v_2)) ->
          (Count(a_6, v_2, i_12, add_int(i_12, (1)), intP_intM_at_L) = (1))))))))

lemma CountLemma :
 (forall intP_intM_at_L:(intP, int32) memory.
  (forall a_7:intP pointer.
   (forall v_5:int32.
    (forall i_15:int.
     (le_int((0), i_15) ->
      (Count(a_7, v_5, (0), add_int(i_15, (1)), intP_intM_at_L) = add_int(
                                                                  Count(a_7,
                                                                  v_5, (0),
                                                                  i_15,
                                                                  intP_intM_at_L),
                                                                  Count(a_7,
                                                                  v_5, i_15,
                                                                  add_int(i_15,
                                                                  (1)),
                                                                  intP_intM_at_L))))))))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter charP_charM : (charP, int8) memory ref

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter intP_intM : (intP, int32) memory ref

parameter pop_heap :
 a_4:intP pointer ->
  n_1_0:int32 ->
   { } unit reads intP_alloc_table,intP_intM writes intP_intM
   { (JC_48:
     ((JC_46:
      ((JC_42: IsHeap(a_4, sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
      and ((JC_43:
           (integer_of_int32(select(intP_intM,
                             shift(a_4,
                             sub_int(integer_of_int32(n_1_0), (1))))) = 
           integer_of_int32(select(intP_intM@, shift(a_4, (0))))))
          and ((JC_44:
               IsMaximum(a_4, integer_of_int32(n_1_0),
               sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
              and (JC_45: Permutation(a_4, n_1_0, intP_intM, intP_intM@))))))
     and (JC_47:
         not_assigns(intP_alloc_table@, intP_intM@, intP_intM,
         pset_range(pset_singleton(a_4), (0),
         sub_int(integer_of_int32(n_1_0), (1))))))) }

parameter pop_heap_induction :
 a_0_0:intP pointer ->
  n_2_0:int32 ->
   { } unit reads intP_alloc_table,intP_intM
   { (JC_146:
     (forall i_20:int.
      ((le_int((0), i_20) and lt_int(i_20, integer_of_int32(n_2_0))) ->
       ge_int(integer_of_int32(select(intP_intM, shift(a_0_0, (0)))),
       integer_of_int32(select(intP_intM, shift(a_0_0, i_20))))))) }

parameter pop_heap_induction_requires :
 a_0_0:intP pointer ->
  n_2_0:int32 ->
   { (JC_137:
     ((JC_134: lt_int((0), integer_of_int32(n_2_0)))
     and ((JC_135:
          IsValidRange(a_0_0, integer_of_int32(n_2_0), intP_alloc_table))
         and (JC_136: IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM)))))}
   unit reads intP_alloc_table,intP_intM
   { (JC_146:
     (forall i_20:int.
      ((le_int((0), i_20) and lt_int(i_20, integer_of_int32(n_2_0))) ->
       ge_int(integer_of_int32(select(intP_intM, shift(a_0_0, (0)))),
       integer_of_int32(select(intP_intM, shift(a_0_0, i_20))))))) }

parameter pop_heap_requires :
 a_4:intP pointer ->
  n_1_0:int32 ->
   { (JC_27:
     ((JC_23: lt_int((0), integer_of_int32(n_1_0)))
     and ((JC_24:
          lt_int(integer_of_int32(n_1_0),
          computer_div(sub_int((2147483647), (2)), (2))))
         and ((JC_25:
              IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table))
             and (JC_26: IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))))}
   unit reads intP_alloc_table,intP_intM writes intP_intM
   { (JC_48:
     ((JC_46:
      ((JC_42: IsHeap(a_4, sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
      and ((JC_43:
           (integer_of_int32(select(intP_intM,
                             shift(a_4,
                             sub_int(integer_of_int32(n_1_0), (1))))) = 
           integer_of_int32(select(intP_intM@, shift(a_4, (0))))))
          and ((JC_44:
               IsMaximum(a_4, integer_of_int32(n_1_0),
               sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
              and (JC_45: Permutation(a_4, n_1_0, intP_intM, intP_intM@))))))
     and (JC_47:
         not_assigns(intP_alloc_table@, intP_intM@, intP_intM,
         pset_range(pset_singleton(a_4), (0),
         sub_int(integer_of_int32(n_1_0), (1))))))) }

parameter pop_push_heap_copy :
 a_1_0:intP pointer ->
  n_3_0:int32 ->
   parent:int32 ->
    child:int32 ->
     { } unit reads intP_alloc_table,intP_intM
     { (JC_19:
       (forall x_0_0:int32.
        (CountWithHole(a_1_0, x_0_0, (0), integer_of_int32(child),
         integer_of_int32(n_3_0), intP_intM) = CountWithHole(a_1_0, x_0_0,
                                               (0), integer_of_int32(parent),
                                               integer_of_int32(n_3_0),
                                               intP_intM)))) }

parameter pop_push_heap_copy_requires :
 a_1_0:intP pointer ->
  n_3_0:int32 ->
   parent:int32 ->
    child:int32 ->
     { (JC_7:
       ((JC_1: lt_int((0), integer_of_int32(n_3_0)))
       and ((JC_2:
            IsValidRange(a_1_0, integer_of_int32(n_3_0), intP_alloc_table))
           and ((JC_3: le_int((0), integer_of_int32(parent)))
               and ((JC_4:
                    lt_int(integer_of_int32(parent), integer_of_int32(child)))
                   and ((JC_5:
                        lt_int(integer_of_int32(child),
                        integer_of_int32(n_3_0)))
                       and (JC_6:
                           (integer_of_int32(select(intP_intM,
                                             shift(a_1_0,
                                             integer_of_int32(parent)))) = 
                           integer_of_int32(select(intP_intM,
                                            shift(a_1_0,
                                            integer_of_int32(child))))))))))))}
     unit reads intP_alloc_table,intP_intM
     { (JC_19:
       (forall x_0_0:int32.
        (CountWithHole(a_1_0, x_0_0, (0), integer_of_int32(child),
         integer_of_int32(n_3_0), intP_intM) = CountWithHole(a_1_0, x_0_0,
                                               (0), integer_of_int32(parent),
                                               integer_of_int32(n_3_0),
                                               intP_intM)))) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

parameter unsigned_charP_unsigned_charM : (unsigned_charP, uint8) memory ref

let pop_heap_ensures_default =
 fun (a_4 : intP pointer) (n_1_0 : int32) ->
  { (JC_33:
    ((JC_29: lt_int((0), integer_of_int32(n_1_0)))
    and ((JC_30:
         lt_int(integer_of_int32(n_1_0),
         computer_div(sub_int((2147483647), (2)), (2))))
        and ((JC_31:
             IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table))
            and (JC_32: IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) }
  (init:
  try
   begin
     (let tmp = ref (any_int32 void) in
     (let max_1 = ref (any_int32 void) in
     (let hole = ref (any_int32 void) in
     (let child_0 = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = a_4 in
        (let _jessie_ = n_1_0 in
        (JC_104: ((pop_heap_induction _jessie_) _jessie_))));
       (assert
       { (JC_105:
         (forall i_16:int.
          ((lt_int((0), i_16) and lt_int(i_16, integer_of_int32(n_1_0))) ->
           ge_int(integer_of_int32(select(intP_intM, shift(a_4, (0)))),
           integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) }; void);
       void;
       (let _jessie_ =
       begin
         (let _jessie_ = (tmp := (safe_int32_of_integer_ (0))) in void);
        (max_1 := (safe_int32_of_integer_ (0))); !max_1 end in void);
       (let _jessie_ = (hole := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ =
       (tmp := ((safe_acc_ !intP_intM) ((shift a_4) (integer_of_int32 
                                                     (safe_int32_of_integer_ 
                                                      ((sub_int (integer_of_int32 n_1_0)) (1))))))) in
       void);
       (let _jessie_ =
       (max_1 := ((safe_acc_ !intP_intM) ((shift a_4) (0)))) in void);
       (assert
       { (JC_106:
         (forall x_1:int32.
          (CountWithHole(a_4, x_1, (0), integer_of_int32(hole),
           integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, (1),
                                                 integer_of_int32(n_1_0),
                                                 intP_intM@init)))) }; void);
       begin
         void;
        (loop_2:
        begin
          while true do
          { invariant
              (((JC_107:
                (integer_of_int32(select(intP_intM@init,
                                  shift(a_4,
                                  sub_int(integer_of_int32(n_1_0), (1))))) = 
                integer_of_int32(select(intP_intM,
                                 shift(a_4,
                                 sub_int(integer_of_int32(n_1_0), (1)))))))
               and ((JC_108:
                    (forall x_2:int32.
                     (CountWithHole(a_4, x_2, (0), integer_of_int32(hole),
                      integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_2,
                                                            (1),
                                                            integer_of_int32(n_1_0),
                                                            intP_intM@init))))
                   and ((JC_109:
                        (forall i_18:int.
                         ((lt_int(integer_of_int32(hole),
                           sub_int(integer_of_int32(n_1_0), (1)))
                          and ParentChild(i_18, integer_of_int32(hole))) ->
                          ge_int(integer_of_int32(select(intP_intM,
                                                  shift(a_4, i_18))),
                          integer_of_int32(tmp)))))
                       and ((JC_110:
                            (forall i_17:int.
                             ((le_int((0), i_17)
                              and lt_int(i_17, integer_of_int32(n_1_0))) ->
                              le_int(integer_of_int32(select(intP_intM,
                                                      shift(a_4, i_17))),
                              integer_of_int32(max_1)))))
                           and ((JC_111:
                                IsHeap(a_4,
                                sub_int(integer_of_int32(n_1_0), (1)),
                                intP_intM))
                               and (JC_114:
                                   ((JC_112:
                                    le_int((0), integer_of_int32(hole)))
                                   and (JC_113:
                                       lt_int(integer_of_int32(hole),
                                       integer_of_int32(n_1_0))))))))))
              and ((JC_116:
                   not_assigns(intP_alloc_table@loop_2, intP_intM@loop_2,
                   intP_intM,
                   pset_range(pset_singleton(a_4), (0),
                   integer_of_int32(hole))))
                  and (JC_117:
                      not_assigns(intP_alloc_table@init, intP_intM@init,
                      intP_intM,
                      pset_range(pset_singleton(a_4), (0),
                      sub_int(integer_of_int32(n_1_0), (1)))))))  }
           begin
             [ { } unit { true } ];
            try
             begin
               (let _jessie_ =
               (child_0 := (safe_int32_of_integer_ ((add_int (integer_of_int32 
                                                              (safe_int32_of_integer_ 
                                                               ((mul_int (2)) 
                                                                (integer_of_int32 !hole))))) (2)))) in
               void);
              (if ((lt_int_ (integer_of_int32 !child_0)) (integer_of_int32 
                                                          (safe_int32_of_integer_ 
                                                           ((sub_int 
                                                             (integer_of_int32 n_1_0)) (1)))))
              then
               begin
                 (if ((lt_int_ (integer_of_int32 ((safe_acc_ !intP_intM) 
                                                  ((shift a_4) (integer_of_int32 !child_0))))) 
                      (integer_of_int32 ((safe_acc_ !intP_intM) ((shift a_4) 
                                                                 (integer_of_int32 
                                                                  (safe_int32_of_integer_ 
                                                                   ((sub_int 
                                                                    (integer_of_int32 !child_0)) (1))))))))
                 then
                  (let _jessie_ =
                  (child_0 := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !child_0)) (1)))) in
                  void) else void);
                (assert
                { (JC_118:
                  ParentChild(integer_of_int32(hole),
                  integer_of_int32(child_0))) }; void); void;
                (if ((gt_int_ (integer_of_int32 ((safe_acc_ !intP_intM) 
                                                 ((shift a_4) (integer_of_int32 !child_0))))) 
                     (integer_of_int32 !tmp))
                then
                 (let _jessie_ =
                 begin
                   (assert
                   { (JC_119:
                     lt_int(integer_of_int32(hole),
                     sub_int(integer_of_int32(n_1_0), (1)))) }; void); void;
                  (let _jessie_ =
                  (let _jessie_ =
                  ((safe_acc_ !intP_intM) ((shift a_4) (integer_of_int32 !child_0))) in
                  (let _jessie_ = a_4 in
                  (let _jessie_ = (integer_of_int32 !hole) in
                  (let _jessie_ = ((shift _jessie_) _jessie_) in
                  (((safe_upd_ intP_intM) _jessie_) _jessie_))))) in
                  void);
                  (assert
                  { (JC_120:
                    (integer_of_int32(select(intP_intM@init,
                                      shift(a_4,
                                      sub_int(integer_of_int32(n_1_0), (1))))) = 
                    integer_of_int32(select(intP_intM,
                                     shift(a_4,
                                     sub_int(integer_of_int32(n_1_0), (1))))))) };
                  void); void;
                  (let _jessie_ = a_4 in
                  (let _jessie_ = n_1_0 in
                  (let _jessie_ = !hole in
                  (let _jessie_ = !child_0 in
                  (JC_121:
                  ((((pop_push_heap_copy _jessie_) _jessie_) _jessie_) _jessie_))))));
                  (hole := !child_0); !hole end in void)
                else (raise (Goto_while_0_break_exc void))) end
              else
               begin
                 (let _jessie_ =
                 (child_0 := (safe_int32_of_integer_ ((add_int (integer_of_int32 
                                                                (safe_int32_of_integer_ 
                                                                 ((mul_int (2)) 
                                                                  (integer_of_int32 !hole))))) (1)))) in
                 void);
                (if ((eq_int_ (integer_of_int32 !child_0)) (integer_of_int32 
                                                            (safe_int32_of_integer_ 
                                                             ((sub_int 
                                                               (integer_of_int32 n_1_0)) (2)))))
                then
                 (if ((gt_int_ (integer_of_int32 ((safe_acc_ !intP_intM) 
                                                  ((shift a_4) (integer_of_int32 !child_0))))) 
                      (integer_of_int32 !tmp))
                 then
                  (let _jessie_ =
                  begin
                    (assert
                    { (JC_122:
                      lt_int(integer_of_int32(hole),
                      sub_int(integer_of_int32(n_1_0), (1)))) }; void); void;
                   (let _jessie_ =
                   (let _jessie_ =
                   ((safe_acc_ !intP_intM) ((shift a_4) (integer_of_int32 !child_0))) in
                   (let _jessie_ = a_4 in
                   (let _jessie_ = (integer_of_int32 !hole) in
                   (let _jessie_ = ((shift _jessie_) _jessie_) in
                   (((safe_upd_ intP_intM) _jessie_) _jessie_))))) in
                   void);
                   (assert
                   { (JC_123:
                     (integer_of_int32(select(intP_intM@init,
                                       shift(a_4,
                                       sub_int(integer_of_int32(n_1_0), (1))))) = 
                     integer_of_int32(select(intP_intM,
                                      shift(a_4,
                                      sub_int(integer_of_int32(n_1_0), (1))))))) };
                   void); void;
                   (let _jessie_ = a_4 in
                   (let _jessie_ = n_1_0 in
                   (let _jessie_ = !hole in
                   (let _jessie_ = !child_0 in
                   (JC_124:
                   ((((pop_push_heap_copy _jessie_) _jessie_) _jessie_) _jessie_))))));
                   (hole := !child_0); !hole end in void) else void)
                else void); (raise (Goto_while_0_break_exc void)) end);
              (raise (Loop_continue_exc void)) end with
             Loop_continue_exc _jessie_ -> void end end done;
         (raise (Goto_while_0_break_exc void)) end) end end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break:
      begin
        void;
       (assert
       { (JC_125:
         (forall i_19:int.
          ((lt_int(integer_of_int32(hole),
            sub_int(integer_of_int32(n_1_0), (1)))
           and ParentChild(i_19, integer_of_int32(hole))) ->
           ge_int(integer_of_int32(select(intP_intM, shift(a_4, i_19))),
           integer_of_int32(tmp))))) }; void); void;
       (let _jessie_ =
       (let _jessie_ = !tmp in
       (let _jessie_ = a_4 in
       (let _jessie_ = (integer_of_int32 !hole) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intP_intM) _jessie_) _jessie_))))) in void);
       (assert
       { (JC_126:
         (forall x_3:int32.
          (CountWithHole(a_4, x_3, (0), integer_of_int32(hole),
           integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_3, (1),
                                                 integer_of_int32(n_1_0),
                                                 intP_intM@init)))) }; void);
       void;
       (assert
       { (JC_127:
         (lt_int(integer_of_int32(hole),
          sub_int(integer_of_int32(n_1_0), (1))) ->
          ((integer_of_int32(select(intP_intM,
                             shift(a_4, integer_of_int32(hole)))) = integer_of_int32(tmp))
          and ((integer_of_int32(tmp) = integer_of_int32(select(intP_intM@init,
                                                         shift(a_4,
                                                         sub_int(integer_of_int32(n_1_0),
                                                         (1))))))
              and (integer_of_int32(select(intP_intM@init,
                                    shift(a_4,
                                    sub_int(integer_of_int32(n_1_0), (1))))) = 
                  integer_of_int32(select(intP_intM,
                                   shift(a_4,
                                   sub_int(integer_of_int32(n_1_0), (1)))))))))) };
       void); void;
       (assert
       { (JC_128:
         (forall x_4:int32.
          (lt_int(integer_of_int32(hole),
           sub_int(integer_of_int32(n_1_0), (1))) ->
           (Count(a_4, x_4, add_int(integer_of_int32(hole), (1)),
            add_int(sub_int(integer_of_int32(n_1_0), (1)), (1)), intP_intM) = 
           CountWithoutHole(a_4, x_4, add_int(integer_of_int32(hole), (1)),
           sub_int(integer_of_int32(n_1_0), (1)), integer_of_int32(n_1_0),
           intP_intM))))) }; void); void;
       (assert
       { (JC_129:
         (forall x_5:int32.
          ((lt_int(integer_of_int32(hole),
            sub_int(integer_of_int32(n_1_0), (1))) ->
            ((CountWithHole(a_4, x_5, (0), integer_of_int32(hole),
              integer_of_int32(n_1_0), intP_intM) = add_int(CountWithHole(a_4,
                                                            x_5, (0),
                                                            integer_of_int32(hole),
                                                            sub_int(integer_of_int32(n_1_0),
                                                            (1)), intP_intM),
                                                    Count(a_4, x_5,
                                                    sub_int(integer_of_int32(n_1_0),
                                                    (1)),
                                                    add_int(sub_int(integer_of_int32(n_1_0),
                                                            (1)),
                                                    (1)), intP_intM)))
            and ((add_int(CountWithHole(a_4, x_5, (0),
                          integer_of_int32(hole),
                          sub_int(integer_of_int32(n_1_0), (1)), intP_intM),
                  Count(a_4, x_5, sub_int(integer_of_int32(n_1_0), (1)),
                  add_int(sub_int(integer_of_int32(n_1_0), (1)), (1)),
                  intP_intM)) = add_int(CountWithoutHole(a_4, x_5, (0),
                                        integer_of_int32(hole),
                                        add_int(integer_of_int32(hole), (1)),
                                        intP_intM),
                                Count(a_4, x_5,
                                add_int(integer_of_int32(hole), (1)),
                                sub_int(integer_of_int32(n_1_0), (1)),
                                intP_intM)))
                and ((add_int(CountWithoutHole(a_4, x_5, (0),
                              integer_of_int32(hole),
                              add_int(integer_of_int32(hole), (1)),
                              intP_intM),
                      Count(a_4, x_5, add_int(integer_of_int32(hole), (1)),
                      sub_int(integer_of_int32(n_1_0), (1)), intP_intM)) = 
                     CountWithoutHole(a_4, x_5, (0), integer_of_int32(hole),
                     sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
                    and (CountWithoutHole(a_4, x_5, (0),
                         integer_of_int32(hole),
                         sub_int(integer_of_int32(n_1_0), (1)), intP_intM) = 
                        Count(a_4, x_5, (0),
                        sub_int(integer_of_int32(n_1_0), (1)), intP_intM))))))
          and ((integer_of_int32(hole) = sub_int(integer_of_int32(n_1_0),
                                         (1))) ->
               ((CountWithHole(a_4, x_5, (0), integer_of_int32(hole),
                 integer_of_int32(n_1_0), intP_intM) = CountWithHole(a_4,
                                                       x_5, (0),
                                                       sub_int(integer_of_int32(n_1_0),
                                                       (1)),
                                                       integer_of_int32(n_1_0),
                                                       intP_intM))
               and (CountWithHole(a_4, x_5, (0),
                    sub_int(integer_of_int32(n_1_0), (1)),
                    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_5,
                                                          (0),
                                                          sub_int(integer_of_int32(n_1_0),
                                                          (1)), intP_intM))))))) };
       void); void;
       (assert
       { (JC_130:
         (forall x_6:int32.
          ((Count(a_4, x_6, (0), sub_int(integer_of_int32(n_1_0), (1)),
            intP_intM) = CountWithHole(a_4, x_6, (0), integer_of_int32(hole),
                         integer_of_int32(n_1_0), intP_intM))
          and (CountWithHole(a_4, x_6, (0), integer_of_int32(hole),
               integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_6, (1),
                                                     integer_of_int32(n_1_0),
                                                     intP_intM@init))))) };
       void); void;
       (let _jessie_ =
       (let _jessie_ = !max_1 in
       (let _jessie_ = a_4 in
       (let _jessie_ =
       (integer_of_int32 (safe_int32_of_integer_ ((sub_int (integer_of_int32 n_1_0)) (1)))) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (((safe_upd_ intP_intM) _jessie_) _jessie_))))) in void);
       (assert
       { (JC_131:
         (forall x_7:int32.
          (Count(a_4, x_7, sub_int(integer_of_int32(n_1_0), (1)),
           add_int(sub_int(integer_of_int32(n_1_0), (1)), (1)), intP_intM) = 
          Count(a_4, x_7, (0), (1), intP_intM@init)))) }; void); void;
       (assert
       { (JC_132:
         (forall x_8:int32.
          (CountWithoutHole(a_4, x_8, (0),
           sub_int(integer_of_int32(n_1_0), (1)), integer_of_int32(n_1_0),
           intP_intM) = CountWithoutHole(a_4, x_8, (0), (1),
                        integer_of_int32(n_1_0), intP_intM@init)))) }; void);
       void;
       (assert
       { (JC_133:
         (forall x_9:int32.
          ((Count(a_4, x_9, (0), integer_of_int32(n_1_0), intP_intM) = 
           CountWithoutHole(a_4, x_9, (0),
           sub_int(integer_of_int32(n_1_0), (1)), integer_of_int32(n_1_0),
           intP_intM))
          and ((CountWithoutHole(a_4, x_9, (0),
                sub_int(integer_of_int32(n_1_0), (1)),
                integer_of_int32(n_1_0), intP_intM) = CountWithoutHole(a_4,
                                                      x_9, (0), (1),
                                                      integer_of_int32(n_1_0),
                                                      intP_intM@init))
              and (CountWithoutHole(a_4, x_9, (0), (1),
                   integer_of_int32(n_1_0), intP_intM@init) = Count(a_4, x_9,
                                                              (0),
                                                              integer_of_int32(n_1_0),
                                                              intP_intM@init)))))) };
       void); void; (raise Return) end) end)))); (raise Return) end with
   Return -> void end)
  { (JC_41:
    ((JC_39:
     ((JC_35: IsHeap(a_4, sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
     and ((JC_36:
          (integer_of_int32(select(intP_intM,
                            shift(a_4, sub_int(integer_of_int32(n_1_0), (1))))) = 
          integer_of_int32(select(intP_intM@, shift(a_4, (0))))))
         and ((JC_37:
              IsMaximum(a_4, integer_of_int32(n_1_0),
              sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
             and (JC_38: Permutation(a_4, n_1_0, intP_intM, intP_intM@))))))
    and (JC_40:
        not_assigns(intP_alloc_table@, intP_intM@, intP_intM,
        pset_range(pset_singleton(a_4), (0),
        sub_int(integer_of_int32(n_1_0), (1))))))) }

let pop_heap_induction_ensures_default =
 fun (a_0_0 : intP pointer) (n_2_0 : int32) ->
  { (JC_142:
    ((JC_139: lt_int((0), integer_of_int32(n_2_0)))
    and ((JC_140:
         IsValidRange(a_0_0, integer_of_int32(n_2_0), intP_alloc_table))
        and (JC_141: IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) }
  (init:
  try
   begin
     (let i = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (i := (safe_int32_of_integer_ (1))) in void);
       (loop_4:
       begin
         while true do
         { invariant
             ((JC_160:
              (forall j_9:int.
               ((le_int((0), j_9)
                and (lt_int(j_9, integer_of_int32(i))
                    and le_int(integer_of_int32(i), integer_of_int32(n_2_0)))) ->
                ge_int(integer_of_int32(select(intP_intM, shift(a_0_0, (0)))),
                integer_of_int32(select(intP_intM, shift(a_0_0, j_9)))))))
             and (JC_163:
                 ((JC_161: le_int((0), integer_of_int32(i)))
                 and (JC_162:
                     le_int(integer_of_int32(i), integer_of_int32(n_2_0))))))
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 n_2_0))
                then void else (raise (Goto_while_0_break_exc void)));
               (assert
               { (JC_167:
                 (lt_int((0), integer_of_int32(i)) ->
                  ParentChild(computer_div(sub_int(integer_of_int32(i), (1)),
                              (2)),
                  integer_of_int32(i)))) }; void); void;
               (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))));
               !i end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end); (raise Return)
   end with Return -> void end)
  { (JC_144:
    (forall i_20:int.
     ((le_int((0), i_20) and lt_int(i_20, integer_of_int32(n_2_0))) ->
      ge_int(integer_of_int32(select(intP_intM, shift(a_0_0, (0)))),
      integer_of_int32(select(intP_intM, shift(a_0_0, i_20))))))) }

let pop_heap_induction_safety =
 fun (a_0_0 : intP pointer) (n_2_0 : int32) ->
  { (JC_142:
    ((JC_139: lt_int((0), integer_of_int32(n_2_0)))
    and ((JC_140:
         IsValidRange(a_0_0, integer_of_int32(n_2_0), intP_alloc_table))
        and (JC_141: IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) }
  (init:
  try
   begin
     (let i = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (i := (safe_int32_of_integer_ (1))) in void);
       (loop_3:
       begin
         while true do
         { invariant (JC_155: true)
           variant (JC_159 : sub_int(integer_of_int32(n_2_0),
                             integer_of_int32(i))) }
          begin
            [ { } unit reads i,intP_intM
              { ((JC_150:
                 (forall j_9:int.
                  ((le_int((0), j_9)
                   and (lt_int(j_9, integer_of_int32(i))
                       and le_int(integer_of_int32(i),
                           integer_of_int32(n_2_0)))) ->
                   ge_int(integer_of_int32(select(intP_intM,
                                           shift(a_0_0, (0)))),
                   integer_of_int32(select(intP_intM, shift(a_0_0, j_9)))))))
                and (JC_153:
                    ((JC_151: le_int((0), integer_of_int32(i)))
                    and (JC_152:
                        le_int(integer_of_int32(i), integer_of_int32(n_2_0)))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 n_2_0))
                then void else (raise (Goto_while_0_break_exc void)));
               [ { } unit reads i
                 { (JC_157:
                   (lt_int((0), integer_of_int32(i)) ->
                    ParentChild(computer_div(sub_int(integer_of_int32(i),
                                             (1)),
                                (2)),
                    integer_of_int32(i)))) } ]; void;
               (i := (JC_158:
                     (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))));
               !i end in void); (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end); (raise Return)
   end with Return -> void end) { true }

let pop_heap_safety =
 fun (a_4 : intP pointer) (n_1_0 : int32) ->
  { (JC_33:
    ((JC_29: lt_int((0), integer_of_int32(n_1_0)))
    and ((JC_30:
         lt_int(integer_of_int32(n_1_0),
         computer_div(sub_int((2147483647), (2)), (2))))
        and ((JC_31:
             IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table))
            and (JC_32: IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) }
  (init:
  try
   begin
     (let tmp = ref (any_int32 void) in
     (let max_1 = ref (any_int32 void) in
     (let hole = ref (any_int32 void) in
     (let child_0 = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = a_4 in
        (let _jessie_ = n_1_0 in
        (JC_51: ((pop_heap_induction_requires _jessie_) _jessie_))));
       [ { } unit reads intP_intM
         { (JC_52:
           (forall i_16:int.
            ((lt_int((0), i_16) and lt_int(i_16, integer_of_int32(n_1_0))) ->
             ge_int(integer_of_int32(select(intP_intM, shift(a_4, (0)))),
             integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) } ];
       void;
       (let _jessie_ =
       begin
         (let _jessie_ = (tmp := (safe_int32_of_integer_ (0))) in void);
        (max_1 := (safe_int32_of_integer_ (0))); !max_1 end in void);
       (let _jessie_ = (hole := (safe_int32_of_integer_ (0))) in void);
       (let _jessie_ =
       (tmp := (JC_54:
               ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) (integer_of_int32 
                                                                    (JC_53:
                                                                    (int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 n_1_0)) (1)))))))) in
       void);
       (let _jessie_ =
       (max_1 := (JC_55: (((acc_ !intP_alloc_table) !intP_intM) a_4))) in
       void);
       [ { } unit reads hole,intP_intM
         { (JC_56:
           (forall x_1:int32.
            (CountWithHole(a_4, x_1, (0), integer_of_int32(hole),
             integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, (1),
                                                   integer_of_int32(n_1_0),
                                                   intP_intM@init)))) } ];
       begin
         void;
        (loop_1:
        begin
          while true do
          { invariant (JC_66: true)
            variant (JC_91 : sub_int(integer_of_int32(n_1_0),
                             integer_of_int32(hole))) }
           begin
             [ { } unit reads hole,intP_intM,max_1,tmp
               { ((JC_57:
                  (integer_of_int32(select(intP_intM@init,
                                    shift(a_4,
                                    sub_int(integer_of_int32(n_1_0), (1))))) = 
                  integer_of_int32(select(intP_intM,
                                   shift(a_4,
                                   sub_int(integer_of_int32(n_1_0), (1)))))))
                 and ((JC_58:
                      (forall x_2:int32.
                       (CountWithHole(a_4, x_2, (0), integer_of_int32(hole),
                        integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_2,
                                                              (1),
                                                              integer_of_int32(n_1_0),
                                                              intP_intM@init))))
                     and ((JC_59:
                          (forall i_18:int.
                           ((lt_int(integer_of_int32(hole),
                             sub_int(integer_of_int32(n_1_0), (1)))
                            and ParentChild(i_18, integer_of_int32(hole))) ->
                            ge_int(integer_of_int32(select(intP_intM,
                                                    shift(a_4, i_18))),
                            integer_of_int32(tmp)))))
                         and ((JC_60:
                              (forall i_17:int.
                               ((le_int((0), i_17)
                                and lt_int(i_17, integer_of_int32(n_1_0))) ->
                                le_int(integer_of_int32(select(intP_intM,
                                                        shift(a_4, i_17))),
                                integer_of_int32(max_1)))))
                             and ((JC_61:
                                  IsHeap(a_4,
                                  sub_int(integer_of_int32(n_1_0), (1)),
                                  intP_intM))
                                 and (JC_64:
                                     ((JC_62:
                                      le_int((0), integer_of_int32(hole)))
                                     and (JC_63:
                                         lt_int(integer_of_int32(hole),
                                         integer_of_int32(n_1_0)))))))))) } ];
            try
             begin
               (let _jessie_ =
               (child_0 := (JC_69:
                           (int32_of_integer_ ((add_int (integer_of_int32 
                                                         (JC_68:
                                                         (int32_of_integer_ 
                                                          ((mul_int (2)) 
                                                           (integer_of_int32 !hole)))))) (2))))) in
               void);
              (if ((lt_int_ (integer_of_int32 !child_0)) (integer_of_int32 
                                                          (JC_70:
                                                          (int32_of_integer_ 
                                                           ((sub_int 
                                                             (integer_of_int32 n_1_0)) (1))))))
              then
               begin
                 (if ((lt_int_ (integer_of_int32 (JC_71:
                                                 ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) 
                                                  (integer_of_int32 !child_0))))) 
                      (integer_of_int32 (JC_73:
                                        ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) 
                                         (integer_of_int32 (JC_72:
                                                           (int32_of_integer_ 
                                                            ((sub_int 
                                                              (integer_of_int32 !child_0)) (1)))))))))
                 then
                  (let _jessie_ =
                  (child_0 := (JC_74:
                              (int32_of_integer_ ((sub_int (integer_of_int32 !child_0)) (1))))) in
                  void) else void);
                [ { } unit reads child_0,hole
                  { (JC_75:
                    ParentChild(integer_of_int32(hole),
                    integer_of_int32(child_0))) } ]; void;
                (if ((gt_int_ (integer_of_int32 (JC_76:
                                                ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) 
                                                 (integer_of_int32 !child_0))))) 
                     (integer_of_int32 !tmp))
                then
                 (let _jessie_ =
                 begin
                   [ { } unit reads hole
                     { (JC_77:
                       lt_int(integer_of_int32(hole),
                       sub_int(integer_of_int32(n_1_0), (1)))) } ]; void;
                  (let _jessie_ =
                  (let _jessie_ =
                  (JC_78:
                  ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) 
                   (integer_of_int32 !child_0))) in
                  (let _jessie_ = a_4 in
                  (let _jessie_ = (integer_of_int32 !hole) in
                  (let _jessie_ = ((shift _jessie_) _jessie_) in
                  (JC_79:
                  (((((offset_upd_ !intP_alloc_table) intP_intM) _jessie_) _jessie_) _jessie_)))))) in
                  void);
                  [ { } unit reads intP_intM
                    { (JC_80:
                      (integer_of_int32(select(intP_intM@init,
                                        shift(a_4,
                                        sub_int(integer_of_int32(n_1_0), (1))))) = 
                      integer_of_int32(select(intP_intM,
                                       shift(a_4,
                                       sub_int(integer_of_int32(n_1_0), (1))))))) } ];
                  void;
                  (let _jessie_ = a_4 in
                  (let _jessie_ = n_1_0 in
                  (let _jessie_ = !hole in
                  (let _jessie_ = !child_0 in
                  (JC_81:
                  ((((pop_push_heap_copy_requires _jessie_) _jessie_) _jessie_) _jessie_))))));
                  (hole := !child_0); !hole end in void)
                else (raise (Goto_while_0_break_exc void))) end
              else
               begin
                 (let _jessie_ =
                 (child_0 := (JC_83:
                             (int32_of_integer_ ((add_int (integer_of_int32 
                                                           (JC_82:
                                                           (int32_of_integer_ 
                                                            ((mul_int (2)) 
                                                             (integer_of_int32 !hole)))))) (1))))) in
                 void);
                (if ((eq_int_ (integer_of_int32 !child_0)) (integer_of_int32 
                                                            (JC_84:
                                                            (int32_of_integer_ 
                                                             ((sub_int 
                                                               (integer_of_int32 n_1_0)) (2))))))
                then
                 (if ((gt_int_ (integer_of_int32 (JC_85:
                                                 ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) 
                                                  (integer_of_int32 !child_0))))) 
                      (integer_of_int32 !tmp))
                 then
                  (let _jessie_ =
                  begin
                    [ { } unit reads hole
                      { (JC_86:
                        lt_int(integer_of_int32(hole),
                        sub_int(integer_of_int32(n_1_0), (1)))) } ]; void;
                   (let _jessie_ =
                   (let _jessie_ =
                   (JC_87:
                   ((((offset_acc_ !intP_alloc_table) !intP_intM) a_4) 
                    (integer_of_int32 !child_0))) in
                   (let _jessie_ = a_4 in
                   (let _jessie_ = (integer_of_int32 !hole) in
                   (let _jessie_ = ((shift _jessie_) _jessie_) in
                   (JC_88:
                   (((((offset_upd_ !intP_alloc_table) intP_intM) _jessie_) _jessie_) _jessie_)))))) in
                   void);
                   [ { } unit reads intP_intM
                     { (JC_89:
                       (integer_of_int32(select(intP_intM@init,
                                         shift(a_4,
                                         sub_int(integer_of_int32(n_1_0),
                                         (1))))) = integer_of_int32(select(intP_intM,
                                                                    shift(a_4,
                                                                    sub_int(
                                                                    integer_of_int32(n_1_0),
                                                                    (1))))))) } ];
                   void;
                   (let _jessie_ = a_4 in
                   (let _jessie_ = n_1_0 in
                   (let _jessie_ = !hole in
                   (let _jessie_ = !child_0 in
                   (JC_90:
                   ((((pop_push_heap_copy_requires _jessie_) _jessie_) _jessie_) _jessie_))))));
                   (hole := !child_0); !hole end in void) else void)
                else void); (raise (Goto_while_0_break_exc void)) end);
              (raise (Loop_continue_exc void)) end with
             Loop_continue_exc _jessie_ -> void end end done;
         (raise (Goto_while_0_break_exc void)) end) end end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break:
      begin
        void;
       [ { } unit reads hole,intP_intM,tmp
         { (JC_92:
           (forall i_19:int.
            ((lt_int(integer_of_int32(hole),
              sub_int(integer_of_int32(n_1_0), (1)))
             and ParentChild(i_19, integer_of_int32(hole))) ->
             ge_int(integer_of_int32(select(intP_intM, shift(a_4, i_19))),
             integer_of_int32(tmp))))) } ]; void;
       (let _jessie_ =
       (let _jessie_ = !tmp in
       (let _jessie_ = a_4 in
       (let _jessie_ = (integer_of_int32 !hole) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_93:
       (((((offset_upd_ !intP_alloc_table) intP_intM) _jessie_) _jessie_) _jessie_)))))) in
       void);
       [ { } unit reads hole,intP_intM
         { (JC_94:
           (forall x_3:int32.
            (CountWithHole(a_4, x_3, (0), integer_of_int32(hole),
             integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_3, (1),
                                                   integer_of_int32(n_1_0),
                                                   intP_intM@init)))) } ];
       void;
       [ { } unit reads hole,intP_intM,tmp
         { (JC_95:
           (lt_int(integer_of_int32(hole),
            sub_int(integer_of_int32(n_1_0), (1))) ->
            ((integer_of_int32(select(intP_intM,
                               shift(a_4, integer_of_int32(hole)))) = 
             integer_of_int32(tmp))
            and ((integer_of_int32(tmp) = integer_of_int32(select(intP_intM@init,
                                                           shift(a_4,
                                                           sub_int(integer_of_int32(n_1_0),
                                                           (1))))))
                and (integer_of_int32(select(intP_intM@init,
                                      shift(a_4,
                                      sub_int(integer_of_int32(n_1_0), (1))))) = 
                    integer_of_int32(select(intP_intM,
                                     shift(a_4,
                                     sub_int(integer_of_int32(n_1_0), (1)))))))))) } ];
       void;
       [ { } unit reads hole,intP_intM
         { (JC_96:
           (forall x_4:int32.
            (lt_int(integer_of_int32(hole),
             sub_int(integer_of_int32(n_1_0), (1))) ->
             (Count(a_4, x_4, add_int(integer_of_int32(hole), (1)),
              add_int(sub_int(integer_of_int32(n_1_0), (1)), (1)), intP_intM) = 
             CountWithoutHole(a_4, x_4, add_int(integer_of_int32(hole), (1)),
             sub_int(integer_of_int32(n_1_0), (1)), integer_of_int32(n_1_0),
             intP_intM))))) } ]; void;
       [ { } unit reads hole,intP_intM
         { (JC_97:
           (forall x_5:int32.
            ((lt_int(integer_of_int32(hole),
              sub_int(integer_of_int32(n_1_0), (1))) ->
              ((CountWithHole(a_4, x_5, (0), integer_of_int32(hole),
                integer_of_int32(n_1_0), intP_intM) = add_int(CountWithHole(a_4,
                                                              x_5, (0),
                                                              integer_of_int32(hole),
                                                              sub_int(
                                                              integer_of_int32(n_1_0),
                                                              (1)),
                                                              intP_intM),
                                                      Count(a_4, x_5,
                                                      sub_int(integer_of_int32(n_1_0),
                                                      (1)),
                                                      add_int(sub_int(
                                                              integer_of_int32(n_1_0),
                                                              (1)),
                                                      (1)), intP_intM)))
              and ((add_int(CountWithHole(a_4, x_5, (0),
                            integer_of_int32(hole),
                            sub_int(integer_of_int32(n_1_0), (1)), intP_intM),
                    Count(a_4, x_5, sub_int(integer_of_int32(n_1_0), (1)),
                    add_int(sub_int(integer_of_int32(n_1_0), (1)), (1)),
                    intP_intM)) = add_int(CountWithoutHole(a_4, x_5, (0),
                                          integer_of_int32(hole),
                                          add_int(integer_of_int32(hole),
                                          (1)), intP_intM),
                                  Count(a_4, x_5,
                                  add_int(integer_of_int32(hole), (1)),
                                  sub_int(integer_of_int32(n_1_0), (1)),
                                  intP_intM)))
                  and ((add_int(CountWithoutHole(a_4, x_5, (0),
                                integer_of_int32(hole),
                                add_int(integer_of_int32(hole), (1)),
                                intP_intM),
                        Count(a_4, x_5, add_int(integer_of_int32(hole), (1)),
                        sub_int(integer_of_int32(n_1_0), (1)), intP_intM)) = 
                       CountWithoutHole(a_4, x_5, (0),
                       integer_of_int32(hole),
                       sub_int(integer_of_int32(n_1_0), (1)), intP_intM))
                      and (CountWithoutHole(a_4, x_5, (0),
                           integer_of_int32(hole),
                           sub_int(integer_of_int32(n_1_0), (1)), intP_intM) = 
                          Count(a_4, x_5, (0),
                          sub_int(integer_of_int32(n_1_0), (1)), intP_intM))))))
            and ((integer_of_int32(hole) = sub_int(integer_of_int32(n_1_0),
                                           (1))) ->
                 ((CountWithHole(a_4, x_5, (0), integer_of_int32(hole),
                   integer_of_int32(n_1_0), intP_intM) = CountWithHole(a_4,
                                                         x_5, (0),
                                                         sub_int(integer_of_int32(n_1_0),
                                                         (1)),
                                                         integer_of_int32(n_1_0),
                                                         intP_intM))
                 and (CountWithHole(a_4, x_5, (0),
                      sub_int(integer_of_int32(n_1_0), (1)),
                      integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_5,
                                                            (0),
                                                            sub_int(integer_of_int32(n_1_0),
                                                            (1)), intP_intM))))))) } ];
       void;
       [ { } unit reads hole,intP_intM
         { (JC_98:
           (forall x_6:int32.
            ((Count(a_4, x_6, (0), sub_int(integer_of_int32(n_1_0), (1)),
              intP_intM) = CountWithHole(a_4, x_6, (0),
                           integer_of_int32(hole), integer_of_int32(n_1_0),
                           intP_intM))
            and (CountWithHole(a_4, x_6, (0), integer_of_int32(hole),
                 integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_6, (1),
                                                       integer_of_int32(n_1_0),
                                                       intP_intM@init))))) } ];
       void;
       (let _jessie_ =
       (let _jessie_ = !max_1 in
       (let _jessie_ = a_4 in
       (let _jessie_ =
       (integer_of_int32 (JC_99:
                         (int32_of_integer_ ((sub_int (integer_of_int32 n_1_0)) (1))))) in
       (let _jessie_ = ((shift _jessie_) _jessie_) in
       (JC_100:
       (((((offset_upd_ !intP_alloc_table) intP_intM) _jessie_) _jessie_) _jessie_)))))) in
       void);
       [ { } unit reads intP_intM
         { (JC_101:
           (forall x_7:int32.
            (Count(a_4, x_7, sub_int(integer_of_int32(n_1_0), (1)),
             add_int(sub_int(integer_of_int32(n_1_0), (1)), (1)), intP_intM) = 
            Count(a_4, x_7, (0), (1), intP_intM@init)))) } ]; void;
       [ { } unit reads intP_intM
         { (JC_102:
           (forall x_8:int32.
            (CountWithoutHole(a_4, x_8, (0),
             sub_int(integer_of_int32(n_1_0), (1)), integer_of_int32(n_1_0),
             intP_intM) = CountWithoutHole(a_4, x_8, (0), (1),
                          integer_of_int32(n_1_0), intP_intM@init)))) } ];
       void;
       [ { } unit reads intP_intM
         { (JC_103:
           (forall x_9:int32.
            ((Count(a_4, x_9, (0), integer_of_int32(n_1_0), intP_intM) = 
             CountWithoutHole(a_4, x_9, (0),
             sub_int(integer_of_int32(n_1_0), (1)), integer_of_int32(n_1_0),
             intP_intM))
            and ((CountWithoutHole(a_4, x_9, (0),
                  sub_int(integer_of_int32(n_1_0), (1)),
                  integer_of_int32(n_1_0), intP_intM) = CountWithoutHole(a_4,
                                                        x_9, (0), (1),
                                                        integer_of_int32(n_1_0),
                                                        intP_intM@init))
                and (CountWithoutHole(a_4, x_9, (0), (1),
                     integer_of_int32(n_1_0), intP_intM@init) = Count(a_4,
                                                                x_9, (0),
                                                                integer_of_int32(n_1_0),
                                                                intP_intM@init)))))) } ];
       void; (raise Return) end) end)))); (raise Return) end with Return ->
   void end) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/popHeap.why
========== file tests/c/popHeap.jessie/why/popHeap_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic Count : intP pointer, int32, int, int, (intP, int32) memory -> int

function CountWithHole(c_0: intP pointer, v_3: int32, i_13: int, h: int,
  j_7: int, intP_intM_at_L: (intP, int32) memory) : int = (Count(c_0, v_3,
  i_13, h, intP_intM_at_L) + Count(c_0, v_3, (h + 1), j_7, intP_intM_at_L))

function CountWithoutHole(c_1: intP pointer, v_4: int32, i_14: int, h_0: int,
  j_8: int, intP_intM_at_L: (intP, int32) memory) : int = (Count(c_1, v_4,
  i_14, h_0, intP_intM_at_L) + Count(c_1, v_4, h_0, j_8, intP_intM_at_L))

logic integer_of_int32 : int32 -> int

predicate IsEqual(a_0: intP pointer, n_0: int, b: intP pointer,
  intP_intM_at_B: (intP, int32) memory, intP_intM_at_A: (intP,
  int32) memory) =
  (forall i_1:int.
    (((0 <= i_1) and (i_1 < n_0)) -> (integer_of_int32(select(intP_intM_at_A,
     shift(a_0, i_1))) = integer_of_int32(select(intP_intM_at_B, shift(b,
     i_1))))))

predicate IsFirstMaximum(a_2: intP pointer, max_0: int,
  intP_intM_at_L: (intP, int32) memory) =
  (forall i_8:int.
    (((0 <= i_8) and (i_8 < max_0)) ->
     (integer_of_int32(select(intP_intM_at_L, shift(a_2,
     i_8))) < integer_of_int32(select(intP_intM_at_L, shift(a_2, max_0))))))

logic ParentChild : int, int -> prop

predicate IsHeap(c: intP pointer, n_1: int, intP_intM_at_L: (intP,
  int32) memory) =
  (forall i_6:int.
    (forall j_3:int.
      (((j_3 < n_1) and ParentChild(i_6, j_3)) ->
       (integer_of_int32(select(intP_intM_at_L, shift(c,
       i_6))) >= integer_of_int32(select(intP_intM_at_L, shift(c, j_3)))))))

predicate IsMaximum(a_1: intP pointer, n_2: int, max: int,
  intP_intM_at_L: (intP, int32) memory) =
  (forall i_7:int.
    (((0 <= i_7) and (i_7 < n_2)) -> (integer_of_int32(select(intP_intM_at_L,
     shift(a_1, max))) >= integer_of_int32(select(intP_intM_at_L, shift(a_1,
     i_7))))))

predicate IsValidRange(a: intP pointer, n: int,
  intP_alloc_table_at_L: intP alloc_table) =
  ((0 <= n) and
   ((offset_min(intP_alloc_table_at_L, a) <= 0) and
    (offset_max(intP_alloc_table_at_L, a) >= (n - 1))))

predicate Permutation(c_2: intP pointer, n_3: int32, intP_intM_at_B: (intP,
  int32) memory, intP_intM_at_A: (intP, int32) memory) =
  (forall x_0:int32. (Count(c_2, x_0, 0, integer_of_int32(n_3),
    intP_intM_at_A) = Count(c_2, x_0, 0, integer_of_int32(n_3),
    intP_intM_at_B)))

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

logic intP_tag : intP tag_id

axiom intP_int: (int_of_tag(intP_tag) = 1)

logic intP_of_pointer_address : unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr:
  (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom: parenttag(intP_tag, bottom_tag)

axiom intP_tags:
  (forall x:intP pointer.
    (forall intP_tag_table:intP tag_table. instanceof(intP_tag_table, x,
      intP_tag)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_intP(p: intP pointer, a: int,
  intP_alloc_table: intP alloc_table) = (offset_min(intP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom no_assign_Count_0:
  (forall tmp:intP pset.
    (forall tmpmem:(intP, int32) memory.
      (forall tmpalloc:intP alloc_table.
        (forall intP_intM_at_L:(intP, int32) memory.
          (forall j_4:int.
            (forall i_9:int.
              (forall v:int32.
                (forall a_3:intP pointer.
                  ((pset_disjoint(tmp, pset_range(pset_singleton(a_3), i_9,
                    (j_4 - 1))) and not_assigns(tmpalloc, intP_intM_at_L,
                    tmpmem, tmp)) ->
                   (Count(a_3, v, i_9, j_4, intP_intM_at_L) = Count(a_3, v,
                   i_9, j_4, tmpmem)))))))))))

axiom no_update_Count_0:
  (forall tmp:intP pointer.
    (forall tmpval:int32.
      (forall intP_intM_at_L:(intP, int32) memory.
        (forall j_4:int.
          (forall i_9:int.
            (forall v:int32.
              (forall a_3:intP pointer.
                ((not in_pset(tmp, pset_range(pset_singleton(a_3), i_9,
                 (j_4 - 1)))) -> (Count(a_3, v, i_9, j_4,
                 intP_intM_at_L) = Count(a_3, v, i_9, j_4,
                 store(intP_intM_at_L, tmp, tmpval)))))))))))

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_intP(p: intP pointer, b: int,
  intP_alloc_table: intP alloc_table) = (offset_max(intP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

axiom ParentChild_1:
  (forall i_3:int.
    (forall j_1:int.
      (ParentChild(i_3, j_1) <->
       ((0 <= i_3) and
        ((i_3 < j_1) and ((j_1 = ((2 * i_3) + 1)) or (j_1 = ((2 * i_3) + 2))))))))

axiom ParentChild_2:
  (forall i_4:int.
    (forall j_2:int.
      (ParentChild(i_4, j_2) <->
       ((0 < j_2) and (i_4 = computer_div((j_2 - 1), 2))))))

goal ParentChild_3:
  (forall i_5:int.
    ((0 < i_5) ->
     (ParentChild(computer_div((i_5 - 1), 2), i_5) and
      ((0 <= computer_div((i_5 - 1), 2)) and (computer_div((i_5 - 1),
       2) < i_5)))))

axiom ParentChild_3_as_axiom:
  (forall i_5:int.
    ((0 < i_5) ->
     (ParentChild(computer_div((i_5 - 1), 2), i_5) and
      ((0 <= computer_div((i_5 - 1), 2)) and (computer_div((i_5 - 1),
       2) < i_5)))))

axiom Count0:
  (forall intP_intM_at_L:(intP, int32) memory.
    (forall a_4_0:intP pointer.
      (forall v_0:int32.
        (forall i_10:int.
          (forall j_5:int.
            ((i_10 >= j_5) -> (Count(a_4_0, v_0, i_10, j_5,
             intP_intM_at_L) = 0)))))))

axiom Count1:
  (forall intP_intM_at_L:(intP, int32) memory.
    (forall a_5:intP pointer.
      (forall v_1:int32.
        (forall i_11:int.
          (forall j_6:int.
            (forall k:int.
              (((0 <= i_11) and ((i_11 <= j_6) and (j_6 <= k))) ->
               (Count(a_5, v_1, i_11, k, intP_intM_at_L) = (Count(a_5, v_1,
               i_11, j_6, intP_intM_at_L) + Count(a_5, v_1, j_6, k,
               intP_intM_at_L))))))))))

axiom Count2:
  (forall intP_intM_at_L:(intP, int32) memory.
    (forall a_6:intP pointer.
      (forall v_2:int32.
        (forall i_12:int.
          (((integer_of_int32(select(intP_intM_at_L, shift(a_6,
            i_12))) <> integer_of_int32(v_2)) -> (Count(a_6, v_2, i_12,
            (i_12 + 1), intP_intM_at_L) = 0)) and
           ((integer_of_int32(select(intP_intM_at_L, shift(a_6,
            i_12))) = integer_of_int32(v_2)) -> (Count(a_6, v_2, i_12,
            (i_12 + 1), intP_intM_at_L) = 1)))))))

goal CountLemma:
  (forall intP_intM_at_L:(intP, int32) memory.
    (forall a_7:intP pointer.
      (forall v_5:int32.
        (forall i_15:int.
          ((0 <= i_15) -> (Count(a_7, v_5, 0, (i_15 + 1),
           intP_intM_at_L) = (Count(a_7, v_5, 0, i_15,
           intP_intM_at_L) + Count(a_7, v_5, i_15, (i_15 + 1),
           intP_intM_at_L))))))))

axiom CountLemma_as_axiom:
  (forall intP_intM_at_L:(intP, int32) memory.
    (forall a_7:intP pointer.
      (forall v_5:int32.
        (forall i_15:int.
          ((0 <= i_15) -> (Count(a_7, v_5, 0, (i_15 + 1),
           intP_intM_at_L) = (Count(a_7, v_5, 0, i_15,
           intP_intM_at_L) + Count(a_7, v_5, i_15, (i_15 + 1),
           intP_intM_at_L))))))))

goal pop_heap_ensures_default_po_1:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  forall i_16:int.
  ((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
  ("JC_105": (integer_of_int32(select(intP_intM, shift(a_4,
  0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16)))))

goal pop_heap_ensures_default_po_2:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  forall x_1:int32.
  ("JC_106": (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
  integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_3:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall x_2:int32.
  ("JC_108": (CountWithHole(a_4, x_2, 0, integer_of_int32(hole),
  integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_2, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_4:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall i_18:int.
  ((integer_of_int32(hole) < (integer_of_int32(n_1_0) - 1)) and
   ParentChild(i_18, integer_of_int32(hole))) ->
  ("JC_109": (integer_of_int32(select(intP_intM, shift(a_4,
  i_18))) >= integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_5:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall i_17:int.
  ((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
  ("JC_110": (integer_of_int32(select(intP_intM, shift(a_4,
  i_17))) <= integer_of_int32(max_1_0)))

goal pop_heap_ensures_default_po_6:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM))

goal pop_heap_ensures_default_po_7:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_114": ("JC_112": (0 <= integer_of_int32(hole))))

goal pop_heap_ensures_default_po_8:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_114": ("JC_113": (integer_of_int32(hole) < integer_of_int32(n_1_0))))

goal pop_heap_ensures_default_po_9:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM,
  pset_range(pset_singleton(a_4), 0, integer_of_int32(hole))))

goal pop_heap_ensures_default_po_10:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM,
  pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1))))

goal pop_heap_ensures_default_po_11:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0)))

goal pop_heap_ensures_default_po_12:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)))

goal pop_heap_ensures_default_po_13:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_14:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  forall x_2:int32.
  ("JC_108": (CountWithHole(a_4, x_2, 0, integer_of_int32(hole1),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_2, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_15:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  forall i_18:int.
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
   ParentChild(i_18, integer_of_int32(hole1))) ->
  ("JC_109": (integer_of_int32(select(intP_intM1, shift(a_4,
  i_18))) >= integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_16:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  forall i_17:int.
  ((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
  ("JC_110": (integer_of_int32(select(intP_intM1, shift(a_4,
  i_17))) <= integer_of_int32(max_1_0)))

goal pop_heap_ensures_default_po_17:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM1))

goal pop_heap_ensures_default_po_18:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_114": ("JC_112": (0 <= integer_of_int32(hole1))))

goal pop_heap_ensures_default_po_19:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_114": ("JC_113": (integer_of_int32(hole1) < integer_of_int32(n_1_0))))

goal pop_heap_ensures_default_po_20:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM1,
  pset_range(pset_singleton(a_4), 0, integer_of_int32(hole1))))

goal pop_heap_ensures_default_po_21:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM1,
  pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1))))

goal pop_heap_ensures_default_po_22:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  forall i_19:int.
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
   ParentChild(i_19, integer_of_int32(hole0))) ->
  ("JC_125": (integer_of_int32(select(intP_intM0, shift(a_4,
  i_19))) >= integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_23:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  forall x_3:int32.
  ("JC_126": (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_24:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(select(intP_intM1, shift(a_4,
  integer_of_int32(hole0)))) = integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_25:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(tmp0) = integer_of_int32(select(intP_intM,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_26:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_27:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  forall x_4:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_128": (Count(a_4, x_4, (integer_of_int32(hole0) + 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1) = CountWithoutHole(a_4,
  x_4, (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM1)))

goal pop_heap_ensures_default_po_28:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
  integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
  intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))))

goal pop_heap_ensures_default_po_29:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
  (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
  intP_intM1)) = (CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
  (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
  intP_intM1))))

goal pop_heap_ensures_default_po_30:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": ((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
  (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
  intP_intM1)) = CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(n_1_0) - 1), intP_intM1)))

goal pop_heap_ensures_default_po_31:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(n_1_0) - 1), intP_intM1) = Count(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), intP_intM1)))

goal pop_heap_ensures_default_po_32:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1)))

goal pop_heap_ensures_default_po_33:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), intP_intM1)))

goal pop_heap_ensures_default_po_34:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  forall x_6:int32.
  ("JC_130": (Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
  intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1)))

goal pop_heap_ensures_default_po_35:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  forall x_6:int32.
  ("JC_130": (CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_6, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_36:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  forall x_7:int32.
  ("JC_131": (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
  intP_intM)))

goal pop_heap_ensures_default_po_37:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  forall x_8:int32.
  ("JC_132": (CountWithoutHole(a_4, x_8, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_38:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (Count(a_4, x_9, 0, integer_of_int32(n_1_0),
  intP_intM2) = CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2)))

goal pop_heap_ensures_default_po_39:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_40:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (CountWithoutHole(a_4, x_9, 0, 1, integer_of_int32(n_1_0),
  intP_intM) = Count(a_4, x_9, 0, integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_41:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_35": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM2))))

goal pop_heap_ensures_default_po_42:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_36": (integer_of_int32(select(intP_intM2, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM,
  shift(a_4, 0)))))))

goal pop_heap_ensures_default_po_43:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_37": IsMaximum(a_4, integer_of_int32(n_1_0),
  (integer_of_int32(n_1_0) - 1), intP_intM2))))

goal pop_heap_ensures_default_po_44:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39": ("JC_38": Permutation(a_4, n_1_0, intP_intM2, intP_intM))))

goal pop_heap_ensures_default_po_45:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_118": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_40": not_assigns(intP_alloc_table, intP_intM, intP_intM2,
  pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))

goal pop_heap_ensures_default_po_46:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0)))

goal pop_heap_ensures_default_po_47:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)))

goal pop_heap_ensures_default_po_48:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_49:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0) ->
  forall x_2:int32.
  ("JC_108": (CountWithHole(a_4, x_2, 0, integer_of_int32(hole1),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_2, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_50:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0) ->
  forall i_18:int.
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
   ParentChild(i_18, integer_of_int32(hole1))) ->
  ("JC_109": (integer_of_int32(select(intP_intM1, shift(a_4,
  i_18))) >= integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_51:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0) ->
  forall i_17:int.
  ((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
  ("JC_110": (integer_of_int32(select(intP_intM1, shift(a_4,
  i_17))) <= integer_of_int32(max_1_0)))

goal pop_heap_ensures_default_po_52:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0) ->
  ("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM1))

goal pop_heap_ensures_default_po_53:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0) ->
  ("JC_114": ("JC_112": (0 <= integer_of_int32(hole1))))

goal pop_heap_ensures_default_po_54:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0) ->
  ("JC_114": ("JC_113": (integer_of_int32(hole1) < integer_of_int32(n_1_0))))

goal pop_heap_ensures_default_po_55:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0) ->
  ("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM1,
  pset_range(pset_singleton(a_4), 0, integer_of_int32(hole1))))

goal pop_heap_ensures_default_po_56:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_119": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_120": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0) ->
  ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM1,
  pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1))))

goal pop_heap_ensures_default_po_57:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  forall i_19:int.
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
   ParentChild(i_19, integer_of_int32(hole0))) ->
  ("JC_125": (integer_of_int32(select(intP_intM0, shift(a_4,
  i_19))) >= integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_58:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  forall x_3:int32.
  ("JC_126": (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_59:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(select(intP_intM1, shift(a_4,
  integer_of_int32(hole0)))) = integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_60:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(tmp0) = integer_of_int32(select(intP_intM,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_61:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_62:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  forall x_4:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_128": (Count(a_4, x_4, (integer_of_int32(hole0) + 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1) = CountWithoutHole(a_4,
  x_4, (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM1)))

goal pop_heap_ensures_default_po_63:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
  integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
  intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))))

goal pop_heap_ensures_default_po_64:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
  (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
  intP_intM1)) = (CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
  (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
  intP_intM1))))

goal pop_heap_ensures_default_po_65:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": ((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
  (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
  intP_intM1)) = CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(n_1_0) - 1), intP_intM1)))

goal pop_heap_ensures_default_po_66:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(n_1_0) - 1), intP_intM1) = Count(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), intP_intM1)))

goal pop_heap_ensures_default_po_67:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1)))

goal pop_heap_ensures_default_po_68:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), intP_intM1)))

goal pop_heap_ensures_default_po_69:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  forall x_6:int32.
  ("JC_130": (Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
  intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1)))

goal pop_heap_ensures_default_po_70:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  forall x_6:int32.
  ("JC_130": (CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_6, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_71:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  forall x_7:int32.
  ("JC_131": (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
  intP_intM)))

goal pop_heap_ensures_default_po_72:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  forall x_8:int32.
  ("JC_132": (CountWithoutHole(a_4, x_8, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_73:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (Count(a_4, x_9, 0, integer_of_int32(n_1_0),
  intP_intM2) = CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2)))

goal pop_heap_ensures_default_po_74:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_75:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (CountWithoutHole(a_4, x_9, 0, 1, integer_of_int32(n_1_0),
  intP_intM) = Count(a_4, x_9, 0, integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_76:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_35": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM2))))

goal pop_heap_ensures_default_po_77:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_36": (integer_of_int32(select(intP_intM2, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM,
  shift(a_4, 0)))))))

goal pop_heap_ensures_default_po_78:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_37": IsMaximum(a_4, integer_of_int32(n_1_0),
  (integer_of_int32(n_1_0) - 1), intP_intM2))))

goal pop_heap_ensures_default_po_79:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39": ("JC_38": Permutation(a_4, n_1_0, intP_intM2, intP_intM))))

goal pop_heap_ensures_default_po_80:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_118": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_40": not_assigns(intP_alloc_table, intP_intM, intP_intM2,
  pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))

goal pop_heap_ensures_default_po_81:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)))

goal pop_heap_ensures_default_po_82:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_83:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  forall i_19:int.
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
   ParentChild(i_19, integer_of_int32(hole1))) ->
  ("JC_125": (integer_of_int32(select(intP_intM1, shift(a_4,
  i_19))) >= integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_84:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  forall x_3:int32.
  ("JC_126": (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
  integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_85:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(select(intP_intM2, shift(a_4,
  integer_of_int32(hole1)))) = integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_86:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(tmp0) = integer_of_int32(select(intP_intM,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_87:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_88:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  forall x_4:int32.
  (integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_128": (Count(a_4, x_4, (integer_of_int32(hole1) + 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = CountWithoutHole(a_4,
  x_4, (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2)))

goal pop_heap_ensures_default_po_89:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  forall x_5:int32.
  (integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
  integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
  integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
  intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))))

goal pop_heap_ensures_default_po_90:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  forall x_5:int32.
  (integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
  (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
  (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
  intP_intM2)) = (CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
  (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
  (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
  intP_intM2))))

goal pop_heap_ensures_default_po_91:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  forall x_5:int32.
  (integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": ((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
  (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
  (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
  intP_intM2)) = CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
  (integer_of_int32(n_1_0) - 1), intP_intM2)))

goal pop_heap_ensures_default_po_92:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  forall x_5:int32.
  (integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
  (integer_of_int32(n_1_0) - 1), intP_intM2) = Count(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), intP_intM2)))

goal pop_heap_ensures_default_po_93:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  forall x_5:int32.
  (integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
  integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)))

goal pop_heap_ensures_default_po_94:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  forall x_5:int32.
  (integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), intP_intM2)))

goal pop_heap_ensures_default_po_95:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  forall x_6:int32.
  ("JC_130": (Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
  intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
  integer_of_int32(n_1_0), intP_intM2)))

goal pop_heap_ensures_default_po_96:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  forall x_6:int32.
  ("JC_130": (CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
  integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_6, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_97:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
     integer_of_int32(n_1_0), intP_intM2)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole1), integer_of_int32(n_1_0),
     intP_intM2) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM3:(intP,
  int32) memory.
  (intP_intM3 = store(intP_intM2, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  forall x_7:int32.
  ("JC_131": (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM3) = Count(a_4, x_7, 0, 1,
  intP_intM)))

goal pop_heap_ensures_default_po_98:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
     integer_of_int32(n_1_0), intP_intM2)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole1), integer_of_int32(n_1_0),
     intP_intM2) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM3:(intP,
  int32) memory.
  (intP_intM3 = store(intP_intM2, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM3) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  forall x_8:int32.
  ("JC_132": (CountWithoutHole(a_4, x_8, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM3) = CountWithoutHole(a_4, x_8, 0, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_99:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
     integer_of_int32(n_1_0), intP_intM2)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole1), integer_of_int32(n_1_0),
     intP_intM2) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM3:(intP,
  int32) memory.
  (intP_intM3 = store(intP_intM2, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM3) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM3) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (Count(a_4, x_9, 0, integer_of_int32(n_1_0),
  intP_intM3) = CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM3)))

goal pop_heap_ensures_default_po_100:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
     integer_of_int32(n_1_0), intP_intM2)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole1), integer_of_int32(n_1_0),
     intP_intM2) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM3:(intP,
  int32) memory.
  (intP_intM3 = store(intP_intM2, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM3) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM3) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM3) = CountWithoutHole(a_4, x_9, 0, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_101:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
     integer_of_int32(n_1_0), intP_intM2)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole1), integer_of_int32(n_1_0),
     intP_intM2) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM3:(intP,
  int32) memory.
  (intP_intM3 = store(intP_intM2, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM3) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM3) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (CountWithoutHole(a_4, x_9, 0, 1, integer_of_int32(n_1_0),
  intP_intM) = Count(a_4, x_9, 0, integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_102:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
     integer_of_int32(n_1_0), intP_intM2)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole1), integer_of_int32(n_1_0),
     intP_intM2) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM3:(intP,
  int32) memory.
  (intP_intM3 = store(intP_intM2, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM3) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM3) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM3) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM3)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM3) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_35": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM3))))

goal pop_heap_ensures_default_po_103:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
     integer_of_int32(n_1_0), intP_intM2)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole1), integer_of_int32(n_1_0),
     intP_intM2) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM3:(intP,
  int32) memory.
  (intP_intM3 = store(intP_intM2, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM3) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM3) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM3) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM3)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM3) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_36": (integer_of_int32(select(intP_intM3, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM,
  shift(a_4, 0)))))))

goal pop_heap_ensures_default_po_104:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
     integer_of_int32(n_1_0), intP_intM2)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole1), integer_of_int32(n_1_0),
     intP_intM2) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM3:(intP,
  int32) memory.
  (intP_intM3 = store(intP_intM2, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM3) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM3) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM3) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM3)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM3) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_37": IsMaximum(a_4, integer_of_int32(n_1_0),
  (integer_of_int32(n_1_0) - 1), intP_intM3))))

goal pop_heap_ensures_default_po_105:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
     integer_of_int32(n_1_0), intP_intM2)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole1), integer_of_int32(n_1_0),
     intP_intM2) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM3:(intP,
  int32) memory.
  (intP_intM3 = store(intP_intM2, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM3) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM3) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM3) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM3)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM3) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39": ("JC_38": Permutation(a_4, n_1_0, intP_intM3, intP_intM))))

goal pop_heap_ensures_default_po_106:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_122": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_123": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
     integer_of_int32(n_1_0), intP_intM2)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole1), integer_of_int32(n_1_0),
     intP_intM2) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM3:(intP,
  int32) memory.
  (intP_intM3 = store(intP_intM2, shift(a_4, integer_of_int32(result13)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM3) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM3) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM3) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM3)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM3) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_40": not_assigns(intP_alloc_table, intP_intM, intP_intM3,
  pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))

goal pop_heap_ensures_default_po_107:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  forall i_19:int.
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
   ParentChild(i_19, integer_of_int32(hole0))) ->
  ("JC_125": (integer_of_int32(select(intP_intM0, shift(a_4,
  i_19))) >= integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_108:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  forall x_3:int32.
  ("JC_126": (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_109:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(select(intP_intM1, shift(a_4,
  integer_of_int32(hole0)))) = integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_110:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(tmp0) = integer_of_int32(select(intP_intM,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_111:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_112:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  forall x_4:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_128": (Count(a_4, x_4, (integer_of_int32(hole0) + 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1) = CountWithoutHole(a_4,
  x_4, (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM1)))

goal pop_heap_ensures_default_po_113:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
  integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
  intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))))

goal pop_heap_ensures_default_po_114:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
  (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
  intP_intM1)) = (CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
  (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
  intP_intM1))))

goal pop_heap_ensures_default_po_115:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": ((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
  (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
  intP_intM1)) = CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(n_1_0) - 1), intP_intM1)))

goal pop_heap_ensures_default_po_116:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(n_1_0) - 1), intP_intM1) = Count(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), intP_intM1)))

goal pop_heap_ensures_default_po_117:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1)))

goal pop_heap_ensures_default_po_118:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), intP_intM1)))

goal pop_heap_ensures_default_po_119:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  forall x_6:int32.
  ("JC_130": (Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
  intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1)))

goal pop_heap_ensures_default_po_120:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  forall x_6:int32.
  ("JC_130": (CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_6, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_121:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  forall x_7:int32.
  ("JC_131": (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
  intP_intM)))

goal pop_heap_ensures_default_po_122:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  forall x_8:int32.
  ("JC_132": (CountWithoutHole(a_4, x_8, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_123:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (Count(a_4, x_9, 0, integer_of_int32(n_1_0),
  intP_intM2) = CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2)))

goal pop_heap_ensures_default_po_124:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_125:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (CountWithoutHole(a_4, x_9, 0, 1, integer_of_int32(n_1_0),
  intP_intM) = Count(a_4, x_9, 0, integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_126:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_35": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM2))))

goal pop_heap_ensures_default_po_127:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_36": (integer_of_int32(select(intP_intM2, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM,
  shift(a_4, 0)))))))

goal pop_heap_ensures_default_po_128:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_37": IsMaximum(a_4, integer_of_int32(n_1_0),
  (integer_of_int32(n_1_0) - 1), intP_intM2))))

goal pop_heap_ensures_default_po_129:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39": ("JC_38": Permutation(a_4, n_1_0, intP_intM2, intP_intM))))

goal pop_heap_ensures_default_po_130:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result12)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_40": not_assigns(intP_alloc_table, intP_intM, intP_intM2,
  pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))

goal pop_heap_ensures_default_po_131:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  forall i_19:int.
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
   ParentChild(i_19, integer_of_int32(hole0))) ->
  ("JC_125": (integer_of_int32(select(intP_intM0, shift(a_4,
  i_19))) >= integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_132:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  forall x_3:int32.
  ("JC_126": (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_133:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(select(intP_intM1, shift(a_4,
  integer_of_int32(hole0)))) = integer_of_int32(tmp0)))

goal pop_heap_ensures_default_po_134:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(tmp0) = integer_of_int32(select(intP_intM,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_135:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_127": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1))))))

goal pop_heap_ensures_default_po_136:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  forall x_4:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_128": (Count(a_4, x_4, (integer_of_int32(hole0) + 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1) = CountWithoutHole(a_4,
  x_4, (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM1)))

goal pop_heap_ensures_default_po_137:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
  integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
  intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))))

goal pop_heap_ensures_default_po_138:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
  (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
  intP_intM1)) = (CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
  (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
  intP_intM1))))

goal pop_heap_ensures_default_po_139:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": ((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
  (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
  intP_intM1)) = CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(n_1_0) - 1), intP_intM1)))

goal pop_heap_ensures_default_po_140:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
  (integer_of_int32(n_1_0) - 1), intP_intM1) = Count(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), intP_intM1)))

goal pop_heap_ensures_default_po_141:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1)))

goal pop_heap_ensures_default_po_142:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  forall x_5:int32.
  (integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
  ("JC_129": (CountWithHole(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_5, 0,
  (integer_of_int32(n_1_0) - 1), intP_intM1)))

goal pop_heap_ensures_default_po_143:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  forall x_6:int32.
  ("JC_130": (Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
  intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1)))

goal pop_heap_ensures_default_po_144:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  forall x_6:int32.
  ("JC_130": (CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
  integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_6, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_145:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result11)),
  max_1_0)) ->
  forall x_7:int32.
  ("JC_131": (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
  ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
  intP_intM)))

goal pop_heap_ensures_default_po_146:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result11)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  forall x_8:int32.
  ("JC_132": (CountWithoutHole(a_4, x_8, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_147:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result11)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (Count(a_4, x_9, 0, integer_of_int32(n_1_0),
  intP_intM2) = CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2)))

goal pop_heap_ensures_default_po_148:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result11)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
  integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
  integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_149:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result11)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  forall x_9:int32.
  ("JC_133": (CountWithoutHole(a_4, x_9, 0, 1, integer_of_int32(n_1_0),
  intP_intM) = Count(a_4, x_9, 0, integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_ensures_default_po_150:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result11)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_35": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM2))))

goal pop_heap_ensures_default_po_151:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result11)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_36": (integer_of_int32(select(intP_intM2, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM,
  shift(a_4, 0)))))))

goal pop_heap_ensures_default_po_152:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result11)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39":
  ("JC_37": IsMaximum(a_4, integer_of_int32(n_1_0),
  (integer_of_int32(n_1_0) - 1), intP_intM2))))

goal pop_heap_ensures_default_po_153:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result11)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_39": ("JC_38": Permutation(a_4, n_1_0, intP_intM2, intP_intM))))

goal pop_heap_ensures_default_po_154:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_105":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM, shift(a_4, 0))) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_106":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ((("JC_107": (integer_of_int32(select(intP_intM, shift(a_4,
    (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
    shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
    (("JC_108":
     (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
       integer_of_int32(n_1_0), intP_intM)))) and
     (("JC_109":
      (forall i_18:int.
        (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
          ParentChild(i_18, integer_of_int32(hole0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_18))) >= integer_of_int32(tmp0))))) and
      (("JC_110":
       (forall i_17:int.
         (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
          (integer_of_int32(select(intP_intM0, shift(a_4,
          i_17))) <= integer_of_int32(max_1_0))))) and
       (("JC_111": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
        ("JC_114":
        (("JC_112": (0 <= integer_of_int32(hole0))) and
         ("JC_113": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) and
   (("JC_116": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, integer_of_int32(hole0)))) and
    ("JC_117": not_assigns(intP_alloc_table, intP_intM, intP_intM0,
    pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_125":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_126":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_127":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_128":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_129":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_130":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(n_1_0) - 1)) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(result11)),
  max_1_0)) ->
  ("JC_131":
  (forall x_7:int32. (Count(a_4, x_7, (integer_of_int32(n_1_0) - 1),
    ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2) = Count(a_4, x_7, 0, 1,
    intP_intM)))) ->
  ("JC_132":
  (forall x_8:int32. (CountWithoutHole(a_4, x_8, 0,
    (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
    intP_intM2) = CountWithoutHole(a_4, x_8, 0, 1, integer_of_int32(n_1_0),
    intP_intM)))) ->
  ("JC_133":
  (forall x_9:int32.
    ((Count(a_4, x_9, 0, integer_of_int32(n_1_0),
     intP_intM2) = CountWithoutHole(a_4, x_9, 0,
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2)) and
     ((CountWithoutHole(a_4, x_9, 0, (integer_of_int32(n_1_0) - 1),
      integer_of_int32(n_1_0), intP_intM2) = CountWithoutHole(a_4, x_9, 0, 1,
      integer_of_int32(n_1_0), intP_intM)) and (CountWithoutHole(a_4, x_9, 0,
      1, integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_9, 0,
      integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_41":
  ("JC_40": not_assigns(intP_alloc_table, intP_intM, intP_intM2,
  pset_range(pset_singleton(a_4), 0, (integer_of_int32(n_1_0) - 1)))))

goal pop_heap_induction_ensures_default_po_1:
  forall a_0_0:intP pointer.
  forall n_2_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_142":
  (("JC_139": (0 < integer_of_int32(n_2_0))) and
   (("JC_140": IsValidRange(a_0_0, integer_of_int32(n_2_0),
    intP_alloc_table)) and
    ("JC_141": IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall i:int32.
  (i = result) ->
  forall j_9:int.
  ((0 <= j_9) and
   ((j_9 < integer_of_int32(i)) and
    (integer_of_int32(i) <= integer_of_int32(n_2_0)))) ->
  ("JC_160": (integer_of_int32(select(intP_intM, shift(a_0_0,
  0))) >= integer_of_int32(select(intP_intM, shift(a_0_0, j_9)))))

goal pop_heap_induction_ensures_default_po_2:
  forall a_0_0:intP pointer.
  forall n_2_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_142":
  (("JC_139": (0 < integer_of_int32(n_2_0))) and
   (("JC_140": IsValidRange(a_0_0, integer_of_int32(n_2_0),
    intP_alloc_table)) and
    ("JC_141": IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall i:int32.
  (i = result) ->
  ("JC_163": ("JC_161": (0 <= integer_of_int32(i))))

goal pop_heap_induction_ensures_default_po_3:
  forall a_0_0:intP pointer.
  forall n_2_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_142":
  (("JC_139": (0 < integer_of_int32(n_2_0))) and
   (("JC_140": IsValidRange(a_0_0, integer_of_int32(n_2_0),
    intP_alloc_table)) and
    ("JC_141": IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall i:int32.
  (i = result) ->
  ("JC_163": ("JC_162": (integer_of_int32(i) <= integer_of_int32(n_2_0))))

goal pop_heap_induction_ensures_default_po_4:
  forall a_0_0:intP pointer.
  forall n_2_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_142":
  (("JC_139": (0 < integer_of_int32(n_2_0))) and
   (("JC_140": IsValidRange(a_0_0, integer_of_int32(n_2_0),
    intP_alloc_table)) and
    ("JC_141": IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  (("JC_160":
   (forall j_9:int.
     (((0 <= j_9) and
       ((j_9 < integer_of_int32(i0)) and
        (integer_of_int32(i0) <= integer_of_int32(n_2_0)))) ->
      (integer_of_int32(select(intP_intM, shift(a_0_0,
      0))) >= integer_of_int32(select(intP_intM, shift(a_0_0, j_9))))))) and
   ("JC_163":
   (("JC_161": (0 <= integer_of_int32(i0))) and
    ("JC_162": (integer_of_int32(i0) <= integer_of_int32(n_2_0)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_2_0)) ->
  (0 < integer_of_int32(i0)) ->
  ("JC_167": ParentChild(computer_div((integer_of_int32(i0) - 1), 2),
  integer_of_int32(i0)))

goal pop_heap_induction_ensures_default_po_5:
  forall a_0_0:intP pointer.
  forall n_2_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_142":
  (("JC_139": (0 < integer_of_int32(n_2_0))) and
   (("JC_140": IsValidRange(a_0_0, integer_of_int32(n_2_0),
    intP_alloc_table)) and
    ("JC_141": IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  (("JC_160":
   (forall j_9:int.
     (((0 <= j_9) and
       ((j_9 < integer_of_int32(i0)) and
        (integer_of_int32(i0) <= integer_of_int32(n_2_0)))) ->
      (integer_of_int32(select(intP_intM, shift(a_0_0,
      0))) >= integer_of_int32(select(intP_intM, shift(a_0_0, j_9))))))) and
   ("JC_163":
   (("JC_161": (0 <= integer_of_int32(i0))) and
    ("JC_162": (integer_of_int32(i0) <= integer_of_int32(n_2_0)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_2_0)) ->
  ("JC_167":
  ((0 < integer_of_int32(i0)) ->
   ParentChild(computer_div((integer_of_int32(i0) - 1), 2),
   integer_of_int32(i0)))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result0) ->
  forall j_9:int.
  ((0 <= j_9) and
   ((j_9 < integer_of_int32(i1)) and
    (integer_of_int32(i1) <= integer_of_int32(n_2_0)))) ->
  ("JC_160": (integer_of_int32(select(intP_intM, shift(a_0_0,
  0))) >= integer_of_int32(select(intP_intM, shift(a_0_0, j_9)))))

goal pop_heap_induction_ensures_default_po_6:
  forall a_0_0:intP pointer.
  forall n_2_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_142":
  (("JC_139": (0 < integer_of_int32(n_2_0))) and
   (("JC_140": IsValidRange(a_0_0, integer_of_int32(n_2_0),
    intP_alloc_table)) and
    ("JC_141": IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  (("JC_160":
   (forall j_9:int.
     (((0 <= j_9) and
       ((j_9 < integer_of_int32(i0)) and
        (integer_of_int32(i0) <= integer_of_int32(n_2_0)))) ->
      (integer_of_int32(select(intP_intM, shift(a_0_0,
      0))) >= integer_of_int32(select(intP_intM, shift(a_0_0, j_9))))))) and
   ("JC_163":
   (("JC_161": (0 <= integer_of_int32(i0))) and
    ("JC_162": (integer_of_int32(i0) <= integer_of_int32(n_2_0)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_2_0)) ->
  ("JC_167":
  ((0 < integer_of_int32(i0)) ->
   ParentChild(computer_div((integer_of_int32(i0) - 1), 2),
   integer_of_int32(i0)))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result0) ->
  ("JC_163": ("JC_161": (0 <= integer_of_int32(i1))))

goal pop_heap_induction_ensures_default_po_7:
  forall a_0_0:intP pointer.
  forall n_2_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_142":
  (("JC_139": (0 < integer_of_int32(n_2_0))) and
   (("JC_140": IsValidRange(a_0_0, integer_of_int32(n_2_0),
    intP_alloc_table)) and
    ("JC_141": IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  (("JC_160":
   (forall j_9:int.
     (((0 <= j_9) and
       ((j_9 < integer_of_int32(i0)) and
        (integer_of_int32(i0) <= integer_of_int32(n_2_0)))) ->
      (integer_of_int32(select(intP_intM, shift(a_0_0,
      0))) >= integer_of_int32(select(intP_intM, shift(a_0_0, j_9))))))) and
   ("JC_163":
   (("JC_161": (0 <= integer_of_int32(i0))) and
    ("JC_162": (integer_of_int32(i0) <= integer_of_int32(n_2_0)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_2_0)) ->
  ("JC_167":
  ((0 < integer_of_int32(i0)) ->
   ParentChild(computer_div((integer_of_int32(i0) - 1), 2),
   integer_of_int32(i0)))) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result0) ->
  ("JC_163": ("JC_162": (integer_of_int32(i1) <= integer_of_int32(n_2_0))))

goal pop_heap_induction_ensures_default_po_8:
  forall a_0_0:intP pointer.
  forall n_2_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_142":
  (("JC_139": (0 < integer_of_int32(n_2_0))) and
   (("JC_140": IsValidRange(a_0_0, integer_of_int32(n_2_0),
    intP_alloc_table)) and
    ("JC_141": IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  (("JC_160":
   (forall j_9:int.
     (((0 <= j_9) and
       ((j_9 < integer_of_int32(i0)) and
        (integer_of_int32(i0) <= integer_of_int32(n_2_0)))) ->
      (integer_of_int32(select(intP_intM, shift(a_0_0,
      0))) >= integer_of_int32(select(intP_intM, shift(a_0_0, j_9))))))) and
   ("JC_163":
   (("JC_161": (0 <= integer_of_int32(i0))) and
    ("JC_162": (integer_of_int32(i0) <= integer_of_int32(n_2_0)))))) ->
  (integer_of_int32(i0) >= integer_of_int32(n_2_0)) ->
  forall i_20:int.
  ((0 <= i_20) and (i_20 < integer_of_int32(n_2_0))) ->
  ("JC_144": (integer_of_int32(select(intP_intM, shift(a_0_0,
  0))) >= integer_of_int32(select(intP_intM, shift(a_0_0, i_20)))))

goal pop_heap_induction_safety_po_1:
  forall a_0_0:intP pointer.
  forall n_2_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_142":
  (("JC_139": (0 < integer_of_int32(n_2_0))) and
   (("JC_140": IsValidRange(a_0_0, integer_of_int32(n_2_0),
    intP_alloc_table)) and
    ("JC_141": IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_155": true) ->
  (("JC_150":
   (forall j_9:int.
     (((0 <= j_9) and
       ((j_9 < integer_of_int32(i0)) and
        (integer_of_int32(i0) <= integer_of_int32(n_2_0)))) ->
      (integer_of_int32(select(intP_intM, shift(a_0_0,
      0))) >= integer_of_int32(select(intP_intM, shift(a_0_0, j_9))))))) and
   ("JC_153":
   (("JC_151": (0 <= integer_of_int32(i0))) and
    ("JC_152": (integer_of_int32(i0) <= integer_of_int32(n_2_0)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_2_0)) ->
  ("JC_157":
  ((0 < integer_of_int32(i0)) ->
   ParentChild(computer_div((integer_of_int32(i0) - 1), 2),
   integer_of_int32(i0)))) ->
  ((-2147483648) <= (integer_of_int32(i0) + 1))

goal pop_heap_induction_safety_po_2:
  forall a_0_0:intP pointer.
  forall n_2_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_142":
  (("JC_139": (0 < integer_of_int32(n_2_0))) and
   (("JC_140": IsValidRange(a_0_0, integer_of_int32(n_2_0),
    intP_alloc_table)) and
    ("JC_141": IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_155": true) ->
  (("JC_150":
   (forall j_9:int.
     (((0 <= j_9) and
       ((j_9 < integer_of_int32(i0)) and
        (integer_of_int32(i0) <= integer_of_int32(n_2_0)))) ->
      (integer_of_int32(select(intP_intM, shift(a_0_0,
      0))) >= integer_of_int32(select(intP_intM, shift(a_0_0, j_9))))))) and
   ("JC_153":
   (("JC_151": (0 <= integer_of_int32(i0))) and
    ("JC_152": (integer_of_int32(i0) <= integer_of_int32(n_2_0)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_2_0)) ->
  ("JC_157":
  ((0 < integer_of_int32(i0)) ->
   ParentChild(computer_div((integer_of_int32(i0) - 1), 2),
   integer_of_int32(i0)))) ->
  ((integer_of_int32(i0) + 1) <= 2147483647)

goal pop_heap_induction_safety_po_3:
  forall a_0_0:intP pointer.
  forall n_2_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_142":
  (("JC_139": (0 < integer_of_int32(n_2_0))) and
   (("JC_140": IsValidRange(a_0_0, integer_of_int32(n_2_0),
    intP_alloc_table)) and
    ("JC_141": IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_155": true) ->
  (("JC_150":
   (forall j_9:int.
     (((0 <= j_9) and
       ((j_9 < integer_of_int32(i0)) and
        (integer_of_int32(i0) <= integer_of_int32(n_2_0)))) ->
      (integer_of_int32(select(intP_intM, shift(a_0_0,
      0))) >= integer_of_int32(select(intP_intM, shift(a_0_0, j_9))))))) and
   ("JC_153":
   (("JC_151": (0 <= integer_of_int32(i0))) and
    ("JC_152": (integer_of_int32(i0) <= integer_of_int32(n_2_0)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_2_0)) ->
  ("JC_157":
  ((0 < integer_of_int32(i0)) ->
   ParentChild(computer_div((integer_of_int32(i0) - 1), 2),
   integer_of_int32(i0)))) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result0) ->
  (0 <= ("JC_159": (integer_of_int32(n_2_0) - integer_of_int32(i0))))

goal pop_heap_induction_safety_po_4:
  forall a_0_0:intP pointer.
  forall n_2_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_142":
  (("JC_139": (0 < integer_of_int32(n_2_0))) and
   (("JC_140": IsValidRange(a_0_0, integer_of_int32(n_2_0),
    intP_alloc_table)) and
    ("JC_141": IsHeap(a_0_0, integer_of_int32(n_2_0), intP_intM))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall i:int32.
  (i = result) ->
  forall i0:int32.
  ("JC_155": true) ->
  (("JC_150":
   (forall j_9:int.
     (((0 <= j_9) and
       ((j_9 < integer_of_int32(i0)) and
        (integer_of_int32(i0) <= integer_of_int32(n_2_0)))) ->
      (integer_of_int32(select(intP_intM, shift(a_0_0,
      0))) >= integer_of_int32(select(intP_intM, shift(a_0_0, j_9))))))) and
   ("JC_153":
   (("JC_151": (0 <= integer_of_int32(i0))) and
    ("JC_152": (integer_of_int32(i0) <= integer_of_int32(n_2_0)))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_2_0)) ->
  ("JC_157":
  ((0 < integer_of_int32(i0)) ->
   ParentChild(computer_div((integer_of_int32(i0) - 1), 2),
   integer_of_int32(i0)))) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result0) ->
  (("JC_159": (integer_of_int32(n_2_0) - integer_of_int32(i1))) < ("JC_159":
                                                                  (integer_of_int32(n_2_0) - integer_of_int32(i0))))

goal pop_heap_safety_po_1:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  ("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)))

goal pop_heap_safety_po_2:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137": ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))

goal pop_heap_safety_po_3:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  ((-2147483648) <= (integer_of_int32(n_1_0) - 1))

goal pop_heap_safety_po_4:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  ((integer_of_int32(n_1_0) - 1) <= 2147483647)

goal pop_heap_safety_po_5:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2))

goal pop_heap_safety_po_6:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_7:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  (offset_min(intP_alloc_table, a_4) <= 0)

goal pop_heap_safety_po_8:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  (0 <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_9:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  ((-2147483648) <= (2 * integer_of_int32(hole0)))

goal pop_heap_safety_po_10:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  ((2 * integer_of_int32(hole0)) <= 2147483647)

goal pop_heap_safety_po_11:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  ((-2147483648) <= (integer_of_int32(result5) + 2))

goal pop_heap_safety_po_12:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  ((integer_of_int32(result5) + 2) <= 2147483647)

goal pop_heap_safety_po_13:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0))

goal pop_heap_safety_po_14:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_15:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  ((-2147483648) <= (integer_of_int32(child_0) - 1))

goal pop_heap_safety_po_16:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  ((integer_of_int32(child_0) - 1) <= 2147483647)

goal pop_heap_safety_po_17:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9))

goal pop_heap_safety_po_18:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_19:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0))

goal pop_heap_safety_po_20:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_21:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0))

goal pop_heap_safety_po_22:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_23:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  ("JC_2": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)))

goal pop_heap_safety_po_24:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7": ("JC_3": (0 <= integer_of_int32(hole0))))

goal pop_heap_safety_po_25:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7": ("JC_4": (integer_of_int32(hole0) < integer_of_int32(child_0_0))))

goal pop_heap_safety_po_26:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7": ("JC_5": (integer_of_int32(child_0_0) < integer_of_int32(n_1_0))))

goal pop_heap_safety_po_27:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  ("JC_6": (integer_of_int32(select(intP_intM1, shift(a_4,
  integer_of_int32(hole0)))) = integer_of_int32(select(intP_intM1, shift(a_4,
  integer_of_int32(child_0_0)))))))

goal pop_heap_safety_po_28:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  (("JC_1": (0 < integer_of_int32(n_1_0))) and
   (("JC_2": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    (("JC_3": (0 <= integer_of_int32(hole0))) and
     (("JC_4": (integer_of_int32(hole0) < integer_of_int32(child_0_0))) and
      (("JC_5": (integer_of_int32(child_0_0) < integer_of_int32(n_1_0))) and
       ("JC_6": (integer_of_int32(select(intP_intM1, shift(a_4,
       integer_of_int32(hole0)))) = integer_of_int32(select(intP_intM1,
       shift(a_4, integer_of_int32(child_0_0)))))))))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  (0 <= ("JC_91": (integer_of_int32(n_1_0) - integer_of_int32(hole0))))

goal pop_heap_safety_po_29:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result13:int32.
  (result13 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result13)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  (("JC_1": (0 < integer_of_int32(n_1_0))) and
   (("JC_2": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    (("JC_3": (0 <= integer_of_int32(hole0))) and
     (("JC_4": (integer_of_int32(hole0) < integer_of_int32(child_0_0))) and
      (("JC_5": (integer_of_int32(child_0_0) < integer_of_int32(n_1_0))) and
       ("JC_6": (integer_of_int32(select(intP_intM1, shift(a_4,
       integer_of_int32(hole0)))) = integer_of_int32(select(intP_intM1,
       shift(a_4, integer_of_int32(child_0_0)))))))))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  (("JC_91": (integer_of_int32(n_1_0) - integer_of_int32(hole1))) < ("JC_91":
                                                                    (integer_of_int32(n_1_0) - integer_of_int32(hole0))))

goal pop_heap_safety_po_30:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0))

goal pop_heap_safety_po_31:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_32:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_94":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_95":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_96":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_97":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_98":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(result13))

goal pop_heap_safety_po_33:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) < integer_of_int32(result10)) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(child_0) - 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result11) ->
  ("JC_75": ParentChild(integer_of_int32(hole0),
  integer_of_int32(child_0_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result12) <= integer_of_int32(tmp0)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_94":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_95":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_96":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_97":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_98":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(result13) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_34:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0))

goal pop_heap_safety_po_35:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_36:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  ("JC_2": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)))

goal pop_heap_safety_po_37:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7": ("JC_3": (0 <= integer_of_int32(hole0))))

goal pop_heap_safety_po_38:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7": ("JC_4": (integer_of_int32(hole0) < integer_of_int32(child_0))))

goal pop_heap_safety_po_39:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7": ("JC_5": (integer_of_int32(child_0) < integer_of_int32(n_1_0))))

goal pop_heap_safety_po_40:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  ("JC_6": (integer_of_int32(select(intP_intM1, shift(a_4,
  integer_of_int32(hole0)))) = integer_of_int32(select(intP_intM1, shift(a_4,
  integer_of_int32(child_0)))))))

goal pop_heap_safety_po_41:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  (("JC_1": (0 < integer_of_int32(n_1_0))) and
   (("JC_2": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    (("JC_3": (0 <= integer_of_int32(hole0))) and
     (("JC_4": (integer_of_int32(hole0) < integer_of_int32(child_0))) and
      (("JC_5": (integer_of_int32(child_0) < integer_of_int32(n_1_0))) and
       ("JC_6": (integer_of_int32(select(intP_intM1, shift(a_4,
       integer_of_int32(hole0)))) = integer_of_int32(select(intP_intM1,
       shift(a_4, integer_of_int32(child_0)))))))))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0) ->
  (0 <= ("JC_91": (integer_of_int32(n_1_0) - integer_of_int32(hole0))))

goal pop_heap_safety_po_42:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_77": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_80": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  (("JC_1": (0 < integer_of_int32(n_1_0))) and
   (("JC_2": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    (("JC_3": (0 <= integer_of_int32(hole0))) and
     (("JC_4": (integer_of_int32(hole0) < integer_of_int32(child_0))) and
      (("JC_5": (integer_of_int32(child_0) < integer_of_int32(n_1_0))) and
       ("JC_6": (integer_of_int32(select(intP_intM1, shift(a_4,
       integer_of_int32(hole0)))) = integer_of_int32(select(intP_intM1,
       shift(a_4, integer_of_int32(child_0)))))))))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0) ->
  (("JC_91": (integer_of_int32(n_1_0) - integer_of_int32(hole1))) < ("JC_91":
                                                                    (integer_of_int32(n_1_0) - integer_of_int32(hole0))))

goal pop_heap_safety_po_43:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0))

goal pop_heap_safety_po_44:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_45:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_94":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_95":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_96":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_97":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_98":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(result12))

goal pop_heap_safety_po_46:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) < integer_of_int32(result7)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result8:int32.
  (result8 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (((-2147483648) <= (integer_of_int32(child_0) - 1)) and
   ((integer_of_int32(child_0) - 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(child_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result9)) and
   (integer_of_int32(result9) <= offset_max(intP_alloc_table, a_4))) ->
  forall result10:int32.
  (result10 = select(intP_intM0, shift(a_4, integer_of_int32(result9)))) ->
  (integer_of_int32(result8) >= integer_of_int32(result10)) ->
  ("JC_75": ParentChild(integer_of_int32(hole0), integer_of_int32(child_0))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0)) and
   (integer_of_int32(child_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_94":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_95":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_96":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_97":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_98":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(result12) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_47:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  ((-2147483648) <= (integer_of_int32(result8) + 1))

goal pop_heap_safety_po_48:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  ((integer_of_int32(result8) + 1) <= 2147483647)

goal pop_heap_safety_po_49:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  ((-2147483648) <= (integer_of_int32(n_1_0) - 2))

goal pop_heap_safety_po_50:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  ((integer_of_int32(n_1_0) - 2) <= 2147483647)

goal pop_heap_safety_po_51:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0))

goal pop_heap_safety_po_52:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_53:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_86": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0))

goal pop_heap_safety_po_54:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_86": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_55:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_86": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_89": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  ("JC_2": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)))

goal pop_heap_safety_po_56:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_86": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_89": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7": ("JC_3": (0 <= integer_of_int32(hole0))))

goal pop_heap_safety_po_57:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_86": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_89": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7": ("JC_4": (integer_of_int32(hole0) < integer_of_int32(child_0_0))))

goal pop_heap_safety_po_58:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_86": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_89": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7": ("JC_5": (integer_of_int32(child_0_0) < integer_of_int32(n_1_0))))

goal pop_heap_safety_po_59:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_86": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_89": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  ("JC_6": (integer_of_int32(select(intP_intM1, shift(a_4,
  integer_of_int32(hole0)))) = integer_of_int32(select(intP_intM1, shift(a_4,
  integer_of_int32(child_0_0)))))))

goal pop_heap_safety_po_60:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_86": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_89": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  (("JC_1": (0 < integer_of_int32(n_1_0))) and
   (("JC_2": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    (("JC_3": (0 <= integer_of_int32(hole0))) and
     (("JC_4": (integer_of_int32(hole0) < integer_of_int32(child_0_0))) and
      (("JC_5": (integer_of_int32(child_0_0) < integer_of_int32(n_1_0))) and
       ("JC_6": (integer_of_int32(select(intP_intM1, shift(a_4,
       integer_of_int32(hole0)))) = integer_of_int32(select(intP_intM1,
       shift(a_4, integer_of_int32(child_0_0)))))))))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole1))

goal pop_heap_safety_po_61:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_86": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_89": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  (("JC_1": (0 < integer_of_int32(n_1_0))) and
   (("JC_2": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    (("JC_3": (0 <= integer_of_int32(hole0))) and
     (("JC_4": (integer_of_int32(hole0) < integer_of_int32(child_0_0))) and
      (("JC_5": (integer_of_int32(child_0_0) < integer_of_int32(n_1_0))) and
       ("JC_6": (integer_of_int32(select(intP_intM1, shift(a_4,
       integer_of_int32(hole0)))) = integer_of_int32(select(intP_intM1,
       shift(a_4, integer_of_int32(child_0_0)))))))))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  (integer_of_int32(hole1) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_62:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_86": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_89": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  (("JC_1": (0 < integer_of_int32(n_1_0))) and
   (("JC_2": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    (("JC_3": (0 <= integer_of_int32(hole0))) and
     (("JC_4": (integer_of_int32(hole0) < integer_of_int32(child_0_0))) and
      (("JC_5": (integer_of_int32(child_0_0) < integer_of_int32(n_1_0))) and
       ("JC_6": (integer_of_int32(select(intP_intM1, shift(a_4,
       integer_of_int32(hole0)))) = integer_of_int32(select(intP_intM1,
       shift(a_4, integer_of_int32(child_0_0)))))))))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole1)) and
   (integer_of_int32(hole1) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_94":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_95":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_96":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_97":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  ("JC_98":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
     integer_of_int32(n_1_0), intP_intM2)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole1), integer_of_int32(n_1_0),
     intP_intM2) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(result13))

goal pop_heap_safety_po_63:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) > integer_of_int32(tmp0)) ->
  ("JC_86": (integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result12:int32.
  (result12 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  result12)) ->
  ("JC_89": (integer_of_int32(select(intP_intM, shift(a_4,
  (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
  shift(a_4, (integer_of_int32(n_1_0) - 1)))))) ->
  ("JC_7":
  (("JC_1": (0 < integer_of_int32(n_1_0))) and
   (("JC_2": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    (("JC_3": (0 <= integer_of_int32(hole0))) and
     (("JC_4": (integer_of_int32(hole0) < integer_of_int32(child_0_0))) and
      (("JC_5": (integer_of_int32(child_0_0) < integer_of_int32(n_1_0))) and
       ("JC_6": (integer_of_int32(select(intP_intM1, shift(a_4,
       integer_of_int32(hole0)))) = integer_of_int32(select(intP_intM1,
       shift(a_4, integer_of_int32(child_0_0)))))))))))) ->
  ("JC_19":
  (forall x_0_0:int32. (CountWithHole(a_4, x_0_0, 0,
    integer_of_int32(child_0_0), integer_of_int32(n_1_0),
    intP_intM1) = CountWithHole(a_4, x_0_0, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1)))) ->
  forall hole1:int32.
  (hole1 = child_0_0) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole1))) ->
     (integer_of_int32(select(intP_intM1, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole1)) and
   (integer_of_int32(hole1) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM2:(intP,
  int32) memory.
  (intP_intM2 = store(intP_intM1, shift(a_4, integer_of_int32(hole1)),
  tmp0)) ->
  ("JC_94":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole1),
    integer_of_int32(n_1_0), intP_intM2) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_95":
  ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM2, shift(a_4,
    integer_of_int32(hole1)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM2,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_96":
  (forall x_4:int32.
    ((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole1) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM2) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole1) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM2))))) ->
  ("JC_97":
  (forall x_5:int32.
    (((integer_of_int32(hole1) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
       intP_intM2) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM2))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
        (integer_of_int32(n_1_0) - 1), intP_intM2) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM2)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole1), (integer_of_int32(hole1) + 1),
        intP_intM2) + Count(a_4, x_5, (integer_of_int32(hole1) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM2))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole1),
         (integer_of_int32(hole1) + 1), intP_intM2) + Count(a_4, x_5,
         (integer_of_int32(hole1) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole1), (integer_of_int32(n_1_0) - 1),
         intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM2)))))) and
     ((integer_of_int32(hole1) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole1),
       integer_of_int32(n_1_0), intP_intM2) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM2) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM2))))))) ->
  ("JC_98":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM2) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole1),
     integer_of_int32(n_1_0), intP_intM2)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole1), integer_of_int32(n_1_0),
     intP_intM2) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(result13) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_64:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0))

goal pop_heap_safety_po_65:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_66:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_94":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_95":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_96":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_97":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_98":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(result12))

goal pop_heap_safety_po_67:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) = integer_of_int32(result10)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(child_0_0)) and
   (integer_of_int32(child_0_0) <= offset_max(intP_alloc_table, a_4))) ->
  forall result11:int32.
  (result11 = select(intP_intM0, shift(a_4, integer_of_int32(child_0_0)))) ->
  (integer_of_int32(result11) <= integer_of_int32(tmp0)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_94":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_95":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_96":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_97":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_98":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result12:int32.
  (integer_of_int32(result12) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(result12) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_68:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0))

goal pop_heap_safety_po_69:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))

goal pop_heap_safety_po_70:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_94":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_95":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_96":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_97":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_98":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(n_1_0) - 1)) ->
  (offset_min(intP_alloc_table, a_4) <= integer_of_int32(result11))

goal pop_heap_safety_po_71:
  forall a_4:intP pointer.
  forall n_1_0:int32.
  forall intP_alloc_table:intP alloc_table.
  forall intP_intM:(intP,
  int32) memory.
  ("JC_33":
  (("JC_29": (0 < integer_of_int32(n_1_0))) and
   (("JC_30": (integer_of_int32(n_1_0) < computer_div((2147483647 - 2), 2))) and
    (("JC_31": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
     ("JC_32": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM)))))) ->
  ("JC_137":
  (("JC_134": (0 < integer_of_int32(n_1_0))) and
   (("JC_135": IsValidRange(a_4, integer_of_int32(n_1_0), intP_alloc_table)) and
    ("JC_136": IsHeap(a_4, integer_of_int32(n_1_0), intP_intM))))) ->
  ("JC_146":
  (forall i_20:int.
    (((0 <= i_20) and (i_20 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_20))))))) ->
  ("JC_52":
  (forall i_16:int.
    (((0 < i_16) and (i_16 < integer_of_int32(n_1_0))) ->
     (integer_of_int32(select(intP_intM, shift(a_4,
     0))) >= integer_of_int32(select(intP_intM, shift(a_4, i_16))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall tmp:int32.
  (tmp = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall max_1:int32.
  (max_1 = result0) ->
  forall result1:int32.
  (integer_of_int32(result1) = 0) ->
  forall hole:int32.
  (hole = result1) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result2:int32.
  (integer_of_int32(result2) = (integer_of_int32(n_1_0) - 1)) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(result2)) and
   (integer_of_int32(result2) <= offset_max(intP_alloc_table, a_4))) ->
  forall result3:int32.
  (result3 = select(intP_intM, shift(a_4, integer_of_int32(result2)))) ->
  forall tmp0:int32.
  (tmp0 = result3) ->
  ((offset_min(intP_alloc_table, a_4) <= 0) and
   (0 <= offset_max(intP_alloc_table, a_4))) ->
  forall result4:int32.
  (result4 = select(intP_intM, a_4)) ->
  forall max_1_0:int32.
  (max_1_0 = result4) ->
  ("JC_56":
  (forall x_1:int32. (CountWithHole(a_4, x_1, 0, integer_of_int32(hole),
    integer_of_int32(n_1_0), intP_intM) = Count(a_4, x_1, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  forall hole0:int32.
  forall intP_intM0:(intP,
  int32) memory.
  ("JC_66": true) ->
  (("JC_57": (integer_of_int32(select(intP_intM, shift(a_4,
   (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM0,
   shift(a_4, (integer_of_int32(n_1_0) - 1)))))) and
   (("JC_58":
    (forall x_2:int32. (CountWithHole(a_4, x_2, 0, integer_of_int32(hole0),
      integer_of_int32(n_1_0), intP_intM0) = Count(a_4, x_2, 1,
      integer_of_int32(n_1_0), intP_intM)))) and
    (("JC_59":
     (forall i_18:int.
       (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
         ParentChild(i_18, integer_of_int32(hole0))) ->
        (integer_of_int32(select(intP_intM0, shift(a_4,
        i_18))) >= integer_of_int32(tmp0))))) and
     (("JC_60":
      (forall i_17:int.
        (((0 <= i_17) and (i_17 < integer_of_int32(n_1_0))) ->
         (integer_of_int32(select(intP_intM0, shift(a_4,
         i_17))) <= integer_of_int32(max_1_0))))) and
      (("JC_61": IsHeap(a_4, (integer_of_int32(n_1_0) - 1), intP_intM0)) and
       ("JC_64":
       (("JC_62": (0 <= integer_of_int32(hole0))) and
        ("JC_63": (integer_of_int32(hole0) < integer_of_int32(n_1_0)))))))))) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 2)) and
   ((integer_of_int32(result5) + 2) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 2)) ->
  forall child_0:int32.
  (child_0 = result6) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(child_0) >= integer_of_int32(result7)) ->
  (((-2147483648) <= (2 * integer_of_int32(hole0))) and
   ((2 * integer_of_int32(hole0)) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (2 * integer_of_int32(hole0))) ->
  (((-2147483648) <= (integer_of_int32(result8) + 1)) and
   ((integer_of_int32(result8) + 1) <= 2147483647)) ->
  forall result9:int32.
  (integer_of_int32(result9) = (integer_of_int32(result8) + 1)) ->
  forall child_0_0:int32.
  (child_0_0 = result9) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 2)) and
   ((integer_of_int32(n_1_0) - 2) <= 2147483647)) ->
  forall result10:int32.
  (integer_of_int32(result10) = (integer_of_int32(n_1_0) - 2)) ->
  (integer_of_int32(child_0_0) <> integer_of_int32(result10)) ->
  ("JC_92":
  (forall i_19:int.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) and
      ParentChild(i_19, integer_of_int32(hole0))) ->
     (integer_of_int32(select(intP_intM0, shift(a_4,
     i_19))) >= integer_of_int32(tmp0))))) ->
  ((offset_min(intP_alloc_table, a_4) <= integer_of_int32(hole0)) and
   (integer_of_int32(hole0) <= offset_max(intP_alloc_table, a_4))) ->
  forall intP_intM1:(intP,
  int32) memory.
  (intP_intM1 = store(intP_intM0, shift(a_4, integer_of_int32(hole0)),
  tmp0)) ->
  ("JC_94":
  (forall x_3:int32. (CountWithHole(a_4, x_3, 0, integer_of_int32(hole0),
    integer_of_int32(n_1_0), intP_intM1) = Count(a_4, x_3, 1,
    integer_of_int32(n_1_0), intP_intM)))) ->
  ("JC_95":
  ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
   ((integer_of_int32(select(intP_intM1, shift(a_4,
    integer_of_int32(hole0)))) = integer_of_int32(tmp0)) and
    ((integer_of_int32(tmp0) = integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1))))) and
     (integer_of_int32(select(intP_intM, shift(a_4,
     (integer_of_int32(n_1_0) - 1)))) = integer_of_int32(select(intP_intM1,
     shift(a_4, (integer_of_int32(n_1_0) - 1))))))))) ->
  ("JC_96":
  (forall x_4:int32.
    ((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) -> (Count(a_4,
     x_4, (integer_of_int32(hole0) + 1), ((integer_of_int32(n_1_0) - 1) + 1),
     intP_intM1) = CountWithoutHole(a_4, x_4, (integer_of_int32(hole0) + 1),
     (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0), intP_intM1))))) ->
  ("JC_97":
  (forall x_5:int32.
    (((integer_of_int32(hole0) < (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = (CountWithHole(a_4, x_5, 0,
       integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
       intP_intM1) + Count(a_4, x_5, (integer_of_int32(n_1_0) - 1),
       ((integer_of_int32(n_1_0) - 1) + 1), intP_intM1))) and
       (((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
        (integer_of_int32(n_1_0) - 1), intP_intM1) + Count(a_4, x_5,
        (integer_of_int32(n_1_0) - 1), ((integer_of_int32(n_1_0) - 1) + 1),
        intP_intM1)) = (CountWithoutHole(a_4, x_5, 0,
        integer_of_int32(hole0), (integer_of_int32(hole0) + 1),
        intP_intM1) + Count(a_4, x_5, (integer_of_int32(hole0) + 1),
        (integer_of_int32(n_1_0) - 1), intP_intM1))) and
        (((CountWithoutHole(a_4, x_5, 0, integer_of_int32(hole0),
         (integer_of_int32(hole0) + 1), intP_intM1) + Count(a_4, x_5,
         (integer_of_int32(hole0) + 1), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) = CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1)) and (CountWithoutHole(a_4, x_5, 0,
         integer_of_int32(hole0), (integer_of_int32(n_1_0) - 1),
         intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
         intP_intM1)))))) and
     ((integer_of_int32(hole0) = (integer_of_int32(n_1_0) - 1)) ->
      ((CountWithHole(a_4, x_5, 0, integer_of_int32(hole0),
       integer_of_int32(n_1_0), intP_intM1) = CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1)) and (CountWithHole(a_4, x_5, 0,
       (integer_of_int32(n_1_0) - 1), integer_of_int32(n_1_0),
       intP_intM1) = Count(a_4, x_5, 0, (integer_of_int32(n_1_0) - 1),
       intP_intM1))))))) ->
  ("JC_98":
  (forall x_6:int32.
    ((Count(a_4, x_6, 0, (integer_of_int32(n_1_0) - 1),
     intP_intM1) = CountWithHole(a_4, x_6, 0, integer_of_int32(hole0),
     integer_of_int32(n_1_0), intP_intM1)) and (CountWithHole(a_4, x_6, 0,
     integer_of_int32(hole0), integer_of_int32(n_1_0),
     intP_intM1) = Count(a_4, x_6, 1, integer_of_int32(n_1_0), intP_intM))))) ->
  (((-2147483648) <= (integer_of_int32(n_1_0) - 1)) and
   ((integer_of_int32(n_1_0) - 1) <= 2147483647)) ->
  forall result11:int32.
  (integer_of_int32(result11) = (integer_of_int32(n_1_0) - 1)) ->
  (integer_of_int32(result11) <= offset_max(intP_alloc_table, a_4))

why-2.34/tests/c/oracle/cd1d.err.oracle0000644000175000017500000000000012311670312016225 0ustar  rtuserswhy-2.34/tests/c/oracle/sparse_array2.err.oracle0000644000175000017500000000000012311670312020167 0ustar  rtuserswhy-2.34/tests/c/oracle/double_rounding_multirounding_model.res.oracle0000644000175000017500000022321112311670312024745 0ustar  rtusers========== file tests/c/double_rounding_multirounding_model.c ==========

/* 

Warning: the proof can be achieve with Gappa 0.14.1 but not
with versions 0.15 ou 0.16. Hopefully it will work with 0.16.1 and higher

*/

#pragma JessieFloatModel(multirounding)

double doublerounding() {
  double x = 1.0;
  double y = 0x1p-53 + 0x1p-64;
  double z = x + y;
  //@ assert 1.0 - 0x1p-63 <= z <= 1.0 + 0x1p-52 + 0x1p-62;
  // assert 1.0 <= z <= 1.0 + 0x1p-52;
  return z;
}

/*
Local Variables:
compile-command: "LC_ALL=C make double_rounding_multirounding_model.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/double_rounding_multirounding_model.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/double_rounding_multirounding_model.jessie
[jessie] File tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.jc written.
[jessie] File tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.cloc written.
========== file tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol
# FloatModel = multirounding

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

double doublerounding()
behavior default:
  ensures (_C_7 : true);
{  
   (var double x);
   
   (var double y);
   
   (var double z);
   
   {  (_C_1 : (x = (1.0 :> double)));
      (_C_3 : (y = (_C_2 : ((0x1p-53 :> double) + (0x1p-64 :> double)))));
      (_C_5 : (z = (_C_4 : (x + y))));
      
      {  
         (assert for default: (_C_6 : (jessie : (((1.0 - 0x1p-63) <=
                                                   (z :> real)) &&
                                                  ((z :> real) <=
                                                    ((1.0 + 0x1p-52) +
                                                      0x1p-62))))));
         ()
      };
      
      {  
         (return z)
      }
   }
}
========== file tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.cloc ==========
[_C_4]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 14
begin = 13
end = 18

[_C_5]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 14
begin = 2
end = 8

[doublerounding]
name = "Function doublerounding"
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 11
begin = 7
end = 21

[_C_6]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 15
begin = 13
end = 58

[_C_3]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 13
begin = 2
end = 8

[_C_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_2]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 13
begin = 13
end = 30

[_C_1]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 12
begin = 2
end = 8

========== jessie execution ==========
Generating Why function doublerounding
========== file tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs double_rounding_multirounding_model.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs double_rounding_multirounding_model.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_multi_rounding.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/double_rounding_multirounding_model_why.sx

project: why/double_rounding_multirounding_model.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/double_rounding_multirounding_model_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/double_rounding_multirounding_model_why.vo

coq/double_rounding_multirounding_model_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/double_rounding_multirounding_model_why.v: why/double_rounding_multirounding_model.why
	@echo 'why -coq [...] why/double_rounding_multirounding_model.why' && $(WHY) $(JESSIELIBFILES) why/double_rounding_multirounding_model.why && rm -f coq/jessie_why.v

coq-goals: goals coq/double_rounding_multirounding_model_ctx_why.vo
	for f in why/*_po*.why; do make -f double_rounding_multirounding_model.makefile coq/`basename $$f .why`_why.v ; done

coq/double_rounding_multirounding_model_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/double_rounding_multirounding_model_ctx_why.v: why/double_rounding_multirounding_model_ctx.why
	@echo 'why -coq [...] why/double_rounding_multirounding_model_ctx.why' && $(WHY) why/double_rounding_multirounding_model_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export double_rounding_multirounding_model_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/double_rounding_multirounding_model_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/double_rounding_multirounding_model_ctx_why.vo

pvs: pvs/double_rounding_multirounding_model_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/double_rounding_multirounding_model_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/double_rounding_multirounding_model_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/double_rounding_multirounding_model_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/double_rounding_multirounding_model_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/double_rounding_multirounding_model_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/double_rounding_multirounding_model_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/double_rounding_multirounding_model_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/double_rounding_multirounding_model_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/double_rounding_multirounding_model_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/double_rounding_multirounding_model_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/double_rounding_multirounding_model_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/double_rounding_multirounding_model_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/double_rounding_multirounding_model_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/double_rounding_multirounding_model_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: double_rounding_multirounding_model.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/double_rounding_multirounding_model_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: double_rounding_multirounding_model.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: double_rounding_multirounding_model.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: double_rounding_multirounding_model.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include double_rounding_multirounding_model.depend

depend: coq/double_rounding_multirounding_model_why.v
	-$(COQDEP) -I coq coq/double_rounding_multirounding_model*_why.v > double_rounding_multirounding_model.depend

clean:
	rm -f coq/*.vo

========== file tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.loc ==========
[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.jc"
line = 46
begin = 28
end = 47

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 15
begin = 13
end = 58

[JC_11]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 13
begin = 13
end = 30

[JC_15]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 14
begin = 13
end = 18

[JC_12]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 14
begin = 13
end = 18

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[doublerounding_ensures_default]
name = "Function doublerounding"
behavior = "default behavior"
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 11
begin = 7
end = 21

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 15
begin = 13
end = 58

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 13
begin = 13
end = 30

[doublerounding_safety]
name = "Function doublerounding"
behavior = "Safety"
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 11
begin = 7
end = 21

[JC_1]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 11
begin = 7
end = 21

[JC_10]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_multirounding_model.jessie/double_rounding_multirounding_model.jc"
line = 46
begin = 50
end = 69

[JC_3]
file = "HOME/tests/c/double_rounding_multirounding_model.c"
line = 11
begin = 7
end = 21

========== file tests/c/double_rounding_multirounding_model.jessie/why/double_rounding_multirounding_model.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter doublerounding : tt:unit -> { } double { true }

parameter doublerounding_requires : tt:unit -> { } double { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let doublerounding_ensures_default =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let x_0 = ref (any_double void) in
     (let y = ref (any_double void) in
     (let z = ref (any_double void) in
     begin
       (let _jessie_ = (x_0 := (double_of_real_exact 1.0)) in void);
      (let _jessie_ =
      (y := (JC_14:
            (((add_double_safe nearest_even) ((double_of_real_safe nearest_even) 0x1p-53)) 
             ((double_of_real_safe nearest_even) 0x1p-64)))) in void);
      (let _jessie_ =
      (z := (JC_15: (((add_double_safe nearest_even) !x_0) !y))) in void);
      (assert
      { (JC_16:
        (le_real(sub_real(1.0, 0x1p-63), double_value(z))
        and le_real(double_value(z),
            add_real(add_real(1.0, 0x1p-52), 0x1p-62)))) }; void); void;
      (return := !z); (raise Return) end))); absurd  end with Return ->
   !return end)) { (JC_5: true) }

let doublerounding_safety =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let x_0 = ref (any_double void) in
     (let y = ref (any_double void) in
     (let z = ref (any_double void) in
     begin
       (let _jessie_ = (x_0 := (double_of_real_exact 1.0)) in void);
      (let _jessie_ =
      (y := (JC_11:
            (((add_double nearest_even) (JC_9:
                                        ((double_of_real nearest_even) 0x1p-53))) 
             (JC_10: ((double_of_real nearest_even) 0x1p-64))))) in void);
      (let _jessie_ =
      (z := (JC_12: (((add_double nearest_even) !x_0) !y))) in void);
      [ { } unit reads z
        { (JC_13:
          (le_real(sub_real(1.0, 0x1p-63), double_value(z))
          and le_real(double_value(z),
              add_real(add_real(1.0, 0x1p-52), 0x1p-62)))) } ]; void;
      (return := !z); (raise Return) end))); absurd  end with Return ->
   !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/double_rounding_multirounding_model.why
========== file tests/c/double_rounding_multirounding_model.jessie/why/double_rounding_multirounding_model_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

logic cond_sub_double : mode, double, double -> int

axiom cond_sub_double_axiom1:
  (forall m:mode.
    (forall x:double.
      (forall y:double.
        ((abs_real((double_value(x) - double_value(y))) >= 0x1.p-1022) ->
         (cond_sub_double(m, x, y) = 1)))))

axiom cond_sub_double_axiom2:
  (forall m:mode.
    (forall x:double.
      (forall y:double.
        ((((0x1.p-1075 <= abs_real((double_value(x) - double_value(y)))) and
           (abs_real((double_value(x) - double_value(y))) <= 0x1.p-1022)) and
          ((abs_real((double_value(x) - double_value(y))) <> 0x1.p-1022) and
           (abs_real((double_value(x) - double_value(y))) <> 0x1.p-1075))) ->
         (cond_sub_double(m, x, y) = 2)))))

axiom cond_sub_double_axiom3:
  (forall m:mode.
    (forall x:double.
      (forall y:double.
        (((0.0 <= abs_real((double_value(x) - double_value(y)))) and
          (abs_real((double_value(x) - double_value(y))) <= 0x1.p-1075)) ->
         (cond_sub_double(m, x, y) = 3)))))

logic post_cond_sub_double : mode, double, double, double -> int

axiom post_cond_sub_double_axiom1:
  (forall m:mode.
    (forall x:double.
      (forall y:double.
        (forall result:double.
          ((post_cond_sub_double(m, x, y, result) = 1) ->
           (abs_real(div_real((double_value(result) - (double_value(x) - double_value(y))),
           (double_value(x) - double_value(y)))) <= 0x1.p-53))))))

axiom post_cond_sub_double_axiom2:
  (forall m:mode.
    (forall x:double.
      (forall y:double.
        (forall result:double.
          ((post_cond_sub_double(m, x, y, result) = 2) ->
           (double_value(result) = (double_value(x) - double_value(y))))))))

axiom post_cond_sub_double_axiom3:
  (forall m:mode.
    (forall x:double.
      (forall y:double.
        (forall result:double.
          ((post_cond_sub_double(m, x, y, result) = 3) ->
           (double_value(result) = 0.0))))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate add_double_post(m: mode, x: double, y: double, result: double) =
  ((((abs_real((double_value(x) + double_value(y))) >= 0x1.p-1022) and
     (abs_real((double_value(result) - (double_value(x) + double_value(y)))) <= (0x1.004p-53 * abs_real((double_value(x) + double_value(y)))))) or
    ((abs_real((double_value(x) + double_value(y))) <= 0x1.p-1022) and
     (abs_real((double_value(result) - (double_value(x) + double_value(y)))) <= 0x1.002p-1075))) and
   ((double_exact(result) = (double_exact(x) + double_exact(y))) and
    (double_model(result) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, result: double) =
  ((((abs_real((double_value(x) - double_value(y))) >= 0x1.p-1022) and
     (abs_real((double_value(result) - (double_value(x) - double_value(y)))) <= (0x1.004p-53 * abs_real((double_value(x) - double_value(y)))))) or
    (((0.0 <= abs_real((double_value(x) - double_value(y)))) and
      (abs_real((double_value(x) - double_value(y))) <= 0x1.p-1022)) and
     (abs_real((double_value(result) - (double_value(x) - double_value(y)))) <= 0x1.002p-1075))) and
   ((double_exact(result) = (double_exact(x) - double_exact(y))) and
    (double_model(result) = (double_model(x) - double_model(y)))))

predicate neg_double_post(m: mode, x: double, result: double) =
  ((((abs_real((-double_value(x))) >= 0x1.p-1022) and
     (abs_real(div_real((double_value(result) + double_value(x)),
     double_value(x))) <= 0x1.004p-53)) or
    (((0.0 <= abs_real((-double_value(x)))) and
      (abs_real((-double_value(x))) <= 0x1.p-1022)) and
     (abs_real((double_value(result) + double_value(x))) <= 0x1.002p-1075))) and
   ((double_exact(result) = (-double_exact(x))) and
    (double_model(result) = (-double_model(x)))))

predicate mul_double_post(m: mode, x: double, y: double, result: double) =
  ((((abs_real((double_value(x) * double_value(y))) >= 0x1.p-1022) and
     (abs_real((double_value(result) - (double_value(x) * double_value(y)))) <= (0x1.004p-53 * abs_real((double_value(x) * double_value(y)))))) or
    ((abs_real((double_value(x) * double_value(y))) <= 0x1.p-1022) and
     (abs_real((double_value(result) - (double_value(x) * double_value(y)))) <= 0x1.002p-1075))) and
   ((double_exact(result) = (double_exact(x) * double_exact(y))) and
    (double_model(result) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, result: double) =
  ((((abs_real(div_real(double_value(x), double_value(y))) >= 0x1.p-1022) and
     (abs_real((double_value(result) - div_real(double_value(x),
     double_value(y)))) <= (0x1.004p-53 * abs_real(div_real(double_value(x),
     double_value(y)))))) or
    ((abs_real(div_real(double_value(x), double_value(y))) <= 0x1.p-1022) and
     (abs_real((double_value(result) - div_real(double_value(x),
     double_value(y)))) <= 0x1.002p-1075))) and
   ((double_exact(result) = div_real(double_exact(x), double_exact(y))) and
    (double_model(result) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, result: double) =
  ((((abs_real(sqrt_real(double_value(x))) >= 0x1.p-1022) and
     (abs_real((double_value(result) - sqrt_real(double_value(x)))) <= (0x1.004p-53 * abs_real(sqrt_real(double_value(x)))))) or
    ((abs_real(sqrt_real(double_value(x))) <= 0x1.p-1022) and
     (abs_real((double_value(result) - sqrt_real(double_value(x)))) <= 0x1.002p-1075))) and
   ((double_exact(result) = sqrt_real(double_exact(x))) and
    (double_model(result) = sqrt_real(double_model(x)))))

predicate abs_double_post(m: mode, x: double, result: double) =
  ((((abs_real(double_value(x)) >= 0x1.p-1022) and
     (abs_real((double_value(result) - abs_real(double_value(x)))) <= (0x1.004p-53 * abs_real(abs_real(double_value(x)))))) or
    ((abs_real(double_value(x)) <= 0x1.p-1022) and
     (abs_real((double_value(result) - abs_real(double_value(x)))) <= 0x1.002p-1075))) and
   ((double_exact(result) = abs_real(double_exact(x))) and
    (double_model(result) = abs_real(double_model(x)))))

type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal doublerounding_ensures_default_po_1:
  ("JC_4": true) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall x_0:double.
  (x_0 = result) ->
  forall result0:double.
  (no_overflow_double(nearest_even, 0x1.p-53) and
   double_of_real_post(nearest_even, 0x1.p-53, result0)) ->
  forall result1:double.
  (no_overflow_double(nearest_even, 0x1.p-64) and
   double_of_real_post(nearest_even, 0x1.p-64, result1)) ->
  forall result2:double.
  (no_overflow_double(nearest_even,
   (double_value(result0) + double_value(result1))) and
   add_double_post(nearest_even, result0, result1, result2)) ->
  forall y:double.
  (y = result2) ->
  forall result3:double.
  (no_overflow_double(nearest_even,
   (double_value(x_0) + double_value(y))) and add_double_post(nearest_even,
   x_0, y, result3)) ->
  forall z:double.
  (z = result3) ->
  ("JC_16": ((1.0 - 0x1.p-63) <= double_value(z)))

goal doublerounding_ensures_default_po_2:
  ("JC_4": true) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall x_0:double.
  (x_0 = result) ->
  forall result0:double.
  (no_overflow_double(nearest_even, 0x1.p-53) and
   double_of_real_post(nearest_even, 0x1.p-53, result0)) ->
  forall result1:double.
  (no_overflow_double(nearest_even, 0x1.p-64) and
   double_of_real_post(nearest_even, 0x1.p-64, result1)) ->
  forall result2:double.
  (no_overflow_double(nearest_even,
   (double_value(result0) + double_value(result1))) and
   add_double_post(nearest_even, result0, result1, result2)) ->
  forall y:double.
  (y = result2) ->
  forall result3:double.
  (no_overflow_double(nearest_even,
   (double_value(x_0) + double_value(y))) and add_double_post(nearest_even,
   x_0, y, result3)) ->
  forall z:double.
  (z = result3) ->
  ("JC_16": (double_value(z) <= ((1.0 + 0x1.p-52) + 0x1.p-62)))

goal doublerounding_safety_po_1:
  ("JC_4": true) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall x_0:double.
  (x_0 = result) ->
  no_overflow_double(nearest_even, 0x1.p-53)

goal doublerounding_safety_po_2:
  ("JC_4": true) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall x_0:double.
  (x_0 = result) ->
  no_overflow_double(nearest_even, 0x1.p-53) ->
  forall result0:double.
  double_of_real_post(nearest_even, 0x1.p-53, result0) ->
  no_overflow_double(nearest_even, 0x1.p-64)

goal doublerounding_safety_po_3:
  ("JC_4": true) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall x_0:double.
  (x_0 = result) ->
  no_overflow_double(nearest_even, 0x1.p-53) ->
  forall result0:double.
  double_of_real_post(nearest_even, 0x1.p-53, result0) ->
  no_overflow_double(nearest_even, 0x1.p-64) ->
  forall result1:double.
  double_of_real_post(nearest_even, 0x1.p-64, result1) ->
  no_overflow_double(nearest_even,
  (double_value(result0) + double_value(result1)))

goal doublerounding_safety_po_4:
  ("JC_4": true) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall x_0:double.
  (x_0 = result) ->
  no_overflow_double(nearest_even, 0x1.p-53) ->
  forall result0:double.
  double_of_real_post(nearest_even, 0x1.p-53, result0) ->
  no_overflow_double(nearest_even, 0x1.p-64) ->
  forall result1:double.
  double_of_real_post(nearest_even, 0x1.p-64, result1) ->
  no_overflow_double(nearest_even,
  (double_value(result0) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, result0, result1, result2) ->
  forall y:double.
  (y = result2) ->
  no_overflow_double(nearest_even, (double_value(x_0) + double_value(y)))

why-2.34/tests/c/oracle/maze.err.oracle0000644000175000017500000000000012311670312016346 0ustar  rtuserswhy-2.34/tests/c/oracle/floats_bsearch.err.oracle0000644000175000017500000000000012311670312020371 0ustar  rtuserswhy-2.34/tests/c/oracle/find_array.res.oracle0000644000175000017500000051167512311670312017562 0ustar  rtusers========== file tests/c/find_array.c ==========
/** from Julien Signoles' tutorial
 **/

/*@
  predicate sorted{L}(int* arr, integer length) =
  \forall integer i, j; 0 <= i <= j < length ==> arr[i] <= arr[j];

  predicate mem{L}(int elt, int* arr, integer length) =
  \exists integer i; 0 <= i = 0;
  requires \valid(arr+(0..(length-1)));

  assigns \nothing;

  behavior exists:
    assumes mem(query, arr, length);
    ensures arr[\result] == query;

  behavior not_exists:
    assumes ! mem(query, arr, length);
    ensures \result == -1;
*/
int find_array(int* arr, int length, int query) {
  int low = 0;
  int high = length - 1;
  /*@
    loop invariant 0 <= low;
    loop invariant high < length;
    loop invariant \forall integer i; 0 <= i < low ==> arr[i] < query;
    loop invariant \forall integer i; high < i < length ==> arr[i] > query;
    loop variant high - low;
  */
  while (low <= high) {
    int mean = low + (high -low) / 2;
    if (arr[mean] == query) return mean;
    if (arr[mean] < query) low = mean + 1;
    else high = mean - 1;
  }
  return -1;
}

/*
Local Variables:
compile-command: "frama-c -jessie find_array.c"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/find_array.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/find_array.jessie
[jessie] File tests/c/find_array.jessie/find_array.jc written.
[jessie] File tests/c/find_array.jessie/find_array.cloc written.
========== file tests/c/find_array.jessie/find_array.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate sorted{L}(intP[..] arr, integer length) =
(\forall integer i_1;
  (\forall integer j_0;
    (((0 <= i_1) && ((i_1 <= j_0) && (j_0 < length))) ==>
      ((arr + i_1).intM <= (arr + j_0).intM))))

predicate mem{L}(int32 elt, intP[..] arr_0, integer length_0) =
(\exists integer i_2;
  (((0 <= i_2) && (i_2 < length_0)) && ((arr_0 + i_2).intM == elt)))

int32 find_array(intP[..] arr, int32 length, int32 query)
  requires (_C_36 : sorted{Here}(arr, length));
  requires (_C_35 : (length >= 0));
  requires (_C_32 : ((_C_33 : (\offset_min(arr) <= 0)) &&
                      (_C_34 : (\offset_max(arr) >= (length - 1)))));
behavior default:
  assigns \nothing;
  ensures (_C_29 : true);
behavior exists:
  assumes mem{Here}(query, arr, length);
  ensures (_C_30 : ((\at(arr,Old) + \result).intM == \at(query,Old)));
behavior not_exists:
  assumes (! mem{Here}(query, arr, length));
  ensures (_C_31 : (\result == (- 1)));
{  
   (var int32 low);
   
   (var int32 high);
   
   (var int32 mean);
   
   (var int32 __retres);
   
   {  (_C_1 : (low = 0));
      (_C_4 : (high = (_C_3 : ((_C_2 : (length - 1)) :> int32))));
      
      loop 
      behavior default:
        invariant (_C_9 : (0 <= low));
      behavior default:
        invariant (_C_8 : (high < length));
      behavior default:
        invariant (_C_7 : (\forall integer i_3;
                            (((0 <= i_3) && (i_3 < low)) ==>
                              ((arr + i_3).intM < query))));
      behavior default:
        invariant (_C_6 : (\forall integer i_4;
                            (((high < i_4) && (i_4 < length)) ==>
                              ((arr + i_4).intM > query))));
      variant (_C_5 : (high - low));
      while (true)
      {  
         {  (if (low <= high) then () else 
            (goto while_0_break));
            
            {  (_C_16 : (mean = (_C_15 : ((_C_14 : (low +
                                                     (_C_13 : ((_C_12 : 
                                                               ((_C_11 : (
                                                                (_C_10 : 
                                                                (high -
                                                                  low)) :> int32)) /
                                                                 2)) :> int32)))) :> int32))));
               (if ((_C_19 : (_C_18 : (arr + mean)).intM) == query) then 
               {  (_C_17 : (__retres = mean));
                  
                  (goto return_label)
               } else ());
               (if ((_C_27 : (_C_26 : (arr + mean)).intM) < query) then 
               (_C_25 : (low = (_C_24 : ((_C_23 : (mean + 1)) :> int32)))) else 
               (_C_22 : (high = (_C_21 : ((_C_20 : (mean - 1)) :> int32)))))
            }
         }
      };
      (while_0_break : ());
      (_C_28 : (__retres = -1));
      (return_label : 
      (return __retres))
   }
}
========== file tests/c/find_array.jessie/find_array.cloc ==========
[_C_35]
file = "HOME/tests/c/find_array.c"
line = 14
begin = 11
end = 22

[_C_28]
file = "HOME/tests/c/find_array.c"
line = 43
begin = 2
end = 12

[_C_31]
file = "HOME/tests/c/find_array.c"
line = 25
begin = 12
end = 25

[find_array]
name = "Function find_array"
file = "HOME/tests/c/find_array.c"
line = 27
begin = 4
end = 14

[_C_4]
file = "HOME/tests/c/find_array.c"
line = 29
begin = 2
end = 5

[_C_32]
file = "HOME/tests/c/find_array.c"
line = 15
begin = 11
end = 38

[_C_23]
file = "HOME/tests/c/find_array.c"
line = 40
begin = 33
end = 41

[_C_19]
file = "HOME/tests/c/find_array.c"
line = 39
begin = 8
end = 17

[_C_13]
file = "HOME/tests/c/find_array.c"
line = 38
begin = 21
end = 36

[_C_5]
file = "HOME/tests/c/find_array.c"
line = 35
begin = 17
end = 27

[_C_36]
file = "HOME/tests/c/find_array.c"
line = 13
begin = 11
end = 29

[_C_12]
file = "HOME/tests/c/find_array.c"
line = 38
begin = 21
end = 36

[_C_33]
file = "HOME/tests/c/find_array.c"
line = 15
begin = 11
end = 38

[_C_22]
file = "HOME/tests/c/find_array.c"
line = 41
begin = 16
end = 24

[_C_9]
file = "HOME/tests/c/find_array.c"
line = 31
begin = 19
end = 27

[_C_30]
file = "HOME/tests/c/find_array.c"
line = 21
begin = 12
end = 33

[_C_6]
file = "HOME/tests/c/find_array.c"
line = 34
begin = 19
end = 74

[_C_24]
file = "HOME/tests/c/find_array.c"
line = 40
begin = 33
end = 41

[_C_20]
file = "HOME/tests/c/find_array.c"
line = 41
begin = 16
end = 24

[_C_3]
file = "HOME/tests/c/find_array.c"
line = 29
begin = 13
end = 23

[_C_17]
file = "HOME/tests/c/find_array.c"
line = 39
begin = 28
end = 40

[_C_7]
file = "HOME/tests/c/find_array.c"
line = 33
begin = 19
end = 69

[_C_27]
file = "HOME/tests/c/find_array.c"
line = 40
begin = 8
end = 17

[_C_15]
file = "HOME/tests/c/find_array.c"
line = 38
begin = 15
end = 36

[_C_26]
file = "HOME/tests/c/find_array.c"
line = 40
begin = 8
end = 11

[_C_10]
file = "HOME/tests/c/find_array.c"
line = 38
begin = 22
end = 31

[_C_8]
file = "HOME/tests/c/find_array.c"
line = 32
begin = 19
end = 32

[_C_18]
file = "HOME/tests/c/find_array.c"
line = 39
begin = 8
end = 11

[_C_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_14]
file = "HOME/tests/c/find_array.c"
line = 38
begin = 15
end = 36

[_C_2]
file = "HOME/tests/c/find_array.c"
line = 29
begin = 13
end = 23

[_C_34]
file = "HOME/tests/c/find_array.c"
line = 15
begin = 11
end = 38

[_C_16]
file = "HOME/tests/c/find_array.c"
line = 38
begin = 4
end = 7

[_C_1]
file = "HOME/tests/c/find_array.c"
line = 28
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/find_array.c"
line = 40
begin = 33
end = 41

[_C_11]
file = "HOME/tests/c/find_array.c"
line = 38
begin = 22
end = 31

[_C_21]
file = "HOME/tests/c/find_array.c"
line = 41
begin = 16
end = 24

========== jessie execution ==========
Generating Why function find_array
========== file tests/c/find_array.jessie/find_array.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs find_array.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs find_array.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/find_array_why.sx

project: why/find_array.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/find_array_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/find_array_why.vo

coq/find_array_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/find_array_why.v: why/find_array.why
	@echo 'why -coq [...] why/find_array.why' && $(WHY) $(JESSIELIBFILES) why/find_array.why && rm -f coq/jessie_why.v

coq-goals: goals coq/find_array_ctx_why.vo
	for f in why/*_po*.why; do make -f find_array.makefile coq/`basename $$f .why`_why.v ; done

coq/find_array_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/find_array_ctx_why.v: why/find_array_ctx.why
	@echo 'why -coq [...] why/find_array_ctx.why' && $(WHY) why/find_array_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export find_array_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/find_array_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/find_array_ctx_why.vo

pvs: pvs/find_array_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/find_array_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/find_array_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/find_array_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/find_array_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/find_array_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/find_array_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/find_array_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/find_array_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/find_array_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/find_array_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/find_array_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/find_array_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/find_array_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/find_array_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: find_array.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/find_array_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: find_array.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: find_array.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: find_array.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include find_array.depend

depend: coq/find_array_why.v
	-$(COQDEP) -I coq coq/find_array*_why.v > find_array.depend

clean:
	rm -f coq/*.vo

========== file tests/c/find_array.jessie/find_array.loc ==========
[JC_63]
kind = DivByZero
file = "HOME/tests/c/find_array.c"
line = 38
begin = 21
end = 36

[JC_51]
file = "HOME/tests/c/find_array.c"
line = 31
begin = 19
end = 27

[JC_45]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_31]
kind = ArithOverflow
file = "HOME/tests/c/find_array.c"
line = 38
begin = 22
end = 31

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
kind = DivByZero
file = "HOME/tests/c/find_array.c"
line = 38
begin = 21
end = 36

[JC_48]
file = "HOME/tests/c/find_array.c"
line = 34
begin = 19
end = 74

[JC_23]
kind = ArithOverflow
file = "HOME/tests/c/find_array.c"
line = 29
begin = 13
end = 23

[JC_22]
file = "HOME/tests/c/find_array.c"
line = 25
begin = 12
end = 25

[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[find_array_safety]
name = "Function find_array"
behavior = "Safety"
file = "HOME/tests/c/find_array.c"
line = 27
begin = 4
end = 14

[JC_9]
file = "HOME/tests/c/find_array.c"
line = 15
begin = 11
end = 38

[JC_24]
file = "HOME/tests/c/find_array.c"
line = 34
begin = 19
end = 74

[JC_25]
file = "HOME/tests/c/find_array.c"
line = 33
begin = 19
end = 69

[JC_41]
file = "HOME/tests/c/find_array.c"
line = 33
begin = 19
end = 69

[JC_47]
kind = DivByZero
file = "HOME/tests/c/find_array.c"
line = 38
begin = 21
end = 36

[JC_52]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_26]
file = "HOME/tests/c/find_array.c"
line = 32
begin = 19
end = 32

[JC_8]
file = "HOME/tests/c/find_array.c"
line = 14
begin = 11
end = 22

[JC_54]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[find_array_ensures_not_exists]
name = "Function find_array"
behavior = "Behavior `not_exists'"
file = "HOME/tests/c/find_array.c"
line = 27
begin = 4
end = 14

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
kind = PointerDeref
file = "HOME/tests/c/find_array.c"
line = 40
begin = 8
end = 17

[JC_39]
file = "HOME/tests/c/find_array.c"
line = 35
begin = 17
end = 27

[JC_40]
file = "HOME/tests/c/find_array.c"
line = 34
begin = 19
end = 74

[JC_35]
kind = PointerDeref
file = "HOME/tests/c/find_array.c"
line = 39
begin = 8
end = 17

[JC_27]
file = "HOME/tests/c/find_array.c"
line = 31
begin = 19
end = 27

[JC_38]
kind = ArithOverflow
file = "HOME/tests/c/find_array.c"
line = 41
begin = 16
end = 24

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_44]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/tests/c/find_array.c"
line = 15
begin = 11
end = 38

[JC_62]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_42]
file = "HOME/tests/c/find_array.c"
line = 32
begin = 19
end = 32

[JC_46]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_61]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_32]
kind = DivByZero
file = "HOME/tests/c/find_array.c"
line = 38
begin = 21
end = 36

[JC_56]
file = "HOME/tests/c/find_array.c"
line = 34
begin = 19
end = 74

[JC_33]
kind = ArithOverflow
file = "HOME/tests/c/find_array.c"
line = 38
begin = 21
end = 36

[JC_29]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_7]
file = "HOME/tests/c/find_array.c"
line = 13
begin = 11
end = 29

[JC_16]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 58
begin = 10
end = 18

[JC_43]
file = "HOME/tests/c/find_array.c"
line = 31
begin = 19
end = 27

[JC_2]
file = "HOME/tests/c/find_array.c"
line = 14
begin = 11
end = 22

[JC_34]
kind = ArithOverflow
file = "HOME/tests/c/find_array.c"
line = 38
begin = 15
end = 36

[JC_14]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 58
begin = 10
end = 18

[JC_53]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_21]
file = "HOME/tests/c/find_array.c"
line = 25
begin = 12
end = 25

[JC_49]
file = "HOME/tests/c/find_array.c"
line = 33
begin = 19
end = 69

[JC_1]
file = "HOME/tests/c/find_array.c"
line = 13
begin = 11
end = 29

[JC_37]
kind = ArithOverflow
file = "HOME/tests/c/find_array.c"
line = 40
begin = 33
end = 41

[JC_10]
file = "HOME/tests/c/find_array.c"
line = 15
begin = 11
end = 38

[JC_57]
file = "HOME/tests/c/find_array.c"
line = 33
begin = 19
end = 69

[JC_59]
file = "HOME/tests/c/find_array.c"
line = 31
begin = 19
end = 27

[find_array_ensures_default]
name = "Function find_array"
behavior = "default behavior"
file = "HOME/tests/c/find_array.c"
line = 27
begin = 4
end = 14

[JC_20]
file = "HOME/tests/c/find_array.c"
line = 21
begin = 12
end = 33

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/find_array.c"
line = 15
begin = 11
end = 38

[JC_60]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/c/find_array.c"
line = 21
begin = 12
end = 33

[find_array_ensures_exists]
name = "Function find_array"
behavior = "Behavior `exists'"
file = "HOME/tests/c/find_array.c"
line = 27
begin = 4
end = 14

[JC_50]
file = "HOME/tests/c/find_array.c"
line = 32
begin = 19
end = 32

[JC_30]
file = "HOME/tests/c/find_array.jessie/find_array.jc"
line = 78
begin = 6
end = 1695

[JC_58]
file = "HOME/tests/c/find_array.c"
line = 32
begin = 19
end = 32

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/find_array.jessie/why/find_array.why ==========
type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

predicate mem(elt:int32, arr_0:intP pointer, length_0:int,
 intP_intM_arr_0_2_at_L:(intP, int32) memory) =
 (exists i_2:int.
  (le_int((0), i_2)
  and (lt_int(i_2, length_0)
      and (integer_of_int32(select(intP_intM_arr_0_2_at_L, shift(arr_0, i_2))) = 
          integer_of_int32(elt)))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate sorted(arr:intP pointer, length:int,
 intP_intM_arr_1_at_L:(intP, int32) memory) =
 (forall i_1:int.
  (forall j_0:int.
   ((le_int((0), i_1) and (le_int(i_1, j_0) and lt_int(j_0, length))) ->
    le_int(integer_of_int32(select(intP_intM_arr_1_at_L, shift(arr, i_1))),
    integer_of_int32(select(intP_intM_arr_1_at_L, shift(arr, j_0)))))))

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter find_array :
 arr_1:intP pointer ->
  length_1:int32 ->
   query:int32 ->
    intP_arr_3_alloc_table:intP alloc_table ->
     intP_intM_arr_3:(intP, int32) memory ->
      { } int32
      { (((not mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3)) ->
          (JC_22: (integer_of_int32(result) = neg_int((1)))))
        and (mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3) ->
             (JC_20:
             (integer_of_int32(select(intP_intM_arr_3,
                               shift(arr_1, integer_of_int32(result)))) = 
             integer_of_int32(query))))) }

parameter find_array_requires :
 arr_1:intP pointer ->
  length_1:int32 ->
   query:int32 ->
    intP_arr_3_alloc_table:intP alloc_table ->
     intP_intM_arr_3:(intP, int32) memory ->
      { (JC_5:
        ((JC_1: sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3))
        and ((JC_2: ge_int(integer_of_int32(length_1), (0)))
            and ((JC_3:
                 le_int(offset_min(intP_arr_3_alloc_table, arr_1), (0)))
                and (JC_4:
                    ge_int(offset_max(intP_arr_3_alloc_table, arr_1),
                    sub_int(integer_of_int32(length_1), (1))))))))}
      int32
      { (((not mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3)) ->
          (JC_22: (integer_of_int32(result) = neg_int((1)))))
        and (mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3) ->
             (JC_20:
             (integer_of_int32(select(intP_intM_arr_3,
                               shift(arr_1, integer_of_int32(result)))) = 
             integer_of_int32(query))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let find_array_ensures_default =
 fun (arr_1 : intP pointer) (length_1 : int32) (query : int32) (intP_arr_3_alloc_table : intP alloc_table) (intP_intM_arr_3 : (intP, int32) memory) ->
  { (JC_11:
    ((JC_7: sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3))
    and ((JC_8: ge_int(integer_of_int32(length_1), (0)))
        and ((JC_9: le_int(offset_min(intP_arr_3_alloc_table, arr_1), (0)))
            and (JC_10:
                ge_int(offset_max(intP_arr_3_alloc_table, arr_1),
                sub_int(integer_of_int32(length_1), (1)))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let low = ref (any_int32 void) in
     (let high = ref (any_int32 void) in
     (let mean = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (low := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (high := (safe_int32_of_integer_ ((sub_int (integer_of_int32 length_1)) (1)))) in
          void);
          (loop_2:
          begin
            while true do
            { invariant
                ((JC_40:
                 (forall i_4:int.
                  ((lt_int(integer_of_int32(high), i_4)
                   and lt_int(i_4, integer_of_int32(length_1))) ->
                   gt_int(integer_of_int32(select(intP_intM_arr_3,
                                           shift(arr_1, i_4))),
                   integer_of_int32(query)))))
                and ((JC_41:
                     (forall i_3:int.
                      ((le_int((0), i_3)
                       and lt_int(i_3, integer_of_int32(low))) ->
                       lt_int(integer_of_int32(select(intP_intM_arr_3,
                                               shift(arr_1, i_3))),
                       integer_of_int32(query)))))
                    and ((JC_42:
                         lt_int(integer_of_int32(high),
                         integer_of_int32(length_1)))
                        and (JC_43: le_int((0), integer_of_int32(low)))))) 
               }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ (integer_of_int32 !low)) (integer_of_int32 !high))
                   then void else (raise (Goto_while_0_break_exc void)));
                  (let _jessie_ =
                  (mean := (safe_int32_of_integer_ ((add_int (integer_of_int32 !low)) 
                                                    (integer_of_int32 
                                                     (safe_int32_of_integer_ 
                                                      (JC_47:
                                                      ((computer_div 
                                                        (integer_of_int32 
                                                         (safe_int32_of_integer_ 
                                                          ((sub_int (integer_of_int32 !high)) 
                                                           (integer_of_int32 !low))))) (2)))))))) in
                  void);
                  (if ((eq_int_ (integer_of_int32 ((safe_acc_ intP_intM_arr_3) 
                                                   ((shift arr_1) (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (let _jessie_ = (__retres := !mean) in void);
                    (raise (Return_label_exc void)) end else void);
                  (if ((lt_int_ (integer_of_int32 ((safe_acc_ intP_intM_arr_3) 
                                                   ((shift arr_1) (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (low := (safe_int32_of_integer_ ((add_int (integer_of_int32 !mean)) (1))));
                    !low end
                  else
                   begin
                     (high := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !mean)) (1))));
                    !high end) end in void); (raise (Loop_continue_exc void))
               end with Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end)) { (JC_14: true) }

let find_array_ensures_exists =
 fun (arr_1 : intP pointer) (length_1 : int32) (query : int32) (intP_arr_3_alloc_table : intP alloc_table) (intP_intM_arr_3 : (intP, int32) memory) ->
  { (mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3)
    and (JC_11:
        ((JC_7: sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3))
        and ((JC_8: ge_int(integer_of_int32(length_1), (0)))
            and ((JC_9:
                 le_int(offset_min(intP_arr_3_alloc_table, arr_1), (0)))
                and (JC_10:
                    ge_int(offset_max(intP_arr_3_alloc_table, arr_1),
                    sub_int(integer_of_int32(length_1), (1))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let low = ref (any_int32 void) in
     (let high = ref (any_int32 void) in
     (let mean = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (low := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (high := (safe_int32_of_integer_ ((sub_int (integer_of_int32 length_1)) (1)))) in
          void);
          (loop_3:
          begin
            while true do
            { invariant (JC_53: true)  }
             begin
               [ { } unit reads high,low
                 { ((JC_48:
                    (forall i_4:int.
                     ((lt_int(integer_of_int32(high), i_4)
                      and lt_int(i_4, integer_of_int32(length_1))) ->
                      gt_int(integer_of_int32(select(intP_intM_arr_3,
                                              shift(arr_1, i_4))),
                      integer_of_int32(query)))))
                   and ((JC_49:
                        (forall i_3:int.
                         ((le_int((0), i_3)
                          and lt_int(i_3, integer_of_int32(low))) ->
                          lt_int(integer_of_int32(select(intP_intM_arr_3,
                                                  shift(arr_1, i_3))),
                          integer_of_int32(query)))))
                       and ((JC_50:
                            lt_int(integer_of_int32(high),
                            integer_of_int32(length_1)))
                           and (JC_51: le_int((0), integer_of_int32(low)))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ (integer_of_int32 !low)) (integer_of_int32 !high))
                   then void else (raise (Goto_while_0_break_exc void)));
                  (let _jessie_ =
                  (mean := (safe_int32_of_integer_ ((add_int (integer_of_int32 !low)) 
                                                    (integer_of_int32 
                                                     (safe_int32_of_integer_ 
                                                      (JC_55:
                                                      ((computer_div 
                                                        (integer_of_int32 
                                                         (safe_int32_of_integer_ 
                                                          ((sub_int (integer_of_int32 !high)) 
                                                           (integer_of_int32 !low))))) (2)))))))) in
                  void);
                  (if ((eq_int_ (integer_of_int32 ((safe_acc_ intP_intM_arr_3) 
                                                   ((shift arr_1) (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (let _jessie_ = (__retres := !mean) in void);
                    (raise (Return_label_exc void)) end else void);
                  (if ((lt_int_ (integer_of_int32 ((safe_acc_ intP_intM_arr_3) 
                                                   ((shift arr_1) (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (low := (safe_int32_of_integer_ ((add_int (integer_of_int32 !mean)) (1))));
                    !low end
                  else
                   begin
                     (high := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !mean)) (1))));
                    !high end) end in void); (raise (Loop_continue_exc void))
               end with Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_19:
    (integer_of_int32(select(intP_intM_arr_3,
                      shift(arr_1, integer_of_int32(result)))) = integer_of_int32(query))) }

let find_array_ensures_not_exists =
 fun (arr_1 : intP pointer) (length_1 : int32) (query : int32) (intP_arr_3_alloc_table : intP alloc_table) (intP_intM_arr_3 : (intP, int32) memory) ->
  { ((not mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3))
    and (JC_11:
        ((JC_7: sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3))
        and ((JC_8: ge_int(integer_of_int32(length_1), (0)))
            and ((JC_9:
                 le_int(offset_min(intP_arr_3_alloc_table, arr_1), (0)))
                and (JC_10:
                    ge_int(offset_max(intP_arr_3_alloc_table, arr_1),
                    sub_int(integer_of_int32(length_1), (1))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let low = ref (any_int32 void) in
     (let high = ref (any_int32 void) in
     (let mean = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (low := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (high := (safe_int32_of_integer_ ((sub_int (integer_of_int32 length_1)) (1)))) in
          void);
          (loop_4:
          begin
            while true do
            { invariant (JC_61: true)  }
             begin
               [ { } unit reads high,low
                 { ((JC_56:
                    (forall i_4:int.
                     ((lt_int(integer_of_int32(high), i_4)
                      and lt_int(i_4, integer_of_int32(length_1))) ->
                      gt_int(integer_of_int32(select(intP_intM_arr_3,
                                              shift(arr_1, i_4))),
                      integer_of_int32(query)))))
                   and ((JC_57:
                        (forall i_3:int.
                         ((le_int((0), i_3)
                          and lt_int(i_3, integer_of_int32(low))) ->
                          lt_int(integer_of_int32(select(intP_intM_arr_3,
                                                  shift(arr_1, i_3))),
                          integer_of_int32(query)))))
                       and ((JC_58:
                            lt_int(integer_of_int32(high),
                            integer_of_int32(length_1)))
                           and (JC_59: le_int((0), integer_of_int32(low)))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ (integer_of_int32 !low)) (integer_of_int32 !high))
                   then void else (raise (Goto_while_0_break_exc void)));
                  (let _jessie_ =
                  (mean := (safe_int32_of_integer_ ((add_int (integer_of_int32 !low)) 
                                                    (integer_of_int32 
                                                     (safe_int32_of_integer_ 
                                                      (JC_63:
                                                      ((computer_div 
                                                        (integer_of_int32 
                                                         (safe_int32_of_integer_ 
                                                          ((sub_int (integer_of_int32 !high)) 
                                                           (integer_of_int32 !low))))) (2)))))))) in
                  void);
                  (if ((eq_int_ (integer_of_int32 ((safe_acc_ intP_intM_arr_3) 
                                                   ((shift arr_1) (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (let _jessie_ = (__retres := !mean) in void);
                    (raise (Return_label_exc void)) end else void);
                  (if ((lt_int_ (integer_of_int32 ((safe_acc_ intP_intM_arr_3) 
                                                   ((shift arr_1) (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (low := (safe_int32_of_integer_ ((add_int (integer_of_int32 !mean)) (1))));
                    !low end
                  else
                   begin
                     (high := (safe_int32_of_integer_ ((sub_int (integer_of_int32 !mean)) (1))));
                    !high end) end in void); (raise (Loop_continue_exc void))
               end with Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end))
  { (JC_21: (integer_of_int32(result) = neg_int((1)))) }

let find_array_safety =
 fun (arr_1 : intP pointer) (length_1 : int32) (query : int32) (intP_arr_3_alloc_table : intP alloc_table) (intP_intM_arr_3 : (intP, int32) memory) ->
  { (JC_11:
    ((JC_7: sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3))
    and ((JC_8: ge_int(integer_of_int32(length_1), (0)))
        and ((JC_9: le_int(offset_min(intP_arr_3_alloc_table, arr_1), (0)))
            and (JC_10:
                ge_int(offset_max(intP_arr_3_alloc_table, arr_1),
                sub_int(integer_of_int32(length_1), (1)))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let low = ref (any_int32 void) in
     (let high = ref (any_int32 void) in
     (let mean = ref (any_int32 void) in
     (let __retres = ref (any_int32 void) in
     try
      begin
        try
         begin
           (let _jessie_ = (low := (safe_int32_of_integer_ (0))) in void);
          (let _jessie_ =
          (high := (JC_23:
                   (int32_of_integer_ ((sub_int (integer_of_int32 length_1)) (1))))) in
          void);
          (loop_1:
          begin
            while true do
            { invariant (JC_29: true)
              variant (JC_39 : sub_int(integer_of_int32(high),
                               integer_of_int32(low))) }
             begin
               [ { } unit reads high,low
                 { ((JC_24:
                    (forall i_4:int.
                     ((lt_int(integer_of_int32(high), i_4)
                      and lt_int(i_4, integer_of_int32(length_1))) ->
                      gt_int(integer_of_int32(select(intP_intM_arr_3,
                                              shift(arr_1, i_4))),
                      integer_of_int32(query)))))
                   and ((JC_25:
                        (forall i_3:int.
                         ((le_int((0), i_3)
                          and lt_int(i_3, integer_of_int32(low))) ->
                          lt_int(integer_of_int32(select(intP_intM_arr_3,
                                                  shift(arr_1, i_3))),
                          integer_of_int32(query)))))
                       and ((JC_26:
                            lt_int(integer_of_int32(high),
                            integer_of_int32(length_1)))
                           and (JC_27: le_int((0), integer_of_int32(low)))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((le_int_ (integer_of_int32 !low)) (integer_of_int32 !high))
                   then void else (raise (Goto_while_0_break_exc void)));
                  (let _jessie_ =
                  (mean := (JC_34:
                           (int32_of_integer_ ((add_int (integer_of_int32 !low)) 
                                               (integer_of_int32 (JC_33:
                                                                 (int32_of_integer_ 
                                                                  (JC_32:
                                                                  ((computer_div_ 
                                                                    (integer_of_int32 
                                                                    (JC_31:
                                                                    (int32_of_integer_ 
                                                                    ((sub_int 
                                                                    (integer_of_int32 !high)) 
                                                                    (integer_of_int32 !low)))))) (2)))))))))) in
                  void);
                  (if ((eq_int_ (integer_of_int32 (JC_35:
                                                  ((((offset_acc_ intP_arr_3_alloc_table) intP_intM_arr_3) arr_1) 
                                                   (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (let _jessie_ = (__retres := !mean) in void);
                    (raise (Return_label_exc void)) end else void);
                  (if ((lt_int_ (integer_of_int32 (JC_36:
                                                  ((((offset_acc_ intP_arr_3_alloc_table) intP_intM_arr_3) arr_1) 
                                                   (integer_of_int32 !mean))))) 
                       (integer_of_int32 query))
                  then
                   begin
                     (low := (JC_37:
                             (int32_of_integer_ ((add_int (integer_of_int32 !mean)) (1)))));
                    !low end
                  else
                   begin
                     (high := (JC_38:
                              (int32_of_integer_ ((sub_int (integer_of_int32 !mean)) (1)))));
                    !high end) end in void); (raise (Loop_continue_exc void))
               end with Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ ->
         (let _jessie_ =
         (while_0_break:
         begin
           void; (__retres := (safe_int32_of_integer_ (neg_int (1))));
          !__retres end) in void) end; (raise (Return_label_exc void)) end
      with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end))));
    absurd  end with Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/find_array.why
========== file tests/c/find_array.jessie/why/find_array_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

logic intP_tag : intP tag_id

axiom intP_int: (int_of_tag(intP_tag) = 1)

logic intP_of_pointer_address : unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr:
  (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom: parenttag(intP_tag, bottom_tag)

axiom intP_tags:
  (forall x:intP pointer.
    (forall intP_tag_table:intP tag_table. instanceof(intP_tag_table, x,
      intP_tag)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_intP(p: intP pointer, a: int,
  intP_alloc_table: intP alloc_table) = (offset_min(intP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

predicate mem(elt: int32, arr_0: intP pointer, length_0: int,
  intP_intM_arr_0_2_at_L: (intP, int32) memory) =
  (exists i_2:int.
    ((0 <= i_2) and
     ((i_2 < length_0) and (integer_of_int32(select(intP_intM_arr_0_2_at_L,
      shift(arr_0, i_2))) = integer_of_int32(elt)))))

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_intP(p: intP pointer, b: int,
  intP_alloc_table: intP alloc_table) = (offset_max(intP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate sorted(arr: intP pointer, length: int, intP_intM_arr_1_at_L: (intP,
  int32) memory) =
  (forall i_1:int.
    (forall j_0:int.
      (((0 <= i_1) and ((i_1 <= j_0) and (j_0 < length))) ->
       (integer_of_int32(select(intP_intM_arr_1_at_L, shift(arr,
       i_1))) <= integer_of_int32(select(intP_intM_arr_1_at_L, shift(arr,
       j_0)))))))

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal find_array_ensures_default_po_1:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall i_4:int.
  ((integer_of_int32(high) < i_4) and (i_4 < integer_of_int32(length_1))) ->
  ("JC_40": (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
  i_4))) > integer_of_int32(query)))

goal find_array_ensures_default_po_2:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall i_3:int.
  ((0 <= i_3) and (i_3 < integer_of_int32(low))) ->
  ("JC_41": (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
  i_3))) < integer_of_int32(query)))

goal find_array_ensures_default_po_3:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  ("JC_42": (integer_of_int32(high) < integer_of_int32(length_1)))

goal find_array_ensures_default_po_4:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  ("JC_43": (0 <= integer_of_int32(low)))

goal find_array_ensures_default_po_5:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  (("JC_40":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_41":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_42": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_43": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(low0) + integer_of_int32(result2))) ->
  forall mean:int32.
  (mean = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result4) <> integer_of_int32(query)) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) < integer_of_int32(query)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(mean) + 1)) ->
  forall low1:int32.
  (low1 = result6) ->
  forall i_4:int.
  ((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
  ("JC_40": (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
  i_4))) > integer_of_int32(query)))

goal find_array_ensures_default_po_6:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  (("JC_40":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_41":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_42": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_43": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(low0) + integer_of_int32(result2))) ->
  forall mean:int32.
  (mean = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result4) <> integer_of_int32(query)) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) < integer_of_int32(query)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(mean) + 1)) ->
  forall low1:int32.
  (low1 = result6) ->
  forall i_3:int.
  ((0 <= i_3) and (i_3 < integer_of_int32(low1))) ->
  ("JC_41": (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
  i_3))) < integer_of_int32(query)))

goal find_array_ensures_default_po_7:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  (("JC_40":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_41":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_42": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_43": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(low0) + integer_of_int32(result2))) ->
  forall mean:int32.
  (mean = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result4) <> integer_of_int32(query)) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) < integer_of_int32(query)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(mean) + 1)) ->
  forall low1:int32.
  (low1 = result6) ->
  ("JC_42": (integer_of_int32(high0) < integer_of_int32(length_1)))

goal find_array_ensures_default_po_8:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  (("JC_40":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_41":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_42": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_43": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(low0) + integer_of_int32(result2))) ->
  forall mean:int32.
  (mean = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result4) <> integer_of_int32(query)) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) < integer_of_int32(query)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(mean) + 1)) ->
  forall low1:int32.
  (low1 = result6) ->
  ("JC_43": (0 <= integer_of_int32(low1)))

goal find_array_ensures_default_po_9:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  (("JC_40":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_41":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_42": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_43": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(low0) + integer_of_int32(result2))) ->
  forall mean:int32.
  (mean = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result4) <> integer_of_int32(query)) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) >= integer_of_int32(query)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(mean) - 1)) ->
  forall high1:int32.
  (high1 = result6) ->
  forall i_4:int.
  ((integer_of_int32(high1) < i_4) and (i_4 < integer_of_int32(length_1))) ->
  ("JC_40": (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
  i_4))) > integer_of_int32(query)))

goal find_array_ensures_default_po_10:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  (("JC_40":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_41":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_42": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_43": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(low0) + integer_of_int32(result2))) ->
  forall mean:int32.
  (mean = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result4) <> integer_of_int32(query)) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) >= integer_of_int32(query)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(mean) - 1)) ->
  forall high1:int32.
  (high1 = result6) ->
  forall i_3:int.
  ((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
  ("JC_41": (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
  i_3))) < integer_of_int32(query)))

goal find_array_ensures_default_po_11:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  (("JC_40":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_41":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_42": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_43": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(low0) + integer_of_int32(result2))) ->
  forall mean:int32.
  (mean = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result4) <> integer_of_int32(query)) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) >= integer_of_int32(query)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(mean) - 1)) ->
  forall high1:int32.
  (high1 = result6) ->
  ("JC_42": (integer_of_int32(high1) < integer_of_int32(length_1)))

goal find_array_ensures_default_po_12:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  (("JC_40":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_41":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_42": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_43": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(low0) + integer_of_int32(result2))) ->
  forall mean:int32.
  (mean = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result4) <> integer_of_int32(query)) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) >= integer_of_int32(query)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(mean) - 1)) ->
  forall high1:int32.
  (high1 = result6) ->
  ("JC_43": (0 <= integer_of_int32(low0)))

goal find_array_ensures_exists_po_1:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  (mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3) and
   ("JC_11":
   (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
    (("JC_8": (integer_of_int32(length_1) >= 0)) and
     (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
      ("JC_10": (offset_max(intP_arr_3_alloc_table,
      arr_1) >= (integer_of_int32(length_1) - 1)))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_53": true) ->
  (("JC_48":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_49":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_50": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_51": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(low0) + integer_of_int32(result2))) ->
  forall mean:int32.
  (mean = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result4) = integer_of_int32(query)) ->
  forall __retres:int32.
  (__retres = mean) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_19": (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(return)))) = integer_of_int32(query)))

goal find_array_ensures_exists_po_2:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  (mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3) and
   ("JC_11":
   (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
    (("JC_8": (integer_of_int32(length_1) >= 0)) and
     (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
      ("JC_10": (offset_max(intP_arr_3_alloc_table,
      arr_1) >= (integer_of_int32(length_1) - 1)))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_53": true) ->
  (("JC_48":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_49":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_50": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_51": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) > integer_of_int32(high0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (-1)) ->
  forall __retres:int32.
  (__retres = result1) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_19": (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(return)))) = integer_of_int32(query)))

goal find_array_ensures_not_exists_po_1:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ((not mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   ("JC_11":
   (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
    (("JC_8": (integer_of_int32(length_1) >= 0)) and
     (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
      ("JC_10": (offset_max(intP_arr_3_alloc_table,
      arr_1) >= (integer_of_int32(length_1) - 1)))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_61": true) ->
  (("JC_56":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_57":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_58": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_59": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  forall result2:int32.
  (integer_of_int32(result2) = computer_div(integer_of_int32(result1), 2)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(low0) + integer_of_int32(result2))) ->
  forall mean:int32.
  (mean = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result4) = integer_of_int32(query)) ->
  forall __retres:int32.
  (__retres = mean) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_21": (integer_of_int32(return) = (-1)))

goal find_array_ensures_not_exists_po_2:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ((not mem(query, arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   ("JC_11":
   (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
    (("JC_8": (integer_of_int32(length_1) >= 0)) and
     (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
      ("JC_10": (offset_max(intP_arr_3_alloc_table,
      arr_1) >= (integer_of_int32(length_1) - 1)))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_61": true) ->
  (("JC_56":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_57":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_58": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_59": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) > integer_of_int32(high0)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (-1)) ->
  forall __retres:int32.
  (__retres = result1) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_21": (integer_of_int32(return) = (-1)))

goal find_array_safety_po_1:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  ((-2147483648) <= (integer_of_int32(length_1) - 1))

goal find_array_safety_po_2:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  ((integer_of_int32(length_1) - 1) <= 2147483647)

goal find_array_safety_po_3:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  ((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0)))

goal find_array_safety_po_4:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)

goal find_array_safety_po_5:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0)

goal find_array_safety_po_6:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  ((-2147483648) <= result2)

goal find_array_safety_po_7:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (result2 <= 2147483647)

goal find_array_safety_po_8:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  ((-2147483648) <= (integer_of_int32(low0) + integer_of_int32(result3)))

goal find_array_safety_po_9:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  ((integer_of_int32(low0) + integer_of_int32(result3)) <= 2147483647)

goal find_array_safety_po_10:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(low0) + integer_of_int32(result3))) and
   ((integer_of_int32(low0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(low0) + integer_of_int32(result3))) ->
  forall mean:int32.
  (mean = result4) ->
  (offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean))

goal find_array_safety_po_11:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(low0) + integer_of_int32(result3))) and
   ((integer_of_int32(low0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(low0) + integer_of_int32(result3))) ->
  forall mean:int32.
  (mean = result4) ->
  (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))

goal find_array_safety_po_12:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(low0) + integer_of_int32(result3))) and
   ((integer_of_int32(low0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(low0) + integer_of_int32(result3))) ->
  forall mean:int32.
  (mean = result4) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) <> integer_of_int32(query)) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result6:int32.
  (result6 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result6) < integer_of_int32(query)) ->
  ((-2147483648) <= (integer_of_int32(mean) + 1))

goal find_array_safety_po_13:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(low0) + integer_of_int32(result3))) and
   ((integer_of_int32(low0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(low0) + integer_of_int32(result3))) ->
  forall mean:int32.
  (mean = result4) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) <> integer_of_int32(query)) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result6:int32.
  (result6 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result6) < integer_of_int32(query)) ->
  ((integer_of_int32(mean) + 1) <= 2147483647)

goal find_array_safety_po_14:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(low0) + integer_of_int32(result3))) and
   ((integer_of_int32(low0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(low0) + integer_of_int32(result3))) ->
  forall mean:int32.
  (mean = result4) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) <> integer_of_int32(query)) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result6:int32.
  (result6 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result6) < integer_of_int32(query)) ->
  (((-2147483648) <= (integer_of_int32(mean) + 1)) and
   ((integer_of_int32(mean) + 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(mean) + 1)) ->
  forall low1:int32.
  (low1 = result7) ->
  (0 <= ("JC_39": (integer_of_int32(high0) - integer_of_int32(low0))))

goal find_array_safety_po_15:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(low0) + integer_of_int32(result3))) and
   ((integer_of_int32(low0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(low0) + integer_of_int32(result3))) ->
  forall mean:int32.
  (mean = result4) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) <> integer_of_int32(query)) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result6:int32.
  (result6 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result6) < integer_of_int32(query)) ->
  (((-2147483648) <= (integer_of_int32(mean) + 1)) and
   ((integer_of_int32(mean) + 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(mean) + 1)) ->
  forall low1:int32.
  (low1 = result7) ->
  (("JC_39": (integer_of_int32(high0) - integer_of_int32(low1))) < ("JC_39":
                                                                   (integer_of_int32(high0) - integer_of_int32(low0))))

goal find_array_safety_po_16:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(low0) + integer_of_int32(result3))) and
   ((integer_of_int32(low0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(low0) + integer_of_int32(result3))) ->
  forall mean:int32.
  (mean = result4) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) <> integer_of_int32(query)) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result6:int32.
  (result6 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result6) >= integer_of_int32(query)) ->
  ((-2147483648) <= (integer_of_int32(mean) - 1))

goal find_array_safety_po_17:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(low0) + integer_of_int32(result3))) and
   ((integer_of_int32(low0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(low0) + integer_of_int32(result3))) ->
  forall mean:int32.
  (mean = result4) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) <> integer_of_int32(query)) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result6:int32.
  (result6 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result6) >= integer_of_int32(query)) ->
  ((integer_of_int32(mean) - 1) <= 2147483647)

goal find_array_safety_po_18:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(low0) + integer_of_int32(result3))) and
   ((integer_of_int32(low0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(low0) + integer_of_int32(result3))) ->
  forall mean:int32.
  (mean = result4) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) <> integer_of_int32(query)) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result6:int32.
  (result6 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result6) >= integer_of_int32(query)) ->
  (((-2147483648) <= (integer_of_int32(mean) - 1)) and
   ((integer_of_int32(mean) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(mean) - 1)) ->
  forall high1:int32.
  (high1 = result7) ->
  (0 <= ("JC_39": (integer_of_int32(high0) - integer_of_int32(low0))))

goal find_array_safety_po_19:
  forall arr_1:intP pointer.
  forall length_1:int32.
  forall query:int32.
  forall intP_arr_3_alloc_table:intP alloc_table.
  forall intP_intM_arr_3:(intP,
  int32) memory.
  ("JC_11":
  (("JC_7": sorted(arr_1, integer_of_int32(length_1), intP_intM_arr_3)) and
   (("JC_8": (integer_of_int32(length_1) >= 0)) and
    (("JC_9": (offset_min(intP_arr_3_alloc_table, arr_1) <= 0)) and
     ("JC_10": (offset_max(intP_arr_3_alloc_table,
     arr_1) >= (integer_of_int32(length_1) - 1))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall low:int32.
  (low = result) ->
  (((-2147483648) <= (integer_of_int32(length_1) - 1)) and
   ((integer_of_int32(length_1) - 1) <= 2147483647)) ->
  forall result0:int32.
  (integer_of_int32(result0) = (integer_of_int32(length_1) - 1)) ->
  forall high:int32.
  (high = result0) ->
  forall high0:int32.
  forall low0:int32.
  ("JC_29": true) ->
  (("JC_24":
   (forall i_4:int.
     (((integer_of_int32(high0) < i_4) and (i_4 < integer_of_int32(length_1))) ->
      (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
      i_4))) > integer_of_int32(query))))) and
   (("JC_25":
    (forall i_3:int.
      (((0 <= i_3) and (i_3 < integer_of_int32(low0))) ->
       (integer_of_int32(select(intP_intM_arr_3, shift(arr_1,
       i_3))) < integer_of_int32(query))))) and
    (("JC_26": (integer_of_int32(high0) < integer_of_int32(length_1))) and
     ("JC_27": (0 <= integer_of_int32(low0)))))) ->
  (integer_of_int32(low0) <= integer_of_int32(high0)) ->
  (((-2147483648) <= (integer_of_int32(high0) - integer_of_int32(low0))) and
   ((integer_of_int32(high0) - integer_of_int32(low0)) <= 2147483647)) ->
  forall result1:int32.
  (integer_of_int32(result1) = (integer_of_int32(high0) - integer_of_int32(low0))) ->
  (2 <> 0) ->
  forall result2:int.
  (result2 = computer_div(integer_of_int32(result1), 2)) ->
  (((-2147483648) <= result2) and (result2 <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = result2) ->
  (((-2147483648) <= (integer_of_int32(low0) + integer_of_int32(result3))) and
   ((integer_of_int32(low0) + integer_of_int32(result3)) <= 2147483647)) ->
  forall result4:int32.
  (integer_of_int32(result4) = (integer_of_int32(low0) + integer_of_int32(result3))) ->
  forall mean:int32.
  (mean = result4) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result5:int32.
  (result5 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result5) <> integer_of_int32(query)) ->
  ((offset_min(intP_arr_3_alloc_table, arr_1) <= integer_of_int32(mean)) and
   (integer_of_int32(mean) <= offset_max(intP_arr_3_alloc_table, arr_1))) ->
  forall result6:int32.
  (result6 = select(intP_intM_arr_3, shift(arr_1,
  integer_of_int32(mean)))) ->
  (integer_of_int32(result6) >= integer_of_int32(query)) ->
  (((-2147483648) <= (integer_of_int32(mean) - 1)) and
   ((integer_of_int32(mean) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(mean) - 1)) ->
  forall high1:int32.
  (high1 = result7) ->
  (("JC_39": (integer_of_int32(high1) - integer_of_int32(low0))) < ("JC_39":
                                                                   (integer_of_int32(high0) - integer_of_int32(low0))))

why-2.34/tests/c/oracle/binary_search.err.oracle0000644000175000017500000000000012311670312020223 0ustar  rtuserswhy-2.34/tests/c/oracle/eps_line2.res.oracle0000644000175000017500000036752312311670312017325 0ustar  rtusers========== file tests/c/eps_line2.c ==========

#pragma JessieFloatModel(multirounding)

#define E 0x1.90641p-45

//@ logic integer l_sign(real x) = (x >= 0.0) ? 1 : -1;

/*@ requires e1<= x-\exact(x) <= e2;
  @ ensures  (\result != 0 ==> \result == l_sign(\exact(x))) &&
  @          \abs(\result) <= 1 ;
  @*/
int sign(double x, double e1, double e2) {

  if (x > e2)
    return 1;
  if (x < e1)
    return -1;
  return 0;
}

/*@ requires
  @   sx == \exact(sx)  && sy == \exact(sy) &&
  @   vx == \exact(vx)  && vy == \exact(vy) &&
  @   \abs(sx) <= 100.0 && \abs(sy) <= 100.0 &&
  @   \abs(vx) <= 1.0   && \abs(vy) <= 1.0;
  @ ensures
  @    \result != 0
  @      ==> \result == l_sign(\exact(sx)*\exact(vx)+\exact(sy)*\exact(vy))
  @            * l_sign(\exact(sx)*\exact(vy)-\exact(sy)*\exact(vx));
  @*/
int eps_line(double sx, double sy,double vx, double vy){
  int s1,s2;

  s1=sign(sx*vx+sy*vy, -E, E);
  s2=sign(sx*vy-sy*vx, -E, E);

  return s1*s2;
}

/*
Local Variables:
compile-command: "LC_ALL=C make eps_line2.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/eps_line2.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/eps_line2.jessie
[jessie] File tests/c/eps_line2.jessie/eps_line2.jc written.
[jessie] File tests/c/eps_line2.jessie/eps_line2.cloc written.
========== file tests/c/eps_line2.jessie/eps_line2.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol
# FloatModel = multirounding

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

logic integer l_sign(real x) =
(if (x >= 0.0) then 1 else (- 1))

int32 sign(double x, double e1, double e2)
  requires (_C_7 : ((_C_8 : ((e1 :> real) <=
                              ((x :> real) - \double_exact(x)))) &&
                     (_C_9 : (((x :> real) - \double_exact(x)) <=
                               (e2 :> real)))));
behavior default:
  ensures (_C_4 : ((_C_5 : ((\result != 0) ==>
                             (\result == l_sign(\double_exact(\at(x,Old)))))) &&
                    (_C_6 : (\integer_abs(\result) <= 1))));
{  
   (var int32 __retres);
   
   {  (if (x > e2) then 
      {  (_C_1 : (__retres = 1));
         
         (goto return_label)
      } else ());
      (if (x < e1) then 
      {  (_C_2 : (__retres = -1));
         
         (goto return_label)
      } else ());
      (_C_3 : (__retres = 0));
      (return_label : 
      (return __retres))
   }
}

int32 eps_line(double sx, double sy, double vx, double vy)
  requires (_C_26 : ((((((((_C_33 : ((sx :> real) == \double_exact(sx))) &&
                            (_C_34 : ((sy :> real) == \double_exact(sy)))) &&
                           (_C_35 : ((vx :> real) == \double_exact(vx)))) &&
                          (_C_36 : ((vy :> real) == \double_exact(vy)))) &&
                         (_C_37 : (\real_abs((sx :> real)) <= 100.0))) &&
                        (_C_38 : (\real_abs((sy :> real)) <= 100.0))) &&
                       (_C_39 : (\real_abs((vx :> real)) <= 1.0))) &&
                      (_C_40 : (\real_abs((vy :> real)) <= 1.0))));
behavior default:
  ensures (_C_25 : ((\result != 0) ==>
                     (\result ==
                       (l_sign(((\double_exact(\at(sx,Old)) *
                                  \double_exact(\at(vx,Old))) +
                                 (\double_exact(\at(sy,Old)) *
                                   \double_exact(\at(vy,Old))))) *
                         l_sign(((\double_exact(\at(sx,Old)) *
                                   \double_exact(\at(vy,Old))) -
                                  (\double_exact(\at(sy,Old)) *
                                    \double_exact(\at(vx,Old)))))))));
{  
   (var int32 s1);
   
   (var int32 s2);
   
   (var int32 __retres_0);
   
   {  (_C_15 : (s1 = (_C_14 : sign((_C_12 : ((_C_11 : (sx * vx)) +
                                              (_C_10 : (sy * vy)))),
                                   (_C_13 : (- (0x1.90641p-45 :> double))),
                                   (0x1.90641p-45 :> double)))));
      (_C_21 : (s2 = (_C_20 : sign((_C_18 : ((_C_17 : (sx * vy)) -
                                              (_C_16 : (sy * vx)))),
                                   (_C_19 : (- (0x1.90641p-45 :> double))),
                                   (0x1.90641p-45 :> double)))));
      (_C_24 : (__retres_0 = (_C_23 : ((_C_22 : (s1 * s2)) :> int32))));
      
      (return __retres_0)
   }
}
========== file tests/c/eps_line2.jessie/eps_line2.cloc ==========
[sign]
name = "Function sign"
file = "HOME/tests/c/eps_line2.c"
line = 12
begin = 4
end = 8

[_C_35]
file = "HOME/tests/c/eps_line2.c"
line = 23
begin = 6
end = 22

[_C_28]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 6
end = 136

[_C_31]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 6
end = 68

[_C_4]
file = "HOME/tests/c/eps_line2.c"
line = 9
begin = 12
end = 94

[_C_32]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 6
end = 42

[_C_23]
file = "HOME/tests/c/eps_line2.c"
line = 37
begin = 9
end = 14

[_C_19]
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 24
end = 37

[_C_13]
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 24
end = 37

[_C_5]
file = "HOME/tests/c/eps_line2.c"
line = 9
begin = 12
end = 59

[_C_36]
file = "HOME/tests/c/eps_line2.c"
line = 23
begin = 26
end = 42

[_C_12]
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 10
end = 21

[_C_33]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 6
end = 22

[_C_22]
file = "HOME/tests/c/eps_line2.c"
line = 37
begin = 9
end = 14

[_C_9]
file = "HOME/tests/c/eps_line2.c"
line = 8
begin = 18
end = 35

[_C_30]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 6
end = 88

[_C_6]
file = "HOME/tests/c/eps_line2.c"
line = 10
begin = 13
end = 31

[_C_24]
file = "HOME/tests/c/eps_line2.c"
line = 37
begin = 2
end = 15

[_C_20]
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 5
end = 53

[_C_38]
file = "HOME/tests/c/eps_line2.c"
line = 24
begin = 27
end = 44

[_C_3]
file = "HOME/tests/c/eps_line2.c"
line = 18
begin = 2
end = 11

[_C_17]
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 10
end = 15

[_C_7]
file = "HOME/tests/c/eps_line2.c"
line = 8
begin = 13
end = 35

[_C_27]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 6
end = 161

[_C_15]
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 5
end = 53

[_C_26]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 6
end = 180

[_C_10]
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 16
end = 21

[_C_40]
file = "HOME/tests/c/eps_line2.c"
line = 25
begin = 25
end = 40

[_C_8]
file = "HOME/tests/c/eps_line2.c"
line = 8
begin = 13
end = 29

[_C_18]
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 10
end = 21

[_C_29]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 6
end = 115

[_C_14]
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 5
end = 53

[_C_37]
file = "HOME/tests/c/eps_line2.c"
line = 24
begin = 6
end = 23

[_C_2]
file = "HOME/tests/c/eps_line2.c"
line = 17
begin = 4
end = 14

[_C_34]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 26
end = 42

[_C_16]
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 16
end = 21

[eps_line]
name = "Function eps_line"
file = "HOME/tests/c/eps_line2.c"
line = 31
begin = 4
end = 12

[_C_1]
file = "HOME/tests/c/eps_line2.c"
line = 15
begin = 4
end = 13

[_C_25]
file = "HOME/tests/c/eps_line2.c"
line = 27
begin = 7
end = 164

[_C_39]
file = "HOME/tests/c/eps_line2.c"
line = 25
begin = 6
end = 21

[_C_11]
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 10
end = 15

[_C_21]
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 5
end = 53

========== jessie execution ==========
Generating Why function sign
Generating Why function eps_line
========== file tests/c/eps_line2.jessie/eps_line2.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs eps_line2.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs eps_line2.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_multi_rounding.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/eps_line2_why.sx

project: why/eps_line2.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/eps_line2_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/eps_line2_why.vo

coq/eps_line2_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/eps_line2_why.v: why/eps_line2.why
	@echo 'why -coq [...] why/eps_line2.why' && $(WHY) $(JESSIELIBFILES) why/eps_line2.why && rm -f coq/jessie_why.v

coq-goals: goals coq/eps_line2_ctx_why.vo
	for f in why/*_po*.why; do make -f eps_line2.makefile coq/`basename $$f .why`_why.v ; done

coq/eps_line2_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/eps_line2_ctx_why.v: why/eps_line2_ctx.why
	@echo 'why -coq [...] why/eps_line2_ctx.why' && $(WHY) why/eps_line2_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export eps_line2_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/eps_line2_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/eps_line2_ctx_why.vo

pvs: pvs/eps_line2_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/eps_line2_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/eps_line2_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/eps_line2_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/eps_line2_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/eps_line2_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/eps_line2_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/eps_line2_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/eps_line2_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/eps_line2_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/eps_line2_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/eps_line2_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/eps_line2_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/eps_line2_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/eps_line2_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: eps_line2.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/eps_line2_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: eps_line2.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: eps_line2.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: eps_line2.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include eps_line2.depend

depend: coq/eps_line2_why.v
	-$(COQDEP) -I coq coq/eps_line2*_why.v > eps_line2.depend

clean:
	rm -f coq/*.vo

========== file tests/c/eps_line2.jessie/eps_line2.loc ==========
[JC_63]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 16
end = 21

[JC_51]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 10
end = 15

[JC_45]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 16
end = 21

[JC_64]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 10
end = 21

[eps_line_safety]
name = "Function eps_line"
behavior = "Safety"
file = "HOME/tests/c/eps_line2.c"
line = 31
begin = 4
end = 12

[JC_31]
file = "HOME/tests/c/eps_line2.c"
line = 24
begin = 6
end = 23

[JC_17]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 6
end = 22

[JC_55]
kind = ArithOverflow
file = "HOME/tests/c/eps_line2.c"
line = 37
begin = 9
end = 14

[JC_48]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.jessie/eps_line2.jc"
line = 102
begin = 35
end = 60

[JC_23]
file = "HOME/tests/c/eps_line2.c"
line = 25
begin = 6
end = 21

[JC_22]
file = "HOME/tests/c/eps_line2.c"
line = 24
begin = 27
end = 44

[JC_5]
file = "HOME/tests/c/eps_line2.c"
line = 8
begin = 13
end = 29

[JC_9]
file = "HOME/tests/c/eps_line2.c"
line = 9
begin = 12
end = 59

[JC_24]
file = "HOME/tests/c/eps_line2.c"
line = 25
begin = 25
end = 40

[JC_25]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 6
end = 180

[JC_41]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.jessie/eps_line2.jc"
line = 98
begin = 35
end = 60

[JC_47]
kind = UserCall
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 5
end = 53

[JC_52]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 16
end = 21

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
kind = UserCall
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 5
end = 53

[JC_13]
file = "HOME/tests/c/eps_line2.c"
line = 10
begin = 13
end = 31

[JC_11]
file = "HOME/tests/c/eps_line2.c"
line = 9
begin = 12
end = 94

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/"
line = 0
begin = -1
end = -1

[sign_ensures_default]
name = "Function sign"
behavior = "default behavior"
file = "HOME/tests/c/eps_line2.c"
line = 12
begin = 4
end = 8

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_35]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 6
end = 180

[sign_safety]
name = "Function sign"
behavior = "Safety"
file = "HOME/tests/c/eps_line2.c"
line = 12
begin = 4
end = 8

[JC_27]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 6
end = 22

[JC_38]
file = "HOME/tests/c/eps_line2.c"
line = 27
begin = 7
end = 164

[JC_12]
file = "HOME/tests/c/eps_line2.c"
line = 9
begin = 12
end = 59

[JC_6]
file = "HOME/tests/c/eps_line2.c"
line = 8
begin = 18
end = 35

[JC_44]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 10
end = 15

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 10
end = 15

[JC_42]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.jessie/eps_line2.jc"
line = 97
begin = 47
end = 72

[JC_46]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 10
end = 21

[JC_61]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 24
end = 37

[JC_32]
file = "HOME/tests/c/eps_line2.c"
line = 24
begin = 27
end = 44

[JC_56]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 24
end = 37

[JC_33]
file = "HOME/tests/c/eps_line2.c"
line = 25
begin = 6
end = 21

[JC_65]
kind = UserCall
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 5
end = 53

[JC_29]
file = "HOME/tests/c/eps_line2.c"
line = 23
begin = 6
end = 22

[JC_7]
file = "HOME/tests/c/eps_line2.c"
line = 8
begin = 13
end = 35

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 24
end = 37

[JC_2]
file = "HOME/tests/c/eps_line2.c"
line = 8
begin = 18
end = 35

[JC_34]
file = "HOME/tests/c/eps_line2.c"
line = 25
begin = 25
end = 40

[JC_14]
file = "HOME/tests/c/eps_line2.c"
line = 9
begin = 12
end = 94

[JC_53]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 10
end = 21

[JC_21]
file = "HOME/tests/c/eps_line2.c"
line = 24
begin = 6
end = 23

[JC_49]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.jessie/eps_line2.jc"
line = 101
begin = 47
end = 72

[JC_1]
file = "HOME/tests/c/eps_line2.c"
line = 8
begin = 13
end = 29

[JC_37]
file = "HOME/tests/c/eps_line2.c"
line = 27
begin = 7
end = 164

[JC_10]
file = "HOME/tests/c/eps_line2.c"
line = 10
begin = 13
end = 31

[JC_57]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 10
end = 15

[JC_59]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 10
end = 21

[JC_20]
file = "HOME/tests/c/eps_line2.c"
line = 23
begin = 26
end = 42

[JC_18]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 26
end = 42

[JC_3]
file = "HOME/tests/c/eps_line2.c"
line = 8
begin = 13
end = 35

[JC_60]
kind = UserCall
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 5
end = 53

[JC_19]
file = "HOME/tests/c/eps_line2.c"
line = 23
begin = 6
end = 22

[JC_50]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 35
begin = 24
end = 37

[JC_30]
file = "HOME/tests/c/eps_line2.c"
line = 23
begin = 26
end = 42

[eps_line_ensures_default]
name = "Function eps_line"
behavior = "default behavior"
file = "HOME/tests/c/eps_line2.c"
line = 31
begin = 4
end = 12

[JC_58]
kind = FPOverflow
file = "HOME/tests/c/eps_line2.c"
line = 34
begin = 16
end = 21

[JC_28]
file = "HOME/tests/c/eps_line2.c"
line = 22
begin = 26
end = 42

========== file tests/c/eps_line2.jessie/why/eps_line2.why ==========
type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

function l_sign(x_0:real) : int =
 (if ge_real_bool(x_0, 0.0) then (1) else neg_int((1)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter eps_line :
 sx:double ->
  sy:double ->
   vx:double ->
    vy:double ->
     { } int32
     { (JC_38:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = mul_int(l_sign(add_real(mul_real(
                                                            double_exact(sx),
                                                            double_exact(vx)),
                                                   mul_real(double_exact(sy),
                                                   double_exact(vy)))),
                                    l_sign(sub_real(mul_real(double_exact(sx),
                                                    double_exact(vy)),
                                           mul_real(double_exact(sy),
                                           double_exact(vx)))))))) }

parameter eps_line_requires :
 sx:double ->
  sy:double ->
   vx:double ->
    vy:double ->
     { (JC_25:
       ((JC_17: (double_value(sx) = double_exact(sx)))
       and ((JC_18: (double_value(sy) = double_exact(sy)))
           and ((JC_19: (double_value(vx) = double_exact(vx)))
               and ((JC_20: (double_value(vy) = double_exact(vy)))
                   and ((JC_21: le_real(abs_real(double_value(sx)), 100.0))
                       and ((JC_22:
                            le_real(abs_real(double_value(sy)), 100.0))
                           and ((JC_23:
                                le_real(abs_real(double_value(vx)), 1.0))
                               and (JC_24:
                                   le_real(abs_real(double_value(vy)), 1.0))))))))))}
     int32
     { (JC_38:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = mul_int(l_sign(add_real(mul_real(
                                                            double_exact(sx),
                                                            double_exact(vx)),
                                                   mul_real(double_exact(sy),
                                                   double_exact(vy)))),
                                    l_sign(sub_real(mul_real(double_exact(sx),
                                                    double_exact(vy)),
                                           mul_real(double_exact(sy),
                                           double_exact(vx)))))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter sign :
 x_1:double ->
  e1:double ->
   e2:double ->
    { } int32
    { (JC_14:
      ((JC_12:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = l_sign(double_exact(x_1)))))
      and (JC_13: le_int(abs_int(integer_of_int32(result)), (1))))) }

parameter sign_requires :
 x_1:double ->
  e1:double ->
   e2:double ->
    { (JC_3:
      ((JC_1:
       le_real(double_value(e1),
       sub_real(double_value(x_1), double_exact(x_1))))
      and (JC_2:
          le_real(sub_real(double_value(x_1), double_exact(x_1)),
          double_value(e2)))))}
    int32
    { (JC_14:
      ((JC_12:
       ((integer_of_int32(result) <> (0)) ->
        (integer_of_int32(result) = l_sign(double_exact(x_1)))))
      and (JC_13: le_int(abs_int(integer_of_int32(result)), (1))))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let eps_line_ensures_default =
 fun (sx : double) (sy : double) (vx : double) (vy : double) ->
  { (JC_35:
    ((JC_27: (double_value(sx) = double_exact(sx)))
    and ((JC_28: (double_value(sy) = double_exact(sy)))
        and ((JC_29: (double_value(vx) = double_exact(vx)))
            and ((JC_30: (double_value(vy) = double_exact(vy)))
                and ((JC_31: le_real(abs_real(double_value(sx)), 100.0))
                    and ((JC_32: le_real(abs_real(double_value(sy)), 100.0))
                        and ((JC_33:
                             le_real(abs_real(double_value(vx)), 1.0))
                            and (JC_34:
                                le_real(abs_real(double_value(vy)), 1.0)))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let s1_1 = ref (any_int32 void) in
     (let s2_1 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (s1_1 := (let _jessie_ =
                (JC_59:
                (((add_double_safe nearest_even) (JC_57:
                                                 (((mul_double_safe nearest_even) sx) vx))) 
                 (JC_58: (((mul_double_safe nearest_even) sy) vy)))) in
                (let _jessie_ =
                (JC_56:
                ((neg_double_safe nearest_even) ((double_of_real_safe nearest_even) 0x1.90641p-45))) in
                (let _jessie_ =
                ((double_of_real_safe nearest_even) 0x1.90641p-45) in
                (JC_60: (((sign _jessie_) _jessie_) _jessie_)))))) in
       void);
      (let _jessie_ =
      (s2_1 := (let _jessie_ =
               (JC_64:
               (((sub_double_safe nearest_even) (JC_62:
                                                (((mul_double_safe nearest_even) sx) vy))) 
                (JC_63: (((mul_double_safe nearest_even) sy) vx)))) in
               (let _jessie_ =
               (JC_61:
               ((neg_double_safe nearest_even) ((double_of_real_safe nearest_even) 0x1.90641p-45))) in
               (let _jessie_ =
               ((double_of_real_safe nearest_even) 0x1.90641p-45) in
               (JC_65: (((sign _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (__retres_0 := (safe_int32_of_integer_ ((mul_int (integer_of_int32 !s1_1)) 
                                              (integer_of_int32 !s2_1)))) in
      void); (return := !__retres_0); (raise Return) end))); absurd  end with
   Return -> !return end))
  { (JC_37:
    ((integer_of_int32(result) <> (0)) ->
     (integer_of_int32(result) = mul_int(l_sign(add_real(mul_real(double_exact(sx),
                                                         double_exact(vx)),
                                                mul_real(double_exact(sy),
                                                double_exact(vy)))),
                                 l_sign(sub_real(mul_real(double_exact(sx),
                                                 double_exact(vy)),
                                        mul_real(double_exact(sy),
                                        double_exact(vx)))))))) }

let eps_line_safety =
 fun (sx : double) (sy : double) (vx : double) (vy : double) ->
  { (JC_35:
    ((JC_27: (double_value(sx) = double_exact(sx)))
    and ((JC_28: (double_value(sy) = double_exact(sy)))
        and ((JC_29: (double_value(vx) = double_exact(vx)))
            and ((JC_30: (double_value(vy) = double_exact(vy)))
                and ((JC_31: le_real(abs_real(double_value(sx)), 100.0))
                    and ((JC_32: le_real(abs_real(double_value(sy)), 100.0))
                        and ((JC_33:
                             le_real(abs_real(double_value(vx)), 1.0))
                            and (JC_34:
                                le_real(abs_real(double_value(vy)), 1.0)))))))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let s1_1 = ref (any_int32 void) in
     (let s2_1 = ref (any_int32 void) in
     (let __retres_0 = ref (any_int32 void) in
     begin
       (let _jessie_ =
       (s1_1 := (let _jessie_ =
                (JC_46:
                (((add_double nearest_even) (JC_44:
                                            (((mul_double nearest_even) sx) vx))) 
                 (JC_45: (((mul_double nearest_even) sy) vy)))) in
                (let _jessie_ =
                (JC_43:
                ((neg_double nearest_even) (JC_42:
                                           ((double_of_real nearest_even) 0x1.90641p-45)))) in
                (let _jessie_ =
                (JC_41: ((double_of_real nearest_even) 0x1.90641p-45)) in
                (JC_47: (((sign_requires _jessie_) _jessie_) _jessie_)))))) in
       void);
      (let _jessie_ =
      (s2_1 := (let _jessie_ =
               (JC_53:
               (((sub_double nearest_even) (JC_51:
                                           (((mul_double nearest_even) sx) vy))) 
                (JC_52: (((mul_double nearest_even) sy) vx)))) in
               (let _jessie_ =
               (JC_50:
               ((neg_double nearest_even) (JC_49:
                                          ((double_of_real nearest_even) 0x1.90641p-45)))) in
               (let _jessie_ =
               (JC_48: ((double_of_real nearest_even) 0x1.90641p-45)) in
               (JC_54: (((sign_requires _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (__retres_0 := (JC_55:
                     (int32_of_integer_ ((mul_int (integer_of_int32 !s1_1)) 
                                         (integer_of_int32 !s2_1))))) in
      void); (return := !__retres_0); (raise Return) end))); absurd  end with
   Return -> !return end)) { true }

let sign_ensures_default =
 fun (x_1 : double) (e1 : double) (e2 : double) ->
  { (JC_7:
    ((JC_5:
     le_real(double_value(e1),
     sub_real(double_value(x_1), double_exact(x_1))))
    and (JC_6:
        le_real(sub_real(double_value(x_1), double_exact(x_1)),
        double_value(e2))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     try
      begin
        (if ((gt_double_ x_1) e2)
        then
         begin
           (let _jessie_ = (__retres := (safe_int32_of_integer_ (1))) in
           void); (raise (Return_label_exc void)) end else void);
       (if ((lt_double_ x_1) e1)
       then
        begin
          (let _jessie_ =
          (__retres := (safe_int32_of_integer_ (neg_int (1)))) in void);
         (raise (Return_label_exc void)) end else void);
       (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end);
    absurd  end with Return -> !return end))
  { (JC_11:
    ((JC_9:
     ((integer_of_int32(result) <> (0)) ->
      (integer_of_int32(result) = l_sign(double_exact(x_1)))))
    and (JC_10: le_int(abs_int(integer_of_int32(result)), (1))))) }

let sign_safety =
 fun (x_1 : double) (e1 : double) (e2 : double) ->
  { (JC_7:
    ((JC_5:
     le_real(double_value(e1),
     sub_real(double_value(x_1), double_exact(x_1))))
    and (JC_6:
        le_real(sub_real(double_value(x_1), double_exact(x_1)),
        double_value(e2))))) }
  (init:
  (let return = ref (any_int32 void) in
  try
   begin
     (let __retres = ref (any_int32 void) in
     try
      begin
        (if ((gt_double_ x_1) e2)
        then
         begin
           (let _jessie_ = (__retres := (safe_int32_of_integer_ (1))) in
           void); (raise (Return_label_exc void)) end else void);
       (if ((lt_double_ x_1) e1)
       then
        begin
          (let _jessie_ =
          (__retres := (safe_int32_of_integer_ (neg_int (1)))) in void);
         (raise (Return_label_exc void)) end else void);
       (let _jessie_ = (__retres := (safe_int32_of_integer_ (0))) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end);
    absurd  end with Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/eps_line2.why
========== file tests/c/eps_line2.jessie/why/eps_line2_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

logic cond_sub_double : mode, double, double -> int

axiom cond_sub_double_axiom1:
  (forall m:mode.
    (forall x:double.
      (forall y:double.
        ((abs_real((double_value(x) - double_value(y))) >= 0x1.p-1022) ->
         (cond_sub_double(m, x, y) = 1)))))

axiom cond_sub_double_axiom2:
  (forall m:mode.
    (forall x:double.
      (forall y:double.
        ((((0x1.p-1075 <= abs_real((double_value(x) - double_value(y)))) and
           (abs_real((double_value(x) - double_value(y))) <= 0x1.p-1022)) and
          ((abs_real((double_value(x) - double_value(y))) <> 0x1.p-1022) and
           (abs_real((double_value(x) - double_value(y))) <> 0x1.p-1075))) ->
         (cond_sub_double(m, x, y) = 2)))))

axiom cond_sub_double_axiom3:
  (forall m:mode.
    (forall x:double.
      (forall y:double.
        (((0.0 <= abs_real((double_value(x) - double_value(y)))) and
          (abs_real((double_value(x) - double_value(y))) <= 0x1.p-1075)) ->
         (cond_sub_double(m, x, y) = 3)))))

logic post_cond_sub_double : mode, double, double, double -> int

axiom post_cond_sub_double_axiom1:
  (forall m:mode.
    (forall x:double.
      (forall y:double.
        (forall result:double.
          ((post_cond_sub_double(m, x, y, result) = 1) ->
           (abs_real(div_real((double_value(result) - (double_value(x) - double_value(y))),
           (double_value(x) - double_value(y)))) <= 0x1.p-53))))))

axiom post_cond_sub_double_axiom2:
  (forall m:mode.
    (forall x:double.
      (forall y:double.
        (forall result:double.
          ((post_cond_sub_double(m, x, y, result) = 2) ->
           (double_value(result) = (double_value(x) - double_value(y))))))))

axiom post_cond_sub_double_axiom3:
  (forall m:mode.
    (forall x:double.
      (forall y:double.
        (forall result:double.
          ((post_cond_sub_double(m, x, y, result) = 3) ->
           (double_value(result) = 0.0))))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate add_double_post(m: mode, x: double, y: double, result: double) =
  ((((abs_real((double_value(x) + double_value(y))) >= 0x1.p-1022) and
     (abs_real((double_value(result) - (double_value(x) + double_value(y)))) <= (0x1.004p-53 * abs_real((double_value(x) + double_value(y)))))) or
    ((abs_real((double_value(x) + double_value(y))) <= 0x1.p-1022) and
     (abs_real((double_value(result) - (double_value(x) + double_value(y)))) <= 0x1.002p-1075))) and
   ((double_exact(result) = (double_exact(x) + double_exact(y))) and
    (double_model(result) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, result: double) =
  ((((abs_real((double_value(x) - double_value(y))) >= 0x1.p-1022) and
     (abs_real((double_value(result) - (double_value(x) - double_value(y)))) <= (0x1.004p-53 * abs_real((double_value(x) - double_value(y)))))) or
    (((0.0 <= abs_real((double_value(x) - double_value(y)))) and
      (abs_real((double_value(x) - double_value(y))) <= 0x1.p-1022)) and
     (abs_real((double_value(result) - (double_value(x) - double_value(y)))) <= 0x1.002p-1075))) and
   ((double_exact(result) = (double_exact(x) - double_exact(y))) and
    (double_model(result) = (double_model(x) - double_model(y)))))

predicate neg_double_post(m: mode, x: double, result: double) =
  ((((abs_real((-double_value(x))) >= 0x1.p-1022) and
     (abs_real(div_real((double_value(result) + double_value(x)),
     double_value(x))) <= 0x1.004p-53)) or
    (((0.0 <= abs_real((-double_value(x)))) and
      (abs_real((-double_value(x))) <= 0x1.p-1022)) and
     (abs_real((double_value(result) + double_value(x))) <= 0x1.002p-1075))) and
   ((double_exact(result) = (-double_exact(x))) and
    (double_model(result) = (-double_model(x)))))

predicate mul_double_post(m: mode, x: double, y: double, result: double) =
  ((((abs_real((double_value(x) * double_value(y))) >= 0x1.p-1022) and
     (abs_real((double_value(result) - (double_value(x) * double_value(y)))) <= (0x1.004p-53 * abs_real((double_value(x) * double_value(y)))))) or
    ((abs_real((double_value(x) * double_value(y))) <= 0x1.p-1022) and
     (abs_real((double_value(result) - (double_value(x) * double_value(y)))) <= 0x1.002p-1075))) and
   ((double_exact(result) = (double_exact(x) * double_exact(y))) and
    (double_model(result) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, result: double) =
  ((((abs_real(div_real(double_value(x), double_value(y))) >= 0x1.p-1022) and
     (abs_real((double_value(result) - div_real(double_value(x),
     double_value(y)))) <= (0x1.004p-53 * abs_real(div_real(double_value(x),
     double_value(y)))))) or
    ((abs_real(div_real(double_value(x), double_value(y))) <= 0x1.p-1022) and
     (abs_real((double_value(result) - div_real(double_value(x),
     double_value(y)))) <= 0x1.002p-1075))) and
   ((double_exact(result) = div_real(double_exact(x), double_exact(y))) and
    (double_model(result) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, result: double) =
  ((((abs_real(sqrt_real(double_value(x))) >= 0x1.p-1022) and
     (abs_real((double_value(result) - sqrt_real(double_value(x)))) <= (0x1.004p-53 * abs_real(sqrt_real(double_value(x)))))) or
    ((abs_real(sqrt_real(double_value(x))) <= 0x1.p-1022) and
     (abs_real((double_value(result) - sqrt_real(double_value(x)))) <= 0x1.002p-1075))) and
   ((double_exact(result) = sqrt_real(double_exact(x))) and
    (double_model(result) = sqrt_real(double_model(x)))))

predicate abs_double_post(m: mode, x: double, result: double) =
  ((((abs_real(double_value(x)) >= 0x1.p-1022) and
     (abs_real((double_value(result) - abs_real(double_value(x)))) <= (0x1.004p-53 * abs_real(abs_real(double_value(x)))))) or
    ((abs_real(double_value(x)) <= 0x1.p-1022) and
     (abs_real((double_value(result) - abs_real(double_value(x)))) <= 0x1.002p-1075))) and
   ((double_exact(result) = abs_real(double_exact(x))) and
    (double_model(result) = abs_real(double_model(x)))))

type charP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

function l_sign(x_0: real) : int = ite(ge_real_bool(x_0, 0.0), 1, (-1))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal eps_line_ensures_default_po_1:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  forall result:double.
  (no_overflow_double(nearest_even,
   (double_value(sx) * double_value(vx))) and mul_double_post(nearest_even,
   sx, vx, result)) ->
  forall result0:double.
  (no_overflow_double(nearest_even,
   (double_value(sy) * double_value(vy))) and mul_double_post(nearest_even,
   sy, vy, result0)) ->
  forall result1:double.
  (no_overflow_double(nearest_even,
   (double_value(result) + double_value(result0))) and
   add_double_post(nearest_even, result, result0, result1)) ->
  forall result2:double.
  (no_overflow_double(nearest_even, 0x1.90641p-45) and
   double_of_real_post(nearest_even, 0x1.90641p-45, result2)) ->
  forall result3:double.
  (no_overflow_double(nearest_even, (-double_value(result2))) and
   neg_double_post(nearest_even, result2, result3)) ->
  forall result4:double.
  (no_overflow_double(nearest_even, 0x1.90641p-45) and
   double_of_real_post(nearest_even, 0x1.90641p-45, result4)) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  forall result6:double.
  (no_overflow_double(nearest_even,
   (double_value(sx) * double_value(vy))) and mul_double_post(nearest_even,
   sx, vy, result6)) ->
  forall result7:double.
  (no_overflow_double(nearest_even,
   (double_value(sy) * double_value(vx))) and mul_double_post(nearest_even,
   sy, vx, result7)) ->
  forall result8:double.
  (no_overflow_double(nearest_even,
   (double_value(result6) - double_value(result7))) and
   sub_double_post(nearest_even, result6, result7, result8)) ->
  forall result9:double.
  (no_overflow_double(nearest_even, 0x1.90641p-45) and
   double_of_real_post(nearest_even, 0x1.90641p-45, result9)) ->
  forall result10:double.
  (no_overflow_double(nearest_even, (-double_value(result9))) and
   neg_double_post(nearest_even, result9, result10)) ->
  forall result11:double.
  (no_overflow_double(nearest_even, 0x1.90641p-45) and
   double_of_real_post(nearest_even, 0x1.90641p-45, result11)) ->
  forall result12:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result12) <> 0) ->
    (integer_of_int32(result12) = l_sign(double_exact(result8))))) and
   ("JC_13": (abs_int(integer_of_int32(result12)) <= 1)))) ->
  forall s2_1:int32.
  (s2_1 = result12) ->
  forall result13:int32.
  (integer_of_int32(result13) = (integer_of_int32(s1_1) * integer_of_int32(s2_1))) ->
  forall __retres_0:int32.
  (__retres_0 = result13) ->
  forall return:int32.
  (return = __retres_0) ->
  (integer_of_int32(return) <> 0) ->
  ("JC_37":
  (integer_of_int32(return) = (l_sign(((double_exact(sx) * double_exact(vx)) + (double_exact(sy) * double_exact(vy)))) * l_sign(((double_exact(sx) * double_exact(vy)) - (double_exact(sy) * double_exact(vx)))))))

goal eps_line_safety_po_1:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx)))

goal eps_line_safety_po_2:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy)))

goal eps_line_safety_po_3:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0)))

goal eps_line_safety_po_4:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.90641p-45)

goal eps_line_safety_po_5:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result2) ->
  no_overflow_double(nearest_even, (-double_value(result2)))

goal eps_line_safety_po_6:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result2) ->
  no_overflow_double(nearest_even, (-double_value(result2))) ->
  forall result3:double.
  neg_double_post(nearest_even, result2, result3) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result4) ->
  ("JC_3":
  ("JC_1":
  (double_value(result3) <= (double_value(result1) - double_exact(result1)))))

goal eps_line_safety_po_7:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result2) ->
  no_overflow_double(nearest_even, (-double_value(result2))) ->
  forall result3:double.
  neg_double_post(nearest_even, result2, result3) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result4) ->
  ("JC_3":
  ("JC_2":
  ((double_value(result1) - double_exact(result1)) <= double_value(result4))))

goal eps_line_safety_po_8:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result2) ->
  no_overflow_double(nearest_even, (-double_value(result2))) ->
  forall result3:double.
  neg_double_post(nearest_even, result2, result3) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy)))

goal eps_line_safety_po_9:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result2) ->
  no_overflow_double(nearest_even, (-double_value(result2))) ->
  forall result3:double.
  neg_double_post(nearest_even, result2, result3) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx)))

goal eps_line_safety_po_10:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result2) ->
  no_overflow_double(nearest_even, (-double_value(result2))) ->
  forall result3:double.
  neg_double_post(nearest_even, result2, result3) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx))) ->
  forall result7:double.
  mul_double_post(nearest_even, sy, vx, result7) ->
  no_overflow_double(nearest_even,
  (double_value(result6) - double_value(result7)))

goal eps_line_safety_po_11:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result2) ->
  no_overflow_double(nearest_even, (-double_value(result2))) ->
  forall result3:double.
  neg_double_post(nearest_even, result2, result3) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx))) ->
  forall result7:double.
  mul_double_post(nearest_even, sy, vx, result7) ->
  no_overflow_double(nearest_even,
  (double_value(result6) - double_value(result7))) ->
  forall result8:double.
  sub_double_post(nearest_even, result6, result7, result8) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result9:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result9) ->
  no_overflow_double(nearest_even, (-double_value(result9)))

goal eps_line_safety_po_12:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result2) ->
  no_overflow_double(nearest_even, (-double_value(result2))) ->
  forall result3:double.
  neg_double_post(nearest_even, result2, result3) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx))) ->
  forall result7:double.
  mul_double_post(nearest_even, sy, vx, result7) ->
  no_overflow_double(nearest_even,
  (double_value(result6) - double_value(result7))) ->
  forall result8:double.
  sub_double_post(nearest_even, result6, result7, result8) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result9:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result9) ->
  no_overflow_double(nearest_even, (-double_value(result9))) ->
  forall result10:double.
  neg_double_post(nearest_even, result9, result10) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result11:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result11) ->
  ("JC_3":
  ("JC_1":
  (double_value(result10) <= (double_value(result8) - double_exact(result8)))))

goal eps_line_safety_po_13:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result2) ->
  no_overflow_double(nearest_even, (-double_value(result2))) ->
  forall result3:double.
  neg_double_post(nearest_even, result2, result3) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx))) ->
  forall result7:double.
  mul_double_post(nearest_even, sy, vx, result7) ->
  no_overflow_double(nearest_even,
  (double_value(result6) - double_value(result7))) ->
  forall result8:double.
  sub_double_post(nearest_even, result6, result7, result8) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result9:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result9) ->
  no_overflow_double(nearest_even, (-double_value(result9))) ->
  forall result10:double.
  neg_double_post(nearest_even, result9, result10) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result11:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result11) ->
  ("JC_3":
  ("JC_2":
  ((double_value(result8) - double_exact(result8)) <= double_value(result11))))

goal eps_line_safety_po_14:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result2) ->
  no_overflow_double(nearest_even, (-double_value(result2))) ->
  forall result3:double.
  neg_double_post(nearest_even, result2, result3) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx))) ->
  forall result7:double.
  mul_double_post(nearest_even, sy, vx, result7) ->
  no_overflow_double(nearest_even,
  (double_value(result6) - double_value(result7))) ->
  forall result8:double.
  sub_double_post(nearest_even, result6, result7, result8) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result9:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result9) ->
  no_overflow_double(nearest_even, (-double_value(result9))) ->
  forall result10:double.
  neg_double_post(nearest_even, result9, result10) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result11:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result11) ->
  ("JC_3":
  (("JC_1":
   (double_value(result10) <= (double_value(result8) - double_exact(result8)))) and
   ("JC_2":
   ((double_value(result8) - double_exact(result8)) <= double_value(result11))))) ->
  forall result12:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result12) <> 0) ->
    (integer_of_int32(result12) = l_sign(double_exact(result8))))) and
   ("JC_13": (abs_int(integer_of_int32(result12)) <= 1)))) ->
  forall s2_1:int32.
  (s2_1 = result12) ->
  ((-2147483648) <= (integer_of_int32(s1_1) * integer_of_int32(s2_1)))

goal eps_line_safety_po_15:
  forall sx:double.
  forall sy:double.
  forall vx:double.
  forall vy:double.
  ("JC_35":
  (("JC_27": (double_value(sx) = double_exact(sx))) and
   (("JC_28": (double_value(sy) = double_exact(sy))) and
    (("JC_29": (double_value(vx) = double_exact(vx))) and
     (("JC_30": (double_value(vy) = double_exact(vy))) and
      (("JC_31": (abs_real(double_value(sx)) <= 100.0)) and
       (("JC_32": (abs_real(double_value(sy)) <= 100.0)) and
        (("JC_33": (abs_real(double_value(vx)) <= 1.0)) and
         ("JC_34": (abs_real(double_value(vy)) <= 1.0)))))))))) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vx))) ->
  forall result:double.
  mul_double_post(nearest_even, sx, vx, result) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vy))) ->
  forall result0:double.
  mul_double_post(nearest_even, sy, vy, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result0))) ->
  forall result1:double.
  add_double_post(nearest_even, result, result0, result1) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result2:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result2) ->
  no_overflow_double(nearest_even, (-double_value(result2))) ->
  forall result3:double.
  neg_double_post(nearest_even, result2, result3) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result4:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result4) ->
  ("JC_3":
  (("JC_1":
   (double_value(result3) <= (double_value(result1) - double_exact(result1)))) and
   ("JC_2":
   ((double_value(result1) - double_exact(result1)) <= double_value(result4))))) ->
  forall result5:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result5) <> 0) ->
    (integer_of_int32(result5) = l_sign(double_exact(result1))))) and
   ("JC_13": (abs_int(integer_of_int32(result5)) <= 1)))) ->
  forall s1_1:int32.
  (s1_1 = result5) ->
  no_overflow_double(nearest_even, (double_value(sx) * double_value(vy))) ->
  forall result6:double.
  mul_double_post(nearest_even, sx, vy, result6) ->
  no_overflow_double(nearest_even, (double_value(sy) * double_value(vx))) ->
  forall result7:double.
  mul_double_post(nearest_even, sy, vx, result7) ->
  no_overflow_double(nearest_even,
  (double_value(result6) - double_value(result7))) ->
  forall result8:double.
  sub_double_post(nearest_even, result6, result7, result8) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result9:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result9) ->
  no_overflow_double(nearest_even, (-double_value(result9))) ->
  forall result10:double.
  neg_double_post(nearest_even, result9, result10) ->
  no_overflow_double(nearest_even, 0x1.90641p-45) ->
  forall result11:double.
  double_of_real_post(nearest_even, 0x1.90641p-45, result11) ->
  ("JC_3":
  (("JC_1":
   (double_value(result10) <= (double_value(result8) - double_exact(result8)))) and
   ("JC_2":
   ((double_value(result8) - double_exact(result8)) <= double_value(result11))))) ->
  forall result12:int32.
  ("JC_14":
  (("JC_12":
   ((integer_of_int32(result12) <> 0) ->
    (integer_of_int32(result12) = l_sign(double_exact(result8))))) and
   ("JC_13": (abs_int(integer_of_int32(result12)) <= 1)))) ->
  forall s2_1:int32.
  (s2_1 = result12) ->
  ((integer_of_int32(s1_1) * integer_of_int32(s2_1)) <= 2147483647)

goal sign_ensures_default_po_1:
  forall x_1:double.
  forall e1:double.
  forall e2:double.
  ("JC_7":
  (("JC_5": (double_value(e1) <= (double_value(x_1) - double_exact(x_1)))) and
   ("JC_6": ((double_value(x_1) - double_exact(x_1)) <= double_value(e2))))) ->
  (double_value(x_1) > double_value(e2)) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) <> 0) ->
  ("JC_11": ("JC_9": (integer_of_int32(return) = l_sign(double_exact(x_1)))))

goal sign_ensures_default_po_2:
  forall x_1:double.
  forall e1:double.
  forall e2:double.
  ("JC_7":
  (("JC_5": (double_value(e1) <= (double_value(x_1) - double_exact(x_1)))) and
   ("JC_6": ((double_value(x_1) - double_exact(x_1)) <= double_value(e2))))) ->
  (double_value(x_1) > double_value(e2)) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_11": ("JC_10": (abs_int(integer_of_int32(return)) <= 1)))

goal sign_ensures_default_po_3:
  forall x_1:double.
  forall e1:double.
  forall e2:double.
  ("JC_7":
  (("JC_5": (double_value(e1) <= (double_value(x_1) - double_exact(x_1)))) and
   ("JC_6": ((double_value(x_1) - double_exact(x_1)) <= double_value(e2))))) ->
  (double_value(x_1) <= double_value(e2)) ->
  (double_value(x_1) < double_value(e1)) ->
  forall result:int32.
  (integer_of_int32(result) = (-1)) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) <> 0) ->
  ("JC_11": ("JC_9": (integer_of_int32(return) = l_sign(double_exact(x_1)))))

goal sign_ensures_default_po_4:
  forall x_1:double.
  forall e1:double.
  forall e2:double.
  ("JC_7":
  (("JC_5": (double_value(e1) <= (double_value(x_1) - double_exact(x_1)))) and
   ("JC_6": ((double_value(x_1) - double_exact(x_1)) <= double_value(e2))))) ->
  (double_value(x_1) <= double_value(e2)) ->
  (double_value(x_1) < double_value(e1)) ->
  forall result:int32.
  (integer_of_int32(result) = (-1)) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_11": ("JC_10": (abs_int(integer_of_int32(return)) <= 1)))

goal sign_ensures_default_po_5:
  forall x_1:double.
  forall e1:double.
  forall e2:double.
  ("JC_7":
  (("JC_5": (double_value(e1) <= (double_value(x_1) - double_exact(x_1)))) and
   ("JC_6": ((double_value(x_1) - double_exact(x_1)) <= double_value(e2))))) ->
  (double_value(x_1) <= double_value(e2)) ->
  (double_value(x_1) >= double_value(e1)) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  (integer_of_int32(return) <> 0) ->
  ("JC_11": ("JC_9": (integer_of_int32(return) = l_sign(double_exact(x_1)))))

goal sign_ensures_default_po_6:
  forall x_1:double.
  forall e1:double.
  forall e2:double.
  ("JC_7":
  (("JC_5": (double_value(e1) <= (double_value(x_1) - double_exact(x_1)))) and
   ("JC_6": ((double_value(x_1) - double_exact(x_1)) <= double_value(e2))))) ->
  (double_value(x_1) <= double_value(e2)) ->
  (double_value(x_1) >= double_value(e1)) ->
  forall result:int32.
  (integer_of_int32(result) = 0) ->
  forall __retres:int32.
  (__retres = result) ->
  forall return:int32.
  (return = __retres) ->
  ("JC_11": ("JC_10": (abs_int(integer_of_int32(return)) <= 1)))

why-2.34/tests/c/oracle/flag.err.oracle0000644000175000017500000000000012311670312016323 0ustar  rtuserswhy-2.34/tests/c/oracle/my_cosine.res.oracle0000644000175000017500000032113512311670312017417 0ustar  rtusers========== file tests/c/my_cosine.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// does not work: RUN GAPPA: will ask regtests to run Gappa on this program
// does not work anymore: RUN COQ: use why3 instead


/*@ lemma method_error: \forall real x;
  @     \abs(x) <= 0x1p-5 ==> \abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  @*/

/*@ requires \abs(x) <= 0x1p-5;
  @ ensures \abs(\result - \cos(x)) <= 0x1p-23;
  @*/
float my_cos1(float x) {
  //@ assert \abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1p-24;
  return 1.0f - x * x * 0.5f;
}


/*@ requires \abs(x) <= 0x1p-5 && \round_error(x) == 0.0;
  @ ensures \abs(\result - \cos(x)) <= 0x1p-23;
  @*/
float my_cos2(float x) {
  //@ assert \exact(x) == x;
  float r = 1.0f - x * x * 0.5f;
  //@ assert \abs(\exact(r) - \cos(x)) <= 0x1p-24;
  return r;
}


/*@ requires \abs(\exact(x)) <= 0x1p-5
  @     && \round_error(x) <= 0x1p-20;
  @ ensures \abs(\exact(\result) - \cos(\exact(x))) <= 0x1p-24
  @     && \round_error(\result) <= \round_error(x) + 0x3p-24;
  @*/
float my_cos3(float x) {
  float r = 1.0f - x * x * 0.5f;
  //@ assert \abs(\exact(r) - \cos(\exact(x))) <= 0x1p-24;  // by interval
  return r;
}

/*@ requires \abs(x) <= 0.07 ;
  @ ensures \abs(\result - \cos(x)) <= 0x1.3p-20;
  @*/
float my_cos4(float x) {
  //@ assert \abs(1.0 - x*x*0.5 - \cos(x)) <= 0x1.2p-20;
  return 1.0f - x * x * 0.5f;
}


/*
Local Variables:
compile-command: "make my_cosine.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/my_cosine.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/my_cosine.jessie
[jessie] File tests/c/my_cosine.jessie/my_cosine.jc written.
[jessie] File tests/c/my_cosine.jessie/my_cosine.cloc written.
========== file tests/c/my_cosine.jessie/my_cosine.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

lemma method_error :
(\forall real x;
  ((\real_abs(x) <= 0x1p-5) ==>
    (\real_abs(((1.0 - ((x * x) * 0.5)) - \cos(x))) <= 0x1p-24)))

float my_cos1(float x)
  requires (_C_7 : (\real_abs((x :> real)) <= 0x1p-5));
behavior default:
  ensures (_C_6 : (\real_abs(((\result :> real) - \cos((\at(x,Old) :> real)))) <=
                    0x1p-23));
{  
   (var float __retres);
   
   {  
      {  
         (assert for default: (_C_1 : (jessie : (\real_abs(((1.0 -
                                                              (((x :> real) *
                                                                 (x :> real)) *
                                                                0.5)) -
                                                             \cos((x :> real)))) <=
                                                  0x1p-24))));
         ()
      };
      
      {  (_C_5 : (__retres = (_C_4 : ((1.0 :> float) -
                                       (_C_3 : ((_C_2 : (x * x)) *
                                                 (0.5 :> float)))))));
         
         (return __retres)
      }
   }
}

float my_cos2(float x_0)
  requires (_C_15 : ((_C_16 : (\real_abs((x_0 :> real)) <= 0x1p-5)) &&
                      (_C_17 : (\single_round_error(x_0) == 0.0))));
behavior default:
  ensures (_C_14 : (\real_abs(((\result :> real) -
                                \cos((\at(x_0,Old) :> real)))) <=
                     0x1p-23));
{  
   (var float r);
   
   {  
      {  
         (assert for default: (_C_8 : (jessie : (\single_exact(x_0) ==
                                                  (x_0 :> real)))));
         ()
      };
      
      {  (_C_12 : (r = (_C_11 : ((1.0 :> float) -
                                  (_C_10 : ((_C_9 : (x_0 * x_0)) *
                                             (0.5 :> float)))))))
      };
      
      {  
         (assert for default: (_C_13 : (jessie : (\real_abs((\single_exact(
                                                              r) -
                                                              \cos((x_0 :> real)))) <=
                                                   0x1p-24))));
         ()
      };
      
      {  
         (return r)
      }
   }
}

float my_cos3(float x_1)
  requires (_C_26 : ((_C_27 : (\real_abs(\single_exact(x_1)) <= 0x1p-5)) &&
                      (_C_28 : (\single_round_error(x_1) <= 0x1p-20))));
behavior default:
  ensures (_C_23 : ((_C_24 : (\real_abs((\single_exact(\result) -
                                          \cos(\single_exact(\at(x_1,Old))))) <=
                               0x1p-24)) &&
                     (_C_25 : (\single_round_error(\result) <=
                                (\single_round_error(\at(x_1,Old)) + 0x3p-24)))));
{  
   (var float r_0);
   
   {  (_C_21 : (r_0 = (_C_20 : ((1.0 :> float) -
                                 (_C_19 : ((_C_18 : (x_1 * x_1)) *
                                            (0.5 :> float)))))));
      
      {  
         (assert for default: (_C_22 : (jessie : (\real_abs((\single_exact(
                                                              r_0) -
                                                              \cos(\single_exact(
                                                                   x_1)))) <=
                                                   0x1p-24))));
         ()
      };
      
      {  
         (return r_0)
      }
   }
}

float my_cos4(float x_2)
  requires (_C_35 : (\real_abs((x_2 :> real)) <= 0.07));
behavior default:
  ensures (_C_34 : (\real_abs(((\result :> real) -
                                \cos((\at(x_2,Old) :> real)))) <=
                     0x1.3p-20));
{  
   (var float __retres_0);
   
   {  
      {  
         (assert for default: (_C_29 : (jessie : (\real_abs(((1.0 -
                                                               (((x_2 :> real) *
                                                                  (x_2 :> real)) *
                                                                 0.5)) -
                                                              \cos((x_2 :> real)))) <=
                                                   0x1.2p-20))));
         ()
      };
      
      {  (_C_33 : (__retres_0 = (_C_32 : ((1.0 :> float) -
                                           (_C_31 : ((_C_30 : (x_2 * x_2)) *
                                                      (0.5 :> float)))))));
         
         (return __retres_0)
      }
   }
}
========== file tests/c/my_cosine.jessie/my_cosine.cloc ==========
[_C_35]
file = "HOME/tests/c/my_cosine.c"
line = 71
begin = 13
end = 28

[_C_28]
file = "HOME/tests/c/my_cosine.c"
line = 61
begin = 11
end = 37

[_C_31]
file = "HOME/tests/c/my_cosine.c"
line = 76
begin = 16
end = 28

[_C_4]
file = "HOME/tests/c/my_cosine.c"
line = 45
begin = 9
end = 28

[_C_32]
file = "HOME/tests/c/my_cosine.c"
line = 76
begin = 9
end = 28

[_C_23]
file = "HOME/tests/c/my_cosine.c"
line = 62
begin = 12
end = 124

[_C_19]
file = "HOME/tests/c/my_cosine.c"
line = 66
begin = 19
end = 31

[my_cos3]
name = "Function my_cos3"
file = "HOME/tests/c/my_cosine.c"
line = 65
begin = 6
end = 13

[_C_13]
file = "HOME/tests/c/my_cosine.c"
line = 55
begin = 13
end = 49

[_C_5]
file = "HOME/tests/c/my_cosine.c"
line = 45
begin = 2
end = 29

[_C_12]
file = "HOME/tests/c/my_cosine.c"
line = 54
begin = 2
end = 7

[my_cos4]
name = "Function my_cos4"
file = "HOME/tests/c/my_cosine.c"
line = 74
begin = 6
end = 13

[_C_33]
file = "HOME/tests/c/my_cosine.c"
line = 76
begin = 2
end = 29

[_C_22]
file = "HOME/tests/c/my_cosine.c"
line = 67
begin = 13
end = 57

[_C_9]
file = "HOME/tests/c/my_cosine.c"
line = 54
begin = 19
end = 24

[_C_30]
file = "HOME/tests/c/my_cosine.c"
line = 76
begin = 16
end = 21

[_C_6]
file = "HOME/tests/c/my_cosine.c"
line = 41
begin = 12
end = 46

[_C_24]
file = "HOME/tests/c/my_cosine.c"
line = 62
begin = 12
end = 62

[_C_20]
file = "HOME/tests/c/my_cosine.c"
line = 66
begin = 12
end = 31

[_C_3]
file = "HOME/tests/c/my_cosine.c"
line = 45
begin = 16
end = 28

[_C_17]
file = "HOME/tests/c/my_cosine.c"
line = 49
begin = 34
end = 56

[my_cos2]
name = "Function my_cos2"
file = "HOME/tests/c/my_cosine.c"
line = 52
begin = 6
end = 13

[_C_7]
file = "HOME/tests/c/my_cosine.c"
line = 40
begin = 13
end = 30

[_C_27]
file = "HOME/tests/c/my_cosine.c"
line = 60
begin = 13
end = 38

[_C_15]
file = "HOME/tests/c/my_cosine.c"
line = 49
begin = 13
end = 56

[_C_26]
file = "HOME/tests/c/my_cosine.c"
line = 60
begin = 13
end = 76

[_C_10]
file = "HOME/tests/c/my_cosine.c"
line = 54
begin = 19
end = 31

[method_error]
name = "Lemma method_error"
file = "HOME/tests/c/my_cosine.c"
line = 36
begin = 4
end = 111

[_C_8]
file = "HOME/tests/c/my_cosine.c"
line = 53
begin = 13
end = 27

[_C_18]
file = "HOME/tests/c/my_cosine.c"
line = 66
begin = 19
end = 24

[_C_29]
file = "HOME/tests/c/my_cosine.c"
line = 75
begin = 13
end = 55

[_C_14]
file = "HOME/tests/c/my_cosine.c"
line = 50
begin = 12
end = 46

[my_cos1]
name = "Function my_cos1"
file = "HOME/tests/c/my_cosine.c"
line = 43
begin = 6
end = 13

[_C_2]
file = "HOME/tests/c/my_cosine.c"
line = 45
begin = 16
end = 21

[_C_34]
file = "HOME/tests/c/my_cosine.c"
line = 72
begin = 12
end = 48

[_C_16]
file = "HOME/tests/c/my_cosine.c"
line = 49
begin = 13
end = 30

[_C_1]
file = "HOME/tests/c/my_cosine.c"
line = 44
begin = 13
end = 53

[_C_25]
file = "HOME/tests/c/my_cosine.c"
line = 63
begin = 11
end = 61

[_C_11]
file = "HOME/tests/c/my_cosine.c"
line = 54
begin = 12
end = 31

[_C_21]
file = "HOME/tests/c/my_cosine.c"
line = 66
begin = 2
end = 7

========== jessie execution ==========
Generating Why function my_cos1
Generating Why function my_cos2
Generating Why function my_cos3
Generating Why function my_cos4
========== file tests/c/my_cosine.jessie/my_cosine.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs my_cosine.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs my_cosine.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/my_cosine_why.sx

project: why/my_cosine.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/my_cosine_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/my_cosine_why.vo

coq/my_cosine_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/my_cosine_why.v: why/my_cosine.why
	@echo 'why -coq [...] why/my_cosine.why' && $(WHY) $(JESSIELIBFILES) why/my_cosine.why && rm -f coq/jessie_why.v

coq-goals: goals coq/my_cosine_ctx_why.vo
	for f in why/*_po*.why; do make -f my_cosine.makefile coq/`basename $$f .why`_why.v ; done

coq/my_cosine_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/my_cosine_ctx_why.v: why/my_cosine_ctx.why
	@echo 'why -coq [...] why/my_cosine_ctx.why' && $(WHY) why/my_cosine_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export my_cosine_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/my_cosine_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/my_cosine_ctx_why.vo

pvs: pvs/my_cosine_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/my_cosine_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/my_cosine_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/my_cosine_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/my_cosine_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/my_cosine_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/my_cosine_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/my_cosine_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/my_cosine_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/my_cosine_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/my_cosine_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/my_cosine_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/my_cosine_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/my_cosine_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/my_cosine_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: my_cosine.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/my_cosine_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: my_cosine.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: my_cosine.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: my_cosine.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include my_cosine.depend

depend: coq/my_cosine_why.v
	-$(COQDEP) -I coq coq/my_cosine*_why.v > my_cosine.depend

clean:
	rm -f coq/*.vo

========== file tests/c/my_cosine.jessie/my_cosine.loc ==========
[JC_73]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 76
begin = 16
end = 28

[JC_63]
file = "HOME/tests/c/my_cosine.c"
line = 71
begin = 13
end = 28

[JC_51]
file = "HOME/tests/c/my_cosine.c"
line = 63
begin = 11
end = 61

[my_cos1_ensures_default]
name = "Function my_cos1"
behavior = "default behavior"
file = "HOME/tests/c/my_cosine.c"
line = 43
begin = 6
end = 13

[JC_71]
file = "HOME/tests/c/my_cosine.c"
line = 75
begin = 13
end = 55

[JC_45]
file = "HOME/tests/c/my_cosine.c"
line = 60
begin = 13
end = 76

[JC_64]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_31]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 54
begin = 19
end = 31

[JC_17]
file = "HOME/tests/c/my_cosine.c"
line = 49
begin = 13
end = 30

[JC_55]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 66
begin = 19
end = 24

[JC_48]
file = "HOME/tests/c/my_cosine.c"
line = 63
begin = 11
end = 61

[JC_23]
file = "HOME/tests/c/my_cosine.c"
line = 49
begin = 13
end = 56

[JC_22]
file = "HOME/tests/c/my_cosine.c"
line = 49
begin = 34
end = 56

[JC_5]
file = "HOME/tests/c/my_cosine.c"
line = 41
begin = 12
end = 46

[JC_67]
file = "HOME/tests/c/my_cosine.c"
line = 72
begin = 12
end = 48

[JC_9]
file = "HOME/tests/c/my_cosine.c"
line = 44
begin = 13
end = 53

[JC_75]
file = "HOME/tests/c/my_cosine.c"
line = 75
begin = 13
end = 55

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/c/my_cosine.c"
line = 50
begin = 12
end = 46

[JC_78]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 76
begin = 9
end = 28

[JC_41]
file = "HOME/tests/c/my_cosine.c"
line = 60
begin = 13
end = 76

[JC_74]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 76
begin = 9
end = 28

[JC_47]
file = "HOME/tests/c/my_cosine.c"
line = 62
begin = 12
end = 62

[JC_52]
file = "HOME/tests/c/my_cosine.c"
line = 62
begin = 12
end = 124

[JC_26]
file = "HOME/tests/c/my_cosine.c"
line = 50
begin = 12
end = 46

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[my_cos2_safety]
name = "Function my_cos2"
behavior = "Safety"
file = "HOME/tests/c/my_cosine.c"
line = 52
begin = 6
end = 13

[JC_54]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/c/my_cosine.c"
line = 44
begin = 13
end = 53

[my_cos4_ensures_default]
name = "Function my_cos4"
behavior = "default behavior"
file = "HOME/tests/c/my_cosine.c"
line = 74
begin = 6
end = 13

[JC_11]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 45
begin = 16
end = 28

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 45
begin = 16
end = 28

[JC_36]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 54
begin = 19
end = 31

[JC_39]
file = "HOME/tests/c/my_cosine.c"
line = 60
begin = 13
end = 38

[JC_40]
file = "HOME/tests/c/my_cosine.c"
line = 61
begin = 11
end = 37

[JC_35]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 54
begin = 19
end = 24

[my_cos2_ensures_default]
name = "Function my_cos2"
behavior = "default behavior"
file = "HOME/tests/c/my_cosine.c"
line = 52
begin = 6
end = 13

[JC_27]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_69]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_38]
file = "HOME/tests/c/my_cosine.c"
line = 55
begin = 13
end = 49

[JC_12]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 45
begin = 9
end = 28

[JC_6]
file = "HOME/tests/c/my_cosine.c"
line = 41
begin = 12
end = 46

[JC_44]
file = "HOME/tests/c/my_cosine.c"
line = 61
begin = 11
end = 37

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
file = "HOME/tests/c/my_cosine.c"
line = 67
begin = 13
end = 57

[JC_42]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[my_cos3_ensures_default]
name = "Function my_cos3"
behavior = "default behavior"
file = "HOME/tests/c/my_cosine.c"
line = 65
begin = 6
end = 13

[JC_61]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 66
begin = 12
end = 31

[JC_32]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 54
begin = 12
end = 31

[JC_56]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 66
begin = 19
end = 31

[my_cos3_safety]
name = "Function my_cos3"
behavior = "Safety"
file = "HOME/tests/c/my_cosine.c"
line = 65
begin = 6
end = 13

[JC_33]
file = "HOME/tests/c/my_cosine.c"
line = 55
begin = 13
end = 49

[JC_65]
file = "HOME/tests/c/my_cosine.c"
line = 71
begin = 13
end = 28

[JC_29]
file = "HOME/tests/c/my_cosine.c"
line = 53
begin = 13
end = 27

[method_error]
name = "Lemma method_error"
behavior = "lemma"
file = "HOME/tests/c/my_cosine.c"
line = 36
begin = 4
end = 111

[JC_68]
file = "HOME/tests/c/my_cosine.c"
line = 72
begin = 12
end = 48

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 45
begin = 9
end = 28

[JC_43]
file = "HOME/tests/c/my_cosine.c"
line = 60
begin = 13
end = 38

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[my_cos4_safety]
name = "Function my_cos4"
behavior = "Safety"
file = "HOME/tests/c/my_cosine.c"
line = 74
begin = 6
end = 13

[JC_34]
file = "HOME/tests/c/my_cosine.c"
line = 53
begin = 13
end = 27

[JC_14]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 45
begin = 16
end = 21

[JC_53]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_21]
file = "HOME/tests/c/my_cosine.c"
line = 49
begin = 13
end = 30

[JC_77]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 76
begin = 16
end = 28

[JC_49]
file = "HOME/tests/c/my_cosine.c"
line = 62
begin = 12
end = 124

[JC_1]
file = "HOME/tests/c/my_cosine.c"
line = 40
begin = 13
end = 30

[JC_37]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 54
begin = 12
end = 31

[JC_10]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 45
begin = 16
end = 21

[JC_57]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 66
begin = 12
end = 31

[my_cos1_safety]
name = "Function my_cos1"
behavior = "Safety"
file = "HOME/tests/c/my_cosine.c"
line = 43
begin = 6
end = 13

[JC_66]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_59]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 66
begin = 19
end = 24

[JC_20]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_18]
file = "HOME/tests/c/my_cosine.c"
line = 49
begin = 34
end = 56

[JC_3]
file = "HOME/tests/c/my_cosine.c"
line = 40
begin = 13
end = 30

[JC_60]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 66
begin = 19
end = 31

[JC_72]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 76
begin = 16
end = 21

[JC_19]
file = "HOME/tests/c/my_cosine.c"
line = 49
begin = 13
end = 56

[JC_76]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 76
begin = 16
end = 21

[JC_50]
file = "HOME/tests/c/my_cosine.c"
line = 62
begin = 12
end = 62

[JC_30]
kind = FPOverflow
file = "HOME/tests/c/my_cosine.c"
line = 54
begin = 19
end = 24

[JC_58]
file = "HOME/tests/c/my_cosine.c"
line = 67
begin = 13
end = 57

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/my_cosine.jessie/why/my_cosine.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma method_error :
 (forall x_3:real.
  (le_real(abs_real(x_3), 0x1p-5) ->
   le_real(abs_real(sub_real(sub_real(1.0, mul_real(mul_real(x_3, x_3), 0.5)),
                    cos(x_3))),
   0x1p-24)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter my_cos1 :
 x_0:single ->
  { } single
  { (JC_6:
    le_real(abs_real(sub_real(single_value(result), cos(single_value(x_0)))),
    0x1p-23)) }

parameter my_cos1_requires :
 x_0:single ->
  { (JC_1: le_real(abs_real(single_value(x_0)), 0x1p-5))} single
  { (JC_6:
    le_real(abs_real(sub_real(single_value(result), cos(single_value(x_0)))),
    0x1p-23)) }

parameter my_cos2 :
 x_0_0:single ->
  { } single
  { (JC_26:
    le_real(abs_real(sub_real(single_value(result), cos(single_value(x_0_0)))),
    0x1p-23)) }

parameter my_cos2_requires :
 x_0_0:single ->
  { (JC_19:
    ((JC_17: le_real(abs_real(single_value(x_0_0)), 0x1p-5))
    and (JC_18: (single_round_error(x_0_0) = 0.0))))}
  single
  { (JC_26:
    le_real(abs_real(sub_real(single_value(result), cos(single_value(x_0_0)))),
    0x1p-23)) }

parameter my_cos3 :
 x_1:single ->
  { } single
  { (JC_52:
    ((JC_50:
     le_real(abs_real(sub_real(single_exact(result), cos(single_exact(x_1)))),
     0x1p-24))
    and (JC_51:
        le_real(single_round_error(result),
        add_real(single_round_error(x_1), 0x3p-24))))) }

parameter my_cos3_requires :
 x_1:single ->
  { (JC_41:
    ((JC_39: le_real(abs_real(single_exact(x_1)), 0x1p-5))
    and (JC_40: le_real(single_round_error(x_1), 0x1p-20))))}
  single
  { (JC_52:
    ((JC_50:
     le_real(abs_real(sub_real(single_exact(result), cos(single_exact(x_1)))),
     0x1p-24))
    and (JC_51:
        le_real(single_round_error(result),
        add_real(single_round_error(x_1), 0x3p-24))))) }

parameter my_cos4 :
 x_2:single ->
  { } single
  { (JC_68:
    le_real(abs_real(sub_real(single_value(result), cos(single_value(x_2)))),
    0x1.3p-20)) }

parameter my_cos4_requires :
 x_2:single ->
  { (JC_63: le_real(abs_real(single_value(x_2)), 0.07))} single
  { (JC_68:
    le_real(abs_real(sub_real(single_value(result), cos(single_value(x_2)))),
    0x1.3p-20)) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let my_cos1_ensures_default =
 fun (x_0 : single) ->
  { (JC_3: le_real(abs_real(single_value(x_0)), 0x1p-5)) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let __retres = ref (any_single void) in
     begin
       (assert
       { (JC_13:
         le_real(abs_real(sub_real(sub_real(1.0,
                                   mul_real(mul_real(single_value(x_0),
                                            single_value(x_0)),
                                   0.5)),
                          cos(single_value(x_0)))),
         0x1p-24)) }; void); void;
      (let _jessie_ =
      (__retres := (JC_16:
                   (((sub_single_safe nearest_even) (single_of_real_exact 1.0)) 
                    (JC_15:
                    (((mul_single_safe nearest_even) (JC_14:
                                                     (((mul_single_safe nearest_even) x_0) x_0))) 
                     (single_of_real_exact 0.5)))))) in void);
      (return := !__retres); (raise Return) end); absurd  end with Return ->
   !return end))
  { (JC_5:
    le_real(abs_real(sub_real(single_value(result), cos(single_value(x_0)))),
    0x1p-23)) }

let my_cos1_safety =
 fun (x_0 : single) ->
  { (JC_3: le_real(abs_real(single_value(x_0)), 0x1p-5)) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let __retres = ref (any_single void) in
     begin
       [ { } unit
         { (JC_9:
           le_real(abs_real(sub_real(sub_real(1.0,
                                     mul_real(mul_real(single_value(x_0),
                                              single_value(x_0)),
                                     0.5)),
                            cos(single_value(x_0)))),
           0x1p-24)) } ]; void;
      (let _jessie_ =
      (__retres := (JC_12:
                   (((sub_single nearest_even) (single_of_real_exact 1.0)) 
                    (JC_11:
                    (((mul_single nearest_even) (JC_10:
                                                (((mul_single nearest_even) x_0) x_0))) 
                     (single_of_real_exact 0.5)))))) in void);
      (return := !__retres); (raise Return) end); absurd  end with Return ->
   !return end)) { true }

let my_cos2_ensures_default =
 fun (x_0_0 : single) ->
  { (JC_23:
    ((JC_21: le_real(abs_real(single_value(x_0_0)), 0x1p-5))
    and (JC_22: (single_round_error(x_0_0) = 0.0)))) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let r = ref (any_single void) in
     begin
       (assert { (JC_34: (single_exact(x_0_0) = single_value(x_0_0))) };
       void); void;
      (let _jessie_ =
      begin
        (r := (JC_37:
              (((sub_single_safe nearest_even) (single_of_real_exact 1.0)) 
               (JC_36:
               (((mul_single_safe nearest_even) (JC_35:
                                                (((mul_single_safe nearest_even) x_0_0) x_0_0))) 
                (single_of_real_exact 0.5)))))); !r end in void);
      (assert
      { (JC_38:
        le_real(abs_real(sub_real(single_exact(r), cos(single_value(x_0_0)))),
        0x1p-24)) }; void); void; (return := !r); (raise Return) end); 
    absurd  end with Return -> !return end))
  { (JC_25:
    le_real(abs_real(sub_real(single_value(result), cos(single_value(x_0_0)))),
    0x1p-23)) }

let my_cos2_safety =
 fun (x_0_0 : single) ->
  { (JC_23:
    ((JC_21: le_real(abs_real(single_value(x_0_0)), 0x1p-5))
    and (JC_22: (single_round_error(x_0_0) = 0.0)))) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let r = ref (any_single void) in
     begin
       [ { } unit { (JC_29: (single_exact(x_0_0) = single_value(x_0_0))) } ];
      void;
      (let _jessie_ =
      begin
        (r := (JC_32:
              (((sub_single nearest_even) (single_of_real_exact 1.0)) 
               (JC_31:
               (((mul_single nearest_even) (JC_30:
                                           (((mul_single nearest_even) x_0_0) x_0_0))) 
                (single_of_real_exact 0.5)))))); !r end in void);
      [ { } unit reads r
        { (JC_33:
          le_real(abs_real(sub_real(single_exact(r),
                           cos(single_value(x_0_0)))),
          0x1p-24)) } ]; void; (return := !r); (raise Return) end); absurd 
   end with Return -> !return end)) { true }

let my_cos3_ensures_default =
 fun (x_1 : single) ->
  { (JC_45:
    ((JC_43: le_real(abs_real(single_exact(x_1)), 0x1p-5))
    and (JC_44: le_real(single_round_error(x_1), 0x1p-20)))) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let r_0 = ref (any_single void) in
     begin
       (let _jessie_ =
       (r_0 := (JC_61:
               (((sub_single_safe nearest_even) (single_of_real_exact 1.0)) 
                (JC_60:
                (((mul_single_safe nearest_even) (JC_59:
                                                 (((mul_single_safe nearest_even) x_1) x_1))) 
                 (single_of_real_exact 0.5)))))) in void);
      (assert
      { (JC_62:
        le_real(abs_real(sub_real(single_exact(r_0), cos(single_exact(x_1)))),
        0x1p-24)) }; void); void; (return := !r_0); (raise Return) end);
    absurd  end with Return -> !return end))
  { (JC_49:
    ((JC_47:
     le_real(abs_real(sub_real(single_exact(result), cos(single_exact(x_1)))),
     0x1p-24))
    and (JC_48:
        le_real(single_round_error(result),
        add_real(single_round_error(x_1), 0x3p-24))))) }

let my_cos3_safety =
 fun (x_1 : single) ->
  { (JC_45:
    ((JC_43: le_real(abs_real(single_exact(x_1)), 0x1p-5))
    and (JC_44: le_real(single_round_error(x_1), 0x1p-20)))) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let r_0 = ref (any_single void) in
     begin
       (let _jessie_ =
       (r_0 := (JC_57:
               (((sub_single nearest_even) (single_of_real_exact 1.0)) 
                (JC_56:
                (((mul_single nearest_even) (JC_55:
                                            (((mul_single nearest_even) x_1) x_1))) 
                 (single_of_real_exact 0.5)))))) in void);
      [ { } unit reads r_0
        { (JC_58:
          le_real(abs_real(sub_real(single_exact(r_0),
                           cos(single_exact(x_1)))),
          0x1p-24)) } ]; void; (return := !r_0); (raise Return) end); 
    absurd  end with Return -> !return end)) { true }

let my_cos4_ensures_default =
 fun (x_2 : single) ->
  { (JC_65: le_real(abs_real(single_value(x_2)), 0.07)) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let __retres_0 = ref (any_single void) in
     begin
       (assert
       { (JC_75:
         le_real(abs_real(sub_real(sub_real(1.0,
                                   mul_real(mul_real(single_value(x_2),
                                            single_value(x_2)),
                                   0.5)),
                          cos(single_value(x_2)))),
         0x1.2p-20)) }; void); void;
      (let _jessie_ =
      (__retres_0 := (JC_78:
                     (((sub_single_safe nearest_even) (single_of_real_exact 1.0)) 
                      (JC_77:
                      (((mul_single_safe nearest_even) (JC_76:
                                                       (((mul_single_safe nearest_even) x_2) x_2))) 
                       (single_of_real_exact 0.5)))))) in void);
      (return := !__retres_0); (raise Return) end); absurd  end with
   Return -> !return end))
  { (JC_67:
    le_real(abs_real(sub_real(single_value(result), cos(single_value(x_2)))),
    0x1.3p-20)) }

let my_cos4_safety =
 fun (x_2 : single) ->
  { (JC_65: le_real(abs_real(single_value(x_2)), 0.07)) }
  (init:
  (let return = ref (any_single void) in
  try
   begin
     (let __retres_0 = ref (any_single void) in
     begin
       [ { } unit
         { (JC_71:
           le_real(abs_real(sub_real(sub_real(1.0,
                                     mul_real(mul_real(single_value(x_2),
                                              single_value(x_2)),
                                     0.5)),
                            cos(single_value(x_2)))),
           0x1.2p-20)) } ]; void;
      (let _jessie_ =
      (__retres_0 := (JC_74:
                     (((sub_single nearest_even) (single_of_real_exact 1.0)) 
                      (JC_73:
                      (((mul_single nearest_even) (JC_72:
                                                  (((mul_single nearest_even) x_2) x_2))) 
                       (single_of_real_exact 0.5)))))) in void);
      (return := !__retres_0); (raise Return) end); absurd  end with
   Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/my_cosine.why
========== file tests/c/my_cosine.jessie/why/my_cosine_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal method_error:
  (forall x_3:real.
    ((abs_real(x_3) <= 0x1.p-5) ->
     (abs_real(((1.0 - ((x_3 * x_3) * 0.5)) - cos(x_3))) <= 0x1.p-24)))

axiom method_error_as_axiom:
  (forall x_3:real.
    ((abs_real(x_3) <= 0x1.p-5) ->
     (abs_real(((1.0 - ((x_3 * x_3) * 0.5)) - cos(x_3))) <= 0x1.p-24)))

goal my_cos1_ensures_default_po_1:
  forall x_0:single.
  ("JC_3": (abs_real(single_value(x_0)) <= 0x1.p-5)) ->
  ("JC_13":
  (abs_real(((1.0 - ((single_value(x_0) * single_value(x_0)) * 0.5)) - cos(single_value(x_0)))) <= 0x1.p-24))

goal my_cos1_ensures_default_po_2:
  forall x_0:single.
  ("JC_3": (abs_real(single_value(x_0)) <= 0x1.p-5)) ->
  ("JC_13":
  (abs_real(((1.0 - ((single_value(x_0) * single_value(x_0)) * 0.5)) - cos(single_value(x_0)))) <= 0x1.p-24)) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_0, x_0, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  forall result2:single.
  mul_single_post(nearest_even, result0, result1, result2) ->
  forall result3:single.
  sub_single_post(nearest_even, result, result2, result3) ->
  forall __retres:single.
  (__retres = result3) ->
  forall return:single.
  (return = __retres) ->
  ("JC_5":
  (abs_real((single_value(return) - cos(single_value(x_0)))) <= 0x1.p-23))

goal my_cos1_safety_po_1:
  forall x_0:single.
  ("JC_3": (abs_real(single_value(x_0)) <= 0x1.p-5)) ->
  ("JC_9":
  (abs_real(((1.0 - ((single_value(x_0) * single_value(x_0)) * 0.5)) - cos(single_value(x_0)))) <= 0x1.p-24)) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  no_overflow_single(nearest_even, (single_value(x_0) * single_value(x_0)))

goal my_cos1_safety_po_2:
  forall x_0:single.
  ("JC_3": (abs_real(single_value(x_0)) <= 0x1.p-5)) ->
  ("JC_9":
  (abs_real(((1.0 - ((single_value(x_0) * single_value(x_0)) * 0.5)) - cos(single_value(x_0)))) <= 0x1.p-24)) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  no_overflow_single(nearest_even,
  (single_value(x_0) * single_value(x_0))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_0, x_0, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  no_overflow_single(nearest_even,
  (single_value(result0) * single_value(result1)))

goal my_cos1_safety_po_3:
  forall x_0:single.
  ("JC_3": (abs_real(single_value(x_0)) <= 0x1.p-5)) ->
  ("JC_9":
  (abs_real(((1.0 - ((single_value(x_0) * single_value(x_0)) * 0.5)) - cos(single_value(x_0)))) <= 0x1.p-24)) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  no_overflow_single(nearest_even,
  (single_value(x_0) * single_value(x_0))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_0, x_0, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  no_overflow_single(nearest_even,
  (single_value(result0) * single_value(result1))) ->
  forall result2:single.
  mul_single_post(nearest_even, result0, result1, result2) ->
  no_overflow_single(nearest_even,
  (single_value(result) - single_value(result2)))

goal my_cos2_ensures_default_po_1:
  forall x_0_0:single.
  ("JC_23":
  (("JC_21": (abs_real(single_value(x_0_0)) <= 0x1.p-5)) and
   ("JC_22": (single_round_error(x_0_0) = 0.0)))) ->
  ("JC_34": (single_exact(x_0_0) = single_value(x_0_0)))

goal my_cos2_ensures_default_po_2:
  forall x_0_0:single.
  ("JC_23":
  (("JC_21": (abs_real(single_value(x_0_0)) <= 0x1.p-5)) and
   ("JC_22": (single_round_error(x_0_0) = 0.0)))) ->
  ("JC_34": (single_exact(x_0_0) = single_value(x_0_0))) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_0_0, x_0_0, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  forall result2:single.
  mul_single_post(nearest_even, result0, result1, result2) ->
  forall result3:single.
  sub_single_post(nearest_even, result, result2, result3) ->
  forall r:single.
  (r = result3) ->
  ("JC_38":
  (abs_real((single_exact(r) - cos(single_value(x_0_0)))) <= 0x1.p-24))

goal my_cos2_ensures_default_po_3:
  forall x_0_0:single.
  ("JC_23":
  (("JC_21": (abs_real(single_value(x_0_0)) <= 0x1.p-5)) and
   ("JC_22": (single_round_error(x_0_0) = 0.0)))) ->
  ("JC_34": (single_exact(x_0_0) = single_value(x_0_0))) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_0_0, x_0_0, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  forall result2:single.
  mul_single_post(nearest_even, result0, result1, result2) ->
  forall result3:single.
  sub_single_post(nearest_even, result, result2, result3) ->
  forall r:single.
  (r = result3) ->
  ("JC_38":
  (abs_real((single_exact(r) - cos(single_value(x_0_0)))) <= 0x1.p-24)) ->
  forall return:single.
  (return = r) ->
  ("JC_25":
  (abs_real((single_value(return) - cos(single_value(x_0_0)))) <= 0x1.p-23))

goal my_cos2_safety_po_1:
  forall x_0_0:single.
  ("JC_23":
  (("JC_21": (abs_real(single_value(x_0_0)) <= 0x1.p-5)) and
   ("JC_22": (single_round_error(x_0_0) = 0.0)))) ->
  ("JC_29": (single_exact(x_0_0) = single_value(x_0_0))) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  no_overflow_single(nearest_even,
  (single_value(x_0_0) * single_value(x_0_0)))

goal my_cos2_safety_po_2:
  forall x_0_0:single.
  ("JC_23":
  (("JC_21": (abs_real(single_value(x_0_0)) <= 0x1.p-5)) and
   ("JC_22": (single_round_error(x_0_0) = 0.0)))) ->
  ("JC_29": (single_exact(x_0_0) = single_value(x_0_0))) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  no_overflow_single(nearest_even,
  (single_value(x_0_0) * single_value(x_0_0))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_0_0, x_0_0, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  no_overflow_single(nearest_even,
  (single_value(result0) * single_value(result1)))

goal my_cos2_safety_po_3:
  forall x_0_0:single.
  ("JC_23":
  (("JC_21": (abs_real(single_value(x_0_0)) <= 0x1.p-5)) and
   ("JC_22": (single_round_error(x_0_0) = 0.0)))) ->
  ("JC_29": (single_exact(x_0_0) = single_value(x_0_0))) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  no_overflow_single(nearest_even,
  (single_value(x_0_0) * single_value(x_0_0))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_0_0, x_0_0, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  no_overflow_single(nearest_even,
  (single_value(result0) * single_value(result1))) ->
  forall result2:single.
  mul_single_post(nearest_even, result0, result1, result2) ->
  no_overflow_single(nearest_even,
  (single_value(result) - single_value(result2)))

goal my_cos3_ensures_default_po_1:
  forall x_1:single.
  ("JC_45":
  (("JC_43": (abs_real(single_exact(x_1)) <= 0x1.p-5)) and
   ("JC_44": (single_round_error(x_1) <= 0x1.p-20)))) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_1, x_1, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  forall result2:single.
  mul_single_post(nearest_even, result0, result1, result2) ->
  forall result3:single.
  sub_single_post(nearest_even, result, result2, result3) ->
  forall r_0:single.
  (r_0 = result3) ->
  ("JC_62":
  (abs_real((single_exact(r_0) - cos(single_exact(x_1)))) <= 0x1.p-24))

goal my_cos3_ensures_default_po_2:
  forall x_1:single.
  ("JC_45":
  (("JC_43": (abs_real(single_exact(x_1)) <= 0x1.p-5)) and
   ("JC_44": (single_round_error(x_1) <= 0x1.p-20)))) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_1, x_1, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  forall result2:single.
  mul_single_post(nearest_even, result0, result1, result2) ->
  forall result3:single.
  sub_single_post(nearest_even, result, result2, result3) ->
  forall r_0:single.
  (r_0 = result3) ->
  ("JC_62":
  (abs_real((single_exact(r_0) - cos(single_exact(x_1)))) <= 0x1.p-24)) ->
  forall return:single.
  (return = r_0) ->
  ("JC_49":
  ("JC_47":
  (abs_real((single_exact(return) - cos(single_exact(x_1)))) <= 0x1.p-24)))

goal my_cos3_ensures_default_po_3:
  forall x_1:single.
  ("JC_45":
  (("JC_43": (abs_real(single_exact(x_1)) <= 0x1.p-5)) and
   ("JC_44": (single_round_error(x_1) <= 0x1.p-20)))) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_1, x_1, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  forall result2:single.
  mul_single_post(nearest_even, result0, result1, result2) ->
  forall result3:single.
  sub_single_post(nearest_even, result, result2, result3) ->
  forall r_0:single.
  (r_0 = result3) ->
  ("JC_62":
  (abs_real((single_exact(r_0) - cos(single_exact(x_1)))) <= 0x1.p-24)) ->
  forall return:single.
  (return = r_0) ->
  ("JC_49":
  ("JC_48":
  (single_round_error(return) <= (single_round_error(x_1) + 0x3.p-24))))

goal my_cos3_safety_po_1:
  forall x_1:single.
  ("JC_45":
  (("JC_43": (abs_real(single_exact(x_1)) <= 0x1.p-5)) and
   ("JC_44": (single_round_error(x_1) <= 0x1.p-20)))) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  no_overflow_single(nearest_even, (single_value(x_1) * single_value(x_1)))

goal my_cos3_safety_po_2:
  forall x_1:single.
  ("JC_45":
  (("JC_43": (abs_real(single_exact(x_1)) <= 0x1.p-5)) and
   ("JC_44": (single_round_error(x_1) <= 0x1.p-20)))) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  no_overflow_single(nearest_even,
  (single_value(x_1) * single_value(x_1))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_1, x_1, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  no_overflow_single(nearest_even,
  (single_value(result0) * single_value(result1)))

goal my_cos3_safety_po_3:
  forall x_1:single.
  ("JC_45":
  (("JC_43": (abs_real(single_exact(x_1)) <= 0x1.p-5)) and
   ("JC_44": (single_round_error(x_1) <= 0x1.p-20)))) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  no_overflow_single(nearest_even,
  (single_value(x_1) * single_value(x_1))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_1, x_1, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  no_overflow_single(nearest_even,
  (single_value(result0) * single_value(result1))) ->
  forall result2:single.
  mul_single_post(nearest_even, result0, result1, result2) ->
  no_overflow_single(nearest_even,
  (single_value(result) - single_value(result2)))

goal my_cos4_ensures_default_po_1:
  forall x_2:single.
  ("JC_65": (abs_real(single_value(x_2)) <= 0.07)) ->
  ("JC_75":
  (abs_real(((1.0 - ((single_value(x_2) * single_value(x_2)) * 0.5)) - cos(single_value(x_2)))) <= 0x1.2p-20))

goal my_cos4_ensures_default_po_2:
  forall x_2:single.
  ("JC_65": (abs_real(single_value(x_2)) <= 0.07)) ->
  ("JC_75":
  (abs_real(((1.0 - ((single_value(x_2) * single_value(x_2)) * 0.5)) - cos(single_value(x_2)))) <= 0x1.2p-20)) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_2, x_2, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  forall result2:single.
  mul_single_post(nearest_even, result0, result1, result2) ->
  forall result3:single.
  sub_single_post(nearest_even, result, result2, result3) ->
  forall __retres_0:single.
  (__retres_0 = result3) ->
  forall return:single.
  (return = __retres_0) ->
  ("JC_67":
  (abs_real((single_value(return) - cos(single_value(x_2)))) <= 0x1.3p-20))

goal my_cos4_safety_po_1:
  forall x_2:single.
  ("JC_65": (abs_real(single_value(x_2)) <= 0.07)) ->
  ("JC_71":
  (abs_real(((1.0 - ((single_value(x_2) * single_value(x_2)) * 0.5)) - cos(single_value(x_2)))) <= 0x1.2p-20)) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  no_overflow_single(nearest_even, (single_value(x_2) * single_value(x_2)))

goal my_cos4_safety_po_2:
  forall x_2:single.
  ("JC_65": (abs_real(single_value(x_2)) <= 0.07)) ->
  ("JC_71":
  (abs_real(((1.0 - ((single_value(x_2) * single_value(x_2)) * 0.5)) - cos(single_value(x_2)))) <= 0x1.2p-20)) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  no_overflow_single(nearest_even,
  (single_value(x_2) * single_value(x_2))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_2, x_2, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  no_overflow_single(nearest_even,
  (single_value(result0) * single_value(result1)))

goal my_cos4_safety_po_3:
  forall x_2:single.
  ("JC_65": (abs_real(single_value(x_2)) <= 0.07)) ->
  ("JC_71":
  (abs_real(((1.0 - ((single_value(x_2) * single_value(x_2)) * 0.5)) - cos(single_value(x_2)))) <= 0x1.2p-20)) ->
  forall result:single.
  ((single_value(result) = 1.0) and
   ((single_exact(result) = 1.0) and (single_model(result) = 1.0))) ->
  no_overflow_single(nearest_even,
  (single_value(x_2) * single_value(x_2))) ->
  forall result0:single.
  mul_single_post(nearest_even, x_2, x_2, result0) ->
  forall result1:single.
  ((single_value(result1) = 0.5) and
   ((single_exact(result1) = 0.5) and (single_model(result1) = 0.5))) ->
  no_overflow_single(nearest_even,
  (single_value(result0) * single_value(result1))) ->
  forall result2:single.
  mul_single_post(nearest_even, result0, result1, result2) ->
  no_overflow_single(nearest_even,
  (single_value(result) - single_value(result2)))

why-2.34/tests/c/oracle/clock_drift.err.oracle0000644000175000017500000000032412311670312017706 0ustar  rtuserssed: can't read tests/c/clock_drift.jessie/gappa/clock_drift_why.gappa: No such file or directory
Uncaught exception: Sys_error("gappa/clock_drift_why.gappa: No such file or directory")
make: *** [gappa] Error 2
why-2.34/tests/c/oracle/double_rounding_strict_model.res.oracle0000644000175000017500000021310112311670312023352 0ustar  rtusers========== file tests/c/double_rounding_strict_model.c ==========


double doublerounding() {
  double x = 1.0;
  double y = 0x1p-53 + 0x1p-64;
  double z = x + y;
  //@ assert z == 1.0 + 0x1p-52;
  return z;
}


/*
Local Variables:
compile-command: "LC_ALL=C make double_rounding_strict_model.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/double_rounding_strict_model.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/double_rounding_strict_model.jessie
[jessie] File tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.jc written.
[jessie] File tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.cloc written.
========== file tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

double doublerounding()
behavior default:
  ensures (_C_7 : true);
{  
   (var double x);
   
   (var double y);
   
   (var double z);
   
   {  (_C_1 : (x = (1.0 :> double)));
      (_C_3 : (y = (_C_2 : ((0x1p-53 :> double) + (0x1p-64 :> double)))));
      (_C_5 : (z = (_C_4 : (x + y))));
      
      {  
         (assert for default: (_C_6 : (jessie : ((z :> real) ==
                                                  (1.0 + 0x1p-52)))));
         ()
      };
      
      {  
         (return z)
      }
   }
}
========== file tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.cloc ==========
[_C_4]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 6
begin = 13
end = 18

[_C_5]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 6
begin = 2
end = 8

[doublerounding]
name = "Function doublerounding"
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 3
begin = 7
end = 21

[_C_6]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 7
begin = 13
end = 31

[_C_3]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 5
begin = 2
end = 8

[_C_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_2]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 5
begin = 13
end = 30

[_C_1]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 4
begin = 2
end = 8

========== jessie execution ==========
Generating Why function doublerounding
========== file tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs double_rounding_strict_model.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs double_rounding_strict_model.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/double_rounding_strict_model_why.sx

project: why/double_rounding_strict_model.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/double_rounding_strict_model_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/double_rounding_strict_model_why.vo

coq/double_rounding_strict_model_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/double_rounding_strict_model_why.v: why/double_rounding_strict_model.why
	@echo 'why -coq [...] why/double_rounding_strict_model.why' && $(WHY) $(JESSIELIBFILES) why/double_rounding_strict_model.why && rm -f coq/jessie_why.v

coq-goals: goals coq/double_rounding_strict_model_ctx_why.vo
	for f in why/*_po*.why; do make -f double_rounding_strict_model.makefile coq/`basename $$f .why`_why.v ; done

coq/double_rounding_strict_model_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/double_rounding_strict_model_ctx_why.v: why/double_rounding_strict_model_ctx.why
	@echo 'why -coq [...] why/double_rounding_strict_model_ctx.why' && $(WHY) why/double_rounding_strict_model_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export double_rounding_strict_model_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/double_rounding_strict_model_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/double_rounding_strict_model_ctx_why.vo

pvs: pvs/double_rounding_strict_model_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/double_rounding_strict_model_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/double_rounding_strict_model_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/double_rounding_strict_model_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/double_rounding_strict_model_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/double_rounding_strict_model_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/double_rounding_strict_model_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/double_rounding_strict_model_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/double_rounding_strict_model_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/double_rounding_strict_model_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/double_rounding_strict_model_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/double_rounding_strict_model_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/double_rounding_strict_model_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/double_rounding_strict_model_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/double_rounding_strict_model_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: double_rounding_strict_model.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/double_rounding_strict_model_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: double_rounding_strict_model.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: double_rounding_strict_model.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: double_rounding_strict_model.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include double_rounding_strict_model.depend

depend: coq/double_rounding_strict_model_why.v
	-$(COQDEP) -I coq coq/double_rounding_strict_model*_why.v > double_rounding_strict_model.depend

clean:
	rm -f coq/*.vo

========== file tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.loc ==========
[JC_5]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_9]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.jc"
line = 45
begin = 28
end = 47

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 7
begin = 13
end = 31

[JC_11]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 5
begin = 13
end = 30

[JC_15]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 6
begin = 13
end = 18

[JC_12]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 6
begin = 13
end = 18

[JC_6]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[doublerounding_ensures_default]
name = "Function doublerounding"
behavior = "default behavior"
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 3
begin = 7
end = 21

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 7
begin = 13
end = 31

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 5
begin = 13
end = 30

[doublerounding_safety]
name = "Function doublerounding"
behavior = "Safety"
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 3
begin = 7
end = 21

[JC_1]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 3
begin = 7
end = 21

[JC_10]
kind = FPOverflow
file = "HOME/tests/c/double_rounding_strict_model.jessie/double_rounding_strict_model.jc"
line = 45
begin = 50
end = 69

[JC_3]
file = "HOME/tests/c/double_rounding_strict_model.c"
line = 3
begin = 7
end = 21

========== file tests/c/double_rounding_strict_model.jessie/why/double_rounding_strict_model.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter doublerounding : tt:unit -> { } double { true }

parameter doublerounding_requires : tt:unit -> { } double { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let doublerounding_ensures_default =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let x_0 = ref (any_double void) in
     (let y = ref (any_double void) in
     (let z = ref (any_double void) in
     begin
       (let _jessie_ = (x_0 := (double_of_real_exact 1.0)) in void);
      (let _jessie_ =
      (y := (JC_14:
            (((add_double_safe nearest_even) ((double_of_real_safe nearest_even) 0x1p-53)) 
             ((double_of_real_safe nearest_even) 0x1p-64)))) in void);
      (let _jessie_ =
      (z := (JC_15: (((add_double_safe nearest_even) !x_0) !y))) in void);
      (assert { (JC_16: (double_value(z) = add_real(1.0, 0x1p-52))) }; void);
      void; (return := !z); (raise Return) end))); absurd  end with Return ->
   !return end)) { (JC_5: true) }

let doublerounding_safety =
 fun (tt : unit) ->
  { (JC_4: true) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let x_0 = ref (any_double void) in
     (let y = ref (any_double void) in
     (let z = ref (any_double void) in
     begin
       (let _jessie_ = (x_0 := (double_of_real_exact 1.0)) in void);
      (let _jessie_ =
      (y := (JC_11:
            (((add_double nearest_even) (JC_9:
                                        ((double_of_real nearest_even) 0x1p-53))) 
             (JC_10: ((double_of_real nearest_even) 0x1p-64))))) in void);
      (let _jessie_ =
      (z := (JC_12: (((add_double nearest_even) !x_0) !y))) in void);
      [ { } unit reads z
        { (JC_13: (double_value(z) = add_real(1.0, 0x1p-52))) } ]; void;
      (return := !z); (raise Return) end))); absurd  end with Return ->
   !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/double_rounding_strict_model.why
========== file tests/c/double_rounding_strict_model.jessie/why/double_rounding_strict_model_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal doublerounding_ensures_default_po_1:
  ("JC_4": true) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall x_0:double.
  (x_0 = result) ->
  forall result0:double.
  double_of_real_post(nearest_even, 0x1.p-53, result0) ->
  forall result1:double.
  double_of_real_post(nearest_even, 0x1.p-64, result1) ->
  forall result2:double.
  add_double_post(nearest_even, result0, result1, result2) ->
  forall y:double.
  (y = result2) ->
  forall result3:double.
  add_double_post(nearest_even, x_0, y, result3) ->
  forall z:double.
  (z = result3) ->
  ("JC_16": (double_value(z) = (1.0 + 0x1.p-52)))

goal doublerounding_safety_po_1:
  ("JC_4": true) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall x_0:double.
  (x_0 = result) ->
  no_overflow_double(nearest_even, 0x1.p-53)

goal doublerounding_safety_po_2:
  ("JC_4": true) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall x_0:double.
  (x_0 = result) ->
  no_overflow_double(nearest_even, 0x1.p-53) ->
  forall result0:double.
  double_of_real_post(nearest_even, 0x1.p-53, result0) ->
  no_overflow_double(nearest_even, 0x1.p-64)

goal doublerounding_safety_po_3:
  ("JC_4": true) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall x_0:double.
  (x_0 = result) ->
  no_overflow_double(nearest_even, 0x1.p-53) ->
  forall result0:double.
  double_of_real_post(nearest_even, 0x1.p-53, result0) ->
  no_overflow_double(nearest_even, 0x1.p-64) ->
  forall result1:double.
  double_of_real_post(nearest_even, 0x1.p-64, result1) ->
  no_overflow_double(nearest_even,
  (double_value(result0) + double_value(result1)))

goal doublerounding_safety_po_4:
  ("JC_4": true) ->
  forall result:double.
  ((double_value(result) = 1.0) and
   ((double_exact(result) = 1.0) and (double_model(result) = 1.0))) ->
  forall x_0:double.
  (x_0 = result) ->
  no_overflow_double(nearest_even, 0x1.p-53) ->
  forall result0:double.
  double_of_real_post(nearest_even, 0x1.p-53, result0) ->
  no_overflow_double(nearest_even, 0x1.p-64) ->
  forall result1:double.
  double_of_real_post(nearest_even, 0x1.p-64, result1) ->
  no_overflow_double(nearest_even,
  (double_value(result0) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, result0, result1, result2) ->
  forall y:double.
  (y = result2) ->
  no_overflow_double(nearest_even, (double_value(x_0) + double_value(y)))

why-2.34/tests/c/oracle/double_rounding_multirounding_model.err.oracle0000644000175000017500000000000012311670312024731 0ustar  rtuserswhy-2.34/tests/c/oracle/sparse_array.err.oracle0000644000175000017500000000000012311670312020105 0ustar  rtuserswhy-2.34/tests/c/oracle/overflow_level.err.oracle0000644000175000017500000000000012311670312020444 0ustar  rtuserswhy-2.34/tests/c/oracle/power.res.oracle0000644000175000017500000007652212311670312016575 0ustar  rtusers========== file tests/c/power.c ==========


// int model: unbounded mathematical integers
#pragma JessieIntegerModel(math)


/*@ axiomatic Power {
  @   logic integer power(integer x, integer n);
  @ }
  @*/
#pragma JessieBuiltin(power, "\\int_pow")

/*@ lemma power_even:
  @   \forall integer x,n; n >= 0 && n % 2 == 0 ==>
  @     power(x,n) == power(x*x,n/2);
  @*/

/*@ lemma power_odd:
  @   \forall integer x,n; n >= 0 && n % 2 != 0 ==>
  @     power(x,n) == x*power(x*x,n/2);
  @*/


// recursive implementation

/*@ requires 0 <= n;
  @ decreases n;
  @ ensures \result == power(x,n);
  @*/
long rec(long x, int n) {
  if (n == 0) return 1;
  long r = rec(x, n/2);
  if ( n % 2 == 0 ) return r*r;
  return r*r*x;
}


// non-recursive implementation

/*@ requires 0 <= n;
  @ ensures \result == power(x,n);
  @*/
long imp(long x, int n) {
  long r = 1, p = x;
  int e = n;

  /*@ loop invariant
    @   0 <= e && r * power(p,e) == power(x,n);
    @ loop variant e;
    @*/
  while (e > 0) {
    if (e % 2 != 0) r *= p;
    p *= p;
    e /= 2;
  }
  return r;
}

========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/power.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/power.jessie
[jessie] File tests/c/power.jessie/power.jc written.
[jessie] File tests/c/power.jessie/power.cloc written.
========== file tests/c/power.jessie/power.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

axiomatic Power {

  logic integer power(integer x, integer n)
  
}

lemma power_even :
(\forall integer x_0;
  (\forall integer n_0;
    (((n_0 >= 0) && ((n_0 % 2) == 0)) ==>
      (\int_pow(x_0, n_0) == \int_pow((x_0 * x_0), (n_0 / 2))))))

lemma power_odd :
(\forall integer x_1;
  (\forall integer n_1;
    (((n_1 >= 0) && ((n_1 % 2) != 0)) ==>
      (\int_pow(x_1, n_1) == (x_1 * \int_pow((x_1 * x_1), (n_1 / 2)))))))

integer rec(integer x_0, integer n_2)
  requires (_C_12 : (0 <= n_2));
  decreases (_C_13 : n_2);
behavior default:
  ensures (_C_11 : (\result == \int_pow(\at(x_0,Old), \at(n_2,Old))));
{  
   (var integer r);
   
   (var integer __retres);
   
   {  (if (n_2 == 0) then 
      {  (_C_1 : (__retres = 1));
         
         (goto return_label)
      } else ());
      (_C_4 : (r = (_C_3 : rec(x_0, (_C_2 : (n_2 / 2))))));
      (if ((_C_7 : (n_2 % 2)) == 0) then 
      {  (_C_6 : (__retres = (_C_5 : (r * r))));
         
         (goto return_label)
      } else ());
      (_C_10 : (__retres = (_C_9 : ((_C_8 : (r * r)) * x_0))));
      (return_label : 
      (return __retres))
   }
}

integer imp(integer x, integer n_1)
  requires (_C_29 : (0 <= n_1));
behavior default:
  ensures (_C_28 : (\result == \int_pow(\at(x,Old), \at(n_1,Old))));
{  
   (var integer r_0);
   
   (var integer p);
   
   (var integer e);
   
   {  (_C_14 : (r_0 = 1));
      (_C_15 : (p = x));
      (_C_16 : (e = n_1));
      
      loop 
      behavior default:
        invariant (_C_18 : ((_C_19 : (0 <= e)) &&
                             (_C_20 : ((r_0 * \int_pow(p, e)) ==
                                        \int_pow(x, n_1)))));
      variant (_C_17 : e);
      while (true)
      {  
         {  (if (e > 0) then () else 
            (goto while_0_break));
            
            {  (if ((_C_23 : (e % 2)) != 0) then (_C_22 : (r_0 = (_C_21 : 
                                                                 (r_0 *
                                                                   p)))) else ());
               (_C_25 : (p = (_C_24 : (p * p))));
               (_C_27 : (e = (_C_26 : (e / 2))))
            }
         }
      };
      (while_0_break : ());
      
      (return r_0)
   }
}
========== file tests/c/power.jessie/power.cloc ==========
[_C_28]
file = "HOME/tests/c/power.c"
line = 41
begin = 12
end = 33

[rec]
name = "Function rec"
file = "HOME/tests/c/power.c"
line = 30
begin = 5
end = 8

[_C_4]
file = "HOME/tests/c/power.c"
line = 32
begin = 11
end = 22

[_C_23]
file = "HOME/tests/c/power.c"
line = 52
begin = 8
end = 13

[_C_19]
file = "HOME/tests/c/power.c"
line = 48
begin = 8
end = 14

[_C_13]
file = "HOME/tests/c/power.c"
line = 27
begin = 14
end = 15

[_C_5]
file = "HOME/tests/c/power.c"
line = 33
begin = 27
end = 30

[_C_12]
file = "HOME/tests/c/power.c"
line = 26
begin = 13
end = 19

[_C_22]
file = "HOME/tests/c/power.c"
line = 52
begin = 20
end = 26

[_C_9]
file = "HOME/tests/c/power.c"
line = 34
begin = 9
end = 14

[_C_6]
file = "HOME/tests/c/power.c"
line = 33
begin = 20
end = 31

[_C_24]
file = "HOME/tests/c/power.c"
line = 53
begin = 4
end = 10

[_C_20]
file = "HOME/tests/c/power.c"
line = 48
begin = 18
end = 46

[power_even]
name = "Lemma power_even"
file = "HOME/tests/c/power.c"
line = 13
begin = 4
end = 111

[_C_3]
file = "HOME/tests/c/power.c"
line = 32
begin = 11
end = 22

[_C_17]
file = "HOME/tests/c/power.c"
line = 49
begin = 19
end = 20

[_C_7]
file = "HOME/tests/c/power.c"
line = 33
begin = 7
end = 12

[_C_27]
file = "HOME/tests/c/power.c"
line = 54
begin = 4
end = 10

[_C_15]
file = "HOME/tests/c/power.c"
line = 44
begin = 2
end = 6

[_C_26]
file = "HOME/tests/c/power.c"
line = 54
begin = 4
end = 10

[_C_10]
file = "HOME/tests/c/power.c"
line = 34
begin = 2
end = 15

[_C_8]
file = "HOME/tests/c/power.c"
line = 34
begin = 9
end = 12

[_C_18]
file = "HOME/tests/c/power.c"
line = 48
begin = 8
end = 46

[_C_29]
file = "HOME/tests/c/power.c"
line = 40
begin = 13
end = 19

[_C_14]
file = "HOME/tests/c/power.c"
line = 44
begin = 2
end = 6

[imp]
name = "Function imp"
file = "HOME/tests/c/power.c"
line = 43
begin = 5
end = 8

[_C_2]
file = "HOME/tests/c/power.c"
line = 32
begin = 18
end = 21

[power_odd]
name = "Lemma power_odd"
file = "HOME/tests/c/power.c"
line = 18
begin = 4
end = 112

[_C_16]
file = "HOME/tests/c/power.c"
line = 45
begin = 2
end = 5

[_C_1]
file = "HOME/tests/c/power.c"
line = 31
begin = 14
end = 23

[_C_25]
file = "HOME/tests/c/power.c"
line = 53
begin = 4
end = 10

[_C_11]
file = "HOME/tests/c/power.c"
line = 28
begin = 12
end = 33

[_C_21]
file = "HOME/tests/c/power.c"
line = 52
begin = 20
end = 26

========== jessie execution ==========
Generating Why function rec_0
Generating Why function imp
========== file tests/c/power.jessie/power.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs power.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs power.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/power_why.sx

project: why/power.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/power_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/power_why.vo

coq/power_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/power_why.v: why/power.why
	@echo 'why -coq [...] why/power.why' && $(WHY) $(JESSIELIBFILES) why/power.why && rm -f coq/jessie_why.v

coq-goals: goals coq/power_ctx_why.vo
	for f in why/*_po*.why; do make -f power.makefile coq/`basename $$f .why`_why.v ; done

coq/power_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/power_ctx_why.v: why/power_ctx.why
	@echo 'why -coq [...] why/power_ctx.why' && $(WHY) why/power_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export power_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/power_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/power_ctx_why.vo

pvs: pvs/power_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/power_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/power_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/power_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/power_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/power_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/power_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/power_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/power_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/power_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/power_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/power_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/power_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/power_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/power_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: power.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/power_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: power.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: power.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: power.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include power.depend

depend: coq/power_why.v
	-$(COQDEP) -I coq coq/power*_why.v > power.depend

clean:
	rm -f coq/*.vo

========== file tests/c/power.jessie/power.loc ==========
[rec_safety]
name = "Function rec"
behavior = "Safety"
file = "HOME/tests/c/power.c"
line = 30
begin = 5
end = 8

[JC_31]
file = "HOME/tests/c/power.jessie/power.jc"
line = 89
begin = 6
end = 716

[JC_17]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 33
begin = 7
end = 12

[JC_23]
file = "HOME/tests/c/power.c"
line = 41
begin = 12
end = 33

[JC_22]
file = "HOME/tests/c/power.c"
line = 41
begin = 12
end = 33

[JC_5]
file = "HOME/tests/c/power.c"
line = 28
begin = 12
end = 33

[JC_9]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 32
begin = 18
end = 21

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 52
begin = 8
end = 13

[JC_26]
file = "HOME/tests/c/power.c"
line = 48
begin = 8
end = 14

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
kind = VarDecr
file = "HOME/tests/c/power.c"
line = 32
begin = 11
end = 22

[rec_ensures_default]
name = "Function rec"
behavior = "default behavior"
file = "HOME/tests/c/power.c"
line = 30
begin = 5
end = 8

[JC_11]
file = "HOME/tests/c/power.c"
line = 27
begin = 14
end = 15

[JC_15]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 32
begin = 18
end = 21

[JC_36]
file = "HOME/tests/c/power.c"
line = 48
begin = 18
end = 46

[JC_39]
file = "HOME/tests/c/power.jessie/power.jc"
line = 89
begin = 6
end = 716

[JC_40]
file = "HOME/tests/c/power.jessie/power.jc"
line = 89
begin = 6
end = 716

[JC_35]
file = "HOME/tests/c/power.c"
line = 48
begin = 8
end = 14

[power_even]
name = "Lemma power_even"
behavior = "lemma"
file = "HOME/tests/c/power.c"
line = 13
begin = 4
end = 111

[JC_27]
file = "HOME/tests/c/power.c"
line = 48
begin = 18
end = 46

[imp_ensures_default]
name = "Function imp"
behavior = "default behavior"
file = "HOME/tests/c/power.c"
line = 43
begin = 5
end = 8

[JC_38]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_12]
file = "HOME/tests/c/power.c"
line = 27
begin = 14
end = 15

[JC_6]
file = "HOME/tests/c/power.c"
line = 28
begin = 12
end = 33

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_42]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 54
begin = 4
end = 10

[JC_32]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 52
begin = 8
end = 13

[JC_33]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 54
begin = 4
end = 10

[JC_29]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
kind = UserCall
file = "HOME/tests/c/power.c"
line = 32
begin = 11
end = 22

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_34]
file = "HOME/tests/c/power.c"
line = 49
begin = 19
end = 20

[JC_14]
kind = DivByZero
file = "HOME/tests/c/power.c"
line = 33
begin = 7
end = 12

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/power.c"
line = 26
begin = 13
end = 19

[imp_safety]
name = "Function imp"
behavior = "Safety"
file = "HOME/tests/c/power.c"
line = 43
begin = 5
end = 8

[JC_37]
file = "HOME/tests/c/power.c"
line = 48
begin = 8
end = 46

[JC_10]
kind = UserCall
file = "HOME/tests/c/power.c"
line = 32
begin = 11
end = 22

[power_odd]
name = "Lemma power_odd"
behavior = "lemma"
file = "HOME/tests/c/power.c"
line = 18
begin = 4
end = 112

[JC_20]
file = "HOME/tests/c/power.c"
line = 40
begin = 13
end = 19

[JC_18]
file = "HOME/tests/c/power.c"
line = 40
begin = 13
end = 19

[JC_3]
file = "HOME/tests/c/power.c"
line = 26
begin = 13
end = 19

[JC_19]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/c/power.jessie/power.jc"
line = 89
begin = 6
end = 716

[JC_28]
file = "HOME/tests/c/power.c"
line = 48
begin = 8
end = 46

========== file tests/c/power.jessie/why/power.why ==========
type charP

type padding

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

logic power: int, int -> int

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma power_even :
 (forall x_0_1:int.
  (forall n_0:int.
   ((ge_int(n_0, (0)) and (computer_mod(n_0, (2)) = (0))) ->
    (pow_int(x_0_1, n_0) = pow_int(mul_int(x_0_1, x_0_1),
                           computer_div(n_0, (2)))))))

lemma power_odd :
 (forall x_1_0:int.
  (forall n_1_0:int.
   ((ge_int(n_1_0, (0)) and (computer_mod(n_1_0, (2)) <> (0))) ->
    (pow_int(x_1_0, n_1_0) = mul_int(x_1_0,
                             pow_int(mul_int(x_1_0, x_1_0),
                             computer_div(n_1_0, (2))))))))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter imp :
 x_1:int -> n_1:int -> { } int { (JC_23: (result = pow_int(x_1, n_1))) }

parameter imp_requires :
 x_1:int ->
  n_1:int ->
   { (JC_18: le_int((0), n_1))} int { (JC_23: (result = pow_int(x_1, n_1))) }

parameter rec_0 :
 x_0_0:int -> n_2:int -> { } int { (JC_6: (result = pow_int(x_0_0, n_2))) }

parameter rec_0_requires :
 x_0_0:int ->
  n_2:int ->
   { (JC_1: le_int((0), n_2))} int { (JC_6: (result = pow_int(x_0_0, n_2))) }

let imp_ensures_default =
 fun (x_1 : int) (n_1 : int) ->
  { (JC_20: le_int((0), n_1)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r_0 = ref (any_int void) in
     (let p = ref (any_int void) in
     (let e = ref (any_int void) in
     try
      begin
        (let _jessie_ = (r_0 := (1)) in void);
       (let _jessie_ = (p := x_1) in void);
       (let _jessie_ = (e := n_1) in void);
       (loop_2:
       begin
         while true do
         { invariant
             (JC_37:
             ((JC_35: le_int((0), e))
             and (JC_36: (mul_int(r_0, pow_int(p, e)) = pow_int(x_1, n_1)))))
            }
          begin
            [ { } unit { true } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((gt_int_ !e) (0)) then void
                else (raise (Goto_while_0_break_exc void)));
               (if ((neq_int_ (JC_41: ((computer_mod !e) (2)))) (0))
               then (let _jessie_ = (r_0 := ((mul_int !r_0) !p)) in void)
               else void);
               (let _jessie_ = (p := ((mul_int !p) !p)) in void);
               (e := (JC_42: ((computer_div !e) (2)))); !e end in void);
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !r_0); (raise Return) end) end)));
    absurd  end with Return -> !return end))
  { (JC_22: (result = pow_int(x_1, n_1))) }

let imp_safety =
 fun (x_1 : int) (n_1 : int) ->
  { (JC_20: le_int((0), n_1)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r_0 = ref (any_int void) in
     (let p = ref (any_int void) in
     (let e = ref (any_int void) in
     try
      begin
        (let _jessie_ = (r_0 := (1)) in void);
       (let _jessie_ = (p := x_1) in void);
       (let _jessie_ = (e := n_1) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_30: true) variant (JC_34 : e) }
          begin
            [ { } unit reads e,p,r_0
              { (JC_28:
                ((JC_26: le_int((0), e))
                and (JC_27:
                    (mul_int(r_0, pow_int(p, e)) = pow_int(x_1, n_1))))) } ];
           try
            begin
              (let _jessie_ =
              begin
                (if ((gt_int_ !e) (0)) then void
                else (raise (Goto_while_0_break_exc void)));
               (if ((neq_int_ (JC_32: ((computer_mod_ !e) (2)))) (0))
               then (let _jessie_ = (r_0 := ((mul_int !r_0) !p)) in void)
               else void);
               (let _jessie_ = (p := ((mul_int !p) !p)) in void);
               (e := (JC_33: ((computer_div_ !e) (2)))); !e end in void);
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (return := !r_0); (raise Return) end) end)));
    absurd  end with Return -> !return end)) { true }

let rec_ensures_default =
 fun (x_0_0 : int) (n_2 : int) ->
  { (JC_3: le_int((0), n_2)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (any_int void) in
     (let __retres = ref (any_int void) in
     try
      begin
        (if ((eq_int_ n_2) (0))
        then
         begin
           (let _jessie_ = (__retres := (1)) in void);
          (raise (Return_label_exc void)) end else void);
       (let _jessie_ =
       (r := (let _jessie_ = x_0_0 in
             (let _jessie_ = (JC_15: ((computer_div n_2) (2))) in
             (JC_16: ((rec_0 _jessie_) _jessie_))))) in void);
       (if ((eq_int_ (JC_17: ((computer_mod n_2) (2)))) (0))
       then
        begin
          (let _jessie_ = (__retres := ((mul_int !r) !r)) in void);
         (raise (Return_label_exc void)) end else void);
       (let _jessie_ = (__retres := ((mul_int ((mul_int !r) !r)) x_0_0)) in
       void); (raise (Return_label_exc void)) end with
      Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_5: (result = pow_int(x_0_0, n_2))) }

let rec_safety =
 fun (x_0_0 : int) (n_2 : int) ->
  { (JC_3: le_int((0), n_2)) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let r = ref (any_int void) in
     (let __retres = ref (any_int void) in
     try
      begin
        (if ((eq_int_ n_2) (0))
        then
         begin
           (let _jessie_ = (__retres := (1)) in void);
          (raise (Return_label_exc void)) end else void);
       (let _jessie_ =
       (r := (let _jessie_ = x_0_0 in
             (let _jessie_ = (JC_9: ((computer_div_ n_2) (2))) in
             (JC_13:
             (check { zwf_zero((JC_12 : _jessie_), (JC_11 : n_2)) };
             (JC_10: ((rec_0_requires _jessie_) _jessie_))))))) in void);
       (if ((eq_int_ (JC_14: ((computer_mod_ n_2) (2)))) (0))
       then
        begin
          (let _jessie_ = (__retres := ((mul_int !r) !r)) in void);
         (raise (Return_label_exc void)) end else void);
       (let _jessie_ = (__retres := ((mul_int ((mul_int !r) !r)) x_0_0)) in
       void); (raise (Return_label_exc void)) end with
      Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/power.why
========== file tests/c/power.jessie/why/power_why.why ==========
why-2.34/tests/c/oracle/isqrt2.res.oracle0000644000175000017500000000005412311670312016650 0ustar  rtusersdon't know what to do with -journal-disable
why-2.34/tests/c/oracle/float_sqrt.err.oracle0000644000175000017500000000000012311670312017570 0ustar  rtuserswhy-2.34/tests/c/oracle/scalar_product.res.oracle0000644000175000017500000062101112311670312020433 0ustar  rtusers========== file tests/c/scalar_product.c ==========

// for N = 10
#define NMAX 10
#define NMAXR 10.0
#define B 0x1.1p-50

// for N = 100
// #define NMAX 100
// #define NMAXR 100.0
// #define B 0x1.02p-47


// for N = 1000
// #define NMAX 1000
// #define NMAXR 1000.0
// #define B 0x1.004p-44


/*@ axiomatic ScalarProduct {
  @   // exact_scalar_product(x,y,n) = x[0]*y[0] + ... + x[n-1] * y[n-1]
  @   logic real exact_scalar_product{L}(double *x, double *y, integer n)
  @       reads x[..], y[..];
  @   axiom A1{L}: \forall double *x,*y;
  @      exact_scalar_product(x,y,0) == 0.0;
  @   axiom A2{L}: \forall double *x,*y; \forall integer n ;
  @      n >= 0 ==>
  @        exact_scalar_product(x,y,n+1) == 
  @          exact_scalar_product(x,y,n) + x[n]*y[n];
  @ }
  @*/


/*@ lemma bound_int_to_real:
  @   \forall integer i; i <= NMAX ==> i <= NMAXR;
  @*/


/*@ requires 0 <= n <= NMAX;
  @ requires \valid(x+(0..n-1)) && \valid(y+(0.. n-1)) ;
  @ requires \forall integer i; 0 <= i < n ==>
  @          \abs(x[i]) <= 1.0 && \abs(y[i]) <= 1.0 ;
  @ ensures
  @    \abs(\result - exact_scalar_product(x,y,n)) <= n * B;
  @*/
double scalar_product(double x[], double y[], int n) {
  double p = 0.0;
  /*@ loop invariant 0 <= i <= n ;
    @ loop invariant \abs(exact_scalar_product(x,y,i)) <= i;
    @ loop invariant \abs(p - exact_scalar_product(x,y,i)) <= i * B;
    @ loop variant n-i;
    @*/
  for (int i=0; i < n; i++) {
    // bounds, needed by Gappa
    //@ assert \abs(x[i]) <= 1.0;
    //@ assert \abs(y[i]) <= 1.0;
    //@ assert \abs(p) <= NMAXR*(1+B) ;

  L:
    p = p + x[i]*y[i];

    // bound on the rounding errors in the statement above, proved by gappa
    /*@ assert \abs(p - (\at(p,L) + x[i]*y[i])) <= B;
     */

    // the proper instance of triangular inequality to show the main invariant
    /*@ assert
          \abs(p - exact_scalar_product(x,y,i+1)) <=
          \abs(p - (\at(p,L) + x[i]*y[i])) +
          \abs((\at(p,L) + x[i]*y[i]) -
               (exact_scalar_product(x,y,i) + x[i]*y[i])) ;
    */

    // a lemma to show the invariant \abs(exact_scalar_product(x,y,i)) <= i
    /*@ assert
      \abs(exact_scalar_product(x,y,i+1)) <=
         \abs(exact_scalar_product(x,y,i)) + \abs(x[i]) * \abs(y[i]);
    */

    // a necessary lemma, proved only by gappa
    //@ assert \abs(x[i]) * \abs(y[i]) <= 1.0;
  }
  return p;
}



/*
Local Variables:
compile-command: "make scalar_product.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/scalar_product.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/scalar_product.jessie
[jessie] File tests/c/scalar_product.jessie/scalar_product.jc written.
[jessie] File tests/c/scalar_product.jessie/scalar_product.cloc written.
========== file tests/c/scalar_product.jessie/scalar_product.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag doubleP = {
  double doubleM: 64;
}

type doubleP = [doubleP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

axiomatic ScalarProduct {

  logic real exact_scalar_product{L}(doubleP[..] x, doubleP[..] y, integer n)
  reads (x + [..]).doubleM, (y + [..]).doubleM;
   
  axiom A1{L} :
  (\forall doubleP[..] x_0;
    (\forall doubleP[..] y_0;
      (exact_scalar_product{L}(x_0, y_0, 0) == 0.0)))
   
  axiom A2{L} :
  (\forall doubleP[..] x_1;
    (\forall doubleP[..] y_1;
      (\forall integer n_0;
        ((n_0 >= 0) ==>
          (exact_scalar_product{L}(x_1, y_1, (n_0 + 1)) ==
            (exact_scalar_product{L}(x_1, y_1, n_0) +
              (((x_1 + n_0).doubleM :> real) * ((y_1 + n_0).doubleM :> real))))))))
  
}

lemma bound_int_to_real :
(\forall integer i_1;
  ((i_1 <= 10) ==> (i_1 <= 10.0)))

double scalar_product(doubleP[..] x, doubleP[..] y, int32 n_1)
  requires (_C_35 : ((_C_36 : (0 <= n_1)) && (_C_37 : (n_1 <= 10))));
  requires (_C_28 : (((_C_30 : (\offset_min(x) <= 0)) &&
                       (_C_31 : (\offset_max(x) >= (n_1 - 1)))) &&
                      ((_C_33 : (\offset_min(y) <= 0)) &&
                        (_C_34 : (\offset_max(y) >= (n_1 - 1))))));
  requires (_C_27 : (\forall integer i_2;
                      (((0 <= i_2) && (i_2 < n_1)) ==>
                        ((\real_abs(((x + i_2).doubleM :> real)) <= 1.0) &&
                          (\real_abs(((y + i_2).doubleM :> real)) <= 1.0)))));
behavior default:
  ensures (_C_26 : (\real_abs(((\result :> real) -
                                exact_scalar_product{Here}(\at(x,Old),
                                                           \at(y,Old),
                                                           \at(n_1,Old)))) <=
                     (\at(n_1,Old) * 0x1.1p-50)));
{  
   (var double p);
   
   (var int32 i);
   
   {  (_C_1 : (p = (0.0 :> double)));
      
      {  (_C_2 : (i = 0));
         
         loop 
         behavior default:
           invariant (_C_6 : ((_C_7 : (0 <= i)) && (_C_8 : (i <= n_1))));
         behavior default:
           invariant (_C_5 : (\real_abs(exact_scalar_product{Here}(x, y, i)) <=
                               i));
         behavior default:
           invariant (_C_4 : (\real_abs(((p :> real) -
                                          exact_scalar_product{Here}(
                                          x, y, i))) <=
                               (i * 0x1.1p-50)));
         variant (_C_3 : (n_1 - i));
         while (true)
         {  
            {  (if (i < n_1) then () else 
               (goto while_0_break));
               
               {  
                  {  
                     (assert for default: (_C_9 : (jessie : (\real_abs(
                                                              ((x + i).doubleM :> real)) <=
                                                              1.0))));
                     ()
                  };
                  
                  {  
                     (assert for default: (_C_10 : (jessie : (\real_abs(
                                                               ((y + i).doubleM :> real)) <=
                                                               1.0))));
                     ()
                  };
                  
                  {  
                     (assert for default: (_C_11 : (jessie : (\real_abs(
                                                               (p :> real)) <=
                                                               (10.0 *
                                                                 (1 +
                                                                   0x1.1p-50))))));
                     ()
                  };
                  (L : (_C_18 : (p = (_C_17 : (p +
                                                (_C_16 : ((_C_15 : (_C_14 : 
                                                                   (x +
                                                                    i)).doubleM) *
                                                           (_C_13 : (_C_12 : 
                                                                    (y +
                                                                    i)).doubleM))))))));
                  
                  {  
                     (assert for default: (_C_19 : (jessie : (\real_abs(
                                                               ((p :> real) -
                                                                 ((\at(p,L) :> real) +
                                                                   (((x + i).doubleM :> real) *
                                                                    ((y + i).doubleM :> real))))) <=
                                                               0x1.1p-50))));
                     ()
                  };
                  
                  {  
                     (assert for default: (_C_20 : (jessie : (\real_abs(
                                                               ((p :> real) -
                                                                 exact_scalar_product{Here}(
                                                                 x, y,
                                                                 (i + 1)))) <=
                                                               (\real_abs(
                                                                 ((p :> real) -
                                                                   ((\at(p,L) :> real) +
                                                                    (((x + i).doubleM :> real) *
                                                                    ((y + i).doubleM :> real))))) +
                                                                 \real_abs(
                                                                 (((\at(p,L) :> real) +
                                                                    (((x + i).doubleM :> real) *
                                                                    ((y + i).doubleM :> real))) -
                                                                   (exact_scalar_product{Here}(
                                                                    x, y, i) +
                                                                    (((x + i).doubleM :> real) *
                                                                    ((y + i).doubleM :> real))))))))));
                     ()
                  };
                  
                  {  
                     (assert for default: (_C_21 : (jessie : (\real_abs(
                                                               exact_scalar_product{Here}(
                                                               x, y, 
                                                               (i + 1))) <=
                                                               (\real_abs(
                                                                 exact_scalar_product{Here}(
                                                                 x, y, i)) +
                                                                 (\real_abs(
                                                                   ((x + i).doubleM :> real)) *
                                                                   \real_abs(
                                                                   ((y + i).doubleM :> real))))))));
                     ()
                  };
                  
                  {  
                     (assert for default: (_C_22 : (jessie : ((\real_abs(
                                                                ((x + i).doubleM :> real)) *
                                                                \real_abs(
                                                                ((y + i).doubleM :> real))) <=
                                                               1.0))));
                     ()
                  }
               };
               (_C_25 : (i = (_C_24 : ((_C_23 : (i + 1)) :> int32))))
            }
         };
         (while_0_break : ())
      };
      
      (return p)
   }
}
========== file tests/c/scalar_product.jessie/scalar_product.cloc ==========
[_C_35]
file = "HOME/tests/c/scalar_product.c"
line = 38
begin = 13
end = 25

[_C_28]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 13
end = 54

[_C_31]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 13
end = 31

[_C_4]
file = "HOME/tests/c/scalar_product.c"
line = 49
begin = 21
end = 75

[_C_32]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 35
end = 54

[_C_23]
file = "HOME/tests/c/scalar_product.c"
line = 52
begin = 23
end = 26

[_C_19]
file = "HOME/tests/c/scalar_product.c"
line = 62
begin = 15
end = 60

[_C_13]
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 17
end = 21

[_C_5]
file = "HOME/tests/c/scalar_product.c"
line = 48
begin = 21
end = 59

[_C_36]
file = "HOME/tests/c/scalar_product.c"
line = 38
begin = 13
end = 19

[_C_12]
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 17
end = 18

[_C_33]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 35
end = 54

[_C_22]
file = "HOME/tests/c/scalar_product.c"
line = 80
begin = 15
end = 45

[A2]
name = "Lemma A2"
file = "HOME/tests/c/scalar_product.c"
line = 25
begin = 6
end = 178

[_C_9]
file = "HOME/tests/c/scalar_product.c"
line = 54
begin = 15
end = 32

[_C_30]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 13
end = 31

[_C_6]
file = "HOME/tests/c/scalar_product.c"
line = 47
begin = 21
end = 32

[_C_24]
file = "HOME/tests/c/scalar_product.c"
line = 52
begin = 23
end = 26

[_C_20]
file = "HOME/tests/c/scalar_product.c"
line = 67
begin = 10
end = 195

[scalar_product]
name = "Function scalar_product"
file = "HOME/tests/c/scalar_product.c"
line = 45
begin = 7
end = 21

[_C_3]
file = "HOME/tests/c/scalar_product.c"
line = 50
begin = 19
end = 22

[_C_17]
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 8
end = 21

[_C_7]
file = "HOME/tests/c/scalar_product.c"
line = 47
begin = 21
end = 27

[_C_27]
file = "HOME/tests/c/scalar_product.c"
line = 40
begin = 13
end = 98

[A1]
name = "Lemma A1"
file = "HOME/tests/c/scalar_product.c"
line = 23
begin = 6
end = 85

[_C_15]
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 12
end = 16

[_C_26]
file = "HOME/tests/c/scalar_product.c"
line = 43
begin = 7
end = 67

[_C_10]
file = "HOME/tests/c/scalar_product.c"
line = 55
begin = 15
end = 32

[_C_8]
file = "HOME/tests/c/scalar_product.c"
line = 47
begin = 26
end = 32

[_C_18]
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 8
end = 21

[_C_29]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 13
end = 31

[_C_14]
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 12
end = 13

[_C_37]
file = "HOME/tests/c/scalar_product.c"
line = 38
begin = 18
end = 25

[_C_2]
file = "HOME/tests/c/scalar_product.c"
line = 52
begin = 7
end = 10

[_C_34]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 35
end = 54

[_C_16]
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 12
end = 21

[_C_1]
file = "HOME/tests/c/scalar_product.c"
line = 46
begin = 2
end = 8

[bound_int_to_real]
name = "Lemma bound_int_to_real"
file = "HOME/tests/c/scalar_product.c"
line = 33
begin = 4
end = 76

[_C_25]
file = "HOME/tests/c/scalar_product.c"
line = 52
begin = 23
end = 26

[_C_11]
file = "HOME/tests/c/scalar_product.c"
line = 56
begin = 15
end = 44

[_C_21]
file = "HOME/tests/c/scalar_product.c"
line = 75
begin = 6
end = 113

========== jessie execution ==========
Generating Why function scalar_product
========== file tests/c/scalar_product.jessie/scalar_product.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs scalar_product.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs scalar_product.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/scalar_product_why.sx

project: why/scalar_product.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/scalar_product_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/scalar_product_why.vo

coq/scalar_product_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/scalar_product_why.v: why/scalar_product.why
	@echo 'why -coq [...] why/scalar_product.why' && $(WHY) $(JESSIELIBFILES) why/scalar_product.why && rm -f coq/jessie_why.v

coq-goals: goals coq/scalar_product_ctx_why.vo
	for f in why/*_po*.why; do make -f scalar_product.makefile coq/`basename $$f .why`_why.v ; done

coq/scalar_product_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/scalar_product_ctx_why.v: why/scalar_product_ctx.why
	@echo 'why -coq [...] why/scalar_product_ctx.why' && $(WHY) why/scalar_product_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export scalar_product_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/scalar_product_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/scalar_product_ctx_why.vo

pvs: pvs/scalar_product_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/scalar_product_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/scalar_product_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/scalar_product_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/scalar_product_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/scalar_product_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/scalar_product_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/scalar_product_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/scalar_product_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/scalar_product_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/scalar_product_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/scalar_product_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/scalar_product_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/scalar_product_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/scalar_product_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: scalar_product.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/scalar_product_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: scalar_product.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: scalar_product.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: scalar_product.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include scalar_product.depend

depend: coq/scalar_product_why.v
	-$(COQDEP) -I coq coq/scalar_product*_why.v > scalar_product.depend

clean:
	rm -f coq/*.vo

========== file tests/c/scalar_product.jessie/scalar_product.loc ==========
[JC_51]
file = "HOME/tests/c/scalar_product.jessie/scalar_product.jc"
line = 92
begin = 9
end = 6171

[JC_45]
file = "HOME/tests/c/scalar_product.c"
line = 48
begin = 21
end = 59

[JC_31]
file = "HOME/tests/c/scalar_product.c"
line = 54
begin = 15
end = 32

[JC_17]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_55]
kind = FPOverflow
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 12
end = 21

[JC_48]
file = "HOME/tests/c/scalar_product.c"
line = 47
begin = 21
end = 32

[scalar_product_safety]
name = "Function scalar_product"
behavior = "Safety"
file = "HOME/tests/c/scalar_product.c"
line = 45
begin = 7
end = 21

[JC_23]
file = "HOME/tests/c/scalar_product.c"
line = 49
begin = 21
end = 75

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 35
end = 54

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/c/scalar_product.c"
line = 48
begin = 21
end = 59

[JC_25]
file = "HOME/tests/c/scalar_product.c"
line = 47
begin = 21
end = 27

[JC_41]
file = "HOME/tests/c/scalar_product.c"
line = 80
begin = 15
end = 45

[JC_47]
file = "HOME/tests/c/scalar_product.c"
line = 47
begin = 26
end = 32

[JC_52]
file = "HOME/tests/c/scalar_product.c"
line = 54
begin = 15
end = 32

[JC_26]
file = "HOME/tests/c/scalar_product.c"
line = 47
begin = 26
end = 32

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
file = "HOME/tests/c/scalar_product.c"
line = 56
begin = 15
end = 44

[A2]
name = "Lemma A2"
behavior = "axiom"
file = "HOME/tests/c/scalar_product.c"
line = 25
begin = 6
end = 178

[JC_13]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 13
end = 31

[JC_11]
file = "HOME/tests/c/scalar_product.c"
line = 38
begin = 18
end = 25

[JC_15]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 35
end = 54

[JC_36]
kind = FPOverflow
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 12
end = 21

[JC_39]
file = "HOME/tests/c/scalar_product.c"
line = 67
begin = 10
end = 195

[JC_40]
file = "HOME/tests/c/scalar_product.c"
line = 75
begin = 6
end = 113

[JC_35]
kind = PointerDeref
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 17
end = 21

[JC_27]
file = "HOME/tests/c/scalar_product.c"
line = 47
begin = 21
end = 32

[JC_38]
file = "HOME/tests/c/scalar_product.c"
line = 62
begin = 15
end = 60

[JC_12]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 13
end = 31

[JC_6]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 35
end = 54

[JC_44]
file = "HOME/tests/c/scalar_product.c"
line = 49
begin = 21
end = 75

[JC_4]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 13
end = 31

[JC_42]
kind = ArithOverflow
file = "HOME/tests/c/scalar_product.c"
line = 52
begin = 23
end = 26

[JC_46]
file = "HOME/tests/c/scalar_product.c"
line = 47
begin = 21
end = 27

[A1]
name = "Lemma A1"
behavior = "axiom"
file = "HOME/tests/c/scalar_product.c"
line = 23
begin = 6
end = 85

[JC_32]
file = "HOME/tests/c/scalar_product.c"
line = 55
begin = 15
end = 32

[JC_56]
kind = FPOverflow
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 8
end = 21

[JC_33]
file = "HOME/tests/c/scalar_product.c"
line = 56
begin = 15
end = 44

[JC_29]
file = "HOME/tests/c/scalar_product.jessie/scalar_product.jc"
line = 92
begin = 9
end = 6171

[JC_7]
file = "HOME/tests/c/scalar_product.c"
line = 40
begin = 13
end = 98

[JC_16]
file = "HOME/tests/c/scalar_product.c"
line = 40
begin = 13
end = 98

[JC_43]
file = "HOME/tests/c/scalar_product.c"
line = 50
begin = 19
end = 22

[JC_2]
file = "HOME/tests/c/scalar_product.c"
line = 38
begin = 18
end = 25

[JC_34]
kind = PointerDeref
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 12
end = 16

[JC_14]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 35
end = 54

[scalar_product_ensures_default]
name = "Function scalar_product"
behavior = "default behavior"
file = "HOME/tests/c/scalar_product.c"
line = 45
begin = 7
end = 21

[JC_53]
file = "HOME/tests/c/scalar_product.c"
line = 55
begin = 15
end = 32

[JC_21]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/scalar_product.c"
line = 38
begin = 13
end = 19

[JC_37]
kind = FPOverflow
file = "HOME/tests/c/scalar_product.c"
line = 59
begin = 8
end = 21

[JC_10]
file = "HOME/tests/c/scalar_product.c"
line = 38
begin = 13
end = 19

[JC_57]
file = "HOME/tests/c/scalar_product.c"
line = 62
begin = 15
end = 60

[JC_59]
file = "HOME/tests/c/scalar_product.c"
line = 75
begin = 6
end = 113

[JC_20]
file = "HOME/tests/c/scalar_product.c"
line = 43
begin = 7
end = 67

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/scalar_product.c"
line = 39
begin = 13
end = 31

[bound_int_to_real]
name = "Lemma bound_int_to_real"
behavior = "lemma"
file = "HOME/tests/c/scalar_product.c"
line = 33
begin = 4
end = 76

[JC_60]
file = "HOME/tests/c/scalar_product.c"
line = 80
begin = 15
end = 45

[JC_19]
file = "HOME/tests/c/scalar_product.c"
line = 43
begin = 7
end = 67

[JC_50]
file = "HOME/tests/c/scalar_product.jessie/scalar_product.jc"
line = 92
begin = 9
end = 6171

[JC_30]
file = "HOME/tests/c/scalar_product.jessie/scalar_product.jc"
line = 92
begin = 9
end = 6171

[JC_58]
file = "HOME/tests/c/scalar_product.c"
line = 67
begin = 10
end = 195

[JC_28]
file = "HOME/"
line = 0
begin = -1
end = -1

========== file tests/c/scalar_product.jessie/why/scalar_product.why ==========
type charP

type doubleP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic doubleP_tag:  -> doubleP tag_id

axiom doubleP_int : (int_of_tag(doubleP_tag) = (1))

logic doubleP_of_pointer_address: unit pointer -> doubleP pointer

axiom doubleP_of_pointer_address_of_pointer_addr :
 (forall p:doubleP pointer.
  (p = doubleP_of_pointer_address(pointer_address(p))))

axiom doubleP_parenttag_bottom : parenttag(doubleP_tag, bottom_tag)

axiom doubleP_tags :
 (forall x:doubleP pointer.
  (forall doubleP_tag_table:doubleP tag_table.
   instanceof(doubleP_tag_table, x, doubleP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic exact_scalar_product: doubleP pointer, doubleP pointer, int,
 (doubleP, double) memory, (doubleP, double) memory -> real

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_doubleP(p:doubleP pointer, a:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_min(doubleP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom no_assign_exact_scalar_product_0 :
 (forall tmp:doubleP pset.
  (forall tmpmem:(doubleP, double) memory.
   (forall tmpalloc:doubleP alloc_table.
    (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
     (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
      (forall n:int.
       (forall y:doubleP pointer.
        (forall x_0:doubleP pointer.
         ((pset_disjoint(tmp, pset_all(pset_singleton(y)))
          and not_assigns(tmpalloc, doubleP_doubleM_y_2_at_L, tmpmem, tmp)) ->
          (exact_scalar_product(x_0, y, n, doubleP_doubleM_y_2_at_L,
           doubleP_doubleM_x_1_at_L) = exact_scalar_product(x_0, y, n,
                                       tmpmem, doubleP_doubleM_x_1_at_L)))))))))))

axiom no_assign_exact_scalar_product_1 :
 (forall tmp:doubleP pset.
  (forall tmpmem:(doubleP, double) memory.
   (forall tmpalloc:doubleP alloc_table.
    (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
     (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
      (forall n:int.
       (forall y:doubleP pointer.
        (forall x_0:doubleP pointer.
         ((pset_disjoint(tmp, pset_all(pset_singleton(x_0)))
          and not_assigns(tmpalloc, doubleP_doubleM_x_1_at_L, tmpmem, tmp)) ->
          (exact_scalar_product(x_0, y, n, doubleP_doubleM_y_2_at_L,
           doubleP_doubleM_x_1_at_L) = exact_scalar_product(x_0, y, n,
                                       doubleP_doubleM_y_2_at_L, tmpmem)))))))))))

axiom no_update_exact_scalar_product_0 :
 (forall tmp:doubleP pointer.
  (forall tmpval:double.
   (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
    (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
     (forall n:int.
      (forall y:doubleP pointer.
       (forall x_0:doubleP pointer.
        ((not in_pset(tmp, pset_all(pset_singleton(y)))) ->
         (exact_scalar_product(x_0, y, n, doubleP_doubleM_y_2_at_L,
          doubleP_doubleM_x_1_at_L) = exact_scalar_product(x_0, y, n,
                                      store(doubleP_doubleM_y_2_at_L, tmp,
                                      tmpval), doubleP_doubleM_x_1_at_L))))))))))

axiom no_update_exact_scalar_product_1 :
 (forall tmp:doubleP pointer.
  (forall tmpval:double.
   (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
    (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
     (forall n:int.
      (forall y:doubleP pointer.
       (forall x_0:doubleP pointer.
        ((not in_pset(tmp, pset_all(pset_singleton(x_0)))) ->
         (exact_scalar_product(x_0, y, n, doubleP_doubleM_y_2_at_L,
          doubleP_doubleM_x_1_at_L) = exact_scalar_product(x_0, y, n,
                                      doubleP_doubleM_y_2_at_L,
                                      store(doubleP_doubleM_x_1_at_L, tmp,
                                      tmpval)))))))))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_doubleP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(doubleP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_doubleP(p:doubleP pointer, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 (offset_max(doubleP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) = a)
 and (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_doubleP(p:doubleP pointer, a:int, b:int,
 doubleP_alloc_table:doubleP alloc_table) =
 ((offset_min(doubleP_alloc_table, p) <= a)
 and (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

axiom A1 :
 (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
  (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
   (forall x_0_0:doubleP pointer.
    (forall y_0_0:doubleP pointer.
     (exact_scalar_product(x_0_0, y_0_0, (0), doubleP_doubleM_y_2_at_L,
      doubleP_doubleM_x_1_at_L) = 0.0)))))

axiom A2 :
 (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
  (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
   (forall x_1_0:doubleP pointer.
    (forall y_1:doubleP pointer.
     (forall n_0:int.
      (ge_int(n_0, (0)) ->
       (exact_scalar_product(x_1_0, y_1, add_int(n_0, (1)),
        doubleP_doubleM_y_2_at_L, doubleP_doubleM_x_1_at_L) = add_real(
                                                              exact_scalar_product(x_1_0,
                                                              y_1, n_0,
                                                              doubleP_doubleM_y_2_at_L,
                                                              doubleP_doubleM_x_1_at_L),
                                                              mul_real(
                                                              double_value(
                                                              select(doubleP_doubleM_x_1_at_L,
                                                              shift(x_1_0,
                                                              n_0))),
                                                              double_value(
                                                              select(doubleP_doubleM_y_2_at_L,
                                                              shift(y_1, n_0))))))))))))

lemma bound_int_to_real :
 (forall i_1:int. (le_int(i_1, (10)) -> le_real(real_of_int(i_1), 10.0)))

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter doubleP_alloc_table : doubleP alloc_table ref

parameter doubleP_tag_table : doubleP tag_table ref

parameter alloc_struct_doubleP :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { } doubleP pointer writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter alloc_struct_doubleP_requires :
 n:int ->
  doubleP_alloc_table:doubleP alloc_table ref ->
   doubleP_tag_table:doubleP tag_table ref ->
    { ge_int(n, (0))} doubleP pointer
    writes doubleP_alloc_table,doubleP_tag_table
    { (strict_valid_struct_doubleP(result, (0), sub_int(n, (1)),
       doubleP_alloc_table)
      and (alloc_extends(doubleP_alloc_table@, doubleP_alloc_table)
          and (alloc_fresh(doubleP_alloc_table@, result, n)
              and instanceof(doubleP_tag_table, result, doubleP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter scalar_product :
 x_1:doubleP pointer ->
  y_0:doubleP pointer ->
   n_1:int32 ->
    doubleP_y_4_alloc_table:doubleP alloc_table ->
     doubleP_x_3_alloc_table:doubleP alloc_table ->
      doubleP_doubleM_y_4:(doubleP, double) memory ->
       doubleP_doubleM_x_3:(doubleP, double) memory ->
        { } double
        { (JC_20:
          le_real(abs_real(sub_real(double_value(result),
                           exact_scalar_product(x_1, y_0,
                           integer_of_int32(n_1), doubleP_doubleM_y_4,
                           doubleP_doubleM_x_3))),
          mul_real(real_of_int(integer_of_int32(n_1)), 0x1.1p-50))) }

parameter scalar_product_requires :
 x_1:doubleP pointer ->
  y_0:doubleP pointer ->
   n_1:int32 ->
    doubleP_y_4_alloc_table:doubleP alloc_table ->
     doubleP_x_3_alloc_table:doubleP alloc_table ->
      doubleP_doubleM_y_4:(doubleP, double) memory ->
       doubleP_doubleM_x_3:(doubleP, double) memory ->
        { (JC_8:
          ((JC_1: le_int((0), integer_of_int32(n_1)))
          and ((JC_2: le_int(integer_of_int32(n_1), (10)))
              and ((JC_3:
                   le_int(offset_min(doubleP_x_3_alloc_table, x_1), (0)))
                  and ((JC_4:
                       ge_int(offset_max(doubleP_x_3_alloc_table, x_1),
                       sub_int(integer_of_int32(n_1), (1))))
                      and ((JC_5:
                           le_int(offset_min(doubleP_y_4_alloc_table, y_0),
                           (0)))
                          and ((JC_6:
                               ge_int(offset_max(doubleP_y_4_alloc_table,
                                      y_0),
                               sub_int(integer_of_int32(n_1), (1))))
                              and (JC_7:
                                  (forall i_2:int.
                                   ((le_int((0), i_2)
                                    and lt_int(i_2, integer_of_int32(n_1))) ->
                                    (le_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                                   shift(x_1,
                                                                   i_2)))),
                                     1.0)
                                    and le_real(abs_real(double_value(
                                                         select(doubleP_doubleM_y_4,
                                                         shift(y_0, i_2)))),
                                        1.0))))))))))))}
        double
        { (JC_20:
          le_real(abs_real(sub_real(double_value(result),
                           exact_scalar_product(x_1, y_0,
                           integer_of_int32(n_1), doubleP_doubleM_y_4,
                           doubleP_doubleM_x_3))),
          mul_real(real_of_int(integer_of_int32(n_1)), 0x1.1p-50))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let scalar_product_ensures_default =
 fun (x_1 : doubleP pointer) (y_0 : doubleP pointer) (n_1 : int32) (doubleP_x_3_alloc_table : doubleP alloc_table) (doubleP_y_4_alloc_table : doubleP alloc_table) (doubleP_doubleM_x_3 : (doubleP, double) memory) (doubleP_doubleM_y_4 : (doubleP, double) memory) ->
  { (JC_17:
    ((JC_10: le_int((0), integer_of_int32(n_1)))
    and ((JC_11: le_int(integer_of_int32(n_1), (10)))
        and ((JC_12: le_int(offset_min(doubleP_x_3_alloc_table, x_1), (0)))
            and ((JC_13:
                 ge_int(offset_max(doubleP_x_3_alloc_table, x_1),
                 sub_int(integer_of_int32(n_1), (1))))
                and ((JC_14:
                     le_int(offset_min(doubleP_y_4_alloc_table, y_0), (0)))
                    and ((JC_15:
                         ge_int(offset_max(doubleP_y_4_alloc_table, y_0),
                         sub_int(integer_of_int32(n_1), (1))))
                        and (JC_16:
                            (forall i_2:int.
                             ((le_int((0), i_2)
                              and lt_int(i_2, integer_of_int32(n_1))) ->
                              (le_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                             shift(x_1, i_2)))),
                               1.0)
                              and le_real(abs_real(double_value(select(doubleP_doubleM_y_4,
                                                                shift(y_0,
                                                                i_2)))),
                                  1.0)))))))))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let p = ref (any_double void) in
     (let i = ref (any_int32 void) in
     begin
       (let _jessie_ = (p := (double_of_real_exact 0.0)) in void);
      try
       begin
         (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
        (loop_2:
        begin
          while true do
          { invariant
              ((JC_44:
               le_real(abs_real(sub_real(double_value(p),
                                exact_scalar_product(x_1, y_0,
                                integer_of_int32(i), doubleP_doubleM_y_4,
                                doubleP_doubleM_x_3))),
               mul_real(real_of_int(integer_of_int32(i)), 0x1.1p-50)))
              and ((JC_45:
                   le_real(abs_real(exact_scalar_product(x_1, y_0,
                                    integer_of_int32(i), doubleP_doubleM_y_4,
                                    doubleP_doubleM_x_3)),
                   real_of_int(integer_of_int32(i))))
                  and (JC_48:
                      ((JC_46: le_int((0), integer_of_int32(i)))
                      and (JC_47:
                          le_int(integer_of_int32(i), integer_of_int32(n_1)))))))
             }
           begin
             [ { } unit { true } ];
            try
             begin
               (let _jessie_ =
               begin
                 (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 n_1))
                 then void else (raise (Goto_while_0_break_exc void)));
                (assert
                { (JC_52:
                  le_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                shift(x_1,
                                                integer_of_int32(i))))),
                  1.0)) }; void); void;
                (assert
                { (JC_53:
                  le_real(abs_real(double_value(select(doubleP_doubleM_y_4,
                                                shift(y_0,
                                                integer_of_int32(i))))),
                  1.0)) }; void); void;
                (assert
                { (JC_54:
                  le_real(abs_real(double_value(p)),
                  mul_real(10.0, add_real(1.0, 0x1.1p-50)))) }; void);
                begin
                  void;
                 (L:
                 begin
                   (let _jessie_ =
                   (p := (JC_56:
                         (((add_double_safe nearest_even) !p) (JC_55:
                                                              (((mul_double_safe nearest_even) 
                                                                ((safe_acc_ doubleP_doubleM_x_3) 
                                                                 ((shift x_1) 
                                                                  (integer_of_int32 !i)))) 
                                                               ((safe_acc_ doubleP_doubleM_y_4) 
                                                                ((shift y_0) 
                                                                 (integer_of_int32 !i)))))))) in
                   void);
                  (assert
                  { (JC_57:
                    le_real(abs_real(sub_real(double_value(p),
                                     add_real(double_value(p@L),
                                     mul_real(double_value(select(doubleP_doubleM_x_3,
                                                           shift(x_1,
                                                           integer_of_int32(i)))),
                                     double_value(select(doubleP_doubleM_y_4,
                                                  shift(y_0,
                                                  integer_of_int32(i)))))))),
                    0x1.1p-50)) }; void); void;
                  (assert
                  { (JC_58:
                    le_real(abs_real(sub_real(double_value(p),
                                     exact_scalar_product(x_1, y_0,
                                     add_int(integer_of_int32(i), (1)),
                                     doubleP_doubleM_y_4,
                                     doubleP_doubleM_x_3))),
                    add_real(abs_real(sub_real(double_value(p),
                                      add_real(double_value(p@L),
                                      mul_real(double_value(select(doubleP_doubleM_x_3,
                                                            shift(x_1,
                                                            integer_of_int32(i)))),
                                      double_value(select(doubleP_doubleM_y_4,
                                                   shift(y_0,
                                                   integer_of_int32(i)))))))),
                    abs_real(sub_real(add_real(double_value(p@L),
                                      mul_real(double_value(select(doubleP_doubleM_x_3,
                                                            shift(x_1,
                                                            integer_of_int32(i)))),
                                      double_value(select(doubleP_doubleM_y_4,
                                                   shift(y_0,
                                                   integer_of_int32(i)))))),
                             add_real(exact_scalar_product(x_1, y_0,
                                      integer_of_int32(i),
                                      doubleP_doubleM_y_4,
                                      doubleP_doubleM_x_3),
                             mul_real(double_value(select(doubleP_doubleM_x_3,
                                                   shift(x_1,
                                                   integer_of_int32(i)))),
                             double_value(select(doubleP_doubleM_y_4,
                                          shift(y_0, integer_of_int32(i))))))))))) };
                  void); void;
                  (assert
                  { (JC_59:
                    le_real(abs_real(exact_scalar_product(x_1, y_0,
                                     add_int(integer_of_int32(i), (1)),
                                     doubleP_doubleM_y_4,
                                     doubleP_doubleM_x_3)),
                    add_real(abs_real(exact_scalar_product(x_1, y_0,
                                      integer_of_int32(i),
                                      doubleP_doubleM_y_4,
                                      doubleP_doubleM_x_3)),
                    mul_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                   shift(x_1,
                                                   integer_of_int32(i))))),
                    abs_real(double_value(select(doubleP_doubleM_y_4,
                                          shift(y_0, integer_of_int32(i))))))))) };
                  void); void;
                  (assert
                  { (JC_60:
                    le_real(mul_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                           shift(x_1,
                                                           integer_of_int32(i))))),
                            abs_real(double_value(select(doubleP_doubleM_y_4,
                                                  shift(y_0,
                                                  integer_of_int32(i)))))),
                    1.0)) }; void); void;
                  (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))));
                  !i end) end end in void); (raise (Loop_continue_exc void))
             end with Loop_continue_exc _jessie_ -> void end end done;
         (raise (Goto_while_0_break_exc void)) end) end with
       Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
      (return := !p); (raise Return) end)); absurd  end with Return ->
   !return end))
  { (JC_19:
    le_real(abs_real(sub_real(double_value(result),
                     exact_scalar_product(x_1, y_0, integer_of_int32(n_1),
                     doubleP_doubleM_y_4, doubleP_doubleM_x_3))),
    mul_real(real_of_int(integer_of_int32(n_1)), 0x1.1p-50))) }

let scalar_product_safety =
 fun (x_1 : doubleP pointer) (y_0 : doubleP pointer) (n_1 : int32) (doubleP_x_3_alloc_table : doubleP alloc_table) (doubleP_y_4_alloc_table : doubleP alloc_table) (doubleP_doubleM_x_3 : (doubleP, double) memory) (doubleP_doubleM_y_4 : (doubleP, double) memory) ->
  { (JC_17:
    ((JC_10: le_int((0), integer_of_int32(n_1)))
    and ((JC_11: le_int(integer_of_int32(n_1), (10)))
        and ((JC_12: le_int(offset_min(doubleP_x_3_alloc_table, x_1), (0)))
            and ((JC_13:
                 ge_int(offset_max(doubleP_x_3_alloc_table, x_1),
                 sub_int(integer_of_int32(n_1), (1))))
                and ((JC_14:
                     le_int(offset_min(doubleP_y_4_alloc_table, y_0), (0)))
                    and ((JC_15:
                         ge_int(offset_max(doubleP_y_4_alloc_table, y_0),
                         sub_int(integer_of_int32(n_1), (1))))
                        and (JC_16:
                            (forall i_2:int.
                             ((le_int((0), i_2)
                              and lt_int(i_2, integer_of_int32(n_1))) ->
                              (le_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                             shift(x_1, i_2)))),
                               1.0)
                              and le_real(abs_real(double_value(select(doubleP_doubleM_y_4,
                                                                shift(y_0,
                                                                i_2)))),
                                  1.0)))))))))))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let p = ref (any_double void) in
     (let i = ref (any_int32 void) in
     begin
       (let _jessie_ = (p := (double_of_real_exact 0.0)) in void);
      try
       begin
         (let _jessie_ = (i := (safe_int32_of_integer_ (0))) in void);
        (loop_1:
        begin
          while true do
          { invariant (JC_29: true)
            variant (JC_43 : sub_int(integer_of_int32(n_1),
                             integer_of_int32(i))) }
           begin
             [ { } unit reads i,p
               { ((JC_23:
                  le_real(abs_real(sub_real(double_value(p),
                                   exact_scalar_product(x_1, y_0,
                                   integer_of_int32(i), doubleP_doubleM_y_4,
                                   doubleP_doubleM_x_3))),
                  mul_real(real_of_int(integer_of_int32(i)), 0x1.1p-50)))
                 and ((JC_24:
                      le_real(abs_real(exact_scalar_product(x_1, y_0,
                                       integer_of_int32(i),
                                       doubleP_doubleM_y_4,
                                       doubleP_doubleM_x_3)),
                      real_of_int(integer_of_int32(i))))
                     and (JC_27:
                         ((JC_25: le_int((0), integer_of_int32(i)))
                         and (JC_26:
                             le_int(integer_of_int32(i),
                             integer_of_int32(n_1))))))) } ];
            try
             begin
               (let _jessie_ =
               begin
                 (if ((lt_int_ (integer_of_int32 !i)) (integer_of_int32 n_1))
                 then void else (raise (Goto_while_0_break_exc void)));
                [ { } unit reads i
                  { (JC_31:
                    le_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                  shift(x_1,
                                                  integer_of_int32(i))))),
                    1.0)) } ]; void;
                [ { } unit reads i
                  { (JC_32:
                    le_real(abs_real(double_value(select(doubleP_doubleM_y_4,
                                                  shift(y_0,
                                                  integer_of_int32(i))))),
                    1.0)) } ]; void;
                [ { } unit reads p
                  { (JC_33:
                    le_real(abs_real(double_value(p)),
                    mul_real(10.0, add_real(1.0, 0x1.1p-50)))) } ];
                begin
                  void;
                 (L:
                 begin
                   (let _jessie_ =
                   (p := (JC_37:
                         (((add_double nearest_even) !p) (JC_36:
                                                         (((mul_double nearest_even) 
                                                           (JC_34:
                                                           ((((offset_acc_ doubleP_x_3_alloc_table) doubleP_doubleM_x_3) x_1) 
                                                            (integer_of_int32 !i)))) 
                                                          (JC_35:
                                                          ((((offset_acc_ doubleP_y_4_alloc_table) doubleP_doubleM_y_4) y_0) 
                                                           (integer_of_int32 !i)))))))) in
                   void);
                  [ { } unit reads i,p
                    { (JC_38:
                      le_real(abs_real(sub_real(double_value(p),
                                       add_real(double_value(p@L),
                                       mul_real(double_value(select(doubleP_doubleM_x_3,
                                                             shift(x_1,
                                                             integer_of_int32(i)))),
                                       double_value(select(doubleP_doubleM_y_4,
                                                    shift(y_0,
                                                    integer_of_int32(i)))))))),
                      0x1.1p-50)) } ]; void;
                  [ { } unit reads i,p
                    { (JC_39:
                      le_real(abs_real(sub_real(double_value(p),
                                       exact_scalar_product(x_1, y_0,
                                       add_int(integer_of_int32(i), (1)),
                                       doubleP_doubleM_y_4,
                                       doubleP_doubleM_x_3))),
                      add_real(abs_real(sub_real(double_value(p),
                                        add_real(double_value(p@L),
                                        mul_real(double_value(select(doubleP_doubleM_x_3,
                                                              shift(x_1,
                                                              integer_of_int32(i)))),
                                        double_value(select(doubleP_doubleM_y_4,
                                                     shift(y_0,
                                                     integer_of_int32(i)))))))),
                      abs_real(sub_real(add_real(double_value(p@L),
                                        mul_real(double_value(select(doubleP_doubleM_x_3,
                                                              shift(x_1,
                                                              integer_of_int32(i)))),
                                        double_value(select(doubleP_doubleM_y_4,
                                                     shift(y_0,
                                                     integer_of_int32(i)))))),
                               add_real(exact_scalar_product(x_1, y_0,
                                        integer_of_int32(i),
                                        doubleP_doubleM_y_4,
                                        doubleP_doubleM_x_3),
                               mul_real(double_value(select(doubleP_doubleM_x_3,
                                                     shift(x_1,
                                                     integer_of_int32(i)))),
                               double_value(select(doubleP_doubleM_y_4,
                                            shift(y_0, integer_of_int32(i))))))))))) } ];
                  void;
                  [ { } unit reads i
                    { (JC_40:
                      le_real(abs_real(exact_scalar_product(x_1, y_0,
                                       add_int(integer_of_int32(i), (1)),
                                       doubleP_doubleM_y_4,
                                       doubleP_doubleM_x_3)),
                      add_real(abs_real(exact_scalar_product(x_1, y_0,
                                        integer_of_int32(i),
                                        doubleP_doubleM_y_4,
                                        doubleP_doubleM_x_3)),
                      mul_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                     shift(x_1,
                                                     integer_of_int32(i))))),
                      abs_real(double_value(select(doubleP_doubleM_y_4,
                                            shift(y_0, integer_of_int32(i))))))))) } ];
                  void;
                  [ { } unit reads i
                    { (JC_41:
                      le_real(mul_real(abs_real(double_value(select(doubleP_doubleM_x_3,
                                                             shift(x_1,
                                                             integer_of_int32(i))))),
                              abs_real(double_value(select(doubleP_doubleM_y_4,
                                                    shift(y_0,
                                                    integer_of_int32(i)))))),
                      1.0)) } ]; void;
                  (i := (JC_42:
                        (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))));
                  !i end) end end in void); (raise (Loop_continue_exc void))
             end with Loop_continue_exc _jessie_ -> void end end done;
         (raise (Goto_while_0_break_exc void)) end) end with
       Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
      (return := !p); (raise Return) end)); absurd  end with Return ->
   !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/scalar_product.why
========== file tests/c/scalar_product.jessie/why/scalar_product_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type charP

type doubleP

type int32

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic doubleP_tag : doubleP tag_id

axiom doubleP_int: (int_of_tag(doubleP_tag) = 1)

logic doubleP_of_pointer_address : unit pointer -> doubleP pointer

axiom doubleP_of_pointer_address_of_pointer_addr:
  (forall p:doubleP pointer.
    (p = doubleP_of_pointer_address(pointer_address(p))))

axiom doubleP_parenttag_bottom: parenttag(doubleP_tag, bottom_tag)

axiom doubleP_tags:
  (forall x:doubleP pointer.
    (forall doubleP_tag_table:doubleP tag_table.
      instanceof(doubleP_tag_table, x, doubleP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic exact_scalar_product : doubleP pointer, doubleP pointer, int, (doubleP,
double) memory, (doubleP, double) memory -> real

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_doubleP(p: doubleP pointer, a: int,
  doubleP_alloc_table: doubleP alloc_table) =
  (offset_min(doubleP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom no_assign_exact_scalar_product_0:
  (forall tmp:doubleP pset.
    (forall tmpmem:(doubleP, double) memory.
      (forall tmpalloc:doubleP alloc_table.
        (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
          (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
            (forall n:int.
              (forall y:doubleP pointer.
                (forall x_0:doubleP pointer.
                  ((pset_disjoint(tmp, pset_all(pset_singleton(y))) and
                    not_assigns(tmpalloc, doubleP_doubleM_y_2_at_L, tmpmem,
                    tmp)) ->
                   (exact_scalar_product(x_0, y, n, doubleP_doubleM_y_2_at_L,
                   doubleP_doubleM_x_1_at_L) = exact_scalar_product(x_0, y,
                   n, tmpmem, doubleP_doubleM_x_1_at_L)))))))))))

axiom no_assign_exact_scalar_product_1:
  (forall tmp:doubleP pset.
    (forall tmpmem:(doubleP, double) memory.
      (forall tmpalloc:doubleP alloc_table.
        (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
          (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
            (forall n:int.
              (forall y:doubleP pointer.
                (forall x_0:doubleP pointer.
                  ((pset_disjoint(tmp, pset_all(pset_singleton(x_0))) and
                    not_assigns(tmpalloc, doubleP_doubleM_x_1_at_L, tmpmem,
                    tmp)) ->
                   (exact_scalar_product(x_0, y, n, doubleP_doubleM_y_2_at_L,
                   doubleP_doubleM_x_1_at_L) = exact_scalar_product(x_0, y,
                   n, doubleP_doubleM_y_2_at_L, tmpmem)))))))))))

axiom no_update_exact_scalar_product_0:
  (forall tmp:doubleP pointer.
    (forall tmpval:double.
      (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
        (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
          (forall n:int.
            (forall y:doubleP pointer.
              (forall x_0:doubleP pointer.
                ((not in_pset(tmp, pset_all(pset_singleton(y)))) ->
                 (exact_scalar_product(x_0, y, n, doubleP_doubleM_y_2_at_L,
                 doubleP_doubleM_x_1_at_L) = exact_scalar_product(x_0, y, n,
                 store(doubleP_doubleM_y_2_at_L, tmp, tmpval),
                 doubleP_doubleM_x_1_at_L))))))))))

axiom no_update_exact_scalar_product_1:
  (forall tmp:doubleP pointer.
    (forall tmpval:double.
      (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
        (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
          (forall n:int.
            (forall y:doubleP pointer.
              (forall x_0:doubleP pointer.
                ((not in_pset(tmp, pset_all(pset_singleton(x_0)))) ->
                 (exact_scalar_product(x_0, y, n, doubleP_doubleM_y_2_at_L,
                 doubleP_doubleM_x_1_at_L) = exact_scalar_product(x_0, y, n,
                 doubleP_doubleM_y_2_at_L, store(doubleP_doubleM_x_1_at_L,
                 tmp, tmpval)))))))))))

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_doubleP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(doubleP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_doubleP(p: doubleP pointer, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  (offset_max(doubleP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) = a) and
   (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) = a) and
   (offset_max(doubleP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) <= a) and
   (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_doubleP(p: doubleP pointer, a: int, b: int,
  doubleP_alloc_table: doubleP alloc_table) =
  ((offset_min(doubleP_alloc_table, p) <= a) and
   (offset_max(doubleP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

axiom A1:
  (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
    (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
      (forall x_0_0:doubleP pointer.
        (forall y_0_0:doubleP pointer. (exact_scalar_product(x_0_0, y_0_0, 0,
          doubleP_doubleM_y_2_at_L, doubleP_doubleM_x_1_at_L) = 0.0)))))

axiom A2:
  (forall doubleP_doubleM_y_2_at_L:(doubleP, double) memory.
    (forall doubleP_doubleM_x_1_at_L:(doubleP, double) memory.
      (forall x_1_0:doubleP pointer.
        (forall y_1:doubleP pointer.
          (forall n_0:int.
            ((n_0 >= 0) -> (exact_scalar_product(x_1_0, y_1, (n_0 + 1),
             doubleP_doubleM_y_2_at_L,
             doubleP_doubleM_x_1_at_L) = (exact_scalar_product(x_1_0, y_1,
             n_0, doubleP_doubleM_y_2_at_L,
             doubleP_doubleM_x_1_at_L) + (double_value(select(doubleP_doubleM_x_1_at_L,
             shift(x_1_0,
             n_0))) * double_value(select(doubleP_doubleM_y_2_at_L,
             shift(y_1, n_0))))))))))))

goal bound_int_to_real:
  (forall i_1:int. ((i_1 <= 10) -> (real_of_int(i_1) <= 10.0)))

axiom bound_int_to_real_as_axiom:
  (forall i_1:int. ((i_1 <= 10) -> (real_of_int(i_1) <= 10.0)))

goal scalar_product_ensures_default_po_1:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  ("JC_44": (abs_real((double_value(p) - exact_scalar_product(x_1, y_0,
  integer_of_int32(i), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i)) * 0x1.1p-50)))

goal scalar_product_ensures_default_po_2:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  ("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i),
  doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i))))

goal scalar_product_ensures_default_po_3:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  ("JC_48": ("JC_46": (0 <= integer_of_int32(i))))

goal scalar_product_ensures_default_po_4:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  ("JC_48": ("JC_47": (integer_of_int32(i) <= integer_of_int32(n_1))))

goal scalar_product_ensures_default_po_5:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  (("JC_44": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_48":
    (("JC_46": (0 <= integer_of_int32(i0))) and
     ("JC_47": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_52": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0))

goal scalar_product_ensures_default_po_6:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  (("JC_44": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_48":
    (("JC_46": (0 <= integer_of_int32(i0))) and
     ("JC_47": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_52": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_53": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0))

goal scalar_product_ensures_default_po_7:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  (("JC_44": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_48":
    (("JC_46": (0 <= integer_of_int32(i0))) and
     ("JC_47": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_52": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_53": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_54": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50))))

goal scalar_product_ensures_default_po_8:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  (("JC_44": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_48":
    (("JC_46": (0 <= integer_of_int32(i0))) and
     ("JC_47": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_52": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_53": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_54": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  forall result4:double.
  add_double_post(nearest_even, p0, result3, result4) ->
  forall p1:double.
  (p1 = result4) ->
  ("JC_57":
  (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))) <= 0x1.1p-50))

goal scalar_product_ensures_default_po_9:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  (("JC_44": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_48":
    (("JC_46": (0 <= integer_of_int32(i0))) and
     ("JC_47": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_52": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_53": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_54": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  forall result4:double.
  add_double_post(nearest_even, p0, result3, result4) ->
  forall p1:double.
  (p1 = result4) ->
  ("JC_57":
  (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))) <= 0x1.1p-50)) ->
  ("JC_58": (abs_real((double_value(p1) - exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0,
  integer_of_int32(i0)))))))) + abs_real(((double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) - (exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3) + (double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))))))

goal scalar_product_ensures_default_po_10:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  (("JC_44": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_48":
    (("JC_46": (0 <= integer_of_int32(i0))) and
     ("JC_47": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_52": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_53": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_54": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  forall result4:double.
  add_double_post(nearest_even, p0, result3, result4) ->
  forall p1:double.
  (p1 = result4) ->
  ("JC_57":
  (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))) <= 0x1.1p-50)) ->
  ("JC_58": (abs_real((double_value(p1) - exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0,
  integer_of_int32(i0)))))))) + abs_real(((double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) - (exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3) + (double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))))) ->
  ("JC_59": (abs_real(exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) <= (abs_real(exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) + (abs_real(double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))))

goal scalar_product_ensures_default_po_11:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  (("JC_44": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_48":
    (("JC_46": (0 <= integer_of_int32(i0))) and
     ("JC_47": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_52": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_53": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_54": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  forall result4:double.
  add_double_post(nearest_even, p0, result3, result4) ->
  forall p1:double.
  (p1 = result4) ->
  ("JC_57":
  (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))) <= 0x1.1p-50)) ->
  ("JC_58": (abs_real((double_value(p1) - exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0,
  integer_of_int32(i0)))))))) + abs_real(((double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) - (exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3) + (double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))))) ->
  ("JC_59": (abs_real(exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) <= (abs_real(exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) + (abs_real(double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))) ->
  ("JC_60": ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) <= 1.0))

goal scalar_product_ensures_default_po_12:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  (("JC_44": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_48":
    (("JC_46": (0 <= integer_of_int32(i0))) and
     ("JC_47": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_52": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_53": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_54": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  forall result4:double.
  add_double_post(nearest_even, p0, result3, result4) ->
  forall p1:double.
  (p1 = result4) ->
  ("JC_57":
  (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))) <= 0x1.1p-50)) ->
  ("JC_58": (abs_real((double_value(p1) - exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0,
  integer_of_int32(i0)))))))) + abs_real(((double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) - (exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3) + (double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))))) ->
  ("JC_59": (abs_real(exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) <= (abs_real(exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) + (abs_real(double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))) ->
  ("JC_60": ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) <= 1.0)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result5) ->
  ("JC_44": (abs_real((double_value(p1) - exact_scalar_product(x_1, y_0,
  integer_of_int32(i1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i1)) * 0x1.1p-50)))

goal scalar_product_ensures_default_po_13:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  (("JC_44": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_48":
    (("JC_46": (0 <= integer_of_int32(i0))) and
     ("JC_47": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_52": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_53": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_54": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  forall result4:double.
  add_double_post(nearest_even, p0, result3, result4) ->
  forall p1:double.
  (p1 = result4) ->
  ("JC_57":
  (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))) <= 0x1.1p-50)) ->
  ("JC_58": (abs_real((double_value(p1) - exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0,
  integer_of_int32(i0)))))))) + abs_real(((double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) - (exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3) + (double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))))) ->
  ("JC_59": (abs_real(exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) <= (abs_real(exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) + (abs_real(double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))) ->
  ("JC_60": ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) <= 1.0)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result5) ->
  ("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i1),
  doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i1))))

goal scalar_product_ensures_default_po_14:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  (("JC_44": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_48":
    (("JC_46": (0 <= integer_of_int32(i0))) and
     ("JC_47": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_52": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_53": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_54": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  forall result4:double.
  add_double_post(nearest_even, p0, result3, result4) ->
  forall p1:double.
  (p1 = result4) ->
  ("JC_57":
  (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))) <= 0x1.1p-50)) ->
  ("JC_58": (abs_real((double_value(p1) - exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0,
  integer_of_int32(i0)))))))) + abs_real(((double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) - (exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3) + (double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))))) ->
  ("JC_59": (abs_real(exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) <= (abs_real(exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) + (abs_real(double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))) ->
  ("JC_60": ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) <= 1.0)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result5) ->
  ("JC_48": ("JC_46": (0 <= integer_of_int32(i1))))

goal scalar_product_ensures_default_po_15:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  (("JC_44": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_48":
    (("JC_46": (0 <= integer_of_int32(i0))) and
     ("JC_47": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_52": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_53": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_54": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  forall result4:double.
  add_double_post(nearest_even, p0, result3, result4) ->
  forall p1:double.
  (p1 = result4) ->
  ("JC_57":
  (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))) <= 0x1.1p-50)) ->
  ("JC_58": (abs_real((double_value(p1) - exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0,
  integer_of_int32(i0)))))))) + abs_real(((double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) - (exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3) + (double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))))) ->
  ("JC_59": (abs_real(exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) <= (abs_real(exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) + (abs_real(double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))) ->
  ("JC_60": ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) <= 1.0)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result5) ->
  ("JC_48": ("JC_47": (integer_of_int32(i1) <= integer_of_int32(n_1))))

goal scalar_product_ensures_default_po_16:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  (("JC_44": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_45": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_48":
    (("JC_46": (0 <= integer_of_int32(i0))) and
     ("JC_47": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) >= integer_of_int32(n_1)) ->
  forall return:double.
  (return = p0) ->
  ("JC_19": (abs_real((double_value(return) - exact_scalar_product(x_1, y_0,
  integer_of_int32(n_1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(n_1)) * 0x1.1p-50)))

goal scalar_product_safety_po_1:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  ("JC_29": true) ->
  (("JC_23": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_24": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_27":
    (("JC_25": (0 <= integer_of_int32(i0))) and
     ("JC_26": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_31": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_32": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_33": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  (offset_min(doubleP_x_3_alloc_table, x_1) <= integer_of_int32(i0))

goal scalar_product_safety_po_2:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  ("JC_29": true) ->
  (("JC_23": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_24": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_27":
    (("JC_25": (0 <= integer_of_int32(i0))) and
     ("JC_26": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_31": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_32": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_33": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  (integer_of_int32(i0) <= offset_max(doubleP_x_3_alloc_table, x_1))

goal scalar_product_safety_po_3:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  ("JC_29": true) ->
  (("JC_23": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_24": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_27":
    (("JC_25": (0 <= integer_of_int32(i0))) and
     ("JC_26": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_31": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_32": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_33": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  ((offset_min(doubleP_x_3_alloc_table, x_1) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_x_3_alloc_table, x_1))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  (offset_min(doubleP_y_4_alloc_table, y_0) <= integer_of_int32(i0))

goal scalar_product_safety_po_4:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  ("JC_29": true) ->
  (("JC_23": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_24": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_27":
    (("JC_25": (0 <= integer_of_int32(i0))) and
     ("JC_26": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_31": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_32": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_33": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  ((offset_min(doubleP_x_3_alloc_table, x_1) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_x_3_alloc_table, x_1))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  (integer_of_int32(i0) <= offset_max(doubleP_y_4_alloc_table, y_0))

goal scalar_product_safety_po_5:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  ("JC_29": true) ->
  (("JC_23": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_24": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_27":
    (("JC_25": (0 <= integer_of_int32(i0))) and
     ("JC_26": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_31": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_32": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_33": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  ((offset_min(doubleP_x_3_alloc_table, x_1) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_x_3_alloc_table, x_1))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  ((offset_min(doubleP_y_4_alloc_table, y_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_y_4_alloc_table, y_0))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result2)))

goal scalar_product_safety_po_6:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  ("JC_29": true) ->
  (("JC_23": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_24": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_27":
    (("JC_25": (0 <= integer_of_int32(i0))) and
     ("JC_26": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_31": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_32": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_33": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  ((offset_min(doubleP_x_3_alloc_table, x_1) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_x_3_alloc_table, x_1))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  ((offset_min(doubleP_y_4_alloc_table, y_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_y_4_alloc_table, y_0))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result2))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(p0) + double_value(result3)))

goal scalar_product_safety_po_7:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  ("JC_29": true) ->
  (("JC_23": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_24": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_27":
    (("JC_25": (0 <= integer_of_int32(i0))) and
     ("JC_26": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_31": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_32": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_33": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  ((offset_min(doubleP_x_3_alloc_table, x_1) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_x_3_alloc_table, x_1))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  ((offset_min(doubleP_y_4_alloc_table, y_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_y_4_alloc_table, y_0))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result2))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(p0) + double_value(result3))) ->
  forall result4:double.
  add_double_post(nearest_even, p0, result3, result4) ->
  forall p1:double.
  (p1 = result4) ->
  ("JC_38":
  (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))) <= 0x1.1p-50)) ->
  ("JC_39": (abs_real((double_value(p1) - exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0,
  integer_of_int32(i0)))))))) + abs_real(((double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) - (exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3) + (double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))))) ->
  ("JC_40": (abs_real(exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) <= (abs_real(exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) + (abs_real(double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))) ->
  ("JC_41": ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) <= 1.0)) ->
  ((-2147483648) <= (integer_of_int32(i0) + 1))

goal scalar_product_safety_po_8:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  ("JC_29": true) ->
  (("JC_23": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_24": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_27":
    (("JC_25": (0 <= integer_of_int32(i0))) and
     ("JC_26": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_31": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_32": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_33": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  ((offset_min(doubleP_x_3_alloc_table, x_1) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_x_3_alloc_table, x_1))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  ((offset_min(doubleP_y_4_alloc_table, y_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_y_4_alloc_table, y_0))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result2))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(p0) + double_value(result3))) ->
  forall result4:double.
  add_double_post(nearest_even, p0, result3, result4) ->
  forall p1:double.
  (p1 = result4) ->
  ("JC_38":
  (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))) <= 0x1.1p-50)) ->
  ("JC_39": (abs_real((double_value(p1) - exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0,
  integer_of_int32(i0)))))))) + abs_real(((double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) - (exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3) + (double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))))) ->
  ("JC_40": (abs_real(exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) <= (abs_real(exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) + (abs_real(double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))) ->
  ("JC_41": ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) <= 1.0)) ->
  ((integer_of_int32(i0) + 1) <= 2147483647)

goal scalar_product_safety_po_9:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  ("JC_29": true) ->
  (("JC_23": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_24": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_27":
    (("JC_25": (0 <= integer_of_int32(i0))) and
     ("JC_26": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_31": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_32": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_33": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  ((offset_min(doubleP_x_3_alloc_table, x_1) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_x_3_alloc_table, x_1))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  ((offset_min(doubleP_y_4_alloc_table, y_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_y_4_alloc_table, y_0))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result2))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(p0) + double_value(result3))) ->
  forall result4:double.
  add_double_post(nearest_even, p0, result3, result4) ->
  forall p1:double.
  (p1 = result4) ->
  ("JC_38":
  (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))) <= 0x1.1p-50)) ->
  ("JC_39": (abs_real((double_value(p1) - exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0,
  integer_of_int32(i0)))))))) + abs_real(((double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) - (exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3) + (double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))))) ->
  ("JC_40": (abs_real(exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) <= (abs_real(exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) + (abs_real(double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))) ->
  ("JC_41": ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) <= 1.0)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result5) ->
  (0 <= ("JC_43": (integer_of_int32(n_1) - integer_of_int32(i0))))

goal scalar_product_safety_po_10:
  forall x_1:doubleP pointer.
  forall y_0:doubleP pointer.
  forall n_1:int32.
  forall doubleP_x_3_alloc_table:doubleP alloc_table.
  forall doubleP_y_4_alloc_table:doubleP alloc_table.
  forall doubleP_doubleM_x_3:(doubleP,
  double) memory.
  forall doubleP_doubleM_y_4:(doubleP,
  double) memory.
  ("JC_17":
  (("JC_10": (0 <= integer_of_int32(n_1))) and
   (("JC_11": (integer_of_int32(n_1) <= 10)) and
    (("JC_12": (offset_min(doubleP_x_3_alloc_table, x_1) <= 0)) and
     (("JC_13": (offset_max(doubleP_x_3_alloc_table,
      x_1) >= (integer_of_int32(n_1) - 1))) and
      (("JC_14": (offset_min(doubleP_y_4_alloc_table, y_0) <= 0)) and
       (("JC_15": (offset_max(doubleP_y_4_alloc_table,
        y_0) >= (integer_of_int32(n_1) - 1))) and
        ("JC_16":
        (forall i_2:int.
          (((0 <= i_2) and (i_2 < integer_of_int32(n_1))) ->
           ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
            i_2)))) <= 1.0) and
            (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
            i_2)))) <= 1.0)))))))))))) ->
  forall result:double.
  ((double_value(result) = 0.0) and
   ((double_exact(result) = 0.0) and (double_model(result) = 0.0))) ->
  forall p:double.
  (p = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall i:int32.
  (i = result0) ->
  forall i0:int32.
  forall p0:double.
  ("JC_29": true) ->
  (("JC_23": (abs_real((double_value(p0) - exact_scalar_product(x_1, y_0,
   integer_of_int32(i0), doubleP_doubleM_y_4,
   doubleP_doubleM_x_3))) <= (real_of_int(integer_of_int32(i0)) * 0x1.1p-50))) and
   (("JC_24": (abs_real(exact_scalar_product(x_1, y_0, integer_of_int32(i0),
    doubleP_doubleM_y_4,
    doubleP_doubleM_x_3)) <= real_of_int(integer_of_int32(i0)))) and
    ("JC_27":
    (("JC_25": (0 <= integer_of_int32(i0))) and
     ("JC_26": (integer_of_int32(i0) <= integer_of_int32(n_1))))))) ->
  (integer_of_int32(i0) < integer_of_int32(n_1)) ->
  ("JC_31": (abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_32": (abs_real(double_value(select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0))))) <= 1.0)) ->
  ("JC_33": (abs_real(double_value(p0)) <= (10.0 * (1.0 + 0x1.1p-50)))) ->
  ((offset_min(doubleP_x_3_alloc_table, x_1) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_x_3_alloc_table, x_1))) ->
  forall result1:double.
  (result1 = select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) ->
  ((offset_min(doubleP_y_4_alloc_table, y_0) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(doubleP_y_4_alloc_table, y_0))) ->
  forall result2:double.
  (result2 = select(doubleP_doubleM_y_4, shift(y_0,
  integer_of_int32(i0)))) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result2))) ->
  forall result3:double.
  mul_double_post(nearest_even, result1, result2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(p0) + double_value(result3))) ->
  forall result4:double.
  add_double_post(nearest_even, p0, result3, result4) ->
  forall p1:double.
  (p1 = result4) ->
  ("JC_38":
  (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))))) <= 0x1.1p-50)) ->
  ("JC_39": (abs_real((double_value(p1) - exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3))) <= (abs_real((double_value(p1) - (double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0,
  integer_of_int32(i0)))))))) + abs_real(((double_value(p0) + (double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) - (exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3) + (double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0)))) * double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))))) ->
  ("JC_40": (abs_real(exact_scalar_product(x_1, y_0,
  (integer_of_int32(i0) + 1), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) <= (abs_real(exact_scalar_product(x_1, y_0,
  integer_of_int32(i0), doubleP_doubleM_y_4,
  doubleP_doubleM_x_3)) + (abs_real(double_value(select(doubleP_doubleM_x_3,
  shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0))))))))) ->
  ("JC_41": ((abs_real(double_value(select(doubleP_doubleM_x_3, shift(x_1,
  integer_of_int32(i0))))) * abs_real(double_value(select(doubleP_doubleM_y_4,
  shift(y_0, integer_of_int32(i0)))))) <= 1.0)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result5:int32.
  (integer_of_int32(result5) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result5) ->
  (("JC_43": (integer_of_int32(n_1) - integer_of_int32(i1))) < ("JC_43":
                                                               (integer_of_int32(n_1) - integer_of_int32(i0))))

why-2.34/tests/c/oracle/conjugate.res.oracle0000644000175000017500000074042512311670312017420 0ustar  rtusers========== file tests/c/conjugate.c ==========
/*

  This was inspired by this article:

    Franck Butelle, Florent Hivert, Micaela Mayero, and Frédéric
    Toumazet. Formal Proof of SCHUR Conjugate Function. In Proceedings
    of Calculemus 2010, pages 158-171. Springer-Verlag LNAI, 2010.

  and an improvement made in Why3 (http://why3.lri.fr) by
  Jean-Christophe Filliatre

  Original C code from SCHUR

  Note that arrays are one-based
  (that code was translated from Pascal code where arrays were one-based)

*/

#define MAX 100

/*@ predicate is_partition(int *a) =
    // elements ranges between 0 and MAX-1
    (\forall integer i; 1 <= i < MAX ==> 0 <= a[i] < MAX-1) &&
    // sorted in non-increasing order 
    (\forall integer i,j; 1 <= i <= j < MAX ==> a[i] >= a[j]) &&
    // at least one 0 sentinel
    a[MAX-1] == 0 ;

  predicate numofgt (int *a, integer n, integer v) =
    // values in a[1..n] are >= v, and a[n+1] < v
    0 <= n < MAX-1 &&
    (\forall integer j; 1 <= j <= n ==> v <= a[j]) &&
    v > a[n+1] ;

  predicate is_conjugate (int *a, int *b) =
    MAX > a[1] &&
    \forall integer j; 1 <= j < MAX ==> numofgt(a,b[j],j);

*/

/*@ requires \valid(A + (0 .. MAX-1));
  @ requires \valid(B + (0 .. MAX-1));
  @ // requires \forall integer i; 1 <= i < MAX ==> 1 <= A[i] < MAX-1;
  @ requires \forall integer k; 1 <= k < MAX ==> B[k] == 0;
  @ requires is_partition(A);
  @ assigns B[..];
  @ ensures is_conjugate(A,B);
  @*/
void conjgte (int A[MAX], int B[MAX]) {
  int i, partc = 1, edge = 0;
  /*@ loop invariant 1 <= partc < MAX;
    @ loop invariant \forall integer j;
    @   A[partc] < j <= A[1] ==> numofgt(A,B[j],j);
    @ loop invariant \forall integer j;
    @   A[1] < j < MAX ==> B[j] == 0;
    @ loop variant MAX - partc;
    @*/
  while (A[partc] != 0) 
    Start: {
    edge = A[partc];
    /*@ loop invariant \at(partc,Start) <= partc < MAX-1;
      @ loop invariant \forall integer j; 
      @    \at(partc,Start) <= j < partc ==> A[j] == edge;
      @ loop variant MAX - partc;
      @*/
    do
      partc = partc + 1;
    while (A[partc] == edge);
    /*@ loop invariant 1 <= i;
      @ loop invariant \forall integer j;
      @   edge < j < MAX ==> B[j] == \at(B[j],Start);
      @ loop invariant \forall integer j;
      @   A[partc] < j < i ==> B[j] == partc-1;
      @ loop variant edge-i;
      @*/
    for (i = A[partc] + 1; i <= edge; i++)
      B[i] = partc - 1;
  }
}

========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/conjugate.c"
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/conjugate.jessie
[jessie] File tests/c/conjugate.jessie/conjugate.jc written.
[jessie] File tests/c/conjugate.jessie/conjugate.cloc written.
========== file tests/c/conjugate.jessie/conjugate.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

type int32 = -2147483648..2147483647

tag intP = {
  int32 intM: 32;
}

type intP = [intP]

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate is_partition{L}(intP[..] a) =
\at((((\forall integer i_1;
        (((1 <= i_1) && (i_1 < 100)) ==>
          ((0 <= (a + i_1).intM) && ((a + i_1).intM < (100 - 1))))) &&
       (\forall integer i_2;
         (\forall integer j_0;
           (((1 <= i_2) && ((i_2 <= j_0) && (j_0 < 100))) ==>
             ((a + i_2).intM >= (a + j_0).intM))))) &&
      ((a + (100 - 1)).intM == 0)),L)

predicate numofgt{L}(intP[..] a_0, integer n, integer v) =
\at(((((0 <= n) && (n < (100 - 1))) &&
       (\forall integer j_1;
         (((1 <= j_1) && (j_1 <= n)) ==> (v <= (a_0 + j_1).intM)))) &&
      (v > (a_0 + (n + 1)).intM)),L)

predicate is_conjugate{L}(intP[..] a_1, intP[..] b) =
\at(((100 > (a_1 + 1).intM) &&
      (\forall integer j_2;
        (((1 <= j_2) && (j_2 < 100)) ==>
          numofgt{L}(a_1, (b + j_2).intM, j_2)))),L)

unit conjgte(intP[0] A, intP[0] B)
  requires (_C_47 : ((_C_48 : (\offset_min(A) <= 0)) &&
                      (_C_49 : (\offset_max(A) >= (100 - 1)))));
  requires (_C_44 : ((_C_45 : (\offset_min(B) <= 0)) &&
                      (_C_46 : (\offset_max(B) >= (100 - 1)))));
  requires (_C_43 : (\forall integer k;
                      (((1 <= k) && (k < 100)) ==> ((B + k).intM == 0))));
  requires (_C_42 : is_partition{Here}(A));
behavior default:
  assigns (B + [..]).intM;
  ensures (_C_41 : is_conjugate{Here}(\at(A,Old), \at(B,Old)));
{  
   (var int32 i);
   
   (var int32 partc);
   
   (var int32 edge);
   
   {  (_C_1 : (partc = 1));
      (_C_2 : (edge = 0));
      
      loop 
      behavior default:
        invariant (_C_6 : ((_C_7 : (1 <= partc)) && (_C_8 : (partc < 100))));
      behavior default:
        invariant (_C_5 : (\forall integer j_6;
                            ((((A + partc).intM < j_6) &&
                               (j_6 <= (A + 1).intM)) ==>
                              numofgt{Here}(A, (B + j_6).intM, j_6))));
      behavior default:
        invariant (_C_4 : (\forall integer j_7;
                            ((((A + 1).intM < j_7) && (j_7 < 100)) ==>
                              ((B + j_7).intM == 0))));
      variant (_C_3 : (100 - partc));
      while (true)
      {  
         {  (if ((_C_10 : (_C_9 : (A + partc)).intM) != 0) then () else 
            (goto while_0_break));
            (Start : 
            {  (_C_13 : (edge = (_C_12 : (_C_11 : (A + partc)).intM)));
               
               loop 
               behavior default:
                 invariant (_C_16 : ((_C_17 : (\at(partc,Start) <= partc)) &&
                                      (_C_18 : (partc < (100 - 1)))));
               behavior default:
                 invariant (_C_15 : (\forall integer j_3;
                                      (((\at(partc,Start) <= j_3) &&
                                         (j_3 < partc)) ==>
                                        ((A + j_3).intM == edge))));
               variant (_C_14 : (100 - partc));
               while (true)
               {  
                  {  (_C_21 : (partc = (_C_20 : ((_C_19 : (partc + 1)) :> int32))));
                     (if ((_C_23 : (_C_22 : (A + partc)).intM) == edge) then () else 
                     (goto while_1_break))
                  }
               };
               (while_1_break : ());
               (_C_28 : (i = (_C_27 : ((_C_26 : ((_C_25 : (_C_24 : (A +
                                                                    partc)).intM) +
                                                  1)) :> int32))));
               
               loop 
               behavior default:
                 invariant (_C_32 : (1 <= i));
               behavior default:
                 invariant (_C_31 : (\forall integer j_4;
                                      (((edge < j_4) && (j_4 < 100)) ==>
                                        ((B + j_4).intM ==
                                          \at((B + j_4).intM,Start)))));
               behavior default:
                 invariant (_C_30 : (\forall integer j_5;
                                      ((((A + partc).intM < j_5) &&
                                         (j_5 < i)) ==>
                                        ((B + j_5).intM == (partc - 1)))));
               variant (_C_29 : (edge - i));
               while (true)
               {  
                  {  (if (i <= edge) then () else 
                     (goto while_2_break));
                     (_C_37 : ((_C_36 : (_C_35 : (B + i)).intM) = (_C_34 : (
                                                                  (_C_33 : 
                                                                  (partc -
                                                                    1)) :> int32))));
                     (_C_40 : (i = (_C_39 : ((_C_38 : (i + 1)) :> int32))))
                  }
               };
               (while_2_break : ())
            })
         }
      };
      (while_0_break : ());
      
      (return ())
   }
}
========== file tests/c/conjugate.jessie/conjugate.cloc ==========
[_C_35]
file = "HOME/tests/c/conjugate.c"
line = 77
begin = 6
end = 7

[_C_28]
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 13
end = 25

[_C_48]
file = "HOME/tests/c/conjugate.c"
line = 41
begin = 13
end = 38

[_C_31]
file = "HOME/tests/c/conjugate.c"
line = 70
begin = 23
end = 94

[_C_41]
file = "HOME/tests/c/conjugate.c"
line = 47
begin = 12
end = 29

[_C_4]
file = "HOME/tests/c/conjugate.c"
line = 54
begin = 21
end = 76

[_C_32]
file = "HOME/tests/c/conjugate.c"
line = 69
begin = 23
end = 29

[_C_23]
file = "HOME/tests/c/conjugate.c"
line = 68
begin = 11
end = 19

[_C_19]
file = "HOME/tests/c/conjugate.c"
line = 67
begin = 14
end = 23

[_C_42]
file = "HOME/tests/c/conjugate.c"
line = 45
begin = 13
end = 28

[_C_13]
file = "HOME/tests/c/conjugate.c"
line = 60
begin = 11
end = 19

[_C_5]
file = "HOME/tests/c/conjugate.c"
line = 52
begin = 21
end = 90

[_C_36]
file = "HOME/tests/c/conjugate.c"
line = 77
begin = 13
end = 22

[_C_12]
file = "HOME/tests/c/conjugate.c"
line = 60
begin = 11
end = 19

[_C_33]
file = "HOME/tests/c/conjugate.c"
line = 77
begin = 13
end = 22

[_C_22]
file = "HOME/tests/c/conjugate.c"
line = 68
begin = 11
end = 12

[_C_9]
file = "HOME/tests/c/conjugate.c"
line = 58
begin = 9
end = 10

[_C_30]
file = "HOME/tests/c/conjugate.c"
line = 72
begin = 23
end = 88

[_C_6]
file = "HOME/tests/c/conjugate.c"
line = 51
begin = 21
end = 37

[_C_49]
file = "HOME/tests/c/conjugate.c"
line = 41
begin = 13
end = 38

[_C_24]
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 13
end = 14

[_C_45]
file = "HOME/tests/c/conjugate.c"
line = 42
begin = 13
end = 38

[_C_20]
file = "HOME/tests/c/conjugate.c"
line = 67
begin = 14
end = 23

[conjgte]
name = "Function conjgte"
file = "HOME/tests/c/conjugate.c"
line = 49
begin = 5
end = 12

[_C_38]
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 38
end = 41

[_C_3]
file = "HOME/tests/c/conjugate.c"
line = 56
begin = 19
end = 30

[_C_17]
file = "HOME/tests/c/conjugate.c"
line = 61
begin = 23
end = 48

[_C_7]
file = "HOME/tests/c/conjugate.c"
line = 51
begin = 21
end = 31

[_C_27]
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 13
end = 25

[_C_46]
file = "HOME/tests/c/conjugate.c"
line = 42
begin = 13
end = 38

[_C_44]
file = "HOME/tests/c/conjugate.c"
line = 42
begin = 13
end = 38

[_C_15]
file = "HOME/tests/c/conjugate.c"
line = 62
begin = 23
end = 99

[_C_26]
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 13
end = 25

[_C_47]
file = "HOME/tests/c/conjugate.c"
line = 41
begin = 13
end = 38

[_C_10]
file = "HOME/tests/c/conjugate.c"
line = 58
begin = 9
end = 17

[_C_40]
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 38
end = 41

[_C_8]
file = "HOME/tests/c/conjugate.c"
line = 51
begin = 26
end = 37

[_C_18]
file = "HOME/tests/c/conjugate.c"
line = 61
begin = 43
end = 57

[_C_29]
file = "HOME/tests/c/conjugate.c"
line = 74
begin = 21
end = 27

[_C_14]
file = "HOME/tests/c/conjugate.c"
line = 64
begin = 21
end = 32

[_C_37]
file = "HOME/tests/c/conjugate.c"
line = 77
begin = 13
end = 22

[_C_43]
file = "HOME/tests/c/conjugate.c"
line = 44
begin = 13
end = 58

[_C_2]
file = "HOME/tests/c/conjugate.c"
line = 50
begin = 2
end = 5

[_C_34]
file = "HOME/tests/c/conjugate.c"
line = 77
begin = 13
end = 22

[_C_16]
file = "HOME/tests/c/conjugate.c"
line = 61
begin = 23
end = 57

[_C_1]
file = "HOME/tests/c/conjugate.c"
line = 50
begin = 2
end = 5

[_C_25]
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 13
end = 21

[_C_39]
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 38
end = 41

[_C_11]
file = "HOME/tests/c/conjugate.c"
line = 60
begin = 11
end = 12

[_C_21]
file = "HOME/tests/c/conjugate.c"
line = 67
begin = 14
end = 23

========== jessie execution ==========
Generating Why function conjgte
========== file tests/c/conjugate.jessie/conjugate.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs conjugate.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs conjugate.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/conjugate_why.sx

project: why/conjugate.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/conjugate_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/conjugate_why.vo

coq/conjugate_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/conjugate_why.v: why/conjugate.why
	@echo 'why -coq [...] why/conjugate.why' && $(WHY) $(JESSIELIBFILES) why/conjugate.why && rm -f coq/jessie_why.v

coq-goals: goals coq/conjugate_ctx_why.vo
	for f in why/*_po*.why; do make -f conjugate.makefile coq/`basename $$f .why`_why.v ; done

coq/conjugate_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/conjugate_ctx_why.v: why/conjugate_ctx.why
	@echo 'why -coq [...] why/conjugate_ctx.why' && $(WHY) why/conjugate_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export conjugate_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/conjugate_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/conjugate_ctx_why.vo

pvs: pvs/conjugate_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/conjugate_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/conjugate_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/conjugate_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/conjugate_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/conjugate_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/conjugate_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/conjugate_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/conjugate_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/conjugate_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/conjugate_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/conjugate_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/conjugate_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/conjugate_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/conjugate_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: conjugate.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/conjugate_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: conjugate.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: conjugate.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: conjugate.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include conjugate.depend

depend: coq/conjugate_why.v
	-$(COQDEP) -I coq coq/conjugate*_why.v > conjugate.depend

clean:
	rm -f coq/*.vo

========== file tests/c/conjugate.jessie/conjugate.loc ==========
[JC_73]
file = "HOME/tests/c/conjugate.c"
line = 72
begin = 23
end = 88

[JC_63]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_51]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 127
begin = 15
end = 1301

[JC_71]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 105
begin = 15
end = 837

[JC_45]
kind = PointerDeref
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 13
end = 21

[JC_64]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 85
begin = 6
end = 3346

[JC_31]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 85
begin = 6
end = 3346

[JC_17]
file = "HOME/tests/c/conjugate.c"
line = 47
begin = 12
end = 29

[JC_55]
kind = ArithOverflow
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 38
end = 41

[JC_48]
file = "HOME/tests/c/conjugate.c"
line = 70
begin = 23
end = 94

[JC_23]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_22]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 72
begin = 9
end = 16

[JC_5]
file = "HOME/tests/c/conjugate.c"
line = 44
begin = 13
end = 58

[JC_67]
file = "HOME/tests/c/conjugate.c"
line = 61
begin = 23
end = 48

[JC_9]
file = "HOME/tests/c/conjugate.c"
line = 41
begin = 13
end = 38

[JC_75]
file = "HOME/tests/c/conjugate.c"
line = 69
begin = 23
end = 29

[JC_24]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_25]
file = "HOME/tests/c/conjugate.c"
line = 54
begin = 21
end = 76

[JC_78]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 127
begin = 15
end = 1301

[JC_41]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 105
begin = 15
end = 837

[JC_74]
file = "HOME/tests/c/conjugate.c"
line = 70
begin = 23
end = 94

[JC_47]
file = "HOME/tests/c/conjugate.c"
line = 72
begin = 23
end = 88

[JC_52]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 127
begin = 15
end = 1301

[JC_26]
file = "HOME/tests/c/conjugate.c"
line = 52
begin = 21
end = 90

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[conjgte_ensures_default]
name = "Function conjgte"
behavior = "default behavior"
file = "HOME/tests/c/conjugate.c"
line = 49
begin = 5
end = 12

[JC_54]
kind = PointerDeref
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 145
begin = 31
end = 310

[JC_13]
file = "HOME/tests/c/conjugate.c"
line = 44
begin = 13
end = 58

[JC_11]
file = "HOME/tests/c/conjugate.c"
line = 42
begin = 13
end = 38

[JC_70]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_15]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_36]
file = "HOME/tests/c/conjugate.c"
line = 61
begin = 23
end = 48

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_40]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 105
begin = 15
end = 837

[JC_35]
file = "HOME/tests/c/conjugate.c"
line = 62
begin = 23
end = 99

[JC_27]
file = "HOME/tests/c/conjugate.c"
line = 51
begin = 21
end = 31

[JC_69]
file = "HOME/tests/c/conjugate.c"
line = 61
begin = 23
end = 57

[JC_38]
file = "HOME/tests/c/conjugate.c"
line = 61
begin = 23
end = 57

[JC_12]
file = "HOME/tests/c/conjugate.c"
line = 42
begin = 13
end = 38

[JC_6]
file = "HOME/tests/c/conjugate.c"
line = 45
begin = 13
end = 28

[JC_44]
file = "HOME/tests/c/conjugate.c"
line = 64
begin = 21
end = 32

[JC_4]
file = "HOME/tests/c/conjugate.c"
line = 42
begin = 13
end = 38

[JC_62]
file = "HOME/tests/c/conjugate.c"
line = 51
begin = 21
end = 37

[JC_42]
kind = ArithOverflow
file = "HOME/tests/c/conjugate.c"
line = 67
begin = 14
end = 23

[JC_46]
kind = ArithOverflow
file = "HOME/tests/c/conjugate.c"
line = 76
begin = 13
end = 25

[JC_61]
file = "HOME/tests/c/conjugate.c"
line = 51
begin = 26
end = 37

[JC_32]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 85
begin = 6
end = 3346

[JC_56]
file = "HOME/tests/c/conjugate.c"
line = 74
begin = 21
end = 27

[JC_33]
kind = PointerDeref
file = "HOME/tests/c/conjugate.c"
line = 58
begin = 9
end = 17

[JC_65]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 85
begin = 6
end = 3346

[JC_29]
file = "HOME/tests/c/conjugate.c"
line = 51
begin = 21
end = 37

[JC_68]
file = "HOME/tests/c/conjugate.c"
line = 61
begin = 43
end = 57

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_43]
kind = PointerDeref
file = "HOME/tests/c/conjugate.c"
line = 68
begin = 11
end = 19

[JC_2]
file = "HOME/tests/c/conjugate.c"
line = 41
begin = 13
end = 38

[JC_34]
kind = PointerDeref
file = "HOME/tests/c/conjugate.c"
line = 60
begin = 11
end = 19

[JC_14]
file = "HOME/tests/c/conjugate.c"
line = 45
begin = 13
end = 28

[JC_53]
kind = ArithOverflow
file = "HOME/tests/c/conjugate.c"
line = 77
begin = 13
end = 22

[JC_21]
file = "HOME/tests/c/conjugate.c"
line = 49
begin = 5
end = 12

[conjgte_safety]
name = "Function conjgte"
behavior = "Safety"
file = "HOME/tests/c/conjugate.c"
line = 49
begin = 5
end = 12

[JC_77]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 127
begin = 15
end = 1301

[JC_49]
file = "HOME/tests/c/conjugate.c"
line = 69
begin = 23
end = 29

[JC_1]
file = "HOME/tests/c/conjugate.c"
line = 41
begin = 13
end = 38

[JC_37]
file = "HOME/tests/c/conjugate.c"
line = 61
begin = 43
end = 57

[JC_10]
file = "HOME/tests/c/conjugate.c"
line = 41
begin = 13
end = 38

[JC_57]
file = "HOME/tests/c/conjugate.c"
line = 56
begin = 19
end = 30

[JC_66]
file = "HOME/tests/c/conjugate.c"
line = 62
begin = 23
end = 99

[JC_59]
file = "HOME/tests/c/conjugate.c"
line = 52
begin = 21
end = 90

[JC_20]
file = "HOME/tests/c/conjugate.c"
line = 47
begin = 12
end = 29

[JC_18]
file = "HOME/tests/c/conjugate.c"
line = 49
begin = 5
end = 12

[JC_3]
file = "HOME/tests/c/conjugate.c"
line = 42
begin = 13
end = 38

[JC_60]
file = "HOME/tests/c/conjugate.c"
line = 51
begin = 21
end = 31

[JC_72]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 105
begin = 15
end = 837

[JC_19]
file = "HOME/tests/c/conjugate.jessie/conjugate.jc"
line = 72
begin = 9
end = 16

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_58]
file = "HOME/tests/c/conjugate.c"
line = 54
begin = 21
end = 76

[JC_28]
file = "HOME/tests/c/conjugate.c"
line = 51
begin = 26
end = 37

========== file tests/c/conjugate.jessie/why/conjugate.why ==========
type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int32: int32 -> int

predicate eq_int32(x:int32, y:int32) =
 eq_int(integer_of_int32(x), integer_of_int32(y))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int32_of_integer: int -> int32

axiom int32_coerce :
 (forall x:int.
  ((le_int((-2147483648), x) and le_int(x, (2147483647))) ->
   eq_int(integer_of_int32(int32_of_integer(x)), x)))

axiom int32_extensionality :
 (forall x:int32.
  (forall y:int32[eq_int(integer_of_int32(x), integer_of_int32(y))].
   (eq_int(integer_of_int32(x), integer_of_int32(y)) -> (x = y))))

axiom int32_range :
 (forall x:int32.
  (le_int((-2147483648), integer_of_int32(x))
  and le_int(integer_of_int32(x), (2147483647))))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

logic intP_tag:  -> intP tag_id

axiom intP_int : (int_of_tag(intP_tag) = (1))

logic intP_of_pointer_address: unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr :
 (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom : parenttag(intP_tag, bottom_tag)

axiom intP_tags :
 (forall x:intP pointer.
  (forall intP_tag_table:intP tag_table.
   instanceof(intP_tag_table, x, intP_tag)))

predicate numofgt(a_0:intP pointer, n:int, v:int,
 intP_intM_a_0_2_at_L:(intP, int32) memory) =
 (le_int((0), n)
 and (lt_int(n, sub_int((100), (1)))
     and ((forall j_1:int.
           ((le_int((1), j_1) and le_int(j_1, n)) ->
            le_int(v,
            integer_of_int32(select(intP_intM_a_0_2_at_L, shift(a_0, j_1))))))
         and gt_int(v,
             integer_of_int32(select(intP_intM_a_0_2_at_L,
                              shift(a_0, add_int(n, (1)))))))))

predicate is_conjugate(a_1:intP pointer, b:intP pointer,
 intP_intM_b_4_at_L:(intP, int32) memory,
 intP_intM_a_1_3_at_L:(intP, int32) memory) =
 (gt_int((100),
  integer_of_int32(select(intP_intM_a_1_3_at_L, shift(a_1, (1)))))
 and (forall j_2:int.
      ((le_int((1), j_2) and lt_int(j_2, (100))) ->
       numofgt(a_1,
       integer_of_int32(select(intP_intM_b_4_at_L, shift(b, j_2))), j_2,
       intP_intM_a_1_3_at_L))))

predicate is_partition(a:intP pointer,
 intP_intM_a_1_at_L:(intP, int32) memory) =
 ((forall i_1:int.
   ((le_int((1), i_1) and lt_int(i_1, (100))) ->
    (le_int((0), integer_of_int32(select(intP_intM_a_1_at_L, shift(a, i_1))))
    and lt_int(integer_of_int32(select(intP_intM_a_1_at_L, shift(a, i_1))),
        sub_int((100), (1))))))
 and ((forall i_2:int.
       (forall j_0:int.
        ((le_int((1), i_2) and (le_int(i_2, j_0) and lt_int(j_0, (100)))) ->
         ge_int(integer_of_int32(select(intP_intM_a_1_at_L, shift(a, i_2))),
         integer_of_int32(select(intP_intM_a_1_at_L, shift(a, j_0)))))))
     and (integer_of_int32(select(intP_intM_a_1_at_L,
                           shift(a, sub_int((100), (1))))) = (0))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_intP(p:intP pointer, a:int,
 intP_alloc_table:intP alloc_table) = (offset_min(intP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_intP(p:intP pointer, b:int,
 intP_alloc_table:intP alloc_table) = (offset_max(intP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) = a)
 and (offset_max(intP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_intP(p:intP pointer, a:int, b:int,
 intP_alloc_table:intP alloc_table) =
 ((offset_min(intP_alloc_table, p) <= a)
 and (offset_max(intP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_while_0_break_exc of unit

exception Goto_while_1_break_exc of unit

exception Goto_while_2_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter intP_alloc_table : intP alloc_table ref

parameter intP_tag_table : intP tag_table ref

parameter alloc_struct_intP :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { } intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter alloc_struct_intP_requires :
 n:int ->
  intP_alloc_table:intP alloc_table ref ->
   intP_tag_table:intP tag_table ref ->
    { ge_int(n, (0))} intP pointer writes intP_alloc_table,intP_tag_table
    { (strict_valid_struct_intP(result, (0), sub_int(n, (1)),
       intP_alloc_table)
      and (alloc_extends(intP_alloc_table@, intP_alloc_table)
          and (alloc_fresh(intP_alloc_table@, result, n)
              and instanceof(intP_tag_table, result, intP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int32 : unit -> { } int32 { true }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter conjgte :
 A:intP pointer ->
  B:intP pointer ->
   intP_intM_B_6:(intP, int32) memory ref ->
    intP_B_6_alloc_table:intP alloc_table ->
     intP_A_5_alloc_table:intP alloc_table ->
      intP_intM_A_5:(intP, int32) memory ->
       { } unit reads intP_intM_B_6 writes intP_intM_B_6
       { (JC_22:
         ((JC_20: is_conjugate(A, B, intP_intM_B_6, intP_intM_A_5))
         and (JC_21:
             not_assigns(intP_B_6_alloc_table, intP_intM_B_6@, intP_intM_B_6,
             pset_all(pset_singleton(B)))))) }

parameter conjgte_requires :
 A:intP pointer ->
  B:intP pointer ->
   intP_intM_B_6:(intP, int32) memory ref ->
    intP_B_6_alloc_table:intP alloc_table ->
     intP_A_5_alloc_table:intP alloc_table ->
      intP_intM_A_5:(intP, int32) memory ->
       { (JC_7:
         ((JC_1: le_int(offset_min(intP_A_5_alloc_table, A), (0)))
         and ((JC_2:
              ge_int(offset_max(intP_A_5_alloc_table, A),
              sub_int((100), (1))))
             and ((JC_3: le_int(offset_min(intP_B_6_alloc_table, B), (0)))
                 and ((JC_4:
                      ge_int(offset_max(intP_B_6_alloc_table, B),
                      sub_int((100), (1))))
                     and ((JC_5:
                          (forall k:int.
                           ((le_int((1), k) and lt_int(k, (100))) ->
                            (integer_of_int32(select(intP_intM_B_6,
                                              shift(B, k))) = (0)))))
                         and (JC_6: is_partition(A, intP_intM_A_5))))))))}
       unit reads intP_intM_B_6 writes intP_intM_B_6
       { (JC_22:
         ((JC_20: is_conjugate(A, B, intP_intM_B_6, intP_intM_A_5))
         and (JC_21:
             not_assigns(intP_B_6_alloc_table, intP_intM_B_6@, intP_intM_B_6,
             pset_all(pset_singleton(B)))))) }

parameter int32_of_integer_ :
 x:int ->
  { (le_int((-2147483648), x) and le_int(x, (2147483647)))} int32
  { eq_int(integer_of_int32(result), x) }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int32_of_integer_ :
 x:int -> { } int32 { eq_int(integer_of_int32(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let conjgte_ensures_default =
 fun (A : intP pointer) (B : intP pointer) (intP_intM_B_6 : (intP, int32) memory ref) (intP_A_5_alloc_table : intP alloc_table) (intP_B_6_alloc_table : intP alloc_table) (intP_intM_A_5 : (intP, int32) memory) ->
  { (valid_struct_intP(B, (0), (0), intP_B_6_alloc_table)
    and (valid_struct_intP(A, (0), (0), intP_A_5_alloc_table)
        and (JC_15:
            ((JC_9: le_int(offset_min(intP_A_5_alloc_table, A), (0)))
            and ((JC_10:
                 ge_int(offset_max(intP_A_5_alloc_table, A),
                 sub_int((100), (1))))
                and ((JC_11:
                     le_int(offset_min(intP_B_6_alloc_table, B), (0)))
                    and ((JC_12:
                         ge_int(offset_max(intP_B_6_alloc_table, B),
                         sub_int((100), (1))))
                        and ((JC_13:
                             (forall k:int.
                              ((le_int((1), k) and lt_int(k, (100))) ->
                               (integer_of_int32(select(intP_intM_B_6,
                                                 shift(B, k))) = (0)))))
                            and (JC_14: is_partition(A, intP_intM_A_5)))))))))) }
  (init:
  try
   begin
     (let i = ref (any_int32 void) in
     (let partc = ref (any_int32 void) in
     (let edge = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (partc := (safe_int32_of_integer_ (1))) in void);
       (let _jessie_ = (edge := (safe_int32_of_integer_ (0))) in void);
       (loop_4:
       begin
         while true do
         { invariant
             (((JC_58:
               (forall j_7:int.
                ((lt_int(integer_of_int32(select(intP_intM_A_5,
                                          shift(A, (1)))),
                  j_7)
                 and lt_int(j_7, (100))) ->
                 (integer_of_int32(select(intP_intM_B_6, shift(B, j_7))) = (0)))))
              and ((JC_59:
                   (forall j_6:int.
                    ((lt_int(integer_of_int32(select(intP_intM_A_5,
                                              shift(A,
                                              integer_of_int32(partc)))),
                      j_6)
                     and le_int(j_6,
                         integer_of_int32(select(intP_intM_A_5,
                                          shift(A, (1)))))) ->
                     numofgt(A,
                     integer_of_int32(select(intP_intM_B_6, shift(B, j_6))),
                     j_6, intP_intM_A_5))))
                  and (JC_62:
                      ((JC_60: le_int((1), integer_of_int32(partc)))
                      and (JC_61: lt_int(integer_of_int32(partc), (100)))))))
             and (JC_64:
                 not_assigns(intP_B_6_alloc_table, intP_intM_B_6@init,
                 intP_intM_B_6, pset_all(pset_singleton(B)))))  }
          begin
            [ { } unit { true } ];
           try
            begin
              (if ((neq_int_ (integer_of_int32 ((safe_acc_ intP_intM_A_5) 
                                                ((shift A) (integer_of_int32 !partc))))) (0))
              then void else (raise (Goto_while_0_break_exc void)));
             (Start:
             begin
               try
                begin
                  try
                   begin
                     (let _jessie_ =
                     (edge := ((safe_acc_ intP_intM_A_5) ((shift A) (integer_of_int32 !partc)))) in
                     void);
                    (loop_5:
                    begin
                      while true do
                      { invariant
                          (((JC_66:
                            (forall j_3:int.
                             ((le_int(integer_of_int32(partc@Start), j_3)
                              and lt_int(j_3, integer_of_int32(partc))) ->
                              (integer_of_int32(select(intP_intM_A_5,
                                                shift(A, j_3))) = integer_of_int32(edge)))))
                           and (JC_69:
                               ((JC_67:
                                le_int(integer_of_int32(partc@Start),
                                integer_of_int32(partc)))
                               and (JC_68:
                                   lt_int(integer_of_int32(partc),
                                   sub_int((100), (1)))))))
                          and (JC_71:
                              not_assigns(intP_B_6_alloc_table,
                              intP_intM_B_6@init, intP_intM_B_6,
                              pset_all(pset_singleton(B)))))  }
                       begin
                         [ { } unit { true } ];
                        try
                         begin
                           (let _jessie_ =
                           (partc := (safe_int32_of_integer_ ((add_int 
                                                               (integer_of_int32 !partc)) (1)))) in
                           void);
                          (if ((eq_int_ (integer_of_int32 ((safe_acc_ intP_intM_A_5) 
                                                           ((shift A) 
                                                            (integer_of_int32 !partc))))) 
                               (integer_of_int32 !edge)) then void
                          else (raise (Goto_while_1_break_exc void)));
                          (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (while_1_break:
                   begin
                     void;
                    (let _jessie_ =
                    (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 
                                                             ((safe_acc_ intP_intM_A_5) 
                                                              ((shift A) 
                                                               (integer_of_int32 !partc))))) (1)))) in
                    void);
                    (loop_6:
                    while true do
                    { invariant
                        (((JC_73:
                          (forall j_5:int.
                           ((lt_int(integer_of_int32(select(intP_intM_A_5,
                                                     shift(A,
                                                     integer_of_int32(partc)))),
                             j_5)
                            and lt_int(j_5, integer_of_int32(i))) ->
                            (integer_of_int32(select(intP_intM_B_6,
                                              shift(B, j_5))) = sub_int(
                                                                integer_of_int32(partc),
                                                                (1))))))
                         and ((JC_74:
                              (forall j_4:int.
                               ((lt_int(integer_of_int32(edge), j_4)
                                and lt_int(j_4, (100))) ->
                                (integer_of_int32(select(intP_intM_B_6,
                                                  shift(B, j_4))) = integer_of_int32(
                                                                    select(intP_intM_B_6@Start,
                                                                    shift(B,
                                                                    j_4)))))))
                             and (JC_75: le_int((1), integer_of_int32(i)))))
                        and (JC_77:
                            not_assigns(intP_B_6_alloc_table,
                            intP_intM_B_6@init, intP_intM_B_6,
                            pset_all(pset_singleton(B)))))  }
                     begin
                       [ { } unit { true } ];
                      try
                       begin
                         (let _jessie_ =
                         begin
                           (if ((le_int_ (integer_of_int32 !i)) (integer_of_int32 !edge))
                           then void
                           else (raise (Goto_while_2_break_exc void)));
                          (let _jessie_ =
                          (let _jessie_ =
                          (safe_int32_of_integer_ ((sub_int (integer_of_int32 !partc)) (1))) in
                          (let _jessie_ = B in
                          (let _jessie_ = (integer_of_int32 !i) in
                          (let _jessie_ =
                          ((shift _jessie_) _jessie_) in
                          (((safe_upd_ intP_intM_B_6) _jessie_) _jessie_))))) in
                          void);
                          (i := (safe_int32_of_integer_ ((add_int (integer_of_int32 !i)) (1))));
                          !i end in void); (raise (Loop_continue_exc void))
                       end with Loop_continue_exc _jessie_ -> void end end
                    done) end) end; (raise (Goto_while_2_break_exc void)) end
                with Goto_while_2_break_exc _jessie_ ->
                (while_2_break: void) end; (raise (Loop_continue_exc void))
             end) end with Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end)));
    (raise Return) end with Return -> void end)
  { (JC_19:
    ((JC_17: is_conjugate(A, B, intP_intM_B_6, intP_intM_A_5))
    and (JC_18:
        not_assigns(intP_B_6_alloc_table, intP_intM_B_6@, intP_intM_B_6,
        pset_all(pset_singleton(B)))))) }

let conjgte_safety =
 fun (A : intP pointer) (B : intP pointer) (intP_intM_B_6 : (intP, int32) memory ref) (intP_A_5_alloc_table : intP alloc_table) (intP_B_6_alloc_table : intP alloc_table) (intP_intM_A_5 : (intP, int32) memory) ->
  { (valid_struct_intP(B, (0), (0), intP_B_6_alloc_table)
    and (valid_struct_intP(A, (0), (0), intP_A_5_alloc_table)
        and (JC_15:
            ((JC_9: le_int(offset_min(intP_A_5_alloc_table, A), (0)))
            and ((JC_10:
                 ge_int(offset_max(intP_A_5_alloc_table, A),
                 sub_int((100), (1))))
                and ((JC_11:
                     le_int(offset_min(intP_B_6_alloc_table, B), (0)))
                    and ((JC_12:
                         ge_int(offset_max(intP_B_6_alloc_table, B),
                         sub_int((100), (1))))
                        and ((JC_13:
                             (forall k:int.
                              ((le_int((1), k) and lt_int(k, (100))) ->
                               (integer_of_int32(select(intP_intM_B_6,
                                                 shift(B, k))) = (0)))))
                            and (JC_14: is_partition(A, intP_intM_A_5)))))))))) }
  (init:
  try
   begin
     (let i = ref (any_int32 void) in
     (let partc = ref (any_int32 void) in
     (let edge = ref (any_int32 void) in
     try
      begin
        (let _jessie_ = (partc := (safe_int32_of_integer_ (1))) in void);
       (let _jessie_ = (edge := (safe_int32_of_integer_ (0))) in void);
       (loop_1:
       begin
         while true do
         { invariant (JC_31: true)
           variant (JC_57 : sub_int((100), integer_of_int32(partc))) }
          begin
            [ { } unit reads intP_intM_B_6,partc
              { ((JC_25:
                 (forall j_7:int.
                  ((lt_int(integer_of_int32(select(intP_intM_A_5,
                                            shift(A, (1)))),
                    j_7)
                   and lt_int(j_7, (100))) ->
                   (integer_of_int32(select(intP_intM_B_6, shift(B, j_7))) = (0)))))
                and ((JC_26:
                     (forall j_6:int.
                      ((lt_int(integer_of_int32(select(intP_intM_A_5,
                                                shift(A,
                                                integer_of_int32(partc)))),
                        j_6)
                       and le_int(j_6,
                           integer_of_int32(select(intP_intM_A_5,
                                            shift(A, (1)))))) ->
                       numofgt(A,
                       integer_of_int32(select(intP_intM_B_6, shift(B, j_6))),
                       j_6, intP_intM_A_5))))
                    and (JC_29:
                        ((JC_27: le_int((1), integer_of_int32(partc)))
                        and (JC_28: lt_int(integer_of_int32(partc), (100))))))) } ];
           try
            begin
              (if ((neq_int_ (integer_of_int32 (JC_33:
                                               ((((offset_acc_ intP_A_5_alloc_table) intP_intM_A_5) A) 
                                                (integer_of_int32 !partc))))) (0))
              then void else (raise (Goto_while_0_break_exc void)));
             (Start:
             begin
               try
                begin
                  try
                   begin
                     (let _jessie_ =
                     (edge := (JC_34:
                              ((((offset_acc_ intP_A_5_alloc_table) intP_intM_A_5) A) 
                               (integer_of_int32 !partc)))) in void);
                    (loop_2:
                    begin
                      while true do
                      { invariant (JC_40: true)
                        variant (JC_44 : sub_int((100),
                                         integer_of_int32(partc))) }
                       begin
                         [ { } unit reads edge,partc
                           { ((JC_35:
                              (forall j_3:int.
                               ((le_int(integer_of_int32(partc@Start), j_3)
                                and lt_int(j_3, integer_of_int32(partc))) ->
                                (integer_of_int32(select(intP_intM_A_5,
                                                  shift(A, j_3))) = integer_of_int32(edge)))))
                             and (JC_38:
                                 ((JC_36:
                                  le_int(integer_of_int32(partc@Start),
                                  integer_of_int32(partc)))
                                 and (JC_37:
                                     lt_int(integer_of_int32(partc),
                                     sub_int((100), (1))))))) } ];
                        try
                         begin
                           (let _jessie_ =
                           (partc := (JC_42:
                                     (int32_of_integer_ ((add_int (integer_of_int32 !partc)) (1))))) in
                           void);
                          (if ((eq_int_ (integer_of_int32 (JC_43:
                                                          ((((offset_acc_ intP_A_5_alloc_table) intP_intM_A_5) A) 
                                                           (integer_of_int32 !partc))))) 
                               (integer_of_int32 !edge)) then void
                          else (raise (Goto_while_1_break_exc void)));
                          (raise (Loop_continue_exc void)) end with
                         Loop_continue_exc _jessie_ -> void end end done;
                     (raise (Goto_while_1_break_exc void)) end) end with
                   Goto_while_1_break_exc _jessie_ ->
                   (while_1_break:
                   begin
                     void;
                    (let _jessie_ =
                    (i := (JC_46:
                          (int32_of_integer_ ((add_int (integer_of_int32 
                                                        (JC_45:
                                                        ((((offset_acc_ intP_A_5_alloc_table) intP_intM_A_5) A) 
                                                         (integer_of_int32 !partc))))) (1))))) in
                    void);
                    (loop_3:
                    while true do
                    { invariant (JC_51: true)
                      variant (JC_56 : sub_int(integer_of_int32(edge),
                                       integer_of_int32(i))) }
                     begin
                       [ { } unit reads edge,i,intP_intM_B_6,partc
                         { ((JC_47:
                            (forall j_5:int.
                             ((lt_int(integer_of_int32(select(intP_intM_A_5,
                                                       shift(A,
                                                       integer_of_int32(partc)))),
                               j_5)
                              and lt_int(j_5, integer_of_int32(i))) ->
                              (integer_of_int32(select(intP_intM_B_6,
                                                shift(B, j_5))) = sub_int(
                                                                  integer_of_int32(partc),
                                                                  (1))))))
                           and ((JC_48:
                                (forall j_4:int.
                                 ((lt_int(integer_of_int32(edge), j_4)
                                  and lt_int(j_4, (100))) ->
                                  (integer_of_int32(select(intP_intM_B_6,
                                                    shift(B, j_4))) = 
                                  integer_of_int32(select(intP_intM_B_6@Start,
                                                   shift(B, j_4)))))))
                               and (JC_49: le_int((1), integer_of_int32(i))))) } ];
                      try
                       begin
                         (let _jessie_ =
                         begin
                           (if ((le_int_ (integer_of_int32 !i)) (integer_of_int32 !edge))
                           then void
                           else (raise (Goto_while_2_break_exc void)));
                          (let _jessie_ =
                          (let _jessie_ =
                          (JC_53:
                          (int32_of_integer_ ((sub_int (integer_of_int32 !partc)) (1)))) in
                          (let _jessie_ = B in
                          (let _jessie_ = (integer_of_int32 !i) in
                          (let _jessie_ =
                          ((shift _jessie_) _jessie_) in
                          (JC_54:
                          (((((offset_upd_ intP_B_6_alloc_table) intP_intM_B_6) _jessie_) _jessie_) _jessie_)))))) in
                          void);
                          (i := (JC_55:
                                (int32_of_integer_ ((add_int (integer_of_int32 !i)) (1)))));
                          !i end in void); (raise (Loop_continue_exc void))
                       end with Loop_continue_exc _jessie_ -> void end end
                    done) end) end; (raise (Goto_while_2_break_exc void)) end
                with Goto_while_2_break_exc _jessie_ ->
                (while_2_break: void) end; (raise (Loop_continue_exc void))
             end) end with Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end)));
    (raise Return) end with Return -> void end) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/conjugate.why
========== file tests/c/conjugate.jessie/why/conjugate_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type int32

type int8

type intP

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int32 : int32 -> int

predicate eq_int32(x: int32, y: int32) =
  (integer_of_int32(x) = integer_of_int32(y))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int32_of_integer : int -> int32

axiom int32_coerce:
  (forall x:int.
    ((((-2147483648) <= x) and (x <= 2147483647)) ->
     (integer_of_int32(int32_of_integer(x)) = x)))

axiom int32_extensionality:
  (forall x:int32.
    (forall y:int32.
      ((integer_of_int32(x) = integer_of_int32(y)) -> (x = y))))

axiom int32_range:
  (forall x:int32.
    (((-2147483648) <= integer_of_int32(x)) and
     (integer_of_int32(x) <= 2147483647)))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

logic intP_tag : intP tag_id

axiom intP_int: (int_of_tag(intP_tag) = 1)

logic intP_of_pointer_address : unit pointer -> intP pointer

axiom intP_of_pointer_address_of_pointer_addr:
  (forall p:intP pointer. (p = intP_of_pointer_address(pointer_address(p))))

axiom intP_parenttag_bottom: parenttag(intP_tag, bottom_tag)

axiom intP_tags:
  (forall x:intP pointer.
    (forall intP_tag_table:intP tag_table. instanceof(intP_tag_table, x,
      intP_tag)))

predicate numofgt(a_0: intP pointer, n: int, v: int,
  intP_intM_a_0_2_at_L: (intP, int32) memory) =
  ((0 <= n) and
   ((n < (100 - 1)) and
    ((forall j_1:int.
       (((1 <= j_1) and (j_1 <= n)) ->
        (v <= integer_of_int32(select(intP_intM_a_0_2_at_L, shift(a_0,
        j_1)))))) and
     (v > integer_of_int32(select(intP_intM_a_0_2_at_L, shift(a_0,
     (n + 1))))))))

predicate is_conjugate(a_1: intP pointer, b: intP pointer,
  intP_intM_b_4_at_L: (intP, int32) memory, intP_intM_a_1_3_at_L: (intP,
  int32) memory) =
  ((100 > integer_of_int32(select(intP_intM_a_1_3_at_L, shift(a_1, 1)))) and
   (forall j_2:int.
     (((1 <= j_2) and (j_2 < 100)) -> numofgt(a_1,
      integer_of_int32(select(intP_intM_b_4_at_L, shift(b, j_2))), j_2,
      intP_intM_a_1_3_at_L))))

predicate is_partition(a: intP pointer, intP_intM_a_1_at_L: (intP,
  int32) memory) =
  ((forall i_1:int.
     (((1 <= i_1) and (i_1 < 100)) ->
      ((0 <= integer_of_int32(select(intP_intM_a_1_at_L, shift(a, i_1)))) and
       (integer_of_int32(select(intP_intM_a_1_at_L, shift(a,
       i_1))) < (100 - 1))))) and
   ((forall i_2:int.
      (forall j_0:int.
        (((1 <= i_2) and ((i_2 <= j_0) and (j_0 < 100))) ->
         (integer_of_int32(select(intP_intM_a_1_at_L, shift(a,
         i_2))) >= integer_of_int32(select(intP_intM_a_1_at_L, shift(a,
         j_0))))))) and
    (integer_of_int32(select(intP_intM_a_1_at_L, shift(a, (100 - 1)))) = 0)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_intP(p: intP pointer, a: int,
  intP_alloc_table: intP alloc_table) = (offset_min(intP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

axiom pointer_addr_of_intP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(intP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_intP(p: intP pointer, b: int,
  intP_alloc_table: intP alloc_table) = (offset_max(intP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) = a) and (offset_max(intP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_intP(p: intP pointer, a: int, b: int,
  intP_alloc_table: intP alloc_table) =
  ((offset_min(intP_alloc_table, p) <= a) and (offset_max(intP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal conjgte_ensures_default_po_1:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall j_7:int.
  ((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
   (j_7 < 100)) ->
  ("JC_58": (integer_of_int32(select(intP_intM_B_6, shift(B, j_7))) = 0))

goal conjgte_ensures_default_po_2:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall j_6:int.
  ((integer_of_int32(select(intP_intM_A_5, shift(A,
   integer_of_int32(partc)))) < j_6) and
   (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
  ("JC_59": numofgt(A, integer_of_int32(select(intP_intM_B_6, shift(B,
  j_6))), j_6, intP_intM_A_5))

goal conjgte_ensures_default_po_3:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  ("JC_62": ("JC_60": (1 <= integer_of_int32(partc))))

goal conjgte_ensures_default_po_4:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  ("JC_62": ("JC_61": (integer_of_int32(partc) < 100)))

goal conjgte_ensures_default_po_5:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6, intP_intM_B_6,
  pset_all(pset_singleton(B))))

goal conjgte_ensures_default_po_6:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall j_3:int.
  ((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc0))) ->
  ("JC_66": (integer_of_int32(select(intP_intM_A_5, shift(A,
  j_3))) = integer_of_int32(edge0)))

goal conjgte_ensures_default_po_7:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  ("JC_69":
  ("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc0))))

goal conjgte_ensures_default_po_8:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  ("JC_69": ("JC_68": (integer_of_int32(partc0) < (100 - 1))))

goal conjgte_ensures_default_po_9:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) = integer_of_int32(edge0)) ->
  forall j_3:int.
  ((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc2))) ->
  ("JC_66": (integer_of_int32(select(intP_intM_A_5, shift(A,
  j_3))) = integer_of_int32(edge0)))

goal conjgte_ensures_default_po_10:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) = integer_of_int32(edge0)) ->
  ("JC_69":
  ("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc2))))

goal conjgte_ensures_default_po_11:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) = integer_of_int32(edge0)) ->
  ("JC_69": ("JC_68": (integer_of_int32(partc2) < (100 - 1))))

goal conjgte_ensures_default_po_12:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall j_5:int.
  ((integer_of_int32(select(intP_intM_A_5, shift(A,
   integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i))) ->
  ("JC_73": (integer_of_int32(select(intP_intM_B_6_0, shift(B,
  j_5))) = (integer_of_int32(partc2) - 1)))

goal conjgte_ensures_default_po_13:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  ("JC_75": (1 <= integer_of_int32(i)))

goal conjgte_ensures_default_po_14:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ((("JC_73":
    (forall j_5:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_5))) = (integer_of_int32(partc2) - 1))))) and
    (("JC_74":
     (forall j_4:int.
       (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
        (integer_of_int32(select(intP_intM_B_6_1, shift(B,
        j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
     ("JC_75": (1 <= integer_of_int32(i0))))) and
   ("JC_77": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_1, pset_all(pset_singleton(B))))) ->
  (integer_of_int32(i0) <= integer_of_int32(edge0)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(partc2) - 1)) ->
  forall intP_intM_B_6_2:(intP,
  int32) memory.
  (intP_intM_B_6_2 = store(intP_intM_B_6_1, shift(B, integer_of_int32(i0)),
  result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result8) ->
  forall j_5:int.
  ((integer_of_int32(select(intP_intM_A_5, shift(A,
   integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i1))) ->
  ("JC_73": (integer_of_int32(select(intP_intM_B_6_2, shift(B,
  j_5))) = (integer_of_int32(partc2) - 1)))

goal conjgte_ensures_default_po_15:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ((("JC_73":
    (forall j_5:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_5))) = (integer_of_int32(partc2) - 1))))) and
    (("JC_74":
     (forall j_4:int.
       (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
        (integer_of_int32(select(intP_intM_B_6_1, shift(B,
        j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
     ("JC_75": (1 <= integer_of_int32(i0))))) and
   ("JC_77": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_1, pset_all(pset_singleton(B))))) ->
  (integer_of_int32(i0) <= integer_of_int32(edge0)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(partc2) - 1)) ->
  forall intP_intM_B_6_2:(intP,
  int32) memory.
  (intP_intM_B_6_2 = store(intP_intM_B_6_1, shift(B, integer_of_int32(i0)),
  result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result8) ->
  forall j_4:int.
  ((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
  ("JC_74": (integer_of_int32(select(intP_intM_B_6_2, shift(B,
  j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4)))))

goal conjgte_ensures_default_po_16:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ((("JC_73":
    (forall j_5:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_5))) = (integer_of_int32(partc2) - 1))))) and
    (("JC_74":
     (forall j_4:int.
       (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
        (integer_of_int32(select(intP_intM_B_6_1, shift(B,
        j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
     ("JC_75": (1 <= integer_of_int32(i0))))) and
   ("JC_77": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_1, pset_all(pset_singleton(B))))) ->
  (integer_of_int32(i0) <= integer_of_int32(edge0)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(partc2) - 1)) ->
  forall intP_intM_B_6_2:(intP,
  int32) memory.
  (intP_intM_B_6_2 = store(intP_intM_B_6_1, shift(B, integer_of_int32(i0)),
  result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result8) ->
  ("JC_75": (1 <= integer_of_int32(i1)))

goal conjgte_ensures_default_po_17:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ((("JC_73":
    (forall j_5:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_5))) = (integer_of_int32(partc2) - 1))))) and
    (("JC_74":
     (forall j_4:int.
       (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
        (integer_of_int32(select(intP_intM_B_6_1, shift(B,
        j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
     ("JC_75": (1 <= integer_of_int32(i0))))) and
   ("JC_77": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_1, pset_all(pset_singleton(B))))) ->
  (integer_of_int32(i0) <= integer_of_int32(edge0)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(partc2) - 1)) ->
  forall intP_intM_B_6_2:(intP,
  int32) memory.
  (intP_intM_B_6_2 = store(intP_intM_B_6_1, shift(B, integer_of_int32(i0)),
  result7)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result8) ->
  ("JC_77": not_assigns(intP_B_6_alloc_table, intP_intM_B_6, intP_intM_B_6_2,
  pset_all(pset_singleton(B))))

goal conjgte_ensures_default_po_18:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ((("JC_73":
    (forall j_5:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_5))) = (integer_of_int32(partc2) - 1))))) and
    (("JC_74":
     (forall j_4:int.
       (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
        (integer_of_int32(select(intP_intM_B_6_1, shift(B,
        j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
     ("JC_75": (1 <= integer_of_int32(i0))))) and
   ("JC_77": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_1, pset_all(pset_singleton(B))))) ->
  (integer_of_int32(i0) > integer_of_int32(edge0)) ->
  forall j_7:int.
  ((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
   (j_7 < 100)) ->
  ("JC_58": (integer_of_int32(select(intP_intM_B_6_1, shift(B, j_7))) = 0))

goal conjgte_ensures_default_po_19:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ((("JC_73":
    (forall j_5:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_5))) = (integer_of_int32(partc2) - 1))))) and
    (("JC_74":
     (forall j_4:int.
       (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
        (integer_of_int32(select(intP_intM_B_6_1, shift(B,
        j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
     ("JC_75": (1 <= integer_of_int32(i0))))) and
   ("JC_77": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_1, pset_all(pset_singleton(B))))) ->
  (integer_of_int32(i0) > integer_of_int32(edge0)) ->
  forall j_6:int.
  ((integer_of_int32(select(intP_intM_A_5, shift(A,
   integer_of_int32(partc2)))) < j_6) and
   (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
  ("JC_59": numofgt(A, integer_of_int32(select(intP_intM_B_6_1, shift(B,
  j_6))), j_6, intP_intM_A_5))

goal conjgte_ensures_default_po_20:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ((("JC_73":
    (forall j_5:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_5))) = (integer_of_int32(partc2) - 1))))) and
    (("JC_74":
     (forall j_4:int.
       (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
        (integer_of_int32(select(intP_intM_B_6_1, shift(B,
        j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
     ("JC_75": (1 <= integer_of_int32(i0))))) and
   ("JC_77": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_1, pset_all(pset_singleton(B))))) ->
  (integer_of_int32(i0) > integer_of_int32(edge0)) ->
  ("JC_62": ("JC_60": (1 <= integer_of_int32(partc2))))

goal conjgte_ensures_default_po_21:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ((("JC_66":
    (forall j_3:int.
      (((integer_of_int32(partc0) <= j_3) and
        (j_3 < integer_of_int32(partc1))) ->
       (integer_of_int32(select(intP_intM_A_5, shift(A,
       j_3))) = integer_of_int32(edge0))))) and
    ("JC_69":
    (("JC_67": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
     ("JC_68": (integer_of_int32(partc1) < (100 - 1)))))) and
   ("JC_71": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ((("JC_73":
    (forall j_5:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_5))) = (integer_of_int32(partc2) - 1))))) and
    (("JC_74":
     (forall j_4:int.
       (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
        (integer_of_int32(select(intP_intM_B_6_1, shift(B,
        j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
     ("JC_75": (1 <= integer_of_int32(i0))))) and
   ("JC_77": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_1, pset_all(pset_singleton(B))))) ->
  (integer_of_int32(i0) > integer_of_int32(edge0)) ->
  ("JC_62": ("JC_61": (integer_of_int32(partc2) < 100)))

goal conjgte_ensures_default_po_22:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ((("JC_58":
    (forall j_7:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
        (j_7 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
    (("JC_59":
     (forall j_6:int.
       (((integer_of_int32(select(intP_intM_A_5, shift(A,
         integer_of_int32(partc0)))) < j_6) and
         (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
        numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
        j_6, intP_intM_A_5)))) and
     ("JC_62":
     (("JC_60": (1 <= integer_of_int32(partc0))) and
      ("JC_61": (integer_of_int32(partc0) < 100)))))) and
   ("JC_64": not_assigns(intP_B_6_alloc_table, intP_intM_B_6,
   intP_intM_B_6_0, pset_all(pset_singleton(B))))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) = 0) ->
  ("JC_19": ("JC_17": is_conjugate(A, B, intP_intM_B_6_0, intP_intM_A_5)))

goal conjgte_safety_po_1:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  (offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0))

goal conjgte_safety_po_2:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))

goal conjgte_safety_po_3:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  ((-2147483648) <= (integer_of_int32(partc1) + 1))

goal conjgte_safety_po_4:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  ((integer_of_int32(partc1) + 1) <= 2147483647)

goal conjgte_safety_po_5:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  (offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2))

goal conjgte_safety_po_6:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))

goal conjgte_safety_po_7:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) = integer_of_int32(edge0)) ->
  (0 <= ("JC_44": (100 - integer_of_int32(partc1))))

goal conjgte_safety_po_8:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) = integer_of_int32(edge0)) ->
  (("JC_44": (100 - integer_of_int32(partc2))) < ("JC_44":
                                                 (100 - integer_of_int32(partc1))))

goal conjgte_safety_po_9:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  ((-2147483648) <= (integer_of_int32(result5) + 1))

goal conjgte_safety_po_10:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  ((integer_of_int32(result5) + 1) <= 2147483647)

goal conjgte_safety_po_11:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 1)) and
   ((integer_of_int32(result5) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ("JC_51": true) ->
  (("JC_47":
   (forall j_5:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A,
       integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
      (integer_of_int32(select(intP_intM_B_6_1, shift(B,
      j_5))) = (integer_of_int32(partc2) - 1))))) and
   (("JC_48":
    (forall j_4:int.
      (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
    ("JC_49": (1 <= integer_of_int32(i0))))) ->
  (integer_of_int32(i0) <= integer_of_int32(edge0)) ->
  ((-2147483648) <= (integer_of_int32(partc2) - 1))

goal conjgte_safety_po_12:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 1)) and
   ((integer_of_int32(result5) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ("JC_51": true) ->
  (("JC_47":
   (forall j_5:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A,
       integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
      (integer_of_int32(select(intP_intM_B_6_1, shift(B,
      j_5))) = (integer_of_int32(partc2) - 1))))) and
   (("JC_48":
    (forall j_4:int.
      (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
    ("JC_49": (1 <= integer_of_int32(i0))))) ->
  (integer_of_int32(i0) <= integer_of_int32(edge0)) ->
  ((integer_of_int32(partc2) - 1) <= 2147483647)

goal conjgte_safety_po_13:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 1)) and
   ((integer_of_int32(result5) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ("JC_51": true) ->
  (("JC_47":
   (forall j_5:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A,
       integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
      (integer_of_int32(select(intP_intM_B_6_1, shift(B,
      j_5))) = (integer_of_int32(partc2) - 1))))) and
   (("JC_48":
    (forall j_4:int.
      (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
    ("JC_49": (1 <= integer_of_int32(i0))))) ->
  (integer_of_int32(i0) <= integer_of_int32(edge0)) ->
  (((-2147483648) <= (integer_of_int32(partc2) - 1)) and
   ((integer_of_int32(partc2) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(partc2) - 1)) ->
  (offset_min(intP_B_6_alloc_table, B) <= integer_of_int32(i0))

goal conjgte_safety_po_14:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 1)) and
   ((integer_of_int32(result5) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ("JC_51": true) ->
  (("JC_47":
   (forall j_5:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A,
       integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
      (integer_of_int32(select(intP_intM_B_6_1, shift(B,
      j_5))) = (integer_of_int32(partc2) - 1))))) and
   (("JC_48":
    (forall j_4:int.
      (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
    ("JC_49": (1 <= integer_of_int32(i0))))) ->
  (integer_of_int32(i0) <= integer_of_int32(edge0)) ->
  (((-2147483648) <= (integer_of_int32(partc2) - 1)) and
   ((integer_of_int32(partc2) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(partc2) - 1)) ->
  (integer_of_int32(i0) <= offset_max(intP_B_6_alloc_table, B))

goal conjgte_safety_po_15:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 1)) and
   ((integer_of_int32(result5) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ("JC_51": true) ->
  (("JC_47":
   (forall j_5:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A,
       integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
      (integer_of_int32(select(intP_intM_B_6_1, shift(B,
      j_5))) = (integer_of_int32(partc2) - 1))))) and
   (("JC_48":
    (forall j_4:int.
      (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
    ("JC_49": (1 <= integer_of_int32(i0))))) ->
  (integer_of_int32(i0) <= integer_of_int32(edge0)) ->
  (((-2147483648) <= (integer_of_int32(partc2) - 1)) and
   ((integer_of_int32(partc2) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(partc2) - 1)) ->
  ((offset_min(intP_B_6_alloc_table, B) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_B_6_alloc_table, B))) ->
  forall intP_intM_B_6_2:(intP,
  int32) memory.
  (intP_intM_B_6_2 = store(intP_intM_B_6_1, shift(B, integer_of_int32(i0)),
  result7)) ->
  ((-2147483648) <= (integer_of_int32(i0) + 1))

goal conjgte_safety_po_16:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 1)) and
   ((integer_of_int32(result5) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ("JC_51": true) ->
  (("JC_47":
   (forall j_5:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A,
       integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
      (integer_of_int32(select(intP_intM_B_6_1, shift(B,
      j_5))) = (integer_of_int32(partc2) - 1))))) and
   (("JC_48":
    (forall j_4:int.
      (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
    ("JC_49": (1 <= integer_of_int32(i0))))) ->
  (integer_of_int32(i0) <= integer_of_int32(edge0)) ->
  (((-2147483648) <= (integer_of_int32(partc2) - 1)) and
   ((integer_of_int32(partc2) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(partc2) - 1)) ->
  ((offset_min(intP_B_6_alloc_table, B) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_B_6_alloc_table, B))) ->
  forall intP_intM_B_6_2:(intP,
  int32) memory.
  (intP_intM_B_6_2 = store(intP_intM_B_6_1, shift(B, integer_of_int32(i0)),
  result7)) ->
  ((integer_of_int32(i0) + 1) <= 2147483647)

goal conjgte_safety_po_17:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 1)) and
   ((integer_of_int32(result5) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ("JC_51": true) ->
  (("JC_47":
   (forall j_5:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A,
       integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
      (integer_of_int32(select(intP_intM_B_6_1, shift(B,
      j_5))) = (integer_of_int32(partc2) - 1))))) and
   (("JC_48":
    (forall j_4:int.
      (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
    ("JC_49": (1 <= integer_of_int32(i0))))) ->
  (integer_of_int32(i0) <= integer_of_int32(edge0)) ->
  (((-2147483648) <= (integer_of_int32(partc2) - 1)) and
   ((integer_of_int32(partc2) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(partc2) - 1)) ->
  ((offset_min(intP_B_6_alloc_table, B) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_B_6_alloc_table, B))) ->
  forall intP_intM_B_6_2:(intP,
  int32) memory.
  (intP_intM_B_6_2 = store(intP_intM_B_6_1, shift(B, integer_of_int32(i0)),
  result7)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result8) ->
  (0 <= ("JC_56": (integer_of_int32(edge0) - integer_of_int32(i0))))

goal conjgte_safety_po_18:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 1)) and
   ((integer_of_int32(result5) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ("JC_51": true) ->
  (("JC_47":
   (forall j_5:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A,
       integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
      (integer_of_int32(select(intP_intM_B_6_1, shift(B,
      j_5))) = (integer_of_int32(partc2) - 1))))) and
   (("JC_48":
    (forall j_4:int.
      (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
    ("JC_49": (1 <= integer_of_int32(i0))))) ->
  (integer_of_int32(i0) <= integer_of_int32(edge0)) ->
  (((-2147483648) <= (integer_of_int32(partc2) - 1)) and
   ((integer_of_int32(partc2) - 1) <= 2147483647)) ->
  forall result7:int32.
  (integer_of_int32(result7) = (integer_of_int32(partc2) - 1)) ->
  ((offset_min(intP_B_6_alloc_table, B) <= integer_of_int32(i0)) and
   (integer_of_int32(i0) <= offset_max(intP_B_6_alloc_table, B))) ->
  forall intP_intM_B_6_2:(intP,
  int32) memory.
  (intP_intM_B_6_2 = store(intP_intM_B_6_1, shift(B, integer_of_int32(i0)),
  result7)) ->
  (((-2147483648) <= (integer_of_int32(i0) + 1)) and
   ((integer_of_int32(i0) + 1) <= 2147483647)) ->
  forall result8:int32.
  (integer_of_int32(result8) = (integer_of_int32(i0) + 1)) ->
  forall i1:int32.
  (i1 = result8) ->
  (("JC_56": (integer_of_int32(edge0) - integer_of_int32(i1))) < ("JC_56":
                                                                 (integer_of_int32(edge0) - integer_of_int32(i0))))

goal conjgte_safety_po_19:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 1)) and
   ((integer_of_int32(result5) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ("JC_51": true) ->
  (("JC_47":
   (forall j_5:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A,
       integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
      (integer_of_int32(select(intP_intM_B_6_1, shift(B,
      j_5))) = (integer_of_int32(partc2) - 1))))) and
   (("JC_48":
    (forall j_4:int.
      (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
    ("JC_49": (1 <= integer_of_int32(i0))))) ->
  (integer_of_int32(i0) > integer_of_int32(edge0)) ->
  (0 <= ("JC_57": (100 - integer_of_int32(partc0))))

goal conjgte_safety_po_20:
  forall A:intP pointer.
  forall B:intP pointer.
  forall intP_A_5_alloc_table:intP alloc_table.
  forall intP_B_6_alloc_table:intP alloc_table.
  forall intP_intM_A_5:(intP, int32) memory.
  forall intP_intM_B_6:(intP,
  int32) memory.
  (valid_struct_intP(B, 0, 0, intP_B_6_alloc_table) and
   (valid_struct_intP(A, 0, 0, intP_A_5_alloc_table) and
    ("JC_15":
    (("JC_9": (offset_min(intP_A_5_alloc_table, A) <= 0)) and
     (("JC_10": (offset_max(intP_A_5_alloc_table, A) >= (100 - 1))) and
      (("JC_11": (offset_min(intP_B_6_alloc_table, B) <= 0)) and
       (("JC_12": (offset_max(intP_B_6_alloc_table, B) >= (100 - 1))) and
        (("JC_13":
         (forall k:int.
           (((1 <= k) and (k < 100)) ->
            (integer_of_int32(select(intP_intM_B_6, shift(B, k))) = 0)))) and
         ("JC_14": is_partition(A, intP_intM_A_5)))))))))) ->
  forall result:int32.
  (integer_of_int32(result) = 1) ->
  forall partc:int32.
  (partc = result) ->
  forall result0:int32.
  (integer_of_int32(result0) = 0) ->
  forall edge:int32.
  (edge = result0) ->
  forall intP_intM_B_6_0:(intP,
  int32) memory.
  forall partc0:int32.
  ("JC_31": true) ->
  (("JC_25":
   (forall j_7:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A, 1))) < j_7) and
       (j_7 < 100)) ->
      (integer_of_int32(select(intP_intM_B_6_0, shift(B, j_7))) = 0)))) and
   (("JC_26":
    (forall j_6:int.
      (((integer_of_int32(select(intP_intM_A_5, shift(A,
        integer_of_int32(partc0)))) < j_6) and
        (j_6 <= integer_of_int32(select(intP_intM_A_5, shift(A, 1))))) ->
       numofgt(A, integer_of_int32(select(intP_intM_B_6_0, shift(B, j_6))),
       j_6, intP_intM_A_5)))) and
    ("JC_29":
    (("JC_27": (1 <= integer_of_int32(partc0))) and
     ("JC_28": (integer_of_int32(partc0) < 100)))))) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result1:int32.
  (result1 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  (integer_of_int32(result1) <> 0) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc0)) and
   (integer_of_int32(partc0) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result2:int32.
  (result2 = select(intP_intM_A_5, shift(A, integer_of_int32(partc0)))) ->
  forall edge0:int32.
  (edge0 = result2) ->
  forall partc1:int32.
  ("JC_40": true) ->
  (("JC_35":
   (forall j_3:int.
     (((integer_of_int32(partc0) <= j_3) and (j_3 < integer_of_int32(partc1))) ->
      (integer_of_int32(select(intP_intM_A_5, shift(A,
      j_3))) = integer_of_int32(edge0))))) and
   ("JC_38":
   (("JC_36": (integer_of_int32(partc0) <= integer_of_int32(partc1))) and
    ("JC_37": (integer_of_int32(partc1) < (100 - 1)))))) ->
  (((-2147483648) <= (integer_of_int32(partc1) + 1)) and
   ((integer_of_int32(partc1) + 1) <= 2147483647)) ->
  forall result3:int32.
  (integer_of_int32(result3) = (integer_of_int32(partc1) + 1)) ->
  forall partc2:int32.
  (partc2 = result3) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result4:int32.
  (result4 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (integer_of_int32(result4) <> integer_of_int32(edge0)) ->
  ((offset_min(intP_A_5_alloc_table, A) <= integer_of_int32(partc2)) and
   (integer_of_int32(partc2) <= offset_max(intP_A_5_alloc_table, A))) ->
  forall result5:int32.
  (result5 = select(intP_intM_A_5, shift(A, integer_of_int32(partc2)))) ->
  (((-2147483648) <= (integer_of_int32(result5) + 1)) and
   ((integer_of_int32(result5) + 1) <= 2147483647)) ->
  forall result6:int32.
  (integer_of_int32(result6) = (integer_of_int32(result5) + 1)) ->
  forall i:int32.
  (i = result6) ->
  forall i0:int32.
  forall intP_intM_B_6_1:(intP,
  int32) memory.
  ("JC_51": true) ->
  (("JC_47":
   (forall j_5:int.
     (((integer_of_int32(select(intP_intM_A_5, shift(A,
       integer_of_int32(partc2)))) < j_5) and (j_5 < integer_of_int32(i0))) ->
      (integer_of_int32(select(intP_intM_B_6_1, shift(B,
      j_5))) = (integer_of_int32(partc2) - 1))))) and
   (("JC_48":
    (forall j_4:int.
      (((integer_of_int32(edge0) < j_4) and (j_4 < 100)) ->
       (integer_of_int32(select(intP_intM_B_6_1, shift(B,
       j_4))) = integer_of_int32(select(intP_intM_B_6_0, shift(B, j_4))))))) and
    ("JC_49": (1 <= integer_of_int32(i0))))) ->
  (integer_of_int32(i0) > integer_of_int32(edge0)) ->
  (("JC_57": (100 - integer_of_int32(partc2))) < ("JC_57":
                                                 (100 - integer_of_int32(partc0))))

why-2.34/tests/c/oracle/float_sqrt.res.oracle0000644000175000017500000045476212311670312017625 0ustar  rtusers========== file tests/c/float_sqrt.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


/* contribution by Guillaume Melquiond */

// RUN GAPPA (does not work)

#pragma JessieFloatModel(defensive)

/*
 With some help, the Gappa tool is able to prove the postcondition of the
 sqrt function.

 First, it needs to know that Newton's iteration converges quadratically.
 This formula on relative errors is denoted by the newton_rel predicate.
 The newton states its general expression and it is proved by a short Coq
 script performing algebraic manipulations. The newton lemma is then
 instantiated by Alt-Ergo at each iteration of the loop to solve the
 three assertions about the predicate.

 In order to prove the postcondition, Gappa also needs to be told that
 the value computed after an iteration is close to both sqrt(x) and the
 value that would have been computed with an infinite precision. This is
 done by putting distance expressions into the context through three
 other assertions about the closeness predicate. They are much weaker
 than what Gappa will end up proving; they are only here to guide its
 heuristics.

 Finally, Gappa also needs to know about the inverse square root trick.
 That is what the assertion is for, and it is proved in Coq.
*/

/*@
 predicate newton_rel(real t, real x) =
   (0.5 * t * (3 - t * t * x) - 1/\sqrt(x)) / (1/\sqrt(x)) ==
     - (1.5 + 0.5 * ((t - 1/\sqrt(x)) / (1/\sqrt(x)))) *
     (((t - 1/\sqrt(x)) / (1/\sqrt(x))) * ((t - 1/\sqrt(x)) / (1/\sqrt(x))));

 lemma newton: \forall real t, x; x > 0. ==> newton_rel(t, x);

 predicate closeness(real u, real t, real x) =
   \abs(u - 0.5 * t * (3 - t * t * x)) <= 1 &&
   \abs(u - 1/\sqrt(x)) <= 1;
*/

/*@
 requires 0.5 <= x <= 2;
 ensures \abs(\result - 1/\sqrt(x)) <= 0x1p-6 * \abs(1/\sqrt(x));
*/
double sqrt_init(double x);

/*@
 requires 0.5 <= x <= 2;
 ensures \abs(\result - \sqrt(x)) <= 0x1p-43 * \abs(\sqrt(x));
*/
double sqrt(double x)
{
  double t, u;
  t = sqrt_init(x);

  u = 0.5 * t * (3 - t * t * x);
  //@ assert newton_rel(t, x);
  //@ assert closeness(u, t, x);
  t = u;

  u = 0.5 * t * (3 - t * t * x);
  //@ assert newton_rel(t, x);
  //@ assert closeness(u, t, x);
  t = u;

  u = 0.5 * t * (3 - t * t * x);
  //@ assert newton_rel(t, x);
  //@ assert closeness(u, t, x);
  t = u;

  //@ assert x * (1/\sqrt(x)) == \sqrt(x);
  return x * t;
}



/*
Local Variables:
compile-command: "make float_sqrt.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/float_sqrt.c"
[jessie] Starting Jessie translation
tests/c/float_sqrt.c:85:[kernel] warning: No code nor implicit assigns clause for function sqrt_init, generating default assigns from the prototype
[jessie] Producing Jessie files in subdir tests/c/float_sqrt.jessie
[jessie] File tests/c/float_sqrt.jessie/float_sqrt.jc written.
[jessie] File tests/c/float_sqrt.jessie/float_sqrt.cloc written.
========== file tests/c/float_sqrt.jessie/float_sqrt.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol
# FloatModel = defensive

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate newton_rel(real t, real x) =
(((((0.5 * t) * (3 - ((t * t) * x))) - (1 / \real_sqrt(x))) /
   (1 / \real_sqrt(x))) ==
  ((- (1.5 + (0.5 * ((t - (1 / \real_sqrt(x))) / (1 / \real_sqrt(x)))))) *
    (((t - (1 / \real_sqrt(x))) / (1 / \real_sqrt(x))) *
      ((t - (1 / \real_sqrt(x))) / (1 / \real_sqrt(x))))))

lemma newton :
(\forall real t_0;
  (\forall real x_0;
    ((x_0 > 0.) ==> newton_rel(t_0, x_0))))

predicate closeness(real u, real t_1, real x_1) =
((\real_abs((u - ((0.5 * t_1) * (3 - ((t_1 * t_1) * x_1))))) <= 1) &&
  (\real_abs((u - (1 / \real_sqrt(x_1)))) <= 1))

double sqrt_init(double x_0)
  requires (_C_2 : ((_C_3 : (0.5 <= (x_0 :> real))) &&
                     (_C_4 : ((x_0 :> real) <= 2))));
behavior default:
  assigns \nothing;
  ensures (_C_1 : (\real_abs(((\result :> real) -
                               (1 / \real_sqrt((\at(x_0,Old) :> real))))) <=
                    (0x1p-6 *
                      \real_abs((1 / \real_sqrt((\at(x_0,Old) :> real)))))));
;

double sqrt(double x)
  requires (_C_41 : ((_C_42 : (0.5 <= (x :> real))) &&
                      (_C_43 : ((x :> real) <= 2))));
behavior default:
  ensures (_C_40 : (\real_abs(((\result :> real) -
                                \real_sqrt((\at(x,Old) :> real)))) <=
                     (0x1p-43 * \real_abs(\real_sqrt((\at(x,Old) :> real))))));
{  
   (var double t);
   
   (var double u);
   
   (var double __retres);
   
   {  (_C_6 : (t = (_C_5 : sqrt_init(x))));
      (_C_13 : (u = (_C_12 : ((_C_11 : ((0.5 :> double) * t)) *
                               (_C_10 : ((_C_9 : (3 :> double)) -
                                          (_C_8 : ((_C_7 : (t * t)) * x))))))));
      
      {  
         (assert for default: (_C_14 : (jessie : newton_rel((t :> real),
                                                            (x :> real)))));
         ()
      };
      
      {  
         (assert for default: (_C_15 : (jessie : closeness((u :> real),
                                                           (t :> real),
                                                           (x :> real)))));
         ()
      };
      (_C_16 : (t = u));
      (_C_23 : (u = (_C_22 : ((_C_21 : ((0.5 :> double) * t)) *
                               (_C_20 : ((_C_19 : (3 :> double)) -
                                          (_C_18 : ((_C_17 : (t * t)) * x))))))));
      
      {  
         (assert for default: (_C_24 : (jessie : newton_rel((t :> real),
                                                            (x :> real)))));
         ()
      };
      
      {  
         (assert for default: (_C_25 : (jessie : closeness((u :> real),
                                                           (t :> real),
                                                           (x :> real)))));
         ()
      };
      (_C_26 : (t = u));
      (_C_33 : (u = (_C_32 : ((_C_31 : ((0.5 :> double) * t)) *
                               (_C_30 : ((_C_29 : (3 :> double)) -
                                          (_C_28 : ((_C_27 : (t * t)) * x))))))));
      
      {  
         (assert for default: (_C_34 : (jessie : newton_rel((t :> real),
                                                            (x :> real)))));
         ()
      };
      
      {  
         (assert for default: (_C_35 : (jessie : closeness((u :> real),
                                                           (t :> real),
                                                           (x :> real)))));
         ()
      };
      (_C_36 : (t = u));
      
      {  
         (assert for default: (_C_37 : (jessie : (((x :> real) *
                                                    (1 /
                                                      \real_sqrt((x :> real)))) ==
                                                   \real_sqrt((x :> real))))));
         ()
      };
      
      {  (_C_39 : (__retres = (_C_38 : (x * t))));
         
         (return __retres)
      }
   }
}
========== file tests/c/float_sqrt.jessie/float_sqrt.cloc ==========
[_C_35]
file = "HOME/tests/c/float_sqrt.c"
line = 102
begin = 13
end = 31

[_C_28]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 21
end = 30

[_C_31]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 13

[_C_41]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 10
end = 23

[_C_4]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 17
end = 23

[_C_32]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 31

[_C_23]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 31

[_C_19]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 17
end = 18

[_C_42]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 10
end = 18

[_C_13]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 31

[_C_5]
file = "HOME/tests/c/float_sqrt.c"
line = 88
begin = 6
end = 18

[_C_36]
file = "HOME/tests/c/float_sqrt.c"
line = 103
begin = 6
end = 7

[_C_12]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 31

[sqrt]
name = "Function sqrt"
file = "HOME/tests/c/float_sqrt.c"
line = 85
begin = 7
end = 11

[_C_33]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 31

[_C_22]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 31

[_C_9]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 17
end = 18

[_C_30]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 17
end = 30

[_C_6]
file = "HOME/tests/c/float_sqrt.c"
line = 88
begin = 6
end = 18

[_C_24]
file = "HOME/tests/c/float_sqrt.c"
line = 96
begin = 13
end = 29

[_C_20]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 17
end = 30

[_C_38]
file = "HOME/tests/c/float_sqrt.c"
line = 106
begin = 9
end = 14

[_C_3]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 10
end = 18

[_C_17]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 21
end = 26

[_C_7]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 21
end = 26

[_C_27]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 21
end = 26

[_C_15]
file = "HOME/tests/c/float_sqrt.c"
line = 92
begin = 13
end = 31

[_C_26]
file = "HOME/tests/c/float_sqrt.c"
line = 98
begin = 6
end = 7

[_C_10]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 17
end = 30

[_C_40]
file = "HOME/tests/c/float_sqrt.c"
line = 83
begin = 9
end = 61

[_C_8]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 21
end = 30

[_C_18]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 21
end = 30

[_C_29]
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 17
end = 18

[_C_14]
file = "HOME/tests/c/float_sqrt.c"
line = 91
begin = 13
end = 29

[_C_37]
file = "HOME/tests/c/float_sqrt.c"
line = 105
begin = 13
end = 41

[_C_43]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 17
end = 23

[_C_2]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 10
end = 23

[_C_34]
file = "HOME/tests/c/float_sqrt.c"
line = 101
begin = 13
end = 29

[_C_16]
file = "HOME/tests/c/float_sqrt.c"
line = 93
begin = 6
end = 7

[newton]
name = "Lemma newton"
file = "HOME/tests/c/float_sqrt.c"
line = 68
begin = 1
end = 187

[_C_1]
file = "HOME/tests/c/float_sqrt.c"
line = 77
begin = 9
end = 64

[_C_25]
file = "HOME/tests/c/float_sqrt.c"
line = 97
begin = 13
end = 31

[_C_39]
file = "HOME/tests/c/float_sqrt.c"
line = 106
begin = 2
end = 15

[_C_11]
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 13

[_C_21]
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 13

========== jessie execution ==========
Generating Why function sqrt
========== file tests/c/float_sqrt.jessie/float_sqrt.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs float_sqrt.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs float_sqrt.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/float_sqrt_why.sx

project: why/float_sqrt.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/float_sqrt_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/float_sqrt_why.vo

coq/float_sqrt_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/float_sqrt_why.v: why/float_sqrt.why
	@echo 'why -coq [...] why/float_sqrt.why' && $(WHY) $(JESSIELIBFILES) why/float_sqrt.why && rm -f coq/jessie_why.v

coq-goals: goals coq/float_sqrt_ctx_why.vo
	for f in why/*_po*.why; do make -f float_sqrt.makefile coq/`basename $$f .why`_why.v ; done

coq/float_sqrt_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/float_sqrt_ctx_why.v: why/float_sqrt_ctx.why
	@echo 'why -coq [...] why/float_sqrt_ctx.why' && $(WHY) why/float_sqrt_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export float_sqrt_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/float_sqrt_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/float_sqrt_ctx_why.vo

pvs: pvs/float_sqrt_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/float_sqrt_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/float_sqrt_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/float_sqrt_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/float_sqrt_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/float_sqrt_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/float_sqrt_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/float_sqrt_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/float_sqrt_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/float_sqrt_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/float_sqrt_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/float_sqrt_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/float_sqrt_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/float_sqrt_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/float_sqrt_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: float_sqrt.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/float_sqrt_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: float_sqrt.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: float_sqrt.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: float_sqrt.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include float_sqrt.depend

depend: coq/float_sqrt_why.v
	-$(COQDEP) -I coq coq/float_sqrt*_why.v > float_sqrt.depend

clean:
	rm -f coq/*.vo

========== file tests/c/float_sqrt.jessie/float_sqrt.loc ==========
[JC_73]
file = "HOME/tests/c/float_sqrt.c"
line = 105
begin = 13
end = 41

[JC_63]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 31

[JC_51]
kind = UserCall
file = "HOME/tests/c/float_sqrt.c"
line = 88
begin = 6
end = 18

[JC_71]
file = "HOME/tests/c/float_sqrt.c"
line = 101
begin = 13
end = 29

[JC_45]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 17
end = 30

[JC_64]
file = "HOME/tests/c/float_sqrt.c"
line = 96
begin = 13
end = 29

[JC_31]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 17
end = 30

[JC_17]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 10
end = 23

[JC_55]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 17
end = 30

[JC_48]
file = "HOME/tests/c/float_sqrt.c"
line = 102
begin = 13
end = 31

[JC_23]
file = "HOME/tests/c/float_sqrt.c"
line = 83
begin = 9
end = 61

[JC_22]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_5]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 10
end = 18

[JC_67]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 21
end = 26

[JC_9]
file = "HOME/tests/c/float_sqrt.c"
line = 77
begin = 9
end = 64

[JC_24]
file = "HOME/tests/c/float_sqrt.c"
line = 83
begin = 9
end = 61

[JC_25]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_41]
file = "HOME/tests/c/float_sqrt.c"
line = 97
begin = 13
end = 31

[JC_74]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 106
begin = 9
end = 14

[JC_47]
file = "HOME/tests/c/float_sqrt.c"
line = 101
begin = 13
end = 29

[JC_52]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 13

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_54]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 21
end = 30

[JC_13]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_11]
file = "HOME/tests/c/float_sqrt.c"
line = 77
begin = 9
end = 64

[JC_70]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 31

[JC_15]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 10
end = 18

[JC_36]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 21
end = 26

[JC_39]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 31

[JC_40]
file = "HOME/tests/c/float_sqrt.c"
line = 96
begin = 13
end = 29

[JC_35]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 13

[JC_27]
kind = UserCall
file = "HOME/tests/c/float_sqrt.c"
line = 88
begin = 6
end = 18

[JC_69]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 17
end = 30

[JC_38]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 17
end = 30

[JC_12]
file = "HOME/tests/c/float_sqrt.jessie/float_sqrt.jc"
line = 55
begin = 10
end = 18

[JC_6]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 17
end = 23

[JC_44]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 21
end = 30

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 17
end = 30

[JC_42]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 13

[JC_46]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 31

[sqrt_ensures_default]
name = "Function sqrt"
behavior = "default behavior"
file = "HOME/tests/c/float_sqrt.c"
line = 85
begin = 7
end = 11

[JC_61]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 21
end = 30

[JC_32]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 31

[JC_56]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 31

[JC_33]
file = "HOME/tests/c/float_sqrt.c"
line = 91
begin = 13
end = 29

[JC_65]
file = "HOME/tests/c/float_sqrt.c"
line = 97
begin = 13
end = 31

[JC_29]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 21
end = 26

[JC_68]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 21
end = 30

[JC_7]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 10
end = 23

[JC_16]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 17
end = 23

[JC_43]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 21
end = 26

[JC_2]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 17
end = 23

[JC_34]
file = "HOME/tests/c/float_sqrt.c"
line = 92
begin = 13
end = 31

[JC_14]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_53]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 21
end = 26

[JC_21]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 10
end = 23

[JC_49]
file = "HOME/tests/c/float_sqrt.c"
line = 105
begin = 13
end = 41

[JC_1]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 10
end = 18

[JC_37]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 21
end = 30

[JC_10]
file = "HOME/tests/c/float_sqrt.jessie/float_sqrt.jc"
line = 55
begin = 10
end = 18

[JC_57]
file = "HOME/tests/c/float_sqrt.c"
line = 91
begin = 13
end = 29

[JC_66]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 100
begin = 6
end = 13

[JC_59]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 6
end = 13

[newton]
name = "Lemma newton"
behavior = "lemma"
file = "HOME/tests/c/float_sqrt.c"
line = 68
begin = 1
end = 187

[JC_20]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 17
end = 23

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/float_sqrt.c"
line = 76
begin = 10
end = 23

[sqrt_safety]
name = "Function sqrt"
behavior = "Safety"
file = "HOME/tests/c/float_sqrt.c"
line = 85
begin = 7
end = 11

[JC_60]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 95
begin = 21
end = 26

[JC_72]
file = "HOME/tests/c/float_sqrt.c"
line = 102
begin = 13
end = 31

[JC_19]
file = "HOME/tests/c/float_sqrt.c"
line = 82
begin = 10
end = 18

[JC_50]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 106
begin = 9
end = 14

[JC_30]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 21
end = 30

[JC_58]
file = "HOME/tests/c/float_sqrt.c"
line = 92
begin = 13
end = 31

[JC_28]
kind = FPOverflow
file = "HOME/tests/c/float_sqrt.c"
line = 90
begin = 6
end = 13

========== file tests/c/float_sqrt.jessie/why/float_sqrt.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate closeness(u:real, t_1:real, x_1:real) =
 (le_real(abs_real(sub_real(u,
                   mul_real(mul_real(0.5, t_1),
                   sub_real(3.0, mul_real(mul_real(t_1, t_1), x_1))))),
  1.0)
 and le_real(abs_real(sub_real(u, div_real(1.0, sqrt_real(x_1)))), 1.0))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

predicate newton_rel(t:real, x_0:real) =
 (div_real(sub_real(mul_real(mul_real(0.5, t),
                    sub_real(3.0, mul_real(mul_real(t, t), x_0))),
           div_real(1.0, sqrt_real(x_0))),
  div_real(1.0, sqrt_real(x_0))) = mul_real(neg_real(add_real(1.5,
                                                     mul_real(0.5,
                                                     div_real(sub_real(t,
                                                              div_real(1.0,
                                                              sqrt_real(x_0))),
                                                     div_real(1.0,
                                                     sqrt_real(x_0)))))),
                                   mul_real(div_real(sub_real(t,
                                                     div_real(1.0,
                                                     sqrt_real(x_0))),
                                            div_real(1.0, sqrt_real(x_0))),
                                   div_real(sub_real(t,
                                            div_real(1.0, sqrt_real(x_0))),
                                   div_real(1.0, sqrt_real(x_0))))))

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

lemma newton :
 (forall t_0:real.
  (forall x_0_1:real. (gt_real(x_0_1, 0.) -> newton_rel(t_0, x_0_1))))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter sqrt :
 x_2:double ->
  { } double
  { (JC_24:
    le_real(abs_real(sub_real(double_value(result),
                     sqrt_real(double_value(x_2)))),
    mul_real(0x1p-43, abs_real(sqrt_real(double_value(x_2)))))) }

parameter sqrt_init :
 x_0_0:double ->
  { } double
  { (JC_11:
    le_real(abs_real(sub_real(double_value(result),
                     div_real(1.0, sqrt_real(double_value(x_0_0))))),
    mul_real(0x1p-6, abs_real(div_real(1.0, sqrt_real(double_value(x_0_0))))))) }

parameter sqrt_init_requires :
 x_0_0:double ->
  { (JC_3:
    ((JC_1: le_real(0.5, double_value(x_0_0)))
    and (JC_2: le_real(double_value(x_0_0), 2.0))))}
  double
  { (JC_11:
    le_real(abs_real(sub_real(double_value(result),
                     div_real(1.0, sqrt_real(double_value(x_0_0))))),
    mul_real(0x1p-6, abs_real(div_real(1.0, sqrt_real(double_value(x_0_0))))))) }

parameter sqrt_requires :
 x_2:double ->
  { (JC_17:
    ((JC_15: le_real(0.5, double_value(x_2)))
    and (JC_16: le_real(double_value(x_2), 2.0))))}
  double
  { (JC_24:
    le_real(abs_real(sub_real(double_value(result),
                     sqrt_real(double_value(x_2)))),
    mul_real(0x1p-43, abs_real(sqrt_real(double_value(x_2)))))) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let sqrt_ensures_default =
 fun (x_2 : double) ->
  { (JC_21:
    ((JC_19: le_real(0.5, double_value(x_2)))
    and (JC_20: le_real(double_value(x_2), 2.0)))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let t_2 = ref (any_double void) in
     (let u_0 = ref (any_double void) in
     (let __retres = ref (any_double void) in
     begin
       (let _jessie_ =
       (t_2 := (let _jessie_ = x_2 in (JC_51: (sqrt_init _jessie_)))) in
       void);
      (let _jessie_ =
      (u_0 := (JC_56:
              (((mul_double_safe nearest_even) (JC_52:
                                               (((mul_double_safe nearest_even) 
                                                 (double_of_real_exact 0.5)) !t_2))) 
               (JC_55:
               (((sub_double_safe nearest_even) (double_of_real_exact 3.0)) 
                (JC_54:
                (((mul_double_safe nearest_even) (JC_53:
                                                 (((mul_double_safe nearest_even) !t_2) !t_2))) x_2))))))) in
      void);
      (assert { (JC_57: newton_rel(double_value(t_2), double_value(x_2))) };
      void); void;
      (assert
      { (JC_58:
        closeness(double_value(u_0), double_value(t_2), double_value(x_2))) };
      void); void; (let _jessie_ = (t_2 := !u_0) in void);
      (let _jessie_ =
      (u_0 := (JC_63:
              (((mul_double_safe nearest_even) (JC_59:
                                               (((mul_double_safe nearest_even) 
                                                 (double_of_real_exact 0.5)) !t_2))) 
               (JC_62:
               (((sub_double_safe nearest_even) (double_of_real_exact 3.0)) 
                (JC_61:
                (((mul_double_safe nearest_even) (JC_60:
                                                 (((mul_double_safe nearest_even) !t_2) !t_2))) x_2))))))) in
      void);
      (assert { (JC_64: newton_rel(double_value(t_2), double_value(x_2))) };
      void); void;
      (assert
      { (JC_65:
        closeness(double_value(u_0), double_value(t_2), double_value(x_2))) };
      void); void; (let _jessie_ = (t_2 := !u_0) in void);
      (let _jessie_ =
      (u_0 := (JC_70:
              (((mul_double_safe nearest_even) (JC_66:
                                               (((mul_double_safe nearest_even) 
                                                 (double_of_real_exact 0.5)) !t_2))) 
               (JC_69:
               (((sub_double_safe nearest_even) (double_of_real_exact 3.0)) 
                (JC_68:
                (((mul_double_safe nearest_even) (JC_67:
                                                 (((mul_double_safe nearest_even) !t_2) !t_2))) x_2))))))) in
      void);
      (assert { (JC_71: newton_rel(double_value(t_2), double_value(x_2))) };
      void); void;
      (assert
      { (JC_72:
        closeness(double_value(u_0), double_value(t_2), double_value(x_2))) };
      void); void; (let _jessie_ = (t_2 := !u_0) in void);
      (assert
      { (JC_73:
        (mul_real(double_value(x_2),
         div_real(1.0, sqrt_real(double_value(x_2)))) = sqrt_real(double_value(x_2)))) };
      void); void;
      (let _jessie_ =
      (__retres := (JC_74: (((mul_double_safe nearest_even) x_2) !t_2))) in
      void); (return := !__retres); (raise Return) end))); absurd  end with
   Return -> !return end))
  { (JC_23:
    le_real(abs_real(sub_real(double_value(result),
                     sqrt_real(double_value(x_2)))),
    mul_real(0x1p-43, abs_real(sqrt_real(double_value(x_2)))))) }

let sqrt_safety =
 fun (x_2 : double) ->
  { (JC_21:
    ((JC_19: le_real(0.5, double_value(x_2)))
    and (JC_20: le_real(double_value(x_2), 2.0)))) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let t_2 = ref (any_double void) in
     (let u_0 = ref (any_double void) in
     (let __retres = ref (any_double void) in
     begin
       (let _jessie_ =
       (t_2 := (let _jessie_ = x_2 in
               (JC_27: (sqrt_init_requires _jessie_)))) in void);
      (let _jessie_ =
      (u_0 := (JC_32:
              (((mul_double nearest_even) (JC_28:
                                          (((mul_double nearest_even) 
                                            (double_of_real_exact 0.5)) !t_2))) 
               (JC_31:
               (((sub_double nearest_even) (double_of_real_exact 3.0)) 
                (JC_30:
                (((mul_double nearest_even) (JC_29:
                                            (((mul_double nearest_even) !t_2) !t_2))) x_2))))))) in
      void);
      [ { } unit reads t_2
        { (JC_33: newton_rel(double_value(t_2), double_value(x_2))) } ];
      void;
      [ { } unit reads t_2,u_0
        { (JC_34:
          closeness(double_value(u_0), double_value(t_2), double_value(x_2))) } ];
      void; (let _jessie_ = (t_2 := !u_0) in void);
      (let _jessie_ =
      (u_0 := (JC_39:
              (((mul_double nearest_even) (JC_35:
                                          (((mul_double nearest_even) 
                                            (double_of_real_exact 0.5)) !t_2))) 
               (JC_38:
               (((sub_double nearest_even) (double_of_real_exact 3.0)) 
                (JC_37:
                (((mul_double nearest_even) (JC_36:
                                            (((mul_double nearest_even) !t_2) !t_2))) x_2))))))) in
      void);
      [ { } unit reads t_2
        { (JC_40: newton_rel(double_value(t_2), double_value(x_2))) } ];
      void;
      [ { } unit reads t_2,u_0
        { (JC_41:
          closeness(double_value(u_0), double_value(t_2), double_value(x_2))) } ];
      void; (let _jessie_ = (t_2 := !u_0) in void);
      (let _jessie_ =
      (u_0 := (JC_46:
              (((mul_double nearest_even) (JC_42:
                                          (((mul_double nearest_even) 
                                            (double_of_real_exact 0.5)) !t_2))) 
               (JC_45:
               (((sub_double nearest_even) (double_of_real_exact 3.0)) 
                (JC_44:
                (((mul_double nearest_even) (JC_43:
                                            (((mul_double nearest_even) !t_2) !t_2))) x_2))))))) in
      void);
      [ { } unit reads t_2
        { (JC_47: newton_rel(double_value(t_2), double_value(x_2))) } ];
      void;
      [ { } unit reads t_2,u_0
        { (JC_48:
          closeness(double_value(u_0), double_value(t_2), double_value(x_2))) } ];
      void; (let _jessie_ = (t_2 := !u_0) in void);
      [ { } unit
        { (JC_49:
          (mul_real(double_value(x_2),
           div_real(1.0, sqrt_real(double_value(x_2)))) = sqrt_real(double_value(x_2)))) } ];
      void;
      (let _jessie_ =
      (__retres := (JC_50: (((mul_double nearest_even) x_2) !t_2))) in void);
      (return := !__retres); (raise Return) end))); absurd  end with
   Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/float_sqrt.why
========== file tests/c/float_sqrt.jessie/why/float_sqrt_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

predicate closeness(u: real, t_1: real, x_1: real) =
  ((abs_real((u - ((0.5 * t_1) * (3.0 - ((t_1 * t_1) * x_1))))) <= 1.0) and
   (abs_real((u - div_real(1.0, sqrt_real(x_1)))) <= 1.0))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

predicate newton_rel(t: real, x_0: real) =
  (div_real((((0.5 * t) * (3.0 - ((t * t) * x_0))) - div_real(1.0,
  sqrt_real(x_0))), div_real(1.0,
  sqrt_real(x_0))) = ((-(1.5 + (0.5 * div_real((t - div_real(1.0,
  sqrt_real(x_0))), div_real(1.0,
  sqrt_real(x_0)))))) * (div_real((t - div_real(1.0, sqrt_real(x_0))),
  div_real(1.0, sqrt_real(x_0))) * div_real((t - div_real(1.0,
  sqrt_real(x_0))), div_real(1.0, sqrt_real(x_0))))))

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal newton:
  (forall t_0:real.
    (forall x_0_1:real. ((x_0_1 > 0.) -> newton_rel(t_0, x_0_1))))

axiom newton_as_axiom:
  (forall t_0:real.
    (forall x_0_1:real. ((x_0_1 > 0.) -> newton_rel(t_0, x_0_1))))

goal sqrt_ensures_default_po_1:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_57": newton_rel(double_value(t_2), double_value(x_2)))

goal sqrt_ensures_default_po_2:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_57": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_58": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2)))

goal sqrt_ensures_default_po_3:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_57": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_58": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  forall result13:double.
  mul_double_post(nearest_even, result8, result12, result13) ->
  forall u_0_0:double.
  (u_0_0 = result13) ->
  ("JC_64": newton_rel(double_value(t_2_0), double_value(x_2)))

goal sqrt_ensures_default_po_4:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_57": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_58": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  forall result13:double.
  mul_double_post(nearest_even, result8, result12, result13) ->
  forall u_0_0:double.
  (u_0_0 = result13) ->
  ("JC_64": newton_rel(double_value(t_2_0), double_value(x_2))) ->
  ("JC_65": closeness(double_value(u_0_0), double_value(t_2_0),
  double_value(x_2)))

goal sqrt_ensures_default_po_5:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_57": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_58": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  forall result13:double.
  mul_double_post(nearest_even, result8, result12, result13) ->
  forall u_0_0:double.
  (u_0_0 = result13) ->
  ("JC_64": newton_rel(double_value(t_2_0), double_value(x_2))) ->
  ("JC_65": closeness(double_value(u_0_0), double_value(t_2_0),
  double_value(x_2))) ->
  forall t_2_1:double.
  (t_2_1 = u_0_0) ->
  forall result14:double.
  ((double_value(result14) = 0.5) and
   ((double_exact(result14) = 0.5) and (double_model(result14) = 0.5))) ->
  forall result15:double.
  mul_double_post(nearest_even, result14, t_2_1, result15) ->
  forall result16:double.
  ((double_value(result16) = 3.0) and
   ((double_exact(result16) = 3.0) and (double_model(result16) = 3.0))) ->
  forall result17:double.
  mul_double_post(nearest_even, t_2_1, t_2_1, result17) ->
  forall result18:double.
  mul_double_post(nearest_even, result17, x_2, result18) ->
  forall result19:double.
  sub_double_post(nearest_even, result16, result18, result19) ->
  forall result20:double.
  mul_double_post(nearest_even, result15, result19, result20) ->
  forall u_0_1:double.
  (u_0_1 = result20) ->
  ("JC_71": newton_rel(double_value(t_2_1), double_value(x_2)))

goal sqrt_ensures_default_po_6:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_57": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_58": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  forall result13:double.
  mul_double_post(nearest_even, result8, result12, result13) ->
  forall u_0_0:double.
  (u_0_0 = result13) ->
  ("JC_64": newton_rel(double_value(t_2_0), double_value(x_2))) ->
  ("JC_65": closeness(double_value(u_0_0), double_value(t_2_0),
  double_value(x_2))) ->
  forall t_2_1:double.
  (t_2_1 = u_0_0) ->
  forall result14:double.
  ((double_value(result14) = 0.5) and
   ((double_exact(result14) = 0.5) and (double_model(result14) = 0.5))) ->
  forall result15:double.
  mul_double_post(nearest_even, result14, t_2_1, result15) ->
  forall result16:double.
  ((double_value(result16) = 3.0) and
   ((double_exact(result16) = 3.0) and (double_model(result16) = 3.0))) ->
  forall result17:double.
  mul_double_post(nearest_even, t_2_1, t_2_1, result17) ->
  forall result18:double.
  mul_double_post(nearest_even, result17, x_2, result18) ->
  forall result19:double.
  sub_double_post(nearest_even, result16, result18, result19) ->
  forall result20:double.
  mul_double_post(nearest_even, result15, result19, result20) ->
  forall u_0_1:double.
  (u_0_1 = result20) ->
  ("JC_71": newton_rel(double_value(t_2_1), double_value(x_2))) ->
  ("JC_72": closeness(double_value(u_0_1), double_value(t_2_1),
  double_value(x_2)))

goal sqrt_ensures_default_po_7:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_57": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_58": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  forall result13:double.
  mul_double_post(nearest_even, result8, result12, result13) ->
  forall u_0_0:double.
  (u_0_0 = result13) ->
  ("JC_64": newton_rel(double_value(t_2_0), double_value(x_2))) ->
  ("JC_65": closeness(double_value(u_0_0), double_value(t_2_0),
  double_value(x_2))) ->
  forall t_2_1:double.
  (t_2_1 = u_0_0) ->
  forall result14:double.
  ((double_value(result14) = 0.5) and
   ((double_exact(result14) = 0.5) and (double_model(result14) = 0.5))) ->
  forall result15:double.
  mul_double_post(nearest_even, result14, t_2_1, result15) ->
  forall result16:double.
  ((double_value(result16) = 3.0) and
   ((double_exact(result16) = 3.0) and (double_model(result16) = 3.0))) ->
  forall result17:double.
  mul_double_post(nearest_even, t_2_1, t_2_1, result17) ->
  forall result18:double.
  mul_double_post(nearest_even, result17, x_2, result18) ->
  forall result19:double.
  sub_double_post(nearest_even, result16, result18, result19) ->
  forall result20:double.
  mul_double_post(nearest_even, result15, result19, result20) ->
  forall u_0_1:double.
  (u_0_1 = result20) ->
  ("JC_71": newton_rel(double_value(t_2_1), double_value(x_2))) ->
  ("JC_72": closeness(double_value(u_0_1), double_value(t_2_1),
  double_value(x_2))) ->
  forall t_2_2:double.
  (t_2_2 = u_0_1) ->
  ("JC_73": ((double_value(x_2) * div_real(1.0,
  sqrt_real(double_value(x_2)))) = sqrt_real(double_value(x_2))))

goal sqrt_ensures_default_po_8:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_57": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_58": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  forall result13:double.
  mul_double_post(nearest_even, result8, result12, result13) ->
  forall u_0_0:double.
  (u_0_0 = result13) ->
  ("JC_64": newton_rel(double_value(t_2_0), double_value(x_2))) ->
  ("JC_65": closeness(double_value(u_0_0), double_value(t_2_0),
  double_value(x_2))) ->
  forall t_2_1:double.
  (t_2_1 = u_0_0) ->
  forall result14:double.
  ((double_value(result14) = 0.5) and
   ((double_exact(result14) = 0.5) and (double_model(result14) = 0.5))) ->
  forall result15:double.
  mul_double_post(nearest_even, result14, t_2_1, result15) ->
  forall result16:double.
  ((double_value(result16) = 3.0) and
   ((double_exact(result16) = 3.0) and (double_model(result16) = 3.0))) ->
  forall result17:double.
  mul_double_post(nearest_even, t_2_1, t_2_1, result17) ->
  forall result18:double.
  mul_double_post(nearest_even, result17, x_2, result18) ->
  forall result19:double.
  sub_double_post(nearest_even, result16, result18, result19) ->
  forall result20:double.
  mul_double_post(nearest_even, result15, result19, result20) ->
  forall u_0_1:double.
  (u_0_1 = result20) ->
  ("JC_71": newton_rel(double_value(t_2_1), double_value(x_2))) ->
  ("JC_72": closeness(double_value(u_0_1), double_value(t_2_1),
  double_value(x_2))) ->
  forall t_2_2:double.
  (t_2_2 = u_0_1) ->
  ("JC_73": ((double_value(x_2) * div_real(1.0,
  sqrt_real(double_value(x_2)))) = sqrt_real(double_value(x_2)))) ->
  forall result21:double.
  mul_double_post(nearest_even, x_2, t_2_2, result21) ->
  forall __retres:double.
  (__retres = result21) ->
  forall return:double.
  (return = __retres) ->
  ("JC_23":
  (abs_real((double_value(return) - sqrt_real(double_value(x_2)))) <= (0x1.p-43 * abs_real(sqrt_real(double_value(x_2))))))

goal sqrt_safety_po_1:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2)))

goal sqrt_safety_po_2:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even, (double_value(t_2) * double_value(t_2)))

goal sqrt_safety_po_3:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2)))

goal sqrt_safety_po_4:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4)))

goal sqrt_safety_po_5:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4))) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result5)))

goal sqrt_safety_po_6:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4))) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result5))) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_33": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_34": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result7) * double_value(t_2_0)))

goal sqrt_safety_po_7:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4))) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result5))) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_33": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_34": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result7) * double_value(t_2_0))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_0) * double_value(t_2_0)))

goal sqrt_safety_po_8:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4))) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result5))) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_33": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_34": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result7) * double_value(t_2_0))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_0) * double_value(t_2_0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  no_overflow_double(nearest_even,
  (double_value(result10) * double_value(x_2)))

goal sqrt_safety_po_9:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4))) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result5))) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_33": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_34": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result7) * double_value(t_2_0))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_0) * double_value(t_2_0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  no_overflow_double(nearest_even,
  (double_value(result10) * double_value(x_2))) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  no_overflow_double(nearest_even,
  (double_value(result9) - double_value(result11)))

goal sqrt_safety_po_10:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4))) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result5))) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_33": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_34": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result7) * double_value(t_2_0))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_0) * double_value(t_2_0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  no_overflow_double(nearest_even,
  (double_value(result10) * double_value(x_2))) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  no_overflow_double(nearest_even,
  (double_value(result9) - double_value(result11))) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  no_overflow_double(nearest_even,
  (double_value(result8) * double_value(result12)))

goal sqrt_safety_po_11:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4))) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result5))) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_33": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_34": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result7) * double_value(t_2_0))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_0) * double_value(t_2_0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  no_overflow_double(nearest_even,
  (double_value(result10) * double_value(x_2))) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  no_overflow_double(nearest_even,
  (double_value(result9) - double_value(result11))) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  no_overflow_double(nearest_even,
  (double_value(result8) * double_value(result12))) ->
  forall result13:double.
  mul_double_post(nearest_even, result8, result12, result13) ->
  forall u_0_0:double.
  (u_0_0 = result13) ->
  ("JC_40": newton_rel(double_value(t_2_0), double_value(x_2))) ->
  ("JC_41": closeness(double_value(u_0_0), double_value(t_2_0),
  double_value(x_2))) ->
  forall t_2_1:double.
  (t_2_1 = u_0_0) ->
  forall result14:double.
  ((double_value(result14) = 0.5) and
   ((double_exact(result14) = 0.5) and (double_model(result14) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result14) * double_value(t_2_1)))

goal sqrt_safety_po_12:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4))) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result5))) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_33": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_34": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result7) * double_value(t_2_0))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_0) * double_value(t_2_0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  no_overflow_double(nearest_even,
  (double_value(result10) * double_value(x_2))) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  no_overflow_double(nearest_even,
  (double_value(result9) - double_value(result11))) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  no_overflow_double(nearest_even,
  (double_value(result8) * double_value(result12))) ->
  forall result13:double.
  mul_double_post(nearest_even, result8, result12, result13) ->
  forall u_0_0:double.
  (u_0_0 = result13) ->
  ("JC_40": newton_rel(double_value(t_2_0), double_value(x_2))) ->
  ("JC_41": closeness(double_value(u_0_0), double_value(t_2_0),
  double_value(x_2))) ->
  forall t_2_1:double.
  (t_2_1 = u_0_0) ->
  forall result14:double.
  ((double_value(result14) = 0.5) and
   ((double_exact(result14) = 0.5) and (double_model(result14) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result14) * double_value(t_2_1))) ->
  forall result15:double.
  mul_double_post(nearest_even, result14, t_2_1, result15) ->
  forall result16:double.
  ((double_value(result16) = 3.0) and
   ((double_exact(result16) = 3.0) and (double_model(result16) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_1) * double_value(t_2_1)))

goal sqrt_safety_po_13:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4))) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result5))) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_33": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_34": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result7) * double_value(t_2_0))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_0) * double_value(t_2_0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  no_overflow_double(nearest_even,
  (double_value(result10) * double_value(x_2))) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  no_overflow_double(nearest_even,
  (double_value(result9) - double_value(result11))) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  no_overflow_double(nearest_even,
  (double_value(result8) * double_value(result12))) ->
  forall result13:double.
  mul_double_post(nearest_even, result8, result12, result13) ->
  forall u_0_0:double.
  (u_0_0 = result13) ->
  ("JC_40": newton_rel(double_value(t_2_0), double_value(x_2))) ->
  ("JC_41": closeness(double_value(u_0_0), double_value(t_2_0),
  double_value(x_2))) ->
  forall t_2_1:double.
  (t_2_1 = u_0_0) ->
  forall result14:double.
  ((double_value(result14) = 0.5) and
   ((double_exact(result14) = 0.5) and (double_model(result14) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result14) * double_value(t_2_1))) ->
  forall result15:double.
  mul_double_post(nearest_even, result14, t_2_1, result15) ->
  forall result16:double.
  ((double_value(result16) = 3.0) and
   ((double_exact(result16) = 3.0) and (double_model(result16) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_1) * double_value(t_2_1))) ->
  forall result17:double.
  mul_double_post(nearest_even, t_2_1, t_2_1, result17) ->
  no_overflow_double(nearest_even,
  (double_value(result17) * double_value(x_2)))

goal sqrt_safety_po_14:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4))) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result5))) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_33": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_34": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result7) * double_value(t_2_0))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_0) * double_value(t_2_0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  no_overflow_double(nearest_even,
  (double_value(result10) * double_value(x_2))) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  no_overflow_double(nearest_even,
  (double_value(result9) - double_value(result11))) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  no_overflow_double(nearest_even,
  (double_value(result8) * double_value(result12))) ->
  forall result13:double.
  mul_double_post(nearest_even, result8, result12, result13) ->
  forall u_0_0:double.
  (u_0_0 = result13) ->
  ("JC_40": newton_rel(double_value(t_2_0), double_value(x_2))) ->
  ("JC_41": closeness(double_value(u_0_0), double_value(t_2_0),
  double_value(x_2))) ->
  forall t_2_1:double.
  (t_2_1 = u_0_0) ->
  forall result14:double.
  ((double_value(result14) = 0.5) and
   ((double_exact(result14) = 0.5) and (double_model(result14) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result14) * double_value(t_2_1))) ->
  forall result15:double.
  mul_double_post(nearest_even, result14, t_2_1, result15) ->
  forall result16:double.
  ((double_value(result16) = 3.0) and
   ((double_exact(result16) = 3.0) and (double_model(result16) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_1) * double_value(t_2_1))) ->
  forall result17:double.
  mul_double_post(nearest_even, t_2_1, t_2_1, result17) ->
  no_overflow_double(nearest_even,
  (double_value(result17) * double_value(x_2))) ->
  forall result18:double.
  mul_double_post(nearest_even, result17, x_2, result18) ->
  no_overflow_double(nearest_even,
  (double_value(result16) - double_value(result18)))

goal sqrt_safety_po_15:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4))) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result5))) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_33": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_34": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result7) * double_value(t_2_0))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_0) * double_value(t_2_0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  no_overflow_double(nearest_even,
  (double_value(result10) * double_value(x_2))) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  no_overflow_double(nearest_even,
  (double_value(result9) - double_value(result11))) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  no_overflow_double(nearest_even,
  (double_value(result8) * double_value(result12))) ->
  forall result13:double.
  mul_double_post(nearest_even, result8, result12, result13) ->
  forall u_0_0:double.
  (u_0_0 = result13) ->
  ("JC_40": newton_rel(double_value(t_2_0), double_value(x_2))) ->
  ("JC_41": closeness(double_value(u_0_0), double_value(t_2_0),
  double_value(x_2))) ->
  forall t_2_1:double.
  (t_2_1 = u_0_0) ->
  forall result14:double.
  ((double_value(result14) = 0.5) and
   ((double_exact(result14) = 0.5) and (double_model(result14) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result14) * double_value(t_2_1))) ->
  forall result15:double.
  mul_double_post(nearest_even, result14, t_2_1, result15) ->
  forall result16:double.
  ((double_value(result16) = 3.0) and
   ((double_exact(result16) = 3.0) and (double_model(result16) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_1) * double_value(t_2_1))) ->
  forall result17:double.
  mul_double_post(nearest_even, t_2_1, t_2_1, result17) ->
  no_overflow_double(nearest_even,
  (double_value(result17) * double_value(x_2))) ->
  forall result18:double.
  mul_double_post(nearest_even, result17, x_2, result18) ->
  no_overflow_double(nearest_even,
  (double_value(result16) - double_value(result18))) ->
  forall result19:double.
  sub_double_post(nearest_even, result16, result18, result19) ->
  no_overflow_double(nearest_even,
  (double_value(result15) * double_value(result19)))

goal sqrt_safety_po_16:
  forall x_2:double.
  ("JC_21":
  (("JC_19": (0.5 <= double_value(x_2))) and
   ("JC_20": (double_value(x_2) <= 2.0)))) ->
  ("JC_3":
  (("JC_1": (0.5 <= double_value(x_2))) and
   ("JC_2": (double_value(x_2) <= 2.0)))) ->
  forall result:double.
  ("JC_11": (abs_real((double_value(result) - div_real(1.0,
  sqrt_real(double_value(x_2))))) <= (0x1.p-6 * abs_real(div_real(1.0,
  sqrt_real(double_value(x_2))))))) ->
  forall t_2:double.
  (t_2 = result) ->
  forall result0:double.
  ((double_value(result0) = 0.5) and
   ((double_exact(result0) = 0.5) and (double_model(result0) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(t_2))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, t_2, result1) ->
  forall result2:double.
  ((double_value(result2) = 3.0) and
   ((double_exact(result2) = 3.0) and (double_model(result2) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2) * double_value(t_2))) ->
  forall result3:double.
  mul_double_post(nearest_even, t_2, t_2, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_2))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_2, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result2) - double_value(result4))) ->
  forall result5:double.
  sub_double_post(nearest_even, result2, result4, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result1) * double_value(result5))) ->
  forall result6:double.
  mul_double_post(nearest_even, result1, result5, result6) ->
  forall u_0:double.
  (u_0 = result6) ->
  ("JC_33": newton_rel(double_value(t_2), double_value(x_2))) ->
  ("JC_34": closeness(double_value(u_0), double_value(t_2),
  double_value(x_2))) ->
  forall t_2_0:double.
  (t_2_0 = u_0) ->
  forall result7:double.
  ((double_value(result7) = 0.5) and
   ((double_exact(result7) = 0.5) and (double_model(result7) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result7) * double_value(t_2_0))) ->
  forall result8:double.
  mul_double_post(nearest_even, result7, t_2_0, result8) ->
  forall result9:double.
  ((double_value(result9) = 3.0) and
   ((double_exact(result9) = 3.0) and (double_model(result9) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_0) * double_value(t_2_0))) ->
  forall result10:double.
  mul_double_post(nearest_even, t_2_0, t_2_0, result10) ->
  no_overflow_double(nearest_even,
  (double_value(result10) * double_value(x_2))) ->
  forall result11:double.
  mul_double_post(nearest_even, result10, x_2, result11) ->
  no_overflow_double(nearest_even,
  (double_value(result9) - double_value(result11))) ->
  forall result12:double.
  sub_double_post(nearest_even, result9, result11, result12) ->
  no_overflow_double(nearest_even,
  (double_value(result8) * double_value(result12))) ->
  forall result13:double.
  mul_double_post(nearest_even, result8, result12, result13) ->
  forall u_0_0:double.
  (u_0_0 = result13) ->
  ("JC_40": newton_rel(double_value(t_2_0), double_value(x_2))) ->
  ("JC_41": closeness(double_value(u_0_0), double_value(t_2_0),
  double_value(x_2))) ->
  forall t_2_1:double.
  (t_2_1 = u_0_0) ->
  forall result14:double.
  ((double_value(result14) = 0.5) and
   ((double_exact(result14) = 0.5) and (double_model(result14) = 0.5))) ->
  no_overflow_double(nearest_even,
  (double_value(result14) * double_value(t_2_1))) ->
  forall result15:double.
  mul_double_post(nearest_even, result14, t_2_1, result15) ->
  forall result16:double.
  ((double_value(result16) = 3.0) and
   ((double_exact(result16) = 3.0) and (double_model(result16) = 3.0))) ->
  no_overflow_double(nearest_even,
  (double_value(t_2_1) * double_value(t_2_1))) ->
  forall result17:double.
  mul_double_post(nearest_even, t_2_1, t_2_1, result17) ->
  no_overflow_double(nearest_even,
  (double_value(result17) * double_value(x_2))) ->
  forall result18:double.
  mul_double_post(nearest_even, result17, x_2, result18) ->
  no_overflow_double(nearest_even,
  (double_value(result16) - double_value(result18))) ->
  forall result19:double.
  sub_double_post(nearest_even, result16, result18, result19) ->
  no_overflow_double(nearest_even,
  (double_value(result15) * double_value(result19))) ->
  forall result20:double.
  mul_double_post(nearest_even, result15, result19, result20) ->
  forall u_0_1:double.
  (u_0_1 = result20) ->
  ("JC_47": newton_rel(double_value(t_2_1), double_value(x_2))) ->
  ("JC_48": closeness(double_value(u_0_1), double_value(t_2_1),
  double_value(x_2))) ->
  forall t_2_2:double.
  (t_2_2 = u_0_1) ->
  ("JC_49": ((double_value(x_2) * div_real(1.0,
  sqrt_real(double_value(x_2)))) = sqrt_real(double_value(x_2)))) ->
  no_overflow_double(nearest_even, (double_value(x_2) * double_value(t_2_2)))

why-2.34/tests/c/oracle/power.err.oracle0000644000175000017500000000030412311670312016555 0ustar  rtusersFile "why/power.why", line 159, characters 27-108:
Unbound variable pow_int
make: *** [why/power_why.why] Error 1
sed: can't read tests/c/power.jessie/why/power_why.why: No such file or directory
why-2.34/tests/c/oracle/sparse_array.res.oracle0000644000175000017500000001263112311670312020123 0ustar  rtusers========== file tests/c/sparse_array.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned int uint;

#define MAXLEN 1000

typedef struct SparseArray {
  int val[MAXLEN];
  uint idx[MAXLEN], back[MAXLEN];
  uint n;
  uint sz;
} *sparse_array;

/*@ requires sz <= MAXLEN;
  @ ensures \fresh(\result,sizeof(struct SparseArray));
  @*/
sparse_array create(uint sz) {
  sparse_array a = (sparse_array)malloc(sizeof(struct SparseArray));
  a->n = 0;
  a->sz = sz;
  return a;
}

/*@ requires \valid(a);
  @*/
int get(sparse_array a, uint i) {
  if (a->idx[i] < a->n && a-> back[a->idx[i]] == i) return a->val[i];
  else return 0;
}

/*@ requires \valid(a);
  @*/
void set(sparse_array a, uint i, int v) {
  a->val[i] = v;
  if (!(a->idx[i] < a->n && a-> back[a->idx[i]] == i)) {
    //@ assert a->n < MAXLEN;
    a->idx[i] = a->n; a->back[a->n] = i; a->n++;
  }
}



int main() {
  sparse_array a = create(10), b = create(20);
  int x,y;
  x = get(a,5); y = get(b,7);
  //@ assert x == 0 && y == 0;
  set(a,5,1); set(b,7,2);
  x = get(a,5); y = get(b,7);
  //@ assert x == 1 && y == 2;
  x = get(a,0); y = get(b,0);
  //@ assert x == 0 && y == 0;
  return 0;
}





/*
Local Variables:
compile-command: "make sparse_array.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/sparse_array.c"
tests/c/sparse_array.c:47:[kernel] warning: Calling undeclared function malloc. Old style K&R code?
[jessie] Starting Jessie translation
tests/c/sparse_array.c:72:[kernel] warning: Neither code nor specification for function malloc, generating default assigns from the prototype
[kernel] Current source was: tests/c/sparse_array.c:47
         The full backtrace is:
         Raised at file "src/kernel/ast_info.ml", line 391, characters 11-23
         Called from file "src/kernel/ast_info.ml", line 394, characters 19-43
         Called from file "interp.ml", line 1816, characters 22-50
         Called from file "interp.ml", line 1953, characters 17-30
         Called from file "list.ml", line 66, characters 22-25
         Called from file "interp.ml", line 2119, characters 36-66
         Called from file "interp.ml", line 2568, characters 40-71
         Called from file "list.ml", line 66, characters 22-25
         Called from file "interp.ml", line 2701, characters 27-66
         Called from file "register.ml", line 176, characters 16-32
         Called from file "register.ml", line 327, characters 6-12
         Called from file "queue.ml", line 134, characters 6-20
         Called from file "src/kernel/boot.ml", line 37, characters 4-20
         Called from file "src/kernel/cmdline.ml", line 735, characters 2-9
         Called from file "src/kernel/cmdline.ml", line 214, characters 4-8
         
         Unexpected error (File "src/kernel/ast_info.ml", line 391, characters 11-17: Assertion failed).
         Please report as 'crash' at http://bts.frama-c.com/.
         Your Frama-C version is Neon-20140301.
         Note that a version and a backtrace alone often do not contain enough
         information to understand the bug. Guidelines for reporting bugs are at:
         http://bts.frama-c.com/dokuwiki/doku.php?id=mantis:frama-c:bug_reporting_guidelines
why-2.34/tests/c/oracle/tree_max.err.oracle0000644000175000017500000000000012311670312017216 0ustar  rtuserswhy-2.34/tests/c/oracle/popHeap.err.oracle0000644000175000017500000000000012311670312017006 0ustar  rtuserswhy-2.34/tests/c/oracle/flag.res.oracle0000644000175000017500000060755212311670312016355 0ustar  rtusers========== file tests/c/flag.c ==========
/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2011                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud 11                */
/*    Claude MARCHE, INRIA & Univ. Paris-sud 11                           */
/*    Yannick MOY, Univ. Paris-sud 11                                     */
/*    Romain BARDOU, Univ. Paris-sud 11                                   */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud 11  (former Caduceus front-end)     */
/*    Nicolas ROUSSET, Univ. Paris-sud 11 (on Jessie & Krakatoa)          */
/*    Ali AYAD, CNRS & CEA Saclay         (floating-point support)        */
/*    Sylvie BOLDO, INRIA                 (floating-point support)        */
/*    Jean-Francois COUCHOT, INRIA        (sort encodings, hyps pruning)  */
/*    Mehdi DOGGUY, Univ. Paris-sud 11    (Why GUI)                       */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* Dijkstra's dutch flag */

#pragma JessieIntegerModel(math)

typedef char color;

#define BLUE (color)1
#define WHITE (color)2
#define RED (color)3

/*@ predicate is_color(color c) =
  @   c == BLUE || c == WHITE || c == RED ;
  @*/

/*@ predicate is_color_array{L}(color *t, integer l) =
  @   \valid_range(t,0,l-1) &&
  @   \forall integer i; 0 <= i < l ==> is_color(t[i]) ;
  @*/

/*@ predicate is_monochrome{L}(color *t,integer i, integer j, color c) =
  @   \forall integer k; i <= k < j ==> t[k] == c ;
  @*/


/*@ requires \valid_range(t,i,j);
  @ behavior decides_monochromatic:
  @   ensures \result <==> is_monochrome(t,i,j,c);
  @*/
int isMonochrome(color t[], int i, int j, color c) {
  /*@ loop invariant i <= k &&
    @   \forall integer l; i <= l < k ==> t[l] == c;
    @ loop variant j - k;
    @*/
  for (int k = i; k < j; k++) if (t[k] != c) return 0;
  return 1;
}

/*@ requires \valid_index(t,i);
  @ requires \valid_index(t,j);
  @ behavior i_j_swapped:
  @   assigns t[i],t[j];
  @   ensures t[i] == \old(t[j]) && t[j] == \old(t[i]);
  @*/
void swap(color t[], int i, int j) {
  color z = t[i];
  t[i] = t[j];
  t[j] = z;
}

/*@ requires l >= 0 && is_color_array(t, l);
  @ behavior sorts:
  @   ensures
  @     (\exists integer b,r;
  @        is_monochrome(t,0,b,BLUE) &&
  @        is_monochrome(t,b,r,WHITE) &&
  @        is_monochrome(t,r,l,RED));
  @*/
void flag(color t[], int l) {
  int b = 0;
  int i = 0;
  int r = l;
  /*@ loop invariant
    @   is_color_array(t,l) &&
    @   0 <= b <= i <= r <= l &&
    @   is_monochrome(t,0,b,BLUE) &&
    @   is_monochrome(t,b,i,WHITE) &&
    @   is_monochrome(t,r,l,RED);
    @ loop variant r - i;
    @*/
  while (i < r) {
    switch (t[i]) {
    case BLUE:
      swap(t,b++, i++);
      break;
    case WHITE:
      i++;
      break;
    case RED:
      swap(t,--r, i);
      break;
    }
  }
}



/*
Local Variables:
compile-command: "make flag.why3ide"
End:
*/
========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/flag.c"
tests/c/flag.c:47:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
tests/c/flag.c:56:[kernel] warning: parsing obsolete ACSL construct '\valid_range(addr,min,max)'. '\valid(addr+(min..max))' should be used instead.
tests/c/flag.c:69:[kernel] warning: parsing obsolete ACSL construct '\valid_index(addr,idx)'. '\valid(addr+idx)' should be used instead.
tests/c/flag.c:70:[kernel] warning: parsing obsolete ACSL construct '\valid_index(addr,idx)'. '\valid(addr+idx)' should be used instead.
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/flag.jessie
[jessie] File tests/c/flag.jessie/flag.jc written.
[jessie] File tests/c/flag.jessie/flag.cloc written.
========== file tests/c/flag.jessie/flag.jc ==========
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

tag unsigned_charP = {
  integer unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  integer charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

predicate is_color(integer c) =
(((c == 1) || (c == 2)) || (c == 3))

predicate is_color_array{L}(charP[..] t, integer l) =
(((\offset_min(t) <= 0) && (\offset_max(t) >= (l - 1))) &&
  (\forall integer i_1;
    (((0 <= i_1) && (i_1 < l)) ==> is_color((t + i_1).charM))))

predicate is_monochrome{L}(charP[..] t_0, integer i_2, integer j_0,
                           integer c_0) =
(\forall integer k;
  (((i_2 <= k) && (k < j_0)) ==> ((t_0 + k).charM == c_0)))

integer isMonochrome(charP[..] t_0, integer i, integer j, integer c)
  requires (_C_14 : ((_C_15 : (\offset_min(t_0) <= i)) &&
                      (_C_16 : (\offset_max(t_0) >= j))));
behavior default:
  ensures (_C_12 : true);
behavior decides_monochromatic:
  ensures (_C_13 : ((\result != 0) <==>
                     is_monochrome{Here}(\at(t_0,Old), \at(i,Old),
                                         \at(j,Old), \at(c,Old))));
{  
   (var integer k);
   
   (var integer __retres);
   
   {  
      {  (_C_1 : (k = i));
         
         loop 
         behavior default:
           invariant (_C_3 : ((_C_4 : (i <= k)) &&
                               (_C_5 : (\forall integer l_0;
                                         (((i <= l_0) && (l_0 < k)) ==>
                                           ((t_0 + l_0).charM == c))))));
         variant (_C_2 : (j - k));
         while (true)
         {  
            {  (if (k < j) then () else 
               (goto while_0_break));
               (if ((_C_8 : (_C_7 : (t_0 + k)).charM) != c) then 
               {  (_C_6 : (__retres = 0));
                  
                  (goto return_label)
               } else ());
               (_C_10 : (k = (_C_9 : (k + 1))))
            }
         };
         (while_0_break : ())
      };
      (_C_11 : (__retres = 1));
      (return_label : 
      (return __retres))
   }
}

unit swap(charP[..] t_1, integer i_0, integer j_0)
  requires (_C_35 : ((_C_36 : (\offset_min(t_1) <= i_0)) &&
                      (_C_37 : (\offset_max(t_1) >= i_0))));
  requires (_C_32 : ((_C_33 : (\offset_min(t_1) <= j_0)) &&
                      (_C_34 : (\offset_max(t_1) >= j_0))));
behavior default:
  ensures (_C_28 : true);
behavior i_j_swapped:
  assigns (t_1 + i_0).charM,
  (t_1 + j_0).charM;
  ensures (_C_29 : ((_C_30 : ((\at(t_1,Old) + \at(i_0,Old)).charM ==
                               \at((t_1 + j_0).charM,Old))) &&
                     (_C_31 : ((\at(t_1,Old) + \at(j_0,Old)).charM ==
                                \at((t_1 + i_0).charM,Old)))));
{  
   (var integer z);
   
   {  (_C_19 : (z = (_C_18 : (_C_17 : (t_1 + i_0)).charM)));
      (_C_24 : ((_C_23 : (_C_22 : (t_1 + i_0)).charM) = (_C_21 : (_C_20 : 
                                                                 (t_1 +
                                                                   j_0)).charM)));
      (_C_27 : ((_C_26 : (_C_25 : (t_1 + j_0)).charM) = z));
      
      (return ())
   }
}

unit flag(charP[..] t, integer l)
  requires (_C_73 : ((_C_74 : (l >= 0)) &&
                      (_C_75 : is_color_array{Here}(t, l))));
behavior default:
  ensures (_C_71 : true);
behavior sorts:
  ensures (_C_72 : (\exists integer b;
                     (\exists integer r;
                       ((is_monochrome{Here}(\at(t,Old), 0, b, 1) &&
                          is_monochrome{Here}(\at(t,Old), b, r, 2)) &&
                         is_monochrome{Here}(\at(t,Old), r, \at(l,Old), 3)))));
{  
   (var integer b);
   
   (var integer i_1);
   
   (var integer r);
   
   (var integer tmp);
   
   (var integer tmp_0);
   
   {  (_C_38 : (b = 0));
      (_C_39 : (i_1 = 0));
      (_C_40 : (r = l));
      
      loop 
      behavior default:
        invariant (_C_42 : (((((_C_46 : is_color_array{Here}(t, l)) &&
                                ((_C_48 : (0 <= b)) &&
                                  ((_C_50 : (b <= i_1)) &&
                                    ((_C_52 : (i_1 <= r)) &&
                                      (_C_53 : (r <= l)))))) &&
                               (_C_54 : is_monochrome{Here}(t, 0, b, 1))) &&
                              (_C_55 : is_monochrome{Here}(t, b, i_1, 2))) &&
                             (_C_56 : is_monochrome{Here}(t, r, l, 3))));
      variant (_C_41 : (r - i_1));
      while (true)
      {  
         {  (if (i_1 < r) then () else 
            (goto while_0_break));
            
            {  
               switch ((_C_70 : (_C_69 : (t + i_1)).charM)) {
                 case 1:
                 {  
                    {  (_C_57 : (tmp = i_1));
                       (_C_59 : (i_1 = (_C_58 : (i_1 + 1))));
                       ();
                       (_C_60 : (tmp_0 = b));
                       (_C_62 : (b = (_C_61 : (b + 1))));
                       ();
                       ()
                    };
                    (_C_63 : swap(t, tmp_0, tmp));
                    
                    (goto switch_1_break)
                 }
                 case 2:
                 {  (_C_65 : (i_1 = (_C_64 : (i_1 + 1))));
                    
                    (goto switch_1_break)
                 }
                 case 3:
                 {  
                    {  ();
                       (_C_67 : (r = (_C_66 : (r - 1))));
                       ()
                    };
                    (_C_68 : swap(t, r, i_1));
                    
                    (goto switch_1_break)
                 }
               };
               (switch_1_break : ())
            }
         }
      };
      (while_0_break : ());
      
      (return ())
   }
}
========== file tests/c/flag.jessie/flag.cloc ==========
[_C_52]
file = "HOME/tests/c/flag.c"
line = 95
begin = 18
end = 24

[_C_35]
file = "HOME/tests/c/flag.c"
line = 69
begin = 13
end = 30

[_C_56]
file = "HOME/tests/c/flag.c"
line = 98
begin = 8
end = 37

[_C_28]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_72]
file = "HOME/tests/c/flag.c"
line = 84
begin = 8
end = 159

[flag]
name = "Function flag"
file = "HOME/tests/c/flag.c"
line = 89
begin = 5
end = 9

[_C_59]
file = "HOME/tests/c/flag.c"
line = 104
begin = 18
end = 21

[_C_48]
file = "HOME/tests/c/flag.c"
line = 95
begin = 8
end = 14

[_C_51]
file = "HOME/tests/c/flag.c"
line = 95
begin = 18
end = 29

[_C_31]
file = "HOME/tests/c/flag.c"
line = 73
begin = 36
end = 54

[_C_41]
file = "HOME/tests/c/flag.c"
line = 99
begin = 19
end = 24

[_C_4]
file = "HOME/tests/c/flag.c"
line = 61
begin = 21
end = 27

[_C_71]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_70]
file = "HOME/tests/c/flag.c"
line = 102
begin = 12
end = 16

[_C_61]
file = "HOME/tests/c/flag.c"
line = 104
begin = 13
end = 16

[_C_69]
file = "HOME/tests/c/flag.c"
line = 102
begin = 12
end = 13

[_C_32]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 30

[_C_23]
file = "HOME/tests/c/flag.c"
line = 77
begin = 9
end = 13

[_C_19]
file = "HOME/tests/c/flag.c"
line = 76
begin = 2
end = 7

[isMonochrome]
name = "Function isMonochrome"
file = "HOME/tests/c/flag.c"
line = 60
begin = 4
end = 16

[_C_42]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 183

[_C_13]
file = "HOME/tests/c/flag.c"
line = 58
begin = 14
end = 49

[_C_5]
file = "HOME/tests/c/flag.c"
line = 62
begin = 8
end = 51

[_C_36]
file = "HOME/tests/c/flag.c"
line = 69
begin = 13
end = 30

[_C_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[_C_33]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 30

[_C_22]
file = "HOME/tests/c/flag.c"
line = 77
begin = 2
end = 3

[_C_65]
file = "HOME/tests/c/flag.c"
line = 107
begin = 6
end = 9

[_C_9]
file = "HOME/tests/c/flag.c"
line = 65
begin = 25
end = 28

[_C_57]
file = "HOME/tests/c/flag.c"
line = 104
begin = 18
end = 21

[_C_54]
file = "HOME/tests/c/flag.c"
line = 96
begin = 8
end = 37

[_C_30]
file = "HOME/tests/c/flag.c"
line = 73
begin = 14
end = 32

[_C_63]
file = "HOME/tests/c/flag.c"
line = 104
begin = 6
end = 22

[_C_6]
file = "HOME/tests/c/flag.c"
line = 65
begin = 45
end = 54

[_C_64]
file = "HOME/tests/c/flag.c"
line = 107
begin = 6
end = 9

[_C_49]
file = "HOME/tests/c/flag.c"
line = 95
begin = 13
end = 29

[_C_24]
file = "HOME/tests/c/flag.c"
line = 77
begin = 9
end = 13

[_C_45]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 60

[_C_20]
file = "HOME/tests/c/flag.c"
line = 77
begin = 9
end = 10

[_C_73]
file = "HOME/tests/c/flag.c"
line = 81
begin = 13
end = 43

[_C_38]
file = "HOME/tests/c/flag.c"
line = 90
begin = 2
end = 5

[_C_3]
file = "HOME/tests/c/flag.c"
line = 61
begin = 21
end = 82

[_C_17]
file = "HOME/tests/c/flag.c"
line = 76
begin = 12
end = 13

[_C_7]
file = "HOME/tests/c/flag.c"
line = 65
begin = 34
end = 35

[_C_62]
file = "HOME/tests/c/flag.c"
line = 104
begin = 13
end = 16

[_C_55]
file = "HOME/tests/c/flag.c"
line = 97
begin = 8
end = 37

[_C_27]
file = "HOME/tests/c/flag.c"
line = 78
begin = 9
end = 10

[_C_46]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 27

[_C_44]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 101

[_C_15]
file = "HOME/tests/c/flag.c"
line = 56
begin = 13
end = 32

[_C_26]
file = "HOME/tests/c/flag.c"
line = 78
begin = 9
end = 10

[_C_47]
file = "HOME/tests/c/flag.c"
line = 95
begin = 8
end = 29

[_C_10]
file = "HOME/tests/c/flag.c"
line = 65
begin = 25
end = 28

[_C_68]
file = "HOME/tests/c/flag.c"
line = 110
begin = 6
end = 20

[_C_60]
file = "HOME/tests/c/flag.c"
line = 104
begin = 13
end = 16

[_C_53]
file = "HOME/tests/c/flag.c"
line = 95
begin = 23
end = 29

[_C_40]
file = "HOME/tests/c/flag.c"
line = 92
begin = 2
end = 5

[_C_58]
file = "HOME/tests/c/flag.c"
line = 104
begin = 18
end = 21

[swap]
name = "Function swap"
file = "HOME/tests/c/flag.c"
line = 75
begin = 5
end = 9

[_C_8]
file = "HOME/tests/c/flag.c"
line = 65
begin = 34
end = 38

[_C_66]
file = "HOME/tests/c/flag.c"
line = 110
begin = 13
end = 16

[_C_18]
file = "HOME/tests/c/flag.c"
line = 76
begin = 12
end = 16

[_C_29]
file = "HOME/tests/c/flag.c"
line = 73
begin = 14
end = 54

[_C_75]
file = "HOME/tests/c/flag.c"
line = 81
begin = 23
end = 43

[_C_14]
file = "HOME/tests/c/flag.c"
line = 56
begin = 13
end = 32

[_C_50]
file = "HOME/tests/c/flag.c"
line = 95
begin = 13
end = 19

[_C_37]
file = "HOME/tests/c/flag.c"
line = 69
begin = 13
end = 30

[_C_43]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 142

[_C_2]
file = "HOME/tests/c/flag.c"
line = 63
begin = 19
end = 24

[_C_34]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 30

[_C_67]
file = "HOME/tests/c/flag.c"
line = 110
begin = 13
end = 16

[_C_16]
file = "HOME/tests/c/flag.c"
line = 56
begin = 13
end = 32

[_C_1]
file = "HOME/tests/c/flag.c"
line = 65
begin = 7
end = 10

[_C_25]
file = "HOME/tests/c/flag.c"
line = 78
begin = 2
end = 3

[_C_39]
file = "HOME/tests/c/flag.c"
line = 91
begin = 2
end = 5

[_C_74]
file = "HOME/tests/c/flag.c"
line = 81
begin = 13
end = 19

[_C_11]
file = "HOME/tests/c/flag.c"
line = 66
begin = 2
end = 11

[_C_21]
file = "HOME/tests/c/flag.c"
line = 77
begin = 9
end = 13

========== jessie execution ==========
Generating Why function isMonochrome
Generating Why function swap
Generating Why function flag
========== file tests/c/flag.jessie/flag.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs flag.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs flag.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/flag_why.sx

project: why/flag.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/flag_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/flag_why.vo

coq/flag_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/flag_why.v: why/flag.why
	@echo 'why -coq [...] why/flag.why' && $(WHY) $(JESSIELIBFILES) why/flag.why && rm -f coq/jessie_why.v

coq-goals: goals coq/flag_ctx_why.vo
	for f in why/*_po*.why; do make -f flag.makefile coq/`basename $$f .why`_why.v ; done

coq/flag_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/flag_ctx_why.v: why/flag_ctx.why
	@echo 'why -coq [...] why/flag_ctx.why' && $(WHY) why/flag_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export flag_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/flag_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/flag_ctx_why.vo

pvs: pvs/flag_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/flag_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/flag_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/flag_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/flag_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/flag_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/flag_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/flag_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/flag_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/flag_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/flag_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/flag_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/flag_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/flag_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/flag_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: flag.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/flag_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: flag.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: flag.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: flag.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include flag.depend

depend: coq/flag_why.v
	-$(COQDEP) -I coq coq/flag*_why.v > flag.depend

clean:
	rm -f coq/*.vo

========== file tests/c/flag.jessie/flag.loc ==========
[JC_94]
file = "HOME/tests/c/flag.c"
line = 99
begin = 19
end = 24

[JC_73]
file = "HOME/"
line = 0
begin = -1
end = -1

[isMonochrome_safety]
name = "Function isMonochrome"
behavior = "Safety"
file = "HOME/tests/c/flag.c"
line = 60
begin = 4
end = 16

[JC_63]
kind = PointerDeref
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 104
begin = 16
end = 226

[JC_80]
file = "HOME/tests/c/flag.c"
line = 95
begin = 8
end = 14

[JC_51]
file = "HOME/tests/c/flag.c"
line = 73
begin = 14
end = 32

[JC_71]
file = "HOME/tests/c/flag.c"
line = 81
begin = 13
end = 43

[JC_45]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_106]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 139
begin = 6
end = 1861

[JC_113]
file = "HOME/tests/c/flag.c"
line = 95
begin = 23
end = 29

[JC_116]
file = "HOME/tests/c/flag.c"
line = 98
begin = 8
end = 37

[JC_64]
kind = PointerDeref
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 107
begin = 16
end = 57

[JC_99]
file = "HOME/tests/c/flag.c"
line = 95
begin = 23
end = 29

[JC_85]
file = "HOME/tests/c/flag.c"
line = 97
begin = 8
end = 37

[JC_31]
file = "HOME/tests/c/flag.c"
line = 61
begin = 21
end = 82

[JC_17]
file = "HOME/tests/c/flag.c"
line = 61
begin = 21
end = 82

[JC_122]
kind = UserCall
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 182
begin = 29
end = 44

[JC_81]
file = "HOME/tests/c/flag.c"
line = 95
begin = 13
end = 19

[JC_55]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 93
begin = 9
end = 20

[JC_48]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_23]
file = "HOME/tests/c/flag.c"
line = 61
begin = 21
end = 27

[JC_22]
file = "HOME/tests/c/flag.c"
line = 63
begin = 19
end = 24

[JC_121]
kind = UserCall
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 167
begin = 29
end = 48

[isMonochrome_ensures_default]
name = "Function isMonochrome"
behavior = "default behavior"
file = "HOME/tests/c/flag.c"
line = 60
begin = 4
end = 16

[JC_5]
file = "HOME/tests/c/flag.c"
line = 56
begin = 13
end = 32

[JC_67]
file = "HOME/tests/c/flag.c"
line = 81
begin = 13
end = 43

[JC_9]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_75]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_24]
file = "HOME/tests/c/flag.c"
line = 62
begin = 8
end = 51

[JC_25]
file = "HOME/tests/c/flag.c"
line = 61
begin = 21
end = 82

[flag_ensures_sorts]
name = "Function flag"
behavior = "Behavior `sorts'"
file = "HOME/tests/c/flag.c"
line = 89
begin = 5
end = 9

[JC_78]
file = "HOME/tests/c/flag.c"
line = 84
begin = 8
end = 159

[JC_41]
file = "HOME/tests/c/flag.c"
line = 69
begin = 13
end = 30

[JC_74]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_47]
file = "HOME/"
line = 0
begin = -1
end = -1

[isMonochrome_ensures_decides_monochromatic]
name = "Function isMonochrome"
behavior = "Behavior `decides_monochromatic'"
file = "HOME/tests/c/flag.c"
line = 60
begin = 4
end = 16

[JC_52]
file = "HOME/tests/c/flag.c"
line = 73
begin = 36
end = 54

[JC_26]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[swap_ensures_i_j_swapped]
name = "Function swap"
behavior = "Behavior `i_j_swapped'"
file = "HOME/tests/c/flag.c"
line = 75
begin = 5
end = 9

[JC_54]
file = "HOME/tests/c/flag.c"
line = 75
begin = 5
end = 9

[JC_79]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 27

[JC_13]
file = "HOME/tests/c/flag.c"
line = 58
begin = 14
end = 49

[JC_82]
file = "HOME/tests/c/flag.c"
line = 95
begin = 18
end = 24

[JC_87]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 183

[JC_11]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_98]
file = "HOME/tests/c/flag.c"
line = 95
begin = 18
end = 24

[JC_70]
file = "HOME/tests/c/flag.c"
line = 81
begin = 23
end = 43

[JC_15]
file = "HOME/tests/c/flag.c"
line = 61
begin = 21
end = 27

[JC_36]
file = "HOME/tests/c/flag.c"
line = 69
begin = 13
end = 30

[JC_104]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_91]
kind = PointerDeref
file = "HOME/tests/c/flag.c"
line = 102
begin = 12
end = 16

[JC_39]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_112]
file = "HOME/tests/c/flag.c"
line = 95
begin = 18
end = 24

[JC_40]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_83]
file = "HOME/tests/c/flag.c"
line = 95
begin = 23
end = 29

[JC_35]
file = "HOME/tests/c/flag.c"
line = 69
begin = 13
end = 30

[JC_27]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 59
begin = 9
end = 714

[JC_115]
file = "HOME/tests/c/flag.c"
line = 97
begin = 8
end = 37

[JC_109]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 27

[JC_107]
kind = UserCall
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 167
begin = 29
end = 48

[JC_69]
file = "HOME/tests/c/flag.c"
line = 81
begin = 13
end = 19

[JC_38]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 30

[JC_12]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_6]
file = "HOME/tests/c/flag.c"
line = 56
begin = 13
end = 32

[JC_44]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 30

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_62]
kind = PointerDeref
file = "HOME/tests/c/flag.c"
line = 77
begin = 9
end = 13

[JC_101]
file = "HOME/tests/c/flag.c"
line = 97
begin = 8
end = 37

[JC_88]
file = "HOME/"
line = 0
begin = -1
end = -1

[flag_safety]
name = "Function flag"
behavior = "Safety"
file = "HOME/tests/c/flag.c"
line = 89
begin = 5
end = 9

[JC_42]
file = "HOME/tests/c/flag.c"
line = 69
begin = 13
end = 30

[swap_ensures_default]
name = "Function swap"
behavior = "default behavior"
file = "HOME/tests/c/flag.c"
line = 75
begin = 5
end = 9

[JC_110]
file = "HOME/tests/c/flag.c"
line = 95
begin = 8
end = 14

[JC_103]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 183

[JC_46]
file = "HOME/"
line = 0
begin = -1
end = -1

[swap_safety]
name = "Function swap"
behavior = "Safety"
file = "HOME/tests/c/flag.c"
line = 75
begin = 5
end = 9

[JC_61]
kind = PointerDeref
file = "HOME/tests/c/flag.c"
line = 76
begin = 12
end = 16

[JC_32]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_56]
file = "HOME/tests/c/flag.c"
line = 73
begin = 14
end = 32

[JC_33]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 59
begin = 9
end = 714

[flag_ensures_default]
name = "Function flag"
behavior = "default behavior"
file = "HOME/tests/c/flag.c"
line = 89
begin = 5
end = 9

[JC_65]
file = "HOME/tests/c/flag.c"
line = 81
begin = 13
end = 19

[JC_118]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_105]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 139
begin = 6
end = 1861

[JC_29]
file = "HOME/tests/c/flag.c"
line = 61
begin = 21
end = 27

[JC_68]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_7]
file = "HOME/tests/c/flag.c"
line = 56
begin = 13
end = 32

[JC_16]
file = "HOME/tests/c/flag.c"
line = 62
begin = 8
end = 51

[JC_96]
file = "HOME/tests/c/flag.c"
line = 95
begin = 8
end = 14

[JC_43]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 30

[JC_2]
file = "HOME/tests/c/flag.c"
line = 56
begin = 13
end = 32

[JC_95]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 27

[JC_93]
kind = UserCall
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 182
begin = 29
end = 44

[JC_97]
file = "HOME/tests/c/flag.c"
line = 95
begin = 13
end = 19

[JC_84]
file = "HOME/tests/c/flag.c"
line = 96
begin = 8
end = 37

[JC_34]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 59
begin = 9
end = 714

[JC_114]
file = "HOME/tests/c/flag.c"
line = 96
begin = 8
end = 37

[JC_14]
file = "HOME/tests/c/flag.c"
line = 58
begin = 14
end = 49

[JC_117]
file = "HOME/tests/c/flag.c"
line = 94
begin = 8
end = 183

[JC_90]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 139
begin = 6
end = 1861

[JC_53]
file = "HOME/tests/c/flag.c"
line = 73
begin = 14
end = 54

[JC_21]
kind = PointerDeref
file = "HOME/tests/c/flag.c"
line = 65
begin = 34
end = 38

[JC_111]
file = "HOME/tests/c/flag.c"
line = 95
begin = 13
end = 19

[JC_77]
file = "HOME/tests/c/flag.c"
line = 84
begin = 8
end = 159

[JC_49]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_1]
file = "HOME/tests/c/flag.c"
line = 56
begin = 13
end = 32

[JC_102]
file = "HOME/tests/c/flag.c"
line = 98
begin = 8
end = 37

[JC_37]
file = "HOME/tests/c/flag.c"
line = 70
begin = 13
end = 30

[JC_10]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_108]
kind = UserCall
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 182
begin = 29
end = 44

[JC_57]
file = "HOME/tests/c/flag.c"
line = 73
begin = 36
end = 54

[JC_89]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 139
begin = 6
end = 1861

[JC_66]
file = "HOME/tests/c/flag.c"
line = 81
begin = 23
end = 43

[JC_59]
file = "HOME/tests/c/flag.c"
line = 75
begin = 5
end = 9

[JC_20]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 59
begin = 9
end = 714

[JC_18]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_3]
file = "HOME/tests/c/flag.c"
line = 56
begin = 13
end = 32

[JC_92]
kind = UserCall
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 167
begin = 29
end = 48

[JC_86]
file = "HOME/tests/c/flag.c"
line = 98
begin = 8
end = 37

[JC_60]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 93
begin = 9
end = 20

[JC_72]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_19]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 59
begin = 9
end = 714

[JC_119]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 139
begin = 6
end = 1861

[JC_76]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_50]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_30]
file = "HOME/tests/c/flag.c"
line = 62
begin = 8
end = 51

[JC_120]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 139
begin = 6
end = 1861

[JC_58]
file = "HOME/tests/c/flag.c"
line = 73
begin = 14
end = 54

[JC_100]
file = "HOME/tests/c/flag.c"
line = 96
begin = 8
end = 37

[JC_28]
file = "HOME/tests/c/flag.jessie/flag.jc"
line = 59
begin = 9
end = 714

========== file tests/c/flag.jessie/why/flag.why ==========
type charP

type padding

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

predicate is_color(c:int) = ((c = (1)) or ((c = (2)) or (c = (3))))

predicate is_color_array(t:charP pointer, l:int,
 charP_t_1_alloc_table_at_L:charP alloc_table,
 charP_charM_t_1_at_L:(charP, int) memory) =
 (le_int(offset_min(charP_t_1_alloc_table_at_L, t), (0))
 and (ge_int(offset_max(charP_t_1_alloc_table_at_L, t), sub_int(l, (1)))
     and (forall i_1:int.
          ((le_int((0), i_1) and lt_int(i_1, l)) ->
           is_color(select(charP_charM_t_1_at_L, shift(t, i_1)))))))

predicate is_monochrome(t_0:charP pointer, i_2:int, j_0:int, c_0:int,
 charP_charM_t_0_2_at_L:(charP, int) memory) =
 (forall k:int.
  ((le_int(i_2, k) and lt_int(k, j_0)) ->
   (select(charP_charM_t_0_2_at_L, shift(t_0, k)) = c_0)))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Goto_switch_1_break_exc of unit

exception Goto_while_0_break_exc of unit

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter flag :
 t_2:charP pointer ->
  l_0:int ->
   charP_charM_t_5:(charP, int) memory ref ->
    charP_t_5_alloc_table:charP alloc_table ->
     { } unit reads charP_charM_t_5 writes charP_charM_t_5
     { (JC_78:
       (exists b:int.
        (exists r:int.
         (is_monochrome(t_2, (0), b, (1), charP_charM_t_5)
         and (is_monochrome(t_2, b, r, (2), charP_charM_t_5)
             and is_monochrome(t_2, r, l_0, (3), charP_charM_t_5)))))) }

parameter flag_requires :
 t_2:charP pointer ->
  l_0:int ->
   charP_charM_t_5:(charP, int) memory ref ->
    charP_t_5_alloc_table:charP alloc_table ->
     { (JC_67:
       ((JC_65: ge_int(l_0, (0)))
       and (JC_66:
           is_color_array(t_2, l_0, charP_t_5_alloc_table, charP_charM_t_5))))}
     unit reads charP_charM_t_5 writes charP_charM_t_5
     { (JC_78:
       (exists b:int.
        (exists r:int.
         (is_monochrome(t_2, (0), b, (1), charP_charM_t_5)
         and (is_monochrome(t_2, b, r, (2), charP_charM_t_5)
             and is_monochrome(t_2, r, l_0, (3), charP_charM_t_5)))))) }

parameter isMonochrome :
 t_0_0:charP pointer ->
  i:int ->
   j:int ->
    c_1:int ->
     charP_t_0_3_alloc_table:charP alloc_table ->
      charP_charM_t_0_3:(charP, int) memory ->
       { } int
       { (JC_14:
         ((result <> (0))
         <-> is_monochrome(t_0_0, i, j, c_1, charP_charM_t_0_3))) }

parameter isMonochrome_requires :
 t_0_0:charP pointer ->
  i:int ->
   j:int ->
    c_1:int ->
     charP_t_0_3_alloc_table:charP alloc_table ->
      charP_charM_t_0_3:(charP, int) memory ->
       { (JC_3:
         ((JC_1: le_int(offset_min(charP_t_0_3_alloc_table, t_0_0), i))
         and (JC_2: ge_int(offset_max(charP_t_0_3_alloc_table, t_0_0), j))))}
       int
       { (JC_14:
         ((result <> (0))
         <-> is_monochrome(t_0_0, i, j, c_1, charP_charM_t_0_3))) }

parameter swap :
 t_1:charP pointer ->
  i_0:int ->
   j_0_0:int ->
    charP_charM_t_1_4:(charP, int) memory ref ->
     charP_t_1_4_alloc_table:charP alloc_table ->
      { } unit reads charP_charM_t_1_4 writes charP_charM_t_1_4
      { (JC_60:
        ((JC_58:
         ((JC_56:
          (select(charP_charM_t_1_4, shift(t_1, i_0)) = select(charP_charM_t_1_4@,
                                                        shift(t_1, j_0_0))))
         and (JC_57:
             (select(charP_charM_t_1_4, shift(t_1, j_0_0)) = select(charP_charM_t_1_4@,
                                                             shift(t_1, i_0))))))
        and (JC_59:
            not_assigns(charP_t_1_4_alloc_table, charP_charM_t_1_4@,
            charP_charM_t_1_4,
            pset_union(pset_range(pset_singleton(t_1), j_0_0, j_0_0),
            pset_range(pset_singleton(t_1), i_0, i_0)))))) }

parameter swap_requires :
 t_1:charP pointer ->
  i_0:int ->
   j_0_0:int ->
    charP_charM_t_1_4:(charP, int) memory ref ->
     charP_t_1_4_alloc_table:charP alloc_table ->
      { (JC_39:
        ((JC_35: le_int(offset_min(charP_t_1_4_alloc_table, t_1), i_0))
        and ((JC_36: ge_int(offset_max(charP_t_1_4_alloc_table, t_1), i_0))
            and ((JC_37:
                 le_int(offset_min(charP_t_1_4_alloc_table, t_1), j_0_0))
                and (JC_38:
                    ge_int(offset_max(charP_t_1_4_alloc_table, t_1), j_0_0))))))}
      unit reads charP_charM_t_1_4 writes charP_charM_t_1_4
      { (JC_60:
        ((JC_58:
         ((JC_56:
          (select(charP_charM_t_1_4, shift(t_1, i_0)) = select(charP_charM_t_1_4@,
                                                        shift(t_1, j_0_0))))
         and (JC_57:
             (select(charP_charM_t_1_4, shift(t_1, j_0_0)) = select(charP_charM_t_1_4@,
                                                             shift(t_1, i_0))))))
        and (JC_59:
            not_assigns(charP_t_1_4_alloc_table, charP_charM_t_1_4@,
            charP_charM_t_1_4,
            pset_union(pset_range(pset_singleton(t_1), j_0_0, j_0_0),
            pset_range(pset_singleton(t_1), i_0, i_0)))))) }

let flag_ensures_default =
 fun (t_2 : charP pointer) (l_0 : int) (charP_charM_t_5 : (charP, int) memory ref) (charP_t_5_alloc_table : charP alloc_table) ->
  { (JC_71:
    ((JC_69: ge_int(l_0, (0)))
    and (JC_70:
        is_color_array(t_2, l_0, charP_t_5_alloc_table, charP_charM_t_5)))) }
  (init:
  try
   begin
     (let b_0 = ref (any_int void) in
     (let i_1_0 = ref (any_int void) in
     (let r_0 = ref (any_int void) in
     (let tmp = ref (any_int void) in
     (let tmp_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (b_0 := (0)) in void);
       (let _jessie_ = (i_1_0 := (0)) in void);
       (let _jessie_ = (r_0 := l_0) in void);
       (loop_5:
       begin
         while true do
         { invariant
             (JC_103:
             ((JC_95:
              is_color_array(t_2, l_0, charP_t_5_alloc_table,
              charP_charM_t_5))
             and ((JC_96: le_int((0), b_0))
                 and ((JC_97: le_int(b_0, i_1_0))
                     and ((JC_98: le_int(i_1_0, r_0))
                         and ((JC_99: le_int(r_0, l_0))
                             and ((JC_100:
                                  is_monochrome(t_2, (0), b_0, (1),
                                  charP_charM_t_5))
                                 and ((JC_101:
                                      is_monochrome(t_2, b_0, i_1_0, (2),
                                      charP_charM_t_5))
                                     and (JC_102:
                                         is_monochrome(t_2, r_0, l_0, (3),
                                         charP_charM_t_5))))))))))  }
          begin
            [ { } unit { true } ];
           try
            begin
              (if ((lt_int_ !i_1_0) !r_0) then void
              else (raise (Goto_while_0_break_exc void)));
             try
              begin
                (let _jessie_ =
                ((safe_acc_ !charP_charM_t_5) ((shift t_2) !i_1_0)) in
                begin
                  (if ((eq_int_ _jessie_) (1))
                  then
                   begin
                     (let _jessie_ = (tmp := !i_1_0) in void);
                    (let _jessie_ = (i_1_0 := ((add_int !i_1_0) (1))) in
                    void); void; (let _jessie_ = (tmp_0 := !b_0) in void);
                    (let _jessie_ = (b_0 := ((add_int !b_0) (1))) in void);
                    void; void;
                    (let _jessie_ = t_2 in
                    (let _jessie_ = !tmp_0 in
                    (let _jessie_ = !tmp in
                    (JC_107:
                    (((((swap _jessie_) _jessie_) _jessie_) charP_charM_t_5) charP_t_5_alloc_table)))));
                    (raise (Goto_switch_1_break_exc void)) end else void);
                 (if (((eq_int_ _jessie_) (2)) || ((eq_int_ _jessie_) (1)))
                 then
                  begin
                    (let _jessie_ = (i_1_0 := ((add_int !i_1_0) (1))) in
                    void); (raise (Goto_switch_1_break_exc void)) end
                 else void);
                 (if (((eq_int_ _jessie_) (3)) || (((eq_int_ _jessie_) (2)) || 
                                                   ((eq_int_ _jessie_) (1))))
                 then
                  begin
                    void;
                   (let _jessie_ = (r_0 := ((sub_int !r_0) (1))) in void);
                   void;
                   (let _jessie_ = t_2 in
                   (let _jessie_ = !r_0 in
                   (let _jessie_ = !i_1_0 in
                   (JC_108:
                   (((((swap _jessie_) _jessie_) _jessie_) charP_charM_t_5) charP_t_5_alloc_table)))));
                   (raise (Goto_switch_1_break_exc void)) end else void) end);
               (raise (Goto_switch_1_break_exc void)) end with
              Goto_switch_1_break_exc _jessie_ -> (switch_1_break: void) end;
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end)))));
    (raise Return) end with Return -> void end) { (JC_73: true) }

let flag_ensures_sorts =
 fun (t_2 : charP pointer) (l_0 : int) (charP_charM_t_5 : (charP, int) memory ref) (charP_t_5_alloc_table : charP alloc_table) ->
  { (JC_71:
    ((JC_69: ge_int(l_0, (0)))
    and (JC_70:
        is_color_array(t_2, l_0, charP_t_5_alloc_table, charP_charM_t_5)))) }
  (init:
  try
   begin
     (let b_0 = ref (any_int void) in
     (let i_1_0 = ref (any_int void) in
     (let r_0 = ref (any_int void) in
     (let tmp = ref (any_int void) in
     (let tmp_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (b_0 := (0)) in void);
       (let _jessie_ = (i_1_0 := (0)) in void);
       (let _jessie_ = (r_0 := l_0) in void);
       (loop_6:
       begin
         while true do
         { invariant (JC_119: true)  }
          begin
            [ { } unit reads b_0,charP_charM_t_5,i_1_0,r_0
              { (JC_117:
                ((JC_109:
                 is_color_array(t_2, l_0, charP_t_5_alloc_table,
                 charP_charM_t_5))
                and ((JC_110: le_int((0), b_0))
                    and ((JC_111: le_int(b_0, i_1_0))
                        and ((JC_112: le_int(i_1_0, r_0))
                            and ((JC_113: le_int(r_0, l_0))
                                and ((JC_114:
                                     is_monochrome(t_2, (0), b_0, (1),
                                     charP_charM_t_5))
                                    and ((JC_115:
                                         is_monochrome(t_2, b_0, i_1_0, (2),
                                         charP_charM_t_5))
                                        and (JC_116:
                                            is_monochrome(t_2, r_0, l_0, (3),
                                            charP_charM_t_5)))))))))) } ];
           try
            begin
              (if ((lt_int_ !i_1_0) !r_0) then void
              else (raise (Goto_while_0_break_exc void)));
             try
              begin
                (let _jessie_ =
                ((safe_acc_ !charP_charM_t_5) ((shift t_2) !i_1_0)) in
                begin
                  (if ((eq_int_ _jessie_) (1))
                  then
                   begin
                     (let _jessie_ = (tmp := !i_1_0) in void);
                    (let _jessie_ = (i_1_0 := ((add_int !i_1_0) (1))) in
                    void); void; (let _jessie_ = (tmp_0 := !b_0) in void);
                    (let _jessie_ = (b_0 := ((add_int !b_0) (1))) in void);
                    void; void;
                    (let _jessie_ = t_2 in
                    (let _jessie_ = !tmp_0 in
                    (let _jessie_ = !tmp in
                    (JC_121:
                    (((((swap _jessie_) _jessie_) _jessie_) charP_charM_t_5) charP_t_5_alloc_table)))));
                    (raise (Goto_switch_1_break_exc void)) end else void);
                 (if (((eq_int_ _jessie_) (2)) || ((eq_int_ _jessie_) (1)))
                 then
                  begin
                    (let _jessie_ = (i_1_0 := ((add_int !i_1_0) (1))) in
                    void); (raise (Goto_switch_1_break_exc void)) end
                 else void);
                 (if (((eq_int_ _jessie_) (3)) || (((eq_int_ _jessie_) (2)) || 
                                                   ((eq_int_ _jessie_) (1))))
                 then
                  begin
                    void;
                   (let _jessie_ = (r_0 := ((sub_int !r_0) (1))) in void);
                   void;
                   (let _jessie_ = t_2 in
                   (let _jessie_ = !r_0 in
                   (let _jessie_ = !i_1_0 in
                   (JC_122:
                   (((((swap _jessie_) _jessie_) _jessie_) charP_charM_t_5) charP_t_5_alloc_table)))));
                   (raise (Goto_switch_1_break_exc void)) end else void) end);
               (raise (Goto_switch_1_break_exc void)) end with
              Goto_switch_1_break_exc _jessie_ -> (switch_1_break: void) end;
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end)))));
    (raise Return) end with Return -> void end)
  { (JC_77:
    (exists b:int.
     (exists r:int.
      (is_monochrome(t_2, (0), b, (1), charP_charM_t_5)
      and (is_monochrome(t_2, b, r, (2), charP_charM_t_5)
          and is_monochrome(t_2, r, l_0, (3), charP_charM_t_5)))))) }

let flag_safety =
 fun (t_2 : charP pointer) (l_0 : int) (charP_charM_t_5 : (charP, int) memory ref) (charP_t_5_alloc_table : charP alloc_table) ->
  { (JC_71:
    ((JC_69: ge_int(l_0, (0)))
    and (JC_70:
        is_color_array(t_2, l_0, charP_t_5_alloc_table, charP_charM_t_5)))) }
  (init:
  try
   begin
     (let b_0 = ref (any_int void) in
     (let i_1_0 = ref (any_int void) in
     (let r_0 = ref (any_int void) in
     (let tmp = ref (any_int void) in
     (let tmp_0 = ref (any_int void) in
     try
      begin
        (let _jessie_ = (b_0 := (0)) in void);
       (let _jessie_ = (i_1_0 := (0)) in void);
       (let _jessie_ = (r_0 := l_0) in void);
       (loop_4:
       begin
         while true do
         { invariant (JC_89: true) variant (JC_94 : sub_int(r_0, i_1_0)) }
          begin
            [ { } unit reads b_0,charP_charM_t_5,i_1_0,r_0
              { (JC_87:
                ((JC_79:
                 is_color_array(t_2, l_0, charP_t_5_alloc_table,
                 charP_charM_t_5))
                and ((JC_80: le_int((0), b_0))
                    and ((JC_81: le_int(b_0, i_1_0))
                        and ((JC_82: le_int(i_1_0, r_0))
                            and ((JC_83: le_int(r_0, l_0))
                                and ((JC_84:
                                     is_monochrome(t_2, (0), b_0, (1),
                                     charP_charM_t_5))
                                    and ((JC_85:
                                         is_monochrome(t_2, b_0, i_1_0, (2),
                                         charP_charM_t_5))
                                        and (JC_86:
                                            is_monochrome(t_2, r_0, l_0, (3),
                                            charP_charM_t_5)))))))))) } ];
           try
            begin
              (if ((lt_int_ !i_1_0) !r_0) then void
              else (raise (Goto_while_0_break_exc void)));
             try
              begin
                (let _jessie_ =
                (JC_91:
                ((((offset_acc_ charP_t_5_alloc_table) !charP_charM_t_5) t_2) !i_1_0)) in
                begin
                  (if ((eq_int_ _jessie_) (1))
                  then
                   begin
                     (let _jessie_ = (tmp := !i_1_0) in void);
                    (let _jessie_ = (i_1_0 := ((add_int !i_1_0) (1))) in
                    void); void; (let _jessie_ = (tmp_0 := !b_0) in void);
                    (let _jessie_ = (b_0 := ((add_int !b_0) (1))) in void);
                    void; void;
                    (let _jessie_ = t_2 in
                    (let _jessie_ = !tmp_0 in
                    (let _jessie_ = !tmp in
                    (JC_92:
                    (((((swap_requires _jessie_) _jessie_) _jessie_) charP_charM_t_5) charP_t_5_alloc_table)))));
                    (raise (Goto_switch_1_break_exc void)) end else void);
                 (if (((eq_int_ _jessie_) (2)) || ((eq_int_ _jessie_) (1)))
                 then
                  begin
                    (let _jessie_ = (i_1_0 := ((add_int !i_1_0) (1))) in
                    void); (raise (Goto_switch_1_break_exc void)) end
                 else void);
                 (if (((eq_int_ _jessie_) (3)) || (((eq_int_ _jessie_) (2)) || 
                                                   ((eq_int_ _jessie_) (1))))
                 then
                  begin
                    void;
                   (let _jessie_ = (r_0 := ((sub_int !r_0) (1))) in void);
                   void;
                   (let _jessie_ = t_2 in
                   (let _jessie_ = !r_0 in
                   (let _jessie_ = !i_1_0 in
                   (JC_93:
                   (((((swap_requires _jessie_) _jessie_) _jessie_) charP_charM_t_5) charP_t_5_alloc_table)))));
                   (raise (Goto_switch_1_break_exc void)) end else void) end);
               (raise (Goto_switch_1_break_exc void)) end with
              Goto_switch_1_break_exc _jessie_ -> (switch_1_break: void) end;
             (raise (Loop_continue_exc void)) end with
            Loop_continue_exc _jessie_ -> void end end done;
        (raise (Goto_while_0_break_exc void)) end) end with
      Goto_while_0_break_exc _jessie_ ->
      (while_0_break: begin   void; (raise Return) end) end)))));
    (raise Return) end with Return -> void end) { true }

let isMonochrome_ensures_decides_monochromatic =
 fun (t_0_0 : charP pointer) (i : int) (j : int) (c_1 : int) (charP_t_0_3_alloc_table : charP alloc_table) (charP_charM_t_0_3 : (charP, int) memory) ->
  { (JC_7:
    ((JC_5: le_int(offset_min(charP_t_0_3_alloc_table, t_0_0), i))
    and (JC_6: ge_int(offset_max(charP_t_0_3_alloc_table, t_0_0), j)))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let k_0 = ref (any_int void) in
     (let __retres = ref (any_int void) in
     try
      begin
        try
         begin
           (let _jessie_ = (k_0 := i) in void);
          (loop_3:
          begin
            while true do
            { invariant (JC_33: true)  }
             begin
               [ { } unit reads k_0
                 { (JC_31:
                   ((JC_29: le_int(i, k_0))
                   and (JC_30:
                       (forall l_0_0:int.
                        ((le_int(i, l_0_0) and lt_int(l_0_0, k_0)) ->
                         (select(charP_charM_t_0_3, shift(t_0_0, l_0_0)) = c_1)))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !k_0) j) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((neq_int_ ((safe_acc_ charP_charM_t_0_3) ((shift t_0_0) !k_0))) c_1)
                  then
                   begin
                     (let _jessie_ = (__retres := (0)) in void);
                    (raise (Return_label_exc void)) end else void);
                  (k_0 := ((add_int !k_0) (1))); !k_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (let _jessie_ = (__retres := (1)) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end))
  { (JC_13:
    ((result <> (0)) <-> is_monochrome(t_0_0, i, j, c_1, charP_charM_t_0_3))) }

let isMonochrome_ensures_default =
 fun (t_0_0 : charP pointer) (i : int) (j : int) (c_1 : int) (charP_t_0_3_alloc_table : charP alloc_table) (charP_charM_t_0_3 : (charP, int) memory) ->
  { (JC_7:
    ((JC_5: le_int(offset_min(charP_t_0_3_alloc_table, t_0_0), i))
    and (JC_6: ge_int(offset_max(charP_t_0_3_alloc_table, t_0_0), j)))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let k_0 = ref (any_int void) in
     (let __retres = ref (any_int void) in
     try
      begin
        try
         begin
           (let _jessie_ = (k_0 := i) in void);
          (loop_2:
          begin
            while true do
            { invariant
                (JC_25:
                ((JC_23: le_int(i, k_0))
                and (JC_24:
                    (forall l_0_0:int.
                     ((le_int(i, l_0_0) and lt_int(l_0_0, k_0)) ->
                      (select(charP_charM_t_0_3, shift(t_0_0, l_0_0)) = c_1))))))
               }
             begin
               [ { } unit { true } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !k_0) j) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((neq_int_ ((safe_acc_ charP_charM_t_0_3) ((shift t_0_0) !k_0))) c_1)
                  then
                   begin
                     (let _jessie_ = (__retres := (0)) in void);
                    (raise (Return_label_exc void)) end else void);
                  (k_0 := ((add_int !k_0) (1))); !k_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (let _jessie_ = (__retres := (1)) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end)) { (JC_9: true) }

let isMonochrome_safety =
 fun (t_0_0 : charP pointer) (i : int) (j : int) (c_1 : int) (charP_t_0_3_alloc_table : charP alloc_table) (charP_charM_t_0_3 : (charP, int) memory) ->
  { (JC_7:
    ((JC_5: le_int(offset_min(charP_t_0_3_alloc_table, t_0_0), i))
    and (JC_6: ge_int(offset_max(charP_t_0_3_alloc_table, t_0_0), j)))) }
  (init:
  (let return = ref (any_int void) in
  try
   begin
     (let k_0 = ref (any_int void) in
     (let __retres = ref (any_int void) in
     try
      begin
        try
         begin
           (let _jessie_ = (k_0 := i) in void);
          (loop_1:
          begin
            while true do
            { invariant (JC_19: true) variant (JC_22 : sub_int(j, k_0)) }
             begin
               [ { } unit reads k_0
                 { (JC_17:
                   ((JC_15: le_int(i, k_0))
                   and (JC_16:
                       (forall l_0_0:int.
                        ((le_int(i, l_0_0) and lt_int(l_0_0, k_0)) ->
                         (select(charP_charM_t_0_3, shift(t_0_0, l_0_0)) = c_1)))))) } ];
              try
               begin
                 (let _jessie_ =
                 begin
                   (if ((lt_int_ !k_0) j) then void
                   else (raise (Goto_while_0_break_exc void)));
                  (if ((neq_int_ (JC_21:
                                 ((((offset_acc_ charP_t_0_3_alloc_table) charP_charM_t_0_3) t_0_0) !k_0))) c_1)
                  then
                   begin
                     (let _jessie_ = (__retres := (0)) in void);
                    (raise (Return_label_exc void)) end else void);
                  (k_0 := ((add_int !k_0) (1))); !k_0 end in void);
                (raise (Loop_continue_exc void)) end with
               Loop_continue_exc _jessie_ -> void end end done;
           (raise (Goto_while_0_break_exc void)) end) end with
         Goto_while_0_break_exc _jessie_ -> (while_0_break: void) end;
       (let _jessie_ = (__retres := (1)) in void);
       (raise (Return_label_exc void)) end with Return_label_exc _jessie_ ->
      (return_label: begin   (return := !__retres); (raise Return) end) end));
    absurd  end with Return -> !return end)) { true }

let swap_ensures_default =
 fun (t_1 : charP pointer) (i_0 : int) (j_0_0 : int) (charP_charM_t_1_4 : (charP, int) memory ref) (charP_t_1_4_alloc_table : charP alloc_table) ->
  { (JC_45:
    ((JC_41: le_int(offset_min(charP_t_1_4_alloc_table, t_1), i_0))
    and ((JC_42: ge_int(offset_max(charP_t_1_4_alloc_table, t_1), i_0))
        and ((JC_43: le_int(offset_min(charP_t_1_4_alloc_table, t_1), j_0_0))
            and (JC_44:
                ge_int(offset_max(charP_t_1_4_alloc_table, t_1), j_0_0)))))) }
  (init:
  try
   begin
     (let z = ref (any_int void) in
     begin
       (let _jessie_ =
       (z := ((safe_acc_ !charP_charM_t_1_4) ((shift t_1) i_0))) in void);
      (let _jessie_ =
      (let _jessie_ =
      ((safe_acc_ !charP_charM_t_1_4) ((shift t_1) j_0_0)) in
      (let _jessie_ = t_1 in
      (let _jessie_ = i_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ charP_charM_t_1_4) _jessie_) _jessie_))))) in void);
      (let _jessie_ =
      (let _jessie_ = !z in
      (let _jessie_ = t_1 in
      (let _jessie_ = j_0_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ charP_charM_t_1_4) _jessie_) _jessie_))))) in void);
      (raise Return) end); (raise Return) end with Return -> void end)
  { (JC_47: true) }

let swap_ensures_i_j_swapped =
 fun (t_1 : charP pointer) (i_0 : int) (j_0_0 : int) (charP_charM_t_1_4 : (charP, int) memory ref) (charP_t_1_4_alloc_table : charP alloc_table) ->
  { (JC_45:
    ((JC_41: le_int(offset_min(charP_t_1_4_alloc_table, t_1), i_0))
    and ((JC_42: ge_int(offset_max(charP_t_1_4_alloc_table, t_1), i_0))
        and ((JC_43: le_int(offset_min(charP_t_1_4_alloc_table, t_1), j_0_0))
            and (JC_44:
                ge_int(offset_max(charP_t_1_4_alloc_table, t_1), j_0_0)))))) }
  (init:
  try
   begin
     (let z = ref (any_int void) in
     begin
       (let _jessie_ =
       (z := ((safe_acc_ !charP_charM_t_1_4) ((shift t_1) i_0))) in void);
      (let _jessie_ =
      (let _jessie_ =
      ((safe_acc_ !charP_charM_t_1_4) ((shift t_1) j_0_0)) in
      (let _jessie_ = t_1 in
      (let _jessie_ = i_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ charP_charM_t_1_4) _jessie_) _jessie_))))) in void);
      (let _jessie_ =
      (let _jessie_ = !z in
      (let _jessie_ = t_1 in
      (let _jessie_ = j_0_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (((safe_upd_ charP_charM_t_1_4) _jessie_) _jessie_))))) in void);
      (raise Return) end); (raise Return) end with Return -> void end)
  { (JC_55:
    ((JC_53:
     ((JC_51:
      (select(charP_charM_t_1_4, shift(t_1, i_0)) = select(charP_charM_t_1_4@,
                                                    shift(t_1, j_0_0))))
     and (JC_52:
         (select(charP_charM_t_1_4, shift(t_1, j_0_0)) = select(charP_charM_t_1_4@,
                                                         shift(t_1, i_0))))))
    and (JC_54:
        not_assigns(charP_t_1_4_alloc_table, charP_charM_t_1_4@,
        charP_charM_t_1_4,
        pset_union(pset_range(pset_singleton(t_1), j_0_0, j_0_0),
        pset_range(pset_singleton(t_1), i_0, i_0)))))) }

let swap_safety =
 fun (t_1 : charP pointer) (i_0 : int) (j_0_0 : int) (charP_charM_t_1_4 : (charP, int) memory ref) (charP_t_1_4_alloc_table : charP alloc_table) ->
  { (JC_45:
    ((JC_41: le_int(offset_min(charP_t_1_4_alloc_table, t_1), i_0))
    and ((JC_42: ge_int(offset_max(charP_t_1_4_alloc_table, t_1), i_0))
        and ((JC_43: le_int(offset_min(charP_t_1_4_alloc_table, t_1), j_0_0))
            and (JC_44:
                ge_int(offset_max(charP_t_1_4_alloc_table, t_1), j_0_0)))))) }
  (init:
  try
   begin
     (let z = ref (any_int void) in
     begin
       (let _jessie_ =
       (z := (JC_61:
             ((((offset_acc_ charP_t_1_4_alloc_table) !charP_charM_t_1_4) t_1) i_0))) in
       void);
      (let _jessie_ =
      (let _jessie_ =
      (JC_62:
      ((((offset_acc_ charP_t_1_4_alloc_table) !charP_charM_t_1_4) t_1) j_0_0)) in
      (let _jessie_ = t_1 in
      (let _jessie_ = i_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_63:
      (((((offset_upd_ charP_t_1_4_alloc_table) charP_charM_t_1_4) _jessie_) _jessie_) _jessie_)))))) in
      void);
      (let _jessie_ =
      (let _jessie_ = !z in
      (let _jessie_ = t_1 in
      (let _jessie_ = j_0_0 in
      (let _jessie_ = ((shift _jessie_) _jessie_) in
      (JC_64:
      (((((offset_upd_ charP_t_1_4_alloc_table) charP_charM_t_1_4) _jessie_) _jessie_) _jessie_)))))) in
      void); (raise Return) end); (raise Return) end with Return -> void end)
  { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/flag.why
========== file tests/c/flag.jessie/why/flag_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type charP

type padding

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

predicate is_color(c: int) = ((c = 1) or ((c = 2) or (c = 3)))

predicate is_color_array(t: charP pointer, l: int,
  charP_t_1_alloc_table_at_L: charP alloc_table,
  charP_charM_t_1_at_L: (charP, int) memory) =
  ((offset_min(charP_t_1_alloc_table_at_L, t) <= 0) and
   ((offset_max(charP_t_1_alloc_table_at_L, t) >= (l - 1)) and
    (forall i_1:int.
      (((0 <= i_1) and (i_1 < l)) -> is_color(select(charP_charM_t_1_at_L,
       shift(t, i_1)))))))

predicate is_monochrome(t_0: charP pointer, i_2: int, j_0: int, c_0: int,
  charP_charM_t_0_2_at_L: (charP, int) memory) =
  (forall k:int.
    (((i_2 <= k) and (k < j_0)) -> (select(charP_charM_t_0_2_at_L, shift(t_0,
     k)) = c_0)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal flag_ensures_default_po_1:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  ("JC_103": ("JC_96": (0 <= b_0)))

goal flag_ensures_default_po_2:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  ("JC_103": ("JC_97": (b_0 <= i_1_0)))

goal flag_ensures_default_po_3:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  ("JC_103": ("JC_98": (i_1_0 <= r_0)))

goal flag_ensures_default_po_4:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  ("JC_103": ("JC_99": (r_0 <= l_0)))

goal flag_ensures_default_po_5:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  ("JC_103": ("JC_100": is_monochrome(t_2, 0, b_0, 1, charP_charM_t_5)))

goal flag_ensures_default_po_6:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  ("JC_103": ("JC_101": is_monochrome(t_2, b_0, i_1_0, 2, charP_charM_t_5)))

goal flag_ensures_default_po_7:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  ("JC_103": ("JC_102": is_monochrome(t_2, r_0, l_0, 3, charP_charM_t_5)))

goal flag_ensures_default_po_8:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    tmp_0)) = select(charP_charM_t_5_0, shift(t_2, tmp)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    tmp)) = select(charP_charM_t_5_0, shift(t_2, tmp_0)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), tmp, tmp),
   pset_range(pset_singleton(t_2), tmp_0, tmp_0)))))) ->
  ("JC_103":
  ("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
  charP_charM_t_5_1)))

goal flag_ensures_default_po_9:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    tmp_0)) = select(charP_charM_t_5_0, shift(t_2, tmp)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    tmp)) = select(charP_charM_t_5_0, shift(t_2, tmp_0)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), tmp, tmp),
   pset_range(pset_singleton(t_2), tmp_0, tmp_0)))))) ->
  ("JC_103": ("JC_96": (0 <= b_0_1)))

goal flag_ensures_default_po_10:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    tmp_0)) = select(charP_charM_t_5_0, shift(t_2, tmp)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    tmp)) = select(charP_charM_t_5_0, shift(t_2, tmp_0)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), tmp, tmp),
   pset_range(pset_singleton(t_2), tmp_0, tmp_0)))))) ->
  ("JC_103": ("JC_97": (b_0_1 <= i_1_0_1)))

goal flag_ensures_default_po_11:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    tmp_0)) = select(charP_charM_t_5_0, shift(t_2, tmp)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    tmp)) = select(charP_charM_t_5_0, shift(t_2, tmp_0)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), tmp, tmp),
   pset_range(pset_singleton(t_2), tmp_0, tmp_0)))))) ->
  ("JC_103": ("JC_98": (i_1_0_1 <= r_0_0)))

goal flag_ensures_default_po_12:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    tmp_0)) = select(charP_charM_t_5_0, shift(t_2, tmp)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    tmp)) = select(charP_charM_t_5_0, shift(t_2, tmp_0)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), tmp, tmp),
   pset_range(pset_singleton(t_2), tmp_0, tmp_0)))))) ->
  ("JC_103": ("JC_99": (r_0_0 <= l_0)))

goal flag_ensures_default_po_13:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    tmp_0)) = select(charP_charM_t_5_0, shift(t_2, tmp)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    tmp)) = select(charP_charM_t_5_0, shift(t_2, tmp_0)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), tmp, tmp),
   pset_range(pset_singleton(t_2), tmp_0, tmp_0)))))) ->
  ("JC_103": ("JC_100": is_monochrome(t_2, 0, b_0_1, 1, charP_charM_t_5_1)))

goal flag_ensures_default_po_14:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    tmp_0)) = select(charP_charM_t_5_0, shift(t_2, tmp)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    tmp)) = select(charP_charM_t_5_0, shift(t_2, tmp_0)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), tmp, tmp),
   pset_range(pset_singleton(t_2), tmp_0, tmp_0)))))) ->
  ("JC_103":
  ("JC_101": is_monochrome(t_2, b_0_1, i_1_0_1, 2, charP_charM_t_5_1)))

goal flag_ensures_default_po_15:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    tmp_0)) = select(charP_charM_t_5_0, shift(t_2, tmp)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    tmp)) = select(charP_charM_t_5_0, shift(t_2, tmp_0)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), tmp, tmp),
   pset_range(pset_singleton(t_2), tmp_0, tmp_0)))))) ->
  ("JC_103":
  ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_1)))

goal flag_ensures_default_po_16:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result = 2) or ((result <> 2) and (result = 1))) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  ("JC_103": ("JC_96": (0 <= b_0_0)))

goal flag_ensures_default_po_17:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result = 2) or ((result <> 2) and (result = 1))) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  ("JC_103": ("JC_97": (b_0_0 <= i_1_0_1)))

goal flag_ensures_default_po_18:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result = 2) or ((result <> 2) and (result = 1))) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  ("JC_103": ("JC_98": (i_1_0_1 <= r_0_0)))

goal flag_ensures_default_po_19:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result = 2) or ((result <> 2) and (result = 1))) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  ("JC_103": ("JC_99": (r_0_0 <= l_0)))

goal flag_ensures_default_po_20:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result = 2) or ((result <> 2) and (result = 1))) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  ("JC_103": ("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)))

goal flag_ensures_default_po_21:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result = 2) or ((result <> 2) and (result = 1))) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  ("JC_103":
  ("JC_101": is_monochrome(t_2, b_0_0, i_1_0_1, 2, charP_charM_t_5_0)))

goal flag_ensures_default_po_22:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result = 2) or ((result <> 2) and (result = 1))) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  ("JC_103":
  ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))

goal flag_ensures_default_po_23:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    r_0_1)) = select(charP_charM_t_5_0, shift(t_2, i_1_0_0)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    i_1_0_0)) = select(charP_charM_t_5_0, shift(t_2, r_0_1)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), i_1_0_0,
   i_1_0_0), pset_range(pset_singleton(t_2), r_0_1, r_0_1)))))) ->
  ("JC_103":
  ("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
  charP_charM_t_5_1)))

goal flag_ensures_default_po_24:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    r_0_1)) = select(charP_charM_t_5_0, shift(t_2, i_1_0_0)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    i_1_0_0)) = select(charP_charM_t_5_0, shift(t_2, r_0_1)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), i_1_0_0,
   i_1_0_0), pset_range(pset_singleton(t_2), r_0_1, r_0_1)))))) ->
  ("JC_103": ("JC_96": (0 <= b_0_0)))

goal flag_ensures_default_po_25:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    r_0_1)) = select(charP_charM_t_5_0, shift(t_2, i_1_0_0)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    i_1_0_0)) = select(charP_charM_t_5_0, shift(t_2, r_0_1)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), i_1_0_0,
   i_1_0_0), pset_range(pset_singleton(t_2), r_0_1, r_0_1)))))) ->
  ("JC_103": ("JC_97": (b_0_0 <= i_1_0_0)))

goal flag_ensures_default_po_26:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    r_0_1)) = select(charP_charM_t_5_0, shift(t_2, i_1_0_0)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    i_1_0_0)) = select(charP_charM_t_5_0, shift(t_2, r_0_1)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), i_1_0_0,
   i_1_0_0), pset_range(pset_singleton(t_2), r_0_1, r_0_1)))))) ->
  ("JC_103": ("JC_98": (i_1_0_0 <= r_0_1)))

goal flag_ensures_default_po_27:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    r_0_1)) = select(charP_charM_t_5_0, shift(t_2, i_1_0_0)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    i_1_0_0)) = select(charP_charM_t_5_0, shift(t_2, r_0_1)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), i_1_0_0,
   i_1_0_0), pset_range(pset_singleton(t_2), r_0_1, r_0_1)))))) ->
  ("JC_103": ("JC_99": (r_0_1 <= l_0)))

goal flag_ensures_default_po_28:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    r_0_1)) = select(charP_charM_t_5_0, shift(t_2, i_1_0_0)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    i_1_0_0)) = select(charP_charM_t_5_0, shift(t_2, r_0_1)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), i_1_0_0,
   i_1_0_0), pset_range(pset_singleton(t_2), r_0_1, r_0_1)))))) ->
  ("JC_103": ("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_1)))

goal flag_ensures_default_po_29:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    r_0_1)) = select(charP_charM_t_5_0, shift(t_2, i_1_0_0)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    i_1_0_0)) = select(charP_charM_t_5_0, shift(t_2, r_0_1)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), i_1_0_0,
   i_1_0_0), pset_range(pset_singleton(t_2), r_0_1, r_0_1)))))) ->
  ("JC_103":
  ("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_1)))

goal flag_ensures_default_po_30:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    r_0_1)) = select(charP_charM_t_5_0, shift(t_2, i_1_0_0)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    i_1_0_0)) = select(charP_charM_t_5_0, shift(t_2, r_0_1)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), i_1_0_0,
   i_1_0_0), pset_range(pset_singleton(t_2), r_0_1, r_0_1)))))) ->
  ("JC_103":
  ("JC_102": is_monochrome(t_2, r_0_1, l_0, 3, charP_charM_t_5_1)))

goal flag_ensures_default_po_31:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result <> 3) and ((result <> 2) and (result <> 1))) ->
  ("JC_103": ("JC_96": (0 <= b_0_0)))

goal flag_ensures_default_po_32:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result <> 3) and ((result <> 2) and (result <> 1))) ->
  ("JC_103": ("JC_97": (b_0_0 <= i_1_0_0)))

goal flag_ensures_default_po_33:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result <> 3) and ((result <> 2) and (result <> 1))) ->
  ("JC_103": ("JC_98": (i_1_0_0 <= r_0_0)))

goal flag_ensures_default_po_34:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result <> 3) and ((result <> 2) and (result <> 1))) ->
  ("JC_103": ("JC_99": (r_0_0 <= l_0)))

goal flag_ensures_default_po_35:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result <> 3) and ((result <> 2) and (result <> 1))) ->
  ("JC_103": ("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)))

goal flag_ensures_default_po_36:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result <> 3) and ((result <> 2) and (result <> 1))) ->
  ("JC_103":
  ("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)))

goal flag_ensures_default_po_37:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_103":
  (("JC_95": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_96": (0 <= b_0_0)) and
    (("JC_97": (b_0_0 <= i_1_0_0)) and
     (("JC_98": (i_1_0_0 <= r_0_0)) and
      (("JC_99": (r_0_0 <= l_0)) and
       (("JC_100": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_101": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result <> 3) and ((result <> 2) and (result <> 1))) ->
  ("JC_103":
  ("JC_102": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))

goal flag_ensures_sorts_po_1:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_119": true) ->
  ("JC_117":
  (("JC_109": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_110": (0 <= b_0_0)) and
    (("JC_111": (b_0_0 <= i_1_0_0)) and
     (("JC_112": (i_1_0_0 <= r_0_0)) and
      (("JC_113": (r_0_0 <= l_0)) and
       (("JC_114": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_115": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_116": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 >= r_0_0) ->
  ("JC_77":
  (exists b:int.
    (exists r:int.
      (is_monochrome(t_2, 0, b, 1, charP_charM_t_5_0) and
       (is_monochrome(t_2, b, r, 2, charP_charM_t_5_0) and is_monochrome(t_2,
        r, l_0, 3, charP_charM_t_5_0))))))

goal flag_safety_po_1:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  (offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0)

goal flag_safety_po_2:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))

goal flag_safety_po_3:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  ("JC_39": ("JC_35": (offset_min(charP_t_5_alloc_table, t_2) <= tmp_0)))

goal flag_safety_po_4:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  ("JC_39": ("JC_36": (offset_max(charP_t_5_alloc_table, t_2) >= tmp_0)))

goal flag_safety_po_5:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  ("JC_39": ("JC_37": (offset_min(charP_t_5_alloc_table, t_2) <= tmp)))

goal flag_safety_po_6:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  ("JC_39": ("JC_38": (offset_max(charP_t_5_alloc_table, t_2) >= tmp)))

goal flag_safety_po_7:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  ("JC_39":
  (("JC_35": (offset_min(charP_t_5_alloc_table, t_2) <= tmp_0)) and
   (("JC_36": (offset_max(charP_t_5_alloc_table, t_2) >= tmp_0)) and
    (("JC_37": (offset_min(charP_t_5_alloc_table, t_2) <= tmp)) and
     ("JC_38": (offset_max(charP_t_5_alloc_table, t_2) >= tmp)))))) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    tmp_0)) = select(charP_charM_t_5_0, shift(t_2, tmp)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    tmp)) = select(charP_charM_t_5_0, shift(t_2, tmp_0)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), tmp, tmp),
   pset_range(pset_singleton(t_2), tmp_0, tmp_0)))))) ->
  (0 <= ("JC_94": (r_0_0 - i_1_0_0)))

goal flag_safety_po_8:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result = 1) ->
  forall tmp:int.
  (tmp = i_1_0_0) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  forall tmp_0:int.
  (tmp_0 = b_0_0) ->
  forall b_0_1:int.
  (b_0_1 = (b_0_0 + 1)) ->
  ("JC_39":
  (("JC_35": (offset_min(charP_t_5_alloc_table, t_2) <= tmp_0)) and
   (("JC_36": (offset_max(charP_t_5_alloc_table, t_2) >= tmp_0)) and
    (("JC_37": (offset_min(charP_t_5_alloc_table, t_2) <= tmp)) and
     ("JC_38": (offset_max(charP_t_5_alloc_table, t_2) >= tmp)))))) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    tmp_0)) = select(charP_charM_t_5_0, shift(t_2, tmp)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    tmp)) = select(charP_charM_t_5_0, shift(t_2, tmp_0)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), tmp, tmp),
   pset_range(pset_singleton(t_2), tmp_0, tmp_0)))))) ->
  (("JC_94": (r_0_0 - i_1_0_1)) < ("JC_94": (r_0_0 - i_1_0_0)))

goal flag_safety_po_9:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result = 2) or ((result <> 2) and (result = 1))) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  (0 <= ("JC_94": (r_0_0 - i_1_0_0)))

goal flag_safety_po_10:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result = 2) or ((result <> 2) and (result = 1))) ->
  forall i_1_0_1:int.
  (i_1_0_1 = (i_1_0_0 + 1)) ->
  (("JC_94": (r_0_0 - i_1_0_1)) < ("JC_94": (r_0_0 - i_1_0_0)))

goal flag_safety_po_11:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  ("JC_39": ("JC_35": (offset_min(charP_t_5_alloc_table, t_2) <= r_0_1)))

goal flag_safety_po_12:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  ("JC_39": ("JC_36": (offset_max(charP_t_5_alloc_table, t_2) >= r_0_1)))

goal flag_safety_po_13:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  ("JC_39": ("JC_38": (offset_max(charP_t_5_alloc_table, t_2) >= i_1_0_0)))

goal flag_safety_po_14:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  ("JC_39":
  (("JC_35": (offset_min(charP_t_5_alloc_table, t_2) <= r_0_1)) and
   (("JC_36": (offset_max(charP_t_5_alloc_table, t_2) >= r_0_1)) and
    (("JC_37": (offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0)) and
     ("JC_38": (offset_max(charP_t_5_alloc_table, t_2) >= i_1_0_0)))))) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    r_0_1)) = select(charP_charM_t_5_0, shift(t_2, i_1_0_0)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    i_1_0_0)) = select(charP_charM_t_5_0, shift(t_2, r_0_1)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), i_1_0_0,
   i_1_0_0), pset_range(pset_singleton(t_2), r_0_1, r_0_1)))))) ->
  (0 <= ("JC_94": (r_0_0 - i_1_0_0)))

goal flag_safety_po_15:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result = 3) or
   ((result <> 3) and ((result = 2) or ((result <> 2) and (result = 1))))) ->
  forall r_0_1:int.
  (r_0_1 = (r_0_0 - 1)) ->
  ("JC_39":
  (("JC_35": (offset_min(charP_t_5_alloc_table, t_2) <= r_0_1)) and
   (("JC_36": (offset_max(charP_t_5_alloc_table, t_2) >= r_0_1)) and
    (("JC_37": (offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0)) and
     ("JC_38": (offset_max(charP_t_5_alloc_table, t_2) >= i_1_0_0)))))) ->
  forall charP_charM_t_5_1:(charP,
  int) memory.
  ("JC_60":
  (("JC_58":
   (("JC_56": (select(charP_charM_t_5_1, shift(t_2,
    r_0_1)) = select(charP_charM_t_5_0, shift(t_2, i_1_0_0)))) and
    ("JC_57": (select(charP_charM_t_5_1, shift(t_2,
    i_1_0_0)) = select(charP_charM_t_5_0, shift(t_2, r_0_1)))))) and
   ("JC_59": not_assigns(charP_t_5_alloc_table, charP_charM_t_5_0,
   charP_charM_t_5_1, pset_union(pset_range(pset_singleton(t_2), i_1_0_0,
   i_1_0_0), pset_range(pset_singleton(t_2), r_0_1, r_0_1)))))) ->
  (("JC_94": (r_0_1 - i_1_0_0)) < ("JC_94": (r_0_0 - i_1_0_0)))

goal flag_safety_po_16:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result <> 3) and ((result <> 2) and (result <> 1))) ->
  (0 <= ("JC_94": (r_0_0 - i_1_0_0)))

goal flag_safety_po_17:
  forall t_2:charP pointer.
  forall l_0:int.
  forall charP_t_5_alloc_table:charP alloc_table.
  forall charP_charM_t_5:(charP,
  int) memory.
  ("JC_71":
  (("JC_69": (l_0 >= 0)) and
   ("JC_70": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5)))) ->
  forall b_0:int.
  (b_0 = 0) ->
  forall i_1_0:int.
  (i_1_0 = 0) ->
  forall r_0:int.
  (r_0 = l_0) ->
  forall b_0_0:int.
  forall charP_charM_t_5_0:(charP,
  int) memory.
  forall i_1_0_0:int.
  forall r_0_0:int.
  ("JC_89": true) ->
  ("JC_87":
  (("JC_79": is_color_array(t_2, l_0, charP_t_5_alloc_table,
   charP_charM_t_5_0)) and
   (("JC_80": (0 <= b_0_0)) and
    (("JC_81": (b_0_0 <= i_1_0_0)) and
     (("JC_82": (i_1_0_0 <= r_0_0)) and
      (("JC_83": (r_0_0 <= l_0)) and
       (("JC_84": is_monochrome(t_2, 0, b_0_0, 1, charP_charM_t_5_0)) and
        (("JC_85": is_monochrome(t_2, b_0_0, i_1_0_0, 2, charP_charM_t_5_0)) and
         ("JC_86": is_monochrome(t_2, r_0_0, l_0, 3, charP_charM_t_5_0)))))))))) ->
  (i_1_0_0 < r_0_0) ->
  ((offset_min(charP_t_5_alloc_table, t_2) <= i_1_0_0) and
   (i_1_0_0 <= offset_max(charP_t_5_alloc_table, t_2))) ->
  forall result:int.
  (result = select(charP_charM_t_5_0, shift(t_2, i_1_0_0))) ->
  (result <> 1) ->
  ((result <> 2) and (result <> 1)) ->
  ((result <> 3) and ((result <> 2) and (result <> 1))) ->
  (("JC_94": (r_0_0 - i_1_0_0)) < ("JC_94": (r_0_0 - i_1_0_0)))

goal isMonochrome_ensures_decides_monochromatic_po_1:
  forall t_0_0:charP pointer.
  forall i:int.
  forall j:int.
  forall c_1:int.
  forall charP_t_0_3_alloc_table:charP alloc_table.
  forall charP_charM_t_0_3:(charP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(charP_t_0_3_alloc_table, t_0_0) <= i)) and
   ("JC_6": (offset_max(charP_t_0_3_alloc_table, t_0_0) >= j)))) ->
  forall k_0:int.
  (k_0 = i) ->
  forall k_0_0:int.
  ("JC_33": true) ->
  ("JC_31":
  (("JC_29": (i <= k_0_0)) and
   ("JC_30":
   (forall l_0_0:int.
     (((i <= l_0_0) and (l_0_0 < k_0_0)) -> (select(charP_charM_t_0_3,
      shift(t_0_0, l_0_0)) = c_1)))))) ->
  (k_0_0 < j) ->
  forall result:int.
  (result = select(charP_charM_t_0_3, shift(t_0_0, k_0_0))) ->
  (result <> c_1) ->
  forall __retres:int.
  (__retres = 0) ->
  forall return:int.
  (return = __retres) ->
  (return <> 0) ->
  ("JC_13": is_monochrome(t_0_0, i, j, c_1, charP_charM_t_0_3))

goal isMonochrome_ensures_decides_monochromatic_po_2:
  forall t_0_0:charP pointer.
  forall i:int.
  forall j:int.
  forall c_1:int.
  forall charP_t_0_3_alloc_table:charP alloc_table.
  forall charP_charM_t_0_3:(charP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(charP_t_0_3_alloc_table, t_0_0) <= i)) and
   ("JC_6": (offset_max(charP_t_0_3_alloc_table, t_0_0) >= j)))) ->
  forall k_0:int.
  (k_0 = i) ->
  forall k_0_0:int.
  ("JC_33": true) ->
  ("JC_31":
  (("JC_29": (i <= k_0_0)) and
   ("JC_30":
   (forall l_0_0:int.
     (((i <= l_0_0) and (l_0_0 < k_0_0)) -> (select(charP_charM_t_0_3,
      shift(t_0_0, l_0_0)) = c_1)))))) ->
  (k_0_0 < j) ->
  forall result:int.
  (result = select(charP_charM_t_0_3, shift(t_0_0, k_0_0))) ->
  (result <> c_1) ->
  forall __retres:int.
  (__retres = 0) ->
  forall return:int.
  (return = __retres) ->
  is_monochrome(t_0_0, i, j, c_1, charP_charM_t_0_3) ->
  ("JC_13": (return <> 0))

goal isMonochrome_ensures_decides_monochromatic_po_3:
  forall t_0_0:charP pointer.
  forall i:int.
  forall j:int.
  forall c_1:int.
  forall charP_t_0_3_alloc_table:charP alloc_table.
  forall charP_charM_t_0_3:(charP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(charP_t_0_3_alloc_table, t_0_0) <= i)) and
   ("JC_6": (offset_max(charP_t_0_3_alloc_table, t_0_0) >= j)))) ->
  forall k_0:int.
  (k_0 = i) ->
  forall k_0_0:int.
  ("JC_33": true) ->
  ("JC_31":
  (("JC_29": (i <= k_0_0)) and
   ("JC_30":
   (forall l_0_0:int.
     (((i <= l_0_0) and (l_0_0 < k_0_0)) -> (select(charP_charM_t_0_3,
      shift(t_0_0, l_0_0)) = c_1)))))) ->
  (k_0_0 >= j) ->
  forall __retres:int.
  (__retres = 1) ->
  forall return:int.
  (return = __retres) ->
  (return <> 0) ->
  ("JC_13": is_monochrome(t_0_0, i, j, c_1, charP_charM_t_0_3))

goal isMonochrome_ensures_decides_monochromatic_po_4:
  forall t_0_0:charP pointer.
  forall i:int.
  forall j:int.
  forall c_1:int.
  forall charP_t_0_3_alloc_table:charP alloc_table.
  forall charP_charM_t_0_3:(charP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(charP_t_0_3_alloc_table, t_0_0) <= i)) and
   ("JC_6": (offset_max(charP_t_0_3_alloc_table, t_0_0) >= j)))) ->
  forall k_0:int.
  (k_0 = i) ->
  forall k_0_0:int.
  ("JC_33": true) ->
  ("JC_31":
  (("JC_29": (i <= k_0_0)) and
   ("JC_30":
   (forall l_0_0:int.
     (((i <= l_0_0) and (l_0_0 < k_0_0)) -> (select(charP_charM_t_0_3,
      shift(t_0_0, l_0_0)) = c_1)))))) ->
  (k_0_0 >= j) ->
  forall __retres:int.
  (__retres = 1) ->
  forall return:int.
  (return = __retres) ->
  is_monochrome(t_0_0, i, j, c_1, charP_charM_t_0_3) ->
  ("JC_13": (return <> 0))

goal isMonochrome_ensures_default_po_1:
  forall t_0_0:charP pointer.
  forall i:int.
  forall j:int.
  forall charP_t_0_3_alloc_table:charP alloc_table.
  ("JC_7":
  (("JC_5": (offset_min(charP_t_0_3_alloc_table, t_0_0) <= i)) and
   ("JC_6": (offset_max(charP_t_0_3_alloc_table, t_0_0) >= j)))) ->
  forall k_0:int.
  (k_0 = i) ->
  ("JC_25": ("JC_23": (i <= k_0)))

goal isMonochrome_ensures_default_po_2:
  forall t_0_0:charP pointer.
  forall i:int.
  forall j:int.
  forall c_1:int.
  forall charP_t_0_3_alloc_table:charP alloc_table.
  forall charP_charM_t_0_3:(charP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(charP_t_0_3_alloc_table, t_0_0) <= i)) and
   ("JC_6": (offset_max(charP_t_0_3_alloc_table, t_0_0) >= j)))) ->
  forall k_0:int.
  (k_0 = i) ->
  forall l_0_0:int.
  ((i <= l_0_0) and (l_0_0 < k_0)) ->
  ("JC_25":
  ("JC_24": (select(charP_charM_t_0_3, shift(t_0_0, l_0_0)) = c_1)))

goal isMonochrome_ensures_default_po_3:
  forall t_0_0:charP pointer.
  forall i:int.
  forall j:int.
  forall c_1:int.
  forall charP_t_0_3_alloc_table:charP alloc_table.
  forall charP_charM_t_0_3:(charP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(charP_t_0_3_alloc_table, t_0_0) <= i)) and
   ("JC_6": (offset_max(charP_t_0_3_alloc_table, t_0_0) >= j)))) ->
  forall k_0:int.
  (k_0 = i) ->
  forall k_0_0:int.
  ("JC_25":
  (("JC_23": (i <= k_0_0)) and
   ("JC_24":
   (forall l_0_0:int.
     (((i <= l_0_0) and (l_0_0 < k_0_0)) -> (select(charP_charM_t_0_3,
      shift(t_0_0, l_0_0)) = c_1)))))) ->
  (k_0_0 < j) ->
  forall result:int.
  (result = select(charP_charM_t_0_3, shift(t_0_0, k_0_0))) ->
  (result = c_1) ->
  forall k_0_1:int.
  (k_0_1 = (k_0_0 + 1)) ->
  ("JC_25": ("JC_23": (i <= k_0_1)))

goal isMonochrome_ensures_default_po_4:
  forall t_0_0:charP pointer.
  forall i:int.
  forall j:int.
  forall c_1:int.
  forall charP_t_0_3_alloc_table:charP alloc_table.
  forall charP_charM_t_0_3:(charP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(charP_t_0_3_alloc_table, t_0_0) <= i)) and
   ("JC_6": (offset_max(charP_t_0_3_alloc_table, t_0_0) >= j)))) ->
  forall k_0:int.
  (k_0 = i) ->
  forall k_0_0:int.
  ("JC_25":
  (("JC_23": (i <= k_0_0)) and
   ("JC_24":
   (forall l_0_0:int.
     (((i <= l_0_0) and (l_0_0 < k_0_0)) -> (select(charP_charM_t_0_3,
      shift(t_0_0, l_0_0)) = c_1)))))) ->
  (k_0_0 < j) ->
  forall result:int.
  (result = select(charP_charM_t_0_3, shift(t_0_0, k_0_0))) ->
  (result = c_1) ->
  forall k_0_1:int.
  (k_0_1 = (k_0_0 + 1)) ->
  forall l_0_0:int.
  ((i <= l_0_0) and (l_0_0 < k_0_1)) ->
  ("JC_25":
  ("JC_24": (select(charP_charM_t_0_3, shift(t_0_0, l_0_0)) = c_1)))

goal isMonochrome_safety_po_1:
  forall t_0_0:charP pointer.
  forall i:int.
  forall j:int.
  forall c_1:int.
  forall charP_t_0_3_alloc_table:charP alloc_table.
  forall charP_charM_t_0_3:(charP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(charP_t_0_3_alloc_table, t_0_0) <= i)) and
   ("JC_6": (offset_max(charP_t_0_3_alloc_table, t_0_0) >= j)))) ->
  forall k_0:int.
  (k_0 = i) ->
  forall k_0_0:int.
  ("JC_19": true) ->
  ("JC_17":
  (("JC_15": (i <= k_0_0)) and
   ("JC_16":
   (forall l_0_0:int.
     (((i <= l_0_0) and (l_0_0 < k_0_0)) -> (select(charP_charM_t_0_3,
      shift(t_0_0, l_0_0)) = c_1)))))) ->
  (k_0_0 < j) ->
  (offset_min(charP_t_0_3_alloc_table, t_0_0) <= k_0_0)

goal isMonochrome_safety_po_2:
  forall t_0_0:charP pointer.
  forall i:int.
  forall j:int.
  forall c_1:int.
  forall charP_t_0_3_alloc_table:charP alloc_table.
  forall charP_charM_t_0_3:(charP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(charP_t_0_3_alloc_table, t_0_0) <= i)) and
   ("JC_6": (offset_max(charP_t_0_3_alloc_table, t_0_0) >= j)))) ->
  forall k_0:int.
  (k_0 = i) ->
  forall k_0_0:int.
  ("JC_19": true) ->
  ("JC_17":
  (("JC_15": (i <= k_0_0)) and
   ("JC_16":
   (forall l_0_0:int.
     (((i <= l_0_0) and (l_0_0 < k_0_0)) -> (select(charP_charM_t_0_3,
      shift(t_0_0, l_0_0)) = c_1)))))) ->
  (k_0_0 < j) ->
  (k_0_0 <= offset_max(charP_t_0_3_alloc_table, t_0_0))

goal isMonochrome_safety_po_3:
  forall t_0_0:charP pointer.
  forall i:int.
  forall j:int.
  forall c_1:int.
  forall charP_t_0_3_alloc_table:charP alloc_table.
  forall charP_charM_t_0_3:(charP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(charP_t_0_3_alloc_table, t_0_0) <= i)) and
   ("JC_6": (offset_max(charP_t_0_3_alloc_table, t_0_0) >= j)))) ->
  forall k_0:int.
  (k_0 = i) ->
  forall k_0_0:int.
  ("JC_19": true) ->
  ("JC_17":
  (("JC_15": (i <= k_0_0)) and
   ("JC_16":
   (forall l_0_0:int.
     (((i <= l_0_0) and (l_0_0 < k_0_0)) -> (select(charP_charM_t_0_3,
      shift(t_0_0, l_0_0)) = c_1)))))) ->
  (k_0_0 < j) ->
  ((offset_min(charP_t_0_3_alloc_table, t_0_0) <= k_0_0) and
   (k_0_0 <= offset_max(charP_t_0_3_alloc_table, t_0_0))) ->
  forall result:int.
  (result = select(charP_charM_t_0_3, shift(t_0_0, k_0_0))) ->
  (result = c_1) ->
  forall k_0_1:int.
  (k_0_1 = (k_0_0 + 1)) ->
  (0 <= ("JC_22": (j - k_0_0)))

goal isMonochrome_safety_po_4:
  forall t_0_0:charP pointer.
  forall i:int.
  forall j:int.
  forall c_1:int.
  forall charP_t_0_3_alloc_table:charP alloc_table.
  forall charP_charM_t_0_3:(charP,
  int) memory.
  ("JC_7":
  (("JC_5": (offset_min(charP_t_0_3_alloc_table, t_0_0) <= i)) and
   ("JC_6": (offset_max(charP_t_0_3_alloc_table, t_0_0) >= j)))) ->
  forall k_0:int.
  (k_0 = i) ->
  forall k_0_0:int.
  ("JC_19": true) ->
  ("JC_17":
  (("JC_15": (i <= k_0_0)) and
   ("JC_16":
   (forall l_0_0:int.
     (((i <= l_0_0) and (l_0_0 < k_0_0)) -> (select(charP_charM_t_0_3,
      shift(t_0_0, l_0_0)) = c_1)))))) ->
  (k_0_0 < j) ->
  ((offset_min(charP_t_0_3_alloc_table, t_0_0) <= k_0_0) and
   (k_0_0 <= offset_max(charP_t_0_3_alloc_table, t_0_0))) ->
  forall result:int.
  (result = select(charP_charM_t_0_3, shift(t_0_0, k_0_0))) ->
  (result = c_1) ->
  forall k_0_1:int.
  (k_0_1 = (k_0_0 + 1)) ->
  (("JC_22": (j - k_0_1)) < ("JC_22": (j - k_0_0)))

goal swap_ensures_i_j_swapped_po_1:
  forall t_1:charP pointer.
  forall i_0:int.
  forall j_0_0:int.
  forall charP_t_1_4_alloc_table:charP alloc_table.
  forall charP_charM_t_1_4:(charP,
  int) memory.
  ("JC_45":
  (("JC_41": (offset_min(charP_t_1_4_alloc_table, t_1) <= i_0)) and
   (("JC_42": (offset_max(charP_t_1_4_alloc_table, t_1) >= i_0)) and
    (("JC_43": (offset_min(charP_t_1_4_alloc_table, t_1) <= j_0_0)) and
     ("JC_44": (offset_max(charP_t_1_4_alloc_table, t_1) >= j_0_0)))))) ->
  forall result:int.
  (result = select(charP_charM_t_1_4, shift(t_1, i_0))) ->
  forall z:int.
  (z = result) ->
  forall result0:int.
  (result0 = select(charP_charM_t_1_4, shift(t_1, j_0_0))) ->
  forall charP_charM_t_1_4_0:(charP,
  int) memory.
  (charP_charM_t_1_4_0 = store(charP_charM_t_1_4, shift(t_1, i_0),
  result0)) ->
  forall charP_charM_t_1_4_1:(charP,
  int) memory.
  (charP_charM_t_1_4_1 = store(charP_charM_t_1_4_0, shift(t_1, j_0_0), z)) ->
  ("JC_55":
  ("JC_53":
  ("JC_51": (select(charP_charM_t_1_4_1, shift(t_1,
  i_0)) = select(charP_charM_t_1_4, shift(t_1, j_0_0))))))

goal swap_ensures_i_j_swapped_po_2:
  forall t_1:charP pointer.
  forall i_0:int.
  forall j_0_0:int.
  forall charP_t_1_4_alloc_table:charP alloc_table.
  forall charP_charM_t_1_4:(charP,
  int) memory.
  ("JC_45":
  (("JC_41": (offset_min(charP_t_1_4_alloc_table, t_1) <= i_0)) and
   (("JC_42": (offset_max(charP_t_1_4_alloc_table, t_1) >= i_0)) and
    (("JC_43": (offset_min(charP_t_1_4_alloc_table, t_1) <= j_0_0)) and
     ("JC_44": (offset_max(charP_t_1_4_alloc_table, t_1) >= j_0_0)))))) ->
  forall result:int.
  (result = select(charP_charM_t_1_4, shift(t_1, i_0))) ->
  forall z:int.
  (z = result) ->
  forall result0:int.
  (result0 = select(charP_charM_t_1_4, shift(t_1, j_0_0))) ->
  forall charP_charM_t_1_4_0:(charP,
  int) memory.
  (charP_charM_t_1_4_0 = store(charP_charM_t_1_4, shift(t_1, i_0),
  result0)) ->
  forall charP_charM_t_1_4_1:(charP,
  int) memory.
  (charP_charM_t_1_4_1 = store(charP_charM_t_1_4_0, shift(t_1, j_0_0), z)) ->
  ("JC_55":
  ("JC_53":
  ("JC_52": (select(charP_charM_t_1_4_1, shift(t_1,
  j_0_0)) = select(charP_charM_t_1_4, shift(t_1, i_0))))))

goal swap_ensures_i_j_swapped_po_3:
  forall t_1:charP pointer.
  forall i_0:int.
  forall j_0_0:int.
  forall charP_t_1_4_alloc_table:charP alloc_table.
  forall charP_charM_t_1_4:(charP,
  int) memory.
  ("JC_45":
  (("JC_41": (offset_min(charP_t_1_4_alloc_table, t_1) <= i_0)) and
   (("JC_42": (offset_max(charP_t_1_4_alloc_table, t_1) >= i_0)) and
    (("JC_43": (offset_min(charP_t_1_4_alloc_table, t_1) <= j_0_0)) and
     ("JC_44": (offset_max(charP_t_1_4_alloc_table, t_1) >= j_0_0)))))) ->
  forall result:int.
  (result = select(charP_charM_t_1_4, shift(t_1, i_0))) ->
  forall z:int.
  (z = result) ->
  forall result0:int.
  (result0 = select(charP_charM_t_1_4, shift(t_1, j_0_0))) ->
  forall charP_charM_t_1_4_0:(charP,
  int) memory.
  (charP_charM_t_1_4_0 = store(charP_charM_t_1_4, shift(t_1, i_0),
  result0)) ->
  forall charP_charM_t_1_4_1:(charP,
  int) memory.
  (charP_charM_t_1_4_1 = store(charP_charM_t_1_4_0, shift(t_1, j_0_0), z)) ->
  ("JC_55":
  ("JC_54": not_assigns(charP_t_1_4_alloc_table, charP_charM_t_1_4,
  charP_charM_t_1_4_1, pset_union(pset_range(pset_singleton(t_1), j_0_0,
  j_0_0), pset_range(pset_singleton(t_1), i_0, i_0)))))

goal swap_safety_po_1:
  forall t_1:charP pointer.
  forall i_0:int.
  forall j_0_0:int.
  forall charP_t_1_4_alloc_table:charP alloc_table.
  ("JC_45":
  (("JC_41": (offset_min(charP_t_1_4_alloc_table, t_1) <= i_0)) and
   (("JC_42": (offset_max(charP_t_1_4_alloc_table, t_1) >= i_0)) and
    (("JC_43": (offset_min(charP_t_1_4_alloc_table, t_1) <= j_0_0)) and
     ("JC_44": (offset_max(charP_t_1_4_alloc_table, t_1) >= j_0_0)))))) ->
  (i_0 <= offset_max(charP_t_1_4_alloc_table, t_1))

goal swap_safety_po_2:
  forall t_1:charP pointer.
  forall i_0:int.
  forall j_0_0:int.
  forall charP_t_1_4_alloc_table:charP alloc_table.
  forall charP_charM_t_1_4:(charP,
  int) memory.
  ("JC_45":
  (("JC_41": (offset_min(charP_t_1_4_alloc_table, t_1) <= i_0)) and
   (("JC_42": (offset_max(charP_t_1_4_alloc_table, t_1) >= i_0)) and
    (("JC_43": (offset_min(charP_t_1_4_alloc_table, t_1) <= j_0_0)) and
     ("JC_44": (offset_max(charP_t_1_4_alloc_table, t_1) >= j_0_0)))))) ->
  ((offset_min(charP_t_1_4_alloc_table, t_1) <= i_0) and
   (i_0 <= offset_max(charP_t_1_4_alloc_table, t_1))) ->
  forall result:int.
  (result = select(charP_charM_t_1_4, shift(t_1, i_0))) ->
  forall z:int.
  (z = result) ->
  (offset_min(charP_t_1_4_alloc_table, t_1) <= j_0_0)

goal swap_safety_po_3:
  forall t_1:charP pointer.
  forall i_0:int.
  forall j_0_0:int.
  forall charP_t_1_4_alloc_table:charP alloc_table.
  forall charP_charM_t_1_4:(charP,
  int) memory.
  ("JC_45":
  (("JC_41": (offset_min(charP_t_1_4_alloc_table, t_1) <= i_0)) and
   (("JC_42": (offset_max(charP_t_1_4_alloc_table, t_1) >= i_0)) and
    (("JC_43": (offset_min(charP_t_1_4_alloc_table, t_1) <= j_0_0)) and
     ("JC_44": (offset_max(charP_t_1_4_alloc_table, t_1) >= j_0_0)))))) ->
  ((offset_min(charP_t_1_4_alloc_table, t_1) <= i_0) and
   (i_0 <= offset_max(charP_t_1_4_alloc_table, t_1))) ->
  forall result:int.
  (result = select(charP_charM_t_1_4, shift(t_1, i_0))) ->
  forall z:int.
  (z = result) ->
  (j_0_0 <= offset_max(charP_t_1_4_alloc_table, t_1))

why-2.34/tests/c/oracle/exp.res.oracle0000644000175000017500000023206212311670312016226 0ustar  rtusers========== file tests/c/exp.c ==========
/*@ requires \abs(x) <= 1.0;
  @ ensures \abs(\result - \exp(x)) <= 0x1p-4; */
double my_exp(double x) {
  /*@ assert \abs(0.9890365552 + 1.130258690*x + 
    @          0.5540440796*x*x - \exp(x)) <= 0x0.FFFFp-4; */
  return 0.9890365552 + 1.130258690 * x + 0.5540440796 * x * x;
}



/*
Local Variables:
compile-command: "make exp.why3ide"
End:
*/


========== frama-c -jessie execution ==========
[kernel] preprocessing with "gcc -C -E -I.  -dD tests/c/exp.c"
tests/c/exp.c:6:[kernel] warning: Floating-point constant 0.9890365552 is not represented exactly. Will use 0x1.fa62ffd643d6ep-1. See documentation for option -warn-decimal-float
[jessie] Starting Jessie translation
[jessie] Producing Jessie files in subdir tests/c/exp.jessie
[jessie] File tests/c/exp.jessie/exp.jc written.
[jessie] File tests/c/exp.jessie/exp.cloc written.
========== file tests/c/exp.jessie/exp.jc ==========
# IntModel = bounded
# InvariantPolicy = Arguments
# SeparationPolicy = Regions
# AnnotationPolicy = None
# AbstractDomain = Pol

axiomatic Padding {

  logic type padding
  
}

type uint8 = 0..255

type int8 = -128..127

tag unsigned_charP = {
  uint8 unsigned_charM: 8;
}

type unsigned_charP = [unsigned_charP]

tag charP = {
  int8 charM: 8;
}

type charP = [charP]

tag voidP = {
}

type voidP = [voidP]

double my_exp(double x)
  requires (_C_9 : (\real_abs((x :> real)) <= 1.0));
behavior default:
  ensures (_C_8 : (\real_abs(((\result :> real) - \exp((\at(x,Old) :> real)))) <=
                    0x1p-4));
{  
   (var double __retres);
   
   {  
      {  
         (assert for default: (_C_1 : (jessie : (\real_abs((((0.9890365552 +
                                                               (1.130258690 *
                                                                 (x :> real))) +
                                                              ((0.5540440796 *
                                                                 (x :> real)) *
                                                                (x :> real))) -
                                                             \exp((x :> real)))) <=
                                                  0x0.FFFFp-4))));
         ()
      };
      
      {  (_C_7 : (__retres = (_C_6 : ((_C_5 : ((0.9890365552 :> double) +
                                                (_C_4 : ((1.130258690 :> double) *
                                                          x)))) +
                                       (_C_3 : ((_C_2 : ((0.5540440796 :> double) *
                                                          x)) *
                                                 x))))));
         
         (return __retres)
      }
   }
}
========== file tests/c/exp.jessie/exp.cloc ==========
[_C_4]
file = "HOME/tests/c/exp.c"
line = 6
begin = 24
end = 39

[_C_5]
file = "HOME/tests/c/exp.c"
line = 6
begin = 9
end = 39

[_C_9]
file = "HOME/tests/c/exp.c"
line = 1
begin = 13
end = 27

[_C_6]
file = "HOME/tests/c/exp.c"
line = 6
begin = 9
end = 62

[my_exp]
name = "Function my_exp"
file = "HOME/tests/c/exp.c"
line = 3
begin = 7
end = 13

[_C_3]
file = "HOME/tests/c/exp.c"
line = 6
begin = 42
end = 62

[_C_7]
file = "HOME/tests/c/exp.c"
line = 6
begin = 2
end = 63

[_C_8]
file = "HOME/tests/c/exp.c"
line = 2
begin = 12
end = 45

[_C_2]
file = "HOME/tests/c/exp.c"
line = 6
begin = 42
end = 58

[_C_1]
file = "HOME/tests/c/exp.c"
line = 4
begin = 13
end = 106

========== jessie execution ==========
Generating Why function my_exp
========== file tests/c/exp.jessie/exp.makefile ==========
# this makefile was automatically generated; do not edit 

TIMEOUT ?= 10

DP ?= why-dp -timeout $(TIMEOUT)
WHYEXEC ?= why
GWHYEXEC ?= gwhy-bin
WHYLIB ?= HOME/lib

USERWHYTWOOPT= -split-user-conj
USERWHYTHREEOPT=
WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs exp.loc

GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs exp.loc

JESSIELIBFILES ?= $(WHYLIB)/why/jessie.why $(WHYLIB)/why/floats_strict.why
JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf

COQDEP = coqdep

.PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon

all: simplify/exp_why.sx

project: why/exp.wpr

why/%.wpr:  WHYOPT=--project -dir why
why/%.wpr: why/%.why
	@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

goals: why/exp_ctx.why

why/%_ctx.why: WHYOPT=--multi-why -dir why
why/%_ctx.why: why/%.why
	@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

coq: coq/exp_why.vo

coq/exp_why.v: WHYOPT=-coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/exp_why.v: why/exp.why
	@echo 'why -coq [...] why/exp.why' && $(WHY) $(JESSIELIBFILES) why/exp.why && rm -f coq/jessie_why.v

coq-goals: goals coq/exp_ctx_why.vo
	for f in why/*_po*.why; do make -f exp.makefile coq/`basename $$f .why`_why.v ; done

coq/exp_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export jessie_why." -coq-tactic "intuition"
coq/exp_ctx_why.v: why/exp_ctx.why
	@echo 'why -coq [...] why/exp_ctx.why' && $(WHY) why/exp_ctx.why

coq/%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble "Require Export exp_ctx_why." -coq-tactic "intuition"
coq/%_why.v: why/%.why
	@echo 'why -coq [...] why/$*.why' && $(WHY) why/exp_ctx.why why/$*.why

coq/%.vo: coq/%.v
	coqc -I coq $<
coq/%_po_why.vo: coq/exp_ctx_why.vo

pvs: pvs/exp_why.pvs

pvs/%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@jessie"
pvs/%_why.pvs: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why

pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble "IMPORTING why@why"
pvs/jessie_why.pvs:
	$(WHY) $(JESSIELIBFILES)

isabelle: isabelle/exp_why.thy

isabelle/%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why
isabelle/%_why.thy: why/%.why
	$(WHY) $(JESSIELIBFILES) why/$*.why
	cp -f HOME/lib/isabelle/jessie_why.thy isabelle/

simplify: simplify/exp_why.sx
	@echo 'Running Simplify on proof obligations' && ($(DP) $^)

simplify/%_why.sx: WHYOPT=-simplify -dir simplify
simplify/%_why.sx: why/%.why
	@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

vampire: vampire/exp_why.vp
	@echo 'Running Vampire on proof obligations' && ($(DP) $^)

vampire/%_why.vp: WHYOPT=-vampire -dir vampire
vampire/%_why.vp: why/%.why
	@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

alt-ergo ergo: why/exp_why.why
	@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)

why/%_why.why: WHYOPT=-alt-ergo -dir why
why/%_why.why: why/%.why
	@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

gappa: gappa/exp_why.gappa
	@echo 'Running Gappa on proof obligations' && ($(DP) $^)

gappa/%_why.gappa: WHYOPT=-gappa -dir gappa
gappa/%_why.gappa: why/%.why
	@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

cvcl: cvcl/exp_why.cvc

	@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)

cvcl/%_why.cvc: WHYOPT=-cvcl -dir cvcl
cvcl/%_why.cvc: why/%.why
	@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

harvey: harvey/exp_why.rv
	@echo 'Running haRVey on proof obligations' && ($(DP) $^)

harvey/%_why.rv: WHYOPT=-harvey -dir harvey
harvey/%_why.rv: why/%.why
	@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

zenon: zenon/exp_why.znn
	@echo 'Running Zenon on proof obligations' && ($(DP) $^)

zenon/%_why.znn: WHYOPT=-zenon -dir zenon
zenon/%_why.znn: why/%.why
	@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

smtlib: smtlib/exp_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) $^)

smtlib/%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib
smtlib/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

z3: smtlib/exp_why.smt
	@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)

yices: smtlib/exp_why.smt
	@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)

cvc3: smtlib/exp_why.smt
	@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)

smtlib-v1: smtlib-v1/exp_why.smt
smtlib-v1/%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1
smtlib-v1/%_why.smt: why/%.why
	@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why

verit: smtlib-v1/exp_why.smt
	@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)

gui stat: exp.stat

%.stat: why/%.why
	@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why

why3: why/exp_why3.why
why/%_why3.why:  WHYOPT=-why3
why/%_why3.why: why/%.why
	@echo 'why -why3 [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why
why3ml: exp.mlw
	 why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3ide: exp.mlw
	 why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

why3replay: exp.mlw
	 why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<

-include exp.depend

depend: coq/exp_why.v
	-$(COQDEP) -I coq coq/exp*_why.v > exp.depend

clean:
	rm -f coq/*.vo

========== file tests/c/exp.jessie/exp.loc ==========
[my_exp_ensures_default]
name = "Function my_exp"
behavior = "default behavior"
file = "HOME/tests/c/exp.c"
line = 3
begin = 7
end = 13

[JC_17]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 6
begin = 9
end = 62

[JC_23]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 6
begin = 9
end = 62

[JC_22]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 6
begin = 42
end = 62

[JC_5]
file = "HOME/tests/c/exp.c"
line = 2
begin = 12
end = 45

[JC_9]
file = "HOME/tests/c/exp.c"
line = 4
begin = 13
end = 106

[JC_8]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_13]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 6
begin = 9
end = 39

[JC_11]
kind = FPOverflow
file = "HOME/tests/c/exp.jessie/exp.jc"
line = 56
begin = 57
end = 80

[JC_15]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 6
begin = 42
end = 58

[JC_12]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 6
begin = 24
end = 39

[JC_6]
file = "HOME/tests/c/exp.c"
line = 2
begin = 12
end = 45

[JC_4]
file = "HOME/"
line = 0
begin = -1
end = -1

[my_exp_safety]
name = "Function my_exp"
behavior = "Safety"
file = "HOME/tests/c/exp.c"
line = 3
begin = 7
end = 13

[JC_7]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_16]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 6
begin = 42
end = 62

[JC_2]
file = "HOME/"
line = 0
begin = -1
end = -1

[JC_14]
kind = FPOverflow
file = "HOME/tests/c/exp.jessie/exp.jc"
line = 58
begin = 57
end = 81

[JC_21]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 6
begin = 42
end = 58

[JC_1]
file = "HOME/tests/c/exp.c"
line = 1
begin = 13
end = 27

[JC_10]
kind = FPOverflow
file = "HOME/tests/c/exp.jessie/exp.jc"
line = 55
begin = 47
end = 71

[JC_20]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 6
begin = 9
end = 39

[JC_18]
file = "HOME/tests/c/exp.c"
line = 4
begin = 13
end = 106

[JC_3]
file = "HOME/tests/c/exp.c"
line = 1
begin = 13
end = 27

[JC_19]
kind = FPOverflow
file = "HOME/tests/c/exp.c"
line = 6
begin = 24
end = 39

========== file tests/c/exp.jessie/why/exp.why ==========
type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag:  -> charP tag_id

axiom charP_int : (int_of_tag(charP_tag) = (1))

logic charP_of_pointer_address: unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr :
 (forall p:charP pointer. (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom : parenttag(charP_tag, bottom_tag)

axiom charP_tags :
 (forall x:charP pointer.
  (forall charP_tag_table:charP tag_table.
   instanceof(charP_tag_table, x, charP_tag)))

logic integer_of_int8: int8 -> int

predicate eq_int8(x:int8, y:int8) =
 eq_int(integer_of_int8(x), integer_of_int8(y))

logic integer_of_uint8: uint8 -> int

predicate eq_uint8(x:uint8, y:uint8) =
 eq_int(integer_of_uint8(x), integer_of_uint8(y))

logic int8_of_integer: int -> int8

axiom int8_coerce :
 (forall x:int.
  ((le_int((-128), x) and le_int(x, (127))) ->
   eq_int(integer_of_int8(int8_of_integer(x)), x)))

axiom int8_extensionality :
 (forall x:int8.
  (forall y:int8[eq_int(integer_of_int8(x), integer_of_int8(y))].
   (eq_int(integer_of_int8(x), integer_of_int8(y)) -> (x = y))))

axiom int8_range :
 (forall x:int8.
  (le_int((-128), integer_of_int8(x)) and le_int(integer_of_int8(x), (127))))

predicate left_valid_struct_charP(p:charP pointer, a:int,
 charP_alloc_table:charP alloc_table) =
 (offset_min(charP_alloc_table, p) <= a)

predicate left_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p:voidP pointer, a:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_min(voidP_alloc_table, p) <= a)

axiom pointer_addr_of_charP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address: unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address :
 (forall p:unit pointer.
  (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address: unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address :
 (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p:charP pointer, b:int,
 charP_alloc_table:charP alloc_table) =
 (offset_max(charP_alloc_table, p) >= b)

predicate right_valid_struct_unsigned_charP(p:unsigned_charP pointer, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p:voidP pointer, b:int,
 voidP_alloc_table:voidP alloc_table) =
 (offset_max(voidP_alloc_table, p) >= b)

predicate strict_valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_root_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

predicate strict_valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) = a)
 and (offset_max(charP_alloc_table, p) = b))

predicate strict_valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int,
 b:int, unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) = a)
 and (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) = a)
 and (offset_max(voidP_alloc_table, p) = b))

logic uint8_of_integer: int -> uint8

axiom uint8_coerce :
 (forall x:int.
  ((le_int((0), x) and le_int(x, (255))) ->
   eq_int(integer_of_uint8(uint8_of_integer(x)), x)))

axiom uint8_extensionality :
 (forall x:uint8.
  (forall y:uint8[eq_int(integer_of_uint8(x), integer_of_uint8(y))].
   (eq_int(integer_of_uint8(x), integer_of_uint8(y)) -> (x = y))))

axiom uint8_range :
 (forall x:uint8.
  (le_int((0), integer_of_uint8(x)) and le_int(integer_of_uint8(x), (255))))

logic unsigned_charP_tag:  -> unsigned_charP tag_id

axiom unsigned_charP_int : (int_of_tag(unsigned_charP_tag) = (1))

axiom unsigned_charP_of_pointer_address_of_pointer_addr :
 (forall p:unsigned_charP pointer.
  (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom :
 parenttag(unsigned_charP_tag, bottom_tag)

axiom unsigned_charP_tags :
 (forall x:unsigned_charP pointer.
  (forall unsigned_charP_tag_table:unsigned_charP tag_table.
   instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_root_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

predicate valid_struct_charP(p:charP pointer, a:int, b:int,
 charP_alloc_table:charP alloc_table) =
 ((offset_min(charP_alloc_table, p) <= a)
 and (offset_max(charP_alloc_table, p) >= b))

predicate valid_struct_unsigned_charP(p:unsigned_charP pointer, a:int, b:int,
 unsigned_charP_alloc_table:unsigned_charP alloc_table) =
 ((offset_min(unsigned_charP_alloc_table, p) <= a)
 and (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p:voidP pointer, a:int, b:int,
 voidP_alloc_table:voidP alloc_table) =
 ((offset_min(voidP_alloc_table, p) <= a)
 and (offset_max(voidP_alloc_table, p) >= b))

logic voidP_tag:  -> voidP tag_id

axiom voidP_int : (int_of_tag(voidP_tag) = (1))

axiom voidP_of_pointer_address_of_pointer_addr :
 (forall p:voidP pointer. (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom : parenttag(voidP_tag, bottom_tag)

axiom voidP_tags :
 (forall x:voidP pointer.
  (forall voidP_tag_table:voidP tag_table.
   instanceof(voidP_tag_table, x, voidP_tag)))

exception Loop_continue_exc of unit

exception Loop_exit_exc of unit

exception Return_label_exc of unit

parameter charP_alloc_table : charP alloc_table ref

parameter charP_tag_table : charP tag_table ref

parameter alloc_struct_charP :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { } charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter alloc_struct_charP_requires :
 n:int ->
  charP_alloc_table:charP alloc_table ref ->
   charP_tag_table:charP tag_table ref ->
    { ge_int(n, (0))} charP pointer writes charP_alloc_table,charP_tag_table
    { (strict_valid_struct_charP(result, (0), sub_int(n, (1)),
       charP_alloc_table)
      and (alloc_extends(charP_alloc_table@, charP_alloc_table)
          and (alloc_fresh(charP_alloc_table@, result, n)
              and instanceof(charP_tag_table, result, charP_tag)))) }

parameter unsigned_charP_alloc_table : unsigned_charP alloc_table ref

parameter unsigned_charP_tag_table : unsigned_charP tag_table ref

parameter alloc_struct_unsigned_charP :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { } unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter alloc_struct_unsigned_charP_requires :
 n:int ->
  unsigned_charP_alloc_table:unsigned_charP alloc_table ref ->
   unsigned_charP_tag_table:unsigned_charP tag_table ref ->
    { ge_int(n, (0))} unsigned_charP pointer
    writes unsigned_charP_alloc_table,unsigned_charP_tag_table
    { (strict_valid_struct_unsigned_charP(result, (0), sub_int(n, (1)),
       unsigned_charP_alloc_table)
      and (alloc_extends(unsigned_charP_alloc_table@,
           unsigned_charP_alloc_table)
          and (alloc_fresh(unsigned_charP_alloc_table@, result, n)
              and instanceof(unsigned_charP_tag_table, result,
                  unsigned_charP_tag)))) }

parameter voidP_alloc_table : voidP alloc_table ref

parameter voidP_tag_table : voidP tag_table ref

parameter alloc_struct_voidP :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { } voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter alloc_struct_voidP_requires :
 n:int ->
  voidP_alloc_table:voidP alloc_table ref ->
   voidP_tag_table:voidP tag_table ref ->
    { ge_int(n, (0))} voidP pointer writes voidP_alloc_table,voidP_tag_table
    { (strict_valid_struct_voidP(result, (0), sub_int(n, (1)),
       voidP_alloc_table)
      and (alloc_extends(voidP_alloc_table@, voidP_alloc_table)
          and (alloc_fresh(voidP_alloc_table@, result, n)
              and instanceof(voidP_tag_table, result, voidP_tag)))) }

parameter any_int8 : unit -> { } int8 { true }

parameter any_uint8 : unit -> { } uint8 { true }

parameter int8_of_integer_ :
 x:int ->
  { (le_int((-128), x) and le_int(x, (127)))} int8
  { eq_int(integer_of_int8(result), x) }

parameter my_exp :
 x_0:double ->
  { } double
  { (JC_6:
    le_real(abs_real(sub_real(double_value(result), exp(double_value(x_0)))),
    0x1p-4)) }

parameter my_exp_requires :
 x_0:double ->
  { (JC_1: le_real(abs_real(double_value(x_0)), 1.0))} double
  { (JC_6:
    le_real(abs_real(sub_real(double_value(result), exp(double_value(x_0)))),
    0x1p-4)) }

parameter safe_int8_of_integer_ :
 x:int -> { } int8 { eq_int(integer_of_int8(result), x) }

parameter safe_uint8_of_integer_ :
 x:int -> { } uint8 { eq_int(integer_of_uint8(result), x) }

parameter uint8_of_integer_ :
 x:int ->
  { (le_int((0), x) and le_int(x, (255)))} uint8
  { eq_int(integer_of_uint8(result), x) }

let my_exp_ensures_default =
 fun (x_0 : double) ->
  { (JC_3: le_real(abs_real(double_value(x_0)), 1.0)) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let __retres = ref (any_double void) in
     begin
       (assert
       { (JC_18:
         le_real(abs_real(sub_real(add_real(add_real(0.9890365552,
                                            mul_real(1.130258690,
                                            double_value(x_0))),
                                   mul_real(mul_real(0.5540440796,
                                            double_value(x_0)),
                                   double_value(x_0))),
                          exp(double_value(x_0)))),
         0x0.FFFFp-4)) }; void); void;
      (let _jessie_ =
      (__retres := (JC_23:
                   (((add_double_safe nearest_even) (JC_20:
                                                    (((add_double_safe nearest_even) 
                                                      ((double_of_real_safe nearest_even) 0.9890365552)) 
                                                     (JC_19:
                                                     (((mul_double_safe nearest_even) 
                                                       ((double_of_real_safe nearest_even) 1.130258690)) x_0))))) 
                    (JC_22:
                    (((mul_double_safe nearest_even) (JC_21:
                                                     (((mul_double_safe nearest_even) 
                                                       ((double_of_real_safe nearest_even) 0.5540440796)) x_0))) x_0))))) in
      void); (return := !__retres); (raise Return) end); absurd  end with
   Return -> !return end))
  { (JC_5:
    le_real(abs_real(sub_real(double_value(result), exp(double_value(x_0)))),
    0x1p-4)) }

let my_exp_safety =
 fun (x_0 : double) ->
  { (JC_3: le_real(abs_real(double_value(x_0)), 1.0)) }
  (init:
  (let return = ref (any_double void) in
  try
   begin
     (let __retres = ref (any_double void) in
     begin
       [ { } unit
         { (JC_9:
           le_real(abs_real(sub_real(add_real(add_real(0.9890365552,
                                              mul_real(1.130258690,
                                              double_value(x_0))),
                                     mul_real(mul_real(0.5540440796,
                                              double_value(x_0)),
                                     double_value(x_0))),
                            exp(double_value(x_0)))),
           0x0.FFFFp-4)) } ]; void;
      (let _jessie_ =
      (__retres := (JC_17:
                   (((add_double nearest_even) (JC_13:
                                               (((add_double nearest_even) 
                                                 (JC_10:
                                                 ((double_of_real nearest_even) 0.9890365552))) 
                                                (JC_12:
                                                (((mul_double nearest_even) 
                                                  (JC_11:
                                                  ((double_of_real nearest_even) 1.130258690))) x_0))))) 
                    (JC_16:
                    (((mul_double nearest_even) (JC_15:
                                                (((mul_double nearest_even) 
                                                  (JC_14:
                                                  ((double_of_real nearest_even) 0.5540440796))) x_0))) x_0))))) in
      void); (return := !__retres); (raise Return) end); absurd  end with
   Return -> !return end)) { true }


========== generation of alt-ergo VC output ==========
why -alt-ergo [...] why/exp.why
========== file tests/c/exp.jessie/why/exp_why.why ==========
logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic bool_and : bool, bool -> bool

logic bool_or : bool, bool -> bool

logic bool_xor : bool, bool -> bool

logic bool_not : bool -> bool

axiom bool_and_def:
  (forall a:bool.
    (forall b:bool.
      ((bool_and(a, b) = true) <-> ((a = true) and (b = true)))))

axiom bool_or_def:
  (forall a:bool.
    (forall b:bool. ((bool_or(a, b) = true) <-> ((a = true) or (b = true)))))

axiom bool_xor_def:
  (forall a:bool. (forall b:bool. ((bool_xor(a, b) = true) <-> (a <> b))))

axiom bool_not_def: (forall a:bool. ((bool_not(a) = true) <-> (a = false)))

logic ite : bool, 'a1, 'a1 -> 'a1

axiom ite_true: (forall x:'a1. (forall y:'a1. (ite(true, x, y) = x)))

axiom ite_false: (forall x:'a1. (forall y:'a1. (ite(false, x, y) = y)))

logic lt_int_bool : int, int -> bool

logic le_int_bool : int, int -> bool

logic gt_int_bool : int, int -> bool

logic ge_int_bool : int, int -> bool

logic eq_int_bool : int, int -> bool

logic neq_int_bool : int, int -> bool

axiom lt_int_bool_axiom:
  (forall x:int. (forall y:int. ((lt_int_bool(x, y) = true) <-> (x < y))))

axiom le_int_bool_axiom:
  (forall x:int. (forall y:int. ((le_int_bool(x, y) = true) <-> (x <= y))))

axiom gt_int_bool_axiom:
  (forall x:int. (forall y:int. ((gt_int_bool(x, y) = true) <-> (x > y))))

axiom ge_int_bool_axiom:
  (forall x:int. (forall y:int. ((ge_int_bool(x, y) = true) <-> (x >= y))))

axiom eq_int_bool_axiom:
  (forall x:int. (forall y:int. ((eq_int_bool(x, y) = true) <-> (x = y))))

axiom neq_int_bool_axiom:
  (forall x:int. (forall y:int. ((neq_int_bool(x, y) = true) <-> (x <> y))))

logic abs_int : int -> int

axiom abs_int_pos: (forall x:int. ((x >= 0) -> (abs_int(x) = x)))

axiom abs_int_neg: (forall x:int. ((x <= 0) -> (abs_int(x) = (-x))))

logic int_max : int, int -> int

logic int_min : int, int -> int

axiom int_max_is_ge:
  (forall x:int.
    (forall y:int. ((int_max(x, y) >= x) and (int_max(x, y) >= y))))

axiom int_max_is_some:
  (forall x:int.
    (forall y:int. ((int_max(x, y) = x) or (int_max(x, y) = y))))

axiom int_min_is_le:
  (forall x:int.
    (forall y:int. ((int_min(x, y) <= x) and (int_min(x, y) <= y))))

axiom int_min_is_some:
  (forall x:int.
    (forall y:int. ((int_min(x, y) = x) or (int_min(x, y) = y))))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

axiom real_of_int_zero: (real_of_int(0) = 0.0)

axiom real_of_int_one: (real_of_int(1) = 1.0)

axiom real_of_int_add:
  (forall x:int.
    (forall y:int.
      (real_of_int((x + y)) = (real_of_int(x) + real_of_int(y)))))

axiom real_of_int_sub:
  (forall x:int.
    (forall y:int.
      (real_of_int((x - y)) = (real_of_int(x) - real_of_int(y)))))

logic truncate_real_to_int : real -> int

axiom truncate_down_pos:
  (forall x:real.
    ((x >= 0.0) ->
     ((real_of_int(truncate_real_to_int(x)) <= x) and
      (x < real_of_int((truncate_real_to_int(x) + 1))))))

axiom truncate_up_neg:
  (forall x:real.
    ((x <= 0.0) ->
     ((real_of_int((truncate_real_to_int(x) - 1)) < x) and
      (x <= real_of_int(truncate_real_to_int(x))))))

logic floor_real_to_int : real -> int

logic ceil_real_to_int : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

function sqr_real(x: real) : real = (x * x)

logic sqrt_real : real -> real

axiom sqrt_pos: (forall x:real. ((x >= 0.0) -> (sqrt_real(x) >= 0.0)))

axiom sqrt_sqr: (forall x:real. ((x >= 0.0) -> (sqr_real(sqrt_real(x)) = x)))

axiom sqr_sqrt: (forall x:real. ((x >= 0.0) -> (sqrt_real((x * x)) = x)))

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

axiom exp_log: (forall x:real. ((x > 0.0) -> (exp(log(x)) = x)))

logic pow_real_int : real, int -> real

logic pow_real : real, real -> real

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic pi : real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

logic computer_div : int, int -> int

logic computer_mod : int, int -> int

logic math_div : int, int -> int

logic math_mod : int, int -> int

axiom math_div_mod:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (x = ((y * math_div(x, y)) + math_mod(x, y))))))

axiom math_mod_bound:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> ((0 <= math_mod(x, y)) and (math_mod(x, y) < abs_int(y))))))

axiom computer_div_mod:
  (forall x:int.
    (forall y:int [computer_div(x, y), computer_mod(x, y)].
      ((y <> 0) -> (x = ((y * computer_div(x, y)) + computer_mod(x, y))))))

axiom computer_div_bound:
  (forall x:int.
    (forall y:int.
      (((x >= 0) and (y > 0)) ->
       ((0 <= computer_div(x, y)) and (computer_div(x, y) <= x)))))

axiom computer_mod_bound:
  (forall x:int.
    (forall y:int. ((y <> 0) -> (abs_int(computer_mod(x, y)) < abs_int(y)))))

axiom computer_mod_sign_pos:
  (forall x:int.
    (forall y:int. (((x >= 0) and (y <> 0)) -> (computer_mod(x, y) >= 0))))

axiom computer_mod_sign_neg:
  (forall x:int.
    (forall y:int. (((x <= 0) and (y <> 0)) -> (computer_mod(x, y) <= 0))))

axiom computer_rounds_toward_zero:
  (forall x:int.
    (forall y:int.
      ((y <> 0) -> (abs_int((computer_div(x, y) * y)) <= abs_int(x)))))

type 't alloc_table

type 't pointer

type 't block

logic base_block : 'a1 pointer -> 'a1 block

logic offset_max : 'a1 alloc_table, 'a1 pointer -> int

logic offset_min : 'a1 alloc_table, 'a1 pointer -> int

predicate valid(a: 'a1 alloc_table, p: 'a1 pointer) =
  ((offset_min(a, p) <= 0) and (offset_max(a, p) >= 0))

predicate same_block(p: 'a1 pointer, q: 'a1 pointer) =
  (base_block(p) = base_block(q))

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic null : 'a1 pointer

logic pointer_address : 'a1 pointer -> unit pointer

logic absolute_address : int -> unit pointer

logic address : 'a1 pointer -> int

axiom address_injective:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. ((p = q) <-> (address(p) = address(q)))))

axiom address_null: (address(null) = 0)

axiom address_shift_lt:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) < address(shift(p, j))) <-> (i < j)))))

axiom address_shift_le:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [address(shift(p, i)), address(shift(p, j))].
        ((address(shift(p, i)) <= address(shift(p, j))) <-> (i <= j)))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom offset_max_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_max(a, shift(p, i)) = (offset_max(a, p) - i)))))

axiom offset_min_shift:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (offset_min(a, shift(p, i)) = (offset_min(a, p) - i)))))

axiom neq_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(p, i), shift(p, j)].
        ((i <> j) -> (shift(p, i) <> shift(p, j))))))

axiom null_not_valid: (forall a:'a1 alloc_table. (not valid(a, null)))

axiom null_pointer:
  (forall a:'a1 alloc_table.
    ((offset_min(a, null) >= 0) and (offset_max(a, null) <= (-2))))

logic eq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

logic neq_pointer_bool : 'a1 pointer, 'a1 pointer -> bool

axiom eq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer. ((eq_pointer_bool(p1, p2) = true) <-> (p1 = p2))))

axiom neq_pointer_bool_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((neq_pointer_bool(p1, p2) = true) <-> (p1 <> p2))))

axiom same_block_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(p, shift(q, i))].
        (same_block(p, q) -> same_block(p, shift(q, i))))))

axiom same_block_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [same_block(shift(q, i), p)].
        (same_block(q, p) -> same_block(shift(q, i), p)))))

axiom sub_pointer_shift:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> (p = shift(q, sub_pointer(p, q))))))

axiom sub_pointer_self:
  (forall p:'a1 pointer [sub_pointer(p, p)]. (sub_pointer(p, p) = 0))

axiom sub_pointer_zero:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer [sub_pointer(p, q)].
      (same_block(p, q) -> ((sub_pointer(p, q) = 0) -> (p = q)))))

axiom sub_pointer_shift_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(shift(p, i), q)]. (sub_pointer(shift(p, i),
        q) = (sub_pointer(p, q) + i)))))

axiom sub_pointer_shift_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [sub_pointer(p, shift(q, i))]. (sub_pointer(p, shift(q,
        i)) = (sub_pointer(p, q) - i)))))

type ('t, 'v) memory

logic select : ('a2, 'a1) memory, 'a2 pointer -> 'a1

logic store : ('a1, 'a2) memory, 'a1 pointer, 'a2 -> ('a1, 'a2) memory

axiom select_store_eq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 = p2) -> (select(store(m, p1, a), p2) = a))))))

axiom select_store_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        (forall a:'a2 [store(m, p1, a), p2].
          ((p1 <> p2) -> (select(store(m, p1, a), p2) = select(m, p2)))))))

type 't pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_deref : ('a2, 'a1 pointer) memory, 'a2 pset -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic in_pset : 'a1 pointer, 'a1 pset -> prop

logic valid_pset : 'a1 alloc_table, 'a1 pset -> prop

predicate pset_disjoint(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (not (in_pset(p, ps1) and in_pset(p, ps2))))

predicate pset_included(ps1: 'a1 pset, ps2: 'a1 pset) =
  (forall p:'a1 pointer. (in_pset(p, ps1) -> in_pset(p, ps2)))

axiom pset_included_self: (forall ps:'a1 pset. pset_included(ps, ps))

axiom pset_included_range:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))].
            (((c <= a) and (b <= d)) -> pset_included(pset_range(ps, a, b),
             pset_range(ps, c, d))))))))

axiom pset_included_range_all:
  (forall ps:'a1 pset.
    (forall a:int.
      (forall b:int.
        (forall c:int.
          (forall d:int [pset_included(pset_range(ps, a, b), pset_range(ps,
            c, d))]. pset_included(pset_range(ps, a, b), pset_all(ps)))))))

axiom in_pset_empty: (forall p:'a1 pointer. (not in_pset(p, pset_empty)))

axiom in_pset_singleton:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer. (in_pset(p, pset_singleton(q)) <-> (p = q))))

axiom in_pset_deref:
  (forall p:'a1 pointer.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (in_pset(p, pset_deref(m, q)) <->
         (exists r:'a2 pointer. (in_pset(r, q) and (p = select(m, r))))))))

axiom in_pset_all:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (in_pset(p, pset_all(q)) <->
       (exists i:int.
         (exists r:'a1 pointer. (in_pset(r, q) and (p = shift(r, i))))))))

axiom in_pset_range:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (forall b:int.
          (in_pset(p, pset_range(q, a, b)) <->
           (exists i:int.
             (exists r:'a1 pointer.
               ((a <= i) and
                ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))))

axiom in_pset_range_left:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall b:int.
        (in_pset(p, pset_range_left(q, b)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((i <= b) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_range_right:
  (forall p:'a1 pointer.
    (forall q:'a1 pset.
      (forall a:int.
        (in_pset(p, pset_range_right(q, a)) <->
         (exists i:int.
           (exists r:'a1 pointer.
             ((a <= i) and (in_pset(r, q) and (p = shift(r, i))))))))))

axiom in_pset_union:
  (forall p:'a1 pointer.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (in_pset(p, pset_union(s1, s2)) <->
         (in_pset(p, s1) or in_pset(p, s2))))))

axiom valid_pset_empty: (forall a:'a1 alloc_table. valid_pset(a, pset_empty))

axiom valid_pset_singleton:
  (forall a:'a1 alloc_table.
    (forall p:'a1 pointer.
      (valid_pset(a, pset_singleton(p)) <-> valid(a, p))))

axiom valid_pset_deref:
  (forall a:'a1 alloc_table.
    (forall m:('a2, 'a1 pointer) memory.
      (forall q:'a2 pset.
        (valid_pset(a, pset_deref(m, q)) <->
         (forall r:'a2 pointer.
           (forall p:'a1 pointer.
             ((in_pset(r, q) and (p = select(m, r))) -> valid(a, p))))))))

axiom valid_pset_range:
  (forall a:'a1 alloc_table.
    (forall q:'a1 pset.
      (forall c:int.
        (forall d:int.
          (valid_pset(a, pset_range(q, c, d)) <->
           (forall i:int.
             (forall r:'a1 pointer.
               ((in_pset(r, q) and ((c <= i) and (i <= d))) -> valid(a,
                shift(r, i))))))))))

axiom valid_pset_union:
  (forall a:'a1 alloc_table.
    (forall s1:'a1 pset.
      (forall s2:'a1 pset.
        (valid_pset(a, pset_union(s1, s2)) <->
         (valid_pset(a, s1) and valid_pset(a, s2))))))

predicate not_assigns(a: 'a1 alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a1 pset) =
  (forall p:'a1 pointer.
    ((valid(a, p) and (not in_pset(p, l))) -> (select(m2, p) = select(m1, p))))

axiom not_assigns_refl:
  (forall a:'a1 alloc_table.
    (forall m:('a1, 'a2) memory.
      (forall l:'a1 pset. not_assigns(a, m, m, l))))

axiom not_assigns_trans:
  (forall a:'a1 alloc_table.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory.
          (forall l:'a1 pset [not_assigns(a, m1, m2, l), not_assigns(a, m1,
            m3, l)].
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

logic full_separated : 'a1 pointer, 'a2 pointer -> prop

axiom full_separated_shift1:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(p, shift(q, i))))))

axiom full_separated_shift2:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(p, q), shift(q, i)].
        (full_separated(p, q) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift3:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(shift(q, i), p)))))

axiom full_separated_shift4:
  (forall p:'a1 pointer.
    (forall q:'a1 pointer.
      (forall i:int [full_separated(q, p), shift(q, i)].
        (full_separated(q, p) -> full_separated(p, shift(q, i))))))

type 't tag_table

type 't tag_id

logic int_of_tag : 'a1 tag_id -> int

logic typeof : 'a1 tag_table, 'a1 pointer -> 'a1 tag_id

logic parenttag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag : 'a1 tag_id, 'a1 tag_id -> prop

logic subtag_bool : 'a1 tag_id, 'a1 tag_id -> bool

axiom subtag_bool_def:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id. ((subtag_bool(t1, t2) = true) <-> subtag(t1, t2))))

axiom subtag_refl: (forall t:'a1 tag_id. subtag(t, t))

axiom subtag_parent:
  (forall t1:'a1 tag_id.
    (forall t2:'a1 tag_id.
      (forall t3:'a1 tag_id.
        (subtag(t1, t2) -> (parenttag(t2, t3) -> subtag(t1, t3))))))

predicate instanceof(a: 'a1 tag_table, p: 'a1 pointer, t: 'a1 tag_id) =
  subtag(typeof(a, p), t)

logic downcast : 'a1 tag_table, 'a1 pointer, 'a1 tag_id -> 'a1 pointer

axiom downcast_instanceof:
  (forall a:'a1 tag_table.
    (forall p:'a1 pointer.
      (forall s:'a1 tag_id. (instanceof(a, p, s) -> (downcast(a, p, s) = p)))))

logic bottom_tag : 'a1 tag_id

axiom bottom_tag_axiom: (forall t:'a1 tag_id. subtag(t, bottom_tag))

predicate root_tag(t: 'a1 tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  (forall a:'a1 tag_id.
    (forall b:'a1 tag_id.
      (forall c:'a1 tag_id.
        (root_tag(a) ->
         (root_tag(b) -> ((a <> b) -> (subtag(c, a) -> (not subtag(c, b)))))))))

predicate fully_packed(tag_table: 'a1 tag_table, mutable: ('a1,
  'a1 tag_id) memory, this: 'a1 pointer) = (select(mutable,
  this) = typeof(tag_table, this))

logic bw_compl : int -> int

logic bw_and : int, int -> int

axiom bw_and_not_null:
  (forall a:int.
    (forall b:int. ((bw_and(a, b) <> 0) -> ((a <> 0) and (b <> 0)))))

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

axiom lsl_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsl(a, b)))))

axiom lsl_left_positive_monotone:
  (forall a1:int.
    (forall a2:int.
      (forall b:int.
        (((0 <= a1) and ((a1 <= a2) and (0 <= b))) -> (lsl(a1, b) <= lsl(a2,
         b))))))

logic lsr : int, int -> int

axiom lsr_left_positive_returns_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= lsr(a, b)))))

axiom lsr_left_positive_decreases:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(a, b) <= a))))

logic asr : int, int -> int

axiom asr_positive_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (0 <= asr(a, b)))))

axiom asr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) <= a))))

axiom asr_lsr_same_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (asr(a, b) = lsr(a, b)))))

axiom lsl_of_lsr_decreases_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsl(lsr(a, b), b) <= a))))

axiom lsr_of_lsl_identity_on_positive:
  (forall a:int.
    (forall b:int. (((0 <= a) and (0 <= b)) -> (lsr(lsl(a, b), b) = a))))

logic alloc_extends : 'a1 alloc_table, 'a1 alloc_table -> prop

predicate alloc_fresh(a: 'a1 alloc_table, p: 'a1 pointer, n: int) =
  (forall i:int. (((0 <= i) and (i < n)) -> (not valid(a, shift(p, i)))))

axiom alloc_extends_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_min(a1, p) = offset_min(a2, p)))))))

axiom alloc_extends_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table [alloc_extends(a1, a2)].
      (alloc_extends(a1, a2) ->
       (forall p:'a1 pointer.
         (valid(a1, p) -> (offset_max(a1, p) = offset_max(a2, p)))))))

axiom alloc_extends_not_assigns_empty:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory.
          (forall l:'a1 pset.
            (forall p:'a1 pointer.
              (forall n:int [alloc_extends(a1, a2), alloc_fresh(a1, p, n),
                not_assigns(a2, m1, m2, l)].
                ((alloc_extends(a1, a2) and
                  (alloc_fresh(a1, p, n) and
                   (not_assigns(a2, m1, m2, l) and pset_included(l,
                    pset_all(pset_singleton(p)))))) ->
                 not_assigns(a1, m1, m2, pset_empty)))))))))

logic alloc_extends_except : 'a1 alloc_table, 'a1 alloc_table,
'a1 pset -> prop

axiom alloc_extends_except_offset_min:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_min(a1,
            p) = offset_min(a2, p))))))))

axiom alloc_extends_except_offset_max:
  (forall a1:'a1 alloc_table.
    (forall a2:'a1 alloc_table.
      (forall l:'a1 pset [alloc_extends_except(a1, a2, l)].
        (alloc_extends_except(a1, a2, l) ->
         (forall p:'a1 pointer.
           ((valid(a1, p) and (not in_pset(p, l))) -> (offset_max(a1,
            p) = offset_max(a2, p))))))))

type 'a mybag

logic in_mybag : 'a1, 'a1 mybag -> prop

logic disj_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom disj_sym:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag [disj_mybag(s1, s2)].
      (disj_mybag(s1, s2) -> disj_mybag(s2, s1))))

logic sub_mybag : 'a1 mybag, 'a1 mybag -> prop

axiom sub_refl:
  (forall sa:'a1 pointer mybag [sub_mybag(sa, sa)]. sub_mybag(sa, sa))

axiom sub_disj:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [disj_mybag(s1, s2), sub_mybag(s2, s3)|
        disj_mybag(s1, s3), sub_mybag(s2, s3)].
        (disj_mybag(s1, s3) -> (sub_mybag(s2, s3) -> disj_mybag(s1, s2))))))

axiom sub_in:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall p:'a1 [in_mybag(p, s1), sub_mybag(s1, s2)| in_mybag(p, s2),
        sub_mybag(s1, s2)].
        ((not in_mybag(p, s2)) ->
         (sub_mybag(s1, s2) -> (not in_mybag(p, s1)))))))

axiom sub_sub:
  (forall s1:'a1 mybag.
    (forall s2:'a1 mybag.
      (forall s3:'a1 mybag [sub_mybag(s1, s3), sub_mybag(s2, s3)|
        sub_mybag(s1, s3), sub_mybag(s1, s2)].
        (sub_mybag(s1, s2) -> (sub_mybag(s2, s3) -> sub_mybag(s1, s3))))))

logic frame_between : 'a1 pointer mybag, ('a1, 'a2) memory, ('a1,
'a2) memory -> prop

axiom frame_between_refl:
  (forall sa:'a1 pointer mybag.
    (forall m:('a1, 'a2) memory [frame_between(sa, m, m)]. frame_between(sa,
      m, m)))

axiom frame_between_gen:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, store(m2, p, v))].
            (frame_between(sa, m1, m2) ->
             (in_mybag(p, sa) -> frame_between(sa, store(m1, p, v), m2))))))))

axiom frame_between_gen2:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall m3:('a1, 'a2) memory [frame_between(sa, m1, m2),
          frame_between(sa, m1, m3)| frame_between(sa, m2, m3),
          frame_between(sa, m1, m3)].
          (frame_between(sa, m1, m2) ->
           (frame_between(sa, m2, m3) -> frame_between(sa, m1, m3)))))))

axiom frame_between_gen_sub1:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s12, m1, m2),
              frame_between(s13, m1, m3)].
              (sub_mybag(s12, s13) ->
               (frame_between(s12, m1, m2) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_gen_sub2:
  (forall s12:'a1 pointer mybag.
    (forall s23:'a1 pointer mybag.
      (forall s13:'a1 pointer mybag.
        (forall m1:('a1, 'a2) memory.
          (forall m2:('a1, 'a2) memory.
            (forall m3:('a1, 'a2) memory [frame_between(s23, m2, m3),
              frame_between(s13, m1, m3)].
              (frame_between(s12, m1, m2) ->
               (sub_mybag(s23, s13) ->
                (frame_between(s23, m2, m3) -> frame_between(s13, m1, m3))))))))))

axiom frame_between_pointer:
  (forall sa:'a1 pointer mybag.
    (forall m1:('a1, 'a2) memory.
      (forall m2:('a1, 'a2) memory.
        (forall p:'a1 pointer.
          (forall v:'a2 [frame_between(sa, m1, m2), select(m1, p)|
            frame_between(sa, m1, m2), select(m2, p)].
            (frame_between(sa, m1, m2) ->
             ((not in_mybag(p, sa)) -> (select(m1, p) = select(m2, p)))))))))

axiom frame_between_sub:
  (forall sa:'a1 pointer mybag.
    (forall sb:'a1 pointer mybag.
      (forall m1:('a1, 'a2) memory.
        (forall m2:('a1, 'a2) memory [frame_between(sa, m1, m2),
          sub_mybag(sa, sb)].
          (frame_between(sa, m1, m2) ->
           (sub_mybag(sa, sb) -> frame_between(sb, m1, m2)))))))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

logic mode_match : mode, 'a1, 'a1, 'a1, 'a1, 'a1 -> 'a1

axiom mode_match_nearest_even:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_even, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_2))))))

axiom mode_match_to_zero:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(to_zero, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_3))))))

axiom mode_match_up:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(up, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_4))))))

axiom mode_match_down:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6)]. (mode_match(down, aux_2, aux_3, aux_4, aux_5,
            aux_6) = aux_5))))))

axiom mode_match_nearest_away:
  (forall aux_2:'a1.
    (forall aux_3:'a1.
      (forall aux_4:'a1.
        (forall aux_5:'a1.
          (forall aux_6:'a1 [mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6)]. (mode_match(nearest_away, aux_2, aux_3, aux_4,
            aux_5, aux_6) = aux_6))))))

axiom mode_inversion:
  (forall aux_1:mode.
    (((((aux_1 = nearest_even) or (aux_1 = to_zero)) or (aux_1 = up)) or
      (aux_1 = down)) or
     (aux_1 = nearest_away)))

logic mode_to_int : mode -> int

axiom mode_to_int_nearest_even: (mode_to_int(nearest_even) = 0)

axiom mode_to_int_to_zero: (mode_to_int(to_zero) = 1)

axiom mode_to_int_up: (mode_to_int(up) = 2)

axiom mode_to_int_down: (mode_to_int(down) = 3)

axiom mode_to_int_nearest_away: (mode_to_int(nearest_away) = 4)

type double

logic round_double : mode, real -> real

logic round_double_logic : mode, real -> double

logic double_value : double -> real

logic double_exact : double -> real

logic double_model : double -> real

function double_round_error(x: double) : real =
  abs_real((double_value(x) - double_exact(x)))

function double_total_error(x: double) : real =
  abs_real((double_value(x) - double_model(x)))

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023

predicate no_overflow_double(m: mode, x: real) = (abs_real(round_double(m,
  x)) <= max_double)

axiom bounded_real_no_overflow_double:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_double) -> no_overflow_double(m, x))))

axiom round_double_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_double(m, x) <= round_double(m, y))))))

axiom exact_round_double_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-9007199254740992) <= i) and (i <= 9007199254740992)) ->
       (round_double(m, real_of_int(i)) = real_of_int(i)))))

axiom exact_round_double_for_doubles:
  (forall x:double.
    (forall m:mode. (round_double(m, double_value(x)) = double_value(x))))

axiom round_double_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_double(m1, round_double(m2,
        x)) = round_double(m2, x)))))

axiom round_down_double_neg:
  (forall x:real. (round_double(down, (-x)) = (-round_double(up, x))))

axiom round_up_double_neg:
  (forall x:real. (round_double(up, (-x)) = (-round_double(down, x))))

axiom round_double_down_le: (forall x:real. (round_double(down, x) <= x))

axiom round_up_double_ge: (forall x:real. (round_double(up, x) >= x))

type single

logic round_single : mode, real -> real

logic round_single_logic : mode, real -> single

logic single_value : single -> real

logic single_exact : single -> real

logic single_model : single -> real

function single_round_error(x: single) : real =
  abs_real((single_value(x) - single_exact(x)))

function single_total_error(x: single) : real =
  abs_real((single_value(x) - single_model(x)))

function max_single() : real = 0x1.FFFFFEp127

predicate no_overflow_single(m: mode, x: real) = (abs_real(round_single(m,
  x)) <= max_single)

axiom bounded_real_no_overflow_single:
  (forall m:mode.
    (forall x:real.
      ((abs_real(x) <= max_single) -> no_overflow_single(m, x))))

axiom round_single_monotonic:
  (forall x:real.
    (forall y:real.
      (forall m:mode.
        ((x <= y) -> (round_single(m, x) <= round_single(m, y))))))

axiom exact_round_single_for_integers:
  (forall i:int.
    (forall m:mode.
      ((((-16777216) <= i) and (i <= 16777216)) -> (round_single(m,
       real_of_int(i)) = real_of_int(i)))))

axiom exact_round_single_for_singles:
  (forall x:single.
    (forall m:mode. (round_single(m, single_value(x)) = single_value(x))))

axiom round_single_idempotent:
  (forall m1:mode.
    (forall m2:mode.
      (forall x:real. (round_single(m1, round_single(m2,
        x)) = round_single(m2, x)))))

axiom round_down_single_neg:
  (forall x:real. (round_single(down, (-x)) = (-round_single(up, x))))

axiom round_up_single_neg:
  (forall x:real. (round_single(up, (-x)) = (-round_single(down, x))))

axiom round_single_down_le: (forall x:real. (round_single(down, x) <= x))

axiom round_up_single_ge: (forall x:real. (round_single(up, x) >= x))

axiom single_value_is_bounded:
  (forall x:single. (abs_real(single_value(x)) <= max_single))

axiom double_value_is_bounded:
  (forall x:double. (abs_real(double_value(x)) <= max_double))

predicate single_of_real_post(m: mode, x: real, res: single) =
  ((single_value(res) = round_single(m, x)) and
   ((single_exact(res) = x) and (single_model(res) = x)))

predicate single_of_double_post(m: mode, x: double, res: single) =
  ((single_value(res) = round_single(m, double_value(x))) and
   ((single_exact(res) = double_exact(x)) and
    (single_model(res) = double_model(x))))

predicate add_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) + single_value(y)))) and
   ((single_exact(res) = (single_exact(x) + single_exact(y))) and
    (single_model(res) = (single_model(x) + single_model(y)))))

predicate sub_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) - single_value(y)))) and
   ((single_exact(res) = (single_exact(x) - single_exact(y))) and
    (single_model(res) = (single_model(x) - single_model(y)))))

predicate mul_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m,
   (single_value(x) * single_value(y)))) and
   ((single_exact(res) = (single_exact(x) * single_exact(y))) and
    (single_model(res) = (single_model(x) * single_model(y)))))

predicate div_single_post(m: mode, x: single, y: single, res: single) =
  ((single_value(res) = round_single(m, div_real(single_value(x),
   single_value(y)))) and
   ((single_exact(res) = div_real(single_exact(x), single_exact(y))) and
    (single_model(res) = div_real(single_model(x), single_model(y)))))

predicate sqrt_single_post(m: mode, x: single, res: single) =
  ((single_value(res) = round_single(m, sqrt_real(single_value(x)))) and
   ((single_exact(res) = sqrt_real(single_exact(x))) and
    (single_model(res) = sqrt_real(single_model(x)))))

predicate neg_single_post(x: single, res: single) =
  ((single_value(res) = (-single_value(x))) and
   ((single_exact(res) = (-single_exact(x))) and
    (single_model(res) = (-single_model(x)))))

predicate abs_single_post(x: single, res: single) =
  ((single_value(res) = abs_real(single_value(x))) and
   ((single_exact(res) = abs_real(single_exact(x))) and
    (single_model(res) = abs_real(single_model(x)))))

predicate double_of_real_post(m: mode, x: real, res: double) =
  ((double_value(res) = round_double(m, x)) and
   ((double_exact(res) = x) and (double_model(res) = x)))

predicate double_of_single_post(x: single, res: double) =
  ((double_value(res) = single_value(x)) and
   ((double_exact(res) = single_exact(x)) and
    (double_model(res) = single_model(x))))

predicate add_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) + double_value(y)))) and
   ((double_exact(res) = (double_exact(x) + double_exact(y))) and
    (double_model(res) = (double_model(x) + double_model(y)))))

predicate sub_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) - double_value(y)))) and
   ((double_exact(res) = (double_exact(x) - double_exact(y))) and
    (double_model(res) = (double_model(x) - double_model(y)))))

predicate mul_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m,
   (double_value(x) * double_value(y)))) and
   ((double_exact(res) = (double_exact(x) * double_exact(y))) and
    (double_model(res) = (double_model(x) * double_model(y)))))

predicate div_double_post(m: mode, x: double, y: double, res: double) =
  ((double_value(res) = round_double(m, div_real(double_value(x),
   double_value(y)))) and
   ((double_exact(res) = div_real(double_exact(x), double_exact(y))) and
    (double_model(res) = div_real(double_model(x), double_model(y)))))

predicate sqrt_double_post(m: mode, x: double, res: double) =
  ((double_value(res) = round_double(m, sqrt_real(double_value(x)))) and
   ((double_exact(res) = sqrt_real(double_exact(x))) and
    (double_model(res) = sqrt_real(double_model(x)))))

predicate neg_double_post(x: double, res: double) =
  ((double_value(res) = (-double_value(x))) and
   ((double_exact(res) = (-double_exact(x))) and
    (double_model(res) = (-double_model(x)))))

predicate abs_double_post(x: double, res: double) =
  ((double_value(res) = abs_real(double_value(x))) and
   ((double_exact(res) = abs_real(double_exact(x))) and
    (double_model(res) = abs_real(double_model(x)))))

type charP

type int8

type padding

type uint8

type unsigned_charP

type voidP

logic charP_tag : charP tag_id

axiom charP_int: (int_of_tag(charP_tag) = 1)

logic charP_of_pointer_address : unit pointer -> charP pointer

axiom charP_of_pointer_address_of_pointer_addr:
  (forall p:charP pointer.
    (p = charP_of_pointer_address(pointer_address(p))))

axiom charP_parenttag_bottom: parenttag(charP_tag, bottom_tag)

axiom charP_tags:
  (forall x:charP pointer.
    (forall charP_tag_table:charP tag_table. instanceof(charP_tag_table, x,
      charP_tag)))

logic integer_of_int8 : int8 -> int

predicate eq_int8(x: int8, y: int8) =
  (integer_of_int8(x) = integer_of_int8(y))

logic integer_of_uint8 : uint8 -> int

predicate eq_uint8(x: uint8, y: uint8) =
  (integer_of_uint8(x) = integer_of_uint8(y))

logic int8_of_integer : int -> int8

axiom int8_coerce:
  (forall x:int.
    ((((-128) <= x) and (x <= 127)) ->
     (integer_of_int8(int8_of_integer(x)) = x)))

axiom int8_extensionality:
  (forall x:int8.
    (forall y:int8. ((integer_of_int8(x) = integer_of_int8(y)) -> (x = y))))

axiom int8_range:
  (forall x:int8.
    (((-128) <= integer_of_int8(x)) and (integer_of_int8(x) <= 127)))

predicate left_valid_struct_charP(p: charP pointer, a: int,
  charP_alloc_table: charP alloc_table) = (offset_min(charP_alloc_table,
  p) <= a)

predicate left_valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_min(unsigned_charP_alloc_table, p) <= a)

predicate left_valid_struct_voidP(p: voidP pointer, a: int,
  voidP_alloc_table: voidP alloc_table) = (offset_min(voidP_alloc_table,
  p) <= a)

axiom pointer_addr_of_charP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(charP_of_pointer_address(p))))

logic unsigned_charP_of_pointer_address : unit pointer -> unsigned_charP pointer

axiom pointer_addr_of_unsigned_charP_of_pointer_address:
  (forall p:unit pointer.
    (p = pointer_address(unsigned_charP_of_pointer_address(p))))

logic voidP_of_pointer_address : unit pointer -> voidP pointer

axiom pointer_addr_of_voidP_of_pointer_address:
  (forall p:unit pointer. (p = pointer_address(voidP_of_pointer_address(p))))

predicate right_valid_struct_charP(p: charP pointer, b: int,
  charP_alloc_table: charP alloc_table) = (offset_max(charP_alloc_table,
  p) >= b)

predicate right_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  (offset_max(unsigned_charP_alloc_table, p) >= b)

predicate right_valid_struct_voidP(p: voidP pointer, b: int,
  voidP_alloc_table: voidP alloc_table) = (offset_max(voidP_alloc_table,
  p) >= b)

predicate strict_valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

predicate strict_valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) = a) and (offset_max(charP_alloc_table,
   p) = b))

predicate strict_valid_struct_unsigned_charP(p: unsigned_charP pointer,
  a: int, b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) = a) and
   (offset_max(unsigned_charP_alloc_table, p) = b))

predicate strict_valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) = a) and (offset_max(voidP_alloc_table,
   p) = b))

logic uint8_of_integer : int -> uint8

axiom uint8_coerce:
  (forall x:int.
    (((0 <= x) and (x <= 255)) -> (integer_of_uint8(uint8_of_integer(x)) = x)))

axiom uint8_extensionality:
  (forall x:uint8.
    (forall y:uint8.
      ((integer_of_uint8(x) = integer_of_uint8(y)) -> (x = y))))

axiom uint8_range:
  (forall x:uint8.
    ((0 <= integer_of_uint8(x)) and (integer_of_uint8(x) <= 255)))

logic unsigned_charP_tag : unsigned_charP tag_id

axiom unsigned_charP_int: (int_of_tag(unsigned_charP_tag) = 1)

axiom unsigned_charP_of_pointer_address_of_pointer_addr:
  (forall p:unsigned_charP pointer.
    (p = unsigned_charP_of_pointer_address(pointer_address(p))))

axiom unsigned_charP_parenttag_bottom: parenttag(unsigned_charP_tag,
  bottom_tag)

axiom unsigned_charP_tags:
  (forall x:unsigned_charP pointer.
    (forall unsigned_charP_tag_table:unsigned_charP tag_table.
      instanceof(unsigned_charP_tag_table, x, unsigned_charP_tag)))

predicate valid_root_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_root_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_root_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

predicate valid_struct_charP(p: charP pointer, a: int, b: int,
  charP_alloc_table: charP alloc_table) =
  ((offset_min(charP_alloc_table, p) <= a) and (offset_max(charP_alloc_table,
   p) >= b))

predicate valid_struct_unsigned_charP(p: unsigned_charP pointer, a: int,
  b: int, unsigned_charP_alloc_table: unsigned_charP alloc_table) =
  ((offset_min(unsigned_charP_alloc_table, p) <= a) and
   (offset_max(unsigned_charP_alloc_table, p) >= b))

predicate valid_struct_voidP(p: voidP pointer, a: int, b: int,
  voidP_alloc_table: voidP alloc_table) =
  ((offset_min(voidP_alloc_table, p) <= a) and (offset_max(voidP_alloc_table,
   p) >= b))

logic voidP_tag : voidP tag_id

axiom voidP_int: (int_of_tag(voidP_tag) = 1)

axiom voidP_of_pointer_address_of_pointer_addr:
  (forall p:voidP pointer.
    (p = voidP_of_pointer_address(pointer_address(p))))

axiom voidP_parenttag_bottom: parenttag(voidP_tag, bottom_tag)

axiom voidP_tags:
  (forall x:voidP pointer.
    (forall voidP_tag_table:voidP tag_table. instanceof(voidP_tag_table, x,
      voidP_tag)))

goal my_exp_ensures_default_po_1:
  forall x_0:double.
  ("JC_3": (abs_real(double_value(x_0)) <= 1.0)) ->
  ("JC_18":
  (abs_real((((0.9890365552 + (1.130258690 * double_value(x_0))) + ((0.5540440796 * double_value(x_0)) * double_value(x_0))) - exp(double_value(x_0)))) <= 0x0.FFFFp-4))

goal my_exp_ensures_default_po_2:
  forall x_0:double.
  ("JC_3": (abs_real(double_value(x_0)) <= 1.0)) ->
  ("JC_18":
  (abs_real((((0.9890365552 + (1.130258690 * double_value(x_0))) + ((0.5540440796 * double_value(x_0)) * double_value(x_0))) - exp(double_value(x_0)))) <= 0x0.FFFFp-4)) ->
  forall result:double.
  double_of_real_post(nearest_even, 0.9890365552, result) ->
  forall result0:double.
  double_of_real_post(nearest_even, 1.130258690, result0) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, x_0, result1) ->
  forall result2:double.
  add_double_post(nearest_even, result, result1, result2) ->
  forall result3:double.
  double_of_real_post(nearest_even, 0.5540440796, result3) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_0, result4) ->
  forall result5:double.
  mul_double_post(nearest_even, result4, x_0, result5) ->
  forall result6:double.
  add_double_post(nearest_even, result2, result5, result6) ->
  forall __retres:double.
  (__retres = result6) ->
  forall return:double.
  (return = __retres) ->
  ("JC_5":
  (abs_real((double_value(return) - exp(double_value(x_0)))) <= 0x1.p-4))

goal my_exp_safety_po_1:
  forall x_0:double.
  ("JC_3": (abs_real(double_value(x_0)) <= 1.0)) ->
  ("JC_9":
  (abs_real((((0.9890365552 + (1.130258690 * double_value(x_0))) + ((0.5540440796 * double_value(x_0)) * double_value(x_0))) - exp(double_value(x_0)))) <= 0x0.FFFFp-4)) ->
  no_overflow_double(nearest_even, 0.9890365552)

goal my_exp_safety_po_2:
  forall x_0:double.
  ("JC_3": (abs_real(double_value(x_0)) <= 1.0)) ->
  ("JC_9":
  (abs_real((((0.9890365552 + (1.130258690 * double_value(x_0))) + ((0.5540440796 * double_value(x_0)) * double_value(x_0))) - exp(double_value(x_0)))) <= 0x0.FFFFp-4)) ->
  no_overflow_double(nearest_even, 0.9890365552) ->
  forall result:double.
  double_of_real_post(nearest_even, 0.9890365552, result) ->
  no_overflow_double(nearest_even, 1.130258690)

goal my_exp_safety_po_3:
  forall x_0:double.
  ("JC_3": (abs_real(double_value(x_0)) <= 1.0)) ->
  ("JC_9":
  (abs_real((((0.9890365552 + (1.130258690 * double_value(x_0))) + ((0.5540440796 * double_value(x_0)) * double_value(x_0))) - exp(double_value(x_0)))) <= 0x0.FFFFp-4)) ->
  no_overflow_double(nearest_even, 0.9890365552) ->
  forall result:double.
  double_of_real_post(nearest_even, 0.9890365552, result) ->
  no_overflow_double(nearest_even, 1.130258690) ->
  forall result0:double.
  double_of_real_post(nearest_even, 1.130258690, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(x_0)))

goal my_exp_safety_po_4:
  forall x_0:double.
  ("JC_3": (abs_real(double_value(x_0)) <= 1.0)) ->
  ("JC_9":
  (abs_real((((0.9890365552 + (1.130258690 * double_value(x_0))) + ((0.5540440796 * double_value(x_0)) * double_value(x_0))) - exp(double_value(x_0)))) <= 0x0.FFFFp-4)) ->
  no_overflow_double(nearest_even, 0.9890365552) ->
  forall result:double.
  double_of_real_post(nearest_even, 0.9890365552, result) ->
  no_overflow_double(nearest_even, 1.130258690) ->
  forall result0:double.
  double_of_real_post(nearest_even, 1.130258690, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(x_0))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, x_0, result1) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result1)))

goal my_exp_safety_po_5:
  forall x_0:double.
  ("JC_3": (abs_real(double_value(x_0)) <= 1.0)) ->
  ("JC_9":
  (abs_real((((0.9890365552 + (1.130258690 * double_value(x_0))) + ((0.5540440796 * double_value(x_0)) * double_value(x_0))) - exp(double_value(x_0)))) <= 0x0.FFFFp-4)) ->
  no_overflow_double(nearest_even, 0.9890365552) ->
  forall result:double.
  double_of_real_post(nearest_even, 0.9890365552, result) ->
  no_overflow_double(nearest_even, 1.130258690) ->
  forall result0:double.
  double_of_real_post(nearest_even, 1.130258690, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(x_0))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, x_0, result1) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, result, result1, result2) ->
  no_overflow_double(nearest_even, 0.5540440796)

goal my_exp_safety_po_6:
  forall x_0:double.
  ("JC_3": (abs_real(double_value(x_0)) <= 1.0)) ->
  ("JC_9":
  (abs_real((((0.9890365552 + (1.130258690 * double_value(x_0))) + ((0.5540440796 * double_value(x_0)) * double_value(x_0))) - exp(double_value(x_0)))) <= 0x0.FFFFp-4)) ->
  no_overflow_double(nearest_even, 0.9890365552) ->
  forall result:double.
  double_of_real_post(nearest_even, 0.9890365552, result) ->
  no_overflow_double(nearest_even, 1.130258690) ->
  forall result0:double.
  double_of_real_post(nearest_even, 1.130258690, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(x_0))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, x_0, result1) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, result, result1, result2) ->
  no_overflow_double(nearest_even, 0.5540440796) ->
  forall result3:double.
  double_of_real_post(nearest_even, 0.5540440796, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_0)))

goal my_exp_safety_po_7:
  forall x_0:double.
  ("JC_3": (abs_real(double_value(x_0)) <= 1.0)) ->
  ("JC_9":
  (abs_real((((0.9890365552 + (1.130258690 * double_value(x_0))) + ((0.5540440796 * double_value(x_0)) * double_value(x_0))) - exp(double_value(x_0)))) <= 0x0.FFFFp-4)) ->
  no_overflow_double(nearest_even, 0.9890365552) ->
  forall result:double.
  double_of_real_post(nearest_even, 0.9890365552, result) ->
  no_overflow_double(nearest_even, 1.130258690) ->
  forall result0:double.
  double_of_real_post(nearest_even, 1.130258690, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(x_0))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, x_0, result1) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, result, result1, result2) ->
  no_overflow_double(nearest_even, 0.5540440796) ->
  forall result3:double.
  double_of_real_post(nearest_even, 0.5540440796, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_0))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_0, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result4) * double_value(x_0)))

goal my_exp_safety_po_8:
  forall x_0:double.
  ("JC_3": (abs_real(double_value(x_0)) <= 1.0)) ->
  ("JC_9":
  (abs_real((((0.9890365552 + (1.130258690 * double_value(x_0))) + ((0.5540440796 * double_value(x_0)) * double_value(x_0))) - exp(double_value(x_0)))) <= 0x0.FFFFp-4)) ->
  no_overflow_double(nearest_even, 0.9890365552) ->
  forall result:double.
  double_of_real_post(nearest_even, 0.9890365552, result) ->
  no_overflow_double(nearest_even, 1.130258690) ->
  forall result0:double.
  double_of_real_post(nearest_even, 1.130258690, result0) ->
  no_overflow_double(nearest_even,
  (double_value(result0) * double_value(x_0))) ->
  forall result1:double.
  mul_double_post(nearest_even, result0, x_0, result1) ->
  no_overflow_double(nearest_even,
  (double_value(result) + double_value(result1))) ->
  forall result2:double.
  add_double_post(nearest_even, result, result1, result2) ->
  no_overflow_double(nearest_even, 0.5540440796) ->
  forall result3:double.
  double_of_real_post(nearest_even, 0.5540440796, result3) ->
  no_overflow_double(nearest_even,
  (double_value(result3) * double_value(x_0))) ->
  forall result4:double.
  mul_double_post(nearest_even, result3, x_0, result4) ->
  no_overflow_double(nearest_even,
  (double_value(result4) * double_value(x_0))) ->
  forall result5:double.
  mul_double_post(nearest_even, result4, x_0, result5) ->
  no_overflow_double(nearest_even,
  (double_value(result2) + double_value(result5)))

why-2.34/tests/c/isqrt2.c0000644000175000017500000000603612311670312013576 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* run.config
   OPT: -journal-disable -cvcg
*/

/*@ requires 0 <= x <= 32768 * 32768 - 1;
  @ assigns \nothing;
  @ ensures \result >= 0 &&
  @         \result * \result <= x &&
  @         x < (\result + 1) * (\result + 1);
  @*/
int isqrt(int x) {
  int count = 0, sum = 1;
  /*@ loop invariant 0 <= count <= 32767 &&
    @                x >= count * count &&
    @                sum == (count+1)*(count+1);
    @ loop assigns count, sum;
    @ loop variant  x - count;
    @*/
  while (sum <= x) sum += 2 * ++count + 1;
  return count;
}

//@ ensures \result == 4;
int test () {
  int r;
  r = 0 + isqrt(17);
  //@ assert r < 4 ==> \false;
  //@ assert r > 4 ==> \false;
  return r;
}

int main () {
  return 0;
}


/*
Local Variables:
compile-command: "make isqrt2.why3ide"
End:
*/


why-2.34/tests/c/double_rounding_multirounding_model.c0000644000175000017500000000537312311670312021674 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* 

Warning: the proof can be achieve with Gappa 0.14.1 but not
with versions 0.15 ou 0.16. Hopefully it will work with 0.16.1 and higher

*/

#pragma JessieFloatModel(multirounding)

double doublerounding() {
  double x = 1.0;
  double y = 0x1p-53 + 0x1p-64;
  double z = x + y;
  //@ assert 1.0 - 0x1p-63 <= z <= 1.0 + 0x1p-52 + 0x1p-62;
  // assert 1.0 <= z <= 1.0 + 0x1p-52;
  return z;
}

/*
Local Variables:
compile-command: "LC_ALL=C make double_rounding_multirounding_model.why3ide"
End:
*/
why-2.34/tests/c/eps_line2.c0000644000175000017500000000635212311670312014233 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#pragma JessieFloatModel(multirounding)

#define E 0x1.90641p-45

//@ logic integer l_sign(real x) = (x >= 0.0) ? 1 : -1;

/*@ requires e1<= x-\exact(x) <= e2;
  @ ensures  (\result != 0 ==> \result == l_sign(\exact(x))) &&
  @          \abs(\result) <= 1 ;
  @*/
int sign(double x, double e1, double e2) {

  if (x > e2)
    return 1;
  if (x < e1)
    return -1;
  return 0;
}

/*@ requires
  @   sx == \exact(sx)  && sy == \exact(sy) &&
  @   vx == \exact(vx)  && vy == \exact(vy) &&
  @   \abs(sx) <= 100.0 && \abs(sy) <= 100.0 &&
  @   \abs(vx) <= 1.0   && \abs(vy) <= 1.0;
  @ ensures
  @    \result != 0
  @      ==> \result == l_sign(\exact(sx)*\exact(vx)+\exact(sy)*\exact(vy))
  @            * l_sign(\exact(sx)*\exact(vy)-\exact(sy)*\exact(vx));
  @*/
int eps_line(double sx, double sy,double vx, double vy){
  int s1,s2;

  s1=sign(sx*vx+sy*vy, -E, E);
  s2=sign(sx*vy-sy*vx, -E, E);

  return s1*s2;
}

/*
Local Variables:
compile-command: "LC_ALL=C make eps_line2.why3ide"
End:
*/
why-2.34/tests/c/tree_max.c0000644000175000017500000001073212311670312014154 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#pragma JessieTerminationPolicy(user)

#define NULL (void*)0

//@ ensures \result == \max(x,y);
int max(int x, int y);

typedef struct Tree *tree;
struct Tree {
  int value;
  tree left;
  tree right;
};

/* not accepted by Why3 (termination not proved) 
  @ predicate mem(int x, tree t) =
  @  (t==\null) ? \false : (x==t->value) || mem(x,t->left) || mem(x,t->right);
  @*/

/*@ axiomatic Mem {
  @   predicate mem{L}(int x, tree t);
  @   axiom mem_null{L}: \forall int x; ! mem(x,\null);
  @   axiom mem_root{L}: \forall tree t; t != \null ==>
  @     mem(t->value,t);
  @   axiom mem_root_eq{L}: \forall int x, tree t; t != \null ==>
  @     x==t->value ==> mem(x,t);
  @   axiom mem_left{L}: \forall int x, tree t; t != \null ==>
  @     mem(x,t->left) ==> mem(x,t);
  @   axiom mem_right{L}: \forall int x, tree t; t != \null ==>
  @     mem(x,t->right) ==> mem(x,t);
  @   axiom mem_inversion{L}: \forall int x, tree t;
  @     mem(x,t) ==> t != \null &&
  @       (x==t->value || mem(x,t->left) || mem(x,t->right));
  @ }
  @*/

/*@ axiomatic WellFormedTree {
  @   predicate has_size{L}(tree t, integer s);
  @   axiom has_size_null{L}: has_size(\null,0);
  @   axiom has_size_non_null{L}: \forall tree t; \valid(t) ==>
  @     \forall integer s1,s2;
  @     has_size(t->left,s1) && has_size(t->right,s2) ==>
  @     has_size(t,s1+s2+1) ;
  @   axiom has_size_inversion{L}: \forall tree t, integer s;
  @     has_size(t,s) ==>
  @       (t == \null && s == 0) ||
  @       (\valid(t) && \exists integer s1,s2;
  @            has_size(t->left,s1) && has_size(t->right,s2) &&
  @            0 <= s1 && 0 <= s2 && s == s1+s2+1) ;
  @  predicate size_decreases{L}(tree t1, tree t2) =
  @    \exists integer s1,s2; has_size(t1,s1) && has_size(t2,s2) && s1 > s2;
  @   predicate valid_tree{L}(tree t) =
  @     \exists integer s; has_size(t,s);
  @ }
  @*/

/*@ requires t != \null && valid_tree(t);
  @ // decreases t for size_decreases;
  @ ensures mem(\result,t) && \forall int x; mem(x,t) ==> \result >= x;
  @*/
int tree_max(tree t) {
  int m = t->value;
  if (t->left != NULL) m = max(m,tree_max(t->left));
  if (t->right != NULL) m = max(m,tree_max(t->right));
  return m;
  }



/*
Local Variables:
compile-command: "make tree_max.why3ide"
End:
*/
why-2.34/tests/c/sparse_array.c0000644000175000017500000000662112311670312015045 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned int uint;

#define MAXLEN 1000

typedef struct SparseArray {
  int val[MAXLEN];
  uint idx[MAXLEN], back[MAXLEN];
  uint n;
  uint sz;
} *sparse_array;

/*@ requires sz <= MAXLEN;
  @ ensures \fresh(\result,sizeof(struct SparseArray));
  @*/
sparse_array create(uint sz) {
  sparse_array a = (sparse_array)malloc(sizeof(struct SparseArray));
  a->n = 0;
  a->sz = sz;
  return a;
}

/*@ requires \valid(a);
  @*/
int get(sparse_array a, uint i) {
  if (a->idx[i] < a->n && a-> back[a->idx[i]] == i) return a->val[i];
  else return 0;
}

/*@ requires \valid(a);
  @*/
void set(sparse_array a, uint i, int v) {
  a->val[i] = v;
  if (!(a->idx[i] < a->n && a-> back[a->idx[i]] == i)) {
    //@ assert a->n < MAXLEN;
    a->idx[i] = a->n; a->back[a->n] = i; a->n++;
  }
}



int main() {
  sparse_array a = create(10), b = create(20);
  int x,y;
  x = get(a,5); y = get(b,7);
  //@ assert x == 0 && y == 0;
  set(a,5,1); set(b,7,2);
  x = get(a,5); y = get(b,7);
  //@ assert x == 1 && y == 2;
  x = get(a,0); y = get(b,0);
  //@ assert x == 0 && y == 0;
  return 0;
}





/*
Local Variables:
compile-command: "make sparse_array.why3ide"
End:
*/


why-2.34/tests/c/power.c0000644000175000017500000000641112311670312013503 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


// int model: unbounded mathematical integers
#pragma JessieIntegerModel(math)


/*@ axiomatic Power {
  @   logic integer power(integer x, integer n);
  @ }
  @*/
#pragma JessieBuiltin(power, "\\int_pow")

/*@ lemma power_even:
  @   \forall integer x,n; n >= 0 && n % 2 == 0 ==>
  @     power(x,n) == power(x*x,n/2);
  @*/

/*@ lemma power_odd:
  @   \forall integer x,n; n >= 0 && n % 2 != 0 ==>
  @     power(x,n) == x*power(x*x,n/2);
  @*/


// recursive implementation

/*@ requires 0 <= n;
  @ decreases n;
  @ ensures \result == power(x,n);
  @*/
long rec(long x, int n) {
  if (n == 0) return 1;
  long r = rec(x, n/2);
  if ( n % 2 == 0 ) return r*r;
  return r*r*x;
}


// non-recursive implementation

/*@ requires 0 <= n;
  @ ensures \result == power(x,n);
  @*/
long imp(long x, int n) {
  long r = 1, p = x;
  int e = n;

  /*@ loop invariant
    @   0 <= e && r * power(p,e) == power(x,n);
    @ loop variant e;
    @*/
  while (e > 0) {
    if (e % 2 != 0) r *= p;
    p *= p;
    e /= 2;
  }
  return r;
}

why-2.34/tests/c/Sterbenz.jessie/0000755000175000017500000000000012311670312015256 5ustar  rtuserswhy-2.34/tests/c/Sterbenz.jessie/coq/0000755000175000017500000000000012311670312016040 5ustar  rtuserswhy-2.34/tests/c/Sterbenz.jessie/coq/floats_strict_why.v0000644000175000017500000002545112311670312022005 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export jessie_why.

(*Why type*) Inductive mode : Set :=
  | nearest_even : mode
  | to_zero : mode
  | up : mode
  | down : mode
  | nearest_away : mode.

(*Why type*) Definition double: Set.
Admitted.

(*Why logic*) Definition round_double : mode -> R -> R.
Admitted.

(*Why logic*) Definition round_double_logic : mode -> R -> double.
Admitted.

(*Why logic*) Definition double_value : double -> R.
Admitted.

(*Why logic*) Definition double_exact : double -> R.
Admitted.

(*Why logic*) Definition double_model : double -> R.
Admitted.

(*Why function*) Definition double_round_error  (x:double)
  := (Rabs (Rminus (double_value x) (double_exact x))).

(*Why function*) Definition double_total_error  (x:double)
  := (Rabs (Rminus (double_value x) (double_model x))).

(*Why function*) Definition max_double  
  := (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%R.

(*Why predicate*) Definition no_overflow_double  (m:mode) (x:R)
  := (Rle (Rabs (round_double m x)) max_double).

(*Why axiom*) Lemma bounded_real_no_overflow_double :
  (forall (m:mode),
   (forall (x:R), ((Rle (Rabs x) max_double) -> (no_overflow_double m x)))).
Admitted.
Dp_hint bounded_real_no_overflow_double.

(*Why axiom*) Lemma round_double_monotonic :
  (forall (x:R),
   (forall (y:R),
    (forall (m:mode),
     ((Rle x y) -> (Rle (round_double m x) (round_double m y)))))).
Admitted.
Dp_hint round_double_monotonic.

(*Why axiom*) Lemma exact_round_double_for_integers :
  (forall (i:Z),
   (forall (m:mode),
    ((-9007199254740992) <= i /\ i <= 9007199254740992 ->
     (eq (round_double m (IZR i)) (IZR i))))).
Admitted.
Dp_hint exact_round_double_for_integers.

(*Why axiom*) Lemma exact_round_double_for_doubles :
  (forall (x:double),
   (forall (m:mode), (eq (round_double m (double_value x)) (double_value x)))).
Admitted.
Dp_hint exact_round_double_for_doubles.

(*Why axiom*) Lemma round_double_idempotent :
  (forall (m1:mode),
   (forall (m2:mode),
    (forall (x:R),
     (eq (round_double m1 (round_double m2 x)) (round_double m2 x))))).
Admitted.
Dp_hint round_double_idempotent.

(*Why axiom*) Lemma round_down_double_neg :
  (forall (x:R), (eq (round_double down (Ropp x)) (Ropp (round_double up x)))).
Admitted.
Dp_hint round_down_double_neg.

(*Why axiom*) Lemma round_up_double_neg :
  (forall (x:R), (eq (round_double up (Ropp x)) (Ropp (round_double down x)))).
Admitted.
Dp_hint round_up_double_neg.

(*Why axiom*) Lemma round_double_down_le :
  (forall (x:R), (Rle (round_double down x) x)).
Admitted.
Dp_hint round_double_down_le.

(*Why axiom*) Lemma round_up_double_ge :
  (forall (x:R), (Rge (round_double up x) x)).
Admitted.
Dp_hint round_up_double_ge.

(*Why type*) Definition single: Set.
Admitted.

(*Why logic*) Definition round_single : mode -> R -> R.
Admitted.

(*Why logic*) Definition round_single_logic : mode -> R -> single.
Admitted.

(*Why logic*) Definition single_value : single -> R.
Admitted.

(*Why logic*) Definition single_exact : single -> R.
Admitted.

(*Why logic*) Definition single_model : single -> R.
Admitted.

(*Why function*) Definition single_round_error  (x:single)
  := (Rabs (Rminus (single_value x) (single_exact x))).

(*Why function*) Definition single_total_error  (x:single)
  := (Rabs (Rminus (single_value x) (single_model x))).

(*Why function*) Definition max_single  
  := (33554430 * 10141204801825835211973625643008)%R.

(*Why predicate*) Definition no_overflow_single  (m:mode) (x:R)
  := (Rle (Rabs (round_single m x)) max_single).

(*Why axiom*) Lemma bounded_real_no_overflow_single :
  (forall (m:mode),
   (forall (x:R), ((Rle (Rabs x) max_single) -> (no_overflow_single m x)))).
Admitted.
Dp_hint bounded_real_no_overflow_single.

(*Why axiom*) Lemma round_single_monotonic :
  (forall (x:R),
   (forall (y:R),
    (forall (m:mode),
     ((Rle x y) -> (Rle (round_single m x) (round_single m y)))))).
Admitted.
Dp_hint round_single_monotonic.

(*Why axiom*) Lemma exact_round_single_for_integers :
  (forall (i:Z),
   (forall (m:mode),
    ((-16777216) <= i /\ i <= 16777216 ->
     (eq (round_single m (IZR i)) (IZR i))))).
Admitted.
Dp_hint exact_round_single_for_integers.

(*Why axiom*) Lemma exact_round_single_for_singles :
  (forall (x:single),
   (forall (m:mode), (eq (round_single m (single_value x)) (single_value x)))).
Admitted.
Dp_hint exact_round_single_for_singles.

(*Why axiom*) Lemma round_single_idempotent :
  (forall (m1:mode),
   (forall (m2:mode),
    (forall (x:R),
     (eq (round_single m1 (round_single m2 x)) (round_single m2 x))))).
Admitted.
Dp_hint round_single_idempotent.

(*Why axiom*) Lemma round_down_single_neg :
  (forall (x:R), (eq (round_single down (Ropp x)) (Ropp (round_single up x)))).
Admitted.
Dp_hint round_down_single_neg.

(*Why axiom*) Lemma round_up_single_neg :
  (forall (x:R), (eq (round_single up (Ropp x)) (Ropp (round_single down x)))).
Admitted.
Dp_hint round_up_single_neg.

(*Why axiom*) Lemma round_single_down_le :
  (forall (x:R), (Rle (round_single down x) x)).
Admitted.
Dp_hint round_single_down_le.

(*Why axiom*) Lemma round_up_single_ge :
  (forall (x:R), (Rge (round_single up x) x)).
Admitted.
Dp_hint round_up_single_ge.

(*Why axiom*) Lemma single_value_is_bounded :
  (forall (x:single), (Rle (Rabs (single_value x)) max_single)).
Admitted.
Dp_hint single_value_is_bounded.

(*Why axiom*) Lemma double_value_is_bounded :
  (forall (x:double), (Rle (Rabs (double_value x)) max_double)).
Admitted.
Dp_hint double_value_is_bounded.

(*Why predicate*) Definition single_of_real_post  (m:mode) (x:R) (res:single)
  := (eq (single_value res) (round_single m x)) /\
     (eq (single_exact res) x) /\ (eq (single_model res) x).

(*Why predicate*) Definition single_of_double_post  (m:mode) (x:double) (res:single)
  := (eq (single_value res) (round_single m (double_value x))) /\
     (eq (single_exact res) (double_exact x)) /\
     (eq (single_model res) (double_model x)).

(*Why predicate*) Definition add_single_post  (m:mode) (x:single) (y:single) (res:single)
  := (eq (single_value res) (round_single
                             m (Rplus (single_value x) (single_value y)))) /\
     (eq (single_exact res) (Rplus (single_exact x) (single_exact y))) /\
     (eq (single_model res) (Rplus (single_model x) (single_model y))).

(*Why predicate*) Definition sub_single_post  (m:mode) (x:single) (y:single) (res:single)
  := (eq (single_value res) (round_single
                             m (Rminus (single_value x) (single_value y)))) /\
     (eq (single_exact res) (Rminus (single_exact x) (single_exact y))) /\
     (eq (single_model res) (Rminus (single_model x) (single_model y))).

(*Why predicate*) Definition mul_single_post  (m:mode) (x:single) (y:single) (res:single)
  := (eq (single_value res) (round_single
                             m (Rmult (single_value x) (single_value y)))) /\
     (eq (single_exact res) (Rmult (single_exact x) (single_exact y))) /\
     (eq (single_model res) (Rmult (single_model x) (single_model y))).

(*Why predicate*) Definition div_single_post  (m:mode) (x:single) (y:single) (res:single)
  := (eq (single_value res) (round_single
                             m (Rdiv (single_value x) (single_value y)))) /\
     (eq (single_exact res) (Rdiv (single_exact x) (single_exact y))) /\
     (eq (single_model res) (Rdiv (single_model x) (single_model y))).

(*Why predicate*) Definition sqrt_single_post  (m:mode) (x:single) (res:single)
  := (eq (single_value res) (round_single m (sqrt (single_value x)))) /\
     (eq (single_exact res) (sqrt (single_exact x))) /\
     (eq (single_model res) (sqrt (single_model x))).

(*Why predicate*) Definition neg_single_post  (x:single) (res:single)
  := (eq (single_value res) (Ropp (single_value x))) /\
     (eq (single_exact res) (Ropp (single_exact x))) /\
     (eq (single_model res) (Ropp (single_model x))).

(*Why predicate*) Definition abs_single_post  (x:single) (res:single)
  := (eq (single_value res) (Rabs (single_value x))) /\
     (eq (single_exact res) (Rabs (single_exact x))) /\
     (eq (single_model res) (Rabs (single_model x))).

(*Why predicate*) Definition double_of_real_post  (m:mode) (x:R) (res:double)
  := (eq (double_value res) (round_double m x)) /\
     (eq (double_exact res) x) /\ (eq (double_model res) x).

(*Why predicate*) Definition double_of_single_post  (x:single) (res:double)
  := (eq (double_value res) (single_value x)) /\
     (eq (double_exact res) (single_exact x)) /\
     (eq (double_model res) (single_model x)).

(*Why predicate*) Definition add_double_post  (m:mode) (x:double) (y:double) (res:double)
  := (eq (double_value res) (round_double
                             m (Rplus (double_value x) (double_value y)))) /\
     (eq (double_exact res) (Rplus (double_exact x) (double_exact y))) /\
     (eq (double_model res) (Rplus (double_model x) (double_model y))).

(*Why predicate*) Definition sub_double_post  (m:mode) (x:double) (y:double) (res:double)
  := (eq (double_value res) (round_double
                             m (Rminus (double_value x) (double_value y)))) /\
     (eq (double_exact res) (Rminus (double_exact x) (double_exact y))) /\
     (eq (double_model res) (Rminus (double_model x) (double_model y))).

(*Why predicate*) Definition mul_double_post  (m:mode) (x:double) (y:double) (res:double)
  := (eq (double_value res) (round_double
                             m (Rmult (double_value x) (double_value y)))) /\
     (eq (double_exact res) (Rmult (double_exact x) (double_exact y))) /\
     (eq (double_model res) (Rmult (double_model x) (double_model y))).

(*Why predicate*) Definition div_double_post  (m:mode) (x:double) (y:double) (res:double)
  := (eq (double_value res) (round_double
                             m (Rdiv (double_value x) (double_value y)))) /\
     (eq (double_exact res) (Rdiv (double_exact x) (double_exact y))) /\
     (eq (double_model res) (Rdiv (double_model x) (double_model y))).

(*Why predicate*) Definition sqrt_double_post  (m:mode) (x:double) (res:double)
  := (eq (double_value res) (round_double m (sqrt (double_value x)))) /\
     (eq (double_exact res) (sqrt (double_exact x))) /\
     (eq (double_model res) (sqrt (double_model x))).

(*Why predicate*) Definition neg_double_post  (x:double) (res:double)
  := (eq (double_value res) (Ropp (double_value x))) /\
     (eq (double_exact res) (Ropp (double_exact x))) /\
     (eq (double_model res) (Ropp (double_model x))).

(*Why predicate*) Definition abs_double_post  (x:double) (res:double)
  := (eq (double_value res) (Rabs (double_value x))) /\
     (eq (double_exact res) (Rabs (double_exact x))) /\
     (eq (double_model res) (Rabs (double_model x))).

why-2.34/tests/c/Sterbenz.jessie/coq/Sterbenz_why.v0000644000175000017500000003161212311670312020715 0ustar  rtusers(* This file was originally generated by why.
   It can be modified; only the generated parts will be overwritten. *)
Require Export jessie_why.
Require Export WhyFloatsStrictLegacy.

(*Why type*) Definition charP: Set.
Admitted.

(*Why type*) Definition int8: Set.
Admitted.

(*Why type*) Definition padding: Set.
Admitted.

(*Why type*) Definition uint8: Set.
Admitted.

(*Why type*) Definition unsigned_charP: Set.
Admitted.

(*Why type*) Definition voidP: Set.
Admitted.

(*Why logic*) Definition charP_tag : (tag_id charP).
Admitted.

(*Why axiom*) Lemma charP_int : (int_of_tag charP_tag) = 1.
Admitted.
Dp_hint charP_int.

(*Why logic*) Definition charP_of_pointer_address :
  (pointer unit) -> (pointer charP).
Admitted.

(*Why axiom*) Lemma charP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer charP)),
   p = (charP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint charP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma charP_parenttag_bottom :
  (parenttag charP_tag (@bottom_tag charP)).
Admitted.
Dp_hint charP_parenttag_bottom.

(*Why axiom*) Lemma charP_tags :
  (forall (x:(pointer charP)),
   (forall (charP_tag_table:(tag_table charP)),
    (instanceof charP_tag_table x charP_tag))).
Admitted.
Dp_hint charP_tags.

(*Why logic*) Definition integer_of_int8 : int8 -> Z.
Admitted.

(*Why predicate*) Definition eq_int8  (x:int8) (y:int8)
  := (integer_of_int8 x) = (integer_of_int8 y).

(*Why logic*) Definition integer_of_uint8 : uint8 -> Z.
Admitted.

(*Why predicate*) Definition eq_uint8  (x:uint8) (y:uint8)
  := (integer_of_uint8 x) = (integer_of_uint8 y).

(*Why logic*) Definition int8_of_integer : Z -> int8.
Admitted.

(*Why axiom*) Lemma int8_coerce :
  (forall (x:Z),
   ((-128) <= x /\ x <= 127 -> (integer_of_int8 (int8_of_integer x)) = x)).
Admitted.

(*Why axiom*) Lemma int8_extensionality :
  (forall (x:int8),
   (forall (y:int8), ((integer_of_int8 x) = (integer_of_int8 y) -> x = y))).
Admitted.
Dp_hint int8_extensionality.

(*Why axiom*) Lemma int8_range :
  (forall (x:int8), (-128) <= (integer_of_int8 x) /\ (integer_of_int8 x) <=
   127).
Admitted.



(*Why predicate*) Definition left_valid_struct_charP  (p:(pointer charP)) (a:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a.

(*Why predicate*) Definition left_valid_struct_voidP  (p:(pointer voidP)) (a:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a.

(*Why axiom*) Lemma pointer_addr_of_charP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (charP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_charP_of_pointer_address.

(*Why logic*) Definition unsigned_charP_of_pointer_address :
  (pointer unit) -> (pointer unsigned_charP).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_unsigned_charP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (unsigned_charP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_unsigned_charP_of_pointer_address.

(*Why logic*) Definition voidP_of_pointer_address :
  (pointer unit) -> (pointer voidP).
Admitted.

(*Why axiom*) Lemma pointer_addr_of_voidP_of_pointer_address :
  (forall (p:(pointer unit)),
   p = (pointer_address (voidP_of_pointer_address p))).
Admitted.
Dp_hint pointer_addr_of_voidP_of_pointer_address.

(*Why predicate*) Definition right_valid_struct_charP  (p:(pointer charP)) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition right_valid_struct_voidP  (p:(pointer voidP)) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_max voidP_alloc_table p) >= b.

(*Why predicate*) Definition strict_valid_root_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) = a /\
     (offset_max charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) = a /\
     (offset_max unsigned_charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_root_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) = a /\
     (offset_max voidP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) = a /\
     (offset_max charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) = a /\
     (offset_max unsigned_charP_alloc_table p) = b.

(*Why predicate*) Definition strict_valid_struct_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) = a /\
     (offset_max voidP_alloc_table p) = b.

(*Why logic*) Definition uint8_of_integer : Z -> uint8.
Admitted.

(*Why axiom*) Lemma uint8_coerce :
  (forall (x:Z),
   (0 <= x /\ x <= 255 -> (integer_of_uint8 (uint8_of_integer x)) = x)).
Admitted.
Dp_hint uint8_coerce.

(*Why axiom*) Lemma uint8_extensionality :
  (forall (x:uint8),
   (forall (y:uint8), ((integer_of_uint8 x) = (integer_of_uint8 y) -> x = y))).
Admitted.
Dp_hint uint8_extensionality.

(*Why axiom*) Lemma uint8_range :
  (forall (x:uint8), 0 <= (integer_of_uint8 x) /\ (integer_of_uint8 x) <= 255).
Admitted.
Dp_hint uint8_range.

(*Why logic*) Definition unsigned_charP_tag : (tag_id unsigned_charP).
Admitted.

(*Why axiom*) Lemma unsigned_charP_int : (int_of_tag unsigned_charP_tag) = 1.
Admitted.
Dp_hint unsigned_charP_int.

(*Why axiom*) Lemma unsigned_charP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer unsigned_charP)),
   p = (unsigned_charP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint unsigned_charP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma unsigned_charP_parenttag_bottom :
  (parenttag unsigned_charP_tag (@bottom_tag unsigned_charP)).
Admitted.
Dp_hint unsigned_charP_parenttag_bottom.

(*Why axiom*) Lemma unsigned_charP_tags :
  (forall (x:(pointer unsigned_charP)),
   (forall (unsigned_charP_tag_table:(tag_table unsigned_charP)),
    (instanceof unsigned_charP_tag_table x unsigned_charP_tag))).
Admitted.
Dp_hint unsigned_charP_tags.

(*Why predicate*) Definition valid_root_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a /\
     (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a /\
     (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_root_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a /\
     (offset_max voidP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_charP  (p:(pointer charP)) (a:Z) (b:Z) (charP_alloc_table:(alloc_table charP))
  := (offset_min charP_alloc_table p) <= a /\
     (offset_max charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_unsigned_charP  (p:(pointer unsigned_charP)) (a:Z) (b:Z) (unsigned_charP_alloc_table:(alloc_table unsigned_charP))
  := (offset_min unsigned_charP_alloc_table p) <= a /\
     (offset_max unsigned_charP_alloc_table p) >= b.

(*Why predicate*) Definition valid_struct_voidP  (p:(pointer voidP)) (a:Z) (b:Z) (voidP_alloc_table:(alloc_table voidP))
  := (offset_min voidP_alloc_table p) <= a /\
     (offset_max voidP_alloc_table p) >= b.

(*Why logic*) Definition voidP_tag : (tag_id voidP).
Admitted.

(*Why axiom*) Lemma voidP_int : (int_of_tag voidP_tag) = 1.
Admitted.
Dp_hint voidP_int.

(*Why axiom*) Lemma voidP_of_pointer_address_of_pointer_addr :
  (forall (p:(pointer voidP)),
   p = (voidP_of_pointer_address (pointer_address p))).
Admitted.
Dp_hint voidP_of_pointer_address_of_pointer_addr.

(*Why axiom*) Lemma voidP_parenttag_bottom :
  (parenttag voidP_tag (@bottom_tag voidP)).
Admitted.
Dp_hint voidP_parenttag_bottom.

(*Why axiom*) Lemma voidP_tags :
  (forall (x:(pointer voidP)),
   (forall (voidP_tag_table:(tag_table voidP)),
    (instanceof voidP_tag_table x voidP_tag))).
Admitted.
Dp_hint voidP_tags.

(* Why obligation from file "Sterbenz.c", line 38, characters 13-21: *)
(*Why goal*) Lemma Sterbenz_ensures_default_po_1 : 
  forall (x_0: single),
  forall (y: single),
  forall (HW_1: (* JC_7 *)
                ((* JC_5 *)
                 (Rle (Rdiv (single_value y) (2)%R) (single_value x_0)) /\
                (* JC_6 *)
                (Rle (single_value x_0) (Rmult (2)%R (single_value y))))),
  (* JC_16 *) (Rle (0)%R (single_value y)).
Proof.
intros x y (h1,h2).
apply Rmult_le_reg_l with 3%R.
  apply Rlt_le_trans with 2%R; auto with real.
apply Rplus_le_reg_l with (single_value y).
apply Rmult_le_reg_l with (/2)%R; auto with real.
replace (/ 2 * (single_value y + 3 * 0))%R with (single_value y / 2)%R by (unfold Rdiv; ring).
apply Rle_trans with (single_value x); [apply h1|idtac].
apply Rle_trans with  (2 * single_value y)%R; [ apply h2 | right; field].
Qed.

(* Why obligation from file "Sterbenz.c", line 39, characters 13-21: *)
(*Why goal*) Lemma Sterbenz_ensures_default_po_2 : 
  forall (x_0: single),
  forall (y: single),
  forall (HW_1: (* JC_7 *)
                ((* JC_5 *)
                 (Rle (Rdiv (single_value y) (2)%R) (single_value x_0)) /\
                (* JC_6 *)
                (Rle (single_value x_0) (Rmult (2)%R (single_value y))))),
  forall (HW_4: (* JC_16 *) (Rle (0)%R (single_value y))),
  (* JC_17 *) (Rle (0)%R (single_value x_0)).
Proof.
intros x y (h1,h2) y_pos.
apply Rle_trans with (single_value y / 2)%R; [idtac|apply h1].
unfold Rdiv; apply Rmult_le_pos; auto with real.
Save.

(* Why obligation from file "Sterbenz.c", line 35, characters 12-28: *)
(*Why goal*) Lemma Sterbenz_ensures_default_po_3 : 
  forall (x_0: single),
  forall (y: single),
  forall (HW_1: (* JC_7 *)
                ((* JC_5 *)
                 (Rle (Rdiv (single_value y) (2)%R) (single_value x_0)) /\
                (* JC_6 *)
                (Rle (single_value x_0) (Rmult (2)%R (single_value y))))),
  forall (HW_4: (* JC_16 *) (Rle (0)%R (single_value y))),
  forall (HW_5: (* JC_17 *) (Rle (0)%R (single_value x_0))),
  forall (result: single),
  forall (HW_6: (sub_single_post nearest_even x_0 y result)),
  forall (__retres: single),
  forall (HW_7: __retres = result),
  forall (why__return: single),
  forall (HW_8: why__return = __retres),
  (* JC_9 *)
  (eq (single_value why__return) (Rminus (single_value x_0) (single_value y))).
Proof.
intros x y (H1,H2) _ _ r (H4,(H5a,H5b)) r' H6 r'' H7.
rewrite H7,H6,H4; unfold single_value in *.
unfold FtoRradix; rewrite <- Fminus_correct; auto with zarith.
elim (mode_single_RoundingMode nearest_even); intros P (H8,H9).
apply sym_eq; apply RoundedModeProjectorIdemEq with bsingle 24%nat P; try apply psGivesBound; auto with zarith.
apply Sterbenz; auto with zarith; try apply FcanonicBound with radix; try now destruct x; try now destruct y.
fold FtoRradix; apply Rle_trans with (2:=H1); unfold Rdiv; simpl; right; ring.
Save.

(* Why obligation from file "Sterbenz.c", line 40, characters 9-12: *)
(*Why goal*) Lemma Sterbenz_safety_po_1 : 
  forall (x_0: single),
  forall (y: single),
  forall (HW_1: (* JC_7 *)
                ((* JC_5 *)
                 (Rle (Rdiv (single_value y) (2)%R) (single_value x_0)) /\
                (* JC_6 *)
                (Rle (single_value x_0) (Rmult (2)%R (single_value y))))),
  forall (HW_4: (* JC_13 *) (Rle (0)%R (single_value y))),
  forall (HW_5: (* JC_14 *) (Rle (0)%R (single_value x_0))),
  (no_overflow_single
   nearest_even (Rminus (single_value x_0) (single_value y))).
Proof.
intros x y (h1,h2) y_pos x_pos.
apply bounded_real_no_overflow_single.
case (Rle_or_lt (single_value x) (single_value y)); intros.
rewrite Rabs_left1.
ring_simplify.
apply Rle_trans with (-0+single_value y)%R;auto with real.
ring_simplify; rewrite <- (Rabs_right (single_value y)).
apply single_le_strict.
auto with real.
apply Rplus_le_reg_l with (single_value y); now ring_simplify.
rewrite Rabs_right.
ring_simplify.
apply Rle_trans with (single_value x-0)%R.
apply Rplus_le_compat_l; auto with real.
ring_simplify; rewrite <- (Rabs_right (single_value x)).
apply single_le_strict.
auto with real.
apply Rle_ge; apply Rplus_le_reg_l with (single_value y); ring_simplify; auto with real.
Save.

why-2.34/tests/c/binary_heap.c0000644000175000017500000000463412311670312014635 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned int uint;

struct Heap;

typedef struct Heap *heap;

heap create(uint sz);

void insert(heap u, int e);

int extract_min(heap u);


why-2.34/tests/c/conjugate.c0000644000175000017500000001113012311670312014320 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/*

  This was inspired by this article:

    Franck Butelle, Florent Hivert, Micaela Mayero, and Frédéric
    Toumazet. Formal Proof of SCHUR Conjugate Function. In Proceedings
    of Calculemus 2010, pages 158-171. Springer-Verlag LNAI, 2010.

  and an improvement made in Why3 (http://why3.lri.fr) by
  Jean-Christophe Filliatre

  Original C code from SCHUR

  Note that arrays are one-based
  (that code was translated from Pascal code where arrays were one-based)

*/

#define MAX 100

/*@ predicate is_partition(int *a) =
    // elements ranges between 0 and MAX-1
    (\forall integer i; 1 <= i < MAX ==> 0 <= a[i] < MAX-1) &&
    // sorted in non-increasing order 
    (\forall integer i,j; 1 <= i <= j < MAX ==> a[i] >= a[j]) &&
    // at least one 0 sentinel
    a[MAX-1] == 0 ;

  predicate numofgt (int *a, integer n, integer v) =
    // values in a[1..n] are >= v, and a[n+1] < v
    0 <= n < MAX-1 &&
    (\forall integer j; 1 <= j <= n ==> v <= a[j]) &&
    v > a[n+1] ;

  predicate is_conjugate (int *a, int *b) =
    MAX > a[1] &&
    \forall integer j; 1 <= j < MAX ==> numofgt(a,b[j],j);

*/

/*@ requires \valid(A + (0 .. MAX-1));
  @ requires \valid(B + (0 .. MAX-1));
  @ // requires \forall integer i; 1 <= i < MAX ==> 1 <= A[i] < MAX-1;
  @ requires \forall integer k; 1 <= k < MAX ==> B[k] == 0;
  @ requires is_partition(A);
  @ assigns B[..];
  @ ensures is_conjugate(A,B);
  @*/
void conjgte (int A[MAX], int B[MAX]) {
  int i, partc = 1, edge = 0;
  /*@ loop invariant 1 <= partc < MAX;
    @ loop invariant \forall integer j;
    @   A[partc] < j <= A[1] ==> numofgt(A,B[j],j);
    @ loop invariant \forall integer j;
    @   A[1] < j < MAX ==> B[j] == 0;
    @ loop variant MAX - partc;
    @*/
  while (A[partc] != 0) 
    Start: {
    edge = A[partc];
    /*@ loop invariant \at(partc,Start) <= partc < MAX-1;
      @ loop invariant \forall integer j; 
      @    \at(partc,Start) <= j < partc ==> A[j] == edge;
      @ loop variant MAX - partc;
      @*/
    do
      partc = partc + 1;
    while (A[partc] == edge);
    /*@ loop invariant 1 <= i;
      @ loop invariant \forall integer j;
      @   edge < j < MAX ==> B[j] == \at(B[j],Start);
      @ loop invariant \forall integer j;
      @   A[partc] < j < i ==> B[j] == partc-1;
      @ loop variant edge-i;
      @*/
    for (i = A[partc] + 1; i <= edge; i++)
      B[i] = partc - 1;
  }
}

why-2.34/tests/c/scalar_product.c0000644000175000017500000001114412311670312015353 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// for N = 10
#define NMAX 10
#define NMAXR 10.0
#define B 0x1.1p-50

// for N = 100
// #define NMAX 100
// #define NMAXR 100.0
// #define B 0x1.02p-47


// for N = 1000
// #define NMAX 1000
// #define NMAXR 1000.0
// #define B 0x1.004p-44


/*@ axiomatic ScalarProduct {
  @   // exact_scalar_product(x,y,n) = x[0]*y[0] + ... + x[n-1] * y[n-1]
  @   logic real exact_scalar_product{L}(double *x, double *y, integer n)
  @       reads x[..], y[..];
  @   axiom A1{L}: \forall double *x,*y;
  @      exact_scalar_product(x,y,0) == 0.0;
  @   axiom A2{L}: \forall double *x,*y; \forall integer n ;
  @      n >= 0 ==>
  @        exact_scalar_product(x,y,n+1) == 
  @          exact_scalar_product(x,y,n) + x[n]*y[n];
  @ }
  @*/


/*@ lemma bound_int_to_real:
  @   \forall integer i; i <= NMAX ==> i <= NMAXR;
  @*/


/*@ requires 0 <= n <= NMAX;
  @ requires \valid(x+(0..n-1)) && \valid(y+(0.. n-1)) ;
  @ requires \forall integer i; 0 <= i < n ==>
  @          \abs(x[i]) <= 1.0 && \abs(y[i]) <= 1.0 ;
  @ ensures
  @    \abs(\result - exact_scalar_product(x,y,n)) <= n * B;
  @*/
double scalar_product(double x[], double y[], int n) {
  double p = 0.0;
  /*@ loop invariant 0 <= i <= n ;
    @ loop invariant \abs(exact_scalar_product(x,y,i)) <= i;
    @ loop invariant \abs(p - exact_scalar_product(x,y,i)) <= i * B;
    @ loop variant n-i;
    @*/
  for (int i=0; i < n; i++) {
    // bounds, needed by Gappa
    //@ assert \abs(x[i]) <= 1.0;
    //@ assert \abs(y[i]) <= 1.0;
    //@ assert \abs(p) <= NMAXR*(1+B) ;

  L:
    p = p + x[i]*y[i];

    // bound on the rounding errors in the statement above, proved by gappa
    /*@ assert \abs(p - (\at(p,L) + x[i]*y[i])) <= B;
     */

    // the proper instance of triangular inequality to show the main invariant
    /*@ assert
          \abs(p - exact_scalar_product(x,y,i+1)) <=
          \abs(p - (\at(p,L) + x[i]*y[i])) +
          \abs((\at(p,L) + x[i]*y[i]) -
               (exact_scalar_product(x,y,i) + x[i]*y[i])) ;
    */

    // a lemma to show the invariant \abs(exact_scalar_product(x,y,i)) <= i
    /*@ assert
      \abs(exact_scalar_product(x,y,i+1)) <=
         \abs(exact_scalar_product(x,y,i)) + \abs(x[i]) * \abs(y[i]);
    */

    // a necessary lemma, proved only by gappa
    //@ assert \abs(x[i]) * \abs(y[i]) <= 1.0;
  }
  return p;
}



/*
Local Variables:
compile-command: "make scalar_product.why3ide"
End:
*/


why-2.34/tests/c/double_rounding_strict_model.c0000644000175000017500000000477312311670312020307 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


double doublerounding() {
  double x = 1.0;
  double y = 0x1p-53 + 0x1p-64;
  double z = x + y;
  //@ assert z == 1.0 + 0x1p-52;
  return z;
}


/*
Local Variables:
compile-command: "LC_ALL=C make double_rounding_strict_model.why3ide"
End:
*/
why-2.34/tests/c/result/0000755000175000017500000000000012311670312013517 5ustar  rtuserswhy-2.34/tests/c/result/README0000644000175000017500000000013312311670312014374 0ustar  rtusersthis directory is to store results of tests. There is
intentionally no file managed by SVN
why-2.34/tests/c/Sterbenz.c0000644000175000017500000000507612311670312014151 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNCOQ: will ask regtests to check Coq proofs of this program

/*@ requires  y / 2.0 <= x <= 2.0 * y;
  @ ensures   \result == x - y;
  @*/
float Sterbenz(float x, float y) {
  //@ assert 0.0 <= y;
  //@ assert 0.0 <= x;
  return x-y;
}


/*
Local Variables:
compile-command: "make Sterbenz.why3ide"
End:
*/
why-2.34/tests/c/insertion_sort.c0000644000175000017500000000627112311670312015434 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

// RUNSIMPLIFY: will ask regtests to run Simplify on this program

#pragma JessieIntegerModel(math)

#include "sorting.h"

/*@ requires \valid(t+(0..n-1));
  @ ensures Sorted(t,0,n-1);
  @*/
void insert_sort(int t[], int n) {
  int i,j;
  int mv;
  if (n <= 1) return;
  /*@ loop invariant 0 <= i <= n;
    @ loop invariant Sorted(t,0,i);
    @ loop variant n-i;
    @*/
  for (i=1; i Sorted(t,0,i);
      @ loop invariant j < i ==> Sorted(t,0,i+1);
      @ loop invariant \forall integer k; j <= k < i ==> t[k] > mv;
      @ loop variant j;
      @*/
    // look for the right index j to put t[i]
    for (j=i; j > 0; j--) {
      if (t[j-1] <= mv) break;
      t[j] = t[j-1];
    }
    t[j] = mv;
  }
}


/*
Local Variables:
compile-command: "make insertion_sort.why3ide"
End:
*/
why-2.34/tests/c/muller.c0000644000175000017500000001014512311670312013646 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

typedef unsigned int size_t;
void *malloc(size_t size);
void *calloc(size_t nmemb, size_t size);

/*@ axiomatic NumOfPos {
  @  logic integer num_of_pos{L}(integer i,integer j,int *t);
  @  axiom num_of_pos_empty{L} :
  @   \forall integer i, j, int *t;
  @    i >= j ==> num_of_pos(i,j,t) == 0;
  @  axiom num_of_pos_true_case{L} :
  @   \forall integer i, j, int *t;
  @       i < j && t[j-1] > 0 ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t) + 1;
  @  axiom num_of_pos_false_case{L} :
  @   \forall integer i, j, int *t;
  @       i < j && ! (t[j-1] > 0) ==>
  @         num_of_pos(i,j,t) == num_of_pos(i,j-1,t);
  @ }
  @*/


/*@ lemma num_of_pos_non_negative{L} :
  @   \forall integer i, j, int *t; 0 <= num_of_pos(i,j,t);
  @*/

/*@ lemma num_of_pos_additive{L} :
  @   \forall integer i, j, k, int *t; i <= j <= k ==>
  @       num_of_pos(i,k,t) == num_of_pos(i,j,t) + num_of_pos(j,k,t);
  @*/

/*@ lemma num_of_pos_increasing{L} :
  @   \forall integer i, j, k, int *t;
  @       j <= k ==> num_of_pos(i,j,t) <= num_of_pos(i,k,t);
  @*/

/*@ lemma num_of_pos_strictly_increasing{L} :
  @   \forall integer i, n, int *t;
  @       0 <= i < n && t[i] > 0 ==>
  @       num_of_pos(0,i,t) < num_of_pos(0,n,t);
  @*/

/*@ requires l >= 0 && \valid_range(t,0,l-1);
  @*/
int* m(int *t, int l) {
  int i, count = 0;
  int *u;

  /*@ loop invariant
    @    0 <= i <= l &&
    @    0 <= count <= i &&
    @    count == num_of_pos(0,i,t) ;
    @ loop variant l - i;
    @*/
  for (i=0 ; i < l; i++) if (t[i] > 0) count++;

  u = (int*)calloc(count,sizeof(int));
  count = 0;

  /*@ loop invariant
    @    0 <= i <= l &&
    @    0 <= count <= i &&
    @    count == num_of_pos(0,i,t);
    @ loop variant l - i;
    @*/
  for (int i=0 ; i < l; i++) {
    if (t[i] > 0) u[count++] = t[i];
  }
  return u;
}


/*
Local Variables:
compile-command: "make muller.why3ide"
End:
*/
why-2.34/tests/c/eps_line1.c0000644000175000017500000000627412311670312014235 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

#define E 0x1p-45


//@ logic integer l_sign(real x) = (x >= 0.0) ? 1 : -1;

/*@ requires e1<= x-\exact(x) <= e2;
  @ ensures  (\result != 0 ==> \result == l_sign(\exact(x))) &&
  @          \abs(\result) <= 1 ;
  @*/
int sign(double x, double e1, double e2) {

  if (x > e2)
    return 1;
  if (x < e1)
    return -1;
  return 0;
}

/*@ requires
  @   sx == \exact(sx)  && sy == \exact(sy) &&
  @   vx == \exact(vx)  && vy == \exact(vy) &&
  @   \abs(sx) <= 100.0 && \abs(sy) <= 100.0 &&
  @   \abs(vx) <= 1.0   && \abs(vy) <= 1.0;
  @ ensures
  @    \result != 0
  @      ==> \result == l_sign(\exact(sx)*\exact(vx)+\exact(sy)*\exact(vy))
  @            * l_sign(\exact(sx)*\exact(vy)-\exact(sy)*\exact(vx));
  @*/
int eps_line(double sx, double sy,double vx, double vy){
  int s1,s2;

  s1=sign(sx*vx+sy*vy, -E, E);
  s2=sign(sx*vy-sy*vx, -E, E);

  return s1*s2;
}

/*
Local Variables:
compile-command: "LC_ALL=C make eps_line1.why3ide"
End:
*/
why-2.34/tests/regtest.sh0000755000175000017500000001336112311670312013777 0ustar  rtusers#!/bin/sh

echo 'Format.eprintf "%s@." (Sys.getcwd());;' | ocaml 1>/dev/null 2> /tmp/regtests.cwd

DIR=`cat /tmp/regtests.cwd`
rm -f /tmp/regtests.cwd
LIBDIR=`grep "libdir" $DIR/src/version.ml | sed -e 's|[^"]*"\([^"]*\)"[^"]*|\1|g' | head -n 1`
LANG=

echofilename () {
  echo "========== file $1 =========="
}

mycat() {
  echofilename $1
  sed -e "s|jessie_[0-9]\+|jessie_|g" $1
}

mycatfilterdir () {
  echofilename $1
  sed -e "s|$DIR|HOME|g" -e "s|$LIBDIR|WHYLIB|g" $1
}

case $1 in
  *.java)
        d=`dirname $1`
	b=`basename $1 .java`
        f=$d/$b
	mycat $f.java
	echo "========== krakatoa execution =========="
	rm -f $f.jc
	rm -f $f.jloc
	opt=""
	if grep JAVACARD $f.java ; then
	    opt=-javacard
	fi
	KRAKATOALIB=$DIR/lib bin/krakatoa.opt -gen-only $opt $1 || exit 1
	mycat $f.jc
	mycatfilterdir $f.jloc
	echo "========== jessie execution =========="
	rm -f $f.makefile
	rm -f $d/why/$b.why
	rm -f $f.loc
	WHYLIB=$DIR/lib bin/jessie.opt -locs $f.jloc -why-opt -split-user-conj $f.jc || exit 2
	mycatfilterdir $f.makefile
	mycatfilterdir $f.loc
	mycat $d/why/$b.why
	echo "========== make project execution =========="
	rm -f $d/why/$b.wpr
	rm -f $d/why/$b'_ctx'.why
	rm -f $d/why/$b'_po'*.why
	WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $d -f $b.makefile project
	mycatfilterdir $d/why/$b.wpr
	mycat $d/why/$b'_ctx'.why
	for i in `ls $d/why/$b'_po'*.why`; do mycat $i; done
	echo "========== generation of Simplify VC output =========="
	WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $d -f $b.makefile simplify/$b'_why'.sx
	mycatfilterdir $d/simplify/$b'_why'.sx
	echo "========== running Simplify =========="
	tmp=$(tempfile -s regtests_simplify)
	DP="$DIR/bin/why-dp.opt -no-timings -timeout 1" WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $d -f $b.makefile simplify 2> $tmp
	grep -v 'CPU time limit' $tmp >&2
	echo "========== generation of alt-ergo VC output =========="
	WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $d -f $b.makefile why/$b'_why'.why
	mycat $d/why/$b'_why'.why
	if grep RUNALTERGO $1 ; then
  	    echo "========== running alt-ergo =========="
	    tmp=$(tempfile -s regtests_ergo)
	    DP="$DIR/bin/why-dp.opt -no-timings -timeout 10" WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $d -f $b.makefile ergo 2> $tmp
	    grep -v 'CPU time limit' $tmp >&2
        fi
	if grep RUNSIMPLIFY $1 ; then
	    echo "========== generation of Simplify VC output =========="
	    WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $d -f $b.makefile simplify/$b'_why'.sx
	    mycatfilterdir $d/simplify/$b'_why'.sx
	    echo "========== running Simplify =========="
	    tmp=$(tempfile -s regtests_simplify)
	    DP="$DIR/bin/why-dp.opt -no-timings -timeout 1" WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $d -f $b.makefile simplify 2> $tmp
	    grep -v 'CPU time limit' $tmp >&2
        fi
	if grep RUNCOQ $f.java ; then
	    echo "========== generation of Coq VC output =========="
	    WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $d -f $b.makefile coq
	    mycatfilterdir $d/coq/$b'_why'.v
	    echo "========== running Coq =========="
	    DP="$DIR/bin/why-dp.opt -no-timings -timeout 100" WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $d -f $b.makefile coq
        fi
	;;
  *.c)
        d=`dirname $1`
	b=`basename $1 .c`
        j=$d/$b.jessie
        f=$j/$b
	mycat $1
	echo "========== frama-c -jessie execution =========="
	rm -f $f.jc
	rm -f $f.cloc
	FRAMAC_PLUGIN=$DIR/frama-c-plugin frama-c -jessie -jessie-gen-only $1 || exit 1
	mycat $f.jc
	mycatfilterdir $f.cloc
	echo "========== jessie execution =========="
	rm -f $f.makefile
	rm -f $j/why/$b.why
	rm -f $f.loc
	WHYLIB=$DIR/lib bin/jessie.opt -locs $f.cloc -why-opt -split-user-conj $f.jc || exit 2
	mycatfilterdir $f.makefile
	mycatfilterdir $f.loc
	mycat $j/why/$b.why
	echo "========== generation of alt-ergo VC output =========="
	WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $j -f $b.makefile why/$b'_why'.why
	mycat $j/why/$b'_why'.why
	if grep RUNALTERGO $1 ; then
	    echo "========== running alt-ergo =========="
	    tmp=$(tempfile -s regtests_ergo)
	    DP="$DIR/bin/why-dp.opt -no-timings -timeout 2" WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $j -f $b.makefile ergo 2> $tmp
	    grep -v 'CPU time limit' $tmp >&2
        fi
	if grep RUNGAPPA $1 ; then
	    echo "========== generation of Gappa VC output =========="
	    WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $j -f $b.makefile gappa/$b'_why'.gappa
	    mycatfilterdir $j/gappa/$b'_why'.gappa
	    echo "========== running Gappa =========="
	    tmp=$(tempfile -s regtests_gappa)
	    DP="$DIR/bin/why-dp.opt -no-timings -timeout 1" WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $j -f $b.makefile gappa 2> $tmp
	    grep -v 'CPU time limit' $tmp >&2
        fi
	if grep RUNSIMPLIFY $1 ; then
	    echo "========== generation of Simplify VC output =========="
	    WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $j -f $b.makefile simplify/$b'_why'.sx
	    mycatfilterdir $j/simplify/$b'_why'.sx
	    echo "========== running Simplify =========="
	    tmp=$(tempfile -s regtests_simplify)
	    DP="$DIR/bin/why-dp.opt -no-timings -timeout 1" WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $j -f $b.makefile simplify 2> $tmp
	    grep -v 'CPU time limit' $tmp >&2
        fi
	if grep RUNCOQ $1 ; then
	    echo "========== generation of Coq VC output =========="
	    WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $j -f $b.makefile coq
	    mycatfilterdir $j/coq/$b'_why'.v
	    echo "========== running Coq =========="
	    DP="$DIR/bin/why-dp.opt -no-timings -timeout 100" WHYLIB=$DIR/lib WHYEXEC=$DIR/bin/why.opt make --quiet -C $j -f $b.makefile coq
        fi
	;;
  *)
	echo "don't know what to do with $1"
	exit 1
esac


why-2.34/atp/0000755000175000017500000000000012311670312011401 5ustar  rtuserswhy-2.34/atp/intro.ml0000644000175000017500000002636112311670312013076 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Simple algebraic expression example from the introductory chapter.        *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

type expression =
   Var of string
 | Const of int
 | Add of expression * expression
 | Mul of expression * expression;;

(* ------------------------------------------------------------------------- *)
(* Trivial example of using the type constructors.                           *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
Add(Mul(Const 2,Var "x"),Var "y");;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Simplification example.                                                   *)
(* ------------------------------------------------------------------------- *)

let simplify1 expr =
  match expr with
    Add(Const(m),Const(n)) -> Const(m + n)
  | Mul(Const(m),Const(n)) -> Const(m * n)
  | Add(Const(0),x) -> x
  | Add(x,Const(0)) -> x
  | Mul(Const(0),x) -> Const(0)
  | Mul(x,Const(0)) -> Const(0)
  | Mul(Const(1),x) -> x
  | Mul(x,Const(1)) -> x
  | _ -> expr;;

let rec simplify expr =
  match expr with
    Add(e1,e2) -> simplify1(Add(simplify e1,simplify e2))
  | Mul(e1,e2) -> simplify1(Mul(simplify e1,simplify e2))
  | _ -> expr;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)
START_INTERACTIVE;;
let e = Add(Mul(Add(Mul(Const(0),Var "x"),Const(1)),Const(3)),
            Const(12));;
simplify e;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Lexical analysis.                                                         *)
(* ------------------------------------------------------------------------- *)

let matches s = let chars = explode s in fun c -> mem c chars;;

let space = matches " \t\n"
and punctuation = matches "()[]{},"
and symbolic = matches "~`!@#$%^&*-+=|\\:;<>.?/"
and numeric = matches "0123456789"
and alphanumeric = matches
  "abcdefghijklmnopqrstuvwxyz_'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";;

let rec lexwhile prop inp =
  match inp with
    [] -> "",[]
  | c::cs ->
        if prop c then let tok,rest = lexwhile prop cs in c^tok,rest
        else "",inp;;

let rec lex inp =
  let _,inp1 = lexwhile space inp in
  match inp1 with
    [] -> []
  | c::cs -> let prop =
               if alphanumeric(c) then alphanumeric
               else if symbolic(c) then symbolic
               else if punctuation(c) then (fun c -> false)
               else failwith "Unknown character in input" in
             let toktl,rest = lexwhile prop cs in
             (c^toktl)::lex rest;;

START_INTERACTIVE;;
lex(explode "2*((var_1 + x') + 11)");;
lex(explode "if (*p1-- == *p2++) then f() else g()");;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Parsing.                                                                  *)
(* ------------------------------------------------------------------------- *)

let rec parse_expression inp =
  let e1,inp1 = parse_product inp in
  if inp1 <> [] & hd inp1 = "+" then
     let e2,inp2 = parse_expression (tl inp1) in Add(e1,e2),inp2
  else e1,inp1

and parse_product inp =
  let e1,inp1 = parse_atom inp in
  if inp1 <> [] & hd inp1 = "*" then
     let e2,inp2 = parse_product (tl inp1) in Mul(e1,e2),inp2
  else e1,inp1

and parse_atom inp =
  match inp with
    [] -> failwith "Expected an expression at end of input"
  | tok::toks ->
        if tok = "(" then
           let e,inp1 = parse_expression toks in
           if inp1 <> [] & hd inp1 = ")" then e,tl inp1
           else failwith "Expected closing bracket"
        else if forall numeric (explode tok) then
           Const(int_of_string tok),toks
        else Var(tok),toks;;

(* ------------------------------------------------------------------------- *)
(* Generic function to impose lexing and exhaustion checking on a parser.    *)
(* ------------------------------------------------------------------------- *)

let make_parser pfn s =
  let expr,rest = pfn (lex(explode s)) in
  if rest = [] then expr else failwith "Unparsed input";;

(* ------------------------------------------------------------------------- *)
(* Our parser.                                                               *)
(* ------------------------------------------------------------------------- *)

let parsee = make_parser parse_expression;;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
parsee "x + 1";;

parsee "(x1 + x2 + x3) * (1 + 2 + 3 * x + y)";;

END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Conservatively bracketing first attempt at printer.                       *)
(* ------------------------------------------------------------------------- *)

let rec string_of_exp e =
  match e with
    Var s -> s
  | Const n -> string_of_int n
  | Add(e1,e2) -> "("^(string_of_exp e1)^" + "^(string_of_exp e2)^")"
  | Mul(e1,e2) -> "("^(string_of_exp e1)^" * "^(string_of_exp e2)^")";;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
string_of_exp(parsee "x + 3 * y");;
let e = parsee "3 * (y + z) + 7 * 4";;
parsee(string_of_exp e) = e;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Somewhat better attempt.                                                  *)
(* ------------------------------------------------------------------------- *)

let rec string_of_exp pr e =
  match e with
    Var s -> s
  | Const n -> string_of_int n
  | Add(e1,e2) ->
        let s = (string_of_exp 3 e1)^" + "^(string_of_exp 2 e2) in
        if pr > 2 then "("^s^")" else s
  | Mul(e1,e2) ->
        let s = (string_of_exp 5 e1)^" * "^(string_of_exp 4 e2) in
        if pr > 4 then "("^s^")" else s;;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
string_of_exp 0 (parsee "x + 3 * y");;
string_of_exp 0 (parsee "(x + 3) * y");;
string_of_exp 0 (parsee "1 + 2 + 3");;
string_of_exp 0 (parsee "((1 + 2) + 3) + 4");;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Example shows the problem.                                                *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let e = parsee "(x1 + x2 + x3 + x4 + x5 + x6 + x7 + x8 + x9 + x10) *
                (y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8 + y9 + y10)";;

string_of_exp 0 e;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Real printer with proper line breaks.                                     *)
(* ------------------------------------------------------------------------- *)

let rec print_exp pr e =
  match e with
    Var s -> print_string s
  | Const n -> print_int n
  | Add(e1,e2) ->
        if pr > 2 then (print_string "("; open_box 0) else ();
        print_exp 3 e1;
        print_string " +"; print_space();
        print_exp 2 e2;
        if pr > 2 then (close_box(); print_string ")") else ()
  | Mul(e1,e2) ->
        if pr > 4 then (print_string "("; open_box 0) else ();
        print_exp 5 e1;
        print_string " *"; print_space();
        print_exp 4 e2;
        if pr > 4 then (close_box(); print_string ")") else ();;

let print_expression e =
  open_box 0; print_string "<<";
              open_box 0; print_exp 0 e; close_box();
  print_string ">>"; close_box();;

(* ------------------------------------------------------------------------- *)
(* Also set up parsing of quotations.                                        *)
(* ------------------------------------------------------------------------- *)

let default_parser = parsee;;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
print_expression(Mul(Const 3,Add(Mul(e,e),Mul(e,e))));;

#install_printer print_expression;;

parsee "3 + x * y";;

<<3 + x * y>>;;

END_INTERACTIVE;;
why-2.34/atp/Mk_ml_file0000755000175000017500000000016312311670312013365 0ustar  rtusersecho "open Num;;"
echo "open Format;;"

cat $@ | sed 's/START_INTERACTIVE;;/(\*/' | sed 's/END_INTERACTIVE;;/\*)/'
why-2.34/atp/qelim.ml0000644000175000017500000002122512311670312013044 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Introduction to quantifier elimination.                                   *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

let rec disjuncts fm =
  match fm with
    Or(p,q) -> disjuncts p @ disjuncts q
  | _ -> [fm];;

let rec conjuncts fm =
  match fm with
    And(p,q) -> conjuncts p @ conjuncts q
  | _ -> [fm];;

(* ------------------------------------------------------------------------- *)
(* Lift procedure given literal modifier, formula normalizer, and a  basic   *)
(* elimination procedure for existential formulas with conjunctive body.     *)
(* ------------------------------------------------------------------------- *)

let lift_qelim afn nfn qfn =
  let rec qelift vars fm =
    match fm with
    | Atom(R(_,_)) -> afn vars fm
    | Not(p) -> Not(qelift vars p)
    | And(p,q) -> And(qelift vars p,qelift vars q)
    | Or(p,q) -> Or(qelift vars p,qelift vars q)
    | Imp(p,q) -> Imp(qelift vars p,qelift vars q)
    | Iff(p,q) -> Iff(qelift vars p,qelift vars q)
    | Forall(x,p) -> Not(qelift vars (Exists(x,Not p)))
    | Exists(x,p) ->
          let djs = disjuncts(nfn(qelift (x::vars) p)) in
          list_disj(map (qelim x vars) djs)
    | _ -> fm
  and qelim x vars p =
    let cjs = conjuncts p in
    let ycjs,ncjs = partition (mem x ** fv) cjs in
    if ycjs = [] then p else
    let q = qfn vars (Exists(x,list_conj ycjs)) in
    itlist (fun p q -> And(p,q)) ncjs q in
  fun fm -> simplify(qelift (fv fm) fm);;

(* ------------------------------------------------------------------------- *)
(* Cleverer (proposisional) NNF with conditional and literal modification.   *)
(* ------------------------------------------------------------------------- *)

let cnnf lfn =
  let rec cnnf fm =
    match fm with
      And(p,q) -> And(cnnf p,cnnf q)
    | Or(p,q) -> Or(cnnf p,cnnf q)
    | Imp(p,q) -> Or(cnnf(Not p),cnnf q)
    | Iff(p,q) -> Or(And(cnnf p,cnnf q),And(cnnf(Not p),cnnf(Not q)))
    | Not(Not p) -> cnnf p
    | Not(And(p,q)) -> Or(cnnf(Not p),cnnf(Not q))
    | Not(Or(And(p,q),And(p',r))) when p' = negate p ->
         Or(cnnf (And(p,Not q)),cnnf (And(p',Not r)))
    | Not(Or(p,q)) -> And(cnnf(Not p),cnnf(Not q))
    | Not(Imp(p,q)) -> And(cnnf p,cnnf(Not q))
    | Not(Iff(p,q)) -> Or(And(cnnf p,cnnf(Not q)),
                          And(cnnf(Not p),cnnf q))
    | _ -> lfn fm in
  simplify ** cnnf ** simplify;;

(* ------------------------------------------------------------------------- *)
(* Initial literal simplifier and intermediate literal modifier.             *)
(* ------------------------------------------------------------------------- *)

let lfn_dlo fm =
  match fm with
    Not(Atom(R("<",[s;t]))) -> Or(Atom(R("=",[s;t])),Atom(R("<",[t;s])))
  | Not(Atom(R("=",[s;t]))) -> Or(Atom(R("<",[s;t])),Atom(R("<",[t;s])))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Simple example of dense linear orderings; this is the base function.      *)
(* ------------------------------------------------------------------------- *)

let dlobasic fm =
  match fm with
    Exists(x,p) ->
      let cjs = subtract (conjuncts p) [Atom(R("=",[Var x;Var x]))] in
      try let eqn = find
            (function (Atom(R("=",_))) -> true | _ -> false) cjs in
          let (Atom(R("=",[s;t]))) = eqn in
          let y = if s = Var x then t else s in
          list_conj(map (formsubst (x := y)) (subtract cjs [eqn]))
      with Failure _ ->
          if mem (Atom(R("<",[Var x;Var x]))) cjs then False else
          let l,r =
            partition (fun (Atom(R("<",[s;t]))) -> t = Var x) cjs in
          let lefts = map (fun (Atom(R("<",[l;_]))) -> l) l
          and rights = map (fun (Atom(R("<",[_;r]))) -> r) r in
          list_conj(allpairs (fun l r -> Atom(R("<",[l;r])))
                             lefts rights)
  | _ -> failwith "dlobasic";;

(* ------------------------------------------------------------------------- *)
(* Overall quelim procedure.                                                 *)
(* ------------------------------------------------------------------------- *)

let afn_dlo vars fm =
  match fm with
    Atom(R("<=",[s;t])) -> Not(Atom(R("<",[t;s])))
  | Atom(R(">=",[s;t])) -> Not(Atom(R("<",[s;t])))
  | Atom(R(">",[s;t])) -> Atom(R("<",[t;s]))
  | _ -> fm;;

let quelim_dlo =
  lift_qelim afn_dlo (dnf ** cnnf lfn_dlo) (fun v -> dlobasic);;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
quelim_dlo <>;;

quelim_dlo <>;;

quelim_dlo <>;;

quelim_dlo <<(forall x. x < a ==> x < b)>>;;

quelim_dlo < x < b) <=> a = b>>;;

time quelim_dlo <>;;

time quelim_dlo < x < z>>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo < exists z. x < z /\ z < y>>;;

time quelim_dlo
  < exists u. u < x /\ (y < u \/ x < y)>>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo < w < z>>;;

time quelim_dlo <>;;

time quelim_dlo <>;;

time quelim_dlo < x < b) <=> a <= b>>;;

time quelim_dlo < x < b>>;;

time quelim_dlo < x <= b>>;;

time quelim_dlo <>;;

time quelim_dlo < y>>;;

time quelim_dlo <>;;
END_INTERACTIVE;;
why-2.34/atp/Makefile0000644000175000017500000000403212311670312013040 0ustar  rtusers# List of ML files to compile as a library. This leaves out the following
# which are probably not much use:
#
# sigma.ml       (Sigma-formulas and evaluator-by-proof)
# turing.ml      (OCaml implementation of Turing machines)
# undecidable.ml (Proofs related to undecidability results)
# bhk.ml         (Trivial instance of BHK interpretation)
# many.ml        (Example relevant to many-sorted logic)
# hol.ml         (Simple higher order logic setup)

#MLFILES = lib.ml intro.ml formulas.ml prop.ml propexamples.ml           \
          defcnf.ml dp.ml stal.ml bdd.ml fol.ml skolem.ml               \
          herbrand.ml unif.ml tableaux.ml resolution.ml prolog.ml       \
          meson.ml skolems.ml equal.ml cong.ml rewrite.ml               \
          order.ml completion.ml orewrite.ml eqelim.ml                  \
          paramodulation.ml decidable.ml qelim.ml cooper.ml             \
          complex.ml grobner.ml real.ml geom.ml interpolation.ml        \
          combining.ml transition.ml temporal.ml model.ml ltl.ml        \
          ste.ml lcf.ml hilbert.ml lcfprop.ml lcffol.ml checking.ml     \
          tactics.ml

MLFILES = lib.ml intro.ml formulas.ml prop.ml propexamples.ml           \
	  defcnf.ml dp.ml fol.ml skolem.ml herbrand.ml qelim.ml         \
	  cooper.ml fourier_motzkin.ml

# The default is to build a bytecode executable

bytecode: example.ml atp.cmo; ocamlc -o example nums.cma atp.cmo example.ml

# Alternatively, produce native code

compiled: example.ml atp.cmx; ocamlopt -o example nums.cmxa atp.cmx example.ml

# Make the appropriate object for the main body of code

atp.cmx: atp.ml; ocamlopt -w ax -c atp.ml

atp.cmo: atp.ml; ocamlc -w ax -c atp.ml

# Make the camlp4 quotation expander

Quotexpander.cmo: Quotexpander.ml; ocamlc -I +camlp4 -c Quotexpander.ml

# Extract the non-interactive part of the code

atp.ml: $(MLFILES); ./Mk_ml_file $(MLFILES) >atp.ml

# Clean up

clean:; -rm -f atp.cma atp.cmi atp.cmo atp.cmx atp.o atp.ml example example.cmi example.cmo example.cmx example.o Quotexpander.cmo Quotexpander.cmi
why-2.34/atp/herbrand.ml0000644000175000017500000003210112311670312013515 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Relation between FOL and propositonal logic; Herbrand theorem.            *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

(* ------------------------------------------------------------------------- *)
(* We want to generalize a formula before negating and refuting.             *)
(* ------------------------------------------------------------------------- *)

let generalize fm = itlist (fun x p -> Forall(x,p)) (fv fm) fm;;

(* ------------------------------------------------------------------------- *)
(* Propositional valuation.                                                  *)
(* ------------------------------------------------------------------------- *)

let pholds d fm = eval fm (fun p -> d(Atom p));;

(* ------------------------------------------------------------------------- *)
(* Characteristic function of Herbrand interpretation for p.                 *)
(* ------------------------------------------------------------------------- *)

let rec herbdom funcs tm =
  match tm with
    Var _ -> false
  | Fn(f,a) -> mem (f,length a) funcs & forall (herbdom funcs) a;;

(* ------------------------------------------------------------------------- *)
(* Get the constants for Herbrand base, adding nullary one if necessary.     *)
(* ------------------------------------------------------------------------- *)

let herbfuns fm =
  let cns,fns = partition (fun (_,ar) -> ar = 0) (functions fm) in
  if cns = [] then ["c",0],fns else cns,fns;;

(* ------------------------------------------------------------------------- *)
(* Enumeration of ground terms and m-tuples, ordered by total fns.           *)
(* ------------------------------------------------------------------------- *)

let rec groundterms cntms funcs n =
  if n = 0 then cntms else
  itlist (fun (f,m) -> (@)
                (map (fun args -> Fn(f,args))
                     (groundtuples cntms funcs (n - 1) m)))
         funcs []

and groundtuples cntms funcs n m =
  if m = 0 then if n = 0 then [[]] else [] else
  itlist (fun k -> (@)
                (allpairs (fun h t -> h::t)
                          (groundterms cntms funcs k)
                          (groundtuples cntms funcs (n - k) (m - 1))))
         (0 -- n) [];;

(* ------------------------------------------------------------------------- *)
(* Iterate modifier "mfn" over ground terms till "tfn" fails.                *)
(* ------------------------------------------------------------------------- *)

let rec herbloop mfn tfn fl0 cntms funcs fvs n fl tried tuples =
  print_string(string_of_int(length tried)^" ground instances tried; "^
               string_of_int(length fl)^" items in list");
  print_newline();
  match tuples with
    [] -> let newtups = groundtuples cntms funcs n (length fvs) in
          herbloop mfn tfn fl0 cntms funcs fvs (n + 1) fl tried newtups
  | tup::tups ->
          let fl' = mfn fl0 (formsubst(instantiate fvs tup)) fl in
          if not(tfn fl') then tup::tried else
          herbloop mfn tfn fl0 cntms funcs fvs n fl' (tup::tried) tups;;

(* ------------------------------------------------------------------------- *)
(* Hence a simple Gilmore-type procedure.                                    *)
(* ------------------------------------------------------------------------- *)

let gilmore_loop =
  let mfn djs0 ifn djs =
    filter (non contradictory) (distrib (smap (smap ifn) djs0) djs) in
  herbloop mfn (fun djs -> djs <> []);;

let gilmore fm =
  let sfm = skolemize(Not(generalize fm)) in
  let fvs = fv sfm and consts,funcs = herbfuns sfm in
  let cntms = smap (fun (c,_) -> Fn(c,[])) consts in
  length(gilmore_loop (simpdnf sfm) cntms funcs fvs 0 [[]] [] []);;

(* ------------------------------------------------------------------------- *)
(* First example and a little tracing.                                       *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
gilmore < P(y)>>;;

let sfm = skolemize(Not < P(y)>>);;

(* ------------------------------------------------------------------------- *)
(* Quick examples.                                                           *)
(* ------------------------------------------------------------------------- *)

let p19 = gilmore
 < Q(z)) ==> P(x) ==> Q(x)>>;;

let p24 = gilmore
 <<~(exists x. U(x) /\ Q(x)) /\
   (forall x. P(x) ==> Q(x) \/ R(x)) /\
   ~(exists x. P(x) ==> (exists x. Q(x))) /\
   (forall x. Q(x) /\ R(x) ==> U(x))
   ==> (exists x. P(x) /\ R(x))>>;;

let p39 = gilmore
 <<~(exists x. forall y. P(y,x) <=> ~P(y,y))>>;;

let p42 = gilmore
 <<~(exists y. forall x. P(x,y) <=> ~(exists z. P(x,z) /\ P(z,x)))>>;;

let p44 = gilmore
 <<(forall x. P(x) ==> (exists y. G(y) /\ H(x,y)) /\
   (exists y. G(y) /\ ~H(x,y))) /\
   (exists x. J(x) /\ (forall y. G(y) ==> H(x,y)))
   ==> (exists x. J(x) /\ ~P(x))>>;;

let p59 = gilmore
 <<(forall x. P(x) <=> ~P(f(x))) ==> (exists x. P(x) /\ ~P(f(x)))>>;;

(* ------------------------------------------------------------------------- *)
(* Slightly less easy examples.                                              *)
(* ------------------------------------------------------------------------- *)

let p45 = gilmore
 <<(forall x.
     P(x) /\ (forall y. G(y) /\ H(x,y) ==> J(x,y))
     ==> (forall y. G(y) /\ H(x,y) ==> R(y))) /\
   ~(exists y. L(y) /\ R(y)) /\
   (exists x. P(x) /\ (forall y. H(x,y) ==> L(y)) /\
                      (forall y. G(y) /\ H(x,y) ==> J(x,y)))
   ==> (exists x. P(x) /\ ~(exists y. G(y) /\ H(x,y)))>>;;

let p60 = gilmore
 <
             exists y. (forall z. P(z,y) ==> P(z,f(x))) /\ P(x,y)>>;;

let p43 = gilmore
 <<(forall x y. Q(x,y) <=> forall z. P(z,x) <=> P(z,y))
   ==> forall x y. Q(x,y) <=> Q(y,x)>>;;

END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* The Davis-Putnam procedure for first order logic.                         *)
(* ------------------------------------------------------------------------- *)

let clausal fm = smap (smap negate) (simpdnf(nnf(Not fm)));;

let dp_mfn cjs0 ifn cjs = union (smap (smap ifn) cjs0) cjs;;

let dp_loop = herbloop dp_mfn dpll;;

let davisputnam fm =
  let sfm = skolemize(Not(generalize fm)) in
  if sfm = False then 0
  else if sfm = True then failwith "davisputnam" else
  let fvs = fv sfm and consts,funcs = herbfuns sfm in
  let cntms = smap (fun (c,_) -> Fn(c,[])) consts in
  length(dp_loop (clausal sfm) cntms funcs fvs 0 [] [] []);;

(* ------------------------------------------------------------------------- *)
(* Show how much better than the Gilmore procedure this can be.              *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let p20 = davisputnam
 <<(forall x y. exists z. forall w. P(x) /\ Q(y) ==> R(z) /\ U(w))
   ==> (exists x y. P(x) /\ Q(y)) ==> (exists z. R(z))>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Show the sensitivity to order: try also with variant suggested.           *)
(* ------------------------------------------------------------------------- *)

let rec herbloop' mfn tfn fl0 cntms funcs fvs n fl tried tuples =
  print_string(string_of_int(length tried)^" ground instances tried; "^
               string_of_int(length fl)^" items in list");
  print_newline();
  match tuples with
    [] -> let newtups = rev(groundtuples cntms funcs n (length fvs)) in
          herbloop' mfn tfn fl0 cntms funcs fvs (n + 1) fl tried newtups
  | tup::tups ->
          let fl' = mfn fl0 (formsubst(instantiate fvs tup)) fl in
          if not(tfn fl') then tup::tried else
          herbloop' mfn tfn fl0 cntms funcs fvs n fl' (tup::tried) tups;;

let dp_loop' =
  herbloop' (fun cjs0 ifn cjs -> union (smap (smap ifn) cjs0) cjs) dpll;;

let davisputnam' fm =
  let sfm = skolemize(Not(generalize fm)) in
  if sfm = False then 0
  else if sfm = True then failwith "davisputnam" else
  let fvs = fv sfm and consts,funcs = herbfuns sfm in
  let cntms = smap (fun (c,_) -> Fn(c,[])) consts in
  length(dp_loop' (clausal sfm) cntms funcs fvs 0 [] [] []);;

START_INTERACTIVE;;
let p36 = davisputnam
 <<(forall x. exists y. P(x,y)) /\
   (forall x. exists y. G(x,y)) /\
   (forall x y. P(x,y) \/ G(x,y)
                ==> (forall z. P(y,z) \/ G(y,z) ==> H(x,z)))
   ==> (forall x. exists y. H(x,y))>>;;

let p36 = davisputnam'
 <<(forall x. exists y. P(x,y)) /\
   (forall x. exists y. G(x,y)) /\
   (forall x y. P(x,y) \/ G(x,y)
                ==> (forall z. P(y,z) \/ G(y,z) ==> H(x,z)))
   ==> (forall x. exists y. H(x,y))>>;;

let p29 = davisputnam
 <<(exists x. P(x)) /\ (exists x. G(x)) ==>
   ((forall x. P(x) ==> H(x)) /\ (forall x. G(x) ==> J(x)) <=>
    (forall x y. P(x) /\ G(y) ==> H(x) /\ J(y)))>>;;

let p29 = davisputnam'
 <<(exists x. P(x)) /\ (exists x. G(x)) ==>
   ((forall x. P(x) ==> H(x)) /\ (forall x. G(x) ==> J(x)) <=>
    (forall x y. P(x) /\ G(y) ==> H(x) /\ J(y)))>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Try to cut out useless instantiations in final result.                    *)
(* ------------------------------------------------------------------------- *)

let rec dp_refine cjs0 fvs dunno need =
  match dunno with
    [] -> need
  | cl::dknow ->
      let mfn = dp_mfn cjs0 ** formsubst ** instantiate fvs in
      let need' =
       if dpll(itlist mfn (need @ dknow) []) then cl::need else need in
      dp_refine cjs0 fvs dknow need';;

let dp_refine_loop cjs0 cntms funcs fvs n cjs tried tuples =
  let tups = dp_loop cjs0 cntms funcs fvs n cjs tried tuples in
  dp_refine cjs0 fvs tups [];;

(* ------------------------------------------------------------------------- *)
(* Show how few of the instances we really need. Hence unification!          *)
(* ------------------------------------------------------------------------- *)

let davisputnam'' fm =
  let sfm = skolemize(Not(generalize fm)) in
  if sfm = False then 0
  else if sfm = True then failwith "davisputnam" else
  let fvs = fv sfm and consts,funcs = herbfuns sfm in
  let cntms = smap (fun (c,_) -> Fn(c,[])) consts in
  length(dp_refine_loop (clausal sfm) cntms funcs fvs 0 [] [] []);;

START_INTERACTIVE;;
let p36 = davisputnam''
 <<(forall x. exists y. P(x,y)) /\
   (forall x. exists y. G(x,y)) /\
   (forall x y. P(x,y) \/ G(x,y)
                ==> (forall z. P(y,z) \/ G(y,z) ==> H(x,z)))
   ==> (forall x. exists y. H(x,y))>>;;

let p29 = davisputnam''
 <<(exists x. P(x)) /\ (exists x. G(x)) ==>
   ((forall x. P(x) ==> H(x)) /\ (forall x. G(x) ==> J(x)) <=>
    (forall x y. P(x) /\ G(y) ==> H(x) /\ J(y)))>>;;
END_INTERACTIVE;;
why-2.34/atp/lib.ml0000644000175000017500000005076412311670312012515 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Misc library functions to set up a nice environment.                      *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

let identity x = x;;

(* ------------------------------------------------------------------------- *)
(* Function composition.                                                     *)
(* ------------------------------------------------------------------------- *)

let ( ** ) = fun f g x -> f(g x);;

(* ------------------------------------------------------------------------- *)
(* GCD and LCM on arbitrary-precision numbers.                               *)
(* ------------------------------------------------------------------------- *)

let gcd_num n1 n2 =
  abs_num(num_of_big_int
      (Big_int.gcd_big_int (big_int_of_num n1) (big_int_of_num n2)));;

let lcm_num n1 n2 = abs_num(n1 */ n2) // gcd_num n1 n2;;

(* ------------------------------------------------------------------------- *)
(* A useful idiom for "non contradictory" etc.                               *)
(* ------------------------------------------------------------------------- *)

let non p x = not(p x);;

(* ------------------------------------------------------------------------- *)
(* Repetition of a function.                                                 *)
(* ------------------------------------------------------------------------- *)

let rec funpow n f x =
  if n < 1 then x else funpow (n-1) f (f x);;

let can f x = try f x; true with Failure _ -> false;;

(* ------------------------------------------------------------------------- *)
(* Handy list operations.                                                    *)
(* ------------------------------------------------------------------------- *)

let rec (--) = fun m n -> if m > n then [] else m::((m + 1) -- n);;

let rec (---) = fun m n -> if m >/ n then [] else m::((m +/ Int 1) --- n);;

let rec map2 f l1 l2 =
  match (l1,l2) with
    [],[] -> []
  | (h1::t1),(h2::t2) -> let h = f h1 h2 in h::(map2 f t1 t2)
  | _ -> failwith "map2: length mismatch";;

let rev =
  let rec rev_append acc l =
    match l with
      [] -> acc
    | h::t -> rev_append (h::acc) t in
  fun l -> rev_append [] l;;

let hd l =
  match l with
   h::t -> h
  | _ -> failwith "hd";;

let tl l =
  match l with
   h::t -> t
  | _ -> failwith "tl";;

let rec itlist f l b =
  match l with
    [] -> b
  | (h::t) -> f h (itlist f t b);;

let rec end_itlist f l =
  match l with
        []     -> failwith "end_itlist"
      | [x]    -> x
      | (h::t) -> f h (end_itlist f t);;

let rec itlist2 f l1 l2 b =
  match (l1,l2) with
    ([],[]) -> b
  | (h1::t1,h2::t2) -> f h1 h2 (itlist2 f t1 t2 b)
  | _ -> failwith "itlist2";;

let rec zip l1 l2 =
  match (l1,l2) with
        ([],[]) -> []
      | (h1::t1,h2::t2) -> (h1,h2)::(zip t1 t2)
      | _ -> failwith "zip";;

let rec forall p l =
  match l with
    [] -> true
  | h::t -> p(h) & forall p t;;

let rec exists p l =
  match l with
    [] -> false
  | h::t -> p(h) or exists p t;;

let partition p l =
    itlist (fun a (yes,no) -> if p a then a::yes,no else yes,a::no) l ([],[]);;

let filter p l = fst(partition p l);;

let length =
  let rec len k l =
    if l = [] then k else len (k + 1) (tl l) in
  fun l -> len 0 l;;

let rec last l =
  match l with
    [x] -> x
  | (h::t) -> last t
  | [] -> failwith "last";;

let rec butlast l =
  match l with
    [_] -> []
  | (h::t) -> h::(butlast t)
  | [] -> failwith "butlast";;

let rec find p l =
  match l with
      [] -> failwith "find"
    | (h::t) -> if p(h) then h else find p t;;

let rec el n l =
  if n = 0 then hd l else el (n - 1) (tl l);;

let map f =
  let rec mapf l =
    match l with
      [] -> []
    | (x::t) -> let y = f x in y::(mapf t) in
  mapf;;

let rec allpairs f l1 l2 =
  itlist (fun x -> (@) (map (f x) l2)) l1 [];;

let distinctpairs l =
  filter (fun (a,b) -> a < b) (allpairs (fun a b -> a,b) l l);;

let rec chop_list n l =
  if n = 0 then [],l else
  try let m,l' = chop_list (n-1) (tl l) in (hd l)::m,l'
  with Failure _ -> failwith "chop_list";;

let replicate n a = map (fun x -> a) (1--n);;

let rec insertat i x l =
  if i = 0 then x::l else
  match l with
    [] -> failwith "insertat: list too short for position to exist"
  | h::t -> h::(insertat (i-1) x t);;

let rec forall2 p l1 l2 =
  match (l1,l2) with
    [],[] -> true
  | (h1::t1,h2::t2) -> p h1 h2 & forall2 p t1 t2
  | _ -> false;;

let index x =
  let rec ind n l =
    match l with
      [] -> failwith "index"
    | (h::t) -> if x = h then n else ind (n + 1) t in
  ind 0;;

let rec unzip l =
  match l with
    [] -> [],[]
  | (x,y)::t ->
      let xs,ys = unzip t in x::xs,y::ys;;

(* ------------------------------------------------------------------------- *)
(* Whether the first of two items comes earlier in the list.                 *)
(* ------------------------------------------------------------------------- *)

let rec earlier l x y =
  match l with
    h::t -> if h = y then false
              else if h = x then true
              else earlier t x y
  | [] -> false;;

(* ------------------------------------------------------------------------- *)
(* Application of (presumably imperative) function over a list.              *)
(* ------------------------------------------------------------------------- *)

let rec do_list f l =
  match l with
    [] -> ()
  | h::t -> f(h); do_list f t;;

(* ------------------------------------------------------------------------- *)
(* Association lists.                                                        *)
(* ------------------------------------------------------------------------- *)

let assoc x l = snd(find (fun p -> fst p = x) l);;

let rev_assoc x l = fst(find (fun p -> snd p = x) l);;

(* ------------------------------------------------------------------------- *)
(* Merging of sorted lists (maintaining repetitions).                        *)
(* ------------------------------------------------------------------------- *)

let rec merge ord l1 l2 =
  match l1 with
    [] -> l2
  | h1::t1 -> match l2 with
                [] -> l1
              | h2::t2 -> if ord h1 h2 then h1::(merge ord t1 l2)
                          else h2::(merge ord l1 t2);;

(* ------------------------------------------------------------------------- *)
(* Bottom-up mergesort.                                                      *)
(* ------------------------------------------------------------------------- *)

let sort ord =
  let rec mergepairs l1 l2 =
    match (l1,l2) with
        ([s],[]) -> s
      | (l,[]) -> mergepairs [] l
      | (l,[s1]) -> mergepairs (s1::l) []
      | (l,(s1::s2::ss)) -> mergepairs ((merge ord s1 s2)::l) ss in
  fun l -> if l = [] then [] else mergepairs [] (map (fun x -> [x]) l);;

(* ------------------------------------------------------------------------- *)
(* Common measure predicates to use with "sort".                             *)
(* ------------------------------------------------------------------------- *)

let increasing f x y = f x < f y;;

let decreasing f x y = f x > f y;;

(* ------------------------------------------------------------------------- *)
(* Eliminate repetitions of adjacent elements, with and without counting.    *)
(* ------------------------------------------------------------------------- *)

let rec uniq l =
  match l with
    (x::(y::_ as ys)) -> if x = y then uniq ys else x::(uniq ys)
   | _ -> l;;

let repetitions =
  let rec repcount n l =
    match l with
      x::(y::_ as ys) -> if y = x then repcount (n + 1) ys
                  else (x,n)::(repcount 1 ys)
    | [x] -> [x,n] in
  fun l -> if l = [] then [] else repcount 1 l;;

let rec tryfind f l =
  match l with
      [] -> failwith "tryfind"
    | (h::t) -> try f h with Failure _ -> tryfind f t;;

let rec mapfilter f l =
  match l with
    [] -> []
  | (h::t) -> let rest = mapfilter f t in
              try (f h)::rest with Failure _ -> rest;;

(* ------------------------------------------------------------------------- *)
(* Set operations on ordered lists.                                          *)
(* ------------------------------------------------------------------------- *)

let setify =
  let rec canonical lis =
     match lis with
       x::(y::_ as rest) -> x < y & canonical rest
     | _ -> true in
  fun l -> if canonical l then l else uniq (sort (<=) l);;

let union =
  let rec union l1 l2 =
    match (l1,l2) with
        ([],l2) -> l2
      | (l1,[]) -> l1
      | ((h1::t1 as l1),(h2::t2 as l2)) ->
          if h1 = h2 then h1::(union t1 t2)
          else if h1 < h2 then h1::(union t1 l2)
          else h2::(union l1 t2) in
  fun s1 s2 -> union (setify s1) (setify s2);;

let intersect =
  let rec intersect l1 l2 =
    match (l1,l2) with
        ([],l2) -> []
      | (l1,[]) -> []
      | ((h1::t1 as l1),(h2::t2 as l2)) ->
          if h1 = h2 then h1::(intersect t1 t2)
          else if h1 < h2 then intersect t1 l2
          else intersect l1 t2 in
  fun s1 s2 -> intersect (setify s1) (setify s2);;

let subtract =
  let rec subtract l1 l2 =
    match (l1,l2) with
        ([],l2) -> []
      | (l1,[]) -> l1
      | ((h1::t1 as l1),(h2::t2 as l2)) ->
          if h1 = h2 then subtract t1 t2
          else if h1 < h2 then h1::(subtract t1 l2)
          else subtract l1 t2 in
  fun s1 s2 -> subtract (setify s1) (setify s2);;

let subset,psubset =
  let rec subset l1 l2 =
    match (l1,l2) with
        ([],l2) -> true
      | (l1,[]) -> false
      | ((h1::t1 as l1),(h2::t2 as l2)) ->
          if h1 = h2 then subset t1 t2
          else if h1 < h2 then false
          else subset l1 t2
  and psubset l1 l2 =
    match (l1,l2) with
        (l1,[]) -> false
      | ([],l2) -> true
      | ((h1::t1 as l1),(h2::t2 as l2)) ->
          if h1 = h2 then psubset t1 t2
          else if h1 < h2 then false
          else subset l1 t2 in
  (fun s1 s2 -> subset (setify s1) (setify s2)),
  (fun s1 s2 -> psubset (setify s1) (setify s2));;

let rec set_eq s1 s2 = (setify s1 = setify s2);;

let insert x s = union [x] s;;

let smap f s = setify (map f s);;

(* ------------------------------------------------------------------------- *)
(* Union of a family of sets.                                                *)
(* ------------------------------------------------------------------------- *)

let unions s = setify(itlist (@) s []);;

(* ------------------------------------------------------------------------- *)
(* List membership. This does *not* assume the list is a set.                *)
(* ------------------------------------------------------------------------- *)

let rec mem x lis =
  match lis with
    [] -> false
  | (h::t) -> x = h or mem x t;;

(* ------------------------------------------------------------------------- *)
(* Finding all subsets or all subsets of a given size.                       *)
(* ------------------------------------------------------------------------- *)

let rec allsets m l =
  if m = 0 then [[]] else
  match l with
    [] -> []
  | h::t -> map (fun g -> h::g) (allsets (m - 1) t) @ allsets m t;;

let rec allsubsets s =
  match s with
    [] -> [[]]
  | (a::t) -> let res = allsubsets t in
              map (fun b -> a::b) res @ res;;

let allnonemptysubsets s = subtract (allsubsets s) [[]];;

(* ------------------------------------------------------------------------- *)
(* Explosion and implosion of strings.                                       *)
(* ------------------------------------------------------------------------- *)

let explode s =
  let rec exap n l =
     if n < 0 then l else
      exap (n - 1) ((String.sub s n 1) :: l) in
  exap (String.length s - 1) [];;

let implode l = itlist (^) l "";;

(* ------------------------------------------------------------------------- *)
(* Timing; useful for documentation but not logically necessary.             *)
(* ------------------------------------------------------------------------- *)

let time f x =
  let start_time = Sys.time() in
  let result = f x in
  let finish_time = Sys.time() in
  print_string
    ("CPU time (user): "^(string_of_float(finish_time -. start_time)));
  print_newline();
  result;;

(* ------------------------------------------------------------------------- *)
(* Representation of finite partial functions as balanced trees.             *)
(* Alas, there's no polymorphic one available in the standard library.       *)
(* So this is basically a copy of what's there.                              *)
(* ------------------------------------------------------------------------- *)

type ('a,'b)func =
    Empty
  | Node of ('a,'b)func * 'a * 'b * ('a,'b)func * int;;

let apply,undefined,(|->),undefine,dom,funset =
  let compare x y = if x = y then 0 else if x < y then -1 else 1 in
  let empty = Empty in
  let height = function
      Empty -> 0
    | Node(_,_,_,_,h) -> h in
  let create l x d r =
    let hl = height l and hr = height r in
    Node(l, x, d, r, (if hl >= hr then hl + 1 else hr + 1)) in
  let bal l x d r =
    let hl = match l with Empty -> 0 | Node(_,_,_,_,h) -> h in
    let hr = match r with Empty -> 0 | Node(_,_,_,_,h) -> h in
    if hl > hr + 2 then begin
      match l with
        Empty -> invalid_arg "Map.bal"
      | Node(ll, lv, ld, lr, _) ->
          if height ll >= height lr then
            create ll lv ld (create lr x d r)
          else begin
            match lr with
              Empty -> invalid_arg "Map.bal"
            | Node(lrl, lrv, lrd, lrr, _)->
                create (create ll lv ld lrl) lrv lrd (create lrr x d r)
          end
    end else if hr > hl + 2 then begin
      match r with
        Empty -> invalid_arg "Map.bal"
      | Node(rl, rv, rd, rr, _) ->
          if height rr >= height rl then
            create (create l x d rl) rv rd rr
          else begin
            match rl with
              Empty -> invalid_arg "Map.bal"
            | Node(rll, rlv, rld, rlr, _) ->
                create (create l x d rll) rlv rld (create rlr rv rd rr)
          end
    end else
      Node(l, x, d, r, (if hl >= hr then hl + 1 else hr + 1)) in
  let rec add x data = function
      Empty ->
        Node(Empty, x, data, Empty, 1)
    | Node(l, v, d, r, h) as t ->
        let c = compare x v in
        if c = 0 then
          Node(l, x, data, r, h)
        else if c < 0 then
          bal (add x data l) v d r
        else
          bal l v d (add x data r) in
  let rec find x = function
      Empty ->
        raise Not_found
    | Node(l, v, d, r, _) ->
        let c = compare x v in
        if c = 0 then d
        else find x (if c < 0 then l else r) in
  let rec mem x = function
      Empty ->
        false
    | Node(l, v, d, r, _) ->
        let c = compare x v in
        c = 0 or mem x (if c < 0 then l else r) in
  let rec merge t1 t2 =
    match (t1, t2) with
      (Empty, t) -> t
    | (t, Empty) -> t
    | (Node(l1, v1, d1, r1, h1), Node(l2, v2, d2, r2, h2)) ->
        bal l1 v1 d1 (bal (merge r1 l2) v2 d2 r2) in
  let rec remove x = function
      Empty ->
        Empty
    | Node(l, v, d, r, h) as t ->
        let c = compare x v in
        if c = 0 then
          merge l r
        else if c < 0 then
          bal (remove x l) v d r
        else
          bal l v d (remove x r) in
  let rec iter f = function
      Empty -> ()
    | Node(l, v, d, r, _) ->
        iter f l; f v d; iter f r in
  let rec map f = function
      Empty               -> Empty
    | Node(l, v, d, r, h) -> Node(map f l, v, f d, map f r, h) in
  let rec mapi f = function
      Empty               -> Empty
    | Node(l, v, d, r, h) -> Node(mapi f l, v, f v d, mapi f r, h) in
  let rec fold f m accu =
    match m with
      Empty -> accu
    | Node(l, v, d, r, _) ->
        fold f l (f v d (fold f r accu)) in
  let apply f x = try find x f with Not_found -> failwith "apply" in
  let undefined = Empty in
  let valmod x y f = add x y f in
  let undefine a f = remove a f in
  let dom f = setify(fold (fun x y a -> x::a) f []) in
  let funset f = setify(fold (fun x y a -> (x,y)::a) f []) in
apply,undefined,valmod,undefine,dom,funset;;

let tryapplyd f a d = try apply f a with Failure _ -> d;;
let tryapply f x = tryapplyd f x x;;
let tryapplyl f x = tryapplyd f x [];;
let (:=) = fun x y -> (x |-> y) undefined;;
let fpf assigs = itlist (fun x -> x) assigs undefined;;
let defined f x = can (apply f) x;;

(* ------------------------------------------------------------------------- *)
(* Install a (trivial) printer for finite partial functions.                 *)
(* ------------------------------------------------------------------------- *)

let print_fpf (f:('a,'b)func) = print_string "";;

START_INTERACTIVE;;
#install_printer print_fpf;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Related stuff for standard functions.                                     *)
(* ------------------------------------------------------------------------- *)

let valmod a y f x = if x = a then y else f(x);;

let undef x = failwith "undefined function";;

(* ------------------------------------------------------------------------- *)
(* Union-find algorithm.                                                     *)
(* ------------------------------------------------------------------------- *)

type ('a)pnode = Nonterminal of 'a | Terminal of 'a * int;;

type ('a)partition = Partition of ('a,('a)pnode)func;;

let rec terminus (Partition f as ptn) a =
  match (apply f a) with
    Nonterminal(b) -> terminus ptn b
  | Terminal(p,q) -> (p,q);;

let tryterminus ptn a =
  try terminus ptn a with Failure _ -> (a,0);;

let canonize ptn a = try fst(terminus ptn a) with Failure _ -> a;;

let equate (a,b) (Partition f as ptn) =
  let (a',na) = tryterminus ptn a
  and (b',nb) = tryterminus ptn b in
  Partition
   (if a' = b' then f else
    if na <= nb then
       itlist identity [a' |-> Nonterminal b'; b' |-> Terminal(b',na+nb)] f
    else
       itlist identity [b' |-> Nonterminal a'; a' |-> Terminal(a',na+nb)] f);;

let unequal = Partition undefined;;

let equated (Partition f) = dom f;;

(* ------------------------------------------------------------------------- *)
(* First number starting at n for which p succeeds.                          *)
(* ------------------------------------------------------------------------- *)

let rec first n p = if p(n) then n else first (n +/ Int 1) p;;
why-2.34/atp/Quotexpander.ml0000644000175000017500000000571212311670312014417 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Quotation expander for <<...>> and <<|...|>>.                             *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

let quotexpander s =
  if String.sub s 0 1 = "|" & String.sub s (String.length s - 1) 1 = "|" then
    "secondary_parser \""^
    (String.escaped (String.sub s 1 (String.length s - 2)))^"\""
  else "default_parser \""^(String.escaped s)^"\"";;

Quotation.add "" (Quotation.ExStr (fun x -> quotexpander));;
why-2.34/atp/defcnf.ml0000644000175000017500000002343412311670312013166 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Definitional CNF.                                                         *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

(* ------------------------------------------------------------------------- *)
(* Variant of NNF without splitting equivalences.                            *)
(* ------------------------------------------------------------------------- *)

let rec nenf fm =
  match fm with
    Not(Not p) -> nenf p
  | Not(And(p,q)) -> Or(nenf(Not p),nenf(Not q))
  | Not(Or(p,q)) -> And(nenf(Not p),nenf(Not q))
  | Not(Imp(p,q)) -> And(nenf p,nenf(Not q))
  | Not(Iff(p,q)) -> Iff(nenf p,nenf(Not q))
  | And(p,q) -> And(nenf p,nenf q)
  | Or(p,q) -> Or(nenf p,nenf q)
  | Imp(p,q) -> Or(nenf(Not p),nenf q)
  | Iff(p,q) -> Iff(nenf p,nenf q)
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Make a stylized variable and update the index.                            *)
(* ------------------------------------------------------------------------- *)

let mkprop n = Atom(P("p_"^(string_of_num n))),n +/ Int 1;;

(* ------------------------------------------------------------------------- *)
(* Make n large enough that "v_m" won't clash with s for any m >= n          *)
(* ------------------------------------------------------------------------- *)

let max_varindex pfx =
  let m = String.length pfx in
  fun s n ->
    let l = String.length s in
    if l <= m or String.sub s 0 m <> pfx then n else
    let s' = String.sub s m (l - m) in
    if forall numeric (explode s') then max_num n (num_of_string s')
    else n;;

(* ------------------------------------------------------------------------- *)
(* Basic definitional CNF procedure.                                         *)
(* ------------------------------------------------------------------------- *)

let rec maincnf (fm,defs,n as trip) =
  match fm with
    And(p,q) -> defstep (fun (p,q) -> And(p,q)) (p,q) trip
  | Or(p,q) -> defstep (fun (p,q) -> Or(p,q)) (p,q) trip
  | Iff(p,q) -> defstep (fun (p,q) -> Iff(p,q)) (p,q) trip
  | _ -> trip

and defstep op (p,q) (fm,defs,n) =
  let fm1,defs1,n1 = maincnf (p,defs,n) in
  let fm2,defs2,n2 = maincnf (q,defs1,n1) in
  let fm' = op(fm1,fm2) in
  try (fst(apply defs2 fm'),defs2,n2) with Failure _ ->
  let v,n3 = mkprop n2 in (v,(fm'|->(v,Iff(v,fm'))) defs2,n3);;

let defcnf fm =
  let fm' = nenf(psimplify fm) in
  let n = Int 1 +/ overatoms (max_varindex "p_" ** pname) fm' (Int 0) in
  let (fm'',defs,_) = maincnf (fm',undefined,n) in
  let deflist = map (snd ** snd) (funset defs) in
  let subcnfs = itlist ((@) ** simpcnf) deflist (simpcnf fm'') in
  list_conj (map list_disj (setify subcnfs));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <<(p \/ (q /\ ~r)) /\ s>>;;

defcnf fm;;

cnf fm;;

cnf <
 (q <=> r)>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Version tweaked to exploit initial structure.                             *)
(* ------------------------------------------------------------------------- *)

let subcnf sfn op (p,q) (fm,defs,n) =
  let fm1,defs1,n1 = sfn(p,defs,n) in
  let fm2,defs2,n2 = sfn(q,defs1,n1) in (op(fm1,fm2),defs2,n2);;

let rec orcnf (fm,defs,n as trip) =
  match fm with
    Or(p,q) -> subcnf orcnf (fun (p,q) -> Or(p,q)) (p,q) trip
  | _ -> maincnf trip;;

let rec andcnf (fm,defs,n as trip) =
  match fm with
    And(p,q) -> subcnf andcnf (fun (p,q) -> And(p,q)) (p,q) trip
  | _ -> orcnf trip;;

let defcnfs fm =
  let fm' = nenf(psimplify fm) in
  let n = Int 1 +/ overatoms (max_varindex "p_" ** pname) fm' (Int 0) in
  let (fm'',defs,_) = andcnf (fm',undefined,n) in
  let deflist = map (snd ** snd) (funset defs) in
  setify(itlist ((@) ** simpcnf) deflist (simpcnf fm''));;

let defcnf fm = list_conj (map list_disj (defcnfs fm));;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
defcnf fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Version using only implication where possible.                            *)
(* ------------------------------------------------------------------------- *)

let defstep pos sfn op (p,q) (fm,defs,n) =
  let fm1,defs1,n1 = sfn (p,defs,n) in
  let fm2,defs2,n2 = sfn (q,defs1,n1) in
  let (fl,fm' as ffm') = (pos,op(fm1,fm2)) in
  try (fst(apply defs2 ffm'),defs2,n2) with Failure _ ->
  let (v,n3) = mkprop n2 in
  let cons = if pos then fun (p,q) -> Imp(p,q)
             else fun (p,q) -> Iff(p,q) in
  (v,(ffm' |-> (v,cons(v,fm'))) defs2,n3);;

let rec maincnf pos (fm,defs,n as trip) =
  match fm with
    And(p,q) ->
        defstep pos (maincnf pos) (fun (p,q) -> And(p,q)) (p,q) trip
  | Or(p,q) ->
        defstep pos (maincnf pos) (fun (p,q) -> Or(p,q)) (p,q) trip
  | Iff(p,q) ->
        defstep pos (maincnf false) (fun (p,q) -> Iff(p,q)) (p,q) trip
  | _ -> trip;;

let rec orcnf pos (fm,defs,n as trip) =
  match fm with
    Or(p,q) -> subcnf (orcnf pos) (fun (p,q) -> Or(p,q)) (p,q) trip
  | _ -> maincnf pos trip;;

let rec andcnf pos (fm,defs,n as trip) =
  match fm with
    And(p,q) -> subcnf (andcnf pos) (fun (p,q) -> And(p,q)) (p,q) trip
  | _ -> orcnf pos trip;;

let defcnfs imps fm =
  let fm' = nenf(psimplify fm) in
  let n = Int 1 +/ overatoms (max_varindex "p_" ** pname) fm' (Int 0) in
  let (fm'',defs,_) = andcnf imps (fm',undefined,n) in
  let deflist = map (snd ** snd) (funset defs) in
  setify(itlist ((@) ** simpcnf) deflist (simpcnf fm''));;

let defcnf imps fm = list_conj (map list_disj (defcnfs imps fm));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
defcnf false fm;;

defcnf true fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Version that guarantees 3-CNF.                                            *)
(* ------------------------------------------------------------------------- *)

let rec andcnf3 pos (fm,defs,n as trip) =
  match fm with
    And(p,q) -> subcnf (andcnf3 pos) (fun (p,q) -> And(p,q)) (p,q) trip
  | _ -> maincnf pos trip;;

let defcnf3s imps fm =
  let fm' = nenf(psimplify fm) in
  let n = Int 1 +/ overatoms (max_varindex "p_" ** pname) fm' (Int 0) in
  let (fm'',defs,_) = andcnf3 imps (fm',undefined,n) in
  let deflist = map (snd ** snd) (funset defs) in
  setify(itlist ((@) ** simpcnf) deflist (simpcnf fm''));;

let defcnf3 imps fm = list_conj (map list_disj (defcnf3s imps fm));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <<(p \/ q \/ r \/ s) /\ ~p /\ (~p \/ q)>>;;

defcnf true fm;;

defcnf3 true fm;;
END_INTERACTIVE;;
why-2.34/atp/formulas.ml0000644000175000017500000002107312311670312013566 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Polymorphic type of formulas with parser and printer.                     *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

type ('a)formula = False
                 | True
                 | Atom of 'a
                 | Not of ('a)formula
                 | And of ('a)formula * ('a)formula
                 | Or of ('a)formula * ('a)formula
                 | Imp of ('a)formula * ('a)formula
                 | Iff of ('a)formula * ('a)formula
                 | Forall of string * ('a)formula
                 | Exists of string * ('a)formula;;

(* ------------------------------------------------------------------------- *)
(* General homomorphism and iteration functions for atoms in formula.        *)
(* ------------------------------------------------------------------------- *)

let rec onatoms fn fm =
  match fm with
    Atom(a) -> fn a
  | Not(p) -> Not(onatoms fn p)
  | And(p,q) -> And(onatoms fn p,onatoms fn q)
  | Or(p,q) -> Or(onatoms fn p,onatoms fn q)
  | Imp(p,q) -> Imp(onatoms fn p,onatoms fn q)
  | Iff(p,q) -> Iff(onatoms fn p,onatoms fn q)
  | Forall(x,p) -> Forall(x,onatoms fn p)
  | Exists(x,p) -> Exists(x,onatoms fn p)
  | _ -> fm;;

let rec overatoms f fm b =
  match fm with
    Atom(a) -> f a b
  | Not(p) -> overatoms f p b
  | And(p,q) | Or(p,q) | Imp(p,q) | Iff(p,q) ->
        overatoms f p (overatoms f q b)
  | Forall(x,p) | Exists(x,p) -> overatoms f p b
  | _ -> b;;

(* ------------------------------------------------------------------------- *)
(* Special case of a union of the results of a function over the atoms.      *)
(* ------------------------------------------------------------------------- *)

let atom_union f fm = setify (overatoms (fun h t -> f(h)@t) fm []);;

(* ------------------------------------------------------------------------- *)
(* General parsing of iterated infixes.                                      *)
(* ------------------------------------------------------------------------- *)

let rec parse_ginfix opsym opupdate sof subparser inp =
  let e1,inp1 = subparser inp in
  if inp1 <> [] & hd inp1 = opsym then
     parse_ginfix opsym opupdate (opupdate sof e1) subparser (tl inp1)
  else sof e1,inp1;;

let parse_left_infix opsym opcon =
  parse_ginfix opsym (fun f e1 e2 -> opcon(f e1,e2)) (fun x -> x);;

let parse_right_infix opsym opcon =
  parse_ginfix opsym (fun f e1 e2 -> f(opcon(e1,e2))) (fun x -> x);;

let parse_list opsym =
  parse_ginfix opsym (fun f e1 e2 -> (f e1)@[e2]) (fun x -> [x]);;

(* ------------------------------------------------------------------------- *)
(* Other general parsing combinators.                                        *)
(* ------------------------------------------------------------------------- *)

let papply f (ast,rest) = (f ast,rest);;

let nextin inp tok = inp <> [] & hd inp = tok;;

let parse_bracketed subparser cbra inp =
  let ast,rest = subparser inp in
  if nextin rest cbra then ast,tl rest
  else failwith "Closing bracket expected";;

(* ------------------------------------------------------------------------- *)
(* Parsing of formulas, parametrized by atom parser "pfn".                   *)
(* ------------------------------------------------------------------------- *)

let rec parse_atomic_formula pfn vs inp =
  match inp with
    [] -> failwith "formula expected"
  | "false"::rest -> False,rest
  | "true"::rest -> True,rest
  | "("::rest -> (try pfn vs inp with Failure _ ->
                  parse_bracketed (parse_formula pfn vs) ")" rest)
  | "~"::rest -> papply (fun p -> Not p)
                        (parse_atomic_formula pfn vs rest)
  | "forall"::x::rest ->
        parse_quant pfn (x::vs) (fun (x,p) -> Forall(x,p)) x rest
  | "exists"::x::rest ->
        parse_quant pfn (x::vs) (fun (x,p) -> Exists(x,p)) x rest
  | _ -> pfn vs inp

and parse_quant pfn vs qcon x inp =
   match inp with
     [] -> failwith "Body of quantified term expected"
   | y::rest ->
        papply (fun fm -> qcon(x,fm))
               (if y = "." then parse_formula pfn vs rest
                else parse_quant pfn (y::vs) qcon y rest)

and parse_formula pfn vs inp =
   parse_right_infix "<=>" (fun (p,q) -> Iff(p,q))
     (parse_right_infix "==>" (fun (p,q) -> Imp(p,q))
         (parse_right_infix "\\/" (fun (p,q) -> Or(p,q))
             (parse_right_infix "/\\" (fun (p,q) -> And(p,q))
                  (parse_atomic_formula pfn vs)))) inp;;

(* ------------------------------------------------------------------------- *)
(* Printing of formulas, parametrized by atom printer.                       *)
(* ------------------------------------------------------------------------- *)

let rec strip_quant isforall fm =
  match (fm,isforall) with
    Forall(x,p),true -> papply (fun l -> x::l) (strip_quant isforall p)
  | Exists(x,p),false -> papply (fun l -> x::l) (strip_quant isforall p)
  | _ -> [],fm;;

let rec print_formula pfn prec fm =
  match fm with
    False -> print_string "false"
  | True -> print_string "true"
  | Atom(pargs) -> pfn prec pargs
  | Not(p) -> print_string "~"; print_formula pfn 10 p
  | And(p,q) -> print_infix_formula pfn prec 8 "/\\" p q
  | Or(p,q) -> print_infix_formula pfn prec 6 "\\/" p q
  | Imp(p,q) -> print_infix_formula pfn prec 4 "==>" p q
  | Iff(p,q) -> print_infix_formula pfn prec 2 "<=>" p q
  | Forall(x,p) -> print_quant pfn prec "forall" (strip_quant true fm)
  | Exists(x,p) -> print_quant pfn prec "exists" (strip_quant false fm)

and print_quant pfn prec qname (bvs,bod) =
  if prec <> 0 then print_string "(" else ();
  print_string qname;
  do_list (fun v -> print_string " "; print_string v) bvs;
  print_string ". "; open_box 0;
  print_formula pfn 0 bod;
  close_box();
  if prec <> 0 then print_string ")" else ()

and print_infix_formula pfn oldprec newprec sym p q =
  if oldprec > newprec then (print_string "("; open_box 0) else ();
  print_formula pfn (newprec+1) p;
  print_string(" "^sym); print_space();
  print_formula pfn newprec q;
  if oldprec > newprec then (close_box(); print_string ")") else ();;

let formula_printer pfn fm =
  open_box 0; print_string "<<";
  open_box 0; print_formula pfn 0 fm; close_box();
  print_string ">>"; close_box();;
why-2.34/atp/fol.ml0000644000175000017500000003677512311670312012535 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Basic stuff for first order logic.                                        *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

(* ------------------------------------------------------------------------- *)
(* Terms.                                                                    *)
(* ------------------------------------------------------------------------- *)

type term = Var of string
          | Fn of string * term list;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
Fn("sqrt",[Fn("-",[Fn("1",[]);
                   Fn("cos",[Fn("power",[Fn("+",[Var "x"; Var "y"]);
                                        Fn("2",[])])])])]);;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Abbreviation for FOL formula.                                             *)
(* ------------------------------------------------------------------------- *)

type fol = R of string * term list;;

(* ------------------------------------------------------------------------- *)
(* Trivial example of "x + y < z".                                           *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
Atom(R("<",[Fn("+",[Var "x"; Var "y"]); Var "z"]));;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Parsing of terms.                                                         *)
(* ------------------------------------------------------------------------- *)

let is_const s = forall numeric (explode s) or s = "nil";;

let rec parse_atomic_term vs inp =
  match inp with
    [] -> failwith "term expected"
  | "("::rest -> parse_bracketed (parse_term vs) ")" rest
  | f::"("::")"::rest -> Fn(f,[]),rest
  | f::"("::rest ->
      papply (fun args -> Fn(f,args))
             (parse_bracketed (parse_list "," (parse_term vs)) ")" rest)
  | a::rest ->
      (if is_const a & not(mem a vs) then Fn(a,[]) else Var a),rest

and parse_term vs inp =
  parse_right_infix "::" (fun (e1,e2) -> Fn("::",[e1;e2]))
    (parse_right_infix "+" (fun (e1,e2) -> Fn("+",[e1;e2]))
       (parse_left_infix "-" (fun (e1,e2) -> Fn("-",[e1;e2]))
           (parse_right_infix "*" (fun (e1,e2) -> Fn("*",[e1;e2]))
                (parse_left_infix "^" (fun (e1,e2) -> Fn("^",[e1;e2]))
                   (parse_atomic_term vs))))) inp;;

let parset = make_parser (parse_term []);;

(* ------------------------------------------------------------------------- *)
(* Parsing of formulas.                                                      *)
(* ------------------------------------------------------------------------- *)

let parse_atom vs inp =
  try let tm,rest = parse_term vs inp in
      if exists (nextin rest) ["="; "<"; "<="; ">"; ">="] then
            papply (fun tm' -> Atom(R(hd rest,[tm;tm'])))
                   (parse_term vs (tl rest))
      else failwith ""
  with Failure _ ->
  match inp with
  | p::"("::")"::rest -> Atom(R(p,[])),rest
  | p::"("::rest ->
      papply (fun args -> Atom(R(p,args)))
             (parse_bracketed (parse_list "," (parse_term vs)) ")" rest)
  | p::rest when p <> "(" -> Atom(R(p,[])),rest
  | _ -> failwith "parse_atom";;

let parse = make_parser (parse_formula parse_atom []);;

(* ------------------------------------------------------------------------- *)
(* Set up parsing of quotations.                                             *)
(* ------------------------------------------------------------------------- *)

let default_parser = parse;;

let secondary_parser = parset;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
<<(forall x. x < 2 ==> 2 * x <= 3) \/ false>>;;

<<|2 * x|>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Printing of terms.                                                        *)
(* ------------------------------------------------------------------------- *)

let rec print_term prec fm =
  match fm with
    Var x -> print_string x
  | Fn("^",[tm1;tm2]) -> print_infix_term true prec 22 "^" tm1 tm2
  | Fn("*",[tm1;tm2]) -> print_infix_term false prec 20 "*" tm1 tm2
  | Fn("-",[tm1;tm2]) -> print_infix_term true prec 18 "-" tm1 tm2
  | Fn("+",[tm1;tm2]) -> print_infix_term false prec 16 "+" tm1 tm2
  | Fn("::",[tm1;tm2]) -> print_infix_term false prec 14 "::" tm1 tm2
  | Fn(f,args) -> print_fargs f args

and print_fargs f args =
  print_string f;
  if args = [] then () else
   (print_string "(";
    open_box 0;
    print_term 0 (hd args); print_break 0 0;
    do_list (fun t -> print_string ","; print_break 0 0; print_term 0 t)
            (tl args);
    close_box();
    print_string ")")

and print_infix_term isleft oldprec newprec sym p q =
  if oldprec > newprec then (print_string "("; open_box 0) else ();
  print_term (if isleft then newprec else newprec+1) p;
  print_string(" "^sym); print_space();
  print_term (if isleft then newprec+1 else newprec) q;
  if oldprec > newprec then (close_box(); print_string ")") else ();;

let printert fm = open_box 0; print_term 0 fm; close_box();;

START_INTERACTIVE;;
#install_printer printert;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Printing of formulas.                                                     *)
(* ------------------------------------------------------------------------- *)

let print_atom prec (R(p,args)) =
  if mem p ["="; "<"; "<="; ">"; ">="] & length args = 2
  then print_infix_term false 12 12 p (el 0 args) (el 1 args)
  else print_fargs p args;;

let printer = formula_printer print_atom;;

START_INTERACTIVE;;
#install_printer printer;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Examples in the main text.                                                *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
<>;;

<<~(forall x. P(x)) <=> exists y. ~P(y)>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Model-theoretic notions, but here restricted to finite interpretations.   *)
(* ------------------------------------------------------------------------- *)

type ('a)interpretation =
  Interp of ('a)list *
            (string -> ('a)list -> 'a) *
            (string -> ('a)list -> bool);;

let domain(Interp(d,funs,preds)) = d
and func(Interp(d,funs,preds)) = funs
and predicate(Interp(d,funs,preds)) = preds;;

(* ------------------------------------------------------------------------- *)
(* Semantics.                                                                *)
(* ------------------------------------------------------------------------- *)

let rec termval md v tm =
  match tm with
    Var(x) -> apply v x
  | Fn(f,args) -> func(md) f (map (termval md v) args);;

let rec holds md v fm =
  match fm with
    False -> false
  | True -> true
  | Atom(R(r,args)) -> predicate(md) r (map (termval md v) args)
  | Not(p) -> not(holds md v p)
  | And(p,q) -> (holds md v p) & (holds md v q)
  | Or(p,q) -> (holds md v p) or (holds md v q)
  | Imp(p,q) -> not(holds md v p) or (holds md v q)
  | Iff(p,q) -> (holds md v p = holds md v q)
  | Forall(x,p) ->
        forall (fun a -> holds md ((x |-> a) v) p) (domain md)
  | Exists(x,p) ->
        exists (fun a -> holds md ((x |-> a) v) p) (domain md);;

(* ------------------------------------------------------------------------- *)
(* Examples of particular interpretations.                                   *)
(* ------------------------------------------------------------------------- *)

let bool_interp =
  let fns f args =
    match (f,args) with
      ("0",[]) -> false
    | ("1",[]) -> true
    | ("+",[x;y]) -> not(x = y)
    | ("*",[x;y]) -> x & y
    | _ -> failwith "uninterpreted function"
  and prs p args =
    match (p,args) with
      ("=",[x;y]) -> x = y
    | _ -> failwith "uninterpreted predicate" in
  Interp([false; true],fns,prs);;

let mod_interp n =
  let fns f args =
    match (f,args) with
      ("0",[]) -> 0
    | ("1",[]) -> 1 mod n
    | ("+",[x;y]) -> (x + y) mod n
    | ("*",[x;y]) -> (x * y) mod n
    | _ -> failwith "uninterpreted function"
  and prs p args =
    match (p,args) with
      ("=",[x;y]) -> x = y
    | _ -> failwith "uninterpreted predicate" in
  Interp(0 -- (n - 1),fns,prs);;

START_INTERACTIVE;;
let fm1 = <>;;

holds bool_interp undefined fm1;;

holds (mod_interp 2) undefined fm1;;

holds (mod_interp 3) undefined fm1;;

let fm2 = < exists y. x * y = 1>>;;

holds bool_interp undefined fm2;;

holds (mod_interp 2) undefined fm2;;

holds (mod_interp 3) undefined fm2;;

holds (mod_interp 4) undefined fm2;;

holds (mod_interp 31) undefined fm2;;

holds (mod_interp 33) undefined fm2;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Free variables in terms and formulas.                                     *)
(* ------------------------------------------------------------------------- *)

let rec fvt tm =
  match tm with
    Var x -> [x]
  | Fn(f,args) -> itlist (union ** fvt) args [];;

let rec fv fm =
  match fm with
    False -> []
  | True -> []
  | Atom(R(p,args)) -> itlist (union ** fvt) args []
  | Not(p) -> fv p
  | And(p,q) -> union (fv p) (fv q)
  | Or(p,q) -> union (fv p) (fv q)
  | Imp(p,q) -> union (fv p) (fv q)
  | Iff(p,q) -> union (fv p) (fv q)
  | Forall(x,p) -> subtract (fv p) [x]
  | Exists(x,p) -> subtract (fv p) [x];;

(* ------------------------------------------------------------------------- *)
(* Substitution within terms.                                                *)
(* ------------------------------------------------------------------------- *)

let instantiate vlist tlist =
  itlist2 (fun x t -> x |-> t) vlist tlist undefined;;

let rec termsubst sfn tm =
  match tm with
    Var x -> tryapplyd sfn x tm
  | Fn(f,args) -> Fn(f,map (termsubst sfn) args);;

(* ------------------------------------------------------------------------- *)
(* Incorrect substitution in formulas, and example showing why it's wrong.   *)
(* ------------------------------------------------------------------------- *)

let rec formsubst subfn fm =    (* WRONG! *)
  match fm with
    False -> False
  | True -> True
  | Atom(R(p,args)) -> Atom(R(p,map (termsubst subfn) args))
  | Not(p) -> Not(formsubst subfn p)
  | And(p,q) -> And(formsubst subfn p,formsubst subfn q)
  | Or(p,q) -> Or(formsubst subfn p,formsubst subfn q)
  | Imp(p,q) -> Imp(formsubst subfn p,formsubst subfn q)
  | Iff(p,q) -> Iff(formsubst subfn p,formsubst subfn q)
  | Forall(x,p) -> Forall(x,formsubst (undefine x subfn) p)
  | Exists(x,p) -> Exists(x,formsubst (undefine x subfn) p);;

START_INTERACTIVE;;
formsubst ("y" := Var "x") <>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Variant function and examples.                                            *)
(* ------------------------------------------------------------------------- *)

let rec variant x vars =
  if mem x vars then variant (x^"'") vars else x;;

START_INTERACTIVE;;
variant "x" ["y"; "z"];;

variant "x" ["x"; "y"];;

variant "x" ["x"; "x'"];;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* The correct version.                                                      *)
(* ------------------------------------------------------------------------- *)

let rec formsubst subfn fm =
  match fm with
    False -> False
  | True -> True
  | Atom(R(p,args)) -> Atom(R(p,map (termsubst subfn) args))
  | Not(p) -> Not(formsubst subfn p)
  | And(p,q) -> And(formsubst subfn p,formsubst subfn q)
  | Or(p,q) -> Or(formsubst subfn p,formsubst subfn q)
  | Imp(p,q) -> Imp(formsubst subfn p,formsubst subfn q)
  | Iff(p,q) -> Iff(formsubst subfn p,formsubst subfn q)
  | Forall(x,p) -> formsubstq subfn (fun (x,p) -> Forall(x,p)) (x,p)
  | Exists(x,p) -> formsubstq subfn (fun (x,p) -> Exists(x,p)) (x,p)

and formsubstq subfn quant (x,p) =
  let subfn' = undefine x subfn in
  let x' = if exists
             (fun y -> mem x (fvt(tryapplyd subfn' y (Var y))))
             (subtract (fv p) [x])
           then variant x (fv(formsubst subfn' p)) else x in
  quant(x',formsubst ((x |-> Var x') subfn) p);;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
formsubst ("y" := Var "x") <>;;

formsubst ("y" := Var "x") < x = x'>>;;
END_INTERACTIVE;;
why-2.34/atp/make.ml0000644000175000017500000001067712311670312012663 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Load theorem proving example code into OCaml toplevel.                    *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

#load "nums.cma";;                                     (* For Ocaml 3.06     *)
#load "camlp4o.cma";;                                  (* For quotations     *)

(* ------------------------------------------------------------------------- *)
(* Various small tweaks to OCAML's default state.                            *)
(* ------------------------------------------------------------------------- *)

Gc.set { (Gc.get()) with Gc.stack_limit = 16777216 };; (* Up the stack size  *)
Format.set_margin 72;;                                 (* Reduce margins     *)
open Format;;                                          (* Open formatting    *)
open Num;;                                             (* Open bignums       *)
let imperative_assign = (:=);;                         (* Preserve this      *)

let print_num n = print_string(string_of_num n);;      (* Avoid range limit  *)
#install_printer print_num;;                           (* when printing nums *)

(* ------------------------------------------------------------------------- *)
(* Bind these special identifiers to something so we can just do "#use".     *)
(* ------------------------------------------------------------------------- *)

type dummy_interactive = START_INTERACTIVE | END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Set up default quotation parsers for <<...>> and <<|...|>>.               *)
(* ------------------------------------------------------------------------- *)

let quotexpander s =
  if String.sub s 0 1 = "|" & String.sub s (String.length s - 1) 1 = "|" then
    "secondary_parser \""^
    (String.escaped (String.sub s 1 (String.length s - 2)))^"\""
  else "default_parser \""^(String.escaped s)^"\"";;

Quotation.add "" (Quotation.ExStr (fun x -> quotexpander));;

#use "atp.ml"
why-2.34/atp/skolem.ml0000644000175000017500000002275212311670312013235 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Prenex and Skolem normal forms.                                           *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

(* ------------------------------------------------------------------------- *)
(* Routine simplification. Like "psimplify" but with quantifier clauses.     *)
(* ------------------------------------------------------------------------- *)

let simplify1 fm =
  match fm with
    Forall(x,p) -> if mem x (fv p) then fm else p
  | Exists(x,p) -> if mem x (fv p) then fm else p
  | _ -> psimplify1 fm;;

let rec simplify fm =
  match fm with
    Not p -> simplify1 (Not(simplify p))
  | And(p,q) -> simplify1 (And(simplify p,simplify q))
  | Or(p,q) -> simplify1 (Or(simplify p,simplify q))
  | Imp(p,q) -> simplify1 (Imp(simplify p,simplify q))
  | Iff(p,q) -> simplify1 (Iff(simplify p,simplify q))
  | Forall(x,p) -> simplify1(Forall(x,simplify p))
  | Exists(x,p) -> simplify1(Exists(x,simplify p))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
simplify <<(forall x y. P(x) \/ (P(y) /\ false)) ==> exists z. P(z)>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Negation normal form.                                                     *)
(* ------------------------------------------------------------------------- *)

let rec nnf fm =
  match fm with
    And(p,q) -> And(nnf p,nnf q)
  | Or(p,q) -> Or(nnf p,nnf q)
  | Imp(p,q) -> Or(nnf(Not p),nnf q)
  | Iff(p,q) -> Or(And(nnf p,nnf q),And(nnf(Not p),nnf(Not q)))
  | Not(Not p) -> nnf p
  | Not(And(p,q)) -> Or(nnf(Not p),nnf(Not q))
  | Not(Or(p,q)) -> And(nnf(Not p),nnf(Not q))
  | Not(Imp(p,q)) -> And(nnf p,nnf(Not q))
  | Not(Iff(p,q)) -> Or(And(nnf p,nnf(Not q)),And(nnf(Not p),nnf q))
  | Forall(x,p) -> Forall(x,nnf p)
  | Exists(x,p) -> Exists(x,nnf p)
  | Not(Forall(x,p)) -> Exists(x,nnf(Not p))
  | Not(Exists(x,p)) -> Forall(x,nnf(Not p))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Example of NNF function in action.                                        *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <<(forall x. P(x))
           ==> ((exists y. Q(y)) <=> exists z. P(z) /\ Q(z))>> in
nnf fm;;

let andrews =
 <<((exists x. forall y. P(x) <=> P(y)) <=>
    ((exists x. Q(x)) <=> (forall y. Q(y)))) <=>
   ((exists x. forall y. Q(x) <=> Q(y)) <=>
    ((exists x. P(x)) <=> (forall y. P(y))))>> in
 nnf andrews;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Prenex normal form.                                                       *)
(* ------------------------------------------------------------------------- *)

let mk_all x p = Forall(x,p) and mk_ex x p = Exists(x,p);;
let mk_and p q = And(p,q) and mk_or p q = Or(p,q);;

let rec pullquants fm =
  match fm with
    And(Forall(x,p),Forall(y,q)) -> pullquant_2 fm mk_all mk_and x y p q
  | Or(Exists(x,p),Exists(y,q)) -> pullquant_2 fm mk_ex mk_or x y p q
  | And(Forall(x,p),q) -> pullquant_l fm mk_all mk_and x p q
  | And(p,Forall(x,q)) -> pullquant_r fm mk_all mk_and x p q
  | Or(Forall(x,p),q) -> pullquant_l fm mk_all mk_or x p q
  | Or(p,Forall(x,q)) -> pullquant_r fm mk_all mk_or x p q
  | And(Exists(x,p),q) -> pullquant_l fm mk_ex mk_and x p q
  | And(p,Exists(x,q)) -> pullquant_r fm mk_ex mk_and x p q
  | Or(Exists(x,p),q) -> pullquant_l fm mk_ex mk_or x p q
  | Or(p,Exists(x,q)) -> pullquant_r fm mk_ex mk_or x p q
  | _ -> fm

and pullquant_l fm quant op x p q =
  let x' = variant x (fv fm) in
  quant x' (pullquants(op (formsubst (x := Var x') p) q))

and pullquant_r fm quant op x p q =
  let x' = variant x (fv fm) in
  quant x' (pullquants(op p (formsubst (x := Var x') q)))

and pullquant_2 fm quant op x y p q =
  let x' = variant x (fv fm) in
  quant x' (pullquants(op (formsubst (x := Var x') p)
                          (formsubst (y := Var x') q)));;

let rec prenex fm =
  match fm with
    Forall(x,p) -> Forall(x,prenex p)
  | Exists(x,p) -> Exists(x,prenex p)
  | And(p,q) -> pullquants(And(prenex p,prenex q))
  | Or(p,q) -> pullquants(Or(prenex p,prenex q))
  | _ -> fm;;

let pnf fm = prenex(nnf(simplify fm));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
pnf < exists y z. Q(y) \/ ~(exists z. P(z) /\ Q(z))>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Get the functions in a term and formula.                                  *)
(* ------------------------------------------------------------------------- *)

let rec funcs tm = match tm with
    Var x -> []
  | Fn(f,args) -> itlist (union ** funcs) args [f,length args];;

let functions fm =
  atom_union (fun (R(p,a)) -> itlist (union ** funcs) a []) fm;;

(* ------------------------------------------------------------------------- *)
(* Core Skolemization function.                                              *)
(* ------------------------------------------------------------------------- *)

let rec skolem fm corr =
  match fm with
    Exists(y,p) ->
        let xs = fv(fm)
        and fns = map (fun (Fn(f,args),def) -> f) corr in
        let f = variant (if xs = [] then "c_"^y else "f_"^y) fns in
        let fx = Fn(f,map (fun x -> Var x) xs) in
        skolem (formsubst (y := fx) p) ((fx,fm)::corr)
  | Forall(x,p) -> let p',corr' = skolem p corr in Forall(x,p'),corr'
  | And(p,q) -> skolem2 (fun (p,q) -> And(p,q)) (p,q) corr
  | Or(p,q) -> skolem2 (fun (p,q) -> Or(p,q)) (p,q) corr
  | _ -> fm,corr

and skolem2 cons (p,q) corr =
  let p',corr' = skolem p corr in
  let q',corr'' = skolem q corr' in
  cons(p',q'),corr'';;

(* ------------------------------------------------------------------------- *)
(* Overall Skolemization function.                                           *)
(* ------------------------------------------------------------------------- *)

let askolemize fm =
  let fm1 = nnf(simplify fm) in
  let corr = map (fun (n,a) -> Fn(n,[]),False) (functions fm1) in
  fst(skolem fm1 corr);;

let rec specialize fm =
  match fm with
    Forall(x,p) -> specialize p
  | _ -> fm;;

let skolemize fm = specialize(pnf(askolemize fm));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
skolemize < forall u. exists v. x * u < y * v>>;;

skolemize
 < (exists y z. Q(y) \/ ~(exists z. P(z) /\ Q(z)))>>;;
END_INTERACTIVE;;
why-2.34/atp/cooper.ml0000644000175000017500000004426712311670312013237 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Cooper's algorithm for Presburger arithmetic.                             *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

(* ------------------------------------------------------------------------- *)
(* Lift operations up to numerals.                                           *)
(* ------------------------------------------------------------------------- *)

let mk_numeral n = Fn(string_of_num n,[]);;

let dest_numeral =
  function (Fn(ns,[])) -> num_of_string ns
         | _ -> failwith "dest_numeral";;

let is_numeral = can dest_numeral;;

let numeral1 fn n = mk_numeral(fn(dest_numeral n));;

let numeral2 fn m n = mk_numeral(fn (dest_numeral m) (dest_numeral n));;

(* ------------------------------------------------------------------------- *)
(* Operations on canonical linear terms c1 * x1 + ... + cn * xn + k          *)
(*                                                                           *)
(* Note that we're quite strict: the ci must be present even if 1            *)
(* (but if 0 we expect the monomial to be omitted) and k must be there       *)
(* even if it's zero. Thus, it's a constant iff not an addition term.        *)
(* ------------------------------------------------------------------------- *)

let rec linear_cmul n tm =
  if n =/ Int 0 then Fn("0",[]) else
  match tm with
    Fn("+",[Fn("*",[c1; x1]); rest]) ->
        Fn("+",[Fn("*",[numeral1 (( */ ) n) c1; x1]);
                        linear_cmul n rest])
  | k -> numeral1 (( */ ) n) k;;

let earlierv vars (Var x) (Var y) = earlier vars x y;;

let rec linear_add vars tm1 tm2 =
  match (tm1,tm2) with
   (Fn("+",[Fn("*",[c1; x1]); rest1]),
    Fn("+",[Fn("*",[c2; x2]); rest2])) ->
        if x1 = x2 then
          let c = numeral2 (+/) c1 c2 in
          if c = Fn("0",[]) then linear_add vars rest1 rest2
          else Fn("+",[Fn("*",[c; x1]); linear_add vars rest1 rest2])
        else if earlierv vars x1 x2 then
          Fn("+",[Fn("*",[c1; x1]); linear_add vars rest1 tm2])
        else
          Fn("+",[Fn("*",[c2; x2]); linear_add vars tm1 rest2])
  | (Fn("+",[Fn("*",[c1; x1]); rest1]),_) ->
        Fn("+",[Fn("*",[c1; x1]); linear_add vars rest1 tm2])
  | (_,Fn("+",[Fn("*",[c2; x2]); rest2])) ->
        Fn("+",[Fn("*",[c2; x2]); linear_add vars tm1 rest2])
  | _ -> numeral2 (+/) tm1 tm2;;

let linear_neg tm = linear_cmul (Int(-1)) tm;;

let linear_sub vars tm1 tm2 = linear_add vars tm1 (linear_neg tm2);;

(* ------------------------------------------------------------------------- *)
(* Linearize a term.                                                         *)
(* ------------------------------------------------------------------------- *)

let rec lint vars tm =
  match tm with
    Var x -> Fn("+",[Fn("*",[Fn("1",[]); tm]); Fn("0",[])])
  | Fn("-",[t]) -> linear_neg (lint vars t)
  | Fn("+",[s;t]) -> linear_add vars (lint vars s) (lint vars t)
  | Fn("-",[s;t]) -> linear_sub vars (lint vars s) (lint vars t)
  | Fn("*",[s;t]) ->
        let s' = lint vars s and t' = lint vars t in
        if is_numeral s' then linear_cmul (dest_numeral s') t'
        else if is_numeral t' then linear_cmul (dest_numeral t') s'
        else failwith "lint: apparent nonlinearity"
  | _ -> if is_numeral tm then tm else failwith "lint: unknown term";;

(* ------------------------------------------------------------------------- *)
(* Linearize the atoms in a formula, and eliminate non-strict inequalities.  *)
(* ------------------------------------------------------------------------- *)

let mkatom vars p t = Atom(R(p,[Fn("0",[]);lint vars t]));;

let linform vars fm =
  match fm with
    Atom(R("divides",[c;t])) ->
        let c' = mk_numeral(abs_num(dest_numeral c)) in
        Atom(R("divides",[c';lint vars t]))
  | Atom(R("=",[s;t])) -> mkatom vars "=" (Fn("-",[t;s]))
  | Atom(R("<",[s;t])) -> mkatom vars "<" (Fn("-",[t;s]))
  | Atom(R(">",[s;t])) -> mkatom vars "<" (Fn("-",[s;t]))
  | Atom(R("<=",[s;t])) ->
        mkatom vars "<" (Fn("-",[Fn("+",[t;Fn("1",[])]);s]))
  | Atom(R(">=",[s;t])) ->
        mkatom vars "<" (Fn("-",[Fn("+",[s;Fn("1",[])]);t]))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Post-NNF transformation eliminating negated inequalities.                 *)
(* ------------------------------------------------------------------------- *)

let rec posineq fm =
  match fm with
  | Not(Atom(R("<",[Fn("0",[]); t]))) ->
        Atom(R("<",[Fn("0",[]); linear_sub [] (Fn("1",[])) t]))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Find the LCM of the coefficients of x.                                    *)
(* ------------------------------------------------------------------------- *)

let rec formlcm x fm =
  match fm with
    Atom(R(p,[_;Fn("+",[Fn("*",[c;y]);z])])) when y = x ->
        abs_num(dest_numeral c)
  | Not(p) -> formlcm x p
  | And(p,q) -> lcm_num (formlcm x p) (formlcm x q)
  | Or(p,q) -> lcm_num (formlcm x p) (formlcm x q)
  | _ -> Int 1;;

(* ------------------------------------------------------------------------- *)
(* Adjust all coefficients of x in formula; fold in reduction to +/- 1.      *)
(* ------------------------------------------------------------------------- *)

let rec adjustcoeff x l fm =
  match fm with
    Atom(R(p,[d; Fn("+",[Fn("*",[c;y]);z])])) when y = x ->
        let m = l // dest_numeral c in
        let n = if p = "<" then abs_num(m) else m in
        let xtm = Fn("*",[mk_numeral(m // n); x]) in
        Atom(R(p,[linear_cmul (abs_num m) d;
                Fn("+",[xtm; linear_cmul n z])]))
  | Not(p) -> Not(adjustcoeff x l p)
  | And(p,q) -> And(adjustcoeff x l p,adjustcoeff x l q)
  | Or(p,q) -> Or(adjustcoeff x l p,adjustcoeff x l q)
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Hence make coefficient of x one in existential formula.                   *)
(* ------------------------------------------------------------------------- *)

let unitycoeff x fm =
  let l = formlcm x fm in
  let fm' = adjustcoeff x l fm in
  if l =/ Int 1 then fm' else
  let xp = Fn("+",[Fn("*",[Fn("1",[]);x]); Fn("0",[])]) in
  And(Atom(R("divides",[mk_numeral l; xp])),adjustcoeff x l fm);;

(* ------------------------------------------------------------------------- *)
(* The "minus infinity" version.                                             *)
(* ------------------------------------------------------------------------- *)

let rec minusinf x fm =
  match fm with
    Atom(R("=",[Fn("0",[]); Fn("+",[Fn("*",[Fn("1",[]);y]);z])]))
        when y = x -> False
  | Atom(R("<",[Fn("0",[]); Fn("+",[Fn("*",[pm1;y]);z])])) when y = x ->
        if pm1 = Fn("1",[]) then False else True
  | Not(p) -> Not(minusinf x p)
  | And(p,q) -> And(minusinf x p,minusinf x q)
  | Or(p,q) -> Or(minusinf x p,minusinf x q)
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* The LCM of all the divisors that involve x.                               *)
(* ------------------------------------------------------------------------- *)

let rec divlcm x fm =
  match fm with
    Atom(R("divides",[d;Fn("+",[Fn("*",[c;y]);z])])) when y = x ->
        dest_numeral d
  | Not(p) -> divlcm x p
  | And(p,q) -> lcm_num (divlcm x p) (divlcm x q)
  | Or(p,q) -> lcm_num (divlcm x p) (divlcm x q)
  | _ -> Int 1;;

(* ------------------------------------------------------------------------- *)
(* Construct the B-set.                                                      *)
(* ------------------------------------------------------------------------- *)

let rec bset x fm =
  match fm with
    Not(Atom(R("=",[Fn("0",[]); Fn("+",[Fn("*",[Fn("1",[]);y]);a])])))
    when y = x -> [linear_neg a]
  | Atom(R("=",[Fn("0",[]); Fn("+",[Fn("*",[Fn("1",[]);y]);a])]))
    when y = x -> [linear_neg(linear_add [] a (Fn("1",[])))]
  | Atom(R("<",[Fn("0",[]); Fn("+",[Fn("*",[Fn("1",[]);y]);a])]))
    when y = x -> [linear_neg a]
  | Not(p) -> bset x p
  | And(p,q) -> union (bset x p) (bset x q)
  | Or(p,q) -> union (bset x p) (bset x q)
  | _ -> [];;

(* ------------------------------------------------------------------------- *)
(* Replace top variable with another linear form, retaining canonicality.    *)
(* ------------------------------------------------------------------------- *)

let rec linrep vars x t fm =
  match fm with
    Atom(R(p,[d; Fn("+",[Fn("*",[c;y]);z])])) when y = x ->
        let ct = linear_cmul (dest_numeral c) t in
        Atom(R(p,[d; linear_add vars ct z]))
  | Not(p) -> Not(linrep vars x t p)
  | And(p,q) -> And(linrep vars x t p,linrep vars x t q)
  | Or(p,q) -> Or(linrep vars x t p,linrep vars x t q)
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Evaluation of constant expressions.                                       *)
(* ------------------------------------------------------------------------- *)

let operations =
  ["=",(=/); "<",(",(>/); "<=",(<=/); ">=",(>=/);
   "divides",(fun x y -> mod_num y x =/ Int 0)];;

let evalc_atom at =
  match at with
    R(p,[s;t]) ->
        (try if assoc p operations (dest_numeral s) (dest_numeral t)
             then True else False
         with Failure _ -> Atom at)
  | _ -> Atom at;;

let evalc = onatoms evalc_atom;;

(* ------------------------------------------------------------------------- *)
(* Hence the core quantifier elimination procedure.                          *)
(* ------------------------------------------------------------------------- *)

let cooper vars fm =
  match fm with
   Exists(x0,p0) ->
        let x = Var x0 in
        let p = unitycoeff x p0 in
        let p_inf = simplify(minusinf x p) and bs = bset x p
        and js = Int 1 --- divlcm x p in
        let p_element j b =
          linrep vars x (linear_add vars b (mk_numeral j)) p in
        let stage j = list_disj
           (linrep vars x (mk_numeral j) p_inf ::
            map (p_element j) bs) in
        list_disj (map stage js)
  | _ -> failwith "cooper: not an existential formula";;

(* ------------------------------------------------------------------------- *)
(* Overall function.                                                         *)
(* ------------------------------------------------------------------------- *)

let integer_qelim =
  simplify ** evalc **
  lift_qelim linform (cnnf posineq ** evalc) cooper;;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
integer_qelim < 2 * x + 1 < 2 * y>>;;

integer_qelim <>;;

integer_qelim < 0 /\ y >= 0 /\ 3 * x - 5 * y = 1>>;;

integer_qelim <>;;

integer_qelim < a <= x>>;;

integer_qelim < b < 3 * x>>;;

time integer_qelim < 2 * x + 1 < 2 * y>>;;

time integer_qelim <<(exists d. y = 65 * d) ==> (exists d. y = 5 * d)>>;;

time integer_qelim
  < (exists d. y = 5 * d)>>;;

time integer_qelim <>;;

time integer_qelim
  < x + y + z > 129>>;;

time integer_qelim < b < x>>;;

time integer_qelim < b < x>>;;

(* ------------------------------------------------------------------------- *)
(* Formula examples from Cooper's paper.                                     *)
(* ------------------------------------------------------------------------- *)

time integer_qelim <>;;

time integer_qelim <>;;

time integer_qelim <>;;

time integer_qelim
  < b + 1)>>;;

time integer_qelim
  < 1 /\ 13 * x - y > 1 /\ x + 2 < 0>>;;

(* ------------------------------------------------------------------------- *)
(* Some more.                                                                *)
(* ------------------------------------------------------------------------- *)

time integer_qelim <= 0 /\ y >= 0
                  ==> 12 * x - 8 * y < 0 \/ 12 * x - 8 * y > 2>>;;

time integer_qelim <>;;

time integer_qelim <>;;

time integer_qelim <= 0 /\ y >= 0 /\ 5 * x - 6 * y = 1>>;;


time integer_qelim <>;;

time integer_qelim <= 0 /\ y >= 0 /\ 5 * x - 3 * y = 1>>;;

time integer_qelim <= 0 /\ y >= 0 /\ 3 * x - 5 * y = 1>>;;

time integer_qelim <= 0 /\ y >= 0 /\ 6 * x - 3 * y = 1>>;;

time integer_qelim
  < 5 * y < 6 * x \/ 5 * y > 6 * x>>;;

time integer_qelim
  < ~(6 * x = 5 * y)>>;;

time integer_qelim < ~(6 * x = 5 * y)>>;;

time integer_qelim <>;;

time integer_qelim < exists d. y = 3 * d>>;;

time integer_qelim <<6 * x = 5 * y ==> exists d. y = 3 * d>>;;

(* ------------------------------------------------------------------------- *)
(* Positive variant of the Bezout theorem.                                   *)
(* ------------------------------------------------------------------------- *)

time integer_qelim
  < 7 ==> exists x y. x >= 0 /\ y >= 0 /\ 3 * x + 5 * y = z>>;;

time integer_qelim
  < 2 ==> exists x y. x >= 0 /\ y >= 0 /\ 3 * x + 5 * y = z>>;;

time integer_qelim
  < ((exists x y. x >= 0 /\ y >= 0 /\ 3 * x + 5 * y = z) <=>
             ~(exists x y. x >= 0 /\ y >= 0 /\ 3 * x + 5 * y = 7 - z))>>;;

(* ------------------------------------------------------------------------- *)
(* Basic result about congruences.                                           *)
(* ------------------------------------------------------------------------- *)

time integer_qelim
  <
              divides(12,x-1) \/ divides(12,x-7)>>;;

time integer_qelim
  <
              (exists m. x = 12 * m + 1) \/ (exists m. x = 12 * m + 7)>>;;

(* ------------------------------------------------------------------------- *)
(* Something else.                                                           *)
(* ------------------------------------------------------------------------- *)

time integer_qelim
 < divides(4,x-1) \/
            divides(8,x-1) \/
            divides(8,x-3) \/
            divides(6,x-1) \/
            divides(14,x-1) \/
            divides(14,x-9) \/
            divides(14,x-11) \/
            divides(24,x-5) \/
            divides(24,x-11)>>;;

(* ------------------------------------------------------------------------- *)
(* Testing fix for an earlier version.                                       *)
(* ------------------------------------------------------------------------- *)

(integer_qelim ** generalize)
  < false>>;;

(* ------------------------------------------------------------------------- *)
(* Inspired by the Collatz conjecture.                                       *)
(* ------------------------------------------------------------------------- *)

integer_qelim
  <>;;

integer_qelim
 < 1 /\ b > 1 /\
               ((2 * b = a) \/ (2 * b = 3 * a + 1)) /\
               (a = b)>>;;

END_INTERACTIVE;;
why-2.34/atp/fourier_motzkin.ml0000644000175000017500000001642612311670312015172 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Fourier-Motzkin elimination for integers.                                 *)
(* ========================================================================= *)

(* We use the functions already defined in [qelim.ml] and [cooper.ml]. *)

(* ------------------------------------------------------------------------- *)
(* Linearize the atoms in a formula, and eliminate strict inequalities.      *)
(* ------------------------------------------------------------------------- *)

let mkatom vars p t = Atom(R(p,[Fn("0",[]);lint vars t]));;

let linform vars fm =
  match fm with
    Atom(R("=",[s;t])) -> mkatom vars "=" (Fn("-",[t;s]))
  | Atom(R("<=",[s;t])) -> mkatom vars "<=" (Fn("-",[t;s]))
  | Atom(R(">=",[s;t])) -> mkatom vars "<=" (Fn("-",[s;t]))
  | Atom(R("<",[s;t])) ->
        mkatom vars "<=" (Fn("-",[Fn("-",[t;Fn("1",[])]);s]))
  | Atom(R(">",[s;t])) ->
        mkatom vars "<=" (Fn("-",[Fn("-",[s;Fn("1",[])]);t]))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Post-NNF transformation eliminating negated inequalities.                 *)
(* ------------------------------------------------------------------------- *)

let rec posineq fm =
  match fm with
  | Not(Atom(R("<=",[Fn("0",[]); t]))) ->
        Atom(R("<=",[Fn("0",[]); linear_sub [] (Fn("-1",[])) t]))
  | Not(Atom(R("=",[Fn("0",[]); t]))) ->
        Or(Atom(R("<=",[Fn("0",[]); linear_sub [] (Fn("-1",[])) t])),
	   Atom(R("<=",[Fn("0",[]); linear_add [] (Fn("-1",[])) t])))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Adjust all coefficients of x in formula; fold in reduction to +/- 1.      *)
(* ------------------------------------------------------------------------- *)

let rec adjustcoeff x l fm =
  match fm with
    Atom(R(p,[d; Fn("+",[Fn("*",[c;y]);z])])) when y = x ->
        let m = l // dest_numeral c in
        let n = if p = "<=" then abs_num(m) else m in
        let xtm = Fn("*",[mk_numeral(m // n); x]) in
        Atom(R(p,[linear_cmul (abs_num m) d;
                Fn("+",[xtm; linear_cmul n z])]))
  | Not(p) -> Not(adjustcoeff x l p)
  | And(p,q) -> And(adjustcoeff x l p,adjustcoeff x l q)
  | Or(p,q) -> Or(adjustcoeff x l p,adjustcoeff x l q)
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Make coefficient of x one in existential formula.                         *)
(* ------------------------------------------------------------------------- *)

let unitycoeff x fm =
  let l = formlcm x fm in
  let fm' = adjustcoeff x l fm in
  if l =/ Int 1 then fm' else
  adjustcoeff x l fm;;

(* ------------------------------------------------------------------------- *)
(* Isolate x on left-hand-side and replace.                                  *)
(* ------------------------------------------------------------------------- *)

let isolate x fm =
  match fm with
    Atom(R(p,[_;Fn("+",[Fn("*",[c;y]);z])])) when y = x ->
      let c = mk_numeral (Int 0 -/ dest_numeral c) in
      Atom(R(p,[Fn("*",[c;y]);z]))
  | Atom(R(p,[zero;Fn("*",[c;y])])) when y = x ->
      let c = mk_numeral (Int 0 -/ dest_numeral c) in
      Atom(R(p,[Fn("*",[c;y]);zero]))
  | _ -> 
      printer fm;
      assert false

let replace vars x t fm =
  match fm with
    Atom(R(p,[Fn("*",[c;y]);z])) when y = x ->
      let t = if dest_numeral c >/ Int 0 then t else linear_neg t in
      linform vars (Atom(R(p,[t;z])))
  | _ -> assert false

(* ------------------------------------------------------------------------- *)
(* This is the base function.                                                *)
(* ------------------------------------------------------------------------- *)

let fourier vars fm =
  match fm with
    Exists(x0,p0) ->
      let x = Var x0 in
      let p = unitycoeff x p0 in
      let cjs = map (isolate x) (conjuncts p) in
      try let eqn = find
            (function (Atom(R("=",_))) -> true | _ -> false) cjs in
          let (Atom(R("=",[s;t]))) = eqn in
	  let (Fn("*",[c;_])) = s in
	  let y = if dest_numeral c =/ Int 1 then t else linear_neg t in 
          list_conj(map (replace vars x y) (subtract cjs [eqn]))
      with Failure _ ->
        let l,r =
          partition 
	    (fun (Atom(R("<=",[Fn("*",[c;_]);t]))) -> 
	      dest_numeral c =/ Int (-1)) cjs 
	in
        let lefts = map (fun (Atom(R("<=",[_;l]))) -> linear_neg l) l
        and rights = map (fun (Atom(R("<=",[_;r]))) -> r) r in
        list_conj(allpairs 
	  (fun l r -> Atom(R("<=",[Fn("0",[]); linear_sub vars r l])))
          lefts rights)
  | _ -> failwith "fourier";;

(* ------------------------------------------------------------------------- *)
(* Overall quelim procedure.                                                 *)
(* ------------------------------------------------------------------------- *)

let fourier_qelim =
  simplify ** evalc **
  lift_qelim linform (dnf ** cnnf posineq ** evalc) fourier;;

(*
Local Variables:
compile-command: "LC_ALL=C ocamlc -I . fourier_motzkin.ml"
End:
*)
why-2.34/atp/prop.ml0000644000175000017500000005515012311670312012721 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Basic stuff for propositional logic: datatype, parsing and printing.      *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

type prop = P of string;;

let pname(P s) = s;;

(* ------------------------------------------------------------------------- *)
(* Parsing of propositional formulas.                                        *)
(* ------------------------------------------------------------------------- *)

let parse_propvar vs inp =
  match inp with
    p::oinp when p <> "(" -> Atom(P(p)),oinp
  | _ -> failwith "parse_propvar";;

let parsep = make_parser (parse_formula parse_propvar []);;

(* ------------------------------------------------------------------------- *)
(* Set this up as default for quotations.                                    *)
(* ------------------------------------------------------------------------- *)

let default_parser = parsep;;

(* ------------------------------------------------------------------------- *)
(* Test of the parser.                                                       *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = parsep "p ==> q <=> r /\\ s \\/ (t <=> ~ ~u /\\ v)";;

let fm = <
 q <=> r /\ s \/ (t <=> ~ ~u /\ v)>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Printer.                                                                  *)
(* ------------------------------------------------------------------------- *)

let print_propvar prec p = print_string(pname p);;

let pr = formula_printer print_propvar;;

START_INTERACTIVE;;
#install_printer pr;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Testing the printer.                                                      *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
And(fm,fm);;

And(Or(fm,fm),fm);;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Interpretation of formulas.                                               *)
(* ------------------------------------------------------------------------- *)

let rec eval fm v =
  match fm with
    False -> false
  | True -> true
  | Atom(x) -> v(x)
  | Not(p) -> not(eval p v)
  | And(p,q) -> (eval p v) & (eval q v)
  | Or(p,q) -> (eval p v) or (eval q v)
  | Imp(p,q) -> not(eval p v) or (eval q v)
  | Iff(p,q) -> (eval p v) = (eval q v);;

(* ------------------------------------------------------------------------- *)
(* Example of how we could define connective interpretations ourselves.      *)
(* ------------------------------------------------------------------------- *)

let (-->) p q = match (p,q) with (true,false) -> false | _ -> true;;

let rec eval fm v =
  match fm with
    False -> false
  | True -> true
  | Atom(x) -> v(x)
  | Not(p) -> not(eval p v)
  | And(p,q) -> (eval p v) & (eval q v)
  | Or(p,q) -> (eval p v) or (eval q v)
  | Imp(p,q) -> eval p v --> eval q v
  | Iff(p,q) -> (eval p v) = (eval q v);;

(* ------------------------------------------------------------------------- *)
(* Example of use, showing the "partial" evaluation.                         *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <
 q /\ r>>;;

let fm_interp = eval fm;;

eval fm (function P"p" -> true | P"q" -> false | P"r" -> true);;

eval fm (function P"p" -> true | P"q" -> true | P"r" -> false);;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Return the set of propositional variables in a formula.                   *)
(* ------------------------------------------------------------------------- *)

let atoms fm = atom_union (fun a -> [a]) fm;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
atoms <
 ~p \/ (r <=> s)>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Code to print out truth tables.                                           *)
(* ------------------------------------------------------------------------- *)

let rec onallvaluations subfn v pvs =
  match pvs with
    [] -> subfn v
  | p::ps -> let v' t q = if q = p then t else v(q) in
             onallvaluations subfn (v' false) ps &
             onallvaluations subfn (v' true) ps;;

let print_truthtable fm =
  let pvs = atoms fm in
  let width = itlist (max ** String.length ** pname) pvs 5 + 1 in
  let fixw s = s^String.make(width - String.length s) ' ' in
  let truthstring p = fixw (if p then "true" else "false") in
  let mk_row v =
     let lis = map (fun x -> truthstring(v x)) pvs
     and ans = truthstring(eval fm v) in
     print_string(itlist (^) lis ("| "^ans)); print_newline();
     true in
  let separator = String.make (width * length pvs + 9) '-' in
  print_string(itlist (fun s t -> fixw(pname s) ^ t) pvs "| formula");
  print_newline(); print_string separator; print_newline();
  onallvaluations mk_row (fun x -> false) pvs;
  print_string separator; print_newline();;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <
 q /\ r>>;;

print_truthtable fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Additional examples illustrating formula classes.                         *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
print_truthtable <<((p ==> q) ==> p) ==> p>>;;

print_truthtable <
>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Recognizing tautologies.                                                  *)
(* ------------------------------------------------------------------------- *)

let tautology fm =
  onallvaluations (eval fm) (fun s -> false) (atoms fm);;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
tautology <
>;;
tautology <
 p>>;;
tautology <
 q \/ (p <=> q)>>;;
tautology <<(p \/ q) /\ ~(p /\ q) ==> (~p <=> q)>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Related concepts.                                                         *)
(* ------------------------------------------------------------------------- *)

let unsatisfiable fm = tautology(Not fm);;

let satisfiable fm = not(unsatisfiable fm);;

(* ------------------------------------------------------------------------- *)
(* Substitution operation.                                                   *)
(* ------------------------------------------------------------------------- *)

let propsubst subfn = onatoms (fun p -> tryapplyd subfn p (Atom p));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let pandq = <
>;;

propsubst (P"p" := pandq) pandq;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Surprising tautologies including Dijkstra's "Golden rule".                *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
tautology <<(p ==> q) \/ (q ==> p)>>;;

tautology <
 r) <=> (p \/ q <=> p \/ r)>>;;

tautology <
 ((p <=> q) <=> p \/ q)>>;;

(* ------------------------------------------------------------------------- *)
(* Some logical equivalences allowing elimination of connectives.            *)
(* ------------------------------------------------------------------------- *)

tautology < p /\ ~p>>;;
tautology < ~(p /\ ~p)>>;;
tautology <
 ~(~p /\ ~q)>>;;
tautology <
 q <=> ~(p /\ ~q)>>;;
tautology <<(p <=> q) <=> ~(p /\ ~q) /\ ~(~p /\ q)>>;;

tautology < false ==> false>>;;
tautology <<~p <=> p ==> false>>;;
tautology <
 (p ==> q ==> false) ==> false>>;;
tautology <
 (p ==> false) ==> q>>;;
tautology(parsep
  "(p <=> q) <=> ((p ==> q) ==> (q ==> p) ==> false) ==> false");;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Dualization.                                                              *)
(* ------------------------------------------------------------------------- *)

let rec subdualize fm =
  match fm with
    False -> True
  | True -> False
  | Atom(p) -> fm
  | Not(p) -> Not(subdualize p)
  | And(p,q) -> Or(subdualize p,subdualize q)
  | Or(p,q) -> And(subdualize p,subdualize q)
  | _ -> failwith "Formula involves connectives ==> and <=>";;

let dualize fm = Not(subdualize fm);;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
dualize <
>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Routine simplification.                                                   *)
(* ------------------------------------------------------------------------- *)

let psimplify1 fm =
  match fm with
    Not False -> True
  | Not True -> False
  | And(False,q) -> False
  | And(p,False) -> False
  | And(True,q) -> q
  | And(p,True) -> p
  | Or(False,q) -> q
  | Or(p,False) -> p
  | Or(True,q) -> True
  | Or(p,True) -> True
  | Imp(False,q) -> True
  | Imp(True,q) -> q
  | Imp(p,True) -> True
  | Imp(p,False) -> Not p
  | Iff(True,q) -> q
  | Iff(p,True) -> p
  | Iff(False,q) -> Not q
  | Iff(p,False) -> Not p
  | _ -> fm;;

let rec psimplify fm =
  match fm with
  | Not p -> psimplify1 (Not(psimplify p))
  | And(p,q) -> psimplify1 (And(psimplify p,psimplify q))
  | Or(p,q) -> psimplify1 (Or(psimplify p,psimplify q))
  | Imp(p,q) -> psimplify1 (Imp(psimplify p,psimplify q))
  | Iff(p,q) -> psimplify1 (Iff(psimplify p,psimplify q))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
psimplify <<(true ==> (x <=> false)) ==> ~(y \/ false /\ z)>>;;

psimplify <<((x ==> y) ==> true) \/ ~false>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Negation normal form.                                                     *)
(* ------------------------------------------------------------------------- *)

let rec nnf fm =
  match fm with
  | And(p,q) -> And(nnf p,nnf q)
  | Or(p,q) -> Or(nnf p,nnf q)
  | Imp(p,q) -> Or(nnf(Not p),nnf q)
  | Iff(p,q) -> Or(And(nnf p,nnf q),And(nnf(Not p),nnf(Not q)))
  | Not(Not p) -> nnf p
  | Not(And(p,q)) -> Or(nnf(Not p),nnf(Not q))
  | Not(Or(p,q)) -> And(nnf(Not p),nnf(Not q))
  | Not(Imp(p,q)) -> And(nnf p,nnf(Not q))
  | Not(Iff(p,q)) -> Or(And(nnf p,nnf(Not q)),And(nnf(Not p),nnf q))
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Side remark on possible alternative tautology.                            *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
tautology <<(p <=> q) <=> (p \/ ~q) /\ (~p \/ q)>>;;

(* ------------------------------------------------------------------------- *)
(* Example of NNF function in action.                                        *)
(* ------------------------------------------------------------------------- *)

let fm = <<(p <=> q) <=> ~(r ==> s)>>;;

let fm' = nnf fm;;

tautology(Iff(fm,fm'));;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* More efficient version.                                                   *)
(* ------------------------------------------------------------------------- *)

let rec nnfp fm =
  match fm with
  | Not(p) ->
        let p',p'' = nnfp p in
        p'',p'
  | And(p,q) ->
        let p',p'' = nnfp p and q',q'' = nnfp q in
        And(p',q'),Or(p'',q'')
  | Or(p,q) ->
        let p',p'' = nnfp p and q',q'' = nnfp q in
        Or(p',q'),And(p'',q'')
  | Imp(p,q) ->
        let p',p'' = nnfp p and q',q'' = nnfp q in
        Or(p'',q'),And(p',q'')
  | Iff(p,q) ->
        let p',p'' = nnfp p and q',q'' = nnfp q in
        Or(And(p',q'),And(p'',q'')),Or(And(p',q''),And(p'',q'))
  | _ -> fm,Not fm;;

let nnf fm = fst(nnfp(psimplify fm));;

(* ------------------------------------------------------------------------- *)
(* Some tautologies remarked on.                                             *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
tautology
 <<(p ==> p') /\ (q ==> q') ==> (p \/ q ==> p' \/ q')>>;;

tautology
 <<(p ==> p') /\ (q ==> q') ==> (p /\ q ==> p' /\ q')>>;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Tracking positive and negative occurrences.                               *)
(* ------------------------------------------------------------------------- *)

let rec occurrences x fm =
  match fm with
    Atom(y) ->
        (x = y,false)
  | Not(p) ->
        let pos,neg = occurrences x p in neg,pos
  | And(p,q) ->
        let pos1,neg1 = occurrences x p
        and pos2,neg2 = occurrences x q in
        (pos1 or pos2,neg1 or neg2)
  | Or(p,q) ->
        let pos1,neg1 = occurrences x p
        and pos2,neg2 = occurrences x q in
        (pos1 or pos2,neg1 or neg2)
  | Imp(p,q) ->
        let pos1,neg1 = occurrences x p
        and pos2,neg2 = occurrences x q in
        (neg1 or pos2,pos1 or neg2)
  | Iff(p,q) ->
        let pos1,neg1 = occurrences x p
        and pos2,neg2 = occurrences x q in
        if pos1 or pos2 or neg1 or neg2 then (true,true)
        else (false,false)
  | _ -> (false,false);;

(* ------------------------------------------------------------------------- *)
(* Disjunctive normal form (DNF) via truth tables.                           *)
(* ------------------------------------------------------------------------- *)

let list_conj l =
  if l = [] then True else end_itlist (fun p q -> And(p,q)) l;;

let list_disj l =
  if l = [] then False else end_itlist (fun p q -> Or(p,q)) l;;

let mk_lits pvs v =
  list_conj (map (fun p -> if eval p v then p else Not p) pvs);;

let rec allsatvaluations subfn v pvs =
  match pvs with
    [] -> if subfn v then [v] else []
  | p::ps -> let v' t q = if q = p then t else v(q) in
             allsatvaluations subfn (v' false) ps @
             allsatvaluations subfn (v' true) ps;;

let dnf fm =
  let pvs = atoms fm in
  let satvals = allsatvaluations (eval fm) (fun s -> false) pvs in
  list_disj (map (mk_lits (map (fun p -> Atom p) pvs)) satvals);;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <<(p /\ (q \/ r /\ s)) /\ (~p \/ ~q \/ ~s)>>;;

dnf fm;;

print_truthtable fm;;

let fm = <
>;;

dnf fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* DNF via distribution.                                                     *)
(* ------------------------------------------------------------------------- *)

let rec distrib fm =
  match fm with
    And(p,(Or(q,r))) -> Or(distrib(And(p,q)),distrib(And(p,r)))
  | And(Or(p,q),r) -> Or(distrib(And(p,r)),distrib(And(q,r)))
  | _ -> fm;;

let rec rawdnf fm =
  match fm with
    And(p,q) -> distrib(And(rawdnf p,rawdnf q))
  | Or(p,q) -> Or(rawdnf p,rawdnf q)
  | _ -> fm;;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <<(p /\ (q \/ r /\ s)) /\ (~p \/ ~q \/ ~s)>>;;

rawdnf fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* A version using a list representation.                                    *)
(* ------------------------------------------------------------------------- *)

let distrib s1 s2 = allpairs union s1 s2;;      (** Value restriction hell!  *)
                                                (** Need it for FOL formulas *)
let rec purednf fm =
  match fm with
    And(p,q) -> distrib (purednf p) (purednf q)
  | Or(p,q) -> union (purednf p) (purednf q)
  | _ -> [[fm]];;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
purednf fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Filtering out noncontradictory disjuncts only.                            *)
(* ------------------------------------------------------------------------- *)

let negative = function (Not p) -> true | _ -> false;;

let positive lit = not(negative lit);;

let negate = function (Not p) -> p | p -> Not p;;

let contradictory lits =
  let pos,neg = partition positive lits in
  intersect pos (map negate neg) <> [];;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
filter (non contradictory) (purednf fm);;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* With subsumption checking, done very naively (quadratic).                 *)
(* ------------------------------------------------------------------------- *)

let subsumes s1 s2 = psubset s2 s1;;

let subsume cls =
  filter (fun cl -> not(exists (subsumes cl) cls)) cls;;

let simpdnf fm =
  if fm = False then []
  else if fm = True then [[]]
  else subsume (filter (non contradictory) (purednf(nnf fm)));;

(* ------------------------------------------------------------------------- *)
(* Mapping back to a formula.                                                *)
(* ------------------------------------------------------------------------- *)

let dnf fm = list_disj(map list_conj (simpdnf fm));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
dnf fm;;

tautology(Iff(fm,dnf fm));;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Conjunctive normal form (CNF) by duality.                                 *)
(* ------------------------------------------------------------------------- *)

let purecnf fm = smap (smap negate) (purednf(nnf(Not fm)));;

let simpcnf fm = subsume (filter (non contradictory) (purecnf fm));;

let cnf fm = list_conj(map list_disj (simpcnf fm));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
cnf fm;;

cnf(Iff(fm,cnf fm));;
END_INTERACTIVE;;
why-2.34/atp/propexamples.ml0000644000175000017500000003417112311670312014460 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* Some propositional formulas to test, and functions to generate classes.   *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

START_INTERACTIVE;;

forall tautology
 [<
 q <=> ~q ==> ~p>>;
  <<~ ~p <=> p>>;
  <<~(p ==> q) ==> q ==> p>>;
  <<~p ==> q <=> ~q ==> p>>;
  <<(p \/ q ==> p \/ r) ==> p \/ (q ==> r)>>;
  <
>;
  <
>;
  <<((p ==> q) ==> p) ==> p>>;
  <<(p \/ q) /\ (~p \/ q) /\ (p \/ ~q) ==> ~(~q \/ ~q)>>;
  <<(q ==> r) /\ (r ==> p /\ q) /\ (p ==> q /\ r) ==> (p <=> q)>>;
  <
 p>>;
  <<((p <=> q) <=> r) <=> (p <=> (q <=> r))>>;
  <
 (p \/ q) /\ (p \/ r)>>;
  <<(p <=> q) <=> (q \/ ~p) /\ (~q \/ p)>>;
  <
 q <=> ~p \/ q>>;
  <<(p ==> q) \/ (q ==> p)>>;
  <
 r) ==> s <=> (~p \/ q \/ s) /\ (~p \/ ~r \/ s)>>];;

(* ------------------------------------------------------------------------- *)
(* Some graph-colouring examples.                                            *)
(* ------------------------------------------------------------------------- *)

let fm =
 <<(a1 \/ a2 \/ a3) /\
   (b1 \/ b2 \/ b3) /\
   (c1 \/ c2 \/ c3) /\
   (d1 \/ d2 \/ d3) /\
   ~(a1 /\ a2) /\ ~(a1 /\ a3) /\ ~(a2 /\ a3) /\
   ~(b1 /\ b2) /\ ~(b1 /\ b3) /\ ~(b2 /\ b3) /\
   ~(c1 /\ c2) /\ ~(c1 /\ c3) /\ ~(c2 /\ c3) /\
   ~(d1 /\ d2) /\ ~(d1 /\ d3) /\ ~(d2 /\ d3) /\
   ~(a1 /\ d1) /\ ~(a2 /\ d2) /\ ~(a3 /\ d3) /\
   ~(b1 /\ d1) /\ ~(b2 /\ d2) /\ ~(b3 /\ d3) /\
   ~(c1 /\ d1) /\ ~(c2 /\ d2) /\ ~(c3 /\ d3) /\
   ~(a1 /\ b1) /\ ~(a2 /\ b2) /\ ~(a3 /\ b3) /\
   ~(b1 /\ c1) /\ ~(b2 /\ c2) /\ ~(b3 /\ c3) /\
   ~(c1 /\ a1) /\ ~(c2 /\ a2) /\ ~(c3 /\ a3)>>;;

satisfiable fm;;

END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Generate assertion equivalent to R(s,t) <= n for the Ramsey number R(s,t) *)
(* ------------------------------------------------------------------------- *)

let var l =
  match l with
    [m;n] -> Atom(P("p_"^(string_of_int m)^"_"^(string_of_int n)))
  | _ -> failwith "var: expected 2-element list";;

let ramsey s t n =
  let vertices = 1 -- n in
  let yesgrps = map (allsets 2) (allsets s vertices)
  and nogrps = map (allsets 2) (allsets t vertices) in
  Or(list_disj (map (list_conj ** map var) yesgrps),
     list_disj (map (list_conj ** map (fun p -> Not(var p))) nogrps));;

(* ------------------------------------------------------------------------- *)
(* Some currently tractable examples.                                        *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;

ramsey 3 3 4;;

tautology(ramsey 3 3 5);;

tautology(ramsey 3 3 6);;

END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Half adder.                                                               *)
(* ------------------------------------------------------------------------- *)

let halfsum x y = Iff(x,Not y);;

let halfcarry x y = And(x,y);;

let ha x y s c = And(Iff(s,halfsum x y),Iff(c,halfcarry x y));;

(* ------------------------------------------------------------------------- *)
(* Full adder.                                                               *)
(* ------------------------------------------------------------------------- *)

let carry x y z = Or(And(x,y),And(Or(x,y),z));;

let sum x y z = halfsum (halfsum x y) z;;

let fa x y z s c = And(Iff(s,sum x y z),Iff(c,carry x y z));;

(* ------------------------------------------------------------------------- *)
(* Useful idiom.                                                             *)
(* ------------------------------------------------------------------------- *)

let conjoin f l = list_conj (map f l);;

(* ------------------------------------------------------------------------- *)
(* n-bit ripple carry adder with carry c(0) propagated in and c(n) out.      *)
(* ------------------------------------------------------------------------- *)

let ripplecarry x y c out n =
  conjoin (fun i -> fa (x i) (y i) (c i) (out i) (c(i + 1)))
          (0 -- (n - 1));;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

let mk_index s i = Atom(P(s^"_"^(string_of_int i)));;

START_INTERACTIVE;;

let [x; y; out; c] = map mk_index ["X"; "Y"; "OUT"; "C"];;

ripplecarry x y c out 2;;

END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Special case with 0 instead of c(0).                                      *)
(* ------------------------------------------------------------------------- *)

let ripplecarry0 x y c out n =
  psimplify
   (ripplecarry x y (fun i -> if i = 0 then False else c i) out n);;

(* ------------------------------------------------------------------------- *)
(* Example.                                                                  *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;

ripplecarry0 x y c out 2;;

END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* Carry-select adder                                                        *)
(* ------------------------------------------------------------------------- *)

let ripplecarry1 x y c out n =
  psimplify
   (ripplecarry x y (fun i -> if i = 0 then True else c i) out n);;

let mux sel in0 in1 = Or(And(Not sel,in0),And(sel,in1));;

let offset n x i = x(n + i);;

let rec carryselect x y c0 c1 s0 s1 c s n k =
  let k' = min n k in
  let fm =
    And(And(ripplecarry0 x y c0 s0 k',ripplecarry1 x y c1 s1 k'),
        And(Iff(c k',mux (c 0) (c0 k') (c1 k')),
            conjoin (fun i -> Iff(s i,mux (c 0) (s0 i) (s1 i)))
                    (0 -- (k' - 1)))) in
  if k' < k then fm else
  And(fm,carryselect
            (offset k x) (offset k y) (offset k c0) (offset k c1)
            (offset k s0) (offset k s1) (offset k c) (offset k s)
            (n - k) k);;

(* ------------------------------------------------------------------------- *)
(* Equivalence problems for carry-select vs ripple carry adders.             *)
(* ------------------------------------------------------------------------- *)

let mk_adder_test n k =
  let [x; y; c; s; c0; s0; c1; s1; c2; s2] = map mk_index
      ["x"; "y"; "c"; "s"; "c0"; "s0"; "c1"; "s1"; "c2"; "s2"] in
  Imp(And(And(carryselect x y c0 c1 s0 s1 c s n k,Not(c 0)),
          ripplecarry0 x y c2 s2 n),
      And(Iff(c n,c2 n),
          conjoin (fun i -> Iff(s i,s2 i)) (0 -- (n - 1))));;

(* ------------------------------------------------------------------------- *)
(* Ripple carry stage that separates off the final result.                   *)
(*                                                                           *)
(*       UUUUUUUUUUUUUUUUUUUU  (u)                                           *)
(*    +  VVVVVVVVVVVVVVVVVVVV  (v)                                           *)
(*                                                                           *)
(*    = WWWWWWWWWWWWWWWWWWWW   (w)                                           *)
(*    +                     Z  (z)                                           *)
(* ------------------------------------------------------------------------- *)

let rippleshift u v c z w n =
  ripplecarry0 u v (fun i -> if i = n then w(n - 1) else c(i + 1))
                   (fun i -> if i = 0 then z else w(i - 1)) n;;

(* ------------------------------------------------------------------------- *)
(* Naive multiplier based on repeated ripple carry.                          *)
(* ------------------------------------------------------------------------- *)

let mult_rip x u v out n =
  if n = 1 then And(Iff(out 0,x 0 0),Not(out 1)) else
  psimplify
   (And(Iff(out 0,x 0 0),
        And(rippleshift
               (fun i -> if i = n - 1 then False else x 0 (i + 1))
               (x 1) (v 2) (out 1) (u 2) n,
            if n = 2 then And(Iff(out 2,u 2 0),Iff(out 3,u 2 1)) else
            conjoin (fun k -> rippleshift (u k) (x k) (v(k + 1)) (out k)
                                (if k = n - 1 then fun i -> out(n + i)
                                 else u(k + 1)) n) (2 -- (n - 1)))));;

(* ------------------------------------------------------------------------- *)
(* One stage in a sequential multiplier based on CSAs.                       *)
(*                                                                           *)
(*        UUUUUUUUUUUUUUU         (u)                                        *)
(*        VVVVVVVVVVVVVVV         (v)                                        *)
(*       XXXXXXXXXXXXXXX          (x)                                        *)
(*     ------------------------------------------------                      *)
(*       WWWWWWWWWWWWWWW          (w)                                        *)
(*       YYYYYYYYYYYYYYY          (y)                                        *)
(*                      Z         (z)                                        *)
(* ------------------------------------------------------------------------- *)

let csastage u v x z w y n =
  And(ha (u 0) (v 0) z (w 0),
      And(conjoin (fun i -> fa (u(i + 1)) (v(i + 1)) (x i)
                               (y i) (w(i + 1))) (0 -- (n - 2)),
          Iff(y(n - 1),x(n - 1))));;

(* ------------------------------------------------------------------------- *)
(* CSA-based multiplier only using ripple carry for last iteration.          *)
(* ------------------------------------------------------------------------- *)

let csa_init x u v out n =
  And(Iff(out 0,x 0 0),
      And(ha (x 0 1) (x 1 0) (out 1) (u 3 0),
          And(conjoin (fun i -> fa (x 0 (i + 2)) (x 1 (i + 1)) (x 2 i)
                                   (v 3 i) (u 3 (i + 1)))
                      (0 -- (n - 3)),
              And(ha (x 1 (n - 1)) (x 2 (n - 2))
                     (v 3 (n - 2)) (u 3 (n - 1)),
                  Iff(v 3 (n - 1),x 2 (n - 1))))));;

let mult_csa x u v out n =
  And(csa_init x u v out n,
      And(conjoin (fun i -> csastage (u i) (v i) (x i)
                                 (out(i - 1)) (u(i + 1)) (v(i + 1)) n)
                  (3 -- (n - 1)),
          rippleshift (u n) (v n) (v(n + 1))
                      (out(n - 1)) (fun i -> out(n + i)) n));;

(* ------------------------------------------------------------------------- *)
(* Equivalence for ripple vs CSA sequential multipler.                       *)
(* ------------------------------------------------------------------------- *)

let mk_index2 x i j =
  Atom(P(x^"_"^(string_of_int i)^"_"^(string_of_int j)));;

let mk_mult_test n =
  let [x; y; out; out'] = map mk_index ["x"; "y"; "**"; "p"] in
  let m i j = And(x i,y j)
  and [u; v; u'; v'] = map mk_index2 ["u"; "v"; "w"; "z"] in
  Imp(And(mult_rip m u v out n,
          mult_csa m u' v' out' n),
      conjoin (fun i -> Iff(out i,out' i)) (0 -- (n - 1)));;

(* ------------------------------------------------------------------------- *)
(* Primality examples (using CSAs since they are slightly shorter).          *)
(* For large examples, should use "num" instead of "int" in these functions. *)
(* ------------------------------------------------------------------------- *)

let rec bitlength x = if x = 0 then 0 else 1 + bitlength (x / 2);;

let rec bit n x = if n = 0 then x mod 2 = 1 else bit (n - 1) (x / 2);;

let congruent_to x m n =
  conjoin (fun i -> if bit i m then x i else Not(x i))
          (0 -- (n - 1));;

let prime p =
  let [x; y; out] = map mk_index ["x"; "y"; "out"] in
  let m i j = And(x i,y j)
  and [u; v] = map mk_index2 ["u"; "v"] in
  let n = bitlength p in
  Not(And(mult_rip m u v out (n - 1),
      congruent_to out p (max n (2 * n - 2))));;
why-2.34/atp/LICENSE.txt0000644000175000017500000000317312311670312013230 0ustar  rtusersIMPORTANT:  READ BEFORE DOWNLOADING, COPYING, INSTALLING OR USING.
By downloading, copying, installing or using the software you agree
to this license.  If you do not agree to this license, do not
download, install, copy or use the software.

Copyright (c) 2003, John Harrison
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.

* The name of John Harrison may not be used to endorse or promote
products derived from this software without specific prior written
permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
why-2.34/atp/dp.ml0000644000175000017500000001551112311670312012341 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* ========================================================================= *)
(* The Davis-Putnam and Davis-Putnam-Loveland-Logemann procedures.           *)
(*                                                                           *)
(* Copyright (c) 2003, John Harrison. (See "LICENSE.txt" for details.)       *)
(* ========================================================================= *)

let clausal fm = defcnfs false fm;;

(* ------------------------------------------------------------------------- *)
(* Examples of clausal form.                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
let fm = <
 (~p <=> r))>>;;

clausal fm;;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* The DP procedure.                                                         *)
(* ------------------------------------------------------------------------- *)

let one_literal_rule clauses =
  let ucl = hd (find (fun cl -> length cl = 1) clauses) in
  let ucl' = negate ucl in
  let clauses1 = filter (fun cl -> not (mem ucl cl)) clauses in
  smap (fun cl -> subtract cl [ucl']) clauses1;;

let affirmative_negative_rule clauses =
  let literals = itlist union clauses [] in
  let neglits,poslits = partition negative literals in
  let neglits' = smap negate neglits in
  let common = intersect poslits neglits' in
  let pos_only_lits = subtract poslits common
  and neg_only_lits = subtract neglits' common in
  let elim = union pos_only_lits (smap negate neg_only_lits) in
  if elim = [] then failwith "affirmative_negative_rule" else
  filter (fun cl -> intersect cl elim = []) clauses;;

let find_blowup cls l =
  let m = length(filter (mem l) cls)
  and n = length(filter (mem (negate l)) cls) in
  m * n - m - n,l;;

let resolution_rule clauses =
  let pvs = filter positive (itlist union clauses []) in
  let lblows = map (find_blowup clauses) pvs in
  let p = assoc (end_itlist min (map fst lblows)) lblows in
  let p' = negate p in
  let pos,notpos = partition (mem p) clauses in
  let neg,none = partition (mem p') notpos in
  let pos' = smap (filter (fun l -> l <> p)) pos
  and neg' = smap (filter (fun l -> l <> p')) neg in
  let res0 = allpairs union pos' neg' in
  union none (filter (non contradictory) res0);;

(* ------------------------------------------------------------------------- *)
(* Overall procedure.                                                        *)
(* ------------------------------------------------------------------------- *)

let rec dp clauses =
  if clauses = [] then true
  else if mem [] clauses then false else
  try dp(one_literal_rule clauses)
  with Failure _ -> try
      dp(affirmative_negative_rule clauses)
  with Failure _ ->
      dp(resolution_rule clauses);;

(* ------------------------------------------------------------------------- *)
(* Davis-Putnam satisfiability tester and tautology checker.                 *)
(* ------------------------------------------------------------------------- *)

let dpsat fm = dp(clausal fm);;

let dptaut fm = not(dpsat(Not fm));;

(* ------------------------------------------------------------------------- *)
(* Examples.                                                                 *)
(* ------------------------------------------------------------------------- *)

START_INTERACTIVE;;
tautology(prime 11);;

dptaut(prime 11);;
END_INTERACTIVE;;

(* ------------------------------------------------------------------------- *)
(* The same thing but with the DPLL procedure.                               *)
(* ------------------------------------------------------------------------- *)

let find_count cls l =
  let m = length(filter (mem l) cls)
  and n = length(filter (mem (negate l)) cls) in
  m + n,l;;

let rec dpll clauses =
  if clauses = [] then true
  else if mem [] clauses then false else
  try dpll(one_literal_rule clauses)
  with Failure _ -> try
      dpll(affirmative_negative_rule clauses)
  with Failure _ ->
    let pvs = filter positive (itlist union clauses []) in
    let lcounts = map (find_count clauses) pvs in
    let p = assoc (end_itlist max (map fst lcounts)) lcounts in
    dpll (insert [p] clauses) or
    dpll (insert [negate p] clauses);;

let dpllsat fm = dpll(clausal fm);;

let dplltaut fm = not(dpllsat(Not fm));;

(* ------------------------------------------------------------------------- *)
(* The same example.                                                         *)
(* ------------------------------------------------------------------------- *)

dplltaut(prime 11);;
why-2.34/version.sh0000755000175000017500000000152412311670312012643 0ustar  rtusers #!/bin/sh

# Note: the BINDIR variable is a free variable
# Note: the LIBDIR variable is a free variable
# Note: the COQVER variable is a free variable
# Note: the mkdirs are needed for the Ocamlbuild Makefile.

. ./Version

# Why
WHYVF=src/version.ml
mkdir -p src
echo "let coqversion = \"$COQVER\"" > $WHYVF
echo "let version = \"$VERSION\"" >> $WHYVF
echo "let date = \""`date`"\"" >> $WHYVF
echo "let bindir = \"$BINDIR\"" >> $WHYVF
echo "let libdir = \"$LIBDIR/why\"" >> $WHYVF

# Caduceus
CADUCEUSVF=c/cversion.ml
mkdir -p c
echo "let version = \""$CVERSION"\"" > $CADUCEUSVF
echo "let date = \""`date`"\"" >> $CADUCEUSVF
echo "let libdir = \""$LIBDIR/caduceus"\"" >> $CADUCEUSVF


# Doc
DOCF=doc/version.tex
mkdir -p doc
printf '\\newcommand{\\whyversion}{'$VERSION'}\n' > $DOCF
printf '\\newcommand{\\caduceusversion}{'$CVERSION'}\n' >> $DOCF
why-2.34/ml/0000755000175000017500000000000012311670312011225 5ustar  rtuserswhy-2.34/ml/ml_interp.ml0000644000175000017500000006714112311670312013561 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* Interpretation of Ocaml programs to Jessie *)

open Jc_ast
open Jc_output
open Jc_env
open Jc_fenv
open Ml_misc
open Ml_pattern
open Ml_constant
open Ml_ocaml.Asttypes
open Ml_ocaml.Typedtree
open Ml_ocaml.Types
open Ml_ocaml.Path
open Ml_ocaml.Ident
open Ml_type

let binary_op_of_string = function
  | ">=" -> Bge_int
  | ">" -> Bgt_int
  | "<=" -> Ble_int
  | "<" -> Blt_int
  | "=" -> Beq_int
  | "<>" -> Bneq_int
  | "*" -> Bmul_int
  | "/" -> Bdiv_int
  | "+" -> Badd_int
  | "-" -> Bsub_int
  | "&&" -> Bland
  | "||" -> Blor
  (* Note: the following cases don't exist in OCaml *)
  | "==>" -> Bimplies
  | "<=>" -> Biff
  | _ -> raise Not_found

let unary_op_of_string = function
  | _ -> raise Not_found

let binary_op_type = function
  | Bge_int
  | Bgt_int
  | Ble_int
  | Blt_int
  | Beq_int
  | Bneq_int -> JCTnative Tboolean
  | Bmul_int
  | Bdiv_int
  | Badd_int
  | Bsub_int -> JCTnative Tinteger
  | _ -> failwith "binary_op_type"

let binary_op_expr loc op = function
  | [ x; y ] -> JCTEbinary(x, op, y)
  | l -> locate_error loc "2 arguments required, %d found" (List.length l)

let binary_op_term loc op = function
  | [ x; y ] -> JCTbinary(x, op, y)
  | l -> locate_error loc "2 arguments required, %d found" (List.length l)

let apply_op id args binary_op not_found =
  try
    binary_op (binary_op_of_string (name id)) args
  with Not_found ->
    not_found (name id)

let apply_op_expr id args binary_op not_found =
  try
    let op = binary_op_of_string (name id) in
    make_expr (binary_op op args) (binary_op_type op)
  with Not_found ->
    not_found (name id)

(******************************************************************************)

type find_function_result =
  | MLFbinary of Jc_ast.bin_op
  | MLFunary of Jc_ast.unary_op
  | MLFfun_info of Jc_fenv.fun_info
  | MLFarray_make
  | MLFarray_get
  | MLFarray_set

let find_function env loc path =
  let name = Ml_ocaml.Path.name path in
  try MLFbinary (binary_op_of_string name) with Not_found ->
    try MLFunary (unary_op_of_string name) with Not_found ->
      match name with
	| "Array.make" -> MLFarray_make
	| "Array.get" -> MLFarray_get
	| "Array.set" -> MLFarray_set
	| _ -> try MLFfun_info(Ml_env.find_fun name env) with
	    | Ml_env.Not_found_str s -> not_implemented loc "%s" s

let make_apply_expr env loc path rty args =
  make_expr begin
    match find_function env loc path with
      | MLFbinary op ->
	  let (x, _), (y, _) = couple_of_list ~loc:loc args in
	  JCTEbinary(x, op, y)
      | MLFunary op ->
	  JCTEunary(op, fst (singleton_of_list ~loc:loc args))
      | MLFfun_info fi ->
	  JCTEcall(fi, List.map fst args)
      | MLFarray_make ->
	  JCTEcall((array rty).ml_ai_make, List.map fst args)
      | MLFarray_get ->
	  let (x, xty), (y, _) = couple_of_list ~loc:loc args in
	  let ai = array xty in
	  JCTEderef(
	    make_expr (JCTEshift(x, y))
	      (make_valid_pointer (JCtag ai.ml_ai_struct)),
	    ai.ml_ai_data_field)
      | MLFarray_set ->
	  let (x, xty), (y, _), (z, _) = triple_of_list args in
	  let ai = array xty in
	  JCTEassign_heap(
	    make_expr (JCTEshift(x, y))
	      (make_valid_pointer (JCtag ai.ml_ai_struct)),
	    ai.ml_ai_data_field,
	    z)
  end (make rty)
  
(*******************************************************************************)

exception Not_an_expression

let rec expression env e =
  match e.exp_desc with
    | Texp_ident(Pident id, { val_kind = Val_reg }) ->
	JCTEvar(Ml_env.find_var (name id) env)
    | Texp_constant c -> JCTEconst(constant c)
    | Texp_let((Nonrecursive | Default),
	       [ { pat_desc = Tpat_var id }, eq_expr ], in_expr) ->
	let new_env, vi =
	  Ml_env.add_var (name id) (make eq_expr.exp_type) env
	in
	JCTElet(
	  vi,
	  make_expr (expression env eq_expr) (make eq_expr.exp_type),
	  make_expr (expression new_env in_expr) (make in_expr.exp_type))
    | Texp_let(Recursive, _, _) ->
	not_implemented e.exp_loc "recursive let"
    | Texp_function _ ->
	locate_error e.exp_loc
	  "ml_interp.ml, in expression: the AST is not defunctionalized"
    | Texp_apply(f, args) ->
	let args' = List.map
	  (function
	     | Some arg, Required ->
		 make_expr (expression env arg) (make arg.exp_type), arg.exp_type
	     | _ -> not_implemented e.exp_loc "apply with optional arguments")
	  args
	in
	begin match f.exp_desc with
	  | Texp_ident(path, { val_kind = Val_reg }) ->
	      (make_apply_expr env e.exp_loc path e.exp_type args').
		jc_texpr_node
	  | _ ->
	      not_implemented e.exp_loc "unsupported application (expression)"
	end
    | Texp_match(e, pel, partial) ->
	assert false (* TODO *)
(*	let e = PatExpression.pattern_expr_list
	  env
	  (make_expr (expression env e) (make e.exp_type))
	  (List.map
	     (fun (pat, expr) ->
		pat,
		fun env2 ->
		  make_expr (expression env2 expr) (make expr.exp_type))
	     pel)
	  (match partial with
	     | Partial ->
		 not_implemented e.exp_loc
		   "partial pattern-matching (expression)"
	     | Total ->
		 None)
	in e.jc_texpr_node*)
(*    | Texp_try of expression * (pattern * expression) list
    | Texp_tuple of expression list*)
    | Texp_construct(cd, el) ->
	let ci = constructor e.exp_type cd in
	make_let_alloc_tmp ci.ml_ci_structure
	  (fun vi ve ->
	     make_seq_expr
	       (List.map2
		      (make_affect_field_expr ve)
		      ci.ml_ci_arguments
		      (List.map
			 (fun e ->
			    make_expr (expression env e) (make e.exp_type))
			 el))
	       ve)
(*    | Texp_variant of label * expression option *)
    | Texp_record(lbls, None) ->
	not_implemented e.exp_loc "TO REDO: ml_interp.ml: expression: records (make_let_tmp, label, ...)";
	(*let si = match lbls with
	  | [] ->
	      locate_error e.exp_loc "empty record"
	  | (lbl, _)::_ ->
	      (label e.exp_type lbl).ml_li_structure
	in
	let lbls = List.map
	  (fun (ld, e) ->
	     label ld, make_expr (expression env e) (make e.exp_type))
	  lbls
	in
	let tmp_ty = make_pointer_type si in
	let tmp_var = new_var tmp_ty in
	let tmp_expr = make_expr (JCTEvar tmp_var) tmp_ty in
	let assigns = List.map
	  (fun (lbl, e) ->
	     make_expr
	       (JCTEassign_heap(tmp_expr, lbl.ml_li_field, e))
	       e.jc_texpr_type)
	  lbls
	in
	JCTElet(
	  tmp_var,
	  make_expr (JCTEalloc(expr_of_int 1, si)) tmp_ty,
	  expr_seq_to_let assigns (make_expr (JCTEvar tmp_var) tmp_ty)
	)*)
    | Texp_record(_, Some _) ->
	not_implemented e.exp_loc "record with"
    | Texp_field(x, lbl) ->
	let tx = make_expr (expression env x) (make x.exp_type) in
	let fi = (label x.exp_type lbl).ml_li_field in
	JCTEderef(tx, fi)
    | Texp_setfield(x, lbl, v) ->
	let tx = make_expr (expression env x) (make x.exp_type) in
	let tv = make_expr (expression env v) (make v.exp_type) in
	let fi = (label x.exp_type lbl).ml_li_field in
	JCTEassign_heap(tx, fi, tv)
(*  | Texp_array of expression list *)
    | Texp_ifthenelse(if_expr, then_expr, else_expr) ->
	let else', else_type = match else_expr with
	  | None -> JCTEconst JCCvoid, JCTnative Tunit
	  | Some expr -> expression env expr, make expr.exp_type
	in
	JCTEif(
	  make_expr (expression env if_expr) (make if_expr.exp_type),
	make_expr (expression env then_expr) (make if_expr.exp_type),
	  make_expr else' else_type)
(*  | Texp_sequence of expression * expression *)
    | Texp_while _
    | Texp_for _ -> raise Not_an_expression
(*  | Texp_when of expression * expression
    | Texp_send of expression * meth
    | Texp_new of Path.t * class_declaration
    | Texp_instvar of Path.t * Path.t
    | Texp_setinstvar of Path.t * Path.t * expression
    | Texp_override of Path.t * (Path.t * expression) list
    | Texp_letmodule of Ident.t * module_expr * expression
    | Texp_assert of expression
    | Texp_assertfalse
    | Texp_lazy of expression
    | Texp_object of class_structure * class_signature * string list *)
    | Texp_result
    | Texp_old _ ->
	assert false (* impossible *)
    | _ -> not_implemented e.exp_loc "ml_interp.ml: expression"

let rec term env e =
  let binary_op = binary_op_term e.exp_loc in
  match e.exp_desc with
    | Texp_ident(Pident id, { val_kind = Val_reg }) ->
	JCTvar(Ml_env.find_var (name id) env)
    | Texp_constant c -> JCTconst(constant c)
(*    | Texp_let of rec_flag * (pattern * expression) list * expression
    | Texp_function of (pattern * expression) list * partial*)
    | Texp_apply(f, args) ->
	let args' = List.map
	  (function
	     | Some arg, Required ->
		 make_term (term env arg) (make arg.exp_type)
	     | _ -> not_implemented e.exp_loc "apply with optional arguments")
	  args
	in
	begin match f.exp_desc with
	  | Texp_ident(Pident id, { val_kind = Val_reg }) ->
	      apply_op id args' binary_op
		(fun x -> try
		   let li = Ml_env.find_logic_fun x env in
		   make_app_term_node li args'
		 with Ml_env.Not_found_str x ->
		   locate_error e.exp_loc "unknown logic function: %s" x)
	  | _ -> not_implemented e.exp_loc "unsupported application (term)"
	end
(*    | Texp_match of expression * (pattern * expression) list * partial
    | Texp_try of expression * (pattern * expression) list
    | Texp_tuple of expression list
    | Texp_construct of constructor_description * expression list
    | Texp_variant of label * expression option
    | Texp_record of (label_description * expression) list * expression option*)
    | Texp_field(e, lbl) ->
	let te = term env e in
	let fi = (label e.exp_type lbl).ml_li_field in
	JCTderef(make_term te (make e.exp_type), LabelHere, fi)
(*    | Texp_setfield of expression * label_description * expression
    | Texp_array of expression list
    | Texp_ifthenelse(if_expr, then_expr, else_expr) ->
    | Texp_sequence of expression * expression
    | Texp_while of expression * expression
    | Texp_for of
	Ident.t * expression * expression * direction_flag * expression
    | Texp_when of expression * expression
    | Texp_send of expression * meth
    | Texp_new of Path.t * class_declaration
    | Texp_instvar of Path.t * Path.t
    | Texp_setinstvar of Path.t * Path.t * expression
    | Texp_override of Path.t * (Path.t * expression) list
    | Texp_letmodule of Ident.t * module_expr * expression
    | Texp_assert of expression
    | Texp_assertfalse
    | Texp_lazy of expression
    | Texp_object of class_structure * class_signature * string list *)
    | Texp_result ->
	JCTvar(Jc_pervasives.var (make e.exp_type) "\\result")
    | Texp_old e ->
	JCTold(make_term (term env e) (make e.exp_type))
    | Texp_implies(a, b) ->
	JCTif(
	  make_term (term env a) (make a.exp_type),
	  make_term (term env b) (make b.exp_type),
	  make_term (JCTconst (JCCboolean true)) (JCTnative Tboolean))
    | _ -> not_implemented e.exp_loc "ml_interp.ml: term"

let rec assertion env e =
  match e.exp_desc with
    | Texp_ident _ ->
	JCAbool_term(make_term (term env e) (make e.exp_type))
(*    | Texp_constant c
    | Texp_let of rec_flag * (pattern * expression) list * expression
    | Texp_function of (pattern * expression) list * partial*)
    | Texp_apply(f, args) ->
	let args_assertion () = List.map
	  (function
	     | Some arg, Required ->
		 make_assertion (assertion env arg)
	     | _ -> not_implemented e.exp_loc "apply with optional arguments")
	  args
	in
	begin match f.exp_desc with
	  | Texp_ident(Pident id, { val_kind = Val_reg }) ->
	      begin match name id with
		| "&&" -> (make_and_list (args_assertion ())).jc_assertion_node
		| _ ->
		    JCAbool_term(make_term (term env e) (make e.exp_type))
	      end
	  | _ -> not_implemented e.exp_loc "unsupported application (assertion)"
	end
(*    | Texp_match of expression * (pattern * expression) list * partial
    | Texp_try of expression * (pattern * expression) list
    | Texp_tuple of expression list
    | Texp_construct of constructor_description * expression list
    | Texp_variant of label * expression option
    | Texp_record of (label_description * expression) list * expression option
    | Texp_field of expression * label_description
    | Texp_setfield of expression * label_description * expression
    | Texp_array of expression list
    | Texp_ifthenelse(if_expr, then_expr, else_expr) ->
    | Texp_sequence of expression * expression
    | Texp_while of expression * expression
    | Texp_for of
	Ident.t * expression * expression * direction_flag * expression
    | Texp_when of expression * expression
    | Texp_send of expression * meth
    | Texp_new of Path.t * class_declaration
    | Texp_instvar of Path.t * Path.t
    | Texp_setinstvar of Path.t * Path.t * expression
    | Texp_override of Path.t * (Path.t * expression) list
    | Texp_letmodule of Ident.t * module_expr * expression
    | Texp_assert of expression
    | Texp_assertfalse
    | Texp_lazy of expression
    | Texp_object of class_structure * class_signature * string list *)
    | Texp_result
    | Texp_old _ ->
	assert false (* impossible *)
    | Texp_implies(a, b) ->
	JCAimplies(
	  make_assertion (assertion env a),
	  make_assertion (assertion env b))
    | _ -> not_implemented e.exp_loc "ml_interp.ml: assertion"

type jessie_or_caml_expr =
  | Jessie_expr of Jc_ast.texpr
  | Caml_expr of Ml_ocaml.Typedtree.expression

let try_expression env e =
  try
    Jessie_expr(make_expr (expression env e) (make e.exp_type))
  with Not_an_expression ->
    Caml_expr e

let rec statement env e cont =
  match e.exp_desc with
    | Texp_ident _
    | Texp_constant _ ->
	cont (make_expr (expression env e) (make e.exp_type))
    | Texp_let((Nonrecursive | Default),
	       [ { pat_desc = Tpat_var id }, eq_expr ], in_expr) ->
	let new_env, vi =
	  Ml_env.add_var (name id) (make eq_expr.exp_type) env
	in
	let in_ty = make in_expr.exp_type in
	if is_unit in_ty then begin
	  (* no need for a temporary variable for the result *)
	  statement env eq_expr
	    (fun eq_res ->
	       make_statement_block [
		 make_var_decl vi (Some eq_res)
		   (statement new_env in_expr make_discard);
		 cont void;
	       ])
	end else begin
	  let in_tmp = new_var in_ty in
	  statement env eq_expr
	    (fun eq_res ->
	       make_var_decl in_tmp None
		 (make_statement_block [
		    make_var_decl vi (Some eq_res)
		      (statement new_env in_expr (make_affect in_tmp));
		    cont (make_expr (JCTEvar in_tmp) in_ty);
		  ]))
	end
    | Texp_let(Recursive, _, _) ->
	not_implemented e.exp_loc "recursive let"
(*    | Texp_function of (pattern * expression) list * partial*)
    | Texp_apply(f, args) ->
	let args = list_filter_option (List.map fst args) in
	let args_try =
	  List.combine
	    (List.map (try_expression env) args)
	    (List.map (fun e -> e.exp_type) args)
	in
	let args_final = List.map
	  (function
	     | Jessie_expr e, ty -> e, ty
	     | Caml_expr e, _ -> not_implemented e.exp_loc
		 "while loop in argument")
	  args_try
	in
	cont (match f.exp_desc with
	  | Texp_ident(path, { val_kind = Val_reg }) ->
	      make_apply_expr env e.exp_loc path e.exp_type args_final
(*	      apply_op_expr id args_final (binary_op_expr e.exp_loc)
		(fun x -> let fi = try
		   Ml_env.find_fun x env
		 with
		   | Ml_env.Not_found_str x -> locate_error e.exp_loc
		       "unknown function: %s" x
		 in
		 make_expr (JCTEcall(fi, args_final))
		   fi.jc_fun_info_result.jc_var_info_type)*)
	  | _ -> not_implemented e.exp_loc "unsupported application (statement)"
	)
    | Texp_match(me, pel, _) ->
	statement env me
	  (fun res ->
	     make_var_tmp (make me.exp_type) (Some res)
	       (fun _ arg ->
		  make_var_tmp (make e.exp_type) None
		    (fun resvi rese ->
		       let psl = List.map
			 (fun (p, e) ->
			    let newenv, p = pattern env p in
			    let s = statement newenv e (make_affect resvi) in
			    p, [s])
			 pel
		       in
		       make_statement_block [
			 make_statement (JCTSmatch(arg, psl));
			 cont rese;
		       ])))
(*    | Texp_try of expression * (pattern * expression) list*)
    | Texp_tuple el ->
	let si = structure e.exp_type in
	make_alloc_tmp si
	  (fun _ tmp_e ->
	     make_statement_block [
	       statement_list env el
		 (list_mapi
		    (fun i _ ->
		       let fi = proj e.exp_type i in
		       make_affect_field tmp_e fi)
		    el);
	       cont tmp_e;
	     ])
    | Texp_construct(cd, el) ->
	let ci = constructor e.exp_type cd in
	make_alloc_tmp ci.ml_ci_structure
	  (fun _ tmp_e ->
	     make_statement_block [
	       statement_list env el
		 (List.map (fun fi -> make_affect_field tmp_e fi)
		    ci.ml_ci_arguments);
	       cont tmp_e;
	     ])
(*    | Texp_variant of label * expression option*)
    | Texp_record(lel, None) ->
	let si = structure e.exp_type in
	make_alloc_tmp si
	  (fun _ tmp_e ->
	     make_statement_block [
	       statement_list env (List.map snd lel)
		 (List.map
		    (fun (ld, _) ->
		       let li = label e.exp_type ld in
		       make_affect_field tmp_e li.ml_li_field)
		    lel);
	       cont tmp_e;
	     ])
    | Texp_record(_, Some _) ->
	not_implemented e.exp_loc "record with"
    | Texp_field(e, lbl) ->
	let fi = (label e.exp_type lbl).ml_li_field in
	statement env e
	  (fun res -> cont
	     (make_expr (JCTEderef(res, fi))
		fi.jc_field_info_type))
    | Texp_setfield(e, lbl, v) ->
	let fi = (label e.exp_type lbl).ml_li_field in
	statement env e
	  (fun res ->
	     statement env v
	       (fun res2 -> cont
		  (make_expr (JCTEassign_heap(res, fi, res2))
		     (JCTnative Tunit))))
(*    | Texp_array of expression list*)
    | Texp_ifthenelse(if_expr, then_expr, else_expr) ->
	let ty = make then_expr.exp_type in
	if is_unit ty then begin
	  (* no temporary variable for the result, as it is discarded *)
	  statement env if_expr
	    (fun if_res ->
	       let if_statement =
		 JCTSif(
		   if_res,
		   statement env then_expr cont,
		   match else_expr with
		     | None -> make_statement (JCTSblock [])
		     | Some e -> statement env e cont)
	       in
	       make_statement if_statement)
	end else begin
	  let tmp = new_var ty in
	  statement env if_expr
	    (fun if_res ->
	       let if_statement =
		 JCTSif(
		   if_res,
		   statement env then_expr (make_affect tmp),
		   match else_expr with
		     | None -> make_statement (JCTSblock [])
		     | Some e -> statement env e (make_affect tmp))
	       in
	       make_var_decl tmp None
		 (make_statement_block [
		    make_statement if_statement;
		    cont (make_expr (JCTEvar tmp) ty);
		  ]))
	end
    | Texp_sequence(e1, e2) ->
	make_statement_block [
	  statement env e1 make_discard;
	  statement env e2 cont;
	]
    | Texp_while(cond, annot, body) ->
	let annot = {
	  jc_loop_tag = fresh_int ();
	  jc_loop_invariant =
	    (match annot.ws_invariant with
	       | None -> make_assertion JCAtrue
	       | Some x -> make_assertion (assertion env x)); 
	  jc_loop_variant =
	    (match annot.ws_variant with
	       | None -> None
	       | Some x -> Some(
		   make_term (term env x) (make x.exp_type)));
	  jc_free_loop_invariant = make_assertion JCAtrue;
	} in
	statement env cond
	  (fun e -> make_statement_block [
	     make_statement (JCTSwhile("", e, annot,
				       statement env body make_discard));
	     cont void;
	   ])
(*    | Texp_for of
	Ident.t * expression * expression * direction_flag * expression
    | Texp_when of expression * expression
    | Texp_send of expression * meth
    | Texp_new of Path.t * class_declaration
    | Texp_instvar of Path.t * Path.t
    | Texp_setinstvar of Path.t * Path.t * expression
    | Texp_override of Path.t * (Path.t * expression) list
    | Texp_letmodule of Ident.t * module_expr * expression*)
    | Texp_assert e ->
	make_statement_block [
	  make_statement (JCTSassert (make_assertion (assertion env e)));
	  cont void;
	]
    | Texp_assertfalse ->
	make_statement_block [
	  make_statement (JCTSassert (make_assertion JCAfalse));
	  cont void;
	]
(*    | Texp_lazy of expression
    | Texp_object of class_structure * class_signature * string list *)
    | Texp_result
    | Texp_old _ ->
	assert false (* impossible *)
    | _ -> not_implemented e.exp_loc "ml_interp.ml: statement"

and statement_list env l conts =
  let stl = List.fold_left2
    (fun stl e cont -> match e with
       | Jessie_expr e -> (cont e)::stl
       | Caml_expr e -> (statement env e cont)::stl)
    []
    (List.map (try_expression env) l)
    conts
  in
  make_statement_block (List.rev stl)

let behavior env b =
  log "        Behavior %s..." b.b_name;
  Loc.dummy_position,
  b.b_name,
  { 
    jc_behavior_throws = None;
    jc_behavior_assumes = None;
    jc_behavior_assigns = None;
    jc_behavior_ensures = make_assertion(assertion env b.b_ensures);
  }

let invariants env spec =
  list_fold_map
    (fun env i ->
       let arg_vi, body = pattern_assertion env
	 (fun env -> make_assertion (assertion env i.ti_body))
	 i.ti_argument
       in
       let final_env, _ =
	 Ml_env.add_logic_fun (name i.ti_name) [ arg_vi ] None env
       in
       final_env, (name i.ti_name, arg_vi, body))
    env
    spec.ts_invariants

let rec function_decl env e = match e.exp_desc with
  | Texp_function([ { pat_desc = Tpat_var pid;
		      pat_type = pty },
		    body ], _) ->
      let params, body' = function_decl env body in
      (pid, pty)::params, body'
  | _ -> [], e

let rec read_location_set env = function
  | RLvar id ->
      JCLSvar(Ml_env.find_var (Ml_ocaml.Path.name id) env)
  | RLderef(rl, ld) ->
      not_implemented Ml_ocaml.Location.none "deref in reads"

let rec read_location env = function
  | RLvar id ->
      JCLvar(Ml_env.find_var (Ml_ocaml.Path.name id) env)
  | RLderef(rl, ld) ->
      not_implemented Ml_ocaml.Location.none "deref in reads"

let structure_item env = function
  | Tstr_value(recflag, [ { pat_desc = Tpat_var id },
		    ({ exp_desc = Texp_function _ } as expr) ]) ->
      let fun_name = identifier_of_symbol (name id) in
      log "    Function %s (%s):" (name id) fun_name;
      let params, body = function_decl env expr in
      log "      Looking for spec...";
      let spec =
	try
	  Ml_env.find_fun_spec id env
	with Ml_env.Not_found_str _ ->
	  log "        Not found";
	  {
	    fs_function = Pident id; (* unused *)
	    fs_arguments = []; (* unused *)
	    fs_requires = None;
	    fs_behaviors = [];
	  }
      in
      log "      Return type...";
      let return_type = make body.exp_type in
      log "      Building environment...";
      let new_env, params' = list_fold_map
	(fun env (pid, pty) -> Ml_env.add_var (name pid) (make pty) env)
	env
	params
      in
      let body_env = match recflag with
	| Nonrecursive
	| Default ->
	    new_env
	| Recursive ->
	    Ml_env.add_fun (name id) params' return_type new_env
      in
      log "      Body...";
      let body' = statement body_env body
	(if is_unit return_type then make_discard else make_return)
      in
      log "      Requires...";
      let requires = match spec.fs_requires with
	| None -> JCAtrue
	| Some x -> assertion body_env x
      in
      log "      Behaviors...";
      let behaviors = List.map (behavior body_env) spec.fs_behaviors in
      log "      Finalizing...";
      let jc_spec = {
	jc_fun_requires = {
	  jc_assertion_node = requires;
	  jc_assertion_loc = Loc.dummy_position;
	  jc_assertion_label = "";
	};
	jc_fun_behavior = behaviors;
	jc_fun_free_requires = make_assertion JCAtrue;
      } in
      let jc_fun_def = make_fun_def
	~name:fun_name
	~return_type:return_type
	~params:params'
	~body:[body']
	~spec:jc_spec
	()
      in
      [ jc_fun_def ], Ml_env.add_fun (name id) params' return_type env
  | Tstr_type l ->
      List.iter (fun (id, td) -> declare id td false) l;
      [], env
  | Tstr_function_spec _ -> [], env (* done before (see add_structure_specs) *)
  | Tstr_type_spec ({ ts_type = Pident id } as spec) ->
      let env, invariants = invariants env spec in
      List.iter (add_invariant id) invariants;
      [], env
  | Tstr_logic_function_spec lfs ->
      begin match lfs.lfs_arguments with
	| [] ->
	    (* logic constant *)
	    let ty = make lfs.lfs_return_type in
	    let id = name lfs.lfs_name in
	    [ JClogic_const_def(
		ty,
		id,
		match lfs.lfs_body with
		  | OBbody e -> Some(make_term (term env e) (make e.exp_type))
		  | OBreads [] -> None
		  | OBreads _ -> assert false) ],
	    fst (Ml_env.add_var id ty env)
	| _ ->
	    (* logic function *)
	    let rty = if lfs.lfs_predicate then None else
	      Some(make lfs.lfs_return_type) in
	    let id = name lfs.lfs_name in
	    let body_env, args = list_fold_mapi
	      (fun env i -> function
		 | { pat_desc = Tpat_var id; pat_type = ty } ->
		     Ml_env.add_var (name id) (make ty) env
		 | { pat_loc = loc } ->
		     not_implemented loc "pattern in logic function argument")
	      env
	      lfs.lfs_arguments
	    in
	    [ JClogic_fun_def(
		rty,
		id,
		[],
		args,
		match lfs.lfs_body with
		  | OBbody e ->
		      JCTerm(make_term (term body_env e) (make e.exp_type))
		  | OBreads rl ->
		      JCReads(List.map (read_location body_env) rl)) ],
	    fst (Ml_env.add_logic_fun id args rty env)
      end
  | Tstr_logic_type_spec(id, td) ->
      declare id td true;
      [], env
  | Tstr_axiom_spec axs ->
      let args, body = pattern_list_assertion env
	(fun env -> make_assertion (assertion env axs.as_body))
	axs.as_arguments
      in
      let body = quantify_list Forall args body in
      let li = {
	label_info_name = "L";
	label_info_final_name = "L";
	times_used = 0;
      } in
      [ JClemma_def(axs.as_name, true, [LabelName li], body) ], env
  | x -> not_implemented Ml_ocaml.Location.none "ml_interp.ml.structure_item"

let rec structure env = function
  | [] -> [], env
  | si::tl ->
      let jc_items, new_env = structure_item env si in
      let jc_rem_items, final_env = structure new_env tl in
      jc_items @ jc_rem_items, final_env

let add_structure_specs env = List.fold_left
  (fun env -> function
     | Tstr_function_spec ({ fs_function = Pident id } as spec) ->
	 Ml_env.add_fun_spec id spec env
     | _ -> env)
  env

let base_decls = [
  JCinvariant_policy InvOwnership;
]

(*
Local Variables: 
compile-command: "unset LANG; make -j -C .. bin/jessica.opt"
End: 
*)
why-2.34/ml/ml_misc.ml0000644000175000017500000004250612311670312013211 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Lexing
open Ml_ocaml.Location

module StringMap = Map.Make(String)

(******************************************************************************)

let error x =
  Printf.ksprintf
    (fun s -> Printf.fprintf stderr "%s\n%!" s; exit 1) x

let locate_error loc =
  Printf.ksprintf
    (fun s -> error "File \"%s\", line %d, characters %d-%d:\n%s"
       loc.loc_start.pos_fname
       loc.loc_start.pos_lnum
       (loc.loc_start.pos_cnum - loc.loc_start.pos_bol)
       (loc.loc_end.pos_cnum - loc.loc_start.pos_bol)
       s)

let caml_error loc report error =
  let buf = Buffer.create 64 in
  let fmt = Format.formatter_of_buffer buf in
  report fmt error;
  Format.pp_print_flush fmt ();
  locate_error loc "%s" (Buffer.contents buf)

let log x =
  Printf.ksprintf
    (fun s -> Printf.printf "%s\n%!" s) x

let not_implemented loc =
  Printf.ksprintf (locate_error loc "Not implemented (%s)")

let fresh_int = let c = ref(-1) in fun () -> incr c; !c

let rec list_filter_option acc = function
  | [] -> List.rev acc
  | None::rem -> list_filter_option acc rem
  | (Some x)::rem -> list_filter_option (x::acc) rem
let list_filter_option l = list_filter_option [] l

let rec list_fold_map acc f useracc = function
  | [] -> useracc, List.rev acc
  | x::rem ->
      let useracc', y = f useracc x in
      list_fold_map (y::acc) f useracc' rem
let list_fold_map x = list_fold_map [] x

let rec list_fold_map2 acc f useracc l1 l2 = match l1, l2 with
  | [], [] -> useracc, List.rev acc
  | x1::rem1, x2::rem2 ->
      let useracc', y = f useracc x1 x2 in
      list_fold_map2 (y::acc) f useracc' rem1 rem2
  | _::_, [] | [], _::_ -> raise (Invalid_argument "list_fold_map2")
let list_fold_map2 x = list_fold_map2 [] x

let rec list_fold_mapi i acc f useracc = function
  | [] -> useracc, List.rev acc
  | x::rem ->
      let useracc', y = f useracc i x in
      list_fold_mapi (i+1) (y::acc) f useracc' rem
let list_fold_mapi x = list_fold_mapi 0 [] x

let rec list_mapi f index acc = function
  | [] -> List.rev acc
  | x::rem -> list_mapi f (index + 1) ((f index x)::acc) rem
let list_mapi f = list_mapi f 0 []

let rec list_iteri f index = function
  | [] -> ()
  | x::rem ->
      f index x;
      list_iteri f (index + 1) rem
let list_iteri f = list_iteri f 0

let rec list_fold_lefti f i acc = function
  | [] -> acc
  | x::rem ->
      list_fold_lefti f (i+1) (f i acc x) rem
let list_fold_lefti f = list_fold_lefti f 0

let triple_of_list ?(loc = Ml_ocaml.Location.none) = function
  | [x; y; z] -> x, y, z
  | args -> locate_error loc "3 arguments needed, %d found" (List.length args)

let couple_of_list ?(loc = Ml_ocaml.Location.none) = function
  | [x; y] -> x, y
  | args -> locate_error loc "2 arguments needed, %d found" (List.length args)

let singleton_of_list ?(loc = Ml_ocaml.Location.none) = function
  | [x] -> x
  | args -> locate_error loc "1 argument needed, %d found" (List.length args)

(******************************************************************************)

let identifier_of_symbol_char = function
  | '!' -> "bang"
  | ':' -> "colon"
  | '=' -> "equal"
  | '[' -> "lsquare"
  | ']' -> "rsquare"
  | '\'' -> "prime"
  | c -> String.make 1 c

let identifier_of_symbol = function
  | "ref" -> "jessica_ref"
  | s ->
      let buf = Buffer.create 10 in
      for i = 0 to String.length s - 1 do
	Buffer.add_string buf (identifier_of_symbol_char s.[i])
      done;
      Buffer.contents buf

let idents = Hashtbl.create 111 (* 111 = 42 + 69 *)

let fresh_ident base =
  if Hashtbl.mem idents base then begin
    let i = Hashtbl.find idents base + 1 in
    Hashtbl.replace idents base i;
    identifier_of_symbol base ^ string_of_int i
  end else begin
    Hashtbl.add idents base 0;
    identifier_of_symbol base
  end

(******************************************************************************)

open Jc_ast
open Jc_env
open Jc_fenv
open Jc_output

let default_region = Jc_region.dummy_region

let is_unit t = t = JCTnative Tunit

let is_void_statement_node = function
  | JCTSblock []
  | JCTSexpr({ jc_texpr_node = JCTEconst JCCvoid }) -> true
  | _ -> false

let is_void_statement s = is_void_statement_node s.jc_tstatement_node

let make_expr ?(loc=Loc.dummy_position) ?(label="") ~node ~ty = {
  jc_texpr_node = node;
  jc_texpr_loc = loc;
  jc_texpr_type = ty;
  jc_texpr_label = label; (* ? *)
  jc_texpr_region = default_region;
}

let make_assertion ?(loc=Loc.dummy_position) ?(label="") ~node = {
  jc_assertion_node = node;
  jc_assertion_loc = loc;
  jc_assertion_label = label; (* ? *)
}

let make_term ?(loc=Loc.dummy_position) ?(label="") ~node ~ty = {
  jc_term_node = node;
  jc_term_type = ty;
  jc_term_loc = loc;
  jc_term_label = label;
  jc_term_region = default_region;
}

let make_bool_expr ?(loc=Loc.dummy_position) ?(label="") ~node =
  make_expr ~loc:loc ~label:label ~node:node ~ty:(JCTnative Tboolean)

let make_int_expr ?(loc=Loc.dummy_position) ?(label="") ~node =
  make_expr ~loc:loc ~label:label ~node:node ~ty:(JCTnative Tinteger)

let make_bool_term ?(loc=Loc.dummy_position) ?(label="") ~node =
  make_term ~loc:loc ~label:label ~node:node ~ty:(JCTnative Tboolean)

let make_int_term ?(loc=Loc.dummy_position) ?(label="") ~node =
  make_term ~loc:loc ~label:label ~node:node ~ty:(JCTnative Tinteger)

let make_eq_term a b =
  (* it shouldn't always be "int"... but for the output it works *)
  make_bool_term (JCTbinary(a, Beq_int, b))

let make_eq_expr a b =
  make_expr (JCTEbinary(a, Beq_int, b)) (JCTnative Tboolean)

let make_eq_assertion a b =
  make_assertion (JCAbool_term(make_eq_term a b))

let make_var_term vi =
  make_term (JCTvar vi) vi.jc_var_info_type

let make_var_expr vi =
  make_expr (JCTEvar vi) vi.jc_var_info_type

let make_and a b = match a.jc_assertion_node, b.jc_assertion_node with
  | JCAand al, JCAand bl -> make_assertion (JCAand(al@bl))
  | JCAtrue, _ -> b
  | _, JCAtrue -> a
  | _ -> make_assertion (JCAand [ a; b ])

let make_implies a b = match a.jc_assertion_node with
  | JCAtrue -> b
  | _ -> make_assertion (JCAimplies(a, b))

let make_and_expr a b = match a.jc_texpr_node, b.jc_texpr_node with
  | JCTEconst JCCboolean true, _ -> b
  | _, JCTEconst JCCboolean true -> a
  | _ -> make_bool_expr (JCTEbinary(a, Bland, b))

let make_and_term a b = match a.jc_term_node, b.jc_term_node with
  | JCTconst JCCboolean true, _ -> b
  | _, JCTconst JCCboolean true -> a
  | _ -> make_bool_term (JCTbinary(a, Bland, b))

let make_or a b = match a.jc_assertion_node, b.jc_assertion_node with
  | JCAor al, JCAor bl -> make_assertion (JCAor(al@bl))
  | JCAfalse, _ -> b
  | _, JCAfalse -> a
  | _ -> make_assertion (JCAor [ a; b ])

let make_or_expr a b = match a.jc_texpr_node, b.jc_texpr_node with
  | JCTEconst JCCboolean false, _ -> b
  | _, JCTEconst JCCboolean false -> a
  | _ -> make_bool_expr (JCTEbinary(a, Blor, b))

let make_or_term a b = match a.jc_term_node, b.jc_term_node with
  | JCTconst JCCboolean false, _ -> b
  | _, JCTconst JCCboolean false -> a
  | _ -> make_bool_term (JCTbinary(a, Blor, b))

let make_and_list = List.fold_left make_and (make_assertion JCAtrue)

let make_and_list_expr = List.fold_left make_and_expr
  (make_bool_expr (JCTEconst(JCCboolean true)))

let make_and_list_term = List.fold_left make_and_term
  (make_bool_term (JCTconst(JCCboolean true)))

let make_or_list = List.fold_left make_or (make_assertion JCAfalse)

let make_or_list_expr = List.fold_left make_or_expr
  (make_bool_expr (JCTEconst(JCCboolean false)))

let make_or_list_term = List.fold_left make_or_term
  (make_bool_term (JCTconst(JCCboolean false)))

let expr_of_int i = make_int_expr(JCTEconst(JCCinteger(string_of_int i)))

let term_of_int i = make_int_term(JCTconst(JCCinteger(string_of_int i)))

let make_var_info ~name ~ty = {
    jc_var_info_tag = fresh_int ();
    jc_var_info_name = name;
    jc_var_info_final_name = name;
    jc_var_info_type = ty;
    jc_var_info_formal = false;
    jc_var_info_assigned = false;
    jc_var_info_static = false;
    jc_var_info_region = default_region;
  }

(* Jc_pervasives produces names that will be used by Jessie too, which is bad *)
let new_var = let var_cnt = ref 0 in fun ?add ty ->
  let add = match add with
    | None -> "_"
    | Some s -> "_"^s^"_"
  in
  incr var_cnt;
  let id = "jessica"^add^(string_of_int !var_cnt) in
  make_var_info ~name:id ~ty:ty

let ignored_var ty = make_var_info ~name:"jessica_ignored" ~ty:ty

let expr_seq_to_let =
  List.fold_right
    (fun e acc ->
       make_expr
	 (JCTElet(ignored_var e.jc_texpr_type, e, acc))
	 acc.jc_texpr_type)

let make_statement ?(loc=Loc.dummy_position) s = {
  jc_tstatement_node = s;
  jc_tstatement_loc = loc;
}

let make_statement_block ?(loc=Loc.dummy_position) sl =
  (* remove voids and flatten blocks *)
  let sl = List.map
    (fun s ->
       if is_void_statement s then [] else
	 match s with
	   | { jc_tstatement_node = JCTSblock l } -> l
	   | _ -> [ s ])
    sl
  in
  match List.flatten sl with
    | ([] as l)
    | ([ { jc_tstatement_node = JCTSdecl _ } ] as l)
    | (_::_::_ as l) -> make_statement ~loc:loc (JCTSblock l)
    | [ x ] -> x

let make_affect vi e =
  if is_unit e.jc_texpr_type then
    make_statement (JCTSexpr e)
  else
    make_statement (JCTSexpr({ e with jc_texpr_node = JCTEassign_var(vi, e) }))

let make_affect_field x fi e =
  if is_unit e.jc_texpr_type then
    make_statement (JCTSexpr e)
  else
    make_statement (JCTSexpr({ e with jc_texpr_node =
				 JCTEassign_heap(x, fi, e) }))

let make_affect_field_expr x fi e =
  make_expr (JCTEassign_heap(x, fi, e)) (JCTnative Tunit)

let make_discard e =
  make_statement (JCTSexpr e)

let make_return e =
  make_statement (JCTSreturn(e.jc_texpr_type, e))

let make_var_decl vi init s =
  make_statement (JCTSdecl(vi, init, s))

let make_var_decls =
  List.fold_left (fun acc vi -> make_var_decl vi None acc)

let make_var_tmp ty init cont =
  let vi = new_var ty in
  make_var_decl vi init (cont vi (make_expr (JCTEvar vi) ty))

let make_let_tmp ty f =
  let vi = new_var ty in
  let ve = make_expr (JCTEvar vi) ty in
  let a, b = f vi ve in
  JCTElet(vi, a, b)

let make_pointer ?min ?max tov =
  JCTpointer(tov,
	     (match min with None -> None | Some i -> Some(Num.num_of_int i)),
	     (match max with None -> None | Some i -> Some(Num.num_of_int i)))

let make_valid_pointer tov =
  make_pointer ~min:0 ~max:0 tov

let make_let_alloc_tmp ?(count=expr_of_int 1) si f =
  let ty = make_valid_pointer (JCtag si) in
  let init = make_expr (JCTEalloc(count, si)) ty in
  make_let_tmp ty (fun vi ve -> init, f vi ve)

let make_seq_expr el acc =
  let ty = acc.jc_texpr_type in
  List.fold_left
    (fun acc e -> make_expr (JCTElet(ignored_var e.jc_texpr_type, e, acc)) ty)
    acc
    (List.rev el)

let make_alloc_tmp si =
  let ty = make_valid_pointer (JCtag si) in
  let init = make_expr (JCTEalloc(expr_of_int 1, si)) ty in
  make_var_tmp ty (Some init)

(*let make_alloc_tmp si cont =
  let tmp_ty = make_pointer_type si in
  let tmp_var = new_var tmp_ty in
  let tmp_expr = make_expr (JCTEvar tmp_var) tmp_ty in
  let tmp_init = make_expr (JCTEalloc(expr_of_int 1, si)) tmp_ty in
  make_var_decl tmp_var (Some tmp_init) (cont tmp_var tmp_expr)*)

let void = make_expr (JCTEconst JCCvoid) (JCTnative Tunit)

let make_variant name =
  let name = identifier_of_symbol name in {
    jc_variant_info_name = name;
    jc_variant_info_roots = [];
  }

let make_root_struct vi name =
  let name = identifier_of_symbol name in
  let rec si = {
    jc_struct_info_name = name;
    jc_struct_info_parent = None;
    jc_struct_info_root = si;
    jc_struct_info_fields = [];
    jc_struct_info_variant = Some vi;
  } in
  vi.jc_variant_info_roots <- si::vi.jc_variant_info_roots;
  si

let make_field si name jcty =
  let name = identifier_of_symbol name in
  let fi = {
    jc_field_info_tag = fresh_int ();
    jc_field_info_name = name;
    jc_field_info_final_name = name;
    jc_field_info_type = jcty;
    jc_field_info_struct = si;
    jc_field_info_root = si.jc_struct_info_root;
    jc_field_info_rep = true;
  } in
  si.jc_struct_info_fields <- fi::si.jc_struct_info_fields;
  fi

let make_var name ty =
  let name = identifier_of_symbol name in
  {
    jc_var_info_tag = fresh_int ();
    jc_var_info_name = name;
    jc_var_info_final_name = name;
    jc_var_info_type = ty;
    jc_var_info_region = default_region;
    jc_var_info_formal = false;
    jc_var_info_assigned = false;
    jc_var_info_static = false;
  }

let dummy_variant = make_variant "dummy_variant"
let dummy_struct = make_root_struct dummy_variant "dummy_struct"

let make_struct_def si invs =
  JCstruct_def(
    si.jc_struct_info_name,
    (match si.jc_struct_info_parent with
       | None -> None
       | Some si -> Some si.jc_struct_info_name),
    si.jc_struct_info_fields,
    invs
  )

let make_variant_def vi =
  JCvariant_type_def(
    vi.jc_variant_info_name,
    List.map (fun root -> root.jc_struct_info_name) vi.jc_variant_info_roots
  )

let make_app li args = {
  jc_app_fun = li;
  jc_app_args = args;
  jc_app_region_assoc = [];
  jc_app_label_assoc = [];
}

let make_app_term_node li args = JCTapp (make_app li args)

let quantify q vi body =
  make_assertion (JCAquantifier(q, vi, body))

let quantify_list q =
  List.fold_right (quantify q)

let make_fun_info ~name ~return_type ~params () = {
  jc_fun_info_tag = fresh_int ();
  jc_fun_info_name = name;
  jc_fun_info_final_name = name;
  jc_fun_info_result = make_var ("jessica_"^name^"_result") return_type;
  jc_fun_info_parameters = params;
  jc_fun_info_calls = [];
  jc_fun_info_logic_apps = [];
  jc_fun_info_effects = Jc_pervasives.empty_fun_effect;
  jc_fun_info_return_region = default_region;
  jc_fun_info_param_regions = [];
  jc_fun_info_is_recursive = false;
}

let make_fun_def ~name ~return_type ~params ?body ~spec () =
  JCfun_def(
    return_type,
    name,
    params,
    spec,
    body
  )

let make_behavior ?throws ?assumes ?assigns
    ?(ensures=make_assertion JCAtrue) () =
  {
    jc_behavior_throws = throws;
    jc_behavior_assumes = assumes;
    jc_behavior_assigns = begin match assigns with
      | None -> None
      | Some l -> Some(Loc.dummy_position, l)
    end;
    jc_behavior_ensures = ensures;
  }

let make_fun_spec ?(requires=make_assertion JCAtrue)
    ?(free_requires=make_assertion JCAtrue)
    ?ensures ?assigns ?(behaviors=[]) () =
  {
    jc_fun_requires = requires;
    jc_fun_free_requires = free_requires;
    jc_fun_behavior =
      let b = match ensures, assigns with
	| None, None -> None
	| Some e, None -> Some (make_behavior ~ensures:e ())
	| None, Some a -> Some (make_behavior ~assigns:a ())
	| Some e, Some a -> Some (make_behavior ~ensures:e ~assigns:a ())
      in
      match b with
	| None -> behaviors
	| Some b -> (Loc.dummy_position, "default", b)::behaviors
  }

let make_offset_min term si =
  make_int_term (JCToffset(Offset_min, term, si))

let make_offset_max term si =
  make_int_term (JCToffset(Offset_max, term, si))

let result_var ty =
  make_var_info "\\result" ty

let result_term ty =
  make_var_term (result_var ty)

let make_deref_term a b =
  make_term (JCTderef(a, LabelHere, b)) b.jc_field_info_type

let make_shift_term a b =
  make_term (JCTshift(a, b)) a.jc_term_type

let make_deref_location a b =
  JCLderef(a, LabelHere, b, default_region)

(*
Local Variables: 
compile-command: "unset LANG; make -C .. -f build.makefile jessica.all"
End: 
*)
why-2.34/ml/ml_ocaml.mlpack0000644000175000017500000000116512311670312014204 0ustar  rtusersparsing/Asttypes
parsing/Lexer
parsing/Linenum
parsing/Location
parsing/Longident
parsing/Parser
parsing/Parsetree
parsing/Syntaxerr

typing/Btype
typing/Ctype
typing/Datarepr
typing/Env
typing/Ident
typing/Includeclass
typing/Includecore
typing/Includemod
typing/Mtype
typing/Oprint
typing/Outcometree2
typing/Parmatch
typing/Path
typing/Predef
typing/Primitive
typing/Printtyp
typing/Stypes
typing/Subst
typing/Typeclass
typing/Typecore
typing/Typedecl
typing/Typedtree
typing/Typemod
typing/Types
typing/Typetexp
typing/Unused_var

utils/Clflags
utils/Config
utils/Consistbl
utils/Misc
utils/Tbl
utils/Terminfo
utils/Warnings
why-2.34/ml/ml_options.mli0000644000175000017500000000455012311670312014117 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

type input_kind = Ml | Mli

val input_files: (input_kind * string) list

val output_file: string
why-2.34/ml/ml_main.ml0000644000175000017500000001260612311670312013200 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* One module to rule them all, one module to find them, one module to bring
them all and in the bytecode bind them. *)

open Ml_misc
open Unix

let parse f file_name =
  (* Open file *)
  let fd = try
    openfile file_name [ O_RDONLY ] 0o640
  with
    | Unix_error _ -> error "Could not read file: %s" file_name
  in
  let chan = in_channel_of_descr fd in

  (* Parse file *)
  let lexbuf = Lexing.from_channel chan in
  Ml_ocaml.Location.init lexbuf file_name;
  try
    f Ml_ocaml.Lexer.token lexbuf
  with
    | Ml_ocaml.Lexer.Error(error, loc) ->
	caml_error loc Ml_ocaml.Lexer.report_error error
    | Parsing.Parse_error ->
	locate_error (Ml_ocaml.Location.curr lexbuf) "Parse error"

let file (mlenv, env) (file_kind, file_name) =
  match file_kind with
    | Ml_options.Ml ->
	log "Implementation %s:" file_name;
	let parse_tree = parse Ml_ocaml.Parser.implementation file_name in
	
        (* Type with the OCaml typer *)
	log "  Typing...";
	let typed_tree, _, new_env = try
	  Ml_ocaml.Typemod.type_structure env parse_tree
	with
	  | Ml_ocaml.Typecore.Error(loc, error) ->
	      caml_error loc Ml_ocaml.Typecore.report_error error
	  | Ml_ocaml.Typetexp.Error(loc, error) ->
	      caml_error loc Ml_ocaml.Typetexp.report_error error
	  | Ml_ocaml.Typemod.Error(loc, error) ->
	      caml_error loc Ml_ocaml.Typemod.report_error error
	in

	(* Add specifications to the environment *)
	log "  Listing function specifications...";
	let mlenv =
	  Ml_interp.add_structure_specs mlenv typed_tree
	in
	(*log "  Listing type specifications...";
	let spec_env =
	  Ml_interp.add_type_specs spec_env typed_tree
	in*)
  
        (* Interpret to a Jessie typed AST *)
	log "  Interpreting...";
        let code_decls, mlenv = Ml_interp.structure mlenv typed_tree in
	let type_decls = Ml_type.jc_decls () in
	let jessie_ast = Ml_interp.base_decls @ type_decls @ code_decls in

        (* Open the output file *)
	log "  Output file: %s" Ml_options.output_file;
	let fd = try
	  openfile Ml_options.output_file [ O_WRONLY; O_CREAT; O_TRUNC ] 0o640
	with
	  | Unix_error _ -> error "Could not open or create file: %s" file_name
	in
	let chan = out_channel_of_descr fd in

        (* Output our translation *)
	Jc_output.print_decls (Format.formatter_of_out_channel chan) jessie_ast;

	(* Return the new environment *)
	log "  Done.";
	mlenv, new_env
    | Ml_options.Mli ->
	log "Interface %s:" file_name;
	let parse_tree = parse Ml_ocaml.Parser.interface file_name in

	(* Type with the OCaml typer *)
	let typed_tree = try
	  Ml_ocaml.Typemod.transl_signature env parse_tree
	with
	  | Ml_ocaml.Typecore.Error(loc, error) ->
	      caml_error loc Ml_ocaml.Typecore.report_error error
	  | Ml_ocaml.Typetexp.Error(loc, error) ->
	      caml_error loc Ml_ocaml.Typetexp.report_error error
	  | Ml_ocaml.Typemod.Error(loc, error) ->
	      caml_error loc Ml_ocaml.Typemod.report_error error
	in

	(* Return the new environment *)
	mlenv, Ml_ocaml.Env.add_signature typed_tree env

let _ =
  List.fold_left
    file
    (Ml_pervasives.default_mlenv, Ml_pervasives.default_env)
    Ml_options.input_files

(*
Local Variables: 
compile-command: "unset LANG; make -j -C .. bin/jessica.byte"
End: 
*)
why-2.34/ml/ml_type.ml0000644000175000017500000003411712311670312013236 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* Interpretation of Ocaml types to Jessie *)

open Ml_misc
open Jc_ast
open Jc_env
open Jc_fenv
open Jc_output
open Ml_ocaml.Types
open Ml_ocaml.Ident
open Ml_ocaml.Location
open Format

let rec print_type fmt t =
  fprintf fmt "(level %d, id %d: " t.level t.id;
  begin match t.desc with
    | Tvar ->
	fprintf fmt "Tvar"
    | Tarrow(_, a, b, _) ->
	print_type fmt a;
	fprintf fmt " -> ";
	print_type fmt b
    | Ttuple tl ->
	List.iter (fun t -> print_type fmt t; fprintf fmt " * ") tl
    | Tconstr(path, tl, _) ->
	fprintf fmt "Tconstr %s [ " (Ml_ocaml.Path.name path);
	List.iter (fun t -> print_type fmt t; fprintf fmt "; ") tl;
	fprintf fmt "]";
    | Tobject _ ->
	fprintf fmt "Tobject"
    | Tfield _ ->
	fprintf fmt "Tfield"
    | Tnil ->
	fprintf fmt "Tnil"
    | Tlink lt ->
	fprintf fmt "Tlink";
	print_type fmt lt
    | Tsubst _ ->
	fprintf fmt "Tsubst"
    | Tvariant _ ->
	fprintf fmt "Tvariant"
    | Tunivar ->
	fprintf fmt "Tunivar"
    | Tpoly _ ->
	fprintf fmt "Tpoly"
  end;
  fprintf fmt ")"

let print_type t =
  let fmt = formatter_of_out_channel stdout in
  print_type fmt t;
  fprintf fmt "@."

type ml_label_info = {
  ml_li_name: string;
  ml_li_structure: Jc_env.struct_info;
  ml_li_field: Jc_env.field_info;
}

type ml_constructor_info = {
  ml_ci_name: string;
  ml_ci_structure: Jc_env.struct_info;
  ml_ci_arguments: Jc_env.field_info list;
}

type ml_array_info = {
  ml_ai_struct: Jc_env.struct_info;
  ml_ai_data_field: Jc_env.field_info;
  ml_ai_make: Jc_fenv.fun_info;
}

type ml_jessie_type =
  | MLTnot_closed
  | MLTnative of native_type
  | MLTrecord of Jc_env.struct_info * (string * ml_label_info) list
  | MLTvariant of Jc_env.variant_info * (string * ml_constructor_info) list
  | MLTtuple of Jc_env.struct_info
  | MLTlogic of string
  | MLTarray of ml_array_info

module ComparableCamlTypeList = struct
  type t = type_expr list

  let rec compare_lists f l1 l2 = match l1, l2 with
    | [], [] -> 0
    | x1::rem1, x2::rem2 ->
	let r = f x1 x2 in
	if r = 0 then compare_lists f rem1 rem2 else r
    | _::_, [] -> 1
    | [], _::_ -> -1

  let rec compare_types a b = match a.desc, b.desc with
    | Tvar, Tvar -> Pervasives.compare a.id b.id
    | Tlink a', _ -> compare_types a' b
    | _, Tlink b' -> compare_types a b'
    | Tconstr(p1, al1, _), Tconstr(p2, al2, _) ->
	let r = String.compare
	  (Ml_ocaml.Path.name p1)
	  (Ml_ocaml.Path.name p2)
	in
	if r = 0 then compare_lists compare_types al1 al2 else r
    | _ -> Pervasives.compare a b

  let rec compare = compare_lists compare_types
end

module ParamMap = Map.Make(ComparableCamlTypeList)

type ml_caml_type = {
  ml_ty_name: string;
  ml_ty_decl: Ml_ocaml.Types.type_declaration;
  ml_ty_logic: bool; (* unused, actually (using "Type_abstract" instead) *)
  mutable ml_ty_instances: ml_jessie_type ParamMap.t;
  mutable ml_ty_invariants: (string * Jc_env.var_info * Jc_ast.assertion) list;
}

let ml_types = Hashtbl.create 11 (* string -> ml_caml_type *)
let ml_tuples: Jc_env.struct_info ParamMap.t ref = ref ParamMap.empty
let ml_arrays: ml_array_info ParamMap.t ref = ref ParamMap.empty

let declare_str n td logic =
  Hashtbl.add ml_types n {
    ml_ty_name = n;
    ml_ty_decl = td;
    ml_ty_logic = logic;
    ml_ty_instances = ParamMap.empty;
    ml_ty_invariants = [];
  }

let declare id = declare_str (name id)

(* declare pervasive types *)
let _ =
  declare_str "list" Ml_ocaml.Predef.decl_list false

let add_invariant id inv =
  let mlty = Hashtbl.find ml_types (name id) in
  mlty.ml_ty_invariants <- inv::mlty.ml_ty_invariants

exception Not_closed

let rec make_type mlt =
  let not_implemented x = not_implemented none x in
  match mlt.desc with
    | Tvar -> raise Not_closed
    | Tarrow _ -> not_implemented "ml_type.ml: make_type: Tarrow"
    | Ttuple tl ->
	begin try
	  MLTtuple(ParamMap.find tl !ml_tuples)
	with Not_found ->
	  let jcty = tuple tl in
	  ml_tuples := ParamMap.add tl jcty !ml_tuples;
	  MLTtuple jcty
	end
    | Tconstr(path, args, _) ->
	begin match Ml_ocaml.Path.name path with
	  | "unit" -> MLTnative Tunit
	  | "int" -> MLTnative Tinteger
	  | "float" -> MLTnative Treal
	  | "bool" -> MLTnative Tboolean
	  | "array" ->
	      begin try
		MLTarray(ParamMap.find args !ml_arrays)
	      with Not_found ->
		let vi = make_variant (fresh_ident "jessica_array") in
		let si = make_root_struct vi (fresh_ident "jessica_array") in
		let fi, argty = match args with
		  | [ty] ->
		      let argty = make ty in
		      make_field si "t" argty, argty
		  | _ -> assert false (* array with #arguments <> 1 ?? *)
		in
		let make = make_fun_info
		  ~name:(fresh_ident "jessica_array_make")
		  ~return_type:(make_pointer ~min:0 (JCtag si))
		  ~params:[
		    make_var_info ~name:"n" ~ty:(JCTnative Tinteger);
		    make_var_info ~name:"v" ~ty:argty;
		  ]
		  ()
		in
		let ai = {
		  ml_ai_struct = si;
		  ml_ai_data_field = fi;
		  ml_ai_make = make;
		} in
		ml_arrays := ParamMap.add args ai !ml_arrays;
		MLTarray ai
	      end
	  | name ->
	      let ty = try
		Hashtbl.find ml_types name
	      with Not_found ->
		not_implemented "ml_type.ml: make_type: predefined type %s" name
	      in
	      begin try
		ParamMap.find args ty.ml_ty_instances
	      with Not_found ->
		try
		  let jcty = instance args ty in
		  ty.ml_ty_instances <-
		    ParamMap.add args jcty ty.ml_ty_instances;
		  jcty
		with Not_closed ->
		  MLTnot_closed
	      end
	end
    | Tobject _ -> not_implemented "ml_type.ml: make_type: Tobject"
    | Tfield _ -> not_implemented "ml_type.ml: make_type: Tfield"
    | Tnil -> not_implemented "ml_type.ml: make_type: Tnil"
    | Tlink t -> make_type t
    | Tsubst _ -> not_implemented "ml_type.ml: make_type: Tsubst"
    | Tvariant _ -> not_implemented "ml_type.ml: make_type: Tvariant"
    | Tunivar -> not_implemented "ml_type.ml: make_type: Tunivar"
    | Tpoly _ -> not_implemented "ml_type.ml: make_type: Tpoly"

and make mlt =
  match make_type mlt with
    | MLTnot_closed ->
	JCTlogic "caml_not_closed"
    | MLTnative t ->
	JCTnative t
    | MLTrecord(si, _)
    | MLTtuple si ->
	make_valid_pointer (JCtag si)
    | MLTvariant(vi, _) ->
	make_valid_pointer (JCvariant vi)
    | MLTlogic x ->
	JCTlogic x
    | MLTarray ai ->
	make_pointer ~min:0 (JCtag ai.ml_ai_struct)

and instance args ty =
  log "Instanciate type %s with %d/%d arguments." ty.ml_ty_name
    (List.length args) ty.ml_ty_decl.type_arity;
  match ty.ml_ty_decl.type_kind with
    | Type_abstract ->
	MLTlogic(fresh_ident ty.ml_ty_name)
    | Type_record(ll, _, _) ->
	let vi = make_variant (fresh_ident ty.ml_ty_name) in
	let si = make_root_struct vi (fresh_ident ty.ml_ty_name) in
	(* temporary declaration in case of recursive type definition *)
	ty.ml_ty_instances <- ParamMap.add
	  args (MLTrecord(si, [])) ty.ml_ty_instances;
	let lbls = List.map
	  (fun (name, _, lty) ->
	     let app_ty = Ml_ocaml.Ctype.apply (Ml_ocaml.Env.empty)
	       ty.ml_ty_decl.type_params lty args in
	     let fi = make_field si name (make app_ty) in
	     let li = {
	       ml_li_name = name;
	       ml_li_structure = si;
	       ml_li_field = fi;
	     } in
	     name, li)
	  ll
	in
	MLTrecord(si, lbls)
    | Type_variant(cl, _) ->
	let vi = make_variant (fresh_ident ty.ml_ty_name) in
	(* temporary declaration in case of recursive type definition *)
	ty.ml_ty_instances <- ParamMap.add
	  args (MLTvariant(vi, [])) ty.ml_ty_instances;
	let constrs = List.map
	  (fun (name, cargs) ->
	     let si = make_root_struct vi (fresh_ident name) in
	     let app_cargs = List.map
	       (fun caty ->
		  Ml_ocaml.Ctype.apply (Ml_ocaml.Env.empty)
		    ty.ml_ty_decl.type_params caty args)
	       cargs
	     in
	     let fi_args = list_mapi
	       (fun i ty -> make_field si (name^string_of_int i) (make ty))
	       app_cargs
	     in
	     let ci = {
	       ml_ci_name = name;
	       ml_ci_structure = si;
	       ml_ci_arguments = fi_args;
	     } in
	     name, ci)
	  cl
	in
	MLTvariant(vi, constrs)

and tuple tl =
  let vi = make_variant (fresh_ident "jessica_tuple") in
  let si = make_root_struct vi (fresh_ident "jessica_tuple") in
  list_iteri
    (fun i ty -> ignore (make_field si ("f"^string_of_int i) (make ty)))
    tl;
  si.jc_struct_info_fields <- List.rev si.jc_struct_info_fields;
  si

let structure ty =
  match make_type ty with
    | MLTrecord(si, _)
    | MLTtuple si
    | MLTarray{ml_ai_struct = si} -> si
    | _ -> failwith "ml_type.ml: structure: not translated to a structure type"

let label recty ld =
  match make_type recty with
    | MLTrecord(_, lbls) -> List.assoc ld.lbl_name lbls
    | _ -> failwith "ml_type.ml: label: not a record type"

let constructor varty cd =
  match make_type varty with
    | MLTvariant(_, constrs) -> List.assoc cd.cstr_name constrs
    | _ -> failwith "ml_type.ml: constructor: not a variant type"

let proj tty index =
  match make_type tty with
    | MLTtuple si -> List.nth si.jc_struct_info_fields index
    | _ -> failwith "ml_type.ml: proj: not a tuple type"

let array aty =
  match make_type aty with
    | MLTarray ai -> ai
    | _ -> failwith "ml_type.ml: array: not an array type"

let get_variant si = match si.jc_struct_info_variant with
  | None -> raise (Invalid_argument "ml_type.ml, get_variant")
  | Some vi -> vi

let jc_decl mlty = function
  | MLTnot_closed ->
      assert false
  | MLTnative t ->
      [ JClogic_type_def mlty.ml_ty_name ]
  | MLTrecord(si, lbls) ->
      [ make_variant_def (get_variant si);
	JCstruct_def(
	  si.jc_struct_info_name,
	  (match si.jc_struct_info_parent with
	     | None -> None
	     | Some si -> Some si.jc_struct_info_name),
	  List.map (fun (_, l) -> l.ml_li_field) lbls,
	  mlty.ml_ty_invariants
	)]
  | MLTvariant(vi, constrs) ->
      let c_defs = List.map
	(fun (_, ci) ->
	   let si = ci.ml_ci_structure in
	   JCstruct_def(
	     si.jc_struct_info_name,
	     None,
	     ci.ml_ci_arguments,
	     mlty.ml_ty_invariants
	   ))
	constrs
      in
      (make_variant_def vi)::c_defs
  | MLTlogic x ->
      [ JClogic_type_def x ]
  | MLTarray _ | MLTtuple _ ->
      (* declarations are made in jc_tuple_decl or jc_array_decl *)
      []

let jc_tuple_decl _ si acc = [
  make_variant_def (get_variant si);
  make_struct_def si [];
] @ acc

let jc_array_decl _ ai acc =
  let n, v = couple_of_list ai.ml_ai_make.jc_fun_info_parameters in
  let req = make_assertion
    (JCArelation(
       make_int_term (JCTvar n),
       Bge_int,
       term_of_int 0))
  in
  let rty = ai.ml_ai_make.jc_fun_info_result.jc_var_info_type in
  let result = result_term rty in
  let i = make_var_info ~name:"i" ~ty:(JCTnative Tinteger) in
  let ens = make_and_list [
    (*make_assertion
      (JCArelation(
	 make_offset_min result ai.ml_ai_struct,
	 Beq_int,
	 term_of_int 0));*) (* no need: included in return type *)
    make_assertion
      (JCArelation(
	 make_offset_max result ai.ml_ai_struct,
	 Beq_int,
	 make_int_term
	   (JCTbinary(
	      make_var_term n,
	      Bsub_int,
	      term_of_int 1))));
    make_assertion
      (JCAquantifier(
	 Forall, i,
	 make_assertion
	   (JCArelation(
	      make_deref_term
		(make_shift_term result (make_var_term i))
		ai.ml_ai_data_field,
	      Beq_int, (* hack *)
	      make_var_term v))))
  ] in
(*  let ass =
    [make_deref_location
       (JCLSvar (result_var rty))
       ai.ml_ai_data_field]
  in*)
  [
    make_variant_def (get_variant ai.ml_ai_struct);
    make_struct_def ai.ml_ai_struct [];
    make_fun_def
      ~name:ai.ml_ai_make.jc_fun_info_final_name
      ~return_type:rty
      ~params:ai.ml_ai_make.jc_fun_info_parameters
      ~spec:(make_fun_spec ~requires:req(* ~assigns:ass*) ~ensures:ens ())
      ()
  ] @ acc

let jc_decls () =
  let decls = [] in
  let decls = ParamMap.fold jc_tuple_decl !ml_tuples decls in
  let decls = ParamMap.fold jc_array_decl !ml_arrays decls in
  let decls = Hashtbl.fold
    (fun _ ty acc ->
       ParamMap.fold
	 (fun _ ity acc -> jc_decl ty ity @ acc)
	 ty.ml_ty_instances
	 acc)
    ml_types
    decls
  in
  decls

(*
Local Variables: 
compile-command: "unset LANG; make -C .. -f build.makefile jessica.all"
End: 
*)
why-2.34/ml/ml_pattern.ml0000644000175000017500000001172012311670312013725 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Ml_misc
open Jc_env
open Jc_ast
open Ml_ocaml.Typedtree
open Ml_ocaml.Ident
open Ml_type
open Ml_env
open Ml_constant

let rec pattern env pat =
  let newenv, node = match pat.pat_desc with
    | Tpat_any ->
	env, JCPany
    | Tpat_var id ->
	let env, vi = add_var (name id) (make pat.pat_type) env in
	env, JCPvar vi
    | Tpat_alias(p, id) ->
	let env, p = pattern env p in
	let env, vi = add_var (name id) (make pat.pat_type) env in
	env, JCPas(p, vi)
    | Tpat_constant c ->
	env, JCPconst(constant c)
    | Tpat_tuple pl ->
	let si = structure pat.pat_type in
	let env, fpl = list_fold_mapi
	  (fun env i p ->
	     let env, p = pattern env p in
	     env, (proj pat.pat_type i, p))
	  env pl
	in
	env, JCPstruct(si, fpl)
    | Tpat_construct(cd, pl) ->
	let ci = constructor pat.pat_type cd in
	let env, fpl = list_fold_map2
	  (fun env fi p ->
	     let env, p = pattern env p in
	     env, (fi, p))
	  env ci.ml_ci_arguments pl
	in
	env, JCPstruct(ci.ml_ci_structure, fpl)
    | Tpat_variant _ ->
	assert false (* TODO *)
    | Tpat_record lpl ->
	let si = structure pat.pat_type in
	let env, fpl = list_fold_map
	  (fun env (l, p) ->
	     let li = label pat.pat_type l in
	     let env, p = pattern env p in
	     env, (li.ml_li_field, p))
	  env lpl
	in
	env, JCPstruct(si, fpl)
    | Tpat_array _ ->
	assert false (* TODO *)
    | Tpat_or(p1, p2, _) ->
	let _, p1 = pattern env p1 in
	let env, p2 = pattern env p2 in
	env, JCPor(p1, p2)
  in newenv, {
    jc_pattern_node = node;
    jc_pattern_loc = Loc.dummy_position;
    jc_pattern_type = JCTnull;
  }

let pattern_list make env body pats =
  let benv, pats = list_fold_map pattern env pats in
  let args = List.map
    (fun pat -> match pat.jc_pattern_node with
       | JCPvar vi | JCPas(_, vi) -> vi
       | JCPor _ | JCPconst _ | JCPany | JCPstruct _ ->
	   new_var ~add:"arg" pat.jc_pattern_type)
    pats
  in
  let result = List.fold_right2
    (fun pat vi body ->
       match pat.jc_pattern_node with
	 | JCPvar _ -> body
	 | _ -> make pat vi body)
    pats args (body benv)
  in
  args, result

let pattern_list_term =
  pattern_list
    (fun pat vi body -> make_term
       (JCTmatch(
	  make_var_term vi,
	  [ pat, body ]
	))
       body.jc_term_type)

let pattern_list_assertion =
  pattern_list
    (fun pat vi body -> make_assertion
       (JCAmatch(
	  make_var_term vi,
	  [ pat, body ]
	)))

let pattern_ make env body pat =
  let args, result = make env body [pat] in
  let arg = match args with
    | [vi] -> vi
    | _ -> assert false (* impossible *)
  in
  arg, result

let pattern_term = pattern_ pattern_list_term

let pattern_assertion = pattern_ pattern_list_assertion

(*
Local Variables: 
compile-command: "unset LANG; make -j -C .. bin/jessica.opt"
End: 
*)
why-2.34/ml/ml_env.mli0000644000175000017500000000725112311670312013215 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

type t

exception Not_found_str of string

val empty: t

val add_var: string -> Jc_env.jc_type -> t -> t * Jc_env.var_info
val add_fun: string -> Jc_env.var_info list -> Jc_env.jc_type -> t -> t
(*val add_field: string -> Jc_env.jc_type -> Jc_env.struct_info -> t ->
  t * Jc_env.field_info
val add_constructor: string -> Jc_env.jc_type list -> Jc_env.struct_info ->
  int -> t -> t * Jc_env.field_info list
val add_struct: Jc_env.struct_info -> t -> t*)
val add_logic_fun: string -> Jc_env.var_info list -> Jc_env.jc_type option ->
  t -> t * Jc_fenv.logic_info
(*val add_tag: Jc_env.struct_info -> t -> t * Jc_env.field_info*)
val add_fun_spec: Ml_ocaml.Ident.t -> Ml_ocaml.Typedtree.function_spec -> t -> t
(*val add_type_spec: Ml_ocaml.Ident.t -> Ml_ocaml.Typedtree.type_spec -> t -> t*)

val find_var: string -> t -> Jc_env.var_info
val find_fun: string -> t -> Jc_fenv.fun_info
(*val find_field: string -> t -> Jc_env.field_info
val find_constructor: string -> t ->
  Jc_env.struct_info * int * Jc_env.field_info list
val find_struct: string -> t -> Jc_env.struct_info*)
val find_logic_fun: string -> t -> Jc_fenv.logic_info
(*val find_tag: Jc_env.struct_info -> t -> Jc_env.field_info*)
val find_fun_spec: Ml_ocaml.Ident.t -> t -> Ml_ocaml.Typedtree.function_spec
(*val find_type_spec: Ml_ocaml.Ident.t -> t -> Ml_ocaml.Typedtree.type_spec*)

(*
Local Variables: 
compile-command: "unset LANG; make -j -C .. bin/jessica.byte"
End: 
*)
why-2.34/ml/ml_options.ml0000644000175000017500000000717612311670312013755 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

type input_kind = Ml | Mli

let input_files = ref []

let output_file = ref None

(******************************************************************************)

let input_file t n = input_files := (t, n) :: !input_files

let spec = Arg.align [
  "-ml", Arg.String(input_file Ml),
  " Input file assuming it is a structure";
  "-mli", Arg.String(input_file Mli),
  " Input file assuming it is a signature";
  "-o", Arg.String(fun s -> output_file := Some s),
  " Output file"
]

let file_ext f =
  let i = ref (String.length f - 1) in
  while !i >= 0 && f.[!i] <> '.' do i := !i - 1 done;
  match if !i < 0 then "" else String.sub f !i (String.length f - !i) with
    | ".mli" -> Mli
    | _ -> Ml

let anon_fun s = input_file (file_ext s) s

let usage_msg = "jessica [options] files"

let _ =
  Arg.parse spec anon_fun usage_msg

(******************************************************************************)

let default_filename = match !input_files with
  | [] -> "jessica_out.jc"
  | (_, x)::_ -> Filename.chop_extension x ^ ".jc"

let input_files = List.rev !input_files

let rec list_last_snd def = function
  | [] -> def
  | [ x ] -> snd x
  | _::tl -> list_last_snd def tl

let output_file = match !output_file with
  | Some filename -> filename
  | None -> default_filename

(*
Local Variables: 
compile-command: "unset LANG; make -j -C .. bin/jessica.byte"
End: 
*)
why-2.34/ml/ml_constant.ml0000644000175000017500000000573012311670312014105 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* Interpretation of Ocaml constants to Jessie *)

open Ml_misc
open Ml_ocaml.Asttypes
open Jc_ast
open Jc_env

let constant = function
  | Const_int i -> JCCinteger(string_of_int i)
  | Const_float s -> JCCreal s
  | _ -> not_implemented Ml_ocaml.Location.none "ml_constant.ml: constant"

let constant_type = function
  | Const_int _ -> JCTnative Tinteger
  | Const_float _ -> JCTnative Treal
  | _ -> not_implemented Ml_ocaml.Location.none "ml_constant.ml: constant_type"

let constant_term c =
  make_term (JCTconst (constant c)) (constant_type c)

let constant_expr c =
  make_expr (JCTEconst (constant c)) (constant_type c)

(*
Local Variables: 
compile-command: "unset LANG; make -j -C .. bin/jessica.opt"
End: 
*)
why-2.34/ml/ml_pervasives.ml0000644000175000017500000000453412311670312014444 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Ml_ocaml

let default_env = Env.initial

open Ml_env

let default_mlenv = empty
why-2.34/ml/ml_type.mli0000644000175000017500000001026312311670312013403 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(** Add a type declaration like [type t = ...] so that type [t] is known and
can be instanciated. *)
val declare: Ml_ocaml.Ident.t -> Ml_ocaml.Types.type_declaration -> bool -> unit

(** Add an invariant to a declared type. *)
val add_invariant: Ml_ocaml.Ident.t ->
  (string * Jc_env.var_info * Jc_ast.assertion) -> unit

(** Translate an OCaml type into a Jessie type. May instanciate the type if
needed. *)
val make: Ml_ocaml.Types.type_expr -> Jc_env.jc_type

(** If the argument is a record type or a tuple, return the structure used
to interpret it. Fail otherwise. *)
val structure: Ml_ocaml.Types.type_expr -> Jc_env.struct_info

type ml_label_info = {
  ml_li_name: string;
  ml_li_structure: Jc_env.struct_info;
  ml_li_field: Jc_env.field_info;
}

(** Given a record type and a label of this record, instantiate the type if
needed and return the label interpretation. *)
val label: Ml_ocaml.Types.type_expr -> Ml_ocaml.Types.label_description ->
  ml_label_info

type ml_constructor_info = {
  ml_ci_name: string;
  ml_ci_structure: Jc_env.struct_info;
  ml_ci_arguments: Jc_env.field_info list;
}

(** Given a variant type and a tag of this record, instantiate the type if
needed and return the tag interpretation. *)
val constructor: Ml_ocaml.Types.type_expr -> 
  Ml_ocaml.Types.constructor_description -> ml_constructor_info

(** Return the field associated to some tuple projection. *)
val proj: Ml_ocaml.Types.type_expr -> int -> Jc_env.field_info

type ml_array_info = {
  ml_ai_struct: Jc_env.struct_info;
  ml_ai_data_field: Jc_env.field_info;
  ml_ai_make: Jc_fenv.fun_info;
}

(** Given the argument type of an array, instantiate the array if needed and
return the array info. *)
val array: Ml_ocaml.Types.type_expr -> ml_array_info

(** Return the declarations for all type instantiations. *)
val jc_decls: unit -> Jc_output.jc_decl list

(*
Local Variables: 
compile-command: "unset LANG; make -C .. -f build.makefile jessica.all"
End: 
*)
why-2.34/ml/typing/0000755000175000017500000000000012311670312012537 5ustar  rtuserswhy-2.34/ml/typing/typetexp.mli0000644000175000017500000000500612311670312015125 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: typetexp.mli,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* Typechecking of type expressions for the core language *)

open Format;;

val transl_simple_type:
        Env.t -> bool -> Parsetree.core_type -> Types.type_expr
val transl_simple_type_univars:
        Env.t -> Parsetree.core_type -> Types.type_expr
val transl_simple_type_delayed:
        Env.t -> Parsetree.core_type -> Types.type_expr * (unit -> unit)
        (* Translate a type, but leave type variables unbound. Returns
           the type and a function that binds the type variable. *)
val transl_type_scheme:
        Env.t -> Parsetree.core_type -> Types.type_expr
val reset_type_variables: unit -> unit
val enter_type_variable: bool -> Location.t -> string -> Types.type_expr
val type_variable: Location.t -> string -> Types.type_expr

type variable_context
val narrow: unit -> variable_context
val widen: variable_context -> unit

exception Already_bound

type error =
    Unbound_type_variable of string
  | Unbound_type_constructor of Longident.t
  | Unbound_type_constructor_2 of Path.t
  | Type_arity_mismatch of Longident.t * int * int
  | Bound_type_variable of string
  | Recursive_type
  | Unbound_class of Longident.t
  | Unbound_row_variable of Longident.t
  | Type_mismatch of (Types.type_expr * Types.type_expr) list
  | Alias_type_mismatch of (Types.type_expr * Types.type_expr) list
  | Present_has_conjunction of string
  | Present_has_no_type of string
  | Constructor_mismatch of Types.type_expr * Types.type_expr
  | Not_a_variant of Types.type_expr
  | Variant_tags of string * string
  | Invalid_variable_name of string
  | Cannot_quantify of string * Types.type_expr

exception Error of Location.t * error

val report_error: formatter -> error -> unit
why-2.34/ml/typing/types.mli0000644000175000017500000001606312311670312014414 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: types.mli,v 1.3 2007-12-13 16:42:57 bardou Exp $ *)

(* Representation of types and declarations *)

open Asttypes

(* Type expressions for the core language *)

type type_expr =
  { mutable desc: type_desc; 
    mutable level: int;
    mutable id: int }

and type_desc =
    Tvar
  | Tarrow of label * type_expr * type_expr * commutable
  | Ttuple of type_expr list
  | Tconstr of Path.t * type_expr list * abbrev_memo ref
  | Tobject of type_expr * (Path.t * type_expr list) option ref
  | Tfield of string * field_kind * type_expr * type_expr
  | Tnil
  | Tlink of type_expr
  | Tsubst of type_expr         (* for copying *)
  | Tvariant of row_desc
  | Tunivar
  | Tpoly of type_expr * type_expr list

and row_desc =
    { row_fields: (label * row_field) list;
      row_more: type_expr;
      row_bound: type_expr list;
      row_closed: bool;
      row_fixed: bool;
      row_name: (Path.t * type_expr list) option }

and row_field =
    Rpresent of type_expr option
  | Reither of bool * type_expr list * bool * row_field option ref
        (* 1st true denotes a constant constructor *)
        (* 2nd true denotes a tag in a pattern matching, and
           is erased later *)
  | Rabsent

and abbrev_memo =
    Mnil
  | Mcons of Path.t * type_expr * type_expr * abbrev_memo
  | Mlink of abbrev_memo ref

and field_kind =
    Fvar of field_kind option ref
  | Fpresent
  | Fabsent

and commutable =
    Cok
  | Cunknown
  | Clink of commutable ref

module TypeOps : sig
  type t = type_expr
  val compare : t -> t -> int
  val equal : t -> t -> bool
  val hash : t -> int
end

(* Maps of methods and instance variables *)

module Meths : Map.S with type key = string
module Vars  : Map.S with type key = string

(* Value descriptions *)

type value_description =
  { val_type: type_expr;                (* Type of the value *)
    val_kind: value_kind }

and value_kind =
    Val_reg                             (* Regular value *)
  | Val_prim of Primitive.description   (* Primitive *)
  | Val_ivar of mutable_flag * string   (* Instance variable (mutable ?) *)
  | Val_self of (Ident.t * type_expr) Meths.t ref *
                (Ident.t * Asttypes.mutable_flag *
                 Asttypes.virtual_flag * type_expr) Vars.t ref *
                string * type_expr
                                        (* Self *)
  | Val_anc of (string * Ident.t) list * string
                                        (* Ancestor *)
  | Val_unbound                         (* Unbound variable *)

(* Constructor descriptions *)

type constructor_description =
  { cstr_res: type_expr;                (* Type of the result *)
    cstr_args: type_expr list;          (* Type of the arguments *)
    cstr_arity: int;                    (* Number of arguments *)
    cstr_tag: constructor_tag;          (* Tag for heap blocks *)
    cstr_consts: int;                   (* Number of constant constructors *)
    cstr_nonconsts: int;                (* Number of non-const constructors *)
    cstr_private: private_flag;         (* Read-only constructor? *)
    cstr_name: string }                 (* Used by Jessica *)

and constructor_tag =
    Cstr_constant of int                (* Constant constructor (an int) *)
  | Cstr_block of int                   (* Regular constructor (a block) *)
  | Cstr_exception of Path.t            (* Exception constructor *)

(* Record label descriptions *)

type label_description =
  { lbl_res: type_expr;                 (* Type of the result *)
    lbl_arg: type_expr;                 (* Type of the argument *)
    lbl_mut: mutable_flag;              (* Is this a mutable field? *)
    lbl_pos: int;                       (* Position in block *)
    lbl_all: label_description array;   (* All the labels in this type *)
    lbl_repres: record_representation;  (* Representation for this record *)
    lbl_private: private_flag;          (* Read-only field? *)
    lbl_name: string }                  (* Used by Jessica *)

and record_representation =
    Record_regular                      (* All fields are boxed / tagged *)
  | Record_float                        (* All fields are floats *)

(* Type definitions *)

type type_declaration =
  { type_params: type_expr list;
    type_arity: int;
    type_kind: type_kind;
    type_manifest: type_expr option;
    type_variance: (bool * bool * bool) list }
            (* covariant, contravariant, weakly contravariant *)

and type_kind =
    Type_abstract
  | Type_variant of (string * type_expr list) list * private_flag
  | Type_record of (string * mutable_flag * type_expr) list
                 * record_representation * private_flag

type exception_declaration = type_expr list

(* Type expressions for the class language *)

module Concr : Set.S with type elt = string

type class_type =
    Tcty_constr of Path.t * type_expr list * class_type
  | Tcty_signature of class_signature
  | Tcty_fun of label * type_expr * class_type

and class_signature =
  { cty_self: type_expr;
    cty_vars:
      (Asttypes.mutable_flag * Asttypes.virtual_flag * type_expr) Vars.t;
    cty_concr: Concr.t;
    cty_inher: (Path.t * type_expr list) list }

type class_declaration =
  { cty_params: type_expr list;
    mutable cty_type: class_type;
    cty_path: Path.t;
    cty_new: type_expr option;
    cty_variance: (bool * bool) list }

type cltype_declaration =
  { clty_params: type_expr list;
    clty_type: class_type;
    clty_path: Path.t;
    clty_variance: (bool * bool) list }

(* Type expressions for the module language *)

type module_type =
    Tmty_ident of Path.t
  | Tmty_signature of signature
  | Tmty_functor of Ident.t * module_type * module_type

and signature = signature_item list

and signature_item =
    Tsig_value of Ident.t * value_description
  | Tsig_type of Ident.t * type_declaration * rec_status
  | Tsig_exception of Ident.t * exception_declaration
  | Tsig_module of Ident.t * module_type * rec_status
  | Tsig_modtype of Ident.t * modtype_declaration
  | Tsig_class of Ident.t * class_declaration * rec_status
  | Tsig_cltype of Ident.t * cltype_declaration * rec_status

and modtype_declaration =
    Tmodtype_abstract
  | Tmodtype_manifest of module_type

and rec_status =
    Trec_not                            (* not recursive *)
  | Trec_first                          (* first in a recursive group *)
  | Trec_next                           (* not first in a recursive group *)
why-2.34/ml/typing/typemod.ml0000644000175000017500000011631012311670312014554 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: typemod.ml,v 1.8 2007-12-20 17:10:01 bardou Exp $ *)

(* Type-checking of the module language *)

open Misc
open Longident
open Path
open Asttypes
open Parsetree
open Types
open Typedtree
open Format

type error =
    Unbound_module of Longident.t
  | Unbound_modtype of Longident.t
  | Cannot_apply of module_type
  | Not_included of Includemod.error list
  | Cannot_eliminate_dependency of module_type
  | Signature_expected
  | Structure_expected of module_type
  | With_no_component of Longident.t
  | With_mismatch of Longident.t * Includemod.error list
  | Repeated_name of string * string
  | Non_generalizable of type_expr
  | Non_generalizable_class of Ident.t * class_declaration
  | Non_generalizable_module of module_type
  | Implementation_is_required of string
  | Interface_not_compiled of string

exception Error of Location.t * error

(* Extract a signature from a module type *)

let extract_sig env loc mty =
  match Mtype.scrape env mty with
    Tmty_signature sg -> sg
  | _ -> raise(Error(loc, Signature_expected))

let extract_sig_open env loc mty =
  match Mtype.scrape env mty with
    Tmty_signature sg -> sg
  | _ -> raise(Error(loc, Structure_expected mty))

(* Lookup the type of a module path *)

let type_module_path env loc lid =
  try
    Env.lookup_module lid env
  with Not_found ->
    raise(Error(loc, Unbound_module lid))

(* Record a module type *)
let rm node =
  Stypes.record (Stypes.Ti_mod node);
  node

(* Merge one "with" constraint in a signature *)

let rec add_rec_types env = function
    Tsig_type(id, decl, Trec_next) :: rem ->
      add_rec_types (Env.add_type id decl env) rem
  | _ -> env

let check_type_decl env id row_id newdecl decl rs rem =
  let env = Env.add_type id newdecl env in
  let env =
    match row_id with None -> env | Some id -> Env.add_type id newdecl env in
  let env = if rs = Trec_not then env else add_rec_types env rem in
  Includemod.type_declarations env id newdecl decl

let merge_constraint initial_env loc sg lid constr =
  let rec merge env sg namelist row_id =
    match (sg, namelist, constr) with
      ([], _, _) ->
        raise(Error(loc, With_no_component lid))
    | (Tsig_type(id, decl, rs) :: rem, [s],
       Pwith_type ({ptype_kind = Ptype_private} as sdecl))
      when Ident.name id = s ->
        let decl_row =
          { type_params =
              List.map (fun _ -> Btype.newgenvar()) sdecl.ptype_params;
            type_arity = List.length sdecl.ptype_params;
            type_kind = Type_abstract;
            type_manifest = None;
            type_variance =
              List.map (fun (c,n) -> (not n, not c, not c))
              sdecl.ptype_variance }
        and id_row = Ident.create (s^"#row") in
        let initial_env = Env.add_type id_row decl_row initial_env in
        let newdecl = Typedecl.transl_with_constraint
                        initial_env id (Some(Pident id_row)) sdecl in
        check_type_decl env id row_id newdecl decl rs rem;
        let decl_row = {decl_row with type_params = newdecl.type_params} in
        let rs' = if rs = Trec_first then Trec_not else rs in
        Tsig_type(id_row, decl_row, rs') :: Tsig_type(id, newdecl, rs) :: rem
    | (Tsig_type(id, decl, rs) :: rem, [s], Pwith_type sdecl)
      when Ident.name id = s ->
        let newdecl =
          Typedecl.transl_with_constraint initial_env id None sdecl in
        check_type_decl env id row_id newdecl decl rs rem;
        Tsig_type(id, newdecl, rs) :: rem
    | (Tsig_type(id, decl, rs) :: rem, [s], Pwith_type sdecl)
      when Ident.name id = s ^ "#row" ->
        merge env rem namelist (Some id)
    | (Tsig_module(id, mty, rs) :: rem, [s], Pwith_module lid)
      when Ident.name id = s ->
        let (path, mty') = type_module_path initial_env loc lid in
        let newmty = Mtype.strengthen env mty' path in
        ignore(Includemod.modtypes env newmty mty);
        Tsig_module(id, newmty, rs) :: rem
    | (Tsig_module(id, mty, rs) :: rem, s :: namelist, _)
      when Ident.name id = s ->
        let newsg = merge env (extract_sig env loc mty) namelist None in
        Tsig_module(id, Tmty_signature newsg, rs) :: rem
    | (item :: rem, _, _) ->
        item :: merge (Env.add_item item env) rem namelist row_id in
  try
    merge initial_env sg (Longident.flatten lid) None
  with Includemod.Error explanation ->
    raise(Error(loc, With_mismatch(lid, explanation)))

(* Add recursion flags on declarations arising from a mutually recursive
   block. *)

let map_rec fn decls rem =
  match decls with
  | [] -> rem
  | d1 :: dl -> fn Trec_first d1 :: map_end (fn Trec_next) dl rem

let rec map_rec' fn decls rem =
  match decls with
  | (id,_ as d1) :: dl when Btype.is_row_name (Ident.name id) ->
      fn Trec_not d1 :: map_rec' fn dl rem
  | _ -> map_rec fn decls rem

(* Auxiliary for translating recursively-defined module types.
   Return a module type that approximates the shape of the given module
   type AST.  Retain only module, type, and module type
   components of signatures.  For types, retain only their arity,
   making them abstract otherwise. *)

let approx_modtype transl_mty init_env smty =

  let rec approx_mty env smty =
    match smty.pmty_desc with
      Pmty_ident lid ->
        begin try
          let (path, info) = Env.lookup_modtype lid env in
          Tmty_ident path
        with Not_found ->
          raise(Error(smty.pmty_loc, Unbound_modtype lid))
        end
    | Pmty_signature ssg ->
        Tmty_signature(approx_sig env ssg)
    | Pmty_functor(param, sarg, sres) ->
        let arg = approx_mty env sarg in
        let (id, newenv) = Env.enter_module param arg env in
        let res = approx_mty newenv sres in
        Tmty_functor(id, arg, res)
    | Pmty_with(sbody, constraints) ->
        approx_mty env sbody

  and approx_sig env ssg =
    match ssg with
      [] -> []
    | item :: srem ->
        match item.psig_desc with
        | Psig_type sdecls ->
            let decls = Typedecl.approx_type_decl env sdecls in
            let rem = approx_sig env srem in
            map_rec' (fun rs (id, info) -> Tsig_type(id, info, rs)) decls rem
        | Psig_module(name, smty) ->
            let mty = approx_mty env smty in
            let (id, newenv) = Env.enter_module name mty env in
            Tsig_module(id, mty, Trec_not) :: approx_sig newenv srem
        | Psig_recmodule sdecls ->
            let decls =
              List.map
                (fun (name, smty) ->
                  (Ident.create name, approx_mty env smty))
                sdecls in
            let newenv =
              List.fold_left (fun env (id, mty) -> Env.add_module id mty env)
              env decls in
            map_rec (fun rs (id, mty) -> Tsig_module(id, mty, rs)) decls
                    (approx_sig newenv srem)
        | Psig_modtype(name, sinfo) ->
            let info = approx_mty_info env sinfo in
            let (id, newenv) = Env.enter_modtype name info env in
            Tsig_modtype(id, info) :: approx_sig newenv srem
        | Psig_open lid ->
            let (path, mty) = type_module_path env item.psig_loc lid in
            let sg = extract_sig_open env item.psig_loc mty in
            let newenv = Env.open_signature path sg env in
            approx_sig newenv srem
        | Psig_include smty ->
            let mty = transl_mty init_env smty in
            let sg = Subst.signature Subst.identity
                       (extract_sig env smty.pmty_loc mty) in
            let newenv = Env.add_signature sg env in
            sg @ approx_sig newenv srem
        | Psig_class sdecls | Psig_class_type sdecls ->
            let decls = Typeclass.approx_class_declarations env sdecls in
            let rem = approx_sig env srem in
            List.flatten
              (map_rec
                (fun rs (i1, d1, i2, d2, i3, d3) ->
                  [Tsig_cltype(i1, d1, rs);
                   Tsig_type(i2, d2, rs);
                   Tsig_type(i3, d3, rs)])
                decls [rem])
        | _ ->
            approx_sig env srem

  and approx_mty_info env sinfo =
    match sinfo with
      Pmodtype_abstract ->
        Tmodtype_abstract
    | Pmodtype_manifest smty ->
        Tmodtype_manifest(approx_mty env smty)

  in approx_mty init_env smty

(* Additional validity checks on type definitions arising from
   recursive modules *)

let check_recmod_typedecls env sdecls decls =
  let recmod_ids = List.map fst decls in
  List.iter2
    (fun (_, smty) (id, mty) ->
      List.iter
        (fun path ->
          Typedecl.check_recmod_typedecl env smty.pmty_loc recmod_ids
                                         path (Env.find_type path env))
        (Mtype.type_paths env (Pident id) mty))
    sdecls decls

(* Auxiliaries for checking uniqueness of names in signatures and structures *)

module StringSet = Set.Make(struct type t = string let compare = compare end)

let check cl loc set_ref name =
  if StringSet.mem name !set_ref
  then raise(Error(loc, Repeated_name(cl, name)))
  else set_ref := StringSet.add name !set_ref

let check_sig_item type_names module_names modtype_names loc = function
    Tsig_type(id, _, _) ->
      check "type" loc type_names (Ident.name id)
  | Tsig_module(id, _, _) ->
      check "module" loc module_names (Ident.name id)
  | Tsig_modtype(id, _) ->
      check "module type" loc modtype_names (Ident.name id)
  | _ -> ()

(* Check and translate a module type expression *)

let rec transl_modtype env smty =
  match smty.pmty_desc with
    Pmty_ident lid ->
      begin try
        let (path, info) = Env.lookup_modtype lid env in
        Tmty_ident path
      with Not_found ->
        raise(Error(smty.pmty_loc, Unbound_modtype lid))
      end
  | Pmty_signature ssg ->
      Tmty_signature(transl_signature env ssg)
  | Pmty_functor(param, sarg, sres) ->
      let arg = transl_modtype env sarg in
      let (id, newenv) = Env.enter_module param arg env in
      let res = transl_modtype newenv sres in
      Tmty_functor(id, arg, res)
  | Pmty_with(sbody, constraints) ->
      let body = transl_modtype env sbody in
      let init_sg = extract_sig env sbody.pmty_loc body in
      let final_sg =
        List.fold_left
          (fun sg (lid, sdecl) ->
            merge_constraint env smty.pmty_loc sg lid sdecl)
          init_sg constraints in
      Mtype.freshen (Tmty_signature final_sg)

and transl_signature env sg =
  let type_names = ref StringSet.empty
  and module_names = ref StringSet.empty
  and modtype_names = ref StringSet.empty in
  let rec transl_sig env sg =
    Ctype.init_def(Ident.current_time());
    match sg with
      [] -> []
    | item :: srem ->
        match item.psig_desc with
        | Psig_value(name, sdesc) ->
            let desc = Typedecl.transl_value_decl env sdesc in
            let (id, newenv) = Env.enter_value name desc env in
            let rem = transl_sig newenv srem in
            Tsig_value(id, desc) :: rem
        | Psig_type sdecls ->
            List.iter
              (fun (name, decl) -> check "type" item.psig_loc type_names name)
              sdecls;
            let (decls, newenv) = Typedecl.transl_type_decl env sdecls in
            let rem = transl_sig newenv srem in
            map_rec' (fun rs (id, info) -> Tsig_type(id, info, rs)) decls rem
        | Psig_exception(name, sarg) ->
            let arg = Typedecl.transl_exception env sarg in
            let (id, newenv) = Env.enter_exception name arg env in
            let rem = transl_sig newenv srem in
            Tsig_exception(id, arg) :: rem
        | Psig_module(name, smty) ->
            check "module" item.psig_loc module_names name;
            let mty = transl_modtype env smty in
            let (id, newenv) = Env.enter_module name mty env in
            let rem = transl_sig newenv srem in
            Tsig_module(id, mty, Trec_not) :: rem
        | Psig_recmodule sdecls ->
            List.iter
              (fun (name, smty) ->
                 check "module" item.psig_loc module_names name)
              sdecls;
            let (decls, newenv) =
              transl_recmodule_modtypes item.psig_loc env sdecls in
            let rem = transl_sig newenv srem in
            map_rec (fun rs (id, mty) -> Tsig_module(id, mty, rs)) decls rem
        | Psig_modtype(name, sinfo) ->
            check "module type" item.psig_loc modtype_names name;
            let info = transl_modtype_info env sinfo in
            let (id, newenv) = Env.enter_modtype name info env in
            let rem = transl_sig newenv srem in
            Tsig_modtype(id, info) :: rem
        | Psig_open lid ->
            let (path, mty) = type_module_path env item.psig_loc lid in
            let sg = extract_sig_open env item.psig_loc mty in
            let newenv = Env.open_signature path sg env in
            transl_sig newenv srem
        | Psig_include smty ->
            let mty = transl_modtype env smty in
            let sg = Subst.signature Subst.identity
                       (extract_sig env smty.pmty_loc mty) in
            List.iter
              (check_sig_item type_names module_names modtype_names
                              item.psig_loc)
              sg;
            let newenv = Env.add_signature sg env in
            let rem = transl_sig newenv srem in
            sg @ rem
        | Psig_class cl ->
            List.iter
              (fun {pci_name = name} ->
                 check "type" item.psig_loc type_names name)
              cl;
            let (classes, newenv) = Typeclass.class_descriptions env cl in
            let rem = transl_sig newenv srem in
            List.flatten
              (map_rec
                 (fun rs (i, d, i', d', i'', d'', i''', d''', _, _, _) ->
                    [Tsig_class(i, d, rs);
                     Tsig_cltype(i', d', rs);
                     Tsig_type(i'', d'', rs);
                     Tsig_type(i''', d''', rs)])
                 classes [rem])
        | Psig_class_type cl ->
            List.iter
              (fun {pci_name = name} ->
                 check "type" item.psig_loc type_names name)
              cl;
            let (classes, newenv) = Typeclass.class_type_declarations env cl in
            let rem = transl_sig newenv srem in
            List.flatten
              (map_rec
                 (fun rs (i, d, i', d', i'', d'') ->
                    [Tsig_cltype(i, d, rs);
                     Tsig_type(i', d', rs);
                     Tsig_type(i'', d'', rs)])
                 classes [rem])
    in transl_sig env sg

and transl_modtype_info env sinfo =
  match sinfo with
    Pmodtype_abstract ->
      Tmodtype_abstract
  | Pmodtype_manifest smty ->
      Tmodtype_manifest(transl_modtype env smty)

and transl_recmodule_modtypes loc env sdecls =
  let make_env curr =
    List.fold_left
      (fun env (id, mty) -> Env.add_module id mty env)
      env curr in
  let transition env_c curr =
    List.map2
      (fun (_, smty) (id, mty) -> (id, transl_modtype env_c smty))
      sdecls curr in
  let init =
    List.map
      (fun (name, smty) ->
        (Ident.create name, approx_modtype transl_modtype env smty))
      sdecls in
  let first = transition (make_env init) init in
  let final_env = make_env first in
  let final_decl = transition final_env init in
  check_recmod_typedecls final_env sdecls final_decl;
  (final_decl, final_env)

(* Try to convert a module expression to a module path. *)

exception Not_a_path

let rec path_of_module mexp =
  match mexp.mod_desc with
    Tmod_ident p -> p
  | Tmod_apply(funct, arg, coercion) ->
      Papply(path_of_module funct, path_of_module arg)
  | _ -> raise Not_a_path

(* Check that all core type schemes in a structure are closed *)

let rec closed_modtype = function
    Tmty_ident p -> true
  | Tmty_signature sg -> List.for_all closed_signature_item sg
  | Tmty_functor(id, param, body) -> closed_modtype body

and closed_signature_item = function
    Tsig_value(id, desc) -> Ctype.closed_schema desc.val_type
  | Tsig_module(id, mty, _) -> closed_modtype mty
  | _ -> true

let check_nongen_scheme env = function
    Tstr_value(rec_flag, pat_exp_list) ->
      List.iter
        (fun (pat, exp) ->
          if not (Ctype.closed_schema exp.exp_type) then
            raise(Error(exp.exp_loc, Non_generalizable exp.exp_type)))
        pat_exp_list
  | Tstr_module(id, md) ->
      if not (closed_modtype md.mod_type) then
        raise(Error(md.mod_loc, Non_generalizable_module md.mod_type))
  | _ -> ()

let check_nongen_schemes env str =
  List.iter (check_nongen_scheme env) str

(* Extract the list of "value" identifiers bound by a signature.
   "Value" identifiers are identifiers for signature components that
   correspond to a run-time value: values, exceptions, modules, classes.
   Note: manifest primitives do not correspond to a run-time value! *)

let rec bound_value_identifiers = function
    [] -> []
  | Tsig_value(id, {val_kind = Val_reg}) :: rem ->
      id :: bound_value_identifiers rem
  | Tsig_exception(id, decl) :: rem -> id :: bound_value_identifiers rem
  | Tsig_module(id, mty, _) :: rem -> id :: bound_value_identifiers rem
  | Tsig_class(id, decl, _) :: rem -> id :: bound_value_identifiers rem
  | _ :: rem -> bound_value_identifiers rem

(* Helpers for typing recursive modules *)

let anchor_submodule name anchor =
  match anchor with None -> None | Some p -> Some(Pdot(p, name, nopos))
let anchor_recmodule id anchor =
  Some (Pident id)

let enrich_type_decls anchor decls oldenv newenv =
  match anchor with
    None -> newenv
  | Some p ->
      List.fold_left
        (fun e (id, info) ->
          let info' =
            Mtype.enrich_typedecl oldenv (Pdot(p, Ident.name id, nopos)) info
          in
            Env.add_type id info' e)
        oldenv decls

let enrich_module_type anchor name mty env =
  match anchor with
    None -> mty
  | Some p -> Mtype.enrich_modtype env (Pdot(p, name, nopos)) mty

(* Type a module value expression *)

let rec type_module anchor env smod =
  match smod.pmod_desc with
    Pmod_ident lid ->
      let (path, mty) = type_module_path env smod.pmod_loc lid in
      rm { mod_desc = Tmod_ident path;
           mod_type = Mtype.strengthen env mty path;
           mod_env = env;
           mod_loc = smod.pmod_loc }
  | Pmod_structure sstr ->
      let (str, sg, finalenv) = type_structure anchor env sstr in
      rm { mod_desc = Tmod_structure str;
           mod_type = Tmty_signature sg;
           mod_env = env;
           mod_loc = smod.pmod_loc }
  | Pmod_functor(name, smty, sbody) ->
      let mty = transl_modtype env smty in
      let (id, newenv) = Env.enter_module name mty env in
      let body = type_module None newenv sbody in
      rm { mod_desc = Tmod_functor(id, mty, body);
           mod_type = Tmty_functor(id, mty, body.mod_type);
           mod_env = env;
           mod_loc = smod.pmod_loc }
  | Pmod_apply(sfunct, sarg) ->
      let funct = type_module None env sfunct in
      let arg = type_module None env sarg in
      begin match Mtype.scrape env funct.mod_type with
        Tmty_functor(param, mty_param, mty_res) as mty_functor ->
          let coercion =
            try
              Includemod.modtypes env arg.mod_type mty_param
            with Includemod.Error msg ->
              raise(Error(sarg.pmod_loc, Not_included msg)) in
          let mty_appl =
            try
              let path = path_of_module arg in
              Subst.modtype (Subst.add_module param path Subst.identity)
                            mty_res
            with Not_a_path ->
              try
                Mtype.nondep_supertype
                  (Env.add_module param arg.mod_type env) param mty_res
              with Not_found ->
                raise(Error(smod.pmod_loc,
                            Cannot_eliminate_dependency mty_functor)) in
          rm { mod_desc = Tmod_apply(funct, arg, coercion);
               mod_type = mty_appl;
               mod_env = env;
               mod_loc = smod.pmod_loc }
      | _ ->
          raise(Error(sfunct.pmod_loc, Cannot_apply funct.mod_type))
      end
  | Pmod_constraint(sarg, smty) ->
      let arg = type_module anchor env sarg in
      let mty = transl_modtype env smty in
      let coercion =
        try
          Includemod.modtypes env arg.mod_type mty
        with Includemod.Error msg ->
          raise(Error(sarg.pmod_loc, Not_included msg)) in
      rm { mod_desc = Tmod_constraint(arg, mty, coercion);
           mod_type = mty;
           mod_env = env;
           mod_loc = smod.pmod_loc }

and type_structure anchor env sstr =
  let type_names = ref StringSet.empty
  and module_names = ref StringSet.empty
  and modtype_names = ref StringSet.empty in
  let rec type_struct env sstr =
    Ctype.init_def(Ident.current_time());
    match sstr with
      [] ->
        ([], [], env)
    | {pstr_desc = Pstr_eval sexpr} :: srem ->
        let expr = Typecore.type_expression env sexpr in
        let (str_rem, sig_rem, final_env) = type_struct env srem in
        (Tstr_eval expr :: str_rem, sig_rem, final_env)
    | {pstr_desc = Pstr_value(rec_flag, sdefs)} :: srem ->
        let (defs, newenv) =
          Typecore.type_binding env rec_flag sdefs in
        let (str_rem, sig_rem, final_env) = type_struct newenv srem in
        let bound_idents = let_bound_idents defs in
        let make_sig_value id =
          Tsig_value(id, Env.find_value (Pident id) newenv) in
        (Tstr_value(rec_flag, defs) :: str_rem,
         map_end make_sig_value bound_idents sig_rem,
         final_env)
    | {pstr_desc = Pstr_primitive(name, sdesc)} :: srem ->
        let desc = Typedecl.transl_value_decl env sdesc in
        let (id, newenv) = Env.enter_value name desc env in
        let (str_rem, sig_rem, final_env) = type_struct newenv srem in
        (Tstr_primitive(id, desc) :: str_rem,
         Tsig_value(id, desc) :: sig_rem,
         final_env)
    | {pstr_desc = Pstr_type sdecls; pstr_loc = loc} :: srem ->
        List.iter
          (fun (name, decl) -> check "type" loc type_names name)
          sdecls;
        let (decls, newenv) = Typedecl.transl_type_decl env sdecls in
        let newenv' =
          enrich_type_decls anchor decls env newenv in
        let (str_rem, sig_rem, final_env) = type_struct newenv' srem in
        (Tstr_type decls :: str_rem,
         map_rec' (fun rs (id, info) -> Tsig_type(id, info, rs)) decls sig_rem,
         final_env)
    | {pstr_desc = Pstr_exception(name, sarg)} :: srem ->
        let arg = Typedecl.transl_exception env sarg in
        let (id, newenv) = Env.enter_exception name arg env in
        let (str_rem, sig_rem, final_env) = type_struct newenv srem in
        (Tstr_exception(id, arg) :: str_rem,
         Tsig_exception(id, arg) :: sig_rem,
         final_env)
    | {pstr_desc = Pstr_exn_rebind(name, longid); pstr_loc = loc} :: srem ->
        let (path, arg) = Typedecl.transl_exn_rebind env loc longid in
        let (id, newenv) = Env.enter_exception name arg env in
        let (str_rem, sig_rem, final_env) = type_struct newenv srem in
        (Tstr_exn_rebind(id, path) :: str_rem,
         Tsig_exception(id, arg) :: sig_rem,
         final_env)
    | {pstr_desc = Pstr_module(name, smodl); pstr_loc = loc} :: srem ->
        check "module" loc module_names name;
        let modl = type_module  (anchor_submodule name anchor) env smodl in
        let mty = enrich_module_type anchor name modl.mod_type env in
        let (id, newenv) = Env.enter_module name mty env in
        let (str_rem, sig_rem, final_env) = type_struct newenv srem in
        (Tstr_module(id, modl) :: str_rem,
         Tsig_module(id, modl.mod_type, Trec_not) :: sig_rem,
         final_env)
    | {pstr_desc = Pstr_recmodule sbind; pstr_loc = loc} :: srem ->
        List.iter
          (fun (name, _, _) -> check "module" loc module_names name)
          sbind;
        let (decls, newenv) =
          transl_recmodule_modtypes loc env
            (List.map (fun (name, smty, smodl) -> (name, smty)) sbind) in
        let type_recmodule_binding (id, mty) (name, smty, smodl) =
          let modl =
            type_module (anchor_recmodule id anchor) newenv smodl in
          let coercion =
            try
              Includemod.modtypes newenv
                 (Mtype.strengthen env modl.mod_type (Pident id))
                 mty
            with Includemod.Error msg ->
              raise(Error(smodl.pmod_loc, Not_included msg)) in
          let modl' =
            { mod_desc = Tmod_constraint(modl, mty, coercion);
              mod_type = mty;
              mod_env = newenv;
              mod_loc = smodl.pmod_loc } in
          (id, modl') in
        let bind = List.map2 type_recmodule_binding decls sbind in
        let (str_rem, sig_rem, final_env) = type_struct newenv srem in
        (Tstr_recmodule bind :: str_rem,
         map_rec (fun rs (id, modl) -> Tsig_module(id, modl.mod_type, rs))
                 bind sig_rem,
         final_env)
    | {pstr_desc = Pstr_modtype(name, smty); pstr_loc = loc} :: srem ->
        check "module type" loc modtype_names name;
        let mty = transl_modtype env smty in
        let (id, newenv) = Env.enter_modtype name (Tmodtype_manifest mty) env in
        let (str_rem, sig_rem, final_env) = type_struct newenv srem in
        (Tstr_modtype(id, mty) :: str_rem,
         Tsig_modtype(id, Tmodtype_manifest mty) :: sig_rem,
         final_env)
    | {pstr_desc = Pstr_open lid; pstr_loc = loc} :: srem ->
        let (path, mty) = type_module_path env loc lid in
        let sg = extract_sig_open env loc mty in
        type_struct (Env.open_signature path sg env) srem
    | {pstr_desc = Pstr_class cl; pstr_loc = loc} :: srem ->
         List.iter
           (fun {pci_name = name} -> check "type" loc type_names name)
           cl;
        let (classes, new_env) = Typeclass.class_declarations env cl in
        let (str_rem, sig_rem, final_env) = type_struct new_env srem in
        (Tstr_class
           (List.map (fun (i, d, _,_,_,_,_,_, s, m, c) ->
              let vf = if d.cty_new = None then Virtual else Concrete in
              (i, s, m, c, vf)) classes) ::
         Tstr_cltype
           (List.map (fun (_,_, i, d, _,_,_,_,_,_,_) -> (i, d)) classes) ::
         Tstr_type
           (List.map (fun (_,_,_,_, i, d, _,_,_,_,_) -> (i, d)) classes) ::
         Tstr_type
           (List.map (fun (_,_,_,_,_,_, i, d, _,_,_) -> (i, d)) classes) ::
         str_rem,
         List.flatten
           (map_rec
              (fun rs (i, d, i', d', i'', d'', i''', d''', _, _, _) ->
                 [Tsig_class(i, d, rs);
                  Tsig_cltype(i', d', rs);
                  Tsig_type(i'', d'', rs);
                  Tsig_type(i''', d''', rs)])
              classes [sig_rem]),
         final_env)
    | {pstr_desc = Pstr_class_type cl; pstr_loc = loc} :: srem ->
        List.iter
          (fun {pci_name = name} -> check "type" loc type_names name)
          cl;
        let (classes, new_env) = Typeclass.class_type_declarations env cl in
        let (str_rem, sig_rem, final_env) = type_struct new_env srem in
        (Tstr_cltype
           (List.map (fun (i, d, _, _, _, _) -> (i, d)) classes) ::
         Tstr_type
           (List.map (fun (_, _, i, d, _, _) -> (i, d)) classes) ::
         Tstr_type
           (List.map (fun (_, _, _, _, i, d) -> (i, d)) classes) ::
         str_rem,
         List.flatten
           (map_rec
              (fun rs (i, d, i', d', i'', d'') ->
                 [Tsig_cltype(i, d, rs);
                  Tsig_type(i', d', rs);
                  Tsig_type(i'', d'', rs)])
              classes [sig_rem]),
         final_env)
    | {pstr_desc = Pstr_include smodl; pstr_loc = loc} :: srem ->
        let modl = type_module None env smodl in
        (* Rename all identifiers bound by this signature to avoid clashes *)
        let sg = Subst.signature Subst.identity
                   (extract_sig_open env smodl.pmod_loc modl.mod_type) in
        List.iter
          (check_sig_item type_names module_names modtype_names loc) sg;
        let new_env = Env.add_signature sg env in
        let (str_rem, sig_rem, final_env) = type_struct new_env srem in
        (Tstr_include (modl, bound_value_identifiers sg) :: str_rem,
         sg @ sig_rem,
         final_env)
    | {pstr_desc = Pstr_function_spec fs; pstr_loc = loc} :: srem ->
	(* function *)
	let fun_path, fun_vd = try
	  Env.lookup_value (Lident fs.pfs_name) env;
	with Not_found ->
	  raise (Typecore.Error(loc, Typecore.Unbound_value
				  (Lident fs.pfs_name)))
	in
	(* arguments *)
	let args, spec_env = List.fold_left
	  (fun (args, env) name ->
	     let desc = {
	       val_type = Ctype.newvar ();
	       val_kind = Val_reg;
	     } in
	     let id, new_env = Env.enter_value name desc env in
	     id::args, new_env)
	  ([], env)
	  fs.pfs_arguments
	in
	(* \result *)
	let res_ty =
	  let rec rightmost_type te = match te.desc with
	    | Tarrow(_, _, x, _) -> rightmost_type x
	    | Tlink x -> rightmost_type x
	    | x -> te
	  in
	  rightmost_type fun_vd.val_type
	in
	let res_vd = {
	  val_type = res_ty;
	  val_kind = Val_reg;
	} in
	let _, result_env = Env.enter_value "\\result" res_vd spec_env in
	(* typed spec *)
	let tfs = {
	  fs_function = fun_path;
	  fs_arguments = List.rev args;
	  fs_requires =
	    begin match fs.pfs_requires with
	      | None -> None
	      | Some x -> Some (Typecore.type_expression spec_env x)
	    end;
	  fs_behaviors = List.map
	    (fun b -> {
	       b_name = b.pb_name;
	       b_ensures = Typecore.type_expression result_env b.pb_ensures;
	     })
	    fs.pfs_behaviors;
	} in
	(* finish *)
        let (str_rem, sig_rem, final_env) = type_struct env srem in
        (Tstr_function_spec tfs :: str_rem, sig_rem, final_env)
    | {pstr_desc = Pstr_type_spec ts; pstr_loc = loc} :: srem ->
	(* type *)
	let type_path, type_decl = try
	  Env.lookup_type (Lident ts.pts_name) env;
	with Not_found ->
	  raise (Typetexp.Error(loc, Typetexp.Unbound_type_constructor
				  (Lident ts.pts_name)))
	in
	(* invariants *)
	let invariants, new_env = List.fold_left
	  (fun (acc, env) i ->
	     let env, inv = Typecore.type_invariant env
	       (Ctype.newconstr type_path []) i in
	     inv::acc, env)
	  ([], env)
	  ts.pts_invariants
	in
	(* typed spec *)
	let tts = {
	  ts_type = type_path;
	  ts_invariants = List.rev invariants;
	} in
	(* finish *)
        let (str_rem, sig_rem, final_env) = type_struct new_env srem in
        (Tstr_type_spec tts :: str_rem, sig_rem, final_env)
    | {pstr_desc = Pstr_logic_function_spec lfs; pstr_loc = loc} :: srem ->
	let new_env, tlfs = Typecore.type_logic_function env loc lfs in
        let (str_rem, sig_rem, final_env) = type_struct new_env srem in
        (Tstr_logic_function_spec tlfs :: str_rem, sig_rem, final_env)
    | {pstr_desc = Pstr_logic_type_spec lts; pstr_loc = loc} :: srem ->
	let td = {
	  type_params = [];
	  type_arity = 0;
	  type_kind = Type_abstract;
	  type_manifest = None;
	  type_variance = [];
	} in
	let type_id, new_env = Env.enter_type lts td env in
        let (str_rem, sig_rem, final_env) = type_struct new_env srem in
        (Tstr_logic_type_spec(type_id, td) :: str_rem, sig_rem, final_env)
    | {pstr_desc = Pstr_axiom_spec axs; pstr_loc = loc} :: srem ->
	let taxs = Typecore.type_axiom env axs in
        let (str_rem, sig_rem, final_env) = type_struct env srem in
        (Tstr_axiom_spec taxs :: str_rem, sig_rem, final_env)
  in
  if !Clflags.save_types
  then List.iter (function {pstr_loc = l} -> Stypes.record_phrase l) sstr;
  type_struct env sstr

let type_module = type_module None
let type_structure = type_structure None

(* Fill in the forward declaration *)
let _ =
  Typecore.type_module := type_module

(* Normalize types in a signature *)

let rec normalize_modtype env = function
    Tmty_ident p -> ()
  | Tmty_signature sg -> normalize_signature env sg
  | Tmty_functor(id, param, body) -> normalize_modtype env body

and normalize_signature env = List.iter (normalize_signature_item env)

and normalize_signature_item env = function
    Tsig_value(id, desc) -> Ctype.normalize_type env desc.val_type
  | Tsig_module(id, mty, _) -> normalize_modtype env mty
  | _ -> ()

(* Simplify multiple specifications of a value or an exception in a signature.
   (Other signature components, e.g. types, modules, etc, are checked for
   name uniqueness.)  If multiple specifications with the same name,
   keep only the last (rightmost) one. *)

let rec simplify_modtype mty =
  match mty with
    Tmty_ident path -> mty
  | Tmty_functor(id, arg, res) -> Tmty_functor(id, arg, simplify_modtype res)
  | Tmty_signature sg -> Tmty_signature(simplify_signature sg)

and simplify_signature sg =
  let rec simplif val_names exn_names res = function
    [] -> res
  | (Tsig_value(id, descr) as component) :: sg ->
      let name = Ident.name id in
      simplif (StringSet.add name val_names) exn_names
              (if StringSet.mem name val_names then res else component :: res)
              sg
  | (Tsig_exception(id, decl) as component) :: sg ->
      let name = Ident.name id in
      simplif val_names (StringSet.add name exn_names)
              (if StringSet.mem name exn_names then res else component :: res)
              sg
  | Tsig_module(id, mty, rs) :: sg ->
      simplif val_names exn_names
              (Tsig_module(id, simplify_modtype mty, rs) :: res) sg
  | component :: sg ->
      simplif val_names exn_names (component :: res) sg
  in
    simplif StringSet.empty StringSet.empty [] (List.rev sg)

(* Typecheck an implementation file *)

let type_implementation sourcefile outputprefix modulename initial_env ast =
  Typecore.reset_delayed_checks ();
  let (str, sg, finalenv) =
    Misc.try_finally (fun () -> type_structure initial_env ast)
                     (fun () -> Stypes.dump (outputprefix ^ ".annot"))
  in
  let simple_sg = simplify_signature sg in
  Typecore.force_delayed_checks ();
  if !Clflags.print_types then begin
    fprintf std_formatter "%a@." Printtyp.signature simple_sg;
    (str, Tcoerce_none)   (* result is ignored by Compile.implementation *)
  end else begin
    let sourceintf =
      Misc.chop_extension_if_any sourcefile ^ !Config.interface_suffix in
    if Sys.file_exists sourceintf then begin
      let intf_file =
        try
          find_in_path_uncap !Config.load_path (modulename ^ ".cmi")
        with Not_found ->
          raise(Error(Location.none, Interface_not_compiled sourceintf)) in
      let dclsig = Env.read_signature modulename intf_file in
      let coercion = Includemod.compunit sourcefile sg intf_file dclsig in
      (str, coercion)
    end else begin
      check_nongen_schemes finalenv str;
      normalize_signature finalenv sg;
      let coercion =
        Includemod.compunit sourcefile sg
                            "(inferred signature)" simple_sg in
      if not !Clflags.dont_write_files then
        Env.save_signature simple_sg modulename (outputprefix ^ ".cmi");
      (str, coercion)
    end
  end

(* "Packaging" of several compilation units into one unit
   having them as sub-modules.  *)

let rec package_signatures subst = function
    [] -> []
  | (name, sg) :: rem ->
      let sg' = Subst.signature subst sg in
      let oldid = Ident.create_persistent name
      and newid = Ident.create name in
      Tsig_module(newid, Tmty_signature sg', Trec_not) ::
      package_signatures (Subst.add_module oldid (Pident newid) subst) rem

let package_units objfiles cmifile modulename =
  (* Read the signatures of the units *)
  let units =
    List.map
      (fun f ->
         let pref = chop_extensions f in
         let modname = String.capitalize(Filename.basename pref) in
         let sg = Env.read_signature modname (pref ^ ".cmi") in
         if Filename.check_suffix f ".cmi" &&
            not(Mtype.no_code_needed_sig Env.initial sg)
         then raise(Error(Location.none, Implementation_is_required f));
         (modname, Env.read_signature modname (pref ^ ".cmi")))
      objfiles in
  (* Compute signature of packaged unit *)
  Ident.reinit();
  let sg = package_signatures Subst.identity units in
  (* See if explicit interface is provided *)
  let mlifile =
    chop_extension_if_any cmifile ^ !Config.interface_suffix in
  if Sys.file_exists mlifile then begin
    if not (Sys.file_exists cmifile) then begin
      raise(Error(Location.in_file mlifile, Interface_not_compiled mlifile))
    end;
    let dclsig = Env.read_signature modulename cmifile in
    Includemod.compunit "(obtained by packing)" sg mlifile dclsig
  end else begin
    (* Determine imports *)
    let unit_names = List.map fst units in
    let imports =
      List.filter
        (fun (name, crc) -> not (List.mem name unit_names))
        (Env.imported_units()) in
    (* Write packaged signature *)
    Env.save_signature_with_imports sg modulename cmifile imports;
    Tcoerce_none
  end

(* Error report *)

open Printtyp

let report_error ppf = function
  | Unbound_module lid -> fprintf ppf "Unbound module %a" longident lid
  | Unbound_modtype lid -> fprintf ppf "Unbound module type %a" longident lid
  | Cannot_apply mty ->
      fprintf ppf
        "@[This module is not a functor; it has type@ %a@]" modtype mty
  | Not_included errs ->
      fprintf ppf
        "@[Signature mismatch:@ %a@]" Includemod.report_error errs
  | Cannot_eliminate_dependency mty ->
      fprintf ppf
        "@[This functor has type@ %a@ \
           The parameter cannot be eliminated in the result type.@  \
           Please bind the argument to a module identifier.@]" modtype mty
  | Signature_expected -> fprintf ppf "This module type is not a signature"
  | Structure_expected mty ->
      fprintf ppf
        "@[This module is not a structure; it has type@ %a" modtype mty
  | With_no_component lid ->
      fprintf ppf
        "@[The signature constrained by `with' has no component named %a@]"
        longident lid
  | With_mismatch(lid, explanation) ->
      fprintf ppf
        "@[\
           @[In this `with' constraint, the new definition of %a@ \
             does not match its original definition@ \
             in the constrained signature:@]@ \
           %a@]"
        longident lid Includemod.report_error explanation
  | Repeated_name(kind, name) ->
      fprintf ppf
        "@[Multiple definition of the %s name %s.@ \
           Names must be unique in a given structure or signature.@]" kind name
  | Non_generalizable typ ->
      fprintf ppf
        "@[The type of this expression,@ %a,@ \
           contains type variables that cannot be generalized@]" type_scheme typ
  | Non_generalizable_class (id, desc) ->
      fprintf ppf
        "@[The type of this class,@ %a,@ \
           contains type variables that cannot be generalized@]"
        (class_declaration id) desc
  | Non_generalizable_module mty ->
      fprintf ppf
        "@[The type of this module,@ %a,@ \
           contains type variables that cannot be generalized@]" modtype mty
  | Implementation_is_required intf_name ->
      fprintf ppf
        "@[The interface %s@ declares values, not just types.@ \
           An implementation must be provided.@]" intf_name
  | Interface_not_compiled intf_name ->
      fprintf ppf
        "@[Could not find the .cmi file for interface@ %s.@]" intf_name
why-2.34/ml/typing/typedtree.mli0000644000175000017500000001633312311670312015255 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: typedtree.mli,v 1.10 2007-12-20 17:10:01 bardou Exp $ *)

(* Abstract syntax tree after typing *)

open Asttypes
open Types

(* Value expressions for the core language *)

type pattern =
  { pat_desc: pattern_desc;
    pat_loc: Location.t;
    pat_type: type_expr;
    pat_env: Env.t }

and pattern_desc =
    Tpat_any
  | Tpat_var of Ident.t
  | Tpat_alias of pattern * Ident.t
  | Tpat_constant of constant
  | Tpat_tuple of pattern list
  | Tpat_construct of constructor_description * pattern list
  | Tpat_variant of label * pattern option * row_desc
  | Tpat_record of (label_description * pattern) list
  | Tpat_array of pattern list
  | Tpat_or of pattern * pattern * Path.t option

type partial = Partial | Total
type optional = Required | Optional

type expression =
  { exp_desc: expression_desc;
    exp_loc: Location.t;
    exp_type: type_expr;
    exp_env: Env.t }

and expression_desc =
    Texp_ident of Path.t * value_description
  | Texp_constant of constant
  | Texp_let of rec_flag * (pattern * expression) list * expression
  | Texp_function of (pattern * expression) list * partial
  | Texp_apply of expression * (expression option * optional) list
  | Texp_match of expression * (pattern * expression) list * partial
  | Texp_try of expression * (pattern * expression) list
  | Texp_tuple of expression list
  | Texp_construct of constructor_description * expression list
  | Texp_variant of label * expression option
  | Texp_record of (label_description * expression) list * expression option
  | Texp_field of expression * label_description
  | Texp_setfield of expression * label_description * expression
  | Texp_array of expression list
  | Texp_ifthenelse of expression * expression * expression option
  | Texp_sequence of expression * expression
  | Texp_while of expression * while_spec * expression
  | Texp_for of
      Ident.t * expression * expression * direction_flag * expression
  | Texp_when of expression * expression
  | Texp_send of expression * meth
  | Texp_new of Path.t * class_declaration
  | Texp_instvar of Path.t * Path.t
  | Texp_setinstvar of Path.t * Path.t * expression
  | Texp_override of Path.t * (Path.t * expression) list
  | Texp_letmodule of Ident.t * module_expr * expression
  | Texp_assert of expression
  | Texp_assertfalse
  | Texp_lazy of expression
  | Texp_object of class_structure * class_signature * string list
  | Texp_result
  | Texp_old of expression
  | Texp_implies of expression * expression

and while_spec = {
  ws_invariant: expression option;
  ws_variant: expression option;
}

and meth =
    Tmeth_name of string
  | Tmeth_val of Ident.t

(* Value expressions for the class language *)

and class_expr =
  { cl_desc: class_expr_desc;
    cl_loc: Location.t;
    cl_type: class_type;
    cl_env: Env.t }

and class_expr_desc =
    Tclass_ident of Path.t
  | Tclass_structure of class_structure
  | Tclass_fun of pattern * (Ident.t * expression) list * class_expr * partial
  | Tclass_apply of class_expr * (expression option * optional) list
  | Tclass_let of rec_flag *  (pattern * expression) list *
                  (Ident.t * expression) list * class_expr
  | Tclass_constraint of class_expr * string list * string list * Concr.t
    (* Visible instance variables, methods and concretes methods *)

and class_structure =
  { cl_field: class_field list;
    cl_meths: Ident.t Meths.t }

and class_field =
    Cf_inher of class_expr * (string * Ident.t) list * (string * Ident.t) list
    (* Inherited instance variables and concrete methods *)
  | Cf_val of string * Ident.t * expression option * bool
        (* None = virtual, true = override *)
  | Cf_meth of string * expression
  | Cf_let of rec_flag * (pattern * expression) list *
              (Ident.t * expression) list
  | Cf_init of expression

(* Value expressions for the module language *)

and module_expr =
  { mod_desc: module_expr_desc;
    mod_loc: Location.t;
    mod_type: module_type;
    mod_env: Env.t }

and module_expr_desc =
    Tmod_ident of Path.t
  | Tmod_structure of structure
  | Tmod_functor of Ident.t * module_type * module_expr
  | Tmod_apply of module_expr * module_expr * module_coercion
  | Tmod_constraint of module_expr * module_type * module_coercion

and structure = structure_item list

and structure_item =
    Tstr_eval of expression
  | Tstr_value of rec_flag * (pattern * expression) list
  | Tstr_primitive of Ident.t * value_description
  | Tstr_type of (Ident.t * type_declaration) list
  | Tstr_exception of Ident.t * exception_declaration
  | Tstr_exn_rebind of Ident.t * Path.t
  | Tstr_module of Ident.t * module_expr
  | Tstr_recmodule of (Ident.t * module_expr) list
  | Tstr_modtype of Ident.t * module_type
  | Tstr_open of Path.t
  | Tstr_class of
      (Ident.t * int * string list * class_expr * virtual_flag) list
  | Tstr_cltype of (Ident.t * cltype_declaration) list
  | Tstr_include of module_expr * Ident.t list
  | Tstr_function_spec of function_spec
  | Tstr_type_spec of type_spec
  | Tstr_logic_function_spec of logic_function_spec
  | Tstr_logic_type_spec of Ident.t * Types.type_declaration
  | Tstr_axiom_spec of axiom_spec

and behavior = {
  b_name: string;
  b_ensures: expression;
}

and function_spec = {
  fs_function: Path.t;
  fs_arguments: Ident.t list;
  fs_requires: expression option;
  fs_behaviors: behavior list;
}

and type_invariant = {
  ti_name: Ident.t;
  ti_argument: pattern;
  ti_body: expression;
}

and type_spec = {
  ts_type: Path.t;
  ts_invariants: type_invariant list;
}

and read_location =
  | RLvar of Path.t
  | RLderef of read_location * label_description

and optional_body =
  | OBreads of read_location list
  | OBbody of expression

and logic_function_spec = {
  lfs_name: Ident.t;
  lfs_arguments: pattern list;
  lfs_return_type: type_expr;
  lfs_body: optional_body;
  lfs_predicate: bool;
}

and axiom_spec = {
  as_name: string;
  as_arguments: pattern list;
  as_body: expression;
}

and module_coercion =
    Tcoerce_none
  | Tcoerce_structure of (int * module_coercion) list
  | Tcoerce_functor of module_coercion * module_coercion
  | Tcoerce_primitive of Primitive.description

(* Auxiliary functions over the a.s.t. *)

val iter_pattern_desc : (pattern -> unit) -> pattern_desc -> unit
val map_pattern_desc : (pattern -> pattern) -> pattern_desc -> pattern_desc

val let_bound_idents: (pattern * expression) list -> Ident.t list
val rev_let_bound_idents: (pattern * expression) list -> Ident.t list

(* Alpha conversion of patterns *)
val alpha_pat : (Ident.t * Ident.t) list -> pattern -> pattern

why-2.34/ml/typing/types.ml0000644000175000017500000001532512311670312014243 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: types.ml,v 1.3 2007-12-13 16:42:57 bardou Exp $ *)

(* Representation of types and declarations *)

open Misc
open Asttypes

(* Type expressions for the core language *)

type type_expr =
  { mutable desc: type_desc; 
    mutable level: int;
    mutable id: int }

and type_desc =
    Tvar
  | Tarrow of label * type_expr * type_expr * commutable
  | Ttuple of type_expr list
  | Tconstr of Path.t * type_expr list * abbrev_memo ref
  | Tobject of type_expr * (Path.t * type_expr list) option ref
  | Tfield of string * field_kind * type_expr * type_expr
  | Tnil
  | Tlink of type_expr
  | Tsubst of type_expr
  | Tvariant of row_desc
  | Tunivar
  | Tpoly of type_expr * type_expr list

and row_desc =
    { row_fields: (label * row_field) list;
      row_more: type_expr;
      row_bound: type_expr list;
      row_closed: bool;
      row_fixed: bool;
      row_name: (Path.t * type_expr list) option }

and row_field =
    Rpresent of type_expr option
  | Reither of bool * type_expr list * bool * row_field option ref
  | Rabsent

and abbrev_memo =
    Mnil
  | Mcons of Path.t * type_expr * type_expr * abbrev_memo
  | Mlink of abbrev_memo ref

and field_kind =
    Fvar of field_kind option ref
  | Fpresent
  | Fabsent

and commutable =
    Cok
  | Cunknown
  | Clink of commutable ref

module TypeOps = struct
  type t = type_expr
  let compare t1 t2 = t1.id - t2.id
  let hash t = t.id
  let equal t1 t2 = t1 == t2
end

(* Maps of methods and instance variables *)

module OrderedString = struct type t = string let compare = compare end
module Meths = Map.Make(OrderedString)
module Vars = Meths

(* Value descriptions *)

type value_description =
  { val_type: type_expr;                (* Type of the value *)
    val_kind: value_kind }

and value_kind =
    Val_reg                             (* Regular value *)
  | Val_prim of Primitive.description   (* Primitive *)
  | Val_ivar of mutable_flag * string   (* Instance variable (mutable ?) *)
  | Val_self of (Ident.t * type_expr) Meths.t ref *
                (Ident.t * Asttypes.mutable_flag *
                 Asttypes.virtual_flag * type_expr) Vars.t ref *
                string * type_expr
                                        (* Self *)
  | Val_anc of (string * Ident.t) list * string
                                        (* Ancestor *)
  | Val_unbound                         (* Unbound variable *)

(* Constructor descriptions *)

type constructor_description =
  { cstr_res: type_expr;                (* Type of the result *)
    cstr_args: type_expr list;          (* Type of the arguments *)
    cstr_arity: int;                    (* Number of arguments *)
    cstr_tag: constructor_tag;          (* Tag for heap blocks *)
    cstr_consts: int;                   (* Number of constant constructors *)
    cstr_nonconsts: int;                (* Number of non-const constructors *)
    cstr_private: private_flag;         (* Read-only constructor? *)
    cstr_name: string }                 (* Used by Jessica *)

and constructor_tag =
    Cstr_constant of int                (* Constant constructor (an int) *)
  | Cstr_block of int                   (* Regular constructor (a block) *)
  | Cstr_exception of Path.t            (* Exception constructor *)

(* Record label descriptions *)

type label_description =
  { lbl_res: type_expr;                 (* Type of the result *)
    lbl_arg: type_expr;                 (* Type of the argument *)
    lbl_mut: mutable_flag;              (* Is this a mutable field? *)
    lbl_pos: int;                       (* Position in block *)
    lbl_all: label_description array;   (* All the labels in this type *)
    lbl_repres: record_representation;  (* Representation for this record *)
    lbl_private: private_flag;          (* Read-only field? *)
    lbl_name: string }                  (* Used by Jessica *)

and record_representation =
    Record_regular                      (* All fields are boxed / tagged *)
  | Record_float                        (* All fields are floats *)

(* Type definitions *)

type type_declaration =
  { type_params: type_expr list;
    type_arity: int;
    type_kind: type_kind;
    type_manifest: type_expr option;
    type_variance: (bool * bool * bool) list }

and type_kind =
    Type_abstract
  | Type_variant of (string * type_expr list) list * private_flag
  | Type_record of (string * mutable_flag * type_expr) list
                 * record_representation * private_flag

type exception_declaration = type_expr list

(* Type expressions for the class language *)

module Concr = Set.Make(OrderedString)

type class_type =
    Tcty_constr of Path.t * type_expr list * class_type
  | Tcty_signature of class_signature
  | Tcty_fun of label * type_expr * class_type

and class_signature =
  { cty_self: type_expr;
    cty_vars:
      (Asttypes.mutable_flag * Asttypes.virtual_flag * type_expr) Vars.t;
    cty_concr: Concr.t;
    cty_inher: (Path.t * type_expr list) list }

type class_declaration =
  { cty_params: type_expr list;
    mutable cty_type: class_type;
    cty_path: Path.t;
    cty_new: type_expr option;
    cty_variance: (bool * bool) list }

type cltype_declaration =
  { clty_params: type_expr list;
    clty_type: class_type;
    clty_path: Path.t;
    clty_variance: (bool * bool) list }

(* Type expressions for the module language *)

type module_type =
    Tmty_ident of Path.t
  | Tmty_signature of signature
  | Tmty_functor of Ident.t * module_type * module_type

and signature = signature_item list

and signature_item =
    Tsig_value of Ident.t * value_description
  | Tsig_type of Ident.t * type_declaration * rec_status
  | Tsig_exception of Ident.t * exception_declaration
  | Tsig_module of Ident.t * module_type * rec_status
  | Tsig_modtype of Ident.t * modtype_declaration
  | Tsig_class of Ident.t * class_declaration * rec_status
  | Tsig_cltype of Ident.t * cltype_declaration * rec_status

and modtype_declaration =
    Tmodtype_abstract
  | Tmodtype_manifest of module_type

and rec_status =
    Trec_not
  | Trec_first
  | Trec_next
why-2.34/ml/typing/typemod.mli0000644000175000017500000000434612311670312014732 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: typemod.mli,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* Type-checking of the module language *)

open Types
open Format

val type_module:
        Env.t -> Parsetree.module_expr -> Typedtree.module_expr
val type_structure:
        Env.t -> Parsetree.structure -> Typedtree.structure * signature * Env.t
val type_implementation:
        string -> string -> string -> Env.t -> Parsetree.structure ->
                               Typedtree.structure * Typedtree.module_coercion
val transl_signature:
        Env.t -> Parsetree.signature -> signature
val check_nongen_schemes:
        Env.t -> Typedtree.structure -> unit

val simplify_signature: signature -> signature

val package_units:
        string list -> string -> string -> Typedtree.module_coercion

type error =
    Unbound_module of Longident.t
  | Unbound_modtype of Longident.t
  | Cannot_apply of module_type
  | Not_included of Includemod.error list
  | Cannot_eliminate_dependency of module_type
  | Signature_expected
  | Structure_expected of module_type
  | With_no_component of Longident.t
  | With_mismatch of Longident.t * Includemod.error list
  | Repeated_name of string * string
  | Non_generalizable of type_expr
  | Non_generalizable_class of Ident.t * class_declaration
  | Non_generalizable_module of module_type
  | Implementation_is_required of string
  | Interface_not_compiled of string

exception Error of Location.t * error

val report_error: formatter -> error -> unit
why-2.34/ml/typing/unused_var.mli0000644000175000017500000000177112311670312015423 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*           Damien Doligez, projet Cristal, INRIA Rocquencourt        *)
(*                                                                     *)
(*  Copyright 2004 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: unused_var.mli,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

val warn : Format.formatter -> Parsetree.structure -> Parsetree.structure;;
(* Warn on unused variables; return the second argument. *)
why-2.34/ml/typing/typedecl.ml0000644000175000017500000010024212311670312014701 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(* Xavier Leroy and Jerome Vouillon, projet Cristal, INRIA Rocquencourt*)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: typedecl.ml,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(**** Typing of type definitions ****)

open Misc
open Asttypes
open Parsetree
open Primitive
open Types
open Typedtree
open Typetexp

type error =
    Repeated_parameter
  | Duplicate_constructor of string
  | Too_many_constructors
  | Duplicate_label of string
  | Recursive_abbrev of string
  | Definition_mismatch of type_expr
  | Constraint_failed of type_expr * type_expr
  | Unconsistent_constraint of (type_expr * type_expr) list
  | Type_clash of (type_expr * type_expr) list
  | Parameters_differ of Path.t * type_expr * type_expr
  | Null_arity_external
  | Missing_native_external
  | Unbound_type_var of type_expr * type_declaration
  | Unbound_exception of Longident.t
  | Not_an_exception of Longident.t
  | Bad_variance of int * (bool*bool) * (bool*bool)
  | Unavailable_type_constructor of Path.t
  | Bad_fixed_type of string

exception Error of Location.t * error

(* Enter all declared types in the environment as abstract types *)

let enter_type env (name, sdecl) id =
  let decl =
    { type_params =
        List.map (fun _ -> Btype.newgenvar ()) sdecl.ptype_params;
      type_arity = List.length sdecl.ptype_params;
      type_kind = Type_abstract;
      type_manifest =
        begin match sdecl.ptype_manifest with None -> None
        | Some _ -> Some(Ctype.newvar ()) end;
      type_variance = List.map (fun _ -> true, true, true) sdecl.ptype_params;
    }
  in
  Env.add_type id decl env

let update_type temp_env env id loc =
  let path = Path.Pident id in
  let decl = Env.find_type path temp_env in
  match decl.type_manifest with None -> ()
  | Some ty ->
      let params = List.map (fun _ -> Ctype.newvar ()) decl.type_params in
      try Ctype.unify env (Ctype.newconstr path params) ty
      with Ctype.Unify trace ->
        raise (Error(loc, Type_clash trace))

(* Determine if a type is (an abbreviation for) the type "float" *)

let is_float env ty =
  match Ctype.repr (Ctype.expand_head env ty) with
    {desc = Tconstr(p, _, _)} -> Path.same p Predef.path_float
  | _ -> false

(* Set the row variable in a fixed type *)
let set_fixed_row env loc p decl =
  let tm =
    match decl.type_manifest with
      None -> assert false
    | Some t -> Ctype.expand_head env t
  in
  let rv =
    match tm.desc with
      Tvariant row ->
        let row = Btype.row_repr row in
        tm.desc <- Tvariant {row with row_fixed = true};
        if Btype.static_row row then Btype.newgenty Tnil
        else row.row_more
    | Tobject (ty, _) ->
        snd (Ctype.flatten_fields ty)
    | _ ->
        raise (Error (loc, Bad_fixed_type "is not an object or variant"))
  in
  if rv.desc <> Tvar then
    raise (Error (loc, Bad_fixed_type "has no row variable"));
  rv.desc <- Tconstr (p, decl.type_params, ref Mnil)

(* Translate one type declaration *)

module StringSet =
  Set.Make(struct
    type t = string
    let compare = compare
  end)

let transl_declaration env (name, sdecl) id =
  (* Bind type parameters *)
  reset_type_variables();
  Ctype.begin_def ();
  let params =
    try List.map (enter_type_variable true sdecl.ptype_loc) sdecl.ptype_params
    with Already_bound ->
      raise(Error(sdecl.ptype_loc, Repeated_parameter))
  in
  let cstrs = List.map
      (fun (sty, sty', loc) ->
        transl_simple_type env false sty,
        transl_simple_type env false sty', loc)
      sdecl.ptype_cstrs
  in
  let decl =
    { type_params = params;
      type_arity = List.length params;
      type_kind =
        begin match sdecl.ptype_kind with
          Ptype_abstract | Ptype_private ->
            Type_abstract
        | Ptype_variant (cstrs, priv) ->
            let all_constrs = ref StringSet.empty in
            List.iter
              (fun (name, args, loc) ->
                if StringSet.mem name !all_constrs then
                  raise(Error(sdecl.ptype_loc, Duplicate_constructor name));
                all_constrs := StringSet.add name !all_constrs)
              cstrs;
            if List.length (List.filter (fun (_, args, _) -> args <> []) cstrs)
               > (Config.max_tag + 1) then
              raise(Error(sdecl.ptype_loc, Too_many_constructors));
            Type_variant(List.map
              (fun (name, args, loc) ->
                      (name, List.map (transl_simple_type env true) args))
              cstrs, priv)
        | Ptype_record (lbls, priv) ->
            let all_labels = ref StringSet.empty in
            List.iter
              (fun (name, mut, arg, loc) ->
                if StringSet.mem name !all_labels then
                  raise(Error(sdecl.ptype_loc, Duplicate_label name));
                all_labels := StringSet.add name !all_labels)
              lbls;
            let lbls' =
              List.map
                (fun (name, mut, arg, loc) ->
                  let ty = transl_simple_type env true arg in
                  name, mut, match ty.desc with Tpoly(t,[]) -> t | _ -> ty)
                lbls in
            let rep =
              if List.for_all (fun (name, mut, arg) -> is_float env arg) lbls'
              then Record_float
              else Record_regular in
            Type_record(lbls', rep, priv)
        end;
      type_manifest =
        begin match sdecl.ptype_manifest with
          None -> None
        | Some sty ->
            let ty =
              transl_simple_type env (sdecl.ptype_kind <> Ptype_private) sty in
            if Ctype.cyclic_abbrev env id ty then
              raise(Error(sdecl.ptype_loc, Recursive_abbrev name));
            Some ty
        end;
      type_variance = List.map (fun _ -> true, true, true) params;
    } in

  (* Check constraints *)
  List.iter
    (fun (ty, ty', loc) ->
      try Ctype.unify env ty ty' with Ctype.Unify tr ->
        raise(Error(loc, Unconsistent_constraint tr)))
    cstrs;
  Ctype.end_def ();
  if sdecl.ptype_kind = Ptype_private then begin
    let (p, _) =
      try Env.lookup_type (Longident.Lident(Ident.name id ^ "#row")) env
      with Not_found -> assert false in
    set_fixed_row env sdecl.ptype_loc p decl
  end;
  (id, decl)

(* Generalize a type declaration *)

let generalize_decl decl =
  List.iter Ctype.generalize decl.type_params;
  begin match decl.type_kind with
    Type_abstract ->
      ()
  | Type_variant (v, priv) ->
      List.iter (fun (_, tyl) -> List.iter Ctype.generalize tyl) v
  | Type_record(r, rep, priv) ->
      List.iter (fun (_, _, ty) -> Ctype.generalize ty) r
  end;
  begin match decl.type_manifest with
  | None    -> ()
  | Some ty -> Ctype.generalize ty
  end

(* Check that all constraints are enforced *)

module TypeSet =
  Set.Make
    (struct
      type t = type_expr
      let compare t1 t2 = t1.id - t2.id
    end)

let rec check_constraints_rec env loc visited ty =
  let ty = Ctype.repr ty in
  if TypeSet.mem ty !visited then () else begin
  visited := TypeSet.add ty !visited;
  match ty.desc with
  | Tconstr (path, args, _) ->
      let args' = List.map (fun _ -> Ctype.newvar ()) args in
      let ty' = Ctype.newconstr path args' in
      begin try Ctype.enforce_constraints env ty'
      with Ctype.Unify _ -> assert false
      | Not_found -> raise (Error(loc, Unavailable_type_constructor path))
      end;
      if not (Ctype.matches env ty ty') then
        raise (Error(loc, Constraint_failed (ty, ty')));
      List.iter (check_constraints_rec env loc visited) args
  | Tpoly (ty, tl) ->
      let _, ty = Ctype.instance_poly false tl ty in
      check_constraints_rec env loc visited ty
  | _ ->
      Btype.iter_type_expr (check_constraints_rec env loc visited) ty
  end

let check_constraints env (_, sdecl) (_, decl) =
  let visited = ref TypeSet.empty in
  begin match decl.type_kind with
  | Type_abstract -> ()
  | Type_variant (l, _) ->
      let rec find_pl = function
          Ptype_variant(pl, _) -> pl
        | Ptype_record _ | Ptype_abstract | Ptype_private -> assert false
      in
      let pl = find_pl sdecl.ptype_kind in
      List.iter
        (fun (name, tyl) ->
          let styl =
            try let (_,sty,_) = List.find (fun (n,_,_) -> n = name) pl in sty
            with Not_found -> assert false in
          List.iter2
            (fun sty ty ->
              check_constraints_rec env sty.ptyp_loc visited ty)
            styl tyl)
        l
  | Type_record (l, _, _) ->
      let rec find_pl = function
          Ptype_record(pl, _) -> pl
        | Ptype_variant _ | Ptype_abstract | Ptype_private -> assert false
      in
      let pl = find_pl sdecl.ptype_kind in
      let rec get_loc name = function
          [] -> assert false
        | (name', _, sty, _) :: tl ->
            if name = name' then sty.ptyp_loc else get_loc name tl
      in
      List.iter
        (fun (name, _, ty) ->
          check_constraints_rec env (get_loc name pl) visited ty)
        l
  end;
  begin match decl.type_manifest with
  | None -> ()
  | Some ty ->
      let sty =
        match sdecl.ptype_manifest with Some sty -> sty | _ -> assert false
      in
      check_constraints_rec env sty.ptyp_loc visited ty
  end

(*
   If both a variant/record definition and a type equation are given,
   need to check that the equation refers to a type of the same kind
   with the same constructors and labels.
*)
let check_abbrev env (_, sdecl) (id, decl) =
  match decl with
    {type_kind = (Type_variant _ | Type_record _); type_manifest = Some ty} ->
      begin match (Ctype.repr ty).desc with
        Tconstr(path, args, _) ->
          begin try
            let decl' = Env.find_type path env in
            if List.length args = List.length decl.type_params
            && Ctype.equal env false args decl.type_params
            && Includecore.type_declarations env id
                decl'
                (Subst.type_declaration (Subst.add_type id path Subst.identity)
                                        decl)
            then ()
            else raise(Error(sdecl.ptype_loc, Definition_mismatch ty))
          with Not_found ->
            raise(Error(sdecl.ptype_loc, Unavailable_type_constructor path))
          end
      | _ -> raise(Error(sdecl.ptype_loc, Definition_mismatch ty))
      end
  | _ -> ()

(* Check for ill-defined abbrevs *)

let check_recursion env loc path decl to_check =
  (* to_check is true for potentially mutually recursive paths.
     (path, decl) is the type declaration to be checked. *)

  let visited = ref [] in

  let rec check_regular cpath args prev_exp ty =
    let ty = Ctype.repr ty in
    if not (List.memq ty !visited) then begin
      visited := ty :: !visited;
      match ty.desc with
      | Tconstr(path', args', _) ->
          if Path.same path path' then begin
            if not (Ctype.equal env false args args') then
              raise (Error(loc,
                     Parameters_differ(cpath, ty, Ctype.newconstr path args)))
          end
          (* Attempt to expand a type abbreviation if:
              1- [to_check path'] holds
                 (otherwise the expansion cannot involve [path]);
              2- we haven't expanded this type constructor before
                 (otherwise we could loop if [path'] is itself
                 a non-regular abbreviation). *)
          else if to_check path' && not (List.mem path' prev_exp) then begin
            try
              (* Attempt expansion *)
              let (params0, body0) = Env.find_type_expansion path' env in
              let (params, body) =
                Ctype.instance_parameterized_type params0 body0 in
              begin
                try List.iter2 (Ctype.unify env) params args'
                with Ctype.Unify _ ->
                  raise (Error(loc, Constraint_failed
                                 (ty, Ctype.newconstr path' params0)));
              end;
              check_regular path' args (path' :: prev_exp) body
            with Not_found -> ()
          end;
          List.iter (check_regular cpath args prev_exp) args'
      | Tpoly (ty, tl) ->
          let (_, ty) = Ctype.instance_poly false tl ty in
          check_regular cpath args prev_exp ty
      | _ ->
          Btype.iter_type_expr (check_regular cpath args prev_exp) ty
    end in

  match decl.type_manifest with
  | None -> ()
  | Some body ->
      (* Check that recursion is well-founded *)
      begin try
        Ctype.correct_abbrev env path decl.type_params body
      with Ctype.Recursive_abbrev ->
        raise(Error(loc, Recursive_abbrev (Path.name path)))
      | Ctype.Unify trace -> raise(Error(loc, Type_clash trace))
      end;
      (* Check that recursion is regular *)
      if decl.type_params = [] then () else
      let (args, body) =
        Ctype.instance_parameterized_type decl.type_params body in
      check_regular path args [] body

let check_abbrev_recursion env id_loc_list (id, decl) =
  check_recursion env (List.assoc id id_loc_list) (Path.Pident id) decl
    (function Path.Pident id -> List.mem_assoc id id_loc_list | _ -> false)

(* Compute variance *)

let compute_variance env tvl nega posi cntr ty =
  let pvisited = ref TypeSet.empty
  and nvisited = ref TypeSet.empty
  and cvisited = ref TypeSet.empty in
  let rec compute_variance_rec posi nega cntr ty =
    let ty = Ctype.repr ty in
    if (not posi || TypeSet.mem ty !pvisited)
    && (not nega || TypeSet.mem ty !nvisited)
    && (not cntr || TypeSet.mem ty !cvisited) then
      ()
    else begin
      if posi then pvisited := TypeSet.add ty !pvisited;
      if nega then nvisited := TypeSet.add ty !nvisited;
      if cntr then cvisited := TypeSet.add ty !cvisited;
      let compute_same = compute_variance_rec posi nega cntr in
      match ty.desc with
        Tarrow (_, ty1, ty2, _) ->
          compute_variance_rec nega posi true ty1;
          compute_same ty2
      | Ttuple tl ->
          List.iter compute_same tl
      | Tconstr (path, tl, _) ->
          if tl = [] then () else begin
            try
              let decl = Env.find_type path env in
              List.iter2
                (fun ty (co,cn,ct) ->
                  compute_variance_rec
                    (posi && co || nega && cn)
                    (posi && cn || nega && co)
                    (cntr || ct)
                    ty)
                tl decl.type_variance
            with Not_found ->
              List.iter (compute_variance_rec true true true) tl
          end
      | Tobject (ty, _) ->
          compute_same ty
      | Tfield (_, _, ty1, ty2) ->
          compute_same ty1;
          compute_same ty2
      | Tsubst ty ->
          compute_same ty
      | Tvariant row ->
          let row = Btype.row_repr row in
          List.iter
            (fun (_,f) ->
              match Btype.row_field_repr f with
                Rpresent (Some ty) ->
                  compute_same ty
              | Reither (_, tyl, _, _) ->
                  List.iter compute_same tyl
              | _ -> ())
            row.row_fields;
          compute_same row.row_more
      | Tpoly (ty, _) ->
          compute_same ty
      | Tvar | Tnil | Tlink _ | Tunivar -> ()
    end
  in
  compute_variance_rec nega posi cntr ty;
  List.iter
    (fun (ty, covar, convar, ctvar) ->
      if TypeSet.mem ty !pvisited then covar := true;
      if TypeSet.mem ty !nvisited then convar := true;
      if TypeSet.mem ty !cvisited then ctvar := true)
    tvl

let make_variance ty = (ty, ref false, ref false, ref false)
let whole_type decl =
  match decl.type_kind with
    Type_variant (tll,_) ->
      Btype.newgenty
        (Ttuple (List.map (fun (_, tl) -> Btype.newgenty (Ttuple tl)) tll))
  | Type_record (ftl, _, _) ->
      Btype.newgenty
        (Ttuple (List.map (fun (_, _, ty) -> ty) ftl))
  | Type_abstract ->
      match decl.type_manifest with
        Some ty -> ty
      | _ -> Btype.newgenty (Ttuple [])

let compute_variance_decl env check decl (required, loc) =
  if decl.type_kind = Type_abstract && decl.type_manifest = None then
    List.map (fun (c, n) -> if c || n then (c, n, n) else (true, true, true))
      required
  else
  let params = List.map Btype.repr decl.type_params in
  let tvl0 = List.map make_variance params in
  let fvl = if check then Ctype.free_variables (whole_type decl) else [] in
  let fvl = List.filter (fun v -> not (List.memq v params)) fvl in
  let tvl1 = List.map make_variance fvl in
  let tvl2 = List.map make_variance fvl in
  let tvl = tvl0 @ tvl1 in
  begin match decl.type_kind with
    Type_abstract ->
      begin match decl.type_manifest with
        None -> assert false
      | Some ty -> compute_variance env tvl true false false ty
      end
  | Type_variant (tll, _) ->
      List.iter
        (fun (_,tl) ->
          List.iter (compute_variance env tvl true false false) tl)
        tll
  | Type_record (ftl, _, _) ->
      List.iter
        (fun (_, mut, ty) ->
          let cn = (mut = Mutable) in
          compute_variance env tvl true cn cn ty)
        ftl
  end;
  let priv =
    match decl.type_kind with
      Type_abstract ->
        begin match decl.type_manifest with
          Some ty when not (Btype.has_constr_row ty) -> Public
        | _ -> Private
        end
    | Type_variant (_, priv) | Type_record (_, _, priv) -> priv
  and required =
    List.map (fun (c,n as r) -> if c || n then r else (true,true))
      required
  in
  List.iter2
    (fun (ty, co, cn, ct) (c, n) ->
      if ty.desc <> Tvar || priv = Private then begin
        co := c; cn := n; ct := n;
        compute_variance env tvl2 c n n ty
      end)
    tvl0 required;
  List.iter2
    (fun (ty, c1, n1, t1) (_, c2, n2, t2) ->
      if !c1 && not !c2 || !n1 && not !n2
      (* || !t1 && not !t2 && decl.type_kind = Type_abstract *)
      then raise (Error(loc,
                        if not (!c2 || !n2) then Unbound_type_var (ty, decl)
                        else Bad_variance (0, (!c1,!n1), (!c2,!n2)))))
    tvl1 tvl2;
  let pos = ref 0 in
  List.map2
    (fun (_, co, cn, ct) (c, n) ->
      incr pos;
      if !co && not c || !cn && not n
      then raise (Error(loc, Bad_variance (!pos, (!co,!cn), (c,n))));
      let ct = if decl.type_kind = Type_abstract then ct else cn in
      (!co, !cn, !ct))
    tvl0 required

let is_sharp id =
  let s = Ident.name id in
  String.length s > 0 && s.[0] = '#'

let rec compute_variance_fixpoint env decls required variances =
  let new_decls =
    List.map2
      (fun (id, decl) variance -> id, {decl with type_variance = variance})
      decls variances
  in
  let new_env =
    List.fold_right (fun (id, decl) env -> Env.add_type id decl env)
      new_decls env
  in
  let new_variances =
    List.map2
      (fun (id, decl) -> compute_variance_decl new_env false decl)
      new_decls required
  in
  let new_variances =
    List.map2
      (List.map2 (fun (c1,n1,t1) (c2,n2,t2) -> c1||c2, n1||n2, t1||t2))
      new_variances variances in
  if new_variances <> variances then
    compute_variance_fixpoint env decls required new_variances
  else begin
    List.iter2
      (fun (id, decl) req -> if not (is_sharp id) then
        ignore (compute_variance_decl new_env true decl req))
      new_decls required;
    new_decls, new_env
  end

let init_variance (id, decl) =
  List.map (fun _ -> (false, false, false)) decl.type_params

(* for typeclass.ml *)
let compute_variance_decls env cldecls =
  let decls, required =
    List.fold_right
      (fun (obj_id, obj_abbr, cl_abbr, clty, cltydef, required) (decls, req) ->
        (obj_id, obj_abbr) :: decls, required :: req)
      cldecls ([],[])
  in
  let variances = List.map init_variance decls in
  let (decls, _) = compute_variance_fixpoint env decls required variances in
  List.map2
    (fun (_,decl) (_, _, cl_abbr, clty, cltydef, _) ->
      let variance = List.map (fun (c,n,t) -> (c,n)) decl.type_variance in
      (decl, {cl_abbr with type_variance = decl.type_variance},
       {clty with cty_variance = variance},
       {cltydef with clty_variance = variance}))
    decls cldecls

(* Force recursion to go through id for private types*)
let name_recursion sdecl id decl =
  match decl with
    { type_kind = Type_abstract; type_manifest = Some ty }
    when sdecl.ptype_kind = Ptype_private ->
      let ty = Ctype.repr ty in
      let ty' = Btype.newty2 ty.level ty.desc in
      if Ctype.deep_occur ty ty' then
        let td = Tconstr(Path.Pident id, decl.type_params, ref Mnil) in
        Btype.link_type ty (Btype.newty2 ty.level td);
        {decl with type_manifest = Some ty'}
      else decl
  | _ -> decl

(* Translate a set of mutually recursive type declarations *)
let transl_type_decl env name_sdecl_list =
  (* Add dummy types for fixed rows *)
  let fixed_types =
    List.filter (fun (_,sd) -> sd.ptype_kind = Ptype_private) name_sdecl_list
  in
  let name_sdecl_list =
    List.map
      (fun (name,sdecl) ->
        name^"#row",
        {sdecl with ptype_kind = Ptype_abstract; ptype_manifest = None})
      fixed_types
    @ name_sdecl_list
  in
  (* Create identifiers. *)
  let id_list =
    List.map (fun (name, _) -> Ident.create name) name_sdecl_list
  in
  (*
     Since we've introduced fresh idents, make sure the definition
     level is at least the binding time of these events. Otherwise,
     passing one of the recursively-defined type constrs as argument
     to an abbreviation may fail.
  *)
  Ctype.init_def(Ident.current_time());
  Ctype.begin_def();
  (* Enter types. *)
  let temp_env = List.fold_left2 enter_type env name_sdecl_list id_list in
  (* Translate each declaration. *)
  let decls =
    List.map2 (transl_declaration temp_env) name_sdecl_list id_list in
  (* Build the final env. *)
  let newenv =
    List.fold_right
      (fun (id, decl) env -> Env.add_type id decl env)
      decls env
  in
  (* Update stubs *)
  List.iter2
    (fun id (_, sdecl) -> update_type temp_env newenv id sdecl.ptype_loc)
    id_list name_sdecl_list;
  (* Generalize type declarations. *)
  Ctype.end_def();
  List.iter (fun (_, decl) -> generalize_decl decl) decls;
  (* Check for ill-formed abbrevs *)
  let id_loc_list =
    List.map2 (fun id (_,sdecl) -> (id, sdecl.ptype_loc))
      id_list name_sdecl_list
  in
  List.iter (check_abbrev_recursion newenv id_loc_list) decls;
  (* Check that all type variable are closed *)
  List.iter2
    (fun (_, sdecl) (id, decl) ->
       match Ctype.closed_type_decl decl with
         Some ty -> raise(Error(sdecl.ptype_loc, Unbound_type_var(ty,decl)))
       | None   -> ())
    name_sdecl_list decls;
  (* Check re-exportation *)
  List.iter2 (check_abbrev newenv) name_sdecl_list decls;
  (* Check that constraints are enforced *)
  List.iter2 (check_constraints newenv) name_sdecl_list decls;
  (* Name recursion *)
  let decls =
    List.map2 (fun (_, sdecl) (id, decl) -> id, name_recursion sdecl id decl)
      name_sdecl_list decls
  in
  (* Add variances to the environment *)
  let required =
    List.map (fun (_, sdecl) -> sdecl.ptype_variance, sdecl.ptype_loc)
      name_sdecl_list
  in
  let final_decls, final_env =
    compute_variance_fixpoint env decls required (List.map init_variance decls)
  in
  (* Done *)
  (final_decls, final_env)

(* Translate an exception declaration *)
let transl_exception env excdecl =
  reset_type_variables();
  Ctype.begin_def();
  let types = List.map (transl_simple_type env true) excdecl in
  Ctype.end_def();
  List.iter Ctype.generalize types;
  types

(* Translate an exception rebinding *)
let transl_exn_rebind env loc lid =
  let cdescr =
    try
      Env.lookup_constructor lid env
    with Not_found ->
      raise(Error(loc, Unbound_exception lid)) in
  match cdescr.cstr_tag with
    Cstr_exception path -> (path, cdescr.cstr_args)
  | _ -> raise(Error(loc, Not_an_exception lid))

(* Translate a value declaration *)
let transl_value_decl env valdecl =
  let ty = Typetexp.transl_type_scheme env valdecl.pval_type in
  match valdecl.pval_prim with
    [] ->
      { val_type = ty; val_kind = Val_reg }
  | decl ->
      let arity = Ctype.arity ty in
      if arity = 0 then
        raise(Error(valdecl.pval_type.ptyp_loc, Null_arity_external));
      let prim = Primitive.parse_declaration arity decl in
      if !Clflags.native_code
      && prim.prim_arity > 5
      && prim.prim_native_name = ""
      then raise(Error(valdecl.pval_type.ptyp_loc, Missing_native_external));
      { val_type = ty; val_kind = Val_prim prim }

(* Translate a "with" constraint -- much simplified version of
    transl_type_decl. *)
let transl_with_constraint env id row_path sdecl =
  reset_type_variables();
  Ctype.begin_def();
  let params =
    try
      List.map (enter_type_variable true sdecl.ptype_loc) sdecl.ptype_params
    with Already_bound ->
      raise(Error(sdecl.ptype_loc, Repeated_parameter)) in
  List.iter
    (function (ty, ty', loc) ->
       try
         Ctype.unify env (transl_simple_type env false ty)
                         (transl_simple_type env false ty')
       with Ctype.Unify tr ->
         raise(Error(loc, Unconsistent_constraint tr)))
    sdecl.ptype_cstrs;
  let no_row = sdecl.ptype_kind <> Ptype_private in
  let decl =
    { type_params = params;
      type_arity = List.length params;
      type_kind = Type_abstract;
      type_manifest =
        begin match sdecl.ptype_manifest with
          None -> None
        | Some sty ->
            Some(transl_simple_type env no_row sty)
        end;
      type_variance = [];
    }
  in
  begin match row_path with None -> ()
  | Some p -> set_fixed_row env sdecl.ptype_loc p decl
  end;
  begin match Ctype.closed_type_decl decl with None -> ()
  | Some ty -> raise(Error(sdecl.ptype_loc, Unbound_type_var(ty,decl)))
  end;
  let decl = name_recursion sdecl id decl in
  let decl =
    {decl with type_variance =
     compute_variance_decl env false decl
       (sdecl.ptype_variance, sdecl.ptype_loc)} in
  Ctype.end_def();
  generalize_decl decl;
  decl

(* Approximate a type declaration: just make all types abstract *)

let abstract_type_decl arity =
  let rec make_params n =
    if n <= 0 then [] else Ctype.newvar() :: make_params (n-1) in
  Ctype.begin_def();
  let decl =
    { type_params = make_params arity;
      type_arity = arity;
      type_kind = Type_abstract;
      type_manifest = None;
      type_variance = replicate_list (true, true, true) arity } in
  Ctype.end_def();
  generalize_decl decl;
  decl

let approx_type_decl env name_sdecl_list =
  List.map
    (fun (name, sdecl) ->
      (Ident.create name,
       abstract_type_decl (List.length sdecl.ptype_params)))
    name_sdecl_list

(* Variant of check_abbrev_recursion to check the well-formedness
   conditions on type abbreviations defined within recursive modules. *)

let check_recmod_typedecl env loc recmod_ids path decl =
  (* recmod_ids is the list of recursively-defined module idents.
     (path, decl) is the type declaration to be checked. *)
  check_recursion env loc path decl
    (fun path -> List.mem (Path.head path) recmod_ids)


(**** Error report ****)

open Format

let report_error ppf = function
  | Repeated_parameter ->
      fprintf ppf "A type parameter occurs several times"
  | Duplicate_constructor s ->
      fprintf ppf "Two constructors are named %s" s
  | Too_many_constructors ->
      fprintf ppf "Too many non-constant constructors -- \
                   maximum is %i non-constant constructors"
        (Config.max_tag + 1)
  | Duplicate_label s ->
      fprintf ppf "Two labels are named %s" s
  | Recursive_abbrev s ->
      fprintf ppf "The type abbreviation %s is cyclic" s
  | Definition_mismatch ty ->
      Printtyp.reset_and_mark_loops ty;
      fprintf ppf
        "The variant or record definition does not match that of type@ %a"
        Printtyp.type_expr ty
  | Constraint_failed (ty, ty') ->
      fprintf ppf "Constraints are not satisfied in this type.@.";
      Printtyp.reset_and_mark_loops ty;
      Printtyp.mark_loops ty';
      fprintf ppf "@[Type@ %a@ should be an instance of@ %a@]"
        Printtyp.type_expr ty Printtyp.type_expr ty'
  | Parameters_differ (path, ty, ty') ->
      Printtyp.reset_and_mark_loops ty;
      Printtyp.mark_loops ty';
      fprintf ppf
        "@[In the definition of %s, type@ %a@ should be@ %a@]"
        (Path.name path) Printtyp.type_expr ty Printtyp.type_expr ty'
  | Unconsistent_constraint trace ->
      fprintf ppf "The type constraints are not consistent.@.";
      Printtyp.report_unification_error ppf trace
        (fun ppf -> fprintf ppf "Type")
        (fun ppf -> fprintf ppf "is not compatible with type")
  | Type_clash trace ->
      Printtyp.report_unification_error ppf trace
        (function ppf ->
           fprintf ppf "This type constructor expands to type")
        (function ppf ->
           fprintf ppf "but is here used with type")
  | Null_arity_external ->
      fprintf ppf "External identifiers must be functions"
  | Missing_native_external ->
      fprintf ppf "@[An external function with more than 5 arguments \
                   requires second stub function@ \
                   for native-code compilation@]"
  | Unbound_type_var (ty, decl) ->
      fprintf ppf "A type variable is unbound in this type declaration";
      let ty = Ctype.repr ty in
      let explain tl typ kwd lab =
        let ti = List.find (fun ti -> Ctype.deep_occur ty (typ ti)) tl in
        let ty0 = (* Hack to force aliasing when needed *)
          Btype.newgenty (Tobject(ty, ref None)) in
        Printtyp.reset_and_mark_loops_list [typ ti; ty0];
        fprintf ppf
          ".@.@[In %s@ %s%a@;<1 -2>the variable %a is unbound@]"
          kwd (lab ti) Printtyp.type_expr (typ ti) Printtyp.type_expr ty
      in
      begin try match decl.type_kind, decl.type_manifest with
        Type_variant (tl, _), _ ->
          explain tl (fun (_,tl) -> Btype.newgenty (Ttuple tl))
            "case" (fun (lab,_) -> lab ^ " of ")
      | Type_record (tl, _, _), _ ->
          explain tl (fun (_,_,t) -> t)
            "field" (fun (lab,_,_) -> lab ^ ": ")
      | Type_abstract, Some ty' ->
          let trivial ty =
            explain [ty] (fun t -> t) "definition" (fun _ -> "") in
          begin match (Ctype.repr ty').desc with
            Tobject(fi,_) ->
              let (tl, rv) = Ctype.flatten_fields fi in
              if rv == ty then trivial ty' else
              explain tl (fun (_,_,t) -> t)
                "method" (fun (lab,_,_) -> lab ^ ": ")
          | Tvariant row ->
              let row = Btype.row_repr row in
              if row.row_more == ty then trivial ty' else
              explain row.row_fields
                (fun (l,f) -> match Btype.row_field_repr f with
                  Rpresent (Some t) -> t
                | Reither (_,[t],_,_) -> t
                | Reither (_,tl,_,_) -> Btype.newgenty (Ttuple tl)
                | _ -> Btype.newgenty (Ttuple[]))
                "case" (fun (lab,_) -> "`" ^ lab ^ " of ")
          | _ -> trivial ty'
          end
      | _ -> ()
      with Not_found -> ()
      end
  | Unbound_exception lid ->
      fprintf ppf "Unbound exception constructor@ %a" Printtyp.longident lid
  | Not_an_exception lid ->
      fprintf ppf "The constructor@ %a@ is not an exception"
        Printtyp.longident lid
  | Bad_variance (n, v1, v2) ->
      let variance = function
          (true, true)  -> "invariant"
        | (true, false) -> "covariant"
        | (false,true)  -> "contravariant"
        | (false,false) -> "unrestricted"
      in
      if n < 1 then
        fprintf ppf "%s@ %s@ %s"
          "In this definition, a type variable"
          "has a variance that is not reflected"
          "by its occurence in type parameters."
      else
        fprintf ppf "%s@ %s@ %s %d%s %s %s,@ %s %s"
          "In this definition, expected parameter"
          "variances are not satisfied."
          "The" n (match n with 1 -> "st" | 2 -> "nd" | 3 -> "rd" | _ -> "th")
          "type parameter was expected to be" (variance v2)
          "but it is" (variance v1)
  | Unavailable_type_constructor p ->
      fprintf ppf "The definition of type %a@ is unavailable" Printtyp.path p
  | Bad_fixed_type r ->
      fprintf ppf "This fixed type %s" r
why-2.34/ml/typing/typeclass.mli0000644000175000017500000000626212311670312015257 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*         Jerome Vouillon, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: typeclass.mli,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

open Asttypes
open Types
open Typedtree
open Format

val class_declarations:
  Env.t -> Parsetree.class_declaration list ->
  (Ident.t * class_declaration *
   Ident.t * cltype_declaration *
   Ident.t * type_declaration *
   Ident.t * type_declaration *
   int * string list * class_expr) list * Env.t

val class_descriptions:
  Env.t -> Parsetree.class_description list ->
  (Ident.t * class_declaration *
   Ident.t * cltype_declaration *
   Ident.t * type_declaration *
   Ident.t * type_declaration *
   int * string list * class_type) list * Env.t

val class_type_declarations:
  Env.t -> Parsetree.class_description list ->
  (Ident.t * cltype_declaration *
   Ident.t * type_declaration *
   Ident.t * type_declaration) list * Env.t

val approx_class_declarations:
  Env.t -> Parsetree.class_description list ->
  (Ident.t * cltype_declaration *
   Ident.t * type_declaration *
   Ident.t * type_declaration) list

val virtual_methods: Types.class_signature -> label list

type error =
    Unconsistent_constraint of (type_expr * type_expr) list
  | Field_type_mismatch of string * string * (type_expr * type_expr) list
  | Structure_expected of class_type
  | Cannot_apply of class_type
  | Apply_wrong_label of label
  | Pattern_type_clash of type_expr
  | Repeated_parameter
  | Unbound_class of Longident.t
  | Unbound_class_2 of Longident.t
  | Unbound_class_type of Longident.t
  | Unbound_class_type_2 of Longident.t
  | Abbrev_type_clash of type_expr * type_expr * type_expr
  | Constructor_type_mismatch of string * (type_expr * type_expr) list
  | Virtual_class of bool * string list * string list
  | Parameter_arity_mismatch of Longident.t * int * int
  | Parameter_mismatch of (type_expr * type_expr) list
  | Bad_parameters of Ident.t * type_expr * type_expr
  | Class_match_failure of Ctype.class_match_failure list
  | Unbound_val of string
  | Unbound_type_var of (formatter -> unit) * Ctype.closed_class_failure
  | Make_nongen_seltype of type_expr
  | Non_generalizable_class of Ident.t * Types.class_declaration
  | Cannot_coerce_self of type_expr
  | Non_collapsable_conjunction of
      Ident.t * Types.class_declaration * (type_expr * type_expr) list
  | Final_self_clash of (type_expr * type_expr) list
  | Mutability_mismatch of string * mutable_flag

exception Error of Location.t * error

val report_error : formatter -> error -> unit
why-2.34/ml/typing/ident.mli0000644000175000017500000000426612311670312014355 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: ident.mli,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Identifiers (unique names) *)

type t

val create: string -> t
val create_persistent: string -> t
val create_predef_exn: string -> t
val rename: t -> t
val name: t -> string
val unique_name: t -> string
val unique_toplevel_name: t -> string
val persistent: t -> bool
val equal: t -> t -> bool
        (* Compare identifiers by name. *)      
val same: t -> t -> bool
        (* Compare identifiers by binding location.
           Two identifiers are the same either if they are both
           non-persistent and have been created by the same call to
           [new], or if they are both persistent and have the same
           name. *)
val hide: t -> t
        (* Return an identifier with same name as the given identifier,
           but stamp different from any stamp returned by new.
           When put in a 'a tbl, this identifier can only be looked
           up by name. *)

val make_global: t -> unit
val global: t -> bool
val is_predef_exn: t -> bool

val binding_time: t -> int
val current_time: unit -> int
val set_current_time: int -> unit
val reinit: unit -> unit

val print: Format.formatter -> t -> unit

type 'a tbl
        (* Association tables from identifiers to type 'a. *)

val empty: 'a tbl
val add: t -> 'a -> 'a tbl -> 'a tbl
val find_same: t -> 'a tbl -> 'a
val find_name: string -> 'a tbl -> 'a
val keys: 'a tbl -> t list
why-2.34/ml/typing/env.mli0000644000175000017500000001224612311670312014037 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: env.mli,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Environment handling *)

open Types

type t

val empty: t
val initial: t
val diff: t -> t -> Ident.t list

(* Lookup by paths *)

val find_value: Path.t -> t -> value_description
val find_type: Path.t -> t -> type_declaration
val find_module: Path.t -> t -> module_type
val find_modtype: Path.t -> t -> modtype_declaration
val find_class: Path.t -> t -> class_declaration
val find_cltype: Path.t -> t -> cltype_declaration

val find_type_expansion: Path.t -> t -> type_expr list * type_expr
val find_modtype_expansion: Path.t -> t -> Types.module_type

(* Lookup by long identifiers *)

val lookup_value: Longident.t -> t -> Path.t * value_description
val lookup_constructor: Longident.t -> t -> constructor_description
val lookup_label: Longident.t -> t -> label_description
val lookup_type: Longident.t -> t -> Path.t * type_declaration
val lookup_module: Longident.t -> t -> Path.t * module_type
val lookup_modtype: Longident.t -> t -> Path.t * modtype_declaration
val lookup_class: Longident.t -> t -> Path.t * class_declaration
val lookup_cltype: Longident.t -> t -> Path.t * cltype_declaration

(* Insertion by identifier *)

val add_value: Ident.t -> value_description -> t -> t
val add_type: Ident.t -> type_declaration -> t -> t
val add_exception: Ident.t -> exception_declaration -> t -> t
val add_module: Ident.t -> module_type -> t -> t
val add_modtype: Ident.t -> modtype_declaration -> t -> t
val add_class: Ident.t -> class_declaration -> t -> t
val add_cltype: Ident.t -> cltype_declaration -> t -> t

(* Insertion of all fields of a signature. *)

val add_item: signature_item -> t -> t
val add_signature: signature -> t -> t

(* Insertion of all fields of a signature, relative to the given path.
   Used to implement open. *)

val open_signature: Path.t -> signature -> t -> t
val open_pers_signature: string -> t -> t

(* Insertion by name *)

val enter_value: string -> value_description -> t -> Ident.t * t
val enter_type: string -> type_declaration -> t -> Ident.t * t
val enter_exception: string -> exception_declaration -> t -> Ident.t * t
val enter_module: string -> module_type -> t -> Ident.t * t
val enter_modtype: string -> modtype_declaration -> t -> Ident.t * t
val enter_class: string -> class_declaration -> t -> Ident.t * t
val enter_cltype: string -> cltype_declaration -> t -> Ident.t * t

(* Initialize the cache of in-core module interfaces. *)
val reset_cache: unit -> unit

(* Remember the name of the current compilation unit. *)
val set_unit_name: string -> unit

(* Read, save a signature to/from a file *)

val read_signature: string -> string -> signature
        (* Arguments: module name, file name. Results: signature. *)
val save_signature: signature -> string -> string -> unit
        (* Arguments: signature, module name, file name. *)
val save_signature_with_imports:
            signature -> string -> string -> (string * Digest.t) list -> unit
        (* Arguments: signature, module name, file name, 
           imported units with their CRCs. *)

(* Return the CRC of the interface of the given compilation unit *)

val crc_of_unit: string -> Digest.t

(* Return the set of compilation units imported, with their CRC *)

val imported_units: unit -> (string * Digest.t) list

(* Direct access to the table of imported compilation units with their CRC *)

val crc_units: Consistbl.t

(* Summaries -- compact representation of an environment, to be
   exported in debugging information. *)

type summary =
    Env_empty
  | Env_value of summary * Ident.t * value_description
  | Env_type of summary * Ident.t * type_declaration
  | Env_exception of summary * Ident.t * exception_declaration
  | Env_module of summary * Ident.t * module_type
  | Env_modtype of summary * Ident.t * modtype_declaration
  | Env_class of summary * Ident.t * class_declaration
  | Env_cltype of summary * Ident.t * cltype_declaration
  | Env_open of summary * Path.t

val summary: t -> summary

(* Error report *)

type error =
    Not_an_interface of string
  | Corrupted_interface of string
  | Illegal_renaming of string * string
  | Inconsistent_import of string * string * string
  | Need_recursive_types of string * string

exception Error of error

open Format

val report_error: formatter -> error -> unit

(* Forward declaration to break mutual recursion with Includemod. *)
val check_modtype_inclusion:
      (t -> module_type -> Path.t -> module_type -> unit) ref

why-2.34/ml/typing/typedecl.mli0000644000175000017500000000555112311670312015061 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: typedecl.mli,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* Typing of type definitions and primitive definitions *)

open Types
open Format

val transl_type_decl:
    Env.t -> (string * Parsetree.type_declaration) list ->
                                  (Ident.t * type_declaration) list * Env.t
val transl_exception:
    Env.t -> Parsetree.exception_declaration -> exception_declaration

val transl_exn_rebind:
    Env.t -> Location.t -> Longident.t -> Path.t * exception_declaration

val transl_value_decl:
    Env.t -> Parsetree.value_description -> value_description

val transl_with_constraint:
    Env.t -> Ident.t -> Path.t option ->
    Parsetree.type_declaration -> type_declaration

val abstract_type_decl: int -> type_declaration
val approx_type_decl:
    Env.t -> (string * Parsetree.type_declaration) list ->
                                  (Ident.t * type_declaration) list
val check_recmod_typedecl:
    Env.t -> Location.t -> Ident.t list -> Path.t -> type_declaration -> unit

(* for typeclass.ml *)
val compute_variance_decls:
    Env.t ->
    (Ident.t * type_declaration * type_declaration * class_declaration *
       cltype_declaration * ((bool * bool) list * Location.t)) list ->
    (type_declaration * type_declaration * class_declaration *
       cltype_declaration) list
    
type error =
    Repeated_parameter
  | Duplicate_constructor of string
  | Too_many_constructors
  | Duplicate_label of string
  | Recursive_abbrev of string
  | Definition_mismatch of type_expr
  | Constraint_failed of type_expr * type_expr
  | Unconsistent_constraint of (type_expr * type_expr) list
  | Type_clash of (type_expr * type_expr) list
  | Parameters_differ of Path.t * type_expr * type_expr
  | Null_arity_external
  | Missing_native_external
  | Unbound_type_var of type_expr * type_declaration
  | Unbound_exception of Longident.t
  | Not_an_exception of Longident.t
  | Bad_variance of int * (bool*bool) * (bool*bool)
  | Unavailable_type_constructor of Path.t
  | Bad_fixed_type of string

exception Error of Location.t * error

val report_error: formatter -> error -> unit
why-2.34/ml/typing/typedtree.ml0000644000175000017500000002160012311670312015075 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: typedtree.ml,v 1.10 2007-12-20 17:10:01 bardou Exp $ *)

(* Abstract syntax tree after typing *)

open Misc
open Asttypes
open Types

(* Value expressions for the core language *)

type pattern =
  { pat_desc: pattern_desc;
    pat_loc: Location.t;
    pat_type: type_expr;
    pat_env: Env.t }

and pattern_desc =
    Tpat_any
  | Tpat_var of Ident.t
  | Tpat_alias of pattern * Ident.t
  | Tpat_constant of constant
  | Tpat_tuple of pattern list
  | Tpat_construct of constructor_description * pattern list
  | Tpat_variant of label * pattern option * row_desc
  | Tpat_record of (label_description * pattern) list
  | Tpat_array of pattern list
  | Tpat_or of pattern * pattern * Path.t option

type partial = Partial | Total
type optional = Required | Optional

type expression =
  { exp_desc: expression_desc;
    exp_loc: Location.t;
    exp_type: type_expr;
    exp_env: Env.t }

and expression_desc =
    Texp_ident of Path.t * value_description
  | Texp_constant of constant
  | Texp_let of rec_flag * (pattern * expression) list * expression
  | Texp_function of (pattern * expression) list * partial
  | Texp_apply of expression * (expression option * optional) list
  | Texp_match of expression * (pattern * expression) list * partial
  | Texp_try of expression * (pattern * expression) list
  | Texp_tuple of expression list
  | Texp_construct of constructor_description * expression list
  | Texp_variant of label * expression option
  | Texp_record of (label_description * expression) list * expression option
  | Texp_field of expression * label_description
  | Texp_setfield of expression * label_description * expression
  | Texp_array of expression list
  | Texp_ifthenelse of expression * expression * expression option
  | Texp_sequence of expression * expression
  | Texp_while of expression * while_spec * expression
  | Texp_for of
      Ident.t * expression * expression * direction_flag * expression
  | Texp_when of expression * expression
  | Texp_send of expression * meth
  | Texp_new of Path.t * class_declaration
  | Texp_instvar of Path.t * Path.t
  | Texp_setinstvar of Path.t * Path.t * expression
  | Texp_override of Path.t * (Path.t * expression) list
  | Texp_letmodule of Ident.t * module_expr * expression
  | Texp_assert of expression
  | Texp_assertfalse
  | Texp_lazy of expression
  | Texp_object of class_structure * class_signature * string list
  | Texp_result
  | Texp_old of expression
  | Texp_implies of expression * expression

and while_spec = {
  ws_invariant: expression option;
  ws_variant: expression option;
}

and meth =
    Tmeth_name of string
  | Tmeth_val of Ident.t

(* Value expressions for the class language *)

and class_expr =
  { cl_desc: class_expr_desc;
    cl_loc: Location.t;
    cl_type: class_type;
    cl_env: Env.t }

and class_expr_desc =
    Tclass_ident of Path.t
  | Tclass_structure of class_structure
  | Tclass_fun of pattern * (Ident.t * expression) list * class_expr * partial
  | Tclass_apply of class_expr * (expression option * optional) list
  | Tclass_let of rec_flag *  (pattern * expression) list *
                  (Ident.t * expression) list * class_expr
  | Tclass_constraint of class_expr * string list * string list * Concr.t

and class_structure =
  { cl_field: class_field list;
    cl_meths: Ident.t Meths.t }

and class_field =
    Cf_inher of class_expr * (string * Ident.t) list * (string * Ident.t) list
  | Cf_val of string * Ident.t * expression option * bool
  | Cf_meth of string * expression
  | Cf_let of rec_flag * (pattern * expression) list *
              (Ident.t * expression) list
  | Cf_init of expression

(* Value expressions for the module language *)

and module_expr =
  { mod_desc: module_expr_desc;
    mod_loc: Location.t;
    mod_type: module_type;
    mod_env: Env.t }

and module_expr_desc =
    Tmod_ident of Path.t
  | Tmod_structure of structure
  | Tmod_functor of Ident.t * module_type * module_expr
  | Tmod_apply of module_expr * module_expr * module_coercion
  | Tmod_constraint of module_expr * module_type * module_coercion

and structure = structure_item list

and structure_item =
    Tstr_eval of expression
  | Tstr_value of rec_flag * (pattern * expression) list
  | Tstr_primitive of Ident.t * value_description
  | Tstr_type of (Ident.t * type_declaration) list
  | Tstr_exception of Ident.t * exception_declaration
  | Tstr_exn_rebind of Ident.t * Path.t
  | Tstr_module of Ident.t * module_expr
  | Tstr_recmodule of (Ident.t * module_expr) list
  | Tstr_modtype of Ident.t * module_type
  | Tstr_open of Path.t
  | Tstr_class of
      (Ident.t * int * string list * class_expr * virtual_flag) list
  | Tstr_cltype of (Ident.t * cltype_declaration) list
  | Tstr_include of module_expr * Ident.t list
  | Tstr_function_spec of function_spec
  | Tstr_type_spec of type_spec
  | Tstr_logic_function_spec of logic_function_spec
  | Tstr_logic_type_spec of Ident.t * Types.type_declaration
  | Tstr_axiom_spec of axiom_spec

and behavior = {
  b_name: string;
  b_ensures: expression;
}

and function_spec = {
  fs_function: Path.t;
  fs_arguments: Ident.t list;
  fs_requires: expression option;
  fs_behaviors: behavior list;
}

and type_invariant = {
  ti_name: Ident.t;
  ti_argument: pattern;
  ti_body: expression;
}

and type_spec = {
  ts_type: Path.t;
  ts_invariants: type_invariant list;
}

and read_location =
  | RLvar of Path.t
  | RLderef of read_location * label_description

and optional_body =
  | OBreads of read_location list
  | OBbody of expression

and logic_function_spec = {
  lfs_name: Ident.t;
  lfs_arguments: pattern list;
  lfs_return_type: type_expr;
  lfs_body: optional_body;
  lfs_predicate: bool;
}

and axiom_spec = {
  as_name: string;
  as_arguments: pattern list;
  as_body: expression;
}

and module_coercion =
    Tcoerce_none
  | Tcoerce_structure of (int * module_coercion) list
  | Tcoerce_functor of module_coercion * module_coercion
  | Tcoerce_primitive of Primitive.description

(* Auxiliary functions over the a.s.t. *)

let iter_pattern_desc f = function
  | Tpat_alias(p, id) -> f p
  | Tpat_tuple patl -> List.iter f patl
  | Tpat_construct(cstr, patl) -> List.iter f patl
  | Tpat_variant(_, pat, _) -> may f pat
  | Tpat_record lbl_pat_list ->
      List.iter (fun (lbl, pat) -> f pat) lbl_pat_list
  | Tpat_array patl -> List.iter f patl
  | Tpat_or(p1, p2, _) -> f p1; f p2
  | Tpat_any
  | Tpat_var _
  | Tpat_constant _ -> ()

let map_pattern_desc f d =
  match d with
  | Tpat_alias (p1, id) ->
      Tpat_alias (f p1, id)
  | Tpat_tuple pats ->
      Tpat_tuple (List.map f pats)
  | Tpat_record lpats ->
      Tpat_record (List.map (fun (l,p) -> l, f p) lpats)
  | Tpat_construct (c,pats) ->
      Tpat_construct (c, List.map f pats)
  | Tpat_array pats ->
      Tpat_array (List.map f pats)
  | Tpat_variant (x1, Some p1, x2) ->
      Tpat_variant (x1, Some (f p1), x2)
  | Tpat_or (p1,p2,path) ->
      Tpat_or (f p1, f p2, path)
  | Tpat_var _
  | Tpat_constant _
  | Tpat_any
  | Tpat_variant (_,None,_) -> d

(* List the identifiers bound by a pattern or a let *)

let idents = ref([]: Ident.t list)

let rec bound_idents pat =
  match pat.pat_desc with
  | Tpat_var id -> idents := id :: !idents
  | Tpat_alias(p, id) -> bound_idents p; idents := id :: !idents
  | Tpat_or(p1, _, _) ->
      (* Invariant : both arguments binds the same variables *)
      bound_idents p1
  | d -> iter_pattern_desc bound_idents d

let pat_bound_idents pat =
  idents := []; bound_idents pat; let res = !idents in idents := []; res

let rev_let_bound_idents pat_expr_list =
  idents := [];
  List.iter (fun (pat, expr) -> bound_idents pat) pat_expr_list;
  let res = !idents in idents := []; res

let let_bound_idents pat_expr_list =
  List.rev(rev_let_bound_idents pat_expr_list)

let alpha_var env id = List.assoc id env

let rec alpha_pat env p = match p.pat_desc with
| Tpat_var id -> (* note the ``Not_found'' case *)
    {p with pat_desc =
     try Tpat_var (alpha_var env id) with
     | Not_found -> Tpat_any}
| Tpat_alias (p1, id) ->
    let new_p =  alpha_pat env p1 in
    begin try
      {p with pat_desc = Tpat_alias (new_p, alpha_var env id)}
    with
    | Not_found -> new_p
    end
| d ->
    {p with pat_desc = map_pattern_desc (alpha_pat env) d}
why-2.34/ml/typing/includecore.mli0000644000175000017500000000250112311670312015534 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: includecore.mli,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Inclusion checks for the core language *)

open Types
open Typedtree

exception Dont_match

val value_descriptions:
        Env.t -> value_description -> value_description -> module_coercion
val type_declarations:
        Env.t -> Ident.t -> type_declaration -> type_declaration -> bool
val exception_declarations:
        Env.t -> exception_declaration -> exception_declaration -> bool
(*
val class_types:
        Env.t -> class_type -> class_type -> bool
*)
why-2.34/ml/typing/includeclass.mli0000644000175000017500000000253312311670312015716 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*          Jerome Vouillon, projet Cristal, INRIA Rocquencourt        *)
(*                                                                     *)
(*  Copyright 1997 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: includeclass.mli,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Inclusion checks for the class language *)

open Types
open Typedtree
open Ctype
open Format

val class_types:
        Env.t -> class_type -> class_type -> class_match_failure list
val class_type_declarations:
        Env.t -> cltype_declaration -> cltype_declaration ->
        class_match_failure list
val class_declarations:
        Env.t -> class_declaration -> class_declaration ->
        class_match_failure list

val report_error: formatter -> class_match_failure list -> unit
why-2.34/ml/typing/includeclass.ml0000644000175000017500000001011312311670312015536 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*          Jerome Vouillon, projet Cristal, INRIA Rocquencourt        *)
(*                                                                     *)
(*  Copyright 1997 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: includeclass.ml,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Inclusion checks for the class language *)

open Types

let class_types env cty1 cty2 =
  Ctype.match_class_types env cty1 cty2

let class_type_declarations env cty1 cty2 =
  Ctype.match_class_declarations env
    cty1.clty_params cty1.clty_type
    cty2.clty_params cty2.clty_type

let class_declarations env cty1 cty2 =
  match cty1.cty_new, cty2.cty_new with
    None, Some _ ->
      [Ctype.CM_Virtual_class]
  | _ ->
      Ctype.match_class_declarations env
        cty1.cty_params cty1.cty_type
        cty2.cty_params cty2.cty_type

open Format
open Ctype

let include_err ppf =
  function
  | CM_Virtual_class ->
      fprintf ppf "A class cannot be changed from virtual to concrete"
  | CM_Parameter_arity_mismatch (ls, lp) ->
      fprintf ppf
        "The classes do not have the same number of type parameters"     
  | CM_Type_parameter_mismatch trace ->
      fprintf ppf "@[%a@]"
      (Printtyp.unification_error false trace
        (function ppf ->
          fprintf ppf "One type parameter has type"))
        (function ppf ->
          fprintf ppf "but is expected to have type")
  | CM_Class_type_mismatch (cty1, cty2) ->
      fprintf ppf
       "@[The class type@;<1 2>%a@ is not matched by the class type@;<1 2>%a@]"
       Printtyp.class_type cty1 Printtyp.class_type cty2
  | CM_Parameter_mismatch trace ->
      fprintf ppf "@[%a@]"
      (Printtyp.unification_error false trace
        (function ppf ->
          fprintf ppf "One parameter has type"))
        (function ppf ->
          fprintf ppf "but is expected to have type")
  | CM_Val_type_mismatch (lab, trace) ->
      fprintf ppf "@[%a@]"
      (Printtyp.unification_error false trace
        (function ppf ->
          fprintf ppf "The instance variable %s@ has type" lab))
        (function ppf ->
          fprintf ppf "but is expected to have type")
  | CM_Meth_type_mismatch (lab, trace) ->
      fprintf ppf "@[%a@]"
      (Printtyp.unification_error false trace
        (function ppf ->
          fprintf ppf "The method %s@ has type" lab))
        (function ppf ->
          fprintf ppf "but is expected to have type")
  | CM_Non_mutable_value lab ->
      fprintf ppf
       "@[The non-mutable instance variable %s cannot become mutable@]" lab
  | CM_Non_concrete_value lab ->
      fprintf ppf
       "@[The virtual instance variable %s cannot become concrete@]" lab
  | CM_Missing_value lab ->
      fprintf ppf "@[The first class type has no instance variable %s@]" lab
  | CM_Missing_method lab ->
      fprintf ppf "@[The first class type has no method %s@]" lab
  | CM_Hide_public lab ->
     fprintf ppf "@[The public method %s cannot be hidden@]" lab
  | CM_Hide_virtual (k, lab) ->
      fprintf ppf "@[The virtual %s %s cannot be hidden@]" k lab
  | CM_Public_method lab ->
      fprintf ppf "@[The public method %s cannot become private" lab
  | CM_Virtual_method lab ->
      fprintf ppf "@[The virtual method %s  cannot become concrete" lab
  | CM_Private_method lab ->
      fprintf ppf "The private method %s cannot become public" lab

let report_error ppf = function
  |  [] -> ()
  | err :: errs ->
      let print_errs ppf errs =
         List.iter (fun err -> fprintf ppf "@ %a" include_err err) errs in
      fprintf ppf "@[%a%a@]" include_err err print_errs errs



why-2.34/ml/typing/mtype.ml0000644000175000017500000001631312311670312014233 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: mtype.ml,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Operations on module types *)

open Path
open Types


let rec scrape env mty =
  match mty with
    Tmty_ident p ->
      begin try
        scrape env (Env.find_modtype_expansion p env)
      with Not_found ->
        mty
      end
  | _ -> mty

let freshen mty =
  Subst.modtype Subst.identity mty

let rec strengthen env mty p =
  match scrape env mty with
    Tmty_signature sg ->
      Tmty_signature(strengthen_sig env sg p)
  | Tmty_functor(param, arg, res) ->
      Tmty_functor(param, arg, strengthen env res (Papply(p, Pident param)))
  | mty ->
      mty

and strengthen_sig env sg p =
  match sg with
    [] -> []
  | (Tsig_value(id, desc) as sigelt) :: rem ->
      sigelt :: strengthen_sig env rem p
  | Tsig_type(id, decl, rs) :: rem ->
      let newdecl =
        match decl.type_manifest with
          Some ty when not (Btype.has_constr_row ty) -> decl
        | _ ->
            { decl with type_manifest =
                Some(Btype.newgenty(Tconstr(Pdot(p, Ident.name id, nopos),
                                            decl.type_params, ref Mnil))) }
      in
      Tsig_type(id, newdecl, rs) :: strengthen_sig env rem p
  | (Tsig_exception(id, d) as sigelt) :: rem ->
      sigelt :: strengthen_sig env rem p
  | Tsig_module(id, mty, rs) :: rem ->
      Tsig_module(id, strengthen env mty (Pdot(p, Ident.name id, nopos)), rs)
      :: strengthen_sig (Env.add_module id mty env) rem p
      (* Need to add the module in case it defines manifest module types *)
  | Tsig_modtype(id, decl) :: rem ->
      let newdecl =
        match decl with
          Tmodtype_abstract ->
            Tmodtype_manifest(Tmty_ident(Pdot(p, Ident.name id, nopos)))
        | Tmodtype_manifest _ ->
            decl in
      Tsig_modtype(id, newdecl) ::
      strengthen_sig (Env.add_modtype id decl env) rem p
      (* Need to add the module type in case it is manifest *)
  | (Tsig_class(id, decl, rs) as sigelt) :: rem ->
      sigelt :: strengthen_sig env rem p
  | (Tsig_cltype(id, decl, rs) as sigelt) :: rem ->
      sigelt :: strengthen_sig env rem p

(* In nondep_supertype, env is only used for the type it assigns to id.
   Hence there is no need to keep env up-to-date by adding the bindings
   traversed. *)

type variance = Co | Contra | Strict

let nondep_supertype env mid mty =

  let rec nondep_mty va mty =
    match mty with
      Tmty_ident p ->
        if Path.isfree mid p then
          nondep_mty va (Env.find_modtype_expansion p env)
        else mty
    | Tmty_signature sg ->
        Tmty_signature(nondep_sig va sg)
    | Tmty_functor(param, arg, res) ->
        let var_inv =
          match va with Co -> Contra | Contra -> Co | Strict -> Strict in
        Tmty_functor(param, nondep_mty var_inv arg, nondep_mty va res)

  and nondep_sig va = function
    [] -> []
  | item :: rem ->
      let rem' = nondep_sig va rem in
      match item with
        Tsig_value(id, d) ->
          Tsig_value(id, {val_type = Ctype.nondep_type env mid d.val_type;
                          val_kind = d.val_kind}) :: rem'
      | Tsig_type(id, d, rs) ->
          Tsig_type(id, Ctype.nondep_type_decl env mid id (va = Co) d, rs)
          :: rem'
      | Tsig_exception(id, d) ->
          Tsig_exception(id, List.map (Ctype.nondep_type env mid) d) :: rem'
      | Tsig_module(id, mty, rs) ->
          Tsig_module(id, nondep_mty va mty, rs) :: rem'
      | Tsig_modtype(id, d) ->
          begin try
            Tsig_modtype(id, nondep_modtype_decl d) :: rem'
          with Not_found ->
            match va with
              Co -> Tsig_modtype(id, Tmodtype_abstract) :: rem'
            | _  -> raise Not_found
          end
      | Tsig_class(id, d, rs) ->
          Tsig_class(id, Ctype.nondep_class_declaration env mid d, rs)
          :: rem'
      | Tsig_cltype(id, d, rs) ->
          Tsig_cltype(id, Ctype.nondep_cltype_declaration env mid d, rs)
          :: rem'

  and nondep_modtype_decl = function
      Tmodtype_abstract -> Tmodtype_abstract
    | Tmodtype_manifest mty -> Tmodtype_manifest(nondep_mty Strict mty)

  in
    nondep_mty Co mty

let enrich_typedecl env p decl =
  match decl.type_manifest with
    Some ty -> decl
  | None ->
      try
        let orig_decl = Env.find_type p env in
        if orig_decl.type_arity <> decl.type_arity 
        then decl
        else {decl with type_manifest =
                Some(Btype.newgenty(Tconstr(p, decl.type_params, ref Mnil)))}
      with Not_found ->
        decl

let rec enrich_modtype env p mty =
  match mty with
    Tmty_signature sg ->
      Tmty_signature(List.map (enrich_item env p) sg)
  | _ ->
      mty

and enrich_item env p = function
    Tsig_type(id, decl, rs) ->
      Tsig_type(id,
                enrich_typedecl env (Pdot(p, Ident.name id, nopos)) decl, rs)
  | Tsig_module(id, mty, rs) ->
      Tsig_module(id,
                  enrich_modtype env (Pdot(p, Ident.name id, nopos)) mty, rs)
  | item -> item

let rec type_paths env p mty =
  match scrape env mty with
    Tmty_ident p -> []
  | Tmty_signature sg -> type_paths_sig env p 0 sg
  | Tmty_functor(param, arg, res) -> []

and type_paths_sig env p pos sg =
  match sg with
    [] -> []
  | Tsig_value(id, decl) :: rem ->
      let pos' = match decl.val_kind with Val_prim _ -> pos | _ -> pos + 1 in
      type_paths_sig env p pos' rem
  | Tsig_type(id, decl, _) :: rem ->
      Pdot(p, Ident.name id, nopos) :: type_paths_sig env p pos rem
  | Tsig_module(id, mty, _) :: rem ->
      type_paths env (Pdot(p, Ident.name id, pos)) mty @
      type_paths_sig (Env.add_module id mty env) p (pos+1) rem
  | Tsig_modtype(id, decl) :: rem ->
      type_paths_sig (Env.add_modtype id decl env) p pos rem
  | (Tsig_exception _ | Tsig_class _) :: rem ->
      type_paths_sig env p (pos+1) rem
  | (Tsig_cltype _) :: rem ->
      type_paths_sig env p pos rem

let rec no_code_needed env mty =
  match scrape env mty with
    Tmty_ident p -> false
  | Tmty_signature sg -> no_code_needed_sig env sg
  | Tmty_functor(_, _, _) -> false  

and no_code_needed_sig env sg =
  match sg with
    [] -> true
  | Tsig_value(id, decl) :: rem ->
      begin match decl.val_kind with
      | Val_prim _ -> no_code_needed_sig env rem
      | _ -> false
      end
  | Tsig_module(id, mty, _) :: rem ->
      no_code_needed env mty &&
      no_code_needed_sig (Env.add_module id mty env) rem
  | (Tsig_type _ | Tsig_modtype _ | Tsig_cltype _) :: rem ->
      no_code_needed_sig env rem
  | (Tsig_exception _ | Tsig_class _) :: rem ->
      false
why-2.34/ml/typing/datarepr.ml0000644000175000017500000000713212311670312014676 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: datarepr.ml,v 1.3 2007-12-13 16:42:57 bardou Exp $ *)

(* Compute constructor and label descriptions from type declarations,
   determining their representation. *)

open Misc
open Asttypes
open Types

let constructor_descrs ty_res cstrs priv =
  let num_consts = ref 0 and num_nonconsts = ref 0 in
  List.iter
    (function (name, []) -> incr num_consts
            | (name, _)  -> incr num_nonconsts)
    cstrs;
  let rec describe_constructors idx_const idx_nonconst = function
      [] -> []
    | (name, ty_args) :: rem ->
        let (tag, descr_rem) =
          match ty_args with
            [] -> (Cstr_constant idx_const,
                   describe_constructors (idx_const+1) idx_nonconst rem)
          | _  -> (Cstr_block idx_nonconst,
                   describe_constructors idx_const (idx_nonconst+1) rem) in
        let cstr =
          { cstr_res = ty_res;
            cstr_args = ty_args;
            cstr_arity = List.length ty_args;
            cstr_tag = tag;
            cstr_consts = !num_consts;
            cstr_nonconsts = !num_nonconsts;
            cstr_private = priv;
	    cstr_name = name } in
        (name, cstr) :: descr_rem in
  describe_constructors 0 0 cstrs

let exception_descr path_exc decl =
  { cstr_res = Predef.type_exn;
    cstr_args = decl;
    cstr_arity = List.length decl;
    cstr_tag = Cstr_exception path_exc;
    cstr_consts = -1;
    cstr_nonconsts = -1;
    cstr_private = Public;
    cstr_name = Path.name path_exc }

let none = {desc = Ttuple []; level = -1; id = -1}
                                        (* Clearly ill-formed type *)
let dummy_label =
  { lbl_res = none; lbl_arg = none; lbl_mut = Immutable;
    lbl_pos = (-1); lbl_all = [||]; lbl_repres = Record_regular;
    lbl_private = Public; lbl_name = "" }

let label_descrs ty_res lbls repres priv =
  let all_labels = Array.create (List.length lbls) dummy_label in
  let rec describe_labels num = function
      [] -> []
    | (name, mut_flag, ty_arg) :: rest ->
        let lbl =
          { lbl_res = ty_res;
            lbl_arg = ty_arg;
            lbl_mut = mut_flag;
            lbl_pos = num;
            lbl_all = all_labels;
            lbl_repres = repres;
            lbl_private = priv;
	    lbl_name = name } in
        all_labels.(num) <- lbl;
        (name, lbl) :: describe_labels (num+1) rest in
  describe_labels 0 lbls

exception Constr_not_found

let rec find_constr tag num_const num_nonconst = function
    [] ->
      raise Constr_not_found
  | (name, [] as cstr) :: rem ->
      if tag = Cstr_constant num_const
      then cstr
      else find_constr tag (num_const + 1) num_nonconst rem
  | (name, _ as cstr) :: rem ->
      if tag = Cstr_block num_nonconst
      then cstr
      else find_constr tag num_const (num_nonconst + 1) rem

let find_constr_by_tag tag cstrlist =
  find_constr tag 0 0 cstrlist
why-2.34/ml/typing/primitive.ml0000644000175000017500000000513612311670312015106 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: primitive.ml,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Description of primitive functions *)

open Misc

type description =
  { prim_name: string;         (* Name of primitive  or C function *)
    prim_arity: int;           (* Number of arguments *)
    prim_alloc: bool;          (* Does it allocates or raise? *)
    prim_native_name: string;  (* Name of C function for the nat. code gen. *)
    prim_native_float: bool }  (* Does the above operate on unboxed floats? *)

let parse_declaration arity decl =
  match decl with
  | name :: "noalloc" :: name2 :: "float" :: _ ->
      {prim_name = name; prim_arity = arity; prim_alloc = false;
       prim_native_name = name2; prim_native_float = true}
  | name :: "noalloc" :: name2 :: _ ->
      {prim_name = name; prim_arity = arity; prim_alloc = false;
       prim_native_name = name2; prim_native_float = false}
  | name :: name2 :: "float" :: _ ->
      {prim_name = name; prim_arity = arity; prim_alloc = true;
       prim_native_name = name2; prim_native_float = true}
  | name :: "noalloc" :: _ ->
      {prim_name = name; prim_arity = arity; prim_alloc = false;
       prim_native_name = ""; prim_native_float = false}
  | name :: name2 :: _ ->
      {prim_name = name; prim_arity = arity; prim_alloc = true;
       prim_native_name = name2; prim_native_float = false}
  | name :: _ ->
      {prim_name = name; prim_arity = arity; prim_alloc = true;
       prim_native_name = ""; prim_native_float = false}
  | [] ->
      fatal_error "Primitive.parse_declaration"

let description_list p =
  let list = [p.prim_name] in
  let list = if not p.prim_alloc then "noalloc" :: list else list in
  let list =
    if p.prim_native_name <> "" then p.prim_native_name :: list else list
  in
  let list = if p.prim_native_float then "float" :: list else list in
  List.rev list
why-2.34/ml/typing/stypes.ml0000644000175000017500000000740612311670312014427 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*          Damien Doligez, projet Moscova, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 2003 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: stypes.ml,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* Recording and dumping (partial) type information *)

(*
  We record all types in a list as they are created.
  This means we can dump type information even if type inference fails,
  which is extremely important, since type information is most
  interesting in case of errors.
*)

open Format;;
open Lexing;;
open Location;;
open Typedtree;;

type type_info =
    Ti_pat   of pattern
  | Ti_expr  of expression
  | Ti_class of class_expr
  | Ti_mod   of module_expr
;;

let get_location ti =
  match ti with
    Ti_pat p   -> p.pat_loc
  | Ti_expr e  -> e.exp_loc
  | Ti_class c -> c.cl_loc
  | Ti_mod m   -> m.mod_loc
;;

let type_info = ref ([] : type_info list);;
let phrases = ref ([] : Location.t list);;

let record ti =
  if !Clflags.save_types && not (get_location ti).Location.loc_ghost then
    type_info := ti :: !type_info
;;

let record_phrase loc =
  if !Clflags.save_types then phrases := loc :: !phrases;
;;

(* comparison order:
   the intervals are sorted by order of increasing upper bound
   same upper bound -> sorted by decreasing lower bound
*)
let cmp_loc_inner_first loc1 loc2 =
  match compare loc1.loc_end.pos_cnum loc2.loc_end.pos_cnum with
  | 0 -> compare loc2.loc_start.pos_cnum loc1.loc_start.pos_cnum
  | x -> x
;;
let cmp_ti_inner_first ti1 ti2 =
  cmp_loc_inner_first (get_location ti1) (get_location ti2)
;;

let print_position pp pos =
  fprintf pp "%S %d %d %d" pos.pos_fname pos.pos_lnum pos.pos_bol pos.pos_cnum;
;;

let sort_filter_phrases () =
  let ph = List.sort (fun x y -> cmp_loc_inner_first y x) !phrases in
  let rec loop accu cur l =
    match l with
    | [] -> accu
    | loc :: t ->
       if cur.loc_start.pos_cnum <= loc.loc_start.pos_cnum
          && cur.loc_end.pos_cnum >= loc.loc_end.pos_cnum
       then loop accu cur t
       else loop (loc :: accu) loc t
  in
  phrases := loop [] Location.none ph;
;;

let rec printtyp_reset_maybe loc =
  match !phrases with
  | cur :: t when cur.loc_start.pos_cnum <= loc.loc_start.pos_cnum ->
     Printtyp.reset ();
     phrases := t;
     printtyp_reset_maybe loc;
  | _ -> ()
;;


(* The format of the annotation file is documented in emacs/caml-types.el. *)

let print_info pp ti =
  match ti with
  | Ti_class _ | Ti_mod _ -> ()
  | Ti_pat  {pat_loc = loc; pat_type = typ}
  | Ti_expr {exp_loc = loc; exp_type = typ} ->
      print_position pp loc.loc_start;
      fprintf pp " ";
      print_position pp loc.loc_end;
      fprintf pp "@.type(@.  ";
      printtyp_reset_maybe loc;
      Printtyp.mark_loops typ;
      Printtyp.type_sch pp typ;
      fprintf pp "@.)@.";
;;

let get_info () =
  let info = List.fast_sort cmp_ti_inner_first !type_info in
  type_info := [];
  info
;;

let dump filename =
  if !Clflags.save_types then begin
    let info = get_info () in
    let pp = formatter_of_out_channel (open_out filename) in
    sort_filter_phrases ();
    List.iter (print_info pp) info;
    phrases := [];
  end else begin
    type_info := [];
  end;
;;
why-2.34/ml/typing/includemod.mli0000644000175000017500000000406512311670312015372 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: includemod.mli,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Inclusion checks for the module language *)

open Types
open Typedtree
open Format

val modtypes: Env.t -> module_type -> module_type -> module_coercion
val signatures: Env.t -> signature -> signature -> module_coercion
val compunit: string -> signature -> string -> signature -> module_coercion
val type_declarations:
      Env.t -> Ident.t -> type_declaration -> type_declaration -> unit

type error =
    Missing_field of Ident.t
  | Value_descriptions of Ident.t * value_description * value_description
  | Type_declarations of Ident.t * type_declaration * type_declaration
  | Exception_declarations of
      Ident.t * exception_declaration * exception_declaration
  | Module_types of module_type * module_type
  | Modtype_infos of Ident.t * modtype_declaration * modtype_declaration
  | Modtype_permutation
  | Interface_mismatch of string * string
  | Class_type_declarations of
      Ident.t * cltype_declaration * cltype_declaration *
      Ctype.class_match_failure list
  | Class_declarations of
      Ident.t * class_declaration * class_declaration *
      Ctype.class_match_failure list
  | Unbound_modtype_path of Path.t

exception Error of error list

val report_error: formatter -> error list -> unit
why-2.34/ml/typing/btype.ml0000644000175000017500000003637712311670312014234 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(* Xavier Leroy and Jerome Vouillon, projet Cristal, INRIA Rocquencourt*)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: btype.ml,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Basic operations on core types *)

open Types

(**** Type level management ****)

let generic_level = 100000000

(* Used to mark a type during a traversal. *)
let lowest_level = 0
let pivot_level = 2 * lowest_level - 1
    (* pivot_level - lowest_level < lowest_level *)

(**** Some type creators ****)

let new_id = ref (-1)

let newty2 level desc  =
  incr new_id; { desc = desc; level = level; id = !new_id }
let newgenty desc      = newty2 generic_level desc
let newgenvar ()       = newgenty Tvar
(*
let newmarkedvar level =
  incr new_id; { desc = Tvar; level = pivot_level - level; id = !new_id }
let newmarkedgenvar () =
  incr new_id;
  { desc = Tvar; level = pivot_level - generic_level; id = !new_id }
*)

(**** Representative of a type ****)

let rec field_kind_repr =
  function
    Fvar {contents = Some kind} -> field_kind_repr kind
  | kind                        -> kind

let rec repr =
  function
    {desc = Tlink t'} ->
      (* 
         We do no path compression. Path compression does not seem to
         improve notably efficiency, and it prevents from changing a
         [Tlink] into another type (for instance, for undoing a
         unification).
      *)
      repr t'
  | {desc = Tfield (_, k, _, t')} when field_kind_repr k = Fabsent ->
      repr t'
  | t -> t

let rec commu_repr = function
    Clink r when !r <> Cunknown -> commu_repr !r
  | c -> c

let rec row_field_repr_aux tl = function
    Reither(_, tl', _, {contents = Some fi}) ->
      row_field_repr_aux (tl@tl') fi
  | Reither(c, tl', m, r) ->
      Reither(c, tl@tl', m, r)
  | Rpresent (Some _) when tl <> [] ->
      Rpresent (Some (List.hd tl))
  | fi -> fi

let row_field_repr fi = row_field_repr_aux [] fi

let rec rev_concat l ll =
  match ll with
    [] -> l
  | l'::ll -> rev_concat (l'@l) ll

let rec row_repr_aux ll row =
  match (repr row.row_more).desc with
  | Tvariant row' ->
      let f = row.row_fields in
      row_repr_aux (if f = [] then ll else f::ll) row'
  | _ ->
      if ll = [] then row else
      {row with row_fields = rev_concat row.row_fields ll}

let row_repr row = row_repr_aux [] row

let rec row_field tag row =
  let rec find = function
    | (tag',f) :: fields ->
	if tag = tag' then row_field_repr f else find fields
    | [] ->
	match repr row.row_more with
	| {desc=Tvariant row'} -> row_field tag row'
	| _ -> Rabsent
  in find row.row_fields

let rec row_more row =
  match repr row.row_more with
  | {desc=Tvariant row'} -> row_more row'
  | ty -> ty

let static_row row =
  let row = row_repr row in
  row.row_closed &&
  List.for_all
    (fun (_,f) -> match row_field_repr f with Reither _ -> false | _ -> true)
    row.row_fields

let hash_variant s =
  let accu = ref 0 in
  for i = 0 to String.length s - 1 do
    accu := 223 * !accu + Char.code s.[i]
  done;
  (* reduce to 31 bits *)
  accu := !accu land (1 lsl 31 - 1);
  (* make it signed for 64 bits architectures *)
  if !accu > 0x3FFFFFFF then !accu - (1 lsl 31) else !accu

let proxy ty =
  let ty0 = repr ty in
  match ty0.desc with
  | Tvariant row when not (static_row row) ->
      row_more row
  | Tobject (ty, _) ->
      let rec proxy_obj ty =
        match ty.desc with
          Tfield (_, _, _, ty) | Tlink ty -> proxy_obj ty
        | Tvar | Tunivar | Tconstr _ -> ty
        | Tnil -> ty0
        | _ -> assert false
      in proxy_obj ty
  | _ -> ty0

(**** Utilities for private types ****)

let has_constr_row t =
  match (repr t).desc with
    Tobject(t,_) ->
      let rec check_row t =
        match (repr t).desc with
          Tfield(_,_,_,t) -> check_row t
        | Tconstr _ -> true
        | _ -> false
      in check_row t
  | Tvariant row ->
      (match row_more row with {desc=Tconstr _} -> true | _ -> false)
  | _ ->
      false

let is_row_name s =
  let l = String.length s in
  if l < 4 then false else String.sub s (l-4) 4 = "#row"


                  (**********************************)
                  (*  Utilities for type traversal  *)
                  (**********************************)

let rec iter_row f row =
  List.iter
    (fun (_, fi) ->
      match row_field_repr fi with
      | Rpresent(Some ty) -> f ty
      | Reither(_, tl, _, _) -> List.iter f tl
      | _ -> ())
    row.row_fields;
  match (repr row.row_more).desc with
    Tvariant row -> iter_row f row
  | Tvar | Tunivar | Tsubst _ | Tconstr _ ->
      Misc.may (fun (_,l) -> List.iter f l) row.row_name;
      List.iter f row.row_bound
  | _ -> assert false

let iter_type_expr f ty =
  match ty.desc with
    Tvar                -> ()
  | Tarrow (_, ty1, ty2, _) -> f ty1; f ty2
  | Ttuple l            -> List.iter f l
  | Tconstr (_, l, _)   -> List.iter f l
  | Tobject(ty, {contents = Some (_, p)})
                        -> f ty; List.iter f p
  | Tobject (ty, _)     -> f ty
  | Tvariant row        -> iter_row f row; f (row_more row)
  | Tfield (_, _, ty1, ty2) -> f ty1; f ty2
  | Tnil                -> ()
  | Tlink ty            -> f ty
  | Tsubst ty           -> f ty
  | Tunivar             -> ()
  | Tpoly (ty, tyl)     -> f ty; List.iter f tyl

let rec iter_abbrev f = function
    Mnil                   -> ()
  | Mcons(_, ty, ty', rem) -> f ty; f ty'; iter_abbrev f rem
  | Mlink rem              -> iter_abbrev f !rem

let copy_row f fixed row keep more =
  let bound = ref [] in
  let fields = List.map
      (fun (l, fi) -> l,
        match row_field_repr fi with
        | Rpresent(Some ty) -> Rpresent(Some(f ty))
        | Reither(c, tl, m, e) ->
            let e = if keep then e else ref None in
            let m = if row.row_fixed then fixed else m in
            let tl = List.map f tl in
            bound := List.filter
                (function {desc=Tconstr(_,[],_)} -> false | _ -> true)
                (List.map repr tl)
              @ !bound;
            Reither(c, tl, m, e)
        | _ -> fi)
      row.row_fields in
  let name =
    match row.row_name with None -> None
    | Some (path, tl) -> Some (path, List.map f tl) in
  { row_fields = fields; row_more = more;
    row_bound = !bound; row_fixed = row.row_fixed && fixed;
    row_closed = row.row_closed; row_name = name; }

let rec copy_kind = function
    Fvar{contents = Some k} -> copy_kind k
  | Fvar _   -> Fvar (ref None)
  | Fpresent -> Fpresent
  | Fabsent  -> assert false

let copy_commu c =
  if commu_repr c = Cok then Cok else Clink (ref Cunknown)

(* Since univars may be used as row variables, we need to do some
   encoding during substitution *)
let rec norm_univar ty =
  match ty.desc with
    Tunivar | Tsubst _ -> ty
  | Tlink ty           -> norm_univar ty
  | Ttuple (ty :: _)   -> norm_univar ty
  | _                  -> assert false

let rec copy_type_desc f = function
    Tvar                -> Tvar
  | Tarrow (p, ty1, ty2, c)-> Tarrow (p, f ty1, f ty2, copy_commu c)
  | Ttuple l            -> Ttuple (List.map f l)
  | Tconstr (p, l, _)   -> Tconstr (p, List.map f l, ref Mnil)
  | Tobject(ty, {contents = Some (p, tl)})
                        -> Tobject (f ty, ref (Some(p, List.map f tl)))
  | Tobject (ty, _)     -> Tobject (f ty, ref None)
  | Tvariant row        -> assert false (* too ambiguous *)
  | Tfield (p, k, ty1, ty2) -> (* the kind is kept shared *)
      Tfield (p, field_kind_repr k, f ty1, f ty2)
  | Tnil                -> Tnil
  | Tlink ty            -> copy_type_desc f ty.desc
  | Tsubst ty           -> assert false
  | Tunivar             -> Tunivar
  | Tpoly (ty, tyl)     ->
      let tyl = List.map (fun x -> norm_univar (f x)) tyl in
      Tpoly (f ty, tyl)


(* Utilities for copying *)

let saved_desc = ref []
  (* Saved association of generic nodes with their description. *)

let save_desc ty desc = 
  saved_desc := (ty, desc)::!saved_desc

let saved_kinds = ref [] (* duplicated kind variables *)
let new_kinds = ref []   (* new kind variables *)
let dup_kind r =
  (match !r with None -> () | Some _ -> assert false);
  if not (List.memq r !new_kinds) then begin
    saved_kinds := r :: !saved_kinds;
    let r' = ref None in
    new_kinds := r' :: !new_kinds;
    r := Some (Fvar r')
  end

(* Restored type descriptions. *)
let cleanup_types () =
  List.iter (fun (ty, desc) -> ty.desc <- desc) !saved_desc;
  List.iter (fun r -> r := None) !saved_kinds;
  saved_desc := []; saved_kinds := []; new_kinds := []

(* Mark a type. *)
let rec mark_type ty =
  let ty = repr ty in
  if ty.level >= lowest_level then begin
    ty.level <- pivot_level - ty.level;
    iter_type_expr mark_type ty
  end

let mark_type_node ty =
  let ty = repr ty in
  if ty.level >= lowest_level then begin
    ty.level <- pivot_level - ty.level;
  end

let mark_type_params ty =
  iter_type_expr mark_type ty

(* Remove marks from a type. *)
let rec unmark_type ty =
  let ty = repr ty in
  if ty.level < lowest_level then begin
    ty.level <- pivot_level - ty.level;
    iter_type_expr unmark_type ty
  end

let unmark_type_decl decl =
  List.iter unmark_type decl.type_params;
  begin match decl.type_kind with
    Type_abstract -> ()
  | Type_variant (cstrs, priv) ->
      List.iter (fun (c, tl) -> List.iter unmark_type tl) cstrs
  | Type_record(lbls, rep, priv) ->
      List.iter (fun (c, mut, t) -> unmark_type t) lbls
  end;
  begin match decl.type_manifest with
    None    -> ()
  | Some ty -> unmark_type ty
  end

let unmark_class_signature sign =
  unmark_type sign.cty_self;
  Vars.iter (fun l (m, v, t) -> unmark_type t) sign.cty_vars

let rec unmark_class_type =
  function
    Tcty_constr (p, tyl, cty) ->
      List.iter unmark_type tyl; unmark_class_type cty
  | Tcty_signature sign ->
      unmark_class_signature sign
  | Tcty_fun (_, ty, cty) ->
      unmark_type ty; unmark_class_type cty


                  (*******************************************)
                  (*  Memorization of abbreviation expansion *)
                  (*******************************************)

(* Search whether the expansion has been memorized. *)
let rec find_expans p1 = function
    Mnil -> None
  | Mcons (p2, ty0, ty, _) when Path.same p1 p2 -> Some ty
  | Mcons (_, _, _, rem)   -> find_expans p1 rem
  | Mlink {contents = rem} -> find_expans p1 rem

(* debug: check for cycles in abbreviation. only works with -principal
let rec check_expans visited ty =
  let ty = repr ty in
  assert (not (List.memq ty visited));
  match ty.desc with
    Tconstr (path, args, abbrev) ->
      begin match find_expans path !abbrev with
        Some ty' -> check_expans (ty :: visited) ty'
      | None -> ()
      end
  | _ -> ()
*)

let memo = ref []
        (* Contains the list of saved abbreviation expansions. *)

let cleanup_abbrev () =
        (* Remove all memorized abbreviation expansions. *)
  List.iter (fun abbr -> abbr := Mnil) !memo;
  memo := []

let memorize_abbrev mem path v v' =
        (* Memorize the expansion of an abbreviation. *)
  mem := Mcons (path, v, v', !mem);
  (* check_expans [] v; *)
  memo := mem :: !memo

let rec forget_abbrev_rec mem path =
  match mem with
    Mnil ->
      assert false
  | Mcons (path', _, _, rem) when Path.same path path' ->
      rem 
  | Mcons (path', v, v', rem) ->
      Mcons (path', v, v', forget_abbrev_rec rem path)
  | Mlink mem' ->
      mem' := forget_abbrev_rec !mem' path;
      raise Exit

let forget_abbrev mem path =
  try mem := forget_abbrev_rec !mem path with Exit -> ()

(* debug: check for invalid abbreviations
let rec check_abbrev_rec = function
    Mnil -> true
  | Mcons (_, ty1, ty2, rem) ->
      repr ty1 != repr ty2
  | Mlink mem' ->
      check_abbrev_rec !mem'

let check_memorized_abbrevs () =
  List.for_all (fun mem -> check_abbrev_rec !mem) !memo
*)

                  (**********************************)
                  (*  Utilities for labels          *)
                  (**********************************)

let is_optional l =
  String.length l > 0 && l.[0] = '?'

let label_name l =
  if is_optional l then String.sub l 1 (String.length l - 1)
                   else l

let rec extract_label_aux hd l = function
    [] -> raise Not_found
  | (l',t as p) :: ls ->
      if label_name l' = l then (l', t, List.rev hd, ls)
      else extract_label_aux (p::hd) l ls

let extract_label l ls = extract_label_aux [] l ls


                  (**********************************)
                  (*  Utilities for backtracking    *)
                  (**********************************)

type change =
    Ctype of type_expr * type_desc
  | Clevel of type_expr * int
  | Cname of
      (Path.t * type_expr list) option ref * (Path.t * type_expr list) option
  | Crow of row_field option ref * row_field option
  | Ckind of field_kind option ref * field_kind option
  | Ccommu of commutable ref * commutable
  | Cuniv of type_expr option ref * type_expr option

let undo_change = function
    Ctype  (ty, desc)  -> ty.desc <- desc
  | Clevel (ty, level) -> ty.level <- level
  | Cname  (r, v) -> r := v
  | Crow   (r, v) -> r := v
  | Ckind  (r, v) -> r := v
  | Ccommu (r, v) -> r := v
  | Cuniv  (r, v) -> r := v

type changes = 
    Change of change * changes ref
  | Unchanged
  | Invalid

type snapshot = changes ref * int

let trail = Weak.create 1
let last_snapshot = ref 0

let log_change ch =
  match Weak.get trail 0 with None -> ()
  | Some r ->
      let r' = ref Unchanged in
      r := Change (ch, r');
      Weak.set trail 0 (Some r')

let log_type ty =
  if ty.id <= !last_snapshot then log_change (Ctype (ty, ty.desc))
let link_type ty ty' = log_type ty; ty.desc <- Tlink ty'
  (* ; assert (check_memorized_abbrevs ()) *)
  (*  ; check_expans [] ty' *)
let set_level ty level =
  if ty.id <= !last_snapshot then log_change (Clevel (ty, ty.level));
  ty.level <- level
let set_univar rty ty =
  log_change (Cuniv (rty, !rty)); rty := Some ty
let set_name nm v =
  log_change (Cname (nm, !nm)); nm := v
let set_row_field e v =
  log_change (Crow (e, !e)); e := Some v
let set_kind rk k =
  log_change (Ckind (rk, !rk)); rk := Some k
let set_commu rc c =
  log_change (Ccommu (rc, !rc)); rc := c

let snapshot () =
  let old = !last_snapshot in
  last_snapshot := !new_id;
  match Weak.get trail 0 with Some r -> (r, old)
  | None ->
      let r = ref Unchanged in
      Weak.set trail 0 (Some r);
      (r, old)

let rec rev_log accu = function
    Unchanged -> accu
  | Invalid -> assert false
  | Change (ch, next) ->
      let d = !next in
      next := Invalid;
      rev_log (ch::accu) d

let backtrack (changes, old) =
  match !changes with
    Unchanged -> last_snapshot := old
  | Invalid -> failwith "Btype.backtrack"
  | Change _ as change ->
      cleanup_abbrev ();
      let backlog = rev_log [] change in
      List.iter undo_change backlog;
      changes := Unchanged;
      last_snapshot := old;
      Weak.set trail 0 (Some changes)
why-2.34/ml/typing/subst.ml0000644000175000017500000002367212311670312014243 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: subst.ml,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* Substitutions *)

open Misc
open Path
open Types
open Btype

type t = 
  { types: (Ident.t, Path.t) Tbl.t;
    modules: (Ident.t, Path.t) Tbl.t;
    modtypes: (Ident.t, module_type) Tbl.t;
    for_saving: bool }

let identity =
  { types = Tbl.empty; modules = Tbl.empty; modtypes = Tbl.empty;
    for_saving = false }

let add_type id p s = { s with types = Tbl.add id p s.types }

let add_module id p s = { s with modules = Tbl.add id p s.modules }

let add_modtype id ty s = { s with modtypes = Tbl.add id ty s.modtypes }

let for_saving s = { s with for_saving = true }

let rec module_path s = function
    Pident id as p ->
      begin try Tbl.find id s.modules with Not_found -> p end
  | Pdot(p, n, pos) ->
      Pdot(module_path s p, n, pos)
  | Papply(p1, p2) ->
      Papply(module_path s p1, module_path s p2)

let type_path s = function
    Pident id as p ->
      begin try Tbl.find id s.types with Not_found -> p end
  | Pdot(p, n, pos) ->
      Pdot(module_path s p, n, pos)
  | Papply(p1, p2) ->
      fatal_error "Subst.type_path"

(* Special type ids for saved signatures *)

let new_id = ref (-1)
let reset_for_saving () = new_id := -1

let newpersty desc =
  decr new_id; { desc = desc; level = generic_level; id = !new_id }

(* Similar to [Ctype.nondep_type_rec]. *)
let rec typexp s ty =
  let ty = repr ty in
  match ty.desc with
    Tvar | Tunivar ->
      if s.for_saving || ty.id < 0 then
        let ty' =
          if s.for_saving then newpersty ty.desc else newty2 ty.level ty.desc
        in
        save_desc ty ty.desc; ty.desc <- Tsubst ty'; ty'
      else ty
  | Tsubst ty ->
      ty
(* cannot do it, since it would omit subsitution
  | Tvariant row when not (static_row row) ->
      ty
*)
  | _ ->
    let desc = ty.desc in
    save_desc ty desc;
    (* Make a stub *)
    let ty' = if s.for_saving then newpersty Tvar else newgenvar () in
    ty.desc <- Tsubst ty';
    ty'.desc <-
      begin match desc with
      | Tconstr(p, tl, abbrev) ->
          Tconstr(type_path s p, List.map (typexp s) tl, ref Mnil)
      | Tobject (t1, name) ->
          Tobject (typexp s t1,
                 ref (match !name with
                        None -> None
                      | Some (p, tl) ->
                          Some (type_path s p, List.map (typexp s) tl)))
      | Tvariant row ->
          let row = row_repr row in
          let more = repr row.row_more in
          (* We must substitute in a subtle way *)
          (* Tsubst takes a tuple containing the row var and the variant *)
          begin match more.desc with
            Tsubst {desc = Ttuple [_;ty2]} ->
              (* This variant type has been already copied *)
              ty.desc <- Tsubst ty2; (* avoid Tlink in the new type *)
              Tlink ty2
          | _ ->
              let dup =
                s.for_saving || more.level = generic_level || static_row row ||
                match more.desc with Tconstr _ -> true | _ -> false in
              (* Various cases for the row variable *)
              let more' =
                match more.desc with
                  Tsubst ty -> ty
                | Tconstr _ -> typexp s more
                | Tunivar | Tvar ->
                    save_desc more more.desc;
                    if s.for_saving then newpersty more.desc else
                    if dup && more.desc <> Tunivar then newgenvar () else more
                | _ -> assert false
              in
              (* Register new type first for recursion *)
              more.desc <- Tsubst(newgenty(Ttuple[more';ty']));
              (* Return a new copy *)
              let row =
                copy_row (typexp s) true row (not dup) more' in
              let row =
                if s.for_saving then {row with row_bound = []} else row in
              match row.row_name with
                Some (p, tl) ->
                  Tvariant {row with row_name = Some (type_path s p, tl)}
              | None ->
                  Tvariant row
          end
      | Tfield(label, kind, t1, t2) when field_kind_repr kind = Fabsent ->
          Tlink (typexp s t2)
      | _ -> copy_type_desc (typexp s) desc
      end;
    ty'

(*
   Always make a copy of the type. If this is not done, type levels
   might not be correct.
*)
let type_expr s ty =
  let ty' = typexp s ty in
  cleanup_types ();
  ty'

let type_declaration s decl =
  let decl =
    { type_params = List.map (typexp s) decl.type_params;
      type_arity = decl.type_arity;
      type_kind =
        begin match decl.type_kind with
          Type_abstract -> Type_abstract
        | Type_variant (cstrs, priv) ->
            Type_variant(
              List.map (fun (n, args) -> (n, List.map (typexp s) args))
                       cstrs,
              priv)
        | Type_record(lbls, rep, priv) ->
            Type_record(
              List.map (fun (n, mut, arg) -> (n, mut, typexp s arg))
                       lbls,
              rep, priv)
        end;
      type_manifest =
        begin match decl.type_manifest with
          None -> None
        | Some ty -> Some(typexp s ty)
        end;
      type_variance = decl.type_variance;
    }
  in
  cleanup_types ();
  decl

let class_signature s sign =
  { cty_self = typexp s sign.cty_self;
    cty_vars =
      Vars.map (function (m, v, t) -> (m, v, typexp s t)) sign.cty_vars;
    cty_concr = sign.cty_concr;
    cty_inher =
      List.map (fun (p, tl) -> (type_path s p, List.map (typexp s) tl))
        sign.cty_inher
  }

let rec class_type s =
  function
    Tcty_constr (p, tyl, cty) ->
      Tcty_constr (type_path s p, List.map (typexp s) tyl, class_type s cty)
  | Tcty_signature sign ->
      Tcty_signature (class_signature s sign)
  | Tcty_fun (l, ty, cty) ->
      Tcty_fun (l, typexp s ty, class_type s cty)

let class_declaration s decl =
  let decl =
    { cty_params = List.map (typexp s) decl.cty_params;
      cty_variance = decl.cty_variance;
      cty_type = class_type s decl.cty_type;
      cty_path = type_path s decl.cty_path;
      cty_new =
        begin match decl.cty_new with
          None    -> None
        | Some ty -> Some (typexp s ty)
        end }
  in
  (* Do not clean up if saving: next is cltype_declaration *)
  if not s.for_saving then cleanup_types ();
  decl

let cltype_declaration s decl =
  let decl =
    { clty_params = List.map (typexp s) decl.clty_params;
      clty_variance = decl.clty_variance;
      clty_type = class_type s decl.clty_type;
      clty_path = type_path s decl.clty_path }
  in
  (* Do clean up even if saving: type_declaration may be recursive *)
  cleanup_types ();
  decl

let class_type s cty =
  let cty = class_type s cty in
  cleanup_types ();
  cty

let value_description s descr =
  { val_type = type_expr s descr.val_type;
    val_kind = descr.val_kind }

let exception_declaration s tyl =
  List.map (type_expr s) tyl

let rec rename_bound_idents s idents = function
    [] -> (List.rev idents, s)
  | Tsig_type(id, d, _) :: sg ->
      let id' = Ident.rename id in
      rename_bound_idents (add_type id (Pident id') s) (id' :: idents) sg
  | Tsig_module(id, mty, _) :: sg ->
      let id' = Ident.rename id in
      rename_bound_idents (add_module id (Pident id') s) (id' :: idents) sg
  | Tsig_modtype(id, d) :: sg ->
      let id' = Ident.rename id in
      rename_bound_idents (add_modtype id (Tmty_ident(Pident id')) s)
                          (id' :: idents) sg
  | (Tsig_value(id, _) | Tsig_exception(id, _) | 
     Tsig_class(id, _, _) | Tsig_cltype(id, _, _)) :: sg ->
      let id' = Ident.rename id in
      rename_bound_idents s (id' :: idents) sg

let rec modtype s = function
    Tmty_ident p as mty ->
      begin match p with
        Pident id ->
          begin try Tbl.find id s.modtypes with Not_found -> mty end
      | Pdot(p, n, pos) ->
          Tmty_ident(Pdot(module_path s p, n, pos))
      | Papply(p1, p2) ->
          fatal_error "Subst.modtype"
      end
  | Tmty_signature sg ->
      Tmty_signature(signature s sg)
  | Tmty_functor(id, arg, res) ->
      let id' = Ident.rename id in
      Tmty_functor(id', modtype s arg,
                        modtype (add_module id (Pident id') s) res)

and signature s sg =
  (* Components of signature may be mutually recursive (e.g. type declarations
     or class and type declarations), so first build global renaming
     substitution... *)
  let (new_idents, s') = rename_bound_idents s [] sg in
  (* ... then apply it to each signature component in turn *)
  List.map2 (signature_component s') sg new_idents

and signature_component s comp newid =
  match comp with
    Tsig_value(id, d) ->
      Tsig_value(newid, value_description s d)
  | Tsig_type(id, d, rs) ->
      Tsig_type(newid, type_declaration s d, rs)
  | Tsig_exception(id, d) ->
      Tsig_exception(newid, exception_declaration s d)
  | Tsig_module(id, mty, rs) ->
      Tsig_module(newid, modtype s mty, rs)
  | Tsig_modtype(id, d) ->
      Tsig_modtype(newid, modtype_declaration s d)
  | Tsig_class(id, d, rs) ->
      Tsig_class(newid, class_declaration s d, rs)
  | Tsig_cltype(id, d, rs) ->
      Tsig_cltype(newid, cltype_declaration s d, rs)

and modtype_declaration s = function
    Tmodtype_abstract -> Tmodtype_abstract
  | Tmodtype_manifest mty -> Tmodtype_manifest(modtype s mty)
why-2.34/ml/typing/includemod.ml0000644000175000017500000003461712311670312015227 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: includemod.ml,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Inclusion checks for the module language *)

open Misc
open Path
open Types
open Typedtree

type error =
    Missing_field of Ident.t
  | Value_descriptions of Ident.t * value_description * value_description
  | Type_declarations of Ident.t * type_declaration * type_declaration
  | Exception_declarations of
      Ident.t * exception_declaration * exception_declaration
  | Module_types of module_type * module_type
  | Modtype_infos of Ident.t * modtype_declaration * modtype_declaration
  | Modtype_permutation
  | Interface_mismatch of string * string
  | Class_type_declarations of
      Ident.t * cltype_declaration * cltype_declaration *
      Ctype.class_match_failure list
  | Class_declarations of
      Ident.t * class_declaration * class_declaration *
      Ctype.class_match_failure list
  | Unbound_modtype_path of Path.t

exception Error of error list

(* All functions "blah env x1 x2" check that x1 is included in x2,
   i.e. that x1 is the type of an implementation that fulfills the
   specification x2. If not, Error is raised with a backtrace of the error. *)

(* Inclusion between value descriptions *)

let value_descriptions env subst id vd1 vd2 =
  let vd2 = Subst.value_description subst vd2 in
  try
    Includecore.value_descriptions env vd1 vd2
  with Includecore.Dont_match ->
    raise(Error[Value_descriptions(id, vd1, vd2)])

(* Inclusion between type declarations *)

let type_declarations env subst id decl1 decl2 =
  let decl2 = Subst.type_declaration subst decl2 in
  if Includecore.type_declarations env id decl1 decl2
  then ()
  else raise(Error[Type_declarations(id, decl1, decl2)])

(* Inclusion between exception declarations *)

let exception_declarations env subst id decl1 decl2 =
  let decl2 = Subst.exception_declaration subst decl2 in
  if Includecore.exception_declarations env decl1 decl2
  then ()
  else raise(Error[Exception_declarations(id, decl1, decl2)])

(* Inclusion between class declarations *)

let class_type_declarations env subst id decl1 decl2 =
  let decl2 = Subst.cltype_declaration subst decl2 in
  match Includeclass.class_type_declarations env decl1 decl2 with
    []     -> ()
  | reason -> raise(Error[Class_type_declarations(id, decl1, decl2, reason)])

let class_declarations env subst id decl1 decl2 =
  let decl2 = Subst.class_declaration subst decl2 in
  match Includeclass.class_declarations env decl1 decl2 with
    []     -> ()
  | reason -> raise(Error[Class_declarations(id, decl1, decl2, reason)])

(* Expand a module type identifier when possible *)

exception Dont_match

let expand_module_path env path =
  try
    Env.find_modtype_expansion path env
  with Not_found ->
    raise(Error[Unbound_modtype_path path])

(* Extract name, kind and ident from a signature item *)

type field_desc =
    Field_value of string
  | Field_type of string
  | Field_exception of string
  | Field_module of string
  | Field_modtype of string
  | Field_class of string
  | Field_classtype of string

let item_ident_name = function
    Tsig_value(id, _) -> (id, Field_value(Ident.name id))
  | Tsig_type(id, _, _) -> (id, Field_type(Ident.name id))
  | Tsig_exception(id, _) -> (id, Field_exception(Ident.name id))
  | Tsig_module(id, _, _) -> (id, Field_module(Ident.name id))
  | Tsig_modtype(id, _) -> (id, Field_modtype(Ident.name id))
  | Tsig_class(id, _, _) -> (id, Field_class(Ident.name id))
  | Tsig_cltype(id, _, _) -> (id, Field_classtype(Ident.name id))

(* Simplify a structure coercion *)

let simplify_structure_coercion cc =
  let rec is_identity_coercion pos = function
  | [] ->
      true
  | (n, c) :: rem ->
      n = pos && c = Tcoerce_none && is_identity_coercion (pos + 1) rem in
  if is_identity_coercion 0 cc
  then Tcoerce_none
  else Tcoerce_structure cc

(* Inclusion between module types. 
   Return the restriction that transforms a value of the smaller type
   into a value of the bigger type. *)

let rec modtypes env subst mty1 mty2 =
  try
    try_modtypes env subst mty1 mty2
  with 
    Dont_match ->
      raise(Error[Module_types(mty1, Subst.modtype subst mty2)])
  | Error reasons ->
      raise(Error(Module_types(mty1, Subst.modtype subst mty2) :: reasons))

and try_modtypes env subst mty1 mty2 =
  match (mty1, mty2) with
    (_, Tmty_ident p2) ->
      try_modtypes2 env mty1 (Subst.modtype subst mty2)
  | (Tmty_ident p1, _) ->
      try_modtypes env subst (expand_module_path env p1) mty2
  | (Tmty_signature sig1, Tmty_signature sig2) ->
      signatures env subst sig1 sig2
  | (Tmty_functor(param1, arg1, res1), Tmty_functor(param2, arg2, res2)) ->
      let arg2' = Subst.modtype subst arg2 in
      let cc_arg = modtypes env Subst.identity arg2' arg1 in
      let cc_res =
        modtypes (Env.add_module param1 arg2' env)
          (Subst.add_module param2 (Pident param1) subst) res1 res2 in
      begin match (cc_arg, cc_res) with
          (Tcoerce_none, Tcoerce_none) -> Tcoerce_none
        | _ -> Tcoerce_functor(cc_arg, cc_res)
      end
  | (_, _) ->
      raise Dont_match

and try_modtypes2 env mty1 mty2 =
  (* mty2 is an identifier *)
  match (mty1, mty2) with
    (Tmty_ident p1, Tmty_ident p2) when Path.same p1 p2 ->
      Tcoerce_none
  | (_, Tmty_ident p2) ->
      try_modtypes env Subst.identity mty1 (expand_module_path env p2)
  | (_, _) ->
      assert false

(* Inclusion between signatures *)

and signatures env subst sig1 sig2 =
  (* Environment used to check inclusion of components *)
  let new_env =
    Env.add_signature sig1 env in
  (* Build a table of the components of sig1, along with their positions.
     The table is indexed by kind and name of component *)
  let rec build_component_table pos tbl = function
      [] -> tbl
    | item :: rem ->
        let (id, name) = item_ident_name item in
        let nextpos =
          match item with
            Tsig_value(_,{val_kind = Val_prim _})
          | Tsig_type(_,_,_)
          | Tsig_modtype(_,_)
          | Tsig_cltype(_,_,_) -> pos
          | Tsig_value(_,_)
          | Tsig_exception(_,_)
          | Tsig_module(_,_,_)
          | Tsig_class(_, _,_) -> pos+1 in
        build_component_table nextpos
                              (Tbl.add name (id, item, pos) tbl) rem in
  let comps1 =
    build_component_table 0 Tbl.empty sig1 in
  (* Pair each component of sig2 with a component of sig1,
     identifying the names along the way.
     Return a coercion list indicating, for all run-time components
     of sig2, the position of the matching run-time components of sig1
     and the coercion to be applied to it. *)
  let rec pair_components subst paired unpaired = function
      [] ->
        begin match unpaired with
            [] -> signature_components new_env subst (List.rev paired)
          | _  -> raise(Error unpaired)
        end
    | item2 :: rem ->
        let (id2, name2) = item_ident_name item2 in
        let name2, report =
          match name2 with
            Field_type s when let l = String.length s in
            l >= 4 && String.sub s (l-4) 4 = "#row" ->
              (* Do not report in case of failure,
                 as the main type will generate an error *)
              Field_type (String.sub s 0 (String.length s - 4)), false
          | _ -> name2, true
        in
        begin try
          let (id1, item1, pos1) = Tbl.find name2 comps1 in
          let new_subst =
            match item2 with
              Tsig_type _ ->
                Subst.add_type id2 (Pident id1) subst
            | Tsig_module _ ->
                Subst.add_module id2 (Pident id1) subst
            | Tsig_modtype _ ->
                Subst.add_modtype id2 (Tmty_ident (Pident id1)) subst
            | Tsig_value _ | Tsig_exception _ | Tsig_class _ | Tsig_cltype _ ->
                subst
          in
          pair_components new_subst
            ((item1, item2, pos1) :: paired) unpaired rem
        with Not_found ->
          let unpaired =
            if report then Missing_field id2 :: unpaired else unpaired in
          pair_components subst paired unpaired rem
        end in
  (* Do the pairing and checking, and return the final coercion *)
  simplify_structure_coercion (pair_components subst [] [] sig2)

(* Inclusion between signature components *)

and signature_components env subst = function
    [] -> []
  | (Tsig_value(id1, valdecl1), Tsig_value(id2, valdecl2), pos) :: rem ->
      let cc = value_descriptions env subst id1 valdecl1 valdecl2 in
      begin match valdecl2.val_kind with
        Val_prim p -> signature_components env subst rem
      | _ -> (pos, cc) :: signature_components env subst rem
      end
  | (Tsig_type(id1, tydecl1, _), Tsig_type(id2, tydecl2, _), pos) :: rem ->
      type_declarations env subst id1 tydecl1 tydecl2;
      signature_components env subst rem
  | (Tsig_exception(id1, excdecl1), Tsig_exception(id2, excdecl2), pos)
    :: rem ->
      exception_declarations env subst id1 excdecl1 excdecl2;
      (pos, Tcoerce_none) :: signature_components env subst rem
  | (Tsig_module(id1, mty1, _), Tsig_module(id2, mty2, _), pos) :: rem ->
      let cc =
        modtypes env subst (Mtype.strengthen env mty1 (Pident id1)) mty2 in
      (pos, cc) :: signature_components env subst rem
  | (Tsig_modtype(id1, info1), Tsig_modtype(id2, info2), pos) :: rem ->
      modtype_infos env subst id1 info1 info2;
      signature_components env subst rem
  | (Tsig_class(id1, decl1, _), Tsig_class(id2, decl2, _), pos) :: rem ->
      class_declarations env subst id1 decl1 decl2;
      (pos, Tcoerce_none) :: signature_components env subst rem
  | (Tsig_cltype(id1, info1, _), Tsig_cltype(id2, info2, _), pos) :: rem ->
      class_type_declarations env subst id1 info1 info2;
      signature_components env subst rem
  | _ ->
      assert false

(* Inclusion between module type specifications *)

and modtype_infos env subst id info1 info2 =
  let info2 = Subst.modtype_declaration subst info2 in
  try
    match (info1, info2) with
      (Tmodtype_abstract, Tmodtype_abstract) -> ()
    | (Tmodtype_manifest mty1, Tmodtype_abstract) -> ()
    | (Tmodtype_manifest mty1, Tmodtype_manifest mty2) ->
        check_modtype_equiv env mty1 mty2
    | (Tmodtype_abstract, Tmodtype_manifest mty2) ->
        check_modtype_equiv env (Tmty_ident(Pident id)) mty2
  with Error reasons ->
    raise(Error(Modtype_infos(id, info1, info2) :: reasons))

and check_modtype_equiv env mty1 mty2 =
  match
    (modtypes env Subst.identity mty1 mty2,
     modtypes env Subst.identity mty2 mty1)
  with
    (Tcoerce_none, Tcoerce_none) -> ()
  | (_, _) -> raise(Error [Modtype_permutation])

(* Simplified inclusion check between module types (for Env) *)

let check_modtype_inclusion env mty1 path1 mty2 =
  try
    ignore(modtypes env Subst.identity
                    (Mtype.strengthen env mty1 path1) mty2)
  with Error reasons ->
    raise Not_found

let _ = Env.check_modtype_inclusion := check_modtype_inclusion

(* Check that an implementation of a compilation unit meets its
   interface. *)

let compunit impl_name impl_sig intf_name intf_sig =
  try
    signatures Env.initial Subst.identity impl_sig intf_sig
  with Error reasons ->
    raise(Error(Interface_mismatch(impl_name, intf_name) :: reasons))

(* Hide the substitution parameter to the outside world *)

let modtypes env mty1 mty2 = modtypes env Subst.identity mty1 mty2
let signatures env sig1 sig2 = signatures env Subst.identity sig1 sig2
let type_declarations env id decl1 decl2 =
  type_declarations env Subst.identity id decl1 decl2

(* Error report *)

open Format
open Printtyp

let include_err ppf = function
  | Missing_field id ->
      fprintf ppf "The field `%a' is required but not provided" ident id
  | Value_descriptions(id, d1, d2) ->
      fprintf ppf
       "@[Values do not match:@ \
        %a@;<1 -2>is not included in@ %a@]"
       (value_description id) d1 (value_description id) d2
  | Type_declarations(id, d1, d2) ->
      fprintf ppf
       "@[Type declarations do not match:@ \
        %a@;<1 -2>is not included in@ %a@]"
       (type_declaration id) d1
       (type_declaration id) d2
  | Exception_declarations(id, d1, d2) ->
      fprintf ppf
       "@[Exception declarations do not match:@ \
        %a@;<1 -2>is not included in@ %a@]"
      (exception_declaration id) d1
      (exception_declaration id) d2
  | Module_types(mty1, mty2)->
      fprintf ppf
       "@[Modules do not match:@ \
        %a@;<1 -2>is not included in@ %a@]"
      modtype mty1
      modtype mty2
  | Modtype_infos(id, d1, d2) ->
      fprintf ppf
       "@[Module type declarations do not match:@ \
        %a@;<1 -2>does not match@ %a@]"
      (modtype_declaration id) d1
      (modtype_declaration id) d2
  | Modtype_permutation ->
      fprintf ppf "Illegal permutation of structure fields"
  | Interface_mismatch(impl_name, intf_name) ->
      fprintf ppf "@[The implementation %s@ does not match the interface %s:" 
       impl_name intf_name
  | Class_type_declarations(id, d1, d2, reason) ->
      fprintf ppf
       "@[Class type declarations do not match:@ \
        %a@;<1 -2>does not match@ %a@]@ %a"
      (Printtyp.cltype_declaration id) d1
      (Printtyp.cltype_declaration id) d2
      Includeclass.report_error reason
  | Class_declarations(id, d1, d2, reason) ->
      fprintf ppf
       "@[Class declarations do not match:@ \
        %a@;<1 -2>does not match@ %a@]@ %a"
      (Printtyp.class_declaration id) d1
      (Printtyp.class_declaration id) d2
      Includeclass.report_error reason
  | Unbound_modtype_path path ->
      fprintf ppf "Unbound module type %a" Printtyp.path path

let report_error ppf = function
  |  [] -> ()
  | err :: errs ->
      let print_errs ppf errs =
         List.iter (fun err -> fprintf ppf "@ %a" include_err err) errs in
      fprintf ppf "@[%a%a@]" include_err err print_errs errs
why-2.34/ml/typing/path.mli0000644000175000017500000000214312311670312014176 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: path.mli,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Access paths *)

type t =
    Pident of Ident.t
  | Pdot of t * string * int
  | Papply of t * t

val same: t -> t -> bool
val isfree: Ident.t -> t -> bool
val binding_time: t -> int

val nopos: int

val name: t -> string
val head: t -> Ident.t
why-2.34/ml/typing/env.ml0000644000175000017500000006650412311670312013674 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: env.ml,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Environment handling *)

open Config
open Misc
open Asttypes
open Longident
open Path
open Types


type error =
    Not_an_interface of string
  | Corrupted_interface of string
  | Illegal_renaming of string * string
  | Inconsistent_import of string * string * string
  | Need_recursive_types of string * string

exception Error of error

type summary =
    Env_empty
  | Env_value of summary * Ident.t * value_description
  | Env_type of summary * Ident.t * type_declaration
  | Env_exception of summary * Ident.t * exception_declaration
  | Env_module of summary * Ident.t * module_type
  | Env_modtype of summary * Ident.t * modtype_declaration
  | Env_class of summary * Ident.t * class_declaration
  | Env_cltype of summary * Ident.t * cltype_declaration
  | Env_open of summary * Path.t

type t = {
  values: (Path.t * value_description) Ident.tbl;
  constrs: constructor_description Ident.tbl;
  labels: label_description Ident.tbl;
  types: (Path.t * type_declaration) Ident.tbl;
  modules: (Path.t * module_type) Ident.tbl;
  modtypes: (Path.t * modtype_declaration) Ident.tbl;
  components: (Path.t * module_components) Ident.tbl;
  classes: (Path.t * class_declaration) Ident.tbl;
  cltypes: (Path.t * cltype_declaration) Ident.tbl;
  summary: summary
}

and module_components = module_components_repr Lazy.t

and module_components_repr =
    Structure_comps of structure_components
  | Functor_comps of functor_components

and structure_components = {
  mutable comp_values: (string, (value_description * int)) Tbl.t;
  mutable comp_constrs: (string, (constructor_description * int)) Tbl.t;
  mutable comp_labels: (string, (label_description * int)) Tbl.t;
  mutable comp_types: (string, (type_declaration * int)) Tbl.t;
  mutable comp_modules: (string, (module_type Lazy.t * int)) Tbl.t;
  mutable comp_modtypes: (string, (modtype_declaration * int)) Tbl.t;
  mutable comp_components: (string, (module_components * int)) Tbl.t;
  mutable comp_classes: (string, (class_declaration * int)) Tbl.t;
  mutable comp_cltypes: (string, (cltype_declaration * int)) Tbl.t
}

and functor_components = {
  fcomp_param: Ident.t;                 (* Formal parameter *)
  fcomp_arg: module_type;               (* Argument signature *)
  fcomp_res: module_type;               (* Result signature *)
  fcomp_env: t;     (* Environment in which the result signature makes sense *)
  fcomp_subst: Subst.t;  (* Prefixing substitution for the result signature *)
  fcomp_cache: (Path.t, module_components) Hashtbl.t  (* For memoization *)
}

let empty = {
  values = Ident.empty; constrs = Ident.empty;
  labels = Ident.empty; types = Ident.empty;
  modules = Ident.empty; modtypes = Ident.empty;
  components = Ident.empty; classes = Ident.empty;
  cltypes = Ident.empty;
  summary = Env_empty }

let diff_keys tbl1 tbl2 =
  let keys2 = Ident.keys tbl2 in
  List.filter
    (fun id ->
      match Ident.find_same id tbl2 with Pident _, _ ->
        (try ignore (Ident.find_same id tbl1); false with Not_found -> true)
      | _ -> false)
    keys2

let diff env1 env2 =
  diff_keys env1.values env2.values @
  diff_keys env1.modules env2.modules @
  diff_keys env1.classes env2.classes

(* Forward declarations *)

let components_of_module' =
  ref ((fun env sub path mty -> assert false) :
          t -> Subst.t -> Path.t -> module_type -> module_components)
let components_of_functor_appl' =
  ref ((fun f p1 p2 -> assert false) :
          functor_components -> Path.t -> Path.t -> module_components)
let check_modtype_inclusion =
  (* to be filled with Includemod.check_modtype_inclusion *)
  ref ((fun env mty1 path1 mty2 -> assert false) :
          t -> module_type -> Path.t -> module_type -> unit)

(* The name of the compilation unit currently compiled.
   "" if outside a compilation unit. *)

let current_unit = ref ""

(* Persistent structure descriptions *)

type pers_flags = Rectypes

type pers_struct =
  { ps_name: string;
    ps_sig: signature;
    ps_comps: module_components;
    ps_crcs: (string * Digest.t) list;
    ps_filename: string;
    ps_flags: pers_flags list }

let persistent_structures =
  (Hashtbl.create 17 : (string, pers_struct) Hashtbl.t)

(* Consistency between persistent structures *)

let crc_units = Consistbl.create()

let check_consistency filename crcs =
  try
    List.iter
      (fun (name, crc) -> Consistbl.check crc_units name crc filename)
      crcs
  with Consistbl.Inconsistency(name, source, auth) ->
    raise(Error(Inconsistent_import(name, auth, source)))

(* Reading persistent structures from .cmi files *)

let read_pers_struct modname filename =
  let ic = open_in_bin filename in
  try
    let buffer = String.create (String.length cmi_magic_number) in
    really_input ic buffer 0 (String.length cmi_magic_number);
    if buffer <> cmi_magic_number then begin
      close_in ic;
      raise(Error(Not_an_interface filename))
    end;
    let (name, sign) = input_value ic in
    let crcs = input_value ic in
    let flags = input_value ic in
    close_in ic;
    let comps =
      !components_of_module' empty Subst.identity
                             (Pident(Ident.create_persistent name))
                             (Tmty_signature sign) in
    let ps = { ps_name = name;
               ps_sig = sign;
               ps_comps = comps;
               ps_crcs = crcs;
               ps_filename = filename;
               ps_flags = flags } in
    if ps.ps_name <> modname then
      raise(Error(Illegal_renaming(ps.ps_name, filename)));
    check_consistency filename ps.ps_crcs;
    List.iter
      (function Rectypes ->
        if not !Clflags.recursive_types then
          raise(Error(Need_recursive_types(ps.ps_name, !current_unit))))
      ps.ps_flags;
    Hashtbl.add persistent_structures modname ps;
    ps
  with End_of_file | Failure _ ->
    close_in ic;
    raise(Error(Corrupted_interface(filename)))

let find_pers_struct name =
  try
    Hashtbl.find persistent_structures name
  with Not_found ->
    read_pers_struct name (find_in_path_uncap !load_path (name ^ ".cmi"))

let reset_cache () =
  current_unit := "";
  Hashtbl.clear persistent_structures;
  Consistbl.clear crc_units

let set_unit_name name =
  current_unit := name

(* Lookup by identifier *)

let rec find_module_descr path env =
  match path with
    Pident id ->
      begin try
        let (p, desc) = Ident.find_same id env.components
        in desc
      with Not_found ->
        if Ident.persistent id
        then (find_pers_struct (Ident.name id)).ps_comps
        else raise Not_found
      end
  | Pdot(p, s, pos) ->
      begin match Lazy.force(find_module_descr p env) with
        Structure_comps c ->
          let (descr, pos) = Tbl.find s c.comp_components in
          descr
      | Functor_comps f ->
         raise Not_found
      end
  | Papply(p1, p2) ->
      begin match Lazy.force(find_module_descr p1 env) with
        Functor_comps f ->
          !components_of_functor_appl' f p1 p2
      | Structure_comps c ->
          raise Not_found
      end

let find proj1 proj2 path env =
  match path with
    Pident id ->
      let (p, data) = Ident.find_same id (proj1 env)
      in data
  | Pdot(p, s, pos) ->
      begin match Lazy.force(find_module_descr p env) with
        Structure_comps c ->
          let (data, pos) = Tbl.find s (proj2 c) in data
      | Functor_comps f ->
          raise Not_found
      end
  | Papply(p1, p2) ->
      raise Not_found

let find_value =
  find (fun env -> env.values) (fun sc -> sc.comp_values)
and find_type =
  find (fun env -> env.types) (fun sc -> sc.comp_types)
and find_modtype =
  find (fun env -> env.modtypes) (fun sc -> sc.comp_modtypes)
and find_class =
  find (fun env -> env.classes) (fun sc -> sc.comp_classes)
and find_cltype =
  find (fun env -> env.cltypes) (fun sc -> sc.comp_cltypes)

let find_type_expansion path env =
  let decl = find_type path env in
  match decl.type_manifest with
    None      -> raise Not_found
  | Some body -> (decl.type_params, body)

let find_modtype_expansion path env =
  match find_modtype path env with
    Tmodtype_abstract     -> raise Not_found
  | Tmodtype_manifest mty -> mty

let find_module path env =
  match path with
    Pident id ->
      begin try
        let (p, data) = Ident.find_same id env.modules
        in data
      with Not_found ->
        if Ident.persistent id then
          let ps = find_pers_struct (Ident.name id) in
          Tmty_signature(ps.ps_sig)
        else raise Not_found
      end
  | Pdot(p, s, pos) ->
      begin match Lazy.force (find_module_descr p env) with
        Structure_comps c ->
          let (data, pos) = Tbl.find s c.comp_modules in Lazy.force data
      | Functor_comps f ->
          raise Not_found
      end
  | Papply(p1, p2) ->
      raise Not_found (* not right *)

(* Lookup by name *)

let rec lookup_module_descr lid env =
  match lid with
    Lident s ->
      begin try
        Ident.find_name s env.components
      with Not_found ->
        if s = !current_unit then raise Not_found;
        let ps = find_pers_struct s in
        (Pident(Ident.create_persistent s), ps.ps_comps)
      end
  | Ldot(l, s) ->
      let (p, descr) = lookup_module_descr l env in
      begin match Lazy.force descr with
        Structure_comps c ->
          let (descr, pos) = Tbl.find s c.comp_components in
          (Pdot(p, s, pos), descr)
      | Functor_comps f ->
          raise Not_found
      end
  | Lapply(l1, l2) ->
      let (p1, desc1) = lookup_module_descr l1 env in
      let (p2, mty2) = lookup_module l2 env in
      begin match Lazy.force desc1 with
        Functor_comps f ->
          !check_modtype_inclusion env mty2 p2 f.fcomp_arg;
          (Papply(p1, p2), !components_of_functor_appl' f p1 p2)
      | Structure_comps c ->
          raise Not_found
      end

and lookup_module lid env =
  match lid with
    Lident s ->
      begin try
        Ident.find_name s env.modules
      with Not_found ->
        if s = !current_unit then raise Not_found;
        let ps = find_pers_struct s in
        (Pident(Ident.create_persistent s), Tmty_signature ps.ps_sig)
      end
  | Ldot(l, s) ->
      let (p, descr) = lookup_module_descr l env in
      begin match Lazy.force descr with
        Structure_comps c ->
          let (data, pos) = Tbl.find s c.comp_modules in
          (Pdot(p, s, pos), Lazy.force data)
      | Functor_comps f ->
          raise Not_found
      end
  | Lapply(l1, l2) ->
      let (p1, desc1) = lookup_module_descr l1 env in
      let (p2, mty2) = lookup_module l2 env in
      let p = Papply(p1, p2) in
      begin match Lazy.force desc1 with
        Functor_comps f ->
          !check_modtype_inclusion env mty2 p2 f.fcomp_arg;
          (p, Subst.modtype (Subst.add_module f.fcomp_param p2 f.fcomp_subst)
                            f.fcomp_res)
      | Structure_comps c ->
          raise Not_found
      end

let lookup proj1 proj2 lid env =
  match lid with
    Lident s ->
      Ident.find_name s (proj1 env)
  | Ldot(l, s) ->
      let (p, desc) = lookup_module_descr l env in
      begin match Lazy.force desc with
        Structure_comps c ->
          let (data, pos) = Tbl.find s (proj2 c) in
          (Pdot(p, s, pos), data)
      | Functor_comps f ->
          raise Not_found
      end
  | Lapply(l1, l2) ->
      raise Not_found

let lookup_simple proj1 proj2 lid env =
  match lid with
    Lident s ->
      Ident.find_name s (proj1 env)
  | Ldot(l, s) ->
      let (p, desc) = lookup_module_descr l env in
      begin match Lazy.force desc with
        Structure_comps c ->
          let (data, pos) = Tbl.find s (proj2 c) in
          data
      | Functor_comps f ->
          raise Not_found
      end
  | Lapply(l1, l2) ->
      raise Not_found

let lookup_value =
  lookup (fun env -> env.values) (fun sc -> sc.comp_values)
and lookup_constructor =
  lookup_simple (fun env -> env.constrs) (fun sc -> sc.comp_constrs)
and lookup_label =
  lookup_simple (fun env -> env.labels) (fun sc -> sc.comp_labels)
and lookup_type =
  lookup (fun env -> env.types) (fun sc -> sc.comp_types)
and lookup_modtype =
  lookup (fun env -> env.modtypes) (fun sc -> sc.comp_modtypes)
and lookup_class =
  lookup (fun env -> env.classes) (fun sc -> sc.comp_classes)
and lookup_cltype =
  lookup (fun env -> env.cltypes) (fun sc -> sc.comp_cltypes)

(* Expand manifest module type names at the top of the given module type *)

let rec scrape_modtype mty env =
  match mty with
    Tmty_ident path ->
      begin try
        scrape_modtype (find_modtype_expansion path env) env
      with Not_found ->
        mty
      end
  | _ -> mty

(* Compute constructor descriptions *)

let constructors_of_type ty_path decl =
  match decl.type_kind with
    Type_variant(cstrs, priv) ->
      Datarepr.constructor_descrs
        (Btype.newgenty (Tconstr(ty_path, decl.type_params, ref Mnil)))
        cstrs priv
  | Type_record _ | Type_abstract -> []

(* Compute label descriptions *)

let labels_of_type ty_path decl =
  match decl.type_kind with
    Type_record(labels, rep, priv) ->
      Datarepr.label_descrs
        (Btype.newgenty (Tconstr(ty_path, decl.type_params, ref Mnil)))
        labels rep priv
  | Type_variant _ | Type_abstract -> []

(* Given a signature and a root path, prefix all idents in the signature
   by the root path and build the corresponding substitution. *)

let rec prefix_idents root pos sub = function
    [] -> ([], sub)
  | Tsig_value(id, decl) :: rem ->
      let p = Pdot(root, Ident.name id, pos) in
      let nextpos = match decl.val_kind with Val_prim _ -> pos | _ -> pos+1 in
      let (pl, final_sub) = prefix_idents root nextpos sub rem in
      (p::pl, final_sub)
  | Tsig_type(id, decl, _) :: rem ->
      let p = Pdot(root, Ident.name id, nopos) in
      let (pl, final_sub) =
        prefix_idents root pos (Subst.add_type id p sub) rem in
      (p::pl, final_sub)
  | Tsig_exception(id, decl) :: rem ->
      let p = Pdot(root, Ident.name id, pos) in
      let (pl, final_sub) = prefix_idents root (pos+1) sub rem in
      (p::pl, final_sub)
  | Tsig_module(id, mty, _) :: rem ->
      let p = Pdot(root, Ident.name id, pos) in
      let (pl, final_sub) =
        prefix_idents root (pos+1) (Subst.add_module id p sub) rem in
      (p::pl, final_sub)
  | Tsig_modtype(id, decl) :: rem ->
      let p = Pdot(root, Ident.name id, nopos) in
      let (pl, final_sub) =
        prefix_idents root pos
                      (Subst.add_modtype id (Tmty_ident p) sub) rem in
      (p::pl, final_sub)
  | Tsig_class(id, decl, _) :: rem ->
      let p = Pdot(root, Ident.name id, pos) in
      let (pl, final_sub) = prefix_idents root (pos + 1) sub rem in
      (p::pl, final_sub)
  | Tsig_cltype(id, decl, _) :: rem ->
      let p = Pdot(root, Ident.name id, nopos) in
      let (pl, final_sub) = prefix_idents root pos sub rem in
      (p::pl, final_sub)

(* Compute structure descriptions *)

let rec components_of_module env sub path mty =
  lazy(match scrape_modtype mty env with
    Tmty_signature sg ->
      let c =
        { comp_values = Tbl.empty; comp_constrs = Tbl.empty;
          comp_labels = Tbl.empty; comp_types = Tbl.empty;
          comp_modules = Tbl.empty; comp_modtypes = Tbl.empty;
          comp_components = Tbl.empty; comp_classes = Tbl.empty;
          comp_cltypes = Tbl.empty } in
      let (pl, sub) = prefix_idents path 0 sub sg in
      let env = ref env in
      let pos = ref 0 in
      List.iter2 (fun item path ->
        match item with
          Tsig_value(id, decl) ->
            let decl' = Subst.value_description sub decl in
            c.comp_values <-
              Tbl.add (Ident.name id) (decl', !pos) c.comp_values;
            begin match decl.val_kind with
              Val_prim _ -> () | _ -> incr pos
            end
        | Tsig_type(id, decl, _) ->
            let decl' = Subst.type_declaration sub decl in
            c.comp_types <-
              Tbl.add (Ident.name id) (decl', nopos) c.comp_types;
            List.iter
              (fun (name, descr) ->
                c.comp_constrs <- Tbl.add name (descr, nopos) c.comp_constrs)
              (constructors_of_type path decl');
            List.iter
              (fun (name, descr) ->
                c.comp_labels <- Tbl.add name (descr, nopos) c.comp_labels)
              (labels_of_type path decl'); 
            env := store_type_infos id path decl !env
        | Tsig_exception(id, decl) ->
            let decl' = Subst.exception_declaration sub decl in
            let cstr = Datarepr.exception_descr path decl' in
            c.comp_constrs <-
              Tbl.add (Ident.name id) (cstr, !pos) c.comp_constrs;
            incr pos
        | Tsig_module(id, mty, _) ->
            let mty' = lazy (Subst.modtype sub mty) in
            c.comp_modules <-
              Tbl.add (Ident.name id) (mty', !pos) c.comp_modules;
            let comps = components_of_module !env sub path mty in
            c.comp_components <-
              Tbl.add (Ident.name id) (comps, !pos) c.comp_components;
            env := store_module id path mty !env;
            incr pos
        | Tsig_modtype(id, decl) ->
            let decl' = Subst.modtype_declaration sub decl in
            c.comp_modtypes <-
              Tbl.add (Ident.name id) (decl', nopos) c.comp_modtypes;
            env := store_modtype id path decl !env
        | Tsig_class(id, decl, _) ->
            let decl' = Subst.class_declaration sub decl in
            c.comp_classes <-
              Tbl.add (Ident.name id) (decl', !pos) c.comp_classes;
            incr pos
        | Tsig_cltype(id, decl, _) ->
            let decl' = Subst.cltype_declaration sub decl in
            c.comp_cltypes <-
              Tbl.add (Ident.name id) (decl', !pos) c.comp_cltypes)
        sg pl;
        Structure_comps c
  | Tmty_functor(param, ty_arg, ty_res) ->
        Functor_comps {
          fcomp_param = param;
          (* fcomp_arg must be prefixed eagerly, because it is interpreted
             in the outer environment, not in env *)
          fcomp_arg = Subst.modtype sub ty_arg;
          (* fcomp_res is prefixed lazily, because it is interpreted in env *)
          fcomp_res = ty_res;
          fcomp_env = env;
          fcomp_subst = sub;
          fcomp_cache = Hashtbl.create 17 }
  | Tmty_ident p ->
        Structure_comps {
          comp_values = Tbl.empty; comp_constrs = Tbl.empty;
          comp_labels = Tbl.empty; comp_types = Tbl.empty;
          comp_modules = Tbl.empty; comp_modtypes = Tbl.empty;
          comp_components = Tbl.empty; comp_classes = Tbl.empty;
          comp_cltypes = Tbl.empty })

(* Insertion of bindings by identifier + path *)

and store_value id path decl env =
  { env with
    values = Ident.add id (path, decl) env.values;
    summary = Env_value(env.summary, id, decl) }

and store_type id path info env =
  { env with
    constrs =
      List.fold_right
        (fun (name, descr) constrs ->
          Ident.add (Ident.create name) descr constrs)
        (constructors_of_type path info)
        env.constrs;
    labels =
      List.fold_right
        (fun (name, descr) labels ->
          Ident.add (Ident.create name) descr labels)
        (labels_of_type path info)
        env.labels;
    types = Ident.add id (path, info) env.types;
    summary = Env_type(env.summary, id, info) }

and store_type_infos id path info env =
  (* Simplified version of store_type that doesn't compute and store
     constructor and label infos, but simply record the arity and
     manifest-ness of the type.  Used in components_of_module to
     keep track of type abbreviations (e.g. type t = float) in the
     computation of label representations. *)
  { env with
    types = Ident.add id (path, info) env.types;
    summary = Env_type(env.summary, id, info) }

and store_exception id path decl env =
  { env with
    constrs = Ident.add id (Datarepr.exception_descr path decl) env.constrs;
    summary = Env_exception(env.summary, id, decl) }

and store_module id path mty env =
  { env with
    modules = Ident.add id (path, mty) env.modules;
    components =
      Ident.add id (path, components_of_module env Subst.identity path mty)
                   env.components;
    summary = Env_module(env.summary, id, mty) }

and store_modtype id path info env =
  { env with
    modtypes = Ident.add id (path, info) env.modtypes;
    summary = Env_modtype(env.summary, id, info) }

and store_class id path desc env =
  { env with
    classes = Ident.add id (path, desc) env.classes;
    summary = Env_class(env.summary, id, desc) }

and store_cltype id path desc env =
  { env with
    cltypes = Ident.add id (path, desc) env.cltypes;
    summary = Env_cltype(env.summary, id, desc) }

(* Compute the components of a functor application in a path. *)

let components_of_functor_appl f p1 p2 =
  try
    Hashtbl.find f.fcomp_cache p2
  with Not_found ->
    let p = Papply(p1, p2) in
    let mty = 
      Subst.modtype (Subst.add_module f.fcomp_param p2 Subst.identity)
                    f.fcomp_res in
    let comps = components_of_module f.fcomp_env f.fcomp_subst p mty in
    Hashtbl.add f.fcomp_cache p2 comps;
    comps

(* Define forward functions *)

let _ =
  components_of_module' := components_of_module;
  components_of_functor_appl' := components_of_functor_appl

(* Insertion of bindings by identifier *)

let add_value id desc env =
  store_value id (Pident id) desc env

and add_type id info env =
  store_type id (Pident id) info env

and add_exception id decl env =
  store_exception id (Pident id) decl env

and add_module id mty env =
  store_module id (Pident id) mty env

and add_modtype id info env =
  store_modtype id (Pident id) info env

and add_class id ty env =
  store_class id (Pident id) ty env

and add_cltype id ty env =
  store_cltype id (Pident id) ty env

(* Insertion of bindings by name *)

let enter store_fun name data env =
  let id = Ident.create name in (id, store_fun id (Pident id) data env)

let enter_value = enter store_value
and enter_type = enter store_type
and enter_exception = enter store_exception
and enter_module = enter store_module
and enter_modtype = enter store_modtype
and enter_class = enter store_class
and enter_cltype = enter store_cltype

(* Insertion of all components of a signature *)

let add_item comp env =
  match comp with
    Tsig_value(id, decl)     -> add_value id decl env
  | Tsig_type(id, decl, _)   -> add_type id decl env
  | Tsig_exception(id, decl) -> add_exception id decl env
  | Tsig_module(id, mty, _)  -> add_module id mty env
  | Tsig_modtype(id, decl)   -> add_modtype id decl env
  | Tsig_class(id, decl, _)  -> add_class id decl env
  | Tsig_cltype(id, decl, _) -> add_cltype id decl env

let rec add_signature sg env =
  match sg with
    [] -> env
  | comp :: rem -> add_signature rem (add_item comp env)

(* Open a signature path *)

let open_signature root sg env =
  (* First build the paths and substitution *)
  let (pl, sub) = prefix_idents root 0 Subst.identity sg in
  (* Then enter the components in the environment after substitution *)
  let newenv =
    List.fold_left2
      (fun env item p ->
        match item with
          Tsig_value(id, decl) ->
            store_value (Ident.hide id) p
                        (Subst.value_description sub decl) env
        | Tsig_type(id, decl, _) ->
            store_type (Ident.hide id) p
                       (Subst.type_declaration sub decl) env
        | Tsig_exception(id, decl) ->
            store_exception (Ident.hide id) p
                            (Subst.exception_declaration sub decl) env
        | Tsig_module(id, mty, _) ->
            store_module (Ident.hide id) p (Subst.modtype sub mty) env
        | Tsig_modtype(id, decl) ->
            store_modtype (Ident.hide id) p
                          (Subst.modtype_declaration sub decl) env
        | Tsig_class(id, decl, _) ->
            store_class (Ident.hide id) p
                        (Subst.class_declaration sub decl) env
        | Tsig_cltype(id, decl, _) ->
            store_cltype (Ident.hide id) p
                         (Subst.cltype_declaration sub decl) env)
      env sg pl in
  { newenv with summary = Env_open(env.summary, root) }
  
(* Open a signature from a file *)

let open_pers_signature name env =
  let ps = find_pers_struct name in
  open_signature (Pident(Ident.create_persistent name)) ps.ps_sig env

(* Read a signature from a file *)

let read_signature modname filename =
  let ps = read_pers_struct modname filename in ps.ps_sig

(* Return the CRC of the interface of the given compilation unit *)

let crc_of_unit name =
  let ps = find_pers_struct name in
  try
    List.assoc name ps.ps_crcs
  with Not_found ->
    assert false

(* Return the list of imported interfaces with their CRCs *)

let imported_units() =
  Consistbl.extract crc_units

(* Save a signature to a file *)

let save_signature_with_imports sg modname filename imports =
  Btype.cleanup_abbrev ();
  Subst.reset_for_saving ();
  let sg = Subst.signature (Subst.for_saving Subst.identity) sg in
  let oc = open_out_bin filename in
  try
    output_string oc cmi_magic_number;
    output_value oc (modname, sg);
    flush oc;
    let crc = Digest.file filename in
    let crcs = (modname, crc) :: imports in
    output_value oc crcs;
    let flags = if !Clflags.recursive_types then [Rectypes] else [] in
    output_value oc flags;
    close_out oc;
    (* Enter signature in persistent table so that imported_unit()
       will also return its crc *)
    let comps =
      components_of_module empty Subst.identity
        (Pident(Ident.create_persistent modname)) (Tmty_signature sg) in
    let ps =
      { ps_name = modname;
        ps_sig = sg;
        ps_comps = comps;
        ps_crcs = crcs;
        ps_filename = filename;
        ps_flags = flags } in
    Hashtbl.add persistent_structures modname ps;
    Consistbl.set crc_units modname crc filename
  with exn ->
    close_out oc;
    remove_file filename;
    raise exn

let save_signature sg modname filename =
  save_signature_with_imports sg modname filename (imported_units())

(* Make the initial environment *)

let initial = Predef.build_initial_env add_type add_exception empty

(* Return the environment summary *)

let summary env = env.summary

(* Error report *)

open Format

let report_error ppf = function
  | Not_an_interface filename -> fprintf ppf
      "%s@ is not a compiled interface" filename
  | Corrupted_interface filename -> fprintf ppf
      "Corrupted compiled interface@ %s" filename
  | Illegal_renaming(modname, filename) -> fprintf ppf
      "Wrong file naming: %s@ contains the compiled interface for@ %s"
      filename modname
  | Inconsistent_import(name, source1, source2) -> fprintf ppf
      "@[The files %s@ and %s@ \
              make inconsistent assumptions@ over interface %s@]"
      source1 source2 name
  | Need_recursive_types(import, export) ->
      fprintf ppf
        "@[Unit %s imports from %s, which uses recursive types.@ %s@]"
        import export "The compilation flag -rectypes is required"
why-2.34/ml/typing/parmatch.ml0000644000175000017500000014314612311670312014701 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: parmatch.ml,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Detection of partial matches and unused match cases. *)

open Misc
open Asttypes
open Types
open Typedtree

(*************************************)
(* Utilities for building patterns   *)
(*************************************)

let make_pat desc ty tenv =
  {pat_desc = desc; pat_loc = Location.none;
   pat_type = ty ; pat_env = tenv }

let omega = make_pat Tpat_any Ctype.none Env.empty

let extra_pat =
  make_pat (Tpat_var (Ident.create "+")) Ctype.none Env.empty
  
let rec omegas i =
  if i <= 0 then [] else omega :: omegas (i-1)

let omega_list l = List.map (fun _ -> omega) l

let zero = make_pat (Tpat_constant (Const_int 0)) Ctype.none Env.empty

(***********************)
(* Compatibility check *)
(***********************)

(* p and q compatible means, there exists V that matches both *)

let is_absent tag row = Btype.row_field tag row = Rabsent

let is_absent_pat p = match p.pat_desc with
| Tpat_variant (tag, _, row) -> is_absent tag row
| _ -> false

let sort_fields args =
  Sort.list
    (fun (lbl1,_) (lbl2,_) -> lbl1.lbl_pos <= lbl2.lbl_pos)
    args

let records_args l1 l2 =
  let l1 = sort_fields l1
  and l2 = sort_fields l2 in
  let rec combine r1 r2 l1 l2 = match l1,l2 with
  | [],[] -> r1,r2
  | [],(_,p2)::rem2 -> combine (omega::r1) (p2::r2) [] rem2
  | (_,p1)::rem1,[] -> combine (p1::r1) (omega::r2) rem1 []
  | (lbl1,p1)::rem1, (lbl2,p2)::rem2 ->
      if lbl1.lbl_pos < lbl2.lbl_pos then
        combine (p1::r1) (omega::r2) rem1 l2
      else if lbl1.lbl_pos > lbl2.lbl_pos then
        combine (omega::r1) (p2::r2) l1 rem2
      else (* same label on both sides *)
        combine (p1::r1) (p2::r2) rem1 rem2 in
  combine [] [] l1 l2


let rec compat p q =
  match p.pat_desc,q.pat_desc with
  | Tpat_alias (p,_),_      -> compat p q
  | _,Tpat_alias (q,_)      -> compat p q
  | (Tpat_any|Tpat_var _),_ -> true
  | _,(Tpat_any|Tpat_var _) -> true
  | Tpat_or (p1,p2,_),_     -> compat p1 q || compat p2 q
  | _,Tpat_or (q1,q2,_)     -> compat p q1 || compat p q2    
  | Tpat_constant c1, Tpat_constant c2 -> c1=c2
  | Tpat_tuple ps, Tpat_tuple qs -> compats ps qs
  | Tpat_construct (c1,ps1), Tpat_construct (c2,ps2) ->
      c1.cstr_tag = c2.cstr_tag && compats ps1 ps2
  | Tpat_variant(l1,Some p1, r1), Tpat_variant(l2,Some p2,_) ->
      l1=l2 && compat p1 p2
  | Tpat_variant (l1,None,r1), Tpat_variant(l2,None,_) ->
      l1 = l2 
  | Tpat_variant (_, None, _), Tpat_variant (_,Some _, _) -> false
  | Tpat_variant (_, Some _, _), Tpat_variant (_, None, _) -> false
  | Tpat_record l1,Tpat_record l2 ->
      let ps,qs = records_args l1 l2 in
      compats ps qs
  | Tpat_array ps, Tpat_array qs ->
      List.length ps = List.length qs &&
      compats ps qs
  | _,_  ->
      assert false
        
and compats ps qs = match ps,qs with
| [], [] -> true
| p::ps, q::qs -> compat p q && compats ps qs
| _,_    -> assert false

(****************************************)
(* Utilities for retrieving constructor *)
(* and record label names               *)
(****************************************)

exception Empty (* Empty pattern *)

let get_type_path ty tenv =
  let ty = Ctype.repr (Ctype.expand_head tenv ty) in
  match ty.desc with
  | Tconstr (path,_,_) -> path
  | _ -> fatal_error "Parmatch.get_type_path"

let get_type_descr ty tenv =
  match (Ctype.repr ty).desc with
  | Tconstr (path,_,_) -> Env.find_type path tenv
  | _ -> fatal_error "Parmatch.get_type_descr"

let rec get_constr tag ty tenv =
  match get_type_descr ty tenv with
  | {type_kind=Type_variant(constr_list, priv)} ->
      Datarepr.find_constr_by_tag tag constr_list
  | {type_manifest = Some _} ->
      get_constr tag (Ctype.expand_head_once tenv ty) tenv
  | _ -> fatal_error "Parmatch.get_constr"

let find_label lbl lbls =
  try
    let name,_,_ = List.nth lbls lbl.lbl_pos in
    name
  with Failure "nth" -> "*Unknown label*"

let rec get_record_labels ty tenv =
  match get_type_descr ty tenv with
  | {type_kind = Type_record(lbls, rep, priv)} -> lbls
  | {type_manifest = Some _} ->
      get_record_labels (Ctype.expand_head_once tenv ty) tenv
  | _ -> fatal_error "Parmatch.get_record_labels"


(*************************************)
(* Values as patterns pretty printer *)
(*************************************)

open Format
;;

let get_constr_name tag ty tenv  = match tag with
| Cstr_exception path -> Path.name path
| _ ->
  try
    let name,_ = get_constr tag ty tenv in name
  with
  | Datarepr.Constr_not_found -> "*Unknown constructor*"

let is_cons tag v  = match get_constr_name tag v.pat_type v.pat_env with
| "::" -> true
| _ -> false

  
let rec pretty_val ppf v = match v.pat_desc with
  | Tpat_any -> fprintf ppf "_"
  | Tpat_var x -> Ident.print ppf x
  | Tpat_constant (Const_int i) -> fprintf ppf "%d" i
  | Tpat_constant (Const_char c) -> fprintf ppf "%C" c
  | Tpat_constant (Const_string s) -> fprintf ppf "%S" s
  | Tpat_constant (Const_float f) -> fprintf ppf "%s" f
  | Tpat_constant (Const_int32 i) -> fprintf ppf "%ldl" i
  | Tpat_constant (Const_int64 i) -> fprintf ppf "%LdL" i
  | Tpat_constant (Const_nativeint i) -> fprintf ppf "%ndn" i
  | Tpat_tuple vs ->
      fprintf ppf "@[(%a)@]" (pretty_vals ",") vs
  | Tpat_construct ({cstr_tag=tag},[]) ->
      let name = get_constr_name tag v.pat_type v.pat_env in
      fprintf ppf "%s" name
  | Tpat_construct ({cstr_tag=tag},[w]) ->
      let name = get_constr_name tag v.pat_type v.pat_env in
      fprintf ppf "@[<2>%s@ %a@]" name pretty_arg w
  | Tpat_construct ({cstr_tag=tag},vs) ->
      let name = get_constr_name tag v.pat_type v.pat_env in
      begin match (name, vs) with
        ("::", [v1;v2]) ->
          fprintf ppf "@[%a::@,%a@]" pretty_car v1 pretty_cdr v2
      |  _ ->
          fprintf ppf "@[<2>%s@ @[(%a)@]@]" name (pretty_vals ",") vs
      end
  | Tpat_variant (l, None, _) ->
      fprintf ppf "`%s" l
  | Tpat_variant (l, Some w, _) ->
      fprintf ppf "@[<2>`%s@ %a@]" l pretty_arg w
  | Tpat_record lvs ->
      fprintf ppf "@[{%a}@]"
        (pretty_lvals (get_record_labels v.pat_type v.pat_env))
        (List.filter
           (function
             | (_,{pat_desc=Tpat_any}) -> false (* do not show lbl=_ *)
             | _ -> true) lvs)
  | Tpat_array vs ->
      fprintf ppf "@[[| %a |]@]" (pretty_vals " ;") vs
  | Tpat_alias (v,x) ->
      fprintf ppf "@[(%a@ as %a)@]" pretty_val v Ident.print x
  | Tpat_or (v,w,_)    ->
      fprintf ppf "@[(%a|@,%a)@]" pretty_or v pretty_or w

and pretty_car ppf v = match v.pat_desc with
| Tpat_construct ({cstr_tag=tag}, [_ ; _])
    when is_cons tag v ->
      fprintf ppf "(%a)" pretty_val v
| _ -> pretty_val ppf v

and pretty_cdr ppf v = match v.pat_desc with
| Tpat_construct ({cstr_tag=tag}, [v1 ; v2])
    when is_cons tag v ->
      fprintf ppf "%a::@,%a" pretty_car v1 pretty_cdr v2
| _ -> pretty_val ppf v

and pretty_arg ppf v = match v.pat_desc with
| Tpat_construct (_,_::_) -> fprintf ppf "(%a)" pretty_val v
|  _ -> pretty_val ppf v

and pretty_or ppf v = match v.pat_desc with
| Tpat_or (v,w,_) ->
    fprintf ppf "%a|@,%a" pretty_or v pretty_or w
| _ -> pretty_val ppf v

and pretty_vals sep ppf = function
  | [] -> ()
  | [v] -> pretty_val ppf v
  | v::vs ->
      fprintf ppf "%a%s@ %a" pretty_val v sep (pretty_vals sep) vs

and pretty_lvals lbls ppf = function
  | [] -> ()
  | [lbl,v] ->
      let name = find_label lbl lbls in
      fprintf ppf "%s=%a" name pretty_val v
  | (lbl,v)::rest ->
      let name = find_label lbl lbls in
      fprintf ppf "%s=%a;@ %a" name pretty_val v (pretty_lvals lbls) rest

let top_pretty ppf v =
  fprintf ppf "@[%a@]@?" pretty_val v


let prerr_pat v =
  top_pretty str_formatter v ;
  prerr_string (flush_str_formatter ())
  

(****************************)
(* Utilities for matching   *)
(****************************)

(* Check top matching *)
let simple_match p1 p2 = 
  match p1.pat_desc, p2.pat_desc with
  | Tpat_construct(c1, _), Tpat_construct(c2, _) ->
      c1.cstr_tag = c2.cstr_tag
  | Tpat_variant(l1, _, _), Tpat_variant(l2, _, _) ->
      l1 = l2
  | Tpat_constant(Const_float s1), Tpat_constant(Const_float s2) ->
      float_of_string s1 = float_of_string s2
  | Tpat_constant(c1), Tpat_constant(c2) -> c1 = c2
  | Tpat_tuple _, Tpat_tuple _ -> true
  | Tpat_record _ , Tpat_record _ -> true
  | Tpat_array p1s, Tpat_array p2s -> List.length p1s = List.length p2s
  | _, (Tpat_any | Tpat_var(_)) -> true
  | _, _ -> false




(* extract record fields as a whole *)
let record_arg p = match p.pat_desc with
| Tpat_any -> []
| Tpat_record args -> args
| _ -> fatal_error "Parmatch.as_record"


(* Raise Not_found when pos is not present in arg *)


let get_field pos arg =
  let _,p = List.find (fun (lbl,_) -> pos = lbl.lbl_pos) arg in
  p


let extract_fields omegas arg =
  List.map
    (fun (lbl,_) ->
      try
        get_field lbl.lbl_pos arg
      with Not_found -> omega)
    omegas



let sort_record p = match p.pat_desc with
| Tpat_record args ->
    make_pat
      (Tpat_record (sort_fields args))
      p.pat_type p.pat_env
| _ -> p

let all_record_args lbls = match lbls with
| ({lbl_all=lbl_all},_)::_ ->
    let t =
      Array.map
        (fun lbl -> lbl,omega) lbl_all in
    List.iter
      (fun ((lbl,_) as x) ->  t.(lbl.lbl_pos) <- x)
      lbls ;
    Array.to_list t
|  _ -> fatal_error "Parmatch.all_record_args"


(* Build argument list when p2 >= p1, where p1 is a simple pattern *)
let rec simple_match_args p1 p2 = match p2.pat_desc with
| Tpat_alias (p2,_) -> simple_match_args p1 p2
| Tpat_construct(cstr, args) -> args
| Tpat_variant(lab, Some arg, _) -> [arg]
| Tpat_tuple(args)  -> args
| Tpat_record(args) ->  extract_fields (record_arg p1) args
| Tpat_array(args) -> args
| (Tpat_any | Tpat_var(_)) ->
    begin match p1.pat_desc with
      Tpat_construct(_, args) -> omega_list args
    | Tpat_variant(_, Some _, _) -> [omega]
    | Tpat_tuple(args) -> omega_list args
    | Tpat_record(args) ->  omega_list args
    | Tpat_array(args) ->  omega_list args
    | _ -> []
    end
| _ -> []

(*
  Normalize a pattern ->
   all arguments are omega (simple pattern) and no more variables
*)

let rec normalize_pat q = match q.pat_desc with
  | Tpat_any | Tpat_constant _ -> q
  | Tpat_var _ -> make_pat Tpat_any q.pat_type q.pat_env
  | Tpat_alias (p,_) -> normalize_pat p
  | Tpat_tuple (args) ->
      make_pat (Tpat_tuple (omega_list args)) q.pat_type q.pat_env
  | Tpat_construct  (c,args) ->
      make_pat (Tpat_construct (c,omega_list args)) q.pat_type q.pat_env
  | Tpat_variant (l, arg, row) ->
      make_pat (Tpat_variant (l, may_map (fun _ -> omega) arg, row))
        q.pat_type q.pat_env
  | Tpat_array (args) ->
      make_pat (Tpat_array (omega_list args))  q.pat_type q.pat_env
  | Tpat_record (largs) ->
      make_pat (Tpat_record (List.map (fun (lbl,_) -> lbl,omega) largs))
        q.pat_type q.pat_env
  | Tpat_or _ -> fatal_error "Parmatch.normalize_pat"


(*
  Build normalized (cf. supra) discriminating pattern,
  in the non-data type case
*)

let discr_pat q pss =

  let rec acc_pat acc pss = match pss with
    ({pat_desc = Tpat_alias (p,_)}::ps)::pss -> 
        acc_pat acc ((p::ps)::pss)
  | ({pat_desc = Tpat_or (p1,p2,_)}::ps)::pss ->
        acc_pat acc ((p1::ps)::(p2::ps)::pss)
  | ({pat_desc = (Tpat_any | Tpat_var _)}::_)::pss ->
        acc_pat acc pss
  | (({pat_desc = Tpat_tuple _} as p)::_)::_ -> normalize_pat p
  | (({pat_desc = Tpat_record largs} as p)::_)::pss ->
      let new_omegas =
        List.fold_left
          (fun r (lbl,_) ->
            try
              let _ = get_field lbl.lbl_pos r in
              r
            with Not_found ->
              (lbl,omega)::r)
          (record_arg acc)
          largs in
      acc_pat
        (make_pat (Tpat_record new_omegas) p.pat_type p.pat_env)
        pss
  | _ -> acc in

  match normalize_pat q with
  | {pat_desc= (Tpat_any | Tpat_record _)} as q ->
      sort_record (acc_pat q pss)
  | q -> q

(*
   In case a matching value is found, set actual arguments
   of the matching pattern.
*)

let rec read_args xs r = match xs,r with
| [],_ -> [],r
| _::xs, arg::rest ->
   let args,rest = read_args xs rest in
   arg::args,rest
| _,_ ->
    fatal_error "Parmatch.read_args"

let do_set_args erase_mutable q r = match q with
| {pat_desc = Tpat_tuple omegas} ->
    let args,rest = read_args omegas r in
    make_pat (Tpat_tuple args) q.pat_type q.pat_env::rest
| {pat_desc = Tpat_record omegas} ->
    let args,rest = read_args omegas r in
    make_pat
      (Tpat_record
         (List.map2 (fun (lbl,_) arg ->
           if
             erase_mutable &&
             (match lbl.lbl_mut with
             | Mutable -> true | Immutable -> false)
           then
             lbl, omega
           else
             lbl,arg)
            omegas args))
      q.pat_type q.pat_env::
    rest
| {pat_desc = Tpat_construct (c,omegas)} ->
    let args,rest = read_args omegas r in
    make_pat
      (Tpat_construct (c,args)) q.pat_type q.pat_env::
    rest
| {pat_desc = Tpat_variant (l, omega, row)} ->
    let arg, rest =
      match omega, r with
        Some _, a::r -> Some a, r
      | None, r -> None, r
      | _ -> assert false
    in
    make_pat
      (Tpat_variant (l, arg, row)) q.pat_type q.pat_env::
    rest
| {pat_desc = Tpat_array omegas} ->
    let args,rest = read_args omegas r in
    make_pat
      (Tpat_array args) q.pat_type q.pat_env::
    rest
| {pat_desc=Tpat_constant _|Tpat_any} ->
    q::r (* case any is used in matching.ml *)
| _ -> fatal_error "Parmatch.set_args"

let set_args q r = do_set_args false q r
and set_args_erase_mutable q r = do_set_args true q r

(* filter pss acording to pattern q *)
let filter_one q pss =
  let rec filter_rec = function
      ({pat_desc = Tpat_alias(p,_)}::ps)::pss -> 
        filter_rec ((p::ps)::pss)
    | ({pat_desc = Tpat_or(p1,p2,_)}::ps)::pss ->
        filter_rec ((p1::ps)::(p2::ps)::pss)
    | (p::ps)::pss ->
        if simple_match q p
        then (simple_match_args q p @ ps) :: filter_rec pss
        else filter_rec pss
    | _ -> [] in
  filter_rec pss

(*
  Filter pss in the ``extra case''. This applies :
  - According to an extra constructor (datatype case, non-complete signature).
  - Acordinng to anything (all-variables case).
*)
let filter_extra pss =
  let rec filter_rec = function
      ({pat_desc = Tpat_alias(p,_)}::ps)::pss -> 
        filter_rec ((p::ps)::pss)
    | ({pat_desc = Tpat_or(p1,p2,_)}::ps)::pss ->
        filter_rec ((p1::ps)::(p2::ps)::pss)
    | ({pat_desc = (Tpat_any | Tpat_var(_))} :: qs) :: pss ->
        qs :: filter_rec pss
    | _::pss  -> filter_rec pss
    | [] -> [] in
  filter_rec pss

(* 
  Pattern p0 is the discriminating pattern,
  returns [(q0,pss0) ; ... ; (qn,pssn)]
  where the qi's are simple patterns and the pssi's are
  matched matrices.

  NOTES
   * (qi,[]) is impossible.
   * In the case when matching is useless (all-variable case),
     returns []
*)

let filter_all pat0 pss =

  let rec insert q qs env =
    match env with
      [] ->
        let q0 = normalize_pat q in
        [q0, [simple_match_args q0 q @ qs]]
    | ((q0,pss) as c)::env ->
        if simple_match q0 q
        then (q0, ((simple_match_args q0 q @ qs) :: pss)) :: env
        else c :: insert q qs env in

  let rec filter_rec env = function
    ({pat_desc = Tpat_alias(p,_)}::ps)::pss ->
      filter_rec env ((p::ps)::pss)
  | ({pat_desc = Tpat_or(p1,p2,_)}::ps)::pss ->
      filter_rec env ((p1::ps)::(p2::ps)::pss)
  | ({pat_desc = (Tpat_any | Tpat_var(_))}::_)::pss ->
      filter_rec env pss
  | (p::ps)::pss ->
      filter_rec (insert p ps env) pss
  | _ -> env

  and filter_omega env = function
    ({pat_desc = Tpat_alias(p,_)}::ps)::pss ->
      filter_omega env ((p::ps)::pss)
  | ({pat_desc = Tpat_or(p1,p2,_)}::ps)::pss ->
      filter_omega env ((p1::ps)::(p2::ps)::pss)
  | ({pat_desc = (Tpat_any | Tpat_var(_))}::ps)::pss ->
      filter_omega
        (List.map (fun (q,qss) -> (q,(simple_match_args q omega @ ps) :: qss)) env)
        pss
  | _::pss -> filter_omega env pss
  | [] -> env in
        
  filter_omega
    (filter_rec
      (match pat0.pat_desc with
        (Tpat_record(_) | Tpat_tuple(_)) -> [pat0,[]]
      | _ -> [])
      pss)
    pss

(* Variant related functions *)

let rec set_last a = function
    [] -> []
  | [_] -> [a]
  | x::l -> x :: set_last a l

(* mark constructor lines for failure when they are incomplete *)
let rec mark_partial = function
    ({pat_desc = Tpat_alias(p,_)}::ps)::pss -> 
      mark_partial ((p::ps)::pss)
  | ({pat_desc = Tpat_or(p1,p2,_)}::ps)::pss ->
      mark_partial ((p1::ps)::(p2::ps)::pss)
  | ({pat_desc = (Tpat_any | Tpat_var(_))} :: _ as ps) :: pss ->
      ps :: mark_partial pss
  | ps::pss  ->
      (set_last zero ps) :: mark_partial pss
  | [] -> []

let close_variant env row =
  let row = Btype.row_repr row in
  let nm =
    List.fold_left
      (fun nm (tag,f) ->
        match Btype.row_field_repr f with
        | Reither(_, _, false, e) ->
            (* m=false means that this tag is not explicitly matched *)
            Btype.set_row_field e Rabsent;
            None
        | Rabsent | Reither (_, _, true, _) | Rpresent _ -> nm)
      row.row_name row.row_fields in
  if not row.row_closed || nm != row.row_name then begin
    (* this unification cannot fail *)
    Ctype.unify env row.row_more
      (Btype.newgenty
         (Tvariant {row with row_fields = []; row_more = Btype.newgenvar();
                    row_closed = true; row_name = nm}))
  end

(*
  Check whether the first column of env makes up a complete signature or
  not.
*)      

let full_match closing env =  match env with
| ({pat_desc = Tpat_construct ({cstr_tag=Cstr_exception _},_)},_)::_ ->
    false
| ({pat_desc = Tpat_construct(c,_)},_) :: _ ->
    List.length env = c.cstr_consts + c.cstr_nonconsts
| ({pat_desc = Tpat_variant(_,_,row)},_) :: _ ->
    let fields =
      List.map
        (function ({pat_desc = Tpat_variant (tag, _, _)}, _) -> tag
          | _ -> assert false)
        env
    in
    let row = Btype.row_repr row in
    if closing && not row.row_fixed then
      (* closing=true, we are considering the variant as closed *)
      List.for_all
        (fun (tag,f) ->
          match Btype.row_field_repr f with
            Rabsent | Reither(_, _, false, _) -> true
          | Reither (_, _, true, _)
              (* m=true, do not discard matched tags, rather warn *)
          | Rpresent _ -> List.mem tag fields)
        row.row_fields
    else
      row.row_closed &&
      List.for_all
        (fun (tag,f) ->
          Btype.row_field_repr f = Rabsent || List.mem tag fields)
        row.row_fields
| ({pat_desc = Tpat_constant(Const_char _)},_) :: _ ->
    List.length env = 256
| ({pat_desc = Tpat_constant(_)},_) :: _ -> false
| ({pat_desc = Tpat_tuple(_)},_) :: _ -> true
| ({pat_desc = Tpat_record(_)},_) :: _ -> true
| ({pat_desc = Tpat_array(_)},_) :: _ -> false
| _ -> fatal_error "Parmatch.full_match"

let extendable_match env = match env with
| ({pat_desc = Tpat_construct({cstr_tag=(Cstr_constant _|Cstr_block _)},_)} as p,_) :: _ ->
    let path = get_type_path p.pat_type p.pat_env in
    not
      (Path.same path Predef.path_bool ||
      Path.same path Predef.path_list ||
      Path.same path Predef.path_option)
| _ -> false


let should_extend ext env = match ext with
| None -> false
| Some ext -> match env with
  | ({pat_desc =
       Tpat_construct({cstr_tag=(Cstr_constant _|Cstr_block _)},_)} as p,_)
    :: _ ->
      let path = get_type_path p.pat_type p.pat_env in
      Path.same path ext
  | _ -> false

(* complement constructor tags *)
let complete_tags nconsts nconstrs tags =
  let seen_const = Array.create nconsts false
  and seen_constr = Array.create nconstrs false in
  List.iter
    (function
      | Cstr_constant i -> seen_const.(i) <- true
      | Cstr_block i -> seen_constr.(i) <- true
      | _  -> assert false)
    tags ;
  let r = ref [] in
  for i = 0 to nconsts-1 do
    if not seen_const.(i) then
      r := Cstr_constant i :: !r
  done ;
  for i = 0 to nconstrs-1 do
    if not seen_constr.(i) then
      r := Cstr_block i :: !r
  done ;  
  !r

(* build a pattern from a constructor list *)
let pat_of_constr ex_pat cstr =
 {ex_pat with pat_desc = Tpat_construct (cstr,omegas cstr.cstr_arity)}
    
let rec pat_of_constrs ex_pat = function
| [] -> raise Empty
| [cstr] -> pat_of_constr ex_pat cstr
| cstr::rem ->    
    {ex_pat with
    pat_desc=
      Tpat_or
        (pat_of_constr ex_pat cstr,
         pat_of_constrs ex_pat rem, None)}

(* Sends back a pattern that complements constructor tags all_tag *)
let complete_constrs p all_tags = match p.pat_desc with
| Tpat_construct (c,_) ->
    begin try
      let not_tags = complete_tags  c.cstr_consts c.cstr_nonconsts all_tags in
      List.map
        (fun tag ->
          let _,targs = get_constr tag p.pat_type p.pat_env in
          {c with
      cstr_tag = tag ;
      cstr_args = targs ;
      cstr_arity = List.length targs})
        not_tags
with
| Datarepr.Constr_not_found ->
    fatal_error "Parmatch.complete_constr: constr_not_found"
    end
| _ -> fatal_error "Parmatch.complete_constr"


(* Auxiliary for build_other *)

let build_other_constant proj make first next p env =
  let all = List.map (fun (p, _) -> proj p.pat_desc) env in
  let rec try_const i =
    if List.mem i all
    then try_const (next i)
    else make_pat (make i) p.pat_type p.pat_env
  in try_const first

(*
  Builds a pattern that is incompatible with all patterns in
  in the first column of env
*)

let build_other ext env =  match env with
| ({pat_desc = Tpat_construct ({cstr_tag=Cstr_exception _} as c,_)},_)
  ::_ ->
    make_pat
      (Tpat_construct
         ({c with
           cstr_tag=(Cstr_exception
            (Path.Pident (Ident.create "*exception*")))},
          []))
      Ctype.none Env.empty
| ({pat_desc = Tpat_construct (_,_)} as p,_) :: _ ->
    begin match ext with
    | Some ext when Path.same ext (get_type_path p.pat_type p.pat_env) ->
        extra_pat
    | _ ->
        let get_tag = function
          | {pat_desc = Tpat_construct (c,_)} -> c.cstr_tag
          | _ -> fatal_error "Parmatch.get_tag" in
        let all_tags =  List.map (fun (p,_) -> get_tag p) env in
        pat_of_constrs p (complete_constrs p all_tags)
    end
| ({pat_desc = Tpat_variant(_,_,row)} as p,_) :: _ ->
    let tags =
      List.map
        (function ({pat_desc = Tpat_variant (tag, _, _)}, _) -> tag
                | _ -> assert false)
        env
    in
    let row = Btype.row_repr row in
    let make_other_pat tag const =
      let arg = if const then None else Some omega in
      make_pat (Tpat_variant(tag, arg, row)) p.pat_type p.pat_env in
    begin match
      List.fold_left
        (fun others (tag,f) ->
          if List.mem tag tags then others else
          match Btype.row_field_repr f with
            Rabsent (* | Reither _ *) -> others
          (* This one is called after erasing pattern info *)
          | Reither (c, _, _, _) -> make_other_pat tag c :: others
          | Rpresent arg -> make_other_pat tag (arg = None) :: others)
        [] row.row_fields
    with
      [] ->
        make_other_pat "AnyExtraTag" true
    | pat::other_pats ->
        List.fold_left
          (fun p_res pat ->
            make_pat (Tpat_or (pat, p_res, None)) p.pat_type p.pat_env)
          pat other_pats
    end
| ({pat_desc = Tpat_constant(Const_char _)} as p,_) :: _ ->
    let all_chars =
      List.map
        (fun (p,_) -> match p.pat_desc with
        | Tpat_constant (Const_char c) -> c
        | _ -> assert false)
        env in
    
    let rec find_other i imax =
      if i > imax then raise Not_found
      else
        let ci = Char.chr i in
        if List.mem ci all_chars then
          find_other (i+1) imax
        else
          make_pat (Tpat_constant (Const_char ci)) p.pat_type p.pat_env in
    let rec try_chars = function
      | [] -> omega
      | (c1,c2) :: rest ->
          try
            find_other (Char.code c1) (Char.code c2)
          with
          | Not_found -> try_chars rest in

    try_chars
      [ 'a', 'z' ; 'A', 'Z' ; '0', '9' ;
        ' ', '~' ; Char.chr 0 , Char.chr 255]

| ({pat_desc=(Tpat_constant (Const_int _))} as p,_) :: _ ->
    build_other_constant
      (function Tpat_constant(Const_int i) -> i | _ -> assert false)
      (function i -> Tpat_constant(Const_int i))
      0 succ p env
| ({pat_desc=(Tpat_constant (Const_int32 _))} as p,_) :: _ ->
    build_other_constant
      (function Tpat_constant(Const_int32 i) -> i | _ -> assert false)
      (function i -> Tpat_constant(Const_int32 i))
      0l Int32.succ p env
| ({pat_desc=(Tpat_constant (Const_int64 _))} as p,_) :: _ ->
    build_other_constant
      (function Tpat_constant(Const_int64 i) -> i | _ -> assert false)
      (function i -> Tpat_constant(Const_int64 i))
      0L Int64.succ p env
| ({pat_desc=(Tpat_constant (Const_nativeint _))} as p,_) :: _ ->
    build_other_constant
      (function Tpat_constant(Const_nativeint i) -> i | _ -> assert false)
      (function i -> Tpat_constant(Const_nativeint i))
      0n Nativeint.succ p env
| ({pat_desc=(Tpat_constant (Const_string _))} as p,_) :: _ ->
    build_other_constant
      (function Tpat_constant(Const_string s) -> String.length s
              | _ -> assert false)
      (function i -> Tpat_constant(Const_string(String.make i '*')))
      0 succ p env
| ({pat_desc=(Tpat_constant (Const_float _))} as p,_) :: _ ->
    build_other_constant
      (function Tpat_constant(Const_float f) -> float_of_string f
              | _ -> assert false)
      (function f -> Tpat_constant(Const_float (string_of_float f)))
      0.0 (fun f -> f +. 1.0) p env

| ({pat_desc = Tpat_array args} as p,_)::_ ->
    let all_lengths =
      List.map
        (fun (p,_) -> match p.pat_desc with
        | Tpat_array args -> List.length args
        | _ -> assert false)
        env in
    let rec try_arrays l =
      if List.mem l all_lengths then try_arrays (l+1)
      else
        make_pat
          (Tpat_array (omegas l))
          p.pat_type p.pat_env in
    try_arrays 0
| [] -> omega
| _ -> omega  

(*
  Core function :
  Is the last row of pattern matrix pss + qs satisfiable ?
  That is :
    Does there exists at least one value vector, es such that :
     1- for all ps in pss ps # es (ps and es are not compatible)
     2- qs <= es                  (es matches qs)
*)

let rec has_instance p = match p.pat_desc with
  | Tpat_variant (l,_,r) when is_absent l r -> false
  | Tpat_any | Tpat_var _ | Tpat_constant _ | Tpat_variant (_,None,_) -> true
  | Tpat_alias (p,_) | Tpat_variant (_,Some p,_) -> has_instance p
  | Tpat_or (p1,p2,_) -> has_instance p1 || has_instance p2
  | Tpat_construct (_,ps) | Tpat_tuple ps | Tpat_array ps -> has_instances ps
  | Tpat_record lps -> has_instances (List.map snd lps)
      
and has_instances = function
  | [] -> true
  | q::rem -> has_instance q && has_instances rem
  
let rec satisfiable pss qs = match pss with
| [] -> has_instances qs 
| _  ->
    match qs with
    | [] -> false
    | {pat_desc = Tpat_or(q1,q2,_)}::qs -> 
        satisfiable pss (q1::qs) || satisfiable pss (q2::qs)
    | {pat_desc = Tpat_alias(q,_)}::qs ->
          satisfiable pss (q::qs)
    | {pat_desc = (Tpat_any | Tpat_var(_))}::qs ->
        let q0 = discr_pat omega pss in
        begin match filter_all q0 pss with
          (* first column of pss is made of variables only *)
        | [] -> satisfiable (filter_extra pss) qs
        | constrs  ->
            if full_match false constrs then
              List.exists
                (fun (p,pss) ->
                  not (is_absent_pat p) &&
                  satisfiable pss (simple_match_args p omega @ qs))
                constrs
            else
              satisfiable (filter_extra pss) qs
        end
    | {pat_desc=Tpat_variant (l,_,r)}::_ when is_absent l r -> false
    | q::qs ->
        let q0 = discr_pat q pss in
        satisfiable (filter_one q0 pss) (simple_match_args q0 q @ qs)

(*
  Now another satisfiable function that additionally
  supplies an example of a matching value.

  This function should be called for exhaustiveness check only.
*)

type 'a result = 
  | Rnone           (* No matching value *)
  | Rsome of 'a     (* This matching value *)

let rec try_many f = function
  | [] -> Rnone
  | x::rest ->
      begin match f x with
      | Rnone -> try_many f rest
      | r -> r
      end

let rec exhaust ext pss n = match pss with
| []    ->  Rsome (omegas n)
| []::_ ->  Rnone
| pss   ->
    let q0 = discr_pat omega pss in
    begin match filter_all q0 pss with
          (* first column of pss is made of variables only *)
    | [] ->
        begin match exhaust ext (filter_extra pss) (n-1) with
        | Rsome r -> Rsome (q0::r)
        | r -> r
      end
    | constrs ->          
        let try_non_omega (p,pss) =
          if is_absent_pat p then
            Rnone
          else
            match
              exhaust
                ext pss (List.length (simple_match_args p omega) + n - 1)
            with
            | Rsome r -> Rsome (set_args p r)
            | r       -> r in
        if
          full_match false constrs && not (should_extend ext constrs)
        then
          try_many try_non_omega constrs
        else
          (*
             D = filter_extra pss is the default matrix
             as it is included in pss, one can avoid
             recursive calls on specialized matrices,
             Essentially :
             * D exhaustive => pss exhaustive
             * D non-exhaustive => we have a non-filtered value
          *)
          let r =  exhaust ext (filter_extra pss) (n-1) in
          match r with
          | Rnone -> Rnone
          | Rsome r ->
              try
                Rsome (build_other ext constrs::r)
              with
      (* cannot occur, since constructors don't make a full signature *)
              | Empty -> fatal_error "Parmatch.exhaust"
    end

(*
   Another exhaustiveness check, enforcing variant typing.
   Note that it does not check exact exhaustiveness, but whether a
   matching could be made exhaustive by closing all variant types.
   When this is true of all other columns, the current column is left
   open (even if it means that the whole matching is not exhaustive as
   a result).
   When this is false for the matrix minus the current column, and the
   current column is composed of variant tags, we close the variant
   (even if it doesn't help in making the matching exhaustive).
*)

let rec pressure_variants tdefs = function
  | []    -> false
  | []::_ -> true
  | pss   ->
      let q0 = discr_pat omega pss in
      begin match filter_all q0 pss with
        [] -> pressure_variants tdefs (filter_extra pss)
      | constrs ->   
          let rec try_non_omega = function
              (p,pss) :: rem ->
                let ok = pressure_variants tdefs pss in
                try_non_omega rem && ok
            | [] -> true
          in
          if full_match (tdefs=None) constrs then
            try_non_omega constrs
          else if tdefs = None then
            pressure_variants None (filter_extra pss)
          else
            let full = full_match true constrs in
            let ok =
              if full then try_non_omega constrs
              else try_non_omega (filter_all q0 (mark_partial pss))
            in
            begin match constrs, tdefs with
              ({pat_desc=Tpat_variant(_,_,row)},_):: _, Some env ->
                let row = Btype.row_repr row in
                if row.row_fixed
                || pressure_variants None (filter_extra pss) then ()
                else close_variant env row
            | _ -> ()
            end;
            ok
      end


(* Yet another satisfiable fonction *)

(*
   This time every_satisfiable pss qs checks the
   utility of every expansion of qs.
   Expansion means expansion of or-patterns inside qs
*)

type answer =
  | Used                                (* Useful pattern *)
  | Unused                              (* Useless pattern *)
  | Upartial of Typedtree.pattern list  (* Neither, with list of useless pattern *)


let pretty_pat p =
  top_pretty Format.str_formatter p ;
  prerr_string (Format.flush_str_formatter ())

type matrix = pattern list list

let pretty_line ps =
  List.iter
    (fun p ->
      top_pretty Format.str_formatter p ;
      prerr_string " <" ;
      prerr_string (Format.flush_str_formatter ()) ;
      prerr_string ">")
    ps

let pretty_matrix pss =
  prerr_endline "begin matrix" ;
  List.iter
    (fun ps ->
      pretty_line ps ;
      prerr_endline "")
    pss ;
  prerr_endline "end matrix"
  
(* this row type enable column processing inside the matrix 
    - left  ->  elements not to be processed,
    - right ->  elements to be processed
*)
type 'a row = {no_ors : 'a list ; ors : 'a list ; active : 'a list}


let pretty_row {ors=ors ; no_ors=no_ors; active=active} =
  pretty_line ors ; prerr_string " *" ;
  pretty_line no_ors ; prerr_string " *" ;
  pretty_line active

let pretty_rows rs =
  prerr_endline "begin matrix" ;
  List.iter
    (fun r ->
      pretty_row r ;
      prerr_endline "")
    rs ;
  prerr_endline "end matrix"

(* Initial build *)
let make_row ps = {ors=[] ; no_ors=[]; active=ps}

let make_rows pss = List.map make_row pss


(* Useful to detect and expand  or pats inside as pats *)
let rec unalias p = match p.pat_desc with
| Tpat_alias (p,_) -> unalias p
| _ -> p


let is_var p = match (unalias p).pat_desc with
| Tpat_any|Tpat_var _ -> true
| _                   -> false

let is_var_column rs =
  List.for_all
    (fun r -> match r.active with
    | p::_ -> is_var p
    | []   -> assert false)
    rs

(* Standard or-args for left-to-right matching *)
let rec or_args p = match p.pat_desc with
| Tpat_or (p1,p2,_) -> p1,p2
| Tpat_alias (p,_)  -> or_args p
| _                 -> assert false

(* Just remove current column *)
let remove r = match r.active with
| _::rem -> {r with active=rem}
| []     -> assert false

let remove_column rs = List.map remove rs
    
(* Current column has been processed *)
let push_no_or r = match r.active with
| p::rem -> { r with no_ors = p::r.no_ors ; active=rem}
| [] -> assert false

let push_or r = match r.active with
| p::rem -> { r with ors = p::r.ors ; active=rem}
| [] -> assert false

let push_or_column rs = List.map push_or rs
and push_no_or_column rs = List.map push_no_or rs

(* Those are adaptations of the previous homonymous functions that
   work on the current column, instead of the first column
*)

let discr_pat q rs = 
  discr_pat q (List.map (fun r -> r.active) rs)

let filter_one q rs =
  let rec filter_rec rs = match rs with
  | [] -> []
  | r::rem ->
      match r.active with
      | [] -> assert false
      | {pat_desc = Tpat_alias(p,_)}::ps ->
          filter_rec ({r with active = p::ps}::rem)
      | {pat_desc = Tpat_or(p1,p2,_)}::ps ->
          filter_rec
            ({r with active = p1::ps}::
             {r with active = p2::ps}::
             rem)
      | p::ps ->
          if simple_match q p then
            {r with active=simple_match_args q p @ ps} :: filter_rec rem
          else
            filter_rec rem in
  filter_rec rs


(* Back to normal matrices *)
let make_vector r = r.no_ors

let make_matrix rs = List.map make_vector rs


(* Standard union on answers *)
let union_res r1 r2 = match r1, r2 with
| (Unused,_)
| (_, Unused) -> Unused
| Used,_    -> r2
| _, Used   -> r1
| Upartial u1, Upartial u2 -> Upartial (u1@u2)

(* propose or pats for expansion *)
let extract_elements qs =
  let rec do_rec seen = function
    | [] -> []
    | q::rem ->
        {no_ors= List.rev_append seen rem @ qs.no_ors ;
        ors=[] ;
        active = [q]}::
        do_rec (q::seen) rem in
  do_rec [] qs.ors

(* idem for matrices *)
let transpose rs = match rs with
| [] -> assert false
| r::rem ->
    let i = List.map (fun x -> [x]) r in
    List.fold_left
      (List.map2 (fun r x -> x::r))
      i rem

let extract_columns pss qs = match pss with
| [] -> List.map (fun _ -> []) qs.ors
| _  ->
  let rows = List.map extract_elements pss in
  transpose rows

(* Core function
   The idea is to first look for or patterns (recursive case), then
   check or-patterns argument usefulness (terminal case)
*)

let rec every_satisfiables pss qs = match qs.active with
| []     ->
    (* qs is now partitionned,  check usefulness *)
    begin match qs.ors with
    | [] -> (* no or-patterns *)
        if satisfiable (make_matrix pss) (make_vector qs) then
          Used
        else
          Unused
    | _  -> (* n or-patterns -> 2n expansions *)
        List.fold_right2
          (fun pss qs r -> match r with
          | Unused -> Unused
          | _ ->
              match qs.active with
              | [q] ->
                  let q1,q2 = or_args q in
                  let r_loc = every_both pss qs q1 q2 in
                  union_res r r_loc
              | _   -> assert false)
          (extract_columns pss qs) (extract_elements qs)
          Used
    end
| q::rem ->
    let uq = unalias q in
    begin match uq.pat_desc with
    | Tpat_any | Tpat_var _ ->
        if is_var_column pss then
(* forget about ``all-variable''  columns now *)
          every_satisfiables (remove_column pss) (remove qs)
        else
(* otherwise this is direct food for satisfiable *)
          every_satisfiables (push_no_or_column pss) (push_no_or qs)
    | Tpat_or (q1,q2,_) ->
        if
          q1.pat_loc.Location.loc_ghost &&
          q2.pat_loc.Location.loc_ghost
        then
(* syntactically generated or-pats should not be expanded *)
          every_satisfiables (push_no_or_column pss) (push_no_or qs)
        else 
(* this is a real or-pattern *)
          every_satisfiables (push_or_column pss) (push_or qs)
    | Tpat_variant (l,_,r) when is_absent l r -> (* Ah Jacques... *)
        Unused
    | _ ->
(* standard case, filter matrix *)
        let q0 = discr_pat q pss in
        every_satisfiables
          (filter_one q0 pss)
          {qs with active=simple_match_args q0 q @ rem}
    end

(*
  This function ``every_both'' performs the usefulness check
  of or-pat q1|q2.
  The trick is to call every_satisfied twice with
  current active columns restricted to q1 and q2,
  That way,
  - others orpats in qs.ors will not get expanded.
  - all matching work performed on qs.no_ors is not performed again.
  *)
and every_both pss qs q1 q2 =
  let qs1 = {qs with active=[q1]}
  and qs2 =  {qs with active=[q2]} in
  let r1 = every_satisfiables pss qs1
  and r2 =  every_satisfiables (if compat q1 q2 then qs1::pss else pss) qs2 in
  match r1 with
  | Unused ->
      begin match r2 with
      | Unused -> Unused
      | Used   -> Upartial [q1]
      | Upartial u2 -> Upartial (q1::u2)
      end
  | Used ->
      begin match r2 with
      | Unused -> Upartial [q2]
      | _      -> r2
      end
  | Upartial u1 ->
      begin match r2 with
      | Unused -> Upartial (u1@[q2])
      | Used   -> r1
      | Upartial u2 -> Upartial (u1 @ u2)
      end

  


(* le_pat p q  means, forall V,  V matches q implies V matches p *)
let rec le_pat p q =
  match (p.pat_desc, q.pat_desc) with
  | (Tpat_var _|Tpat_any),_ -> true
  | Tpat_alias(p,_), _ -> le_pat p q
  | _, Tpat_alias(q,_) -> le_pat p q
  | Tpat_constant(c1), Tpat_constant(c2) -> c1 = c2
  | Tpat_construct(c1,ps), Tpat_construct(c2,qs) ->
      c1.cstr_tag = c2.cstr_tag && le_pats ps qs
  | Tpat_variant(l1,Some p1,_), Tpat_variant(l2,Some p2,_) ->
      (l1 = l2 && le_pat p1 p2)
  | Tpat_variant(l1,None,r1), Tpat_variant(l2,None,_) ->
      l1 = l2
  | Tpat_variant(_,_,_), Tpat_variant(_,_,_) -> false
  | Tpat_tuple(ps), Tpat_tuple(qs) -> le_pats ps qs
  | Tpat_record l1, Tpat_record l2 ->
      let ps,qs = records_args l1 l2 in
      le_pats ps qs
  | Tpat_array(ps), Tpat_array(qs) ->
      List.length ps = List.length qs && le_pats ps qs
(* In all other cases, enumeration is performed *)
  | _,_  -> not (satisfiable [[p]] [q])
        
and le_pats ps qs =
  match ps,qs with
    p::ps, q::qs -> le_pat p q && le_pats ps qs
  | _, _         -> true

let get_mins le ps =
  let rec select_rec r = function
      [] -> r
    | p::ps ->
        if List.exists (fun p0 -> le p0 p) ps
        then select_rec r ps
        else select_rec (p::r) ps in
  select_rec [] (select_rec [] ps)

(*
  lub p q is a pattern that matches all values matched by p and q
  may raise Empty, when p and q and not compatible
*)

let rec lub p q = match p.pat_desc,q.pat_desc with
| Tpat_alias (p,_),_      -> lub p q
| _,Tpat_alias (q,_)      -> lub p q
| (Tpat_any|Tpat_var _),_ -> q
| _,(Tpat_any|Tpat_var _) -> p
| Tpat_or (p1,p2,_),_     -> orlub p1 p2 q
| _,Tpat_or (q1,q2,_)     -> orlub q1 q2 p (* Thanks god, lub is commutative *)
| Tpat_constant c1, Tpat_constant c2 when c1=c2 -> p
| Tpat_tuple ps, Tpat_tuple qs ->
    let rs = lubs ps qs in
    make_pat (Tpat_tuple rs) p.pat_type p.pat_env
| Tpat_construct (c1,ps1), Tpat_construct (c2,ps2)
      when  c1.cstr_tag = c2.cstr_tag  ->
        let rs = lubs ps1 ps2 in
        make_pat (Tpat_construct (c1,rs)) p.pat_type p.pat_env
| Tpat_variant(l1,Some p1,row), Tpat_variant(l2,Some p2,_)
          when  l1=l2 ->
            let r=lub p1 p2 in
            make_pat (Tpat_variant (l1,Some r,row)) p.pat_type p.pat_env
| Tpat_variant (l1,None,row), Tpat_variant(l2,None,_)
              when l1 = l2 -> p
| Tpat_record l1,Tpat_record l2 ->
    let rs = record_lubs l1 l2 in
    make_pat (Tpat_record rs) p.pat_type p.pat_env
| Tpat_array ps, Tpat_array qs
      when List.length ps = List.length qs ->
        let rs = lubs ps qs in
        make_pat (Tpat_array rs) p.pat_type p.pat_env
| _,_  ->
    raise Empty

and orlub p1 p2 q =
  try    
    let r1 = lub p1 q in
    try
      {q with pat_desc=(Tpat_or (r1,lub p2 q,None))}
  with
  | Empty -> r1
with
| Empty -> lub p2 q

and record_lubs l1 l2 =
  let l1 = sort_fields l1 and l2 = sort_fields l2 in
  let rec lub_rec l1 l2 = match l1,l2 with
  | [],_ -> l2
  | _,[] -> l1
  | (lbl1,p1)::rem1, (lbl2,p2)::rem2 ->
      if lbl1.lbl_pos < lbl2.lbl_pos then
        (lbl1,p1)::lub_rec rem1 l2
      else if lbl2.lbl_pos < lbl1.lbl_pos  then
        (lbl2,p2)::lub_rec l1 rem2
      else
        (lbl1,lub p1 p2)::lub_rec rem1 rem2 in
  lub_rec l1 l2
    
and lubs ps qs = match ps,qs with
| p::ps, q::qs -> lub p q :: lubs ps qs
| _,_ -> []
      
      
(******************************)
(* Exported variant closing   *)
(******************************)

(* Apply pressure to variants *)

let pressure_variants tdefs patl =
  let pss = List.map (fun p -> [p;omega]) patl in
  ignore (pressure_variants (Some tdefs) pss)

(*****************************)
(* Utilities for diagnostics *)
(*****************************)

(*
  Build up a working pattern matrix by forgetting
  about guarded patterns
*)

let has_guard act =   match act.exp_desc with
| Texp_when(_, _) -> true
| _ -> false


let rec initial_matrix = function
    [] -> []
  | (pat, act) :: rem ->
      if has_guard act
      then
        initial_matrix rem
      else
        [pat] :: initial_matrix rem

(******************************************)
(* Look for a row that matches some value *)
(******************************************)

(*
  Useful for seeing if the example of
  non-matched value can indeed be matched
  (by a guarded clause)
*)



exception NoGuard

let rec initial_all no_guard = function
  | [] ->
      if no_guard then
        raise NoGuard
      else
        []
  | (pat, act) :: rem ->
      ([pat], pat.pat_loc) :: initial_all (no_guard && not (has_guard act)) rem


let rec do_filter_var = function
  | (_::ps,loc)::rem -> (ps,loc)::do_filter_var rem
  | _ -> []

let do_filter_one q pss =
  let rec filter_rec = function
    | ({pat_desc = Tpat_alias(p,_)}::ps,loc)::pss -> 
        filter_rec ((p::ps,loc)::pss)
    | ({pat_desc = Tpat_or(p1,p2,_)}::ps,loc)::pss ->
        filter_rec ((p1::ps,loc)::(p2::ps,loc)::pss)
    | (p::ps,loc)::pss ->
        if simple_match q p
        then (simple_match_args q p @ ps, loc) :: filter_rec pss
        else filter_rec pss
    | _ -> [] in
  filter_rec pss

let rec do_match pss qs = match qs with
| [] ->
    begin match pss  with
    | ([],loc)::_ -> Some loc
    | _ -> None
    end
| q::qs -> match q with
  | {pat_desc = Tpat_or (q1,q2,_)} ->
      begin match do_match pss (q1::qs) with
      | None -> do_match pss (q2::qs)
      | r -> r
      end
  | {pat_desc = Tpat_any} ->
      do_match (do_filter_var pss) qs
  | _ ->
      let q0 = normalize_pat q in
      do_match (do_filter_one q0 pss) (simple_match_args q0 q @ qs)

        
let check_partial_all v casel =
  try
    let pss = initial_all true casel in
    do_match pss [v]
  with
  | NoGuard -> None

(************************)
(* Exhaustiveness check *)
(************************)

let do_check_partial loc casel pss = match pss with
| [] ->
        (*
          This can occur
          - For empty matches generated by ocamlp4 (no warning)
          - when all patterns have guards (then, casel <> [])
          (specific warning)
          Then match MUST be considered non-exhaustive,
          otherwise compilation of PM is broken.
          *)
    begin match casel with
    | [] -> ()
    | _  -> Location.prerr_warning loc Warnings.All_clauses_guarded
    end ;
    Partial
| ps::_  ->      
    begin match exhaust None pss (List.length ps) with
    | Rnone -> Total
    | Rsome [v] ->
        let errmsg =
          try
            let buf = Buffer.create 16 in
            let fmt = formatter_of_buffer buf in
            top_pretty fmt v;
            begin match check_partial_all v casel with
            | None -> ()
            | Some _ ->
                  (* This is 'Some loc', where loc is the location of
                     a possibly matching clause.
                     Forget about loc, because printing two locations
                     is a pain in the top-level *)                  
                Buffer.add_string buf
                  "\n(However, some guarded clause may match this value.)"
            end ;
            Buffer.contents buf
          with _ ->
            "" in          
        Location.prerr_warning loc (Warnings.Partial_match errmsg) ;
        Partial
    | _ ->
        fatal_error "Parmatch.check_partial"
    end


(*****************)
(* Fragile check *)
(*****************)

(* Collect all data types in a pattern *)

let rec add_path path = function
  | [] -> [path]
  | x::rem as paths ->
      if Path.same path x then paths
      else x::add_path path rem

let extendable_path path =
  not
    (Path.same path Predef.path_bool ||
    Path.same path Predef.path_list ||
    Path.same path Predef.path_option)

let rec collect_paths_from_pat r p = match p.pat_desc with
| Tpat_construct({cstr_tag=(Cstr_constant _|Cstr_block _)},ps) ->
    let path =  get_type_path p.pat_type p.pat_env in
    List.fold_left
      collect_paths_from_pat
      (if extendable_path path then add_path path r else r)
      ps
| Tpat_any|Tpat_var _|Tpat_constant _| Tpat_variant (_,None,_) -> r
| Tpat_tuple ps | Tpat_array ps
| Tpat_construct ({cstr_tag=Cstr_exception _}, ps)->
    List.fold_left collect_paths_from_pat r ps
| Tpat_record lps ->
    List.fold_left
      (fun r (_,p) -> collect_paths_from_pat r p)
      r lps
| Tpat_variant (_, Some p, _) | Tpat_alias (p,_) -> collect_paths_from_pat r p
| Tpat_or (p1,p2,_) ->
    collect_paths_from_pat (collect_paths_from_pat r p1) p2
      

(*
  Actual fragile check
   1. Collect data types in the patterns of the match.
   2. One exhautivity check per datatype, considering that
      the type is extended.
*)

let do_check_fragile loc casel pss =
  let exts =
    List.fold_left
      (fun r (p,_) -> collect_paths_from_pat r p)
      [] casel in
  match exts with
  | [] -> ()
  | _ -> match pss with
    | [] -> ()
    | ps::_ ->
        List.iter
          (fun ext ->
            match exhaust (Some ext) pss (List.length ps) with
            | Rnone ->
                Location.prerr_warning
                  loc
                  (Warnings.Fragile_match (Path.name ext))
            | Rsome _ -> ())
          exts


(********************************)
(* Exported exhustiveness check *)
(********************************)

(*
   Fragile check is performed when required and
   on exhaustive matches only.
*)

let check_partial loc casel =
  if Warnings.is_active (Warnings.Partial_match "") then begin
    let pss = initial_matrix casel in
    let pss = get_mins le_pats pss in
    let total = do_check_partial loc casel pss in
    if
      total = Total && Warnings.is_active (Warnings.Fragile_match "")
    then begin
      do_check_fragile loc casel pss
    end ;
    total
  end else
    Partial


(********************************)
(* Exported unused clause check *)
(********************************)

let check_unused tdefs casel =
  if Warnings.is_active Warnings.Unused_match then
    let rec do_rec pref = function
      | [] -> ()
      | (q,act)::rem ->
          let qs = [q] in
            begin try
              let pss =
                  get_mins le_pats (List.filter (compats qs) pref) in
              let r = every_satisfiables (make_rows pss) (make_row qs) in
              match r with
              | Unused ->
                  Location.prerr_warning
                    q.pat_loc Warnings.Unused_match
              | Upartial ps ->
                  List.iter
                    (fun p ->
                      Location.prerr_warning
                        p.pat_loc Warnings.Unused_pat)
                    ps
              | Used -> ()
            with e -> assert false
            end ;
                   
          if has_guard act then
            do_rec pref rem
          else
            do_rec ([q]::pref) rem in

    do_rec [] casel
why-2.34/ml/typing/typecore.mli0000644000175000017500000001167012311670312015101 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: typecore.mli,v 1.5 2007-12-20 15:00:39 bardou Exp $ *)

(* Type inference for the core language *)

open Asttypes
open Types
open Format

val is_nonexpansive: Typedtree.expression -> bool

val type_binding:
        Env.t -> rec_flag ->
          (Parsetree.pattern * Parsetree.expression) list -> 
          (Typedtree.pattern * Typedtree.expression) list * Env.t
val type_let:
        Env.t -> rec_flag ->
          (Parsetree.pattern * Parsetree.expression) list -> 
          (Typedtree.pattern * Typedtree.expression) list * Env.t
val type_expression:
        Env.t -> Parsetree.expression -> Typedtree.expression
val type_class_arg_pattern:
        string -> Env.t -> Env.t -> label -> Parsetree.pattern ->
        Typedtree.pattern * (Ident.t * Ident.t * type_expr) list *
        Env.t * Env.t
val type_self_pattern:
        string -> type_expr -> Env.t -> Env.t -> Env.t -> Parsetree.pattern ->
        Typedtree.pattern *
        (Ident.t * type_expr) Meths.t ref *
        (Ident.t * Asttypes.mutable_flag * Asttypes.virtual_flag * type_expr)
            Vars.t ref *
        Env.t * Env.t * Env.t
val type_expect:
        ?in_function:(Location.t * type_expr) ->
        Env.t -> Parsetree.expression -> type_expr -> Typedtree.expression
val type_exp:
        Env.t -> Parsetree.expression -> Typedtree.expression
val type_approx:
        Env.t -> Parsetree.expression -> type_expr
val type_argument:
        Env.t -> Parsetree.expression -> type_expr -> Typedtree.expression

val type_invariant:
  Env.t -> Types.type_expr -> Parsetree.type_invariant ->
  Env.t * Typedtree.type_invariant
val type_axiom:
  Env.t -> Parsetree.axiom_spec -> Typedtree.axiom_spec
val type_logic_function:
  Env.t -> Location.t -> Parsetree.logic_function_spec ->
  Env.t * Typedtree.logic_function_spec

val option_some: Typedtree.expression -> Typedtree.expression
val option_none: type_expr -> Location.t -> Typedtree.expression
val extract_option_type: Env.t -> type_expr -> type_expr
val iter_pattern: (Typedtree.pattern -> unit) -> Typedtree.pattern -> unit
val reset_delayed_checks: unit -> unit
val force_delayed_checks: unit -> unit

val self_coercion : (Path.t * Location.t list ref) list ref

type error =
    Unbound_value of Longident.t
  | Unbound_constructor of Longident.t
  | Unbound_label of Longident.t
  | Polymorphic_label of Longident.t
  | Constructor_arity_mismatch of Longident.t * int * int
  | Label_mismatch of Longident.t * (type_expr * type_expr) list
  | Pattern_type_clash of (type_expr * type_expr) list
  | Multiply_bound_variable
  | Orpat_vars of Ident.t
  | Expr_type_clash of (type_expr * type_expr) list
  | Apply_non_function of type_expr
  | Apply_wrong_label of label * type_expr
  | Label_multiply_defined of Longident.t
  | Label_missing of string list
  | Label_not_mutable of Longident.t
  | Incomplete_format of string
  | Bad_conversion of string * int * char
  | Undefined_method of type_expr * string
  | Undefined_inherited_method of string
  | Unbound_class of Longident.t
  | Virtual_class of Longident.t
  | Private_type of type_expr
  | Private_label of Longident.t * type_expr
  | Unbound_instance_variable of string
  | Instance_variable_not_mutable of string
  | Not_subtype of (type_expr * type_expr) list * (type_expr * type_expr) list
  | Outside_class
  | Value_multiply_overridden of string
  | Coercion_failure of
      type_expr * type_expr * (type_expr * type_expr) list * bool
  | Too_many_arguments of bool * type_expr
  | Abstract_wrong_label of label * type_expr
  | Scoping_let_module of string * type_expr
  | Masked_instance_variable of Longident.t
  | Not_a_variant_type of Longident.t
  | Incoherent_label_order
  | Less_general of string * (type_expr * type_expr) list
  | Cannot_infer_logic_function_type of string

exception Error of Location.t * error

val report_error: formatter -> error -> unit

(* Forward declaration, to be filled in by Typemod.type_module *)
val type_module: (Env.t -> Parsetree.module_expr -> Typedtree.module_expr) ref
(* Forward declaration, to be filled in by Typeclass.class_structure *)
val type_object:
  (Env.t -> Location.t -> Parsetree.class_structure ->
   Typedtree.class_structure * class_signature * string list) ref
why-2.34/ml/typing/datarepr.mli0000644000175000017500000000275512311670312015055 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: datarepr.mli,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Compute constructor and label descriptions from type declarations,
   determining their representation. *)

open Asttypes
open Types

val constructor_descrs:
  type_expr -> (string * type_expr list) list -> private_flag ->
    (string * constructor_description) list
val exception_descr:
  Path.t -> type_expr list -> constructor_description
val label_descrs:
  type_expr -> (string * mutable_flag * type_expr) list ->
    record_representation -> private_flag -> 
    (string * label_description) list

exception Constr_not_found

val find_constr_by_tag:
  constructor_tag -> (string * type_expr list) list -> string * type_expr list
why-2.34/ml/typing/predef.mli0000644000175000017500000000442012311670312014507 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: predef.mli,v 1.2 2008-02-01 12:18:49 bardou Exp $ *)

(* Predefined type constructors (with special typing rules in typecore) *)

open Types

val type_int: type_expr
val type_char: type_expr
val type_string: type_expr
val type_float: type_expr
val type_bool: type_expr
val type_unit: type_expr
val type_exn: type_expr
val type_array: type_expr -> type_expr
val type_list: type_expr -> type_expr
val type_option: type_expr -> type_expr
val type_nativeint: type_expr
val type_int32: type_expr
val type_int64: type_expr
val type_lazy_t: type_expr -> type_expr

val path_int: Path.t
val path_char: Path.t
val path_string: Path.t
val path_float: Path.t
val path_bool: Path.t
val path_unit: Path.t
val path_exn: Path.t
val path_array: Path.t
val path_list: Path.t
val path_format6: Path.t
val path_option: Path.t
val path_nativeint: Path.t
val path_int32: Path.t
val path_int64: Path.t
val path_lazy_t: Path.t

(* Jessica needs the following declarations *)
val decl_list: type_declaration

val path_match_failure: Path.t
val path_assert_failure : Path.t
val path_undefined_recursive_module : Path.t

(* To build the initial environment. Since there is a nasty mutual
   recursion between predef and env, we break it by parameterizing
   over Env.t, Env.add_type and Env.add_exception. *)

val build_initial_env:
  (Ident.t -> type_declaration -> 'a -> 'a) ->
  (Ident.t -> exception_declaration -> 'a -> 'a) ->
  'a -> 'a

(* To initialize linker tables *)

val builtin_values: (string * Ident.t) list
why-2.34/ml/typing/parmatch.mli0000644000175000017500000000451112311670312015042 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: parmatch.mli,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Detection of partial matches and unused match cases. *)
open Types
open Typedtree

val top_pretty : Format.formatter -> pattern -> unit
val pretty_pat : pattern -> unit
val pretty_line : pattern list -> unit
val pretty_matrix : pattern list list -> unit

val omega : pattern
val omegas : int -> pattern list
val omega_list : 'a list -> pattern list
val normalize_pat : pattern -> pattern
val all_record_args :
    (label_description * pattern) list -> (label_description * pattern) list

val le_pat : pattern -> pattern -> bool
val le_pats : pattern list -> pattern list -> bool
val compat : pattern -> pattern -> bool
val compats : pattern list -> pattern list -> bool
exception Empty
val lub : pattern -> pattern -> pattern
val lubs : pattern list -> pattern list -> pattern list

val get_mins : ('a -> 'a -> bool) -> 'a list -> 'a list

(* Those to functions recombine one pattern and its arguments:
   For instance:
     (_,_)::p1::p2::rem -> (p1, p2)::rem
   The second one will replace mutable arguments by '_'
*)
val set_args : pattern -> pattern list -> pattern list
val set_args_erase_mutable : pattern -> pattern list -> pattern list

val pat_of_constr : pattern -> constructor_description -> pattern
val complete_constrs :
    pattern -> constructor_tag list -> constructor_description  list

val pressure_variants: Env.t -> pattern list -> unit
val check_partial: Location.t -> (pattern * expression) list -> partial
val check_unused: Env.t -> (pattern * expression) list -> unit



why-2.34/ml/typing/predef.ml0000644000175000017500000001662012311670312014343 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: predef.ml,v 1.2 2008-02-01 12:18:49 bardou Exp $ *)

(* Predefined type constructors (with special typing rules in typecore) *)

open Asttypes
open Path
open Types
open Btype

let ident_int = Ident.create "int"
and ident_char = Ident.create "char"
and ident_string = Ident.create "string"
and ident_float = Ident.create "float"
and ident_bool = Ident.create "bool"
and ident_unit = Ident.create "unit"
and ident_exn = Ident.create "exn"
and ident_array = Ident.create "array"
and ident_list = Ident.create "list"
and ident_format6 = Ident.create "format6"
and ident_option = Ident.create "option"
and ident_nativeint = Ident.create "nativeint"
and ident_int32 = Ident.create "int32"
and ident_int64 = Ident.create "int64"
and ident_lazy_t = Ident.create "lazy_t"

let path_int = Pident ident_int
and path_char = Pident ident_char
and path_string = Pident ident_string
and path_float = Pident ident_float
and path_bool = Pident ident_bool
and path_unit = Pident ident_unit
and path_exn = Pident ident_exn
and path_array = Pident ident_array
and path_list = Pident ident_list
and path_format6 = Pident ident_format6
and path_option = Pident ident_option
and path_nativeint = Pident ident_nativeint
and path_int32 = Pident ident_int32
and path_int64 = Pident ident_int64
and path_lazy_t = Pident ident_lazy_t

let type_int = newgenty (Tconstr(path_int, [], ref Mnil))
and type_char = newgenty (Tconstr(path_char, [], ref Mnil))
and type_string = newgenty (Tconstr(path_string, [], ref Mnil))
and type_float = newgenty (Tconstr(path_float, [], ref Mnil))
and type_bool = newgenty (Tconstr(path_bool, [], ref Mnil))
and type_unit = newgenty (Tconstr(path_unit, [], ref Mnil))
and type_exn = newgenty (Tconstr(path_exn, [], ref Mnil))
and type_array t = newgenty (Tconstr(path_array, [t], ref Mnil))
and type_list t = newgenty (Tconstr(path_list, [t], ref Mnil))
and type_option t = newgenty (Tconstr(path_option, [t], ref Mnil))
and type_nativeint = newgenty (Tconstr(path_nativeint, [], ref Mnil))
and type_int32 = newgenty (Tconstr(path_int32, [], ref Mnil))
and type_int64 = newgenty (Tconstr(path_int64, [], ref Mnil))
and type_lazy_t t = newgenty (Tconstr(path_lazy_t, [t], ref Mnil))

let ident_match_failure = Ident.create_predef_exn "Match_failure"
and ident_out_of_memory = Ident.create_predef_exn "Out_of_memory"
and ident_invalid_argument = Ident.create_predef_exn "Invalid_argument"
and ident_failure = Ident.create_predef_exn "Failure"
and ident_not_found = Ident.create_predef_exn "Not_found"
and ident_sys_error = Ident.create_predef_exn "Sys_error"
and ident_end_of_file = Ident.create_predef_exn "End_of_file"
and ident_division_by_zero = Ident.create_predef_exn "Division_by_zero"
and ident_stack_overflow = Ident.create_predef_exn "Stack_overflow"
and ident_sys_blocked_io = Ident.create_predef_exn "Sys_blocked_io"
and ident_assert_failure = Ident.create_predef_exn "Assert_failure"
and ident_undefined_recursive_module =
        Ident.create_predef_exn "Undefined_recursive_module"

let path_match_failure = Pident ident_match_failure
and path_assert_failure = Pident ident_assert_failure
and path_undefined_recursive_module = Pident ident_undefined_recursive_module

let decl_abstr =
  {type_params = [];
   type_arity = 0;
   type_kind = Type_abstract;
   type_manifest = None;
   type_variance = []}
let decl_bool =
  {type_params = [];
   type_arity = 0;
   type_kind = Type_variant(["false",[]; "true",[]], Public);
   type_manifest = None;
   type_variance = []}
let decl_unit =
  {type_params = []; 
   type_arity = 0;
   type_kind = Type_variant(["()",[]], Public);
   type_manifest = None;
   type_variance = []}
let decl_exn =
  {type_params = [];
   type_arity = 0;
   type_kind = Type_variant([], Public);
   type_manifest = None;
   type_variance = []}
let decl_array =
  let tvar = newgenvar() in
  {type_params = [tvar];
   type_arity = 1;
   type_kind = Type_abstract;
   type_manifest = None;
   type_variance = [true, true, true]}
let decl_list =
  let tvar = newgenvar() in
  {type_params = [tvar];
   type_arity = 1;
   type_kind =
      Type_variant(["[]", []; "::", [tvar; type_list tvar]], Public);
   type_manifest = None;
   type_variance = [true, false, false]}
let decl_format6 =
  {type_params = [
     newgenvar(); newgenvar(); newgenvar();
     newgenvar(); newgenvar(); newgenvar();
   ];
   type_arity = 6;
   type_kind = Type_abstract;
   type_manifest = None;
   type_variance = [
     true, true, true; true, true, true;
     true, true, true; true, true, true;
     true, true, true; true, true, true;
   ]}
let decl_option =
  let tvar = newgenvar() in
  {type_params = [tvar];
   type_arity = 1;
   type_kind = Type_variant(["None", []; "Some", [tvar]], Public);
   type_manifest = None;
   type_variance = [true, false, false]}
let decl_lazy_t =
  let tvar = newgenvar() in
  {type_params = [tvar];
   type_arity = 1;
   type_kind = Type_abstract;
   type_manifest = None;
   type_variance = [true, false, false]}

let build_initial_env add_type add_exception empty_env =
  add_exception ident_match_failure
                         [newgenty (Ttuple[type_string; type_int; type_int])] (
  add_exception ident_out_of_memory [] (
  add_exception ident_stack_overflow [] (
  add_exception ident_invalid_argument [type_string] (
  add_exception ident_failure [type_string] (
  add_exception ident_not_found [] (
  add_exception ident_sys_blocked_io [] (
  add_exception ident_sys_error [type_string] (
  add_exception ident_end_of_file [] (
  add_exception ident_division_by_zero [] (
  add_exception ident_assert_failure
                         [newgenty (Ttuple[type_string; type_int; type_int])] (
  add_exception ident_undefined_recursive_module
                         [newgenty (Ttuple[type_string; type_int; type_int])] (
  add_type ident_int64 decl_abstr (
  add_type ident_int32 decl_abstr (
  add_type ident_nativeint decl_abstr (
  add_type ident_lazy_t decl_lazy_t (
  add_type ident_option decl_option (
  add_type ident_format6 decl_format6 (
  add_type ident_list decl_list (
  add_type ident_array decl_array (
  add_type ident_exn decl_exn (
  add_type ident_unit decl_unit (
  add_type ident_bool decl_bool (
  add_type ident_float decl_abstr (
  add_type ident_string decl_abstr (
  add_type ident_char decl_abstr (
  add_type ident_int decl_abstr (
    empty_env)))))))))))))))))))))))))))

let builtin_values =
  List.map (fun id -> Ident.make_global id; (Ident.name id, id))
      [ident_match_failure; ident_out_of_memory; ident_stack_overflow;
       ident_invalid_argument;
       ident_failure; ident_not_found; ident_sys_error; ident_end_of_file;
       ident_division_by_zero; ident_sys_blocked_io;
       ident_assert_failure; ident_undefined_recursive_module ]
why-2.34/ml/typing/ident.ml0000644000175000017500000001211312311670312014172 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: ident.ml,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

open Format

type t = { stamp: int; name: string; mutable flags: int }

let global_flag = 1
let predef_exn_flag = 2

(* A stamp of 0 denotes a persistent identifier *)

let currentstamp = ref 0

let create s =
  incr currentstamp;
  { name = s; stamp = !currentstamp; flags = 0 }

let create_predef_exn s =
  incr currentstamp;
  { name = s; stamp = !currentstamp; flags = predef_exn_flag }

let create_persistent s =
  { name = s; stamp = 0; flags = global_flag }

let rename i =
  incr currentstamp;
  { i with stamp = !currentstamp }

let name i = i.name

let stamp i = i.stamp

let unique_name i = i.name ^ "_" ^ string_of_int i.stamp

let unique_toplevel_name i = i.name ^ "/" ^ string_of_int i.stamp

let persistent i = (i.stamp = 0)

let equal i1 i2 = i1.name = i2.name

let same i1 i2 = i1 = i2
  (* Possibly more efficient version (with a real compiler, at least):
       if i1.stamp <> 0
       then i1.stamp = i2.stamp
       else i2.stamp = 0 && i1.name = i2.name *)

let binding_time i = i.stamp

let current_time() = !currentstamp
let set_current_time t = currentstamp := max !currentstamp t

let reinit_level = ref (-1)

let reinit () = 
  if !reinit_level < 0
  then reinit_level := !currentstamp
  else currentstamp := !reinit_level

let hide i =
  { i with stamp = -1 }

let make_global i =
  i.flags <- i.flags lor global_flag

let global i =
  (i.flags land global_flag) <> 0

let is_predef_exn i =
  (i.flags land predef_exn_flag) <> 0

let print ppf i =
  match i.stamp with
  | 0 -> fprintf ppf "%s!" i.name
  | -1 -> fprintf ppf "%s#" i.name
  | n -> fprintf ppf "%s/%i%s" i.name n (if global i then "g" else "")

type 'a tbl =
    Empty
  | Node of 'a tbl * 'a data * 'a tbl * int

and 'a data =
  { ident: t;
    data: 'a;
    previous: 'a data option }

let empty = Empty

(* Inline expansion of height for better speed
 * let height = function
 *     Empty -> 0
 *   | Node(_,_,_,h) -> h
 *)

let mknode l d r =
  let hl = match l with Empty -> 0 | Node(_,_,_,h) -> h
  and hr = match r with Empty -> 0 | Node(_,_,_,h) -> h in
  Node(l, d, r, (if hl >= hr then hl + 1 else hr + 1))

let balance l d r =
  let hl = match l with Empty -> 0 | Node(_,_,_,h) -> h
  and hr = match r with Empty -> 0 | Node(_,_,_,h) -> h in
  if hl > hr + 1 then
    match l with
    | Node (ll, ld, lr, _)
      when (match ll with Empty -> 0 | Node(_,_,_,h) -> h) >=
           (match lr with Empty -> 0 | Node(_,_,_,h) -> h) ->
        mknode ll ld (mknode lr d r)
    | Node (ll, ld, Node(lrl, lrd, lrr, _), _) ->
        mknode (mknode ll ld lrl) lrd (mknode lrr d r)
    | _ -> assert false
  else if hr > hl + 1 then
    match r with
    | Node (rl, rd, rr, _)
      when (match rr with Empty -> 0 | Node(_,_,_,h) -> h) >=
           (match rl with Empty -> 0 | Node(_,_,_,h) -> h) ->
        mknode (mknode l d rl) rd rr
    | Node (Node (rll, rld, rlr, _), rd, rr, _) ->
        mknode (mknode l d rll) rld (mknode rlr rd rr)
    | _ -> assert false
  else
    mknode l d r

let rec add id data = function
    Empty ->
      Node(Empty, {ident = id; data = data; previous = None}, Empty, 1)
  | Node(l, k, r, h) ->
      let c = compare id.name k.ident.name in
      if c = 0 then
        Node(l, {ident = id; data = data; previous = Some k}, r, h)
      else if c < 0 then
        balance (add id data l) k r
      else
        balance l k (add id data r)

let rec find_stamp s = function
    None ->
      raise Not_found
  | Some k ->
      if k.ident.stamp = s then k.data else find_stamp s k.previous

let rec find_same id = function
    Empty ->
      raise Not_found
  | Node(l, k, r, _) ->
      let c = compare id.name k.ident.name in
      if c = 0 then
        if id.stamp = k.ident.stamp
        then k.data
        else find_stamp id.stamp k.previous
      else
        find_same id (if c < 0 then l else r)

let rec find_name name = function
    Empty ->
      raise Not_found
  | Node(l, k, r, _) ->
      let c = compare name k.ident.name in
      if c = 0 then
        k.data
      else
        find_name name (if c < 0 then l else r)

let rec keys_aux stack accu = function
    Empty ->
      begin match stack with
        [] -> accu
      | a :: l -> keys_aux l accu a
      end
  | Node(l, k, r, _) ->
      keys_aux (l :: stack) (k.ident :: accu) r

let keys tbl = keys_aux [] [] tbl
why-2.34/ml/typing/typecore.ml0000644000175000017500000024741012311670312014733 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: typecore.ml,v 1.8 2007-12-20 17:10:01 bardou Exp $ *)

(* Typechecking for the core language *)

open Misc
open Asttypes
open Parsetree
open Types
open Typedtree
open Btype
open Ctype

type error =
    Unbound_value of Longident.t
  | Unbound_constructor of Longident.t
  | Unbound_label of Longident.t
  | Polymorphic_label of Longident.t
  | Constructor_arity_mismatch of Longident.t * int * int
  | Label_mismatch of Longident.t * (type_expr * type_expr) list
  | Pattern_type_clash of (type_expr * type_expr) list
  | Multiply_bound_variable
  | Orpat_vars of Ident.t
  | Expr_type_clash of (type_expr * type_expr) list
  | Apply_non_function of type_expr
  | Apply_wrong_label of label * type_expr
  | Label_multiply_defined of Longident.t
  | Label_missing of string list
  | Label_not_mutable of Longident.t
  | Incomplete_format of string
  | Bad_conversion of string * int * char
  | Undefined_method of type_expr * string
  | Undefined_inherited_method of string
  | Unbound_class of Longident.t
  | Virtual_class of Longident.t
  | Private_type of type_expr
  | Private_label of Longident.t * type_expr
  | Unbound_instance_variable of string
  | Instance_variable_not_mutable of string
  | Not_subtype of (type_expr * type_expr) list * (type_expr * type_expr) list
  | Outside_class
  | Value_multiply_overridden of string
  | Coercion_failure of
      type_expr * type_expr * (type_expr * type_expr) list * bool
  | Too_many_arguments of bool * type_expr
  | Abstract_wrong_label of label * type_expr
  | Scoping_let_module of string * type_expr
  | Masked_instance_variable of Longident.t
  | Not_a_variant_type of Longident.t
  | Incoherent_label_order
  | Less_general of string * (type_expr * type_expr) list
  | Cannot_infer_logic_function_type of string

exception Error of Location.t * error

(* Used by Jessica patches *)
let try_unify env loc x y =
  try
    unify env x y
  with Unify trace ->
    raise (Error(loc, Expr_type_clash trace))

(* Forward declaration, to be filled in by Typemod.type_module *)

let type_module =
  ref ((fun env md -> assert false) :
       Env.t -> Parsetree.module_expr -> Typedtree.module_expr)

(* Forward declaration, to be filled in by Typeclass.class_structure *)
let type_object =
  ref (fun env s -> assert false :
       Env.t -> Location.t -> Parsetree.class_structure ->
         class_structure * class_signature * string list)

(*
  Saving and outputting type information.
  We keep these function names short, because they have to be
  called each time we create a record of type [Typedtree.expression]
  or [Typedtree.pattern] that will end up in the typed AST.
*)
let re node =
  Stypes.record (Stypes.Ti_expr node);
  node
;;
let rp node =
  Stypes.record (Stypes.Ti_pat node);
  node
;;


(* Typing of constants *)

let type_constant = function
    Const_int _ -> instance Predef.type_int
  | Const_char _ -> instance Predef.type_char
  | Const_string _ -> instance Predef.type_string
  | Const_float _ -> instance Predef.type_float
  | Const_int32 _ -> instance Predef.type_int32
  | Const_int64 _ -> instance Predef.type_int64
  | Const_nativeint _ -> instance Predef.type_nativeint

(* Specific version of type_option, using newty rather than newgenty *)

let type_option ty =
  newty (Tconstr(Predef.path_option,[ty], ref Mnil))

let option_none ty loc =
  let cnone = Env.lookup_constructor (Longident.Lident "None") Env.initial in
  { exp_desc = Texp_construct(cnone, []);
    exp_type = ty; exp_loc = loc; exp_env = Env.initial }

let option_some texp =
  let csome = Env.lookup_constructor (Longident.Lident "Some") Env.initial in
  { exp_desc = Texp_construct(csome, [texp]); exp_loc = texp.exp_loc;
    exp_type = type_option texp.exp_type; exp_env = texp.exp_env }

let extract_option_type env ty =
  match expand_head env ty with {desc = Tconstr(path, [ty], _)}
    when Path.same path Predef.path_option -> ty
  | _ -> assert false

let rec extract_label_names sexp env ty =
  let ty = repr ty in
  match ty.desc with
  | Tconstr (path, _, _) ->
      let td = Env.find_type path env in
      begin match td.type_kind with
      | Type_record (fields, _, _) ->
          List.map (fun (name, _, _) -> name) fields
      | Type_abstract when td.type_manifest <> None ->
          extract_label_names sexp env (expand_head env ty)
      | _ -> assert false
      end
  | _ ->
      assert false

(* Typing of patterns *)

(* Creating new conjunctive types is not allowed when typing patterns *)
let unify_pat env pat expected_ty =
  try
    unify env pat.pat_type expected_ty
  with
    Unify trace ->
      raise(Error(pat.pat_loc, Pattern_type_clash(trace)))
  | Tags(l1,l2) ->
      raise(Typetexp.Error(pat.pat_loc, Typetexp.Variant_tags (l1, l2)))

(* make all Reither present in open variants *)
let finalize_variant pat =
  match pat.pat_desc with
    Tpat_variant(tag, opat, row) ->
      let row = row_repr row in
      let field = row_field tag row in
      begin match field with
      | Rabsent -> assert false
      | Reither (true, [], _, e) when not row.row_closed ->
          set_row_field e (Rpresent None)
      | Reither (false, ty::tl, _, e) when not row.row_closed ->
          set_row_field e (Rpresent (Some ty));
          begin match opat with None -> assert false
          | Some pat -> List.iter (unify_pat pat.pat_env pat) (ty::tl)
          end
      | Reither (c, l, true, e) when not row.row_fixed ->
          set_row_field e (Reither (c, [], false, ref None))
      | _ -> ()
      end;
      (* Force check of well-formedness *)
      unify_pat pat.pat_env pat
        (newty(Tvariant{row_fields=[]; row_more=newvar(); row_closed=false;
                        row_bound=[]; row_fixed=false; row_name=None}));
  | _ -> ()

let rec iter_pattern f p =
  f p;
  iter_pattern_desc (iter_pattern f) p.pat_desc

let has_variants p =
  try
    iter_pattern (function {pat_desc=Tpat_variant _} -> raise Exit | _ -> ())
      p;
    false
  with Exit ->
    true


(* pattern environment *)
let pattern_variables = ref ([]: (Ident.t * type_expr) list)
let pattern_force = ref ([] : (unit -> unit) list)
let reset_pattern () =
  pattern_variables := [];
  pattern_force := []

let enter_variable loc name ty =
  if List.exists (fun (id, _) -> Ident.name id = name) !pattern_variables
  then raise(Error(loc, Multiply_bound_variable));
  let id = Ident.create name in
  pattern_variables := (id, ty) :: !pattern_variables;
  id

let sort_pattern_variables vs =
  List.sort
    (fun (x,_) (y,_) -> Pervasives.compare (Ident.name x) (Ident.name y))
    vs

let enter_orpat_variables loc env  p1_vs p2_vs =
  (* unify_vars operate on sorted lists *)

  let p1_vs = sort_pattern_variables p1_vs
  and p2_vs = sort_pattern_variables p2_vs in

  let rec unify_vars p1_vs p2_vs = match p1_vs, p2_vs with
      | (x1,t1)::rem1, (x2,t2)::rem2 when Ident.equal x1 x2 ->
          if x1==x2 then
            unify_vars rem1 rem2
          else begin
            begin try
              unify env t1 t2
            with
            | Unify trace ->
                raise(Error(loc, Pattern_type_clash(trace)))
            end ;
          (x2,x1)::unify_vars rem1 rem2
          end
      | [],[] -> []
      | (x,_)::_, [] -> raise (Error (loc, Orpat_vars x))
      | [],(x,_)::_  -> raise (Error (loc, Orpat_vars x))
      | (x,_)::_, (y,_)::_ ->
          let min_var =
            if Ident.name x < Ident.name y then x
            else y in
          raise (Error (loc, Orpat_vars min_var)) in
  unify_vars p1_vs p2_vs

let rec build_as_type env p =
  match p.pat_desc with
    Tpat_alias(p1, _) -> build_as_type env p1
  | Tpat_tuple pl ->
      let tyl = List.map (build_as_type env) pl in
      newty (Ttuple tyl)
  | Tpat_construct(cstr, pl) ->
      if cstr.cstr_private = Private then p.pat_type else
      let tyl = List.map (build_as_type env) pl in
      let ty_args, ty_res = instance_constructor cstr in
      List.iter2 (fun (p,ty) -> unify_pat env {p with pat_type = ty})
        (List.combine pl tyl) ty_args;
      ty_res
  | Tpat_variant(l, p', _) ->
      let ty = may_map (build_as_type env) p' in
      newty (Tvariant{row_fields=[l, Rpresent ty]; row_more=newvar();
                      row_bound=[]; row_name=None;
                      row_fixed=false; row_closed=false})
  | Tpat_record lpl ->
      let lbl = fst(List.hd lpl) in
      if lbl.lbl_private = Private then p.pat_type else
      let ty = newvar () in
      let ppl = List.map (fun (l,p) -> l.lbl_pos, p) lpl in
      let do_label lbl =
        let _, ty_arg, ty_res = instance_label false lbl in
        unify_pat env {p with pat_type = ty} ty_res;
        if lbl.lbl_mut = Immutable && List.mem_assoc lbl.lbl_pos ppl then begin
          let arg = List.assoc lbl.lbl_pos ppl in
          unify_pat env {arg with pat_type = build_as_type env arg} ty_arg
        end else begin
          let _, ty_arg', ty_res' = instance_label false lbl in
          unify env ty_arg ty_arg';
          unify_pat env p ty_res'
        end in
      Array.iter do_label lbl.lbl_all;
      ty
  | Tpat_or(p1, p2, path) ->
      let ty1 = build_as_type env p1 and ty2 = build_as_type env p2 in
      unify_pat env {p2 with pat_type = ty2} ty1;
      begin match path with None -> ()
      | Some path ->
          let td = try Env.find_type path env with Not_found -> assert false in
          let params = List.map (fun _ -> newvar()) td.type_params in
          match expand_head env (newty (Tconstr (path, params, ref Mnil)))
          with {desc=Tvariant row} when static_row row ->
            unify_pat env {p1 with pat_type = ty1}
              (newty (Tvariant{row with row_closed=false; row_more=newvar()}))
          | _ -> ()
      end;
      ty1
  | Tpat_any | Tpat_var _ | Tpat_constant _ | Tpat_array _ -> p.pat_type

let build_or_pat env loc lid =
  let path, decl =
    try Env.lookup_type lid env
    with Not_found ->
      raise(Typetexp.Error(loc, Typetexp.Unbound_type_constructor lid))
  in
  let tyl = List.map (fun _ -> newvar()) decl.type_params in
  let fields =
    let ty = expand_head env (newty(Tconstr(path, tyl, ref Mnil))) in
    match ty.desc with
      Tvariant row when static_row row ->
        (row_repr row).row_fields
    | _ -> raise(Error(loc, Not_a_variant_type lid))
  in
  let bound = ref [] in
  let pats, fields =
    List.fold_left
      (fun (pats,fields) (l,f) ->
        match row_field_repr f with
          Rpresent None ->
            (l,None) :: pats,
            (l, Reither(true,[], true, ref None)) :: fields
        | Rpresent (Some ty) ->
            bound := ty :: !bound;
            (l, Some {pat_desc=Tpat_any; pat_loc=Location.none; pat_env=env;
                      pat_type=ty})
            :: pats,
            (l, Reither(false, [ty], true, ref None)) :: fields
        | _ -> pats, fields)
      ([],[]) fields in
  let row =
    { row_fields = List.rev fields; row_more = newvar(); row_bound = !bound;
      row_closed = false; row_fixed = false; row_name = Some (path, tyl) }
  in
  let ty = newty (Tvariant row) in
  let gloc = {loc with Location.loc_ghost=true} in
  let pats =
    List.map (fun (l,p) -> {pat_desc=Tpat_variant(l,p,row); pat_loc=gloc;
                            pat_env=env; pat_type=ty})
      pats
  in
  match pats with
    [] -> raise(Error(loc, Not_a_variant_type lid))
  | pat :: pats ->
      let r =
        List.fold_left
          (fun pat pat0 -> {pat_desc=Tpat_or(pat0,pat,Some path);
                            pat_loc=gloc; pat_env=env; pat_type=ty})
          pat pats in
      rp { r with pat_loc = loc }

let rec find_record_qual = function
  | [] -> None
  | (Longident.Ldot (modname, _), _) :: _ -> Some modname
  | _ :: rest -> find_record_qual rest

let type_label_a_list type_lid_a lid_a_list =
  match find_record_qual lid_a_list with
  | None -> List.map type_lid_a lid_a_list
  | Some modname ->
      List.map
        (function
         | (Longident.Lident id), sarg ->
              type_lid_a (Longident.Ldot (modname, id), sarg)
         | lid_a -> type_lid_a lid_a)
        lid_a_list

let rec type_pat env sp =
  match sp.ppat_desc with
    Ppat_any ->
      rp {
        pat_desc = Tpat_any;
        pat_loc = sp.ppat_loc;
        pat_type = newvar();
        pat_env = env }
  | Ppat_var name ->
      let ty = newvar() in
      let id = enter_variable sp.ppat_loc name ty in
      rp {
        pat_desc = Tpat_var id;
        pat_loc = sp.ppat_loc;
        pat_type = ty;
        pat_env = env }
  | Ppat_alias(sq, name) ->
      let q = type_pat env sq in
      begin_def ();
      let ty_var = build_as_type env q in
      end_def ();
      generalize ty_var;
      let id = enter_variable sp.ppat_loc name ty_var in
      rp {
        pat_desc = Tpat_alias(q, id);
        pat_loc = sp.ppat_loc;
        pat_type = q.pat_type;
        pat_env = env }
  | Ppat_constant cst ->
      rp {
        pat_desc = Tpat_constant cst;
        pat_loc = sp.ppat_loc;
        pat_type = type_constant cst;
        pat_env = env }
  | Ppat_tuple spl ->
      let pl = List.map (type_pat env) spl in
      rp {
        pat_desc = Tpat_tuple pl;
        pat_loc = sp.ppat_loc;
        pat_type = newty (Ttuple(List.map (fun p -> p.pat_type) pl));
        pat_env = env }
  | Ppat_construct(lid, sarg, explicit_arity) ->
      let constr =
        try
          Env.lookup_constructor lid env
        with Not_found ->
          raise(Error(sp.ppat_loc, Unbound_constructor lid)) in
      let sargs =
        match sarg with
          None -> []
        | Some {ppat_desc = Ppat_tuple spl} when explicit_arity -> spl
        | Some {ppat_desc = Ppat_tuple spl} when constr.cstr_arity > 1 -> spl
        | Some({ppat_desc = Ppat_any} as sp) when constr.cstr_arity > 1 ->
            replicate_list sp constr.cstr_arity
        | Some sp -> [sp] in
      if List.length sargs <> constr.cstr_arity then
        raise(Error(sp.ppat_loc, Constructor_arity_mismatch(lid,
                                     constr.cstr_arity, List.length sargs)));
      let args = List.map (type_pat env) sargs in
      let (ty_args, ty_res) = instance_constructor constr in
      List.iter2 (unify_pat env) args ty_args;
      rp {
        pat_desc = Tpat_construct(constr, args);
        pat_loc = sp.ppat_loc;
        pat_type = ty_res;
        pat_env = env }
  | Ppat_variant(l, sarg) ->
      let arg = may_map (type_pat env) sarg in
      let arg_type = match arg with None -> [] | Some arg -> [arg.pat_type]  in
      let row = { row_fields =
                    [l, Reither(arg = None, arg_type, true, ref None)];
                  row_bound = arg_type;
                  row_closed = false;
                  row_more = newvar ();
                  row_fixed = false;
                  row_name = None } in
      rp {
        pat_desc = Tpat_variant(l, arg, row);
        pat_loc = sp.ppat_loc;
        pat_type = newty (Tvariant row);
        pat_env = env }
  | Ppat_record lid_sp_list ->
      let rec check_duplicates = function
        [] -> ()
      | (lid, sarg) :: remainder ->
          if List.mem_assoc lid remainder
          then raise(Error(sp.ppat_loc, Label_multiply_defined lid))
          else check_duplicates remainder in
      check_duplicates lid_sp_list;
      let ty = newvar() in
      let type_label_pat (lid, sarg) =
        let label =
          try
            Env.lookup_label lid env
          with Not_found ->
            raise(Error(sp.ppat_loc, Unbound_label lid)) in
        begin_def ();
        let (vars, ty_arg, ty_res) = instance_label false label in
        if vars = [] then end_def ();
        begin try
          unify env ty_res ty
        with Unify trace ->
          raise(Error(sp.ppat_loc, Label_mismatch(lid, trace)))
        end;
        let arg = type_pat env sarg in
        unify_pat env arg ty_arg;
        if vars <> [] then begin
          end_def ();
          generalize ty_arg;
          List.iter generalize vars;
          let instantiated tv =
            let tv = expand_head env tv in
            tv.desc <> Tvar || tv.level <> generic_level in
          if List.exists instantiated vars then
            raise (Error(sp.ppat_loc, Polymorphic_label lid))
        end;
        (label, arg)
      in
      rp {
        pat_desc = Tpat_record(type_label_a_list type_label_pat lid_sp_list);
        pat_loc = sp.ppat_loc;
        pat_type = ty;
        pat_env = env }
  | Ppat_array spl ->
      let pl = List.map (type_pat env) spl in
      let ty_elt = newvar() in
      List.iter (fun p -> unify_pat env p ty_elt) pl;
      rp {
        pat_desc = Tpat_array pl;
        pat_loc = sp.ppat_loc;
        pat_type = instance (Predef.type_array ty_elt);
        pat_env = env }
  | Ppat_or(sp1, sp2) ->
      let initial_pattern_variables = !pattern_variables in
      let p1 = type_pat env sp1 in
      let p1_variables = !pattern_variables in
      pattern_variables := initial_pattern_variables ;
      let p2 = type_pat env sp2 in
      let p2_variables = !pattern_variables in
      unify_pat env p2 p1.pat_type;
      let alpha_env =
        enter_orpat_variables sp.ppat_loc env p1_variables p2_variables in
      pattern_variables := p1_variables ;
      rp {
        pat_desc = Tpat_or(p1, alpha_pat alpha_env p2, None);
        pat_loc = sp.ppat_loc;
        pat_type = p1.pat_type;
        pat_env = env }
  | Ppat_constraint(sp, sty) ->
      let p = type_pat env sp in
      let ty, force = Typetexp.transl_simple_type_delayed env sty in
      unify_pat env p ty;
      pattern_force := force :: !pattern_force;
      p
  | Ppat_type lid ->
      build_or_pat env sp.ppat_loc lid

let get_ref r =
  let v = !r in r := []; v

let add_pattern_variables env =
  let pv = get_ref pattern_variables in
  List.fold_right
    (fun (id, ty) env ->
       Env.add_value id {val_type = ty; val_kind = Val_reg} env)
    pv env

let type_pattern env spat =
  reset_pattern ();
  let pat = type_pat env spat in
  let new_env = add_pattern_variables env in
  (pat, new_env, get_ref pattern_force)

let type_pattern_list env spatl =
  reset_pattern ();
  let patl = List.map (type_pat env) spatl in
  let new_env = add_pattern_variables env in
  (patl, new_env, get_ref pattern_force)

let type_class_arg_pattern cl_num val_env met_env l spat =
  reset_pattern ();
  let pat = type_pat val_env spat in
  if has_variants pat then begin
    Parmatch.pressure_variants val_env [pat];
    iter_pattern finalize_variant pat
  end;
  List.iter (fun f -> f()) (get_ref pattern_force);
  if is_optional l then unify_pat val_env pat (type_option (newvar ()));
  let (pv, met_env) =
    List.fold_right
      (fun (id, ty) (pv, env) ->
         let id' = Ident.create (Ident.name id) in
         ((id', id, ty)::pv,
          Env.add_value id' {val_type = ty;
                             val_kind = Val_ivar (Immutable, cl_num)}
            env))
      !pattern_variables ([], met_env)
  in
  let val_env = add_pattern_variables val_env in
  (pat, pv, val_env, met_env)

let mkpat d = { ppat_desc = d; ppat_loc = Location.none }

let type_self_pattern cl_num privty val_env met_env par_env spat =
  let spat =
    mkpat (Ppat_alias (mkpat(Ppat_alias (spat, "selfpat-*")),
                       "selfpat-" ^ cl_num))
  in
  reset_pattern ();
  let pat = type_pat val_env spat in
  List.iter (fun f -> f()) (get_ref pattern_force);
  let meths = ref Meths.empty in
  let vars = ref Vars.empty in
  let pv = !pattern_variables in
  pattern_variables := [];
  let (val_env, met_env, par_env) =
    List.fold_right
      (fun (id, ty) (val_env, met_env, par_env) ->
         (Env.add_value id {val_type = ty; val_kind = Val_unbound} val_env,
          Env.add_value id {val_type = ty;
                            val_kind = Val_self (meths, vars, cl_num, privty)}
            met_env,
          Env.add_value id {val_type = ty; val_kind = Val_unbound} par_env))
      pv (val_env, met_env, par_env)
  in
  (pat, meths, vars, val_env, met_env, par_env)

let delayed_checks = ref []
let reset_delayed_checks () = delayed_checks := []
let add_delayed_check f = delayed_checks := f :: !delayed_checks
let force_delayed_checks () =
  List.iter (fun f -> f ()) (List.rev !delayed_checks);
  reset_delayed_checks ()


(* Generalization criterion for expressions *)

let rec is_nonexpansive exp =
  match exp.exp_desc with
    Texp_ident(_,_) -> true
  | Texp_constant _ -> true
  | Texp_let(rec_flag, pat_exp_list, body) ->
      List.for_all (fun (pat, exp) -> is_nonexpansive exp) pat_exp_list &&
      is_nonexpansive body
  | Texp_function _ -> true
  | Texp_apply(e, (None,_)::el) ->
      is_nonexpansive e && List.for_all is_nonexpansive_opt (List.map fst el)
  | Texp_tuple el ->
      List.for_all is_nonexpansive el
  | Texp_construct(_, el) ->
      List.for_all is_nonexpansive el
  | Texp_variant(_, arg) -> is_nonexpansive_opt arg
  | Texp_record(lbl_exp_list, opt_init_exp) ->
      List.for_all
        (fun (lbl, exp) -> lbl.lbl_mut = Immutable && is_nonexpansive exp)
        lbl_exp_list
      && is_nonexpansive_opt opt_init_exp
  | Texp_field(exp, lbl) -> is_nonexpansive exp
  | Texp_array [] -> true
  | Texp_ifthenelse(cond, ifso, ifnot) ->
      is_nonexpansive ifso && is_nonexpansive_opt ifnot
  | Texp_new (_, cl_decl) when Ctype.class_type_arity cl_decl.cty_type > 0 ->
      true
  (* Note: nonexpansive only means no _observable_ side effects *)
  | Texp_lazy e -> is_nonexpansive e
  | Texp_object ({cl_field=fields}, {cty_vars=vars}, _) ->
      let count = ref 0 in
      List.for_all
        (function
            Cf_meth _ -> true
          | Cf_val (_,_,e,_) -> incr count; is_nonexpansive_opt e
          | Cf_init e -> is_nonexpansive e
          | Cf_inher _ | Cf_let _ -> false)
        fields &&
      Vars.fold (fun _ (mut,_,_) b -> decr count; b && mut = Immutable)
        vars true &&
      !count = 0
  | _ -> false

and is_nonexpansive_opt = function
    None -> true
  | Some e -> is_nonexpansive e

(* Typing of printf formats.
   (Handling of * modifiers contributed by Thorsten Ohl.) *)

external string_to_format :
 string -> ('a, 'b, 'c, 'd, 'e, 'f) format6 = "%identity"
external format_to_string :
 ('a, 'b, 'c, 'd, 'e, 'f) format6 -> string = "%identity"

let type_format loc fmt =

  let ty_arrow gty ty = newty (Tarrow ("", instance gty, ty, Cok)) in

  let bad_conversion fmt i c =
    raise (Error (loc, Bad_conversion (fmt, i, c))) in
  let incomplete_format fmt =
    raise (Error (loc, Incomplete_format fmt)) in

  let range_closing_index fmt i =

    let len = String.length fmt in
    let find_closing j =
      if j >= len then incomplete_format fmt else
      try String.index_from fmt j ']' with
      | Not_found -> incomplete_format fmt in
    let skip_pos j =
      if j >= len then incomplete_format fmt else
      match fmt.[j] with
      | ']' -> find_closing (j + 1)
      | c -> find_closing j in
    let rec skip_neg j =
      if j >= len then incomplete_format fmt else
      match fmt.[j] with
      | '^' -> skip_pos (j + 1)
      | c -> skip_pos j in
    find_closing (skip_neg (i + 1)) in

  let rec type_in_format fmt =

    let len = String.length fmt in

    let ty_input = newvar ()
    and ty_result = newvar ()
    and ty_aresult = newvar ()
    and ty_uresult = newvar () in

    let meta = ref 0 in

    let rec scan_format i =
      if i >= len then
        if !meta = 0
        then ty_uresult, ty_result
        else incomplete_format fmt else
      match fmt.[i] with
      | '%' -> scan_opts i (i + 1)
      | _ -> scan_format (i + 1)
    and scan_opts i j =
      if j >= len then incomplete_format fmt else
      match fmt.[j] with
      | '_' -> scan_rest true i (j + 1)
      | _ -> scan_rest false i j
    and scan_rest skip i j =
      let rec scan_flags i j =
        if j >= len then incomplete_format fmt else
        match fmt.[j] with
        | '#' | '0' | '-' | ' ' | '+' -> scan_flags i (j + 1)
        | _ -> scan_width i j
      and scan_width i j = scan_width_or_prec_value scan_precision i j
      and scan_decimal_string scan i j =
        if j >= len then incomplete_format fmt else
        match fmt.[j] with
        | '0' .. '9' -> scan_decimal_string scan i (j + 1)
        | _ -> scan i j
      and scan_width_or_prec_value scan i j =
        if j >= len then incomplete_format fmt else
        match fmt.[j] with
        | '*' ->
          let ty_uresult, ty_result = scan i (j + 1) in
          ty_uresult, ty_arrow Predef.type_int ty_result
        | '-' | '+' -> scan_decimal_string scan i (j + 1)
        | _ -> scan_decimal_string scan i j
      and scan_precision i j =
        if j >= len then incomplete_format fmt else
        match fmt.[j] with
        | '.' -> scan_width_or_prec_value scan_conversion i (j + 1)
        | _ -> scan_conversion i j

      and conversion j ty_arg =
        let ty_uresult, ty_result = scan_format (j + 1) in
        ty_uresult,
        if skip then ty_result else ty_arrow ty_arg ty_result

      and scan_conversion i j =
        if j >= len then incomplete_format fmt else
        match fmt.[j] with
        | '%' | '!' -> scan_format (j + 1)
        | 's' | 'S' -> conversion j Predef.type_string
        | '[' ->
          let j = range_closing_index fmt j in
          conversion j Predef.type_string
        | 'c' | 'C' -> conversion j Predef.type_char
        | 'd' | 'i' | 'o' | 'x' | 'X' | 'u' | 'N' ->
          conversion j Predef.type_int
        | 'f' | 'e' | 'E' | 'g' | 'G' | 'F' -> conversion j Predef.type_float
        | 'B' | 'b' -> conversion j Predef.type_bool
        | 'a' ->
          let ty_arg = newvar () in
          let ty_a = ty_arrow ty_input (ty_arrow ty_arg ty_aresult) in
          let ty_uresult, ty_result = conversion j ty_arg in
          ty_uresult, ty_arrow ty_a ty_result
        | 'r' ->
          let ty_arg = newvar () in
          let ty_r = ty_arrow ty_input ty_arg in
          let ty_uresult, ty_result = conversion j ty_arg in
          ty_arrow ty_r ty_uresult, ty_result
        | 't' -> conversion j (ty_arrow ty_input ty_aresult)
        | 'l' | 'n' | 'L' as c ->
          let j = j + 1 in
          if j >= len then conversion (j - 1) Predef.type_int else begin
            match fmt.[j] with
            | 'd' | 'i' | 'o' | 'x' | 'X' | 'u' ->
              let ty_arg =
                match c with
                | 'l' -> Predef.type_int32
                | 'n' -> Predef.type_nativeint
                | _ -> Predef.type_int64 in
              conversion j ty_arg
            | c -> conversion (j - 1) Predef.type_int
          end
        | '{' | '(' as c ->
          let j = j + 1 in
          if j >= len then incomplete_format fmt else
          let sj =
            Printf.CamlinternalPr.Tformat.sub_format
              (fun fmt -> incomplete_format (format_to_string fmt))
              (fun fmt -> bad_conversion (format_to_string fmt))
              c (string_to_format fmt) j in
          let sfmt = String.sub fmt j (sj - 2 - j) in
          let ty_sfmt = type_in_format sfmt in
          begin match c with
          | '{' -> conversion (sj - 1) ty_sfmt
          | _ -> incr meta; conversion (j - 1) ty_sfmt end
        | ')' when !meta > 0 -> decr meta; scan_format (j + 1)
        | c -> bad_conversion fmt i c in
      scan_flags i j in

    let ty_ureader, ty_args = scan_format 0 in
    newty
      (Tconstr
         (Predef.path_format6,
          [ty_args; ty_input; ty_aresult; ty_ureader; ty_uresult; ty_result],
          ref Mnil)) in

  type_in_format fmt

(* Approximate the type of an expression, for better recursion *)

let rec approx_type env sty =
  match sty.ptyp_desc with
    Ptyp_arrow (p, _, sty) ->
      let ty1 = if is_optional p then type_option (newvar ()) else newvar () in
      newty (Tarrow (p, ty1, approx_type env sty, Cok))
  | Ptyp_tuple args ->
      newty (Ttuple (List.map (approx_type env) args))
  | Ptyp_constr (lid, ctl) ->
      begin try
        let (path, decl) = Env.lookup_type lid env in
        if List.length ctl <> decl.type_arity then raise Not_found;
        let tyl = List.map (approx_type env) ctl in
        newconstr path tyl
      with Not_found -> newvar ()
      end
  | _ -> newvar ()

let rec type_approx env sexp =
  match sexp.pexp_desc with
    Pexp_let (_, _, e) -> type_approx env e
  | Pexp_function (p,_,(_,e)::_) when is_optional p ->
       newty (Tarrow(p, type_option (newvar ()), type_approx env e, Cok))
  | Pexp_function (p,_,(_,e)::_) ->
       newty (Tarrow(p, newvar (), type_approx env e, Cok))
  | Pexp_match (_, (_,e)::_) -> type_approx env e
  | Pexp_try (e, _) -> type_approx env e
  | Pexp_tuple l -> newty (Ttuple(List.map (type_approx env) l))
  | Pexp_ifthenelse (_,e,_) -> type_approx env e
  | Pexp_sequence (_,e) -> type_approx env e
  | Pexp_constraint (e, sty1, sty2) ->
      let approx_ty_opt = function
        | None -> newvar ()
        | Some sty -> approx_type env sty
      in
      let ty = type_approx env e
      and ty1 = approx_ty_opt sty1
      and ty2 = approx_ty_opt sty2 in
      begin try unify env ty ty1 with Unify trace ->
        raise(Error(sexp.pexp_loc, Expr_type_clash trace))
      end;
      if sty2 = None then ty1 else ty2
  | _ -> newvar ()

(* List labels in a function type, and whether return type is a variable *)
let rec list_labels_aux env visited ls ty_fun =
  let ty = expand_head env ty_fun in
  if List.memq ty visited then
    List.rev ls, false
  else match ty.desc with
    Tarrow (l, _, ty_res, _) ->
      list_labels_aux env (ty::visited) (l::ls) ty_res
  | _ ->
      List.rev ls, ty.desc = Tvar

let list_labels env ty = list_labels_aux env [] [] ty

(* Check that all univars are safe in a type *)
let check_univars env kind exp ty_expected vars =
  (* need to expand twice? cf. Ctype.unify2 *)
  let vars = List.map (expand_head env) vars in
  let vars = List.map (expand_head env) vars in
  let vars' =
    List.filter
      (fun t ->
        let t = repr t in
        generalize t;
        if t.desc = Tvar && t.level = generic_level then
          (log_type t; t.desc <- Tunivar; true)
        else false)
      vars in
  if List.length vars = List.length vars' then () else
  let ty = newgenty (Tpoly(repr exp.exp_type, vars'))
  and ty_expected = repr ty_expected in
  raise (Error (exp.exp_loc,
                Less_general(kind, [ty, ty; ty_expected, ty_expected])))

(* Check that a type is not a function *)
let check_application_result env statement exp =
  match (expand_head env exp.exp_type).desc with
  | Tarrow _ ->
      Location.prerr_warning exp.exp_loc Warnings.Partial_application
  | Tvar -> ()
  | Tconstr (p, _, _) when Path.same p Predef.path_unit -> ()
  | _ ->
      if statement then
        Location.prerr_warning exp.exp_loc Warnings.Statement_type

(* Hack to allow coercion of self. Will clean-up later. *)
let self_coercion = ref ([] : (Path.t * Location.t list ref) list)

(* Typing of expressions *)

let unify_exp env exp expected_ty =
  (* Format.eprintf "@[%a@ %a@]@." Printtyp.raw_type_expr exp.exp_type
    Printtyp.raw_type_expr expected_ty; *)
  try
    unify env exp.exp_type expected_ty
  with
    Unify trace ->
      raise(Error(exp.exp_loc, Expr_type_clash(trace)))
  | Tags(l1,l2) ->
      raise(Typetexp.Error(exp.exp_loc, Typetexp.Variant_tags (l1, l2)))

let rec type_exp env sexp =
  match sexp.pexp_desc with
    Pexp_ident lid ->
      begin try
        let (path, desc) = Env.lookup_value lid env in
        re {
          exp_desc =
            begin match desc.val_kind with
              Val_ivar (_, cl_num) ->
                let (self_path, _) =
                  Env.lookup_value (Longident.Lident ("self-" ^ cl_num)) env
                in
                Texp_instvar(self_path, path)
            | Val_self (_, _, cl_num, _) ->
                let (path, _) =
                  Env.lookup_value (Longident.Lident ("self-" ^ cl_num)) env
                in
                Texp_ident(path, desc)
            | Val_unbound ->
                raise(Error(sexp.pexp_loc, Masked_instance_variable lid))
            | _ ->
                Texp_ident(path, desc)
            end;
          exp_loc = sexp.pexp_loc;
          exp_type = instance desc.val_type;
          exp_env = env }
      with Not_found ->
        raise(Error(sexp.pexp_loc, Unbound_value lid))
      end
  | Pexp_constant cst ->
      re {
        exp_desc = Texp_constant cst;
        exp_loc = sexp.pexp_loc;
        exp_type = type_constant cst;
        exp_env = env }
  | Pexp_let(rec_flag, spat_sexp_list, sbody) ->
      let (pat_exp_list, new_env) = type_let env rec_flag spat_sexp_list in
      let body = type_exp new_env sbody in
      re {
        exp_desc = Texp_let(rec_flag, pat_exp_list, body);
        exp_loc = sexp.pexp_loc;
        exp_type = body.exp_type;
        exp_env = env }
  | Pexp_function _ ->     (* defined in type_expect *)
      type_expect env sexp (newvar())
  | Pexp_apply(sfunct, sargs) ->
      begin_def (); (* one more level for non-returning functions *)
      if !Clflags.principal then begin_def ();
      let funct = type_exp env sfunct in
      if !Clflags.principal then begin
        end_def ();
        generalize_structure funct.exp_type
      end;
      let rec lower_args seen ty_fun =
        let ty = expand_head env ty_fun in
        if List.memq ty seen then () else
        match ty.desc with
          Tarrow (l, ty_arg, ty_fun, com) ->
            unify_var env (newvar()) ty_arg;
            lower_args (ty::seen) ty_fun
        | _ -> ()
      in
      let ty = instance funct.exp_type in
      end_def ();
      lower_args [] ty;
      begin_def ();
      let (args, ty_res) = type_application env funct sargs in
      end_def ();
      unify_var env (newvar()) funct.exp_type;
      re {
        exp_desc = Texp_apply(funct, args);
        exp_loc = sexp.pexp_loc;
        exp_type = ty_res;
        exp_env = env }
  | Pexp_match(sarg, caselist) ->
      let arg = type_exp env sarg in
      let ty_res = newvar() in
      let cases, partial =
        type_cases env arg.exp_type ty_res (Some sexp.pexp_loc) caselist
      in
      re {
        exp_desc = Texp_match(arg, cases, partial);
        exp_loc = sexp.pexp_loc;
        exp_type = ty_res;
        exp_env = env }
  | Pexp_try(sbody, caselist) ->
      let body = type_exp env sbody in
      let cases, _ =
        type_cases env (instance Predef.type_exn) body.exp_type None
          caselist in
      re {
        exp_desc = Texp_try(body, cases);
        exp_loc = sexp.pexp_loc;
        exp_type = body.exp_type;
        exp_env = env }
  | Pexp_tuple sexpl ->
      let expl = List.map (type_exp env) sexpl in
      re {
        exp_desc = Texp_tuple expl;
        exp_loc = sexp.pexp_loc;
        exp_type = newty (Ttuple(List.map (fun exp -> exp.exp_type) expl));
        exp_env = env }
  | Pexp_construct(lid, sarg, explicit_arity) ->
      type_construct env sexp.pexp_loc lid sarg explicit_arity (newvar ())
  | Pexp_variant(l, sarg) ->
      let arg = may_map (type_exp env) sarg in
      let arg_type = may_map (fun arg -> arg.exp_type) arg in
      re {
        exp_desc = Texp_variant(l, arg);
        exp_loc = sexp.pexp_loc;
        exp_type= newty (Tvariant{row_fields = [l, Rpresent arg_type];
                                  row_more = newvar ();
                                  row_bound = [];
                                  row_closed = false;
                                  row_fixed = false;
                                  row_name = None});
        exp_env = env }
  | Pexp_record(lid_sexp_list, opt_sexp) ->
      let ty = newvar() in
      let num_fields = ref 0 in
      let type_label_exp (lid, sarg) =
        let label =
          try
            Env.lookup_label lid env
          with Not_found ->
            raise(Error(sexp.pexp_loc, Unbound_label lid)) in
        begin_def ();
        if !Clflags.principal then begin_def ();
        let (vars, ty_arg, ty_res) = instance_label true label in
        if !Clflags.principal then begin
          end_def ();
          generalize_structure ty_arg;
          generalize_structure ty_res
        end;
        begin try
          unify env (instance ty_res) ty
        with Unify trace ->
          raise(Error(sexp.pexp_loc, Label_mismatch(lid, trace)))
        end;
        let arg = type_argument env sarg ty_arg in
        end_def ();
        if vars <> [] && not (is_nonexpansive arg) then
          generalize_expansive env arg.exp_type;
        check_univars env "field value" arg label.lbl_arg vars;
        num_fields := Array.length label.lbl_all;
        if label.lbl_private = Private then
          raise(Error(sexp.pexp_loc, Private_type ty));
        (label, {arg with exp_type = instance arg.exp_type}) in
      let lbl_exp_list = type_label_a_list type_label_exp lid_sexp_list in
      let rec check_duplicates seen_pos lid_sexp lbl_exp =
        match (lid_sexp, lbl_exp) with
          ((lid, _) :: rem1, (lbl, _) :: rem2) ->
            if List.mem lbl.lbl_pos seen_pos
            then raise(Error(sexp.pexp_loc, Label_multiply_defined lid))
            else check_duplicates (lbl.lbl_pos :: seen_pos) rem1 rem2
        | (_, _) -> () in
      check_duplicates [] lid_sexp_list lbl_exp_list;
      let opt_exp =
        match opt_sexp, lbl_exp_list with
          None, _ -> None
        | Some sexp, (lbl, _) :: _ ->
            let ty_exp = newvar () in
            let unify_kept lbl =
              if List.for_all (fun (lbl',_) -> lbl'.lbl_pos <> lbl.lbl_pos)
                  lbl_exp_list
              then begin
                let _, ty_arg1, ty_res1 = instance_label false lbl
                and _, ty_arg2, ty_res2 = instance_label false lbl in
                unify env ty_exp ty_res1;
                unify env ty ty_res2;
                unify env ty_arg1 ty_arg2
              end in
            Array.iter unify_kept lbl.lbl_all;
            Some(type_expect env sexp ty_exp)
        | _ -> assert false
      in
      if opt_sexp = None && List.length lid_sexp_list <> !num_fields then begin
        let present_indices =
          List.map (fun (lbl, _) -> lbl.lbl_pos) lbl_exp_list in
        let label_names = extract_label_names sexp env ty in
        let rec missing_labels n = function
            [] -> []
          | lbl :: rem ->
              if List.mem n present_indices then missing_labels (n + 1) rem
              else lbl :: missing_labels (n + 1) rem
        in
        let missing = missing_labels 0 label_names in
        raise(Error(sexp.pexp_loc, Label_missing missing))
      end
      else if opt_sexp <> None && List.length lid_sexp_list = !num_fields then
        Location.prerr_warning sexp.pexp_loc Warnings.Useless_record_with;
      re {
        exp_desc = Texp_record(lbl_exp_list, opt_exp);
        exp_loc = sexp.pexp_loc;
        exp_type = ty;
        exp_env = env }
  | Pexp_field(sarg, lid) ->
      let arg = type_exp env sarg in
      let label =
        try
          Env.lookup_label lid env
        with Not_found ->
          raise(Error(sexp.pexp_loc, Unbound_label lid)) in
      let (_, ty_arg, ty_res) = instance_label false label in
      unify_exp env arg ty_res;
      re {
        exp_desc = Texp_field(arg, label);
        exp_loc = sexp.pexp_loc;
        exp_type = ty_arg;
        exp_env = env }
  | Pexp_setfield(srecord, lid, snewval) ->
      let record = type_exp env srecord in
      let label =
        try
          Env.lookup_label lid env
        with Not_found ->
          raise(Error(sexp.pexp_loc, Unbound_label lid)) in
      if label.lbl_mut = Immutable then
        raise(Error(sexp.pexp_loc, Label_not_mutable lid));
      begin_def ();
      let (vars, ty_arg, ty_res) = instance_label true label in
      unify_exp env record ty_res;
      let newval = type_expect env snewval ty_arg in
      end_def ();
      if vars <> [] && not (is_nonexpansive newval) then
        generalize_expansive env newval.exp_type;
      check_univars env "field value" newval label.lbl_arg vars;
      if label.lbl_private = Private then
        raise(Error(sexp.pexp_loc, Private_label(lid, ty_res)));
      re {
        exp_desc = Texp_setfield(record, label, newval);
        exp_loc = sexp.pexp_loc;
        exp_type = instance Predef.type_unit;
        exp_env = env }
  | Pexp_array(sargl) ->
      let ty = newvar() in
      let argl = List.map (fun sarg -> type_expect env sarg ty) sargl in
      re {
        exp_desc = Texp_array argl;
        exp_loc = sexp.pexp_loc;
        exp_type = instance (Predef.type_array ty);
        exp_env = env }
  | Pexp_ifthenelse(scond, sifso, sifnot) ->
      let cond = type_expect env scond (instance Predef.type_bool) in
      begin match sifnot with
        None ->
          let ifso = type_expect env sifso (instance Predef.type_unit) in
          re {
            exp_desc = Texp_ifthenelse(cond, ifso, None);
            exp_loc = sexp.pexp_loc;
            exp_type = instance Predef.type_unit;
            exp_env = env }
      | Some sifnot ->
          let ifso = type_exp env sifso in
          let ifnot = type_expect env sifnot ifso.exp_type in
          re {
            exp_desc = Texp_ifthenelse(cond, ifso, Some ifnot);
            exp_loc = sexp.pexp_loc;
            exp_type = ifso.exp_type;
            exp_env = env }
      end
  | Pexp_sequence(sexp1, sexp2) ->
      let exp1 = type_statement env sexp1 in
      let exp2 = type_exp env sexp2 in
      re {
        exp_desc = Texp_sequence(exp1, exp2);
        exp_loc = sexp.pexp_loc;
        exp_type = exp2.exp_type;
        exp_env = env }
  | Pexp_while(scond, sannot, sbody) ->
      let cond = type_expect env scond (instance Predef.type_bool) in
      let annot = {
	ws_invariant = (match sannot.pws_invariant with
	  | None -> None
	  | Some x -> Some(type_exp env x));
	ws_variant = (match sannot.pws_variant with
	  | None -> None
	  | Some x -> Some(type_exp env x));
      } in
      let body = type_statement env sbody in
      re {
        exp_desc = Texp_while(cond, annot, body);
        exp_loc = sexp.pexp_loc;
        exp_type = instance Predef.type_unit;
        exp_env = env }
  | Pexp_for(param, slow, shigh, dir, sbody) ->
      let low = type_expect env slow (instance Predef.type_int) in
      let high = type_expect env shigh (instance Predef.type_int) in
      let (id, new_env) =
        Env.enter_value param {val_type = instance Predef.type_int;
                                val_kind = Val_reg} env in
      let body = type_statement new_env sbody in
      re {
        exp_desc = Texp_for(id, low, high, dir, body);
        exp_loc = sexp.pexp_loc;
        exp_type = instance Predef.type_unit;
        exp_env = env }
  | Pexp_constraint(sarg, sty, sty') ->
      let (arg, ty') =
        match (sty, sty') with
          (None, None) ->               (* Case actually unused *)
            let arg = type_exp env sarg in
            (arg, arg.exp_type)
        | (Some sty, None) ->
            if !Clflags.principal then begin_def ();
            let ty = Typetexp.transl_simple_type env false sty in
            if !Clflags.principal then begin
              end_def ();
              generalize_structure ty;
              let ty1 = instance ty and ty2 = instance ty in
              (type_expect env sarg ty1, ty2)
            end else
              (type_expect env sarg ty, ty)
        | (None, Some sty') ->
            let (ty', force) =
              Typetexp.transl_simple_type_delayed env sty'
            in
            let arg = type_exp env sarg in
            begin match arg.exp_desc, !self_coercion, (repr ty').desc with
              Texp_ident(_, {val_kind=Val_self _}), (path,r) :: _,
              Tconstr(path',_,_) when Path.same path path' ->
                r := sexp.pexp_loc :: !r;
                force ()
            | _ ->
                let ty, b = enlarge_type env ty' in
                force ();
                begin try Ctype.unify env arg.exp_type ty with Unify trace ->
                  raise(Error(sarg.pexp_loc,
                        Coercion_failure(ty', full_expand env ty', trace, b)))
                end
            end;
            (arg, ty')
        | (Some sty, Some sty') ->
            let (ty, force) =
              Typetexp.transl_simple_type_delayed env sty
            and (ty', force') =
              Typetexp.transl_simple_type_delayed env sty'
            in
            begin try
              let force'' = subtype env ty ty' in
              force (); force' (); force'' ()
            with Subtype (tr1, tr2) ->
              raise(Error(sexp.pexp_loc, Not_subtype(tr1, tr2)))
            end;
            (type_expect env sarg ty, ty')
      in
      re {
        exp_desc = arg.exp_desc;
        exp_loc = arg.exp_loc;
        exp_type = ty';
        exp_env = env }
  | Pexp_when(scond, sbody) ->
      let cond = type_expect env scond (instance Predef.type_bool) in
      let body = type_exp env sbody in
      re {
        exp_desc = Texp_when(cond, body);
        exp_loc = sexp.pexp_loc;
        exp_type = body.exp_type;
        exp_env = env }
  | Pexp_send (e, met) ->
      if !Clflags.principal then begin_def ();
      let obj = type_exp env e in
      begin try
        let (exp, typ) =
          match obj.exp_desc with
            Texp_ident(path, {val_kind = Val_self (meths, _, _, privty)}) ->
              let (id, typ) =
                filter_self_method env met Private meths privty
              in
              if (repr typ).desc = Tvar then
                Location.prerr_warning sexp.pexp_loc
                  (Warnings.Undeclared_virtual_method met);
              (Texp_send(obj, Tmeth_val id), typ)
          | Texp_ident(path, {val_kind = Val_anc (methods, cl_num)}) ->
              let method_id =
                begin try List.assoc met methods with Not_found ->
                  raise(Error(e.pexp_loc, Undefined_inherited_method met))
                end
              in
              begin match
                Env.lookup_value (Longident.Lident ("selfpat-" ^ cl_num)) env,
                Env.lookup_value (Longident.Lident ("self-" ^cl_num)) env
              with
                (_, ({val_kind = Val_self (meths, _, _, privty)} as desc)),
                (path, _) ->
                  let (_, typ) =
                    filter_self_method env met Private meths privty
                  in
                  let method_type = newvar () in
                  let (obj_ty, res_ty) = filter_arrow env method_type "" in
                  unify env obj_ty desc.val_type;
                  unify env res_ty (instance typ);
                  (Texp_apply({ exp_desc = Texp_ident(Path.Pident method_id,
                                                     {val_type = method_type;
                                                       val_kind = Val_reg});
                                exp_loc = sexp.pexp_loc;
                                exp_type = method_type;
                                exp_env = env },
                              [Some {exp_desc = Texp_ident(path, desc);
                                     exp_loc = obj.exp_loc;
                                     exp_type = desc.val_type;
                                     exp_env = env },
                               Required]),
                   typ)
              |  _ ->
                  assert false
              end
          | _ ->
              (Texp_send(obj, Tmeth_name met),
               filter_method env met Public obj.exp_type)
        in
        if !Clflags.principal then begin
          end_def ();
          generalize_structure typ;
        end;
        let typ =
          match repr typ with
            {desc = Tpoly (ty, [])} ->
              instance ty
          | {desc = Tpoly (ty, tl); level = l} ->
              if !Clflags.principal && l <> generic_level then
                Location.prerr_warning sexp.pexp_loc
                  (Warnings.Not_principal "this use of a polymorphic method");
              snd (instance_poly false tl ty)
          | {desc = Tvar} as ty ->
              let ty' = newvar () in
              unify env (instance ty) (newty(Tpoly(ty',[])));
              (* if not !Clflags.nolabels then
                 Location.prerr_warning loc (Warnings.Unknown_method met); *)
              ty'
          | _ ->
              assert false
        in
          re {
            exp_desc = exp;
            exp_loc = sexp.pexp_loc;
            exp_type = typ;
            exp_env = env }
      with Unify _ ->
        raise(Error(e.pexp_loc, Undefined_method (obj.exp_type, met)))
      end
  | Pexp_new cl ->
      let (cl_path, cl_decl) =
        try Env.lookup_class cl env with Not_found ->
          raise(Error(sexp.pexp_loc, Unbound_class cl))
      in
        begin match cl_decl.cty_new with
          None ->
            raise(Error(sexp.pexp_loc, Virtual_class cl))
        | Some ty ->
            re {
              exp_desc = Texp_new (cl_path, cl_decl);
              exp_loc = sexp.pexp_loc;
              exp_type = instance ty;
              exp_env = env }
        end
  | Pexp_setinstvar (lab, snewval) ->
      begin try
        let (path, desc) = Env.lookup_value (Longident.Lident lab) env in
        match desc.val_kind with
          Val_ivar (Mutable, cl_num) ->
            let newval = type_expect env snewval (instance desc.val_type) in
            let (path_self, _) =
              Env.lookup_value (Longident.Lident ("self-" ^ cl_num)) env
            in
            re {
              exp_desc = Texp_setinstvar(path_self, path, newval);
              exp_loc = sexp.pexp_loc;
              exp_type = instance Predef.type_unit;
              exp_env = env }
        | Val_ivar _ ->
            raise(Error(sexp.pexp_loc, Instance_variable_not_mutable lab))
        | _ ->
            raise(Error(sexp.pexp_loc, Unbound_instance_variable lab))
      with
        Not_found ->
          raise(Error(sexp.pexp_loc, Unbound_instance_variable lab))
      end
  | Pexp_override lst ->
      let _ =
       List.fold_right
        (fun (lab, _) l ->
           if List.exists ((=) lab) l then
             raise(Error(sexp.pexp_loc,
                         Value_multiply_overridden lab));
           lab::l)
        lst
        [] in
      begin match
        try
          Env.lookup_value (Longident.Lident "selfpat-*") env,
          Env.lookup_value (Longident.Lident "self-*") env
        with Not_found ->
          raise(Error(sexp.pexp_loc, Outside_class))
      with
        (_, {val_type = self_ty; val_kind = Val_self (_, vars, _, _)}),
        (path_self, _) ->
          let type_override (lab, snewval) =
            begin try
              let (id, _, _, ty) = Vars.find lab !vars in
              (Path.Pident id, type_expect env snewval (instance ty))
            with
              Not_found ->
                raise(Error(sexp.pexp_loc, Unbound_instance_variable lab))
            end
          in
          let modifs = List.map type_override lst in
          re {
            exp_desc = Texp_override(path_self, modifs);
            exp_loc = sexp.pexp_loc;
            exp_type = self_ty;
            exp_env = env }
      | _ ->
          assert false
      end
  | Pexp_letmodule(name, smodl, sbody) ->
      let ty = newvar() in
      Ident.set_current_time ty.level;
      let context = Typetexp.narrow () in
      let modl = !type_module env smodl in
      let (id, new_env) = Env.enter_module name modl.mod_type env in
      Ctype.init_def(Ident.current_time());
      Typetexp.widen context;
      let body = type_exp new_env sbody in
      (* Unification of body.exp_type with the fresh variable ty
         fails if and only if the prefix condition is violated,
         i.e. if generative types rooted at id show up in the
         type body.exp_type.  Thus, this unification enforces the
         scoping condition on "let module". *)
      begin try
        Ctype.unify new_env body.exp_type ty
      with Unify _ ->
        raise(Error(sexp.pexp_loc, Scoping_let_module(name, body.exp_type)))
      end;
      re {
        exp_desc = Texp_letmodule(id, modl, body);
        exp_loc = sexp.pexp_loc;
        exp_type = ty;
        exp_env = env }
  | Pexp_assert (e) ->
       let cond = type_expect env e (instance Predef.type_bool) in
       re {
         exp_desc = Texp_assert (cond);
         exp_loc = sexp.pexp_loc;
         exp_type = instance Predef.type_unit;
         exp_env = env;
       }
  | Pexp_assertfalse ->
       re {
         exp_desc = Texp_assertfalse;
         exp_loc = sexp.pexp_loc;
         exp_type = newvar ();
         exp_env = env;
       }
  | Pexp_lazy (e) ->
       let arg = type_exp env e in
       re {
         exp_desc = Texp_lazy arg;
         exp_loc = sexp.pexp_loc;
         exp_type = instance (Predef.type_lazy_t arg.exp_type);
         exp_env = env;
       }
  | Pexp_object s ->
      let desc, sign, meths = !type_object env sexp.pexp_loc s in
      re {
        exp_desc = Texp_object (desc, sign, meths);
        exp_loc = sexp.pexp_loc;
        exp_type = sign.cty_self;
        exp_env = env;
      }
  | Pexp_poly _ ->
      assert false
  | Pexp_result ->
      let tr =
	type_exp env { sexp with pexp_desc =
	    Pexp_ident (Longident.Lident "\\result") }
      in
      { tr with exp_desc = Texp_result }
  | Pexp_old e ->
      let te = type_exp env e in
      re {
        exp_desc = Texp_old te;
        exp_loc = sexp.pexp_loc;
        exp_type = te.exp_type;
        exp_env = env;
      }
  | Pexp_implies(a, b) ->
      let ta = type_exp env a in
      try_unify env a.pexp_loc ta.exp_type Predef.type_bool;
      let tb = type_exp env b in
      try_unify env b.pexp_loc tb.exp_type Predef.type_bool;
      re {
	exp_desc = Texp_implies(ta, tb);
	exp_loc = sexp.pexp_loc;
	exp_type = Predef.type_bool;
	exp_env = env;
      }

and type_argument env sarg ty_expected' =
  (* ty_expected' may be generic *)
  let no_labels ty =
    let ls, tvar = list_labels env ty in
    not tvar && List.for_all ((=) "") ls
  in
  let ty_expected = instance ty_expected' in
  match expand_head env ty_expected', sarg with
  | _, {pexp_desc = Pexp_function(l,_,_)} when not (is_optional l) ->
      type_expect env sarg ty_expected
  | {desc = Tarrow("",ty_arg,ty_res,_); level = lv}, _ ->
      (* apply optional arguments when expected type is "" *)
      (* we must be very careful about not breaking the semantics *)
      if !Clflags.principal then begin_def ();
      let texp = type_exp env sarg in
      if !Clflags.principal then begin
        end_def ();
        generalize_structure texp.exp_type
      end;
      let rec make_args args ty_fun =
        match (expand_head env ty_fun).desc with
        | Tarrow (l,ty_arg,ty_fun,_) when is_optional l ->
            make_args
              ((Some(option_none (instance ty_arg) sarg.pexp_loc), Optional)
               :: args)
              ty_fun
        | Tarrow (l,_,ty_res',_) when l = "" || !Clflags.classic ->
            args, ty_fun, no_labels ty_res'
        | Tvar ->  args, ty_fun, false
        |  _ -> [], texp.exp_type, false
      in
      let args, ty_fun', simple_res = make_args [] texp.exp_type in
      let warn = !Clflags.principal &&
        (lv <> generic_level || (repr ty_fun').level <> generic_level)
      and texp = {texp with exp_type = instance texp.exp_type}
      and ty_fun = instance ty_fun' in
      if not (simple_res || no_labels ty_res) then begin
        unify_exp env texp ty_expected;
        texp
      end else begin
      unify_exp env {texp with exp_type = ty_fun} ty_expected;
      if args = [] then texp else
      (* eta-expand to avoid side effects *)
      let var_pair name ty =
        let id = Ident.create name in
        {pat_desc = Tpat_var id; pat_type = ty;
         pat_loc = Location.none; pat_env = env},
        {exp_type = ty; exp_loc = Location.none; exp_env = env; exp_desc =
         Texp_ident(Path.Pident id,{val_type = ty; val_kind = Val_reg})}
      in
      let eta_pat, eta_var = var_pair "eta" ty_arg in
      let func texp =
        { texp with exp_type = ty_fun; exp_desc =
          Texp_function([eta_pat, {texp with exp_type = ty_res; exp_desc =
                                   Texp_apply (texp, args@
                                               [Some eta_var, Required])}],
                        Total) } in
      if warn then Location.prerr_warning texp.exp_loc
          (Warnings.Without_principality "eliminated optional argument");
      if is_nonexpansive texp then func texp else
      (* let-expand to have side effects *)
      let let_pat, let_var = var_pair "let" texp.exp_type in
      re { texp with exp_type = ty_fun; exp_desc =
           Texp_let (Nonrecursive, [let_pat, texp], func let_var) }
      end
  | _ ->
      type_expect env sarg ty_expected

and type_application env funct sargs =
  (* funct.exp_type may be generic *)
  let result_type omitted ty_fun =
    List.fold_left
      (fun ty_fun (l,ty,lv) -> newty2 lv (Tarrow(l,ty,ty_fun,Cok)))
      ty_fun omitted
  in
  let has_label l ty_fun =
    let ls, tvar = list_labels env ty_fun in
    tvar || List.mem l ls
  in
  let ignored = ref [] in
  let rec type_unknown_args args omitted ty_fun = function
      [] ->
        (List.map
           (function None, x -> None, x | Some f, x -> Some (f ()), x)
           (List.rev args),
         instance (result_type omitted ty_fun))
    | (l1, sarg1) :: sargl ->
        let (ty1, ty2) =
          let ty_fun = expand_head env ty_fun in
          match ty_fun.desc with
            Tvar ->
              let t1 = newvar () and t2 = newvar () in
              let not_identity = function
                  Texp_ident(_,{val_kind=Val_prim
                                  {Primitive.prim_name="%identity"}}) ->
                    false
                | _ -> true
              in
              if ty_fun.level >= t1.level && not_identity funct.exp_desc then
                Location.prerr_warning sarg1.pexp_loc Warnings.Unused_argument;
              unify env ty_fun (newty (Tarrow(l1,t1,t2,Clink(ref Cunknown))));
              (t1, t2)
          | Tarrow (l,t1,t2,_) when l = l1
            || !Clflags.classic && l1 = "" && not (is_optional l) ->
              (t1, t2)
          | td ->
              let ty_fun =
                match td with Tarrow _ -> newty td | _ -> ty_fun in
              let ty_res = result_type (omitted @ !ignored) ty_fun in
              match ty_res.desc with
                Tarrow _ ->
                  if (!Clflags.classic || not (has_label l1 ty_fun)) then
                    raise(Error(sarg1.pexp_loc, Apply_wrong_label(l1, ty_res)))
                  else
                    raise(Error(funct.exp_loc, Incoherent_label_order))
              | _ ->
                  raise(Error(funct.exp_loc, Apply_non_function
                                (expand_head env funct.exp_type)))
        in
        let optional = if is_optional l1 then Optional else Required in
        let arg1 () =
          let arg1 = type_expect env sarg1 ty1 in
          if optional = Optional then
            unify_exp env arg1 (type_option(newvar()));
          arg1
        in
        type_unknown_args ((Some arg1, optional) :: args) omitted ty2 sargl
  in
  let ignore_labels =
    !Clflags.classic ||
    begin
      let ls, tvar = list_labels env funct.exp_type in
      not tvar &&
      let labels = List.filter (fun l -> not (is_optional l)) ls in
      List.length labels = List.length sargs &&
      List.for_all (fun (l,_) -> l = "") sargs &&
      List.exists (fun l -> l <> "") labels &&
      (Location.prerr_warning funct.exp_loc Warnings.Labels_omitted;
       true)
    end
  in
  let warned = ref false in
  let rec type_args args omitted ty_fun ty_old sargs more_sargs =
    match expand_head env ty_fun with
      {desc=Tarrow (l, ty, ty_fun, com); level=lv} as ty_fun'
      when (sargs <> [] || more_sargs <> []) && commu_repr com = Cok ->
        let may_warn loc w =
          if not !warned && !Clflags.principal && lv <> generic_level
          then begin
            warned := true;
            Location.prerr_warning loc w
          end
        in
        let name = label_name l
        and optional = if is_optional l then Optional else Required in
        let sargs, more_sargs, arg =
          if ignore_labels && not (is_optional l) then begin
            (* In classic mode, omitted = [] *)
            match sargs, more_sargs with
              (l', sarg0) :: _, _ ->
                raise(Error(sarg0.pexp_loc, Apply_wrong_label(l', ty_old)))
            | _, (l', sarg0) :: more_sargs ->
                if l <> l' && l' <> "" then
                  raise(Error(sarg0.pexp_loc, Apply_wrong_label(l', ty_fun')))
                else
                  ([], more_sargs, Some (fun () -> type_argument env sarg0 ty))
            | _ ->
                assert false
          end else try
            let (l', sarg0, sargs, more_sargs) =
              try
                let (l', sarg0, sargs1, sargs2) = extract_label name sargs in
                if sargs1 <> [] then
                  may_warn sarg0.pexp_loc
                    (Warnings.Not_principal "commuting this argument");
                (l', sarg0, sargs1 @ sargs2, more_sargs)
              with Not_found ->
                let (l', sarg0, sargs1, sargs2) =
                  extract_label name more_sargs in
                if sargs1 <> [] || sargs <> [] then
                  may_warn sarg0.pexp_loc
                    (Warnings.Not_principal "commuting this argument");
                (l', sarg0, sargs @ sargs1, sargs2)
            in
            sargs, more_sargs,
            if optional = Required || is_optional l' then
              Some (fun () -> type_argument env sarg0 ty)
            else begin
              may_warn sarg0.pexp_loc
                (Warnings.Not_principal "using an optional argument here");
              Some (fun () -> option_some (type_argument env sarg0
                                             (extract_option_type env ty)))
            end
          with Not_found ->
            sargs, more_sargs,
            if optional = Optional &&
              (List.mem_assoc "" sargs || List.mem_assoc "" more_sargs)
            then begin
              may_warn funct.exp_loc
                (Warnings.Without_principality "eliminated optional argument");
              ignored := (l,ty,lv) :: !ignored;
              Some (fun () -> option_none (instance ty) Location.none)
            end else begin
              may_warn funct.exp_loc
                (Warnings.Without_principality "commuted an argument");
              None
            end
        in
        let omitted =
          if arg = None then (l,ty,lv) :: omitted else omitted in
        let ty_old = if sargs = [] then ty_fun else ty_old in
        type_args ((arg,optional)::args) omitted ty_fun ty_old sargs more_sargs
    | _ ->
        match sargs with
          (l, sarg0) :: _ when ignore_labels ->
            raise(Error(sarg0.pexp_loc, Apply_wrong_label(l, ty_old)))
        | _ ->
            type_unknown_args args omitted (instance ty_fun)
              (sargs @ more_sargs)
  in
  match funct.exp_desc, sargs with
    (* Special case for ignore: avoid discarding warning *)
    Texp_ident (_, {val_kind=Val_prim{Primitive.prim_name="%ignore"}}),
    ["", sarg] ->
      let ty_arg, ty_res = filter_arrow env (instance funct.exp_type) "" in
      let exp = type_expect env sarg ty_arg in
      begin match (expand_head env exp.exp_type).desc with
      | Tarrow _ ->
          Location.prerr_warning exp.exp_loc Warnings.Partial_application
      | Tvar ->
          add_delayed_check (fun () -> check_application_result env false exp)
      | _ -> ()
      end;
      ([Some exp, Required], ty_res)
  | _ ->
      let ty = funct.exp_type in
      if ignore_labels then
        type_args [] [] ty ty [] sargs
      else
        type_args [] [] ty ty sargs []

and type_construct env loc lid sarg explicit_arity ty_expected =
  let constr =
    try
      Env.lookup_constructor lid env
    with Not_found ->
      raise(Error(loc, Unbound_constructor lid)) in
  let sargs =
    match sarg with
      None -> []
    | Some {pexp_desc = Pexp_tuple sel} when explicit_arity -> sel
    | Some {pexp_desc = Pexp_tuple sel} when constr.cstr_arity > 1 -> sel
    | Some se -> [se] in
  if List.length sargs <> constr.cstr_arity then
    raise(Error(loc, Constructor_arity_mismatch
                  (lid, constr.cstr_arity, List.length sargs)));
  if !Clflags.principal then begin_def ();
  let (ty_args, ty_res) = instance_constructor constr in
  if !Clflags.principal then begin
    end_def ();
    List.iter generalize_structure ty_args;
    generalize_structure ty_res
  end;
  let texp =
    re {
      exp_desc = Texp_construct(constr, []);
      exp_loc = loc;
      exp_type = instance ty_res;
      exp_env = env } in
  unify_exp env texp ty_expected;
  let args = List.map2 (type_argument env) sargs ty_args in
  if constr.cstr_private = Private then
    raise(Error(loc, Private_type ty_res));
  { texp with exp_desc = Texp_construct(constr, args) }

(* Typing of an expression with an expected type.
   Some constructs are treated specially to provide better error messages. *)

and type_expect ?in_function env sexp ty_expected =
  match sexp.pexp_desc with
    Pexp_constant(Const_string s as cst) ->
      let exp =
        re {
          exp_desc = Texp_constant cst;
          exp_loc = sexp.pexp_loc;
          exp_type =
            (* Terrible hack for format strings *)
            begin match (repr (expand_head env ty_expected)).desc with
              Tconstr(path, _, _) when Path.same path Predef.path_format6 ->
                type_format sexp.pexp_loc s
            | _ -> instance Predef.type_string
            end;
          exp_env = env } in
      unify_exp env exp ty_expected;
      exp
  | Pexp_construct(lid, sarg, explicit_arity) ->
      type_construct env sexp.pexp_loc lid sarg explicit_arity ty_expected
  | Pexp_let(rec_flag, spat_sexp_list, sbody) ->
      let (pat_exp_list, new_env) = type_let env rec_flag spat_sexp_list in
      let body = type_expect new_env sbody ty_expected in
      re {
        exp_desc = Texp_let(rec_flag, pat_exp_list, body);
        exp_loc = sexp.pexp_loc;
        exp_type = body.exp_type;
        exp_env = env }
  | Pexp_sequence(sexp1, sexp2) ->
      let exp1 = type_statement env sexp1 in
      let exp2 = type_expect env sexp2 ty_expected in
      re {
        exp_desc = Texp_sequence(exp1, exp2);
        exp_loc = sexp.pexp_loc;
        exp_type = exp2.exp_type;
        exp_env = env }
  | Pexp_function (l, Some default, [spat, sbody]) ->
      let loc = default.pexp_loc in
      let scases =
        [{ppat_loc = loc; ppat_desc =
          Ppat_construct(Longident.Lident"Some",
                         Some{ppat_loc = loc; ppat_desc = Ppat_var"*sth*"},
                         false)},
         {pexp_loc = loc; pexp_desc = Pexp_ident(Longident.Lident"*sth*")};
         {ppat_loc = loc; ppat_desc =
          Ppat_construct(Longident.Lident"None", None, false)},
         default] in
      let smatch =
        {pexp_loc = loc; pexp_desc =
         Pexp_match({pexp_loc = loc; pexp_desc =
                     Pexp_ident(Longident.Lident"*opt*")},
                    scases)} in
      let sfun =
        {pexp_loc = sexp.pexp_loc; pexp_desc =
         Pexp_function(l, None,[{ppat_loc = loc; ppat_desc = Ppat_var"*opt*"},
                                {pexp_loc = sexp.pexp_loc; pexp_desc =
                                 Pexp_let(Default, [spat, smatch], sbody)}])}
      in
      type_expect ?in_function env sfun ty_expected
  | Pexp_function (l, _, caselist) ->
      let (loc, ty_fun) =
        match in_function with Some p -> p
        | None -> (sexp.pexp_loc, ty_expected)
      in
      let (ty_arg, ty_res) =
        try filter_arrow env ty_expected l
        with Unify _ ->
          match expand_head env ty_expected with
            {desc = Tarrow _} as ty ->
              raise(Error(sexp.pexp_loc, Abstract_wrong_label(l, ty)))
          | _ ->
              raise(Error(loc,
                          Too_many_arguments (in_function <> None, ty_fun)))
      in
      let ty_arg =
        if is_optional l then
          let tv = newvar() in
          begin
            try unify env ty_arg (type_option tv)
            with Unify _ -> assert false
          end;
          type_option tv
        else ty_arg
      in
      let cases, partial =
        type_cases ~in_function:(loc,ty_fun) env ty_arg ty_res
          (Some sexp.pexp_loc) caselist in
      let not_function ty =
        let ls, tvar = list_labels env ty in
        ls = [] && not tvar
      in
      if is_optional l && not_function ty_res then
        Location.prerr_warning (fst (List.hd cases)).pat_loc
          Warnings.Unerasable_optional_argument;
      re {
        exp_desc = Texp_function(cases, partial);
        exp_loc = sexp.pexp_loc;
        exp_type = newty (Tarrow(l, ty_arg, ty_res, Cok));
        exp_env = env }
  | Pexp_when(scond, sbody) ->
      let cond = type_expect env scond (instance Predef.type_bool) in
      let body = type_expect env sbody ty_expected in
      re {
        exp_desc = Texp_when(cond, body);
        exp_loc = sexp.pexp_loc;
        exp_type = body.exp_type;
        exp_env = env }
  | Pexp_poly(sbody, sty) ->
      let ty =
        match sty with None -> repr ty_expected
        | Some sty ->
            let ty = Typetexp.transl_simple_type env false sty in
            repr ty
      in
      let set_type ty =
        unify_exp env
          { exp_desc = Texp_tuple []; exp_loc = sexp.pexp_loc;
            exp_type = ty; exp_env = env } ty_expected in
      begin
        match ty.desc with
          Tpoly (ty', []) ->
            if sty <> None then set_type ty;
            let exp = type_expect env sbody ty' in
            re { exp with exp_type = ty }
        | Tpoly (ty', tl) ->
            if sty <> None then set_type ty;
            (* One more level to generalize locally *)
            begin_def ();
            let vars, ty'' = instance_poly true tl ty' in
            let exp = type_expect env sbody ty'' in
            end_def ();
            check_univars env "method" exp ty_expected vars;
            re { exp with exp_type = ty }
        | _ -> assert false
      end
  | _ ->
      let exp = type_exp env sexp in
      unify_exp env exp ty_expected;
      exp

(* Typing of statements (expressions whose values are discarded) *)

and type_statement env sexp =
  begin_def();
  let exp = type_exp env sexp in
  end_def();
  let ty = expand_head env exp.exp_type and tv = newvar() in
  begin match ty.desc with
  | Tarrow _ ->
      Location.prerr_warning sexp.pexp_loc Warnings.Partial_application
  | Tconstr (p, _, _) when Path.same p Predef.path_unit -> ()
  | Tvar when ty.level > tv.level ->
      Location.prerr_warning sexp.pexp_loc Warnings.Nonreturning_statement
  | Tvar ->
      add_delayed_check (fun () -> check_application_result env true exp)
  | _ ->
      Location.prerr_warning sexp.pexp_loc Warnings.Statement_type
  end;
  unify_var env tv ty;
  exp

(* Typing of match cases *)

and type_cases ?in_function env ty_arg ty_res partial_loc caselist =
  let ty_arg' = newvar () in
  let pattern_force = ref [] in
  let pat_env_list =
    List.map
      (fun (spat, sexp) ->
        if !Clflags.principal then begin_def ();
        let (pat, ext_env, force) = type_pattern env spat in
        pattern_force := force @ !pattern_force;
        let pat =
          if !Clflags.principal then begin
            end_def ();
            iter_pattern (fun {pat_type=t} -> generalize_structure t) pat;
            { pat with pat_type = instance pat.pat_type }
          end else pat
        in
        unify_pat env pat ty_arg';
        (pat, ext_env))
      caselist in
  (* Check for polymorphic variants to close *)
  let patl = List.map fst pat_env_list in
  if List.exists has_variants patl then begin
    Parmatch.pressure_variants env patl;
    List.iter (iter_pattern finalize_variant) patl
  end;
  (* `Contaminating' unifications start here *)
  List.iter (fun f -> f()) !pattern_force;
  begin match pat_env_list with [] -> ()
  | (pat, _) :: _ -> unify_pat env pat ty_arg
  end;
  let in_function = if List.length caselist = 1 then in_function else None in
  let cases =
    List.map2
      (fun (pat, ext_env) (spat, sexp) ->
        let exp = type_expect ?in_function ext_env sexp ty_res in
        (pat, exp))
      pat_env_list caselist
  in
  let partial =
    match partial_loc with None -> Partial
    | Some loc -> Parmatch.check_partial loc cases
  in
  add_delayed_check (fun () -> Parmatch.check_unused env cases);
  cases, partial

(* Typing of let bindings *)

and type_let env rec_flag spat_sexp_list =
  begin_def();
  if !Clflags.principal then begin_def ();
  let (pat_list, new_env, force) =
    type_pattern_list env (List.map (fun (spat, sexp) -> spat) spat_sexp_list)
  in
  if rec_flag = Recursive then
    List.iter2
      (fun pat (_, sexp) -> unify_pat env pat (type_approx env sexp))
      pat_list spat_sexp_list;
  let pat_list =
    if !Clflags.principal then begin
      end_def ();
      List.map
        (fun pat ->
          iter_pattern (fun pat -> generalize_structure pat.pat_type) pat;
          {pat with pat_type = instance pat.pat_type})
        pat_list
    end else pat_list in
  (* Polymoprhic variant processing *)
  List.iter
    (fun pat ->
      if has_variants pat then begin
        Parmatch.pressure_variants env [pat];
        iter_pattern finalize_variant pat
      end)
    pat_list;
  (* Only bind pattern variables after generalizing *)
  List.iter (fun f -> f()) force;
  let exp_env =
    match rec_flag with Nonrecursive | Default -> env | Recursive -> new_env in
  let exp_list =
    List.map2
      (fun (spat, sexp) pat -> type_expect exp_env sexp pat.pat_type)
      spat_sexp_list pat_list in
  List.iter2
    (fun pat exp -> ignore(Parmatch.check_partial pat.pat_loc [pat, exp]))
    pat_list exp_list;
  end_def();
  List.iter2
    (fun pat exp ->
       if not (is_nonexpansive exp) then
         iter_pattern (fun pat -> generalize_expansive env pat.pat_type) pat)
    pat_list exp_list;
  List.iter
    (fun pat -> iter_pattern (fun pat -> generalize pat.pat_type) pat)
    pat_list;
  (List.combine pat_list exp_list, new_env)

(* Typing of toplevel bindings *)

let type_binding env rec_flag spat_sexp_list =
  Typetexp.reset_type_variables();
  type_let env rec_flag spat_sexp_list

(* Typing of toplevel expressions *)

let type_expression env sexp =
  Typetexp.reset_type_variables();
  begin_def();
  let exp = type_exp env sexp in
  end_def();
  if is_nonexpansive exp then generalize exp.exp_type
  else generalize_expansive env exp.exp_type;
  exp

(* Typing of specifications *)

let type_pattern_with env pat ty =
  (* type the pattern (ie: bind variables) *)
  let (typed_pat, body_env, force) = type_pattern env pat in
  unify_pat body_env typed_pat ty;
  (* Polymorphic variant processing (copied from "type_let") *)
  if has_variants typed_pat then begin
    Parmatch.pressure_variants env [ typed_pat ];
    iter_pattern finalize_variant typed_pat
  end;
  (* Copied from type_let (???) *)
  List.iter (fun f -> f()) force;
  typed_pat, body_env

let type_pattern_force env pat =
  (* type the pattern (ie: bind variables) *)
  let (typed_pat, body_env, force) = type_pattern env pat in
  (* Polymorphic variant processing (copied from "type_let") *)
  if has_variants typed_pat then begin
    Parmatch.pressure_variants env [ typed_pat ];
    iter_pattern finalize_variant typed_pat
  end;
  (* Copied from type_let (???) *)
  List.iter (fun f -> f()) force;
  typed_pat, body_env

let type_pattern_list_force env pats =
  List.fold_right
    (fun pat (env, args) ->
       let pat2, env2 = type_pattern_force env pat in
       env2, pat2::args)
    pats
    (env, [])

let type_expression_with env expr ty =
  let te = type_expression env expr in
  try_unify env te.exp_loc te.exp_type ty;
  te

let env_enter_function name args body env =
  let ty = List.fold_right
    (fun arg acc -> newgenty (Tarrow("", arg, acc, Cunknown)))
    args
    body
  in
  let d = {
    val_type = ty;
    val_kind = Val_reg;
  } in
  Env.enter_value name d env

let type_invariant env ty pti =
  let pat, body_env = type_pattern_with env pti.pti_argument ty in
  let body = type_expression_with body_env pti.pti_body Predef.type_bool in
  let id, new_env =
    env_enter_function pti.pti_name [ ty ] Predef.type_bool env in
  new_env, {
    ti_name = id;
    ti_argument = pat;
    ti_body = body;
  }

let type_axiom env axs =
  let body_env, args = type_pattern_list_force env axs.pas_arguments in
  let body = type_expression_with body_env axs.pas_body Predef.type_bool in
  {
    as_name = axs.pas_name;
    as_arguments = args;
    as_body = body;
  }

let rec type_read_location env = function
  | PRLvar x ->
      let path, _ = Env.lookup_value (Longident.Lident x) env in
      RLvar path
  | PRLderef(rl, lbl) ->
      let tlbl = Env.lookup_label (Longident.Lident lbl) env in
      RLderef(type_read_location env rl, tlbl)

let type_logic_function env loc lfs =
  let body_env, args = type_pattern_list_force env lfs.plfs_arguments in
  let body, return_type = match lfs.plfs_body, lfs.plfs_return_type with
    | POBreads _, None ->
	raise (Error(loc, Cannot_infer_logic_function_type lfs.plfs_name))
    | POBreads rll, Some ty ->
	OBreads(List.map (type_read_location body_env) rll),
	Typetexp.transl_simple_type env false ty
    | POBbody e, None ->
	let te = type_expression body_env e in
	OBbody(te), te.exp_type
    | POBbody e, Some ty ->
	let tty = Typetexp.transl_simple_type env false ty in
	let te = type_expression_with body_env e tty in
	OBbody(te), te.exp_type
  in
  let id, new_env = env_enter_function
    lfs.plfs_name
    (List.map (fun pat -> pat.pat_type) args)
    return_type
    env
  in
  new_env, {
    lfs_name = id;
    lfs_arguments = args;
    lfs_return_type = return_type;
    lfs_body = body;
    lfs_predicate = lfs.plfs_predicate;
  }

(* Error report *)

open Format
open Printtyp

let report_error ppf = function
  | Unbound_value lid ->
      fprintf ppf "Unbound value %a" longident lid
  | Unbound_constructor lid ->
      fprintf ppf "Unbound constructor %a" longident lid
  | Unbound_label lid ->
      fprintf ppf "Unbound record field label %a" longident lid
  | Polymorphic_label lid ->
      fprintf ppf "@[The record field label %a is polymorphic.@ %s@]"
        longident lid "You cannot instantiate it in a pattern."
  | Constructor_arity_mismatch(lid, expected, provided) ->
      fprintf ppf
       "@[The constructor %a@ expects %i argument(s),@ \
        but is here applied to %i argument(s)@]"
       longident lid expected provided
  | Label_mismatch(lid, trace) ->
      report_unification_error ppf trace
        (function ppf ->
           fprintf ppf "The record field label %a@ belongs to the type"
                   longident lid)
        (function ppf ->
           fprintf ppf "but is here mixed with labels of type")
  | Pattern_type_clash trace ->
      report_unification_error ppf trace
        (function ppf ->
           fprintf ppf "This pattern matches values of type")
        (function ppf ->
           fprintf ppf "but is here used to match values of type")
  | Multiply_bound_variable ->
      fprintf ppf "This variable is bound several times in this matching"
  | Orpat_vars id ->
      fprintf ppf "Variable %s must occur on both sides of this | pattern"
        (Ident.name id)
  | Expr_type_clash trace ->
      report_unification_error ppf trace
        (function ppf ->
           fprintf ppf "This expression has type")
        (function ppf ->
           fprintf ppf "but is here used with type")
  | Apply_non_function typ ->
      begin match (repr typ).desc with
        Tarrow _ ->
          fprintf ppf "This function is applied to too many arguments,@ ";
          fprintf ppf "maybe you forgot a `;'"
      | _ ->
          fprintf ppf
            "This expression is not a function, it cannot be applied"
      end
  | Apply_wrong_label (l, ty) ->
      let print_label ppf = function
        | "" -> fprintf ppf "without label"
        | l ->
            fprintf ppf "with label %s%s" (if is_optional l then "" else "~") l
      in
      reset_and_mark_loops ty;
      fprintf ppf
        "@[@[<2>Expecting function has type@ %a@]@.\
          This argument cannot be applied %a@]"
        type_expr ty print_label l
  | Label_multiply_defined lid ->
      fprintf ppf "The record field label %a is defined several times"
              longident lid
  | Label_missing labels ->
      let print_labels ppf = List.iter (fun lbl -> fprintf ppf "@ %s" lbl) in
      fprintf ppf "@[Some record field labels are undefined:%a@]"
        print_labels labels
  | Label_not_mutable lid ->
      fprintf ppf "The record field label %a is not mutable" longident lid
  | Incomplete_format s ->
      fprintf ppf "Premature end of format string ``%S''" s
  | Bad_conversion (fmt, i, c) ->
      fprintf ppf
        "Bad conversion %%%c, at char number %d \
         in format string ``%s''" c i fmt
  | Undefined_method (ty, me) ->
      reset_and_mark_loops ty;
      fprintf ppf
        "@[@[This expression has type@;<1 2>%a@]@,\
         It has no method %s@]" type_expr ty me
  | Undefined_inherited_method me ->
      fprintf ppf "This expression has no method %s" me
  | Unbound_class cl ->
      fprintf ppf "Unbound class %a" longident cl
  | Virtual_class cl ->
      fprintf ppf "One cannot create instances of the virtual class %a"
        longident cl
  | Unbound_instance_variable v ->
      fprintf ppf "Unbound instance variable %s" v
  | Instance_variable_not_mutable v ->
      fprintf ppf "The instance variable %s is not mutable" v
  | Not_subtype(tr1, tr2) ->
      report_subtyping_error ppf tr1 "is not a subtype of type" tr2
  | Outside_class ->
      fprintf ppf "This object duplication occurs outside a method definition"
  | Value_multiply_overridden v ->
      fprintf ppf "The instance variable %s is overridden several times" v
  | Coercion_failure (ty, ty', trace, b) ->
      report_unification_error ppf trace
        (function ppf ->
           let ty, ty' = prepare_expansion (ty, ty') in
           fprintf ppf
             "This expression cannot be coerced to type@;<1 2>%a;@ it has type"
           (type_expansion ty) ty')
        (function ppf ->
           fprintf ppf "but is here used with type");
      if b then
        fprintf ppf ".@.@[%s@ %s@]"
          "This simple coercion was not fully general."
          "Consider using a double coercion."
  | Too_many_arguments (in_function, ty) ->
      reset_and_mark_loops ty;
      if in_function then begin
        fprintf ppf "This function expects too many arguments,@ ";
        fprintf ppf "it should have type@ %a"
          type_expr ty
      end else begin
        fprintf ppf "This expression should not be a function,@ ";
        fprintf ppf "the expected type is@ %a"
          type_expr ty
      end
  | Abstract_wrong_label (l, ty) ->
      let label_mark = function
        | "" -> "but its first argument is not labeled"
        |  l -> sprintf "but its first argument is labeled ~%s" l in
      reset_and_mark_loops ty;
      fprintf ppf "@[@[<2>This function should have type@ %a@]@,%s@]"
      type_expr ty (label_mark l)
  | Scoping_let_module(id, ty) ->
      reset_and_mark_loops ty;
      fprintf ppf
       "This `let module' expression has type@ %a@ " type_expr ty;
      fprintf ppf
       "In this type, the locally bound module name %s escapes its scope" id
  | Masked_instance_variable lid ->
      fprintf ppf
        "The instance variable %a@ \
         cannot be accessed from the definition of another instance variable"
        longident lid
  | Private_type ty ->
      fprintf ppf "Cannot create values of the private type %a" type_expr ty
  | Private_label (lid, ty) ->
      fprintf ppf "Cannot assign field %a of the private type %a"
        longident lid type_expr ty
  | Not_a_variant_type lid ->
      fprintf ppf "The type %a@ is not a variant type" longident lid
  | Incoherent_label_order ->
      fprintf ppf "This function is applied to arguments@ ";
      fprintf ppf "in an order different from other calls.@ ";
      fprintf ppf "This is only allowed when the real type is known."
  | Less_general (kind, trace) ->
      report_unification_error ppf trace
        (fun ppf -> fprintf ppf "This %s has type" kind)
        (fun ppf -> fprintf ppf "which is less general than")
  | Cannot_infer_logic_function_type id ->
      fprintf ppf "Cannot infer return type for logic function %s" id
why-2.34/ml/typing/unused_var.ml0000644000175000017500000002133512311670312015250 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*           Damien Doligez, projet Cristal, INRIA Rocquencourt        *)
(*                                                                     *)
(*  Copyright 2004 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: unused_var.ml,v 1.7 2007-12-20 15:00:39 bardou Exp $ *)

open Parsetree

let silent v = String.length v > 0 && v.[0] = '_';;

let add_vars tbl (vll1, vll2) =
  let add_var (v, _loc, used) = Hashtbl.add tbl v used in
  List.iter add_var vll1;
  List.iter add_var vll2;
;;

let rm_vars tbl (vll1, vll2) =
  let rm_var (v, _, _) = Hashtbl.remove tbl v in
  List.iter rm_var vll1;
  List.iter rm_var vll2;
;;

let w_suspicious x = Warnings.Unused_var x;;
let w_strict x = Warnings.Unused_var_strict x;;

let check_rm_vars ppf tbl (vlul_pat, vlul_as) =
  let check_rm_var kind (v, loc, used) =
    if not !used && not (silent v)
    then Location.print_warning loc ppf (kind v);
    Hashtbl.remove tbl v;
  in
  List.iter (check_rm_var w_strict) vlul_pat;
  List.iter (check_rm_var w_suspicious) vlul_as;
;;

let check_rm_let ppf tbl vlulpl =
  let check_rm_one flag (v, loc, used) =
    Hashtbl.remove tbl v;
    flag && (silent v || not !used)
  in
  let warn_var w_kind (v, loc, used) =
    if not (silent v) && not !used
    then Location.print_warning loc ppf (w_kind v)
  in
  let check_rm_pat (def, def_as) =
    let def_unused = List.fold_left check_rm_one true def in
    let all_unused = List.fold_left check_rm_one def_unused def_as in
    List.iter (warn_var (if all_unused then w_suspicious else w_strict)) def;
    List.iter (warn_var w_suspicious) def_as;
  in
  List.iter check_rm_pat vlulpl;
;;

let rec get_vars ((vacc, asacc) as acc) p =
  match p.ppat_desc with
  | Ppat_any -> acc
  | Ppat_var v -> ((v, p.ppat_loc, ref false) :: vacc, asacc)
  | Ppat_alias (pp, v) ->
      get_vars (vacc, ((v, p.ppat_loc, ref false) :: asacc)) pp
  | Ppat_constant _ -> acc
  | Ppat_tuple pl -> List.fold_left get_vars acc pl
  | Ppat_construct (_, po, _) -> get_vars_option acc po
  | Ppat_variant (_, po) -> get_vars_option acc po
  | Ppat_record ipl ->
      List.fold_left (fun a (_, p) -> get_vars a p) acc ipl
  | Ppat_array pl -> List.fold_left get_vars acc pl
  | Ppat_or (p1, _p2) -> get_vars acc p1
  | Ppat_constraint (pp, _) -> get_vars acc pp
  | Ppat_type _ -> acc

and get_vars_option acc po =
  match po with
  | Some p -> get_vars acc p
  | None -> acc
;;

let get_pel_vars pel =
  List.map (fun (p, _) -> get_vars ([], []) p) pel
;;

let rec structure ppf tbl l =
  List.iter (structure_item ppf tbl) l

and structure_item ppf tbl s =
  match s.pstr_desc with
  | Pstr_eval e -> expression ppf tbl e;
  | Pstr_value (recflag, pel) -> let_pel ppf tbl recflag pel None;
  | Pstr_primitive _ -> ()
  | Pstr_type _ -> ()
  | Pstr_exception _ -> ()
  | Pstr_exn_rebind _ -> ()
  | Pstr_module (_, me) -> module_expr ppf tbl me;
  | Pstr_recmodule stml ->
      List.iter (fun (_, _, me) -> module_expr ppf tbl me) stml;
  | Pstr_modtype _ -> ()
  | Pstr_open _ -> ()
  | Pstr_class cdl -> List.iter (class_declaration ppf tbl) cdl;
  | Pstr_class_type _ -> ()
  | Pstr_include _ -> ()
  | Pstr_function_spec _ -> ()
  | Pstr_type_spec _ -> ()
  | Pstr_logic_function_spec _ -> ()
  | Pstr_logic_type_spec _ -> ()
  | Pstr_axiom_spec _ -> ()

and expression ppf tbl e =
  match e.pexp_desc with
  | Pexp_ident (Longident.Lident id) ->
      begin try (Hashtbl.find tbl id) := true;
      with Not_found -> ()
      end;
  | Pexp_ident _ -> ()
  | Pexp_constant _ -> ()
  | Pexp_let (recflag, pel, e) ->
      let_pel ppf tbl recflag pel (Some (fun ppf tbl -> expression ppf tbl e));
  | Pexp_function (_, eo, pel) ->
      expression_option ppf tbl eo;
      match_pel ppf tbl pel;
  | Pexp_apply (e, lel) ->
      expression ppf tbl e;
      List.iter (fun (_, e) -> expression ppf tbl e) lel;
  | Pexp_match (e, pel) ->
      expression ppf tbl e;
      match_pel ppf tbl pel;
  | Pexp_try (e, pel) ->
      expression ppf tbl e;
      match_pel ppf tbl pel;
  | Pexp_tuple el -> List.iter (expression ppf tbl) el;
  | Pexp_construct (_, eo, _) -> expression_option ppf tbl eo;
  | Pexp_variant (_, eo) -> expression_option ppf tbl eo;
  | Pexp_record (iel, eo) ->
      List.iter (fun (_, e) -> expression ppf tbl e) iel;
      expression_option ppf tbl eo;
  | Pexp_field (e, _) -> expression ppf tbl e;
  | Pexp_setfield (e1, _, e2) ->
      expression ppf tbl e1;
      expression ppf tbl e2;
  | Pexp_array el -> List.iter (expression ppf tbl) el;
  | Pexp_ifthenelse (e1, e2, eo) ->
      expression ppf tbl e1;
      expression ppf tbl e2;
      expression_option ppf tbl eo;
  | Pexp_sequence (e1, e2) ->
      expression ppf tbl e1;
      expression ppf tbl e2;
  | Pexp_while (e1, _, e2) ->
      expression ppf tbl e1;
      expression ppf tbl e2;
  | Pexp_for (id, e1, e2, _, e3) ->
      expression ppf tbl e1;
      expression ppf tbl e2;
      let defined = ([ (id, e.pexp_loc, ref true) ], []) in
      add_vars tbl defined;
      expression ppf tbl e3;
      check_rm_vars ppf tbl defined;
  | Pexp_constraint (e, _, _) -> expression ppf tbl e;
  | Pexp_when (e1, e2) ->
      expression ppf tbl e1;
      expression ppf tbl e2;
  | Pexp_send (e, _) -> expression ppf tbl e;
  | Pexp_new _ -> ()
  | Pexp_setinstvar (_, e) -> expression ppf tbl e;
  | Pexp_override sel -> List.iter (fun (_, e) -> expression ppf tbl e) sel;
  | Pexp_letmodule (_, me, e) ->
      module_expr ppf tbl me;
      expression ppf tbl e;
  | Pexp_assert e -> expression ppf tbl e;
  | Pexp_assertfalse -> ()
  | Pexp_lazy e -> expression ppf tbl e;
  | Pexp_poly (e, _) -> expression ppf tbl e;
  | Pexp_object cs -> class_structure ppf tbl cs;
  | Pexp_result
  | Pexp_old _
  | Pexp_implies _ -> ()

and expression_option ppf tbl eo =
  match eo with
  | Some e -> expression ppf tbl e;
  | None -> ()

and let_pel ppf tbl recflag pel body =
  match recflag with
  | Asttypes.Recursive ->
      let defined = get_pel_vars pel in
      List.iter (add_vars tbl) defined;
      List.iter (fun (_, e) -> expression ppf tbl e) pel;
      begin match body with
      | None ->
          List.iter (rm_vars tbl) defined;
      | Some f ->
          f ppf tbl;
          check_rm_let ppf tbl defined;
      end;
  | _ ->
      List.iter (fun (_, e) -> expression ppf tbl e) pel;
      begin match body with
      | None -> ()
      | Some f ->
          let defined = get_pel_vars pel in
          List.iter (add_vars tbl) defined;
          f ppf tbl;
          check_rm_let ppf tbl defined;
      end;

and match_pel ppf tbl pel =
  List.iter (match_pe ppf tbl) pel

and match_pe ppf tbl (p, e) =
 let defined = get_vars ([], []) p in
  add_vars tbl defined;
  expression ppf tbl e;
  check_rm_vars ppf tbl defined;

and module_expr ppf tbl me =
  match me.pmod_desc with
  | Pmod_ident _ -> ()
  | Pmod_structure s -> structure ppf tbl s
  | Pmod_functor (_, _, me) -> module_expr ppf tbl me
  | Pmod_apply (me1, me2) ->
      module_expr ppf tbl me1;
      module_expr ppf tbl me2;
  | Pmod_constraint (me, _) -> module_expr ppf tbl me

and class_declaration ppf tbl cd = class_expr ppf tbl cd.pci_expr

and class_expr ppf tbl ce =
  match ce.pcl_desc with
  | Pcl_constr _ -> ()
  | Pcl_structure cs -> class_structure ppf tbl cs;
  | Pcl_fun (_, _, _, ce) -> class_expr ppf tbl ce;
  | Pcl_apply (ce, lel) ->
      class_expr ppf tbl ce;
      List.iter (fun (_, e) -> expression ppf tbl e) lel;
  | Pcl_let (recflag, pel, ce) ->
      let_pel ppf tbl recflag pel (Some (fun ppf tbl -> class_expr ppf tbl ce));
  | Pcl_constraint (ce, _) -> class_expr ppf tbl ce;

and class_structure ppf tbl (p, cfl) =
  let defined = get_vars ([], []) p in
  add_vars tbl defined;
  List.iter (class_field ppf tbl) cfl;
  check_rm_vars ppf tbl defined;

and class_field ppf tbl cf =
  match cf with
  | Pcf_inher (ce, _) -> class_expr ppf tbl ce;
  | Pcf_val (_, _, e, _) -> expression ppf tbl e;
  | Pcf_virt _ | Pcf_valvirt _ -> ()
  | Pcf_meth (_, _, e, _) -> expression ppf tbl e;
  | Pcf_cstr _ -> ()
  | Pcf_let (recflag, pel, _) -> let_pel ppf tbl recflag pel None;
  | Pcf_init e -> expression ppf tbl e;
;;

let warn ppf ast =
  if Warnings.is_active (w_suspicious "") || Warnings.is_active (w_strict "")
  then begin
    let tbl = Hashtbl.create 97 in
    structure ppf tbl ast;
  end;
  ast
;;
why-2.34/ml/typing/outcometree2.mli0000644000175000017500000000757212311670312015672 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*     Daniel de Rauglaudre, projet Cristal, INRIA Rocquencourt        *)
(*                                                                     *)
(*  Copyright 2001 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: outcometree2.mli,v 1.1 2008-02-19 15:53:36 bardou Exp $ *)

(* Module [Outcometree2]: results displayed by the toplevel *)

(* These types represent messages that the toplevel displays as normal
   results or errors. The real displaying is customisable using the hooks:
      [Toploop.print_out_value]
      [Toploop.print_out_type]
      [Toploop.print_out_sig_item]
      [Toploop.print_out_phrase] *)

type out_ident =
  | Oide_apply of out_ident * out_ident
  | Oide_dot of out_ident * string
  | Oide_ident of string

type out_value =
  | Oval_array of out_value list
  | Oval_char of char
  | Oval_constr of out_ident * out_value list
  | Oval_ellipsis
  | Oval_float of float
  | Oval_int of int
  | Oval_int32 of int32
  | Oval_int64 of int64
  | Oval_nativeint of nativeint
  | Oval_list of out_value list
  | Oval_printer of (Format.formatter -> unit)
  | Oval_record of (out_ident * out_value) list
  | Oval_string of string
  | Oval_stuff of string
  | Oval_tuple of out_value list
  | Oval_variant of string * out_value option

type out_type =
  | Otyp_abstract
  | Otyp_alias of out_type * string
  | Otyp_arrow of string * out_type * out_type
  | Otyp_class of bool * out_ident * out_type list
  | Otyp_constr of out_ident * out_type list
  | Otyp_manifest of out_type * out_type
  | Otyp_object of (string * out_type) list * bool option
  | Otyp_record of (string * bool * out_type) list
  | Otyp_stuff of string
  | Otyp_sum of (string * out_type list) list
  | Otyp_tuple of out_type list
  | Otyp_var of bool * string
  | Otyp_variant of
      bool * out_variant * bool * (string list) option
  | Otyp_poly of string list * out_type
and out_variant =
  | Ovar_fields of (string * bool * out_type list) list
  | Ovar_name of out_ident * out_type list

type out_class_type =
  | Octy_constr of out_ident * out_type list
  | Octy_fun of string * out_type * out_class_type
  | Octy_signature of out_type option * out_class_sig_item list
and out_class_sig_item =
  | Ocsg_constraint of out_type * out_type
  | Ocsg_method of string * bool * bool * out_type
  | Ocsg_value of string * bool * bool * out_type

type out_module_type =
  | Omty_abstract
  | Omty_functor of string * out_module_type * out_module_type
  | Omty_ident of out_ident
  | Omty_signature of out_sig_item list
and out_sig_item =
  | Osig_class of
      bool * string * (string * (bool * bool)) list * out_class_type *
        out_rec_status
  | Osig_class_type of
      bool * string * (string * (bool * bool)) list * out_class_type *
        out_rec_status
  | Osig_exception of string * out_type list
  | Osig_modtype of string * out_module_type
  | Osig_module of string * out_module_type * out_rec_status
  | Osig_type of out_type_decl * out_rec_status
  | Osig_value of string * out_type * string list
and out_type_decl =
  string * (string * (bool * bool)) list * out_type * Asttypes.private_flag *
  (out_type * out_type) list
and out_rec_status =
  | Orec_not
  | Orec_first
  | Orec_next

type out_phrase =
  | Ophr_eval of out_value * out_type
  | Ophr_signature of (out_sig_item * out_value option) list
  | Ophr_exception of (exn * out_value)
why-2.34/ml/typing/subst.mli0000644000175000017500000000434112311670312014404 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: subst.mli,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* Substitutions *)

open Types

type t

(*
   Substitutions are used to translate a type from one context to
   another.  This requires substituing paths for identifiers, and
   possibly also lowering the level of non-generic variables so that
   it be inferior to the maximum level of the new context.

   Substitutions can also be used to create a "clean" copy of a type.
   Indeed, non-variable node of a type are duplicated, with their
   levels set to generic level.  That way, the resulting type is
   well-formed (decreasing levels), even if the original one was not.
*)

val identity: t

val add_type: Ident.t -> Path.t -> t -> t
val add_module: Ident.t -> Path.t -> t -> t
val add_modtype: Ident.t -> module_type -> t -> t
val for_saving: t -> t
val reset_for_saving: unit -> unit

val type_expr: t -> type_expr -> type_expr
val class_type: t -> class_type -> class_type
val value_description: t -> value_description -> value_description
val type_declaration: t -> type_declaration -> type_declaration
val exception_declaration:
        t -> exception_declaration -> exception_declaration
val class_declaration: t -> class_declaration -> class_declaration
val cltype_declaration: t -> cltype_declaration -> cltype_declaration
val modtype: t -> module_type -> module_type
val signature: t -> signature -> signature
val modtype_declaration: t -> modtype_declaration -> modtype_declaration
why-2.34/ml/typing/includecore.ml0000644000175000017500000001516712311670312015377 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: includecore.ml,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Inclusion checks for the core language *)

open Misc
open Asttypes
open Path
open Types
open Typedtree

(* Inclusion between value descriptions *)

exception Dont_match

let value_descriptions env vd1 vd2 =
  if Ctype.moregeneral env true vd1.val_type vd2.val_type then begin
    match (vd1.val_kind, vd2.val_kind) with
        (Val_prim p1, Val_prim p2) ->
          if p1 = p2 then Tcoerce_none else raise Dont_match
      | (Val_prim p, _) -> Tcoerce_primitive p
      | (_, Val_prim p) -> raise Dont_match
      | (_, _) -> Tcoerce_none
  end else
    raise Dont_match

(* Inclusion between "private" annotations *)

let private_flags priv1 priv2 =
  match (priv1, priv2) with (Private, Public) -> false | (_, _) -> true

(* Inclusion between manifest types (particularly for private row types) *)

let is_absrow env ty =
  match ty.desc with
    Tconstr(Pident id, _, _) ->
      begin match Ctype.expand_head env ty with
        {desc=Tobject _|Tvariant _} -> true
      | _ -> false
      end
  | _ -> false

let type_manifest env ty1 params1 ty2 params2 =
  let ty1' = Ctype.expand_head env ty1 and ty2' = Ctype.expand_head env ty2 in
  match ty1'.desc, ty2'.desc with
    Tvariant row1, Tvariant row2 when is_absrow env (Btype.row_more row2) ->
      let row1 = Btype.row_repr row1 and row2 = Btype.row_repr row2 in
      Ctype.equal env true (ty1::params1) (row2.row_more::params2) &&
      (match row1.row_more with	{desc=Tvar|Tconstr _} -> true | _ -> false) &&
      let r1, r2, pairs =
	Ctype.merge_row_fields row1.row_fields row2.row_fields in
      (not row2.row_closed ||
       row1.row_closed && Ctype.filter_row_fields false r1 = []) &&
      List.for_all
	(fun (_,f) -> match Btype.row_field_repr f with
	  Rabsent | Reither _ -> true | Rpresent _ -> false)
	r2 &&
      let to_equal = ref (List.combine params1 params2) in
      List.for_all
	(fun (_, f1, f2) ->
	  match Btype.row_field_repr f1, Btype.row_field_repr f2 with
	    Rpresent(Some t1),
	    (Rpresent(Some t2) | Reither(false, [t2], _, _)) ->
	      to_equal := (t1,t2) :: !to_equal; true
	  | Rpresent None, (Rpresent None | Reither(true, [], _, _)) -> true
	  | Reither(c1,tl1,_,_), Reither(c2,tl2,_,_)
	    when List.length tl1 = List.length tl2 && c1 = c2 ->
	      to_equal := List.combine tl1 tl2 @ !to_equal; true
	  | Rabsent, (Reither _ | Rabsent) -> true
	  | _ -> false)
	pairs &&
      let tl1, tl2 = List.split !to_equal in
      Ctype.equal env true tl1 tl2
  | Tobject (fi1, _), Tobject (fi2, _)
    when is_absrow env (snd(Ctype.flatten_fields fi2)) ->
      let (fields2,rest2) = Ctype.flatten_fields fi2 in
      Ctype.equal env true (ty1::params1) (rest2::params2) &&
      let (fields1,rest1) = Ctype.flatten_fields fi1 in
      (match rest1 with {desc=Tnil|Tvar|Tconstr _} -> true | _ -> false) &&
      let pairs, miss1, miss2 = Ctype.associate_fields fields1 fields2 in
      miss2 = [] &&
      let tl1, tl2 =
	List.split (List.map (fun (_,_,t1,_,t2) -> t1, t2) pairs) in
      Ctype.equal env true (params1 @ tl1) (params2 @ tl2)
  | _ -> 
      Ctype.equal env true (ty1 :: params1) (ty2 :: params2)

(* Inclusion between type declarations *)

let type_declarations env id decl1 decl2 =
  decl1.type_arity = decl2.type_arity &&
  begin match (decl1.type_kind, decl2.type_kind) with
      (_, Type_abstract) -> true
    | (Type_variant (cstrs1, priv1), Type_variant (cstrs2, priv2)) ->
        private_flags priv1 priv2 &&
        Misc.for_all2
          (fun (cstr1, arg1) (cstr2, arg2) ->
            cstr1 = cstr2 &&
            Misc.for_all2
              (fun ty1 ty2 ->
                Ctype.equal env true (ty1::decl1.type_params)
                                     (ty2::decl2.type_params))
              arg1 arg2)
          cstrs1 cstrs2
    | (Type_record(labels1,rep1,priv1), Type_record(labels2,rep2,priv2)) ->
        private_flags priv1 priv2 &&
        rep1 = rep2 &&
        Misc.for_all2
          (fun (lbl1, mut1, ty1) (lbl2, mut2, ty2) ->
            lbl1 = lbl2 && mut1 = mut2 &&
            Ctype.equal env true (ty1::decl1.type_params)
                                 (ty2::decl2.type_params))
          labels1 labels2
    | (_, _) -> false
  end &&
  begin match (decl1.type_manifest, decl2.type_manifest) with
      (_, None) ->
        Ctype.equal env true decl1.type_params decl2.type_params
    | (Some ty1, Some ty2) ->
	type_manifest env ty1 decl1.type_params ty2 decl2.type_params
    | (None, Some ty2) ->
        let ty1 =
          Btype.newgenty (Tconstr(Pident id, decl2.type_params, ref Mnil))
        in
        Ctype.equal env true decl1.type_params decl2.type_params &&
        Ctype.equal env false [ty1] [ty2]
  end &&
  if match decl2.type_kind with
  | Type_record(_,_,priv) | Type_variant(_,priv) -> priv = Private
  | Type_abstract ->
      match decl2.type_manifest with None -> true
      | Some ty -> Btype.has_constr_row (Ctype.expand_head env ty)
  then
    List.for_all2
      (fun (co1,cn1,ct1) (co2,cn2,ct2) -> (not co1 || co2) && (not cn1 || cn2))
      decl1.type_variance decl2.type_variance
  else true

(* Inclusion between exception declarations *)

let exception_declarations env ed1 ed2 =
  Misc.for_all2 (fun ty1 ty2 -> Ctype.equal env false [ty1] [ty2]) ed1 ed2

(* Inclusion between class types *)
let encode_val (mut, ty) rem =
  begin match mut with
    Asttypes.Mutable   -> Predef.type_unit
  | Asttypes.Immutable -> Btype.newgenty Tvar
  end
  ::ty::rem

let meths meths1 meths2 =
  Meths.fold
    (fun nam t2 (ml1, ml2) ->
       (begin try
          Meths.find nam meths1 :: ml1
        with Not_found ->
          ml1
        end,
        t2 :: ml2))
    meths2 ([], [])

let vars vars1 vars2 =
  Vars.fold
    (fun lab v2 (vl1, vl2) ->
       (begin try
          encode_val (Vars.find lab vars1) vl1
        with Not_found ->
          vl1
        end,
        encode_val v2 vl2))
    vars2 ([], [])
why-2.34/ml/typing/stypes.mli0000644000175000017500000000243112311670312014571 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*          Damien Doligez, projet Moscova, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 2003 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: stypes.mli,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* Recording and dumping (partial) type information *)

(* Clflags.save_types must be true *)

open Typedtree;;

type type_info =
    Ti_pat   of pattern
  | Ti_expr  of expression
  | Ti_class of class_expr
  | Ti_mod   of module_expr
;;

val record : type_info -> unit;;
val record_phrase : Location.t -> unit;;
val dump : string -> unit;;

val get_location : type_info -> Location.t;;
val get_info : unit -> type_info list;;
why-2.34/ml/typing/typeclass.ml0000644000175000017500000015673312311670312015117 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*         Jerome Vouillon, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: typeclass.ml,v 1.4 2007-12-06 15:14:51 bardou Exp $ *)

open Misc
open Parsetree
open Asttypes
open Path
open Types
open Typedtree
open Typecore
open Typetexp
open Format

type error =
    Unconsistent_constraint of (type_expr * type_expr) list
  | Field_type_mismatch of string * string * (type_expr * type_expr) list
  | Structure_expected of class_type
  | Cannot_apply of class_type
  | Apply_wrong_label of label
  | Pattern_type_clash of type_expr
  | Repeated_parameter
  | Unbound_class of Longident.t
  | Unbound_class_2 of Longident.t
  | Unbound_class_type of Longident.t
  | Unbound_class_type_2 of Longident.t
  | Abbrev_type_clash of type_expr * type_expr * type_expr
  | Constructor_type_mismatch of string * (type_expr * type_expr) list
  | Virtual_class of bool * string list * string list
  | Parameter_arity_mismatch of Longident.t * int * int
  | Parameter_mismatch of (type_expr * type_expr) list
  | Bad_parameters of Ident.t * type_expr * type_expr
  | Class_match_failure of Ctype.class_match_failure list
  | Unbound_val of string
  | Unbound_type_var of (formatter -> unit) * Ctype.closed_class_failure
  | Make_nongen_seltype of type_expr
  | Non_generalizable_class of Ident.t * Types.class_declaration
  | Cannot_coerce_self of type_expr
  | Non_collapsable_conjunction of
      Ident.t * Types.class_declaration * (type_expr * type_expr) list
  | Final_self_clash of (type_expr * type_expr) list
  | Mutability_mismatch of string * mutable_flag

exception Error of Location.t * error


                       (**********************)
                       (*  Useful constants  *)
                       (**********************)


(*
   Self type have a dummy private method, thus preventing it to become
   closed.
*)
let dummy_method = Ctype.dummy_method

(*
   Path associated to the temporary class type of a class being typed
   (its constructor is not available).
*)
let unbound_class = Path.Pident (Ident.create "")


                (************************************)
                (*  Some operations on class types  *)
                (************************************)


(* Fully expand the head of a class type *)
let rec scrape_class_type =
  function
    Tcty_constr (_, _, cty) -> scrape_class_type cty
  | cty                     -> cty

(* Generalize a class type *)
let rec generalize_class_type =
  function
    Tcty_constr (_, params, cty) ->
      List.iter Ctype.generalize params;
      generalize_class_type cty
  | Tcty_signature {cty_self = sty; cty_vars = vars; cty_inher = inher} ->
      Ctype.generalize sty;
      Vars.iter (fun _ (_, _, ty) -> Ctype.generalize ty) vars;
      List.iter (fun (_,tl) -> List.iter Ctype.generalize tl) inher
  | Tcty_fun (_, ty, cty) ->
      Ctype.generalize ty;
      generalize_class_type cty

(* Return the virtual methods of a class type *)
let virtual_methods sign =
  let (fields, _) = Ctype.flatten_fields (Ctype.object_fields sign.cty_self) in
  List.fold_left
    (fun virt (lab, _, _) ->
       if lab = dummy_method then virt else
       if Concr.mem lab sign.cty_concr then virt else
       lab::virt)
    [] fields

(* Return the constructor type associated to a class type *)
let rec constructor_type constr cty =
  match cty with
    Tcty_constr (_, _, cty) ->
      constructor_type constr cty
  | Tcty_signature sign ->
      constr
  | Tcty_fun (l, ty, cty) ->
      Ctype.newty (Tarrow (l, ty, constructor_type constr cty, Cok))

let rec class_body cty =
  match cty with
    Tcty_constr (_, _, cty') ->
      cty (* Only class bodies can be abbreviated *)
  | Tcty_signature sign ->
      cty
  | Tcty_fun (_, ty, cty) ->
      class_body cty

let rec extract_constraints cty =
  let sign = Ctype.signature_of_class_type cty in
  (Vars.fold (fun lab _ vars -> lab :: vars) sign.cty_vars [],
   begin let (fields, _) =
     Ctype.flatten_fields (Ctype.object_fields sign.cty_self)
   in
   List.fold_left
     (fun meths (lab, _, _) ->
        if lab = dummy_method then meths else lab::meths)
     [] fields
   end,
   sign.cty_concr)

let rec abbreviate_class_type path params cty =
  match cty with
    Tcty_constr (_, _, _) | Tcty_signature _ ->
      Tcty_constr (path, params, cty)
  | Tcty_fun (l, ty, cty) ->
      Tcty_fun (l, ty, abbreviate_class_type path params cty)

let rec closed_class_type =
  function
    Tcty_constr (_, params, _) ->
      List.for_all Ctype.closed_schema params
  | Tcty_signature sign ->
      Ctype.closed_schema sign.cty_self
        &&
      Vars.fold (fun _ (_, _, ty) cc -> Ctype.closed_schema ty && cc)
        sign.cty_vars
        true
  | Tcty_fun (_, ty, cty) ->
      Ctype.closed_schema ty
        &&
      closed_class_type cty

let closed_class cty =
  List.for_all Ctype.closed_schema cty.cty_params
    &&
  closed_class_type cty.cty_type

let rec limited_generalize rv =
  function
    Tcty_constr (path, params, cty) ->
      List.iter (Ctype.limited_generalize rv) params;
      limited_generalize rv cty
  | Tcty_signature sign ->
      Ctype.limited_generalize rv sign.cty_self;
      Vars.iter (fun _ (_, _, ty) -> Ctype.limited_generalize rv ty)
        sign.cty_vars;
      List.iter (fun (_, tl) -> List.iter (Ctype.limited_generalize rv) tl)
        sign.cty_inher
  | Tcty_fun (_, ty, cty) ->
      Ctype.limited_generalize rv ty;
      limited_generalize rv cty

(* Record a class type *)
let rc node =
  Stypes.record (Stypes.Ti_class node);
  node


                (***********************************)
                (*  Primitives for typing classes  *)
                (***********************************)


(* Enter a value in the method environment only *)
let enter_met_env lab kind ty val_env met_env par_env =
  let (id, val_env) =
    Env.enter_value lab {val_type = ty; val_kind = Val_unbound} val_env
  in
  (id, val_env,
   Env.add_value id {val_type = ty; val_kind = kind} met_env,
   Env.add_value id {val_type = ty; val_kind = Val_unbound} par_env)

(* Enter an instance variable in the environment *)
let enter_val cl_num vars inh lab mut virt ty val_env met_env par_env loc =
  let (id, virt) =
    try
      let (id, mut', virt', ty') = Vars.find lab !vars in
      if mut' <> mut then raise (Error(loc, Mutability_mismatch(lab, mut)));
      Ctype.unify val_env (Ctype.instance ty) (Ctype.instance ty');
      (if not inh then Some id else None),
      (if virt' = Concrete then virt' else virt)
    with
      Ctype.Unify tr ->
        raise (Error(loc, Field_type_mismatch("instance variable", lab, tr)))
    | Not_found -> None, virt
  in
  let (id, _, _, _) as result =
    match id with Some id -> (id, val_env, met_env, par_env)
    | None ->
        enter_met_env lab (Val_ivar (mut, cl_num)) ty val_env met_env par_env
  in
  vars := Vars.add lab (id, mut, virt, ty) !vars;
  result

let inheritance self_type env concr_meths warn_meths loc parent =
  match scrape_class_type parent with
    Tcty_signature cl_sig ->

      (* Methods *)
      begin try
        Ctype.unify env self_type cl_sig.cty_self
      with Ctype.Unify trace ->
        match trace with
          _::_::_::({desc = Tfield(n, _, _, _)}, _)::rem ->
            raise(Error(loc, Field_type_mismatch ("method", n, rem)))
        | _ ->
            assert false
      end;

      let overridings = Concr.inter cl_sig.cty_concr warn_meths in
      if not (Concr.is_empty overridings) then begin
        let cname =
          match parent with
            Tcty_constr (p, _, _) -> Path.name p
          | _ -> "inherited"
        in
        Location.prerr_warning loc
          (Warnings.Method_override (cname :: Concr.elements overridings))
      end;

      let concr_meths = Concr.union cl_sig.cty_concr concr_meths in
      (* No need to warn about overriding of inherited methods! *)
      (* let warn_meths = Concr.union cl_sig.cty_concr warn_meths in *)

      (cl_sig, concr_meths, warn_meths)

  | _ ->
      raise(Error(loc, Structure_expected parent))

let virtual_method val_env meths self_type lab priv sty loc =
  let (_, ty') =
     Ctype.filter_self_method val_env lab priv meths self_type
  in
  let ty = transl_simple_type val_env false sty in
  try Ctype.unify val_env ty ty' with Ctype.Unify trace ->
    raise(Error(loc, Field_type_mismatch ("method", lab, trace)))

let delayed_meth_specs = ref []

let declare_method val_env meths self_type lab priv sty loc =
  let (_, ty') =
     Ctype.filter_self_method val_env lab priv meths self_type
  in
  let unif ty =
    try Ctype.unify val_env ty ty' with Ctype.Unify trace ->
      raise(Error(loc, Field_type_mismatch ("method", lab, trace)))
  in
  match sty.ptyp_desc, priv with
    Ptyp_poly ([],sty), Public ->
      delayed_meth_specs :=
        lazy (unif (transl_simple_type_univars val_env sty)) ::
        !delayed_meth_specs
  | _ -> unif (transl_simple_type val_env false sty)

let type_constraint val_env sty sty' loc =
  let ty  = transl_simple_type val_env false sty in
  let ty' = transl_simple_type val_env false sty' in
  try Ctype.unify val_env ty ty' with Ctype.Unify trace ->
    raise(Error(loc, Unconsistent_constraint trace))

let mkpat d = { ppat_desc = d; ppat_loc = Location.none }
let make_method cl_num expr =
  { pexp_desc =
      Pexp_function ("", None,
                     [mkpat (Ppat_alias (mkpat(Ppat_var "self-*"),
                                         "self-" ^ cl_num)),
                      expr]);
    pexp_loc = expr.pexp_loc }

(*******************************)

let add_val env loc lab (mut, virt, ty) val_sig =
  let virt =
    try
      let (mut', virt', ty') = Vars.find lab val_sig in
      if virt' = Concrete then virt' else virt
    with Not_found -> virt
  in
  Vars.add lab (mut, virt, ty) val_sig

let rec class_type_field env self_type meths (val_sig, concr_meths, inher) =
  function
    Pctf_inher sparent ->
      let parent = class_type env sparent in
      let inher =
        match parent with
          Tcty_constr (p, tl, _) -> (p, tl) :: inher
        | _ -> inher
      in
      let (cl_sig, concr_meths, _) =
        inheritance self_type env concr_meths Concr.empty sparent.pcty_loc
          parent
      in
      let val_sig =
        Vars.fold (add_val env sparent.pcty_loc) cl_sig.cty_vars val_sig in
      (val_sig, concr_meths, inher)

  | Pctf_val (lab, mut, virt, sty, loc) ->
      let ty = transl_simple_type env false sty in
      (add_val env loc lab (mut, virt, ty) val_sig, concr_meths, inher)

  | Pctf_virt (lab, priv, sty, loc) ->
      declare_method env meths self_type lab priv sty loc;
      (val_sig, concr_meths, inher)

  | Pctf_meth (lab, priv, sty, loc)  ->
      declare_method env meths self_type lab priv sty loc;
      (val_sig, Concr.add lab concr_meths, inher)

  | Pctf_cstr (sty, sty', loc) ->
      type_constraint env sty sty' loc;
      (val_sig, concr_meths, inher)

and class_signature env sty sign =
  let meths = ref Meths.empty in
  let self_type = transl_simple_type env false sty in

  (* Check that the binder is a correct type, and introduce a dummy
     method preventing self type from being closed. *)
  let dummy_obj = Ctype.newvar () in
  Ctype.unify env (Ctype.filter_method env dummy_method Private dummy_obj)
    (Ctype.newty (Ttuple []));
  begin try
    Ctype.unify env self_type dummy_obj
  with Ctype.Unify _ ->
    raise(Error(sty.ptyp_loc, Pattern_type_clash self_type))
  end;

  (* Class type fields *)
  let (val_sig, concr_meths, inher) =
    List.fold_left (class_type_field env self_type meths)
      (Vars.empty, Concr.empty, [])
      sign
  in

  {cty_self = self_type;
   cty_vars = val_sig;
   cty_concr = concr_meths;
   cty_inher = inher}

and class_type env scty =
  match scty.pcty_desc with
    Pcty_constr (lid, styl) ->
      let (path, decl) =
        try Env.lookup_cltype lid env with Not_found ->
          raise(Error(scty.pcty_loc, Unbound_class_type lid))
      in
      if Path.same decl.clty_path unbound_class then
        raise(Error(scty.pcty_loc, Unbound_class_type_2 lid));
      let (params, clty) =
        Ctype.instance_class decl.clty_params decl.clty_type
      in
      if List.length params <> List.length styl then
        raise(Error(scty.pcty_loc,
                    Parameter_arity_mismatch (lid, List.length params,
                                                   List.length styl)));
      List.iter2
        (fun sty ty ->
           let ty' = transl_simple_type env false sty in
           try Ctype.unify env ty' ty with Ctype.Unify trace ->
             raise(Error(sty.ptyp_loc, Parameter_mismatch trace)))
        styl params;
      Tcty_constr (path, params, clty)

  | Pcty_signature (sty, sign) ->
      Tcty_signature (class_signature env sty sign)

  | Pcty_fun (l, sty, scty) ->
      let ty = transl_simple_type env false sty in
      let cty = class_type env scty in
      Tcty_fun (l, ty, cty)

let class_type env scty =
  delayed_meth_specs := [];
  let cty = class_type env scty in
  List.iter Lazy.force (List.rev !delayed_meth_specs);
  delayed_meth_specs := [];
  cty

(*******************************)

module StringSet = Set.Make(struct type t = string let compare = compare end)

let rec class_field cl_num self_type meths vars
    (val_env, met_env, par_env, fields, concr_meths, warn_meths,
     warn_vals, inher) =
  function
    Pcf_inher (sparent, super) ->
      let parent = class_expr cl_num val_env par_env sparent in
      let inher =
        match parent.cl_type with
          Tcty_constr (p, tl, _) -> (p, tl) :: inher
        | _ -> inher
      in
      let (cl_sig, concr_meths, warn_meths) =
        inheritance self_type val_env concr_meths warn_meths sparent.pcl_loc
          parent.cl_type
      in
      (* Variables *)
      let (val_env, met_env, par_env, inh_vars, warn_vals) =
        Vars.fold
          (fun lab info (val_env, met_env, par_env, inh_vars, warn_vals) ->
             let mut, vr, ty = info in
             let (id, val_env, met_env, par_env) =
               enter_val cl_num vars true lab mut vr ty val_env met_env par_env
                 sparent.pcl_loc
             in
             let warn_vals =
               if vr = Virtual then warn_vals else
               if StringSet.mem lab warn_vals then
                 (Location.prerr_warning sparent.pcl_loc
                   (Warnings.Instance_variable_override lab); warn_vals)
               else StringSet.add lab warn_vals
             in
             (val_env, met_env, par_env, (lab, id) :: inh_vars, warn_vals))
          cl_sig.cty_vars (val_env, met_env, par_env, [], warn_vals)
      in
      (* Inherited concrete methods *)
      let inh_meths =
        Concr.fold (fun lab rem -> (lab, Ident.create lab)::rem)
          cl_sig.cty_concr []
      in
      (* Super *)
      let (val_env, met_env, par_env) =
        match super with
          None ->
            (val_env, met_env, par_env)
        | Some name ->
            let (id, val_env, met_env, par_env) =
              enter_met_env name (Val_anc (inh_meths, cl_num)) self_type
                val_env met_env par_env
            in
            (val_env, met_env, par_env)
      in
      (val_env, met_env, par_env,
       lazy(Cf_inher (parent, inh_vars, inh_meths))::fields,
       concr_meths, warn_meths, warn_vals, inher)

  | Pcf_valvirt (lab, mut, styp, loc) ->
      if !Clflags.principal then Ctype.begin_def ();
      let ty = Typetexp.transl_simple_type val_env false styp in
      if !Clflags.principal then begin
        Ctype.end_def ();
        Ctype.generalize_structure ty
      end;
      let (id, val_env, met_env', par_env) =
        enter_val cl_num vars false lab mut Virtual ty
          val_env met_env par_env loc
      in
      (val_env, met_env', par_env,
       lazy(Cf_val (lab, id, None, met_env' == met_env)) :: fields,
       concr_meths, warn_meths, StringSet.remove lab warn_vals, inher)

  | Pcf_val (lab, mut, sexp, loc) ->
      if StringSet.mem lab warn_vals then
        Location.prerr_warning loc (Warnings.Instance_variable_override lab);
      if !Clflags.principal then Ctype.begin_def ();
      let exp =
        try type_exp val_env sexp with Ctype.Unify [(ty, _)] ->
          raise(Error(loc, Make_nongen_seltype ty))
      in
      if !Clflags.principal then begin
        Ctype.end_def ();
        Ctype.generalize_structure exp.exp_type
      end;
      let (id, val_env, met_env', par_env) =
        enter_val cl_num vars false lab mut Concrete exp.exp_type
          val_env met_env par_env loc
      in
      (val_env, met_env', par_env,
       lazy(Cf_val (lab, id, Some exp, met_env' == met_env)) :: fields,
       concr_meths, warn_meths, StringSet.add lab warn_vals, inher)

  | Pcf_virt (lab, priv, sty, loc) ->
      virtual_method val_env meths self_type lab priv sty loc;
      let warn_meths = Concr.remove lab warn_meths in
      (val_env, met_env, par_env, fields, concr_meths, warn_meths,
       warn_vals, inher)

  | Pcf_meth (lab, priv, expr, loc)  ->
      if Concr.mem lab warn_meths then
        Location.prerr_warning loc (Warnings.Method_override [lab]);
      let (_, ty) =
        Ctype.filter_self_method val_env lab priv meths self_type
      in
      begin try match expr.pexp_desc with
        Pexp_poly (sbody, sty) ->
          begin match sty with None -> ()
          | Some sty ->
              Ctype.unify val_env
                (Typetexp.transl_simple_type val_env false sty) ty
          end;
          begin match (Ctype.repr ty).desc with
            Tvar ->
              let ty' = Ctype.newvar () in
              Ctype.unify val_env (Ctype.newty (Tpoly (ty', []))) ty;
              Ctype.unify val_env (type_approx val_env sbody) ty'
          | Tpoly (ty1, tl) ->
              let _, ty1' = Ctype.instance_poly false tl ty1 in
              let ty2 = type_approx val_env sbody in
              Ctype.unify val_env ty2 ty1'
          | _ -> assert false
          end
      | _ -> assert false
      with Ctype.Unify trace ->
        raise(Error(loc, Field_type_mismatch ("method", lab, trace)))
      end;
      let meth_expr = make_method cl_num expr in
      (* backup variables for Pexp_override *)
      let vars_local = !vars in

      let field =
        lazy begin
          let meth_type =
            Ctype.newty (Tarrow("", self_type, Ctype.instance ty, Cok)) in
          Ctype.raise_nongen_level ();
          vars := vars_local;
          let texp = type_expect met_env meth_expr meth_type in
          Ctype.end_def ();
          Cf_meth (lab, texp)
        end in
      (val_env, met_env, par_env, field::fields,
       Concr.add lab concr_meths, Concr.add lab warn_meths, warn_vals, inher)

  | Pcf_cstr (sty, sty', loc) ->
      type_constraint val_env sty sty' loc;
      (val_env, met_env, par_env, fields, concr_meths, warn_meths,
       warn_vals, inher)

  | Pcf_let (rec_flag, sdefs, loc) ->
      let (defs, val_env) =
        try
          Typecore.type_let val_env rec_flag sdefs
        with Ctype.Unify [(ty, _)] ->
          raise(Error(loc, Make_nongen_seltype ty))
      in
      let (vals, met_env, par_env) =
        List.fold_right
          (fun id (vals, met_env, par_env) ->
             let expr =
               Typecore.type_exp val_env
                 {pexp_desc = Pexp_ident (Longident.Lident (Ident.name id));
                  pexp_loc = Location.none}
             in
             let desc =
               {val_type = expr.exp_type;
                val_kind = Val_ivar (Immutable, cl_num)}
             in
             let id' = Ident.create (Ident.name id) in
             ((id', expr)
              :: vals,
              Env.add_value id' desc met_env,
              Env.add_value id' desc par_env))
          (let_bound_idents defs)
          ([], met_env, par_env)
      in
      (val_env, met_env, par_env, lazy(Cf_let(rec_flag, defs, vals))::fields,
       concr_meths, warn_meths, warn_vals, inher)

  | Pcf_init expr ->
      let expr = make_method cl_num expr in
      let vars_local = !vars in
      let field =
        lazy begin
          Ctype.raise_nongen_level ();
          let meth_type =
            Ctype.newty
              (Tarrow ("", self_type, Ctype.instance Predef.type_unit, Cok)) in
          vars := vars_local;
          let texp = type_expect met_env expr meth_type in
          Ctype.end_def ();
          Cf_init texp
        end in
      (val_env, met_env, par_env, field::fields,
       concr_meths, warn_meths, warn_vals, inher)

and class_structure cl_num final val_env met_env loc (spat, str) =
  (* Environment for substructures *)
  let par_env = met_env in

  (* Self type, with a dummy method preventing it from being closed/escaped. *)
  let self_type = Ctype.newvar () in
  Ctype.unify val_env
    (Ctype.filter_method val_env dummy_method Private self_type)
    (Ctype.newty (Ttuple []));

  (* Private self is used for private method calls *)
  let private_self = if final then Ctype.newvar () else self_type in

  (* Self binder *)
  let (pat, meths, vars, val_env, meth_env, par_env) =
    type_self_pattern cl_num private_self val_env met_env par_env spat
  in
  let public_self = pat.pat_type in

  (* Check that the binder has a correct type *)
  let ty =
    if final then Ctype.newty (Tobject (Ctype.newvar(), ref None))
    else self_type in
  begin try Ctype.unify val_env public_self ty with
    Ctype.Unify _ ->
      raise(Error(spat.ppat_loc, Pattern_type_clash public_self))
  end;
  let get_methods ty =
    (fst (Ctype.flatten_fields
            (Ctype.object_fields (Ctype.expand_head val_env ty)))) in
  if final then begin
    (* Copy known information to still empty self_type *)
    List.iter
      (fun (lab,kind,ty) ->
        let k =
          if Btype.field_kind_repr kind = Fpresent then Public else Private in
        try Ctype.unify val_env ty
            (Ctype.filter_method val_env lab k self_type)
        with _ -> assert false)
      (get_methods public_self)
  end;

  (* Typing of class fields *)
  let (_, _, _, fields, concr_meths, _, _, inher) =
    List.fold_left (class_field cl_num self_type meths vars)
      (val_env, meth_env, par_env, [], Concr.empty, Concr.empty,
       StringSet.empty, [])
      str
  in
  Ctype.unify val_env self_type (Ctype.newvar ());
  let sign =
    {cty_self = public_self;
     cty_vars = Vars.map (fun (id, mut, vr, ty) -> (mut, vr, ty)) !vars;
     cty_concr = concr_meths;
     cty_inher = inher} in
  let methods = get_methods self_type in
  let priv_meths =
    List.filter (fun (_,kind,_) -> Btype.field_kind_repr kind <> Fpresent)
      methods in
  if final then begin
    (* Unify private_self and a copy of self_type. self_type will not
       be modified after this point *)
    Ctype.close_object self_type;
    let mets = virtual_methods {sign with cty_self = self_type} in
    let vals =
      Vars.fold
        (fun name (mut, vr, ty) l -> if vr = Virtual then name :: l else l)
        sign.cty_vars [] in
    if mets <> [] then raise(Error(loc, Virtual_class(true, mets, vals)));
    let self_methods =
      List.fold_right
        (fun (lab,kind,ty) rem ->
          if lab = dummy_method then
            (* allow public self and private self to be unified *)
            match Btype.field_kind_repr kind with
              Fvar r -> Btype.set_kind r Fabsent; rem
            | _ -> rem
          else
            Ctype.newty(Tfield(lab, Btype.copy_kind kind, ty, rem)))
        methods (Ctype.newty Tnil) in
    begin try
      Ctype.unify val_env private_self
        (Ctype.newty (Tobject(self_methods, ref None)));
      Ctype.unify val_env public_self self_type
    with Ctype.Unify trace -> raise(Error(loc, Final_self_clash trace))
    end;
  end;

  (* Typing of method bodies *)
  if !Clflags.principal then
    List.iter (fun (_,_,ty) -> Ctype.generalize_spine ty) methods;
  let fields = List.map Lazy.force (List.rev fields) in
  if !Clflags.principal then
    List.iter (fun (_,_,ty) -> Ctype.unify val_env ty (Ctype.newvar ()))
      methods;
  let meths = Meths.map (function (id, ty) -> id) !meths in

  (* Check for private methods made public *)
  let pub_meths' =
    List.filter (fun (_,kind,_) -> Btype.field_kind_repr kind = Fpresent)
      (get_methods public_self) in
  let names = List.map (fun (x,_,_) -> x) in
  let l1 = names priv_meths and l2 = names pub_meths' in
  let added = List.filter (fun x -> List.mem x l1) l2 in
  if added <> [] then
    Location.prerr_warning loc (Warnings.Implicit_public_methods added);
  {cl_field = fields; cl_meths = meths}, sign

and class_expr cl_num val_env met_env scl =
  match scl.pcl_desc with
    Pcl_constr (lid, styl) ->
      let (path, decl) =
        try Env.lookup_class lid val_env with Not_found ->
          raise(Error(scl.pcl_loc, Unbound_class lid))
      in
      if Path.same decl.cty_path unbound_class then
        raise(Error(scl.pcl_loc, Unbound_class_2 lid));
      let tyl = List.map
          (fun sty -> transl_simple_type val_env false sty, sty.ptyp_loc)
          styl
      in
      let (params, clty) =
        Ctype.instance_class decl.cty_params decl.cty_type
      in
      let clty' = abbreviate_class_type path params clty in
      if List.length params <> List.length tyl then
        raise(Error(scl.pcl_loc,
                    Parameter_arity_mismatch (lid, List.length params,
                                                   List.length tyl)));
      List.iter2
        (fun (ty',loc) ty ->
           try Ctype.unify val_env ty' ty with Ctype.Unify trace ->
             raise(Error(loc, Parameter_mismatch trace)))
        tyl params;
      let cl =
        rc {cl_desc = Tclass_ident path;
            cl_loc = scl.pcl_loc;
            cl_type = clty';
            cl_env = val_env}
      in
      let (vals, meths, concrs) = extract_constraints clty in
      rc {cl_desc = Tclass_constraint (cl, vals, meths, concrs);
          cl_loc = scl.pcl_loc;
          cl_type = clty';
          cl_env = val_env}
  | Pcl_structure cl_str ->
      let (desc, ty) =
        class_structure cl_num false val_env met_env scl.pcl_loc cl_str in
      rc {cl_desc = Tclass_structure desc;
          cl_loc = scl.pcl_loc;
          cl_type = Tcty_signature ty;
          cl_env = val_env}
  | Pcl_fun (l, Some default, spat, sbody) ->
      let loc = default.pexp_loc in
      let scases =
        [{ppat_loc = loc; ppat_desc =
          Ppat_construct(Longident.Lident"Some",
                         Some{ppat_loc = loc; ppat_desc = Ppat_var"*sth*"},
                         false)},
         {pexp_loc = loc; pexp_desc = Pexp_ident(Longident.Lident"*sth*")};
         {ppat_loc = loc; ppat_desc =
          Ppat_construct(Longident.Lident"None", None, false)},
         default] in
      let smatch =
        {pexp_loc = loc; pexp_desc =
         Pexp_match({pexp_loc = loc; pexp_desc =
                     Pexp_ident(Longident.Lident"*opt*")},
                    scases)} in
      let sfun =
        {pcl_loc = scl.pcl_loc; pcl_desc =
         Pcl_fun(l, None, {ppat_loc = loc; ppat_desc = Ppat_var"*opt*"},
                 {pcl_loc = scl.pcl_loc; pcl_desc =
                  Pcl_let(Default, [spat, smatch], sbody)})}
      in
      class_expr cl_num val_env met_env sfun
  | Pcl_fun (l, None, spat, scl') ->
      if !Clflags.principal then Ctype.begin_def ();
      let (pat, pv, val_env, met_env) =
        Typecore.type_class_arg_pattern cl_num val_env met_env l spat
      in
      if !Clflags.principal then begin
        Ctype.end_def ();
        iter_pattern (fun {pat_type=ty} -> Ctype.generalize_structure ty) pat
      end;
      let pv =
        List.map
          (function (id, id', ty) ->
            (id,
             Typecore.type_exp val_env
               {pexp_desc = Pexp_ident (Longident.Lident (Ident.name id));
                pexp_loc = Location.none}))
          pv
      in
      let rec not_function = function
          Tcty_fun _ -> false
        | _ -> true
      in
      let partial =
        Parmatch.check_partial pat.pat_loc
          [pat, (* Dummy expression *)
           {exp_desc = Texp_constant (Asttypes.Const_int 1);
            exp_loc = Location.none;
            exp_type = Ctype.none;
            exp_env = Env.empty }] in
      Ctype.raise_nongen_level ();
      let cl = class_expr cl_num val_env met_env scl' in
      Ctype.end_def ();
      if Btype.is_optional l && not_function cl.cl_type then
        Location.prerr_warning pat.pat_loc
          Warnings.Unerasable_optional_argument;
      rc {cl_desc = Tclass_fun (pat, pv, cl, partial);
          cl_loc = scl.pcl_loc;
          cl_type = Tcty_fun (l, Ctype.instance pat.pat_type, cl.cl_type);
          cl_env = val_env}
  | Pcl_apply (scl', sargs) ->
      let cl = class_expr cl_num val_env met_env scl' in
      let rec nonopt_labels ls ty_fun =
        match ty_fun with
        | Tcty_fun (l, _, ty_res) ->
            if Btype.is_optional l then nonopt_labels ls ty_res
            else nonopt_labels (l::ls) ty_res
        | _    -> ls
      in
      let ignore_labels =
        !Clflags.classic ||
        let labels = nonopt_labels [] cl.cl_type in
        List.length labels = List.length sargs &&
        List.for_all (fun (l,_) -> l = "") sargs &&
        List.exists (fun l -> l <> "") labels &&
        begin
          Location.prerr_warning cl.cl_loc Warnings.Labels_omitted;
          true
        end
      in
      let rec type_args args omitted ty_fun sargs more_sargs =
        match ty_fun with
        | Tcty_fun (l, ty, ty_fun) when sargs <> [] || more_sargs <> [] ->
            let name = Btype.label_name l
            and optional =
              if Btype.is_optional l then Optional else Required in
            let sargs, more_sargs, arg =
              if ignore_labels && not (Btype.is_optional l) then begin
                match sargs, more_sargs with
                  (l', sarg0)::_, _ ->
                    raise(Error(sarg0.pexp_loc, Apply_wrong_label(l')))
                | _, (l', sarg0)::more_sargs ->
                    if l <> l' && l' <> "" then
                      raise(Error(sarg0.pexp_loc, Apply_wrong_label l'))
                    else ([], more_sargs, Some(type_argument val_env sarg0 ty))
                | _ ->
                    assert false
              end else try
                let (l', sarg0, sargs, more_sargs) =
                  try
                    let (l', sarg0, sargs1, sargs2) =
                      Btype.extract_label name sargs
                    in (l', sarg0, sargs1 @ sargs2, more_sargs)
                  with Not_found ->
                    let (l', sarg0, sargs1, sargs2) =
                      Btype.extract_label name more_sargs
                    in (l', sarg0, sargs @ sargs1, sargs2)
                in
                sargs, more_sargs,
                if Btype.is_optional l' || not (Btype.is_optional l) then
                  Some (type_argument val_env sarg0 ty)
                else
                  let arg = type_argument val_env
                      sarg0 (extract_option_type val_env ty) in
                  Some (option_some arg)
              with Not_found ->
                sargs, more_sargs,
                if Btype.is_optional l &&
                  (List.mem_assoc "" sargs || List.mem_assoc "" more_sargs)
                then
                  Some (option_none ty Location.none)
                else None
            in
            let omitted = if arg = None then (l,ty) :: omitted else omitted in
            type_args ((arg,optional)::args) omitted ty_fun sargs more_sargs
        | _ ->
            match sargs @ more_sargs with
              (l, sarg0)::_ ->
                if omitted <> [] then
                  raise(Error(sarg0.pexp_loc, Apply_wrong_label l))
                else
                  raise(Error(cl.cl_loc, Cannot_apply cl.cl_type))
            | [] ->
                (List.rev args,
                 List.fold_left
                   (fun ty_fun (l,ty) -> Tcty_fun(l,ty,ty_fun))
                   ty_fun omitted)
      in
      let (args, cty) =
        if ignore_labels then
          type_args [] [] cl.cl_type [] sargs
        else
          type_args [] [] cl.cl_type sargs []
      in
      rc {cl_desc = Tclass_apply (cl, args);
          cl_loc = scl.pcl_loc;
          cl_type = cty;
          cl_env = val_env}
  | Pcl_let (rec_flag, sdefs, scl') ->
      let (defs, val_env) =
        try
          Typecore.type_let val_env rec_flag sdefs
        with Ctype.Unify [(ty, _)] ->
          raise(Error(scl.pcl_loc, Make_nongen_seltype ty))
      in
      let (vals, met_env) =
        List.fold_right
          (fun id (vals, met_env) ->
             Ctype.begin_def ();
             let expr =
               Typecore.type_exp val_env
                 {pexp_desc = Pexp_ident (Longident.Lident (Ident.name id));
                  pexp_loc = Location.none}
             in
             Ctype.end_def ();
             Ctype.generalize expr.exp_type;
             let desc =
               {val_type = expr.exp_type; val_kind = Val_ivar (Immutable,
                                                               cl_num)}
             in
             let id' = Ident.create (Ident.name id) in
             ((id', expr)
              :: vals,
              Env.add_value id' desc met_env))
          (let_bound_idents defs)
          ([], met_env)
      in
      let cl = class_expr cl_num val_env met_env scl' in
      rc {cl_desc = Tclass_let (rec_flag, defs, vals, cl);
          cl_loc = scl.pcl_loc;
          cl_type = cl.cl_type;
          cl_env = val_env}
  | Pcl_constraint (scl', scty) ->
      Ctype.begin_class_def ();
      let context = Typetexp.narrow () in
      let cl = class_expr cl_num val_env met_env scl' in
      Typetexp.widen context;
      let context = Typetexp.narrow () in
      let clty = class_type val_env scty in
      Typetexp.widen context;
      Ctype.end_def ();

      limited_generalize (Ctype.row_variable (Ctype.self_type cl.cl_type))
          cl.cl_type;
      limited_generalize (Ctype.row_variable (Ctype.self_type clty)) clty;

      begin match Includeclass.class_types val_env cl.cl_type clty with
        []    -> ()
      | error -> raise(Error(cl.cl_loc, Class_match_failure error))
      end;
      let (vals, meths, concrs) = extract_constraints clty in
      rc {cl_desc = Tclass_constraint (cl, vals, meths, concrs);
          cl_loc = scl.pcl_loc;
          cl_type = snd (Ctype.instance_class [] clty);
          cl_env = val_env}

(*******************************)

(* Approximate the type of the constructor to allow recursive use *)
(* of optional parameters                                         *)

let var_option = Predef.type_option (Btype.newgenvar ())

let rec approx_declaration cl =
  match cl.pcl_desc with
    Pcl_fun (l, _, _, cl) ->
      let arg =
        if Btype.is_optional l then Ctype.instance var_option
        else Ctype.newvar () in
      Ctype.newty (Tarrow (l, arg, approx_declaration cl, Cok))
  | Pcl_let (_, _, cl) ->
      approx_declaration cl
  | Pcl_constraint (cl, _) ->
      approx_declaration cl
  | _ -> Ctype.newvar ()

let rec approx_description ct =
  match ct.pcty_desc with
    Pcty_fun (l, _, ct) ->
      let arg =
        if Btype.is_optional l then Ctype.instance var_option
        else Ctype.newvar () in
      Ctype.newty (Tarrow (l, arg, approx_description ct, Cok))
  | _ -> Ctype.newvar ()

(*******************************)

let temp_abbrev env id arity =
  let params = ref [] in
  for i = 1 to arity do
    params := Ctype.newvar () :: !params
  done;
  let ty = Ctype.newobj (Ctype.newvar ()) in
  let env =
    Env.add_type id
      {type_params = !params;
       type_arity = arity;
       type_kind = Type_abstract;
       type_manifest = Some ty;
       type_variance = List.map (fun _ -> true, true, true) !params}
      env
  in
  (!params, ty, env)

let rec initial_env define_class approx
    (res, env) (cl, id, ty_id, obj_id, cl_id) =
  (* Temporary abbreviations *)
  let arity = List.length (fst cl.pci_params) in
  let (obj_params, obj_ty, env) = temp_abbrev env obj_id arity in
  let (cl_params, cl_ty, env) = temp_abbrev env cl_id arity in

  (* Temporary type for the class constructor *)
  let constr_type = approx cl.pci_expr in
  if !Clflags.principal then Ctype.generalize_spine constr_type;
  let dummy_cty =
    Tcty_signature
      { cty_self = Ctype.newvar ();
        cty_vars = Vars.empty;
        cty_concr = Concr.empty;
        cty_inher = [] }
  in
  let dummy_class =
    {cty_params = [];             (* Dummy value *)
     cty_variance = [];
     cty_type = dummy_cty;        (* Dummy value *)
     cty_path = unbound_class;
     cty_new =
       match cl.pci_virt with
         Virtual  -> None
       | Concrete -> Some constr_type}
  in
  let env =
    Env.add_cltype ty_id
      {clty_params = [];            (* Dummy value *)
       clty_variance = [];
       clty_type = dummy_cty;       (* Dummy value *)
       clty_path = unbound_class} (
    if define_class then
      Env.add_class id dummy_class env
    else
      env)
  in
  ((cl, id, ty_id,
    obj_id, obj_params, obj_ty,
    cl_id, cl_params, cl_ty,
    constr_type, dummy_class)::res,
   env)

let class_infos define_class kind
    (cl, id, ty_id,
     obj_id, obj_params, obj_ty,
     cl_id, cl_params, cl_ty,
     constr_type, dummy_class)
    (res, env) =

  reset_type_variables ();
  Ctype.begin_class_def ();

  (* Introduce class parameters *)
  let params =
    try
      let params, loc = cl.pci_params in
      List.map (enter_type_variable true loc) params
    with Already_bound ->
      raise(Error(snd cl.pci_params, Repeated_parameter))
  in

  (* Allow self coercions (only for class declarations) *)
  let coercion_locs = ref [] in

  (* Type the class expression *)
  let (expr, typ) =
    try
      Typecore.self_coercion :=
        (Path.Pident obj_id, coercion_locs) :: !Typecore.self_coercion;
      let res = kind env cl.pci_expr in
      Typecore.self_coercion := List.tl !Typecore.self_coercion;
      res
    with exn ->
      Typecore.self_coercion := []; raise exn
  in

  Ctype.end_def ();

  let sty = Ctype.self_type typ in

  (* Generalize the row variable *)
  let rv = Ctype.row_variable sty in
  List.iter (Ctype.limited_generalize rv) params;
  limited_generalize rv typ;

  (* Check the abbreviation for the object type *)
  let (obj_params', obj_type) = Ctype.instance_class params typ in
  let constr = Ctype.newconstr (Path.Pident obj_id) obj_params in
  begin
    let ty = Ctype.self_type obj_type in
    Ctype.hide_private_methods ty;
    Ctype.close_object ty;
    begin try
      List.iter2 (Ctype.unify env) obj_params obj_params'
    with Ctype.Unify _ ->
      raise(Error(cl.pci_loc,
            Bad_parameters (obj_id, constr,
                            Ctype.newconstr (Path.Pident obj_id)
                                            obj_params')))
    end;
    begin try
      Ctype.unify env ty constr
    with Ctype.Unify _ ->
      raise(Error(cl.pci_loc,
        Abbrev_type_clash (constr, ty, Ctype.expand_head env constr)))
    end
  end;

  (* Check the other temporary abbreviation (#-type) *)
  begin
    let (cl_params', cl_type) = Ctype.instance_class params typ in
    let ty = Ctype.self_type cl_type in
    Ctype.hide_private_methods ty;
    Ctype.set_object_name obj_id (Ctype.row_variable ty) cl_params ty;
    begin try
      List.iter2 (Ctype.unify env) cl_params cl_params'
    with Ctype.Unify _ ->
      raise(Error(cl.pci_loc,
            Bad_parameters (cl_id,
                            Ctype.newconstr (Path.Pident cl_id)
                                            cl_params,
                            Ctype.newconstr (Path.Pident cl_id)
                                            cl_params')))
    end;
    begin try
      Ctype.unify env ty cl_ty
    with Ctype.Unify _ ->
      let constr = Ctype.newconstr (Path.Pident cl_id) params in
      raise(Error(cl.pci_loc, Abbrev_type_clash (constr, ty, cl_ty)))
    end
  end;

  (* Type of the class constructor *)
  begin try
    Ctype.unify env
      (constructor_type constr obj_type)
      (Ctype.instance constr_type)
  with Ctype.Unify trace ->
    raise(Error(cl.pci_loc,
                Constructor_type_mismatch (cl.pci_name, trace)))
  end;

  (* Class and class type temporary definitions *)
  let cty_variance = List.map (fun _ -> true, true) params in
  let cltydef =
    {clty_params = params; clty_type = class_body typ;
     clty_variance = cty_variance;
     clty_path = Path.Pident obj_id}
  and clty =
    {cty_params = params; cty_type = typ;
     cty_variance = cty_variance;
     cty_path = Path.Pident obj_id;
     cty_new =
       match cl.pci_virt with
         Virtual  -> None
       | Concrete -> Some constr_type}
  in
  dummy_class.cty_type <- typ;
  let env =
    Env.add_cltype ty_id cltydef (
    if define_class then Env.add_class id clty env else env)
  in

  if cl.pci_virt = Concrete then begin
    let sign = Ctype.signature_of_class_type typ in
    let mets = virtual_methods sign in
    let vals =
      Vars.fold
        (fun name (mut, vr, ty) l -> if vr = Virtual then name :: l else l)
        sign.cty_vars [] in
    if mets <> []  || vals <> [] then
      raise(Error(cl.pci_loc, Virtual_class(true, mets, vals)));
  end;

  (* Misc. *)
  let arity = Ctype.class_type_arity typ in
  let pub_meths =
    let (fields, _) =
      Ctype.flatten_fields (Ctype.object_fields (Ctype.expand_head env obj_ty))
    in
    List.map (function (lab, _, _) -> lab) fields
  in

  (* Final definitions *)
  let (params', typ') = Ctype.instance_class params typ in
  let cltydef =
    {clty_params = params'; clty_type = class_body typ';
     clty_variance = cty_variance;
     clty_path = Path.Pident obj_id}
  and clty =
    {cty_params = params'; cty_type = typ';
     cty_variance = cty_variance;
     cty_path = Path.Pident obj_id;
     cty_new =
       match cl.pci_virt with
         Virtual  -> None
       | Concrete -> Some (Ctype.instance constr_type)}
  in
  let obj_abbr =
    {type_params = obj_params;
     type_arity = List.length obj_params;
     type_kind = Type_abstract;
     type_manifest = Some obj_ty;
     type_variance = List.map (fun _ -> true, true, true) obj_params}
  in
  let (cl_params, cl_ty) =
    Ctype.instance_parameterized_type params (Ctype.self_type typ)
  in
  Ctype.hide_private_methods cl_ty;
  Ctype.set_object_name obj_id (Ctype.row_variable cl_ty) cl_params cl_ty;
  let cl_abbr =
    {type_params = cl_params;
     type_arity = List.length cl_params;
     type_kind = Type_abstract;
     type_manifest = Some cl_ty;
     type_variance = List.map (fun _ -> true, true, true) cl_params}
  in
  ((cl, id, clty, ty_id, cltydef, obj_id, obj_abbr, cl_id, cl_abbr,
    arity, pub_meths, List.rev !coercion_locs, expr) :: res,
   env)

let final_decl env define_class
    (cl, id, clty, ty_id, cltydef, obj_id, obj_abbr, cl_id, cl_abbr,
     arity, pub_meths, coe, expr) =

  begin try Ctype.collapse_conj_params env clty.cty_params
  with Ctype.Unify trace ->
    raise(Error(cl.pci_loc, Non_collapsable_conjunction (id, clty, trace)))
  end;

  List.iter Ctype.generalize clty.cty_params;
  generalize_class_type clty.cty_type;
  begin match clty.cty_new with
    None -> ()
  | Some ty -> Ctype.generalize ty
  end;
  List.iter Ctype.generalize obj_abbr.type_params;
  begin match obj_abbr.type_manifest with
    None    -> ()
  | Some ty -> Ctype.generalize ty
  end;
  List.iter Ctype.generalize cl_abbr.type_params;
  begin match cl_abbr.type_manifest with
    None    -> ()
  | Some ty -> Ctype.generalize ty
  end;

  if not (closed_class clty) then
    raise(Error(cl.pci_loc, Non_generalizable_class (id, clty)));

  begin match
    Ctype.closed_class clty.cty_params
      (Ctype.signature_of_class_type clty.cty_type)
  with
    None        -> ()
  | Some reason ->
      let printer =
        if define_class
        then function ppf -> Printtyp.class_declaration id ppf clty
        else function ppf -> Printtyp.cltype_declaration id ppf cltydef
      in
      raise(Error(cl.pci_loc, Unbound_type_var(printer, reason)))
  end;

  (id, clty, ty_id, cltydef, obj_id, obj_abbr, cl_id, cl_abbr,
   arity, pub_meths, coe, expr, (cl.pci_variance, cl.pci_loc))

let extract_type_decls
    (id, clty, ty_id, cltydef, obj_id, obj_abbr, cl_id, cl_abbr,
     arity, pub_meths, coe, expr, required) decls =
  (obj_id, obj_abbr, cl_abbr, clty, cltydef, required) :: decls

let merge_type_decls
    (id, _clty, ty_id, _cltydef, obj_id, _obj_abbr, cl_id, _cl_abbr,
     arity, pub_meths, coe, expr, req) (obj_abbr, cl_abbr, clty, cltydef) =
  (id, clty, ty_id, cltydef, obj_id, obj_abbr, cl_id, cl_abbr,
   arity, pub_meths, coe, expr)

let final_env define_class env
    (id, clty, ty_id, cltydef, obj_id, obj_abbr, cl_id, cl_abbr,
     arity, pub_meths, coe, expr) =
  (* Add definitions after cleaning them *)
  Env.add_type obj_id (Subst.type_declaration Subst.identity obj_abbr) (
  Env.add_type cl_id (Subst.type_declaration Subst.identity cl_abbr) (
  Env.add_cltype ty_id (Subst.cltype_declaration Subst.identity cltydef) (
  if define_class then
    Env.add_class id (Subst.class_declaration Subst.identity clty) env
  else env)))

(* Check that #c is coercible to c if there is a self-coercion *)
let check_coercions env
    (id, clty, ty_id, cltydef, obj_id, obj_abbr, cl_id, cl_abbr,
     arity, pub_meths, coercion_locs, expr) =
  begin match coercion_locs with [] -> ()
  | loc :: _ ->
      let cl_ty, obj_ty =
        match cl_abbr.type_manifest, obj_abbr.type_manifest with
          Some cl_ab, Some obj_ab ->
            let cl_params, cl_ty =
              Ctype.instance_parameterized_type cl_abbr.type_params cl_ab
            and obj_params, obj_ty =
              Ctype.instance_parameterized_type obj_abbr.type_params obj_ab
            in
            List.iter2 (Ctype.unify env) cl_params obj_params;
            cl_ty, obj_ty
        | _ -> assert false
      in
      begin try Ctype.subtype env cl_ty obj_ty ()
      with Ctype.Subtype (tr1, tr2) ->
        raise(Typecore.Error(loc, Typecore.Not_subtype(tr1, tr2)))
      end;
      if not (Ctype.opened_object cl_ty) then
        raise(Error(loc, Cannot_coerce_self obj_ty))
  end;
  (id, clty, ty_id, cltydef, obj_id, obj_abbr, cl_id, cl_abbr,
   arity, pub_meths, expr)

(*******************************)

let type_classes define_class approx kind env cls =
  let cls =
    List.map
      (function cl ->
         (cl,
          Ident.create cl.pci_name, Ident.create cl.pci_name,
          Ident.create cl.pci_name, Ident.create ("#" ^ cl.pci_name)))
      cls
  in
  Ctype.init_def (Ident.current_time ());
  Ctype.begin_class_def ();
  let (res, env) =
    List.fold_left (initial_env define_class approx) ([], env) cls
  in
  let (res, env) =
    List.fold_right (class_infos define_class kind) res ([], env)
  in
  Ctype.end_def ();
  let res = List.rev_map (final_decl env define_class) res in
  let decls = List.fold_right extract_type_decls res [] in
  let decls = Typedecl.compute_variance_decls env decls in
  let res = List.map2 merge_type_decls res decls in
  let env = List.fold_left (final_env define_class) env res in
  let res = List.map (check_coercions env) res in
  (res, env)

let class_num = ref 0
let class_declaration env sexpr =
  incr class_num;
  let expr = class_expr (string_of_int !class_num) env env sexpr in
  (expr, expr.cl_type)

let class_description env sexpr =
  let expr = class_type env sexpr in
  (expr, expr)

let class_declarations env cls =
  type_classes true approx_declaration class_declaration env cls

let class_descriptions env cls =
  type_classes true approx_description class_description env cls

let class_type_declarations env cls =
  let (decl, env) =
    type_classes false approx_description class_description env cls
  in
  (List.map
     (function
       (_, _, ty_id, cltydef, obj_id, obj_abbr, cl_id, cl_abbr, _, _, _) ->
        (ty_id, cltydef, obj_id, obj_abbr, cl_id, cl_abbr))
     decl,
   env)

let rec unify_parents env ty cl =
  match cl.cl_desc with
    Tclass_ident p ->
      begin try
        let decl = Env.find_class p env in
        let _, body = Ctype.find_cltype_for_path env decl.cty_path in
        Ctype.unify env ty (Ctype.instance body)
      with exn -> assert (exn = Not_found)
      end
  | Tclass_structure st -> unify_parents_struct env ty st
  | Tclass_fun (_, _, cl, _)
  | Tclass_apply (cl, _)
  | Tclass_let (_, _, _, cl)
  | Tclass_constraint (cl, _, _, _) -> unify_parents env ty cl
and unify_parents_struct env ty st =
  List.iter
    (function Cf_inher (cl, _, _) -> unify_parents env ty cl
      | _ -> ())
    st.cl_field

let type_object env loc s =
  incr class_num;
  let (desc, sign) =
    class_structure (string_of_int !class_num) true env env loc s in
  let sty = Ctype.expand_head env sign.cty_self in
  Ctype.hide_private_methods sty;
  let (fields, _) = Ctype.flatten_fields (Ctype.object_fields sty) in
  let meths = List.map (fun (s,_,_) -> s) fields in
  unify_parents_struct env sign.cty_self desc;
  (desc, sign, meths)

let () =
  Typecore.type_object := type_object

(*******************************)

(* Approximate the class declaration as class ['params] id = object end *)
let approx_class sdecl =
  let self' =
    { ptyp_desc = Ptyp_any; ptyp_loc = Location.none } in
  let clty' =
    { pcty_desc = Pcty_signature(self', []);
      pcty_loc = sdecl.pci_expr.pcty_loc } in
  { sdecl with pci_expr = clty' }

let approx_class_declarations env sdecls =
  fst (class_type_declarations env (List.map approx_class sdecls))

(*******************************)

(* Error report *)

open Format

let report_error ppf = function
  | Repeated_parameter ->
      fprintf ppf "A type parameter occurs several times"
  | Unconsistent_constraint trace ->
      fprintf ppf "The class constraints are not consistent.@.";
      Printtyp.report_unification_error ppf trace
        (fun ppf -> fprintf ppf "Type")
        (fun ppf -> fprintf ppf "is not compatible with type")
  | Field_type_mismatch (k, m, trace) ->
      Printtyp.report_unification_error ppf trace
        (function ppf ->
           fprintf ppf "The %s %s@ has type" k m)
        (function ppf ->
           fprintf ppf "but is expected to have type")
  | Structure_expected clty ->
      fprintf ppf
        "@[This class expression is not a class structure; it has type@ %a@]"
        Printtyp.class_type clty
  | Cannot_apply clty ->
      fprintf ppf
        "This class expression is not a class function, it cannot be applied"
  | Apply_wrong_label l ->
      let mark_label = function
        | "" -> "out label"
        |  l -> sprintf " label ~%s" l in
      fprintf ppf "This argument cannot be applied with%s" (mark_label l)
  | Pattern_type_clash ty ->
      (* XXX Trace *)
      (* XXX Revoir message d'erreur *)
      Printtyp.reset_and_mark_loops ty;
      fprintf ppf "@[%s@ %a@]"
        "This pattern cannot match self: it only matches values of type"
        Printtyp.type_expr ty
  | Unbound_class cl ->
      fprintf ppf "Unbound class@ %a"
      Printtyp.longident cl
  | Unbound_class_2 cl ->
      fprintf ppf "The class@ %a@ is not yet completely defined"
      Printtyp.longident cl
  | Unbound_class_type cl ->
      fprintf ppf "Unbound class type@ %a"
      Printtyp.longident cl
  | Unbound_class_type_2 cl ->
      fprintf ppf "The class type@ %a@ is not yet completely defined"
      Printtyp.longident cl
  | Abbrev_type_clash (abbrev, actual, expected) ->
      (* XXX Afficher une trace ? *)
      Printtyp.reset_and_mark_loops_list [abbrev; actual; expected];
      fprintf ppf "@[The abbreviation@ %a@ expands to type@ %a@ \
       but is used with type@ %a@]"
       Printtyp.type_expr abbrev
       Printtyp.type_expr actual
       Printtyp.type_expr expected
  | Constructor_type_mismatch (c, trace) ->
      Printtyp.report_unification_error ppf trace
        (function ppf ->
           fprintf ppf "The expression \"new %s\" has type" c)
        (function ppf ->
           fprintf ppf "but is used with type")
  | Virtual_class (cl, mets, vals) ->
      let print_mets ppf mets =
        List.iter (function met -> fprintf ppf "@ %s" met) mets in
      let cl_mark = if cl then "" else " type" in
      let missings =
        match mets, vals with
          [], _ -> "variables"
        | _, [] -> "methods"
        | _ -> "methods and variables"
      in
      fprintf ppf
        "@[This class%s should be virtual.@ \
           @[<2>The following %s are undefined :%a@]@]"
          cl_mark missings print_mets (mets @ vals)
  | Parameter_arity_mismatch(lid, expected, provided) ->
      fprintf ppf
        "@[The class constructor %a@ expects %i type argument(s),@ \
           but is here applied to %i type argument(s)@]"
        Printtyp.longident lid expected provided
  | Parameter_mismatch trace ->
      Printtyp.report_unification_error ppf trace
        (function ppf ->
           fprintf ppf "The type parameter")
        (function ppf ->
           fprintf ppf "does not meet its constraint: it should be")
  | Bad_parameters (id, params, cstrs) ->
      Printtyp.reset_and_mark_loops_list [params; cstrs];
      fprintf ppf
        "@[The abbreviation %a@ is used with parameters@ %a@ \
           wich are incompatible with constraints@ %a@]"
        Printtyp.ident id Printtyp.type_expr params Printtyp.type_expr cstrs
  | Class_match_failure error ->
      Includeclass.report_error ppf error
  | Unbound_val lab ->
      fprintf ppf "Unbound instance variable %s" lab
  | Unbound_type_var (printer, reason) ->
      let print_common ppf kind ty0 real lab ty =
        let ty1 =
          if real then ty0 else Btype.newgenty(Tobject(ty0, ref None)) in
        Printtyp.mark_loops ty1;
        fprintf ppf
          "The %s %s@ has type@;<1 2>%a@ where@ %a@ is unbound"
            kind lab Printtyp.type_expr ty Printtyp.type_expr ty0
      in
      let print_reason ppf = function
      | Ctype.CC_Method (ty0, real, lab, ty) ->
          print_common ppf "method" ty0 real lab ty
      | Ctype.CC_Value (ty0, real, lab, ty) ->
          print_common ppf "instance variable" ty0 real lab ty
      in
      Printtyp.reset ();
      fprintf ppf
        "@[@[Some type variables are unbound in this type:@;<1 2>%t@]@ \
              @[%a@]@]"
       printer print_reason reason
  | Make_nongen_seltype ty ->
      fprintf ppf
        "@[@[Self type should not occur in the non-generic type@;<1 2>\
                %a@]@,\
           It would escape the scope of its class@]"
        Printtyp.type_scheme ty
  | Non_generalizable_class (id, clty) ->
      fprintf ppf
        "@[The type of this class,@ %a,@ \
           contains type variables that cannot be generalized@]"
        (Printtyp.class_declaration id) clty
  | Cannot_coerce_self ty ->
      fprintf ppf
        "@[The type of self cannot be coerced to@ \
           the type of the current class:@ %a.@.\
           Some occurences are contravariant@]"
        Printtyp.type_scheme ty
  | Non_collapsable_conjunction (id, clty, trace) ->
      fprintf ppf
        "@[The type of this class,@ %a,@ \
           contains non-collapsable conjunctive types in constraints@]"
        (Printtyp.class_declaration id) clty;
      Printtyp.report_unification_error ppf trace
        (fun ppf -> fprintf ppf "Type")
        (fun ppf -> fprintf ppf "is not compatible with type")
  | Final_self_clash trace ->
      Printtyp.report_unification_error ppf trace
        (function ppf ->
           fprintf ppf "This object is expected to have type")
        (function ppf ->
           fprintf ppf "but has actually type")
  | Mutability_mismatch (lab, mut) ->
      let mut1, mut2 =
        if mut = Immutable then "mutable", "immutable"
        else "immutable", "mutable" in
      fprintf ppf
        "@[The instance variable is %s,@ it cannot be redefined as %s@]"
        mut1 mut2
why-2.34/ml/typing/path.ml0000644000175000017500000000344212311670312014030 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: path.ml,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

type t =
    Pident of Ident.t
  | Pdot of t * string * int
  | Papply of t * t

let nopos = -1

let rec same p1 p2 =
  match (p1, p2) with
    (Pident id1, Pident id2) -> Ident.same id1 id2
  | (Pdot(p1, s1, pos1), Pdot(p2, s2, pos2)) -> s1 = s2 && same p1 p2
  | (Papply(fun1, arg1), Papply(fun2, arg2)) ->
       same fun1 fun2 && same arg1 arg2
  | (_, _) -> false

let rec isfree id = function
    Pident id' -> Ident.same id id'
  | Pdot(p, s, pos) -> isfree id p
  | Papply(p1, p2) -> isfree id p1 || isfree id p2

let rec binding_time = function
    Pident id -> Ident.binding_time id
  | Pdot(p, s, pos) -> binding_time p
  | Papply(p1, p2) -> max (binding_time p1) (binding_time p2)

let rec name = function
    Pident id -> Ident.name id
  | Pdot(p, s, pos) -> name p ^ "." ^ s
  | Papply(p1, p2) -> name p1 ^ "(" ^ name p2 ^ ")"

let rec head = function
    Pident id -> id
  | Pdot(p, s, pos) -> head p
  | Papply(p1, p2) -> assert false

why-2.34/ml/typing/oprint.ml0000644000175000017500000003706712311670312014421 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*                  Projet Cristal, INRIA Rocquencourt                 *)
(*                                                                     *)
(*  Copyright 2002 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: oprint.ml,v 1.2 2008-02-19 15:53:36 bardou Exp $ *)

open Format
open Outcometree2

exception Ellipsis

let cautious f ppf arg =
  try f ppf arg with
    Ellipsis -> fprintf ppf "..."

let rec print_ident ppf =
  function
    Oide_ident s -> fprintf ppf "%s" s
  | Oide_dot (id, s) -> fprintf ppf "%a.%s" print_ident id s
  | Oide_apply (id1, id2) ->
      fprintf ppf "%a(%a)" print_ident id1 print_ident id2

let value_ident ppf name =
  if List.mem name
       ["or"; "mod"; "land"; "lor"; "lxor"; "lsl"; "lsr"; "asr"] then
    fprintf ppf "( %s )" name
  else
    match name.[0] with
      'a'..'z' | '\223'..'\246' | '\248'..'\255' | '_' ->
        fprintf ppf "%s" name
    | _ -> fprintf ppf "( %s )" name

(* Values *)

let valid_float_lexeme s =
  let l = String.length s in
  let rec loop i =
    if i >= l then s ^ "." else
    match s.[i] with
    | '0' .. '9' | '-' -> loop (i+1)
    | _ -> s
  in loop 0

let float_repres f =
  match classify_float f with
    FP_nan -> "nan"
  | FP_infinite ->
      if f < 0.0 then "neg_infinity" else "infinity"
  | _ ->
      let s1 = Printf.sprintf "%.12g" f in
      if f = float_of_string s1 then valid_float_lexeme s1 else
      let s2 = Printf.sprintf "%.15g" f in
      if f = float_of_string s2 then valid_float_lexeme s2 else
      Printf.sprintf "%.18g" f

let parenthesize_if_neg ppf fmt v isneg =
  if isneg then pp_print_char ppf '(';
  fprintf ppf fmt v;
  if isneg then pp_print_char ppf ')'

let print_out_value ppf tree =
  let rec print_tree_1 ppf =
    function
    | Oval_constr (name, [param]) ->
        fprintf ppf "@[<1>%a@ %a@]" print_ident name print_constr_param param
    | Oval_constr (name, (_ :: _ as params)) ->
        fprintf ppf "@[<1>%a@ (%a)@]" print_ident name
          (print_tree_list print_tree_1 ",") params
    | Oval_variant (name, Some param) ->
        fprintf ppf "@[<2>`%s@ %a@]" name print_simple_tree param
    | tree -> print_simple_tree ppf tree
  and print_constr_param ppf = function
    | Oval_int i -> parenthesize_if_neg ppf "%i" i (i < 0)
    | Oval_int32 i -> parenthesize_if_neg ppf "%lil" i (i < 0l)
    | Oval_int64 i -> parenthesize_if_neg ppf "%LiL" i (i < 0L)
    | Oval_nativeint i -> parenthesize_if_neg ppf "%nin" i (i < 0n)
    | Oval_float f -> parenthesize_if_neg ppf "%s" (float_repres f) (f < 0.0)
    | tree -> print_simple_tree ppf tree
  and print_simple_tree ppf =
    function
      Oval_int i -> fprintf ppf "%i" i
    | Oval_int32 i -> fprintf ppf "%lil" i
    | Oval_int64 i -> fprintf ppf "%LiL" i
    | Oval_nativeint i -> fprintf ppf "%nin" i
    | Oval_float f -> fprintf ppf "%s" (float_repres f)
    | Oval_char c -> fprintf ppf "%C" c
    | Oval_string s ->
        begin try fprintf ppf "%S" s with
          Invalid_argument "String.create" -> fprintf ppf ""
        end
    | Oval_list tl ->
        fprintf ppf "@[<1>[%a]@]" (print_tree_list print_tree_1 ";") tl
    | Oval_array tl ->
        fprintf ppf "@[<2>[|%a|]@]" (print_tree_list print_tree_1 ";") tl
    | Oval_constr (name, []) -> print_ident ppf name
    | Oval_variant (name, None) -> fprintf ppf "`%s" name
    | Oval_stuff s -> fprintf ppf "%s" s
    | Oval_record fel ->
        fprintf ppf "@[<1>{%a}@]" (cautious (print_fields true)) fel
    | Oval_ellipsis -> raise Ellipsis
    | Oval_printer f -> f ppf
    | Oval_tuple tree_list ->
        fprintf ppf "@[<1>(%a)@]" (print_tree_list print_tree_1 ",") tree_list
    | tree -> fprintf ppf "@[<1>(%a)@]" (cautious print_tree_1) tree
  and print_fields first ppf =
    function
      [] -> ()
    | (name, tree) :: fields ->
        if not first then fprintf ppf ";@ ";
        fprintf ppf "@[<1>%a@ =@ %a@]" print_ident name (cautious print_tree_1)
          tree;
        print_fields false ppf fields
  and print_tree_list print_item sep ppf tree_list =
    let rec print_list first ppf =
      function
        [] -> ()
      | tree :: tree_list ->
          if not first then fprintf ppf "%s@ " sep;
          print_item ppf tree;
          print_list false ppf tree_list
    in
    cautious (print_list true) ppf tree_list
  in
  cautious print_tree_1 ppf tree

let out_value = ref print_out_value

(* Types *)

let rec print_list_init pr sep ppf =
  function
    [] -> ()
  | a :: l -> sep ppf; pr ppf a; print_list_init pr sep ppf l

let rec print_list pr sep ppf =
  function
    [] -> ()
  | [a] -> pr ppf a
  | a :: l -> pr ppf a; sep ppf; print_list pr sep ppf l

let pr_present =
  print_list (fun ppf s -> fprintf ppf "`%s" s) (fun ppf -> fprintf ppf "@ ")

let pr_vars =
  print_list (fun ppf s -> fprintf ppf "'%s" s) (fun ppf -> fprintf ppf "@ ")

let rec print_out_type ppf =
  function
  | Otyp_alias (ty, s) ->
      fprintf ppf "@[%a@ as '%s@]" print_out_type ty s
  | Otyp_poly (sl, ty) ->
      fprintf ppf "@[%a.@ %a@]"
        pr_vars sl
        print_out_type ty
  | ty ->
      print_out_type_1 ppf ty

and print_out_type_1 ppf =
  function
    Otyp_arrow (lab, ty1, ty2) ->
      fprintf ppf "@[%s%a ->@ %a@]" (if lab <> "" then lab ^ ":" else "")
        print_out_type_2 ty1 print_out_type_1 ty2
  | ty -> print_out_type_2 ppf ty
and print_out_type_2 ppf =
  function
    Otyp_tuple tyl ->
      fprintf ppf "@[<0>%a@]" (print_typlist print_simple_out_type " *") tyl
  | ty -> print_simple_out_type ppf ty
and print_simple_out_type ppf =
  function
    Otyp_class (ng, id, tyl) ->
      fprintf ppf "@[%a%s#%a@]" print_typargs tyl (if ng then "_" else "")
        print_ident id
  | Otyp_constr (id, tyl) ->
      fprintf ppf "@[%a%a@]" print_typargs tyl print_ident id
  | Otyp_object (fields, rest) ->
      fprintf ppf "@[<2>< %a >@]" (print_fields rest) fields
  | Otyp_stuff s -> fprintf ppf "%s" s
  | Otyp_var (ng, s) -> fprintf ppf "'%s%s" (if ng then "_" else "") s
  | Otyp_variant (non_gen, row_fields, closed, tags) ->
      let print_present ppf =
        function
          None | Some [] -> ()
        | Some l -> fprintf ppf "@;<1 -2>> @[%a@]" pr_present l
      in
      let print_fields ppf =
        function
          Ovar_fields fields ->
            print_list print_row_field (fun ppf -> fprintf ppf "@;<1 -2>| ")
              ppf fields
        | Ovar_name (id, tyl) ->
            fprintf ppf "@[%a%a@]" print_typargs tyl print_ident id
      in
      fprintf ppf "%s[%s@[@[%a@]%a ]@]" (if non_gen then "_" else "")
        (if closed then if tags = None then " " else "< "
         else if tags = None then "> " else "? ")
        print_fields row_fields
        print_present tags
  | Otyp_alias _ | Otyp_poly _ | Otyp_arrow _ | Otyp_tuple _ as ty ->
      fprintf ppf "@[<1>(%a)@]" print_out_type ty
  | Otyp_abstract | Otyp_sum _ | Otyp_record _ | Otyp_manifest (_, _) -> ()
and print_fields rest ppf =
  function
    [] ->
      begin match rest with
        Some non_gen -> fprintf ppf "%s.." (if non_gen then "_" else "")
      | None -> ()
      end
  | [s, t] ->
      fprintf ppf "%s : %a" s print_out_type t;
      begin match rest with
        Some _ -> fprintf ppf ";@ "
      | None -> ()
      end;
      print_fields rest ppf []
  | (s, t) :: l ->
      fprintf ppf "%s : %a;@ %a" s print_out_type t (print_fields rest) l
and print_row_field ppf (l, opt_amp, tyl) =
  let pr_of ppf =
    if opt_amp then fprintf ppf " of@ &@ "
    else if tyl <> [] then fprintf ppf " of@ "
    else fprintf ppf ""
  in
  fprintf ppf "@[`%s%t%a@]" l pr_of (print_typlist print_out_type " &")
    tyl
and print_typlist print_elem sep ppf =
  function
    [] -> ()
  | [ty] -> print_elem ppf ty
  | ty :: tyl ->
      fprintf ppf "%a%s@ %a" print_elem ty sep (print_typlist print_elem sep)
        tyl
and print_typargs ppf =
  function
    [] -> ()
  | [ty1] -> fprintf ppf "%a@ " print_simple_out_type ty1
  | tyl -> fprintf ppf "@[<1>(%a)@]@ " (print_typlist print_out_type ",") tyl

let out_type = ref print_out_type

(* Class types *)

let type_parameter ppf (ty, (co, cn)) =
  fprintf ppf "%s'%s" (if not cn then "+" else if not co then "-" else "")
    (*if co then if cn then "!" else "+" else if cn then "-" else "?"*)
    ty

let print_out_class_params ppf =
  function
    [] -> ()
  | tyl ->
      fprintf ppf "@[<1>[%a]@]@ "
        (print_list type_parameter (fun ppf -> fprintf ppf ", "))
        tyl

let rec print_out_class_type ppf =
  function
    Octy_constr (id, tyl) ->
      let pr_tyl ppf =
        function
          [] -> ()
        | tyl ->
            fprintf ppf "@[<1>[%a]@]@ " (print_typlist !out_type ",") tyl
      in
      fprintf ppf "@[%a%a@]" pr_tyl tyl print_ident id
  | Octy_fun (lab, ty, cty) ->
      fprintf ppf "@[%s%a ->@ %a@]" (if lab <> "" then lab ^ ":" else "")
        print_out_type_2 ty print_out_class_type cty
  | Octy_signature (self_ty, csil) ->
      let pr_param ppf =
        function
          Some ty -> fprintf ppf "@ @[(%a)@]" !out_type ty
        | None -> ()
      in
      fprintf ppf "@[@[<2>object%a@]@ %a@;<1 -2>end@]" pr_param self_ty
        (print_list print_out_class_sig_item (fun ppf -> fprintf ppf "@ "))
        csil
and print_out_class_sig_item ppf =
  function
    Ocsg_constraint (ty1, ty2) ->
      fprintf ppf "@[<2>constraint %a =@ %a@]" !out_type ty1
        !out_type ty2
  | Ocsg_method (name, priv, virt, ty) ->
      fprintf ppf "@[<2>method %s%s%s :@ %a@]"
        (if priv then "private " else "") (if virt then "virtual " else "")
        name !out_type ty
  | Ocsg_value (name, mut, vr, ty) ->
      fprintf ppf "@[<2>val %s%s%s :@ %a@]"
        (if mut then "mutable " else "")
        (if vr then "virtual " else "")
        name !out_type ty

let out_class_type = ref print_out_class_type

(* Signature *)

let out_module_type = ref (fun _ -> failwith "Oprint.out_module_type")
let out_sig_item = ref (fun _ -> failwith "Oprint.out_sig_item")
let out_signature = ref (fun _ -> failwith "Oprint.out_signature")

let rec print_out_module_type ppf =
  function
    Omty_abstract -> ()
  | Omty_functor (name, mty_arg, mty_res) ->
      fprintf ppf "@[<2>functor@ (%s : %a) ->@ %a@]" name
        print_out_module_type mty_arg print_out_module_type mty_res
  | Omty_ident id -> fprintf ppf "%a" print_ident id
  | Omty_signature sg ->
      fprintf ppf "@[sig@ %a@;<1 -2>end@]" !out_signature sg
and print_out_signature ppf =
  function
    [] -> ()
  | [item] -> !out_sig_item ppf item
  | item :: items ->
      fprintf ppf "%a@ %a" !out_sig_item item print_out_signature items
and print_out_sig_item ppf =
  function
    Osig_class (vir_flag, name, params, clt, rs) ->
      fprintf ppf "@[<2>%s%s@ %a%s@ :@ %a@]"
        (if rs = Orec_next then "and" else "class")
        (if vir_flag then " virtual" else "") print_out_class_params params
        name !out_class_type clt
  | Osig_class_type (vir_flag, name, params, clt, rs) ->
      fprintf ppf "@[<2>%s%s@ %a%s@ =@ %a@]"
        (if rs = Orec_next then "and" else "class type")
        (if vir_flag then " virtual" else "") print_out_class_params params
        name !out_class_type clt
  | Osig_exception (id, tyl) ->
      fprintf ppf "@[<2>exception %a@]" print_out_constr (id, tyl)
  | Osig_modtype (name, Omty_abstract) ->
      fprintf ppf "@[<2>module type %s@]" name
  | Osig_modtype (name, mty) ->
      fprintf ppf "@[<2>module type %s =@ %a@]" name !out_module_type mty
  | Osig_module (name, mty, rs) ->
      fprintf ppf "@[<2>%s %s :@ %a@]" 
        (match rs with Orec_not -> "module"
                     | Orec_first -> "module rec"
                     | Orec_next -> "and")
        name !out_module_type mty
  | Osig_type(td, rs) ->
        print_out_type_decl
          (if rs = Orec_next then "and" else "type")
          ppf td
  | Osig_value (name, ty, prims) ->
      let kwd = if prims = [] then "val" else "external" in
      let pr_prims ppf =
        function
          [] -> ()
        | s :: sl ->
            fprintf ppf "@ = \"%s\"" s;
            List.iter (fun s -> fprintf ppf "@ \"%s\"" s) sl
      in
      fprintf ppf "@[<2>%s %a :@ %a%a@]" kwd value_ident name !out_type
        ty pr_prims prims

and print_out_type_decl kwd ppf (name, args, ty, priv, constraints) =
  let print_constraints ppf params =
    List.iter
      (fun (ty1, ty2) ->
         fprintf ppf "@ @[<2>constraint %a =@ %a@]" !out_type ty1
           !out_type ty2)
      params
  in
  let type_defined ppf =
    match args with
      [] -> fprintf ppf "%s" name
    | [arg] -> fprintf ppf "@[%a@ %s@]" type_parameter arg name
    | _ ->
        fprintf ppf "@[(@[%a)@]@ %s@]"
          (print_list type_parameter (fun ppf -> fprintf ppf ",@ ")) args name
  in
  let print_manifest ppf =
    function
      Otyp_manifest (ty, _) -> fprintf ppf " =@ %a" !out_type ty
    | _ -> ()
  in
  let print_name_args ppf =
    fprintf ppf "%s %t%a" kwd type_defined print_manifest ty
  in
  let ty =
    match ty with
      Otyp_manifest (_, ty) -> ty
    | _ -> ty
  in
  let print_private ppf = function
    Asttypes.Private -> fprintf ppf " private"
  | Asttypes.Public -> () in
  let rec print_out_tkind ppf = function
  | Otyp_abstract -> ()
  | Otyp_record lbls ->
      fprintf ppf " =%a {%a@;<1 -2>}"
        print_private priv
        (print_list_init print_out_label (fun ppf -> fprintf ppf "@ ")) lbls
  | Otyp_sum constrs ->
      fprintf ppf " =%a@;<1 2>%a"
        print_private priv
        (print_list print_out_constr (fun ppf -> fprintf ppf "@ | ")) constrs
  | ty ->
      fprintf ppf " =%a@;<1 2>%a"
        print_private priv
        !out_type ty
  in
  fprintf ppf "@[<2>@[%t%a@]%a@]"
    print_name_args
    print_out_tkind ty
    print_constraints constraints
and print_out_constr ppf (name, tyl) =
  match tyl with
    [] -> fprintf ppf "%s" name
  | _ ->
      fprintf ppf "@[<2>%s of@ %a@]" name
        (print_typlist print_simple_out_type " *") tyl
and print_out_label ppf (name, mut, arg) =
  fprintf ppf "@[<2>%s%s :@ %a@];" (if mut then "mutable " else "") name
    !out_type arg

let _ = out_module_type := print_out_module_type
let _ = out_signature := print_out_signature
let _ = out_sig_item := print_out_sig_item

(* Phrases *)

let print_out_exception ppf exn outv =
  match exn with
    Sys.Break -> fprintf ppf "Interrupted.@."
  | Out_of_memory -> fprintf ppf "Out of memory during evaluation.@."
  | Stack_overflow ->
      fprintf ppf "Stack overflow during evaluation (looping recursion?).@."
  | _ -> fprintf ppf "@[Exception:@ %a.@]@." !out_value outv

let rec print_items ppf =
  function
    [] -> ()
  | (tree, valopt) :: items ->
      begin match valopt with
        Some v ->
          fprintf ppf "@[<2>%a =@ %a@]" !out_sig_item tree
            !out_value v
      | None -> fprintf ppf "@[%a@]" !out_sig_item tree
      end;
      if items <> [] then fprintf ppf "@ %a" print_items items

let print_out_phrase ppf =
  function
    Ophr_eval (outv, ty) ->
      fprintf ppf "@[- : %a@ =@ %a@]@." !out_type ty !out_value outv
  | Ophr_signature [] -> ()
  | Ophr_signature items -> fprintf ppf "@[%a@]@." print_items items
  | Ophr_exception (exn, outv) -> print_out_exception ppf exn outv

let out_phrase = ref print_out_phrase
why-2.34/ml/typing/printtyp.mli0000644000175000017500000000657012311670312015143 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: printtyp.mli,v 1.2 2008-02-19 15:53:36 bardou Exp $ *)

(* Printing functions *)

open Format
open Types
open Outcometree2

val longident: formatter -> Longident.t -> unit
val ident: formatter -> Ident.t -> unit
val tree_of_path: Path.t -> out_ident
val path: formatter -> Path.t -> unit
val raw_type_expr: formatter -> type_expr -> unit
val reset: unit -> unit
val mark_loops: type_expr -> unit
val reset_and_mark_loops: type_expr -> unit
val reset_and_mark_loops_list: type_expr list -> unit
val type_expr: formatter -> type_expr -> unit
val tree_of_type_scheme: type_expr -> out_type
val type_sch : formatter -> type_expr -> unit
val type_scheme: formatter -> type_expr -> unit
(* Maxence *)
val reset_names: unit -> unit
val type_scheme_max: ?b_reset_names: bool ->
        formatter -> type_expr -> unit
(* Fin Maxence *)
val tree_of_value_description: Ident.t -> value_description -> out_sig_item
val value_description: Ident.t -> formatter -> value_description -> unit
val tree_of_type_declaration: Ident.t -> type_declaration -> rec_status -> out_sig_item
val type_declaration: Ident.t -> formatter -> type_declaration -> unit
val tree_of_exception_declaration: Ident.t -> exception_declaration -> out_sig_item
val exception_declaration: Ident.t -> formatter -> exception_declaration -> unit
val tree_of_module: Ident.t -> module_type -> rec_status -> out_sig_item
val modtype: formatter -> module_type -> unit
val signature: formatter -> signature -> unit
val tree_of_modtype_declaration: Ident.t -> modtype_declaration -> out_sig_item
val modtype_declaration: Ident.t -> formatter -> modtype_declaration -> unit
val class_type: formatter -> class_type -> unit
val tree_of_class_declaration: Ident.t -> class_declaration -> rec_status -> out_sig_item
val class_declaration: Ident.t -> formatter -> class_declaration -> unit
val tree_of_cltype_declaration: Ident.t -> cltype_declaration -> rec_status -> out_sig_item
val cltype_declaration: Ident.t -> formatter -> cltype_declaration -> unit
val type_expansion: type_expr -> Format.formatter -> type_expr -> unit
val prepare_expansion: type_expr * type_expr -> type_expr * type_expr
val trace: bool -> string -> formatter -> (type_expr * type_expr) list -> unit
val unification_error:
    bool -> (type_expr * type_expr) list ->
    (formatter -> unit) -> formatter -> (formatter -> unit) ->
    unit
val report_unification_error:
    formatter -> (type_expr * type_expr) list ->
    (formatter -> unit) -> (formatter -> unit) ->
    unit
val report_subtyping_error:
    formatter -> (type_expr * type_expr) list ->
    string -> (type_expr * type_expr) list -> unit
why-2.34/ml/typing/ctype.ml0000644000175000017500000034005512311670312014224 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(* Xavier Leroy and Jerome Vouillon, projet Cristal, INRIA Rocquencourt*)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: ctype.ml,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Operations on core types *)

open Misc
open Asttypes
open Types
open Btype

(*
   Type manipulation after type inference
   ======================================
   If one wants to manipulate a type after type inference (for
   instance, during code generation or in the debugger), one must
   first make sure that the type levels are correct, using the
   function [correct_levels]. Then, this type can be correctely
   manipulated by [apply], [expand_head] and [moregeneral].
*)

(*
   General notes
   =============
   - As much sharing as possible should be kept : it makes types
     smaller and better abbreviated.
     When necessary, some sharing can be lost. Types will still be
     printed correctly (+++ TO DO...), and abbreviations defined by a
     class do not depend on sharing thanks to constrained
     abbreviations. (Of course, even if some sharing is lost, typing
     will still be correct.)
   - All nodes of a type have a level : that way, one know whether a
     node need to be duplicated or not when instantiating a type.
   - Levels of a type are decreasing (generic level being considered
     as greatest).
   - The level of a type constructor is superior to the binding
     time of its path.
   - Recursive types without limitation should be handled (even if
     there is still an occur check). This avoid treating specially the
     case for objects, for instance. Furthermore, the occur check
     policy can then be easily changed.
*)

(*
   A faire
   =======
   - Revoir affichage des types.
   - Etendre la portee d'un alias [... as 'a] a tout le type englobant.
   - #-type implementes comme de vraies abreviations.
   - Niveaux plus fins pour les identificateurs :
       Champ [global] renomme en [level];
       Niveau -1 : global
               0 : module toplevel
               1 : module contenu dans module toplevel
              ...
     En fait, incrementer le niveau a chaque fois que l'on rentre dans
     un module.

       3   4 6
        \ / /
       1 2 5
        \|/
         0

     [Subst] doit ecreter les niveaux (pour qu'un variable non
     generalisable dans un module de niveau 2 ne se retrouve pas
     generalisable lorsque l'on l'utilise au niveau 0).

   - Traitement de la trace de l'unification separe de la fonction
     [unify].
*)

(**** Errors ****)

exception Unify of (type_expr * type_expr) list

exception Tags of label * label

exception Subtype of
        (type_expr * type_expr) list * (type_expr * type_expr) list

exception Cannot_expand

exception Cannot_apply

exception Recursive_abbrev

(**** Type level management ****)

let current_level = ref 0
let nongen_level = ref 0
let global_level = ref 1
let saved_level = ref []
let saved_global_level = ref []

let init_def level = current_level := level; nongen_level := level
let begin_def () =
  saved_level := (!current_level, !nongen_level) :: !saved_level;
  incr current_level; nongen_level := !current_level
let begin_class_def () =
  saved_level := (!current_level, !nongen_level) :: !saved_level;
  incr current_level
let raise_nongen_level () =
  saved_level := (!current_level, !nongen_level) :: !saved_level;
  nongen_level := !current_level
let end_def () =
  let (cl, nl) = List.hd !saved_level in
  saved_level := List.tl !saved_level;
  current_level := cl; nongen_level := nl

let reset_global_level () =
  global_level := !current_level + 1;
  saved_global_level := []
let increase_global_level () =
  let gl = !global_level in
  global_level := !current_level;
  gl
let restore_global_level gl =
  global_level := gl

(* Abbreviations without parameters *)
(* Shall reset after generalizing *)
let simple_abbrevs = ref Mnil
let proper_abbrevs path tl abbrev =
  if !Clflags.principal || tl <> [] then abbrev else
  let name = match path with Path.Pident id -> Ident.name id
                           | Path.Pdot(_, s,_) -> s
                           | Path.Papply _ -> assert false in
  if name.[0] <> '#' then simple_abbrevs else abbrev

(**** Some type creators ****)

(* Re-export generic type creators *)

let newty2             = Btype.newty2
let newty desc         = newty2 !current_level desc
let new_global_ty desc = newty2 !global_level desc

let newvar ()          = newty2 !current_level Tvar
let newvar2 level      = newty2 level Tvar
let new_global_var ()  = newty2 !global_level Tvar

let newobj fields      = newty (Tobject (fields, ref None))

let newconstr path tyl = newty (Tconstr (path, tyl, ref Mnil))

let none = newty (Ttuple [])                (* Clearly ill-formed type *)

(**** Representative of a type ****)

(* Re-export repr *)
let repr = repr

(**** Type maps ****)

module TypePairs =
  Hashtbl.Make (struct
    type t = type_expr * type_expr
    let equal (t1, t1') (t2, t2') = (t1 == t2) && (t1' == t2')
    let hash (t, t') = t.id + 93 * t'.id
 end)

                  (**********************************************)
                  (*  Miscellaneous operations on object types  *)
                  (**********************************************)


(**** Object field manipulation. ****)

let dummy_method = "*dummy method*"

let object_fields ty =
  match (repr ty).desc with
    Tobject (fields, _) -> fields
  | _                   -> assert false

let flatten_fields ty =
  let rec flatten l ty =
    let ty = repr ty in
    match ty.desc with
      Tfield(s, k, ty1, ty2) ->
        flatten ((s, k, ty1)::l) ty2
    | _ ->
        (l, ty)
  in
    let (l, r) = flatten [] ty in
    (Sort.list (fun (n, _, _) (n', _, _) -> n < n') l, r)

let build_fields level =
  List.fold_right
    (fun (s, k, ty1) ty2 -> newty2 level (Tfield(s, k, ty1, ty2)))

let associate_fields fields1 fields2 =
  let rec associate p s s' =
    function
      (l, []) ->
        (List.rev p, (List.rev s) @ l, List.rev s')
    | ([], l') ->
        (List.rev p, List.rev s, (List.rev s') @ l')
    | ((n, k, t)::r, (n', k', t')::r') when n = n' ->
        associate ((n, k, t, k', t')::p) s s' (r, r')
    | ((n, k, t)::r, ((n', k', t')::_ as l')) when n < n' ->
        associate p ((n, k, t)::s) s' (r, l')
    | (((n, k, t)::r as l), (n', k', t')::r') (* when n > n' *) ->
        associate p s ((n', k', t')::s') (l, r')
  in
  associate [] [] [] (fields1, fields2)

(**** Check whether an object is open ****)

(* +++ Il faudra penser a eventuellement expanser l'abreviation *)
let rec object_row ty =
  let ty = repr ty in
  match ty.desc with
    Tobject (t, _)     -> object_row t
  | Tfield(_, _, _, t) -> object_row t
  | _ -> ty

let opened_object ty =
  match (object_row ty).desc with
  | Tvar               -> true
  | Tunivar            -> true
  | Tconstr _          -> true
  | _                  -> false

(**** Close an object ****)

let close_object ty =
  let rec close ty =
    let ty = repr ty in
    match ty.desc with
      Tvar ->
        link_type ty (newty2 ty.level Tnil)
    | Tfield(_, _, _, ty') -> close ty'
    | _                    -> assert false
  in
  match (repr ty).desc with
    Tobject (ty, _)   -> close ty
  | _                 -> assert false

(**** Row variable of an object type ****)

let row_variable ty =
  let rec find ty =
    let ty = repr ty in
    match ty.desc with
      Tfield (_, _, _, ty) -> find ty
    | Tvar                 -> ty
    | _                    -> assert false
  in
  match (repr ty).desc with
    Tobject (fi, _) -> find fi
  | _               -> assert false

(**** Object name manipulation ****)
(* +++ Bientot obsolete *)

let set_object_name id rv params ty =
  match (repr ty).desc with
    Tobject (fi, nm) ->
      set_name nm (Some (Path.Pident id, rv::params))
  | _ ->
      assert false

let remove_object_name ty =
  match (repr ty).desc with
    Tobject (_, nm)   -> set_name nm None
  | Tconstr (_, _, _) -> ()
  | _                 -> fatal_error "Ctype.remove_object_name"

(**** Hiding of private methods ****)

let hide_private_methods ty =
  match (repr ty).desc with
    Tobject (fi, nm) ->
      nm := None;
      let (fl, _) = flatten_fields fi in
      List.iter
        (function (_, k, _) ->
          match field_kind_repr k with
            Fvar r -> set_kind r Fabsent
          | _      -> ())
        fl
  | _ ->
      assert false


                              (*******************************)
                              (*  Operations on class types  *)
                              (*******************************)


let rec signature_of_class_type =
  function
    Tcty_constr (_, _, cty) -> signature_of_class_type cty
  | Tcty_signature sign     -> sign
  | Tcty_fun (_, ty, cty)   -> signature_of_class_type cty

let self_type cty =
  repr (signature_of_class_type cty).cty_self

let rec class_type_arity =
  function
    Tcty_constr (_, _, cty) ->  class_type_arity cty
  | Tcty_signature _        ->  0
  | Tcty_fun (_, _, cty)    ->  1 + class_type_arity cty


                  (*******************************************)
                  (*  Miscellaneous operations on row types  *)
                  (*******************************************)

let sort_row_fields = Sort.list (fun (p,_) (q,_) -> p < q)

let merge_row_fields fi1 fi2 =
  let rec merge r1 r2 pairs fi1 fi2 =
    match fi1, fi2 with
      (l1,f1 as p1)::fi1', (l2,f2 as p2)::fi2' ->
        if l1 = l2 then merge r1 r2 ((l1,f1,f2)::pairs) fi1' fi2' else
        if l1 < l2 then merge (p1::r1) r2 pairs fi1' fi2 else
        merge r1 (p2::r2) pairs fi1 fi2'
    | [], _ -> (List.rev r1, List.rev_append r2 fi2, pairs)
    | _, [] -> (List.rev_append r1 fi1, List.rev r2, pairs)
  in
  merge [] [] [] (sort_row_fields fi1) (sort_row_fields fi2)

let rec filter_row_fields erase = function
    [] -> []
  | (l,f as p)::fi ->
      let fi = filter_row_fields erase fi in
      match row_field_repr f with
        Rabsent -> fi
      | Reither(_,_,false,e) when erase -> set_row_field e Rabsent; fi
      | _ -> p :: fi

                    (**************************************)
                    (*  Check genericity of type schemes  *)
                    (**************************************)


exception Non_closed

let rec closed_schema_rec ty =
  let ty = repr ty in
  if ty.level >= lowest_level then begin
    let level = ty.level in
    ty.level <- pivot_level - level;
    match ty.desc with
      Tvar when level <> generic_level ->
        raise Non_closed
    | Tfield(_, kind, t1, t2) ->
        if field_kind_repr kind = Fpresent then
          closed_schema_rec t1;
        closed_schema_rec t2
    | Tvariant row ->
        let row = row_repr row in
        iter_row closed_schema_rec {row with row_bound = []};
        if not (static_row row) then closed_schema_rec row.row_more
    | _ ->
        iter_type_expr closed_schema_rec ty
  end

(* Return whether all variables of type [ty] are generic. *)
let closed_schema ty =
  try
    closed_schema_rec ty;
    unmark_type ty;
    true
  with Non_closed ->
    unmark_type ty;
    false

exception Non_closed of type_expr * bool

let free_variables = ref []

let rec free_vars_rec real ty =
  let ty = repr ty in
  if ty.level >= lowest_level then begin
    ty.level <- pivot_level - ty.level;
    begin match ty.desc with
      Tvar ->
        free_variables := (ty, real) :: !free_variables
(* Do not count "virtual" free variables
    | Tobject(ty, {contents = Some (_, p)}) ->
        free_vars_rec false ty; List.iter (free_vars_rec true) p
*)
    | Tobject (ty, _) ->
        free_vars_rec false ty
    | Tfield (_, _, ty1, ty2) ->
        free_vars_rec true ty1; free_vars_rec false ty2
    | Tvariant row ->
        let row = row_repr row in
        iter_row (free_vars_rec true) {row with row_bound = []};
        if not (static_row row) then free_vars_rec false row.row_more
    | _    ->
        iter_type_expr (free_vars_rec true) ty
    end;
  end

let free_vars ty =
  free_variables := [];
  free_vars_rec true ty;
  let res = !free_variables in
  free_variables := [];
  res

let free_variables ty =
  let tl = List.map fst (free_vars ty) in
  unmark_type ty;
  tl

let rec closed_type ty =
  match free_vars ty with
      []           -> ()
  | (v, real) :: _ -> raise (Non_closed (v, real))

let closed_parameterized_type params ty =
  List.iter mark_type params;
  let ok =
    try closed_type ty; true with Non_closed _ -> false in
  List.iter unmark_type params;
  unmark_type ty;
  ok

let closed_type_decl decl =
  try
    List.iter mark_type decl.type_params;
    begin match decl.type_kind with
      Type_abstract ->
        ()
    | Type_variant(v, priv) ->
        List.iter (fun (_, tyl) -> List.iter closed_type tyl) v
    | Type_record(r, rep, priv) ->
        List.iter (fun (_, _, ty) -> closed_type ty) r
    end;
    begin match decl.type_manifest with
      None    -> ()
    | Some ty -> closed_type ty
    end;
    unmark_type_decl decl;
    None
  with Non_closed (ty, _) ->
    unmark_type_decl decl;
    Some ty

type closed_class_failure =
    CC_Method of type_expr * bool * string * type_expr
  | CC_Value of type_expr * bool * string * type_expr

exception Failure of closed_class_failure

let closed_class params sign =
  let ty = object_fields (repr sign.cty_self) in
  let (fields, rest) = flatten_fields ty in
  List.iter mark_type params;
  mark_type rest;
  List.iter
    (fun (lab, _, ty) -> if lab = dummy_method then mark_type ty)
    fields;
  try
    mark_type_node (repr sign.cty_self);
    List.iter
      (fun (lab, kind, ty) ->
        if field_kind_repr kind = Fpresent then
        try closed_type ty with Non_closed (ty0, real) ->
          raise (Failure (CC_Method (ty0, real, lab, ty))))
      fields;
    mark_type_params (repr sign.cty_self);
    List.iter unmark_type params;
    unmark_class_signature sign;
    None
  with Failure reason ->
    mark_type_params (repr sign.cty_self);
    List.iter unmark_type params;
    unmark_class_signature sign;
    Some reason


                            (**********************)
                            (*  Type duplication  *)
                            (**********************)


(* Duplicate a type, preserving only type variables *)
let duplicate_type ty =
  Subst.type_expr Subst.identity ty

(* Same, for class types *)
let duplicate_class_type ty =
  Subst.class_type Subst.identity ty


                         (*****************************)
                         (*  Type level manipulation  *)
                         (*****************************)

(*
   It would be a bit more efficient to remove abbreviation expansions
   rather than generalizing them: these expansions will usually not be
   used anymore. However, this is not possible in the general case, as
   [expand_abbrev] (via [subst]) requires these expansions to be
   preserved. Does it worth duplicating this code ?
*)
let rec iter_generalize tyl ty =
  let ty = repr ty in
  if (ty.level > !current_level) && (ty.level <> generic_level) then begin
    set_level ty generic_level;
    begin match ty.desc with
      Tconstr (_, _, abbrev) ->
        iter_abbrev (iter_generalize tyl) !abbrev
    | _ -> ()
    end;
    iter_type_expr (iter_generalize tyl) ty
  end else
    tyl := ty :: !tyl

let iter_generalize tyl ty =
  simple_abbrevs := Mnil;
  iter_generalize tyl ty

let generalize ty =
  iter_generalize (ref []) ty

(* Efficient repeated generalisation of the same type *)
let iterative_generalization min_level tyl =
  let tyl' = ref [] in
  List.iter (iter_generalize tyl') tyl;
  List.fold_right (fun ty l -> if ty.level <= min_level then l else ty::l)
    !tyl' []

(* Generalize the structure and lower the variables *)

let rec generalize_structure var_level ty =
  let ty = repr ty in
  if ty.level <> generic_level then begin
    if ty.desc = Tvar && ty.level > var_level then
      set_level ty var_level
    else if ty.level > !current_level then begin
      set_level ty generic_level;
      begin match ty.desc with
        Tconstr (_, _, abbrev) -> abbrev := Mnil
      | _ -> ()
      end;
      iter_type_expr (generalize_structure var_level) ty
    end
  end

let generalize_structure var_level ty =
  simple_abbrevs := Mnil;
  generalize_structure var_level ty

(* let generalize_expansive ty = generalize_structure !nongen_level ty *)
let generalize_global ty = generalize_structure !global_level ty
let generalize_structure ty = generalize_structure !current_level ty

(* Generalize the spine of a function, if the level >= !current_level *)

let rec generalize_spine ty =
  let ty = repr ty in
  if ty.level < !current_level || ty.level = generic_level then () else
  match ty.desc with
    Tarrow (_, _, ty', _) | Tpoly (ty', _) ->
      set_level ty generic_level;
      generalize_spine ty'
  | _ -> ()

let try_expand_once' = (* Forward declaration *)
  ref (fun env ty -> raise Cannot_expand)

(*
   Lower the levels of a type (assume [level] is not
   [generic_level]).
*)
(*
    The level of a type constructor must be greater than its binding
    time. That way, a type constructor cannot escape the scope of its
    definition, as would be the case in
      let x = ref []
      module M = struct type t let _ = (x : t list ref) end
    (without this constraint, the type system would actually be unsound.)
*)
let rec update_level env level ty =
  let ty = repr ty in
  if ty.level > level then begin
    begin match ty.desc with
      Tconstr(p, tl, abbrev)  when level < Path.binding_time p ->
        (* Try first to replace an abbreviation by its expansion. *)
        begin try
          link_type ty (!try_expand_once' env ty);
          update_level env level ty
        with Cannot_expand ->
          (* +++ Levels should be restored... *)
          raise (Unify [(ty, newvar2 level)])
        end
    | Tobject(_, ({contents=Some(p, tl)} as nm))
      when level < Path.binding_time p ->
        set_name nm None;
        update_level env level ty
    | Tvariant row ->
        let row = row_repr row in
        begin match row.row_name with
        | Some (p, tl) when level < Path.binding_time p ->
            log_type ty;
            ty.desc <- Tvariant {row with row_name = None}
        | _ -> ()
        end;
        set_level ty level;
        iter_type_expr (update_level env level) ty
    | Tfield(lab, _, _, _) when lab = dummy_method ->
        raise (Unify [(ty, newvar2 level)])
    | _ ->
        set_level ty level;
        (* XXX what about abbreviations in Tconstr ? *)
        iter_type_expr (update_level env level) ty
    end
  end

(* Generalize and lower levels of contravariant branches simultaneously *)

let rec generalize_expansive env var_level ty =
  let ty = repr ty in
  if ty.level <> generic_level then begin
    if ty.level > var_level then begin
      set_level ty generic_level;
      match ty.desc with
        Tconstr (path, tyl, abbrev) ->
          let variance =
            try (Env.find_type path env).type_variance
            with Not_found -> List.map (fun _ -> (true,true,true)) tyl in
          abbrev := Mnil;
          List.iter2
            (fun (co,cn,ct) t ->
              if ct then update_level env var_level t
              else generalize_expansive env var_level t)
            variance tyl
      | Tarrow (_, t1, t2, _) ->
          update_level env var_level t1;
          generalize_expansive env var_level t2
      | _ ->
          iter_type_expr (generalize_expansive env var_level) ty
    end
  end

let generalize_expansive env ty =
  simple_abbrevs := Mnil;
  try
    generalize_expansive env !nongen_level ty
  with Unify [_, ty'] ->
    raise (Unify [ty, ty'])

(* Correct the levels of type [ty]. *)
let correct_levels ty =
  duplicate_type ty

(* Only generalize the type ty0 in ty *)
let limited_generalize ty0 ty =
  let ty0 = repr ty0 in

  let graph = Hashtbl.create 17 in
  let idx = ref lowest_level in
  let roots = ref [] in

  let rec inverse pty ty =
    let ty = repr ty in
    if (ty.level > !current_level) || (ty.level = generic_level) then begin
      decr idx;
      Hashtbl.add graph !idx (ty, ref pty);
      if (ty.level = generic_level) || (ty == ty0) then
        roots := ty :: !roots;
      set_level ty !idx;
      iter_type_expr (inverse [ty]) ty
    end else if ty.level < lowest_level then begin
      let (_, parents) = Hashtbl.find graph ty.level in
      parents := pty @ !parents
    end

  and generalize_parents ty =
    let idx = ty.level in
    if idx <> generic_level then begin
      set_level ty generic_level;
      List.iter generalize_parents !(snd (Hashtbl.find graph idx));
      (* Special case for rows: must generalize the row variable *)
      match ty.desc with
        Tvariant row ->
          let more = row_more row in
          let lv = more.level in
          if (lv < lowest_level || lv > !current_level)
          && lv <> generic_level then set_level more generic_level
      | _ -> ()
    end
  in

  inverse [] ty;
  if ty0.level < lowest_level then
    iter_type_expr (inverse []) ty0;
  List.iter generalize_parents !roots;
  Hashtbl.iter
    (fun _ (ty, _) ->
       if ty.level <> generic_level then set_level ty !current_level)
    graph


                              (*******************)
                              (*  Instantiation  *)
                              (*******************)


let rec find_repr p1 =
  function
    Mnil ->
      None
  | Mcons (p2, ty, _, _) when Path.same p1 p2 ->
      Some ty
  | Mcons (_, _, _, rem) ->
      find_repr p1 rem
  | Mlink {contents = rem} ->
      find_repr p1 rem

(*
   Generic nodes are duplicated, while non-generic nodes are left
   as-is.
   During instantiation, the description of a generic node is first
   replaced by a link to a stub ([Tsubst (newvar ())]). Once the
   copy is made, it replaces the stub.
   After instantiation, the description of generic node, which was
   stored by [save_desc], must be put back, using [cleanup_types].
*)

let abbreviations = ref (ref Mnil)
  (* Abbreviation memorized. *)

let rec copy ty =
  let ty = repr ty in
  match ty.desc with
    Tsubst ty -> ty
  | _ ->
    if ty.level <> generic_level then ty else
    let desc = ty.desc in
    save_desc ty desc;
    let t = newvar() in          (* Stub *)
    ty.desc <- Tsubst t;
    t.desc <-
      begin match desc with
      | Tconstr (p, tl, _) ->
          let abbrevs = proper_abbrevs p tl !abbreviations in
          begin match find_repr p !abbrevs with
            Some ty when repr ty != t -> (* XXX Commentaire... *)
              Tlink ty
          | _ ->
          (*
             One must allocate a new reference, so that abbrevia-
             tions belonging to different branches of a type are
             independent.
             Moreover, a reference containing a [Mcons] must be
             shared, so that the memorized expansion of an abbrevi-
             ation can be released by changing the content of just
             one reference.
          *)
              Tconstr (p, List.map copy tl,
                       ref (match !(!abbreviations) with
                              Mcons _ -> Mlink !abbreviations
                            | abbrev  -> abbrev))
          end
      | Tvariant row0 ->
          let row = row_repr row0 in
          let more = repr row.row_more in
          (* We must substitute in a subtle way *)
          (* Tsubst takes a tuple containing the row var and the variant *)
          begin match more.desc with
            Tsubst {desc = Ttuple [_;ty2]} ->
              (* This variant type has been already copied *)
              ty.desc <- Tsubst ty2; (* avoid Tlink in the new type *)
              Tlink ty2
          | _ ->
              (* If the row variable is not generic, we must keep it *)
              let keep = more.level <> generic_level in
              let more' =
                match more.desc with
                  Tsubst ty -> ty
                | Tconstr _ ->
                    if keep then save_desc more more.desc;
                    copy more
                | Tvar | Tunivar ->
                    save_desc more more.desc;
                    if keep then more else newty more.desc
                |  _ -> assert false
              in
              (* Register new type first for recursion *)
              more.desc <- Tsubst(newgenty(Ttuple[more';t]));
              (* Return a new copy *)
              Tvariant (copy_row copy true row keep more')
          end
      | Tfield (p, k, ty1, ty2) ->
          begin match field_kind_repr k with
            Fabsent  -> Tlink (copy ty2)
          | Fpresent -> copy_type_desc copy desc
          | Fvar r ->
              dup_kind r;
              copy_type_desc copy desc
          end
      | _ -> copy_type_desc copy desc
      end;
    t

(**** Variants of instantiations ****)

let instance sch =
  let ty = copy sch in
  cleanup_types ();
  ty

let instance_list schl =
  let tyl = List.map copy schl in
  cleanup_types ();
  tyl

let instance_constructor cstr =
  let ty_res = copy cstr.cstr_res in
  let ty_args = List.map copy cstr.cstr_args in
  cleanup_types ();
  (ty_args, ty_res)

let instance_parameterized_type sch_args sch =
  let ty_args = List.map copy sch_args in
  let ty = copy sch in
  cleanup_types ();
  (ty_args, ty)

let instance_parameterized_type_2 sch_args sch_lst sch =
  let ty_args = List.map copy sch_args in
  let ty_lst = List.map copy sch_lst in
  let ty = copy sch in
  cleanup_types ();
  (ty_args, ty_lst, ty)

let instance_class params cty =
  let rec copy_class_type =
    function
      Tcty_constr (path, tyl, cty) ->
        Tcty_constr (path, List.map copy tyl, copy_class_type cty)
    | Tcty_signature sign ->
        Tcty_signature
          {cty_self = copy sign.cty_self;
           cty_vars =
             Vars.map (function (m, v, ty) -> (m, v, copy ty)) sign.cty_vars;
           cty_concr = sign.cty_concr;
           cty_inher =
             List.map (fun (p,tl) -> (p, List.map copy tl)) sign.cty_inher}
    | Tcty_fun (l, ty, cty) ->
        Tcty_fun (l, copy ty, copy_class_type cty)
  in
  let params' = List.map copy params in
  let cty' = copy_class_type cty in
  cleanup_types ();
  (params', cty')

(**** Instanciation for types with free universal variables ****)

module TypeHash = Hashtbl.Make(TypeOps)
module TypeSet = Set.Make(TypeOps)

type inv_type_expr =
    { inv_type : type_expr;
      mutable inv_parents : inv_type_expr list }

let rec inv_type hash pty ty =
  let ty = repr ty in
  try
    let inv = TypeHash.find hash ty in
    inv.inv_parents <- pty @ inv.inv_parents
  with Not_found ->
    let inv = { inv_type = ty; inv_parents = pty } in
    TypeHash.add hash ty inv;
    iter_type_expr (inv_type hash [inv]) ty

let compute_univars ty =
  let inverted = TypeHash.create 17 in
  inv_type inverted [] ty;
  let node_univars = TypeHash.create 17 in
  let rec add_univar univ inv =
    match inv.inv_type.desc with
      Tpoly (ty, tl) when List.memq univ (List.map repr tl) -> ()
    | _ ->
        try
          let univs = TypeHash.find node_univars inv.inv_type in
          if not (TypeSet.mem univ !univs) then begin
            univs := TypeSet.add univ !univs;
            List.iter (add_univar univ) inv.inv_parents
          end
        with Not_found ->
          TypeHash.add node_univars inv.inv_type (ref(TypeSet.singleton univ));
          List.iter (add_univar univ) inv.inv_parents
  in
  TypeHash.iter (fun ty inv -> if ty.desc = Tunivar then add_univar ty inv)
    inverted;
  fun ty ->
    try !(TypeHash.find node_univars ty) with Not_found -> TypeSet.empty

let rec diff_list l1 l2 =
  if l1 == l2 then [] else
  match l1 with [] -> invalid_arg "Ctype.diff_list"
  | a :: l1 -> a :: diff_list l1 l2

let conflicts free bound =
  let bound = List.map repr bound in
  TypeSet.exists (fun t -> List.memq (repr t) bound) free

let delayed_copy = ref []
    (* copying to do later *)

(* Copy without sharing until there are no free univars left *)
(* all free univars must be included in [visited]            *)
let rec copy_sep fixed free bound visited ty =
  let ty = repr ty in
  let univars = free ty in
  if TypeSet.is_empty univars then
    if ty.level <> generic_level then ty else
    let t = newvar () in
    delayed_copy :=
      lazy (t.desc <- Tlink (copy ty))
      :: !delayed_copy;
    t
  else try
    let t, bound_t = List.assq ty visited in
    let dl = if ty.desc = Tunivar then [] else diff_list bound bound_t in
    if dl <> [] && conflicts univars dl then raise Not_found;
    t
  with Not_found -> begin
    let t = newvar() in          (* Stub *)
    let visited =
      match ty.desc with
        Tarrow _ | Ttuple _ | Tvariant _ | Tconstr _ | Tobject _ ->
          (ty,(t,bound)) :: visited
      | _ -> visited in
    let copy_rec = copy_sep fixed free bound visited in
    t.desc <-
      begin match ty.desc with
      | Tvariant row0 ->
          let row = row_repr row0 in
          let more = repr row.row_more in
          (* We shall really check the level on the row variable *)
          let keep = more.desc = Tvar && more.level <> generic_level in
          let more' = copy_rec more in
          let fixed' = fixed && (repr more').desc = Tvar in
          let row = copy_row copy_rec fixed' row keep more' in
          Tvariant row
      | Tpoly (t1, tl) ->
          let tl = List.map repr tl in
          let tl' = List.map (fun t -> newty Tunivar) tl in
          let bound = tl @ bound in
          let visited =
            List.map2 (fun ty t -> ty,(t,bound)) tl tl' @ visited in
          Tpoly (copy_sep fixed free bound visited t1, tl')
      | _ -> copy_type_desc copy_rec ty.desc
      end;
    t
  end

let instance_poly fixed univars sch =
  let vars = List.map (fun _ -> newvar ()) univars in
  let pairs = List.map2 (fun u v -> repr u, (v, [])) univars vars in
  delayed_copy := [];
  let ty = copy_sep fixed (compute_univars sch) [] pairs sch in
  List.iter Lazy.force !delayed_copy;
  delayed_copy := [];
  cleanup_types ();
  vars, ty

let instance_label fixed lbl =
  let ty_res = copy lbl.lbl_res in
  let vars, ty_arg =
    match repr lbl.lbl_arg with
      {desc = Tpoly (ty, tl)} ->
        instance_poly fixed tl ty
    | ty ->
        [], copy lbl.lbl_arg
  in
  cleanup_types ();
  (vars, ty_arg, ty_res)

(**** Instantiation with parameter substitution ****)

let unify' = (* Forward declaration *)
  ref (fun env ty1 ty2 -> raise (Unify []))

let rec subst env level abbrev ty params args body =
  if List.length params <> List.length args then raise (Unify []);
  let old_level = !current_level in
  current_level := level;
  try
    let body0 = newvar () in          (* Stub *)
    begin match ty with
      None      -> ()
    | Some ({desc = Tconstr (path, tl, _)} as ty) ->
        let abbrev = proper_abbrevs path tl abbrev in
        memorize_abbrev abbrev path ty body0
    | _ ->
        assert false
    end;
    abbreviations := abbrev;
    let (params', body') = instance_parameterized_type params body in
    abbreviations := ref Mnil;
    !unify' env body0 body';
    List.iter2 (!unify' env) params' args;
    current_level := old_level;
    body'
  with Unify _ as exn ->
    current_level := old_level;
    raise exn

(*
   Only the shape of the type matters, not whether is is generic or
   not. [generic_level] might be somewhat slower, but it ensures
   invariants on types are enforced (decreasing levels.), and we don't
   care about efficiency here.
*)
let apply env params body args =
  try
    subst env generic_level (ref Mnil) None params args body
  with
    Unify _ -> raise Cannot_apply


                              (****************************)
                              (*  Abbreviation expansion  *)
                              (****************************)

(*
   If the environnement has changed, memorized expansions might not
   be correct anymore, and so we flush the cache. This is safe but
   quite pessimistic: it would be enough to flush the cache when a
   type or module definition is overriden in the environnement.
*)
let previous_env = ref Env.empty
let check_abbrev_env env =
  if env != !previous_env then begin
    cleanup_abbrev ();
    previous_env := env
  end

(* Expand an abbreviation. The expansion is memorized. *)
(*
   Assume the level is greater than the path binding time of the
   expanded abbreviation.
*)
(*
   An abbreviation expansion will fail in either of these cases:
   1. The type constructor does not correspond to a manifest type.
   2. The type constructor is defined in an external file, and this
      file is not in the path (missing -I options).
   3. The type constructor is not in the "local" environment. This can
      happens when a non-generic type variable has been instantiated
      afterwards to the not yet defined type constructor. (Actually,
      this cannot happen at the moment due to the strong constraints
      between type levels and constructor binding time.)
   4. The expansion requires the expansion of another abbreviation,
      and this other expansion fails.
*)
let expand_abbrev env ty =
  check_abbrev_env env;
  match ty with
    {desc = Tconstr (path, args, abbrev); level = level} ->
      let lookup_abbrev = proper_abbrevs path args abbrev in
      begin match find_expans path !lookup_abbrev with
        Some ty ->
          if level <> generic_level then
            begin try
              update_level env level ty
            with Unify _ ->
              (* XXX This should not happen.
                 However, levels are not correctly restored after a
                 typing error *)
              ()
            end;
          ty
      | None ->
          let (params, body) =
            try Env.find_type_expansion path env with Not_found ->
              raise Cannot_expand
          in
          let ty' = subst env level abbrev (Some ty) params args body in
          (* Hack to name the variant type *)
          begin match repr ty' with
            {desc=Tvariant row} as ty when static_row row ->
              ty.desc <- Tvariant { row with row_name = Some (path, args) }
          | _ -> ()
          end;
          ty'
      end
  | _ ->
      assert false

let safe_abbrev env ty =
  let snap = Btype.snapshot () in
  try ignore (expand_abbrev env ty); true
  with Cannot_expand | Unify _ ->
    Btype.backtrack snap;
    false

let try_expand_once env ty =
  let ty = repr ty in
  match ty.desc with
    Tconstr _ -> repr (expand_abbrev env ty)
  | _ -> raise Cannot_expand

let _ = try_expand_once' := try_expand_once

(* Fully expand the head of a type.
   Raise Cannot_expand if the type cannot be expanded.
   May raise Unify, if a recursion was hidden in the type. *)
let rec try_expand_head env ty =
  let ty' = try_expand_once env ty in
  begin try
    try_expand_head env ty'
  with Cannot_expand ->
    ty'
  end

(* Expand once the head of a type *)
let expand_head_once env ty =
  try expand_abbrev env (repr ty) with Cannot_expand -> assert false

(* Fully expand the head of a type. *)
let expand_head_unif env ty =
  try try_expand_head env ty with Cannot_expand -> repr ty

let expand_head env ty =
  let snap = Btype.snapshot () in
  try try_expand_head env ty
  with Cannot_expand | Unify _ -> (* expand_head shall never fail *)
    Btype.backtrack snap;
    repr ty

(* Make sure that the type parameters of the type constructor [ty]
   respect the type constraints *)
let enforce_constraints env ty =
  match ty with
    {desc = Tconstr (path, args, abbrev); level = level} ->
      let decl = Env.find_type path env in
      ignore
        (subst env level (ref Mnil) None decl.type_params args (newvar2 level))
  | _ ->
      assert false

(* Recursively expand the head of a type.
   Also expand #-types. *)
let rec full_expand env ty =
  let ty = repr (expand_head env ty) in
  match ty.desc with
    Tobject (fi, {contents = Some (_, v::_)}) when (repr v).desc = Tvar ->
      newty2 ty.level (Tobject (fi, ref None))
  | _ ->
      ty

(*
   Check whether the abbreviation expands to a well-defined type.
   During the typing of a class, abbreviations for correspondings
   types expand to non-generic types.
*)
let generic_abbrev env path =
  try
    let (_, body) = Env.find_type_expansion path env in
    (repr body).level = generic_level
  with
    Not_found ->
      false


                              (*****************)
                              (*  Occur check  *)
                              (*****************)


exception Occur

(* The marks are already used by [expand_abbrev]... *)
let visited = ref []

let rec non_recursive_abbrev env ty0 ty =
  let ty = repr ty in
  if ty == repr ty0 then raise Recursive_abbrev;
  if not (List.memq ty !visited) then begin
    visited := ty :: !visited;
    match ty.desc with
      Tconstr(p, args, abbrev) ->
        begin try
          non_recursive_abbrev env ty0 (try_expand_head env ty)
        with Cannot_expand ->
          if !Clflags.recursive_types then () else
          iter_type_expr (non_recursive_abbrev env ty0) ty
        end
    | Tobject _ | Tvariant _ ->
        ()
    | _ ->
        if !Clflags.recursive_types then () else
        iter_type_expr (non_recursive_abbrev env ty0) ty
  end

let correct_abbrev env path params ty =
  check_abbrev_env env;
  let ty0 = newgenvar () in
  visited := [];
  let abbrev = Mcons (path, ty0, ty0, Mnil) in
  simple_abbrevs := abbrev;
  try
    non_recursive_abbrev env ty0
      (subst env generic_level (ref abbrev) None [] [] ty);
    simple_abbrevs := Mnil;
    visited := []
  with exn ->
    simple_abbrevs := Mnil;
    visited := [];
    raise exn

let rec occur_rec env visited ty0 ty =
  if ty == ty0  then raise Occur;
  match ty.desc with
    Tconstr(p, tl, abbrev) ->
      begin try
        if List.memq ty visited || !Clflags.recursive_types then raise Occur;
        iter_type_expr (occur_rec env (ty::visited) ty0) ty
      with Occur -> try
        let ty' = try_expand_head env ty in
        (* Maybe we could simply make a recursive call here,
           but it seems it could make the occur check loop
           (see change in rev. 1.58) *)
        if ty' == ty0 || List.memq ty' visited then raise Occur;
        match ty'.desc with
          Tobject _ | Tvariant _ -> ()
        | _ ->
            if not !Clflags.recursive_types then
              iter_type_expr (occur_rec env (ty'::visited) ty0) ty'
      with Cannot_expand ->
        if not !Clflags.recursive_types then raise Occur
      end
  | Tobject _ | Tvariant _ ->
      ()
  | _ ->
      if not !Clflags.recursive_types then
        iter_type_expr (occur_rec env visited ty0) ty

let type_changed = ref false (* trace possible changes to the studied type *)

let merge r b = if b then r := true

let occur env ty0 ty =
  let old = !type_changed in
  try
    while type_changed := false; occur_rec env [] ty0 ty; !type_changed
    do () (* prerr_endline "changed" *) done;
    merge type_changed old
  with exn ->
    merge type_changed old;
    raise (match exn with Occur -> Unify [] | _ -> exn)


                   (*****************************)
                   (*  Polymorphic Unification  *)
                   (*****************************)

(* Since we cannot duplicate universal variables, unification must
   be done at meta-level, using bindings in univar_pairs *)
let rec unify_univar t1 t2 = function
    (cl1, cl2) :: rem ->
      let find_univ t cl =
        try
          let (_, r) = List.find (fun (t',_) -> t == repr t') cl in
          Some r
        with Not_found -> None
      in
      begin match find_univ t1 cl1, find_univ t2 cl2 with
        Some {contents=Some t'2}, Some _ when t2 == repr t'2 ->
          ()
      | Some({contents=None} as r1), Some({contents=None} as r2) ->
          set_univar r1 t2; set_univar r2 t1
      | None, None ->
          unify_univar t1 t2 rem
      | _ ->
          raise (Unify [])
      end
  | [] -> raise (Unify [])

module TypeMap = Map.Make (TypeOps)

(* Test the occurence of free univars in a type *)
(* that's way too expansive. Must do some kind of cacheing *)
let occur_univar env ty =
  let visited = ref TypeMap.empty in
  let rec occur_rec bound ty =
    let ty = repr ty in
    if ty.level >= lowest_level &&
      if TypeSet.is_empty bound then
        (ty.level <- pivot_level - ty.level; true)
      else try
        let bound' = TypeMap.find ty !visited in
        if TypeSet.exists (fun x -> not (TypeSet.mem x bound)) bound' then
          (visited := TypeMap.add ty (TypeSet.inter bound bound') !visited;
           true)
        else false
      with Not_found ->
        visited := TypeMap.add ty bound !visited;
        true
    then
      match ty.desc with
        Tunivar ->
          if not (TypeSet.mem ty bound) then raise (Unify [ty, newgenvar()])
      | Tpoly (ty, tyl) ->
          let bound = List.fold_right TypeSet.add (List.map repr tyl) bound in
          occur_rec bound  ty
      | Tconstr (_, [], _) -> ()
      | Tconstr (p, tl, _) ->
          begin try
            let td = Env.find_type p env in
            List.iter2
              (fun t (pos,neg,_) -> if pos || neg then occur_rec bound t)
              tl td.type_variance
          with Not_found ->
            List.iter (occur_rec bound) tl
          end
      | _ -> iter_type_expr (occur_rec bound) ty
  in
  try
    occur_rec TypeSet.empty ty; unmark_type ty
  with exn ->
    unmark_type ty; raise exn

(* Grouping univars by families according to their binders *)
let add_univars =
  List.fold_left (fun s (t,_) -> TypeSet.add (repr t) s)

let get_univar_family univar_pairs univars =
  if univars = [] then TypeSet.empty else
  let rec insert s = function
      cl1, (_::_ as cl2) ->
        if List.exists (fun (t1,_) -> TypeSet.mem (repr t1) s) cl1 then
          add_univars s cl2
        else s
    | _ -> s
  in
  let s = List.fold_right TypeSet.add univars TypeSet.empty in
  List.fold_left insert s univar_pairs

(* Whether a family of univars escapes from a type *)
let univars_escape env univar_pairs vl ty =
  let family = get_univar_family univar_pairs vl in
  let visited = ref TypeSet.empty in
  let rec occur t =
    let t = repr t in
    if TypeSet.mem t !visited then () else begin
      visited := TypeSet.add t !visited;
      match t.desc with
        Tpoly (t, tl) ->
          if List.exists (fun t -> TypeSet.mem (repr t) family) tl then ()
          else occur t
      | Tunivar ->
          if TypeSet.mem t family then raise Occur
      | Tconstr (_, [], _) -> ()
      | Tconstr (p, tl, _) ->
          begin try
            let td = Env.find_type p env in
            List.iter2 (fun t (pos,neg,_) -> if pos || neg then occur t)
              tl td.type_variance
          with Not_found ->
            List.iter occur tl
          end
      | _ ->
          iter_type_expr occur t
    end
  in
  try occur ty; false with Occur -> true

(* Wrapper checking that no variable escapes and updating univar_pairs *)
let enter_poly env univar_pairs t1 tl1 t2 tl2 f =
  let old_univars = !univar_pairs in
  let known_univars =
    List.fold_left (fun s (cl,_) -> add_univars s cl)
      TypeSet.empty old_univars
  in
  let tl1 = List.map repr tl1 and tl2 = List.map repr tl2 in
  if List.exists (fun t -> TypeSet.mem t known_univars) tl1 &&
    univars_escape env old_univars tl1 (newty(Tpoly(t2,tl2)))
  || List.exists (fun t -> TypeSet.mem t known_univars) tl2 &&
    univars_escape env old_univars tl2 (newty(Tpoly(t1,tl1)))
  then raise (Unify []);
  let cl1 = List.map (fun t -> t, ref None) tl1
  and cl2 = List.map (fun t -> t, ref None) tl2 in
  univar_pairs := (cl1,cl2) :: (cl2,cl1) :: old_univars;
  try let res = f t1 t2 in univar_pairs := old_univars; res
  with exn -> univar_pairs := old_univars; raise exn

let univar_pairs = ref []


                              (*****************)
                              (*  Unification  *)
                              (*****************)



let rec has_cached_expansion p abbrev =
  match abbrev with
    Mnil                   -> false
  | Mcons(p', _, _, rem)   -> Path.same p p' || has_cached_expansion p rem
  | Mlink rem              -> has_cached_expansion p !rem

(**** Transform error trace ****)
(* +++ Move it to some other place ? *)

let expand_trace env trace =
  List.fold_right
    (fun (t1, t2) rem ->
       (repr t1, full_expand env t1)::(repr t2, full_expand env t2)::rem)
    trace []

(* build a dummy variant type *)
let mkvariant fields closed =
  newgenty
    (Tvariant
       {row_fields = fields; row_closed = closed; row_more = newvar();
        row_bound = []; row_fixed = false; row_name = None })

(**** Unification ****)

(* Return whether [t0] occurs in [ty]. Objects are also traversed. *)
let deep_occur t0 ty =
  let rec occur_rec ty =
    let ty = repr ty in
    if ty.level >= lowest_level then begin
      if ty == t0 then raise Occur;
      ty.level <- pivot_level - ty.level;
      iter_type_expr occur_rec ty
    end
  in
  try
    occur_rec ty; unmark_type ty; false
  with Occur ->
    unmark_type ty; true

(*
   1. When unifying two non-abbreviated types, one type is made a link
      to the other. When unifying an abbreviated type with a
      non-abbreviated type, the non-abbreviated type is made a link to
      the other one. When unifying to abbreviated types, these two
      types are kept distincts, but they are made to (temporally)
      expand to the same type.
   2. Abbreviations with at least one parameter are systematically
      expanded. The overhead does not seem to high, and that way
      abbreviations where some parameters does not appear in the
      expansion, such as ['a t = int], are correctly handled. In
      particular, for this example, unifying ['a t] with ['b t] keeps
      ['a] and ['b] distincts. (Is it really important ?)
   3. Unifying an abbreviation ['a t = 'a] with ['a] should not yield
      ['a t as 'a]. Indeed, the type variable would otherwise be lost.
      This problem occurs for abbreviations expanding to a type
      variable, but also to many other constrained abbreviations (for
      instance, [(< x : 'a > -> unit) t = ]). The solution is
      that, if an abbreviation is unified with some subpart of its
      parameters, then the parameter actually does not get
      abbreviated.  It would be possible to check whether some
      information is indeed lost, but it probably does not worth it.
*)
let rec unify env t1 t2 =
  (* First step: special cases (optimizations) *)
  if t1 == t2 then () else
  let t1 = repr t1 in
  let t2 = repr t2 in
  if t1 == t2 then () else

  try
    type_changed := true;
    match (t1.desc, t2.desc) with
      (Tvar, Tconstr _) when deep_occur t1 t2 ->
        unify2 env t1 t2
    | (Tconstr _, Tvar) when deep_occur t2 t1 ->
        unify2 env t1 t2
    | (Tvar, _) ->
        occur env t1 t2; occur_univar env t2;
        update_level env t1.level t2;
        link_type t1 t2
    | (_, Tvar) ->
        occur env t2 t1; occur_univar env t1;
        update_level env t2.level t1;
        link_type t2 t1
    | (Tunivar, Tunivar) ->
        unify_univar t1 t2 !univar_pairs;
        update_level env t1.level t2;
        link_type t1 t2
    | (Tconstr (p1, [], a1), Tconstr (p2, [], a2))
          when Path.same p1 p2
            (* This optimization assumes that t1 does not expand to t2
               (and conversely), so we fall back to the general case
               when any of the types has a cached expansion. *)
            && not (has_cached_expansion p1 !a1
                 || has_cached_expansion p2 !a2) ->
        update_level env t1.level t2;
        link_type t1 t2
    | _ ->
        unify2 env t1 t2
  with Unify trace ->
    raise (Unify ((t1, t2)::trace))

and unify2 env t1 t2 =
  (* Second step: expansion of abbreviations *)
  let rec expand_both t1'' t2'' =
    let t1' = expand_head_unif env t1 in
    let t2' = expand_head_unif env t2 in
    (* Expansion may have changed the representative of the types... *)
    if t1' == t1'' && t2' == t2'' then (t1',t2') else
    expand_both t1' t2'
  in
  let t1', t2' = expand_both t1 t2 in
  if t1' == t2' then () else

  let t1 = repr t1 and t2 = repr t2 in
  if (t1 == t1') || (t2 != t2') then
    unify3 env t1 t1' t2 t2'
  else
    try unify3 env t2 t2' t1 t1' with Unify trace ->
      raise (Unify (List.map (fun (x, y) -> (y, x)) trace))

and unify3 env t1 t1' t2 t2' =
  (* Third step: truly unification *)
  (* Assumes either [t1 == t1'] or [t2 != t2'] *)
  let d1 = t1'.desc and d2 = t2'.desc in

  let create_recursion = (t2 != t2') && (deep_occur t1' t2) in
  occur env t1' t2;
  update_level env t1'.level t2;
  link_type t1' t2;

  try
    begin match (d1, d2) with
      (Tvar, _) ->
        occur_univar env t2
    | (_, Tvar) ->
        let td1 = newgenty d1 in
        occur env t2' td1;
        occur_univar env td1;
        if t1 == t1' then begin
          (* The variable must be instantiated... *)
          let ty = newty2 t1'.level d1 in
          update_level env t2'.level ty;
          link_type t2' ty
        end else begin
          log_type t1';
          t1'.desc <- d1;
          update_level env t2'.level t1;
          link_type t2' t1
        end
    | (Tarrow (l1, t1, u1, c1), Tarrow (l2, t2, u2, c2)) when l1 = l2
      || !Clflags.classic && not (is_optional l1 || is_optional l2) ->
        unify env t1 t2; unify env u1 u2;
        begin match commu_repr c1, commu_repr c2 with
          Clink r, c2 -> set_commu r c2
        | c1, Clink r -> set_commu r c1
        | _ -> ()
        end
    | (Ttuple tl1, Ttuple tl2) ->
        unify_list env tl1 tl2
    | (Tconstr (p1, tl1, _), Tconstr (p2, tl2, _)) when Path.same p1 p2 ->
        unify_list env tl1 tl2
    | (Tobject (fi1, nm1), Tobject (fi2, _)) ->
        unify_fields env fi1 fi2;
        (* Type [t2'] may have been instantiated by [unify_fields] *)
        (* XXX One should do some kind of unification... *)
        begin match (repr t2').desc with
          Tobject (_, {contents = Some (_, va::_)})
          when let va = repr va in List.mem va.desc [Tvar; Tunivar; Tnil] ->
            ()
        | Tobject (_, nm2) ->
            set_name nm2 !nm1
        | _ ->
            ()
        end
    | (Tvariant row1, Tvariant row2) ->
        unify_row env row1 row2
    | (Tfield _, Tfield _) ->           (* Actually unused *)
        unify_fields env t1' t2'
    | (Tfield(f,kind,_,rem), Tnil) | (Tnil, Tfield(f,kind,_,rem)) ->
        begin match field_kind_repr kind with
          Fvar r when f <> dummy_method -> set_kind r Fabsent
        | _      -> raise (Unify [])
        end
    | (Tnil, Tnil) ->
        ()
    | (Tpoly (t1, []), Tpoly (t2, [])) ->
        unify env t1 t2
    | (Tpoly (t1, tl1), Tpoly (t2, tl2)) ->
        enter_poly env univar_pairs t1 tl1 t2 tl2 (unify env)
    | (_, _) ->
        raise (Unify [])
    end;

(* XXX Commentaires + changer "create_recursion" *)
    if create_recursion then begin
      match t2.desc with
        Tconstr (p, tl, abbrev) ->
          forget_abbrev abbrev p;
          let t2'' = expand_head_unif env t2 in
          if not (closed_parameterized_type tl t2'') then
            link_type (repr t2) (repr t2')
      | _ ->
          () (* t2 has already been expanded by update_level *)
    end

(*
    (*
       Can only be done afterwards, once the row variable has
       (possibly) been instantiated.
    *)
    if t1 != t1' (* && t2 != t2' *) then begin
      match (t1.desc, t2.desc) with
        (Tconstr (p, ty::_, _), _)
            when ((repr ty).desc <> Tvar)
              && weak_abbrev p
              && not (deep_occur t1 t2) ->
          update_level env t1.level t2;
          link_type t1 t2
      | (_, Tconstr (p, ty::_, _))
            when ((repr ty).desc <> Tvar)
              && weak_abbrev p
              && not (deep_occur t2 t1) ->
          update_level env t2.level t1;
          link_type t2 t1;
          link_type t1' t2'
      | _ ->
          ()
    end
*)
  with Unify trace ->
    t1'.desc <- d1;
    raise (Unify trace)

and unify_list env tl1 tl2 =
  if List.length tl1 <> List.length tl2 then
    raise (Unify []);
  List.iter2 (unify env) tl1 tl2

and unify_fields env ty1 ty2 =          (* Optimization *)
  let (fields1, rest1) = flatten_fields ty1
  and (fields2, rest2) = flatten_fields ty2 in
  let (pairs, miss1, miss2) = associate_fields fields1 fields2 in
  let l1 = (repr ty1).level and l2 = (repr ty2).level in
  let va =
    if miss1 = [] then rest2
    else if miss2 = [] then rest1
    else newty2 (min l1 l2) Tvar
  in
  let d1 = rest1.desc and d2 = rest2.desc in
  try
    unify env (build_fields l1 miss1 va) rest2;
    unify env rest1 (build_fields l2 miss2 va);
    List.iter
      (fun (n, k1, t1, k2, t2) ->
        unify_kind k1 k2;
        try unify env t1 t2 with Unify trace ->
          raise (Unify ((newty (Tfield(n, k1, t1, va)),
                         newty (Tfield(n, k2, t2, va)))::trace)))
      pairs
  with exn ->
    log_type rest1; rest1.desc <- d1;
    log_type rest2; rest2.desc <- d2;
    raise exn

and unify_kind k1 k2 =
  let k1 = field_kind_repr k1 in
  let k2 = field_kind_repr k2 in
  if k1 == k2 then () else
  match k1, k2 with
    (Fvar r, (Fvar _ | Fpresent)) -> set_kind r k2
  | (Fpresent, Fvar r)            -> set_kind r k1
  | (Fpresent, Fpresent)          -> ()
  | _                             -> assert false

and unify_pairs env tpl =
  List.iter (fun (t1, t2) -> unify env t1 t2) tpl

and unify_row env row1 row2 =
  let row1 = row_repr row1 and row2 = row_repr row2 in
  let rm1 = row_more row1 and rm2 = row_more row2 in
  if rm1 == rm2 then () else
  let r1, r2, pairs = merge_row_fields row1.row_fields row2.row_fields in
  if r1 <> [] && r2 <> [] then begin
    let ht = Hashtbl.create (List.length r1) in
    List.iter (fun (l,_) -> Hashtbl.add ht (hash_variant l) l) r1;
    List.iter
      (fun (l,_) ->
        try raise (Tags(l, Hashtbl.find ht (hash_variant l)))
        with Not_found -> ())
      r2
  end;
  let more =
    if row1.row_fixed then rm1 else
    if row2.row_fixed then rm2 else
    newgenvar ()
  in update_level env (min rm1.level rm2.level) more;
  let fixed = row1.row_fixed || row2.row_fixed
  and closed = row1.row_closed || row2.row_closed in
  let keep switch =
    List.for_all
      (fun (_,f1,f2) ->
        let f1, f2 = switch f1 f2 in
        row_field_repr f1 = Rabsent || row_field_repr f2 <> Rabsent)
      pairs
  in
  let empty fields =
    List.for_all (fun (_,f) -> row_field_repr f = Rabsent) fields in
  (* Check whether we are going to build an empty type *)
  if closed && (empty r1 || row2.row_closed) && (empty r2 || row1.row_closed)
  && List.for_all
      (fun (_,f1,f2) ->
        row_field_repr f1 = Rabsent || row_field_repr f2 = Rabsent)
      pairs
  then raise (Unify [mkvariant [] true, mkvariant [] true]);
  let name =
    if row1.row_name <> None && (row1.row_closed || empty r2) &&
      (not row2.row_closed || keep (fun f1 f2 -> f1, f2) && empty r1)
    then row1.row_name
    else if row2.row_name <> None && (row2.row_closed || empty r1) &&
      (not row1.row_closed || keep (fun f1 f2 -> f2, f1) && empty r2)
    then row2.row_name
    else None
  in
  let bound = row1.row_bound @ row2.row_bound in
  let row0 = {row_fields = []; row_more = more; row_bound = bound;
              row_closed = closed; row_fixed = fixed; row_name = name} in
  let set_more row rest =
    let rest =
      if closed then
        filter_row_fields row.row_closed rest
      else rest in
    if rest <> [] && (row.row_closed || row.row_fixed)
    || closed && row.row_fixed && not row.row_closed then begin
      let t1 = mkvariant [] true and t2 = mkvariant rest false in
      raise (Unify [if row == row1 then (t1,t2) else (t2,t1)])
    end;
    let rm = row_more row in
    if row.row_fixed then
      if row0.row_more == rm then () else
      if rm.desc = Tvar then link_type rm row0.row_more else
      unify env rm row0.row_more
    else
      let ty = newty2 generic_level (Tvariant {row0 with row_fields = rest}) in
      update_level env rm.level ty;
      link_type rm ty
  in
  let md1 = rm1.desc and md2 = rm2.desc in
  begin try
    set_more row2 r1;
    set_more row1 r2;
    List.iter
      (fun (l,f1,f2) ->
        try unify_row_field env row1.row_fixed row2.row_fixed l f1 f2
        with Unify trace ->
          raise (Unify ((mkvariant [l,f1] true,
                         mkvariant [l,f2] true) :: trace)))
      pairs;
  with exn ->
    log_type rm1; rm1.desc <- md1; log_type rm2; rm2.desc <- md2; raise exn
  end

and unify_row_field env fixed1 fixed2 l f1 f2 =
  let f1 = row_field_repr f1 and f2 = row_field_repr f2 in
  if f1 == f2 then () else
  match f1, f2 with
    Rpresent(Some t1), Rpresent(Some t2) -> unify env t1 t2
  | Rpresent None, Rpresent None -> ()
  | Reither(c1, tl1, m1, e1), Reither(c2, tl2, m2, e2) ->
      if e1 == e2 then () else
      let redo =
        (m1 || m2) &&
        begin match tl1 @ tl2 with [] -> false
        | t1 :: tl ->
            if c1 || c2 then raise (Unify []);
            List.iter (unify env t1) tl;
            !e1 <> None || !e2 <> None
        end in
      if redo then unify_row_field env fixed1 fixed2 l f1 f2 else
      let tl1 = List.map repr tl1 and tl2 = List.map repr tl2 in
      let rec remq tl = function [] -> []
        | ty :: tl' ->
            if List.memq ty tl then remq tl tl' else ty :: remq tl tl'
      in
      let tl2' = remq tl2 tl1 and tl1' = remq tl1 tl2 in
      let e = ref None in
      let f1' = Reither(c1 || c2, tl1', m1 || m2, e)
      and f2' = Reither(c1 || c2, tl2', m1 || m2, e) in
      set_row_field e1 f1'; set_row_field e2 f2';
  | Reither(_, _, false, e1), Rabsent -> set_row_field e1 f2
  | Rabsent, Reither(_, _, false, e2) -> set_row_field e2 f1
  | Rabsent, Rabsent -> ()
  | Reither(false, tl, _, e1), Rpresent(Some t2) when not fixed1 ->
      set_row_field e1 f2;
      (try List.iter (fun t1 -> unify env t1 t2) tl
      with exn -> e1 := None; raise exn)
  | Rpresent(Some t1), Reither(false, tl, _, e2) when not fixed2 ->
      set_row_field e2 f1;
      (try List.iter (unify env t1) tl
      with exn -> e2 := None; raise exn)
  | Reither(true, [], _, e1), Rpresent None when not fixed1 ->
      set_row_field e1 f2
  | Rpresent None, Reither(true, [], _, e2) when not fixed2 ->
      set_row_field e2 f1
  | _ -> raise (Unify [])


let unify env ty1 ty2 =
  try
    unify env ty1 ty2
  with Unify trace ->
    raise (Unify (expand_trace env trace))

let unify_var env t1 t2 =
  let t1 = repr t1 and t2 = repr t2 in
  if t1 == t2 then () else
  match t1.desc with
    Tvar ->
      begin try
        occur env t1 t2;
        update_level env t1.level t2;
        link_type t1 t2
      with Unify trace ->
        raise (Unify (expand_trace env ((t1,t2)::trace)))
      end
  | _ ->
      unify env t1 t2

let _ = unify' := unify_var

let unify_pairs env ty1 ty2 pairs =
  univar_pairs := pairs;
  unify env ty1 ty2

let unify env ty1 ty2 =
  univar_pairs := [];
  unify env ty1 ty2


(**** Special cases of unification ****)

(*
   Unify [t] and [l:'a -> 'b]. Return ['a] and ['b].
   In label mode, label mismatch is accepted when
   (1) the requested label is ""
   (2) the original label is not optional
*)
let rec filter_arrow env t l =
  let t = expand_head_unif env t in
  match t.desc with
    Tvar ->
      let t1 = newvar () and t2 = newvar () in
      let t' = newty (Tarrow (l, t1, t2, Cok)) in
      update_level env t.level t';
      link_type t t';
      (t1, t2)
  | Tarrow(l', t1, t2, _)
    when l = l' || !Clflags.classic && l = "" && not (is_optional l') ->
      (t1, t2)
  | _ ->
      raise (Unify [])

(* Used by [filter_method]. *)
let rec filter_method_field env name priv ty =
  let ty = repr ty in
  match ty.desc with
    Tvar ->
      let level = ty.level in
      let ty1 = newvar2 level and ty2 = newvar2 level in
      let ty' = newty2 level (Tfield (name,
                                      begin match priv with
                                        Private -> Fvar (ref None)
                                      | Public  -> Fpresent
                                      end,
                                      ty1, ty2))
      in
      link_type ty ty';
      ty1
  | Tfield(n, kind, ty1, ty2) ->
      let kind = field_kind_repr kind in
      if (n = name) && (kind <> Fabsent) then begin
        if priv = Public then
          unify_kind kind Fpresent;
        ty1
      end else
        filter_method_field env name priv ty2
  | _ ->
      raise (Unify [])

(* Unify [ty] and [< name : 'a; .. >]. Return ['a]. *)
let rec filter_method env name priv ty =
  let ty = expand_head_unif env ty in
  match ty.desc with
    Tvar ->
      let ty1 = newvar () in
      let ty' = newobj ty1 in
      update_level env ty.level ty';
      link_type ty ty';
      filter_method_field env name priv ty1
  | Tobject(f, _) ->
      filter_method_field env name priv f
  | _ ->
      raise (Unify [])

let check_filter_method env name priv ty =
  ignore(filter_method env name priv ty)

let filter_self_method env lab priv meths ty =
  let ty' = filter_method env lab priv ty in
  try
    Meths.find lab !meths
  with Not_found ->
    let pair = (Ident.create lab, ty') in
    meths := Meths.add lab pair !meths;
    pair


                        (***********************************)
                        (*  Matching between type schemes  *)
                        (***********************************)

(*
   Update the level of [ty]. First check that the levels of generic
   variables from the subject are not lowered.
*)
let moregen_occur env level ty =
  let rec occur ty =
    let ty = repr ty in
    if ty.level > level then begin
      if ty.desc = Tvar && ty.level >= generic_level - 1 then raise Occur;
      ty.level <- pivot_level - ty.level;
      match ty.desc with
        Tvariant row when static_row row ->
          iter_row occur row
      | _ ->
          iter_type_expr occur ty
    end
  in
  begin try
    occur ty; unmark_type ty
  with Occur ->
    unmark_type ty; raise (Unify [])
  end;
  (* also check for free univars *)
  occur_univar env ty;
  update_level env level ty

let rec moregen inst_nongen type_pairs env t1 t2 =
  if t1 == t2 then () else
  let t1 = repr t1 in
  let t2 = repr t2 in
  if t1 == t2 then () else

  try
    match (t1.desc, t2.desc) with
      (Tunivar, Tunivar) ->
        unify_univar t1 t2 !univar_pairs
    | (Tvar, _) when if inst_nongen then t1.level <> generic_level - 1
                                    else t1.level =  generic_level ->
        moregen_occur env t1.level t2;
        occur env t1 t2;
        link_type t1 t2
    | (Tconstr (p1, [], _), Tconstr (p2, [], _)) when Path.same p1 p2 ->
        ()
    | _ ->
        let t1' = expand_head_unif env t1 in
        let t2' = expand_head_unif env t2 in
        (* Expansion may have changed the representative of the types... *)
        let t1' = repr t1' and t2' = repr t2' in
        if t1' == t2' then () else
        begin try
          TypePairs.find type_pairs (t1', t2')
        with Not_found ->
          TypePairs.add type_pairs (t1', t2') ();
          match (t1'.desc, t2'.desc) with
            (Tvar, _) when if inst_nongen then t1'.level <> generic_level - 1
                                          else t1'.level =  generic_level ->
              moregen_occur env t1'.level t2;
              link_type t1' t2
          | (Tarrow (l1, t1, u1, _), Tarrow (l2, t2, u2, _)) when l1 = l2
            || !Clflags.classic && not (is_optional l1 || is_optional l2) ->
              moregen inst_nongen type_pairs env t1 t2;
              moregen inst_nongen type_pairs env u1 u2
          | (Ttuple tl1, Ttuple tl2) ->
              moregen_list inst_nongen type_pairs env tl1 tl2
          | (Tconstr (p1, tl1, _), Tconstr (p2, tl2, _))
                when Path.same p1 p2 ->
              moregen_list inst_nongen type_pairs env tl1 tl2
          | (Tvariant row1, Tvariant row2) ->
              moregen_row inst_nongen type_pairs env row1 row2
          | (Tobject (fi1, nm1), Tobject (fi2, nm2)) ->
              moregen_fields inst_nongen type_pairs env fi1 fi2
          | (Tfield _, Tfield _) ->           (* Actually unused *)
              moregen_fields inst_nongen type_pairs env t1' t2'
          | (Tnil, Tnil) ->
              ()
          | (Tpoly (t1, []), Tpoly (t2, [])) ->
              moregen inst_nongen type_pairs env t1 t2
          | (Tpoly (t1, tl1), Tpoly (t2, tl2)) ->
              enter_poly env univar_pairs t1 tl1 t2 tl2
                (moregen inst_nongen type_pairs env)
          | (_, _) ->
              raise (Unify [])
        end
  with Unify trace ->
    raise (Unify ((t1, t2)::trace))

and moregen_list inst_nongen type_pairs env tl1 tl2 =
  if List.length tl1 <> List.length tl2 then
    raise (Unify []);
  List.iter2 (moregen inst_nongen type_pairs env) tl1 tl2

and moregen_fields inst_nongen type_pairs env ty1 ty2 =
  let (fields1, rest1) = flatten_fields ty1
  and (fields2, rest2) = flatten_fields ty2 in
  let (pairs, miss1, miss2) = associate_fields fields1 fields2 in
  if miss1 <> [] then raise (Unify []);
  moregen inst_nongen type_pairs env rest1
    (build_fields (repr ty2).level miss2 rest2);
  List.iter
    (fun (n, k1, t1, k2, t2) ->
       moregen_kind k1 k2;
       try moregen inst_nongen type_pairs env t1 t2 with Unify trace ->
         raise (Unify ((newty (Tfield(n, k1, t1, rest2)),
                        newty (Tfield(n, k2, t2, rest2)))::trace)))
    pairs

and moregen_kind k1 k2 =
  let k1 = field_kind_repr k1 in
  let k2 = field_kind_repr k2 in
  if k1 == k2 then () else
  match k1, k2 with
    (Fvar r, (Fvar _ | Fpresent))  -> set_kind r k2
  | (Fpresent, Fpresent)           -> ()
  | _                              -> raise (Unify [])

and moregen_row inst_nongen type_pairs env row1 row2 =
  let row1 = row_repr row1 and row2 = row_repr row2 in
  let r1, r2, pairs = merge_row_fields row1.row_fields row2.row_fields in
  let r1, r2 =
    if row2.row_closed then
      filter_row_fields true r1, filter_row_fields false r2
    else r1, r2
  in
  if r1 <> [] || row1.row_closed && (not row2.row_closed || r2 <> [])
  then raise (Unify []);
  let rm1 = repr row1.row_more and rm2 = repr row2.row_more in
  let univ =
    match rm1.desc, rm2.desc with
      Tunivar, Tunivar ->
        unify_univar rm1 rm2 !univar_pairs;
        true
    | Tunivar, _ | _, Tunivar ->
        raise (Unify [])
    | _ ->
        if not (static_row row2) then moregen_occur env rm1.level rm2;
        let ext =
          if r2 = [] then rm2 else
          let row_ext = {row2 with row_fields = r2} in
          iter_row (moregen_occur env rm1.level) row_ext;
          newty2 rm1.level (Tvariant row_ext)
        in
        if ext != rm1 then link_type rm1 ext;
        false
  in
  List.iter
    (fun (l,f1,f2) ->
      let f1 = row_field_repr f1 and f2 = row_field_repr f2 in
      if f1 == f2 then () else
      match f1, f2 with
        Rpresent(Some t1), Rpresent(Some t2) ->
          moregen inst_nongen type_pairs env t1 t2
      | Rpresent None, Rpresent None -> ()
      | Reither(false, tl1, _, e1), Rpresent(Some t2) when not univ ->
          set_row_field e1 f2;
          List.iter (fun t1 -> moregen inst_nongen type_pairs env t1 t2) tl1
      | Reither(c1, tl1, _, e1), Reither(c2, tl2, m2, e2) ->
          if e1 != e2 then begin
            if c1 && not c2 then raise(Unify []);
            set_row_field e1 (Reither (c2, [], m2, e2));
            if List.length tl1 = List.length tl2 then
              List.iter2 (moregen inst_nongen type_pairs env) tl1 tl2
            else match tl2 with
              t2 :: _ ->
                List.iter (fun t1 -> moregen inst_nongen type_pairs env t1 t2)
                  tl1
            | [] ->
                if tl1 <> [] then raise (Unify [])
          end
      | Reither(true, [], _, e1), Rpresent None when not univ ->
          set_row_field e1 f2
      | Reither(_, _, _, e1), Rabsent when not univ ->
          set_row_field e1 f2
      | Rabsent, Rabsent -> ()
      | _ -> raise (Unify []))
    pairs

(* Must empty univar_pairs first *)
let moregen inst_nongen type_pairs env patt subj =
  univar_pairs := [];
  moregen inst_nongen type_pairs env patt subj

(*
   Non-generic variable can be instanciated only if [inst_nongen] is
   true. So, [inst_nongen] should be set to false if the subject might
   contain non-generic variables (and we do not want them to be
   instanciated).
   Usually, the subject is given by the user, and the pattern
   is unimportant.  So, no need to propagate abbreviations.
*)
let moregeneral env inst_nongen pat_sch subj_sch =
  let old_level = !current_level in
  current_level := generic_level - 1;
  (*
     Generic variables are first duplicated with [instance].  So,
     their levels are lowered to [generic_level - 1].  The subject is
     then copied with [duplicate_type].  That way, its levels won't be
     changed.
  *)
  let subj = duplicate_type (instance subj_sch) in
  current_level := generic_level;
  (* Duplicate generic variables *)
  let patt = instance pat_sch in
  let res =
    try moregen inst_nongen (TypePairs.create 13) env patt subj; true with
      Unify _ -> false
  in
  current_level := old_level;
  res


(* Alternative approach: "rigidify" a type scheme,
   and check validity after unification *)
(* Simpler, no? *)

let rec rigidify_rec vars ty =
  let ty = repr ty in
  if ty.level >= lowest_level then begin
    ty.level <- pivot_level - ty.level;
    match ty.desc with
    | Tvar ->
        if not (List.memq ty !vars) then vars := ty :: !vars
    | Tvariant row ->
        let row = row_repr row in
        let more = repr row.row_more in
        if more.desc = Tvar && not row.row_fixed then begin
          let more' = newty2 more.level Tvar in
          let row' = {row with row_fixed=true; row_fields=[]; row_more=more'}
          in link_type more (newty2 ty.level (Tvariant row'))
        end;
        iter_row (rigidify_rec vars) row;
        (* only consider the row variable if the variant is not static *)
        if not (static_row row) then rigidify_rec vars (row_more row)
    | _ ->
        iter_type_expr (rigidify_rec vars) ty
  end

let rigidify ty =
  let vars = ref [] in
  rigidify_rec vars ty;
  unmark_type ty;
  !vars

let all_distinct_vars env vars =
  let tyl = ref [] in
  List.for_all
    (fun ty ->
      let ty = expand_head env ty in
      if List.memq ty !tyl then false else
      (tyl := ty :: !tyl; ty.desc = Tvar))
    vars

let matches env ty ty' =
  let snap = snapshot () in
  let vars = rigidify ty in
  cleanup_abbrev ();
  let ok =
    try unify env ty ty'; all_distinct_vars env vars
    with Unify _ -> false
  in
  backtrack snap;
  ok


                 (*********************************************)
                 (*  Equivalence between parameterized types  *)
                 (*********************************************)

let normalize_subst subst =
  if List.exists
      (function {desc=Tlink _}, _ | _, {desc=Tlink _} -> true | _ -> false)
      !subst
  then subst := List.map (fun (t1,t2) -> repr t1, repr t2) !subst

let rec eqtype rename type_pairs subst env t1 t2 =
  if t1 == t2 then () else
  let t1 = repr t1 in
  let t2 = repr t2 in
  if t1 == t2 then () else

  try
    match (t1.desc, t2.desc) with
      (Tvar, Tvar) when rename ->
        begin try
          normalize_subst subst;
          if List.assq t1 !subst != t2 then raise (Unify [])
        with Not_found ->
          subst := (t1, t2) :: !subst
        end
    | (Tconstr (p1, [], _), Tconstr (p2, [], _)) when Path.same p1 p2 ->
        ()
    | _ ->
        let t1' = expand_head_unif env t1 in
        let t2' = expand_head_unif env t2 in
        (* Expansion may have changed the representative of the types... *)
        let t1' = repr t1' and t2' = repr t2' in
        if t1' == t2' then () else
        begin try
          TypePairs.find type_pairs (t1', t2')
        with Not_found ->
          TypePairs.add type_pairs (t1', t2') ();
          match (t1'.desc, t2'.desc) with
            (Tvar, Tvar) when rename ->
              begin try
                normalize_subst subst;
                if List.assq t1' !subst != t2' then raise (Unify [])
              with Not_found ->
                subst := (t1', t2') :: !subst
              end
          | (Tarrow (l1, t1, u1, _), Tarrow (l2, t2, u2, _)) when l1 = l2
            || !Clflags.classic && not (is_optional l1 || is_optional l2) ->
              eqtype rename type_pairs subst env t1 t2;
              eqtype rename type_pairs subst env u1 u2;
          | (Ttuple tl1, Ttuple tl2) ->
              eqtype_list rename type_pairs subst env tl1 tl2
          | (Tconstr (p1, tl1, _), Tconstr (p2, tl2, _))
                when Path.same p1 p2 ->
              eqtype_list rename type_pairs subst env tl1 tl2
          | (Tvariant row1, Tvariant row2) ->
              eqtype_row rename type_pairs subst env row1 row2
          | (Tobject (fi1, nm1), Tobject (fi2, nm2)) ->
              eqtype_fields rename type_pairs subst env fi1 fi2
          | (Tfield _, Tfield _) ->       (* Actually unused *)
              eqtype_fields rename type_pairs subst env t1' t2'
          | (Tnil, Tnil) ->
              ()
          | (Tpoly (t1, []), Tpoly (t2, [])) ->
              eqtype rename type_pairs subst env t1 t2
          | (Tpoly (t1, tl1), Tpoly (t2, tl2)) ->
              enter_poly env univar_pairs t1 tl1 t2 tl2
                (eqtype rename type_pairs subst env)
          | (Tunivar, Tunivar) ->
              unify_univar t1' t2' !univar_pairs
          | (_, _) ->
              raise (Unify [])
        end
  with Unify trace ->
    raise (Unify ((t1, t2)::trace))

and eqtype_list rename type_pairs subst env tl1 tl2 =
  if List.length tl1 <> List.length tl2 then
    raise (Unify []);
  List.iter2 (eqtype rename type_pairs subst env) tl1 tl2

and eqtype_fields rename type_pairs subst env ty1 ty2 =
  let (fields2, rest2) = flatten_fields ty2 in
  (* Try expansion, needed when called from Includecore.type_manifest *)
  try match try_expand_head env rest2 with
    {desc=Tobject(ty2,_)} -> eqtype_fields rename type_pairs subst env ty1 ty2
  | _ -> raise Cannot_expand
  with Cannot_expand ->
  let (fields1, rest1) = flatten_fields ty1 in
  let (pairs, miss1, miss2) = associate_fields fields1 fields2 in
  eqtype rename type_pairs subst env rest1 rest2;
  if (miss1 <> []) || (miss2 <> []) then raise (Unify []);
  List.iter
    (function (n, k1, t1, k2, t2) ->
       eqtype_kind k1 k2;
       try eqtype rename type_pairs subst env t1 t2 with Unify trace ->
         raise (Unify ((newty (Tfield(n, k1, t1, rest2)),
                        newty (Tfield(n, k2, t2, rest2)))::trace)))
    pairs

and eqtype_kind k1 k2 =
  let k1 = field_kind_repr k1 in
  let k2 = field_kind_repr k2 in
  match k1, k2 with
    (Fvar _, Fvar _)
  | (Fpresent, Fpresent) -> ()
  | _                    -> raise (Unify [])

and eqtype_row rename type_pairs subst env row1 row2 =
  (* Try expansion, needed when called from Includecore.type_manifest *)
  try match try_expand_head env (row_more row2) with
    {desc=Tvariant row2} -> eqtype_row rename type_pairs subst env row1 row2
  | _ -> raise Cannot_expand
  with Cannot_expand ->
  let row1 = row_repr row1 and row2 = row_repr row2 in
  let r1, r2, pairs = merge_row_fields row1.row_fields row2.row_fields in
  if row1.row_closed <> row2.row_closed
  || not row1.row_closed && (r1 <> [] || r2 <> [])
  || filter_row_fields false (r1 @ r2) <> []
  then raise (Unify []);
  if not (static_row row1) then
    eqtype rename type_pairs subst env row1.row_more row2.row_more;
  List.iter
    (fun (_,f1,f2) ->
      match row_field_repr f1, row_field_repr f2 with
        Rpresent(Some t1), Rpresent(Some t2) ->
          eqtype rename type_pairs subst env t1 t2
      | Reither(true, [], _, _), Reither(true, [], _, _) ->
          ()
      | Reither(false, t1::tl1, _, _), Reither(false, t2::tl2, _, _) ->
          eqtype rename type_pairs subst env t1 t2;
          if List.length tl1 = List.length tl2 then
            (* if same length allow different types (meaning?) *)
            List.iter2 (eqtype rename type_pairs subst env) tl1 tl2
          else begin
            (* otherwise everything must be equal *)
            List.iter (eqtype rename type_pairs subst env t1) tl2;
            List.iter (fun t1 -> eqtype rename type_pairs subst env t1 t2) tl1
          end
      | Rpresent None, Rpresent None -> ()
      | Rabsent, Rabsent -> ()
      | _ -> raise (Unify []))
    pairs

(* Two modes: with or without renaming of variables *)
let equal env rename tyl1 tyl2 =
  try
    univar_pairs := [];
    eqtype_list rename (TypePairs.create 11) (ref []) env tyl1 tyl2; true
  with
    Unify _ -> false

(* Must empty univar_pairs first *)
let eqtype rename type_pairs subst env t1 t2 =
  univar_pairs := [];
  eqtype rename type_pairs subst env t1 t2


                          (*************************)
                          (*  Class type matching  *)
                          (*************************)


type class_match_failure =
    CM_Virtual_class
  | CM_Parameter_arity_mismatch of int * int
  | CM_Type_parameter_mismatch of (type_expr * type_expr) list
  | CM_Class_type_mismatch of class_type * class_type
  | CM_Parameter_mismatch of (type_expr * type_expr) list
  | CM_Val_type_mismatch of string * (type_expr * type_expr) list
  | CM_Meth_type_mismatch of string * (type_expr * type_expr) list
  | CM_Non_mutable_value of string
  | CM_Non_concrete_value of string
  | CM_Missing_value of string
  | CM_Missing_method of string
  | CM_Hide_public of string
  | CM_Hide_virtual of string * string
  | CM_Public_method of string
  | CM_Private_method of string
  | CM_Virtual_method of string

exception Failure of class_match_failure list

let rec moregen_clty trace type_pairs env cty1 cty2 =
  try
    match cty1, cty2 with
      Tcty_constr (_, _, cty1), _ ->
        moregen_clty true type_pairs env cty1 cty2
    | _, Tcty_constr (_, _, cty2) ->
        moregen_clty true type_pairs env cty1 cty2
    | Tcty_fun (l1, ty1, cty1'), Tcty_fun (l2, ty2, cty2') when l1 = l2 ->
        begin try moregen true type_pairs env ty1 ty2 with Unify trace ->
          raise (Failure [CM_Parameter_mismatch (expand_trace env trace)])
        end;
        moregen_clty false type_pairs env cty1' cty2'
    | Tcty_signature sign1, Tcty_signature sign2 ->
        let ty1 = object_fields (repr sign1.cty_self) in
        let ty2 = object_fields (repr sign2.cty_self) in
        let (fields1, rest1) = flatten_fields ty1
        and (fields2, rest2) = flatten_fields ty2 in
        let (pairs, miss1, miss2) = associate_fields fields1 fields2 in
        List.iter
          (fun (lab, k1, t1, k2, t2) ->
            begin try moregen true type_pairs env t1 t2 with Unify trace ->
              raise (Failure [CM_Meth_type_mismatch
                                 (lab, expand_trace env trace)])
           end)
        pairs;
      Vars.iter
        (fun lab (mut, v, ty) ->
           let (mut', v', ty') = Vars.find lab sign1.cty_vars in
           try moregen true type_pairs env ty' ty with Unify trace ->
             raise (Failure [CM_Val_type_mismatch
                                (lab, expand_trace env trace)]))
        sign2.cty_vars
  | _ ->
      raise (Failure [])
  with
    Failure error when trace ->
      raise (Failure (CM_Class_type_mismatch (cty1, cty2)::error))

let match_class_types env pat_sch subj_sch =
  let type_pairs = TypePairs.create 53 in
  let old_level = !current_level in
  current_level := generic_level - 1;
  (*
     Generic variables are first duplicated with [instance].  So,
     their levels are lowered to [generic_level - 1].  The subject is
     then copied with [duplicate_type].  That way, its levels won't be
     changed.
  *)
  let (_, subj_inst) = instance_class [] subj_sch in
  let subj = duplicate_class_type subj_inst in
  current_level := generic_level;
  (* Duplicate generic variables *)
  let (_, patt) = instance_class [] pat_sch in
  let res =
    let sign1 = signature_of_class_type patt in
    let sign2 = signature_of_class_type subj in
    let t1 = repr sign1.cty_self in
    let t2 = repr sign2.cty_self in
    TypePairs.add type_pairs (t1, t2) ();
    let (fields1, rest1) = flatten_fields (object_fields t1)
    and (fields2, rest2) = flatten_fields (object_fields t2) in
    let (pairs, miss1, miss2) = associate_fields fields1 fields2 in
    let error =
      List.fold_right
        (fun (lab, k, _) err ->
           let err =
             let k = field_kind_repr k in
             begin match k with
               Fvar r -> set_kind r Fabsent; err
             | _      -> CM_Hide_public lab::err
             end
           in
           if Concr.mem lab sign1.cty_concr then err
           else CM_Hide_virtual ("method", lab) :: err)
        miss1 []
    in
    let missing_method = List.map (fun (m, _, _) -> m) miss2 in
    let error =
      (List.map (fun m -> CM_Missing_method m) missing_method) @ error
    in
    (* Always succeeds *)
    moregen true type_pairs env rest1 rest2;
    let error =
      List.fold_right
        (fun (lab, k1, t1, k2, t2) err ->
           try moregen_kind k1 k2; err with
             Unify _ -> CM_Public_method lab::err)
        pairs error
    in
    let error =
      Vars.fold
        (fun lab (mut, vr, ty) err ->
          try
            let (mut', vr', ty') = Vars.find lab sign1.cty_vars in
            if mut = Mutable && mut' <> Mutable then
              CM_Non_mutable_value lab::err
            else if vr = Concrete && vr' <> Concrete then
              CM_Non_concrete_value lab::err
            else
              err
          with Not_found ->
            CM_Missing_value lab::err)
        sign2.cty_vars error
    in
    let error =
      Vars.fold
        (fun lab (_,vr,_) err ->
          if vr = Virtual && not (Vars.mem lab sign2.cty_vars) then
            CM_Hide_virtual ("instance variable", lab) :: err
          else err)
        sign1.cty_vars error
    in
    let error =
      List.fold_right
        (fun e l ->
           if List.mem e missing_method then l else CM_Virtual_method e::l)
        (Concr.elements (Concr.diff sign2.cty_concr sign1.cty_concr))
        error
    in
    match error with
      [] ->
        begin try
          moregen_clty true type_pairs env patt subj;
          []
        with
          Failure r -> r
        end
    | error ->
        CM_Class_type_mismatch (patt, subj)::error
  in
  current_level := old_level;
  res

let rec equal_clty trace type_pairs subst env cty1 cty2 =
  try
    match cty1, cty2 with
      Tcty_constr (_, _, cty1), Tcty_constr (_, _, cty2) ->
        equal_clty true type_pairs subst env cty1 cty2
    | Tcty_constr (_, _, cty1), _ ->
        equal_clty true type_pairs subst env cty1 cty2
    | _, Tcty_constr (_, _, cty2) ->
        equal_clty true type_pairs subst env cty1 cty2
    | Tcty_fun (l1, ty1, cty1'), Tcty_fun (l2, ty2, cty2') when l1 = l2 ->
        begin try eqtype true type_pairs subst env ty1 ty2 with Unify trace ->
          raise (Failure [CM_Parameter_mismatch (expand_trace env trace)])
        end;
        equal_clty false type_pairs subst env cty1' cty2'
    | Tcty_signature sign1, Tcty_signature sign2 ->
        let ty1 = object_fields (repr sign1.cty_self) in
        let ty2 = object_fields (repr sign2.cty_self) in
        let (fields1, rest1) = flatten_fields ty1
        and (fields2, rest2) = flatten_fields ty2 in
        let (pairs, miss1, miss2) = associate_fields fields1 fields2 in
        List.iter
          (fun (lab, k1, t1, k2, t2) ->
             begin try eqtype true type_pairs subst env t1 t2 with
               Unify trace ->
                 raise (Failure [CM_Meth_type_mismatch
                                    (lab, expand_trace env trace)])
             end)
          pairs;
        Vars.iter
          (fun lab (_, _, ty) ->
             let (_, _, ty') = Vars.find lab sign1.cty_vars in
             try eqtype true type_pairs subst env ty ty' with Unify trace ->
               raise (Failure [CM_Val_type_mismatch
                                  (lab, expand_trace env trace)]))
          sign2.cty_vars
    | _ ->
        raise
          (Failure (if trace then []
                    else [CM_Class_type_mismatch (cty1, cty2)]))
  with
    Failure error when trace ->
      raise (Failure (CM_Class_type_mismatch (cty1, cty2)::error))

(* XXX On pourrait autoriser l'instantiation du type des parametres... *)
(* XXX Correct ? (variables de type dans parametres et corps de classe *)
let match_class_declarations env patt_params patt_type subj_params subj_type =
  let type_pairs = TypePairs.create 53 in
  let subst = ref [] in
  let sign1 = signature_of_class_type patt_type in
  let sign2 = signature_of_class_type subj_type in
  let t1 = repr sign1.cty_self in
  let t2 = repr sign2.cty_self in
  TypePairs.add type_pairs (t1, t2) ();
  let (fields1, rest1) = flatten_fields (object_fields t1)
  and (fields2, rest2) = flatten_fields (object_fields t2) in
  let (pairs, miss1, miss2) = associate_fields fields1 fields2 in
  let error =
    List.fold_right
      (fun (lab, k, _) err ->
        let err =
          let k = field_kind_repr k in
          begin match k with
            Fvar r -> err
          | _      -> CM_Hide_public lab::err
          end
        in
        if Concr.mem lab sign1.cty_concr then err
        else CM_Hide_virtual ("method", lab) :: err)
      miss1 []
  in
  let missing_method = List.map (fun (m, _, _) -> m) miss2 in
  let error =
    (List.map (fun m -> CM_Missing_method m) missing_method) @ error
  in
  (* Always succeeds *)
  eqtype true type_pairs subst env rest1 rest2;
  let error =
    List.fold_right
      (fun (lab, k1, t1, k2, t2) err ->
        let k1 = field_kind_repr k1 in
        let k2 = field_kind_repr k2 in
        match k1, k2 with
          (Fvar _, Fvar _)
        | (Fpresent, Fpresent) -> err
        | (Fvar _, Fpresent)   -> CM_Private_method lab::err
        | (Fpresent, Fvar _)  -> CM_Public_method lab::err
        | _                    -> assert false)
      pairs error
  in
  let error =
    Vars.fold
      (fun lab (mut, vr, ty) err ->
         try
           let (mut', vr', ty') = Vars.find lab sign1.cty_vars in
           if mut = Mutable && mut' <> Mutable then
             CM_Non_mutable_value lab::err
           else if vr = Concrete && vr' <> Concrete then
             CM_Non_concrete_value lab::err
           else
             err
         with Not_found ->
           CM_Missing_value lab::err)
      sign2.cty_vars error
  in
  let error =
    Vars.fold
      (fun lab (_,vr,_) err ->
        if vr = Virtual && not (Vars.mem lab sign2.cty_vars) then
          CM_Hide_virtual ("instance variable", lab) :: err
        else err)
      sign1.cty_vars error
  in
  let error =
    List.fold_right
      (fun e l ->
        if List.mem e missing_method then l else CM_Virtual_method e::l)
      (Concr.elements (Concr.diff sign2.cty_concr sign1.cty_concr))
      error
  in
  match error with
    [] ->
      begin try
        let lp = List.length patt_params in
        let ls = List.length subj_params in
        if lp  <> ls then
          raise (Failure [CM_Parameter_arity_mismatch (lp, ls)]);
        List.iter2 (fun p s ->
          try eqtype true type_pairs subst env p s with Unify trace ->
            raise (Failure [CM_Type_parameter_mismatch
                               (expand_trace env trace)]))
          patt_params subj_params;
        equal_clty false type_pairs subst env patt_type subj_type;
        []
      with
        Failure r -> r
      end
  | error ->
      error


                              (***************)
                              (*  Subtyping  *)
                              (***************)


(**** Build a subtype of a given type. ****)

(* build_subtype:
   [visited] traces traversed object and variant types
   [loops] is a mapping from variables to variables, to reproduce
     positive loops in a class type
   [posi] true if the current variance is positive
   [level] number of expansions/enlargement allowed on this branch *)

let warn = ref false  (* whether double coercion might do better *)
let pred_expand n = if n mod 2 = 0 && n > 0 then pred n else n
let pred_enlarge n = if n mod 2 = 1 then pred n else n

type change = Unchanged | Equiv | Changed
let collect l = List.fold_left (fun c1 (_, c2) -> max c1 c2) Unchanged l

let rec filter_visited = function
    [] -> []
  | {desc=Tobject _|Tvariant _} :: _ as l -> l
  | _ :: l -> filter_visited l

let memq_warn t visited =
  if List.memq t visited then (warn := true; true) else false

let rec lid_of_path sharp = function
    Path.Pident id ->
      Longident.Lident (sharp ^ Ident.name id)
  | Path.Pdot (p1, s, _) ->
      Longident.Ldot (lid_of_path "" p1, sharp ^ s)
  | Path.Papply (p1, p2) ->
      Longident.Lapply (lid_of_path sharp p1, lid_of_path "" p2)

let find_cltype_for_path env p =
  let path, cl_abbr = Env.lookup_type (lid_of_path "#" p) env in
  match cl_abbr.type_manifest with
    Some ty ->
      begin match (repr ty).desc with
        Tobject(_,{contents=Some(p',_)}) when Path.same p p' -> cl_abbr, ty
      | _ -> raise Not_found
      end
  | None -> assert false

let has_constr_row' env t =
  has_constr_row (expand_abbrev env t)

let rec build_subtype env visited loops posi level t =
  let t = repr t in
  match t.desc with
    Tvar ->
      if posi then
        try
          let t' = List.assq t loops in
          warn := true;
          (t', Equiv)
        with Not_found ->
          (t, Unchanged)
      else
        (t, Unchanged)
  | Tarrow(l, t1, t2, _) ->
      if memq_warn t visited then (t, Unchanged) else
      let visited = t :: visited in
      let (t1', c1) = build_subtype env visited loops (not posi) level t1 in
      let (t2', c2) = build_subtype env visited loops posi level t2 in
      let c = max c1 c2 in
      if c > Unchanged then (newty (Tarrow(l, t1', t2', Cok)), c)
      else (t, Unchanged)
  | Ttuple tlist ->
      if memq_warn t visited then (t, Unchanged) else
      let visited = t :: visited in
      let tlist' =
        List.map (build_subtype env visited loops posi level) tlist
      in
      let c = collect tlist' in
      if c > Unchanged then (newty (Ttuple (List.map fst tlist')), c)
      else (t, Unchanged)
  | Tconstr(p, tl, abbrev)
    when level > 0 && generic_abbrev env p && safe_abbrev env t
    && not (has_constr_row' env t) ->
      let t' = repr (expand_abbrev env t) in
      let level' = pred_expand level in
      begin try match t'.desc with
        Tobject _ when posi && not (opened_object t') ->
          let cl_abbr, body = find_cltype_for_path env p in
          let ty =
            subst env !current_level abbrev None cl_abbr.type_params tl body in
          let ty = repr ty in
          let ty1, tl1 =
            match ty.desc with
              Tobject(ty1,{contents=Some(p',tl1)}) when Path.same p p' ->
                ty1, tl1
            | _ -> raise Not_found
          in
          ty.desc <- Tvar;
          let t'' = newvar () in
          let loops = (ty, t'') :: loops in
          (* May discard [visited] as level is going down *)
          let (ty1', c) =
            build_subtype env [t'] loops posi (pred_enlarge level') ty1 in
          assert (t''.desc = Tvar);
          let nm =
            if c > Equiv || deep_occur ty ty1' then None else Some(p,tl1) in
          t''.desc <- Tobject (ty1', ref nm);
          (try unify_var env ty t with Unify _ -> assert false);
          (t'', Changed)
      | _ -> raise Not_found
      with Not_found ->
        let (t'',c) = build_subtype env visited loops posi level' t' in
        if c > Unchanged then (t'',c)
        else (t, Unchanged)
      end
  | Tconstr(p, tl, abbrev) ->
      (* Must check recursion on constructors, since we do not always
         expand them *)
      if memq_warn t visited then (t, Unchanged) else
      let visited = t :: visited in
      begin try
        let decl = Env.find_type p env in
        if level = 0 && generic_abbrev env p && safe_abbrev env t
        && not (has_constr_row' env t)
        then warn := true;
        let tl' =
          List.map2
            (fun (co,cn,_) t ->
              if cn then
                if co then (t, Unchanged)
                else build_subtype env visited loops (not posi) level t
              else
                if co then build_subtype env visited loops posi level t
                else (newvar(), Changed))
            decl.type_variance tl
        in
        let c = collect tl' in
        if c > Unchanged then (newconstr p (List.map fst tl'), c)
        else (t, Unchanged)
      with Not_found ->
        (t, Unchanged)
      end
  | Tvariant row ->
      let row = row_repr row in
      if memq_warn t visited || not (static_row row) then (t, Unchanged) else
      let level' = pred_enlarge level in
      let visited =
        t :: if level' < level then [] else filter_visited visited in
      let bound = ref row.row_bound in
      let fields = filter_row_fields false row.row_fields in
      let fields =
        List.map
          (fun (l,f as orig) -> match row_field_repr f with
            Rpresent None ->
              if posi then
                (l, Reither(true, [], false, ref None)), Unchanged
              else
                orig, Unchanged
          | Rpresent(Some t) ->
              let (t', c) = build_subtype env visited loops posi level' t in
              if posi && level > 0 then begin
                bound := t' :: !bound;
                (l, Reither(false, [t'], false, ref None)), c
              end else
                (l, Rpresent(Some t')), c
          | _ -> assert false)
          fields
      in
      let c = collect fields in
      let row =
        { row_fields = List.map fst fields; row_more = newvar();
          row_bound = !bound; row_closed = posi; row_fixed = false;
          row_name = if c > Unchanged then None else row.row_name }
      in
      (newty (Tvariant row), Changed)
  | Tobject (t1, _) ->
      if memq_warn t visited || opened_object t1 then (t, Unchanged) else
      let level' = pred_enlarge level in
      let visited =
        t :: if level' < level then [] else filter_visited visited in
      let (t1', c) = build_subtype env visited loops posi level' t1 in
      if c > Unchanged then (newty (Tobject (t1', ref None)), c)
      else (t, Unchanged)
  | Tfield(s, _, t1, t2) (* Always present *) ->
      let (t1', c1) = build_subtype env visited loops posi level t1 in
      let (t2', c2) = build_subtype env visited loops posi level t2 in
      let c = max c1 c2 in
      if c > Unchanged then (newty (Tfield(s, Fpresent, t1', t2')), c)
      else (t, Unchanged)
  | Tnil ->
      if posi then
        let v = newvar () in
        (v, Changed)
      else begin
        warn := true;
        (t, Unchanged)
      end
  | Tsubst _ | Tlink _ ->
      assert false
  | Tpoly(t1, tl) ->
      let (t1', c) = build_subtype env visited loops posi level t1 in
      if c > Unchanged then (newty (Tpoly(t1', tl)), c)
      else (t, Unchanged)
  | Tunivar ->
      (t, Unchanged)

let enlarge_type env ty =
  warn := false;
  (* [level = 4] allows 2 expansions involving objects/variants *)
  let (ty', _) = build_subtype env [] [] true 4 ty in
  (ty', !warn)

(**** Check whether a type is a subtype of another type. ****)

(*
    During the traversal, a trace of visited types is maintained. It
    is printed in case of error.
    Constraints (pairs of types that must be equals) are accumulated
    rather than being enforced straight. Indeed, the result would
    otherwise depend on the order in which these constraints are
    enforced.
    A function enforcing these constraints is returned. That way, type
    variables can be bound to their actual values before this function
    is called (see Typecore).
    Only well-defined abbreviations are expanded (hence the tests
    [generic_abbrev ...]).
*)

let subtypes = TypePairs.create 17

let subtype_error env trace =
  raise (Subtype (expand_trace env (List.rev trace), []))

let rec subtype_rec env trace t1 t2 cstrs =
  let t1 = repr t1 in
  let t2 = repr t2 in
  if t1 == t2 then cstrs else

  begin try
    TypePairs.find subtypes (t1, t2);
    cstrs
  with Not_found ->
    TypePairs.add subtypes (t1, t2) ();
    match (t1.desc, t2.desc) with
      (Tvar, _) | (_, Tvar) ->
        (trace, t1, t2, !univar_pairs)::cstrs
    | (Tarrow(l1, t1, u1, _), Tarrow(l2, t2, u2, _)) when l1 = l2
      || !Clflags.classic && not (is_optional l1 || is_optional l2) ->
        let cstrs = subtype_rec env ((t2, t1)::trace) t2 t1 cstrs in
        subtype_rec env ((u1, u2)::trace) u1 u2 cstrs
    | (Ttuple tl1, Ttuple tl2) ->
        subtype_list env trace tl1 tl2 cstrs
    | (Tconstr(p1, [], _), Tconstr(p2, [], _)) when Path.same p1 p2 ->
        cstrs
    | (Tconstr(p1, tl1, abbrev1), _)
      when generic_abbrev env p1 && safe_abbrev env t1 ->
        subtype_rec env trace (expand_abbrev env t1) t2 cstrs
    | (_, Tconstr(p2, tl2, abbrev2))
      when generic_abbrev env p2 && safe_abbrev env t2 ->
        subtype_rec env trace t1 (expand_abbrev env t2) cstrs
    | (Tconstr(p1, tl1, _), Tconstr(p2, tl2, _)) when Path.same p1 p2 ->
        begin try
          let decl = Env.find_type p1 env in
          List.fold_left2
            (fun cstrs (co, cn, _) (t1, t2) ->
              if co then
                if cn then
                  (trace, newty2 t1.level (Ttuple[t1]),
                   newty2 t2.level (Ttuple[t2]), !univar_pairs) :: cstrs
                else subtype_rec env ((t1, t2)::trace) t1 t2 cstrs
              else
                if cn then subtype_rec env ((t2, t1)::trace) t2 t1 cstrs
                else cstrs)
            cstrs decl.type_variance (List.combine tl1 tl2)
        with Not_found ->
          (trace, t1, t2, !univar_pairs)::cstrs
        end
    | (Tobject (f1, _), Tobject (f2, _))
      when (object_row f1).desc = Tvar && (object_row f2).desc = Tvar ->
        (* Same row variable implies same object. *)
        (trace, t1, t2, !univar_pairs)::cstrs
    | (Tobject (f1, _), Tobject (f2, _)) ->
        subtype_fields env trace f1 f2 cstrs
    | (Tvariant row1, Tvariant row2) ->
        begin try
          subtype_row env trace row1 row2 cstrs
        with Exit ->
          (trace, t1, t2, !univar_pairs)::cstrs
        end
    | (Tpoly (u1, []), Tpoly (u2, [])) ->
        subtype_rec env trace u1 u2 cstrs
    | (Tpoly (u1, tl1), Tpoly (u2,tl2)) ->
        begin try
          enter_poly env univar_pairs u1 tl1 u2 tl2
            (fun t1 t2 -> subtype_rec env trace t1 t2 cstrs)
        with Unify _ ->
          (trace, t1, t2, !univar_pairs)::cstrs
        end
    | (_, _) ->
        (trace, t1, t2, !univar_pairs)::cstrs
  end

and subtype_list env trace tl1 tl2 cstrs =
  if List.length tl1 <> List.length tl2 then
    subtype_error env trace;
  List.fold_left2
    (fun cstrs t1 t2 -> subtype_rec env ((t1, t2)::trace) t1 t2 cstrs)
    cstrs tl1 tl2

and subtype_fields env trace ty1 ty2 cstrs =
  (* Assume that either rest1 or rest2 is not Tvar *)
  let (fields1, rest1) = flatten_fields ty1 in
  let (fields2, rest2) = flatten_fields ty2 in
  let (pairs, miss1, miss2) = associate_fields fields1 fields2 in
  let cstrs =
    if rest2.desc = Tnil then cstrs else
    if miss1 = [] then
      subtype_rec env ((rest1, rest2)::trace) rest1 rest2 cstrs
    else
      (trace, build_fields (repr ty1).level miss1 rest1, rest2,
       !univar_pairs) :: cstrs
  in
  let cstrs =
    if miss2 = [] then cstrs else
    (trace, rest1, build_fields (repr ty2).level miss2 (newvar ()),
     !univar_pairs) :: cstrs
  in
  List.fold_left
    (fun cstrs (_, k1, t1, k2, t2) ->
      (* Theses fields are always present *)
      subtype_rec env ((t1, t2)::trace) t1 t2 cstrs)
    cstrs pairs

and subtype_row env trace row1 row2 cstrs =
  let row1 = row_repr row1 and row2 = row_repr row2 in
  let r1, r2, pairs =
    merge_row_fields row1.row_fields row2.row_fields in
  let more1 = repr row1.row_more
  and more2 = repr row2.row_more in
  match more1.desc, more2.desc with
    Tconstr(p1,_,_), Tconstr(p2,_,_) when Path.same p1 p2 ->
      subtype_rec env ((more1,more2)::trace) more1 more2 cstrs
  | (Tvar|Tconstr _), (Tvar|Tconstr _)
    when row1.row_closed && r1 = [] ->
      List.fold_left
        (fun cstrs (_,f1,f2) ->
          match row_field_repr f1, row_field_repr f2 with
            (Rpresent None|Reither(true,_,_,_)), Rpresent None ->
              cstrs
          | Rpresent(Some t1), Rpresent(Some t2) ->
              subtype_rec env ((t1, t2)::trace) t1 t2 cstrs
          | Reither(false, t1::_, _, _), Rpresent(Some t2) ->
              subtype_rec env ((t1, t2)::trace) t1 t2 cstrs
          | Rabsent, _ -> cstrs
          | _ -> raise Exit)
        cstrs pairs
  | Tunivar, Tunivar
    when row1.row_closed = row2.row_closed && r1 = [] && r2 = [] ->
      let cstrs =
        subtype_rec env ((more1,more2)::trace) more1 more2 cstrs in
      List.fold_left
        (fun cstrs (_,f1,f2) ->
          match row_field_repr f1, row_field_repr f2 with
            Rpresent None, Rpresent None
          | Reither(true,[],_,_), Reither(true,[],_,_)
          | Rabsent, Rabsent ->
              cstrs
          | Rpresent(Some t1), Rpresent(Some t2)
          | Reither(false,[t1],_,_), Reither(false,[t2],_,_) ->
              subtype_rec env ((t1, t2)::trace) t1 t2 cstrs
          | _ -> raise Exit)
        cstrs pairs
  | _ ->
      raise Exit

let subtype env ty1 ty2 =
  TypePairs.clear subtypes;
  univar_pairs := [];
  (* Build constraint set. *)
  let cstrs = subtype_rec env [(ty1, ty2)] ty1 ty2 [] in
  TypePairs.clear subtypes;
  (* Enforce constraints. *)
  function () ->
    List.iter
      (function (trace0, t1, t2, pairs) ->
         try unify_pairs env t1 t2 pairs with Unify trace ->
           raise (Subtype (expand_trace env (List.rev trace0),
                           List.tl (List.tl trace))))
      (List.rev cstrs)

                              (*******************)
                              (*  Miscellaneous  *)
                              (*******************)

(* Utility for printing. The resulting type is not used in computation. *)
let rec unalias_object ty =
  let ty = repr ty in
  match ty.desc with
    Tfield (s, k, t1, t2) ->
      newty2 ty.level (Tfield (s, k, t1, unalias_object t2))
  | Tvar | Tnil ->
      newty2 ty.level ty.desc
  | Tunivar ->
      ty
  | Tconstr _ ->
      newty2 ty.level Tvar
  | _ ->
      assert false

let unalias ty =
  let ty = repr ty in
  match ty.desc with
    Tvar | Tunivar ->
      ty
  | Tvariant row ->
      let row = row_repr row in
      let more = row.row_more in
      newty2 ty.level
        (Tvariant {row with row_more = newty2 more.level more.desc})
  | Tobject (ty, nm) ->
      newty2 ty.level (Tobject (unalias_object ty, nm))
  | _ ->
      newty2 ty.level ty.desc

let unroll_abbrev id tl ty =
  let ty = repr ty in
  if (ty.desc = Tvar) || (List.exists (deep_occur ty) tl) then
    ty
  else
    let ty' = newty2 ty.level ty.desc in
    link_type ty (newty2 ty.level (Tconstr (Path.Pident id, tl, ref Mnil)));
    ty'

(* Return the arity (as for curried functions) of the given type. *)
let rec arity ty =
  match (repr ty).desc with
    Tarrow(_, t1, t2, _) -> 1 + arity t2
  | _ -> 0

(* Check whether an abbreviation expands to itself. *)
let cyclic_abbrev env id ty =
  let rec check_cycle seen ty =
    let ty = repr ty in
    match ty.desc with
      Tconstr (p, tl, abbrev) ->
        p = Path.Pident id || List.memq ty seen ||
        begin try
          check_cycle (ty :: seen) (expand_abbrev env ty)
        with
          Cannot_expand -> false
        | Unify _ -> true
        end
    | _ ->
        false
  in check_cycle [] ty

(* Normalize a type before printing, saving... *)
let rec normalize_type_rec env ty =
  let ty = repr ty in
  if ty.level >= lowest_level then begin
    mark_type_node ty;
    begin match ty.desc with
    | Tvariant row ->
      let row = row_repr row in
      let fields = List.map
          (fun (l,f) ->
            let f = row_field_repr f in l,
            match f with Reither(b, ty::(_::_ as tyl), m, e) ->
              let tyl' =
                List.fold_left
                  (fun tyl ty ->
                    if List.exists (fun ty' -> equal env false [ty] [ty']) tyl
                    then tyl else ty::tyl)
                  [ty] tyl
              in
              if List.length tyl' <= List.length tyl then
                let f = Reither(b, List.rev tyl', m, ref None) in
                set_row_field e f;
                f
              else f
            | _ -> f)
          row.row_fields in
      let fields =
        List.sort (fun (p,_) (q,_) -> compare p q)
          (List.filter (fun (_,fi) -> fi <> Rabsent) fields)
      and bound = List.fold_left
          (fun tyl ty -> if List.memq ty tyl then tyl else ty :: tyl)
          [] (List.map repr row.row_bound)
      in
      log_type ty;
      ty.desc <- Tvariant {row with row_fields = fields; row_bound = bound}
    | Tobject (fi, nm) ->
        begin match !nm with
        | None -> ()
        | Some (n, v :: l) ->
            let v' = repr v in
            begin match v'.desc with
            | Tvar|Tunivar ->
                if v' != v then set_name nm (Some (n, v' :: l))
            | Tnil -> log_type ty; ty.desc <- Tconstr (n, l, ref Mnil)
            | _ -> set_name nm None
            end
        | _ ->
            fatal_error "Ctype.normalize_type_rec"
        end;
        let fi = repr fi in
        if fi.level < lowest_level then () else
        let fields, row = flatten_fields fi in
        let fi' = build_fields fi.level fields row in
        log_type ty; fi.desc <- fi'.desc
    | _ -> ()
    end;
    iter_type_expr (normalize_type_rec env) ty
  end

let normalize_type env ty =
  normalize_type_rec env ty;
  unmark_type ty


                              (*************************)
                              (*  Remove dependencies  *)
                              (*************************)


(*
   Variables are left unchanged. Other type nodes are duplicated, with
   levels set to generic level.
   During copying, the description of a (non-variable) node is first
   replaced by a link to a stub ([Tsubst (newgenvar ())]).
   Once the copy is made, it replaces the stub.
   After copying, the description of node, which was stored by
   [save_desc], must be put back, using [cleanup_types].
*)

let rec nondep_type_rec env id ty =
  let ty = repr ty in
  match ty.desc with
    Tvar | Tunivar -> ty
  | Tsubst ty -> ty
  | _ ->
    let desc = ty.desc in
    save_desc ty desc;
    let ty' = newgenvar () in        (* Stub *)
    ty.desc <- Tsubst ty';
    ty'.desc <-
      begin match desc with
      | Tconstr(p, tl, abbrev) ->
          if Path.isfree id p then
            begin try
              Tlink (nondep_type_rec env id
                       (expand_abbrev env (newty2 ty.level desc)))
              (*
                 The [Tlink] is important. The expanded type may be a
                 variable, or may not be completely copied yet
                 (recursive type), so one cannot just take its
                 description.
               *)
            with Cannot_expand ->
              raise Not_found
            end
          else
            Tconstr(p, List.map (nondep_type_rec env id) tl, ref Mnil)
      | Tobject (t1, name) ->
          Tobject (nondep_type_rec env id t1,
                 ref (match !name with
                        None -> None
                      | Some (p, tl) ->
                          if Path.isfree id p then None
                          else Some (p, List.map (nondep_type_rec env id) tl)))
      | Tvariant row ->
          let row = row_repr row in
          let more = repr row.row_more in
          (* We must substitute in a subtle way *)
          (* Tsubst denotes the variant itself, as the row var is unchanged *)
          begin match more.desc with
            Tsubst ty2 ->
              (* This variant type has been already copied *)
              ty.desc <- Tsubst ty2; (* avoid Tlink in the new type *)
              Tlink ty2
          | _ ->
              let static = static_row row in
              (* Register new type first for recursion *)
              save_desc more more.desc;
              more.desc <- ty.desc;
              let more' = if static then newgenvar () else more in
              (* Return a new copy *)
              let row =
                copy_row (nondep_type_rec env id) true row true more' in
              match row.row_name with
                Some (p, tl) when Path.isfree id p ->
                  Tvariant {row with row_name = None}
              | _ -> Tvariant row
          end
      | _ -> copy_type_desc (nondep_type_rec env id) desc
      end;
    ty'

let nondep_type env id ty =
  try
    let ty' = nondep_type_rec env id ty in
    cleanup_types ();
    unmark_type ty';
    ty'
  with Not_found ->
    cleanup_types ();
    raise Not_found

(* Preserve sharing inside type declarations. *)
let nondep_type_decl env mid id is_covariant decl =
  try
    let params = List.map (nondep_type_rec env mid) decl.type_params in
    let decl =
      { type_params = params;
        type_arity = decl.type_arity;
        type_kind =
          begin try
            match decl.type_kind with
              Type_abstract ->
                Type_abstract
            | Type_variant(cstrs, priv) ->
                Type_variant(List.map
                  (fun (c, tl) -> (c, List.map (nondep_type_rec env mid) tl))
                  cstrs, priv)
            | Type_record(lbls, rep, priv) ->
                Type_record(
                  List.map
                    (fun (c, mut, t) -> (c, mut, nondep_type_rec env mid t))
                    lbls,
                  rep, priv)
          with Not_found when is_covariant ->
            Type_abstract
          end;
        type_manifest =
          begin try
            match decl.type_manifest with
              None -> None
            | Some ty ->
                Some (unroll_abbrev id params (nondep_type_rec env mid ty))
          with Not_found when is_covariant ->
            None
          end;
        type_variance = decl.type_variance;
      }
    in
    cleanup_types ();
    List.iter unmark_type decl.type_params;
    begin match decl.type_kind with
      Type_abstract -> ()
    | Type_variant(cstrs, priv) ->
        List.iter (fun (c, tl) -> List.iter unmark_type tl) cstrs
    | Type_record(lbls, rep, priv) ->
        List.iter (fun (c, mut, t) -> unmark_type t) lbls
    end;
    begin match decl.type_manifest with
      None    -> ()
    | Some ty -> unmark_type ty
    end;
    decl
  with Not_found ->
    cleanup_types ();
    raise Not_found

(* Preserve sharing inside class types. *)
let nondep_class_signature env id sign =
  { cty_self = nondep_type_rec env id sign.cty_self;
    cty_vars =
      Vars.map (function (m, v, t) -> (m, v, nondep_type_rec env id t))
        sign.cty_vars;
    cty_concr = sign.cty_concr;
    cty_inher =
      List.map (fun (p,tl) -> (p, List.map (nondep_type_rec env id) tl))
        sign.cty_inher }

let rec nondep_class_type env id =
  function
    Tcty_constr (p, _, cty) when Path.isfree id p ->
      nondep_class_type env id cty
  | Tcty_constr (p, tyl, cty) ->
      Tcty_constr (p, List.map (nondep_type_rec env id) tyl,
                   nondep_class_type env id cty)
  | Tcty_signature sign ->
      Tcty_signature (nondep_class_signature env id sign)
  | Tcty_fun (l, ty, cty) ->
      Tcty_fun (l, nondep_type_rec env id ty, nondep_class_type env id cty)

let nondep_class_declaration env id decl =
  assert (not (Path.isfree id decl.cty_path));
  let decl =
    { cty_params = List.map (nondep_type_rec env id) decl.cty_params;
      cty_variance = decl.cty_variance;
      cty_type = nondep_class_type env id decl.cty_type;
      cty_path = decl.cty_path;
      cty_new =
        begin match decl.cty_new with
          None    -> None
        | Some ty -> Some (nondep_type_rec env id ty)
        end }
  in
  cleanup_types ();
  List.iter unmark_type decl.cty_params;
  unmark_class_type decl.cty_type;
  begin match decl.cty_new with
    None    -> ()
  | Some ty -> unmark_type ty
  end;
  decl

let nondep_cltype_declaration env id decl =
  assert (not (Path.isfree id decl.clty_path));
  let decl =
    { clty_params = List.map (nondep_type_rec env id) decl.clty_params;
      clty_variance = decl.clty_variance;
      clty_type = nondep_class_type env id decl.clty_type;
      clty_path = decl.clty_path }
  in
  cleanup_types ();
  List.iter unmark_type decl.clty_params;
  unmark_class_type decl.clty_type;
  decl

(* collapse conjonctive types in class parameters *)
let rec collapse_conj env visited ty =
  let ty = repr ty in
  if List.memq ty visited then () else
  let visited = ty :: visited in
  match ty.desc with
    Tvariant row ->
      let row = row_repr row in
      List.iter
        (fun (l,fi) ->
          match row_field_repr fi with
            Reither (c, t1::(_::_ as tl), m, e) ->
              List.iter (unify env t1) tl;
              set_row_field e (Reither (c, [t1], m, ref None))
          | _ ->
              ())
        row.row_fields;
      iter_row (collapse_conj env visited) row
  | _ ->
      iter_type_expr (collapse_conj env visited) ty

let collapse_conj_params env params =
  List.iter (collapse_conj env []) params
why-2.34/ml/typing/ctype.mli0000644000175000017500000002545212311670312014376 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: ctype.mli,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Operations on core types *)

open Asttypes
open Types

exception Unify of (type_expr * type_expr) list
exception Tags of label * label
exception Subtype of
        (type_expr * type_expr) list * (type_expr * type_expr) list
exception Cannot_expand
exception Cannot_apply
exception Recursive_abbrev

val init_def: int -> unit
        (* Set the initial variable level *)
val begin_def: unit -> unit
        (* Raise the variable level by one at the beginning of a definition. *)
val end_def: unit -> unit
        (* Lower the variable level by one at the end of a definition *)
val begin_class_def: unit -> unit
val raise_nongen_level: unit -> unit
val reset_global_level: unit -> unit
        (* Reset the global level before typing an expression *)
val increase_global_level: unit -> int
val restore_global_level: int -> unit
        (* This pair of functions is only used in Typetexp *)

val newty: type_desc -> type_expr
val newvar: unit -> type_expr
        (* Return a fresh variable *)
val new_global_var: unit -> type_expr
        (* Return a fresh variable, bound at toplevel
           (as type variables ['a] in type constraints). *)
val newobj: type_expr -> type_expr
val newconstr: Path.t -> type_expr list -> type_expr
val none: type_expr
        (* A dummy type expression *)

val repr: type_expr -> type_expr
        (* Return the canonical representative of a type. *)

val dummy_method: label
val object_fields: type_expr -> type_expr
val flatten_fields:
        type_expr -> (string * field_kind * type_expr) list * type_expr
        (* Transform a field type into a list of pairs label-type *)
        (* The fields are sorted *)
val associate_fields:
        (string * field_kind * type_expr) list ->
        (string * field_kind * type_expr) list ->
        (string * field_kind * type_expr * field_kind * type_expr) list *
        (string * field_kind * type_expr) list *
        (string * field_kind * type_expr) list
val opened_object: type_expr -> bool
val close_object: type_expr -> unit
val row_variable: type_expr -> type_expr
        (* Return the row variable of an open object type *)
val set_object_name:
        Ident.t -> type_expr -> type_expr list -> type_expr -> unit
val remove_object_name: type_expr -> unit
val hide_private_methods: type_expr -> unit
val find_cltype_for_path: Env.t -> Path.t -> type_declaration * type_expr

val sort_row_fields: (label * row_field) list -> (label * row_field) list
val merge_row_fields:
        (label * row_field) list -> (label * row_field) list ->
        (label * row_field) list * (label * row_field) list *
        (label * row_field * row_field) list
val filter_row_fields:
        bool -> (label * row_field) list -> (label * row_field) list

val generalize: type_expr -> unit
        (* Generalize in-place the given type *)
val iterative_generalization: int -> type_expr list -> type_expr list
        (* Efficient repeated generalization of a type *)
val generalize_expansive: Env.t -> type_expr -> unit
        (* Generalize the covariant part of a type, making
           contravariant branches non-generalizable *)
val generalize_global: type_expr -> unit
        (* Generalize the structure of a type, lowering variables
           to !global_level *)
val generalize_structure: type_expr -> unit
        (* Same, but variables are only lowered to !current_level *)
val generalize_spine: type_expr -> unit
        (* Special function to generalize a method during inference *)
val correct_levels: type_expr -> type_expr
        (* Returns a copy with decreasing levels *)
val limited_generalize: type_expr -> type_expr -> unit
        (* Only generalize some part of the type
           Make the remaining of the type non-generalizable *)

val instance: type_expr -> type_expr
        (* Take an instance of a type scheme *)
val instance_list: type_expr list -> type_expr list
        (* Take an instance of a list of type schemes *)
val instance_constructor:
        constructor_description -> type_expr list * type_expr
        (* Same, for a constructor *)
val instance_parameterized_type:
        type_expr list -> type_expr -> type_expr list * type_expr
val instance_parameterized_type_2:
        type_expr list -> type_expr list -> type_expr ->
        type_expr list * type_expr list * type_expr
val instance_class:
        type_expr list -> class_type -> type_expr list * class_type
val instance_poly:
        bool -> type_expr list -> type_expr -> type_expr list * type_expr
        (* Take an instance of a type scheme containing free univars *)
val instance_label:
        bool -> label_description -> type_expr list * type_expr * type_expr
        (* Same, for a label *)
val apply:
        Env.t -> type_expr list -> type_expr -> type_expr list -> type_expr
        (* [apply [p1...pN] t [a1...aN]] match the arguments [ai] to
        the parameters [pi] and returns the corresponding instance of
        [t]. Exception [Cannot_apply] is raised in case of failure. *)

val expand_head_once: Env.t -> type_expr -> type_expr
val expand_head: Env.t -> type_expr -> type_expr
val full_expand: Env.t -> type_expr -> type_expr

val enforce_constraints: Env.t -> type_expr -> unit

val unify: Env.t -> type_expr -> type_expr -> unit
        (* Unify the two types given. Raise [Unify] if not possible. *)
val unify_var: Env.t -> type_expr -> type_expr -> unit
        (* Same as [unify], but allow free univars when first type
           is a variable. *)
val filter_arrow: Env.t -> type_expr -> label -> type_expr * type_expr
        (* A special case of unification (with l:'a -> 'b). *)
val filter_method: Env.t -> string -> private_flag -> type_expr -> type_expr
        (* A special case of unification (with {m : 'a; 'b}). *)
val check_filter_method: Env.t -> string -> private_flag -> type_expr -> unit
        (* A special case of unification (with {m : 'a; 'b}), returning unit. *)
val deep_occur: type_expr -> type_expr -> bool
val filter_self_method:
        Env.t -> string -> private_flag -> (Ident.t * type_expr) Meths.t ref ->
        type_expr -> Ident.t * type_expr
val moregeneral: Env.t -> bool -> type_expr -> type_expr -> bool
        (* Check if the first type scheme is more general than the second. *)

val rigidify: type_expr -> type_expr list
        (* "Rigidify" a type and return its type variable *)
val all_distinct_vars: Env.t -> type_expr list -> bool
        (* Check those types are all distinct type variables *)
val matches : Env.t -> type_expr -> type_expr -> bool
        (* Same as [moregeneral false], implemented using the two above
           functions and backtracking. Ignore levels *)

type class_match_failure =
    CM_Virtual_class
  | CM_Parameter_arity_mismatch of int * int
  | CM_Type_parameter_mismatch of (type_expr * type_expr) list
  | CM_Class_type_mismatch of class_type * class_type
  | CM_Parameter_mismatch of (type_expr * type_expr) list
  | CM_Val_type_mismatch of string * (type_expr * type_expr) list
  | CM_Meth_type_mismatch of string * (type_expr * type_expr) list
  | CM_Non_mutable_value of string
  | CM_Non_concrete_value of string
  | CM_Missing_value of string
  | CM_Missing_method of string
  | CM_Hide_public of string
  | CM_Hide_virtual of string * string
  | CM_Public_method of string
  | CM_Private_method of string
  | CM_Virtual_method of string
val match_class_types:
        Env.t -> class_type -> class_type -> class_match_failure list
        (* Check if the first class type is more general than the second. *)
val equal: Env.t -> bool -> type_expr list -> type_expr list -> bool
        (* [equal env [x1...xn] tau [y1...yn] sigma]
           checks whether the parameterized types
           [/\x1.../\xn.tau] and [/\y1.../\yn.sigma] are equivalent. *)
val match_class_declarations:
        Env.t -> type_expr list -> class_type -> type_expr list ->
        class_type -> class_match_failure list
        (* Check if the first class type is more general than the second. *)

val enlarge_type: Env.t -> type_expr -> type_expr * bool
        (* Make a type larger, flag is true if some pruning had to be done *)
val subtype: Env.t -> type_expr -> type_expr -> unit -> unit
        (* [subtype env t1 t2] checks that [t1] is a subtype of [t2].
           It accumulates the constraints the type variables must
           enforce and returns a function that inforce this
           constraints. *)

val nondep_type: Env.t -> Ident.t -> type_expr -> type_expr
        (* Return a type equivalent to the given type but without
           references to the given module identifier. Raise [Not_found]
           if no such type exists. *)
val nondep_type_decl:
        Env.t -> Ident.t -> Ident.t -> bool -> type_declaration ->
        type_declaration
        (* Same for type declarations. *)
val nondep_class_declaration:
        Env.t -> Ident.t -> class_declaration -> class_declaration
        (* Same for class declarations. *)
val nondep_cltype_declaration:
        Env.t -> Ident.t -> cltype_declaration -> cltype_declaration
        (* Same for class type declarations. *)
val correct_abbrev: Env.t -> Path.t -> type_expr list -> type_expr -> unit
val cyclic_abbrev: Env.t -> Ident.t -> type_expr -> bool
val normalize_type: Env.t -> type_expr -> unit

val closed_schema: type_expr -> bool
        (* Check whether the given type scheme contains no non-generic
           type variables *)

val free_variables: type_expr -> type_expr list
val closed_type_decl: type_declaration -> type_expr option
type closed_class_failure =
    CC_Method of type_expr * bool * string * type_expr
  | CC_Value of type_expr * bool * string * type_expr
val closed_class:
        type_expr list -> class_signature -> closed_class_failure option
        (* Check whether all type variables are bound *)

val unalias: type_expr -> type_expr
val signature_of_class_type: class_type -> class_signature
val self_type: class_type -> type_expr
val class_type_arity: class_type -> int
val arity: type_expr -> int
        (* Return the arity (as for curried functions) of the given type. *)

val collapse_conj_params: Env.t -> type_expr list -> unit
        (* Collapse conjunctive types in class parameters *)
why-2.34/ml/typing/printtyp.ml0000644000175000017500000010003712311670312014763 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(* Xavier Leroy and Jerome Vouillon, projet Cristal, INRIA Rocquencourt*)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: printtyp.ml,v 1.2 2008-02-19 15:53:36 bardou Exp $ *)

(* Printing functions *)

open Misc
open Ctype
open Format
open Longident
open Path
open Asttypes
open Types
open Btype
open Outcometree2

(* Print a long identifier *)

let rec longident ppf = function
  | Lident s -> fprintf ppf "%s" s
  | Ldot(p, s) -> fprintf ppf "%a.%s" longident p s
  | Lapply(p1, p2) -> fprintf ppf "%a(%a)" longident p1 longident p2

(* Print an identifier *)

let ident ppf id = fprintf ppf "%s" (Ident.name id)

(* Print a path *)

let ident_pervasive = Ident.create_persistent "Pervasives"

let rec tree_of_path = function
  | Pident id ->
      Oide_ident (Ident.name id)
  | Pdot(Pident id, s, pos) when Ident.same id ident_pervasive ->
      Oide_ident s
  | Pdot(p, s, pos) ->
      Oide_dot (tree_of_path p, s)
  | Papply(p1, p2) ->
      Oide_apply (tree_of_path p1, tree_of_path p2)

let rec path ppf = function
  | Pident id ->
      ident ppf id
  | Pdot(Pident id, s, pos) when Ident.same id ident_pervasive ->
      fprintf ppf "%s" s
  | Pdot(p, s, pos) ->
      fprintf ppf "%a.%s" path p s
  | Papply(p1, p2) ->
      fprintf ppf "%a(%a)" path p1 path p2

(* Print a recursive annotation *)

let tree_of_rec = function
  | Trec_not -> Orec_not
  | Trec_first -> Orec_first
  | Trec_next -> Orec_next

(* Print a raw type expression, with sharing *)

let raw_list pr ppf = function
    [] -> fprintf ppf "[]"
  | a :: l ->
      fprintf ppf "@[<1>[%a%t]@]" pr a
        (fun ppf -> List.iter (fun x -> fprintf ppf ";@,%a" pr x) l)

let rec safe_kind_repr v = function
    Fvar {contents=Some k}  ->
      if List.memq k v then "Fvar loop" else
      safe_kind_repr (k::v) k
  | Fvar _ -> "Fvar None"
  | Fpresent -> "Fpresent"
  | Fabsent -> "Fabsent"

let rec safe_commu_repr v = function
    Cok -> "Cok"
  | Cunknown -> "Cunknown"
  | Clink r ->
      if List.memq r v then "Clink loop" else
      safe_commu_repr (r::v) !r

let rec safe_repr v = function
    {desc = Tlink t} when not (List.memq t v) ->
      safe_repr (t::v) t
  | t -> t

let rec list_of_memo = function
    Mnil -> []
  | Mcons (p, t1, t2, rem) -> p :: list_of_memo rem
  | Mlink rem -> list_of_memo !rem

let visited = ref []
let rec raw_type ppf ty =
  let ty = safe_repr [] ty in
  if List.memq ty !visited then fprintf ppf "{id=%d}" ty.id else begin
    visited := ty :: !visited;
    fprintf ppf "@[<1>{id=%d;level=%d;desc=@,%a}@]" ty.id ty.level
      raw_type_desc ty.desc
  end
and raw_type_list tl = raw_list raw_type tl
and raw_type_desc ppf = function
    Tvar -> fprintf ppf "Tvar"
  | Tarrow(l,t1,t2,c) ->
      fprintf ppf "@[Tarrow(%s,@,%a,@,%a,@,%s)@]"
        l raw_type t1 raw_type t2
        (safe_commu_repr [] c)
  | Ttuple tl ->
      fprintf ppf "@[<1>Ttuple@,%a@]" raw_type_list tl
  | Tconstr (p, tl, abbrev) ->
      fprintf ppf "@[Tconstr(@,%a,@,%a,@,%a)@]" path p
        raw_type_list tl
        (raw_list path) (list_of_memo !abbrev)
  | Tobject (t, nm) ->
      fprintf ppf "@[Tobject(@,%a,@,@[<1>ref%t@])@]" raw_type t
        (fun ppf ->
          match !nm with None -> fprintf ppf " None"
          | Some(p,tl) ->
              fprintf ppf "(Some(@,%a,@,%a))" path p raw_type_list tl)
  | Tfield (f, k, t1, t2) ->
      fprintf ppf "@[Tfield(@,%s,@,%s,@,%a,@;<0 -1>%a)@]" f
        (safe_kind_repr [] k)
        raw_type t1 raw_type t2
  | Tnil -> fprintf ppf "Tnil"
  | Tlink t -> fprintf ppf "@[<1>Tlink@,%a@]" raw_type t
  | Tsubst t -> fprintf ppf "@[<1>Tsubst@,%a@]" raw_type t
  | Tunivar -> fprintf ppf "Tunivar"
  | Tpoly (t, tl) ->
      fprintf ppf "@[Tpoly(@,%a,@,%a)@]"
        raw_type t
        raw_type_list tl
  | Tvariant row ->
      fprintf ppf
        "@[{@[%s@,%a;@]@ @[%s@,%a;@]@ %s%b;@ %s%b;@ @[<1>%s%t@]}@]"
        "row_fields="
        (raw_list (fun ppf (l, f) ->
          fprintf ppf "@[%s,@ %a@]" l raw_field f))
        row.row_fields
        "row_more=" raw_type row.row_more
        "row_closed=" row.row_closed
        "row_fixed=" row.row_fixed
        "row_name="
        (fun ppf ->
          match row.row_name with None -> fprintf ppf "None"
          | Some(p,tl) ->
              fprintf ppf "Some(@,%a,@,%a)" path p raw_type_list tl)

and raw_field ppf = function
    Rpresent None -> fprintf ppf "Rpresent None"
  | Rpresent (Some t) -> fprintf ppf "@[<1>Rpresent(Some@,%a)@]" raw_type t
  | Reither (c,tl,m,e) ->
      fprintf ppf "@[Reither(%b,@,%a,@,%b,@,@[<1>ref%t@])@]" c
        raw_type_list tl m
        (fun ppf ->
          match !e with None -> fprintf ppf " None"
          | Some f -> fprintf ppf "@,@[<1>(%a)@]" raw_field f)
  | Rabsent -> fprintf ppf "Rabsent"

let raw_type_expr ppf t =
  visited := [];
  raw_type ppf t;
  visited := []

(* Print a type expression *)

let names = ref ([] : (type_expr * string) list)
let name_counter = ref 0

let reset_names () = names := []; name_counter := 0

let new_name () =
  let name =
    if !name_counter < 26
    then String.make 1 (Char.chr(97 + !name_counter))
    else String.make 1 (Char.chr(97 + !name_counter mod 26)) ^
           string_of_int(!name_counter / 26) in
  incr name_counter;
  name

let name_of_type t =
  try List.assq t !names with Not_found ->
    let name = new_name () in
    names := (t, name) :: !names;
    name

let check_name_of_type t = ignore(name_of_type t)

let non_gen_mark sch ty =
  if sch && ty.desc = Tvar && ty.level <> generic_level then "_" else ""

let print_name_of_type sch ppf t =
  fprintf ppf "'%s%s" (non_gen_mark sch t) (name_of_type t)

let visited_objects = ref ([] : type_expr list)
let aliased = ref ([] : type_expr list)
let delayed = ref ([] : type_expr list)

let add_delayed t =
  if not (List.memq t !delayed) then delayed := t :: !delayed

let is_aliased ty = List.memq (proxy ty) !aliased
let add_alias ty =
  let px = proxy ty in
  if not (is_aliased px) then aliased := px :: !aliased
let aliasable ty =
  match ty.desc with Tvar | Tunivar | Tpoly _ -> false | _ -> true

let namable_row row =
  row.row_name <> None &&
  List.for_all
    (fun (_, f) ->
       match row_field_repr f with
       | Reither(c, l, _, _) ->
           row.row_closed && if c then l = [] else List.length l = 1
       | _ -> true)
    row.row_fields

let rec mark_loops_rec visited ty =
  let ty = repr ty in
  let px = proxy ty in
  if List.memq px visited && aliasable ty then add_alias px else
    let visited = px :: visited in
    match ty.desc with
    | Tvar -> ()
    | Tarrow(_, ty1, ty2, _) ->
        mark_loops_rec visited ty1; mark_loops_rec visited ty2
    | Ttuple tyl -> List.iter (mark_loops_rec visited) tyl
    | Tconstr(_, tyl, _) ->
        List.iter (mark_loops_rec visited) tyl
    | Tvariant row ->
        if List.memq px !visited_objects then add_alias px else
         begin
          let row = row_repr row in
          if not (static_row row) then
            visited_objects := px :: !visited_objects;
          match row.row_name with
          | Some(p, tyl) when namable_row row ->
              List.iter (mark_loops_rec visited) tyl
          | _ ->
              iter_row (mark_loops_rec visited) {row with row_bound = []}
         end
    | Tobject (fi, nm) ->
        if List.memq px !visited_objects then add_alias px else
         begin
          if opened_object ty then
            visited_objects := px :: !visited_objects;
          begin match !nm with
          | None ->
              let fields, _ = flatten_fields fi in
              List.iter
                (fun (_, kind, ty) ->
                  if field_kind_repr kind = Fpresent then
                    mark_loops_rec visited ty)
                fields
          | Some (_, l) ->
              List.iter (mark_loops_rec visited) (List.tl l)
          end
        end
    | Tfield(_, kind, ty1, ty2) when field_kind_repr kind = Fpresent ->
        mark_loops_rec visited ty1; mark_loops_rec visited ty2
    | Tfield(_, _, _, ty2) ->
        mark_loops_rec visited ty2
    | Tnil -> ()
    | Tsubst ty -> mark_loops_rec visited ty
    | Tlink _ -> fatal_error "Printtyp.mark_loops_rec (2)"
    | Tpoly (ty, tyl) ->
        List.iter (fun t -> add_alias t) tyl;
        mark_loops_rec visited ty
    | Tunivar -> ()

let mark_loops ty =
  normalize_type Env.empty ty;
  mark_loops_rec [] ty;;

let reset_loop_marks () =
  visited_objects := []; aliased := []; delayed := []

let reset () =
  reset_names (); reset_loop_marks ()

let reset_and_mark_loops ty =
  reset (); mark_loops ty

let reset_and_mark_loops_list tyl =
  reset (); List.iter mark_loops tyl

(* Disabled in classic mode when printing an unification error *)
let print_labels = ref true
let print_label ppf l =
  if !print_labels && l <> "" || is_optional l then fprintf ppf "%s:" l

let rec tree_of_typexp sch ty =
  let ty = repr ty in
  let px = proxy ty in
  if List.mem_assq px !names && not (List.memq px !delayed) then
   let mark = is_non_gen sch ty in
   Otyp_var (mark, name_of_type px) else

  let pr_typ () =
    match ty.desc with
    | Tvar ->
        Otyp_var (is_non_gen sch ty, name_of_type ty)
    | Tarrow(l, ty1, ty2, _) ->
        let pr_arrow l ty1 ty2 =
          let lab =
            if !print_labels && l <> "" || is_optional l then l else ""
          in
          let t1 =
            if is_optional l then
              match (repr ty1).desc with
              | Tconstr(path, [ty], _)
                when Path.same path Predef.path_option ->
                  tree_of_typexp sch ty
              | _ -> Otyp_stuff ""
            else tree_of_typexp sch ty1 in
          Otyp_arrow (lab, t1, tree_of_typexp sch ty2) in
        pr_arrow l ty1 ty2
    | Ttuple tyl ->
        Otyp_tuple (tree_of_typlist sch tyl)
    | Tconstr(p, tyl, abbrev) ->
        Otyp_constr (tree_of_path p, tree_of_typlist sch tyl)
    | Tvariant row ->
        let row = row_repr row in
        let fields =
          if row.row_closed then
            List.filter (fun (_, f) -> row_field_repr f <> Rabsent)
              row.row_fields
          else row.row_fields in
        let present =
          List.filter
            (fun (_, f) ->
               match row_field_repr f with
               | Rpresent _ -> true
               | _ -> false)
            fields in
        let all_present = List.length present = List.length fields in
        begin match row.row_name with
        | Some(p, tyl) when namable_row row ->
            let id = tree_of_path p in
            let args = tree_of_typlist sch tyl in
            if row.row_closed && all_present then
              Otyp_constr (id, args)
            else
              let non_gen = is_non_gen sch px in
              let tags =
                if all_present then None else Some (List.map fst present) in
              Otyp_variant (non_gen, Ovar_name(tree_of_path p, args),
                            row.row_closed, tags)
        | _ ->
            let non_gen =
              not (row.row_closed && all_present) && is_non_gen sch px in
            let fields = List.map (tree_of_row_field sch) fields in
            let tags =
              if all_present then None else Some (List.map fst present) in
            Otyp_variant (non_gen, Ovar_fields fields, row.row_closed, tags)
        end
    | Tobject (fi, nm) ->
        tree_of_typobject sch fi nm
    | Tsubst ty ->
        tree_of_typexp sch ty
    | Tlink _ | Tnil | Tfield _ ->
        fatal_error "Printtyp.tree_of_typexp"
    | Tpoly (ty, []) ->
        tree_of_typexp sch ty
    | Tpoly (ty, tyl) ->
        let tyl = List.map repr tyl in
        (* let tyl = List.filter is_aliased tyl in *)
        if tyl = [] then tree_of_typexp sch ty else begin
          let old_delayed = !delayed in
          List.iter add_delayed tyl;
          let tl = List.map name_of_type tyl in
          let tr = Otyp_poly (tl, tree_of_typexp sch ty) in
          delayed := old_delayed; tr
        end
    | Tunivar ->
        Otyp_var (false, name_of_type ty)
  in
  if List.memq px !delayed then delayed := List.filter ((!=) px) !delayed;
  if is_aliased px && aliasable ty then begin
    check_name_of_type px;
    Otyp_alias (pr_typ (), name_of_type px) end
  else pr_typ ()

and tree_of_row_field sch (l, f) =
  match row_field_repr f with
  | Rpresent None | Reither(true, [], _, _) -> (l, false, [])
  | Rpresent(Some ty) -> (l, false, [tree_of_typexp sch ty])
  | Reither(c, tyl, _, _) ->
      if c (* contradiction: un constructeur constant qui a un argument *)
      then (l, true, tree_of_typlist sch tyl)
      else (l, false, tree_of_typlist sch tyl)
  | Rabsent -> (l, false, [] (* une erreur, en fait *))

and tree_of_typlist sch tyl =
  List.map (tree_of_typexp sch) tyl

and tree_of_typobject sch fi nm =
  begin match !nm with
  | None ->
      let pr_fields fi =
        let (fields, rest) = flatten_fields fi in
        let present_fields =
          List.fold_right
            (fun (n, k, t) l ->
               match field_kind_repr k with
               | Fpresent -> (n, t) :: l
               | _ -> l)
            fields [] in
        let sorted_fields =
          Sort.list (fun (n, _) (n', _) -> n <= n') present_fields in
        tree_of_typfields sch rest sorted_fields in
      let (fields, rest) = pr_fields fi in
      Otyp_object (fields, rest)
  | Some (p, ty :: tyl) ->
      let non_gen = is_non_gen sch (repr ty) in
      let args = tree_of_typlist sch tyl in
      Otyp_class (non_gen, tree_of_path p, args)
  | _ ->
      fatal_error "Printtyp.tree_of_typobject"
  end

and is_non_gen sch ty =
    sch && ty.desc = Tvar && ty.level <> generic_level

and tree_of_typfields sch rest = function
  | [] ->
      let rest =
        match rest.desc with
        | Tvar | Tunivar -> Some (is_non_gen sch rest)
        | Tconstr _ -> Some false
        | Tnil -> None
        | _ -> fatal_error "typfields (1)"
      in
      ([], rest)
  | (s, t) :: l ->
      let field = (s, tree_of_typexp sch t) in
      let (fields, rest) = tree_of_typfields sch rest l in
      (field :: fields, rest)

let typexp sch prio ppf ty =
  !Oprint.out_type ppf (tree_of_typexp sch ty)

let type_expr ppf ty = typexp false 0 ppf ty

and type_sch ppf ty = typexp true 0 ppf ty

and type_scheme ppf ty = reset_and_mark_loops ty; typexp true 0 ppf ty

(* Maxence *)
let type_scheme_max ?(b_reset_names=true) ppf ty =
  if b_reset_names then reset_names () ;
  typexp true 0 ppf ty
(* Fin Maxence *)

let tree_of_type_scheme ty = reset_and_mark_loops ty; tree_of_typexp true ty

(* Print one type declaration *)

let tree_of_constraints params =
  List.fold_right
    (fun ty list ->
       let ty' = unalias ty in
       if proxy ty != proxy ty' then
         let tr = tree_of_typexp true ty in
         (tr, tree_of_typexp true ty') :: list
       else list)
    params []

let filter_params tyl =
  let params =
    List.fold_left
      (fun tyl ty ->
        let ty = repr ty in
        if List.memq ty tyl then Btype.newgenty (Tsubst ty) :: tyl
        else ty :: tyl)
      [] tyl
  in List.rev params

let string_of_mutable = function
  | Immutable -> ""
  | Mutable -> "mutable "

let rec tree_of_type_decl id decl =

  reset();

  let params = filter_params decl.type_params in

  List.iter add_alias params;
  List.iter mark_loops params;
  List.iter check_name_of_type (List.map proxy params);
  let ty_manifest =
    match decl.type_manifest with
    | None -> None
    | Some ty ->
        let ty =
          (* Special hack to hide variant name *)
          match repr ty with {desc=Tvariant row} ->
            let row = row_repr row in
            begin match row.row_name with
              Some (Pident id', _) when Ident.same id id' ->
                newgenty (Tvariant {row with row_name = None})
            | _ -> ty
            end
          | _ -> ty
        in
        mark_loops ty;
        Some ty
  in
  begin match decl.type_kind with
  | Type_abstract -> ()
  | Type_variant ([], _) -> ()
  | Type_variant (cstrs, priv) ->
      List.iter (fun (_, args) -> List.iter mark_loops args) cstrs
  | Type_record(l, rep, priv) ->
      List.iter (fun (_, _, ty) -> mark_loops ty) l
  end;

  let type_param =
    function
    | Otyp_var (_, id) -> id
    | _ -> "?"
  in
  let type_defined decl =
    let abstr =
      match decl.type_kind with
        Type_abstract ->
          begin match decl.type_manifest with
            None -> true
          | Some ty -> has_constr_row ty
          end
      | Type_variant(_,p) | Type_record(_,_,p) ->
          p = Private
    in
    let vari =
      List.map2
        (fun ty (co,cn,ct) ->
          if abstr || (repr ty).desc <> Tvar then (co,cn) else (true,true))
        decl.type_params decl.type_variance
    in
    (Ident.name id,
     List.map2 (fun ty cocn -> type_param (tree_of_typexp false ty), cocn)
       params vari)
  in
  let tree_of_manifest ty1 =
    match ty_manifest with
    | None -> ty1
    | Some ty -> Otyp_manifest (tree_of_typexp false ty, ty1)
  in
  let (name, args) = type_defined decl in
  let constraints = tree_of_constraints params in
  let ty, priv =
    match decl.type_kind with
    | Type_abstract ->
        begin match ty_manifest with
        | None -> (Otyp_abstract, Public)
        | Some ty ->
            tree_of_typexp false ty,
            (if has_constr_row ty then Private else Public)
        end
    | Type_variant(cstrs, priv) ->
        tree_of_manifest (Otyp_sum (List.map tree_of_constructor cstrs)), priv
    | Type_record(lbls, rep, priv) ->
        tree_of_manifest (Otyp_record (List.map tree_of_label lbls)), priv
  in
  (name, args, ty, priv, constraints)

and tree_of_constructor (name, args) =
  (name, tree_of_typlist false args)

and tree_of_label (name, mut, arg) =
  (name, mut = Mutable, tree_of_typexp false arg)

let tree_of_type_declaration id decl rs =
  Osig_type (tree_of_type_decl id decl, tree_of_rec rs)

let type_declaration id ppf decl =
  !Oprint.out_sig_item ppf (tree_of_type_declaration id decl Trec_first)

(* Print an exception declaration *)

let tree_of_exception_declaration id decl =
  reset_and_mark_loops_list decl;
  let tyl = tree_of_typlist false decl in
  Osig_exception (Ident.name id, tyl)

let exception_declaration id ppf decl =
  !Oprint.out_sig_item ppf (tree_of_exception_declaration id decl)

(* Print a value declaration *)

let tree_of_value_description id decl =
  let id = Ident.name id in
  let ty = tree_of_type_scheme decl.val_type in
  let prims =
    match decl.val_kind with
    | Val_prim p -> Primitive.description_list p
    | _ -> []
  in
  Osig_value (id, ty, prims)

let value_description id ppf decl =
  !Oprint.out_sig_item ppf (tree_of_value_description id decl)

(* Print a class type *)

let class_var sch ppf l (m, t) =
  fprintf ppf
    "@ @[<2>val %s%s :@ %a@]" (string_of_mutable m) l (typexp sch 0) t

let method_type (_, kind, ty) =
  match field_kind_repr kind, repr ty with
    Fpresent, {desc=Tpoly(ty, _)} -> ty
  | _       , ty                  -> ty

let tree_of_metho sch concrete csil (lab, kind, ty) =
  if lab <> dummy_method then begin
    let kind = field_kind_repr kind in
    let priv = kind <> Fpresent in
    let virt = not (Concr.mem lab concrete) in
    let ty = method_type (lab, kind, ty) in
    Ocsg_method (lab, priv, virt, tree_of_typexp sch ty) :: csil
  end
  else csil

let rec prepare_class_type params = function
  | Tcty_constr (p, tyl, cty) ->
      let sty = Ctype.self_type cty in
      if List.memq (proxy sty) !visited_objects
      || List.exists (fun ty -> (repr ty).desc <> Tvar) params
      || List.exists (deep_occur sty) tyl
      then prepare_class_type params cty
      else List.iter mark_loops tyl
  | Tcty_signature sign ->
      let sty = repr sign.cty_self in
      (* Self may have a name *)
      let px = proxy sty in
      if List.memq px !visited_objects then add_alias sty
      else visited_objects := px :: !visited_objects;
      let (fields, _) =
        Ctype.flatten_fields (Ctype.object_fields sign.cty_self)
      in
      List.iter (fun met -> mark_loops (method_type met)) fields;
      Vars.iter (fun _ (_, _, ty) -> mark_loops ty) sign.cty_vars
  | Tcty_fun (_, ty, cty) ->
      mark_loops ty;
      prepare_class_type params cty

let rec tree_of_class_type sch params =
  function
  | Tcty_constr (p', tyl, cty) ->
      let sty = Ctype.self_type cty in
      if List.memq (proxy sty) !visited_objects
      || List.exists (fun ty -> (repr ty).desc <> Tvar) params
      then
        tree_of_class_type sch params cty
      else
        Octy_constr (tree_of_path p', tree_of_typlist true tyl)
  | Tcty_signature sign ->
      let sty = repr sign.cty_self in
      let self_ty =
        if is_aliased sty then
          Some (Otyp_var (false, name_of_type (proxy sty)))
        else None
      in
      let (fields, _) =
        Ctype.flatten_fields (Ctype.object_fields sign.cty_self)
      in
      let csil = [] in
      let csil =
        List.fold_left
          (fun csil (ty1, ty2) -> Ocsg_constraint (ty1, ty2) :: csil)
          csil (tree_of_constraints params)
      in
      let all_vars =
        Vars.fold (fun l (m, v, t) all -> (l, m, v, t) :: all) sign.cty_vars []
      in
      (* Consequence of PR#3607: order of Map.fold has changed! *)
      let all_vars = List.rev all_vars in
      let csil =
        List.fold_left
          (fun csil (l, m, v, t) ->
            Ocsg_value (l, m = Mutable, v = Virtual, tree_of_typexp sch t)
            :: csil)
          csil all_vars
      in
      let csil =
        List.fold_left (tree_of_metho sch sign.cty_concr) csil fields
      in
      Octy_signature (self_ty, List.rev csil)
  | Tcty_fun (l, ty, cty) ->
      let lab = if !print_labels && l <> "" || is_optional l then l else "" in
      let ty =
       if is_optional l then
         match (repr ty).desc with
         | Tconstr(path, [ty], _) when Path.same path Predef.path_option -> ty
         | _ -> newconstr (Path.Pident(Ident.create "")) []
       else ty in
      let tr = tree_of_typexp sch ty in
      Octy_fun (lab, tr, tree_of_class_type sch params cty)

let class_type ppf cty =
  reset ();
  prepare_class_type [] cty;
  !Oprint.out_class_type ppf (tree_of_class_type false [] cty)

let tree_of_class_param param variance =
  (match tree_of_typexp true param with
    Otyp_var (_, s) -> s
  | _ -> "?"),
  if (repr param).desc = Tvar then (true, true) else variance

let tree_of_class_params params =
  let tyl = tree_of_typlist true params in
  List.map (function Otyp_var (_, s) -> s | _ -> "?") tyl

let tree_of_class_declaration id cl rs =
  let params = filter_params cl.cty_params in

  reset ();
  List.iter add_alias params;
  prepare_class_type params cl.cty_type;
  let sty = self_type cl.cty_type in
  List.iter mark_loops params;

  List.iter check_name_of_type (List.map proxy params);
  if is_aliased sty then check_name_of_type (proxy sty);

  let vir_flag = cl.cty_new = None in
  Osig_class
    (vir_flag, Ident.name id,
     List.map2 tree_of_class_param params cl.cty_variance,
     tree_of_class_type true params cl.cty_type,
     tree_of_rec rs)

let class_declaration id ppf cl =
  !Oprint.out_sig_item ppf (tree_of_class_declaration id cl Trec_first)

let tree_of_cltype_declaration id cl rs =
  let params = List.map repr cl.clty_params in

  reset ();
  List.iter add_alias params;
  prepare_class_type params cl.clty_type;
  let sty = self_type cl.clty_type in
  List.iter mark_loops params;

  List.iter check_name_of_type (List.map proxy params);
  if is_aliased sty then check_name_of_type (proxy sty);

  let sign = Ctype.signature_of_class_type cl.clty_type in

  let virt =
    let (fields, _) =
      Ctype.flatten_fields (Ctype.object_fields sign.cty_self) in
    List.exists
      (fun (lab, _, ty) ->
         not (lab = dummy_method || Concr.mem lab sign.cty_concr))
      fields
    || Vars.fold (fun _ (_,vr,_) b -> vr = Virtual || b) sign.cty_vars false
  in

  Osig_class_type
    (virt, Ident.name id,
     List.map2 tree_of_class_param params cl.clty_variance,
     tree_of_class_type true params cl.clty_type,
     tree_of_rec rs)

let cltype_declaration id ppf cl =
  !Oprint.out_sig_item ppf (tree_of_cltype_declaration id cl Trec_first)

(* Print a module type *)

let rec tree_of_modtype = function
  | Tmty_ident p ->
      Omty_ident (tree_of_path p)
  | Tmty_signature sg ->
      Omty_signature (tree_of_signature sg)
  | Tmty_functor(param, ty_arg, ty_res) ->
      Omty_functor
        (Ident.name param, tree_of_modtype ty_arg, tree_of_modtype ty_res)

and tree_of_signature = function
  | [] -> []
  | Tsig_value(id, decl) :: rem ->
      tree_of_value_description id decl :: tree_of_signature rem
  | Tsig_type(id, _, _) :: rem when is_row_name (Ident.name id) ->
      tree_of_signature rem
  | Tsig_type(id, decl, rs) :: rem ->
      Osig_type(tree_of_type_decl id decl, tree_of_rec rs) ::
      tree_of_signature rem
  | Tsig_exception(id, decl) :: rem ->
      tree_of_exception_declaration id decl :: tree_of_signature rem
  | Tsig_module(id, mty, rs) :: rem ->
      Osig_module (Ident.name id, tree_of_modtype mty, tree_of_rec rs) ::
      tree_of_signature rem
  | Tsig_modtype(id, decl) :: rem ->
      tree_of_modtype_declaration id decl :: tree_of_signature rem
  | Tsig_class(id, decl, rs) :: ctydecl :: tydecl1 :: tydecl2 :: rem ->
      tree_of_class_declaration id decl rs :: tree_of_signature rem
  | Tsig_cltype(id, decl, rs) :: tydecl1 :: tydecl2 :: rem ->
      tree_of_cltype_declaration id decl rs :: tree_of_signature rem
  | _ ->
      assert false

and tree_of_modtype_declaration id decl =
  let mty =
    match decl with
    | Tmodtype_abstract -> Omty_abstract
    | Tmodtype_manifest mty -> tree_of_modtype mty
  in
  Osig_modtype (Ident.name id, mty)

let tree_of_module id mty rs =
  Osig_module (Ident.name id, tree_of_modtype mty, tree_of_rec rs)

let modtype ppf mty = !Oprint.out_module_type ppf (tree_of_modtype mty)
let modtype_declaration id ppf decl =
  !Oprint.out_sig_item ppf (tree_of_modtype_declaration id decl)

(* Print a signature body (used by -i when compiling a .ml) *)

let print_signature ppf tree =
  fprintf ppf "@[%a@]" !Oprint.out_signature tree

let signature ppf sg =
  fprintf ppf "%a" print_signature (tree_of_signature sg)

(* Print an unification error *)

let type_expansion t ppf t' =
  if t == t' then type_expr ppf t else
  let t' = if proxy t == proxy t' then unalias t' else t' in
  fprintf ppf "@[<2>%a@ =@ %a@]" type_expr t type_expr t'

let rec trace fst txt ppf = function
  | (t1, t1') :: (t2, t2') :: rem ->
      if not fst then fprintf ppf "@,";
      fprintf ppf "@[Type@;<1 2>%a@ %s@;<1 2>%a@] %a"
       (type_expansion t1) t1' txt (type_expansion t2) t2'
       (trace false txt) rem
  | _ -> ()

let rec filter_trace = function
  | (t1, t1') :: (t2, t2') :: rem ->
      let rem' = filter_trace rem in
      if t1 == t1' && t2 == t2'
      then rem'
      else (t1, t1') :: (t2, t2') :: rem'
  | _ -> []

(* Hide variant name and var, to force printing the expanded type *)
let hide_variant_name t =
  match repr t with
  | {desc = Tvariant row} as t when (row_repr row).row_name <> None ->
      newty2 t.level
        (Tvariant {(row_repr row) with row_name = None;
                   row_more = newty2 (row_more row).level Tvar})
  | _ -> t

let prepare_expansion (t, t') =
  let t' = hide_variant_name t' in
  mark_loops t; if t != t' then mark_loops t';
  (t, t')

let may_prepare_expansion compact (t, t') =
  match (repr t').desc with
    Tvariant _ | Tobject _ when compact ->
      mark_loops t; (t, t)
  | _ -> prepare_expansion (t, t')

let print_tags ppf fields =
  match fields with [] -> ()
  | (t, _) :: fields ->
      fprintf ppf "`%s" t;
      List.iter (fun (t, _) -> fprintf ppf ",@ `%s" t) fields

let has_explanation unif t3 t4 =
  match t3.desc, t4.desc with
    Tfield _, _ | _, Tfield _
  | Tunivar, Tvar | Tvar, Tunivar
  | Tvariant _, Tvariant _ -> true
  | Tconstr (p, _, _), Tvar | Tvar, Tconstr (p, _, _) ->
      unif && min t3.level t4.level < Path.binding_time p
  | _ -> false

let rec mismatch unif = function
    (_, t) :: (_, t') :: rem ->
      begin match mismatch unif rem with
        Some _ as m -> m
      | None ->
          if has_explanation unif t t' then Some(t,t') else None
      end
  | [] -> None
  | _ -> assert false

let explanation unif t3 t4 ppf =
  match t3.desc, t4.desc with
  | Tfield _, Tvar | Tvar, Tfield _ ->
      fprintf ppf "@,Self type cannot escape its class"
  | Tconstr (p, _, _), Tvar
    when unif && t4.level < Path.binding_time p ->
      fprintf ppf
        "@,@[The type constructor@;<1 2>%a@ would escape its scope@]"
        path p
  | Tvar, Tconstr (p, _, _)
    when unif && t3.level < Path.binding_time p ->
      fprintf ppf
        "@,@[The type constructor@;<1 2>%a@ would escape its scope@]"
        path p
  | Tvar, Tunivar | Tunivar, Tvar ->
      fprintf ppf "@,The universal variable %a would escape its scope"
        type_expr (if t3.desc = Tunivar then t3 else t4)
  | Tfield (lab, _, _, _), _
  | _, Tfield (lab, _, _, _) when lab = dummy_method ->
      fprintf ppf
        "@,Self type cannot be unified with a closed object type"
  | Tfield (l, _, _, _), Tfield (l', _, _, _) when l = l' ->
      fprintf ppf "@,Types for method %s are incompatible" l
  | _, Tfield (l, _, _, _) ->
      fprintf ppf
        "@,@[The first object type has no method %s@]" l
  | Tfield (l, _, _, _), _ ->
      fprintf ppf
        "@,@[The second object type has no method %s@]" l
  | Tvariant row1, Tvariant row2 ->
      let row1 = row_repr row1 and row2 = row_repr row2 in
      begin match
        row1.row_fields, row1.row_closed, row2.row_fields, row2.row_closed with
      | [], true, [], true ->
          fprintf ppf "@,These two variant types have no intersection"
      | [], true, fields, _ ->
          fprintf ppf
            "@,@[The first variant type does not allow tag(s)@ @[%a@]@]"
            print_tags fields
      | fields, _, [], true ->
          fprintf ppf
            "@,@[The second variant type does not allow tag(s)@ @[%a@]@]"
            print_tags fields
      | [l1,_], true, [l2,_], true when l1 = l2 ->
          fprintf ppf "@,Types for tag `%s are incompatible" l1
      | _ -> ()
      end
  | _ -> ()

let explanation unif mis ppf =
  match mis with
    None -> ()
  | Some (t3, t4) -> explanation unif t3 t4 ppf

let unification_error unif tr txt1 ppf txt2 =
  reset ();
  let tr = List.map (fun (t, t') -> (t, hide_variant_name t')) tr in
  let mis = mismatch unif tr in
  match tr with
  | [] | _ :: [] -> assert false
  | t1 :: t2 :: tr ->
    try
      let tr = filter_trace tr in
      let t1, t1' = may_prepare_expansion (tr = []) t1
      and t2, t2' = may_prepare_expansion (tr = []) t2 in
      print_labels := not !Clflags.classic;
      let tr = List.map prepare_expansion tr in
      fprintf ppf
        "@[\
          @[%t@;<1 2>%a@ \
            %t@;<1 2>%a\
          @]%a%t\
         @]"
        txt1 (type_expansion t1) t1'
        txt2 (type_expansion t2) t2'
        (trace false "is not compatible with type") tr
        (explanation unif mis);
      print_labels := true
    with exn ->
      print_labels := true;
      raise exn

let report_unification_error ppf tr txt1 txt2 =
  unification_error true tr txt1 ppf txt2;;

let trace fst txt ppf tr =
  print_labels := not !Clflags.classic;
  try match tr with
    t1 :: t2 :: tr' ->
      if fst then trace fst txt ppf (t1 :: t2 :: filter_trace tr')
      else trace fst txt ppf (filter_trace tr);
      print_labels := true
  | _ -> ()
  with exn ->
    print_labels := true;
    raise exn

let report_subtyping_error ppf tr1 txt1 tr2 =
  reset ();
  let tr1 = List.map prepare_expansion tr1
  and tr2 = List.map prepare_expansion tr2 in
  trace true txt1 ppf tr1;
  if tr2 = [] then () else
  let mis = mismatch true tr2 in
  trace false "is not compatible with type" ppf tr2;
  explanation true mis ppf
why-2.34/ml/typing/typetexp.ml0000644000175000017500000004746712311670312014775 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* typetexp.ml,v 1.34.4.9 2002/01/07 08:39:16 garrigue Exp *)

(* Typechecking of type expressions for the core language *)

open Misc
open Parsetree
open Types
open Ctype

exception Already_bound

type error =
    Unbound_type_variable of string
  | Unbound_type_constructor of Longident.t
  | Unbound_type_constructor_2 of Path.t
  | Type_arity_mismatch of Longident.t * int * int
  | Bound_type_variable of string
  | Recursive_type
  | Unbound_class of Longident.t
  | Unbound_row_variable of Longident.t
  | Type_mismatch of (type_expr * type_expr) list
  | Alias_type_mismatch of (type_expr * type_expr) list
  | Present_has_conjunction of string
  | Present_has_no_type of string
  | Constructor_mismatch of type_expr * type_expr
  | Not_a_variant of type_expr
  | Variant_tags of string * string
  | Invalid_variable_name of string
  | Cannot_quantify of string * type_expr

exception Error of Location.t * error

type variable_context = int * (string, type_expr) Tbl.t

(* Translation of type expressions *)

let type_variables = ref (Tbl.empty : (string, type_expr) Tbl.t)
let univars        = ref ([] : (string * type_expr) list)
let pre_univars    = ref ([] : type_expr list)
let used_variables = ref (Tbl.empty : (string, type_expr * Location.t) Tbl.t)

let reset_type_variables () =
  reset_global_level ();
  type_variables := Tbl.empty

let narrow () =
  (increase_global_level (), !type_variables)

let widen (gl, tv) =
  restore_global_level gl;
  type_variables := tv

let enter_type_variable strict loc name =
  try
    if name <> "" && name.[0] = '_' then
      raise (Error (loc, Invalid_variable_name ("'" ^ name)));
    let v = Tbl.find name !type_variables in
    if strict then raise Already_bound;
    v
  with Not_found ->
    let v = new_global_var() in
    type_variables := Tbl.add name v !type_variables;
    v

let type_variable loc name =
  try
    Tbl.find name !type_variables
  with Not_found ->
    raise(Error(loc, Unbound_type_variable ("'" ^ name)))

let wrap_method ty =
  match (Ctype.repr ty).desc with
    Tpoly _ -> ty
  | _ -> Ctype.newty (Tpoly (ty, []))

let new_pre_univar () =
  let v = newvar () in pre_univars := v :: !pre_univars; v

let rec swap_list = function
    x :: y :: l -> y :: x :: swap_list l
  | l -> l

type policy = Fixed | Extensible | Univars

let rec transl_type env policy styp =
  match styp.ptyp_desc with
    Ptyp_any ->
      if policy = Univars then new_pre_univar () else
      if policy = Fixed then
        raise (Error (styp.ptyp_loc, Unbound_type_variable "_"))
      else newvar ()
  | Ptyp_var name ->
      if name <> "" && name.[0] = '_' then
        raise (Error (styp.ptyp_loc, Invalid_variable_name ("'" ^ name)));
      begin try
        instance (List.assoc name !univars)
      with Not_found -> try
        instance (fst(Tbl.find name !used_variables))
      with Not_found ->
        let v =
          if policy = Univars then new_pre_univar () else newvar () in
        used_variables := Tbl.add name (v, styp.ptyp_loc) !used_variables;
        v
      end
  | Ptyp_arrow(l, st1, st2) ->
      let ty1 = transl_type env policy st1 in
      let ty2 = transl_type env policy st2 in
      newty (Tarrow(l, ty1, ty2, Cok))
  | Ptyp_tuple stl ->
      newty (Ttuple(List.map (transl_type env policy) stl))
  | Ptyp_constr(lid, stl) ->
      let (path, decl) =
        try
          Env.lookup_type lid env
        with Not_found ->
          raise(Error(styp.ptyp_loc, Unbound_type_constructor lid)) in
      if List.length stl <> decl.type_arity then
        raise(Error(styp.ptyp_loc, Type_arity_mismatch(lid, decl.type_arity,
                                                           List.length stl)));
      let args = List.map (transl_type env policy) stl in
      let params = Ctype.instance_list decl.type_params in
      let unify_param =
        match decl.type_manifest with
          None -> unify_var
        | Some ty ->
            if (repr ty).level = Btype.generic_level then unify_var else unify
      in
      List.iter2
        (fun (sty, ty) ty' ->
           try unify_param env ty' ty with Unify trace ->
             raise (Error(sty.ptyp_loc, Type_mismatch (swap_list trace))))
        (List.combine stl args) params;
      let constr = newconstr path args in
      begin try
        Ctype.enforce_constraints env constr
      with Unify trace ->
        raise (Error(styp.ptyp_loc, Type_mismatch trace))
      end;
      constr
  | Ptyp_object fields ->
      newobj (transl_fields env policy fields)
  | Ptyp_class(lid, stl, present) ->
      let (path, decl, is_variant) =
        try
          let (path, decl) = Env.lookup_type lid env in
          let rec check decl =
            match decl.type_manifest with
              None -> raise Not_found
            | Some ty ->
                match (repr ty).desc with
                  Tvariant row when Btype.static_row row -> ()
                | Tconstr (path, _, _) ->
                    check (Env.find_type path env)
                | _ -> raise Not_found
          in check decl;
          Location.prerr_warning styp.ptyp_loc Warnings.Deprecated;
          (path, decl,true)
        with Not_found -> try
          if present <> [] then raise Not_found;
          let lid2 =
            match lid with
              Longident.Lident s     -> Longident.Lident ("#" ^ s)
            | Longident.Ldot(r, s)   -> Longident.Ldot (r, "#" ^ s)
            | Longident.Lapply(_, _) -> fatal_error "Typetexp.transl_type"
          in
          let (path, decl) = Env.lookup_type lid2 env in
          (path, decl, false)
        with Not_found ->
          raise(Error(styp.ptyp_loc, Unbound_class lid))
      in
      if List.length stl <> decl.type_arity then
        raise(Error(styp.ptyp_loc, Type_arity_mismatch(lid, decl.type_arity,
                                                       List.length stl)));
      let args = List.map (transl_type env policy) stl in
      let params = Ctype.instance_list decl.type_params in
      List.iter2
        (fun (sty, ty) ty' ->
           try unify_var env ty' ty with Unify trace ->
             raise (Error(sty.ptyp_loc, Type_mismatch (swap_list trace))))
        (List.combine stl args) params;
      let ty =
        try Ctype.expand_head env (newconstr path args)
        with Unify trace ->
          raise (Error(styp.ptyp_loc, Type_mismatch trace))
      in
      begin match ty.desc with
        Tvariant row ->
          let row = Btype.row_repr row in
          List.iter
            (fun l -> if not (List.mem_assoc l row.row_fields) then
              raise(Error(styp.ptyp_loc, Present_has_no_type l)))
            present;
          let bound = ref row.row_bound in
          let fields =
            List.map
              (fun (l,f) -> l,
                if List.mem l present then f else
                match Btype.row_field_repr f with
                | Rpresent (Some ty) ->
                    bound := ty :: !bound;
                    Reither(false, [ty], false, ref None)
                | Rpresent None ->
                    Reither (true, [], false, ref None)
                | _ -> f)
              row.row_fields
          in
          let row = { row_closed = true; row_fields = fields;
                      row_bound = !bound; row_name = Some (path, args);
                      row_fixed = false; row_more = newvar () } in
          let static = Btype.static_row row in
          let row =
            if static || policy <> Univars then row
            else { row with row_more = new_pre_univar () }
          in
          newty (Tvariant row)
      | Tobject (fi, _) ->
          let _, tv = flatten_fields fi in
          if policy = Univars then pre_univars := tv :: !pre_univars;
          ty
      | _ ->
          assert false
      end
  | Ptyp_alias(st, alias) ->
      begin
        try
          let t =
            try List.assoc alias !univars
            with Not_found ->
              instance (fst(Tbl.find alias !used_variables))
          in
          let ty = transl_type env policy st in
          begin try unify_var env t ty with Unify trace ->
            let trace = swap_list trace in
            raise(Error(styp.ptyp_loc, Alias_type_mismatch trace))
          end;
          ty
        with Not_found ->
          if !Clflags.principal then begin_def ();
          let t = newvar () in
          used_variables := Tbl.add alias (t, styp.ptyp_loc) !used_variables;
          let ty = transl_type env policy st in
          begin try unify_var env t ty with Unify trace ->
            let trace = swap_list trace in
            raise(Error(styp.ptyp_loc, Alias_type_mismatch trace))
          end;
          if !Clflags.principal then begin
            end_def ();
            generalize_structure t;
          end;
          instance t
      end
  | Ptyp_variant(fields, closed, present) ->
      let bound = ref [] and name = ref None in
      let mkfield l f =
        newty (Tvariant {row_fields=[l,f]; row_more=newvar();
                         row_bound=[]; row_closed=true;
                         row_fixed=false; row_name=None}) in
      let add_typed_field loc l f fields =
        try
          let f' = List.assoc l fields in
          let ty = mkfield l f and ty' = mkfield l f' in
          if equal env false [ty] [ty'] then fields else
          try unify env ty ty'; fields
          with Unify trace -> raise(Error(loc, Constructor_mismatch (ty,ty')))
        with Not_found ->
          (l, f) :: fields
      in
      let rec add_field fields = function
          Rtag (l, c, stl) ->
            name := None;
            let f = match present with
              Some present when not (List.mem l present) ->
                let tl = List.map (transl_type env policy) stl in
                bound := tl @ !bound;
                Reither(c, tl, false, ref None)
            | _ ->
                if List.length stl > 1 || c && stl <> [] then
                  raise(Error(styp.ptyp_loc, Present_has_conjunction l));
                match stl with [] -> Rpresent None
                | st :: _ -> Rpresent (Some(transl_type env policy st))
            in
            add_typed_field styp.ptyp_loc l f fields
        | Rinherit sty ->
            let ty = transl_type env policy sty in
            let nm =
              match repr ty with
                {desc=Tconstr(p, tl, _)} -> Some(p, tl)
              | _                        -> None
            in
            name := if fields = [] then nm else None;
            let fl = match expand_head env ty, nm with
              {desc=Tvariant row}, _ when Btype.static_row row ->
                let row = Btype.row_repr row in
                row.row_fields
            | {desc=Tvar}, Some(p, _) ->
                raise(Error(sty.ptyp_loc, Unbound_type_constructor_2 p)) 
            | _ ->
                raise(Error(sty.ptyp_loc, Not_a_variant ty))
            in
            List.fold_left
              (fun fields (l, f) ->
                let f = match present with
                  Some present when not (List.mem l present) ->
                    begin match f with
                      Rpresent(Some ty) ->
                        bound := ty :: !bound;
                        Reither(false, [ty], false, ref None)
                    | Rpresent None ->
                        Reither(true, [], false, ref None)
                    | _ ->
                        assert false
                    end
                | _ -> f
                in
                add_typed_field sty.ptyp_loc l f fields)
              fields fl
      in
      let fields = List.fold_left add_field [] fields in
      begin match present with None -> ()
      | Some present ->
          List.iter
            (fun l -> if not (List.mem_assoc l fields) then
              raise(Error(styp.ptyp_loc, Present_has_no_type l)))
            present
      end;
      (* Check for tag conflicts *)
      let ht = Hashtbl.create (List.length fields + 1) in
      List.iter
        (fun (l,_) ->
          let h = Btype.hash_variant l in
          try
            let l' = Hashtbl.find ht h in
            if l <> l' then raise(Error(styp.ptyp_loc, Variant_tags(l, l')))
          with Not_found ->
            Hashtbl.add ht h l)
        fields;
      let row =
        { row_fields = List.rev fields; row_more = newvar ();
          row_bound = !bound; row_closed = closed;
          row_fixed = false; row_name = !name } in
      let static = Btype.static_row row in
      let row =
        if static || policy <> Univars then row
        else { row with row_more = new_pre_univar () }
      in
      newty (Tvariant row)
  | Ptyp_poly(vars, st) ->
      begin_def();
      let new_univars = List.map (fun name -> name, newvar()) vars in
      let old_univars = !univars in
      univars := new_univars @ !univars;
      let ty = transl_type env policy st in
      univars := old_univars;
      end_def();
      generalize ty;
      let ty_list =
        List.fold_left
          (fun tyl (name, ty1) ->
            let v = Btype.proxy ty1 in
            if deep_occur v ty then begin
              if v.level <> Btype.generic_level || v.desc <> Tvar then
                raise (Error (styp.ptyp_loc, Cannot_quantify (name, v)));
              v.desc <- Tunivar;
              v :: tyl
            end else tyl)
          [] new_univars
      in
      let ty' = Btype.newgenty (Tpoly(ty, List.rev ty_list)) in
      unify_var env (newvar()) ty';
      ty'

and transl_fields env policy =
  function
    [] ->
      newty Tnil
  | {pfield_desc = Pfield_var}::_ ->
      if policy = Univars then new_pre_univar () else newvar ()
  | {pfield_desc = Pfield(s, e)}::l ->
      let ty1 = transl_type env policy e in
      let ty2 = transl_fields env policy l in
        newty (Tfield (s, Fpresent, ty1, ty2))


(* Make the rows "fixed" in this type, to make universal check easier *)
let rec make_fixed_univars ty =
  let ty = repr ty in
  if ty.level >= Btype.lowest_level then begin
    Btype.mark_type_node ty;
    match ty.desc with
    | Tvariant row ->
        let row = Btype.row_repr row in
        if (Btype.row_more row).desc = Tunivar then
          ty.desc <- Tvariant
              {row with row_fixed=true;
               row_fields = List.map
                 (fun (s,f as p) -> match Btype.row_field_repr f with
                   Reither (c, tl, m, r) -> s, Reither (c, tl, true, r)
                 | _ -> p)
                 row.row_fields};
        Btype.iter_row make_fixed_univars row
    | _ ->
        Btype.iter_type_expr make_fixed_univars ty
  end

let make_fixed_univars ty =
  make_fixed_univars ty;
  Btype.unmark_type ty

let globalize_used_variables env fixed =
  let r = ref [] in
  Tbl.iter
    (fun name (ty, loc) ->
      let v = new_global_var () in
      let snap = Btype.snapshot () in
      if try unify env v ty; true with _ -> Btype.backtrack snap; false
      then try
        r := (loc, v,  Tbl.find name !type_variables) :: !r
      with Not_found ->
        if fixed && (repr ty).desc = Tvar then
          raise(Error(loc, Unbound_type_variable ("'"^name)));
        let v2 = new_global_var () in
        r := (loc, v, v2) :: !r;
        type_variables := Tbl.add name v2 !type_variables)
    !used_variables;
  used_variables := Tbl.empty;
  fun () ->
    List.iter
      (function (loc, t1, t2) ->
        try unify env t1 t2 with Unify trace ->
          raise (Error(loc, Type_mismatch trace)))
      !r

let transl_simple_type env fixed styp =
  univars := []; used_variables := Tbl.empty;
  let typ = transl_type env (if fixed then Fixed else Extensible) styp in
  globalize_used_variables env fixed ();
  make_fixed_univars typ;
  typ

let transl_simple_type_univars env styp =
  univars := []; used_variables := Tbl.empty; pre_univars := [];
  begin_def ();
  let typ = transl_type env Univars styp in
  (* Only keep already global variables in used_variables *)
  let new_variables = !used_variables in
  used_variables := Tbl.empty;
  Tbl.iter
    (fun name p ->
      if Tbl.mem name !type_variables then
        used_variables := Tbl.add name p !used_variables)
    new_variables;
  globalize_used_variables env false ();
  end_def ();
  generalize typ;
  let univs =
    List.fold_left
      (fun acc v ->
        let v = repr v in
        if v.level <> Btype.generic_level || v.desc <> Tvar then acc
        else (v.desc <- Tunivar ; v :: acc))
      [] !pre_univars
  in
  make_fixed_univars typ;
  instance (Btype.newgenty (Tpoly (typ, univs)))

let transl_simple_type_delayed env styp =
  univars := []; used_variables := Tbl.empty;
  let typ = transl_type env Extensible styp in
  (typ, globalize_used_variables env false)

let transl_type_scheme env styp =
  reset_type_variables();
  begin_def();
  let typ = transl_simple_type env false styp in
  end_def();
  generalize typ;
  typ

(* Error report *)

open Format
open Printtyp

let report_error ppf = function
  | Unbound_type_variable name ->
      fprintf ppf "Unbound type parameter %s" name
  | Unbound_type_constructor lid ->
      fprintf ppf "Unbound type constructor %a" longident lid
  | Unbound_type_constructor_2 p ->
      fprintf ppf "The type constructor@ %a@ is not yet completely defined"
        path p
  | Type_arity_mismatch(lid, expected, provided) ->
      fprintf ppf
       "@[The type constructor %a@ expects %i argument(s),@ \
        but is here applied to %i argument(s)@]"
       longident lid expected provided
  | Bound_type_variable name ->
      fprintf ppf "Already bound type parameter '%s" name
  | Recursive_type ->
      fprintf ppf "This type is recursive"
  | Unbound_class lid ->
      fprintf ppf "Unbound class %a" longident lid
  | Unbound_row_variable lid ->
      fprintf ppf "Unbound row variable in #%a" longident lid
  | Type_mismatch trace ->
      Printtyp.unification_error true trace
        (function ppf ->
           fprintf ppf "This type")
        ppf
        (function ppf ->
           fprintf ppf "should be an instance of type")
  | Alias_type_mismatch trace ->
      Printtyp.unification_error true trace
        (function ppf ->
           fprintf ppf "This alias is bound to type")
        ppf
        (function ppf ->
           fprintf ppf "but is used as an instance of type")
  | Present_has_conjunction l ->
      fprintf ppf "The present constructor %s has a conjunctive type" l
  | Present_has_no_type l ->
      fprintf ppf "The present constructor %s has no type" l
  | Constructor_mismatch (ty, ty') ->
      Printtyp.reset_and_mark_loops_list [ty; ty'];
      fprintf ppf "@[%s %a@ %s@ %a@]"
        "This variant type contains a constructor"
        Printtyp.type_expr ty
        "which should be"
        Printtyp.type_expr ty'
  | Not_a_variant ty ->
      Printtyp.reset_and_mark_loops ty;
      fprintf ppf "@[The type %a@ is not a polymorphic variant type@]"
        Printtyp.type_expr ty
  | Variant_tags (lab1, lab2) ->
      fprintf ppf
        "Variant tags `%s@ and `%s have same hash value.@ Change one of them."
        lab1 lab2
  | Invalid_variable_name name ->
      fprintf ppf "The type variable name %s is not allowed in programs" name
  | Cannot_quantify (name, v) ->
      fprintf ppf "This type scheme cannot quantify '%s :@ %s." name
        (if v.desc = Tvar then "it escapes this scope" else
         if v.desc = Tunivar then "it is aliased to another variable"
         else "it is not a variable")
why-2.34/ml/typing/mtype.mli0000644000175000017500000000407212311670312014403 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: mtype.mli,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Operations on module types *)

open Types

val scrape: Env.t -> module_type -> module_type
        (* Expand toplevel module type abbreviations
           till hitting a "hard" module type (signature, functor,
           or abstract module type ident. *)
val freshen: module_type -> module_type
        (* Return an alpha-equivalent copy of the given module type
           where bound identifiers are fresh. *)
val strengthen: Env.t -> module_type -> Path.t -> module_type
        (* Strengthen abstract type components relative to the
           given path. *)
val nondep_supertype: Env.t -> Ident.t -> module_type -> module_type
        (* Return the smallest supertype of the given type
           in which the given ident does not appear.
           Raise [Not_found] if no such type exists. *)
val no_code_needed: Env.t -> module_type -> bool
val no_code_needed_sig: Env.t -> signature -> bool
        (* Determine whether a module needs no implementation code,
           i.e. consists only of type definitions. *)
val enrich_modtype: Env.t -> Path.t -> module_type -> module_type
val enrich_typedecl: Env.t -> Path.t -> type_declaration -> type_declaration
val type_paths: Env.t -> Path.t -> module_type -> Path.t list
why-2.34/ml/typing/primitive.mli0000644000175000017500000000256712311670312015264 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: primitive.mli,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Description of primitive functions *)

type description =
  { prim_name: string;         (* Name of primitive  or C function *)
    prim_arity: int;           (* Number of arguments *)
    prim_alloc: bool;          (* Does it allocates or raise? *)
    prim_native_name: string;  (* Name of C function for the nat. code gen. *)
    prim_native_float: bool }  (* Does the above operate on unboxed floats? *)

val parse_declaration: int -> string list -> description

val description_list: description -> string list
why-2.34/ml/typing/oprint.mli0000644000175000017500000000244712311670312014564 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*                  Projet Cristal, INRIA Rocquencourt                 *)
(*                                                                     *)
(*  Copyright 2002 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: oprint.mli,v 1.2 2008-02-19 15:53:36 bardou Exp $ *)

open Format
open Outcometree2

val out_value : (formatter -> out_value -> unit) ref
val out_type : (formatter -> out_type -> unit) ref
val out_class_type : (formatter -> out_class_type -> unit) ref
val out_module_type : (formatter -> out_module_type -> unit) ref
val out_sig_item : (formatter -> out_sig_item -> unit) ref
val out_signature : (formatter -> out_sig_item list -> unit) ref
val out_phrase : (formatter -> out_phrase -> unit) ref
why-2.34/ml/typing/btype.mli0000644000175000017500000001354012311670312014370 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: btype.mli,v 1.1 2007-11-30 10:16:43 bardou Exp $ *)

(* Basic operations on core types *)

open Asttypes
open Types

val generic_level: int

val newty2: int -> type_desc -> type_expr
        (* Create a type *)
val newgenty: type_desc -> type_expr
        (* Create a generic type *)
val newgenvar: unit -> type_expr
        (* Return a fresh generic variable *)

(* Use Tsubst instead
val newmarkedvar: int -> type_expr
        (* Return a fresh marked variable *)
val newmarkedgenvar: unit -> type_expr
        (* Return a fresh marked generic variable *)
*)

val repr: type_expr -> type_expr
        (* Return the canonical representative of a type. *)

val field_kind_repr: field_kind -> field_kind
        (* Return the canonical representative of an object field
           kind. *)

val commu_repr: commutable -> commutable
        (* Return the canonical representative of a commutation lock *)

val row_repr: row_desc -> row_desc
        (* Return the canonical representative of a row description *)
val row_field_repr: row_field -> row_field
val row_field: label -> row_desc -> row_field
        (* Return the canonical representative of a row field *)
val row_more: row_desc -> type_expr
        (* Return the extension variable of the row *)
val static_row: row_desc -> bool
        (* Return whether the row is static or not *)
val hash_variant: label -> int
        (* Hash function for variant tags *)

val proxy: type_expr -> type_expr
        (* Return the proxy representative of the type: either itself
           or a row variable *)

(**** Utilities for private types ****)
val has_constr_row: type_expr -> bool
val is_row_name: string -> bool

(**** Utilities for type traversal ****)

val iter_type_expr: (type_expr -> unit) -> type_expr -> unit
        (* Iteration on types *)
val iter_row: (type_expr -> unit) -> row_desc -> unit
        (* Iteration on types in a row *)
val iter_abbrev: (type_expr -> unit) -> abbrev_memo -> unit
        (* Iteration on types in an abbreviation list *)

val copy_type_desc: (type_expr -> type_expr) -> type_desc -> type_desc
        (* Copy on types *)
val copy_row:
    (type_expr -> type_expr) ->
    bool -> row_desc -> bool -> type_expr -> row_desc
val copy_kind: field_kind -> field_kind

val save_desc: type_expr -> type_desc -> unit
        (* Save a type description *)
val dup_kind: field_kind option ref -> unit
        (* Save a None field_kind, and make it point to a fresh Fvar *)
val cleanup_types: unit -> unit
        (* Restore type descriptions *)

val lowest_level: int
        (* Marked type: ty.level < lowest_level *)
val pivot_level: int
        (* Type marking: ty.level <- pivot_level - ty.level *)
val mark_type: type_expr -> unit
        (* Mark a type *)
val mark_type_node: type_expr -> unit
        (* Mark a type node (but not its sons) *)
val mark_type_params: type_expr -> unit
        (* Mark the sons of a type node *)
val unmark_type: type_expr -> unit
val unmark_type_decl: type_declaration -> unit
val unmark_class_type: class_type -> unit
val unmark_class_signature: class_signature -> unit
        (* Remove marks from a type *)

(**** Memorization of abbreviation expansion ****)

val find_expans: Path.t -> abbrev_memo -> type_expr option
        (* Look up a memorized abbreviation *)
val cleanup_abbrev: unit -> unit
        (* Flush the cache of abbreviation expansions.
           When some types are saved (using [output_value]), this
           function MUST be called just before. *)
val memorize_abbrev:
        abbrev_memo ref -> Path.t -> type_expr -> type_expr -> unit
        (* Add an expansion in the cache *)
val forget_abbrev:
        abbrev_memo ref -> Path.t -> unit
        (* Remove an abbreviation from the cache *)

(**** Utilities for labels ****)

val is_optional : label -> bool
val label_name : label -> label
val extract_label :
    label -> (label * 'a) list ->
    label * 'a * (label * 'a) list * (label * 'a) list
    (* actual label, value, before list, after list *)

(**** Utilities for backtracking ****)

type snapshot
        (* A snapshot for backtracking *)
val snapshot: unit -> snapshot
        (* Make a snapshot for later backtracking. Costs nothing *)
val backtrack: snapshot -> unit
        (* Backtrack to a given snapshot. Only possible if you have
           not already backtracked to a previous snapshot.
           Calls [cleanup_abbrev] internally *)

(* Functions to use when modifying a type (only Ctype?) *)
val link_type: type_expr -> type_expr -> unit
        (* Set the desc field of [t1] to [Tlink t2], logging the old
           value if there is an active snapshot *)
val set_level: type_expr -> int -> unit
val set_name:
    (Path.t * type_expr list) option ref ->
    (Path.t * type_expr list) option -> unit
val set_row_field: row_field option ref -> row_field -> unit
val set_univar: type_expr option ref -> type_expr -> unit
val set_kind: field_kind option ref -> field_kind -> unit
val set_commu: commutable ref -> commutable -> unit
        (* Set references, logging the old value *)
val log_type: type_expr -> unit
        (* Log the old value of a type, before modifying it by hand *)
why-2.34/ml/ml_pattern.mli0000644000175000017500000000724112311670312014101 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(** Interpretation of patterns. *)

(** Translate an OCaml pattern to a Jessie pattern. Return the environment
extended with the variables bound by the pattern. *)
val pattern: Ml_env.t -> Ml_ocaml.Typedtree.pattern -> Ml_env.t * Jc_ast.pattern

(** Translate an OCaml pattern to a Jessie pattern-matching term with
a single case.
The second argument is used to get the body of the pattern; its argument is
the environment in which the body should be typed (with the variables bound
by the pattern).
Return value is [vi, t] where [vi] is a Jc_env.var_info which should be bound
to the argument of the pattern-matching. *)
val pattern_term: Ml_env.t -> (Ml_env.t -> Jc_ast.term) ->
  Ml_ocaml.Typedtree.pattern -> Jc_env.var_info * Jc_ast.term

(** Same as [pattern_term] but with a list of arguments instead. *)
val pattern_list_term: Ml_env.t -> (Ml_env.t -> Jc_ast.term) ->
  Ml_ocaml.Typedtree.pattern list -> Jc_env.var_info list * Jc_ast.term

(** Same as [pattern_term] but for assertions. *)
val pattern_assertion: Ml_env.t -> (Ml_env.t -> Jc_ast.assertion) ->
  Ml_ocaml.Typedtree.pattern -> Jc_env.var_info * Jc_ast.assertion

(** Same as [pattern_list_term] but for assertions. *)
val pattern_list_assertion: Ml_env.t -> (Ml_env.t -> Jc_ast.assertion) ->
  Ml_ocaml.Typedtree.pattern list -> Jc_env.var_info list * Jc_ast.assertion

(*
Local Variables: 
compile-command: "unset LANG; make -j -C .. bin/jessica.opt"
End: 
*)
why-2.34/ml/utils/0000755000175000017500000000000012311670312012365 5ustar  rtuserswhy-2.34/ml/utils/consistbl.mli0000644000175000017500000000525512311670312015077 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 2002 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: consistbl.mli,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* Consistency tables: for checking consistency of module CRCs *)

type t

val create: unit -> t

val clear: t -> unit

val check: t -> string -> Digest.t -> string -> unit
      (* [check tbl name crc source]
           checks consistency of ([name], [crc]) with infos previously
           stored in [tbl].  If no CRC was previously associated with
           [name], record ([name], [crc]) in [tbl].
           [source] is the name of the file from which the information
           comes from.  This is used for error reporting. *)

val check_noadd: t -> string -> Digest.t -> string -> unit
      (* Same as [check], but raise [Not_available] if no CRC was previously
           associated with [name]. *)

val set: t -> string -> Digest.t -> string -> unit
      (* [set tbl name crc source] forcefully associates [name] with
         [crc] in [tbl], even if [name] already had a different CRC
         associated with [name] in [tbl]. *)

val source: t -> string -> string
      (* [source tbl name] returns the file name associated with [name]
         if the latter has an associated CRC in [tbl].
         Raise [Not_found] otherwise. *)

val extract: t -> (string * Digest.t) list
      (* Return all bindings ([name], [crc]) contained in the given
         table. *)

val filter: (string -> bool) -> t -> unit
      (* [filter pred tbl] removes from [tbl] table all (name, CRC) pairs
         such that [pred name] is [false]. *)

exception Inconsistency of string * string * string
      (* Raised by [check] when a CRC mismatch is detected.
         First string is the name of the compilation unit.
         Second string is the source that caused the inconsistency.
         Third string is the source that set the CRC. *)

exception Not_available of string
      (* Raised by [check_noadd] when a name doesn't have an associated CRC. *)
why-2.34/ml/utils/config.ml0000644000175000017500000000721012311670312014164 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: config.ml,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* The main OCaml version string has moved to ../VERSION *)
let version = Sys.ocaml_version

let standard_library_default = "/usr/local/lib/ocaml"

let standard_library =
  try
    Sys.getenv "OCAMLLIB"
  with Not_found ->
  try
    Sys.getenv "CAMLLIB"
  with Not_found ->
    standard_library_default

let standard_runtime = "/usr/local/bin/ocamlrun"
let ccomp_type = "cc"
let bytecomp_c_compiler = "gcc -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT -fPIC"
let bytecomp_c_linker = "gcc -Wl,-E"
let bytecomp_c_libraries = "-lm  -ldl -lcurses -lpthread"
let native_c_compiler = "gcc -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT"
let native_c_linker = "gcc "
let native_c_libraries = "-lm  -ldl"
let native_partial_linker = "ld -r "
let native_pack_linker = "ld -r  -o "
let ranlib = "ranlib"
let cc_profile = "-pg"

let exec_magic_number = "Caml1999X008"
and cmi_magic_number = "Caml1999I010"
and cmo_magic_number = "Caml1999O006"
and cma_magic_number = "Caml1999A007"
and cmx_magic_number = "Caml1999Y011"
and cmxa_magic_number = "Caml1999Z010"
and ast_impl_magic_number = "Caml1999M011"
and ast_intf_magic_number = "Caml1999N010"

let load_path = ref ([] : string list)

let interface_suffix = ref ".mli"

let max_tag = 245
(* This is normally the same as in obj.ml, but we have to define it
   separately because it can differ when we're in the middle of a
   bootstrapping phase. *)
let lazy_tag = 246

let max_young_wosize = 256
let stack_threshold = 256 (* see byterun/config.h *)

let architecture = "i386"
let model = "default"
let system = "linux_elf"

let ext_obj = ".o"
let ext_asm = ".s"
let ext_lib = ".a"
let ext_dll = ".so"

let default_executable_name =
  match Sys.os_type with
    "Unix" -> "a.out"
  | "Win32" | "Cygwin" -> "camlprog.exe"
  | _ -> "camlprog"

let systhread_supported = true;;

let print_config oc =
  let p name valu = Printf.fprintf oc "%s: %s\n" name valu in
  let p_bool name valu = Printf.fprintf oc "%s: %B\n" name valu in
  p "version" version;
  p "standard_library_default" standard_library_default;
  p "standard_library" standard_library;
  p "standard_runtime" standard_runtime;
  p "ccomp_type" ccomp_type;
  p "bytecomp_c_compiler" bytecomp_c_compiler;
  p "bytecomp_c_linker" bytecomp_c_linker;
  p "bytecomp_c_libraries" bytecomp_c_libraries;
  p "native_c_compiler" native_c_compiler;
  p "native_c_linker" native_c_linker;
  p "native_c_libraries" native_c_libraries;
  p "native_partial_linker" native_partial_linker;
  p "ranlib" ranlib;
  p "cc_profile" cc_profile;
  p "architecture" architecture;
  p "model" model;
  p "system" system;
  p "ext_obj" ext_obj;
  p "ext_asm" ext_asm;
  p "ext_lib" ext_lib;
  p "ext_dll" ext_dll;
  p "os_type" Sys.os_type;
  p "default_executable_name" default_executable_name;
  p_bool "systhread_supported" systhread_supported;
  flush oc;
;;
why-2.34/ml/utils/terminfo.ml0000644000175000017500000000232412311670312014543 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: terminfo.ml,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

(* Basic interface to the terminfo database *)

type status =
  | Uninitialised
  | Bad_term
  | Good_term of int
;;
external setup : out_channel -> status = "caml_terminfo_setup";;
external backup : int -> unit = "caml_terminfo_backup";;
external standout : bool -> unit = "caml_terminfo_standout";;
external resume : int -> unit = "caml_terminfo_resume";;
why-2.34/ml/utils/terminfo.mli0000644000175000017500000000237412311670312014721 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: terminfo.mli,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

(* Basic interface to the terminfo database *)

type status =
  | Uninitialised
  | Bad_term
  | Good_term of int  (* number of lines of the terminal *)
;;
external setup : out_channel -> status = "caml_terminfo_setup";;
external backup : int -> unit = "caml_terminfo_backup";;
external standout : bool -> unit = "caml_terminfo_standout";;
external resume : int -> unit = "caml_terminfo_resume";;
why-2.34/ml/utils/tbl.ml0000644000175000017500000000621412311670312013503 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: tbl.ml,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

type ('a, 'b) t =
    Empty
  | Node of ('a, 'b) t * 'a * 'b * ('a, 'b) t * int

let empty = Empty

let height = function
    Empty -> 0
  | Node(_,_,_,_,h) -> h

let create l x d r =
  let hl = height l and hr = height r in
  Node(l, x, d, r, (if hl >= hr then hl + 1 else hr + 1))

let bal l x d r =
  let hl = height l and hr = height r in
  if hl > hr + 1 then
    match l with
    | Node (ll, lv, ld, lr, _) when height ll >= height lr ->
        create ll lv ld (create lr x d r)
    | Node (ll, lv, ld, Node (lrl, lrv, lrd, lrr, _), _) ->
        create (create ll lv ld lrl) lrv lrd (create lrr x d r)
    | _ -> assert false
  else if hr > hl + 1 then
    match r with
    | Node (rl, rv, rd, rr, _) when height rr >= height rl ->
        create (create l x d rl) rv rd rr
    | Node (Node (rll, rlv, rld, rlr, _), rv, rd, rr, _) ->
        create (create l x d rll) rlv rld (create rlr rv rd rr)
    | _ -> assert false
  else
    create l x d r

let rec add x data = function
    Empty ->
      Node(Empty, x, data, Empty, 1)
  | Node(l, v, d, r, h) ->
      let c = compare x v in
      if c = 0 then
        Node(l, x, data, r, h)
      else if c < 0 then
        bal (add x data l) v d r
      else
        bal l v d (add x data r)

let rec find x = function
    Empty ->
      raise Not_found
  | Node(l, v, d, r, _) ->
      let c = compare x v in
      if c = 0 then d
      else find x (if c < 0 then l else r)

let rec mem x = function
    Empty -> false
  | Node(l, v, d, r, _) ->
      let c = compare x v in
      c = 0 || mem x (if c < 0 then l else r)

let rec merge t1 t2 =
  match (t1, t2) with
    (Empty, t) -> t
  | (t, Empty) -> t
  | (Node(l1, v1, d1, r1, h1), Node(l2, v2, d2, r2, h2)) ->
      bal l1 v1 d1 (bal (merge r1 l2) v2 d2 r2)

let rec remove x = function
    Empty ->
      Empty
  | Node(l, v, d, r, h) ->
      let c = compare x v in
      if c = 0 then
        merge l r
      else if c < 0 then
        bal (remove x l) v d r
      else
        bal l v d (remove x r)

let rec iter f = function
    Empty -> ()
  | Node(l, v, d, r, _) ->
      iter f l; f v d; iter f r

open Format

let print print_key print_data ppf tbl =
  let print_tbl ppf tbl =
    iter (fun k d -> fprintf ppf "@[<2>%a ->@ %a;@]@ " print_key k print_data d)
      tbl in
  fprintf ppf "@[[[%a]]@]" print_tbl tbl
why-2.34/ml/utils/tbl.mli0000644000175000017500000000251212311670312013651 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: tbl.mli,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* Association tables from any ordered type to any type.
   We use the generic ordering to compare keys. *)

type ('a, 'b) t

val empty: ('a, 'b) t
val add: 'a -> 'b -> ('a, 'b) t -> ('a, 'b) t
val find: 'a -> ('a, 'b) t -> 'b
val mem: 'a -> ('a, 'b) t -> bool
val remove: 'a -> ('a,  'b) t -> ('a, 'b) t
val iter: ('a -> 'b -> 'c) -> ('a, 'b) t -> unit

open Format

val print: (formatter -> 'a -> unit) -> (formatter -> 'b -> unit) ->
           formatter -> ('a, 'b) t -> unit
why-2.34/ml/utils/clflags.ml0000644000175000017500000001057612311670312014343 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: clflags.ml,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* Command-line parameters *)

let objfiles = ref ([] : string list)   (* .cmo and .cma files *)
and ccobjs = ref ([] : string list)     (* .o, .a, .so and -cclib -lxxx *)
and dllibs = ref ([] : string list)     (* .so and -dllib -lxxx *)

let compile_only = ref false            (* -c *)
and output_name = ref (None : string option) (* -o *)
and include_dirs = ref ([] : string list)(* -I *)
and no_std_include = ref false          (* -nostdlib *)
and print_types = ref false             (* -i *)
and make_archive = ref false            (* -a *)
and debug = ref false                   (* -g *)
and fast = ref false                    (* -unsafe *)
and link_everything = ref false         (* -linkall *)
and custom_runtime = ref false          (* -custom *)
and output_c_object = ref false         (* -output-obj *)
and ccopts = ref ([] : string list)     (* -ccopt *)
and classic = ref false                 (* -nolabels *)
and nopervasives = ref false            (* -nopervasives *)
and preprocessor = ref(None : string option) (* -pp *)
let save_types = ref false              (* -stypes *)
and use_threads = ref false             (* -thread *)
and use_vmthreads = ref false           (* -vmthread *)
and noassert = ref false                (* -noassert *)
and verbose = ref false                 (* -verbose *)
and noprompt = ref false                (* -noprompt *)
and init_file = ref (None : string option)   (* -init *)
and use_prims = ref ""                  (* -use-prims ... *)
and use_runtime = ref ""                (* -use-runtime ... *)
and principal = ref false               (* -principal *)
and recursive_types = ref false         (* -rectypes *)
and make_runtime = ref false            (* -make_runtime *)
and gprofile = ref false                (* -p *)
and c_compiler = ref Config.bytecomp_c_compiler (* -cc *)
and c_linker = ref Config.bytecomp_c_linker (* -cc *)
and no_auto_link = ref false            (* -noautolink *)
and dllpaths = ref ([] : string list)   (* -dllpath *)
and make_package = ref false            (* -pack *)
and for_package = ref (None: string option) (* -for-pack *)
let dump_parsetree = ref false          (* -dparsetree *)
and dump_rawlambda = ref false          (* -drawlambda *)
and dump_lambda = ref false             (* -dlambda *)
and dump_instr = ref false              (* -dinstr *)

let keep_asm_file = ref false           (* -S *)
let optimize_for_speed = ref true       (* -compact *)

and dump_cmm = ref false                (* -dcmm *)
let dump_selection = ref false          (* -dsel *)
let dump_live = ref false               (* -dlive *)
let dump_spill = ref false              (* -dspill *)
let dump_split = ref false              (* -dsplit *)
let dump_scheduling = ref false         (* -dscheduling *)
let dump_interf = ref false             (* -dinterf *)
let dump_prefer = ref false             (* -dprefer *)
let dump_regalloc = ref false           (* -dalloc *)
let dump_reload = ref false             (* -dreload *)
let dump_scheduling = ref false         (* -dscheduling *)
let dump_linear = ref false             (* -dlinear *)
let keep_startup_file = ref false       (* -dstartup *)
let dump_combine = ref false            (* -dcombine *)

let native_code = ref false             (* set to true under ocamlopt *)
let inline_threshold = ref 10

let dont_write_files = ref false        (* set to true under ocamldoc *)

let std_include_flag prefix =
  if !no_std_include then ""
  else (prefix ^ (Filename.quote Config.standard_library))
;;

let std_include_dir () =
  if !no_std_include then [] else [Config.standard_library]
;;
why-2.34/ml/utils/misc.ml0000644000175000017500000001263612311670312013662 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: misc.ml,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

(* Errors *)

exception Fatal_error

let fatal_error msg =
  prerr_string ">> Fatal error: "; prerr_endline msg; raise Fatal_error

(* Exceptions *)

let try_finally f1 f2 =
  try
    let result = f1 () in
    f2 ();
    result
  with x -> f2 (); raise x
;;

(* List functions *)

let rec map_end f l1 l2 =
  match l1 with
    [] -> l2
  | hd::tl -> f hd :: map_end f tl l2

let rec map_left_right f = function
    [] -> []
  | hd::tl -> let res = f hd in res :: map_left_right f tl

let rec for_all2 pred l1 l2 =
  match (l1, l2) with
    ([], []) -> true
  | (hd1::tl1, hd2::tl2) -> pred hd1 hd2 && for_all2 pred tl1 tl2
  | (_, _) -> false

let rec replicate_list elem n =
  if n <= 0 then [] else elem :: replicate_list elem (n-1)

let rec list_remove x = function
    [] -> []
  | hd :: tl ->
      if hd = x then tl else hd :: list_remove x tl

let rec split_last = function
    [] -> assert false
  | [x] -> ([], x)
  | hd :: tl ->
      let (lst, last) = split_last tl in
      (hd :: lst, last)

let rec samelist pred l1 l2 =
  match (l1, l2) with
  | ([], []) -> true
  | (hd1 :: tl1, hd2 :: tl2) -> pred hd1 hd2 && samelist pred tl1 tl2
  | (_, _) -> false

(* Options *)

let may f = function
    Some x -> f x
  | None -> ()

let may_map f = function
    Some x -> Some (f x)
  | None -> None

(* File functions *)

let find_in_path path name =
  if not (Filename.is_implicit name) then
    if Sys.file_exists name then name else raise Not_found
  else begin
    let rec try_dir = function
      [] -> raise Not_found
    | dir::rem ->
        let fullname = Filename.concat dir name in
        if Sys.file_exists fullname then fullname else try_dir rem
    in try_dir path
  end

let find_in_path_uncap path name =
  let uname = String.uncapitalize name in
  let rec try_dir = function
    [] -> raise Not_found
  | dir::rem ->
      let fullname = Filename.concat dir name
      and ufullname = Filename.concat dir uname in
      if Sys.file_exists ufullname then ufullname
      else if Sys.file_exists fullname then fullname
      else try_dir rem
  in try_dir path

let remove_file filename =
  try
    Sys.remove filename
  with Sys_error msg ->
    ()

(* Expand a -I option: if it starts with +, make it relative to the standard
   library directory *)

let expand_directory alt s =
  if String.length s > 0 && s.[0] = '+'
  then Filename.concat alt
                       (String.sub s 1 (String.length s - 1))
  else s

(* Hashtable functions *)

let create_hashtable size init =
  let tbl = Hashtbl.create size in
  List.iter (fun (key, data) -> Hashtbl.add tbl key data) init;
  tbl

(* File copy *)

let copy_file ic oc =
  let buff = String.create 0x1000 in
  let rec copy () =
    let n = input ic buff 0 0x1000 in
    if n = 0 then () else (output oc buff 0 n; copy())
  in copy()

let copy_file_chunk ic oc len =
  let buff = String.create 0x1000 in
  let rec copy n =
    if n <= 0 then () else begin
      let r = input ic buff 0 (min n 0x1000) in
      if r = 0 then raise End_of_file else (output oc buff 0 r; copy(n-r))
    end
  in copy len

(* Integer operations *)

let rec log2 n =
  if n <= 1 then 0 else 1 + log2(n asr 1)

let align n a =
  if n >= 0 then (n + a - 1) land (-a) else n land (-a)

let no_overflow_add a b = (a lxor b) lor (a lxor (lnot (a+b))) < 0

let no_overflow_sub a b = (a lxor (lnot b)) lor (b lxor (a-b)) < 0

let no_overflow_lsl a = min_int asr 1 <= a && a <= max_int asr 1

(* String operations *)

let chop_extension_if_any fname =
  try Filename.chop_extension fname with Invalid_argument _ -> fname

let chop_extensions file =
  let dirname = Filename.dirname file and basename = Filename.basename file in
  try
    let pos = String.index basename '.' in
    let basename = String.sub basename 0 pos in
    if Filename.is_implicit file && dirname = Filename.current_dir_name then
      basename
    else
      Filename.concat dirname basename
  with Not_found -> file

let search_substring pat str start =
  let rec search i j =
    if j >= String.length pat then i
    else if i + j >= String.length str then raise Not_found
    else if str.[i + j] = pat.[j] then search i (j+1)
    else search (i+1) 0
  in search start 0

let rev_split_words s =
  let rec split1 res i =
    if i >= String.length s then res else begin
      match s.[i] with
        ' ' | '\t' | '\r' | '\n' -> split1 res (i+1)
      | _ -> split2 res i (i+1)
    end
  and split2 res i j =
    if j >= String.length s then String.sub s i (j-i) :: res else begin
      match s.[j] with
        ' ' | '\t' | '\r' | '\n' -> split1 (String.sub s i (j-i) :: res) (j+1)
      | _ -> split2 res i (j+1)
    end
  in split1 [] 0
why-2.34/ml/utils/consistbl.ml0000644000175000017500000000404012311670312014715 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 2002 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: consistbl.ml,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* Consistency tables: for checking consistency of module CRCs *)

type t = (string, Digest.t * string) Hashtbl.t

let create () = Hashtbl.create 13

let clear = Hashtbl.clear

exception Inconsistency of string * string * string

exception Not_available of string

let check tbl name crc source =
  try
    let (old_crc, old_source) = Hashtbl.find tbl name in
    if crc <> old_crc then raise(Inconsistency(name, source, old_source))
  with Not_found ->
    Hashtbl.add tbl name (crc, source)

let check_noadd tbl name crc source =
  try
    let (old_crc, old_source) = Hashtbl.find tbl name in
    if crc <> old_crc then raise(Inconsistency(name, source, old_source))
  with Not_found ->
    raise (Not_available name)

let set tbl name crc source = Hashtbl.add tbl name (crc, source)

let source tbl name = snd (Hashtbl.find tbl name)

let extract tbl =
  Hashtbl.fold (fun name (crc, auth) accu -> (name, crc) :: accu) tbl []

let filter p tbl =
  let to_remove = ref [] in
  Hashtbl.iter
    (fun name (crc, auth) ->
      if not (p name) then to_remove := name :: !to_remove)
    tbl;
  List.iter
    (fun name ->
       while Hashtbl.mem tbl name do Hashtbl.remove tbl name done)
    !to_remove
why-2.34/ml/utils/warnings.ml0000644000175000017500000001513512311670312014554 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Pierre Weis && Damien Doligez, INRIA Rocquencourt        *)
(*                                                                     *)
(*  Copyright 1998 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: warnings.ml,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

(* Please keep them in alphabetical order *)

type t =                             (* A is all *)
  | Comment_start                    (* C *)
  | Comment_not_end
  | Deprecated                       (* D *)
  | Fragile_match of string          (* E *)
  | Partial_application              (* F *)
  | Labels_omitted                   (* L *)
  | Method_override of string list   (* M *)
  | Partial_match of string          (* P *)
  | Statement_type                   (* S *)
  | Unused_match                     (* U *)
  | Unused_pat
  | Instance_variable_override of string (* V *)
  | Illegal_backslash                (* X *)
  | Implicit_public_methods of string list
  | Unerasable_optional_argument
  | Undeclared_virtual_method of string
  | Not_principal of string
  | Without_principality of string
  | Unused_argument
  | Nonreturning_statement
  | Camlp4 of string
  | All_clauses_guarded
  | Useless_record_with
  | Unused_var of string             (* Y *)
  | Unused_var_strict of string      (* Z *)
;;

let letter = function        (* 'a' is all *)
  | Comment_start
  | Comment_not_end ->          'c'
  | Deprecated ->               'd'
  | Fragile_match _ ->          'e'
  | Partial_application ->      'f'
  | Labels_omitted ->           'l'
  | Method_override _ ->        'm'
  | Partial_match _ ->          'p'
  | Statement_type ->           's'
  | Unused_match
  | Unused_pat ->               'u'
  | Instance_variable_override _ -> 'v'
  | Illegal_backslash
  | Implicit_public_methods _
  | Unerasable_optional_argument
  | Undeclared_virtual_method _
  | Not_principal _
  | Without_principality _
  | Unused_argument
  | Nonreturning_statement
  | Camlp4 _
  | Useless_record_with
  | All_clauses_guarded ->      'x'
  | Unused_var _ ->             'y'
  | Unused_var_strict _ ->      'z'
;;

let active = Array.create 27 true;;
let error = Array.create 27 false;;

let translate c =
  if c >= 'A' && c <= 'Z' then
    (Char.code c - Char.code 'A', true)
  else if c >= 'a' && c <= 'z' then
    (Char.code c - Char.code 'a', false)
  else
    (26, false)
;;

let is_active x =
  let (n, _) = translate (letter x) in
  active.(n)
;;

let is_error x =
  let (n, _) = translate (letter x) in
  error.(n)
;;

let parse_options iserr s =
  let flags = if iserr then error else active in
  for i = 0 to String.length s - 1 do
    if s.[i] = 'A' then Array.fill flags 0 (Array.length flags) true
    else if s.[i] = 'a' then Array.fill flags 0 (Array.length flags) false
    else begin
      let (n, fl) = translate s.[i] in
      flags.(n) <- fl;
    end;
  done
;;

let () = parse_options false "elz";;

let message = function
  | Partial_match "" -> "this pattern-matching is not exhaustive."
  | Partial_match s ->
      "this pattern-matching is not exhaustive.\n\
       Here is an example of a value that is not matched:\n" ^ s
  | Unused_match -> "this match case is unused."
  | Unused_pat   -> "this sub-pattern is unused."
  | Fragile_match "" ->
      "this pattern-matching is fragile."
  | Fragile_match s ->
      "this pattern-matching is fragile.\n\
       It will remain exhaustive when constructors are added to type " ^ s ^ "."
  | Labels_omitted ->
      "labels were omitted in the application of this function."
  | Method_override [lab] ->
      "the method " ^ lab ^ " is overriden in the same class."
  | Method_override (cname :: slist) ->
      String.concat " "
        ("the following methods are overriden by the class"
         :: cname  :: ":\n " :: slist)
  | Method_override [] -> assert false
  | Instance_variable_override lab ->
      "the instance variable " ^ lab ^ " is overriden.\n" ^
      "The behaviour changed in ocaml 3.10 (previous behaviour was hiding.)"
  | Partial_application ->
      "this function application is partial,\n\
       maybe some arguments are missing."
  | Statement_type ->
      "this expression should have type unit."
  | Comment_start -> "this is the start of a comment."
  | Comment_not_end -> "this is not the end of a comment."
  | Deprecated -> "this syntax is deprecated."
  | Unused_var v | Unused_var_strict v -> "unused variable " ^ v ^ "."
  | Illegal_backslash -> "illegal backslash escape in string."
  | Implicit_public_methods l ->
      "the following private methods were made public implicitly:\n "
      ^ String.concat " " l ^ "."
  | Unerasable_optional_argument -> "this optional argument cannot be erased."
  | Undeclared_virtual_method m -> "the virtual method "^m^" is not declared."
  | Not_principal s -> s^" is not principal."
  | Without_principality s -> s^" without principality."
  | Unused_argument -> "this argument will not be used by the function."
  | Nonreturning_statement ->
      "this statement never returns (or has an unsound type.)"
  | Camlp4 s -> s
  | All_clauses_guarded ->
      "bad style, all clauses in this pattern-matching are guarded."
  | Useless_record_with ->
      "this record is defined by a `with' expression,\n\
       but no fields are borrowed from the original."
;;

let nerrors = ref 0;;

let print ppf w =
  let msg = message w in
  let flag = Char.uppercase (letter w) in
  let newlines = ref 0 in
  for i = 0 to String.length msg - 1 do
    if msg.[i] = '\n' then incr newlines;
  done;
  let (out, flush, newline, space) =
    Format.pp_get_all_formatter_output_functions ppf ()
  in
  let countnewline x = incr newlines; newline x in
  Format.pp_set_all_formatter_output_functions ppf out flush countnewline space;
  Format.fprintf ppf "%c: %s" flag msg;
  Format.pp_print_flush ppf ();
  Format.pp_set_all_formatter_output_functions ppf out flush newline space;
  let (n, _) = translate (letter w) in
  if error.(n) then incr nerrors;
  !newlines
;;

exception Errors of int;;

let check_fatal () =
  if !nerrors > 0 then begin
    let e = Errors !nerrors in
    nerrors := 0;
    raise e;
  end;
;;
why-2.34/ml/utils/warnings.mli0000644000175000017500000000412212311670312014717 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Pierre Weis && Damien Doligez, INRIA Rocquencourt        *)
(*                                                                     *)
(*  Copyright 1998 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: warnings.mli,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

open Format

type t =                             (* A is all *)
  | Comment_start                    (* C *)
  | Comment_not_end
  | Deprecated                       (* D *)
  | Fragile_match of string            (* E *)
  | Partial_application              (* F *)
  | Labels_omitted                   (* L *)
  | Method_override of string list   (* M *)
  | Partial_match of string          (* P *)
  | Statement_type                   (* S *)
  | Unused_match                     (* U *)
  | Unused_pat
  | Instance_variable_override of string (* V *)
  | Illegal_backslash                (* X *)
  | Implicit_public_methods of string list
  | Unerasable_optional_argument
  | Undeclared_virtual_method of string
  | Not_principal of string
  | Without_principality of string
  | Unused_argument
  | Nonreturning_statement
  | Camlp4 of string
  | All_clauses_guarded
  | Useless_record_with
  | Unused_var of string             (* Y *)
  | Unused_var_strict of string      (* Z *)
;;

val parse_options : bool -> string -> unit;;

val is_active : t -> bool;;
val is_error : t -> bool;;

val print : formatter -> t -> int;;
  (* returns the number of newlines in the printed string *)


exception Errors of int;;

val check_fatal : unit -> unit;;
why-2.34/ml/utils/clflags.mli0000644000175000017500000000511512311670312014505 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 2005 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: clflags.mli,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

val objfiles : string list ref
val ccobjs : string list ref
val dllibs : string list ref
val compile_only : bool ref
val output_name : string option ref
val include_dirs : string list ref
val no_std_include : bool ref
val print_types : bool ref
val make_archive : bool ref
val debug : bool ref
val fast : bool ref
val link_everything : bool ref
val custom_runtime : bool ref
val output_c_object : bool ref
val ccopts : string list ref
val classic : bool ref
val nopervasives : bool ref
val preprocessor : string option ref
val save_types : bool ref
val use_threads : bool ref
val use_vmthreads : bool ref
val noassert : bool ref
val verbose : bool ref
val noprompt : bool ref
val init_file : string option ref
val use_prims : string ref
val use_runtime : string ref
val principal : bool ref
val recursive_types : bool ref
val make_runtime : bool ref
val gprofile : bool ref
val c_compiler : string ref
val c_linker : string ref
val no_auto_link : bool ref
val dllpaths : string list ref
val make_package : bool ref
val for_package : string option ref
val dump_parsetree : bool ref
val dump_rawlambda : bool ref
val dump_lambda : bool ref
val dump_instr : bool ref
val keep_asm_file : bool ref
val optimize_for_speed : bool ref
val dump_cmm : bool ref
val dump_selection : bool ref
val dump_live : bool ref
val dump_spill : bool ref
val dump_split : bool ref
val dump_interf : bool ref
val dump_prefer : bool ref
val dump_regalloc : bool ref
val dump_reload : bool ref
val dump_scheduling : bool ref
val dump_linear : bool ref
val keep_startup_file : bool ref
val dump_combine : bool ref
val native_code : bool ref
val inline_threshold : int ref
val dont_write_files : bool ref
val std_include_flag : string -> string
val std_include_dir : unit -> string list
why-2.34/ml/utils/config.mli0000644000175000017500000001127512311670312014343 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: config.mli,v 1.1 2007-11-30 10:16:44 bardou Exp $ *)

(* System configuration *)

val version: string
        (* The current version number of the system *)

val standard_library: string
        (* The directory containing the standard libraries *)
val standard_runtime: string
        (* The full path to the standard bytecode interpreter ocamlrun *)
val ccomp_type: string
        (* The "kind" of the C compiler: one of
               "cc" (for Unix-style C compilers)
               "msvc" (Microsoft Visual C++)
               "mrc" (Macintosh MPW) *)
val bytecomp_c_compiler: string
        (* The C compiler to use for compiling C files 
           with the bytecode compiler *)
val bytecomp_c_linker: string
        (* The C compiler to use for building custom runtime systems
           with the bytecode compiler *)
val bytecomp_c_libraries: string
        (* The C libraries to link with custom runtimes *)
val native_c_compiler: string
        (* The C compiler to use for compiling C files 
           with the native-code compiler *)
val native_c_linker: string
        (* The C compiler to use for the final linking step
           in the native code compiler *)
val native_c_libraries: string
        (* The C libraries to link with native-code programs *)
val native_partial_linker: string
        (* The linker to use for partial links (ocamlopt -output-obj) *)
val native_pack_linker: string
        (* The linker to use for packaging (ocamlopt -pack) *)
val ranlib: string
        (* Command to randomize a library, or "" if not needed *)
val cc_profile : string
        (* The command line option to the C compiler to enable profiling. *)

val load_path: string list ref
        (* Directories in the search path for .cmi and .cmo files *)

val interface_suffix: string ref
        (* Suffix for interface file names *)

val exec_magic_number: string
        (* Magic number for bytecode executable files *)
val cmi_magic_number: string
        (* Magic number for compiled interface files *)
val cmo_magic_number: string
        (* Magic number for object bytecode files *)
val cma_magic_number: string
        (* Magic number for archive files *)
val cmx_magic_number: string
        (* Magic number for compilation unit descriptions *)
val cmxa_magic_number: string
        (* Magic number for libraries of compilation unit descriptions *)
val ast_intf_magic_number: string
        (* Magic number for file holding an interface syntax tree *)
val ast_impl_magic_number: string
        (* Magic number for file holding an implementation syntax tree *)

val max_tag: int
        (* Biggest tag that can be stored in the header of a regular block. *)
val lazy_tag : int
        (* Normally the same as Obj.lazy_tag.  Separate definition because
           of technical reasons for bootstrapping. *)
val max_young_wosize: int
        (* Maximal size of arrays that are directly allocated in the
           minor heap *)
val stack_threshold: int
        (* Size in words of safe area at bottom of VM stack,
           see byterun/config.h *)

val architecture: string
        (* Name of processor type for the native-code compiler *)
val model: string
        (* Name of processor submodel for the native-code compiler *)
val system: string
        (* Name of operating system for the native-code compiler *)

val ext_obj: string
        (* Extension for object files, e.g. [.o] under Unix. *)
val ext_asm: string
        (* Extension for assembler files, e.g. [.s] under Unix. *)
val ext_lib: string
        (* Extension for library files, e.g. [.a] under Unix. *)
val ext_dll: string
        (* Extension for dynamically-loaded libraries, e.g. [.so] under Unix.*)

val default_executable_name: string
        (* Name of executable produced by linking if none is given with -o,
           e.g. [a.out] under Unix. *)

val systhread_supported : bool
        (* Whether the system thread library is implemented *)

val print_config : out_channel -> unit;;
why-2.34/ml/utils/misc.mli0000644000175000017500000001170412311670312014026 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: misc.mli,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

(* Miscellaneous useful types and functions *)

val fatal_error: string -> 'a
exception Fatal_error

val try_finally : (unit -> 'a) -> (unit -> unit) -> 'a;;

val map_end: ('a -> 'b) -> 'a list -> 'b list -> 'b list
        (* [map_end f l t] is [map f l @ t], just more efficient. *)
val map_left_right: ('a -> 'b) -> 'a list -> 'b list
        (* Like [List.map], with guaranteed left-to-right evaluation order *)
val for_all2: ('a -> 'b -> bool) -> 'a list -> 'b list -> bool
        (* Same as [List.for_all] but for a binary predicate.
           In addition, this [for_all2] never fails: given two lists
           with different lengths, it returns false. *)
val replicate_list: 'a -> int -> 'a list
        (* [replicate_list elem n] is the list with [n] elements
           all identical to [elem]. *)
val list_remove: 'a -> 'a list -> 'a list
        (* [list_remove x l] returns a copy of [l] with the first
           element equal to [x] removed. *)
val split_last: 'a list -> 'a list * 'a
        (* Return the last element and the other elements of the given list. *)
val samelist: ('a -> 'a -> bool) -> 'a list -> 'a list -> bool
        (* Like [List.for_all2] but returns [false] if the two
           lists have different length. *)

val may: ('a -> unit) -> 'a option -> unit
val may_map: ('a -> 'b) -> 'a option -> 'b option

val find_in_path: string list -> string -> string
        (* Search a file in a list of directories. *)
val find_in_path_uncap: string list -> string -> string
        (* Same, but search also for uncapitalized name, i.e.
           if name is Foo.ml, allow /path/Foo.ml and /path/foo.ml
           to match. *)
val remove_file: string -> unit
        (* Delete the given file if it exists. Never raise an error. *)
val expand_directory: string -> string -> string
        (* [expand_directory alt file] eventually expands a [+] at the
           beginning of file into [alt] (an alternate root directory) *)

val create_hashtable: int -> ('a * 'b) list -> ('a, 'b) Hashtbl.t
        (* Create a hashtable of the given size and fills it with the
           given bindings. *)

val copy_file: in_channel -> out_channel -> unit
        (* [copy_file ic oc] reads the contents of file [ic] and copies
           them to [oc]. It stops when encountering EOF on [ic]. *)
val copy_file_chunk: in_channel -> out_channel -> int -> unit
        (* [copy_file_chunk ic oc n] reads [n] bytes from [ic] and copies
           them to [oc]. It raises [End_of_file] when encountering
           EOF on [ic]. *)

val log2: int -> int
        (* [log2 n] returns [s] such that [n = 1 lsl s] 
           if [n] is a power of 2*)
val align: int -> int -> int
        (* [align n a] rounds [n] upwards to a multiple of [a]
           (a power of 2). *)
val no_overflow_add: int -> int -> bool
        (* [no_overflow_add n1 n2] returns [true] if the computation of
           [n1 + n2] does not overflow. *)
val no_overflow_sub: int -> int -> bool
        (* [no_overflow_add n1 n2] returns [true] if the computation of
           [n1 - n2] does not overflow. *)
val no_overflow_lsl: int -> bool
        (* [no_overflow_add n] returns [true] if the computation of
           [n lsl 1] does not overflow. *)

val chop_extension_if_any: string -> string
        (* Like Filename.chop_extension but returns the initial file
           name if it has no extension *)

val chop_extensions: string -> string
        (* Return the given file name without its extensions. The extensions
           is the longest suffix starting with a period and not including
           a directory separator, [.xyz.uvw] for instance.

           Return the given name if it does not contain an extension. *)

val search_substring: string -> string -> int -> int
        (* [search_substring pat str start] returns the position of the first
           occurrence of string [pat] in string [str].  Search starts
           at offset [start] in [str].  Raise [Not_found] if [pat]
           does not occur. *)

val rev_split_words: string -> string list
        (* [rev_split_words s] splits [s] in blank-separated words, and return
           the list of words in reverse order. *)
why-2.34/ml/parsing/0000755000175000017500000000000012311670312012670 5ustar  rtuserswhy-2.34/ml/parsing/asttypes.mli0000644000175000017500000000252712311670312015255 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: asttypes.mli,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

(* Auxiliary a.s.t. types used by parsetree and typedtree. *)

type constant =
    Const_int of int
  | Const_char of char
  | Const_string of string
  | Const_float of string
  | Const_int32 of int32
  | Const_int64 of int64
  | Const_nativeint of nativeint

type rec_flag = Nonrecursive | Recursive | Default

type direction_flag = Upto | Downto

type private_flag = Private | Public

type mutable_flag = Immutable | Mutable

type virtual_flag = Virtual | Concrete

type label = string
why-2.34/ml/parsing/longident.ml0000644000175000017500000000311212311670312015202 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: longident.ml,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

type t =
    Lident of string
  | Ldot of t * string
  | Lapply of t * t

let rec flat accu = function
    Lident s -> s :: accu
  | Ldot(lid, s) -> flat (s :: accu) lid
  | Lapply(l1, l2) -> Misc.fatal_error "Longident.flat"

let flatten lid = flat [] lid

let rec split_at_dots s pos =
  try
    let dot = String.index_from s pos '.' in
    String.sub s pos (dot - pos) :: split_at_dots s (dot + 1)
  with Not_found ->
    [String.sub s pos (String.length s - pos)]

let parse s =
  match split_at_dots s 0 with
    [] -> Lident ""  (* should not happen, but don't put assert false
                        so as not to crash the toplevel (see Genprintval) *)
  | hd :: tl -> List.fold_left (fun p s -> Ldot(p, s)) (Lident hd) tl
why-2.34/ml/parsing/linenum.mll0000644000175000017500000000511712311670312015051 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1997 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: linenum.mll,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

(* An auxiliary lexer for determining the line number corresponding to
   a file position, honoring the directives # linenum "filename" *)

{
let filename = ref ""
let linenum = ref 0
let linebeg = ref 0

let parse_sharp_line s =
  try
    (* Update the line number and file name *)
    let l1 = ref 0 in
    while let c = s.[!l1] in c < '0' || c > '9' do incr l1 done;
    let l2 = ref (!l1 + 1) in
    while let c = s.[!l2] in c >= '0' && c <= '9' do incr l2 done;
    linenum := int_of_string(String.sub s !l1 (!l2 - !l1));
    let f1 = ref (!l2 + 1) in
    while !f1 < String.length s && s.[!f1] <> '"' do incr f1 done;
    let f2 = ref (!f1 + 1) in 
    while !f2 < String.length s && s.[!f2] <> '"' do incr f2 done;
    if !f1 < String.length s then
      filename := String.sub s (!f1 + 1) (!f2 - !f1 - 1)
  with Failure _ | Invalid_argument _ ->
    Misc.fatal_error "Linenum.parse_sharp_line"
}

rule skip_line = parse
    "#" [' ' '\t']* ['0'-'9']+ [' ' '\t']*
    ("\"" [^ '\n' '\r' '"' (* '"' *) ] * "\"")?
    [^ '\n' '\r'] *
    ('\n' | '\r' | "\r\n")
      { parse_sharp_line(Lexing.lexeme lexbuf);
        linebeg := Lexing.lexeme_start lexbuf;
        Lexing.lexeme_end lexbuf }
  | [^ '\n' '\r'] *
    ('\n' | '\r' | "\r\n")
      { incr linenum;
        linebeg := Lexing.lexeme_start lexbuf;
        Lexing.lexeme_end lexbuf }
  | [^ '\n' '\r'] * eof
      { incr linenum;
        linebeg := Lexing.lexeme_start lexbuf;
        raise End_of_file }

{

let for_position file loc =
  let ic = open_in_bin file in
  let lb = Lexing.from_channel ic in
  filename := file;
  linenum := 1;
  linebeg := 0;
  begin try
    while skip_line lb <= loc do () done
  with End_of_file -> ()
  end;
  close_in ic;
  (!filename, !linenum - 1, !linebeg)

}
why-2.34/ml/parsing/longident.mli0000644000175000017500000000203312311670312015354 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: longident.mli,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

(* Long identifiers, used in parsetree. *)

type t =
    Lident of string
  | Ldot of t * string
  | Lapply of t * t

val flatten: t -> string list
val parse: string -> t
why-2.34/ml/parsing/lexer.mll0000644000175000017500000004077012311670312014525 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: lexer.mll,v 1.6 2007-12-20 15:00:39 bardou Exp $ *)

(* The lexer definition *)

{
open Lexing
open Misc
open Parser

type error =
  | Illegal_character of char
  | Illegal_escape of string
  | Unterminated_comment
  | Unterminated_string
  | Unterminated_string_in_comment
  | Keyword_as_label of string
  | Literal_overflow of string
  | Unknown_backslash_identifer of string
  | Not_in_annotation
;;

exception Error of error * Location.t;;

let in_annotation = ref false

(* The table of keywords *)

let keyword_table =
  create_hashtable 149 [
    "and", AND;
    "as", AS;
    "assert", ASSERT;
    "begin", BEGIN;
    "class", CLASS;
    "constraint", CONSTRAINT;
    "do", DO;
    "done", DONE;
    "downto", DOWNTO;
    "else", ELSE;
    "end", END;
    "exception", EXCEPTION;
    "external", EXTERNAL;
    "false", FALSE;
    "for", FOR;
    "fun", FUN;
    "function", FUNCTION;
    "functor", FUNCTOR;
    "if", IF;
    "in", IN;
    "include", INCLUDE;
    "inherit", INHERIT;
    "initializer", INITIALIZER;
    "lazy", LAZY;
    "let", LET;
    "match", MATCH;
    "method", METHOD;
    "module", MODULE;
    "mutable", MUTABLE;
    "new", NEW;
    "object", OBJECT;
    "of", OF;
    "open", OPEN;
    "or", OR;
(*  "parser", PARSER; *)
    "private", PRIVATE;
    "rec", REC;
    "sig", SIG;
    "struct", STRUCT;
    "then", THEN;
    "to", TO;
    "true", TRUE;
    "try", TRY;
    "type", TYPE;
    "val", VAL;
    "virtual", VIRTUAL;
    "when", WHEN;
    "while", WHILE;
    "with", WITH;

    "mod", INFIXOP3("mod");
    "land", INFIXOP3("land");
    "lor", INFIXOP3("lor");
    "lxor", INFIXOP3("lxor");
    "lsl", INFIXOP4("lsl");
    "lsr", INFIXOP4("lsr");
    "asr", INFIXOP4("asr")
]

(* The table of annotation-specific keywords *)

let annot_keyword_table =
  create_hashtable 149 [
    "axiom", AXIOM;
    "behavior", BEHAVIOR;
    "ensures", ENSURES;
    "invariant", INVARIANT;
    "logic", LOGIC;
    "predicate", PREDICATE;
    "reads", READS;
    "requires", REQUIRES;
    "variant", VARIANT;
    "\\result", BSRESULT;
    "\\old", BSOLD;
  ]

(* To buffer string literals *)

let initial_string_buffer = String.create 256
let string_buff = ref initial_string_buffer
let string_index = ref 0

let reset_string_buffer () =
  string_buff := initial_string_buffer;
  string_index := 0

let store_string_char c =
  if !string_index >= String.length (!string_buff) then begin
    let new_buff = String.create (String.length (!string_buff) * 2) in
      String.blit (!string_buff) 0 new_buff 0 (String.length (!string_buff));
      string_buff := new_buff
  end;
  String.unsafe_set (!string_buff) (!string_index) c;
  incr string_index

let get_stored_string () =
  let s = String.sub (!string_buff) 0 (!string_index) in
  string_buff := initial_string_buffer;
  s

(* To store the position of the beginning of a string and comment *)
let string_start_loc = ref Location.none;;
let comment_start_loc = ref [];;
let in_comment () = !comment_start_loc <> [];;

(* To translate escape sequences *)

let char_for_backslash = function
  | 'n' -> '\010'
  | 'r' -> '\013'
  | 'b' -> '\008'
  | 't' -> '\009'
  | c   -> c

let char_for_decimal_code lexbuf i =
  let c = 100 * (Char.code(Lexing.lexeme_char lexbuf i) - 48) +
           10 * (Char.code(Lexing.lexeme_char lexbuf (i+1)) - 48) +
                (Char.code(Lexing.lexeme_char lexbuf (i+2)) - 48) in
  if (c < 0 || c > 255) && not (in_comment ())
  then raise (Error(Illegal_escape (Lexing.lexeme lexbuf),
                    Location.curr lexbuf))
  else Char.chr c

let char_for_hexadecimal_code lexbuf i =
  let d1 = Char.code (Lexing.lexeme_char lexbuf i) in
  let val1 = if d1 >= 97 then d1 - 87
             else if d1 >= 65 then d1 - 55
             else d1 - 48
  in
  let d2 = Char.code (Lexing.lexeme_char lexbuf (i+1)) in
  let val2 = if d2 >= 97 then d2 - 87
             else if d2 >= 65 then d2 - 55
             else d2 - 48
  in
  Char.chr (val1 * 16 + val2)

(* Remove underscores from float literals *)

let remove_underscores s =
  let l = String.length s in
  let rec remove src dst =
    if src >= l then
      if dst >= l then s else String.sub s 0 dst
    else
      match s.[src] with
        '_' -> remove (src + 1) dst
      |  c  -> s.[dst] <- c; remove (src + 1) (dst + 1)
  in remove 0 0

(* Update the current location with file name and line number. *)

let update_loc lexbuf file line absolute chars =
  let pos = lexbuf.lex_curr_p in
  let new_file = match file with
                 | None -> pos.pos_fname
                 | Some s -> s
  in
  lexbuf.lex_curr_p <- { pos with
    pos_fname = new_file;
    pos_lnum = if absolute then line else pos.pos_lnum + line;
    pos_bol = pos.pos_cnum - chars;
  }
;;

(* Error report *)

open Format

let report_error ppf = function
  | Illegal_character c ->
      fprintf ppf "Illegal character (%s)" (Char.escaped c)
  | Illegal_escape s ->
      fprintf ppf "Illegal backslash escape in string or character (%s)" s
  | Unterminated_comment ->
      fprintf ppf "Comment not terminated"
  | Unterminated_string ->
      fprintf ppf "String literal not terminated"
  | Unterminated_string_in_comment ->
      fprintf ppf "This comment contains an unterminated string literal"
  | Keyword_as_label kwd ->
      fprintf ppf "`%s' is a keyword, it cannot be used as label name" kwd
  | Literal_overflow ty ->
      fprintf ppf "Integer literal exceeds the range of representable integers of type %s" ty
  | Unknown_backslash_identifer id ->
      fprintf ppf "Unknown annotation identifier (%s)" id
  | Not_in_annotation ->
      fprintf ppf "Not in an annotation"
;;

}

let newline = ('\010' | '\013' | "\013\010")
let blank = [' ' '\009' '\012']
let lowercase = ['a'-'z' '\223'-'\246' '\248'-'\255' '_']
let uppercase = ['A'-'Z' '\192'-'\214' '\216'-'\222']
let identchar =
  ['A'-'Z' 'a'-'z' '_' '\192'-'\214' '\216'-'\246' '\248'-'\255' '\'' '0'-'9']
let symbolchar =
  ['!' '$' '%' '&' '*' '+' '-' '.' '/' ':' '<' '=' '>' '?' '@' '^' '|' '~']
let decimal_literal =
  ['0'-'9'] ['0'-'9' '_']*
let hex_literal =
  '0' ['x' 'X'] ['0'-'9' 'A'-'F' 'a'-'f']['0'-'9' 'A'-'F' 'a'-'f' '_']*
let oct_literal =
  '0' ['o' 'O'] ['0'-'7'] ['0'-'7' '_']*
let bin_literal =
  '0' ['b' 'B'] ['0'-'1'] ['0'-'1' '_']*
let int_literal =
  decimal_literal | hex_literal | oct_literal | bin_literal
let float_literal =
  ['0'-'9'] ['0'-'9' '_']*
  ('.' ['0'-'9' '_']* )?
  (['e' 'E'] ['+' '-']? ['0'-'9'] ['0'-'9' '_']*)?

rule token = parse
  | newline
      { update_loc lexbuf None 1 false 0;
        token lexbuf
      }
  | newline (blank * as spaces) "@"
      { if not !in_annotation then
	  raise (Error(Not_in_annotation, Location.curr lexbuf));
	update_loc lexbuf None 1 false (String.length spaces + 1);
	token lexbuf }
  | blank +
      { token lexbuf }
  | "_"
      { UNDERSCORE }
  | "~"  { TILDE }
  | "~" lowercase identchar * ':'
      { let s = Lexing.lexeme lexbuf in
        let name = String.sub s 1 (String.length s - 2) in
        if Hashtbl.mem keyword_table name then
          raise (Error(Keyword_as_label name, Location.curr lexbuf));
        LABEL name }
  | "?"  { QUESTION }
  | "??" { QUESTIONQUESTION }
  | "?" lowercase identchar * ':'
      { let s = Lexing.lexeme lexbuf in
        let name = String.sub s 1 (String.length s - 2) in
        if Hashtbl.mem keyword_table name then
          raise (Error(Keyword_as_label name, Location.curr lexbuf));
        OPTLABEL name }
  | lowercase identchar *
      { let s = Lexing.lexeme lexbuf in
          try
            Hashtbl.find keyword_table s
          with Not_found ->
            if !in_annotation then
	      try Hashtbl.find annot_keyword_table s with Not_found -> LIDENT s
	    else LIDENT s }
  | "\\" identchar *
      { if !in_annotation then
	  let s = Lexing.lexeme lexbuf in
	  try Hashtbl.find annot_keyword_table s with Not_found ->
	    raise (Error(Unknown_backslash_identifer s, Location.curr lexbuf))
	else
	  raise (Error(Not_in_annotation, Location.curr lexbuf)) }
  | uppercase identchar *
      { UIDENT(Lexing.lexeme lexbuf) }       (* No capitalized keywords *)
  | int_literal
      { try
          INT (int_of_string(Lexing.lexeme lexbuf))
        with Failure _ ->
          raise (Error(Literal_overflow "int", Location.curr lexbuf))
      }
  | float_literal
      { FLOAT (remove_underscores(Lexing.lexeme lexbuf)) }
  | int_literal "l"
      { let s = Lexing.lexeme lexbuf in
        try
          INT32 (Int32.of_string(String.sub s 0 (String.length s - 1)))
        with Failure _ ->
          raise (Error(Literal_overflow "int32", Location.curr lexbuf)) }
  | int_literal "L"
      { let s = Lexing.lexeme lexbuf in
        try
          INT64 (Int64.of_string(String.sub s 0 (String.length s - 1)))
        with Failure _ ->
          raise (Error(Literal_overflow "int64", Location.curr lexbuf)) }
  | int_literal "n"
      { let s = Lexing.lexeme lexbuf in
        try
          NATIVEINT
            (Nativeint.of_string(String.sub s 0 (String.length s - 1)))
        with Failure _ ->
          raise (Error(Literal_overflow "nativeint", Location.curr lexbuf)) }
  | "\""
      { reset_string_buffer();
        let string_start = lexbuf.lex_start_p in
        string_start_loc := Location.curr lexbuf;
        string lexbuf;
        lexbuf.lex_start_p <- string_start;
        STRING (get_stored_string()) }
  | "'" newline "'"
      { update_loc lexbuf None 1 false 1;
        CHAR (Lexing.lexeme_char lexbuf 1) }
  | "'" [^ '\\' '\'' '\010' '\013'] "'"
      { CHAR(Lexing.lexeme_char lexbuf 1) }
  | "'\\" ['\\' '\'' '"' 'n' 't' 'b' 'r' ' '] "'"
      { CHAR(char_for_backslash (Lexing.lexeme_char lexbuf 2)) }
  | "'\\" ['0'-'9'] ['0'-'9'] ['0'-'9'] "'"
      { CHAR(char_for_decimal_code lexbuf 2) }
  | "'\\" 'x' ['0'-'9' 'a'-'f' 'A'-'F'] ['0'-'9' 'a'-'f' 'A'-'F'] "'"
      { CHAR(char_for_hexadecimal_code lexbuf 3) }
  | "'\\" _
      { let l = Lexing.lexeme lexbuf in
        let esc = String.sub l 1 (String.length l - 1) in
        raise (Error(Illegal_escape esc, Location.curr lexbuf))
      }
  | "(*@"
      { in_annotation := true; LANNOT }
  | "(*"
      { comment_start_loc := [Location.curr lexbuf];
        comment lexbuf;
        token lexbuf }
  | "(*)"
      { let loc = Location.curr lexbuf in
        Location.prerr_warning loc Warnings.Comment_start;
        comment_start_loc := [Location.curr lexbuf];
        comment lexbuf;
        token lexbuf
      }
  | "*)"
      { if !in_annotation then begin
	  in_annotation := false;
	  RANNOT
	end else begin
	  let loc = Location.curr lexbuf in
          Location.prerr_warning loc Warnings.Comment_not_end;
          lexbuf.Lexing.lex_curr_pos <- lexbuf.Lexing.lex_curr_pos - 1;
          let curpos = lexbuf.lex_curr_p in
          lexbuf.lex_curr_p <- { curpos with pos_cnum = curpos.pos_cnum - 1 };
          STAR
	end
      }
  | "#" [' ' '\t']* (['0'-'9']+ as num) [' ' '\t']*
        ("\"" ([^ '\010' '\013' '"' ] * as name) "\"")?
        [^ '\010' '\013'] * newline
      { update_loc lexbuf name (int_of_string num) true 0;
        token lexbuf
      }
  | "#"  { SHARP }
  | "&"  { AMPERSAND }
  | "&&" { AMPERAMPER }
  | "`"  { BACKQUOTE }
  | "'"  { QUOTE }
  | "("  { LPAREN }
  | ")"  { RPAREN }
  | "*"  { STAR }
  | ","  { COMMA }
  | "->" { MINUSGREATER }
  | "."  { DOT }
  | ".." { DOTDOT }
  | ":"  { COLON }
  | "::" { COLONCOLON }
  | ":=" { COLONEQUAL }
  | ":>" { COLONGREATER }
  | ";"  { SEMI }
  | ";;" { SEMISEMI }
  | "<"  { LESS }
  | "<-" { LESSMINUS }
  | "="  { EQUAL }
  | "["  { LBRACKET }
  | "[|" { LBRACKETBAR }
  | "[<" { LBRACKETLESS }
  | "[>" { LBRACKETGREATER }
  | "]"  { RBRACKET }
  | "{"  { LBRACE }
  | "{<" { LBRACELESS }
  | "|"  { BAR }
  | "||" { BARBAR }
  | "|]" { BARRBRACKET }
  | ">"  { GREATER }
  | ">]" { GREATERRBRACKET }
  | "}"  { RBRACE }
  | ">}" { GREATERRBRACE }

  | "==>" { if !in_annotation then EQUALEQUALGREATER else INFIXOP0 "==>" }
  | "<==" { if !in_annotation then LESSEQUALEQUAL else INFIXOP0 "<==" }
  | "<=>" { if !in_annotation then LESSEQUALGREATER else INFIXOP0 "<=>" }

  | "!=" { INFIXOP0 "!=" }
  | "+"  { PLUS }
  | "-"  { MINUS }
  | "-." { MINUSDOT }

  | "!" symbolchar *
            { PREFIXOP(Lexing.lexeme lexbuf) }
  | ['~' '?'] symbolchar +
            { PREFIXOP(Lexing.lexeme lexbuf) }
  | ['=' '<' '>' '|' '&' '$'] symbolchar *
            { INFIXOP0(Lexing.lexeme lexbuf) }
  | ['@' '^'] symbolchar *
            { INFIXOP1(Lexing.lexeme lexbuf) }
  | ['+' '-'] symbolchar *
            { INFIXOP2(Lexing.lexeme lexbuf) }
  | "**" symbolchar *
            { INFIXOP4(Lexing.lexeme lexbuf) }
  | ['*' '/' '%'] symbolchar *
            { INFIXOP3(Lexing.lexeme lexbuf) }
  | eof { EOF }
  | _
      { raise (Error(Illegal_character (Lexing.lexeme_char lexbuf 0),
                     Location.curr lexbuf))
      }

and comment = parse
    "(*"
      { comment_start_loc := (Location.curr lexbuf) :: !comment_start_loc;
        comment lexbuf;
      }
  | "*)"
      { match !comment_start_loc with
        | [] -> assert false
        | [x] -> comment_start_loc := [];
        | _ :: l -> comment_start_loc := l;
                    comment lexbuf;
       }
  | "\""
      { reset_string_buffer();
        string_start_loc := Location.curr lexbuf;
        begin try string lexbuf
        with Error (Unterminated_string, _) ->
          match !comment_start_loc with
          | [] -> assert false
          | loc :: _ -> comment_start_loc := [];
                        raise (Error (Unterminated_string_in_comment, loc))
        end;
        reset_string_buffer ();
        comment lexbuf }
  | "''"
      { comment lexbuf }
  | "'" newline "'"
      { update_loc lexbuf None 1 false 1;
        comment lexbuf
      }
  | "'" [^ '\\' '\'' '\010' '\013' ] "'"
      { comment lexbuf }
  | "'\\" ['\\' '"' '\'' 'n' 't' 'b' 'r' ' '] "'"
      { comment lexbuf }
  | "'\\" ['0'-'9'] ['0'-'9'] ['0'-'9'] "'"
      { comment lexbuf }
  | "'\\" 'x' ['0'-'9' 'a'-'f' 'A'-'F'] ['0'-'9' 'a'-'f' 'A'-'F'] "'"
      { comment lexbuf }
  | eof
      { match !comment_start_loc with
        | [] -> assert false
        | loc :: _ -> comment_start_loc := [];
                      raise (Error (Unterminated_comment, loc))
      }
  | newline
      { update_loc lexbuf None 1 false 0;
        comment lexbuf
      }
  | _
      { comment lexbuf }

and string = parse
    '"'
      { () }
  | '\\' newline ([' ' '\t'] * as space)
      { update_loc lexbuf None 1 false (String.length space);
        string lexbuf
      }
  | '\\' ['\\' '\'' '"' 'n' 't' 'b' 'r' ' ']
      { store_string_char(char_for_backslash(Lexing.lexeme_char lexbuf 1));
        string lexbuf }
  | '\\' ['0'-'9'] ['0'-'9'] ['0'-'9']
      { store_string_char(char_for_decimal_code lexbuf 1);
         string lexbuf }
  | '\\' 'x' ['0'-'9' 'a'-'f' 'A'-'F'] ['0'-'9' 'a'-'f' 'A'-'F']
      { store_string_char(char_for_hexadecimal_code lexbuf 2);
         string lexbuf }
  | '\\' _
      { if in_comment ()
        then string lexbuf
        else begin
(*  Should be an error, but we are very lax.
          raise (Error (Illegal_escape (Lexing.lexeme lexbuf),
                        Location.curr lexbuf))
*)
          let loc = Location.curr lexbuf in
          Location.prerr_warning loc Warnings.Illegal_backslash;
          store_string_char (Lexing.lexeme_char lexbuf 0);
          store_string_char (Lexing.lexeme_char lexbuf 1);
          string lexbuf
        end
      }
  | newline
      { update_loc lexbuf None 1 false 0;
        let s = Lexing.lexeme lexbuf in
        for i = 0 to String.length s - 1 do
          store_string_char s.[i];
        done;
        string lexbuf
      }
  | eof
      { raise (Error (Unterminated_string, !string_start_loc)) }
  | _
      { store_string_char(Lexing.lexeme_char lexbuf 0);
        string lexbuf }

and skip_sharp_bang = parse
  | "#!" [^ '\n']* '\n' [^ '\n']* "\n!#\n"
       { update_loc lexbuf None 3 false 0 }
  | "#!" [^ '\n']* '\n'
       { update_loc lexbuf None 1 false 0 }
  | "" { () }
why-2.34/ml/parsing/parsetree.mli0000644000175000017500000002371412311670312015374 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: parsetree.mli,v 1.10 2007-12-20 17:10:01 bardou Exp $ *)

(* Abstract syntax tree produced by parsing *)

open Asttypes

(* Type expressions for the core language *)

type core_type =
  { ptyp_desc: core_type_desc;
    ptyp_loc: Location.t }

and core_type_desc = 
    Ptyp_any
  | Ptyp_var of string
  | Ptyp_arrow of label * core_type * core_type
  | Ptyp_tuple of core_type list
  | Ptyp_constr of Longident.t * core_type list
  | Ptyp_object of core_field_type list
  | Ptyp_class of Longident.t * core_type list * label list
  | Ptyp_alias of core_type * string
  | Ptyp_variant of row_field list * bool * label list option
  | Ptyp_poly of string list * core_type

and core_field_type =
  { pfield_desc: core_field_desc;
    pfield_loc: Location.t }

and core_field_desc =
    Pfield of string * core_type
  | Pfield_var

and row_field =
    Rtag of label * bool * core_type list
  | Rinherit of core_type

(* XXX Type expressions for the class language *)

type 'a class_infos =
  { pci_virt: virtual_flag;
    pci_params: string list * Location.t;
    pci_name: string;
    pci_expr: 'a;
    pci_variance: (bool * bool) list;
    pci_loc: Location.t }

(* Value expressions for the core language *)

type pattern =
  { ppat_desc: pattern_desc;
    ppat_loc: Location.t }

and pattern_desc =
    Ppat_any
  | Ppat_var of string
  | Ppat_alias of pattern * string
  | Ppat_constant of constant
  | Ppat_tuple of pattern list
  | Ppat_construct of Longident.t * pattern option * bool
  | Ppat_variant of label * pattern option
  | Ppat_record of (Longident.t * pattern) list
  | Ppat_array of pattern list
  | Ppat_or of pattern * pattern
  | Ppat_constraint of pattern * core_type
  | Ppat_type of Longident.t

type expression =
  { pexp_desc: expression_desc;
    pexp_loc: Location.t }

and expression_desc =
    Pexp_ident of Longident.t
  | Pexp_constant of constant
  | Pexp_let of rec_flag * (pattern * expression) list * expression
  | Pexp_function of label * expression option * (pattern * expression) list
  | Pexp_apply of expression * (label * expression) list
  | Pexp_match of expression * (pattern * expression) list
  | Pexp_try of expression * (pattern * expression) list
  | Pexp_tuple of expression list
  | Pexp_construct of Longident.t * expression option * bool
  | Pexp_variant of label * expression option
  | Pexp_record of (Longident.t * expression) list * expression option
  | Pexp_field of expression * Longident.t
  | Pexp_setfield of expression * Longident.t * expression
  | Pexp_array of expression list
  | Pexp_ifthenelse of expression * expression * expression option
  | Pexp_sequence of expression * expression
  | Pexp_while of expression * while_spec * expression
  | Pexp_for of string * expression * expression * direction_flag * expression
  | Pexp_constraint of expression * core_type option * core_type option
  | Pexp_when of expression * expression
  | Pexp_send of expression * string
  | Pexp_new of Longident.t
  | Pexp_setinstvar of string * expression
  | Pexp_override of (string * expression) list
  | Pexp_letmodule of string * module_expr * expression
  | Pexp_assert of expression
  | Pexp_assertfalse
  | Pexp_lazy of expression
  | Pexp_poly of expression * core_type option
  | Pexp_object of class_structure
  | Pexp_result
  | Pexp_old of expression
  | Pexp_implies of expression * expression

and while_spec = {
  pws_invariant: expression option;
  pws_variant: expression option;
}

(* Value descriptions *)

and value_description =
  { pval_type: core_type;
    pval_prim: string list }

(* Type declarations *)

and type_declaration =
  { ptype_params: string list;
    ptype_cstrs: (core_type * core_type * Location.t) list;
    ptype_kind: type_kind;
    ptype_manifest: core_type option;
    ptype_variance: (bool * bool) list;
    ptype_loc: Location.t }

and type_kind =
    Ptype_abstract
  | Ptype_variant of (string * core_type list * Location.t) list * private_flag
  | Ptype_record of
      (string * mutable_flag * core_type * Location.t) list * private_flag
  | Ptype_private

and exception_declaration = core_type list

(* Type expressions for the class language *)

and class_type =
  { pcty_desc: class_type_desc;
    pcty_loc: Location.t }

and class_type_desc =
    Pcty_constr of Longident.t * core_type list
  | Pcty_signature of class_signature
  | Pcty_fun of label * core_type * class_type

and class_signature = core_type * class_type_field list

and class_type_field =
    Pctf_inher of class_type
  | Pctf_val of (string * mutable_flag * virtual_flag * core_type * Location.t)
  | Pctf_virt  of (string * private_flag * core_type * Location.t)
  | Pctf_meth  of (string * private_flag * core_type * Location.t)
  | Pctf_cstr  of (core_type * core_type * Location.t)

and class_description = class_type class_infos

and class_type_declaration = class_type class_infos

(* Value expressions for the class language *)

and class_expr =
  { pcl_desc: class_expr_desc;
    pcl_loc: Location.t }

and class_expr_desc =
    Pcl_constr of Longident.t * core_type list
  | Pcl_structure of class_structure
  | Pcl_fun of label * expression option * pattern * class_expr
  | Pcl_apply of class_expr * (label * expression) list
  | Pcl_let of rec_flag * (pattern * expression) list * class_expr
  | Pcl_constraint of class_expr * class_type

and class_structure = pattern * class_field list

and class_field =
    Pcf_inher of class_expr * string option
  | Pcf_valvirt of (string * mutable_flag * core_type * Location.t)
  | Pcf_val   of (string * mutable_flag * expression * Location.t)
  | Pcf_virt  of (string * private_flag * core_type * Location.t)
  | Pcf_meth  of (string * private_flag * expression * Location.t)
  | Pcf_cstr  of (core_type * core_type * Location.t)
  | Pcf_let   of rec_flag * (pattern * expression) list * Location.t
  | Pcf_init  of expression

and class_declaration = class_expr class_infos

(* Type expressions for the module language *)

and module_type =
  { pmty_desc: module_type_desc;
    pmty_loc: Location.t }

and module_type_desc =
    Pmty_ident of Longident.t
  | Pmty_signature of signature
  | Pmty_functor of string * module_type * module_type
  | Pmty_with of module_type * (Longident.t * with_constraint) list

and signature = signature_item list

and signature_item =
  { psig_desc: signature_item_desc;
    psig_loc: Location.t }

and signature_item_desc =
    Psig_value of string * value_description
  | Psig_type of (string * type_declaration) list
  | Psig_exception of string * exception_declaration
  | Psig_module of string * module_type
  | Psig_recmodule of (string * module_type) list
  | Psig_modtype of string * modtype_declaration
  | Psig_open of Longident.t
  | Psig_include of module_type
  | Psig_class of class_description list
  | Psig_class_type of class_type_declaration list

and modtype_declaration =
    Pmodtype_abstract
  | Pmodtype_manifest of module_type

and with_constraint =
    Pwith_type of type_declaration
  | Pwith_module of Longident.t

(* Value expressions for the module language *)

and module_expr =
  { pmod_desc: module_expr_desc;
    pmod_loc: Location.t }

and module_expr_desc =
    Pmod_ident of Longident.t
  | Pmod_structure of structure
  | Pmod_functor of string * module_type * module_expr
  | Pmod_apply of module_expr * module_expr
  | Pmod_constraint of module_expr * module_type

and structure = structure_item list

and structure_item =
  { pstr_desc: structure_item_desc;
    pstr_loc: Location.t }

and structure_item_desc =
    Pstr_eval of expression
  | Pstr_value of rec_flag * (pattern * expression) list
  | Pstr_primitive of string * value_description
  | Pstr_type of (string * type_declaration) list
  | Pstr_exception of string * exception_declaration
  | Pstr_exn_rebind of string * Longident.t
  | Pstr_module of string * module_expr
  | Pstr_recmodule of (string * module_type * module_expr) list
  | Pstr_modtype of string * module_type
  | Pstr_open of Longident.t
  | Pstr_class of class_declaration list
  | Pstr_class_type of class_type_declaration list
  | Pstr_include of module_expr
  | Pstr_function_spec of function_spec
  | Pstr_type_spec of type_spec
  | Pstr_logic_function_spec of logic_function_spec
  | Pstr_logic_type_spec of string
  | Pstr_axiom_spec of axiom_spec

and behavior = {
  pb_name: string;
  pb_ensures: expression;
}

and function_spec = {
  pfs_name: string;
  pfs_arguments: string list;
  pfs_requires: expression option;
  pfs_behaviors: behavior list;
}

and type_invariant = {
  pti_name: string;
  pti_argument: pattern;
  pti_body: expression;
}

and type_spec = {
  pts_name: string;
  pts_invariants: type_invariant list;
}

and read_location =
  | PRLvar of string
  | PRLderef of read_location * string

and optional_body =
  | POBreads of read_location list
  | POBbody of expression

and logic_function_spec = {
  plfs_name: string;
  plfs_arguments: pattern list;
  plfs_return_type: core_type option;
  plfs_body: optional_body;
  plfs_predicate: bool;
}

and axiom_spec = {
  pas_name: string;
  pas_arguments: pattern list;
  pas_body: expression;
}

(* Toplevel phrases *)

type toplevel_phrase =
    Ptop_def of structure
  | Ptop_dir of string * directive_argument

and directive_argument =
    Pdir_none
  | Pdir_string of string
  | Pdir_int of int
  | Pdir_ident of Longident.t
  | Pdir_bool of bool
why-2.34/ml/parsing/syntaxerr.ml0000644000175000017500000000327312311670312015266 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1997 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: syntaxerr.ml,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

(* Auxiliary type for reporting syntax errors *)

open Format

type error =
    Unclosed of Location.t * string * Location.t * string
  | Other of Location.t

exception Error of error
exception Escape_error

let report_error ppf = function
  | Unclosed(opening_loc, opening, closing_loc, closing) ->
      if String.length !Location.input_name = 0
      && Location.highlight_locations ppf opening_loc closing_loc
      then fprintf ppf "Syntax error: '%s' expected, \
                   the highlighted '%s' might be unmatched" closing opening
      else begin
        fprintf ppf "%aSyntax error: '%s' expected@."
          Location.print closing_loc closing;
        fprintf ppf "%aThis '%s' might be unmatched"
          Location.print opening_loc opening 
      end
  | Other loc ->
      fprintf ppf "%aSyntax error" Location.print loc


why-2.34/ml/parsing/linenum.mli0000644000175000017500000000255712311670312015053 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1997 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: linenum.mli,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

(* An auxiliary lexer for determining the line number corresponding to
   a file position, honoring the directives # linenum "filename" *)

val for_position: string -> int -> string * int * int
        (* [Linenum.for_position file loc] returns a triple describing
           the location [loc] in the file named [file].
           First result is name of actual source file.
           Second result is line number in that source file.
           Third result is position of beginning of that line in [file]. *)
why-2.34/ml/parsing/location.ml0000644000175000017500000001764512311670312015047 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: location.ml,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

open Lexing

type t = { loc_start: position; loc_end: position; loc_ghost: bool };;

let none = { loc_start = dummy_pos; loc_end = dummy_pos; loc_ghost = true };;

let in_file name =
  let loc = {
    pos_fname = name;
    pos_lnum = 1;
    pos_bol = 0;
    pos_cnum = -1;
  } in
  { loc_start = loc; loc_end = loc; loc_ghost = true }
;;

let curr lexbuf = {
  loc_start = lexbuf.lex_start_p;
  loc_end = lexbuf.lex_curr_p;
  loc_ghost = false
};;

let init lexbuf fname =
  lexbuf.lex_curr_p <- {
    pos_fname = fname;
    pos_lnum = 1;
    pos_bol = 0;
    pos_cnum = 0;
  }
;;

let symbol_rloc () = {
  loc_start = Parsing.symbol_start_pos ();
  loc_end = Parsing.symbol_end_pos ();
  loc_ghost = false;
};;

let symbol_gloc () = {
  loc_start = Parsing.symbol_start_pos ();
  loc_end = Parsing.symbol_end_pos ();
  loc_ghost = true;
};;

let rhs_loc n = {
  loc_start = Parsing.rhs_start_pos n;
  loc_end = Parsing.rhs_end_pos n;
  loc_ghost = false;
};;

let input_name = ref ""
let input_lexbuf = ref (None : lexbuf option)

(* Terminal info *)

let status = ref Terminfo.Uninitialised

let num_loc_lines = ref 0 (* number of lines already printed after input *)

(* Highlight the location using standout mode. *)

let highlight_terminfo ppf num_lines lb loc1 loc2 =
  (* Char 0 is at offset -lb.lex_abs_pos in lb.lex_buffer. *)
  let pos0 = -lb.lex_abs_pos in
  (* Do nothing if the buffer does not contain the whole phrase. *)
  if pos0 < 0 then raise Exit;
  (* Count number of lines in phrase *)
  let lines = ref !num_loc_lines in
  for i = pos0 to lb.lex_buffer_len - 1 do
    if lb.lex_buffer.[i] = '\n' then incr lines
  done;
  (* If too many lines, give up *)
  if !lines >= num_lines - 2 then raise Exit;
  (* Move cursor up that number of lines *)
  flush stdout; Terminfo.backup !lines;
  (* Print the input, switching to standout for the location *)
  let bol = ref false in
  print_string "# ";
  for pos = 0 to lb.lex_buffer_len - pos0 - 1 do
    if !bol then (print_string "  "; bol := false);
    if pos = loc1.loc_start.pos_cnum || pos = loc2.loc_start.pos_cnum then
      Terminfo.standout true;
    if pos = loc1.loc_end.pos_cnum || pos = loc2.loc_end.pos_cnum then
      Terminfo.standout false;
    let c = lb.lex_buffer.[pos + pos0] in
    print_char c;
    bol := (c = '\n')
  done;
  (* Make sure standout mode is over *)
  Terminfo.standout false;
  (* Position cursor back to original location *)
  Terminfo.resume !num_loc_lines;
  flush stdout

(* Highlight the location by printing it again. *)

let highlight_dumb ppf lb loc =
  (* Char 0 is at offset -lb.lex_abs_pos in lb.lex_buffer. *)
  let pos0 = -lb.lex_abs_pos in
  (* Do nothing if the buffer does not contain the whole phrase. *)
  if pos0 < 0 then raise Exit;
  let end_pos = lb.lex_buffer_len - pos0 - 1 in
  (* Determine line numbers for the start and end points *)
  let line_start = ref 0 and line_end = ref 0 in
  for pos = 0 to end_pos do
    if lb.lex_buffer.[pos + pos0] = '\n' then begin
      if loc.loc_start.pos_cnum > pos then incr line_start;
      if loc.loc_end.pos_cnum   > pos then incr line_end;
    end
  done;
  (* Print character location (useful for Emacs) *)
  Format.fprintf ppf "Characters %i-%i:@."
                 loc.loc_start.pos_cnum loc.loc_end.pos_cnum;
  (* Print the input, underlining the location *)
  print_string "  ";
  let line = ref 0 in
  let pos_at_bol = ref 0 in
  for pos = 0 to end_pos do
    let c = lb.lex_buffer.[pos + pos0] in
    if c <> '\n' then begin
      if !line = !line_start && !line = !line_end then
        (* loc is on one line: print whole line *)
        print_char c
      else if !line = !line_start then
        (* first line of multiline loc: print ... before loc_start *)
        if pos < loc.loc_start.pos_cnum
        then print_char '.'
        else print_char c
      else if !line = !line_end then
        (* last line of multiline loc: print ... after loc_end *)
        if pos < loc.loc_end.pos_cnum
        then print_char c
        else print_char '.'
      else if !line > !line_start && !line < !line_end then
        (* intermediate line of multiline loc: print whole line *)
        print_char c
    end else begin
      if !line = !line_start && !line = !line_end then begin
        (* loc is on one line: underline location *)
        print_string "\n  ";
        for i = !pos_at_bol to loc.loc_start.pos_cnum - 1 do
          print_char ' '
        done;
        for i = loc.loc_start.pos_cnum to loc.loc_end.pos_cnum - 1 do
          print_char '^'
        done
      end;
      if !line >= !line_start && !line <= !line_end then begin
        print_char '\n';
        if pos < loc.loc_end.pos_cnum then print_string "  "
      end;
      incr line;
      pos_at_bol := pos + 1;
    end
  done

(* Highlight the location using one of the supported modes. *)

let rec highlight_locations ppf loc1 loc2 =
  match !status with
    Terminfo.Uninitialised ->
      status := Terminfo.setup stdout; highlight_locations ppf loc1 loc2
  | Terminfo.Bad_term ->
      begin match !input_lexbuf with
        None -> false
      | Some lb ->
          let norepeat =
            try Sys.getenv "TERM" = "norepeat" with Not_found -> false in
          if norepeat then false else
            try highlight_dumb ppf lb loc1; true
            with Exit -> false
      end
  | Terminfo.Good_term num_lines ->
      begin match !input_lexbuf with
        None -> false
      | Some lb ->
          try highlight_terminfo ppf num_lines lb loc1 loc2; true
          with Exit -> false
      end

(* Print the location in some way or another *)

open Format

let reset () =
  num_loc_lines := 0

let (msg_file, msg_line, msg_chars, msg_to, msg_colon, msg_head) =
  ("File \"", "\", line ", ", characters ", "-", ":", "")

(* return file, line, char from the given position *)
let get_pos_info pos =
  let (filename, linenum, linebeg) =
    if pos.pos_fname = "" && !input_name = "" then
      ("", -1, 0)
    else if pos.pos_fname = "" then
      Linenum.for_position !input_name pos.pos_cnum
    else
      (pos.pos_fname, pos.pos_lnum, pos.pos_bol)
  in
  (filename, linenum, pos.pos_cnum - linebeg)
;;

let print ppf loc =
  let (file, line, startchar) = get_pos_info loc.loc_start in
  let endchar = loc.loc_end.pos_cnum - loc.loc_start.pos_cnum + startchar in
  let (startchar, endchar) =
    if startchar < 0 then (0, 1) else (startchar, endchar)
  in
  if file = "" then begin
    if highlight_locations ppf loc none then () else
      fprintf ppf "Characters %i-%i:@."
              loc.loc_start.pos_cnum loc.loc_end.pos_cnum
  end else begin
    fprintf ppf "%s%s%s%i" msg_file file msg_line line;
    fprintf ppf "%s%i" msg_chars startchar;
    fprintf ppf "%s%i%s@.%s" msg_to endchar msg_colon msg_head;
  end

let print_warning loc ppf w =
  if Warnings.is_active w then begin
    let printw ppf w =
      let n = Warnings.print ppf w in
      num_loc_lines := !num_loc_lines + n
    in
    fprintf ppf "%a" print loc;
    fprintf ppf "Warning %a@." printw w;
    pp_print_flush ppf ();
    incr num_loc_lines;
  end
;;

let prerr_warning loc w = print_warning loc err_formatter w;;

let echo_eof () =
  print_newline ();
  incr num_loc_lines
why-2.34/ml/parsing/syntaxerr.mli0000644000175000017500000000215512311670312015435 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1997 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: syntaxerr.mli,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

(* Auxiliary type for reporting syntax errors *)

open Format

type error =
    Unclosed of Location.t * string * Location.t * string
  | Other of Location.t

exception Error of error
exception Escape_error

val report_error: formatter -> error -> unit
why-2.34/ml/parsing/location.mli0000644000175000017500000000422412311670312015205 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: location.mli,v 1.1 2007-11-29 15:11:19 bardou Exp $ *)

(* Source code locations (ranges of positions), used in parsetree. *)

open Format

type t = {
  loc_start: Lexing.position;
  loc_end: Lexing.position;
  loc_ghost: bool;
}

(* Note on the use of Lexing.position in this module.
   If [pos_fname = ""], then use [!input_name] instead.
   If [pos_lnum = -1], then [pos_bol = 0]. Use [pos_cnum] and
     re-parse the file to get the line and character numbers.
   Else all fields are correct.
*)

val none : t
(** An arbitrary value of type [t]; describes an empty ghost range. *)
val in_file : string -> t;;
(** Return an empty ghost range located in a given file. *)
val init : Lexing.lexbuf -> string -> unit
(** Set the file name and line number of the [lexbuf] to be the start
    of the named file. *)
val curr : Lexing.lexbuf -> t
(** Get the location of the current token from the [lexbuf]. *)

val symbol_rloc: unit -> t
val symbol_gloc: unit -> t
val rhs_loc: int -> t

val input_name: string ref
val input_lexbuf: Lexing.lexbuf option ref

val get_pos_info : Lexing.position -> string * int * int (* file, line, char *)
val print: formatter -> t -> unit
val print_warning: t -> formatter -> Warnings.t -> unit
val prerr_warning: t -> Warnings.t -> unit
val echo_eof: unit -> unit
val reset: unit -> unit

val highlight_locations: formatter -> t -> t -> bool
why-2.34/ml/parsing/lexer.mli0000644000175000017500000000257512311670312014523 0ustar  rtusers(***********************************************************************)
(*                                                                     *)
(*                           Objective Caml                            *)
(*                                                                     *)
(*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         *)
(*                                                                     *)
(*  Copyright 1996 Institut National de Recherche en Informatique et   *)
(*  en Automatique.  All rights reserved.  This file is distributed    *)
(*  under the terms of the Q Public License version 1.0.               *)
(*                                                                     *)
(***********************************************************************)

(* $Id: lexer.mli,v 1.2 2007-12-05 15:12:51 bardou Exp $ *)

(* The lexical analyzer *)

val token: Lexing.lexbuf -> Parser.token
val skip_sharp_bang: Lexing.lexbuf -> unit

type error =
  | Illegal_character of char
  | Illegal_escape of string
  | Unterminated_comment
  | Unterminated_string
  | Unterminated_string_in_comment
  | Keyword_as_label of string
  | Literal_overflow of string
  | Unknown_backslash_identifer of string
  | Not_in_annotation
;;

exception Error of error * Location.t

open Format

val report_error: formatter -> error -> unit

val in_comment : unit -> bool;;
why-2.34/ml/parsing/parser.mly0000644000175000017500000015643212311670312014722 0ustar  rtusers/***********************************************************************/
/*                                                                     */
/*                           Objective Caml                            */
/*                                                                     */
/*            Xavier Leroy, projet Cristal, INRIA Rocquencourt         */
/*                                                                     */
/*  Copyright 1996 Institut National de Recherche en Informatique et   */
/*  en Automatique.  All rights reserved.  This file is distributed    */
/*  under the terms of the Q Public License version 1.0.               */
/*                                                                     */
/***********************************************************************/

/* $Id: parser.mly,v 1.10 2007-12-20 17:10:01 bardou Exp $ */

/* The parser definition */

%{
open Location
open Asttypes
open Longident
open Parsetree

let mktyp d =
  { ptyp_desc = d; ptyp_loc = symbol_rloc() }
let mkpat d =
  { ppat_desc = d; ppat_loc = symbol_rloc() }
let mkexp d =
  { pexp_desc = d; pexp_loc = symbol_rloc() }
let mkmty d =
  { pmty_desc = d; pmty_loc = symbol_rloc() }
let mksig d =
  { psig_desc = d; psig_loc = symbol_rloc() }
let mkmod d =
  { pmod_desc = d; pmod_loc = symbol_rloc() }
let mkstr d =
  { pstr_desc = d; pstr_loc = symbol_rloc() }
let mkfield d =
  { pfield_desc = d; pfield_loc = symbol_rloc() }
let mkclass d =
  { pcl_desc = d; pcl_loc = symbol_rloc() }
let mkcty d =
  { pcty_desc = d; pcty_loc = symbol_rloc() }

let reloc_pat x = { x with ppat_loc = symbol_rloc () };;
let reloc_exp x = { x with pexp_loc = symbol_rloc () };;

let mkoperator name pos =
  { pexp_desc = Pexp_ident(Lident name); pexp_loc = rhs_loc pos }

(*
  Ghost expressions and patterns:
  expressions and patterns that do not appear explicitely in the
  source file they have the loc_ghost flag set to true.
  Then the profiler will not try to instrument them and the
  -stypes option will not try to display their type.

  Every grammar rule that generates an element with a location must
  make at most one non-ghost element, the topmost one.

  How to tell whether your location must be ghost:
  A location corresponds to a range of characters in the source file.
  If the location contains a piece of code that is syntactically
  valid (according to the documentation), and corresponds to the
  AST node, then the location must be real; in all other cases,
  it must be ghost.
*)
let ghexp d = { pexp_desc = d; pexp_loc = symbol_gloc () };;
let ghpat d = { ppat_desc = d; ppat_loc = symbol_gloc () };;
let ghtyp d = { ptyp_desc = d; ptyp_loc = symbol_gloc () };;

let mkassert e =
  match e with
  | {pexp_desc = Pexp_construct (Lident "false", None, false) } ->
         mkexp (Pexp_assertfalse)
  | _ -> mkexp (Pexp_assert (e))
;;

let mkinfix arg1 name arg2 =
  mkexp(Pexp_apply(mkoperator name 2, ["", arg1; "", arg2]))

let neg_float_string f =
  if String.length f > 0 && f.[0] = '-'
  then String.sub f 1 (String.length f - 1)
  else "-" ^ f

let mkuminus name arg =
  match name, arg.pexp_desc with
  | "-", Pexp_constant(Const_int n) ->
      mkexp(Pexp_constant(Const_int(-n)))
  | "-", Pexp_constant(Const_int32 n) ->
      mkexp(Pexp_constant(Const_int32(Int32.neg n)))
  | "-", Pexp_constant(Const_int64 n) ->
      mkexp(Pexp_constant(Const_int64(Int64.neg n)))
  | "-", Pexp_constant(Const_nativeint n) ->
      mkexp(Pexp_constant(Const_nativeint(Nativeint.neg n)))
  | _, Pexp_constant(Const_float f) ->
      mkexp(Pexp_constant(Const_float(neg_float_string f)))
  | _ ->
      mkexp(Pexp_apply(mkoperator ("~" ^ name) 1, ["", arg]))

let rec mktailexp = function
    [] ->
      ghexp(Pexp_construct(Lident "[]", None, false))
  | e1 :: el ->
      let exp_el = mktailexp el in
      let l = {loc_start = e1.pexp_loc.loc_start;
               loc_end = exp_el.pexp_loc.loc_end;
               loc_ghost = true}
      in
      let arg = {pexp_desc = Pexp_tuple [e1; exp_el]; pexp_loc = l} in
      {pexp_desc = Pexp_construct(Lident "::", Some arg, false); pexp_loc = l}

let rec mktailpat = function
    [] ->
      ghpat(Ppat_construct(Lident "[]", None, false))
  | p1 :: pl ->
      let pat_pl = mktailpat pl in
      let l = {loc_start = p1.ppat_loc.loc_start;
               loc_end = pat_pl.ppat_loc.loc_end;
               loc_ghost = true}
      in
      let arg = {ppat_desc = Ppat_tuple [p1; pat_pl]; ppat_loc = l} in
      {ppat_desc = Ppat_construct(Lident "::", Some arg, false); ppat_loc = l}

let ghstrexp e =
  { pstr_desc = Pstr_eval e; pstr_loc = {e.pexp_loc with loc_ghost = true} }

let array_function str name =
(* commented to simplify (so we don't use utils/clflags and utils/config)
  Ldot(Lident str, (if !Clflags.fast then "unsafe_" ^ name else name))*)
  Ldot(Lident str, name)

let rec deep_mkrangepat c1 c2 =
  if c1 = c2 then ghpat(Ppat_constant(Const_char c1)) else
  ghpat(Ppat_or(ghpat(Ppat_constant(Const_char c1)),
                deep_mkrangepat (Char.chr(Char.code c1 + 1)) c2))

let rec mkrangepat c1 c2 =
  if c1 > c2 then mkrangepat c2 c1 else
  if c1 = c2 then mkpat(Ppat_constant(Const_char c1)) else
  reloc_pat (deep_mkrangepat c1 c2)

let syntax_error () =
  raise Syntaxerr.Escape_error

let unclosed opening_name opening_num closing_name closing_num =
  raise(Syntaxerr.Error(Syntaxerr.Unclosed(rhs_loc opening_num, opening_name,
                                           rhs_loc closing_num, closing_name)))

let bigarray_function str name =
  Ldot(Ldot(Lident "Bigarray", str), name)

let bigarray_untuplify = function
    { pexp_desc = Pexp_tuple explist} -> explist
  | exp -> [exp]

let bigarray_get arr arg =
  match bigarray_untuplify arg with
    [c1] ->
      mkexp(Pexp_apply(ghexp(Pexp_ident(bigarray_function "Array1" "get")),
                       ["", arr; "", c1]))
  | [c1;c2] ->
      mkexp(Pexp_apply(ghexp(Pexp_ident(bigarray_function "Array2" "get")),
                       ["", arr; "", c1; "", c2]))
  | [c1;c2;c3] ->
      mkexp(Pexp_apply(ghexp(Pexp_ident(bigarray_function "Array3" "get")),
                       ["", arr; "", c1; "", c2; "", c3]))
  | coords ->
      mkexp(Pexp_apply(ghexp(Pexp_ident(bigarray_function "Genarray" "get")),
                       ["", arr; "", ghexp(Pexp_array coords)]))

let bigarray_set arr arg newval =
  match bigarray_untuplify arg with
    [c1] ->
      mkexp(Pexp_apply(ghexp(Pexp_ident(bigarray_function "Array1" "set")),
                       ["", arr; "", c1; "", newval]))
  | [c1;c2] ->
      mkexp(Pexp_apply(ghexp(Pexp_ident(bigarray_function "Array2" "set")),
                       ["", arr; "", c1; "", c2; "", newval]))
  | [c1;c2;c3] ->
      mkexp(Pexp_apply(ghexp(Pexp_ident(bigarray_function "Array3" "set")),
                       ["", arr; "", c1; "", c2; "", c3; "", newval]))
  | coords ->
      mkexp(Pexp_apply(ghexp(Pexp_ident(bigarray_function "Genarray" "set")),
                       ["", arr;
                        "", ghexp(Pexp_array coords);
                        "", newval]))
%}

/* Tokens */

%token AMPERAMPER
%token AMPERSAND
%token AND
%token AS
%token ASSERT
%token BACKQUOTE
%token BAR
%token BARBAR
%token BARRBRACKET
%token BEGIN
%token  CHAR
%token CLASS
%token COLON
%token COLONCOLON
%token COLONEQUAL
%token COLONGREATER
%token COMMA
%token CONSTRAINT
%token DO
%token DONE
%token DOT
%token DOTDOT
%token DOWNTO
%token ELSE
%token END
%token EOF
%token EQUAL
%token EXCEPTION
%token EXTERNAL
%token FALSE
%token  FLOAT
%token FOR
%token FUN
%token FUNCTION
%token FUNCTOR
%token GREATER
%token GREATERRBRACE
%token GREATERRBRACKET
%token IF
%token IN
%token INCLUDE
%token  INFIXOP0
%token  INFIXOP1
%token  INFIXOP2
%token  INFIXOP3
%token  INFIXOP4
%token INHERIT
%token INITIALIZER
%token  INT
%token  INT32
%token  INT64
%token  LABEL
%token LAZY
%token LBRACE
%token LBRACELESS
%token LBRACKET
%token LBRACKETBAR
%token LBRACKETLESS
%token LBRACKETGREATER
%token LESS
%token LESSMINUS
%token LET
%token  LIDENT
%token LPAREN
%token MATCH
%token METHOD
%token MINUS
%token MINUSDOT
%token MINUSGREATER
%token MODULE
%token MUTABLE
%token  NATIVEINT
%token NEW
%token OBJECT
%token OF
%token OPEN
%token  OPTLABEL
%token OR
/* %token PARSER */
%token PLUS
%token  PREFIXOP
%token PRIVATE
%token QUESTION
%token QUESTIONQUESTION
%token QUOTE
%token RBRACE
%token RBRACKET
%token REC
%token RPAREN
%token SEMI
%token SEMISEMI
%token SHARP
%token SIG
%token STAR
%token  STRING
%token STRUCT
%token THEN
%token TILDE
%token TO
%token TRUE
%token TRY
%token TYPE
%token  UIDENT
%token UNDERSCORE
%token VAL
%token VIRTUAL
%token WHEN
%token WHILE
%token WITH

%token AXIOM
%token BEHAVIOR
%token BSOLD
%token BSRESULT
%token ENSURES
%token EQUALEQUALGREATER
%token INVARIANT
%token LANNOT
%token LESSEQUALEQUAL
%token LESSEQUALGREATER
%token LOGIC
%token PREDICATE
%token RANNOT
%token READS
%token REQUIRES
%token VARIANT

/* Precedences and associativities.

Tokens and rules have precedences.  A reduce/reduce conflict is resolved
in favor of the first rule (in source file order).  A shift/reduce conflict
is resolved by comparing the precedence and associativity of the token to
be shifted with those of the rule to be reduced.

By default, a rule has the precedence of its rightmost terminal (if any).

When there is a shift/reduce conflict between a rule and a token that
have the same precedence, it is resolved using the associativity:
if the token is left-associative, the parser will reduce; if
right-associative, the parser will shift; if non-associative,
the parser will declare a syntax error.

We will only use associativities with operators of the kind  x * x -> x
for example, in the rules of the form    expr: expr BINOP expr
in all other cases, we define two precedences if needed to resolve
conflicts.

The precedences must be listed from low to high.
*/

%nonassoc IN
%nonassoc below_SEMI
%nonassoc SEMI                          /* below EQUAL ({lbl=...; lbl=...}) */
%nonassoc LET                           /* above SEMI ( ...; let ... in ...) */
%nonassoc below_WITH
%nonassoc FUNCTION WITH                 /* below BAR  (match ... with ...) */
%nonassoc AND             /* above WITH (module rec A: SIG with ... and ...) */
%nonassoc THEN                          /* below ELSE (if ... then ...) */
%nonassoc ELSE                          /* (if ... then ... else ...) */
%nonassoc LESSMINUS                     /* below COLONEQUAL (lbl <- x := e) */
%right    COLONEQUAL                    /* expr (e := e := e) */
%nonassoc AS
%left     BAR                           /* pattern (p|p|p) */
%nonassoc below_COMMA
%left     COMMA                         /* expr/expr_comma_list (e,e,e) */
%right    MINUSGREATER                  /* core_type2 (t -> t -> t) */
%right    OR BARBAR                     /* expr (e || e || e) */
%right    AMPERSAND AMPERAMPER          /* expr (e && e && e) */
%nonassoc below_EQUAL
%right    EQUALEQUALGREATER
%left     LESSEQUALEQUAL LESSEQUALGREATER
%left     INFIXOP0 EQUAL LESS GREATER   /* expr (e OP e OP e) */
%right    INFIXOP1                      /* expr (e OP e OP e) */
%right    COLONCOLON                    /* expr (e :: e :: e) */
%left     INFIXOP2 PLUS MINUS MINUSDOT  /* expr (e OP e OP e) */
%left     INFIXOP3 STAR                 /* expr (e OP e OP e) */
%right    INFIXOP4                      /* expr (e OP e OP e) */
%nonassoc prec_unary_minus              /* unary - */
%nonassoc prec_constant_constructor     /* cf. simple_expr (C versus C x) */
%nonassoc prec_constr_appl              /* above AS BAR COLONCOLON COMMA */
%nonassoc below_SHARP
%nonassoc SHARP                         /* simple_expr/toplevel_directive */
%nonassoc BSOLD
%nonassoc below_DOT
%nonassoc DOT
/* Finally, the first tokens of simple_expr are above everything else. */
%nonassoc BACKQUOTE BEGIN CHAR FALSE FLOAT INT INT32 INT64
          LBRACE LBRACELESS LBRACKET LBRACKETBAR LIDENT LPAREN
          NEW NATIVEINT PREFIXOP STRING TRUE UIDENT BSRESULT


/* Entry points */

%start implementation                   /* for implementation files */
%type  implementation
%start interface                        /* for interface files */
%type  interface
%start toplevel_phrase                  /* for interactive use */
%type  toplevel_phrase
%start use_file                         /* for the #use directive */
%type  use_file

%%

/* Entry points */

implementation:
    structure EOF                        { $1 }
;
interface:
    signature EOF                        { List.rev $1 }
;
toplevel_phrase:
    top_structure SEMISEMI               { Ptop_def $1 }
  | seq_expr SEMISEMI                    { Ptop_def[ghstrexp $1] }
  | toplevel_directive SEMISEMI          { $1 }
  | EOF                                  { raise End_of_file }
;
top_structure:
    structure_item                       { [$1] }
  | structure_item top_structure         { $1 :: $2 }
;
use_file:
    use_file_tail                        { $1 }
  | seq_expr use_file_tail               { Ptop_def[ghstrexp $1] :: $2 }
;
use_file_tail:
    EOF                                         { [] }
  | SEMISEMI EOF                                { [] }
  | SEMISEMI seq_expr use_file_tail             { Ptop_def[ghstrexp $2] :: $3 }
  | SEMISEMI structure_item use_file_tail       { Ptop_def[$2] :: $3 }
  | SEMISEMI toplevel_directive use_file_tail   { $2 :: $3 }
  | structure_item use_file_tail                { Ptop_def[$1] :: $2 }
  | toplevel_directive use_file_tail            { $1 :: $2 }
;

/* Module expressions */

module_expr:
    mod_longident
      { mkmod(Pmod_ident $1) }
  | STRUCT structure END
      { mkmod(Pmod_structure($2)) }
  | STRUCT structure error
      { unclosed "struct" 1 "end" 3 }
  | FUNCTOR LPAREN UIDENT COLON module_type RPAREN MINUSGREATER module_expr
      { mkmod(Pmod_functor($3, $5, $8)) }
  | module_expr LPAREN module_expr RPAREN
      { mkmod(Pmod_apply($1, $3)) }
  | module_expr LPAREN module_expr error
      { unclosed "(" 2 ")" 4 }
  | LPAREN module_expr COLON module_type RPAREN
      { mkmod(Pmod_constraint($2, $4)) }
  | LPAREN module_expr COLON module_type error
      { unclosed "(" 1 ")" 5 }
  | LPAREN module_expr RPAREN
      { $2 }
  | LPAREN module_expr error
      { unclosed "(" 1 ")" 3 }
;
structure:
    structure_tail                              { $1 }
  | seq_expr structure_tail                     { ghstrexp $1 :: $2 }
;
structure_tail:
    /* empty */                                 { [] }
  | SEMISEMI                                    { [] }
  | SEMISEMI seq_expr structure_tail            { ghstrexp $2 :: $3 }
  | SEMISEMI structure_item structure_tail      { $2 :: $3 }
  | structure_item structure_tail               { $1 :: $2 }
;
structure_item:
    LET rec_flag let_bindings
      { match $3 with
          [{ppat_desc = Ppat_any}, exp] -> mkstr(Pstr_eval exp)
        | _ -> mkstr(Pstr_value($2, List.rev $3)) }
  | EXTERNAL val_ident_colon core_type EQUAL primitive_declaration
      { mkstr(Pstr_primitive($2, {pval_type = $3; pval_prim = $5})) }
  | TYPE type_declarations
      { mkstr(Pstr_type(List.rev $2)) }
  | EXCEPTION UIDENT constructor_arguments
      { mkstr(Pstr_exception($2, $3)) }
  | EXCEPTION UIDENT EQUAL constr_longident
      { mkstr(Pstr_exn_rebind($2, $4)) }
  | MODULE UIDENT module_binding
      { mkstr(Pstr_module($2, $3)) }
  | MODULE REC module_rec_bindings
      { mkstr(Pstr_recmodule(List.rev $3)) }
  | MODULE TYPE ident EQUAL module_type
      { mkstr(Pstr_modtype($3, $5)) }
  | OPEN mod_longident
      { mkstr(Pstr_open $2) }
  | CLASS class_declarations
      { mkstr(Pstr_class (List.rev $2)) }
  | CLASS TYPE class_type_declarations
      { mkstr(Pstr_class_type (List.rev $3)) }
  | INCLUDE module_expr
      { mkstr(Pstr_include $2) }
  | LANNOT function_spec RANNOT
      { mkstr(Pstr_function_spec $2) }
  | LANNOT type_spec RANNOT
      { mkstr(Pstr_type_spec $2) }
  | LANNOT logic_type_spec RANNOT
      { mkstr(Pstr_logic_type_spec $2) }
  | LANNOT logic_function_spec RANNOT
      { mkstr(Pstr_logic_function_spec $2) }
  | LANNOT axiom_spec RANNOT
      { mkstr(Pstr_axiom_spec $2) }
;
module_binding:
    EQUAL module_expr
      { $2 }
  | COLON module_type EQUAL module_expr
      { mkmod(Pmod_constraint($4, $2)) }
  | LPAREN UIDENT COLON module_type RPAREN module_binding
      { mkmod(Pmod_functor($2, $4, $6)) }
;
module_rec_bindings:
    module_rec_binding                            { [$1] }
  | module_rec_bindings AND module_rec_binding    { $3 :: $1 }
;
module_rec_binding:
    UIDENT COLON module_type EQUAL module_expr    { ($1, $3, $5) }
;

/* Module types */

module_type:
    mty_longident
      { mkmty(Pmty_ident $1) }
  | SIG signature END
      { mkmty(Pmty_signature(List.rev $2)) }
  | SIG signature error
      { unclosed "sig" 1 "end" 3 }
  | FUNCTOR LPAREN UIDENT COLON module_type RPAREN MINUSGREATER module_type
      %prec below_WITH
      { mkmty(Pmty_functor($3, $5, $8)) }
  | module_type WITH with_constraints
      { mkmty(Pmty_with($1, List.rev $3)) }
  | LPAREN module_type RPAREN
      { $2 }
  | LPAREN module_type error
      { unclosed "(" 1 ")" 3 }
;
signature:
    /* empty */                                 { [] }
  | signature signature_item                    { $2 :: $1 }
  | signature signature_item SEMISEMI           { $2 :: $1 }
;
signature_item:
    VAL val_ident_colon core_type
      { mksig(Psig_value($2, {pval_type = $3; pval_prim = []})) }
  | EXTERNAL val_ident_colon core_type EQUAL primitive_declaration
      { mksig(Psig_value($2, {pval_type = $3; pval_prim = $5})) }
  | TYPE type_declarations
      { mksig(Psig_type(List.rev $2)) }
  | EXCEPTION UIDENT constructor_arguments
      { mksig(Psig_exception($2, $3)) }
  | MODULE UIDENT module_declaration
      { mksig(Psig_module($2, $3)) }
  | MODULE REC module_rec_declarations
      { mksig(Psig_recmodule(List.rev $3)) }
  | MODULE TYPE ident
      { mksig(Psig_modtype($3, Pmodtype_abstract)) }
  | MODULE TYPE ident EQUAL module_type
      { mksig(Psig_modtype($3, Pmodtype_manifest $5)) }
  | OPEN mod_longident
      { mksig(Psig_open $2) }
  | INCLUDE module_type
      { mksig(Psig_include $2) }
  | CLASS class_descriptions
      { mksig(Psig_class (List.rev $2)) }
  | CLASS TYPE class_type_declarations
      { mksig(Psig_class_type (List.rev $3)) }
;

module_declaration:
    COLON module_type
      { $2 }
  | LPAREN UIDENT COLON module_type RPAREN module_declaration
      { mkmty(Pmty_functor($2, $4, $6)) }
;
module_rec_declarations:
    module_rec_declaration                              { [$1] }
  | module_rec_declarations AND module_rec_declaration  { $3 :: $1 }
;
module_rec_declaration:
    UIDENT COLON module_type                            { ($1, $3) }
;

/* Class expressions */

class_declarations:
    class_declarations AND class_declaration    { $3 :: $1 }
  | class_declaration                           { [$1] }
;
class_declaration:
    virtual_flag class_type_parameters LIDENT class_fun_binding
      { let params, variance = List.split (fst $2) in
        {pci_virt = $1; pci_params = params, snd $2;
         pci_name = $3; pci_expr = $4; pci_variance = variance;
         pci_loc = symbol_rloc ()} }
;
class_fun_binding:
    EQUAL class_expr
      { $2 }
  | COLON class_type EQUAL class_expr
      { mkclass(Pcl_constraint($4, $2)) }
  | labeled_simple_pattern class_fun_binding
      { let (l,o,p) = $1 in mkclass(Pcl_fun(l, o, p, $2)) }
;
class_type_parameters:
    /*empty*/                                   { [], symbol_gloc () }
  | LBRACKET type_parameter_list RBRACKET       { List.rev $2, symbol_rloc () }
;
class_fun_def:
    labeled_simple_pattern MINUSGREATER class_expr
      { let (l,o,p) = $1 in mkclass(Pcl_fun(l, o, p, $3)) }
  | labeled_simple_pattern class_fun_def
      { let (l,o,p) = $1 in mkclass(Pcl_fun(l, o, p, $2)) }
;
class_expr:
    class_simple_expr
      { $1 }
  | FUN class_fun_def
      { $2 }
  | class_simple_expr simple_labeled_expr_list
      { mkclass(Pcl_apply($1, List.rev $2)) }
  | LET rec_flag let_bindings IN class_expr
      { mkclass(Pcl_let ($2, List.rev $3, $5)) }
;
class_simple_expr:
    LBRACKET core_type_comma_list RBRACKET class_longident
      { mkclass(Pcl_constr($4, List.rev $2)) }
  | class_longident
      { mkclass(Pcl_constr($1, [])) }
  | OBJECT class_structure END
      { mkclass(Pcl_structure($2)) }
  | OBJECT class_structure error
      { unclosed "object" 1 "end" 3 }
  | LPAREN class_expr COLON class_type RPAREN
      { mkclass(Pcl_constraint($2, $4)) }
  | LPAREN class_expr COLON class_type error
      { unclosed "(" 1 ")" 5 }
  | LPAREN class_expr RPAREN
      { $2 }
  | LPAREN class_expr error
      { unclosed "(" 1 ")" 3 }
;
class_structure:
    class_self_pattern class_fields
      { $1, List.rev $2 }
;
class_self_pattern:
    LPAREN pattern RPAREN
      { reloc_pat $2 }
  | LPAREN pattern COLON core_type RPAREN
      { mkpat(Ppat_constraint($2, $4)) }
  | /* empty */
      { ghpat(Ppat_any) }
;
class_fields:
    /* empty */
      { [] }
  | class_fields INHERIT class_expr parent_binder
      { Pcf_inher ($3, $4) :: $1 }
  | class_fields VAL virtual_value
      { Pcf_valvirt $3 :: $1 }
  | class_fields VAL value
      { Pcf_val $3 :: $1 }
  | class_fields virtual_method
      { Pcf_virt $2 :: $1 }
  | class_fields concrete_method
      { Pcf_meth $2 :: $1 }
  | class_fields CONSTRAINT constrain
      { Pcf_cstr $3 :: $1 }
  | class_fields INITIALIZER seq_expr
      { Pcf_init $3 :: $1 }
;
parent_binder:
    AS LIDENT
          { Some $2 }
  | /* empty */
          { None }
;
virtual_value:
    MUTABLE VIRTUAL label COLON core_type
      { $3, Mutable, $5, symbol_rloc () }
  | VIRTUAL mutable_flag label COLON core_type
      { $3, $2, $5, symbol_rloc () }
;
value:
    mutable_flag label EQUAL seq_expr
      { $2, $1, $4, symbol_rloc () }
  | mutable_flag label type_constraint EQUAL seq_expr
      { $2, $1, (let (t, t') = $3 in ghexp(Pexp_constraint($5, t, t'))),
        symbol_rloc () }
;
virtual_method:
    METHOD PRIVATE VIRTUAL label COLON poly_type
      { $4, Private, $6, symbol_rloc () }
  | METHOD VIRTUAL private_flag label COLON poly_type
      { $4, $3, $6, symbol_rloc () }
;
concrete_method :
    METHOD private_flag label strict_binding
      { $3, $2, ghexp(Pexp_poly ($4, None)), symbol_rloc () }
  | METHOD private_flag label COLON poly_type EQUAL seq_expr
      { $3, $2, ghexp(Pexp_poly($7,Some $5)), symbol_rloc () }
  | METHOD private_flag LABEL poly_type EQUAL seq_expr
      { $3, $2, ghexp(Pexp_poly($6,Some $4)), symbol_rloc () }
;

/* Class types */

class_type:
    class_signature
      { $1 }
  | QUESTION LIDENT COLON simple_core_type_or_tuple MINUSGREATER class_type
      { mkcty(Pcty_fun("?" ^ $2 ,
                       {ptyp_desc = Ptyp_constr(Lident "option", [$4]);
                        ptyp_loc = $4.ptyp_loc},
                       $6)) }
  | OPTLABEL simple_core_type_or_tuple MINUSGREATER class_type
      { mkcty(Pcty_fun("?" ^ $1 ,
                       {ptyp_desc = Ptyp_constr(Lident "option", [$2]);
                        ptyp_loc = $2.ptyp_loc},
                       $4)) }
  | LIDENT COLON simple_core_type_or_tuple MINUSGREATER class_type
      { mkcty(Pcty_fun($1, $3, $5)) }
  | simple_core_type_or_tuple MINUSGREATER class_type
      { mkcty(Pcty_fun("", $1, $3)) }
;
class_signature:
    LBRACKET core_type_comma_list RBRACKET clty_longident
      { mkcty(Pcty_constr ($4, List.rev $2)) }
  | clty_longident
      { mkcty(Pcty_constr ($1, [])) }
  | OBJECT class_sig_body END
      { mkcty(Pcty_signature $2) }
  | OBJECT class_sig_body error
      { unclosed "object" 1 "end" 3 }
;
class_sig_body:
    class_self_type class_sig_fields
      { $1, List.rev $2 }
;
class_self_type:
    LPAREN core_type RPAREN
      { $2 }
  | /* empty */
      { mktyp(Ptyp_any) }
;
class_sig_fields:
    /* empty */                                 { [] }
  | class_sig_fields INHERIT class_signature    { Pctf_inher $3 :: $1 }
  | class_sig_fields VAL value_type             { Pctf_val   $3 :: $1 }
  | class_sig_fields virtual_method             { Pctf_virt  $2 :: $1 }
  | class_sig_fields method_type                { Pctf_meth  $2 :: $1 }
  | class_sig_fields CONSTRAINT constrain       { Pctf_cstr  $3 :: $1 }
;
value_type:
    VIRTUAL mutable_flag label COLON core_type
      { $3, $2, Virtual, $5, symbol_rloc () }
  | MUTABLE virtual_flag label COLON core_type
      { $3, Mutable, $2, $5, symbol_rloc () }
  | label COLON core_type
      { $1, Immutable, Concrete, $3, symbol_rloc () }
;
method_type:
    METHOD private_flag label COLON poly_type
      { $3, $2, $5, symbol_rloc () }
;
constrain:
        core_type EQUAL core_type          { $1, $3, symbol_rloc () }
;
class_descriptions:
    class_descriptions AND class_description    { $3 :: $1 }
  | class_description                           { [$1] }
;
class_description:
    virtual_flag class_type_parameters LIDENT COLON class_type
      { let params, variance = List.split (fst $2) in
        {pci_virt = $1; pci_params = params, snd $2;
         pci_name = $3; pci_expr = $5; pci_variance = variance;
         pci_loc = symbol_rloc ()} }
;
class_type_declarations:
    class_type_declarations AND class_type_declaration  { $3 :: $1 }
  | class_type_declaration                              { [$1] }
;
class_type_declaration:
    virtual_flag class_type_parameters LIDENT EQUAL class_signature
      { let params, variance = List.split (fst $2) in
        {pci_virt = $1; pci_params = params, snd $2;
         pci_name = $3; pci_expr = $5; pci_variance = variance;
         pci_loc = symbol_rloc ()} }
;

/* Core expressions */

seq_expr:
  | expr        %prec below_SEMI  { $1 }
  | expr SEMI                     { reloc_exp $1 }
  | expr SEMI seq_expr            { mkexp(Pexp_sequence($1, $3)) }
;
labeled_simple_pattern:
    QUESTION LPAREN label_let_pattern opt_default RPAREN
      { ("?" ^ fst $3, $4, snd $3) }
  | QUESTION label_var
      { ("?" ^ fst $2, None, snd $2) }
  | OPTLABEL LPAREN let_pattern opt_default RPAREN
      { ("?" ^ $1, $4, $3) }
  | OPTLABEL pattern_var
      { ("?" ^ $1, None, $2) }
  | TILDE LPAREN label_let_pattern RPAREN
      { (fst $3, None, snd $3) }
  | TILDE label_var
      { (fst $2, None, snd $2) }
  | LABEL simple_pattern
      { ($1, None, $2) }
  | simple_pattern
      { ("", None, $1) }
;
pattern_var:
    LIDENT            { mkpat(Ppat_var $1) }
  | UNDERSCORE        { mkpat Ppat_any }
;
opt_default:
    /* empty */                         { None }
  | EQUAL seq_expr                      { Some $2 }
;
label_let_pattern:
    label_var
      { $1 }
  | label_var COLON core_type
      { let (lab, pat) = $1 in (lab, mkpat(Ppat_constraint(pat, $3))) }
;
label_var:
    LIDENT    { ($1, mkpat(Ppat_var $1)) }
;
let_pattern:
    pattern
      { $1 }
  | pattern COLON core_type
      { mkpat(Ppat_constraint($1, $3)) }
;
expr:
    simple_expr %prec below_SHARP
      { $1 }
  | simple_expr simple_labeled_expr_list
      { mkexp(Pexp_apply($1, List.rev $2)) }
  | LET rec_flag let_bindings IN seq_expr
      { mkexp(Pexp_let($2, List.rev $3, $5)) }
  | LET MODULE UIDENT module_binding IN seq_expr
      { mkexp(Pexp_letmodule($3, $4, $6)) }
  | FUNCTION opt_bar match_cases
      { mkexp(Pexp_function("", None, List.rev $3)) }
  | FUN labeled_simple_pattern fun_def
      { let (l,o,p) = $2 in mkexp(Pexp_function(l, o, [p, $3])) }
  | MATCH seq_expr WITH opt_bar match_cases
      { mkexp(Pexp_match($2, List.rev $5)) }
  | TRY seq_expr WITH opt_bar match_cases
      { mkexp(Pexp_try($2, List.rev $5)) }
  | TRY seq_expr WITH error
      { syntax_error() }
  | expr_comma_list %prec below_COMMA
      { mkexp(Pexp_tuple(List.rev $1)) }
  | constr_longident simple_expr %prec below_SHARP
      { mkexp(Pexp_construct($1, Some $2, false)) }
  | name_tag simple_expr %prec below_SHARP
      { mkexp(Pexp_variant($1, Some $2)) }
  | IF seq_expr THEN expr ELSE expr
      { mkexp(Pexp_ifthenelse($2, $4, Some $6)) }
  | IF seq_expr THEN expr
      { mkexp(Pexp_ifthenelse($2, $4, None)) }
  | WHILE seq_expr DO while_spec seq_expr DONE
      { mkexp(Pexp_while($2, $4, $5)) }
  | FOR val_ident EQUAL seq_expr direction_flag seq_expr DO seq_expr DONE
      { mkexp(Pexp_for($2, $4, $6, $5, $8)) }
  | expr COLONCOLON expr
      { mkexp(Pexp_construct(Lident "::",
                             Some(ghexp(Pexp_tuple[$1;$3])),
                             false)) }
  | LPAREN COLONCOLON RPAREN LPAREN expr COMMA expr RPAREN
      { mkexp(Pexp_construct(Lident "::",
                             Some(ghexp(Pexp_tuple[$5;$7])),
                             false)) }
  | expr INFIXOP0 expr
      { mkinfix $1 $2 $3 }
  | expr INFIXOP1 expr
      { mkinfix $1 $2 $3 }
  | expr INFIXOP2 expr
      { mkinfix $1 $2 $3 }
  | expr INFIXOP3 expr
      { mkinfix $1 $2 $3 }
  | expr INFIXOP4 expr
      { mkinfix $1 $2 $3 }
  | expr PLUS expr
      { mkinfix $1 "+" $3 }
  | expr MINUS expr
      { mkinfix $1 "-" $3 }
  | expr MINUSDOT expr
      { mkinfix $1 "-." $3 }
  | expr STAR expr
      { mkinfix $1 "*" $3 }
  | expr EQUAL expr
      { mkinfix $1 "=" $3 }
  | expr LESS expr
      { mkinfix $1 "<" $3 }
  | expr GREATER expr
      { mkinfix $1 ">" $3 }
  | expr OR expr
      { mkinfix $1 "or" $3 }
  | expr BARBAR expr
      { mkinfix $1 "||" $3 }
  | expr AMPERSAND expr
      { mkinfix $1 "&" $3 }
  | expr AMPERAMPER expr
      { mkinfix $1 "&&" $3 }
  | expr COLONEQUAL expr
      { mkinfix $1 ":=" $3 }
  | subtractive expr %prec prec_unary_minus
      { mkuminus $1 $2 }
  | simple_expr DOT label_longident LESSMINUS expr
      { mkexp(Pexp_setfield($1, $3, $5)) }
  | simple_expr DOT LPAREN seq_expr RPAREN LESSMINUS expr
      { mkexp(Pexp_apply(ghexp(Pexp_ident(array_function "Array" "set")),
                         ["",$1; "",$4; "",$7])) }
  | simple_expr DOT LBRACKET seq_expr RBRACKET LESSMINUS expr
      { mkexp(Pexp_apply(ghexp(Pexp_ident(array_function "String" "set")),
                         ["",$1; "",$4; "",$7])) }
  | simple_expr DOT LBRACE expr RBRACE LESSMINUS expr
      { bigarray_set $1 $4 $7 }
  | label LESSMINUS expr
      { mkexp(Pexp_setinstvar($1, $3)) }
  | ASSERT simple_expr %prec below_SHARP
      { mkassert $2 }
  | LAZY simple_expr %prec below_SHARP
      { mkexp (Pexp_lazy ($2)) }
  | OBJECT class_structure END
      { mkexp (Pexp_object($2)) }
  | OBJECT class_structure error
      { unclosed "object" 1 "end" 3 }
  | expr EQUALEQUALGREATER expr
      { mkexp (Pexp_implies($1, $3)) }
  | expr LESSEQUALEQUAL expr
      { mkexp (Pexp_implies($3, $1)) }
  | expr LESSEQUALGREATER expr
      { mkexp (Pexp_apply(ghexp(Pexp_ident(Lident "&&")),
			  [ "", mkexp (Pexp_implies($1, $3));
			    "", mkexp (Pexp_implies($3, $1)) ])) }
;
simple_expr:
    val_longident
      { mkexp(Pexp_ident $1) }
  | constant
      { mkexp(Pexp_constant $1) }
  | constr_longident %prec prec_constant_constructor
      { mkexp(Pexp_construct($1, None, false)) }
  | name_tag %prec prec_constant_constructor
      { mkexp(Pexp_variant($1, None)) }
  | LPAREN seq_expr RPAREN
      { reloc_exp $2 }
  | LPAREN seq_expr error
      { unclosed "(" 1 ")" 3 }
  | BEGIN seq_expr END
      { reloc_exp $2 }
  | BEGIN END
      { mkexp (Pexp_construct (Lident "()", None, false)) }
  | BEGIN seq_expr error
      { unclosed "begin" 1 "end" 3 }
  | LPAREN seq_expr type_constraint RPAREN
      { let (t, t') = $3 in mkexp(Pexp_constraint($2, t, t')) }
  | simple_expr DOT label_longident
      { mkexp(Pexp_field($1, $3)) }
  | simple_expr DOT LPAREN seq_expr RPAREN
      { mkexp(Pexp_apply(ghexp(Pexp_ident(array_function "Array" "get")),
                         ["",$1; "",$4])) }
  | simple_expr DOT LPAREN seq_expr error
      { unclosed "(" 3 ")" 5 }
  | simple_expr DOT LBRACKET seq_expr RBRACKET
      { mkexp(Pexp_apply(ghexp(Pexp_ident(array_function "String" "get")),
                         ["",$1; "",$4])) }
  | simple_expr DOT LBRACKET seq_expr error
      { unclosed "[" 3 "]" 5 }
  | simple_expr DOT LBRACE expr RBRACE
      { bigarray_get $1 $4 }
  | simple_expr DOT LBRACE expr_comma_list error
      { unclosed "{" 3 "}" 5 }
  | LBRACE record_expr RBRACE
      { let (exten, fields) = $2 in mkexp(Pexp_record(fields, exten)) }
  | LBRACE record_expr error
      { unclosed "{" 1 "}" 3 }
  | LBRACKETBAR expr_semi_list opt_semi BARRBRACKET
      { mkexp(Pexp_array(List.rev $2)) }
  | LBRACKETBAR expr_semi_list opt_semi error
      { unclosed "[|" 1 "|]" 4 }
  | LBRACKETBAR BARRBRACKET
      { mkexp(Pexp_array []) }
  | LBRACKET expr_semi_list opt_semi RBRACKET
      { reloc_exp (mktailexp (List.rev $2)) }
  | LBRACKET expr_semi_list opt_semi error
      { unclosed "[" 1 "]" 4 }
  | PREFIXOP simple_expr
      { mkexp(Pexp_apply(mkoperator $1 1, ["",$2])) }
  | NEW class_longident
      { mkexp(Pexp_new($2)) }
  | LBRACELESS field_expr_list opt_semi GREATERRBRACE
      { mkexp(Pexp_override(List.rev $2)) }
  | LBRACELESS field_expr_list opt_semi error
      { unclosed "{<" 1 ">}" 4 }
  | LBRACELESS GREATERRBRACE
      { mkexp(Pexp_override []) }
  | simple_expr SHARP label
      { mkexp(Pexp_send($1, $3)) }
  | BSRESULT
      { mkexp Pexp_result }
  | BSOLD simple_expr
      { mkexp(Pexp_old $2) }
;
simple_labeled_expr_list:
    labeled_simple_expr
      { [$1] }
  | simple_labeled_expr_list labeled_simple_expr
      { $2 :: $1 }
;
labeled_simple_expr:
    simple_expr %prec below_SHARP
      { ("", $1) }
  | label_expr
      { $1 }
;
label_expr:
    LABEL simple_expr %prec below_SHARP
      { ($1, $2) }
  | TILDE label_ident
      { $2 }
  | QUESTION label_ident
      { ("?" ^ fst $2, snd $2) }
  | OPTLABEL simple_expr %prec below_SHARP
      { ("?" ^ $1, $2) }
;
label_ident:
    LIDENT   { ($1, mkexp(Pexp_ident(Lident $1))) }
;
let_bindings:
    let_binding                                 { [$1] }
  | let_bindings AND let_binding                { $3 :: $1 }
;
let_binding:
    val_ident fun_binding
      { ({ppat_desc = Ppat_var $1; ppat_loc = rhs_loc 1}, $2) }
  | pattern EQUAL seq_expr
      { ($1, $3) }
;
fun_binding:
    strict_binding
      { $1 }
  | type_constraint EQUAL seq_expr
      { let (t, t') = $1 in ghexp(Pexp_constraint($3, t, t')) }
;
strict_binding:
    EQUAL seq_expr
      { $2 }
  | labeled_simple_pattern fun_binding
      { let (l, o, p) = $1 in ghexp(Pexp_function(l, o, [p, $2])) }
;
match_cases:
    pattern match_action                        { [$1, $2] }
  | match_cases BAR pattern match_action        { ($3, $4) :: $1 }
;
fun_def:
    match_action                                { $1 }
  | labeled_simple_pattern fun_def
      { let (l,o,p) = $1 in ghexp(Pexp_function(l, o, [p, $2])) }
;
match_action:
    MINUSGREATER seq_expr                       { $2 }
  | WHEN seq_expr MINUSGREATER seq_expr         { mkexp(Pexp_when($2, $4)) }
;
expr_comma_list:
    expr_comma_list COMMA expr                  { $3 :: $1 }
  | expr COMMA expr                             { [$3; $1] }
;
record_expr:
    simple_expr WITH lbl_expr_list opt_semi     { (Some $1, List.rev $3) }
  | lbl_expr_list opt_semi                      { (None, List.rev $1) }
;
lbl_expr_list:
    label_longident EQUAL expr
      { [$1,$3] }
  | lbl_expr_list SEMI label_longident EQUAL expr
      { ($3, $5) :: $1 }
;
field_expr_list:
    label EQUAL expr
      { [$1,$3] }
  | field_expr_list SEMI label EQUAL expr
      { ($3, $5) :: $1 }
;
expr_semi_list:
    expr                                        { [$1] }
  | expr_semi_list SEMI expr                    { $3 :: $1 }
;
type_constraint:
    COLON core_type                             { (Some $2, None) }
  | COLON core_type COLONGREATER core_type      { (Some $2, Some $4) }
  | COLONGREATER core_type                      { (None, Some $2) }
  | COLON error                                 { syntax_error() }
  | COLONGREATER error                          { syntax_error() }
;

/* Patterns */

pattern:
    simple_pattern
      { $1 }
  | pattern AS val_ident
      { mkpat(Ppat_alias($1, $3)) }
  | pattern_comma_list  %prec below_COMMA
      { mkpat(Ppat_tuple(List.rev $1)) }
  | constr_longident pattern %prec prec_constr_appl
      { mkpat(Ppat_construct($1, Some $2, false)) }
  | name_tag pattern %prec prec_constr_appl
      { mkpat(Ppat_variant($1, Some $2)) }
  | pattern COLONCOLON pattern
      { mkpat(Ppat_construct(Lident "::", Some(ghpat(Ppat_tuple[$1;$3])),
                             false)) }
  | LPAREN COLONCOLON RPAREN LPAREN pattern COMMA pattern RPAREN
      { mkpat(Ppat_construct(Lident "::", Some(ghpat(Ppat_tuple[$5;$7])),
                             false)) }
  | pattern BAR pattern
      { mkpat(Ppat_or($1, $3)) }
;
simple_pattern:
    val_ident %prec below_EQUAL
      { mkpat(Ppat_var $1) }
  | UNDERSCORE
      { mkpat(Ppat_any) }
  | signed_constant
      { mkpat(Ppat_constant $1) }
  | CHAR DOTDOT CHAR
      { mkrangepat $1 $3 }
  | constr_longident
      { mkpat(Ppat_construct($1, None, false)) }
  | name_tag
      { mkpat(Ppat_variant($1, None)) }
  | SHARP type_longident
      { mkpat(Ppat_type $2) }
  | LBRACE lbl_pattern_list opt_semi RBRACE
      { mkpat(Ppat_record(List.rev $2)) }
  | LBRACE lbl_pattern_list opt_semi error
      { unclosed "{" 1 "}" 4 }
  | LBRACKET pattern_semi_list opt_semi RBRACKET
      { reloc_pat (mktailpat (List.rev $2)) }
  | LBRACKET pattern_semi_list opt_semi error
      { unclosed "[" 1 "]" 4 }
  | LBRACKETBAR pattern_semi_list opt_semi BARRBRACKET
      { mkpat(Ppat_array(List.rev $2)) }
  | LBRACKETBAR BARRBRACKET
      { mkpat(Ppat_array []) }
  | LBRACKETBAR pattern_semi_list opt_semi error
      { unclosed "[|" 1 "|]" 4 }
  | LPAREN pattern RPAREN
      { reloc_pat $2 }
  | LPAREN pattern error
      { unclosed "(" 1 ")" 3 }
  | LPAREN pattern COLON core_type RPAREN
      { mkpat(Ppat_constraint($2, $4)) }
  | LPAREN pattern COLON core_type error
      { unclosed "(" 1 ")" 5 }
;

pattern_comma_list:
    pattern_comma_list COMMA pattern            { $3 :: $1 }
  | pattern COMMA pattern                       { [$3; $1] }
;
pattern_semi_list:
    pattern                                     { [$1] }
  | pattern_semi_list SEMI pattern              { $3 :: $1 }
;
lbl_pattern_list:
    label_longident EQUAL pattern               { [($1, $3)] }
  | lbl_pattern_list SEMI label_longident EQUAL pattern { ($3, $5) :: $1 }
;

/* Primitive declarations */

primitive_declaration:
    STRING                                      { [$1] }
  | STRING primitive_declaration                { $1 :: $2 }
;

/* Type declarations */

type_declarations:
    type_declaration                            { [$1] }
  | type_declarations AND type_declaration      { $3 :: $1 }
;

type_declaration:
    type_parameters LIDENT type_kind constraints
      { let (params, variance) = List.split $1 in
        let (kind, manifest) = $3 in
        ($2, {ptype_params = params;
              ptype_cstrs = List.rev $4;
              ptype_kind = kind;
              ptype_manifest = manifest;
              ptype_variance = variance;
              ptype_loc = symbol_rloc()}) }
;
constraints:
        constraints CONSTRAINT constrain        { $3 :: $1 }
      | /* empty */                             { [] }
;
type_kind:
    /*empty*/
      { (Ptype_abstract, None) }
  | EQUAL core_type
      { (Ptype_abstract, Some $2) }
  | EQUAL constructor_declarations
      { (Ptype_variant(List.rev $2, Public), None) }
  | EQUAL PRIVATE constructor_declarations
      { (Ptype_variant(List.rev $3, Private), None) }
  | EQUAL private_flag BAR constructor_declarations
      { (Ptype_variant(List.rev $4, $2), None) }
  | EQUAL private_flag LBRACE label_declarations opt_semi RBRACE
      { (Ptype_record(List.rev $4, $2), None) }
  | EQUAL core_type EQUAL private_flag opt_bar constructor_declarations
      { (Ptype_variant(List.rev $6, $4), Some $2) }
  | EQUAL core_type EQUAL private_flag LBRACE label_declarations opt_semi RBRACE
      { (Ptype_record(List.rev $6, $4), Some $2) }
  | EQUAL PRIVATE core_type
      { (Ptype_private, Some $3) }
;
type_parameters:
    /*empty*/                                   { [] }
  | type_parameter                              { [$1] }
  | LPAREN type_parameter_list RPAREN           { List.rev $2 }
;
type_parameter:
    type_variance QUOTE ident                   { $3, $1 }
;
type_variance:
    /* empty */                                 { false, false }
  | PLUS                                        { true, false }
  | MINUS                                       { false, true }
;
type_parameter_list:
    type_parameter                              { [$1] }
  | type_parameter_list COMMA type_parameter    { $3 :: $1 }
;
constructor_declarations:
    constructor_declaration                     { [$1] }
  | constructor_declarations BAR constructor_declaration { $3 :: $1 }
;
constructor_declaration:
    constr_ident constructor_arguments          { ($1, $2, symbol_rloc()) }
;
constructor_arguments:
    /*empty*/                                   { [] }
  | OF core_type_list                           { List.rev $2 }
;
label_declarations:
    label_declaration                           { [$1] }
  | label_declarations SEMI label_declaration   { $3 :: $1 }
;
label_declaration:
    mutable_flag label COLON poly_type          { ($2, $1, $4, symbol_rloc()) }
;

/* "with" constraints (additional type equations over signature components) */

with_constraints:
    with_constraint                             { [$1] }
  | with_constraints AND with_constraint        { $3 :: $1 }
;
with_constraint:
    TYPE type_parameters label_longident with_type_binder core_type constraints
      { let params, variance = List.split $2 in
        ($3, Pwith_type {ptype_params = params;
                         ptype_cstrs = List.rev $6;
                         ptype_kind = $4;
                         ptype_manifest = Some $5;
                         ptype_variance = variance;
                         ptype_loc = symbol_rloc()}) }
    /* used label_longident instead of type_longident to disallow
       functor applications in type path */
  | MODULE mod_longident EQUAL mod_ext_longident
      { ($2, Pwith_module $4) }
;
with_type_binder:
    EQUAL          { Ptype_abstract }
  | EQUAL PRIVATE  { Ptype_private }
;

/* Polymorphic types */

typevar_list:
        QUOTE ident                             { [$2] }
      | typevar_list QUOTE ident                { $3 :: $1 }
;
poly_type:
        core_type
          { mktyp(Ptyp_poly([], $1)) }
      | typevar_list DOT core_type
          { mktyp(Ptyp_poly(List.rev $1, $3)) }
;

/* Core types */

core_type:
    core_type2
      { $1 }
  | core_type2 AS QUOTE ident
      { mktyp(Ptyp_alias($1, $4)) }
;
core_type2:
    simple_core_type_or_tuple
      { $1 }
  | QUESTION LIDENT COLON core_type2 MINUSGREATER core_type2
      { mktyp(Ptyp_arrow("?" ^ $2 ,
               {ptyp_desc = Ptyp_constr(Lident "option", [$4]);
                ptyp_loc = $4.ptyp_loc}, $6)) }
  | OPTLABEL core_type2 MINUSGREATER core_type2
      { mktyp(Ptyp_arrow("?" ^ $1 ,
               {ptyp_desc = Ptyp_constr(Lident "option", [$2]);
                ptyp_loc = $2.ptyp_loc}, $4)) }
  | LIDENT COLON core_type2 MINUSGREATER core_type2
      { mktyp(Ptyp_arrow($1, $3, $5)) }
  | core_type2 MINUSGREATER core_type2
      { mktyp(Ptyp_arrow("", $1, $3)) }
;

simple_core_type:
    simple_core_type2  %prec below_SHARP
      { $1 }
  | LPAREN core_type_comma_list RPAREN %prec below_SHARP
      { match $2 with [sty] -> sty | _ -> raise Parse_error }
;
simple_core_type2:
    QUOTE ident
      { mktyp(Ptyp_var $2) }
  | UNDERSCORE
      { mktyp(Ptyp_any) }
  | type_longident
      { mktyp(Ptyp_constr($1, [])) }
  | simple_core_type2 type_longident
      { mktyp(Ptyp_constr($2, [$1])) }
  | LPAREN core_type_comma_list RPAREN type_longident
      { mktyp(Ptyp_constr($4, List.rev $2)) }
  | LESS meth_list GREATER
      { mktyp(Ptyp_object $2) }
  | LESS GREATER
      { mktyp(Ptyp_object []) }
  | SHARP class_longident opt_present
      { mktyp(Ptyp_class($2, [], $3)) }
  | simple_core_type2 SHARP class_longident opt_present
      { mktyp(Ptyp_class($3, [$1], $4)) }
  | LPAREN core_type_comma_list RPAREN SHARP class_longident opt_present
      { mktyp(Ptyp_class($5, List.rev $2, $6)) }
  | LBRACKET tag_field RBRACKET
      { mktyp(Ptyp_variant([$2], true, None)) }
/* PR#3835: this is not LR(1), would need lookahead=2
  | LBRACKET simple_core_type2 RBRACKET
      { mktyp(Ptyp_variant([$2], true, None)) }
*/
  | LBRACKET BAR row_field_list RBRACKET
      { mktyp(Ptyp_variant(List.rev $3, true, None)) }
  | LBRACKET row_field BAR row_field_list RBRACKET
      { mktyp(Ptyp_variant($2 :: List.rev $4, true, None)) }
  | LBRACKETGREATER opt_bar row_field_list RBRACKET
      { mktyp(Ptyp_variant(List.rev $3, false, None)) }
  | LBRACKETGREATER RBRACKET
      { mktyp(Ptyp_variant([], false, None)) }
  | LBRACKETLESS opt_bar row_field_list RBRACKET
      { mktyp(Ptyp_variant(List.rev $3, true, Some [])) }
  | LBRACKETLESS opt_bar row_field_list GREATER name_tag_list RBRACKET
      { mktyp(Ptyp_variant(List.rev $3, true, Some (List.rev $5))) }
;
row_field_list:
    row_field                                   { [$1] }
  | row_field_list BAR row_field                { $3 :: $1 }
;
row_field:
    tag_field                                   { $1 }
  | simple_core_type2                           { Rinherit $1 }
;
tag_field:
    name_tag OF opt_ampersand amper_type_list
      { Rtag ($1, $3, List.rev $4) }
  | name_tag
      { Rtag ($1, true, []) }
;
opt_ampersand:
    AMPERSAND                                   { true }
  | /* empty */                                 { false }
;
amper_type_list:
    core_type                                   { [$1] }
  | amper_type_list AMPERSAND core_type         { $3 :: $1 }
;
opt_present:
    LBRACKETGREATER name_tag_list RBRACKET      { List.rev $2 }
  | /* empty */                                 { [] }
;
name_tag_list:
    name_tag                                    { [$1] }
  | name_tag_list name_tag                      { $2 :: $1 }
;
simple_core_type_or_tuple:
    simple_core_type                            { $1 }
  | simple_core_type STAR core_type_list
      { mktyp(Ptyp_tuple($1 :: List.rev $3)) }
;
core_type_comma_list:
    core_type                                   { [$1] }
  | core_type_comma_list COMMA core_type        { $3 :: $1 }
;
core_type_list:
    simple_core_type                            { [$1] }
  | core_type_list STAR simple_core_type        { $3 :: $1 }
;
meth_list:
    field SEMI meth_list                        { $1 :: $3 }
  | field opt_semi                              { [$1] }
  | DOTDOT                                      { [mkfield Pfield_var] }
;
field:
    label COLON poly_type                       { mkfield(Pfield($1, $3)) }
;
label:
    LIDENT                                      { $1 }
;

/* Constants */

constant:
    INT                                         { Const_int $1 }
  | CHAR                                        { Const_char $1 }
  | STRING                                      { Const_string $1 }
  | FLOAT                                       { Const_float $1 }
  | INT32                                       { Const_int32 $1 }
  | INT64                                       { Const_int64 $1 }
  | NATIVEINT                                   { Const_nativeint $1 }
;
signed_constant:
    constant                                    { $1 }
  | MINUS INT                                   { Const_int(- $2) }
  | MINUS FLOAT                                 { Const_float("-" ^ $2) }
  | MINUS INT32                                 { Const_int32(Int32.neg $2) }
  | MINUS INT64                                 { Const_int64(Int64.neg $2) }
  | MINUS NATIVEINT                             { Const_nativeint(Nativeint.neg $2) }
;
/* Identifiers and long identifiers */

ident:
    UIDENT                                      { $1 }
  | LIDENT                                      { $1 }
;
val_ident:
    LIDENT                                      { $1 }
  | LPAREN operator RPAREN                      { $2 }
;
val_ident_colon:
    LIDENT COLON                                { $1 }
  | LPAREN operator RPAREN COLON                { $2 }
  | LABEL                                       { $1 }
;
operator:
    PREFIXOP                                    { $1 }
  | INFIXOP0                                    { $1 }
  | INFIXOP1                                    { $1 }
  | INFIXOP2                                    { $1 }
  | INFIXOP3                                    { $1 }
  | INFIXOP4                                    { $1 }
  | PLUS                                        { "+" }
  | MINUS                                       { "-" }
  | MINUSDOT                                    { "-." }
  | STAR                                        { "*" }
  | EQUAL                                       { "=" }
  | LESS                                        { "<" }
  | GREATER                                     { ">" }
  | OR                                          { "or" }
  | BARBAR                                      { "||" }
  | AMPERSAND                                   { "&" }
  | AMPERAMPER                                  { "&&" }
  | COLONEQUAL                                  { ":=" }
;
constr_ident:
    UIDENT                                      { $1 }
/*  | LBRACKET RBRACKET                           { "[]" } */
  | LPAREN RPAREN                               { "()" }
  | COLONCOLON                                  { "::" }
/*  | LPAREN COLONCOLON RPAREN                    { "::" } */
  | FALSE                                       { "false" }
  | TRUE                                        { "true" }
;

val_longident:
    val_ident                                   { Lident $1 }
  | mod_longident DOT val_ident                 { Ldot($1, $3) }
;
constr_longident:
    mod_longident       %prec below_DOT         { $1 }
  | LBRACKET RBRACKET                           { Lident "[]" }
  | LPAREN RPAREN                               { Lident "()" }
  | FALSE                                       { Lident "false" }
  | TRUE                                        { Lident "true" }
;
label_longident:
    LIDENT                                      { Lident $1 }
  | mod_longident DOT LIDENT                    { Ldot($1, $3) }
;
type_longident:
    LIDENT                                      { Lident $1 }
  | mod_ext_longident DOT LIDENT                { Ldot($1, $3) }
;
mod_longident:
    UIDENT                                      { Lident $1 }
  | mod_longident DOT UIDENT                    { Ldot($1, $3) }
;
mod_ext_longident:
    UIDENT                                      { Lident $1 }
  | mod_ext_longident DOT UIDENT                { Ldot($1, $3) }
  | mod_ext_longident LPAREN mod_ext_longident RPAREN { Lapply($1, $3) }
;
mty_longident:
    ident                                       { Lident $1 }
  | mod_ext_longident DOT ident                 { Ldot($1, $3) }
;
clty_longident:
    LIDENT                                      { Lident $1 }
  | mod_ext_longident DOT LIDENT                { Ldot($1, $3) }
;
class_longident:
    LIDENT                                      { Lident $1 }
  | mod_longident DOT LIDENT                    { Ldot($1, $3) }
;

/* Toplevel directives */

toplevel_directive:
    SHARP ident                 { Ptop_dir($2, Pdir_none) }
  | SHARP ident STRING          { Ptop_dir($2, Pdir_string $3) }
  | SHARP ident INT             { Ptop_dir($2, Pdir_int $3) }
  | SHARP ident val_longident   { Ptop_dir($2, Pdir_ident $3) }
  | SHARP ident FALSE           { Ptop_dir($2, Pdir_bool false) }
  | SHARP ident TRUE            { Ptop_dir($2, Pdir_bool true) }
;

/* Miscellaneous */

name_tag:
    BACKQUOTE ident                             { $2 }
;
rec_flag:
    /* empty */                                 { Nonrecursive }
  | REC                                         { Recursive }
;
direction_flag:
    TO                                          { Upto }
  | DOWNTO                                      { Downto }
;
private_flag:
    /* empty */                                 { Public }
  | PRIVATE                                     { Private }
;
mutable_flag:
    /* empty */                                 { Immutable }
  | MUTABLE                                     { Mutable }
;
virtual_flag:
    /* empty */                                 { Concrete }
  | VIRTUAL                                     { Virtual }
;
opt_bar:
    /* empty */                                 { () }
  | BAR                                         { () }
;
opt_semi:
  | /* empty */                                 { () }
  | SEMI                                        { () }
;
subtractive:
  | MINUS                                       { "-" }
  | MINUSDOT                                    { "-." }
;

/* Annotations */

function_requires:
  | REQUIRES expr
      { Some $2 }
  |
      { None }
;

function_ensures:
  | ENSURES expr
      { Some $2 }
  |
      { None }
;

function_behaviors:
  | BEHAVIOR LIDENT COLON ENSURES expr function_behaviors
      { {
	  pb_name = $2;
	  pb_ensures = $5;
	}::$6 }
  |
      { [] }
;

lident_list:
  |
      { [] }
  | LIDENT lident_list
      { $1::$2 }
;

function_spec:
  | FUNCTION val_ident lident_list COLON function_requires function_ensures
      function_behaviors
      { { pfs_name = $2;
	  pfs_arguments = $3;
	  pfs_requires = $5;
	  pfs_behaviors =
	    match $6 with
	      | None -> $7
	      | Some x -> { pb_name = "default"; pb_ensures = x }::$7; } }
;

type_invariant:
  | INVARIANT LIDENT pattern EQUAL expr
      { { pti_name = $2;
	  pti_argument = $3;
	  pti_body = $5; } }
;

type_invariants:
  | type_invariant type_invariants
      { $1::$2 }
  |
      { [] }
;

type_spec:
  | TYPE LIDENT COLON type_invariants
      { { pts_name = $2;
	  pts_invariants = $4 } }
;

while_spec:
  | LANNOT INVARIANT expr VARIANT expr RANNOT
      { { pws_invariant = Some $3;
	  pws_variant = Some $5 } }
  | LANNOT VARIANT expr INVARIANT expr RANNOT
      { { pws_invariant = Some $5;
	  pws_variant = Some $3 } }
  | LANNOT INVARIANT expr RANNOT
      { { pws_invariant = Some $3;
	  pws_variant = None } }
  | LANNOT VARIANT expr RANNOT
      { { pws_invariant = None;
	  pws_variant = Some $3 } }
  | LANNOT RANNOT
      { { pws_invariant = None;
	  pws_variant = None } }
  |
      { { pws_invariant = None;
	  pws_variant = None } }
;

let_pattern_list:
  | LPAREN let_pattern RPAREN let_pattern_list
      { $2::$4 }
  | LIDENT let_pattern_list
      { (mkpat (Ppat_var $1))::$2 }
  | LPAREN let_pattern RPAREN
      { [ $2 ] }
  | LIDENT
      { [ mkpat (Ppat_var $1) ] }
;

read_location:
  | LIDENT
      { PRLvar $1 }
  | read_location DOT LIDENT
      { PRLderef($1, $3) }
;

read_location_list:
  | read_location COMMA read_location_list
      { $1::$3 }
  | read_location
      { [ $1 ] }
;

logic_type_spec:
  | LOGIC TYPE LIDENT
      { $3 }
;

optional_body:
  | READS read_location_list
      { POBreads $2 }
  | EQUAL expr
      { POBbody $2 }
  |
      { POBreads [] }
;

optional_type:
  | COLON core_type
      { Some $2 }
  |
      { None }
;

logic_function_spec:
  | PREDICATE LIDENT let_pattern_list optional_body
      { { plfs_name = $2;
	  plfs_arguments = $3;
	  plfs_return_type = Some(mktyp (Ptyp_constr(Lident "bool", [])));
	  plfs_body = $4;
	  plfs_predicate = true; } }
  | LOGIC FUN LIDENT let_pattern_list optional_type optional_body
      { { plfs_name = $3;
	  plfs_arguments = $4;
	  plfs_return_type = $5;
	  plfs_body = $6;
	  plfs_predicate = false; } }
  | LOGIC FUNCTION LIDENT let_pattern_list optional_type optional_body
      { { plfs_name = $3;
	  plfs_arguments = $4;
	  plfs_return_type = $5;
	  plfs_body = $6;
	  plfs_predicate = false; } }
  | LOGIC VAL LIDENT COLON core_type
      { { plfs_name = $3;
	  plfs_arguments = [];
	  plfs_return_type = Some $5;
	  plfs_body = POBreads [];
	  plfs_predicate = false; } }
  | LOGIC VAL LIDENT COLON core_type EQUAL expr
      { { plfs_name = $3;
	  plfs_arguments = [];
	  plfs_return_type = Some $5;
	  plfs_body = POBbody $7;
	  plfs_predicate = false; } }
;

axiom_spec:
  | AXIOM LIDENT let_pattern_list EQUAL expr
      { { pas_name = $2;
	  pas_arguments = $3;
	  pas_body = $5; } }
;

%%
why-2.34/ml/ml_env.ml0000644000175000017500000001472212311670312013045 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Ml_misc
open Jc_env
open Jc_fenv

exception Not_found_str of string

module IdentMap = Map.Make(
  struct
    type t = Ml_ocaml.Ident.t
    let compare x y = String.compare (Ml_ocaml.Ident.unique_name x)
      (Ml_ocaml.Ident.unique_name y)
  end)

type t = {
  vars: Jc_env.var_info StringMap.t;
  funs: Jc_fenv.fun_info StringMap.t;
  (*fields: Jc_env.field_info StringMap.t;
  constructors: (Jc_env.struct_info * int * Jc_env.field_info list) StringMap.t;
  structs: Jc_env.struct_info StringMap.t;*)
  logic_funs: Jc_fenv.logic_info StringMap.t;
  (*tags: Jc_env.field_info StringMap.t;*)
  fun_specs: Ml_ocaml.Typedtree.function_spec IdentMap.t;
  (*type_specs: Ml_ocaml.Typedtree.type_spec IdentMap.t;*)
}

let empty = {
  vars = StringMap.empty;
  funs = StringMap.empty;
  (*fields = StringMap.empty;
  constructors = StringMap.empty;
  structs = StringMap.empty;*)
  logic_funs = StringMap.empty;
  (*tags = StringMap.empty;*)
  fun_specs = IdentMap.empty;
  (*type_specs = IdentMap.empty;*)
}

let add_var name ty env =
  let vi = make_var name ty in
  { env with vars = StringMap.add name vi env.vars }, vi

let add_fun name params return_type env =
  let jc_name = identifier_of_symbol name in
  let fi = make_fun_info jc_name return_type params () in
  { env with funs = StringMap.add name fi env.funs }

(*let add_field name ty si env =
  let fi = {
    jc_field_info_tag = fresh_int ();
    jc_field_info_name = name;
    jc_field_info_final_name = name;
    jc_field_info_type = ty;
    jc_field_info_struct = si;
    jc_field_info_root = si.jc_struct_info_root;
    jc_field_info_rep = false;
  } in
  { env with fields = StringMap.add name fi env.fields }, fi

let add_constructor name tyl si i env =
  let _, fil = list_fold_map
    (fun cnt ty -> cnt + 1,
       let name = name^"_"^string_of_int cnt in
       {
	 jc_field_info_tag = fresh_int ();
	 jc_field_info_name = name;
	 jc_field_info_final_name = name;
	 jc_field_info_type = ty;
	 jc_field_info_struct = si;
	 jc_field_info_root = si.jc_struct_info_root;
	 jc_field_info_rep = false;
       })
    0 tyl
  in
  { env with constructors = StringMap.add name (si, i, fil) env.constructors },
  fil

let add_struct si env =
  { env with structs = StringMap.add si.jc_struct_info_name si env.structs }

let add_tag si env =
  let fi = {
    jc_field_info_tag = fresh_int ();
    jc_field_info_name = "jessica_tag";
    jc_field_info_final_name = "jessica_tag";
    jc_field_info_type = JCTnative Tinteger;
    jc_field_info_struct = si;
    jc_field_info_root = si.jc_struct_info_root;
    jc_field_info_rep = false;
  } in
  { env with tags = StringMap.add si.jc_struct_info_name fi env.tags }, fi*)

let add_logic_fun name params return_type env =
  let li = {
    jc_logic_info_tag = fresh_int ();
    jc_logic_info_name = name;
    jc_logic_info_final_name = name;
    jc_logic_info_result_type = return_type;
    jc_logic_info_parameters = params;
    jc_logic_info_effects = Jc_pervasives.empty_effects; (* ! *)
    jc_logic_info_calls = [];
    jc_logic_info_result_region = default_region;
    jc_logic_info_param_regions = [];
    jc_logic_info_labels = [];
  } in
  { env with logic_funs = StringMap.add name li env.logic_funs }, li

let add_fun_spec id spec env =
  { env with fun_specs = IdentMap.add id spec env.fun_specs }

(*let add_type_spec id spec env =
  { env with type_specs = IdentMap.add id spec env.type_specs }*)

let nf s f k m =
  try
    f k m
  with Not_found ->
    raise (Not_found_str s)

let find_var name env = nf name StringMap.find name env.vars
let find_fun name env = nf name StringMap.find name env.funs
(*let find_field name env = nf name StringMap.find name env.fields
let find_constructor name env = nf name StringMap.find name env.constructors
let find_struct name env = nf name StringMap.find name env.structs*)
let find_logic_fun name env = nf name StringMap.find name env.logic_funs
(*let find_tag si env =
  let name = si.jc_struct_info_name in
  nf name StringMap.find name env.tags*)
let find_fun_spec id env =
  nf (Ml_ocaml.Ident.name id) IdentMap.find id env.fun_specs
(*let find_type_spec id env =
  nf (Ml_ocaml.Ident.name id) IdentMap.find id env.type_specs*)

(*
Local Variables: 
compile-command: "unset LANG; make -C .. -f build.makefile jessica.all"
End: 
*)
why-2.34/config/0000755000175000017500000000000012311670312012062 5ustar  rtuserswhy-2.34/config/check_ocamlgraph.ml0000644000175000017500000000456212311670312015675 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* checking ocamlgraph version *)

open Graph.Pack.Graph
let g = create ()
let a = Components.scc_array g

why-2.34/mix/0000755000175000017500000000000012311670312011412 5ustar  rtuserswhy-2.34/mix/mix_interp.ml0000644000175000017500000001417412311670312014131 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* Mix to Why *)

open Format
open Mix_ast
open Mix_seq.X
open Mix_seq

type term = 
  | Tvar of string
  | Tconst of string
  | Tapp of string * term list

type why_stmt = 
  | Wvoid
  | Wassume of predicate
  | Wassert of predicate
  | Wseq of why_stmt * why_stmt
  | Wassign of string * term

type why_code = { why_pre : predicate option; why_code : why_stmt }

let index a = function
  | None -> a
  | Some i -> Tapp ("add_int", [a; Tvar ("!i" ^ i)])

let rec value_addr loc = function
  | PAself -> error loc UnsupportedInstruction
  | PAconst s -> Tconst s
  | PAident s -> Tvar s
  | PAplus (a1, a2) -> Tapp ("add_int", [value_addr loc a1; value_addr loc a2])
  | PAminus (a1, a2) -> Tapp ("sub_int",[value_addr loc a1; value_addr loc a2])
  | PAuminus a -> Tapp ("neg_int", [value_addr loc a])

let value_op loc op = match op.pop_address, op.pop_index, op.pop_field with
  | Some a, i, None -> index (value_addr loc a) i
  | _ -> assert false (*TODO*)

let value_at loc op = Tapp ("access", [Tvar "!mem"; value_op loc op])

let register_value = function
  | A -> "!a" | X -> "!x"
  | I1 -> "!i1" | I2 -> "!i2" | I3 -> "!i3" 
  | I4 -> "!i4" | I5 -> "!i5" | I6 -> "!i6" 

let interp_instr loc i op = match i with
  | Ld r -> 
      Wassign (register_name r, value_at loc op)
  | Ldn r -> 
      Wassign (register_name r, Tapp ("neg_int", [value_at loc op]))
  | St r ->
      Wassign ("mem", 
	       Tapp ("update", 
		     [Tvar "!mem"; value_op loc op; Tvar (register_value r)]))
  | Stz ->
      Wassign ("mem", 
	       Tapp ("update", [Tvar "!mem"; value_op loc op; Tconst "0"]))
  | Stj -> 
      error loc UnsupportedInstruction
  | Add | Sub | Mul | Div -> (* TODO: actually incorrect for Mul and Div *)
      let aop = match i with
	| Add -> "add_int" | Sub -> "sub_int"
	| Mul -> "mul_int" | Div -> "div_int" | _ -> assert false
      in
      Wassign ("a", Tapp (aop, [Tvar "!a"; value_at loc op]))
  | Srb ->
      begin match op.pop_address, op.pop_index, op.pop_field with
	| Some (PAconst "1"), None, None -> 
	    Wassign ("a", Tapp ("div_int", [Tvar "!a"; Tconst "2"]))
	| _ -> error loc UnsupportedInstruction
      end
  | Cmp r -> 
      Wassign ("cmp", 
	       Tapp ("sub_int", [Tvar (register_value r); value_at loc op]))
  | Ent r ->
      Wassign (register_name r, value_op loc op)
  | Enn r ->
      Wassign (register_name r, Tapp ("neg_int", [value_op loc op]))
  | Inc r ->
      Wassign (register_name r, 
	      Tapp ("add_int", [Tvar (register_value r); value_op loc op]))
  | Dec r ->
      Wassign (register_name r, 
	       Tapp ("sub_int", [Tvar (register_value r); value_op loc op]))
  | Nop ->
      Wvoid
  | Jmp | Jsj 
  | Jl | Je | Jg | Jge | Jne | Jle
  | Jn _ | Jz _ | Jp _ | Jnn _ | Jnz _ | Jnp _
  | Hlt -> 
      assert false 

let rec interp_stmt = function
  | Void -> Wvoid
  | Mix { node = PSassert p } -> Wassert p
  | Mix { node = PSinvariant _ } -> assert false
  | Mix { loc = loc; node = PSinstr (i, op) } -> interp_instr loc i op
  | Assume p -> Wassume p
  | Seq (s1, s2) -> Wseq (interp_stmt s1, interp_stmt s2)

let interp_seq c = { why_pre = c.seq_pre; why_code = interp_stmt c.seq_code }

let interp = List.map interp_seq

(* pretty-printing *)

let counter = ref 0

let rec term fmt = function
  | Tvar s | Tconst s -> fprintf fmt "%s" s
  | Tapp (f, l) -> fprintf fmt "@[(%s@ %a)@]" f (Pp.print_list Pp.space term) l

let rec print_why fmt = function
  | Wvoid -> fprintf fmt "void"
  | Wassume p -> fprintf fmt "[{} unit {%s}]" p
  | Wassert p -> fprintf fmt "(assert {%s}; void)" p
  | Wseq (s1, s2) -> fprintf fmt "%a;@ %a" print_why s1 print_why s2
  | Wassign (id, t) -> fprintf fmt "%s := %a" id term t

let print_why_code fmt c =
  incr counter;
  fprintf fmt "let seq%d () =@\n" !counter;
  begin match c.why_pre with
    | Some p -> fprintf fmt "  @[{ %s }@]@\n" (X.string_of_predicate p)
    | None -> ()
  end;
  fprintf fmt "  @[%a@]@\n@\n" print_why c.why_code


why-2.34/mix/mix_parser.mly0000644000175000017500000001011112311670312014300 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

%{
  open Mix_ast
  open Parsing

  let locate n = { node = n; loc = symbol_start_pos () }
%}

/* Tokens */ 

%token  IDENT
%token  LABEL
%token  VERBATIM
%token  INVARIANT
%token  ASSERT
%token  INTEGER
%token  STRING
%token  INSTR
%token COLON COMMA LPAR RPAR PLUS STAR MINUS
%token EQU ORIG
%token EOF

/* Precedences */

%left PLUS MINUS
%nonassoc uminus

/* Entry points */

%type  file
%start file

%%

file:
| list0_pseudo list1_stmt EOF 
   { List.rev $1, List.rev $2 }
| EOF 
   { [], [] }
;

list0_pseudo:
| /* epsilon */ { [] }
| list0_pseudo pseudo { $2 :: $1 }
;

pseudo:
| IDENT EQU address  { locate (Equ_addr ($1, $3)) }
| IDENT EQU INTEGER COLON INTEGER { locate (Equ_field ($1, PFrange ($3, $5))) }
| ORIG address       { locate (Orig (None, $2)) }
| IDENT ORIG address { locate (Orig (Some $1, $3)) } 
| VERBATIM           { locate (Verbatim $1) }
;

list1_stmt:
| stmt
   { [$1] }
| list1_stmt stmt
   { $2 :: $1 }
;

stmt:
| opt_label stmt_kind { $1, $2 }
;

stmt_kind:
| INVARIANT { locate (PSinvariant $1) }
| ASSERT { locate (PSassert $1) }
| INSTR operand { locate (PSinstr ($1, $2)) }
;

opt_label:
| LABEL         { Some $1 }
| /* epsilon */ { None }
;

operand:
  address_opt index_opt field_opt 
    { { pop_address = $1; pop_index = $2; pop_field = $3 } }
;

address_opt:
| address { Some $1 }
| /* epsilon */  { None }
;

address:
| STAR { PAself }
| IDENT { PAident $1 }
| INTEGER { PAconst $1 }
| address PLUS address { PAplus ($1, $3) }
| address MINUS address { PAminus ($1, $3) }
| MINUS address %prec uminus { PAuminus $2 }
;

index_opt:
| COMMA INTEGER { Some $2 }
| /* epsilon */ { None }
;

field_opt:
| LPAR INTEGER COLON INTEGER RPAR { Some (PFrange ($2, $4)) }
| LPAR IDENT RPAR { Some (PFident $2) }
| /* epsilon */ { None }
;

why-2.34/mix/mix_main.ml0000644000175000017500000001153112311670312013546 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Format
open Lexing
open Mix_ast
open Mix_seq
open Mix_interp

let report_lb lb =
  let b,e = lexeme_start_p lb, lexeme_end_p lb in
  eprintf "File \"%s\", " b.pos_fname;
  let l = b.pos_lnum in
  let fc = b.pos_cnum - b.pos_bol + 1 in
  let lc = e.pos_cnum - b.pos_bol + 1 in
  eprintf "line %d, characters %d-%d:@\n" l fc lc

let report_loc loc =
  if loc != Lexing.dummy_pos then begin
    eprintf "File \"%s\", " loc.pos_fname;
    let l = loc.pos_lnum in
    let fc = loc.pos_cnum - loc.pos_bol + 1 in
    eprintf "line %d, character %d:@\n" l fc
  end

(* command line *)

let file = ref None
let entry = ref "init"
let gwhy = ref false
let show_graph = ref false

let spec = 
  ["-entry", Arg.Set_string entry, "
This Java Card class's functionality is a strict subset of the definition in the
   * Java Platform Core API Specification.

   */
public class Object {

  /*  public normal_behavior 
         requires true;
       assignable \nothing;
          ensures true;
    @*/
  public Object() {}

 /**
  * Compares two Objects for equality. 

  * The equals method implements an equivalence relation:
  * 

  * 

  * The equals method for class Object implements the most discriminating possible equivalence
  * relation on objects; that is, for any reference values x and y,
  * this method returns true if and only if x and y
  * refer to the same object (x==y has the value true).
  * @param obj the reference object with which to compare.
  * @return true if this object is the same as the obj argument; false otherwise.
  */

  /*  public normal_behavior 
    @  requires true;
    @  assignable \nothing;
    @  ensures \result <==> this==obj;
    @*/
    public /* pure @*/ boolean equals(Object obj){ return (this==obj); }

}
why-2.34/lib/javacard_api/java/lang/ArrayIndexOutOfBoundsException.java0000644000175000017500000000076412311670312024560 0ustar  rtusers/*
 * JML specs for the JavaCard API 2.1.1
 * by Engelbert Hubbers and Erik Poll
 * Copyright 2002 University of Nijmegen, the Netherlands 
 *
 * The JavaCard API 2.1.1 itself is copyright (c) 2000 Sun Microsystems, Inc.
 */

package java.lang;

public class ArrayIndexOutOfBoundsException extends IndexOutOfBoundsException { 

  /*  public normal_behavior
         requires true;
       assignable \nothing;
          ensures true;
    @*/

  public ArrayIndexOutOfBoundsException() 
  
   {} 

 } 
why-2.34/lib/javacard_api/java/lang/Exception.java0000644000175000017500000000317312311670312020436 0ustar  rtusers/*
* $Workfile: Exception.java $	$Revision: 1.2 $, $Date: 2007-09-28 13:41:14 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Exception.java $
// $Revision: 1.2 $
// $Date: 2007-09-28 13:41:14 $
// $Author: marche $
// $Archive: /Products/Europa/api21/java/lang/Exception.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package java.lang;

/**
  * The class Exception and its subclasses are a form of Throwable that indicates
  * conditions that a reasonable applet might want to catch.
  * 
This Java Card class's functionality is a strict subset of the definition in the 
  * Java Platform Core API Specification.

  */

public class Exception extends Throwable{

  /**
   * Constructs an Exception instance. 
   */
  /*  public normal_behavior 
         requires true;
       assignable \nothing;
          ensures true;
    @*/
  public Exception() {}
  
}
why-2.34/lib/javacard_api/java/lang/RuntimeException.java0000644000175000017500000000333612311670312022003 0ustar  rtusers/*
* $Workfile: RuntimeException.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:37:49 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: RuntimeException.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:37:49 $
// $Author: marche $
// $Archive: /Products/Europa/api21/java/lang/RuntimeException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package java.lang;

/**
 * RuntimeException is the superclass of those exceptions that can be thrown
 * during the normal operation of the Java Card Virtual Machine.
 
 * A method is not required to declare in its throws clause any subclasses of
 * RuntimeException that might be thrown during the execution of the
 * method but not caught.
 * 
This Java Card class's functionality is a strict subset of the definition in the 
 * Java Platform Core API Specification.
 
 */

public class RuntimeException extends Exception {

  /**
   * Constructs a RuntimeException instance.
   */
  public RuntimeException() {}

}
why-2.34/lib/javacard_api/java/lang/IndexOutOfBoundsException.java0000644000175000017500000000074212311670312023555 0ustar  rtusers/*
 * JML specs for the JavaCard API 2.1.1
 * by Engelbert Hubbers and Erik Poll
 * Copyright 2002 University of Nijmegen, the Netherlands 
 *
 * The JavaCard API 2.1.1 itself is copyright (c) 2000 Sun Microsystems, Inc.
 */

package java.lang;

public class IndexOutOfBoundsException extends RuntimeException { 

  /*  public normal_behavior
         requires true;
       assignable \nothing;
          ensures true;
    @*/

  public IndexOutOfBoundsException() 
   
   {} 

 } 
why-2.34/lib/javacard_api/java/lang/Throwable.java0000644000175000017500000000340112311670312020421 0ustar  rtusers/*
* $Workfile: Throwable.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:37:49 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Throwable.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:37:49 $
// $Author: marche $
// $Archive: /Products/Europa/api21/java/lang/Throwable.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package java.lang;

  /**
   * The Throwable class is the superclass of all errors and exceptions in the Java Card subset
   * of the Java language.
   * Only objects that are instances of this class (or of one of its
   * subclasses) are thrown by the Java Card Virtual Machine
   * or can be thrown by the Java throw statement.
   * Similarly, only this class or one of its subclasses
   * can be the argument type in a catch clause.
   * 
This Java Card class's functionality is a strict subset of the definition in the 
   * Java Platform Core API Specification.

   */
public class Throwable {

  /**
   * Constructs a new Throwable. 
   */
  public Throwable() {}
  
}
why-2.34/lib/javacard_api/javacard/0000755000175000017500000000000012311670312015542 5ustar  rtuserswhy-2.34/lib/javacard_api/javacard/security/0000755000175000017500000000000012311670312017411 5ustar  rtuserswhy-2.34/lib/javacard_api/javacard/security/RSAPrivateKey.java0000644000175000017500000001162612311670312022713 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: RSAPrivateKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/RSAPrivateKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The RSAPrivateKey class is used to sign data using the RSA algorithm
 * in its modulus/exponent form. It may also be used by the javacardx.crypto.Cipher class
 * to encrypt/decrypt messages.
 * 
When both the modulus and exponent of the key are set, the key is
 * initialized and ready for use.
 *
 * @see RSAPublicKey
 * @see RSAPrivateCrtKey
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.Cipher
 * @see javacardx.crypto.KeyEncryption
 *
 */

public interface RSAPrivateKey extends PrivateKey {

  /**
   * Sets the modulus value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input modulus data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the modulus value begins
   * @param length the length of the modulus
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input modulus data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the modulus value is decrypted using the Cipher object.
   * 

   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setModulus( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the private exponent value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input exponent data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the exponent value begins
   * @param length the length of the exponent
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input exponent data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the exponent value is decrypted using the Cipher object.
   * 

   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setExponent( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Returns the modulus value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the modulus value starts
   * @return the byte length of the modulus value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getModulus( byte[] buffer, short offset );

  /**
   * Returns the private exponent value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the exponent value begins
   * @return the byte length of the private exponent value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getExponent( byte[] buffer, short offset );

 }
why-2.34/lib/javacard_api/javacard/security/Signature.java0000644000175000017500000004466612311670312022235 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: Signature.java $
// $Revision: 1.4 $
// $Date: 2008-01-31 18:27:25 $
// $Author: nrousset $
// $Archive: /Products/Europa/api21/javacard/security/Signature.java $
// $Modtime: 5/02/00 8:48p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The Signature class is the base class for Signature algorithms. Implementations of Signature
 * algorithms must extend this class and implement all the abstract methods.
 * 
The term "pad" is used in the public key signature algorithms below to refer to all the
 * operations specified in the referenced scheme to transform the message digest into
 * the encryption block size.
 * 
 A tear or card reset event resets an initialized 
 * Signature object to the state it was in when previously initialized
 * via a call to init().

 * 
Note:
    
 * 
  • On a tear or card reset event, the DES and triple DES algorithms in outer CBC mode
 * reset the initial vector(IV) to 0. The initial vector(IV) can be re-initialized using the
 * init(Key, byte, byte[], short, short) method.
 * 

 */
abstract public class Signature{


    // algorithm options
    /**
     * Signature algorithm ALG_DES_MAC4_NOPAD generates a 4 byte MAC
     * (most significant 4 bytes of encrypted block) using DES or triple DES in CBC mode. 
     * This algorithm uses outer CBC for triple DES. 
     * This algorithm does not pad input data.
     * If the input data is not (8 byte) block aligned it throws CryptoException
     * with the reason code ILLEGAL_USE.
     *
     */
    public static final byte ALG_DES_MAC4_NOPAD           = 1;

    /**
     * Signature algorithm ALG_DES_MAC_8_NOPAD generates a 8 byte MAC
     * using DES or triple DES in CBC mode. This algorithm uses outer CBC for triple DES. 
     * This algorithm does not pad input data.
     * If the input data is not (8 byte) block aligned it throws CryptoException
     * with the reason code ILLEGAL_USE.
     * 
Note:
     * 
  • This algorithm must not be implemented if export restrictions apply.

     */
    public static final byte ALG_DES_MAC8_NOPAD           = 2;

    /**
     * Signature algorithm ALG_DES_MAC4_ISO9797_M1 generates a 4 byte MAC
     * (most significant 4 bytes of encrypted block) using DES or triple DES in CBC mode. 
     * This algorithm uses outer CBC for triple DES. 
     * Input data is padded according to the ISO 9797 method 1 scheme.
     */
    public static final byte ALG_DES_MAC4_ISO9797_M1      = 3;

    /**
     * Signature algorithm ALG_DES_MAC8_ISO9797_M1 generates a 8 byte MAC
     * using DES or triple DES in CBC mode. This algorithm uses outer CBC for triple DES. 
     * Input data is padded according to the ISO 9797 method 1 scheme.
     * 
Note:
     * 
  • This algorithm must not be implemented if export restrictions apply.

     */
    public static final byte ALG_DES_MAC8_ISO9797_M1      = 4;

    /**
     * Signature algorithm ALG_DES_MAC4_ISO9797_M2 generates a 4 byte MAC
     * (most significant 4 bytes of encrypted block) using DES or triple DES in CBC mode. 
     * This algorithm uses outer CBC for triple DES. 
     * Input data is padded according to the ISO 9797 method 2 (ISO 7816-4, EMV'96) scheme.
     */
    public static final byte ALG_DES_MAC4_ISO9797_M2      = 5;

    /**
     * Signature algorithm ALG_DES_MAC8_ISO9797_M2 generates a 8 byte MAC
     * using DES or triple DES in CBC mode. This algorithm uses outer CBC for triple DES. 
     * Input data is padded according to the ISO 9797 method 2 (ISO 7816-4, EMV'96) scheme.
     * 
Note:
     * 
  • This algorithm must not be implemented if export restrictions apply.

     */
    public static final byte ALG_DES_MAC8_ISO9797_M2      = 6;

    /**
     * Signature algorithm ALG_DES_MAC4_PKCS5 generates a 4 byte MAC
     * (most significant 4 bytes of encrypted block) using DES or triple DES in CBC mode. 
     * This algorithm uses outer CBC for triple DES. 
     * Input data is padded according to the PKCS#5 scheme.
     */
    public static final byte ALG_DES_MAC4_PKCS5           = 7;

    /**
     * Signature algorithm ALG_DES_MAC8_PKCS5 generates a 8 byte MAC
     * using DES or triple DES in CBC mode. This algorithm uses outer CBC for triple DES. 
     * Input data is padded according to the PKCS#5 scheme.
     * 
Note:
     * 
  • This algorithm must not be implemented if export restrictions apply.

     */
    public static final byte ALG_DES_MAC8_PKCS5           = 8;

    /**
     * Signature algorithm ALG_RSA_SHA_ISO9796 encrypts the 20 byte SHA digest using RSA. 
     * The digest is padded according to the ISO 9796 (EMV'96) scheme.
     */
    public static final byte ALG_RSA_SHA_ISO9796          = 9;

    /**
     * Signature algorithm ALG_RSA_SHA_PKCS1 encrypts the 20 byte SHA digest using RSA. 
     * The digest is padded according to the PKCS#1 (v1.5) scheme.
     * 
Note:
    
     * 
  •  The encryption block(EB) during signing is built as follows:
    
     *   EB = 00 || 01 || PS || 00 || T
    
     *       :: where T is the DER encoding of :
    
     *             digestInfo ::= SEQUENCE {
    
     *             digestAlgorithm AlgorithmIdentifier of SHA-1,
    
     *             digest OCTET STRING
    
     *             }
    
     *       :: PS is an octet string of length k-3-||T|| with value FF.
     * The length of PS must be at least 8 octets.
    
     *       :: k is the RSA modulus size. 
    
     * 

     */
    public static final byte ALG_RSA_SHA_PKCS1            = 10;

    /**
     * Signature algorithm ALG_RSA_MD5_PKCS1 encrypts the 16 byte MD5 digest using RSA. 
     * The digest is padded according to the PKCS#1 (v1.5) scheme.
     * 
Note:
    
     * 
  •  The encryption block(EB) during signing is built as follows:
    
     * <  EB = 00 || 01 || PS || 00 || T
    
     *       :: where T is the DER encoding of :
    
     *             digestInfo ::= SEQUENCE {
    
     *             digestAlgorithm AlgorithmIdentifier of MD5,
    
     *             digest OCTET STRING
    
     *             }
    
     *       :: PS is an octet string of length k-3-||T|| with value FF.
     * The length of PS must be at least 8 octets.
    
     *       :: k is the RSA modulus size. 
    
     * 

     */
    public static final byte ALG_RSA_MD5_PKCS1           = 11;

    /**
     * Signature algorithm ALG_RSA_RIPEMD160_ISO9796 encrypts the 20 byte RIPE MD-160 digest
     * using RSA. The digest is padded according to the ISO 9796 scheme.
     */
    public static final byte ALG_RSA_RIPEMD160_ISO9796    = 12;

    /**
     * Signature algorithm ALG_RSA_RIPEMD160_PKCS1 encrypts the 20 byte RIPE MD-160 digest
     * using RSA. The digest is padded according to the PKCS#1 (v1.5) scheme.
     * 
Note:
    
     * 
  •  The encryption block(EB) during signing is built as follows:
    
     * <  EB = 00 || 01 || PS || 00 || T
    
     *       :: where T is the DER encoding of :
    
     *             digestInfo ::= SEQUENCE {
    
     *             digestAlgorithm AlgorithmIdentifier of RIPEMD160,
    
     *             digest OCTET STRING
    
     *             }
    
     *       :: PS is an octet string of length k-3-||T|| with value FF.
     * The length of PS must be at least 8 octets.
    
     *       :: k is the RSA modulus size. 
    
     * 

     */
    public static final byte ALG_RSA_RIPEMD160_PKCS1      = 13;

    /**
     * Signature algorithm ALG_DSA_SHA signs/verifies the 20 byte SHA digest using DSA.
     */
    public static final byte ALG_DSA_SHA                  = 14;

    /**
     * Signature algorithm ALG_RSA_SHA_RFC2409 encrypts the 20 byte SHA digest using RSA. 
     * The digest is padded according to the RFC2409 scheme.
     */
    public static final byte ALG_RSA_SHA_RFC2409          = 15;

    /**
     * Signature algorithm ALG_RSA_MD5_RFC2409 encrypts the 16 byte MD5 digest using RSA. 
     * The digest is padded according to the RFC2409 scheme.
     */
    public static final byte ALG_RSA_MD5_RFC2409          = 16;

    // mode options
    /**
     * Used in init() methods to indicate signature sign mode.
     */
    public static final byte MODE_SIGN                    = 1;
    
    /**
     * Used in init() methods to indicate signature verify mode.
     */
    public static final byte MODE_VERIFY                  = 2;
    
    /**
     * Creates a Signature object instance of the selected algorithm.
     * @param algorithm the desired Signature algorithm. See above.
     * @param externalAccess if true indicates that the instance will be shared among
     * multiple applet instances and that the Signature instance will also be accessed (via a Shareable
     * interface) when the owner of the Signature instance is not the currently selected applet.
     * @return the Signature object instance of the requested algorithm.
     * @exception CryptoException with the following reason codes:
    
     * 
  • CryptoException.NO_SUCH_ALGORITHM if the requested algorithm is not supported.

     */

    /*@ behavior normal:
      @   ensures \result != null;
      @*/
    public static final Signature getInstance(byte algorithm, boolean externalAccess) 
	throws CryptoException{
	switch ( algorithm ){
	default :
	    CryptoException.throwIt( CryptoException.NO_SUCH_ALGORITHM );
	}
	return null;
    }
    
    /**
     * Initializes the Signature object with the appropriate Key. This method should be used
     * for algorithms which do not need initialization parameters or use default parameter
     * values.
     * 
Note:
    
     * 
  • DES and triple DES algorithms in CBC mode will use 0 for initial vector(IV) if this
     * method is used.
     * 

     * @param theKey the key object to use for signing or verifying
     * @param theMode one of MODE_SIGN or MODE_VERIFY
     * @exception CryptoException with the following reason codes:
    
     * 
  • CryptoException.ILLEGAL_VALUE if theMode option is an undefined value or
     * if the Key is inconsistent with theMode
     * or with the Signature implementation.
     * 

     */
    abstract public void init ( Key theKey, byte theMode ) throws CryptoException;
    
    /*
     * Initializes the Signature object with the appropriate Key and algorithm specific
     * parameters.
     * 
Note:
    
     * 
  • DES and triple DES algorithms in outer CBC mode expect an 8 byte parameter value for
     * the initial vector(IV) in bArray.
     * 
  • RSA and DSA algorithms throw CryptoException.ILLEGAL_VALUE.
     * 

     * @param theKey the key object to use for signing
     * @param theMode one of MODE_SIGN or MODE_VERIFY
     * @param bArray byte array containing algorithm specific initialization info.
     * @param bOff offset within bArray where the algorithm specific data begins.
     * @param bLen byte length of algorithm specific parameter data
     * @exception CryptoException with the following reason codes:
    
     * 
  • CryptoException.ILLEGAL_VALUE if theMode option is an undefined value
     * or if a byte array parameter option is not supported by the algorithm or if
     * the bLen is an incorrect byte length for the algorithm specific data or
     * if the Key is inconsistent with theMode
     * or with the Signature implementation.
     * 

     */
    abstract public void init ( Key theKey, byte theMode, byte[] bArray, short bOff, short bLen )
	throws CryptoException;
    
    /**
     * Protected Constructor
     *
     */
    protected Signature() {}

    /**
     * Gets the Signature algorithm.
     * @return the algorithm code defined above.
     */
    abstract public byte getAlgorithm();
    
    /**
     * Returns the byte length of the signature data.
     * @return the byte length of the signature data.
     */
    abstract public short getLength();

    /**
     * Accumulates a signature of the input data. This method requires temporary storage of 
     * intermediate results. In addition, if the input data length is not block aligned
     * (multiple of block size)
     * then additional internal storage may be allocated at this time to store a partial
     * input data block.
     * This may result in additional resource consumption and/or slow performance.
     * This method should only be used if all the input data required for signing/verifying
     * is not available in one byte array. The sign() or
     * verify() method is recommended whenever possible.
     * @param inBuff the input buffer of data to be signed
     * @param inOffset the offset into the input buffer at which to begin signature generation
     * @param inLength the byte length to sign
     * @exception CryptoException with the following reason codes:
    
     * 
  • CryptoException.UNINITIALIZED_KEY if key not initialized.

     * @see #sign(byte[], short, short, byte[], short)
     * @see #verify(byte[], short, short, byte[], short, short)
     */
    abstract public void update(
        byte[] inBuff,
        short inOffset,
        short inLength) throws CryptoException;

    /**
     * Generates the signature of all/last input data.
     * A call to this method also resets this Signature object to the state it was in
     * when previously initialized via a call to init().
     * That is, the object is reset and available to sign another message.
     * 
Note:
    
     * 
  • DES and triple DES algorithms in outer CBC mode reset the initial vector(IV)
     * to 0. The initial vector(IV) can be re-initialized using the
     * init(Key, byte, byte[], short, short) method.
     * 

     * 
The input and output buffer data may overlap.
     * @param inBuff the input buffer of data to be signed
     * @param inOffset the offset into the input buffer at which to begin signature generation
     * @param inLength the byte length to sign
     * @param sigBuff the output buffer to store signature data
     * @param sigOffset the offset into sigBuff at which to begin signature data
     * @return number of bytes of signature output in sigBuff
     * @exception CryptoException with the following reason codes:
    
     * 
  • CryptoException.UNINITIALIZED_KEY if key not initialized.
     * 
  • CryptoException.INVALID_INIT if this Signature object is
     * not initialized or initialized for signature verify mode.
     * 
  • CryptoException.ILLEGAL_USE if this Signature algorithm
     * does not pad the message and the message is not block aligned.
     * 

     */
    abstract public short sign (
        byte[] inBuff,
        short inOffset,
        short inLength,
        byte[] sigBuff,
        short sigOffset) throws CryptoException;

    /**
     * Verifies the signature of all/last input data against the passed in signature.
     * A call to this method also resets this Signature object to the state it was in
     * when previously initialized via a call to init().
     * That is, the object is reset and available to verify another message.
     * 
Note:
    
     * 
  • DES and triple DES algorithms in outer CBC mode reset the initial vector(IV)
     * to 0. The initial vector(IV) can be re-initialized using the
     * init(Key, byte, byte[], short, short) method.
     * 

     * @param inBuff the input buffer of data to be verified
     * @param inOffset the offset into the input buffer at which to begin signature generation
     * @param inLength the byte length to sign
     * @param sigBuff the input buffer containing signature data
     * @param sigOffset the offset into sigBuff where signature data begins.
     * @param sigLength the byte length of the signature data
     * @return true if signature verifies false otherwise.
     * @exception CryptoException with the following reason codes:
    
     * 
  • CryptoException.UNINITIALIZED_KEY if key not initialized.
     * 
  • CryptoException.INVALID_INIT if this Signature object is
     * not initialized or initialized for signature sign mode.
     * 
  • CryptoException.ILLEGAL_USE if this Signature algorithm
     * does not pad the message and the message is not block aligned.
     * 

     */
    abstract public boolean verify (
        byte[] inBuff,
        short inOffset,
        short inLength,
        byte[] sigBuff,
        short sigOffset,
        short sigLength) throws CryptoException;

}









why-2.34/lib/javacard_api/javacard/security/DSAPrivateKey.java0000644000175000017500000000635112311670312022674 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: DSAPrivateKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/DSAPrivateKey.java $
// $Modtime: 5/02/00 8:48p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The DSAPrivateKey interface is used to sign data using the DSA algorithm. An
 * implementation of  DSAPrivateKey interface must also implement
 * the DSAKey interface methods.
 * 
When all four components of the key (X,P,Q,G) are set, the key is
 * initialized and ready for use.
 * 

 *
 * @see DSAPublicKey
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.KeyEncryption
 *
 */

public interface DSAPrivateKey extends PrivateKey, DSAKey {

  /**
   * Sets the value of the key. When the base, prime and subprime parameters are initialized
   * and the key value is set, the key is ready for use.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input key data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the modulus value begins
   * @param length the length of the modulus
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input key data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the key value is decrypted using the Cipher object.
   * 

   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setX( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Returns the value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the key value starts
   * @return the byte length of the key value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getX( byte[] buffer, short offset );

 }
why-2.34/lib/javacard_api/javacard/security/MessageDigest.java0000644000175000017500000001165612311670312023011 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: MessageDigest.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/MessageDigest.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The MessageDigest class is the base class for hashing algorithms. Implementations of MessageDigest
 * algorithms must extend this class and implement all the abstract methods.
 * 
 A tear or card reset event resets a 
 * MessageDigest object to the initial state (state upon construction).
 */

abstract public class MessageDigest{


    // algorithm options

    /**
     * Message Digest algorithm SHA.
    */
    public static final byte ALG_SHA        = 1;

    /**
     * Message Digest algorithm MD5.
     */
     public static final byte ALG_MD5       = 2;

    /**
     * Message Digest algorithm RIPE MD-160.
     */
     public static final byte ALG_RIPEMD160 = 3;

	/**
	 * Creates a MessageDigest object instance of the selected algorithm.
	 * @param algorithm the desired message digest algorithm. Valid codes listed in ALG_.. constants. See above.
	 * @param externalAccess if true indicates that the instance will be shared among
	 * multiple applet instances and that the MessageDigest instance will also be accessed (via a Shareable
	 * interface) when the owner of the MessageDigest instance is not the currently selected applet.
	 * @return the MessageDigest object instance of the requested algorithm.
	 * @exception CryptoException with the following reason codes:
    
     * 
  • CryptoException.NO_SUCH_ALGORITHM if the requested algorithm is not supported.

	*/
	public static final MessageDigest getInstance(byte algorithm, boolean externalAccess) throws CryptoException{
	    CryptoException.throwIt( CryptoException.NO_SUCH_ALGORITHM);
	    return null;
	    }

	/**
	 *  Protected Constructor
	 */
	protected MessageDigest(){}

	/**
	 * Gets the Message digest algorithm.
	 * @return the algorithm code defined above.
	*/
	abstract public byte getAlgorithm();

      /**
	   * Returns the byte length of the hash.
	   * @return hash length
	   */
    abstract public byte getLength();

	  /**
	   * Generates a hash of all/last input data.
	   * Completes and returns the hash computation after performing final operations such as padding.
	   * The MessageDigest object is reset to the initial state after this call is made.
	   * 
The input and output buffer data may overlap.
	   * @param inBuff the input buffer of data to be hashed
	   * @param inOffset the offset into the input buffer at which to begin hash generation
	   * @param inLength the byte length to hash
	   * @param outBuff the output buffer, may be the same as the input buffer
	   * @param outOffset the offset into the output buffer where the resulting hash value begins
	   * @return number of bytes of hash output in outBuff
	   */
    abstract public short doFinal(
        byte[] inBuff,
        short inOffset,
        short inLength,
        byte[] outBuff,
        short outOffset);

      /**
	   * Accumulates a hash of the input data. This method requires temporary storage of 
	   * intermediate results. In addition, if the input data length is not block aligned
	   * (multiple of block size)
	   * then additional internal storage may be allocated at this time to store a partial
	   * input data block.
	   * This may result in additional resource consumption and/or slow performance.
	   * This method should only be used if all the input data required for the hash
	   * is not available in one byte array. The doFinal() method
	   * is recommended whenever possible.
	   * @param inBuff the input buffer of data to be hashed
	   * @param inOffset the offset into the input buffer at which to begin hash generation
	   * @param inLength the byte length to hash
	   * @see #doFinal
	   */
    abstract public void update(
        byte[] inBuff,
        short inOffset,
        short inLength);

      /**
	   * Resets the MessageDigest object to the initial state for further use.
	   */
    abstract public void reset();
}
why-2.34/lib/javacard_api/javacard/security/PublicKey.java0000644000175000017500000000224612311670312022147 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: PublicKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/PublicKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The PublicKey interface is the base interface for public keys used in asymmetric algorithms.
 *
 */

 public interface PublicKey extends Key {}

    
why-2.34/lib/javacard_api/javacard/security/RSAPrivateCrtKey.java0000644000175000017500000002473312311670312023367 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: RSAPrivateCrtKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/RSAPrivateCrtKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The RSAPrivateCrtKey interface is used to sign data using the RSA algorithm
 * in its Chinese Remainder Theorem form. It may also be used by the javacardx.crypto.Cipher class
 * to encrypt/decrypt messages.
 * 

 * Let S = md mod n,
 * where m is the data to be signed, d is the private key exponent,
 * and n is private key modulus composed of
 * two prime numbers p and q.
 * The following names are used in the initializer methods in this interface:
 * 

 * P, the prime factor p

 * Q, the prime factor q.

 * PQ = q-1 mod p

 * DP1 = d mod (p - 1)

 * DQ1 = d mod (q - 1)

 * 
When all five components (P,Q,PQ,DP1,DQ1) of the key are set, the key is
 * initialized and ready for use.
 *
 * @see RSAPrivateKey
 * @see RSAPublicKey
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.Cipher
 * @see javacardx.crypto.KeyEncryption
 *
 */

public interface RSAPrivateCrtKey extends PrivateKey {

  /**
   * Sets the value of the P parameter.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input P parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the parameter value begins
   * @param length the length of the parameter
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the P parameter value is decrypted using the Cipher object.
   * 

   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setP( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the value of the Q parameter.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input Q parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the parameter value begins
   * @param length the length of the parameter
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the Q parameter value is decrypted using the Cipher object.
   * 

   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setQ( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the value of the DP1 parameter.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input DP1 parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the parameter value begins
   * @param length the length of the parameter
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the DP1 parameter value is decrypted using the Cipher object.
   * 

   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setDP1( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the value of the DQ1 parameter.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input DQ1 parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the parameter value begins
   * @param length the length of the parameter
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the DQ1 parameter value is decrypted using the Cipher object.
   * 

   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setDQ1( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the value of the PQ parameter.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input PQ parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the parameter value begins
   * @param length the length of the parameter
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the PQ parameter value is decrypted using the Cipher object.
   * 

   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setPQ( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Returns the value of the P parameter in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the parameter value begins
   * @return the byte length of the P parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getP( byte[] buffer, short offset );

  /**
   * Returns the value of the Q parameter in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the parameter value begins
   * @return the byte length of the Q parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getQ( byte[] buffer, short offset );

  /**
   * Returns the value of the DP1 parameter in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the parameter value begins
   * @return the byte length of the DP1 parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getDP1( byte[] buffer, short offset );

  /**
   * Returns the value of the DQ1 parameter in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the parameter value begins
   * @return the byte length of the DQ1 parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getDQ1( byte[] buffer, short offset );

  /**
   * Returns the value of the PQ parameter in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the parameter value begins
   * @return the byte length of the PQ parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getPQ( byte[] buffer, short offset );

 }

why-2.34/lib/javacard_api/javacard/security/PrivateKey.java0000644000175000017500000000224612311670312022343 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: PrivateKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/PrivateKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The PrivateKey interface is the base interface for private keys used in asymmetric algorithms.
 *
 */

 public interface PrivateKey extends Key {}

why-2.34/lib/javacard_api/javacard/security/SecretKey.java0000644000175000017500000000224212311670312022152 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: SecretKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/SecretKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The SecretKey class is the base interface for keys used in symmetric algorithms (e.g. DES).
 *
 */

public interface SecretKey extends Key{}
why-2.34/lib/javacard_api/javacard/security/RandomData.java0000644000175000017500000000627112311670312022274 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: RandomData.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/RandomData.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

//
/**
 * The RandomData abstract class is the base class for random number generation. Implementations of RandomData
 * algorithms must extend this class and implement all the abstract methods.
 */

abstract public class RandomData{

  // Random Number algorithm options

    /**
     * Utility pseudo random number generation algorithms.
    */
    public static final byte ALG_PSEUDO_RANDOM        = 1;

    /**
     * Cryptographically secure random number generation algorithms.
    */
    public static final byte ALG_SECURE_RANDOM        = 2;


  /**
   * Protected constructor for subclassing.
   */
    protected RandomData(){}

  /**
    * Creates a RandomData instance of the selected algorithm.
    * The pseudo random RandomData instance's seed is initialized to a internal default value.
	* @param algorithm the desired random number algorithm. Valid codes listed in ALG_.. constants. See above.
	* @return the RandomData object instance of the requested algorithm.
	* @exception CryptoException with the following reason codes:
    
    * 
  • CryptoException.NO_SUCH_ALGORITHM if the requested algorithm is not supported.

	*/
	public static final RandomData getInstance(byte algorithm) throws CryptoException{

	    switch ( algorithm ){
	        case ALG_PSEUDO_RANDOM :
	        case ALG_SECURE_RANDOM :
	            CryptoException.throwIt( CryptoException.NO_SUCH_ALGORITHM);
	            return null;
	    }
	    return null;
	 }


  /**
   * Generates random data.
   * @param buffer the output buffer
   * @param offset the offset into the output buffer
   * @param length the length of random data to generate
   */
   abstract public void generateData(
        byte[] buffer,
        short offset,
        short length);
 //   {
 //   	Randomness.generate(buffer,offset,length);
 //   }

  /**
   * Seeds the random data generator.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer
   * @param length the length of the seed data
   */
    abstract public void setSeed(
        byte[] buffer,
        short offset,
        short length);
//    {
//    	Randomness.setSeed(buffer,offset,length);
//    }
}
why-2.34/lib/javacard_api/javacard/security/Key.java0000644000175000017500000000425712311670312021014 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: Key.java $
// $Revision: 1.2 $
// $Date: 2007-10-16 11:03:17 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/Key.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The Key interface is the base interface for all keys.
 *

 * @see KeyBuilder
 */
public interface Key{
  	
  	/**
   	 * Reports the initialized state of the key. Keys must be initialized before
   	 * being used.
   	 * 
A Key object sets its initialized state to true only when all the associated set
   	 * methods have been invoked at least once since the time the initialized state was set to false.
   	 * 
A newly created Key object sets its initialized state to false. Invocation of the
   	 * clearKey() method sets the initialized state to false. A key with transient key data
   	 * sets its initialized state to false on the associated clear events.
	 * @return true if the key has been initialized.
   	 */

    boolean isInitialized();

  	/**
   	 * Clears the key and sets its initialized state to false.
   	 */
  	
    void clearKey();
	
	/**
	 * Returns the key interface type.
   	 * @return the key interface type.
   	 *

     * @see KeyBuilder 
   	 */


    byte getType();
	
	/**
	 * Returns the key size in number of bits.
   	 * @return the key size in number of bits.
   	 */
	
    short getSize();
	
	
	
}
why-2.34/lib/javacard_api/javacard/security/KeyBuilder.java0000644000175000017500000001324412311670312022317 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: KeyBuilder.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/KeyBuilder.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The KeyBuilder class is a key object factory.
 *
 */

public class KeyBuilder{

	// keyType parameter options

	/**
     * Key object which implements interface type DESKey
     * with CLEAR_ON_RESET transient key data.
     * 
This Key object implicitly performs a clearKey() on
     * power on or card reset.
     */
	public static final byte TYPE_DES_TRANSIENT_RESET      = 1;

	/**
     * Key object which implements interface type DESKey
     * with CLEAR_ON_DESELECT transient key data.
     * 
This Key object implicitly performs a clearKey() on
     * power on, card reset and applet deselection.
     */
	public static final byte TYPE_DES_TRANSIENT_DESELECT   = 2;

	/**
     * Key object which implements interface type DESKey with persistent key data.
     */
	public static final byte TYPE_DES                      = 3;

	/**
     * Key object which implements interface type RSAPublicKey.
     */
	public static final byte TYPE_RSA_PUBLIC               = 4;

	/**
     * Key object which implements interface type RSAPrivateKey which
     * uses modulus/exponent form.
     */
	public static final byte TYPE_RSA_PRIVATE              = 5;

	/**
     * Key object which implements interface type RSAPrivateCrtKey which
     * uses Chinese Remainder Theorem.
     */
	public static final byte TYPE_RSA_CRT_PRIVATE          = 6;

	/**
     * Key object which implements the interface type DSAPublicKey
     * for the DSA algorithm.
     */
	public static final byte TYPE_DSA_PUBLIC               = 7;

	/**
     * Key object which implements the interface type DSAPrivateKey
     * for the DSA algorithm.
     */
	public static final byte TYPE_DSA_PRIVATE              = 8;

	// keyLength parameter options
   /**
     * DES Key Length LENGTH_DES = 64.
     */
	public static final short LENGTH_DES  = 64;

	/**
     * DES Key Length LENGTH_DES3_2KEY = 128.
     */
	public static final short LENGTH_DES3_2KEY = 128;

	/**
     * DES Key Length LENGTH_DES3_3KEY = 192.
     */
	public static final short LENGTH_DES3_3KEY = 192;

	/**
     * RSA Key Length LENGTH_RSA_512 = 512.
     */
	public static final short LENGTH_RSA_512 = (short)512;

	/**
     * RSA Key Length LENGTH_RSA_768 = 768.
     */
	public static final short LENGTH_RSA_768 = (short)768;

	/**
     * RSA Key Length LENGTH_RSA_1024 = 1024.
     */
	public static final short LENGTH_RSA_1024 = (short)1024;

	/**
     * RSA Key Length LENGTH_RSA_2048 = 2048.
     */
	public static final short LENGTH_RSA_2048 = (short)2048;

	/**
     * DSA Key Length LENGTH_DSA_512 = 512.
     */
	public static final short LENGTH_DSA_512 = (short)512;

	/**
     * DSA Key Length LENGTH_DSA_768 = 768.
     */
	public static final short LENGTH_DSA_768 = (short)768;

	/**
     * DSA Key Length LENGTH_DSA_1024 = 1024.
     */
	public static final short LENGTH_DSA_1024 = (short)1024;

	/**
	 * Creates uninitialized cryptographic keys for signature and cipher algorithms. Instances created
	 * by this method may be the only key objects used to initialize instances of
	 * Signature and Cipher.
	 * Note that the object returned must be cast to their appropriate key type interface.
	 * @param keyType the type of key to be generated. Valid codes listed in TYPE.. constants.
	 * @param keyLength the key size in bits. The valid key bit lengths are key type dependent. See above.
	 * @param keyEncryption if true this boolean requests a key implementation
	 * which implements the javacardx.crypto.KeyEncryption interface.
	 * The key implementation returned may implement the javacardx.crypto.KeyEncryption
	 * interface even when this parameter is false.
	 * @return the key object instance of the requested key type, length and encrypted access.
	 * @exception CryptoException with the following reason codes:
    
     * 
  • CryptoException.NO_SUCH_ALGORITHM if the requested algorithm
     * associated with the specified type, size of key and key encryption interface is not supported.

	*/
	public static Key buildKey( byte keyType, short keyLength, boolean keyEncryption ) throws CryptoException {

	    switch ( keyType ){
	        default :
	            CryptoException.throwIt( CryptoException.NO_SUCH_ALGORITHM );
	    }
	    return null;
	}

	/**
	 * No constructor
	 */
	KeyBuilder() {}

}
why-2.34/lib/javacard_api/javacard/security/DESKey.java0000644000175000017500000000610212311670312021337 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: DESKey.java $
// $Revision: 1.3 $
// $Date: 2007-10-22 07:38:21 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/DESKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * DESKey contains an 8/16/24 byte key for single/2 key triple DES/3 key triple DES
 * operations.
 * 
When the key data is set, the key is initialized and ready for use.
 *

 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.Cipher
 * @see javacardx.crypto.KeyEncryption
 */
public interface DESKey extends SecretKey{
    
    /**
     * Sets the Key data. The plaintext length of input key data is 8 bytes for DES,
     * 16 bytes for 2 key triple DES and 24 bytes for 3 key triple DES.
     * The data format is big-endian and right-aligned (the least significant bit is the least significant
     * bit of last byte). Input key data is copied into the internal representation.
     * @param keyData byte array containing key initialization data
     * @param kOff offset within keyData to start
     * @exception CryptoException with the following reason code:
    
     * 
  • CryptoException.ILLEGAL_VALUE if the input key data length is inconsistent
     * with the implementation or if input data decryption is required and fails.
     * 

     * 
Note:
    
     * 
  • If the key object implements the javacardx.crypto.KeyEncryption
     * interface and the Cipher object specified via setKeyCipher()
     * is not null, keyData is decrypted using the Cipher object.
     * 

     */
    void setKey( byte[] keyData, short kOff ) throws CryptoException;

    /**
     * Returns the Key data in plain text. The length of output key data is 8 bytes for DES,
     * 16 bytes for 2 key triple DES and 24 bytes for 3 key triple DES.
     * The data format is big-endian and right-aligned (the least significant bit is the least significant
     * bit of last byte).
     * @param keyData byte array to return key data
     * @param kOff offset within keyData to start.
     * @return the byte length of the key data returned.
     */
    byte getKey( byte[] keyData, short kOff );

    }
why-2.34/lib/javacard_api/javacard/security/DSAPublicKey.java0000644000175000017500000000635412311670312022503 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: DSAPublicKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/DSAPublicKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The DSAPublicKey interface is used to verify signatures
 * on signed data using the DSA algorithm.
 * An implementation of DSAPublicKey interface must also implement
 * the DSAKey interface methods.
 * 
When all four components of the key (Y,P,Q,G) are set, the key is
 * initialized and ready for use.
 * @see DSAPrivateKey
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.KeyEncryption
 */

public interface DSAPublicKey extends PublicKey, DSAKey{

   /**
   * Sets the value of the key. When the base, prime and subprime parameters are initialized
   * and the key value is set, the key is ready for use.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input key data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the key value begins
   * @param length the length of the key value
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input key data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the key value is decrypted using the Cipher object.
   * 

   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setY( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Returns the value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the input buffer at which the key value starts
   * @return the byte length of the key value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getY( byte[] buffer, short offset );
 }
why-2.34/lib/javacard_api/javacard/security/KeyPair.java0000644000175000017500000001452412311670312021626 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: KeyPair.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/KeyPair.java $
// $Modtime: 5/02/00 8:48p $
// Original author:  Andy
// */

package javacard.security;

/**
 * This class is a container for a key pair (a public key and a
 * private key). It does not enforce any security, and, when initialized,
 * should be treated like a PrivateKey.
 * 
In addition, this class features a key generation method.
 *
 * @see PublicKey
 * @see PrivateKey
 */

public final class KeyPair {

    /**
     * KeyPair object containing a RSA key pair.
     */
	public static final byte ALG_RSA               = 1;
	
	/**
     * KeyPair object containing a RSA key pair with private key in
     * its Chinese Remainder Theorem form.
     */
	public static final byte ALG_RSA_CRT           = 2;
	
	
	/**
     * KeyPair object containing a DSA key pair.
     */
	public static final byte ALG_DSA               = 3;
	
		
    private PrivateKey privateKey;
    private PublicKey publicKey;

    
    /**
     * (Re)Initializes the key objects encapsulated in this KeyPair instance 
     * with new key values. The initialized public and private key objects
     * encapsulated in this instance will then be suitable for use with the
	 * Signature and Cipher objects. 
	 * An internal secure random number generator is used during new key pair generation.
     * 
Notes:
    
     * 
  • For the RSA algorithm, if the exponent value in the public key object is pre-initialized,
     * it will be retained; Otherwise a default value of 65537 will be used.
     * 
  • For the DSA algorithm, if the p, q and g parameters of the public key object are pre-initialized,
     * it will be retained; Otherwise default precomputed parameter sets will be used. The required 
     * default precomputed values are listed in Appendix B of Java Cryptography Architecture
     * API Specification & Reference document.
     * 
  • If the time taken to generate the key values is excessive, the implementation may automatically
     * request additional APDU processing time from the CAD.
     * 

	 * @exception CryptoException with the following reason codes:
    
     * 
  • CryptoException.ILLEGAL_VALUE if the exponent value parameter in RSA or the
     * p,q,g parameter set in DSA is invalid.
     * 

     * @see javacard.framework.APDU
     * @see Signature
     * @see javacardx.crypto.Cipher
     */
    public final void genKeyPair() throws CryptoException {}
    
    /**
     * Constructs a KeyPair instance for the specified algorithm and keylength. 
     * The encapsulated keys are uninitialized.
     * To initialize the KeyPair instance use the genKeyPair() method.
 
     * The encapsulated key objects are of the specified keyLength size and 
	 * implement the appropriate Key interface associated with the specified algorithm
	 * (example - RSAPublicKey interface for the public key and RSAPrivateKey
	 * interface for the private key within an ALG_RSA key pair).

	 * 
Notes:
    
	 * 
  • The key objects encapsulated in the generated KeyPair object
     * need not support the KeyEncryption interface.
     * 

 	 * @param algorithm the type of algorithm whose key pair needs to be generated.
	 * Valid codes listed in ALG_.. constants above.
	 * @param keyLength the key size in bits. The valid key bit lengths are key type dependent.
	 * See the KeyBuilder class.
	 * @exception CryptoException with the following reason codes:
    
     * 
  • CryptoException.NO_SUCH_ALGORITHM if the requested algorithm
     * associated with the specified type, size of key is not supported.

     * @see KeyBuilder
     * @see Signature
     * @see javacardx.crypto.Cipher
 	 * @see javacardx.crypto.KeyEncryption
     */
    public KeyPair(byte algorithm, short keyLength) throws CryptoException
    {
    	CryptoException.throwIt( CryptoException.NO_SUCH_ALGORITHM );
    }   
        
    /**
     * Constructs a new KeyPair object containing the specified 
     * public key and private key.
     *
     * 
Note that this constructor only stores references to the public
     * and private key components in the generated KeyPair object. 
     *
     * @param publicKey the public key.
     * @param privateKey the private key.
     * @exception CryptoException with the following reason codes:
    
     * 
  • CryptoException.ILLEGAL_VALUE if the input parameter key
     * objects are inconsistent with each other - i.e mismatched algorithm, size etc.
     * 
  • CryptoException.NO_SUCH_ALGORITHM if the algorithm
     * associated with the specified type, size of key is not supported.
     * 

     */
    public KeyPair(PublicKey krak_publicKey, PrivateKey krak_privateKey)
    throws CryptoException
    {
    	CryptoException.throwIt( CryptoException.NO_SUCH_ALGORITHM );
    }

    /**
     * Returns a reference to the public key component of this KeyPair object.
     *
     * @return a reference to the public key.
     */
    public PublicKey getPublic() {
	return publicKey;
    }

     /**
     * Returns a reference to the private key component of this KeyPair object.
     *
     * @return a reference to the private key.
     */
   public PrivateKey getPrivate() {
	return privateKey;
    }
}
why-2.34/lib/javacard_api/javacard/security/DSAKey.java0000644000175000017500000001542012311670312021336 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: DSAKey.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/DSAKey.java $
// $Modtime: 5/02/00 8:48p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The DSAKey interface is the base interface for the DSA algorithms private and
 * public key implementations. A DSA private key implementation must also implement
 * the DSAPrivateKey interface methods. A DSA public key implementation must also implement
 * the DSAPublicKey interface methods.
 * 
When all four components of the key (X or Y,P,Q,G) are set, the key is
 * initialized and ready for use.
 * 

 *
 * @see DSAPublicKey
 * @see DSAPrivateKey
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.KeyEncryption
 *
 */

public interface DSAKey {

  /**
   * Sets the prime parameter value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input prime parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the prime parameter value begins
   * @param length the length of the prime parameter value
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the prime parameter value is decrypted using the Cipher object.
   * 

   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setP( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the subprime parameter value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input subprime parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the subprime parameter value begins
   * @param length the length of the subprime parameter value
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the subprime parameter value is decrypted using the Cipher object.
   * 

   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setQ( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the base parameter value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input base parameter data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the base parameter value begins
   * @param length the length of the base parameter value
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input parameter data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the base parameter value is decrypted using the Cipher object.
   * 

   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    void setG( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Returns the prime parameter value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the prime parameter value starts
   * @return the byte length of the prime parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getP( byte[] buffer, short offset );

  /**
   * Returns the subprime parameter value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the subprime parameter value begins
   * @return the byte length of the subprime parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getQ( byte[] buffer, short offset );

  /**
   * Returns the base parameter value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the base parameter value begins
   * @return the byte length of the base parameter value returned
   */

    /*@ public normal_behavior
      @   ensures true;
      @*/

    short getG( byte[] buffer, short offset );

 }
why-2.34/lib/javacard_api/javacard/security/RSAPublicKey.java0000644000175000017500000001116312311670312022513 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: RSAPublicKey.java $
// $Revision: 1.2 $
// $Date: 2009-11-25 10:47:13 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/RSAPublicKey.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;

/**
 * The RSAPublicKey is used to verify signatures on signed data using the RSA algorithm.
 * It may also used by the javacardx.crypto.Cipher class to encrypt/decrypt messages.
 * 
When both the modulus and exponent of the key are set, the key is
 * initialized and ready for use.
 * @see RSAPrivateKey
 * @see RSAPrivateCrtKey
 * @see KeyBuilder
 * @see Signature
 * @see javacardx.crypto.Cipher
 * @see javacardx.crypto.KeyEncryption
 */

public interface RSAPublicKey extends PublicKey{

   /**
   * Sets the modulus value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input modulus data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the modulus value begins
   * @param length the byte length of the modulus
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input modulus data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the modulus value is decrypted using the Cipher object.
   * 

   */

    void setModulus( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Sets the public exponent value of the key.
   * The plaintext data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte). Input exponent data is copied into the internal representation.
   * @param buffer the input buffer
   * @param offset the offset into the input buffer at which the exponent value begins
   * @param length the byte length of the exponent
   * @exception CryptoException with the following reason code:
    
   * 
  • CryptoException.ILLEGAL_VALUE if the input exponent data length is inconsistent
   * with the implementation or if input data decryption is required and fails.
   * 

   * 
Note:
    
   * 
  • If the key object implements the javacardx.crypto.KeyEncryption
   * interface and the Cipher object specified via setKeyCipher()
   * is not null, the exponent value is decrypted using the Cipher object.
   * 

   */

    void setExponent( byte[] buffer, short offset, short length) throws CryptoException;

  /**
   * Returns the modulus value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the input buffer at which the modulus value starts
   * @return the byte length of the modulus value returned
   */

    short getModulus( byte[] buffer, short offset );

  /**
   * Returns the private exponent value of the key in plain text.
   * The data format is big-endian and right-aligned (the least significant bit is the least significant
   * bit of last byte).
   * @param buffer the output buffer
   * @param offset the offset into the output buffer at which the exponent value begins
   * @return the byte length of the public exponent returned
   */

    short getExponent( byte[] buffer, short offset );

 }
why-2.34/lib/javacard_api/javacard/security/CryptoException.java0000644000175000017500000000735412311670312023424 0ustar  rtusers/*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

/*
// $Workfile: CryptoException.java $
// $Revision: 1.2 $
// $Date: 2007-10-22 07:38:21 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/security/CryptoException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Andy
// */

package javacard.security;
import javacard.framework.CardRuntimeException;

/**
 * CryptoException represents a cryptography-related exception.
 * 
The API classes throw JCRE owned instances of SystemException.
 * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * @see javacard.security.KeyBuilder
 * @see javacard.security.MessageDigest
 * @see javacard.security.Signature
 * @see javacard.security.RandomData
 * @see javacardx.crypto.Cipher
 */
public class CryptoException extends CardRuntimeException{

  // initialized when created by Dispatcher
  private static CryptoException systemInstance;

  // CryptoException reason codes
 /**
  * This reason code is used to indicate that one or more input parameters
  * is out of allowed bounds.
  */
  public static final short ILLEGAL_VALUE = 1;

 /**
  * This reason code is used to indicate that the key is uninitialized.
  */
  public static final short UNINITIALIZED_KEY = 2;

 /**
  * This reason code is used to indicate that the requested algorithm or key type
  * is not supported.
  */
  public static final short NO_SUCH_ALGORITHM = 3;

 /**
  * This reason code is used to indicate that the signature or cipher object has not been
  * correctly initialized for the requested operation.
  */
  public static final short INVALID_INIT = 4;

 /**
  * This reason code is used to indicate that the signature or cipher algorithm does
  * not pad the incoming message and the input message is not block aligned.
  */
  public static final short ILLEGAL_USE = 5;


  /**
   * Constructs a CryptoException with the specified reason.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception.
   */
  public CryptoException(short reason) {
    super(reason);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this;
  }

  /**
   * Throws the JCRE owned instance of CryptoException with the specified reason.
   * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception.
   * @exception CryptoException always.
   */
  public static void throwIt (short reason){
    systemInstance.setReason(reason);
    throw systemInstance;
  }

}
why-2.34/lib/javacard_api/javacard/framework/0000755000175000017500000000000012311670312017537 5ustar  rtuserswhy-2.34/lib/javacard_api/javacard/framework/CardRuntimeException.java0000644000175000017500000000635212311670312024504 0ustar  rtusers/*
* $Workfile: CardRuntimeException.java $	$Revision: 1.2 $, $Date: 2007-09-26 15:15:36 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: CardRuntimeException.java $
// $Revision: 1.2 $
// $Date: 2007-09-26 15:15:36 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/CardRuntimeException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Zhiqun
// */

package javacard.framework;

/**
 * The CardRuntimeException class
 * defines a field reason and two accessor methods 
 * getReason() and setReason(). The reason
 * field encapsulates exception cause identifier in Java Card.
 * All Java Card unchecked Exception classes should extend
 * CardRuntimeException. This class also provides a resource-saving mechanism
 * (throwIt() method) for using a JCRE owned instance of this class.
 */

public class CardRuntimeException extends RuntimeException {

  // initialized when created by Dispatcher
  private static CardRuntimeException systemInstance;

  // CardRuntimeException reason code
  private /*  spec_public */ short reason;

  /**
   * Construct a CardRuntimeException instance with the specified reason.
   * To conserve on resources, use throwIt() method
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception
   */
  public CardRuntimeException(short reason){
    this.reason = reason;
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
  }

  /** Get reason code
   *  @return the reason for the exception
   */

    
    public /*  pure @*/ short getReason() {
	return reason;
    }

  /** Set reason code
   * @param reason the reason for the exception
   */
  public void setReason(short reason) {
    this.reason = reason;
  }


  /**
   * Throw the JCRE owned instance of the CardRuntimeException class with the
   * specified reason.
   * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception
   * @exception CardRuntimeException always.
   */
  public static void throwIt(short reason) throws CardRuntimeException{  
    systemInstance.setReason(reason);
    throw systemInstance;
  }
}
why-2.34/lib/javacard_api/javacard/framework/UserException.java0000644000175000017500000000622712311670312023206 0ustar  rtusers/*
* $Workfile: UserException.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: UserException.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/UserException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * UserException represents a User exception.
 * This class also provides a resource-saving mechanism (the throwIt() method) for user
 * exceptions by using a JCRE owned instance.
 * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 */

public class UserException extends CardException{

  // initialized when created by Dispatcher
  private static UserException systemInstance;

  /**
   * Constructs a UserException with reason = 0.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   */
  public UserException() {
    this((short)0);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
  }

  /**
   * Constructs a UserException with the specified reason.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception.
   */
  public UserException(short reason) {
    super(reason);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
    }

  /**
   * Throws the JCRE owned instance of UserException with the specified reason.
   * 
JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception.
   * @exception UserException always.
   */
  public static void throwIt(short reason) throws UserException{
    systemInstance.setReason(reason);
    throw systemInstance;
  }
}
why-2.34/lib/javacard_api/javacard/framework/AID.java0000644000175000017500000001634312311670312021006 0ustar  rtusers/*
* $Workfile: AID.java $    $Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: AID.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/AID.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * This class encapsulates the Application Identifier(AID) associated with
 * an applet. An AID is defined in ISO 7816-5 to be a sequence of bytes between
 * 5 and 16 bytes in length.

 *
 * The JCRE creates instances of AID class to identify and manage every applet on 
 * the card. Applets need not create instances of this class.
 * An applet may request and use the JCRE 
 * owned instances to identify itself and other applet instances.
 * 
JCRE owned instances of AID are permanent JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these permanent objects
 * can be stored and re-used.
 * 
An applet instance can obtain a reference to JCRE owned instances of its own AID
 * object by using the JCSystem.getAID() method and another applet's AID object
 * via the JCSystem.lookupAID() method.
 * 
An applet uses AID instances to request to share another applet's
 * object or to control access to its own shared object from another applet.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 * @see JCSystem
 * @see SystemException
 */
public final class AID{

  byte[] theAID;

 /**
   * The JCRE uses this constructor to create a new AID instance
   * encapsulating the specified AID bytes.
   * @param bArray the byte array containing the AID bytes.
   * @param offset the start of AID bytes in bArray.
   * @param length the length of the AID bytes in bArray.
   * @exception SystemException with the following reason code:
    
   * 
  • SystemException.ILLEGAL_VALUE if the length parameter is
   * less than 5 or greater than 16.
   * 

   */
  public AID( byte[] bArray, short offset, byte length ) throws SystemException{
    if (length < 5 || length>16) SystemException.throwIt(SystemException.ILLEGAL_VALUE);
    theAID = new byte[length];
    Util.arrayCopy( bArray, offset, theAID, (short)0, length );
    }

  /**
   * Called to get the AID bytes encapsulated within AID object.
   * @param dest byte array to copy the AID bytes.
   * @param offset within dest where the AID bytes begin.
   * @return the length of the AID bytes.
   */
  public byte getBytes (byte[] dest, short offset) {
    Util.arrayCopy( theAID, (short)0, dest, offset, (short)theAID.length );
    return (byte) theAID.length;}

 /*
  * Compares the AID bytes in this AID instance to the AID bytes in the 
  * specified object.
  * The result is true if and only if the argument is not null
  * and is an AID object that encapsulates the same AID bytes as this
  * object.
  * 
This method does not throw NullPointerException.
  * @param anObject the object to compare this AID against. 
  * @return true if the AID byte values are equal, false otherwise.
  */
    /*CM  public boolean equals( Object anObject )
  {
    if ( ! (anObject instanceof AID) || ((AID)anObject).theAID.length != theAID.length) return false; 
    return (Util.arrayCompare(((AID)anObject).theAID, (short)0, theAID, (short)0, (short)theAID.length) == 0);
  }
    CM*/
 /**
  * Checks if the specified AID bytes in bArray are the same as those encapsulated
  * in this AID object.
  * The result is true if and only if the bArray argument is not null
  * and the AID bytes encapsulated in this AID object are equal to 
  * the specified AID bytes in bArray.
  * 
This method does not throw NullPointerException.
  * @param bArray containing the AID bytes
  * @param offset within bArray to begin
  * @param length of AID bytes in bArray
  * @return true if equal, false otherwise.
  */
  public boolean equals( byte[] bArray, short offset, byte length )
  {
    if (bArray==null) return false;
    // verify the array index
    byte testByte = bArray[(short)(offset + length - (short)1)];
    return ((length == theAID.length) &&
        (Util.arrayCompare(bArray, offset, theAID, (short)0, length) == 0));
  }

  /**
  * Checks if the specified partial AID byte sequence matches the first length bytes
  * of the encapsulated AID bytes within this AID object.
  * The result is true if and only if the bArray argument is not null 
  * and the input length is less than or equal to the length of the encapsulated AID
  * bytes within this AID object and the specified bytes match.
  * 
This method does not throw NullPointerException.
  * @param bArray containing the partial AID byte sequence
  * @param offset within bArray to begin
  * @param length of partial AID bytes in bArray
  * @return true if equal, false otherwise.
  */
  public boolean partialEquals( byte[] bArray, short offset, byte length )
  {
    if (bArray==null || length > theAID.length) return false;
    return (Util.arrayCompare(bArray, offset, theAID, (short)0, length) == 0);
  }
   
  /**
  * Checks if the RID (National Registered Application provider identifier) portion of the encapsulated
  * AID bytes within the otherAID object matches
  * that of this AID object.
  * The first 5 bytes of an AID byte sequence is the RID. See ISO 7816-5 for details.
  * The result is true if and only if the argument is not null
  * and is an AID object that encapsulates the same RID bytes as this
  * object.
  * 
This method does not throw NullPointerException.
  * @param otherAID the AID to compare against.
  * @return true if the RID bytes match, false otherwise.
  */
  public boolean RIDEquals ( AID otherAID )
  {
    if (otherAID==null) return false;
    if ( Util.arrayCompare( theAID, (short)0, otherAID.theAID, (short)0, (short)5 ) == 0 )
        return true;
    return false;
  }

}
why-2.34/lib/javacard_api/javacard/framework/APDU.java0000644000175000017500000011232712311670312021141 0ustar  rtusers/*
* $Workfile: APDU.java $	$Revision: 1.5 $, $Date: 2009-11-25 16:25:22 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: APDU.java $
// $Revision: 1.5 $
// $Date: 2009-11-25 16:25:22 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/APDU.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

import com.sun.javacard.impl.PrivAccess;
import com.sun.javacard.impl.PackedBoolean;
import com.sun.javacard.impl.NativeMethods;
import com.sun.javacard.impl.Constants;

/**
 * Application Protocol Data Unit (APDU) is
 * the communication format between the card and the off-card applications.
 * The format of the APDU is defined in ISO specification 7816-4.

 *
 * This class only supports messages which conform to the structure of
 * command and response defined in ISO 7816-4. The behavior of messages which
 * use proprietary structure of messages ( for example with header CLA byte in range 0xD0-0xFE ) is
 * undefined. This class does not support extended length fields.

 *
 * The APDU object is owned by the JCRE. The APDU class maintains a byte array
 * buffer which is used to transfer incoming APDU header and data bytes as well as outgoing data.
 * The buffer length must be at least 37 bytes ( 5 bytes of header and 32 bytes of data ).
 * The JCRE must zero out the APDU buffer before each new message received from the CAD.

 *
 * The JCRE designates the APDU object as a temporary JCRE Entry Point Object
 * (See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details).
 * A temporary JCRE Entry Point Object can be accessed from any applet context. References
 * to these temporary objects cannot be stored in class variables or instance variables
 * or array components.
 * 
The JCRE similarly marks the APDU buffer as a global array
 * (See Java Card Runtime Environment (JCRE) Specification, section 6.2.2 for details).
 * A global array
 * can be accessed from any applet context. References to global arrays
 * cannot be stored in class variables or instance variables or array components.
 * 

 *
 * The applet receives the APDU instance to process from
 * the JCRE in the Applet.process(APDU) method, and
 * the first five bytes [ CLA, INS, P1, P2, P3 ] are available
 * in the APDU buffer.

 *
 * The APDU class API is designed to be transport protocol independent.
 * In other words, applets can use the same APDU methods regardless of whether
 * the underlying protocol in use is T=0 or T=1 (as defined in ISO 7816-3).

 * The incoming APDU data size may be bigger than the APDU buffer size and may therefore
 * need to be read in portions by the applet. Similarly, the
 * outgoing response APDU data size may be bigger than the APDU buffer size and may
 * need to be written in portions by the applet. The APDU class has methods
 * to facilitate this.

 *
 * For sending large byte arrays as response data,
 * the APDU class provides a special method sendBytesLong() which
 * manages the APDU buffer.

 *
 * 
 * // The purpose of this example is to show most of the methods
 * // in use and not to depict any particular APDU processing
 *
 *public void process(APDU apdu){
 *  // ...
 *  byte[] buffer = apdu.getBuffer();
 *  byte cla = buffer[ISO7816.OFFSET_CLA];
 *  byte ins = buffer[ISO7816.OFFSET_INS];
 *  ...
 *  // assume this command has incoming data
 *  // Lc tells us the incoming apdu command length
 *  short bytesLeft = (short) (buffer[ISO7816.OFFSET_LC] & 0x00FF);
 *  if (bytesLeft < (short)55) ISOException.throwIt( ISO7816.SW_WRONG_LENGTH );
 *
 *  short readCount = apdu.setIncomingAndReceive();
 *  while ( bytesLeft > 0){
 *      // process bytes in buffer[5] to buffer[readCount+4];
 *      bytesLeft -= readCount;
 *      readCount = apdu.receiveBytes ( ISO7816.OFFSET_CDATA );
 *      }
 *  //
 *  //...
 *  //
 *  // Note that for a short response as in the case illustrated here
 *  // the three APDU method calls shown : setOutgoing(),setOutgoingLength() & sendBytes()
 *  // could be replaced by one APDU method call : setOutgoingAndSend().
 *
 *  // construct the reply APDU
 *  short le = apdu.setOutgoing();
 *  if (le < (short)2) ISOException.throwIt( ISO7816.SW_WRONG_LENGTH );
 *  apdu.setOutgoingLength( (short)3 );
 *
 *  // build response data in apdu.buffer[ 0.. outCount-1 ];
 *  buffer[0] = (byte)1; buffer[1] = (byte)2; buffer[3] = (byte)3;
 *  apdu.sendBytes ( (short)0 , (short)3 );
 *  // return good complete status 90 00
 *  }
 * 

 * @see APDUException
 * @see ISOException
 */

public final class APDU{

  // This APDU class implements the T=0 transport protocol.

  private static final short BUFFERSIZE = Constants.APDU_BUFFER_LENGTH;
  private static final byte IFSC = 1;//information field size for ICC i.e Maximum Incoming BlockSize in T=1
  private static final short IFSD = 258;//information field size for IFD i.e Maximum Outgoing BlockSize in T=1

  private static APDU theAPDU;
  /**
   * The APDU will use the buffer byte[]
   * to store data for input and output.
   */
    private /* spec_public @*/ byte[] buffer;

    // Nicolas (for SCID.java)
    //@ invariant buffer_inv: buffer.length >= 37;

    // Added by Xavier
    /*  invariant 
      @   (buffer.length > 36) 
      @   && 
      @   (\forall short i; 0 <= i && i < buffer.length ; 
      @     -128 <= buffer[i] && buffer[i] <= 127);
      @*/


  private static byte[] ramVars;
  private static final byte LE  = (byte) 0;
  private static final byte LR  = (byte)(LE+1);
  private static final byte LC  = (byte)(LR+1);
  private static final byte PRE_READ_LENGTH = (byte)(LC+1);
  private static final byte RAM_VARS_LENGTH = (byte) (PRE_READ_LENGTH+1);

  // status code constants
  private static final short BUFFER_OVERFLOW = (short) 0xC001;
  private static final short READ_ERROR = (short) 0xC003;
  private static final short WRITE_ERROR = (short) 0xC004;
  private static final short INVALID_GET_RESPONSE = (short) 0xC006;

  // procedure byte type constants
  private static final byte ACK_NONE = (byte) 0;
  private static final byte ACK_INS = (byte)1;
  private static final byte ACK_NOT_INS = (byte)2;

  // Le = terminal expected length
  private short getLe() {
    if ( ramVars[LE]==(byte)0 ) return (short) 256;
    else return (short)(ramVars[LE] & 0xFF);
    }
  private void setLe( byte data ) { ramVars[LE] = data; }

  // Lr = our response length
  private short getLr() {
    if (getLrIs256Flag()) return 256;
    else return (short)(ramVars[LR] & 0xFF);
    }
  private void setLr( byte data ) { ramVars[LR] = data; }

  // Lc = terminal incoming length
  private byte getLc() { return ramVars[LC]; }
  private void setLc( byte data ) { ramVars[LC] = data; }

  // PreReadLength = length already received via setIncommingAndReceive(). Used for undo operation.
  private byte getPreReadLength() { return ramVars[PRE_READ_LENGTH]; }
  private void setPreReadLength( byte data ) { ramVars[PRE_READ_LENGTH] = data; }

  private PackedBoolean thePackedBoolean;
  private byte incomingFlag, outgoingFlag, outgoingLenSetFlag,
               lrIs256Flag, sendInProgressFlag, noChainingFlag, noGetResponseFlag;

  // IncomingFlag = setIncoming() has been invoked.
  private boolean getIncomingFlag() { return thePackedBoolean.get( incomingFlag ); }
  private void setIncomingFlag() { thePackedBoolean.set( incomingFlag ); }
  private void resetIncomingFlag() { thePackedBoolean.reset( incomingFlag ); }

  // SendInProgressFlag = No procedure byte needs to be sent.
  private boolean getSendInProgressFlag() { return thePackedBoolean.get( sendInProgressFlag ); }
  private void setSendInProgressFlag() { thePackedBoolean.set( sendInProgressFlag );}
  private void resetSendInProgressFlag() { thePackedBoolean.reset( sendInProgressFlag ); }

  // OutgoingFlag = setOutgoing() has been invoked.
  private boolean getOutgoingFlag() { return thePackedBoolean.get( outgoingFlag ); }
  private void setOutgoingFlag() { thePackedBoolean.set( outgoingFlag ); }
  private void resetOutgoingFlag() { thePackedBoolean.reset( outgoingFlag ); }

  // OutgoingLenSetFlag = setOutgoingLen() has been invoked.
  private boolean getOutgoingLenSetFlag() { return thePackedBoolean.get( outgoingLenSetFlag ); }
  private void setOutgoingLenSetFlag() { thePackedBoolean.set( outgoingLenSetFlag ); }
  private void resetOutgoingLenSetFlag() { thePackedBoolean.reset( outgoingLenSetFlag ); }

  // LrIs256Flag = Lr is not 0. It is actually 256. Saves 1 byte of RAM.
  private boolean getLrIs256Flag() { return thePackedBoolean.get( lrIs256Flag ); }
  private void setLrIs256Flag() { thePackedBoolean.set( lrIs256Flag ); }
  private void resetLrIs256Flag() { thePackedBoolean.reset( lrIs256Flag ); }

  // noChainingFlag = do not use <61,xx> chaining for outbound data transfer.
  // Note that the "get" method is package visible. This ensures that it is
  // entered via an "invokevirtual" instruction and not an "invokestatic"
  // instruction thereby ensuring a context switch
  boolean getNoChainingFlag() { return thePackedBoolean.get( noChainingFlag ); }
  private void setNoChainingFlag() { thePackedBoolean.set( noChainingFlag ); }
  private void resetNoChainingFlag() { thePackedBoolean.reset( noChainingFlag ); }

  // noGetResponseFlag = GET RESPONSE command was not received from CAD.
  private boolean getNoGetResponseFlag() { return thePackedBoolean.get( noGetResponseFlag ); }
  private void setNoGetResponseFlag() { thePackedBoolean.set( noGetResponseFlag ); }
  private void resetNoGetResponseFlag() { thePackedBoolean.reset( noGetResponseFlag ); }

  /**
   * Only JCRE should create an APDU.
   * 

   * @no params
   */
  APDU(){

    /*
    buffer = JCSystem.makeTransientByteArray(BUFFERSIZE, JCSystem.CLEAR_ON_RESET);
    */
    buffer = NativeMethods.t0InitAPDUBuffer();
    ramVars = JCSystem.makeTransientByteArray(RAM_VARS_LENGTH, JCSystem.CLEAR_ON_RESET);

    thePackedBoolean = PrivAccess.getPackedBoolean();
    incomingFlag = thePackedBoolean.allocate();
    sendInProgressFlag = thePackedBoolean.allocate();
    outgoingFlag = thePackedBoolean.allocate();
    outgoingLenSetFlag = thePackedBoolean.allocate();
    lrIs256Flag = thePackedBoolean.allocate();
    noChainingFlag = thePackedBoolean.allocate();
    noGetResponseFlag = thePackedBoolean.allocate();
    theAPDU = this;
  }

    /**
     * Returns the APDU buffer byte array.
     * 
Notes:
    
     * 
  • References to the APDU buffer byte array
     * cannot be stored in class variables or instance variables or array components.
     * See Java Card Runtime Environment (JCRE) Specification, section 6.2.2 for details.
     * 

     * @return byte array containing the APDU buffer
     */
    
    /*@ behavior normal:
      @   ensures \result == buffer; 
      @*/
    
    public byte[] getBuffer() {
	return buffer;
    }

 /**
   * Returns the configured incoming block size. 
   * In T=1 protocol, this corresponds to IFSC (information field size for ICC),
   * the maximum size of incoming data blocks into the card.  In T=0 protocol,
   * this method returns 1.
   * IFSC is defined in ISO 7816-3.

   * This information may be used to ensure that there is enough space remaining in the
   * APDU buffer when receiveBytes() is invoked.
   * 
Notes:
    
   * 
  • On receiveBytes() the bOff param
   * should account for this potential blocksize.
   * 

   * @return incoming block size setting.
   * @see #receiveBytes(short)
   */
  public static short getInBlockSize() {
    return IFSC;
    }

  /**
   * Returns the configured outgoing block size. 
   * In T=1 protocol, this corresponds to IFSD (information field size for interface device),
   * the maximum size of outgoing data blocks to the CAD. 
   * In T=0 protocol, this method returns 258 (accounts for 2 status bytes).
   * IFSD is defined in ISO 7816-3.
   * 
This information may be used prior to invoking the setOutgoingLength() method,
   * to limit the length of outgoing messages when BLOCK CHAINING is not allowed.
   * 
Notes:
    
   * 
  • On setOutgoingLength() the len param
   * should account for this potential blocksize.
   * 

   * @return outgoing block size setting.
   * @see #setOutgoingLength(short)
   */
  public static short getOutBlockSize() {
    return IFSD;
    }

 /**
   * ISO 7816 transport protocol type T=0
   */
  public static final byte PROTOCOL_T0   = 0;

 /**
   * ISO 7816 transport protocol type T=1
   */
  public static final byte PROTOCOL_T1   = 1;

 /**
   * Returns the ISO 7816 transport protocol type, T=1 or T=0 in progress.
   * @return the protocol type in progress.
   * One of PROTOCOL_T0, PROTOCOL_T1 listed above.
   */
  public static byte getProtocol() {
    return (byte) PROTOCOL_T0;
    }

 /**
   * In T=1 protocol, this method returns the Node Address byte, NAD. 
   * In T=0 protocol, this method returns 0.
   * This may be used as additional information to maintain multiple contexts.
   * @return NAD transport byte as defined in ISO 7816-3.
   */
  public byte getNAD() {
    return (byte) 0;
    }

  /**
   * This method is used to set the data transfer direction to
   * outbound and to obtain the expected length of response (Le).
   * 
Notes. 
  • Any remaining incoming data will be discarded.
   * 
  • In T=0 (Case 4) protocol, this method will return 256.
   * 

   * @return Le, the expected length of response.
   * @exception APDUException with the following reason codes:
    
   * 
  • APDUException.ILLEGAL_USE if this method or setOutgoingNoChaining() method already invoked.
   * 
  • APDUException.IO_ERROR on I/O error.

   */
  public short setOutgoing() throws APDUException {
    // if we've previously called this method, then throw an exception
    if ( getOutgoingFlag() )  APDUException.throwIt( APDUException.ILLEGAL_USE );
    setOutgoingFlag();
    return getLe();
    }

 /**
   * This method is used to set the data transfer direction to
   * outbound without using BLOCK CHAINING(See ISO 7816-3/4) and to obtain the expected length of response (Le).
   * This method should be used in place of the setOutgoing() method by applets which need
   * to be compatible with legacy CAD/terminals which do not support ISO 7816-3/4 defined block chaining.
   * See Java Card Runtime Environment (JCRE) Specification, section 8.4 for details.
   * 
Notes. 
    
   * 
  • Any remaining incoming data will be discarded.
   * 
  • In T=0 (Case 4) protocol, this method will return 256.
   * 
  • When this method is used, the waitExtension() method cannot be used.
   * 
  • In T=1 protocol, retransmission on error may be restricted.
   * 
  • In T=0 protocol, the outbound transfer must be performed
   * without using  response status chaining.
   * 
  • In T=1 protocol, the outbound transfer must not set the More(M) Bit in the PCB of the I block. See ISO 7816-3.
   * 

   * @return Le, the expected length of response data.
   * @exception APDUException with the following reason codes:
    
   * 
  • APDUException.ILLEGAL_USE if this method or setOutgoing() method already invoked.
   * 
  • APDUException.IO_ERROR on I/O error.

   */
  public short setOutgoingNoChaining() throws APDUException {
    // if we've previously called this method, then throw an exception
    if ( getOutgoingFlag() )  APDUException.throwIt( APDUException.ILLEGAL_USE );
    setOutgoingFlag();
    setNoChainingFlag();
    return getLe();
    }

/**
   * Sets the actual length of response data. Default is 0.
   * 
Note:
    
   * 
  • In T=0 (Case 2&4) protocol, the length is used by the JCRE to prompt the CAD for GET RESPONSE commands.
   * 

   * @param len the length of response data.
   * @exception APDUException with the following reason codes:
    
   * 
  • APDUException.ILLEGAL_USE if setOutgoing() not called or this method already invoked.
   * 
  • APDUException.BAD_LENGTH if len is greater than 256 or
   * if non BLOCK CHAINED data transfer is requested and len is greater than
   * (IFSD-2), where IFSD is the Outgoing Block Size. The -2 accounts for the status bytes in T=1.
   * 
  • APDUException.IO_ERROR on I/O error.

   * @see #getOutBlockSize()
   */
  public void setOutgoingLength(short len) throws APDUException{
    if ( !getOutgoingFlag() )  APDUException.throwIt(APDUException.ILLEGAL_USE);
    // if we've previously called this method, then throw an exception
    if ( getOutgoingLenSetFlag() )  APDUException.throwIt( APDUException.ILLEGAL_USE );
    if ( len>256 || len<0 )  APDUException.throwIt(APDUException.BAD_LENGTH);
    setOutgoingLenSetFlag();
    setLr((byte)len);
    if ( len==256 ) setLrIs256Flag();
    }

 /**
   * Indicates that this command has incoming data.
   * 
Note.
    
   * 
  • In T=0 ( Case 3&4 ) protocol, the P3 param is assumed to be Lc.

   * @exception APDUException with the following reason codes:
    
   * 
  • APDUException.ILLEGAL_USE if this method already invoked or
   * if setOutgoing() or setOutgoingNoChaining() previously invoked.
   * 
  • APDUException.IO_ERROR on I/O error.

   */
  private void setIncoming() throws APDUException{
    // if JCRE has undone a previous setIncomingAndReceive ignore
    if ( getPreReadLength() != 0 ) return;
    // if we've previously called this or setOutgoing() method, then throw an exception
    if ( getIncomingFlag() || getOutgoingFlag() ) APDUException.throwIt( APDUException.ILLEGAL_USE );
    setIncomingFlag(); // indicate that this method has been called
	byte Lc = (byte) getLe(); // what we stored in Le was really Lc
	setLc( Lc );
	setLe((byte)0);    // in T=1, the real Le is now unknown (assume 256)
	}

  /**
   * Gets as many data bytes as will fit without APDU buffer overflow,
   * at the specified offset bOff.  Gets all the remaining bytes if they fit.
   * 
Notes:
    
   * 
  • The space in the buffer must allow for incoming block size.
   * 
  • In T=1 protocol, if all the remaining bytes do not fit in the buffer, this method may
   * return less bytes than the maximum incoming block size (IFSC).
   * 
  • In T=0 protocol, if all the remaining bytes do not fit in the buffer, this method may
   * return less than a full buffer of bytes to optimize and reduce protocol overhead.
   * 
  • In T=1 protocol, if this method throws an APDUException
   * with T1_IFD_ABORT reason code, the JCRE will restart APDU command processing using the newly
   * received command. No more input data can be received.
   * No output data can be transmitted. No error status response can be returned.
   * 

   * @param bOff the offset into APDU buffer.
   * @return number of bytes read. Returns 0 if no bytes are available.
   * @exception APDUException with the following reason codes:
    
   * 
  • APDUException.ILLEGAL_USE if setIncomingAndReceive() not called or
   * if setOutgoing() or setOutgoingNoChaining() previously invoked.
   * 
  • APDUException.BUFFER_BOUNDS if not enough buffer space for incoming block size.
   * 
  • APDUException.IO_ERROR on I/O error.
   * 
  • APDUException.T1_IFD_ABORT if T=1 protocol is in use and the CAD sends
   * in an ABORT S-Block command to abort the data transfer.
   * 

   * @see #getInBlockSize()
   */
  public short receiveBytes(short bOff) throws APDUException {
    if ( !getIncomingFlag() || getOutgoingFlag() ) APDUException.throwIt( APDUException.ILLEGAL_USE );
    short Lc = (short)(getLc()&0xFF);
    // T=1 check bOff against blocksize and Lc.
    if ( (bOff<0) || ((Lc>=IFSC) && (((short)(bOff+IFSC))>=BUFFERSIZE)) ) APDUException.throwIt ( APDUException.BUFFER_BOUNDS);

    short pre =  (short)( getPreReadLength() & 0x00FF ) ;
    if ( pre != 0 ){
        setPreReadLength( (byte) 0 );
        return pre;
        }

    if ( Lc!=0 ){
        short len = NativeMethods.t0RcvData( bOff );
        if (len<0) APDUException.throwIt( APDUException.IO_ERROR );
        setLc((byte)(Lc - len));   // update RAM copy of Lc, the count remaining
        return len;
        }
    return (short)0;
    }

 /**
   * This is the primary receive method.
   * Calling this method indicates that this APDU has incoming data. This method gets as many bytes
   * as will fit without buffer overflow in the APDU buffer following the header. 
   * It gets all the incoming bytes if they fit.
   * 
Notes:
    
   * 
  • In T=0 ( Case 3&4 ) protocol, the P3 param is assumed to be Lc.
   * 
  • Data is read into the buffer at offset 5.
   * 
  • In T=1 protocol, if all the incoming bytes do not fit in the buffer, this method may
   * return less bytes than the maximum incoming block size (IFSC).
   * 
  • In T=0 protocol, if all the incoming bytes do not fit in the buffer, this method may
   * return less than a full buffer of bytes to optimize and reduce protocol overhead.
   * 
  • This method sets the transfer direction to be inbound
   * and calls receiveBytes(5).
   * 
  • This method may only be called once in a Applet.process() method.
   * 

   * @return number of bytes read. Returns 0 if no bytes are available.
   * @exception APDUException with the following reason codes:
    
   * 
  • APDUException.ILLEGAL_USE if setIncomingAndReceive() already invoked or
   * if setOutgoing() or setOutgoingNoChaining() previously invoked.
   * 
  • APDUException.IO_ERROR on I/O error.
   * 
  • APDUException.T1_IFD_ABORT if T=1 protocol is in use and the CAD sends
   * in an ABORT S-Block command to abort the data transfer.
   * 

   */
  public short setIncomingAndReceive() throws APDUException {
    setIncoming();
    return receiveBytes( (short) 5 );
    }

  /**
   * Send 61  status bytes to CAD and
   * process resulting GET RESPONSE command in the ramVars buffer.
   * **NOTE** : This method overwrites ramVars[0..4]. **
   * @param len the length to prompt CAD with. ( 0
   * 
  • APDUException.NO_T0_GETRESPONSE if GET RESPONSE command not received.
   * 
   */
  private short send61xx( short len ) {

    short expLen = len;
    do {
        NativeMethods.t0SetStatus ( (short)(ISO7816.SW_BYTES_REMAINING_00+(len&0xFF)) );
        short newLen = NativeMethods.t0SndGetResponse();
        if ( newLen == INVALID_GET_RESPONSE ) { // Get Response not received
            setNoGetResponseFlag();
            APDUException.throwIt(APDUException.NO_T0_GETRESPONSE);
            }
        else if ( newLen > 0 ) {
            ramVars[LE] = (byte) newLen;
            expLen = getLe();
            }
        else APDUException.throwIt( APDUException.IO_ERROR );
        }
        while ( expLen>len );

    resetSendInProgressFlag();
    return expLen;
    }

 /**
   * Sends len more bytes from APDU buffer at specified offset bOff.
   * 
    If the last part of the response is being sent by the invocation
   * of this method, the APDU buffer must not be altered. If the data is altered, incorrect output may be sent to
   * the CAD.
   * Requiring that the buffer not be altered allows the implementation to reduce protocol overhead
   * by transmitting the last part of the response along with the status bytes.
   * 
    Notes:
      
   * 
    • If setOutgoingNoChaining() was invoked, output block chaining must not be used.
   * 
    • In T=0 protocol, if setOutgoingNoChaining() was invoked, Le bytes must be transmitted
   * before  response status is returned.
   * 
    • In T=0 protocol, if this method throws an APDUException
   * with NO_T0_GETRESPONSE reason code, the JCRE will restart APDU command processing using the newly
   * received command. No more output data can be transmitted. No error status response can be returned.
   * 
    • In T=1 protocol, if this method throws an APDUException
   * with T1_IFD_ABORT reason code, the JCRE will restart APDU command processing using the newly
   * received command. No more output data can be transmitted. No error status response can be returned.
   * 
    
   * @param bOff the offset into APDU buffer.
   * @param len the length of the data in bytes to send.
   * @exception APDUException with the following reason codes:
      
   * 
    • APDUException.ILLEGAL_USE if setOutgoingLen() not called
   * or setOutgoingAndSend() previously invoked
   * or response byte count exceeded or if APDUException.NO_T0_GETRESPONSE previously thrown.
   * 
    • APDUException.BUFFER_BOUNDS if the sum of bOff and len exceeds the buffer size.
   * 
    • APDUException.IO_ERROR on I/O error.
   * 
    • APDUException.NO_T0_GETRESPONSE if T=0 protocol is in use and
   * the CAD does not respond to  response status
   * with GET RESPONSE command.
   * 
    • APDUException.T1_IFD_ABORT if T=1 protocol is in use and the CAD sends
   * in an ABORT S-Block command to abort the data transfer.
   * 
    
   * @see #setOutgoing()
   * @see #setOutgoingNoChaining()
   */
  public void sendBytes(short bOff, short len) throws APDUException {

    short result;
    if ( (bOff<0) || (len<0) || ((short)((bOff+len))>BUFFERSIZE) ) APDUException.throwIt( APDUException.BUFFER_BOUNDS );
    if ( !getOutgoingLenSetFlag() || getNoGetResponseFlag() )  APDUException.throwIt( APDUException.ILLEGAL_USE );
    if (len==0) return;
    short Lr = getLr();
    if (len>Lr) APDUException.throwIt( APDUException.ILLEGAL_USE );

    short Le = getLe();

    if ( getNoChainingFlag() ) {

        // Need to force GET RESPONSE for
        // Case 4 or
        // Case 2 but sending less than CAD expects
        if ( getIncomingFlag() || (Lroutgoing switch.
            }

        while ( len > Le ) { //sending more than Le
            if ( !getSendInProgressFlag() ) {
                result = NativeMethods.t0SndData( buffer, bOff, Le, ACK_INS );
                setSendInProgressFlag();
                }
            else result = NativeMethods.t0SndData(  buffer, bOff, Le, ACK_NONE );

            if ( result != 0 ) APDUException.throwIt( APDUException.IO_ERROR );

            bOff+=Le;
            len-=Le;
            Lr-=Le;
            Le = send61xx( Lr); // resets sendInProgressFlag.
            }

        if ( !getSendInProgressFlag() ) {
            result = NativeMethods.t0SndData( buffer, bOff, len, ACK_INS );
            setSendInProgressFlag();
            }

        else result = NativeMethods.t0SndData( buffer, bOff, len, ACK_NONE );

        if ( result != 0 ) APDUException.throwIt( APDUException.IO_ERROR );
        Lr-=len;
        Le-=len;
        }
    else { // noChainingFlag = FALSE
        while (len>0) {
            short temp=len;
            // Need to force GET RESPONSE for Case 4  & for partial blocks
            if ( (len!=Lr) || getIncomingFlag() || (Lr!=Le) || getSendInProgressFlag() ){
                temp = send61xx( len ); // resets sendInProgressFlag.
                resetIncomingFlag(); // no more incoming->outgoing switch.
                }
            result = NativeMethods.t0SndData( buffer, bOff, temp, ACK_INS );
            setSendInProgressFlag();

            if ( result != 0 ) APDUException.throwIt( APDUException.IO_ERROR );
            bOff+=temp;
            len-=temp;
            Lr-=temp;
            Le=Lr;
            }
        }

    setLe((byte)Le);   // update RAM copy of Le, the expected count remaining
    setLr((byte)Lr);   // update RAM copy of Lr, the response count remaining
    }

 /**
   * Sends len more bytes from outData byte array starting at specified offset
   * bOff. 
    If the last of the response is being sent by the invocation
   * of this method, the APDU buffer must not be altered. If the data is altered, incorrect output may be sent to
   * the CAD.
   * Requiring that the buffer not be altered allows the implementation to reduce protocol overhead
   * by transmitting the last part of the response along with the status bytes.
   * 
    The JCRE may use the APDU buffer to send data to the CAD.
   * 
    Notes:
      
   * 
    • If setOutgoingNoChaining() was invoked, output block chaining must not be used.
   * 
    • In T=0 protocol, if setOutgoingNoChaining() was invoked, Le bytes must be transmitted
   * before  response status is returned.
   * 
    • In T=0 protocol, if this method throws an APDUException with NO_T0_GETRESPONSE reason code,
   * the JCRE will restart APDU command processing using the newly received command. No more output
   * data can be transmitted. No error status response can be returned.
   * 
    • In T=1 protocol, if this method throws an APDUException
   * with T1_IFD_ABORT reason code, the JCRE will restart APDU command processing using the newly
   * received command. No more output data can be transmitted. No error status response can be returned.
   * 
    
   * 
    
   * @param outData the source data byte array.
   * @param bOff the offset into OutData array.
   * @param len the bytelength of the data to send.
   * @exception SecurityException if the outData byte array is not accessible in the caller's context.
   * @exception APDUException with the following reason codes:
      
   * 
    • APDUException.ILLEGAL_USE if setOutgoingLen() not called
   * or setOutgoingAndSend() previously invoked
   * or response byte count exceeded or if APDUException.NO_T0_GETRESPONSE previously thrown.
   * 
    • APDUException.IO_ERROR on I/O error.
   * 
    • APDUException.NO_T0_GETRESPONSE if T=0 protocol is in use and
   * CAD does not respond to  response status
   * with GET RESPONSE command.
   * 
    • APDUException.T1_IFD_ABORT if T=1 protocol is in use and the CAD sends
   * in an ABORT S-Block command to abort the data transfer.
   * 
    
   * @see #setOutgoing()
   * @see #setOutgoingNoChaining()
   */
  public void sendBytesLong(byte[] outData, short bOff, short len) throws APDUException
  {
    short sendLength = (short)buffer.length;
    while ( len>0 ) {
        if ( lensetOutgoing(), setOutgoingLength( len ) followed by
   * sendBytes ( bOff, len ). In addition, once this method is invoked, sendBytes() and
   * sendBytesLong() methods cannot be invoked and the APDU buffer must not be altered.
    
   * Sends len byte response from the APDU buffer at starting specified offset bOff.
   * 
    Notes:
      
   * 
    • No other APDU send methods can be invoked.
   * 
    • The APDU buffer must not be altered. If the data is altered, incorrect output may be sent to
   * the CAD.
   * 
    • The actual data transmission may only take place on return from Applet.process()
   * 
    
   * 
    
   * @param bOff the offset into APDU buffer.
   * @param len the bytelength of the data to send.
   * @exception APDUException with the following reason codes:
      
   * 
    • APDUException.ILLEGAL_USE if setOutgoing()
   * or setOutgoingAndSend() previously invoked
   * or response byte count exceeded.
   * 
    • APDUException.IO_ERROR on I/O error.
    
   */
   public void setOutgoingAndSend( short bOff, short len) throws APDUException {
    setOutgoing();
    setOutgoingLength(len);
    sendBytes( bOff, len );
    }


  void resetAPDU() {
    // as described earlier, we assume case 1 or 2, so Le=P3 and Lc=0
	setLe( buffer[ISO7816.OFFSET_LC] );
	setLc( (byte)0 );

	// save Lr=0, reset flags
	setLr((byte)0);
	resetIncomingFlag();
	resetOutgoingFlag();
	resetOutgoingLenSetFlag();
    resetSendInProgressFlag();
    resetLrIs256Flag();
    resetNoChainingFlag();
    resetNoGetResponseFlag();
    setPreReadLength( (byte)0 );
    }

  /**
   * Only JCRE should call this method. 
    
   * Sends 0s for any remaining data to be sent based on the
   * promised responseLength (default=0/Le) and status bytes to complete this APDUs
   * response and initiates new APDU exchange.
   * @param status the ISO R-Apdu status bytes sw1 and sw2 response
   * @exception APDUException with the following reason codes:
      
   * 
    • APDUException.IO_ERROR on I/O error.
    
   */
  void complete(short status) throws APDUException{

    short result;

    // Zero out APDU buffer
    Util.arrayFillNonAtomic( buffer, (short)0, BUFFERSIZE, (byte)0 );

    if ( ( !getNoGetResponseFlag() ) && ( getSendInProgressFlag() ) ) {
        short Le = (byte)getLe();
        short sendLen = (short)32;
        while ( Le > 0 ) {
            if (Le<32) sendLen=Le;
            result = NativeMethods.t0SndData( buffer, (byte) 0, sendLen, ACK_NONE );
            if ( result != 0 ) APDUException.throwIt( APDUException.IO_ERROR );
            Le-=sendLen;
            }
        }

    buffer[0] = (byte) ( status >> 8);
    buffer[1] = (byte) status;

    if (status==0) result = NativeMethods.t0RcvCommand();
    else {
        NativeMethods.t0SetStatus ( status );
        result = NativeMethods.t0SndStatusRcvCommand();
    }

    if ( result != 0 ) APDUException.throwIt( APDUException.IO_ERROR );

    resetAPDU();
    }

  /**
   * Only JCRE should call this method. 
    
   * This method puts the externally visible state of the apdu back as if
   * the setIncomingAndReceive has not yet been invoked. It needs to
   * ensure, though that no real I/O is performed when setIncomingAndReceive is
   * invoked next. This method must only be called it setIncomingAndReceive has
   * been invoked by the JCRE. This method must not be invoked however, if receiveBytes
   * has also been invoked.
   */
  void undoIncomingAndReceive() {
    setPreReadLength( (byte)(buffer[ISO7816.OFFSET_LC] - getLc()) );
    }

  /**
   * Requests additional processing time from CAD. The implementation should ensure that this method
   * needs to be invoked only under unusual conditions requiring excessive processing times.
   * 
    Notes:
      
   * 
    • In T=0 protocol, a NULL procedure byte is sent to reset the work waiting time (see ISO 7816-3).
   * 
    • In T=1 protocol, the implementation needs to request the same T=0 protocol work waiting time quantum
   * by sending a T=1 protocol request for wait time extension(see ISO 7816-3).
   * 
    • If the implementation uses an automatic timer mechanism instead, this method may do nothing.
   * 
    
   * 
    
   * @exception APDUException with the following reason codes:
      
   * 
    • APDUException.ILLEGAL_USE if setOutgoingNoChaining() previously invoked.
   * 
    • APDUException.IO_ERROR on I/O error.
    
   */
  public static void waitExtension() throws APDUException{

    if ( theAPDU.getNoChainingFlag() ) APDUException.throwIt( APDUException.ILLEGAL_USE );
    //send a procedure byte of 0x60 to request additional waiting time.
    short result = NativeMethods.t0Wait();
    if ( result != 0 ) APDUException.throwIt( APDUException.IO_ERROR );
    }
}

why-2.34/lib/javacard_api/javacard/framework/OwnerPIN.java0000644000175000017500000002654212311670312022054 0ustar  rtusers/*
* $Workfile: OwnerPIN.java $	$Revision: 1.2 $, $Date: 2007-09-26 15:15:36 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: OwnerPIN.java $
// $Revision: 1.2 $
// $Date: 2007-09-26 15:15:36 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/OwnerPIN.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * This class represents an Owner PIN. It implements Personal Identification Number 
 * functionality as defined in the PIN interface. It
 * provides the ability to update the PIN and thus owner functionality.
    
 * 
 * The implementation of this class must protect against attacks based on program
 * flow prediction.Even if a transaction is in progress, internal state
 * such as the try counter, the validated flag and the blocking state must not
 * be conditionally updated during PIN presentation.
    
 * 
 * If an implementation of this class creates transient arrays, it must ensure that they are
 * CLEAR_ON_RESET transient objects.
    
 * 
 * The protected methods getValidatedFlag and
 * setValidatedFlag allow a subclass
 * of this class to optimize the storage for the validated boolean state.
    
 *
 * Some methods of instances of this class are only suitable for sharing when there exists
 * a trust relationship among the applets. A typical shared usage would use
 * a proxy PIN interface which implements both the PIN interface and
 * the Shareable interface.
 * 
    Any of the methods of the OwnerPIN may be called with a transaction in  
 * progress. None of the methods of OwnerPIN class initiate or alter the state
 * of the transaction if one is in progress.
 * @see PINException
 * @see PIN
 * @see Shareable
 * @see JCSystem
 */
public class OwnerPIN implements PIN{


  /**
   * try limit, the maximum number of times an incorrect PIN can be
   * presented before the PIN is blocked. When the PIN is blocked, it
   * cannot be validated even on valid PIN presentation.
   */
    private /*  spec_public */ byte tryLimit;

  /**
   * max PIN size, the maximum length of PIN allowed
   */
  private byte maxPINSize;

  /**
   * PIN value
   */
    private byte[] pinValue;

  /**
   * the current size of PIN array.
   */
  private byte pinSize;

  /**
   * validated flag, true if a valid PIN has been presented. This flag is
   * reset on every card reset.
   */
    // @ invariant flags instanceof boolean[];
    private boolean[] flags; //default null

  private static final byte VALIDATED = (byte)0;
  private static final byte NUMFLAGS = (byte)(VALIDATED+1);
  
  /**
   * Create and initialize Flags array.
   */
  private void createFlags() {
    if (flags!=null) return;
    flags = JCSystem.makeTransientBooleanArray(NUMFLAGS, JCSystem.CLEAR_ON_RESET);
    setValidatedFlag(false);
    }

  /**
   * This protected method returns the validated flag.
   * This method is intended for subclass of this OwnerPIN to access or
   * override the internal PIN state of the OwnerPIN.
   * @return the boolean state of the PIN validated flag.
   */
    /* public normal_behavior
      @ensures \result == flags[VALIDATED];
      @*/
    protected /*  pure */ boolean getValidatedFlag() {
    createFlags();
    return flags[VALIDATED];
    }

  /**
   * This protected method sets the value of the validated flag.
   * This method is intended for subclass of this OwnerPIN to control or
   * override the internal PIN state of the OwnerPIN.
   * @param value the new value for the validated flag.
   */
    // Modified by Xavier (boolean value) -> (boolean v) to avoid name clashes.
  protected void setValidatedFlag(boolean v) {
    createFlags();
    flags[VALIDATED] = v;
    }
    
  /**
   * tries left, the remaining number of times an incorrect PIN
   * presentation is permitted. It is declared as an array so
   * that arrayCopyNonAtomic can be used during decrement.
   */
    private byte[] triesLeft;

  /**
   * tries : temporary byte. This byte is used while decrementing triesLeft field
   * in persistent space, to ensure unconditional update.
   */
    // @ invariant temps instanceof byte[];
    private byte[] temps; // default 0
    
  private static final byte TRIES = (byte)0;
  private static final byte NUMTEMPS = (byte)(TRIES+1);
  
  /**
   * Reset triesLeft field to tryLimit.
   */
  private void resetTriesRemaining() {
    triesLeft[0] = tryLimit;
  }
  
 /**
   * Decrement triesLeft field in persistent space by 1. Ensure that the update is
   * unconditional even if a transaction is in progress.
   */
  private void decrementTriesRemaining() {
    if (temps==null) temps = JCSystem.makeTransientByteArray(NUMTEMPS, JCSystem.CLEAR_ON_RESET);
    temps[TRIES] = (byte)(triesLeft[0]-1);
    Util.arrayCopyNonAtomic( temps, TRIES, triesLeft, (short)0, (short)1 );
  }
    
  /**
   * Constructor. Allocates a new PIN instance with validated flag
   * set to false.
   * @param tryLimit the maximum number of times an incorrect PIN can be presented. tryLimit must be >=1.
   * @param maxPINSize the maximum allowed PIN size. maxPINSize must be >=1.
   * @exception PINException with the following reason codes:
      
   * 
    • PINException.ILLEGAL_VALUE if tryLimit parameter is less than 1.
   * 
    • PINException.ILLEGAL_VALUE if maxPINSize parameter is less than 1.
    
   */
   
    /* invariant
      @triesLeft instanceof byte[] &&
      @pinValue instanceof byte[] ;
      @*/
  public OwnerPIN(byte tryLimit, byte maxPINSize) throws PINException{
        if ((tryLimit<1) || (maxPINSize<1)) PINException.throwIt( PINException.ILLEGAL_VALUE );
    pinValue = new byte[maxPINSize]; //default value 0
    this.pinSize = maxPINSize; //default
    this.maxPINSize = maxPINSize;
    this.tryLimit = tryLimit;
    triesLeft = new byte[1];
    resetTriesRemaining();
    }

  /**
   * Returns the number of times remaining that an incorrect PIN can
   * be presented before the PIN is blocked.
   *
   * @return the number of times remaining
   */
    /* public normal_behavior
      @modifiable \nothing;
      @ensures \result==triesLeft[0];
      @*/
    public /*  pure */ byte getTriesRemaining(){
    return triesLeft[0];
    }

  /**
   * Compares pin against the PIN value. If they match and the
   * PIN is not blocked, it sets the validated flag
   * and resets the try counter to its maximum. If it does not match,
   * it decrements the try counter and, if the counter has reached
   * zero, blocks the PIN. Even if a transaction is in progress, internal state
   * such as the try counter, the validated flag and the blocking state
   * must not be conditionally updated.
   * 
    
   * Notes:
      
   * 
    • If NullPointerException or ArrayIndexOutOfBoundsException is
   * thrown, the validated flag must be set to false, the try counter must be decremented
   * and, the PIN blocked if the counter reaches zero.
   * 
    • If offset or length parameter
   * is negative an ArrayIndexOutOfBoundsException exception is thrown.
   * 
    • If offset+length is greater than pin.length, the length
   * of the pin array, an ArrayIndexOutOfBoundsException exception is thrown.
   * 
    • If pin parameter is null
   * a NullPointerException exception is thrown.
    
   * @param pin the byte array containing the PIN value being checked
   * @param offset the starting offset in the pin array
   * @param length the length of pin.
   * @return true if the PIN value matches; false otherwise
   * @exception java.lang.ArrayIndexOutOfBoundsException
   * - if the check operation would cause access of data outside array bounds.
   * @exception java.lang.NullPointerException - if pin is null 
   */
  public boolean check(byte[] pin, short offset, byte length)
  throws ArrayIndexOutOfBoundsException, NullPointerException{
    setValidatedFlag(false);
    if ( getTriesRemaining() == 0 ) return false;
    decrementTriesRemaining();
    if (length!=pinSize) return false;
    if ( Util.arrayCompare( pin, offset, pinValue, (short)0, (short)length )==(byte)0 ) {
        setValidatedFlag(true);
        resetTriesRemaining();
        return true;
        }
    return false;
    }

  /**
   * Returns true if a valid PIN has been presented since the last
   * card reset or last call to reset().
   *
   * @return true if validated; false otherwise
   */
    /* public normal_behavior
      @ensures \result<==>getValidatedFlag();
      @*/
    public /*  pure */ boolean isValidated(){
    return getValidatedFlag();
    }

  /**
   * If the validated flag is set, this method resets it.
   * If the validated flag is not set, this method does nothing.
   */
  public void reset(){
    if (isValidated()) resetAndUnblock();
    }

  /**
   * This method sets a new value for the PIN and resets the PIN try
   * counter to the value of the PIN try limit. It also resets the validated flag.
    
   * This method copies the input pin parameter into an internal representation. If a transaction is
   * in progress, the new pin and try counter update must be conditional i.e
   * the copy operation must use the transaction facility. 
   * @param pin the byte array containing the new PIN value
   * @param offset the starting offset in the pin array
   * @param length the length of the new PIN.
   * @exception PINException with the following reason codes:
      
   * 
    • PINException.ILLEGAL_VALUE if length is greater than configured maximum PIN size.
    
   * @see javacard.framework.JCSystem#beginTransaction()
   */
  public void update(byte[] pin, short offset, byte length)
  throws PINException{
    if ( length>maxPINSize ) PINException.throwIt( PINException.ILLEGAL_VALUE );
    Util.arrayCopy( pin, offset, pinValue, (short)0, length );
    pinSize = length;
    resetTriesRemaining();
    setValidatedFlag(false);
	}

  /**
   * This method resets the validated flag and
   * resets the PIN try counter to the value of the PIN try limit.
   * This method is used by the owner to re-enable the blocked PIN.
   */
  public void resetAndUnblock()
    {
    resetTriesRemaining();
    setValidatedFlag(false);
	}
}
why-2.34/lib/javacard_api/javacard/framework/Shareable.java0000644000175000017500000000303512311670312022271 0ustar  rtusers/*
* $Workfile: Shareable.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Shareable.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/Shareable.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Mitch
// */

package javacard.framework;

/**
 * The Shareable interface serves to identify all shared objects.
 * Any object that needs to be shared through the applet firewall
 * must directly or indirectly implement this interface. Only those
 * methods specified in a shareable interface are available through
 * the firewall.
 *
 * Implementation classes can implement any number of shareable
 * interfaces and can extend other shareable implementation classes.
 */

public interface Shareable {}
why-2.34/lib/javacard_api/javacard/framework/PIN.java0000644000175000017500000001235612311670312021037 0ustar  rtusers/*
* $Workfile: PIN.java $	$Revision: 1.4 $, $Date: 2007-10-15 09:19:27 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: PIN.java $
// $Revision: 1.4 $
// $Date: 2007-10-15 09:19:27 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/PIN.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * This interface represents a PIN. An implementation must maintain these internal values:
 * 
      
 * 
    • PIN value
 * 
    • try limit, the maximum number of times an incorrect PIN can be
 *   presented before the PIN is blocked. When the PIN is blocked, it
 *   cannot be validated even on valid PIN presentation.
 * 
    • max PIN size, the maximum length of PIN allowed
 * 
    • try counter, the remaining number of times an incorrect PIN
 *   presentation is permitted before the PIN becomes blocked.
 * 
    • validated flag, true if a valid PIN has been presented. This flag is
 *   reset on every card reset.
 * 
    
 * This interface does not make any assumptions about where the data
 * for the PIN value comparison is stored.
    
 *
 * An owner implementation of this interface must provide a way to initialize/update
 * the PIN value.The owner implementation of the interface must protect against attacks based
 * on program flow prediction. Even if a transaction is in progress, internal state
 * such as the try counter, the validated flag and the blocking state must not be
 * conditionally updated during PIN presentation.
    
 *
 * A typical card global PIN usage will combine an instance of OwnerPIN class and a 
 * a Proxy PIN interface which implements both the PIN and the Shareable interfaces.
 * The OwnerPIN instance would be manipulated only by the owner who has update privilege.
 * All others would access the global PIN functionality via the proxy PIN interface.
 *
 * @see OwnerPIN
 * @see Shareable
 */
public interface PIN {

    /**
   * Returns the number of times remaining that an incorrect PIN can
   * be presented before the PIN is blocked.
   *
   * @return the number of times remaining
   */

   byte getTriesRemaining();

  /**
   * Compares pin against the PIN value. If they match and the
   * PIN is not blocked, it sets the validated flag
   * and resets the try counter to its maximum. If it does not match,
   * it decrements the try counter and, if the counter has reached
   * zero, blocks the PIN. Even if a transaction is in progress, internal state
   * such as the try counter, the validated flag and the blocking state
   * must not be conditionally updated.
   * 
    
   * Notes:
      
   * 
    • If NullPointerException or ArrayIndexOutOfBoundsException is
   * thrown, the validated flag must be set to false, the try counter must be decremented
   * and, the PIN blocked if the counter reaches zero.
   * 
    • If offset or length parameter
   * is negative an ArrayIndexOutOfBoundsException exception is thrown.
   * 
    • If offset+length is greater than pin.length, the length
   * of the pin array, an ArrayIndexOutOfBoundsException exception is thrown.
   * 
    • If pin parameter is null
   * a NullPointerException exception is thrown.
    
   * @param pin the byte array containing the PIN value being checked
   * @param offset the starting offset in the pin array
   * @param length the length of pin.
   * @return true if the PIN value matches; false otherwise
   * @exception java.lang.ArrayIndexOutOfBoundsException
   * - if the check operation would cause access of data outside array bounds.
   * @exception java.lang.NullPointerException - if pin is null 
   */

  public boolean check(byte[] pin, short offset, byte length)
      throws ArrayIndexOutOfBoundsException, NullPointerException;

  /**
   * Returns true if a valid PIN value has been presented since the last
   * card reset or last call to reset().
   *
   * @return true if validated; false otherwise
   */

   boolean isValidated();

  /**
   * If the validated flag is set, this method resets it.
   * If the validated flag is not set, this method does nothing.
   */

   void reset();
}
why-2.34/lib/javacard_api/javacard/framework/CardException.java0000644000175000017500000000613712311670312023141 0ustar  rtusers/*
* $Workfile: CardException.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: CardException.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/CardException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Zhiqun
// */

package javacard.framework;

/**
 * The CardException class
 * defines a field reason and two accessor methods 
 * getReason() and setReason(). The reason
 * field encapsulates exception cause identifier in Java Card.
 * All Java Card checked Exception classes should extend
 * CardException. This class also provides a resource-saving mechanism
 * (throwIt() method) for using a JCRE owned instance of this class.
 */

public class CardException extends Exception {

  // initialized when created by Dispatcher
  private static CardException systemInstance;

  // CardException reason code
  private short reason;

  /**
   * Construct a CardException instance with the specified reason.
   * To conserve on resources, use the throwIt() method
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception
   */
  public CardException(short reason){
    this.reason = reason;
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
  }

  /** Get reason code
   * @return the reason for the exception
   */
  public short getReason() {
    return reason;
  }

  /** Set reason code
   * @param reason the reason for the exception
   */
  public void setReason(short reason) {
    this.reason = reason;
  }


  /**
   * Throw the JCRE owned instance of CardException class with the
   * specified reason.
   * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception
   * @exception CardException always.
   */
  public static void throwIt(short reason) throws CardException{   
    systemInstance.setReason(reason);
    throw systemInstance;
  }
}
why-2.34/lib/javacard_api/javacard/framework/APDUException.java0000644000175000017500000001162312311670312023015 0ustar  rtusers/*
* $Workfile: APDUException.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: APDUException.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/APDUException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * APDUException represents an APDU related exception.
 * 
    The APDU class throws JCRE owned instances of APDUException.
 * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 * @see APDU
 */

public class APDUException extends CardRuntimeException{

  // initialized when created by Dispatcher
  private static APDUException systemInstance;

  // APDUException reason code 
 /**
  * This APDUException reason code indicates that the method should not be invoked 
  * based on the current state of the APDU. 
  */
  public static final short ILLEGAL_USE = 1;
  
 /**
  * This reason code is used by the APDU.sendBytes() method to indicate
  * that the sum of buffer offset parameter and the byte length parameter exceeds the APDU
  * buffer size.
  */
  public static final short BUFFER_BOUNDS = 2;
  
 /**
  * This reason code is used by the APDU.setOutgoingLength() method to indicate
  * that the length parameter is greater that 256 or
  * if non BLOCK CHAINED data transfer is requested and len is greater than
  * (IFSD-2), where IFSD is the Outgoing Block Size. 
  */
  public static final short BAD_LENGTH = 3;
  
 /**
  * This reason code indicates that an unrecoverable error occurred in the
  * I/O transmission layer.
  */
  public static final short IO_ERROR = 4;
  
 /**
  * This reason code indicates that during T=0 protocol, the CAD did not return a GET RESPONSE 
  * command in response to a <61xx> response status to send additional data. The outgoing
  * transfer has been aborted. No more data or status can be sent to the CAD 
  * in this APDU.process() method.
  */
  public static final short NO_T0_GETRESPONSE = 0xAA;
  
 /**
  * This reason code indicates that during T=1 protocol, the CAD returned an ABORT S-Block
  * command and aborted the data transfer. The incoming or outgoing
  * transfer has been aborted. No more data can be received from the CAD.
  * No more data or status can be sent to the CAD 
  * in this APDU.process() method.
  */
  public static final short T1_IFD_ABORT = 0xAB;

  private short[] theReason;

  /**
   * Constructs an APDUException.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception.
   */
  public APDUException(short reason) {
    super(reason);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this;
    theReason = JCSystem.makeTransientShortArray( (short)1, (byte)JCSystem.CLEAR_ON_RESET );
    theReason[0] = reason;
    }

  /**
   * Throws the JCRE owned instance of APDUException with the specified reason.
   * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception.
   * @exception APDUException always.
   */
  public static void throwIt(short reason){    
    systemInstance.setReason(reason);
    throw systemInstance;
  }
  
  /** Get reason code
   *  @return the reason for the exception
   */
  public short getReason() {
    return theReason[0];
  }

  /** Set reason code
   * @param reason the reason for the exception
   */
  public void setReason(short reason) {
    theReason[0] = reason;
  }
}
why-2.34/lib/javacard_api/javacard/framework/PINException.java0000644000175000017500000000574212311670312022717 0ustar  rtusers/*
* $Workfile: PINException.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: PINException.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/PINException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * PINException represents a OwnerPIN class access-related exception.
 * 
    The OwnerPIN class throws JCRE owned instances of PINException.
 * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 * @see OwnerPIN
 */

public class PINException extends CardRuntimeException{

  // initialized when created by Dispatcher
  private static PINException systemInstance;

  // PINException reason codes
 /**
  * This reason code is used to indicate that one or more input parameters
  * is out of allowed bounds.
  */
  public static final short ILLEGAL_VALUE = 1;

  /**
   * Constructs a PINException.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception.
   */
  public PINException(short reason) {
    super(reason);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
    }

  /**
   * Throws the JCRE owned instance of PINException with the specified reason.
   * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception.
   * @exception PINException always.
   */
  public static void throwIt (short reason){    
    systemInstance.setReason(reason);
    throw systemInstance;
  }
}
why-2.34/lib/javacard_api/javacard/framework/ISOException.java0000644000175000017500000001013612311670312022714 0ustar  rtusers/*
* $Workfile: ISOException.java $	$Revision: 1.2 $, $Date: 2007-09-26 15:15:36 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: ISOException.java $
// $Revision: 1.2 $
// $Date: 2007-09-26 15:15:36 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/ISOException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Zhiqun
// */

package javacard.framework;

/**
 * ISOException class encapsulates an ISO 7816-4 response status word as
 * its reason code.
 * 
    The APDU class throws JCRE owned instances of ISOException.
 * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 */

public class ISOException extends CardRuntimeException {

  // initialized when created by Dispatcher
    // if non static : 
    //   Modified by Xavier to bypass pb with static non final variables
    private /*  spec_public @*/ static ISOException systemInstance;
  
    private /*  spec_public @*/short[] theSw;

  // @ public model short _reason; 

  /**
   * Constructs an ISOException instance with the specified status word.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   * @param sw the ISO 7816-4 defined status word
   */
  public ISOException(short sw){
    super(sw);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this;
    theSw = JCSystem.makeTransientShortArray( (short)1, (byte)JCSystem.CLEAR_ON_RESET );
    theSw[0] = sw; 
  }

  /**
   * Throws the JCRE owned instance of the ISOException class with the specified status word.
   * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param sw ISO 7816-4 defined status word
   * @exception ISOException always.
   */
    
    /*  public exceptional_behavior
      @   requires true;
      @   modifiable systemInstance.theSw[0];
      @   signals (ISOException e) e.getReason() == sw 
      @     && e == systemInstance && e != null; 
      @
      @*/
    // modified by Xavier, cf. systemInstance
    // suppressed from signals :  && e == systemInstance; 
    public static void throwIt(short sw){
	// begin
	//	ISOException tmp = new ISOException(sw);
	//throw tmp.systemInstance;
	// end
	// the following is the original body
	systemInstance.setReason(sw);
	throw systemInstance;
  }
  
  /** Get reason code
   *  @return the reason for the exception
   */

  /*  public normal_behavior
    @    requires true;
    @  assignable \nothing;
    @     ensures \result == _reason ;
    @*/

  public /*  pure @*/ short getReason() {
    return theSw[0];
  }

  /** Set reason code
   * @param reason the reason for the exception
   */

  /*  public normal_behavior
    @    requires true;
    @  assignable _reason;
    @     ensures getReason() == sw;
    @*/
  public void setReason(short sw) {
    theSw[0] = sw;
  }
}






why-2.34/lib/javacard_api/javacard/framework/SystemException.java0000644000175000017500000001030712311670312023546 0ustar  rtusers/*
* $Workfile: SystemException.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: SystemException.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/SystemException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * SystemException represents a JCSystem class related exception.
 * It is also thrown by the javacard.framework.Applet.register() methods and by
 * the AID class constructor.
 * 
    These API classes throw JCRE owned instances of SystemException. 
 * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 * @see JCSystem
 * @see Applet
 * @see AID
 */

public class SystemException extends CardRuntimeException{

  // initialized when created by Dispatcher
  private static SystemException systemInstance;

   // SystemException reason code
 /**
  * This reason code is used to indicate that one or more input parameters
  * is out of allowed bounds.
  */
  public static final short ILLEGAL_VALUE = 1;
  
 /**
  * This reason code is used by the makeTransient..() methods 
  * to indicate that no room is available in volatile memory for the requested object.
  */
  public static final short NO_TRANSIENT_SPACE = 2;
  
 /**
  * This reason code is used to indicate that the request to create
  * a transient object is not allowed in the current applet context.
  * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details. 
  */
  public static final short ILLEGAL_TRANSIENT = 3;
  
 /**
  * This reason code is used by the javacard.framework.Applet.register() method
  * to indicate that the input AID parameter is not a legal AID value.
  */
  public static final short ILLEGAL_AID = 4;
 
 /**
  * This reason code is used to indicate that there is insufficient resource
  * in the Card for the request. 
  * 
    For example, the Java Card Virtual Machine may throw
  * this exception reason when there is insufficient heap space to create a new instance.
  */
  public static final short NO_RESOURCE = 5;

  /**
   * Constructs a SystemException.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   * @param reason the reason for the exception.
   */

  public SystemException(short reason) {
    super(reason);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
    }

  /**
   * Throws the JCRE owned instance of SystemException with the specified reason.
   * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @param reason the reason for the exception.
   * @exception SystemException always.
   */
  public static void throwIt(short reason){
    systemInstance.setReason(reason);
    throw systemInstance;
  }
}
why-2.34/lib/javacard_api/javacard/framework/ISO7816.java0000644000175000017500000001125312311670312021364 0ustar  rtusers/*
* $Workfile: ISO7816.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: ISO7816.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/ISO7816.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * ISO7816 encapsulates constants related to ISO 7816-3 and ISO 7816-4.
 * ISO7816 interface contains only static fields.
    
 * The static fields with SW_ prefixes define constants for the ISO 7816-4 defined response
 * status word. The fields which use the _00 suffix require the low order byte to be
 * customized appropriately e.g (ISO7816.SW_CORRECT_LENGTH_00 + (0x0025 & 0xFF)).
    
 * The static fields with OFFSET_ prefixes define constants to be used to index into
 * the APDU buffer byte array to access ISO 7816-4 defined header information.
 */
public interface ISO7816 {

  // Mnemonics for the SW1,SW2 error codes

  /**
   * Response status : No Error = (short)0x9000
   */
  short SW_NO_ERROR		      = (short)0x9000;

  /**
   * Response status : Response bytes remaining = 0x6100
   */
  short SW_BYTES_REMAINING_00 = 0x6100;

  /**
   * Response status : Wrong length = 0x6700
   */
  short SW_WRONG_LENGTH	      = 0x6700;

  /**
   * Response status : Security condition not satisfied = 0x6982
   */
  short SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982;

  /**
   * Response status : File invalid = 0x6983
   */
  short SW_FILE_INVALID       = 0x6983;

  /**
   * Response status : Data invalid = 0x6984
   */
  short SW_DATA_INVALID	      = 0x6984;

  /**
   * Response status : Conditions of use not satisfied = 0x6985
   */
  short SW_CONDITIONS_NOT_SATISFIED	      = 0x6985;

  /**
   * Response status : Command not allowed (no current EF) = 0x6986
   */
  short SW_COMMAND_NOT_ALLOWED	      = 0x6986;
  
  /**
   * Response status : Applet selection failed = 0x6999;
   */
  short SW_APPLET_SELECT_FAILED	      = 0x6999;
  
  /**
   * Response status : Wrong data = 0x6A80
   */
  short SW_WRONG_DATA	      = 0x6A80;

  /**
   * Response status : Function not supported = 0x6A81
   */
  short SW_FUNC_NOT_SUPPORTED = 0x6A81;

  /**
   * Response status : File not found = 0x6A82
   */
  short SW_FILE_NOT_FOUND     = 0x6A82;

  /**
   * Response status : Record not found = 0x6A83
   */
  short SW_RECORD_NOT_FOUND   = 0x6A83;

  /**
   * Response status : Incorrect parameters (P1,P2) = 0x6A86
   */
  short SW_INCORRECT_P1P2 	  = 0x6A86;

  /**
   * Response status : Incorrect parameters (P1,P2) = 0x6B00
   */
  short SW_WRONG_P1P2 	      = 0x6B00;

  /**
   * Response status : Correct Expected Length (Le) = 0x6C00
   */
  short SW_CORRECT_LENGTH_00  = 0x6C00;

  /**
   * Response status : INS value not supported = 0x6D00
   */
  short SW_INS_NOT_SUPPORTED  = 0x6D00;

  /**
   * Response status : CLA value not supported = 0x6E00
   */
  short SW_CLA_NOT_SUPPORTED  = 0x6E00;

  /**
   * Response status : No precise diagnosis = 0x6F00
   */
  short SW_UNKNOWN            = 0x6F00;

  /**
   * Response status : Not enough memory space in the file  = 0x6A84
   */
  short SW_FILE_FULL = 0x6A84;

  // Offsets into APDU header information
  
  /**
   * APDU header offset : CLA = 0
   */
  byte OFFSET_CLA  = 0;

  /**
   * APDU header offset : INS = 1
   */
  byte OFFSET_INS  = 1;

  /**
   * APDU header offset : P1 = 2
   */
  byte OFFSET_P1   = 2;

 /**
   * APDU header offset : P2 = 3
   */
  byte OFFSET_P2   = 3;

 /**
   * APDU header offset : LC = 4
   */
  byte OFFSET_LC   = 4;

 /**
   * APDU command data offset : CDATA = 5
   */
  byte OFFSET_CDATA= 5;
  
  
  //commands
  
  /**
   * APDU command CLA : ISO 7816 = 0x00
   */
  byte CLA_ISO7816 = (byte) 0x00;
  
  /** 
   * APDU command INS : SELECT = 0xA4
   */
  byte INS_SELECT = (byte) 0xA4;
  
  /** 
   * APDU command INS : EXTERNAL AUTHENTICATE = 0x82
   */
  byte INS_EXTERNAL_AUTHENTICATE = (byte) 0x82;

}
why-2.34/lib/javacard_api/javacard/framework/TransactionException.java0000644000175000017500000001010712311670312024545 0ustar  rtusers/*
* $Workfile: TransactionException.java $	$Revision: 1.2 $, $Date: 2007-10-22 08:58:43 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: TransactionException.java $
// $Revision: 1.2 $
// $Date: 2007-10-22 08:58:43 $
// $Author: nrousset $
// $Archive: /Products/Europa/api21/javacard/framework/TransactionException.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * TransactionException represents an exception in the transaction subsystem.
 * The methods referred to in this class are in the JCSystem class.
 * 
    The JCSystem class and the transaction facility throw JCRE owned instances
 * of TransactionException.
 * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
 * and can be accessed from any applet context. References to these temporary objects
 * cannot be stored in class variables or instance variables or array components.
 * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
 * @see JCSystem
 */

public class TransactionException extends CardRuntimeException {

  // constants
 /**
  * This reason code is used by the beginTransaction method to indicate
  * a transaction is already in progress.
  */
  public final static short IN_PROGRESS       = 1;    // beginTransaction called when already in progress
  
 /**
  * This reason code is used by the abortTransaction and commitTransaction methods
  * when a transaction is not in progress.
  */
  public final static short NOT_IN_PROGRESS   = 2;    // commit/abortTransaction called when not in progress
  
 /**
  * This reason code is used during a transaction to indicate that the commit buffer is full.
  */
  public final static short BUFFER_FULL       = 3;    // commit buffer is full
  
 /**
  * This reason code is used during a transaction to indicate 
  * an internal JCRE problem (fatal error).
  */
  public final static short INTERNAL_FAILURE  = 4;    // internal JCRE problem (fatal error)

  // initialized when created by Dispatcher
  private static TransactionException systemInstance;

  /**
   * Constructs a TransactionException with the specified reason.
   * To conserve on resources use throwIt()
   * to use the JCRE owned instance of this class.
   */
  public TransactionException(short reason) {
    super(reason);
    if (systemInstance==null) // created by Dispatcher
        systemInstance = this; 
    }

  /**
   * Throws the JCRE owned instance of TransactionException with the specified reason.
   * 
    JCRE owned instances of exception classes are temporary JCRE Entry Point Objects
   * and can be accessed from any applet context. References to these temporary objects
   * cannot be stored in class variables or instance variables or array components.
   * See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
   * @exception TransactionException always.
   */

    /*  public exceptional_behavior
      @   requires true;
      @ 
      @   assignable systemInstance.reason;
      @
      @   signals (TransactionException te) te.getReason() == reason; 
      @   signals (TransactionException te) te == systemInstance;
      @*/
    
    public static void throwIt(short reason) {
	systemInstance.setReason(reason);
	throw systemInstance;
    }
}
why-2.34/lib/javacard_api/javacard/framework/JCSystem.java0000644000175000017500000004170112311670312022106 0ustar  rtusers/*
* $Workfile: JCSystem.java $	$Revision: 1.7 $, $Date: 2008-02-07 22:08:32 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: JCSystem.java $
// $Revision: 1.7 $
// $Date: 2008-02-07 22:08:32 $
// $Author: nrousset $
// $Archive: /Products/Europa/api21/javacard/framework/JCSystem.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

import com.sun.javacard.impl.PrivAccess;
import com.sun.javacard.impl.NativeMethods;

/**
 * The JCSystem class includes a collection of methods to control
 * applet execution, resource management, atomic transaction management
 * and inter-applet object sharing in Java Card.
 * All methods in JCSystem class are static methods.
    
 *
 * The JCSystem class also includes methods to control the persistence
 * and transience of objects. The term persistent means that objects and their values
 * persist from one CAD session to the next, indefinitely.
 * Persistent object values are updated atomically using transactions.
    
 * The makeTransient...Array() methods can be used to create transient arrays
 * with primitive data components.
 * Transient array data is lost (in an undefined state, but the real data is unavailable)
 * immediately upon power loss, and is reset to the default value at the occurrence of certain events
 * such as card reset or deselect.
 * Updates to the values of transient arrays are not atomic and are not affected by transactions.
 * 
    
 * The JCRE maintains an atomic transaction commit buffer which is initialized on card reset
 * (or power on).
 * When a transaction is in progress, the JCRE journals all updates to persistent data space into
 * this buffer so that it can always guarantee, at commit time, that everything in the buffer
 * is written or nothing at all is written.
 * The JCSystem includes methods to  control an atomic transaction.
 * See Java Card Runtime Environment (JCRE) Specification for details.
 * 
    
 * @see SystemException
 * @see TransactionException
 * @see Applet
 */

public final class JCSystem
{
    private static final short API_VERSION = 0x0201;
    static PrivAccess thePrivAccess; // initialized by Dispatcher

    /**
     * Only JCRE can use constructor.
     */
    JCSystem(){}

    /**
     * This event code indicates that the object is not transient.
     */
    public static final byte NOT_A_TRANSIENT_OBJECT = 0;

    /**
     * This event code indicates that the contents of the transient object are cleared
     * to the default value on card reset ( or power on ) event.
     */
    public static final byte CLEAR_ON_RESET = 1;

    /**
     * This event code indicates that the contents of the transient object are cleared
     * to the default value on applet deselection event or in CLEAR_ON_RESET cases.
     * 
    Notes:
      
     * 
    • CLEAR_ON_DESELECT transient objects can be accessed only when the applet
     * which created the object is the currently the selected applet.
     * 
    • The JCRE will throw a SecurityException if a
     * CLEAR_ON_DESELECT transient
     * object is accessed when the currently selected applet is not the applet which created the object.
     * 
    
     */
    public static final byte CLEAR_ON_DESELECT = 2;

    /**
     * Used to check if the specified object is transient.
     * 
    Notes:
      
     * This method returns NOT_A_TRANSIENT_OBJECT if the specified object is 
     * null or is not an array type.
     * 
    
     * @param theObj the object being queried.
     * @return NOT_A_TRANSIENT_OBJECT, CLEAR_ON_RESET, or CLEAR_ON_DESELECT.
     * @see #makeTransientBooleanArray(short, byte)
     * @see #makeTransientByteArray(short, byte)
     * @see #makeTransientShortArray(short, byte)
     * @see #makeTransientObjectArray(short, byte)
     */

    /*  public normal_behavior
      @   requires true;
      @   assignable \nothing;
      @   ensures true;
      @*/
    public static native /*  pure @*/ byte isTransient(Object theObj);

    /**
     * Create a transient boolean array with the specified array length.
     * @param length the length of the boolean array.
     * @param event the CLEAR_ON... event which causes the array elements to be cleared.
     * @exception SystemException with the following reason codes:
      
     * 
    • SystemException.ILLEGAL_VALUE if event is not a valid event code.
     * 
    • SystemException.NO_TRANSIENT_SPACE if sufficient transient space is not available.
     * 
    • SystemException.ILLEGAL_TRANSIENT if the current applet context
     * is not the currently selected applet context and CLEAR_ON_DESELECT is specified.
     * 
    
     */

    /*  public normal_behavior
      @   ensures true;
      @*/

    public static native boolean[] makeTransientBooleanArray(short length, byte event) throws SystemException;

    /**
     * Create a transient byte array with the specified array length.
     * @param length the length of the byte array.
     * @param event the CLEAR_ON... event which causes the array elements to be cleared.
     * @exception SystemException with the following reason codes:
      
     * 
    • SystemException.ILLEGAL_VALUE if event is not a valid event code.
     * 
    • SystemException.NO_TRANSIENT_SPACE if sufficient transient space is not available.
     * 
    • SystemException.ILLEGAL_TRANSIENT if the current applet context
     * is not the currently selected applet context and CLEAR_ON_DESELECT is specified.
     * 
    
     */

    /*@ behavior normal:
      @   ensures \result.length == length;
      @*/
    public static native byte[] makeTransientByteArray(short length, byte event) 
	throws SystemException;
    
     /**
     * Create a transient short array with the specified array length.
     * @param length the length of the short array.
     * @param event the CLEAR_ON... event which causes the array elements to be cleared.
     * @exception SystemException with the following reason codes:
      
     * 
    • SystemException.ILLEGAL_VALUE if event is not a valid event code.
     * 
    • SystemException.NO_TRANSIENT_SPACE if sufficient transient space is not available.
     * 
    • SystemException.ILLEGAL_TRANSIENT if the current applet context
     * is not the currently selected applet context and CLEAR_ON_DESELECT is specified.
     * 
    
     */

    /*  public normal_behavior
      @   ensures true;
      @*/
    public static native short[] makeTransientShortArray(short length, byte event) throws SystemException;
    
    /**
     * Create a transient array of Object with the specified array length.
     * @param length the length of the Object array.
     * @param event the CLEAR_ON... event which causes the array elements to be cleared.
     * @exception SystemException with the following reason codes:
      
     * 
    • SystemException.ILLEGAL_VALUE if event is not a valid event code.
     * 
    • SystemException.NO_TRANSIENT_SPACE if sufficient transient space is not available.
     * 
    • SystemException.ILLEGAL_TRANSIENT if the current applet context
     * is not the currently selected applet context and CLEAR_ON_DESELECT is specified.
     * 
    
     */

    /*  public normal_behavior
      @   ensures true;
      @*/

    public static native Object[] makeTransientObjectArray(short length, byte event) throws SystemException;

    /**
     * Returns the current major and minor version of the Java Card API.
     * @return version number as byte.byte (major.minor)
     */
    public static short getVersion()
    {
        return API_VERSION;
    }

    /**
     * Returns the JCRE owned instance of the AID object associated with
     * the current applet context.
     * Returns null if the Applet.register() method
     * has not yet been invoked.
     * 
    JCRE owned instances of AID are permanent JCRE
     * Entry Point Objects and can be accessed from any applet context.
     * References to these permanent objects can be stored and re-used.
     * 
    See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
     * @return the AID object.
     */
    
    public static AID getAID()
    {
	    return thePrivAccess.getAID( PrivAccess.getCurrentAppID() );
    }

    /**
     * Returns the JCRE owned instance of the AID object, if any, 
     * encapsulating the specified AID bytes in the buffer parameter
     * if there exists a successfully installed applet on the card whose instance AID
     * exactly matches that of the specified AID bytes.
     * 
    JCRE owned instances of AID are permanent JCRE
     * Entry Point Objects and can be accessed from any applet context.
     * References to these permanent objects can be stored and re-used.
     * 
    See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
     * @param buffer byte array containing the AID bytes.
     * @param offset offset within buffer where AID bytes begin.
     * @param length length of AID bytes in buffer.
     * @return the AID object, if any; null otherwise. A VM exception
     * is thrown if buffer is null,
     * or if offset or length are out of range.
     */

    /*  // Claude Marche', borrowed from LOOP project specification
      @ public behavior 
      @    requires true;
      @  assignable \nothing; 
      @     ensures 
      @        buffer != null && offset >= 0 && length >= 0 && 
      @           offset+length <= buffer.length 
      @        //&& 
      @        //(\result != null ==> \result.equals(buffer,offset,length) )
      @          ;
      @     signals (NullPointerException) 
      @              buffer == null;
      @     signals (ArrayIndexOutOfBoundsException)
      @              buffer != null &&
      @              (offset < 0 || length < 0 || offset+length > buffer.length);
      @*/
    public static /*  pure @*/ AID lookupAID( byte[] buffer, short offset, byte length )
    throws NullPointerException,          // not in original source
           ArrayIndexOutOfBoundsException // not in original source
    {
        byte test = buffer[0]; // throw NullPointerException if buffer==null
        return thePrivAccess.getAID(buffer, offset, length);
    }

    /**
     * Begins an atomic transaction. If a transaction is already in
     * progress (transactionDepth != 0), a TransactionException is
     * thrown.
     * @exception TransactionException with the following reason codes:
      
     * 
    • TransactionException.IN_PROGRESS if a transaction is already in progress.
    
     * @see #commitTransaction()
     * @see #abortTransaction()
     */

    // specs to avoid Why error msg 'Exception TransactionException_exc cannot be raised' (Nicolas)

    /*  behavior normal:
      @   ensures true;
      @ behavior exc:
      @   signals (TransactionException) true;
      @*/
    public static native void beginTransaction() throws TransactionException;
 
    /**
     * Aborts the atomic transaction. The contents of the commit
     * buffer is discarded.
     * 
    Notes:
      
     * 
    • Do not call this method from within a transaction which creates new objects because
     * the JCRE may not recover the heap space used by the new object instances.
     * 
    • Do not call this method from within a transaction which creates new objects because
     * the JCRE may, to ensure the security of the card and to avoid heap space loss,
     * lock up the card session to force tear/reset processing. 
     * 
    • The JCRE ensures that any variable of reference type which references an object
     * instantiated from within this aborted transaction is equivalent to 
     * a null reference.  
     * 
    
     * @exception TransactionException with the following reason codes:
      
     * 
    • TransactionException.NOT_IN_PROGRESS if a transaction is not in progress.
    
     * @see #beginTransaction()
     * @see #commitTransaction()
     */

    /*  behavior normal:
      @   ensures true;
      @ behavior exc:
      @   signals (TransactionException) true;
      @*/

    public static native void abortTransaction() throws TransactionException;

    /**
     * Commits an atomic transaction. The contents of commit
     * buffer is atomically committed. If a transaction is not in
     * progress (transactionDepth == 0) then a TransactionException is
     * thrown.
     * @exception TransactionException with the following reason codes:
      
     * 
    • TransactionException.NOT_IN_PROGRESS if a transaction is not in progress.
    
     * @see #beginTransaction()
     * @see #abortTransaction()
     */

    /*  behavior normal:
      @   ensures true;
      @ behavior exc:
      @   signals (TransactionException) true;
      @*/

    public static native void commitTransaction() throws TransactionException;

    /**
     * Returns the current transaction nesting depth level. At present,
     * only 1 transaction can be in progress at a time.
     * @return 1 if transaction in progress, 0 if not.
     */

    /*  public normal_behavior
      @   ensures true;
      @*/

    public static native /*  pure @*/ byte getTransactionDepth();

    /**
     * Returns the number of bytes left in the commit buffer.
     * @return the number of bytes left in the commit buffer
     * @see #getMaxCommitCapacity()
     */
    public static native short getUnusedCommitCapacity();

    /**
     * Returns the total number of bytes in the commit buffer.
     * This is approximately the maximum number of bytes of
     * persistent data which can be modified during a transaction.
     * However, the transaction subsystem requires additional bytes
     * of overhead data to be included in the commit buffer, and this
     * depends on the number of fields modified and the implementation
     * of the transaction subsystem. The application cannot determine
     * the actual maximum amount of data which can be modified during
     * a transaction without taking these overhead bytes into consideration.
     * @return the total number of bytes in the commit buffer
     * @see #getUnusedCommitCapacity()
     */
    public static native short getMaxCommitCapacity();

    /**
     * This method is called to obtain the JCRE owned instance of the AID object associated
     * with the previously active applet context. This method is typically used by a server applet,
     * while executing a shareable interface method to determine the identity of its client and
     * thereby control access privileges.
     * 
    JCRE owned instances of AID are permanent JCRE
     * Entry Point Objects and can be accessed from any applet context.
     * References to these permanent objects can be stored and re-used.
     * 
    See Java Card Runtime Environment (JCRE) Specification, section 6.2.1 for details.
     * @return the AID object of the previous context, or null if JCRE.
     */
    public static AID getPreviousContextAID()
    {
        return thePrivAccess.getAID( (byte)
                (NativeMethods.getPreviousContext() & PrivAccess.APPID_BITMASK)
                );
    }
    
    /**
     * This method is called by a client applet to get a server applet's
     * shareable interface object. 
    This method returns null
     * if the Applet.register() has not yet been invoked or
     * if the server does not exist or if the server returns null.
     * @param serverAID the AID of the server applet.
     * @param parameter optional parameter data.
     * @return the shareable interface object or null.
     * @see javacard.framework.Applet#getShareableInterfaceObject(AID, byte)
     */
    public static Shareable getAppletShareableInterfaceObject(AID serverAID, byte param /* CM parameter */)
    {  
	    return thePrivAccess.getSharedObject(serverAID, param /* CM parameter */);
    }

}
why-2.34/lib/javacard_api/javacard/framework/Util.java0000644000175000017500000004146212311670312021326 0ustar  rtusers/*
* $Workfile: Util.java $	$Revision: 1.2 $, $Date: 2007-09-26 15:15:36 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Util.java $
// $Revision: 1.2 $
// $Date: 2007-09-26 15:15:36 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/Util.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

/**
 * The Util class contains common utility functions.
 * Some of the methods may be implemented as native functions for
 * performance reasons.
 * All methods in Util, class are static methods.
    
 * Some methods of Util namely arrayCopy(), arrayCopyNonAtomic(),
 * arrayFillNonAtomic() and setShort(), refer to the persistence of
 * array objects. The term persistent means that arrays and their values persist from
 * one CAD session to the next, indefinitely.
 * The JCSystem class is used to control the persistence and transience of objects.
 * @see javacard.framework.JCSystem
 */

public class Util
{

    /**
     * Only JCRE can use constructor.
     * No need to construct this class anyway, since it is all statics.
     */
    Util(){}

    /**
     * Copies an array from the specified source array,
     * beginning at the specified position,
     * to the specified position of the destination array.
     * 
    
     * Notes:
      
     * 
    • If srcOff or destOff or length parameter
     * is negative an ArrayIndexOutOfBoundsException exception is thrown.
     * 
    • If srcOff+length is greater than src.length, the length
     * of the src array a ArrayIndexOutOfBoundsException exception is thrown
     * and no copy is performed.
     * 
    • If destOff+length is greater than dest.length, the length
     * of the dest array an ArrayIndexOutOfBoundsException exception is thrown
     * and no copy is performed.
     * 
    • If src or dest parameter is null
     * a NullPointerException exception is thrown.
     * 
    • If the src and dest arguments refer to the same array object,
     * then the copying is performed as if the components at positions srcOff
     * through srcOff+length-1 were first copied to a temporary array with length components
     * and then the contents of the temporary array were copied into
     * positions destOff through destOff+length-1 of the argument array.
     * 
    • If the destination array is persistent, the entire copy is performed atomically.
     * 
    • The copy operation is subject to atomic commit capacity limitations.
     * If the commit capacity is exceeded, no copy is performed and a TransactionException
     * exception is thrown.
     * 
    
     * @param src source byte array.
     * @param srcOff offset within source byte array to start copy from.
     * @param dest destination byte array.
     * @param destOff offset within destination byte array to start copy into.
     * @param length byte length to be copied.
     * @return destOff+length
     * @exception java.lang.ArrayIndexOutOfBoundsException
     * - if copying would cause access of data outside array bounds.
     * @exception java.lang.NullPointerException - if either src or dest is null.
     * @exception javacard.framework.TransactionException
     * - if copying would cause the commit capacity to be exceeded.
     * @see javacard.framework.JCSystem#getUnusedCommitCapacity()
     */
    /*  normal_behavior
      @  requires src != null &&  srcOff >= 0 &&
      @              srcOff+length <= src.length &&
      @            dest != null && destOff >= 0 &&
      @              destOff+length <= dest.length &&
      @            length >= 0;
      @  modifiable dest[destOff..destOff+length-1];
      @     ensures (\forall short i ; 0 <= i && i < length ;
      @                    dest[destOff+i] == \old(src[srcOff+i]));
      @*/
    public static final native short arrayCopy(byte[] src, short srcOff, byte[] dest, short destOff, short length)
    throws ArrayIndexOutOfBoundsException, NullPointerException, TransactionException;

    /**
     * Copies an array from the specified source array,
     * beginning at the specified position,
     * to the specified position of the destination array (non-atomically).
     * 
    This method does not use the transaction facility during the copy operation even if
     * a transaction is in progress. Thus, this
     * method is suitable for use only when the contents of the destination array can be left in
     * a partially modified state in the event of a power loss in the middle of the copy operation.
     * 
    
     * Notes:
      
     * 
    • If srcOff or destOff or length parameter
     * is negative an ArrayIndexOutOfBoundsException exception is thrown.
     * 
    • If srcOff+length is greater than src.length, the length
     * of the src array a ArrayIndexOutOfBoundsException exception is thrown
     * and no copy is performed.
     * 
    • If destOff+length is greater than dest.length, the length
     * of the dest array an ArrayIndexOutOfBoundsException exception is thrown
     * and no copy is performed.
     * 
    • If src or dest parameter is null
     * a NullPointerException exception is thrown.
     * 
    • If the src and dest arguments refer to the same array object,
     * then the copying is performed as if the components at positions srcOff
     * through srcOff+length-1 were first copied to a temporary array with length components
     * and then the contents of the temporary array were copied into
     * positions destOff through destOff+length-1 of the argument array.
     * 
    • If power is lost during the copy operation and the destination array is persistent,
     * a partially changed destination array could result.
     * 
    • The copy length parameter is not constrained by the atomic commit capacity limitations.
    
     * @param src source byte array.
     * @param srcOff offset within source byte array to start copy from.
     * @param dest destination byte array.
     * @param destOff offset within destination byte array to start copy into.
     * @param length byte length to be copied.
     * @return destOff+length
     * @exception java.lang.ArrayIndexOutOfBoundsException
     * - if copying would cause access of data outside array bounds.
     * @exception java.lang.NullPointerException - if either src or dest is null.
     * @see javacard.framework.JCSystem#getUnusedCommitCapacity()
     */

    /*  public normal_behavior
      @   requires src != null;
      @   requires srcOff >= 0;
      @   requires srcOff + length <= src.length;
      @   requires dest != null;
      @   requires destOff >= 0;
      @   requires destOff + length <= dest.length;
      @   requires length >= 0;
      @
      @   assignable dest[destOff..destOff + length - 1];
      @
      @   ensures (\forall short i; 0 <= i && i < length; dest[destOff + i] == \old(src[srcOff + i]));
      @*/

    public static final native short arrayCopyNonAtomic(byte[] src, short srcOff, byte[] dest, short destOff, short length)
	throws ArrayIndexOutOfBoundsException, NullPointerException;


    /**
     * Fills the byte array (non-atomically) beginning at the specified position,
     * for the specified length with the specified byte value.
     * 
    This method does not use the transaction facility during the fill operation even if
     * a transaction is in progress. Thus, this
     * method is suitable for use only when the contents of the byte array can be left in
     * a partially filled state in the event of a power loss in the middle of the fill operation.
     * 
    
     * Notes:
      
     * 
    • If bOff or bLen parameter
     * is negative an ArrayIndexOutOfBoundsException exception is thrown.
     * 
    • If bOff+bLen is greater than bArray.length, the length
     * of the bArray array an ArrayIndexOutOfBoundsException exception is thrown.
     * 
    • If bArray parameter is null
     * a NullPointerException exception is thrown.
     * 
    • If power is lost during the copy operation and the byte array is persistent,
     * a partially changed byte array could result.
     * 
    • The bLen parameter is not constrained by the atomic commit capacity limitations.
    
     * @param bArray the byte array.
     * @param bOff offset within byte array to start filling bValue into.
     * @param bLen byte length to be filled.
     * @param bValue the value to fill the byte array with.
     * @return bOff+bLen
     * @exception java.lang.ArrayIndexOutOfBoundsException
     * - if the fill operation would cause access of data outside array bounds.
     * @exception java.lang.NullPointerException - if bArray is null
     * @see javacard.framework.JCSystem#getUnusedCommitCapacity()
     */
    public static final native short arrayFillNonAtomic(byte[] bArray, short bOff, short bLen, byte bValue)
    throws ArrayIndexOutOfBoundsException, NullPointerException;
   
    /**
     * Compares an array from the specified source array,
     * beginning at the specified position,
     * with the specified position of the destination array from left to right.
     * Returns the ternary result of the comparison : less than(-1), equal(0) or greater than(1).
     * 
    Notes:
      
     * 
    • If srcOff or destOff or length parameter
     * is negative an ArrayIndexOutOfBoundsException exception is thrown.
     * 
    • If srcOff+length is greater than src.length, the length
     * of the src array a ArrayIndexOutOfBoundsException exception is thrown.
     * 
    • If destOff+length is greater than dest.length, the length
     * of the dest array an ArrayIndexOutOfBoundsException exception is thrown.
     * 
    • If src or dest parameter is null
     * a NullPointerException exception is thrown.
     * 
    
     * @param src source byte array.
     * @param srcOff offset within source byte array to start compare.
     * @param dest destination byte array.
     * @param destOff offset within destination byte array to start compare.
     * @param length byte length to be compared.
     * @return the result of the comparison as follows:
      
     * 
    •  0 if identical
     * 
    •  -1 if the first miscomparing byte in source array is less than that in destination array,
     * 
    •  1 if the first miscomparing byte in source array is greater that that in destination array.
    
     * @exception java.lang.ArrayIndexOutOfBoundsException
     * - if comparing all bytes would cause access of data outside array bounds.
     * @exception java.lang.NullPointerException - if either src or dest is null.
     */
    // TEMP // This method might eventually be a native method

    /*  public normal_behavior
      @   requires src != null;
      @   requires srcOff >= 0;
      @   requires srcOff + length <= src.length;
      @   requires dest != null;
      @   requires destOff >= 0;
      @   requires destOff + length <= dest.length;
      @   requires length >= 0;
      @
      @   assignable \nothing;
      @
      @   ensures -1 <= \result && \result <= 1;
      @   ensures \result == -1
      @           <==>
      @           (\exists short j; 0 <= j && j < length;
      @                    src[srcOff + j] < dest[destOff + j] &&
      @                    (\forall short i; 0 <= i && i < j; src[srcOff + i] == dest[destOff + i]));
      @   ensures \result == 0 
      @           <==>
      @           (\forall short i; 0 <= i && i < length; src[srcOff + i] == dest[destOff + i]);
      @   ensures \result == 1
      @           <==>
      @           (\exists short j; 0 <= j && j < length;
      @                    src[srcOff + j] > dest[destOff + j] &&
      @                    (\forall short i; 0 <= i && i < j; src[srcOff + i] == dest[destOff + i]));
      @*/

    public static final /*  pure @*/ native byte arrayCompare(byte[] src, short srcOff, byte[] dest, short destOff, short length)
    throws ArrayIndexOutOfBoundsException, NullPointerException;

    /**
     * Concatenates the two parameter bytes to form a short value.
     * @param b1 the first byte ( high order byte ).
     * @param b2 the second byte ( low order byte ).
     * @return the short value - the concatenated result
     */
    public static final short makeShort( byte b1, byte b2 )
    {
        return (short)(((short)b1 << 8) + ((short)b2 & 0xFF));
    }

    /**
     * Concatenates two bytes in a byte array to form a short value.
     * @param bArray byte array.
     * @param bOff offset within byte array containing first byte (the high order byte).
     * @return the short value - the concatenated result
     */

    // Added by Xavier to avoid & in specs
    /*  normal_behavior
      @// requires -128 <= b  && b <= 127 ;
      @ ensures (b >= 0 ==> \result==b) && (b < 0 ==> \result==b+256) ;
      @*/
    public static /*  pure @*/ short k_unsigned(byte b){}

    // Is this ensures clause necessary ?
    //    ensures     (\result >> 8) == (int)bArray[bOff] &&
    //    (\result & 0x00ff) == (k_unsigned(bArray[bOff+1]));
      

    /*  normal_behavior
      @  requires bArray != null && 
      @           bOff >= 0 &&
      @           bArray.length - 1 > bOff;
      @  modifiable \nothing;
      @     ensures \result == 256 * bArray[bOff]
      @                          + (k_unsigned(bArray[bOff+1]));
      @*/
    public static final /*  pure @*/ short getShort( byte[] bArray, short bOff )
    {
        return (short)(( (short)(bArray[bOff]) << 8 ) +
                       ( (short)(bArray[(short)(bOff+1)]) & 0xFF));
    }

    /**
     * Deposits the short value as two successive bytes at the specified offset in the byte array.
     * @param bArray byte array.
     * @param bOff offset within byte array to deposit the first byte (the high order byte).
     * @param sValue the short value to set into array.
    
     * @return bOff+2
     * 
    Note:
      
     * 
    • If the byte array is persistent, this operation is performed atomically.
     * If the commit capacity is exceeded, no operation is performed and a TransactionException
     * exception is thrown.
    
     * @exception javacard.framework.TransactionException
     * - if the operation would cause the commit capacity to be exceeded.
     * @see javacard.framework.JCSystem#getUnusedCommitCapacity()
     */
    // TEMP // This method should eventually be a native method
    public static final native short setShort( byte[] bArray, short bOff, short sValue )
    throws TransactionException;
}
why-2.34/lib/javacard_api/javacard/framework/Dispatcher.java0000644000175000017500000002152012311670312022470 0ustar  rtusers/*
* $Workfile: Dispatcher.java $	$Revision: 1.1 $, $Date: 2007-09-26 14:32:59 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Dispatcher.java $
// $Revision: 1.1 $
// $Date: 2007-09-26 14:32:59 $
// $Author: marche $
// $Archive: /Products/Europa/api21/javacard/framework/Dispatcher.java $
// $Modtime: 5/02/00 8:48p $
// Original author:  Mitch Butler
// */
package javacard.framework;

import com.sun.javacard.impl.PrivAccess;
import com.sun.javacard.impl.AppTable;
import com.sun.javacard.impl.NativeMethods;
import javacard.security.CryptoException;

/**
 * This class is the Dispatcher, which contains the main entry point and
 * the main loop of the card. It dispatches APDUs to applets.
 */
class Dispatcher
{
	// Constants
    private static final byte INS_SELECT   = (byte)0xA4;
    private static final byte P1_SELECT_DFBYNAME = (byte) 0x04;

    private static final byte P2_SELECT_OPTIONS = (byte) 0xF3;
    private static final byte P2_SELECT_OPTIONS_ONLY = 0x00;

	// Static class fields, with initialization done in init()
	private static boolean initDone = false;
    private static APDU theAPDU;
    private static byte[] theAPDUBuffer;
    private static PrivAccess thePrivAccess;
    
    // other static fields
    static Dispatcher theDispatcher;

    /**
     * Main entry point invoked by VM when card is reset.
     */
	static void main()
	{
	    if (!initDone) cardInit();      // card initialization (first time only)	    
	    cardReset();                    // session initialization (each card reset)
	    short sw = 0;

        // main loop
    	while (true) {
            PrivAccess.resetSelectingAppletFlag();
    	    theAPDU.complete(sw); // respond to previous APDU and get next
    	    try {
    	        processDispatcherAPDU(); // Dispatcher handles the SELECT APDU
    	        // dispatch to the currently selected applet
    	        if (PrivAccess.getSelectedAppID()==PrivAccess.APP_NULL) {
                   // if no applet selected
                   ISOException.throwIt(ISO7816.SW_APPLET_SELECT_FAILED);
                   }
                PrivAccess.getSelectedApplet().process(theAPDU);
 	            // abort transaction if applet forgot to commit it
 	            if (JCSystem.getTransactionDepth() != 0) {
 	               TransactionException.throwIt(TransactionException.IN_PROGRESS);
 	               }
 	            sw = ISO7816.SW_NO_ERROR;
    	    } catch (ISOException ex) {
    	        // get SW from ISOException reason
    	        sw = ex.getReason();
    	    } catch (Throwable e) {
    	        // any other exception is unknown reason
    	        sw = ISO7816.SW_UNKNOWN;
    	    }

 	        // abort transaction if still in progress
 	        if (JCSystem.getTransactionDepth() != 0) {
	            JCSystem.abortTransaction();
	        }
   	    }
	}

    /**
     * Process APDUs handled by the Dispatcher.
     */
	private static void processDispatcherAPDU()
	{
		if (theAPDUBuffer[0] == (byte)(ISO7816.CLA_ISO7816)) {
    		switch (theAPDUBuffer[1]) {
    		    case (byte)INS_SELECT:
    		        theDispatcher.selectAPDU(theAPDU);
    		        break;
    		}
    	}
	}

    /**
     * Select commands are handled by the Dispatcher.
     * This method checks for the supported SELECT options. If it is a supported applet selection command,
     * and the applet is identified, deselect the currently selected applet and select the new one.
     * If applet selection fails, or the identified applet state is not selectable, deselect the
     * the currently selected applet and leave in "no applet selected" state.
     * This method rewinds the APDU if setIncomingAndReceive() is called.
     */
	void selectAPDU(APDU theAPDU)
	{
        // ensure that P1==4 and (P2 & 0xF3)==0
        if (theAPDUBuffer[2] == P1_SELECT_DFBYNAME) {

            // check P2 = 0x0, 0x04, 0x08 or 0x0C
            if ((theAPDUBuffer[3] & P2_SELECT_OPTIONS) != P2_SELECT_OPTIONS_ONLY) {
                return;
            }

            // read AID and check APDU data length
            byte len = (byte)(theAPDU.setIncomingAndReceive());

            if ( len == theAPDUBuffer[4]) {

                // search for applet with AID
                byte i = AppTable.findApplet(theAPDUBuffer, (short)5, len);

                // find AID in AppTable
                // if no match of AID found in AppTable. JCRE assumes that the command is
                // not being used to select an applet and will invoke process() method
                // of the currently select applet (if there is one)
                if ( i != AppTable.APP_NULL) {
                  // is applet selectable?
                  if ( PrivAccess.getAppState( thePrivAccess.getAID(i) ) >= PrivAccess.APP_STATE_SELECTABLE ){
                    PrivAccess.selectApplet(i);
                  } else {
                    // if applet is not selectable, no applet selected
                    PrivAccess.deselectOnly();
                    NativeMethods.setSelectedContext(PrivAccess.JCRE_CONTEXTID);
                  }
                }
            }
            // "undo" the receive so that the applet can do it
            undoReceive();
        }
    }
    
    void undoReceive() {
        // "undo" the receive so that the applet can do it
        theAPDU.undoIncomingAndReceive();
        }   
            

    /**
     * This method is executed once each time the card is reset, when
     * the Dispatcher is initialized. All reset-time-only Dispatcher,
     * PrivAccess, and "system" initializations are done here.
     */
	static void cardReset()
	{
	    // this implementation selects a default applet on card reset.
        PrivAccess.selectDefaultApplet();
        
        // ensure AppTable state is consistent
        AppTable.cleanup();
        // other card reset time initialization such as initializing
        // transient objects not shown here.
	}

    /**
     * This method is executed exactly once in the lifetime of the card, when
     * the Dispatcher is initialized for the first time. All first-time-only Dispatcher,
     * PrivAccess, and "system" initializations are done here.
     */
    static void cardInit()
    {
        NativeMethods.markHeap(); //allow the JCRE heap space recovery
        if (theDispatcher==null) theDispatcher = new Dispatcher();
        
        // create JCRE owned instances of exceptions
        // and designate as temporary Entry Point Objects
        // Exception classes init their own static systemInstance reference
        Exception ex;
        ex = new CardException( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new CardRuntimeException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new APDUException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new ISOException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new PINException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new SystemException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new TransactionException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new UserException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );
        ex = new CryptoException ( (short) 0 );
        NativeMethods.setJCREentry( ex, true );

        // create JCRE owned instance of the APDU and designate as temporary Entry Point Object
        theAPDU = new APDU();
        NativeMethods.setJCREentry( theAPDU, true );

        // create JCRE owned instance of PrivAccess and designate as permanent Entry Point Object
        thePrivAccess = JCSystem.thePrivAccess = new PrivAccess();
        NativeMethods.setJCREentry( thePrivAccess, false );

        // get APDU buffer and mark as (temporary) Global Array.
        theAPDUBuffer = theAPDU.getBuffer();
        NativeMethods.setJCREentry( theAPDUBuffer, true );

        PrivAccess.initialize( theAPDU );

        initDone = true;	        // card init is complete
        NativeMethods.commit();     // commit the heap space used by JCRE
    }

    /**
     * Only JCRE can use constructor.
     * No need to construct this class anyway. No instance methods/fields.
     */
    Dispatcher(){}

}
why-2.34/lib/javacard_api/javacard/framework/Applet.java0000644000175000017500000003432412311670312021635 0ustar  rtusers/*
* $Workfile: Applet.java $	$Revision: 1.2 $, $Date: 2008-01-31 18:27:25 $
*
* Copyright (c) 1999 Sun Microsystems, Inc. All Rights Reserved.
*
* This software is the confidential and proprietary information of Sun
* Microsystems, Inc. ("Confidential Information").  You shall not
* disclose such Confidential Information and shall use it only in
* accordance with the terms of the license agreement you entered into
* with Sun.
*
* SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF THE
* SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
* PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE LIABLE FOR ANY DAMAGES
* SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*/

// /*
// $Workfile: Applet.java $
// $Revision: 1.2 $
// $Date: 2008-01-31 18:27:25 $
// $Author: nrousset $
// $Archive: /Products/Europa/api21/javacard/framework/Applet.java $
// $Modtime: 5/02/00 7:13p $
// Original author:  Ravi
// */

package javacard.framework;

import javacard.framework.JCSystem;
import com.sun.javacard.impl.PrivAccess;
/**
 * This abstract class defines an applet in Java Card.
 * 
    
 * The Applet class should be extended by any applet that is intended to be
 * loaded onto, installed into and executed on a Java Card compliant
 * smart card.
    
 *
 * 
    
 * Example usage of Applet
 * 
    
 * public class MyApplet extends javacard.framework.Applet{
 * static byte someByteArray[];
 *
 * public static void install( byte[] bArray, short bOffset, byte bLength  ) throws ISOException {
 *   // make all my allocations here, so I do not run
 *   // out of memory later
 *   MyApplet theApplet = new MyApplet();
 *
 *   // check incoming parameter
 *   byte bLen = bArray[bOffset];
 *   if ( bLen!=0 ) { someByteArray = new byte[bLen]; theApplet.register(); return; }
 *   else ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED);
 *   }
 *
 * public boolean select(){
 *   // selection initialization
 *   someByteArray[17] = 42; // set selection state
 *   return true;
 *   }
 *
 * public void process(APDU apdu) throws ISOException{
 *  byte[] buffer = apdu.getBuffer();
 *  // .. process the incoming data and reply
 *  if ( buffer[ISO7816.OFFSET_CLA] == (byte)0 ) {
 *     switch ( buffer[ISO7816.OFFSET_INS] ) {
 *         case ISO.INS_SELECT:
 *             ...
 *             // send response data to select command
 *             short Le =  apdu.setOutgoing();
 *             // assume data containing response bytes in replyData[] array.
 *             if ( Le < ..) ISOException.throwIt( ISO7816.SW_WRONG_LENGTH);
 *             apdu.setOutgoingLength( (short)replyData.length );
 *             apdu.sendBytesLong(replyData, (short) 0, (short)replyData.length);
 *             break;
 *         case ...
 *         }
 *      }
 *   }
 *
 * }
 * 
    
 *
 * @see SystemException
 * @see JCSystem
 */

abstract public class Applet
{
    private PrivAccess thePrivAccess;  
    
    /**
     * Only this class's install() method should create the applet object.
     */
    protected Applet(){
        thePrivAccess = PrivAccess.getPrivAccess();
    }

    /**
     * To create an instance of the Applet subclass, the JCRE
     * will call this static method first.
     * 
    The applet should
     * perform any necessary initializations and must call one of the register() methods.
     * Only one Applet instance can be successfully registered from within this install.
     * The installation is considered successful when the call to register()
     * completes without an exception. The installation is deemed unsuccessful if the
     * install method does not call a
     * register() method, or if an exception is thrown from within
     * the install method prior to the call to a register()
     * method, or if every call to the register() method results in an exception.
     * If the installation is unsuccessful, the JCRE must perform all the necessary clean up
     * when it receives control.
     * Successful installation makes the applet instance capable of being selected via a
     * SELECT APDU command.
    
     * Installation parameters are supplied in the byte array parameter and
     * must be in a format defined by the applet. 
     * The bArray object is a global array. If the applet
     * desires to preserve any of this data, it should copy
     * the data into its own object.
     * 
    bArray is zeroed by the JCRE after the return from the
     * install() method.
    
     * References to the bArray object 
     * cannot be stored in class variables or instance variables or array components.
     * See Java Card Runtime Environment (JCRE) Specification, section 6.2.2 for details.
    
     * The implementation of this method provided by
     * Applet class throws an ISOException with 
     * reason code = ISO7816.SW_FUNC_NOT_SUPPORTED.
     * 
    Note:
      
     * 
    • Exceptions thrown by this method after successful installation are caught 
     * by the JCRE and processed by the Installer.
     * 
    
     * @param bArray the array containing installation parameters.
     * @param bOffset the starting offset in bArray.
     * @param bLength the length in bytes of the parameter data in bArray.
     * The maximum value of bLength is 32.
     */
    public static void install( byte[] bArray, short bOffset, byte bLength ) throws ISOException
    { ISOException.throwIt(ISO7816.SW_FUNC_NOT_SUPPORTED); }

    /**
     * Called by the JCRE to process an incoming APDU command.
     * An applet is expected to perform the action
     * requested and return response data if any to the terminal.
    
     * Upon normal return from this
     * method the JCRE sends the ISO 7816-4 defined success status (90 00) in APDU response.
     * If this method throws an ISOException the JCRE sends the associated reason code as the
     * response status instead.
    
     * The JCRE zeroes out the APDU buffer before receiving a new APDU command from the CAD.
     * The five header bytes of the APDU command are available in APDU buffer[0..4] at the time
     * this method is called.
    
     * The APDU object parameter is a temporary JCRE Entry Point Object.
     * A temporary JCRE Entry Point Object can be accessed from any applet context. References
     * to these temporary objects cannot be stored in class variables or instance variables
     * or array components.
    
     * Notes:
      
     * 
    • APDU buffer[5..] is undefined and should not be read or written prior to invoking the
     * APDU.setIncomingAndReceive() method if incoming data is expected. Altering
     * the APDU buffer[5..] could corrupt incoming data.
     * 
    
     * @see APDU
     * @param apdu the incoming APDU object
     * @exception ISOException with the response bytes per ISO 7816-4
     */
    public abstract void process(APDU apdu) throws ISOException;
    
    /**
     * Called by the JCRE to inform this applet that it has been selected.
     * 
    It is called when a SELECT APDU command is received and
     * before the applet is selected. SELECT APDU commands use instance AID bytes for applet
     * selection.
     * See Java Card Runtime Environment (JCRE) Specification, section 4.2 for details.
    
     * A subclass of Applet should override this method
     * if it should perform any initialization that may be required to
     * process APDU commands that may follow.
     * This method returns a boolean to indicate that it is ready to accept incoming APDU
     * commands via its process() method. If this method returns false, it indicates to
     * the JCRE that this Applet declines to be selected.
     * 
    
     * The implementation of this method provided by
     * Applet class returns true.
    
     * @return true to indicate success, false otherwise.
     */
    public boolean select()
    {
        return true;
    }

    /**
     * Called by the JCRE to inform this currently selected applet that another (or the same) applet
     * will be selected. It is called when a SELECT APDU command is received by the JCRE. This method is invoked
     * prior to another applets or this very applets select() method
     * being invoked.
     * 
    
     * A subclass of Applet should override this method if
     * it has any cleanup or bookkeeping work to be performed before another
     * applet is selected.
     * 
    
     * The default implementation of this method provided by Applet class does nothing.
    
     * Notes:
      
     * 
    • Unchecked exceptions thrown by this method are caught by the JCRE but the
     * applet is deselected.
     * 
    • Transient objects of JCSystem.CLEAR_ON_DESELECT clear event type 
     * are cleared to their default value by the JCRE after this method.
     * 
    • This method is NOT called on reset or power loss.
     * 
    
     */
    public void deselect(){}

    /**
     * Called by the JCRE to obtain a shareable interface object from this server applet, on
     * behalf of a request from a client applet. This method executes in the applet context of
     * this applet instance.
     * The client applet initiated this request by calling the
     * JCSystem.getAppletShareableInterfaceObject() method.
     * See Java Card Runtime Environment (JCRE) Specification, section 6.2.4 for details.
     * 
    Note:
      
     * 
    • The clientAID parameter is a JCRE owned AID
     * instance. JCRE owned instances of AID are permanent JCRE
     * Entry Point Objects and can be accessed from any applet context.
     * References to these permanent objects can be stored and re-used.
     * 
    
     * @param clientAID the AID object of the client applet.  
     * @param parameter optional parameter byte. The parameter byte may be used by the client to specify
     * which shareable interface object is being requested.
     * @return the shareable interface object or null.
     * @see javacard.framework.JCSystem#getAppletShareableInterfaceObject(AID, byte)
     */
    public Shareable getShareableInterfaceObject(AID clientAID, byte param /*CM parameter */) {
        return null;
    }

    /*
     * This method is used by the applet to register this applet instance with
     * the JCRE and to
     * assign the Java Card name of the applet as its instance AID bytes. 
     * One of the register() methods must be called from within install()
     * to be registered with the JCRE.
     * See Java Card Runtime Environment (JCRE) Specification, section 3.1 for details.
     * 
    Note:
      
     * 
    • The phrase "Java card name of the applet" is a reference to the AID[AID_length]
     * item in the applets[] item of the applet_component, as documented in Section 6.5
     * Applet Component in the Java Card Virtual Machine Specification.
     * 
    
     * @exception SystemException with the following reason codes:
      
     * 
    • SystemException.ILLEGAL_AID if the Applet subclass AID bytes are in use or
     * if the applet instance has previously successfully registered with the JCRE via one of the
     * register() methods or if a JCRE initiated install() method execution is not in progress.
     * 
    
     */
    protected final void register() throws SystemException
    {
	thePrivAccess.register(this);
    }

    /**
     * This method is used by the applet to register this applet instance with the JCRE and
     * assign the specified AID bytes as its instance AID bytes.
     * One of the register() methods must be called from within install()
     * to be registered with the JCRE.
     * See Java Card Runtime Environment (JCRE) Specification, section 3.1 for details.
     * @param bArray the byte array containing the AID bytes.
     * @param bOffset the start of AID bytes in bArray.
     * @param bLength the length of the AID bytes in bArray.
     * @exception SystemException with the following reason code:
      
     * 
    • SystemException.ILLEGAL_VALUE if the bLength parameter is
     * less than 5 or greater than 16.
     * 
    • SystemException.ILLEGAL_AID if the specified instance AID bytes are in use or
     * if the RID portion of the AID bytes in the bArray parameter
     * does not match the RID portion of the Java Card name of the applet or
     * if the applet instance has previously successfully registered with the JCRE via one of the
     * register() methods or if a JCRE initiated install() method execution is not in progress.
     * 
    
     * 
    Note:
      
     * 
    • The phrase "Java card name of the applet" is a reference to the AID[AID_length]
     * item in the applets[] item of the applet_component, as documented in Section 6.5
     * Applet Component in the Java Card Virtual Machine Specification.
     * 
    
     */
    protected final void register(byte[] bArray, short bOffset, byte bLength ) throws SystemException
    {
        if (bLength<5 || bLength>16) SystemException.throwIt( SystemException.ILLEGAL_VALUE );
        thePrivAccess.register(this, bArray, bOffset, bLength );
    }

   /**
     * This method is used by the applet process() method to distinguish
     * the SELECT APDU command which selected this applet, from all other
     * other SELECT APDU commands which may relate to file or internal applet state selection.
     * @return true if this applet is being selected.
     */
    protected final boolean selectingApplet()
    {
        return thePrivAccess.selectingApplet();
    }


}
why-2.34/lib/javacard_api/com/0000755000175000017500000000000012311670312014545 5ustar  rtuserswhy-2.34/lib/javacard_api/com/sun/0000755000175000017500000000000012311670312015352 5ustar  rtuserswhy-2.34/lib/javacard_api/com/sun/javacard/0000755000175000017500000000000012311670312017125 5ustar  rtuserswhy-2.34/lib/javacard_api/com/sun/javacard/impl/0000755000175000017500000000000012311670312020066 5ustar  rtuserswhy-2.34/lib/javacard_api/com/sun/javacard/impl/NativeMethods.java0000644000175000017500000000010112311670312023473 0ustar  rtusers
package com.sun.javacard.impl;


public class NativeMethods {

}why-2.34/lib/javacard_api/com/sun/javacard/impl/Constants.java0000644000175000017500000000016212311670312022704 0ustar  rtusers
package com.sun.javacard.impl;


public interface Constants {

  public static final short APDU_BUFFER_LENGTH;

}why-2.34/lib/javacard_api/com/sun/javacard/impl/PackedBoolean.java0000644000175000017500000000010012311670312023407 0ustar  rtusers
package com.sun.javacard.impl;

public class PackedBoolean {

}why-2.34/lib/javacard_api/com/sun/javacard/impl/PrivAccess.java0000644000175000017500000000007612311670312022776 0ustar  rtuserspackage com.sun.javacard.impl;



public class PrivAccess {

}why-2.34/lib/harvey/0000755000175000017500000000000012311670312012661 5ustar  rtuserswhy-2.34/lib/harvey/caduceus_why.rv0000644000175000017500000002571612311670312015730 0ustar  rtusers(

(theory th_shift
 (extends)
 (axioms
(forall p (= (shift p 0)  p))

(forall p 
 (forall i 
  (forall j 
   (= (shift (shift p i) j) (shift p (+ i j))))))
))

(theory th_offset_shift
 (extends th_shift)
 (axioms
(forall p 
 (forall i 
  (= (offset (shift p i)) (+ (offset p) i))))
(forall p1 
 (forall p2 
  (forall i 
   (forall j 
    (-> (neq (+ (offset p1) i) (+ (offset p2) j))
	(neq (shift p1 i) (shift p2 j)))))))
))

(theory th_base_addr_shift
 (extends th_shift)
 (axioms
(forall p 
 (forall i 
  (= (base_addr (shift p i)) (base_addr p))))
))

(theory th_block_length_shift
 (extends th_shift)
 (axioms
(forall a 
 (forall p 
  (forall i 
   (= (block_length a (shift p i)) (block_length a p)))))
))

(theory th_base_addr_shift
 (extends th_shift)
 (axioms
(forall p1 
 (forall p2 
  (forall i 
   (forall j 
    (-> (neq (base_addr p1) (base_addr p2))
	(neq (shift p1 i) (shift p2 j)))))))
(forall p1 
 (forall p2 
  (-> (neq (base_addr p1) (base_addr p2))
      (forall i 
       (forall j 
        (neq (shift p1 i) (shift p2 j)))))))
))

(theory th_lt_pointer_def
 (extends th_base_addr_shift th_offset_shift)
 (axioms
(forall p1  p2 
 (<-> (lt_pointer p1  p2 )
      (and (= (base_addr p1)
	      (base_addr p2))
	   (< (offset p1)
	      (offset p2)))))
))

(theory th_le_pointer_def
 (extends th_base_addr_shift th_offset_shift)
 (axioms
(forall p1  p2 
 (<-> (le_pointer p1  p2 ) 
      (and (= (base_addr p1)
	      (base_addr p2))
	   (<= (offset p1)
	       (offset p2)))))
))

(theory th_gt_pointer_def
 (extends th_base_addr_shift th_offset_shift)
 (axioms
(forall p1  p2 
 (<-> (gt_pointer p1  p2 )
      (and (= (base_addr p1)
	      (base_addr p2))
	   (> (offset p1)
	      (offset p2)))))
))

(theory th_ge_pointer_def
 (extends th_base_addr_shift th_offset_shift)
 (axioms
(forall p1  p2 
 (<-> (ge_pointer p1  p2 ) 
      (and (= (base_addr p1)
	      (base_addr p2))
	   (>= (offset p1)
	       (offset p2)))))
))

(theory th_valid_def
 (extends) 
 (axioms
(forall a  p 
 (<-> (valid a  p ) 
      (and (<= 0 (offset p))
	   (< (offset p)
	      (block_length a p)))))
))

(theory th_valid_index_def
 (extends th_offset_shift th_block_length_shift)
 (axioms
(forall a  p  i 
 (<-> (valid_index a  p  i )
      (and (<= 0 (+ (offset p) i))
	   (< (+ (offset p) i) (block_length a p)))))
))

(theory th_valid_range_def
 (extends th_offset_shift th_block_length_shift)
 (axioms
(forall a  p  i  j 
 (<-> (valid_range a  p  i  j ) 
      (and (<= 0 (+ (offset p) i))
	   (and (<= i j) (< (+ (offset p) j) (block_length a p))))))
))


(theory th_base_addr_block_length
 (extends th_base_addr_shift th_block_length_shift)
 (axioms
(forall a 
 (forall p1 
  (forall p2 
   (-> (= (base_addr p1) (base_addr p2))
       (= (block_length a p1) (block_length a p2))))))
(forall p1 
 (forall p2 
  (-> (= (base_addr p1) (base_addr p2))
      (forall a 
       (= (block_length a p1) (block_length a p2))))))
))

(theory th_base_addr_offset
 (extends th_base_addr_shift th_offset_shift)
 (axioms
(forall p1 
 (forall p2 
  (-> (and (= (base_addr p1) (base_addr p2))
	   (= (offset p1) (offset p2)))
      (= p1 p2))))
(forall p1 
 (forall p2 
  (-> (= p1 p2) 
      (and (= (base_addr p1) (base_addr p2))
	   (= (offset p1) (offset p2))))))
))

(theory th_base_addr_offset_shift
 (extends th_base_addr_shift th_offset_shift th_shift)
 (axioms
(forall p1 
 (forall p2 
  (forall i 
   (forall j 
    (-> (= (base_addr p1) (base_addr p2))
	(-> (= (+ (offset p1) i) (+ (offset p2) j))
	    (= (shift p1 i) (shift p2 j))))))))
(forall p1 
 (forall p2 
  (-> (= (base_addr p1) (base_addr p2))
      (forall j 
       (forall i 
        (-> (= (+ (offset p1) i) (+ (offset p2) j))
	    (= (shift p1 i) (shift p2 j))))))))
))

;; (theory th_valid_index_valid_shift
;;  (extends th_valid_index_def th_valid_def th_shift th_valid_def)
;;  (axioms
;; (forall a 
;;  (forall p 
;;   (forall i 
;;    (-> (valid_index a p i) (valid a (shift p i))))))
;; ))

;; (theory th_valid_range_valid_shift
;;  (extends th_valid_range_def th_valid_def th_shift)
;;  (axioms
;; (forall a 
;;  (forall p 
;;   (forall i 
;;    (forall j 
;;     (forall k 
;;      (-> (valid_range a p i j)
;; 	 (-> (and (<= i k) (<= k j))
;; 	     (valid a (shift p k)))))))))
;; (forall a 
;;  (forall p 
;;   (forall i 
;;    (forall j 
;;     (-> (valid_range a p i j)
;; 	(forall k 
;; 	 (-> (and (<= i k) (<= k j))
;; 	     (valid a (shift p k)))))))))
;; ))

;; (theory th_valid_range_valid
;;  (extends th_valid_range_def th_valid_def)
;;  (axioms
;; (forall a 
;;  (forall p 
;;   (forall i 
;;    (forall j 
;;     (-> (valid_range a p i j)
;; 	(-> (and (<= i 0) (<= 0 j))
;; 	    (valid a p)))))))
;; ))

;; (theory th_valid_range_valid_index
;;  (extends th_valid_range_def th_valid_index_def)
;;  (axioms
;; (forall a 
;;  (forall p 
;;   (forall i 
;;    (forall j 
;;     (forall k 
;;      (-> (valid_range a p i j)
;; 	 (-> (and (<= i k) (<= k j))
;; 	     (valid_index a p k))))))))
;; (forall a 
;;  (forall p 
;;   (forall i 
;;    (forall j 
;;      (-> (valid_range a p i j)
;; 	 (forall k 
;;           (-> (and (<= i k) (<= k j))
;; 	      (valid_index a p k))))))))
;; ))

(theory th_base_addr_sub_pointer_offset
 (extends th_base_addr_shift th_offset_shift)
 (axioms
(forall p1 
 (forall p2 
  (-> (= (base_addr p1) (base_addr p2))
      (= (sub_pointer p1 p2) (- (offset p1) (offset p2))))))
))

(theory th_acc_upd
 (extends)
 (axioms
(forall m 
 (forall p 
  (forall a 
   (= (acc (upd m p a) p) a))))
(forall m 
 (forall p1 
  (forall p2 
   (forall a 
    (-> (= p1 p2) (= (acc (upd m p1 a) p2) a))))))
(forall p1 
 (forall p2 
  (-> (= p1 p2) 
      (forall m 
       (forall a 
	(= (acc (upd m p1 a) p2) a))))))
(forall m 
 (forall p1 
  (forall p2 
   (forall a 
    (-> (neq p1 p2)
	(= (acc (upd m p1 a) p2) (acc m p2)))))))
(forall p1 
 (forall p2 
  (-> (neq p1 p2)
      (forall m 
       (forall a 
        (= (acc (upd m p1 a) p2) (acc m p2)))))))
))

(theory th_assigns_def
 (extends) 
 (axioms
(forall a  m1  m2  l 
 (<-> (assigns a  m1  m2  l )
      (forall p 
       (-> (valid a p)
	   (-> (unchanged p l)
	       (= (acc m2 p) (acc m1 p)))))))
))

(theory th_unchanged_def
 (extends th_assigns_def)
 (axioms
(forall p 
 (unchanged p nothing_loc))
(forall p1 
 (forall p2 
  (-> (neq p1 p2)
      (unchanged p1 (pointer_loc p2)))))
(forall p1 
 (forall p2 
  (-> (unchanged p1 (pointer_loc p2))
      (neq p1 p2))))
))

(theory th_unchanged_union_loc
 (extends th_assigns_def)
 (axioms
(forall l1 
 (forall l2 
  (forall p 
   (-> (and (unchanged p l1)
	    (unchanged p l2))
       (unchanged p (union_loc l1 l2))))))
(forall l1 
 (forall l2 
  (forall p 
   (-> (unchanged p (union_loc l1 l2))
       (unchanged p l1)))))
(forall l1 
 (forall l2 
  (forall p 
   (-> (unchanged p (union_loc l1 l2))
       (unchanged p l2)))))
))

(theory th_unchanged_range_loc
 (extends th_shift th_assigns_def)
 (axioms
(forall p1 
 (forall p2 
  (forall a 
   (forall b 
    (-> 
     (forall i 
      (-> (and (<= a i) (<= i b))
	  (neq p1 (shift p2 i)))) 
     (unchanged p1 (range_loc p2 a b)))))))
(forall p1 
 (forall p2 
  (forall a 
   (forall b 
    (-> 
     (unchanged p1 (range_loc p2 a b))
     (forall i 
      (-> (and (<= a i) (<= i b)) (neq p1 (shift p2 i)))))))))
))

(theory th_unchanged_all_loc
 (extends th_base_addr_shift th_assigns_def)
 (axioms
(forall p1 
 (forall p2 
  (-> (neq (base_addr p1) (base_addr p2))
      (unchanged p1 (all_loc p2)))))
(forall p1 
 (forall p2 
  (-> 
   (unchanged p1 (all_loc p2))
   (neq (base_addr p1) (base_addr p2)))))
))

;; (theory th_assigns
;;  (extends th_assigns_def)
;;  (axioms
;; (forall a 
;;  (forall l 
;;   (forall m1 
;;    (forall m2 
;;     (forall m3 
;;      (-> (assigns a m1 m2 l)
;; 	 (-> (assigns a m2 m3 l)
;; 	     (assigns a m1 m3 l))))))))
;; (forall a 
;;  (forall l 
;;   (forall m1 
;;    (forall m2 
;;     (-> (assigns a m1 m2 l)
;;      (forall m3 
;;       (-> (assigns a m2 m3 l)
;; 	  (assigns a m1 m3 l))))))))
;; (forall a 
;;  (forall l 
;;   (forall m 
;;    (assigns a m m l))))
;; ))

(theory th_fresh_valid_shift
 (extends th_valid_def th_shift)
 (axioms
(forall a 
 (forall p 
  (-> (fresh a p) 
   (forall i 
    (not (valid a (shift p i)))))))
))

(theory th_allock_stack_valid
 (extends th_valid_def)
 (axioms
(forall p 
 (forall a1 
  (forall a2 
   (-> (alloc_stack p a1 a2)
       (valid a2 p)))))
(forall p 
 (forall a1 
  (forall a2 
   (-> (alloc_stack p a1 a2)
       (forall q 
        (-> (valid a1 q) (valid a2 q)))))))
))

(theory th_allock_stack_valid_range
 (extends th_valid_range_def)
 (axioms
(forall p 
 (forall a1 
  (forall a2 
   (-> (alloc_stack p a1 a2)
       (forall q 
        (forall i 
         (forall j 
          (-> (valid_range a1 q i j)
	      (valid_range a2 q i j)))))))))
))


(theory th_free_stack_valid_on_heap
 (extends th_valid_def)
 (axioms
(forall a1 
 (forall a2 
  (forall a3 
   (-> (free_stack a1 a2 a3)
       (forall p 
        (-> (valid a2 p)
	    (-> (on_heap a2 p)
		(valid a3 p))))))))
))

(theory th_free_stack_valid_on_stack
 (extends th_valid_def)
 (axioms
(forall a1 
 (forall a2 
  (forall a3 
   (-> (free_stack a1 a2 a3)
       (forall p 
        (-> (valid a1 p)
	    (-> (on_stack a1 p)
		(valid a3 p))))))))
))

(theory th_is_c_string_def
 (extends th_valid_range_def) 
 (axioms
(forall alloc  intP  src  n 
 (<-> (is_c_string alloc  intP  src  n )
      (and 
       (and 
        (and (>= n 0) (valid_range alloc src 0 n))
	(= (acc intP (shift src n)) 0))
       (forall i (-> (and (<= 0 i) (< i n))
		     (neq (acc intP (shift src i)) 0))))))
))

(theory valid1_def
  (extends th_valid_def th_valid_range_def)
  (axioms
;; Why predicate valid1
(forall m1
(<-> (valid1 m1) (forall p (forall a (-> (valid a p) (valid a (acc m1 p)))))))
;; Why predicate valid1_range
(forall m1 size
(<-> (valid1_range m1 size)
(forall p
(forall a (-> (valid a p) (valid_range a (acc m1 p) 0 (- size 1)))))))
))

(theory separation1_def
  (extends th_valid_def th_base_addr_shift)
  (axioms
;; Why predicate separation1
(forall m1 m2
(<-> (separation1 m1 m2)
(forall p
(forall a
(-> (valid a p) (not (= (base_addr (acc m1 p)) (base_addr (acc m2 p)))))))))

;; Why predicate separation1_range1
(forall m1 m2 size
(<-> (separation1_range1 m1 m2 size)
(forall p
(forall a
(-> (valid a p)
(forall i
(-> (and (<= 0 i) (< i size))
(not (= (base_addr (acc m1 (shift p i))) (base_addr (acc m2 p)))))))))))

;; Why predicate separation1_range
(forall m size
(<-> (separation1_range m size)
(forall p
(forall a
(-> (valid a p)
(forall i1
(forall i2
(-> (and (<= 0 i1) (< i1 size))
(-> (and (<= 0 i2) (< i2 size))
(-> (not (= i1 i2))
(not (= (base_addr (acc m (shift p i1))) (base_addr (acc m (shift p i2)))))))))))))))

;; Why predicate separation2
(forall m1 m2
(<-> (separation2 m1 m2)
(forall p1
(forall p2
(forall a
(-> (not (= p1 p2))
(not (= (base_addr (acc m1 p1)) (base_addr (acc m2 p2))))))))))

;; Why predicate separation2_range1
(forall m1 m2 size
(<-> (separation2_range1 m1 m2 size)
(forall p
(forall q
(forall a
(forall i
(-> (and (<= 0 i) (< i size))
(not (= (base_addr (acc m1 (shift p i))) (base_addr (acc m2 q)))))))))))
))


) ;; END THEORY
why-2.34/lib/emacs/0000755000175000017500000000000012311670312012453 5ustar  rtuserswhy-2.34/lib/emacs/why.el0000644000175000017500000001150512311670312013606 0ustar  rtusers
;; why.el - GNU Emacs mode for Why
;; Copyright (C) 2002 Jean-Christophe FILLIATRE

(defvar why-mode-hook nil)

(defvar why-mode-map nil
  "Keymap for Why major mode")

(if why-mode-map nil
  (setq why-mode-map (make-keymap))
  (define-key why-mode-map "\C-c\C-c" 'why-generate-obligations)
  (define-key why-mode-map "\C-c\C-a" 'why-find-alternate-file)
  (define-key why-mode-map "\C-c\C-v" 'why-viewer)
  (define-key why-mode-map [(control return)] 'font-lock-fontify-buffer))

(setq auto-mode-alist
      (append
       '(("\\.mlw" . why-mode))
       auto-mode-alist))

;; font-lock

(defun why-regexp-opt (l)
  (concat "\\<" (concat (regexp-opt l t) "\\>")))

(defconst why-font-lock-keywords-1
  (list
   '("(\\*\\([^*]\\|\\*[^)]\\)*\\*)" . font-lock-comment-face)
   '("{\\([^}]*\\)}" . font-lock-type-face)
   `(,(why-regexp-opt '("include" "inductive" "external" "logic" "parameter" "exception" "axiom" "predicate" "function" "goal" "type")) . font-lock-builtin-face)
   `(,(why-regexp-opt '("let" "rec" "in" "if" "then" "else" "begin" "end" "while" "do" "done" "label" "assert" "try" "with")) . font-lock-keyword-face)
   ; `(,(why-regexp-opt '("unit" "bool" "int" "float" "prop" "array")) . font-lock-type-face)
   )
  "Minimal highlighting for Why mode")

(defvar why-font-lock-keywords why-font-lock-keywords-1
  "Default highlighting for Why mode")

;; syntax

(defvar why-mode-syntax-table nil
  "Syntax table for why-mode")

(defun why-create-syntax-table ()
  (if why-mode-syntax-table
      ()
    (setq why-mode-syntax-table (make-syntax-table))
    (set-syntax-table why-mode-syntax-table)
    (modify-syntax-entry ?' "w" why-mode-syntax-table)
    (modify-syntax-entry ?_ "w" why-mode-syntax-table)))

;; utility functions 

(defun why-go-and-get-next-proof ()
  (let ((bp (search-forward "Proof." nil t)))
    (if (null bp) (progn (message "Cannot find a proof below") nil)
      (let ((bs (re-search-forward "Save\\|Qed\\." nil t)))
	(if (null bs) (progn (message "Cannot find a proof below") nil)
	  (if (> bs (+ bp 6))
	      (let ((br (+ bp 1))
		    (er (progn (goto-char bs) (beginning-of-line) (point))))
		(progn (kill-region br er) t))
	    (why-go-and-get-next-proof)))))))

(defun why-grab-next-proof ()
  "grab the next non-empty proof below and insert it at current point"
  (interactive)
  (if (save-excursion (why-go-and-get-next-proof)) (yank)))

;; custom variables

(require 'custom)

(defcustom why-prover "coq"
  "Why prover"
  :group 'why :type '(choice (const :tag "Coq" "coq")
			     (const :tag "PVS" "pvs")))

(defcustom why-prog-name "why"
  "Why executable name"
  :group 'why :type 'string)

(defcustom why-options "--valid"
  "Why options"
  :group 'why :type 'string)

(defcustom why-viewer-prog-name "why_viewer"
  "Why viewer executable name"
  :group 'why :type 'string)

(defun why-command-line (file)
  (concat why-prog-name " -" why-prover " " why-options " " file))

(defun why-find-alternate-file ()
  "switch to the proof obligations buffer"
  (interactive)
  (let* ((f (buffer-file-name))
	 (fcoq (concat (file-name-sans-extension f) "_why.v")))
    (find-file fcoq)))

(defun why-generate-obligations ()
  "generate the proof obligations"
  (interactive)
  (let ((f (buffer-name)))
    (compile (why-command-line f))))

(defun why-viewer-command-line (file)
  (concat why-viewer-prog-name " " file))

(defun why-viewer ()
  "launch the why viewer"
  (interactive)
  (let ((f (buffer-name)))
    (compile (why-viewer-command-line f))))

(defun why-generate-ocaml ()
  "generate the ocaml code"
  (interactive)
  (let ((f (buffer-name)))
    (compile (concat why-prog-name " --ocaml " f))))

;; menu

(require 'easymenu)

(defun why-menu ()
  (easy-menu-define
   why-mode-menu (list why-mode-map)
   "Why Mode Menu." 
   '("Why"
     ["Customize Why mode" (customize-group 'why) t]
     "---"
     ["Type-check buffer" why-type-check t]
     ; ["Show WP" why-show-wp t]
     ["Why viewer" why-viewer t]
     ["Generate obligations" why-generate-obligations t]
     ["Switch to obligations buffer" why-find-alternate-file t]
     ["Generate Ocaml code" why-generate-ocaml t]
     ["Recolor buffer" font-lock-fontify-buffer t]
     "---"
     "Coq"
     ["Grab next proof" why-grab-next-proof t]
     "---"
     "PVS"
     "---"
     ))
  (easy-menu-add why-mode-menu))

;; setting the mode

(defun why-mode ()
  "Major mode for editing Why programs.

\\{why-mode-map}"
  (interactive)
  (kill-all-local-variables)
  (why-create-syntax-table)
  ; hilight
  (make-local-variable 'font-lock-defaults)
  (setq font-lock-defaults '(why-font-lock-keywords))
  ; indentation
  ; (make-local-variable 'indent-line-function)
  ; (setq indent-line-function 'why-indent-line)
  ; menu
  ; providing the mode
  (setq major-mode 'why-mode)
  (setq mode-name "WHY")
  (use-local-map why-mode-map)
  (font-lock-mode 1)
  (why-menu)
  (run-hooks 'why-mode-hook))

(provide 'why-mode)

why-2.34/lib/mizar/0000755000175000017500000000000012311670312012505 5ustar  rtuserswhy-2.34/lib/mizar/why.miz0000644000175000017500000000741612311670312014045 0ustar  rtusersenviron
 vocabulary WHY, INT_1, ARYTM, ARYTM_1, AFINSQ_1, FINSEQ_1, FUNCT_1,
  FUNCT_4, MARGREL1, ALGSTR_1, RELAT_1, BOOLE, XCMPLX_0, FINSEQ_7;
 notation TARSKI, XBOOLE_0, SUBSET_1, INT_1, XREAL_0, ARYTM_0, XCMPLX_0,
  FUNCT_1, REAL_1, MARGREL1, ALGSTR_1, NAT_1, AFINSQ_1;
 constructors INT_1, AFINSQ_1, MARGREL1, ALGSTR_1, CQC_LANG, NAT_1;
 clusters INT_1, MARGREL1, XREAL_0, ARYTM_0, XCMPLX_0;
 requirements REAL, NUMERALS, BOOLE, SUBSET, ARITHM;
 theorems INT_1, XCMPLX_1, REAL_1, AXIOMS, SQUARE_1, MARGREL1,
  TARSKI, FUNCT_1, ORDINAL1, FUNCT_7;

begin :: if-then-else

definition
 let b be Element of BOOLEAN;
 let x,y be set;
 func if-then-else(b,x,y) -> set means :Def1:
  b = TRUE & it = x or b = FALSE & it = y;
 existence
 proof
  b = TRUE or b = FALSE by MARGREL1:39;
  hence thesis;
 end;
 uniqueness by MARGREL1:38;
end;

definition
 let A be set;
 let b be Element of BOOLEAN;
 let x,y be Element of A;
 redefine func if-then-else(b,x,y) -> Element of A;
 coherence by Def1;
end;

definition
 let b be Element of BOOLEAN;
 let x,y be Integer;
 redefine func if-then-else(b,x,y) -> Integer;
 coherence by Def1;
end;

theorem for x,y being set holds
 if-then-else(TRUE,x,y) = x by Def1;

theorem for x,y being set holds
 if-then-else(FALSE,x,y) = y by Def1;

theorem for b being Element of BOOLEAN, x being set holds
 if-then-else(b,x,x) = x by Def1;

begin :: redefining the array funcs to have the right types

definition
 let A be set;
 attr A is zero_containing means :Def2:
  0 in A;
end;

definition
 cluster zero_containing -> non empty set;
 coherence by Def2;
end;

definition
 cluster {0} -> zero_containing;
 coherence
 proof
  0 in {0} by TARSKI:def 1;
  hence thesis by Def2;
 end;
end;

definition
 cluster BOOLEAN -> zero_containing;
 coherence
 proof
  0 in {0,1} by TARSKI:def 2;
  hence thesis by Def2,MARGREL1:def 12;
 end;
end;

definition
 cluster INT -> zero_containing;
 coherence
 proof
  0 is Element of INT by INT_1:def 2;
  hence thesis by Def2;
 end;
end;

definition
 cluster REAL -> zero_containing;
 coherence by Def2;
end;

definition
 cluster zero_containing set;
 existence
 proof
  take {0};
  thus thesis;
 end;
end;

definition
 let A be zero_containing set;
 let a be XFinSequence of A;
 let i be number;
 redefine func a.i -> Element of A;
 coherence
 proof
A1: rng a c= A by ORDINAL1:def 8;
  per cases;
  suppose i in dom a;
   then a.i in rng a by FUNCT_1:12;
   hence thesis by A1;
  suppose not i in dom a;
   then a.i = {} by FUNCT_1:def 4;
   hence thesis by Def2;
 end;
end;

definition
 let A be non empty set;
 let a be XFinSequence of A;
 let i be number;
 let x be Element of A;
 redefine func a+*(i,x) -> XFinSequence of A;
 coherence
 proof
  per cases;
  suppose i in dom a;
   then reconsider i' = i as Nat;
   Replace(a,i',x) is XFinSequence of A;
   hence thesis;
  suppose not i in dom a;
   hence thesis by FUNCT_7:def 3;
 end;
end;

definition
 let a be XFinSequence of INT;
 let i be number;
 let x be Integer;
 redefine func a+*(i,x) -> XFinSequence of INT;
 coherence
 proof
  reconsider x' = x as Element of INT by INT_1:def 2;
  a+*(i,x') is XFinSequence of INT;
  hence thesis;
 end;
end;

begin :: a few handy lemmas (are they already somewhere else in MML?)

 reserve i,j for integer number;
 reserve a,b,c for complex number;

theorem Th4: i <= j iff i < j + 1
proof
 hereby
  assume
A1: i <= j;
  j + 0 < j + 1 by REAL_1:67;
  hence i < j + 1 by A1,AXIOMS:22;
 end;
 thus thesis by INT_1:20;
end;

theorem Th5: i < j iff i <= j - 1
proof
 j = (j - 1) + 1 by XCMPLX_1:27;
 hence thesis by Th4;
end;

theorem Th6: i < j + 1 iff i < j or i = j
proof
 (i < j + 1 iff i <= j) & (i <= j iff i < j or i = j) by Th4,AXIOMS:21;
 hence thesis;
end;

theorem Th7: (a + c) + (b - c) = a + b
proof
 thus a + c + (b - c) = a + (b - c + c) by XCMPLX_1:1
  .= a + b by XCMPLX_1:27;
end;

why-2.34/lib/mizar/dict/0000755000175000017500000000000012311670312013430 5ustar  rtuserswhy-2.34/lib/mizar/dict/why.voc0000644000175000017500000000003712311670312014750 0ustar  rtusersOif-then-else
Vzero_containing
why-2.34/lib/pvs/0000755000175000017500000000000012311670312012173 5ustar  rtuserswhy-2.34/lib/pvs/whyfloat.pvs0000644000175000017500000000651012311670312014564 0ustar  rtusersfloatbis[radix:above(1)]: THEORY

BEGIN
  IMPORTING float@float[radix]

  b  : VAR Format
  r  : VAR real

  RND_Zero(b)(x:real): (Fcanonic?(b)) =
     if (0 <= x) 
        then RND_Min(b)(x)
        else RND_Max(b)(x)
     endif

  RND_AFZClosest(b)(x:real): (Fcanonic?(b)) =
   if     abs(RND_Min(b)(x)-x) < abs(RND_Max(b)(x)-x) then RND_Min(b)(x)
    elsif abs(RND_Max(b)(x)-x) < abs(RND_Min(b)(x)-x) then RND_Max(b)(x)
    elsif RND_Min(b)(x)=RND_Max(b)(x)::real then RND_Min(b)(x)
    elsif (0 <= x) then RND_Max(b)(x)
    else  RND_Min(b)(x)
   endif


  RND_Zero_isToZero: lemma ToZero?(b)(r,RND_Zero(b)(r))
  RND_AClosest_isAFZclosest : lemma AFZClosest?(b)(r,RND_AFZClosest(b)(r))

END floatbis



whyfloat: THEORY

BEGIN
  IMPORTING reals@sqrt
  IMPORTING floatbis[2]


  mode: TYPE = { nearest_even, to_zero, up, down, nearest_away }


  % IEEE-754 DOUBLE PRECISION
  bdouble: Format = (# Prec :=53, dExp :=1074 #)

  double: TYPE = [# float:(Fcanonic?(bdouble)), 
                    d_to_exact:real, d_to_model:real #] 
 
  d_to_r(f:double):real = FtoR(float(f))
  double_round_error(f:double):real = abs(d_to_exact(f) - d_to_r(f))
  double_total_error(f:double):real = abs(d_to_model(f) - d_to_r(f))
  double_set_model(f:double)(r:real):double = 
           (# float:=float(f), d_to_exact:=d_to_exact(f),
              d_to_model:=r #)

  r_to_d_aux(m:mode)(r,r1,r2:real):double =
    cases m of
      nearest_even:(# float:= RND_EClosest(bdouble)(r),
           d_to_exact:=r1, d_to_model:= r2 #), 
      up:          (# float:= RND_Max(bdouble)(r),
           d_to_exact:=r1, d_to_model:= r2 #),
      down:        (# float:= RND_Min(bdouble)(r),
           d_to_exact:=r1, d_to_model:= r2 #),
      to_zero:     (# float:= RND_Zero(bdouble)(r),
           d_to_exact:=r1, d_to_model:= r2 #),
      nearest_away:(# float:= RND_AFZClosest(bdouble)(r),
           d_to_exact:=r1, d_to_model:= r2 #)
    endcases

  r_to_d(m:mode,r:real):double = r_to_d_aux(m)(r,r,r)

  add_double(m:mode,f1,f2:double):double =
     r_to_d_aux(m)(d_to_r(f1)+d_to_r(f2), 
                  d_to_exact(f1)+d_to_exact(f2),
                  d_to_model(f1)+d_to_model(f2))

  sub_double(m:mode,f1,f2:double):double =
     r_to_d_aux(m)(d_to_r(f1)-d_to_r(f2), 
                  d_to_exact(f1)-d_to_exact(f2),
                  d_to_model(f1)-d_to_model(f2))

  mul_double(m:mode,f1,f2:double):double =
     r_to_d_aux(m)(d_to_r(f1)*d_to_r(f2), 
                  d_to_exact(f1)*d_to_exact(f2),
                  d_to_model(f1)*d_to_model(f2))

  div_double(m:mode,f1:double,f2:double | d_to_r(f2) /= 0 
          AND d_to_exact(f2) /= 0 AND d_to_model(f2) /= 0):double =
     r_to_d_aux(m)(d_to_r(f1)/d_to_r(f2), 
                  d_to_exact(f1)/d_to_exact(f2),
                  d_to_model(f1)/d_to_model(f2))

  sqrt_double(m:mode,f1:double | d_to_r(f1) >= 0 
          AND d_to_exact(f1) >= 0 AND d_to_model(f1) >= 0):double =
     r_to_d_aux(m)(sqrt(d_to_r(f1)), 
                   sqrt(d_to_exact(f1)),
                   sqrt(d_to_model(f1)))

  neg_double(m:mode,f1:double):double =
      (# float:= Fopp(float(f1)),
         d_to_exact:=-d_to_exact(f1), d_to_model:= -d_to_model(f1) #) 

  abs_double(m:mode,f1:double):double =
      (# float:= Fabs(float(f1)),
         d_to_exact:=abs(d_to_exact(f1)), d_to_model:= abs(d_to_model(f1)) #) 

  max_double:real = ((2-2^(-52))*2^1023)

END whyfloat
why-2.34/lib/pvs/pvscontext.el0000644000175000017500000000012712311670312014732 0ustar  rtusers(let ((current-prefix-arg t))
  (typecheck-prove-importchain "top")
  (save-context))

why-2.34/lib/pvs/jessie.prf0000644000175000017500000005704512311670312014201 0ustar  rtusers(jessie_why)
(jessie_why_decls0
 (shift_TCC1 0
  (shift_TCC1-1 nil 3425207131 3425207173 ("" (subtype-tcc) nil nil)
   unchecked ((same_block const-decl "bool" jessie_why_decls0 nil)) 6 0
   nil nil)))
(jessie_why_axioms0
 (null_not_valid 0
  (null_not_valid-1 nil 3425206051 3425206070 ("" (grind) nil nil)
   unchecked
   ((null const-decl "pointer" jessie_why_decls0 nil)
    (offset_min const-decl "int" jessie_why_decls0 nil)
    (offset_max const-decl "int" jessie_why_decls0 nil)
    (valid const-decl "bool" jessie_why_decls0 nil))
   1902 10 t shostak))
 (null_pointer 0
  (null_pointer-1 nil 3425206090 3425206558 ("" (grind) nil nil)
   unfinished
   ((null const-decl "pointer" jessie_why_decls0 nil)
    (offset_min const-decl "int" jessie_why_decls0 nil)
    (offset_max const-decl "int" jessie_why_decls0 nil))
   3531 10 t shostak))
 (sub_pointer_shift 0
  (sub_pointer_shift-1 nil 3425207372 3425207374 ("" (grind) nil nil)
   unchecked
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (address nonempty-type-decl nil jessie_why_decls0 nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (pointer type-eq-decl nil jessie_why_decls0 nil)
    (same_block const-decl "bool" jessie_why_decls0 nil)
    (sub_pointer const-decl "int" jessie_why_decls0 nil)
    (shift const-decl "(same_block(p))" jessie_why_decls0 nil)
    (minus_odd_is_odd application-judgement "odd_int" integers nil))
   1869 20 t shostak))
 (sub_pointer_self_TCC1 0
  (sub_pointer_self_TCC1-1 nil 3425206935 3425207216
   ("" (grind) nil nil) unchecked
   ((same_block const-decl "bool" jessie_why_decls0 nil)) 4 0 t nil))
 (sub_pointer_self 0
  (sub_pointer_self-1 nil 3425207264 3425207267 ("" (grind) nil nil)
   unchecked ((sub_pointer const-decl "int" jessie_why_decls0 nil))
   2359 10 t shostak))
 (sub_pointer_zero 0
  (sub_pointer_zero-1 nil 3425207421 3425207469
   ("" (grind) (("" (decompose-equality 1) nil nil)) nil) unchecked
   ((int_minus_int_is_int application-judgement "int" integers nil)
    (boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (address nonempty-type-decl nil jessie_why_decls0 nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (pointer type-eq-decl nil jessie_why_decls0 nil)
    (same_block const-decl "bool" jessie_why_decls0 nil)
    (minus_odd_is_odd application-judgement "odd_int" integers nil)
    (sub_pointer const-decl "int" jessie_why_decls0 nil))
   18031 40 t shostak))
 (sub_pointer_shift_left_TCC1 0
  (sub_pointer_shift_left_TCC1-1 nil 3425205007 3425207216
   ("" (subtype-tcc) nil nil) unchecked
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (address nonempty-type-decl nil jessie_why_decls0 nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (pointer type-eq-decl nil jessie_why_decls0 nil)
    (shift const-decl "(same_block(p))" jessie_why_decls0 nil)
    (same_block const-decl "bool" jessie_why_decls0 nil))
   15 20 nil nil))
 (sub_pointer_shift_left 0
  (sub_pointer_shift_left-1 nil 3425207489 3425207491
   ("" (grind) nil nil) unchecked
   ((shift const-decl "(same_block(p))" jessie_why_decls0 nil)
    (sub_pointer const-decl "int" jessie_why_decls0 nil)
    (int_minus_int_is_int application-judgement "int" integers nil)
    (minus_odd_is_odd application-judgement "odd_int" integers nil))
   1938 20 t shostak))
 (sub_pointer_shift_right_TCC1 0
  (sub_pointer_shift_right_TCC1-1 nil 3425206935 3425207216
   ("" (subtype-tcc) nil nil) unchecked
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (address nonempty-type-decl nil jessie_why_decls0 nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (pointer type-eq-decl nil jessie_why_decls0 nil)
    (shift const-decl "(same_block(p))" jessie_why_decls0 nil)
    (same_block const-decl "bool" jessie_why_decls0 nil))
   14 10 nil nil))
 (sub_pointer_shift_right 0
  (sub_pointer_shift_right-1 nil 3425207506 3425207507
   ("" (grind) nil nil) unchecked
   ((minus_odd_is_odd application-judgement "odd_int" integers nil)
    (mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil)
    (int_minus_int_is_int application-judgement "int" integers nil)
    (sub_pointer const-decl "int" jessie_why_decls0 nil)
    (shift const-decl "(same_block(p))" jessie_why_decls0 nil))
   1616 40 t shostak))
 (valid_pset_empty 0
  (valid_pset_empty-1 nil 3425208201 3425208203 ("" (grind) nil nil)
   unchecked
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (= const-decl "[T, T -> boolean]" equalities nil)
    (address nonempty-type-decl nil jessie_why_decls0 nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (null_address const-decl "address" jessie_why_decls0 nil)
    (numfield nonempty-type-eq-decl nil number_fields nil)
    (- const-decl "[numfield -> numfield]" number_fields nil)
    (alloc_table type-eq-decl nil jessie_why_decls0 nil)
    (emptyset const-decl "set" sets nil)
    (pset type-eq-decl nil jessie_why_decls0 nil)
    (pointer type-eq-decl nil jessie_why_decls0 nil)
    (offset_min const-decl "int" jessie_why_decls0 nil)
    (offset_max const-decl "int" jessie_why_decls0 nil)
    (valid const-decl "bool" jessie_why_decls0 nil)
    (valid_pset const-decl "bool" jessie_why_decls0 nil)
    (finite_emptyset name-judgement "finite_set" finite_sets nil)
    (minus_odd_is_odd application-judgement "odd_int" integers nil)
    (int_minus_int_is_int application-judgement "int" integers nil))
   1838 40 t shostak))
 (valid_pset_singleton 0
  (valid_pset_singleton-1 nil 3425208215 3425208217
   ("" (grind) nil nil) unchecked
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (= const-decl "[T, T -> boolean]" equalities nil)
    (address nonempty-type-decl nil jessie_why_decls0 nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (null_address const-decl "address" jessie_why_decls0 nil)
    (numfield nonempty-type-eq-decl nil number_fields nil)
    (- const-decl "[numfield -> numfield]" number_fields nil)
    (alloc_table type-eq-decl nil jessie_why_decls0 nil)
    (pointer type-eq-decl nil jessie_why_decls0 nil)
    (set type-eq-decl nil sets nil)
    (singleton? const-decl "bool" sets nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (minus_int_is_int application-judgement "int" integers nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (offset_min const-decl "int" jessie_why_decls0 nil)
    (offset_max const-decl "int" jessie_why_decls0 nil)
    (valid const-decl "bool" jessie_why_decls0 nil)
    (valid_pset const-decl "bool" jessie_why_decls0 nil)
    (nonempty_singleton_finite application-judgement
     "non_empty_finite_set" finite_sets nil)
    (minus_odd_is_odd application-judgement "odd_int" integers nil)
    (int_minus_int_is_int application-judgement "int" integers nil)
    (singleton const-decl "(singleton?)" sets nil))
   1759 100 t shostak))
 (valid_pset_range 0
  (valid_pset_range-1 nil 3425208233 3425208919
   ("" (skeep)
    (("" (skeep)
      (("" (skeep)
        (("" (skeep)
          (("" (split)
            (("1" (flatten)
              (("1" (skeep)
                (("1" (skeep)
                  (("1" (expand "valid_pset")
                    (("1" (inst? -1)
                      (("1" (expand "pset_range")
                        (("1" (inst 1 "r" "i")
                          (("1" (assert) nil nil)
                           ("2" (expand "member")
                            (("2" (propax) nil nil)) nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil)
             ("2" (flatten)
              (("2" (expand "valid_pset")
                (("2" (skeep 1)
                  (("2" (typepred "p")
                    (("2" (expand "pset_range")
                      (("2" (skeep -1)
                        (("2" (inst -2 "k")
                          (("2" (inst -2 "p_1") (("2" (grind) nil nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil))
    nil)
   unchecked
   ((valid const-decl "bool" jessie_why_decls0 nil)
    (offset_max const-decl "int" jessie_why_decls0 nil)
    (offset_min const-decl "int" jessie_why_decls0 nil)
    (int_plus_int_is_int application-judgement "int" integers nil)
    (minus_int_is_int application-judgement "int" integers nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (int_minus_int_is_int application-judgement "int" integers nil)
    (minus_odd_is_odd application-judgement "odd_int" integers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (address nonempty-type-decl nil jessie_why_decls0 nil)
    (number nonempty-type-decl nil numbers nil)
    (boolean nonempty-type-decl nil booleans nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (pointer type-eq-decl nil jessie_why_decls0 nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (pset type-eq-decl nil jessie_why_decls0 nil)
    (pset_range const-decl "pset" jessie_why_decls0 nil)
    (same_block const-decl "bool" jessie_why_decls0 nil)
    (shift const-decl "(same_block(p))" jessie_why_decls0 nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (subrange type-eq-decl nil integers nil)
    (<= const-decl "bool" reals nil)
    (AND const-decl "[bool, bool -> bool]" booleans nil)
    (member const-decl "bool" sets nil)
    (valid_pset const-decl "bool" jessie_why_decls0 nil))
   106928 150 t shostak))
 (valid_pset_union 0
  (valid_pset_union-1 nil 3425209008 3425209016
   ("" (skeep)
    (("" (skeep) (("" (skeep) (("" (grind) nil nil)) nil)) nil)) nil)
   unfinished
   ((member const-decl "bool" sets nil)
    (union const-decl "set" sets nil)
    (minus_int_is_int application-judgement "int" integers nil)
    (boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (address nonempty-type-decl nil jessie_why_decls0 nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (pointer type-eq-decl nil jessie_why_decls0 nil)
    (pset type-eq-decl nil jessie_why_decls0 nil)
    (set type-eq-decl nil sets nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (offset_min const-decl "int" jessie_why_decls0 nil)
    (offset_max const-decl "int" jessie_why_decls0 nil)
    (valid const-decl "bool" jessie_why_decls0 nil)
    (valid_pset const-decl "bool" jessie_why_decls0 nil)
    (minus_odd_is_odd application-judgement "odd_int" integers nil)
    (int_minus_int_is_int application-judgement "int" integers nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil))
   7567 400 t shostak))
 (alloc_extends_offset_min 0
  (alloc_extends_offset_min-1 nil 3425209324 3425209326
   ("" (grind) nil nil) unchecked
   ((alloc_extends const-decl "bool" jessie_why_decls0 nil)
    (offset_min const-decl "int" jessie_why_decls0 nil))
   1867 10 t shostak))
 (alloc_extends_offset_max 0
  (alloc_extends_offset_max-1 nil 3425209334 3425209862
   ("" (grind) nil nil) untried
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (= const-decl "[T, T -> boolean]" equalities nil)
    (address nonempty-type-decl nil jessie_why_decls0 nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (null_address const-decl "address" jessie_why_decls0 nil)
    (numfield nonempty-type-eq-decl nil number_fields nil)
    (- const-decl "[numfield -> numfield]" number_fields nil)
    (alloc_table type-eq-decl nil jessie_why_decls0 nil)
    (alloc_extends const-decl "bool" jessie_why_decls0 nil)
    (offset_max const-decl "int" jessie_why_decls0 nil)
    (minus_odd_is_odd application-judgement "odd_int" integers nil)
    (int_minus_int_is_int application-judgement "int" integers nil))
   4428 30 t shostak)))
(jessie_why_decls1)
(jessie_why_axioms1
 (not_assigns_refl 0
  (not_assigns_refl-1 nil 3425209912 3425209914 ("" (grind) nil nil)
   unchecked
   ((A formal-nonempty-type-decl nil jessie_why_axioms1 nil)
    (not_assigns const-decl "bool" jessie_why_decls1 nil))
   2086 10 t shostak))
 (not_assigns_trans 0
  (not_assigns_trans-1 nil 3425209930 3425209932 ("" (grind) nil nil)
   unchecked
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (= const-decl "[T, T -> boolean]" equalities nil)
    (address nonempty-type-decl nil jessie_why_decls0 nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (null_address const-decl "address" jessie_why_decls0 nil)
    (numfield nonempty-type-eq-decl nil number_fields nil)
    (- const-decl "[numfield -> numfield]" number_fields nil)
    (alloc_table type-eq-decl nil jessie_why_decls0 nil)
    (pointer type-eq-decl nil jessie_why_decls0 nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (minus_int_is_int application-judgement "int" integers nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (offset_min const-decl "int" jessie_why_decls0 nil)
    (offset_max const-decl "int" jessie_why_decls0 nil)
    (valid const-decl "bool" jessie_why_decls0 nil)
    (member const-decl "bool" sets nil)
    (A formal-nonempty-type-decl nil jessie_why_axioms1 nil)
    (not_assigns const-decl "bool" jessie_why_decls1 nil)
    (minus_odd_is_odd application-judgement "odd_int" integers nil)
    (int_minus_int_is_int application-judgement "int" integers nil))
   2086 120 t shostak)))
(jessie_why_deref
 (in_pset_deref 0
  (in_pset_deref-1 nil 3425210116 3425210190
   ("" (skeep)
    (("" (skeep)
      (("" (skeep)
        (("" (split)
          (("1" (flatten)
            (("1" (expand "member")
              (("1" (expand "pset_deref")
                (("1" (skeep -1)
                  (("1" (inst 1 "r") (("1" (assert) nil nil)) nil))
                  nil))
                nil))
              nil))
            nil)
           ("2" (flatten)
            (("2" (skeep -1)
              (("2" (expand "member")
                (("2" (expand "pset_deref")
                  (("2" (inst 1 "r") nil nil)) nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil))
    nil)
   proved
   ((member const-decl "bool" sets nil)
    (pset type-eq-decl nil jessie_why_decls0 nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (pointer type-eq-decl nil jessie_why_decls0 nil)
    (int nonempty-type-eq-decl nil integers nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (boolean nonempty-type-decl nil booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (address nonempty-type-decl nil jessie_why_decls0 nil)
    (pset_deref const-decl "pset" jessie_why_deref nil)
    (q skolem-const-decl "pset" jessie_why_deref nil)
    (r skolem-const-decl "pointer" jessie_why_deref nil))
   74732 130 t shostak))
 (valid_pset_deref 0
  (valid_pset_deref-1 nil 3425210230 3425210349
   ("" (skeep)
    (("" (skeep)
      (("" (skeep)
        (("" (split)
          (("1" (flatten)
            (("1" (expand "valid_pset")
              (("1" (skeep)
                (("1" (skeep)
                  (("1" (inst? -1) (("1" (grind) nil nil)) nil)) nil))
                nil))
              nil))
            nil)
           ("2" (flatten)
            (("2" (expand "valid_pset")
              (("2" (skeep)
                (("2" (typepred "p")
                  (("2" (expand "pset_deref")
                    (("2" (skeep -1)
                      (("2" (inst -2 "r")
                        (("2" (inst -2 "p") (("2" (grind) nil nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil))
    nil)
   proved
   ((valid_pset const-decl "bool" jessie_why_decls0 nil)
    (minus_odd_is_odd application-judgement "odd_int" integers nil)
    (int_minus_int_is_int application-judgement "int" integers nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (minus_int_is_int application-judgement "int" integers nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (member const-decl "bool" sets nil)
    (offset_min const-decl "int" jessie_why_decls0 nil)
    (offset_max const-decl "int" jessie_why_decls0 nil)
    (valid const-decl "bool" jessie_why_decls0 nil)
    (m skolem-const-decl "memory[pointer]" jessie_why_deref nil)
    (q skolem-const-decl "pset" jessie_why_deref nil)
    (p skolem-const-decl "pointer" jessie_why_deref nil)
    (pset_deref const-decl "pset" jessie_why_deref nil)
    (pset type-eq-decl nil jessie_why_decls0 nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (memory type-eq-decl nil jessie_why_decls1 nil)
    (pointer type-eq-decl nil jessie_why_decls0 nil)
    (int nonempty-type-eq-decl nil integers nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (boolean nonempty-type-decl nil booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (address nonempty-type-decl nil jessie_why_decls0 nil)
    (NOT const-decl "[bool -> bool]" booleans nil))
   115971 80 t nil)))
(jessie_why_fully_packed)
why-2.34/lib/pvs/top.pvs0000644000175000017500000000007712311670312013533 0ustar  rtuserstop : THEORY
BEGIN

  IMPORTING why, whyfloat, jessie

END top
why-2.34/lib/pvs/jessie.pvs0000644000175000017500000002372612311670312014221 0ustar  rtusers
jessie: THEORY
BEGIN

  IMPORTING why

  IMPORTING jessie_bw_ops, jessie_pointers, jessie_memory, jessie_psets, jessie_tags 

END jessie

jessie_bw_ops: THEORY
BEGIN

 bw_compl: [int -> int]

 bw_and: [int, int -> int]

 bw_xor: [int, int -> int]

 bw_or: [int, int -> int]

 lsl: [int, int -> int]

 lsr: [int, int -> int]

 asr: [int, int -> int]

 %% Why axiom bw_and_not_null
 bw_and_not_null: AXIOM
   (FORALL (a: int):
   (FORALL (b: int):
   (bw_and(a, b) /= 0 IMPLIES a /= 0 AND b /= 0)))

 %% Why axiom lsl_left_positive_returns_positive
 lsl_left_positive_returns_positive: AXIOM
   (FORALL (a: int):
   (FORALL (b: int):
   (0 <= a AND 0 <= b IMPLIES 0 <= lsl(a, b))))

 %% Why axiom lsl_left_positive_monotone
 lsl_left_positive_monotone: AXIOM
   (FORALL (a1: int):
   (FORALL (a2: int):
   (FORALL (b: int):
   (0 <= a1 AND (a1 <= a2 AND 0 <= b) IMPLIES
   lsl(a1, b) <= lsl(a2, b)))))

 %% Why axiom lsr_left_positive_returns_positive
 lsr_left_positive_returns_positive: AXIOM
   (FORALL (a: int):
   (FORALL (b: int):
   (0 <= a AND 0 <= b IMPLIES 0 <= lsr(a, b))))

 %% Why axiom lsr_left_positive_decreases
 lsr_left_positive_decreases: AXIOM
   (FORALL (a: int):
   (FORALL (b: int):
   (0 <= a AND 0 <= b IMPLIES lsr(a, b) <= a)))

 %% Why axiom asr_positive_on_positive
 asr_positive_on_positive: AXIOM
   (FORALL (a: int):
   (FORALL (b: int):
   (0 <= a AND 0 <= b IMPLIES 0 <= asr(a, b))))

 %% Why axiom asr_decreases_on_positive
 asr_decreases_on_positive: AXIOM
   (FORALL (a: int):
   (FORALL (b: int):
   (0 <= a AND 0 <= b IMPLIES asr(a, b) <= a)))

 %% Why axiom asr_lsr_same_on_positive
 asr_lsr_same_on_positive: AXIOM
   (FORALL (a: int):
   (FORALL (b: int):
   (0 <= a AND 0 <= b IMPLIES asr(a, b) = lsr(a, b))))

 %% Why axiom lsl_of_lsr_decreases_on_positive
 lsl_of_lsr_decreases_on_positive: AXIOM
   (FORALL (a: int):
   (FORALL (b: int):
   (0 <= a AND 0 <= b IMPLIES lsl(lsr(a, b), b) <= a)))

 %% Why axiom lsr_of_lsl_identity_on_positive
 lsr_of_lsl_identity_on_positive: AXIOM
   (FORALL (a: int):
   (FORALL (b: int):
   (0 <= a AND 0 <= b IMPLIES lsr(lsl(a, b), b) = a)))

END jessie_bw_ops

jessie_pointers: THEORY
BEGIN

 address : TYPE+ 

 pointer : TYPE = [address,int] 

 same_block(p:pointer)(q:pointer): bool = p`1 = q`1

 null_address : address

 null : pointer = (null_address,0)

 alloc_table: TYPE = {f:[address -> int] | f(null_address) = -1}

 offset_min(a:alloc_table,p:pointer) : int = -p`2

 offset_max(a:alloc_table,p:pointer) : int = a(p`1) - p`2 - 1

 valid(a:alloc_table)(p:pointer) : bool =
   offset_min(a, p) <= 0 AND 
   offset_max(a, p) >= 0

 %% Why axiom null_not_valid
 null_not_valid: LEMMA
   (FORALL (a: alloc_table): NOT valid(a)(null))

 %% Why axiom null_pointer
 null_pointer: LEMMA
   (FORALL (a: alloc_table):
   offset_min(a, null) >= 0 AND
   offset_max(a, null) <= -2)

 %% Why logic alloc_extends (at2 extends at1)
 alloc_extends(at1,at2:alloc_table) : bool =
   FORALL (p:(valid(at1))) : at1(p`1) = at2(p`1)

 %% Why axiom alloc_extends_offset_min
 alloc_extends_offset_min: LEMMA
   (FORALL (a1: alloc_table):
   (FORALL (a2: alloc_table):
   (alloc_extends(a1, a2) IMPLIES
   (FORALL (p: pointer): offset_min(a1, p) = offset_min(a2, p)))))

 %% Why axiom alloc_extends_offset_max
 alloc_extends_offset_max: LEMMA
   (FORALL (a1: alloc_table):
   (FORALL (a2: alloc_table):
   (alloc_extends(a1, a2) IMPLIES
   (FORALL (p:(valid(a1))): offset_max(a1, p) = offset_max(a2, p)))))


 shift(p:pointer,i:int) : (same_block(p)) = (p`1,p`2+i)



 %%%%%%% sub_pointer %%%%%%%%%%%%%

 sub_pointer(p:pointer, q:(same_block(p))) : int = p`2 - q`2

 %% Why axiom sub_pointer_shift
 sub_pointer_shift: LEMMA
   (FORALL (p: pointer):
   (FORALL (q: (same_block(p))): p = shift(q, sub_pointer(p, q))))

 %% Why axiom sub_pointer_self
 sub_pointer_self: LEMMA
   FORALL (p: pointer): sub_pointer(p, p) = 0

 %% Why axiom sub_pointer_zero
 sub_pointer_zero: LEMMA
   (FORALL (p: pointer):
   (FORALL (q: (same_block(p))):
   (sub_pointer(p, q) = 0 IMPLIES p = q)))

 %% Why axiom sub_pointer_shift_left
 sub_pointer_shift_left: LEMMA
   (FORALL (p: pointer):
   (FORALL (q: (same_block(p))):
   (FORALL (i: int):
   sub_pointer(shift(p, i), q) = sub_pointer(p, q) + i)))

 %% Why axiom sub_pointer_shift_right
 sub_pointer_shift_right: LEMMA
   (FORALL (p: pointer):
   (FORALL (q: (same_block(p))):
   (FORALL (i: int):
   sub_pointer(p, shift(q, i)) = sub_pointer(p, q) - i)))


 %% [CM] eq_pointer_bool: MACRO [pointer, pointer -> bool]

 %% [CM] neq_pointer_bool: [pointer, pointer -> bool]


 %%%%%%% sets of pointers %%%%%%%%%%%%%

 pset: TYPE = set[pointer] 

 pset_empty: MACRO pset = emptyset % [CM]

 pset_singleton: MACRO [pointer -> pset] = singleton % [CM]

 pset_union: MACRO [pset, pset -> pset] = union % [CM]

 pset_disjoint : MACRO [pset, pset -> bool] = disjoint? % [CM]

 pset_all(ps:pset) : pset = 
   {a:pointer | EXISTS (p:(ps),i:int) : a=shift(p,i)}

 pset_range(ps:pset,i,j:int) : pset =
   {a:pointer | EXISTS (p:(ps),k:subrange(i,j)) : a=shift(p,k)}

 pset_range_left(ps:pset,i:int) : pset =
   {a:pointer | EXISTS (p:(ps),k:upfrom(i)) : a=shift(p,i)}

 pset_range_right(ps:pset,i:int) : pset =
   {a:pointer | EXISTS (p:(ps),k:upto(i)) : a=shift(p,i)}

 in_pset: MACRO [pointer, pset -> bool] = member % [CM]

 %% Why logic valid_pset
 valid_pset(a:alloc_table)(ps:pset) : bool = 
   FORALL (p:(ps)) : valid(a)(p)

 %% Why axiom in_pset_empty
 %% [CM] in_pset_empty: AXIOM
 %% [CM]  (FORALL (p: pointer): NOT in_pset(p, pset_empty))

 %% Why axiom in_pset_singleton
 %% [CM] in_pset_singleton: AXIOM
 %% [CM]   (FORALL (p: pointer):
 %% [CM]   (FORALL (q: pointer):
 %% [CM]   (in_pset(p, pset_singleton(q)) IFF p = q)))

 %% Why axiom in_pset_union
 %% [CM] in_pset_union: AXIOM
 %% [CM]   (FORALL (p: pointer):
 %% [CM]   (FORALL (s1: pset):
 %% [CM]   (FORALL (s2: pset):
 %% [CM]   (in_pset(p, pset_union(s1, s2)) IFF in_pset(p, s1) OR
 %% [CM]   in_pset(p, s2)))))

 %% Why axiom valid_pset_empty
 valid_pset_empty: LEMMA
   (FORALL (a: alloc_table): valid_pset(a)(pset_empty))

 %% Why axiom valid_pset_singleton
 valid_pset_singleton: LEMMA
   (FORALL (a: alloc_table):
   (FORALL (p: pointer):
   (valid_pset(a)(pset_singleton(p)) IFF valid(a)(p))))

 %% Why axiom valid_pset_range
 valid_pset_range: LEMMA
   (FORALL (a: alloc_table):
   (FORALL (q: pset):
   (FORALL (c: int):
   (FORALL (d: int):
   (valid_pset(a)(pset_range(q, c, d)) IFF
   (FORALL (i: int):
   (FORALL (r: pointer):
   (in_pset(r, q) AND (c <= i AND i <= d) IMPLIES
   valid(a)(shift(r, i))))))))))

 %% Why axiom valid_pset_union
 valid_pset_union: LEMMA
   (FORALL (a: alloc_table):
   (FORALL (s1: pset):
   (FORALL (s2: pset):
   (valid_pset(a)(pset_union(s1, s2)) IFF valid_pset(a)(s1) AND
   valid_pset(a)(s2)))))


END jessie_pointers


jessie_memory[A: TYPE+]: THEORY
BEGIN

 IMPORTING jessie_pointers

 memory: TYPE = ARRAY[pointer -> A] % [CM]

 %% Why logic select
 %% [CM] select: [memory, pointer -> A]
 select(m:memory,p:pointer) : MACRO A = m(p) % [CM]

 %% Why logic store
 %% [CM] store: [memory, pointer, A -> memory] % [CM]
 store(m:memory,p:pointer,a:A) : MACRO memory = m WITH [(p) := a]

 not_assigns(a:alloc_table, m1:memory, m2:memory,
             l:pset) : bool =
   (FORALL (p: pointer):
   (valid(a)(p) AND NOT in_pset(p, l) IMPLIES
   select(m2, p) = select(m1, p)))

 %% Why axiom select_store_eq
 %% [CM] select_store_eq: AXIOM
 %% [CM]  (FORALL (m: memory):
 %% [CM]  (FORALL (p: pointer):    % [CM]
 %% [CM]  (FORALL (a: A):
 %% [CM]  (select(store(m, p, a), p) = a))))

 %% Why axiom select_store_neq
 select_store_neq: AXIOM
   (FORALL (m: memory):
   (FORALL (p1: pointer):
   (FORALL (p2: pointer):
   (FORALL (a: A):
   (p1 /= p2 IMPLIES
   select(store(m, p1, a), p2) = select(m, p2))))))

 %% Why axiom not_assigns_refl
 not_assigns_refl: LEMMA
   (FORALL (a: alloc_table):
   (FORALL (m: memory):
   (FORALL (l: pset): not_assigns(a, m, m, l))))

 %% Why axiom not_assigns_trans
 not_assigns_trans: LEMMA
   (FORALL (a: alloc_table):
   (FORALL (m1: memory):
   (FORALL (m2: memory):
   (FORALL (m3: memory):
   (FORALL (l: pset):
   (not_assigns(a, m1, m2, l) IMPLIES
   (not_assigns(a, m2, m3, l) IMPLIES not_assigns(a, m1, m3, l))))))))

END jessie_memory

jessie_psets : THEORY
BEGIN

 IMPORTING jessie_memory

 %% Why logic pset_deref
 pset_deref(m:memory[pointer],q:pset) : pset =
   {p:pointer | EXISTS (r:(q)): p = select(m,r) }

 %% Why axiom in_pset_deref
 in_pset_deref: LEMMA
   (FORALL (p: pointer):
   (FORALL (m: memory[pointer]):
   (FORALL (q: pset):
   (in_pset(p, pset_deref(m, q)) IFF
   (EXISTS (r: pointer): in_pset(r, q) AND
    p = select(m, r))))))

 %% Why axiom valid_pset_deref
 valid_pset_deref: LEMMA
   (FORALL (a: alloc_table):
   (FORALL (m: memory[pointer]):
   (FORALL (q: pset):
   (valid_pset(a)(pset_deref(m, q)) IFF
   (FORALL (r: pointer):
   (FORALL (p: pointer):
   (in_pset(r, q) AND p = select(m, r) IMPLIES
   valid(a)(p))))))))

END jessie_psets


jessie_tags : THEORY
BEGIN

 IMPORTING jessie_pointers, jessie_memory

 tag_id: TYPE = string

 tag_table: TYPE = [pointer -> tag_id]

 int_of_tag: [tag_id -> int]

 typeof(tt:tag_table,p:pointer) : tag_id = tt(p)

 parenttag: [tag_id, tag_id -> bool]

 subtag(ti1,ti2:tag_id) : INDUCTIVE bool =
   ti1 = ti2 OR
   EXISTS (ti:tag_id) : subtag(ti1,ti) AND parenttag(ti,ti2)

 subtag_bool: MACRO [tag_id, tag_id -> bool] = subtag

 instanceof(tt:tag_table, p:pointer, ti:tag_id) : bool =
   subtag(typeof(tt, p), ti)

 downcast(tt:tag_table,p:pointer,ti:tag_id|instanceof(tt,p,ti)) : pointer =
   p 

 bottom_tag: tag_id

 root_tag(t:tag_id) : bool = parenttag(t, bottom_tag)

 %% Why axiom bottom_tag_axiom
 bottom_tag_axiom: AXIOM
   (FORALL (t: tag_id): subtag(t, bottom_tag))

 %% Why axiom root_subtag
 root_subtag: AXIOM
   (FORALL (a: tag_id):
   (FORALL (b: tag_id):
   (FORALL (c: tag_id):
   (root_tag(a) IMPLIES
   (root_tag(b) IMPLIES
   (a /= b IMPLIES (subtag(c, a) IMPLIES NOT subtag(c, b))))))))

 fully_packed(tag_table:tag_table, mutable:memory[tag_id],
              this:pointer) : bool =
   select(mutable, this) = typeof(tag_table, this)

END jessie_tags



why-2.34/lib/pvs/why.pvs0000644000175000017500000000562212311670312013541 0ustar  rtuserswhy: THEORY
BEGIN

  IMPORTING why_arrays, why_array_pred, why_int_array_pred
  
  unit: TYPE = int
  unit: unit = 0

  c,x,y : VAR int
  nzy : VAR nzint

  %% integer division and modulo

  importing ints@div, ints@rem

  % div(x, nzy) : int = div(x, nzy)
  mod(x, nzy) : macro int = rem(x, nzy)

  %% well founded relations
  zwf(c) : [int, int -> bool] = (lambda x,y: c <= y and x < y)
  zwf_zero : [int, int -> bool] = zwf(0)

  zwf_wf : AXIOM forall c: well_founded?(zwf(c))

END why


why_arrays[T: TYPE]: THEORY
BEGIN

  warray: TYPE = [ n:nat, [ below(n) -> T ] ]

  i,j : VAR int
  v : VAR T

  array_length(t:warray) : int = proj_1(t)

  access(t:warray, i:below(proj_1(t))) : T = proj_2(t)(i)

  update(t:warray, i:below(proj_1(t)), v): warray = 
    (proj_1(t), 
     (LAMBDA (j:below(proj_1(t))): IF j = i THEN v ELSE proj_2(t)(j) ENDIF))

END why_arrays

% predicates over integers arrays
why_int_array_pred: THEORY
BEGIN

  IMPORTING why_arrays

  t,u : VAR warray[int]
  i,j,k : VAR int
  
  % t[i..j] is sorted
  sorted_array(t:warray[int], i, j) : bool =
    forall (k:below(proj_1(t)-1)): 
    i <= k and k < j implies access(t,k) <= access(t,k+1)

END why_int_array_pred

% predicates over arrays
why_array_pred[T: TYPE]: THEORY
BEGIN

  IMPORTING why_arrays[T]

  t,u,v : VAR warray[T]

  i,j,k,l,r : VAR int

  % t[i..j] = u[i..j]
  array_id(t:warray[T], u:warray[T], 
	   i:below(min(proj_1(t),proj_1(u))),
	   j:below(min(proj_1(t),proj_1(u)))) : bool = 
    forall k: i <= k and k <= j implies access(t,k) = access(u,k)

  % swap of elements at i and j
  exchange(t, u, i, j) : bool = 
    array_length(t) = array_length(u) and
    0 <= i and i < array_length(t) and 0 <= j and j < array_length(t) and
    access(t,i) = access(u,j) and
    access(t,j) = access(u,i) and
    forall k: 0 <= k and k < array_length(t) implies 
      k /= i implies k /= j implies access(t,k) = access(u,k)

  % permut is the smallest equivalence relation containing exchange
  permut(t, u) : bool
  
  permut_exchange : 
    AXIOM forall t,u,i,j: exchange(t,u,i,j) implies permut(t,u)
  permut_refl     : 
    AXIOM forall t: permut(t,t)
  permut_sym      : 
    AXIOM forall t,u: permut(t,u) implies permut(u,t)
  permut_trans    : 
    AXIOM forall t,u,v : permut(t,u) implies permut(u,v) implies permut(t,v)

  % sub_permut(t,u,i,j) defines a permutation on the sub-array i..j,
  % other elements being equal
  sub_permut(l, r, t, u) : bool
  
  sub_permut_exchange : 
    AXIOM forall l,r,t,u,i,j: 
      l <= i and i <= r implies l <= j and j <= r implies 
      exchange(t,u,i,j) implies sub_permut(l,r,t,u)
  sub_permut_refl     : 
    AXIOM forall l,r,t: sub_permut(l,r,t,t)
  sub_permut_sym      : 
    AXIOM forall l,r,t,u: sub_permut(l,r,t,u) implies sub_permut(l,r,u,t)
  sub_permut_trans    : 
    AXIOM forall l,r,t,u,v : sub_permut(l,r,t,u) implies sub_permut(l,r,u,v) 
	                     implies sub_permut(l,r,t,v)

END why_array_pred


why-2.34/lib/pvs/whyfloat.prf0000644000175000017500000006563412311670312014557 0ustar  rtusers(floatbis
 (RND_Zero_isToZero_TCC1 0
  (RND_Zero_isToZero_TCC1-1 nil 3424513819 3424583684
   ("" (skeep) (("" (rewrite "FcanonicBounded") nil nil)) nil) proved
   ((FcanonicBounded formula-decl nil float "float/")
    (nat nonempty-type-eq-decl nil naturalnumbers nil)
    (Format type-eq-decl nil float "float/")
    (float type-eq-decl nil float "float/")
    (Fcanonic? const-decl "bool" float "float/")
    (RND_Zero const-decl "(Fcanonic?(b))" floatbis nil)
    (number nonempty-type-decl nil numbers nil)
    (boolean nonempty-type-decl nil booleans nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (> const-decl "bool" reals nil)
    (above nonempty-type-eq-decl nil integers nil)
    (radix formal-const-decl "above(1)" floatbis nil))
   200 90 t nil))
 (RND_Zero_isToZero 0
  (RND_Zero_isToZero-1 nil 3424514932 3424583687
   ("" (skeep)
    (("" (expand RND_Zero)
      (("" (expand ToZero?)
        (("" (rewrite RND_Min_isMin)
          (("" (rewrite RND_Max_isMax) (("" (ground) nil nil)) nil))
          nil))
        nil))
      nil))
    nil)
   proved
   ((RND_Zero const-decl "(Fcanonic?(b))" floatbis nil)
    (RND_Min_isMin formula-decl nil float "float/")
    (nat nonempty-type-eq-decl nil naturalnumbers nil)
    (Format type-eq-decl nil float "float/")
    (number nonempty-type-decl nil numbers nil)
    (boolean nonempty-type-decl nil booleans nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (> const-decl "bool" reals nil)
    (above nonempty-type-eq-decl nil integers nil)
    (radix formal-const-decl "above(1)" floatbis nil)
    (RND_Max_isMax formula-decl nil float "float/")
    (ToZero? const-decl "bool" float "float/"))
   3032 90 t shostak))
 (RND_AClosest_isAFZclosest_TCC1 0
  (RND_AClosest_isAFZclosest_TCC1-1 nil 3424513819 3424583687
   ("" (skeep) (("" (rewrite "FcanonicBounded") nil nil)) nil) proved
   ((FcanonicBounded formula-decl nil float "float/")
    (nat nonempty-type-eq-decl nil naturalnumbers nil)
    (Format type-eq-decl nil float "float/")
    (float type-eq-decl nil float "float/")
    (Fcanonic? const-decl "bool" float "float/")
    (RND_AFZClosest const-decl "(Fcanonic?(b))" floatbis nil)
    (number nonempty-type-decl nil numbers nil)
    (boolean nonempty-type-decl nil booleans nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (> const-decl "bool" reals nil)
    (above nonempty-type-eq-decl nil integers nil)
    (radix formal-const-decl "above(1)" floatbis nil))
   48 20 t nil))
 (RND_AClosest_isAFZclosest 0
  (RND_AClosest_isAFZclosest-1 nil 3424515088 3424583732
   ("" (skeep)
    (("" (expand RND_AFZClosest)
      (("" (grind-reals)
        (("1" (expand AFZClosest?)
          (("1" (case "Closest?(b)(r, RND_Min(b)(r))")
            (("1" (split)
              (("1" (propax) nil nil)
               ("2" (skosimp*)
                (("2" (lemma "Closest_MinOrMax")
                  (("2" (expand "MinOrMax?")
                    (("2" (inst -1 b r f!1)
                      (("2" (split)
                        (("1" (lemma "isMin_Unique")
                          (("1" (expand "Unique?")
                            (("1" (inst -1 b r f!1 "RND_Min(b)(r)")
                              (("1"
                                (assert)
                                (("1"
                                  (rewrite "RND_Min_isMin")
                                  nil
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil)
                         ("2" (expand "Closest?" -2)
                          (("2" (inst -2 "RND_Min(b)(r)")
                            (("2" (flip-ineq -2)
                              (("2"
                                (case-replace
                                 "FtoR(f!1) = FtoR(RND_Max(b)(r))")
                                (("1" (assert) nil nil)
                                 ("2"
                                  (lemma "isMax_Unique")
                                  (("2"
                                    (expand Unique?)
                                    (("2"
                                      (inst -1 b r f!1 "RND_Max(b)(r)")
                                      (("1"
                                        (assert)
                                        (("1"
                                          (rewrite "RND_Max_isMax")
                                          nil
                                          nil))
                                        nil)
                                       ("2"
                                        (rewrite "FcanonicBounded")
                                        nil
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil)
                         ("3" (propax) nil nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil)
             ("2" (hide 2)
              (("2" (lemma "RND_Min_isMin" :subst ("b" "b" "r" "r"))
                (("2" (lemma "RND_Max_isMax" :subst ("b" "b" "r" "r"))
                  (("2" (expand* "isMin?" "isMax?" "Closest?")
                    (("2" (flatten)
                      (("2" (skosimp*)
                        (("2" (case "FtoR(f!1) <= r")
                          (("1" (expand abs)
                            (("1" (grind-reals) nil nil)) nil)
                           ("2" (expand abs)
                            (("2" (grind-reals) nil nil)) nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil)
             ("3" (rewrite "FcanonicBounded") nil nil))
            nil))
          nil)
         ("2" (hide 1)
          (("2" (expand "AFZClosest?")
            (("2" (case "Closest?(b)(r, RND_Max(b)(r))")
              (("1" (split)
                (("1" (propax) nil nil)
                 ("2" (skosimp*)
                  (("2" (lemma "Closest_MinOrMax")
                    (("2" (expand "MinOrMax?")
                      (("2" (inst -1 "b" "r" "f!1")
                        (("2" (split)
                          (("1" (expand "Closest?" -2)
                            (("1" (inst -2 "RND_Max(b)(r)")
                              (("1"
                                (flip-ineq -2)
                                (("1"
                                  (case-replace
                                   "FtoR(f!1) = FtoR(RND_Min(b)(r))")
                                  (("1" (assert) nil nil)
                                   ("2"
                                    (lemma "isMin_Unique")
                                    (("2"
                                      (expand "Unique?")
                                      (("2"
                                        (inst
                                         -1
                                         b
                                         r
                                         f!1
                                         "RND_Min(b)(r)")
                                        (("1"
                                          (assert)
                                          (("1"
                                            (rewrite "RND_Min_isMin")
                                            nil
                                            nil))
                                          nil)
                                         ("2"
                                          (rewrite "FcanonicBounded")
                                          nil
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil)
                           ("2" (lemma "isMax_Unique")
                            (("2" (expand "Unique?")
                              (("2"
                                (inst -1 b r f!1 "RND_Max(b)(r)")
                                (("2"
                                  (assert)
                                  (("2"
                                    (rewrite "RND_Max_isMax")
                                    nil
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil)
                           ("3" (propax) nil nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil)
               ("2" (hide 2)
                (("2" (lemma "RND_Min_isMin" :subst ("b" "b" "r" "r"))
                  (("2"
                    (lemma "RND_Max_isMax" :subst ("b" "b" "r" "r"))
                    (("2" (expand* "isMin?" "isMax?" "Closest?")
                      (("2" (flatten)
                        (("2" (skosimp*)
                          (("2" (case "FtoR(f!1) <= r")
                            (("1" (expand abs)
                              (("1" (grind-reals) nil nil)) nil)
                             ("2" (expand "abs")
                              (("2" (grind-reals) nil nil)) nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil)
               ("3" (rewrite "FcanonicBounded") nil nil))
              nil))
            nil))
          nil)
         ("3" (expand AFZClosest?)
          (("3" (flip-ineq 1)
            (("3" (case "Closest?(b)(r, RND_Max(b)(r))")
              (("1" (split)
                (("1" (propax) nil nil)
                 ("2" (skosimp*)
                  (("2" (case (r <= FtoR (RND_Max (b) (r))))
                    (("1" (expand abs) (("1" (grind-reals) nil nil))
                      nil)
                     ("2" (lemma RND_Max_isMax)
                      (("2" (inst -1 b r)
                        (("2" (expand isMax?) (("2" (grind) nil nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil)
               ("2" (hide 2)
                (("2" (lemma "RND_Min_isMin" :subst ("b" "b" "r" "r"))
                  (("2"
                    (lemma "RND_Max_isMax" :subst ("b" "b" "r" "r"))
                    (("2" (expand* "isMin?" "isMax?" "Closest?")
                      (("2" (flatten)
                        (("2" (skosimp*)
                          (("2" (case "FtoR(f!1) <= r")
                            (("1" (expand "abs")
                              (("1" (grind-reals) nil nil)) nil)
                             ("2" (expand abs)
                              (("2" (grind-reals) nil nil)) nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil)
               ("3" (rewrite "FcanonicBounded") nil nil))
              nil))
            nil))
          nil)
         ("4" (expand "AFZClosest?")
          (("4" (case "Closest?(b)(r, RND_Min(b)(r))")
            (("1" (split)
              (("1" (propax) nil nil)
               ("2" (skosimp*)
                (("2" (lemma "Closest_MinOrMax")
                  (("2" (expand MinOrMax?)
                    (("2" (inst -1 b r f!1)
                      (("2" (split)
                        (("1" (lemma "isMin_Unique")
                          (("1" (expand "Unique?")
                            (("1" (inst -1 b r f!1 "RND_Min(b)(r)")
                              (("1"
                                (assert)
                                (("1"
                                  (rewrite "RND_Min_isMin")
                                  nil
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil)
                         ("2" (lemma "isMax_Unique")
                          (("2" (expand "Unique?")
                            (("2" (inst -1 b r f!1 "RND_Max(b)(r)")
                              (("1"
                                (assert)
                                (("1" (rewrite RND_Max_isMax) nil nil))
                                nil)
                               ("2"
                                (rewrite "FcanonicBounded")
                                nil
                                nil))
                              nil))
                            nil))
                          nil)
                         ("3" (propax) nil nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil)
             ("2" (hide 2)
              (("2" (lemma "RND_Min_isMin" :subst ("b" "b" "r" "r"))
                (("2" (lemma "RND_Max_isMax" :subst ("b" "b" "r" "r"))
                  (("2" (expand* "isMin?" "isMax?" "Closest?")
                    (("2" (flatten)
                      (("2" (skosimp*)
                        (("2" (case "FtoR(f!1) <= r")
                          (("1" (expand abs)
                            (("1" (grind-reals) nil nil)) nil)
                           ("2" (expand abs)
                            (("2" (grind-reals) nil nil)) nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil)
             ("3" (rewrite "FcanonicBounded") nil nil))
            nil))
          nil)
         ("5" (flip-ineq 2)
          (("5" (flip-ineq 2)
            (("5" (expand "AFZClosest?")
              (("5" (case "Closest?(b)(r, RND_Min(b)(r))")
                (("1" (split)
                  (("1" (propax) nil nil)
                   ("2" (case ((RND_Min (b) (r) <= r)))
                    (("1" (expand abs) (("1" (grind-reals) nil nil))
                      nil)
                     ("2" (lemma RND_Min_isMin)
                      (("2" (inst -1 b r)
                        (("2" (expand isMin?) (("2" (grind) nil nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil)
                 ("2" (hide 2)
                  (("2"
                    (lemma "RND_Min_isMin" :subst ("b" "b" "r" "r"))
                    (("2"
                      (lemma "RND_Max_isMax" :subst ("b" "b" "r" "r"))
                      (("2" (expand* "isMin?" "isMax?" "Closest?")
                        (("2" (flatten)
                          (("2" (skosimp*)
                            (("2" (case "FtoR(f!1) <= r")
                              (("1"
                                (expand abs)
                                (("1" (grind-reals) nil nil))
                                nil)
                               ("2"
                                (expand abs)
                                (("2" (grind-reals) nil nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil)
                 ("3" (rewrite "FcanonicBounded") nil nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil))
    nil)
   proved
   ((minus_odd_is_odd application-judgement "odd_int" integers nil)
    (real_minus_real_is_real application-judgement "real" reals nil)
    (RND_AFZClosest const-decl "(Fcanonic?(b))" floatbis nil)
    (both_sides_minus_lt2 formula-decl nil real_props nil)
    (le_minus_le formula-decl nil real_props nil)
    (posint_exp application-judgement "posint" exponentiation nil)
    (nnreal_times_nnreal_is_nnreal application-judgement "nnreal"
     real_types nil)
    (nnrat_exp application-judgement "nnrat" exponentiation nil)
    (posrat_exp application-judgement "posrat" exponentiation nil)
    (mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (both_sides_minus_le1 formula-decl nil real_props nil)
    (AFZClosest? const-decl "bool" float "float/")
    (<= const-decl "bool" reals nil)
    (minus_real_is_real application-judgement "real" reals nil)
    (isMin? const-decl "bool" float "float/")
    (isMax? const-decl "bool" float "float/")
    (Closest_MinOrMax formula-decl nil float "float/")
    (FtoR const-decl "real" float "float/")
    (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
    (abs const-decl "{n: nonneg_real | n >= m AND n >= -m}" real_defs
         nil)
    (- const-decl "[numfield -> numfield]" number_fields nil)
    (numfield nonempty-type-eq-decl nil number_fields nil)
    (AND const-decl "[bool, bool -> bool]" booleans nil)
    (nonneg_real nonempty-type-eq-decl nil real_types nil)
    (>= const-decl "bool" reals nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (isMax_Unique formula-decl nil float "float/")
    (r skolem-const-decl "real" floatbis nil)
    (b skolem-const-decl "Format[radix]" floatbis nil)
    (RND_Max_isMax formula-decl nil float "float/")
    (FcanonicBounded formula-decl nil float "float/")
    (= const-decl "[T, T -> boolean]" equalities nil)
    (RND_Max const-decl "(Fcanonic?(b))" float "float/")
    (isMin_Unique formula-decl nil float "float/")
    (RND_Min_isMin formula-decl nil float "float/")
    (Unique? const-decl "bool" float "float/")
    (MinOrMax? const-decl "bool" float "float/")
    (above nonempty-type-eq-decl nil integers nil)
    (nat nonempty-type-eq-decl nil naturalnumbers nil)
    (number nonempty-type-decl nil numbers nil)
    (boolean nonempty-type-decl nil booleans nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (> const-decl "bool" reals nil)
    (radix formal-const-decl "above(1)" floatbis nil)
    (Format type-eq-decl nil float "float/")
    (float type-eq-decl nil float "float/")
    (Fbounded? const-decl "bool" float "float/")
    (Closest? const-decl "bool" float "float/")
    (Fcanonic? const-decl "bool" float "float/")
    (RND_Min const-decl "(Fcanonic?(b))" float "float/")
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil))
   44409 12530 t shostak)))
(whyfloat
 (div_double_TCC1 0
  (div_double_TCC1-1 nil 3424583899 3424583919
   ("" (subtype-tcc) nil nil) proved
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (/= const-decl "boolean" notequal nil)
    (real nonempty-type-from-decl nil reals nil)
    (above nonempty-type-eq-decl nil integers nil)
    (nat nonempty-type-eq-decl nil naturalnumbers nil)
    (Format type-eq-decl nil float "float/")
    (int nonempty-type-eq-decl nil integers nil)
    (float type-eq-decl nil float "float/")
    (Fcanonic? const-decl "bool" float "float/")
    (bdouble const-decl "Format" whyfloat nil)
    (double type-eq-decl nil whyfloat nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (AND const-decl "[bool, bool -> bool]" booleans nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (rat_times_rat_is_rat application-judgement "rat" rationals nil)
    (d_to_r const-decl "real" whyfloat nil)
    (FtoR const-decl "real" float "float/")
    (nnrat_exp application-judgement "nnrat" exponentiation nil)
    (posrat_exp application-judgement "posrat" exponentiation nil)
    (even_times_int_is_even application-judgement "even_int" integers
     nil)
    (mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil))
   527 350 nil nil))
 (div_double_TCC2 0
  (div_double_TCC2-1 nil 3424583899 3424583920
   ("" (subtype-tcc) nil nil) proved
   ((even_times_int_is_even application-judgement "even_int" integers
     nil)
    (mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil))
   408 200 nil nil))
 (div_double_TCC3 0
  (div_double_TCC3-1 nil 3424583899 3424583920
   ("" (subtype-tcc) nil nil) proved
   ((even_times_int_is_even application-judgement "even_int" integers
     nil)
    (mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil))
   348 200 nil nil))
 (sqrt_double_TCC1 0
  (sqrt_double_TCC1-1 nil 3424583899 3424583921
   ("" (subtype-tcc) nil nil) proved
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (>= const-decl "bool" reals nil)
    (above nonempty-type-eq-decl nil integers nil)
    (nat nonempty-type-eq-decl nil naturalnumbers nil)
    (Format type-eq-decl nil float "float/")
    (int nonempty-type-eq-decl nil integers nil)
    (float type-eq-decl nil float "float/")
    (Fcanonic? const-decl "bool" float "float/")
    (bdouble const-decl "Format" whyfloat nil)
    (double type-eq-decl nil whyfloat nil)
    (AND const-decl "[bool, bool -> bool]" booleans nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (rat_times_rat_is_rat application-judgement "rat" rationals nil)
    (d_to_r const-decl "real" whyfloat nil)
    (FtoR const-decl "real" float "float/")
    (nnrat_exp application-judgement "nnrat" exponentiation nil)
    (posrat_exp application-judgement "posrat" exponentiation nil)
    (even_times_int_is_even application-judgement "even_int" integers
     nil)
    (mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil))
   478 270 nil nil))
 (sqrt_double_TCC2 0
  (sqrt_double_TCC2-1 nil 3424583899 3424583921
   ("" (subtype-tcc) nil nil) proved
   ((even_times_int_is_even application-judgement "even_int" integers
     nil)
    (mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil))
   607 190 nil nil))
 (sqrt_double_TCC3 0
  (sqrt_double_TCC3-1 nil 3424583899 3424583922
   ("" (subtype-tcc) nil nil) proved
   ((even_times_int_is_even application-judgement "even_int" integers
     nil)
    (mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil))
   868 200 nil nil))
 (neg_double_TCC1 0
  (neg_double_TCC1-1 nil 3424583899 3424584091
   ("" (skeep)
    (("" (lemma FcanonicOpp)
      (("" (inst -1 bdouble "float(f1)") (("" (assert) nil nil)) nil))
      nil))
    nil)
   proved
   ((FcanonicOpp formula-decl nil float "float/")
    (double type-eq-decl nil whyfloat nil)
    (Fcanonic? const-decl "bool" float "float/")
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil)
    (real nonempty-type-from-decl nil reals nil)
    (float type-eq-decl nil float "float/")
    (int nonempty-type-eq-decl nil integers nil)
    (bdouble const-decl "Format" whyfloat nil)
    (Format type-eq-decl nil float "float/")
    (nat nonempty-type-eq-decl nil naturalnumbers nil)
    (above nonempty-type-eq-decl nil integers nil))
   135922 40 t nil))
 (abs_double_TCC1 0
  (abs_double_TCC1-1 nil 3424583899 3424584140
   ("" (skeep) (("" (rewrite FabsCanonic) nil nil)) nil) proved
   ((FabsCanonic formula-decl nil float "float/")
    (above nonempty-type-eq-decl nil integers nil)
    (nat nonempty-type-eq-decl nil naturalnumbers nil)
    (Format type-eq-decl nil float "float/")
    (bdouble const-decl "Format" whyfloat nil)
    (int nonempty-type-eq-decl nil integers nil)
    (float type-eq-decl nil float "float/")
    (real nonempty-type-from-decl nil reals nil)
    (boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (Fcanonic? const-decl "bool" float "float/")
    (double type-eq-decl nil whyfloat nil))
   32680 670 t nil)))

why-2.34/lib/pvs/why.prf0000644000175000017500000000361312311670312013516 0ustar  rtusers(why
 (zwf_wf 0
  (zwf_wf-1 nil 3256035585 nil ("" (postpone) nil nil) unfinished nil
   nil nil nil nil)))
(why_arrays)
(why_int_array_pred
 (sorted_array_TCC1 0
  (sorted_array_TCC1-1 nil 3256035584 nil nil untried nil nil nil nil
   shostak))
 (sorted_array_TCC2 0
  (sorted_array_TCC2-1 nil 3256035584 nil nil untried nil nil nil nil
   shostak)))
(why_array_pred
 (array_id_TCC1 0
  (array_id_TCC1-1 nil 3256035585 nil nil untried nil nil nil nil
   shostak))
 (array_id_TCC2 0
  (array_id_TCC2-1 nil 3256035585 nil nil untried nil nil nil nil
   shostak))
 (exchange_TCC1 0
  (exchange_TCC1-1 nil 3256035585 nil nil untried nil nil nil nil
   shostak))
 (exchange_TCC2 0
  (exchange_TCC2-1 nil 3256035585 nil nil untried nil nil nil nil
   shostak))
 (exchange_TCC3 0
  (exchange_TCC3-1 nil 3256035585 nil nil untried nil nil nil nil
   shostak))
 (exchange_TCC4 0
  (exchange_TCC4-1 nil 3256035585 nil nil untried nil nil nil nil
   shostak))
 (exchange_TCC5 0
  (exchange_TCC5-1 nil 3256035585 nil nil untried nil nil nil nil
   shostak))
 (exchange_TCC6 0
  (exchange_TCC6-1 nil 3256035585 nil nil untried nil nil nil nil
   shostak))
 (permut_exchange 0
  (permut_exchange-1 nil 3256035585 3256035623 ("" (postpone) nil nil)
   unfinished nil 14961 280 t shostak))
 (permut_refl 0
  (permut_refl-1 nil 3256035585 nil nil nil nil nil nil nil shostak))
 (permut_sym 0
  (permut_sym-1 nil 3256035585 nil nil nil nil nil nil nil shostak))
 (permut_trans 0
  (permut_trans-1 nil 3256035585 nil nil nil nil nil nil nil shostak))
 (sub_permut_exchange 0
  (sub_permut_exchange-1 nil 3256035585 nil nil nil nil nil nil nil
   shostak))
 (sub_permut_refl 0
  (sub_permut_refl-1 nil 3256035585 nil nil nil nil nil nil nil
   shostak))
 (sub_permut_sym 0
  (sub_permut_sym-1 nil 3256035585 nil nil nil nil nil nil nil
   shostak))
 (sub_permut_trans 0
  (sub_permut_trans-1 nil 3256035585 nil nil nil nil nil nil nil
   shostak)))

why-2.34/lib/why/0000755000175000017500000000000012311670312012172 5ustar  rtuserswhy-2.34/lib/why/jessie.why0000644000175000017500000006736412311670312014225 0ustar  rtusersinclude "bool.why"
include "integer.why"
include "real.why"
include "divisions.why"

(*****************************************************************************)
(* pointers, allocation, validity                                            *)
(*****************************************************************************)

type 't alloc_table
type 't pointer
type 't block

(* memory model *)

logic base_block: 't pointer -> 't block
logic offset_max: 't alloc_table, 't pointer -> int
logic offset_min: 't alloc_table, 't pointer -> int

(* shortcuts *)

predicate valid(a:'t alloc_table, p:'t pointer) = 
  offset_min(a,p) <= 0 and offset_max(a,p) >= 0

predicate same_block(p: 't pointer, q:'t pointer) =
  base_block(p) = base_block(q)

(* pointer arithmetic *)

logic sub_pointer: 't pointer, 't pointer -> int
logic shift: 't pointer, int -> 't pointer

parameter sub_pointer_: p:'t pointer -> q:'t pointer -> 
  { same_block(p,q) } int { result = sub_pointer(p,q) }
 
parameter safe_sub_pointer_: p:'t pointer -> q:'t pointer -> 
  { } int { result = sub_pointer(p,q) }

(* null pointer*)

logic null: 't pointer

(* address *)

logic pointer_address: 't pointer -> unit pointer
logic absolute_address: int -> unit pointer
logic address: 't pointer -> int

axiom address_injective:
  forall p:'t pointer. forall q:'t pointer.
    p = q <-> address(p) = address(q)

axiom address_null:
  address(null) = 0


(* INCONSISTENT -> removed 
axiom address_positive:
  forall p:'t pointer. 0 <= address(p)
*)

axiom address_shift_lt:
  forall p:'t pointer. forall i:int. forall j:int 
  [address(shift(p,i)), address(shift(p,j))]. 
    address(shift(p,i)) < address(shift(p,j)) <-> i < j

axiom address_shift_le:
  forall p:'t pointer. forall i:int. forall j:int 
  [address(shift(p,i)), address(shift(p,j))]. 
    address(shift(p,i)) <= address(shift(p,j)) <-> i <= j


(* shift *)

axiom shift_zero:
  forall p:'t pointer [shift(p,0)]. shift(p,0) = p

axiom shift_shift:
  forall p:'t pointer. forall i:int. forall j:int [shift(shift(p,i),j)].
    shift(shift(p,i),j) = shift(p,i+j)

axiom offset_max_shift:
  forall a:'t alloc_table. forall p: 't pointer. forall i:int.
    offset_max(a,shift(p,i)) = offset_max(a,p)-i

axiom offset_min_shift: 
  forall a:'t alloc_table. forall p: 't pointer. forall i:int.
    offset_min(a,shift(p,i)) = offset_min(a,p)-i

axiom neq_shift:
  forall p:'t pointer. forall i:int. forall j:int [shift(p,i),shift(p,j)].
    i <> j -> shift(p,i) <> shift(p,j) 

(* null *)

axiom null_not_valid: 
  forall a:'t alloc_table. not valid(a, null)

axiom null_pointer: 
  forall a:'t alloc_table.
    offset_min(a, null) >= 0 and offset_max(a, null) <= -2

(* pointer comparison *)

parameter eq_pointer: 
  p: 't pointer -> q: 't pointer -> 
    { same_block(p,q) or p = null or q = null } 
    bool 
    { if result then p=q else p<>q }

parameter safe_eq_pointer: 
  p: 't pointer -> q: 't pointer -> 
    {} bool { if result then p=q else p<>q }

parameter neq_pointer: 
  p: 't pointer -> q: 't pointer -> 
    { same_block(p,q) or p = null or q = null } 
    bool
    { if result then p<>q else p=q }

parameter safe_neq_pointer: 
  p: 't pointer -> q: 't pointer -> 
    {} bool { if result then p<>q else p=q }

logic eq_pointer_bool: 't pointer, 't pointer -> bool
logic neq_pointer_bool: 't pointer, 't pointer -> bool

axiom eq_pointer_bool_def:
  forall p1: 't pointer. forall p2: 't pointer.
    eq_pointer_bool(p1, p2) = true <-> p1 = p2

axiom neq_pointer_bool_def:
  forall p1: 't pointer. forall p2: 't pointer.
    neq_pointer_bool(p1, p2) = true <-> p1 <> p2

(* make Simplify loop on bench/java/Arrays.java !!!
axiom same_block_shift:
  forall p: 't pointer. forall i:int.
    same_block(p,shift(p,i))
*)

axiom same_block_shift_right:
  forall p: 't pointer. forall q:'t pointer. forall i:int
  [same_block(p,shift(q,i))].
    same_block(p,q) -> same_block(p,shift(q,i))

axiom same_block_shift_left:
  forall p: 't pointer. forall q:'t pointer. forall i:int
  [same_block(shift(q,i),p)].
    same_block(q,p) -> same_block(shift(q,i),p)


(* make Simplify loop on Jessie test roux.c 
axiom sub_pointer_same_block:
  forall p:'t pointer. forall q:'t pointer [sub_pointer(p,q),same_block(p,q)]. 
    sub_pointer(p,q) = 0 -> same_block(p,q)
*)

(* sub_pointer *)

axiom sub_pointer_shift:
  forall p:'t pointer. forall q:'t pointer [sub_pointer(p,q)]. 
    same_block(p,q) ->
      p = shift(q,sub_pointer(p,q))

axiom sub_pointer_self:
  forall p:'t pointer [sub_pointer(p,p)]. sub_pointer(p,p) = 0

axiom sub_pointer_zero:
  forall p:'t pointer. forall q:'t pointer [sub_pointer(p,q)]. 
    same_block(p,q) ->
      sub_pointer(p,q) = 0 -> p = q

axiom sub_pointer_shift_left:
  forall p:'t pointer. forall q:'t pointer. 
    forall i:int [sub_pointer(shift(p,i),q)].
      sub_pointer(shift(p,i),q) = sub_pointer(p,q) + i

axiom sub_pointer_shift_right:
  forall p:'t pointer. forall q:'t pointer. 
    forall i:int [sub_pointer(p,shift(q,i))].
      sub_pointer(p,shift(q,i)) = sub_pointer(p,q) - i

(*****************************************************************************)
(* heap memories, select and store                                           *)
(*****************************************************************************)

type ('t,'v) memory

logic select: ('t,'v) memory, 't pointer -> 'v 
logic store: ('t,'v) memory, 't pointer, 'v -> ('t,'v) memory

axiom select_store_eq:
  forall m: ('t,'v) memory. 
  forall p1: 't pointer. 
  forall p2: 't pointer. 
  forall a: 'v [store(m,p1,a),p2].
    p1=p2 -> select(store(m,p1,a),p2) = a

(* redundant
axiom select_store:
  forall m: ('t,'v) memory. 
  forall p: 't pointer. 
  forall a: 'v [select(store(m,p,a),p)].
    select(store(m,p,a),p) = a
*)
 
axiom select_store_neq: 
  forall m: ('t,'v) memory. 
  forall p1: 't pointer. 
  forall p2: 't pointer. 
  forall a: 'v [store(m,p1,a),p2] .
    p1 <> p2 -> select(store(m,p1,a),p2) = select(m,p2)


(*****************************************************************************)
(* access and update side-effect functions                                   *)
(*****************************************************************************)

(* normal access *)
parameter acc_: 
  alloc:'t alloc_table -> m:('t,'v) memory -> p:'t pointer -> 
  { offset_min(alloc,p) <= 0 and 0 <= offset_max(alloc,p) }
  'v 
  { result = select(m,p) }

(* offset access *)
parameter offset_acc_: 
  alloc:'t alloc_table -> m:('t,'v) memory -> 
  p:'t pointer -> off:int ->
  { offset_min(alloc,p) <= off and off <= offset_max(alloc,p) }
  'v 
  { result = select(m,shift(p,off)) }

(* safe access *)
parameter safe_acc_: 
  m: ('t,'v) memory -> p:'t pointer ->
  { }
  'v 
  { result = select(m,p) }

(* bounded access *)
parameter bound_acc_: 
  m: ('t,'v) memory -> p:'t pointer -> off:int -> lb:int -> rb:int -> 
  { lb <= off and off <= rb }
  'v 
  { result = select(m,shift(p,off)) }

(* bounded access with safe left bound *)
parameter lsafe_bound_acc_: 
  m: ('t,'v) memory -> p:'t pointer -> off:int -> rb:int -> 
  { off <= rb }
  'v 
  { result = select(m,shift(p,off)) }

(* bounded access with safe right bound *)
parameter rsafe_bound_acc_: 
  m: ('t,'v) memory -> p:'t pointer -> off:int -> lb:int -> 
  { lb <= off }
  'v 
  { result = select(m,shift(p,off)) }

(* left bounded access *)
parameter lbound_acc_: 
  alloc:'t alloc_table -> m: ('t,'v) memory -> p:'t pointer -> 
  off:int -> lb:int -> 
  { lb <= off and off <= offset_max(alloc,p) }
  'v 
  { result = select(m,shift(p,off)) }

(* left bounded access with safe left bound *)
parameter lsafe_lbound_acc_: 
  alloc:'t alloc_table -> m: ('t,'v) memory -> p:'t pointer -> 
  off:int -> 
  { off <= offset_max(alloc,p) }
  'v 
  { result = select(m,shift(p,off)) }

(* right bounded access *)
parameter rbound_acc_: 
  alloc:'t alloc_table -> m: ('t,'v) memory -> p:'t pointer -> 
  off:int -> rb:int -> 
  { offset_min(alloc,p) <= off and off <= rb }
  'v 
  { result = select(m,shift(p,off)) }

(* right bounded access with safe right bound *)
parameter rsafe_rbound_acc_: 
  alloc:'t alloc_table -> m: ('t,'v) memory -> p:'t pointer -> 
  off:int -> 
  { offset_min(alloc,p) <= off }
  'v 
  { result = select(m,shift(p,off)) }

(* normal update *)
parameter upd_: 
  alloc:'t alloc_table -> m: ('t,'v) memory ref -> p:'t pointer -> v:'v ->
  { offset_min(alloc,p) <= 0 and 0 <= offset_max(alloc,p) }
  (* and select(mutable,p) = true *)
  unit
  reads m (* ,mutable *)
  writes m
  { m = store(m@,p,v) }

(* offset update *)
parameter offset_upd_: 
  alloc:'t alloc_table -> m: ('t,'v) memory ref -> p:'t pointer ->
   off:int -> v:'v ->
  { offset_min(alloc,p) <= off and off <= offset_max(alloc,p) }
  (* and select(mutable,p) = true *)
  unit
  reads m (* ,mutable *)
  writes m
  { m = store(m@,shift(p,off),v) }

(* safe update *)
parameter safe_upd_: m: ('t,'v) memory ref -> p:'t pointer -> v:'v ->
  { (* select(mutable,p) = true *) }
  unit
  reads m (* ,mutable *) 
  writes m
  { m = store(m@,p,v) }

(* bounded update *)
parameter bound_upd_: 
  m: ('t,'v) memory ref -> p:'t pointer -> off:int -> lb:int -> rb:int -> 
  v:'v ->
  { lb <= off and off <= rb }
  unit
  reads m
  writes m
  { m = store(m@,shift(p,off),v) }

(* bounded update with safe left bound *)
(* unused
parameter lsafe_bound_upd_: 
  m: ('t,'v) memory ref -> p:'t pointer -> off:int -> rb:int -> v:'v ->
  { off <= rb }
  unit
  reads m
  writes m
  { m = store(m@,shift(p,off),v) }
*)

(* bounded update with safe right bound *)
parameter rsafe_bound_upd_: 
  m: ('t,'v) memory ref -> p:'t pointer -> off:int -> lb:int -> v:'v ->
  { lb <= off }
  unit
  reads m
  writes m
  { m = store(m@,shift(p,off),v) }

(* left bounded update *)
parameter lbound_upd_: 
  alloc:'t alloc_table -> m: ('t,'v) memory ref -> p:'t pointer -> 
  off:int -> lb:int -> v:'v ->
  { lb <= off and off <= offset_max(alloc,p) }
  unit
  reads m
  writes m
  { m = store(m@,shift(p,off),v) }

(* left bounded update with safe left bound *)
parameter lsafe_lbound_upd_: 
  alloc:'t alloc_table -> m: ('t,'v) memory ref -> p:'t pointer -> 
  off:int -> v:'v ->
  { off <= offset_max(alloc,p) }
  unit
  reads m
  writes m
  { m = store(m@,shift(p,off),v) }

(* right bounded update *)
parameter rbound_upd_: 
  alloc:'t alloc_table -> m: ('t,'v) memory ref -> p:'t pointer -> 
  off:int -> rb:int -> v:'v ->
  { offset_min(alloc,p) <= off and off <= rb }
  unit
  reads m
  writes m
  { m = store(m@,shift(p,off),v) }

(* right bounded update with safe right bound *)
parameter rsafe_rbound_upd_: 
  alloc:'t alloc_table -> m: ('t,'v) memory ref -> p:'t pointer -> 
  off:int -> v:'v ->
  { offset_min(alloc,p) <= off }
  unit
  reads m
  writes m
  { m = store(m@,shift(p,off),v) }


(*****************************************************************************)
(* memory locations, not_assigns predicate, separation                       *)
(*****************************************************************************)

type 't pset

logic pset_empty: 't pset
logic pset_singleton: 't pointer -> 't pset
logic pset_deref: ('t,'v pointer) memory, 't pset -> 'v pset
logic pset_union: 't pset, 't pset -> 't pset
logic pset_all: 'z pset -> 'z pset (* l(..) *)
logic pset_range: 't pset, int, int -> 't pset (* l(a..b) *)
logic pset_range_left: 'z pset, int -> 'z pset (* l(..b) *)
logic pset_range_right: 'z pset, int -> 'z pset (* l(a..) *)

logic in_pset: 't pointer, 't pset -> prop
logic valid_pset: 't alloc_table, 't pset -> prop

predicate pset_disjoint(ps1:'t pset, ps2:'t pset) =
  forall p:'t pointer.
    not (in_pset(p,ps1) and in_pset(p,ps2))

predicate pset_included(ps1:'t pset, ps2:'t pset) =
  forall p:'t pointer.
    in_pset(p,ps1) -> in_pset(p,ps2)

axiom pset_included_self:
  forall ps:'t pset. pset_included(ps,ps)

axiom pset_included_range:
  forall ps:'t pset. forall a:int. forall b:int. forall c:int. forall d:int
  [pset_included(pset_range(ps,a,b),pset_range(ps,c,d))].
    c <= a and b <= d -> 
      pset_included(pset_range(ps,a,b),pset_range(ps,c,d))

axiom pset_included_range_all:
  forall ps:'t pset. forall a:int. forall b:int. forall c:int. forall d:int
  [pset_included(pset_range(ps,a,b),pset_range(ps,c,d))].
    pset_included(pset_range(ps,a,b),pset_all(ps))

axiom in_pset_empty:
  forall p:'t pointer. not in_pset(p,pset_empty)

axiom in_pset_singleton:
  forall p:'t pointer. 
  forall q:'t pointer.
    in_pset(p,pset_singleton(q)) <-> p=q

axiom in_pset_deref:
  forall p:'v pointer. 
  forall m:('t,'v pointer) memory.
  forall q:'t pset.
    in_pset(p,pset_deref(m,q)) <-> 
	exists r:'t pointer. in_pset(r,q) and p = select(m,r)

axiom in_pset_all:
  forall p:'t pointer. 
  forall q:'t pset.
    in_pset(p,pset_all(q)) <-> 
	exists i:int. exists r:'t pointer.
          in_pset(r,q) and p=shift(r,i)

axiom in_pset_range:
  forall p:'t pointer. 
  forall q:'t pset.
  forall a:int. forall b:int.
    in_pset(p,pset_range(q,a,b)) <-> 
	exists i:int. exists r:'t pointer.
          a <= i and i <= b and in_pset(r,q) and p=shift(r,i)

axiom in_pset_range_left:
  forall p:'t pointer. 
  forall q:'t pset.
  forall b:int.
    in_pset(p,pset_range_left(q,b)) <-> 
	exists i:int. exists r:'t pointer.
          i <= b and in_pset(r,q) and p=shift(r,i)

axiom in_pset_range_right:
  forall p:'t pointer. 
  forall q:'t pset.
  forall a:int.
    in_pset(p,pset_range_right(q,a)) <-> 
	exists i:int. exists r:'t pointer.
          a <= i and in_pset(r,q) and p=shift(r,i)

axiom in_pset_union:
  forall p:'t pointer. 
  forall s1:'t pset.
  forall s2:'t pset.
    in_pset(p,pset_union(s1,s2)) <-> in_pset(p,s1) or in_pset(p,s2)

axiom valid_pset_empty:
  forall a:'t alloc_table. valid_pset(a,pset_empty)

axiom valid_pset_singleton:
  forall a:'t alloc_table. 
  forall p:'t pointer. 
    valid_pset(a,pset_singleton(p)) <-> valid(a,p)

axiom valid_pset_deref:
  forall a:'v alloc_table. 
  forall m:('t,'v pointer) memory.
  forall q:'t pset.
    valid_pset(a,pset_deref(m,q)) <-> 
      forall r:'t pointer. forall p:'v pointer. 
        in_pset(r,q) and p = select(m,r) -> valid(a,p)

axiom valid_pset_range:
  forall a:'t alloc_table. 
  forall q:'t pset.
  forall c:int. forall d:int.
    valid_pset(a,pset_range(q,c,d)) <-> 
	forall i:int. forall r:'t pointer. 
          in_pset(r,q) and c <= i and i <= d -> valid(a,shift(r,i))

axiom valid_pset_union:
  forall a:'t alloc_table. 
  forall s1:'t pset.
  forall s2:'t pset.
    valid_pset(a,pset_union(s1,s2)) <-> valid_pset(a,s1) and valid_pset(a,s2)
 
predicate not_assigns 
  (a:'t alloc_table, m1:('t,'v) memory, m2:('t,'v) memory, l:'t pset) =
    forall p:'t pointer. 
      valid(a,p) and not in_pset(p,l) -> select(m2,p)=select(m1,p)

axiom not_assigns_refl:
  forall a: 't alloc_table. 
  forall m: ('t,'v) memory.
  forall l:'t pset.
    not_assigns(a,m,m,l)

axiom not_assigns_trans:
  forall a: 't alloc_table. 
  forall m1: ('t,'v) memory.
  forall m2: ('t,'v) memory.
  forall m3: ('t,'v) memory.
  forall l:'t pset [not_assigns(a,m1,m2,l), not_assigns(a,m1,m3,l)] .
    not_assigns(a,m1,m2,l) ->
    not_assigns(a,m2,m3,l) ->
    not_assigns(a,m1,m3,l) 

logic full_separated: 't1 pointer, 't2 pointer -> prop

axiom full_separated_shift1:
  forall p: 'z pointer. forall q: 'z pointer.
    forall i: int [full_separated(p,q),shift(q,i)].
      full_separated(p,q) -> full_separated(p,shift(q,i))

axiom full_separated_shift2:
  forall p: 'z pointer. forall q: 'z pointer. 
    forall i: int [full_separated(p,q),shift(q,i)].
      full_separated(p,q) -> full_separated(shift(q,i),p)

axiom full_separated_shift3:
  forall p: 'z pointer. forall q: 'z pointer. 
    forall i: int [full_separated(q,p),shift(q,i)].
      full_separated(q,p) -> full_separated(shift(q,i),p)

axiom full_separated_shift4:
  forall p: 'z pointer. forall q: 'z pointer.
    forall i: int [full_separated(q,p),shift(q,i)].
      full_separated(q,p) -> full_separated(p,shift(q,i))


(*****************************************************************************)
(* lattice of structures                                                     *)
(*****************************************************************************)

(*****
typeof gives the dynamic type of an object.

parenttag is defined by axioms in jc_interp, and defines the hierarchy.
  parenttag(t1, t2) <-> t2 is the immediate superclass of t1

subtag is axiomatized from parenttag, and is the reflexive, transitive
  closure of parenttag.

subtag_ is the same as subtag but for booleans.

instanceof is defined from typeof and subtag.

int_of_tag gives a different integer to each tags to differenciate them.
*****)

type 't tag_table

type 't tag_id

logic int_of_tag: 't tag_id -> int

logic typeof: 't tag_table, 't pointer -> 't tag_id

logic parenttag: 't tag_id, 't tag_id -> prop

logic subtag: 't tag_id, 't tag_id -> prop

logic subtag_bool: 't tag_id, 't tag_id -> bool

axiom subtag_bool_def:
  forall t1: 't tag_id.
  forall t2: 't tag_id.
    subtag_bool(t1, t2) = true <-> subtag(t1, t2)

axiom subtag_refl:
  forall t: 't tag_id.
    subtag(t, t)

axiom subtag_parent:
  forall t1: 't tag_id.
  forall t2: 't tag_id.
  forall t3: 't tag_id.
    subtag(t1, t2) -> parenttag(t2, t3) -> subtag(t1, t3)

predicate instanceof (a: 't tag_table, p: 't pointer, t: 't tag_id) =
  subtag(typeof(a, p), t)

parameter instanceof_: 
  a:'t tag_table -> p:'t pointer -> s:'t tag_id ->
  { } 
  bool 
  { if result then instanceof(a,p,s) else not instanceof(a,p,s) }

logic downcast: 't tag_table, 't pointer, 't tag_id -> 't pointer

axiom downcast_instanceof:
  forall a:'t tag_table.
  forall p:'t pointer.
  forall s:'t tag_id.
   instanceof(a,p,s) -> downcast(a,p,s)=p

parameter downcast_: 
  a:'t tag_table -> p:'t pointer -> s:'t tag_id ->
  { instanceof(a,p,s) } 
  't pointer 
  { result=p }

parameter safe_downcast_: 
  a:'t tag_table -> p:'t pointer -> s:'t tag_id ->
  { } 
  't pointer 
  { result=p }

logic bottom_tag: 'a tag_id

axiom bottom_tag_axiom:
  forall t: 't tag_id.
    subtag(t, bottom_tag)

predicate root_tag(t: 't tag_id) = parenttag(t, bottom_tag)

axiom root_subtag:
  forall a: 't tag_id.
  forall b: 't tag_id.
  forall c: 't tag_id.
    root_tag(a) -> root_tag(b) -> a <> b -> subtag(c, a) -> not subtag(c, b)

(*****************************************************************************)
(* structure invariants                                                      *)
(*****************************************************************************)

predicate fully_packed(
  tag_table: 'a tag_table,
  mutable: ('a, 'a tag_id) memory,
  this: 'a pointer) =
    select(mutable, this) = typeof(tag_table, this)


(*****************************************************************************)
(* default values                                                            *)
(*****************************************************************************)

parameter any_pointer: unit -> {} 'z pointer { true }

parameter any_memory: unit -> {} ('t,'v) memory { true }

parameter any_alloc_table: unit -> {} 't alloc_table { true }

parameter any_tag_table: unit -> {} 't tag_table { true }


(*****************************************************************************)
(* bitwise operations                                                        *)
(*****************************************************************************)
(* TODO: use bitvector.why instead *)

logic bw_compl: int -> int

logic bw_and: int,int -> int

(* Yannick: added for CVE-2003-0161-min-ok *)
axiom bw_and_not_null:
  forall a:int. forall b:int. bw_and(a,b) <> 0 -> a <> 0 and b <> 0

logic bw_xor: int,int -> int

logic bw_or: int,int -> int

(* logical left shift *)

logic lsl: int,int -> int

axiom lsl_left_positive_returns_positive:
  forall a:int. forall b:int. 0 <= a and 0 <= b -> 0 <= lsl(a,b)

axiom lsl_left_positive_monotone:
  forall a1:int. forall a2:int. forall b:int. 
    0 <= a1 and a1 <= a2 and 0 <= b -> lsl(a1,b) <= lsl(a2,b)

(* logical right shift *)

logic lsr: int,int -> int

axiom lsr_left_positive_returns_positive:
  forall a:int. forall b:int. 0 <= a and 0 <= b -> 0 <= lsr(a,b)

axiom lsr_left_positive_decreases:
  forall a:int. forall b:int. 0 <= a and 0 <= b -> lsr(a,b) <= a

(* arithmetic right shift *)

logic asr: int,int -> int

axiom asr_positive_on_positive:
  forall a:int. forall b:int. 0 <= a and 0 <= b -> 0 <= asr(a,b)

axiom asr_decreases_on_positive:
  forall a:int. forall b:int. 0 <= a and 0 <= b -> asr(a,b) <= a

(* combining shifts *)

axiom asr_lsr_same_on_positive:
  forall a:int. forall b:int. 0 <= a and 0 <= b -> asr(a,b) = lsr(a,b)

axiom lsl_of_lsr_decreases_on_positive:
  forall a:int. forall b:int. 0 <= a and 0 <= b -> lsl(lsr(a,b),b) <= a

axiom lsr_of_lsl_identity_on_positive:
  forall a:int. forall b:int. 0 <= a and 0 <= b -> lsr(lsl(a,b),b) = a

(*****************************************************************************)
(* dynamic allocation/deallocation                                           *)
(*****************************************************************************)

logic alloc_extends: 't alloc_table, 't alloc_table -> prop

predicate alloc_fresh(a:'t alloc_table, p:'t pointer, n:int) = 
  forall i:int. 0 <= i and i < n -> not valid(a,shift(p,i))

axiom alloc_extends_offset_min: 
  forall a1:'t alloc_table. forall a2:'t alloc_table [alloc_extends(a1,a2)]. 
    alloc_extends(a1,a2) -> 
      forall p:'t pointer. 
        valid(a1,p) -> offset_min(a1,p) = offset_min(a2,p)

axiom alloc_extends_offset_max: 
  forall a1:'t alloc_table. forall a2:'t alloc_table [alloc_extends(a1,a2)]. 
    alloc_extends(a1,a2) -> 
      forall p:'t pointer.
        valid(a1,p) -> offset_max(a1,p) = offset_max(a2,p)

axiom alloc_extends_not_assigns_empty: 
  forall a1:'t alloc_table. forall a2:'t alloc_table. 
  forall m1: ('t,'v) memory. forall m2: ('t,'v) memory. 
  forall l:'t pset. forall p:'t pointer. forall n:int
  [alloc_extends(a1,a2),alloc_fresh(a1,p,n),not_assigns(a2,m1,m2,l)].
    alloc_extends(a1,a2) and alloc_fresh(a1,p,n) and not_assigns(a2,m1,m2,l)
    and pset_included(l,pset_all(pset_singleton(p))) -> 
      not_assigns(a1,m1,m2,pset_empty)

(*
axiom alloc_fresh_def:
  forall a:'t alloc_table. forall p:'t pointer [alloc_fresh(a,p)]. 
    alloc_fresh(a,p) -> 
      forall q:'t pset.
        valid_pset(a,q) -> not in_pset(p,q)
*)

logic alloc_extends_except: 't alloc_table, 't alloc_table, 't pset -> prop

axiom alloc_extends_except_offset_min:
 forall a1:'t alloc_table. forall a2:'t alloc_table. forall l:'t pset
 [alloc_extends_except(a1,a2,l)].
   alloc_extends_except(a1,a2,l) ->
     forall p:'t pointer.
       valid(a1,p) and not in_pset(p,l) -> offset_min(a1,p) = offset_min(a2,p)

axiom alloc_extends_except_offset_max:
 forall a1:'t alloc_table. forall a2:'t alloc_table. forall l:'t pset
 [alloc_extends_except(a1,a2,l)].
   alloc_extends_except(a1,a2,l) ->
     forall p:'t pointer.
       valid(a1,p) and not in_pset(p,l) -> offset_max(a1,p) = offset_max(a2,p)

parameter alloc_parameter_ownership: 
  a:'t alloc_table ref -> mut:('t,'t tag_id) memory ref ->
  com:('t,bool) memory ref -> at:'t tag_table ref -> s:'t tag_id -> n:int -> 
  { n > 0 }
  't pointer 
  reads mut, com
  writes a, at
  { alloc_extends(a@,a) and alloc_fresh(a@,result,n)
    and offset_min(a,result) = 0 and offset_max(a,result) = n-1 
    and instanceof(at,result,s) and select(mut,result) = bottom_tag 
    and select(com,result) = false }

parameter free_parameter_ownership: 
  a:'t alloc_table ref -> com:('t,bool) memory ref -> p:'t pointer -> 
  { (*Cannot express yet offset_min(a,p) = 0 and*) offset_max(a,p) >= 0 
	and select(com,p) = false }
  unit
  reads com
  writes a
  { offset_max(a,p) < offset_min(a,p) }

(* With -inv-sem <> ownership *)

parameter alloc_parameter: 
  a:'t alloc_table ref -> at:'t tag_table ref -> s:'t tag_id -> n:int -> 
  { n > 0 }
  't pointer 
  writes a, at
  { alloc_extends(a@,a) and alloc_fresh(a@,result,n)
    and offset_min(a,result) = 0 and offset_max(a,result) = n-1 
    and instanceof(at,result,s) }

parameter safe_alloc_parameter: 
  a:'t alloc_table ref -> at:'t tag_table ref -> s:'t tag_id -> n:int -> 
  { }
  't pointer 
  writes a, at
  { alloc_extends(a@,a) and alloc_fresh(a@,result,n)
    and offset_min(a,result) = 0 and offset_max(a,result) = n-1 
    and instanceof(at,result,s) }

parameter free_parameter: 
  a:'t alloc_table ref -> p:'t pointer -> 
  { p = null (* allowed, see man 3 free *) or
  (*Cannot express yet offset_min(a,p) = 0 and*) offset_max(a,p) >= 0 }
  unit
  writes a
  { (p = null -> a = a@) and (p <> null ->
     alloc_extends_except(a@,a,pset_range(pset_singleton(p),0,offset_max(a@,p)))
     and offset_max(a,p) < offset_min(a,p)) }

parameter safe_free_parameter: 
  a:'t alloc_table ref -> p:'t pointer -> 
  { }
  unit
  writes a
  { alloc_extends_except(a@,a,pset_range(pset_singleton(p),0,offset_max(a@,p)))
    and offset_max(a,p) < offset_min(a,p) }


(*****************************************************************************)
(* exceptions for control flow handling                                      *)
(*****************************************************************************)

exception Return


(* Frame predicate *)
(* Logic definitions used for separation pragma *)
(* For in *)
type 'a mybag

logic in_mybag : 'a,'a mybag -> prop

logic disj_mybag : 'a mybag, 'a mybag -> prop

axiom disj_sym : forall s1,s2 : 'a mybag[disj_mybag(s1,s2)]. disj_mybag(s1,s2) -> disj_mybag(s2,s1)

logic sub_mybag : 'a mybag, 'a mybag -> prop

(* Ne doit plus servir en théorie *)
axiom sub_refl :
      forall sa : 'a pointer mybag[sub_mybag(sa,sa)].
      sub_mybag(sa,sa)

axiom sub_disj : forall s1,s2,s3 : 'a mybag
      [disj_mybag(s1,s2),sub_mybag(s2,s3)|disj_mybag(s1,s3),sub_mybag(s2,s3)].
      disj_mybag(s1,s3) -> sub_mybag(s2,s3) -> disj_mybag(s1,s2)

axiom sub_in : forall s1,s2 : 'a mybag. forall p : 'a
      [in_mybag(p,s1),sub_mybag(s1,s2)|in_mybag(p,s2),sub_mybag(s1,s2)].
      (not in_mybag(p,s2)) -> sub_mybag(s1,s2) -> (not in_mybag(p,s1))


axiom sub_sub : forall s1,s2,s3: 'a mybag
  [sub_mybag(s1,s3), sub_mybag(s2,s3)|sub_mybag(s1,s3), sub_mybag(s1,s2)].
      sub_mybag(s1,s2) -> sub_mybag(s2,s3) -> sub_mybag(s1,s3)

(* for the frame_rule *)

(* footprint, memory after, memory before *)
logic frame_between : 'a pointer mybag, ('a,'b) memory, ('a,'b) memory -> prop

axiom frame_between_refl :
      forall sa : 'a pointer mybag.
      forall m : ('a,'b) memory[frame_between(sa,m,m)].
      frame_between(sa,m,m)

axiom frame_between_gen :
      forall sa : 'a pointer mybag.
      forall m1,m2 : ('a,'b) memory.
      forall p : 'a pointer.
      forall v : 'b[frame_between(sa,m1,store(m2,p,v))].
      frame_between(sa,m1,m2) -> in_mybag(p,sa) -> 
      frame_between(sa,store(m1,p,v),m2)

axiom frame_between_gen2 :
      forall sa : 'a pointer mybag.
      forall m1,m2,m3 : ('a,'b) memory
      [frame_between(sa,m1,m2),frame_between(sa,m1,m3)|
       frame_between(sa,m2,m3),frame_between(sa,m1,m3)].
      frame_between(sa,m1,m2) -> frame_between(sa,m2,m3) ->
      frame_between(sa,m1,m3)

axiom frame_between_gen_sub1 :
      forall s12,s23,s13 : 'a pointer mybag.
      forall m1,m2,m3 : ('a,'b) memory
      [frame_between(s12,m1,m2),frame_between(s13,m1,m3)].
      sub_mybag(s12,s13) -> frame_between(s12,m1,m2) ->
      frame_between(s23,m2,m3) ->
      frame_between(s13,m1,m3)

axiom frame_between_gen_sub2 :
      forall s12,s23,s13 : 'a pointer mybag.
      forall m1,m2,m3 : ('a,'b) memory
      [frame_between(s23,m2,m3),frame_between(s13,m1,m3)].
      frame_between(s12,m1,m2) ->
      sub_mybag(s23,s13) -> frame_between(s23,m2,m3) ->
      frame_between(s13,m1,m3)

axiom frame_between_pointer :
      forall sa : 'a pointer mybag.
      forall m1,m2 : ('a,'b) memory.
      forall p : 'a pointer.
      forall v : 'b[frame_between(sa,m1,m2),select(m1,p)|
                    frame_between(sa,m1,m2),select(m2,p)].
      frame_between(sa,m1,m2) -> not in_mybag(p,sa) -> 
      select(m1,p) = select(m2,p)

axiom frame_between_sub :
      forall sa : 'a pointer mybag.
      forall sb : 'a pointer mybag.
      forall m1,m2 : ('a,'b) memory
      [frame_between(sa,m1,m2),sub_mybag(sa,sb)].
      frame_between(sa,m1,m2) -> sub_mybag(sa,sb) ->
      frame_between(sb,m1,m2)why-2.34/lib/why/mix.why0000644000175000017500000000031212311670312013514 0ustar  rtusers
include "arrays.why"

(* MIX model *)

parameter mem : int array

parameter a,x,i1,i2,i3,i4,i5,i6 : int ref

parameter cmp : int ref
parameter cmp_ : x:int -> y:int -> {} unit writes cmp { cmp = x-y }
why-2.34/lib/why/jessie_bitvectors.why0000644000175000017500000001467712311670312016470 0ustar  rtusers

(*****************************************************************************)
(* bitvectors                                                                *)
(*****************************************************************************)

include "jessie.why"

type bitvector

logic concat_bitvector: bitvector, bitvector -> bitvector

(* offsets in bytes *)

logic offset_min_bytes: 't alloc_table, 't pointer, int -> int
logic offset_max_bytes: 't alloc_table, 't pointer, int -> int

axiom offset_min_bytes_def:
  forall a:'t alloc_table. forall p:'t pointer. forall s:int
  [offset_min_bytes(a,p,s)].
    0 < s ->
      offset_min(a,p) <= s * offset_min_bytes(a,p,s)
      and s * offset_min_bytes(a,p,s) - s < offset_min(a,p)

axiom offset_max_bytes_def:
  forall a:'t alloc_table. forall p:'t pointer. forall s:int
  [offset_max_bytes(a,p,s)].
    0 < s ->
      s * offset_max_bytes(a,p,s) + s - 1 <= offset_max(a,p)
      and offset_max(a,p) < s * offset_max_bytes(a,p,s) + s + s - 1

(* encoding of unions *)

logic extract_bytes: bitvector, int, int -> bitvector
      (* extract_bytes(v,i,j) returns the subvector of v between i and j *) 
logic replace_bytes: bitvector, int, int, bitvector -> bitvector
      (* replace_bytes(v,i,j,w) returns the vector v obtained
        by putting w between i and j *) 

axiom select_store_eq_union:
  forall o1:int. forall s1:int. forall o2:int. forall s2:int.
  forall v1:bitvector. forall v2:bitvector
  [extract_bytes(replace_bytes(v1,o1,s1,v2),o2,s2)].
  o1 = o2 and s1 = s2
    -> extract_bytes(replace_bytes(v1,o1,s1,v2),o2,s2) = v2
  (* { v1 with o1..s1 = v2 } [o1..s1] == v2 *)

axiom select_store_neq_union:
  forall o1:int. forall s1:int. forall o2:int. forall s2:int.
  forall v1:bitvector. forall v2:bitvector
  [extract_bytes(replace_bytes(v1,o1,s1,v2),o2,s2)].
  (o2 + s2 <= o1 or o1 + s2 <= o2)
    -> extract_bytes(replace_bytes(v1,o1,s1,v2),o2,s2)
       = extract_bytes(v1,o2,s2)

axiom concat_replace_bytes_up:
  forall o1:int. forall s1:int. forall o2:int. forall s2:int.
  forall v1:bitvector. forall v2:bitvector. forall v3:bitvector
  [replace_bytes(replace_bytes(v1,o1,s1,v2),o2,s2,v3)].
    o1 + s1 = o2
    -> replace_bytes(replace_bytes(v1,o1,s1,v2),o2,s2,v3)
       = replace_bytes(v1,o1,s1+s2,concat_bitvector(v2,v3))

axiom concat_replace_bytes_down:
  forall o1:int. forall s1:int. forall o2:int. forall s2:int.
  forall v1:bitvector. forall v2:bitvector. forall v3:bitvector
  [replace_bytes(replace_bytes(v1,o1,s1,v2),o2,s2,v3)].
    o2 + s2 = o1
    -> replace_bytes(replace_bytes(v1,o1,s1,v2),o2,s2,v3)
       = replace_bytes(v1,o2,s1+s2,concat_bitvector(v3,v2))

axiom concat_extract_bytes:
  forall o1:int. forall s1:int. forall o2:int. forall s2:int.
  forall v:bitvector
  [concat_bitvector(extract_bytes(v,o1,s1),extract_bytes(v,o2,s2))].
    o1 + s1 = o2
    -> concat_bitvector(extract_bytes(v,o1,s1),extract_bytes(v,o2,s2))
       = extract_bytes(v,o1,s1+s2)

(* encoding of byte-level accesses *)

logic select_bytes:
      ('t,bitvector) memory, 't pointer, int, int -> bitvector
logic store_bytes:
      ('t,bitvector) memory, 't pointer, int, int, bitvector
      -> ('t,bitvector) memory

axiom select_store_eq_bytes:
  forall m:('t,bitvector) memory.
  forall p1:'t pointer. forall p2:'t pointer.
  forall o1:int. forall s1:int. forall o2:int. forall s2:int.
  forall v:bitvector
  [select_bytes(store_bytes(m,p1,o1,s1,v),p2,o2,s2)].
    p1 = p2 and o1 = o2 and s1 = s2
    -> select_bytes(store_bytes(m,p1,o1,s1,v),p2,o2,s2) = v

axiom select_store_neq_bytes:
  forall m:('t,bitvector) memory.
  forall p1:'t pointer. forall p2:'t pointer.
  forall o1:int. forall s1:int. forall o2:int. forall s2:int.
  forall v:bitvector
  [select_bytes(store_bytes(m,p1,o1,s1,v),p2,o2,s2)].
    pset_disjoint(pset_range(pset_singleton(p1),o1,o1+s1),
                  pset_range(pset_singleton(p2),o2,o2+s2))
    -> select_bytes(store_bytes(m,p1,o1,s1,v),p2,o2,s2)
       = select_bytes(m,p2,o2,s2)

axiom shift_store_bytes:
  forall m:('t,bitvector) memory.
  forall p:'t pointer.
  forall i:int. forall o:int. forall s:int.
  forall v:bitvector
  [store_bytes(m,shift(p,i),o,s,v)].
    store_bytes(m,shift(p,i),o,s,v) = store_bytes(m,p,o+i,s,v)

axiom shift_select_bytes:
  forall m:('t,bitvector) memory.
  forall p:'t pointer.
  forall i:int. forall o:int. forall s:int.
  forall v:bitvector
  [select_bytes(m,shift(p,i),o,s)].
    select_bytes(m,shift(p,i),o,s) = select_bytes(m,p,o+i,s)

axiom concat_store_bytes_up:
  forall m:('t,bitvector) memory.
  forall p:'t pointer.
  forall o1:int. forall s1:int. forall o2:int. forall s2:int.
  forall v1:bitvector. forall v2:bitvector
  [store_bytes(store_bytes(m,p,o1,s1,v1),p,o2,s2,v2)].
    o1 + s1 = o2
    -> store_bytes(store_bytes(m,p,o1,s1,v1),p,o2,s2,v2)
       = store_bytes(m,p,o1,s1+s2,concat_bitvector(v1,v2))

axiom concat_store_bytes_down:
  forall m:('t,bitvector) memory.
  forall p:'t pointer.
  forall o1:int. forall s1:int. forall o2:int. forall s2:int.
  forall v1:bitvector. forall v2:bitvector
  [store_bytes(store_bytes(m,p,o1,s1,v1),p,o2,s2,v2)].
    o2 + s2 = o1
    -> store_bytes(store_bytes(m,p,o1,s1,v1),p,o2,s2,v2)
       = store_bytes(m,p,o2,s1+s2,concat_bitvector(v2,v1))

axiom concat_select_bytes:
  forall m:('t,bitvector) memory.
  forall p:'t pointer.
  forall o1:int. forall s1:int. forall o2:int. forall s2:int
  [concat_bitvector(select_bytes(m,p,o1,s1),select_bytes(m,p,o2,s2))].
    o1 + s1 = o2
    -> concat_bitvector(select_bytes(m,p,o1,s1),select_bytes(m,p,o2,s2))
       = select_bytes(m,p,o1,s1+s2)

(* access and update side-effect functions *)

parameter acc_bytes_:
  a:'t alloc_table -> m:('t,bitvector) memory -> p:'t pointer ->
  o:int -> s:int ->
  { offset_min(a,p) <= o and o + s - 1 <= offset_max(a,p) }
  bitvector
  { result = select_bytes(m,p,o,s) }

parameter safe_acc_bytes_:
  m:('t,bitvector) memory -> p:'t pointer -> o:int -> s:int ->
  { }
  bitvector
  { result = select_bytes(m,p,o,s) }

parameter upd_bytes_:
  a:'t alloc_table -> m:('t,bitvector) memory ref -> p:'t pointer ->
  o:int -> s:int -> v:bitvector ->
  { offset_min(a,p) <= o and o + s - 1 <= offset_max(a,p) }
  unit
  reads m
  writes m
  { m = store_bytes(m@,p,o,s,v) }

parameter safe_upd_bytes_:
  m:('t,bitvector) memory ref -> p:'t pointer ->
  o:int -> s:int -> v:bitvector ->
  { }
  unit
  reads m
  writes m
  { m = store_bytes(m@,p,o,s,v) }

(* conversion functions *)

logic integer_of_bitvector : bitvector -> int
logic bitvector_of_integer : int -> bitvector
logic real_of_bitvector : bitvector -> real
why-2.34/lib/why/divisions.why0000644000175000017500000000254012311670312014733 0ustar  rtusersinclude "integer.why"

(****************************************************************************)
(* division and modulo                                                      *)
(****************************************************************************)

logic computer_div : int, int -> int
logic computer_mod : int, int -> int
logic math_div : int, int -> int
logic math_mod : int, int -> int

parameter computer_div_ : x:int -> y:int ->
  { y<>0 } int { result = computer_div(x,y) }
parameter computer_mod_ : x:int -> y:int ->
  { y<>0 } int { result = computer_mod(x,y) }

axiom math_div_mod:
  forall x,y:int. y <> 0 -> x = y * math_div(x,y) + math_mod(x,y)

axiom math_mod_bound:
  forall x,y:int. y <> 0 -> 0 <= math_mod(x,y) < abs_int(y)

axiom computer_div_mod:
  forall x,y:int [computer_div(x,y), computer_mod(x,y)].
    y <> 0 -> x = y * computer_div(x,y) + computer_mod(x,y)

axiom computer_div_bound:
  forall x,y:int. x >= 0 and  y > 0 -> 0 <= computer_div(x,y) <= x

axiom computer_mod_bound:
  forall x,y:int. y <> 0 -> abs_int(computer_mod(x,y)) < abs_int(y)

axiom computer_mod_sign_pos:
  forall x,y:int. x >= 0 and y <> 0 -> computer_mod(x,y) >= 0

axiom computer_mod_sign_neg:
  forall x,y:int. x <= 0 and y <> 0 -> computer_mod(x,y) <= 0

axiom computer_rounds_toward_zero:
  forall x,y:int. y <> 0 -> abs_int(computer_div(x,y) * y) <= abs_int(x)
why-2.34/lib/why/caduceus_arith.why0000644000175000017500000006100412311670312015707 0ustar  rtusers
(* axiomatization of a memory model in which:
	- validity is checked based on arithmetic predicate
	- allocation table is still used
*)

(* bitwise operations *)
logic bw_compl : int -> int

logic bw_and : int,int -> int

logic bw_xor : int,int -> int

logic bw_or : int,int -> int

logic lsl : int,int -> int

logic lsr : int,int -> int

(* default variable initialisation *)

type 'z pointer

parameter any_pointer: unit -> {} 'z pointer { true }

(* pointer arithmetic *)

type 'z addr
type alloc_table
type ('a, 'z) memory

parameter alloc : alloc_table ref

logic null : 'z pointer

logic base_addr: 'z pointer -> 'z addr
logic offset: 'z pointer -> int
logic shift: 'z pointer,int -> 'z pointer
logic sub_pointer: 'z pointer, 'z pointer -> int
(* [arrlen(a,p)] returns the array length of pointer [p], i.e. the number
   of elements that can be accessed in p[0], p[1], etc. *)
logic arrlen: alloc_table, 'z pointer -> int
(* [strlen(m,p)] returns the string length of pointer [p] in memory [m],
   i.e. the number of non-null elements that can be accessed before 
   some null element (usually a byte). *)
logic strlen: ('a, 'z) memory, 'z pointer -> int
(* [full_separated(p,q)] is true when memory zones for pointers [p] and [q] are
   disjoint. *)
predicate full_separated(p:'z pointer,q:'z pointer) =
  p = null or q = null or base_addr(p) <> base_addr(q)

predicate lt_pointer(p1:'z pointer,p2: 'z pointer) =
  base_addr(p1) = base_addr(p2) and offset(p1) < offset(p2)
predicate le_pointer(p1:'z pointer,p2: 'z pointer) =
  base_addr(p1) = base_addr(p2) and offset(p1) <= offset(p2)
predicate gt_pointer(p1:'z pointer,p2: 'z pointer) =
  base_addr(p1) = base_addr(p2) and offset(p1) > offset(p2)
predicate ge_pointer(p1: 'z pointer,p2: 'z pointer) =
  base_addr(p1) = base_addr(p2) and offset(p1) >= offset(p2)

parameter eq_pointer : 
  p:'z pointer -> q: 'z pointer -> {} bool { if result then p=q else p<>q }
parameter neq_pointer : 
  p: 'z pointer -> q: 'z pointer -> {} bool { if result then p<>q else p=q }

(* a pointer [p] is valid iff its array length is strictly positive *)
predicate valid(a:alloc_table, p: 'z pointer) = 
	arrlen(a,p) > 0

(* an index [i] from a pointer [p] is valid iff [i] is strictly less than 
   its array length, and greater than 0 *)
predicate valid_index(a:alloc_table, p: 'z pointer, i:int) =
	0 <= i < arrlen(a,p)

(* a range [i,j] from a pointer [p] is valid iff both integers are valid 
   indices, and form a range *)
predicate valid_range(a:alloc_table, p: 'z pointer, i:int, j:int) =
	0 <= i <= j < arrlen(a,p)

axiom offset_shift :
(*   forall p: 'z pointer. forall i:int.  *)
  forall p: 'z pointer. forall i:int [offset(shift(p,i))]. 
  offset(shift(p,i)) = offset(p)+i

axiom shift_zero :
(*   forall p: 'z pointer. shift(p,0) = p *)
  forall p: 'z pointer [shift(p,0)]. shift(p,0) = p

axiom shift_shift :
(*   forall p:'z pointer. forall i:int. forall j:int. *)
  forall p:'z pointer. forall i:int. forall j:int [shift(shift(p,i),j)].
  shift(shift(p,i),j) = shift(p,i+j)

axiom base_addr_shift :
(*   forall p:'z pointer. forall i:int. *)
  forall p:'z pointer. forall i:int [base_addr(shift(p,i))].
  base_addr(shift(p,i)) = base_addr(p)

axiom pointer_pair_1 :
  forall p1:'z pointer. forall p2:'z pointer.
  (base_addr(p1) = base_addr(p2) and offset(p1) = offset(p2)) -> p1 = p2

axiom pointer_pair_2 :
  forall p1:'z pointer. forall p2:'z pointer.
  p1 = p2 -> (base_addr(p1) = base_addr(p2) and offset(p1) = offset(p2))

(* the following properties can be proved; here to help Simplify *)
axiom neq_base_addr_neq_shift :
  forall p1:'z pointer. forall p2: 'z pointer.
  forall i:int. forall j:int.
  base_addr(p1) <> base_addr(p2) -> shift(p1,i) <> shift(p2,j)

axiom neq_offset_neq_shift :
  forall p1: 'z pointer. forall p2: 'z pointer.
  forall i:int. forall j:int.
  offset(p1)+i <> offset(p2)+j -> shift(p1,i) <> shift(p2,j)

axiom eq_offset_eq_shift :
  forall p1:'z pointer. forall p2: 'z pointer.
  forall i:int. forall j:int.
  base_addr(p1) = base_addr(p2) -> 
	offset(p1)+i = offset(p2)+j -> shift(p1,i) = shift(p2,j)

axiom valid_index_valid_shift :
  forall a:alloc_table. forall p:'z pointer. forall i:int. 
  valid_index(a,p,i) -> valid(a,shift(p,i))

(* redondant avec le predecent et le suivant, mais utile *)
axiom valid_range_valid_shift :
  forall a:alloc_table. forall p:'z pointer. forall i:int. forall j:int. forall k:int.
  valid_range(a,p,i,j) -> i <= k <= j -> valid(a,shift(p,k))

axiom valid_range_valid :
  forall a:alloc_table. forall p:'z pointer. forall i:int. forall j:int. 
  valid_range(a,p,i,j) -> i <= 0 <= j -> valid(a,p)

axiom valid_range_valid_index :
  forall a:alloc_table. forall p:'z pointer. forall i:int. forall j:int. forall k:int.
  valid_range(a,p,i,j) -> i <= k <= j -> valid_index(a,p,k)

axiom sub_pointer_def :
  forall p1:'z pointer. forall p2:'z pointer.
  base_addr(p1) = base_addr(p2) -> sub_pointer(p1,p2) = offset(p1)-offset(p2)

axiom sub_pointer_self :
  forall p:'z pointer. sub_pointer(p,p) = 0

axiom sub_pointer_shift1 :
  forall p:'z pointer. forall q:'z pointer. forall i:int.
    sub_pointer(shift(p,i),q) = sub_pointer(p,q) + i

axiom sub_pointer_shift2 :
  forall p:'z pointer. forall q:'z pointer. forall i:int.
    sub_pointer(p,shift(q,i)) = sub_pointer(p,q) - i

axiom shift_sub_pointer :
  forall p:'z pointer. forall q:'z pointer [sub_pointer(p,q)].
    p = shift(q,sub_pointer(p,q))

parameter shift_ : p:'z pointer -> i:int -> 
  { } 'z pointer { result = shift(p,i) }

parameter sub_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } int { result = offset(p1) - offset(p2) }

parameter lt_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } bool 
  { if result then offset(p1) < offset(p2) else offset(p1) >= offset(p2) }

parameter le_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } bool 
  { if result then offset(p1) <= offset(p2) else offset(p1) > offset(p2) }

parameter gt_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } bool 
  { if result then offset(p1) > offset(p2) else offset(p1) <= offset(p2) }

parameter ge_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } bool 
  { if result then offset(p1) >= offset(p2) else offset(p1) < offset(p2) }

(* pointer access *)
logic acc: ('a,'z) memory, 'z pointer -> 'a
parameter acc_ : m: ('a,'z) memory ref -> p:'z pointer -> 
  { valid(alloc,p) }
  'a reads alloc,m
  { result = acc(m,p) }
parameter acc_offset : m: ('a,'z) memory ref -> p:'z pointer -> 
	i : int -> n : int ->
  { 0 <= i < n }
  'a reads alloc,m
  { result = acc(m,p) }
parameter safe_acc_ : m: ('a,'z) memory ref -> p:'z pointer -> 
  { }
  'a reads alloc,m
  { result = acc(m,p) }

(* pointer update *)
logic upd: ('a,'z) memory, 'z pointer, 'a -> ('a,'z) memory
parameter upd_ : m:('a,'z) memory ref -> p:'z pointer -> v:'a -> 
  { valid(alloc,p) }
  unit reads alloc,m writes m
  { m = upd(m@,p,v) }
parameter upd_offset : m:('a,'z) memory ref -> p:'z pointer -> v:'a -> i:int ->
	size:int -> 
  { 0<= i < size }
  unit reads alloc,m writes m
  { m = upd(m@,p,v) }
parameter safe_upd_ : m:('a,'z) memory ref -> p:'z pointer -> v:'a -> 
  { }
  unit reads alloc,m writes m
  { m = upd(m@,p,v) }

axiom acc_upd : 
  forall m : ('a,'z) memory. forall p : 'z pointer. forall a: 'a [acc(upd(m,p,a),p)].
    acc(upd(m,p,a),p) = a
 
axiom acc_upd_eq : 
  forall m : ('a,'z) memory. forall p1: 'z pointer. forall p2 : 'z pointer. 
  forall a: 'a [acc(upd(m,p1,a),p2)].
    p1=p2 -> acc(upd(m,p1,a),p2) = a
 
axiom acc_upd_neq : 
  forall m : ('a,'z) memory. forall p1: 'z pointer. forall p2 : 'z pointer. 
  forall a: 'a [acc(upd(m,p1,a),p2)].
    p1 <> p2 -> acc(upd(m,p1,a),p2) = acc(m,p2)

(* axiomatic definition of [arrlen] *)
axiom arrlen_shift :
  forall a:alloc_table. forall p: 'z pointer. 
  forall i:int [arrlen(a,shift(p,i))].
    i >= 0 -> arrlen(a,shift(p,i)) = arrlen(a,p)-i

axiom arrlen_sub_pointer :
  forall a:alloc_table. forall p: 'z pointer. forall q:'z pointer
  [sub_pointer(q,p)].
    0 <= sub_pointer(q,p) -> arrlen(a,q) = arrlen(a,p) - sub_pointer(q,p)

(* axiomatic definition of [strlen] *)
axiom strlen_create :
  forall m : (int,'z) memory. forall p: 'z pointer. 
  forall i:int [strlen(upd(m,shift(p,i),0),p)].
    i >= 0 -> 0 <= strlen(upd(m,shift(p,i),0),p) <= i

axiom strlen_init :
  forall m : (int,'z) memory. forall p: 'z pointer. 
  forall i:int [strlen(upd(m,shift(p,i),0),p)]. 
    i >= 0 and (forall j:int. 0 <= j < i -> acc(m,shift(p,j)) <> 0)
    -> strlen(upd(m,shift(p,i),0),p) = i

axiom strlen_is_zero :
  forall m : (int,'z) memory. 
  forall p: 'z pointer [acc(m,shift(p,strlen(m,p)))]. 
    strlen(m,p) >= 0 -> acc(m,shift(p,strlen(m,p))) = 0

axiom strlen_not_zero :
  forall m : (int,'z) memory. forall p: 'z pointer. 
  forall i:int [strlen(m,p),acc(m,shift(p,i))]. 
    0 <= i <= strlen(m,p) and acc(m,shift(p,i)) <> 0 -> i < strlen(m,p)

axiom strlen_zero :
  forall m : (int,'z) memory. forall p: 'z pointer. 
  forall i:int [strlen(m,p),acc(m,shift(p,i))]. 
    0 <= i <= strlen(m,p) and acc(m,shift(p,i)) = 0 -> i = strlen(m,p)

axiom strlen_shift :
  forall m : ('a,'z) memory. forall p: 'z pointer. 
  forall i:int [strlen(m,shift(p,i))].
  0 <= i -> strlen(m,shift(p,i)) = strlen(m,p)-i

axiom strlen_update_before :
  forall m : ('a,'z) memory. forall p: 'z pointer. 
  forall v:'a. forall i:int [strlen(upd(m,shift(p,i),v),p)]. 
    0 <= i < strlen(m,p) -> strlen(upd(m,shift(p,i),v),p) <= strlen(m,p)

axiom strlen_update_before_not_zero :
  forall m : (int,'z) memory. forall p: 'z pointer. 
  forall v:int. forall i:int [strlen(upd(m,shift(p,i),v),p)]. 
    0 <= i < strlen(m,p) and v <> 0 
      -> strlen(upd(m,shift(p,i),v),p) = strlen(m,p)

axiom strlen_update_zero :
  forall m : (int,'z) memory. forall p: 'z pointer. 
  forall i:int [strlen(upd(m,shift(p,i),0),p)]. 
    0 <= i <= strlen(m,p) -> strlen(upd(m,shift(p,i),0),p) = i

(* axiom linking [arrlen] and [strlen] *)
axiom arrlen_strlen :
  forall a:alloc_table. forall m : ('a,'z) memory. 
  forall p: 'z pointer [strlen(m,p), arrlen(a,p)]. 
    strlen(m,p) >= 0 -> strlen(m,p) < arrlen(a,p)

(* axioms only to help automatic proof *)
axiom full_separated_strlen_upd :
  forall m : ('a,'z) memory. forall p: 'z pointer. forall q : 'z pointer.
    forall v:'a. forall i:int [strlen(upd(m,shift(p,i),v),q)]. 
      full_separated(p,q) -> strlen(upd(m,shift(p,i),v),q) = strlen(m,q)

axiom full_separated_shift1 :
  forall p: 'z pointer. forall q : 'z pointer. forall i: int.
    full_separated(p,q) -> full_separated(p,shift(q,i))

axiom full_separated_shift2 :
  forall p: 'z pointer. forall q : 'z pointer. forall i: int.
    full_separated(p,q) -> full_separated(shift(q,i),p)

axiom full_separated_shift3 :
  forall p: 'z pointer. forall q : 'z pointer. forall i: int.
    full_separated(q,p) -> full_separated(shift(q,i),p)

axiom full_separated_shift4 :
  forall p: 'z pointer. forall q : 'z pointer. forall i: int.
    full_separated(q,p) -> full_separated(p,shift(q,i))

(* min/max *)

logic min: int,int -> int
logic max: int,int -> int

axiom min_below :
  forall i:int. forall j:int. min(i,j) <= i and min(i,j) <= j

axiom min_above :
  forall i:int. forall j:int. min(i,j) >= i or min(i,j) >= j

axiom max_above :
  forall i:int. forall j:int. max(i,j) >= i and max(i,j) >= j

axiom max_below :
  forall i:int. forall j:int. max(i,j) <= i or max(i,j) <= j

(* exceptions *)
exception Break
exception Continue
exception Return
exception Return_int of int
exception Return_real of real
exception Return_pointer (*of 'z pointer*)

(* for Simplify *)

axiom false_not_true : false <> true

(* modeling assigns clauses 
   the type (pset) represents a set of pointers *)

type 'z pset

logic pset_empty : -> 'z pset
logic pset_singleton : 'z pointer -> 'z pset
logic pset_star : 'z pset, ('y pointer,'z) memory -> 'y pset (* *l or l->x *)

logic pset_all : 'z pset -> 'z pset (* l(..) *)
logic pset_range : 'z pset, int, int -> 'z pset (* l(a..b) *)
logic pset_range_left : 'z pset, int -> 'z pset (* l(..b) *)
logic pset_range_right : 'z pset, int -> 'z pset (* l(a..) *)

logic pset_acc_all : 'z pset, ('y pointer,'z) memory -> 'y pset (* l(..) *)
logic pset_acc_range : 'z pset, ('y pointer,'z) memory, int, int -> 'y pset (* l(a..b) *)
logic pset_acc_range_left : 'z pset, ('y pointer,'z) memory, int -> 'y pset (* l(..b) *)
logic pset_acc_range_right : 'z pset, ('y pointer,'z) memory, int -> 'y pset (* l(a..) *)

logic pset_union : 'z pset, 'z pset -> 'z pset

logic not_in_pset : 'z pointer, 'z pset -> prop (* not_in_pset(p,s) = p is not in s *)

predicate not_assigns 
	(a:alloc_table,m1:('a,'z) memory,m2:('a,'z) memory,l:'z pset) =
 forall p:'z pointer.
    valid(a,p) -> not_in_pset(p,l) -> acc(m2,p)=acc(m1,p)

axiom pset_empty_intro :
  forall p:'z pointer. not_in_pset(p, pset_empty)

axiom pset_singleton_intro : 
  forall p1:'z pointer.forall p2:'z pointer [not_in_pset(p1, pset_singleton(p2))].
    p1 <> p2 -> not_in_pset(p1, pset_singleton(p2))

axiom pset_singleton_elim : 
  forall p1:'z pointer. forall p2:'z pointer [not_in_pset(p1, pset_singleton(p2))].
    not_in_pset(p1, pset_singleton(p2)) -> p1 <> p2

axiom not_not_in_singleton :
  forall p:'z pointer. not not_in_pset(p, pset_singleton(p))

axiom pset_union_intro : 
  forall l1:'z pset. forall l2:'z pset. forall p:'z pointer
	[not_in_pset(p, pset_union(l1,l2))].
     not_in_pset(p, l1) and not_in_pset(p, l2) -> 
     not_in_pset(p, pset_union(l1,l2))

axiom pset_union_elim1 : 
  forall l1:'z pset. forall l2:'z pset. forall p:'z pointer
	[not_in_pset(p, pset_union(l1,l2))].
    not_in_pset(p, pset_union(l1,l2)) -> not_in_pset(p,l1) 

axiom pset_union_elim2 : 
  forall l1:'z pset. forall l2:'z pset. forall p:'z pointer
	[not_in_pset(p, pset_union(l1,l2))].
    not_in_pset(p, pset_union(l1,l2)) -> not_in_pset(p,l2)

axiom pset_star_intro :
  forall l:'z pset. forall m:('y pointer,'z) memory. forall p:'y pointer
	[not_in_pset(p, pset_star(l, m))].
    (forall p1:'z pointer. p = acc(m,p1) -> not_in_pset(p1, l)) ->
    not_in_pset(p, pset_star(l, m))

axiom pset_star_elim :
  forall l:'z pset. forall m:('y pointer,'z) memory. forall p:'y pointer
	[not_in_pset(p, pset_star(l, m))].
    not_in_pset(p, pset_star(l, m)) ->
    (forall p1:'z pointer. p = acc(m,p1) -> not_in_pset(p1, l))

(* s(..) *)

axiom pset_all_intro :
  forall p:'z pointer. forall l:'z pset [not_in_pset(p, pset_all(l))].
    (forall p1:'z pointer. 
       (not not_in_pset(p1,l)) -> base_addr(p) <> base_addr(p1)) ->
    not_in_pset(p, pset_all(l))

axiom pset_all_elim :
  forall p:'z pointer. forall l:'z pset [not_in_pset(p, pset_all(l))].
    not_in_pset(p, pset_all(l)) ->
    (forall p1:'z pointer. 
       (not not_in_pset(p1,l)) -> base_addr(p) <> base_addr(p1))

axiom pset_range_intro :
  forall p:'z pointer. forall l:'z pset. forall a:int. forall b:int
	[not_in_pset(p, pset_range(l,a,b))].
    (forall p1:'z pointer. not_in_pset(p1, l) or
	forall i:int. (a <= i <= b) -> (p <> shift(p1,i))) -> 
    not_in_pset(p, pset_range(l,a,b))	

axiom pset_range_elim :
  forall p:'z pointer. forall l:'z pset. forall a:int. forall b:int
	[not_in_pset(p, pset_range(l,a,b))].
    not_in_pset(p, pset_range(l,a,b)) ->
      forall p1:'z pointer. (not not_in_pset(p1, l)) ->
	forall i:int. a <= i <= b -> shift(p1,i) <> p

axiom pset_range_left_intro :
  forall p:'z pointer. forall l:'z pset. forall a:int
	[not_in_pset(p, pset_range_left(l,a))].
    (forall p1:'z pointer. not_in_pset(p1, l) or
	forall i:int. (i <= a) -> (p <> shift(p1,i))) -> 
    not_in_pset(p, pset_range_left(l,a))	

axiom pset_range_left_elim :
  forall p:'z pointer. forall l:'z pset. forall a:int
	[not_in_pset(p, pset_range_left(l,a))]. 
    not_in_pset(p, pset_range_left(l,a)) ->
      forall p1:'z pointer. (not not_in_pset(p1, l)) ->
	forall i:int. i <= a -> shift(p1,i) <> p

axiom pset_range_right_intro :
  forall p:'z pointer. forall l:'z pset. forall a:int
	[not_in_pset(p, pset_range_right(l,a))].
    (forall p1:'z pointer. not_in_pset(p1, l) or
	forall i:int. (a <= i) -> (p <> shift(p1,i))) -> 
    not_in_pset(p, pset_range_right(l,a))	

axiom pset_range_right_elim :
  forall p:'z pointer. forall l:'z pset. forall a:int
	[not_in_pset(p, pset_range_right(l,a))].
    not_in_pset(p, pset_range_right(l,a)) ->
      forall p1:'z pointer. (not not_in_pset(p1, l)) ->
	forall i:int. a <= i -> shift(p1,i) <> p

(* elements of s(..) *)
axiom pset_acc_all_intro :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory
	[not_in_pset(p, pset_acc_all(l, m))].
    (forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> forall i:int. p <> acc(m, shift(p1,i))) ->
    not_in_pset(p, pset_acc_all(l, m))

axiom pset_acc_all_elim :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory
	[not_in_pset(p, pset_acc_all(l, m))].
    not_in_pset(p, pset_acc_all(l, m)) ->
    forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> forall i:int. acc(m, shift(p1,i)) <> p

axiom pset_acc_range_intro :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory. 
  forall a:int. forall b:int [not_in_pset(p, pset_acc_range(l, m, a, b))].
    (forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
      forall i:int. a <= i <= b -> p <> acc(m, shift(p1,i))) ->
    not_in_pset(p, pset_acc_range(l, m, a, b))

axiom pset_acc_range_elim :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory.
  forall a:int. forall b:int.
    not_in_pset(p, pset_acc_range(l, m, a, b)) ->
    forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
	 forall i:int. a <= i <= b -> acc(m, shift(p1,i)) <> p

axiom pset_acc_range_left_intro :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory. 
  forall a:int [not_in_pset(p, pset_acc_range_left(l, m, a))].
    (forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
      forall i:int. i <= a -> p <> acc(m, shift(p1,i))) ->
    not_in_pset(p, pset_acc_range_left(l, m, a))

axiom pset_acc_range_left_elim :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory.
  forall a:int [not_in_pset(p, pset_acc_range_left(l, m, a))].
    not_in_pset(p, pset_acc_range_left(l, m, a)) ->
    forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
	 forall i:int. i <= a -> acc(m, shift(p1,i)) <> p

axiom pset_acc_range_right_intro :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory. 
  forall a:int [not_in_pset(p, pset_acc_range_right(l, m, a))].
    (forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
      forall i:int. a <= i -> p <> acc(m, shift(p1,i))) ->
    not_in_pset(p, pset_acc_range_right(l, m, a))

axiom pset_acc_range_right_elim :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory.
  forall a:int [not_in_pset(p, pset_acc_range_right(l, m, a))].
    not_in_pset(p, pset_acc_range_right(l, m, a)) ->
    forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
	 forall i:int. a <= i -> acc(m, shift(p1,i)) <> p

(* lemmas on not_assigns *)

axiom not_assigns_trans :
  forall a:alloc_table. forall l:'z pset. 
  forall m1:('a,'z) memory. forall m2:('a,'z) memory. forall m3: ('a,'z) memory.
  not_assigns(a,m1,m2,l) -> not_assigns(a,m2,m3,l) -> not_assigns(a,m1,m3,l)

axiom not_assigns_refl :
  forall a:alloc_table. forall l:'z pset. 
  forall m:('a,'z) memory. not_assigns(a,m,m,l)

(* validity *)

predicate valid_acc(m1: ('y pointer,'z) memory) =
	forall p : 'z pointer. forall a : alloc_table.
	valid(a,p) -> valid(a,acc(m1, p)) 

predicate valid_acc_range (m1: ('y pointer,'z) memory, size : int) =
	forall p : 'z pointer. forall a : alloc_table.
	valid(a,p) -> valid_range (a,acc (m1, p), 0, size-1) 

axiom valid_acc_range_valid : 
  forall m1: ('y pointer,'z) memory.
  forall size : int. forall p : 'z pointer. forall a : alloc_table.
  valid_acc_range(m1,size) -> valid(a,p) -> valid(a, acc(m1,p))

(* separation *)

predicate separation1(m1:('y pointer,'z) memory, m2:('y pointer,'z) memory) =
  forall p:'z pointer. forall a : alloc_table.
    valid(a, p) -> base_addr(acc(m1, p)) <> base_addr(acc(m2, p))

predicate separation1_range1(m1:('y pointer,'z) memory,
	m2:('y pointer,'z) memory, size : int) =
	forall p : 'z pointer.forall a : alloc_table.
	valid(a,p) -> forall i : int . 0 <= i < size ->
	base_addr(acc(m1,(shift (p,i)))) <> base_addr(acc(m2, p))	

predicate separation1_range(m:('y pointer,'z) memory, size:int) =
	forall p : 'z pointer.forall a : alloc_table.
	valid(a,p) -> forall i1 : int. forall i2 : int. 
	0 <= i1 < size -> 0 <= i2 < size -> i1 <> i2 -> 
	base_addr(acc(m,(shift (p,i1)))) <> base_addr(acc(m,shift (p,i2)))  


predicate separation2(m1:('y pointer,'z) memory, m2:('y pointer,'z) memory) =
  forall p1:'z pointer. forall p2:'z pointer.
    p1 <> p2 -> base_addr(acc(m1, p1)) <> base_addr(acc(m2, p2))
	
predicate separation2_range1(m1:('y pointer,'z) memory,
	m2:('y pointer,'z) memory, size : int) =
	forall p : 'z pointer. forall q : 'z pointer.forall a : alloc_table.
	forall i : int . 0 <= i < size ->
	base_addr(acc(m1,(shift (p,i)))) <> base_addr(acc(m2, q))

(* memory allocation *)

logic on_heap : alloc_table, 'z pointer -> prop
logic on_stack : alloc_table, 'z pointer -> prop

(* fresh(a,p) means that the memory block of p is not allocated in a *)
logic fresh : alloc_table,'z pointer -> prop

axiom fresh_not_valid :
  forall a:alloc_table. forall p:'z pointer. 
    fresh(a,p) -> not(valid(a,p))

axiom fresh_not_valid_shift :
  forall a:alloc_table. forall p:'z pointer. 
    fresh(a,p) -> forall i:int. not(valid(a,shift(p,i)))

axiom fresh_full_separated :
  forall a:alloc_table. forall p:'z pointer. forall q:'z pointer. 
    fresh(a,p) -> valid(a,q) -> full_separated(p,q)

(***
predicate alloc_heap(a1 : alloc_table, a2 : alloc_table) =
  forall p:'z pointer. 
    arrlen(a1,p) > 0 -> arrlen(a1,p) = arrlen(a2,p)

axiom alloc_heap_valid : 
  forall a1:alloc_table. forall a2:alloc_table.
    alloc_heap(a1,a2) -> forall p:'z pointer. valid(a1,p) -> valid(a2,p)

axiom alloc_heap_valid_range : 
  forall a1:alloc_table. forall a2:alloc_table.
    alloc_heap(a1,a2) -> 
    forall p:'z pointer. forall i:int. forall j:int.
      valid_range(a1,p,i,j) -> valid_range(a2,p,i,j)
***)

logic alloc_extends : alloc_table, alloc_table -> prop

axiom alloc_extends_valid : 
  forall a1:alloc_table. forall a2:alloc_table.
    alloc_extends(a1,a2) -> forall q:'y pointer. valid(a1,q) -> valid(a2,q)

axiom alloc_extends_arrlen : 
  forall a1:alloc_table. forall a2:alloc_table.
    alloc_extends(a1,a2) -> forall q:'y pointer. 
      valid(a1,q) -> arrlen(a2,q) = arrlen(a1,q)

axiom alloc_extends_valid_index : 
  forall a1:alloc_table. forall a2:alloc_table.
    alloc_extends(a1,a2) -> 
    forall q:'y pointer. forall i:int.
      valid_index(a1,q,i) -> valid_index(a2,q,i)

axiom alloc_extends_valid_range : 
  forall a1:alloc_table. forall a2:alloc_table.
    alloc_extends(a1,a2) -> 
    forall q:'y pointer. forall i:int. forall j:int.
      valid_range(a1,q,i,j) -> valid_range(a2,q,i,j)

axiom alloc_extends_refl : forall a:alloc_table. alloc_extends(a,a) 

axiom alloc_extends_trans : 
  forall a1,a2,a3:alloc_table [alloc_extends(a1,a2), alloc_extends(a2,a3)]. 
    alloc_extends(a1,a2) -> 
    alloc_extends(a2,a3) -> 
    alloc_extends(a1,a3) 

(*
logic free_heap : 'z pointer, alloc_table, alloc_table -> prop

parameter free_block : p:'z pointer -> 
	{ valid(alloc,p) and offset(p) = 0 and on_heap(alloc,p) }
	unit writes alloc
	{ free_heap(p, alloc@, alloc) }
*)

(*

  (free_stack(a1,a2,a3)) specifies the relations between states of allocation table before and after a function body is executed :

  a1 : alloc_table at beginning
  a2 : alloc_table before return: some allocations occured in (a1) both 
       on heap and on stack 
  a3 : alloc_table after return: allocations on stack between (a1) and 
       (a2) are not valid anymore

*)

logic free_stack : alloc_table, alloc_table, alloc_table -> prop

axiom free_stack_heap : 
  forall a1 : alloc_table. forall a2 : alloc_table. forall a3 : alloc_table. 
    free_stack(a1,a2,a3) -> 
      (forall p : 'z pointer. valid(a2, p) -> on_heap(a2,p) -> valid(a3, p))

axiom free_stack_stack : 
  forall a1 : alloc_table. forall a2 : alloc_table. forall a3 : alloc_table. 
     free_stack(a1,a2,a3) -> 
      (forall p : 'z pointer. valid(a1, p) -> on_stack(a1,p) -> valid(a3, p))

parameter alloca_parameter : n:int -> 
	{ n >= 0 }
	'z pointer writes alloc
	{ valid(alloc,result) and offset(result) = 0 and 	
	  arrlen(alloc,result) = n and valid_range(alloc,result,0,n-1)
	  and fresh(alloc@,result) and on_stack(alloc,result) 
	  and alloc_extends (alloc@,alloc) }

parameter malloc_parameter : n:int -> 
	{ n >= 0 }
	'z pointer writes alloc
	{ valid(alloc,result) and offset(result) = 0 and 	
	  arrlen(alloc,result) = n and valid_range(alloc,result,0,n-1)
	  and fresh(alloc@,result) and on_heap(alloc,result)
	  and alloc_extends (alloc@,alloc) }


why-2.34/lib/why/floats_multi_rounding.why0000644000175000017500000003031412311670312017333 0ustar  rtusers

(************************************************************************)
(************************************************************************)
(****** Jessie prelude for floating-point arithmetic, multi-rounding mode *******) 

(************************************************************************)
(************************************************************************)


include "floats_common.why"


logic cond_sub_double: mode,double,double -> int

axiom cond_sub_double_axiom1: 
          forall m:mode. forall x:double.
	  forall y:double.
	  (abs_real(double_value(x) - double_value(y)) >= 0x1p-1022) -> cond_sub_double(m,x,y) = 1

axiom cond_sub_double_axiom2: 
          forall m:mode. forall x:double.
	  forall y:double.
	  (0x1p-1075 <=abs_real(double_value(x) - double_value(y)) <= 0x1p-1022
	  and
	  abs_real(double_value(x) - double_value(y)) <> 0x1p-1022
	  and
	  abs_real(double_value(x) - double_value(y)) <> 0x1p-1075) -> cond_sub_double(m,x,y) = 2

axiom cond_sub_double_axiom3: 
          forall m:mode. forall x:double.
	  forall y:double.
	  (0.0 <=abs_real(double_value(x) - double_value(y)) <= 0x1p-1075) -> cond_sub_double(m,x,y) = 3
      		       

logic post_cond_sub_double: mode,double,double,double -> int

axiom post_cond_sub_double_axiom1: 
          forall m:mode. forall x:double.
	  forall y:double. forall result:double.
	  post_cond_sub_double(m,x,y,result) = 1 -> (abs_real((double_value(result) -(double_value(x)-double_value(y)))/ (double_value(x)-double_value(y)))<=0x1p-53)    			    
axiom post_cond_sub_double_axiom2: 
          forall m:mode. forall x:double.
	  forall y:double. forall result:double.
	  post_cond_sub_double(m,x,y,result) = 2 -> (double_value(result) =(double_value(x)-double_value(y))) 

axiom post_cond_sub_double_axiom3: 
          forall m:mode. forall x:double.
	  forall y:double. forall result:double.
	  post_cond_sub_double(m,x,y,result) = 3 -> (double_value(result) = 0.0) 

(***************************************************)
(** specification of unary and binary operations ***)
(***************************************************)


predicate double_of_real_post(m:mode,x:real,res:double) =
    double_value(res) = round_double(m,x)
    and
    double_exact(res) = x
    and
    double_model(res) = x



parameter double_of_real : 
   m:mode -> x:real ->
  { no_overflow_double(m,x) }
  double
  { double_of_real_post(m,x,result) }

parameter double_of_real_exact : x:real ->
  { }
  double
  { double_value(result) = x and
    double_exact(result) = x and
    double_model(result) = x }


parameter double_of_real_safe : 
  m:mode -> x:real ->
  { }
  double
  { no_overflow_double(m,x) and
    double_of_real_post(m,x,result) }

(*
predicate add_gen_double_post(f:double_format,m:mode,
                             x:gen_double,y:gen_double,res:gen_double) =
    double_value(res) = round_double(m,double_value(x) + double_value(y))
    and 
    double_exact(res) = double_exact(x) + double_exact(y)
    and 
    double_model(res) = double_model(x) + double_model(y)

*)
(*********************************************************)

predicate add_double_post(m:mode,
	                  x:double,y:double,result:double) =

(*CASE 1:*)
(
    (abs_real(double_value(x)+double_value(y))>=0x1p-1022  and
      (abs_real((double_value(result) -(double_value(x)+double_value(y))) ) <= 0x1.004p-53*abs_real(double_value(x)+double_value(y))  )) 
or

(*CASE 2: *)
     ((abs_real(double_value(x) + double_value(y)) <= 0x1p-1022) and
     (abs_real(double_value(result)-(double_value(x) + double_value(y))) <=  0x1.002p-1075 ))
)
and
    double_exact(result) = double_exact(x) + double_exact(y)
and
    double_model(result) = double_model(x) + double_model(y)

(*********************************************************)

parameter add_double : 
  m:mode -> x:double -> y:double -> 
  { no_overflow_double(m,double_value(x) + double_value(y)) }
  double
  { add_double_post(m,x,y,result) }



parameter add_double_safe : 
  m:mode -> x:double -> y:double -> 
  { }
  double
  { no_overflow_double(m,double_value(x) + double_value(y)) and
    add_double_post(m,x,y,result) }


(*
predicate sub_gen_double_post(f:double_format,m:mode,
	                     x:gen_double,y:gen_double,res:gen_double) =
    double_value(res) = round_double(m,double_value(x) - double_value(y))
    and 
    double_exact(res) = double_exact(x) - double_exact(y)
    and 
    double_model(res) = double_model(x) - double_model(y)
*)
(*********************************************************)

predicate sub_double_post(m:mode,
	                  x:double,y:double,result:double) =

(*CASE 1:*)
(
    (abs_real(double_value(x)-double_value(y))>=0x1p-1022  and

    (abs_real((double_value(result) -(double_value(x)-double_value(y))) ) <= 0x1.004p-53*abs_real(double_value(x)-double_value(y))  ))

or

(*CASE 2: *)
  ((0.0 <= abs_real(double_value(x) - double_value(y)) <= 0x1p-1022) and

  (abs_real(double_value(result)-(double_value(x) - double_value(y))) <= 0x1.002p-1075  ))
)
and
     double_exact(result) = double_exact(x) - double_exact(y)
and
     double_model(result) = double_model(x) - double_model(y)

(*********************************************************)
parameter sub_double : 
  m:mode -> x:double -> y:double -> 
  { no_overflow_double(m,double_value(x) - double_value(y)) }
  double
  {sub_double_post(m,x,y,result)}

parameter sub_double_safe : 
  m:mode -> x:double -> y:double -> 
  {}
  double
  { no_overflow_double(m,double_value(x) - double_value(y)) 
    and 
    sub_double_post(m,x,y,result)
  
  }

predicate neg_double_post(m:mode,
	                  x:double,result:double) =

(*CASE 1:*)
(
    (abs_real(-double_value(x))>=0x1p-1022  and

    (abs_real((double_value(result) + double_value(x))/ double_value(x)) <= 0x1.004p-53))

or

(*CASE 2: *)
  ((0.0 <= abs_real(-double_value(x)) <= 0x1p-1022) and

  (abs_real(double_value(result)+double_value(x)) <= 0x1.002p-1075  ))
)
and 
    double_exact(result) = -(double_exact(x))
and 
    double_model(result) = -(double_model(x))

parameter neg_double : 
  m:mode -> x:double -> 
  { no_overflow_double(m,-(double_value(x))) }
  double
  { neg_double_post(m,x,result) }



parameter neg_double_safe : 
  m:mode -> x:double -> 
  { }
  double
  { no_overflow_double(m,-(double_value(x))) and
    neg_double_post(m,x,result) }

predicate mul_double_post(m:mode,
	                     x:double,y:double,result:double) =

(*CASE 1:*)

(   (abs_real(double_value(x)*double_value(y))>=0x1p-1022  and

   (abs_real((double_value(result) -(double_value(x)*double_value(y))) ) <= 0x1.004p-53*abs_real(double_value(x)*double_value(y))))

or

(*CASE 2: *)    

  ((abs_real(double_value(x) * double_value(y)) <= 0x1p-1022) and

  (abs_real(double_value(result) -double_value(x)*double_value(y)) <= 0x1.002p-1075 ))
)

and
   double_exact(result) = double_exact(x) * double_exact(y)
    and 
    double_model(result) = double_model(x) * double_model(y)

(*********************************************************)
parameter mul_double : 
  m:mode -> x:double -> y:double -> 
  { no_overflow_double(m,double_value(x)*double_value(y)) }
  double
 { mul_double_post(m,x,y,result)} 


parameter mul_double_safe : 
  m:mode -> x:double -> y:double -> 
  { }
  double
  { no_overflow_double(m,double_value(x)*double_value(y)) and
   mul_double_post(m,x,y,result)

}

(*
predicate div_double_post(m:mode,
                          x:double,y:double,res:double) =
    double_value(res) = round_double(m,double_value(x)/double_value(y))
    and 
    double_exact(res) = double_exact(x)/double_exact(y)
    and 
    double_model(res) = double_model(x)/double_model(y)
*)

predicate div_double_post(m:mode,
                          x:double,y:double,result:double) =

(*CASE 1: *)
(
    (abs_real(double_value(x)/double_value(y))>=0x1p-1022  and
 
    (abs_real((double_value(result) - double_value(x)/double_value(y))) <= 0x1.004p-53* abs_real(double_value(x)/double_value(y)) )) 

or

(*CASE 2: *)

     ((abs_real(double_value(x)/double_value(y)) <= 0x1p-1022) and

     (abs_real(double_value(result)-(double_value(x)/double_value(y))) <= 0x1.002p-1075 ))
)
and

     double_exact(result) = double_exact(x) / double_exact(y)
and 
    double_model(result) = double_model(x)/double_model(y)

parameter div_double : 
  m:mode -> x:double -> y:double -> 
  { double_value(y) <> 0.0 
    and 
    no_overflow_double(m,double_value(x)/double_value(y)) }
  double
  { div_double_post(m,x,y,result) }



parameter div_double_safe : 
  m:mode -> x:double -> y:double -> 
  { }
  double
  { double_value(y) <> 0.0 
    and 
    no_overflow_double(m,double_value(x)/double_value(y))
    and div_double_post(m,x,y,result) }


predicate sqrt_double_post(m:mode,
                           x:double,result:double) =

(*CASE 1: *)
(
    (abs_real(sqrt_real(double_value(x)))>=0x1p-1022  and
 
    (abs_real(double_value(result) - sqrt_real(double_value(x))) <= 0x1.004p-53*abs_real(sqrt_real(double_value(x))) )) 

or

(*CASE 2: *)

     ((abs_real(sqrt_real(double_value(x))) <= 0x1p-1022) and

     (abs_real(double_value(result)-sqrt_real(double_value(x))) <= 0x1.002p-1075  ))
) 
and

     double_exact(result) = sqrt_real(double_exact(x))
and 
     double_model(result) = sqrt_real(double_model(x))	


parameter sqrt_double_requires : 
  m:mode -> x:double -> 
  { double_value(x) >= 0.0 
    and 
    no_overflow_double(m,sqrt_real(double_value(x))) }
  double
  { sqrt_double_post(m,x,result)
  }



parameter sqrt_double : 
  m:mode -> x:double -> 
   {  }
  double
  { 
    no_overflow_double(m,sqrt_real(double_value(x)))
    and
    sqrt_double_post(m,x,result)
   
  }


predicate abs_double_post(m:mode,
                             x:double,result:double) =

(*CASE 1: *)
(
    (abs_real(double_value(x))>=0x1p-1022  and
 
    (abs_real(double_value(result) - abs_real(double_value(x))) <= 0x1.004p-53*abs_real(abs_real(double_value(x)))   )) 

or

(*CASE 2: *)

     ((abs_real(double_value(x)) <= 0x1p-1022) and

     (abs_real(double_value(result)-abs_real(double_value(x))) <= 0x1.002p-1075  ))
) 
and
     double_exact(result) = abs_real(double_exact(x))
and
     double_model(result) = abs_real(double_model(x))

parameter abs_double_requires : 
  m:mode -> x:double -> 
  { no_overflow_double(m,abs_real(double_value(x))) }
  double
  { abs_double_post(m,x,result)
  }


parameter abs_double : 
  m:mode -> x:double -> 
  {  }
  double
  { 
    no_overflow_double(m,abs_real(double_value(x)))
    and
    abs_double_post(m,x,result)

  }


(***************************************************)
(******** comparisons of doubles in the code ********)
(***************************************************)

parameter lt_double_ :
  x:double -> y:double -> 
  {} bool { if result then double_value(x) < double_value(y) 
            else double_value(x) >= double_value(y) }

parameter le_double_ :
  x:double -> y:double -> 
  {} bool { if result then double_value(x) <= double_value(y) 
            else double_value(x) > double_value(y) }

parameter gt_double_ :
  x:double -> y:double -> 
  {} bool { if result then double_value(x) > double_value(y) 
            else double_value(x) <= double_value(y) }

parameter ge_double_ :
  x:double -> y:double -> 
  {} bool { if result then double_value(x) >= double_value(y) 
            else double_value(x) < double_value(y) }

parameter eq_double_ :
  x:double -> y:double -> 
  {} bool { if result then double_value(x) = double_value(y) 
            else double_value(x) <> double_value(y) }

parameter neq_double_ :
  x:double -> y:double -> 
  {} bool { if result then double_value(x) <> double_value(y) 
            else double_value(x) = double_value(y) }



(***************************************************)
(*********** conversions between formats ***********)
(***************************************************)
(* ??
predicate cast_double_post(f:double_format,m:mode,x:gen_double,res:gen_double) =
    double_value(res) = round_double(m,double_value(x))
    and
    double_exact(res) = double_exact(x)
    and
    double_model(res) = double_model(x)

parameter cast_double : f:double_format -> m:mode -> x:gen_double ->
  { no_overflow_double(m,double_value(x)) }
  gen_double
  { cast_double_post(m,x,result) }

parameter cast_double_safe : f:double_format -> m:mode -> x:gen_double ->
  { }
  gen_double
  { no_overflow_double(m,double_value(x)) and
    cast_double_post(m,x,result) }
*)


why-2.34/lib/why/integer.why0000644000175000017500000000277612311670312014374 0ustar  rtusers(* boolean versions of the comparisons and the corresponding axioms *)
logic lt_int_bool : int,int -> bool
logic le_int_bool : int,int -> bool
logic gt_int_bool : int,int -> bool
logic ge_int_bool : int,int -> bool
logic eq_int_bool : int,int -> bool
logic neq_int_bool : int,int -> bool

axiom lt_int_bool_axiom : 
  forall x:int. forall y:int. lt_int_bool(x,y)=true <-> x x<=y
axiom gt_int_bool_axiom : 
  forall x:int. forall y:int. gt_int_bool(x,y)=true <-> x>y
axiom ge_int_bool_axiom : 
  forall x:int. forall y:int. ge_int_bool(x,y)=true <-> x>=y
axiom eq_int_bool_axiom : 
  forall x:int. forall y:int. eq_int_bool(x,y)=true <-> x=y
axiom neq_int_bool_axiom : 
  forall x:int. forall y:int. neq_int_bool(x,y)=true <-> x<>y



logic abs_int : int -> int


axiom abs_int_pos: forall x:int. x >= 0 -> abs_int(x) = x
axiom abs_int_neg: forall x:int. x <= 0 -> abs_int(x) = -x

(* min and max *)

(* TODO: rename to max_int and min_int *)

logic int_max : int, int -> int
logic int_min : int, int -> int

axiom int_max_is_ge :  
  forall x:int. forall y:int. 
  int_max(x,y) >= x and int_max(x,y) >= y

axiom int_max_is_some :  
  forall x:int. forall y:int. 
  (int_max(x,y) = x or int_max(x,y) = y) 

axiom int_min_is_le :  
  forall x:int. forall y:int. 
  int_min(x,y) <= x and int_min(x,y) <= y

axiom int_min_is_some :  
  forall x:int. forall y:int. 
  (int_min(x,y) = x or int_min(x,y) = y) 


parameter any_int : unit -> {} int { true }
why-2.34/lib/why/floats_full.why0000644000175000017500000012263712311670312015250 0ustar  rtusers(***************************************************************************)
(***************************************************************************)
(*** Jessie prelude for floating-point arithmetic: Full mode ***************)
(***************************************************************************)
(***************************************************************************)

include "floats_common.why"


function min_single() : real =  0x1p-149
function min_double() : real =  0x1p-1074


(***************************************************)
(*************** additional views ******************)
(***************************************************)

type Float_class = Finite | Infinite | NaN

type sign = Negative | Positive

logic single_class : single -> Float_class
logic double_class : double -> Float_class

logic single_sign : single -> sign
logic double_sign : double -> sign


inductive same_sign_real_bool : sign, real -> prop =
 | neg_case : forall x:real. x < 0.0 -> same_sign_real_bool(Negative,x)
 | pos_case : forall x:real. x > 0.0 -> same_sign_real_bool(Positive,x)



(***************************************************)
(*********** axioms on float_sign ******************)
(***************************************************)

(* useful ???

axiom single_sign_not_pos_neg : forall x:single.
      single_sign(x) <> Positive -> single_sign(x) = Negative
axiom single_sign_not_neg_pos : forall x:single.
      single_sign(x) <> Negative -> single_sign(x) = Positive

axiom double_sign_not_pos_neg : forall x:double.
      double_sign(x) <> Positive -> double_sign(x) = Negative
axiom double_sign_not_neg_pos : forall x:double.
      double_sign(x) <> Negative -> double_sign(x) = Positive
*)

axiom same_sign_real_bool_zero1 : forall b:sign. not same_sign_real_bool(b,0.0)
axiom same_sign_real_bool_zero2 : forall x:real.
         same_sign_real_bool(Negative,x) and
         same_sign_real_bool(Positive,x) -> false
axiom same_sign_real_bool_zero3 : forall b:sign. forall x:real.
         same_sign_real_bool(b,x) -> x <> 0.0
axiom same_sign_real_bool_correct2 : forall b:sign. forall x:real.
         same_sign_real_bool(b,x) -> (x < 0.0 <-> b = Negative)
axiom same_sign_real_bool_correct3 : forall b:sign. forall x:real.
         same_sign_real_bool(b,x) -> (x > 0.0 <-> b = Positive)



(***************************************************)
(******** predicates to deal with float_sign *******)
(***************************************************)

predicate single_same_sign_real (x:single,y:real) = same_sign_real_bool(single_sign(x),y)
predicate single_same_sign(x:single,y:single)  = single_sign(x) = single_sign(y)
predicate single_diff_sign(x:single,y:single)  = single_sign(x) <> single_sign(y)

predicate single_product_sign(z:single,x:single,y:single) =
	  (single_same_sign(x,y) -> single_sign(z)= Positive) and
          (single_diff_sign(x,y) -> single_sign(z)= Negative)

predicate double_same_sign_real (x:double,y:real) = same_sign_real_bool(double_sign(x),y)
predicate double_same_sign(x:double,y:double)  = double_sign(x) = double_sign(y)
predicate double_diff_sign(x:double,y:double)  = double_sign(x) <> double_sign(y)

predicate double_product_sign(z:double,x:double,y:double) =
	  (double_same_sign(x,y) -> double_sign(z)= Positive) and
          (double_diff_sign(x,y) -> double_sign(z)= Negative)



(***************************************************)
(******* predicates to deal with float_class *******)
(***************************************************)

predicate single_same_class(x:single,y:single) = single_class(x) = single_class(y)
predicate singlediff_class(x:single,y:single) = single_class(x) <> single_class(y)
predicate double_same_class(x:double,y:double) = double_class(x) = double_class(y)
predicate doublediff_class(x:double,y:double) = double_class(x) <> double_class(y)



(***************************************************)
(******* axioms on sign of finite gen_float ********)
(***************************************************)

(* non-zero finite gen_float has the same sign as its float_value *)
axiom single_finite_sign : forall x:single.
      (single_class(x) = Finite and single_value(x) <> 0.0) ->
       single_same_sign_real(x,single_value(x))

axiom single_finite_sign_neg1: forall x:single.
      single_class(x) = Finite and single_value(x) < 0.0 ->
                                  single_sign(x) = Negative
axiom single_finite_sign_neg2: forall x:single.
      single_class(x) = Finite and single_value(x) <> 0.0
      and single_sign(x) = Negative -> single_value(x) < 0.0
axiom single_finite_sign_pos1: forall x:single.
      single_class(x) = Finite and single_value(x) > 0.0 ->
                                  single_sign(x) = Positive
axiom single_finite_sign_pos2: forall x:single.
      single_class(x) = Finite and single_value(x) <> 0.0
      and single_sign(x) = Positive -> single_value(x) > 0.0
axiom single_diff_sign_trans: forall x:single. forall y:single. forall z:single.
      single_diff_sign(x,y) and single_diff_sign(y,z) -> single_same_sign(x,z)

axiom single_same_sign_product: forall x:single. forall y:single.
      single_class(x) = Finite and single_class(y) = Finite and
      single_same_sign(x,y) -> single_value(x) * single_value(y) >= 0.0

axiom single_diff_sign_product: forall x:single. forall y:single.
      single_class(x) = Finite and single_class(y) = Finite and
      single_value(x) * single_value(y) < 0.0 -> single_diff_sign(x,y)

axiom double_finite_sign : forall x:double.
      (double_class(x) = Finite and double_value(x) <> 0.0) ->
       double_same_sign_real(x,double_value(x))

axiom double_finite_sign_neg1: forall x:double.
      double_class(x) = Finite and double_value(x) < 0.0 ->
                                  double_sign(x) = Negative
axiom double_finite_sign_neg2: forall x:double.
      double_class(x) = Finite and double_value(x) <> 0.0
      and double_sign(x) = Negative -> double_value(x) < 0.0
axiom double_finite_sign_pos1: forall x:double.
      double_class(x) = Finite and double_value(x) > 0.0 ->
                                  double_sign(x) = Positive
axiom double_finite_sign_pos2: forall x:double.
      double_class(x) = Finite and double_value(x) <> 0.0
      and double_sign(x) = Positive -> double_value(x) > 0.0
axiom double_diff_sign_trans: forall x:double. forall y:double. forall z:double.
      double_diff_sign(x,y) and double_diff_sign(y,z) -> double_same_sign(x,z)

axiom double_same_sign_product: forall x:double. forall y:double.
      double_class(x) = Finite and double_class(y) = Finite and
      double_same_sign(x,y) -> double_value(x) * double_value(y) >= 0.0

axiom double_diff_sign_product: forall x:double. forall y:double.
      double_class(x) = Finite and double_class(y) = Finite and
      double_value(x) * double_value(y) < 0.0 -> double_diff_sign(x,y)


(***************************************************)
(************** usefull predicates *****************)
(***************************************************)

predicate single_is_finite(x:single) = single_class(x) = Finite
predicate single_is_infinite(x:single) = single_class(x) = Infinite
predicate single_is_NaN(x:single) = single_class(x) = NaN
predicate single_is_not_NaN(x:single) = single_is_finite(x) or single_is_infinite(x)
predicate single_is_minus_infinity(x:single)
    = single_is_infinite(x) and single_sign(x) = Negative
predicate single_is_plus_infinity(x:single)
    = single_is_infinite(x) and single_sign(x) = Positive
predicate single_is_gen_zero(x:single)= single_is_finite(x) and single_value(x) = 0.0
predicate single_is_gen_zero_plus(x:single)
    = single_is_gen_zero(x) and single_sign(x) = Positive
predicate single_is_gen_zero_minus(x:single)
    = single_is_gen_zero(x) and single_sign(x) = Negative

predicate double_is_finite(x:double) = double_class(x) = Finite
predicate double_is_infinite(x:double) = double_class(x) = Infinite
predicate double_is_NaN(x:double) = double_class(x) = NaN
predicate double_is_not_NaN(x:double) = double_is_finite(x) or double_is_infinite(x)
predicate double_is_minus_infinity(x:double)
    = double_is_infinite(x) and double_sign(x) = Negative
predicate double_is_plus_infinity(x:double)
    = double_is_infinite(x) and double_sign(x) = Positive
predicate double_is_gen_zero(x:double)= double_is_finite(x) and double_value(x) = 0.0
predicate double_is_gen_zero_plus(x:double)
    = double_is_gen_zero(x) and double_sign(x) = Positive
predicate double_is_gen_zero_minus(x:double)
    = double_is_gen_zero(x) and double_sign(x) = Negative


(* predicate to use in case of overflow result of an operation *)
predicate single_overflow_value(m:mode,x:single) =
         (m = down -> (single_sign(x) = Negative -> single_is_infinite(x)) and
	              (single_sign(x) = Positive -> single_is_finite(x) and
                                                   single_value(x)= max_single))
          and
         (m = up -> (single_sign(x) = Negative -> single_is_finite(x) and
                                                 single_value(x)= - max_single) and
                    (single_sign(x) = Positive -> single_is_infinite(x)))
          and
         (m = to_zero -> single_is_finite(x) and
                 (single_sign(x) = Negative -> single_value(x)= - max_single) and
                 (single_sign(x) = Positive -> single_value(x)=   max_single))
          and
         (m = nearest_away or m = nearest_even -> single_is_infinite(x))

predicate double_overflow_value(m:mode,x:double) =
         (m = down -> (double_sign(x) = Negative -> double_is_infinite(x)) and
	              (double_sign(x) = Positive -> double_is_finite(x) and
                                                   double_value(x)= max_double))
          and
         (m = up -> (double_sign(x) = Negative -> double_is_finite(x) and
                                                 double_value(x)= - max_double) and
                    (double_sign(x) = Positive -> double_is_infinite(x)))
          and
         (m = to_zero -> double_is_finite(x) and
                 (double_sign(x) = Negative -> double_value(x)= - max_double) and
                 (double_sign(x) = Positive -> double_value(x)=   max_double))
          and
         (m = nearest_away or m = nearest_even -> double_is_infinite(x))


(* predicate to use in case of underflow result of an operation *)
predicate single_underflow_value(m:mode,x:single) =
          single_is_finite(x)
          and
          (single_sign(x) = Positive ->
              (m = down or m = to_zero or m = nearest_even or m = nearest_away ->
                                      single_value(x) = 0.0)
               and
              (m = up -> single_value(x) = min_single))
          and
          (single_sign(x) = Negative ->
              (m = up or m = to_zero or m = nearest_even or m = nearest_away ->
                                      single_value(x) = 0.0)
               and
               (m = down -> single_value(x) = - min_single))

predicate double_underflow_value(m:mode,x:double) =
          double_is_finite(x)
          and
          (double_sign(x) = Positive ->
              (m = down or m = to_zero or m = nearest_even or m = nearest_away ->
                                      double_value(x) = 0.0)
               and
              (m = up -> double_value(x) = min_double))
          and
          (double_sign(x) = Negative ->
              (m = up or m = to_zero or m = nearest_even or m = nearest_away ->
                                      double_value(x) = 0.0)
               and
               (m = down -> double_value(x) = - min_double))


(* predicate to get the sign of a zero result of an operation *)
predicate single_sign_zero_result(m:mode,x:single) =
           single_value(x) = 0.0 ->
          ((m = down -> single_sign(x) = Negative)
           and
           (m <> down -> single_sign(x) = Positive))

predicate double_sign_zero_result(m:mode,x:double) =
           double_value(x) = 0.0 ->
          ((m = down -> double_sign(x) = Negative)
           and
           (m <> down -> double_sign(x) = Positive))


(**** Comparisons of floats in the logic ****)
predicate le_single_full(x:single,y:single) =
          (single_is_finite(x) and single_is_finite(y)
              and single_value(x) <= single_value(y))
           or (single_is_minus_infinity(x) and single_is_not_NaN(y))
           or (single_is_not_NaN(x) and single_is_plus_infinity(y))

predicate lt_single_full(x:single,y:single) =
          (single_is_finite(x) and single_is_finite(y)
              and single_value(x) < single_value(y))
           or (single_is_minus_infinity(x) and single_is_not_NaN(y)
               and not single_is_minus_infinity(y))
           or (single_is_not_NaN(x) and not single_is_plus_infinity(x)
               and single_is_plus_infinity(y))

predicate ge_single_full(x:single,y:single) = le_single_full(y,x)

predicate gt_single_full(x:single,y:single) = lt_single_full(y,x)

predicate eq_single_full(x:single,y:single) =
          single_is_not_NaN(x) and single_is_not_NaN(y) and
          ((single_is_finite(x) and single_is_finite(y)
             and single_value(x) = single_value(y))
           or
          (single_is_infinite(x) and single_is_infinite(y)
             and single_same_sign(x,y)))

predicate ne_single_full(x:single,y:single) = not eq_single_full(x,y)


predicate le_double_full(x:double,y:double) =
          (double_is_finite(x) and double_is_finite(y)
              and double_value(x) <= double_value(y))
           or (double_is_minus_infinity(x) and double_is_not_NaN(y))
           or (double_is_not_NaN(x) and double_is_plus_infinity(y))

predicate lt_double_full(x:double,y:double) =
          (double_is_finite(x) and double_is_finite(y)
              and double_value(x) < double_value(y))
           or (double_is_minus_infinity(x) and double_is_not_NaN(y)
               and not double_is_minus_infinity(y))
           or (double_is_not_NaN(x) and not double_is_plus_infinity(x)
               and double_is_plus_infinity(y))

predicate ge_double_full(x:double,y:double) = le_double_full(y,x)

predicate gt_double_full(x:double,y:double) = lt_double_full(y,x)

predicate eq_double_full(x:double,y:double) =
          double_is_not_NaN(x) and double_is_not_NaN(y) and
          ((double_is_finite(x) and double_is_finite(y)
             and double_value(x) = double_value(y))
           or
          (double_is_infinite(x) and double_is_infinite(y)
             and double_same_sign(x,y)))

predicate ne_double_full(x:double,y:double) = not eq_double_full(x,y)


axiom le_lt_double_trans:
      forall x,y,z:double.
         le_double_full(x,y) and lt_double_full(y,z) -> lt_double_full(x,z)

axiom lt_le_double_trans:
      forall x,y,z:double.
         lt_double_full(x,y) and le_double_full(y,z) -> lt_double_full(x,z)



(***************************************************)
(******** axioms on gen_float_of_real_logic ********)
(***************************************************)

axiom round_single1 : forall m:mode. forall x:real.
           no_overflow_single(m,x) ->
           (single_is_finite(round_single_logic(m,x)) and
           single_value(round_single_logic(m,x)) = round_single(m,x))

axiom round_single2 : forall m:mode. forall x:real.
           not no_overflow_single(m,x) ->
           (single_same_sign_real(round_single_logic(m,x),x) and
            single_overflow_value(m,round_single_logic(m,x)))

axiom round_single3 : forall m:mode. forall x:real.
           single_exact(round_single_logic(m,x)) = x

axiom round_single4 : forall m:mode. forall x:real.
           single_model(round_single_logic(m,x)) = x

axiom single_of_zero : forall m:mode.
            single_is_gen_zero(round_single_logic(m,0.0))


axiom round_single_logic_le : forall m:mode. forall x:real.
      single_is_finite(round_single_logic(m,x)) ->
      abs_real(single_value(round_single_logic(m,x))) <= max_single

axiom round_single_no_overflow : forall m:mode. forall x:real.
          abs_real(x) <= max_single ->
          (single_is_finite(round_single_logic(m,x)) and
          single_value(round_single_logic(m,x)) = round_single(m,x))

axiom single_positive_constant : forall m:mode. forall x:real.
          min_single <= x <= max_single ->
          single_is_finite(round_single_logic(m,x)) and
          single_value(round_single_logic(m,x)) > 0.0  and
          single_sign(round_single_logic(m,x)) = Positive

axiom single_negative_constant : forall m:mode. forall x:real.
          - max_single <= x <= - min_single ->
          single_is_finite(round_single_logic(m,x)) and
          single_value(round_single_logic(m,x)) < 0.0  and
          single_sign(round_single_logic(m,x)) = Negative


axiom round_double1 : forall m:mode. forall x:real.
           no_overflow_double(m,x) ->
           (double_is_finite(round_double_logic(m,x)) and
           double_value(round_double_logic(m,x)) = round_double(m,x))

axiom round_double2 : forall m:mode. forall x:real.
           not no_overflow_double(m,x) ->
           (double_same_sign_real(round_double_logic(m,x),x) and
            double_overflow_value(m,round_double_logic(m,x)))

axiom round_double3 : forall m:mode. forall x:real.
           double_exact(round_double_logic(m,x)) = x

axiom round_double4 : forall m:mode. forall x:real.
           double_model(round_double_logic(m,x)) = x

axiom double_of_zero : forall m:mode.
            double_is_gen_zero(round_double_logic(m,0.0))


axiom round_double_logic_le : forall m:mode. forall x:real.
      double_is_finite(round_double_logic(m,x)) ->
      abs_real(double_value(round_double_logic(m,x))) <= max_double

axiom round_double_no_overflow : forall m:mode. forall x:real.
          abs_real(x) <= max_double ->
          (double_is_finite(round_double_logic(m,x)) and
          double_value(round_double_logic(m,x)) = round_double(m,x))

axiom double_positive_constant : forall m:mode. forall x:real.
          min_double <= x <= max_double ->
          double_is_finite(round_double_logic(m,x)) and
          double_value(round_double_logic(m,x)) > 0.0  and
          double_sign(round_double_logic(m,x)) = Positive

axiom double_negative_constant : forall m:mode. forall x:real.
          - max_double <= x <= - min_double ->
          double_is_finite(round_double_logic(m,x)) and
          double_value(round_double_logic(m,x)) < 0.0  and
          double_sign(round_double_logic(m,x)) = Negative



(***************************************************)
(************** axioms on gen_zero *****************)
(***************************************************)

axiom single_is_gen_zero_comp1 : forall x:single. forall y:single.
      single_is_gen_zero(x) and single_value(x) = single_value(y)
       and single_is_finite(y) ->  single_is_gen_zero(y)

axiom single_is_gen_zero_comp2 : forall x:single. forall y:single.
      single_is_finite(x) and not single_is_gen_zero(x)
       and single_value(x) = single_value(y) -> not single_is_gen_zero(y)

axiom double_is_gen_zero_comp1 : forall x:double. forall y:double.
      double_is_gen_zero(x) and double_value(x) = double_value(y)
       and double_is_finite(y) ->  double_is_gen_zero(y)

axiom double_is_gen_zero_comp2 : forall x:double. forall y:double.
      double_is_finite(x) and not double_is_gen_zero(x)
       and double_value(x) = double_value(y) -> not double_is_gen_zero(y)



(***************************************************)
(** specification of unary and binary operations ***)
(***************************************************)

(* in single *)

parameter single_of_real : m:mode -> x:real ->
{ }
single
{ (*result = single_round_logic(m,x) *)
  (no_overflow_single(m,x)
     -> (single_is_finite(result) and single_value(result) = round_single(m,x)))
  and
   (not no_overflow_single(m,x)
     -> (single_same_sign_real(result,x) and single_overflow_value(m,result)))
  and single_exact(result) = x
  and single_model(result) = x
}



parameter add_single : m:mode -> x:single -> y:single ->
{ }
single
{ (single_is_NaN(x) or single_is_NaN(y) -> single_is_NaN(result))
  and
  ((single_is_finite(x) and single_is_infinite(y))
          -> (single_is_infinite(result) and single_same_sign(result,y)))
  and
  ((single_is_infinite(x) and single_is_finite(y))
          -> (single_is_infinite(result) and single_same_sign(result,x)))
  and
  ((single_is_infinite(x) and single_is_infinite(y) and single_same_sign(x,y))
          -> (single_is_infinite(result) and single_same_sign(result,x)))
  and
  ((single_is_infinite(x) and single_is_infinite(y) and single_diff_sign(x,y))
          -> single_is_NaN(result))
  and
  ((single_is_finite(x) and single_is_finite(y)
     and no_overflow_single(m,single_value(x)+single_value(y)))
          -> (single_is_finite(result) and
 	     single_value(result) = round_single(m,single_value(x)+single_value(y)) and
             single_sign_zero_result(m,result)))
  and
  ((single_is_finite(x) and single_is_finite(y)
     and not no_overflow_single(m,single_value(x)+single_value(y)))
          -> (single_same_sign_real(result,single_value(x)+single_value(y)) and
	             single_overflow_value(m,result)))
  and
  single_exact(result) = single_exact(x) + single_exact(y) and
  single_model(result) = single_model(x) + single_model(y)
}



parameter sub_single : m:mode -> x:single -> y:single ->
{ }
single
{ ((single_is_NaN(x) or single_is_NaN(y)) -> single_is_NaN(result))
  and
  ((single_is_finite(x) and single_is_infinite(y))
          -> (single_is_infinite(result) and single_diff_sign(result,y)))
  and
  ((single_is_infinite(x) and single_is_finite(y))
          -> (single_is_infinite(result) and single_same_sign(result,x)))
  and
  ((single_is_infinite(x) and single_is_infinite(y) and single_same_sign(x,y))
          -> single_is_NaN(result))
  and
  ((single_is_infinite(x) and single_is_infinite(y) and single_diff_sign(x,y))
          -> (single_is_infinite(result) and single_same_sign(result,x)))
  and
  ((single_is_finite(x) and single_is_finite(y)
     and no_overflow_single(m,single_value(x)-single_value(y)))
          -> (single_is_finite(result) and
	      single_value(result)= round_single(m,single_value(x)-single_value(y))and
	      single_sign_zero_result(m,result)))
  and
  ((single_is_finite(x) and single_is_finite(y)
     and not no_overflow_single(m,single_value(x)-single_value(y)))
          -> (single_same_sign_real(result,single_value(x)-single_value(y)) and
              single_overflow_value(m,result)))
  and
  single_exact(result) = single_exact(x) - single_exact(y) and
  single_model(result) = single_model(x) - single_model(y)
}




parameter abs_single : m:mode -> x:single ->
{ }
single
{ (single_is_NaN(x)  -> single_is_NaN(result))
and
  (single_is_infinite(x) -> single_is_infinite(result))
and
  (single_is_finite(x)  -> (single_is_finite(result) and
           single_value(result)= abs_real(single_value(x))))
and
  single_sign(result) = Positive and
  single_exact(result) = abs_real(single_exact(x)) and
  single_model(result) = abs_real(single_model(x))
}



parameter mul_single : m:mode -> x:single -> y:single ->
{ }
single
{ ((single_is_NaN(x)  or  single_is_NaN(y)) -> single_is_NaN(result))
and
  ((single_is_gen_zero(x) and single_is_infinite(y)) -> single_is_NaN(result))
and
  ((single_is_finite(x) and single_is_infinite(y) and single_value(x) <> 0.0)
     -> single_is_infinite(result))
and
  ((single_is_infinite(x) and single_is_gen_zero(y)) -> single_is_NaN(result))
and
  ((single_is_infinite(x) and single_is_finite(y) and single_value(y) <> 0.0)
     -> single_is_infinite(result))
and
  ((single_is_infinite(x) and single_is_infinite(y)) -> single_is_infinite(result))
and
  ((single_is_finite(x) and single_is_finite(y)
     and no_overflow_single(m,single_value(x)*single_value(y)))
     ->	(single_is_finite(result) and
	 single_value(result) = round_single(m,single_value(x) * single_value(y))))
and
  ((single_is_finite(x) and single_is_finite(y)
     and not no_overflow_single(m,single_value(x)*single_value(y)))
     -> (single_overflow_value(m,result)))
and
  single_product_sign(result,x,y)
and
  single_exact(result) = single_exact(x) * single_exact(y) and
  single_model(result) = single_model(x) * single_model(y)
}




parameter div_single : m:mode -> x:single -> y:single ->
{ }
single
{ ((single_is_NaN(x) or single_is_NaN(y)) -> single_is_NaN(result))
and
  ((single_is_finite(x) and single_is_infinite(y)) -> single_is_gen_zero(result))
and
  ((single_is_infinite(x) and single_is_finite(y)) -> single_is_infinite(result))
and
  ((single_is_infinite(x) and single_is_infinite(y)) -> single_is_NaN(result))
and
  ((single_is_finite(x) and single_is_finite(y) and single_value(y) <> 0.0 and
     no_overflow_single(m,single_value(x)/single_value(y)))
      -> (single_is_finite(result) and
          single_value(result)= round_single(m,single_value(x)/single_value(y))))
and
  ((single_is_finite(x) and single_is_finite(y) and single_value(y) <> 0.0 and
     not no_overflow_single(m,single_value(x)/single_value(y)))
      -> single_overflow_value(m,result))
and
  ((single_is_finite(x) and single_is_gen_zero(y) and single_value(x) <> 0.0)
      -> single_is_infinite(result))
and
  ((single_is_gen_zero(x) and single_is_gen_zero(y)) -> single_is_NaN(result))
and
  single_product_sign(result,x,y)
and
  single_exact(result) = single_exact(x)/single_exact(y) and
  single_model(result) = single_model(x)/single_model(y)
}



parameter sqrt_single :  m:mode -> x:single ->
{ }
single
{ (single_is_NaN(x)  -> single_is_NaN(result))
and
  (single_is_minus_infinity(x) -> single_is_NaN(result))
and
  (single_is_plus_infinity(x) -> single_is_infinite(result))
and
  ((single_is_finite(x) and single_value(x)< 0.0) -> single_is_NaN(result))
and
  (single_is_finite(x) and single_value(x) >= 0.0
       ->  (single_is_finite(result) and
          single_value(result)= round_single(m,sqrt_real(single_value(x)))))
and
   (* not always positive because sqrt(-0) = -0 *)
   single_same_sign(result,x)
and
   single_exact(result) = sqrt_real(single_exact(x)) and
   single_model(result) = sqrt_real(single_model(x))
}




parameter neg_single : x:single ->
{ }
single
{ (single_is_NaN(x)  -> single_is_NaN(result))
and
  (single_is_infinite(x) -> single_is_infinite(result))
and
  (single_is_finite(x)
     -> (single_is_finite(result) and
         single_value(result) = neg_real(single_value(x))))
and
  single_diff_sign(result,x)
and
  single_exact(result) = neg_real(single_exact(x)) and
  single_model(result) = neg_real(single_model(x))
}



parameter lt_single : x:single -> y:single ->
{ }
bool
{
if result then
single_is_not_NaN(x) and single_is_not_NaN(y) and
   (single_is_finite(x) and single_is_finite(y) and single_value(x) < single_value(y))
    or
   (single_is_minus_infinity(x) and single_is_plus_infinity(y))
    or
   (single_is_minus_infinity(x) and single_is_finite(y))
    or
   (single_is_finite(x) and single_is_plus_infinity(y))
else (single_is_NaN(x) or single_is_NaN(y)
    or
    (single_is_finite(x) and single_is_finite(y) and single_value(x) >= single_value(y))
    or
     single_is_plus_infinity(x)
    or
     single_is_minus_infinity(y))
}


parameter le_single : x:single -> y:single ->
{ }
bool
{ ((single_is_NaN(x) or single_is_NaN(y)) -> result = false)
and
  ((single_is_finite(x) and single_is_infinite(y))
        -> if result then single_sign(y) = Positive
  	    	     else single_sign(y) = Negative)
and
  ((single_is_infinite(x) and single_is_finite(y))
        -> if result then single_sign(x) = Negative
    		     else single_sign(x) = Positive)
and
  ((single_is_infinite(x) and single_is_infinite(y)) ->
                    if result then (single_sign(x)= Negative or
                                    single_sign(y)= Positive)
			      else (single_sign(x)= Positive and
                                    single_sign(y)= Negative))
and
 ((single_is_finite(x) and single_is_finite(y))
      -> if result then single_value(x) <= single_value(y)
 		   else single_value(x) > single_value(y))
}




parameter gt_single : x:single -> y:single ->
{ }
bool
{
if result then single_is_not_NaN(x) and single_is_not_NaN(y) and
   (single_is_finite(x) and single_is_finite(y) and single_value(x) > single_value(y))
    or
   (single_is_plus_infinity(x) and single_is_minus_infinity(y))
    or
   (single_is_plus_infinity(x) and single_is_finite(y))
    or
   (single_is_finite(x) and single_is_minus_infinity(y))
else (single_is_NaN(x) or single_is_NaN(y)
    or
    (single_is_finite(x) and single_is_finite(y) and single_value(x) <= single_value(y))
    or
     single_is_minus_infinity(x)
    or
     single_is_plus_infinity(y))
}



parameter ge_single : x:single -> y:single ->
{}
bool
{ ((single_is_NaN(x) or single_is_NaN(y)) -> result = false)
and
  ((single_is_finite(x) and single_is_infinite(y))
     -> if result then single_sign(y)= Negative
   	          else single_sign(y)= Positive)
and
  ((single_is_infinite(x) and single_is_finite(y))
     -> if result then single_sign(x)= Positive
   	       	  else single_sign(x)= Negative)
and
  ((single_is_infinite(x) and single_is_infinite(y))
     -> if result then (single_sign(x)= Positive or single_sign(y)= Negative)
                  else (single_sign(x)= Negative and single_sign(y)= Positive))
and
 ((single_is_finite(x) and single_is_finite(y))
     -> if result then single_value(x) >= single_value(y)
 		  else single_value(x) < single_value(y))
}




parameter eq_single :
x:single -> y:single ->
{ }
bool
{ ((single_is_NaN(x) or single_is_NaN(y)) -> result = false)
and
  ((single_is_finite(x) and single_is_infinite(y)) -> result = false)
and
  ((single_is_infinite(x) and single_is_finite(y)) -> result = false)
and
  ((single_is_infinite(x) and single_is_infinite(y))
     -> if result then single_same_sign(x,y) else single_diff_sign(x,y))
and
 ((single_is_finite(x) and single_is_finite(y))
     -> if result then single_value(x) = single_value(y)
 		  else single_value(x) <> single_value(y))
}



parameter neq_single :
x:single -> y:single ->
{ }
bool
{ ((single_is_NaN(x) or single_is_NaN(y)) -> result = true)
and
  ((single_is_finite(x) and single_is_infinite(y)) -> result = true)
and
  ((single_is_infinite(x) and single_is_finite(y)) -> result = true)
and
  ((single_is_infinite(x) and single_is_infinite(y))
     -> if result then single_diff_sign(x,y) else single_same_sign(x,y))
and
 ((single_is_finite(x) and single_is_finite(y))
     -> if result then single_value(x) <> single_value(y)
 		  else single_value(x) = single_value(y))
}

(* in double *)

(* Parameters in double precision *)

parameter double_of_real : m:mode -> x:real ->
{ }
double
{ (*result = double_round_logic(m,x) *)
  (no_overflow_double(m,x)
     -> (double_is_finite(result) and double_value(result) = round_double(m,x)))
  and
   (not no_overflow_double(m,x)
     -> (double_same_sign_real(result,x) and double_overflow_value(m,result)))
  and double_exact(result) = x
  and double_model(result) = x
}

(*
parameter double_of_real : m:mode -> x:real ->
  { no_overflow_double(m,x) }
  double
  { double_of_real_post(m,x,result) }
parameter double_of_real_safe : m:mode -> x:real ->
  { }
  double
  { no_overflow_double(m,x) and
    double_of_real_post(m,x,result) }
*)

parameter double_of_real_exact : x:real ->
  { }
  double
  { double_is_finite(result) and
    double_value(result) = x and
    double_exact(result) = x and
    double_model(result) = x }




parameter add_double : m:mode -> x:double -> y:double ->
{ }
double
{ (double_is_NaN(x) or double_is_NaN(y) -> double_is_NaN(result))
  and
  ((double_is_finite(x) and double_is_infinite(y))
          -> (double_is_infinite(result) and double_same_sign(result,y)))
  and
  ((double_is_infinite(x) and double_is_finite(y))
          -> (double_is_infinite(result) and double_same_sign(result,x)))
  and
  ((double_is_infinite(x) and double_is_infinite(y) and double_same_sign(x,y))
          -> (double_is_infinite(result) and double_same_sign(result,x)))
  and
  ((double_is_infinite(x) and double_is_infinite(y) and double_diff_sign(x,y))
          -> double_is_NaN(result))
  and
  ((double_is_finite(x) and double_is_finite(y)
     and no_overflow_double(m,double_value(x)+double_value(y)))
          -> (double_is_finite(result) and
 	     double_value(result) = round_double(m,double_value(x)+double_value(y)) and
             double_sign_zero_result(m,result)))
  and
  ((double_is_finite(x) and double_is_finite(y)
     and not no_overflow_double(m,double_value(x)+double_value(y)))
          -> (double_same_sign_real(result,double_value(x)+double_value(y)) and
	             double_overflow_value(m,result)))
  and
  double_exact(result) = double_exact(x) + double_exact(y) and
  double_model(result) = double_model(x) + double_model(y)
}



parameter sub_double : m:mode -> x:double -> y:double ->
{ }
double
{ ((double_is_NaN(x) or double_is_NaN(y)) -> double_is_NaN(result))
  and
  ((double_is_finite(x) and double_is_infinite(y))
          -> (double_is_infinite(result) and double_diff_sign(result,y)))
  and
  ((double_is_infinite(x) and double_is_finite(y))
          -> (double_is_infinite(result) and double_same_sign(result,x)))
  and
  ((double_is_infinite(x) and double_is_infinite(y) and double_same_sign(x,y))
          -> double_is_NaN(result))
  and
  ((double_is_infinite(x) and double_is_infinite(y) and double_diff_sign(x,y))
          -> (double_is_infinite(result) and double_same_sign(result,x)))
  and
  ((double_is_finite(x) and double_is_finite(y)
     and no_overflow_double(m,double_value(x)-double_value(y)))
          -> (double_is_finite(result) and
	      double_value(result)= round_double(m,double_value(x)-double_value(y))and
	      double_sign_zero_result(m,result)))
  and
  ((double_is_finite(x) and double_is_finite(y)
     and not no_overflow_double(m,double_value(x)-double_value(y)))
          -> (double_same_sign_real(result,double_value(x)-double_value(y)) and
              double_overflow_value(m,result)))
  and
  double_exact(result) = double_exact(x) - double_exact(y) and
  double_model(result) = double_model(x) - double_model(y)
}




parameter abs_double : m:mode -> x:double ->
{ }
double
{ (double_is_NaN(x)  -> double_is_NaN(result))
and
  (double_is_infinite(x) -> double_is_infinite(result))
and
  (double_is_finite(x)  -> (double_is_finite(result) and
           double_value(result)= abs_real(double_value(x))))
and
  double_sign(result) = Positive and
  double_exact(result) = abs_real(double_exact(x)) and
  double_model(result) = abs_real(double_model(x))
}



parameter mul_double : m:mode -> x:double -> y:double ->
{ }
double
{ ((double_is_NaN(x)  or  double_is_NaN(y)) -> double_is_NaN(result))
and
  ((double_is_gen_zero(x) and double_is_infinite(y)) -> double_is_NaN(result))
and
  ((double_is_finite(x) and double_is_infinite(y) and double_value(x) <> 0.0)
     -> double_is_infinite(result))
and
  ((double_is_infinite(x) and double_is_gen_zero(y)) -> double_is_NaN(result))
and
  ((double_is_infinite(x) and double_is_finite(y) and double_value(y) <> 0.0)
     -> double_is_infinite(result))
and
  ((double_is_infinite(x) and double_is_infinite(y)) -> double_is_infinite(result))
and
  ((double_is_finite(x) and double_is_finite(y)
     and no_overflow_double(m,double_value(x)*double_value(y)))
     ->	(double_is_finite(result) and
	 double_value(result) = round_double(m,double_value(x) * double_value(y))))
and
  ((double_is_finite(x) and double_is_finite(y)
     and not no_overflow_double(m,double_value(x)*double_value(y)))
     -> (double_overflow_value(m,result)))
and
  double_product_sign(result,x,y)
and
  double_exact(result) = double_exact(x) * double_exact(y) and
  double_model(result) = double_model(x) * double_model(y)
}




parameter div_double : m:mode -> x:double -> y:double ->
{ }
double
{ ((double_is_NaN(x) or double_is_NaN(y)) -> double_is_NaN(result))
and
  ((double_is_finite(x) and double_is_infinite(y)) -> double_is_gen_zero(result))
and
  ((double_is_infinite(x) and double_is_finite(y)) -> double_is_infinite(result))
and
  ((double_is_infinite(x) and double_is_infinite(y)) -> double_is_NaN(result))
and
  ((double_is_finite(x) and double_is_finite(y) and double_value(y) <> 0.0 and
     no_overflow_double(m,double_value(x)/double_value(y)))
      -> (double_is_finite(result) and
          double_value(result)= round_double(m,double_value(x)/double_value(y))))
and
  ((double_is_finite(x) and double_is_finite(y) and double_value(y) <> 0.0 and
     not no_overflow_double(m,double_value(x)/double_value(y)))
      -> double_overflow_value(m,result))
and
  ((double_is_finite(x) and double_is_gen_zero(y) and double_value(x) <> 0.0)
      -> double_is_infinite(result))
and
  ((double_is_gen_zero(x) and double_is_gen_zero(y)) -> double_is_NaN(result))
and
  double_product_sign(result,x,y)
and
  double_exact(result) = double_exact(x)/double_exact(y) and
  double_model(result) = double_model(x)/double_model(y)
}



parameter sqrt_double :  m:mode -> x:double ->
{ }
double
{ (double_is_NaN(x)  -> double_is_NaN(result))
and
  (double_is_minus_infinity(x) -> double_is_NaN(result))
and
  (double_is_plus_infinity(x) -> double_is_infinite(result))
and
  ((double_is_finite(x) and double_value(x)< 0.0) -> double_is_NaN(result))
and
  (double_is_finite(x) and double_value(x) >= 0.0
       ->  (double_is_finite(result) and
          double_value(result)= round_double(m,sqrt_real(double_value(x)))))
and
   (* not always positive because sqrt(-0) = -0 *)
   double_same_sign(result,x)
and
   double_exact(result) = sqrt_real(double_exact(x)) and
   double_model(result) = sqrt_real(double_model(x))
}




parameter neg_double : x:double ->
{ }
double
{ (double_is_NaN(x)  -> double_is_NaN(result))
and
  (double_is_infinite(x) -> double_is_infinite(result))
and
  (double_is_finite(x)
     -> (double_is_finite(result) and
         double_value(result) = neg_real(double_value(x))))
and
  double_diff_sign(result,x)
and
  double_exact(result) = neg_real(double_exact(x)) and
  double_model(result) = neg_real(double_model(x))
}



parameter lt_double_ : x:double -> y:double ->
{ }
bool
{
if result then lt_double_full(x,y) else not lt_double_full(x,y)

(*
double_is_not_NaN(x) and double_is_not_NaN(y) and
   (double_is_finite(x) and double_is_finite(y) and double_value(x) < double_value(y))
    or
   (double_is_minus_infinity(x) and double_is_plus_infinity(y))
    or
   (double_is_minus_infinity(x) and double_is_finite(y))
    or
   (double_is_finite(x) and double_is_plus_infinity(y))
else (double_is_NaN(x) or double_is_NaN(y)
    or
    (double_is_finite(x) and double_is_finite(y) and double_value(x) >= double_value(y))
    or
     double_is_plus_infinity(x)
    or
     double_is_minus_infinity(y))
*)
}



parameter le_double_ : x:double -> y:double ->
{ }
bool
{ ((double_is_NaN(x) or double_is_NaN(y)) -> result = false)
and
  ((double_is_finite(x) and double_is_infinite(y))
        -> if result then double_sign(y) = Positive
  	    	     else double_sign(y) = Negative)
and
  ((double_is_infinite(x) and double_is_finite(y))
        -> if result then double_sign(x) = Negative
    		     else double_sign(x) = Positive)
and
  ((double_is_infinite(x) and double_is_infinite(y)) ->
                    if result then (double_sign(x)= Negative or
                                    double_sign(y)= Positive)
			      else (double_sign(x)= Positive and
                                    double_sign(y)= Negative))
and
 ((double_is_finite(x) and double_is_finite(y))
      -> if result then double_value(x) <= double_value(y)
 		   else double_value(x) > double_value(y))
}




parameter gt_double_ : x:double -> y:double ->
{ }
bool
{
if result then gt_double_full(x,y) else not gt_double_full(x,y)

(*
double_is_not_NaN(x) and double_is_not_NaN(y) and
   (double_is_finite(x) and double_is_finite(y) and double_value(x) > double_value(y))
    or
   (double_is_plus_infinity(x) and double_is_minus_infinity(y))
    or
   (double_is_plus_infinity(x) and double_is_finite(y))
    or
   (double_is_finite(x) and double_is_minus_infinity(y))
else (double_is_NaN(x) or double_is_NaN(y)
    or
    (double_is_finite(x) and double_is_finite(y) and double_value(x) <= double_value(y))
    or
     double_is_minus_infinity(x)
    or
     double_is_plus_infinity(y))
*)
}



parameter ge_double_ : x:double -> y:double ->
{}
bool
{ ((double_is_NaN(x) or double_is_NaN(y)) -> result = false)
and
  ((double_is_finite(x) and double_is_infinite(y))
     -> if result then double_sign(y)= Negative
   	          else double_sign(y)= Positive)
and
  ((double_is_infinite(x) and double_is_finite(y))
     -> if result then double_sign(x)= Positive
   	       	  else double_sign(x)= Negative)
and
  ((double_is_infinite(x) and double_is_infinite(y))
     -> if result then (double_sign(x)= Positive or double_sign(y)= Negative)
                  else (double_sign(x)= Negative and double_sign(y)= Positive))
and
 ((double_is_finite(x) and double_is_finite(y))
     -> if result then double_value(x) >= double_value(y)
 		  else double_value(x) < double_value(y))
}




parameter eq_double_ :
x:double -> y:double ->
{ }
bool
{ ((double_is_NaN(x) or double_is_NaN(y)) -> result = false)
and
  ((double_is_finite(x) and double_is_infinite(y)) -> result = false)
and
  ((double_is_infinite(x) and double_is_finite(y)) -> result = false)
and
  ((double_is_infinite(x) and double_is_infinite(y))
     -> if result then double_same_sign(x,y) else double_diff_sign(x,y))
and
 ((double_is_finite(x) and double_is_finite(y))
     -> if result then double_value(x) = double_value(y)
 		  else double_value(x) <> double_value(y))
}



parameter neq_double_ :
x:double -> y:double ->
{ }
bool
{ ((double_is_NaN(x) or double_is_NaN(y)) -> result = true)
and
  ((double_is_finite(x) and double_is_infinite(y)) -> result = true)
and
  ((double_is_infinite(x) and double_is_finite(y)) -> result = true)
and
  ((double_is_infinite(x) and double_is_infinite(y))
     -> if result then double_diff_sign(x,y) else double_same_sign(x,y))
and
 ((double_is_finite(x) and double_is_finite(y))
     -> if result then double_value(x) <> double_value(y)
 		  else double_value(x) = double_value(y))
}
why-2.34/lib/why/real.why0000644000175000017500000001327012311670312013651 0ustar  rtusers(*********)
(* Reals *)
(*********)

(* real comparisons in logic... *)
logic lt_real : real,real -> prop
logic le_real : real,real -> prop
logic gt_real : real,real -> prop
logic ge_real : real,real -> prop
logic eq_real : real,real -> prop
logic neq_real : real,real -> prop

(* ... and in programs: *)
parameter lt_real_ : x:real -> y:real -> {} bool {if result then x=y}
parameter le_real_ : x:real -> y:real -> {} bool {if result then x<=y else x>y}
parameter gt_real_ : x:real -> y:real -> {} bool {if result then x>y else x<=y}
parameter ge_real_ : x:real -> y:real -> {} bool {if result then x>=y else x y:real -> {} bool {if result then x=y else x<>y}
parameter neq_real_: x:real -> y:real -> {} bool {if result then x<>y else x=y}

logic add_real : real,real -> real (* + *)
logic sub_real : real,real -> real (* - *)
logic mul_real : real,real -> real (* * *)
logic div_real : real,real -> real (* / *)
logic neg_real : real -> real      (* prefix - *)

(* / in programs: *)
parameter div_real_ : x:real -> y:real -> { y<>0.0 } real { result = x / y }


(* conversion from integers *)

logic real_of_int : int -> real

axiom real_of_int_zero: real_of_int(0) = 0.0
axiom real_of_int_one: real_of_int(1) = 1.0

axiom real_of_int_add:
  forall x,y:int.
    real_of_int(x+y) = real_of_int(x) + real_of_int(y)

axiom real_of_int_sub:
  forall x,y:int.
    real_of_int(x-y) = real_of_int(x) - real_of_int(y)

(* conversions to integers *)

(* truncate_real_to_int: rounds towards zero *)

logic truncate_real_to_int : real -> int

(*
axiom truncate_int :
  forall i:int. truncate_real_to_int(real_of_int(i)) = i
*)

axiom truncate_down_pos:
  forall x:real.
    x >= 0.0 ->
       real_of_int(truncate_real_to_int(x)) <= x < real_of_int(truncate_real_to_int(x) + 1)

axiom truncate_up_neg:
  forall x:real.
    x <= 0.0 ->
      real_of_int(truncate_real_to_int(x)-1) < x <= real_of_int(truncate_real_to_int(x))

(*
axiom real_of_truncate:
  forall x:real.
      x-1.0 <= real_of_int(truncate_real_to_int(x)) <= x+1.0

axiom truncate_monotonic:
  forall x,y:real.
    x <= y -> truncate_real_to_int(x) <= truncate_real_to_int(y)

axiom truncate_monotonic_int1:
  forall x:real. forall i:int.
     x <= real_of_int(i) -> truncate_real_to_int(x) <= i

axiom truncate_monotonic_int2:
  forall x:real. forall i:int.
      real_of_int(i) <= x -> i <= truncate_real_to_int(x)
*)

(* roundings up and down *)

logic floor_real_to_int: real -> int
logic ceil_real_to_int: real -> int

(* todo: axiomatization *)

(* boolean versions of the comparisons and the corresponding axioms *)
logic lt_real_bool : real,real -> bool
logic le_real_bool : real,real -> bool
logic gt_real_bool : real,real -> bool
logic ge_real_bool : real,real -> bool
logic eq_real_bool : real,real -> bool
logic neq_real_bool : real,real -> bool

axiom lt_real_bool_axiom :
  forall x:real. forall y:real. lt_real_bool(x,y)=true <-> x x<=y
axiom gt_real_bool_axiom :
  forall x:real. forall y:real. gt_real_bool(x,y)=true <-> x>y
axiom ge_real_bool_axiom :
  forall x:real. forall y:real. ge_real_bool(x,y)=true <-> x>=y
axiom eq_real_bool_axiom :
  forall x:real. forall y:real. eq_real_bool(x,y)=true <-> x=y
axiom neq_real_bool_axiom :
  forall x:real. forall y:real. neq_real_bool(x,y)=true <-> x<>y


(* min and max *)

logic real_max : real, real -> real
logic real_min : real, real -> real

axiom real_max_is_ge :
  forall x:real. forall y:real.
  real_max(x,y) >= x and real_max(x,y) >= y

axiom real_max_is_some :
  forall x:real. forall y:real.
  (real_max(x,y) = x or real_max(x,y) = y)

axiom real_min_is_le :
  forall x:real. forall y:real.
  real_min(x,y) <= x and real_min(x,y) <= y

axiom real_min_is_some :
  forall x:real. forall y:real.
  (real_min(x,y) = x or real_min(x,y) = y)


(* square root *)

function sqr_real(x:real):real = x * x

logic sqrt_real : real -> real

axiom sqrt_pos:
  forall x:real. x >= 0.0 -> sqrt_real(x) >= 0.0

axiom sqrt_sqr:
  forall x:real. x >= 0.0 -> sqr_real(sqrt_real(x)) = x

axiom sqr_sqrt:
  forall x:real. x >= 0.0 -> sqrt_real(x*x) = x

parameter sqrt_real_ :
	  x:real -> { x >= 0.0 } real { result = sqrt_real(x) }

logic abs_real : real -> real

axiom abs_real_pos: forall x:real [abs_real(x)]. x >= 0.0 -> abs_real(x) = x
axiom abs_real_neg: forall x:real [abs_real(x)]. x <= 0.0 -> abs_real(x) = -x

(* exp and log *)

logic exp : real -> real
logic log : real -> real
logic log10 : real -> real

axiom log_exp: forall x:real. log(exp(x)) = x

axiom exp_log: forall x:real. x > 0.0 -> exp(log(x)) = x

(* power functions *)

logic pow_real_int : real,int -> real
logic pow_real : real,real -> real

(* trigonometric functions *)

logic cos : real -> real
logic sin : real -> real
logic tan : real -> real
logic pi : real
logic cosh : real -> real
logic sinh : real -> real
logic tanh : real -> real
logic acos : real -> real
logic asin : real -> real
logic atan : real -> real
logic atan2 : real, real -> real
logic hypot : real, real -> real

(*
axiom pi_interval:
   3.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196
   < pi <
   3.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038197
*)

parameter any_real : unit -> {} real { true }

(* helper axioms *)

axiom prod_pos:
  forall x:real. forall y:real.
  (x > 0.0 and y > 0.0 -> x * y > 0.0) and (x < 0.0 and y < 0.0 -> x * y > 0.0)

axiom abs_minus:
  forall x:real. abs_real(-x) = abs_real(x)
why-2.34/lib/why/floats_strict.why0000644000175000017500000002623512311670312015613 0ustar  rtusers(***************************************************************************)
(***************************************************************************)
(*** Jessie prelude for floating-point arithmetic: Strict mode *************)
(***************************************************************************)
(***************************************************************************)

include "floats_common.why"

axiom single_value_is_bounded:
  forall x:single. abs_real(single_value(x)) <= max_single

axiom double_value_is_bounded:
  forall x:double. abs_real(double_value(x)) <= max_double

(* Specification of operations in single precision *)
predicate single_of_real_post(m:mode,x:real,res:single) =
    single_value(res) = round_single(m,x)
    and
    single_exact(res) = x
    and
    single_model(res) = x

predicate single_of_double_post(m:mode,x:double,res:single) =
    single_value(res) = round_single(m, double_value(x))
    and
    single_exact(res) = double_exact(x)
    and
    single_model(res) = double_model(x)

predicate add_single_post(m:mode,x:single,y:single,res:single) =
    single_value(res) = round_single(m,single_value(x) + single_value(y))
    and 
    single_exact(res) = single_exact(x) + single_exact(y)
    and 
    single_model(res) = single_model(x) + single_model(y)

predicate sub_single_post(m:mode,x:single,y:single,res:single) =
    single_value(res) = round_single(m,single_value(x) - single_value(y))
    and 
    single_exact(res) = single_exact(x) - single_exact(y)
    and 
    single_model(res) = single_model(x) - single_model(y)

predicate mul_single_post(m:mode,x:single,y:single,res:single) =
    single_value(res) = round_single(m,single_value(x) * single_value(y))
    and 
    single_exact(res) = single_exact(x) * single_exact(y)
    and 
    single_model(res) = single_model(x) * single_model(y)

predicate div_single_post(m:mode,x:single,y:single,res:single) =
    single_value(res) = round_single(m,single_value(x) / single_value(y))
    and 
    single_exact(res) = single_exact(x) / single_exact(y)
    and 
    single_model(res) = single_model(x) / single_model(y)

predicate sqrt_single_post(m:mode,x:single,res:single) =
    single_value(res) = round_single(m,sqrt_real(single_value(x)))
    and 
    single_exact(res) = sqrt_real(single_exact(x))
    and 
    single_model(res) = sqrt_real(single_model(x))

predicate neg_single_post(x:single,res:single) =
    single_value(res) = -single_value(x)
    and 
    single_exact(res) = -single_exact(x)
    and 
    single_model(res) = -single_model(x)

predicate abs_single_post(x:single,res:single) =
    single_value(res) = abs_real(single_value(x))
    and 
    single_exact(res) = abs_real(single_exact(x))
    and 
    single_model(res) = abs_real(single_model(x))


(* Specification of operations in double precision *)
predicate double_of_real_post(m:mode,x:real,res:double) =
    double_value(res) = round_double(m,x)
    and
    double_exact(res) = x
    and
    double_model(res) = x

predicate double_of_single_post(x:single,res:double) =
    double_value(res) = single_value(x)
    and
    double_exact(res) = single_exact(x)
    and
    double_model(res) = single_model(x)

predicate add_double_post(m:mode,x:double,y:double,res:double) =
    double_value(res) = round_double(m,double_value(x) + double_value(y))
    and 
    double_exact(res) = double_exact(x) + double_exact(y)
    and 
    double_model(res) = double_model(x) + double_model(y)

predicate sub_double_post(m:mode,x:double,y:double,res:double) =
    double_value(res) = round_double(m,double_value(x) - double_value(y))
    and 
    double_exact(res) = double_exact(x) - double_exact(y)
    and 
    double_model(res) = double_model(x) - double_model(y)

predicate mul_double_post(m:mode,x:double,y:double,res:double) =
    double_value(res) = round_double(m,double_value(x) * double_value(y))
    and 
    double_exact(res) = double_exact(x) * double_exact(y)
    and 
    double_model(res) = double_model(x) * double_model(y)

predicate div_double_post(m:mode,x:double,y:double,res:double) =
    double_value(res) = round_double(m,double_value(x) / double_value(y))
    and 
    double_exact(res) = double_exact(x) / double_exact(y)
    and 
    double_model(res) = double_model(x) / double_model(y)

predicate sqrt_double_post(m:mode,x:double,res:double) =
    double_value(res) = round_double(m,sqrt_real(double_value(x)))
    and 
    double_exact(res) = sqrt_real(double_exact(x))
    and 
    double_model(res) = sqrt_real(double_model(x))

predicate neg_double_post(x:double,res:double) =
    double_value(res) = -double_value(x)
    and 
    double_exact(res) = -double_exact(x)
    and 
    double_model(res) = -double_model(x)

predicate abs_double_post(x:double,res:double) =
    double_value(res) = abs_real(double_value(x))
    and 
    double_exact(res) = abs_real(double_exact(x))
    and 
    double_model(res) = abs_real(double_model(x))



(* Parameters in single precision *)
parameter single_of_real : m:mode -> x:real ->
  { no_overflow_single(m,x) }
  single
  { single_of_real_post(m,x,result) }
parameter single_of_real_safe : m:mode -> x:real ->
  { }
  single
  { single_of_real_post(m,x,result) }
parameter single_of_real_exact : x:real ->
  { }
  single
  { single_value(result) = x and
    single_exact(result) = x and
    single_model(result) = x }

parameter single_of_double : m:mode -> x:double ->
  { no_overflow_single(m, double_value(x)) }
  single
  { single_of_double_post(m,x,result) }
parameter single_of_double_safe : m:mode -> x:double ->
  { }
  single
  { single_of_double_post(m,x,result) }

parameter add_single : m:mode -> x:single -> y:single -> 
  { no_overflow_single(m,single_value(x) + single_value(y)) }
  single
  { add_single_post(m,x,y,result) }
parameter add_single_safe : m:mode -> x:single -> y:single -> 
  { }
  single
  { add_single_post(m,x,y,result) }

parameter sub_single : m:mode -> x:single -> y:single -> 
  { no_overflow_single(m,single_value(x) - single_value(y)) }
  single
  { sub_single_post(m,x,y,result) }
parameter sub_single_safe : m:mode -> x:single -> y:single -> 
  { }
  single
  { sub_single_post(m,x,y,result) }

parameter mul_single : m:mode -> x:single -> y:single -> 
  { no_overflow_single(m,single_value(x) * single_value(y)) }
  single
  { mul_single_post(m,x,y,result) }
parameter mul_single_safe : m:mode -> x:single -> y:single -> 
  { }
  single
  { mul_single_post(m,x,y,result) }

parameter div_single : m:mode -> x:single -> y:single -> 
  { single_value(y) <> 0.0 
    and
    no_overflow_single(m,single_value(x) / single_value(y)) }
  single
  { div_single_post(m,x,y,result) }
parameter div_single_safe : m:mode -> x:single -> y:single -> 
  { }
  single
  { single_value(y) <> 0.0  and
    div_single_post(m,x,y,result) }

parameter sqrt_single : m:mode -> x:single -> 
  { single_value(x) >= 0.0 }
  single
  { sqrt_single_post(m,x,result) }
parameter sqrt_single_safe : m:mode -> x:single ->
  { }
  single
  { single_value(x) >= 0.0  and
    sqrt_single_post(m,x,result) }

parameter neg_single : x:single -> 
  { }
  single
  { neg_single_post(x,result) }
parameter abs_single : x:single -> 
  { }
  single
  { abs_single_post(x,result) }

(* Parameters in double precision *)
parameter double_of_real : m:mode -> x:real ->
  { no_overflow_double(m,x) }
  double
  { double_of_real_post(m,x,result) }
parameter double_of_real_safe : m:mode -> x:real ->
  { }
  double
  { double_of_real_post(m,x,result) }
parameter double_of_real_exact : x:real ->
  { }
  double
  { double_value(result) = x and
    double_exact(result) = x and
    double_model(result) = x }

parameter double_of_single : x:single ->
  { }
  double
  { double_of_single_post(x,result) }

parameter add_double : m:mode -> x:double -> y:double -> 
  { no_overflow_double(m,double_value(x) + double_value(y)) }
  double
  { add_double_post(m,x,y,result) }
parameter add_double_safe : m:mode -> x:double -> y:double -> 
  { }
  double
  { add_double_post(m,x,y,result) }

parameter sub_double : m:mode -> x:double -> y:double -> 
  { no_overflow_double(m,double_value(x) - double_value(y)) }
  double
  { sub_double_post(m,x,y,result) }
parameter sub_double_safe : m:mode -> x:double -> y:double -> 
  { }
  double
  { sub_double_post(m,x,y,result) }

parameter mul_double : m:mode -> x:double -> y:double -> 
  { no_overflow_double(m,double_value(x) * double_value(y)) }
  double
  { mul_double_post(m,x,y,result) }
parameter mul_double_safe : m:mode -> x:double -> y:double -> 
  { }
  double
  { mul_double_post(m,x,y,result) }

parameter div_double : m:mode -> x:double -> y:double -> 
  { double_value(y) <> 0.0 
    and
    no_overflow_double(m,double_value(x) / double_value(y)) }
  double
  { div_double_post(m,x,y,result) }
parameter div_double_safe : m:mode -> x:double -> y:double -> 
  { }
  double
  { double_value(y) <> 0.0  and
    div_double_post(m,x,y,result) }

parameter sqrt_double : m:mode -> x:double -> 
  { double_value(x) >= 0.0 }
  double
  { sqrt_double_post(m,x,result) }
parameter sqrt_double_safe : m:mode -> x:double ->
  { }
  double
  { double_value(x) >= 0.0  and
    sqrt_double_post(m,x,result) }

parameter neg_double : x:double -> 
  { }
  double
  { neg_double_post(x,result) }
parameter abs_double : x:double -> 
  { }
  double
  { abs_double_post(x,result) }


(* Comparisons in single precision *)
parameter lt_single_ : x:single -> y:single -> 
  {} bool { if result then single_value(x) < single_value(y) 
            else single_value(x) >= single_value(y) }
parameter le_single_ : x:single -> y:single -> 
  {} bool { if result then single_value(x) <= single_value(y) 
            else single_value(x) > single_value(y) }
parameter gt_single_ : x:single -> y:single -> 
  {} bool { if result then single_value(x) > single_value(y) 
            else single_value(x) <= single_value(y) }
parameter ge_single_ : x:single -> y:single -> 
  {} bool { if result then single_value(x) >= single_value(y) 
            else single_value(x) < single_value(y) }
parameter eq_single_ : x:single -> y:single -> 
  {} bool { if result then single_value(x) = single_value(y) 
            else single_value(x) <> single_value(y) }
parameter ne_single_ : x:single -> y:single -> 
  {} bool { if result then single_value(x) <> single_value(y) 
            else single_value(x) = single_value(y) }


(* Comparisons in double precision *)
parameter lt_double_ : x:double -> y:double -> 
  {} bool { if result then double_value(x) < double_value(y) 
            else double_value(x) >= double_value(y) }
parameter le_double_ : x:double -> y:double -> 
  {} bool { if result then double_value(x) <= double_value(y) 
            else double_value(x) > double_value(y) }
parameter gt_double_ : x:double -> y:double -> 
  {} bool { if result then double_value(x) > double_value(y) 
            else double_value(x) <= double_value(y) }
parameter ge_double_ : x:double -> y:double -> 
  {} bool { if result then double_value(x) >= double_value(y) 
            else double_value(x) < double_value(y) }
parameter eq_double_ : x:double -> y:double -> 
  {} bool { if result then double_value(x) = double_value(y) 
            else double_value(x) <> double_value(y) }
parameter ne_double_ : x:double -> y:double -> 
  {} bool { if result then double_value(x) <> double_value(y) 
            else double_value(x) = double_value(y) }

why-2.34/lib/why/arrays.why0000644000175000017500000000524712311670312014234 0ustar  rtusers
(* Arrays.
   Type 'a array is a built-in shortcut for 'a farray ref, where 'a farray
   is the following abstract type for purely applicative arrays *)

type 'a farray

logic access : 'a farray, int -> 'a
logic update : 'a farray, int, 'a -> 'a farray

axiom access_update : 
  forall a : 'a farray. forall i : int. forall v : 'a.
  access(update(a,i,v), i) = v

axiom access_update_neq : 
  forall a : 'a farray. forall i : int. forall j : int. forall v : 'a.
  i <> j -> access(update(a,i,v), j) = access(a,j)

(* Length *)

logic array_length : 'a farray -> int

parameter array_length_ : 
  a:'a array -> {} int reads a { result=array_length(a) }

(* t[e] is syntactic sugar for (array_get t e) *)
parameter array_get :
  a:'a array -> i:int -> 
    { 0 <= i < array_length(a) } 'a reads a { result = access(a,i) }

(* t [e1] := e2 is syntactic sugar for (array_set t e1 e2) *)
parameter array_set : 
  a:'a array -> i:int -> v:'a -> 
    { 0 <= i < array_length(a) } unit writes a { a = update(a@,i,v) }

(* Sorted arrays *)

predicate sorted_array(t:int farray, i:int, j:int) = 
  forall k1,k2:int. i <= k1 <= k2 <= j -> t[k1] <= t[k2]

(* Arrays permutations *)

predicate exchange(a1:'a farray, a2:'a farray, i:int, j:int) = 
  array_length(a1) = array_length(a2) and
  a1[i] = a2[j] and a2[i] = a1[j] and
  forall k:int. (k <> i and k <> j) -> a1[k] = a2[k]

logic permut : 'a farray, 'a farray, int, int -> prop

axiom permut_refl :
  forall t:'a farray. forall l,u:int. permut(t,t,l,u)

axiom permut_sym :
  forall t1,t2:'a farray. forall l,u:int.
  permut(t1,t2,l,u) -> permut(t2,t1,l,u)

axiom permut_trans :
  forall t1,t2,t3:'a farray. forall l,u:int.
  permut(t1,t2,l,u) -> permut(t2,t3,l,u) -> permut(t1,t3,l,u)

axiom permut_exchange :
  forall a1,a2:'a farray. forall l,u,i,j:int. 
  l <= i <= u -> l <= j <= u -> exchange(a1,a2,i,j) -> permut(a1,a2,l,u)

axiom exchange_upd :
  forall a:'a farray. forall i,j:int.
  exchange(a,update(update(a,i,a[j]),j,a[i]),i,j)

axiom permut_weakening :
  forall a1,a2:'a farray. forall l1,r1,l2,r2:int.
  (*forall x_,y_:'a farray [permut(a1,a2,l2,r2),permut(x_,y_,l1,r1)].*)
  l1 <= l2 <= r2 <= r1 -> permut(a1,a2,l2,r2) -> permut(a1,a2,l1,r1)

axiom permut_eq :
  forall a1,a2:'a farray. forall l,u:int.
  l <= u -> permut(a1,a2,l,u) ->
  forall i:int. (i < l or u < i) -> a2[i] = a1[i]

predicate permutation(a1:'a array, a2:'a array) =
  permut(a1,a2,0,array_length(a1)-1)


(* Axioms about array_length *)

axiom array_length_update :
  forall a:'a farray. forall i:int. forall v:'a.
  array_length(update(a,i,v)) = array_length(a)

axiom permut_array_length :
  forall a1,a2:'a farray. forall l,u:int. 
  permut(a1,a2,l,u) -> array_length(a1) = array_length(a2)

why-2.34/lib/why/floats_common.why0000644000175000017500000001060312311670312015563 0ustar  rtusers
(***************************************************************************)
(***************************************************************************)
(*** Jessie prelude for floating-point arithmetic (Strict and Full mode) ***)
(***************************************************************************)
(***************************************************************************)


include "real.why"

type mode = nearest_even | to_zero | up | down | nearest_away

parameter current_rounding_mode : mode ref

(***************************)    
(* About the double format *)
(***************************)    

type double

logic round_double : mode, real -> real
logic round_double_logic : mode, real -> double

logic double_value : double -> real
logic double_exact : double -> real
logic double_model : double -> real

function double_round_error(x:double) : real = 
	 abs_real(double_value(x) - double_exact(x))
function double_total_error(x:double) : real = 
	 abs_real(double_value(x) - double_model(x))

parameter double_set_model : x:double ref -> y:real ->
  { } 
  unit writes x
  { double_value(x) = double_value(x@)
    and double_exact(x) = double_exact(x@)
    and double_model(x) = y }

function max_double() : real = 0x1.FFFFFFFFFFFFFp1023
parameter any_double : unit -> { } double { true }

predicate no_overflow_double(m:mode,x:real) = 
	  abs_real(round_double(m,x)) <= max_double

axiom bounded_real_no_overflow_double : forall m:mode. forall x:real. 
      abs_real(x) <= max_double -> no_overflow_double(m,x)

axiom round_double_monotonic: 
  forall x,y:real. forall m:mode.
   x <= y -> round_double(m,x) <= round_double(m,y)

axiom exact_round_double_for_integers:
  forall i:int. forall m:mode.
     -9007199254740992 <= i <= 9007199254740992 (* 2^53 *) ->
     round_double(m,real_of_int(i)) = real_of_int(i)

axiom exact_round_double_for_doubles:
  forall x:double. forall m:mode.
     round_double(m,double_value(x)) = double_value(x)

axiom round_double_idempotent:
      forall m1:mode. forall m2:mode. forall x:real. 
      round_double(m1,round_double(m2,x)) = round_double(m2,x)

(* rounding and negation *)

axiom round_down_double_neg: forall x:real. 
     round_double(down,-x) = -round_double(up,x)
axiom round_up_double_neg: forall x:real. 
     round_double(up,-x) = -round_double(down,x)

(* rounding up and down *)
axiom round_double_down_le: forall x:real. 
      round_double(down,x) <= x
axiom round_up_double_ge: forall x:real. 
      round_double(up,x) >= x


(***************************)    
(* About the single format *)
(***************************)    

type single

logic round_single : mode, real -> real
logic round_single_logic : mode, real -> single

logic single_value : single -> real
logic single_exact : single -> real
logic single_model : single -> real

function single_round_error(x:single) : real = 
	 abs_real(single_value(x) - single_exact(x))
function single_total_error(x:single) : real = 
	 abs_real(single_value(x) - single_model(x))

parameter single_set_model : x:single ref -> y:real ->
  { } 
  unit writes x
  { single_value(x) = single_value(x@)
    and single_exact(x) = single_exact(x@)
    and single_model(x) = y }

function max_single() : real = 0x1.FFFFFEp127
parameter any_single : unit -> { } single { true }

predicate no_overflow_single(m:mode,x:real) = 
	  abs_real(round_single(m,x)) <= max_single

axiom bounded_real_no_overflow_single : forall m:mode. forall x:real. 
      abs_real(x) <= max_single -> no_overflow_single(m,x)

axiom round_single_monotonic: 
  forall x,y:real. forall m:mode.
   x <= y -> round_single(m,x) <= round_single(m,y)

axiom exact_round_single_for_integers:
  forall i:int. forall m:mode.
     -16777216 <= i <= 16777216 (* 2^24 *) ->
     round_single(m,real_of_int(i)) = real_of_int(i)

axiom exact_round_single_for_singles:
  forall x:single. forall m:mode.
     round_single(m,single_value(x)) = single_value(x)

axiom round_single_idempotent:
      forall m1:mode. forall m2:mode. forall x:real. 
      round_single(m1,round_single(m2,x)) = round_single(m2,x)

(* rounding and negation *)
axiom round_down_single_neg: forall x:real. 
     round_single(down,-x) = -round_single(up,x)

axiom round_up_single_neg: forall x:real. 
     round_single(up,-x) = -round_single(down,x)

(* rounding up and down *)
axiom round_single_down_le: forall x:real. 
      round_single(down,x) <= x

axiom round_up_single_ge: forall x:real. 
      round_single(up,x) >= x
why-2.34/lib/why/mybag.why0000644000175000017500000000000012311670312014010 0ustar  rtuserswhy-2.34/lib/why/bool.why0000644000175000017500000000122512311670312013656 0ustar  rtusers

logic bool_and : bool, bool -> bool
logic bool_or  : bool, bool -> bool
logic bool_xor : bool, bool -> bool
logic bool_not : bool -> bool

axiom bool_and_def: forall a,b:bool. bool_and(a,b) = true <-> a=true and b=true
axiom bool_or_def: forall a,b:bool. bool_or(a,b) = true <-> a=true or b=true
axiom bool_xor_def: forall a,b:bool. bool_xor(a,b) = true <-> a <> b
axiom bool_not_def: forall a:bool. bool_not(a) = true <-> a=false

(* if-then-else function symbol *)

logic ite : bool,'a,'a -> 'a

axiom ite_true : forall x, y : 'a. ite(true, x, y) = x
axiom ite_false : forall x, y : 'a. ite(false, x, y) = y


parameter any_bool : unit -> { } bool { true }
why-2.34/lib/why/arith.why0000644000175000017500000000126112311670312014032 0ustar  rtusers
(* integer arithmetic prelude for provers which know nothing about it *)

axiom add_zero_l : forall x:int. 0 + x = x

axiom add_zero_r : forall x:int. x + 0 = x

axiom add_comm : forall x,y:int. x + y = y + x

axiom add_assoc: forall x,y,z:int. x + (y + z) = (x + y) + z

axiom add_sub : forall x,y,z:int. (x+y)-z = x+(y-z)

axiom sub_x_x : forall x:int. x - x = 0

axiom lt_le : forall x,y:int. x < y <-> x <= y-1

axiom le_trans : forall x,y,z:int. x <= y -> y <= z -> x <= z

axiom le_eq : forall x,y:int. x <= y -> y <= x -> x = y

axiom tighten_bounds_right : forall x,y:int. x <= y -> (x <= y-1 or x = y)

axiom tighten_bounds_left  : forall x,y:int. x <= y -> (x = y or x+1 <= y)

why-2.34/lib/why/lbmm.why0000644000175000017500000002445012311670312013657 0ustar  rtusers
(* Leroy-Blazy low-level memory model

   Why theory translated from Coq theory at
   cf http://pauillac.inria.fr/~xleroy/memory-model/ *)

(* 1. Why prelude *)

type 'a option
logic None : 'a option
logic Some : 'a -> 'a option
axiom None_neq_Some : forall v:'a. None <> Some(v)
axiom Some_inj : forall x, y:'a. Some(x) = Some(y) -> x=y

exception Undef
parameter out_some_or_fail : 
  x:'a option -> {} 'a raises Undef { x = Some(result) | Undef => x = None }
parameter out_some : 
  x:'a option -> { x <> None } 'a { x = Some(result) }

type ('a, 'b) pair
logic pair : 'a, 'b -> ('a, 'b) pair
logic fst : ('a, 'b) pair -> 'a
logic snd : ('a, 'b) pair -> 'b
axiom fst_pair : forall x:'a. forall y:'b. fst(pair(x,y)) = x
axiom snd_pair : forall x:'a. forall y:'b. snd(pair(x,y)) = y
axiom fst_snd : forall x:('a, 'b) pair. x = pair(fst(x), snd(x))

predicate divides(d : int, n : int) = exists k:int. n = k * d
axiom divides_1_n : forall n:int. divides(1, n)

(* 2. Values and types *)

type val
logic vundef : val

type memtype

logic compat: memtype,memtype -> prop
logic sizeof: memtype -> int
logic alignof: memtype -> int

logic convert: memtype, val -> val

axiom sizeof_pos: forall ty:memtype. sizeof(ty) > 0

axiom compat_sizeof:
  forall ty, ty':memtype. compat(ty, ty') -> sizeof(ty') = sizeof(ty)

axiom alignof_pos: forall ty:memtype. alignof(ty) > 0

logic max_alignment: int

axiom alignof_div: forall ty:memtype. divides(alignof(ty), max_alignment)

axiom compat_alignof:
  forall ty, ty':memtype. compat(ty, ty') -> alignof(ty') = alignof(ty)

(* 3. (Abstract) Memory Model *)

type block
type mem

logic empty: mem
logic alloc: mem, int, int -> (block, mem) pair option
logic load: memtype, mem, block, int -> val option
logic store: memtype, mem, block, int, val -> mem option
logic free: mem, block -> mem option

axiom load_alloc_other:
  forall m:mem. forall lo,hi:int. forall b:block. 
  forall m':mem. forall ty:memtype. forall b':block. forall ofs:int.
  alloc(m, lo, hi) = Some (pair (b, m')) ->
  b' <> b ->
  load(ty, m', b', ofs) = load(ty, m, b', ofs)

axiom load_store_same:
  forall ty:memtype. forall m:mem. forall b:block. forall ofs:int.
  forall v:val. forall m':mem. forall ty':memtype.
  store(ty, m, b, ofs, v) = Some(m') ->
  compat(ty, ty') ->
  load(ty', m', b, ofs) = Some (convert(ty', v))

axiom load_store_disjoint:
  forall ty:memtype. forall m:mem. forall b:block. forall ofs:int.
  forall v:val. forall m':mem. forall ty':memtype.
  forall b':block. forall ofs':int.
  store(ty, m, b, ofs, v) = Some(m') ->
  (b' <> b or ofs' + sizeof(ty') <= ofs or ofs + sizeof(ty) <= ofs') ->
  load(ty', m', b', ofs') = load(ty', m, b', ofs')

axiom load_free_other:
  forall m:mem. forall b:block.  forall m':mem. forall ty:memtype.
  forall b':block. forall ofs:int.
  free(m, b) = Some(m') ->
  b' <> b ->
  load(ty, m', b', ofs) = load(ty, m, b', ofs)

logic valid_block: mem, block -> prop

axiom alloc_valid_block:
  forall m:mem. forall lo, hi:int. 
  forall b:block. forall m':mem. forall b':block.
  alloc(m, lo, hi) = Some(pair (b, m')) ->
  (valid_block(m', b') <-> (b' = b or valid_block(m, b')))
axiom alloc_not_valid_block:
  forall m:mem. forall lo, hi:int. forall b:block. forall m':mem. 
  alloc(m, lo, hi) = Some(pair(b, m')) -> not valid_block(m, b)
axiom load_valid_block:
  forall ty:memtype. forall m:mem.  
  forall b:block. forall ofs:int. forall v:val.
  load(ty, m, b, ofs) = Some(v) -> valid_block(m, b)
axiom store_valid_block:
  forall ty:memtype. forall m:mem. 
  forall b:block. forall ofs:int. forall v:val. forall m':mem.
  store(ty, m, b, ofs, v) = Some(m') -> valid_block(m, b)
axiom store_valid_block_inv:
  forall ty:memtype. forall m:mem. 
  forall b:block. forall ofs:int. forall v:val. forall m':mem. forall b':block.
  store(ty, m, b, ofs, v) = Some(m') -> 
  (valid_block(m', b') <-> valid_block(m, b'))
axiom free_valid_block:
  forall m:mem. forall b:block. forall m':mem.  forall b':block.
  free(m, b) = Some(m') -> b' <> b -> 
  (valid_block(m', b') <-> valid_block(m, b'))
axiom valid_block_free:
  forall m:mem. forall b:block.
  valid_block(m, b) -> exists m':mem. free(m, b) = Some(m')

logic bounds: mem, block -> (int, int) pair

axiom alloc_result_bounds:
  forall m:mem. forall lo, hi:int. forall b:block. forall m':mem.
  alloc(m, lo, hi) = Some(pair (b, m')) -> bounds(m', b) = pair (lo, hi)
axiom alloc_bounds_inv:
  forall m:mem. forall lo, hi:int. forall b:block. forall m':mem.
  forall b':block.
  alloc(m, lo, hi) = Some(pair (b, m')) -> b' <> b -> 
  bounds(m', b') = bounds(m, b')
axiom store_bounds_inv:
  forall ty:memtype. forall m:mem. forall b:block.
  forall ofs:int. forall v:val. forall m':mem. forall b':block.
  store(ty, m, b, ofs, v) = Some(m') -> bounds(m', b') = bounds(m, b')
axiom free_bounds_inv:
  forall m:mem. forall b:block. forall m':mem. forall b':block.
  free(m, b) = Some(m') -> b' <> b -> bounds(m', b') = bounds(m, b')

predicate valid_pointer (ty: memtype, m: mem, b: block, ofs: int) =
  valid_block(m, b)
  and divides(alignof(ty), ofs)
  and fst (bounds(m, b)) <= ofs
  and ofs + sizeof(ty) <= snd (bounds(m, b))

axiom valid_pointer_store:
  forall ty:memtype. forall m: mem. forall b: block. forall ofs: int.
  forall v:val.
  valid_pointer(ty, m, b, ofs) ->
  exists m':mem. store(ty, m, b, ofs, v) = Some(m')

(* Derived properties *)

axiom alloc_valid_block_inv: (* proved by Ergo *)
  forall m:mem. forall lo, hi:int. forall b:block. 
  forall m':mem. forall b':block.
  alloc(m, lo, hi) = Some(pair (b, m')) -> 
  valid_block(m, b') -> valid_block(m', b')

axiom alloc_not_valid_block_2: (* proved by Ergo *)
  forall m:mem. forall lo, hi:int. forall b:block. 
  forall m':mem. forall b':block.
  alloc(m, lo, hi) = Some(pair (b, m')) -> valid_block(m, b') -> b' <> b

axiom load_alloc_other_2: (* proved by Ergo *)
  forall m:mem. forall lo, hi:int. forall b:block. 
  forall m':mem. forall b':block.
  forall ty:memtype. forall ofs:int. forall v:val.
  alloc(m, lo, hi) = Some(pair (b, m')) ->
  load(ty, m, b', ofs) = Some(v) ->
  load(ty, m', b', ofs) = Some(v)

axiom alloc_result_valid_pointer: (* proved by Ergo *)
  forall m:mem. forall lo, hi:int. forall b:block. 
  forall m':mem. forall ty:memtype. forall ofs:int. 
  alloc(m, lo, hi) = Some(pair (b, m')) ->
  divides(alignof(ty), ofs) -> lo <= ofs -> ofs + sizeof(ty) <= hi ->
  valid_pointer(ty, m', b, ofs)

axiom alloc_valid_pointer_inv: (* proved by Ergo *)
  forall m:mem. forall lo, hi:int. forall b:block. 
  forall m':mem. forall ty:memtype. forall b':block. forall ofs:int. 
  alloc(m, lo, hi) = Some(pair (b, m')) ->
  valid_pointer(ty, m, b', ofs) -> valid_pointer(ty, m', b', ofs)

axiom store_valid_pointer_inv: (* proved by Ergo *)
  forall ty:memtype. forall m:mem. forall b:block. forall ofs:int. 
  forall v:val. forall m':mem. forall ty':memtype. forall b':block.
  forall ofs':int. 
  store(ty, m, b, ofs, v) = Some(m') ->
  (valid_pointer(ty', m', b', ofs') <-> valid_pointer(ty', m, b', ofs'))

axiom free_valid_pointer_inv: (* proved by Ergo *)
  forall m:mem. forall b:block. forall m':mem. forall ty:memtype. 
  forall b':block. forall ofs:int. 
  free(m, b) = Some(m') -> b' <> b ->
  (valid_pointer(ty, m', b', ofs) <-> valid_pointer(ty, m, b', ofs))

(* C types *)

logic int32 : memtype
logic char : memtype
axiom sizeof_int32: sizeof(int32) = 4
axiom alignof_int32 : alignof(int32) = 1
axiom sizeof_char: sizeof(char) = 1
axiom alignof_char : alignof(char) = 1

logic val_of_int : int -> val
logic int_of_val : val -> int
axiom int_val_int : forall n:int. int_of_val(val_of_int(n)) = n

(* ADDED *)
axiom convert_int32 : forall v:val. convert(int32, v) = v

(* ADDED *)
axiom compat_refl : forall ty:memtype. compat(ty,ty)

(* Tests *)

let test1 (m:mem) =
  let xm = alloc m 0 8 in
  let xm = out_some_or_fail xm in
  let x = fst xm in
  let m = snd xm in
  assert { valid_pointer(int32, m, x, 0) };
  let ym = alloc m 0 4 in
  let ym = out_some_or_fail ym in
  let y = fst ym in
  let m = snd ym in
  assert { x <> y and 
	   valid_pointer(int32, m, x, 0) and
	   valid_pointer(int32, m, y, 0) };
  let m = store int32 m x 0 (val_of_int 0) in
  let m = out_some_or_fail m in
  assert { load(int32,m,x,0) = Some(val_of_int(0)) };
  let m = store int32 m x 4 (val_of_int 1) in
  let m = out_some_or_fail m in
  assert { load(int32,m,x,0) = Some(val_of_int(0)) and
           load(int32,m,x,4) = Some(val_of_int(1)) };
  let t = load int32 m x 0 in
  let t = out_some_or_fail t in
  assert { t = val_of_int(0) };
  let m = store int32 m y 0 t in
  let m = out_some_or_fail m in
  assert { load(int32,m,x,0) = Some(val_of_int(0)) and
           load(int32,m,x,4) = Some(val_of_int(1)) and
           load(int32,m,y,0) = Some(val_of_int(0)) };
  let t = load int32 m x 4 in
  let t = out_some_or_fail t in
  assert { t = val_of_int(1) };
  let m = store int32 m x 0 t in
  let m = out_some_or_fail m in
  assert { load(int32,m,x,0) = Some(val_of_int(1)) and
           load(int32,m,x,4) = Some(val_of_int(1)) and
           load(int32,m,y,0) = Some(val_of_int(0)) };
  let t = load int32 m y 0 in
  let t = out_some_or_fail t in
  assert { t = val_of_int(0) };
  let m = store int32 m x 4 t in
  let m = out_some_or_fail m in
  assert { load(int32,m,x,0) = Some(val_of_int(1)) and
           load(int32,m,x,4) = Some(val_of_int(0)) and
           load(int32,m,y,0) = Some(val_of_int(0)) };
  void
  { true | Undef => false }


(*
   int x[4];
   int y[2];
   x[0] = 42;
   y[0] = 1;
   //@ assert x[0] - y[0] == 41;
*)

let test2 
  (memx:mem) (x:block) 
  (memy:mem) (y:block) = 
  { (forall i:int. 0 <= i <= 3 -> valid_pointer(int32, memx, x, i)) and
    (forall i:int. 0 <= i <= 1 -> valid_pointer(int32, memy, y, i)) }
  let memx = store int32 memx x 0 (val_of_int 42) in
  let memx = out_some_or_fail memx in

  let memy = store int32 memy y 0 (val_of_int 1) in
  let memy = out_some_or_fail memy in
  
  assert { forall vx,vy:val.
           load(int32, memx, x, 0) = Some(vx) ->
	   load(int32, memy, y, 0) = Some(vy) ->
	   int_of_val(vx) - int_of_val(vy) = 41 };

  void

(*
  //@ requires \valid(x)
  void change_endianness(int * x) {
    char * p = (char* ) x;
    int t = *(p+3) + *(p+2)<<8 + *(p+1)<<16 + *p<<24;
    *x = t;
  }
*)

let test3 (m : mem ref) (bx:block) (ofsx:int) =
  { valid_pointer(int32, m, bx, ofsx) }
  let bp = bx in
  let ofsp = ofsx in
  let t = load char !m bp (ofsp+3) (* + ... *) in
  let t = out_some t in
  let m' = store int32 !m bx ofsx t in
  m := out_some m'

why-2.34/lib/why/caduceus_noalloc.why0000644000175000017500000004534712311670312016243 0ustar  rtusers
(* axiomatization of a memory model in which:
	- validity is checked based on arithmetic predicate
	- allocation table is useless 
*)

(* bitwise operations *)
logic bw_compl : int -> int

logic bw_and : int,int -> int

logic bw_xor : int,int -> int

logic bw_or : int,int -> int

logic lsl : int,int -> int

logic lsr : int,int -> int

(* default variable initialisation *)

type 'z pointer

parameter any_pointer: unit -> {} 'z pointer { true }

(* pointer arithmetic *)

type 'z addr
type ('a, 'z) memory

logic null : 'z pointer

logic base_addr: 'z pointer -> 'z addr
logic offset: 'z pointer -> int
logic shift: 'z pointer,int -> 'z pointer
logic sub_pointer: 'z pointer, 'z pointer -> int
(* [arrlen(p)] returns the array length of pointer [p], i.e. the number
   of elements that can be accessed in p[0], p[1], etc. *)
logic arrlen: 'z pointer -> int
(* [strlen(m,p)] returns the string length of pointer [p] in memory [m],
   i.e. the number of non-null elements that can be accessed before 
   some null element (usually a byte). *)
logic strlen: ('a, 'z) memory, 'z pointer -> int
(* [full_separated(p,q)] is true when memory zones for pointers [p] and [q] are
   disjoint. *)
predicate full_separated(p:'z pointer,q:'z pointer) =
  base_addr(p) <> base_addr(q)

predicate lt_pointer(p1:'z pointer,p2: 'z pointer) =
  base_addr(p1) = base_addr(p2) and offset(p1) < offset(p2)
predicate le_pointer(p1:'z pointer,p2: 'z pointer) =
  base_addr(p1) = base_addr(p2) and offset(p1) <= offset(p2)
predicate gt_pointer(p1:'z pointer,p2: 'z pointer) =
  base_addr(p1) = base_addr(p2) and offset(p1) > offset(p2)
predicate ge_pointer(p1: 'z pointer,p2: 'z pointer) =
  base_addr(p1) = base_addr(p2) and offset(p1) >= offset(p2)

parameter eq_pointer : 
  p:'z pointer -> q: 'z pointer -> {} bool { if result then p=q else p<>q }
parameter neq_pointer : 
  p: 'z pointer -> q: 'z pointer -> {} bool { if result then p<>q else p=q }

(* a pointer [p] is valid iff its array length is strictly positive *)
predicate valid(p: 'z pointer) = 
	arrlen(p) > 0

(* an index [i] from a pointer [p] is valid iff [i] is strictly less than 
   its array length, and greater than 0 *)
predicate valid_index(p: 'z pointer, i:int) =
	0 <= i < arrlen(p)

(* a range [i,j] from a pointer [p] is valid iff both integers are valid 
   indices, and form a range *)
predicate valid_range(p: 'z pointer, i:int, j:int) =
	0 <= i <= j < arrlen(p)

axiom offset_shift :
(*   forall p: 'z pointer. forall i:int.  *)
  forall p: 'z pointer. forall i:int [offset(shift(p,i))]. 
  offset(shift(p,i)) = offset(p)+i

axiom shift_zero :
(*   forall p: 'z pointer. shift(p,0) = p *)
  forall p: 'z pointer [shift(p,0)]. shift(p,0) = p

axiom shift_shift :
(*   forall p:'z pointer. forall i:int. forall j:int. *)
  forall p:'z pointer. forall i:int. forall j:int [shift(shift(p,i),j)].
  shift(shift(p,i),j) = shift(p,i+j)

axiom base_addr_shift :
(*   forall p:'z pointer. forall i:int. *)
  forall p:'z pointer. forall i:int [base_addr(shift(p,i))].
  base_addr(shift(p,i)) = base_addr(p)

axiom pointer_pair_1 :
  forall p1:'z pointer. forall p2:'z pointer.
  (base_addr(p1) = base_addr(p2) and offset(p1) = offset(p2)) -> p1 = p2

axiom pointer_pair_2 :
  forall p1:'z pointer. forall p2:'z pointer.
  p1 = p2 -> (base_addr(p1) = base_addr(p2) and offset(p1) = offset(p2))

(* the following properties can be proved; here to help Simplify *)
axiom neq_base_addr_neq_shift :
  forall p1:'z pointer. forall p2: 'z pointer.
  forall i:int. forall j:int.
  base_addr(p1) <> base_addr(p2) -> shift(p1,i) <> shift(p2,j)

axiom neq_offset_neq_shift :
  forall p1: 'z pointer. forall p2: 'z pointer.
  forall i:int. forall j:int.
  offset(p1)+i <> offset(p2)+j -> shift(p1,i) <> shift(p2,j)

axiom eq_offset_eq_shift :
  forall p1:'z pointer. forall p2: 'z pointer.
  forall i:int. forall j:int.
  base_addr(p1) = base_addr(p2) -> 
	offset(p1)+i = offset(p2)+j -> shift(p1,i) = shift(p2,j)

axiom valid_index_valid_shift :
  forall p:'z pointer. forall i:int. 
  valid_index(p,i) -> valid(shift(p,i))

(* redondant avec le predecent et le suivant, mais utile *)
axiom valid_range_valid_shift :
  forall p:'z pointer. forall i:int. forall j:int. forall k:int.
  valid_range(p,i,j) -> i <= k <= j -> valid(shift(p,k))

axiom valid_range_valid :
  forall p:'z pointer. forall i:int. forall j:int. 
  valid_range(p,i,j) -> i <= 0 <= j -> valid(p)

axiom valid_range_valid_index :
  forall p:'z pointer. forall i:int. forall j:int. forall k:int.
  valid_range(p,i,j) -> i <= k <= j -> valid_index(p,k)

axiom sub_pointer_def :
  forall p1:'z pointer. forall p2:'z pointer.
  base_addr(p1) = base_addr(p2) -> sub_pointer(p1,p2) = offset(p1)-offset(p2)

parameter shift_ : p:'z pointer -> i:int -> 
  { } 'z pointer { result = shift(p,i) }

parameter sub_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } int { result = offset(p1) - offset(p2) }

parameter lt_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } bool 
  { if result then offset(p1) < offset(p2) else offset(p1) >= offset(p2) }

parameter le_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } bool 
  { if result then offset(p1) <= offset(p2) else offset(p1) > offset(p2) }

parameter gt_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } bool 
  { if result then offset(p1) > offset(p2) else offset(p1) <= offset(p2) }

parameter ge_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } bool 
  { if result then offset(p1) >= offset(p2) else offset(p1) < offset(p2) }

(* pointer access *)
logic acc: ('a,'z) memory, 'z pointer -> 'a
parameter acc_ : m: ('a,'z) memory ref -> p:'z pointer -> 
  { valid(p) }
  'a reads m
  { result = acc(m,p) }
parameter acc_offset : m: ('a,'z) memory ref -> p:'z pointer -> 
	i : int -> n : int ->
  { 0 <= i < n }
  'a reads m
  { result = acc(m,p) }
parameter safe_acc_ : m: ('a,'z) memory ref -> p:'z pointer -> 
  { }
  'a reads m
  { result = acc(m,p) }

(* pointer update *)
logic upd: ('a,'z) memory, 'z pointer, 'a -> ('a,'z) memory
parameter upd_ : m:('a,'z) memory ref -> p:'z pointer -> v:'a -> 
  { valid(p) }
  unit reads m writes m
  { m = upd(m@,p,v) }
parameter upd_offset : m:('a,'z) memory ref -> p:'z pointer -> v:'a -> i:int ->
	size:int -> 
  { 0<= i < size }
  unit reads m writes m
  { m = upd(m@,p,v) }
parameter safe_upd_ : m:('a,'z) memory ref -> p:'z pointer -> v:'a -> 
  { }
  unit reads m writes m
  { m = upd(m@,p,v) }

axiom acc_upd : 
  forall m : ('a,'z) memory. forall p : 'z pointer. forall a: 'a [acc(upd(m,p,a),p)].
    acc(upd(m,p,a),p) = a
 
axiom acc_upd_eq : 
  forall m : ('a,'z) memory. forall p1: 'z pointer. forall p2 : 'z pointer. 
  forall a: 'a [acc(upd(m,p1,a),p2)].
    p1=p2 -> acc(upd(m,p1,a),p2) = a
 
axiom acc_upd_neq : 
  forall m : ('a,'z) memory. forall p1: 'z pointer. forall p2 : 'z pointer. 
  forall a: 'a [acc(upd(m,p1,a),p2)].
    p1 <> p2 -> acc(upd(m,p1,a),p2) = acc(m,p2)

(* axiomatic definition of [arrlen] *)
axiom arrlen_shift :
  forall p: 'z pointer. forall i:int [arrlen(shift(p,i))].
  i >= 0 -> arrlen(shift(p,i)) = arrlen(p)-i

(* axiomatic definition of [strlen] *)
axiom strlen_create :
  forall m : ('a,'z) memory. forall p: 'z pointer. 
  forall i:int [strlen(upd(m,shift(p,i),0),p)].
    i >= 0 -> 0 <= strlen(upd(m,shift(p,i),0),p) <= i

axiom strlen_init :
  forall m : ('a,'z) memory. forall p: 'z pointer. 
  forall i:int [strlen(upd(m,shift(p,i),0),p)]. 
    i >= 0 and (forall j:int. 0 <= j < i -> acc(m,shift(p,j)) <> 0)
    -> strlen(upd(m,shift(p,i),0),p) = i

axiom strlen_zero :
  forall m : ('a,'z) memory. 
  forall p: 'z pointer [acc(m,shift(p,strlen(m,p)))]. 
    strlen(m,p) >= 0 -> acc(m,shift(p,strlen(m,p))) = 0

axiom strlen_not_zero :
  forall m : ('a,'z) memory. forall p: 'z pointer. 
  forall i:int [strlen(m,p),acc(m,shift(p,i))]. 
    0 <= i <= strlen(m,p) and acc(m,shift(p,i)) <> 0 -> i < strlen(m,p)

axiom strlen_shift :
  forall m : ('a,'z) memory. forall p: 'z pointer. 
  forall i:int [strlen(m,shift(p,i))].
  0 <= i -> strlen(m,shift(p,i)) = strlen(m,p)-i

axiom strlen_update_before :
  forall m : ('a,'z) memory. forall p: 'z pointer. 
  forall v:'a. forall i:int [strlen(upd(m,shift(p,i),v),p)]. 
    0 <= i < strlen(m,p) -> strlen(upd(m,shift(p,i),v),p) <= strlen(m,p)

axiom strlen_update_before_not_zero :
  forall m : ('a,'z) memory. forall p: 'z pointer. 
  forall v:'a. forall i:int [strlen(upd(m,shift(p,i),v),p)]. 
    0 <= i < strlen(m,p) and v <> 0 
      -> strlen(upd(m,shift(p,i),v),p) = strlen(m,p)

axiom strlen_update_zero :
  forall m : ('a,'z) memory. forall p: 'z pointer. 
  forall i:int [strlen(upd(m,shift(p,i),0),p)]. 
    0 <= i <= strlen(m,p) -> strlen(upd(m,shift(p,i),0),p) = i

(* axiom linking [arrlen] and [strlen] *)
axiom arrlen_strlen :
  forall m : ('a,'z) memory. forall p: 'z pointer [strlen(m,p)]. 
    strlen(m,p) >= 0 -> strlen(m,p) < arrlen(p)

(* axioms only to help automatic proof *)
axiom full_separated_strlen_upd :
  forall m : ('a,'z) memory. forall p: 'z pointer. forall q : 'z pointer.
    forall v:'z. forall i:int [strlen(upd(m,shift(p,i),v),q)]. 
      full_separated(p,q) -> strlen(upd(m,shift(p,i),v),q) = strlen(m,q)

(* exceptions *)
exception Break
exception Continue
exception Return
exception Return_int of int
exception Return_real of real
exception Return_pointer (*of 'z pointer*)

(* for Simplify *)

axiom false_not_true : false <> true

(* modeling assigns clauses 
   the type (pset) represents a set of pointers *)

type 'z pset

logic pset_empty : -> 'z pset
logic pset_singleton : 'z pointer -> 'z pset
logic pset_star : 'z pset, ('y pointer,'z) memory -> 'y pset (* *l or l->x *)

logic pset_all : 'z pset -> 'z pset (* l(..) *)
logic pset_range : 'z pset, int, int -> 'z pset (* l(a..b) *)
logic pset_range_left : 'z pset, int -> 'z pset (* l(..b) *)
logic pset_range_right : 'z pset, int -> 'z pset (* l(a..) *)

logic pset_acc_all : 'z pset, ('y pointer,'z) memory -> 'y pset (* l(..) *)
logic pset_acc_range : 'z pset, ('y pointer,'z) memory, int, int -> 'y pset (* l(a..b) *)
logic pset_acc_range_left : 'z pset, ('y pointer,'z) memory, int -> 'y pset (* l(..b) *)
logic pset_acc_range_right : 'z pset, ('y pointer,'z) memory, int -> 'y pset (* l(a..) *)

logic pset_union : 'z pset, 'z pset -> 'z pset

logic not_in_pset : 'z pointer, 'z pset -> prop (* not_in_pset(p,s) = p is not in s *)

predicate not_assigns (m1:('a,'z) memory,m2:('a,'z) memory,l:'z pset) =
 forall p:'z pointer.
    valid(p) -> not_in_pset(p,l) -> acc(m2,p)=acc(m1,p)

axiom pset_empty_intro :
  forall p:'z pointer. not_in_pset(p, pset_empty)

axiom pset_singleton_intro : 
  forall p1:'z pointer.forall p2:'z pointer [not_in_pset(p1, pset_singleton(p2))].
    p1 <> p2 -> not_in_pset(p1, pset_singleton(p2))

axiom pset_singleton_elim : 
  forall p1:'z pointer. forall p2:'z pointer [not_in_pset(p1, pset_singleton(p2))].
    not_in_pset(p1, pset_singleton(p2)) -> p1 <> p2

axiom not_not_in_singleton :
  forall p:'z pointer. not not_in_pset(p, pset_singleton(p))

axiom pset_union_intro : 
  forall l1:'z pset. forall l2:'z pset. forall p:'z pointer
	[not_in_pset(p, pset_union(l1,l2))].
     not_in_pset(p, l1) and not_in_pset(p, l2) -> 
     not_in_pset(p, pset_union(l1,l2))

axiom pset_union_elim1 : 
  forall l1:'z pset. forall l2:'z pset. forall p:'z pointer
	[not_in_pset(p, pset_union(l1,l2))].
    not_in_pset(p, pset_union(l1,l2)) -> not_in_pset(p,l1) 

axiom pset_union_elim2 : 
  forall l1:'z pset. forall l2:'z pset. forall p:'z pointer
	[not_in_pset(p, pset_union(l1,l2))].
    not_in_pset(p, pset_union(l1,l2)) -> not_in_pset(p,l2)

axiom pset_star_intro :
  forall l:'z pset. forall m:('y pointer,'z) memory. forall p:'y pointer
	[not_in_pset(p, pset_star(l, m))].
    (forall p1:'z pointer. p = acc(m,p1) -> not_in_pset(p1, l)) ->
    not_in_pset(p, pset_star(l, m))

axiom pset_star_elim :
  forall l:'z pset. forall m:('y pointer,'z) memory. forall p:'y pointer
	[not_in_pset(p, pset_star(l, m))].
    not_in_pset(p, pset_star(l, m)) ->
    (forall p1:'z pointer. p = acc(m,p1) -> not_in_pset(p1, l))

(* s(..) *)

axiom pset_all_intro :
  forall p:'z pointer. forall l:'z pset [not_in_pset(p, pset_all(l))].
    (forall p1:'z pointer. 
       (not not_in_pset(p1,l)) -> base_addr(p) <> base_addr(p1)) ->
    not_in_pset(p, pset_all(l))

axiom pset_all_elim :
  forall p:'z pointer. forall l:'z pset [not_in_pset(p, pset_all(l))].
    not_in_pset(p, pset_all(l)) ->
    (forall p1:'z pointer. 
       (not not_in_pset(p1,l)) -> base_addr(p) <> base_addr(p1))

axiom pset_range_intro :
  forall p:'z pointer. forall l:'z pset. forall a:int. forall b:int
	[not_in_pset(p, pset_range(l,a,b))].
    (forall p1:'z pointer. not_in_pset(p1, l) or
	forall i:int. (a <= i <= b) -> (p <> shift(p1,i))) -> 
    not_in_pset(p, pset_range(l,a,b))	

axiom pset_range_elim :
  forall p:'z pointer. forall l:'z pset. forall a:int. forall b:int
	[not_in_pset(p, pset_range(l,a,b))].
    not_in_pset(p, pset_range(l,a,b)) ->
      forall p1:'z pointer. (not not_in_pset(p1, l)) ->
	forall i:int. a <= i <= b -> shift(p1,i) <> p

axiom pset_range_left_intro :
  forall p:'z pointer. forall l:'z pset. forall a:int
	[not_in_pset(p, pset_range_left(l,a))].
    (forall p1:'z pointer. not_in_pset(p1, l) or
	forall i:int. (i <= a) -> (p <> shift(p1,i))) -> 
    not_in_pset(p, pset_range_left(l,a))	

axiom pset_range_left_elim :
  forall p:'z pointer. forall l:'z pset. forall a:int
	[not_in_pset(p, pset_range_left(l,a))]. 
    not_in_pset(p, pset_range_left(l,a)) ->
      forall p1:'z pointer. (not not_in_pset(p1, l)) ->
	forall i:int. i <= a -> shift(p1,i) <> p

axiom pset_range_right_intro :
  forall p:'z pointer. forall l:'z pset. forall a:int
	[not_in_pset(p, pset_range_right(l,a))].
    (forall p1:'z pointer. not_in_pset(p1, l) or
	forall i:int. (a <= i) -> (p <> shift(p1,i))) -> 
    not_in_pset(p, pset_range_right(l,a))	

axiom pset_range_right_elim :
  forall p:'z pointer. forall l:'z pset. forall a:int
	[not_in_pset(p, pset_range_right(l,a))].
    not_in_pset(p, pset_range_right(l,a)) ->
      forall p1:'z pointer. (not not_in_pset(p1, l)) ->
	forall i:int. a <= i -> shift(p1,i) <> p

(* elements of s(..) *)
axiom pset_acc_all_intro :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory
	[not_in_pset(p, pset_acc_all(l, m))].
    (forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> forall i:int. p <> acc(m, shift(p1,i))) ->
    not_in_pset(p, pset_acc_all(l, m))

axiom pset_acc_all_elim :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory
	[not_in_pset(p, pset_acc_all(l, m))].
    not_in_pset(p, pset_acc_all(l, m)) ->
    forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> forall i:int. acc(m, shift(p1,i)) <> p

axiom pset_acc_range_intro :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory. 
  forall a:int. forall b:int [not_in_pset(p, pset_acc_range(l, m, a, b))].
    (forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
      forall i:int. a <= i <= b -> p <> acc(m, shift(p1,i))) ->
    not_in_pset(p, pset_acc_range(l, m, a, b))

axiom pset_acc_range_elim :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory.
  forall a:int. forall b:int.
    not_in_pset(p, pset_acc_range(l, m, a, b)) ->
    forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
	 forall i:int. a <= i <= b -> acc(m, shift(p1,i)) <> p

axiom pset_acc_range_left_intro :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory. 
  forall a:int [not_in_pset(p, pset_acc_range_left(l, m, a))].
    (forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
      forall i:int. i <= a -> p <> acc(m, shift(p1,i))) ->
    not_in_pset(p, pset_acc_range_left(l, m, a))

axiom pset_acc_range_left_elim :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory.
  forall a:int [not_in_pset(p, pset_acc_range_left(l, m, a))].
    not_in_pset(p, pset_acc_range_left(l, m, a)) ->
    forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
	 forall i:int. i <= a -> acc(m, shift(p1,i)) <> p

axiom pset_acc_range_right_intro :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory. 
  forall a:int [not_in_pset(p, pset_acc_range_right(l, m, a))].
    (forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
      forall i:int. a <= i -> p <> acc(m, shift(p1,i))) ->
    not_in_pset(p, pset_acc_range_right(l, m, a))

axiom pset_acc_range_right_elim :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory.
  forall a:int [not_in_pset(p, pset_acc_range_right(l, m, a))].
    not_in_pset(p, pset_acc_range_right(l, m, a)) ->
    forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
	 forall i:int. a <= i -> acc(m, shift(p1,i)) <> p

(* lemmas on not_assigns *)

axiom not_assigns_trans :
  forall l:'z pset. 
  forall m1:('a,'z) memory. forall m2:('a,'z) memory. forall m3: ('a,'z) memory.
  not_assigns(m1,m2,l) -> not_assigns(m2,m3,l) -> not_assigns(m1,m3,l)

axiom not_assigns_refl :
  forall l:'z pset. 
  forall m:('a,'z) memory. not_assigns(m,m,l)

(* validity *)

predicate valid_acc(m1: ('y pointer,'z) memory) =
	forall p : 'z pointer.
	valid(p) -> valid(acc(m1, p)) 

predicate valid_acc_range (m1: ('y pointer,'z) memory, size : int) =
	forall p : 'z pointer.
	valid(p) -> valid_range (acc (m1, p), 0, size-1) 

axiom valid_acc_range_valid : 
  forall m1: ('y pointer,'z) memory.
  forall size : int. forall p : 'z pointer.
  valid_acc_range(m1,size) -> valid(p) -> valid( acc(m1,p))

(* separation *)

predicate separation1(m1:('y pointer,'z) memory, m2:('y pointer,'z) memory) =
  forall p:'z pointer.
    valid( p) -> base_addr(acc(m1, p)) <> base_addr(acc(m2, p))

predicate separation1_range1(m1:('y pointer,'z) memory,
	m2:('y pointer,'z) memory, size : int) =
	forall p : 'z pointer.
	valid(p) -> forall i : int . 0 <= i < size ->
	base_addr(acc(m1,(shift (p,i)))) <> base_addr(acc(m2, p))	

predicate separation1_range(m:('y pointer,'z) memory, size:int) =
	forall p : 'z pointer.
	valid(p) -> forall i1 : int. forall i2 : int. 
	0 <= i1 < size -> 0 <= i2 < size -> i1 <> i2 -> 
	base_addr(acc(m,(shift (p,i1)))) <> base_addr(acc(m,shift (p,i2)))  


predicate separation2(m1:('y pointer,'z) memory, m2:('y pointer,'z) memory) =
  forall p1:'z pointer. forall p2:'z pointer.
    p1 <> p2 -> base_addr(acc(m1, p1)) <> base_addr(acc(m2, p2))
	
predicate separation2_range1(m1:('y pointer,'z) memory,
	m2:('y pointer,'z) memory, size : int) =
	forall p : 'z pointer. forall q : 'z pointer.
	forall i : int . 0 <= i < size ->
	base_addr(acc(m1,(shift (p,i)))) <> base_addr(acc(m2, q))

(* memory allocation *)

logic on_heap : 'z pointer -> prop
logic on_stack : 'z pointer -> prop

parameter alloca_parameter : n:int -> 
	{ n >= 1 }
	'z pointer
	{ valid(result) and offset(result) = 0 and 	
	  arrlen(result) = n and valid_range(result,0,n-1) }

parameter malloc_parameter : n:int -> 
	{ n >= 1 }
	'z pointer
	{ valid(result) and offset(result) = 0 and 	
	  arrlen(result) = n and valid_range(result,0,n-1) }



why-2.34/lib/why/caduceus.why0000644000175000017500000006133412311670312014526 0ustar  rtusers
(* bitwise operations *)
logic bw_compl : int -> int

logic bw_and : int,int -> int

logic bw_xor : int,int -> int

logic bw_or : int,int -> int

logic lsl : int,int -> int

logic lsr : int,int -> int

parameter any_int: unit -> {} int { true }

(* pointers *)

type 'z pointer

parameter any_pointer: unit -> {} 'z pointer { true }

type 'z addr
type alloc_table

logic block_length: alloc_table, 'z pointer -> int
logic base_addr: 'z pointer -> 'z addr
logic offset: 'z pointer -> int
logic shift: 'z pointer,int -> 'z pointer
logic sub_pointer: 'z pointer, 'z pointer -> int

predicate lt_pointer(p1:'z pointer,p2: 'z pointer) =
  base_addr(p1) = base_addr(p2) and offset(p1) < offset(p2)
predicate le_pointer(p1:'z pointer,p2: 'z pointer) =
  base_addr(p1) = base_addr(p2) and offset(p1) <= offset(p2)
predicate gt_pointer(p1:'z pointer,p2: 'z pointer) =
  base_addr(p1) = base_addr(p2) and offset(p1) > offset(p2)
predicate ge_pointer(p1: 'z pointer,p2: 'z pointer) =
  base_addr(p1) = base_addr(p2) and offset(p1) >= offset(p2)

parameter eq_pointer : 
  p:'z pointer -> q: 'z pointer -> {} bool { if result then p=q else p<>q }
parameter neq_pointer : 
  p: 'z pointer -> q: 'z pointer -> {} bool { if result then p<>q else p=q }

parameter alloc : alloc_table ref

predicate valid(a:alloc_table, p: 'z pointer) = 
	0 <= offset(p)
	and offset(p) < block_length(a,p)

predicate valid_index(a:alloc_table, p: 'z pointer, i:int) =
	0 <= offset(p)+i 
	and offset(p)+i < block_length(a,p)

predicate valid_range(a:alloc_table, p: 'z pointer, i:int, j:int) =
	0 <= offset(p)+i 
	(*and i <= j*)
	and offset(p)+j < block_length(a,p)

axiom offset_shift :
(*   forall p: 'z pointer. forall i:int.  *)
  forall p: 'z pointer. forall i:int [offset(shift(p,i))]. 
  offset(shift(p,i)) = offset(p)+i

axiom shift_zero :
(*   forall p: 'z pointer. shift(p,0) = p *)
  forall p: 'z pointer [shift(p,0)]. shift(p,0) = p

axiom shift_shift :
(*   forall p:'z pointer. forall i:int. forall j:int. *)
  forall p:'z pointer. forall i:int. forall j:int [shift(shift(p,i),j)].
  shift(shift(p,i),j) = shift(p,i+j)

axiom base_addr_shift :
(*   forall p:'z pointer. forall i:int. *)
  forall p:'z pointer. forall i:int [base_addr(shift(p,i))].
  base_addr(shift(p,i)) = base_addr(p)

axiom block_length_shift :
(*   forall a:alloc_table. forall p:'z pointer. forall i:int. *)
  forall a:alloc_table. forall p:'z pointer. forall i:int [block_length(a,shift(p,i))].
  block_length(a,shift(p,i)) = block_length(a,p)

axiom base_addr_block_length :
  forall a:alloc_table. forall p1: 'z pointer. forall p2: 'z pointer.
  base_addr(p1) = base_addr(p2) -> block_length(a,p1) = block_length(a,p2)

axiom pointer_pair_1 :
  forall p1:'z pointer. forall p2:'z pointer.
  (base_addr(p1) = base_addr(p2) and offset(p1) = offset(p2)) -> p1 = p2

axiom pointer_pair_2 :
  forall p1:'z pointer. forall p2:'z pointer.
  p1 = p2 -> (base_addr(p1) = base_addr(p2) and offset(p1) = offset(p2))

(* the following properties can be proved; here to help Simplify *)
axiom neq_base_addr_neq_shift :
  forall p1:'z pointer. forall p2: 'z pointer.
  forall i:int. forall j:int.
  base_addr(p1) <> base_addr(p2) -> shift(p1,i) <> shift(p2,j)

axiom neq_offset_neq_shift :
  forall p1: 'z pointer. forall p2: 'z pointer.
  forall i:int. forall j:int.
  offset(p1)+i <> offset(p2)+j -> shift(p1,i) <> shift(p2,j)

axiom eq_offset_eq_shift :
  forall p1:'z pointer. forall p2: 'z pointer.
  forall i:int. forall j:int.
  base_addr(p1) = base_addr(p2) -> 
	offset(p1)+i = offset(p2)+j -> shift(p1,i) = shift(p2,j)

axiom valid_index_valid_shift :
  forall a:alloc_table. forall p:'z pointer. forall i:int. 
  valid_index(a,p,i) -> valid(a,shift(p,i))

(* redondant avec le predecent et le suivant, mais utile *)
axiom valid_range_valid_shift :
  forall a:alloc_table. forall p:'z pointer. forall i:int. forall j:int. forall k:int.
  valid_range(a,p,i,j) -> i <= k <= j -> valid(a,shift(p,k))

axiom valid_range_valid :
  forall a:alloc_table. forall p:'z pointer. forall i:int. forall j:int. 
  valid_range(a,p,i,j) -> i <= 0 <= j -> valid(a,p)

axiom valid_range_valid_index :
  forall a:alloc_table. forall p:'z pointer. forall i:int. forall j:int. forall k:int.
  valid_range(a,p,i,j) -> i <= k <= j -> valid_index(a,p,k)

axiom sub_pointer_def :
  forall p1:'z pointer. forall p2:'z pointer.
  base_addr(p1) = base_addr(p2) -> sub_pointer(p1,p2) = offset(p1)-offset(p2)

parameter shift_ : p:'z pointer -> i:int -> 
  { } 'z pointer { result = shift(p,i) }

parameter sub_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } int { result = offset(p1) - offset(p2) }

parameter lt_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } bool 
  { if result then offset(p1) < offset(p2) else offset(p1) >= offset(p2) }

parameter le_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } bool 
  { if result then offset(p1) <= offset(p2) else offset(p1) > offset(p2) }

parameter gt_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } bool 
  { if result then offset(p1) > offset(p2) else offset(p1) <= offset(p2) }

parameter ge_pointer_ : p1:'z pointer -> p2:'z pointer ->
  { base_addr(p1) = base_addr(p2) } bool 
  { if result then offset(p1) >= offset(p2) else offset(p1) < offset(p2) }

type ('a, 'z) memory

(* pointer access *)

logic acc: ('a,'z) memory, 'z pointer -> 'a

parameter acc_ : m: ('a,'z) memory ref -> p:'z pointer -> 
  { valid(alloc,p) }
  'a reads alloc,m
  { result = acc(m,p) }

parameter acc_offset : m: ('a,'z) memory ref -> p:'z pointer -> 
	n : int ->
  { 0 <= offset(p) < n }
  'a reads alloc,m
  { result = acc(m,p) }

parameter safe_acc_ : m: ('a,'z) memory ref -> p:'z pointer -> 
  { }
  'a reads alloc,m
  { result = acc(m,p) }

(* pointer update *)
logic upd: ('a,'z) memory, 'z pointer, 'a -> ('a,'z) memory
parameter upd_ : m:('a,'z) memory ref -> p:'z pointer -> v:'a -> 
  { valid(alloc,p) }
  unit reads alloc,m writes m
  { m = upd(m@,p,v) }
parameter upd_offset : m:('a,'z) memory ref -> p:'z pointer -> v:'a -> size:int -> 
  { 0<= offset(p) < size }
  unit reads alloc,m writes m
  { m = upd(m@,p,v) }
parameter safe_upd_ : m:('a,'z) memory ref -> p:'z pointer -> v:'a -> 
  { }
  unit reads alloc,m writes m
  { m = upd(m@,p,v) }

axiom acc_upd : 
  forall m : ('a,'z) memory. forall p : 'z pointer. forall a: 'a [acc(upd(m,p,a),p)].
    acc(upd(m,p,a),p) = a

(*
axiom acc_upd_eq : 
  forall m : ('a,'z) memory. forall p1: 'z pointer. forall p2 : 'z pointer. 
  forall a: 'a [acc(upd(m,p1,a),p2)].
    p1=p2 -> acc(upd(m,p1,a),p2) = a
*)

axiom acc_upd_neq : 
  forall m : ('a,'z) memory. forall p1: 'z pointer. forall p2 : 'z pointer. 
  forall a: 'a [acc(upd(m,p1,a),p2)].
    p1 <> p2 -> acc(upd(m,p1,a),p2) = acc(m,p2)

(* exceptions *)
exception Break
exception Continue
exception Return
exception Return_int of int
exception Return_real of real
exception Return_pointer (*of 'z pointer*)

(* for Simplify *)

axiom false_not_true : false <> true

(* modeling assigns clauses 
   the type (pset) represents a set of pointers *)

type 'z pset

logic pset_empty : -> 'z pset
logic pset_singleton : 'z pointer -> 'z pset
logic pset_star : 'z pset, ('y pointer,'z) memory -> 'y pset (* *l or l->x *)

logic pset_all : 'z pset -> 'z pset (* l(..) *)
logic pset_range : 'z pset, int, int -> 'z pset (* l(a..b) *)
logic pset_range_left : 'z pset, int -> 'z pset (* l(..b) *)
logic pset_range_right : 'z pset, int -> 'z pset (* l(a..) *)

logic pset_acc_all : 'z pset, ('y pointer,'z) memory -> 'y pset (* l(..) *)
logic pset_acc_range : 'z pset, ('y pointer,'z) memory, int, int -> 'y pset (* l(a..b) *)
logic pset_acc_range_left : 'z pset, ('y pointer,'z) memory, int -> 'y pset (* l(..b) *)
logic pset_acc_range_right : 'z pset, ('y pointer,'z) memory, int -> 'y pset (* l(a..) *)

logic pset_union : 'z pset, 'z pset -> 'z pset

logic not_in_pset : 'z pointer, 'z pset -> prop (* not_in_pset(p,s) = p is not in s *)
(*
logic in_pset : 'z pointer, 'z pset -> prop

logic subset : 'z pset, 'z pset -> prop
*)
predicate not_assigns (a:alloc_table,m1:('a,'z) memory,m2:('a,'z) memory,l:'z pset) =
 forall p:'z pointer.
    valid(a,p) -> not_in_pset(p,l) -> acc(m2,p)=acc(m1,p)

axiom pset_empty_intro :
  forall p:'z pointer. not_in_pset(p, pset_empty)

axiom pset_singleton_intro : 
  forall p1:'z pointer.forall p2:'z pointer [not_in_pset(p1, pset_singleton(p2))].
    p1 <> p2 -> not_in_pset(p1, pset_singleton(p2))

axiom pset_singleton_elim : 
  forall p1:'z pointer. forall p2:'z pointer [not_in_pset(p1, pset_singleton(p2))].
    not_in_pset(p1, pset_singleton(p2)) -> p1 <> p2

axiom not_not_in_singleton :
  forall p:'z pointer. not not_in_pset(p, pset_singleton(p))

axiom pset_union_intro : 
  forall l1:'z pset. forall l2:'z pset. forall p:'z pointer
	[not_in_pset(p, pset_union(l1,l2))].
     not_in_pset(p, l1) and not_in_pset(p, l2) -> 
     not_in_pset(p, pset_union(l1,l2))

axiom pset_union_elim1 : 
  forall l1:'z pset. forall l2:'z pset. forall p:'z pointer
	[not_in_pset(p, pset_union(l1,l2))].
    not_in_pset(p, pset_union(l1,l2)) -> not_in_pset(p,l1) 

axiom pset_union_elim2 : 
  forall l1:'z pset. forall l2:'z pset. forall p:'z pointer
	[not_in_pset(p, pset_union(l1,l2))].
    not_in_pset(p, pset_union(l1,l2)) -> not_in_pset(p,l2)

axiom pset_star_intro :
  forall l:'z pset. forall m:('y pointer,'z) memory. forall p:'y pointer
	[not_in_pset(p, pset_star(l, m))].
    (forall p1:'z pointer. p = acc(m,p1) -> not_in_pset(p1, l)) ->
    not_in_pset(p, pset_star(l, m))

axiom pset_star_elim :
  forall l:'z pset. forall m:('y pointer,'z) memory. forall p:'y pointer
	[not_in_pset(p, pset_star(l, m))].
    not_in_pset(p, pset_star(l, m)) ->
    (forall p1:'z pointer. p = acc(m,p1) -> not_in_pset(p1, l))

(* s(..) *)

axiom pset_all_intro :
  forall p:'z pointer. forall l:'z pset [not_in_pset(p, pset_all(l))].
    (forall p1:'z pointer. 
       (not not_in_pset(p1,l)) -> base_addr(p) <> base_addr(p1)) ->
    not_in_pset(p, pset_all(l))

axiom pset_all_elim :
  forall p:'z pointer. forall l:'z pset [not_in_pset(p, pset_all(l))].
    not_in_pset(p, pset_all(l)) ->
    (forall p1:'z pointer. 
       (not not_in_pset(p1,l)) -> base_addr(p) <> base_addr(p1))

axiom pset_range_intro :
  forall p:'z pointer. forall l:'z pset. forall a:int. forall b:int
	[not_in_pset(p, pset_range(l,a,b))].
    (forall p1:'z pointer. not_in_pset(p1, l) or
	forall i:int. (a <= i <= b) -> (p <> shift(p1,i))) -> 
    not_in_pset(p, pset_range(l,a,b))	

axiom pset_range_elim :
  forall p:'z pointer. forall l:'z pset. forall a:int. forall b:int
	[not_in_pset(p, pset_range(l,a,b))].
    not_in_pset(p, pset_range(l,a,b)) ->
      forall p1:'z pointer. (not not_in_pset(p1, l)) ->
	forall i:int. a <= i <= b -> shift(p1,i) <> p

axiom pset_range_left_intro :
  forall p:'z pointer. forall l:'z pset. forall a:int
	[not_in_pset(p, pset_range_left(l,a))].
    (forall p1:'z pointer. not_in_pset(p1, l) or
	forall i:int. (i <= a) -> (p <> shift(p1,i))) -> 
    not_in_pset(p, pset_range_left(l,a))	

axiom pset_range_left_elim :
  forall p:'z pointer. forall l:'z pset. forall a:int
	[not_in_pset(p, pset_range_left(l,a))]. 
    not_in_pset(p, pset_range_left(l,a)) ->
      forall p1:'z pointer. (not not_in_pset(p1, l)) ->
	forall i:int. i <= a -> shift(p1,i) <> p

axiom pset_range_right_intro :
  forall p:'z pointer. forall l:'z pset. forall a:int
	[not_in_pset(p, pset_range_right(l,a))].
    (forall p1:'z pointer. not_in_pset(p1, l) or
	forall i:int. (a <= i) -> (p <> shift(p1,i))) -> 
    not_in_pset(p, pset_range_right(l,a))	

axiom pset_range_right_elim :
  forall p:'z pointer. forall l:'z pset. forall a:int
	[not_in_pset(p, pset_range_right(l,a))].
    not_in_pset(p, pset_range_right(l,a)) ->
      forall p1:'z pointer. (not not_in_pset(p1, l)) ->
	forall i:int. a <= i -> shift(p1,i) <> p

(* elements of s(..) *)
axiom pset_acc_all_intro :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory
	[not_in_pset(p, pset_acc_all(l, m))].
    (forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> forall i:int. p <> acc(m, shift(p1,i))) ->
    not_in_pset(p, pset_acc_all(l, m))

axiom pset_acc_all_elim :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory
	[not_in_pset(p, pset_acc_all(l, m))].
    not_in_pset(p, pset_acc_all(l, m)) ->
    forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> forall i:int. acc(m, shift(p1,i)) <> p

axiom pset_acc_range_intro :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory. 
  forall a:int. forall b:int [not_in_pset(p, pset_acc_range(l, m, a, b))].
    (forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
      forall i:int. a <= i <= b -> p <> acc(m, shift(p1,i))) ->
    not_in_pset(p, pset_acc_range(l, m, a, b))

axiom pset_acc_range_elim :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory.
  forall a:int. forall b:int.
    not_in_pset(p, pset_acc_range(l, m, a, b)) ->
    forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
	 forall i:int. a <= i <= b -> acc(m, shift(p1,i)) <> p

axiom pset_acc_range_left_intro :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory. 
  forall a:int [not_in_pset(p, pset_acc_range_left(l, m, a))].
    (forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
      forall i:int. i <= a -> p <> acc(m, shift(p1,i))) ->
    not_in_pset(p, pset_acc_range_left(l, m, a))

axiom pset_acc_range_left_elim :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory.
  forall a:int [not_in_pset(p, pset_acc_range_left(l, m, a))].
    not_in_pset(p, pset_acc_range_left(l, m, a)) ->
    forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
	 forall i:int. i <= a -> acc(m, shift(p1,i)) <> p

axiom pset_acc_range_right_intro :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory. 
  forall a:int [not_in_pset(p, pset_acc_range_right(l, m, a))].
    (forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
      forall i:int. a <= i -> p <> acc(m, shift(p1,i))) ->
    not_in_pset(p, pset_acc_range_right(l, m, a))

axiom pset_acc_range_right_elim :
  forall p:'y pointer. forall l:'z pset. forall m:('y pointer,'z) memory.
  forall a:int [not_in_pset(p, pset_acc_range_right(l, m, a))].
    not_in_pset(p, pset_acc_range_right(l, m, a)) ->
    forall p1:'z pointer.
      (not not_in_pset(p1,l)) -> 
	 forall i:int. a <= i -> acc(m, shift(p1,i)) <> p

(* lemmas on not_assigns *)

axiom not_assigns_trans :
  forall a:alloc_table. forall l:'z pset. 
  forall m1:('a,'z) memory. forall m2:('a,'z) memory. forall m3: ('a,'z) memory.
  not_assigns(a,m1,m2,l) -> not_assigns(a,m2,m3,l) -> not_assigns(a,m1,m3,l)

axiom not_assigns_refl :
  forall a:alloc_table. forall l:'z pset. 
  forall m:('a,'z) memory. not_assigns(a,m,m,l)
(*
axiom not_assigns_subset : 
  forall a:alloc_table. forall l1:'z pset. forall l2:'z pset.
  forall m1:('a,'z) memory. forall m2:('a,'z) memory.
    not_assigns(a,m1,m2,l1) -> subset (l1,l2) ->  not_assigns(a,m1,m2,l2) 

axiom not_assigns_upd :
  forall a:alloc_table. forall l:'z pset. forall m1:('a,'z) memory.
  forall m2:('a,'z) memory. forall p : 'z pointer. forall v : 'a.
    m2 = upd (m1,p,v) -> in_pset (p,l) ->not_assigns(a,m1,m2,l)
*)
(* lemma for subset  

axiom subset_in_pset :
  forall l1:'z pset. forall l2:'z pset.
   (forall p : 'z pointer. in_pset(p,l1) -> in_pset(p,l2)) -> subset(l1,l2)

axiom in_pset_singleton1 :
  forall p1 : 'z pointer. forall p2 : 'z pointer.
    in_pset (p1,pset_singleton (p2)) -> p1 = p2 

axiom in_pset_singleton2 :
  forall p1 : 'z pointer. forall p2 : 'z pointer.
    p1 = p2 -> in_pset (p1,pset_singleton (p2))

axiom in_pset_union1 :
  forall l1:'z pset. forall l2:'z pset. forall p:'z pointer.
    in_pset(p,pset_union(l1,l2)) -> (in_pset(p,l1) or in_pset(p,l2))

axiom in_pset_union2 :
  forall l1:'z pset. forall l2:'z pset. forall p:'z pointer.
    (in_pset(p,l1) or in_pset(p,l2)) -> in_pset(p,pset_union(l1,l2))

axiom in_pset_star1 : 
  forall l:'z pset. forall p:'y pointer. forall m:('y pointer,'z) memory.
    in_pset(p, pset_star(l,m)) -> 
     exists y : 'z pointer. (in_pset (y,l) and p = acc(m,y))

axiom in_pset_star2 :
  forall l:'z pset. forall p:'z pointer. forall m:('y pointer,'z) memory.
    in_pset(p,l) -> in_pset(acc(m,p),pset_star(l,m))

axiom in_pset_all1 :
  forall l:'z pset. forall p:'z pointer.
    in_pset(p,pset_all(l)) -> 
      exists y : 'z1 pointer. (in_pset (y,l) and 
	exists i : int. p = shift(y,i))

axiom in_pset_all2 :
 forall l:'z pset. forall p:'z pointer.forall i : int. 
    in_pset(p,l) -> in_pset(shift(p,i),pset_all(l))

axiom in_pset_range1 :
  forall l:'z pset. forall p:'z pointer. forall a : int. forall b : int.
    in_pset(p,pset_range(l,a,b)) -> 
      exists y : 'z1 pointer. (in_pset (y,l) and 
	exists i : int. a <= i <= b -> p = shift(y,i))

axiom in_pset_range2 :
 forall l:'z pset. forall p:'z pointer. forall a : int. forall b : int.
 forall i : int.  
    a <= i <= b -> in_pset(p,l) -> in_pset(shift(p,i),pset_range(l,a,b))

axiom in_pset_range_left1 :
  forall l:'z pset. forall p:'z pointer. forall a : int. 
    in_pset(p,pset_range_left(l,a)) -> 
      exists y : 'z1 pointer. (in_pset (y,l) and 
	exists i : int. i <= a -> p = shift(y,i))

axiom in_pset_range_left2 :
 forall l:'z pset. forall p:'z pointer. forall a : int. forall b : int.
 forall i : int.  
   i <= a -> in_pset(p,l) -> in_pset(shift(p,i),pset_range_left(l,a))

axiom in_pset_range_right1 :
  forall l:'z pset. forall p:'z pointer. forall a : int. 
    in_pset(p,pset_range_right(l,a)) -> 
      exists y : 'z1 pointer. (in_pset (y,l) and 
	exists i : int. a <= i -> p = shift(y,i))

axiom in_pset_range_right2 :
 forall l:'z pset. forall p:'z pointer. forall a : int. forall b : int.
 forall i : int.  
   i <= a -> in_pset(p,l) -> in_pset(shift(p,i),pset_range_right(l,a))

axiom in_pset_acc_all1 :
  forall l:'z pset. forall p:'y pointer. forall m:('y pointer,'z) memory.
    in_pset(p,pset_acc_all(l,m)) -> 
      exists y : 'z pointer. (in_pset (y,l) and 
	exists i : int. p = acc (m,shift(y,i)))

axiom in_pset_acc_all2 :
 forall l:'z pset. forall p:'z pointer. forall i : int. 
 forall m:('a,'z) memory. 
    in_pset(p,l) -> in_pset(acc(m,shift(p,i)),pset_acc_all(l,m))

axiom in_pset_acc_range1 :
  forall l:'z pset. forall p:'y pointer. forall a : int. forall b : int.
  forall m:('y pointer,'z) memory.
    in_pset(p,pset_acc_range(l,m,a,b)) -> 
      exists y : 'z pointer. (in_pset (y,l) and 
	exists i : int. a <= i <= b -> p = acc(m,shift(y,i)))

axiom in_pset_acc_range2 :
 forall l:'z pset. forall p:'z pointer. forall a : int. forall b : int.
 forall i : int. forall m:('a,'z) memory. 
    a <= i <= b -> in_pset(p,l) -> 
	in_pset(acc(m,shift(p,i)),pset_acc_range(l,m,a,b))

axiom in_pset_acc_range_left1 :
  forall l:'z pset. forall p:'y pointer. forall a : int. 
  forall m:('y pointer,'z) memory.
    in_pset(p,pset_acc_range_left(l,m,a)) -> 
      exists y : 'z pointer. (in_pset (y,l) and 
	exists i : int. i <= a -> p = acc(m,shift(y,i)))

axiom in_pset_acc_range_left2 :
 forall l:'z pset. forall p:'z pointer. forall a : int. forall b : int.
 forall i : int. forall m:('a,'z) memory.  
   i <= a -> in_pset(p,l) -> 
	in_pset(acc(m,shift(p,i)),pset_acc_range_left(l,m,a))

axiom in_pset_acc_range_right1 :
  forall l:'z pset. forall p:'y pointer. forall a : int. 
  forall m:('y pointer,'z) memory. 
    in_pset(p,pset_acc_range_right(l,m,a)) -> 
      exists y : 'z pointer. (in_pset (y,l) and 
	exists i : int. a <= i -> p = acc(m,shift(y,i)))

axiom in_pset_acc_range_right2 :
 forall l:'z pset. forall p:'z pointer. forall a : int. forall b : int.
 forall i : int. forall m:('a,'z) memory.   
   i <= a -> in_pset(p,l) -> 
	in_pset(acc(m,shift(p,i)),pset_acc_range_right(l,m,a))
*)

(* validity *)

predicate valid_acc(m1: ('y pointer,'z) memory) =
	forall p : 'z pointer. forall a : alloc_table.
	valid(a,p) -> valid(a,acc(m1, p)) 

predicate valid_acc_range (m1: ('y pointer,'z) memory, size : int) =
	forall p : 'z pointer. forall a : alloc_table.
	valid(a,p) -> valid_range (a,acc (m1, p), 0, size-1) 

axiom valid_acc_range_valid : 
  forall m1: ('y pointer,'z) memory.
  forall size : int. forall p : 'z pointer. forall a : alloc_table.
  valid_acc_range(m1,size) -> valid(a,p) -> valid(a, acc(m1,p))

(* separation *)

predicate separation1(m1:('y pointer,'z) memory, m2:('y pointer,'z) memory) =
  forall p:'z pointer. forall a : alloc_table.
    valid(a, p) -> base_addr(acc(m1, p)) <> base_addr(acc(m2, p))

predicate separation1_range1(m1:('y pointer,'z) memory,
	m2:('y pointer,'z) memory, size : int) =
	forall p : 'z pointer.forall a : alloc_table.
	valid(a,p) -> forall i1 : int . forall i2 : int. 
	0 <= i1 < size -> 0 <= i2 < size ->
	base_addr(acc(m1,(shift (p,i1)))) <> base_addr(acc(m2, (shift (p,i2))))

predicate separation1_range(m:('y pointer,'z) memory, size:int) =
	forall p : 'z pointer.forall a : alloc_table.
	valid(a,p) -> forall i1 : int. 
	0 <= i1 < size -> 
	base_addr(acc(m,(shift (p,i1)))) <> base_addr(acc(m,p))  


predicate separation2(m1:('y pointer,'z) memory, m2:('y pointer,'z) memory) =
  forall p1:'z pointer. forall p2:'z pointer.
    p1 <> p2 -> base_addr(acc(m1, p1)) <> base_addr(acc(m2, p2))
	
predicate separation2_range1(m1:('y pointer,'z) memory,
	m2:('y pointer,'z) memory, size : int) =
	forall p : 'z pointer. forall q : 'z pointer.forall a : alloc_table.
	forall i : int . 0 <= i < size ->
	base_addr(acc(m1,(shift (p,i)))) <> base_addr(acc(m2, q))

(* memory allocation *)

logic on_heap : alloc_table, 'z pointer -> prop
logic on_stack : alloc_table, 'z pointer -> prop

(* fresh(a,p) means that the memory block of p is not allocated in a *)
logic fresh : alloc_table,'z pointer -> prop

axiom fresh_not_valid :
  forall a:alloc_table. forall p:'z pointer. 
    fresh(a,p) -> not(valid(a,p))

axiom fresh_not_valid_shift :
  forall a:alloc_table. forall p:'z pointer. 
    fresh(a,p) -> forall i:int. not(valid(a,shift(p,i)))

(***
predicate alloc_heap(a1 : alloc_table, a2 : alloc_table) =
  forall p:'z pointer. 
    block_length(a1,p) > 0 -> block_length(a1,p) = block_length(a2,p)

axiom alloc_heap_valid : 
  forall a1:alloc_table. forall a2:alloc_table.
    alloc_heap(a1,a2) -> forall p:'z pointer. valid(a1,p) -> valid(a2,p)

axiom alloc_heap_valid_range : 
  forall a1:alloc_table. forall a2:alloc_table.
    alloc_heap(a1,a2) -> 
    forall p:'z pointer. forall i:int. forall j:int.
      valid_range(a1,p,i,j) -> valid_range(a2,p,i,j)
***)

logic alloc_extends : alloc_table, alloc_table -> prop

axiom alloc_extends_valid : 
  forall a1:alloc_table. forall a2:alloc_table.
    alloc_extends(a1,a2) -> forall q:'y pointer. valid(a1,q) -> valid(a2,q)

axiom alloc_extends_valid_index : 
  forall a1:alloc_table. forall a2:alloc_table.
    alloc_extends(a1,a2) -> 
    forall q:'y pointer. forall i:int.
      valid_index(a1,q,i) -> valid_index(a2,q,i)

axiom alloc_extends_valid_range : 
  forall a1:alloc_table. forall a2:alloc_table.
    alloc_extends(a1,a2) -> 
    forall q:'y pointer. forall i:int. forall j:int.
      valid_range(a1,q,i,j) -> valid_range(a2,q,i,j)

axiom alloc_extends_refl : forall a:alloc_table. alloc_extends(a,a) 

axiom alloc_extends_trans : 
  forall a1,a2,a3:alloc_table [alloc_extends(a1,a2), alloc_extends(a2,a3)]. 
    alloc_extends(a1,a2) -> 
    alloc_extends(a2,a3) -> 
    alloc_extends(a1,a3) 

(*
logic free_heap : 'z pointer, alloc_table, alloc_table -> prop

parameter free_block : p:'z pointer -> 
	{ valid(alloc,p) and offset(p) = 0 and on_heap(alloc,p) }
	unit writes alloc
	{ free_heap(p, alloc@, alloc) }
*)

(*

  (free_stack(a1,a2,a3)) specifies the relations between states of allocation table before and after a function body is executed :

  a1 : alloc_table at beginning
  a2 : alloc_table before return: some allocations occured in (a1) both 
       on heap and on stack 
  a3 : alloc_table after return: allocations on stack between (a1) and 
       (a2) are not valid anymore

*)

logic free_stack : alloc_table, alloc_table, alloc_table -> prop

axiom free_stack_heap : 
  forall a1 : alloc_table. forall a2 : alloc_table. forall a3 : alloc_table. 
    free_stack(a1,a2,a3) -> 
      (forall p : 'z pointer. valid(a2, p) -> on_heap(a2,p) -> valid(a3, p))

axiom free_stack_stack : 
  forall a1 : alloc_table. forall a2 : alloc_table. forall a3 : alloc_table. 
     free_stack(a1,a2,a3) -> 
      (forall p : 'z pointer. valid(a1, p) -> on_stack(a1,p) -> valid(a3, p))

parameter alloca_parameter : n:int -> 
	{ n >= 0 }
	'z pointer writes alloc
	{ valid(alloc,result) and offset(result) = 0 and 	
	  block_length(alloc,result) = n and valid_range(alloc,result,0,n-1)
	  and fresh(alloc@,result) and on_stack(alloc,result) 
	  and alloc_extends (alloc@,alloc) }

parameter malloc_parameter : n:int -> 
	{ n >= 0 }
	'z pointer writes alloc
	{ valid(alloc,result) and offset(result) = 0 and 	
	  block_length(alloc,result) = n and valid_range(alloc,result,0,n-1)
	  and fresh(alloc@,result) and on_heap(alloc,result)
	  and alloc_extends (alloc@,alloc) }


(* the null pointer *)

logic null : 'z pointer

axiom null_not_valid: forall a:alloc_table. not valid(a,null)
why-2.34/lib/why/bitvector.why0000644000175000017500000000641312311670312014730 0ustar  rtusers
include "bool.why"

type bitvector (* infinite bitvector *)

logic bv_nth : bitvector,int -> bool

logic bv_length : bitvector -> int

(* constants *)

logic bv_zero: int -> bitvector

axiom bv_zero_length: 
  forall n:int. n >= 0 ->
    bv_length(bv_zero(n)) = n

axiom bv_zero_nth: 
  forall n,s:int.
    bv_nth(bv_zero(n),s) = false

logic bv_one: int -> bitvector

axiom bv_one_length: 
  forall n:int. n >= 0 ->
    bv_length(bv_one(n)) = n

axiom bv_one_nth: 
  forall n,s:int.
    bv_nth(bv_one(n),s) = true

function bv_zero32() : bitvector = bv_zero(32)
function bv_one32() : bitvector = bv_one(32)


predicate bv_eq(b1:bitvector,b2:bitvector) =
    bv_length(b1) = bv_length(b2) and
    forall n:int. 0 <= n < bv_length(b1) -> bv_nth(b1,n) = bv_nth(b2,n)

axiom bv_eq_ext :
  forall b1,b2:bitvector (* trigger [ b1 = b2 ] does not work *) . 
    bv_eq(b1,b2) -> b1 = b2

(* and, or, not *)

logic bv_and : bitvector, bitvector -> bitvector

axiom bv_and_nth:
  forall b1,b2:bitvector. forall n:int. 
    bv_nth(bv_and(b1,b2),n) = bool_and(bv_nth(b1,n),bv_nth(b2,n))

axiom bv_and_length:
  forall b1,b2:bitvector. forall n:int. 
    bv_length(b1) = n and bv_length(b2) = n ->	
    bv_length(bv_and(b1,b2)) = n 

goal test_and_1:
  let b = bv_and(bv_zero32,bv_one32) in bv_nth(b,1) = false

let test_and_2 () =
  let x3 = [ { } bitvector { 
bv_length(result) = 32 and
bv_nth(result,0) = true and
bv_nth(result,1) = true and
forall n:int. n >= 2 -> bv_nth(result,n) = false
} ]
  in
  let x1 = [ { } bitvector { 
bv_length(result) = 32 and
bv_nth(result,0) = true and
forall n:int. n >= 1 -> bv_nth(result,n) = false
} ]
  in 
  (* not proved by any prover: 
     assert { bv_and(x3,x1) = x1 }; *)
  assert { bv_eq(bv_and(x3,x1),x1) };
  (* easy from assert above and axiom bv_eq_ext: *)
  assert { bv_and(x3,x1) = x1 }; 
  void




(* shift *)

logic lsr : bitvector, int -> bitvector

axiom lsr_length:
  forall b:bitvector. forall s:int.
    bv_length(lsr(b,s)) = bv_length(b)

axiom lsr_nth_low:
  forall b:bitvector. forall n,s:int.
    n+s < bv_length(b) -> 
      bv_nth(lsr(b,s),n) = bv_nth(b,n+s)

axiom lsr_nth_high:
  forall b:bitvector. forall n,s:int.
    n+s >= bv_length(b) -> 
      bv_nth(lsr(b,s),n) = false

goal test2:
  let b = lsr(bv_one32,16) in bv_nth(b,15) = true
     
goal test3:
  let b = lsr(bv_one32,16) in bv_nth(b,16) = false
     
logic asr : bitvector, int -> bitvector

axiom asr_length:
  forall b:bitvector. forall s:int.
    bv_length(asr(b,s)) = bv_length(b)

axiom asr_nth_low:
  forall b:bitvector. forall n,s:int.
    n+s < bv_length(b) -> 
      bv_nth(asr(b,s),n) = bv_nth(b,n+s)

axiom asr_nth_high:
  forall b:bitvector. forall n,s:int.
    n+s >= bv_length(b) -> 
      bv_nth(asr(b,s),n) = bv_nth(b,bv_length(b)-1)

goal test4:
  let b = asr(bv_one32,16) in bv_nth(b,15) = true
     
goal test5:
  let b = asr(bv_one32,16) in bv_nth(b,16) = true

goal test6:
  let b = asr(lsr(bv_one32,1),16) in bv_nth(b,16) = false
     
logic lsl : bitvector, int -> bitvector

axiom lsl_length:
  forall b:bitvector. forall s:int.
    bv_length(lsl(b,s)) = bv_length(b)

axiom lsl_nth_high:
  forall b:bitvector. forall n,s:int.
    n-s >= 0 -> 
      bv_nth(lsl(b,s),n) = bv_nth(b,n-s)

axiom lsl_nth_low:
  forall b:bitvector. forall n,s:int.
    n-s < 0 -> 
      bv_nth(lsl(b,s),n) = false

why-2.34/lib/why/prelude.why0000644000175000017500000000512212311670312014363 0ustar  rtusers
(* Built-in types: unit, bool, int, real *)

(********)
(* unit *)
(********)

logic eq_unit : unit,unit -> prop
logic neq_unit : unit,unit -> prop

parameter eq_unit_ : x:unit -> y:unit -> {} bool {if result then x=y else x<>y}
parameter neq_unit_: x:unit -> y:unit -> {} bool {if result then x<>y else x=y}


(********)
(* bool *)
(********)

logic eq_bool : bool,bool -> prop
logic neq_bool : bool,bool -> prop

parameter eq_bool_ : x:bool -> y:bool -> {} bool {if result then x=y else x<>y}
parameter neq_bool_: x:bool -> y:bool -> {} bool {if result then x<>y else x=y}

(* these are needed for WP *)

parameter strict_bool_and_ : 
  b1:bool -> b2:bool ->  
  {} bool { if result then b1=true and b2=true 
                      else (b1=false or b1=true and b2=false) }

parameter strict_bool_or_ : 
  b1:bool -> b2:bool -> 
  {} bool { if result then b1=true or b1=false and b2=true 
                      else (b1=false and b2=false) }

parameter bool_not_ : 
  b:bool -> {} bool { if result then b=false else b=true }


(* non built-in are in bool.why *)

(************)
(* Integers *)
(************)

logic lt_int : int,int -> prop  (* <  *)
logic le_int : int,int -> prop  (* <= *)
logic gt_int : int,int -> prop  (* >  *)
logic ge_int : int,int -> prop  (* >= *)
logic eq_int : int,int -> prop  (* =  *)
logic neq_int : int,int -> prop (* <> *)

(* < <= > >= = and <> in programs: *)
parameter lt_int_ : x:int -> y:int -> {} bool { if result then x=y }
parameter le_int_ : x:int -> y:int -> {} bool { if result then x<=y else x>y }
parameter gt_int_ : x:int -> y:int -> {} bool { if result then x>y else x<=y }
parameter ge_int_ : x:int -> y:int -> {} bool { if result then x>=y else x y:int -> {} bool { if result then x=y else x<>y }
parameter neq_int_ : x:int -> y:int -> {} bool { if result then x<>y else x=y }

logic add_int : int,int -> int (* + *)
logic sub_int : int,int -> int (* - *)
logic mul_int : int,int -> int (* * *)
(*
logic div_int : int,int -> int (* / in logic only *)
logic mod_int : int,int -> int (* % in logic only *)
*)
logic neg_int : int -> int     (* prefix - *)

(* / and % in programs: *)
(*
parameter div_int_ : x:int -> y:int -> { y<>0 } int { result = x / y }
parameter mod_int_ : x:int -> y:int -> { y<>0 } int { result = x % y }
*)

(* Default well-founded ordering over integers *)

predicate zwf_zero(a:int, b:int) = 0 <= b and a < b

(**************)
(* references *)
(**************)

(* Built-in type constructor: 'a ref *)
(* References. := is syntactic sugar for ref_set: *)

parameter ref_set : x:'a ref -> v:'a -> {} unit writes x { x = v }

why-2.34/lib/java_api/0000755000175000017500000000000012311670312013135 5ustar  rtuserswhy-2.34/lib/java_api/java/0000755000175000017500000000000012311670312014056 5ustar  rtuserswhy-2.34/lib/java_api/java/util/0000755000175000017500000000000012311670312015033 5ustar  rtuserswhy-2.34/lib/java_api/java/util/HashMap.java0000644000175000017500000010334312311670312017223 0ustar  rtusers/*
 * @(#)HashMap.java	1.57 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.util;
import  java.io.*;

/**
 * Hash table based implementation of the Map interface.  This
 * implementation provides all of the optional map operations, and permits
 * null values and the null key.  (The HashMap
 * class is roughly equivalent to Hashtable, except that it is
 * unsynchronized and permits nulls.)  This class makes no guarantees as to
 * the order of the map; in particular, it does not guarantee that the order
 * will remain constant over time.
 *
 * 
    This implementation provides constant-time performance for the basic
 * operations (get and put), assuming the hash function
 * disperses the elements properly among the buckets.  Iteration over
 * collection views requires time proportional to the "capacity" of the
 * HashMap instance (the number of buckets) plus its size (the number
 * of key-value mappings).  Thus, it's very important not to set the initial
 * capacity too high (or the load factor too low) if iteration performance is
 * important.
 *
 * 
    An instance of HashMap has two parameters that affect its
 * performance: initial capacity and load factor.  The
 * capacity is the number of buckets in the hash table, and the initial
 * capacity is simply the capacity at the time the hash table is created.  The
 * load factor is a measure of how full the hash table is allowed to
 * get before its capacity is automatically increased.  When the number of
 * entries in the hash table exceeds the product of the load factor and the
 * current capacity, the capacity is roughly doubled by calling the
 * rehash method.
 *
 * 
    As a general rule, the default load factor (.75) offers a good tradeoff
 * between time and space costs.  Higher values decrease the space overhead
 * but increase the lookup cost (reflected in most of the operations of the
 * HashMap class, including get and put).  The
 * expected number of entries in the map and its load factor should be taken
 * into account when setting its initial capacity, so as to minimize the
 * number of rehash operations.  If the initial capacity is greater
 * than the maximum number of entries divided by the load factor, no
 * rehash operations will ever occur.
 *
 * 
    If many mappings are to be stored in a HashMap instance,
 * creating it with a sufficiently large capacity will allow the mappings to
 * be stored more efficiently than letting it perform automatic rehashing as
 * needed to grow the table.
 *
 * 
    Note that this implementation is not synchronized. If multiple
 * threads access this map concurrently, and at least one of the threads
 * modifies the map structurally, it must be synchronized externally.
 * (A structural modification is any operation that adds or deletes one or
 * more mappings; merely changing the value associated with a key that an
 * instance already contains is not a structural modification.)  This is
 * typically accomplished by synchronizing on some object that naturally
 * encapsulates the map.  If no such object exists, the map should be
 * "wrapped" using the Collections.synchronizedMap method.  This is
 * best done at creation time, to prevent accidental unsynchronized access to
 * the map: 
     Map m = Collections.synchronizedMap(new HashMap(...));
 * 
    
 *
 * 
    The iterators returned by all of this class's "collection view methods"
 * are fail-fast: if the map is structurally modified at any time after
 * the iterator is created, in any way except through the iterator's own
 * remove or add methods, the iterator will throw a
 * ConcurrentModificationException.  Thus, in the face of concurrent
 * modification, the iterator fails quickly and cleanly, rather than risking
 * arbitrary, non-deterministic behavior at an undetermined time in the
 * future.
 *
 * 
    Note that the fail-fast behavior of an iterator cannot be guaranteed
 * as it is, generally speaking, impossible to make any hard guarantees in the
 * presence of unsynchronized concurrent modification.  Fail-fast iterators
 * throw ConcurrentModificationException on a best-effort basis. 
 * Therefore, it would be wrong to write a program that depended on this
 * exception for its correctness: the fail-fast behavior of iterators
 * should be used only to detect bugs.
 *
 * 
    This class is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Doug Lea
 * @author  Josh Bloch
 * @author  Arthur van Hoff
 * @version 1.57, 01/23/03
 * @see     Object#hashCode()
 * @see     Collection
 * @see	    Map
 * @see	    TreeMap
 * @see	    Hashtable
 * @since   1.2
 */

public class HashMap extends AbstractMap implements Map, Cloneable,
    Serializable
{
    //@ model Class key_type;
    //@ model Class value_type;

    /**
     * The default initial capacity - MUST be a power of two.
     */
    static final int DEFAULT_INITIAL_CAPACITY = 16;

    /**
     * The maximum capacity, used if a higher value is implicitly specified
     * by either of the constructors with arguments.
     * MUST be a power of two <= 1<<30.
     */
    static final int MAXIMUM_CAPACITY = 1 << 30;

    /**
     * The load factor used when none specified in constructor.
     **/
    static final float DEFAULT_LOAD_FACTOR = 0.75f;

    /**
     * The table, resized as necessary. Length MUST Always be a power of two.
     */
    //KML transient Entry[] table;

    /**
     * The number of key-value mappings contained in this identity hash map.
     */
    transient int size;
  
    /**
     * The next size value at which to resize (capacity * load factor).
     * @serial
     */
    int threshold;
  
    /**
     * The load factor for the hash table.
     *
     * @serial
     */
    final float loadFactor;

    /**
     * The number of times this HashMap has been structurally modified
     * Structural modifications are those that change the number of mappings in
     * the HashMap or otherwise modify its internal structure (e.g.,
     * rehash).  This field is used to make iterators on Collection-views of
     * the HashMap fail-fast.  (See ConcurrentModificationException).
     */
    transient volatile int modCount;

    /**
     * Constructs an empty HashMap with the specified initial
     * capacity and load factor.
     *
     * @param  initialCapacity The initial capacity.
     * @param  loadFactor      The load factor.
     * @throws IllegalArgumentException if the initial capacity is negative
     *         or the load factor is nonpositive.
     */
    public HashMap(int initialCapacity, float loadFactor) {
        if (initialCapacity < 0)
            throw new IllegalArgumentException("Illegal initial capacity: " +
                                               initialCapacity);
        if (initialCapacity > MAXIMUM_CAPACITY)
            initialCapacity = MAXIMUM_CAPACITY;
        if (loadFactor <= 0 || Float.isNaN(loadFactor))
            throw new IllegalArgumentException("Illegal load factor: " +
                                               loadFactor);

        // Find a power of 2 >= initialCapacity
        int capacity = 1;
        while (capacity < initialCapacity) 
            capacity <<= 1;
    
        this.loadFactor = loadFactor;
        threshold = (int)(capacity * loadFactor);
        table = new Entry[capacity];
        init();
    }
  
    /**
     * Constructs an empty HashMap with the specified initial
     * capacity and the default load factor (0.75).
     *
     * @param  initialCapacity the initial capacity.
     * @throws IllegalArgumentException if the initial capacity is negative.
     */
    public HashMap(int initialCapacity) {
        this(initialCapacity, DEFAULT_LOAD_FACTOR);
    }

    /**
     * Constructs an empty HashMap with the default initial capacity
     * (16) and the default load factor (0.75).
     */
    public HashMap() {
        this.loadFactor = DEFAULT_LOAD_FACTOR;
        threshold = (int)(DEFAULT_INITIAL_CAPACITY * DEFAULT_LOAD_FACTOR);
        table = new Entry[DEFAULT_INITIAL_CAPACITY];
        init();
    }

    /**
     * Constructs a new HashMap with the same mappings as the
     * specified Map.  The HashMap is created with
     * default load factor (0.75) and an initial capacity sufficient to
     * hold the mappings in the specified Map.
     *
     * @param   m the map whose mappings are to be placed in this map.
     * @throws  NullPointerException if the specified map is null.
     */
    public HashMap(Map m) {
        this(Math.max((int) (m.size() / DEFAULT_LOAD_FACTOR) + 1,
                      DEFAULT_INITIAL_CAPACITY), DEFAULT_LOAD_FACTOR);
        putAllForCreate(m);
    }

    // internal utilities

    /**
     * Initialization hook for subclasses. This method is called
     * in all constructors and pseudo-constructors (clone, readObject)
     * after HashMap has been initialized but before any entries have
     * been inserted.  (In the absence of this method, readObject would
     * require explicit knowledge of subclasses.)
     */
    void init() {
    }

    /**
     * Value representing null keys inside tables.
     */
    static final Object NULL_KEY = new Object();

    /**
     * Returns internal representation for key. Use NULL_KEY if key is null.
     */
    static Object maskNull(Object key) {
        return (key == null ? NULL_KEY : key);
    }

    /**
     * Returns key represented by specified internal representation.
     */
    static Object unmaskNull(Object key) {
        return (key == NULL_KEY ? null : key);
    }

    /**
     * Returns a hash value for the specified object.  In addition to 
     * the object's own hashCode, this method applies a "supplemental
     * hash function," which defends against poor quality hash functions.
     * This is critical because HashMap uses power-of two length 
     * hash tables.
    
     *
     * The shift distances in this function were chosen as the result
     * of an automated search over the entire four-dimensional search space.
     */
    static int hash(Object x) {
        int h = x.hashCode();

        h += ~(h << 9);
        h ^=  (h >>> 14);
        h +=  (h << 4);
        h ^=  (h >>> 10);
        return h;
    }

    /** 
     * Check for equality of non-null reference x and possibly-null y. 
     */
    static boolean eq(Object x, Object y) {
        return x == y || x.equals(y);
    }

    /**
     * Returns index for hash code h. 
     */
    static int indexFor(int h, int length) {
        return h & (length-1);
    }
 
    /**
     * Returns the number of key-value mappings in this map.
     *
     * @return the number of key-value mappings in this map.
     */
    public int size() {
        return size;
    }
  
    /**
     * Returns true if this map contains no key-value mappings.
     *
     * @return true if this map contains no key-value mappings.
     */
    public boolean isEmpty() {
        return size == 0;
    }

    /**
     * Returns the value to which the specified key is mapped in this identity
     * hash map, or null if the map contains no mapping for this key.
     * A return value of null does not necessarily indicate
     * that the map contains no mapping for the key; it is also possible that
     * the map explicitly maps the key to null. The
     * containsKey method may be used to distinguish these two cases.
     *
     * @param   key the key whose associated value is to be returned.
     * @return  the value to which this map maps the specified key, or
     *          null if the map contains no mapping for this key.
     * @see #put(Object, Object)
     */
    /*@
      @ ensures \result instanceof value_type;
      @*/
    public Object get(Object key) {
        Object k = maskNull(key);
        int hash = hash(k);
        int i = indexFor(hash, table.length);
        Entry e = table[i]; 
        while (true) {
            if (e == null)
                return e;
            if (e.hash == hash && eq(k, e.key)) 
                return e.value;
            e = e.next;
        }
    }

    /**
     * Returns true if this map contains a mapping for the
     * specified key.
     *
     * @param   key   The key whose presence in this map is to be tested
     * @return true if this map contains a mapping for the specified
     * key.
     */
    public boolean containsKey(Object key) {
        Object k = maskNull(key);
        int hash = hash(k);
        int i = indexFor(hash, table.length);
        Entry e = table[i]; 
        while (e != null) {
            if (e.hash == hash && eq(k, e.key)) 
                return true;
            e = e.next;
        }
        return false;
    }

    /**
     * Returns the entry associated with the specified key in the
     * HashMap.  Returns null if the HashMap contains no mapping
     * for this key.
     */
    /*KML
    Entry getEntry(Object key) {
        Object k = maskNull(key);
        int hash = hash(k);
        int i = indexFor(hash, table.length);
        Entry e = table[i]; 
        while (e != null && !(e.hash == hash && eq(k, e.key)))
            e = e.next;
        return e;
    }
    KML*/
  
    /**
     * Associates the specified value with the specified key in this map.
     * If the map previously contained a mapping for this key, the old
     * value is replaced.
     *
     * @param key key with which the specified value is to be associated.
     * @param value value to be associated with the specified key.
     * @return previous value associated with specified key, or null
     *	       if there was no mapping for key.  A null return can
     *	       also indicate that the HashMap previously associated
     *	       null with the specified key.
     */
    public Object put(Object key, Object value) {
        Object k = maskNull(key);
        int hash = hash(k);
        int i = indexFor(hash, table.length);

        for (Entry e = table[i]; e != null; e = e.next) {
            if (e.hash == hash && eq(k, e.key)) {
                Object oldValue = e.value;
                e.value = value;
                e.recordAccess(this);
                return oldValue;
            }
        }

        modCount++;
        addEntry(hash, k, value, i);
        return null;
    }

    /**
     * This method is used instead of put by constructors and
     * pseudoconstructors (clone, readObject).  It does not resize the table,
     * check for comodification, etc.  It calls createEntry rather than
     * addEntry.
     */
    private void putForCreate(Object key, Object value) {
        Object k = maskNull(key);
        int hash = hash(k);
        int i = indexFor(hash, table.length);

        /**
         * Look for preexisting entry for key.  This will never happen for
         * clone or deserialize.  It will only happen for construction if the
         * input Map is a sorted map whose ordering is inconsistent w/ equals.
         */
        for (Entry e = table[i]; e != null; e = e.next) {
            if (e.hash == hash && eq(k, e.key)) {
                e.value = value;
                return;
            }
        }

        createEntry(hash, k, value, i);
    }

    void putAllForCreate(Map m) {
        for (Iterator i = m.entrySet().iterator(); i.hasNext(); ) {
            Map.Entry e = (Map.Entry) i.next();
            putForCreate(e.getKey(), e.getValue());
        }
    }

    /**
     * Rehashes the contents of this map into a new array with a
     * larger capacity.  This method is called automatically when the
     * number of keys in this map reaches its threshold.
     *
     * If current capacity is MAXIMUM_CAPACITY, this method does not
     * resize the map, but but sets threshold to Integer.MAX_VALUE.
     * This has the effect of preventing future calls.
     *
     * @param newCapacity the new capacity, MUST be a power of two;
     *        must be greater than current capacity unless current
     *        capacity is MAXIMUM_CAPACITY (in which case value
     *        is irrelevant).
     */
    void resize(int newCapacity) {
        Entry[] oldTable = table;
        int oldCapacity = oldTable.length;
        if (oldCapacity == MAXIMUM_CAPACITY) {
            threshold = Integer.MAX_VALUE;
            return;
        }

        Entry[] newTable = new Entry[newCapacity];
        transfer(newTable);
        table = newTable;
        threshold = (int)(newCapacity * loadFactor);
    }

    /** 
     * Transfer all entries from current table to newTable.
     */
    /*KML
      void transfer(Entry[] newTable) {
        Entry[] src = table;
        int newCapacity = newTable.length;
        for (int j = 0; j < src.length; j++) {
            Entry e = src[j];
            if (e != null) {
                src[j] = null;
                do {
                    Entry next = e.next;
                    int i = indexFor(e.hash, newCapacity);  
                    e.next = newTable[i];
                    newTable[i] = e;
                    e = next;
                } while (e != null);
            }
        }
    }
    KML*/

    /**
     * Copies all of the mappings from the specified map to this map
     * These mappings will replace any mappings that
     * this map had for any of the keys currently in the specified map.
     *
     * @param m mappings to be stored in this map.
     * @throws NullPointerException if the specified map is null.
     */
    public void putAll(Map m) {
        int numKeysToBeAdded = m.size();
        if (numKeysToBeAdded == 0)
            return;

        /*
         * Expand the map if the map if the number of mappings to be added
         * is greater than or equal to threshold.  This is conservative; the
         * obvious condition is (m.size() + size) >= threshold, but this
         * condition could result in a map with twice the appropriate capacity,
         * if the keys to be added overlap with the keys already in this map.
         * By using the conservative calculation, we subject ourself
         * to at most one extra resize.
         */
        if (numKeysToBeAdded > threshold) {
            int targetCapacity = (int)(numKeysToBeAdded / loadFactor + 1);
            if (targetCapacity > MAXIMUM_CAPACITY)
                targetCapacity = MAXIMUM_CAPACITY;
            int newCapacity = table.length;
            while (newCapacity < targetCapacity)
                newCapacity <<= 1;
            if (newCapacity > table.length)
                resize(newCapacity);
        }

        for (Iterator i = m.entrySet().iterator(); i.hasNext(); ) {
            Map.Entry e = (Map.Entry) i.next();
            put(e.getKey(), e.getValue());
        }
    }
  
    /**
     * Removes the mapping for this key from this map if present.
     *
     * @param  key key whose mapping is to be removed from the map.
     * @return previous value associated with specified key, or null
     *	       if there was no mapping for key.  A null return can
     *	       also indicate that the map previously associated null
     *	       with the specified key.
     */
    public Object remove(Object key) {
        Entry e = removeEntryForKey(key);
        return (e == null ? e : e.value);
    }

    /**
     * Removes and returns the entry associated with the specified key
     * in the HashMap.  Returns null if the HashMap contains no mapping
     * for this key.
     */
    /*KML
    Entry removeEntryForKey(Object key) {
        Object k = maskNull(key);
        int hash = hash(k);
        int i = indexFor(hash, table.length);
        Entry prev = table[i];
        Entry e = prev;

        while (e != null) {
            Entry next = e.next;
            if (e.hash == hash && eq(k, e.key)) {
                modCount++;
                size--;
                if (prev == e) 
                    table[i] = next;
                else
                    prev.next = next;
                e.recordRemoval(this);
                return e;
            }
            prev = e;
            e = next;
        }
   
        return e;
    }
    KML*/

    /**
     * Special version of remove for EntrySet.
     */
    /*KML
      Entry removeMapping(Object o) {
        if (!(o instanceof Map.Entry))
            return null;

        Map.Entry entry = (Map.Entry)o;
        Object k = maskNull(entry.getKey());
        int hash = hash(k);
        int i = indexFor(hash, table.length);
        Entry prev = table[i];
        Entry e = prev;

        while (e != null) {
            Entry next = e.next;
            if (e.hash == hash && e.equals(entry)) {
                modCount++;
                size--;
                if (prev == e) 
                    table[i] = next;
                else
                    prev.next = next;
                e.recordRemoval(this);
                return e;
            }
            prev = e;
            e = next;
        }
   
        return e;
    }
    KML*/

    /**
     * Removes all mappings from this map.
     */
    public void clear() {
        modCount++;
        Entry tab[] = table;
        for (int i = 0; i < tab.length; i++) 
            tab[i] = null;
        size = 0;
    }

    /**
     * Returns true if this map maps one or more keys to the
     * specified value.
     *
     * @param value value whose presence in this map is to be tested.
     * @return true if this map maps one or more keys to the
     *         specified value.
     */
    public boolean containsValue(Object value) {
	if (value == null) 
            return containsNullValue();

	Entry tab[] = table;
        for (int i = 0; i < tab.length ; i++)
            for (Entry e = tab[i] ; e != null ; e = e.next)
                if (value.equals(e.value))
                    return true;
	return false;
    }

    /**
     * Special-case code for containsValue with null argument
     **/
    private boolean containsNullValue() {
	Entry tab[] = table;
        for (int i = 0; i < tab.length ; i++)
            for (Entry e = tab[i] ; e != null ; e = e.next)
                if (e.value == null)
                    return true;
	return false;
    }

    /**
     * Returns a shallow copy of this HashMap instance: the keys and
     * values themselves are not cloned.
     *
     * @return a shallow copy of this map.
     */
    public Object clone() {
        HashMap result = null;
	try { 
	    result = (HashMap)super.clone();
	} catch (CloneNotSupportedException e) { 
	    // assert false;
	}
        result.table = new Entry[table.length];
        result.entrySet = null;
        result.modCount = 0;
        result.size = 0;
        result.init();
        result.putAllForCreate(this);

        return result;
    }

    static class Entry implements Map.Entry {
        final Object key;
        Object value;
        final int hash;
        Entry next;

        /**
         * Create new entry.
         */
        Entry(int h, Object k, Object v, Entry n) { 
            value = v; 
            next = n;
            key = k;
            hash = h;
        }

        public Object getKey() {
            return unmaskNull(key);
        }

        public Object getValue() {
            return value;
        }
    
        public Object setValue(Object newValue) {
            Object oldValue = value;
            value = newValue;
            return oldValue;
        }
    
        public boolean equals(Object o) {
            if (!(o instanceof Map.Entry))
                return false;
            Map.Entry e = (Map.Entry)o;
            Object k1 = getKey();
            Object k2 = e.getKey();
            if (k1 == k2 || (k1 != null && k1.equals(k2))) {
                Object v1 = getValue();
                Object v2 = e.getValue();
                if (v1 == v2 || (v1 != null && v1.equals(v2))) 
                    return true;
            }
            return false;
        }
    
        public int hashCode() {
            return (key==NULL_KEY ? 0 : key.hashCode()) ^
                   (value==null   ? 0 : value.hashCode());
        }
    
        public String toString() {
            return getKey() + "=" + getValue();
        }

        /**
         * This method is invoked whenever the value in an entry is
         * overwritten by an invocation of put(k,v) for a key k that's already
         * in the HashMap.
         */
        void recordAccess(HashMap m) {
        }

        /**
         * This method is invoked whenever the entry is
         * removed from the table.
         */
        void recordRemoval(HashMap m) {
        }
    }

    /**
     * Add a new entry with the specified key, value and hash code to
     * the specified bucket.  It is the responsibility of this 
     * method to resize the table if appropriate.
     *
     * Subclass overrides this to alter the behavior of put method.
     */
    void addEntry(int hash, Object key, Object value, int bucketIndex) {
        table[bucketIndex] = new Entry(hash, key, value, table[bucketIndex]);
        if (size++ >= threshold) 
            resize(2 * table.length);
    }

    /**
     * Like addEntry except that this version is used when creating entries
     * as part of Map construction or "pseudo-construction" (cloning,
     * deserialization).  This version needn't worry about resizing the table.
     *
     * Subclass overrides this to alter the behavior of HashMap(Map),
     * clone, and readObject.
     */
    void createEntry(int hash, Object key, Object value, int bucketIndex) {
        table[bucketIndex] = new Entry(hash, key, value, table[bucketIndex]);
        size++;
    }

    private abstract class HashIterator implements Iterator {
        Entry next;                  // next entry to return
        int expectedModCount;        // For fast-fail 
        int index;                   // current slot 
        Entry current;               // current entry

        HashIterator() {
            expectedModCount = modCount;
            Entry[] t = table;
            int i = t.length;
            Entry n = null;
            if (size != 0) { // advance to first entry
                while (i > 0 && (n = t[--i]) == null)
                    ;
            }
            next = n;
            index = i;
        }

        public boolean hasNext() {
            return next != null;
        }

        Entry nextEntry() { 
            if (modCount != expectedModCount)
                throw new ConcurrentModificationException();
            Entry e = next;
            if (e == null) 
                throw new NoSuchElementException();
                
            Entry n = e.next;
            Entry[] t = table;
            int i = index;
            while (n == null && i > 0)
                n = t[--i];
            index = i;
            next = n;
            return current = e;
        }

        public void remove() {
            if (current == null)
                throw new IllegalStateException();
            if (modCount != expectedModCount)
                throw new ConcurrentModificationException();
            Object k = current.key;
            current = null;
            HashMap.this.removeEntryForKey(k);
            expectedModCount = modCount;
        }

    }

    private class ValueIterator extends HashIterator {
        public Object next() {
            return nextEntry().value;
        }
    }

    private class KeyIterator extends HashIterator {
        public Object next() {
            return nextEntry().getKey();
        }
    }

    private class EntryIterator extends HashIterator {
        public Object next() {
            return nextEntry();
        }
    }

    // Subclass overrides these to alter behavior of views' iterator() method
    Iterator newKeyIterator()   {
        return new KeyIterator();
    }
    Iterator newValueIterator()   {
        return new ValueIterator();
    }
    Iterator newEntryIterator()   {
        return new EntryIterator();
    }


    // Views

    private transient Set entrySet = null;

    /**
     * Returns a set view of the keys contained in this map.  The set is
     * backed by the map, so changes to the map are reflected in the set, and
     * vice-versa.  The set supports element removal, which removes the
     * corresponding mapping from this map, via the Iterator.remove,
     * Set.remove, removeAll, retainAll, and
     * clear operations.  It does not support the add or
     * addAll operations.
     *
     * @return a set view of the keys contained in this map.
     */
    public Set keySet() {
        Set ks = keySet;
        return (ks != null ? ks : (keySet = new KeySet()));
    }

    private class KeySet extends AbstractSet {
        public Iterator iterator() {
            return newKeyIterator();
        }
        public int size() {
            return size;
        }
        public boolean contains(Object o) {
            return containsKey(o);
        }
        public boolean remove(Object o) {
            return HashMap.this.removeEntryForKey(o) != null;
        }
        public void clear() {
            HashMap.this.clear();
        }
    }

    /**
     * Returns a collection view of the values contained in this map.  The
     * collection is backed by the map, so changes to the map are reflected in
     * the collection, and vice-versa.  The collection supports element
     * removal, which removes the corresponding mapping from this map, via the
     * Iterator.remove, Collection.remove,
     * removeAll, retainAll, and clear operations.
     * It does not support the add or addAll operations.
     *
     * @return a collection view of the values contained in this map.
     */
    public Collection values() {
        Collection vs = values;
        return (vs != null ? vs : (values = new Values()));
    }

    private class Values extends AbstractCollection {
        public Iterator iterator() {
            return newValueIterator();
        }
        public int size() {
            return size;
        }
        public boolean contains(Object o) {
            return containsValue(o);
        }
        public void clear() {
            HashMap.this.clear();
        }
    }

    /**
     * Returns a collection view of the mappings contained in this map.  Each
     * element in the returned collection is a Map.Entry.  The
     * collection is backed by the map, so changes to the map are reflected in
     * the collection, and vice-versa.  The collection supports element
     * removal, which removes the corresponding mapping from the map, via the
     * Iterator.remove, Collection.remove,
     * removeAll, retainAll, and clear operations.
     * It does not support the add or addAll operations.
     *
     * @return a collection view of the mappings contained in this map.
     * @see Map.Entry
     */
    public Set entrySet() {
        Set es = entrySet;
        return (es != null ? es : (entrySet = new EntrySet()));
    }

    private class EntrySet extends AbstractSet {
        public Iterator iterator() {
            return newEntryIterator();
        }
        public boolean contains(Object o) {
            if (!(o instanceof Map.Entry))
                return false;
            Map.Entry e = (Map.Entry)o;
            Entry candidate = getEntry(e.getKey());
            return candidate != null && candidate.equals(e);
        }
        public boolean remove(Object o) {
            return removeMapping(o) != null;
        }
        public int size() {
            return size;
        }
        public void clear() {
            HashMap.this.clear();
        }
    }

    /**
     * Save the state of the HashMap instance to a stream (i.e.,
     * serialize it).
     *
     * @serialData The capacity of the HashMap (the length of the
     *		   bucket array) is emitted (int), followed  by the
     *		   size of the HashMap (the number of key-value
     *		   mappings), followed by the key (Object) and value (Object)
     *		   for each key-value mapping represented by the HashMap
     *             The key-value mappings are emitted in the order that they
     *             are returned by entrySet().iterator().
     * 
     */
    /*KML
    private void writeObject(java.io.ObjectOutputStream s)
        throws IOException
    {
	// Write out the threshold, loadfactor, and any hidden stuff
	s.defaultWriteObject();

	// Write out number of buckets
	s.writeInt(table.length);

	// Write out size (number of Mappings)
	s.writeInt(size);

        // Write out keys and values (alternating)
        for (Iterator i = entrySet().iterator(); i.hasNext(); ) {
            Map.Entry e = (Map.Entry) i.next();
            s.writeObject(e.getKey());
            s.writeObject(e.getValue());
        }
    }
    KML*/

    private static final long serialVersionUID = 362498820763181265L;

    /**
     * Reconstitute the HashMap instance from a stream (i.e.,
     * deserialize it).
     */
    /*KML
      private void readObject(java.io.ObjectInputStream s)
         throws IOException, ClassNotFoundException
    {
	// Read in the threshold, loadfactor, and any hidden stuff
	s.defaultReadObject();

	// Read in number of buckets and allocate the bucket array;
	int numBuckets = s.readInt();
	table = new Entry[numBuckets];

        init();  // Give subclass a chance to do its thing.

	// Read in size (number of Mappings)
	int size = s.readInt();

	// Read the keys and values, and put the mappings in the HashMap
	for (int i=0; iMap
 * interface, to minimize the effort required to implement this interface. 
    
 *
 * To implement an unmodifiable map, the programmer needs only to extend this
 * class and provide an implementation for the entrySet method, which
 * returns a set-view of the map's mappings.  Typically, the returned set
 * will, in turn, be implemented atop AbstractSet.  This set should
 * not support the add or remove methods, and its iterator
 * should not support the remove method.
    
 *
 * To implement a modifiable map, the programmer must additionally override
 * this class's put method (which otherwise throws an
 * UnsupportedOperationException), and the iterator returned by
 * entrySet().iterator() must additionally implement its
 * remove method.
    
 *
 * The programmer should generally provide a void (no argument) and map
 * constructor, as per the recommendation in the Map interface
 * specification.
    
 *
 * The documentation for each non-abstract methods in this class describes its
 * implementation in detail.  Each of these methods may be overridden if the
 * map being implemented admits a more efficient implementation.
    
 *
 * This class is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Josh Bloch
 * @version 1.34, 01/23/03
 * @see Map
 * @see Collection
 * @since 1.2
 */

public abstract class AbstractMap implements Map {
    /**
     * Sole constructor.  (For invocation by subclass constructors, typically
     * implicit.)
     */
    protected AbstractMap() {
    }

    // Query Operations

    /**
     * Returns the number of key-value mappings in this map.  If the map
     * contains more than Integer.MAX_VALUE elements, returns
     * Integer.MAX_VALUE.
    
     *
     * This implementation returns entrySet().size().
     *
     * @return the number of key-value mappings in this map.
     */
    public int size() {
	return entrySet().size();
    }

    /**
     * Returns true if this map contains no key-value mappings. 
    
     *
     * This implementation returns size() == 0.
     *
     * @return true if this map contains no key-value mappings.
     */
    public boolean isEmpty() {
	return size() == 0;
    }

    /**
     * Returns true if this map maps one or more keys to this value.
     * More formally, returns true if and only if this map contains
     * at least one mapping to a value v such that (value==null ?
     * v==null : value.equals(v)).  This operation will probably require
     * time linear in the map size for most implementations of map.
    
     *
     * This implementation iterates over entrySet() searching for an entry
     * with the specified value.  If such an entry is found, true is
     * returned.  If the iteration terminates without finding such an entry,
     * false is returned.  Note that this implementation requires
     * linear time in the size of the map.
     *
     * @param value value whose presence in this map is to be tested.
     * 
     * @return true if this map maps one or more keys to this value.
     */
    public boolean containsValue(Object value) {
	Iterator i = entrySet().iterator();
	if (value==null) {
	    while (i.hasNext()) {
		Entry e = (Entry) i.next();
		if (e.getValue()==null)
		    return true;
	    }
	} else {
	    while (i.hasNext()) {
		Entry e = (Entry) i.next();
		if (value.equals(e.getValue()))
		    return true;
	    }
	}
	return false;
    }

    /**
     * Returns true if this map contains a mapping for the specified
     * key. 
    
     *
     * This implementation iterates over entrySet() searching for an
     * entry with the specified key.  If such an entry is found, true
     * is returned.  If the iteration terminates without finding such an
     * entry, false is returned.  Note that this implementation
     * requires linear time in the size of the map; many implementations will
     * override this method.
     *
     * @param key key whose presence in this map is to be tested.
     * @return true if this map contains a mapping for the specified
     *            key.
     * 
     * @throws NullPointerException key is null and this map does not
     *            not permit null keys.
     */
    public boolean containsKey(Object key) {
	Iterator i = entrySet().iterator();
	if (key==null) {
	    while (i.hasNext()) {
		Entry e = (Entry) i.next();
		if (e.getKey()==null)
		    return true;
	    }
	} else {
	    while (i.hasNext()) {
		Entry e = (Entry) i.next();
		if (key.equals(e.getKey()))
		    return true;
	    }
	}
	return false;
    }

    /**
     * Returns the value to which this map maps the specified key.  Returns
     * null if the map contains no mapping for this key.  A return
     * value of null does not necessarily indicate that the
     * map contains no mapping for the key; it's also possible that the map
     * explicitly maps the key to null.  The containsKey operation
     * may be used to distinguish these two cases. 
    
     *
     * This implementation iterates over entrySet() searching for an
     * entry with the specified key.  If such an entry is found, the entry's
     * value is returned.  If the iteration terminates without finding such an
     * entry, null is returned.  Note that this implementation
     * requires linear time in the size of the map; many implementations will
     * override this method.
     *
     * @param key key whose associated value is to be returned.
     * @return the value to which this map maps the specified key.
     * 
     * @throws NullPointerException if the key is null and this map
     *		  does not not permit null keys.
     * 
     * @see #containsKey(Object)
     */
    public Object get(Object key) {
	Iterator i = entrySet().iterator();
	if (key==null) {
	    while (i.hasNext()) {
		Entry e = (Entry) i.next();
		if (e.getKey()==null)
		    return e.getValue();
	    }
	} else {
	    while (i.hasNext()) {
		Entry e = (Entry) i.next();
		if (key.equals(e.getKey()))
		    return e.getValue();
	    }
	}
	return null;
    }


    // Modification Operations

    /**
     * Associates the specified value with the specified key in this map
     * (optional operation).  If the map previously contained a mapping for
     * this key, the old value is replaced.
    
     *
     * This implementation always throws an
     * UnsupportedOperationException.
     *
     * @param key key with which the specified value is to be associated.
     * @param value value to be associated with the specified key.
     * 
     * @return previous value associated with specified key, or null
     *	       if there was no mapping for key.  (A null return can
     *	       also indicate that the map previously associated null
     *	       with the specified key, if the implementation supports
     *	       null values.)
     * 
     * @throws UnsupportedOperationException if the put operation is
     *	          not supported by this map.
     * 
     * @throws ClassCastException if the class of the specified key or value
     * 	          prevents it from being stored in this map.
     * 
     * @throws IllegalArgumentException if some aspect of this key or value *
     *            prevents it from being stored in this map.
     * 
     * @throws NullPointerException this map does not permit null
     *            keys or values, and the specified key or value is
     *            null.
     */
    public Object put(Object key, Object value) {
	throw new UnsupportedOperationException();
    }

    /**
     * Removes the mapping for this key from this map if present (optional
     * operation). 
    
     *
     * This implementation iterates over entrySet() searching for an
     * entry with the specified key.  If such an entry is found, its value is
     * obtained with its getValue operation, the entry is is removed
     * from the Collection (and the backing map) with the iterator's
     * remove operation, and the saved value is returned.  If the
     * iteration terminates without finding such an entry, null is
     * returned.  Note that this implementation requires linear time in the
     * size of the map; many implementations will override this method.
    
     *
     * Note that this implementation throws an
     * UnsupportedOperationException if the entrySet iterator
     * does not support the remove method and this map contains a
     * mapping for the specified key.
     *
     * @param key key whose mapping is to be removed from the map.
     * @return previous value associated with specified key, or null
     *	       if there was no entry for key.  (A null return can
     *	       also indicate that the map previously associated null
     *	       with the specified key, if the implementation supports
     *	       null values.)
     * @throws UnsupportedOperationException if the remove operation
     * 		  is not supported by this map.
     */
    public Object remove(Object key) {
	Iterator i = entrySet().iterator();
	Entry correctEntry = null;
	if (key==null) {
	    while (correctEntry==null && i.hasNext()) {
		Entry e = (Entry) i.next();
		if (e.getKey()==null)
		    correctEntry = e;
	    }
	} else {
	    while (correctEntry==null && i.hasNext()) {
		Entry e = (Entry) i.next();
		if (key.equals(e.getKey()))
		    correctEntry = e;
	    }
	}

	Object oldValue = null;
	if (correctEntry !=null) {
	    oldValue = correctEntry.getValue();
	    i.remove();
	}
	return oldValue;
    }


    // Bulk Operations

    /**
     * Copies all of the mappings from the specified map to this map
     * (optional operation).  These mappings will replace any mappings that
     * this map had for any of the keys currently in the specified map.
    
     *
     * This implementation iterates over the specified map's
     * entrySet() collection, and calls this map's put
     * operation once for each entry returned by the iteration.
    
     *
     * Note that this implementation throws an
     * UnsupportedOperationException if this map does not support
     * the put operation and the specified map is nonempty.
     *
     * @param t mappings to be stored in this map.
     * 
     * @throws UnsupportedOperationException if the putAll operation
     * 		  is not supported by this map.
     * 
     * @throws ClassCastException if the class of a key or value in the
     * 	          specified map prevents it from being stored in this map.
     * 
     * @throws IllegalArgumentException if some aspect of a key or value in
     *	          the specified map prevents it from being stored in this map.
     * @throws NullPointerException the specified map is null, or if
     *         this map does not permit null keys or values, and the
     *         specified map contains null keys or values.
     */
    public void putAll(Map t) {
	Iterator i = t.entrySet().iterator();
	while (i.hasNext()) {
	    Entry e = (Entry) i.next();
	    put(e.getKey(), e.getValue());
	}
    }

    /**
     * Removes all mappings from this map (optional operation). 
    
     *
     * This implementation calls entrySet().clear().
     *
     * Note that this implementation throws an
     * UnsupportedOperationException if the entrySet
     * does not support the clear operation.
     *
     * @throws    UnsupportedOperationException clear is not supported
     * 		  by this map.
     */
    public void clear() {
	entrySet().clear();
    }


    // Views

    /**
     * Each of these fields are initialized to contain an instance of the
     * appropriate view the first time this view is requested.  The views are
     * stateless, so there's no reason to create more than one of each.
     */
    transient volatile Set        keySet = null;
    transient volatile Collection values = null;

    /**
     * Returns a Set view of the keys contained in this map.  The Set is
     * backed by the map, so changes to the map are reflected in the Set,
     * and vice-versa.  (If the map is modified while an iteration over
     * the Set is in progress, the results of the iteration are undefined.)
     * The Set supports element removal, which removes the corresponding entry
     * from the map, via the Iterator.remove, Set.remove,  removeAll
     * retainAll, and clear operations.  It does not support the add or
     * addAll operations.
    
     *
     * This implementation returns a Set that subclasses
     * AbstractSet.  The subclass's iterator method returns a "wrapper
     * object" over this map's entrySet() iterator.  The size method delegates
     * to this map's size method and the contains method delegates to this
     * map's containsKey method.
    
     *
     * The Set is created the first time this method is called,
     * and returned in response to all subsequent calls.  No synchronization
     * is performed, so there is a slight chance that multiple calls to this
     * method will not all return the same Set.
     *
     * @return a Set view of the keys contained in this map.
     */
    public Set keySet() {
	if (keySet == null) {
	    keySet = new AbstractSet() {
		public Iterator iterator() {
		    return new Iterator() {
			private Iterator i = entrySet().iterator();

			public boolean hasNext() {
			    return i.hasNext();
			}

			public Object next() {
			    return ((Entry)i.next()).getKey();
			}

			public void remove() {
			    i.remove();
			}
                    };
		}

		public int size() {
		    return AbstractMap.this.size();
		}

		public boolean contains(Object k) {
		    return AbstractMap.this.containsKey(k);
		}
	    };
	}
	return keySet;
    }

    /**
     * Returns a collection view of the values contained in this map.  The
     * collection is backed by the map, so changes to the map are reflected in
     * the collection, and vice-versa.  (If the map is modified while an
     * iteration over the collection is in progress, the results of the
     * iteration are undefined.)  The collection supports element removal,
     * which removes the corresponding entry from the map, via the
     * Iterator.remove, Collection.remove,
     * removeAll, retainAll and clear operations.
     * It does not support the add or addAll operations.
    
     *
     * This implementation returns a collection that subclasses abstract
     * collection.  The subclass's iterator method returns a "wrapper object"
     * over this map's entrySet() iterator.  The size method
     * delegates to this map's size method and the contains method delegates
     * to this map's containsValue method.
    
     *
     * The collection is created the first time this method is called, and
     * returned in response to all subsequent calls.  No synchronization is
     * performed, so there is a slight chance that multiple calls to this
     * method will not all return the same Collection.
     *
     * @return a collection view of the values contained in this map.
     */
    public Collection values() {
	if (values == null) {
	    values = new AbstractCollection() {
		public Iterator iterator() {
		    return new Iterator() {
			private Iterator i = entrySet().iterator();

			public boolean hasNext() {
			    return i.hasNext();
			}

			public Object next() {
			    return ((Entry)i.next()).getValue();
			}

			public void remove() {
			    i.remove();
			}
                    };
                }

		public int size() {
		    return AbstractMap.this.size();
		}

		public boolean contains(Object v) {
		    return AbstractMap.this.containsValue(v);
		}
	    };
	}
	return values;
    }

    /**
     * Returns a set view of the mappings contained in this map.  Each element
     * in this set is a Map.Entry.  The set is backed by the map, so changes
     * to the map are reflected in the set, and vice-versa.  (If the map is
     * modified while an iteration over the set is in progress, the results of
     * the iteration are undefined.)  The set supports element removal, which
     * removes the corresponding entry from the map, via the
     * Iterator.remove, Set.remove, removeAll,
     * retainAll and clear operations.  It does not support
     * the add or addAll operations.
     *
     * @return a set view of the mappings contained in this map.
     */
    public abstract Set entrySet();


    // Comparison and hashing

    /**
     * Compares the specified object with this map for equality.  Returns
     * true if the given object is also a map and the two maps
     * represent the same mappings.  More formally, two maps t1 and
     * t2 represent the same mappings if
     * t1.keySet().equals(t2.keySet()) and for every key k
     * in t1.keySet(),  (t1.get(k)==null ? t2.get(k)==null :
     * t1.get(k).equals(t2.get(k))) .  This ensures that the
     * equals method works properly across different implementations
     * of the map interface.
    
     *
     * This implementation first checks if the specified object is this map;
     * if so it returns true.  Then, it checks if the specified
     * object is a map whose size is identical to the size of this set; if
     * not, it it returns false.  If so, it iterates over this map's
     * entrySet collection, and checks that the specified map
     * contains each mapping that this map contains.  If the specified map
     * fails to contain such a mapping, false is returned.  If the
     * iteration completes, true is returned.
     *
     * @param o object to be compared for equality with this map.
     * @return true if the specified object is equal to this map.
     */
    public boolean equals(Object o) {
	if (o == this)
	    return true;

	if (!(o instanceof Map))
	    return false;
	Map t = (Map) o;
	if (t.size() != size())
	    return false;

        try {
            Iterator i = entrySet().iterator();
            while (i.hasNext()) {
                Entry e = (Entry) i.next();
                Object key = e.getKey();
                Object value = e.getValue();
                if (value == null) {
                    if (!(t.get(key)==null && t.containsKey(key)))
                        return false;
                } else {
                    if (!value.equals(t.get(key)))
                        return false;
                }
            }
        } catch(ClassCastException unused)   {
            return false;
        } catch(NullPointerException unused) {
            return false;
        }

	return true;
    }

    /**
     * Returns the hash code value for this map.  The hash code of a map is
     * defined to be the sum of the hash codes of each entry in the map's
     * entrySet() view.  This ensures that t1.equals(t2)
     * implies that t1.hashCode()==t2.hashCode() for any two maps
     * t1 and t2, as required by the general contract of
     * Object.hashCode.
    
     *
     * This implementation iterates over entrySet(), calling
     * hashCode on each element (entry) in the Collection, and adding
     * up the results.
     *
     * @return the hash code value for this map.
     * @see Map.Entry#hashCode()
     * @see Object#hashCode()
     * @see Object#equals(Object)
     * @see Set#equals(Object)
     */
    public int hashCode() {
	int h = 0;
	Iterator i = entrySet().iterator();
	while (i.hasNext())
	    h += i.next().hashCode();
	return h;
    }

    /**
     * Returns a string representation of this map.  The string representation
     * consists of a list of key-value mappings in the order returned by the
     * map's entrySet view's iterator, enclosed in braces
     * ("{}").  Adjacent mappings are separated by the characters
     * ", " (comma and space).  Each key-value mapping is rendered as
     * the key followed by an equals sign ("=") followed by the
     * associated value.  Keys and values are converted to strings as by
     * String.valueOf(Object).
    
     *
     * This implementation creates an empty string buffer, appends a left
     * brace, and iterates over the map's entrySet view, appending
     * the string representation of each map.entry in turn.  After
     * appending each entry except the last, the string ", " is
     * appended.  Finally a right brace is appended.  A string is obtained
     * from the stringbuffer, and returned.
     *
     * @return a String representation of this map.
     */
    public String toString() {
	StringBuffer buf = new StringBuffer();
	buf.append("{");

	Iterator i = entrySet().iterator();
        boolean hasNext = i.hasNext();
        while (hasNext) {
	    Entry e = (Entry) (i.next());
            Object key = e.getKey();
            Object value = e.getValue();
            buf.append((key == this ?  "(this Map)" : key) + "=" + 
                       (value == this ? "(this Map)": value));

            hasNext = i.hasNext();
            if (hasNext)
                buf.append(", ");
        }

	buf.append("}");
	return buf.toString();
    }
    
    /**
     * Returns a shallow copy of this AbstractMap instance: the keys
     * and values themselves are not cloned.
     *
     * @return a shallow copy of this map.
     */
    protected Object clone() throws CloneNotSupportedException {
        AbstractMap result = (AbstractMap)super.clone();
        result.keySet = null;
        result.values = null;
        return result;
    }

    /**
     * This should be made public as soon as possible.  It greately simplifies
     * the task of implementing Map.
     */
    static class SimpleEntry implements Entry {
	Object key;
	Object value;

	public SimpleEntry(Object key, Object value) {
	    this.key   = key;
            this.value = value;
	}

	public SimpleEntry(Map.Entry e) {
	    this.key   = e.getKey();
            this.value = e.getValue();
	}

	public Object getKey() {
	    return key;
	}

	public Object getValue() {
	    return value;
	}

	public Object setValue(Object value) {
	    Object oldValue = this.value;
	    this.value = value;
	    return oldValue;
	}

	public boolean equals(Object o) {
	    if (!(o instanceof Map.Entry))
		return false;
	    Map.Entry e = (Map.Entry)o;
	    return eq(key, e.getKey()) &&  eq(value, e.getValue());
	}

	public int hashCode() {
	    Object v;
	    return ((key   == null)   ? 0 :   key.hashCode()) ^
		   ((value == null)   ? 0 : value.hashCode());
	}

	public String toString() {
	    return key + "=" + value;
	}

        private static boolean eq(Object o1, Object o2) {
            return (o1 == null ? o2 == null : o1.equals(o2));
        }
    }
}
why-2.34/lib/java_api/java/util/Set.java0000644000175000017500000003450612311670312016441 0ustar  rtusers/*
 * @(#)Set.java	1.29 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.util;

/**
 * A collection that contains no duplicate elements.  More formally, sets
 * contain no pair of elements e1 and e2 such that
 * e1.equals(e2), and at most one null element.  As implied by
 * its name, this interface models the mathematical set abstraction.
    
 *
 * The Set interface places additional stipulations, beyond those
 * inherited from the Collection interface, on the contracts of all
 * constructors and on the contracts of the add, equals and
 * hashCode methods.  Declarations for other inherited methods are
 * also included here for convenience.  (The specifications accompanying these
 * declarations have been tailored to the Set interface, but they do
 * not contain any additional stipulations.)
    
 *
 * The additional stipulation on constructors is, not surprisingly,
 * that all constructors must create a set that contains no duplicate elements
 * (as defined above).
    
 *
 * Note: Great care must be exercised if mutable objects are used as set
 * elements.  The behavior of a set is not specified if the value of an object
 * is changed in a manner that affects equals comparisons while the object is
 * an element in the set.  A special case of this prohibition is that it is
 * not permissible for a set to contain itself as an element.
 *
 * 
    Some set implementations have restrictions on the elements that
 * they may contain.  For example, some implementations prohibit null elements,
 * and some have restrictions on the types of their elements.  Attempting to
 * add an ineligible element throws an unchecked exception, typically
 * NullPointerException or ClassCastException.  Attempting
 * to query the presence of an ineligible element may throw an exception,
 * or it may simply return false; some implementations will exhibit the former
 * behavior and some will exhibit the latter.  More generally, attempting an
 * operation on an ineligible element whose completion would not result in
 * the insertion of an ineligible element into the set may throw an
 * exception or it may succeed, at the option of the implementation.
 * Such exceptions are marked as "optional" in the specification for this
 * interface. 
 *
 * 
    This interface is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Josh Bloch
 * @version 1.29, 01/23/03
 * @see Collection
 * @see List
 * @see SortedSet
 * @see HashSet
 * @see TreeSet
 * @see AbstractSet
 * @see Collections#singleton(java.lang.Object)
 * @see Collections#EMPTY_SET
 * @since 1.2
 */

public interface Set extends Collection {
    // Query Operations

    /**
     * Returns the number of elements in this set (its cardinality).  If this
     * set contains more than Integer.MAX_VALUE elements, returns
     * Integer.MAX_VALUE.
     *
     * @return the number of elements in this set (its cardinality).
     */
    int size();

    /**
     * Returns true if this set contains no elements.
     *
     * @return true if this set contains no elements.
     */
    boolean isEmpty();

    /**
     * Returns true if this set contains the specified element.  More
     * formally, returns true if and only if this set contains an
     * element e such that (o==null ? e==null :
     * o.equals(e)).
     *
     * @param o element whose presence in this set is to be tested.
     * @return true if this set contains the specified element.
     * @throws ClassCastException if the type of the specified element
     * 	       is incompatible with this set (optional).
     * @throws NullPointerException if the specified element is null and this
     *         set does not support null elements (optional).
     */
    boolean contains(Object o);

    /**
     * Returns an iterator over the elements in this set.  The elements are
     * returned in no particular order (unless this set is an instance of some
     * class that provides a guarantee).
     *
     * @return an iterator over the elements in this set.
     */
    Iterator iterator();

    /**
     * Returns an array containing all of the elements in this set.
     * Obeys the general contract of the Collection.toArray method.
     *
     * @return an array containing all of the elements in this set.
     */
    Object[] toArray();

    /**
     * Returns an array containing all of the elements in this set; the 
     * runtime type of the returned array is that of the specified array. 
     * Obeys the general contract of the 
     * Collection.toArray(Object[]) method.
     *
     * @param a the array into which the elements of this set are to
     *		be stored, if it is big enough; otherwise, a new array of the
     * 		same runtime type is allocated for this purpose.
     * @return an array containing the elements of this set.
     * @throws    ArrayStoreException the runtime type of a is not a supertype
     *            of the runtime type of every element in this set.
     * @throws NullPointerException if the specified array is null.
     */
    Object[] toArray(Object a[]);


    // Modification Operations

    /**
     * Adds the specified element to this set if it is not already present
     * (optional operation).  More formally, adds the specified element,
     * o, to this set if this set contains no element
     * e such that (o==null ? e==null :
     * o.equals(e)).  If this set already contains the specified
     * element, the call leaves this set unchanged and returns false.
     * In combination with the restriction on constructors, this ensures that
     * sets never contain duplicate elements.
    
     *
     * The stipulation above does not imply that sets must accept all
     * elements; sets may refuse to add any particular element, including
     * null, and throwing an exception, as described in the
     * specification for Collection.add.  Individual set
     * implementations should clearly document any restrictions on the the
     * elements that they may contain.
     *
     * @param o element to be added to this set.
     * @return true if this set did not already contain the specified
     *         element.
     * 
     * @throws UnsupportedOperationException if the add method is not
     * 	       supported by this set.
     * @throws ClassCastException if the class of the specified element
     * 	       prevents it from being added to this set.
     * @throws NullPointerException if the specified element is null and this
     *         set does not support null elements.
     * @throws IllegalArgumentException if some aspect of the specified element
     *         prevents it from being added to this set.
     */
    boolean add(Object o);


    /**
     * Removes the specified element from this set if it is present (optional
     * operation).  More formally, removes an element e such that
     * (o==null ?  e==null : o.equals(e)), if the set contains
     * such an element.  Returns true if the set contained the
     * specified element (or equivalently, if the set changed as a result of
     * the call).  (The set will not contain the specified element once the
     * call returns.)
     *
     * @param o object to be removed from this set, if present.
     * @return true if the set contained the specified element.
     * @throws ClassCastException if the type of the specified element
     * 	       is incompatible with this set (optional).
     * @throws NullPointerException if the specified element is null and this
     *         set does not support null elements (optional).
     * @throws UnsupportedOperationException if the remove method is
     *         not supported by this set.
     */
    boolean remove(Object o);


    // Bulk Operations

    /**
     * Returns true if this set contains all of the elements of the
     * specified collection.  If the specified collection is also a set, this
     * method returns true if it is a subset of this set.
     *
     * @param  c collection to be checked for containment in this set.
     * @return true if this set contains all of the elements of the
     * 	       specified collection.
     * @throws ClassCastException if the types of one or more elements
     *         in the specified collection are incompatible with this
     *         set (optional).
     * @throws NullPointerException if the specified collection contains one
     *         or more null elements and this set does not support null
     *         elements (optional).
     * @throws NullPointerException if the specified collection is
     *         null.
     * @see    #contains(Object)
     */
    boolean containsAll(Collection c);

    /**
     * Adds all of the elements in the specified collection to this set if
     * they're not already present (optional operation).  If the specified
     * collection is also a set, the addAll operation effectively
     * modifies this set so that its value is the union of the two
     * sets.  The behavior of this operation is unspecified if the specified
     * collection is modified while the operation is in progress.
     *
     * @param c collection whose elements are to be added to this set.
     * @return true if this set changed as a result of the call.
     * 
     * @throws UnsupportedOperationException if the addAll method is
     * 		  not supported by this set.
     * @throws ClassCastException if the class of some element of the
     * 		  specified collection prevents it from being added to this
     * 		  set.
     * @throws NullPointerException if the specified collection contains one
     *           or more null elements and this set does not support null
     *           elements, or if the specified collection is null.
     * @throws IllegalArgumentException if some aspect of some element of the
     *		  specified collection prevents it from being added to this
     *		  set.
     * @see #add(Object)
     */
    boolean addAll(Collection c);

    /**
     * Retains only the elements in this set that are contained in the
     * specified collection (optional operation).  In other words, removes
     * from this set all of its elements that are not contained in the
     * specified collection.  If the specified collection is also a set, this
     * operation effectively modifies this set so that its value is the
     * intersection of the two sets.
     *
     * @param c collection that defines which elements this set will retain.
     * @return true if this collection changed as a result of the
     *         call.
     * @throws UnsupportedOperationException if the retainAll method
     * 		  is not supported by this Collection.
     * @throws ClassCastException if the types of one or more elements in this
     *            set are incompatible with the specified collection
     *            (optional).
     * @throws NullPointerException if this set contains a null element and
     *            the specified collection does not support null elements
     *            (optional). 
     * @throws NullPointerException if the specified collection is
     *           null.
     * @see #remove(Object)
     */
    boolean retainAll(Collection c);


    /**
     * Removes from this set all of its elements that are contained in the
     * specified collection (optional operation).  If the specified
     * collection is also a set, this operation effectively modifies this
     * set so that its value is the asymmetric set difference of
     * the two sets.
     *
     * @param  c collection that defines which elements will be removed from
     *           this set.
     * @return true if this set changed as a result of the call.
     * 
     * @throws UnsupportedOperationException if the removeAll
     * 		  method is not supported by this Collection.
     * @throws ClassCastException if the types of one or more elements in this
     *            set are incompatible with the specified collection
     *            (optional).
     * @throws NullPointerException if this set contains a null element and
     *            the specified collection does not support null elements
     *            (optional). 
     * @throws NullPointerException if the specified collection is
     *           null.
     * @see    #remove(Object)
     */
    boolean removeAll(Collection c);

    /**
     * Removes all of the elements from this set (optional operation).
     * This set will be empty after this call returns (unless it throws an
     * exception).
     *
     * @throws UnsupportedOperationException if the clear method
     * 		  is not supported by this set.
     */
    void clear();


    // Comparison and hashing

    /**
     * Compares the specified object with this set for equality.  Returns
     * true if the specified object is also a set, the two sets
     * have the same size, and every member of the specified set is
     * contained in this set (or equivalently, every member of this set is
     * contained in the specified set).  This definition ensures that the
     * equals method works properly across different implementations of the
     * set interface.
     *
     * @param o Object to be compared for equality with this set.
     * @return true if the specified Object is equal to this set.
     */
    boolean equals(Object o);

    /**
     * 
     * Returns the hash code value for this set.  The hash code of a set is
     * defined to be the sum of the hash codes of the elements in the set,
     * where the hashcode of a null element is defined to be zero.
     * This ensures that s1.equals(s2) implies that
     * s1.hashCode()==s2.hashCode() for any two sets
     * s1 and s2, as required by the general
     * contract of the Object.hashCode method.
     *
     * @return the hash code value for this set.
     * @see Object#hashCode()
     * @see Object#equals(Object)
     * @see Set#equals(Object)
     */
    int hashCode();
}
why-2.34/lib/java_api/java/util/HashMapIntegerLong.java0000644000175000017500000000142112311670312021353 0ustar  rtusers
package java.util;

class HashMapIntegerLong {

    //@ model mappings hashmap_model;


    /*@ ensures this.hashmap_model == empty_mappings();
      @*/
    HashMapIntegerLong();

    /*@ requires x != null;
      @ assigns hashmap_model;
      @ ensures 
      @   this.hashmap_model == update(\old(this.hashmap_model),x,y);
      @*/
    void put(Integer x, Long y);

    /*@ requires x != null;
      @ assigns \nothing;
      @ behavior key_found:
      @   ensures \result != null ==>
      @    containsKey(this.hashmap_model,x) &&
      @    \result == access(this.hashmap_model,x) ;
      @ behavior null_found:
      @   assumes containsKey(this.hashmap_model,x);
      @   ensures access(this.hashmap_model,x) == null ;
      @       
      @*/
    Long get(Integer x);

}
why-2.34/lib/java_api/java/util/Iterator.java0000644000175000017500000000416512311670312017475 0ustar  rtusers/*
 * @(#)Iterator.java	1.18 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.util;

/**
 * An iterator over a collection.  Iterator takes the place of Enumeration in
 * the Java collections framework.  Iterators differ from enumerations in two
 * ways: 
      
 *	
    •  Iterators allow the caller to remove elements from the
 *	     underlying collection during the iteration with well-defined
 * 	     semantics.
 *	
    •  Method names have been improved.
 * 
    
 *
 * This interface is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Josh Bloch
 * @version 1.18, 01/23/03
 * @see Collection
 * @see ListIterator
 * @see Enumeration
 * @since 1.2
 */
public interface Iterator {
    /**
     * Returns true if the iteration has more elements. (In other
     * words, returns true if next would return an element
     * rather than throwing an exception.)
     *
     * @return true if the iterator has more elements.
     */
    boolean hasNext();

    /**
     * Returns the next element in the iteration.
     *
     * @return the next element in the iteration.
     * @exception NoSuchElementException iteration has no more elements.
     */
    Object next();

    /**
     * 
     * Removes from the underlying collection the last element returned by the
     * iterator (optional operation).  This method can be called only once per
     * call to next.  The behavior of an iterator is unspecified if
     * the underlying collection is modified while the iteration is in
     * progress in any way other than by calling this method.
     *
     * @exception UnsupportedOperationException if the remove
     *		  operation is not supported by this Iterator.
     
     * @exception IllegalStateException if the next method has not
     *		  yet been called, or the remove method has already
     *		  been called after the last call to the next
     *		  method.
     */
    void remove();
}
why-2.34/lib/java_api/java/util/Map.java0000644000175000017500000004517512311670312016427 0ustar  rtusers/*
 * @(#)Map.java	1.39 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.util;

/**
 * An object that maps keys to values.  A map cannot contain duplicate keys;
 * each key can map to at most one value.
 *
 * 
    This interface takes the place of the Dictionary class, which
 * was a totally abstract class rather than an interface.
 *
 * 
    The Map interface provides three collection views, which
 * allow a map's contents to be viewed as a set of keys, collection of values,
 * or set of key-value mappings.  The order of a map is defined as
 * the order in which the iterators on the map's collection views return their
 * elements.  Some map implementations, like the TreeMap class, make
 * specific guarantees as to their order; others, like the HashMap
 * class, do not.
 *
 * 
    Note: great care must be exercised if mutable objects are used as map
 * keys.  The behavior of a map is not specified if the value of an object is
 * changed in a manner that affects equals comparisons while the object is a
 * key in the map.  A special case of this prohibition is that it is not
 * permissible for a map to contain itself as a key.  While it is permissible
 * for a map to contain itself as a value, extreme caution is advised: the
 * equals and hashCode methods are no longer well defined on a such a map.
 *
 * 
    All general-purpose map implementation classes should provide two
 * "standard" constructors: a void (no arguments) constructor which creates an
 * empty map, and a constructor with a single argument of type Map,
 * which creates a new map with the same key-value mappings as its argument.
 * In effect, the latter constructor allows the user to copy any map,
 * producing an equivalent map of the desired class.  There is no way to
 * enforce this recommendation (as interfaces cannot contain constructors) but
 * all of the general-purpose map implementations in the SDK comply.
 *
 * 
    The "destructive" methods contained in this interface, that is, the
 * methods that modify the map on which they operate, are specified to throw
 * UnsupportedOperationException if this map does not support the
 * operation.  If this is the case, these methods may, but are not required
 * to, throw an UnsupportedOperationException if the invocation would
 * have no effect on the map.  For example, invoking the {@link #putAll(Map)}
 * method on an unmodifiable map may, but is not required to, throw the
 * exception if the map whose mappings are to be "superimposed" is empty.
 *
 * 
    Some map implementations have restrictions on the keys and values they
 * may contain.  For example, some implementations prohibit null keys and
 * values, and some have restrictions on the types of their keys.  Attempting
 * to insert an ineligible key or value throws an unchecked exception,
 * typically NullPointerException or ClassCastException.
 * Attempting to query the presence of an ineligible key or value may throw an
 * exception, or it may simply return false; some implementations will exhibit
 * the former behavior and some will exhibit the latter.  More generally,
 * attempting an operation on an ineligible key or value whose completion
 * would not result in the insertion of an ineligible element into the map may
 * throw an exception or it may succeed, at the option of the implementation.
 * Such exceptions are marked as "optional" in the specification for this
 * interface.
 *
 * 
    This interface is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Josh Bloch
 * @version 1.39, 01/23/03
 * @see HashMap
 * @see TreeMap
 * @see Hashtable
 * @see SortedMap
 * @see Collection
 * @see Set
 * @since 1.2
 */
public interface Map {
    // Query Operations

    /**
     * Returns the number of key-value mappings in this map.  If the
     * map contains more than Integer.MAX_VALUE elements, returns
     * Integer.MAX_VALUE.
     *
     * @return the number of key-value mappings in this map.
     */
    int size();

    /**
     * Returns true if this map contains no key-value mappings.
     *
     * @return true if this map contains no key-value mappings.
     */
    boolean isEmpty();

    /**
     * Returns true if this map contains a mapping for the specified
     * key.  More formally, returns true if and only if
     * this map contains at a mapping for a key k such that
     * (key==null ? k==null : key.equals(k)).  (There can be
     * at most one such mapping.)
     *
     * @param key key whose presence in this map is to be tested.
     * @return true if this map contains a mapping for the specified
     *         key.
     * 
     * @throws ClassCastException if the key is of an inappropriate type for
     * 		  this map (optional).
     * @throws NullPointerException if the key is null and this map
     *            does not not permit null keys (optional).
     */
    boolean containsKey(Object key);

    /**
     * Returns true if this map maps one or more keys to the
     * specified value.  More formally, returns true if and only if
     * this map contains at least one mapping to a value v such that
     * (value==null ? v==null : value.equals(v)).  This operation
     * will probably require time linear in the map size for most
     * implementations of the Map interface.
     *
     * @param value value whose presence in this map is to be tested.
     * @return true if this map maps one or more keys to the
     *         specified value.
     * @throws ClassCastException if the value is of an inappropriate type for
     * 		  this map (optional).
     * @throws NullPointerException if the value is null and this map
     *            does not not permit null values (optional).
     */
    boolean containsValue(Object value);

    /**
     * Returns the value to which this map maps the specified key.  Returns
     * null if the map contains no mapping for this key.  A return
     * value of null does not necessarily indicate that the
     * map contains no mapping for the key; it's also possible that the map
     * explicitly maps the key to null.  The containsKey
     * operation may be used to distinguish these two cases.
     *
     * 
    More formally, if this map contains a mapping from a key
     * k to a value v such that (key==null ? k==null :
     * key.equals(k)), then this method returns v; otherwise
     * it returns null.  (There can be at most one such mapping.)
     *
     * @param key key whose associated value is to be returned.
     * @return the value to which this map maps the specified key, or
     *	       null if the map contains no mapping for this key.
     * 
     * @throws ClassCastException if the key is of an inappropriate type for
     * 		  this map (optional).
     * @throws NullPointerException key is null and this map does not
     *		  not permit null keys (optional).
     * 
     * @see #containsKey(Object)
     */
    Object get(Object key);

    // Modification Operations

    /**
     * Associates the specified value with the specified key in this map
     * (optional operation).  If the map previously contained a mapping for
     * this key, the old value is replaced by the specified value.  (A map
     * m is said to contain a mapping for a key k if and only
     * if {@link #containsKey(Object) m.containsKey(k)} would return
     * true.)) 
     *
     * @param key key with which the specified value is to be associated.
     * @param value value to be associated with the specified key.
     * @return previous value associated with specified key, or null
     *	       if there was no mapping for key.  A null return can
     *	       also indicate that the map previously associated null
     *	       with the specified key, if the implementation supports
     *	       null values.
     * 
     * @throws UnsupportedOperationException if the put operation is
     *	          not supported by this map.
     * @throws ClassCastException if the class of the specified key or value
     * 	          prevents it from being stored in this map.
     * @throws IllegalArgumentException if some aspect of this key or value
     *	          prevents it from being stored in this map.
     * @throws NullPointerException this map does not permit null
     *            keys or values, and the specified key or value is
     *            null.
     */
    Object put(Object key, Object value);

    /**
     * Removes the mapping for this key from this map if it is present
     * (optional operation).   More formally, if this map contains a mapping
     * from key k to value v such that
     * (key==null ?  k==null : key.equals(k)), that mapping
     * is removed.  (The map can contain at most one such mapping.)
     *
     * 
    Returns the value to which the map previously associated the key, or
     * null if the map contained no mapping for this key.  (A
     * null return can also indicate that the map previously
     * associated null with the specified key if the implementation
     * supports null values.)  The map will not contain a mapping for
     * the specified  key once the call returns.
     *
     * @param key key whose mapping is to be removed from the map.
     * @return previous value associated with specified key, or null
     *	       if there was no mapping for key.
     *
     * @throws ClassCastException if the key is of an inappropriate type for
     * 		  this map (optional).
     * @throws NullPointerException if the key is null and this map
     *            does not not permit null keys (optional).
     * @throws UnsupportedOperationException if the remove method is
     *         not supported by this map.
     */
    Object remove(Object key);


    // Bulk Operations

    /**
     * Copies all of the mappings from the specified map to this map
     * (optional operation).  The effect of this call is equivalent to that
     * of calling {@link #put(Object,Object) put(k, v)} on this map once
     * for each mapping from key k to value v in the 
     * specified map.  The behavior of this operation is unspecified if the
     * specified map is modified while the operation is in progress.
     *
     * @param t Mappings to be stored in this map.
     * 
     * @throws UnsupportedOperationException if the putAll method is
     * 		  not supported by this map.
     * 
     * @throws ClassCastException if the class of a key or value in the
     * 	          specified map prevents it from being stored in this map.
     * 
     * @throws IllegalArgumentException some aspect of a key or value in the
     *	          specified map prevents it from being stored in this map.
     * @throws NullPointerException the specified map is null, or if
     *         this map does not permit null keys or values, and the
     *         specified map contains null keys or values.
     */
    void putAll(Map t);

    /**
     * Removes all mappings from this map (optional operation).
     *
     * @throws UnsupportedOperationException clear is not supported by this
     * 		  map.
     */
    void clear();


    // Views

    /**
     * Returns a set view of the keys contained in this map.  The set is
     * backed by the map, so changes to the map are reflected in the set, and
     * vice-versa.  If the map is modified while an iteration over the set is
     * in progress, the results of the iteration are undefined.  The set
     * supports element removal, which removes the corresponding mapping from
     * the map, via the Iterator.remove, Set.remove,
     * removeAll retainAll, and clear operations.
     * It does not support the add or addAll operations.
     *
     * @return a set view of the keys contained in this map.
     */
    Set keySet();

    /**
     * Returns a collection view of the values contained in this map.  The
     * collection is backed by the map, so changes to the map are reflected in
     * the collection, and vice-versa.  If the map is modified while an
     * iteration over the collection is in progress, the results of the
     * iteration are undefined.  The collection supports element removal,
     * which removes the corresponding mapping from the map, via the
     * Iterator.remove, Collection.remove,
     * removeAll, retainAll and clear operations.
     * It does not support the add or addAll operations.
     *
     * @return a collection view of the values contained in this map.
     */
    Collection values();

    /**
     * Returns a set view of the mappings contained in this map.  Each element
     * in the returned set is a {@link Map.Entry}.  The set is backed by the
     * map, so changes to the map are reflected in the set, and vice-versa.
     * If the map is modified while an iteration over the set is in progress,
     * the results of the iteration are undefined.  The set supports element
     * removal, which removes the corresponding mapping from the map, via the
     * Iterator.remove, Set.remove, removeAll,
     * retainAll and clear operations.  It does not support
     * the add or addAll operations.
     *
     * @return a set view of the mappings contained in this map.
     */
    Set entrySet();

    /**
     * A map entry (key-value pair).  The Map.entrySet method returns
     * a collection-view of the map, whose elements are of this class.  The
     * only way to obtain a reference to a map entry is from the
     * iterator of this collection-view.  These Map.Entry objects are
     * valid only for the duration of the iteration; more formally,
     * the behavior of a map entry is undefined if the backing map has been
     * modified after the entry was returned by the iterator, except through
     * the iterator's own remove operation, or through the
     * setValue operation on a map entry returned by the iterator.
     *
     * @see Map#entrySet()
     * @since 1.2
     */
    interface Entry {
    	/**
	 * Returns the key corresponding to this entry.
	 *
	 * @return the key corresponding to this entry.
	 */
	Object getKey();

    	/**
	 * Returns the value corresponding to this entry.  If the mapping
	 * has been removed from the backing map (by the iterator's
	 * remove operation), the results of this call are undefined.
	 *
	 * @return the value corresponding to this entry.
	 */
	Object getValue();

    	/**
	 * Replaces the value corresponding to this entry with the specified
	 * value (optional operation).  (Writes through to the map.)  The
	 * behavior of this call is undefined if the mapping has already been
	 * removed from the map (by the iterator's remove operation).
	 *
	 * @param value new value to be stored in this entry.
	 * @return old value corresponding to the entry.
         * 
	 * @throws UnsupportedOperationException if the put operation
	 *	      is not supported by the backing map.
	 * @throws ClassCastException if the class of the specified value
	 * 	      prevents it from being stored in the backing map.
	 * @throws    IllegalArgumentException if some aspect of this value
	 *	      prevents it from being stored in the backing map.
	 * @throws NullPointerException the backing map does not permit
	 *	      null values, and the specified value is
	 *	      null.
         */
	Object setValue(Object value);

	/**
	 * Compares the specified object with this entry for equality.
	 * Returns true if the given object is also a map entry and
	 * the two entries represent the same mapping.  More formally, two
	 * entries e1 and e2 represent the same mapping
	 * if
             *     (e1.getKey()==null ?
         *      e2.getKey()==null : e1.getKey().equals(e2.getKey()))  &&
         *     (e1.getValue()==null ?
         *      e2.getValue()==null : e1.getValue().equals(e2.getValue()))
         * 
    
	 * This ensures that the equals method works properly across
	 * different implementations of the Map.Entry interface.
	 *
	 * @param o object to be compared for equality with this map entry.
	 * @return true if the specified object is equal to this map
	 *         entry.
         */
	boolean equals(Object o);

	/**
	 * Returns the hash code value for this map entry.  The hash code
	 * of a map entry e is defined to be: 
    	 *     (e.getKey()==null   ? 0 : e.getKey().hashCode()) ^
	 *     (e.getValue()==null ? 0 : e.getValue().hashCode())
         * 
    
	 * This ensures that e1.equals(e2) implies that
	 * e1.hashCode()==e2.hashCode() for any two Entries
	 * e1 and e2, as required by the general
	 * contract of Object.hashCode.
	 *
	 * @return the hash code value for this map entry.
	 * @see Object#hashCode()
	 * @see Object#equals(Object)
	 * @see #equals(Object)
	 */
	int hashCode();
    }

    // Comparison and hashing

    /**
     * Compares the specified object with this map for equality.  Returns
     * true if the given object is also a map and the two Maps
     * represent the same mappings.  More formally, two maps t1 and
     * t2 represent the same mappings if
     * t1.entrySet().equals(t2.entrySet()).  This ensures that the
     * equals method works properly across different implementations
     * of the Map interface.
     *
     * @param o object to be compared for equality with this map.
     * @return true if the specified object is equal to this map.
     */
    boolean equals(Object o);

    /**
     * Returns the hash code value for this map.  The hash code of a map
     * is defined to be the sum of the hashCodes of each entry in the map's
     * entrySet view.  This ensures that t1.equals(t2) implies
     * that t1.hashCode()==t2.hashCode() for any two maps
     * t1 and t2, as required by the general
     * contract of Object.hashCode.
     *
     * @return the hash code value for this map.
     * @see Map.Entry#hashCode()
     * @see Object#hashCode()
     * @see Object#equals(Object)
     * @see #equals(Object)
     */
    int hashCode();
}
why-2.34/lib/java_api/java/util/Collection.java0000644000175000017500000004464212311670312020003 0ustar  rtusers/*
 * @(#)Collection.java	1.39 03/01/17
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.util;

/**
 * The root interface in the collection hierarchy.  A collection
 * represents a group of objects, known as its elements.  Some
 * collections allow duplicate elements and others do not.  Some are ordered
 * and others unordered.  The SDK does not provide any direct
 * implementations of this interface: it provides implementations of more
 * specific subinterfaces like Set and List.  This interface
 * is typically used to pass collections around and manipulate them where
 * maximum generality is desired.
 *
 * 
    Bags or multisets (unordered collections that may contain
 * duplicate elements) should implement this interface directly.
 *
 * 
    All general-purpose Collection implementation classes (which
 * typically implement Collection indirectly through one of its
 * subinterfaces) should provide two "standard" constructors: a void (no
 * arguments) constructor, which creates an empty collection, and a
 * constructor with a single argument of type Collection, which
 * creates a new collection with the same elements as its argument.  In
 * effect, the latter constructor allows the user to copy any collection,
 * producing an equivalent collection of the desired implementation type.
 * There is no way to enforce this convention (as interfaces cannot contain
 * constructors) but all of the general-purpose Collection
 * implementations in the Java platform libraries comply.
 *
 * 
    The "destructive" methods contained in this interface, that is, the
 * methods that modify the collection on which they operate, are specified to
 * throw UnsupportedOperationException if this collection does not
 * support the operation.  If this is the case, these methods may, but are not
 * required to, throw an UnsupportedOperationException if the
 * invocation would have no effect on the collection.  For example, invoking
 * the {@link #addAll(Collection)} method on an unmodifiable collection may,
 * but is not required to, throw the exception if the collection to be added
 * is empty.
 *
 * 
    Some collection implementations have restrictions on the elements that
 * they may contain.  For example, some implementations prohibit null elements,
 * and some have restrictions on the types of their elements.  Attempting to
 * add an ineligible element throws an unchecked exception, typically
 * NullPointerException or ClassCastException.  Attempting
 * to query the presence of an ineligible element may throw an exception,
 * or it may simply return false; some implementations will exhibit the former
 * behavior and some will exhibit the latter.  More generally, attempting an
 * operation on an ineligible element whose completion would not result in
 * the insertion of an ineligible element into the collection may throw an
 * exception or it may succeed, at the option of the implementation.
 * Such exceptions are marked as "optional" in the specification for this
 * interface. 
 *
 * 
    This interface is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Josh Bloch
 * @version 1.40, 01/23/03
 * @see	    Set
 * @see	    List
 * @see	    Map
 * @see	    SortedSet
 * @see	    SortedMap
 * @see	    HashSet
 * @see	    TreeSet
 * @see	    ArrayList
 * @see	    LinkedList
 * @see	    Vector
 * @see     Collections
 * @see	    Arrays
 * @see	    AbstractCollection
 * @since 1.2
 */

public interface Collection {
    // Query Operations

    /**
     * Returns the number of elements in this collection.  If this collection
     * contains more than Integer.MAX_VALUE elements, returns
     * Integer.MAX_VALUE.
     * 
     * @return the number of elements in this collection
     */
    int size();

    /**
     * Returns true if this collection contains no elements.
     *
     * @return true if this collection contains no elements
     */
    boolean isEmpty();

    /**
     * Returns true if this collection contains the specified
     * element.  More formally, returns true if and only if this
     * collection contains at least one element e such that
     * (o==null ? e==null : o.equals(e)).
     *
     * @param o element whose presence in this collection is to be tested.
     * @return true if this collection contains the specified
     *         element
     * @throws ClassCastException if the type of the specified element
     * 	       is incompatible with this collection (optional).
     * @throws NullPointerException if the specified element is null and this
     *         collection does not support null elements (optional).
     */
    boolean contains(Object o);

    /**
     * Returns an iterator over the elements in this collection.  There are no
     * guarantees concerning the order in which the elements are returned
     * (unless this collection is an instance of some class that provides a
     * guarantee).
     * 
     * @return an Iterator over the elements in this collection
     */
    Iterator iterator();

    /**
     * Returns an array containing all of the elements in this collection.  If
     * the collection makes any guarantees as to what order its elements are
     * returned by its iterator, this method must return the elements in the
     * same order.
    
     *
     * The returned array will be "safe" in that no references to it are
     * maintained by this collection.  (In other words, this method must
     * allocate a new array even if this collection is backed by an array).
     * The caller is thus free to modify the returned array.
    
     *
     * This method acts as bridge between array-based and collection-based
     * APIs.
     *
     * @return an array containing all of the elements in this collection
     */
    Object[] toArray();

    /**
     * Returns an array containing all of the elements in this collection; 
     * the runtime type of the returned array is that of the specified array.  
     * If the collection fits in the specified array, it is returned therein.  
     * Otherwise, a new array is allocated with the runtime type of the 
     * specified array and the size of this collection.
    
     *
     * If this collection fits in the specified array with room to spare
     * (i.e., the array has more elements than this collection), the element
     * in the array immediately following the end of the collection is set to
     * null.  This is useful in determining the length of this
     * collection only if the caller knows that this collection does
     * not contain any null elements.)
    
     *
     * If this collection makes any guarantees as to what order its elements
     * are returned by its iterator, this method must return the elements in
     * the same order.
    
     *
     * Like the toArray method, this method acts as bridge between
     * array-based and collection-based APIs.  Further, this method allows
     * precise control over the runtime type of the output array, and may,
     * under certain circumstances, be used to save allocation costs
    
     *
     * Suppose l is a List known to contain only strings.
     * The following code can be used to dump the list into a newly allocated
     * array of String:
     *
     * 
         *     String[] x = (String[]) v.toArray(new String[0]);
     * 
    
     *
     * Note that toArray(new Object[0]) is identical in function to
     * toArray().
     *
     * @param a the array into which the elements of this collection are to be
     *        stored, if it is big enough; otherwise, a new array of the same
     *        runtime type is allocated for this purpose.
     * @return an array containing the elements of this collection
     * 
     * @throws ArrayStoreException the runtime type of the specified array is
     *         not a supertype of the runtime type of every element in this
     *         collection.
     * @throws NullPointerException if the specified array is null.
     */
    
    Object[] toArray(Object a[]);

    // Modification Operations

    /**
     * Ensures that this collection contains the specified element (optional
     * operation).  Returns true if this collection changed as a
     * result of the call.  (Returns false if this collection does
     * not permit duplicates and already contains the specified element.)
    
     *
     * Collections that support this operation may place limitations on what
     * elements may be added to this collection.  In particular, some
     * collections will refuse to add null elements, and others will
     * impose restrictions on the type of elements that may be added.
     * Collection classes should clearly specify in their documentation any
     * restrictions on what elements may be added.
    
     *
     * If a collection refuses to add a particular element for any reason
     * other than that it already contains the element, it must throw
     * an exception (rather than returning false).  This preserves
     * the invariant that a collection always contains the specified element
     * after this call returns.
     *
     * @param o element whose presence in this collection is to be ensured.
     * @return true if this collection changed as a result of the
     *         call
     * 
     * @throws UnsupportedOperationException add is not supported by
     *         this collection.
     * @throws ClassCastException class of the specified element prevents it
     *         from being added to this collection.
     * @throws NullPointerException if the specified element is null and this
     *         collection does not support null elements.
     * @throws IllegalArgumentException some aspect of this element prevents
     *         it from being added to this collection.
     */
    boolean add(Object o);

    /**
     * Removes a single instance of the specified element from this
     * collection, if it is present (optional operation).  More formally,
     * removes an element e such that (o==null ?  e==null :
     * o.equals(e)), if this collection contains one or more such
     * elements.  Returns true if this collection contained the specified
     * element (or equivalently, if this collection changed as a result of the
     * call).
     *
     * @param o element to be removed from this collection, if present.
     * @return true if this collection changed as a result of the
     *         call
     * 
     * @throws ClassCastException if the type of the specified element
     * 	       is incompatible with this collection (optional).
     * @throws NullPointerException if the specified element is null and this
     *         collection does not support null elements (optional).
     * @throws UnsupportedOperationException remove is not supported by this
     *         collection.
     */
    boolean remove(Object o);


    // Bulk Operations

    /**
     * Returns true if this collection contains all of the elements
     * in the specified collection.
     *
     * @param  c collection to be checked for containment in this collection.
     * @return true if this collection contains all of the elements
     *	       in the specified collection
     * @throws ClassCastException if the types of one or more elements
     *         in the specified collection are incompatible with this
     *         collection (optional).
     * @throws NullPointerException if the specified collection contains one
     *         or more null elements and this collection does not support null
     *         elements (optional).
     * @throws NullPointerException if the specified collection is
     *         null.
     * @see    #contains(Object)
     */
    boolean containsAll(Collection c);

    /**
     * Adds all of the elements in the specified collection to this collection
     * (optional operation).  The behavior of this operation is undefined if
     * the specified collection is modified while the operation is in progress.
     * (This implies that the behavior of this call is undefined if the
     * specified collection is this collection, and this collection is
     * nonempty.)
     *
     * @param c elements to be inserted into this collection.
     * @return true if this collection changed as a result of the
     *         call
     * 
     * @throws UnsupportedOperationException if this collection does not
     *         support the addAll method.
     * @throws ClassCastException if the class of an element of the specified
     * 	       collection prevents it from being added to this collection.
     * @throws NullPointerException if the specified collection contains one
     *         or more null elements and this collection does not support null
     *         elements, or if the specified collection is null.
     * @throws IllegalArgumentException some aspect of an element of the
     *	       specified collection prevents it from being added to this
     *	       collection.
     * @see #add(Object)
     */
    boolean addAll(Collection c);

    /**
     * 
     * Removes all this collection's elements that are also contained in the
     * specified collection (optional operation).  After this call returns,
     * this collection will contain no elements in common with the specified
     * collection.
     *
     * @param c elements to be removed from this collection.
     * @return true if this collection changed as a result of the
     *         call
     * 
     * @throws UnsupportedOperationException if the removeAll method
     * 	       is not supported by this collection.
     * @throws ClassCastException if the types of one or more elements
     *         in this collection are incompatible with the specified
     *         collection (optional).
     * @throws NullPointerException if this collection contains one or more
     *         null elements and the specified collection does not support
     *         null elements (optional).
     * @throws NullPointerException if the specified collection is
     *         null.
     * @see #remove(Object)
     * @see #contains(Object)
     */
    boolean removeAll(Collection c);

    /**
     * Retains only the elements in this collection that are contained in the
     * specified collection (optional operation).  In other words, removes from
     * this collection all of its elements that are not contained in the
     * specified collection.
     *
     * @param c elements to be retained in this collection.
     * @return true if this collection changed as a result of the
     *         call
     * 
     * @throws UnsupportedOperationException if the retainAll method
     * 	       is not supported by this Collection.
     * @throws ClassCastException if the types of one or more elements
     *         in this collection are incompatible with the specified
     *         collection (optional).
     * @throws NullPointerException if this collection contains one or more
     *         null elements and the specified collection does not support null 
     *         elements (optional).
     * @throws NullPointerException if the specified collection is
     *         null.
     * @see #remove(Object)
     * @see #contains(Object)
     */
    boolean retainAll(Collection c);

    /**
     * Removes all of the elements from this collection (optional operation).
     * This collection will be empty after this method returns unless it
     * throws an exception.
     *
     * @throws UnsupportedOperationException if the clear method is
     *         not supported by this collection.
     */
    void clear();


    // Comparison and hashing

    /**
     * Compares the specified object with this collection for equality. 
    
     *
     * While the Collection interface adds no stipulations to the
     * general contract for the Object.equals, programmers who
     * implement the Collection interface "directly" (in other words,
     * create a class that is a Collection but is not a Set
     * or a List) must exercise care if they choose to override the
     * Object.equals.  It is not necessary to do so, and the simplest
     * course of action is to rely on Object's implementation, but
     * the implementer may wish to implement a "value comparison" in place of
     * the default "reference comparison."  (The List and
     * Set interfaces mandate such value comparisons.)
    
     *
     * The general contract for the Object.equals method states that
     * equals must be symmetric (in other words, a.equals(b) if and
     * only if b.equals(a)).  The contracts for List.equals
     * and Set.equals state that lists are only equal to other lists,
     * and sets to other sets.  Thus, a custom equals method for a
     * collection class that implements neither the List nor
     * Set interface must return false when this collection
     * is compared to any list or set.  (By the same logic, it is not possible
     * to write a class that correctly implements both the Set and
     * List interfaces.)
     *
     * @param o Object to be compared for equality with this collection.
     * @return true if the specified object is equal to this
     * collection
     * 
     * @see Object#equals(Object)
     * @see Set#equals(Object)
     * @see List#equals(Object)
     */
    boolean equals(Object o);

    /**
     * Returns the hash code value for this collection.  While the
     * Collection interface adds no stipulations to the general
     * contract for the Object.hashCode method, programmers should
     * take note that any class that overrides the Object.equals
     * method must also override the Object.hashCode method in order
     * to satisfy the general contract for the Object.hashCodemethod.
     * In particular, c1.equals(c2) implies that
     * c1.hashCode()==c2.hashCode().
     *
     * @return the hash code value for this collection
     * 
     * @see Object#hashCode()
     * @see Object#equals(Object)
     */
    int hashCode();
}
why-2.34/lib/java_api/java/util/Locale.java0000644000175000017500000000004712311670312017076 0ustar  rtusers
import java.text.*;

class Locale {

}why-2.34/lib/java_api/java/util/HashMapIntegerInteger.java0000644000175000017500000000137112311670312022055 0ustar  rtusers
package java.util;

class HashMapIntegerInteger {

    //@ model mappings hashmap_model;


    /*@ ensures this.hashmap_model == empty_mappings();
      @*/
    HashMapIntegerInteger();

    /*@ requires x != null;
      @ assigns hashmap_model;
      @ ensures 
      @   this.hashmap_model == update_int(\old(this.hashmap_model),x,y);
      @*/
    void put(Integer x, Integer y);

    /*@ requires x != null;
      @ assigns \nothing;
      @ behavior key_found:
      @   ensures \result != null ==>
      @    \result == access_int(this.hashmap_model,x) ;
      @ behavior null_found:
      @   assumes containsKey(this.hashmap_model,x);
      @   ensures access_int(this.hashmap_model,x) == null ;
      @       
      @*/
    Integer get(Integer x);

}
why-2.34/lib/java_api/java/lang/0000755000175000017500000000000012311670312014777 5ustar  rtuserswhy-2.34/lib/java_api/java/lang/Object.java0000644000175000017500000005615112311670312017060 0ustar  rtusers/*
 * @(#)Object.java	1.61 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * Class Object is the root of the class hierarchy. 
 * Every class has Object as a superclass. All objects, 
 * including arrays, implement the methods of this class. 
 *
 * @author  unascribed
 * @version 1.61, 01/23/03
 * @see     java.lang.Class
 * @since   JDK1.0
 */
public class Object {

    private static native void registerNatives();
    static {
        registerNatives();
    }

    /**
     * Returns the runtime class of an object. That Class 
     * object is the object that is locked by static synchronized 
     * methods of the represented class.
     *
     * @return  the object of type Class that represents the
     *          runtime class of the object.
     */
    /*KML
    public final native Class getClass();
    */

    /**
     * Returns a hash code value for the object. This method is 
     * supported for the benefit of hashtables such as those provided by 
     * java.util.Hashtable. 
     * 
    
     * The general contract of hashCode is: 
     * 
      
     * 
    • Whenever it is invoked on the same object more than once during 
     *     an execution of a Java application, the hashCode method 
     *     must consistently return the same integer, provided no information 
     *     used in equals comparisons on the object is modified.
     *     This integer need not remain consistent from one execution of an
     *     application to another execution of the same application. 
     * 
    • If two objects are equal according to the equals(Object)
     *     method, then calling the hashCode method on each of 
     *     the two objects must produce the same integer result. 
     * 
    • It is not required that if two objects are unequal 
     *     according to the {@link java.lang.Object#equals(java.lang.Object)} 
     *     method, then calling the hashCode method on each of the 
     *     two objects must produce distinct integer results.  However, the 
     *     programmer should be aware that producing distinct integer results 
     *     for unequal objects may improve the performance of hashtables.
     * 
    
     * 
    
     * As much as is reasonably practical, the hashCode method defined by 
     * class Object does return distinct integers for distinct 
     * objects. (This is typically implemented by converting the internal 
     * address of the object into an integer, but this implementation 
     * technique is not required by the 
     * JavaTM programming language.)
     *
     * @return  a hash code value for this object.
     * @see     java.lang.Object#equals(java.lang.Object)
     * @see     java.util.Hashtable
     */
    public native int hashCode();

    /**
     * Indicates whether some other object is "equal to" this one.
     * 
    
     * The equals method implements an equivalence relation
     * on non-null object references:
     * 
      
     * 
    • It is reflexive: for any non-null reference value
     *     x, x.equals(x) should return
     *     true.
     * 
    • It is symmetric: for any non-null reference values
     *     x and y, x.equals(y)
     *     should return true if and only if
     *     y.equals(x) returns true.
     * 
    • It is transitive: for any non-null reference values
     *     x, y, and z, if
     *     x.equals(y) returns true and
     *     y.equals(z) returns true, then
     *     x.equals(z) should return true.
     * 
    • It is consistent: for any non-null reference values
     *     x and y, multiple invocations of
     *     x.equals(y) consistently return true
     *     or consistently return false, provided no
     *     information used in equals comparisons on the
     *     objects is modified.
     * 
    • For any non-null reference value x,
     *     x.equals(null) should return false.
     * 
    
     * 
    
     * The equals method for class Object implements 
     * the most discriminating possible equivalence relation on objects; 
     * that is, for any non-null reference values x and
     * y, this method returns true if and only
     * if x and y refer to the same object
     * (x == y has the value true).
     * 
    
     * Note that it is generally necessary to override the hashCode
     * method whenever this method is overridden, so as to maintain the
     * general contract for the hashCode method, which states
     * that equal objects must have equal hash codes. 
     *
     * @param   obj   the reference object with which to compare.
     * @return  true if this object is the same as the obj
     *          argument; false otherwise.
     * @see     #hashCode()
     * @see     java.util.Hashtable
     */
    public boolean equals(Object obj) {
	return (this == obj);
    }

    /**
     * Creates and returns a copy of this object.  The precise meaning 
     * of "copy" may depend on the class of the object. The general 
     * intent is that, for any object x, the expression:
     * 
    
     * 
         * x.clone() != x
    
     * will be true, and that the expression:
     * 
    
     * 
         * x.clone().getClass() == x.getClass()
    
     * will be true, but these are not absolute requirements. 
     * While it is typically the case that:
     * 
    
     * 
         * x.clone().equals(x)
    
     * will be true, this is not an absolute requirement. 
     * 
    
     * By convention, the returned object should be obtained by calling
     * super.clone.  If a class and all of its superclasses (except
     * Object) obey this convention, it will be the case that
     * x.clone().getClass() == x.getClass().
     * 
    
     * By convention, the object returned by this method should be independent
     * of this object (which is being cloned).  To achieve this independence,
     * it may be necessary to modify one or more fields of the object returned
     * by super.clone before returning it.  Typically, this means
     * copying any mutable objects that comprise the internal "deep structure"
     * of the object being cloned and replacing the references to these
     * objects with references to the copies.  If a class contains only
     * primitive fields or references to immutable objects, then it is usually
     * the case that no fields in the object returned by super.clone
     * need to be modified.
     * 
    
     * The method clone for class Object performs a 
     * specific cloning operation. First, if the class of this object does 
     * not implement the interface Cloneable, then a 
     * CloneNotSupportedException is thrown. Note that all arrays 
     * are considered to implement the interface Cloneable. 
     * Otherwise, this method creates a new instance of the class of this 
     * object and initializes all its fields with exactly the contents of 
     * the corresponding fields of this object, as if by assignment; the
     * contents of the fields are not themselves cloned. Thus, this method 
     * performs a "shallow copy" of this object, not a "deep copy" operation.
     * 
    
     * The class Object does not itself implement the interface 
     * Cloneable, so calling the clone method on an object 
     * whose class is Object will result in throwing an
     * exception at run time.
     *
     * @return     a clone of this instance.
     * @exception  CloneNotSupportedException  if the object's class does not
     *               support the Cloneable interface. Subclasses
     *               that override the clone method can also
     *               throw this exception to indicate that an instance cannot
     *               be cloned.
     * @see java.lang.Cloneable
     */
    protected native Object clone() throws CloneNotSupportedException;

    /**
     * Returns a string representation of the object. In general, the 
     * toString method returns a string that 
     * "textually represents" this object. The result should 
     * be a concise but informative representation that is easy for a 
     * person to read.
     * It is recommended that all subclasses override this method.
     * 
    
     * The toString method for class Object 
     * returns a string consisting of the name of the class of which the 
     * object is an instance, the at-sign character `@', and 
     * the unsigned hexadecimal representation of the hash code of the 
     * object. In other words, this method returns a string equal to the 
     * value of:
     * 
    
     * 
         * getClass().getName() + '@' + Integer.toHexString(hashCode())
     * 
    
     *
     * @return  a string representation of the object.
     */
    public String toString() {
	//KML return getClass().getName() + "@" + Integer.toHexString(hashCode());
    }

    /**
     * Wakes up a single thread that is waiting on this object's 
     * monitor. If any threads are waiting on this object, one of them 
     * is chosen to be awakened. The choice is arbitrary and occurs at 
     * the discretion of the implementation. A thread waits on an object's 
     * monitor by calling one of the wait methods.
     * 
    
     * The awakened thread will not be able to proceed until the current 
     * thread relinquishes the lock on this object. The awakened thread will 
     * compete in the usual manner with any other threads that might be 
     * actively competing to synchronize on this object; for example, the 
     * awakened thread enjoys no reliable privilege or disadvantage in being 
     * the next thread to lock this object.
     * 
    
     * This method should only be called by a thread that is the owner 
     * of this object's monitor. A thread becomes the owner of the 
     * object's monitor in one of three ways: 
     * 
      
     * 
    • By executing a synchronized instance method of that object. 
     * 
    • By executing the body of a synchronized statement 
     *     that synchronizes on the object. 
     * 
    • For objects of type Class, by executing a 
     *     synchronized static method of that class. 
     * 
    
     * 
    
     * Only one thread at a time can own an object's monitor. 
     *
     * @exception  IllegalMonitorStateException  if the current thread is not
     *               the owner of this object's monitor.
     * @see        java.lang.Object#notifyAll()
     * @see        java.lang.Object#wait()
     */
    public final native void notify();

    /**
     * Wakes up all threads that are waiting on this object's monitor. A 
     * thread waits on an object's monitor by calling one of the 
     * wait methods.
     * 
    
     * The awakened threads will not be able to proceed until the current 
     * thread relinquishes the lock on this object. The awakened threads 
     * will compete in the usual manner with any other threads that might 
     * be actively competing to synchronize on this object; for example, 
     * the awakened threads enjoy no reliable privilege or disadvantage in 
     * being the next thread to lock this object.
     * 
    
     * This method should only be called by a thread that is the owner 
     * of this object's monitor. See the notify method for a 
     * description of the ways in which a thread can become the owner of 
     * a monitor. 
     *
     * @exception  IllegalMonitorStateException  if the current thread is not
     *               the owner of this object's monitor.
     * @see        java.lang.Object#notify()
     * @see        java.lang.Object#wait()
     */
    public final native void notifyAll();

    /**
     * Causes current thread to wait until either another thread invokes the 
     * {@link java.lang.Object#notify()} method or the 
     * {@link java.lang.Object#notifyAll()} method for this object, or a 
     * specified amount of time has elapsed. 
     * 
    
     * The current thread must own this object's monitor. 
     * 
    
     * This method causes the current thread (call it T) to 
     * place itself in the wait set for this object and then to relinquish 
     * any and all synchronization claims on this object. Thread T 
     * becomes disabled for thread scheduling purposes and lies dormant 
     * until one of four things happens:
     * 
      
     * 
    • Some other thread invokes the notify method for this 
     * object and thread T happens to be arbitrarily chosen as 
     * the thread to be awakened. 
     * 
    • Some other thread invokes the notifyAll method for this 
     * object. 
     * 
    • Some other thread {@link java.lang.Thread#interrupt() interrupts} 
     * thread T. 
     * 
    • The specified amount of real time has elapsed, more or less.  If 
     * timeout is zero, however, then real time is not taken into 
     * consideration and the thread simply waits until notified. 
     * 
    
     * The thread T is then removed from the wait set for this 
     * object and re-enabled for thread scheduling. It then competes in the 
     * usual manner with other threads for the right to synchronize on the 
     * object; once it has gained control of the object, all its 
     * synchronization claims on the object are restored to the status quo 
     * ante - that is, to the situation as of the time that the wait 
     * method was invoked. Thread T then returns from the 
     * invocation of the wait method. Thus, on return from the 
     * wait method, the synchronization state of the object and of 
     * thread T is exactly as it was when the wait method 
     * was invoked. 
     * 
    
     * If the current thread is 
     * {@link java.lang.Thread#interrupt() interrupted} by another thread 
     * while it is waiting, then an InterruptedException is thrown. 
     * This exception is not thrown until the lock status of this object has 
     * been restored as described above.
     * 
    
     * Note that the wait method, as it places the current thread 
     * into the wait set for this object, unlocks only this object; any 
     * other objects on which the current thread may be synchronized remain 
     * locked while the thread waits.
     * 
    
     * This method should only be called by a thread that is the owner 
     * of this object's monitor. See the notify method for a 
     * description of the ways in which a thread can become the owner of 
     * a monitor. 
     *
     * @param      timeout   the maximum time to wait in milliseconds.
     * @exception  IllegalArgumentException      if the value of timeout is
     *		     negative.
     * @exception  IllegalMonitorStateException  if the current thread is not
     *               the owner of the object's monitor.
     * @exception  InterruptedException if another thread has interrupted
     *             the current thread.  The interrupted status of the
     *             current thread is cleared when this exception is thrown.
     * @see        java.lang.Object#notify()
     * @see        java.lang.Object#notifyAll()
     */
    public final native void wait(long timeout) throws InterruptedException;

    /**
     * Causes current thread to wait until another thread invokes the 
     * {@link java.lang.Object#notify()} method or the 
     * {@link java.lang.Object#notifyAll()} method for this object, or 
     * some other thread interrupts the current thread, or a certain 
     * amount of real time has elapsed. 
     * 
    
     * This method is similar to the wait method of one 
     * argument, but it allows finer control over the amount of time to 
     * wait for a notification before giving up. The amount of real time, 
     * measured in nanoseconds, is given by:
     * 
    
     * 
         * 1000000*timeout+nanos
    
     * 
    
     * In all other respects, this method does the same thing as the 
     * method {@link #wait(long)} of one argument. In particular, 
     * wait(0, 0) means the same thing as wait(0).
     * 
    
     * The current thread must own this object's monitor. The thread 
     * releases ownership of this monitor and waits until either of the 
     * following two conditions has occurred: 
     * 
      
     * 
    • Another thread notifies threads waiting on this object's monitor 
     *     to wake up either through a call to the notify method 
     *     or the notifyAll method. 
     * 
    • The timeout period, specified by timeout 
     *     milliseconds plus nanos nanoseconds arguments, has 
     *     elapsed. 
     * 
    
     * 
    
     * The thread then waits until it can re-obtain ownership of the 
     * monitor and resumes execution.
     * 
    
     * This method should only be called by a thread that is the owner 
     * of this object's monitor. See the notify method for a 
     * description of the ways in which a thread can become the owner of 
     * a monitor. 
     *
     * @param      timeout   the maximum time to wait in milliseconds.
     * @param      nanos      additional time, in nanoseconds range
     *                       0-999999.
     * @exception  IllegalArgumentException      if the value of timeout is
     *			    negative or the value of nanos is
     *			    not in the range 0-999999.
     * @exception  IllegalMonitorStateException  if the current thread is not
     *               the owner of this object's monitor.
     * @exception  InterruptedException if another thread has interrupted
     *             the current thread.  The interrupted status of the
     *             current thread is cleared when this exception is thrown.
     */
    public final void wait(long timeout, int nanos) throws InterruptedException {
        if (timeout < 0) {
            throw new IllegalArgumentException("timeout value is negative");
        }

        if (nanos < 0 || nanos > 999999) {
            throw new IllegalArgumentException(
				"nanosecond timeout value out of range");
        }

	if (nanos >= 500000 || (nanos != 0 && timeout == 0)) {
	    timeout++;
	}

	wait(timeout);
    }

    /**
     * Causes current thread to wait until another thread invokes the 
     * {@link java.lang.Object#notify()} method or the 
     * {@link java.lang.Object#notifyAll()} method for this object. 
     * In other words, this method behaves exactly as if it simply 
     * performs the call wait(0).
     * 
    
     * The current thread must own this object's monitor. The thread 
     * releases ownership of this monitor and waits until another thread 
     * notifies threads waiting on this object's monitor to wake up 
     * either through a call to the notify method or the 
     * notifyAll method. The thread then waits until it can 
     * re-obtain ownership of the monitor and resumes execution. 
     * 
    
     * This method should only be called by a thread that is the owner 
     * of this object's monitor. See the notify method for a 
     * description of the ways in which a thread can become the owner of 
     * a monitor. 
     *
     * @exception  IllegalMonitorStateException  if the current thread is not
     *               the owner of the object's monitor.
     * @exception  InterruptedException if another thread has interrupted
     *             the current thread.  The interrupted status of the
     *             current thread is cleared when this exception is thrown.
     * @see        java.lang.Object#notify()
     * @see        java.lang.Object#notifyAll()
     */
    public final void wait() throws InterruptedException {
	wait(0);
    }

    /**
     * Called by the garbage collector on an object when garbage collection
     * determines that there are no more references to the object.
     * A subclass overrides the finalize method to dispose of
     * system resources or to perform other cleanup. 
     * 
    
     * The general contract of finalize is that it is invoked 
     * if and when the JavaTM virtual 
     * machine has determined that there is no longer any
     * means by which this object can be accessed by any thread that has
     * not yet died, except as a result of an action taken by the
     * finalization of some other object or class which is ready to be
     * finalized. The finalize method may take any action, including
     * making this object available again to other threads; the usual purpose
     * of finalize, however, is to perform cleanup actions before 
     * the object is irrevocably discarded. For example, the finalize method 
     * for an object that represents an input/output connection might perform
     * explicit I/O transactions to break the connection before the object is
     * permanently discarded. 
     * 
    
     * The finalize method of class Object performs no 
     * special action; it simply returns normally. Subclasses of 
     * Object may override this definition.
     * 
    
     * The Java programming language does not guarantee which thread will 
     * invoke the finalize method for any given object. It is 
     * guaranteed, however, that the thread that invokes finalize will not 
     * be holding any user-visible synchronization locks when finalize is 
     * invoked. If an uncaught exception is thrown by the finalize method, 
     * the exception is ignored and finalization of that object terminates.
     * 
    
     * After the finalize method has been invoked for an object, no 
     * further action is taken until the Java virtual machine has again 
     * determined that there is no longer any means by which this object can 
     * be accessed by any thread that has not yet died, including possible
     * actions by other objects or classes which are ready to be finalized, 
     * at which point the object may be discarded.
     * 
    
     * The finalize method is never invoked more than once by a Java
     * virtual machine for any given object.
     * 
    
     * Any exception thrown by the finalize method causes 
     * the finalization of this object to be halted, but is otherwise 
     * ignored. 
     *
     * @throws Throwable the Exception raised by this method
     */
    protected void finalize() throws Throwable { }
}
why-2.34/lib/java_api/java/lang/Comparable.java0000644000175000017500000001314212311670312017710 0ustar  rtusers/*
 * @(#)Comparable.java	1.20 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * This interface imposes a total ordering on the objects of each class that
 * implements it.  This ordering is referred to as the class's natural
 * ordering, and the class's compareTo method is referred to as
 * its natural comparison method.
    
 *
 * Lists (and arrays) of objects that implement this interface can be sorted
 * automatically by Collections.sort (and Arrays.sort).
 * Objects that implement this interface can be used as keys in a sorted map
 * or elements in a sorted set, without the need to specify a comparator.
    
 *
 * The natural ordering for a class C is said to be consistent
 * with equals if and only if (e1.compareTo((Object)e2) == 0) has
 * the same boolean value as e1.equals((Object)e2) for every
 * e1 and e2 of class C.  Note that null
 * is not an instance of any class, and e.compareTo(null) should
 * throw a NullPointerException even though e.equals(null)
 * returns false.
    
 *
 * It is strongly recommended (though not required) that natural orderings be
 * consistent with equals.  This is so because sorted sets (and sorted maps)
 * without explicit comparators behave "strangely" when they are used with
 * elements (or keys) whose natural ordering is inconsistent with equals.  In
 * particular, such a sorted set (or sorted map) violates the general contract
 * for set (or map), which is defined in terms of the equals
 * method.
    
 *
 * For example, if one adds two keys a and b such that
 * (!a.equals((Object)b) && a.compareTo((Object)b) == 0) to a sorted
 * set that does not use an explicit comparator, the second add
 * operation returns false (and the size of the sorted set does not increase)
 * because a and b are equivalent from the sorted set's
 * perspective.
    
 *
 * Virtually all Java core classes that implement comparable have natural
 * orderings that are consistent with equals.  One exception is
 * java.math.BigDecimal, whose natural ordering equates
 * BigDecimal objects with equal values and different precisions 
 * (such as 4.0 and 4.00).
    
 *
 * For the mathematically inclined, the relation that defines
 * the natural ordering on a given class C is:
     *       {(x, y) such that x.compareTo((Object)y) <= 0}.
 * 
     The quotient for this total order is: 
     *       {(x, y) such that x.compareTo((Object)y) == 0}.
 * 
    
 *
 * It follows immediately from the contract for compareTo that the
 * quotient is an equivalence relation on C, and that the
 * natural ordering is a total order on C.  When we say that a
 * class's natural ordering is consistent with equals, we mean that the
 * quotient for the natural ordering is the equivalence relation defined by
 * the class's equals(Object) method:
     *     {(x, y) such that x.equals((Object)y)}.
 * 
    
 *
 * This interface is a member of the 
 * 
 * Java Collections Framework.
 *
 * @author  Josh Bloch
 * @version 1.20, 01/23/03
 * @see java.util.Comparator
 * @see java.util.Collections#sort(java.util.List)
 * @see java.util.Arrays#sort(Object[])
 * @see java.util.SortedSet
 * @see java.util.SortedMap
 * @see java.util.TreeSet
 * @see java.util.TreeMap
 * @since 1.2
 */

public interface Comparable {
    /**
     * Compares this object with the specified object for order.  Returns a
     * negative integer, zero, or a positive integer as this object is less
     * than, equal to, or greater than the specified object.
    
     *
     * In the foregoing description, the notation
     * sgn(expression) designates the mathematical
     * signum function, which is defined to return one of -1,
     * 0, or 1 according to whether the value of expression
     * is negative, zero or positive.
     *
     * The implementor must ensure sgn(x.compareTo(y)) ==
     * -sgn(y.compareTo(x)) for all x and y.  (This
     * implies that x.compareTo(y) must throw an exception iff
     * y.compareTo(x) throws an exception.)
    
     *
     * The implementor must also ensure that the relation is transitive:
     * (x.compareTo(y)>0 && y.compareTo(z)>0) implies
     * x.compareTo(z)>0.
    
     *
     * Finally, the implementer must ensure that x.compareTo(y)==0
     * implies that sgn(x.compareTo(z)) == sgn(y.compareTo(z)), for
     * all z.
    
     *
     * It is strongly recommended, but not strictly required that
     * (x.compareTo(y)==0) == (x.equals(y)).  Generally speaking, any
     * class that implements the Comparable interface and violates
     * this condition should clearly indicate this fact.  The recommended
     * language is "Note: this class has a natural ordering that is
     * inconsistent with equals."
     * 
     * @param   o the Object to be compared.
     * @return  a negative integer, zero, or a positive integer as this object
     *		is less than, equal to, or greater than the specified object.
     * 
     * @throws ClassCastException if the specified object's type prevents it
     *         from being compared to this Object.
     */
    public int compareTo(Object o);
}
why-2.34/lib/java_api/java/lang/CharSequence.java0000644000175000017500000000577312311670312020224 0ustar  rtusers/*
 * @(#)CharSequence.java	1.6 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;


/**
 * A CharSequence is a readable sequence of characters.  This
 * interface provides uniform, read-only access to many different kinds of
 * character sequences.
 *
 * 
     This interface does not refine the general contracts of the {@link
 * java.lang.Object#equals(java.lang.Object) equals} and {@link
 * java.lang.Object#hashCode() hashCode} methods.  The result of comparing two
 * objects that implement CharSequence is therefore, in general,
 * undefined.  Each object may be implemented by a different class, and there
 * is no guarantee that each class will be capable of testing its instances
 * for equality with those of the other.  It is therefore inappropriate to use
 * arbitrary CharSequence instances as elements in a set or as keys in
 * a map. 
    
 *
 * @author Mike McCloskey
 * @version 1.6 03/01/23
 * @since 1.4
 * @spec JSR-51
 */

public interface CharSequence {

    /**
     * Returns the length of this character sequence.  The length is the number
     * of 16-bit Unicode characters in the sequence. 
    
     *
     * @return  the number of characters in this sequence
     */
    int length();

    /**
     * Returns the character at the specified index.  An index ranges from zero
     * to length() - 1.  The first character of the sequence is at
     * index zero, the next at index one, and so on, as for array
     * indexing. 
    
     *
     * @param   index   the index of the character to be returned
     *
     * @return  the specified character
     *
     * @throws  IndexOutOfBoundsException
     *          if the index argument is negative or not less than
     *          length()
     */
    char charAt(int index);

    /**
     * Returns a new character sequence that is a subsequence of this sequence.
     * The subsequence starts with the character at the specified index and
     * ends with the character at index end - 1.  The length of the
     * returned sequence is end - start, so if start == end
     * then an empty sequence is returned. 
    
     * 
     * @param   start   the start index, inclusive
     * @param   end     the end index, exclusive
     *
     * @return  the specified subsequence
     *
     * @throws  IndexOutOfBoundsException
     *          if start or end are negative,
     *          if end is greater than length(),
     *          or if start is greater than end
     */
    CharSequence subSequence(int start, int end);

    /**
     * Returns a string containing the characters in this sequence in the same
     * order as this sequence.  The length of the string will be the length of
     * this sequence. 
    
     *
     * @return  a string consisting of exactly this sequence of characters
     */
    public String toString();

}
why-2.34/lib/java_api/java/lang/Exception.java0000644000175000017500000000532412311670312017604 0ustar  rtusers/*
 * @(#)Exception.java	1.30 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * The class Exception and its subclasses are a form of 
 * Throwable that indicates conditions that a reasonable 
 * application might want to catch.
 *
 * @author  Frank Yellin
 * @version 1.30, 01/23/03
 * @see     java.lang.Error
 * @since   JDK1.0
 */
public class Exception extends Throwable {
    static final long serialVersionUID = -3387516993124229948L;

    /**
     * Constructs a new exception with null as its detail message.
     * The cause is not initialized, and may subsequently be initialized by a
     * call to {@link #initCause}.
     */
    public Exception() {
	super();
    }

    /**
     * Constructs a new exception with the specified detail message.  The
     * cause is not initialized, and may subsequently be initialized by
     * a call to {@link #initCause}.
     *
     * @param   message   the detail message. The detail message is saved for 
     *          later retrieval by the {@link #getMessage()} method.
     */
    public Exception(String message) {
	super(message);
    }

    /**
     * Constructs a new exception with the specified detail message and
     * cause.  
    Note that the detail message associated with
     * cause is not automatically incorporated in
     * this exception's detail message.
     *
     * @param  message the detail message (which is saved for later retrieval
     *         by the {@link #getMessage()} method).
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @since  1.4
     */
    public Exception(String message, Throwable cause) {
        super(message, cause);
    }

    /**
     * Constructs a new exception with the specified cause and a detail
     * message of (cause==null ? null : cause.toString()) (which
     * typically contains the class and detail message of cause).
     * This constructor is useful for exceptions that are little more than
     * wrappers for other throwables (for example, {@link
     * java.security.PrivilegedActionException}).
     *
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @since  1.4
     */
    public Exception(Throwable cause) {
        super(cause);
    }
}
why-2.34/lib/java_api/java/lang/Number.java0000644000175000017500000000600012311670312017066 0ustar  rtusers/*
 * @(#)Number.java	1.28 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * The abstract class Number is the superclass of classes
 * BigDecimal, BigInteger,
 * Byte, Double, Float,
 * Integer, Long, and Short.
 * 
    
 * Subclasses of Number must provide methods to convert 
 * the represented numeric value to byte, double,
 * float, int, long, and
 * short.
 *
 * @author	Lee Boynton
 * @author	Arthur van Hoff
 * @version 1.28, 01/23/03
 * @see     java.lang.Byte
 * @see     java.lang.Double
 * @see     java.lang.Float
 * @see     java.lang.Integer
 * @see     java.lang.Long
 * @see     java.lang.Short
 * @since   JDK1.0
 */
public abstract class Number implements java.io.Serializable {
    /**
     * Returns the value of the specified number as an int.
     * This may involve rounding or truncation.
     *
     * @return  the numeric value represented by this object after conversion
     *          to type int.
     */
    public abstract int intValue();

    /**
     * Returns the value of the specified number as a long.
     * This may involve rounding or truncation.
     *
     * @return  the numeric value represented by this object after conversion
     *          to type long.
     */
    public abstract long longValue();

    /**
     * Returns the value of the specified number as a float.
     * This may involve rounding.
     *
     * @return  the numeric value represented by this object after conversion
     *          to type float.
     */
    public abstract float floatValue();

    /**
     * Returns the value of the specified number as a double.
     * This may involve rounding.
     *
     * @return  the numeric value represented by this object after conversion
     *          to type double.
     */
    public abstract double doubleValue();

    /**
     * Returns the value of the specified number as a byte.
     * This may involve rounding or truncation.
     *
     * @return  the numeric value represented by this object after conversion
     *          to type byte.
     * @since   JDK1.1
     */
    public byte byteValue() {
	return (byte)intValue();
    }

    /**
     * Returns the value of the specified number as a short.
     * This may involve rounding or truncation.
     *
     * @return  the numeric value represented by this object after conversion
     *          to type short.
     * @since   JDK1.1
     */
    public short shortValue() {
	return (short)intValue();
    }

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = -8742448824652078965L;
}
why-2.34/lib/java_api/java/lang/Long.java0000644000175000017500000010256512311670312016552 0ustar  rtusers/*
 * @(#)Long.java	1.66 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * The Long class wraps a value of the primitive type
 * long in an object. An object of type Long
 * contains a single field whose type is long.
 *
 * 
     
 *
 * In addition, this class provides several methods for converting a
 * long to a String and a
 * String to a long, as well as other
 * constants and methods useful when dealing with a long.
 *
 * @author  Lee Boynton
 * @author  Arthur van Hoff
 * @version 1.66, 01/23/03
 * @since   JDK1.0
 */
public final class Long extends Number implements Comparable {
    /**
     * A constant holding the minimum value a long can
     * have, -263.
     */
    public static final long MIN_VALUE = 0x8000000000000000L;

    /**
     * A constant holding the maximum value a long can
     * have, 263-1.
     */
    public static final long MAX_VALUE = 0x7fffffffffffffffL;

    /**
     * The Class instance representing the primitive type
     * long.
     *
     * @since   JDK1.1
     */
    public static final Class	TYPE = Class.getPrimitiveClass("long");

    /**
     * Returns a string representation of the first argument in the
     * radix specified by the second argument.
     * 
    
     * If the radix is smaller than Character.MIN_RADIX
     * or larger than Character.MAX_RADIX, then the radix
     * 10 is used instead.
     * 
    
     * If the first argument is negative, the first element of the
     * result is the ASCII minus sign '-'
     * ('\u002d'). If the first argument is not
     * negative, no sign character appears in the result.
     * 
    
     * The remaining characters of the result represent the magnitude
     * of the first argument. If the magnitude is zero, it is
     * represented by a single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the magnitude will not be the zero
     * character.  The following ASCII characters are used as digits:
     * 
         *   0123456789abcdefghijklmnopqrstuvwxyz
     * 
    
     * These are '\u0030' through
     * '\u0039' and '\u0061' through
     * '\u007a'. If radix is
     * N, then the first N of these characters
     * are used as radix-N digits in the order shown. Thus,
     * the digits for hexadecimal (radix 16) are
     * 0123456789abcdef. If uppercase letters are
     * desired, the {@link java.lang.String#toUpperCase()} method may
     * be called on the result:
     * 
         * Long.toString(n, 16).toUpperCase()
     * 
    
     * 
     * @param   i       a longto be converted to a string.
     * @param   radix   the radix to use in the string representation.
     * @return  a string representation of the argument in the specified radix.
     * @see     java.lang.Character#MAX_RADIX
     * @see     java.lang.Character#MIN_RADIX
     */
    public static String toString(long i, int radix) {
        if (radix < Character.MIN_RADIX || radix > Character.MAX_RADIX)
	    radix = 10;
        if (radix == 10)
            return toString(i);
        char[] buf = new char[65];
        int charPos = 64;
        boolean negative = (i < 0);

        if (!negative) {
            i = -i;
        }

        while (i <= -radix) {
            buf[charPos--] = Integer.digits[(int)(-(i % radix))];
            i = i / radix;
        }
        buf[charPos] = Integer.digits[(int)(-i)];

        if (negative) { 
            buf[--charPos] = '-';
        }

        return new String(buf, charPos, (65 - charPos));
    }

    /**
     * Returns a string representation of the long
     * argument as an unsigned integer in base 16.
     * 
    
     * The unsigned long value is the argument plus
     * 264 if the argument is negative; otherwise, it is
     * equal to the argument.  This value is converted to a string of
     * ASCII digits in hexadecimal (base 16) with no extra
     * leading 0s.  If the unsigned magnitude is zero, it
     * is represented by a single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the unsigned magnitude will not be the
     * zero character. The following characters are used as
     * hexadecimal digits:
     * 
         * 0123456789abcdef
     * 
    
     * These are the characters '\u0030' through
     * '\u0039' and  '\u0061' through
     * '\u0066'.  If uppercase letters are desired,
     * the {@link java.lang.String#toUpperCase()} method may be called
     * on the result:
     * 
         * Long.toHexString(n).toUpperCase()
     * 
    
     *
     * @param   i   a long to be converted to a string.
     * @return  the string representation of the unsigned long
     * 		value represented by the argument in hexadecimal
     *		(base 16).
     * @since   JDK 1.0.2
     */
    public static String toHexString(long i) {
	return toUnsignedString(i, 4);
    }

    /**
     * Returns a string representation of the long
     * argument as an unsigned integer in base 8.
     * 
    
     * The unsigned long value is the argument plus
     * 264 if the argument is negative; otherwise, it is
     * equal to the argument.  This value is converted to a string of
     * ASCII digits in octal (base 8) with no extra leading
     * 0s.
     * 
    
     * If the unsigned magnitude is zero, it is represented by a
     * single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the unsigned magnitude will not be the
     * zero character. The following characters are used as octal
     * digits:
     * 
         * 01234567
     * 
    
     * These are the characters '\u0030' through 
     * '\u0037'. 
     *
     * @param   i   a long to be converted to a string.
     * @return  the string representation of the unsigned long 
     *		value represented by the argument in octal (base 8).
     * @since   JDK 1.0.2
     */
    public static String toOctalString(long i) {
	return toUnsignedString(i, 3);
    }

    /**
     * Returns a string representation of the long
     * argument as an unsigned integer in base 2.
     * 
    
     * The unsigned long value is the argument plus
     * 264 if the argument is negative; otherwise, it is
     * equal to the argument.  This value is converted to a string of
     * ASCII digits in binary (base 2) with no extra leading
     * 0s.  If the unsigned magnitude is zero, it is
     * represented by a single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the unsigned magnitude will not be the
     * zero character. The characters '0'
     * ('\u0030') and '1'
     * ('\u0031') are used as binary digits.
     *
     * @param   i   a long to be converted to a string.
     * @return  the string representation of the unsigned long 
     *          value represented by the argument in binary (base 2).
     * @since   JDK 1.0.2
     */
    public static String toBinaryString(long i) {
	return toUnsignedString(i, 1);
    }

    /**
     * Convert the integer to an unsigned number.
     */
    private static String toUnsignedString(long i, int shift) {
	char[] buf = new char[64];
	int charPos = 64;
	int radix = 1 << shift;
	long mask = radix - 1;
	do {
	    buf[--charPos] = Integer.digits[(int)(i & mask)];
	    i >>>= shift;
	} while (i != 0);
	return new String(buf, charPos, (64 - charPos));
    }

    /**
     * Returns a String object representing the specified
     * long.  The argument is converted to signed decimal
     * representation and returned as a string, exactly as if the
     * argument and the radix 10 were given as arguments to the {@link
     * #toString(long, int)} method.
     *
     * @param   i   a long to be converted.
     * @return  a string representation of the argument in base 10.
     */
    public static String toString(long i) {
        if (i == Long.MIN_VALUE)
            return "-9223372036854775808";
        char[] buf = (char[])(perThreadBuffer.get());
        int charPos = getChars(i, buf);
        return new String(buf, charPos, (20 - charPos));
    }

    // Per-thread buffer for string/stringbuffer conversion
    /*KML
      private static ThreadLocal perThreadBuffer = new ThreadLocal() {
        protected synchronized Object initialValue() {
            return new char[20];
        }
    };
    */

    private static int getChars(long i, char[] buf) {
        long q;
        int r;
        int charPos = 20;
        char sign = 0;

        if (i < 0) {
            sign = '-';
            i = -i;
        }

        // Get 2 digits/iteration using longs until quotient fits into an int
        while (i > Integer.MAX_VALUE) { 
            q = i / 100;
            // really: r = i - (q * 100);
            r = (int)(i - ((q << 6) + (q << 5) + (q << 2)));
            i = q;
            buf[--charPos] = Integer.DigitOnes[r];
            buf[--charPos] = Integer.DigitTens[r];
        }

        // Get 2 digits/iteration using ints
        int q2;
        int i2 = (int)i;
        while (i2 >= 65536) {
            q2 = i2 / 100;
            // really: r = i2 - (q * 100);
            r = i2 - ((q2 << 6) + (q2 << 5) + (q2 << 2));
            i2 = q2;
            buf[--charPos] = Integer.DigitOnes[r];
            buf[--charPos] = Integer.DigitTens[r];
        }

        // Fall thru to fast mode for smaller numbers
        // assert(i2 <= 65536, i2);
        for (;;) {
            q2 = (i2 * 52429) >>> (16+3);
            r = i2 - ((q2 << 3) + (q2 << 1));  // r = i2-(q2*10) ...
            buf[--charPos] = Integer.digits[r];
            i2 = q2;
            if (i2 == 0) break;
        }
        if (sign != 0) {
            buf[--charPos] = sign;
        }
        return charPos;
    }

    static void appendTo(long i, StringBuffer sb) {
        if (i == Long.MIN_VALUE) {
            sb.append("-9223372036854775808");
            return;
        }
        char[] buf = (char[])(perThreadBuffer.get());
        int charPos = getChars(i, buf);
        sb.append(buf, charPos, (20 - charPos));
        return;
    }

    /**
     * Parses the string argument as a signed long in the
     * radix specified by the second argument. The characters in the
     * string must all be digits of the specified radix (as determined
     * by whether {@link java.lang.Character#digit(char, int)} returns
     * a nonnegative value), except that the first character may be an
     * ASCII minus sign '-' ('\u002D') to
     * indicate a negative value. The resulting long
     * value is returned.
     * 
    
     * Note that neither the character L
     * ('\u004C') nor l
     * ('\u006C') is permitted to appear at the end
     * of the string as a type indicator, as would be permitted in
     * Java programming language source code - except that either
     * L or l may appear as a digit for a
     * radix greater than 22.
     * 
    
     * An exception of type NumberFormatException is
     * thrown if any of the following situations occurs:
     * 
      
     * 
    • The first argument is null or is a string of
     * length zero.
     * 
    • The radix is either smaller than {@link
     * java.lang.Character#MIN_RADIX} or larger than {@link
     * java.lang.Character#MAX_RADIX}.
     * 
    • Any character of the string is not a digit of the specified
     * radix, except that the first character may be a minus sign
     * '-' ('\u002d') provided that the
     * string is longer than length 1.
     * 
    • The value represented by the string is not a value of type
     *      long. 
     * 
    
     * Examples:
     * 
         * parseLong("0", 10) returns 0L
     * parseLong("473", 10) returns 473L
     * parseLong("-0", 10) returns 0L
     * parseLong("-FF", 16) returns -255L
     * parseLong("1100110", 2) returns 102L
     * parseLong("99", 8) throws a NumberFormatException
     * parseLong("Hazelnut", 10) throws a NumberFormatException
     * parseLong("Hazelnut", 36) returns 1356099454469L
     * 
    
     * 
     * @param      s       the String containing the
     *                     long representation to be parsed.
     * @param      radix   the radix to be used while parsing s.
     * @return     the long represented by the string argument in
     *             the specified radix.
     * @exception  NumberFormatException  if the string does not contain a
     *               parsable long.
     */
    public static long parseLong(String s, int radix)
              throws NumberFormatException
    {
        if (s == null) {
            throw new NumberFormatException("null");
        }

	if (radix < Character.MIN_RADIX) {
	    throw new NumberFormatException("radix " + radix +
					    " less than Character.MIN_RADIX");
	}
	if (radix > Character.MAX_RADIX) {
	    throw new NumberFormatException("radix " + radix +
					    " greater than Character.MAX_RADIX");
	}

	long result = 0;
	boolean negative = false;
	int i = 0, max = s.length();
	long limit;
	long multmin;
	int digit;

	if (max > 0) {
	    if (s.charAt(0) == '-') {
		negative = true;
		limit = Long.MIN_VALUE;
		i++;
	    } else {
		limit = -Long.MAX_VALUE;
	    }
	    multmin = limit / radix;
            if (i < max) {
                digit = Character.digit(s.charAt(i++),radix);
		if (digit < 0) {
		    throw NumberFormatException.forInputString(s);
		} else {
		    result = -digit;
		}
	    }
	    while (i < max) {
		// Accumulating negatively avoids surprises near MAX_VALUE
		digit = Character.digit(s.charAt(i++),radix);
		if (digit < 0) {
		    throw NumberFormatException.forInputString(s);
		}
		if (result < multmin) {
		    throw NumberFormatException.forInputString(s);
		}
		result *= radix;
		if (result < limit + digit) {
		    throw NumberFormatException.forInputString(s);
		}
		result -= digit;
	    }
	} else {
	    throw NumberFormatException.forInputString(s);
	}
	if (negative) {
	    if (i > 1) {
		return result;
	    } else {	/* Only got "-" */
		throw NumberFormatException.forInputString(s);
	    }
	} else {
	    return -result;
	}
    }

    /**
     * Parses the string argument as a signed decimal
     * long.  The characters in the string must all be
     * decimal digits, except that the first character may be an ASCII
     * minus sign '-' (\u002D') to
     * indicate a negative value. The resulting long
     * value is returned, exactly as if the argument and the radix
     * 10 were given as arguments to the {@link
     * #parseLong(java.lang.String, int)} method.
     * 
    
     * Note that neither the character L
     * ('\u004C') nor l
     * ('\u006C') is permitted to appear at the end
     * of the string as a type indicator, as would be permitted in
     * Java programming language source code.
     *
     * @param      s   a String containing the long
     *             representation to be parsed
     * @return     the long represented by the argument in 
     *		   decimal.
     * @exception  NumberFormatException  if the string does not contain a
     *               parsable long.
     */
    public static long parseLong(String s) throws NumberFormatException {
	return parseLong(s, 10);
    }

    /**
     * Returns a Long object holding the value
     * extracted from the specified String when parsed
     * with the radix given by the second argument.  The first
     * argument is interpreted as representing a signed
     * long in the radix specified by the second
     * argument, exactly as if the arguments were given to the {@link
     * #parseLong(java.lang.String, int)} method. The result is a
     * Long object that represents the long
     * value specified by the string.
     * 
    
     * In other words, this method returns a Long object equal 
     * to the value of:
     *
     * 
    
     * new Long(Long.parseLong(s, radix))
     * 
    
     *
     * @param      s       the string to be parsed
     * @param      radix   the radix to be used in interpreting s
     * @return     a Long object holding the value
     *             represented by the string argument in the specified
     *             radix.
     * @exception  NumberFormatException  If the String does not
     *             contain a parsable long.
     */
    public static Long valueOf(String s, int radix) throws NumberFormatException {
	return new Long(parseLong(s, radix));
    }

    /**
     * Returns a Long object holding the value
     * of the specified String. The argument is
     * interpreted as representing a signed decimal long,
     * exactly as if the argument were given to the {@link
     * #parseLong(java.lang.String)} method. The result is a
     * Long object that represents the integer value
     * specified by the string.
     * 
    
     * In other words, this method returns a Long object
     * equal to the value of:
     *
     * 
         * new Long(Long.parseLong(s))
     * 
    
     *
     * @param      s   the string to be parsed.
     * @return     a Long object holding the value
     *             represented by the string argument.
     * @exception  NumberFormatException  If the string cannot be parsed
     *              as a long.
     */
    public static Long valueOf(String s) throws NumberFormatException
    {
	return new Long(parseLong(s, 10));
    }

    /**
     * Decodes a String into a Long.
     * Accepts decimal, hexadecimal, and octal numbers given by the
     * following grammar:
     *
     * 
    
     * 
    
     * 
    DecodableString:
     * 
    Signopt DecimalNumeral
     * 
    Signopt 0x HexDigits
     * 
    Signopt 0X HexDigits
     * 
    Signopt # HexDigits
     * 
    Signopt 0 OctalDigits
     * 
    
     * 
    Sign:
     * 
    -
     * 
    
     * 
    
     *
     * DecimalNumeral, HexDigits, and OctalDigits
     * are defined in §3.10.1 
     * of the Java 
     * Language Specification.
     * 
    
     * The sequence of characters following an (optional) negative
     * sign and/or radix specifier ("0x",
     * "0X", "#", or
     * leading zero) is parsed as by the Long.parseLong
     * method with the indicated radix (10, 16, or 8).  This sequence
     * of characters must represent a positive value or a {@link
     * NumberFormatException} will be thrown.  The result is negated
     * if first character of the specified String is the
     * minus sign.  No whitespace characters are permitted in the
     * String.
     *
     * @param     nm the String to decode.
     * @return    a Long object holding the long
     *		  value represented by nm
     * @exception NumberFormatException  if the String does not
     *            contain a parsable long.
     * @see java.lang.Long#parseLong(String, int)
     * @since 1.2
     */
    public static Long decode(String nm) throws NumberFormatException {
        int radix = 10;
        int index = 0;
        boolean negative = false;
        Long result;

        // Handle minus sign, if present
        if (nm.startsWith("-")) {
            negative = true;
            index++;
        }

        // Handle radix specifier, if present
	if (nm.startsWith("0x", index) || nm.startsWith("0X", index)) {
	    index += 2;
            radix = 16;
	}
	else if (nm.startsWith("#", index)) {
	    index ++;
            radix = 16;
	}
	else if (nm.startsWith("0", index) && nm.length() > 1 + index) {
	    index ++;
            radix = 8;
	}

        if (nm.startsWith("-", index))
            throw new NumberFormatException("Negative sign in wrong position");

        try {
            result = Long.valueOf(nm.substring(index), radix);
            result = negative ? new Long((long)-result.longValue()) : result;
        } catch (NumberFormatException e) {
            // If number is Long.MIN_VALUE, we'll end up here. The next line
            // handles this case, and causes any genuine format error to be
            // rethrown.
            String constant = negative ? new String("-" + nm.substring(index))
                                       : nm.substring(index);
            result = Long.valueOf(constant, radix);
        }
        return result;
    }

    /**
     * The value of the Long.
     *
     * @serial
     */
    private long value;

    /**
     * Constructs a newly allocated Long object that
     * represents the specified long argument.
     *
     * @param   value   the value to be represented by the 
     *          Long object.
     */
    public Long(long value) {
	this.value = value;
    }

    /**
     * Constructs a newly allocated Long object that
     * represents the long value indicated by the
     * String parameter. The string is converted to a
     * long value in exactly the manner used by the
     * parseLong method for radix 10.
     *
     * @param      s   the String to be converted to a 
     *		   Long.
     * @exception  NumberFormatException  if the String does not
     *               contain a parsable long.
     * @see        java.lang.Long#parseLong(java.lang.String, int)
     */
    public Long(String s) throws NumberFormatException {
	this.value = parseLong(s, 10);
    }

    /**
     * Returns the value of this Long as a
     * byte.
     */
    public byte byteValue() {
	return (byte)value;
    }

    /**
     * Returns the value of this Long as a
     * short.
     */
    public short shortValue() {
	return (short)value;
    }

    /**
     * Returns the value of this Long as an
     * int.
     */
    public int intValue() {
	return (int)value;
    }

    /**
     * Returns the value of this Long as a
     * long value.
     */
    public long longValue() {
	return (long)value;
    }

    /**
     * Returns the value of this Long as a
     * float.
     */
    public float floatValue() {
	return (float)value;
    }

    /**
     * Returns the value of this Long as a
     * double.
     */
    public double doubleValue() {
	return (double)value;
    }

    /**
     * Returns a String object representing this
     * Long's value.  The value is converted to signed
     * decimal representation and returned as a string, exactly as if
     * the long value were given as an argument to the
     * {@link java.lang.Long#toString(long)} method.
     *
     * @return  a string representation of the value of this object in
     *		base 10.
     */
    public String toString() {
	return String.valueOf(value);
    }

    /**
     * Returns a hash code for this Long. The result is
     * the exclusive OR of the two halves of the primitive
     * long value held by this Long
     * object. That is, the hashcode is the value of the expression:
     * 
         * (int)(this.longValue()^(this.longValue()>>>32))
     * 
    
     *
     * @return  a hash code value for this object.
     */
    public int hashCode() {
	return (int)(value ^ (value >>> 32));
    }

    /**
     * Compares this object to the specified object.  The result is
     * true if and only if the argument is not
     * null and is a Long object that
     * contains the same long value as this object.
     *
     * @param   obj   the object to compare with.
     * @return  true if the objects are the same;
     *          false otherwise.
     */
    public boolean equals(Object obj) {
	if (obj instanceof Long) {
	    return value == ((Long)obj).longValue();
	}
	return false;
    }

    /**
     * Determines the long value of the system property
     * with the specified name.
     * 
    
     * The first argument is treated as the name of a system property.
     * System properties are accessible through the {@link
     * java.lang.System#getProperty(java.lang.String)} method. The
     * string value of this property is then interpreted as a
     * long value and a Long object
     * representing this value is returned.  Details of possible
     * numeric formats can be found with the definition of
     * getProperty.
     * 
    
     * If there is no property with the specified name, if the
     * specified name is empty or null, or if the
     * property does not have the correct numeric format, then
     * null is returned.
     * 
    
     * In other words, this method returns a Long object equal to 
     * the value of:
     * 
    
     * getLong(nm, null)
     * 
    
     *
     * @param   nm   property name.
     * @return  the Long value of the property.
     * @see     java.lang.System#getProperty(java.lang.String)
     * @see     java.lang.System#getProperty(java.lang.String, java.lang.String)
     */
    public static Long getLong(String nm) {
	return getLong(nm, null);
    }

    /**
     * Determines the long value of the system property
     * with the specified name.
     * 
    
     * The first argument is treated as the name of a system property.
     * System properties are accessible through the {@link
     * java.lang.System#getProperty(java.lang.String)} method. The
     * string value of this property is then interpreted as a
     * long value and a Long object
     * representing this value is returned.  Details of possible
     * numeric formats can be found with the definition of
     * getProperty.
     * 
    
     * The second argument is the default value. A Long object
     * that represents the value of the second argument is returned if there
     * is no property of the specified name, if the property does not have
     * the correct numeric format, or if the specified name is empty or null.
     * 
    
     * In other words, this method returns a Long object equal 
     * to the value of:
     * 
    
     * getLong(nm, new Long(val))
     * 
    
     * but in practice it may be implemented in a manner such as: 
     * 
         * Long result = getLong(nm, null);
     * return (result == null) ? new Long(val) : result;
     * 
    
     * to avoid the unnecessary allocation of a Long object when 
     * the default value is not needed. 
     *
     * @param   nm    property name.
     * @param   val   default value.
     * @return  the Long value of the property.
     * @see     java.lang.System#getProperty(java.lang.String)
     * @see     java.lang.System#getProperty(java.lang.String, java.lang.String)
     */
    public static Long getLong(String nm, long val) {
        Long result = Long.getLong(nm, null);
        return (result == null) ? new Long(val) : result;
    }

    /**
     * Returns the long value of the system property with
     * the specified name.  The first argument is treated as the name
     * of a system property.  System properties are accessible through
     * the {@link java.lang.System#getProperty(java.lang.String)}
     * method. The string value of this property is then interpreted
     * as a long value, as per the
     * Long.decode method, and a Long object
     * representing this value is returned.
     * 
      
     * 
    • If the property value begins with the two ASCII characters
     * 0x or the ASCII character #, not followed by 
     * a minus sign, then the rest of it is parsed as a hexadecimal integer
     * exactly as for the method {@link #valueOf(java.lang.String, int)} 
     * with radix 16. 
     * 
    • If the property value begins with the ASCII character
     * 0 followed by another character, it is parsed as
     * an octal integer exactly as by the method {@link
     * #valueOf(java.lang.String, int)} with radix 8.
     * 
    • Otherwise the property value is parsed as a decimal
     * integer exactly as by the method 
     * {@link #valueOf(java.lang.String, int)} with radix 10.
     * 
    
     * 
    
     * Note that, in every case, neither L
     * ('\u004C') nor l
     * ('\u006C') is permitted to appear at the end
     * of the property value as a type indicator, as would be
     * permitted in Java programming language source code.
     * 
    
     * The second argument is the default value. The default value is
     * returned if there is no property of the specified name, if the
     * property does not have the correct numeric format, or if the
     * specified name is empty or null.
     *
     * @param   nm   property name.
     * @param   val   default value.
     * @return  the Long value of the property.
     * @see     java.lang.System#getProperty(java.lang.String)
     * @see java.lang.System#getProperty(java.lang.String, java.lang.String)
     * @see java.lang.Long#decode
     */
    public static Long getLong(String nm, Long val) {
        String v = null;
        try {
            v = System.getProperty(nm);
        } catch (IllegalArgumentException e) {
        } catch (NullPointerException e) {
        }
	if (v != null) {
	    try {
		return Long.decode(v);
	    } catch (NumberFormatException e) {
	    }
	}
	return val;
    }

    /**
     * Compares two Long objects numerically.
     *
     * @param   anotherLong   the Long to be compared.
     * @return	the value 0 if this Long is
     * 		equal to the argument Long; a value less than
     * 		0 if this Long is numerically less
     * 		than the argument Long; and a value greater 
     * 		than 0 if this Long is numerically
     * 		 greater than the argument Long (signed
     * 		 comparison).
     * @since   1.2
     */
    public int compareTo(Long anotherLong) {
	long thisVal = this.value;
	long anotherVal = anotherLong.value;
	return (thisValLong object to another object.  If
     * the object is a Long, this function behaves like
     * compareTo(Long).  Otherwise, it throws a
     * ClassCastException (as Long objects
     * are comparable only to other Long objects).
     *
     * @param   o the Object to be compared.
     * @return  the value 0 if the argument is a 
     *		Long numerically equal to this 
     *		Long; a value less than 0 
     *		if the argument is a Long numerically 
     *		greater than this Long; and a value 
     *		greater than 0 if the argument is a 
     *		Long numerically less than this 
     *		Long.
     * @exception ClassCastException if the argument is not a
     *		  Long.
     * @see     java.lang.Comparable
     * @since   1.2
     */
    public int compareTo(Object o) {
	return compareTo((Long)o);
    }

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = 4290774380558885855L;
}
why-2.34/lib/java_api/java/lang/RuntimeException.java0000644000175000017500000000556712311670312021161 0ustar  rtusers/*
 * @(#)RuntimeException.java	1.12 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * RuntimeException is the superclass of those 
 * exceptions that can be thrown during the normal operation of the 
 * Java Virtual Machine. 
 * 
    
 * A method is not required to declare in its throws 
 * clause any subclasses of RuntimeException that might 
 * be thrown during the execution of the method but not caught. 
 *
 *
 * @author  Frank Yellin
 * @version 1.12, 01/23/03
 * @since   JDK1.0
 */
public class RuntimeException extends Exception {
    static final long serialVersionUID = -7034897190745766939L;

    /** Constructs a new runtime exception with null as its
     * detail message.  The cause is not initialized, and may subsequently be
     * initialized by a call to {@link #initCause}.
     */
    public RuntimeException() {
	super();
    }

    /** Constructs a new runtime exception with the specified detail message.
     * The cause is not initialized, and may subsequently be initialized by a
     * call to {@link #initCause}.
     *
     * @param   message   the detail message. The detail message is saved for 
     *          later retrieval by the {@link #getMessage()} method.
     */
    public RuntimeException(String message) {
	super(message);
    }

    /**
     * Constructs a new runtime exception with the specified detail message and
     * cause.  
    Note that the detail message associated with
     * cause is not automatically incorporated in
     * this runtime exception's detail message.
     *
     * @param  message the detail message (which is saved for later retrieval
     *         by the {@link #getMessage()} method).
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @since  1.4
     */
    public RuntimeException(String message, Throwable cause) {
        super(message, cause);
    }

    /** Constructs a new runtime exception with the specified cause and a
     * detail message of (cause==null ? null : cause.toString())
     * (which typically contains the class and detail message of
     * cause).  This constructor is useful for runtime exceptions
     * that are little more than wrappers for other throwables.
     *
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @since  1.4
     */
    public RuntimeException(Throwable cause) {
        super(cause);
    }
}
why-2.34/lib/java_api/java/lang/ArrayStoreException.java0000644000175000017500000000200412311670312021610 0ustar  rtusers/*
 * @(#)ArrayStoreException.java	1.10 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * Thrown to indicate that an attempt has been made to store the 
 * wrong type of object into an array of objects. For example, the 
 * following code generates an ArrayStoreException: 
 * 
     *     Object x[] = new String[3];
 *     x[0] = new Integer(0);
 * 
    
 *
 * @author  unascribed
 * @version 1.10, 01/23/03
 * @since   JDK1.0
 */
public
class ArrayStoreException extends RuntimeException {
    /**
     * Constructs an ArrayStoreException with no detail message. 
     */
    public ArrayStoreException() {
	super();
    }

    /**
     * Constructs an ArrayStoreException with the specified 
     * detail message. 
     *
     * @param   s   the detail message.
     */
    public ArrayStoreException(String s) {
	super(s);
    }
}

why-2.34/lib/java_api/java/lang/Class.java0000644000175000017500000025714312311670312016723 0ustar  rtusers/*
 * @(#)Class.java	1.154 04/05/06
 *
 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

// import java.lang.reflect.Member;
// import java.lang.reflect.Field;
// import java.lang.reflect.Method;
// import java.lang.reflect.Constructor;
// import java.lang.reflect.Modifier;
// import java.lang.reflect.InvocationTargetException;
// import java.lang.ref.SoftReference;
// import java.io.InputStream;
// import java.io.ObjectStreamClass;
// import java.io.ObjectStreamField;
// import java.security.AccessController;
// import java.security.PrivilegedAction;
// import java.util.ArrayList;
// import java.util.Collection;
// import java.util.HashSet;
// import java.util.Iterator;
// import java.util.List;
// import java.util.LinkedList;
// import java.util.LinkedHashSet;
// import java.util.Set;
// import sun.misc.Unsafe;
// import sun.reflect.Reflection;
// import sun.reflect.ReflectionFactory;
// import sun.reflect.SignatureIterator;
// import sun.security.util.SecurityConstants;


/**
 * Instances of the class Class represent classes and interfaces
 * in a running Java application.  Every array also belongs to a class that is
 * reflected as a Class object that is shared by all arrays with
 * the same element type and number of dimensions.  The primitive Java types
 * (boolean, byte, char,
 * short, int, long,
 * float, and double), and the keyword
 * void are also represented as Class objects.
 *
 * 
     Class has no public constructor. Instead Class
 * objects are constructed automatically by the Java Virtual Machine as classes
 * are loaded and by calls to the defineClass method in the class
 * loader.
 *
 * 
     The following example uses a Class object to print the
 * class name of an object:
 *
 * 
     
     *     void printClassName(Object obj) {
 *         System.out.println("The class of " + obj +
 *                            " is " + obj.getClass().getName());
 *     }
 * 
    
 * 
 * 
     It is also possible to get the Class object for a named
 * type (or for void) using a class literal 
 * (JLS Section 15.8.2). 
 * For example:
 *
 * 
     
     *     System.out.println("The name of class Foo is: "+Foo.class.getName());
 * 
    
 *
 * @author  unascribed
 * @version 1.135, 05/25/01
 * @see     java.lang.ClassLoader#defineClass(byte[], int, int)
 * @since   JDK1.0
 */
public final
class Class implements java.io.Serializable {

    private static native void registerNatives();
    static {
        registerNatives();
    }

    /*
     * Constructor. Only the Java Virtual Machine creates Class
     * objects.
     */
    private Class() {}


    /**
     * Converts the object to a string. The string representation is the
     * string "class" or "interface", followed by a space, and then by the
     * fully qualified name of the class in the format returned by
     * getName.  If this Class object represents a
     * primitive type, this method returns the name of the primitive type.  If
     * this Class object represents void this method returns
     * "void".
     *
     * @return a string representation of this class object.
     */
    public String toString() {
        return (isInterface() ? "interface " : (isPrimitive() ? "" : "class "))
            + getName();
    }


    /**
     * Returns the Class object associated with the class or
     * interface with the given string name.  Invoking this method is
     * equivalent to:
     *
     * 
         *  Class.forName(className, true, currentLoader)
     * 
    
     *
     * where currentLoader denotes the defining class loader of
     * the current class.
     *
     * 
     For example, the following code fragment returns the
     * runtime Class descriptor for the class named
     * java.lang.Thread:
     *
     * 
         *   Class t = Class.forName("java.lang.Thread")
     * 
    
     * 
    
     * A call to forName("X") causes the class named 
     * X to be initialized.
     *
     * @param      className   the fully qualified name of the desired class.
     * @return     the Class object for the class with the
     *             specified name.
     * @exception LinkageError if the linkage fails
     * @exception ExceptionInInitializerError if the initialization provoked
     *            by this method fails
     * @exception ClassNotFoundException if the class cannot be located
     */
    public static Class forName(String className) 
                throws ClassNotFoundException {
        return forName0(className, true, ClassLoader.getCallerClassLoader());
    }


    /**
     * Returns the Class object associated with the class or
     * interface with the given string name, using the given class loader.
     * Given the fully qualified name for a class or interface (in the same
     * format returned by getName) this method attempts to
     * locate, load, and link the class or interface.  The specified class
     * loader is used to load the class or interface.  If the parameter
     * loader is null, the class is loaded through the bootstrap
     * class loader.  The class is initialized only if the
     * initialize parameter is true and if it has
     * not been initialized earlier.
     *
     * 
     If name denotes a primitive type or void, an attempt
     * will be made to locate a user-defined class in the unnamed package whose
     * name is name. Therefore, this method cannot be used to
     * obtain any of the Class objects representing primitive
     * types or void.
     *
     * 
     If name denotes an array class, the component type of
     * the array class is loaded but not initialized.
     *
     * 
     For example, in an instance method the expression:
     *
     * 
         *  Class.forName("Foo")
     * 
    
     *
     * is equivalent to:
     *
     * 
         *  Class.forName("Foo", true, this.getClass().getClassLoader())
     * 
    
     *
     * Note that this method throws errors related to loading, linking or
     * initializing as specified in Sections 12.2, 12.3 and 12.4 of The
     * Java Language Specification.
     * Note that this method does not check whether the requested class 
     * is accessible to its caller.
     *
     * 
     If the loader is null, and a security
     * manager is present, and the caller's class loader is not null, then this
     * method calls the security manager's checkPermission method
     * with a RuntimePermission("getClassLoader") permission to
     * ensure it's ok to access the bootstrap class loader.
     *
     * @param name       fully qualified name of the desired class
     * @param initialize whether the class must be initialized
     * @param loader     class loader from which the class must be loaded
     * @return           class object representing the desired class
     * 
     * @exception LinkageError if the linkage fails
     * @exception ExceptionInInitializerError if the initialization provoked
     *            by this method fails
     * @exception ClassNotFoundException if the class cannot be located by
     *            the specified class loader
     *
     * @see 	  java.lang.Class#forName(String) 
     * @see 	  java.lang.ClassLoader
     * @since 	  1.2
     */
    /*KML
    public static Class forName(String name, boolean initialize,
				ClassLoader loader)
        throws ClassNotFoundException
    {
	if (loader == null) {
	    SecurityManager sm = System.getSecurityManager();
	    if (sm != null) {
		ClassLoader ccl = ClassLoader.getCallerClassLoader();
		if (ccl != null) {
		    sm.checkPermission(
			SecurityConstants.GET_CLASSLOADER_PERMISSION);
		}
	    }
	}
	return forName0(name, initialize, loader);
    }
    */

    /** Called after security checks have been made. */
    /*KML
    private static native Class forName0(String name, boolean initialize,
					 ClassLoader loader)
	throws ClassNotFoundException;

    */

    /**
     * Creates a new instance of the class represented by this Class
     * object.  The class is instantiated as if by a new
     * expression with an empty argument list.  The class is initialized if it
     * has not already been initialized.
     *
     * 
    If there is a security manager, this method first calls the security
     * manager's checkMemberAccess method with this
     * and Member.PUBLIC as its arguments. If the class is in a
     * package, then this method also calls the security manager's
     * checkPackageAccess method with the package name as its
     * argument. Either of these calls could result in a SecurityException.
     *
     * @return     a newly allocated instance of the class represented by this
     *             object.
     * @exception  IllegalAccessException  if the class or its nullary 
     *               constructor is not accessible.
     * @exception  InstantiationException 
     *               if this Class represents an abstract class,
     *               an interface, an array class, a primitive type, or void;
     *               or if the class has no nullary constructor;
     *               or if the instantiation fails for some other reason.
     * @exception  ExceptionInInitializerError if the initialization
     *               provoked by this method fails.
     * @exception  SecurityException if there is no permission to create a new
     *               instance.
     *
     */
    public Object newInstance() 
        throws InstantiationException, IllegalAccessException
    {
	if (System.getSecurityManager() != null) {
	    checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
	}
	return newInstance0();
    }

    private Object newInstance0()
        throws InstantiationException, IllegalAccessException
    {
        // NOTE: the following code may not be strictly correct under
        // the current Java memory model.

        // Constructor lookup
        if (cachedConstructor == null) {
            if (this == Class.class) {
                throw new IllegalAccessException(
                    "Can not call newInstance() on the Class for java.lang.Class"
                );
            }
            try {
                final Constructor c =
                  getConstructor0(new Class[] {}, Member.DECLARED);
                // Disable accessibility checks on the constructor
                // since we have to do the security check here anyway
                // (the stack depth is wrong for the Constructor's
                // security check to work)
                java.security.AccessController.doPrivileged
                    (new java.security.PrivilegedAction() {
                            public Object run() {
                                c.setAccessible(true);
                                return null;
                            }
                        });
                cachedConstructor = c;
            } catch (NoSuchMethodException e) {
                throw new InstantiationException(getName());
            }
        }
        Constructor tmpConstructor = cachedConstructor;
        // Security check (same as in java.lang.reflect.Constructor)
        int modifiers = tmpConstructor.getModifiers();
        if (!Reflection.quickCheckMemberAccess(this, modifiers)) {
            Class caller = Reflection.getCallerClass(3);
            if (newInstanceCallerCache != caller) {
                Reflection.ensureMemberAccess(caller, this, null, modifiers);
                newInstanceCallerCache = caller;
            }
        }
        // Run constructor
        try {
            return tmpConstructor.newInstance(null);
        } catch (InvocationTargetException e) {
            Unsafe.getUnsafe().throwException(e.getTargetException());
            // Not reached
            return null;
        }
    }
    //KML private volatile transient Constructor cachedConstructor;
    //KML private volatile transient Class       newInstanceCallerCache;


    /**
     * Determines if the specified Object is assignment-compatible
     * with the object represented by this Class.  This method is
     * the dynamic equivalent of the Java language instanceof
     * operator. The method returns true if the specified
     * Object argument is non-null and can be cast to the
     * reference type represented by this Class object without
     * raising a ClassCastException. It returns false
     * otherwise.
     *
     * 
     Specifically, if this Class object represents a
     * declared class, this method returns true if the specified
     * Object argument is an instance of the represented class (or
     * of any of its subclasses); it returns false otherwise. If
     * this Class object represents an array class, this method
     * returns true if the specified Object argument
     * can be converted to an object of the array class by an identity
     * conversion or by a widening reference conversion; it returns
     * false otherwise. If this Class object
     * represents an interface, this method returns true if the
     * class or any superclass of the specified Object argument
     * implements this interface; it returns false otherwise. If
     * this Class object represents a primitive type, this method
     * returns false.
     *
     * @param   obj the object to check
     * @return  true if obj is an instance of this class
     *
     * @since JDK1.1
     */
    public native boolean isInstance(Object obj);


    /**
     * Determines if the class or interface represented by this
     * Class object is either the same as, or is a superclass or
     * superinterface of, the class or interface represented by the specified
     * Class parameter. It returns true if so;
     * otherwise it returns false. If this Class
     * object represents a primitive type, this method returns
     * true if the specified Class parameter is
     * exactly this Class object; otherwise it returns
     * false.
     *
     * 
     Specifically, this method tests whether the type represented by the
     * specified Class parameter can be converted to the type
     * represented by this Class object via an identity conversion
     * or via a widening reference conversion. See The Java Language
     * Specification, sections 5.1.1 and 5.1.4 , for details.
     * 
     * @param cls the Class object to be checked
     * @return the boolean value indicating whether objects of the
     * type cls can be assigned to objects of this class
     * @exception NullPointerException if the specified Class parameter is
     *            null.
     * @since JDK1.1
     */
    public native boolean isAssignableFrom(Class cls);


    /**
     * Determines if the specified Class object represents an
     * interface type.
     *
     * @return  true if this object represents an interface;
     *          false otherwise.
     */
    public native boolean isInterface();


    /**
     * Determines if this Class object represents an array class.
     *
     * @return  true if this object represents an array class;
     *          false otherwise.
     * @since   JDK1.1
     */
    public native boolean isArray();


    /**
     * Determines if the specified Class object represents a
     * primitive type.
     *
     * 
     There are nine predefined Class objects to represent
     * the eight primitive types and void.  These are created by the Java
     * Virtual Machine, and have the same names as the primitive types that
     * they represent, namely boolean, byte,
     * char, short, int,
     * long, float, and double.
     *
     * 
     These objects may only be accessed via the following public static
     * final variables, and are the only Class objects for which
     * this method returns true.
     *
     * @return true if and only if this class represents a primitive type
     *
     * @see     java.lang.Boolean#TYPE
     * @see     java.lang.Character#TYPE
     * @see     java.lang.Byte#TYPE
     * @see     java.lang.Short#TYPE
     * @see     java.lang.Integer#TYPE
     * @see     java.lang.Long#TYPE
     * @see     java.lang.Float#TYPE
     * @see     java.lang.Double#TYPE
     * @see     java.lang.Void#TYPE
     * @since JDK1.1
     */
    public native boolean isPrimitive();

    /**
     * Returns the  name of the entity (class, interface, array class,
     * primitive type, or void) represented by this Class object,
     * as a String.
     * 
     * 
     If this class object represents a reference type that is not an
     * array type then the binary name of the class is returned, as specified
     * by the Java Language Specification, Second Edition.
     *
     * 
     If this class object represents a primitive type or void, then the
     * name returned is a String equal to the Java language
     * keyword corresponding to the primitive type or void.
     * 
     * 
     If this class object represents a class of arrays, then the internal
     * form of the name consists of the name of the element type preceded by
     * one or more '[' characters representing the depth of the array
     * nesting.  The encoding of element type names is as follows:
     *
     * 
    
     * 
     Element Type  Encoding
     * 
     boolean       Z
     * 
     byte          B
     * 
     char          C
     * 
     class or interface   Lclassname;
     * 
     double        D
     * 
     float         F
     * 
     int           I
     * 
     long          J
     * 
     short         S
     * 
    
     *
     * 
     The class or interface name classname is the binary name of
     * the class specified above.
     *
     * 
     Examples:
     * 
         * String.class.getName()
     *     returns "java.lang.String"
     * byte.class.getName()
     *     returns "byte"
     * (new Object[3]).getClass().getName()
     *     returns "[Ljava.lang.Object;"
     * (new int[3][4][5][6][7][8][9]).getClass().getName()
     *     returns "[[[[[[[I"
     * 
    
     *
     * @return  the name of the class or interface
     *          represented by this object.
     */
    public String getName() {
      if (name == null)
          name = getName0();
      return name;
    }
 
    // cache the name to reduce the number of calls into the VM
    private transient String name;
    private native String getName0();


    /**
     * Returns the class loader for the class.  Some implementations may use
     * null to represent the bootstrap class loader. This method will return
     * null in such implementations if this class was loaded by the bootstrap
     * class loader.
     *
     * 
     If a security manager is present, and the caller's class loader is
     * not null and the caller's class loader is not the same as or an ancestor of
     * the class loader for the class whose class loader is requested, then
     * this method calls the security manager's checkPermission 
     * method with a RuntimePermission("getClassLoader") 
     * permission to ensure it's ok to access the class loader for the class.
     * 
     * 
    If this object
     * represents a primitive type or void, null is returned.
     *
     * @return  the class loader that loaded the class or interface
     *          represented by this object.
     * @throws SecurityException
     *    if a security manager exists and its 
     *    checkPermission method denies
     *    access to the class loader for the class.
     * @see java.lang.ClassLoader
     * @see SecurityManager#checkPermission
     * @see java.lang.RuntimePermission
     */
    /*KML
    public ClassLoader getClassLoader() {
        ClassLoader cl = getClassLoader0();
        if (cl == null)
            return null;
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            ClassLoader ccl = ClassLoader.getCallerClassLoader();
            if (ccl != null && ccl != cl && !cl.isAncestor(ccl)) {
                sm.checkPermission(SecurityConstants.GET_CLASSLOADER_PERMISSION);
            }
        }
        return cl;
    }
    */

    // Package-private to allow ClassLoader access
    //KML native ClassLoader getClassLoader0();


    /**
     * Returns the Class representing the superclass of the entity
     * (class, interface, primitive type or void) represented by this
     * Class.  If this Class represents either the
     * Object class, an interface, a primitive type, or void, then
     * null is returned.  If this object represents an array class then the
     * Class object representing the Object class is
     * returned.
     *
     * @return the superclass of the class represented by this object.
     */
    public native Class getSuperclass();


    /**
     * Gets the package for this class.  The class loader of this class is used
     * to find the package.  If the class was loaded by the bootstrap class
     * loader the set of packages loaded from CLASSPATH is searched to find the
     * package of the class. Null is returned if no package object was created
     * by the class loader of this class.
     *
     * 
     Packages have attributes for versions and specifications only if the
     * information was defined in the manifests that accompany the classes, and
     * if the class loader created the package instance with the attributes
     * from the manifest.
     *
     * @return the package of the class, or null if no package
     *         information is available from the archive or codebase.
     */
    /*KML
      public Package getPackage() {
        return Package.getPackage(this);
    }
    */


    /**
     * Determines the interfaces implemented by the class or interface
     * represented by this object.
     *
     * 
     If this object represents a class, the return value is an array
     * containing objects representing all interfaces implemented by the
     * class. The order of the interface objects in the array corresponds to
     * the order of the interface names in the implements clause
     * of the declaration of the class represented by this object. For 
     * example, given the declaration:
     * 
         * class Shimmer implements FloorWax, DessertTopping { ... }
     * 
    
     * suppose the value of s is an instance of 
     * Shimmer; the value of the expression:
     * 
         * s.getClass().getInterfaces()[0]
     * 
    
     * is the Class object that represents interface 
     * FloorWax; and the value of:
     * 
         * s.getClass().getInterfaces()[1]
     * 
    
     * is the Class object that represents interface 
     * DessertTopping.
     *
     * 
     If this object represents an interface, the array contains objects
     * representing all interfaces extended by the interface. The order of the
     * interface objects in the array corresponds to the order of the interface
     * names in the extends clause of the declaration of the
     * interface represented by this object.
     *
     * 
     If this object represents a class or interface that implements no
     * interfaces, the method returns an array of length 0.
     *
     * 
     If this object represents a primitive type or void, the method
     * returns an array of length 0.
     *
     * @return an array of interfaces implemented by this class.
     */
    public native Class[] getInterfaces();


    /**
     * Returns the Class representing the component type of an
     * array.  If this class does not represent an array class this method
     * returns null.
     *
     * @return the Class representing the component type of this
     * class if this class is an array
     * @see     java.lang.reflect.Array
     * @since JDK1.1
     */
    public native Class getComponentType();


    /**
     * Returns the Java language modifiers for this class or interface, encoded
     * in an integer. The modifiers consist of the Java Virtual Machine's
     * constants for public, protected,
     * private, final, static,
     * abstract and interface; they should be decoded
     * using the methods of class Modifier.
     *
     * 
     If the underlying class is an array class, then its
     * public, private and protected
     * modifiers are the same as those of its component type.  If this
     * Class represents a primitive type or void, its
     * public modifier is always true, and its
     * protected and private modifiers are always
     * false. If this object represents an array class, a
     * primitive type or void, then its final modifier is always
     * true and its interface modifier is always
     * false. The values of its other modifiers are not determined
     * by this specification.
     *
     * 
     The modifier encodings are defined in The Java Virtual Machine
     * Specification, table 4.1.
     *
     * @return the int representing the modifiers for this class
     * @see     java.lang.reflect.Modifier
     * @since JDK1.1
     */
    public native int getModifiers();


    /**
     * Gets the signers of this class.
     *
     * @return  the signers of this class, or null if there are no signers.  In
     * 		particular, this method returns null if this object represents
     * 		a primitive type or void.
     * @since 	JDK1.1
     */
    public native Object[] getSigners();
        

    /**
     * Set the signers of this class.
     */
    native void setSigners(Object[] signers);


    /**
     * If the class or interface represented by this Class object
     * is a member of another class, returns the Class object
     * representing the class in which it was declared.  This method returns
     * null if this class or interface is not a member of any other class.  If
     * this Class object represents an array class, a primitive
     * type, or void,then this method returns null.
     *
     * @return the declaring class for this class
     * @since JDK1.1
     */
    public native Class getDeclaringClass();


    /**
     * Returns an array containing Class objects representing all
     * the public classes and interfaces that are members of the class
     * represented by this Class object.  This includes public
     * class and interface members inherited from superclasses and public class
     * and interface members declared by the class.  This method returns an
     * array of length 0 if this Class object has no public member
     * classes or interfaces.  This method also returns an array of length 0 if
     * this Class object represents a primitive type, an array
     * class, or void.
     * 
     * 
    For this class and each of its superclasses, the following
     * security checks are performed:
     * If there is a security manager, the security manager's
     * checkMemberAccess method is called with this
     * and Member.PUBLIC as its arguments, where this
     * is this class or the superclass whose members are being determined. If
     * the class is in a package, then the security manager's
     * checkPackageAccess method is also called with the package
     * name as its argument. Either of these calls could result in a
     * SecurityException.
     *
     * @return the array of Class objects representing the public
     * members of this class
     * @exception SecurityException    if access to the information is denied.
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     *
     * @since JDK1.1
     */
    public Class[] getClasses() {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());

	// Privileged so this implementation can look at DECLARED classes,
	// something the caller might not have privilege to do.  The code here
	// is allowed to look at DECLARED classes because (1) it does not hand
	// out anything other than public members and (2) public member access
	// has already been ok'd by the SecurityManager.

	Class[] result = (Class[]) java.security.AccessController.doPrivileged
	    (new java.security.PrivilegedAction() {
	        public Object run() {
		    java.util.List list = new java.util.ArrayList();
		    Class currentClass = Class.this;
		    while (currentClass != null) {
			Class[] members = currentClass.getDeclaredClasses();
			for (int i = 0; i < members.length; i++) {
			    if (Modifier.isPublic(members[i].getModifiers())) {
				list.add(members[i]);
			    }
			}
			currentClass = currentClass.getSuperclass();
		    }
		    return list.toArray(new Class[0]);
		}
	    });

        return result;
    }


    /**
     * Returns an array containing Field objects reflecting all
     * the accessible public fields of the class or interface represented by
     * this Class object.  The elements in the array returned are
     * not sorted and are not in any particular order.  This method returns an
     * array of length 0 if the class or interface has no accessible public
     * fields, or if it represents an array class, a primitive type, or void.
     *
     * 
     Specifically, if this Class object represents a class,
     * this method returns the public fields of this class and of all its
     * superclasses.  If this Class object represents an
     * interface, this method returns the fields of this interface and of all
     * its superinterfaces.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.PUBLIC 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess 
     * method with the package name as its argument. Either of these calls
     * could result in a SecurityException.
     * 
     * 
     The implicit length field for array class is not reflected by this
     * method. User code should use the methods of class Array to
     * manipulate arrays.
     *
     * 
     See The Java Language Specification, sections 8.2 and 8.3.
     *
     * @return the array of Field objects representing the
     * public fields
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Field
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */

    /*KML
    public Field[] getFields() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
        return copyFields(privateGetPublicFields(null));
    }
    */


    /**
     * Returns an array containing Method objects reflecting all
     * the public member methods of the class or interface represented
     * by this Class object, including those declared by the class
     * or interface and and those inherited from superclasses and
     * superinterfaces.  The elements in the array returned are not sorted and
     * are not in any particular order.  This method returns an array of length
     * 0 if this Class object represents a class or interface that
     * has no public member methods, or if this Class object
     * represents an array class, primitive type, or void.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.PUBLIC 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess 
     * method with the package name 
     * as its argument. Either of these calls could result in a SecurityException.
     * 
     * 
     The class initialization method <clinit> is not
     * included in the returned array. If the class declares multiple public
     * member methods with the same parameter types, they are all included in
     * the returned array.
     *
     * 
     See The Java Language Specification, sections 8.2 and 8.4.
     *
     * @return the array of Method objects representing the
     * public methods of this class
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Method
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Method[] getMethods() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
        return copyMethods(privateGetPublicMethods());
    }
    */

    /**
     * Returns an array containing Constructor objects reflecting
     * all the public constructors of the class represented by this
     * Class object.  An array of length 0 is returned if the
     * class has no public constructors, or if the class is an array class, or
     * if the class reflects a primitive type or void.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.PUBLIC 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess 
     * method with the package name 
     * as its argument. Either of these calls could result in a SecurityException.
     * 
     * @return the array containing Method objects for all the
     * declared public constructors of this class matches the specified
     * parameterTypes
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Constructor
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Constructor[] getConstructors() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
        return copyConstructors(privateGetDeclaredConstructors(true));
    }
    */


    /**
     * Returns a Field object that reflects the specified public
     * member field of the class or interface represented by this
     * Class object. The name parameter is a
     * String specifying the simple name of the desired field.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.PUBLIC 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess 
     * method with the package name 
     * as its argument. Either of these calls could result in a SecurityException.
     *
     * 
     The field to be reflected is determined by the algorithm that
     * follows.  Let C be the class represented by this object:
     * 
      
     * 
    1.  If C declares a public field with the name specified, that is the
     *      field to be reflected.
      2. 
     * 
    2.  If no field was found in step 1 above, this algorithm is applied
     * 	    recursively to each direct superinterface of C. The direct
     * 	    superinterfaces are searched in the order they were declared.
      3. 
     * 
    3.  If no field was found in steps 1 and 2 above, and C has a
     *      superclass S, then this algorithm is invoked recursively upon S.
     *      If C has no superclass, then a NoSuchFieldException
     *      is thrown.
      4. 
     * 
    
     *
     * 
     See The Java Language Specification, sections 8.2 and 8.3.
     * 
     * @param name the field name
     * @return  the Field object of this class specified by 
     * name
     * @exception NoSuchFieldException if a field with the specified name is
     *              not found.
     * @exception NullPointerException if name is null
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Field
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Field getField(String name)
        throws NoSuchFieldException, SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
        Field field = getField0(name);
        if (field == null) {
            throw new NoSuchFieldException(name);
        }
        return field;
    }
    */


    /**
     * Returns a Method object that reflects the specified public
     * member method of the class or interface represented by this
     * Class object. The name parameter is a
     * String specifying the simple name the desired method. The
     * parameterTypes parameter is an array of Class
     * objects that identify the method's formal parameter types, in declared
     * order. If parameterTypes is null, it is 
     * treated as if it were an empty array.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.PUBLIC 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess 
     * method with the package name 
     * as its argument. Either of these calls could result in a SecurityException.
     *
     * 
     If the name is "<init>"or "<clinit>" a
     * NoSuchMethodException is raised. Otherwise, the method to
     * be reflected is determined by the algorithm that follows.  Let C be the
     * class represented by this object:
     * 
      
     * 
    1.  C is searched for any matching methods. If no matching
     * 	    method is found, the algorithm of step 1 is invoked recursively on
     * 	    the superclass of C.
      2. 
     * 
    2.  If no method was found in step 1 above, the superinterfaces of C
     *      are searched for a matching method. If any such method is found, it
     *      is reflected.
      3. 
     * 
    
     *
     * To find a matching method in a class C:  If C declares exactly one
     * public method with the specified name and exactly the same formal
     * parameter types, that is the method reflected. If more than one such
     * method is found in C, and one of these methods has a return type that is
     * more specific than any of the others, that method is reflected;
     * otherwise one of the methods is chosen arbitrarily.
     *
     * 
     See The Java Language Specification, sections 8.2 and 8.4.
     *
     * @param name the name of the method
     * @param parameterTypes the list of parameters
     * @return the Method object that matches the specified
     * name and parameterTypes
     * @exception NoSuchMethodException if a matching method is not found
     *            or if the name is "<init>"or "<clinit>".
     * @exception NullPointerException if name is null
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Method
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Method getMethod(String name, Class[] parameterTypes)
        throws NoSuchMethodException, SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
        Method method = getMethod0(name, parameterTypes);
        if (method == null) {
            throw new NoSuchMethodException(getName() + "." + name + argumentTypesToString(parameterTypes));
        }
        return method;
    }
    */

    /**
     * Returns a Constructor object that reflects the specified
     * public constructor of the class represented by this Class
     * object. The parameterTypes parameter is an array of
     * Class objects that identify the constructor's formal
     * parameter types, in declared order.
     *
     * 
     The constructor to reflect is the public constructor of the class
     * represented by this Class object whose formal parameter
     * types match those specified by parameterTypes.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.PUBLIC 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess method
     * with the package name as its argument. Either of these calls could
     * result in a SecurityException.
     *
     * @param parameterTypes the parameter array
     * @return the Method object of the public constructor that
     * matches the specified parameterTypes
     * @exception NoSuchMethodException if a matching method is not found.
     * @exception SecurityException     if access to the information is denied.
     * @see       java.lang.reflect.Constructor
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Constructor getConstructor(Class[] parameterTypes)
        throws NoSuchMethodException, SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.PUBLIC, ClassLoader.getCallerClassLoader());
        return getConstructor0(parameterTypes, Member.PUBLIC);
    }
    */


    /**
     * Returns an array of Class objects reflecting all the
     * classes and interfaces declared as members of the class represented by
     * this Class object. This includes public, protected, default
     * (package) access, and private classes and interfaces declared by the
     * class, but excludes inherited classes and interfaces.  This method
     * returns an array of length 0 if the class declares no classes or
     * interfaces as members, or if this Class object represents a
     * primitive type, an array class, or void.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.DECLARED 
     * as its arguments. If the class is in a package, then this method also
     * calls the security manager's checkPackageAccess method with
     * the package name as its argument. Either of these calls could result in
     * a SecurityException.
     *
     * @return the array of Class objects representing all the 
     * declared members of this class
     * @exception SecurityException    if access to the information is denied.
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    public Class[] getDeclaredClasses() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        return getDeclaredClasses0();
    }


    /**
     * Returns an array of Field objects reflecting all the fields
     * declared by the class or interface represented by this
     * Class object. This includes public, protected, default
     * (package) access, and private fields, but excludes inherited fields.
     * The elements in the array returned are not sorted and are not in any
     * particular order.  This method returns an array of length 0 if the class
     * or interface declares no fields, or if this Class object
     * represents a primitive type, an array class, or void.
     *
     * 
     See The Java Language Specification, sections 8.2 and 8.3.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method with
     * this and Member.DECLARED as its arguments. If
     * the class is in a package, then this method also calls the security
     * manager's checkPackageAccess method with the package name
     * as its argument. Either of these calls could result in a
     * SecurityException.
     *
     * @return    the array of Field objects representing all the
     * declared fields of this class
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Field
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Field[] getDeclaredFields() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        return copyFields(privateGetDeclaredFields(false));
    }
    */



    /**
     * Returns an array of Method objects reflecting all the
     * methods declared by the class or interface represented by this
     * Class object. This includes public, protected, default
     * (package) access, and private methods, but excludes inherited methods.
     * The elements in the array returned are not sorted and are not in any
     * particular order.  This method returns an array of length 0 if the class
     * or interface declares no methods, or if this Class object
     * represents a primitive type, an array class, or void.  The class
     * initialization method <clinit> is not included in the
     * returned array. If the class declares multiple public member methods
     * with the same parameter types, they are all included in the returned
     * array.
     *
     * 
     See The Java Language Specification, section 8.2.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.DECLARED 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess method
     * with the package name as its argument. Either of these calls could
     * result in a SecurityException.
     *
     * @return    the array of Method objects representing all the
     * declared methods of this class
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Method
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Method[] getDeclaredMethods() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        return copyMethods(privateGetDeclaredMethods(false));
    }
    */


    /**
     * Returns an array of Constructor objects reflecting all the
     * constructors declared by the class represented by this
     * Class object. These are public, protected, default
     * (package) access, and private constructors.  The elements in the array
     * returned are not sorted and are not in any particular order.  If the
     * class has a default constructor, it is included in the returned array.
     * This method returns an array of length 0 if this Class
     * object represents an interface, a primitive type, an array class, or
     * void.
     *
     * 
     See The Java Language Specification, section 8.2.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.DECLARED 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess method
     * with the package name as its argument. Either of these calls could
     * result in a SecurityException.
     *
     * @return    the array of Method objects representing all the
     * declared constructors of this class
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Constructor
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Constructor[] getDeclaredConstructors() throws SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        return copyConstructors(privateGetDeclaredConstructors(false));
    }
    */


    /**
     * Returns a Field object that reflects the specified declared
     * field of the class or interface represented by this Class
     * object. The name parameter is a String that
     * specifies the simple name of the desired field.  Note that this method
     * will not reflect the length field of an array class.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.DECLARED 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess method
     * with the package name as its argument. Either of these calls could
     * result in a SecurityException.
     *
     * @param name the name of the field
     * @return the Field object for the specified field in this
     * class
     * @exception NoSuchFieldException if a field with the specified name is
     *              not found.
     * @exception NullPointerException if name is null
     * @exception SecurityException    if access to the information is denied.
     * @see       java.lang.reflect.Field
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Field getDeclaredField(String name)
        throws NoSuchFieldException, SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        Field field = searchFields(privateGetDeclaredFields(false), name);
        if (field == null) {
            throw new NoSuchFieldException(name);
        }
        return field;
    }
    */

    /**
     * Returns a Method object that reflects the specified
     * declared method of the class or interface represented by this
     * Class object. The name parameter is a
     * String that specifies the simple name of the desired
     * method, and the parameterTypes parameter is an array of
     * Class objects that identify the method's formal parameter
     * types, in declared order.  If more than one method with the same
     * parameter types is declared in a class, and one of these methods has a
     * return type that is more specific than any of the others, that method is
     * returned; otherwise one of the methods is chosen arbitrarily.  If the
     * name is "<init>"or "<clinit>" a NoSuchMethodException
     * is raised.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.DECLARED 
     * as its arguments. If the class is in a package, then this method also
     * calls the security manager's checkPackageAccess method with
     * the package name as its argument. Either of these calls could result in
     * a SecurityException.
     *
     * @param name the name of the method
     * @param parameterTypes the parameter array
     * @return    the Method object for the method of this class
     * matching the specified name and parameters
     * @exception NoSuchMethodException if a matching method is not found.
     * @exception NullPointerException if name is null
     * @exception SecurityException     if access to the information is denied.
     * @see       java.lang.reflect.Method
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Method getDeclaredMethod(String name, Class[] parameterTypes)
        throws NoSuchMethodException, SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        Method method = searchMethods(privateGetDeclaredMethods(false), name, parameterTypes);
        if (method == null) {
            throw new NoSuchMethodException(getName() + "." + name + argumentTypesToString(parameterTypes));
        }
        return method;
    }
    */

    /**
     * Returns a Constructor object that reflects the specified
     * constructor of the class or interface represented by this
     * Class object.  The parameterTypes parameter is
     * an array of Class objects that identify the constructor's
     * formal parameter types, in declared order.
     *
     * 
    If there is a security manager, this method first
     * calls the security manager's checkMemberAccess method
     * with this and Member.DECLARED 
     * as its arguments. If the class is in a package, then this method
     * also calls the security manager's checkPackageAccess 
     * method with the package name 
     * as its argument. Either of these calls could result in a SecurityException.
     *
     * @param parameterTypes the parameter array
     * @return    The Method object for the constructor with the
     * specified parameter list
     * @exception NoSuchMethodException if a matching method is not found.
     * @exception SecurityException     if access to the information is denied.
     * @see       java.lang.reflect.Constructor
     * @see       SecurityManager#checkMemberAccess(Class, int)
     * @see       SecurityManager#checkPackageAccess(String)
     * @since JDK1.1
     */
    /*KML
    public Constructor getDeclaredConstructor(Class[] parameterTypes)
        throws NoSuchMethodException, SecurityException {
	// be very careful not to change the stack depth of this
	// checkMemberAccess call for security reasons 
	// see java.lang.SecurityManager.checkMemberAccess
        checkMemberAccess(Member.DECLARED, ClassLoader.getCallerClassLoader());
        return getConstructor0(parameterTypes, Member.DECLARED);
    }
    */


    /**
     * Finds a resource with a given name.  This method returns null if no
     * resource with this name is found.  The rules for searching
     * resources associated with a given class are implemented by the
     * defining class loader of the class.
     *
     * 
     This method delegates the call to its class loader, after making
     * these changes to the resource name: if the resource name starts with
     * "/", it is unchanged; otherwise, the package name is prepended to the
     * resource name after converting "." to "/".  If this object was loaded by
     * the bootstrap loader, the call is delegated to
     * ClassLoader.getSystemResourceAsStream.
     *
     * @param name  name of the desired resource
     * @return      a java.io.InputStream object.
     * @throws NullPointerException if name is null.
     * @see         java.lang.ClassLoader
     * @since JDK1.1
     */
    /*KML
    public InputStream getResourceAsStream(String name) {
        name = resolveName(name);
        ClassLoader cl = getClassLoader0();
        if (cl==null) {
            // A system class.
            return ClassLoader.getSystemResourceAsStream(name);
        }
        return cl.getResourceAsStream(name);
    }
    */


    /**
     * Finds a resource with a given name.  This method returns null if no
     * resource with this name is found.  The rules for searching resources
     * associated with a given class are implemented by the * defining class
     * loader of the class.
     *
     * 
     This method delegates the call to its class loader, after making
     * these changes to the resource name: if the resource name starts with
     * "/", it is unchanged; otherwise, the package name is prepended to the
     * resource name after converting "." to "/".  If this object was loaded by
     * the bootstrap loader, the call is delegated to
     * ClassLoader.getSystemResource.
     *
     * @param name  name of the desired resource
     * @return      a java.net.URL object.
     * @see         java.lang.ClassLoader
     * @since JDK1.1
     */
    /*KML
    public java.net.URL getResource(String name) {
        name = resolveName(name);
        ClassLoader cl = getClassLoader0();
        if (cl==null) {
            // A system class.
            return ClassLoader.getSystemResource(name);
        }
        return cl.getResource(name);
    }
    */



    /** protection domain returned when the internal domain is null */
    //KML private static java.security.ProtectionDomain allPermDomain;


    /**
     * Returns the ProtectionDomain of this class.  If there is a
     * security manager installed, this method first calls the security
     * manager's checkPermission method with a
     * RuntimePermission("getProtectionDomain") permission to
     * ensure it's ok to get the
     * ProtectionDomain.
     *
     * @return the ProtectionDomain of this class
     *
     * @throws SecurityException
     *        if a security manager exists and its 
     *        checkPermission method doesn't allow 
     *        getting the ProtectionDomain.
     *
     * @see java.security.ProtectionDomain
     * @see SecurityManager#checkPermission
     * @see java.lang.RuntimePermission
     * @since 1.2
     */
    /*KML
    public java.security.ProtectionDomain getProtectionDomain() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(SecurityConstants.GET_PD_PERMISSION);
        }
        java.security.ProtectionDomain pd = getProtectionDomain0();
        if (pd == null) {
            if (allPermDomain == null) {
                java.security.Permissions perms = 
                    new java.security.Permissions();
                perms.add(SecurityConstants.ALL_PERMISSION);
                allPermDomain = 
                    new java.security.ProtectionDomain(null, perms);
            }
            pd = allPermDomain;
        }
        return pd;
    }
    */


    /**
     * Returns the ProtectionDomain of this class.
     */
    //KML private native java.security.ProtectionDomain getProtectionDomain0();


    /**
     * Set the ProtectionDomain for this class. Called by
     * ClassLoader.defineClass.
     */
    //KML native void setProtectionDomain0(java.security.ProtectionDomain pd);


    /*
     * Return the Virtual Machine's Class object for the named
     * primitive type.
     */
    static native Class getPrimitiveClass(String name);


    /*
     * Check if client is allowed to access members.  If access is denied,
     * throw a SecurityException.
     *
     * Be very careful not to change the stack depth of this checkMemberAccess
     * call for security reasons reasons see
     * java.lang.SecurityManager.checkMemberAccess
     *
     * 
     Default policy: allow all clients access with normal Java access
     * control.
     */
    /*KML
    private void checkMemberAccess(int which, ClassLoader ccl) {
        SecurityManager s = System.getSecurityManager();
        if (s != null) {
            s.checkMemberAccess(this, which);
	    ClassLoader cl = getClassLoader0();
            if ((ccl != null) && (ccl != cl) && 
                  ((cl == null) || !cl.isAncestor(ccl))) {
		String name = this.getName();
		int i = name.lastIndexOf('.');
		if (i != -1) {
		    s.checkPackageAccess(name.substring(0, i));
		}
	    }
	}
    }
    */

    /**
     * Add a package name prefix if the name is not absolute Remove leading "/"
     * if name is absolute
     */
    private String resolveName(String name) {
        if (name == null) {
            return name;
        }
        if (!name.startsWith("/")) {
            Class c = this;
            while (c.isArray()) {
                c = c.getComponentType();
            }
            String baseName = c.getName();
            int index = baseName.lastIndexOf('.');
            if (index != -1) {
                name = baseName.substring(0, index).replace('.', '/')
                    +"/"+name;
            }
        } else {
            name = name.substring(1);
        }
        return name;
    }

    /**
     * Reflection support.
     */

    // Caches for certain reflective results
    /*KML
    private static boolean useCaches = true;
    private volatile transient SoftReference declaredFields;
    private volatile transient SoftReference publicFields;
    private volatile transient SoftReference declaredMethods;
    private volatile transient SoftReference publicMethods;
    private volatile transient SoftReference declaredConstructors;
    private volatile transient SoftReference publicConstructors;
    // Intermediate results for getFields and getMethods
    private volatile transient SoftReference declaredPublicFields;
    private volatile transient SoftReference declaredPublicMethods;
    */

    //
    //
    // java.lang.reflect.Field handling
    //
    //

    // Returns an array of "root" fields. These Field objects must NOT
    // be propagated to the outside world, but must instead be copied
    // via ReflectionFactory.copyField.
    /*KML
    private Field[] privateGetDeclaredFields(boolean publicOnly) {
        checkInitted();
        Field[] res = null;
        if (useCaches) {
            if (publicOnly) {
                if (declaredPublicFields != null) {
                    res = (Field[]) declaredPublicFields.get();
                }
            } else {
                if (declaredFields != null) {
                    res = (Field[]) declaredFields.get();
                }
            }
            if (res != null) return res;
        }
        // No cached value available; request value from VM
        res = getDeclaredFields0(publicOnly);
        if (useCaches) {
            if (publicOnly) {
                declaredPublicFields = new SoftReference(res);
            } else {
                declaredFields = new SoftReference(res);
            }
        }
        return res;
    }
    */

    // Returns an array of "root" fields. These Field objects must NOT
    // be propagated to the outside world, but must instead be copied
    // via ReflectionFactory.copyField.
    /*KML
    private Field[] privateGetPublicFields(Set traversedInterfaces) {
        checkInitted();
        Field[] res = null;
        if (useCaches) {
            if (publicFields != null) {
                res = (Field[]) publicFields.get();
            }
            if (res != null) return res;
        }

        // No cached value available; compute value recursively.
        // Traverse in correct order for getField().
        List fields = new ArrayList();
        if (traversedInterfaces == null) {
            traversedInterfaces = new HashSet();
        }
        
        // Local fields
        Field[] tmp = privateGetDeclaredFields(true);
        addAll(fields, tmp);

        // Direct superinterfaces, recursively
        Class[] interfaces = getInterfaces();
        for (int i = 0; i < interfaces.length; i++) {
            Class c = interfaces[i];
            if (!traversedInterfaces.contains(c)) {
                traversedInterfaces.add(c);
                addAll(fields, c.privateGetPublicFields(traversedInterfaces));
            }
        }

        // Direct superclass, recursively
        if (!isInterface()) {
            Class c = getSuperclass();
            if (c != null) {
                addAll(fields, c.privateGetPublicFields(traversedInterfaces));
            }
        }

        res = new Field[fields.size()];
        fields.toArray(res);
        if (useCaches) {
            publicFields = new SoftReference(res);
        }
        return res;
    }
    */

    /*KML
    private static void addAll(Collection c, Field[] o) {
        for (int i = 0; i < o.length; i++) {
            c.add(o[i]);
        }
    }
    */

    //
    //
    // java.lang.reflect.Constructor handling
    //
    //

    // Returns an array of "root" constructors. These Constructor
    // objects must NOT be propagated to the outside world, but must
    // instead be copied via ReflectionFactory.copyConstructor.
    /*KML
      private Constructor[] privateGetDeclaredConstructors(boolean publicOnly) {
        checkInitted();
        Constructor[] res = null;
        if (useCaches) {
            if (publicOnly) {
                if (publicConstructors != null) {
                    res = (Constructor[]) publicConstructors.get();
                }
            } else {
                if (declaredConstructors != null) {
                    res = (Constructor[]) declaredConstructors.get();
                }
            }
            if (res != null) return res;
        }
        // No cached value available; request value from VM
        if (isInterface()) {
            res = new Constructor[0];
        } else {
            res = getDeclaredConstructors0(publicOnly);
        }
        if (useCaches) {
            if (publicOnly) {
                publicConstructors = new SoftReference(res);
            } else {
                declaredConstructors = new SoftReference(res);
            }
        }
        return res;
    }
    */

    //
    //
    // java.lang.reflect.Method handling
    //
    //

    // Returns an array of "root" methods. These Method objects must NOT
    // be propagated to the outside world, but must instead be copied
    // via ReflectionFactory.copyMethod.
    /*KML
      private Method[] privateGetDeclaredMethods(boolean publicOnly) {
        checkInitted();
        Method[] res = null;
        if (useCaches) {
            if (publicOnly) {
                if (declaredPublicMethods != null) {
                    res = (Method[]) declaredPublicMethods.get();
                }
            } else {
                if (declaredMethods != null) {
                    res = (Method[]) declaredMethods.get();
                }
            }
            if (res != null) return res;
        }
        // No cached value available; request value from VM
        res = getDeclaredMethods0(publicOnly);
        if (useCaches) {
            if (publicOnly) {
                declaredPublicMethods = new SoftReference(res);
            } else {
                declaredMethods = new SoftReference(res);
            }
        }
        return res;
    }
    */

    static class MethodArray {
        private Method[] methods;
        private int length;

        MethodArray() {
            methods = new Method[20];
            length = 0;
        }
        
        void add(Method m) {
            if (length == methods.length) {
                Method[] newMethods = new Method[2 * methods.length];
                System.arraycopy(methods, 0, newMethods, 0, methods.length);
                methods = newMethods;
            }
            methods[length++] = m;
        }

        void addAll(Method[] ma) {
            for (int i = 0; i < ma.length; i++) {
                add(ma[i]);
            }
        }

        void addAll(MethodArray ma) {
            for (int i = 0; i < ma.length(); i++) {
                add(ma.get(i));
            }
        }

        void addIfNotPresent(Method newMethod) {
            for (int i = 0; i < length; i++) {
                Method m = methods[i];
                if (m == newMethod || (m != null && m.equals(newMethod))) {
                    return;
                }
            }
            add(newMethod);
        }

        void addAllIfNotPresent(MethodArray newMethods) {
            for (int i = 0; i < newMethods.length(); i++) {
                Method m = newMethods.get(i);
                if (m != null) {
                    addIfNotPresent(m);
                }
            }
        }

        int length() {
            return length;
        }

        Method get(int i) {
            return methods[i];
        }

        void removeByNameAndSignature(Method toRemove) {
            for (int i = 0; i < length; i++) {
                Method m = methods[i];
                if (m != null &&
                    m.getReturnType() == toRemove.getReturnType() &&
                    m.getName() == toRemove.getName() &&
                    arrayContentsEq(m.getParameterTypes(),
                                    toRemove.getParameterTypes())) {
                    methods[i] = null;
                }
            }
        }

        void compactAndTrim() {
            int newPos = 0;
            // Get rid of null slots
            for (int pos = 0; pos < length; pos++) {
                Method m = methods[pos];
                if (m != null) {
                    if (pos != newPos) {
                        methods[newPos] = m;
                    }
                    newPos++;
                }
            }
            if (newPos != methods.length) {
                Method[] newMethods = new Method[newPos];
                System.arraycopy(methods, 0, newMethods, 0, newPos);
                methods = newMethods;
            }
        }

        Method[] getArray() {
            return methods;
        }
    }


    // Returns an array of "root" methods. These Method objects must NOT
    // be propagated to the outside world, but must instead be copied
    // via ReflectionFactory.copyMethod.
    /*KML
      private Method[] privateGetPublicMethods() {
        checkInitted();
        Method[] res = null;
        if (useCaches) {
            if (publicMethods != null) {
                res = (Method[]) publicMethods.get();
            }
            if (res != null) return res;
        }

        // No cached value available; compute value recursively.
        // Start by fetching public declared methods
        MethodArray methods = new MethodArray();
        {
            Method[] tmp = privateGetDeclaredMethods(true);
            methods.addAll(tmp);
        }
        // Now recur over superclass and direct superinterfaces.
        // Go over superinterfaces first so we can more easily filter
        // out concrete implementations inherited from superclasses at
        // the end.
        MethodArray inheritedMethods = new MethodArray();
        Class[] interfaces = getInterfaces();
        for (int i = 0; i < interfaces.length; i++) {
            inheritedMethods.addAll(interfaces[i].privateGetPublicMethods());
        }
        if (!isInterface()) {
            Class c = getSuperclass();
            if (c != null) {
                MethodArray supers = new MethodArray();
                supers.addAll(c.privateGetPublicMethods());
                // Filter out concrete implementations of any
                // interface methods
                for (int i = 0; i < supers.length(); i++) {
                    Method m = supers.get(i);
                    if (m != null && !Modifier.isAbstract(m.getModifiers())) {
                        inheritedMethods.removeByNameAndSignature(m);
                    }
                }
                // Insert superclass's inherited methods before
                // superinterfaces' to satisfy getMethod's search
                // order
                supers.addAll(inheritedMethods);
                inheritedMethods = supers;
            }
        }
        // Filter out all local methods from inherited ones
        for (int i = 0; i < methods.length(); i++) {
            Method m = methods.get(i);
            inheritedMethods.removeByNameAndSignature(m);
        }
        methods.addAllIfNotPresent(inheritedMethods);
        methods.compactAndTrim();
        res = methods.getArray();
        if (useCaches) {
            publicMethods = new SoftReference(res);
        }
        return res;
    }
    */


    //
    // Helpers for fetchers of one field, method, or constructor
    //

    /*KML
    private Field searchFields(Field[] fields, String name) {
        String internedName = name.intern();
        for (int i = 0; i < fields.length; i++) {
            if (fields[i].getName() == internedName) {
                return getReflectionFactory().copyField(fields[i]);
            }
        }
        return null;
    }
    */

    /*KML
    private Field getField0(String name) throws NoSuchFieldException {
        // Note: the intent is that the search algorithm this routine
        // uses be equivalent to the ordering imposed by
        // privateGetPublicFields(). It fetches only the declared
        // public fields for each class, however, to reduce the number
        // of Field objects which have to be created for the common
        // case where the field being requested is declared in the
        // class which is being queried.
        Field res = null;
        // Search declared public fields
        if ((res = searchFields(privateGetDeclaredFields(true), name)) != null) {
            return res;
        }
        // Direct superinterfaces, recursively
        Class[] interfaces = getInterfaces();
        for (int i = 0; i < interfaces.length; i++) {
            Class c = interfaces[i];
            if ((res = c.getField0(name)) != null) {
                return res;
            }
        }
        // Direct superclass, recursively
        if (!isInterface()) {
            Class c = getSuperclass();
            if (c != null) {
                if ((res = c.getField0(name)) != null) {
                    return res;
                }
            }
        }
        return null;
    }
    */

    /*KML
    private static Method searchMethods(Method[] methods,
                                        String name,
                                        Class[] parameterTypes)
    {
 	Method res = null;
        String internedName = name.intern();
        for (int i = 0; i < methods.length; i++) {
	    Method m = methods[i];
            if (m.getName() == internedName
		&& arrayContentsEq(parameterTypes, m.getParameterTypes())
		&& (res == null
		    || res.getReturnType().isAssignableFrom(m.getReturnType())))
		res = m;
        }

	return (res == null ? res : getReflectionFactory().copyMethod(res));
    }
    *.
  

    private Method getMethod0(String name, Class[] parameterTypes) {
        // Note: the intent is that the search algorithm this routine
        // uses be equivalent to the ordering imposed by
        // privateGetPublicMethods(). It fetches only the declared
        // public methods for each class, however, to reduce the
        // number of Method objects which have to be created for the
        // common case where the method being requested is declared in
        // the class which is being queried.
        Method res = null;
        // Search declared public methods
        if ((res = searchMethods(privateGetDeclaredMethods(true),
                                 name,
                                 parameterTypes)) != null) {
            return res;
        }
        // Search superclass's methods
        if (!isInterface()) {
            Class c = getSuperclass();
            if (c != null) {
                if ((res = c.getMethod0(name, parameterTypes)) != null) {
                    return res;
                }
            }
        }
        // Search superinterfaces' methods
        Class[] interfaces = getInterfaces();
        for (int i = 0; i < interfaces.length; i++) {
            Class c = interfaces[i];
            if ((res = c.getMethod0(name, parameterTypes)) != null) {
                return res;
            }
        }
        // Not found
        return null;
    }

    private Constructor getConstructor0(Class[] parameterTypes,
                                        int which) throws NoSuchMethodException
    {
        Constructor[] constructors = privateGetDeclaredConstructors((which == Member.PUBLIC));
        for (int i = 0; i < constructors.length; i++) {
            if (arrayContentsEq(parameterTypes,
                                constructors[i].getParameterTypes())) {
                return getReflectionFactory().copyConstructor(constructors[i]);
            }
        }
        throw new NoSuchMethodException(getName() + "." + argumentTypesToString(parameterTypes));
    }

    //
    // Other helpers and base implementation
    //

    private static boolean arrayContentsEq(Object[] a1, Object[] a2) {
        if (a1 == null) {
            return a2 == null || a2.length == 0;
        }

        if (a2 == null) {
            return a1.length == 0;
        }

        if (a1.length != a2.length) {
            return false;
        }

        for (int i = 0; i < a1.length; i++) {
            if (a1[i] != a2[i]) {
                return false;
            }
        }

        return true;
    }

    private static Field[] copyFields(Field[] arg) {
        Field[] out = new Field[arg.length];
        ReflectionFactory fact = getReflectionFactory();
        for (int i = 0; i < arg.length; i++) {
            out[i] = fact.copyField(arg[i]);
        }
        return out;
    }

    private static Method[] copyMethods(Method[] arg) {
        Method[] out = new Method[arg.length];
        ReflectionFactory fact = getReflectionFactory();
        for (int i = 0; i < arg.length; i++) {
            out[i] = fact.copyMethod(arg[i]);
        }
        return out;
    }

    private static Constructor[] copyConstructors(Constructor[] arg) {
        Constructor[] out = new Constructor[arg.length];
        ReflectionFactory fact = getReflectionFactory();
        for (int i = 0; i < arg.length; i++) {
            out[i] = fact.copyConstructor(arg[i]);
        }
        return out;
    }

    private native Field[]       getDeclaredFields0(boolean publicOnly);
    private native Method[]      getDeclaredMethods0(boolean publicOnly);
    private native Constructor[] getDeclaredConstructors0(boolean publicOnly);
    private native Class[]       getDeclaredClasses0();

    private static String        argumentTypesToString(Class[] argTypes) {
        StringBuffer buf = new StringBuffer();
        buf.append("(");
        if (argTypes != null) {
            for (int i = 0; i < argTypes.length; i++) {
                if (i > 0) {
                    buf.append(", ");
                }
		Class c = argTypes[i];
		buf.append((c == null) ? "null" : c.getName());
            }
        }
        buf.append(")");
        return buf.toString();
    }

    /** use serialVersionUID from JDK 1.1 for interoperability */
    private static final long serialVersionUID = 3206093459760846163L;


    /**
     * Class Class is special cased within the Serialization Stream Protocol. 
     *
     * A Class instance is written intially into an ObjectOutputStream in the 
     * following format:
     * 
         *      TC_CLASS ClassDescriptor
     *      A ClassDescriptor is a special cased serialization of 
     *      a java.io.ObjectStreamClass instance. 
     * 
    
     * A new handle is generated for the initial time the class descriptor
     * is written into the stream. Future references to the class descriptor
     * are written as references to the initial class descriptor instance.
     *
     * @see java.io.ObjectStreamClass
     */
    /*KML
      private static final ObjectStreamField[] serialPersistentFields = 
        ObjectStreamClass.NO_FIELDS;
    */


    /**
     * Returns the assertion status that would be assigned to this
     * class if it were to be initialized at the time this method is invoked.
     * If this class has had its assertion status set, the most recent
     * setting will be returned; otherwise, if any package default assertion
     * status pertains to this class, the most recent setting for the most
     * specific pertinent package default assertion status is returned;
     * otherwise, if this class is not a system class (i.e., it has a
     * class loader) its class loader's default assertion status is returned;
     * otherwise, the system class default assertion status is returned.
     * 
    
     * Few programmers will have any need for this method; it is provided
     * for the benefit of the JRE itself.  (It allows a class to determine at
     * the time that it is initialized whether assertions should be enabled.)
     * Note that this method is not guaranteed to return the actual
     * assertion status that was (or will be) associated with the specified
     * class when it was (or will be) initialized.
     *
     * @return the desired assertion status of the specified class.
     * @see    java.lang.ClassLoader#setClassAssertionStatus
     * @see    java.lang.ClassLoader#setPackageAssertionStatus
     * @see    java.lang.ClassLoader#setDefaultAssertionStatus
     * @since  1.4
     */
    public boolean desiredAssertionStatus() {
        ClassLoader loader = getClassLoader();
        // If the loader is null this is a system class, so ask the VM
        if (loader == null)
            return desiredAssertionStatus0(this);

        synchronized(loader) {
            // If the classloader has been initialized with
            // the assertion directives, ask it. Otherwise,
            // ask the VM.
            return (loader.classAssertionStatus == null ?
                    desiredAssertionStatus0(this) :
                    loader.desiredAssertionStatus(getName()));
        }
    }

    // Retrieves the desired assertion status of this class from the VM
    private static native boolean desiredAssertionStatus0(Class clazz);

    // Fetches the factory for reflective objects
    /*KML
    private static ReflectionFactory getReflectionFactory() {
        if (reflectionFactory == null) {
            reflectionFactory =  (ReflectionFactory)
                java.security.AccessController.doPrivileged
                    (new sun.reflect.ReflectionFactory.GetReflectionFactoryAction());
        }
        return reflectionFactory;
    }
    */
    //KML private static ReflectionFactory reflectionFactory;

    // To be able to query system properties as soon as they're available
    private static boolean initted = false;
    private static void checkInitted() {
        if (initted) return;
        AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    // Tests to ensure the system properties table is fully
                    // initialized. This is needed because reflection code is
                    // called very early in the initialization process (before
                    // command-line arguments have been parsed and therefore
                    // these user-settable properties installed.) We assume that
                    // if System.out is non-null then the System class has been
                    // fully initialized and that the bulk of the startup code
                    // has been run.

                    if (System.out == null) {
                        // java.lang.System not yet fully initialized
                        return null;
                    }

                    String val =
                        System.getProperty("sun.reflect.noCaches");
                    if (val != null && val.equals("true")) {
                        useCaches = false;
                    }
          
                    initted = true;
                    return null;
                }
            });
    }

}
why-2.34/lib/java_api/java/lang/Character.java0000644000175000017500000022176212311670312017550 0ustar  rtusers// This file was generated AUTOMATICALLY from a template file Sat Jan 15 11:52:14 PST 2005
/* @(#)Character.java.template	1.7 03/01/13
 *
 * Copyright 1994-2002 Sun Microsystems, Inc. All Rights Reserved.
 *
 * This software is the proprietary information of Sun Microsystems, Inc.
 * Use is subject to license terms.
 *
 */

package java.lang;

/**
 * The Character class wraps a value of the primitive
 * type char in an object. An object of type
 * Character contains a single field whose type is
 * char.
 * 
    
 * In addition, this class provides several methods for determining
 * a character's category (lowercase letter, digit, etc.) and for converting
 * characters from uppercase to lowercase and vice versa.
 * 
    
 * Character information is based on the Unicode Standard, version 3.0.
 * 
    
 * The methods and data of class Character are defined by
 * the information in the UnicodeData file that is part of the
 * Unicode Character Database maintained by the Unicode
 * Consortium. This file specifies various properties including name
 * and general category for every defined Unicode code point or
 * character range.
 * 
    
 * The file and its description are available from the Unicode Consortium at:

 * 
    
 *
 * @author  Lee Boynton
 * @author  Guy Steele
 * @author  Akira Tanaka
 * @since   1.0
 */
public final
class Character extends Object implements java.io.Serializable, Comparable {
    /**
     * The minimum radix available for conversion to and from strings.
     * The constant value of this field is the smallest value permitted
     * for the radix argument in radix-conversion methods such as the
     * digit method, the forDigit
     * method, and the toString method of class
     * Integer.
     *
     * @see     java.lang.Character#digit(char, int)
     * @see     java.lang.Character#forDigit(int, int)
     * @see     java.lang.Integer#toString(int, int)
     * @see     java.lang.Integer#valueOf(java.lang.String)
     */
    public static final int MIN_RADIX = 2;

    /**
     * The maximum radix available for conversion to and from strings.
     * The constant value of this field is the largest value permitted
     * for the radix argument in radix-conversion methods such as the
     * digit method, the forDigit
     * method, and the toString method of class
     * Integer.
     *
     * @see     java.lang.Character#digit(char, int)
     * @see     java.lang.Character#forDigit(int, int)
     * @see     java.lang.Integer#toString(int, int)
     * @see     java.lang.Integer#valueOf(java.lang.String)
     */
    public static final int MAX_RADIX = 36;

    /**
     * The constant value of this field is the smallest value of type
     * char, '\u0000'.
     *
     * @since   1.0.2
     */
    public static final char   MIN_VALUE = '\u0000';

    /**
     * The constant value of this field is the largest value of type
     * char, '\uFFFF'.
     *
     * @since   1.0.2
     */
    public static final char   MAX_VALUE = '\uffff';

    /**
     * The Class instance representing the primitive type
     * char.
     *
     * @since   1.1
     */
    public static final Class TYPE = Class.getPrimitiveClass("char");

   /*
    * Normative general types
    */

   /*
    * General character types
    */

   /**
    * General category "Cn" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        UNASSIGNED                  = 0;

   /**
    * General category "Lu" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        UPPERCASE_LETTER            = 1;

   /**
    * General category "Ll" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        LOWERCASE_LETTER            = 2;

   /**
    * General category "Lt" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        TITLECASE_LETTER            = 3;

   /**
    * General category "Lm" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        MODIFIER_LETTER             = 4;

   /**
    * General category "Lo" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        OTHER_LETTER                = 5;

   /**
    * General category "Mn" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        NON_SPACING_MARK            = 6;

   /**
    * General category "Me" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        ENCLOSING_MARK              = 7;

   /**
    * General category "Mc" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        COMBINING_SPACING_MARK      = 8;

   /**
    * General category "Nd" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        DECIMAL_DIGIT_NUMBER        = 9;

   /**
    * General category "Nl" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        LETTER_NUMBER               = 10;

   /**
    * General category "No" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        OTHER_NUMBER                = 11;

   /**
    * General category "Zs" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        SPACE_SEPARATOR             = 12;

   /**
    * General category "Zl" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        LINE_SEPARATOR              = 13;

   /**
    * General category "Zp" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        PARAGRAPH_SEPARATOR         = 14;

   /**
    * General category "Cc" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        CONTROL                     = 15;

   /**
    * General category "Cf" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        FORMAT                      = 16;

   /**
    * General category "Co" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        PRIVATE_USE                 = 18;

   /**
    * General category "Cs" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        SURROGATE                   = 19;

   /**
    * General category "Pd" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        DASH_PUNCTUATION            = 20;

   /**
    * General category "Ps" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        START_PUNCTUATION           = 21;

   /**
    * General category "Pe" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        END_PUNCTUATION             = 22;

   /**
    * General category "Pc" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        CONNECTOR_PUNCTUATION       = 23;

   /**
    * General category "Po" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        OTHER_PUNCTUATION           = 24;

   /**
    * General category "Sm" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        MATH_SYMBOL                 = 25;

   /**
    * General category "Sc" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        CURRENCY_SYMBOL             = 26;

   /**
    * General category "Sk" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        MODIFIER_SYMBOL             = 27;

   /**
    * General category "So" in the Unicode specification.
    * @since   1.1
    */
    public static final byte
        OTHER_SYMBOL                = 28;

   /**
    * General category "Pi" in the Unicode specification.
    * @since   1.4
    */
    public static final byte
        INITIAL_QUOTE_PUNCTUATION   = 29;

   /**
    * General category "Pf" in the Unicode specification.
    * @since   1.4
    */
    public static final byte
        FINAL_QUOTE_PUNCTUATION     = 30;

    /**
     * Error or non-char flag
     * @since 1.4
     */
     static final char CHAR_ERROR = '\uFFFF';


    /**
     * Undefined bidirectional character type. Undefined char
     * values have undefined directionality in the Unicode specification.
     * @since 1.4
     */
     public static final byte DIRECTIONALITY_UNDEFINED = -1;

    /**
     * Strong bidirectional character type "L" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_LEFT_TO_RIGHT = 0;

    /**
     * Strong bidirectional character type "R" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_RIGHT_TO_LEFT = 1;

    /**
    * Strong bidirectional character type "AL" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_RIGHT_TO_LEFT_ARABIC = 2;

    /**
     * Weak bidirectional character type "EN" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_EUROPEAN_NUMBER = 3;

    /**
     * Weak bidirectional character type "ES" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_EUROPEAN_NUMBER_SEPARATOR = 4;

    /**
     * Weak bidirectional character type "ET" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_EUROPEAN_NUMBER_TERMINATOR = 5;

    /**
     * Weak bidirectional character type "AN" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_ARABIC_NUMBER = 6;

    /**
     * Weak bidirectional character type "CS" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_COMMON_NUMBER_SEPARATOR = 7;

    /**
     * Weak bidirectional character type "NSM" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_NONSPACING_MARK = 8;

    /**
     * Weak bidirectional character type "BN" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_BOUNDARY_NEUTRAL = 9;

    /**
     * Neutral bidirectional character type "B" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_PARAGRAPH_SEPARATOR = 10;

    /**
     * Neutral bidirectional character type "S" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_SEGMENT_SEPARATOR = 11;

    /**
     * Neutral bidirectional character type "WS" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_WHITESPACE = 12;

    /**
     * Neutral bidirectional character type "ON" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_OTHER_NEUTRALS = 13;

    /**
     * Strong bidirectional character type "LRE" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_LEFT_TO_RIGHT_EMBEDDING = 14;

    /**
     * Strong bidirectional character type "LRO" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_LEFT_TO_RIGHT_OVERRIDE = 15;

    /**
     * Strong bidirectional character type "RLE" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_RIGHT_TO_LEFT_EMBEDDING = 16;

    /**
     * Strong bidirectional character type "RLO" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_RIGHT_TO_LEFT_OVERRIDE = 17;

    /**
     * Weak bidirectional character type "PDF" in the Unicode specification.
     * @since 1.4
     */
    public static final byte DIRECTIONALITY_POP_DIRECTIONAL_FORMAT = 18;

    // Maximum character handled by internal fast-path code which
    // avoids initializing large tables.
    // Note: performance of this "fast-path" code may be sub-optimal
    // in negative cases for some accessors due to complicated ranges.
    // Should revisit after optimization of table initialization.
    private static final int FAST_PATH_MAX = 255;

    /**
     * Instances of this class represent particular subsets of the Unicode
     * character set.  The only family of subsets defined in the
     * Character class is {@link Character.UnicodeBlock
     * UnicodeBlock}.  Other portions of the Java API may define other
     * subsets for their own purposes.
     *
     * @since 1.2
     */
    public static class Subset  {

        private String name;

        /**
         * Constructs a new Subset instance.
         *
         * @exception NullPointerException if name is null
         * @param  name  The name of this subset
         */
        protected Subset(String name) {
            if (name == null) {
                throw new NullPointerException("name");
            }
            this.name = name;
        }

        /**
         * Compares two Subset objects for equality.
         * This method returns true if and only if
         * this and the argument refer to the same
         * object; since this method is final, this
         * guarantee holds for all subclasses.
         */
        public final boolean equals(Object obj) {
            return (this == obj);
        }

        /**
         * Returns the standard hash code as defined by the
         * {@link Object#hashCode} method.  This method
         * is final in order to ensure that the
         * equals and hashCode methods will
         * be consistent in all subclasses.
         */
        public final int hashCode() {
            return super.hashCode();
        }

        /**
         * Returns the name of this subset.
         */
        public final String toString() {
            return name;
        }
    }

    /**
     * A family of character subsets representing the character blocks in the
     * Unicode specification. Character blocks generally define characters
     * used for a specific script or purpose. A character is contained by
     * at most one Unicode block.
     *
     * @since 1.2
     */
    public static final class UnicodeBlock extends Subset {

        private UnicodeBlock(String name) {
            super(name);
        }

        /**
         * Constant for the Unicode character block of the same name.
         */
        public static final UnicodeBlock
            BASIC_LATIN
                = new UnicodeBlock("BASIC_LATIN"),
            LATIN_1_SUPPLEMENT
                = new UnicodeBlock("LATIN_1_SUPPLEMENT"),
            LATIN_EXTENDED_A
                = new UnicodeBlock("LATIN_EXTENDED_A"),
            LATIN_EXTENDED_B
                = new UnicodeBlock("LATIN_EXTENDED_B"),
            IPA_EXTENSIONS
                = new UnicodeBlock("IPA_EXTENSIONS"),
            SPACING_MODIFIER_LETTERS
                = new UnicodeBlock("SPACING_MODIFIER_LETTERS"),
            COMBINING_DIACRITICAL_MARKS
                = new UnicodeBlock("COMBINING_DIACRITICAL_MARKS"),
            GREEK
                = new UnicodeBlock("GREEK"),
            CYRILLIC
                = new UnicodeBlock("CYRILLIC"),
            ARMENIAN
                = new UnicodeBlock("ARMENIAN"),
            HEBREW
                = new UnicodeBlock("HEBREW"),
            ARABIC
                = new UnicodeBlock("ARABIC"),
            DEVANAGARI
                = new UnicodeBlock("DEVANAGARI"),
            BENGALI
                = new UnicodeBlock("BENGALI"),
            GURMUKHI
                = new UnicodeBlock("GURMUKHI"),
            GUJARATI
                = new UnicodeBlock("GUJARATI"),
            ORIYA
                = new UnicodeBlock("ORIYA"),
            TAMIL
                = new UnicodeBlock("TAMIL"),
            TELUGU
                = new UnicodeBlock("TELUGU"),
            KANNADA
                = new UnicodeBlock("KANNADA"),
            MALAYALAM
                = new UnicodeBlock("MALAYALAM"),
            THAI
                = new UnicodeBlock("THAI"),
            LAO
                = new UnicodeBlock("LAO"),
            TIBETAN
                = new UnicodeBlock("TIBETAN"),
            GEORGIAN
                = new UnicodeBlock("GEORGIAN"),
            HANGUL_JAMO
                = new UnicodeBlock("HANGUL_JAMO"),
            LATIN_EXTENDED_ADDITIONAL
                = new UnicodeBlock("LATIN_EXTENDED_ADDITIONAL"),
            GREEK_EXTENDED
                = new UnicodeBlock("GREEK_EXTENDED"),
            GENERAL_PUNCTUATION
                = new UnicodeBlock("GENERAL_PUNCTUATION"),
            SUPERSCRIPTS_AND_SUBSCRIPTS
                = new UnicodeBlock("SUPERSCRIPTS_AND_SUBSCRIPTS"),
            CURRENCY_SYMBOLS
                = new UnicodeBlock("CURRENCY_SYMBOLS"),
            COMBINING_MARKS_FOR_SYMBOLS
                = new UnicodeBlock("COMBINING_MARKS_FOR_SYMBOLS"),
            LETTERLIKE_SYMBOLS
                = new UnicodeBlock("LETTERLIKE_SYMBOLS"),
            NUMBER_FORMS
                = new UnicodeBlock("NUMBER_FORMS"),
            ARROWS
                = new UnicodeBlock("ARROWS"),
            MATHEMATICAL_OPERATORS
                = new UnicodeBlock("MATHEMATICAL_OPERATORS"),
            MISCELLANEOUS_TECHNICAL
                = new UnicodeBlock("MISCELLANEOUS_TECHNICAL"),
            CONTROL_PICTURES
                = new UnicodeBlock("CONTROL_PICTURES"),
            OPTICAL_CHARACTER_RECOGNITION
                = new UnicodeBlock("OPTICAL_CHARACTER_RECOGNITION"),
            ENCLOSED_ALPHANUMERICS
                = new UnicodeBlock("ENCLOSED_ALPHANUMERICS"),
            BOX_DRAWING
                = new UnicodeBlock("BOX_DRAWING"),
            BLOCK_ELEMENTS
                = new UnicodeBlock("BLOCK_ELEMENTS"),
            GEOMETRIC_SHAPES
                = new UnicodeBlock("GEOMETRIC_SHAPES"),
            MISCELLANEOUS_SYMBOLS
                = new UnicodeBlock("MISCELLANEOUS_SYMBOLS"),
            DINGBATS
                = new UnicodeBlock("DINGBATS"),
            CJK_SYMBOLS_AND_PUNCTUATION
                = new UnicodeBlock("CJK_SYMBOLS_AND_PUNCTUATION"),
            HIRAGANA
                = new UnicodeBlock("HIRAGANA"),
            KATAKANA
                = new UnicodeBlock("KATAKANA"),
            BOPOMOFO
                = new UnicodeBlock("BOPOMOFO"),
            HANGUL_COMPATIBILITY_JAMO
                = new UnicodeBlock("HANGUL_COMPATIBILITY_JAMO"),
            KANBUN
                = new UnicodeBlock("KANBUN"),
            ENCLOSED_CJK_LETTERS_AND_MONTHS
                = new UnicodeBlock("ENCLOSED_CJK_LETTERS_AND_MONTHS"),
            CJK_COMPATIBILITY
                = new UnicodeBlock("CJK_COMPATIBILITY"),
            CJK_UNIFIED_IDEOGRAPHS
                = new UnicodeBlock("CJK_UNIFIED_IDEOGRAPHS"),
            HANGUL_SYLLABLES
                = new UnicodeBlock("HANGUL_SYLLABLES"),
            SURROGATES_AREA
                = new UnicodeBlock("SURROGATES_AREA"),
            PRIVATE_USE_AREA
                = new UnicodeBlock("PRIVATE_USE_AREA"),
            CJK_COMPATIBILITY_IDEOGRAPHS
                = new UnicodeBlock("CJK_COMPATIBILITY_IDEOGRAPHS"),
            ALPHABETIC_PRESENTATION_FORMS
                = new UnicodeBlock("ALPHABETIC_PRESENTATION_FORMS"),
            ARABIC_PRESENTATION_FORMS_A
                = new UnicodeBlock("ARABIC_PRESENTATION_FORMS_A"),
            COMBINING_HALF_MARKS
                = new UnicodeBlock("COMBINING_HALF_MARKS"),
            CJK_COMPATIBILITY_FORMS
                = new UnicodeBlock("CJK_COMPATIBILITY_FORMS"),
            SMALL_FORM_VARIANTS
                = new UnicodeBlock("SMALL_FORM_VARIANTS"),
            ARABIC_PRESENTATION_FORMS_B
                = new UnicodeBlock("ARABIC_PRESENTATION_FORMS_B"),
            HALFWIDTH_AND_FULLWIDTH_FORMS
                = new UnicodeBlock("HALFWIDTH_AND_FULLWIDTH_FORMS"),
            SPECIALS
                = new UnicodeBlock("SPECIALS");

        /**
         * Constant for the Unicode character block of the same name.
         *
         * @since 1.4
         */
        public static final UnicodeBlock
            SYRIAC
                = new UnicodeBlock("SYRIAC"),
            THAANA
                = new UnicodeBlock("THAANA"),
            SINHALA
                = new UnicodeBlock("SINHALA"),
            MYANMAR
                = new UnicodeBlock("MYANMAR"),
            ETHIOPIC
                = new UnicodeBlock("ETHIOPIC"),
            CHEROKEE
                = new UnicodeBlock("CHEROKEE"),
            UNIFIED_CANADIAN_ABORIGINAL_SYLLABICS
                = new UnicodeBlock("UNIFIED_CANADIAN_ABORIGINAL_SYLLABICS"),
            OGHAM
                = new UnicodeBlock("OGHAM"),
            RUNIC
                = new UnicodeBlock("RUNIC"),
            KHMER
                = new UnicodeBlock("KHMER"),
            MONGOLIAN
                = new UnicodeBlock("MONGOLIAN"),
            BRAILLE_PATTERNS
                = new UnicodeBlock("BRAILLE_PATTERNS"),
            CJK_RADICALS_SUPPLEMENT
                = new UnicodeBlock("CJK_RADICALS_SUPPLEMENT"),
            KANGXI_RADICALS
                = new UnicodeBlock("KANGXI_RADICALS"),
            IDEOGRAPHIC_DESCRIPTION_CHARACTERS =
                new UnicodeBlock("IDEOGRAPHIC_DESCRIPTION_CHARACTERS"),
            BOPOMOFO_EXTENDED
                = new UnicodeBlock("BOPOMOFO_EXTENDED"),
            CJK_UNIFIED_IDEOGRAPHS_EXTENSION_A
                = new UnicodeBlock("CJK_UNIFIED_IDEOGRAPHS_EXTENSION_A"),
            YI_SYLLABLES
                = new UnicodeBlock("YI_SYLLABLES"),
            YI_RADICALS
                = new UnicodeBlock("YI_RADICALS");

        private static final char blockStarts[] = {
            '\u0000', // Basic Latin
            '\u0080', // Latin-1 Supplement
            '\u0100', // Latin Extended-A
            '\u0180', // Latin Extended-B
            '\u0250', // IPA Extensions
            '\u02B0', // Spacing Modifier Letters
            '\u0300', // Combining Diacritical Marks
            '\u0370', // Greek
            '\u0400', // Cyrillic
            '\u0500', // unassigned
            '\u0530', // Armenian
            '\u0590', // Hebrew
            '\u0600', // Arabic
            '\u0700', // Syriac
            '\u0750', // unassigned
            '\u0780', // Thaana
            '\u07C0', // unassigned
            '\u0900', // Devanagari
            '\u0980', // Bengali
            '\u0A00', // Gurmukhi
            '\u0A80', // Gujarati
            '\u0B00', // Oriya
            '\u0B80', // Tamil
            '\u0C00', // Telugu
            '\u0C80', // Kannada
            '\u0D00', // Malayalam
            '\u0D80', // Sinhala
            '\u0E00', // Thai
            '\u0E80', // Lao
            '\u0F00', // Tibetan
            '\u1000', // Myanmar
            '\u10A0', // Georgian
            '\u1100', // Hangul Jamo
            '\u1200', // Ethiopic
            '\u1380', // unassigned
            '\u13A0', // Cherokee
            '\u1400', // Unified Canadian Aboriginal Syllabics
            '\u1680', // Ogham
            '\u16A0', // Runic
            '\u1700', // unassigned
            '\u1780', // Khmer
            '\u1800', // Mongolian
            '\u18B0', // unassigned
            '\u1E00', // Latin Extended Additional
            '\u1F00', // Greek Extended
            '\u2000', // General Punctuation
            '\u2070', // Superscripts and Subscripts
            '\u20A0', // Currency Symbols
            '\u20D0', // Combining Marks for Symbols
            '\u2100', // Letterlike Symbols
            '\u2150', // Number Forms
            '\u2190', // Arrows
            '\u2200', // Mathematical Operators
            '\u2300', // Miscellaneous Technical
            '\u2400', // Control Pictures
            '\u2440', // Optical Character Recognition
            '\u2460', // Enclosed Alphanumerics
            '\u2500', // Box Drawing
            '\u2580', // Block Elements
            '\u25A0', // Geometric Shapes
            '\u2600', // Miscellaneous Symbols
            '\u2700', // Dingbats
            '\u27C0', // unassigned
            '\u2800', // Braille Patterns
            '\u2900', // unassigned
            '\u2E80', // CJK Radicals Supplement
            '\u2F00', // Kangxi Radicals
            '\u2FE0', // unassigned
            '\u2FF0', // Ideographic Description Characters
            '\u3000', // CJK Symbols and Punctuation
            '\u3040', // Hiragana
            '\u30A0', // Katakana
            '\u3100', // Bopomofo
            '\u3130', // Hangul Compatibility Jamo
            '\u3190', // Kanbun
            '\u31A0', // Bopomofo Extended
            '\u31C0', // unassigned
            '\u3200', // Enclosed CJK Letters and Months
            '\u3300', // CJK Compatibility
            '\u3400', // CJK Unified Ideographs Extension A
            '\u4DB6', // unassigned
            '\u4E00', // CJK Unified Ideographs
            '\uA000', // Yi Syllables
            '\uA490', // Yi Radicals
            '\uA4D0', // unassigned
            '\uAC00', // Hangul Syllables
            '\uD7A4', // unassigned
            '\uD800', // Surrogates
            '\uE000', // Private Use
            '\uF900', // CJK Compatibility Ideographs
            '\uFB00', // Alphabetic Presentation Forms
            '\uFB50', // Arabic Presentation Forms-A
            '\uFE00', // unassigned
            '\uFE20', // Combining Half Marks
            '\uFE30', // CJK Compatibility Forms
            '\uFE50', // Small Form Variants
            '\uFE70', // Arabic Presentation Forms-B
            '\uFEFF', // Specials
            '\uFF00', // Halfwidth and Fullwidth Forms
            '\uFFF0', // Specials
            '\uFFFE', // non-characters
        };

        private static final UnicodeBlock[] blocks = {
            BASIC_LATIN,
            LATIN_1_SUPPLEMENT,
            LATIN_EXTENDED_A,
            LATIN_EXTENDED_B,
            IPA_EXTENSIONS,
            SPACING_MODIFIER_LETTERS,
            COMBINING_DIACRITICAL_MARKS,
            GREEK,
            CYRILLIC,
            null,
            ARMENIAN,
            HEBREW,
            ARABIC,
            SYRIAC,
            null,
            THAANA,
            null,
            DEVANAGARI,
            BENGALI,
            GURMUKHI,
            GUJARATI,
            ORIYA,
            TAMIL,
            TELUGU,
            KANNADA,
            MALAYALAM,
            SINHALA,
            THAI,
            LAO,
            TIBETAN,
            MYANMAR,
            GEORGIAN,
            HANGUL_JAMO,
            ETHIOPIC,
            null,
            CHEROKEE,
            UNIFIED_CANADIAN_ABORIGINAL_SYLLABICS,
            OGHAM,
            RUNIC,
            null,
            KHMER,
            MONGOLIAN,
            null,
            LATIN_EXTENDED_ADDITIONAL,
            GREEK_EXTENDED,
            GENERAL_PUNCTUATION,
            SUPERSCRIPTS_AND_SUBSCRIPTS,
            CURRENCY_SYMBOLS,
            COMBINING_MARKS_FOR_SYMBOLS,
            LETTERLIKE_SYMBOLS,
            NUMBER_FORMS,
            ARROWS,
            MATHEMATICAL_OPERATORS,
            MISCELLANEOUS_TECHNICAL,
            CONTROL_PICTURES,
            OPTICAL_CHARACTER_RECOGNITION,
            ENCLOSED_ALPHANUMERICS,
            BOX_DRAWING,
            BLOCK_ELEMENTS,
            GEOMETRIC_SHAPES,
            MISCELLANEOUS_SYMBOLS,
            DINGBATS,
            null,
            BRAILLE_PATTERNS,
            null,
            CJK_RADICALS_SUPPLEMENT,
            KANGXI_RADICALS,
            null,
            IDEOGRAPHIC_DESCRIPTION_CHARACTERS,
            CJK_SYMBOLS_AND_PUNCTUATION,
            HIRAGANA,
            KATAKANA,
            BOPOMOFO,
            HANGUL_COMPATIBILITY_JAMO,
            KANBUN,
            BOPOMOFO_EXTENDED,
            null,
            ENCLOSED_CJK_LETTERS_AND_MONTHS,
            CJK_COMPATIBILITY,
            CJK_UNIFIED_IDEOGRAPHS_EXTENSION_A,
            null,
            CJK_UNIFIED_IDEOGRAPHS,
            YI_SYLLABLES,
            YI_RADICALS,
            null,
            HANGUL_SYLLABLES,
            null,
            SURROGATES_AREA,
            PRIVATE_USE_AREA,
            CJK_COMPATIBILITY_IDEOGRAPHS,
            ALPHABETIC_PRESENTATION_FORMS,
            ARABIC_PRESENTATION_FORMS_A,
            null,
            COMBINING_HALF_MARKS,
            CJK_COMPATIBILITY_FORMS,
            SMALL_FORM_VARIANTS,
            ARABIC_PRESENTATION_FORMS_B,
            SPECIALS,
            HALFWIDTH_AND_FULLWIDTH_FORMS,
            SPECIALS,
            null,
        };

        /**
         * Returns the object representing the Unicode block containing the
         * given character, or null if the character is not a
         * member of a defined block.
         *
         * @param   c  The character in question
         * @return  The UnicodeBlock instance representing the
         *          Unicode block of which this character is a member, or
         *          null if the character is not a member of any
         *          Unicode block
         */
        public static UnicodeBlock of(char c) {
            int top, bottom, current;
            bottom = 0;
            top = blockStarts.length;
            current = top/2;
            // invariant: top > current >= bottom && ch >= unicodeBlockStarts[bottom]
            while (top - bottom > 1) {
                if (c >= blockStarts[current]) {
                    bottom = current;
                } else {
                    top = current;
                }
                current = (top + bottom) / 2;
            }
            return blocks[current];
        }
    }

    /**
     * The value of the Character.
     *
     * @serial
     */
    private char value;

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = 3786198910865385080L;

    /**
     * Constructs a newly allocated Character object that
     * represents the specified char value.
     *
     * @param  value   the value to be represented by the 
     *			Character object.
     */
    public Character(char value) {
        this.value = value;
    }

    /**
     * Returns the value of this Character object.
     * @return  the primitive char value represented by
     *          this object.
     */
    public char charValue() {
        return value;
    }

    /**
     * Returns a hash code for this Character.
     * @return  a hash code value for this object.
     */
    public int hashCode() {
        return (int)value;
    }

    /**
     * Compares this object against the specified object.
     * The result is true if and only if the argument is not
     * null and is a Character object that
     * represents the same char value as this object.
     *
     * @param   obj   the object to compare with.
     * @return  true if the objects are the same;
     *          false otherwise.
     */
    public boolean equals(Object obj) {
        if (obj instanceof Character) {
            return value == ((Character)obj).charValue();
        }
        return false;
    }

    /**
     * Returns a String object representing this
     * Character's value.  The result is a string of
     * length 1 whose sole component is the primitive
     * char value represented by this
     * Character object.
     *
     * @return  a string representation of this object.
     */
    public String toString() {
        char buf[] = {value};
        return String.valueOf(buf);
    }

    /**
     * Returns a String object representing the
     * specified char.  The result is a string of length
     * 1 consisting solely of the specified char.
     *
     * @param c the char to be converted
     * @return the string representation of the specified char
     * @since 1.4
     */
    public static String toString(char c) {
        return String.valueOf(c);
    }


   /**
     * Determines if the specified character is a lowercase character.
     * 
    
     * A character is lowercase if its general category type, provided
     * by Character.getType(ch), is
     * LOWERCASE_LETTER.
     * 
    
     * The following are examples of lowercase characters:
     * 
         * a b c d e f g h i j k l m n o p q r s t u v w x y z
     * '\u00DF' '\u00E0' '\u00E1' '\u00E2' '\u00E3' '\u00E4' '\u00E5' '\u00E6' 
     * '\u00E7' '\u00E8' '\u00E9' '\u00EA' '\u00EB' '\u00EC' '\u00ED' '\u00EE'
     * '\u00EF' '\u00F0' '\u00F1' '\u00F2' '\u00F3' '\u00F4' '\u00F5' '\u00F6'
     * '\u00F8' '\u00F9' '\u00FA' '\u00FB' '\u00FC' '\u00FD' '\u00FE' '\u00FF'
     * 
    
     * 
     Many other Unicode characters are lowercase too.
     * 
    
     *
     * @param   ch   the character to be tested.
     * @return  true if the character is lowercase;
     *          false otherwise.
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isTitleCase(char)
     * @see     java.lang.Character#toLowerCase(char)
     * @see     java.lang.Character#getType(char)
     */
    public static boolean isLowerCase(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isLowerCase(ch);
        } else {
            return CharacterData.isLowerCase(ch);
        }
    }

   /**
     * Determines if the specified character is an uppercase character.
     * 
    
     * A character is uppercase if its general category type, provided by
     * Character.getType(ch), is UPPERCASE_LETTER.
     * 
    
     * The following are examples of uppercase characters:
     * 
         * A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
     * '\u00C0' '\u00C1' '\u00C2' '\u00C3' '\u00C4' '\u00C5' '\u00C6' '\u00C7'
     * '\u00C8' '\u00C9' '\u00CA' '\u00CB' '\u00CC' '\u00CD' '\u00CE' '\u00CF'
     * '\u00D0' '\u00D1' '\u00D2' '\u00D3' '\u00D4' '\u00D5' '\u00D6' '\u00D8'
     * '\u00D9' '\u00DA' '\u00DB' '\u00DC' '\u00DD' '\u00DE'
     * 
    
     * 
     Many other Unicode characters are uppercase too.
    
     *
     * @param   ch   the character to be tested.
     * @return  true if the character is uppercase;
     *          false otherwise.
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isTitleCase(char)
     * @see     java.lang.Character#toUpperCase(char)
     * @see     java.lang.Character#getType(char)
     * @since   1.0
     */
    public static boolean isUpperCase(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isUpperCase(ch);
        } else {
            return CharacterData.isUpperCase(ch);
        }
    }

    /**
     * Determines if the specified character is a titlecase character.
     * 
     
     * A character is a titlecase character if its general
     * category type, provided by Character.getType(ch),
     * is TITLECASE_LETTER.
     * 
    
     * Some characters look like pairs of Latin letters. For example, there
     * is an uppercase letter that looks like "LJ" and has a corresponding
     * lowercase letter that looks like "lj". A third form, which looks like "Lj",
     * is the appropriate form to use when rendering a word in lowercase
     * with initial capitals, as for a book title.
     * 
    
     * These are some of the Unicode characters for which this method returns
     * true:
     * 
      
     * 
    • LATIN CAPITAL LETTER D WITH SMALL LETTER Z WITH CARON
     * 
    • LATIN CAPITAL LETTER L WITH SMALL LETTER J
     * 
    • LATIN CAPITAL LETTER N WITH SMALL LETTER J
     * 
    • LATIN CAPITAL LETTER D WITH SMALL LETTER Z
     * 
    
     * 
     Many other Unicode characters are titlecase too.
    
     *
     * @param   ch   the character to be tested.
     * @return  true if the character is titlecase;
     *          false otherwise.
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isUpperCase(char)
     * @see     java.lang.Character#toTitleCase(char)
     * @see     java.lang.Character#getType(char)
     * @since   1.0.2
     */
    public static boolean isTitleCase(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isTitleCase(ch);
        } else {
            return CharacterData.isTitleCase(ch);
        }
    }

    /**
     * Determines if the specified character is a digit.
     * 
    
     * A character is a digit if its general category type, provided
     * by Character.getType(ch), is
     * DECIMAL_DIGIT_NUMBER.
     * 
    
     * Some Unicode character ranges that contain digits:
     * 
      
     * 
    • '\u0030' through '\u0039', 
     *	   ISO-LATIN-1 digits ('0' through '9')
     * 
    • '\u0660' through '\u0669',
     *	   Arabic-Indic digits
     * 
    • '\u06F0' through '\u06F9',
     * 	   Extended Arabic-Indic digits
     * 
    • '\u0966' through '\u096F',
     *	   Devanagari digits
     * 
    • '\uFF10' through '\uFF19',
     *	   Fullwidth digits
     * 
    
     *
     * Many other character ranges contain digits as well.
     *
     * @param   ch   the character to be tested.
     * @return  true if the character is a digit;
     *          false otherwise.
     * @see     java.lang.Character#digit(char, int)
     * @see     java.lang.Character#forDigit(int, int)
     * @see     java.lang.Character#getType(char)
     */
    public static boolean isDigit(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isDigit(ch);
        } else {
            return CharacterData.isDigit(ch);
        }
    }

    /**
     * Determines if a character is defined in Unicode.
     * 
    
     * A character is defined if at least one of the following is true:
     * 
      
     * 
    • It has an entry in the UnicodeData file.
     * 
    • It has a value in a range defined by the UnicodeData file.
     * 
    
     *
     * @param   ch   the character to be tested
     * @return  true if the character has a defined meaning
     *          in Unicode; false otherwise.
     * @see     java.lang.Character#isDigit(char)
     * @see     java.lang.Character#isLetter(char)
     * @see     java.lang.Character#isLetterOrDigit(char)
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isTitleCase(char)
     * @see     java.lang.Character#isUpperCase(char)
     * @since   1.0.2
     */
    public static boolean isDefined(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isDefined(ch);
        } else {
            return CharacterData.isDefined(ch);
        }
    }

    /**
     * Determines if the specified character is a letter.
     * 
    
     * A character is considered to be a letter if its general
     * category type, provided by Character.getType(ch),
     * is any of the following:
     * 
      
     * 
    •  UPPERCASE_LETTER
     * 
    •  LOWERCASE_LETTER
     * 
    •  TITLECASE_LETTER
     * 
    •  MODIFIER_LETTER
     * 
    •  OTHER_LETTER
     * 
    
     *
     * Not all letters have case. Many characters are
     * letters but are neither uppercase nor lowercase nor titlecase.
     *
     * @param   ch   the character to be tested.
     * @return  true if the character is a letter;
     *          false otherwise.
     * @see     java.lang.Character#isDigit(char)
     * @see     java.lang.Character#isJavaIdentifierStart(char)
     * @see     java.lang.Character#isJavaLetter(char)
     * @see     java.lang.Character#isJavaLetterOrDigit(char)
     * @see     java.lang.Character#isLetterOrDigit(char)
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isTitleCase(char)
     * @see     java.lang.Character#isUnicodeIdentifierStart(char)
     * @see     java.lang.Character#isUpperCase(char)
     */
    public static boolean isLetter(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isLetter(ch);
        } else {
            return CharacterData.isLetter(ch);
        }
    }

    /**
     * Determines if the specified character is a letter or digit.
     * 
    
     * A character is considered to be a letter or digit if either
     * Character.isLetter(char ch) or
     * Character.isDigit(char ch) returns
     * true for the character.
     *
     * @param   ch   the character to be tested.
     * @return  true if the character is a letter or digit;
     *          false otherwise.
     * @see     java.lang.Character#isDigit(char)
     * @see     java.lang.Character#isJavaIdentifierPart(char)
     * @see     java.lang.Character#isJavaLetter(char)
     * @see     java.lang.Character#isJavaLetterOrDigit(char)
     * @see     java.lang.Character#isLetter(char)
     * @see     java.lang.Character#isUnicodeIdentifierPart(char)
     * @since   1.0.2
     */
    public static boolean isLetterOrDigit(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isLetterOrDigit(ch);
        } else {
            return CharacterData.isLetterOrDigit(ch);
        }
    }

    /**
     * Determines if the specified character is permissible as the first
     * character in a Java identifier.
     * 
    
     * A character may start a Java identifier if and only if
     * one of the following is true:
     * 
      
     * 
    •  {@link #isLetter(char) isLetter(ch)} returns true
     * 
    •  {@link #getType(char) getType(ch)} returns LETTER_NUMBER
     * 
    •  ch is a currency symbol (such as "$")
     * 
    •  ch is a connecting punctuation character (such as "_").
     * 
    
     *
     * @param   ch the character to be tested.
     * @return  true if the character may start a Java
     *          identifier; false otherwise.
     * @see     java.lang.Character#isJavaLetterOrDigit(char)
     * @see     java.lang.Character#isJavaIdentifierStart(char)
     * @see     java.lang.Character#isJavaIdentifierPart(char)
     * @see     java.lang.Character#isLetter(char)
     * @see     java.lang.Character#isLetterOrDigit(char)
     * @see     java.lang.Character#isUnicodeIdentifierStart(char)
     * @since   1.02
     * @deprecated Replaced by isJavaIdentifierStart(char).
     */
    public static boolean isJavaLetter(char ch) {
        return isJavaIdentifierStart(ch);
    }

    /**
     * Determines if the specified character may be part of a Java
     * identifier as other than the first character.
     * 
    
     * A character may be part of a Java identifier if and only if any
     * of the following are true:
     * 
      
     * 
    •   it is a letter
     * 
    •   it is a currency symbol (such as '$')
     * 
    •   it is a connecting punctuation character (such as '_')
     * 
    •   it is a digit
     * 
    •   it is a numeric letter (such as a Roman numeral character)
     * 
    •   it is a combining mark
     * 
    •   it is a non-spacing mark
     * 
    •  isIdentifierIgnorable returns
     * true for the character.
     * 
    
     *
     * @param   ch the character to be tested.
     * @return  true if the character may be part of a
     *          Java identifier; false otherwise.
     * @see     java.lang.Character#isJavaLetter(char)
     * @see     java.lang.Character#isJavaIdentifierStart(char)
     * @see     java.lang.Character#isJavaIdentifierPart(char)
     * @see     java.lang.Character#isLetter(char)
     * @see     java.lang.Character#isLetterOrDigit(char)
     * @see     java.lang.Character#isUnicodeIdentifierPart(char)
     * @see     java.lang.Character#isIdentifierIgnorable(char)
     * @since   1.02
     * @deprecated Replaced by isJavaIdentifierPart(char).
     */
    public static boolean isJavaLetterOrDigit(char ch) {
        return isJavaIdentifierPart(ch);
    }

    /**
     * Determines if the specified character is
     * permissible as the first character in a Java identifier.
     * 
    
     * A character may start a Java identifier if and only if
     * one of the following conditions is true:
     * 
      
     * 
    •  {@link #isLetter(char) isLetter(ch)} returns true
     * 
    •  {@link #getType(char) getType(ch)} returns LETTER_NUMBER
     * 
    •  ch is a currency symbol (such as "$")
     * 
    •  ch is a connecting punctuation character (such as "_").
     * 
    
     *
     * @param   ch the character to be tested.
     * @return  true if the character may start a Java identifier;
     *          false otherwise.
     * @see     java.lang.Character#isJavaIdentifierPart(char)
     * @see     java.lang.Character#isLetter(char)
     * @see     java.lang.Character#isUnicodeIdentifierStart(char)
     * @since   1.1
     */
    public static boolean isJavaIdentifierStart(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isJavaIdentifierStart(ch);
        } else {
            return CharacterData.isJavaIdentifierStart(ch);
        }
    }

    /**
     * Determines if the specified character may be part of a Java
     * identifier as other than the first character.
     * 
    
     * A character may be part of a Java identifier if any of the following
     * are true:
     * 
      
     * 
    •   it is a letter
     * 
    •   it is a currency symbol (such as '$')
     * 
    •   it is a connecting punctuation character (such as '_')
     * 
    •   it is a digit
     * 
    •   it is a numeric letter (such as a Roman numeral character)
     * 
    •   it is a combining mark
     * 
    •   it is a non-spacing mark
     * 
    •  isIdentifierIgnorable returns
     * true for the character
     * 
    
     *
     * @param   ch	the character to be tested.
     * @return true if the character may be part of a
     * 		Java identifier; false otherwise.
     * @see     java.lang.Character#isIdentifierIgnorable(char)
     * @see     java.lang.Character#isJavaIdentifierStart(char)
     * @see     java.lang.Character#isLetterOrDigit(char)
     * @see     java.lang.Character#isUnicodeIdentifierPart(char)
     * @since   1.1
     */
    public static boolean isJavaIdentifierPart(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isJavaIdentifierPart(ch);
        } else {
            return CharacterData.isJavaIdentifierPart(ch);
        }
    }

    /**
     * Determines if the specified character is permissible as the
     * first character in a Unicode identifier.
     * 
    
     * A character may start a Unicode identifier if and only if
     * one of the following conditions is true:
     * 
      
     * 
    •  {@link #isLetter(char) isLetter(ch)} returns true
     * 
    •  {@link #getType(char) getType(ch)} returns 
     *      LETTER_NUMBER.
     * 
    
     * @param   ch	the character to be tested.
     * @return  true if the character may start a Unicode 
     *          identifier; false otherwise.
     * @see     java.lang.Character#isJavaIdentifierStart(char)
     * @see     java.lang.Character#isLetter(char)
     * @see     java.lang.Character#isUnicodeIdentifierPart(char)
     * @since   1.1
     */
    public static boolean isUnicodeIdentifierStart(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isUnicodeIdentifierStart(ch);
        } else {
            return CharacterData.isUnicodeIdentifierStart(ch);
        }
    }

    /**
     * Determines if the specified character may be part of a Unicode
     * identifier as other than the first character.
     * 
    
     * A character may be part of a Unicode identifier if and only if
     * one of the following statements is true:
     * 
      
     * 
    •   it is a letter
     * 
    •   it is a connecting punctuation character (such as '_')
     * 
    •   it is a digit
     * 
    •   it is a numeric letter (such as a Roman numeral character)
     * 
    •   it is a combining mark
     * 
    •   it is a non-spacing mark
     * 
    •  isIdentifierIgnorable returns
     * true for this character.
     * 
    
     *
     * @param   ch	the character to be tested.
     * @return  true if the character may be part of a 
     *          Unicode identifier; false otherwise.
     * @see     java.lang.Character#isIdentifierIgnorable(char)
     * @see     java.lang.Character#isJavaIdentifierPart(char)
     * @see     java.lang.Character#isLetterOrDigit(char)
     * @see     java.lang.Character#isUnicodeIdentifierStart(char)
     * @since   1.1
     */
    public static boolean isUnicodeIdentifierPart(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isUnicodeIdentifierPart(ch);
        } else {
            return CharacterData.isUnicodeIdentifierPart(ch);
        }
    }

    /**
     * Determines if the specified character should be regarded as
     * an ignorable character in a Java identifier or a Unicode identifier.
     * 
    
     * The following Unicode characters are ignorable in a Java identifier
     * or a Unicode identifier:
     * 
      
     * 
    • ISO control characters that are not whitespace
     * 
        
     * 
      • '\u0000' through '\u0008'
     * 
      • '\u000E' through '\u001B'
     * 
      • '\u007F' through '\u009F'
     * 
      
     *
     * 
    • all characters that have the FORMAT general
     * category value
     * 
    
     *
     * @param   ch	the character to be tested.
     * @return 	true if the character is an ignorable control 
     *          character that may be part of a Java or Unicode identifier;
     *		 false otherwise.
     * @see     java.lang.Character#isJavaIdentifierPart(char)
     * @see     java.lang.Character#isUnicodeIdentifierPart(char)
     * @since   1.1
     */
    public static boolean isIdentifierIgnorable(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isIdentifierIgnorable(ch);
        } else {
            return CharacterData.isIdentifierIgnorable(ch);
        }
    }

    /**
     * Converts the character argument to lowercase using case
     * mapping information from the UnicodeData file.
     * 
    
     * Note that
     * Character.isLowerCase(Character.toLowerCase(ch))
     * does not always return true for some ranges of
     * characters, particularly those that are symbols or ideographs.
     *
     * @param   ch   the character to be converted.
     * @return  the lowercase equivalent of the character, if any;
     *          otherwise, the character itself.
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isUpperCase(char)
     * @see     java.lang.Character#toTitleCase(char)
     * @see     java.lang.Character#toUpperCase(char)
     */
    public static char toLowerCase(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.toLowerCase(ch);
        } else {
            return CharacterData.toLowerCase(ch);
        }
    }

    /**
     * Converts the character argument to uppercase using case mapping
     * information from the UnicodeData file.
     * 
    
     * Note that
     * Character.isUpperCase(Character.toUpperCase(ch))
     * does not always return true for some ranges of
     * characters, particularly those that are symbols or ideographs.
     *
     * @param   ch   the character to be converted.
     * @return  the uppercase equivalent of the character, if any;
     *          otherwise, the character itself.
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isUpperCase(char)
     * @see     java.lang.Character#toLowerCase(char)
     * @see     java.lang.Character#toTitleCase(char)
     */
    public static char toUpperCase(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.toUpperCase(ch);
        } else {
            return CharacterData.toUpperCase(ch);
        }
    }

    /**
     * Converts the character argument to titlecase using case mapping
     * information from the UnicodeData file. If a character has no
     * explicit titlecase mapping and is not itself a titlecase char
     * according to UnicodeData, then the uppercase mapping is
     * returned as an equivalent titlecase mapping. If the
     * char argument is already a titlecase
     * char, the same char value will be
     * returned.
     * 
    
     * Note that
     * Character.isTitleCase(Character.toTitleCase(ch))
     * does not always return true for some ranges of
     * characters.
     *
     * @param   ch   the character to be converted.
     * @return  the titlecase equivalent of the character, if any;
     *          otherwise, the character itself.
     * @see     java.lang.Character#isTitleCase(char)
     * @see     java.lang.Character#toLowerCase(char)
     * @see     java.lang.Character#toUpperCase(char)
     * @since   1.0.2
     */
    public static char toTitleCase(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.toTitleCase(ch);
        } else {
            return CharacterData.toTitleCase(ch);
        }
    }

    /**
     * Returns the numeric value of the character ch in the
     * specified radix.
     * 
    
     * If the radix is not in the range MIN_RADIX <=
     * radix <= MAX_RADIX or if the
     * value of ch is not a valid digit in the specified
     * radix, -1 is returned. A character is a valid digit
     * if at least one of the following is true:
     * 
      
     * 
    • The method isDigit is true of the character
     *     and the Unicode decimal digit value of the character (or its
     *     single-character decomposition) is less than the specified radix.
     *     In this case the decimal digit value is returned.
     * 
    • The character is one of the uppercase Latin letters
     *     'A' through 'Z' and its code is less than
     *     radix + 'A' - 10.
     *     In this case, ch - 'A' + 10
     *     is returned.
     * 
    • The character is one of the lowercase Latin letters
     *     'a' through 'z' and its code is less than
     *     radix + 'a' - 10.
     *     In this case, ch - 'a' + 10
     *     is returned.
     * 
    
     *
     * @param   ch      the character to be converted.
     * @param   radix   the radix.
     * @return  the numeric value represented by the character in the
     *          specified radix.
     * @see     java.lang.Character#forDigit(int, int)
     * @see     java.lang.Character#isDigit(char)
     */
    public static int digit(char ch, int radix) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.digit(ch, radix);
        } else {
            return CharacterData.digit(ch, radix);
        }
    }

    /**
     * Returns the int value that the specified Unicode
     * character represents. For example, the character
     * '\u216C' (the roman numeral fifty) will return
     * an int with a value of 50.
     * 
    
     * The letters A-Z in their uppercase ('\u0041' through
     * '\u005A'), lowercase
     * ('\u0061' through '\u007A'), and
     * full width variant ('\uFF21' through
     * '\uFF3A' and '\uFF41' through
     * '\uFF5A') forms have numeric values from 10
     * through 35. This is independent of the Unicode specification,
     * which does not assign numeric values to these char
     * values.
     * 
    
     * If the character does not have a numeric value, then -1 is returned.
     * If the character has a numeric value that cannot be represented as a
     * nonnegative integer (for example, a fractional value), then -2
     * is returned.
     *
     * @param   ch	the character to be converted.
     * @return  the numeric value of the character, as a nonnegative int
     *           value; -2 if the character has a numeric value that is not a
     *          nonnegative integer; -1 if the character has no numeric value.
     * @see     java.lang.Character#forDigit(int, int)
     * @see     java.lang.Character#isDigit(char)
     * @since   1.1
     */
    public static int getNumericValue(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.getNumericValue(ch);
        } else {
            return CharacterData.getNumericValue(ch);
        }
    }

    /**
     * Determines if the specified character is ISO-LATIN-1 white space.
     * This method returns true for the following five
     * characters only:
     * 
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
    '\t'            '\u0009'HORIZONTAL TABULATION
    '\n'            '\u000A'NEW LINE
    '\f'            '\u000C'FORM FEED
    '\r'            '\u000D'CARRIAGE RETURN
    ' '  '\u0020'SPACE
    
     *
     * @param      ch   the character to be tested.
     * @return     true if the character is ISO-LATIN-1 white
     *             space; false otherwise.
     * @see        java.lang.Character#isSpaceChar(char)
     * @see        java.lang.Character#isWhitespace(char)
     * @deprecated Replaced by isWhitespace(char).
     */
    public static boolean isSpace(char ch) {
        return (ch <= 0x0020) &&
            (((((1L << 0x0009) |
            (1L << 0x000A) |
            (1L << 0x000C) |
            (1L << 0x000D) |
            (1L << 0x0020)) >> ch) & 1L) != 0);
    }

    /**
     * Determines if the specified character is a Unicode space character.
     * A character is considered to be a space character if and only if
     * it is specified to be a space character by the Unicode standard. This
     * method returns true if the character's general category type is any of
     * the following:
     * 
      
     * 
    •  SPACE_SEPARATOR
     * 
    •  LINE_SEPARATOR
     * 
    •  PARAGRAPH_SEPARATOR
     * 
    
     *
     * @param   ch	the character to be tested.
     * @return 	true if the character is a space character; 
     *		false otherwise.
     * @see     java.lang.Character#isWhitespace(char)
     * @since   1.1
     */
    public static boolean isSpaceChar(char ch) {
        if (ch <=  FAST_PATH_MAX) {
            return CharacterDataLatin1.isSpaceChar(ch);
        } else {
            return CharacterData.isSpaceChar(ch);
        }
    }

    /**
     * Determines if the specified character is white space according to Java.
     * A character is a Java whitespace character if and only if it satisfies
     * one of the following criteria:
     * 
      
     * 
    •  It is a Unicode space character (SPACE_SEPARATOR,
     * 	    LINE_SEPARATOR, or PARAGRAPH_SEPARATOR) 
     *      but is not also a non-breaking space ('\u00A0',
     *      '\u2007', '\u202F').
     * 
    •  It is '\u0009', HORIZONTAL TABULATION.
     * 
    •  It is '\u000A', LINE FEED.
     * 
    •  It is '\u000B', VERTICAL TABULATION.
     * 
    •  It is '\u000C', FORM FEED.
     * 
    •  It is '\u000D', CARRIAGE RETURN.
     * 
    •  It is '\u001C', FILE SEPARATOR.
     * 
    •  It is '\u001D', GROUP SEPARATOR.
     * 
    •  It is '\u001E', RECORD SEPARATOR.
     * 
    •  It is '\u001F', UNIT SEPARATOR.
     * 
    
     *
     * @param   ch the character to be tested.
     * @return  true if the character is a Java whitespace
     *          character; false otherwise.
     * @see     java.lang.Character#isSpaceChar(char)
     * @since   1.1
     */
    public static boolean isWhitespace(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isWhitespace(ch);
        } else {
            return CharacterData.isWhitespace(ch);
        }
    }

    /**
     * Determines if the specified character is an ISO control
     * character.  A character is considered to be an ISO control
     * character if its code is in the range '\u0000'
     * through '\u001F' or in the range
     * '\u007F' through '\u009F'.
     *
     * @param   ch	the character to be tested.
     * @return  true if the character is an ISO control character;
     *          false otherwise.
     *
     * @see     java.lang.Character#isSpaceChar(char)
     * @see     java.lang.Character#isWhitespace(char)
     * @since   1.1
     */
    public static boolean isISOControl(char ch) {
        return (ch <= 0x009F) && ((ch <= 0x001F) || (ch >= 0x007F));
    }

    /**
     * Returns a value indicating a character's general category.
     *
     * @param   ch      the character to be tested.
     * @return  a value of type int representing the 
     *		character's general category.
     * @see     java.lang.Character#COMBINING_SPACING_MARK
     * @see     java.lang.Character#CONNECTOR_PUNCTUATION
     * @see     java.lang.Character#CONTROL
     * @see     java.lang.Character#CURRENCY_SYMBOL
     * @see     java.lang.Character#DASH_PUNCTUATION
     * @see     java.lang.Character#DECIMAL_DIGIT_NUMBER
     * @see     java.lang.Character#ENCLOSING_MARK
     * @see     java.lang.Character#END_PUNCTUATION
     * @see     java.lang.Character#FINAL_QUOTE_PUNCTUATION
     * @see     java.lang.Character#FORMAT
     * @see     java.lang.Character#INITIAL_QUOTE_PUNCTUATION
     * @see     java.lang.Character#LETTER_NUMBER
     * @see     java.lang.Character#LINE_SEPARATOR
     * @see     java.lang.Character#LOWERCASE_LETTER
     * @see     java.lang.Character#MATH_SYMBOL
     * @see     java.lang.Character#MODIFIER_LETTER
     * @see     java.lang.Character#MODIFIER_SYMBOL
     * @see     java.lang.Character#NON_SPACING_MARK
     * @see     java.lang.Character#OTHER_LETTER
     * @see     java.lang.Character#OTHER_NUMBER
     * @see     java.lang.Character#OTHER_PUNCTUATION
     * @see     java.lang.Character#OTHER_SYMBOL
     * @see     java.lang.Character#PARAGRAPH_SEPARATOR
     * @see     java.lang.Character#PRIVATE_USE
     * @see     java.lang.Character#SPACE_SEPARATOR
     * @see     java.lang.Character#START_PUNCTUATION
     * @see     java.lang.Character#SURROGATE
     * @see     java.lang.Character#TITLECASE_LETTER
     * @see     java.lang.Character#UNASSIGNED
     * @see     java.lang.Character#UPPERCASE_LETTER
     * @since   1.1
     */
    public static int getType(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.getType(ch);
        } else {
            return CharacterData.getType(ch);
        }
    }

    /**
     * Determines the character representation for a specific digit in
     * the specified radix. If the value of radix is not a
     * valid radix, or the value of digit is not a valid
     * digit in the specified radix, the null character
     * ('\u0000') is returned.
     * 
    
     * The radix argument is valid if it is greater than or
     * equal to MIN_RADIX and less than or equal to
     * MAX_RADIX. The digit argument is valid if
     * 0 <=digit < radix.
     * 
    
     * If the digit is less than 10, then
     * '0' + digit is returned. Otherwise, the value
     * 'a' + digit - 10 is returned.
     *
     * @param   digit   the number to convert to a character.
     * @param   radix   the radix.
     * @return  the char representation of the specified digit
     *          in the specified radix.
     * @see     java.lang.Character#MIN_RADIX
     * @see     java.lang.Character#MAX_RADIX
     * @see     java.lang.Character#digit(char, int)
     */
    public static char forDigit(int digit, int radix) {
        if ((digit >= radix) || (digit < 0)) {
            return '\0';
        }
        if ((radix < MIN_RADIX) || (radix > MAX_RADIX)) {
            return '\0';
        }
        if (digit < 10) {
            return (char)('0' + digit);
        }
        return (char)('a' - 10 + digit);
    }

    /**
     * Returns the Unicode directionality property for the given
     * character.  Character directionality is used to calculate the
     * visual ordering of text. The directionality value of undefined
     * char values is DIRECTIONALITY_UNDEFINED.
     *
     * @param  ch char for which the directionality property 
     *            is requested.
     * @return the directionality property of the char value.
     *
     * @see Character#DIRECTIONALITY_UNDEFINED
     * @see Character#DIRECTIONALITY_LEFT_TO_RIGHT
     * @see Character#DIRECTIONALITY_RIGHT_TO_LEFT
     * @see Character#DIRECTIONALITY_RIGHT_TO_LEFT_ARABIC
     * @see Character#DIRECTIONALITY_EUROPEAN_NUMBER
     * @see Character#DIRECTIONALITY_EUROPEAN_NUMBER_SEPARATOR
     * @see Character#DIRECTIONALITY_EUROPEAN_NUMBER_TERMINATOR
     * @see Character#DIRECTIONALITY_ARABIC_NUMBER
     * @see Character#DIRECTIONALITY_COMMON_NUMBER_SEPARATOR
     * @see Character#DIRECTIONALITY_NONSPACING_MARK
     * @see Character#DIRECTIONALITY_BOUNDARY_NEUTRAL
     * @see Character#DIRECTIONALITY_PARAGRAPH_SEPARATOR
     * @see Character#DIRECTIONALITY_SEGMENT_SEPARATOR
     * @see Character#DIRECTIONALITY_WHITESPACE
     * @see Character#DIRECTIONALITY_OTHER_NEUTRALS
     * @see Character#DIRECTIONALITY_LEFT_TO_RIGHT_EMBEDDING
     * @see Character#DIRECTIONALITY_LEFT_TO_RIGHT_OVERRIDE
     * @see Character#DIRECTIONALITY_RIGHT_TO_LEFT_EMBEDDING
     * @see Character#DIRECTIONALITY_RIGHT_TO_LEFT_OVERRIDE
     * @see Character#DIRECTIONALITY_POP_DIRECTIONAL_FORMAT
     * @since 1.4
     */
    public static byte getDirectionality(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.getDirectionality(ch);
        } else {
            return CharacterData.getDirectionality(ch);
        }
    }

    /**
     * Determines whether the character is mirrored according to the
     * Unicode specification.  Mirrored characters should have their
     * glyphs horizontally mirrored when displayed in text that is
     * right-to-left.  For example, '\u0028' LEFT
     * PARENTHESIS is semantically defined to be an opening
     * parenthesis.  This will appear as a "(" in text that is
     * left-to-right but as a ")" in text that is right-to-left.
     *
     * @param  ch char for which the mirrored property is requested
     * @return true if the char is mirrored, false
     *         if the char is not mirrored or is not defined.
     * @since 1.4
     */
    public static boolean isMirrored(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.isMirrored(ch);
        } else {
            return CharacterData.isMirrored(ch);
        }
    }

    /**
     * Compares two Character objects numerically.
     *
     * @param   anotherCharacter   the Character to be compared.

     * @return  the value 0 if the argument Character 
     *          is equal to this Character; a value less than 
     *          0 if this Character is numerically less 
     *          than the Character argument; and a value greater than 
     *          0 if this Character is numerically greater 
     *	        than the Character argument (unsigned comparison).  
     *	        Note that this is strictly a numerical comparison; it is not 
     *		locale-dependent.
     * @since   1.2
     */
    public int compareTo(Character anotherCharacter) {
        return this.value - anotherCharacter.value;
    }

    /**
     * Compares this Character object to another object.
     * If the object is a Character, this function
     * behaves like compareTo(Character).  Otherwise, it
     * throws a ClassCastException (as
     * Character objects are comparable only to other
     * Character objects).
     *
     * @param   o the Object to be compared.
     * @return  the value 0 if the argument is a Character
     *		numerically equal to this Character; a value less than
     *		0 if the argument is a Character numerically
     *		greater than this Character; and a value greater than
     *		0 if the argument is a Character numerically
     *		less than this Character.
     * @exception ClassCastException if the argument is not a
     *		  Character.
     * @see     java.lang.Comparable
     * @since 1.2 */
    public int compareTo(Object o) {
        return compareTo((Character)o);
    }


    /**
     * Converts the character argument to uppercase using case mapping
     * information from the UnicodeData file.
     * 
    
     *
     * @param   ch   the char to be converted.
     * @return  either the uppercase equivalent of the character, if 
     *          any, or an error flag (Character.CHAR_ERROR) 
     *          that indicates that a 1:M char mapping exists.
     * @see     java.lang.Character#isLowerCase(char)
     * @see     java.lang.Character#isUpperCase(char)
     * @see     java.lang.Character#toLowerCase(char)
     * @see     java.lang.Character#toTitleCase(char)
     * @since 1.4
     */
    static char toUpperCaseEx(char ch) {
        if (ch <= FAST_PATH_MAX) {
            return CharacterDataLatin1.toUpperCaseEx(ch);
        } else {
            return CharacterData.toUpperCaseEx(ch);
        }
    }

    /**
     * Converts the char argument to uppercase using case
     * mapping information from the SpecialCasing file in the Unicode
     * specification. If a character has no explicit uppercase
     * mapping, then the char itself is returned in the
     * char[].
     *
     * @param ch the char to uppercase
     * @return a char[] with the uppercased character.
     * @since 1.4
     */
    static char[] sharpsMap = new char[] {'S', 'S'};
    
    static char[] toUpperCaseCharArray(char ch) {
        char[] upperMap = {ch};
        if (ch <= FAST_PATH_MAX) {
            if (ch == '\u00DF') {
                upperMap = sharpsMap;
            }
            // else ch -> ch
        } else {
	    int location = findInCharMap(ch);
	    if (location != -1) {
	        upperMap = CharacterData.charMap[location][1];
	    }
        }
        return upperMap;
    }


    /**
     * Finds the character in the uppercase mapping table.
     *
     * @param ch the char to search
     * @return the index location ch in the table or -1 if not found
     * @since 1.4
     */
    static  int findInCharMap(char ch) {
        int top, bottom, current;
        bottom = 0;
        top = CharacterData.charMap.length;
        current = top/2;
        // invariant: top > current >= bottom && ch >= CharacterData.charMap[bottom][0]
        while (top - bottom > 1) {
            if (ch >= CharacterData.charMap[current][0][0]) {
                bottom = current;
            } else {
                top = current;
            }
            current = (top + bottom) / 2;
        }
        if (ch == CharacterData.charMap[current][0][0]) return current;
        else return -1;
    }
}
why-2.34/lib/java_api/java/lang/Integer.java0000644000175000017500000010564612311670312017253 0ustar  rtusers/*
 * @(#)Integer.java	1.76 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * The Integer class wraps a value of the primitive type
 * int in an object. An object of type
 * Integer contains a single field whose type is
 * int.
 *
 *  
    
 * 
 * In addition, this class provides several methods for converting an
 * int to a String and a String
 * to an int, as well as other constants and methods
 * useful when dealing with an int.
 *
 * @author  Lee Boynton
 * @author  Arthur van Hoff
 * @version 1.76, 01/23/03
 * @since   JDK1.0
 */
public final class Integer extends Number implements Comparable {
    /**
     * A constant holding the minimum value an int can
     * have, -231.
     */
    public static final int   MIN_VALUE = 0x80000000;

    /**
     * A constant holding the maximum value an int can
     * have, 231-1.
     */
    public static final int   MAX_VALUE = 0x7fffffff;

    /**
     * The Class instance representing the primitive type
     * int.
     *
     * @since   JDK1.1
     */
    //KML public static final Class	TYPE = Class.getPrimitiveClass("int");

    /**
     * All possible chars for representing a number as a String
     */
    /* KML
    final static char[] digits = {
	'0' , '1' , '2' , '3' , '4' , '5' ,
	'6' , '7' , '8' , '9' , 'a' , 'b' ,
	'c' , 'd' , 'e' , 'f' , 'g' , 'h' ,
	'i' , 'j' , 'k' , 'l' , 'm' , 'n' ,
	'o' , 'p' , 'q' , 'r' , 's' , 't' ,
	'u' , 'v' , 'w' , 'x' , 'y' , 'z'
    };
    */

    /**
     * Returns a string representation of the first argument in the
     * radix specified by the second argument.
     * 
    
     * If the radix is smaller than Character.MIN_RADIX
     * or larger than Character.MAX_RADIX, then the radix
     * 10 is used instead.
     * 
    
     * If the first argument is negative, the first element of the
     * result is the ASCII minus character '-'
     * ('\u002D'). If the first argument is not
     * negative, no sign character appears in the result.
     * 
    
     * The remaining characters of the result represent the magnitude
     * of the first argument. If the magnitude is zero, it is
     * represented by a single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the magnitude will not be the zero
     * character.  The following ASCII characters are used as digits: 
     * 
         *   0123456789abcdefghijklmnopqrstuvwxyz
     * 
    
     * These are '\u0030' through
     * '\u0039' and '\u0061' through
     * '\u007A'. If radix is
     * N, then the first N of these characters
     * are used as radix-N digits in the order shown. Thus,
     * the digits for hexadecimal (radix 16) are
     * 0123456789abcdef. If uppercase letters are
     * desired, the {@link java.lang.String#toUpperCase()} method may
     * be called on the result:
     * 
         * Integer.toString(n, 16).toUpperCase()
     * 
    
     *
     * @param   i       an integer to be converted to a string.
     * @param   radix   the radix to use in the string representation.
     * @return  a string representation of the argument in the specified radix.
     * @see     java.lang.Character#MAX_RADIX
     * @see     java.lang.Character#MIN_RADIX
     */
    public static String toString(int i, int radix) {

        if (radix < Character.MIN_RADIX || radix > Character.MAX_RADIX)
	    radix = 10;

	/* Use the faster version */
	if (radix == 10) {
	    return toString(i);
	}

	char buf[] = new char[33];
	boolean negative = (i < 0);
	int charPos = 32;

	if (!negative) {
	    i = -i;
	}

	while (i <= -radix) {
	    buf[charPos--] = digits[-(i % radix)];
	    i = i / radix;
	}
	buf[charPos] = digits[-i];

	if (negative) {
	    buf[--charPos] = '-';
	}

	return new String(buf, charPos, (33 - charPos));
    }

    /**
     * Returns a string representation of the integer argument as an
     * unsigned integer in base 16.
     * 
    
     * The unsigned integer value is the argument plus 232
     * if the argument is negative; otherwise, it is equal to the
     * argument.  This value is converted to a string of ASCII digits
     * in hexadecimal (base 16) with no extra leading
     * 0s. If the unsigned magnitude is zero, it is
     * represented by a single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the unsigned magnitude will not be the
     * zero character. The following characters are used as
     * hexadecimal digits:
     * 
         * 0123456789abcdef
     * 
    
     * These are the characters '\u0030' through
     * '\u0039' and '\u0061' through
     * '\u0066'. If uppercase letters are
     * desired, the {@link java.lang.String#toUpperCase()} method may
     * be called on the result:
     * 
         * Integer.toHexString(n).toUpperCase()
     * 
    
     *
     * @param   i   an integer to be converted to a string.
     * @return  the string representation of the unsigned integer value
     *          represented by the argument in hexadecimal (base 16).
     * @since   JDK1.0.2
     */
    public static String toHexString(int i) {
	return toUnsignedString(i, 4);
    }

    /**
     * Returns a string representation of the integer argument as an
     * unsigned integer in base 8.
     * 
    
     * The unsigned integer value is the argument plus 232
     * if the argument is negative; otherwise, it is equal to the
     * argument.  This value is converted to a string of ASCII digits
     * in octal (base 8) with no extra leading 0s.
     * 
    
     * If the unsigned magnitude is zero, it is represented by a
     * single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the unsigned magnitude will not be the
     * zero character. The following characters are used as octal
     * digits:
     * 
         * 01234567
     * 
    
     * These are the characters '\u0030' through
     * '\u0037'.
     *
     * @param   i   an integer to be converted to a string.
     * @return  the string representation of the unsigned integer value
     *          represented by the argument in octal (base 8).
     * @since   JDK1.0.2
     */
    public static String toOctalString(int i) {
	return toUnsignedString(i, 3);
    }

    /**
     * Returns a string representation of the integer argument as an
     * unsigned integer in base 2.
     * 
    
     * The unsigned integer value is the argument plus 232
     * if the argument is negative; otherwise it is equal to the
     * argument.  This value is converted to a string of ASCII digits
     * in binary (base 2) with no extra leading 0s.
     * If the unsigned magnitude is zero, it is represented by a
     * single zero character '0'
     * ('\u0030'); otherwise, the first character of
     * the representation of the unsigned magnitude will not be the
     * zero character. The characters '0'
     * ('\u0030') and '1'
     * ('\u0031') are used as binary digits.
     *
     * @param   i   an integer to be converted to a string.
     * @return  the string representation of the unsigned integer value
     *          represented by the argument in binary (base 2).
     * @since   JDK1.0.2
     */
    public static String toBinaryString(int i) {
	return toUnsignedString(i, 1);
    }

    /**
     * Convert the integer to an unsigned number.
     */
    private static String toUnsignedString(int i, int shift) {
	char[] buf = new char[32];
	int charPos = 32;
	int radix = 1 << shift;
	int mask = radix - 1;
	do {
	    buf[--charPos] = digits[i & mask];
	    i >>>= shift;
	} while (i != 0);

	return new String(buf, charPos, (32 - charPos));
    }

    /* KML
    final static char [] DigitTens = {
	'0', '0', '0', '0', '0', '0', '0', '0', '0', '0',
	'1', '1', '1', '1', '1', '1', '1', '1', '1', '1',
	'2', '2', '2', '2', '2', '2', '2', '2', '2', '2',
	'3', '3', '3', '3', '3', '3', '3', '3', '3', '3',
	'4', '4', '4', '4', '4', '4', '4', '4', '4', '4',
	'5', '5', '5', '5', '5', '5', '5', '5', '5', '5',
	'6', '6', '6', '6', '6', '6', '6', '6', '6', '6',
	'7', '7', '7', '7', '7', '7', '7', '7', '7', '7',
	'8', '8', '8', '8', '8', '8', '8', '8', '8', '8',
	'9', '9', '9', '9', '9', '9', '9', '9', '9', '9',
	} ; 

    final static char [] DigitOnes = { 
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	} ;
    */
	// I use the "invariant division by multiplication" trick to
	// accelerate Integer.toString.  In particular we want to
	// avoid division by 10.
	//
	// The "trick" has roughly the same performance characterists
	// as the "classic" Integer.toString code on a non-JIT VM.
	// The trick avoids .rem and .div calls but has a longer code
	// path and is thus dominated by dispatch overhead.  In the
	// JIT case the dispatch overhead doesn't exist and the
	// "trick" is considerably faster than the classic code.
	//
	// TODO-FIXME: convert (x * 52429) into the equiv shift-add
	// sequence.
	//
	// RE:  Division by Invariant Integers using Multiplication
	//      T Gralund, P Montgomery
	//      ACM PLDI 1994
	//

    /**
     * Returns a String object representing the
     * specified integer. The argument is converted to signed decimal
     * representation and returned as a string, exactly as if the
     * argument and radix 10 were given as arguments to the {@link
     * #toString(int, int)} method.
     *
     * @param   i   an integer to be converted.
     * @return  a string representation of the argument in base 10.
     */
    public static String toString(int i) {
        switch(i) {
            case Integer.MIN_VALUE: return "-2147483648";
            case -3: return "-3";
            case -2: return "-2";
            case -1: return "-1";
            case 0: return "0";
            case 1: return "1";
            case 2: return "2";
            case 3: return "3";
            case 4: return "4";
            case 5: return "5";
            case 6: return "6";
            case 7: return "7";
            case 8: return "8";
            case 9: return "9";
            case 10: return "10";
        }
        char[] buf = (char[])(perThreadBuffer.get());
        int charPos = getChars(i, buf);
        return new String(buf, charPos, 12 - charPos);
    }

    // Per-thread buffer for string/stringbuffer conversion
    // private static ThreadLocal perThreadBuffer = new ThreadLocal() {
    //    protected synchronized Object initialValue() {
    //        return new char[12];
    //    }
    //};

    private static int getChars(int i, char[] buf) {
        int q, r;
        int charPos = 12;
        char sign = 0;

        if (i < 0) { 
            sign = '-';
            i = -i;
        }

        // Generate two digits per iteration
        while (i >= 65536) {
            q = i / 100;
        // really: r = i - (q * 100);
            r = i - ((q << 6) + (q << 5) + (q << 2));
            i = q;
            buf [--charPos] = DigitOnes[r];
            buf [--charPos] = DigitTens[r];
        }

        // Fall thru to fast mode for smaller numbers
        // assert(i <= 65536, i);
        for (;;) { 
            q = (i * 52429) >>> (16+3);
            r = i - ((q << 3) + (q << 1));  // r = i-(q*10) ...
            buf [--charPos] = digits [r];
            i = q;
            if (i == 0) break;
        }
        if (sign != 0) {
            buf [--charPos] = sign;
        }
        return charPos;
    }
 
    static void appendTo(int i, StringBuffer sb) {
        switch(i) {
            case Integer.MIN_VALUE:
                sb.append("-2147483648");
                return;
            case -3: sb.append("-3"); return;
            case -2: sb.append("-2"); return;
            case -1: sb.append("-1"); return;
            case 0: sb.append("0"); return;
            case 1: sb.append("1"); return;
            case 2: sb.append("2"); return;
            case 3: sb.append("3"); return;
            case 4: sb.append("4"); return;
            case 5: sb.append("5"); return;
            case 6: sb.append("6"); return;
            case 7: sb.append("7"); return;
            case 8: sb.append("8"); return;
            case 9: sb.append("9"); return;
            case 10: sb.append("10"); return;
        }
        char[] buf = (char[])(perThreadBuffer.get());
        int charPos = getChars(i, buf);
        sb.append(buf, charPos, 12 - charPos);
    }
    
    /**
     * Parses the string argument as a signed integer in the radix 
     * specified by the second argument. The characters in the string 
     * must all be digits of the specified radix (as determined by 
     * whether {@link java.lang.Character#digit(char, int)} returns a 
     * nonnegative value), except that the first character may be an 
     * ASCII minus sign '-' ('\u002D') to 
     * indicate a negative value. The resulting integer value is returned. 
     * 
    
     * An exception of type NumberFormatException is
     * thrown if any of the following situations occurs:
     * 
      
     * 
    • The first argument is null or is a string of
     * length zero.
     * 
    • The radix is either smaller than 
     * {@link java.lang.Character#MIN_RADIX} or
     * larger than {@link java.lang.Character#MAX_RADIX}. 
     * 
    • Any character of the string is not a digit of the specified
     * radix, except that the first character may be a minus sign
     * '-' ('\u002D') provided that the
     * string is longer than length 1.
     * 
    • The value represented by the string is not a value of type
     * int. 
     * 
    
     * Examples:
     * 
         * parseInt("0", 10) returns 0
     * parseInt("473", 10) returns 473
     * parseInt("-0", 10) returns 0
     * parseInt("-FF", 16) returns -255
     * parseInt("1100110", 2) returns 102
     * parseInt("2147483647", 10) returns 2147483647
     * parseInt("-2147483648", 10) returns -2147483648
     * parseInt("2147483648", 10) throws a NumberFormatException
     * parseInt("99", 8) throws a NumberFormatException
     * parseInt("Kona", 10) throws a NumberFormatException
     * parseInt("Kona", 27) returns 411787
     * 
    
     *
     * @param      s   the String containing the integer 
     * 			representation to be parsed
     * @param      radix   the radix to be used while parsing s.
     * @return     the integer represented by the string argument in the
     *             specified radix.
     * @exception  NumberFormatException if the String
     * 		   does not contain a parsable int.
     */
    public static int parseInt(String s, int radix)
		throws NumberFormatException
    {
        if (s == null) {
            throw new NumberFormatException("null");
        }

	/*KML
	if (radix < Character.MIN_RADIX) {
	    throw new NumberFormatException("radix " + radix +
					    " less than Character.MIN_RADIX");
	}

	if (radix > Character.MAX_RADIX) {
	    throw new NumberFormatException("radix " + radix +
					    " greater than Character.MAX_RADIX");
	}
	*/

	int result = 0;
	boolean negative = false;
	int i = 0, max = s.length();
	int limit;
	int multmin;
	int digit;

	if (max > 0) {
	    if (s.charAt(0) == '-') {
		negative = true;
		limit = Integer.MIN_VALUE;
		i++;
	    } else {
		limit = -Integer.MAX_VALUE;
	    }
	    multmin = limit / radix;
	    if (i < max) {
		digit = Character.digit(s.charAt(i++),radix);
		if (digit < 0) {
		    throw NumberFormatException.forInputString(s);
		} else {
		    result = -digit;
		}
	    }
	    while (i < max) {
		// Accumulating negatively avoids surprises near MAX_VALUE
		digit = Character.digit(s.charAt(i++),radix);
		if (digit < 0) {
		    throw NumberFormatException.forInputString(s);
		}
		if (result < multmin) {
		    throw NumberFormatException.forInputString(s);
		}
		result *= radix;
		if (result < limit + digit) {
		    throw NumberFormatException.forInputString(s);
		}
		result -= digit;
	    }
	} else {
	    throw NumberFormatException.forInputString(s);
	}
	if (negative) {
	    if (i > 1) {
		return result;
	    } else {	/* Only got "-" */
		throw NumberFormatException.forInputString(s);
	    }
	} else {
	    return -result;
	}
    }

    /**
     * Parses the string argument as a signed decimal integer. The 
     * characters in the string must all be decimal digits, except that 
     * the first character may be an ASCII minus sign '-' 
     * ('\u002D') to indicate a negative value. The resulting 
     * integer value is returned, exactly as if the argument and the radix 
     * 10 were given as arguments to the 
     * {@link #parseInt(java.lang.String, int)} method.
     *
     * @param s	   a String containing the int
     *             representation to be parsed
     * @return     the integer value represented by the argument in decimal.
     * @exception  NumberFormatException  if the string does not contain a
     *               parsable integer.
     */
    public static int parseInt(String s) throws NumberFormatException {
	return parseInt(s,10);
    }

    /**
     * Returns an Integer object holding the value
     * extracted from the specified String when parsed
     * with the radix given by the second argument. The first argument
     * is interpreted as representing a signed integer in the radix
     * specified by the second argument, exactly as if the arguments
     * were given to the {@link #parseInt(java.lang.String, int)}
     * method. The result is an Integer object that
     * represents the integer value specified by the string.
     * 
    
     * In other words, this method returns an Integer
     * object equal to the value of:
     *
     * 
    
     * new Integer(Integer.parseInt(s, radix))  
     * 
    
     *
     * @param      s   the string to be parsed.
     * @param      radix the radix to be used in interpreting s
     * @return     an Integer object holding the value
     *             represented by the string argument in the specified
     *             radix.
     * @exception NumberFormatException if the String
     * 		  does not contain a parsable int.
     */
    public static Integer valueOf(String s, int radix) throws NumberFormatException {
	return new Integer(parseInt(s,radix));
    }

    /**
     * Returns an Integer object holding the
     * value of the specified String. The argument is
     * interpreted as representing a signed decimal integer, exactly
     * as if the argument were given to the {@link
     * #parseInt(java.lang.String)} method. The result is an
     * Integer object that represents the integer value
     * specified by the string.
     * 
    
     * In other words, this method returns an Integer
     * object equal to the value of:
     *
     * 
    
     * new Integer(Integer.parseInt(s))
     * 
    
     *
     * @param      s   the string to be parsed.
     * @return     an Integer object holding the value
     *             represented by the string argument.
     * @exception  NumberFormatException  if the string cannot be parsed 
     *             as an integer.
     */
    public static Integer valueOf(String s) throws NumberFormatException
    {
	return new Integer(parseInt(s, 10));
    }

    /**
     * The value of the Integer.
     *
     * @serial
     */
    private int value;

    /**
     * Constructs a newly allocated Integer object that
     * represents the specified int value.
     *
     * @param   value   the value to be represented by the 
     *			Integer object.
     */
    /*@ ensures this.value == value;
      @*/
    public Integer(int value) {
	this.value = value;
    }

    /**
     * Constructs a newly allocated Integer object that
     * represents the int value indicated by the
     * String parameter. The string is converted to an
     * int value in exactly the manner used by the
     * parseInt method for radix 10.
     *
     * @param      s   the String to be converted to an
     *                 Integer.
     * @exception  NumberFormatException  if the String does not
     *               contain a parsable integer.
     * @see        java.lang.Integer#parseInt(java.lang.String, int)
     */
    public Integer(String s) throws NumberFormatException {
	this.value = parseInt(s, 10);
    }

    /**
     * Returns the value of this Integer as a
     * byte.
     */
    public byte byteValue() {
	return (byte)value;
    }

    /**
     * Returns the value of this Integer as a
     * short.
     */
    public short shortValue() {
	return (short)value;
    }

    /**
     * Returns the value of this Integer as an
     * int.
     */
    /*@ ensures \result == this.value;
      @*/
    public int intValue() {
	return value;
    }

    /**
     * Returns the value of this Integer as a
     * long.
     */
    public long longValue() {
	return (long)value;
    }

    /**
     * Returns the value of this Integer as a
     * float.
     */
    public float floatValue() {
	return (float)value;
    }

    /**
     * Returns the value of this Integer as a
     * double.
     */
    public double doubleValue() {
	return (double)value;
    }

    /**
     * Returns a String object representing this
     * Integer's value. The value is converted to signed
     * decimal representation and returned as a string, exactly as if
     * the integer value were given as an argument to the {@link
     * java.lang.Integer#toString(int)} method.
     *
     * @return  a string representation of the value of this object in
     *          base 10.
     */
    public String toString() {
	return String.valueOf(value);
    }

    /**
     * Returns a hash code for this Integer.
     *
     * @return  a hash code value for this object, equal to the 
     *          primitive int value represented by this 
     *          Integer object. 
     */
    public int hashCode() {
	return value;
    }

    /**
     * Compares this object to the specified object.  The result is
     * true if and only if the argument is not
     * null and is an Integer object that
     * contains the same int value as this object.
     *
     * @param   obj   the object to compare with.
     * @return  true if the objects are the same;
     *          false otherwise.
     */
    public boolean equals(Object obj) {
	if (obj instanceof Integer) {
	    return value == ((Integer)obj).intValue();
	}
	return false;
    }

    /**
     * Determines the integer value of the system property with the
     * specified name.
     * 
    
     * The first argument is treated as the name of a system property. 
     * System properties are accessible through the 
     * {@link java.lang.System#getProperty(java.lang.String)} method. The 
     * string value of this property is then interpreted as an integer 
     * value and an Integer object representing this value is 
     * returned. Details of possible numeric formats can be found with 
     * the definition of getProperty. 
     * 
    
     * If there is no property with the specified name, if the specified name
     * is empty or null, or if the property does not have 
     * the correct numeric format, then null is returned.
     * 
    
     * In other words, this method returns an Integer
     * object equal to the value of:
     *
     * 
    
     * getInteger(nm, null)
     * 
    
     *
     * @param   nm   property name.
     * @return  the Integer value of the property.
     * @see     java.lang.System#getProperty(java.lang.String)
     * @see     java.lang.System#getProperty(java.lang.String, java.lang.String)
     */
    public static Integer getInteger(String nm) {
	return getInteger(nm, null);
    }

    /**
     * Determines the integer value of the system property with the
     * specified name.
     * 
    
     * The first argument is treated as the name of a system property.
     * System properties are accessible through the {@link
     * java.lang.System#getProperty(java.lang.String)} method. The 
     * string value of this property is then interpreted as an integer 
     * value and an Integer object representing this value is 
     * returned. Details of possible numeric formats can be found with 
     * the definition of getProperty. 
     * 
    
     * The second argument is the default value. An Integer object
     * that represents the value of the second argument is returned if there
     * is no property of the specified name, if the property does not have
     * the correct numeric format, or if the specified name is empty or
     *  null.
     * 
    
     * In other words, this method returns an Integer object 
     * equal to the value of:
     * 
    
     * getInteger(nm, new Integer(val))
     * 
    
     * but in practice it may be implemented in a manner such as: 
     * 
         * Integer result = getInteger(nm, null);
     * return (result == null) ? new Integer(val) : result;
     * 
    
     * to avoid the unnecessary allocation of an Integer 
     * object when the default value is not needed. 
     *
     * @param   nm   property name.
     * @param   val   default value.
     * @return  the Integer value of the property.
     * @see     java.lang.System#getProperty(java.lang.String)
     * @see     java.lang.System#getProperty(java.lang.String, java.lang.String)
     */
    public static Integer getInteger(String nm, int val) {
        Integer result = getInteger(nm, null);
        return (result == null) ? new Integer(val) : result;
    }

    /**
     * Returns the integer value of the system property with the
     * specified name.  The first argument is treated as the name of a
     * system property.  System properties are accessible through the
     * {@link java.lang.System#getProperty(java.lang.String)} method.
     * The string value of this property is then interpreted as an
     * integer value, as per the Integer.decode method,
     * and an Integer object representing this value is
     * returned.
     * 
    
     * 
    • If the property value begins with the two ASCII characters 
     *         0x or the ASCII character #, not 
     *      followed by a minus sign, then the rest of it is parsed as a 
     *      hexadecimal integer exactly as by the method 
     *      {@link #valueOf(java.lang.String, int)} with radix 16. 
     * 
    • If the property value begins with the ASCII character 
     *     0 followed by another character, it is parsed as an 
     *     octal integer exactly as by the method 
     *     {@link #valueOf(java.lang.String, int)} with radix 8. 
     * 
    • Otherwise, the property value is parsed as a decimal integer 
     * exactly as by the method {@link #valueOf(java.lang.String, int)} 
     * with radix 10. 
     * 
    
     * The second argument is the default value. The default value is
     * returned if there is no property of the specified name, if the
     * property does not have the correct numeric format, or if the
     * specified name is empty or null.
     *
     * @param   nm   property name.
     * @param   val   default value.
     * @return  the Integer value of the property.
     * @see     java.lang.System#getProperty(java.lang.String)
     * @see java.lang.System#getProperty(java.lang.String, java.lang.String)
     * @see java.lang.Integer#decode
     */
    public static Integer getInteger(String nm, Integer val) {
	/*KML
	  String v = null;
        try {
            v = System.getProperty(nm);
        } catch (IllegalArgumentException e) {
        } catch (NullPointerException e) {
        }
	if (v != null) {
	    try {
		return Integer.decode(v);
	    } catch (NumberFormatException e) {
	    }
	}
	*/
	return val;
    }

    /**
     * Decodes a String into an Integer.
     * Accepts decimal, hexadecimal, and octal numbers numbers given
     * by the following grammar:
     *
     * 
    
     * 
    
     * 
    DecodableString:
     * 
    Signopt DecimalNumeral
     * 
    Signopt 0x HexDigits
     * 
    Signopt 0X HexDigits
     * 
    Signopt # HexDigits
     * 
    Signopt 0 OctalDigits
     * 
    
     * 
    Sign:
     * 
    -
     * 
    
     * 
    
     *
     * DecimalNumeral, HexDigits, and OctalDigits
     * are defined in §3.10.1 
     * of the Java 
     * Language Specification.
     * 
    
     * The sequence of characters following an (optional) negative
     * sign and/or radix specifier ("0x",
     * "0X", "#", or
     * leading zero) is parsed as by the Integer.parseInt
     * method with the indicated radix (10, 16, or 8).  This sequence
     * of characters must represent a positive value or a {@link
     * NumberFormatException} will be thrown.  The result is negated
     * if first character of the specified String is the
     * minus sign.  No whitespace characters are permitted in the
     * String.
     *
     * @param     nm the String to decode.
     * @return    a Integer object holding the int
     *		   value represented by nm
     * @exception NumberFormatException  if the String does not
     *            contain a parsable integer.
     * @see java.lang.Integer#parseInt(java.lang.String, int)
     * @since 1.2
     */
    public static Integer decode(String nm) throws NumberFormatException {
        int radix = 10;
        int index = 0;
        boolean negative = false;
        Integer result;

        // Handle minus sign, if present
        if (nm.startsWith("-")) {
            negative = true;
            index++;
        }

        // Handle radix specifier, if present
	if (nm.startsWith("0x", index) || nm.startsWith("0X", index)) {
	    index += 2;
            radix = 16;
	}
	else if (nm.startsWith("#", index)) {
	    index ++;
            radix = 16;
	}
	else if (nm.startsWith("0", index) && nm.length() > 1 + index) {
	    index ++;
            radix = 8;
	}

        if (nm.startsWith("-", index))
            throw new NumberFormatException("Negative sign in wrong position");

        try {
            result = Integer.valueOf(nm.substring(index), radix);
            result = negative ? new Integer(-result.intValue()) : result;
        } catch (NumberFormatException e) {
            // If number is Integer.MIN_VALUE, we'll end up here. The next line
            // handles this case, and causes any genuine format error to be
            // rethrown.
            String constant = negative ? new String("-" + nm.substring(index))
                                       : nm.substring(index);
            result = Integer.valueOf(constant, radix);
        }
        return result;
    }

    /**
     * Compares two Integer objects numerically.
     *
     * @param   anotherInteger   the Integer to be compared.
     * @return	the value 0 if this Integer is
     * 		equal to the argument Integer; a value less than
     * 		0 if this Integer is numerically less
     * 		than the argument Integer; and a value greater 
     * 		than 0 if this Integer is numerically
     * 		 greater than the argument Integer (signed
     * 		 comparison).
     * @since   1.2
     */
    public int compareTo(Integer anotherInteger) {
	int thisVal = this.value;
	int anotherVal = anotherInteger.value;
	return (thisValInteger object to another object.
     * If the object is an Integer, this function behaves
     * like compareTo(Integer).  Otherwise, it throws a
     * ClassCastException (as Integer
     * objects are only comparable to other Integer
     * objects).
     *
     * @param   o the Object to be compared.
     * @return  the value 0 if the argument is a 
     *		Integer numerically equal to this 
     *		Integer; a value less than 0 
     *		if the argument is a Integer numerically 
     *		greater than this Integer; and a value 
     *		greater than 0 if the argument is a 
     *		Integer numerically less than this 
     *		Integer.
     * @exception ClassCastException if the argument is not an
     *		  Integer.
     * @see     java.lang.Comparable
     * @since   1.2
     */
    public int compareTo(Object o) {
	return compareTo((Integer)o);
    }

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = 1360826667806852920L;
}
why-2.34/lib/java_api/java/lang/Math.java0000644000175000017500000011057212311670312016541 0ustar  rtusers/*
 * @(#)Math.java	1.57 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;
//KML import java.util.Random;


/**
 * The class Math contains methods for performing basic
 * numeric operations such as the elementary exponential, logarithm,
 * square root, and trigonometric functions.
 * 
    
 * Unlike some of the numeric methods of class
 * StrictMath, all implementations of the equivalent
 * functions of class Math are not defined to return the
 * bit-for-bit same results.  This relaxation permits
 * better-performing implementations where strict reproducibility is
 * not required.
 * 
    
 * By default many of the Math methods simply call
 * the equivalent method in StrictMath for their
 * implementation.  Code generators are encouraged to use
 * platform-specific native libraries or microprocessor instructions,
 * where available, to provide higher-performance implementations of
 * Math methods.  Such higher-performance
 * implementations still must conform to the specification for
 * Math.
 * 
    
 * The quality of implementation specifications concern two
 * properties, accuracy of the returned result and monotonicity of the
 * method.  Accuracy of the floating-point Math methods
 * is measured in terms of ulps, units in the last place.  For
 * a given floating-point format, an ulp of a specific real number
 * value is the difference between the two floating-point values
 * closest to that numerical value.  When discussing the accuracy of a
 * method as a whole rather than at a specific argument, the number of
 * ulps cited is for the worst-case error at any argument.  If a
 * method always has an error less than 0.5 ulps, the method always
 * returns the floating-point number nearest the exact result; such a
 * method is correctly rounded.  A correctly rounded method is
 * generally the best a floating-point approximation can be; however,
 * it is impractical for many floating-point methods to be correctly
 * rounded.  Instead, for the Math class, a larger error
 * bound of 1 or 2 ulps is allowed for certain methods.  Informally,
 * with a 1 ulp error bound, when the exact result is a representable
 * number the exact result should be returned; otherwise, either of
 * the two floating-point numbers closest to the exact result may be
 * returned.  Besides accuracy at individual arguments, maintaining
 * proper relations between the method at different arguments is also
 * important.  Therefore, methods with more than 0.5 ulp errors are
 * required to be semi-monotonic: whenever the mathematical
 * function is non-decreasing, so is the floating-point approximation,
 * likewise, whenever the mathematical function is non-increasing, so
 * is the floating-point approximation.  Not all approximations that
 * have 1 ulp accuracy will automatically meet the monotonicity
 * requirements.
 * 
 * @author  unascribed
 * @version 1.57, 01/23/03
 * @since   JDK1.0
 */

public final strictfp class Math {

    /**
     * Don't let anyone instantiate this class.
     */
    private Math() {}

    /**
     * The double value that is closer than any other to
     * e, the base of the natural logarithms.
     */
    public static final double E = 2.7182818284590452354;

    /**
     * The double value that is closer than any other to
     * pi, the ratio of the circumference of a circle to its
     * diameter.
     */
    public static final double PI = 3.14159265358979323846;

    /**
     * Returns the trigonometric sine of an angle.  Special cases:
     * 
    • If the argument is NaN or an infinity, then the 
     * result is NaN.
     * 
    • If the argument is zero, then the result is a zero with the
     * same sign as the argument.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   an angle, in radians.
     * @return  the sine of the argument.
     */
    public static double sin(double a) {
	//KML return StrictMath.sin(a); // default impl. delegates to StrictMath
    }
    
    /**
     * Returns the trigonometric cosine of an angle. Special cases:
     * 
    • If the argument is NaN or an infinity, then the 
     * result is NaN.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   an angle, in radians.
     * @return  the cosine of the argument.
     */
    public static double cos(double a) {
	//KML return StrictMath.cos(a); // default impl. delegates to StrictMath
    }
   
    /**
     * Returns the trigonometric tangent of an angle.  Special cases:
     * 
    • If the argument is NaN or an infinity, then the result 
     * is NaN.
     * 
    • If the argument is zero, then the result is a zero with the
     * same sign as the argument.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   an angle, in radians.
     * @return  the tangent of the argument.
     */
    public static double tan(double a) {
	//KML return StrictMath.tan(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the arc sine of an angle, in the range of -pi/2 through
     * pi/2. Special cases: 
     * 
    • If the argument is NaN or its absolute value is greater 
     * than 1, then the result is NaN.
     * 
    • If the argument is zero, then the result is a zero with the
     * same sign as the argument.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   the value whose arc sine is to be returned.
     * @return  the arc sine of the argument.
     */
    public static double asin(double a) {
	//KML return StrictMath.asin(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the arc cosine of an angle, in the range of 0.0 through
     * pi.  Special case:
     * 
    • If the argument is NaN or its absolute value is greater 
     * than 1, then the result is NaN.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results 
     * must be semi-monotonic.
     *
     * @param   a   the value whose arc cosine is to be returned.
     * @return  the arc cosine of the argument.
     */
    public static double acos(double a) {
	//KML return StrictMath.acos(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the arc tangent of an angle, in the range of -pi/2
     * through pi/2.  Special cases: 
     * 
    • If the argument is NaN, then the result is NaN.
     * 
    • If the argument is zero, then the result is a zero with the
     * same sign as the argument.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   the value whose arc tangent is to be returned.
     * @return  the arc tangent of the argument.
     */
    public static double atan(double a) {
	//KML return StrictMath.atan(a); // default impl. delegates to StrictMath
    }

    /**
     * Converts an angle measured in degrees to an approximately
     * equivalent angle measured in radians.  The conversion from
     * degrees to radians is generally inexact.
     *
     * @param   angdeg   an angle, in degrees
     * @return  the measurement of the angle angdeg
     *          in radians.
     * @since   1.2
     */
    public static double toRadians(double angdeg) {
	return angdeg / 180.0 * PI;
    }

    /**
     * Converts an angle measured in radians to an approximately
     * equivalent angle measured in degrees.  The conversion from
     * radians to degrees is generally inexact; users should
     * not expect cos(toRadians(90.0)) to exactly
     * equal 0.0.
     *
     * @param   angrad   an angle, in radians
     * @return  the measurement of the angle angrad
     *          in degrees.
     * @since   1.2
     */
    public static double toDegrees(double angrad) {
	return angrad * 180.0 / PI;
    }

    /**
     * Returns Euler's number e raised to the power of a
     * double value.  Special cases:
     * 
    • If the argument is NaN, the result is NaN.
     * 
    • If the argument is positive infinity, then the result is 
     * positive infinity.
     * 
    • If the argument is negative infinity, then the result is 
     * positive zero.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   the exponent to raise e to.
     * @return  the value ea, 
     *          where e is the base of the natural logarithms.
     */
    public static double exp(double a) {
	//KML return StrictMath.exp(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the natural logarithm (base e) of a double
     * value.  Special cases:
     * 
    • If the argument is NaN or less than zero, then the result 
     * is NaN.
     * 
    • If the argument is positive infinity, then the result is 
     * positive infinity.
     * 
    • If the argument is positive zero or negative zero, then the 
     * result is negative infinity.
    
     * 
    
     * A result must be within 1 ulp of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   a   a number greater than 0.0.
     * @return  the value ln a, the natural logarithm of
     *          a.
     */
    public static double log(double a) {
	//KML return StrictMath.log(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the correctly rounded positive square root of a 
     * double value.
     * Special cases:
     * 
    • If the argument is NaN or less than zero, then the result 
     * is NaN. 
     * 
    • If the argument is positive infinity, then the result is positive 
     * infinity. 
     * 
    • If the argument is positive zero or negative zero, then the 
     * result is the same as the argument.
    
     * Otherwise, the result is the double value closest to 
     * the true mathematical square root of the argument value.
     * 
     * @param   a   a value.
     * 
     * @return  the positive square root of a.
     *          If the argument is NaN or less than zero, the result is NaN.
     */
    /*@ requires a >= 0.0;
      @ ensures \result * \result == a;
      @*/
    public static double sqrt(double a) {
	/*KML
	return StrictMath.sqrt(a); // default impl. delegates to StrictMath
				   // Note that hardware sqrt instructions
				   // frequently can be directly used by JITs
				   // and should be much faster than doing
				   // Math.sqrt in software.
				   */
    }

    /**
     * Computes the remainder operation on two arguments as prescribed 
     * by the IEEE 754 standard.
     * The remainder value is mathematically equal to 
     * f1 - f2 × n,
     * where n is the mathematical integer closest to the exact 
     * mathematical value of the quotient f1/f2, and if two 
     * mathematical integers are equally close to f1/f2, 
     * then n is the integer that is even. If the remainder is 
     * zero, its sign is the same as the sign of the first argument. 
     * Special cases:
     * 
    • If either argument is NaN, or the first argument is infinite, 
     * or the second argument is positive zero or negative zero, then the 
     * result is NaN.
     * 
    • If the first argument is finite and the second argument is 
     * infinite, then the result is the same as the first argument.
    
     *
     * @param   f1   the dividend.
     * @param   f2   the divisor.
     * @return  the remainder when f1 is divided by
     *          f2.
     */
    public static double IEEEremainder(double f1, double f2) {
        //KML return StrictMath.IEEEremainder(f1, f2); // delegate to StrictMath
    }

    /**
     * Returns the smallest (closest to negative infinity) 
     * double value that is not less than the argument and is 
     * equal to a mathematical integer. Special cases:
     * 
    • If the argument value is already equal to a mathematical 
     * integer, then the result is the same as the argument. 
     * 
    • If the argument is NaN or an infinity or positive zero or negative 
     * zero, then the result is the same as the argument. 
     * 
    • If the argument value is less than zero but greater than -1.0, 
     * then the result is negative zero.
    
     * Note that the value of Math.ceil(x) is exactly the 
     * value of -Math.floor(-x).
     *
     * @param   a   a value.
     * 
     * @return  the smallest (closest to negative infinity) 
     *          floating-point value that is not less than the argument
     *          and is equal to a mathematical integer. 
     */
    public static double ceil(double a) {
	//KML return StrictMath.ceil(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the largest (closest to positive infinity) 
     * double value that is not greater than the argument and 
     * is equal to a mathematical integer. Special cases:
     * 
    • If the argument value is already equal to a mathematical 
     * integer, then the result is the same as the argument. 
     * 
    • If the argument is NaN or an infinity or positive zero or 
     * negative zero, then the result is the same as the argument.
    
     *
     * @param   a   a value.
     * 
     * @return  the largest (closest to positive infinity) 
     *          floating-point value that is not greater than the argument
     *          and is equal to a mathematical integer. 
     */
    public static double floor(double a) {
	//KML return StrictMath.floor(a); // default impl. delegates to StrictMath
    }

    /**
     * Returns the double value that is closest in value
     * to the argument and is equal to a mathematical integer. If two
     * double values that are mathematical integers are
     * equally close, the result is the integer value that is
     * even. Special cases:
     * 
    • If the argument value is already equal to a mathematical 
     * integer, then the result is the same as the argument. 
     * 
    • If the argument is NaN or an infinity or positive zero or negative 
     * zero, then the result is the same as the argument.
    
     *
     * @param   a   a double value.
     * @return  the closest floating-point value to a that is
     *          equal to a mathematical integer.
     */
    public static double rint(double a) {
	//KML return StrictMath.rint(a); // default impl. delegates to StrictMath
    }

    /**
     * Converts rectangular coordinates (xy)
     * to polar (r, theta).
     * This method computes the phase theta by computing an arc tangent
     * of y/x in the range of -pi to pi. Special 
     * cases:
     * 
    • If either argument is NaN, then the result is NaN. 
     * 
    • If the first argument is positive zero and the second argument 
     * is positive, or the first argument is positive and finite and the 
     * second argument is positive infinity, then the result is positive 
     * zero. 
     * 
    • If the first argument is negative zero and the second argument 
     * is positive, or the first argument is negative and finite and the 
     * second argument is positive infinity, then the result is negative zero. 
     * 
    • If the first argument is positive zero and the second argument 
     * is negative, or the first argument is positive and finite and the 
     * second argument is negative infinity, then the result is the 
     * double value closest to pi. 
     * 
    • If the first argument is negative zero and the second argument 
     * is negative, or the first argument is negative and finite and the 
     * second argument is negative infinity, then the result is the 
     * double value closest to -pi. 
     * 
    • If the first argument is positive and the second argument is 
     * positive zero or negative zero, or the first argument is positive 
     * infinity and the second argument is finite, then the result is the 
     * double value closest to pi/2. 
     * 
    • If the first argument is negative and the second argument is 
     * positive zero or negative zero, or the first argument is negative 
     * infinity and the second argument is finite, then the result is the 
     * double value closest to -pi/2. 
     * 
    • If both arguments are positive infinity, then the result is the 
     * double value closest to pi/4. 
     * 
    • If the first argument is positive infinity and the second argument 
     * is negative infinity, then the result is the double 
     * value closest to 3*pi/4. 
     * 
    • If the first argument is negative infinity and the second argument 
     * is positive infinity, then the result is the double value 
     * closest to -pi/4. 
     * 
    • If both arguments are negative infinity, then the result is the 
     * double value closest to -3*pi/4.
    
     * 
    
     * A result must be within 2 ulps of the correctly rounded result.  Results
     * must be semi-monotonic.
     *
     * @param   y   the ordinate coordinate
     * @param   x   the abscissa coordinate
     * @return  the theta component of the point
     *          (rtheta)
     *          in polar coordinates that corresponds to the point
     *          (xy) in Cartesian coordinates.
     */
    public static double atan2(double y, double x) {
	//KML return StrictMath.atan2(y, x); // default impl. delegates to StrictMath
    }

    /**
     * Returns the value of the first argument raised to the power of the
     * second argument. Special cases:
     *
     * 
    • If the second argument is positive or negative zero, then the 
     * result is 1.0. 
     * 
    • If the second argument is 1.0, then the result is the same as the 
     * first argument.
     * 
    • If the second argument is NaN, then the result is NaN. 
     * 
    • If the first argument is NaN and the second argument is nonzero, 
     * then the result is NaN. 
     *
     * 
    • If
     * 
        
     * 
      • the absolute value of the first argument is greater than 1
     * and the second argument is positive infinity, or
     * 
      • the absolute value of the first argument is less than 1 and
     * the second argument is negative infinity,
     * 
      
     * then the result is positive infinity. 
     *
     * 
    • If 
     * 
        
     * 
      • the absolute value of the first argument is greater than 1 and 
     * the second argument is negative infinity, or 
     * 
      • the absolute value of the 
     * first argument is less than 1 and the second argument is positive 
     * infinity,
     * 
      
     * then the result is positive zero. 
     *
     * 
    • If the absolute value of the first argument equals 1 and the 
     * second argument is infinite, then the result is NaN. 
     *
     * 
    • If 
     * 
        
     * 
      • the first argument is positive zero and the second argument
     * is greater than zero, or
     * 
      • the first argument is positive infinity and the second
     * argument is less than zero,
     * 
      
     * then the result is positive zero. 
     *
     * 
    • If 
     * 
        
     * 
      • the first argument is positive zero and the second argument
     * is less than zero, or
     * 
      • the first argument is positive infinity and the second
     * argument is greater than zero,
     * 
      
     * then the result is positive infinity.
     *
     * 
    • If 
     * 
        
     * 
      • the first argument is negative zero and the second argument
     * is greater than zero but not a finite odd integer, or
     * 
      • the first argument is negative infinity and the second
     * argument is less than zero but not a finite odd integer,
     * 
      
     * then the result is positive zero. 
     *
     * 
    • If 
     * 
        
     * 
      • the first argument is negative zero and the second argument
     * is a positive finite odd integer, or
     * 
      • the first argument is negative infinity and the second
     * argument is a negative finite odd integer,
     * 
      
     * then the result is negative zero. 
     *
     * 
    • If
     * 
        
     * 
      • the first argument is negative zero and the second argument
     * is less than zero but not a finite odd integer, or
     * 
      • the first argument is negative infinity and the second
     * argument is greater than zero but not a finite odd integer,
     * 
      
     * then the result is positive infinity. 
     *
     * 
    • If 
     * 
        
     * 
      • the first argument is negative zero and the second argument
     * is a negative finite odd integer, or
     * 
      • the first argument is negative infinity and the second
     * argument is a positive finite odd integer,
     * 
      
     * then the result is negative infinity. 
     *
     * 
    • If the first argument is finite and less than zero
     * 
        
     * 
      •  if the second argument is a finite even integer, the
     * result is equal to the result of raising the absolute value of
     * the first argument to the power of the second argument
     *
     * 
      • if the second argument is a finite odd integer, the result
     * is equal to the negative of the result of raising the absolute
     * value of the first argument to the power of the second
     * argument
     *
     * 
      • if the second argument is finite and not an integer, then
     * the result is NaN.
     * 
      
     *
     * 
    • If both arguments are integers, then the result is exactly equal 
     * to the mathematical result of raising the first argument to the power 
     * of the second argument if that result can in fact be represented 
     * exactly as a double value.
    
     * 
     * 
    (In the foregoing descriptions, a floating-point value is
     * considered to be an integer if and only if it is finite and a
     * fixed point of the method {@link #ceil ceil} or,
     * equivalently, a fixed point of the method {@link #floor
     * floor}. A value is a fixed point of a one-argument
     * method if and only if the result of applying the method to the
     * value is equal to the value.)
     *
     * 
    A result must be within 1 ulp of the correctly rounded
     * result.  Results must be semi-monotonic.
     *
     * @param   a   the base.
     * @param   b   the exponent.
     * @return  the value ab.
     */
    public static double pow(double a, double b) {
	//KML return StrictMath.pow(a, b); // default impl. delegates to StrictMath
    }

    /**
     * Returns the closest int to the argument. The 
     * result is rounded to an integer by adding 1/2, taking the 
     * floor of the result, and casting the result to type int. 
     * In other words, the result is equal to the value of the expression:
     * 
    (int)Math.floor(a + 0.5f)
    
     * 
    
     * Special cases:
     * 
    • If the argument is NaN, the result is 0.
     * 
    • If the argument is negative infinity or any value less than or 
     * equal to the value of Integer.MIN_VALUE, the result is 
     * equal to the value of Integer.MIN_VALUE. 
     * 
    • If the argument is positive infinity or any value greater than or 
     * equal to the value of Integer.MAX_VALUE, the result is 
     * equal to the value of Integer.MAX_VALUE.
     
     *
     * @param   a   a floating-point value to be rounded to an integer.
     * @return  the value of the argument rounded to the nearest
     *          int value.
     * @see     java.lang.Integer#MAX_VALUE
     * @see     java.lang.Integer#MIN_VALUE
     */
    public static int round(float a) {
	return (int)floor(a + 0.5f);
    }

    /**
     * Returns the closest long to the argument. The result 
     * is rounded to an integer by adding 1/2, taking the floor of the 
     * result, and casting the result to type long. In other 
     * words, the result is equal to the value of the expression:
     * 
    (long)Math.floor(a + 0.5d)
    
     * 
    
     * Special cases:
     * 
    • If the argument is NaN, the result is 0.
     * 
    • If the argument is negative infinity or any value less than or 
     * equal to the value of Long.MIN_VALUE, the result is 
     * equal to the value of Long.MIN_VALUE. 
     * 
    • If the argument is positive infinity or any value greater than or 
     * equal to the value of Long.MAX_VALUE, the result is 
     * equal to the value of Long.MAX_VALUE.
     
     *
     * @param   a   a floating-point value to be rounded to a 
     *		long.
     * @return  the value of the argument rounded to the nearest
     *          long value.
     * @see     java.lang.Long#MAX_VALUE
     * @see     java.lang.Long#MIN_VALUE
     */
    public static long round(double a) {
	return (long)floor(a + 0.5d);
    }

    //KML private static Random randomNumberGenerator;

    private static synchronized void initRNG() {
        /*KML
	  if (randomNumberGenerator == null) 
            randomNumberGenerator = new Random();
	*/
    }

    /**
     * Returns a double value with a positive sign, greater 
     * than or equal to 0.0 and less than 1.0. 
     * Returned values are chosen pseudorandomly with (approximately) 
     * uniform distribution from that range. 
     * 
    
     * When this method is first called, it creates a single new 
     * pseudorandom-number generator, exactly as if by the expression 
     * 
    new java.util.Random
    
     * This new pseudorandom-number generator is used thereafter for all 
     * calls to this method and is used nowhere else. 
     * 
    
     * This method is properly synchronized to allow correct use by more 
     * than one thread. However, if many threads need to generate 
     * pseudorandom numbers at a great rate, it may reduce contention for 
     * each thread to have its own pseudorandom-number generator.
     *  
     * @return  a pseudorandom double greater than or equal 
     * to 0.0 and less than 1.0.
     * @see     java.util.Random#nextDouble()
     */
    public static double random() {
        /*KML
	  if (randomNumberGenerator == null) initRNG();
	  return randomNumberGenerator.nextDouble();
	*/

    }

    /**
     * Returns the absolute value of an int value.
     * If the argument is not negative, the argument is returned.
     * If the argument is negative, the negation of the argument is returned. 
     * 
    
     * Note that if the argument is equal to the value of 
     * Integer.MIN_VALUE, the most negative representable 
     * int value, the result is that same value, which is 
     * negative. 
     *
     * @param   a   the argument whose absolute value is to be determined
     * @return  the absolute value of the argument.
     * @see     java.lang.Integer#MIN_VALUE
     */
    public static int abs(int a) {
	return (a < 0) ? -a : a;
    }

    /**
     * Returns the absolute value of a long value.
     * If the argument is not negative, the argument is returned.
     * If the argument is negative, the negation of the argument is returned. 
     * 
    
     * Note that if the argument is equal to the value of 
     * Long.MIN_VALUE, the most negative representable 
     * long value, the result is that same value, which is 
     * negative. 
     *
     * @param   a   the argument whose absolute value is to be determined
     * @return  the absolute value of the argument.
     * @see     java.lang.Long#MIN_VALUE
     */
    public static long abs(long a) {
	return (a < 0) ? -a : a;
    }

    /**
     * Returns the absolute value of a float value.
     * If the argument is not negative, the argument is returned.
     * If the argument is negative, the negation of the argument is returned.
     * Special cases:
     * 
    • If the argument is positive zero or negative zero, the 
     * result is positive zero. 
     * 
    • If the argument is infinite, the result is positive infinity. 
     * 
    • If the argument is NaN, the result is NaN.
    
     * In other words, the result is the same as the value of the expression: 
     * 
    Float.intBitsToFloat(0x7fffffff & Float.floatToIntBits(a))
    
     *
     * @param   a   the argument whose absolute value is to be determined
     * @return  the absolute value of the argument.
     */
    public static float abs(float a) {
        return (a <= 0.0F) ? 0.0F - a : a;
    }
  
    /**
     * Returns the absolute value of a double value.
     * If the argument is not negative, the argument is returned.
     * If the argument is negative, the negation of the argument is returned.
     * Special cases:
     * 
    • If the argument is positive zero or negative zero, the result 
     * is positive zero. 
     * 
    • If the argument is infinite, the result is positive infinity. 
     * 
    • If the argument is NaN, the result is NaN.
    
     * In other words, the result is the same as the value of the expression: 
     * 
    Double.longBitsToDouble((Double.doubleToLongBits(a)<<1)>>>1) 
     *
     * @param   a   the argument whose absolute value is to be determined
     * @return  the absolute value of the argument.
     */
    /*@ ensures \result == \real_abs(a);
      @*/
    public static double abs(double a) {
        return (a <= 0.0D) ? 0.0D - a : a;
    }

    /**
     * Returns the greater of two int values. That is, the 
     * result is the argument closer to the value of 
     * Integer.MAX_VALUE. If the arguments have the same value, 
     * the result is that same value.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the larger of a and b.
     * @see     java.lang.Long#MAX_VALUE
     */
    /*@ ensures \result == \int_max(a,b);
      @*/
    public static int max(int a, int b) {
	return (a >= b) ? a : b;
    }

    /**
     * Returns the greater of two long values. That is, the 
     * result is the argument closer to the value of 
     * Long.MAX_VALUE. If the arguments have the same value, 
     * the result is that same value. 
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the larger of a and b.
     * @see     java.lang.Long#MAX_VALUE
     */
    /*@ ensures \result == \int_max(a,b);
      @*/
    public static long max(long a, long b) {
	return (a >= b) ? a : b;
    }

    //KML private static long negativeZeroFloatBits = Float.floatToIntBits(-0.0f);
    //KML private static long negativeZeroDoubleBits = Double.doubleToLongBits(-0.0d);

    /**
     * Returns the greater of two float values.  That is,
     * the result is the argument closer to positive infinity. If the
     * arguments have the same value, the result is that same
     * value. If either value is NaN, then the result is NaN.  Unlike
     * the the numerical comparison operators, this method considers
     * negative zero to be strictly smaller than positive zero. If one
     * argument is positive zero and the other negative zero, the
     * result is positive zero.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the larger of a and b.
     */
    /*@ ensures \result == \real_max(a,b);
      @*/
    public static float max(float a, float b) {
        if (a != a) return a;	// a is NaN
	/*KML
	  if ((a == 0.0f) && (b == 0.0f)
	    && (Float.floatToIntBits(a) == negativeZeroFloatBits)) {
	    return b;
	}
	*/
	return (a >= b) ? a : b;
    }

    /**
     * Returns the greater of two double values.  That
     * is, the result is the argument closer to positive infinity. If
     * the arguments have the same value, the result is that same
     * value. If either value is NaN, then the result is NaN.  Unlike
     * the the numerical comparison operators, this method considers
     * negative zero to be strictly smaller than positive zero. If one
     * argument is positive zero and the other negative zero, the
     * result is positive zero.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the larger of a and b.
     */
    /*@ ensures \result == \real_max(a,b);
      @*/
    public static double max(double a, double b) {
        if (a != a) return a;	// a is NaN
	/*KML
	  if ((a == 0.0d) && (b == 0.0d)
	    && (Double.doubleToLongBits(a) == negativeZeroDoubleBits)) {
	    return b;
	}
	*/
	return (a >= b) ? a : b;
    }

    /**
     * Returns the smaller of two int values. That is,
     * the result the argument closer to the value of
     * Integer.MIN_VALUE.  If the arguments have the same
     * value, the result is that same value.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the smaller of a and b.
     * @see     java.lang.Long#MIN_VALUE
     */
    /*@ ensures \result == \int_min(a,b);
      @*/
    public static int min(int a, int b) {
	return (a <= b) ? a : b;
    }

    /**
     * Returns the smaller of two long values. That is,
     * the result is the argument closer to the value of
     * Long.MIN_VALUE. If the arguments have the same
     * value, the result is that same value.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the smaller of a and b.
     * @see     java.lang.Long#MIN_VALUE
     */
    /*@ ensures \result == \int_min(a,b);
      @*/
    public static long min(long a, long b) {
	return (a <= b) ? a : b;
    }

    /**
     * Returns the smaller of two float values.  That is,
     * the result is the value closer to negative infinity. If the
     * arguments have the same value, the result is that same
     * value. If either value is NaN, then the result is NaN.  Unlike
     * the the numerical comparison operators, this method considers
     * negative zero to be strictly smaller than positive zero.  If
     * one argument is positive zero and the other is negative zero,
     * the result is negative zero.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the smaller of a and b.
     */
    /*@ ensures \result == \real_min(a,b);
      @*/
    public static float min(float a, float b) {
        if (a != a) return a;	// a is NaN
	/*KML
	  if ((a == 0.0f) && (b == 0.0f)
	    && (Float.floatToIntBits(b) == negativeZeroFloatBits)) {
	    return b;
	}
	*/
	return (a <= b) ? a : b;
    }

    /**
     * Returns the smaller of two double values.  That
     * is, the result is the value closer to negative infinity. If the
     * arguments have the same value, the result is that same
     * value. If either value is NaN, then the result is NaN.  Unlike
     * the the numerical comparison operators, this method considers
     * negative zero to be strictly smaller than positive zero. If one
     * argument is positive zero and the other is negative zero, the
     * result is negative zero.
     *
     * @param   a   an argument.
     * @param   b   another argument.
     * @return  the smaller of a and b.
     */
    /*@ ensures \result == \real_min(a,b);
      @*/
    public static double min(double a, double b) {
        if (a != a) return a;	// a is NaN
	/*KML
	  if ((a == 0.0d) && (b == 0.0d)
	    && (Double.doubleToLongBits(b) == negativeZeroDoubleBits)) {
	    return b;
	}
	*/
	return (a <= b) ? a : b;
    }

}
why-2.34/lib/java_api/java/lang/IllegalArgumentException.java0000644000175000017500000000157512311670312022605 0ustar  rtusers/*
 * @(#)IllegalArgumentException.java	1.19 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * Thrown to indicate that a method has been passed an illegal or 
 * inappropriate argument.
 *
 * @author  unascribed
 * @version 1.19, 01/23/03
 * @see	    java.lang.Thread#setPriority(int)
 * @since   JDK1.0
 */
public
class IllegalArgumentException extends RuntimeException {
    /**
     * Constructs an IllegalArgumentException with no 
     * detail message. 
     */
    public IllegalArgumentException() {
	super();
    }

    /**
     * Constructs an IllegalArgumentException with the 
     * specified detail message. 
     *
     * @param   s   the detail message.
     */
    public IllegalArgumentException(String s) {
	super(s);
    }
}
why-2.34/lib/java_api/java/lang/StringBuffer.java0000644000175000017500000014265112311670312020253 0ustar  rtusers/*
 * @(#)StringBuffer.java	1.78 03/05/16
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * A string buffer implements a mutable sequence of characters. 
 * A string buffer is like a {@link String}, but can be modified. At any 
 * point in time it contains some particular sequence of characters, but 
 * the length and content of the sequence can be changed through certain 
 * method calls.
 * 
    
 * String buffers are safe for use by multiple threads. The methods 
 * are synchronized where necessary so that all the operations on any 
 * particular instance behave as if they occur in some serial order 
 * that is consistent with the order of the method calls made by each of 
 * the individual threads involved. 
 * 
    
 * String buffers are used by the compiler to implement the binary 
 * string concatenation operator +. For example, the code:
 * 
     *     x = "a" + 4 + "c"
 * 
    
 * is compiled to the equivalent of: 
 * 
     *     x = new StringBuffer().append("a").append(4).append("c")
 *                           .toString()
 * 
    
 * which creates a new string buffer (initially empty), appends the string
 * representation of each operand to the string buffer in turn, and then
 * converts the contents of the string buffer to a string. Overall, this avoids
 * creating many temporary strings.
 * 
    
 * The principal operations on a StringBuffer are the 
 * append and insert methods, which are 
 * overloaded so as to accept data of any type. Each effectively 
 * converts a given datum to a string and then appends or inserts the 
 * characters of that string to the string buffer. The 
 * append method always adds these characters at the end 
 * of the buffer; the insert method adds the characters at 
 * a specified point. 
 * 
    
 * For example, if z refers to a string buffer object 
 * whose current contents are "start", then 
 * the method call z.append("le") would cause the string 
 * buffer to contain "startle", whereas 
 * z.insert(4, "le") would alter the string buffer to 
 * contain "starlet". 
 * 
    
 * In general, if sb refers to an instance of a StringBuffer, 
 * then sb.append(x) has the same effect as 
 * sb.insert(sb.length(), x).
 * 
    
 * Every string buffer has a capacity. As long as the length of the 
 * character sequence contained in the string buffer does not exceed 
 * the capacity, it is not necessary to allocate a new internal 
 * buffer array. If the internal buffer overflows, it is 
 * automatically made larger. 
 *
 * @author	Arthur van Hoff
 * @version 	1.78, 05/16/03
 * @see     java.io.ByteArrayOutputStream
 * @see     java.lang.String
 * @since   JDK1.0
 */
 
public final class StringBuffer
    implements java.io.Serializable, CharSequence
{
    /**
     * The value is used for character storage.
     * 
     * @serial
     */
    private char value[];

    /** 
     * The count is the number of characters in the buffer.
     * 
     * @serial
     */
    private int count;

    /**
     * A flag indicating whether the buffer is shared 
     *
     * @serial
     */
    private boolean shared;

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    static final long serialVersionUID = 3388685877147921107L;

    /**
     * Constructs a string buffer with no characters in it and an 
     * initial capacity of 16 characters. 
     */
    public StringBuffer() {
	this(16);
    }

    /**
     * Constructs a string buffer with no characters in it and an 
     * initial capacity specified by the length argument. 
     *
     * @param      length   the initial capacity.
     * @exception  NegativeArraySizeException  if the length
     *               argument is less than 0.
     */
    public StringBuffer(int length) {
	value = new char[length];
	shared = false;
    }

    /**
     * Constructs a string buffer so that it represents the same 
     * sequence of characters as the string argument; in other
     * words, the initial contents of the string buffer is a copy of the 
     * argument string. The initial capacity of the string buffer is 
     * 16 plus the length of the string argument. 
     *
     * @param   str   the initial contents of the buffer.
     * @exception NullPointerException if str is null
     */
    public StringBuffer(String str) {
	this(str.length() + 16);
	append(str);
    }

    /**
     * Returns the length (character count) of this string buffer.
     *
     * @return  the length of the sequence of characters currently 
     *          represented by this string buffer.
     */
    public synchronized int length() {
	return count;
    }

    /**
     * Returns the current capacity of the String buffer. The capacity
     * is the amount of storage available for newly inserted
     * characters; beyond which an allocation will occur.
     *
     * @return  the current capacity of this string buffer.
     */
    public synchronized int capacity() {
	return value.length;
    }

    /**
     * Copies the buffer value.  This is normally only called when shared
     * is true.  It should only be called from a synchronized method.
     */
    private final void copy() {
	char newValue[] = new char[value.length];
	System.arraycopy(value, 0, newValue, 0, count);
	value = newValue;
	shared = false;
    }

    /**
     * Ensures that the capacity of the buffer is at least equal to the
     * specified minimum.
     * If the current capacity of this string buffer is less than the 
     * argument, then a new internal buffer is allocated with greater 
     * capacity. The new capacity is the larger of: 
     * 
      
     * 
    • The minimumCapacity argument. 
     * 
    • Twice the old capacity, plus 2. 
     * 
    
     * If the minimumCapacity argument is nonpositive, this
     * method takes no action and simply returns.
     *
     * @param   minimumCapacity   the minimum desired capacity.
     */
    public synchronized void ensureCapacity(int minimumCapacity) {
	if (minimumCapacity > value.length) {
	    expandCapacity(minimumCapacity);
	}
    }

    /**
     * This implements the expansion semantics of ensureCapacity but is
     * unsynchronized for use internally by methods which are already
     * synchronized.
     *
     * @see java.lang.StringBuffer#ensureCapacity(int)
     */
    private void expandCapacity(int minimumCapacity) {
	int newCapacity = (value.length + 1) * 2;
        if (newCapacity < 0) {
            newCapacity = Integer.MAX_VALUE;
        } else if (minimumCapacity > newCapacity) {
	    newCapacity = minimumCapacity;
	}
	
	char newValue[] = new char[newCapacity];
	System.arraycopy(value, 0, newValue, 0, count);
	value = newValue;
	shared = false;
    }

    /**
     * Sets the length of this String buffer.
     * This string buffer is altered to represent a new character sequence 
     * whose length is specified by the argument. For every nonnegative 
     * index k less than newLength, the character at 
     * index k in the new character sequence is the same as the 
     * character at index k in the old sequence if k is less 
     * than the length of the old character sequence; otherwise, it is the 
     * null character '\u0000'. 
     *  
     * In other words, if the newLength argument is less than 
     * the current length of the string buffer, the string buffer is 
     * truncated to contain exactly the number of characters given by the 
     * newLength argument. 
     * 
    
     * If the newLength argument is greater than or equal 
     * to the current length, sufficient null characters 
     * ('\u0000') are appended to the string buffer so that 
     * length becomes the newLength argument. 
     * 
    
     * The newLength argument must be greater than or equal 
     * to 0. 
     *
     * @param      newLength   the new length of the buffer.
     * @exception  IndexOutOfBoundsException  if the
     *               newLength argument is negative.
     * @see        java.lang.StringBuffer#length()
     */
    public synchronized void setLength(int newLength) {
	if (newLength < 0) {
	    throw new StringIndexOutOfBoundsException(newLength);
	}
	
	if (newLength > value.length) {
	    expandCapacity(newLength);
	}

	if (count < newLength) {
	    if (shared) copy();
	    for (; count < newLength; count++) {
		value[count] = '\0';
	    }
	} else {
            count = newLength;
            if (shared) {
                if (newLength > 0) {
                    copy();
                } else {
                    // If newLength is zero, assume the StringBuffer is being
                    // stripped for reuse; Make new buffer of default size
                    value = new char[16];
                    shared = false;
                }
            }
        }
    }

    /**
     * The specified character of the sequence currently represented by 
     * the string buffer, as indicated by the index argument, 
     * is returned. The first character of a string buffer is at index 
     * 0, the next at index 1, and so on, for 
     * array indexing. 
     * 
    
     * The index argument must be greater than or equal to 
     * 0, and less than the length of this string buffer. 
     *
     * @param      index   the index of the desired character.
     * @return     the character at the specified index of this string buffer.
     * @exception  IndexOutOfBoundsException  if index is 
     *             negative or greater than or equal to length().
     * @see        java.lang.StringBuffer#length()
     */
    public synchronized char charAt(int index) {
	if ((index < 0) || (index >= count)) {
	    throw new StringIndexOutOfBoundsException(index);
	}
	return value[index];
    }

    /**
     * Characters are copied from this string buffer into the 
     * destination character array dst. The first character to 
     * be copied is at index srcBegin; the last character to 
     * be copied is at index srcEnd-1. The total number of 
     * characters to be copied is srcEnd-srcBegin. The 
     * characters are copied into the subarray of dst starting 
     * at index dstBegin and ending at index:
     * 
         * dstbegin + (srcEnd-srcBegin) - 1
     * 
    
     *
     * @param      srcBegin   start copying at this offset in the string buffer.
     * @param      srcEnd     stop copying at this offset in the string buffer.
     * @param      dst        the array to copy the data into.
     * @param      dstBegin   offset into dst.
     * @exception  NullPointerException if dst is 
     *             null.
     * @exception  IndexOutOfBoundsException  if any of the following is true:
     *             
      
     *             
    • srcBegin is negative
     *             
    • dstBegin is negative
     *             
    • the srcBegin argument is greater than 
     *             the srcEnd argument.
     *             
    • srcEnd is greater than 
     *             this.length(), the current length of this 
     *             string buffer.
     *             
    • dstBegin+srcEnd-srcBegin is greater than 
     *             dst.length
     *             
    
     */
    public synchronized void getChars(int srcBegin, int srcEnd, char dst[], int dstBegin) {
	if (srcBegin < 0) {
	    throw new StringIndexOutOfBoundsException(srcBegin);
	}
	if ((srcEnd < 0) || (srcEnd > count)) {
	    throw new StringIndexOutOfBoundsException(srcEnd);
	}
        if (srcBegin > srcEnd) {
            throw new StringIndexOutOfBoundsException("srcBegin > srcEnd");
        }
	System.arraycopy(value, srcBegin, dst, dstBegin, srcEnd - srcBegin);
    }

    /**
     * The character at the specified index of this string buffer is set 
     * to ch. The string buffer is altered to represent a new 
     * character sequence that is identical to the old character sequence, 
     * except that it contains the character ch at position 
     * index. 
     * 
    
     * The index argument must be greater than or equal to 
     * 0, and less than the length of this string buffer. 
     *
     * @param      index   the index of the character to modify.
     * @param      ch      the new character.
     * @exception  IndexOutOfBoundsException  if index is 
     *             negative or greater than or equal to length().
     * @see        java.lang.StringBuffer#length()
     */
    public synchronized void setCharAt(int index, char ch) {
	if ((index < 0) || (index >= count)) {
	    throw new StringIndexOutOfBoundsException(index);
	}
	if (shared) copy();
	value[index] = ch;
    }

    /**
     * Appends the string representation of the Object 
     * argument to this string buffer. 
     * 
    
     * The argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then appended to this string buffer. 
     *
     * @param   obj   an Object.
     * @return  a reference to this StringBuffer object.
     * @see     java.lang.String#valueOf(java.lang.Object)
     * @see     java.lang.StringBuffer#append(java.lang.String)
     */
    public synchronized StringBuffer append(Object obj) {
	return append(String.valueOf(obj));
    }

    /**
     * Appends the string to this string buffer. 
     * 
    
     * The characters of the String argument are appended, in 
     * order, to the contents of this string buffer, increasing the 
     * length of this string buffer by the length of the argument. 
     * If str is null, then the four characters 
     * "null" are appended to this string buffer.
     * 
    
     * Let n be the length of the old character sequence, the one 
     * contained in the string buffer just prior to execution of the 
     * append method. Then the character at index k in 
     * the new character sequence is equal to the character at index k 
     * in the old character sequence, if k is less than n; 
     * otherwise, it is equal to the character at index k-n in the 
     * argument str.
     *
     * @param   str   a string.
     * @return  a reference to this StringBuffer.
     */
    public synchronized StringBuffer append(String str) {
	if (str == null) {
	    str = String.valueOf(str);
	}

	int len = str.length();
	int newcount = count + len;
	if (newcount > value.length)
	    expandCapacity(newcount);
	str.getChars(0, len, value, count);
	count = newcount;
	return this;
    }

    /**
     * Appends the specified StringBuffer to this
     * StringBuffer.
     * 
    
     * The characters of the StringBuffer argument are appended, 
     * in order, to the contents of this StringBuffer, increasing the 
     * length of this StringBuffer by the length of the argument. 
     * If sb is null, then the four characters 
     * "null" are appended to this StringBuffer.
     * 
    
     * Let n be the length of the old character sequence, the one 
     * contained in the StringBuffer just prior to execution of the 
     * append method. Then the character at index k in 
     * the new character sequence is equal to the character at index k 
     * in the old character sequence, if k is less than n; 
     * otherwise, it is equal to the character at index k-n in the 
     * argument sb.
     * 
    
     * The method ensureCapacity is first called on this
     * StringBuffer with the new buffer length as its argument.
     * (This ensures that the storage of this StringBuffer is
     * adequate to contain the additional characters being appended.)
     *
     * @param   sb         the StringBuffer to append.
     * @return  a reference to this StringBuffer.
     * @since 1.4
     */
    public synchronized StringBuffer append(StringBuffer sb) {
	if (sb == null) {
	    sb = NULL;
	}

	int len = sb.length();
	int newcount = count + len;
	if (newcount > value.length)
	    expandCapacity(newcount);
	sb.getChars(0, len, value, count);
	count = newcount;
	return this;
    }

    private static final StringBuffer NULL =  new StringBuffer("null");

    /**
     * Appends the string representation of the char array 
     * argument to this string buffer. 
     * 
    
     * The characters of the array argument are appended, in order, to 
     * the contents of this string buffer. The length of this string 
     * buffer increases by the length of the argument. 
     * 
    
     * The overall effect is exactly as if the argument were converted to 
     * a string by the method {@link String#valueOf(char[])} and the 
     * characters of that string were then {@link #append(String) appended} 
     * to this StringBuffer object.
     *
     * @param   str   the characters to be appended.
     * @return  a reference to this StringBuffer object.
     */
    public synchronized StringBuffer append(char str[]) { 
	int len = str.length;
	int newcount = count + len;
	if (newcount > value.length)
	    expandCapacity(newcount);
	System.arraycopy(str, 0, value, count, len);
	count = newcount;
	return this;
    }

    /**
     * Appends the string representation of a subarray of the 
     * char array argument to this string buffer. 
     * 
    
     * Characters of the character array str, starting at 
     * index offset, are appended, in order, to the contents 
     * of this string buffer. The length of this string buffer increases 
     * by the value of len. 
     * 
    
     * The overall effect is exactly as if the arguments were converted to 
     * a string by the method {@link String#valueOf(char[],int,int)} and the
     * characters of that string were then {@link #append(String) appended} 
     * to this StringBuffer object.
     *
     * @param   str      the characters to be appended.
     * @param   offset   the index of the first character to append.
     * @param   len      the number of characters to append.
     * @return  a reference to this StringBuffer object.
     */
    public synchronized StringBuffer append(char str[], int offset, int len) {
        int newcount = count + len;
	if (newcount > value.length)
	    expandCapacity(newcount);
	System.arraycopy(str, offset, value, count, len);
	count = newcount;
	return this;
    }

    /**
     * Appends the string representation of the boolean 
     * argument to the string buffer. 
     * 
    
     * The argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then appended to this string buffer. 
     *
     * @param   b   a boolean.
     * @return  a reference to this StringBuffer.
     * @see     java.lang.String#valueOf(boolean)
     * @see     java.lang.StringBuffer#append(java.lang.String)
     */
    public synchronized StringBuffer append(boolean b) {
        if (b) {
            int newcount = count + 4;
            if (newcount > value.length)
                expandCapacity(newcount);
            value[count++] = 't';
            value[count++] = 'r';
            value[count++] = 'u';
            value[count++] = 'e';
        } else {
            int newcount = count + 5;
            if (newcount > value.length)
                expandCapacity(newcount);
            value[count++] = 'f';
            value[count++] = 'a';
            value[count++] = 'l';
            value[count++] = 's';
            value[count++] = 'e';
        }
	return this;
    }

    /**
     * Appends the string representation of the char 
     * argument to this string buffer. 
     * 
    
     * The argument is appended to the contents of this string buffer. 
     * The length of this string buffer increases by 1. 
     * 
    
     * The overall effect is exactly as if the argument were converted to 
     * a string by the method {@link String#valueOf(char)} and the character 
     * in that string were then {@link #append(String) appended} to this 
     * StringBuffer object.
     *
     * @param   c   a char.
     * @return  a reference to this StringBuffer object.
     */
    public synchronized StringBuffer append(char c) {
        int newcount = count + 1;
	if (newcount > value.length)
	    expandCapacity(newcount);
	value[count++] = c;
	return this;
    }

    /**
     * Appends the string representation of the int 
     * argument to this string buffer. 
     * 
    
     * The argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then appended to this string buffer. 
     *
     * @param   i   an int.
     * @return  a reference to this StringBuffer object.
     * @see     java.lang.String#valueOf(int)
     * @see     java.lang.StringBuffer#append(java.lang.String)
     */
    public synchronized StringBuffer append(int i) {
	Integer.appendTo(i, this);
        return this;
    }

    /**
     * Appends the string representation of the long 
     * argument to this string buffer. 
     * 
    
     * The argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then appended to this string buffer. 
     *
     * @param   l   a long.
     * @return  a reference to this StringBuffer object.
     * @see     java.lang.String#valueOf(long)
     * @see     java.lang.StringBuffer#append(java.lang.String)
     */
    public synchronized StringBuffer append(long l) {
        Long.appendTo(l, this);
	return this;
    }

    /**
     * Appends the string representation of the float 
     * argument to this string buffer. 
     * 
    
     * The argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then appended to this string buffer. 
     *
     * @param   f   a float.
     * @return  a reference to this StringBuffer object.
     * @see     java.lang.String#valueOf(float)
     * @see     java.lang.StringBuffer#append(java.lang.String)
     */
    public synchronized StringBuffer append(float f) {
        new FloatingDecimal(f).appendTo(this);
	return this;
    }

    /**
     * Appends the string representation of the double 
     * argument to this string buffer. 
     * 
    
     * The argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then appended to this string buffer. 
     *
     * @param   d   a double.
     * @return  a reference to this StringBuffer object.
     * @see     java.lang.String#valueOf(double)
     * @see     java.lang.StringBuffer#append(java.lang.String)
     */
    public synchronized StringBuffer append(double d) {
        new FloatingDecimal(d).appendTo(this);
	return this;
    }

    /**
     * Removes the characters in a substring of this StringBuffer.
     * The substring begins at the specified start and extends to
     * the character at index end - 1 or to the end of the
     * StringBuffer if no such character exists. If
     * start is equal to end, no changes are made.
     *
     * @param      start  The beginning index, inclusive.
     * @param      end    The ending index, exclusive.
     * @return     This string buffer.
     * @exception  StringIndexOutOfBoundsException  if start
     *             is negative, greater than length(), or
     *		   greater than end.
     * @since      1.2
     */
    public synchronized StringBuffer delete(int start, int end) {
	if (start < 0)
	    throw new StringIndexOutOfBoundsException(start);
	if (end > count)
	    end = count;
	if (start > end)
	    throw new StringIndexOutOfBoundsException();

        int len = end - start;
        if (len > 0) {
            if (shared)
                copy();
            System.arraycopy(value, start+len, value, start, count-end);
            count -= len;
        }
        return this;
    }

    /**
     * Removes the character at the specified position in this
     * StringBuffer (shortening the StringBuffer
     * by one character).
     *
     * @param       index  Index of character to remove
     * @return      This string buffer.
     * @exception   StringIndexOutOfBoundsException  if the index
     *		    is negative or greater than or equal to
     *		    length().
     * @since       1.2
     */
    public synchronized StringBuffer deleteCharAt(int index) {
        if ((index < 0) || (index >= count))
	    throw new StringIndexOutOfBoundsException();
	if (shared)
	    copy();
	System.arraycopy(value, index+1, value, index, count-index-1);
	count--;
        return this;
    }

    /**
     * Replaces the characters in a substring of this StringBuffer
     * with characters in the specified String. The substring
     * begins at the specified start and extends to the character
     * at index end - 1 or to the end of the
     * StringBuffer if no such character exists. First the
     * characters in the substring are removed and then the specified
     * String is inserted at start. (The
     * StringBuffer will be lengthened to accommodate the
     * specified String if necessary.)
     * 
     * @param      start    The beginning index, inclusive.
     * @param      end      The ending index, exclusive.
     * @param      str   String that will replace previous contents.
     * @return     This string buffer.
     * @exception  StringIndexOutOfBoundsException  if start
     *             is negative, greater than length(), or
     *		   greater than end.
     * @since      1.2
     */ 
    public synchronized StringBuffer replace(int start, int end, String str) {
        if (start < 0)
	    throw new StringIndexOutOfBoundsException(start);
	if (end > count)
	    end = count;
	if (start > end)
	    throw new StringIndexOutOfBoundsException();

	int len = str.length();
	int newCount = count + len - (end - start);
	if (newCount > value.length)
	    expandCapacity(newCount);
	else if (shared)
	    copy();

        System.arraycopy(value, end, value, start + len, count - end);
        str.getChars(0, len, value, start);
        count = newCount;
        return this;
    }

    /**
     * Returns a new String that contains a subsequence of
     * characters currently contained in this StringBuffer.The 
     * substring begins at the specified index and extends to the end of the
     * StringBuffer.
     * 
     * @param      start    The beginning index, inclusive.
     * @return     The new string.
     * @exception  StringIndexOutOfBoundsException  if start is
     *             less than zero, or greater than the length of this
     *             StringBuffer.
     * @since      1.2
     */
    public synchronized String substring(int start) {
        return substring(start, count);
    }

    /**
     * Returns a new character sequence that is a subsequence of this sequence.
     *
     * 
     An invocation of this method of the form
     *
     * 
         * sb.subSequence(begin, end)
    
     *
     * behaves in exactly the same way as the invocation
     *
     * 
         * sb.substring(begin, end)
    
     *
     * This method is provided so that the StringBuffer class can
     * implement the {@link CharSequence} interface. 
    
     *
     * @param      start   the start index, inclusive.
     * @param      end     the end index, exclusive.
     * @return     the specified subsequence.
     *
     * @throws  IndexOutOfBoundsException
     *          if start or end are negative,
     *          if end is greater than length(),
     *          or if start is greater than end
     *
     * @since 1.4
     * @spec JSR-51
     */
    public CharSequence subSequence(int start, int end) {
        return this.substring(start, end);
    }

    /**
     * Returns a new String that contains a subsequence of
     * characters currently contained in this StringBuffer. The 
     * substring begins at the specified start and 
     * extends to the character at index end - 1. An
     * exception is thrown if 
     *
     * @param      start    The beginning index, inclusive.
     * @param      end      The ending index, exclusive.
     * @return     The new string.
     * @exception  StringIndexOutOfBoundsException  if start
     *             or end are negative or greater than
     *		   length(), or start is
     *		   greater than end.
     * @since      1.2 
     */
    public synchronized String substring(int start, int end) {
	if (start < 0)
	    throw new StringIndexOutOfBoundsException(start);
	if (end > count)
	    throw new StringIndexOutOfBoundsException(end);
	if (start > end)
	    throw new StringIndexOutOfBoundsException(end - start);
        return new String(value, start, end - start);
    }

    /**
     * Inserts the string representation of a subarray of the str
     * array argument into this string buffer. The subarray begins at the
     * specified offset and extends len characters.
     * The characters of the subarray are inserted into this string buffer at
     * the position indicated by index. The length of this
     * StringBuffer increases by len characters.
     *
     * @param      index    position at which to insert subarray.
     * @param      str       A character array.
     * @param      offset   the index of the first character in subarray to
     *		   to be inserted.
     * @param      len      the number of characters in the subarray to
     *		   to be inserted.
     * @return     This string buffer.
     * @exception  StringIndexOutOfBoundsException  if index
     *             is negative or greater than length(), or
     *		   offset or len are negative, or
     *		   (offset+len) is greater than
     *		   str.length.
     * @since 1.2
     */
    public synchronized StringBuffer insert(int index, char str[], int offset,
                                                                   int len) {
        if ((index < 0) || (index > count))
	    throw new StringIndexOutOfBoundsException();
	if ((offset < 0) || (offset + len < 0) || (offset + len > str.length))
	    throw new StringIndexOutOfBoundsException(offset);
	if (len < 0)
	    throw new StringIndexOutOfBoundsException(len);
	int newCount = count + len;
	if (newCount > value.length)
	    expandCapacity(newCount);
	else if (shared)
	    copy();
	System.arraycopy(value, index, value, index + len, count - index);
	System.arraycopy(str, offset, value, index, len);
	count = newCount;
	return this;
    }

    /**
     * Inserts the string representation of the Object 
     * argument into this string buffer. 
     * 
    
     * The second argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then inserted into this string buffer at the indicated 
     * offset. 
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      obj      an Object.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.String#valueOf(java.lang.Object)
     * @see        java.lang.StringBuffer#insert(int, java.lang.String)
     * @see        java.lang.StringBuffer#length()
     */
    public synchronized StringBuffer insert(int offset, Object obj) {
	return insert(offset, String.valueOf(obj));
    }

    /**
     * Inserts the string into this string buffer. 
     * 
    
     * The characters of the String argument are inserted, in 
     * order, into this string buffer at the indicated offset, moving up any 
     * characters originally above that position and increasing the length 
     * of this string buffer by the length of the argument. If 
     * str is null, then the four characters 
     * "null" are inserted into this string buffer.
     * 
    
     * The character at index k in the new character sequence is 
     * equal to:
     * 
      
     * 
    • the character at index k in the old character sequence, if 
     * k is less than offset 
     * 
    • the character at index k-offset in the 
     * argument str, if k is not less than 
     * offset but is less than offset+str.length() 
     * 
    • the character at index k-str.length() in the 
     * old character sequence, if k is not less than 
     * offset+str.length()
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      str      a string.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.StringBuffer#length()
     */
    public synchronized StringBuffer insert(int offset, String str) {
	if ((offset < 0) || (offset > count)) {
	    throw new StringIndexOutOfBoundsException();
	}

	if (str == null) {
	    str = String.valueOf(str);
	}
	int len = str.length();
	int newcount = count + len;
	if (newcount > value.length)
	    expandCapacity(newcount);
	else if (shared)
	    copy();
	System.arraycopy(value, offset, value, offset + len, count - offset);
	str.getChars(0, len, value, offset);
	count = newcount;
	return this;
    }

    /**
     * Inserts the string representation of the char array 
     * argument into this string buffer. 
     * 
    
     * The characters of the array argument are inserted into the 
     * contents of this string buffer at the position indicated by 
     * offset. The length of this string buffer increases by 
     * the length of the argument. 
     * 
    
     * The overall effect is exactly as if the argument were converted to 
     * a string by the method {@link String#valueOf(char[])} and the 
     * characters of that string were then 
     * {@link #insert(int,String) inserted} into this 
     * StringBuffer  object at the position indicated by
     * offset.
     *
     * @param      offset   the offset.
     * @param      str      a character array.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     */
    public synchronized StringBuffer insert(int offset, char str[]) {
	if ((offset < 0) || (offset > count)) {
	    throw new StringIndexOutOfBoundsException();
	}
	int len = str.length;
	int newcount = count + len;
	if (newcount > value.length)
	    expandCapacity(newcount);
	else if (shared)
	    copy();
	System.arraycopy(value, offset, value, offset + len, count - offset);
	System.arraycopy(str, 0, value, offset, len);
	count = newcount;
	return this;
    }

    /**
     * Inserts the string representation of the boolean 
     * argument into this string buffer. 
     * 
    
     * The second argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then inserted into this string buffer at the indicated 
     * offset. 
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      b        a boolean.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.String#valueOf(boolean)
     * @see        java.lang.StringBuffer#insert(int, java.lang.String)
     * @see        java.lang.StringBuffer#length()
     */
    public StringBuffer insert(int offset, boolean b) {
	return insert(offset, String.valueOf(b));
    }

    /**
     * Inserts the string representation of the char 
     * argument into this string buffer. 
     * 
    
     * The second argument is inserted into the contents of this string 
     * buffer at the position indicated by offset. The length 
     * of this string buffer increases by one. 
     * 
    
     * The overall effect is exactly as if the argument were converted to 
     * a string by the method {@link String#valueOf(char)} and the character 
     * in that string were then {@link #insert(int, String) inserted} into 
     * this StringBuffer object at the position indicated by
     * offset.
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      c        a char.
     * @return     a reference to this StringBuffer object.
     * @exception  IndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.StringBuffer#length()
     */
    public synchronized StringBuffer insert(int offset, char c) {
	int newcount = count + 1;
	if (newcount > value.length)
	    expandCapacity(newcount);
	else if (shared)
	    copy();
	System.arraycopy(value, offset, value, offset + 1, count - offset);
	value[offset] = c;
	count = newcount;
	return this;
    }

    /**
     * Inserts the string representation of the second int 
     * argument into this string buffer. 
     * 
    
     * The second argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then inserted into this string buffer at the indicated 
     * offset. 
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      i        an int.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.String#valueOf(int)
     * @see        java.lang.StringBuffer#insert(int, java.lang.String)
     * @see        java.lang.StringBuffer#length()
     */
    public StringBuffer insert(int offset, int i) {
	return insert(offset, String.valueOf(i));
    }

    /**
     * Inserts the string representation of the long 
     * argument into this string buffer. 
     * 
    
     * The second argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then inserted into this string buffer at the position 
     * indicated by offset. 
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      l        a long.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.String#valueOf(long)
     * @see        java.lang.StringBuffer#insert(int, java.lang.String)
     * @see        java.lang.StringBuffer#length()
     */
    public StringBuffer insert(int offset, long l) {
	return insert(offset, String.valueOf(l));
    }

    /**
     * Inserts the string representation of the float 
     * argument into this string buffer. 
     * 
    
     * The second argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then inserted into this string buffer at the indicated 
     * offset. 
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      f        a float.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.String#valueOf(float)
     * @see        java.lang.StringBuffer#insert(int, java.lang.String)
     * @see        java.lang.StringBuffer#length()
     */
    public StringBuffer insert(int offset, float f) {
	return insert(offset, String.valueOf(f));
    }

    /**
     * Inserts the string representation of the double 
     * argument into this string buffer. 
     * 
    
     * The second argument is converted to a string as if by the method 
     * String.valueOf, and the characters of that 
     * string are then inserted into this string buffer at the indicated 
     * offset. 
     * 
    
     * The offset argument must be greater than or equal to 
     * 0, and less than or equal to the length of this 
     * string buffer. 
     *
     * @param      offset   the offset.
     * @param      d        a double.
     * @return     a reference to this StringBuffer object.
     * @exception  StringIndexOutOfBoundsException  if the offset is invalid.
     * @see        java.lang.String#valueOf(double)
     * @see        java.lang.StringBuffer#insert(int, java.lang.String)
     * @see        java.lang.StringBuffer#length()
     */
    public StringBuffer insert(int offset, double d) {
	return insert(offset, String.valueOf(d));
    }

    /**
     * Returns the index within this string of the first occurrence of the
     * specified substring. The integer returned is the smallest value 
     * k such that:
     * 
         * this.toString().startsWith(str, k)
     * 
    
     * is true.
     *
     * @param   str   any string.
     * @return  if the string argument occurs as a substring within this
     *          object, then the index of the first character of the first
     *          such substring is returned; if it does not occur as a
     *          substring, -1 is returned.
     * @exception java.lang.NullPointerException if str is 
     *          null.
     * @since   1.4
     */
    public int indexOf(String str) {
	return indexOf(str, 0);
    }

    /**
     * Returns the index within this string of the first occurrence of the
     * specified substring, starting at the specified index.  The integer
     * returned is the smallest value k for which:
     * 
         *     k >= Math.min(fromIndex, str.length()) &&
     *                   this.toString().startsWith(str, k)
     * 
    
     * If no such value of k exists, then -1 is returned.
     *
     * @param   str         the substring for which to search.
     * @param   fromIndex   the index from which to start the search.
     * @return  the index within this string of the first occurrence of the
     *          specified substring, starting at the specified index.
     * @exception java.lang.NullPointerException if str is
     *            null.
     * @since   1.4
     */
    public synchronized int indexOf(String str, int fromIndex) {
        return String.indexOf(value, 0, count,
                              str.toCharArray(), 0, str.length(), fromIndex);
    }

    /**
     * Returns the index within this string of the rightmost occurrence
     * of the specified substring.  The rightmost empty string "" is
     * considered to occur at the index value this.length(). 
     * The returned index is the largest value k such that 
     * 
         * this.toString().startsWith(str, k)
     * 
    
     * is true.
     *
     * @param   str   the substring to search for.
     * @return  if the string argument occurs one or more times as a substring
     *          within this object, then the index of the first character of
     *          the last such substring is returned. If it does not occur as
     *          a substring, -1 is returned.
     * @exception java.lang.NullPointerException  if str is 
     *          null.
     * @since   1.4
     */
    public synchronized int lastIndexOf(String str) {
        return lastIndexOf(str, count);
    }

    /**
     * Returns the index within this string of the last occurrence of the
     * specified substring. The integer returned is the largest value k
     * such that:
     * 
         *     k <= Math.min(fromIndex, str.length()) &&
     *                   this.toString().startsWith(str, k)
     * 
    
     * If no such value of k exists, then -1 is returned.
     * 
     * @param   str         the substring to search for.
     * @param   fromIndex   the index to start the search from.
     * @return  the index within this string of the last occurrence of the
     *          specified substring.
     * @exception java.lang.NullPointerException if str is 
     *          null.
     * @since   1.4
     */
    public synchronized int lastIndexOf(String str, int fromIndex) {
        return String.lastIndexOf(value, 0, count,
                              str.toCharArray(), 0, str.length(), fromIndex);
    }

    /**
     * The character sequence contained in this string buffer is 
     * replaced by the reverse of the sequence. 
     * 
    
     * Let n be the length of the old character sequence, the one 
     * contained in the string buffer just prior to execution of the 
     * reverse method. Then the character at index k in 
     * the new character sequence is equal to the character at index 
     * n-k-1 in the old character sequence.
     *
     * @return  a reference to this StringBuffer object.
     * @since   JDK1.0.2
     */
    public synchronized StringBuffer reverse() {
	if (shared) copy();
	int n = count - 1;
	for (int j = (n-1) >> 1; j >= 0; --j) {
	    char temp = value[j];
	    value[j] = value[n - j];
	    value[n - j] = temp;
	}
	return this;
    }

    /**
     * Converts to a string representing the data in this string buffer.
     * A new String object is allocated and initialized to 
     * contain the character sequence currently represented by this 
     * string buffer. This String is then returned. Subsequent 
     * changes to the string buffer do not affect the contents of the 
     * String. 
     * 
    
     * Implementation advice: This method can be coded so as to create a new
     * String object without allocating new memory to hold a 
     * copy of the character sequence. Instead, the string can share the 
     * memory used by the string buffer. Any subsequent operation that alters 
     * the content or capacity of the string buffer must then make a copy of 
     * the internal buffer at that time. This strategy is effective for 
     * reducing the amount of memory allocated by a string concatenation 
     * operation when it is implemented using a string buffer.
     *
     * @return  a string representation of the string buffer.
     */
    public String toString() {
	return new String(this);
    }

    //
    // The following two methods are needed by String to efficiently
    // convert a StringBuffer into a String.  They are not public.
    // They shouldn't be called by anyone but String.
    final void setShared() { shared = true; } 
    final char[] getValue() { return value; }

    /**
     * readObject is called to restore the state of the StringBuffer from
     * a stream.
     */
    private synchronized void readObject(java.io.ObjectInputStream s)
         throws java.io.IOException, ClassNotFoundException {
	s.defaultReadObject();
	value = (char[]) value.clone();
	shared = false;
    }
}
why-2.34/lib/java_api/java/lang/Double.java0000644000175000017500000007024012311670312017057 0ustar  rtusers/*
 * @(#)Double.java	1.82 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * The Double class wraps a value of the primitive type
 * double in an object. An object of type
 * Double contains a single field whose type is
 * double.
 * 
    
 * In addition, this class provides several methods for converting a
 * double to a String and a
 * String to a double, as well as other
 * constants and methods useful when dealing with a
 * double.
 *
 * @author  Lee Boynton
 * @author  Arthur van Hoff
 * @version 1.82, 01/23/03
 * @since JDK1.0
 */
public final class Double extends Number implements Comparable {
    /**
     * A constant holding the positive infinity of type
     * double. It is equal to the value returned by
     * Double.longBitsToDouble(0x7ff0000000000000L).
     */
    public static final double POSITIVE_INFINITY = 1.0 / 0.0;

    /**
     * A constant holding the negative infinity of type
     * double. It is equal to the value returned by
     * Double.longBitsToDouble(0xfff0000000000000L).
     */
    public static final double NEGATIVE_INFINITY = -1.0 / 0.0;

    /** 
     * A constant holding a Not-a-Number (NaN) value of type
     * double. It is equivalent to the value returned by
     * Double.longBitsToDouble(0x7ff8000000000000L).
     */
    public static final double NaN = 0.0d / 0.0;

    /**
     * A constant holding the largest positive finite value of type
     * double, (2-2-52)·21023.
     * It is equal to the value returned by:
     * Double.longBitsToDouble(0x7fefffffffffffffL).
     */
    public static final double MAX_VALUE = 1.7976931348623157e+308;

    /**
     * A constant holding the smallest positive nonzero value of type
     * double, 2-1074. It is equal to the
     * value returned by Double.longBitsToDouble(0x1L).
     */
    public static final double MIN_VALUE = 4.9e-324;

    /**
     * The Class instance representing the primitive type
     * double.
     *
     * @since JDK1.1 
     */
    public static final Class	TYPE = Class.getPrimitiveClass("double");

    /**
     * Returns a string representation of the double 
     * argument. All characters mentioned below are ASCII characters.
     * 
      
     * 
    • If the argument is NaN, the result is the string
     *     "NaN".
     * 
    • Otherwise, the result is a string that represents the sign and 
     * magnitude (absolute value) of the argument. If the sign is negative, 
     * the first character of the result is '-' 
     * ('\u002D'); if the sign is positive, no sign character 
     * appears in the result. As for the magnitude m:
     * 
        
     * 
      • If m is infinity, it is represented by the characters 
     * "Infinity"; thus, positive infinity produces the result 
     * "Infinity" and negative infinity produces the result 
     * "-Infinity".
     *
     * 
      • If m is zero, it is represented by the characters 
     * "0.0"; thus, negative zero produces the result 
     * "-0.0" and positive zero produces the result 
     * "0.0". 
     *
     * 
      • If m is greater than or equal to 10-3 but less 
     * than 107, then it is represented as the integer part of 
     * m, in decimal form with no leading zeroes, followed by 
     * '.' ('\u002E'), followed by one or 
     * more decimal digits representing the fractional part of m. 
     *
     * 
      • If m is less than 10-3 or greater than or
     * equal to 107, then it is represented in so-called
     * "computerized scientific notation." Let n be the unique
     * integer such that 10n <= m <
     * 10n+1; then let a be the
     * mathematically exact quotient of m and
     * 10n so that 1 <= a < 10. The
     * magnitude is then represented as the integer part of a,
     * as a single decimal digit, followed by '.'
     * ('\u002E'), followed by decimal digits
     * representing the fractional part of a, followed by the
     * letter 'E' ('\u0045'), followed
     * by a representation of n as a decimal integer, as
     * produced by the method {@link Integer#toString(int)}.
     * 
      
     * 
    
     * How many digits must be printed for the fractional part of 
     * m or a? There must be at least one digit to represent 
     * the fractional part, and beyond that as many, but only as many, more 
     * digits as are needed to uniquely distinguish the argument value from
     * adjacent values of type double. That is, suppose that 
     * x is the exact mathematical value represented by the decimal 
     * representation produced by this method for a finite nonzero argument 
     * d. Then d must be the double value nearest 
     * to x; or if two double values are equally close 
     * to x, then d must be one of them and the least
     * significant bit of the significand of d must be 0.
     * 
    
     * To create localized string representations of a floating-point
     * value, use subclasses of {@link java.text.NumberFormat}.
     *
     * @param   d   the double to be converted.
     * @return a string representation of the argument.
     */
    public static String toString(double d) {
	return new FloatingDecimal(d).toJavaFormatString();
    }

    /**
     * Returns a Double object holding the
     * double value represented by the argument string
     * s.
     * 
    
     * If s is null, then a 
     * NullPointerException is thrown.
     * 
    
     * Leading and trailing whitespace characters in s
     * are ignored. The rest of s should constitute a
     * FloatValue as described by the lexical rule:
     * 
    
     * 
    
     * 
    FloatValue:
     * 
    Signopt NaN
     * 
    Signopt Infinity
     * 
    Signopt FloatingPointLiteral
     * 
    
     * 
    
     * where Sign and FloatingPointLiteral are as
     * defined in 
     * §3.10.2
     * of the Java 
     * Language Specification. If s does not have the 
     * form of a FloatValue, then a NumberFormatException
     * is thrown. Otherwise, s is regarded as
     * representing an exact decimal value in the usual "computerized
     * scientific notation"; this exact decimal value is then
     * conceptually converted to an "infinitely precise" binary value
     * that is then rounded to type double by the usual
     * round-to-nearest rule of IEEE 754 floating-point arithmetic,
     * which includes preserving the sign of a zero value. Finally, a
     * Double object representing this
     * double value is returned.
     * 
    
     * To interpret localized string representations of a
     * floating-point value, use subclasses of {@link
     * java.text.NumberFormat}.
     *
     * 
    Note that trailing format specifiers, specifiers that
     * determine the type of a floating-point literal
     * (1.0f is a float value;
     * 1.0d is a double value), do
     * not influence the results of this method.  In other
     * words, the numerical value of the input string is converted
     * directly to the target floating-point type.  The two-step
     * sequence of conversions, string to float followed
     * by float to double, is not
     * equivalent to converting a string directly to
     * double. For example, the float
     * literal 0.1f is equal to the double
     * value 0.10000000149011612; the float
     * literal 0.1f represents a different numerical
     * value than the double literal
     * 0.1. (The numerical value 0.1 cannot be exactly
     * represented in a binary floating-point number.)
     *
     * @param      s   the string to be parsed.
     * @return     a Double object holding the value
     *             represented by the String argument.
     * @exception  NumberFormatException  if the string does not contain a
     *               parsable number.
     */
    public static Double valueOf(String s) throws NumberFormatException {
	return new Double(FloatingDecimal.readJavaFormatString(s).doubleValue());
    }

    /**
     * Returns a new double initialized to the value
     * represented by the specified String, as performed
     * by the valueOf method of class
     * Double.
     *
     * @param      s   the string to be parsed.
     * @return the double value represented by the string
     *         argument.
     * @exception NumberFormatException if the string does not contain
     *            a parsable double.
     * @see        java.lang.Double#valueOf(String)
     * @since 1.2
     */
    public static double parseDouble(String s) throws NumberFormatException {
	return FloatingDecimal.readJavaFormatString(s).doubleValue();
    }

    /**
     * Returns true if the specified number is a
     * Not-a-Number (NaN) value, false otherwise.
     *
     * @param   v   the value to be tested.
     * @return  true if the value of the argument is NaN;
     *          false otherwise.
     */
    static public boolean isNaN(double v) {
	return (v != v);
    }

    /**
     * Returns true if the specified number is infinitely
     * large in magnitude, false otherwise.
     *
     * @param   v   the value to be tested.
     * @return  true if the value of the argument is positive
     *          infinity or negative infinity; false otherwise.
     */
    static public boolean isInfinite(double v) {
	return (v == POSITIVE_INFINITY) || (v == NEGATIVE_INFINITY);
    }

    /**
     * The value of the Double.
     *
     * @serial
     */
    private double value;

    /**
     * Constructs a newly allocated Double object that
     * represents the primitive double argument.
     *
     * @param   value   the value to be represented by the Double.
     */
    public Double(double value) {
	this.value = value;
    }

    /**
     * Constructs a newly allocated Double object that
     * represents the floating-point value of type double
     * represented by the string. The string is converted to a
     * double value as if by the valueOf method.
     *
     * @param      s   a string to be converted to a Double.
     * @exception  NumberFormatException  if the string does not contain a
     *               parsable number.
     * @see        java.lang.Double#valueOf(java.lang.String)
     */
    public Double(String s) throws NumberFormatException {
	// REMIND: this is inefficient
	this(valueOf(s).doubleValue());
    }

    /**
     * Returns true if this Double value is
     * a Not-a-Number (NaN), false otherwise.
     *
     * @return  true if the value represented by this object is
     *          NaN; false otherwise.
     */
    public boolean isNaN() {
	return isNaN(value);
    }

    /**
     * Returns true if this Double value is
     * infinitely large in magnitude, false otherwise.
     *
     * @return  true if the value represented by this object is
     *          positive infinity or negative infinity;
     *          false otherwise.
     */
    public boolean isInfinite() {
	return isInfinite(value);
    }

    /**
     * Returns a string representation of this Double object.
     * The primitive double value represented by this
     * object is converted to a string exactly as if by the method
     * toString of one argument.
     *
     * @return  a String representation of this object.
     * @see java.lang.Double#toString(double)
     */
    public String toString() {
	return String.valueOf(value);
    }

    /**
     * Returns the value of this Double as a byte (by
     * casting to a byte).
     *
     * @return  the double value represented by this object
     *          converted to type byte
     * @since JDK1.1 
     */
    public byte byteValue() {
	return (byte)value;
    }

    /**
     * Returns the value of this Double as a
     * short (by casting to a short).
     *
     * @return  the double value represented by this object
     *          converted to type short
     * @since JDK1.1 
     */
    public short shortValue() {
	return (short)value;
    }

    /**
     * Returns the value of this Double as an
     * int (by casting to type int).
     *
     * @return  the double value represented by this object
     *          converted to type int
     */
    public int intValue() {
	return (int)value;
    }

    /**
     * Returns the value of this Double as a
     * long (by casting to type long).
     *
     * @return  the double value represented by this object
     *          converted to type long
     */
    public long longValue() {
	return (long)value;
    }

    /**
     * Returns the float value of this
     * Double object.
     *
     * @return  the double value represented by this object
     *          converted to type float
     * @since JDK1.0 
     */
    public float floatValue() {
	return (float)value;
    }

    /**
     * Returns the double value of this
     * Double object.
     *
     * @return the double value represented by this object
     */
    public double doubleValue() {
	return (double)value;
    }

    /**
     * Returns a hash code for this Double object. The
     * result is the exclusive OR of the two halves of the
     * long integer bit representation, exactly as
     * produced by the method {@link #doubleToLongBits(double)}, of
     * the primitive double value represented by this
     * Double object. That is, the hash code is the value
     * of the expression:
     * 
         * (int)(v^(v>>>32))
     * 
    
     * where v is defined by: 
     * 
         * long v = Double.doubleToLongBits(this.doubleValue());
     * 
    
     *
     * @return  a hash code value for this object.
     */
    public int hashCode() {
	long bits = doubleToLongBits(value);
	return (int)(bits ^ (bits >>> 32));
    }

    /**
     * Compares this object against the specified object.  The result
     * is true if and only if the argument is not
     * null and is a Double object that
     * represents a double that has the same value as the
     * double represented by this object. For this
     * purpose, two double values are considered to be
     * the same if and only if the method {@link
     * #doubleToLongBits(double)} returns the identical
     * long value when applied to each.
     * 
    
     * Note that in most cases, for two instances of class
     * Double, d1 and d2, the
     * value of d1.equals(d2) is true if and
     * only if
     * 
         *   d1.doubleValue() == d2.doubleValue()
     * 
    
     * 
    
     * also has the value true. However, there are two
     * exceptions:
     * 
      
     * 
    • If d1 and d2 both represent
     *     Double.NaN, then the equals method
     *     returns true, even though
     *     Double.NaN==Double.NaN has the value
     *     false.
     * 
    • If d1 represents +0.0 while
     *     d2 represents -0.0, or vice versa,
     *     the equal test has the value false,
     *     even though +0.0==-0.0 has the value true.
     * 
    
     * This definition allows hash tables to operate properly.
     * @param   obj   the object to compare with.
     * @return  true if the objects are the same;
     *          false otherwise.
     * @see java.lang.Double#doubleToLongBits(double)
     */
    public boolean equals(Object obj) {
	return (obj instanceof Double)
	       && (doubleToLongBits(((Double)obj).value) ==
		      doubleToLongBits(value));
    }

    /**
     * Returns a representation of the specified floating-point value
     * according to the IEEE 754 floating-point "double
     * format" bit layout.
     * 
    
     * Bit 63 (the bit that is selected by the mask 
     * 0x8000000000000000L) represents the sign of the 
     * floating-point number. Bits 
     * 62-52 (the bits that are selected by the mask 
     * 0x7ff0000000000000L) represent the exponent. Bits 51-0 
     * (the bits that are selected by the mask 
     * 0x000fffffffffffffL) represent the significand 
     * (sometimes called the mantissa) of the floating-point number. 
     * 
    
     * If the argument is positive infinity, the result is
     * 0x7ff0000000000000L.
     * 
    
     * If the argument is negative infinity, the result is
     * 0xfff0000000000000L.
     * 
    
     * If the argument is NaN, the result is 
     * 0x7ff8000000000000L. 
     * 
    
     * In all cases, the result is a long integer that, when 
     * given to the {@link #longBitsToDouble(long)} method, will produce a 
     * floating-point value the same as the argument to 
     * doubleToLongBits (except all NaN values are
     * collapsed to a single "canonical" NaN value).
     *
     * @param   value   a double precision floating-point number.
     * @return the bits that represent the floating-point number.  
     */
    public static native long doubleToLongBits(double value);

    /**
     * Returns a representation of the specified floating-point value
     * according to the IEEE 754 floating-point "double
     * format" bit layout, preserving Not-a-Number (NaN) values.
     * 
    
     * Bit 63 (the bit that is selected by the mask 
     * 0x8000000000000000L) represents the sign of the 
     * floating-point number. Bits 
     * 62-52 (the bits that are selected by the mask 
     * 0x7ff0000000000000L) represent the exponent. Bits 51-0 
     * (the bits that are selected by the mask 
     * 0x000fffffffffffffL) represent the significand 
     * (sometimes called the mantissa) of the floating-point number. 
     * 
    
     * If the argument is positive infinity, the result is
     * 0x7ff0000000000000L.
     * 
    
     * If the argument is negative infinity, the result is
     * 0xfff0000000000000L.
     * 
    
     * If the argument is NaN, the result is the long
     * integer representing the actual NaN value.  Unlike the
     * doubleToLongBits method,
     * doubleToRawLongBits does not collapse all the bit
     * patterns encoding a NaN to a single "canonical" NaN
     * value.
     * 
    
     * In all cases, the result is a long integer that,
     * when given to the {@link #longBitsToDouble(long)} method, will
     * produce a floating-point value the same as the argument to
     * doubleToRawLongBits.
     *
     * @param   value   a double precision floating-point number.
     * @return the bits that represent the floating-point number.
     */
    public static native long doubleToRawLongBits(double value);

    /**
     * Returns the double value corresponding to a given
     * bit representation.
     * The argument is considered to be a representation of a
     * floating-point value according to the IEEE 754 floating-point
     * "double format" bit layout.
     * 
    
     * If the argument is 0x7ff0000000000000L, the result 
     * is positive infinity. 
     * 
    
     * If the argument is 0xfff0000000000000L, the result 
     * is negative infinity. 
     * 
    
     * If the argument is any value in the range
     * 0x7ff0000000000001L through
     * 0x7fffffffffffffffL or in the range
     * 0xfff0000000000001L through
     * 0xffffffffffffffffL, the result is a NaN.  No IEEE
     * 754 floating-point operation provided by Java can distinguish
     * between two NaN values of the same type with different bit
     * patterns.  Distinct values of NaN are only distinguishable by
     * use of the Double.doubleToRawLongBits method.
     * 
    
     * In all other cases, let s, e, and m be three 
     * values that can be computed from the argument: 
     * 
         * int s = ((bits >> 63) == 0) ? 1 : -1;
     * int e = (int)((bits >> 52) & 0x7ffL);
     * long m = (e == 0) ?
     *                 (bits & 0xfffffffffffffL) << 1 :
     *                 (bits & 0xfffffffffffffL) | 0x10000000000000L;
     * 
    
     * Then the floating-point result equals the value of the mathematical 
     * expression s·m·2e-1075.
     *
    
     * Note that this method may not be able to return a
     * double NaN with exactly same bit pattern as the
     * long argument.  IEEE 754 distinguishes between two
     * kinds of NaNs, quiet NaNs and signaling NaNs.  The
     * differences between the two kinds of NaN are generally not
     * visible in Java.  Arithmetic operations on signaling NaNs turn
     * them into quiet NaNs with a different, but often similar, bit
     * pattern.  However, on some processors merely copying a
     * signaling NaN also performs that conversion.  In particular,
     * copying a signaling NaN to return it to the calling method
     * may perform this conversion.  So longBitsToDouble
     * may not be able to return a double with a
     * signaling NaN bit pattern.  Consequently, for some
     * long values,
     * doubleToRawLongBits(longBitsToDouble(start)) may
     * not equal start.  Moreover, which
     * particular bit patterns represent signaling NaNs is platform
     * dependent; although all NaN bit patterns, quiet or signaling,
     * must be in the NaN range identified above.
     *
     * @param   bits   any long integer.
     * @return  the double floating-point value with the same
     *          bit pattern.
     */
    public static native double longBitsToDouble(long bits);

    /**
     * Compares two Double objects numerically.  There
     * are two ways in which comparisons performed by this method
     * differ from those performed by the Java language numerical
     * comparison operators (<, <=, ==, >= >)
     * when applied to primitive double values:
     * 
    • 
     *		Double.NaN is considered by this method
     *		to be equal to itself and greater than all other
     *		double values (including
     *		Double.POSITIVE_INFINITY).
     * 
    • 
     *		0.0d is considered by this method to be greater
     *		than -0.0d.
     * 
    
     * This ensures that Double.compareTo(Object) (which
     * forwards its behavior to this method) obeys the general
     * contract for Comparable.compareTo, and that the
     * natural order on Doubles is consistent
     * with equals.
     *
     * @param   anotherDouble   the Double to be compared.
     * @return  the value 0 if anotherDouble is
     *		numerically equal to this Double; a value
     *		less than 0 if this Double
     *		is numerically less than anotherDouble;
     *		and a value greater than 0 if this
     *		Double is numerically greater than
     *		anotherDouble.
     *		
     * @since   1.2
     * @see Comparable#compareTo(Object)
     */
    public int compareTo(Double anotherDouble) {
        return Double.compare(value, anotherDouble.value);
    }

    /**
     * Compares this Double object to another object.  If
     * the object is a Double, this function behaves like
     * compareTo(Double).  Otherwise, it throws a
     * ClassCastException (as Double objects
     * are comparable only to other Double objects).
     *
     * @param   o the Object to be compared.
     * @return the value 0 if the argument is a
     *		Double numerically equal to this
     *		Double; a value less than 0
     *		if the argument is a Double numerically
     *		greater than this Double; and a value
     *		greater than 0 if the argument is a
     *		Double numerically less than this
     *		Double.
     * @exception ClassCastException if the argument is not a
     *		  Double.
     * @see     java.lang.Comparable
     * @since 1.2
     */
    public int compareTo(Object o) {
	return compareTo((Double)o);
    }

    /**
     * Compares the two specified double values. The sign
     * of the integer value returned is the same as that of the
     * integer that would be returned by the call:
     * 
         *    new Double(d1).compareTo(new Double(d2))
     * 
    
     *
     * @param   d1        the first double to compare
     * @param   d2        the second double to compare
     * @return  the value 0 if d1 is
     *		numerically equal to d2; a value less than
     *          0 if d1 is numerically less than
     *		d2; and a value greater than 0
     *		if d1 is numerically greater than
     *		d2.
     * @since 1.4
     */
    public static int compare(double d1, double d2) {
        if (d1 < d2)
            return -1;		 // Neither val is NaN, thisVal is smaller
        if (d1 > d2)
            return 1;		 // Neither val is NaN, thisVal is larger

        long thisBits = Double.doubleToLongBits(d1);
        long anotherBits = Double.doubleToLongBits(d2);

        return (thisBits == anotherBits ?  0 : // Values are equal
                (thisBits < anotherBits ? -1 : // (-0.0, 0.0) or (!NaN, NaN)
                 1));                          // (0.0, -0.0) or (NaN, !NaN)
    }

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = -9172774392245257468L;
}
why-2.34/lib/java_api/java/lang/NumberFormatException.java0000644000175000017500000000251412311670312022124 0ustar  rtusers/*
 * @(#)NumberFormatException.java	1.19 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * Thrown to indicate that the application has attempted to convert 
 * a string to one of the numeric types, but that the string does not 
 * have the appropriate format. 
 *
 * @author  unascribed
 * @version 1.19, 01/23/03
 * @see     java.lang.Integer#toString()
 * @since   JDK1.0
 */
public
class NumberFormatException extends IllegalArgumentException {
    static final long serialVersionUID = -2848938806368998894L;

    /**
     * Constructs a NumberFormatException with no detail message.
     */
    public NumberFormatException () {
	super();
    }

    /**
     * Constructs a NumberFormatException with the 
     * specified detail message. 
     *
     * @param   s   the detail message.
     */
    public NumberFormatException (String s) {
	super (s);
    }

    /**
     * Factory method for making a NumberFormatException
     * given the specified input which caused the error.
     *
     * @param   s   the input causing the error
     */
    static NumberFormatException forInputString(String s) {
        return new NumberFormatException("For input string: \"" + s + "\"");
    }
}
why-2.34/lib/java_api/java/lang/String.java0000644000175000017500000026105112311670312017115 0ustar  rtusers/*
 * @(#)String.java	1.159 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

//*KML import java.io.ObjectStreamClass;
//*KML import java.io.ObjectStreamField;
//*KML import java.io.UnsupportedEncodingException;
//*KML import java.util.ArrayList;
//*KML import java.util.Comparator;
//*KML import java.util.Locale;
//*KML import java.util.regex.Matcher;
//*KML import java.util.regex.Pattern;
//*KML import java.util.regex.PatternSyntaxException;


/**
 * The String class represents character strings. All
 * string literals in Java programs, such as "abc", are
 * implemented as instances of this class.
 * 
    
 * Strings are constant; their values cannot be changed after they
 * are created. String buffers support mutable strings.
 * Because String objects are immutable they can be shared. For example:
 * 
     *     String str = "abc";
 * 
    
 * is equivalent to:
 * 
     *     char data[] = {'a', 'b', 'c'};
 *     String str = new String(data);
 * 
    
 * Here are some more examples of how strings can be used:
 * 
     *     System.out.println("abc");
 *     String cde = "cde";
 *     System.out.println("abc" + cde);
 *     String c = "abc".substring(2,3);
 *     String d = cde.substring(1, 2);
 * 
    
 * 
    
 * The class String includes methods for examining
 * individual characters of the sequence, for comparing strings, for
 * searching strings, for extracting substrings, and for creating a
 * copy of a string with all characters translated to uppercase or to
 * lowercase. Case mapping relies heavily on the information provided
 * by the Unicode Consortium's Unicode 3.0 specification. The
 * specification's UnicodeData.txt and SpecialCasing.txt files are
 * used extensively to provide case mapping.
 * 
    
 * The Java language provides special support for the string
 * concatenation operator ( + ), and for conversion of
 * other objects to strings. String concatenation is implemented
 * through the StringBuffer class and its
 * append method.
 * String conversions are implemented through the method
 * toString, defined by Object and
 * inherited by all classes in Java. For additional information on
 * string concatenation and conversion, see Gosling, Joy, and Steele,
 * The Java Language Specification.
 *
 * 
     Unless otherwise noted, passing a null argument to a constructor
 * or method in this class will cause a {@link NullPointerException} to be
 * thrown.
 *
 * @author  Lee Boynton
 * @author  Arthur van Hoff
 * @version 1.152, 02/01/03
 * @see     java.lang.Object#toString()
 * @see     java.lang.StringBuffer
 * @see     java.lang.StringBuffer#append(boolean)
 * @see     java.lang.StringBuffer#append(char)
 * @see     java.lang.StringBuffer#append(char[])
 * @see     java.lang.StringBuffer#append(char[], int, int)
 * @see     java.lang.StringBuffer#append(double)
 * @see     java.lang.StringBuffer#append(float)
 * @see     java.lang.StringBuffer#append(int)
 * @see     java.lang.StringBuffer#append(long)
 * @see     java.lang.StringBuffer#append(java.lang.Object)
 * @see     java.lang.StringBuffer#append(java.lang.String)
 * @see     java.nio.charset.Charset
 * @since   JDK1.0
 */

public final class String
    implements java.io.Serializable, Comparable, CharSequence
{
    /** The value is used for character storage. */
    private char value[];

    /** The offset is the first index of the storage that is used. */
    private int offset;

    /** The count is the number of characters in the String. */
    private int count;

    /** Cache the hash code for the string */
    private int hash = 0;

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = -6849794470754667710L;

    /**
     * Class String is special cased within the Serialization Stream Protocol.
     *
     * A String instance is written intially into an ObjectOutputStream in the
     * following format:
     * 
         *      TC_STRING (utf String)
     * 
    
     * The String is written by method DataOutput.writeUTF.
     * A new handle is generated to  refer to all future references to the
     * string instance within the stream.
     */
    /*KML
    private static final ObjectStreamField[] serialPersistentFields =
        new ObjectStreamField[0];
    KML*/

    /**
     * Initializes a newly created String object so that it
     * represents an empty character sequence.  Note that use of this 
     * constructor is unnecessary since Strings are immutable. 
     */
    public String() {
        value = new char[0];
    }

    /**
     * Initializes a newly created String object so that it
     * represents the same sequence of characters as the argument; in other
     * words, the newly created string is a copy of the argument string. Unless 
     * an explicit copy of original is needed, use of this 
     * constructor is unnecessary since Strings are immutable. 
     *
     * @param   original   a String.
     */
    public String(String original) {
 	this.count = original.count;
 	if (original.value.length > this.count) {
 	    // The array representing the String is bigger than the new
 	    // String itself.  Perhaps this constructor is being called
 	    // in order to trim the baggage, so make a copy of the array.
 	    this.value = new char[this.count];
 	    System.arraycopy(original.value, original.offset,
 			     this.value, 0, this.count);
 	} else {
 	    // The array representing the String is the same
 	    // size as the String, so no point in making a copy.
 	    this.value = original.value;
 	}
    }

    /**
     * Allocates a new String so that it represents the
     * sequence of characters currently contained in the character array
     * argument. The contents of the character array are copied; subsequent
     * modification of the character array does not affect the newly created
     * string.
     *
     * @param  value   the initial value of the string.
     */
    public String(char value[]) {
        this.count = value.length;
        this.value = new char[count];
        System.arraycopy(value, 0, this.value, 0, count);
    }

    /**
     * Allocates a new String that contains characters from
     * a subarray of the character array argument. The offset
     * argument is the index of the first character of the subarray and
     * the count argument specifies the length of the
     * subarray. The contents of the subarray are copied; subsequent
     * modification of the character array does not affect the newly
     * created string.
     *
     * @param      value    array that is the source of characters.
     * @param      offset   the initial offset.
     * @param      count    the length.
     * @exception  IndexOutOfBoundsException  if the offset
     *               and count arguments index characters outside
     *               the bounds of the value array.
     */
    public String(char value[], int offset, int count) {
        if (offset < 0) {
            throw new StringIndexOutOfBoundsException(offset);
        }
        if (count < 0) {
            throw new StringIndexOutOfBoundsException(count);
        }
        // Note: offset or count might be near -1>>>1.
        if (offset > value.length - count) {
            throw new StringIndexOutOfBoundsException(offset + count);
        }

        this.value = new char[count];
        this.count = count;
        System.arraycopy(value, offset, this.value, 0, count);
    }

    /**
     * Allocates a new String constructed from a subarray
     * of an array of 8-bit integer values.
     * 
    
     * The offset argument is the index of the first byte
     * of the subarray, and the count argument specifies the
     * length of the subarray.
     * 
    
     * Each byte in the subarray is converted to a
     * char as specified in the method above.
     *
     * @deprecated This method does not properly convert bytes into characters.
     * As of JDK 1.1, the preferred way to do this is via the
     * String constructors that take a charset name or that use
     * the platform's default charset.
     *
     * @param      ascii     the bytes to be converted to characters.
     * @param      hibyte    the top 8 bits of each 16-bit Unicode character.
     * @param      offset    the initial offset.
     * @param      count     the length.
     * @exception  IndexOutOfBoundsException  if the offset
     *               or count argument is invalid.
     * @see        java.lang.String#String(byte[], int)
     * @see        java.lang.String#String(byte[], int, int, java.lang.String)
     * @see        java.lang.String#String(byte[], int, int)
     * @see        java.lang.String#String(byte[], java.lang.String)
     * @see        java.lang.String#String(byte[])
     */
    public String(byte ascii[], int hibyte, int offset, int count) {
	checkBounds(ascii, offset, count);

        char value[] = new char[count];
        this.count = count;
        this.value = value;

        if (hibyte == 0) {
            for (int i = count ; i-- > 0 ;) {
                value[i] = (char) (ascii[i + offset] & 0xff);
            }
        } else {
            hibyte <<= 8;
            for (int i = count ; i-- > 0 ;) {
                value[i] = (char) (hibyte | (ascii[i + offset] & 0xff));
            }
        }
    }

    /**
     * Allocates a new String containing characters
     * constructed from an array of 8-bit integer values. Each character
     * cin the resulting string is constructed from the
     * corresponding component b in the byte array such that:
     * 
         *     c == (char)(((hibyte & 0xff) << 8)
     *                         | (b & 0xff))
     * 
    
     *
     * @deprecated This method does not properly convert bytes into characters.
     * As of JDK 1.1, the preferred way to do this is via the
     * String constructors that take a charset name or
     * that use the platform's default charset.
     *
     * @param      ascii    the bytes to be converted to characters.
     * @param      hibyte   the top 8 bits of each 16-bit Unicode character.
     * @see        java.lang.String#String(byte[], int, int, java.lang.String)
     * @see        java.lang.String#String(byte[], int, int)
     * @see        java.lang.String#String(byte[], java.lang.String)
     * @see        java.lang.String#String(byte[])
     */
    public String(byte ascii[], int hibyte) {
        this(ascii, hibyte, 0, ascii.length);
    }

    /* Common private utility method used to bounds check the byte array
     * and requested offset & length values used by the String(byte[],..)
     * constructors.
     */
    private static void checkBounds(byte[] bytes, int offset, int length) {
	if (length < 0)
	    throw new StringIndexOutOfBoundsException(length);
	if (offset < 0)
	    throw new StringIndexOutOfBoundsException(offset);
	if (offset > bytes.length - length)
	    throw new StringIndexOutOfBoundsException(offset + length);
    }

    /**
     * Constructs a new String by decoding the specified subarray of
     * bytes using the specified charset.  The length of the new
     * String is a function of the charset, and hence may not be equal
     * to the length of the subarray.
     *
     * 
     The behavior of this constructor when the given bytes are not valid
     * in the given charset is unspecified.  The {@link
     * java.nio.charset.CharsetDecoder} class should be used when more control
     * over the decoding process is required.
     *
     * @param  bytes   the bytes to be decoded into characters
     * @param  offset  the index of the first byte to decode
     * @param  length  the number of bytes to decode
     * @param  charsetName  the name of a supported
     *                 {@link java.nio.charset.Charset charset}
     * @throws  UnsupportedEncodingException
     *          if the named charset is not supported
     * @throws  IndexOutOfBoundsException
     *          if the offset and length arguments
     *          index characters outside the bounds of the bytes
     *          array
     * @since JDK1.1
     */
    public String(byte bytes[], int offset, int length, String charsetName)
	throws UnsupportedEncodingException
    {
	if (charsetName == null)
	    throw new NullPointerException("charsetName");
	checkBounds(bytes, offset, length);
	value = StringCoding.decode(charsetName, bytes, offset, length);
	count = value.length;
    }

    /**
     * Constructs a new String by decoding the specified array of
     * bytes using the specified charset.  The length of the new
     * String is a function of the charset, and hence may not be equal
     * to the length of the byte array.
     *
     * 
     The behavior of this constructor when the given bytes are not valid
     * in the given charset is unspecified.  The {@link
     * java.nio.charset.CharsetDecoder} class should be used when more control
     * over the decoding process is required.
     *
     * @param  bytes   the bytes to be decoded into characters
     * @param  charsetName  the name of a supported
     *                 {@link java.nio.charset.Charset charset}
     *
     * @exception  UnsupportedEncodingException
     *             If the named charset is not supported
     * @since      JDK1.1
     */
    public String(byte bytes[], String charsetName)
	throws UnsupportedEncodingException
    {
	this(bytes, 0, bytes.length, charsetName);
    }

    /**
     * Constructs a new String by decoding the specified subarray of
     * bytes using the platform's default charset.  The length of the new
     * String is a function of the charset, and hence may not be equal
     * to the length of the subarray.
     *
     * 
     The behavior of this constructor when the given bytes are not valid
     * in the default charset is unspecified.  The {@link
     * java.nio.charset.CharsetDecoder} class should be used when more control
     * over the decoding process is required.
     *
     * @param  bytes   the bytes to be decoded into characters
     * @param  offset  the index of the first byte to decode
     * @param  length  the number of bytes to decode
     * @throws IndexOutOfBoundsException
     *         if the offset and the length
     *         arguments index characters outside the bounds of the
     *         bytes array
     * @since  JDK1.1
     */
    public String(byte bytes[], int offset, int length) {
	checkBounds(bytes, offset, length);
	value = StringCoding.decode(bytes, offset, length);
	count = value.length;
    }

    /**
     * Constructs a new String by decoding the specified array of
     * bytes using the platform's default charset.  The length of the new
     * String is a function of the charset, and hence may not be equal
     * to the length of the byte array.
     *
     * 
     The behavior of this constructor when the given bytes are not valid
     * in the default charset is unspecified.  The {@link
     * java.nio.charset.CharsetDecoder} class should be used when more control
     * over the decoding process is required.
     *
     * @param  bytes   the bytes to be decoded into characters
     * @since  JDK1.1
     */
    public String(byte bytes[]) {
	this(bytes, 0, bytes.length);
    }

    /**
     * Allocates a new string that contains the sequence of characters
     * currently contained in the string buffer argument. The contents of
     * the string buffer are copied; subsequent modification of the string
     * buffer does not affect the newly created string.
     *
     * @param   buffer   a StringBuffer.
     */
    public String (StringBuffer buffer) {
        synchronized(buffer) {
            buffer.setShared();
            this.value = buffer.getValue();
            this.offset = 0;
            this.count = buffer.length();
        }
    }

    // Package private constructor which shares value array for speed.
    String(int offset, int count, char value[]) {
	this.value = value;
	this.offset = offset;
	this.count = count;
    }

    /**
     * Returns the length of this string.
     * The length is equal to the number of 16-bit
     * Unicode characters in the string.
     *
     * @return  the length of the sequence of characters represented by this
     *          object.
     */
    public int length() {
        return count;
    }

    /**
     * Returns the character at the specified index. An index ranges
     * from 0 to length() - 1. The first character
     * of the sequence is at index 0, the next at index
     * 1, and so on, as for array indexing.
     *
     * @param      index   the index of the character.
     * @return     the character at the specified index of this string.
     *             The first character is at index 0.
     * @exception  IndexOutOfBoundsException  if the index
     *             argument is negative or not less than the length of this
     *             string.
     */
    public char charAt(int index) {
        if ((index < 0) || (index >= count)) {
            throw new StringIndexOutOfBoundsException(index);
        }
        return value[index + offset];
    }

    /**
     * Copies characters from this string into the destination character
     * array.
     * 
    
     * The first character to be copied is at index srcBegin;
     * the last character to be copied is at index srcEnd-1
     * (thus the total number of characters to be copied is
     * srcEnd-srcBegin). The characters are copied into the
     * subarray of dst starting at index dstBegin
     * and ending at index:
     * 
         *     dstbegin + (srcEnd-srcBegin) - 1
     * 
    
     *
     * @param      srcBegin   index of the first character in the string
     *                        to copy.
     * @param      srcEnd     index after the last character in the string
     *                        to copy.
     * @param      dst        the destination array.
     * @param      dstBegin   the start offset in the destination array.
     * @exception IndexOutOfBoundsException If any of the following
     *            is true:
     *            
    • srcBegin is negative.
     *            
    • srcBegin is greater than srcEnd
     *            
    • srcEnd is greater than the length of this
     *                string
     *            
    • dstBegin is negative
     *            
    • dstBegin+(srcEnd-srcBegin) is larger than
     *                dst.length
    
     */
    public void getChars(int srcBegin, int srcEnd, char dst[], int dstBegin) {
        if (srcBegin < 0) {
            throw new StringIndexOutOfBoundsException(srcBegin);
        }
        if (srcEnd > count) {
            throw new StringIndexOutOfBoundsException(srcEnd);
        }
        if (srcBegin > srcEnd) {
            throw new StringIndexOutOfBoundsException(srcEnd - srcBegin);
        }
        System.arraycopy(value, offset + srcBegin, dst, dstBegin,
             srcEnd - srcBegin);
    }

    /**
     * Copies characters from this string into the destination byte
     * array. Each byte receives the 8 low-order bits of the
     * corresponding character. The eight high-order bits of each character
     * are not copied and do not participate in the transfer in any way.
     * 
    
     * The first character to be copied is at index srcBegin;
     * the last character to be copied is at index srcEnd-1.
     * The total number of characters to be copied is
     * srcEnd-srcBegin. The characters, converted to bytes,
     * are copied into the subarray of dst starting at index
     * dstBegin and ending at index:
     * 
         *     dstbegin + (srcEnd-srcBegin) - 1
     * 
    
     *
     * @deprecated This method does not properly convert characters into bytes.
     * As of JDK 1.1, the preferred way to do this is via the
     * the getBytes() method, which uses the platform's default
     * charset.
     *
     * @param      srcBegin   index of the first character in the string
     *                        to copy.
     * @param      srcEnd     index after the last character in the string
     *                        to copy.
     * @param      dst        the destination array.
     * @param      dstBegin   the start offset in the destination array.
     * @exception IndexOutOfBoundsException if any of the following
     *            is true:
     *           
    • srcBegin is negative
     *           
    • srcBegin is greater than srcEnd
     *           
    • srcEnd is greater than the length of this
     *            String
     *           
    • dstBegin is negative
     *           
    • dstBegin+(srcEnd-srcBegin) is larger than
     *            dst.length
    
     */
    public void getBytes(int srcBegin, int srcEnd, byte dst[], int dstBegin) {
        if (srcBegin < 0) {
            throw new StringIndexOutOfBoundsException(srcBegin);
        }
        if (srcEnd > count) {
            throw new StringIndexOutOfBoundsException(srcEnd);
        }
        if (srcBegin > srcEnd) {
            throw new StringIndexOutOfBoundsException(srcEnd - srcBegin);
        }
        int j = dstBegin;
        int n = offset + srcEnd;
        int i = offset + srcBegin;
        char[] val = value;   /* avoid getfield opcode */

        while (i < n) {
            dst[j++] = (byte)val[i++];
        }
    }

    /**
     * Encodes this String into a sequence of bytes using the
     * named charset, storing the result into a new byte array.
     *
     * 
     The behavior of this method when this string cannot be encoded in
     * the given charset is unspecified.  The {@link
     * java.nio.charset.CharsetEncoder} class should be used when more control
     * over the encoding process is required.
     *
     * @param  charsetName
     *         the name of a supported
     *         {@link java.nio.charset.Charset charset}
     *
     * @return  The resultant byte array
     *
     * @exception  UnsupportedEncodingException
     *             If the named charset is not supported
     *
     * @since      JDK1.1
     */
    public byte[] getBytes(String charsetName)
	throws UnsupportedEncodingException
    {
	return StringCoding.encode(charsetName, value, offset, count);
    }

    /**
     * Encodes this String into a sequence of bytes using the
     * platform's default charset, storing the result into a new byte array.
     *
     * 
     The behavior of this method when this string cannot be encoded in
     * the default charset is unspecified.  The {@link
     * java.nio.charset.CharsetEncoder} class should be used when more control
     * over the encoding process is required.
     *
     * @return  The resultant byte array
     *
     * @since      JDK1.1
     */
    public byte[] getBytes() {
	return StringCoding.encode(value, offset, count);
    }

    /**
     * Compares this string to the specified object.
     * The result is true if and only if the argument is not
     * null and is a String object that represents
     * the same sequence of characters as this object.
     *
     * @param   anObject   the object to compare this String
     *                     against.
     * @return  true if the String are equal;
     *          false otherwise.
     * @see     java.lang.String#compareTo(java.lang.String)
     * @see     java.lang.String#equalsIgnoreCase(java.lang.String)
     */
    public boolean equals(Object anObject) {
	if (this == anObject) {
	    return true;
	}
	if (anObject instanceof String) {
	    String anotherString = (String)anObject;
	    int n = count;
	    if (n == anotherString.count) {
		char v1[] = value;
		char v2[] = anotherString.value;
		int i = offset;
		int j = anotherString.offset;
		while (n-- != 0) {
		    if (v1[i++] != v2[j++])
			return false;
		}
		return true;
	    }
	}
	return false;
    }

    /**
     * Returns true if and only if this String represents
     * the same sequence of characters as the specified StringBuffer.
     *
     * @param   sb         the StringBuffer to compare to.
     * @return  true if and only if this String represents
     *          the same sequence of characters as the specified
     *          StringBuffer, otherwise false.
     * @since 1.4
     */
    public boolean contentEquals(StringBuffer sb) {
        synchronized(sb) {
            if (count != sb.length())
                return false;
            char v1[] = value;
            char v2[] = sb.getValue();
            int i = offset;
            int j = 0;
            int n = count;
            while (n-- != 0) {
                if (v1[i++] != v2[j++])
                    return false;
            }
        }
        return true;
    }

    /**
     * Compares this String to another String,
     * ignoring case considerations.  Two strings are considered equal
     * ignoring case if they are of the same length, and corresponding
     * characters in the two strings are equal ignoring case.
     * 
    
     * Two characters c1 and c2 are considered
     * the same, ignoring case if at least one of the following is true:
     * 
    • The two characters are the same (as compared by the
     * == operator).
     * 
    • Applying the method {@link java.lang.Character#toUpperCase(char)}
     * to each character produces the same result.
     * 
    • Applying the method {@link java.lang.Character#toLowerCase(char)}
     * to each character produces the same result.
    
     *
     * @param   anotherString   the String to compare this
     *                          String against.
     * @return  true if the argument is not null
     *          and the Strings are equal,
     *          ignoring case; false otherwise.
     * @see     #equals(Object)
     * @see     java.lang.Character#toLowerCase(char)
     * @see java.lang.Character#toUpperCase(char)
     */
    public boolean equalsIgnoreCase(String anotherString) {
        return (this == anotherString) ? true :
               (anotherString != null) && (anotherString.count == count) &&
	       regionMatches(true, 0, anotherString, 0, count);
    }

    /**
     * Compares two strings lexicographically.
     * The comparison is based on the Unicode value of each character in
     * the strings. The character sequence represented by this
     * String object is compared lexicographically to the
     * character sequence represented by the argument string. The result is
     * a negative integer if this String object
     * lexicographically precedes the argument string. The result is a
     * positive integer if this String object lexicographically
     * follows the argument string. The result is zero if the strings
     * are equal; compareTo returns 0 exactly when
     * the {@link #equals(Object)} method would return true.
     * 
    
     * This is the definition of lexicographic ordering. If two strings are
     * different, then either they have different characters at some index
     * that is a valid index for both strings, or their lengths are different,
     * or both. If they have different characters at one or more index
     * positions, let k be the smallest such index; then the string
     * whose character at position k has the smaller value, as
     * determined by using the < operator, lexicographically precedes the
     * other string. In this case, compareTo returns the
     * difference of the two character values at position k in
     * the two string -- that is, the value:
     * 
         * this.charAt(k)-anotherString.charAt(k)
     * 
    
     * If there is no index position at which they differ, then the shorter
     * string lexicographically precedes the longer string. In this case,
     * compareTo returns the difference of the lengths of the
     * strings -- that is, the value:
     * 
         * this.length()-anotherString.length()
     * 
    
     *
     * @param   anotherString   the String to be compared.
     * @return  the value 0 if the argument string is equal to
     *          this string; a value less than 0 if this string
     *          is lexicographically less than the string argument; and a
     *          value greater than 0 if this string is
     *          lexicographically greater than the string argument.
     */
    public int compareTo(String anotherString) {
	int len1 = count;
	int len2 = anotherString.count;
	int n = Math.min(len1, len2);
	char v1[] = value;
	char v2[] = anotherString.value;
	int i = offset;
	int j = anotherString.offset;

	if (i == j) {
	    int k = i;
	    int lim = n + i;
	    while (k < lim) {
		char c1 = v1[k];
		char c2 = v2[k];
		if (c1 != c2) {
		    return c1 - c2;
		}
		k++;
	    }
	} else {
	    while (n-- != 0) {
		char c1 = v1[i++];
		char c2 = v2[j++];
		if (c1 != c2) {
		    return c1 - c2;
		}
	    }
	}
	return len1 - len2;
    }

    /**
     * Compares this String to another Object.  If the Object is a String,
     * this function behaves like compareTo(String).  Otherwise,
     * it throws a ClassCastException (as Strings are comparable
     * only to other Strings).
     *
     * @param   o the Object to be compared.
     * @return  the value 0 if the argument is a string
     *		lexicographically equal to this string; a value less than
     *		0 if the argument is a string lexicographically
     *		greater than this string; and a value greater than
     *		0 if the argument is a string lexicographically
     *		less than this string.
     * @exception ClassCastException if the argument is not a
     *		  String.
     * @see     java.lang.Comparable
     * @since   1.2
     */
    public int compareTo(Object o) {
	return compareTo((String)o);
    }

    /**
     * A Comparator that orders String objects as by
     * compareToIgnoreCase. This comparator is serializable.
     * 
    
     * Note that this Comparator does not take locale into account,
     * and will result in an unsatisfactory ordering for certain locales.
     * The java.text package provides Collators to allow
     * locale-sensitive ordering.
     *
     * @see     java.text.Collator#compare(String, String)
     * @since   1.2
     */
    /* KML
    public static final Comparator CASE_INSENSITIVE_ORDER
                                         = new CaseInsensitiveComparator();
    private static class CaseInsensitiveComparator
                         implements Comparator, java.io.Serializable {
	// use serialVersionUID from JDK 1.2.2 for interoperability
	private static final long serialVersionUID = 8575799808933029326L;

        public int compare(Object o1, Object o2) {
            String s1 = (String) o1;
            String s2 = (String) o2;
            int n1=s1.length(), n2=s2.length();
            for (int i1=0, i2=0; i1compareTo with normalized versions of the strings
     * where case differences have been eliminated by calling
     * Character.toLowerCase(Character.toUpperCase(character)) on
     * each character.
     * 
    
     * Note that this method does not take locale into account,
     * and will result in an unsatisfactory ordering for certain locales.
     * The java.text package provides collators to allow
     * locale-sensitive ordering.
     *
     * @param   str   the String to be compared.
     * @return  a negative integer, zero, or a positive integer as the
     *		the specified String is greater than, equal to, or less
     *		than this String, ignoring case considerations.
     * @see     java.text.Collator#compare(String, String)
     * @since   1.2
     */
    public int compareToIgnoreCase(String str) {
        return CASE_INSENSITIVE_ORDER.compare(this, str);
    }

    /**
     * Tests if two string regions are equal.
     * 
    
     * A substring of this String object is compared to a substring
     * of the argument other. The result is true if these substrings
     * represent identical character sequences. The substring of this
     * String object to be compared begins at index toffset
     * and has length len. The substring of other to be compared
     * begins at index ooffset and has length len. The
     * result is false if and only if at least one of the following
     * is true:
     * 
    • toffset is negative.
     * 
    • ooffset is negative.
     * 
    • toffset+len is greater than the length of this
     * String object.
     * 
    • ooffset+len is greater than the length of the other
     * argument.
     * 
    • There is some nonnegative integer k less than len
     * such that:
     * this.charAt(toffset+k) != other.charAt(ooffset+k)
     * 
    
     *
     * @param   toffset   the starting offset of the subregion in this string.
     * @param   other     the string argument.
     * @param   ooffset   the starting offset of the subregion in the string
     *                    argument.
     * @param   len       the number of characters to compare.
     * @return  true if the specified subregion of this string
     *          exactly matches the specified subregion of the string argument;
     *          false otherwise.
     */
    public boolean regionMatches(int toffset, String other, int ooffset,
				 int len) {
	char ta[] = value;
	int to = offset + toffset;
	char pa[] = other.value;
	int po = other.offset + ooffset;
	// Note: toffset, ooffset, or len might be near -1>>>1.
	if ((ooffset < 0) || (toffset < 0) || (toffset > (long)count - len)
	    || (ooffset > (long)other.count - len)) {
	    return false;
	}
	while (len-- > 0) {
	    if (ta[to++] != pa[po++]) {
	        return false;
	    }
	}
	return true;
    }

    /**
     * Tests if two string regions are equal.
     * 
    
     * A substring of this String object is compared to a substring
     * of the argument other. The result is true if these
     * substrings represent character sequences that are the same, ignoring
     * case if and only if ignoreCase is true. The substring of
     * this String object to be compared begins at index
     * toffset and has length len. The substring of
     * other to be compared begins at index ooffset and
     * has length len. The result is false if and only if
     * at least one of the following is true:
     * 
    • toffset is negative.
     * 
    • ooffset is negative.
     * 
    • toffset+len is greater than the length of this
     * String object.
     * 
    • ooffset+len is greater than the length of the other
     * argument.
     * 
    • ignoreCase is false and there is some nonnegative
     * integer k less than len such that:
     * 
           * this.charAt(toffset+k) != other.charAt(ooffset+k)
     * 
      
     * 
    • ignoreCase is true and there is some nonnegative
     * integer k less than len such that:
     * 
           * Character.toLowerCase(this.charAt(toffset+k)) !=
               Character.toLowerCase(other.charAt(ooffset+k))
     * 
      
     * and:
     * 
           * Character.toUpperCase(this.charAt(toffset+k)) !=
     *         Character.toUpperCase(other.charAt(ooffset+k))
     * 
      
     * 
    
     *
     * @param   ignoreCase   if true, ignore case when comparing
     *                       characters.
     * @param   toffset      the starting offset of the subregion in this
     *                       string.
     * @param   other        the string argument.
     * @param   ooffset      the starting offset of the subregion in the string
     *                       argument.
     * @param   len          the number of characters to compare.
     * @return  true if the specified subregion of this string
     *          matches the specified subregion of the string argument;
     *          false otherwise. Whether the matching is exact
     *          or case insensitive depends on the ignoreCase
     *          argument.
     */
    public boolean regionMatches(boolean ignoreCase, int toffset,
                           String other, int ooffset, int len) {
        char ta[] = value;
        int to = offset + toffset;
        char pa[] = other.value;
        int po = other.offset + ooffset;
        // Note: toffset, ooffset, or len might be near -1>>>1.
        if ((ooffset < 0) || (toffset < 0) || (toffset > (long)count - len) ||
                (ooffset > (long)other.count - len)) {
            return false;
        }
        while (len-- > 0) {
            char c1 = ta[to++];
            char c2 = pa[po++];
            if (c1 == c2) {
                continue;
            }
            if (ignoreCase) {
                // If characters don't match but case may be ignored,
                // try converting both characters to uppercase.
                // If the results match, then the comparison scan should
                // continue.
                char u1 = Character.toUpperCase(c1);
                char u2 = Character.toUpperCase(c2);
                if (u1 == u2) {
                    continue;
                }
                // Unfortunately, conversion to uppercase does not work properly
                // for the Georgian alphabet, which has strange rules about case
                // conversion.  So we need to make one last check before
                // exiting.
                if (Character.toLowerCase(u1) == Character.toLowerCase(u2)) {
                    continue;
                }
            }
            return false;
        }
        return true;
    }

    /**
     * Tests if this string starts with the specified prefix beginning
     * a specified index.
     *
     * @param   prefix    the prefix.
     * @param   toffset   where to begin looking in the string.
     * @return  true if the character sequence represented by the
     *          argument is a prefix of the substring of this object starting
     *          at index toffset; false otherwise.
     *          The result is false if toffset is
     *          negative or greater than the length of this
     *          String object; otherwise the result is the same
     *          as the result of the expression
     *          
         *          this.subString(toffset).startsWith(prefix)
     *          
    
     */
    public boolean startsWith(String prefix, int toffset) {
	char ta[] = value;
	int to = offset + toffset;
	char pa[] = prefix.value;
	int po = prefix.offset;
	int pc = prefix.count;
	// Note: toffset might be near -1>>>1.
	if ((toffset < 0) || (toffset > count - pc)) {
	    return false;
	}
	while (--pc >= 0) {
	    if (ta[to++] != pa[po++]) {
	        return false;
	    }
	}
	return true;
    }

    /**
     * Tests if this string starts with the specified prefix.
     *
     * @param   prefix   the prefix.
     * @return  true if the character sequence represented by the
     *          argument is a prefix of the character sequence represented by
     *          this string; false otherwise.
     *          Note also that true will be returned if the
     *          argument is an empty string or is equal to this
     *          String object as determined by the
     *          {@link #equals(Object)} method.
     * @since   1. 0
     */
    public boolean startsWith(String prefix) {
	return startsWith(prefix, 0);
    }

    /**
     * Tests if this string ends with the specified suffix.
     *
     * @param   suffix   the suffix.
     * @return  true if the character sequence represented by the
     *          argument is a suffix of the character sequence represented by
     *          this object; false otherwise. Note that the
     *          result will be true if the argument is the
     *          empty string or is equal to this String object
     *          as determined by the {@link #equals(Object)} method.
     */
    public boolean endsWith(String suffix) {
	return startsWith(suffix, count - suffix.count);
    }

    /**
     * Returns a hash code for this string. The hash code for a
     * String object is computed as
     * 
         * s[0]*31^(n-1) + s[1]*31^(n-2) + ... + s[n-1]
     * 
    
     * using int arithmetic, where s[i] is the
     * ith character of the string, n is the length of
     * the string, and ^ indicates exponentiation.
     * (The hash value of the empty string is zero.)
     *
     * @return  a hash code value for this object.
     */
    public int hashCode() {
	int h = hash;
	if (h == 0) {
	    int off = offset;
	    char val[] = value;
	    int len = count;

            for (int i = 0; i < len; i++) {
                h = 31*h + val[off++];
            }
            hash = h;
        }
        return h;
    }

    /**
     * Returns the index within this string of the first occurrence of the
     * specified character. If a character with value ch occurs
     * in the character sequence represented by this String
     * object, then the index of the first such occurrence is returned --
     * that is, the smallest value k such that:
     * 
         * this.charAt(k) == ch
     * 
    
     * is true. If no such character occurs in this string,
     * then -1 is returned.
     *
     * @param   ch   a character.
     * @return  the index of the first occurrence of the character in the
     *          character sequence represented by this object, or
     *          -1 if the character does not occur.
     */
    public int indexOf(int ch) {
	return indexOf(ch, 0);
    }

    /**
     * Returns the index within this string of the first occurrence of the
     * specified character, starting the search at the specified index.
     * 
    
     * If a character with value ch occurs in the character
     * sequence represented by this String object at an index
     * no smaller than fromIndex, then the index of the first
     * such occurrence is returned--that is, the smallest value k
     * such that:
     * 
         * (this.charAt(k) == ch) && (k >= fromIndex)
     * 
    
     * is true. If no such character occurs in this string at or after
     * position fromIndex, then -1 is returned.
     * 
    
     * There is no restriction on the value of fromIndex. If it
     * is negative, it has the same effect as if it were zero: this entire
     * string may be searched. If it is greater than the length of this
     * string, it has the same effect as if it were equal to the length of
     * this string: -1 is returned.
     *
     * @param   ch          a character.
     * @param   fromIndex   the index to start the search from.
     * @return  the index of the first occurrence of the character in the
     *          character sequence represented by this object that is greater
     *          than or equal to fromIndex, or -1
     *          if the character does not occur.
     */
    public int indexOf(int ch, int fromIndex) {
	int max = offset + count;
	char v[] = value;

	if (fromIndex < 0) {
	    fromIndex = 0;
	} else if (fromIndex >= count) {
	    // Note: fromIndex might be near -1>>>1.
	    return -1;
	}
	for (int i = offset + fromIndex ; i < max ; i++) {
	    if (v[i] == ch) {
		return i - offset;
	    }
	}
	return -1;
    }

    /**
     * Returns the index within this string of the last occurrence of the
     * specified character. That is, the index returned is the largest
     * value k such that:
     * 
         * this.charAt(k) == ch
     * 
    
     * is true.
     * The String is searched backwards starting at the last character.
     *
     * @param   ch   a character.
     * @return  the index of the last occurrence of the character in the
     *          character sequence represented by this object, or
     *          -1 if the character does not occur.
     */
    public int lastIndexOf(int ch) {
	return lastIndexOf(ch, count - 1);
    }

    /**
     * Returns the index within this string of the last occurrence of the
     * specified character, searching backward starting at the specified
     * index. That is, the index returned is the largest value k
     * such that:
     * 
         * this.charAt(k) == ch) && (k <= fromIndex)
     * 
    
     * is true.
     *
     * @param   ch          a character.
     * @param   fromIndex   the index to start the search from. There is no
     *          restriction on the value of fromIndex. If it is
     *          greater than or equal to the length of this string, it has
     *          the same effect as if it were equal to one less than the
     *          length of this string: this entire string may be searched.
     *          If it is negative, it has the same effect as if it were -1:
     *          -1 is returned.
     * @return  the index of the last occurrence of the character in the
     *          character sequence represented by this object that is less
     *          than or equal to fromIndex, or -1
     *          if the character does not occur before that point.
     */
    public int lastIndexOf(int ch, int fromIndex) {
	int min = offset;
	char v[] = value;

	for (int i = offset + ((fromIndex >= count) ? count - 1 : fromIndex) ; i >= min ; i--) {
	    if (v[i] == ch) {
		return i - offset;
	    }
	}
	return -1;
    }

    /**
     * Returns the index within this string of the first occurrence of the
     * specified substring. The integer returned is the smallest value
     * k such that:
     * 
         * this.startsWith(str, k)
     * 
    
     * is true.
     *
     * @param   str   any string.
     * @return  if the string argument occurs as a substring within this
     *          object, then the index of the first character of the first
     *          such substring is returned; if it does not occur as a
     *          substring, -1 is returned.
     */
    public int indexOf(String str) {
	return indexOf(str, 0);
    }

    /**
     * Returns the index within this string of the first occurrence of the
     * specified substring, starting at the specified index.  The integer
     * returned is the smallest value k for which:
     * 
         *     k >= Math.min(fromIndex, str.length()) && this.startsWith(str, k)
     * 
    
     * If no such value of k exists, then -1 is returned.
     *
     * @param   str         the substring for which to search.
     * @param   fromIndex   the index from which to start the search.
     * @return  the index within this string of the first occurrence of the
     *          specified substring, starting at the specified index.
     */
    public int indexOf(String str, int fromIndex) {
        return indexOf(value, offset, count,
                       str.value, str.offset, str.count, fromIndex);
    }

    /**
     * Code shared by String and StringBuffer to do searches. The
     * source is the character array being searched, and the target
     * is the string being searched for.
     *
     * @param   source       the characters being searched.
     * @param   sourceOffset offset of the source string.
     * @param   sourceCount  count of the source string.
     * @param   target       the characters being searched for.
     * @param   targetOffset offset of the target string.
     * @param   targetCount  count of the target string.
     * @param   fromIndex    the index to begin searching from.
     */
    static int indexOf(char[] source, int sourceOffset, int sourceCount,
                       char[] target, int targetOffset, int targetCount,
                       int fromIndex) {
	if (fromIndex >= sourceCount) {
            return (targetCount == 0 ? sourceCount : -1);
	}
    	if (fromIndex < 0) {
    	    fromIndex = 0;
    	}
	if (targetCount == 0) {
	    return fromIndex;
	}

        char first  = target[targetOffset];
        int i = sourceOffset + fromIndex;
        int max = sourceOffset + (sourceCount - targetCount);

    startSearchForFirstChar:
        while (true) {
	    /* Look for first character. */
	    while (i <= max && source[i] != first) {
		i++;
	    }
	    if (i > max) {
		return -1;
	    }

	    /* Found first character, now look at the rest of v2 */
	    int j = i + 1;
	    int end = j + targetCount - 1;
	    int k = targetOffset + 1;
	    while (j < end) {
		if (source[j++] != target[k++]) {
		    i++;
		    /* Look for str's first char again. */
		    continue startSearchForFirstChar;
		}
	    }
	    return i - sourceOffset;	/* Found whole string. */
        }
    }

    /**
     * Returns the index within this string of the rightmost occurrence
     * of the specified substring.  The rightmost empty string "" is
     * considered to occur at the index value this.length().
     * The returned index is the largest value k such that
     * 
         * this.startsWith(str, k)
     * 
    
     * is true.
     *
     * @param   str   the substring to search for.
     * @return  if the string argument occurs one or more times as a substring
     *          within this object, then the index of the first character of
     *          the last such substring is returned. If it does not occur as
     *          a substring, -1 is returned.
     */
    public int lastIndexOf(String str) {
	return lastIndexOf(str, count);
    }

    /**
     * Returns the index within this string of the last occurrence of the
     * specified substring, searching backward starting at the specified index.
     * The integer returned is the largest value k such that:
     * 
         *     k <= Math.min(fromIndex, str.length()) && this.startsWith(str, k)
     * 
    
     * If no such value of k exists, then -1 is returned.
     * 
     * @param   str         the substring to search for.
     * @param   fromIndex   the index to start the search from.
     * @return  the index within this string of the last occurrence of the
     *          specified substring.
     */
    public int lastIndexOf(String str, int fromIndex) {
        return lastIndexOf(value, offset, count,
                           str.value, str.offset, str.count, fromIndex);
    }

    /**
     * Code shared by String and StringBuffer to do searches. The
     * source is the character array being searched, and the target
     * is the string being searched for.
     *
     * @param   source       the characters being searched.
     * @param   sourceOffset offset of the source string.
     * @param   sourceCount  count of the source string.
     * @param   target       the characters being searched for.
     * @param   targetOffset offset of the target string.
     * @param   targetCount  count of the target string.
     * @param   fromIndex    the index to begin searching from.
     */
    static int lastIndexOf(char[] source, int sourceOffset, int sourceCount,
                           char[] target, int targetOffset, int targetCount,
                           int fromIndex) {
        /*
	 * Check arguments; return immediately where possible. For
	 * consistency, don't check for null str.
	 */
        int rightIndex = sourceCount - targetCount;
	if (fromIndex < 0) {
	    return -1;
	}
	if (fromIndex > rightIndex) {
	    fromIndex = rightIndex;
	}
	/* Empty string always matches. */
	if (targetCount == 0) {
	    return fromIndex;
	}

        int strLastIndex = targetOffset + targetCount - 1;
	char strLastChar = target[strLastIndex];
	int min = sourceOffset + targetCount - 1;
	int i = min + fromIndex;

    startSearchForLastChar:
	while (true) {
	    while (i >= min && source[i] != strLastChar) {
		i--;
	    }
	    if (i < min) {
		return -1;
	    }
	    int j = i - 1;
	    int start = j - (targetCount - 1);
	    int k = strLastIndex - 1;

	    while (j > start) {
	        if (source[j--] != target[k--]) {
		    i--;
		    continue startSearchForLastChar;
		}
	    }
	    return start - sourceOffset + 1;
	}
    }

    /**
     * Returns a new string that is a substring of this string. The
     * substring begins with the character at the specified index and
     * extends to the end of this string. 
    
     * Examples:
     * 
         * "unhappy".substring(2) returns "happy"
     * "Harbison".substring(3) returns "bison"
     * "emptiness".substring(9) returns "" (an empty string)
     * 
    
     *
     * @param      beginIndex   the beginning index, inclusive.
     * @return     the specified substring.
     * @exception  IndexOutOfBoundsException  if
     *             beginIndex is negative or larger than the
     *             length of this String object.
     */
    public String substring(int beginIndex) {
	return substring(beginIndex, count);
    }

    /**
     * Returns a new string that is a substring of this string. The
     * substring begins at the specified beginIndex and
     * extends to the character at index endIndex - 1.
     * Thus the length of the substring is endIndex-beginIndex.
     * 
    
     * Examples:
     * 
         * "hamburger".substring(4, 8) returns "urge"
     * "smiles".substring(1, 5) returns "mile"
     * 
    
     *
     * @param      beginIndex   the beginning index, inclusive.
     * @param      endIndex     the ending index, exclusive.
     * @return     the specified substring.
     * @exception  IndexOutOfBoundsException  if the
     *             beginIndex is negative, or
     *             endIndex is larger than the length of
     *             this String object, or
     *             beginIndex is larger than
     *             endIndex.
     */
    public String substring(int beginIndex, int endIndex) {
	if (beginIndex < 0) {
	    throw new StringIndexOutOfBoundsException(beginIndex);
	}
	if (endIndex > count) {
	    throw new StringIndexOutOfBoundsException(endIndex);
	}
	if (beginIndex > endIndex) {
	    throw new StringIndexOutOfBoundsException(endIndex - beginIndex);
	}
	return ((beginIndex == 0) && (endIndex == count)) ? this :
	    new String(offset + beginIndex, endIndex - beginIndex, value);
    }

    /**
     * Returns a new character sequence that is a subsequence of this sequence.
     *
     * 
     An invocation of this method of the form
     *
     * 
         * str.subSequence(begin, end)
    
     *
     * behaves in exactly the same way as the invocation
     *
     * 
         * str.substring(begin, end)
    
     *
     * This method is defined so that the String class can implement
     * the {@link CharSequence} interface. 
    
     *
     * @param      beginIndex   the begin index, inclusive.
     * @param      endIndex     the end index, exclusive.
     * @return     the specified subsequence.
     *
     * @throws  IndexOutOfBoundsException
     *          if beginIndex or endIndex are negative,
     *          if endIndex is greater than length(),
     *          or if beginIndex is greater than startIndex
     *
     * @since 1.4
     * @spec JSR-51
     */
    public CharSequence subSequence(int beginIndex, int endIndex) {
        return this.substring(beginIndex, endIndex);
    }

    /**
     * Concatenates the specified string to the end of this string.
     * 
    
     * If the length of the argument string is 0, then this
     * String object is returned. Otherwise, a new
     * String object is created, representing a character
     * sequence that is the concatenation of the character sequence
     * represented by this String object and the character
     * sequence represented by the argument string.
    
     * Examples:
     * 
         * "cares".concat("s") returns "caress"
     * "to".concat("get").concat("her") returns "together"
     * 
    
     *
     * @param   str   the String that is concatenated to the end
     *                of this String.
     * @return  a string that represents the concatenation of this object's
     *          characters followed by the string argument's characters.
     */
    public String concat(String str) {
	int otherLen = str.length();
	if (otherLen == 0) {
	    return this;
	}
	char buf[] = new char[count + otherLen];
	getChars(0, count, buf, 0);
	str.getChars(0, otherLen, buf, count);
	return new String(0, count + otherLen, buf);
    }

    /**
     * Returns a new string resulting from replacing all occurrences of
     * oldChar in this string with newChar.
     * 
    
     * If the character oldChar does not occur in the
     * character sequence represented by this String object,
     * then a reference to this String object is returned.
     * Otherwise, a new String object is created that
     * represents a character sequence identical to the character sequence
     * represented by this String object, except that every
     * occurrence of oldChar is replaced by an occurrence
     * of newChar.
     * 
    
     * Examples:
     * 
         * "mesquite in your cellar".replace('e', 'o')
     *         returns "mosquito in your collar"
     * "the war of baronets".replace('r', 'y')
     *         returns "the way of bayonets"
     * "sparring with a purple porpoise".replace('p', 't')
     *         returns "starring with a turtle tortoise"
     * "JonL".replace('q', 'x') returns "JonL" (no change)
     * 
    
     *
     * @param   oldChar   the old character.
     * @param   newChar   the new character.
     * @return  a string derived from this string by replacing every
     *          occurrence of oldChar with newChar.
     */
    public String replace(char oldChar, char newChar) {
	if (oldChar != newChar) {
	    int len = count;
	    int i = -1;
	    char[] val = value; /* avoid getfield opcode */
	    int off = offset;   /* avoid getfield opcode */

	    while (++i < len) {
		if (val[off + i] == oldChar) {
		    break;
		}
	    }
	    if (i < len) {
		char buf[] = new char[len];
		for (int j = 0 ; j < i ; j++) {
		    buf[j] = val[off+j];
		}
		while (i < len) {
		    char c = val[off + i];
		    buf[i] = (c == oldChar) ? newChar : c;
		    i++;
		}
		return new String(0, len, buf);
	    }
	}
	return this;
    }

    /**
     * Tells whether or not this string matches the given regular expression.
     *
     * 
     An invocation of this method of the form
     * str.matches(regex) yields exactly the
     * same result as the expression
     *
     * 
     {@link java.util.regex.Pattern}.{@link
     * java.util.regex.Pattern#matches(String,CharSequence)
     * matches}(regex, str)
    
     *
     * @param   regex
     *          the regular expression to which this string is to be matched
     *
     * @return  true if, and only if, this string matches the
     *          given regular expression
     *
     * @throws  PatternSyntaxException
     *          if the regular expression's syntax is invalid
     *
     * @see java.util.regex.Pattern
     *
     * @since 1.4
     * @spec JSR-51
     */
    public boolean matches(String regex) {
        return Pattern.matches(regex, this);
    }

    /**
     * Replaces the first substring of this string that matches the given regular expression with the
     * given replacement.
     *
     * 
     An invocation of this method of the form
     * str.replaceFirst(regex, repl)
     * yields exactly the same result as the expression
     *
     * 
    
     * {@link java.util.regex.Pattern}.{@link java.util.regex.Pattern#compile
     * compile}(regex).{@link
     * java.util.regex.Pattern#matcher(java.lang.CharSequence)
     * matcher}(str).{@link java.util.regex.Matcher#replaceFirst
     * replaceFirst}(repl)
    
     *
     * @param   regex
     *          the regular expression to which this string is to be matched
     *
     * @return  The resulting String
     *
     * @throws  PatternSyntaxException
     *          if the regular expression's syntax is invalid
     *
     * @see java.util.regex.Pattern
     *
     * @since 1.4
     * @spec JSR-51
     */
    public String replaceFirst(String regex, String replacement) {
	return Pattern.compile(regex).matcher(this).replaceFirst(replacement);
    }

    /**
     * Replaces each substring of this string that matches the given regular expression with the
     * given replacement.
     *
     * 
     An invocation of this method of the form
     * str.replaceAll(regex, repl)
     * yields exactly the same result as the expression
     *
     * 
    
     * {@link java.util.regex.Pattern}.{@link java.util.regex.Pattern#compile
     * compile}(regex).{@link
     * java.util.regex.Pattern#matcher(java.lang.CharSequence)
     * matcher}(str).{@link java.util.regex.Matcher#replaceAll
     * replaceAll}(repl)
    
     *
     * @param   regex
     *          the regular expression to which this string is to be matched
     *
     * @return  The resulting String
     *
     * @throws  PatternSyntaxException
     *          if the regular expression's syntax is invalid
     *
     * @see java.util.regex.Pattern
     *
     * @since 1.4
     * @spec JSR-51
     */
    public String replaceAll(String regex, String replacement) {
	return Pattern.compile(regex).matcher(this).replaceAll(replacement);
    }

    /**
     * Splits this string around matches of the given regular expression.
     *
     * 
     The array returned by this method contains each substring of this
     * string that is terminated by another substring that matches the given
     * expression or is terminated by the end of the string.  The substrings in
     * the array are in the order in which they occur in this string.  If the
     * expression does not match any part of the input then the resulting array
     * has just one element, namely this string.
     *
     * 
     The limit parameter controls the number of times the
     * pattern is applied and therefore affects the length of the resulting
     * array.  If the limit n is greater than zero then the pattern
     * will be applied at most n - 1 times, the array's
     * length will be no greater than n, and the array's last entry
     * will contain all input beyond the last matched delimiter.  If n
     * is non-positive then the pattern will be applied as many times as
     * possible and the array can have any length.  If n is zero then
     * the pattern will be applied as many times as possible, the array can
     * have any length, and trailing empty strings will be discarded.
     *
     * 
     The string "boo:and:foo", for example, yields the
     * following results with these parameters:
     *
     * 
    
     * 
     *     
     *     
     *     
     * 
     * 
     *     
     *     
     * 
     *     
     *     
     * 
     *     
     *     
     * 
     *     
     *     
     * 
     *     
     *     
     * 
     *     
     *     
     * 
    RegexLimitResult
    :2{ "boo", "and:foo" }
    :5{ "boo", "and", "foo" }
    :-2{ "boo", "and", "foo" }
    o5{ "b", "", ":and:f", "", "" }
    o-2{ "b", "", ":and:f", "", "" }
    o0{ "b", "", ":and:f" }
    
     *
     * 
     An invocation of this method of the form
     * str.split(regex, n)
     * yields the same result as the expression
     *
     * 
    
     * {@link java.util.regex.Pattern}.{@link java.util.regex.Pattern#compile
     * compile}(regex).{@link
     * java.util.regex.Pattern#split(java.lang.CharSequence,int)
     * split}(str, n)
     * 
    
     *
     *
     * @param  regex
     *         the delimiting regular expression
     *
     * @param  limit
     *         the result threshold, as described above
     *
     * @return  the array of strings computed by splitting this string
     *          around matches of the given regular expression
     *
     * @throws  PatternSyntaxException
     *          if the regular expression's syntax is invalid
     *
     * @see java.util.regex.Pattern
     *
     * @since 1.4
     * @spec JSR-51
     */
    public String[] split(String regex, int limit) {
	return Pattern.compile(regex).split(this, limit);
    }

    /**
     * Splits this string around matches of the given regular expression.
     *
     * 
     This method works as if by invoking the two-argument {@link
     * #split(String, int) split} method with the given expression and a limit
     * argument of zero.  Trailing empty strings are therefore not included in
     * the resulting array.
     *
     * 
     The string "boo:and:foo", for example, yields the following
     * results with these expressions:
     *
     * 
    
     * 
     *  
     *  
     * 
     * 
     *     
     * 
     *     
     * 
    RegexResult
    :{ "boo", "and", "foo" }
    o{ "b", "", ":and:f" }
    
     *
     *
     * @param  regex
     *         the delimiting regular expression
     *
     * @return  the array of strings computed by splitting this string
     *          around matches of the given regular expression
     *
     * @throws  PatternSyntaxException
     *          if the regular expression's syntax is invalid
     *
     * @see java.util.regex.Pattern
     *
     * @since 1.4
     * @spec JSR-51
     */
    public String[] split(String regex) {
        return split(regex, 0);
    }

    /**
     * Converts all of the characters in this String to lower
     * case using the rules of the given Locale.  Case mappings rely
     * heavily on the Unicode specification's character data. Since case
     * mappings are not always 1:1 char mappings, the resulting String
     * may be a different length than the original String.
     * 
    
     * Examples of lowercase  mappings are in the following table:
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
    Language Code of LocaleUpper CaseLower CaseDescription
    tr (Turkish)\u0130\u0069capital letter I with dot above -> small letter i
    tr (Turkish)\u0049\u0131capital letter I -> small letter dotless i 
    (all)French Friesfrench frieslowercased all chars in String
    (all)capiotacapchi
     *       capthetacapupsil
     *       capsigmaiotachi
     *       thetaupsilon
     *       sigmalowercased all chars in String
    
     *
     * @param locale use the case transformation rules for this locale
     * @return the String, converted to lowercase.
     * @see     java.lang.String#toLowerCase()
     * @see     java.lang.String#toUpperCase()
     * @see     java.lang.String#toUpperCase(Locale)
     * @since   1.1
     */
    /*KML
    public String toLowerCase(Locale locale) {
	if (locale == null)
	    throw new NullPointerException();
	
        int     len        = count;
        int     off        = offset;
        char[]  val        = value;
        int     firstUpper;

	/* Now check if there are any characters that need to be changed. *KML/
	scan: {
	    for (firstUpper = 0 ; firstUpper < len ; firstUpper++) {
		char c = value[off+firstUpper];
		if (c != Character.toLowerCase(c)) {break scan;}
	    }
	    return this;
	}

        char[]  result = new char[count];

        /* Just copy the first few lowerCase characters. *KML/
        System.arraycopy(val, off, result, 0, firstUpper);

        if (locale.getLanguage().equals("tr")) {
            // special loop for Turkey
            for (int i = firstUpper; i < len; ++i) {
                char ch = val[off+i];
                if (ch == 'I') {
                    result[i] = '\u0131'; // dotless small i
                    continue;
                }
                if (ch == '\u0130') {       // dotted I
                    result[i] = 'i';      // dotted i
                    continue;
                }
                result[i] = Character.toLowerCase(ch);
            }
        } else {
            // normal, fast loop
            for (int i = firstUpper; i < len; ++i) {
                result[i] = Character.toLowerCase(val[off+i]);
            }
        }
        return new String(0, result.length, result);
    }
    KML*/

    /**
     * Converts all of the characters in this String to lower
     * case using the rules of the default locale. This is equivalent to calling
     * toLowerCase(Locale.getDefault()).
     * 
    
     * @return  the String, converted to lowercase.
     * @see     java.lang.String#toLowerCase(Locale)
     */
    public String toLowerCase() {
        return toLowerCase(Locale.getDefault());
    }

    /**
     * Converts all of the characters in this String to upper
     * case using the rules of the given Locale. Case mappings rely
     * heavily on the Unicode specification's character data. Since case mappings
     * are not always 1:1 char mappings, the resulting String may
     * be a different length than the original String.
     * 
    
     * Examples of locale-sensitive and 1:M case mappings are in the following table.
     * 
    
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
     *   
     *   
     *   
     *   
     * 
     * 
    Language Code of LocaleLower CaseUpper CaseDescription
    tr (Turkish)\u0069\u0130small letter i -> capital letter I with dot above
    tr (Turkish)\u0131\u0049small letter dotless i -> capital letter I
    (all)\u00df\u0053 \u0053small letter sharp s -> two letters: SS
    (all)FahrvergnügenFAHRVERGNÜGEN
    
     * @param locale use the case transformation rules for this locale
     * @return the String, converted to uppercase.
     * @see     java.lang.String#toUpperCase()
     * @see     java.lang.String#toLowerCase()
     * @see     java.lang.String#toLowerCase(Locale)
     * @since   1.1
     */
    /*KML
    public String toUpperCase(Locale locale) {
        int     len        = count;
        int     off        = offset;
        char[]  val        = value;
        int     firstLower;

        /* Now check if there are any characters that need changing. *KML/
        scan: {
            char upperCaseChar;
            char c;
            for (firstLower = 0 ; firstLower < len ; firstLower++) {
                c = value[off+firstLower];
                upperCaseChar = Character.toUpperCaseEx(c);
                if (upperCaseChar == Character.CHAR_ERROR || c != upperCaseChar) {
                    break scan;
                }
            }
            return this;
        }

        char[]  result       = new char[len]; /* might grow! *KML/
	int     resultOffset = 0;  /* result grows, so i+resultOffset
				    * is the write location in result *KML/

	/* Just copy the first few upperCase characters. *KML/
	System.arraycopy(val, off, result, 0, firstLower);

        if (locale.getLanguage().equals("tr")) {
            // special loop for Turkey
            char[] upperCharArray;
            char upperChar;
            char ch;

            for (int i = firstLower; i < len; ++i) {
                ch = val[off+i];
                if (ch == 'i') {
                    result[i+resultOffset] = '\u0130';  // dotted cap i
                    continue;
                }
                if (ch == '\u0131') {                   // dotless i
                    result[i+resultOffset] = 'I';       // cap I
                    continue;
                }
                upperChar = Character.toUpperCaseEx(ch);
                if (upperChar == Character.CHAR_ERROR) {
                    upperCharArray = Character.toUpperCaseCharArray(ch);
                    /* Grow result. *KML/
                    int mapLen = upperCharArray.length;
                    char[] result2 = new char[result.length + mapLen - 1];
                    System.arraycopy(result, 0, result2, 0,
                        i + 1 + resultOffset);
                    for (int x=0; xString to upper
     * case using the rules of the default locale. This method is equivalent to
     * toUpperCase(Locale.getDefault()).
     * 
    
     * @return  the String, converted to uppercase.
     * @see     java.lang.String#toUpperCase(Locale)
     */
    public String toUpperCase() {
        return toUpperCase(Locale.getDefault());
    }

    /**
     * Returns a copy of the string, with leading and trailing whitespace
     * omitted.
     * 
    
     * If this String object represents an empty character
     * sequence, or the first and last characters of character sequence
     * represented by this String object both have codes
     * greater than '\u0020' (the space character), then a
     * reference to this String object is returned.
     * 
    
     * Otherwise, if there is no character with a code greater than
     * '\u0020' in the string, then a new
     * String object representing an empty string is created
     * and returned.
     * 
    
     * Otherwise, let k be the index of the first character in the
     * string whose code is greater than '\u0020', and let
     * m be the index of the last character in the string whose code
     * is greater than '\u0020'. A new String
     * object is created, representing the substring of this string that
     * begins with the character at index k and ends with the
     * character at index m-that is, the result of
     * this.substring(km+1).
     * 
    
     * This method may be used to trim
     * {@link Character#isSpace(char) whitespace} from the beginning and end
     * of a string; in fact, it trims all ASCII control characters as well.
     *
     * @return  A copy of this string with leading and trailing white
     *          space removed, or this string if it has no leading or
     *          trailing white space.
     */
    public String trim() {
	int len = count;
	int st = 0;
	int off = offset;      /* avoid getfield opcode */
	char[] val = value;    /* avoid getfield opcode */

	while ((st < len) && (val[off + st] <= ' ')) {
	    st++;
	}
	while ((st < len) && (val[off + len - 1] <= ' ')) {
	    len--;
	}
	return ((st > 0) || (len < count)) ? substring(st, len) : this;
    }

    /**
     * This object (which is already a string!) is itself returned.
     *
     * @return  the string itself.
     */
    public String toString() {
	return this;
    }

    /**
     * Converts this string to a new character array.
     *
     * @return  a newly allocated character array whose length is the length
     *          of this string and whose contents are initialized to contain
     *          the character sequence represented by this string.
     */
    public char[] toCharArray() {
	char result[] = new char[count];
	getChars(0, count, result, 0);
	return result;
    }

    /**
     * Returns the string representation of the Object argument.
     *
     * @param   obj   an Object.
     * @return  if the argument is null, then a string equal to
     *          "null"; otherwise, the value of
     *          obj.toString() is returned.
     * @see     java.lang.Object#toString()
     */
    public static String valueOf(Object obj) {
	return (obj == null) ? "null" : obj.toString();
    }

    /**
     * Returns the string representation of the char array
     * argument. The contents of the character array are copied; subsequent
     * modification of the character array does not affect the newly
     * created string.
     *
     * @param   data   a char array.
     * @return  a newly allocated string representing the same sequence of
     *          characters contained in the character array argument.
     */
    public static String valueOf(char data[]) {
	return new String(data);
    }

    /**
     * Returns the string representation of a specific subarray of the
     * char array argument.
     * 
    
     * The offset argument is the index of the first
     * character of the subarray. The count argument
     * specifies the length of the subarray. The contents of the subarray
     * are copied; subsequent modification of the character array does not
     * affect the newly created string.
     *
     * @param   data     the character array.
     * @param   offset   the initial offset into the value of the
     *                  String.
     * @param   count    the length of the value of the String.
     * @return  a string representing the sequence of characters contained 
     *          in the subarray of the character array argument.
     * @exception IndexOutOfBoundsException if offset is
     *          negative, or count is negative, or
     *          offset+count is larger than
     *          data.length.
     */
    public static String valueOf(char data[], int offset, int count) {
	return new String(data, offset, count);
    }

    /**
     * Returns a String that represents the character sequence in the
     * array specified.
     *
     * @param   data     the character array.
     * @param   offset   initial offset of the subarray.
     * @param   count    length of the subarray.
     * @return  a String that contains the characters of the
     *          specified subarray of the character array.
     */
    public static String copyValueOf(char data[], int offset, int count) {
	// All public String constructors now copy the data.
	return new String(data, offset, count);
    }

    /**
     * Returns a String that represents the character sequence in the
     * array specified.
     *
     * @param   data   the character array.
     * @return  a String that contains the characters of the
     *          character array.
     */
    public static String copyValueOf(char data[]) {
	return copyValueOf(data, 0, data.length);
    }

    /**
     * Returns the string representation of the boolean argument.
     *
     * @param   b   a boolean.
     * @return  if the argument is true, a string equal to
     *          "true" is returned; otherwise, a string equal to
     *          "false" is returned.
     */
    public static String valueOf(boolean b) {
	return b ? "true" : "false";
    }

    /**
     * Returns the string representation of the char
     * argument.
     *
     * @param   c   a char.
     * @return  a string of length 1 containing
     *          as its single character the argument c.
     */
    public static String valueOf(char c) {
	char data[] = {c};
	return new String(0, 1, data);
    }

    /**
     * Returns the string representation of the int argument.
     * 
    
     * The representation is exactly the one returned by the
     * Integer.toString method of one argument.
     *
     * @param   i   an int.
     * @return  a string representation of the int argument.
     * @see     java.lang.Integer#toString(int, int)
     */
    public static String valueOf(int i) {
        return Integer.toString(i, 10);
    }

    /**
     * Returns the string representation of the long argument.
     * 
    
     * The representation is exactly the one returned by the
     * Long.toString method of one argument.
     *
     * @param   l   a long.
     * @return  a string representation of the long argument.
     * @see     java.lang.Long#toString(long)
     */
    public static String valueOf(long l) {
        return Long.toString(l, 10);
    }

    /**
     * Returns the string representation of the float argument.
     * 
    
     * The representation is exactly the one returned by the
     * Float.toString method of one argument.
     *
     * @param   f   a float.
     * @return  a string representation of the float argument.
     * @see     java.lang.Float#toString(float)
     */
    public static String valueOf(float f) {
	return Float.toString(f);
    }

    /**
     * Returns the string representation of the double argument.
     * 
    
     * The representation is exactly the one returned by the
     * Double.toString method of one argument.
     *
     * @param   d   a double.
     * @return  a  string representation of the double argument.
     * @see     java.lang.Double#toString(double)
     */
    public static String valueOf(double d) {
	return Double.toString(d);
    }

    /**
     * Returns a canonical representation for the string object.
     * 
    
     * A pool of strings, initially empty, is maintained privately by the
     * class String.
     * 
    
     * When the intern method is invoked, if the pool already contains a
     * string equal to this String object as determined by
     * the {@link #equals(Object)} method, then the string from the pool is
     * returned. Otherwise, this String object is added to the
     * pool and a reference to this String object is returned.
     * 
    
     * It follows that for any two strings s and t,
     * s.intern() == t.intern() is true
     * if and only if s.equals(t) is true.
     * 
    
     * All literal strings and string-valued constant expressions are
     * interned. String literals are defined in §3.10.5 of the
     * Java Language
     * Specification
     *
     * @return  a string that has the same contents as this string, but is
     *          guaranteed to be from a pool of unique strings.
     */
    public native String intern();

}
why-2.34/lib/java_api/java/lang/Cloneable.java0000644000175000017500000000251112311670312017525 0ustar  rtusers/*
 * @(#)Cloneable.java	1.14 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

/**
 * A class implements the Cloneable interface to 
 * indicate to the {@link java.lang.Object#clone()} method that it 
 * is legal for that method to make a 
 * field-for-field copy of instances of that class. 
 * 
    
 * Invoking Object's clone method on an instance that does not implement the 
 * Cloneable interface results in the exception 
 * CloneNotSupportedException being thrown.
 * 
    
 * By convention, classes that implement this interface should override 
 * Object.clone (which is protected) with a public method.
 * See {@link java.lang.Object#clone()} for details on overriding this
 * method.
 * 
    
 * Note that this interface does not contain the clone method.
 * Therefore, it is not possible to clone an object merely by virtue of the
 * fact that it implements this interface.  Even if the clone method is invoked
 * reflectively, there is no guarantee that it will succeed.
 *
 * @author  unascribed
 * @version 1.14, 01/23/03
 * @see     java.lang.CloneNotSupportedException
 * @see     java.lang.Object#clone()
 * @since   JDK1.0
 */
public interface Cloneable { 
}
why-2.34/lib/java_api/java/lang/System.java0000644000175000017500000011225612311670312017135 0ustar  rtusers/*
 * @(#)System.java	1.131 03/01/29
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;

import java.io.*;
//KML import java.util.Properties;
//KML import java.util.PropertyPermission;
//KML import java.util.StringTokenizer;
//KML import java.security.AccessController;
//KML import java.security.PrivilegedAction;
//KML import java.security.AllPermission;
//KML import sun.net.InetAddressCachePolicy;
//KML import sun.reflect.Reflection;
//KML import sun.security.util.SecurityConstants;

/**
 * The System class contains several useful class fields
 * and methods. It cannot be instantiated.
 * 
    
 * Among the facilities provided by the System class
 * are standard input, standard output, and error output streams;
 * access to externally defined "properties"; a means of
 * loading files and libraries; and a utility method for quickly
 * copying a portion of an array.
 *
 * @author  Arthur van Hoff
 * @version 1.131, 01/29/03
 * @since   JDK1.0
 */
public final class System {

    /* First thing---register the natives */
    private static native void registerNatives();
    static {
        registerNatives();
    }

    /** Don't let anyone instantiate this class */
    private System() {
    }

    /**
     * The "standard" input stream. This stream is already
     * open and ready to supply input data. Typically this stream
     * corresponds to keyboard input or another input source specified by
     * the host environment or user.
     */
    public final static InputStream in = nullInputStream();

    /**
     * The "standard" output stream. This stream is already
     * open and ready to accept output data. Typically this stream
     * corresponds to display output or another output destination
     * specified by the host environment or user.
     * 
    
     * For simple stand-alone Java applications, a typical way to write
     * a line of output data is:
     * 
         *     System.out.println(data)
     * 
    
     * 
    
     * See the println methods in class PrintStream.
     *
     * @see     java.io.PrintStream#println()
     * @see     java.io.PrintStream#println(boolean)
     * @see     java.io.PrintStream#println(char)
     * @see     java.io.PrintStream#println(char[])
     * @see     java.io.PrintStream#println(double)
     * @see     java.io.PrintStream#println(float)
     * @see     java.io.PrintStream#println(int)
     * @see     java.io.PrintStream#println(long)
     * @see     java.io.PrintStream#println(java.lang.Object)
     * @see     java.io.PrintStream#println(java.lang.String)
     */
    public final static PrintStream out = nullPrintStream();

    /**
     * The "standard" error output stream. This stream is already
     * open and ready to accept output data.
     * 
    
     * Typically this stream corresponds to display output or another
     * output destination specified by the host environment or user. By
     * convention, this output stream is used to display error messages
     * or other information that should come to the immediate attention
     * of a user even if the principal output stream, the value of the
     * variable out, has been redirected to a file or other
     * destination that is typically not continuously monitored.
     */
    public final static PrintStream err = nullPrintStream();

    /* The security manager for the system.
     */
    //KML private static SecurityManager security = null;

    /**
     * Reassigns the "standard" input stream.
     *
     * 
    First, if there is a security manager, its checkPermission
     * method is called with a RuntimePermission("setIO") permission
     *  to see if it's ok to reassign the "standard" input stream.
     * 
    
     *
     * @param in the new standard input stream.
     *
     * @throws SecurityException
     *        if a security manager exists and its
     *        checkPermission method doesn't allow
     *        reassigning of the standard input stream.
     *
     * @see SecurityManager#checkPermission
     * @see java.lang.RuntimePermission
     *
     * @since   JDK1.1
     */
    /*KML
    public static void setIn(InputStream in) {
	checkIO();
	setIn0(in);
    }
    KML*/

    /**
     * Reassigns the "standard" output stream.
     *
     * 
    First, if there is a security manager, its checkPermission
     * method is called with a RuntimePermission("setIO") permission
     *  to see if it's ok to reassign the "standard" output stream.
     *
     * @param out the new standard output stream
     *
     * @throws SecurityException
     *        if a security manager exists and its
     *        checkPermission method doesn't allow
     *        reassigning of the standard output stream.
     *
     * @see SecurityManager#checkPermission
     * @see java.lang.RuntimePermission
     *
     * @since   JDK1.1
     */
    public static void setOut(PrintStream out) {
	checkIO();
	setOut0(out);
    }

    /**
     * Reassigns the "standard" error output stream.
     *
     * 
    First, if there is a security manager, its checkPermission
     * method is called with a RuntimePermission("setIO") permission
     *  to see if it's ok to reassign the "standard" error output stream.
     *
     * @param err the new standard error output stream.
     *
     * @throws SecurityException
     *        if a security manager exists and its
     *        checkPermission method doesn't allow
     *        reassigning of the standard error output stream.
     *
     * @see SecurityManager#checkPermission
     * @see java.lang.RuntimePermission
     *
     * @since   JDK1.1
     */
    public static void setErr(PrintStream err) {
	checkIO();
	setErr0(err);
    }

    private static void checkIO() {
        if (security != null)
	    security.checkPermission(new RuntimePermission("setIO"));
    }

    //KML private static native void setIn0(InputStream in);
    private static native void setOut0(PrintStream out);
    private static native void setErr0(PrintStream err);

    /**
     * Sets the System security.
     *
     * 
     If there is a security manager already installed, this method first
     * calls the security manager's checkPermission method
     * with a RuntimePermission("setSecurityManager")
     * permission to ensure it's ok to replace the existing
     * security manager.
     * This may result in throwing a SecurityException.
     *
     * 
     Otherwise, the argument is established as the current
     * security manager. If the argument is null and no
     * security manager has been established, then no action is taken and
     * the method simply returns.
     *
     * @param      s   the security manager.
     * @exception  SecurityException  if the security manager has already
     *             been set and its checkPermission method
     *             doesn't allow it to be replaced.
     * @see #getSecurityManager
     * @see SecurityManager#checkPermission
     * @see java.lang.RuntimePermission
     */
    /*KML
    public static
    void setSecurityManager(final SecurityManager s) {
        try {
            s.checkPackageAccess("java.lang");
        } catch (Exception e) {
            // no-op
        }
        setSecurityManager0(s);
    }

    private static synchronized
    void setSecurityManager0(final SecurityManager s) {
	if (security != null) {
 	    // ask the currently installed security manager if we
 	    // can replace it.
 	    security.checkPermission(new RuntimePermission
				     ("setSecurityManager"));
	}

	if ((s != null) && (s.getClass().getClassLoader() != null)) {
	    // New security manager class is not on bootstrap classpath.
	    // Cause policy to get initialized before we install the new
	    // security manager, in order to prevent infinite loops when
	    // trying to initialize the policy (which usually involves
	    // accessing some security and/or system properties, which in turn
	    // calls the installed security manager's checkPermission method
	    // which will loop infinitely if there is a non-system class
	    // (in this case: the new security manager class) on the stack).
	    AccessController.doPrivileged(new PrivilegedAction() {
		public Object run() {
		    s.getClass().getProtectionDomain().implies
			(SecurityConstants.ALL_PERMISSION);
		    return null;
		}
	    });
	}

	security = s;
	InetAddressCachePolicy.setIfNotSet(InetAddressCachePolicy.FOREVER);
    }
    KML*/

    /**
     * Gets the system security interface.
     *
     * @return  if a security manager has already been established for the
     *          current application, then that security manager is returned;
     *          otherwise, null is returned.
     * @see     #setSecurityManager
     */
    /*KML
    public static SecurityManager getSecurityManager() {
	return security;
    }
    KML*/

    /**
     * Returns the current time in milliseconds.  Note that
     * while the unit of time of the return value is a millisecond,
     * the granularity of the value depends on the underlying
     * operating system and may be larger.  For example, many
     * operating systems measure time in units of tens of
     * milliseconds.
     *
     * 
     See the description of the class Date for
     * a discussion of slight discrepancies that may arise between
     * "computer time" and coordinated universal time (UTC).
     *
     * @return  the difference, measured in milliseconds, between
     *          the current time and midnight, January 1, 1970 UTC.
     * @see     java.util.Date
     */
    public static native long currentTimeMillis();

    /**
     * Copies an array from the specified source array, beginning at the
     * specified position, to the specified position of the destination array.
     * A subsequence of array components are copied from the source
     * array referenced by src to the destination array
     * referenced by dest. The number of components copied is
     * equal to the length argument. The components at
     * positions srcPos through
     * srcPos+length-1 in the source array are copied into
     * positions destPos through
     * destPos+length-1, respectively, of the destination
     * array.
     * 
    
     * If the src and dest arguments refer to the
     * same array object, then the copying is performed as if the
     * components at positions srcPos through
     * srcPos+length-1 were first copied to a temporary
     * array with length components and then the contents of
     * the temporary array were copied into positions
     * destPos through destPos+length-1 of the
     * destination array.
     * 
    
     * If dest is null, then a
     * NullPointerException is thrown.
     * 
    
     * If src is null, then a
     * NullPointerException is thrown and the destination
     * array is not modified.
     * 
    
     * Otherwise, if any of the following is true, an
     * ArrayStoreException is thrown and the destination is
     * not modified:
     * 
      
     * 
    • The src argument refers to an object that is not an
     *     array.
     * 
    • The dest argument refers to an object that is not an
     *     array.
     * 
    • The src argument and dest argument refer
     *     to arrays whose component types are different primitive types.
     * 
    • The src argument refers to an array with a primitive
     *    component type and the dest argument refers to an array
     *     with a reference component type.
     * 
    • The src argument refers to an array with a reference
     *    component type and the dest argument refers to an array
     *     with a primitive component type.
     * 
    
     * 
    
     * Otherwise, if any of the following is true, an
     * IndexOutOfBoundsException is
     * thrown and the destination is not modified:
     * 
      
     * 
    • The srcPos argument is negative.
     * 
    • The destPos argument is negative.
     * 
    • The length argument is negative.
     * 
    • srcPos+length is greater than
     *     src.length, the length of the source array.
     * 
    • destPos+length is greater than
     *     dest.length, the length of the destination array.
     * 
    
     * 
    
     * Otherwise, if any actual component of the source array from
     * position srcPos through
     * srcPos+length-1 cannot be converted to the component
     * type of the destination array by assignment conversion, an
     * ArrayStoreException is thrown. In this case, let
     * k be the smallest nonnegative integer less than
     * length such that src[srcPos+k]
     * cannot be converted to the component type of the destination
     * array; when the exception is thrown, source array components from
     * positions srcPos through
     * srcPos+k-1
     * will already have been copied to destination array positions
     * destPos through
     * destPos+k-1 and no other
     * positions of the destination array will have been modified.
     * (Because of the restrictions already itemized, this
     * paragraph effectively applies only to the situation where both
     * arrays have component types that are reference types.)
     *
     * @param      src      the source array.
     * @param      srcPos   starting position in the source array.
     * @param      dest     the destination array.
     * @param      destPos  starting position in the destination data.
     * @param      length   the number of array elements to be copied.
     * @exception  IndexOutOfBoundsException  if copying would cause
     *               access of data outside array bounds.
     * @exception  ArrayStoreException  if an element in the src
     *               array could not be stored into the dest array
     *               because of a type mismatch.
     * @exception  NullPointerException if either src or
     *               dest is null.
     */
    public static native void arraycopy(Object src,  int  srcPos,
                                        Object dest, int destPos,
                                        int length);

    /**
     * Returns the same hash code for the given object as
     * would be returned by the default method hashCode(),
     * whether or not the given object's class overrides
     * hashCode().
     * The hash code for the null reference is zero.
     *
     * @param x object for which the hashCode is to be calculated
     * @return  the hashCode
     * @since   JDK1.1
     */
    public static native int identityHashCode(Object x);

    /**
     * System properties. The following properties are guaranteed to be defined:
     * 
    
     * 
    java.version		
    Java version number
     * 
    java.vendor		
    Java vendor specific string
     * 
    java.vendor.url	
    Java vendor URL
     * 
    java.home		
    Java installation directory
     * 
    java.class.version	
    Java class version number
     * 
    java.class.path	
    Java classpath
     * 
    os.name		
    Operating System Name
     * 
    os.arch		
    Operating System Architecture
     * 
    os.version		
    Operating System Version
     * 
    file.separator	
    File separator ("/" on Unix)
     * 
    path.separator	
    Path separator (":" on Unix)
     * 
    line.separator	
    Line separator ("\n" on Unix)
     * 
    user.name		
    User account name
     * 
    user.home		
    User home directory
     * 
    user.dir		
    User's current working directory
     * 
    
     */

    //KML private static Properties props;
    //KML private static native Properties initProperties(Properties props);

    /**
     * Determines the current system properties.
     * 
    
     * First, if there is a security manager, its
     * checkPropertiesAccess method is called with no
     * arguments. This may result in a security exception.
     * 
    
     * The current set of system properties for use by the 
     * {@link #getProperty(String)} method is returned as a 
     * Properties object. If there is no current set of 
     * system properties, a set of system properties is first created and 
     * initialized. This set of system properties always includes values 
     * for the following keys: 
     * 
     * 
     *     
     * 
     *     
     * 
     *     
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
     *     
     * 
    KeyDescription of Associated Value
    java.versionJava Runtime Environment version
    java.vendorJava Runtime Environment vendor
    java.vendor.urlJava vendor URL
    java.homeJava installation directory
    java.vm.specification.versionJava Virtual Machine specification version
    java.vm.specification.vendorJava Virtual Machine specification vendor
    java.vm.specification.nameJava Virtual Machine specification name
    java.vm.versionJava Virtual Machine implementation version
    java.vm.vendorJava Virtual Machine implementation vendor
    java.vm.nameJava Virtual Machine implementation name
    java.specification.versionJava Runtime Environment specification  version
    java.specification.vendorJava Runtime Environment specification  vendor
    java.specification.nameJava Runtime Environment specification  name
    java.class.versionJava class format version number
    java.class.pathJava class path
    java.library.pathList of paths to search when loading libraries
    java.io.tmpdirDefault temp file path
    java.compilerName of JIT compiler to use
    java.ext.dirsPath of extension directory or directories
    os.nameOperating system name
    os.archOperating system architecture
    os.versionOperating system version
    file.separatorFile separator ("/" on UNIX)
    path.separatorPath separator (":" on UNIX)
    line.separatorLine separator ("\n" on UNIX)
    user.nameUser's account name
    user.homeUser's home directory
    user.dirUser's current working directory
    
     * 
    
     * Multiple paths in a system property value are separated by the path
     * separator character of the platform.
     * 
    
     * Note that even if the security manager does not permit the
     * getProperties operation, it may choose to permit the
     * {@link #getProperty(String)} operation.
     *
     * @return     the system properties
     * @exception  SecurityException  if a security manager exists and its
     *             checkPropertiesAccess method doesn't allow access
     *              to the system properties.
     * @see        #setProperties
     * @see        java.lang.SecurityException
     * @see        java.lang.SecurityManager#checkPropertiesAccess()
     * @see        java.util.Properties
     */
    /*KML
    public static Properties getProperties() {
	if (security != null) {
	    security.checkPropertiesAccess();
	}
	return props;
    }
    KML*/

    /**
     * Sets the system properties to the Properties
     * argument.
     * 
    
     * First, if there is a security manager, its
     * checkPropertiesAccess method is called with no
     * arguments. This may result in a security exception.
     * 
    
     * The argument becomes the current set of system properties for use
     * by the {@link #getProperty(String)} method. If the argument is
     * null, then the current set of system properties is
     * forgotten.
     *
     * @param      props   the new system properties.
     * @exception  SecurityException  if a security manager exists and its
     *             checkPropertiesAccess method doesn't allow access
     *              to the system properties.
     * @see        #getProperties
     * @see        java.util.Properties
     * @see        java.lang.SecurityException
     * @see        java.lang.SecurityManager#checkPropertiesAccess()
     */
    /*KML
    public static void setProperties(Properties props) {
	if (security != null) {
	    security.checkPropertiesAccess();
	}
        if (props == null) {
            props = new Properties();
            initProperties(props);
        }
	System.props = props;
    }
    KML*/

    /**
     * Gets the system property indicated by the specified key.
     * 
    
     * First, if there is a security manager, its
     * checkPropertyAccess method is called with the key as
     * its argument. This may result in a SecurityException.
     * 
    
     * If there is no current set of system properties, a set of system
     * properties is first created and initialized in the same manner as
     * for the getProperties method.
     *
     * @param      key   the name of the system property.
     * @return     the string value of the system property,
     *             or null if there is no property with that key.
     *
     * @exception  SecurityException  if a security manager exists and its
     *             checkPropertyAccess method doesn't allow
     *              access to the specified system property.
     * @exception  NullPointerException if key is
     *             null.
     * @exception  IllegalArgumentException if key is empty.
     * @see        #setProperty
     * @see        java.lang.SecurityException
     * @see        java.lang.SecurityManager#checkPropertyAccess(java.lang.String)
     * @see        java.lang.System#getProperties()
     */
    public static String getProperty(String key) {
	if (key == null) {
	    throw new NullPointerException("key can't be null");
	}
	if (key.equals("")) {
	    throw new IllegalArgumentException("key can't be empty");
	}
	if (security != null) {
	    security.checkPropertyAccess(key);
	}
	return props.getProperty(key);
    }

    /**
     * Gets the system property indicated by the specified key.
     * 
    
     * First, if there is a security manager, its
     * checkPropertyAccess method is called with the
     * key as its argument.
     * 
    
     * If there is no current set of system properties, a set of system
     * properties is first created and initialized in the same manner as
     * for the getProperties method.
     *
     * @param      key   the name of the system property.
     * @param      def   a default value.
     * @return     the string value of the system property,
     *             or the default value if there is no property with that key.
     *
     * @exception  SecurityException  if a security manager exists and its
     *             checkPropertyAccess method doesn't allow
     *             access to the specified system property.
     * @exception  NullPointerException if key is
     *             null.
     * @exception  IllegalArgumentException if key is empty.
     * @see        #setProperty
     * @see        java.lang.SecurityManager#checkPropertyAccess(java.lang.String)
     * @see        java.lang.System#getProperties()
     */
    public static String getProperty(String key, String def) {
	if (key == null) {
	    throw new NullPointerException("key can't be null");
	}
	if (key.equals("")) {
	    throw new IllegalArgumentException("key can't be empty");
	}
	if (security != null) {
	    security.checkPropertyAccess(key);
	}
	return props.getProperty(key, def);
    }

    /**
     * Sets the system property indicated by the specified key.
     * 
    
     * First, if a security manager exists, its
     * SecurityManager.checkPermission method
     * is called with a PropertyPermission(key, "write")
     * permission. This may result in a SecurityException being thrown.
     * If no exception is thrown, the specified property is set to the given
     * value.
     * 
    
     *
     * @param      key   the name of the system property.
     * @param      value the value of the system property.
     * @return     the previous value of the system property,
     *             or null if it did not have one.
     *
     * @exception  SecurityException  if a security manager exists and its
     *             checkPermission method doesn't allow
     *             setting of the specified property.
     * @exception  NullPointerException if key is
     *             null.
     * @exception  IllegalArgumentException if key is empty.
     * @see        #getProperty
     * @see        java.lang.System#getProperty(java.lang.String)
     * @see        java.lang.System#getProperty(java.lang.String, java.lang.String)
     * @see        java.util.PropertyPermission
     * @see        SecurityManager#checkPermission
     * @since      1.2
     */
    public static String setProperty(String key, String value) {
	if (key == null) {
	    throw new NullPointerException("key can't be null");
	}
	if (key.equals("")) {
	    throw new IllegalArgumentException("key can't be empty");
	}
	if (security != null)
	    security.checkPermission(new PropertyPermission(key,
		SecurityConstants.PROPERTY_WRITE_ACTION));
	return (String) props.setProperty(key, value);
    }

    /**
     * Gets an environment variable. An environment variable is a
     * system-dependent external variable that has a string value.
     *
     * @deprecated The preferred way to extract system-dependent information
     *             is the system properties of the
     *             java.lang.System.getProperty methods and the
     *             corresponding getTypeName methods of
     *             the Boolean, Integer, and
     *             Long primitive types.  For example:
     * 
         *     String classPath = System.getProperty("java.class.path",".");
     * 
    
     *     if (Boolean.getBoolean("myapp.exper.mode"))
     *         enableExpertCommands();
     * 
    
     *
     * @param  name of the environment variable
     * @return the value of the variable, or null if the variable
     *           is not defined.
     * @see    java.lang.Boolean#getBoolean(java.lang.String)
     * @see    java.lang.Integer#getInteger(java.lang.String)
     * @see    java.lang.Integer#getInteger(java.lang.String, int)
     * @see    java.lang.Integer#getInteger(java.lang.String, java.lang.Integer)
     * @see    java.lang.Long#getLong(java.lang.String)
     * @see    java.lang.Long#getLong(java.lang.String, long)
     * @see    java.lang.Long#getLong(java.lang.String, java.lang.Long)
     * @see    java.lang.System#getProperties()
     * @see    java.lang.System#getProperty(java.lang.String)
     * @see    java.lang.System#getProperty(java.lang.String, java.lang.String)
     */
    public static String getenv(String name) {
	throw new Error("getenv no longer supported, use properties and -D instead: " + name);
    }

    /**
     * Terminates the currently running Java Virtual Machine. The
     * argument serves as a status code; by convention, a nonzero status
     * code indicates abnormal termination.
     * 
    
     * This method calls the exit method in class
     * Runtime. This method never returns normally.
     * 
    
     * The call System.exit(n) is effectively equivalent to
     * the call:
     * 
         * Runtime.getRuntime().exit(n)
     * 
    
     *
     * @param      status   exit status.
     * @throws  SecurityException
     *        if a security manager exists and its checkExit
     *        method doesn't allow exit with the specified status.
     * @see        java.lang.Runtime#exit(int)
     */
    public static void exit(int status) {
	Runtime.getRuntime().exit(status);
    }

    /**
     * Runs the garbage collector.
     * 
    
     * Calling the gc method suggests that the Java Virtual
     * Machine expend effort toward recycling unused objects in order to
     * make the memory they currently occupy available for quick reuse.
     * When control returns from the method call, the Java Virtual
     * Machine has made a best effort to reclaim space from all discarded
     * objects.
     * 
    
     * The call System.gc() is effectively equivalent to the
     * call:
     * 
         * Runtime.getRuntime().gc()
     * 
    
     *
     * @see     java.lang.Runtime#gc()
     */
    public static void gc() {
	Runtime.getRuntime().gc();
    }

    /**
     * Runs the finalization methods of any objects pending finalization.
     * 
    
     * Calling this method suggests that the Java Virtual Machine expend
     * effort toward running the finalize methods of objects
     * that have been found to be discarded but whose finalize
     * methods have not yet been run. When control returns from the
     * method call, the Java Virtual Machine has made a best effort to
     * complete all outstanding finalizations.
     * 
    
     * The call System.runFinalization() is effectively
     * equivalent to the call:
     * 
         * Runtime.getRuntime().runFinalization()
     * 
    
     *
     * @see     java.lang.Runtime#runFinalization()
     */
    public static void runFinalization() {
	Runtime.getRuntime().runFinalization();
    }

    /**
     * Enable or disable finalization on exit; doing so specifies that the
     * finalizers of all objects that have finalizers that have not yet been
     * automatically invoked are to be run before the Java runtime exits.
     * By default, finalization on exit is disabled.
     *
     * 
    If there is a security manager,
     * its checkExit method is first called
     * with 0 as its argument to ensure the exit is allowed.
     * This could result in a SecurityException.
     *
     * @deprecated  This method is inherently unsafe.  It may result in
     * 	    finalizers being called on live objects while other threads are
     *      concurrently manipulating those objects, resulting in erratic
     *	    behavior or deadlock.
     * @param value indicating enabling or disabling of finalization
     * @throws  SecurityException
     *        if a security manager exists and its checkExit
     *        method doesn't allow the exit.
     *
     * @see     java.lang.Runtime#exit(int)
     * @see     java.lang.Runtime#gc()
     * @see     java.lang.SecurityManager#checkExit(int)
     * @since   JDK1.1
     */
    public static void runFinalizersOnExit(boolean value) {
	Runtime.getRuntime().runFinalizersOnExit(value);
    }

    /**
     * Loads a code file with the specified filename from the local file
     * system as a dynamic library. The filename
     * argument must be a complete path name.
     * 
    
     * The call System.load(name) is effectively equivalent
     * to the call:
     * 
         * Runtime.getRuntime().load(name)
     * 
    
     *
     * @param      filename   the file to load.
     * @exception  SecurityException  if a security manager exists and its
     *             checkLink method doesn't allow
     *             loading of the specified dynamic library
     * @exception  UnsatisfiedLinkError  if the file does not exist.
     * @see        java.lang.Runtime#load(java.lang.String)
     * @see        java.lang.SecurityManager#checkLink(java.lang.String)
     */
    public static void load(String filename) {
	Runtime.getRuntime().load0(getCallerClass(), filename);
    }

    /**
     * Loads the system library specified by the libname
     * argument. The manner in which a library name is mapped to the
     * actual system library is system dependent.
     * 
    
     * The call System.loadLibrary(name) is effectively
     * equivalent to the call
     * 
         * Runtime.getRuntime().loadLibrary(name)
     * 
    
     *
     * @param      libname   the name of the library.
     * @exception  SecurityException  if a security manager exists and its
     *             checkLink method doesn't allow
     *             loading of the specified dynamic library
     * @exception  UnsatisfiedLinkError  if the library does not exist.
     * @see        java.lang.Runtime#loadLibrary(java.lang.String)
     * @see        java.lang.SecurityManager#checkLink(java.lang.String)
     */
    public static void loadLibrary(String libname) {
	Runtime.getRuntime().loadLibrary0(getCallerClass(), libname);
    }

    /**
     * Maps a library name into a platform-specific string representing
     * a native library.
     *
     * @param      libname the name of the library.
     * @return     a platform-dependent native library name.
     * @see        java.lang.System#loadLibrary(java.lang.String)
     * @see        java.lang.ClassLoader#findLibrary(java.lang.String)
     * @since      1.2
     */
    public static native String mapLibraryName(String libname);

    /**
     * The following two methods exist because in, out, and err must be
     * initialized to null.  The compiler, however, cannot be permitted to
     * inline access to them, since they are later set to more sensible values
     * by initializeSystemClass().
     */
    private static InputStream nullInputStream() throws NullPointerException;
    /*KML {
	if (currentTimeMillis() > 0)
	    return null;
	throw new NullPointerException();
    }
    KML*/

    private static PrintStream nullPrintStream() throws NullPointerException {
	if (currentTimeMillis() > 0)
	    return null;
	throw new NullPointerException();
    }

    /**
     * Initialize the system class.  Called after thread initialization.
     */
    private static void initializeSystemClass() {
	props = new Properties();
	initProperties(props);
	sun.misc.Version.init();
	FileInputStream fdIn = new FileInputStream(FileDescriptor.in);
	FileOutputStream fdOut = new FileOutputStream(FileDescriptor.out);
	FileOutputStream fdErr = new FileOutputStream(FileDescriptor.err);
	setIn0(new BufferedInputStream(fdIn));
	setOut0(new PrintStream(new BufferedOutputStream(fdOut, 128), true));
	setErr0(new PrintStream(new BufferedOutputStream(fdErr, 128), true));

	// Load the zip library now in order to keep java.util.zip.ZipFile
	// from trying to use itself to load this library later.
	loadLibrary("zip");

        // Currently File.deleteOnExit is built on JVM_Exit, which is a
        // separate mechanism from shutdown hooks. Unfortunately in order to
        // work properly JVM_Exit implicitly requires that Java signal
        // handlers be set up for HUP, TERM, and INT (where available). If
        // File.deleteOnExit were implemented in terms of shutdown hooks this
        // call to Terminator.setup() could be removed.
        Terminator.setup();

	// Set the maximum amount of direct memory.  This value is controlled
	// by the vm option -XX:MaxDirectMemorySize=.  This method acts
	// as an initializer only if it is called before sun.misc.VM.booted().
 	sun.misc.VM.maxDirectMemory();

	// Subsystems that are invoked during initialization can invoke
	// sun.misc.VM.isBooted() in order to avoid doing things that should
	// wait until the application class loader has been set up.
	sun.misc.VM.booted();
    }

    /* returns the class of the caller. */
    /*KML
    static Class getCallerClass() {
        // NOTE use of more generic Reflection.getCallerClass()
        return Reflection.getCallerClass(3);
    }
    KML*/
}
why-2.34/lib/java_api/java/lang/Throwable.java0000644000175000017500000006455112311670312017604 0ustar  rtusers/*
 * @(#)Throwable.java	1.51 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.lang;
import  java.io.*;

/**
 * The Throwable class is the superclass of all errors and
 * exceptions in the Java language. Only objects that are instances of this
 * class (or one of its subclasses) are thrown by the Java Virtual Machine or
 * can be thrown by the Java throw statement. Similarly, only
 * this class or one of its subclasses can be the argument type in a
 * catch clause.
 * 
 * 
    Instances of two subclasses, {@link java.lang.Error} and 
 * {@link java.lang.Exception}, are conventionally used to indicate 
 * that exceptional situations have occurred. Typically, these instances 
 * are freshly created in the context of the exceptional situation so 
 * as to include relevant information (such as stack trace data).
 * 
 * 
    A throwable contains a snapshot of the execution stack of its thread at
 * the time it was created. It can also contain a message string that gives
 * more information about the error. Finally, it can contain a cause:
 * another throwable that caused this throwable to get thrown.  The cause
 * facility is new in release 1.4.  It is also known as the chained
 * exception facility, as the cause can, itself, have a cause, and so on,
 * leading to a "chain" of exceptions, each caused by another.
 *
 * 
    One reason that a throwable may have a cause is that the class that
 * throws it is built atop a lower layered abstraction, and an operation on
 * the upper layer fails due to a failure in the lower layer.  It would be bad
 * design to let the throwable thrown by the lower layer propagate outward, as
 * it is generally unrelated to the abstraction provided by the upper layer.
 * Further, doing so would tie the API of the upper layer to the details of
 * its implementation, assuming the lower layer's exception was a checked
 * exception.  Throwing a "wrapped exception" (i.e., an exception containing a
 * cause) allows the upper layer to communicate the details of the failure to
 * its caller without incurring either of these shortcomings.  It preserves
 * the flexibility to change the implementation of the upper layer without
 * changing its API (in particular, the set of exceptions thrown by its
 * methods).
 *
 * 
    A second reason that a throwable may have a cause is that the method
 * that throws it must conform to a general-purpose interface that does not
 * permit the method to throw the cause directly.  For example, suppose
 * a persistent collection conforms to the {@link java.util.Collection
 * Collection} interface, and that its persistence is implemented atop
 * java.io.  Suppose the internals of the put method 
 * can throw an {@link java.io.IOException IOException}.  The implementation
 * can communicate the details of the IOException to its caller
 * while conforming to the Collection interface by wrapping the
 * IOException in an appropriate unchecked exception.  (The
 * specification for the persistent collection should indicate that it is
 * capable of throwing such exceptions.)
 *
 * 
    A cause can be associated with a throwable in two ways: via a
 * constructor that takes the cause as an argument, or via the
 * {@link #initCause(Throwable)} method.  New throwable classes that
 * wish to allow causes to be associated with them should provide constructors
 * that take a cause and delegate (perhaps indirectly) to one of the
 * Throwable constructors that takes a cause.  For example:
 * 
     *     try {
 *         lowLevelOp();
 *     } catch (LowLevelException le) {
 *         throw new HighLevelException(le);  // Chaining-aware constructor
 *     }
 * 
    
 * Because the initCause method is public, it allows a cause to be
 * associated with any throwable, even a "legacy throwable" whose
 * implementation predates the addition of the exception chaining mechanism to
 * Throwable. For example:
 * 
     *     try {
 *         lowLevelOp();
 *     } catch (LowLevelException le) {
 *         throw (HighLevelException)
                 new HighLevelException().initCause(le);  // Legacy constructor
 *     }
 * 
    
 *
 * 
    Prior to release 1.4, there were many throwables that had their own
 * non-standard exception chaining mechanisms (
 * {@link ExceptionInInitializerError}, {@link ClassNotFoundException},
 * {@link java.lang.reflect.UndeclaredThrowableException},
 * {@link java.lang.reflect.InvocationTargetException}, 
 * {@link java.io.WriteAbortedException},
 * {@link java.security.PrivilegedActionException},
 * {@link java.awt.print.PrinterIOException} and
 * {@link java.rmi.RemoteException}).
 * As of release 1.4, all of these throwables have been retrofitted to 
 * use the standard exception chaining mechanism, while continuing to
 * implement their "legacy" chaining mechanisms for compatibility.
 *
 * 
    Further, as of release 1.4, many general purpose Throwable
 * classes (for example {@link Exception}, {@link RuntimeException},
 * {@link Error}) have been retrofitted with constructors that take
 * a cause.  This was not strictly necessary, due to the existence of the
 * initCause method, but it is more convenient and expressive to
 * delegate to a constructor that takes a cause.
 * 
 * 
    By convention, class Throwable and its subclasses have two
 * constructors, one that takes no arguments and one that takes a
 * String argument that can be used to produce a detail message.
 * Further, those subclasses that might likely have a cause associated with
 * them should have two more constructors, one that takes a
 * Throwable (the cause), and one that takes a
 * String (the detail message) and a Throwable (the
 * cause).
 *
 * 
    Also introduced in release 1.4 is the {@link #getStackTrace()} method,
 * which allows programmatic access to the stack trace information that was
 * previously available only in text form, via the various forms of the
 * {@link #printStackTrace()} method.  This information has been added to the
 * serialized representation of this class so getStackTrace
 * and printStackTrace will operate properly on a throwable that
 * was obtained by deserialization.
 *
 * @author  unascribed
 * @author  Josh Bloch (Added exception chaining and programmatic access to
 *          stack trace in 1.4.)
 * @version 1.51, 01/23/03
 * @since JDK1.0
 */
public class Throwable implements Serializable {
    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = -3042686055658047285L;

    /**
     * Native code saves some indication of the stack backtrace in this slot.
     */
    private transient Object backtrace; 

    /**
     * Specific details about the Throwable.  For example, for
     * FileNotFoundException, this contains the name of
     * the file that could not be found.
     *
     * @serial
     */
    private String detailMessage;

    /**
     * The throwable that caused this throwable to get thrown, or null if this
     * throwable was not caused by another throwable, or if the causative
     * throwable is unknown.  If this field is equal to this throwable itself,
     * it indicates that the cause of this throwable has not yet been
     * initialized.
     *
     * @serial
     * @since 1.4
     */
    private Throwable cause = this;

    /**
     * The stack trace, as returned by {@link #getStackTrace()}.
     *
     * @serial
     * @since 1.4
     */
    //*KML private StackTraceElement[] stackTrace;
    /*
     * This field is lazily initialized on first use or serialization and
     * nulled out when fillInStackTrace is called.
     */

    /**
     * Constructs a new throwable with null as its detail message.
     * The cause is not initialized, and may subsequently be initialized by a
     * call to {@link #initCause}.
     *
     * 
    The {@link #fillInStackTrace()} method is called to initialize
     * the stack trace data in the newly created throwable.
     */
    public Throwable() {
        fillInStackTrace();
    }

    /**
     * Constructs a new throwable with the specified detail message.  The
     * cause is not initialized, and may subsequently be initialized by
     * a call to {@link #initCause}.
     *
     * 
    The {@link #fillInStackTrace()} method is called to initialize
     * the stack trace data in the newly created throwable.
     *
     * @param   message   the detail message. The detail message is saved for 
     *          later retrieval by the {@link #getMessage()} method.
     */
    public Throwable(String message) {
        fillInStackTrace();
        detailMessage = message;
    }

    /**
     * Constructs a new throwable with the specified detail message and
     * cause.  
    Note that the detail message associated with
     * cause is not automatically incorporated in
     * this throwable's detail message.
     *
     * 
    The {@link #fillInStackTrace()} method is called to initialize
     * the stack trace data in the newly created throwable.
     *
     * @param  message the detail message (which is saved for later retrieval
     *         by the {@link #getMessage()} method).
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @since  1.4
     */
    public Throwable(String message, Throwable cause) {
        fillInStackTrace();
        detailMessage = message;
        this.cause = cause;
    }

    /**
     * Constructs a new throwable with the specified cause and a detail
     * message of (cause==null ? null : cause.toString()) (which
     * typically contains the class and detail message of cause).
     * This constructor is useful for throwables that are little more than
     * wrappers for other throwables (for example, {@link
     * java.security.PrivilegedActionException}).
     *
     * 
    The {@link #fillInStackTrace()} method is called to initialize
     * the stack trace data in the newly created throwable.
     *
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @since  1.4
     */
    public Throwable(Throwable cause) {
        fillInStackTrace();
        detailMessage = (cause==null ? null : cause.toString());
        this.cause = cause;
    }

    /**
     * Returns the detail message string of this throwable.
     *
     * @return  the detail message string of this Throwable instance
     *          (which may be null).
     */
    public String getMessage() {
        return detailMessage;
    }

    /**
     * Creates a localized description of this throwable.
     * Subclasses may override this method in order to produce a
     * locale-specific message.  For subclasses that do not override this
     * method, the default implementation returns the same result as
     * getMessage().
     *
     * @return  The localized description of this throwable.
     * @since   JDK1.1
     */
    public String getLocalizedMessage() {
        return getMessage();
    }

    /**
     * Returns the cause of this throwable or null if the
     * cause is nonexistent or unknown.  (The cause is the throwable that
     * caused this throwable to get thrown.)
     *
     * 
    This implementation returns the cause that was supplied via one of
     * the constructors requiring a Throwable, or that was set after
     * creation with the {@link #initCause(Throwable)} method.  While it is
     * typically unnecessary to override this method, a subclass can override
     * it to return a cause set by some other means.  This is appropriate for
     * a "legacy chained throwable" that predates the addition of chained
     * exceptions to Throwable.  Note that it is not
     * necessary to override any of the PrintStackTrace methods,
     * all of which invoke the getCause method to determine the
     * cause of a throwable.
     *
     * @return  the cause of this throwable or null if the
     *          cause is nonexistent or unknown.
     * @since 1.4
     */
    public Throwable getCause() {
        return (cause==this ? null : cause);
    }

    /**
     * Initializes the cause of this throwable to the specified value.
     * (The cause is the throwable that caused this throwable to get thrown.) 
     *
     * 
    This method can be called at most once.  It is generally called from 
     * within the constructor, or immediately after creating the
     * throwable.  If this throwable was created
     * with {@link #Throwable(Throwable)} or
     * {@link #Throwable(String,Throwable)}, this method cannot be called
     * even once.
     *
     * @param  cause the cause (which is saved for later retrieval by the
     *         {@link #getCause()} method).  (A null value is
     *         permitted, and indicates that the cause is nonexistent or
     *         unknown.)
     * @return  a reference to this Throwable instance.
     * @throws IllegalArgumentException if cause is this
     *         throwable.  (A throwable cannot be its own cause.)
     * @throws IllegalStateException if this throwable was
     *         created with {@link #Throwable(Throwable)} or
     *         {@link #Throwable(String,Throwable)}, or this method has already
     *         been called on this throwable.
     * @since  1.4
     */
    public synchronized Throwable initCause(Throwable cause) {
        if (this.cause != this)
            throw new IllegalStateException("Can't overwrite cause");
        if (cause == this)
            throw new IllegalArgumentException("Self-causation not permitted");
        this.cause = cause;
        return this;
    }

    /**
     * Returns a short description of this throwable.
     * If this Throwable object was created with a non-null detail
     * message string, then the result is the concatenation of three strings: 
     * 
      
     * 
    • The name of the actual class of this object 
     * 
    • ": " (a colon and a space)
     * 
    • The result of the {@link #getMessage} method for this object 
     * 
    
     * If this Throwable object was created with a null
     * detail message string, then the name of the actual class of this object
     * is returned. 
     *
     * @return a string representation of this throwable.
     */
    public String toString() {
        String s = getClass().getName();
        String message = getLocalizedMessage();
        return (message != null) ? (s + ": " + message) : s;
    }

    /**
     * Prints this throwable and its backtrace to the 
     * standard error stream. This method prints a stack trace for this 
     * Throwable object on the error output stream that is 
     * the value of the field System.err. The first line of 
     * output contains the result of the {@link #toString()} method for 
     * this object.  Remaining lines represent data previously recorded by 
     * the method {@link #fillInStackTrace()}. The format of this 
     * information depends on the implementation, but the following 
     * example may be regarded as typical: 
     * 
         * java.lang.NullPointerException
     *         at MyClass.mash(MyClass.java:9)
     *         at MyClass.crunch(MyClass.java:6)
     *         at MyClass.main(MyClass.java:3)
     * 
    
     * This example was produced by running the program: 
     * 
         * class MyClass {
     *     public static void main(String[] args) {
     *         crunch(null);
     *     }
     *     static void crunch(int[] a) {
     *         mash(a);
     *     }
     *     static void mash(int[] b) {
     *         System.out.println(b[0]);
     *     }
     * }
     * 
    
     * The backtrace for a throwable with an initialized, non-null cause
     * should generally include the backtrace for the cause.  The format
     * of this information depends on the implementation, but the following
     * example may be regarded as typical:
     * 
         * HighLevelException: MidLevelException: LowLevelException
     *         at Junk.a(Junk.java:13)
     *         at Junk.main(Junk.java:4)
     * Caused by: MidLevelException: LowLevelException
     *         at Junk.c(Junk.java:23)
     *         at Junk.b(Junk.java:17)
     *         at Junk.a(Junk.java:11)
     *         ... 1 more
     * Caused by: LowLevelException
     *         at Junk.e(Junk.java:30)
     *         at Junk.d(Junk.java:27)
     *         at Junk.c(Junk.java:21)
     *         ... 3 more
     * 
    
     * Note the presence of lines containing the characters "...".
     * These lines indicate that the remainder of the stack trace for this
     * exception matches the indicated number of frames from the bottom of the
     * stack trace of the exception that was caused by this exception (the
     * "enclosing" exception).  This shorthand can greatly reduce the length
     * of the output in the common case where a wrapped exception is thrown
     * from same method as the "causative exception" is caught.  The above
     * example was produced by running the program:
     * 
         * public class Junk {
     *     public static void main(String args[]) { 
     *         try {
     *             a();
     *         } catch(HighLevelException e) {
     *             e.printStackTrace();
     *         }
     *     }
     *     static void a() throws HighLevelException {
     *         try {
     *             b();
     *         } catch(MidLevelException e) {
     *             throw new HighLevelException(e);
     *         }
     *     }
     *     static void b() throws MidLevelException {
     *         c();
     *     }   
     *     static void c() throws MidLevelException {
     *         try {
     *             d();
     *         } catch(LowLevelException e) {
     *             throw new MidLevelException(e);
     *         }
     *     }
     *     static void d() throws LowLevelException { 
     *        e();
     *     }
     *     static void e() throws LowLevelException {
     *         throw new LowLevelException();
     *     }
     * }
     *
     * class HighLevelException extends Exception {
     *     HighLevelException(Throwable cause) { super(cause); }
     * }
     *
     * class MidLevelException extends Exception {
     *     MidLevelException(Throwable cause)  { super(cause); }
     * }
     * 
     * class LowLevelException extends Exception {
     * }
     * 
    
     */
    public void printStackTrace() { 
        printStackTrace(System.err);
    }

    /**
     * Prints this throwable and its backtrace to the specified print stream.
     *
     * @param s PrintStream to use for output
     */
    public void printStackTrace(PrintStream s) {
        synchronized (s) {
            s.println(this);
            StackTraceElement[] trace = getOurStackTrace();
            for (int i=0; i < trace.length; i++)
                s.println("\tat " + trace[i]);

            Throwable ourCause = getCause();
            if (ourCause != null)
                ourCause.printStackTraceAsCause(s, trace);
        }
    }

    /**
     * Print our stack trace as a cause for the specified stack trace.
     */
    /*KML
    private void printStackTraceAsCause(PrintStream s,
                                        StackTraceElement[] causedTrace)
    {
        // assert Thread.holdsLock(s);

        // Compute number of frames in common between this and caused
        StackTraceElement[] trace = getOurStackTrace();
        int m = trace.length-1, n = causedTrace.length-1;
        while (m >= 0 && n >=0 && trace[m].equals(causedTrace[n])) {
            m--; n--;
        }
        int framesInCommon = trace.length - 1 - m;

        s.println("Caused by: " + this);
        for (int i=0; i <= m; i++)
            s.println("\tat " + trace[i]);
        if (framesInCommon != 0)
            s.println("\t... " + framesInCommon + " more");

        // Recurse if we have a cause
        Throwable ourCause = getCause();
        if (ourCause != null)
            ourCause.printStackTraceAsCause(s, trace);
    }
    KML*/

    /**
     * Prints this throwable and its backtrace to the specified
     * print writer.
     *
     * @param s PrintWriter to use for output
     * @since   JDK1.1
     */
    /*KML
    public void printStackTrace(PrintWriter s) { 
        synchronized (s) {
            s.println(this);
            StackTraceElement[] trace = getOurStackTrace();
            for (int i=0; i < trace.length; i++)
                s.println("\tat " + trace[i]);

            Throwable ourCause = getCause();
            if (ourCause != null)
                ourCause.printStackTraceAsCause(s, trace);
        }
    }
    KML*/

    /**
     * Print our stack trace as a cause for the specified stack trace.
     */
    /*KML
    private void printStackTraceAsCause(PrintWriter s,
                                        StackTraceElement[] causedTrace)
    {
        // assert Thread.holdsLock(s);

        // Compute number of frames in common between this and caused
        StackTraceElement[] trace = getOurStackTrace();
        int m = trace.length-1, n = causedTrace.length-1;
        while (m >= 0 && n >=0 && trace[m].equals(causedTrace[n])) {
            m--; n--;
        }
        int framesInCommon = trace.length - 1 - m;

        s.println("Caused by: " + this);
        for (int i=0; i <= m; i++)
            s.println("\tat " + trace[i]);
        if (framesInCommon != 0)
            s.println("\t... " + framesInCommon + " more");

        // Recurse if we have a cause
        Throwable ourCause = getCause();
        if (ourCause != null)
            ourCause.printStackTraceAsCause(s, trace);
    }
    KML*/

    /**
     * Fills in the execution stack trace. This method records within this 
     * Throwable object information about the current state of 
     * the stack frames for the current thread.
     *
     * @return  a reference to this Throwable instance.
     * @see     java.lang.Throwable#printStackTrace()
     */
    public synchronized native Throwable fillInStackTrace();

    /**
     * Provides programmatic access to the stack trace information printed by
     * {@link #printStackTrace()}.  Returns an array of stack trace elements,
     * each representing one stack frame.  The zeroth element of the array
     * (assuming the array's length is non-zero) represents the top of the
     * stack, which is the last method invocation in the sequence.  Typically,
     * this is the point at which this throwable was created and thrown.
     * The last element of the array (assuming the array's length is non-zero)
     * represents the bottom of the stack, which is the first method invocation
     * in the sequence.
     *
     * 
    Some virtual machines may, under some circumstances, omit one
     * or more stack frames from the stack trace.  In the extreme case,
     * a virtual machine that has no stack trace information concerning
     * this throwable is permitted to return a zero-length array from this
     * method.  Generally speaking, the array returned by this method will
     * contain one element for every frame that would be printed by
     * printStackTrace.
     *
     * @return an array of stack trace elements representing the stack trace
     *         pertaining to this throwable.
     * @since  1.4
     */
    /*KML
    public StackTraceElement[] getStackTrace() {
        return (StackTraceElement[]) getOurStackTrace().clone();
    }
    KML*/

    /*KML
    private synchronized StackTraceElement[] getOurStackTrace() {
        // Initialize stack trace if this is the first call to this method
        if (stackTrace == null) {
            int depth = getStackTraceDepth();
            stackTrace = new StackTraceElement[depth];
            for (int i=0; i < depth; i++)
                stackTrace[i] = getStackTraceElement(i);
        }
        return stackTrace;
    }
    KML*/

    /**
     * Sets the stack trace elements that will be returned by
     * {@link #getStackTrace()} and printed by {@link #printStackTrace()}
     * and related methods.
     *
     * This method, which is designed for use by RPC frameworks and other
     * advanced systems, allows the client to override the default
     * stack trace that is either generated by {@link #fillInStackTrace()}
     * when a throwable is constructed or deserialized when a throwable is
     * read from a serialization stream.
     *
     * @param   stackTrace the stack trace elements to be associated with
     * this Throwable.  The specified array is copied by this
     * call; changes in the specified array after the method invocation
     * returns will have no affect on this Throwable's stack
     * trace.
     *
     * @throws NullPointerException if stackTrace is
     *         null, or if any of the elements of
     *         stackTrace are null
     *
     * @since  1.4
     */
    /*KML
    public void setStackTrace(StackTraceElement[] stackTrace) {
        StackTraceElement[] defensiveCopy =
            (StackTraceElement[]) stackTrace.clone();
        for (int i = 0; i < defensiveCopy.length; i++)
            if (defensiveCopy[i] == null)
                throw new NullPointerException("stackTrace[" + i + "]");

        this.stackTrace = defensiveCopy;
    }
    KML*/

    /**
     * Returns the number of elements in the stack trace (or 0 if the stack
     * trace is unavailable).
     */
    private native int getStackTraceDepth();

    /**
     * Returns the specified element of the stack trace.
     *
     * @param index index of the element to return.
     * @throws IndexOutOfBoundsException if index %lt; 0 ||
     *         index >= getStackTraceDepth() 
     */
    /*KML
    private native StackTraceElement getStackTraceElement(int index);
    KML*/

    /*KML
    private synchronized void writeObject(java.io.ObjectOutputStream s)
        throws IOException
    {
        getOurStackTrace();  // Ensure that stackTrace field is initialized.
        s.defaultWriteObject();
    }
    KML*/

}
why-2.34/lib/java_api/java/io/0000755000175000017500000000000012311670312014465 5ustar  rtuserswhy-2.34/lib/java_api/java/io/InputStreamReader.java0000644000175000017500000001314412311670312020731 0ustar  rtusers/*
 * @(#)InputStreamReader.java	1.43 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/*KML
import java.nio.charset.Charset;
import java.nio.charset.CharsetDecoder;
import sun.nio.cs.StreamDecoder;
KML*/

/**
 * An InputStreamReader is a bridge from byte streams to character streams: It
 * reads bytes and decodes them into characters using a specified {@link
 * java.nio.charset.Charset charset}.  The charset that it uses
 * may be specified by name or may be given explicitly, or the platform's
 * default charset may be accepted.
 *
 * 
     Each invocation of one of an InputStreamReader's read() methods may
 * cause one or more bytes to be read from the underlying byte-input stream.
 * To enable the efficient conversion of bytes to characters, more bytes may
 * be read ahead from the underlying stream than are necessary to satisfy the
 * current read operation.
 *
 * 
     For top efficiency, consider wrapping an InputStreamReader within a
 * BufferedReader.  For example:
 *
 * 
     * BufferedReader in
 *   = new BufferedReader(new InputStreamReader(System.in));
 * 
    
 *
 * @see BufferedReader
 * @see InputStream
 * @see java.nio.charset.Charset
 *
 * @version     1.43, 03/01/23
 * @author      Mark Reinhold
 * @since       JDK1.1
 */

public class InputStreamReader extends Reader {

    //KML private final StreamDecoder sd;

    /**
     * Create an InputStreamReader that uses the default charset.
     *
     * @param  in   An InputStream
     */
    public InputStreamReader(InputStream in) {
	super(in);
        try {
	    sd = StreamDecoder.forInputStreamReader(in, this, (String)null); // ## check lock object
        } catch (UnsupportedEncodingException e) {
	    // The default encoding should always be available
	    throw new Error(e);
	}
    }

    /**
     * Create an InputStreamReader that uses the named charset.
     *
     * @param  in
     *         An InputStream
     *
     * @param  charsetName
     *         The name of a supported
     *         {@link java.nio.charset.Charset charset}
     *
     * @exception  UnsupportedEncodingException
     *             If the named charset is not supported
     */
    public InputStreamReader(InputStream in, String charsetName)
        throws UnsupportedEncodingException
    {
	super(in);
	if (charsetName == null)
	    throw new NullPointerException("charsetName");
	sd = StreamDecoder.forInputStreamReader(in, this, charsetName);
    }

    /**
     * Create an InputStreamReader that uses the given charset. 
    
     *
     * @param  in       An InputStream
     * @param  cs       A charset
     *
     * @since 1.4
     * @spec JSR-51
     */
    /*KML
      public InputStreamReader(InputStream in, Charset cs) {
        super(in);
	if (cs == null)
	    throw new NullPointerException("charset");
	sd = StreamDecoder.forInputStreamReader(in, this, cs);
    }
    KML*/

    /**
     * Create an InputStreamReader that uses the given charset decoder.  
    
     *
     * @param  in       An InputStream
     * @param  dec      A charset decoder
     *
     * @since 1.4
     * @spec JSR-51
     */
    /*KML
      public InputStreamReader(InputStream in, CharsetDecoder dec) {
        super(in);
	if (dec == null)
	    throw new NullPointerException("charset decoder");
	sd = StreamDecoder.forInputStreamReader(in, this, dec);
    }
    KML*/

    /**
     * Return the name of the character encoding being used by this stream.
     *
     * 
     If the encoding has an historical name then that name is returned;
     * otherwise the encoding's canonical name is returned.
     *
     * 
     If this instance was created with the {@link
     * #InputStreamReader(InputStream, String)} constructor then the returned
     * name, being unique for the encoding, may differ from the name passed to
     * the constructor.  This method may return null if the stream
     * has been closed. 
    
     *
     * @return The historical name of this encoding, or possibly
     *         null if the stream has been closed
     *
     * @see java.nio.charset.Charset
     *
     * @revised 1.4
     * @spec JSR-51
     */
    public String getEncoding() {
	return sd.getEncoding();
    }

    /**
     * Read a single character.
     *
     * @return The character read, or -1 if the end of the stream has been
     *         reached
     *
     * @exception  IOException  If an I/O error occurs
     */
    public int read() throws IOException {
        return sd.read();
    }

    /**
     * Read characters into a portion of an array.
     *
     * @param      cbuf     Destination buffer
     * @param      offset   Offset at which to start storing characters
     * @param      length   Maximum number of characters to read
     *
     * @return     The number of characters read, or -1 if the end of the 
     *             stream has been reached
     *
     * @exception  IOException  If an I/O error occurs
     */
    public int read(char cbuf[], int offset, int length) throws IOException {
	return sd.read(cbuf, offset, length);
    }

    /**
     * Tell whether this stream is ready to be read.  An InputStreamReader is
     * ready if its input buffer is not empty, or if bytes are available to be
     * read from the underlying byte stream.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public boolean ready() throws IOException {
	return sd.ready();
    }

    /**
     * Close the stream.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void close() throws IOException {
	sd.close();
    }

}
why-2.34/lib/java_api/java/io/Serializable.java0000644000175000017500000001112712311670312017740 0ustar  rtusers/*
 * @(#)Serializable.java	1.20 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/**
 * Serializability of a class is enabled by the class implementing the
 * java.io.Serializable interface. Classes that do not implement this
 * interface will not have any of their state serialized or
 * deserialized.  All subtypes of a serializable class are themselves
 * serializable.  The serialization interface has no methods or fields
 * and serves only to identify the semantics of being serializable. 
    
 *
 * To allow subtypes of non-serializable classes to be serialized, the
 * subtype may assume responsibility for saving and restoring the
 * state of the supertype's public, protected, and (if accessible)
 * package fields.  The subtype may assume this responsibility only if
 * the class it extends has an accessible no-arg constructor to
 * initialize the class's state.  It is an error to declare a class
 * Serializable if this is not the case.  The error will be detected at runtime. 
    
 *
 * During deserialization, the fields of non-serializable classes will
 * be initialized using the public or protected no-arg constructor of
 * the class.  A no-arg constructor must be accessible to the subclass
 * that is serializable.  The fields of serializable subclasses will
 * be restored from the stream. 
    
 *
 * When traversing a graph, an object may be encountered that does not
 * support the Serializable interface. In this case the
 * NotSerializableException will be thrown and will identify the class
 * of the non-serializable object. 
    
 *
 * Classes that require special handling during the serialization and
 * deserialization process must implement special methods with these exact
 * signatures: 
    
 *
 * 
     * private void writeObject(java.io.ObjectOutputStream out)
 *     throws IOException
 * private void readObject(java.io.ObjectInputStream in)
 *     throws IOException, ClassNotFoundException;
 * 
    
 *
 * The writeObject method is responsible for writing the state of the
 * object for its particular class so that the corresponding
 * readObject method can restore it.  The default mechanism for saving
 * the Object's fields can be invoked by calling
 * out.defaultWriteObject. The method does not need to concern
 * itself with the state belonging to its superclasses or subclasses.
 * State is saved by writing the individual fields to the
 * ObjectOutputStream using the writeObject method or by using the
 * methods for primitive data types supported by DataOutput. 
    
 *
 * The readObject method is responsible for reading from the stream and
 * restoring the classes fields. It may call in.defaultReadObject to invoke
 * the default mechanism for restoring the object's non-static and non-transient
 * fields.  The defaultReadObject method uses information in the stream to
 * assign the fields of the object saved in the stream with the correspondingly
 * named fields in the current object.  This handles the case when the class
 * has evolved to add new fields. The method does not need to concern
 * itself with the state belonging to its superclasses or subclasses.
 * State is saved by writing the individual fields to the
 * ObjectOutputStream using the writeObject method or by using the
 * methods for primitive data types supported by DataOutput. 
    
 *
 * Serializable classes that need to designate an alternative object to be
 * used when writing an object to the stream should implement this
 * special method with the exact signature: 
    
 *
 * 
     * ANY-ACCESS-MODIFIER Object writeReplace() throws ObjectStreamException;
 * 
    
 *
 * This writeReplace method is invoked by serialization if the method
 * exists and it would be accessible from a method defined within the
 * class of the object being serialized. Thus, the method can have private,
 * protected and package-private access. Subclass access to this method
 * follows java accessibility rules. 
    
 *
 * Classes that need to designate a replacement when an instance of it
 * is read from the stream should implement this special method with the
 * exact signature.
    
 *
 * 
     * ANY-ACCESS-MODIFIER Object readResolve() throws ObjectStreamException;
 * 
    
 *
 * This readResolve method follows the same invocation rules and
 * accessibility rules as writeReplace.
 *
 * @author  unascribed
 * @version 1.20, 01/23/03
 * @see java.io.ObjectOutputStream
 * @see java.io.ObjectInputStream
 * @see java.io.ObjectOutput
 * @see java.io.ObjectInput
 * @see java.io.Externalizable
 * @since   JDK1.1
 */
public interface Serializable {
}
why-2.34/lib/java_api/java/io/StreamTokenizer.java0000644000175000017500000006223112311670312020462 0ustar  rtusers/*
 * @(#)StreamTokenizer.java	1.39 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;


/**
 * The StreamTokenizer class takes an input stream and
 * parses it into "tokens", allowing the tokens to be
 * read one at a time. The parsing process is controlled by a table
 * and a number of flags that can be set to various states. The
 * stream tokenizer can recognize identifiers, numbers, quoted
 * strings, and various comment styles.
 * 
    
 * Each byte read from the input stream is regarded as a character
 * in the range '\u0000' through '\u00FF'.
 * The character value is used to look up five possible attributes of
 * the character: white space, alphabetic,
 * numeric, string quote, and comment character.
 * Each character can have zero or more of these attributes.
 * 
    
 * In addition, an instance has four flags. These flags indicate:
 * 
      
 * 
    • Whether line terminators are to be returned as tokens or treated
 *     as white space that merely separates tokens.
 * 
    • Whether C-style comments are to be recognized and skipped.
 * 
    • Whether C++-style comments are to be recognized and skipped.
 * 
    • Whether the characters of identifiers are converted to lowercase.
 * 
    
 * 
    
 * A typical application first constructs an instance of this class,
 * sets up the syntax tables, and then repeatedly loops calling the
 * nextToken method in each iteration of the loop until
 * it returns the value TT_EOF.
 *
 * @author  James Gosling
 * @version 1.39, 01/23/03
 * @see     java.io.StreamTokenizer#nextToken()
 * @see     java.io.StreamTokenizer#TT_EOF
 * @since   JDK1.0
 */

public class StreamTokenizer {

    /* Only one of these will be non-null */
    private Reader reader = null;
    private InputStream input = null;

    private char buf[] = new char[20];

    /**
     * The next character to be considered by the nextToken method.  May also
     * be NEED_CHAR to indicate that a new character should be read, or SKIP_LF
     * to indicate that a new character should be read and, if it is a '\n'
     * character, it should be discarded and a second new character should be
     * read.
     */
    private int peekc = NEED_CHAR;

    private static final int NEED_CHAR = Integer.MAX_VALUE;
    private static final int SKIP_LF = Integer.MAX_VALUE - 1;

    private boolean pushedBack;
    private boolean forceLower;
    /** The line number of the last token read */
    private int LINENO = 1;

    private boolean eolIsSignificantP = false;
    private boolean slashSlashCommentsP = false;
    private boolean slashStarCommentsP = false;

    private byte ctype[] = new byte[256];
    private static final byte CT_WHITESPACE = 1;
    private static final byte CT_DIGIT = 2;
    private static final byte CT_ALPHA = 4;
    private static final byte CT_QUOTE = 8;
    private static final byte CT_COMMENT = 16;

    /**
     * After a call to the nextToken method, this field
     * contains the type of the token just read. For a single character
     * token, its value is the single character, converted to an integer.
     * For a quoted string token (see , its value is the quote character.
     * Otherwise, its value is one of the following:
     * 
      
     * 
    • TT_WORD indicates that the token is a word.
     * 
    • TT_NUMBER indicates that the token is a number.
     * 
    • TT_EOL indicates that the end of line has been read.
     *     The field can only have this value if the
     *     eolIsSignificant method has been called with the
     *     argument true.
     * 
    • TT_EOF indicates that the end of the input stream
     *     has been reached.
     * 
    
     * 
    
     * The initial value of this field is -4.
     *
     * @see     java.io.StreamTokenizer#eolIsSignificant(boolean)
     * @see     java.io.StreamTokenizer#nextToken()
     * @see     java.io.StreamTokenizer#quoteChar(int)
     * @see     java.io.StreamTokenizer#TT_EOF
     * @see     java.io.StreamTokenizer#TT_EOL
     * @see     java.io.StreamTokenizer#TT_NUMBER
     * @see     java.io.StreamTokenizer#TT_WORD
     */
    public int ttype = TT_NOTHING;

    /**
     * A constant indicating that the end of the stream has been read.
     */
    public static final int TT_EOF = -1;

    /**
     * A constant indicating that the end of the line has been read.
     */
    public static final int TT_EOL = '\n';

    /**
     * A constant indicating that a number token has been read.
     */
    public static final int TT_NUMBER = -2;

    /**
     * A constant indicating that a word token has been read.
     */
    public static final int TT_WORD = -3;

    /* A constant indicating that no token has been read, used for
     * initializing ttype.  FIXME This could be made public and
     * made available as the part of the API in a future release.
     */
    private static final int TT_NOTHING = -4;

    /**
     * If the current token is a word token, this field contains a
     * string giving the characters of the word token. When the current
     * token is a quoted string token, this field contains the body of
     * the string.
     * 
    
     * The current token is a word when the value of the
     * ttype field is TT_WORD. The current token is
     * a quoted string token when the value of the ttype field is
     * a quote character.
     * 
    
     * The initial value of this field is null.
     *
     * @see     java.io.StreamTokenizer#quoteChar(int)
     * @see     java.io.StreamTokenizer#TT_WORD
     * @see     java.io.StreamTokenizer#ttype
     */
    public String sval;

    /**
     * If the current token is a number, this field contains the value
     * of that number. The current token is a number when the value of
     * the ttype field is TT_NUMBER.
     * 
    
     * The initial value of this field is 0.0.
     *
     * @see     java.io.StreamTokenizer#TT_NUMBER
     * @see     java.io.StreamTokenizer#ttype
     */
    public double nval;

    /** Private constructor that initializes everything except the streams. */
    private StreamTokenizer() {
	wordChars('a', 'z');
	wordChars('A', 'Z');
	wordChars(128 + 32, 255);
	whitespaceChars(0, ' ');
	commentChar('/');
	quoteChar('"');
	quoteChar('\'');
	parseNumbers();
    }

    /**
     * Creates a stream tokenizer that parses the specified input
     * stream. The stream tokenizer is initialized to the following
     * default state:
     * 
      
     * 
    • All byte values 'A' through 'Z',
     *     'a' through 'z', and
     *     '\u00A0' through '\u00FF' are
     *     considered to be alphabetic.
     * 
    • All byte values '\u0000' through
     *     '\u0020' are considered to be white space.
     * 
    • '/' is a comment character.
     * 
    • Single quote '\'' and double quote '"'
     *     are string quote characters.
     * 
    • Numbers are parsed.
     * 
    • Ends of lines are treated as white space, not as separate tokens.
     * 
    • C-style and C++-style comments are not recognized.
     * 
    
     *
     * @deprecated As of JDK version 1.1, the preferred way to tokenize an
     * input stream is to convert it into a character stream, for example:
     * 
         *   Reader r = new BufferedReader(new InputStreamReader(is));
     *   StreamTokenizer st = new StreamTokenizer(r);
     * 
    
     *
     * @param      is        an input stream.
     * @see        java.io.BufferedReader
     * @see        java.io.InputStreamReader
     * @see        java.io.StreamTokenizer#StreamTokenizer(java.io.Reader)
     */
    public StreamTokenizer(InputStream is) {
	this();
        if (is == null) {
            throw new NullPointerException();
        }
	input = is;
    }

    /**
     * Create a tokenizer that parses the given character stream.
     *
     * @param r  a Reader object providing the input stream.
     * @since   JDK1.1
     */
    public StreamTokenizer(Reader r) {
	this();
        if (r == null) {
            throw new NullPointerException();
        }
	reader = r;
    }

    /**
     * Resets this tokenizer's syntax table so that all characters are
     * "ordinary." See the ordinaryChar method
     * for more information on a character being ordinary.
     *
     * @see     java.io.StreamTokenizer#ordinaryChar(int)
     */
    public void resetSyntax() {
	for (int i = ctype.length; --i >= 0;)
	    ctype[i] = 0;
    }

    /**
     * Specifies that all characters c in the range
     * low <= c <= high
     * are word constituents. A word token consists of a word constituent
     * followed by zero or more word constituents or number constituents.
     *
     * @param   low   the low end of the range.
     * @param   hi    the high end of the range.
     */
    public void wordChars(int low, int hi) {
	if (low < 0)
	    low = 0;
	if (hi >= ctype.length)
	    hi = ctype.length - 1;
	while (low <= hi)
	    ctype[low++] |= CT_ALPHA;
    }

    /**
     * Specifies that all characters c in the range
     * low <= c <= high
     * are white space characters. White space characters serve only to
     * separate tokens in the input stream.
     *
     * 
    Any other attribute settings for the characters in the specified
     * range are cleared.
     *
     * @param   low   the low end of the range.
     * @param   hi    the high end of the range.
     */
    public void whitespaceChars(int low, int hi) {
	if (low < 0)
	    low = 0;
	if (hi >= ctype.length)
	    hi = ctype.length - 1;
	while (low <= hi)
	    ctype[low++] = CT_WHITESPACE;
    }

    /**
     * Specifies that all characters c in the range
     * low <= c <= high
     * are "ordinary" in this tokenizer. See the
     * ordinaryChar method for more information on a
     * character being ordinary.
     *
     * @param   low   the low end of the range.
     * @param   hi    the high end of the range.
     * @see     java.io.StreamTokenizer#ordinaryChar(int)
     */
    public void ordinaryChars(int low, int hi) {
	if (low < 0)
	    low = 0;
	if (hi >= ctype.length)
	    hi = ctype.length - 1;
	while (low <= hi)
	    ctype[low++] = 0;
    }

    /**
     * Specifies that the character argument is "ordinary"
     * in this tokenizer. It removes any special significance the
     * character has as a comment character, word component, string
     * delimiter, white space, or number character. When such a character
     * is encountered by the parser, the parser treates it as a
     * single-character token and sets ttype field to the
     * character value.
     *
     * @param   ch   the character.
     * @see     java.io.StreamTokenizer#ttype
     */
    public void ordinaryChar(int ch) {
        if (ch >= 0 && ch < ctype.length)
  	    ctype[ch] = 0;
    }

    /**
     * Specified that the character argument starts a single-line
     * comment. All characters from the comment character to the end of
     * the line are ignored by this stream tokenizer.
     *
     * 
    Any other attribute settings for the specified character are cleared.
     *
     * @param   ch   the character.
     */
    public void commentChar(int ch) {
        if (ch >= 0 && ch < ctype.length)
	    ctype[ch] = CT_COMMENT;
    }

    /**
     * Specifies that matching pairs of this character delimit string
     * constants in this tokenizer.
     * 
    
     * When the nextToken method encounters a string
     * constant, the ttype field is set to the string
     * delimiter and the sval field is set to the body of
     * the string.
     * 
    
     * If a string quote character is encountered, then a string is
     * recognized, consisting of all characters after (but not including)
     * the string quote character, up to (but not including) the next
     * occurrence of that same string quote character, or a line
     * terminator, or end of file. The usual escape sequences such as
     * "\n" and "\t" are recognized and
     * converted to single characters as the string is parsed.
     *
     * 
    Any other attribute settings for the specified character are cleared.
     *
     * @param   ch   the character.
     * @see     java.io.StreamTokenizer#nextToken()
     * @see     java.io.StreamTokenizer#sval
     * @see     java.io.StreamTokenizer#ttype
     */
    public void quoteChar(int ch) {
        if (ch >= 0 && ch < ctype.length)
 	    ctype[ch] = CT_QUOTE;
    }

    /**
     * Specifies that numbers should be parsed by this tokenizer. The
     * syntax table of this tokenizer is modified so that each of the twelve
     * characters:
     * 
         *      0 1 2 3 4 5 6 7 8 9 . -
     * 
    
     * 
    
     * has the "numeric" attribute.
     * 
    
     * When the parser encounters a word token that has the format of a
     * double precision floating-point number, it treats the token as a
     * number rather than a word, by setting the the ttype
     * field to the value TT_NUMBER and putting the numeric
     * value of the token into the nval field.
     *
     * @see     java.io.StreamTokenizer#nval
     * @see     java.io.StreamTokenizer#TT_NUMBER
     * @see     java.io.StreamTokenizer#ttype
     */
    public void parseNumbers() {
	for (int i = '0'; i <= '9'; i++)
	    ctype[i] |= CT_DIGIT;
	ctype['.'] |= CT_DIGIT;
	ctype['-'] |= CT_DIGIT;
    }

    /**
     * Determines whether or not ends of line are treated as tokens.
     * If the flag argument is true, this tokenizer treats end of lines
     * as tokens; the nextToken method returns
     * TT_EOL and also sets the ttype field to
     * this value when an end of line is read.
     * 
    
     * A line is a sequence of characters ending with either a
     * carriage-return character ('\r') or a newline
     * character ('\n'). In addition, a carriage-return
     * character followed immediately by a newline character is treated
     * as a single end-of-line token.
     * 
    
     * If the flag is false, end-of-line characters are
     * treated as white space and serve only to separate tokens.
     *
     * @param   flag   true indicates that end-of-line characters
     *                 are separate tokens; false indicates that
     *                 end-of-line characters are white space.
     * @see     java.io.StreamTokenizer#nextToken()
     * @see     java.io.StreamTokenizer#ttype
     * @see     java.io.StreamTokenizer#TT_EOL
     */
    public void eolIsSignificant(boolean flag) {
	eolIsSignificantP = flag;
    }

    /**
     * Determines whether or not the tokenizer recognizes C-style comments.
     * If the flag argument is true, this stream tokenizer
     * recognizes C-style comments. All text between successive
     * occurrences of /* and */ are discarded.
     * 
    
     * If the flag argument is false, then C-style comments
     * are not treated specially.
     *
     * @param   flag   true indicates to recognize and ignore
     *                 C-style comments.
     */
    public void slashStarComments(boolean flag) {
	slashStarCommentsP = flag;
    }

    /**
     * Determines whether or not the tokenizer recognizes C++-style comments.
     * If the flag argument is true, this stream tokenizer
     * recognizes C++-style comments. Any occurrence of two consecutive
     * slash characters ('/') is treated as the beginning of
     * a comment that extends to the end of the line.
     * 
    
     * If the flag argument is false, then C++-style
     * comments are not treated specially.
     *
     * @param   flag   true indicates to recognize and ignore
     *                 C++-style comments.
     */
    public void slashSlashComments(boolean flag) {
	slashSlashCommentsP = flag;
    }

    /**
     * Determines whether or not word token are automatically lowercased.
     * If the flag argument is true, then the value in the
     * sval field is lowercased whenever a word token is
     * returned (the ttype field has the
     * value TT_WORD by the nextToken method
     * of this tokenizer.
     * 
    
     * If the flag argument is false, then the
     * sval field is not modified.
     *
     * @param   fl   true indicates that all word tokens should
     *               be lowercased.
     * @see     java.io.StreamTokenizer#nextToken()
     * @see     java.io.StreamTokenizer#ttype
     * @see     java.io.StreamTokenizer#TT_WORD
     */
    public void lowerCaseMode(boolean fl) {
	forceLower = fl;
    }

    /** Read the next character */
    private int read() throws IOException {
	if (reader != null)
	    return reader.read();
	else if (input != null)
	    return input.read();
	else
	    throw new IllegalStateException();
    }

    /**
     * Parses the next token from the input stream of this tokenizer.
     * The type of the next token is returned in the ttype
     * field. Additional information about the token may be in the
     * nval field or the sval field of this
     * tokenizer.
     * 
    
     * Typical clients of this
     * class first set up the syntax tables and then sit in a loop
     * calling nextToken to parse successive tokens until TT_EOF
     * is returned.
     *
     * @return     the value of the ttype field.
     * @exception  IOException  if an I/O error occurs.
     * @see        java.io.StreamTokenizer#nval
     * @see        java.io.StreamTokenizer#sval
     * @see        java.io.StreamTokenizer#ttype
     */
    public int nextToken() throws IOException {
	if (pushedBack) {
	    pushedBack = false;
	    return ttype;
	}
	byte ct[] = ctype;
	sval = null;

	int c = peekc;
	if (c < 0)
	    c = NEED_CHAR;
	if (c == SKIP_LF) {
	    c = read();
	    if (c < 0)
		return ttype = TT_EOF;
	    if (c == '\n')
		c = NEED_CHAR;
	}
	if (c == NEED_CHAR) {
	    c = read();
	    if (c < 0)
		return ttype = TT_EOF;
	}
	ttype = c;		/* Just to be safe */

	/* Set peekc so that the next invocation of nextToken will read
	 * another character unless peekc is reset in this invocation
	 */
	peekc = NEED_CHAR;

	int ctype = c < 256 ? ct[c] : CT_ALPHA;
	while ((ctype & CT_WHITESPACE) != 0) {
	    if (c == '\r') {
		LINENO++;
		if (eolIsSignificantP) {
		    peekc = SKIP_LF;
		    return ttype = TT_EOL;
		}
		c = read();
		if (c == '\n')
		    c = read();
	    } else {
		if (c == '\n') {
		    LINENO++;
		    if (eolIsSignificantP) {
			return ttype = TT_EOL;
		    }
		}
		c = read();
	    }
	    if (c < 0)
		return ttype = TT_EOF;
	    ctype = c < 256 ? ct[c] : CT_ALPHA;
	}

	if ((ctype & CT_DIGIT) != 0) {
	    boolean neg = false;
	    if (c == '-') {
		c = read();
		if (c != '.' && (c < '0' || c > '9')) {
		    peekc = c;
		    return ttype = '-';
		}
		neg = true;
	    }
	    double v = 0;
	    int decexp = 0;
	    int seendot = 0;
	    while (true) {
		if (c == '.' && seendot == 0)
		    seendot = 1;
		else if ('0' <= c && c <= '9') {
		    v = v * 10 + (c - '0');
		    decexp += seendot;
		} else
		    break;
		c = read();
	    }
	    peekc = c;
	    if (decexp != 0) {
		double denom = 10;
		decexp--;
		while (decexp > 0) {
		    denom *= 10;
		    decexp--;
		}
		/* Do one division of a likely-to-be-more-accurate number */
		v = v / denom;
	    }
	    nval = neg ? -v : v;
	    return ttype = TT_NUMBER;
	}

	if ((ctype & CT_ALPHA) != 0) {
	    int i = 0;
	    do {
		if (i >= buf.length) {
		    char nb[] = new char[buf.length * 2];
		    System.arraycopy(buf, 0, nb, 0, buf.length);
		    buf = nb;
		}
		buf[i++] = (char) c;
		c = read();
		ctype = c < 0 ? CT_WHITESPACE : c < 256 ? ct[c] : CT_ALPHA;
	    } while ((ctype & (CT_ALPHA | CT_DIGIT)) != 0);
	    peekc = c;
	    sval = String.copyValueOf(buf, 0, i);
	    if (forceLower)
		sval = sval.toLowerCase();
	    return ttype = TT_WORD;
	}

	if ((ctype & CT_QUOTE) != 0) {
	    ttype = c;
	    int i = 0;
	    /* Invariants (because \Octal needs a lookahead):
	     *   (i)  c contains char value
	     *   (ii) d contains the lookahead
	     */
	    int d = read();
	    while (d >= 0 && d != ttype && d != '\n' && d != '\r') {
	        if (d == '\\') {
   		    c = read();
		    int first = c;   /* To allow \377, but not \477 */
		    if (c >= '0' && c <= '7') {
			c = c - '0';
			int c2 = read();
			if ('0' <= c2 && c2 <= '7') {
			    c = (c << 3) + (c2 - '0');
			    c2 = read();
			    if ('0' <= c2 && c2 <= '7' && first <= '3') {
				c = (c << 3) + (c2 - '0');
				d = read();
			    } else
				d = c2;
			} else
			  d = c2;
		    } else {
  		        switch (c) {
			case 'a':
			    c = 0x7;
			    break;
			case 'b':
			    c = '\b';
			    break;
			case 'f':
			    c = 0xC;
			    break;
			case 'n':
			    c = '\n';
			    break;
		        case 'r':
			    c = '\r';
			    break;
			case 't':
			    c = '\t';
			    break;
			case 'v':
			    c = 0xB;
			    break;
			}
			d = read();
		    }
		} else {
		    c = d;
		    d = read();
		}
		if (i >= buf.length) {
		    char nb[] = new char[buf.length * 2];
		    System.arraycopy(buf, 0, nb, 0, buf.length);
		    buf = nb;
		}
		buf[i++] = (char)c;
	    }

	    /* If we broke out of the loop because we found a matching quote
	     * character then arrange to read a new character next time
	     * around; otherwise, save the character.
	     */
	    peekc = (d == ttype) ? NEED_CHAR : d;

	    sval = String.copyValueOf(buf, 0, i);
	    return ttype;
	}

	if (c == '/' && (slashSlashCommentsP || slashStarCommentsP)) {
	    c = read();
	    if (c == '*' && slashStarCommentsP) {
		int prevc = 0;
		while ((c = read()) != '/' || prevc != '*') {
		    if (c == '\r') {
			LINENO++;
			c = read();
			if (c == '\n') {
			    c = read();
			}
		    } else {
		        if (c == '\n') {
			    LINENO++;
			    c = read();
			}
		    }
		    if (c < 0)
		        return ttype = TT_EOF;
		    prevc = c;
		}
		return nextToken();
	    } else if (c == '/' && slashSlashCommentsP) {
	        while ((c = read()) != '\n' && c != '\r' && c >= 0);
	        peekc = c;
		return nextToken();
	    } else {
                /* Now see if it is still a single line comment */
                if ((ct['/'] & CT_COMMENT) != 0) {
                    while ((c = read()) != '\n' && c != '\r' && c >= 0);
                    peekc = c;
                    return nextToken();
                } else {
                    peekc = c;
                    return ttype = '/';
                }
	    }
        }

        if ((ctype & CT_COMMENT) != 0) {
            while ((c = read()) != '\n' && c != '\r' && c >= 0);
            peekc = c;
            return nextToken();
        }

	return ttype = c;
    }

    /**
     * Causes the next call to the nextToken method of this
     * tokenizer to return the current value in the ttype
     * field, and not to modify the value in the nval or
     * sval field.
     *
     * @see     java.io.StreamTokenizer#nextToken()
     * @see     java.io.StreamTokenizer#nval
     * @see     java.io.StreamTokenizer#sval
     * @see     java.io.StreamTokenizer#ttype
     */
    public void pushBack() {
        if (ttype != TT_NOTHING)   /* No-op if nextToken() not called */
	    pushedBack = true;
    }

    /**
     * Return the current line number.
     *
     * @return  the current line number of this stream tokenizer.
     */
    public int lineno() {
	return LINENO;
    }

    /**
     * Returns the string representation of the current stream token and
     * the line number it occurs on.
     *
     * 
    The precise string returned is unspecified, although the following
     * example can be considered typical:
     *
     * 
    Token['a'], line 10
    
     *
     * @return  a string representation of the token
     * @see     java.io.StreamTokenizer#nval
     * @see     java.io.StreamTokenizer#sval
     * @see     java.io.StreamTokenizer#ttype
     */
    public String toString() {
	String ret;
	switch (ttype) {
	  case TT_EOF:
	    ret = "EOF";
	    break;
	  case TT_EOL:
	    ret = "EOL";
	    break;
	  case TT_WORD:
	    ret = sval;
	    break;
	  case TT_NUMBER:
	    ret = "n=" + nval;
	    break;
   	  case TT_NOTHING:
	    ret = "NOTHING";
	    break;
	  default: {
		/* 
		 * ttype is the first character of either a quoted string or
		 * is an ordinary character. ttype can definitely not be less
		 * than 0, since those are reserved values used in the previous
		 * case statements
		 */
		if (ttype < 256 && 
		    ((ctype[ttype] & CT_QUOTE) != 0)) {
		    ret = sval;
		    break;
		}

		char s[] = new char[3];
		s[0] = s[2] = '\'';
		s[1] = (char) ttype;
		ret = new String(s);
		break;
	    }
	}
	return "Token[" + ret + "], line " + LINENO;
    }

}
why-2.34/lib/java_api/java/io/ObjectStreamClass.java0000644000175000017500000017632512311670312020716 0ustar  rtusers/*
 * @(#)ObjectStreamClass.java	1.130 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

//*KML import java.lang.reflect.Constructor;
//*KML import java.lang.reflect.Field;
//*KML import java.lang.reflect.InvocationTargetException;
//*KML import java.lang.reflect.Member;
//*KML import java.lang.reflect.Method;
//*KML import java.lang.reflect.Modifier;
//*KML import java.lang.reflect.Proxy;
//*KML import java.security.AccessController;
//*KML import java.security.MessageDigest;
//*KML import java.security.NoSuchAlgorithmException;
//*KML import java.security.PrivilegedAction;
//*KML import java.util.ArrayList;
//*KML import java.util.Arrays;
//*KML import java.util.Collections;
//*KML import java.util.Comparator;
//*KML import java.util.HashSet;
//*KML import java.util.Set;
//*KML import sun.misc.SoftCache;
//*KML import sun.misc.Unsafe;
//*KML import sun.reflect.ReflectionFactory;

/**
 * Serialization's descriptor for classes.  It contains the name and
 * serialVersionUID of the class.  The ObjectStreamClass for a specific class
 * loaded in this Java VM can be found/created using the lookup method.
 * 
 * 
    The algorithm to compute the SerialVersionUID is described in 
 * Object
 * Serialization Specification, Section 4.4, Stream Unique Identifiers.
 *
 * @author	Mike Warres
 * @author	Roger Riggs
 * @version 1.98 02/02/00
 * @see ObjectStreamField
 * @see Object Serialization Specification, Section 4, Class Descriptors
 * @since   JDK1.1
 */
public class ObjectStreamClass implements Serializable {

    /** serialPersistentFields value indicating no serializable fields */
    public static final ObjectStreamField[] NO_FIELDS = 
	new ObjectStreamField[0];
    
    private static final long serialVersionUID = -6120832682080437368L;
    private static final ObjectStreamField[] serialPersistentFields =
	NO_FIELDS;
    
    /** reflection factory for obtaining serialization constructors */
    private static final ReflectionFactory reflFactory = (ReflectionFactory)
	AccessController.doPrivileged(
	    new ReflectionFactory.GetReflectionFactoryAction());

    /** cache mapping local classes -> descriptors */
    private static final SoftCache localDescs = new SoftCache(10);
    /** cache mapping field group/local desc pairs -> field reflectors */
    private static final SoftCache reflectors = new SoftCache(10);

    /** class associated with this descriptor (if any) */
    private Class cl;
    /** name of class represented by this descriptor */
    private String name;
    /** serialVersionUID of represented class (null if not computed yet) */
    private volatile Long suid;

    /** true if represents dynamic proxy class */
    private boolean isProxy;
    /** true if represented class implements Serializable */
    private boolean serializable;
    /** true if represented class implements Externalizable */
    private boolean externalizable;
    /** true if desc has data written by class-defined writeObject method */
    private boolean hasWriteObjectData;
    /** 
     * true if desc has externalizable data written in block data format; this
     * must be true by default to accomodate ObjectInputStream subclasses which
     * override readClassDescriptor() to return class descriptors obtained from
     * ObjectStreamClass.lookup() (see 4461737)
     */
    private boolean hasBlockExternalData = true;

    /** exception (if any) thrown while attempting to resolve class */
    private ClassNotFoundException resolveEx;
    /** exception (if any) to be thrown if deserialization attempted */
    private InvalidClassException deserializeEx;
    /** exception (if any) to be thrown if serialization attempted */
    private InvalidClassException serializeEx;
    /** exception (if any) to be thrown if default serialization attempted */
    private InvalidClassException defaultSerializeEx;

    /** serializable fields */
    private ObjectStreamField[] fields;
    /** aggregate marshalled size of primitive fields */
    private int primDataSize;
    /** number of non-primitive fields */
    private int numObjFields;
    /** reflector for setting/getting serializable field values */
    private FieldReflector fieldRefl;
    /** data layout of serialized objects described by this class desc */
    private volatile ClassDataSlot[] dataLayout;

    /** serialization-appropriate constructor, or null if none */
    private Constructor cons;
    /** class-defined writeObject method, or null if none */
    private Method writeObjectMethod;
    /** class-defined readObject method, or null if none */
    private Method readObjectMethod;
    /** class-defined readObjectNoData method, or null if none */
    private Method readObjectNoDataMethod;
    /** class-defined writeReplace method, or null if none */
    private Method writeReplaceMethod;
    /** class-defined readResolve method, or null if none */
    private Method readResolveMethod;

    /** local class descriptor for represented class (may point to self) */
    private ObjectStreamClass localDesc;
    /** superclass descriptor appearing in stream */
    private ObjectStreamClass superDesc;
    
    /**
     * Initializes native code.
     */
    private static native void initNative();
    static {
	initNative();
    }

    /** 
     * Find the descriptor for a class that can be serialized.  Creates an
     * ObjectStreamClass instance if one does not exist yet for class. Null is
     * returned if the specified class does not implement java.io.Serializable
     * or java.io.Externalizable.
     *
     * @param	cl class for which to get the descriptor
     * @return	the class descriptor for the specified class
     */
    public static ObjectStreamClass lookup(Class cl) {
	return lookup(cl, false);
    }
    
    /**
     * The name of the class described by this descriptor.
     *
     * @return	a String representing the fully qualified name of
     * 		the class
     */
    public String getName() {
	return name;
    }

    /**
     * Return the serialVersionUID for this class.  The serialVersionUID
     * defines a set of classes all with the same name that have evolved from a
     * common root class and agree to be serialized and deserialized using a
     * common format.  NonSerializable classes have a serialVersionUID of 0L.
     *
     * @return	the SUID of the class described by this descriptor
     */
    public long getSerialVersionUID() {
	// REMIND: synchronize instead of relying on volatile?
	if (suid == null) {
	    suid = (Long) AccessController.doPrivileged(
		new PrivilegedAction() {
		    public Object run() {
			return new Long(computeDefaultSUID(cl));
		    }
		}
	    );
	}
	return suid.longValue();
    }

    /**
     * Return the class in the local VM that this version is mapped to.  Null
     * is returned if there is no corresponding local class.
     *
     * @return	the Class instance that this descriptor represents
     */
    public Class forClass() {
	return cl;
    }
    
    /**
     * Return an array of the fields of this serializable class.
     *
     * @return	an array containing an element for each persistent field of
     * 		this class. Returns an array of length zero if there are no
     * 		fields.
     * @since 1.2
     */
    public ObjectStreamField[] getFields() {
	return getFields(true);
    }

    /**
     * Get the field of this class by name.
     *
     * @param	name the name of the data field to look for
     * @return	The ObjectStreamField object of the named field or null if
     * 		there is no such named field.
     */
    public ObjectStreamField getField(String name) {
	return getField(name, null);
    }

    /**
     * Return a string describing this ObjectStreamClass.
     */
    public String toString() {
	return name + ": static final long serialVersionUID = " + 
	    getSerialVersionUID() + "L;";
    }
    
    /**
     * Looks up and returns class descriptor for given class, or null if class
     * is non-serializable and "all" is set to false.
     * 
     * @param	cl class to look up
     * @param	all if true, return descriptors for all classes; if false, only
     * 		return descriptors for serializable classes
     */
    static ObjectStreamClass lookup(Class cl, boolean all) {
	/*KML
	  if (!(all || Serializable.class.isAssignableFrom(cl))) {
	    return null;
	}
	KML*/
	/*
	 * Note: using the class directly as the key for storing entries does
	 * not pin the class indefinitely, since SoftCache removes strong refs
	 * to keys when the corresponding values are gc'ed.
	 */
	Object entry;
	EntryFuture future = null;
	synchronized (localDescs) {
	    if ((entry = localDescs.get(cl)) == null) {
		localDescs.put(cl, future = new EntryFuture());
	    }
	}
	
	if (entry instanceof ObjectStreamClass) {  // check common case first
	    return (ObjectStreamClass) entry;
	} else if (entry instanceof EntryFuture) {
	    entry = ((EntryFuture) entry).get();
	} else if (entry == null) {
	    try {
		entry = new ObjectStreamClass(cl);
	    } catch (Throwable th) {
		entry = th;
	    }
	    future.set(entry);
	    synchronized (localDescs) {
		localDescs.put(cl, entry);
	    }
	}
	
	if (entry instanceof ObjectStreamClass) {
	    return (ObjectStreamClass) entry;
	} else if (entry instanceof RuntimeException) {
	    throw (RuntimeException) entry;
	} else if (entry instanceof Error) {
	    throw (Error) entry;
	} else {
	    throw new InternalError("unexpected entry: " + entry);
	}
    }

    /**
     * Placeholder used in class descriptor and field reflector lookup tables
     * for an entry in the process of being initialized.  (Internal) callers
     * which receive an EntryFuture as the result of a lookup should call the
     * get() method of the EntryFuture; this will return the actual entry once
     * it is ready for use and has been set().  To conserve objects,
     * EntryFutures synchronize on themselves.
     */
    /*KML
    private static class EntryFuture {
	
	private static final Object unset = new Object();
	private Object entry = unset;

	synchronized void set(Object entry) {
	    if (this.entry != unset) {
		throw new IllegalStateException();
	    }
	    this.entry = entry;
	    notifyAll();
	}
	
	synchronized Object get() {
	    boolean interrupted = false;
	    while (entry == unset) {
		try { 
		    wait(); 
		} catch (InterruptedException ex) {
		    interrupted = true;
		}
	    }
	    if (interrupted) {
		AccessController.doPrivileged(
		    new PrivilegedAction() {
			public Object run() {
			    Thread.currentThread().interrupt();
			    return null;
			}
		    }
		);
	    }
	    return entry;
	}
    }
    KML*/

    /**
     * Creates local class descriptor representing given class.
     */
    private ObjectStreamClass(final Class cl) {
	this.cl = cl;
	name = cl.getName();
	isProxy = Proxy.isProxyClass(cl);
	/*KML
	serializable = Serializable.class.isAssignableFrom(cl);
	externalizable = Externalizable.class.isAssignableFrom(cl);
	KML*/

	Class superCl = cl.getSuperclass();
	superDesc = (superCl != null) ? lookup(superCl, false) : null;
	localDesc = this;
	/*KML
	if (serializable) {
	    AccessController.doPrivileged(new PrivilegedAction() {
		public Object run() {
		    suid = getDeclaredSUID(cl);
		    try {
			fields = getSerialFields(cl);
			computeFieldOffsets();
		    } catch (InvalidClassException e) {
			serializeEx = deserializeEx = e;
			fields = NO_FIELDS;
		    }
		    
		    if (externalizable) {
			cons = getExternalizableConstructor(cl);
		    } else {
			cons = getSerializableConstructor(cl);
			writeObjectMethod = getPrivateMethod(cl, "writeObject", 
			    new Class[] { ObjectOutputStream.class }, 
			    Void.TYPE);
			readObjectMethod = getPrivateMethod(cl, "readObject", 
			    new Class[] { ObjectInputStream.class }, 
			    Void.TYPE);
			readObjectNoDataMethod = getPrivateMethod(
			    cl, "readObjectNoData", 
			    new Class[0], Void.TYPE);
			hasWriteObjectData = (writeObjectMethod != null);
		    }
		    writeReplaceMethod = getInheritableMethod(
			cl, "writeReplace", new Class[0], Object.class);
		    readResolveMethod = getInheritableMethod(
			cl, "readResolve", new Class[0], Object.class);
		    return null;
		}
	    });
	} else {
	    suid = new Long(0);
	    fields = NO_FIELDS;
	}
	KML*/
	try {
	    fieldRefl = getReflector(fields, this);
	} catch (InvalidClassException ex) {
	    // field mismatches impossible when matching local fields vs. self
	    throw new InternalError();
	}

	if (cons == null) {
	    deserializeEx = new InvalidClassException(
		name, "no valid constructor");
	}
	for (int i = 0; i < fields.length; i++) {
	    if (fields[i].getField() == null) {
		defaultSerializeEx = new InvalidClassException(
		    name, "unmatched serializable field(s) declared");
	    }
	}
    }

    /**
     * Creates blank class descriptor which should be initialized via a
     * subsequent call to initProxy(), initNonProxy() or readNonProxy().
     */
    ObjectStreamClass() {
    }
    
    /**
     * Initializes class descriptor representing a proxy class.
     */
    void initProxy(Class cl, 
		   ClassNotFoundException resolveEx, 
		   ObjectStreamClass superDesc) 
	throws InvalidClassException
    {
	this.cl = cl;
	this.resolveEx = resolveEx;
	this.superDesc = superDesc;
	isProxy = true;
	serializable = true;
	suid = new Long(0);
	fields = NO_FIELDS;
	
	if (cl != null) {
	    localDesc = lookup(cl, true);
	    if (!localDesc.isProxy) {
		throw new InvalidClassException(
		    "cannot bind proxy descriptor to a non-proxy class");
	    }
	    name = localDesc.name;
	    externalizable = localDesc.externalizable;
	    cons = localDesc.cons;
	    writeReplaceMethod = localDesc.writeReplaceMethod;
	    readResolveMethod = localDesc.readResolveMethod;
	    deserializeEx = localDesc.deserializeEx;
	}
	fieldRefl = getReflector(fields, localDesc);
    }
    
    /**
     * Initializes class descriptor representing a non-proxy class.
     */
    void initNonProxy(ObjectStreamClass model, 
		      Class cl, 
		      ClassNotFoundException resolveEx,
		      ObjectStreamClass superDesc)
	throws InvalidClassException
    {
	this.cl = cl;
	this.resolveEx = resolveEx;
	this.superDesc = superDesc;
	name = model.name;
	suid = new Long(model.getSerialVersionUID());
	isProxy = false;
	serializable = model.serializable;
	externalizable = model.externalizable;
	hasBlockExternalData = model.hasBlockExternalData;
	hasWriteObjectData = model.hasWriteObjectData;
	fields = model.fields;
	primDataSize = model.primDataSize;
	numObjFields = model.numObjFields;
	
	if (cl != null) {
	    localDesc = lookup(cl, true);
	    if (localDesc.isProxy) {
		throw new InvalidClassException(
		    "cannot bind non-proxy descriptor to a proxy class");
	    }
	    
	    if (serializable == localDesc.serializable &&
		!cl.isArray() &&
		suid.longValue() != localDesc.getSerialVersionUID())
	    {
		throw new InvalidClassException(localDesc.name, 
		    "local class incompatible: " +
		    "stream classdesc serialVersionUID = " + suid +
		    ", local class serialVersionUID = " +
		    localDesc.getSerialVersionUID());
	    }
		
	    if (!classNamesEqual(name, localDesc.name)) {
		throw new InvalidClassException(localDesc.name,
		    "local class name incompatible with stream class " +
		    "name \"" + name + "\"");
	    }
	    
	    if ((serializable == localDesc.serializable) &&
		(externalizable != localDesc.externalizable))
	    {
		throw new InvalidClassException(localDesc.name, 
		    "Serializable incompatible with Externalizable");
	    }

	    if ((serializable != localDesc.serializable) ||
		(externalizable != localDesc.externalizable) ||
		!(serializable || externalizable))
	    {
		deserializeEx = new InvalidClassException(localDesc.name,
		    "class invalid for deserialization");
	    }
	    
	    cons = localDesc.cons;
	    writeObjectMethod = localDesc.writeObjectMethod;
	    readObjectMethod = localDesc.readObjectMethod;
	    readObjectNoDataMethod = localDesc.readObjectNoDataMethod;
	    writeReplaceMethod = localDesc.writeReplaceMethod;
	    readResolveMethod = localDesc.readResolveMethod;
	    if (deserializeEx == null) {
		deserializeEx = localDesc.deserializeEx;
	    }
	}
	fieldRefl = getReflector(fields, localDesc);
	// reassign to matched fields so as to reflect local unshared settings
	fields = fieldRefl.getFields();
    }
    
    /**
     * Reads non-proxy class descriptor information from given input stream.
     * The resulting class descriptor is not fully functional; it can only be
     * used as input to the ObjectInputStream.resolveClass() and
     * ObjectStreamClass.initNonProxy() methods.
     */
    void readNonProxy(ObjectInputStream in) 
	throws IOException, ClassNotFoundException
    {
	name = in.readUTF();
	suid = new Long(in.readLong());
	isProxy = false;

	byte flags = in.readByte();
	hasWriteObjectData = 
	    ((flags & ObjectStreamConstants.SC_WRITE_METHOD) != 0);
	hasBlockExternalData = 
	    ((flags & ObjectStreamConstants.SC_BLOCK_DATA) != 0);
	externalizable = 
	    ((flags & ObjectStreamConstants.SC_EXTERNALIZABLE) != 0);
	boolean sflag = 
	    ((flags & ObjectStreamConstants.SC_SERIALIZABLE) != 0);
	if (externalizable && sflag) {
	    throw new InvalidClassException(
		name, "serializable and externalizable flags conflict");
	}
	serializable = externalizable || sflag;
	
	int numFields = in.readShort();
	fields = (numFields > 0) ? 
	    new ObjectStreamField[numFields] : NO_FIELDS;
	for (int i = 0; i < numFields; i++) {
	    char tcode = (char) in.readByte();
	    String fname = in.readUTF();
	      String signature = ((tcode == 'L') || (tcode == '[')) ?
		in.readTypeString() : new String(new char[] { tcode });
	    try {
		fields[i] = new ObjectStreamField(fname, signature, false);
	    } catch (RuntimeException e) {
		throw (IOException) new InvalidClassException(name, 
		    "invalid descriptor for field " + fname).initCause(e);
		    }
		    
	}
	computeFieldOffsets();
    }

    /**
     * Writes non-proxy class descriptor information to given output stream.
     */
    void writeNonProxy(ObjectOutputStream out) throws IOException {
	out.writeUTF(name);
	out.writeLong(getSerialVersionUID());

	byte flags = 0;
	if (externalizable) {
	    flags |= ObjectStreamConstants.SC_EXTERNALIZABLE;
	    int protocol = out.getProtocolVersion();
	    if (protocol != ObjectStreamConstants.PROTOCOL_VERSION_1) {
		flags |= ObjectStreamConstants.SC_BLOCK_DATA;
	    }
	} else if (serializable) {
	    flags |= ObjectStreamConstants.SC_SERIALIZABLE;
	}
	if (hasWriteObjectData) {
	    flags |= ObjectStreamConstants.SC_WRITE_METHOD;
	}
	out.writeByte(flags);
	
	out.writeShort(fields.length);
	for (int i = 0; i < fields.length; i++) {
	    ObjectStreamField f = fields[i];
	    out.writeByte(f.getTypeCode());
	    out.writeUTF(f.getName());
	    if (!f.isPrimitive()) {
		out.writeTypeString(f.getTypeString());
	    }
	}
    }
    
    /**
     * Returns ClassNotFoundException (if any) thrown while attempting to
     * resolve local class corresponding to this class descriptor.
     */
    ClassNotFoundException getResolveException() {
	return resolveEx;
    }

    /**
     * Throws an InvalidClassException if object instances referencing this
     * class descriptor should not be allowed to deserialize.
     */
    void checkDeserialize() throws InvalidClassException {
	if (deserializeEx != null) {
	    throw deserializeEx;
	}
    }
    
    /**
     * Throws an InvalidClassException if objects whose class is represented by
     * this descriptor should not be allowed to serialize.
     */
    void checkSerialize() throws InvalidClassException {
	if (serializeEx != null) {
	    throw serializeEx;
	}
    }

    /**
     * Throws an InvalidClassException if objects whose class is represented by
     * this descriptor should not be permitted to use default serialization
     * (e.g., if the class declares serializable fields that do not correspond
     * to actual fields, and hence must use the GetField API).
     */
    void checkDefaultSerialize() throws InvalidClassException {
	if (defaultSerializeEx != null) {
	    throw defaultSerializeEx;
	}
    }

    /**
     * Returns superclass descriptor.  Note that on the receiving side, the
     * superclass descriptor may be bound to a class that is not a superclass
     * of the subclass descriptor's bound class.
     */
    ObjectStreamClass getSuperDesc() {
	return superDesc;
    }
    
    /**
     * Returns the "local" class descriptor for the class associated with this
     * class descriptor (i.e., the result of
     * ObjectStreamClass.lookup(this.forClass())) or null if there is no class
     * associated with this descriptor.
     */
    ObjectStreamClass getLocalDesc() {
	return localDesc;
    }

    /**
     * Returns arrays of ObjectStreamFields representing the serializable
     * fields of the represented class.  If copy is true, a clone of this class
     * descriptor's field array is returned, otherwise the array itself is
     * returned.
     */
    ObjectStreamField[] getFields(boolean copy) {
	return copy ? (ObjectStreamField[]) fields.clone() : fields;
    }
    
    /**
     * Looks up a serializable field of the represented class by name and type.
     * A specified type of null matches all types, Object.class matches all
     * non-primitive types, and any other non-null type matches assignable
     * types only.  Returns matching field, or null if no match found.
     */
    ObjectStreamField getField(String name, Class type) {
	/*KML
	  for (int i = 0; i < fields.length; i++) {
	    ObjectStreamField f = fields[i];
	    if (f.getName().equals(name)) {
		if (type == null || 
		    (type == Object.class && !f.isPrimitive()))
		{
		    return f;
		}
		Class ftype = f.getType();
		if (ftype != null && type.isAssignableFrom(ftype)) {
		    return f;
		}
	    }
	}
	KML*/
	return null;
    }

    /**
     * Returns true if class descriptor represents a dynamic proxy class, false
     * otherwise.
     */
    boolean isProxy() {
	return isProxy;
    }
    
    /**
     * Returns true if represented class implements Externalizable, false
     * otherwise.
     */
    boolean isExternalizable() {
	return externalizable;
    }
    
    /**
     * Returns true if represented class implements Serializable, false
     * otherwise.
     */
    boolean isSerializable() {
	return serializable;
    }

    /**
     * Returns true if class descriptor represents externalizable class that
     * has written its data in 1.2 (block data) format, false otherwise.
     */
    boolean hasBlockExternalData() {
	return hasBlockExternalData;
    }
    
    /**
     * Returns true if class descriptor represents serializable (but not
     * externalizable) class which has written its data via a custom
     * writeObject() method, false otherwise.
     */
    boolean hasWriteObjectData() {
	return hasWriteObjectData;
    }
    
    /**
     * Returns true if represented class is serializable/externalizable and can
     * be instantiated by the serialization runtime--i.e., if it is
     * externalizable and defines a public no-arg constructor, or if it is
     * non-externalizable and its first non-serializable superclass defines an
     * accessible no-arg constructor.  Otherwise, returns false.
     */
    boolean isInstantiable() {
	return (cons != null);
    }
    
    /**
     * Returns true if represented class is serializable (but not
     * externalizable) and defines a conformant writeObject method.  Otherwise,
     * returns false.
     */
    boolean hasWriteObjectMethod() {
	return (writeObjectMethod != null);
    }
    
    /**
     * Returns true if represented class is serializable (but not
     * externalizable) and defines a conformant readObject method.  Otherwise,
     * returns false.
     */
    boolean hasReadObjectMethod() {
	return (readObjectMethod != null);
    }
    
    /**
     * Returns true if represented class is serializable (but not
     * externalizable) and defines a conformant readObjectNoData method.
     * Otherwise, returns false.
     */
    boolean hasReadObjectNoDataMethod() {
	return (readObjectNoDataMethod != null);
    }
    
    /**
     * Returns true if represented class is serializable or externalizable and
     * defines a conformant writeReplace method.  Otherwise, returns false.
     */
    boolean hasWriteReplaceMethod() {
	return (writeReplaceMethod != null);
    }
    
    /**
     * Returns true if represented class is serializable or externalizable and
     * defines a conformant readResolve method.  Otherwise, returns false.
     */
    boolean hasReadResolveMethod() {
	return (readResolveMethod != null);
    }
    
    /**
     * Creates a new instance of the represented class.  If the class is
     * externalizable, invokes its public no-arg constructor; otherwise, if the
     * class is serializable, invokes the no-arg constructor of the first
     * non-serializable superclass.  Throws UnsupportedOperationException if
     * this class descriptor is not associated with a class, if the associated
     * class is non-serializable or if the appropriate no-arg constructor is
     * inaccessible/unavailable.
     */
    Object newInstance()
	throws InstantiationException, InvocationTargetException,
	       UnsupportedOperationException
    {
	if (cons != null) {
	    try {
		return cons.newInstance(new Object[0]);
	    } catch (IllegalAccessException ex) {
		// should not occur, as access checks have been suppressed
		throw new InternalError();
	    }
	} else {
	    throw new UnsupportedOperationException();
	}
    }
	       
    /**
     * Invokes the writeObject method of the represented serializable class.
     * Throws UnsupportedOperationException if this class descriptor is not
     * associated with a class, or if the class is externalizable,
     * non-serializable or does not define writeObject.
     */
    void invokeWriteObject(Object obj, ObjectOutputStream out)
	throws IOException, UnsupportedOperationException
    {
	if (writeObjectMethod != null) {
	    try {
		writeObjectMethod.invoke(obj, new Object[]{ out });
	    } catch (InvocationTargetException ex) {
		Throwable th = ex.getTargetException();
		if (th instanceof IOException) {
		    throw (IOException) th;
		} else {
		    throwMiscException(th);
		}
	    } catch (IllegalAccessException ex) {
		// should not occur, as access checks have been suppressed
		throw new InternalError();
	    }
	} else {
	    throw new UnsupportedOperationException();
	}
    }
    
    /**
     * Invokes the readObject method of the represented serializable class.
     * Throws UnsupportedOperationException if this class descriptor is not
     * associated with a class, or if the class is externalizable,
     * non-serializable or does not define readObject.
     */
    void invokeReadObject(Object obj, ObjectInputStream in)
	throws ClassNotFoundException, IOException, 
	       UnsupportedOperationException
    {
	if (readObjectMethod != null) {
	    try {
		readObjectMethod.invoke(obj, new Object[]{ in });
	    } catch (InvocationTargetException ex) {
		Throwable th = ex.getTargetException();
		if (th instanceof ClassNotFoundException) {
		    throw (ClassNotFoundException) th;
		} else if (th instanceof IOException) {
		    throw (IOException) th;
		} else {
		    throwMiscException(th);
		}
	    } catch (IllegalAccessException ex) {
		// should not occur, as access checks have been suppressed
		throw new InternalError();
	    }
	} else {
	    throw new UnsupportedOperationException();
	}
    }

    /**
     * Invokes the readObjectNoData method of the represented serializable
     * class.  Throws UnsupportedOperationException if this class descriptor is
     * not associated with a class, or if the class is externalizable,
     * non-serializable or does not define readObjectNoData.
     */
    void invokeReadObjectNoData(Object obj)
	throws IOException, UnsupportedOperationException
    {
	if (readObjectNoDataMethod != null) {
	    try {
		readObjectNoDataMethod.invoke(obj, new Object[0]);
	    } catch (InvocationTargetException ex) {
		Throwable th = ex.getTargetException();
		if (th instanceof ObjectStreamException) {
		    throw (ObjectStreamException) th;
		} else {
		    throwMiscException(th);
		}
	    } catch (IllegalAccessException ex) {
		// should not occur, as access checks have been suppressed
		throw new InternalError();
	    }
	} else {
	    throw new UnsupportedOperationException();
	}
    }

    /**
     * Invokes the writeReplace method of the represented serializable class and
     * returns the result.  Throws UnsupportedOperationException if this class
     * descriptor is not associated with a class, or if the class is
     * non-serializable or does not define writeReplace.
     */
    Object invokeWriteReplace(Object obj)
	throws IOException, UnsupportedOperationException
    {
	if (writeReplaceMethod != null) {
	    try {
		return writeReplaceMethod.invoke(obj, new Object[0]);
	    } catch (InvocationTargetException ex) {
		Throwable th = ex.getTargetException();
		if (th instanceof ObjectStreamException) {
		    throw (ObjectStreamException) th;
		} else {
		    throwMiscException(th);
		    throw new InternalError();	// never reached
		}
	    } catch (IllegalAccessException ex) {
		// should not occur, as access checks have been suppressed
		throw new InternalError();
	    }
	} else {
	    throw new UnsupportedOperationException();
	}
    }

    /**
     * Invokes the readResolve method of the represented serializable class and
     * returns the result.  Throws UnsupportedOperationException if this class
     * descriptor is not associated with a class, or if the class is
     * non-serializable or does not define readResolve.
     */
    Object invokeReadResolve(Object obj)
	throws IOException, UnsupportedOperationException
    {
	if (readResolveMethod != null) {
	    try {
		return readResolveMethod.invoke(obj, new Object[0]);
	    } catch (InvocationTargetException ex) {
		Throwable th = ex.getTargetException();
		if (th instanceof ObjectStreamException) {
		    throw (ObjectStreamException) th;
		} else {
		    throwMiscException(th);
		    throw new InternalError();	// never reached
		}
	    } catch (IllegalAccessException ex) {
		// should not occur, as access checks have been suppressed
		throw new InternalError();
	    }
	} else {
	    throw new UnsupportedOperationException();
	}
    }

    /**
     * Class representing the portion of an object's serialized form allotted
     * to data described by a given class descriptor.  If "hasData" is false,
     * the object's serialized form does not contain data associated with the
     * class descriptor.
     */
    /*KML
    static class ClassDataSlot {

	/** class descriptor "occupying" this slot *KML/
	final ObjectStreamClass desc;
	/** true if serialized form includes data for this slot's descriptor *KML/
	final boolean hasData;
	
	ClassDataSlot(ObjectStreamClass desc, boolean hasData) {
	    this.desc = desc;
	    this.hasData = hasData;
	}
    }
    KML*/

    /**
     * Returns array of ClassDataSlot instances representing the data layout
     * (including superclass data) for serialized objects described by this
     * class descriptor.  ClassDataSlots are ordered by inheritance with those
     * containing "higher" superclasses appearing first.  The final
     * ClassDataSlot contains a reference to this descriptor.
     */
    ClassDataSlot[] getClassDataLayout() throws InvalidClassException {
	// REMIND: synchronize instead of relying on volatile?
	if (dataLayout == null) {
	    dataLayout = getClassDataLayout0();
	}
	return dataLayout;
    }
    
    private ClassDataSlot[] getClassDataLayout0() 
	throws InvalidClassException 
    {
	ArrayList slots = new ArrayList();
	Class start = cl, end = cl;
	/*KML
	// locate closest non-serializable superclass
	while (end != null && Serializable.class.isAssignableFrom(end)) {
	    end = end.getSuperclass();
	}
	KML*/
	for (ObjectStreamClass d = this; d != null; d = d.superDesc) {
	    
	    // search up inheritance heirarchy for class with matching name
	    String searchName = (d.cl != null) ? d.cl.getName() : d.name;
	    Class match = null;
	    for (Class c = start; c != end; c = c.getSuperclass()) {
		if (searchName.equals(c.getName())) {
		    match = c;
		    break;
		}
	    }

	    // add "no data" slot for each unmatched class below match
	    if (match != null) {
		for (Class c = start; c != match; c = c.getSuperclass()) {
		    slots.add(new ClassDataSlot(
			ObjectStreamClass.lookup(c, true), false));
		}
		start = match.getSuperclass();
	    }
	    
	    // record descriptor/class pairing
	    slots.add(new ClassDataSlot(d.getVariantFor(match), true));
	}
	
	// add "no data" slot for any leftover unmatched classes
	for (Class c = start; c != end; c = c.getSuperclass()) {
	    slots.add(new ClassDataSlot(
		ObjectStreamClass.lookup(c, true), false));
	}

	// order slots from superclass -> subclass
	Collections.reverse(slots);
	return (ClassDataSlot[]) 
	    slots.toArray(new ClassDataSlot[slots.size()]);
    }
    
    /**
     * Returns aggregate size (in bytes) of marshalled primitive field values
     * for represented class.
     */
    int getPrimDataSize() {
	return primDataSize;
    }
    
    /**
     * Returns number of non-primitive serializable fields of represented
     * class.
     */
    int getNumObjFields() {
	return numObjFields;
    }
    
    /**
     * Fetches the serializable primitive field values of object obj and
     * marshals them into byte array buf starting at offset 0.  It is the
     * responsibility of the caller to ensure that obj is of the proper type if
     * non-null.
     */
    void getPrimFieldValues(Object obj, byte[] buf) {
	fieldRefl.getPrimFieldValues(obj, buf);
    }

    /**
     * Sets the serializable primitive fields of object obj using values
     * unmarshalled from byte array buf starting at offset 0.  It is the
     * responsibility of the caller to ensure that obj is of the proper type if
     * non-null.
     */
    void setPrimFieldValues(Object obj, byte[] buf) {
	fieldRefl.setPrimFieldValues(obj, buf);
    }
    
    /**
     * Fetches the serializable object field values of object obj and stores
     * them in array vals starting at offset 0.  It is the responsibility of
     * the caller to ensure that obj is of the proper type if non-null.
     */
    void getObjFieldValues(Object obj, Object[] vals) {
	fieldRefl.getObjFieldValues(obj, vals);
    }
    
    /**
     * Sets the serializable object fields of object obj using values from
     * array vals starting at offset 0.  It is the responsibility of the caller
     * to ensure that obj is of the proper type if non-null.
     */
    void setObjFieldValues(Object obj, Object[] vals) {
	fieldRefl.setObjFieldValues(obj, vals);
    }
    
    /**
     * Calculates and sets serializable field offsets, as well as primitive
     * data size and object field count totals.  Throws InvalidClassException
     * if fields are illegally ordered.
     */
    private void computeFieldOffsets() throws InvalidClassException {
	primDataSize = 0;
	numObjFields = 0;
	int firstObjIndex = -1;

	for (int i = 0; i < fields.length; i++) {
	    ObjectStreamField f = fields[i];
	    switch (f.getTypeCode()) {
		case 'Z':
		case 'B':
		    f.setOffset(primDataSize++);
		    break;

		case 'C':
		case 'S':
		    f.setOffset(primDataSize);
		    primDataSize += 2;
		    break;

		case 'I':
		case 'F':
		    f.setOffset(primDataSize);
		    primDataSize += 4;
		    break;

		case 'J':
		case 'D':
		    f.setOffset(primDataSize);
		    primDataSize += 8;
		    break;

		case '[':
		case 'L':
		    f.setOffset(numObjFields++);
		    if (firstObjIndex == -1) {
			firstObjIndex = i;
		    }
		    break;

		default:
		    throw new InternalError();
	    }
	}
	if (firstObjIndex != -1 && 
	    firstObjIndex + numObjFields != fields.length)
	{
	    throw new InvalidClassException(name, "illegal field order");
	}
    }
    
    /**
     * If given class is the same as the class associated with this class
     * descriptor, returns reference to this class descriptor.  Otherwise,
     * returns variant of this class descriptor bound to given class.
     */
    private ObjectStreamClass getVariantFor(Class cl) 
	throws InvalidClassException 
    {
	if (this.cl == cl) {
	    return this;
	}
	ObjectStreamClass desc = new ObjectStreamClass();
	if (isProxy) {
	    desc.initProxy(cl, null, superDesc);
	} else {
	    desc.initNonProxy(this, cl, null, superDesc);
	}
	return desc;
    }

    /**
     * Returns public no-arg constructor of given class, or null if none found.
     * Access checks are disabled on the returned constructor (if any), since
     * the defining class may still be non-public.
     */
    private static Constructor getExternalizableConstructor(Class cl) {
	try {
	    Constructor cons = cl.getDeclaredConstructor(new Class[0]);
	    cons.setAccessible(true);
	    return ((cons.getModifiers() & Modifier.PUBLIC) != 0) ? 
		cons : null;
	} catch (NoSuchMethodException ex) {
	    return null;
	}
    }

    /**
     * Returns subclass-accessible no-arg constructor of first non-serializable
     * superclass, or null if none found.  Access checks are disabled on the
     * returned constructor (if any).
     */
    private static Constructor getSerializableConstructor(Class cl) {
	Class initCl = cl;
	/*KML
	while (Serializable.class.isAssignableFrom(initCl)) {
	    if ((initCl = initCl.getSuperclass()) == null) {
		return null;
	    }
	}
	KML*/
	try {
	    Constructor cons = initCl.getDeclaredConstructor(new Class[0]);
	    int mods = cons.getModifiers();
	    if ((mods & Modifier.PRIVATE) != 0 ||
		((mods & (Modifier.PUBLIC | Modifier.PROTECTED)) == 0 &&
		 !packageEquals(cl, initCl)))
	    {
		return null;
	    }
	    cons = reflFactory.newConstructorForSerialization(cl, cons);
	    cons.setAccessible(true);
	    return cons;
	} catch (NoSuchMethodException ex) {
	    return null;
	}
    }

    /**
     * Returns non-static, non-abstract method with given signature provided it
     * is defined by or accessible (via inheritance) by the given class, or
     * null if no match found.  Access checks are disabled on the returned
     * method (if any).
     */
    private static Method getInheritableMethod(Class cl, String name,
					       Class[] argTypes,
					       Class returnType)
    {
	Method meth = null;
	Class defCl = cl;
	while (defCl != null) {
	    try {
		meth = defCl.getDeclaredMethod(name, argTypes);
		break;
	    } catch (NoSuchMethodException ex) {
		defCl = defCl.getSuperclass();
	    }
	}

	if ((meth == null) || (meth.getReturnType() != returnType)) {
	    return null;
	}
	meth.setAccessible(true);
	int mods = meth.getModifiers();
	if ((mods & (Modifier.STATIC | Modifier.ABSTRACT)) != 0) {
	    return null;
	} else if ((mods & (Modifier.PUBLIC | Modifier.PROTECTED)) != 0) {
	    return meth;
	} else if ((mods & Modifier.PRIVATE) != 0) {
	    return (cl == defCl) ? meth : null;
	} else {
	    return packageEquals(cl, defCl) ? meth : null;
	}
    }

    /**
     * Returns non-static private method with given signature defined by given
     * class, or null if none found.  Access checks are disabled on the
     * returned method (if any).
     */
    private static Method getPrivateMethod(Class cl, String name, 
					   Class[] argTypes,
					   Class returnType)
    {
	try {
	    Method meth = cl.getDeclaredMethod(name, argTypes);
	    meth.setAccessible(true);
	    int mods = meth.getModifiers();
	    return ((meth.getReturnType() == returnType) &&
		    ((mods & Modifier.STATIC) == 0) &&
		    ((mods & Modifier.PRIVATE) != 0)) ? meth : null;
	} catch (NoSuchMethodException ex) {
	    return null;
	}
    }

    /**
     * Returns true if classes are defined in the same runtime package, false
     * otherwise.
     */
    private static boolean packageEquals(Class cl1, Class cl2) {
	return (cl1.getClassLoader() == cl2.getClassLoader() &&
		getPackageName(cl1).equals(getPackageName(cl2)));
    }

    /**
     * Returns package name of given class.
     */
    private static String getPackageName(Class cl) {
	String s = cl.getName();
	int i = s.lastIndexOf('[');
	if (i >= 0) {
	    s = s.substring(i + 2);
	}
	i = s.lastIndexOf('.');
	return (i >= 0) ? s.substring(0, i) : "";
    }

    /**
     * Compares class names for equality, ignoring package names.  Returns true
     * if class names equal, false otherwise.
     */
    private static boolean classNamesEqual(String name1, String name2) {
	name1 = name1.substring(name1.lastIndexOf('.') + 1);
	name2 = name2.substring(name2.lastIndexOf('.') + 1);
	return name1.equals(name2);
    }
    
    /**
     * Returns JVM type signature for given class.
     */
    static String getClassSignature(Class cl) {
	StringBuffer sbuf = new StringBuffer();
	while (cl.isArray()) {
	    sbuf.append('[');
	    cl = cl.getComponentType();
	}
	if (cl.isPrimitive()) {
	    if (cl == Integer.TYPE) {
		sbuf.append('I');
	    } else if (cl == Byte.TYPE) {
		sbuf.append('B');
	    } else if (cl == Long.TYPE) {
		sbuf.append('J');
	    } else if (cl == Float.TYPE) {
		sbuf.append('F');
	    } else if (cl == Double.TYPE) {
		sbuf.append('D');
	    } else if (cl == Short.TYPE) {
		sbuf.append('S');
	    } else if (cl == Character.TYPE) {
		sbuf.append('C');
	    } else if (cl == Boolean.TYPE) {
		sbuf.append('Z');
	    } else if (cl == Void.TYPE) {
		sbuf.append('V');
	    } else {
		throw new InternalError();
	    }
	} else {
	    sbuf.append('L' + cl.getName().replace('.', '/') + ';');
	}
	return sbuf.toString();
    }

    /**
     * Returns JVM type signature for given list of parameters and return type.
     */
    private static String getMethodSignature(Class[] paramTypes, 
					     Class retType) 
    {
	StringBuffer sbuf = new StringBuffer();
	sbuf.append('(');
	for (int i = 0; i < paramTypes.length; i++) {
	    sbuf.append(getClassSignature(paramTypes[i]));
	}
	sbuf.append(')');
	sbuf.append(getClassSignature(retType));
	return sbuf.toString();
    }

    /**
     * Convenience method for throwing an exception that is either a
     * RuntimeException, Error, or of some unexpected type (in which case it is
     * wrapped inside an IOException).
     */
    private static void throwMiscException(Throwable th) throws IOException {
	if (th instanceof RuntimeException) {
	    throw (RuntimeException) th;
	} else if (th instanceof Error) {
	    throw (Error) th;
	} else {
	    IOException ex = new IOException("unexpected exception type");
	    ex.initCause(th);
	    throw ex;
	}
    }

    /**
     * Returns ObjectStreamField array describing the serializable fields of
     * the given class.  Serializable fields backed by an actual field of the
     * class are represented by ObjectStreamFields with corresponding non-null
     * Field objects.  Throws InvalidClassException if the (explicitly
     * declared) serializable fields are invalid.
     */
    private static ObjectStreamField[] getSerialFields(Class cl) 
	throws InvalidClassException
    {
	ObjectStreamField[] fields;
	/*KML
	if (Serializable.class.isAssignableFrom(cl) &&
	    !Externalizable.class.isAssignableFrom(cl) &&
	    !Proxy.isProxyClass(cl) &&
	    !cl.isInterface())
	{
	    if ((fields = getDeclaredSerialFields(cl)) == null) {
		fields = getDefaultSerialFields(cl);
	    }
	    Arrays.sort(fields);
	} else {
	    fields = NO_FIELDS;
	}
	KML*/
	return fields;
    }
    
    /**
     * Returns serializable fields of given class as defined explicitly by a
     * "serialPersistentFields" field, or null if no appropriate
     * "serialPersistendFields" field is defined.  Serializable fields backed
     * by an actual field of the class are represented by ObjectStreamFields
     * with corresponding non-null Field objects.  For compatibility with past
     * releases, a "serialPersistentFields" field with a null value is
     * considered equivalent to not declaring "serialPersistentFields".  Throws
     * InvalidClassException if the declared serializable fields are
     * invalid--e.g., if multiple fields share the same name.
     */
    private static ObjectStreamField[] getDeclaredSerialFields(Class cl) 
	throws InvalidClassException
    {
	ObjectStreamField[] serialPersistentFields = null;
	try {
	    Field f = cl.getDeclaredField("serialPersistentFields");
	    int mask = Modifier.PRIVATE | Modifier.STATIC | Modifier.FINAL;
	    if ((f.getModifiers() & mask) == mask) {
		f.setAccessible(true);
		serialPersistentFields = (ObjectStreamField[]) f.get(null);
	    }
	} catch (Exception ex) {
	}
	if (serialPersistentFields == null) {
	    return null;
	} else if (serialPersistentFields.length == 0) {
	    return NO_FIELDS;
	}
	
	ObjectStreamField[] boundFields = 
	    new ObjectStreamField[serialPersistentFields.length];
	Set fieldNames = new HashSet(serialPersistentFields.length);

	for (int i = 0; i < serialPersistentFields.length; i++) {
	    ObjectStreamField spf = serialPersistentFields[i];

	    String fname = spf.getName();
	    if (fieldNames.contains(fname)) {
		throw new InvalidClassException(
		    "multiple serializable fields named " + fname);
	    }
	    fieldNames.add(fname);

	    try {
		Field f = cl.getDeclaredField(fname);
		if ((f.getType() == spf.getType()) &&
		    ((f.getModifiers() & Modifier.STATIC) == 0))
		{
		    boundFields[i] = 
			new ObjectStreamField(f, spf.isUnshared(), true);
		}
	    } catch (NoSuchFieldException ex) {
	    }
	    if (boundFields[i] == null) {
		boundFields[i] = new ObjectStreamField(
		    fname, spf.getType(), spf.isUnshared());
	    }
	}
	return boundFields;
    }

    /**
     * Returns array of ObjectStreamFields corresponding to all non-static
     * non-transient fields declared by given class.  Each ObjectStreamField
     * contains a Field object for the field it represents.  If no default
     * serializable fields exist, NO_FIELDS is returned.
     */
    private static ObjectStreamField[] getDefaultSerialFields(Class cl) {
	Field[] clFields = cl.getDeclaredFields();
	ArrayList list = new ArrayList();
	int mask = Modifier.STATIC | Modifier.TRANSIENT;

	for (int i = 0; i < clFields.length; i++) {
	    if ((clFields[i].getModifiers() & mask) == 0) {
		list.add(new ObjectStreamField(clFields[i], false, true));
	    }
	}
	int size = list.size();
	return (size == 0) ? NO_FIELDS :
	    (ObjectStreamField[]) list.toArray(new ObjectStreamField[size]);
    }

    /**
     * Returns explicit serial version UID value declared by given class, or
     * null if none.
     */
    private static Long getDeclaredSUID(Class cl) {
	try {
	    Field f = cl.getDeclaredField("serialVersionUID");
	    int mask = Modifier.STATIC | Modifier.FINAL;
	    if ((f.getModifiers() & mask) == mask) {
		f.setAccessible(true);
		return new Long(f.getLong(null));
	    }
	} catch (Exception ex) {
	}
	return null;
    }

    /**
     * Computes the default serial version UID value for the given class.
     */
    private static long computeDefaultSUID(Class cl) {
	/*KML
	if (!Serializable.class.isAssignableFrom(cl) || Proxy.isProxyClass(cl))
	{
	    return 0L;
	}
	KML*/
	try {
	    ByteArrayOutputStream bout = new ByteArrayOutputStream();
	    DataOutputStream dout = new DataOutputStream(bout);

	    dout.writeUTF(cl.getName());
	    
	    int classMods = cl.getModifiers() &
		(Modifier.PUBLIC | Modifier.FINAL |
		 Modifier.INTERFACE | Modifier.ABSTRACT);

	    /*
	     * compensate for javac bug in which ABSTRACT bit was set for an
	     * interface only if the interface declared methods
	     */
	    Method[] methods = cl.getDeclaredMethods();
	    if ((classMods & Modifier.INTERFACE) != 0) {
		classMods = (methods.length > 0) ?
		    (classMods | Modifier.ABSTRACT) :
		    (classMods & ~Modifier.ABSTRACT);
	    }
	    dout.writeInt(classMods);
	    
	    if (!cl.isArray()) {
		/*
		 * compensate for change in 1.2FCS in which
		 * Class.getInterfaces() was modified to return Cloneable and
		 * Serializable for array classes.
		 */
		Class[] interfaces = cl.getInterfaces();
		String[] ifaceNames = new String[interfaces.length];
		for (int i = 0; i < interfaces.length; i++) {
		    ifaceNames[i] = interfaces[i].getName();
		}
		Arrays.sort(ifaceNames);
		for (int i = 0; i < ifaceNames.length; i++) {
		    dout.writeUTF(ifaceNames[i]);
		}
	    }
	    
	    Field[] fields = cl.getDeclaredFields();
	    MemberSignature[] fieldSigs = new MemberSignature[fields.length];
	    for (int i = 0; i < fields.length; i++) {
		fieldSigs[i] = new MemberSignature(fields[i]);
	    }
	    Arrays.sort(fieldSigs, new Comparator() {
		public int compare(Object o1, Object o2) {
		    String name1 = ((MemberSignature) o1).name;
		    String name2 = ((MemberSignature) o2).name;
		    return name1.compareTo(name2);
		}
	    });
	    for (int i = 0; i < fieldSigs.length; i++) {
		MemberSignature sig = fieldSigs[i];
		int mods = sig.member.getModifiers();
		if (((mods & Modifier.PRIVATE) == 0) ||
		    ((mods & (Modifier.STATIC | Modifier.TRANSIENT)) == 0))
		{
		    dout.writeUTF(sig.name);
		    dout.writeInt(mods);
		    dout.writeUTF(sig.signature);
		}
	    }
	    
	    if (hasStaticInitializer(cl)) {
		dout.writeUTF("");
		dout.writeInt(Modifier.STATIC);
		dout.writeUTF("()V");
	    }

	    Constructor[] cons = cl.getDeclaredConstructors();
	    MemberSignature[] consSigs = new MemberSignature[cons.length];
	    for (int i = 0; i < cons.length; i++) {
		consSigs[i] = new MemberSignature(cons[i]);
	    }
	    Arrays.sort(consSigs, new Comparator() {
		public int compare(Object o1, Object o2) {
		    String sig1 = ((MemberSignature) o1).signature;
		    String sig2 = ((MemberSignature) o2).signature;
		    return sig1.compareTo(sig2);
		}
	    });
	    for (int i = 0; i < consSigs.length; i++) {
		MemberSignature sig = consSigs[i];
		int mods = sig.member.getModifiers();
		if ((mods & Modifier.PRIVATE) == 0) {
		    dout.writeUTF("");
		    dout.writeInt(mods);
		    dout.writeUTF(sig.signature.replace('/', '.'));
		}
	    }
	    
	    MemberSignature[] methSigs = new MemberSignature[methods.length];
	    for (int i = 0; i < methods.length; i++) {
		methSigs[i] = new MemberSignature(methods[i]);
	    }
	    Arrays.sort(methSigs, new Comparator() {
		public int compare(Object o1, Object o2) {
		    MemberSignature ms1 = (MemberSignature) o1;
		    MemberSignature ms2 = (MemberSignature) o2;
		    int comp = ms1.name.compareTo(ms2.name);
		    if (comp == 0) {
			comp = ms1.signature.compareTo(ms2.signature);
		    }
		    return comp;
		}
	    });
	    for (int i = 0; i < methSigs.length; i++) {
		MemberSignature sig = methSigs[i];
		int mods = sig.member.getModifiers();
		if ((mods & Modifier.PRIVATE) == 0) {
		    dout.writeUTF(sig.name);
		    dout.writeInt(mods);
		    dout.writeUTF(sig.signature.replace('/', '.'));
		}
	    }

	    dout.flush();

	    MessageDigest md = MessageDigest.getInstance("SHA");
	    byte[] hashBytes = md.digest(bout.toByteArray());
	    long hash = 0;
	    for (int i = Math.min(hashBytes.length, 8) - 1; i >= 0; i--) {
		hash = (hash << 8) | (hashBytes[i] & 0xFF);
	    }
	    return hash;
	} catch (IOException ex) {
	    throw new InternalError();
	} catch (NoSuchAlgorithmException ex) {
	    throw new SecurityException(ex.getMessage());
	}
    }

    /**
     * Returns true if the given class defines a static initializer method,
     * false otherwise.
     */
    private native static boolean hasStaticInitializer(Class cl);

    /**
     * Class for computing and caching field/constructor/method signatures
     * during serialVersionUID calculation.
     */
    private static class MemberSignature {

	public final Member member;
	public final String name;
	public final String signature;
	
	public MemberSignature(Field field) {
	    member = field;
	    name = field.getName();
	    signature = getClassSignature(field.getType());
	}
	
	public MemberSignature(Constructor cons) {
	    member = cons;
	    name = cons.getName();
	    signature = getMethodSignature(
		cons.getParameterTypes(), Void.TYPE);
	}
	
	public MemberSignature(Method meth) {
	    member = meth;
	    name = meth.getName();
	    signature = getMethodSignature(
		meth.getParameterTypes(), meth.getReturnType());
	}
    }
    
    /**
     * Class for setting and retrieving serializable field values in batch.
     */
    // REMIND: dynamically generate these?
    private static class FieldReflector {
	
	/** handle for performing unsafe operations */
	private static final Unsafe unsafe = Unsafe.getUnsafe();

	/** fields to operate on */
	private final ObjectStreamField[] fields;
	/** number of primitive fields */
	private final int numPrimFields;
	/** unsafe field keys */
	private final long[] keys;
	/** field data offsets */
	private final int[] offsets;
	/** field type codes */
	private final char[] typeCodes;
	/** field types */
	private final Class[] types;

	/**
	 * Constructs FieldReflector capable of setting/getting values from the
	 * subset of fields whose ObjectStreamFields contain non-null
	 * reflective Field objects.  ObjectStreamFields with null Fields are
	 * treated as filler, for which get operations return default values
	 * and set operations discard given values.
	 */
	FieldReflector(ObjectStreamField[] fields) {
	    this.fields = fields;
	    int nfields = fields.length;
	    keys = new long[nfields];
	    offsets = new int[nfields];
	    typeCodes = new char[nfields];
	    ArrayList typeList = new ArrayList();
	    
	    for (int i = 0; i < nfields; i++) {
		ObjectStreamField f = fields[i];
		Field rf = f.getField();
		keys[i] = (rf != null) ? 
		    unsafe.objectFieldOffset(rf) : Unsafe.INVALID_FIELD_OFFSET;
		offsets[i] = f.getOffset();
		typeCodes[i] = f.getTypeCode();
		if (!f.isPrimitive()) {
		    typeList.add((rf != null) ? rf.getType() : null);
		}
	    }
	    
	    types = (Class[]) typeList.toArray(new Class[typeList.size()]);
	    numPrimFields = nfields - types.length;
	}

	/**
	 * Returns list of ObjectStreamFields representing fields operated on
	 * by this reflector.  The shared/unshared values and Field objects
	 * contained by ObjectStreamFields in the list reflect their bindings
	 * to locally defined serializable fields.
	 */
	ObjectStreamField[] getFields() {
	    return fields;
	}

	/**
	 * Fetches the serializable primitive field values of object obj and
	 * marshals them into byte array buf starting at offset 0.  The caller
	 * is responsible for ensuring that obj is of the proper type.
	 */
	void getPrimFieldValues(Object obj, byte[] buf) {
	    if (obj == null) {
		throw new NullPointerException();
	    }
	    /* assuming checkDefaultSerialize() has been called on the class
	     * descriptor this FieldReflector was obtained from, no field keys
	     * in array should be equal to Unsafe.INVALID_FIELD_OFFSET.
	     */
	    for (int i = 0; i < numPrimFields; i++) {
		long key = keys[i];
		int off = offsets[i];
		switch (typeCodes[i]) {
		    case 'Z':
			Bits.putBoolean(buf, off, unsafe.getBoolean(obj, key));
			break;

		    case 'B':
			buf[off] = unsafe.getByte(obj, key);
			break;

		    case 'C':
			Bits.putChar(buf, off, unsafe.getChar(obj, key));
			break;

		    case 'S':
			Bits.putShort(buf, off, unsafe.getShort(obj, key));
			break;

		    case 'I':
			Bits.putInt(buf, off, unsafe.getInt(obj, key));
			break;

		    case 'F':
			Bits.putFloat(buf, off, unsafe.getFloat(obj, key));
			break;

		    case 'J':
			Bits.putLong(buf, off, unsafe.getLong(obj, key));
			break;

		    case 'D':
			Bits.putDouble(buf, off, unsafe.getDouble(obj, key));
			break;

		    default:
			throw new InternalError();
		}
	    }
	}

	/**
	 * Sets the serializable primitive fields of object obj using values
	 * unmarshalled from byte array buf starting at offset 0.  The caller
	 * is responsible for ensuring that obj is of the proper type.
	 */
	void setPrimFieldValues(Object obj, byte[] buf) {
	    if (obj == null) {
		throw new NullPointerException();
	    }
	    for (int i = 0; i < numPrimFields; i++) {
		long key = keys[i];
		if (key == Unsafe.INVALID_FIELD_OFFSET) {
		    continue;		// discard value
		}
		int off = offsets[i];
		switch (typeCodes[i]) {
		    case 'Z':
			unsafe.putBoolean(obj, key, Bits.getBoolean(buf, off));
			break;

		    case 'B':
			unsafe.putByte(obj, key, buf[off]);
			break;

		    case 'C':
			unsafe.putChar(obj, key, Bits.getChar(buf, off));
			break;

		    case 'S':
			unsafe.putShort(obj, key, Bits.getShort(buf, off));
			break;

		    case 'I':
			unsafe.putInt(obj, key, Bits.getInt(buf, off));
			break;

		    case 'F':
			unsafe.putFloat(obj, key, Bits.getFloat(buf, off));
			break;

		    case 'J':
			unsafe.putLong(obj, key, Bits.getLong(buf, off));
			break;

		    case 'D':
			unsafe.putDouble(obj, key, Bits.getDouble(buf, off));
			break;

		    default:
			throw new InternalError();
		}
	    }
	}

	/**
	 * Fetches the serializable object field values of object obj and
	 * stores them in array vals starting at offset 0.  The caller is
	 * responsible for ensuring that obj is of the proper type.
	 */
	void getObjFieldValues(Object obj, Object[] vals) {
	    if (obj == null) {
		throw new NullPointerException();
	    }
	    /* assuming checkDefaultSerialize() has been called on the class
	     * descriptor this FieldReflector was obtained from, no field keys
	     * in array should be equal to Unsafe.INVALID_FIELD_OFFSET.
	     */
	    for (int i = numPrimFields; i < fields.length; i++) {
		switch (typeCodes[i]) {
		    case 'L':
		    case '[':
			vals[offsets[i]] = unsafe.getObject(obj, keys[i]);
			break;
			
		    default:
			throw new InternalError();
		}
	    }
	}

	/**
	 * Sets the serializable object fields of object obj using values from
	 * array vals starting at offset 0.  The caller is responsible for
	 * ensuring that obj is of the proper type; however, attempts to set a
	 * field with a value of the wrong type will trigger an appropriate
	 * ClassCastException.
	 */
	void setObjFieldValues(Object obj, Object[] vals) {
	    if (obj == null) {
		throw new NullPointerException();
	    }
	    for (int i = numPrimFields; i < fields.length; i++) {
		long key = keys[i];
		if (key == Unsafe.INVALID_FIELD_OFFSET) {
		    continue;		// discard value
		}
		switch (typeCodes[i]) {
		    case 'L':
		    case '[':
			Object val = vals[offsets[i]];
			if (val != null && 
			    !types[i - numPrimFields].isInstance(val))
			{
			    Field f = fields[i].getField();
			    throw new ClassCastException(
				"cannot assign instance of " + 
				val.getClass().getName() + " to field " +
				f.getDeclaringClass().getName() + "." +
				f.getName() + " of type " +
				f.getType().getName() + " in instance of " +
				obj.getClass().getName());
			}
			unsafe.putObject(obj, key, val);
			break;
			
		    default:
			throw new InternalError();
		}
	    }
	}
    }
    
    /**
     * Matches given set of serializable fields with serializable fields
     * described by the given local class descriptor, and returns a
     * FieldReflector instance capable of setting/getting values from the
     * subset of fields that match (non-matching fields are treated as filler,
     * for which get operations return default values and set operations
     * discard given values).  Throws InvalidClassException if unresolvable
     * type conflicts exist between the two sets of fields.
     */
    private static FieldReflector getReflector(ObjectStreamField[] fields,
					       ObjectStreamClass localDesc)
	throws InvalidClassException
    {
	// class irrelevant if no fields
	Class cl = (localDesc != null && fields.length > 0) ? 
	    localDesc.cl : null;
	Object key = new FieldReflectorKey(cl, fields);
	Object entry;
	EntryFuture future = null;
	
	synchronized (reflectors) {
	    if ((entry = reflectors.get(key)) == null) {
		reflectors.put(key, future = new EntryFuture());
	    }
	}
	
	if (entry instanceof FieldReflector) {	// check common case first
	    return (FieldReflector) entry;
	} else if (entry instanceof EntryFuture) {
	    entry = ((EntryFuture) entry).get();
	} else if (entry == null) {
	    try {
		entry = new FieldReflector(matchFields(fields, localDesc));
	    } catch (Throwable th) {
		entry = th;
	    }
	    future.set(entry);
	    synchronized (reflectors) {
		reflectors.put(key, entry);
	    }
	}
	
	if (entry instanceof FieldReflector) {
	    return (FieldReflector) entry;
	} else if (entry instanceof InvalidClassException) {
	    throw (InvalidClassException) entry;
	} else if (entry instanceof RuntimeException) {
	    throw (RuntimeException) entry;
	} else if (entry instanceof Error) {
	    throw (Error) entry;
	} else {
	    throw new InternalError("unexpected entry: " + entry);
	}
    }
    
    /**
     * FieldReflector cache lookup key.  Keys are considered equal if they
     * refer to the same class and equivalent field formats.
     */
    private static class FieldReflectorKey {
	
	private final Class cl;
	private final String sigs;
	private final int hash;
	
	FieldReflectorKey(Class cl, ObjectStreamField[] fields) {
	    /*
	     * Note: maintaining a direct reference to the class does not pin
	     * it indefinitely, since SoftCache removes strong refs to keys
	     * when the corresponding values are gc'ed.
	     */
	    this.cl = cl;

	    StringBuffer sbuf = new StringBuffer();
	    for (int i = 0; i < fields.length; i++) {
		ObjectStreamField f = fields[i];
		sbuf.append(f.getName()).append(f.getSignature());
	    }
	    sigs = sbuf.toString();
	    hash = System.identityHashCode(cl) + sigs.hashCode();
	}
	
	public int hashCode() {
	    return hash;
	}
	
	public boolean equals(Object obj) {
	    if (!(obj instanceof FieldReflectorKey)) {
		return false;
	    }
	    FieldReflectorKey key = (FieldReflectorKey) obj;
	    return (cl == key.cl && sigs.equals(key.sigs));
	}
    }
    
    /**
     * Matches given set of serializable fields with serializable fields
     * obtained from the given local class descriptor (which contain bindings
     * to reflective Field objects).  Returns list of ObjectStreamFields in
     * which each ObjectStreamField whose signature matches that of a local
     * field contains a Field object for that field; unmatched
     * ObjectStreamFields contain null Field objects.  Shared/unshared settings
     * of the returned ObjectStreamFields also reflect those of matched local
     * ObjectStreamFields.  Throws InvalidClassException if unresolvable type
     * conflicts exist between the two sets of fields.
     */
    private static ObjectStreamField[] matchFields(ObjectStreamField[] fields,
						   ObjectStreamClass localDesc)
	throws InvalidClassException
    {
	ObjectStreamField[] localFields = (localDesc != null) ?
	    localDesc.fields : NO_FIELDS;
	
	/*
	 * Even if fields == localFields, we cannot simply return localFields
	 * here.  In previous implementations of serialization,
	 * ObjectStreamField.getType() returned Object.class if the
	 * ObjectStreamField represented a non-primitive field and belonged to
	 * a non-local class descriptor.  To preserve this (questionable)
	 * behavior, the ObjectStreamField instances returned by matchFields
	 * cannot report non-primitive types other than Object.class; hence
	 * localFields cannot be returned directly.
	 */
	
	ObjectStreamField[] matches = new ObjectStreamField[fields.length];
	for (int i = 0; i < fields.length; i++) {
	    ObjectStreamField f = fields[i], m = null;
	    for (int j = 0; j < localFields.length; j++) {
		ObjectStreamField lf = localFields[j];
		if (f.getName().equals(lf.getName())) {
		    if ((f.isPrimitive() || lf.isPrimitive()) &&
			f.getTypeCode() != lf.getTypeCode())
		    {
			throw new InvalidClassException(localDesc.name,
			    "incompatible types for field " + f.getName());
		    }
		    if (lf.getField() != null) {
			m = new ObjectStreamField(
			    lf.getField(), lf.isUnshared(), false);
		    } else {
			m = new ObjectStreamField(
			    lf.getName(), lf.getSignature(), lf.isUnshared());
		    }
		}
	    }
	    if (m == null) {
		m = new ObjectStreamField(
		    f.getName(), f.getSignature(), false);
	    }
	    m.setOffset(f.getOffset());
	    matches[i] = m;
	}
	return matches;
    }
}
why-2.34/lib/java_api/java/io/FilterOutputStream.java0000644000175000017500000001204012311670312021147 0ustar  rtusers/*
 * @(#)FilterOutputStream.java	1.30 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/**
 * This class is the superclass of all classes that filter output 
 * streams. These streams sit on top of an already existing output 
 * stream (the underlying output stream) which it uses as its 
 * basic sink of data, but possibly transforming the data along the 
 * way or providing additional functionality. 
 * 
    
 * The class FilterOutputStream itself simply overrides 
 * all methods of OutputStream with versions that pass 
 * all requests to the underlying output stream. Subclasses of 
 * FilterOutputStream may further override some of these 
 * methods as well as provide additional methods and fields. 
 *
 * @author  Jonathan Payne
 * @version 1.30, 01/23/03
 * @since   JDK1.0
 */
public
class FilterOutputStream extends OutputStream {
    /**
     * The underlying output stream to be filtered. 
     */
    protected OutputStream out;

    /**
     * Creates an output stream filter built on top of the specified 
     * underlying output stream. 
     *
     * @param   out   the underlying output stream to be assigned to 
     *                the field this.out for later use, or 
     *                null if this instance is to be 
     *                created without an underlying stream.
     */
    public FilterOutputStream(OutputStream out) {
	this.out = out;
    }

    /**
     * Writes the specified byte to this output stream. 
     * 
    
     * The write method of FilterOutputStream 
     * calls the write method of its underlying output stream, 
     * that is, it performs out.write(b).
     * 
    
     * Implements the abstract write method of OutputStream. 
     *
     * @param      b   the byte.
     * @exception  IOException  if an I/O error occurs.
     */
    public void write(int b) throws IOException {
	out.write(b);
    }

    /**
     * Writes b.length bytes to this output stream. 
     * 
    
     * The write method of FilterOutputStream 
     * calls its write method of three arguments with the 
     * arguments b, 0, and 
     * b.length. 
     * 
    
     * Note that this method does not call the one-argument 
     * write method of its underlying stream with the single 
     * argument b. 
     *
     * @param      b   the data to be written.
     * @exception  IOException  if an I/O error occurs.
     * @see        java.io.FilterOutputStream#write(byte[], int, int)
     */
    public void write(byte b[]) throws IOException {
	write(b, 0, b.length);
    }

    /**
     * Writes len bytes from the specified 
     * byte array starting at offset off to 
     * this output stream. 
     * 
    
     * The write method of FilterOutputStream 
     * calls the write method of one argument on each 
     * byte to output. 
     * 
    
     * Note that this method does not call the write method 
     * of its underlying input stream with the same arguments. Subclasses 
     * of FilterOutputStream should provide a more efficient 
     * implementation of this method. 
     *
     * @param      b     the data.
     * @param      off   the start offset in the data.
     * @param      len   the number of bytes to write.
     * @exception  IOException  if an I/O error occurs.
     * @see        java.io.FilterOutputStream#write(int)
     */
    public void write(byte b[], int off, int len) throws IOException {
	if ((off | len | (b.length - (len + off)) | (off + len)) < 0)
	    throw new IndexOutOfBoundsException();

	for (int i = 0 ; i < len ; i++) {
	    write(b[off + i]);
	}
    }

    /**
     * Flushes this output stream and forces any buffered output bytes 
     * to be written out to the stream. 
     * 
    
     * The flush method of FilterOutputStream 
     * calls the flush method of its underlying output stream. 
     *
     * @exception  IOException  if an I/O error occurs.
     * @see        java.io.FilterOutputStream#out
     */
    public void flush() throws IOException {
	out.flush();
    }

    /**
     * Closes this output stream and releases any system resources 
     * associated with the stream. 
     * 
    
     * The close method of FilterOutputStream 
     * calls its flush method, and then calls the 
     * close method of its underlying output stream. 
     *
     * @exception  IOException  if an I/O error occurs.
     * @see        java.io.FilterOutputStream#flush()
     * @see        java.io.FilterOutputStream#out
     */
    public void close() throws IOException {
	try {
	  flush();
	} catch (IOException ignored) {
	}
	out.close();
    }
}
why-2.34/lib/java_api/java/io/FileNotFoundException.java0000644000175000017500000000361412311670312021547 0ustar  rtusers/*
 * @(#)FileNotFoundException.java	1.22 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;


/**
 * Signals that an attempt to open the file denoted by a specified pathname
 * has failed.
 *
 * 
     This exception will be thrown by the {@link FileInputStream}, {@link
 * FileOutputStream}, and {@link RandomAccessFile} constructors when a file
 * with the specified pathname does not exist.  It will also be thrown by these
 * constructors if the file does exist but for some reason is inaccessible, for
 * example when an attempt is made to open a read-only file for writing.
 *
 * @author  unascribed
 * @version 1.22, 01/23/03
 * @since   JDK1.0
 */

public class FileNotFoundException extends IOException {

    /**
     * Constructs a FileNotFoundException with
     * null as its error detail message.
     */
    public FileNotFoundException() {
	super();
    }

    /**
     * Constructs a FileNotFoundException with the
     * specified detail message. The string s can be
     * retrieved later by the
     * {@link java.lang.Throwable#getMessage}
     * method of class java.lang.Throwable.
     *
     * @param   s   the detail message.
     */
    public FileNotFoundException(String s) {
	super(s);
    }

    /**
     * Constructs a FileNotFoundException with a detail message
     * consisting of the given pathname string followed by the given reason
     * string.  If the reason argument is null then
     * it will be omitted.  This private constructor is invoked only by native
     * I/O methods.
     *
     * @since 1.2
     */
    private FileNotFoundException(String path, String reason) {
	super(path + ((reason == null)
		      ? ""
		      : " (" + reason + ")"));
    }

}
why-2.34/lib/java_api/java/io/OutputStream.java0000644000175000017500000001173212311670312020010 0ustar  rtusers/*
 * @(#)OutputStream.java	1.25 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/**
 * This abstract class is the superclass of all classes representing 
 * an output stream of bytes. An output stream accepts output bytes 
 * and sends them to some sink.
 * 
    
 * Applications that need to define a subclass of 
 * OutputStream must always provide at least a method 
 * that writes one byte of output. 
 *
 * @author  Arthur van Hoff
 * @version 1.25, 01/23/03
 * @see     java.io.BufferedOutputStream
 * @see     java.io.ByteArrayOutputStream
 * @see     java.io.DataOutputStream
 * @see     java.io.FilterOutputStream
 * @see     java.io.InputStream
 * @see     java.io.OutputStream#write(int)
 * @since   JDK1.0
 */
public abstract class OutputStream {
    /**
     * Writes the specified byte to this output stream. The general 
     * contract for write is that one byte is written 
     * to the output stream. The byte to be written is the eight 
     * low-order bits of the argument b. The 24 
     * high-order bits of b are ignored.
     * 
    
     * Subclasses of OutputStream must provide an 
     * implementation for this method. 
     *
     * @param      b   the byte.
     * @exception  IOException  if an I/O error occurs. In particular, 
     *             an IOException may be thrown if the 
     *             output stream has been closed.
     */
    public abstract void write(int b) throws IOException;

    /**
     * Writes b.length bytes from the specified byte array 
     * to this output stream. The general contract for write(b) 
     * is that it should have exactly the same effect as the call 
     * write(b, 0, b.length).
     *
     * @param      b   the data.
     * @exception  IOException  if an I/O error occurs.
     * @see        java.io.OutputStream#write(byte[], int, int)
     */
    public void write(byte b[]) throws IOException {
	write(b, 0, b.length);
    }

    /**
     * Writes len bytes from the specified byte array 
     * starting at offset off to this output stream. 
     * The general contract for write(b, off, len) is that 
     * some of the bytes in the array b are written to the 
     * output stream in order; element b[off] is the first 
     * byte written and b[off+len-1] is the last byte written 
     * by this operation.
     * 
    
     * The write method of OutputStream calls 
     * the write method of one argument on each of the bytes to be 
     * written out. Subclasses are encouraged to override this method and 
     * provide a more efficient implementation. 
     * 
    
     * If b is null, a 
     * NullPointerException is thrown.
     * 
    
     * If off is negative, or len is negative, or 
     * off+len is greater than the length of the array 
     * b, then an IndexOutOfBoundsException is thrown.
     *
     * @param      b     the data.
     * @param      off   the start offset in the data.
     * @param      len   the number of bytes to write.
     * @exception  IOException  if an I/O error occurs. In particular, 
     *             an IOException is thrown if the output 
     *             stream is closed.
     */
    public void write(byte b[], int off, int len) throws IOException {
	if (b == null) {
	    throw new NullPointerException();
	} else if ((off < 0) || (off > b.length) || (len < 0) ||
		   ((off + len) > b.length) || ((off + len) < 0)) {
	    throw new IndexOutOfBoundsException();
	} else if (len == 0) {
	    return;
	}
	for (int i = 0 ; i < len ; i++) {
	    write(b[off + i]);
	}
    }

    /**
     * Flushes this output stream and forces any buffered output bytes 
     * to be written out. The general contract of flush is 
     * that calling it is an indication that, if any bytes previously 
     * written have been buffered by the implementation of the output 
     * stream, such bytes should immediately be written to their 
     * intended destination.
     * 
    
     * The flush method of OutputStream does nothing.
     *
     * @exception  IOException  if an I/O error occurs.
     */
    public void flush() throws IOException {
    }

    /**
     * Closes this output stream and releases any system resources 
     * associated with this stream. The general contract of close 
     * is that it closes the output stream. A closed stream cannot perform 
     * output operations and cannot be reopened.
     * 
    
     * The close method of OutputStream does nothing.
     *
     * @exception  IOException  if an I/O error occurs.
     */
    public void close() throws IOException {
    }

}
why-2.34/lib/java_api/java/io/OutputStreamWriter.java0000644000175000017500000001520412311670312021203 0ustar  rtusers/*
 * @(#)OutputStreamWriter.java	1.45 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

//KML import java.nio.charset.Charset;
//KML import java.nio.charset.CharsetEncoder;
//KML import sun.nio.cs.StreamEncoder;


/**
 * An OutputStreamWriter is a bridge from character streams to byte streams:
 * Characters written to it are encoded into bytes using a specified {@link
 * java.nio.charset.Charset charset}.  The charset that it uses
 * may be specified by name or may be given explicitly, or the platform's
 * default charset may be accepted.
 *
 * 
     Each invocation of a write() method causes the encoding converter to be
 * invoked on the given character(s).  The resulting bytes are accumulated in a
 * buffer before being written to the underlying output stream.  The size of
 * this buffer may be specified, but by default it is large enough for most
 * purposes.  Note that the characters passed to the write() methods are not
 * buffered.
 *
 * 
     For top efficiency, consider wrapping an OutputStreamWriter within a
 * BufferedWriter so as to avoid frequent converter invocations.  For example:
 *
 * 
     * Writer out
 *   = new BufferedWriter(new OutputStreamWriter(System.out));
 * 
    
 *
 * 
     A surrogate pair is a character represented by a sequence of two
 * char values: A high surrogate in the range '\uD800' to
 * '\uDBFF' followed by a low surrogate in the range '\uDC00' to
 * '\uDFFF'.  If the character represented by a surrogate pair cannot be
 * encoded by a given charset then a charset-dependent substitution
 * sequence is written to the output stream.
 *
 * 
     A malformed surrogate element is a high surrogate that is not
 * followed by a low surrogate or a low surrogate that is not preceeded by a
 * high surrogate.  It is illegal to attempt to write a character stream
 * containing malformed surrogate elements.  The behavior of an instance of
 * this class when a malformed surrogate element is written is not specified.
 *
 * @see BufferedWriter
 * @see OutputStream
 * @see java.nio.charset.Charset
 *
 * @version 	1.45, 03/01/23
 * @author	Mark Reinhold
 * @since	JDK1.1
 */

public class OutputStreamWriter extends Writer {

    private final StreamEncoder se;

    /**
     * Create an OutputStreamWriter that uses the named charset.
     *
     * @param  out
     *         An OutputStream
     *
     * @param  charsetName
     *         The name of a supported
     *         {@link java.nio.charset.Charset charset}
     *
     * @exception  UnsupportedEncodingException
     *             If the named encoding is not supported
     */
    public OutputStreamWriter(OutputStream out, String charsetName)
	throws UnsupportedEncodingException
    {
	super(out);
	if (charsetName == null)
	    throw new NullPointerException("charsetName");
	se = StreamEncoder.forOutputStreamWriter(out, this, charsetName);
    }

    /**
     * Create an OutputStreamWriter that uses the default character encoding.
     *
     * @param  out  An OutputStream
     */
    public OutputStreamWriter(OutputStream out) {
	super(out);
	try {
	    se = StreamEncoder.forOutputStreamWriter(out, this, (String)null);
	} catch (UnsupportedEncodingException e) {
	    throw new Error(e);
        }
    }

    /**
     * Create an OutputStreamWriter that uses the given charset. 
    
     *
     * @param  out
     *         An OutputStream
     *
     * @param  cs
     *         A charset
     *
     * @since 1.4
     * @spec JSR-51
     */
    public OutputStreamWriter(OutputStream out, Charset cs) {
	super(out);
	if (cs == null)
	    throw new NullPointerException("charset");
	se = StreamEncoder.forOutputStreamWriter(out, this, cs);
    }

    /**
     * Create an OutputStreamWriter that uses the given charset encoder.  
    
     *
     * @param  out
     *         An OutputStream
     *
     * @param  enc
     *         A charset encoder
     *
     * @since 1.4
     * @spec JSR-51
     */
    public OutputStreamWriter(OutputStream out, CharsetEncoder enc) {
	super(out);
	if (enc == null)
	    throw new NullPointerException("charset encoder");
	se = StreamEncoder.forOutputStreamWriter(out, this, enc);
    }

    /**
     * Return the name of the character encoding being used by this stream.
     *
     * 
     If the encoding has an historical name then that name is returned;
     * otherwise the encoding's canonical name is returned.
     *
     * 
     If this instance was created with the {@link
     * #OutputStreamWriter(OutputStream, String)} constructor then the returned
     * name, being unique for the encoding, may differ from the name passed to
     * the constructor.  This method may return null if the stream has
     * been closed. 
    
     *
     * @return The historical name of this encoding, or possibly
     *         null if the stream has been closed
     *
     * @see java.nio.charset.Charset
     *
     * @revised 1.4
     * @spec JSR-51
     */
    public String getEncoding() {
	return se.getEncoding();
    }



    /**
     * Flush the output buffer to the underlying byte stream, without flushing
     * the byte stream itself.  This method is non-private only so that it may
     * be invoked by PrintStream.
     */
    void flushBuffer() throws IOException {
	se.flushBuffer();
    }

    /**
     * Write a single character.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void write(int c) throws IOException {
	se.write(c);
    }

    /**
     * Write a portion of an array of characters.
     *
     * @param  cbuf  Buffer of characters
     * @param  off   Offset from which to start writing characters
     * @param  len   Number of characters to write
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void write(char cbuf[], int off, int len) throws IOException {
	se.write(cbuf, off, len);
    }

    /**
     * Write a portion of a string.
     *
     * @param  str  A String
     * @param  off  Offset from which to start writing characters
     * @param  len  Number of characters to write
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void write(String str, int off, int len) throws IOException {
	se.write(str, off, len);
    }

    /**
     * Flush the stream.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void flush() throws IOException {
	se.flush();
    }

    /**
     * Close the stream.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void close() throws IOException {
	se.close();
    }

}
why-2.34/lib/java_api/java/io/FileReader.java0000644000175000017500000000405512311670312017336 0ustar  rtusers/*
 * @(#)FileReader.java	1.14 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;


/**
 * Convenience class for reading character files.  The constructors of this
 * class assume that the default character encoding and the default byte-buffer
 * size are appropriate.  To specify these values yourself, construct an
 * InputStreamReader on a FileInputStream.
 *
 * 
    FileReader is meant for reading streams of characters.
 * For reading streams of raw bytes, consider using a
 * FileInputStream.
 *
 * @see InputStreamReader
 * @see FileInputStream
 *
 * @version 	1.14, 03/01/23
 * @author	Mark Reinhold
 * @since	JDK1.1
 */
public class FileReader extends InputStreamReader {

   /**
    * Creates a new FileReader, given the name of the
    * file to read from.
    *
    * @param fileName the name of the file to read from
    * @exception  FileNotFoundException  if the named file does not exist,
    *                   is a directory rather than a regular file,
    *                   or for some other reason cannot be opened for
    *                   reading.
    */
    public FileReader(String fileName) throws FileNotFoundException {
	super(new FileInputStream(fileName));
    }

   /**
    * Creates a new FileReader, given the File 
    * to read from.
    *
    * @param file the File to read from
    * @exception  FileNotFoundException  if the file does not exist,
    *                   is a directory rather than a regular file,
    *                   or for some other reason cannot be opened for
    *                   reading.
    */
    public FileReader(File file) throws FileNotFoundException {
	super(new FileInputStream(file));
    }

   /**
    * Creates a new FileReader, given the 
    * FileDescriptor to read from.
    *
    * @param fd the FileDescriptor to read from
    */
    public FileReader(FileDescriptor fd) {
	super(new FileInputStream(fd));
    }

}

why-2.34/lib/java_api/java/io/FileDescriptor.java0000644000175000017500000000753112311670312020254 0ustar  rtusers/*
 * @(#)FileDescriptor.java	1.20 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/**
 * Instances of the file descriptor class serve as an opaque handle
 * to the underlying machine-specific structure representing an open
 * file, an open socket, or another source or sink of bytes. The
 * main practical use for a file descriptor is to create a
 * FileInputStream or FileOutputStream to
 * contain it.
 * 
    
 * Applications should not create their own file descriptors.
 *
 * @author  Pavani Diwanji
 * @version 1.20, 01/23/03
 * @see	    java.io.FileInputStream
 * @see	    java.io.FileOutputStream
 * @since   JDK1.0
 */
public final class FileDescriptor {

    private int fd;

    /**
     * Constructs an (invalid) FileDescriptor
     * object.
     */
    public /**/ FileDescriptor() {
	fd = -1;
    }

    private /* */ FileDescriptor(int fd) {
	this.fd = fd;
    }

    /**
     * A handle to the standard input stream. Usually, this file
     * descriptor is not used directly, but rather via the input stream
     * known as System.in.
     *
     * @see     java.lang.System#in
     */
    public static final FileDescriptor in = new FileDescriptor(0);

    /**
     * A handle to the standard output stream. Usually, this file
     * descriptor is not used directly, but rather via the output stream
     * known as System.out.
     * @see     java.lang.System#out
     */
    public static final FileDescriptor out = new FileDescriptor(1);

    /**
     * A handle to the standard error stream. Usually, this file
     * descriptor is not used directly, but rather via the output stream
     * known as System.err.
     *
     * @see     java.lang.System#err
     */
    public static final FileDescriptor err = new FileDescriptor(2);

    /**
     * Tests if this file descriptor object is valid.
     *
     * @return  true if the file descriptor object represents a
     *          valid, open file, socket, or other active I/O connection;
     *          false otherwise.
     */
    public boolean valid() {
	return fd != -1;
    }

    /**
     * Force all system buffers to synchronize with the underlying
     * device.  This method returns after all modified data and
     * attributes of this FileDescriptor have been written to the
     * relevant device(s).  In particular, if this FileDescriptor
     * refers to a physical storage medium, such as a file in a file
     * system, sync will not return until all in-memory modified copies
     * of buffers associated with this FileDesecriptor have been
     * written to the physical medium.
     *
     * sync is meant to be used by code that requires physical
     * storage (such as a file) to be in a known state  For
     * example, a class that provided a simple transaction facility
     * might use sync to ensure that all changes to a file caused
     * by a given transaction were recorded on a storage medium.
     *
     * sync only affects buffers downstream of this FileDescriptor.  If
     * any in-memory buffering is being done by the application (for
     * example, by a BufferedOutputStream object), those buffers must
     * be flushed into the FileDescriptor (for example, by invoking
     * OutputStream.flush) before that data will be affected by sync.
     *
     * @exception SyncFailedException
     *	      Thrown when the buffers cannot be flushed,
     *	      or because the system cannot guarantee that all the
     *	      buffers have been synchronized with physical media.
     * @since     JDK1.1
     */
    public native void sync() throws SyncFailedException;

    /* This routine initializes JNI field offsets for the class */
    private static native void initIDs();

    static {
	initIDs();
    }
}
why-2.34/lib/java_api/java/io/Reader.java0000644000175000017500000001614412311670312016540 0ustar  rtusers/*
 * @(#)Reader.java	1.24 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;


/**
 * Abstract class for reading character streams.  The only methods that a
 * subclass must implement are read(char[], int, int) and close().  Most
 * subclasses, however, will override some of the methods defined here in order
 * to provide higher efficiency, additional functionality, or both.
 *
 * 
 * @see BufferedReader
 * @see   LineNumberReader
 * @see CharArrayReader
 * @see InputStreamReader
 * @see   FileReader
 * @see FilterReader
 * @see   PushbackReader
 * @see PipedReader
 * @see StringReader
 * @see Writer
 *
 * @version 	1.24, 03/01/23
 * @author	Mark Reinhold
 * @since	JDK1.1
 */

public abstract class Reader {

    /**
     * The object used to synchronize operations on this stream.  For
     * efficiency, a character-stream object may use an object other than
     * itself to protect critical sections.  A subclass should therefore use
     * the object in this field rather than this or a synchronized
     * method.
     */
    protected Object lock;

    /**
     * Create a new character-stream reader whose critical sections will
     * synchronize on the reader itself.
     */
    protected Reader() {
	this.lock = this;
    }

    /**
     * Create a new character-stream reader whose critical sections will
     * synchronize on the given object.
     *
     * @param lock  The Object to synchronize on.
     */
    protected Reader(Object lock) {
	if (lock == null) {
	    throw new NullPointerException();
	}
	this.lock = lock;
    }

    /**
     * Read a single character.  This method will block until a character is
     * available, an I/O error occurs, or the end of the stream is reached.
     *
     * 
     Subclasses that intend to support efficient single-character input
     * should override this method.
     *
     * @return     The character read, as an integer in the range 0 to 65535
     *             (0x00-0xffff), or -1 if the end of the stream has
     *             been reached
     *
     * @exception  IOException  If an I/O error occurs
     */
    public int read() throws IOException {
	char cb[] = new char[1];
	if (read(cb, 0, 1) == -1)
	    return -1;
	else
	    return cb[0];
    }

    /**
     * Read characters into an array.  This method will block until some input
     * is available, an I/O error occurs, or the end of the stream is reached.
     *
     * @param       cbuf  Destination buffer
     *
     * @return      The number of characters read, or -1 
     *              if the end of the stream
     *              has been reached
     *
     * @exception   IOException  If an I/O error occurs
     */
    public int read(char cbuf[]) throws IOException {
	return read(cbuf, 0, cbuf.length);
    }

    /**
     * Read characters into a portion of an array.  This method will block
     * until some input is available, an I/O error occurs, or the end of the
     * stream is reached.
     *
     * @param      cbuf  Destination buffer
     * @param      off   Offset at which to start storing characters
     * @param      len   Maximum number of characters to read
     *
     * @return     The number of characters read, or -1 if the end of the
     *             stream has been reached
     *
     * @exception  IOException  If an I/O error occurs
     */
    abstract public int read(char cbuf[], int off, int len) throws IOException;

    /** Maximum skip-buffer size */
    private static final int maxSkipBufferSize = 8192;

    /** Skip buffer, null until allocated */
    private char skipBuffer[] = null;

    /**
     * Skip characters.  This method will block until some characters are
     * available, an I/O error occurs, or the end of the stream is reached.
     *
     * @param  n  The number of characters to skip
     *
     * @return    The number of characters actually skipped
     *
     * @exception  IllegalArgumentException  If n is negative.
     * @exception  IOException  If an I/O error occurs
     */
    public long skip(long n) throws IOException {
	if (n < 0L) 
	    throw new IllegalArgumentException("skip value is negative");
	int nn = (int) Math.min(n, maxSkipBufferSize);
	synchronized (lock) {
	    if ((skipBuffer == null) || (skipBuffer.length < nn))
		skipBuffer = new char[nn];
	    long r = n;
	    while (r > 0) {
		int nc = read(skipBuffer, 0, (int)Math.min(r, nn));
		if (nc == -1)
		    break;
		r -= nc;
	    }
	    return n - r;
	}
    }

    /**
     * Tell whether this stream is ready to be read.
     *
     * @return True if the next read() is guaranteed not to block for input,
     * false otherwise.  Note that returning false does not guarantee that the
     * next read will block.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public boolean ready() throws IOException {
	return false;
    }

    /**
     * Tell whether this stream supports the mark() operation. The default
     * implementation always returns false. Subclasses should override this
     * method.
     *
     * @return true if and only if this stream supports the mark operation.
     */
    public boolean markSupported() {
	return false;
    }

    /**
     * Mark the present position in the stream.  Subsequent calls to reset()
     * will attempt to reposition the stream to this point.  Not all
     * character-input streams support the mark() operation.
     *
     * @param  readAheadLimit  Limit on the number of characters that may be
     *                         read while still preserving the mark.  After
     *                         reading this many characters, attempting to
     *                         reset the stream may fail.
     *
     * @exception  IOException  If the stream does not support mark(),
     *                          or if some other I/O error occurs
     */
    public void mark(int readAheadLimit) throws IOException {
	throw new IOException("mark() not supported");
    }

    /**
     * Reset the stream.  If the stream has been marked, then attempt to
     * reposition it at the mark.  If the stream has not been marked, then
     * attempt to reset it in some way appropriate to the particular stream,
     * for example by repositioning it to its starting point.  Not all
     * character-input streams support the reset() operation, and some support
     * reset() without supporting mark().
     *
     * @exception  IOException  If the stream has not been marked,
     *                          or if the mark has been invalidated,
     *                          or if the stream does not support reset(),
     *                          or if some other I/O error occurs
     */
    public void reset() throws IOException {
	throw new IOException("reset() not supported");
    }

    /**
     * Close the stream.  Once a stream has been closed, further read(),
     * ready(), mark(), or reset() invocations will throw an IOException.
     * Closing a previously-closed stream, however, has no effect.
     *
     * @exception  IOException  If an I/O error occurs
     */
     abstract public void close() throws IOException;

}
why-2.34/lib/java_api/java/io/File.java0000644000175000017500000017435112311670312016222 0ustar  rtusers/*
 * @(#)File.java	1.113 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/*KML
import java.net.URI;
import java.net.URL;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Map;
import java.util.Hashtable;
import java.util.Random;
import java.security.AccessController;
import java.security.AccessControlException;
import sun.security.action.GetPropertyAction;
KML*/

/**
 * An abstract representation of file and directory pathnames.
 *
 * 
     User interfaces and operating systems use system-dependent pathname
 * strings to name files and directories.  This class presents an
 * abstract, system-independent view of hierarchical pathnames.  An
 * abstract pathname has two components:
 *
 * 
      
 * 
    1.  An optional system-dependent prefix string,
 *      such as a disk-drive specifier, "/" for the UNIX root
 *      directory, or "\\" for a Microsoft Windows UNC pathname, and
 * 
    2.  A sequence of zero or more string names.
 * 
    
 *
 * Each name in an abstract pathname except for the last denotes a directory;
 * the last name may denote either a directory or a file.  The empty
 * abstract pathname has no prefix and an empty name sequence.
 *
 * 
     The conversion of a pathname string to or from an abstract pathname is
 * inherently system-dependent.  When an abstract pathname is converted into a
 * pathname string, each name is separated from the next by a single copy of
 * the default separator character.  The default name-separator
 * character is defined by the system property file.separator, and
 * is made available in the public static fields {@link
 * #separator} and {@link #separatorChar} of this class.
 * When a pathname string is converted into an abstract pathname, the names
 * within it may be separated by the default name-separator character or by any
 * other name-separator character that is supported by the underlying system.
 *
 * 
     A pathname, whether abstract or in string form, may be either
 * absolute or relative.  An absolute pathname is complete in
 * that no other information is required in order to locate the file that it
 * denotes.  A relative pathname, in contrast, must be interpreted in terms of
 * information taken from some other pathname.  By default the classes in the
 * java.io package always resolve relative pathnames against the
 * current user directory.  This directory is named by the system property
 * user.dir, and is typically the directory in which the Java
 * virtual machine was invoked.
 *
 * 
     The prefix concept is used to handle root directories on UNIX platforms,
 * and drive specifiers, root directories and UNC pathnames on Microsoft Windows platforms,
 * as follows:
 *
 * 
      
 *
 * 
    •  For UNIX platforms, the prefix of an absolute pathname is always
 * "/".  Relative pathnames have no prefix.  The abstract pathname
 * denoting the root directory has the prefix "/" and an empty
 * name sequence.
 *
 * 
    •  For Microsoft Windows platforms, the prefix of a pathname that contains a drive
 * specifier consists of the drive letter followed by ":" and
 * possibly followed by "\" if the pathname is absolute.  The
 * prefix of a UNC pathname is "\\"; the hostname and the share
 * name are the first two names in the name sequence.  A relative pathname that
 * does not specify a drive has no prefix.
 *
 * 
    
 *
 * 
     Instances of the File class are immutable; that is, once
 * created, the abstract pathname represented by a File object
 * will never change.
 *
 * @version 1.113, 01/23/03
 * @author  unascribed
 * @since   JDK1.0
 */

public class File implements java.io.Serializable, Comparable {

    /**
     * The FileSystem object representing the platform's local file system.
     */
    static private FileSystem fs = FileSystem.getFileSystem();

    /**
     * This abstract pathname's normalized pathname string.  A normalized
     * pathname string uses the default name-separator character and does not
     * contain any duplicate or redundant separators.
     *
     * @serial
     */
    private String path;

    /**
     * The length of this abstract pathname's prefix, or zero if it has no
     * prefix.
     */
    private transient int prefixLength;

    /**
     * Returns the length of this abstract pathname's prefix.
     * For use by FileSystem classes.
     */
    int getPrefixLength() {
	return prefixLength;
    }

    /**
     * The system-dependent default name-separator character.  This field is
     * initialized to contain the first character of the value of the system
     * property file.separator.  On UNIX systems the value of this
     * field is '/'; on Microsoft Windows systems it is '\'.
     *
     * @see     java.lang.System#getProperty(java.lang.String)
     */
    public static final char separatorChar = fs.getSeparator();

    /**
     * The system-dependent default name-separator character, represented as a
     * string for convenience.  This string contains a single character, namely
     * {@link #separatorChar}.
     */
    public static final String separator = "" + separatorChar;

    /**
     * The system-dependent path-separator character.  This field is
     * initialized to contain the first character of the value of the system
     * property path.separator.  This character is used to
     * separate filenames in a sequence of files given as a path list.
     * On UNIX systems, this character is ':'; on Microsoft Windows systems it
     * is ';'.
     *
     * @see     java.lang.System#getProperty(java.lang.String)
     */
    public static final char pathSeparatorChar = fs.getPathSeparator();

    /**
     * The system-dependent path-separator character, represented as a string
     * for convenience.  This string contains a single character, namely
     * {@link #pathSeparatorChar}.
     */
    public static final String pathSeparator = "" + pathSeparatorChar;


    /* -- Constructors -- */

    /**
     * Internal constructor for already-normalized pathname strings.
     */
    private File(String pathname, int prefixLength) {
	this.path = pathname;
	this.prefixLength = prefixLength;
    }

    /**
     * Creates a new File instance by converting the given
     * pathname string into an abstract pathname.  If the given string is
     * the empty string, then the result is the empty abstract pathname.
     *
     * @param   pathname  A pathname string
     * @throws  NullPointerException
     *          If the pathname argument is null
     */
    public File(String pathname) {
	if (pathname == null) {
	    throw new NullPointerException();
	}
	this.path = fs.normalize(pathname);
	this.prefixLength = fs.prefixLength(this.path);
    }

    /* Note: The two-argument File constructors do not interpret an empty
       parent abstract pathname as the current user directory.  An empty parent
       instead causes the child to be resolved against the system-dependent
       directory defined by the FileSystem.getDefaultParent method.  On Unix
       this default is "/", while on Microsoft Windows it is "\\".  This is required for
       compatibility with the original behavior of this class. */

    /**
     * Creates a new File instance from a parent pathname string
     * and a child pathname string.
     *
     * 
     If parent is null then the new
     * File instance is created as if by invoking the
     * single-argument File constructor on the given
     * child pathname string.
     *
     * 
     Otherwise the parent pathname string is taken to denote
     * a directory, and the child pathname string is taken to
     * denote either a directory or a file.  If the child pathname
     * string is absolute then it is converted into a relative pathname in a
     * system-dependent way.  If parent is the empty string then
     * the new File instance is created by converting
     * child into an abstract pathname and resolving the result
     * against a system-dependent default directory.  Otherwise each pathname
     * string is converted into an abstract pathname and the child abstract
     * pathname is resolved against the parent.
     *
     * @param   parent  The parent pathname string
     * @param   child   The child pathname string
     * @throws  NullPointerException
     *          If child is null
     */
    public File(String parent, String child) {
	if (child == null) {
	    throw new NullPointerException();
	}
	if (parent != null) {
	    if (parent.equals("")) {
		this.path = fs.resolve(fs.getDefaultParent(),
				       fs.normalize(child));
	    } else {
		this.path = fs.resolve(fs.normalize(parent),
				       fs.normalize(child));
	    }
	} else {
	    this.path = fs.normalize(child);
	}
	this.prefixLength = fs.prefixLength(this.path);
    }

    /**
     * Creates a new File instance from a parent abstract
     * pathname and a child pathname string.
     *
     * 
     If parent is null then the new
     * File instance is created as if by invoking the
     * single-argument File constructor on the given
     * child pathname string.
     *
     * 
     Otherwise the parent abstract pathname is taken to
     * denote a directory, and the child pathname string is taken
     * to denote either a directory or a file.  If the child
     * pathname string is absolute then it is converted into a relative
     * pathname in a system-dependent way.  If parent is the empty
     * abstract pathname then the new File instance is created by
     * converting child into an abstract pathname and resolving
     * the result against a system-dependent default directory.  Otherwise each
     * pathname string is converted into an abstract pathname and the child
     * abstract pathname is resolved against the parent.
     *
     * @param   parent  The parent abstract pathname
     * @param   child   The child pathname string
     * @throws  NullPointerException
     *          If child is null
     */
    public File(File parent, String child) {
	if (child == null) {
	    throw new NullPointerException();
	}
	if (parent != null) {
	    if (parent.path.equals("")) {
		this.path = fs.resolve(fs.getDefaultParent(),
				       fs.normalize(child));
	    } else {
		this.path = fs.resolve(parent.path,
				       fs.normalize(child));
	    }
	} else {
	    this.path = fs.normalize(child);
	}
	this.prefixLength = fs.prefixLength(this.path);
    }

    /**
     * Creates a new File instance by converting the given
     * file: URI into an abstract pathname.
     *
     * 
     The exact form of a file: URI is system-dependent, hence
     * the transformation performed by this constructor is also
     * system-dependent.
     *
     * 
     For a given abstract pathname f it is guaranteed that
     *
     * 
    
     * new File( f.{@link #toURI() toURI}()).equals( f.{@link #getAbsoluteFile() getAbsoluteFile}())
     * 
    
     *
     * so long as the original abstract pathname, the URI, and the new abstract
     * pathname are all created in (possibly different invocations of) the same
     * Java virtual machine.  This relationship typically does not hold,
     * however, when a file: URI that is created in a virtual machine
     * on one operating system is converted into an abstract pathname in a
     * virtual machine on a different operating system.
     *
     * @param  uri
     *         An absolute, hierarchical URI with a scheme equal to
     *         "file", a non-empty path component, and undefined
     *         authority, query, and fragment components
     *
     * @throws  NullPointerException
     *          If uri is null
     *
     * @throws  IllegalArgumentException
     *          If the preconditions on the parameter do not hold
     *
     * @see #toURI()
     * @see java.net.URI
     * @since 1.4
     */
    public File(URI uri) {

	// Check our many preconditions
	if (!uri.isAbsolute())
	    throw new IllegalArgumentException("URI is not absolute");
	if (uri.isOpaque())
	    throw new IllegalArgumentException("URI is not hierarchical");
	String scheme = uri.getScheme();
	if ((scheme == null) || !scheme.equalsIgnoreCase("file"))
	    throw new IllegalArgumentException("URI scheme is not \"file\"");
	if (uri.getAuthority() != null)
	    throw new IllegalArgumentException("URI has an authority component");
	if (uri.getFragment() != null)
	    throw new IllegalArgumentException("URI has a fragment component");
	if (uri.getQuery() != null)
	    throw new IllegalArgumentException("URI has a query component");
	String p = uri.getPath();
	if (p.equals(""))
	    throw new IllegalArgumentException("URI path component is empty");

	// Okay, now initialize
	p = fs.fromURIPath(p);
	if (File.separatorChar != '/')
	    p = p.replace('/', File.separatorChar);
	this.path = fs.normalize(p);
	this.prefixLength = fs.prefixLength(this.path);
    }


    /* -- Path-component accessors -- */

    /**
     * Returns the name of the file or directory denoted by this abstract
     * pathname.  This is just the last name in the pathname's name
     * sequence.  If the pathname's name sequence is empty, then the empty
     * string is returned.
     *
     * @return  The name of the file or directory denoted by this abstract
     *          pathname, or the empty string if this pathname's name sequence
     *          is empty
     */
    public String getName() {
	int index = path.lastIndexOf(separatorChar);
	if (index < prefixLength) return path.substring(prefixLength);
	return path.substring(index + 1);
    }

    /**
     * Returns the pathname string of this abstract pathname's parent, or
     * null if this pathname does not name a parent directory.
     *
     * 
     The parent of an abstract pathname consists of the
     * pathname's prefix, if any, and each name in the pathname's name
     * sequence except for the last.  If the name sequence is empty then
     * the pathname does not name a parent directory.
     *
     * @return  The pathname string of the parent directory named by this
     *          abstract pathname, or null if this pathname
     *          does not name a parent
     */
    public String getParent() {
	int index = path.lastIndexOf(separatorChar);
	if (index < prefixLength) {
	    if ((prefixLength > 0) && (path.length() > prefixLength))
		return path.substring(0, prefixLength);
	    return null;
	}
	return path.substring(0, index);
    }

    /**
     * Returns the abstract pathname of this abstract pathname's parent,
     * or null if this pathname does not name a parent
     * directory.
     *
     * 
     The parent of an abstract pathname consists of the
     * pathname's prefix, if any, and each name in the pathname's name
     * sequence except for the last.  If the name sequence is empty then
     * the pathname does not name a parent directory.
     *
     * @return  The abstract pathname of the parent directory named by this
     *          abstract pathname, or null if this pathname
     *          does not name a parent
     *
     * @since 1.2
     */
    public File getParentFile() {
	String p = this.getParent();
	if (p == null) return null;
	return new File(p, this.prefixLength);
    }

    /**
     * Converts this abstract pathname into a pathname string.  The resulting
     * string uses the {@link #separator default name-separator character} to
     * separate the names in the name sequence.
     *
     * @return  The string form of this abstract pathname
     */
    public String getPath() {
	return path;
    }


    /* -- Path operations -- */

    /**
     * Tests whether this abstract pathname is absolute.  The definition of
     * absolute pathname is system dependent.  On UNIX systems, a pathname is
     * absolute if its prefix is "/".  On Microsoft Windows systems, a
     * pathname is absolute if its prefix is a drive specifier followed by
     * "\\", or if its prefix is "\\".
     *
     * @return  true if this abstract pathname is absolute,
     *          false otherwise
     */
    public boolean isAbsolute() {
	return fs.isAbsolute(this);
    }

    /**
     * Returns the absolute pathname string of this abstract pathname.
     *
     * 
     If this abstract pathname is already absolute, then the pathname
     * string is simply returned as if by the {@link #getPath}
     * method.  If this abstract pathname is the empty abstract pathname then
     * the pathname string of the current user directory, which is named by the
     * system property user.dir, is returned.  Otherwise this
     * pathname is resolved in a system-dependent way.  On UNIX systems, a
     * relative pathname is made absolute by resolving it against the current
     * user directory.  On Microsoft Windows systems, a relative pathname is made absolute
     * by resolving it against the current directory of the drive named by the
     * pathname, if any; if not, it is resolved against the current user
     * directory.
     *
     * @return  The absolute pathname string denoting the same file or
     *          directory as this abstract pathname
     *
     * @throws  SecurityException
     *          If a required system property value cannot be accessed.
     *
     * @see     java.io.File#isAbsolute()
     */
    public String getAbsolutePath() {
	return fs.resolve(this);
    }

    /**
     * Returns the absolute form of this abstract pathname.  Equivalent to
     * new File(this.{@link #getAbsolutePath}()).
     *
     * @return  The absolute abstract pathname denoting the same file or
     *          directory as this abstract pathname
     *
     * @throws  SecurityException
     *          If a required system property value cannot be accessed.
     *
     * @since 1.2
     */
    public File getAbsoluteFile() {
	return new File(getAbsolutePath());
    }

    /**
     * Returns the canonical pathname string of this abstract pathname.
     *
     * 
     A canonical pathname is both absolute and unique.  The precise
     * definition of canonical form is system-dependent.  This method first
     * converts this pathname to absolute form if necessary, as if by invoking the
     * {@link #getAbsolutePath} method, and then maps it to its unique form in a
     * system-dependent way.  This typically involves removing redundant names
     * such as "." and ".." from the pathname, resolving
     * symbolic links (on UNIX platforms), and converting drive letters to a
     * standard case (on Microsoft Windows platforms).
     *
     * 
     Every pathname that denotes an existing file or directory has a
     * unique canonical form.  Every pathname that denotes a nonexistent file
     * or directory also has a unique canonical form.  The canonical form of
     * the pathname of a nonexistent file or directory may be different from
     * the canonical form of the same pathname after the file or directory is
     * created.  Similarly, the canonical form of the pathname of an existing
     * file or directory may be different from the canonical form of the same
     * pathname after the file or directory is deleted.
     *
     * @return  The canonical pathname string denoting the same file or
     *          directory as this abstract pathname
     *
     * @throws  IOException
     *          If an I/O error occurs, which is possible because the
     *          construction of the canonical pathname may require
     *          filesystem queries
     *
     * @throws  SecurityException
     *          If a required system property value cannot be accessed.
     *
     * @since   JDK1.1
     */
    public String getCanonicalPath() throws IOException {
	return fs.canonicalize(fs.resolve(this));
    }

    /**
     * Returns the canonical form of this abstract pathname.  Equivalent to
     * new File(this.{@link #getCanonicalPath}()).
     *
     * @return  The canonical pathname string denoting the same file or
     *          directory as this abstract pathname
     *
     * @throws  IOException
     *          If an I/O error occurs, which is possible because the
     *          construction of the canonical pathname may require
     *          filesystem queries
     *
     * @throws  SecurityException
     *          If a required system property value cannot be accessed.
     *
     * @since 1.2
     */
    public File getCanonicalFile() throws IOException {
	return new File(getCanonicalPath());
    }

    private static String slashify(String path, boolean isDirectory) {
	String p = path;
	if (File.separatorChar != '/')
	    p = p.replace(File.separatorChar, '/');
	if (!p.startsWith("/"))
	    p = "/" + p;
	if (!p.endsWith("/") && isDirectory)
	    p = p + "/";
	return p;
    }

    /**
     * Converts this abstract pathname into a file: URL.  The
     * exact form of the URL is system-dependent.  If it can be determined that
     * the file denoted by this abstract pathname is a directory, then the
     * resulting URL will end with a slash.
     *
     * 
     Usage note: This method does not automatically escape
     * characters that are illegal in URLs.  It is recommended that new code
     * convert an abstract pathname into a URL by first converting it into a
     * URI, via the {@link #toURI() toURI} method, and then converting the URI
     * into a URL via the {@link java.net.URI#toURL() URI.toURL} method.
     *
     * @return  A URL object representing the equivalent file URL
     *
     * @throws  MalformedURLException
     *          If the path cannot be parsed as a URL
     *
     * @see     #toURI()
     * @see     java.net.URI
     * @see     java.net.URI#toURL()
     * @see     java.net.URL
     * @since   1.2
     */
    public URL toURL() throws MalformedURLException {
	return new URL("file", "", slashify(getAbsolutePath(), isDirectory()));
    }

    /**
     * Constructs a file: URI that represents this abstract pathname.
     *
     * 
     The exact form of the URI is system-dependent.  If it can be
     * determined that the file denoted by this abstract pathname is a
     * directory, then the resulting URI will end with a slash.
     *
     * 
     For a given abstract pathname f, it is guaranteed that
     *
     * 
    
     * new {@link #File(java.net.URI) File}( f.toURI()).equals( f.{@link #getAbsoluteFile() getAbsoluteFile}())
     * 
    
     *
     * so long as the original abstract pathname, the URI, and the new abstract
     * pathname are all created in (possibly different invocations of) the same
     * Java virtual machine.  Due to the system-dependent nature of abstract
     * pathnames, however, this relationship typically does not hold when a
     * file: URI that is created in a virtual machine on one operating
     * system is converted into an abstract pathname in a virtual machine on a
     * different operating system.
     *
     * @return  An absolute, hierarchical URI with a scheme equal to
     *          "file", a path representing this abstract pathname,
     *          and undefined authority, query, and fragment components
     *
     * @see #File(java.net.URI)
     * @see java.net.URI
     * @see java.net.URI#toURL()
     * @since 1.4
     */
    public URI toURI() {
	try {
	    File f = getAbsoluteFile();
	    String sp = slashify(f.getPath(), f.isDirectory());
	    if (sp.startsWith("//"))
		sp = "//" + sp;
	    return new URI("file", null, sp, null);
	} catch (URISyntaxException x) {
	    throw new Error(x);		// Can't happen
	}
    }


    /* -- Attribute accessors -- */

    /**
     * Tests whether the application can read the file denoted by this
     * abstract pathname.
     *
     * @return  true if and only if the file specified by this
     *          abstract pathname exists and can be read by the
     *          application; false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file
     */
    public boolean canRead() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return fs.checkAccess(this, false);
    }

    /**
     * Tests whether the application can modify to the file denoted by this
     * abstract pathname.
     *
     * @return  true if and only if the file system actually
     *          contains a file denoted by this abstract pathname and
     *          the application is allowed to write to the file;
     *          false otherwise.
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method denies write access to the file
     */
    public boolean canWrite() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkWrite(path);
	}
	return fs.checkAccess(this, true);
    }

    /**
     * Tests whether the file or directory denoted by this abstract pathname
     * exists.
     *
     * @return  true if and only if the file or directory denoted
     *          by this abstract pathname exists; false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file or directory
     */
    public boolean exists() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return ((fs.getBooleanAttributes(this) & FileSystem.BA_EXISTS) != 0);
    }

    /**
     * Tests whether the file denoted by this abstract pathname is a
     * directory.
     *
     * @return true if and only if the file denoted by this
     *          abstract pathname exists and is a directory;
     *          false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file
     */
    public boolean isDirectory() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return ((fs.getBooleanAttributes(this) & FileSystem.BA_DIRECTORY)
		!= 0);
    }

    /**
     * Tests whether the file denoted by this abstract pathname is a normal
     * file.  A file is normal if it is not a directory and, in
     * addition, satisfies other system-dependent criteria.  Any non-directory
     * file created by a Java application is guaranteed to be a normal file.
     *
     * @return  true if and only if the file denoted by this
     *          abstract pathname exists and is a normal file;
     *          false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file
     */
    public boolean isFile() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return ((fs.getBooleanAttributes(this) & FileSystem.BA_REGULAR) != 0);
    }

    /**
     * Tests whether the file named by this abstract pathname is a hidden
     * file.  The exact definition of hidden is system-dependent.  On
     * UNIX systems, a file is considered to be hidden if its name begins with
     * a period character ('.').  On Microsoft Windows systems, a file is
     * considered to be hidden if it has been marked as such in the filesystem.
     *
     * @return  true if and only if the file denoted by this
     *          abstract pathname is hidden according to the conventions of the
     *          underlying platform
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file
     *
     * @since 1.2
     */
    public boolean isHidden() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return ((fs.getBooleanAttributes(this) & FileSystem.BA_HIDDEN) != 0);
    }

    /**
     * Returns the time that the file denoted by this abstract pathname was
     * last modified.
     *
     * @return  A long value representing the time the file was
     *          last modified, measured in milliseconds since the epoch
     *          (00:00:00 GMT, January 1, 1970), or 0L if the
     *          file does not exist or if an I/O error occurs
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file
     */
    public long lastModified() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return fs.getLastModifiedTime(this);
    }

    /**
     * Returns the length of the file denoted by this abstract pathname.
     * The return value is unspecified if this pathname denotes a directory.
     *
     * @return  The length, in bytes, of the file denoted by this abstract
     *          pathname, or 0L if the file does not exist
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the file
     */
    public long length() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return fs.getLength(this);
    }


    /* -- File operations -- */

    /**
     * Atomically creates a new, empty file named by this abstract pathname if
     * and only if a file with this name does not yet exist.  The check for the
     * existence of the file and the creation of the file if it does not exist
     * are a single operation that is atomic with respect to all other
     * filesystem activities that might affect the file.
     * 
    
     * Note: this method should not be used for file-locking, as
     * the resulting protocol cannot be made to work reliably. The 
     * {@link java.nio.channels.FileLock FileLock}
     * facility should be used instead. 
     *
     * @return  true if the named file does not exist and was
     *          successfully created; false if the named file
     *          already exists
     *
     * @throws  IOException
     *          If an I/O error occurred
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method denies write access to the file
     *
     * @since 1.2
     */
    public boolean createNewFile() throws IOException {
	SecurityManager security = System.getSecurityManager();
	if (security != null) security.checkWrite(path);
	return fs.createFileExclusively(path);
    }

    /**
     * Deletes the file or directory denoted by this abstract pathname.  If
     * this pathname denotes a directory, then the directory must be empty in
     * order to be deleted.
     *
     * @return  true if and only if the file or directory is
     *          successfully deleted; false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkDelete} method denies
     *          delete access to the file
     */
    public boolean delete() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkDelete(path);
	}
	return fs.delete(this);
    }

    /**
     * Requests that the file or directory denoted by this abstract 
     * pathname be deleted when the virtual machine terminates.  
     * Deletion will be attempted only for normal termination of the 
     * virtual machine, as defined by the Java Language Specification. 
     *
     * 
     Once deletion has been requested, it is not possible to cancel the
     * request.  This method should therefore be used with care.
     *
     * 
    
     * Note: this method should not be used for file-locking, as 
     * the resulting protocol cannot be made to work reliably. The 
     * {@link java.nio.channels.FileLock FileLock}
     * facility should be used instead.
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkDelete} method denies
     *          delete access to the file
     *
     * @see #delete
     *
     * @since 1.2
     */
    public void deleteOnExit() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkDelete(path);
	}
	fs.deleteOnExit(this);
    }

    /**
     * Returns an array of strings naming the files and directories in the
     * directory denoted by this abstract pathname.
     *
     * 
     If this abstract pathname does not denote a directory, then this
     * method returns null.  Otherwise an array of strings is
     * returned, one for each file or directory in the directory.  Names
     * denoting the directory itself and the directory's parent directory are
     * not included in the result.  Each string is a file name rather than a
     * complete path.
     *
     * 
     There is no guarantee that the name strings in the resulting array
     * will appear in any specific order; they are not, in particular,
     * guaranteed to appear in alphabetical order.
     *
     * @return  An array of strings naming the files and directories in the
     *          directory denoted by this abstract pathname.  The array will be
     *          empty if the directory is empty.  Returns null if
     *          this abstract pathname does not denote a directory, or if an
     *          I/O error occurs.
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the directory
     */
    public String[] list() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkRead(path);
	}
	return fs.list(this);
    }

    /**
     * Returns an array of strings naming the files and directories in the
     * directory denoted by this abstract pathname that satisfy the specified
     * filter.  The behavior of this method is the same as that of the
     * {@link #list()} method, except that the strings in the
     * returned array must satisfy the filter.  If the given
     * filter is null then all names are accepted.
     * Otherwise, a name satisfies the filter if and only if the value
     * true results when the {@link
     * FilenameFilter#accept} method of the filter is invoked on this
     * abstract pathname and the name of a file or directory in the directory
     * that it denotes.
     *
     * @param  filter  A filename filter
     *
     * @return  An array of strings naming the files and directories in the
     *          directory denoted by this abstract pathname that were accepted
     *          by the given filter.  The array will be empty if
     *          the directory is empty or if no names were accepted by the
     *          filter.  Returns null if this abstract pathname
     *          does not denote a directory, or if an I/O error occurs.
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the directory
     */
    public String[] list(FilenameFilter filter) {
	String names[] = list();
	if ((names == null) || (filter == null)) {
	    return names;
	}
	ArrayList v = new ArrayList();
	for (int i = 0 ; i < names.length ; i++) {
	    if (filter.accept(this, names[i])) {
		v.add(names[i]);
	    }
	}
	return (String[])(v.toArray(new String[0]));
    }

    /**
     * Returns an array of abstract pathnames denoting the files in the
     * directory denoted by this abstract pathname.
     *
     * 
     If this abstract pathname does not denote a directory, then this
     * method returns null.  Otherwise an array of
     * File objects is returned, one for each file or directory in
     * the directory.  Pathnames denoting the directory itself and the
     * directory's parent directory are not included in the result.  Each
     * resulting abstract pathname is constructed from this abstract pathname
     * using the {@link #File(java.io.File, java.lang.String)
     * File(File, String)} constructor.  Therefore if this pathname
     * is absolute then each resulting pathname is absolute; if this pathname
     * is relative then each resulting pathname will be relative to the same
     * directory.
     *
     * 
     There is no guarantee that the name strings in the resulting array
     * will appear in any specific order; they are not, in particular,
     * guaranteed to appear in alphabetical order.
     *
     * @return  An array of abstract pathnames denoting the files and
     *          directories in the directory denoted by this abstract
     *          pathname.  The array will be empty if the directory is
     *          empty.  Returns null if this abstract pathname
     *          does not denote a directory, or if an I/O error occurs.
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the directory
     *
     * @since 1.2
     */
    public File[] listFiles() {
	String[] ss = list();
	if (ss == null) return null;
	int n = ss.length;
	File[] fs = new File[n];
	for (int i = 0; i < n; i++) {
	    fs[i] = new File(this.path, ss[i]);
	}
	return fs;
    }

    /**
     * Returns an array of abstract pathnames denoting the files and
     * directories in the directory denoted by this abstract pathname that
     * satisfy the specified filter.  The behavior of this method is the
     * same as that of the {@link #listFiles()} method, except
     * that the pathnames in the returned array must satisfy the filter.
     * If the given filter is null then all
     * pathnames are accepted.  Otherwise, a pathname satisfies the filter
     * if and only if the value true results when the
     * {@link FilenameFilter#accept} method of the filter is
     * invoked on this abstract pathname and the name of a file or
     * directory in the directory that it denotes.
     *
     * @param  filter  A filename filter
     *
     * @return  An array of abstract pathnames denoting the files and
     *          directories in the directory denoted by this abstract
     *          pathname.  The array will be empty if the directory is
     *          empty.  Returns null if this abstract pathname
     *          does not denote a directory, or if an I/O error occurs.
     *          
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the directory
     *
     * @since 1.2
     */
    public File[] listFiles(FilenameFilter filter) {
	String ss[] = list();
	if (ss == null) return null;
	ArrayList v = new ArrayList();
	for (int i = 0 ; i < ss.length ; i++) {
	    if ((filter == null) || filter.accept(this, ss[i])) {
		v.add(new File(this.path, ss[i]));
	    }
	}
	return (File[])(v.toArray(new File[0]));
    }

    /**
     * Returns an array of abstract pathnames denoting the files and
     * directories in the directory denoted by this abstract pathname that
     * satisfy the specified filter.  The behavior of this method is the
     * same as that of the {@link #listFiles()} method, except
     * that the pathnames in the returned array must satisfy the filter.
     * If the given filter is null then all
     * pathnames are accepted.  Otherwise, a pathname satisfies the filter
     * if and only if the value true results when the
     * {@link FileFilter#accept(java.io.File)} method of
     * the filter is invoked on the pathname.
     *
     * @param  filter  A file filter
     *
     * @return  An array of abstract pathnames denoting the files and
     *          directories in the directory denoted by this abstract
     *          pathname.  The array will be empty if the directory is
     *          empty.  Returns null if this abstract pathname
     *          does not denote a directory, or if an I/O error occurs.
     *          
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkRead(java.lang.String)}
     *          method denies read access to the directory
     *
     * @since 1.2
     */
    public File[] listFiles(FileFilter filter) {
	String ss[] = list();
	if (ss == null) return null;
	ArrayList v = new ArrayList();
	for (int i = 0 ; i < ss.length ; i++) {
	    File f = new File(this.path, ss[i]);
	    if ((filter == null) || filter.accept(f)) {
		v.add(f);
	    }
	}
	return (File[])(v.toArray(new File[0]));
    }

    /**
     * Creates the directory named by this abstract pathname.
     *
     * @return  true if and only if the directory was
     *          created; false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method does not permit the named directory to be created
     */
    public boolean mkdir() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkWrite(path);
	}
	return fs.createDirectory(this);
    }

    /**
     * Creates the directory named by this abstract pathname, including any
     * necessary but nonexistent parent directories.  Note that if this
     * operation fails it may have succeeded in creating some of the necessary
     * parent directories.
     *
     * @return  true if and only if the directory was created,
     *          along with all necessary parent directories; false
     *          otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method does not permit the named directory and all necessary
     *          parent directories and to be created
     */
    public boolean mkdirs() {
	if (exists()) {
	    return false;
	}
	if (mkdir()) {
 	    return true;
 	}
        File canonFile = null;
        try {
            canonFile = getCanonicalFile();
        } catch (IOException e) {
            return false;
        }
	String parent = canonFile.getParent();
        return (parent != null) && (new File(parent).mkdirs() &&
                                    canonFile.mkdir());
    }

    /**
     * Renames the file denoted by this abstract pathname.
     * 
     * 
     Whether or not this method can move a file from one filesystem 
     * to another is platform-dependent.  The return value should always 
     * be checked to make sure that the rename operation was successful.
     *
     * @param  dest  The new abstract pathname for the named file
     * 
     * @return  true if and only if the renaming succeeded;
     *          false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method denies write access to either the old or new pathnames
     * 
     * @throws  NullPointerException  
     *          If parameter dest is null
     */
    public boolean renameTo(File dest) {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkWrite(path);
	    security.checkWrite(dest.path);
	}
	return fs.rename(this, dest);
    }

    /**
     * Sets the last-modified time of the file or directory named by this
     * abstract pathname.
     *
     * 
     All platforms support file-modification times to the nearest second,
     * but some provide more precision.  The argument will be truncated to fit
     * the supported precision.  If the operation succeeds and no intervening
     * operations on the file take place, then the next invocation of the
     * {@link #lastModified} method will return the (possibly
     * truncated) time argument that was passed to this method.
     *
     * @param  time  The new last-modified time, measured in milliseconds since
     *               the epoch (00:00:00 GMT, January 1, 1970)
     *
     * @return true if and only if the operation succeeded;
     *          false otherwise
     *
     * @throws  IllegalArgumentException  If the argument is negative
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method denies write access to the named file
     *
     * @since 1.2
     */
    public boolean setLastModified(long time) {
	if (time < 0) throw new IllegalArgumentException("Negative time");
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkWrite(path);
	}
	return fs.setLastModifiedTime(this, time);
    }

    /**
     * Marks the file or directory named by this abstract pathname so that
     * only read operations are allowed.  After invoking this method the file
     * or directory is guaranteed not to change until it is either deleted or
     * marked to allow write access.  Whether or not a read-only file or
     * directory may be deleted depends upon the underlying system.
     *
     * @return true if and only if the operation succeeded;
     *          false otherwise
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method denies write access to the named file
     *
     * @since 1.2
     */
    public boolean setReadOnly() {
	SecurityManager security = System.getSecurityManager();
	if (security != null) {
	    security.checkWrite(path);
	}
	return fs.setReadOnly(this);
    }


    /* -- Filesystem interface -- */

    /**
     * List the available filesystem roots.
     *
     * 
     A particular Java platform may support zero or more
     * hierarchically-organized file systems.  Each file system has a
     * root directory from which all other files in that file
     * system can be reached.  Windows platforms, for example, have a root
     * directory for each active drive; UNIX platforms have a single root
     * directory, namely "/".  The set of available filesystem
     * roots is affected by various system-level operations such the insertion
     * or ejection of removable media and the disconnecting or unmounting of
     * physical or virtual disk drives.
     *
     * 
     This method returns an array of File objects that
     * denote the root directories of the available filesystem roots.  It is
     * guaranteed that the canonical pathname of any file physically present on
     * the local machine will begin with one of the roots returned by this
     * method.
     *
     * 
     The canonical pathname of a file that resides on some other machine
     * and is accessed via a remote-filesystem protocol such as SMB or NFS may
     * or may not begin with one of the roots returned by this method.  If the
     * pathname of a remote file is syntactically indistinguishable from the
     * pathname of a local file then it will begin with one of the roots
     * returned by this method.  Thus, for example, File objects
     * denoting the root directories of the mapped network drives of a Windows
     * platform will be returned by this method, while File
     * objects containing UNC pathnames will not be returned by this method.
     *
     * 
     Unlike most methods in this class, this method does not throw
     * security exceptions.  If a security manager exists and its {@link
     * java.lang.SecurityManager#checkRead(java.lang.String)} method
     * denies read access to a particular root directory, then that directory
     * will not appear in the result.
     *
     * @return  An array of File objects denoting the available
     *          filesystem roots, or null if the set of roots
     *          could not be determined.  The array will be empty if there are
     *          no filesystem roots.
     *
     * @since 1.2
     */
    public static File[] listRoots() {
	return fs.listRoots();
    }


    /* -- Temporary files -- */

    private static final Object tmpFileLock = new Object();

    private static int counter = -1; /* Protected by tmpFileLock */

    private static File generateFile(String prefix, String suffix, File dir)
	throws IOException
    {
	if (counter == -1) {
	    counter = new Random().nextInt() & 0xffff;
	}
	counter++;
	return new File(dir, prefix + Integer.toString(counter) + suffix);
    }

    private static String tmpdir; /* Protected by tmpFileLock */

    private static String getTempDir() {
	if (tmpdir == null) {
	    GetPropertyAction a = new GetPropertyAction("java.io.tmpdir");
	    tmpdir = ((String) AccessController.doPrivileged(a));
	}
	return tmpdir;
    }

    private static boolean checkAndCreate(String filename, SecurityManager sm)
	throws IOException
    {
	if (sm != null) {
	    try {
		sm.checkWrite(filename);
	    } catch (AccessControlException x) {
		/* Throwing the original AccessControlException could disclose
		   the location of the default temporary directory, so we
		   re-throw a more innocuous SecurityException */
		throw new SecurityException("Unable to create temporary file");
	    }
	}
	return fs.createFileExclusively(filename);
    }

    /**
     * 
     Creates a new empty file in the specified directory, using the
     * given prefix and suffix strings to generate its name.  If this method
     * returns successfully then it is guaranteed that:
     *
     * 
      
     * 
    1.  The file denoted by the returned abstract pathname did not exist
     *      before this method was invoked, and
     * 
    2.  Neither this method nor any of its variants will return the same
     *      abstract pathname again in the current invocation of the virtual
     *      machine.
     * 
    
     *
     * This method provides only part of a temporary-file facility.  To arrange
     * for a file created by this method to be deleted automatically, use the
     * {@link #deleteOnExit} method.
     *
     * 
     The prefix argument must be at least three characters
     * long.  It is recommended that the prefix be a short, meaningful string
     * such as "hjb" or "mail".  The
     * suffix argument may be null, in which case the
     * suffix ".tmp" will be used.
     *
     * 
     To create the new file, the prefix and the suffix may first be
     * adjusted to fit the limitations of the underlying platform.  If the
     * prefix is too long then it will be truncated, but its first three
     * characters will always be preserved.  If the suffix is too long then it
     * too will be truncated, but if it begins with a period character
     * ('.') then the period and the first three characters
     * following it will always be preserved.  Once these adjustments have been
     * made the name of the new file will be generated by concatenating the
     * prefix, five or more internally-generated characters, and the suffix.
     *
     * 
     If the directory argument is null then the
     * system-dependent default temporary-file directory will be used.  The
     * default temporary-file directory is specified by the system property
     * java.io.tmpdir.  On UNIX systems the default value of this
     * property is typically "/tmp" or "/var/tmp"; on
     * Microsoft Windows systems it is typically "c:\\temp".  A different
     * value may be given to this system property when the Java virtual machine
     * is invoked, but programmatic changes to this property are not guaranteed
     * to have any effect upon the the temporary directory used by this method.
     *
     * @param  prefix     The prefix string to be used in generating the file's
     *                    name; must be at least three characters long
     *
     * @param  suffix     The suffix string to be used in generating the file's
     *                    name; may be null, in which case the
     *                    suffix ".tmp" will be used
     *
     * @param  directory  The directory in which the file is to be created, or
     *                    null if the default temporary-file
     *                    directory is to be used
     *
     * @return  An abstract pathname denoting a newly-created empty file
     *
     * @throws  IllegalArgumentException
     *          If the prefix argument contains fewer than three
     *          characters
     *
     * @throws  IOException  If a file could not be created
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method does not allow a file to be created
     *
     * @since 1.2
     */
    public static File createTempFile(String prefix, String suffix,
				      File directory)
        throws IOException
    {
	if (prefix == null) throw new NullPointerException();
	if (prefix.length() < 3)
	    throw new IllegalArgumentException("Prefix string too short");
	String s = (suffix == null) ? ".tmp" : suffix;
	synchronized (tmpFileLock) {
	    if (directory == null) {
		directory = new File(getTempDir());
	    }
	    SecurityManager sm = System.getSecurityManager();
	    File f;
	    do {
		f = generateFile(prefix, s, directory);
	    } while (!checkAndCreate(f.getPath(), sm));
	    return f;
	}
    }

    /**
     * Creates an empty file in the default temporary-file directory, using
     * the given prefix and suffix to generate its name.  Invoking this method
     * is equivalent to invoking {@link #createTempFile(java.lang.String,
     * java.lang.String, java.io.File)
     * createTempFile(prefix, suffix, null)}.
     *
     * @param  prefix     The prefix string to be used in generating the file's
     *                    name; must be at least three characters long
     *
     * @param  suffix     The suffix string to be used in generating the file's
     *                    name; may be null, in which case the
     *                    suffix ".tmp" will be used
     *
     * @return  An abstract pathname denoting a newly-created empty file
     *
     * @throws  IllegalArgumentException
     *          If the prefix argument contains fewer than three
     *          characters
     *
     * @throws  IOException  If a file could not be created
     *
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          java.lang.SecurityManager#checkWrite(java.lang.String)}
     *          method does not allow a file to be created
     *
     * @since 1.2
     */
    public static File createTempFile(String prefix, String suffix)
	throws IOException
    {
	return createTempFile(prefix, suffix, null);
    }


    /* -- Basic infrastructure -- */

    /**
     * Compares two abstract pathnames lexicographically.  The ordering
     * defined by this method depends upon the underlying system.  On UNIX
     * systems, alphabetic case is significant in comparing pathnames; on Microsoft Windows
     * systems it is not.
     *
     * @param   pathname  The abstract pathname to be compared to this abstract
     *                    pathname
     * 
     * @return  Zero if the argument is equal to this abstract pathname, a
     *		value less than zero if this abstract pathname is
     *		lexicographically less than the argument, or a value greater
     *		than zero if this abstract pathname is lexicographically
     *		greater than the argument
     *
     * @since   1.2
     */
    public int compareTo(File pathname) {
	return fs.compare(this, pathname);
    }

    /**
     * Compares this abstract pathname to another object.  If the other object
     * is an abstract pathname, then this function behaves like {@link
     * #compareTo(File)}.  Otherwise, it throws a
     * ClassCastException, since abstract pathnames can only be
     * compared to abstract pathnames.
     *
     * @param   o  The Object to be compared to this abstract
     *             pathname
     *
     * @return  If the argument is an abstract pathname, returns zero
     *          if the argument is equal to this abstract pathname, a value
     *          less than zero if this abstract pathname is lexicographically
     *          less than the argument, or a value greater than zero if this
     *          abstract pathname is lexicographically greater than the
     *          argument
     *
     * @throws  ClassCastException if the argument is not an
     *		abstract pathname
     *
     * @see     java.lang.Comparable
     * @since   1.2
     */
    public int compareTo(Object o) {
	return compareTo((File)o);
    }

    /**
     * Tests this abstract pathname for equality with the given object.
     * Returns true if and only if the argument is not
     * null and is an abstract pathname that denotes the same file
     * or directory as this abstract pathname.  Whether or not two abstract
     * pathnames are equal depends upon the underlying system.  On UNIX
     * systems, alphabetic case is significant in comparing pathnames; on Microsoft Windows
     * systems it is not.
     *
     * @param   obj   The object to be compared with this abstract pathname
     *
     * @return  true if and only if the objects are the same;
     *          false otherwise
     */
    public boolean equals(Object obj) {
	if ((obj != null) && (obj instanceof File)) {
	    return compareTo((File)obj) == 0;
	}
	return false;
    }

    /**
     * Computes a hash code for this abstract pathname.  Because equality of
     * abstract pathnames is inherently system-dependent, so is the computation
     * of their hash codes.  On UNIX systems, the hash code of an abstract
     * pathname is equal to the exclusive or of its pathname string
     * and the decimal value 1234321.  On Microsoft Windows systems, the hash
     * code is equal to the exclusive or of its pathname string,
     * convered to lower case, and the decimal value 1234321.
     *
     * @return  A hash code for this abstract pathname
     */
    public int hashCode() {
	return fs.hashCode(this);
    }

    /**
     * Returns the pathname string of this abstract pathname.  This is just the
     * string returned by the {@link #getPath} method.
     *
     * @return  The string form of this abstract pathname
     */
    public String toString() {
	return getPath();
    }

    /**
     * WriteObject is called to save this filename.
     * The separator character is saved also so it can be replaced
     * in case the path is reconstituted on a different host type.
     */
    private synchronized void writeObject(java.io.ObjectOutputStream s)
        throws IOException
    {
	s.defaultWriteObject();
	s.writeChar(this.separatorChar); // Add the separator character
    }

    /**
     * readObject is called to restore this filename.
     * The original separator character is read.  If it is different
     * than the separator character on this system, then the old seperator
     * is replaced by the local separator.
     */
    private synchronized void readObject(java.io.ObjectInputStream s)
         throws IOException, ClassNotFoundException
    {
	s.defaultReadObject();
	char sep = s.readChar(); // read the previous seperator char
	if (sep != separatorChar)
	    this.path = this.path.replace(sep, separatorChar);
	this.path = fs.normalize(this.path);
	this.prefixLength = fs.prefixLength(this.path);
    }

    /** use serialVersionUID from JDK 1.0.2 for interoperability */
    private static final long serialVersionUID = 301077366599181567L;

}
why-2.34/lib/java_api/java/io/IOException.java0000644000175000017500000000211712311670312017517 0ustar  rtusers/*
 * @(#)IOException.java	1.21 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/**
 * Signals that an I/O exception of some sort has occurred. This
 * class is the general class of exceptions produced by failed or
 * interrupted I/O operations.
 *
 * @author  unascribed
 * @version 1.21, 01/23/03
 * @see     java.io.InputStream
 * @see     java.io.OutputStream
 * @since   JDK1.0
 */
public
class IOException extends Exception {
    /**
     * Constructs an IOException with null
     * as its error detail message.
     */
    public IOException() {
	super();
    }

    /**
     * Constructs an IOException with the specified detail
     * message. The error message string s can later be
     * retrieved by the {@link java.lang.Throwable#getMessage}
     * method of class java.lang.Throwable.
     *
     * @param   s   the detail message.
     */
    public IOException(String s) {
	super(s);
    }
}
why-2.34/lib/java_api/java/io/PrintStream.java0000644000175000017500000004332212311670312017604 0ustar  rtusers/*
 * @(#)PrintStream.java	1.25 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;


/**
 * A PrintStream adds functionality to another output stream,
 * namely the ability to print representations of various data values
 * conveniently.  Two other features are provided as well.  Unlike other output
 * streams, a PrintStream never throws an
 * IOException; instead, exceptional situations merely set an
 * internal flag that can be tested via the checkError method.
 * Optionally, a PrintStream can be created so as to flush
 * automatically; this means that the flush method is
 * automatically invoked after a byte array is written, one of the
 * println methods is invoked, or a newline character or byte
 * ('\n') is written.
 *
 * 
     All characters printed by a PrintStream are converted into
 * bytes using the platform's default character encoding.  The {@link
 * PrintWriter} class should be used in situations that require writing
 * characters rather than bytes.
 *
 * @version    1.25, 03/01/23
 * @author     Frank Yellin
 * @author     Mark Reinhold
 * @since      JDK1.0
 */

public class PrintStream extends FilterOutputStream {

    private boolean autoFlush = false;
    private boolean trouble = false;

    /**
     * Track both the text- and character-output streams, so that their buffers
     * can be flushed without flushing the entire stream.
     */
    //KML private BufferedWriter textOut;
    //KML private OutputStreamWriter charOut;

    /**
     * Create a new print stream.  This stream will not flush automatically.
     *
     * @param  out        The output stream to which values and objects will be
     *                    printed
     *
     * @see java.io.PrintWriter#PrintWriter(java.io.OutputStream)
     */
    public PrintStream(OutputStream out) {
	this(out, false);
    }

    /* Initialization is factored into a private constructor (note the swapped
     * parameters so that this one isn't confused with the public one) and a
     * separate init method so that the following two public constructors can
     * share code.  We use a separate init method so that the constructor that
     * takes an encoding will throw an NPE for a null stream before it throws
     * an UnsupportedEncodingException for an unsupported encoding.
     */

    private PrintStream(boolean autoFlush, OutputStream out)
    {
	super(out);
	if (out == null)
	    throw new NullPointerException("Null output stream");
	this.autoFlush = autoFlush;
    }

    private void init(OutputStreamWriter osw) {
	this.charOut = osw;
	this.textOut = new BufferedWriter(osw);
    }

    /**
     * Create a new print stream.
     *
     * @param  out        The output stream to which values and objects will be
     *                    printed
     * @param  autoFlush  A boolean; if true, the output buffer will be flushed
     *                    whenever a byte array is written, one of the
     *                    println methods is invoked, or a newline
     *                    character or byte ('\n') is written
     *
     * @see java.io.PrintWriter#PrintWriter(java.io.OutputStream, boolean)
     */
    public PrintStream(OutputStream out, boolean autoFlush) {
	this(autoFlush, out);
	init(new OutputStreamWriter(this));
    }

    /**
     * Create a new print stream.
     *
     * @param  out        The output stream to which values and objects will be
     *                    printed
     * @param  autoFlush  A boolean; if true, the output buffer will be flushed
     *                    whenever a byte array is written, one of the
     *                    println methods is invoked, or a newline
     *                    character or byte ('\n') is written
     * @param  encoding   The name of a supported
     *                    
     *                    character encoding
     *
     * @exception  UnsupportedEncodingException
     *             If the named encoding is not supported
     */
    public PrintStream(OutputStream out, boolean autoFlush, String encoding)
        throws UnsupportedEncodingException
    {
	this(autoFlush, out);
	init(new OutputStreamWriter(this, encoding));
    }

    /** Check to make sure that the stream has not been closed */
    private void ensureOpen() throws IOException {
	if (out == null)
	    throw new IOException("Stream closed");
    }

    /**
     * Flush the stream.  This is done by writing any buffered output bytes to
     * the underlying output stream and then flushing that stream.
     *
     * @see        java.io.OutputStream#flush()
     */
    public void flush() {
	synchronized (this) {
	    try {
		ensureOpen();
		out.flush();
	    }
	    catch (IOException x) {
		trouble = true;
	    }
	}
    }

    private boolean closing = false; /* To avoid recursive closing */

    /**
     * Close the stream.  This is done by flushing the stream and then closing
     * the underlying output stream.
     *
     * @see        java.io.OutputStream#close()
     */
    public void close() {
	synchronized (this) {
	    if (! closing) {
		closing = true;
		try {
		    textOut.close();
		    out.close();
		}
		catch (IOException x) {
		    trouble = true;
		}
		textOut = null;
		charOut = null;
		out = null;
	    }
	}
    }

    /**
     * Flush the stream and check its error state.  The internal error state
     * is set to true when the underlying output stream throws an
     * IOException other than InterruptedIOException,
     * and when the setError method is invoked.  If an operation
     * on the underlying output stream throws an
     * InterruptedIOException, then the PrintStream
     * converts the exception back into an interrupt by doing:
     * 
         *     Thread.currentThread().interrupt();
     * 
    
     * or the equivalent.
     *
     * @return True if and only if this stream has encountered an
     *         IOException other than
     *         InterruptedIOException, or the
     *         setError method has been invoked
     */
    public boolean checkError() {
	if (out != null)
	    flush();
	return trouble;
    }

    /**
     * Set the error state of the stream to true.
     *
     * @since JDK1.1
     */
    protected void setError() {
	trouble = true;
    }


    /*
     * Exception-catching, synchronized output operations,
     * which also implement the write() methods of OutputStream
     */

    /**
     * Write the specified byte to this stream.  If the byte is a newline and
     * automatic flushing is enabled then the flush method will be
     * invoked.
     *
     * 
     Note that the byte is written as given; to write a character that
     * will be translated according to the platform's default character
     * encoding, use the print(char) or println(char)
     * methods.
     *
     * @param  b  The byte to be written
     * @see #print(char)
     * @see #println(char)
     */
    public void write(int b) {
	try {
	    synchronized (this) {
		ensureOpen();
		out.write(b);
		if ((b == '\n') && autoFlush)
		    out.flush();
	    }
	}
	catch (InterruptedIOException x) {
	    Thread.currentThread().interrupt();
	}
	catch (IOException x) {
	    trouble = true;
	}
    }

    /**
     * Write len bytes from the specified byte array starting at
     * offset off to this stream.  If automatic flushing is
     * enabled then the flush method will be invoked.
     *
     * 
     Note that the bytes will be written as given; to write characters
     * that will be translated according to the platform's default character
     * encoding, use the print(char) or println(char)
     * methods.
     *
     * @param  buf   A byte array
     * @param  off   Offset from which to start taking bytes
     * @param  len   Number of bytes to write
     */
    public void write(byte buf[], int off, int len) {
	try {
	    synchronized (this) {
		ensureOpen();
		out.write(buf, off, len);
		if (autoFlush)
		    out.flush();
	    }
	}
	catch (InterruptedIOException x) {
	    Thread.currentThread().interrupt();
	}
	catch (IOException x) {
	    trouble = true;
	}
    }

    /*
     * The following private methods on the text- and character-output streams
     * always flush the stream buffers, so that writes to the underlying byte
     * stream occur as promptly as with the original PrintStream.
     */

    private void write(char buf[]) {
	try {
	    synchronized (this) {
		ensureOpen();
		textOut.write(buf);
		textOut.flushBuffer();
		charOut.flushBuffer();
		if (autoFlush) {
		    for (int i = 0; i < buf.length; i++)
			if (buf[i] == '\n')
			    out.flush();
		}
	    }
	}
	catch (InterruptedIOException x) {
	    Thread.currentThread().interrupt();
	}
	catch (IOException x) {
	    trouble = true;
	}
    }

    private void write(String s) {
	try {
	    synchronized (this) {
		ensureOpen();
		textOut.write(s);
		textOut.flushBuffer();
		charOut.flushBuffer();
		if (autoFlush && (s.indexOf('\n') >= 0))
		    out.flush();
	    }
	}
	catch (InterruptedIOException x) {
	    Thread.currentThread().interrupt();
	}
	catch (IOException x) {
	    trouble = true;
	}
    }

    private void newLine() {
	try {
	    synchronized (this) {
		ensureOpen();
		textOut.newLine();
		textOut.flushBuffer();
		charOut.flushBuffer();
		if (autoFlush)
		    out.flush();
	    }
	}
	catch (InterruptedIOException x) {
	    Thread.currentThread().interrupt();
	}
	catch (IOException x) {
	    trouble = true;
	}
    }


    /* Methods that do not terminate lines */

    /**
     * Print a boolean value.  The string produced by {@link
     * java.lang.String#valueOf(boolean)} is translated into bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      b   The boolean to be printed
     */
    public void print(boolean b) {
	write(b ? "true" : "false");
    }

    /**
     * Print a character.  The character is translated into one or more bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      c   The char to be printed
     */
    public void print(char c) {
	write(String.valueOf(c));
    }

    /**
     * Print an integer.  The string produced by {@link
     * java.lang.String#valueOf(int)} is translated into bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      i   The int to be printed
     * @see        java.lang.Integer#toString(int)
     */
    public void print(int i) {
	write(String.valueOf(i));
    }

    /**
     * Print a long integer.  The string produced by {@link
     * java.lang.String#valueOf(long)} is translated into bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      l   The long to be printed
     * @see        java.lang.Long#toString(long)
     */
    public void print(long l) {
	write(String.valueOf(l));
    }

    /**
     * Print a floating-point number.  The string produced by {@link
     * java.lang.String#valueOf(float)} is translated into bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      f   The float to be printed
     * @see        java.lang.Float#toString(float)
     */
    public void print(float f) {
	write(String.valueOf(f));
    }

    /**
     * Print a double-precision floating-point number.  The string produced by
     * {@link java.lang.String#valueOf(double)} is translated into
     * bytes according to the platform's default character encoding, and these
     * bytes are written in exactly the manner of the {@link
     * #write(int)} method.
     *
     * @param      d   The double to be printed
     * @see        java.lang.Double#toString(double)
     */
    public void print(double d) {
	write(String.valueOf(d));
    }

    /**
     * Print an array of characters.  The characters are converted into bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      s   The array of chars to be printed
     * 
     * @throws  NullPointerException  If s is null
     */
    public void print(char s[]) {
	write(s);
    }

    /**
     * Print a string.  If the argument is null then the string
     * "null" is printed.  Otherwise, the string's characters are
     * converted into bytes according to the platform's default character
     * encoding, and these bytes are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      s   The String to be printed
     */
    public void print(String s) {
	if (s == null) {
	    s = "null";
	}
	write(s);
    }

    /**
     * Print an object.  The string produced by the {@link
     * java.lang.String#valueOf(Object)} method is translated into bytes
     * according to the platform's default character encoding, and these bytes
     * are written in exactly the manner of the
     * {@link #write(int)} method.
     *
     * @param      obj   The Object to be printed
     * @see        java.lang.Object#toString()
     */
    public void print(Object obj) {
	write(String.valueOf(obj));
    }


    /* Methods that do terminate lines */

    /**
     * Terminate the current line by writing the line separator string.  The
     * line separator string is defined by the system property
     * line.separator, and is not necessarily a single newline
     * character ('\n').
     */
    public void println() {
	newLine();
    }

    /**
     * Print a boolean and then terminate the line.  This method behaves as
     * though it invokes {@link #print(boolean)} and then
     * {@link #println()}.
     *
     * @param x  The boolean to be printed
     */
    public void println(boolean x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print a character and then terminate the line.  This method behaves as
     * though it invokes {@link #print(char)} and then
     * {@link #println()}.
     *
     * @param x  The char to be printed.
     */
    public void println(char x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print an integer and then terminate the line.  This method behaves as
     * though it invokes {@link #print(int)} and then
     * {@link #println()}.
     *
     * @param x  The int to be printed.
     */
    public void println(int x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print a long and then terminate the line.  This method behaves as
     * though it invokes {@link #print(long)} and then
     * {@link #println()}.
     *
     * @param x  a The long to be printed.
     */
    public void println(long x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print a float and then terminate the line.  This method behaves as
     * though it invokes {@link #print(float)} and then
     * {@link #println()}.
     *
     * @param x  The float to be printed.
     */
    public void println(float x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print a double and then terminate the line.  This method behaves as
     * though it invokes {@link #print(double)} and then
     * {@link #println()}.
     *
     * @param x  The double to be printed.
     */
    public void println(double x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print an array of characters and then terminate the line.  This method
     * behaves as though it invokes {@link #print(char[])} and
     * then {@link #println()}.
     *
     * @param x  an array of chars to print.
     */
    public void println(char x[]) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print a String and then terminate the line.  This method behaves as
     * though it invokes {@link #print(String)} and then
     * {@link #println()}.
     *
     * @param x  The String to be printed.
     */
    public void println(String x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

    /**
     * Print an Object and then terminate the line.  This method behaves as
     * though it invokes {@link #print(Object)} and then
     * {@link #println()}.
     *
     * @param x  The Object to be printed.
     */
    public void println(Object x) {
	synchronized (this) {
	    print(x);
	    newLine();
	}
    }

}
why-2.34/lib/java_api/java/io/InputStream.java0000644000175000017500000003504112311670312017606 0ustar  rtusers/*
 * @(#)InputStream.java	1.40 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;

/**
 * This abstract class is the superclass of all classes representing
 * an input stream of bytes.
 *
 * 
     Applications that need to define a subclass of InputStream
 * must always provide a method that returns the next byte of input.
 *
 * @author  Arthur van Hoff
 * @version 1.40, 01/23/03
 * @see     java.io.BufferedInputStream
 * @see     java.io.ByteArrayInputStream
 * @see     java.io.DataInputStream
 * @see     java.io.FilterInputStream
 * @see     java.io.InputStream#read()
 * @see     java.io.OutputStream
 * @see     java.io.PushbackInputStream
 * @since   JDK1.0
 */
public abstract class InputStream {

    // SKIP_BUFFER_SIZE is used to determine the size of skipBuffer
    private static final int SKIP_BUFFER_SIZE = 2048;
    // skipBuffer is initialized in skip(long), if needed.
    private static byte[] skipBuffer;

    /**
     * Reads the next byte of data from the input stream. The value byte is
     * returned as an int in the range 0 to
     * 255. If no byte is available because the end of the stream
     * has been reached, the value -1 is returned. This method
     * blocks until input data is available, the end of the stream is detected,
     * or an exception is thrown.
     *
     * 
     A subclass must provide an implementation of this method.
     *
     * @return     the next byte of data, or -1 if the end of the
     *             stream is reached.
     * @exception  IOException  if an I/O error occurs.
     */
    public abstract int read() throws IOException;

    /**
     * Reads some number of bytes from the input stream and stores them into
     * the buffer array b. The number of bytes actually read is
     * returned as an integer.  This method blocks until input data is
     * available, end of file is detected, or an exception is thrown.
     *
     * 
     If b is null, a
     * NullPointerException is thrown.  If the length of
     * b is zero, then no bytes are read and 0 is
     * returned; otherwise, there is an attempt to read at least one byte. If
     * no byte is available because the stream is at end of file, the value
     * -1 is returned; otherwise, at least one byte is read and
     * stored into b.
     *
     * 
     The first byte read is stored into element b[0], the
     * next one into b[1], and so on. The number of bytes read is,
     * at most, equal to the length of b. Let k be the
     * number of bytes actually read; these bytes will be stored in elements
     * b[0] through b[k-1],
     * leaving elements b[k] through
     * b[b.length-1] unaffected.
     *
     * 
     If the first byte cannot be read for any reason other than end of
     * file, then an IOException is thrown. In particular, an
     * IOException is thrown if the input stream has been closed.
     *
     * 
     The read(b) method for class InputStream
     * has the same effect as: 
     read(b, 0, b.length) 
    
     *
     * @param      b   the buffer into which the data is read.
     * @return     the total number of bytes read into the buffer, or
     *             -1 is there is no more data because the end of
     *             the stream has been reached.
     * @exception  IOException  if an I/O error occurs.
     * @exception  NullPointerException  if b is null.
     * @see        java.io.InputStream#read(byte[], int, int)
     */
    public int read(byte b[]) throws IOException {
	return read(b, 0, b.length);
    }

    /**
     * Reads up to len bytes of data from the input stream into
     * an array of bytes.  An attempt is made to read as many as
     * len bytes, but a smaller number may be read, possibly
     * zero. The number of bytes actually read is returned as an integer.
     *
     * 
     This method blocks until input data is available, end of file is
     * detected, or an exception is thrown.
     *
     * 
     If b is null, a
     * NullPointerException is thrown.
     *
     * 
     If off is negative, or len is negative, or
     * off+len is greater than the length of the array
     * b, then an IndexOutOfBoundsException is
     * thrown.
     *
     * 
     If len is zero, then no bytes are read and
     * 0 is returned; otherwise, there is an attempt to read at
     * least one byte. If no byte is available because the stream is at end of
     * file, the value -1 is returned; otherwise, at least one
     * byte is read and stored into b.
     *
     * 
     The first byte read is stored into element b[off], the
     * next one into b[off+1], and so on. The number of bytes read
     * is, at most, equal to len. Let k be the number of
     * bytes actually read; these bytes will be stored in elements
     * b[off] through b[off+k-1],
     * leaving elements b[off+k] through
     * b[off+len-1] unaffected.
     *
     * 
     In every case, elements b[0] through
     * b[off] and elements b[off+len] through
     * b[b.length-1] are unaffected.
     *
     * 
     If the first byte cannot be read for any reason other than end of
     * file, then an IOException is thrown. In particular, an
     * IOException is thrown if the input stream has been closed.
     *
     * 
     The read(b, off, len) method
     * for class InputStream simply calls the method
     * read() repeatedly. If the first such call results in an
     * IOException, that exception is returned from the call to
     * the read(b, off, len) method.  If
     * any subsequent call to read() results in a
     * IOException, the exception is caught and treated as if it
     * were end of file; the bytes read up to that point are stored into
     * b and the number of bytes read before the exception
     * occurred is returned.  Subclasses are encouraged to provide a more
     * efficient implementation of this method.
     *
     * @param      b     the buffer into which the data is read.
     * @param      off   the start offset in array b
     *                   at which the data is written.
     * @param      len   the maximum number of bytes to read.
     * @return     the total number of bytes read into the buffer, or
     *             -1 if there is no more data because the end of
     *             the stream has been reached.
     * @exception  IOException  if an I/O error occurs.
     * @exception  NullPointerException  if b is null.
     * @see        java.io.InputStream#read()
     */
    public int read(byte b[], int off, int len) throws IOException {
	if (b == null) {
	    throw new NullPointerException();
	} else if ((off < 0) || (off > b.length) || (len < 0) ||
		   ((off + len) > b.length) || ((off + len) < 0)) {
	    throw new IndexOutOfBoundsException();
	} else if (len == 0) {
	    return 0;
	}

	int c = read();
	if (c == -1) {
	    return -1;
	}
	b[off] = (byte)c;

	int i = 1;
	try {
	    for (; i < len ; i++) {
		c = read();
		if (c == -1) {
		    break;
		}
		if (b != null) {
		    b[off + i] = (byte)c;
		}
	    }
	} catch (IOException ee) {
	}
	return i;
    }

    /**
     * Skips over and discards n bytes of data from this input
     * stream. The skip method may, for a variety of reasons, end
     * up skipping over some smaller number of bytes, possibly 0.
     * This may result from any of a number of conditions; reaching end of file
     * before n bytes have been skipped is only one possibility.
     * The actual number of bytes skipped is returned.  If n is
     * negative, no bytes are skipped.
     *
     * 
     The skip method of InputStream creates a
     * byte array and then repeatedly reads into it until n bytes
     * have been read or the end of the stream has been reached. Subclasses are
     * encouraged to provide a more efficient implementation of this method.
     *
     * @param      n   the number of bytes to be skipped.
     * @return     the actual number of bytes skipped.
     * @exception  IOException  if an I/O error occurs.
     */
    public long skip(long n) throws IOException {

	long remaining = n;
	int nr;
	if (skipBuffer == null)
	    skipBuffer = new byte[SKIP_BUFFER_SIZE];

	byte[] localSkipBuffer = skipBuffer;
		
	if (n <= 0) {
	    return 0;
	}

	while (remaining > 0) {
	    nr = read(localSkipBuffer, 0,
		      (int) Math.min(SKIP_BUFFER_SIZE, remaining));
	    if (nr < 0) {
		break;
	    }
	    remaining -= nr;
	}
	
	return n - remaining;
    }

    /**
     * Returns the number of bytes that can be read (or skipped over) from
     * this input stream without blocking by the next caller of a method for
     * this input stream.  The next caller might be the same thread or or
     * another thread.
     *
     * 
     The available method for class InputStream
     * always returns 0.
     *
     * 
     This method should be overridden by subclasses.
     *
     * @return     the number of bytes that can be read from this input stream
     *             without blocking.
     * @exception  IOException  if an I/O error occurs.
     */
    public int available() throws IOException {
	return 0;
    }

    /**
     * Closes this input stream and releases any system resources associated
     * with the stream.
     *
     * 
     The close method of InputStream does
     * nothing.
     *
     * @exception  IOException  if an I/O error occurs.
     */
    public void close() throws IOException {}

    /**
     * Marks the current position in this input stream. A subsequent call to
     * the reset method repositions this stream at the last marked
     * position so that subsequent reads re-read the same bytes.
     *
     * 
     The readlimit arguments tells this input stream to
     * allow that many bytes to be read before the mark position gets
     * invalidated.
     *
     * 
     The general contract of mark is that, if the method
     * markSupported returns true, the stream somehow
     * remembers all the bytes read after the call to mark and
     * stands ready to supply those same bytes again if and whenever the method
     * reset is called.  However, the stream is not required to
     * remember any data at all if more than readlimit bytes are
     * read from the stream before reset is called.
     *
     * 
     The mark method of InputStream does
     * nothing.
     *
     * @param   readlimit   the maximum limit of bytes that can be read before
     *                      the mark position becomes invalid.
     * @see     java.io.InputStream#reset()
     */
    public synchronized void mark(int readlimit) {}

    /**
     * Repositions this stream to the position at the time the
     * mark method was last called on this input stream.
     *
     * 
     The general contract of reset is:
     *
     * 
      
     *
     * 
    •  If the method markSupported returns
     * true, then:
     *
     *     
      •  If the method mark has not been called since
     *     the stream was created, or the number of bytes read from the stream
     *     since mark was last called is larger than the argument
     *     to mark at that last call, then an
     *     IOException might be thrown.
     *
     *     
      •  If such an IOException is not thrown, then the
     *     stream is reset to a state such that all the bytes read since the
     *     most recent call to mark (or since the start of the
     *     file, if mark has not been called) will be resupplied
     *     to subsequent callers of the read method, followed by
     *     any bytes that otherwise would have been the next input data as of
     *     the time of the call to reset. 
      
     *
     * 
    •  If the method markSupported returns
     * false, then:
     *
     *     
      •  The call to reset may throw an
     *     IOException.
     *
     *     
      •  If an IOException is not thrown, then the stream
     *     is reset to a fixed state that depends on the particular type of the
     *     input stream and how it was created. The bytes that will be supplied
     *     to subsequent callers of the read method depend on the
     *     particular type of the input stream. 
    
     *
     * 
     The method reset for class InputStream
     * does nothing and always throws an IOException.
     *
     * @exception  IOException  if this stream has not been marked or if the
     *               mark has been invalidated.
     * @see     java.io.InputStream#mark(int)
     * @see     java.io.IOException
     */
    public synchronized void reset() throws IOException {
	throw new IOException("mark/reset not supported");
    }

    /**
     * Tests if this input stream supports the mark and
     * reset methods. Whether or not mark and
     * reset are supported is an invariant property of a
     * particular input stream instance. The markSupported method
     * of InputStream returns false.
     *
     * @return  true if this stream instance supports the mark
     *          and reset methods; false otherwise.
     * @see     java.io.InputStream#mark(int)
     * @see     java.io.InputStream#reset()
     */
    public boolean markSupported() {
	return false;
    }

}
why-2.34/lib/java_api/java/io/BufferedWriter.java0000644000175000017500000001570012311670312020252 0ustar  rtusers/*
 * @(#)BufferedWriter.java	1.24 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.io;


/**
 * Write text to a character-output stream, buffering characters so as to
 * provide for the efficient writing of single characters, arrays, and strings.
 *
 * 
     The buffer size may be specified, or the default size may be accepted.
 * The default is large enough for most purposes.
 *
 * 
     A newLine() method is provided, which uses the platform's own notion of
 * line separator as defined by the system property line.separator.
 * Not all platforms use the newline character ('\n') to terminate lines.
 * Calling this method to terminate each output line is therefore preferred to
 * writing a newline character directly.
 *
 * 
     In general, a Writer sends its output immediately to the underlying
 * character or byte stream.  Unless prompt output is required, it is advisable
 * to wrap a BufferedWriter around any Writer whose write() operations may be
 * costly, such as FileWriters and OutputStreamWriters.  For example,
 *
 * 
     * PrintWriter out
 *   = new PrintWriter(new BufferedWriter(new FileWriter("foo.out")));
 * 
    
 *
 * will buffer the PrintWriter's output to the file.  Without buffering, each
 * invocation of a print() method would cause characters to be converted into
 * bytes that would then be written immediately to the file, which can be very
 * inefficient.
 *
 * @see PrintWriter
 * @see FileWriter
 * @see OutputStreamWriter
 *
 * @version 	1.24, 03/01/23
 * @author	Mark Reinhold
 * @since	JDK1.1
 */

public class BufferedWriter extends Writer {

    private Writer out;

    private char cb[];
    private int nChars, nextChar;

    private static int defaultCharBufferSize = 8192;

    /**
     * Line separator string.  This is the value of the line.separator
     * property at the moment that the stream was created.
     */
    private String lineSeparator;

    /**
     * Create a buffered character-output stream that uses a default-sized
     * output buffer.
     *
     * @param  out  A Writer
     */
    public BufferedWriter(Writer out) {
	this(out, defaultCharBufferSize);
    }

    /**
     * Create a new buffered character-output stream that uses an output
     * buffer of the given size.
     *
     * @param  out  A Writer
     * @param  sz   Output-buffer size, a positive integer
     *
     * @exception  IllegalArgumentException  If sz is <= 0
     */
    public BufferedWriter(Writer out, int sz) {
	super(out);
	if (sz <= 0)
	    throw new IllegalArgumentException("Buffer size <= 0");
	this.out = out;
	cb = new char[sz];
	nChars = sz;
	nextChar = 0;

	lineSeparator =	(String) java.security.AccessController.doPrivileged(
               new sun.security.action.GetPropertyAction("line.separator"));
    }

    /** Check to make sure that the stream has not been closed */
    private void ensureOpen() throws IOException {
	if (out == null)
	    throw new IOException("Stream closed");
    }

    /**
     * Flush the output buffer to the underlying character stream, without
     * flushing the stream itself.  This method is non-private only so that it
     * may be invoked by PrintStream.
     */
    void flushBuffer() throws IOException {
	synchronized (lock) {
	    ensureOpen();
	    if (nextChar == 0)
		return;
	    out.write(cb, 0, nextChar);
	    nextChar = 0;
	}
    }

    /**
     * Write a single character.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void write(int c) throws IOException {
	synchronized (lock) {
	    ensureOpen();
	    if (nextChar >= nChars)
		flushBuffer();
	    cb[nextChar++] = (char) c;
	}
    }

    /**
     * Our own little min method, to avoid loading java.lang.Math if we've run
     * out of file descriptors and we're trying to print a stack trace.
     */
    private int min(int a, int b) {
	if (a < b) return a;
	return b;
    }

    /**
     * Write a portion of an array of characters.
     *
     * 
     Ordinarily this method stores characters from the given array into
     * this stream's buffer, flushing the buffer to the underlying stream as
     * needed.  If the requested length is at least as large as the buffer,
     * however, then this method will flush the buffer and write the characters
     * directly to the underlying stream.  Thus redundant
     * BufferedWriters will not copy data unnecessarily.
     *
     * @param  cbuf  A character array
     * @param  off   Offset from which to start reading characters
     * @param  len   Number of characters to write
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void write(char cbuf[], int off, int len) throws IOException {
	synchronized (lock) {
	    ensureOpen();
            if ((off < 0) || (off > cbuf.length) || (len < 0) ||
                ((off + len) > cbuf.length) || ((off + len) < 0)) {
                throw new IndexOutOfBoundsException();
            } else if (len == 0) {
                return;
            } 

	    if (len >= nChars) {
		/* If the request length exceeds the size of the output buffer,
		   flush the buffer and then write the data directly.  In this
		   way buffered streams will cascade harmlessly. */
		flushBuffer();
		out.write(cbuf, off, len);
		return;
	    }

	    int b = off, t = off + len;
	    while (b < t) {
		int d = min(nChars - nextChar, t - b);
		System.arraycopy(cbuf, b, cb, nextChar, d);
		b += d;
		nextChar += d;
		if (nextChar >= nChars)
		    flushBuffer();
	    }
	}
    }

    /**
     * Write a portion of a String.
     *
     * @param  s     String to be written
     * @param  off   Offset from which to start reading characters
     * @param  len   Number of characters to be written
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void write(String s, int off, int len) throws IOException {
	synchronized (lock) {
	    ensureOpen();

	    int b = off, t = off + len;
	    while (b < t) {
		int d = min(nChars - nextChar, t - b);
		s.getChars(b, b + d, cb, nextChar);
		b += d;
		nextChar += d;
		if (nextChar >= nChars)
		    flushBuffer();
	    }
	}
    }

    /**
     * Write a line separator.  The line separator string is defined by the
     * system property line.separator, and is not necessarily a single
     * newline ('\n') character.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void newLine() throws IOException {
	write(lineSeparator);
    }

    /**
     * Flush the stream.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void flush() throws IOException {
	synchronized (lock) {
	    flushBuffer();
	    out.flush();
	}
    }

    /**
     * Close the stream.
     *
     * @exception  IOException  If an I/O error occurs
     */
    public void close() throws IOException {
	synchronized (lock) {
	    if (out == null)
		return;
	    flushBuffer();
	    out.close();
	    out = null;
	    cb = null;
	}
    }

}
why-2.34/tools/0000755000175000017500000000000012311670312011755 5ustar  rtuserswhy-2.34/tools/cvcl_split.mll0000644000175000017500000000662612311670312014637 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*i $Id: cvcl_split.mll,v 1.13 2010-01-17 16:07:14 bobot Exp $ i*)

{

  open Printf
  open Lexing

  let debug = ref false
  let callback = ref (fun _ _ -> assert false)

  (* we put everything not a goal into [buf] *)
  let buf = Buffer.create 8192
  let buf_goal = Buffer.create 512

  let print_hypo s = Buffer.add_string buf s
  let print_goal s = Buffer.add_string buf_goal s

  let start_file () =
    Buffer.reset buf_goal

  let end_file () =
    !callback "cvcl.cvc" [buf;buf_goal]

}

(* copy everything into [buf] until we find a query *)
rule split = parse
  | "QUERY" 
      { start_file ();
	print_goal "QUERY"; query lexbuf; end_file (); split lexbuf }
  | "%" [^'\n']* '\n' 
      { print_hypo (lexeme lexbuf); split lexbuf }
  | eof 
      { () }
  | _ 
      { print_hypo (lexeme lexbuf); split lexbuf }

(* copy the query up to the semi-colon *)
and query = parse
  | ";" { print_goal ";" }
  | "%" [^'\n']* '\n' 
        { print_goal (lexeme lexbuf); query lexbuf }
  | eof { () }
  | _   { print_goal (lexeme lexbuf); query lexbuf }

{

  let iter cb c =
    callback := cb;
    Buffer.reset buf;
    let lb = from_channel c in
    split lb

}

why-2.34/tools/regtest.ml0000644000175000017500000006205612311670312013775 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(** the options to launch the toplevel with if the test file is not
     annotated with test options *)
let default_options = [ "" ]

(** the list of tests suites to consider *)
let default_suites =
[ "java" ; "c" ]

let () =
(*
  Unix.putenv "FRAMAC_SHARE" (Filename.concat Filename.current_dir_name "share");
*)
  Unix.putenv "OCAMLRUNPARAM" ""

(** the name of the directory-wide configuration file*)
let dir_config_file = "test_config"

(** the files in [suites] whose name matches
    the pattern [test_file_regexp] will be considered as test files *)
let test_file_regexp = ".*\\.\\(java\\|c\\)$"

(** the pattern that ends the parsing of options in a test file *)
let end_comment = Str.regexp ".*\\*/"

let opt_to_byte =
  let opt = Str.regexp "[.]opt$" in
  function toplevel ->
    Str.global_replace opt ".byte" toplevel

let base_path = Filename.current_dir_name
(*    (Filename.concat
        (Filename.dirname Sys.executable_name)
	Filename.parent_dir_name)
*)

let test_path = "tests"

(** Command-line flags *)

type behavior = Examine | Update | Run | Show
let behavior = ref Run
let verbosity = ref 0
let use_byte = ref false
let do_diffs = ref "diff -u"
let n = ref 2    (* the level of parallelism *)
let suites = ref []
(** options given to toplevel for all tests *)
let additional_options = ref ""
(** special configuration, with associated oracles *)
let special_config = ref ""

let m = Mutex.create ()

let lock_fprintf f =
  Mutex.lock m;
  Format.kfprintf (fun _ -> Mutex.unlock m) f

let lock_printf s = lock_fprintf Format.std_formatter s
let lock_eprintf s = lock_fprintf Format.err_formatter s

let make_test_suite s =
  suites := s :: !suites

let () = Arg.parse
  [
    "", Arg.Unit (fun () -> ()) , "" ;
    "-examine", Arg.Unit (fun () -> behavior := Examine) ,
    " Examine the logs that are different from oracles.";
    "-update", Arg.Unit (fun () -> behavior := Update) ,
    " Take the current logs as oracles.";
    "-show", Arg.Unit (fun () -> behavior := Show; use_byte := true) ,
    " Show the results of the tests. Sets -byte.";
    "-run", Arg.Unit (fun () -> behavior := Run) ,
    "(default)  Delete the logs, run the tests, then examine the logs that are different from the oracles.";
    "", Arg.Unit (fun () -> ()) , "" ;
    "-v", Arg.Unit (fun () -> incr verbosity), " Increase verbosity (up to twice)" ;
    "-diff", Arg.String (fun s -> do_diffs := s), "  Use command for diffs" ;
    "-j", Arg.Int (fun i -> if i>=0 then n := i else ( lock_printf "Option -j requires nonnegative argument@."; exit (-1))), "  Use nonnegative integer n for level of parallelism" ;
    "-byte", Arg.Set use_byte, " Use bytecode toplevel";
    "-opt", Arg.Clear use_byte, " Use native toplevel (default)";
    "-config", Arg.Set_string special_config, " Use special configuration \
      and oracles";
    "-add-options", Arg.Set_string additional_options,
    "add additional options to be passed to the toplevels \
     that will be launched";
    "", Arg.Unit (fun () -> ()) ,"\nA test suite can be the name of a directory in ./tests or the path to a file.\n\nExamples:\nregtest\nregtest -diff \"echo diff\" -examine     # see again the list of tests that failed\nregtest misc                           # for a single test suite\nregtest tests/misc/alias.c             # for a single test\nregtest -examine tests/misc/alias.c    # to see the differences again\nregtest -v -j 1                        # to check the time taken by each test\n"
  ]
  make_test_suite
  "usage: ./regtest.opt [options] [names of test suites]"

(* redefine config file if special configuration expected *)
let dir_config_file = 
  if !special_config = "" then dir_config_file else
    dir_config_file ^ "_" ^ !special_config

let make_toplevel_path exec = exec
(*  if Filename.is_relative exec then
    Filename.concat (Filename.concat base_path "bin") exec
  else exec
*)

(* redefine oracle directory if special configuration expected *)
let oracle_dirname = 
  if !special_config = "" then "oracle" else
    "oracle_" ^ !special_config
 
(* redefine result directory if special configuration expected *)
let result_dirname = 
  if !special_config = "" then "result" else
    "result_" ^ !special_config

let gen_make_file s dir file = Filename.concat (Filename.concat dir s) file
let make_result_file = gen_make_file result_dirname
let make_oracle_file = gen_make_file oracle_dirname

let toplevel_path =
  make_toplevel_path (gen_make_file "tests" base_path "regtest.sh")

type execnow =
    {
      ex_cmd: string;      (** command to launch *)
      ex_log: string list; (** log files *)
      ex_bin: string list; (** bin files *)
      ex_dir: string;      (** directory of test suite *)
    }

(** configuration of a directory/test. *)
type config =
    {
      dc_test_regexp: string; (** regexp of test files. *)
      dc_execnow    : execnow option; (** command to be launched before
                                         the toplevel(s)
                                     *)
      dc_toplevel   : string; (** full path of the toplevel used *)
      dc_filter     : string option; (** optional filter to apply to
			      standard output *)
      dc_options    : string list; (** options to launch the toplevel on *)
      dc_dont_run   : bool;
    }

let default_config =
  { dc_test_regexp = test_file_regexp ;
    dc_execnow = None;
    dc_toplevel = toplevel_path ;
    dc_filter = None ;
    dc_options = default_options ;
    dc_dont_run = false;
  }

let launch command_string =
  let result = Unix.system command_string in
  match result with
  | Unix.WEXITED 127 ->
      lock_printf "%% Couldn't execute command `%s'@.Retrying once.@." command_string;
      Thread.delay 0.1;
      ( match Unix.system command_string with
	Unix.WEXITED r when r <> 127 -> r
      | _ -> lock_printf "%% Retry failed, exiting.@."; exit 1 )
  | Unix.WEXITED r -> r
  | Unix.WSIGNALED s ->
      lock_printf "%% SIGNAL %d received while executing command:@\n%s@\nStopping@."
	s command_string ;
      exit 1
  | Unix.WSTOPPED s ->
      lock_printf "%% STOP %d received while executing command:@\n%s@\nStopping@."
	s command_string;
      exit 1

let scan_execnow dir (s:string) =
  let rec aux (s:execnow) =
    try
      Scanf.sscanf s.ex_cmd "%[ ]LOG %[A-Za-z0-9_',+=:.] %s@\n"
	(fun _ name cmd ->
	   aux { s with ex_cmd = cmd; ex_log = name :: s.ex_log })
    with Scanf.Scan_failure _ ->
      try
	Scanf.sscanf s.ex_cmd "%[ ]BIN %[A-Za-z0-9.] %s@\n"
	  (fun _ name cmd ->
	     aux { s with ex_cmd = cmd; ex_bin = name :: s.ex_bin })
      with Scanf.Scan_failure _ ->
	s
  in
  aux { ex_cmd = s; ex_log = []; ex_bin = []; ex_dir = dir }

(* how to process options *)
let config_options =
  [ "CMD",
    (fun _ s (current,rev_opts) ->
       { current with dc_toplevel = make_toplevel_path s}, rev_opts);

    "OPT",
    (fun _ s (current,rev_opts) -> current, (s::rev_opts) );

    "FILEREG",
    (fun _ s (current,rev_opts) ->
       { current with dc_test_regexp = s }, rev_opts );

    "FILTER",
    (fun _ s (current,rev_opts) ->
       { current with dc_filter = Some s }, rev_opts );

    "GCC",
    (fun _ _ acc -> acc);

    "COMMENT",
    (fun _ _ acc -> acc);

    "DONTRUN",
    (fun _ _s (current,rev_opts) ->
       { current with dc_dont_run = true }, rev_opts );

    "EXECNOW",
    (fun dir s (current,rev_opts)->
       let execnow = scan_execnow dir s in
       { current with dc_execnow = Some execnow }, rev_opts);
  ]

let scan_options dir scan_buffer default =
  let r = ref (default, [])  in
  let treat_line s =
    try
      Scanf.sscanf s "%[ *]%[A-Za-z0-9]:%s@\n"
        (fun _ name opt ->
          try
            r := (List.assoc name config_options) dir opt !r
          with Not_found ->
            lock_eprintf "@[unknown configuration option: %s@\n%!@]" name)
    with Scanf.Scan_failure _ ->
      if Str.string_match end_comment s 0
      then raise End_of_file
      else ()
  in
  try
    while true do
      Scanf.bscanf scan_buffer "%s@\n" treat_line
    done;
    assert false
  with
    End_of_file ->
      let rev_options = snd !r in
      let options =
	if rev_options = []
	then default.dc_options
	else List.rev rev_options
      in
      { (fst !r) with dc_options = options }

let scan_test_file default dir f =
  let f = Filename.concat dir f in
  let exists_as_file =
    try
      (Unix.lstat f).Unix.st_kind = Unix.S_REG
    with Unix.Unix_error _ | Sys_error _ -> false
  in
    if exists_as_file then begin
        let scan_buffer = Scanf.Scanning.from_file f in
          try
            Scanf.bscanf scan_buffer "/* run.config%s@\n" (fun _ -> ());
            scan_options dir scan_buffer default
          with
            | End_of_file
            | Scanf.Scan_failure _ ->
                default
      end else
      (* if the file has disappeared, don't try to run it... *)
      { default with dc_dont_run = true }

type toplevel_command =
    { file : string ;
      options : string ;
      toplevel: string ;
      filter : string option ;
      directory : string ;
      n : int }

type command =
  | Toplevel of toplevel_command
  | Target of execnow * command Queue.t

type log = Err | Res

type diff =
  | Command_error of toplevel_command * log
  | Target_error of execnow
  | Log_error of string (** directory *) * string (** file *)

type cmps =
  | Cmp_Toplevel of toplevel_command
  | Cmp_Log of string (** directory *) * string (** file *)

type shared =
    { lock : Mutex.t ;
      lock_target : Mutex.t ;
      commands_empty : Condition.t ;
      work_available : Condition.t ;
      diff_available : Condition.t ;
      mutable commands : command Queue.t ; (* file, options, number *)
      cmps : cmps Queue.t ;
      (* command that has finished its execution *)
      diffs : diff Queue.t ;
      (* cmp that showed some difference *)
      mutable commands_finished : bool ;
      mutable cmp_finished : bool ;
      mutable summary_run : int ;
      mutable summary_ok : int ;
      mutable summary_log : int;
    }

let shared =
  { lock = Mutex.create () ;
    lock_target = Mutex.create () ;
    commands_empty = Condition.create () ;
    work_available = Condition.create () ;
    diff_available = Condition.create () ;
    commands = Queue.create () ;
    cmps = Queue.create () ;
    diffs = Queue.create () ;
    commands_finished = false ;
    cmp_finished = false ;
    summary_run = 0 ;
    summary_ok = 0 ;
    summary_log = 0 }

let unlock () = Mutex.unlock shared.lock

let lock () = Mutex.lock shared.lock

let catenate_number prefix n =
  if n > 0
  then prefix ^ "." ^ (string_of_int n)
  else prefix

let name_without_extension command =
  try
    (Filename.chop_extension command.file)
  with
    Invalid_argument _ ->
      failwith ("Ce nom de fichier de test ne comporte pas d'extension: " ^
		   command.file)

let gen_prefix s cmd =
  let prefix = gen_make_file s cmd.directory (name_without_extension cmd) in
  catenate_number prefix cmd.n

let log_prefix = gen_prefix result_dirname
let oracle_prefix = gen_prefix oracle_dirname

let basic_command_string command =
  command.toplevel ^ " " ^
    command.options ^ " " ^
    !additional_options ^ " " ^
    (Filename.concat command.directory command.file)

let command_string command =
  let log_prefix = log_prefix command in
  let command_string = basic_command_string command in
  let command_string =
    command_string ^ " 2>" ^ log_prefix ^ ".err.log"
  in
  let command_string =
    match command.filter with
      None -> command_string
    | Some filter ->
	command_string ^ " | " ^ filter
  in
  let command_string =
    command_string ^ " >" ^ log_prefix ^ ".res.log"
  in
  command_string

let update_toplevel_command command =
  let log_prefix = log_prefix command in
  let oracle_prefix = oracle_prefix command in
  let command_string =
    "cp " ^
      log_prefix ^ ".res.log " ^
      oracle_prefix ^ ".res.oracle"
  in
  ignore (launch command_string);
 let command_string =
    "cp " ^
      log_prefix ^ ".err.log " ^
      oracle_prefix ^ ".err.oracle"
  in
  ignore (launch command_string)

let update_command = function
    Toplevel cmd -> update_toplevel_command cmd
  | Target _ -> assert false

let update_log_files dir file =
  let command_string =
    "cp " ^ make_result_file dir file ^ " " ^ make_oracle_file dir file
  in
  ignore (launch command_string)

let do_command command =
  match command with
    Toplevel command ->
      (* Update : copy the logs. Do not enqueue any cmp
         Run | Show: launch the command, then enqueue the cmp
         Examine : just enqueue the cmp *)
      if !behavior = Update
      then update_toplevel_command command
      else begin
          (* Run, Show or Examine *)
          if !behavior <> Examine
          then begin
	      let command_string = command_string command in
	      if !verbosity >= 1
	      then lock_printf "%s@." command_string ;
	      ignore (launch command_string)
	    end;
	  lock ();
	  shared.summary_run <- succ shared.summary_run ;
	  shared.summary_log <- shared.summary_log + 2 ;
	  Queue.push (Cmp_Toplevel command) shared.cmps;
	  unlock ()
	end
  | Target (execnow, cmds) ->
      if !behavior = Update then begin
	  List.iter (update_log_files execnow.ex_dir) execnow.ex_log;
          Queue.iter update_command cmds
	end else
        begin
          let res =
            if !behavior <> Examine then begin
		let filenames =
		  List.fold_left
		    (fun s f -> s ^ " " ^ make_result_file execnow.ex_dir f)
		    ""
		    (execnow.ex_bin @ execnow.ex_log)
		in
		(* TODO this should be done with Unix.unlink *)
		ignore (launch ("rm" ^ filenames ^ " 2> /dev/null"));
		Mutex.lock shared.lock_target;
		let r = launch execnow.ex_cmd in
		Mutex.unlock shared.lock_target;
		r
              end else
	      0
          in
          lock();
	  shared.summary_log <- succ shared.summary_log;
          if res = 0
	  then begin
	      shared.summary_ok <- succ shared.summary_ok;
              Queue.transfer shared.commands cmds;
	      shared.commands <- cmds;
              Condition.signal shared.work_available;
	      if !behavior = Examine || !behavior = Run
	      then begin
		  List.iter
		    (fun f -> Queue.push (Cmp_Log(execnow.ex_dir, f)) shared.cmps)
		    execnow.ex_log
		end
            end
	  else begin
	      let treat_cmd = function
		  Toplevel cmd ->
		    shared.summary_run <- shared.summary_run + 1;
		    let log_prefix = log_prefix cmd in
		    begin try
			Unix.unlink (log_prefix ^ ".res.log ")
		      with Unix.Unix_error _ -> ()
		    end;
		| Target _ -> assert false
	      in
	      Queue.iter treat_cmd cmds;
              Queue.push (Target_error execnow) shared.diffs;
              Condition.signal shared.diff_available
            end;
          unlock()
        end

let log_ext = function Res -> ".res" | Err -> ".err"

let compare_one_file cmp log_prefix oracle_prefix log_kind =
  if !behavior = Show
  then begin
    lock();
    Queue.push (Command_error(cmp,log_kind)) shared.diffs;
    Condition.signal shared.diff_available;
    unlock()
  end else
    let ext = log_ext log_kind in
    let log_file = log_prefix ^ ext ^ ".log " in
    let oracle_file = oracle_prefix ^ ext ^ ".oracle" in
    let cmp_string = "cmp -s " ^ log_file ^ oracle_file in
    if !verbosity >= 2 then lock_printf "%% cmp%s (%d) :%s@."
      ext
      cmp.n
      cmp_string;
    match launch cmp_string with
      0 ->
	lock();
	shared.summary_ok <- shared.summary_ok + 1;
	unlock()
    | 1 ->
	lock();
	Queue.push (Command_error (cmp,log_kind)) shared.diffs;
	Condition.signal shared.diff_available;
	unlock()
    | 2 ->
	lock_printf
	  "%% System error while comparing. Maybe one of the files is missing...@\n%s or %s@."
	  log_file oracle_file;
    | _ -> assert false

let compare_one_log_file dir file =
  if !behavior = Show
  then begin
    lock();
    Queue.push (Log_error(dir,file)) shared.diffs;
    Condition.signal shared.diff_available;
    unlock()
  end else
    let log_file = make_result_file dir file in
    let oracle_file = make_oracle_file dir file in
    let cmp_string = "cmp -s " ^ log_file ^ " " ^ oracle_file in
    if !verbosity >= 2 then lock_printf "%% cmplog: %s / %s@." dir file;
    shared.summary_log <- succ shared.summary_log;
    match launch cmp_string with
      0 ->
	lock();
	shared.summary_ok <- shared.summary_ok + 1;
	unlock()
    | 1 ->
	lock();
	Queue.push (Log_error (dir,file)) shared.diffs;
	Condition.signal shared.diff_available;
	unlock()
    | 2 ->
	lock_printf
	  "%% System error while comparing. Maybe one of the files is missing...@\n%s or %s@."
	  log_file oracle_file;
    | _ -> assert false

let do_cmp = function
  | Cmp_Toplevel cmp ->
      let log_prefix = log_prefix cmp in
      let oracle_prefix = oracle_prefix cmp in
      compare_one_file cmp log_prefix oracle_prefix Res;
      compare_one_file cmp log_prefix oracle_prefix Err
  | Cmp_Log(dir, f) ->
      compare_one_log_file dir f

let worker_thread () =
  while true do
    lock () ;
    if (Queue.length shared.commands) + (Queue.length shared.cmps) < !n
    then Condition.signal shared.commands_empty;
    try
      let cmp = Queue.pop shared.cmps in
      unlock () ;
      do_cmp cmp
    with Queue.Empty ->
      try
	let command = Queue.pop shared.commands in
	unlock () ;
	do_command command
      with Queue.Empty ->
	if shared.commands_finished then (unlock () ; Thread.exit ());

	Condition.signal shared.commands_empty;
	(* we still have the lock at this point *)

	Condition.wait shared.work_available shared.lock;
	  (* this atomically releases the lock and suspends
	     the thread on the condition work_available *)

	unlock ();
  done

let do_diff = function
  | Command_error (diff, kind) ->
      let log_prefix = log_prefix diff in
      let log_ext = log_ext kind in
      let command_string = command_string diff in
      lock_printf "Command:@\n%s@." command_string;
      if !behavior = Show
      then ignore (launch ("cat " ^ log_prefix ^ log_ext ^ ".log"))
      else
        let oracle_prefix = oracle_prefix diff in
        let diff_string =
          !do_diffs ^ " " ^
	    oracle_prefix ^ log_ext ^ ".oracle " ^
	    log_prefix ^ log_ext ^ ".log"
        in
        ignore (launch diff_string)
  | Target_error execnow ->
      lock_printf "Custom command failed: %s@\n" execnow.ex_cmd
  | Log_error(dir, file) ->
      let result_file = make_result_file dir file in
      lock_printf "Log of %s:@." result_file;
      if !behavior = Show
      then ignore (launch ("cat " ^ result_file))
      else
        let diff_string =
	  !do_diffs ^ " " ^ make_oracle_file dir file ^ " " ^ result_file
	in
        ignore (launch diff_string)


let diff_thread () =
  lock () ;
  while true do
    try
      let diff = Queue.pop shared.diffs in
      unlock ();
      do_diff diff;
      lock ()
    with Queue.Empty ->
      if shared.cmp_finished then (unlock () ; Thread.exit ());

      Condition.wait shared.diff_available shared.lock
      (* this atomically releases the lock and suspends
	 the thread on the condition cmp_available *)
  done

let test_pattern config =
  let regexp = Str.regexp config.dc_test_regexp in
  fun file ->
    Str.string_match regexp file 0

let files = Queue.create ()

(* test for a possible toplevel configuration. *)
let default_config =
  let general_config_file = Filename.concat test_path dir_config_file in
    if Sys.file_exists general_config_file
    then begin
      let scan_buffer = Scanf.Scanning.from_file general_config_file in
      scan_options Filename.current_dir_name scan_buffer default_config
    end
    else default_config

let () =
  (* enqueue the test files *)
  let suites =
    match !suites with
      [] -> default_suites
    | l -> List.rev l
  in
  List.iter
    (fun suite ->
       if !verbosity >= 2 then lock_printf "%% Now treating test %s\n%!" suite;
      (* the "suite" may be a directory in [test_path] or a single file *)
      let interpret_as_file =
	try
	  ignore (Filename.chop_extension suite);
	  true
	with Invalid_argument _ -> false
      in
      let directory =
	if interpret_as_file
	then
	  Filename.dirname suite
	else
	  Filename.concat test_path suite
      in
      let config = Filename.concat directory dir_config_file in
      let dir_config =
        if Sys.file_exists config
	then begin
	    let scan_buffer = Scanf.Scanning.from_file config in
            scan_options directory scan_buffer default_config
        end
	else default_config
      in
      if interpret_as_file
      then Queue.push (Filename.basename suite, directory, dir_config) files
      else begin
	  let dir_files = Sys.readdir directory in
	  for i = 0 to pred (Array.length dir_files) do
	    let file = dir_files.(i) in
	    assert (Filename.is_relative file);
	    if test_pattern dir_config file
	    then Queue.push (file, directory, dir_config) files;
	  done
	end)
    suites

let dispatcher () =
  try
    while true
    do
      lock ();
      while (Queue.length shared.commands) + (Queue.length shared.cmps) >= !n
      do
	Condition.wait shared.commands_empty shared.lock;
      done;
      (* we have the lock *)
      let file, directory, config = Queue.pop files in
      let config =
        scan_test_file config directory file in
      let toplevel =
	if not !use_byte
	then config.dc_toplevel
	else opt_to_byte config.dc_toplevel
      in
      let i = ref 0 in
      let make_toplevel_cmd option =
        {file=file; options = option; toplevel = toplevel;
         n = !i; directory = directory;
	 filter = config.dc_filter}
      in
      let treat_option q option =
	Queue.push
	  (Toplevel (make_toplevel_cmd option))
	  q;
	incr i
      in
      if not config.dc_dont_run
      then begin
      (match config.dc_execnow with
         | Some s ->
	     let subworkqueue = Queue.create () in
	     List.iter (treat_option subworkqueue) config.dc_options;
             Queue.push
               (Target (s, subworkqueue))
               shared.commands
         | None ->
             List.iter
	       (treat_option shared.commands)
	       config.dc_options);
      Condition.broadcast shared.work_available;
      end;
      unlock () ;
      done
  with Queue.Empty ->
    shared.commands_finished <- true;
    unlock ()

let () =
  let worker_ids = Array.init !n
    (fun _ -> Thread.create worker_thread ())
  in
  let diff_id = Thread.create diff_thread () in

  dispatcher ();
  if !behavior = Run
  then
    lock_printf "%% Dispatch finished, waiting for workers to complete@.";
  ignore (Thread.create
    (fun () ->
      while true do
	Condition.broadcast shared.work_available;
	Thread.delay 0.5;
      done)
    ());
  Array.iter Thread.join worker_ids;

  if !behavior = Run
  then
    lock_printf "%% Comparisons finished, waiting for diffs to complete@.";
  lock();
  shared.cmp_finished <- true;
  unlock();
  ignore (Thread.create
    (fun () ->
      while true do
	Condition.broadcast shared.diff_available;
	Thread.delay 0.5;
      done)
    ());
  Thread.join diff_id;
  if !behavior = Run
  then
    lock_printf "%% Diffs finished. Summary:@\nRun = %d@\nOk  = %d of %d@."
      shared.summary_run shared.summary_ok shared.summary_log;
  exit 0;


(*
Local Variables: 
compile-command: "make -j -C .. regtest.byte"
End: 
*)
why-2.34/tools/dpConfig.mli0000644000175000017500000000672312311670312014221 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)




type prover_id =
    Simplify | Harvey | Cvcl | Zenon | Rvsat | Yices | Ergo | ErgoSelect
  | Cvc3 | SimplifySelect | Z3 | Gappa | GappaSelect
  | Coq | PVS | VeriT | Vampire

type lazy_regexp =
  {
    regexp : string;
    mutable cregexp  : Str.regexp option;
  }

type prover_data =
  {
    name : string;
    is_interactive : bool;
    mutable version: string;
    version_switch : string;
    version_regexp : string;
    versions_ok : string list;
    versions_old : string list;
    mutable command : string;
    command_switches : string;
    valid_regexp : lazy_regexp option;
    undecided_regexp : lazy_regexp;
    stdin_switch : string option;
  }


val alt_ergo : prover_data

val simplify : prover_data

val vampire: prover_data

val z3 : prover_data

val yices : prover_data

val verit: prover_data

val cvc3 : prover_data

(* cvcl is in fact cvc3 with native language *)
val cvcl : prover_data

val gappa : prover_data

val coq : prover_data

val pvs : prover_data

val prover_list : (prover_id * (prover_data * string list)) list
  (** list of all known provers: uniq id, data, list of possible command names *)

val rc_file : unit -> string

val load_rc_file : unit -> unit

val save_rc_file : unit -> unit
why-2.34/tools/simplify_ast.mli0000644000175000017500000000575412311670312015176 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

type term = 
  | Tconst of string (* int constant *)
  | Tapp of string * term list

type trigger = term list

type rel = Eq | Neq | Lt | Le | Gt | Ge

type predicate = 
  | Ptrue
  | Pfalse
  | Prel of term * rel * term
  | Pnot of predicate
  | Pand of predicate list
  | Por of predicate list
  | Pimplies of predicate * predicate
(*
  | Pexplies of predicate * predicate
*)
  | Piff of predicate * predicate
  | Pdistinct of term list
  | Pforall of string list * trigger list * predicate
  | Pexists of string list * trigger list * predicate
  | Plblpos of string * predicate
  | Plblneg of string * predicate

type decl =
  | Axiom of predicate
  | Goal of predicate
  | Defpred of string * string list * predicate

type t = decl list
why-2.34/tools/cvcl_split.mli0000644000175000017500000000471712311670312014633 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Split a CVC Lite input file into several files, one for each query.
   The function passed is iterated over each sub-file. *)

val iter : (string -> Buffer.t list -> unit) -> in_channel -> unit

why-2.34/tools/simplify_split.mll0000644000175000017500000001024512311670312015534 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*i $Id: simplify_split.mll,v 1.13 2009-12-27 16:46:36 bobot Exp $ i*)

{

  open Printf
  open Lexing 

  let no_remove = ref false
  let callback = ref (fun _ _ -> assert false)

  (* we put everything not a goal into [buf] *)
  let buf = Buffer.create 8192

  let outc = ref stdout
  let print s = output_string !outc s

  let start_file () =
    let f = Filename.temp_file "simplify" ".sx" in
    outc := open_out f;
    print (Buffer.contents buf);
    f

  let end_file file =
    close_out !outc;
    !callback file [];
    Lib.remove_file ~debug:!no_remove file

}

let space = [' ' '\t' '\n' '\r']
let ident = ['a'-'z' 'A'-'Z']+

rule split = parse
  | ";" [^'\n']* '\n' 
        { Buffer.add_string buf (lexeme lexbuf); split lexbuf }
  | "(" space* ("BG_PUSH" | "DEFPRED")
      { Buffer.add_string buf (lexeme lexbuf); 
	lisp_copy lexbuf; split lexbuf }
  | ident 
      { let file = start_file () in 
	print (lexeme lexbuf); end_file file; split lexbuf }
  | "("
      { let file = start_file () in 
	print (lexeme lexbuf); query lexbuf; end_file file; split lexbuf }
  | eof 
      { () }
  | _ 
      { Buffer.add_string buf (lexeme lexbuf); split lexbuf }

(* copies into [buf] until the end of the S-expression *)
and lisp_copy = parse
  | "(" { Buffer.add_char buf '('; lisp_copy lexbuf; lisp_copy lexbuf }
  | ")" { Buffer.add_char buf ')' }
  | ";" [^'\n']* '\n' 
        { Buffer.add_string buf (lexeme lexbuf); lisp_copy lexbuf }
  | eof { () }
  | _   { Buffer.add_string buf (lexeme lexbuf); lisp_copy lexbuf }

(* prints up to the end of the S-expression *)
and query = parse
  | ")" { print ")" }
  | "(" { print "("; query lexbuf; query lexbuf }
  | ";" [^'\n']* '\n' 
        { print (lexeme lexbuf); query lexbuf }
  | eof { () }
  | _   { print (lexeme lexbuf); query lexbuf }

{

  let iter ~debug cb c =
    callback := cb;
    no_remove := debug;
    Buffer.reset buf;
    let lb = from_channel c in
    split lb

}

why-2.34/tools/whystat.ml0000644000175000017500000001425312311670312014017 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* Statistics on Why goals *)

open Format
open Pp
open Ident
open Logic
open Ptree

let out = ref ""
let prefix = ref "x"

let spec = []
let usage = "why-stat files..."

let files = Queue.create ()

let rec explain_exception fmt = function
  | Lexer.Lexical_error s -> 
      fprintf fmt "Lexical error: %s" s
  | Parsing.Parse_error -> 
      fprintf fmt "Syntax error"
  | Stream.Error s -> 
      fprintf fmt "Syntax error: %s" s
  | Loc.Located (loc, e) ->
      fprintf fmt "%a%a" Loc.report_position loc explain_exception e
  | e ->
      fprintf fmt "Anomaly: %s" (Printexc.to_string e); raise e

let add_file f =
  try
    let c = open_in f in
    let lb = Lexing.from_channel c in
    lb.Lexing.lex_curr_p <- { lb.Lexing.lex_curr_p with Lexing.pos_fname = f };
    let p = Lexer.parse_file lb in
    Queue.add p files;
    close_in c
  with e -> 
    explain_exception err_formatter e;
    pp_print_newline err_formatter ();
    exit 1

let () = Arg.parse spec add_file usage

(* sets of identifiers *)
module S = struct
  include Idset
  let print fmt s =
    let l = Idset.elements s in
    print_list (fun fmt () -> fprintf fmt ",") Ident.print fmt l
end
(* multisets of sets of identifiers *)
module M = struct
  module MS = Map.Make(S)
  let ms = ref MS.empty
  let add s = 
    try incr (MS.find s !ms) 
    with Not_found -> ms := MS.add s (ref 1) !ms
  let print fmt =
    let l = MS.fold (fun s r l -> (!r,s) :: l) !ms [] in
    let l = List.sort (fun (n1,_) (n2,_) -> compare n2 n1) l in
    List.iter (fun (n,s) -> fprintf fmt "%8d %a@\n" n S.print s) l
end

let ident avoid s id = if not (S.mem id avoid) then S.add id s else s

let rec lexpr avoid s p = match p.pp_desc with
  | PPvar id -> 
      ident avoid s id
  | PPapp (id, l) ->
      let s = ident avoid s id in
      List.fold_left (lexpr avoid) s l
  | PPconst _
  | PPtrue 
  | PPfalse ->
      s
  | PPinfix (a, _, b) ->
      lexpr avoid (lexpr avoid s a) b
  | PPif (a, b, c) -> 
      lexpr avoid (lexpr avoid (lexpr avoid s a) b) c
  | PPprefix (_, a) 
  | PPnamed (_, a) ->
      lexpr avoid s a
  | PPforall (id,_,_,p)
  | PPexists (id,_,p) ->
      let avoid = S.add id avoid in
      lexpr avoid s p
  | PPlet (id, t, p) ->
      lexpr (S.add id avoid) (lexpr avoid s t) p
  | PPmatch(e,l) ->
      let s = lexpr avoid s e in
      List.fold_left 
        (fun s ((id,idl,_loc),e) ->
           let s = ident avoid s id in
           let avoid = 
             List.fold_left (fun avoid id -> S.add id avoid) avoid idl 
           in
           lexpr avoid s e)
        s
        l
                        


let number_of_literals = ref 0


let rec compute_literal_number  pr = 
  match pr.pp_desc with
  | PPinfix (p1,_, p2) ->
      compute_literal_number  p1 ; 
      compute_literal_number  p2 ; 
  | PPif(_,p1,p2) -> 
      compute_literal_number  p1 ; 
      compute_literal_number  p2 ; 
  | PPapp(_) -> 
      number_of_literals := !number_of_literals + 1
  | PPprefix(_,p)
  | PPforall (_, _, _, p)
  | PPexists (_,_,p) 
  | PPnamed(_,p)
  | PPlet (_,_,p) ->
      compute_literal_number  p
  | PPvar(_)   
  | PPconst(_) ->
      number_of_literals := !number_of_literals + 1
  | PPtrue 
  | PPfalse -> ()
  | PPmatch(_e,l) ->
      List.iter
        (fun ((_id,_idl,_loc),p) -> compute_literal_number p)
        l
      
      
      


let decl = function
  | Goal(_,KAxiom,_,_) -> ()
  | Goal (_, _,_, p) ->
      let rec intros avoid p = match p.pp_desc with
	| PPinfix (_, PPimplies, p) -> intros avoid p
	| PPforall (id, _, _, p) -> intros (S.add id avoid) p
	| _ -> lexpr avoid S.empty p
      in
      let s = intros S.empty p in
      M.add s ; 
      compute_literal_number p;
  | Include _
  | Program _
  | Parameter _
  | Exception _
  | Logic _
  | Predicate_def _
  | Inductive_def _
  | Function_def _
  | AlgType _
  | TypeDecl _ ->
      ()

let () = 
  Queue.iter (List.iter decl) files;
  M.print std_formatter;
  Printf.printf  "Goal Literal Number : %d \n" !number_of_literals 

why-2.34/tools/ergo_split.mll0000644000175000017500000000671712311670312014645 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*i $Id: ergo_split.mll,v 1.9 2009-12-27 16:46:36 bobot Exp $ i*)

{

  open Printf
  open Lexing

  let debug = ref false
  let callback = ref (fun _ _ -> assert false)

  (* we put everything not a goal into [buf] *)
  let buf = Buffer.create 8192
  let buf_goal = Buffer.create 512

  let print_hypo s = Buffer.add_string buf s
  let print_goal s = Buffer.add_string buf_goal s

  let start_file () =
    Buffer.reset buf_goal

  let end_file () =
    !callback "ergo.why" [buf;buf_goal]

}

let letters = ['a'-'z''A'-'Z''_''0'-'9']+

rule split = parse
  | "goal" 
      { start_file (); print_goal "goal"; goal lexbuf }
  | (letters | _) as s
      { print_hypo s; split lexbuf }
  | eof 
      { () }

(* copy the query up to the semi-colon *)
and goal = parse
  | "goal" 
      { end_file (); start_file ();
	print_goal "goal "; goal lexbuf }
  | ("\"" ([^ '\"'] | "\\" _)* "\"") as s
      { print_goal s; goal lexbuf }
  | ("type" | "logic" | "predicate" | "axiom") as k
      { end_file (); print_hypo k; split lexbuf }
  | (letters | _) as s
      { print_goal s; goal lexbuf }
  | eof { end_file () }

{

  let iter cb c =
    callback := cb;
    Buffer.reset buf;
    let lb = from_channel c in
    split lb

}
why-2.34/tools/toolstat_lex.mll0000644000175000017500000001431512311670312015210 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


(*i $Id: toolstat_lex.mll,v 1.13 2008-11-25 12:44:22 moy Exp $ i*)

{
  open Toolstat_pars
  open Lexing
  open Format
  open Pp

  let debug = ref false
  let debug_more = ref false
  let no_parsing = ref false

  let extract_pos s c =
    let rec aux s acc i =
      try 
	let n = String.index s c in
	aux (String.sub s (n+1) (String.length s - (n+1))) ((i+n)::acc) (i+n+1)
      with Not_found -> acc
    in
    aux s [] 0

  let detailed_result s n1 n2 n3 n4 n5 =
    let valid_pos = extract_pos s '.' in 
    assert (List.length valid_pos = n1);
    let invalid_pos = extract_pos s '*' in
    assert (List.length invalid_pos = n2);
    let unknown_pos = extract_pos s '?' in
    assert (List.length unknown_pos = n3);
    let timeout_pos = extract_pos s '#' in
    assert (List.length timeout_pos = n4);
    let failure_pos = extract_pos s '!' in
    assert (List.length failure_pos = n5);
    (n1, n2, n3, n4, n5),
    (valid_pos, invalid_pos, unknown_pos, timeout_pos, failure_pos)

  let opt_as_float = function 
    | Some t -> float_of_string t 
    | None -> 0.

  let opt_as_int = function 
    | Some t -> int_of_string t 
    | None -> 0

  let as_int = int_of_string 

  let loc lexbuf = (lexeme_start_p lexbuf, lexeme_end_p lexbuf)

  let newline lexbuf =
    let pos = lexbuf.lex_curr_p in
    lexbuf.lex_curr_p <- 
      { pos with pos_lnum = pos.pos_lnum + 1; pos_bol = pos.pos_cnum }

  let num_eq = ref 0
  let num_diseq = ref 0
  let num_ineq = ref 0
}

let ws = [' ' '\t' '\012' '\r']
let backslash_escapes = ['\\' '"' '\'' 'n' 't' 'b' 'r' 'f' ]
let num = ['0'-'9']
let alpha = ['a'-'z' 'A'-'Z' '_' '-']
let alphanum = alpha | num
let id = alphanum*
let filechar = ['.' '/' '\\']
let file = (alphanum | filechar)*
let special = ['.' '*' '?' '#' '!']
let result = special*
let int = num+
let real = num* '.' num* | int

rule token = parse
  | "\nInferring "
      { 
	num_eq := 0;
	num_diseq := 0;
	num_ineq := 0;
	token lexbuf
      }
  | "postcondition" 
      {
	if !debug then printf "post@."; 
	POST
      }
  | "precondition" 
      {
	if !debug then printf "pre@."; 
	PRE
      }
  | "loop invariant" 
      {
	if !debug then printf "loopinv@."; 
	LOOPINV
      }
  | "backward loop invariant" 
      {
	if !debug then printf "bwd_loopinv@."; 
	BWD_LOOPINV
      }
  | "==" | "!=" | "<=" | ">=" | "<" | ">"
      {
	if !debug then printf "relation@."; 
	RELATION
      }
  | "\nDoing " ws* (id as s)
      { 
	newline lexbuf; 
	if !debug then printf "project %s@." s; 
	PROJECT(s)
      }
  | "\nRunning " (id as s) " on proof obligations"
      { 
	newline lexbuf; 
	if !debug then printf "prover %s@." s; 
	PROVER(s)
      }
  | "\n" id "/" (file as f) ("_why." id) ws* ':' ws* 
      { 
	newline lexbuf; 
	if !debug then printf "test %s@." f; 
	TEST(f)
      }
  | "\n" id "/" (file "_po_" int as f) ".why" ws* ':' ws* 
      { 
	newline lexbuf; 
	if !debug then printf "test %s@." f; 
	TEST(f)
      }
  | (result as s) ws*
      '(' (int as n1) '/' (int as n2) 
      '/' (int as n3) '/' (int as n4) '/' (int as n5) ')'  
      { 
	if !debug then printf "result %s@." s; 
	RESULT
	  (detailed_result s 
	     (as_int n1) (as_int n2) (as_int n3) (as_int n4) (as_int n5)) 
      }
  | "\ntotal CPU time" ws* ':' ws*
      ((real as h) " h")* ws* ((real as m) " m")* ws* ((real as s) " sec")* 
      { 
	newline lexbuf; 
	if !debug then printf "time %a h %a m %a s@." (print_option string) h 
	  (print_option string) m (print_option string) s; 
	TIME(opt_as_int h, opt_as_int m, opt_as_float s) 
      }
  | '\n'
      { newline lexbuf; token lexbuf }
  | _                                              
      { 
	if !debug_more then 
	  (printf "other token %s@." (lexeme lexbuf);
	   flush_all ());
	token lexbuf 
      }
  | eof
      { EOF }

{
  let parse lb = 
    try
      if !no_parsing then (Toolstat_pars.all token lb; ([],[]))
      else Toolstat_pars.log token lb
    with Parsing.Parse_error ->
      Format.eprintf "%a@." Loc.gen_report_position (loc lb);
      raise Parsing.Parse_error
}
why-2.34/tools/calldp.mli0000644000175000017500000000767012311670312013731 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Call external decision procedures on a single input file *)

(* The input files contain only on proof obligation, apart from the case of
   harvey where it may contain several proof obligations (used in dp) *)

type prover_result =
  | Valid of float
  | Invalid of float * string option
  | CannotDecide of float * string option
  | Timeout of float
  | ProverFailure of float * string

val cpulimit : string ref

type prover = ?debug:bool -> ?switch:string -> 
    ?timeout:int -> ?filename:string -> ?buffers:(Buffer.t list) -> unit ->
  prover_result

val gappa : ?debug:bool ->  ?switch:string ->
  ?timeout:int -> filename:string -> unit -> prover_result

val simplify : ?debug:bool ->  ?switch:string -> 
  ?timeout:int -> filename:string -> unit ->prover_result

val vampire : ?debug:bool ->  ?switch:string -> 
  ?timeout:int -> filename:string -> unit -> prover_result

val harvey :
  ?debug:bool ->  ?switch:string -> ?timeout:int -> 
  filename:string -> unit -> prover_result

val zenon :
  ?debug:bool ->  ?switch:string -> ?timeout:int -> 
  filename:string -> unit -> prover_result

val rvsat :
  ?debug:bool ->  ?switch:string -> ?timeout:int -> 
  filename:string -> unit -> prover_result

val yices : prover

val cvc3 : prover

val cvcl : prover

val z3 : prover

val verit: prover

val ergo : select_hypotheses:bool -> prover

val generic_hypotheses_selection :
  ?debug:bool -> ?switch:string ->
  ?timeout:int -> filename:string -> DpConfig.prover_id -> unit -> prover_result

val coq :
  ?debug:bool -> ?switch:string ->
  ?timeout:int -> filename:string -> unit -> prover_result

val pvs :
  ?debug:bool -> ?switch:string ->
  ?timeout:int -> filename:string -> unit -> prover_result
why-2.34/tools/smtlib_split.mll0000644000175000017500000001046112311670312015172 0ustar  rtusers(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*i $Id: smtlib_split.mll,v 1.14 2010-01-18 14:16:20 marche Exp $ i*)

{

  open Printf
  open Lexing 

  let debug = ref false
  let callback = ref (fun _ _ -> assert false : string -> Buffer.t list -> unit)

  (* we put everything not a goal into [buf] *)
  let buf = Buffer.create 8192
  let buf_goal = Buffer.create 512

  let print_hypo s = Buffer.add_string buf s
  let print_goal s = Buffer.add_string buf_goal s

  let start_file () =
    Buffer.reset buf_goal

  let end_file () =
    !callback "smtlib.smt" [buf;buf_goal]

  let level = ref 0 

}

let space = [' ' '\t' '\n' '\r']
let ident = ['a'-'z' 'A'-'Z' '0'-'9']+

rule split = parse
  | "(" space* "benchmark"
      { print_hypo (lexeme lexbuf); 
	split lexbuf 
      }
  | ":" space* "status"  
      { 
	print_hypo (lexeme lexbuf); 
	split lexbuf }
  | ":" space* ("extrasorts" | "extrafuns" | "assumption")
      { print_hypo (lexeme lexbuf); 
	lisp_copy lexbuf; split lexbuf }
  | ident 
      { 
	print_hypo (lexeme lexbuf);
	split lexbuf } 
  | ":" space* "formula"
      { 
	(*printf "formula: ouverture du fichier %s \n" !file ;*)
        start_file();
	level := 0 ;
        print_goal (lexeme lexbuf);
	query lexbuf;
	print_goal ")" ; (* ends the benchmark bracket *)
	(*printf "formula: fermeture du fichier %s \n" !file ; *)
	end_file ();
	split lexbuf}
  | eof 
      { () }
  | _ 
      { 
      print_hypo (lexeme lexbuf); split lexbuf }




(* copies into [buf] until the end of the S-expression *)
and lisp_copy = parse
  | "(" { Buffer.add_char buf '('; lisp_copy lexbuf; }
  | ")" { Buffer.add_char buf ')' }
  | eof { () }
  | _   { print_hypo (lexeme lexbuf); lisp_copy lexbuf }

(* prints up to the end of the S-expression *)
and query = parse
  | "(" { print_goal "("; 
	  level := !level + 1 ; 
	  query lexbuf;}
  | ")" { print_goal ")" ;
	  level := !level - 1 ;
	  (*printf ")%d" !level ; *)
	  if !level <> 0 then query lexbuf 
	}
  | _   { print_goal (lexeme lexbuf); query lexbuf }

{

  let iter cb c =
    callback := cb;
    Buffer.reset buf;
    let lb = from_channel c in
    split lb

}

why-2.34/tools/cpulimit-win.c0000644000175000017500000000765512311670312014557 0ustar  rtusers/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/


#include 
#include 
#include 

int main(int argc, char *argv[]) {
  STARTUPINFO si;
  PROCESS_INFORMATION pi;
  int i;
  unsigned ex;
  unsigned long s = 0; // length of args after concat
  char * p; // command line parameter
  ZeroMemory(&si, sizeof(si));
  si.cb = sizeof(si);
  ZeroMemory(&pi, sizeof(pi));
  if (argc < 3) {
    printf("Usage: %s 
    \n";
    let lb = from_channel cin in 
    scan lb;
    print "
    \n\n"

  let title = ref None

  let make_title f = match !title with None -> f | Some t -> t

  let translate_file f =
    let fout = f ^ ".html" in
    let c = open_out fout in
    cout := c;
    let cin = open_in f in
    translate_channel (make_title f) cin;
    close_in cin;
    close_out c

  let _ =
    let files = ref [] in
    Arg.parse 
	[ "-title", String (fun s -> title := Some s), 
	  "  specifies a title" ]
	(fun s -> files := s :: !files)
	"usage: why2html [options] files";
    match !files with
      | [] -> translate_channel "" stdin 
      | fl -> List.iter translate_file fl

}
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/tools/whyConfig.ml�������������������������������������������������������������������������0000644�0001750�0001750�00000014075�12311670312�014253� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Format
open DpConfig

let provers_found = ref 0

let prover_tips_info = ref false

let rec detect_prover p cmds =
  match cmds with
    | [] ->
	printf "detection of prover %s failed@." p.name
    | cmd::rem ->
	let out = Filename.temp_file "out" "" in
        let cmd2 = cmd ^ " " ^ p.version_switch in
	let c = cmd2 ^ " > " ^ out in
	let ret = Sys.command c in
	if ret <> 0
          (* was needed for older version of gappa, but is
	     wrong under windows: && not (p == gappa && ret = 1) *)
        then
	  begin
	    printf "command '%s' failed@." cmd2;
	    detect_prover p rem
	  end
	else
	  let s =
            try
              let ch = open_in out in
              let s = ref (input_line ch) in
              while !s = "" do s := input_line ch done;
              close_in ch;
	      Sys.remove out;
              !s
            with Not_found | End_of_file  -> ""
          in
	  let re = Str.regexp p.version_regexp in
	  if Str.string_match re s 0 then
	    let nam = p.name in
	    let ver = Str.matched_group 1 s in
            begin
              if List.mem ver p.versions_ok then
	        printf "Found prover %s version %s, OK.@." nam ver
              else
                begin
                  prover_tips_info := true;
                  if List.mem ver p.versions_old then
                    printf "Warning: prover %s version %s is quite old, please consider upgrading to a newer version.@." nam ver
                  else
                    printf "Warning: prover %s version %s is not known to be supported, use it at your own risk!@." nam ver
                end
            end;
	    p.command <- cmd;
	    p.version <- ver;
            incr provers_found
	  else
	    begin
              prover_tips_info := true;
	      printf "Warning: found prover %s but name/version not recognized by regexp `%s'@." p.name p.version_regexp;
	      printf "Answer was `%s'@." s;
	      p.command <- cmd;
	      p.version <- "?";
	    end


let main () =
  begin
    try
      load_rc_file ()
    with Not_found ->
      printf "rc file not found, using default values for provers@\n@.";
  end;
  printf "starting autodetection...@.";
  List.iter (fun (_,(p,l)) ->
               (* we reset version because it might have been read in .whyrc *)
               p.version <- "";
               let l =
                 if List.mem p.command l then l else l@[p.command]
               in
               detect_prover p l) prover_list;
  printf "detection done.@.";
  if !provers_found = 0 then
    begin
      printf "No provers found! you need to install at least one prover.@.";
      prover_tips_info := true
    end
  else
    begin
      printf "writing rc file `%s'...@\n@." (rc_file());
      save_rc_file ();
      printf "    prover      version              info   invocation@.";
      printf "------------------------------------------------------@.";
      List.iter (fun (_,(p,_)) ->
                   let nam = p.name in
                   let ver = p.version in
                   let morever =
                     if p.version = "" then "not found" else
                       if p.version = "?" then "undetected" else
                         if List.mem p.version p.versions_ok then "" else
                           if List.mem p.version p.versions_old then "(obsolete)" else
                             "(not supported)"
                   in
                   printf "%10s   %10s   %15s   %s@." nam ver morever
                     (if p.version ="" then "" else
                      p.command ^ " " ^ p.command_switches);
                ) prover_list;
      printf "------------------------------------------------------@.";
    end;
  if !prover_tips_info then
    begin
      printf "See web page http://why.lri.fr/provers.en.html for up-to-date information about provers and their versions@."
    end

let () = Printexc.catch main ()




�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/tools/toolstat.ml��������������������������������������������������������������������������0000644�0001750�0001750�00000034552�12311670312�014171� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Statistics on automatic provers results *)

open Format
open Toolstat_types

let spec = [
  "-d",
  Arg.Set Toolstat_lex.debug,
  "  Set debug mode";
  "-d2",
  Arg.Set Toolstat_lex.debug_more,
  "  Set more debug mode";
  "-no-parse",
  Arg.Set Toolstat_lex.no_parsing,
  "  Only lex file";
]
let msg = "tool-stat file"
let records = ref []
let annots = ref []

let rec explain_exception fmt = function
  | Parsing.Parse_error -> 
      fprintf fmt "Syntax error"
  | Stream.Error s -> 
      fprintf fmt "Syntax error: %s" s
  | Loc.Located (loc, e) ->
      fprintf fmt "%a%a" Loc.report_position loc explain_exception e
  | e ->
      fprintf fmt "Anomaly: %s" (Printexc.to_string e); raise e

let parse_file f =
  try
    let c = open_in f in
    let lb = Lexing.from_channel c in
    lb.Lexing.lex_curr_p <- { lb.Lexing.lex_curr_p with Lexing.pos_fname = f };
    let ann,recs = Toolstat_lex.parse lb in
    annots := ann;
    records := recs;
    close_in c
  with e -> 
    explain_exception err_formatter e;
    pp_print_newline err_formatter ();
    exit 1

let default_detail = ([],[],[],[],[])
let default_time = (0,0,0.)
let default_annot = (0,0,0,0)
    
let add_times (h1,m1,s1) (h2,m2,s2) =
  let h3 = h1 + h2 and m3 = m1 + m2 and s3 = s1 +. s2 in
  let carry = (int_of_float (floor s3)) / 60 in
  let m3 = m3 + carry and s3 = s3 -. (float_of_int (60 * carry)) in
  let carry = m3 / 60 in
  let h3 = h3 + carry and m3 = m3 - (60 * carry) in
  (h3,m3,s3)

let hadd single combine h k v =
  try
    let ls = Hashtbl.find h k in
    Hashtbl.replace h k (combine v ls)
  with Not_found ->
    Hashtbl.replace h k (single v)

let intadd h k v = hadd (fun x -> x) ( + ) h k v
let listadd h k v = hadd (fun x -> [x]) (fun x l -> x::l) h k v
let timeadd = hadd (fun x -> x) add_times

let hfind default h k =
  try Hashtbl.find h k with Not_found -> default

let valid_summary (n1,_n2,_n3,_n4,_n5) = n1
let notvalid_summary (_n1,n2,n3,n4,n5) = n2 + n3 + n4 + n5
let make_summary (s1,s2,s3,s4,s5) =
  List.length s1, List.length s2, List.length s3, List.length s4, List.length s5

let valid_detail (s1,_s2,_s3,_s4,_s5) = s1
let notvalid_detail (_s1,s2,s3,s4,s5) = s2 @ s3 @ s4 @ s5
let combine_details (s1,s2,s3,s4,s5) (t1,t2,t3,t4,t5) =
  let unique = 
    let table = Hashtbl.create 5 in
    function l ->
      List.fold_left 
	(fun acc e ->
	   if Hashtbl.mem table e then acc else 
	     (Hashtbl.replace table e (); e :: acc)
	) [] l
  in
  let u1 = unique (s1 @ t1) in (* Start with valid *)
  let u2 = unique (s2 @ t2) in (* Order of invalid ones unimportant *)
  let u3 = unique (s3 @ t3) in
  let u4 = unique (s4 @ t4) in
  let u5 = unique (s5 @ t5) in
  (u1, u2, u3, u4, u5)

let print_time ?(sec=false) ?(min=false) ?(hour=false) fmt (h,m,s) =
  if sec || min || hour then
    let s = 3600 * h + 60 * m + (int_of_float (floor s)) in
    if sec then 
      fprintf fmt "%d s" s
    else if min then
      fprintf fmt "%.2f m" (float_of_int s /. 60.)
    else  
      fprintf fmt "%.2f h" (float_of_int s /. 3600.)
  else if h = 0 && m = 0 && s = 0. then 
    fprintf fmt "0. s"
  else
    fprintf fmt "%a%a%a"
      (fun fmt h -> if h = 0 then () else fprintf fmt "%d h " h) h
      (fun fmt m -> if m = 0 then () else fprintf fmt "%d m " m) m
      (fun fmt s -> if s = 0. then () else fprintf fmt "%.2f s " s) s

let compare_time (h1,m1,s1) (h2,m2,s2) =
  let c = compare h1 h2 in
  if c <> 0 then c else
    let c = compare m1 m2 in
    if c <> 0 then c else
      compare s1 s2    

let () = 
  Arg.parse spec parse_file msg;
  let records : record list = !records in
  let annots : annotation list = !annots in

  let provers : (prover, unit) Hashtbl.t = Hashtbl.create 5 in
  let tests : (test, unit) Hashtbl.t = Hashtbl.create 5 in
  let error_tests : (test, unit) Hashtbl.t = Hashtbl.create 5 in
  let vc : (project * test * int, unit) Hashtbl.t = Hashtbl.create 5 in
  let vc_count : (project * test * int, int) Hashtbl.t = Hashtbl.create 5 in
  List.iter 
    (fun (completed,project,prover,test,_summary,detail,_time) ->
       (* useful to keep track of tests with 0 VC and tests in error *)
       Hashtbl.replace tests test ();
       if completed then
	 (Hashtbl.replace provers prover ();
	  List.iter
	    (fun i -> 
	       Hashtbl.replace vc (project,test,i) ();
	       intadd vc_count (project,test,i) 1
	    ) (valid_detail detail);
	  List.iter
	    (fun i -> 
	       Hashtbl.replace vc (project,test,i) ()
	    ) (notvalid_detail detail))
       else
	 (* At least one prover was in error on this test *)
	 Hashtbl.replace error_tests test ()
    ) records;

  (* Fill [prover_variants] with pairs of a variant and the original prover,
     for those provers that have variants *)
  let prover_variants : (prover, prover) Hashtbl.t = Hashtbl.create 5 in
  let tests_variants : ((project * prover * test), record list) Hashtbl.t 
      = Hashtbl.create 5 
  in
  let combined_prover prover = prover ^ " (all)" in
  Hashtbl.iter 
    (fun prover1 () ->
       Hashtbl.iter 
	 (fun prover2 () ->
	    if String.length prover1 > String.length prover2 
	      && String.sub prover1 0 (String.length prover2) = prover2 then
		Hashtbl.replace prover_variants prover1 prover2
	 ) provers
    ) provers;
  Hashtbl.iter
    (fun _variant_prover prover ->
       Hashtbl.replace prover_variants prover prover
    ) prover_variants;
  Hashtbl.iter
    (fun variant_prover prover ->
       Hashtbl.replace prover_variants variant_prover (combined_prover prover);
       Hashtbl.replace provers (combined_prover prover) ()
    ) prover_variants;
  List.iter
      (fun (completed,project,prover,test,summary,detail,time) ->
	 try 
	   let combined_prover = Hashtbl.find prover_variants prover in
	   listadd tests_variants (project,combined_prover,test)
	     (completed,project,combined_prover,test,summary,detail,time)  
	 with Not_found -> ()
      ) records;
  let records =
    Hashtbl.fold 
      (fun (project,prover,test) records acc ->
	 let completed,detail,time =
	   List.fold_left 
	     (fun (completed_acc,detail_acc,time_acc) 
		(completed,_project,_prover,_test,_summary,detail,time) ->
		  completed_acc || completed,
		  combine_details detail_acc detail,
		  add_times time_acc time
	     ) (false,default_detail,default_time) records
	 in
	 let summary = make_summary detail in
	 (completed,project,prover,test,summary,detail,time) :: acc
      ) tests_variants records
  in

  printf "@.Best individual provers:@.";
  let provers_valid : (prover, int) Hashtbl.t = Hashtbl.create 17 in
  let provers_notvalid : (prover, int) Hashtbl.t = Hashtbl.create 17 in
  List.iter (fun (completed,_project,prover,_test,summary,_detail,_time) ->
	       if completed then
		 (intadd provers_valid prover (valid_summary summary);
		  intadd provers_notvalid prover (notvalid_summary summary))
	    ) records;
  let provers_data = 
    Hashtbl.fold (fun p () acc ->
		    (p, 
		     hfind 0 provers_valid p, 
		     hfind 0 provers_notvalid p)
		    :: acc
		 ) provers [] 
  in
  let provers_ranking =
    List.sort (fun (_p1,v1,_n1) (_p2,v2,_n2) -> compare v2 v1) provers_data
  in
  ignore (List.fold_left 
	    (fun i (p,v,n) ->
	       printf "%d: %s   \t%d valid \t%d not valid \t%d%% proved@." 
		 i p v n 
		 (if v + i <> 0 then v * 100 / (v + n) else 0);
	       i+1
	    ) 1 provers_ranking);
  
  printf "@.Best combination provers:@.";
  let provers_ahead = Hashtbl.create 17 in
  let provers_behind = Hashtbl.create 17 in
  List.iter (fun (completed,project,prover,test,_summary,detail,_time) ->
	       if completed then
		 (List.iter
		    (fun i ->
		       assert (Hashtbl.mem vc_count (project,test,i));
		       if Hashtbl.find vc_count (project,test,i) = 1 then
			 intadd provers_ahead prover 1
		    ) (valid_detail detail);
		  List.iter
		    (fun i ->
		    if hfind 0 vc_count (project,test,i) > 0 then
		      intadd provers_behind prover 1
		    ) (notvalid_detail detail))
	    ) records;
  let provers_data =
    Hashtbl.fold (fun p () acc ->
		    (p,
		     hfind 0 provers_ahead p,
		     hfind 0 provers_behind p)
		    :: acc
		 ) provers []
  in
  let provers_ranking =
    List.sort (fun (_p1,a1,b1) (_p2,a2,b2) ->
		 let c = compare a2 a1 in
		 if c = 0 then compare b1 b2 else c)
      provers_data
  in
  ignore (List.fold_left
	    (fun i (p,a,b) ->
	       printf "%d: %s   \t%d alone \t%d by others@." i p a b;
	       i+1
	    ) 1 provers_ranking);

  printf "@.Quickest provers:@.";
  let provers_time : (prover, time) Hashtbl.t = Hashtbl.create 17 in
  List.iter (fun (completed,_project,prover,_test,_summary,_detail,time) ->
	       if completed then
		 timeadd provers_time prover time
	    ) records;
  let provers_data = 
    Hashtbl.fold (fun p () acc ->
		    (p, 
		     hfind (0,0,0.) provers_time p)
		    :: acc
		 ) provers [] 
  in
  let provers_ranking =
    List.sort (fun (_p1,t1) (_p2,t2) -> compare_time t1 t2) provers_data
  in
  ignore (List.fold_left 
	    (fun i (p,t) ->
	       printf "%d: %s   \t%a \t%a \t%a \t%a@." 
		 i p (fun fmt -> print_time fmt) t 
		 (fun fmt -> print_time ~sec:true fmt) t
		 (fun fmt -> print_time ~min:true fmt) t
		 (fun fmt -> print_time ~hour:true fmt) t;
	       i+1
	    ) 1 provers_ranking);

  let pre,post,inv,bwd =
    List.fold_left 
      (fun (pre1,post1,inv1,bwd1) (_project,(pre2,post2,inv2,bwd2)) ->
	 (pre1+pre2,post1+post2,inv1+inv2,bwd1+bwd2)
      ) default_annot annots 
  in
  printf "@.Number of relations in annotations generated:@.";
  printf "%d in preconditions@." pre;
  printf "%d in postconditions@." post;
  printf "%d in loop invariants@." inv;
  printf "%d in backward loop invariants@." bwd;
  
  let tests_notproved = Hashtbl.create 17 in
  let projects_notproved = Hashtbl.create 17 in
  Hashtbl.iter (fun (project,test,i) () ->
		  if hfind 0 vc_count (project,test,i) = 0 then
		    (intadd tests_notproved test 1;
		     match project with 
		       | None -> ()
		       | Some project -> intadd projects_notproved project 1)
	       ) vc;
  printf "@.Projects not proved: %d@." (Hashtbl.length projects_notproved);
  Hashtbl.iter (fun project n ->
		  printf "%s \t%d not proved@." project n
	       ) projects_notproved;
  printf "@.Tests not proved: %d@." (Hashtbl.length tests_notproved);
  Hashtbl.iter (fun test n ->
		  printf "%s \t%d not proved@." test n
	       ) tests_notproved;

  let numtests_notproved = Hashtbl.create 17 in
  Hashtbl.iter (fun _project n ->
		  intadd numtests_notproved n 1
	       ) projects_notproved;
  printf "@.Num tests not proved by project:@.";
  let numtests_notproved = 
    Hashtbl.fold (fun n numproj acc -> (n,numproj) :: acc) numtests_notproved []
  in
  let numtests_notproved =
    List.sort (fun (n1,_) (n2,_) -> Pervasives.compare n1 n2) numtests_notproved
  in
  List.iter (fun (n,numproj) ->
	       printf "%d not proved for \t%d projects@." n numproj
	    ) numtests_notproved;

  let tests_proved = Hashtbl.create 17 in
  let projects_proved = Hashtbl.create 17 in
  Hashtbl.iter (fun (project,test,_i) () ->
		  if hfind 0 tests_notproved test = 0 then
		    intadd tests_proved test 1;
		  match project with 
		    | None -> ()
		    | Some project ->
 			if hfind 0 projects_notproved project = 0 then
			  intadd projects_proved project 1
	       ) vc;
  printf "@.Projects proved: %d@." (Hashtbl.length projects_proved);
  Hashtbl.iter (fun project n ->
		  printf "%s \t%d proved@." project n
	       ) projects_proved;
  printf "@.Tests proved: %d@." (Hashtbl.length tests_proved);
  Hashtbl.iter (fun test n ->
		  printf "%s \t%d proved@." test n
	       ) tests_proved;
		  
  let tests_in_error = Hashtbl.create 17 in
  let tests_no_vc = Hashtbl.create 17 in
  Hashtbl.iter (fun test () ->
		  if not (Hashtbl.mem tests_notproved test)
		    && not (Hashtbl.mem tests_proved test) 
		  then
		    if Hashtbl.mem error_tests test then
		      Hashtbl.replace tests_in_error test ()
		    else
		      Hashtbl.replace tests_no_vc test ()		      
	       ) tests;
  printf "@.Tests in error: %d@." (Hashtbl.length tests_in_error);
  Hashtbl.iter (fun test _n ->
		  printf "%s@." test
	       ) tests_in_error;
  printf "@.Tests with no VC: %d@." (Hashtbl.length tests_no_vc);
  Hashtbl.iter (fun test _n ->
		  printf "%s@." test
	       ) tests_no_vc;
		  
  printf "@."

(*
Local Variables:
compile-command: "LC_ALL=C make -C .."
End:
*)
������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/tools/simplify_lexer.mll�������������������������������������������������������������������0000644�0001750�0001750�00000010255�12311670312�015521� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*i $Id: simplify_lexer.mll,v 1.12 2008-11-05 14:03:19 filliatr Exp $ i*)

{

  open Lexing 
  open Simplify_ast
  open Simplify_parser

  let atoms = Hashtbl.create 1021
  let () = 
    List.iter (fun (s,a) -> Hashtbl.add atoms s a)
      [
    "DEFPRED", DEFPRED;
    "BG_PUSH", BG_PUSH;
    "@true", AT_TRUE;
    "TRUE", TRUE;
    "FALSE", FALSE;
    "AND", AND;
    "IMPLIES", IMPLIES;
    "EXPLIES", EXPLIES;
    "IFF", IFF;
    "FORALL", FORALL;
    "EXISTS", EXISTS;
    "MPAT", MPAT;
    "PATS", PATS;
    "NOPATS", NOPATS;
    "AND", AND;
    "OR", OR;
    "NOT", NOT;
    "LBLPOS", LBLPOS;
    "LBLNEG", LBLNEG;
    "DISTINCT", DISTINCT;
    "EQ", EQ;
    "NEQ", NEQ;
    "+", IDENT "+";
    "-", IDENT "-";
    "*", IDENT "*";
    ">", GT;
    ">=", GE;
    "<", LT;
    "<=", LE;
      ]

  let mk_ident s =
    let is_char_ok i = function
      | 'a'..'z' | 'A'..'Z' | '_' -> true
      | '0'..'9' when i > 0 -> true
      | _ -> false
    in
    for i = 0 to String.length s - 1 do
      if not (is_char_ok i s.[i]) then s.[i] <- 'a'
    done;
    if Hashtbl.mem atoms s then begin
      let rec loop n = 
	let sn = s ^ string_of_int n in
	if Hashtbl.mem atoms sn then loop (n+1) else sn
      in
      loop 0
    end else
      s

  let atom s =
    try
      Hashtbl.find atoms s
    with Not_found ->
      let s' = mk_ident (String.copy s) in
      (* Format.eprintf "atom %s -> %s@." s s'; *)
      let a = IDENT s' in 
      Hashtbl.add atoms s a; a

}

let space = [' ' '\t' '\n' '\r']
let ident = ['a'-'z' 'A'-'Z']+

rule token = parse
  | space+
      { token lexbuf }
  | ";" [^'\n']* '\n' 
      { token lexbuf }
  | "(" 
      { LPAR }
  | ")" 
      { RPAR }
  | eof 
      { EOF }
  | ('-'? ['0'-'9']+) as s
      { INTEGER s }
  | '|' ([^ '|']+ as s) '|'
      { atom s }
  | [^' ' '\t' '\n' '\r' ';' '(' ')']+ as s
      { atom s }
  | _ as c 
      { Format.eprintf  "simplify_lexer: illegal character %c@." c; exit 1 }

{

}

���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/tools/obfuscator.ml������������������������������������������������������������������������0000644�0001750�0001750�00000042675�12311670312�014474� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* Why code obfuscator *)

open Format
open Pp
open Ident
open Logic
open Ptree

let out = ref ""
let prefix = ref "x"

let spec = ["-o", Arg.Set_string out, "set output file";
	    "-prefix", Arg.Set_string prefix, "set names prefix"]
let usage = "why-obfuscator [options] files...\nOptions are:"

let files = Queue.create ()

let rec explain_exception fmt = function
  | Lexer.Lexical_error s -> 
      fprintf fmt "Lexical error: %s" s
  | Parsing.Parse_error -> 
      fprintf fmt "Syntax error"
  | Stream.Error s -> 
      fprintf fmt "Syntax error: %s" s
  | Loc.Located (loc, e) ->
      fprintf fmt "%a%a" Loc.report_position loc explain_exception e
  | e ->
      fprintf fmt "Anomaly: %s" (Printexc.to_string e); raise e

let add_file f =
  try
    let c = open_in f in
    let lb = Lexing.from_channel c in
    lb.Lexing.lex_curr_p <- { lb.Lexing.lex_curr_p with Lexing.pos_fname = f };
    let p = Lexer.parse_file lb in
    Queue.add p files;
    close_in c
  with e -> 
    explain_exception err_formatter e;
    pp_print_newline err_formatter ();
    exit 1

let () = Arg.parse spec add_file usage

let fmt = 
  if !out = "" then 
    std_formatter
  else
    let c = open_out !out in
    at_exit (fun () -> close_out c);
    formatter_of_out_channel c

let renamings = Hashtbl.create 97

let fresh_id =
  let c = ref 0 in
  fun _id -> incr c; !prefix ^ string_of_int !c

let rename_global id =
  if Hashtbl.mem renamings (Ident.string id) then () else
  Hashtbl.add renamings (Ident.string id) (fresh_id ())

let gident fmt id =
  let s = Ident.string id in
  fprintf fmt "%s" (try Hashtbl.find renamings s with Not_found -> s)

module M = Map.Make(String)

let ident m fmt id =
  let s = Ident.string id in
  fprintf fmt "%s" (try M.find s m with Not_found ->
		      try Hashtbl.find renamings s with Not_found -> s)

let rename m id =
  let id' = fresh_id () in
  M.add (Ident.string id) id' m

let rec pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "real"
  | PTexternal([],id) -> fprintf fmt "%a" gident id
  | PTvar {tag=t; type_val=None} -> fprintf fmt "'a%d" t
  | PTvar {tag=_t; type_val=Some pt} -> pure_type fmt pt
  | PTexternal([t],id) -> 
      fprintf fmt "%a %a" pure_type t gident id
  | PTexternal(l,id) -> fprintf fmt "(%a) %a" 
      (print_list space pure_type) l
      gident id

let rec ppure_type fmt = function
  | PPTint -> fprintf fmt "int"
  | PPTbool -> fprintf fmt "bool"
  | PPTunit -> fprintf fmt "unit"
  | PPTreal -> fprintf fmt "real"
  | PPTexternal ([],id,_) -> fprintf fmt "%a" gident id
  | PPTvarid (id,_) -> fprintf fmt "'%a" Ident.print id
  | PPTexternal ([t],id,_) -> 
      fprintf fmt "%a %a" ppure_type t gident id
  | PPTexternal (l,id,_) -> fprintf fmt "(%a) %a" 
      (print_list comma ppure_type) l gident id

let constant fmt = function
  | ConstInt n -> 
      fprintf fmt "%s" n
  | ConstBool b -> 
      fprintf fmt "%b" b
  | ConstUnit -> 
      fprintf fmt "void" 
  | ConstFloat c -> 
      Print_real.print fmt c

let rec lexpr m fmt p = 
  let lexprm = lexpr m in
  match p.pp_desc with
  | PPconst c ->
      constant fmt c
  | PPvar id -> 
      ident m fmt id
  | PPapp (id, l) ->
      fprintf fmt "%a(%a)" gident id (print_list comma lexprm) l
  | PPtrue ->
      fprintf fmt "true"
  | PPfalse ->
      fprintf fmt "false"
  | PPinfix (a, PPand, b) ->
      fprintf fmt "(@[%a and@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPor, b) ->
      fprintf fmt "(@[%a or@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPimplies, b) -> 
      fprintf fmt "(@[%a ->@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPiff, b) -> 
      fprintf fmt "(@[%a <->@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPdiv, b) -> 
      fprintf fmt "(@[%a /@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPmul, b) -> 
      fprintf fmt "(@[%a *@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPsub, b) -> 
      fprintf fmt "(@[%a -@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPadd, b) -> 
      fprintf fmt "(@[%a +@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPneq, b) -> 
      fprintf fmt "(@[%a <>@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPeq, b) -> 
      fprintf fmt "(@[%a =@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPge, b) -> 
      fprintf fmt "(@[%a >=@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPgt, b) -> 
      fprintf fmt "(@[%a >@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPle, b) -> 
      fprintf fmt "(@[%a <=@ %a@])" lexprm a lexprm b
  | PPinfix (a, PPlt, b) -> 
      fprintf fmt "(@[%a <@ %a@])" lexprm a lexprm b
  | PPif (a, b, c) -> 
      fprintf fmt "(@[if %a then@ %a else@ %a@])" 
	lexprm a lexprm b lexprm c
  | PPprefix (PPnot, a) ->
      fprintf fmt "(not %a)" lexprm a
  | PPprefix (PPneg, a) ->
      fprintf fmt "(-(%a))" lexprm a
  | PPforall (id,v,tl,p) ->
      let m = rename m id in
      fprintf fmt "@[<hov 2>(forall %a:%a%a.@ %a)@]" 
	(ident m) id ppure_type v (triggers m) tl (lexpr m) p
  | PPexists (id,v,p) ->
      let m = rename m id in
      fprintf fmt "@[<hov 2>(exists %a:%a.@ %a)@]" 
	(ident m) id ppure_type v (lexpr m) p
  | PPnamed (_, p) ->
      lexprm fmt p
  | PPlet (id,t,p) ->
      let m = rename m id in
      fprintf fmt "@[<hov 2>(let %a = %a in@ %a)@]" (ident m) id 
	(lexpr m) t (lexpr m) p
  | PPmatch(e,l) -> 
      fprintf fmt "@[<hov 2>(match %a with@ %a)@]" lexprm e
	(print_list newline 
	   (fun fmt ((id,idl,_loc),e) -> 
              let m = List.fold_left rename m idl in
              fprintf fmt "| %a(%a) ->@ %a;" gident id 
                (print_list comma (ident m)) idl 
                (lexpr m) e)) l

and triggers m fmt = function
  | [] -> ()
  | tl -> fprintf fmt " [%a]" (print_list alt (trigger m)) tl

and trigger m = print_list space (lexpr m)

let assertion m fmt a = lexpr m fmt a.pa_value

let pre m fmt l = 
  if l <> [] then begin
    fprintf fmt "@[ ";
    print_list semi (assertion m) fmt l;
    fprintf fmt " @]"
  end

let exn m fmt (x,c) = 
  fprintf fmt "| %a => @[%a@]@," Ident.print x (assertion m) c

let post m fmt = function
  | None -> 
      ()
  | Some (c,[]) -> 
      fprintf fmt "@[ %a @]" (assertion m) c
  | Some (c, l) -> 
      fprintf fmt "@[ %a@ %a @]" (assertion m) c (print_list space (exn m)) l

let effect m fmt { pe_reads = r; pe_writes = w; pe_raises = e } =
  fprintf fmt "@[";
  if r <> [] then begin
    fprintf fmt "reads ";
    print_list (fun fmt () -> fprintf fmt ",@ ") (ident m) fmt r;
  end;
  if r <> [] && w <> [] then fprintf fmt "@ ";
  if w <> [] then begin
    fprintf fmt "writes ";
    print_list (fun fmt () -> fprintf fmt ",@ ") (ident m) fmt w;
  end;
  if (r <> [] || w <> []) && e <> [] then fprintf fmt "@ ";
  if e <> [] then begin
    fprintf fmt "raises ";
    print_list (fun fmt () -> fprintf fmt ",@ ") (ident m) fmt e;
  end;
  if r <> [] || w <> [] || e <> [] then fprintf fmt "@ ";
  fprintf fmt "@]"

let rec type_v m fmt = function
  | PVpure pt -> ppure_type fmt pt
  | PVref pt -> fprintf fmt "(%a ref)" ppure_type pt
  | PVarrow (bl,c) ->
      let m = List.fold_left rename m (List.map fst bl) in
      fprintf fmt "@[<hov 2>%a ->@ %a@]" 
	(print_list arrow (type_binder m)) bl (type_c m) c

and type_c m fmt c =
  let id = c.pc_result_name in
  let v = c.pc_result_type in
  let p = c.pc_pre in
  let q = c.pc_post in
  let e = c.pc_effect in
  if e.pe_reads = [] && e.pe_writes = [] && e.pe_raises = [] 
  && p = [] && q = None then
    type_v m fmt v
  else
    fprintf fmt "@[{%a}@ returns %a: %a@ %a@,{%a}@]" 
      (pre m) p Ident.print id (type_v m) v (effect m) e (post m) q

and type_binder m fmt = function
  | id, v when id == Ident.anonymous -> 
      type_v m fmt v
  | id, v ->
      fprintf fmt "@[%a:%a@]" (ident m) id (type_v m) v

let bracket_assertion m fmt a =
  fprintf fmt "{ %a }" (assertion m) a

let binder m fmt (id,v) = 
  fprintf fmt "(%a: %a)" (ident m) id (type_v m) v

let invariant m fmt p =
  fprintf fmt "invariant %a" (assertion m) p

let variant m fmt (t, id) =
  if id == Ident.t_zwf_zero then 
    lexpr m fmt t
  else
    fprintf fmt "%a for %a" (lexpr m) t Ident.print id

let invariant_variant m fmt = function
  | None, None -> 
      ()
  | Some _ as inv, None ->
      fprintf fmt "{ %a }" (print_option (invariant m)) inv
  | inv, Some var -> 
      fprintf fmt "{ %a variant %a }" 
	(print_option (invariant m)) inv (variant m) var 

let opt_variant m fmt = function
  | None -> ()
  | Some var -> fprintf fmt "{ variant %a }" (variant m) var

let is_binop id = 
  id == t_add || id == t_sub || id == t_mul || id == t_div_real
  (* || id == t_mod_int *) || id == t_eq || id == t_neq
  || id == t_lt || id == t_le || id == t_gt || id == t_ge

let binop id = 
  if id == t_add then "+"
  else if id == t_sub then "-"
  else if id == t_mul then "*"
  else if id == t_div_real then "/"
(*
  else if id == t_mod_int then "%"
*)
  else if id == t_eq then "="
  else if id == t_neq then "<>"
  else if id == t_lt then "<"
  else if id == t_le then "<="
  else if id == t_gt then ">"
  else if id == t_ge then ">="
  else assert false

let rec program m fmt p = 
  let progm = program m in
  match p.pdesc with
  | Svar id -> 
      ident m fmt id
  | Sderef id -> 
      fprintf fmt "!%a" (ident m) id
  | Stry ({ pdesc = Sloop (inv, var, { pdesc = Sif (e1, e2, _) })}, _) ->
      fprintf fmt "while %a do@ %a@ %a done"
	progm e1 (invariant_variant m) (inv,var) progm e2
  | Stry (e1, hl) ->
      fprintf fmt "try %a@ with %a end" 
	progm e1 (print_list alt (handler m)) hl
  | Sloop _ -> 
      assert false
  | Sif (e1, e2, e3) ->
      fprintf fmt "(if %a then@ %a else@ %a)" progm e1 progm e2 progm e3
  | Slazy_and (e1, e2) ->
      fprintf fmt "(%a &&@ %a)" progm e1 progm e2
  | Slazy_or (e1, e2) ->
      fprintf fmt "(%a ||@ %a)" progm e1 progm e2
  | Snot e1 ->
      fprintf fmt "(not %a)" progm e1
  | Sapp ({pdesc = Sapp ({ pdesc = Svar id }, e1)}, e2) when is_binop id ->
      fprintf fmt "(%a %s %a)" progm e1 (binop id) progm e2
  | Sapp ({ pdesc = Svar id }, e1) when id == t_neg ->
      fprintf fmt "(-(%a))" progm e1 
  | Sapp (e1, e2) ->
      fprintf fmt "(%a@ %a)" progm e1 progm e2
  | Sletref (id, e1, e2) ->
      let m = rename m id in
      fprintf fmt "(let %a = ref %a in@ %a)" 
	(ident m) id progm e1 (program m) e2
  | Sletin (id, e1, e2) ->
      let m = rename m id in
      fprintf fmt "(let %a = %a in@ %a)" (ident m) id progm e1 (program m) e2
  | Sseq (e1, e2) ->
      fprintf fmt "(%a;@ %a)" progm e1 progm e2
  | Slam (bl, al, e) ->
      let m = List.fold_left rename m (List.map fst bl) in
      fprintf fmt "(fun %a -> %a %a)" (print_list space (binder m)) bl
	(print_list space (bracket_assertion m)) al (program m) e
  | Srec (f, bl, v, var, al, e) ->
      let m = List.fold_left rename m (List.map fst bl) in
      fprintf fmt "(let rec %a %a : %a %a ->@ %a %a)" 
	(ident m) f (print_list space (binder m)) bl
	(type_v m) v (opt_variant m) var
	(print_list space (bracket_assertion m)) al (program m) e
  | Sraise (id, None, None) -> 
      fprintf fmt "(raise %a)" Ident.print id
  | Sraise (id, Some e, None) -> 
      fprintf fmt "(raise (%a %a))" Ident.print id (program m) e
  | Sraise (id, None, Some v) -> 
      fprintf fmt "(raise %a : %a)" Ident.print id (type_v m) v
  | Sraise (id, Some e, Some v) -> 
      fprintf fmt "(raise (%a %a) : %a)" 
	Ident.print id (program m) e (type_v m) v
  | Sconst c ->
      constant fmt c
  | Sabsurd None ->
      fprintf fmt "absurd"
  | Sabsurd (Some v) ->
      fprintf fmt "(absurd: %a)" (type_v m) v
  | Sany c ->
      fprintf fmt "[ %a ]" (type_c m) c
  | Slabel (l, e) ->
      fprintf fmt "(%s: %a)" l progm e
  | Sassert (k,al, e) ->
      fprintf fmt "(%s %a; %a)"
        (match k with `ASSERT -> "assert" | `CHECK -> "check")
	(print_list space (bracket_assertion m)) al (program m) e
  | Spost (e, p, Types.Transparent) ->
      fprintf fmt "(%a { %a })" progm e (post m) (Some p)
  | Spost (e, p, Types.Opaque) ->
      fprintf fmt "(%a {{ %a }})" progm e (post m) (Some p)

and handler m fmt = function
  | (id, None), e ->
      fprintf fmt "%a -> %a" Ident.print id (program m) e
  | (id, Some x), e ->
      let m = rename m x in
      fprintf fmt "%a %a -> %a" Ident.print id (ident m) x (program m) e

let print_external fmt b = if b then fprintf fmt "external "

let type_var fmt id = fprintf fmt "'%a" Ident.print id

let type_parameters fmt = function
  | [] -> ()
  | [id] -> fprintf fmt "%a "type_var id
  | l -> fprintf fmt "(%a) " (print_list comma type_var) l

let logic_binder m fmt (_, id, pt) =
  fprintf fmt "%a: %a" (ident m) id ppure_type pt

let logic_type fmt = function
  | PPredicate ptl -> 
      fprintf fmt "%a -> prop" (print_list comma ppure_type) ptl
  | PFunction (ptl, pt) -> 
      fprintf fmt "%a -> %a" (print_list comma ppure_type) ptl ppure_type pt

let str_of_goal_kind = function
  | KAxiom -> "axiom"
  | KLemma -> "lemma"
  | KGoal -> "goal"

let decl fmt = function
  | Include (_,s) ->
      fprintf fmt "@[<hov 2>include@ \"%S\"@]" s
  | Program (_,id, p) -> 
      rename_global id;
      fprintf fmt "@[<hov 2>let %a =@ %a@]" gident id (program M.empty) p
  | Parameter (_, e, ids, v) -> 
      List.iter rename_global ids;
      fprintf fmt "@[<hov 2>%aparameter %a:@ %a@]" print_external e
	(print_list comma gident) ids (type_v M.empty) v
  | Exception (_, id, None) -> 
      fprintf fmt "exception %a" Ident.print id
  | Exception (_, id, Some pt) -> 
      fprintf fmt "exception %a of %a" Ident.print id ppure_type pt
  | Logic (_, e, ids, lt) -> 
      List.iter rename_global ids;
      fprintf fmt "%alogic %a : %a" print_external e 
	(print_list comma gident) ids logic_type lt
  | Goal (_, k, id, p) ->
      rename_global id;
      fprintf fmt "%s %a : %a" (str_of_goal_kind k) 
        gident id (lexpr M.empty) p
  | Predicate_def (_, id, bl, p) ->
      rename_global id;
      let m = List.fold_left rename M.empty (List.map (fun (_,x,_) -> x) bl) in
      fprintf fmt "@[<hov 2>predicate %a(%a) =@ %a@]" gident id 
	(print_list comma (logic_binder m)) bl (lexpr m) p
  | Inductive_def(_,id, bl, l) ->
      rename_global id;
      fprintf fmt "@[<hov 2>predicate %a: @[%a@] {@\n  @[<v 0>%a@]@\n}@\n@]" 
	gident id 
	logic_type bl 
	(print_list newline 
	   (fun fmt (_,id,p) -> 
	      fprintf fmt "%a: %a;" gident id (lexpr M.empty) p)) l
  | Function_def (_, id, bl, pt, e) ->
      rename_global id;
      let m = List.fold_left rename M.empty (List.map (fun (_,x,_) -> x) bl) in
      fprintf fmt "@[<hov 2>function %a(%a) : %a =@ %a@]" gident id
	(print_list comma (logic_binder m)) bl ppure_type pt (lexpr m) e
  | TypeDecl (_, e, pl, id) ->
      rename_global id;
      fprintf fmt "%atype %a%a" print_external e type_parameters pl gident id
  | AlgType ls ->
      let print_single fmt (_, pl, id, td) =
        fprintf fmt "[@%a%a@] =@\n  @[%a@]"
          type_parameters pl
          gident id
          (print_list newline
            (fun fmt (_,cid,cty) ->
                rename_global cid;
                match cty with
                | [] -> fprintf fmt "| %a" gident cid
                | _  -> fprintf fmt "| %a (%a)" gident cid
                    (print_list comma ppure_type) cty)) td
      in
      List.iter (fun (_,_,id,_) -> rename_global id) ls;
      let andsep fmt () = fprintf fmt "@\n and " in
      fprintf fmt "@[type %a@]" (print_list andsep print_single) ls

let file = print_list newline decl

let () = 
  fprintf fmt "@[";
  Queue.iter (file fmt) files;
  fprintf fmt "@]@."

�������������������������������������������������������������������why-2.34/tools/ergo_split.mli�����������������������������������������������������������������������0000644�0001750�0001750�00000004713�12311670312�014634� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Split a Ergo input file into several files, one for each query.
   The function passed is iterated over each sub-file. *)

val iter : (string -> Buffer.t list -> unit) -> in_channel -> unit

�����������������������������������������������������why-2.34/tools/toolstat_pars.mly��������������������������������������������������������������������0000644�0001750�0001750�00000012364�12311670312�015404� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* $Id: toolstat_pars.mly,v 1.11 2009-12-01 11:51:37 marche Exp $ */

%{
  open Format
  open Parsing
  open Toolstat_types
    
  let default_prover = ""
  let default_test = let count = ref 0 in function () ->
    incr count; "Unknown" ^ (string_of_int !count)
  let default_summary = (0,0,0,0,0)
  let default_detail = ([],[],[],[],[])
  let default_time = (0,0,0.)
  let div_time (h,m,s) n =
    if n = 0 then (h,m,s) else
      let s = float_of_int (3600 * h + 60 * m) +. s in
      let s = s /. float_of_int n in
      let h = int_of_float s / 3600 in
      let m = int_of_float s / 60 - 60 * h in
      let s = s -. float_of_int (3600 * h + 60 * m) in
      (h,m,s)
  let default_annot = (0,0,0,0)
%}

%token < string > PROJECT
%token < Toolstat_types.prover > PROVER
%token < Toolstat_types.test > TEST
%token < Toolstat_types.result > RESULT
%token < Toolstat_types.time > TIME 

%token PRE POST LOOPINV BWD_LOOPINV RELATION

%token EOF
%type < unit > all
%type < Toolstat_types.annotation list * Toolstat_types.record list > log
%start log all

%%

all:
| any all { }
| EOF { }
;

any: 
| PROJECT { }
| PROVER { }
| TEST { }
| RESULT { }
| TIME { }
| PRE { }
| POST { }
| LOOPINV { }
| BWD_LOOPINV { }
;

log: 
| project_record_list
    { $1 }
| subrecord_list
    { [], $1 }
| EOF 
    { [],[] }
;

project_record_list:
| project_record project_record_list 
    { 
      let annot1,rec1 = $1 in
      let annot2,rec2 = $2 in
      annot1 @ annot2, rec1 @ rec2
    }
| project_record
    { $1 }
;

project_record:
| PROJECT annot_list subrecord_list
    { ([ ($1,$2) ],
       List.map (fun (completed,_project,prover,test,summary,detail,time) ->
		   let test = $1 ^ ":" ^ test in
		   (completed,Some $1,prover,test,summary,detail,time)
		) $3)
    }
| PROJECT annot_list
    { (* Error case *)
      ([ ($1,$2) ],
       [ (false,Some $1,default_prover,$1,default_summary,
	  default_detail,default_time) ])
    }
;

annot_list:
| annot annot_list 
    { 
      let (pre1,post1,inv1,bwd1) = $1 in
      let (pre2,post2,inv2,bwd2) = $2 in
      (pre1+pre2,post1+post2,inv1+inv2,bwd1+bwd2)
    }
|   { default_annot }
	

annot:
| PRE count
    { ($2,0,0,0) }
| POST count
    { (0,$2,0,0) }
| LOOPINV count
    { (0,0,$2,0) }
| BWD_LOOPINV count
    { (0,0,0,$2) }
;

count:
| RELATION count 
    { 1 + $2 }
|   { 0 }
;

subrecord_list:
| subrecord subrecord_list 
    { $1 @ $2 }
| subrecord  
    { $1 }
;

subrecord:
| PROVER tests TIME
    { let n = List.length $2 in
      List.map (fun (test,result) ->
		  let summary,detail = result in
		  (true,None,$1,test,summary,detail,div_time $3 n)
	       ) $2 }
| PROVER TEST RESULT
    { (* Case for no VC *)
      let summary,detail = $3 in [ (true,None,$1,$2,summary,detail,default_time) ] }
| PROVER TEST
    { (* Error case *)
      [ (false,None,$1,$2,default_summary,default_detail,default_time) ] }
| PROVER
    { (* Error case *)
      [ (false,None,$1,default_test (),default_summary,default_detail,default_time) ] }
;

tests:
| TEST RESULT tests
    { ($1,$2) :: $3 }
|   { [] }
;
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/tools/make_float_model.ml������������������������������������������������������������������0000644�0001750�0001750�00000025771�12311670312�015605� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


open Format


(*

  t : name of the float type
  p : precision
  e : minimal exponent (2^e is the smallest subnormal number

eg:

  t = "double", p = 53, e = -1074

  t = "single", p = 24, e = -149

*)

let rec hex_of_precision p =
  match p with
    | 0 -> ""
    | 1 -> "8"
    | 2 -> "C"
    | 3 -> "E"
    | _ -> "F" ^ hex_of_precision (p-4)

let output_common_part fmt t p e =

  fprintf fmt "include \"real.why\"@.@.";

  fprintf fmt "(* the different rounding modes *)

type mode 

logic nearest_even, to_zero, up, down, nearest_away : mode

axiom no_other_mode : forall m:mode. 
     m = nearest_even or m = to_zero or m = up or m = down or m = nearest_away
axiom mode_distinct : 
     nearest_even <> to_zero and nearest_even <> up and nearest_even <> down 
     and nearest_even <> nearest_away and  to_zero <> up and to_zero <> down 
     and to_zero <> nearest_away and up <> down and up <> nearest_away and 
     down <> nearest_away

parameter current_rounding_mode : mode ref
@.@.";

  fprintf fmt "(* About the %s format *)
type %s@.@." t t;
  
  fprintf fmt "logic round_%s : mode, real -> real@.@." t;
  fprintf fmt "logic round_%s_logic : mode, real -> %s@.@." t t;

  fprintf fmt "logic %s_value : %s -> real
logic %s_exact : %s -> real
logic %s_model : %s -> real@.@." t t t t t t;

 
  fprintf fmt "function %s_round_error(x:%s) : real = 
	 abs_real(%s_value(x) - %s_exact(x))
function %s_total_error(x:%s) : real = 
	 abs_real(%s_value(x) - %s_model(x))@.@." t t t t t t t t;

fprintf fmt "parameter %s_set_model : x:%s ref -> y:real ->
  { } 
  unit writes x
  { %s_value(x) = %s_value(x@@)
    and %s_exact(x) = %s_exact(x@@)
    and %s_model(x) = y }@.@." t t t t t t t;

  fprintf fmt "function max_%s() : real = 0x1.%sp%d@.@." t (hex_of_precision (p-1)) (-p-e+2) ;

  fprintf fmt "predicate no_overflow_%s(m:mode,x:real) = 
	  abs_real(round_%s(m,x)) <= max_%s@.@." t t t;

  fprintf fmt "(* About rounding *)@.";
  fprintf fmt "axiom bounded_real_no_overflow_%s : forall m:mode. forall x:real. 
      abs_real(x) <= max_%s -> no_overflow_%s(m,x)@." t t t;
  fprintf fmt "axiom round_%s_down_le: forall x:real. 
      round_%s(down,x) <= x
axiom round_up_%s_ge: forall x:real. 
      round_%s(up,x) >= x
axiom round_down_%s_neg: forall x:real. 
     round_%s(down,-x) = -round_%s(up,x)
axiom round_up_%s_neg: forall x:real. 
     round_%s(up,-x) = -round_%s(down,x)
axiom round_%s_idempotent:
      forall m1:mode. forall m2:mode. forall x:real. 
      round_%s(m1,round_%s(m2,x)) = round_%s(m2,x)@.@." t t t t t t t t t t t t t t;

  fprintf fmt "(* Specification of operations (from the strict model) *)@.";
  fprintf fmt "predicate %s_of_real_post(m:mode,x:real,res:%s) =
    %s_value(res) = round_%s(m,x)
    and
    %s_exact(res) = x
    and
    %s_model(res) = x@.@." t t t t t t;

 fprintf fmt "predicate add_%s_post(m:mode,x:%s,y:%s,res:%s) =
    %s_value(res) = round_%s(m,%s_value(x) + %s_value(y))
    and 
    %s_exact(res) = %s_exact(x) + %s_exact(y)
    and 
    %s_model(res) = %s_model(x) + %s_model(y)@.@." t t t t t t t t t t t t t t;

 fprintf fmt "predicate sub_%s_post(m:mode,x:%s,y:%s,res:%s) =
    %s_value(res) = round_%s(m,%s_value(x) - %s_value(y))
    and 
    %s_exact(res) = %s_exact(x) - %s_exact(y)
    and 
    %s_model(res) = %s_model(x) - %s_model(y)@.@." t t t t t t t t t t t t t t;

 fprintf fmt "predicate mul_%s_post(m:mode,x:%s,y:%s,res:%s) =
    %s_value(res) = round_%s(m,%s_value(x) * %s_value(y))
    and 
    %s_exact(res) = %s_exact(x) * %s_exact(y)
    and 
    %s_model(res) = %s_model(x) * %s_model(y)@.@." t t t t t t t t t t t t t t;

 fprintf fmt "predicate div_%s_post(m:mode,x:%s,y:%s,res:%s) =
    %s_value(res) = round_%s(m,%s_value(x) / %s_value(y))
    and 
    %s_exact(res) = %s_exact(x) / %s_exact(y)
    and 
    %s_model(res) = %s_model(x) / %s_model(y)@.@." t t t t t t t t t t t t t t;

 fprintf fmt "predicate sqrt_%s_post(m:mode,x:%s,res:%s) =
    %s_value(res) = round_%s(m,sqrt_real(%s_value(x)))
    and 
    %s_exact(res) = sqrt_real(%s_exact(x))
    and 
    %s_model(res) = sqrt_real(%s_model(x))@.@."  t t t t t t t t t t;

 fprintf fmt "predicate neg_%s_post(x:%s,res:%s) =
    %s_value(res) = -%s_value(x)
    and 
    %s_exact(res) = -%s_exact(x)
    and 
    %s_model(res) = -%s_model(x)@.@."  t t t t t t t t t;

 fprintf fmt "predicate abs_%s_post(x:%s,res:%s) =
    %s_value(res) = abs_real(%s_value(x))
    and 
    %s_exact(res) = abs_real(%s_exact(x))
    and 
    %s_model(res) = abs_real(%s_model(x))@.@."  t t t t t t t t t;

();;

(* Strict  model *)

let output_strict_part fmt t _p _e =
  fprintf fmt "include \"%s_model.why\"@.@." t;
  fprintf fmt "(* Parameters for the strict model for %s format *)@.@." t;

  fprintf fmt "parameter %s_of_real : m:mode -> x:real ->
  { no_overflow_%s(m,x) }
  %s
  { %s_of_real_post(m,x,result) }@." t t t t;
  fprintf fmt "parameter %s_of_real_safe : m:mode -> x:real ->
  { }
  %s
  { no_overflow_%s(m,x) and
    %s_of_real_post(m,x,result) }@.@." t t t t;

  fprintf fmt "parameter add_%s : m:mode -> x:%s -> y:%s -> 
  { no_overflow_%s(m,%s_value(x) + %s_value(y)) }
  %s
  { add_%s_post(m,x,y,result) }@." t t t t t t t t;
  fprintf fmt "parameter add_%s_safe : m:mode -> x:%s -> y:%s -> 
  { }
  %s
  { no_overflow_%s(m,%s_value(x) + %s_value(y)) and
    add_%s_post(m,x,y,result) }@.@." t t t t t t t t;

  fprintf fmt "parameter sub_%s : m:mode -> x:%s -> y:%s -> 
  { no_overflow_%s(m,%s_value(x) - %s_value(y)) }
  %s
  { sub_%s_post(m,x,y,result) }@." t t t t t t t t;
  fprintf fmt "parameter sub_%s_safe : m:mode -> x:%s -> y:%s -> 
  { }
  %s
  { no_overflow_%s(m,%s_value(x) - %s_value(y)) and
    sub_%s_post(m,x,y,result) }@.@." t t t t t t t t;

  fprintf fmt "parameter mul_%s : m:mode -> x:%s -> y:%s -> 
  { no_overflow_%s(m,%s_value(x) * %s_value(y)) }
  %s
  { mul_%s_post(m,x,y,result) }@." t t t t t t t t;
  fprintf fmt "parameter mul_%s_safe : m:mode -> x:%s -> y:%s -> 
  { }
  %s
  { no_overflow_%s(m,%s_value(x) * %s_value(y)) and
    mul_%s_post(m,x,y,result) }@.@." t t t t t t t t;

  fprintf fmt "parameter div_%s : m:mode -> x:%s -> y:%s -> 
  { %s_value(y) <> 0.0 
    and
    no_overflow_%s(m,%s_value(x) / %s_value(y)) }
  %s
  { div_%s_post(m,x,y,result) }@." t t t t t t t t t;
  fprintf fmt "parameter div_%s_safe : m:mode -> x:%s -> y:%s -> 
  { }
  %s
  { %s_value(y) <> 0.0  and
    no_overflow_%s(m,%s_value(x) / %s_value(y)) and
    div_%s_post(m,x,y,result) }@.@." t t t t t t t t t;

  fprintf fmt "parameter sqrt_%s : m:mode -> x:%s -> 
  { %s_value(x) >= 0.0 }
  %s
  { sqrt_%s_post(m,x,result) }@." t t t t t;
  fprintf fmt "parameter sqrt_%s_safe : m:mode -> x:%s ->
  { }
  %s
  { %s_value(x) >= 0.0  and
    sqrt_%s_post(m,x,result) }@.@." t t t t t;

  fprintf fmt "parameter neg_%s : x:%s -> 
  { }
  %s
  { neg_%s_post(x,result) }@." t t t t;

  fprintf fmt "parameter abs_%s : x:%s -> 
  { }
  %s
  { abs_%s_post(x,result) }@." t t t t;

  fprintf fmt "(* Comparisons for the strict model for %s format *)@.@." t;
  fprintf fmt "parameter lt_%s : x:%s -> y:%s -> 
  {} bool { if result then %s_value(x) < %s_value(y) 
            else %s_value(x) >= %s_value(y) }@." t t t t t t t;
  fprintf fmt "parameter le_%s : x:%s -> y:%s -> 
  {} bool { if result then %s_value(x) <= %s_value(y) 
            else %s_value(x) > %s_value(y) }@." t t t t t t t;
  fprintf fmt "parameter gt_%s : x:%s -> y:%s -> 
  {} bool { if result then %s_value(x) > %s_value(y) 
            else %s_value(x) <= %s_value(y) }@." t t t t t t t;
  fprintf fmt "parameter ge_%s : x:%s -> y:%s -> 
  {} bool { if result then %s_value(x) >= %s_value(y) 
            else %s_value(x) < %s_value(y) }@." t t t t t t t;
  fprintf fmt "parameter eq_%s : x:%s -> y:%s -> 
  {} bool { if result then %s_value(x) = %s_value(y) 
            else %s_value(x) <> %s_value(y) }@." t t t t t t t;
  fprintf fmt "parameter neq_%s : x:%s -> y:%s -> 
  {} bool { if result then %s_value(x) <> %s_value(y) 
            else %s_value(x) = %s_value(y) }@.@." t t t t t t t;

fprintf fmt "(* Any %s *)
  parameter any_%s : { } %s { }" t t t;

();;

(* Coq  model *)

let output_coq_model fmt t p e =
  fprintf fmt "(* Coq model for float type '%s'
 * with precision = %d and min exponent = %d 
 *)@.@." t p e;

();;

(* main program *)

let type_name = Sys.argv.(1)

let precision = int_of_string Sys.argv.(2)

let exponent = int_of_string Sys.argv.(3)

let main = 
  let f = "lib/why/" ^ type_name ^ "_model.why" in
  let c = open_out f in
  output_common_part (formatter_of_out_channel c) type_name precision exponent;
  close_out c;

  let f = "lib/why/" ^ type_name ^ "_strict.why" in
  let c = open_out f in
  output_strict_part (formatter_of_out_channel c) type_name precision exponent;
  close_out c;

  let f = "lib/coq/" ^ type_name ^ "_model.v" in
  let c = open_out f in
  output_coq_model (formatter_of_out_channel c) type_name precision exponent;
  close_out c;




  
�������why-2.34/tools/simplify_split.mli�������������������������������������������������������������������0000644�0001750�0001750�00000004735�12311670312�015540� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Split a Simplify input file into several files, one for each query.
   The function passed is iterated over each sub-file. *)

val iter : debug:bool -> (string -> Buffer.t list -> unit) -> in_channel -> unit

�����������������������������������why-2.34/tools/rv_merge.ml��������������������������������������������������������������������������0000644�0001750�0001750�00000006146�12311670312�014124� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* merge several haRVey files into a single one *)

open Printf

let usage () =
  eprintf "usage: rv_merge file1.rv ... filen.rv\n";
  exit 1

let queue = Queue.create ()

let () =
  for i = 1 to Array.length Sys.argv - 1 do
    let f = Sys.argv.(i) in
    if not (Filename.check_suffix f ".rv") then usage ();
    Queue.add (open_in f) queue
  done

let copy_theory c =
  ignore (input_line c); (* skip first line : ( ;; BEGIN THEORY ) *)
  try
    while true do
      let s = input_line c in
      if s = ") ;; END THEORY" then raise Exit;
      printf "%s\n" s
    done
  with Exit -> 
    ()

let copy_goals c =
  try
    while true do let s = input_line c in printf "%s\n" s done
  with End_of_file -> 
    close_in c;
    printf "\n\n"

let () =
  printf "(\n";
  Queue.iter copy_theory queue;
  printf ") ;; END THEORY\n\n";
  Queue.iter copy_goals queue

��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/tools/cadlog.ml����������������������������������������������������������������������������0000644�0001750�0001750�00000006630�12311670312�013545� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Format
open Unix

let usage_string = "cadlog [options] file"

let usage () =
  eprintf "usage: %s@." usage_string;
  exit 1

let file = ref ""

let def_file s =
  if !file="" then file := s
  else usage () 
  
let jessie = ref false

let krakatoa = ref false

let _ = 
  Arg.parse 
      [ "-jc", Arg.Set jessie, "  Jessie bench";
	"-java", Arg.Set krakatoa, "  Krakatoa bench";
      ]
      def_file usage_string

let file = if !file ="" then usage() else !file

let c = open_out file

let fmt = formatter_of_out_channel c

let tool = 
  if !jessie then "Jessie" else 
  if !krakatoa then "Krakatoa" else 
    "Caduceus"

let version,date =
  if !jessie || !krakatoa 
  then Version.version, Version.date else 
    Cversion.version, Cversion.date

let d,m,y =
  let tm = localtime (time ()) in
    tm.tm_mday, 1+tm.tm_mon, 1900+tm.tm_year

let () =
  fprintf fmt "%8s version         : %s@." tool version;
  fprintf fmt "%8s compilation date: %s@." tool date;
  fprintf fmt "Bench execution date     : %d/%d/%d@." d m y;
  try
    while true do
      let s = read_line () in
	print_endline s;
	fprintf fmt "%s@." s
    done
  with End_of_file ->
    close_out c
��������������������������������������������������������������������������������������������������������why-2.34/tools/rv_split.mll�������������������������������������������������������������������������0000644�0001750�0001750�00000010176�12311670312�014332� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

{

  open Printf
  open Lexing 

  let no_remove = ref false
  let callback = ref (fun _ _ -> assert false : string -> Buffer.t list -> unit)

  (* we put everything not a goal into [buf] *)
  let buf = Buffer.create 8192

  let outc = ref stdout
  let file = ref ""
  let level = ref 0 

  let print s = 
    output_string !outc s

  let end_file file =
    close_out !outc;
    !callback file [];
    Lib.remove_file ~debug:!no_remove file

}

let space = [' ' '\t' '\n' '\r']
let ident = ['a'-'z' 'A'-'Z' '0'-'9']+

rule split = parse
  | "(" space* "(theory" space* "(extends)"
      { 
	Buffer.add_string buf (lexeme lexbuf) ;
	split lexbuf 
      }
  | ";;" space*"Why axiom"  
      {
	Buffer.add_string buf ";;"  ;
	splitAxiom lexbuf;
	split lexbuf
      }

  | "))" space* ")" space*";;" space*  "END THEORY" 
      { 
	Buffer.add_string buf (lexeme lexbuf);
	split lexbuf 
      }
  | ";;" space* "Why obligation" 
      {
	file := Filename.temp_file "rv" ".rv"; 
	level := 0 ;
	outc := open_out !file;
	print (Buffer.contents buf);
	print (lexeme lexbuf); 
	query lexbuf;
	end_file !file;
	split lexbuf
      }
  | eof {()}
  |_ 
      {
	Buffer.add_string buf (lexeme lexbuf) ;
       split lexbuf}
      

and splitAxiom = parse
  | "(" { Buffer.add_char buf '('; 
	  level := !level + 1 ; 
	  splitAxiom lexbuf;
	}
  | ")" { Buffer.add_char buf ')'; 
	  level := !level - 1 ;
	  if !level <> 0 then splitAxiom lexbuf 
	}
  | _   { Buffer.add_string buf (lexeme lexbuf); 
	  splitAxiom lexbuf }

and query = parse
  | "(" { print "(";
	  level := !level + 1 ; 
	  query lexbuf;}
  | ")" { print ")" ;
	  level := !level - 1 ;
	  if !level <> 0 then query lexbuf 
	}
  | _   { print (lexeme lexbuf); query lexbuf }

{

  let iter ~debug cb f =
    callback := cb;
    no_remove := debug;
    Buffer.reset buf;
    let c = open_in f in
    let lb = from_channel c in
    split lb;
    close_in c

}

��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/tools/dp.ml��������������������������������������������������������������������������������0000644�0001750�0001750�00000031524�12311670312�012717� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* script to call automatic provers *)

open Format
open Calldp

let timeout = ref 10
let eclauses = ref 2000 (* E prover max nb of clauses *)
let debug = ref false
let batch = ref false
let simple = ref false
let split = ref false
let timings = ref true (* print timings *)
let basename = ref false
let listing = ref false
let select_hypotheses = ref false
let files = Queue.create ()
let prover = ref None
let extra_switch = ref ""

type smt_solver = Yices | CVC3 | Z3 | VeriT
let smt_solver = ref Z3
let set_smt_solver = function
  | "yices" -> smt_solver := Yices
  | "cvc3" -> smt_solver := CVC3
  | "z3" -> smt_solver := Z3
  | "verit" -> smt_solver:= VeriT
  | s -> eprintf "unknown SMT solver %s@." s; exit 1

let spec =
  [ "-timeout", Arg.Int ((:=) timeout), "<int>  set the timeout (in seconds) (0 no timeout)";
    "-eclauses", Arg.Int ((:=) eclauses),
    "<int>  set the max nb of clauses for the E prover";
    "-debug", Arg.Set debug, "set the debug flag";
    "-batch", Arg.Set batch, "run in batch mode";
    "-no-timings", Arg.Clear timings, "do not display timings";
    "-smt-solver", Arg.String set_smt_solver,
      "<solver id> (yices, cvc3, z3 or verit)";
    "-basename", Arg.Set basename, "prints only file basenames";
    "-listing", Arg.Set listing, "argument file only lists real argument files";
    "-select", Arg.Set select_hypotheses,
    "applies some selection of hypotheses (only Alt-Ergo)";
    "-extra-switch", Arg.Set_string extra_switch,
    "adds additional switches to selected prover";
    "-simple", Arg.Set simple, "Print only Valid, I don't know, Invalid, Fail, Timeout";
    "-split", Arg.Set split, "Create a directory wich contains all the goal split in different file";
    "-prover", Arg.Symbol (
      ["Alt-Ergo";"CVC3";"CVCL";"Z3";"Yices";"Simplify";"Vampire"; "VeriT"],(fun s -> prover := Some s)), "Select the prover to use"
  ]

let () =
  let d = Filename.dirname Sys.argv.(0) in
  if not (Filename.is_relative d) then
    Calldp.cpulimit := Filename.concat d "why-cpulimit"

let usage = "usage: why-dp [options] [files.{why,rv,znn,cvc,cvc.all,sx,sx.all,smt,smt.all,vp,vp.all}]"
let () =
  Arg.parse spec
    (fun s ->
       if !listing then
	 let c = open_in s in
	 let rec push_file () =
	   let line = input_line c in
	   let flist = Str.split (Str.regexp "[ \t]+") line in
	   List.iter (fun f -> Queue.push f files) flist;
	   push_file ()
	 in
	 (try push_file () with End_of_file -> ());
	 close_in c
       else
	 Queue.push s files) usage

let () = if !split then simple := true

let switch = !extra_switch

(* stats *)

let nvalid = ref 0
let tvalid = ref 0.0
let tmaxvalid = ref 0.0

let ninvalid = ref 0
let tinvalid = ref 0.0
let tmaxinvalid = ref 0.0

let nunknown = ref 0
let tunknown = ref 0.0
let tmaxunknown = ref 0.0

let ntimeout = ref 0
let ttimeout = ref 0.0

let nfailure = ref 0
let tfailure = ref 0.0

let is_valid t =
  printf ".@?"; incr nvalid;
  tvalid := !tvalid +. t;
  tmaxvalid := max !tmaxvalid t

let is_invalid t =
  printf "*@?"; incr ninvalid;
  tinvalid := !tinvalid +. t;
  tmaxinvalid := max !tmaxinvalid t

let is_unknown t =
  printf "?@?"; incr nunknown;
  tunknown := !tunknown +. t;
  tmaxunknown := max !tmaxunknown t

let is_timeout t =
  printf "#@?"; incr ntimeout;
  ttimeout := !ttimeout +. t

let is_failure t =
  printf "!@?"; incr nfailure;
  tfailure := !tfailure +. t


let wrapper_complete r =
  begin match r with
    | Valid t -> is_valid t
    | Invalid(t,_) -> is_invalid t
    | CannotDecide (t,_) -> is_unknown t
    | Timeout t -> is_timeout t
    | ProverFailure(t,_) -> is_failure t
  end;
  flush stdout

let wrapper_batch r =
  begin match r with
    | Valid _t -> exit 0
    | Invalid(_t,_) -> exit 2
    | CannotDecide (_t,_) -> exit 3
    | Timeout _t -> exit 4
    | ProverFailure(_t,_) -> exit 5
  end

let wrapper_simple r =
  begin match r with
    | Valid t -> printf "Valid %f@." t
    | Invalid(t,_) -> printf "Invalid %f@." t
    | CannotDecide (t,_) -> printf "I don't know %f@." t
    | Timeout t -> printf "Timeout %f@." t
    | ProverFailure(t,s) -> printf "Fail %f@." t; eprintf "%s@." s
  end;
  flush stdout

let wrapper =
  if !batch then wrapper_batch
  else if !simple then wrapper_simple
  else wrapper_complete

let debug = !debug

let call_ergo f b =
  wrapper (Calldp.ergo ~debug ~switch ~timeout:!timeout
	     ~select_hypotheses:!select_hypotheses ~filename:f ~buffers:b ())
let call_cvcl f b =
  wrapper (Calldp.cvcl ~debug ~switch 
             ~timeout:!timeout ~filename:f ~buffers:b ())
let call_simplify f _ =
  wrapper (Calldp.simplify ~debug ~switch ~timeout:!timeout ~filename:f ())
let call_vampire f _ =
  wrapper (Calldp.vampire ~debug ~switch ~timeout:!timeout ~filename:f ())
let call_yices f b =
  wrapper (Calldp.yices ~debug ~switch 
             ~timeout:!timeout ~filename:f ~buffers:b ())
let call_cvc3 f b =
  wrapper (Calldp.cvc3 ~debug ~switch 
             ~timeout:!timeout ~filename:f ~buffers:b ())
let call_z3 f b =
  wrapper (Calldp.z3 ~debug ~switch 
             ~timeout:!timeout ~filename:f ~buffers:b ())
let call_rvsat f _ =
  wrapper (Calldp.rvsat ~debug ~switch ~timeout:!timeout ~filename:f ())
let call_zenon f _ =
  wrapper (Calldp.zenon ~debug ~switch ~timeout:!timeout ~filename:f ())
let call_harvey f _ =
  wrapper (Calldp.harvey ~debug ~switch ~timeout:!timeout ~filename:f ())
let call_verit f b =
  wrapper (Calldp.verit ~debug ~switch 
             ~timeout:!timeout ~filename:f ~buffers:b ())

let new_num =
  let c = ref (-1) in
  (fun () -> incr c;!c)

let dir_name f = (Filename.chop_extension f)^".split"

let call_split callback dir_name suffixe =
  if !split then (fun f b ->
                    let dest = (sprintf "%s/goal%i%s" dir_name (new_num ()) suffixe) in
                    match b with
                      | [] -> Lib.file_copy f dest
                      | buffers ->
                          let cout = open_out dest in
                          List.iter (Buffer.output_buffer cout) buffers;
                          close_out cout;
                 )
  else callback


let call_smt_solver = match !smt_solver with
  | Yices -> call_yices
  | CVC3 -> call_cvc3
  | Z3 -> call_z3
  | VeriT -> call_verit

let dispatch_prover_by_name cin = function
  | "Alt-Ergo" -> Ergo_split.iter call_ergo cin
  | "CVC3" -> Smtlib_split.iter call_cvc3 cin
  | "CVCL" -> Cvcl_split.iter call_cvcl cin
  | "Z3" -> Smtlib_split.iter call_z3 cin
  | "Yices" -> Smtlib_split.iter call_yices cin
  | "Simplify" -> Simplify_split.iter ~debug call_simplify cin
    (* Vampire uses Simplify's syntax. *)
  | "Vampire" -> Simplify_split.iter ~debug call_vampire cin
  | "VeriT" -> Smtlib_split.iter call_verit cin
  | _ -> assert false


let dispatch_prover_by_extension dir_name f =
  let cin = open_in f in
  if Filename.check_suffix f ".smt"  || Filename.check_suffix f ".smt.all" then
    begin
      Smtlib_split.iter (call_split call_smt_solver dir_name ".smt") cin
    end
  else
  if Filename.check_suffix f ".why" then
    begin
      Ergo_split.iter (call_split call_ergo dir_name ".why") cin
    end
  else
  if Filename.check_suffix f ".cvc"  || Filename.check_suffix f ".cvc.all" then
    Cvcl_split.iter (call_split call_cvcl dir_name ".cvc") cin
  else
  if Filename.check_suffix f ".sx" ||
     Filename.check_suffix f ".sx.all" ||
     Filename.check_suffix f ".simplify"
  then
    Simplify_split.iter ~debug (call_split call_simplify dir_name ".sx") cin
  else
  if Filename.check_suffix f ".vp" ||
     Filename.check_suffix f ".vp.all"
  then
    Simplify_split.iter ~debug (call_split call_vampire dir_name ".vp") cin
  else
  if Filename.check_suffix f ".znn" || Filename.check_suffix f ".znn.all" then
    Zenon_split.iter ~debug (call_split call_zenon dir_name ".znn") f (* TODO: Zenon_split *)
  else
  if Filename.check_suffix f ".rv" then
    begin
      Rv_split.iter ~debug (call_split call_harvey dir_name ".rv") f
    end
  else
    begin Arg.usage spec usage; exit 1 end;
  close_in cin


let split f =
  let dir_name = dir_name f in
  if !split && not (Sys.file_exists dir_name) then Unix.mkdir dir_name 0o740;
  if not !batch && not !simple then printf "%-30s: "
    (if !basename then Filename.basename f else f);
  let oldv = !nvalid in
  let oldi = !ninvalid in
  let oldt = !ntimeout in
  let oldu = !nunknown in
  let oldf = !nfailure in
  (match !prover with
    | None -> dispatch_prover_by_extension dir_name f;
    | Some p -> let cin = open_in f in
      dispatch_prover_by_name cin p;
      close_in cin);
  if not !simple then
    printf
      " (%d/%d/%d/%d/%d)@." (!nvalid - oldv) (!ninvalid - oldi) (!nunknown - oldu) (!ntimeout - oldt) (!nfailure - oldf)

let print_time fmt f =
  if f < 60.0 then fprintf fmt "%.2f sec" f else
    let t = int_of_float f in
    let m = t / 60 in
    let s = t mod 60 in
    if f < 3600.0 then fprintf fmt "%d m %02d sec" m s else
      let h = m / 60 in
      let m = m mod 60 in
      fprintf fmt "%d h %02d m %02d sec" h m s


let main () =
  begin
    try
      DpConfig.load_rc_file ()
    with Not_found ->
      print_endline "Why config file not found, please run why-config first.";
      exit 1
  end;
  let wctime0 = Unix.gettimeofday() in
  if not !batch && not !simple then printf "(. = valid * = invalid ? = unknown # = timeout ! = failure)@.";
  if Queue.is_empty files then
    match !prover with
      | None -> eprintf "Can't use stdin without the option -prover@.";
          Arg.usage spec usage;exit 1
      | Some p -> dispatch_prover_by_name stdin p
  else Queue.iter split files;
  let wctime = Unix.gettimeofday() -. wctime0 in
  let n = !nvalid + !ninvalid + !ntimeout + !nunknown + !nfailure in
  if n = 0 then exit 0;
  let pvalid = 100. *. float !nvalid /. float n in
  let pinvalid = 100. *. float !ninvalid /. float n in
  let ptimeout = 100. *. float !ntimeout /. float n in
  let punknown = 100. *. float !nunknown /. float n in
  let pfailure = 100. *. float !nfailure /. float n in
  printf
"total   : %3d
valid   : %3d (%3.0f%%)
invalid : %3d (%3.0f%%)
unknown : %3d (%3.0f%%)
timeout : %3d (%3.0f%%)
failure : %3d (%3.0f%%)\n" n
    !nvalid pvalid !ninvalid pinvalid !nunknown punknown
    !ntimeout ptimeout !nfailure pfailure;
  if !timings then printf
"total wallclock time : %a
total CPU time       : %a
valid VCs:
    average CPU time : %.2f
    max CPU time     : %.2f
invalid VCs:
    average CPU time : %.2f
    max CPU time     : %.2f
unknown VCs:
    average CPU time : %.2f
    max CPU time     : %.2f\n"
    print_time wctime
    print_time  (!tvalid +. !tinvalid +. !tunknown +. !ttimeout +. !tfailure)
    (!tvalid /. float !nvalid)
    !tmaxvalid
    (!tinvalid /. float !ninvalid)
    !tmaxinvalid
      (!tunknown /. float !nunknown)
    !tmaxunknown

let () = Printexc.catch main ()
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/tools/toolstat_types.mli�������������������������������������������������������������������0000644�0001750�0001750�00000005252�12311670312�015561� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



type project = string option
type prover = string
type test = string
type summary = int * int * int * int * int
type detail = int list * int list * int list * int list * int list
type result = summary * detail
type time = int * int * float
type completed = bool
type annot = int * int * int * int

type annotation =
    string * annot

type record = 
    completed * project * prover * test * summary * detail * time
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/.depend������������������������������������������������������������������������������������0000644�0001750�0001750�00000245461�12311670312�012071� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������src/annot.cmo : src/util.cmi src/types.cmi src/options.cmi src/misc.cmi \
    src/logic.cmi src/ident.cmi src/env.cmi src/effect.cmi src/ast.cmi \
    src/annot.cmi
src/annot.cmx : src/util.cmx src/types.cmi src/options.cmx src/misc.cmx \
    src/logic.cmi src/ident.cmx src/env.cmx src/effect.cmx src/ast.cmi \
    src/annot.cmi
src/coq.cmo : src/vcg.cmi src/util.cmi src/types.cmi src/report.cmi \
    src/regen.cmi src/print_real.cmo src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/cc.cmi src/coq.cmi
src/coq.cmx : src/vcg.cmx src/util.cmx src/types.cmi src/report.cmx \
    src/regen.cmx src/print_real.cmx src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx src/error.cmi \
    src/env.cmx src/cc.cmi src/coq.cmi
src/cvcl.cmo : src/vcg.cmi src/util.cmi src/report.cmi src/print_real.cmo \
    src/pp.cmi src/options.cmi src/misc.cmi src/ltyping.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/encoding_mono_inst.cmi src/encoding.cmi src/cc.cmi \
    src/cvcl.cmi
src/cvcl.cmx : src/vcg.cmx src/util.cmx src/report.cmx src/print_real.cmx \
    src/pp.cmx src/options.cmx src/misc.cmx src/ltyping.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx src/error.cmi \
    src/env.cmx src/encoding_mono_inst.cmx src/encoding.cmx src/cc.cmi \
    src/cvcl.cmi
src/dispatcher.cmo : src/zenon.cmi src/vcg.cmi src/theory_filtering.cmo \
    src/smtlib.cmi src/simplify.cmi src/pvs.cmi src/pretty.cmi \
    src/options.cmi src/logic_decl.cmi src/logic.cmi src/lib.cmi \
    src/harvey.cmi src/gappa.cmi src/env.cmi tools/dpConfig.cmi src/cvcl.cmi \
    src/coq.cmi src/cc.cmi tools/calldp.cmi src/dispatcher.cmi
src/dispatcher.cmx : src/zenon.cmx src/vcg.cmx src/theory_filtering.cmx \
    src/smtlib.cmx src/simplify.cmx src/pvs.cmx src/pretty.cmx \
    src/options.cmx src/logic_decl.cmi src/logic.cmi src/lib.cmx \
    src/harvey.cmx src/gappa.cmx src/env.cmx tools/dpConfig.cmx src/cvcl.cmx \
    src/coq.cmx src/cc.cmi tools/calldp.cmx src/dispatcher.cmi
src/effect.cmo : src/ident.cmi src/effect.cmi
src/effect.cmx : src/ident.cmx src/effect.cmi
src/encoding.cmo : src/predDefExpansor.cmi src/options.cmi src/monomorph.cmi \
    src/logic_decl.cmi src/ident.cmi src/encoding_strat.cmi \
    src/encoding_rec.cmi src/encoding_pred.cmi src/encoding_mono_inst.cmi \
    src/encoding_mono.cmo src/encoding.cmi
src/encoding.cmx : src/predDefExpansor.cmx src/options.cmx src/monomorph.cmx \
    src/logic_decl.cmi src/ident.cmx src/encoding_strat.cmx \
    src/encoding_rec.cmx src/encoding_pred.cmx src/encoding_mono_inst.cmx \
    src/encoding_mono.cmx src/encoding.cmi
src/encoding_mono.cmo : src/util.cmi src/predDefExpansor.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi \
    src/cc.cmi
src/encoding_mono.cmx : src/util.cmx src/predDefExpansor.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx src/env.cmx \
    src/cc.cmi
src/encoding_mono2.cmo : src/util.cmi src/misc.cmi src/logic_decl.cmi \
    src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi src/cc.cmi
src/encoding_mono2.cmx : src/util.cmx src/misc.cmx src/logic_decl.cmi \
    src/logic.cmi src/loc.cmx src/ident.cmx src/env.cmx src/cc.cmi
src/encoding_mono_inst.cmo : src/util.cmi src/predDefExpansor.cmi src/pp.cmi \
    src/options.cmi src/mapenv.cmo src/logic_decl.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/env.cmi src/cc.cmi \
    src/encoding_mono_inst.cmi
src/encoding_mono_inst.cmx : src/util.cmx src/predDefExpansor.cmx src/pp.cmx \
    src/options.cmx src/mapenv.cmx src/logic_decl.cmi src/logic.cmi \
    src/loc.cmx src/ident.cmx src/env.cmx src/cc.cmi \
    src/encoding_mono_inst.cmi
src/encoding_pred.cmo : src/logic_decl.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/env.cmi src/cc.cmi src/encoding_pred.cmi
src/encoding_pred.cmx : src/logic_decl.cmi src/logic.cmi src/loc.cmx \
    src/ident.cmx src/env.cmx src/cc.cmi src/encoding_pred.cmi
src/encoding_rec.cmo : src/options.cmi src/logic_decl.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/env.cmi src/cc.cmi src/encoding_rec.cmi
src/encoding_rec.cmx : src/options.cmx src/logic_decl.cmi src/logic.cmi \
    src/loc.cmx src/ident.cmx src/env.cmx src/cc.cmi src/encoding_rec.cmi
src/encoding_strat.cmo : src/util.cmi src/logic_decl.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/env.cmi src/cc.cmi src/encoding_strat.cmi
src/encoding_strat.cmx : src/util.cmx src/logic_decl.cmi src/logic.cmi \
    src/loc.cmx src/ident.cmx src/env.cmx src/cc.cmi src/encoding_strat.cmi
src/env.cmo : src/types.cmi src/report.cmi src/misc.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/error.cmi src/effect.cmi src/cc.cmi \
    src/ast.cmi src/env.cmi
src/env.cmx : src/types.cmi src/report.cmx src/misc.cmx src/logic.cmi \
    src/loc.cmx src/ident.cmx src/error.cmi src/effect.cmx src/cc.cmi \
    src/ast.cmi src/env.cmi
src/explain.cmo : src/logic_decl.cmi src/logic.cmi src/explain.cmi
src/explain.cmx : src/logic_decl.cmi src/logic.cmi src/explain.cmi
src/fastwp.cmo : src/wp.cmi src/util.cmi src/types.cmi src/misc.cmi \
    src/logic.cmi src/ident.cmi src/env.cmi src/effect.cmi src/cc.cmi \
    src/ast.cmi src/fastwp.cmi
src/fastwp.cmx : src/wp.cmx src/util.cmx src/types.cmi src/misc.cmx \
    src/logic.cmi src/ident.cmx src/env.cmx src/effect.cmx src/cc.cmi \
    src/ast.cmi src/fastwp.cmi
src/fpi.cmo : src/pp.cmi src/misc.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/cc.cmi src/fpi.cmi
src/fpi.cmx : src/pp.cmx src/misc.cmx src/logic.cmi src/loc.cmx \
    src/ident.cmx src/cc.cmi src/fpi.cmi
src/gappa.cmo : src/predDefExpansor.cmi src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/cc.cmi src/gappa.cmi
src/gappa.cmx : src/predDefExpansor.cmx src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/ident.cmx src/error.cmi \
    src/env.cmx src/cc.cmi src/gappa.cmi
src/graphviz.cmo : src/graphviz.cmi
src/graphviz.cmx : src/graphviz.cmi
src/harvey.cmo : src/util.cmi src/print_real.cmo src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi \
    src/error.cmi src/env.cmi src/encoding.cmi src/cc.cmi src/harvey.cmi
src/harvey.cmx : src/util.cmx src/print_real.cmx src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx \
    src/error.cmi src/env.cmx src/encoding.cmx src/cc.cmi src/harvey.cmi
src/hol4.cmo : src/vcg.cmi src/util.cmi src/print_real.cmo src/pp.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/cc.cmi src/hol4.cmi
src/hol4.cmx : src/vcg.cmx src/util.cmx src/print_real.cmx src/pp.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/ident.cmx src/error.cmi \
    src/env.cmx src/cc.cmi src/hol4.cmi
src/holl.cmo : src/vcg.cmi src/util.cmi src/print_real.cmo src/pp.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/cc.cmi src/holl.cmi
src/holl.cmx : src/vcg.cmx src/util.cmx src/print_real.cmx src/pp.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/ident.cmx src/error.cmi \
    src/env.cmx src/cc.cmi src/holl.cmi
src/hypotheses_filtering.cmo : src/util.cmi src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/cc.cmi
src/hypotheses_filtering.cmx : src/util.cmx src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/ident.cmx src/error.cmi \
    src/env.cmx src/cc.cmi
src/ident.cmo : src/ident.cmi
src/ident.cmx : src/ident.cmi
src/isabelle.cmo : src/vcg.cmi src/util.cmi src/regen.cmi src/print_real.cmo \
    src/pp.cmi src/options.cmi src/misc.cmi src/logic_decl.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/error.cmi src/env.cmi src/cc.cmi \
    src/isabelle.cmi
src/isabelle.cmx : src/vcg.cmx src/util.cmx src/regen.cmx src/print_real.cmx \
    src/pp.cmx src/options.cmx src/misc.cmx src/logic_decl.cmi src/logic.cmi \
    src/loc.cmx src/ident.cmx src/error.cmi src/env.cmx src/cc.cmi \
    src/isabelle.cmi
src/lexer.cmo : src/parser.cmi src/logic.cmi src/loc.cmi src/lexer.cmi
src/lexer.cmx : src/parser.cmx src/logic.cmi src/loc.cmx src/lexer.cmi
src/lib.cmo : src/lib.cmi
src/lib.cmx : src/lib.cmi
src/linenum.cmo : src/linenum.cmi
src/linenum.cmx : src/linenum.cmi
src/loc.cmo : src/loc.cmi
src/loc.cmx : src/loc.cmi
src/ltyping.cmo : src/util.cmi src/types.cmi src/report.cmi src/ptree.cmi \
    src/options.cmi src/misc.cmi src/logic.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/effect.cmi src/ast.cmi src/ltyping.cmi
src/ltyping.cmx : src/util.cmx src/types.cmi src/report.cmx src/ptree.cmi \
    src/options.cmx src/misc.cmx src/logic.cmi src/ident.cmx src/error.cmi \
    src/env.cmx src/effect.cmx src/ast.cmi src/ltyping.cmi
src/main.cmo : src/zenon.cmi src/z3.cmi src/wp.cmi src/why3.cmi src/vcg.cmi \
    src/util.cmi src/typing.cmi src/types.cmi src/smtlib.cmi src/simplify.cmi \
    src/report.cmi src/red.cmi src/rc.cmi src/pvs.cmi src/ptree.cmi \
    src/pretty.cmi src/predDefExpansor.cmi src/pp.cmi src/options.cmi \
    src/ocaml.cmi src/monomorph.cmi src/monad.cmi src/mlize.cmi src/mizar.cmi \
    src/misc.cmi src/ltyping.cmi src/logic_decl.cmi src/logic.cmi src/loc.cmi \
    src/lexer.cmi src/isabelle.cmi src/ident.cmi src/hypotheses_filtering.cmo \
    src/holl.cmi src/hol4.cmi src/harvey.cmi src/gappa.cmi src/fastwp.cmi \
    src/error.cmi src/env.cmi src/effect.cmi src/dispatcher.cmi src/cvcl.cmi \
    src/coq.cmi src/cc.cmi src/ast.cmi
src/main.cmx : src/zenon.cmx src/z3.cmx src/wp.cmx src/why3.cmx src/vcg.cmx \
    src/util.cmx src/typing.cmx src/types.cmi src/smtlib.cmx src/simplify.cmx \
    src/report.cmx src/red.cmx src/rc.cmx src/pvs.cmx src/ptree.cmi \
    src/pretty.cmx src/predDefExpansor.cmx src/pp.cmx src/options.cmx \
    src/ocaml.cmx src/monomorph.cmx src/monad.cmx src/mlize.cmx src/mizar.cmx \
    src/misc.cmx src/ltyping.cmx src/logic_decl.cmi src/logic.cmi src/loc.cmx \
    src/lexer.cmx src/isabelle.cmx src/ident.cmx src/hypotheses_filtering.cmx \
    src/holl.cmx src/hol4.cmx src/harvey.cmx src/gappa.cmx src/fastwp.cmx \
    src/error.cmi src/env.cmx src/effect.cmx src/dispatcher.cmx src/cvcl.cmx \
    src/coq.cmx src/cc.cmi src/ast.cmi
src/mapenv.cmo : src/misc.cmi src/logic.cmi src/ident.cmi
src/mapenv.cmx : src/misc.cmx src/logic.cmi src/ident.cmx
src/misc.cmo : src/types.cmi src/ptree.cmi src/options.cmi \
    src/option_misc.cmi src/logic.cmi src/loc.cmi src/ident.cmi \
    src/effect.cmi src/cc.cmi src/ast.cmi src/misc.cmi
src/misc.cmx : src/types.cmi src/ptree.cmi src/options.cmx \
    src/option_misc.cmx src/logic.cmi src/loc.cmx src/ident.cmx \
    src/effect.cmx src/cc.cmi src/ast.cmi src/misc.cmi
src/mizar.cmo : src/vcg.cmi src/util.cmi src/regen.cmi src/pp.cmi \
    src/options.cmi src/misc.cmi src/logic_decl.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/error.cmi src/env.cmi src/cc.cmi src/mizar.cmi
src/mizar.cmx : src/vcg.cmx src/util.cmx src/regen.cmx src/pp.cmx \
    src/options.cmx src/misc.cmx src/logic_decl.cmi src/logic.cmi src/loc.cmx \
    src/ident.cmx src/error.cmi src/env.cmx src/cc.cmi src/mizar.cmi
src/mlize.cmo : src/util.cmi src/typing.cmi src/types.cmi src/rename.cmi \
    src/monadSig.cmi src/monad.cmi src/misc.cmi src/logic.cmi src/ident.cmi \
    src/env.cmi src/cc.cmi src/ast.cmi src/mlize.cmi
src/mlize.cmx : src/util.cmx src/typing.cmx src/types.cmi src/rename.cmx \
    src/monadSig.cmi src/monad.cmx src/misc.cmx src/logic.cmi src/ident.cmx \
    src/env.cmx src/cc.cmi src/ast.cmi src/mlize.cmi
src/monad.cmo : src/util.cmi src/typing.cmi src/types.cmi src/rename.cmi \
    src/misc.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi \
    src/effect.cmi src/cc.cmi src/ast.cmi src/monad.cmi
src/monad.cmx : src/util.cmx src/typing.cmx src/types.cmi src/rename.cmx \
    src/misc.cmx src/logic.cmi src/loc.cmx src/ident.cmx src/env.cmx \
    src/effect.cmx src/cc.cmi src/ast.cmi src/monad.cmi
src/monomorph.cmo : src/vcg.cmi src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/ident.cmi src/env.cmi src/cc.cmi \
    src/monomorph.cmi
src/monomorph.cmx : src/vcg.cmx src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/ident.cmx src/env.cmx src/cc.cmi \
    src/monomorph.cmi
src/ocaml.cmo : src/util.cmi src/types.cmi src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic.cmi src/ident.cmi src/env.cmi src/ast.cmi \
    src/ocaml.cmi
src/ocaml.cmx : src/util.cmx src/types.cmi src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic.cmi src/ident.cmx src/env.cmx src/ast.cmi \
    src/ocaml.cmi
src/option_misc.cmo : src/option_misc.cmi
src/option_misc.cmx : src/option_misc.cmi
src/options.cmo : src/version.cmo src/rc.cmi src/lib.cmi src/options.cmi
src/options.cmx : src/version.cmx src/rc.cmx src/lib.cmx src/options.cmi
src/parser.cmo : src/types.cmi src/ptree.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/error.cmi src/parser.cmi
src/parser.cmx : src/types.cmi src/ptree.cmi src/logic.cmi src/loc.cmx \
    src/ident.cmx src/error.cmi src/parser.cmi
src/pp.cmo : src/pp.cmi
src/pp.cmx : src/pp.cmi
src/predDefExpansor.cmo : src/util.cmi src/types.cmi src/options.cmi \
    src/misc.cmi src/ltyping.cmi src/logic_decl.cmi src/logic.cmi \
    src/ident.cmi src/env.cmi src/cc.cmi src/predDefExpansor.cmi
src/predDefExpansor.cmx : src/util.cmx src/types.cmi src/options.cmx \
    src/misc.cmx src/ltyping.cmx src/logic_decl.cmi src/logic.cmi \
    src/ident.cmx src/env.cmx src/cc.cmi src/predDefExpansor.cmi
src/pretty.cmo : src/util.cmi src/project.cmi src/print_real.cmo src/pp.cmi \
    src/options.cmi src/misc.cmi src/logic_decl.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/explain.cmi src/env.cmi src/encoding.cmi src/cc.cmi \
    src/pretty.cmi
src/pretty.cmx : src/util.cmx src/project.cmx src/print_real.cmx src/pp.cmx \
    src/options.cmx src/misc.cmx src/logic_decl.cmi src/logic.cmi src/loc.cmx \
    src/ident.cmx src/explain.cmx src/env.cmx src/encoding.cmx src/cc.cmi \
    src/pretty.cmi
src/print_real.cmo : src/logic.cmi
src/print_real.cmx : src/logic.cmi
src/project.cmo : src/xml.cmi src/rc.cmi src/logic_decl.cmi src/logic.cmi \
    src/loc.cmi src/explain.cmi src/project.cmi
src/project.cmx : src/xml.cmx src/rc.cmx src/logic_decl.cmi src/logic.cmi \
    src/loc.cmx src/explain.cmx src/project.cmi
src/pvs.cmo : src/vcg.cmi src/util.cmi src/types.cmi src/print_real.cmo \
    src/predDefExpansor.cmi src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi \
    src/cc.cmi src/pvs.cmi
src/pvs.cmx : src/vcg.cmx src/util.cmx src/types.cmi src/print_real.cmx \
    src/predDefExpansor.cmx src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx src/env.cmx \
    src/cc.cmi src/pvs.cmi
src/rc.cmo : src/rc.cmi
src/rc.cmx : src/rc.cmi
src/red.cmo : src/util.cmi src/misc.cmi src/logic.cmi src/ident.cmi \
    src/cc.cmi src/ast.cmi src/red.cmi
src/red.cmx : src/util.cmx src/misc.cmx src/logic.cmi src/ident.cmx \
    src/cc.cmi src/ast.cmi src/red.cmi
src/regen.cmo : src/vcg.cmi src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/env.cmi src/cc.cmi \
    src/regen.cmi
src/regen.cmx : src/vcg.cmx src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/env.cmx src/cc.cmi \
    src/regen.cmi
src/rename.cmo : src/report.cmi src/pp.cmi src/misc.cmi src/ident.cmi \
    src/error.cmi src/rename.cmi
src/rename.cmx : src/report.cmx src/pp.cmx src/misc.cmx src/ident.cmx \
    src/error.cmi src/rename.cmi
src/report.cmo : src/types.cmi src/misc.cmi src/logic.cmi src/loc.cmi \
    src/lexer.cmi src/ident.cmi src/error.cmi src/effect.cmi src/ast.cmi \
    src/report.cmi
src/report.cmx : src/types.cmi src/misc.cmx src/logic.cmi src/loc.cmx \
    src/lexer.cmx src/ident.cmx src/error.cmi src/effect.cmx src/ast.cmi \
    src/report.cmi
src/simplify.cmo : src/util.cmi src/report.cmi src/predDefExpansor.cmi \
    src/pp.cmi src/options.cmi src/misc.cmi src/logic_decl.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/error.cmi src/env.cmi src/encoding.cmi \
    src/cc.cmi src/simplify.cmi
src/simplify.cmx : src/util.cmx src/report.cmx src/predDefExpansor.cmx \
    src/pp.cmx src/options.cmx src/misc.cmx src/logic_decl.cmi src/logic.cmi \
    src/loc.cmx src/ident.cmx src/error.cmi src/env.cmx src/encoding.cmx \
    src/cc.cmi src/simplify.cmi
src/smtlib.cmo : src/print_real.cmo src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/encoding.cmi src/cc.cmi src/smtlib.cmi
src/smtlib.cmx : src/print_real.cmx src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx src/error.cmi \
    src/env.cmx src/encoding.cmx src/cc.cmi src/smtlib.cmi
src/theory_filtering.cmo : src/unionfind.cmo src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/cc.cmi
src/theory_filtering.cmx : src/unionfind.cmx src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/ident.cmx src/error.cmi \
    src/env.cmx src/cc.cmi
src/theoryreducer.cmo : src/unionfind.cmo src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/cc.cmi
src/theoryreducer.cmx : src/unionfind.cmx src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/ident.cmx src/error.cmi \
    src/env.cmx src/cc.cmi
src/typing.cmo : src/util.cmi src/types.cmi src/report.cmi src/rename.cmi \
    src/ptree.cmi src/options.cmi src/misc.cmi src/ltyping.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/error.cmi src/env.cmi src/effect.cmi \
    src/ast.cmi src/typing.cmi
src/typing.cmx : src/util.cmx src/types.cmi src/report.cmx src/rename.cmx \
    src/ptree.cmi src/options.cmx src/misc.cmx src/ltyping.cmx src/logic.cmi \
    src/loc.cmx src/ident.cmx src/error.cmi src/env.cmx src/effect.cmx \
    src/ast.cmi src/typing.cmi
src/unionfind.cmo :
src/unionfind.cmx :
src/util.cmo : src/types.cmi src/rename.cmi src/rc.cmi src/ptree.cmi \
    src/print_real.cmo src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi \
    src/explain.cmi src/env.cmi src/effect.cmi src/cc.cmi src/ast.cmi \
    src/util.cmi
src/util.cmx : src/types.cmi src/rename.cmx src/rc.cmx src/ptree.cmi \
    src/print_real.cmx src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx \
    src/explain.cmx src/env.cmx src/effect.cmx src/cc.cmi src/ast.cmi \
    src/util.cmi
src/vcg.cmo : src/util.cmi src/types.cmi src/pp.cmi src/options.cmi \
    src/misc.cmi src/logic_decl.cmi src/logic.cmi src/log.cmi src/ident.cmi \
    src/cc.cmi src/ast.cmi src/vcg.cmi
src/vcg.cmx : src/util.cmx src/types.cmi src/pp.cmx src/options.cmx \
    src/misc.cmx src/logic_decl.cmi src/logic.cmi src/log.cmi src/ident.cmx \
    src/cc.cmi src/ast.cmi src/vcg.cmi
src/version.cmo :
src/version.cmx :
src/why.cmo : src/report.cmi src/main.cmo
src/why.cmx : src/report.cmx src/main.cmx
src/why3.cmo : src/why3_kw.cmi src/util.cmi src/print_real.cmo src/pp.cmi \
    src/options.cmi src/misc.cmi src/logic_decl.cmi src/logic.cmi \
    src/ident.cmi src/explain.cmi src/env.cmi src/encoding.cmi src/cc.cmi \
    src/why3.cmi
src/why3.cmx : src/why3_kw.cmx src/util.cmx src/print_real.cmx src/pp.cmx \
    src/options.cmx src/misc.cmx src/logic_decl.cmi src/logic.cmi \
    src/ident.cmx src/explain.cmx src/env.cmx src/encoding.cmx src/cc.cmi \
    src/why3.cmi
src/why3_kw.cmo : src/why3_kw.cmi
src/why3_kw.cmx : src/why3_kw.cmi
src/whyweb.cmo : src/wserver.cmi src/version.cmo src/project.cmi src/pp.cmi \
    src/logic_decl.cmi src/explain.cmi
src/whyweb.cmx : src/wserver.cmx src/version.cmx src/project.cmx src/pp.cmx \
    src/logic_decl.cmi src/explain.cmx
src/wp.cmo : src/util.cmi src/typing.cmi src/types.cmi src/report.cmi \
    src/options.cmi src/option_misc.cmi src/misc.cmi src/logic.cmi \
    src/loc.cmi src/ident.cmi src/error.cmi src/env.cmi src/effect.cmi \
    src/cc.cmi src/ast.cmi src/wp.cmi
src/wp.cmx : src/util.cmx src/typing.cmx src/types.cmi src/report.cmx \
    src/options.cmx src/option_misc.cmx src/misc.cmx src/logic.cmi \
    src/loc.cmx src/ident.cmx src/error.cmi src/env.cmx src/effect.cmx \
    src/cc.cmi src/ast.cmi src/wp.cmi
src/wserver.cmo : src/wserver.cmi
src/wserver.cmx : src/wserver.cmi
src/xml.cmo : src/rc.cmi src/xml.cmi
src/xml.cmx : src/rc.cmx src/xml.cmi
src/z3.cmo : src/print_real.cmo src/pp.cmi src/options.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/encoding_mono_inst.cmi src/encoding.cmi src/cc.cmi \
    src/z3.cmi
src/z3.cmx : src/print_real.cmx src/pp.cmx src/options.cmx src/misc.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx src/error.cmi \
    src/env.cmx src/encoding_mono_inst.cmx src/encoding.cmx src/cc.cmi \
    src/z3.cmi
src/zenon.cmo : src/vcg.cmi src/util.cmi src/report.cmi src/print_real.cmo \
    src/pp.cmi src/options.cmi src/misc.cmi src/ltyping.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/error.cmi \
    src/env.cmi src/encoding.cmi src/cc.cmi src/zenon.cmi
src/zenon.cmx : src/vcg.cmx src/util.cmx src/report.cmx src/print_real.cmx \
    src/pp.cmx src/options.cmx src/misc.cmx src/ltyping.cmx \
    src/logic_decl.cmi src/logic.cmi src/loc.cmx src/ident.cmx src/error.cmi \
    src/env.cmx src/encoding.cmx src/cc.cmi src/zenon.cmi
src/annot.cmi : src/types.cmi src/logic.cmi src/env.cmi src/ast.cmi
src/ast.cmi : src/types.cmi src/ptree.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/cc.cmi
src/cc.cmi : src/logic.cmi src/loc.cmi src/ident.cmi
src/coq.cmi : src/vcg.cmi src/logic_decl.cmi src/logic.cmi src/ident.cmi \
    src/cc.cmi
src/cvcl.cmi : src/logic_decl.cmi src/cc.cmi
src/dispatcher.cmi : src/options.cmi src/logic_decl.cmi src/loc.cmi \
    src/env.cmi tools/dpConfig.cmi src/cc.cmi tools/calldp.cmi
src/effect.cmi : src/logic.cmi src/ident.cmi
src/encoding.cmi : src/logic_decl.cmi src/logic.cmi src/ident.cmi src/cc.cmi
src/encoding_mono_inst.cmi : src/logic_decl.cmi
src/encoding_pred.cmi : src/logic_decl.cmi src/cc.cmi
src/encoding_rec.cmi : src/logic_decl.cmi src/cc.cmi
src/encoding_strat.cmi : src/logic_decl.cmi src/cc.cmi
src/env.cmi : src/types.cmi src/logic.cmi src/loc.cmi src/ident.cmi \
    src/effect.cmi src/cc.cmi src/ast.cmi
src/error.cmi : src/ident.cmi src/effect.cmi
src/explain.cmi : src/logic_decl.cmi src/loc.cmi
src/fastwp.cmi : src/logic.cmi src/env.cmi
src/fpi.cmi : src/cc.cmi
src/gappa.cmi : src/logic_decl.cmi src/cc.cmi
src/graphviz.cmi :
src/harvey.cmi : src/vcg.cmi src/logic_decl.cmi src/cc.cmi
src/hol4.cmi : src/vcg.cmi src/logic_decl.cmi src/cc.cmi
src/holl.cmi : src/vcg.cmi src/logic_decl.cmi src/cc.cmi
src/ident.cmi :
src/isabelle.cmi : src/logic_decl.cmi src/cc.cmi
src/lexer.cmi : src/ptree.cmi src/parser.cmi
src/lib.cmi :
src/linenum.cmi :
src/loc.cmi :
src/log.cmi :
src/logic.cmi : src/ident.cmi
src/logic_decl.cmi : src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi \
    src/cc.cmi
src/ltyping.cmi : src/types.cmi src/ptree.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/env.cmi src/effect.cmi src/ast.cmi
src/misc.cmi : src/types.cmi src/ptree.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/cc.cmi src/ast.cmi
src/mizar.cmi : src/logic_decl.cmi src/cc.cmi
src/mlize.cmi : src/rename.cmi src/logic.cmi src/env.cmi src/cc.cmi \
    src/ast.cmi
src/monad.cmi : src/monadSig.cmi
src/monadSig.cmi : src/types.cmi src/rename.cmi src/logic.cmi src/loc.cmi \
    src/ident.cmi src/env.cmi src/cc.cmi src/ast.cmi
src/monomorph.cmi : src/logic_decl.cmi src/logic.cmi src/ident.cmi
src/ocaml.cmi : src/types.cmi src/ident.cmi src/env.cmi
src/option_misc.cmi :
src/options.cmi : src/rc.cmi src/project.cmi
src/parser.cmi : src/ptree.cmi src/logic.cmi
src/pp.cmi :
src/predDefExpansor.cmi : src/logic_decl.cmi src/logic.cmi src/ident.cmi \
    src/env.cmi
src/pretty.cmi : src/project.cmi src/logic_decl.cmi
src/project.cmi : src/logic_decl.cmi src/loc.cmi
src/ptree.cmi : src/types.cmi src/logic.cmi src/loc.cmi src/ident.cmi
src/purify.cmi : src/env.cmi
src/pvs.cmi : src/vcg.cmi src/logic_decl.cmi src/cc.cmi
src/rc.cmi :
src/red.cmi : src/logic.cmi src/cc.cmi
src/regen.cmi : src/vcg.cmi src/logic_decl.cmi src/logic.cmi src/loc.cmi \
    src/env.cmi src/cc.cmi
src/rename.cmi : src/ident.cmi
src/report.cmi : src/loc.cmi src/error.cmi
src/simplify.cmi : src/logic_decl.cmi src/cc.cmi
src/smtlib.cmi : src/logic_decl.cmi src/cc.cmi
src/types.cmi : src/logic.cmi src/ident.cmi src/effect.cmi
src/typing.cmi : src/types.cmi src/ptree.cmi src/loc.cmi src/env.cmi \
    src/ast.cmi
src/util.cmi : src/types.cmi src/rename.cmi src/ptree.cmi src/misc.cmi \
    src/logic_decl.cmi src/logic.cmi src/loc.cmi src/ident.cmi src/env.cmi \
    src/effect.cmi src/cc.cmi src/ast.cmi
src/vcg.cmi : src/types.cmi src/logic_decl.cmi src/logic.cmi src/log.cmi \
    src/loc.cmi src/ident.cmi src/cc.cmi src/ast.cmi
src/why3.cmi : src/logic_decl.cmi
src/why3_kw.cmi :
src/wp.cmi : src/logic.cmi src/env.cmi src/ast.cmi
src/wserver.cmi :
src/xml.cmi : src/rc.cmi
src/z3.cmi : src/logic_decl.cmi src/cc.cmi
src/zenon.cmi : src/logic_decl.cmi src/cc.cmi
jc/jc_ai.cmi : src/loc.cmi jc/jc_fenv.cmo jc/jc_ast.cmi
jc/jc_ast.cmi : src/loc.cmi jc/jc_stdlib.cmo jc/jc_region.cmo jc/jc_env.cmi
jc/jc_callgraph.cmi : src/loc.cmi jc/jc_pervasives.cmi jc/jc_fenv.cmo \
    jc/jc_constructors.cmi
jc/jc_common_options.cmi : jc/jc_env.cmi
jc/jc_constructors.cmi : src/loc.cmi jc/jc_fenv.cmo jc/jc_env.cmi \
    jc/jc_ast.cmi
jc/jc_env.cmi :
jc/jc_envset.cmi : jc/jc_stdlib.cmo jc/jc_env.cmi
jc/jc_frame.cmi : jc/output.cmi jc/jc_fenv.cmo jc/jc_ast.cmi
jc/jc_interp.cmi : jc/output.cmi src/loc.cmi jc/jc_typing.cmi \
    jc/jc_type_var.cmi jc/jc_region.cmo jc/jc_fenv.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_interp_misc.cmi : jc/output.cmi jc/jc_region.cmo jc/jc_pervasives.cmi \
    jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_iterators.cmi : src/loc.cmi jc/jc_fenv.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi
jc/jc_lexer.cmi : src/loc.cmi jc/jc_parser.cmi jc/jc_ast.cmi
jc/jc_norm.cmi : jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_options.cmi : src/rc.cmi jc/output.cmi src/loc.cmi jc/jc_stdlib.cmo \
    jc/jc_env.cmi
jc/jc_parser.cmi : jc/jc_ast.cmi
jc/jc_pervasives.cmi : jc/jc_stdlib.cmo jc/jc_fenv.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_struct_tools.cmi : jc/jc_env.cmi
jc/jc_type_var.cmi : src/loc.cmi jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_typing.cmi : src/loc.cmi jc/jc_stdlib.cmo jc/jc_pervasives.cmi \
    jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi
jc/numconst.cmi :
jc/output.cmi : src/loc.cmi jc/jc_env.cmi
jc/jc_ai.cmo : jc/jc_ai.cmi
jc/jc_ai.cmx : jc/jc_ai.cmi
jc/jc_annot_fail.cmo :
jc/jc_annot_fail.cmx :
jc/jc_annot_inference.cmo : src/pp.cmi src/parser.cmi jc/output.cmi \
    src/option_misc.cmi src/loc.cmi jc/jc_typing.cmi jc/jc_stdlib.cmo \
    jc/jc_separation.cmo jc/jc_region.cmo jc/jc_pervasives.cmi \
    jc/jc_output.cmo jc/jc_options.cmi jc/jc_norm.cmi jc/jc_iterators.cmi \
    jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi jc/jc_effect.cmo \
    jc/jc_constructors.cmi jc/jc_ast.cmi
jc/jc_annot_inference.cmx : src/pp.cmx src/parser.cmx jc/output.cmx \
    src/option_misc.cmx src/loc.cmx jc/jc_typing.cmx jc/jc_stdlib.cmx \
    jc/jc_separation.cmx jc/jc_region.cmx jc/jc_pervasives.cmx \
    jc/jc_output.cmx jc/jc_options.cmx jc/jc_norm.cmx jc/jc_iterators.cmx \
    jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi jc/jc_effect.cmx \
    jc/jc_constructors.cmx jc/jc_ast.cmi
jc/jc_callgraph.cmo : src/pp.cmi src/option_misc.cmi src/loc.cmi \
    jc/jc_typing.cmi jc/jc_stdlib.cmo jc/jc_pervasives.cmi jc/jc_options.cmi \
    jc/jc_iterators.cmi jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_ast.cmi \
    jc/jc_callgraph.cmi
jc/jc_callgraph.cmx : src/pp.cmx src/option_misc.cmx src/loc.cmx \
    jc/jc_typing.cmx jc/jc_stdlib.cmx jc/jc_pervasives.cmx jc/jc_options.cmx \
    jc/jc_iterators.cmx jc/jc_fenv.cmx jc/jc_env.cmi jc/jc_ast.cmi \
    jc/jc_callgraph.cmi
jc/jc_common_options.cmo : jc/jc_env.cmi jc/jc_common_options.cmi
jc/jc_common_options.cmx : jc/jc_env.cmi jc/jc_common_options.cmi
jc/jc_constructors.cmo : src/loc.cmi jc/jc_region.cmo jc/jc_fenv.cmo \
    jc/jc_env.cmi jc/jc_ast.cmi jc/jc_constructors.cmi
jc/jc_constructors.cmx : src/loc.cmx jc/jc_region.cmx jc/jc_fenv.cmx \
    jc/jc_env.cmi jc/jc_ast.cmi jc/jc_constructors.cmi
jc/jc_control_flow.cmo : jc/jc_ast.cmi
jc/jc_control_flow.cmx : jc/jc_ast.cmi
jc/jc_effect.cmo : src/pp.cmi src/option_misc.cmi jc/jc_typing.cmi \
    jc/jc_struct_tools.cmi jc/jc_stdlib.cmo jc/jc_region.cmo \
    jc/jc_pervasives.cmi jc/jc_output_misc.cmo jc/jc_output.cmo \
    jc/jc_options.cmi jc/jc_name.cmo jc/jc_iterators.cmi jc/jc_fenv.cmo \
    jc/jc_envset.cmi jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi
jc/jc_effect.cmx : src/pp.cmx src/option_misc.cmx jc/jc_typing.cmx \
    jc/jc_struct_tools.cmx jc/jc_stdlib.cmx jc/jc_region.cmx \
    jc/jc_pervasives.cmx jc/jc_output_misc.cmx jc/jc_output.cmx \
    jc/jc_options.cmx jc/jc_name.cmx jc/jc_iterators.cmx jc/jc_fenv.cmx \
    jc/jc_envset.cmx jc/jc_env.cmi jc/jc_constructors.cmx jc/jc_ast.cmi
jc/jc_envset.cmo : jc/jc_stdlib.cmo jc/jc_env.cmi jc/jc_envset.cmi
jc/jc_envset.cmx : jc/jc_stdlib.cmx jc/jc_env.cmi jc/jc_envset.cmi
jc/jc_fenv.cmo : jc/jc_stdlib.cmo jc/jc_region.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_fenv.cmx : jc/jc_stdlib.cmx jc/jc_region.cmx jc/jc_envset.cmx \
    jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_frame.cmo : src/pp.cmi jc/output.cmi jc/jc_typing.cmi \
    jc/jc_struct_tools.cmi jc/jc_stdlib.cmo jc/jc_separation.cmo \
    jc/jc_region.cmo jc/jc_pervasives.cmi jc/jc_pattern.cmo jc/jc_options.cmi \
    jc/jc_name.cmo jc/jc_invariants.cmo jc/jc_interp_misc.cmi \
    jc/jc_interp.cmi jc/jc_frame_notin.cmo jc/jc_fenv.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_effect.cmo jc/jc_constructors.cmi jc/jc_ast.cmi \
    jc/jc_frame.cmi
jc/jc_frame.cmx : src/pp.cmx jc/output.cmx jc/jc_typing.cmx \
    jc/jc_struct_tools.cmx jc/jc_stdlib.cmx jc/jc_separation.cmx \
    jc/jc_region.cmx jc/jc_pervasives.cmx jc/jc_pattern.cmx jc/jc_options.cmx \
    jc/jc_name.cmx jc/jc_invariants.cmx jc/jc_interp_misc.cmx \
    jc/jc_interp.cmx jc/jc_frame_notin.cmx jc/jc_fenv.cmx jc/jc_envset.cmx \
    jc/jc_env.cmi jc/jc_effect.cmx jc/jc_constructors.cmx jc/jc_ast.cmi \
    jc/jc_frame.cmi
jc/jc_frame_notin.cmo : src/pp.cmi jc/output.cmi jc/jc_typing.cmi \
    jc/jc_type_var.cmi jc/jc_struct_tools.cmi jc/jc_stdlib.cmo \
    jc/jc_separation.cmo jc/jc_region.cmo jc/jc_pervasives.cmi \
    jc/jc_pattern.cmo jc/jc_name.cmo jc/jc_invariants.cmo \
    jc/jc_interp_misc.cmi jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi \
    jc/jc_effect.cmo jc/jc_constructors.cmi jc/jc_ast.cmi
jc/jc_frame_notin.cmx : src/pp.cmx jc/output.cmx jc/jc_typing.cmx \
    jc/jc_type_var.cmx jc/jc_struct_tools.cmx jc/jc_stdlib.cmx \
    jc/jc_separation.cmx jc/jc_region.cmx jc/jc_pervasives.cmx \
    jc/jc_pattern.cmx jc/jc_name.cmx jc/jc_invariants.cmx \
    jc/jc_interp_misc.cmx jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi \
    jc/jc_effect.cmx jc/jc_constructors.cmx jc/jc_ast.cmi
jc/jc_interp.cmo : src/rc.cmi src/pp.cmi jc/output.cmi src/option_misc.cmi \
    jc/numconst.cmi src/loc.cmi jc/jc_typing.cmi jc/jc_type_var.cmi \
    jc/jc_struct_tools.cmi jc/jc_stdlib.cmo jc/jc_separation.cmo \
    jc/jc_region.cmo jc/jc_pervasives.cmi jc/jc_pattern.cmo jc/jc_options.cmi \
    jc/jc_name.cmo jc/jc_iterators.cmi jc/jc_invariants.cmo \
    jc/jc_interp_misc.cmi jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi \
    jc/jc_effect.cmo jc/jc_constructors.cmi jc/jc_ast.cmi jc/jc_interp.cmi
jc/jc_interp.cmx : src/rc.cmx src/pp.cmx jc/output.cmx src/option_misc.cmx \
    jc/numconst.cmx src/loc.cmx jc/jc_typing.cmx jc/jc_type_var.cmx \
    jc/jc_struct_tools.cmx jc/jc_stdlib.cmx jc/jc_separation.cmx \
    jc/jc_region.cmx jc/jc_pervasives.cmx jc/jc_pattern.cmx jc/jc_options.cmx \
    jc/jc_name.cmx jc/jc_iterators.cmx jc/jc_invariants.cmx \
    jc/jc_interp_misc.cmx jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi \
    jc/jc_effect.cmx jc/jc_constructors.cmx jc/jc_ast.cmi jc/jc_interp.cmi
jc/jc_interp_misc.cmo : src/pp.cmi jc/output.cmi src/option_misc.cmi \
    jc/numconst.cmi jc/jc_typing.cmi jc/jc_type_var.cmi \
    jc/jc_struct_tools.cmi jc/jc_stdlib.cmo jc/jc_region.cmo \
    jc/jc_pervasives.cmi jc/jc_options.cmi jc/jc_name.cmo jc/jc_fenv.cmo \
    jc/jc_envset.cmi jc/jc_env.cmi jc/jc_effect.cmo jc/jc_constructors.cmi \
    jc/jc_ast.cmi jc/jc_interp_misc.cmi
jc/jc_interp_misc.cmx : src/pp.cmx jc/output.cmx src/option_misc.cmx \
    jc/numconst.cmx jc/jc_typing.cmx jc/jc_type_var.cmx \
    jc/jc_struct_tools.cmx jc/jc_stdlib.cmx jc/jc_region.cmx \
    jc/jc_pervasives.cmx jc/jc_options.cmx jc/jc_name.cmx jc/jc_fenv.cmx \
    jc/jc_envset.cmx jc/jc_env.cmi jc/jc_effect.cmx jc/jc_constructors.cmx \
    jc/jc_ast.cmi jc/jc_interp_misc.cmi
jc/jc_invariants.cmo : jc/output.cmi src/loc.cmi jc/jc_typing.cmi \
    jc/jc_struct_tools.cmi jc/jc_stdlib.cmo jc/jc_region.cmo \
    jc/jc_pervasives.cmi jc/jc_options.cmi jc/jc_name.cmo jc/jc_iterators.cmi \
    jc/jc_interp_misc.cmi jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi \
    jc/jc_constructors.cmi jc/jc_common_options.cmi jc/jc_ast.cmi
jc/jc_invariants.cmx : jc/output.cmx src/loc.cmx jc/jc_typing.cmx \
    jc/jc_struct_tools.cmx jc/jc_stdlib.cmx jc/jc_region.cmx \
    jc/jc_pervasives.cmx jc/jc_options.cmx jc/jc_name.cmx jc/jc_iterators.cmx \
    jc/jc_interp_misc.cmx jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi \
    jc/jc_constructors.cmx jc/jc_common_options.cmx jc/jc_ast.cmi
jc/jc_iterators.cmo : src/option_misc.cmi jc/jc_fenv.cmo jc/jc_envset.cmi \
    jc/jc_constructors.cmi jc/jc_ast.cmi jc/jc_iterators.cmi
jc/jc_iterators.cmx : src/option_misc.cmx jc/jc_fenv.cmx jc/jc_envset.cmx \
    jc/jc_constructors.cmx jc/jc_ast.cmi jc/jc_iterators.cmi
jc/jc_lexer.cmo : jc/jc_pervasives.cmi jc/jc_parser.cmi jc/jc_options.cmi \
    jc/jc_env.cmi jc/jc_ast.cmi jc/jc_lexer.cmi
jc/jc_lexer.cmx : jc/jc_pervasives.cmx jc/jc_parser.cmx jc/jc_options.cmx \
    jc/jc_env.cmi jc/jc_ast.cmi jc/jc_lexer.cmi
jc/jc_main.cmo : src/pp.cmi jc/output.cmi src/option_misc.cmi src/loc.cmi \
    src/lib.cmi jc/jc_typing.cmi jc/jc_stdlib.cmo jc/jc_separation.cmo \
    jc/jc_region.cmo jc/jc_poutput.cmo jc/jc_pervasives.cmi jc/jc_options.cmi \
    jc/jc_norm.cmi jc/jc_make.cmo jc/jc_lexer.cmi jc/jc_invariants.cmo \
    jc/jc_interp_misc.cmi jc/jc_interp.cmi jc/jc_frame.cmi jc/jc_fenv.cmo \
    jc/jc_env.cmi jc/jc_effect.cmo jc/jc_callgraph.cmi jc/jc_ast.cmi \
    jc/jc_ai.cmi
jc/jc_main.cmx : src/pp.cmx jc/output.cmx src/option_misc.cmx src/loc.cmx \
    src/lib.cmx jc/jc_typing.cmx jc/jc_stdlib.cmx jc/jc_separation.cmx \
    jc/jc_region.cmx jc/jc_poutput.cmx jc/jc_pervasives.cmx jc/jc_options.cmx \
    jc/jc_norm.cmx jc/jc_make.cmx jc/jc_lexer.cmx jc/jc_invariants.cmx \
    jc/jc_interp_misc.cmx jc/jc_interp.cmx jc/jc_frame.cmx jc/jc_fenv.cmx \
    jc/jc_env.cmi jc/jc_effect.cmx jc/jc_callgraph.cmx jc/jc_ast.cmi \
    jc/jc_ai.cmx
jc/jc_make.cmo : src/pp.cmi jc/jc_options.cmi
jc/jc_make.cmx : src/pp.cmx jc/jc_options.cmx
jc/jc_name.cmo : jc/output.cmi jc/jc_region.cmo jc/jc_pervasives.cmi \
    jc/jc_env.cmi jc/jc_common_options.cmi jc/jc_ast.cmi
jc/jc_name.cmx : jc/output.cmx jc/jc_region.cmx jc/jc_pervasives.cmx \
    jc/jc_env.cmi jc/jc_common_options.cmx jc/jc_ast.cmi
jc/jc_norm.cmo : src/pp.cmi src/option_misc.cmi jc/jc_pervasives.cmi \
    jc/jc_options.cmi jc/jc_iterators.cmi jc/jc_fenv.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi jc/jc_norm.cmi
jc/jc_norm.cmx : src/pp.cmx src/option_misc.cmx jc/jc_pervasives.cmx \
    jc/jc_options.cmx jc/jc_iterators.cmx jc/jc_fenv.cmx jc/jc_envset.cmx \
    jc/jc_env.cmi jc/jc_constructors.cmx jc/jc_ast.cmi jc/jc_norm.cmi
jc/jc_noutput.cmo : src/pp.cmi jc/jc_pervasives.cmi jc/jc_output_misc.cmo \
    jc/jc_ast.cmi
jc/jc_noutput.cmx : src/pp.cmx jc/jc_pervasives.cmx jc/jc_output_misc.cmx \
    jc/jc_ast.cmi
jc/jc_options.cmo : src/version.cmo src/rc.cmi jc/output.cmi src/loc.cmi \
    jc/jc_stdlib.cmo jc/jc_env.cmi jc/jc_common_options.cmi jc/jc_options.cmi
jc/jc_options.cmx : src/version.cmx src/rc.cmx jc/output.cmx src/loc.cmx \
    jc/jc_stdlib.cmx jc/jc_env.cmi jc/jc_common_options.cmx jc/jc_options.cmi
jc/jc_output.cmo : src/pp.cmi src/option_misc.cmi jc/jc_type_var.cmi \
    jc/jc_poutput.cmo jc/jc_pervasives.cmi jc/jc_output_misc.cmo \
    jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi
jc/jc_output.cmx : src/pp.cmx src/option_misc.cmx jc/jc_type_var.cmx \
    jc/jc_poutput.cmx jc/jc_pervasives.cmx jc/jc_output_misc.cmx \
    jc/jc_fenv.cmx jc/jc_env.cmi jc/jc_constructors.cmx jc/jc_ast.cmi
jc/jc_output_misc.cmo : src/pp.cmi jc/jc_pervasives.cmi jc/jc_env.cmi \
    jc/jc_ast.cmi
jc/jc_output_misc.cmx : src/pp.cmx jc/jc_pervasives.cmx jc/jc_env.cmi \
    jc/jc_ast.cmi
jc/jc_parser.cmo : src/loc.cmi jc/jc_pervasives.cmi jc/jc_options.cmi \
    jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi src/error.cmi \
    jc/jc_parser.cmi
jc/jc_parser.cmx : src/loc.cmx jc/jc_pervasives.cmx jc/jc_options.cmx \
    jc/jc_env.cmi jc/jc_constructors.cmx jc/jc_ast.cmi src/error.cmi \
    jc/jc_parser.cmi
jc/jc_pattern.cmo : jc/output.cmi jc/jc_region.cmo jc/jc_pervasives.cmi \
    jc/jc_name.cmo jc/jc_interp_misc.cmi jc/jc_env.cmi jc/jc_effect.cmo \
    jc/jc_ast.cmi
jc/jc_pattern.cmx : jc/output.cmx jc/jc_region.cmx jc/jc_pervasives.cmx \
    jc/jc_name.cmx jc/jc_interp_misc.cmx jc/jc_env.cmi jc/jc_effect.cmx \
    jc/jc_ast.cmi
jc/jc_pervasives.cmo : src/pp.cmi src/option_misc.cmi src/loc.cmi \
    jc/jc_stdlib.cmo jc/jc_region.cmo jc/jc_fenv.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_constructors.cmi jc/jc_ast.cmi jc/jc_pervasives.cmi
jc/jc_pervasives.cmx : src/pp.cmx src/option_misc.cmx src/loc.cmx \
    jc/jc_stdlib.cmx jc/jc_region.cmx jc/jc_fenv.cmx jc/jc_envset.cmx \
    jc/jc_env.cmi jc/jc_constructors.cmx jc/jc_ast.cmi jc/jc_pervasives.cmi
jc/jc_poutput.cmo : src/pp.cmi src/option_misc.cmi jc/jc_pervasives.cmi \
    jc/jc_output_misc.cmo jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_poutput.cmx : src/pp.cmx src/option_misc.cmx jc/jc_pervasives.cmx \
    jc/jc_output_misc.cmx jc/jc_fenv.cmx jc/jc_env.cmi jc/jc_ast.cmi
jc/jc_region.cmo : src/pp.cmi jc/jc_stdlib.cmo jc/jc_envset.cmi \
    jc/jc_env.cmi jc/jc_common_options.cmi
jc/jc_region.cmx : src/pp.cmx jc/jc_stdlib.cmx jc/jc_envset.cmx \
    jc/jc_env.cmi jc/jc_common_options.cmx
jc/jc_separation.cmo : src/pp.cmi src/option_misc.cmi jc/jc_typing.cmi \
    jc/jc_stdlib.cmo jc/jc_region.cmo jc/jc_pervasives.cmi jc/jc_options.cmi \
    jc/jc_iterators.cmi jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi \
    jc/jc_constructors.cmi jc/jc_ast.cmi
jc/jc_separation.cmx : src/pp.cmx src/option_misc.cmx jc/jc_typing.cmx \
    jc/jc_stdlib.cmx jc/jc_region.cmx jc/jc_pervasives.cmx jc/jc_options.cmx \
    jc/jc_iterators.cmx jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi \
    jc/jc_constructors.cmx jc/jc_ast.cmi
jc/jc_stdlib.cmo :
jc/jc_stdlib.cmx :
jc/jc_stdlib_ge312.cmo :
jc/jc_stdlib_ge312.cmx :
jc/jc_stdlib_ge40.cmo :
jc/jc_stdlib_ge40.cmx :
jc/jc_stdlib_ge400.cmo :
jc/jc_stdlib_ge400.cmx :
jc/jc_stdlib_lt312.cmo :
jc/jc_stdlib_lt312.cmx :
jc/jc_struct_tools.cmo : jc/jc_pervasives.cmi jc/jc_output_misc.cmo \
    jc/jc_options.cmi jc/jc_name.cmo jc/jc_envset.cmi jc/jc_env.cmi \
    jc/jc_struct_tools.cmi
jc/jc_struct_tools.cmx : jc/jc_pervasives.cmx jc/jc_output_misc.cmx \
    jc/jc_options.cmx jc/jc_name.cmx jc/jc_envset.cmx jc/jc_env.cmi \
    jc/jc_struct_tools.cmi
jc/jc_type_var.cmo : src/pp.cmi src/loc.cmi jc/jc_pervasives.cmi \
    jc/jc_iterators.cmi jc/jc_envset.cmi jc/jc_env.cmi jc/jc_constructors.cmi \
    jc/jc_type_var.cmi
jc/jc_type_var.cmx : src/pp.cmx src/loc.cmx jc/jc_pervasives.cmx \
    jc/jc_iterators.cmx jc/jc_envset.cmx jc/jc_env.cmi jc/jc_constructors.cmx \
    jc/jc_type_var.cmi
jc/jc_typing.cmo : src/pp.cmi src/option_misc.cmi src/loc.cmi \
    jc/jc_type_var.cmi jc/jc_struct_tools.cmi jc/jc_stdlib.cmo \
    jc/jc_region.cmo jc/jc_pervasives.cmi jc/jc_output_misc.cmo \
    jc/jc_output.cmo jc/jc_options.cmi jc/jc_noutput.cmo jc/jc_norm.cmi \
    jc/jc_iterators.cmi jc/jc_fenv.cmo jc/jc_envset.cmi jc/jc_env.cmi \
    jc/jc_constructors.cmi jc/jc_common_options.cmi jc/jc_ast.cmi \
    jc/jc_typing.cmi
jc/jc_typing.cmx : src/pp.cmx src/option_misc.cmx src/loc.cmx \
    jc/jc_type_var.cmx jc/jc_struct_tools.cmx jc/jc_stdlib.cmx \
    jc/jc_region.cmx jc/jc_pervasives.cmx jc/jc_output_misc.cmx \
    jc/jc_output.cmx jc/jc_options.cmx jc/jc_noutput.cmx jc/jc_norm.cmx \
    jc/jc_iterators.cmx jc/jc_fenv.cmx jc/jc_envset.cmx jc/jc_env.cmi \
    jc/jc_constructors.cmx jc/jc_common_options.cmx jc/jc_ast.cmi \
    jc/jc_typing.cmi
jc/numconst.cmo : jc/numconst.cmi
jc/numconst.cmx : jc/numconst.cmi
jc/output.cmo : src/why3_kw.cmi src/pp.cmi src/option_misc.cmi src/loc.cmi \
    jc/jc_env.cmi jc/output.cmi
jc/output.cmx : src/why3_kw.cmx src/pp.cmx src/option_misc.cmx src/loc.cmx \
    jc/jc_env.cmi jc/output.cmi
c/cast.cmi : src/loc.cmi c/info.cmi c/ctypes.cmi c/clogic.cmi c/cconst.cmi
c/cast_misc.cmi : c/cast.cmi
c/cconst.cmi : src/loc.cmi
c/ceffect.cmi : jc/output.cmi src/loc.cmi c/info.cmi c/clogic.cmi c/cast.cmi
c/cenv.cmi : src/loc.cmi src/lib.cmi c/info.cmi c/ctypes.cmi c/cast.cmi
c/cerror.cmi : c/ctypes.cmi
c/cgraph.cmi : c/info.cmi c/cast.cmi
c/cinit.cmi : src/loc.cmi c/info.cmi c/cast.cmi
c/cinterp.cmi : jc/output.cmi c/cast.cmi
c/clogic.cmi : src/loc.cmi c/info.cmi
c/clparser.cmi : c/clogic.cmi c/cast.cmi
c/cltyping.cmi : src/loc.cmi src/env.cmi c/clogic.cmi c/cenv.cmi c/cast.cmi
c/cmake.cmi :
c/cnorm.cmi : c/info.cmi c/ctypes.cmi c/clogic.cmi c/cast.cmi
c/coptions.cmi :
c/cparser.cmi : c/clogic.cmi c/cast.cmi
c/cpp.cmi :
c/cprint.cmi : c/clogic.cmi c/cast.cmi
c/cprint_graph.cmi :
c/cptr.cmi : c/info.cmi c/cenv.cmi c/cast.cmi
c/creport.cmi : src/loc.cmi c/ctypes.cmi c/cerror.cmi
c/cseparation.cmi : src/loc.cmi c/info.cmi c/ctypes.cmi c/clogic.cmi \
    c/cast.cmi
c/ctypes.cmi :
c/ctyping.cmi : c/ctypes.cmi c/cast.cmi
c/cutil.cmi :
c/info.cmi : jc/output.cmi c/ctypes.cmi
c/invariant.cmi : c/info.cmi c/ctypes.cmi c/creport.cmi c/cnorm.cmi \
    c/clogic.cmi c/cenv.cmi c/cast.cmi
c/cabsint.cmo : src/loc.cmi c/info.cmi c/cutil.cmi c/ctypes.cmi c/cprint.cmi \
    c/coptions.cmi c/clogic.cmi c/cenv.cmi c/ceffect.cmi c/cast.cmi
c/cabsint.cmx : src/loc.cmx c/info.cmx c/cutil.cmx c/ctypes.cmx c/cprint.cmx \
    c/coptions.cmx c/clogic.cmi c/cenv.cmx c/ceffect.cmx c/cast.cmi
c/cast_misc.cmo : c/ctypes.cmi c/cast.cmi c/cast_misc.cmi
c/cast_misc.cmx : c/ctypes.cmx c/cast.cmi c/cast_misc.cmi
c/cconst.cmo : c/creport.cmi c/cconst.cmi
c/cconst.cmx : c/creport.cmx c/cconst.cmi
c/ceffect.cmo : src/pp.cmi jc/output.cmi src/loc.cmi c/info.cmi c/ctypes.cmi \
    c/cseparation.cmi c/creport.cmi c/coptions.cmi c/cnorm.cmi c/clogic.cmi \
    c/cinit.cmi c/cenv.cmi c/cast.cmi c/ceffect.cmi
c/ceffect.cmx : src/pp.cmx jc/output.cmx src/loc.cmx c/info.cmx c/ctypes.cmx \
    c/cseparation.cmx c/creport.cmx c/coptions.cmx c/cnorm.cmx c/clogic.cmi \
    c/cinit.cmx c/cenv.cmx c/cast.cmi c/ceffect.cmi
c/cenv.cmo : jc/output.cmi src/loc.cmi src/lib.cmi c/info.cmi c/cutil.cmi \
    c/ctypes.cmi c/creport.cmi c/coptions.cmi c/cast.cmi c/cenv.cmi
c/cenv.cmx : jc/output.cmx src/loc.cmx src/lib.cmx c/info.cmx c/cutil.cmx \
    c/ctypes.cmx c/creport.cmx c/coptions.cmx c/cast.cmi c/cenv.cmi
c/cgraph.cmo : c/info.cmi c/coptions.cmi c/clogic.cmi c/cenv.cmi c/cast.cmi \
    c/cgraph.cmi
c/cgraph.cmx : c/info.cmx c/coptions.cmx c/clogic.cmi c/cenv.cmx c/cast.cmi \
    c/cgraph.cmi
c/cinit.cmo : src/loc.cmi c/info.cmi c/ctyping.cmi c/ctypes.cmi \
    c/coptions.cmi c/cltyping.cmi c/clogic.cmi c/cenv.cmi c/cast.cmi \
    c/cinit.cmi
c/cinit.cmx : src/loc.cmx c/info.cmx c/ctyping.cmx c/ctypes.cmx \
    c/coptions.cmx c/cltyping.cmx c/clogic.cmi c/cenv.cmx c/cast.cmi \
    c/cinit.cmi
c/cinterp.cmo : src/pp.cmi jc/output.cmi src/option_misc.cmi src/loc.cmi \
    c/invariant.cmi c/info.cmi c/ctypes.cmi c/cseparation.cmi c/creport.cmi \
    c/coptions.cmi c/cnorm.cmi c/clogic.cmi c/cinit.cmi c/cerror.cmi \
    c/cenv.cmi c/ceffect.cmi c/cconst.cmi c/cast.cmi c/cinterp.cmi
c/cinterp.cmx : src/pp.cmx jc/output.cmx src/option_misc.cmx src/loc.cmx \
    c/invariant.cmx c/info.cmx c/ctypes.cmx c/cseparation.cmx c/creport.cmx \
    c/coptions.cmx c/cnorm.cmx c/clogic.cmi c/cinit.cmx c/cerror.cmi \
    c/cenv.cmx c/ceffect.cmx c/cconst.cmx c/cast.cmi c/cinterp.cmi
c/clexer.cmo : c/ctypes.cmi c/creport.cmi c/cparser.cmi c/clogic.cmi \
    c/cllexer.cmo c/cerror.cmi c/cast.cmi
c/clexer.cmx : c/ctypes.cmx c/creport.cmx c/cparser.cmx c/clogic.cmi \
    c/cllexer.cmx c/cerror.cmi c/cast.cmi
c/cllexer.cmo : src/loc.cmi c/creport.cmi c/clparser.cmi c/clogic.cmi \
    c/cerror.cmi
c/cllexer.cmx : src/loc.cmx c/creport.cmx c/clparser.cmx c/clogic.cmi \
    c/cerror.cmi
c/clparser.cmo : src/loc.cmi c/info.cmi c/ctypes.cmi c/creport.cmi \
    c/clogic.cmi c/cast_misc.cmi c/cast.cmi c/clparser.cmi
c/clparser.cmx : src/loc.cmx c/info.cmx c/ctypes.cmx c/creport.cmx \
    c/clogic.cmi c/cast_misc.cmx c/cast.cmi c/clparser.cmi
c/cltyping.cmo : src/loc.cmi c/info.cmi src/env.cmi c/ctypes.cmi \
    c/creport.cmi c/coptions.cmi c/clogic.cmi c/cerror.cmi c/cenv.cmi \
    c/cconst.cmi c/cast.cmi c/cltyping.cmi
c/cltyping.cmx : src/loc.cmx c/info.cmx src/env.cmx c/ctypes.cmx \
    c/creport.cmx c/coptions.cmx c/clogic.cmi c/cerror.cmi c/cenv.cmx \
    c/cconst.cmx c/cast.cmi c/cltyping.cmi
c/cmain.cmo : src/pp.cmi jc/output.cmi src/loc.cmi src/lib.cmi \
    c/invariant.cmi c/info.cmi c/ctyping.cmi c/cseparation.cmi c/creport.cmi \
    c/cptr.cmi c/cprint_graph.cmi c/cprint.cmi c/cpp.cmi c/coptions.cmi \
    c/cnorm.cmi c/cmake.cmi c/clexer.cmo c/cinterp.cmi c/cinit.cmi \
    c/cgraph.cmi c/cerror.cmi c/cenv.cmi c/ceffect.cmi
c/cmain.cmx : src/pp.cmx jc/output.cmx src/loc.cmx src/lib.cmx \
    c/invariant.cmx c/info.cmx c/ctyping.cmx c/cseparation.cmx c/creport.cmx \
    c/cptr.cmx c/cprint_graph.cmx c/cprint.cmx c/cpp.cmx c/coptions.cmx \
    c/cnorm.cmx c/cmake.cmx c/clexer.cmx c/cinterp.cmx c/cinit.cmx \
    c/cgraph.cmx c/cerror.cmi c/cenv.cmx c/ceffect.cmx
c/cmake.cmo : src/pp.cmi c/coptions.cmi c/cmake.cmi
c/cmake.cmx : src/pp.cmx c/coptions.cmx c/cmake.cmi
c/cnorm.cmo : jc/output.cmi src/option_misc.cmi src/loc.cmi c/info.cmi \
    c/ctyping.cmi c/ctypes.cmi c/creport.cmi c/cprint.cmi c/coptions.cmi \
    c/cltyping.cmi c/clogic.cmi c/cenv.cmi c/cconst.cmi c/cast.cmi \
    c/cnorm.cmi
c/cnorm.cmx : jc/output.cmx src/option_misc.cmx src/loc.cmx c/info.cmx \
    c/ctyping.cmx c/ctypes.cmx c/creport.cmx c/cprint.cmx c/coptions.cmx \
    c/cltyping.cmx c/clogic.cmi c/cenv.cmx c/cconst.cmx c/cast.cmi \
    c/cnorm.cmi
c/coptions.cmo : src/version.cmo c/cversion.cmo c/coptions.cmi
c/coptions.cmx : src/version.cmx c/cversion.cmx c/coptions.cmi
c/cparser.cmo : src/ptree.cmi src/loc.cmi c/ctypes.cmi c/creport.cmi \
    c/coptions.cmi c/clogic.cmi c/cerror.cmi c/cast_misc.cmi c/cast.cmi \
    c/cparser.cmi
c/cparser.cmx : src/ptree.cmi src/loc.cmx c/ctypes.cmx c/creport.cmx \
    c/coptions.cmx c/clogic.cmi c/cerror.cmi c/cast_misc.cmx c/cast.cmi \
    c/cparser.cmi
c/cpp.cmo : c/coptions.cmi c/cpp.cmi
c/cpp.cmx : c/coptions.cmx c/cpp.cmi
c/cprint.cmo : src/pp.cmi c/info.cmi c/cutil.cmi c/ctypes.cmi c/clogic.cmi \
    c/cenv.cmi c/cconst.cmi c/cast.cmi c/cprint.cmi
c/cprint.cmx : src/pp.cmx c/info.cmx c/cutil.cmx c/ctypes.cmx c/clogic.cmi \
    c/cenv.cmx c/cconst.cmx c/cast.cmi c/cprint.cmi
c/cprint_annot.cmo : src/pp.cmi c/info.cmi c/ctypes.cmi c/clogic.cmi \
    c/cenv.cmi c/cast.cmi
c/cprint_annot.cmx : src/pp.cmx c/info.cmx c/ctypes.cmx c/clogic.cmi \
    c/cenv.cmx c/cast.cmi
c/cprint_graph.cmo : c/info.cmi c/cenv.cmi c/cprint_graph.cmi
c/cprint_graph.cmx : c/info.cmx c/cenv.cmx c/cprint_graph.cmi
c/cptr.cmo : src/loc.cmi c/info.cmi c/cutil.cmi c/ctypes.cmi c/coptions.cmi \
    c/clogic.cmi c/cenv.cmi c/cast.cmi c/cabsint.cmo c/cptr.cmi
c/cptr.cmx : src/loc.cmx c/info.cmx c/cutil.cmx c/ctypes.cmx c/coptions.cmx \
    c/clogic.cmi c/cenv.cmx c/cast.cmi c/cabsint.cmx c/cptr.cmi
c/creport.cmo : src/loc.cmi c/ctypes.cmi c/coptions.cmi c/cerror.cmi \
    c/creport.cmi
c/creport.cmx : src/loc.cmx c/ctypes.cmx c/coptions.cmx c/cerror.cmi \
    c/creport.cmi
c/cseparation.cmo : jc/output.cmi src/loc.cmi c/info.cmi c/ctypes.cmi \
    c/creport.cmi c/coptions.cmi c/cnorm.cmi c/clogic.cmi c/cenv.cmi \
    c/cast.cmi c/cseparation.cmi
c/cseparation.cmx : jc/output.cmx src/loc.cmx c/info.cmx c/ctypes.cmx \
    c/creport.cmx c/coptions.cmx c/cnorm.cmx c/clogic.cmi c/cenv.cmx \
    c/cast.cmi c/cseparation.cmi
c/csymbol.cmo : src/pp.cmi c/ctypes.cmi c/cprint.cmi c/coptions.cmi \
    c/clogic.cmi c/cabsint.cmo
c/csymbol.cmx : src/pp.cmx c/ctypes.cmx c/cprint.cmx c/coptions.cmx \
    c/clogic.cmi c/cabsint.cmx
c/ctypes.cmo : src/lib.cmi c/coptions.cmi c/ctypes.cmi
c/ctypes.cmx : src/lib.cmx c/coptions.cmx c/ctypes.cmi
c/ctyping.cmo : src/pp.cmi src/option_misc.cmi src/loc.cmi src/lib.cmi \
    c/info.cmi src/env.cmi c/ctypes.cmi c/creport.cmi c/coptions.cmi \
    c/cltyping.cmi c/clogic.cmi c/cerror.cmi c/cenv.cmi c/cconst.cmi \
    c/cast.cmi c/ctyping.cmi
c/ctyping.cmx : src/pp.cmx src/option_misc.cmx src/loc.cmx src/lib.cmx \
    c/info.cmx src/env.cmx c/ctypes.cmx c/creport.cmx c/coptions.cmx \
    c/cltyping.cmx c/clogic.cmi c/cerror.cmi c/cenv.cmx c/cconst.cmx \
    c/cast.cmi c/ctyping.cmi
c/cutil.cmo : c/cutil.cmi
c/cutil.cmx : c/cutil.cmi
c/cversion.cmo :
c/cversion.cmx :
c/info.cmo : jc/output.cmi c/ctypes.cmi c/creport.cmi c/coptions.cmi \
    c/info.cmi
c/info.cmx : jc/output.cmx c/ctypes.cmx c/creport.cmx c/coptions.cmx \
    c/info.cmi
c/invariant.cmo : src/loc.cmi c/info.cmi c/ctypes.cmi c/cseparation.cmi \
    c/creport.cmi c/cprint.cmi c/coptions.cmi c/cnorm.cmi c/clogic.cmi \
    c/cenv.cmi c/cast.cmi c/invariant.cmi
c/invariant.cmx : src/loc.cmx c/info.cmx c/ctypes.cmx c/cseparation.cmx \
    c/creport.cmx c/cprint.cmx c/coptions.cmx c/cnorm.cmx c/clogic.cmi \
    c/cenv.cmx c/cast.cmi c/invariant.cmi
java/java_ast.cmi : src/loc.cmi java/java_env.cmi
java/java_callgraph.cmi : java/java_typing.cmi java/java_tast.cmi \
    java/java_env.cmi
java/java_env.cmi : src/loc.cmi
java/java_parser.cmi : java/java_ast.cmi
java/java_tast.cmi : src/loc.cmi java/java_env.cmi java/java_ast.cmi
java/java_typing.cmi : src/loc.cmi java/java_tast.cmi java/java_env.cmi \
    java/java_ast.cmi
java/java_abstract.cmo : src/pp.cmi java/java_env.cmi java/java_ast.cmi
java/java_abstract.cmx : src/pp.cmx java/java_env.cmi java/java_ast.cmi
java/java_analysis.cmo : src/option_misc.cmi java/java_typing.cmi \
    java/java_tast.cmi java/java_pervasives.cmo java/java_options.cmo \
    java/java_env.cmi java/java_ast.cmi
java/java_analysis.cmx : src/option_misc.cmx java/java_typing.cmx \
    java/java_tast.cmi java/java_pervasives.cmx java/java_options.cmx \
    java/java_env.cmi java/java_ast.cmi
java/java_callgraph.cmo : src/pp.cmi src/option_misc.cmi \
    java/java_typing.cmi java/java_tast.cmi java/java_options.cmo \
    java/java_env.cmi java/java_callgraph.cmi
java/java_callgraph.cmx : src/pp.cmx src/option_misc.cmx \
    java/java_typing.cmx java/java_tast.cmi java/java_options.cmx \
    java/java_env.cmi java/java_callgraph.cmi
java/java_interp.cmo : jc/output.cmi src/option_misc.cmi src/loc.cmi \
    jc/jc_pervasives.cmi jc/jc_output.cmo jc/jc_fenv.cmo jc/jc_env.cmi \
    jc/jc_constructors.cmi jc/jc_ast.cmi java/java_typing.cmi \
    java/java_tast.cmi java/java_pervasives.cmo java/java_options.cmo \
    java/java_env.cmi java/java_ast.cmi java/java_analysis.cmo
java/java_interp.cmx : jc/output.cmx src/option_misc.cmx src/loc.cmx \
    jc/jc_pervasives.cmx jc/jc_output.cmx jc/jc_fenv.cmx jc/jc_env.cmi \
    jc/jc_constructors.cmx jc/jc_ast.cmi java/java_typing.cmx \
    java/java_tast.cmi java/java_pervasives.cmx java/java_options.cmx \
    java/java_env.cmi java/java_ast.cmi java/java_analysis.cmx
java/java_lexer.cmo : jc/jc_env.cmi java/java_pervasives.cmo \
    java/java_parser.cmi java/java_options.cmo java/java_env.cmi \
    java/java_ast.cmi
java/java_lexer.cmx : jc/jc_env.cmi java/java_pervasives.cmx \
    java/java_parser.cmx java/java_options.cmx java/java_env.cmi \
    java/java_ast.cmi
java/java_main.cmo : src/pp.cmi jc/output.cmi src/option_misc.cmi \
    src/loc.cmi jc/jc_poutput.cmo jc/jc_constructors.cmi java/java_typing.cmi \
    java/java_syntax.cmo java/java_options.cmo java/java_interp.cmo \
    java/java_env.cmi java/java_callgraph.cmi java/java_ast.cmi \
    java/java_analysis.cmo java/java_abstract.cmo
java/java_main.cmx : src/pp.cmx jc/output.cmx src/option_misc.cmx \
    src/loc.cmx jc/jc_poutput.cmx jc/jc_constructors.cmx java/java_typing.cmx \
    java/java_syntax.cmx java/java_options.cmx java/java_interp.cmx \
    java/java_env.cmi java/java_callgraph.cmx java/java_ast.cmi \
    java/java_analysis.cmx java/java_abstract.cmx
java/java_options.cmo : src/version.cmo src/loc.cmi jc/jc_env.cmi \
    java/java_env.cmi
java/java_options.cmx : src/version.cmx src/loc.cmx jc/jc_env.cmi \
    java/java_env.cmi
java/java_parser.cmo : src/loc.cmi java/java_pervasives.cmo \
    java/java_options.cmo java/java_env.cmi java/java_ast.cmi \
    java/java_parser.cmi
java/java_parser.cmx : src/loc.cmx java/java_pervasives.cmx \
    java/java_options.cmx java/java_env.cmi java/java_ast.cmi \
    java/java_parser.cmi
java/java_pervasives.cmo : src/loc.cmi java/java_tast.cmi java/java_env.cmi \
    java/java_ast.cmi
java/java_pervasives.cmx : src/loc.cmx java/java_tast.cmi java/java_env.cmi \
    java/java_ast.cmi
java/java_syntax.cmo : src/option_misc.cmi src/loc.cmi \
    java/java_pervasives.cmo java/java_parser.cmi java/java_options.cmo \
    java/java_lexer.cmo java/java_ast.cmi
java/java_syntax.cmx : src/option_misc.cmx src/loc.cmx \
    java/java_pervasives.cmx java/java_parser.cmx java/java_options.cmx \
    java/java_lexer.cmx java/java_ast.cmi
java/java_typing.cmo : src/pp.cmi src/option_misc.cmi jc/numconst.cmi \
    src/loc.cmi java/java_tast.cmi java/java_syntax.cmo \
    java/java_pervasives.cmo java/java_options.cmo java/java_env.cmi \
    java/java_ast.cmi java/java_typing.cmi
java/java_typing.cmx : src/pp.cmx src/option_misc.cmx jc/numconst.cmx \
    src/loc.cmx java/java_tast.cmi java/java_syntax.cmx \
    java/java_pervasives.cmx java/java_options.cmx java/java_env.cmi \
    java/java_ast.cmi java/java_typing.cmi
intf/astnprinter.cmo : src/util.cmi intf/tools.cmo intf/tags.cmo \
    src/print_real.cmo src/pp.cmi src/misc.cmi src/logic.cmi src/ident.cmi \
    src/cc.cmi intf/astprinter.cmo
intf/astnprinter.cmx : src/util.cmx intf/tools.cmx intf/tags.cmx \
    src/print_real.cmx src/pp.cmx src/misc.cmx src/logic.cmi src/ident.cmx \
    src/cc.cmi intf/astprinter.cmx
intf/astpprinter.cmo : intf/tools.cmo intf/tags.cmo src/print_real.cmo \
    src/pp.cmi src/misc.cmi src/logic.cmi src/ident.cmi src/cc.cmi \
    intf/astprinter.cmo
intf/astpprinter.cmx : intf/tools.cmx intf/tags.cmx src/print_real.cmx \
    src/pp.cmx src/misc.cmx src/logic.cmi src/ident.cmx src/cc.cmi \
    intf/astprinter.cmx
intf/astprinter.cmo : intf/tags.cmo src/pp.cmi src/misc.cmi src/logic.cmi \
    src/ident.cmi src/coq.cmi src/cc.cmi
intf/astprinter.cmx : intf/tags.cmx src/pp.cmx src/misc.cmx src/logic.cmi \
    src/ident.cmx src/coq.cmx src/cc.cmi
intf/cache.cmo : src/options.cmi src/logic.cmi src/env.cmi src/cc.cmi
intf/cache.cmx : src/options.cmx src/logic.cmi src/env.cmx src/cc.cmi
intf/colors.cmo : intf/colors.cmi
intf/colors.cmx : intf/colors.cmi
intf/config.cmo : intf/tools.cmo src/rc.cmi intf/model.cmi intf/colors.cmi \
    intf/cache.cmo
intf/config.cmx : intf/tools.cmx src/rc.cmx intf/model.cmx intf/colors.cmx \
    intf/cache.cmx
intf/gConfig.cmo : intf/tools.cmo src/rc.cmi intf/model.cmi \
    tools/dpConfig.cmi intf/colors.cmi intf/gConfig.cmi
intf/gConfig.cmx : intf/tools.cmx src/rc.cmx intf/model.cmx \
    tools/dpConfig.cmx intf/colors.cmx intf/gConfig.cmi
intf/hilight.cmo : intf/tags.cmo intf/colors.cmi
intf/hilight.cmx : intf/tags.cmx intf/colors.cmx
intf/model.cmo : src/util.cmi intf/tools.cmo src/options.cmi \
    src/logic_decl.cmi src/explain.cmi tools/dpConfig.cmi src/dispatcher.cmi \
    intf/model.cmi
intf/model.cmx : src/util.cmx intf/tools.cmx src/options.cmx \
    src/logic_decl.cmi src/explain.cmx tools/dpConfig.cmx src/dispatcher.cmx \
    intf/model.cmi
intf/navig.cmo : intf/navig.cmi
intf/navig.cmx : intf/navig.cmi
intf/pprinter.cmo : intf/whyhilight.cmo src/version.cmo src/vcg.cmi \
    intf/tools.cmo intf/tagsplit.cmo intf/tags.cmo src/options.cmi \
    src/misc.cmi src/logic.cmi src/loc.cmi src/ident.cmi intf/hilight.cmo \
    src/env.cmi intf/colors.cmi src/cc.cmi intf/astprinter.cmo \
    intf/astpprinter.cmo intf/astnprinter.cmo intf/pprinter.cmi
intf/pprinter.cmx : intf/whyhilight.cmx src/version.cmx src/vcg.cmx \
    intf/tools.cmx intf/tagsplit.cmx intf/tags.cmx src/options.cmx \
    src/misc.cmx src/logic.cmi src/loc.cmx src/ident.cmx intf/hilight.cmx \
    src/env.cmx intf/colors.cmx src/cc.cmi intf/astprinter.cmx \
    intf/astpprinter.cmx intf/astnprinter.cmx intf/pprinter.cmi
intf/preferences.cmo : intf/tools.cmo intf/colors.cmi
intf/preferences.cmx : intf/tools.cmx intf/colors.cmx
intf/stat.cmo : src/util.cmi intf/tools.cmo intf/tags.cmo src/report.cmi \
    intf/pprinter.cmi src/options.cmi intf/model.cmi src/main.cmo \
    src/logic_decl.cmi intf/gConfig.cmi src/explain.cmi src/env.cmi \
    tools/dpConfig.cmi src/dispatcher.cmi intf/colors.cmi tools/calldp.cmi \
    intf/cache.cmo src/ast.cmi
intf/stat.cmx : src/util.cmx intf/tools.cmx intf/tags.cmx src/report.cmx \
    intf/pprinter.cmx src/options.cmx intf/model.cmx src/main.cmx \
    src/logic_decl.cmi intf/gConfig.cmx src/explain.cmx src/env.cmx \
    tools/dpConfig.cmx src/dispatcher.cmx intf/colors.cmx tools/calldp.cmx \
    intf/cache.cmx src/ast.cmi
intf/tags.cmo : intf/colors.cmi
intf/tags.cmx : intf/colors.cmx
intf/tagsplit.cmo : intf/tags.cmo intf/colors.cmi
intf/tagsplit.cmx : intf/tags.cmx intf/colors.cmx
intf/tools.cmo : intf/tags.cmo src/options.cmi intf/colors.cmi
intf/tools.cmx : intf/tags.cmx src/options.cmx intf/colors.cmx
intf/viewer.cmo : src/util.cmi intf/tags.cmo src/report.cmi src/options.cmi \
    intf/navig.cmi src/main.cmo src/log.cmi src/loc.cmi intf/hilight.cmo \
    src/env.cmi src/ast.cmi
intf/viewer.cmx : src/util.cmx intf/tags.cmx src/report.cmx src/options.cmx \
    intf/navig.cmx src/main.cmx src/log.cmi src/loc.cmx intf/hilight.cmx \
    src/env.cmx src/ast.cmi
intf/whyhilight.cmo : intf/tags.cmo intf/colors.cmi
intf/whyhilight.cmx : intf/tags.cmx intf/colors.cmx
intf/colors.cmi :
intf/gConfig.cmi :
intf/model.cmi : src/options.cmi src/logic_decl.cmi src/loc.cmi src/env.cmi \
    tools/dpConfig.cmi src/cc.cmi
intf/navig.cmi :
intf/pprinter.cmi : intf/tags.cmo src/logic_decl.cmi src/logic.cmi \
    src/env.cmi src/cc.cmi
tools/calldp.cmi : tools/dpConfig.cmi
tools/cvcl_split.cmi :
tools/dpConfig.cmi :
tools/ergo_split.cmi :
tools/simplify_ast.cmi :
tools/simplify_parser.cmi : tools/simplify_ast.cmi
tools/simplify_split.cmi :
tools/toolstat_pars.cmi : tools/toolstat_types.cmi
tools/toolstat_types.cmi :
tools/zenon_split.cmi :
tools/cadlog.cmo : src/version.cmo c/cversion.cmo
tools/cadlog.cmx : src/version.cmx c/cversion.cmx
tools/calldp.cmo : src/lib.cmi tools/dpConfig.cmi tools/calldp.cmi
tools/calldp.cmx : src/lib.cmx tools/dpConfig.cmx tools/calldp.cmi
tools/cvcl_split.cmo : tools/cvcl_split.cmi
tools/cvcl_split.cmx : tools/cvcl_split.cmi
tools/dp.cmo : tools/zenon_split.cmi tools/smtlib_split.cmo \
    tools/simplify_split.cmi tools/rv_split.cmo src/lib.cmi \
    tools/ergo_split.cmi tools/dpConfig.cmi tools/cvcl_split.cmi \
    tools/calldp.cmi
tools/dp.cmx : tools/zenon_split.cmx tools/smtlib_split.cmx \
    tools/simplify_split.cmx tools/rv_split.cmx src/lib.cmx \
    tools/ergo_split.cmx tools/dpConfig.cmx tools/cvcl_split.cmx \
    tools/calldp.cmx
tools/dpConfig.cmo : src/rc.cmi tools/dpConfig.cmi
tools/dpConfig.cmx : src/rc.cmx tools/dpConfig.cmi
tools/ergo_split.cmo : tools/ergo_split.cmi
tools/ergo_split.cmx : tools/ergo_split.cmi
tools/make_float_model.cmo :
tools/make_float_model.cmx :
tools/obfuscator.cmo : src/types.cmi src/ptree.cmi src/print_real.cmo \
    src/pp.cmi src/logic.cmi src/loc.cmi src/lexer.cmi src/ident.cmi
tools/obfuscator.cmx : src/types.cmi src/ptree.cmi src/print_real.cmx \
    src/pp.cmx src/logic.cmi src/loc.cmx src/lexer.cmx src/ident.cmx
tools/regtest.cmo :
tools/regtest.cmx :
tools/rv_merge.cmo :
tools/rv_merge.cmx :
tools/rv_split.cmo : src/lib.cmi
tools/rv_split.cmx : src/lib.cmx
tools/simplify_lexer.cmo : tools/simplify_parser.cmi tools/simplify_ast.cmi
tools/simplify_lexer.cmx : tools/simplify_parser.cmx tools/simplify_ast.cmi
tools/simplify_parser.cmo : tools/simplify_ast.cmi tools/simplify_parser.cmi
tools/simplify_parser.cmx : tools/simplify_ast.cmi tools/simplify_parser.cmi
tools/simplify_split.cmo : src/lib.cmi tools/simplify_split.cmi
tools/simplify_split.cmx : src/lib.cmx tools/simplify_split.cmi
tools/simplify_towhy.cmo : tools/simplify_parser.cmi \
    tools/simplify_lexer.cmo tools/simplify_ast.cmi src/pp.cmi
tools/simplify_towhy.cmx : tools/simplify_parser.cmx \
    tools/simplify_lexer.cmx tools/simplify_ast.cmi src/pp.cmx
tools/smtlib_split.cmo :
tools/smtlib_split.cmx :
tools/toolstat.cmo : tools/toolstat_types.cmi tools/toolstat_lex.cmo \
    src/loc.cmi
tools/toolstat.cmx : tools/toolstat_types.cmi tools/toolstat_lex.cmx \
    src/loc.cmx
tools/toolstat_lex.cmo : tools/toolstat_pars.cmi src/pp.cmi src/loc.cmi
tools/toolstat_lex.cmx : tools/toolstat_pars.cmx src/pp.cmx src/loc.cmx
tools/toolstat_pars.cmo : tools/toolstat_types.cmi tools/toolstat_pars.cmi
tools/toolstat_pars.cmx : tools/toolstat_types.cmi tools/toolstat_pars.cmi
tools/why2html.cmo :
tools/why2html.cmx :
tools/whyConfig.cmo : tools/dpConfig.cmi
tools/whyConfig.cmx : tools/dpConfig.cmx
tools/whystat.cmo : src/ptree.cmi src/pp.cmi src/logic.cmi src/loc.cmi \
    src/lexer.cmi src/ident.cmi
tools/whystat.cmx : src/ptree.cmi src/pp.cmx src/logic.cmi src/loc.cmx \
    src/lexer.cmx src/ident.cmx
tools/zenon_split.cmo : src/lib.cmi tools/zenon_split.cmi
tools/zenon_split.cmx : src/lib.cmx tools/zenon_split.cmi
mix/mix_ast.cmi :
mix/mix_cfg.cmi :
mix/mix_parser.cmi : mix/mix_ast.cmi
mix/mix_cfg.cmo : mix/mix_cfg.cmi
mix/mix_cfg.cmx : mix/mix_cfg.cmi
mix/mix_interp.cmo : src/pp.cmi mix/mix_seq.cmo mix/mix_ast.cmi
mix/mix_interp.cmx : src/pp.cmx mix/mix_seq.cmx mix/mix_ast.cmi
mix/mix_lexer.cmo : mix/mix_parser.cmi mix/mix_ast.cmi
mix/mix_lexer.cmx : mix/mix_parser.cmx mix/mix_ast.cmi
mix/mix_main.cmo : src/pp.cmi mix/mix_seq.cmo mix/mix_parser.cmi \
    mix/mix_lexer.cmo mix/mix_interp.cmo mix/mix_ast.cmi
mix/mix_main.cmx : src/pp.cmx mix/mix_seq.cmx mix/mix_parser.cmx \
    mix/mix_lexer.cmx mix/mix_interp.cmx mix/mix_ast.cmi
mix/mix_parser.cmo : mix/mix_ast.cmi mix/mix_parser.cmi
mix/mix_parser.cmx : mix/mix_ast.cmi mix/mix_parser.cmi
mix/mix_seq.cmo : mix/mix_cfg.cmi mix/mix_ast.cmi
mix/mix_seq.cmx : mix/mix_cfg.cmx mix/mix_ast.cmi
mix/test.cmo :
mix/test.cmx :
ml/ml_constant.cmo : ml/ml_misc.cmo jc/jc_env.cmi jc/jc_ast.cmi
ml/ml_constant.cmx : ml/ml_misc.cmx jc/jc_env.cmi jc/jc_ast.cmi
ml/ml_env.cmo : ml/ml_misc.cmo jc/jc_pervasives.cmi jc/jc_fenv.cmo \
    jc/jc_env.cmi ml/ml_env.cmi
ml/ml_env.cmx : ml/ml_misc.cmx jc/jc_pervasives.cmx jc/jc_fenv.cmx \
    jc/jc_env.cmi ml/ml_env.cmi
ml/ml_interp.cmo : ml/ml_type.cmi ml/ml_pattern.cmi ml/ml_misc.cmo \
    ml/ml_env.cmi ml/ml_constant.cmo src/loc.cmi jc/jc_pervasives.cmi \
    jc/jc_output.cmo jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_ast.cmi
ml/ml_interp.cmx : ml/ml_type.cmx ml/ml_pattern.cmx ml/ml_misc.cmx \
    ml/ml_env.cmx ml/ml_constant.cmx src/loc.cmx jc/jc_pervasives.cmx \
    jc/jc_output.cmx jc/jc_fenv.cmx jc/jc_env.cmi jc/jc_ast.cmi
ml/ml_main.cmo : ml/ml_type.cmi ml/ml_pervasives.cmo ml/ml_options.cmi \
    ml/ml_misc.cmo ml/ml_interp.cmo jc/jc_output.cmo
ml/ml_main.cmx : ml/ml_type.cmx ml/ml_pervasives.cmx ml/ml_options.cmx \
    ml/ml_misc.cmx ml/ml_interp.cmx jc/jc_output.cmx
ml/ml_misc.cmo : src/loc.cmi jc/jc_region.cmo jc/jc_pervasives.cmi \
    jc/jc_output.cmo jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_ast.cmi
ml/ml_misc.cmx : src/loc.cmx jc/jc_region.cmx jc/jc_pervasives.cmx \
    jc/jc_output.cmx jc/jc_fenv.cmx jc/jc_env.cmi jc/jc_ast.cmi
ml/ml_options.cmo : ml/ml_options.cmi
ml/ml_options.cmx : ml/ml_options.cmi
ml/ml_pattern.cmo : ml/ml_type.cmi ml/ml_misc.cmo ml/ml_env.cmi \
    ml/ml_constant.cmo src/loc.cmi jc/jc_env.cmi jc/jc_ast.cmi \
    ml/ml_pattern.cmi
ml/ml_pattern.cmx : ml/ml_type.cmx ml/ml_misc.cmx ml/ml_env.cmx \
    ml/ml_constant.cmx src/loc.cmx jc/jc_env.cmi jc/jc_ast.cmi \
    ml/ml_pattern.cmi
ml/ml_pervasives.cmo : ml/ml_env.cmi src/env.cmi
ml/ml_pervasives.cmx : ml/ml_env.cmx src/env.cmx
ml/ml_type.cmo : ml/ml_misc.cmo jc/jc_output.cmo jc/jc_fenv.cmo \
    jc/jc_env.cmi jc/jc_ast.cmi ml/ml_type.cmi
ml/ml_type.cmx : ml/ml_misc.cmx jc/jc_output.cmx jc/jc_fenv.cmx \
    jc/jc_env.cmi jc/jc_ast.cmi ml/ml_type.cmi
ml/ml_env.cmi : jc/jc_fenv.cmo jc/jc_env.cmi
ml/ml_options.cmi :
ml/ml_pattern.cmi : ml/ml_env.cmi jc/jc_env.cmi jc/jc_ast.cmi
ml/ml_type.cmi : jc/jc_output.cmo jc/jc_fenv.cmo jc/jc_env.cmi jc/jc_ast.cmi
ml/parsing/lexer.cmo : ml/utils/warnings.cmi ml/parsing/parser.cmi \
    ml/utils/misc.cmi ml/parsing/location.cmi ml/parsing/lexer.cmi
ml/parsing/lexer.cmx : ml/utils/warnings.cmx ml/parsing/parser.cmx \
    ml/utils/misc.cmx ml/parsing/location.cmx ml/parsing/lexer.cmi
ml/parsing/linenum.cmo : ml/utils/misc.cmi ml/parsing/linenum.cmi
ml/parsing/linenum.cmx : ml/utils/misc.cmx ml/parsing/linenum.cmi
ml/parsing/location.cmo : ml/utils/warnings.cmi ml/utils/terminfo.cmi \
    ml/parsing/linenum.cmi ml/parsing/location.cmi
ml/parsing/location.cmx : ml/utils/warnings.cmx ml/utils/terminfo.cmx \
    ml/parsing/linenum.cmx ml/parsing/location.cmi
ml/parsing/longident.cmo : ml/utils/misc.cmi ml/parsing/longident.cmi
ml/parsing/longident.cmx : ml/utils/misc.cmx ml/parsing/longident.cmi
ml/parsing/parser.cmo : ml/parsing/syntaxerr.cmi ml/parsing/parsetree.cmi \
    ml/parsing/longident.cmi ml/parsing/location.cmi ml/parsing/asttypes.cmi \
    ml/parsing/parser.cmi
ml/parsing/parser.cmx : ml/parsing/syntaxerr.cmx ml/parsing/parsetree.cmi \
    ml/parsing/longident.cmx ml/parsing/location.cmx ml/parsing/asttypes.cmi \
    ml/parsing/parser.cmi
ml/parsing/syntaxerr.cmo : ml/parsing/location.cmi ml/parsing/syntaxerr.cmi
ml/parsing/syntaxerr.cmx : ml/parsing/location.cmx ml/parsing/syntaxerr.cmi
ml/parsing/asttypes.cmi :
ml/parsing/lexer.cmi : ml/parsing/parser.cmi ml/parsing/location.cmi
ml/parsing/linenum.cmi :
ml/parsing/location.cmi : ml/utils/warnings.cmi
ml/parsing/longident.cmi :
ml/parsing/parser.cmi : ml/parsing/parsetree.cmi
ml/parsing/parsetree.cmi : ml/parsing/longident.cmi ml/parsing/location.cmi \
    ml/parsing/asttypes.cmi
ml/parsing/syntaxerr.cmi : ml/parsing/location.cmi
ml/typing/btype.cmo : ml/typing/types.cmi ml/typing/path.cmi \
    ml/utils/misc.cmi ml/typing/btype.cmi
ml/typing/btype.cmx : ml/typing/types.cmx ml/typing/path.cmx \
    ml/utils/misc.cmx ml/typing/btype.cmi
ml/typing/ctype.cmo : ml/typing/types.cmi ml/typing/subst.cmi \
    ml/typing/path.cmi ml/utils/misc.cmi ml/parsing/longident.cmi \
    ml/typing/ident.cmi ml/typing/env.cmi ml/utils/clflags.cmi \
    ml/typing/btype.cmi ml/parsing/asttypes.cmi ml/typing/ctype.cmi
ml/typing/ctype.cmx : ml/typing/types.cmx ml/typing/subst.cmx \
    ml/typing/path.cmx ml/utils/misc.cmx ml/parsing/longident.cmx \
    ml/typing/ident.cmx ml/typing/env.cmx ml/utils/clflags.cmx \
    ml/typing/btype.cmx ml/parsing/asttypes.cmi ml/typing/ctype.cmi
ml/typing/datarepr.cmo : ml/typing/types.cmi ml/typing/predef.cmi \
    ml/typing/path.cmi ml/utils/misc.cmi ml/parsing/asttypes.cmi \
    ml/typing/datarepr.cmi
ml/typing/datarepr.cmx : ml/typing/types.cmx ml/typing/predef.cmx \
    ml/typing/path.cmx ml/utils/misc.cmx ml/parsing/asttypes.cmi \
    ml/typing/datarepr.cmi
ml/typing/env.cmo : ml/typing/types.cmi ml/utils/tbl.cmi ml/typing/subst.cmi \
    ml/typing/predef.cmi ml/typing/path.cmi ml/utils/misc.cmi \
    ml/parsing/longident.cmi ml/typing/ident.cmi ml/typing/datarepr.cmi \
    ml/utils/consistbl.cmi ml/utils/config.cmi ml/utils/clflags.cmi \
    ml/typing/btype.cmi ml/parsing/asttypes.cmi ml/typing/env.cmi
ml/typing/env.cmx : ml/typing/types.cmx ml/utils/tbl.cmx ml/typing/subst.cmx \
    ml/typing/predef.cmx ml/typing/path.cmx ml/utils/misc.cmx \
    ml/parsing/longident.cmx ml/typing/ident.cmx ml/typing/datarepr.cmx \
    ml/utils/consistbl.cmx ml/utils/config.cmx ml/utils/clflags.cmx \
    ml/typing/btype.cmx ml/parsing/asttypes.cmi ml/typing/env.cmi
ml/typing/ident.cmo : ml/typing/ident.cmi
ml/typing/ident.cmx : ml/typing/ident.cmi
ml/typing/includeclass.cmo : ml/typing/types.cmi ml/typing/printtyp.cmi \
    ml/typing/ctype.cmi ml/typing/includeclass.cmi
ml/typing/includeclass.cmx : ml/typing/types.cmx ml/typing/printtyp.cmx \
    ml/typing/ctype.cmx ml/typing/includeclass.cmi
ml/typing/includecore.cmo : ml/typing/types.cmi ml/typing/typedtree.cmi \
    ml/typing/predef.cmi ml/typing/path.cmi ml/utils/misc.cmi \
    ml/typing/ctype.cmi ml/typing/btype.cmi ml/parsing/asttypes.cmi \
    ml/typing/includecore.cmi
ml/typing/includecore.cmx : ml/typing/types.cmx ml/typing/typedtree.cmx \
    ml/typing/predef.cmx ml/typing/path.cmx ml/utils/misc.cmx \
    ml/typing/ctype.cmx ml/typing/btype.cmx ml/parsing/asttypes.cmi \
    ml/typing/includecore.cmi
ml/typing/includemod.cmo : ml/typing/types.cmi ml/typing/typedtree.cmi \
    ml/utils/tbl.cmi ml/typing/subst.cmi ml/typing/printtyp.cmi \
    ml/typing/path.cmi ml/typing/mtype.cmi ml/utils/misc.cmi \
    ml/typing/includecore.cmi ml/typing/includeclass.cmi ml/typing/ident.cmi \
    ml/typing/env.cmi ml/typing/ctype.cmi ml/typing/includemod.cmi
ml/typing/includemod.cmx : ml/typing/types.cmx ml/typing/typedtree.cmx \
    ml/utils/tbl.cmx ml/typing/subst.cmx ml/typing/printtyp.cmx \
    ml/typing/path.cmx ml/typing/mtype.cmx ml/utils/misc.cmx \
    ml/typing/includecore.cmx ml/typing/includeclass.cmx ml/typing/ident.cmx \
    ml/typing/env.cmx ml/typing/ctype.cmx ml/typing/includemod.cmi
ml/typing/mtype.cmo : ml/typing/types.cmi ml/typing/subst.cmi \
    ml/typing/path.cmi ml/typing/ident.cmi ml/typing/env.cmi \
    ml/typing/ctype.cmi ml/typing/btype.cmi ml/typing/mtype.cmi
ml/typing/mtype.cmx : ml/typing/types.cmx ml/typing/subst.cmx \
    ml/typing/path.cmx ml/typing/ident.cmx ml/typing/env.cmx \
    ml/typing/ctype.cmx ml/typing/btype.cmx ml/typing/mtype.cmi
ml/typing/oprint.cmo : ml/typing/outcometree2.cmi ml/parsing/asttypes.cmi \
    ml/typing/oprint.cmi
ml/typing/oprint.cmx : ml/typing/outcometree2.cmi ml/parsing/asttypes.cmi \
    ml/typing/oprint.cmi
ml/typing/parmatch.cmo : ml/utils/warnings.cmi ml/typing/types.cmi \
    ml/typing/typedtree.cmi ml/typing/predef.cmi ml/typing/path.cmi \
    ml/utils/misc.cmi ml/parsing/location.cmi ml/typing/ident.cmi \
    ml/typing/env.cmi ml/typing/datarepr.cmi ml/typing/ctype.cmi \
    ml/typing/btype.cmi ml/parsing/asttypes.cmi ml/typing/parmatch.cmi
ml/typing/parmatch.cmx : ml/utils/warnings.cmx ml/typing/types.cmx \
    ml/typing/typedtree.cmx ml/typing/predef.cmx ml/typing/path.cmx \
    ml/utils/misc.cmx ml/parsing/location.cmx ml/typing/ident.cmx \
    ml/typing/env.cmx ml/typing/datarepr.cmx ml/typing/ctype.cmx \
    ml/typing/btype.cmx ml/parsing/asttypes.cmi ml/typing/parmatch.cmi
ml/typing/path.cmo : ml/typing/ident.cmi ml/typing/path.cmi
ml/typing/path.cmx : ml/typing/ident.cmx ml/typing/path.cmi
ml/typing/predef.cmo : ml/typing/types.cmi ml/typing/path.cmi \
    ml/typing/ident.cmi ml/typing/btype.cmi ml/parsing/asttypes.cmi \
    ml/typing/predef.cmi
ml/typing/predef.cmx : ml/typing/types.cmx ml/typing/path.cmx \
    ml/typing/ident.cmx ml/typing/btype.cmx ml/parsing/asttypes.cmi \
    ml/typing/predef.cmi
ml/typing/primitive.cmo : ml/utils/misc.cmi ml/typing/primitive.cmi
ml/typing/primitive.cmx : ml/utils/misc.cmx ml/typing/primitive.cmi
ml/typing/printtyp.cmo : ml/typing/types.cmi ml/typing/primitive.cmi \
    ml/typing/predef.cmi ml/typing/path.cmi ml/typing/outcometree2.cmi \
    ml/typing/oprint.cmi ml/utils/misc.cmi ml/parsing/longident.cmi \
    ml/typing/ident.cmi ml/typing/env.cmi ml/typing/ctype.cmi \
    ml/utils/clflags.cmi ml/typing/btype.cmi ml/parsing/asttypes.cmi \
    ml/typing/printtyp.cmi
ml/typing/printtyp.cmx : ml/typing/types.cmx ml/typing/primitive.cmx \
    ml/typing/predef.cmx ml/typing/path.cmx ml/typing/outcometree2.cmi \
    ml/typing/oprint.cmx ml/utils/misc.cmx ml/parsing/longident.cmx \
    ml/typing/ident.cmx ml/typing/env.cmx ml/typing/ctype.cmx \
    ml/utils/clflags.cmx ml/typing/btype.cmx ml/parsing/asttypes.cmi \
    ml/typing/printtyp.cmi
ml/typing/stypes.cmo : ml/typing/typedtree.cmi ml/typing/printtyp.cmi \
    ml/parsing/location.cmi ml/utils/clflags.cmi ml/typing/stypes.cmi
ml/typing/stypes.cmx : ml/typing/typedtree.cmx ml/typing/printtyp.cmx \
    ml/parsing/location.cmx ml/utils/clflags.cmx ml/typing/stypes.cmi
ml/typing/subst.cmo : ml/typing/types.cmi ml/utils/tbl.cmi \
    ml/typing/path.cmi ml/utils/misc.cmi ml/typing/ident.cmi \
    ml/typing/btype.cmi ml/typing/subst.cmi
ml/typing/subst.cmx : ml/typing/types.cmx ml/utils/tbl.cmx \
    ml/typing/path.cmx ml/utils/misc.cmx ml/typing/ident.cmx \
    ml/typing/btype.cmx ml/typing/subst.cmi
ml/typing/typeclass.cmo : ml/utils/warnings.cmi ml/typing/typetexp.cmi \
    ml/typing/types.cmi ml/typing/typedtree.cmi ml/typing/typedecl.cmi \
    ml/typing/typecore.cmi ml/typing/subst.cmi ml/typing/stypes.cmi \
    ml/typing/printtyp.cmi ml/typing/predef.cmi ml/typing/path.cmi \
    ml/parsing/parsetree.cmi ml/typing/parmatch.cmi ml/utils/misc.cmi \
    ml/parsing/longident.cmi ml/parsing/location.cmi \
    ml/typing/includeclass.cmi ml/typing/ident.cmi ml/typing/env.cmi \
    ml/typing/ctype.cmi ml/utils/clflags.cmi ml/typing/btype.cmi \
    ml/parsing/asttypes.cmi ml/typing/typeclass.cmi
ml/typing/typeclass.cmx : ml/utils/warnings.cmx ml/typing/typetexp.cmx \
    ml/typing/types.cmx ml/typing/typedtree.cmx ml/typing/typedecl.cmx \
    ml/typing/typecore.cmx ml/typing/subst.cmx ml/typing/stypes.cmx \
    ml/typing/printtyp.cmx ml/typing/predef.cmx ml/typing/path.cmx \
    ml/parsing/parsetree.cmi ml/typing/parmatch.cmx ml/utils/misc.cmx \
    ml/parsing/longident.cmx ml/parsing/location.cmx \
    ml/typing/includeclass.cmx ml/typing/ident.cmx ml/typing/env.cmx \
    ml/typing/ctype.cmx ml/utils/clflags.cmx ml/typing/btype.cmx \
    ml/parsing/asttypes.cmi ml/typing/typeclass.cmi
ml/typing/typecore.cmo : ml/utils/warnings.cmi ml/typing/typetexp.cmi \
    ml/typing/types.cmi ml/typing/typedtree.cmi ml/typing/stypes.cmi \
    ml/typing/printtyp.cmi ml/typing/primitive.cmi ml/typing/predef.cmi \
    ml/typing/path.cmi ml/parsing/parsetree.cmi ml/typing/parmatch.cmi \
    ml/utils/misc.cmi ml/parsing/longident.cmi ml/parsing/location.cmi \
    ml/typing/ident.cmi ml/typing/env.cmi ml/typing/ctype.cmi \
    ml/utils/clflags.cmi ml/typing/btype.cmi ml/parsing/asttypes.cmi \
    ml/typing/typecore.cmi
ml/typing/typecore.cmx : ml/utils/warnings.cmx ml/typing/typetexp.cmx \
    ml/typing/types.cmx ml/typing/typedtree.cmx ml/typing/stypes.cmx \
    ml/typing/printtyp.cmx ml/typing/primitive.cmx ml/typing/predef.cmx \
    ml/typing/path.cmx ml/parsing/parsetree.cmi ml/typing/parmatch.cmx \
    ml/utils/misc.cmx ml/parsing/longident.cmx ml/parsing/location.cmx \
    ml/typing/ident.cmx ml/typing/env.cmx ml/typing/ctype.cmx \
    ml/utils/clflags.cmx ml/typing/btype.cmx ml/parsing/asttypes.cmi \
    ml/typing/typecore.cmi
ml/typing/typedecl.cmo : ml/typing/typetexp.cmi ml/typing/types.cmi \
    ml/typing/typedtree.cmi ml/typing/subst.cmi ml/typing/printtyp.cmi \
    ml/typing/primitive.cmi ml/typing/predef.cmi ml/typing/path.cmi \
    ml/parsing/parsetree.cmi ml/utils/misc.cmi ml/parsing/longident.cmi \
    ml/parsing/location.cmi ml/typing/includecore.cmi ml/typing/ident.cmi \
    ml/typing/env.cmi ml/typing/ctype.cmi ml/utils/config.cmi \
    ml/utils/clflags.cmi ml/typing/btype.cmi ml/parsing/asttypes.cmi \
    ml/typing/typedecl.cmi
ml/typing/typedecl.cmx : ml/typing/typetexp.cmx ml/typing/types.cmx \
    ml/typing/typedtree.cmx ml/typing/subst.cmx ml/typing/printtyp.cmx \
    ml/typing/primitive.cmx ml/typing/predef.cmx ml/typing/path.cmx \
    ml/parsing/parsetree.cmi ml/utils/misc.cmx ml/parsing/longident.cmx \
    ml/parsing/location.cmx ml/typing/includecore.cmx ml/typing/ident.cmx \
    ml/typing/env.cmx ml/typing/ctype.cmx ml/utils/config.cmx \
    ml/utils/clflags.cmx ml/typing/btype.cmx ml/parsing/asttypes.cmi \
    ml/typing/typedecl.cmi
ml/typing/typedtree.cmo : ml/typing/types.cmi ml/typing/primitive.cmi \
    ml/typing/path.cmi ml/utils/misc.cmi ml/parsing/location.cmi \
    ml/typing/ident.cmi ml/typing/env.cmi ml/parsing/asttypes.cmi \
    ml/typing/typedtree.cmi
ml/typing/typedtree.cmx : ml/typing/types.cmx ml/typing/primitive.cmx \
    ml/typing/path.cmx ml/utils/misc.cmx ml/parsing/location.cmx \
    ml/typing/ident.cmx ml/typing/env.cmx ml/parsing/asttypes.cmi \
    ml/typing/typedtree.cmi
ml/typing/typemod.cmo : ml/typing/typetexp.cmi ml/typing/types.cmi \
    ml/typing/typedtree.cmi ml/typing/typedecl.cmi ml/typing/typecore.cmi \
    ml/typing/typeclass.cmi ml/typing/subst.cmi ml/typing/stypes.cmi \
    ml/typing/printtyp.cmi ml/typing/path.cmi ml/parsing/parsetree.cmi \
    ml/typing/mtype.cmi ml/utils/misc.cmi ml/parsing/longident.cmi \
    ml/parsing/location.cmi ml/typing/includemod.cmi ml/typing/ident.cmi \
    ml/typing/env.cmi ml/typing/ctype.cmi ml/utils/config.cmi \
    ml/utils/clflags.cmi ml/typing/btype.cmi ml/parsing/asttypes.cmi \
    ml/typing/typemod.cmi
ml/typing/typemod.cmx : ml/typing/typetexp.cmx ml/typing/types.cmx \
    ml/typing/typedtree.cmx ml/typing/typedecl.cmx ml/typing/typecore.cmx \
    ml/typing/typeclass.cmx ml/typing/subst.cmx ml/typing/stypes.cmx \
    ml/typing/printtyp.cmx ml/typing/path.cmx ml/parsing/parsetree.cmi \
    ml/typing/mtype.cmx ml/utils/misc.cmx ml/parsing/longident.cmx \
    ml/parsing/location.cmx ml/typing/includemod.cmx ml/typing/ident.cmx \
    ml/typing/env.cmx ml/typing/ctype.cmx ml/utils/config.cmx \
    ml/utils/clflags.cmx ml/typing/btype.cmx ml/parsing/asttypes.cmi \
    ml/typing/typemod.cmi
ml/typing/types.cmo : ml/typing/primitive.cmi ml/typing/path.cmi \
    ml/utils/misc.cmi ml/typing/ident.cmi ml/parsing/asttypes.cmi \
    ml/typing/types.cmi
ml/typing/types.cmx : ml/typing/primitive.cmx ml/typing/path.cmx \
    ml/utils/misc.cmx ml/typing/ident.cmx ml/parsing/asttypes.cmi \
    ml/typing/types.cmi
ml/typing/typetexp.cmo : ml/utils/warnings.cmi ml/typing/types.cmi \
    ml/utils/tbl.cmi ml/typing/printtyp.cmi ml/typing/path.cmi \
    ml/parsing/parsetree.cmi ml/utils/misc.cmi ml/parsing/longident.cmi \
    ml/parsing/location.cmi ml/typing/env.cmi ml/typing/ctype.cmi \
    ml/utils/clflags.cmi ml/typing/btype.cmi ml/typing/typetexp.cmi
ml/typing/typetexp.cmx : ml/utils/warnings.cmx ml/typing/types.cmx \
    ml/utils/tbl.cmx ml/typing/printtyp.cmx ml/typing/path.cmx \
    ml/parsing/parsetree.cmi ml/utils/misc.cmx ml/parsing/longident.cmx \
    ml/parsing/location.cmx ml/typing/env.cmx ml/typing/ctype.cmx \
    ml/utils/clflags.cmx ml/typing/btype.cmx ml/typing/typetexp.cmi
ml/typing/unused_var.cmo : ml/utils/warnings.cmi ml/parsing/parsetree.cmi \
    ml/parsing/longident.cmi ml/parsing/location.cmi ml/parsing/asttypes.cmi \
    ml/typing/unused_var.cmi
ml/typing/unused_var.cmx : ml/utils/warnings.cmx ml/parsing/parsetree.cmi \
    ml/parsing/longident.cmx ml/parsing/location.cmx ml/parsing/asttypes.cmi \
    ml/typing/unused_var.cmi
ml/typing/btype.cmi : ml/typing/types.cmi ml/typing/path.cmi \
    ml/parsing/asttypes.cmi
ml/typing/ctype.cmi : ml/typing/types.cmi ml/typing/path.cmi \
    ml/typing/ident.cmi ml/typing/env.cmi ml/parsing/asttypes.cmi
ml/typing/datarepr.cmi : ml/typing/types.cmi ml/typing/path.cmi \
    ml/parsing/asttypes.cmi
ml/typing/env.cmi : ml/typing/types.cmi ml/typing/path.cmi \
    ml/parsing/longident.cmi ml/typing/ident.cmi ml/utils/consistbl.cmi
ml/typing/ident.cmi :
ml/typing/includeclass.cmi : ml/typing/types.cmi ml/typing/typedtree.cmi \
    ml/typing/env.cmi ml/typing/ctype.cmi
ml/typing/includecore.cmi : ml/typing/types.cmi ml/typing/typedtree.cmi \
    ml/typing/ident.cmi ml/typing/env.cmi
ml/typing/includemod.cmi : ml/typing/types.cmi ml/typing/typedtree.cmi \
    ml/typing/path.cmi ml/typing/ident.cmi ml/typing/env.cmi \
    ml/typing/ctype.cmi
ml/typing/mtype.cmi : ml/typing/types.cmi ml/typing/path.cmi \
    ml/typing/ident.cmi ml/typing/env.cmi
ml/typing/oprint.cmi : ml/typing/outcometree2.cmi
ml/typing/outcometree2.cmi : ml/parsing/asttypes.cmi
ml/typing/parmatch.cmi : ml/typing/types.cmi ml/typing/typedtree.cmi \
    ml/parsing/location.cmi ml/typing/env.cmi
ml/typing/path.cmi : ml/typing/ident.cmi
ml/typing/predef.cmi : ml/typing/types.cmi ml/typing/path.cmi \
    ml/typing/ident.cmi
ml/typing/primitive.cmi :
ml/typing/printtyp.cmi : ml/typing/types.cmi ml/typing/path.cmi \
    ml/typing/outcometree2.cmi ml/parsing/longident.cmi ml/typing/ident.cmi
ml/typing/stypes.cmi : ml/typing/typedtree.cmi ml/parsing/location.cmi
ml/typing/subst.cmi : ml/typing/types.cmi ml/typing/path.cmi \
    ml/typing/ident.cmi
ml/typing/typeclass.cmi : ml/typing/types.cmi ml/typing/typedtree.cmi \
    ml/parsing/parsetree.cmi ml/parsing/longident.cmi ml/parsing/location.cmi \
    ml/typing/ident.cmi ml/typing/env.cmi ml/typing/ctype.cmi \
    ml/parsing/asttypes.cmi
ml/typing/typecore.cmi : ml/typing/types.cmi ml/typing/typedtree.cmi \
    ml/typing/path.cmi ml/parsing/parsetree.cmi ml/parsing/longident.cmi \
    ml/parsing/location.cmi ml/typing/ident.cmi ml/typing/env.cmi \
    ml/parsing/asttypes.cmi
ml/typing/typedecl.cmi : ml/typing/types.cmi ml/typing/path.cmi \
    ml/parsing/parsetree.cmi ml/parsing/longident.cmi ml/parsing/location.cmi \
    ml/typing/ident.cmi ml/typing/env.cmi
ml/typing/typedtree.cmi : ml/typing/types.cmi ml/typing/primitive.cmi \
    ml/typing/path.cmi ml/parsing/location.cmi ml/typing/ident.cmi \
    ml/typing/env.cmi ml/parsing/asttypes.cmi
ml/typing/typemod.cmi : ml/typing/types.cmi ml/typing/typedtree.cmi \
    ml/parsing/parsetree.cmi ml/parsing/longident.cmi ml/parsing/location.cmi \
    ml/typing/includemod.cmi ml/typing/ident.cmi ml/typing/env.cmi
ml/typing/types.cmi : ml/typing/primitive.cmi ml/typing/path.cmi \
    ml/typing/ident.cmi ml/parsing/asttypes.cmi
ml/typing/typetexp.cmi : ml/typing/types.cmi ml/typing/path.cmi \
    ml/parsing/parsetree.cmi ml/parsing/longident.cmi ml/parsing/location.cmi \
    ml/typing/env.cmi
ml/typing/unused_var.cmi : ml/parsing/parsetree.cmi
ml/utils/clflags.cmo : ml/utils/config.cmi ml/utils/clflags.cmi
ml/utils/clflags.cmx : ml/utils/config.cmx ml/utils/clflags.cmi
ml/utils/config.cmo : ml/utils/config.cmi
ml/utils/config.cmx : ml/utils/config.cmi
ml/utils/consistbl.cmo : ml/utils/consistbl.cmi
ml/utils/consistbl.cmx : ml/utils/consistbl.cmi
ml/utils/misc.cmo : ml/utils/misc.cmi
ml/utils/misc.cmx : ml/utils/misc.cmi
ml/utils/tbl.cmo : ml/utils/tbl.cmi
ml/utils/tbl.cmx : ml/utils/tbl.cmi
ml/utils/terminfo.cmo : ml/utils/terminfo.cmi
ml/utils/terminfo.cmx : ml/utils/terminfo.cmi
ml/utils/warnings.cmo : ml/utils/warnings.cmi
ml/utils/warnings.cmx : ml/utils/warnings.cmi
ml/utils/clflags.cmi :
ml/utils/config.cmi :
ml/utils/consistbl.cmi :
ml/utils/misc.cmi :
ml/utils/tbl.cmi :
ml/utils/terminfo.cmi :
ml/utils/warnings.cmi :
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/����������������������������������������������������������������������������������������0000755�0001750�0001750�00000000000�12311670312�011211� 5����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_frame.ml�����������������������������������������������������������������������������0000644�0001750�0001750�00000277143�12311670312�013327� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_name
open Jc_constructors
open Jc_pervasives
open Jc_separation
open Jc_struct_tools
open Jc_effect
open Jc_interp_misc
open Jc_invariants
open Jc_pattern

open Output
open Format
open Pp

open Jc_interp

open Jc_frame_notin

(*****)

let test_correct_logic f =
  if List.length f.jc_logic_info_labels <> 1 then
    failwith "Separation predicate generation :
 Logic must have only one label"
  else
    MemoryMap.iter
      (fun (mc,_distr) _labs -> 
        match mc with 
          | JCmem_field _ -> ()
          | _ -> failwith "Separation predicate generation :
 Only simple memory model"         
      )
      f.jc_logic_info_effects.jc_effect_memories

let test_correct = function
  | `Logic (f,_,_) -> test_correct_logic f      
  | `Pointer _g -> ()

let if_in_restr restr e = 
  match restr with [] -> true | _ ->
    match e with
      | JCmem_field field -> List.mem field.jc_field_info_name restr
      | _ ->  assert false (* checked by test_correct *)

let inter_memory (m1,restr1) (m2,restr2) = 
  let m1 = m1.jc_logic_info_effects.jc_effect_memories in
  let m2 = m2.jc_logic_info_effects.jc_effect_memories in
  (*let log int m restr =
  Jc_options.lprintf "@[inter_memory %i:@[@.m : %a@.restr : %a@]@]"
    int
    (print_list semi (print_pair Jc_output_misc.memory_class nothing))
       (MemoryMap.keys m)
    (print_list semi string) restr;assert false in
  log 1 m1 restr1;
  log 2 m2 restr2;*)
  let filter m restr = 
    MemoryMap.filter (fun (e,_) _ -> if_in_restr restr e) m in
  let m1 = filter m1 restr1 in
  let m2 = filter m2 restr2 in
  MemoryMap.inter_merge_option 
    (fun lab1 lab2 ->
       (* These sets should have only one element has their 
          functions have only one label (see test_correct) *)
       let l1 = LogicLabelSet.choose lab1 in
       let l2 = LogicLabelSet.choose lab2 in
       Some (l1,l2)
    )
    m1 m2
(*  MemoryMap.fold
    (fun a _ acc ->
       if MemoryMap.mem a m2 
       then MemorySet.add a acc
       else acc) 
    m1 MemorySet.empty*)

let is_same_field (mc,region) var =
  let b1 = InternalRegion.equal region var.jc_var_info_region in
  let b2 = match mc with
    | JCmem_field field -> 
        Jc_typing.comparable_types field.jc_field_info_type
          var.jc_var_info_type
    | _ -> false in
  b1 && b2
  
let is_same_field_2var var1 var2 =
  InternalRegion.equal var1.jc_var_info_region var2.jc_var_info_region
  && var1.jc_var_info_type = var2.jc_var_info_type

let separation_between queue kind acc a b =
  match a,b with
    | `Logic (finfo,frestr,fparams), `Logic (ginfo,grestr,gparams) -> 
        let f = (finfo,fparams) and g = (ginfo,gparams) in
        let mems = inter_memory (finfo,frestr) (ginfo,grestr) in
        MemoryMap.fold
          (fun mem (labf,labg) acc ->
             let memlf = NotIn.from_memory false (mem,labf) in
             let memlg = NotIn.from_memory false (mem,labg) in
             let disj acc = 
               Queue.add (finfo,(`Disj ,memlf)) queue;
               Queue.add (ginfo,(`Disj ,memlg)) queue;
               (`Disj ((g,memlg),(f,memlf)))::acc in
             match kind with
               | `Sep -> disj acc
               | `Inc -> assert false (* Not Done anymore *)
               | `Cni -> assert false (* Not Done anymore *)
          )
          mems acc
    | (`Logic (finfo,frestr,fparams), `Pointer pa) 
    | (`Pointer pa, `Logic (finfo,frestr,fparams)) ->
        let f = (finfo,fparams) in
        MemoryMap.fold
          (fun mem lab acc ->
             let lab = LogicLabelSet.choose lab in
             if is_same_field mem pa && if_in_restr frestr (fst mem)
             then 
               let meml = NotIn.from_memory false (mem,lab) in
               let inn acc = 
                 Queue.add (finfo,(`In, meml))  queue;
                 (`In(pa,f,meml))::acc in
               match kind, a with
                 | `Sep, _ -> inn acc
                 | `Inc, `Logic _ -> assert false (* Not Done anymore *)
                 | `Inc, `Pointer _ -> assert false (* Not Done anymore *)
                 | `Cni, `Logic _ -> assert false (* Not Done anymore *)
                 | `Cni, `Pointer _ -> assert false (* Not Done anymore *)
             else acc)
          finfo.jc_logic_info_effects.jc_effect_memories acc
    | `Pointer a, `Pointer b ->
        if is_same_field_2var a b 
        then`Diff (a,b)::acc
        else acc

let rec fold_exp f acc l = 
  let f = fun a acc b -> f acc a b in
  let rec aux acc = function
    | [] -> acc
    | a::l -> aux (List.fold_left (f a) acc l) l in
  aux acc l

let make_args ?(uniquify_usual=false) ?parameters f = 
  (* From tr_logic_fun_aux *)
  let lab = 
    match f.jc_logic_info_labels with [lab] -> lab | _ -> LabelHere
  in
  let params =
    match parameters with
      | None -> f.jc_logic_info_parameters 
      | Some params -> params in 
  let params = List.map (tparam ~label_in_name:true lab) params in  
  let params = 
    if uniquify_usual 
    then List.map (fun (n,v,ty) -> (n^"_JC"^(id_uniq ()),v,ty)) params
    else params in
  let model_params = 
    tmodel_parameters ~label_in_name:true f.jc_logic_info_effects 
  in
  let params = params @ model_params in
  let params = List.map (fun (n,_v,ty') -> (n,ty')) params in
  params
(*
let ft_name mem f = 
  let mem_name = memory_name mem in
  f.jc_logic_info_final_name^mem_name^ft_suffix

let ftpt_name mem f = 
  let mem_name = (memory_name mem)^"_elt" in  
  f.jc_logic_info_final_name^mem_name^ft_suffix

let notin_name mem f = 
  let mem_name = memory_name mem in  
  f.jc_logic_info_final_name^mem_name^notin_suffix
*)

let in_name2 mem f = 
  let mem_name = memory_name mem in  
  f.jc_logic_info_final_name^mem_name^in_suffix


let mk_tvar a = new term a.jc_var_info_type (JCTvar a)

let frame_between_name = "frame_between"

let frame_between ftin notin labels =
  let pid = make_pred frame_between_name in
  pid.jc_logic_info_final_name <- frame_between_name; (* ugly *)
  let var = Jc_pervasives.var (NotIn.jc_ty notin) "a" in
  pid.jc_logic_info_parameters <- [var];
  let ef = {empty_effects with jc_effect_memories =
      MemoryMap.add notin.NotIn.mem 
        (LogicLabelSet.of_list labels) MemoryMap.empty} in
  pid.jc_logic_info_effects <- ef;
  pid.jc_logic_info_labels <- labels;
  let app = { jc_app_fun = pid;
              jc_app_args = [ftin];
              jc_app_region_assoc = [];
              jc_app_label_assoc = List.combine labels labels} in
  new assertion (JCAapp app)


let compute_predicate_framed () =
  let aux tag (pi, info,params1,params2,kind) =
      test_correct_logic info;
      let params1 = List.map mk_tvar params1 in
      let params2 = List.map mk_tvar params2 in
      let label1,label2 = match pi.jc_logic_info_labels with
        | [label1;label2] -> label1,label2
        | _ -> assert false in
      let mems = info.jc_logic_info_effects.jc_effect_memories in
      let apps = Jc_region.MemoryMap.fold
        (fun mem labs acc -> 
          let lab = Jc_envset.LogicLabelSet.choose labs in
          let notin = NotIn.from_memory false (mem,lab) in
          let app = app_in_logic info params1 label1 notin in
          let app2 = app_in_logic info params2 label2 notin in
          let app2 = MyBag.make_jc_sub [app2;app] in
          match kind with
            | `Frame ->
              let app1 = frame_between app notin pi.jc_logic_info_labels in
              app2::app1::acc
            | `Sub   -> app2::acc
        ) mems [] in
      let ass = new assertion (JCAand apps) in
      IntHashtblIter.replace Jc_typing.logic_functions_table tag
        (pi,JCAssertion ass) in
  Hashtbl.iter aux Jc_typing.pragma_gen_frame

let user_predicate_code queue id kind pred =
  let (logic,_) = IntHashtblIter.find Jc_typing.logic_functions_table id in
  Jc_options.lprintf "Generate code of %s with %i params@." 
    logic.jc_logic_info_name (List.length pred);
  let code = fold_exp (separation_between queue kind) [] pred in
  let lab = match logic.jc_logic_info_labels with 
      [lab] -> lab | _ -> LabelHere in
  let trad_code = function
    | `Diff (a,b) -> 
      new assertion (JCArelation (mk_tvar a,(`Bneq,`Pointer),mk_tvar b))
    | `In (a,(f,fparams),mem) -> 
        let params = List.map mk_tvar fparams in
        (*(make_args ~parameters:fparams f)*)
        let app = app_in_logic f params lab mem in
        let app = MyBag.make_jc_in [mk_tvar a;app] in
        new assertion (JCAnot app)
    | `Disj (((f,fparams),memf),((g,gparams),memg)) -> 
      let fparams = List.map mk_tvar fparams in
      let gparams = List.map mk_tvar gparams in
        (*(make_args ~parameters:fparams f)*)
      let fapp = app_in_logic f fparams lab memf in
      let gapp = app_in_logic g gparams lab memg in
      MyBag.make_jc_disj [fapp;gapp] in
  let code = List.map trad_code code in
  let code = new assertion (JCAand code) in
  IntHashtblIter.replace
    Jc_typing.logic_functions_table id (logic,JCAssertion code)

let pragma_gen_sep = Jc_typing.pragma_gen_sep

let predicates_to_generate = Hashtbl.create 10

let compute_needed_predicates () = 
  let queue = Queue.create () in
  Hashtbl.iter (fun key (kind,preds) -> 
    user_predicate_code queue key kind preds)
    pragma_gen_sep;
  (* use the call graph to add the others needed definitions*)
  while not (Queue.is_empty queue) do
    let (f,((_,mem) as e)) = Queue.pop queue in
    let tag = f.jc_logic_info_tag in
    let l = Hashtbl.find_all predicates_to_generate tag in
    if not (List.mem e l) 
    then 
      begin 
        if MemoryMap.mem mem.NotIn.mem
          f.jc_logic_info_effects.jc_effect_memories
        then
          begin
            begin
              match e with
                | `In, mem -> ignore (get_in_logic f mem)
                | `Disj, _ -> ()
            end;
            Hashtbl.add predicates_to_generate tag e;
            (* The user predicate has a particular traitement *)
            if not (Hashtbl.mem pragma_gen_sep f.jc_logic_info_tag) then
              List.iter (fun called -> Queue.add (called,e) queue)
                f.jc_logic_info_calls
          end
      end;
  done;
  compute_predicate_framed ()
                        
(*****)


(*****************************************************************************)
(*                              Logic functions                              *)
(*****************************************************************************)

(* let tr_logic_const vi init acc = *)
(*   let decl = *)
(*     Logic (false, vi.jc_var_info_final_name, [], 
       tr_base_type vi.jc_var_info_type) :: acc *)
(*   in *)
(*     match init with *)
(*       | None -> decl *)
(*       | Some(t,ty) -> *)
(*           let t' = term ~type_safe ~global_assertion:true ~relocate:false
             LabelHere LabelHere t in *)
(*           let vi_ty = vi.jc_var_info_type in *)
(*           let t_ty = t#typ in *)
(*           (\* eprintf "logic const: max type = %a@." print_type ty; *\) *)
(*           let pred = *)
(*             LPred ( *)
(*               "eq", *)
(*               [term_coerce Loc.dummy_position ty vi_ty t 
                 (LVar vi.jc_var_info_name);  *)
(*                term_coerce t#pos ty t_ty t t']) *)
(*           in *)
(*         let ax = *)
(*           Axiom( *)
(*             vi.jc_var_info_final_name ^ "_value_axiom", *)
(*             bind_pattern_lets pred *)
(*           ) *)
(*         in *)
(*         ax::decl *)

let fun_def f ta fa ft term_coerce params = 
  (* Function definition *)
    match f.jc_logic_info_result_type, ta with
      | None, JCAssertion a -> (* Predicate *)
          let body = fa a in
          [Predicate(false, id_no_loc f.jc_logic_info_final_name, 
		     params, body)]
      | Some ty, JCTerm t -> (* Function *)
          let ty' = tr_base_type ty in
          let t' = ft t in
	  let t' = term_coerce t#pos ty t#typ t t' in
          if List.mem f f.jc_logic_info_calls then
            let logic = Logic(false, id_no_loc f.jc_logic_info_final_name, 
			      params, ty') 
            in 
            let fstparams = List.map (fun (s,_) -> LVar s) params in
            let app = (LApp(f.jc_logic_info_final_name,fstparams)) in
            let axiom =
              Goal(KAxiom,id_no_loc (jc_axiom^f.jc_logic_info_final_name),
                    make_forall_list params [[LPatT app]]
                      (make_eq app t')) in
            [logic;axiom]
          else
            [Function(false, id_no_loc f.jc_logic_info_final_name, 
		      params, ty', t')]
      | ty_opt, (JCNone | JCReads _) -> (* Logic *)
          let ty' = match ty_opt with
	    | None -> simple_logic_type prop_type
	    | Some ty -> tr_base_type ty
          in
          [Logic(false, id_no_loc f.jc_logic_info_final_name, 
		 params, ty')]
      | None, JCInductive l  ->
	  [Inductive(false, id_no_loc f.jc_logic_info_final_name, 
		     params,  
		    List.map 
		      (fun (id,_labels,a) ->
			 let ef = Jc_effect.assertion empty_effects a in
			 let a' = fa a in
			 let params = 
			   tmodel_parameters ~label_in_name:true ef 
			 in
			 let a' = 
			   List.fold_right 
			     (fun (n,_v,ty') a' -> LForall(n,ty',[],a')) 
                             params a' 
			 in 
			 (get_unique_name id#name, a')) l)]
      | Some _, JCInductive _ -> assert false
      | None, JCTerm _ -> assert false 
      | Some _, JCAssertion _ -> assert false

let gen_no_update_axioms f ta _fa _ft _term_coerce params acc =
    match ta with 
      |	JCAssertion _ | JCTerm _ | JCInductive _ -> acc 
      | JCNone -> acc 
      | JCReads pset ->
    let memory_params_reads = 
      tmemory_detailed_params ~label_in_name:true f.jc_logic_info_effects
    in
    let params_names = List.map fst params in
    let normal_params = List.map (fun name -> LVar name) params_names in
    snd (List.fold_left
      (fun (count,acc) param ->
	 let paramty = snd param in
         (* Pourquoi parcourir params et tester au lieu de parcourir
            params_memory*)
	 if not (is_memory_type paramty) then count,acc else
	   let (mc,r),_ = (* Recover which memory it is exactly *)
	     List.find (fun ((_mc,_r),(n,_v,_ty')) -> n = fst param) 
	       memory_params_reads
	   in
	   let zonety,basety = deconstruct_memory_type_args paramty in
	   let pset = 
	     reads ~type_safe:false ~global_assertion:true pset (mc,r) 
	   in
	   let sepa = LNot(LPred("in_pset",[LVar "tmp";pset])) in
	   let update_params = 
             List.map (fun name ->
			 if name = fst param then
			   LApp("store",[LVar name;LVar "tmp";LVar "tmpval"])
			 else LVar name
		      ) params_names
	   in
	   let a = 
             match f.jc_logic_info_result_type with
	       | None ->
		   LImpl(
                     sepa,
                     LIff(
		       LPred(f.jc_logic_info_final_name,normal_params),
		       LPred(f.jc_logic_info_final_name,update_params)))
	       | Some _rety ->
		   LImpl(
                     sepa,
                     LPred("eq",[
			     LApp(f.jc_logic_info_final_name,normal_params);
			     LApp(f.jc_logic_info_final_name,update_params)]))
	   in
	   let a = 
             List.fold_left (fun a (name,ty) -> LForall(name,ty,[],a)) a params
	   in
	   let a = 
             LForall(
	       "tmp",raw_pointer_type zonety,[],
	       LForall(
		 "tmpval",basety,[],
		 a))
	   in
	   let name = 
	     "no_update_" ^ f.jc_logic_info_name ^ "_" ^ string_of_int count
	   in
	   count + 1, Goal(KAxiom,id_no_loc name,a) :: acc
      ) (0,acc) params)

let gen_no_assign_axioms f ta _fa _ft _term_coerce params acc =
(* TODO: when JCNone, use computed effects instead *)
    match ta with 
      | JCAssertion _ | JCTerm _ | JCInductive _ -> acc 
      | JCNone -> acc 
      | JCReads pset ->
    let memory_params_reads = 
      tmemory_detailed_params ~label_in_name:true f.jc_logic_info_effects
    in
    let params_names = List.map fst params in
    let normal_params = List.map (fun name -> LVar name) params_names in
    snd (List.fold_left
      (fun (count,acc) param ->
	 let paramty = snd param in
	 if not (is_memory_type paramty) then count,acc else
	   let (mc,r),_ = (* Recover which memory it is exactly *)
	     List.find (fun ((_mc,_r),(n,_v,_ty')) -> n = fst param) 
	       memory_params_reads
	   in
	   let zonety,_basety = deconstruct_memory_type_args paramty in
	   let pset = 
	     reads ~type_safe:false ~global_assertion:true pset (mc,r) 
	   in
	   let sepa = LPred("pset_disjoint",[LVar "tmp";pset]) in
	   let upda = 
	     LPred("not_assigns",[LVar "tmpalloc"; LVar (fst param);
				  LVar "tmpmem"; LVar "tmp"])
	   in
	   let update_params = 
             List.map (fun name ->
			 if name = fst param then LVar "tmpmem"
			 else LVar name
		      ) params_names
	   in
	   let a = 
             match f.jc_logic_info_result_type with
	       | None ->
		   LImpl(
                     make_and sepa upda,
                     LIff(
		       LPred(f.jc_logic_info_final_name,normal_params),
		       LPred(f.jc_logic_info_final_name,update_params)))
	       | Some _rety ->
		   LImpl(
                     make_and sepa upda,
                     LPred("eq",[
			     LApp(f.jc_logic_info_final_name,normal_params);
			     LApp(f.jc_logic_info_final_name,update_params)]))
	   in
	   let a = 
             List.fold_left (fun a (name,ty) -> LForall(name,ty,[],a)) a params
	   in
	   let a = 
             LForall(
	       "tmp",raw_pset_type zonety,[],
               LForall(
		 "tmpmem",paramty,[],
		 LForall(
		   "tmpalloc",raw_alloc_table_type zonety,[],
		 a)))
	   in
	   let name = 
	     "no_assign_" ^ f.jc_logic_info_name ^ "_" ^ string_of_int count
	   in
	   count + 1, Goal(KAxiom,id_no_loc name,a) :: acc
      ) (0,acc) params) (* memory_param_reads ? *)

let gen_alloc_extend_axioms f ta _fa _ft _term_coerce params acc = 
(* TODO: use computed effects instead*)
    match ta with 
      | JCAssertion _ | JCTerm _ | JCInductive _ -> acc 
      | JCNone -> acc
      | JCReads ps ->
    let alloc_params_reads = 
      talloc_table_params ~label_in_name:true f.jc_logic_info_effects
    in
    let params_names = List.map fst params in
    let normal_params = List.map (fun name -> LVar name) params_names in
    snd (List.fold_left
      (fun (count,acc) (n,_v,paramty) ->
	 assert (is_alloc_table_type paramty);
	 let exta = 
	   LPred("alloc_extends",[LVar n; LVar "tmpalloc"])
	 in
	 let ps = 
	   List.map 
	     (collect_pset_locations ~type_safe:false ~global_assertion:true) 
             ps
	 in
	 let ps = location_list' ps in
	 let valida =
	   LPred("valid_pset",[LVar n; ps])
	 in
	 let update_params = 
           List.map (fun name ->
		       if name = n then LVar "tmpalloc"
		       else LVar name
		    ) params_names
	 in
	 let a = 
           match f.jc_logic_info_result_type with
	     | None ->
		 LImpl(
                   make_and exta valida,
                   LIff(
		     LPred(f.jc_logic_info_final_name,normal_params),
		     LPred(f.jc_logic_info_final_name,update_params)))
	     | Some _rety ->
		 LImpl(
                   make_and exta valida,
                   LPred("eq",[
			   LApp(f.jc_logic_info_final_name,normal_params);
			   LApp(f.jc_logic_info_final_name,update_params)]))
	 in
	 let a = 
           List.fold_left (fun a (name,ty) -> LForall(name,ty,[],a)) a params
	 in
	 let a = 
	   LForall(
	     "tmpalloc",paramty,[],
	     a)
	 in
	 let name = 
	   "alloc_extend_" ^ f.jc_logic_info_name ^ "_" ^ string_of_int count
	 in
	 count + 1, Goal(KAxiom,id_no_loc name,a) :: acc
      ) (0,acc) alloc_params_reads)

let reduce f = function
  | [] -> assert false
  | a::l -> List.fold_left f a l

let (|>) x y = y x

let select_name = "select"

let push_not e = 
  let rec pos = function
    | LTrue| LFalse as f -> f
    | LAnd(a,b) -> LAnd(pos a,pos b)
    | LOr(a,b) -> LOr(pos a,pos b)
    | LNot a -> neg a
    | LImpl _ | LIff _ | LIf _  | LLet _ as e -> trad pos e
    | LForall (s,ty,tll,a) -> LForall(s,ty,tll,pos a)
    | LExists (s,ty,tll,a) -> LExists(s,ty,tll,pos a)
    | LPred _ as a -> a
    | LNamed (s,a) -> LNamed(s,pos a)
  and neg = function
    | LTrue -> LFalse
    | LFalse -> LTrue
    | LAnd(a,b) -> LOr(neg a,neg b)
    | LOr(a,b) -> LAnd(neg a,neg b)
    | LNot a -> pos a
    | LImpl _ | LIff _ | LIf _  | LLet _ as e -> trad neg e
    | LForall (s,ty,tll,a) -> LExists(s,ty,tll,neg a)
    | LExists (s,ty,tll,a) -> LForall(s,ty,tll,neg a)
    | LPred _ as a -> LNot a
    | LNamed (s,a) -> LNamed(s,neg a) 
  and trad f = function
    | LImpl(a,b) -> f (LOr(LNot a,b))
    | LIff(a,b) -> trad f (LAnd (LImpl(a,b),LImpl(b,a)))
    | LIf(_t,_a,_b) -> assert false (* How to trad this? t is a term *)
    | LLet _ -> assert false (* More difficult *)
    | LTrue | LFalse |LAnd _ |LOr _ | LNot _ 
    | LForall _ | LExists _ | LPred _ | LNamed _ -> assert false in
  pos e

(*module Def_ft_pred : 
sig  val def_ft_pred : for_one:bool -> 'a ->
       NotIn.t -> 
       Output.why_decl list -> Output.why_decl list -> Output.why_decl list
     val ft_name : NotIn.t -> string -> string
     val ft_name_elt : NotIn.t -> string -> string
     val ft_for_ft : Jc_fenv.logic_info ->
       (string * Output.logic_type) list ->
       NotIn.t ->
       (Jc_fenv.logic_info * (string * 'e) list) list ->
       Output.why_decl list -> Output.why_decl list
end
  =
struct
  let ft_name notin s = s^(NotIn.mem_name2 notin)^ft_suffix
  let ft_name_elt notin s = s^(NotIn.mem_name2 notin)^"_elt"^ft_suffix
      
  let add_args notin args =
    (NotIn.var notin)::args

  let add_decl_args notin args =
    (NotIn.name notin,NotIn.ty notin)::args
      
  let conv_app_pred notin s lt =
    let ft_name = ft_name notin s in
    LPred (ft_name,add_args notin lt)

  let trad_app notin e =
    match e with
      | LApp (s,[memory;elt]) when s = select_name -> 
          if NotIn.is_memory_var notin memory
          then 
            if NotIn.for_one notin
            then LNot (make_eq elt (NotIn.var notin))
            else MyBag.make_in elt (NotIn.var notin)
          else LTrue
      | LApp (s,[]) when s = select_name ->  assert false (*really impossible*)
      | LApp (s,lt) -> 
          if List.exists (NotIn.is_memory_var notin) lt
          then (conv_app_pred notin s lt)
          else LTrue
      | _ -> assert false

  let trad_pred notin e =
    match e with
      | LPred (s,lt) ->
          if List.exists (NotIn.is_memory_var notin) lt 
          then (conv_app_pred notin s lt)
          else LTrue
      | _ -> assert false

  let rec term_extract_effect notin acc e =
    match e with
      | LConst _ | LVar _ | LVarAtLabel _ -> acc
      | Tnamed (_,t) -> term_extract_effect notin acc t
      | LApp (_,lt) -> (trad_app notin e)::
          (List.fold_left (term_extract_effect notin) acc lt)
      | TIf _ -> assert false
      | TLet _ -> assert false

  let rec conv_to_ft notin e = 
    match e with
      | LTrue | LFalse as f -> f
      | LAnd(a,b) -> LAnd (conv_to_ft notin a,conv_to_ft notin b)
      | LOr(a,b) -> LAnd (LImpl(a,conv_to_ft notin a),
                          LImpl(b,conv_to_ft notin b))
      | LExists (s,ty,tll,a) -> LForall (s,ty,tll,LImpl(a,conv_to_ft notin a))
      | LForall (s,ty,tll,a) -> LForall (s,ty,tll,conv_to_ft notin a)
      | LImpl _ | LIff _ | LNot _ -> assert false
      | LPred (_,lt) as e -> 
          let acc = List.fold_left 
            (term_extract_effect notin) [] lt in
          let acc = trad_pred notin e::acc in
          let acc = remove_double compare acc in
          make_and_list acc
      | LNamed (s,a) ->  LNamed(s,conv_to_ft notin a)
      | LLet _ | LIf _ -> assert false

  let generic_axiom_for_ft ~do_rem:do_rem f_name notin params acc =
    let axiom_name = "axiom"^"_"^(NotIn.mem_name notin) in
    let vars = params
        |> List.map (fun (s,_) -> LVar s) in
    let ft a = LPred (ft_name notin f_name,a::vars) in
    let ft_p a = LPred (ft_name_elt notin f_name,a::vars) in
    (* ft with rem *)
    let acc = if do_rem then
      let mb = "mb"^mybag_suffix in
      let mb_ty = NotIn.ty notin in
      let p = "p"^tmp_suffix in
      let p_ty = MyBag.ty_elt (NotIn.ty notin) in
      let assertion = LForall (mb,mb_ty,[],
                               LForall (p,p_ty,[],
                                        let mb = LVar mb in
                                        let p = LVar p in
                                        make_impl (ft mb) (make_impl (ft_p p)
                                          (ft (MyBag.make_rem p mb))))) in
      let acc = Axiom (axiom_name^"1a", 
                       make_forall_list params [] assertion)::acc in
      (* inverse *)
       let assertion = 
         let asser = 
           let mb = LVar mb in
           let p = LVar p in
           make_impl (ft (MyBag.make_rem p mb)) (ft mb) in
         LForall (mb,mb_ty,[], LForall (p,p_ty,[],asser)) in
      let acc = 
        Axiom (axiom_name^"1b", make_forall_list params [] assertion)::acc in
      let assertion = 
        let asser =
          let mb = LVar mb in
          let p = LVar p in
          make_impl (ft (MyBag.make_rem p mb)) (ft_p p) in
        LForall (mb,mb_ty,[], LForall (p,p_ty,[],asser)) in
      let acc = Axiom (axiom_name^"1c", 
                       make_forall_list params [] assertion)::acc in
      acc
    else acc in
    (* ft with inter *)
    let acc =         
      let mb1 = "mb1"^mybag_suffix in
      let mb2 = "mb2"^mybag_suffix in
      let mb_ty = NotIn.ty notin in
      let assertion = 
        let asser =
          let mb1 = LVar mb1 in
          let mb2 = LVar mb2 in
          make_equiv (make_and (ft mb1) (ft mb2))
            (ft (MyBag.make_inter mb1 mb2)) in
        LForall (mb1,mb_ty,[], LForall (mb2,mb_ty,[],asser)) in
      Axiom (axiom_name^"2", make_forall_list params [] assertion)::acc in
    (* ft with all *)
    let acc =         
      let assertion = ft MyBag.all in
      Axiom (axiom_name^"3", make_forall_list params [] assertion)::acc in
    acc

  let rec def_ft_pred ~for_one _f notin ta_conv acc = 
    match ta_conv with 
        (* Devrait peut-être utiliser la vrai 
           transformation d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,params,l)] -> begin 
          let params = List.map (fun (s,ty) -> ("_JC_"^s,ty)) params in
          let name = ft_name notin f_name in
          Jc_options.lprintf "Generate logic ft : %s :@." name;
          let acc = Logic(false,
                          name,
                          add_decl_args notin params,
                          simple_logic_type prop_type)::acc in

          let rec gen_one_neg acc = function
            | LNot _a -> assert false (*gen_one_neg notin acc a*)
            | LPred (_id,lt) as e -> 
                (*Jc_options.lprintf "term_extract_effect %s@." id;*)
                let acc = List.fold_left 
                  (term_extract_effect notin) acc lt in
                (trad_pred notin e)::acc
            | LNamed (_,a) -> gen_one_neg acc a
            | LAnd (a,b) ->
                gen_one_neg (gen_one_neg acc b) a
            | _ -> assert false in
          let rec gen_one_pos ~impl acc = function
            | LNamed (_,a) -> gen_one_pos ~impl acc a
            | LPred (s,lt) -> (* Normalement le predicat inductif défini *)
                let asser = make_and_list acc in
                impl s lt asser
            | _ -> assert false in
          let rec gen_one ~impl acc = function
            | LForall(s,ty,tr,a) ->
                LForall(s,ty,tr,gen_one ~impl acc a)
            | LImpl (a1,a2) ->
                let acc = gen_one_neg acc a1 in
                make_impl a1 (gen_one ~impl acc a2)
            | LNamed (_,a) -> gen_one ~impl acc a
            | (LAnd _ | LOr _) -> assert false 
            | a -> gen_one_pos ~impl acc a in

          (*let acc = 
            if not for_one 
            then generic_axiom_for_ft ~do_rem f_name notin params acc 
            else acc in*)
          let acc = List.fold_left 
            (fun acc (ident,assertion) ->
               let axiom_name = 
                 "axiom"^"_ft_"^(NotIn.mem_name2 notin)^f_name^ident in
               Jc_options.lprintf "Generate axiom ft : %s :@." axiom_name;
               let impl s lt asser = 
                 make_impl (conv_app_pred notin s lt) asser in
               let asser = gen_one ~impl [] assertion in
               let asser = LForall (NotIn.name notin,
                                    NotIn.ty notin ,[],asser) in
               let asser = Axiom (axiom_name,asser) in
               asser::acc
            ) acc l in
          let conjs = List.map
            (fun (_ident,assertion) ->
               let impl _s lt asser = 
                 let eqs = List.map2 
                   (fun (x,_) y -> make_eq (LVar x) y) params lt in
                 make_impl (make_and_list eqs) asser in
               gen_one ~impl [] assertion) l in
          let conjs = make_and_list conjs in
          let asser = make_impl conjs 
            (conv_app_pred notin f_name 
               (List.map (fun (x,_) -> LVar x) params)) in
          let par = (NotIn.name notin,NotIn.ty notin)::params in
          let asser = make_forall_list par [] asser in
          let axiom_name = "axiom"^"_ft_"^(NotIn.mem_name2 notin)^f_name in
          let asser = Axiom (axiom_name,asser) in
          asser::acc
        end
      | [Predicate (bool,f_name,params,assertion)] ->
          let name = ft_name notin f_name in
          Jc_options.lprintf "Generate logic ft : %s :@." name;
          let new_pred = Predicate (bool,
                                    name,
                                    add_decl_args notin params,
                                    conv_to_ft notin assertion) in
          new_pred::acc
      | [Function (_bool,f_name,params,_ltype,term)] ->
          let name = ft_name notin f_name in
          Jc_options.lprintf "Generate logic ft: %s :@." name;
          let acc = Logic(false,
                          name,
                          add_decl_args notin params,
                          simple_logic_type prop_type)::acc in

          let rec gen_one acc term =
              match term with
                | TIf(_if,_then,_else) ->
                    let acc = term_extract_effect notin acc _if in
                    LIf(_if,gen_one acc _then,gen_one acc _else)
                | e -> 
                    let acc = term_extract_effect notin acc e in
                    make_and_list acc in
          let axiom_name = "axiom"^"_ft_"^(NotIn.mem_name2 notin)^f_name in
          Jc_options.lprintf "Generate axiom ft: %s :@." axiom_name;
          let asser = gen_one [] term in
          let asser = make_equiv asser 
            (conv_app_pred notin f_name 
               (List.map (fun (x,_) -> LVar x) params)) in
          let par = (NotIn.name notin,NotIn.ty notin)::params in
          let asser = make_forall_list par [] asser in
          let asser = Axiom (axiom_name,asser) in
          asser::acc
            (* Was a reccursive function definition *)
      | [Logic(_bool,f_name,params,_ltype);
         Axiom(_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          def_ft_pred ~for_one _f notin ta_conv acc
      | _ -> Jc_options.lprintf "@[<hov 3>I can't translate that :@\n%a" 
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;acc


  let ft_for_ft f args notin framed acc =
    let conjs = List.map 
      (fun (f,params) ->
         (conv_app_pred notin f.jc_logic_info_name
            (List.map (fun (x,_) -> LVar x) params)))
      framed in
    let code = make_and_list conjs in
    let args = add_decl_args notin args in
    let ft_name = ft_name notin f.jc_logic_info_name in
    Predicate(false,ft_name,args,code)::acc          
end
*)


let tr_params_usual_model_aux f =
    let lab = 
    match f.jc_logic_info_labels with [lab] -> lab | _ -> LabelHere
  in
    let usual_params =
      List.map (tparam ~label_in_name:true lab) f.jc_logic_info_parameters
    in  
    let model_params = 
      tmodel_parameters ~label_in_name:true f.jc_logic_info_effects 
    in
    let _3to2 = List.map (fun (n,_v,ty') -> (n,ty')) in
    let usual_params = _3to2 usual_params in
    let model_params = _3to2 model_params in
    usual_params,model_params

(*
module Def_in :
sig  val def_in : 'a ->  NotIn.t ->
       Output.why_decl list -> Output.why_decl list ->
       Jc_fenv.logic_info * NotIn.t
       -> Output.why_decl list
     val def_disj : string -> bool -> (string * Output.logic_type) list ->
       Output.why_decl list -> NotIn.t  -> Output.why_decl list
     val def_frame_in :
        string -> NotIn.t ->
       (string * Output.logic_type) list ->
       Output.why_decl list -> NotIn.t -> Output.why_decl list
     val notin_for_notin :  Jc_fenv.logic_info ->
       (string * Output.logic_type) list ->
       NotIn.t ->
       Jc_fenv.logic_info * NotIn.t ->
       (Jc_fenv.logic_info * (string * 'n) list) list ->
       Output.why_decl list -> Output.why_decl list

end
  =
struct
  
  let notin_name notin s = s^(NotIn.mem_name2 notin)^in_suffix
  (* let gen_ft_name notin s = s^(NotIn.mem_name2 notin)^ft_suffix *)
  (* let gen_ft_name_elt notin s = s^(NotIn.mem_name2 notin)^"_elt"^ft_suffix
   *)

  let conv_app_pred var_in notin s lt =
    let notin_name = notin_name notin s in
    LPred(disj_name,[LApp (notin_name,lt);var_in])

  let conv_app_pred_pt var_in elt =
    LNot (LPred(in_pred,[elt;var_in]))

  let trad_app var_in notin e =
    match e with
      | LApp (s,[memory;elt]) when s = select_name -> 
          if NotIn.is_memory_var notin memory
          then conv_app_pred_pt var_in elt
          else LTrue
      | LApp (s,_) when s = select_name ->  assert false (*really impossible*)
      | LApp (s,lt) -> 
          if List.exists (NotIn.is_memory_var notin) lt
          then conv_app_pred var_in notin s lt
          else LTrue
      | _ -> assert false

  let trad_pred ft notin e =
    match e with
      | LPred (s,lt) ->
          if List.exists (NotIn.is_memory_var notin) lt 
          then conv_app_pred ft notin s lt
          else LTrue
      | _ -> assert false

  let rec term_extract_effect notin acc e =
    match e with
      | LConst _ | LVar _ | LVarAtLabel _ -> acc
      | Tnamed (_,t) -> term_extract_effect notin acc t
      | LApp (_,lt) -> (trad_app notin e)::
          (List.fold_left (term_extract_effect notin) acc lt)
      | TIf _ -> assert false
      | TLet _ -> assert false

  let gen axiom_name f_name gen_framed notin_update params framed_params = 
    let elt = "elt"^tmp_suffix in
    let elt_val = "elt_val"^tmp_suffix in
    let framed_normal_params = framed_params
      |> List.map fst in
    let framed_update_params = 
      List.map (fun name ->
		  if name = NotIn.mem_name notin_update then
		    LApp("store",[LVar name;LVar elt;LVar elt_val])
		  else LVar name
	       ) framed_normal_params in
    let framed_normal_params = framed_normal_params
      |> List.map make_var in
    let params = params
      |> List.map fst 
      |> List.map make_var in
    let sepa = 
      MyBag.make_in (LVar elt) 
        (LApp (notin_name notin_update f_name,params)) in
    let a,trig = 
      match gen_framed with
        | `Pred gen_framed ->
            let pred_normal = gen_framed framed_normal_params in
            let pred_update = gen_framed framed_update_params in
            LImpl(pred_normal,pred_update),LPatP pred_update
        | `Term gen_framed ->
            let term_normal = gen_framed framed_normal_params in
            let term_update = gen_framed framed_update_params in
            make_eq term_normal term_update, LPatT term_update in
    let a = LImpl(sepa,a) in
    let a = make_forall_list framed_params [[trig]] a in
    let a = LForall (elt,NotIn.ty_elt notin_update,[],
                     LForall (elt_val,NotIn.ty_elt_val notin_update,[],a)) in
    let axiom_name = "axiom"^"_no_update_"^axiom_name^
      (NotIn.mem_name notin_update) in
    Axiom(axiom_name,a)

  (*let def_no_update f_name notin_update params prop =
    gen f_name f_name prop notin_update params []*)
(*
  let def_frame_ft f_name notin params acc notin_update =
    let ft_name = Def_ft_pred.ft_name notin f_name in
    let p = (NotIn.name notin,NotIn.ty notin) in 
    let gen_framed params = LPred(ft_name,params) in
    (gen ft_name f_name (`Pred gen_framed) notin_update params 
       (p::params))::acc

  let def_frame_ft_elt f_name notin params  acc notin_update =
    let ft_name = Def_ft_pred.ft_name_elt notin f_name in
    let p = ("p"^tmp_suffix,NotIn.ty_elt notin) in
    let gen_framed params = LPred(ft_name,params) in
    let ax = gen ft_name f_name (`Pred gen_framed) notin_update params 
      (p::params) in
    ax::acc
*)
  let def_frame_notin f_name notin params acc notin_update =
    let notin_name = notin_name notin f_name in
    let gen_framed params = LApp(notin_name,params) in
    (gen notin_name f_name (`Term gen_framed) notin_update params params)::acc

  let def_frame f_name is_pred params acc notin_update =
    let gen_framed =
      if is_pred
      then `Pred (fun params -> LPred(f_name,params))
      else `Term (fun params -> LApp(f_name,params)) in
    (gen f_name f_name gen_framed notin_update params params)::acc
(*
  let gen_frame2 (f_name,notin,params) (ft_name,ft_notin,ft_params)
      acc (notin_notin_update, ft_notin_update) =
    let forall_params = remove_double Pervasives.compare
      (ft_params @ params) in
    let params = List.map fst params in
    let ft_params = List.map fst ft_params in
    let elt = "elt"^tmp_suffix in
    let elt_val = "elt_val"^tmp_suffix in
    let notin_update =
      match notin_notin_update, ft_notin_update with
        | None, None -> assert false
        | Some m, None | None, Some m -> m
        | Some m1, Some m2 ->
            assert (NotIn.mem_name m1 = NotIn.mem_name m2);
            assert (NotIn.ty_elt m1 = NotIn.ty_elt m2);
            assert (NotIn.ty_elt_val m1 = NotIn.ty_elt_val m2);
            m1 in
    let to_update =
      List.map (fun name ->
		  if name = NotIn.mem_name notin_update then
                    LApp("store",[LVar name;LVar elt;LVar elt_val])
		  else LVar name) in
    let params_update = to_update params in
    let ft_params_update = to_update ft_params in
    let params = List.map make_var params in
    let ft_params = List.map make_var ft_params in
    let sepa notin_update f_name params =
      match notin_update with
        | Some notin_update ->
            MyBag.make_in (LVar elt)
              (LApp ((notin_name notin_update f_name),params))
        | None -> LTrue in
    let notin_notin_update_sepa =
      sepa notin_notin_update f_name params in
    let ft_notin_update_sepa =
      sepa ft_notin_update ft_name ft_params in
    let body = conv_app_pred (ft_name,ft_notin,ft_params)
      notin f_name params in
    let body_update = conv_app_pred (ft_name,ft_notin,ft_params_update)
      notin f_name params_update in
    let body =
      make_impl notin_notin_update_sepa
        (make_impl ft_notin_update_sepa
           (make_impl body body_update)) in
    let body = make_forall_list forall_params [[LPatP body_update]] body in
    let body =
      LForall (elt,NotIn.ty_elt notin_update,[],
               LForall (elt_val,NotIn.ty_elt_val notin_update,[],body)) in
    let axiom_name = "axiom"^"_no_update_ftn_"^ft_name^f_name^
      (NotIn.mem_name notin_update)^(id_uniq ()) in
    Axiom(axiom_name,body)::acc

  let def_frame_ft_notin (f_name,notin,params) (ft,ft_notin) acc
      notin_notin_updates =
    (** which notin *)
    let ft_notin_updates =
      let todos = 
        Hashtbl.find_all predicates_to_generate ft.jc_logic_info_tag in
      let filter_notin acc = function
        | ((`Notin _| `Notin_pt) , mem) -> (NotIn.from_memory false mem)::acc
        | _ -> acc in
      (* notin_updates is used to create the frames axioms *)
      List.fold_left filter_notin [] todos in
    let of_list =
      List.fold_left (fun m x ->NotInMap.add x x m) NotInMap.empty in
    let notin_updates =
      NotInSet.union
        (NotInSet.of_list notin_notin_updates)
        (NotInSet.of_list ft_notin_updates) in
    let notin_notin_updates = of_list notin_notin_updates in
    let ft_notin_updates = of_list ft_notin_updates in
    let add notin acc =
      ((try Some (NotInMap.find notin notin_notin_updates)
      with Not_found -> None),
      (try Some (NotInMap.find notin ft_notin_updates)
      with Not_found -> None))::acc in
    let notin_updates = NotInSet.fold add notin_updates [] in
    (** params *)
    let ft_name = ft.jc_logic_info_name in
    let ft_params_usual,ft_params_model = tr_params_usual_model_aux ft in
    let ft_params_usual =
      List.map (fun (x,ty) -> "_JC_ft_"^x,ty)  ft_params_usual in
    let ft_params_model = List.map (fun (x,ty) -> x,ty)
      ft_params_model in
    let ft_params = ft_params_usual @ ft_params_model in
    let ft = (ft_name,ft_notin,ft_params) in
    List.fold_left (gen_frame2 (f_name,notin,params) ft) acc notin_updates
*)
  let rec def_notin _f notin ta_conv acc =
    match ta_conv with 
        (* Devrait peut-être utiliser la vrai transformation 
           d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,params,l)] -> begin 
          let rec gen_one_neg notin acc = function
            | LNot _a -> assert false (*gen_one_neg notin acc a*)
            | LPred (_,lt) as e -> 
                let acc = List.fold_left 
                  (term_extract_effect notin) acc lt in
                (trad_pred notin e)::acc
            | LNamed (_,a) -> gen_one_neg notin acc a
            | LAnd (a,b) ->
                gen_one_neg notin (gen_one_neg notin acc b) a
            | _ -> assert false in
          let rec gen_one_pos ~impl notin acc = function
            | LNamed (_,a) -> gen_one_pos ~impl notin acc a
            | LPred (s,lt) -> 
                (* Normalement le predicat inductif défini *)
                let asser = make_and_list acc in
                impl notin s lt asser
            | _ -> assert false in
          let rec gen_one ~impl notin acc = function
            | LForall(s,ty,tr,a) ->
                LForall(s,ty,tr,gen_one ~impl notin acc a)
            | LImpl (a1,a2) ->
                let acc = gen_one_neg notin acc a1 in
                make_impl a1 (gen_one ~impl notin acc a2)
            | LNamed (_,a) -> gen_one ~impl notin acc a
            | (LAnd _ | LOr _) -> assert false 
            | a -> gen_one_pos ~impl notin acc a in
          
          let name = (notin_name notin f_name) in
          Jc_options.lprintf "Generate logic notin : %s :@." name;
          let acc = Logic(false,
                          name,
                          params,
                          NotIn.ty notin)::acc in
          let acc = List.fold_left 
            (fun acc (ident,assertion) ->
               let impl notin s lt asser =
                 make_impl (conv_app_pred ft notin s lt) asser in
               let asser = gen_one ~impl notin [] assertion in
               let asser = make_forall_list ft_params_usual [] asser in
               let axiom_name = 
                 "axiom"^"_notin_"^(NotIn.mem_name notin) ^ident^f_name in
                 Jc_options.lprintf "Generate axiom notin : %s@." axiom_name;
               (*let asser = LForall (NotIn.name notin,
                                    NotIn.ty notin ,[],asser) in*)
               let asser = Axiom (axiom_name,asser) in
               asser::acc
            ) acc l in
          (* The other side *)
          let params = List.map (fun (s,ty) -> ("_JC_"^s,ty)) params in
          let conjs = List.map
            (fun (_ident,assertion) ->
               let impl _ _s lt asser = 
                 let eqs = List.map2 
                   (fun (x,_) y -> make_eq (LVar x) y) params lt in
                 make_impl (make_and_list eqs) asser in
               gen_one ~impl notin [] assertion) l in
          let conjs = make_and_list conjs in
          let ft_params_model = List.map (fun (x,ty) -> "_JC_"^x,ty)
            ft_params_model in
          let ft = (ft_name,ft_notin,
                    List.map (fun (x,_) -> LVar x)
                      (ft_params_usual @ ft_params_model)) in
          let conclu = conv_app_pred ft notin f_name 
            (List.map (fun (x,_) -> LVar x) params) in
          let asser = make_impl conjs conclu in
          (*let forall_params = remove_double Pervasives.compare
            (ft_params_usual @ ft_params_model @ params) in*)
          let forall_params = ft_params_usual @ params in
          let asser = make_forall_list forall_params [[LPatP conclu]] asser in
          let axiom_name = "axiom"^"_notin_"^(NotIn.mem_name2 notin)^f_name in
          let asser = Axiom (axiom_name,asser) in
          asser::acc
        end
      | [Predicate (_,f_name,params,assertion)] ->
          let name = (gen_ft_name ft_notin ft_name) ^
            (notin_name notin f_name) in
          Jc_options.lprintf "Generate logic notin (pred): %s :@." name;
          let rec gen_one_neg notin acc = function
            | LNot _a -> assert false (*gen_one_neg notin acc a*)
            | LPred (_,lt) as e -> 
                let acc = List.fold_left 
                  (term_extract_effect ft notin) acc lt in
                (trad_pred ft notin e)::acc
            | LNamed (_,a) -> gen_one_neg notin acc a
            | LAnd (a,b) ->
                gen_one_neg notin (gen_one_neg notin acc b) a
            | _ -> assert false in
          let asser = gen_one_neg notin [] assertion in
          let asser = make_and_list asser in
          let lt = List.map (fun (x,_) -> LVar x) params in
          let asser = make_impl (conv_app_pred ft notin f_name lt) asser in
          let asser = make_forall_list params [] asser in
          let new_pred = Axiom (name,make_forall_list 
                                  ft_params_usual [] asser) in
          new_pred::acc
      | [Function (_bool,f_name,params,_ltype,term)] ->
          let name = (gen_ft_name ft_notin ft_name) 
            ^ (notin_name notin f_name) in
          Jc_options.lprintf "Generate logic notin (fun): %s :@." name;
          let acc = Logic(false,
                          name,
                          params,
                          NotIn.ty notin)::acc in
          let rec gen_one acc term =
              match term with
                | TIf(_if,_then,_else) ->
                    let acc = term_extract_effect ft notin acc _if in
                    LIf(_if,gen_one acc _then,gen_one acc _else)
                | e -> 
                    let acc = term_extract_effect ft notin acc e in
                    let acc = make_and_list acc in
                    acc in
          let axiom_name = "axiom"^"_notin_"^(NotIn.mem_name2 notin)^f_name in
          Jc_options.lprintf "Generate axiom notin : %s :@." axiom_name;
          let asser = gen_one [] term in
          let conclu = conv_app_pred ft notin f_name 
            (List.map (fun (x,_) -> LVar x) params) in
          let asser = make_equiv asser conclu in
          let par = params in
          let asser = make_forall_list par [] asser in
          let asser = make_forall_list  ft_params_usual [] asser in
          let asser = Axiom (axiom_name,asser) in
          asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Axiom(_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          def_notin _f notin ta_conv acc ft_o
      | _ -> Jc_options.lprintf "@[<hov 3>I can't translate that :@\n%a" 
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;acc

  let rec def_notin_logic notin ta_conv acc = 
    match ta_conv with 
        (* Devrait peut-être utiliser la vrai transformation 
           d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,params,_)] -> begin         
          let name = notin_name notin f_name in
          Jc_options.lprintf "Generate logic notin : %s :@." name;
          let acc = Logic(false,
                          name,
                          params,
                          NotIn.ty notin)::acc in
          acc
        end
      | [Predicate (_,f_name,params,_)] ->
          let name = notin_name notin f_name in
          Jc_options.lprintf "Generate logic notin : %s :@." name;
          let acc = Logic(false,
                          name,
                          params,
                          NotIn.ty notin)::acc in
          acc
      | [Function (_bool,f_name,params,_ltype,_)] ->
          let name = notin_name notin f_name in
          Jc_options.lprintf "Generate logic notin: %s :@." name;
          let acc = Logic(false,
                          name,
                          params,
                          NotIn.ty notin)::acc in
          acc
      | [Logic(_bool,f_name,params,_ltype);
         Axiom(_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          def_notin_logic notin ta_conv acc
      | _ -> Jc_options.lprintf "@[<hov 3>I can't translate that :@\n%a" 
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;acc

  let notin_for_notin f args notin (ft,ft_notin) framed acc =
    let ft_name = ft.jc_logic_info_name in
    let ft_params_usual,ft_params_model = tr_params_usual_model_aux ft in
    let ft_params_usual = 
      List.map (fun (x,ty) -> "_JC_ft_"^x,ty)  ft_params_usual in
    let ft_params_model = List.map (fun (x,ty) -> x,ty) ft_params_model in
    let ft = (ft_name,ft_notin,
              List.map (fun (x,_) -> LVar x)
                (ft_params_usual @ ft_params_model)) in
    let name = (notin_name notin f.jc_logic_info_name) in
    Jc_options.lprintf "Generate logic notin_notin : %s :@." name;
    let acc = Logic(false,
                    name,
                    args,
                    NotIn.ty notin)::acc in
    let axiom_name = "axiom"^"_notin_"^(NotIn.mem_name2 notin)
      ^f.jc_logic_info_name in
    Jc_options.lprintf "Generate axiom notin : %s :@." axiom_name;
    let conjs = List.map 
      (fun (f,params) ->
         (conv_app_pred ft notin f.jc_logic_info_name
            (List.map (fun (x,_) -> LVar x) params)))
      framed in
    let code = make_and_list conjs in
    let conclu = conv_app_pred ft notin f.jc_logic_info_name
      (List.map (fun (x,_) -> LVar x) args) in
    let asser = make_equiv code conclu in
    let asser = make_forall_list args [] asser in
    let asser = make_forall_list  ft_params_usual [] asser in
    let asser = Axiom (axiom_name,asser) in
    asser::acc


end
*)

module InDisj :
sig

  type define = NotIn.t -> why_decl list -> why_decl list -> why_decl list

  val define_In    : define
  val define_disj  : define
  val define_frame_between : define
  val define_x_sub : define
  val define_sub_x : define
  val define_sub   : define
  
  val def_frame_in :  string -> NotIn.t -> (string * Output.logic_type) list ->
    Output.why_decl list -> NotIn.t list -> Output.why_decl list
  val def_frame : string -> bool -> string ->
    (string * Output.logic_type) list ->
    Output.why_decl list -> NotIn.t list -> Output.why_decl list

  type for_in = string -> (string * logic_type) list ->
    NotIn.t -> (Jc_fenv.logic_info * (string * logic_type) list) list ->
    why_decl list -> why_decl list

  val in_for_in    : for_in
  val disj_for_in  : for_in
  val x_sub_for_in : for_in
  val sub_x_for_in : for_in

end =
struct

  type define = NotIn.t ->
    Output.why_decl list ->
    Output.why_decl list -> Output.why_decl list

  type for_in = string -> (string * logic_type) list ->
    NotIn.t -> (Jc_fenv.logic_info * (string * logic_type) list) list ->
    why_decl list -> why_decl list


  let trad_app s lt = (s,lt)

  let rec term_extract_application acc e =
    match e with
      | LConst _ | LVar _ | LDeref _ | LDerefAtLabel _ -> acc
      | Tnamed (_,t) -> term_extract_application acc t
      | LApp (s,lt) -> (trad_app s lt)::
          (List.fold_left term_extract_application acc lt)
      | TIf _ -> assert false
      | TLet _ -> assert false

  let pred_extract_effect s lt acc =
    (trad_app s lt)::(List.fold_left term_extract_application acc lt)

  let inductive_extract_effect ass = 
    let rec iee e acc =
      match e with
        | LTrue | LFalse -> acc
        | LImpl(f1,f2) -> (iee f2) (neg f1 acc)
        | LPred(_) -> acc
        | _ -> failwith "Inductive must be forall x,.. Pn -> ... -> P1"
    and neg e acc =
      match e with
        | LTrue | LFalse -> acc
        | LAnd (f1,f2) -> neg f1 (neg f2 acc)
        | LPred(s,lt) -> pred_extract_effect s lt acc
        | _ -> failwith "Inductive must be forall x,.. (Pn && Pj) -> ... -> P1"
    and rq = function
        | LForall (_,_,_,f) -> rq f
        | e -> iee e [] in
    let effects = rq ass in
    remove_double Pervasives.compare effects

  let rec rewrite_inductive_case rw = function
    | LForall (s,ty,_,f) -> LForall(s,ty,[],rewrite_inductive_case rw f)
    | LTrue | LFalse as e -> e
    | LImpl(f1,f2) -> LImpl(f1,rewrite_inductive_case rw f2)
    | LPred(s,lt) -> rw s lt
    | _ -> failwith "Inductive must be forall x,.. Pn -> ... -> P1"
    

  let rec term_interp_or interp t =
    let fnT = term_interp_or interp in
    match t with
      | TIf(if_,then_,else_) ->
        LIf(if_,make_or (fnT if_) (fnT then_),
            make_or (fnT if_) (fnT else_))
      | LConst _ -> LFalse
      | LApp (s,lt) -> List.fold_left (fun acc e -> make_or acc (fnT e)) 
        (interp s lt) lt
      | LVar _ -> LFalse
      | Tnamed (_,t) -> term_interp_or interp t
      | LDerefAtLabel _ -> 
        failwith "Not implemented, how to do that? Show me the example!!! thx"
      | _ -> failwith "Not implemented"

  let rec term_interp_and interp t =
    let fnT = term_interp_and interp in
    match t with
      | TIf(if_,then_,else_) ->
        LIf(if_,make_and (fnT if_) (fnT then_),
            make_and (fnT if_) (fnT else_))
      | LConst _ -> LTrue
      | LApp (s,lt) -> List.fold_left (fun acc e -> make_and acc (fnT e)) 
        (interp s lt) lt
      | LVar _ -> LTrue
      | Tnamed (_,t) -> term_interp_and interp t
      | LDerefAtLabel _ -> 
        failwith "Not implemented, how to do that? Show me the example!!! thx"
      | _ -> failwith "Not implemented"

  let rec pred_interp_or interp e =
    let fnT = term_interp_or interp in
    let fnF = pred_interp_or interp in
    match e with
    | LTrue | LFalse -> LFalse
    | LAnd(f1,f2) -> make_or (fnF f1) (fnF f2)
    | LOr(f1,f2) -> make_or (make_and f1 (fnF f1)) (make_and f2 (fnF f2))
    | LForall (s,lt,_,f) -> LExists(s,lt,[],fnF f)
    | LExists (s,lt,_,f) -> LExists(s,lt,[],make_and f (fnF f))
    | LPred(s,lt) -> List.fold_left (fun acc e -> make_or acc (fnT e)) 
        (interp s lt) lt
    | _ -> failwith "Not Implemented, not in formula"


  let rec pred_interp_and interp e =
    let fnT = term_interp_and interp in
    let fnF = pred_interp_and interp in
    match e with
    | LTrue | LFalse -> LTrue
    | LAnd(f1,f2) -> make_and (fnF f1) (fnF f2)
    | LOr(f1,f2) -> make_and (make_impl f1 (fnF f1)) (make_impl f2 (fnF f2))
    | LForall (s,lt,_,f) -> LForall(s,lt,[],fnF f)
    | LExists (s,lt,_,f) -> LForall(s,lt,[],make_impl f (fnF f))
    | LPred(s,lt) -> List.fold_left (fun acc e -> LAnd(acc,fnT e)) 
        (interp s lt) lt
    | _ -> failwith "Not Implemented, not in formula"

  let in_interp_app var notin s lt =
    if s = select_name then
      match lt with
        | [_;p] -> make_eq (LVar (fst var)) p
        | _ -> assert false
    else
    LPred(in_pred,[LVar (fst var);LApp(in_name notin s, lt)])

  let disj_interp_app var notin s lt =
    if s = select_name then
      match lt with
        | [_;p] -> LNot (LPred(in_pred,[p;LVar (fst var)]))
        | _ -> assert false
    else
    LPred(disj_pred,[LVar (fst var);LApp(in_name notin s, lt)])

  let frame_between_interp_app var_mem notin s lt =
    assert (s <> select_name);
    LPred(frame_between_name, [LApp(in_name notin s, lt);
                               LVar (fst var_mem);
                               LVar (NotIn.mem_name notin)])

  let sub_interp_app x1 notin x2 =
    match x1,x2 with
      | `Var var1,`Var var2 -> LPred(sub_pred,[LVar (fst var1); 
                                               LVar (fst var2)])
      (* This case must be in fact var1 is a singleton *)
      | `Var _, `App (s,[_;_]) when s = select_name -> assert false
      | `App (s,[_;p]), `Var var when s = select_name ->
        LPred(in_pred,[p;LVar (fst var)])
      | `Var var, `App (s,lt) -> 
        LPred(sub_pred,[LVar (fst var);LApp(in_name notin s, lt)])
      | `App (s,lt), `Var var -> 
        LPred(sub_pred,[LApp(in_name notin s, lt);LVar (fst var)])
      (* two app *)
      | `App(s1,[_;p1]), `App(s2,[_;p2]) 
        when s1 = select_name && s2 = select_name ->
        make_eq p1 p2
      (* This case must be in fact app2 is a singleton *)
      | `App _, `App(s2,[_;_]) when s2 = select_name -> assert false
      | `App(s1,[_;p1]), `App(s2,lt2) when s1 = select_name -> 
        LPred(in_pred,[p1;LApp(in_name notin s2, lt2)])
      | `App(s1,lt1), `App(s2,lt2) ->
        LPred(sub_pred,[LApp(in_name notin s1,lt1);LApp(in_name notin s2,lt2)])

  let mem_are_compatible notin (_,lt) =
    List.exists (NotIn.is_memory_var notin) lt
(*
  let inductive_to_axioms name (pname,var,fname,lt) l acc =
    let constr acc (ident,assertion) = 
      Axiom (name^fname^ident,assertion)::acc in
    let acc = List.fold_left constr acc l in
    let var = ((fst var)^tmp_suffix,snd var) in
    let lt = List.map (fun (s,ty) -> (s^tmp_suffix,ty)) lt in 
    let rec rewrite = function
      | LForall(v,t,_,a) -> LExists(v,t,[],rewrite a)
      | LImpl(f1,f2) -> LAnd(f1,rewrite f2)
      | LPred(_,[var2;LApp(_,lt2)]) -> 
        let eqs = (var,var2) :: (List.combine lt lt2) in
        let eqs = List.map (fun (a1,a2) -> make_eq (LVar (fst a1)) a2) eqs in
        make_and_list eqs
      | _ -> assert false in
    let assertions = List.map (fun (_,a) -> rewrite a) l in
    let assertions = make_or_list assertions in
    let pred = LPred(pname,
                     [LVar (fst var);
                      LApp(fname,List.map (fun var -> LVar (fst var)) lt)]) in
    let assertion = LImpl(pred,assertions) in
    let assertion = make_forall_list (var::lt) [] assertion in
    Axiom ("axiom_"^name^pname^"_"^fname,assertion) :: acc
    *)
  let match_pred p1 p2 =
    match p1,p2 with
      | LPred(s1,lt1), LPred(s2,lt2) when s1 = s2 ->
        List.fold_left2 match_term [] lt1 lt2
      | _ -> invalid_arg "match_pred p1 is not a valid context for p2" 

  (* bindvars must be fresh variables... *)
  let inductive_to_axioms name pred bindvars l acc =
    let constr acc (ident,assertion) = 
      Goal(KAxiom,id_no_loc (name^ident),assertion)::acc in
    let acc = List.fold_left constr acc l in
    let rec rewrite = function
      | LForall(v,t,_,a) -> LExists(v,t,[],rewrite a)
      | LImpl(f1,f2) -> LAnd(f1,rewrite f2)
      | LPred _ as p2 ->
        let eqs = match_pred pred p2 in
        let eqs = List.map (fun (a1,a2) -> make_eq (LVar a1) a2) eqs in
        make_and_list eqs
      | _ -> assert false in
    let assertions = List.map (fun (_,a) -> rewrite a) l in
    let assertions = make_or_list assertions in
    let assertion = LImpl(pred,assertions) in
    let assertion = make_forall_list bindvars [] assertion in
    Goal(KAxiom,id_no_loc ("axiom_"^name),assertion) :: acc


  let rec define_In notin ta_conv acc = 
    match ta_conv with 
        (* Devrait peut-être utiliser la vrai transformation 
           d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,params,l)] -> 
        let name = (in_name notin f_name.name) in
        Jc_options.lprintf "Define logic in : %s :@." name;
        (* let acc = Logic(false, name, params, NotIn.ty notin)::acc in *)
        let var = ("jc_var",NotIn.ty_elt notin) in
        let gen_case acc (ident,assertion) =
          let effects = inductive_extract_effect assertion in
          let effects = List.filter (mem_are_compatible notin) effects in
          let rw seff lteff s lt =
            LImpl(in_interp_app var notin seff lteff,
                  in_interp_app var notin s lt) in
          let nb = ref 0 in
          let rewrite acc (seff,lteff) = 
            incr nb;
            let assertion =
              LForall(fst var,snd var,[],
                      rewrite_inductive_case (rw seff lteff) assertion) in
            (ident^(string_of_int !nb), assertion) :: acc in
          List.fold_left rewrite acc effects in
        let l = List.fold_left gen_case [] l in
        let var = ((fst var)^tmp_suffix,snd var) in
        let lt = List.map (fun (s,ty) -> (s^tmp_suffix,ty)) params in 
        let pred = in_interp_app var notin f_name.name 
          (List.map (fun x -> LVar (fst x)) lt) in
          inductive_to_axioms ("In"^name) pred (var::lt) l acc
      | [Function (_,f_name,params,_,term)] ->
          let name = in_name notin f_name.name in
          Jc_options.lprintf "Generate logic notin (fun): %s :@." name;
          let acc = Logic(false,
                          {f_name with name = name},
                          params,
                          NotIn.ty notin)::acc in
          let axiom_name = "axiom"^"_in_"^(NotIn.mem_name2 notin)^f_name.name in
          Jc_options.lprintf "Generate axiom notin : %s :@." axiom_name;
          let var = ("jc_var",NotIn.ty_elt notin) in
          let interp s lt = 
            if mem_are_compatible notin (s,lt)
            then in_interp_app var notin s lt
            else LFalse in
          let asser = term_interp_or interp term in
          let conclu = in_interp_app var notin f_name.name
            (List.map (fun (x,_) -> LVar x) params) in
          let asser = make_equiv asser conclu in
          let params = var::params in
          let asser = make_forall_list params [] asser in
          let asser = Goal(KAxiom,id_no_loc axiom_name,asser) in
          asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Goal(KAxiom,_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          define_In notin ta_conv acc
      | _ -> Jc_options.lprintf "@[<hov 3>I can't translate that :@\n%a" 
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false

  let rec define_disj notin ta_conv acc = 
    match ta_conv with 
      (* Devrait peut-être utiliser la vrai transformation 
         d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,params,l)] -> 
        let name = (in_name notin f_name.name) in
        let var = ("jc_var",NotIn.ty notin) in
        let gen_case acc (ident,assertion) =
          let effects = inductive_extract_effect assertion in
          let effects = List.filter (mem_are_compatible notin) effects in
          let rw s lt =
            List.fold_left (fun acc (seff,lteff) ->
              LImpl(disj_interp_app var notin seff lteff,acc))
              (disj_interp_app var notin s lt) effects in
          let rewrite acc = 
            let assertion =
              LForall(fst var,snd var,[],
                      rewrite_inductive_case rw assertion) in
            (ident, assertion) :: acc in
          rewrite acc in
        let l = List.fold_left gen_case [] l in
        let var = ((fst var)^tmp_suffix,snd var) in
        let lt = List.map (fun (s,ty) -> (s^tmp_suffix,ty)) params in 
        let pred = disj_interp_app var notin f_name.name 
          (List.map (fun s -> LVar (fst s)) lt) in
        inductive_to_axioms ("disj"^name) pred (var::lt) l acc
      | [Function (_,f_name,params,_,term)] ->
        let axiom_name = "axiom"^"_disj_"^(NotIn.mem_name2 notin)^f_name.name in
        Jc_options.lprintf "Generate axiom disj : %s :@." axiom_name;
        let var = ("jc_var",NotIn.ty notin) in
        let interp s lt = 
          if mem_are_compatible notin (s,lt)
          then disj_interp_app var notin s lt
          else LTrue in
        let asser = term_interp_and interp term in
        let conclu = disj_interp_app var notin f_name.name
          (List.map (fun (x,_) -> LVar x) params) in
        let asser = make_equiv asser conclu in
        let params = var::params in
        let asser = make_forall_list params [] asser in
        let asser = Goal(KAxiom,id_no_loc axiom_name,asser) in
        asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Goal(KAxiom,_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          define_disj notin ta_conv acc
      | _ -> Jc_options.lprintf "@[<hov 3>I can't translate that :@\n%a" 
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false

  let rec add_triggers tr = function
    | LForall(vn,vt,[],(LForall _ as t)) -> LForall(vn,vt,[],add_triggers tr t)
    | LForall(vn,vt,trs,t) -> LForall(vn,vt,tr::trs,t)
    | _ -> assert false

  let rec define_frame_between notin ta_conv acc = 
    match ta_conv with 
        (* Devrait peut-être utiliser la vrai transformation 
           d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,_,l)] -> 
        let name = (in_name notin f_name.name) in
        Jc_options.lprintf "Define logic in : %s :@." name;
        (* let acc = Logic(false, name, params, NotIn.ty notin)::acc in *)
        let var = ("jc_mem", notin.NotIn.ty_mem) in
        let gen_case acc (ident,assertion) =
          let effects = inductive_extract_effect assertion in
          let effects = 
            List.filter (fun (s,_) -> not (s = select_name)) effects in
          let effects = List.filter (mem_are_compatible notin) effects in
          let nb = ref 0 in
          let rewrite acc (seff,lteff) =
            incr nb;
            let frameeff = frame_between_interp_app var notin seff lteff in
            let rw s lt =
              make_impl frameeff (frame_between_interp_app var notin s lt) in
            let assertion =
              LForall(fst var,snd var,[],
                      rewrite_inductive_case rw assertion) in
            let assertion = add_triggers [LPatP frameeff] assertion in
            (ident^(string_of_int !nb), assertion) :: acc in
          List.fold_left rewrite acc effects in
        let l = List.fold_left gen_case [] l in
        let constr acc (ident,assertion) = 
          Goal(KAxiom,id_no_loc (frame_between_name^f_name.name^ident),
	       assertion)::acc in
        List.fold_left constr acc l
      | [Function (_,f_name,params,_,term)] ->
          let name = in_name notin f_name.name in
          Jc_options.lprintf "Generate logic notin (fun): %s :@." name;
          let acc = Logic(false,
                          {f_name with name = name},
                          params,
                          NotIn.ty notin)::acc in
          let axiom_name = "axiom"^"_in_"^(NotIn.mem_name2 notin)^f_name.name in
          Jc_options.lprintf "Generate axiom notin : %s :@." axiom_name;
          let var = ("jc_mem",NotIn.ty notin) in
          let interp s lt = 
            if mem_are_compatible notin (s,lt) && s <> select_name
            then frame_between_interp_app var notin s lt
            else LFalse in
          let asser = term_interp_or interp term in
          let conclu = frame_between_interp_app var notin f_name.name 
            (List.map (fun (x,_) -> LVar x) params) in
          let asser = make_equiv asser conclu in
          let params = var::params in
          let asser = make_forall_list params [] asser in
          let asser = Goal(KAxiom,id_no_loc axiom_name,asser) in
          asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Goal(KAxiom,_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          define_frame_between notin ta_conv acc
      | _ -> Jc_options.lprintf "@[<hov 3>I can't translate that :@\n%a" 
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false


  let rec define_sub notin ta_conv acc = 
    match ta_conv with 
        (* Devrait peut-être utiliser la vrai transformation 
           d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,_,l)] -> 
        let name = (in_name notin f_name.name) in
        let var = ("jc_var",NotIn.ty notin) in
        let gen_case acc (ident,assertion) =
          let effects = inductive_extract_effect assertion in
          let effects = 
            List.filter (fun (s,_) -> not (s = select_name)) effects in
          let effects = List.filter (mem_are_compatible notin) effects in
          let rw seff lteff s lt =
            sub_interp_app (`App (seff,lteff)) notin (`App (s,lt)) in
          let nb = ref 0 in
          let rewrite acc (seff,lteff) = 
            incr nb;
            let assertion =
              LForall(fst var,snd var,[],
                      rewrite_inductive_case (rw seff lteff) assertion) in
            (ident^(string_of_int !nb), assertion) :: acc in
          List.fold_left rewrite acc effects in
        let name = ("Sub"^name) in
        let l = List.fold_left gen_case [] l in
        let constr acc (ident,assertion) = 
          Goal(KAxiom,id_no_loc (name^ident),assertion)::acc in
        let acc = List.fold_left constr acc l in
        acc
      | [Function (_,f_name,params,_,term)] ->
          let name = in_name notin f_name.name in
          Jc_options.lprintf "Generate logic notin (fun): %s :@." name;
          let acc = Logic(false,
                          id_no_loc name,
                          params,
                          NotIn.ty notin)::acc in
          let axiom_name = "axiom"^"_in_"^(NotIn.mem_name2 notin)^f_name.name in
          Jc_options.lprintf "Generate axiom notin : %s :@." axiom_name;
          let var = ("jc_var",NotIn.ty_elt notin) in
          let interp s lt = 
            if mem_are_compatible notin (s,lt)
            then in_interp_app var notin s lt
            else LFalse in
          let asser = term_interp_or interp term in
          let conclu = in_interp_app var notin f_name.name
            (List.map (fun (x,_) -> LVar x) params) in
          let asser = make_equiv asser conclu in
          let params = var::params in
          let asser = make_forall_list params [] asser in
          let asser = Goal(KAxiom,id_no_loc axiom_name,asser) in
          asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Goal(KAxiom,_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          define_sub notin ta_conv acc
      | _ -> Jc_options.lprintf "@[<hov 3>I can't translate that :@\n%a" 
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false
            
  let rec define_x_sub notin ta_conv acc = 
    match ta_conv with 
        (* Devrait peut-être utiliser la vrai transformation 
           d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,_,l)] -> 
        let name = (in_name notin f_name.name) in
        Jc_options.lprintf "Define logic in : %s :@." name;
        (* let acc = Logic(false, name, params, NotIn.ty notin)::acc in *)
        let var = ("jc_var",NotIn.ty notin) in
        let gen_case acc (ident,assertion) =
          let effects = inductive_extract_effect assertion in
          let effects = 
            List.filter (fun (s,_) -> not (s = select_name)) effects in
          let effects = List.filter (mem_are_compatible notin) effects in
          let rw seff lteff s lt =
            LImpl(sub_interp_app (`Var var) notin (`App (seff,lteff)),
                  sub_interp_app (`Var var) notin (`App (s,lt))) in
          let nb = ref 0 in
          let rewrite acc (seff,lteff) = 
            incr nb;
            let assertion =
              LForall(fst var,snd var,[],
                      rewrite_inductive_case (rw seff lteff) assertion) in
            (ident^(string_of_int !nb), assertion) :: acc in
          List.fold_left rewrite acc effects in
        let name = ("X_Sub"^name) in
        let l = List.fold_left gen_case [] l in
        let constr acc (ident,assertion) = 
          Goal(KAxiom,id_no_loc (name^ident),assertion)::acc in
        let acc = List.fold_left constr acc l in
        acc
      | [Function (_,f_name,params,_,term)] ->
          let name = in_name notin f_name.name in
          Jc_options.lprintf "Generate logic notin (fun): %s :@." name;
          let acc = Logic(false,
                          {f_name with name = name},
                          params,
                          NotIn.ty notin)::acc in
          let axiom_name = "axiom"^"_in_"^(NotIn.mem_name2 notin)^f_name.name in
          Jc_options.lprintf "Generate axiom notin : %s :@." axiom_name;
          let var = ("jc_var",NotIn.ty_elt notin) in
          let interp s lt = 
            if mem_are_compatible notin (s,lt)
            then in_interp_app var notin s lt
            else LFalse in
          let asser = term_interp_or interp term in
          let conclu = in_interp_app var notin f_name.name 
            (List.map (fun (x,_) -> LVar x) params) in
          let asser = make_equiv asser conclu in
          let params = var::params in
          let asser = make_forall_list params [] asser in
          let asser = Goal(KAxiom,id_no_loc axiom_name,asser) in
          asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Goal(KAxiom,_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          define_x_sub notin ta_conv acc
      | _ -> Jc_options.lprintf "@[<hov 3>I can't translate that :@\n%a" 
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false

  let rec define_sub_x notin ta_conv acc = 
    match ta_conv with 
      (* Devrait peut-être utiliser la vrai transformation 
         d'inductif en 1 unique axiom*)
      | [Inductive (_,f_name,_,l)] -> 
        let name = (in_name notin f_name.name) in
        let var = ("jc_var",NotIn.ty notin) in
        let gen_case acc (ident,assertion) =
          let effects = inductive_extract_effect assertion in
          let effects = List.filter (mem_are_compatible notin) effects in
          let rw s lt =
            List.fold_left (fun acc (seff,lteff) ->
              LImpl(sub_interp_app (`App (seff,lteff)) notin (`Var var),acc))
              (sub_interp_app  (`App (s,lt)) notin (`Var var)) effects in
          let rewrite acc = 
            let assertion =
              LForall(fst var,snd var,[],
                      rewrite_inductive_case rw assertion) in
            (ident, assertion) :: acc in
          rewrite acc in
        let name = ("Sub_X"^name) in
        let l = List.fold_left gen_case [] l in
        let constr acc (ident,assertion) = 
          Goal(KAxiom,id_no_loc (name^ident),assertion)::acc in
        let acc = List.fold_left constr acc l in
        acc
      | [Function (_,f_name,params,_,term)] ->
        let axiom_name = "axiom"^"_disj_"^(NotIn.mem_name2 notin)^f_name.name in
        Jc_options.lprintf "Generate axiom disj : %s :@." axiom_name;
        let var = ("jc_var",NotIn.ty notin) in
        let interp s lt = 
          if mem_are_compatible notin (s,lt)
          then disj_interp_app var notin s lt
          else LTrue in
        let asser = term_interp_and interp term in
        let conclu = disj_interp_app var notin f_name.name 
          (List.map (fun (x,_) -> LVar x) params) in
        let asser = make_equiv asser conclu in
        let params = var::params in
        let asser = make_forall_list params [] asser in
        let asser = Goal(KAxiom,id_no_loc axiom_name,asser) in
        asser::acc
      | [Logic(_bool,f_name,params,_ltype);
         Goal(KAxiom,_,ax_asser)] ->
          let rec extract_term = function
            | LForall (_,_,_,asser) -> extract_term asser
            | LPred("eq", [ _; b ]) -> b
            | _ -> assert false (* constructed by tr_fun_def *) in
          let term = extract_term ax_asser in
          let ta_conv = [Function (_bool,f_name,params,_ltype,term)] in
          define_sub_x notin ta_conv acc
      | _ -> Jc_options.lprintf "@[<hov 3>I can't translate that :@\n%a" 
          (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false

  let gen axiom_name f_name gen_framed in_update params framed_params =
    (* frame for one update *)
    let elt = "elt"^tmp_suffix in
    let elt_val = "elt_val"^tmp_suffix in
    let framed_normal_params = framed_params
      |> List.map fst in
    let framed_update_params = 
      let notin_mem_name = NotIn.mem_name in_update in
      List.map (fun name ->
	if name = notin_mem_name then
	  LApp("store",[LVar name;LVar elt;LVar elt_val])
	else LVar name
      ) framed_normal_params in
    let framed_normal_params = framed_normal_params
      |> List.map make_var in
    let params = params
      |> List.map fst 
      |> List.map make_var in
    let sepa = 
      LNot (MyBag.make_in (LVar elt) 
              (LApp (in_name in_update f_name,params))) in
    let a,trig = 
      match gen_framed with
        | `Pred gen_framed ->
            let pred_normal = gen_framed framed_normal_params in
            let pred_update = gen_framed framed_update_params in
            LImpl(pred_normal,pred_update),LPatP pred_update
        | `Term gen_framed ->
            let term_normal = gen_framed framed_normal_params in
            let term_update = gen_framed framed_update_params in
            make_eq term_normal term_update, LPatT term_update in
    let a = LImpl(sepa,a) in
    let a = make_forall_list framed_params [[trig]] a in
    let a = LForall (elt,NotIn.ty_elt in_update,[],
                     LForall (elt_val,NotIn.ty_elt_val in_update,[],a)) in
    let axiom_name = "axiom"^"_no_update_"^axiom_name^
      (NotIn.mem_name in_update) in
    Goal(KAxiom,id_no_loc axiom_name,a)

  let gen_many axiom_name f_name gen_framed notins params framed_params =
    (* frame for many update *)
    let mems = List.map (fun notin ->
      let mem_name = NotIn.mem_name notin in
      let ft = "ft"^mem_name^tmp_suffix in
      let mem1 = mem_name in
      let mem2 = mem_name^"2" in
      (ft,mem1,mem2,notin)) notins in
    let framed_normal_params = framed_params
      |> List.map fst in
    let rec assoc_default mem default = function
      | [] -> default
      | (_,mem1,mem2,_)::_ when mem = mem1 -> mem2
      | _::l -> assoc_default mem default l in
    let framed_update_params = 
      List.map (fun name -> LVar (assoc_default name name mems))
        framed_normal_params in
    let framed_normal_params = framed_normal_params
      |> List.map make_var in
    let params = params
      |> List.map fst 
      |> List.map make_var in
    let make_hyp (ft,mem1,mem2,notin) =
      let sepa1 = LPred(frame_between_name, [LVar ft;
                                             LVar mem2;
                                             LVar mem1]) in
      let sepa2 = LPred(disj_pred,[LVar ft; 
                                   LApp(in_name notin f_name,params)]) in
      (sepa1,sepa2) in
    let hyps = List.map make_hyp mems in
    let impls = List.fold_left 
      (fun acc (sepa1,sepa2) -> sepa1::sepa2::acc) [] hyps in
    let conclu,trig = 
      match gen_framed with
        | `Pred gen_framed ->
            let pred_normal = gen_framed framed_normal_params in
            let pred_update = gen_framed framed_update_params in
            LImpl(pred_normal,pred_update),LPatP pred_update
        | `Term gen_framed ->
            let term_normal = gen_framed framed_normal_params in
            let term_update = gen_framed framed_update_params in
            make_eq term_normal term_update, LPatT term_update in
    let a = make_impl_list conclu impls  in
    let trigs = List.fold_left 
      (fun acc (sepa1,_) -> (LPatP sepa1)::acc) [trig] hyps in
    let a = make_forall_list framed_params [trigs] a in
    let make_foralls acc (ft,_,mem2,notin) =
      (ft,NotIn.ty notin)::(mem2,notin.NotIn.ty_mem)::acc in
    let foralls = List.fold_left make_foralls [] mems in
    let a = make_forall_list foralls [] a in
    let axiom_name = "axiom"^"_no_frame_"^axiom_name^
      (String.concat "_"
         (List.map (fun (_,_,_,notin) -> NotIn.mem_name notin) mems))
    in
    Goal(KAxiom,id_no_loc axiom_name,a)

    

  let def_frame_in f_name notin params acc notin_updates =
    let in_name = in_name notin f_name in
    let gen_framed = `Term (fun params -> LApp(in_name,params)) in
    let acc = List.fold_left 
        (fun acc notin_update -> 
         (gen in_name f_name gen_framed notin_update params params) ::acc)
        acc notin_updates in
    let acc = List.fold_all_part 
      (fun acc part -> match part with | [] -> acc (* trivial axiom *)
        | notin_updates ->
          gen_many in_name f_name gen_framed notin_updates params params ::acc)
      acc notin_updates in
    acc

  (** framed_name must have the same param than f_name *)
  let def_frame framed_name is_pred f_name params acc notin_updates =
    let gen_framed =
      if is_pred
      then `Pred (fun params -> LPred(framed_name,params))
      else `Term (fun params -> LApp(framed_name,params)) in
    let acc = List.fold_left
      (fun acc notin_update ->
        (gen framed_name f_name gen_framed notin_update params params)::acc) 
      acc notin_updates in
    let acc = List.fold_all_part 
      (fun acc part -> match part with | [] -> acc (* trivial axiom *)
        | notin_updates ->
          gen_many framed_name f_name gen_framed notin_updates params params ::acc)
      acc notin_updates in
    acc
       
  let in_for_in f_name args notin framed acc =
    let name = in_name notin f_name in
    let acc = Logic(false, id_no_loc name, args, NotIn.ty notin)::acc in
    let var = ("jc_var",NotIn.ty_elt notin) in
    let conjs = List.map 
      (fun (f,params) ->
         (in_interp_app var notin f.jc_logic_info_name
            (List.map (fun (x,_) -> LVar x) params)))
      framed in
    let code = make_and_list conjs in
    let conclu = in_interp_app var notin f_name
      (List.map (fun (x,_) -> LVar x) args) in
    let code = make_equiv code conclu in
    let code = make_forall_list (var::args) [] code in
    let axiom_name = name^"_def" in
    Goal(KAxiom,id_no_loc axiom_name,code)::acc          

  let disj_for_in f_name args notin framed acc =
    let name = in_name notin f_name in
    let var = ("jc_var",NotIn.ty notin) in
    let conjs = List.map 
      (fun (f,params) ->
         (disj_interp_app var notin f.jc_logic_info_name
            (List.map (fun (x,_) -> LVar x) params)))
      framed in
    let code = make_and_list conjs in
    let conclu = disj_interp_app var notin f_name
      (List.map (fun (x,_) -> LVar x) args) in
    let code = make_equiv code conclu in
    let code = make_forall_list (var::args) [] code in
    let axiom_name = name^"_disj_def" in
    Goal(KAxiom,id_no_loc axiom_name,code)::acc          

  let x_sub_for_in f_name args notin framed acc =
    let name = in_name notin f_name in
    let var = ("jc_var",NotIn.ty notin) in
    let conjs = List.map 
      (fun (f,params) ->
         (sub_interp_app (`Var var) notin (`App (f.jc_logic_info_name,
            (List.map (fun (x,_) -> LVar x) params)))))
      framed in
    let code = make_and_list conjs in
    let conclu = sub_interp_app (`Var var) notin (`App (f_name,
      (List.map (fun (x,_) -> LVar x) args))) in
    let code = make_equiv code conclu in
    let code = make_forall_list (var::args) [] code in
    let axiom_name = name^"_x_sub_def" in
    Goal(KAxiom,id_no_loc axiom_name,code)::acc          

  let sub_x_for_in f_name args notin framed acc =
    let name = in_name notin f_name in
    let var = ("jc_var",NotIn.ty notin) in
    let conjs = List.map 
      (fun (f,params) ->
         (sub_interp_app  (`App (f.jc_logic_info_name,
            (List.map (fun (x,_) -> LVar x) params)))) notin (`Var var))
      framed in
    let code = make_and_list conjs in
    let conclu = sub_interp_app (`App (f_name,
      (List.map (fun (x,_) -> LVar x) args))) notin (`Var var) in
    let code = make_equiv code conclu in
    let code = make_forall_list (var::args) [] code in
    let axiom_name = name^"_sub_x_def" in
    Goal(KAxiom,id_no_loc axiom_name,code)::acc 


end

let lemma_disjoint_cases ta_conv acc =
  match ta_conv with
    | [Inductive (_,f_name,params,l)] ->
      let rec link_by_implication args cases = function
        | LForall (s,ty,_,f) ->
          LForall(s,ty,[],link_by_implication args cases f)
        | LImpl(f1,f2) -> LImpl(f1,link_by_implication args cases f2)
        | LPred(s,lt) when f_name.name = s ->
          let equalities = List.map2 (fun (a1,_) a2 -> make_eq (LVar a1) a2)
            args lt in
          LImpl (make_and_list equalities,each_case args cases)
        | _ -> failwith "Inductive must be forall x,.. Pn -> ... -> P1"
      and each_case args = function
        | [] -> LFalse
        | (_,assertion)::cases -> link_by_implication args cases assertion in
      let args = List.map (fun (s,ty) -> (s^tmp_suffix,ty)) params in
      let condition = make_forall_list args [] (each_case args l) in
      let goal_name = f_name.name^"_disjoint_case" in
      Goal(KGoal,id_no_loc goal_name,condition)::acc
    | _ -> Jc_options.lprintf "@[<hov 3>I can't translate that :@\n%a"
      (Pp.print_list Pp.newline fprintf_why_decl) ta_conv;assert false


        

    
let tr_params_usual_model f =
  let usual_params,model_params = tr_params_usual_model_aux f in
  let params = usual_params @ model_params in
  params
 
let tr_logic_fun_aux f ta acc =

  if Jc_options.debug then
    Format.printf "[interp] logic function %s@." f.jc_logic_info_final_name;

  let lab = 
    match f.jc_logic_info_labels with [lab] -> lab | _ -> LabelHere
  in     

  let fa = 
    assertion ~type_safe:false ~global_assertion:true ~relocate:false lab lab 
  in
  let ft =
    term ~type_safe:false ~global_assertion:true ~relocate:false lab lab 
  in
  let term_coerce = term_coerce ~type_safe:false ~global_assertion:true lab in

  let params = tr_params_usual_model f in
  (* definition of the function *)
  let fun_def = fun_def f ta fa ft term_coerce params in
  let acc = fun_def@acc in

  (* no_update axioms *)
  let acc = gen_no_update_axioms f ta fa ft term_coerce params acc in

  (* no_assign axioms *)
  let acc = gen_no_assign_axioms f ta fa ft term_coerce params acc in

  (* alloc_extend axioms *)
  (*let acc = gen_alloc_extend_axioms f ta fa ft term_coerce params acc in*)

  (* generation of ft *)
  let acc =
    if Jc_options.gen_frame_rule_with_ft 
    then
      let acc = if Hashtbl.mem pragma_gen_sep f.jc_logic_info_tag
      then begin
        (* use_predicate *)
        let (_,which) = Hashtbl.find pragma_gen_sep f.jc_logic_info_tag in
        let todos =
          Hashtbl.find_all predicates_to_generate f.jc_logic_info_tag in
        let fold acc = function
          | `Logic (f,_,params) -> (f,make_args ~parameters:params f) ::acc
          | `Pointer _ -> acc in
        let framed = List.fold_left fold [] which in
        let args = make_args f in
        let print_todo fmt = function
          | (`In,_) -> fprintf fmt "in"
          | (`Disj,_) -> fprintf fmt "disj" in
        Jc_options.lprintf "user predicate %s asks to generate : %a@."
          f.jc_logic_info_name (Pp.print_list Pp.comma print_todo) todos;
        let make_todo acc (todo,notin) =
          match todo with
            | `In ->
              let fname = f.jc_logic_info_name in
              let acc = 
                InDisj.in_for_in fname args notin framed acc in
              let acc = 
                InDisj.x_sub_for_in fname args notin framed acc in
              let acc = 
                InDisj.sub_x_for_in fname args notin framed acc in
              acc
            | `Disj ->
              InDisj.disj_for_in f.jc_logic_info_name args notin framed acc in
        let acc = List.fold_left make_todo acc todos in
        acc
      end
      else begin 
        let f_name = f.jc_logic_info_final_name in
        let todos = 
          Hashtbl.find_all predicates_to_generate f.jc_logic_info_tag in
        let filter_notin acc = function
          | (`In , notin) -> notin::acc
          | _ -> acc in
        (* notin_updates is used to create the frames axioms *)
        let notin_updates = List.fold_left filter_notin [] todos in
        let print_todo fmt = function
           | (`Disj,_) -> fprintf fmt "disj"
           | (`In,_) -> fprintf fmt "in" in
        Jc_options.lprintf "%s asks to generate : %a@." 
          f_name (Pp.print_list Pp.comma print_todo) todos;
        let acc = if todos = [] then acc else
            lemma_disjoint_cases fun_def acc in
        let make_todo acc (todo,notin) =
          match todo with
            | `In -> 
                let acc = InDisj.define_In notin fun_def acc in
                let acc = InDisj.define_frame_between notin fun_def acc in
                let acc = InDisj.define_sub notin fun_def acc in
                let acc = InDisj.define_x_sub notin fun_def acc in
                let acc = InDisj.define_sub_x notin fun_def acc in
                let acc = InDisj.define_sub notin fun_def acc in
                let acc = 
                  InDisj.def_frame_in f_name notin params acc notin_updates in
                acc
            | `Disj -> 
                let acc = InDisj.define_disj notin fun_def acc  in
                acc in
        let acc = List.fold_left make_todo acc todos in
        let is_pred = f.jc_logic_info_result_type = None in
        InDisj.def_frame f_name is_pred f_name params acc notin_updates
      end in
      if Hashtbl.mem Jc_typing.pragma_gen_same f.jc_logic_info_tag then
        let f_name = f.jc_logic_info_final_name in
        let mirror =
          Hashtbl.find Jc_typing.pragma_gen_same f.jc_logic_info_tag in
        let mirror_name = mirror.jc_logic_info_final_name in
        let todos =
          Hashtbl.find_all predicates_to_generate mirror.jc_logic_info_tag in
        let filter_notin acc = function
          | (`In , notin) -> notin::acc
          | _ -> acc in
        (* notin_updates is used to create the frames axioms *)
        let notin_updates = List.fold_left filter_notin [] todos in
        Jc_options.lprintf "Frame of %s using footprint of %s@."
          f_name mirror_name;
        let is_pred = f.jc_logic_info_result_type = None in
        InDisj.def_frame f_name is_pred mirror_name params acc notin_updates
      else acc
    else acc in
  acc


(*   (\* full_separated axioms. *\) *)
(*   let sep_preds =  *)
(*     List.fold_left (fun acc vi -> *)
(*       match vi.jc_var_info_type with *)
(*         | JCTpointer(st,_,_) ->  *)
(*             LPred("full_separated",[LVar "tmp"; 
               LVar vi.jc_var_info_final_name]) *)
(*             :: acc *)
(*         | _ -> acc *)
(*     ) [] li.jc_logic_info_parameters *)
(*   in *)
(*   if List.length sep_preds = 0 then acc else *)
(*     let params_names = List.map fst params_reads in *)
(*     let normal_params = List.map (fun name -> LVar name) params_names in *)
(*     MemoryMap.fold (fun (mc,r) labels acc -> *)
(*       let update_params =  *)
(*         List.map (fun name -> *)
(*           if name = memory_name(mc,r) then *)
(*             LApp("store",[LVar name;LVar "tmp";LVar "tmpval"]) *)
(*           else LVar name *)
(*         ) params_names *)
(*       in *)
(*       let a =  *)
(*         match li.jc_logic_info_result_type with *)
(*           | None -> *)
(*               LImpl( *)
(*                 make_and_list sep_preds, *)
(*                 LIff( *)
(*                   LPred(li.jc_logic_info_final_name,normal_params), *)
(*                   LPred(li.jc_logic_info_final_name,update_params))) *)
(*           | Some rety -> *)
(*               LImpl( *)
(*                 make_and_list sep_preds, *)
(*                 LPred("eq",[ *)
(*                   LApp(li.jc_logic_info_final_name,normal_params); *)
(*                   LApp(li.jc_logic_info_final_name,update_params)])) *)
(*       in *)
(*       let a =  *)
(*         List.fold_left (fun a (name,ty) -> LForall(name,ty,a)) 
           a params_reads *)
(*       in *)
(*       let structty = match mc with  *)
(*         | FVfield fi -> JCtag(fi.jc_field_info_struct, []) *)
(*         | FVvariant vi -> JCvariant vi *)
(*       in *)
(*       let basety = match mc with *)
(*         | FVfield fi -> tr_base_type fi.jc_field_info_type *)
(*         | FVvariant vi ->  *)
(*             if integral_union vi then why_integer_type else *)
(*               simple_logic_type (union_memory_type_name vi) *)
(*       in *)
(*       let a =  *)
(*         LForall( *)
(*           "tmp",pointer_type structty, *)
(*           LForall( *)
(*             "tmpval",basety, *)
(*             a)) *)
(*       in *)
(*       let mcname = match mc with *)
(*         | FVfield fi -> fi.jc_field_info_name *)
(*         | FVvariant vi -> vi.jc_root_info_name *)
(*       in *)
(*       Axiom( *)
(*         "full_separated_" ^ li.jc_logic_info_name ^ "_" ^ mcname, *)
(*         a) :: acc *)
(*     ) li.jc_logic_info_effects.jc_effect_memories acc *)


let tr_logic_fun ft ta acc = tr_logic_fun_aux ft ta acc

(*
  Local Variables: 
  compile-command: "unset LANG; make -C .. bin/jessie.byte"
  End: 
*)
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_callgraph.mli������������������������������������������������������������������������0000644�0001750�0001750�00000006040�12311670312�014325� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

val compute_logic_calls : 
  Jc_fenv.logic_info -> Jc_fenv.term_or_assertion -> unit
(** (compute_logic_calls f t) adds to the set of known calls of logic function 
    f the logic calls that occur in t
*)

val compute_calls : 
  Jc_fenv.fun_info -> Jc_fenv.fun_spec -> Jc_constructors.expr -> unit
(** (compute_calls f spec body) adds to the set of known calls of
     program f the logic calls that occur in spec and the program
     calls that occur in body
*)

val compute_logic_components :   
  (Jc_fenv.logic_info * Jc_fenv.term_or_assertion)
  Jc_pervasives.IntHashtblIter.t 
  -> Jc_fenv.logic_info list array

val compute_components :   
  (Jc_fenv.fun_info * Loc.position * Jc_fenv.fun_spec * Jc_fenv.expr option) 
  Jc_pervasives.IntHashtblIter.t 
  -> Jc_fenv.fun_info list array
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_frame.mli����������������������������������������������������������������������������0000644�0001750�0001750�00000005070�12311670312�013464� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


(** {1 Frame ??} *)

val compute_needed_predicates: unit -> unit

val tr_logic_fun :
  Jc_fenv.logic_info ->
  Jc_fenv.logic_info Jc_ast.term_or_assertion ->
  Output.why_decl list -> Output.why_decl list


(*
  Local Variables: 
  compile-command: "unset LANG; make -j -C .. bin/jessie.byte"
  End: 
*)
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_annot_fail.ml������������������������������������������������������������������������0000644�0001750�0001750�00000004651�12311670312�014337� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

let fail _ = failwith "Not compiled with --enable-apron."

let normalize_expr = fail

let code_function = fail

let main_function = fail

let is_recursive = fail
���������������������������������������������������������������������������������������why-2.34/jc/jc_type_var.mli�������������������������������������������������������������������������0000644�0001750�0001750�00000010414�12311670312�014221� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_env

(** Type variables: unification, generalization, ... *)

(** The type of type variables. *)
type t = type_var_info

(** Obtain a fresh type variable. *)
val type_var_from_string: ?univ:bool -> string -> t
(** Univ set if the variable is universally quantified (prenex)
    The argument is the name of the variable.
It can be anything, it shall only be used for pretty-printing purposes. *)

(** Unique ID of a variable, different for each variable, even if it is
quantified. *)
val uid: t -> int

(** The name of a variable, which should only be used for
pretty-printing purposes. *)
val name: t -> string

(** The unique name of a variable, which is composed of its name and its UID. *)
val uname: t -> string

(** The environnement of unification *)
type env

(** The type of function used in case of unification error *)
type typing_error = {f : 'a. Loc.position -> ('a, Format.formatter, unit, unit) format4 -> 'a}

val create : typing_error -> env
val reset : env -> unit

(** Add a universally quantified type var to substitute with the string
    invalid_argument is raised if the string is yet bind *)
val add_type_var : env -> string -> t

(** Try to get a universally quantified var from a string 
    Not_found is raised if there is no binding*)
val find_type_var : env -> string -> t

(** Add an equality for unification of logic type variable*)
val add : ?subtype:bool -> env ->  Loc.position -> jc_type -> jc_type -> unit

val subst : env -> jc_type -> jc_type

(** Get instances of a list of type variables, 
    return a substitution function *)
val instance : t list -> (jc_type -> jc_type)

(** Print the set of universally quantified type variables,
    and the set of equalities *)
val print : Format.formatter -> env -> unit

(** Substitute in an assertion the type variable which are in
    the environnement env *)
val subst_type_in_assertion : 
  env -> 
  Jc_fenv.logic_info Jc_ast.assertion -> 
  Jc_fenv.logic_info Jc_ast.assertion

(*
Local Variables: 
compile-command: "unset LANG ; make -C .. byte"
End: 
*)
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_struct_tools.ml����������������������������������������������������������������������0000644�0001750�0001750�00000022553�12311670312�014772� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Jc_name
open Jc_pervasives
open Jc_env
open Jc_envset

let alloc_class_of_mem_class = function
  | JCmem_field fi -> JCalloc_root (struct_root fi.jc_field_info_struct)
  | JCmem_plain_union vi -> JCalloc_root vi
  | JCmem_bitvector -> JCalloc_bitvector

let alloc_class_of_pointer_class = function
  | JCtag(st,_) -> JCalloc_root (struct_root st)
  | JCroot vi -> JCalloc_root vi

let variant_of_alloc_class = function
  | JCalloc_root vi -> vi
  | JCalloc_bitvector -> assert false (* no variant *)

let variant_of_mem_class = variant_of_alloc_class $ alloc_class_of_mem_class

(* keep the pointers only and return their pointer_class *)
let fields_pointer_class = List.flatten $
  (List.map
     (fun fi -> match fi.jc_field_info_type with
	| JCTpointer(pc, _, _) -> [pc]
	| _ -> []))

let embedded_field fi = 
  match fi.jc_field_info_type with
    | JCTpointer(_fpc, Some _fa, Some _fb) -> true
    | _ -> false

(* TODO !!!!!!!!!!!!!
   add fields of parent 
*)

let field_offset fi =
  let st = fi.jc_field_info_struct in
  let off,counting = 
    List.fold_left (fun (off,counting) fi' ->
		      if counting then
			if fi.jc_field_info_tag = fi'.jc_field_info_tag then
			  off,false
			else
			  off + (match fi'.jc_field_info_bitsize 
				 with Some v -> v
				   | None -> assert false)
				   , counting
		      else
			off,counting
		   ) (0,true) st.jc_struct_info_fields
  in 
  assert (not counting);
  off

let field_offset_in_bytes fi =
  let off = field_offset fi in
  if off mod 8 = 0 then Some(off/8) else None

let field_type_has_bitvector_representation fi =
  match fi.jc_field_info_type with
    | JCTenum _ 
    | JCTpointer _ -> true
    | JCTnative _
    | JCTlogic _
    | JCTnull
    | JCTany
    | JCTtype_var _ -> false

let struct_fields st =
  let rec aux acc st =
    let acc = st.jc_struct_info_fields @ acc in
    match st.jc_struct_info_parent with
      | None -> acc
      | Some(st',_) -> aux acc st'
  in
  aux [] st

let struct_has_size st =
  not (List.exists 
	 (fun fi -> fi.jc_field_info_bitsize = None) 
	 (struct_fields st))

let struct_size st =
  match List.rev st.jc_struct_info_fields with
    | [] -> 0
    | last_fi::_ -> 
	match last_fi.jc_field_info_bitsize with
	  | None -> assert false
	  | Some fi_siz -> field_offset last_fi + fi_siz

let struct_size_in_bytes st =
  let s = struct_size st in
  assert (s mod 8 = 0);
  s/8

let rec all_fields acc = function
  | JCroot _vi -> acc
  | JCtag ({ jc_struct_info_parent = Some(p, pp) } as st, _) ->
      all_fields (st.jc_struct_info_fields @ acc) (JCtag(p, pp))
  | JCtag ({ jc_struct_info_parent = None } as st, _) ->
      st.jc_struct_info_fields @ acc

let all_fields = all_fields []

let rec all_memories select forbidden acc pc =
  match pc with
    | JCtag(st,_) as pc ->
	if StringSet.mem st.jc_struct_info_name forbidden then
	  acc
	else
	  let fields = List.filter select (all_fields pc) in
	  let mems = List.map (fun fi -> JCmem_field fi) fields in
	  (* add the fields to our list *)
	  let acc = 
	    List.fold_left
	      (fun acc mc -> StringMap.add (memory_class_name mc) mc acc)
	      acc mems
	  in
	  (* continue recursively on the fields *)
	  let forbidden = StringSet.add st.jc_struct_info_name forbidden in
	  List.fold_left
	    (all_memories select forbidden) acc (fields_pointer_class fields)
    | JCroot rt ->
	match rt.jc_root_info_kind with
	  | Rvariant -> acc
	  | RdiscrUnion ->
	      List.fold_left
		(all_memories select forbidden) acc
		(List.map (fun st -> JCtag(st,[])) rt.jc_root_info_hroots)
	  | RplainUnion ->
	      let mc = JCmem_plain_union rt in
	      StringMap.add (memory_class_name mc) mc acc

let all_memories ?(select = fun _ -> true) pc =
  Jc_options.lprintf "all_memories(%s):@." (Jc_output_misc.pointer_class pc);
  let map = all_memories select StringSet.empty StringMap.empty pc in
  let list = List.rev (StringMap.fold (fun _ ty acc -> ty::acc) map []) in
  Jc_options.lprintf "  Found %n memories.@." (List.length list);
  list

let rec all_types select forbidden acc pc =
  Jc_options.lprintf "  all_types(%s)@." (Jc_output_misc.pointer_class pc);
  match pc with
    | JCtag(st, _) as pc ->
	if StringSet.mem st.jc_struct_info_name forbidden then
	  acc
	else
	  let vi = struct_root st in
	  let forbidden = StringSet.add st.jc_struct_info_name forbidden in
	  List.fold_left
	    (all_types select forbidden)
	    (StringMap.add vi.jc_root_info_name vi acc)
	    (fields_pointer_class (List.filter select (all_fields pc)))
    | JCroot vi ->
	StringMap.add vi.jc_root_info_name vi acc

let all_types ?(select = fun _ -> true) pc =
  Jc_options.lprintf "all_types(%s):@." (Jc_output_misc.pointer_class pc);
  let map = all_types select StringSet.empty StringMap.empty pc in
  let list = List.rev (StringMap.fold (fun _ ty acc -> ty::acc) map []) in
  Jc_options.lprintf "  Found %n types.@." (List.length list);
  list

let fully_allocated fi =
  match fi.jc_field_info_type with
    | JCTpointer(_, Some _, Some _) -> true
    | JCTpointer(_, None, Some _)
    | JCTpointer(_, Some _, None)
    | JCTpointer(_, None, None)
    | JCTnull
    | JCTenum _
    | JCTlogic _
    | JCTnative _
    | JCTany -> false
    | JCTtype_var _ -> assert false (* TODO: need environment *)

let rec all_allocs select forbidden acc pc =
  match pc with
    | JCtag(st,_) as pc ->
	if StringSet.mem st.jc_struct_info_name forbidden then
	  acc
	else
	  let ac = JCalloc_root (struct_root st) in
	  let forbidden = StringSet.add st.jc_struct_info_name forbidden in
	  List.fold_left
	    (all_allocs select forbidden)
	    (StringMap.add (alloc_class_name ac) ac acc)
	    (fields_pointer_class (List.filter select (all_fields pc)))
    | JCroot rt ->
	let ac = JCalloc_root rt in
	let acc = StringMap.add (alloc_class_name ac) ac acc in
	match rt.jc_root_info_kind with
	  | Rvariant 
	  | RplainUnion -> acc
	  | RdiscrUnion -> 
	      List.fold_left
		(all_allocs select forbidden) acc
		(List.map (fun st -> JCtag(st,[])) rt.jc_root_info_hroots)

let all_allocs ?(select = fun _ -> true) pc =
  Jc_options.lprintf "all_allocs(%s):@." (Jc_output_misc.pointer_class pc);
  let map = 
    all_allocs select StringSet.empty StringMap.empty pc
  in
  let list = List.rev (StringMap.fold (fun _ ty acc -> ty::acc) map []) in
  Jc_options.lprintf "  Found %n allocs.@." (List.length list);
  list

let rec all_tags select forbidden acc pc =
  match pc with
    | JCtag(st,_) as pc ->
	if StringSet.mem st.jc_struct_info_name forbidden then
	  acc
	else
	  let vi = struct_root st in
	  let forbidden = StringSet.add st.jc_struct_info_name forbidden in
	  List.fold_left
	    (all_tags select forbidden)
	    (StringMap.add vi.jc_root_info_name vi acc)
	    (fields_pointer_class (List.filter select (all_fields pc)))
    | JCroot vi ->
	StringMap.add vi.jc_root_info_name vi acc

let all_tags ?(select = fun _ -> true) pc =
  Jc_options.lprintf "all_tags(%s):@." (Jc_output_misc.pointer_class pc);
  let map = 
    all_tags select StringSet.empty StringMap.empty pc
  in
  let list = List.rev (StringMap.fold (fun _ ty acc -> ty::acc) map []) in
  Jc_options.lprintf "  Found %n tags.@." (List.length list);
  list


(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)

�����������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_envset.ml����������������������������������������������������������������������������0000644�0001750�0001750�00000021570�12311670312�013530� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_stdlib
open Jc_env

module type OrderedType =
sig
  type t
  val equal : t -> t -> bool
  val compare : t -> t -> int
end

module type OrderedHashedType =
sig
  type t
  val equal : t -> t -> bool
  val compare : t -> t -> int
  val hash : t -> int
end

module ChoiceOrd(A : OrderedHashedType)(B : OrderedHashedType) =
struct
  type t = A of A.t | B of B.t
  let equal = function
    | A a1,A a2 -> A.equal a1 a2
    | B b1,B b2 -> B.equal b1 b2
    | _ -> false
  let compare = function
    | A a1,A a2 -> A.compare a1 a2
    | B b1,B b2 -> B.compare b1 b2
    | A _,_ -> 1
    | B _,_ -> -1
  let hash = function
    | A a -> A.hash a
    | B b -> B.hash b
end

module StringSet = Set.Make(String)

module StringMap = Map.Make(String)

(* used names (in order to rename identifiers when necessary) *)
let used_names = Hashtbl.create 97

let mark_as_used x = 
  Hashtbl.add used_names x ()

let () = 
  List.iter mark_as_used 
    [ (* Why keywords *)
      "absurd"; "and"; "array"; "as"; "assert"; "axiom"; "begin";
      "bool"; "do"; "done"; "else"; "end"; "exception"; "exists";
      "external"; "false"; "for"; "forall"; "fun"; "function"; "goal";
      "if"; "in"; "int"; "invariant"; "label"; "let"; "logic"; "not";
      "of"; "or"; "parameter"; "predicate"; "prop"; "raise"; "raises";
      "reads"; "real"; "rec"; "ref"; "result"; "returns"; "then"; "true"; "try";
      "type"; "unit"; "variant"; "void"; "while"; "with"; "writes"; "init";
      (* Why prelude *)
      "exp" ; "log" ; "sin" ; "cos" ; "tan" ; "sqr_real" ; "atan" ; 
      (* jessie generated names *)
      "shift"
      (* "global" ; "alloc"  *)
    ]

let is_used_name n = Hashtbl.mem used_names n

let use_name ?local_names n = 
  if is_used_name n then raise Exit; 
  begin match local_names with 
    | Some h -> if StringSet.mem n h then raise Exit 
    | None -> () 
  end;
  mark_as_used n;
  n

let rec next_name ?local_names n i = 
  let n_i = n ^ "_" ^ string_of_int i in
  try use_name ?local_names n_i 
  with Exit -> next_name ?local_names n (succ i)

let get_unique_name ?local_names n = 
  try use_name ?local_names n 
  with Exit -> next_name ?local_names n 0

let is_pointer_type t =
  match t with
    | JCTnull -> true
    | JCTpointer _ -> true
    | _ -> false

let is_nonnull_pointer_type t =
  match t with
    | JCTpointer _ -> true
    | _ -> false

let is_integral_type = function
  | JCTnative Tinteger -> true
  | JCTenum _ -> true 
  | JCTnative _ | JCTlogic _ | JCTpointer _ | JCTnull | JCTany
  | JCTtype_var _ -> false

let is_embedded_field fi =
  match fi.jc_field_info_type with
    | JCTpointer(_,Some _,Some _) -> true
    | _ -> false

module type Tag =
  sig
    type t
    val tag_of_val : t -> int
  end

module OrderedHashedTypeOfTag (X:Tag) : OrderedHashedType with type t = X.t =
struct
  type t = X.t
  let compare v1 v2 = Pervasives.compare (X.tag_of_val v1) (X.tag_of_val v2)
  let equal v1 v2 = (X.tag_of_val v1) = (X.tag_of_val v2)
  let hash v = Hashtbl.hash (X.tag_of_val v)
end

module VarOrd = OrderedHashedTypeOfTag 
  (struct type t = var_info
          let tag_of_val x = x.jc_var_info_tag
   end)

module VarSet = Set.Make(VarOrd)

module VarMap = Map.Make(VarOrd)

module StructOrd =
  struct type t = struct_info
	 let compare st1 st2 = 
	   Pervasives.compare 
	     st1.jc_struct_info_name st2.jc_struct_info_name
	 let equal st1 st2 =
	   st1.jc_struct_info_name = st2.jc_struct_info_name
	 let hash st =
	   Hashtbl.hash st.jc_struct_info_name 
  end

module StructSet = Set.Make(StructOrd)

module StructMap = Map.Make(StructOrd)

module VariantOrd = struct
  type t = root_info
  let compare v1 v2 = 
    Pervasives.compare v1.jc_root_info_name v2.jc_root_info_name
  let equal v1 v2 =
    v1.jc_root_info_name = v2.jc_root_info_name
  let hash v =
    Hashtbl.hash v.jc_root_info_name 
end

module VariantSet = Set.Make(VariantOrd)

module VariantMap = Map.Make(VariantOrd)

module FieldOrd =  OrderedHashedTypeOfTag 
  (struct type t = field_info
          let tag_of_val x = x.jc_field_info_tag
   end)

module FieldSet = Set.Make(FieldOrd)

module FieldMap = Map.Make(FieldOrd)
module FieldTable = Hashtbl.Make(FieldOrd)

module MemClass = 
struct
  type t = mem_class
  let equal fv1 fv2 = match fv1,fv2 with
    | JCmem_field a1,JCmem_field a2 -> FieldOrd.equal a1 a2
    | JCmem_plain_union b1,JCmem_plain_union b2 -> VariantOrd.equal b1 b2
    | JCmem_bitvector,JCmem_bitvector -> true
    | _ -> false
  let compare fv1 fv2 = match fv1,fv2 with
    | JCmem_field a1,JCmem_field a2 -> FieldOrd.compare a1 a2
    | JCmem_plain_union b1,JCmem_plain_union b2 -> VariantOrd.compare b1 b2
    | JCmem_bitvector,JCmem_bitvector -> 0
    | JCmem_field _,_ -> 1
    | _,JCmem_field _ -> -1
    | JCmem_plain_union _,_ -> 1
    | _,JCmem_plain_union _ -> -1
  let hash = function
    | JCmem_field a -> FieldOrd.hash a
    | JCmem_plain_union b -> VariantOrd.hash b
    | JCmem_bitvector -> 0
end

module MemClassSet = Set.Make(MemClass)

module AllocClass = 
struct
  type t = alloc_class
  let equal fv1 fv2 = match fv1,fv2 with
    | JCalloc_root st1,JCalloc_root st2 -> VariantOrd.equal st1 st2
    | JCalloc_bitvector,JCalloc_bitvector -> true
    | _ -> false
  let compare fv1 fv2 = match fv1,fv2 with
    | JCalloc_root a1,JCalloc_root a2 -> VariantOrd.compare a1 a2
    | JCalloc_bitvector,JCalloc_bitvector -> 0
    | JCalloc_root _,_ -> 1
    | _,JCalloc_root _ -> -1
  let hash = function
    | JCalloc_root a -> VariantOrd.hash a
    | JCalloc_bitvector -> 0
end

(* TODO: take into account type parameters *)
module PointerClass = 
struct
  type t = pointer_class
  let equal fv1 fv2 = match fv1,fv2 with
    | JCtag(st1,_),JCtag(st2,_) -> StructOrd.equal st1 st2
    | JCroot vi1,JCroot vi2 -> VariantOrd.equal vi1 vi2
    | _ -> false
  let compare fv1 fv2 = match fv1,fv2 with
    | JCtag(a1,_),JCtag(a2,_) -> StructOrd.compare a1 a2
    | JCroot b1,JCroot b2 -> VariantOrd.compare b1 b2
    | JCtag _,_ -> 1
    | _,JCtag _ -> -1
  let hash = function
    | JCtag(a,_) -> StructOrd.hash a
    | JCroot b -> VariantOrd.hash b
end

module ExceptionOrd =  OrderedHashedTypeOfTag 
  (struct type t = exception_info
          let tag_of_val x = x.jc_exception_info_tag
   end)  

module ExceptionSet = Set.Make(ExceptionOrd)

module ExceptionMap = Map.Make(ExceptionOrd)

module LogicLabelOrd =
  struct type t = label
	 let compare = (Pervasives.compare : label -> label -> int)
  end

module LogicLabelSet = Set.Make(LogicLabelOrd)

module TypeVarOrd = OrderedHashedTypeOfTag 
  (struct type t = type_var_info
          let tag_of_val x = x.jc_type_var_info_tag
   end)

module TypeVarMap = Map.Make(TypeVarOrd)

(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
����������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_control_flow.ml����������������������������������������������������������������������0000644�0001750�0001750�00000011024�12311670312�014724� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


(* control-flow graph *)

open Jc_ast

type node_info =
    | Statement of expr
    | FunctionExit

type node =
    {
      node_label : int;
      node_statement : node_info;
    }


module NodeComp =
struct
  type t = node
  let compare n1 n2 = Pervasives.compare n1.node_label n2.node_label 
  let hash n = n.node_label
  let equal n1 n2 = n1.node_label = n2.node_label
end

module EdgeOrd =
struct
  type t = Forward | BackEdge
  let compare = Pervasives.compare
  let default = Forward
end

module G = 
  Graph.Imperative.Digraph.ConcreteLabeled(NodeComp)(EdgeOrd)

let node_counter = ref 0

let new_node_gen s =
  incr node_counter;
  { node_label = !node_counter; 
    node_statement = s }

let new_node s = new_node_gen (Statement s)

let rec statement g fun_exit_node s =
  match s.jc_statement_node with
    | JCSreturn_void
    | JCSreturn _ -> 
	let n = new_node s in
	G.add_vertex g n;
	G.add_edge g n fun_exit_node;
	n,[]
    | JCSif (e, s1, s2) ->
	let n = new_node s in
	G.add_vertex g n;
	let entry1,exits1 = statement g fun_exit_node s1 in
	let entry2,exits2 = statement g fun_exit_node s2 in
	G.add_edge g n entry1;
	G.add_edge g n entry2;
	n,exits1@exits2
    | JCSloop (inv, s1) ->
	let n = new_node s in
	G.add_vertex g n;
	let entry1,exits1 = statement g fun_exit_node s1 in
	List.iter (fun v -> G.add_edge g v n) exits1;
	n,[n]	
    | JCSmatch(e, psl) ->
	assert false (* TODO *)
    | JCSassign_heap (_, _, _)
    | JCSassign_var (_, _)
    | JCScall (_, _, _)
    | JCSunpack (_, _, _)
    | JCSpack (_, _, _)
    | JCSthrow (_, _)
    | JCSlabel _
    | JCStry (_, _, _)
    | JCSdecl (_, _, _)
    | JCSassert _
    | JCSblock _ -> assert false

and statement_list g fun_exit_node l =
  match l with
    | [] -> assert false
    | [s] -> statement g fun_exit_node s 
    | s::r ->
	let entry,exits = statement g fun_exit_node s in
	let entry',exits' = statement_list g fun_exit_node r in
	List.iter (fun v -> G.add_edge g v entry') exits;
	entry,exits'
	  
	
let make l =
  let g = G.create () in
  let fun_exit_node = new_node_gen FunctionExit in 
  let entry_node,exits = statement_list g fun_exit_node l in
  List.iter (fun v -> G.add_edge g v fun_exit_node) exits;
  g,entry_node,fun_exit_node


  
(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_region.ml����������������������������������������������������������������������������0000644�0001750�0001750�00000035763�12311670312�013520� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset

open Format
open Pp

let string_explode s = 
  let rec next acc i = 
    if i >= 0 then next (s.[i] :: acc) (i-1) else acc
  in
  next [] (String.length s - 1)

let string_implode ls =
  let s = String.create (List.length ls) in
  ignore (List.fold_left (fun i c -> s.[i] <- c; i + 1) 0 ls);
  s

let filter_alphanumeric s =
  let alphanum c = 
    String.contains "abcdefghijklmnopqrstuvwxyz" c
    || String.contains "ABCDEFGHIJKLMNOPQRSTUVWXYZ" c
    || String.contains "0123456789" c
    || c = '_'
  in
  string_implode (List.filter alphanum (string_explode s))

let dummy_region = 
  {
    jc_reg_variable = false;
    jc_reg_bitwise = false;
    jc_reg_id = 0;
    jc_reg_name = "dummy_region";
    jc_reg_final_name = "dummy_region";
    jc_reg_type = JCTnull; (* Type does not matter. *)
  }

let is_dummy_region r = r.jc_reg_id = 0

module InternalRegion = struct

  type t = region

  let equal r1 r2 = r1.jc_reg_id = r2.jc_reg_id

  let compare r1 r2 = Pervasives.compare r1.jc_reg_id r2.jc_reg_id

  let hash r = r.jc_reg_id      

  let prefer r1 r2 = 
    if r1.jc_reg_variable && not r2.jc_reg_variable then 1 
    else if r2.jc_reg_variable && not r1.jc_reg_variable then -1
    else r1.jc_reg_id - r2.jc_reg_id

end

(* By default, elements should become representant only if they are 
 * "preferred" according to function [prefer]. Otherwise, decided by ranking.
 *)
module UnionFind
  (Elem : 
    sig type t 
	val equal : t -> t -> bool 
	val prefer : t -> t -> int 
    end)
  (ElemTable : Hashtbl.S with type key = Elem.t) =
struct
  
  let table = ElemTable.create 73
  let ranks = ElemTable.create 73

  let rec repr e = 
    try 
      let r = repr(ElemTable.find table e) in
      ElemTable.replace table e r;
      r
    with Not_found -> e

  let rank e =
    try ElemTable.find ranks e with Not_found -> 0

  let unify e1 e2 =
    let r1 = repr e1 and r2 = repr e2 in
    if Elem.equal r1 r2 then ()
    else 
      (* Start with preference as defined by function [prefer]. *)
      let pref = Elem.prefer r1 r2 in
      let k1 = rank r1 and k2 = rank r2 in
      if pref < 0 then
	begin
	  ElemTable.replace table r2 r1;
	  if k1 <= k2 then ElemTable.replace ranks r1 (k2 + 1)
	end
      else if pref > 0 then
	begin
	  ElemTable.replace table r1 r2;
	  if k2 <= k1 then ElemTable.replace ranks r2 (k1 + 1)
	end
      else
	(* If no definite preference, resolve to classical ranking. *)
	if k1 < k2 then
	  ElemTable.replace table r1 r2
	else if k2 < k1 then
	  ElemTable.replace table r2 r1
	else 
	  begin
	    ElemTable.replace table r1 r2;
	    ElemTable.replace ranks r2 (k2 + 1)
	  end

end

module RegionTable = Hashtbl.Make(InternalRegion)

module PairOrd(A : Set.OrderedType)(B : Set.OrderedType) =
struct
  type t = A.t * B.t
  let compare (a1,b1) (a2,b2) =
    let res1 = A.compare a1 a2 in
    if res1 <> 0 then res1 else B.compare b1 b2
  let equal (a1,b1) (a2,b2) =
    compare (a1,b1) (a2,b2) = 0
end

module RegionUF = UnionFind(InternalRegion)(RegionTable)

module RegionSet = struct 
  module S = Set.Make(InternalRegion)
  let empty = S.empty
  let mem r s = S.mem (RegionUF.repr r) s
  let add r s = S.add (RegionUF.repr r) s
  let of_list ls =
    List.fold_left (fun s e -> add e s) empty ls
  let to_list s =
    S.fold (fun e acc -> e :: acc) s []
  let singleton = S.singleton
end

(* Sets should be computed after unification takes place, so that operations
 * can maintain easily the invariant that only representative regions are used.
 *)
module PairRegionSet
  (T : sig type t end)(P : Set.OrderedType with type t = T.t * region) = 
struct
  module S = Set.Make(P)
  let empty = S.empty
  let mem (fi,r) s = S.mem (fi,RegionUF.repr r) s
  let add (fi,r) s = S.add (fi,RegionUF.repr r) s
  let singleton (fi,r) = S.singleton (fi,RegionUF.repr r)
  let remove (fi,r) s = S.remove (fi,RegionUF.repr r) s
  let split (fi,r) s = S.split (fi,RegionUF.repr r) s
  let elements = S.elements
  let exists = S.exists
  let union = S.fold add
    (* Added w.r.t. standard Set. *)
  let of_list ls =
    List.fold_left (fun s e -> add e s) empty ls
  let to_list s =
    S.fold (fun e acc -> e :: acc) s []
  let fold = S.fold
  let filter = S.filter
  let map_repr s = 
    S.fold (fun (fi,r) acc -> S.add (fi,RegionUF.repr r) acc) s S.empty
  let find_region r s =
    S.filter (fun (_fi,r') -> 
		InternalRegion.equal (RegionUF.repr r) (RegionUF.repr r')) s
  let mem_region r s =
    S.exists (fun (_fi,r') -> 
		InternalRegion.equal (RegionUF.repr r) (RegionUF.repr r')) s
end

(* Maps should be computed after unification takes place, so that operations
 * can maintain easily the invariant that only representative regions are used.
 *)
module PairRegionMap
  (T : sig type t end)(P : Set.OrderedType with type t = T.t * region) = 
struct
  module M = Map.Make(P)
  include M
  let add (fi,r) s = M.add (fi,RegionUF.repr r) s
  let find (fi,r) s = M.find (fi,RegionUF.repr r) s
  let remove (fi,r) s = M.remove (fi,RegionUF.repr r) s
  let mem (fi,r) s = M.mem (fi,RegionUF.repr r) s
  let add_merge f (k,r) v m = add_merge f (k,RegionUF.repr r) v m
end

let global_region_table : (InternalRegion.t FieldTable.t) RegionTable.t 
    = RegionTable.create 73


module Region =
struct

  include InternalRegion

  let name r = (RegionUF.repr r).jc_reg_final_name

  let representative = RegionUF.repr

  let polymorphic r = 
    let r = RegionUF.repr r in r.jc_reg_variable

  let count = ref 1 
  let next_count () = let tmp = !count in incr count; tmp

  let make_const ty name =
    let name = filter_alphanumeric name in
    if !Jc_common_options.separation_sem = SepNone then dummy_region
    else if not(is_pointer_type ty) then dummy_region else
      let id = next_count () in
      {
	jc_reg_variable = false;
	jc_reg_bitwise = false;
	jc_reg_id = id;
	jc_reg_name = name;
	jc_reg_final_name = name ^ "_" ^ (string_of_int id);
	jc_reg_type = ty;
      }

  let make_var ty name =
    let name = filter_alphanumeric name in
    if !Jc_common_options.separation_sem = SepNone then dummy_region
    else if not(is_pointer_type ty) then dummy_region else
      let id = next_count () in
      {
	jc_reg_variable = true;
	jc_reg_bitwise = false;
	jc_reg_id = id;
	jc_reg_name = name;
	jc_reg_final_name = name ^ "_" ^ (string_of_int id);
	jc_reg_type = ty;
      }

  let print fmt r =
    fprintf fmt "%s" r.jc_reg_final_name

  let print_assoc fmt assocl =
    fprintf fmt "%a" (print_list comma 
      (fun fmt (r1,r2) -> fprintf fmt "%a->%a" print r1 print r2)) assocl

  let bitwise r = (RegionUF.repr r).jc_reg_bitwise

  let equal r1 r2 =
    InternalRegion.equal (RegionUF.repr r1) (RegionUF.repr r2)

  let some_bitwise_region = ref false

  let exists_bitwise () = !some_bitwise_region

  let rec make_bitwise r =
    some_bitwise_region := true;
    if bitwise r then () else
      let rep = RegionUF.repr r in
      if !Jc_common_options.separation_sem = SepNone then 
	(* Potentially all pointers may be aliased *)
	(assert (is_dummy_region rep);
	 rep.jc_reg_bitwise <- true)
      else
	rep.jc_reg_bitwise <- true;
      try 
	let t = RegionTable.find global_region_table rep in
	begin match FieldTable.choose t with
	  | Some(_,r1) ->
	      make_bitwise r1;
	      FieldTable.iter (fun _fi ri -> unify r1 ri) t
	  | None -> ()
	end
      with Not_found -> ()
	
  and unify ?(poly=true) r1 r2 = 
    if is_dummy_region r1 && is_dummy_region r2 then ()
    else if is_dummy_region r1 || is_dummy_region r2 then
      let r,dr = if is_dummy_region r1 then r2, r1 else r1, r2 in
      Format.printf "unifying a dummy region %a with a non dummy region %a@."
	print dr print r;
      assert false
    else if equal r1 r2 then () else
      let rep1 = RegionUF.repr r1 and rep2 = RegionUF.repr r2 in
      RegionUF.unify r1 r2;
      let t1 = 
	try RegionTable.find global_region_table rep1 
	with Not_found -> FieldTable.create 0 
      in
      let t2 = 
	try RegionTable.find global_region_table rep2
	with Not_found -> FieldTable.create 0 
      in
      (* If polymorphic argument is false, then current unification is
	 a field unification coming from parents being unified, with one
	 parent being a constant region. Then its field region must be
	 constant too. 
      *)
      assert (poly || not (polymorphic r1 && polymorphic r2));
      let poly = 
	poly && polymorphic r1 && polymorphic r2 
      in
      (* Recursively make field regions constant if top region is constant *)
      let rec mkconst r = 
	let rep = RegionUF.repr r in
	if polymorphic rep then
	  begin
	    rep.jc_reg_variable <- false;
	    try
	      let t = RegionTable.find global_region_table rep in
	      FieldTable.iter (fun _fi ri -> mkconst ri) t
	    with Not_found -> ()
	  end
      in
      FieldTable.iter 
	(fun fi r1 ->
	  try 
	    begin 
	      let r2 = FieldTable.find t2 fi in
	      unify ~poly r1 r2
	    end
	  with Not_found -> 
	    if not poly then mkconst r1;
	    FieldTable.add t2 fi r1
	) t1;
      FieldTable.iter 
	(fun fi r2 ->
	  try ignore(FieldTable.find t1 fi)
	  with Not_found -> 
	    if not poly then mkconst r2
	) t2;
      (* Recursively make region bitwise if necessary *)
      let rep = RegionUF.repr r1 in
      if rep1.jc_reg_bitwise || rep2.jc_reg_bitwise then
	make_bitwise rep;
      (* Update with correct field table *)
      RegionTable.replace global_region_table rep t2

  let make_field r fi =
    let r = RegionUF.repr r in
(*     assert (not r.jc_reg_bitwise); *)
    if !Jc_common_options.separation_sem = SepNone then dummy_region
    else if not(is_pointer_type fi.jc_field_info_type) then dummy_region else
      try 
	let t = RegionTable.find global_region_table r in
	try FieldTable.find t fi
	with Not_found -> 
	  let fr =
	    if is_embedded_field fi then
	      r
	    else if r.jc_reg_variable then
	      make_var fi.jc_field_info_type fi.jc_field_info_name 
	    else
	      make_const fi.jc_field_info_type (* fi.jc_field_info_name *)
		r.jc_reg_name
	  in
	  FieldTable.replace t fi fr;
	  fr
      with Not_found ->
	let fr = 
	  if is_embedded_field fi then
	    r
	  else if r.jc_reg_variable then
	    make_var fi.jc_field_info_type fi.jc_field_info_name 
	  else
	    make_const fi.jc_field_info_type (* fi.jc_field_info_name *)
	      r.jc_reg_name
	in
	let t = FieldTable.create 5 in
	FieldTable.replace t fi fr;
	RegionTable.replace global_region_table r t;
	fr

end

module RegionList =
struct

  let rec assoc r assocl = 
    if is_dummy_region r then dummy_region else
      match assocl with
	| [] -> raise Not_found
	| (r1,r2)::ls -> 
	    if Region.equal r r1 then RegionUF.repr r2 else assoc r ls

  let rec assoc' r assocl = 
    match assocl with
      | [] -> raise Not_found
      | (r1,v)::ls -> 
	  if Region.equal r r1 then v else assoc' r ls
	    
  let rec mem r = function
    | [] -> false
    | r1::ls -> Region.equal r r1 || mem r ls

  (* Do not duplicate the bitwise field of regions *)
  let duplicate rls =
    let assocl = 
      List.fold_left (fun acc r ->
	if is_dummy_region r then acc 
	else (r,Region.make_var r.jc_reg_type r.jc_reg_name) :: acc
      ) [] rls
    in
    List.iter (fun (r1,r2) ->
      try
	let r1 = RegionUF.repr r1 in
	let t = FieldTable.copy(RegionTable.find global_region_table r1) in
	FieldTable.iter (fun fi r -> 
	  try
	    FieldTable.replace t fi (assoc r assocl)
	  with Not_found -> ()
	) t;
	RegionTable.replace global_region_table r2 t
      with Not_found -> ()
    ) assocl;
    assocl

  let reachable rls =
    let rec collect acc r =
      if is_dummy_region r then acc else
	let r = RegionUF.repr r in
	if mem r acc then acc else
	  let acc = r :: acc in
	  try
	    let t = RegionTable.find global_region_table r in
	    FieldTable.fold (fun _fi fr acc -> collect acc fr) t acc
	  with Not_found -> acc
    in
    List.fold_left collect [] rls

end

module Alloc = PairOrd(AllocClass)(InternalRegion)

module AllocSet = PairRegionSet(AllocClass)(Alloc)

module AllocMap = PairRegionMap(AllocClass)(Alloc)

module AllocList =
struct

  let rec mem (a,r) = function
    | [] -> false
    | (a',r')::rest -> 
	a = a' && Region.equal r r' || mem (a,r) rest

end

module Tag = PairOrd(VariantOrd)(InternalRegion)

module TagSet = PairRegionSet(VariantOrd)(Tag)

module TagMap = PairRegionMap(VariantOrd)(Tag)

module TagList =
struct

  let rec mem (a,r) = function
    | [] -> false
    | (a',r')::rest -> 
	a = a' && Region.equal r r' || mem (a,r) rest

end

module Memory = PairOrd(MemClass)(InternalRegion)

module MemorySet = 
  PairRegionSet(MemClass)(Memory)

module MemoryMap = 
  PairRegionMap(MemClass)(Memory)

module MemoryList =
struct

  let rec mem (fi,r) = function
    | [] -> false
    | (fi',r')::rest -> 
	MemClass.equal fi fi' && Region.equal r r' || mem (fi,r) rest

end

module Pointer = PairOrd(PointerClass)(InternalRegion)

module PointerSet = PairRegionSet(PointerClass)(Pointer)



(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
�������������why-2.34/jc/jc_typing.ml����������������������������������������������������������������������������0000644�0001750�0001750�00000373271�12311670312�013546� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_constructors
open Jc_pervasives
(*
open Jc_iterators
*)
open Jc_struct_tools

open Format

exception Typing_error of Loc.position * string

let typing_error l =
  Format.kfprintf
    (fun _fmt -> raise (Typing_error(l, flush_str_formatter())))
    str_formatter

let uenv = Jc_type_var.create {Jc_type_var.f = typing_error}

let reset_uenv () = Jc_type_var.reset uenv
let print_uenv () = Format.printf "%a" Jc_type_var.print uenv
let add_poly_args poly_args = List.map (fun e -> Jc_type_var.add_type_var uenv e) poly_args

let logic_type_table = StringHashtblIter.create 97

let exceptions_table = StringHashtblIter.create 97

let enum_types_table = StringHashtblIter.create 97

let structs_table = StringHashtblIter.create 97

let roots_table = StringHashtblIter.create 97

let mutable_fields_table = Hashtbl.create 97 (* structure name (string) -> field info *)
let committed_fields_table = Hashtbl.create 97 (* structure name (string) -> field info *)

let logic_functions_table = IntHashtblIter.create 97
let logic_functions_env = Hashtbl.create 97
let logic_constants_table = Hashtbl.create 97
let logic_constants_env = Hashtbl.create 97
let functions_table = IntHashtblIter.create 97
let functions_env = Hashtbl.create 97
let variables_table = IntHashtblIter.create 97
let variables_env = Hashtbl.create 97

(* Store the generated user predicates *)
let pragma_gen_sep = Hashtbl.create 10
let pragma_gen_frame = Hashtbl.create 10
let pragma_gen_same = Hashtbl.create 10

(* Keep the pragma which are defined
   before one of its argument *)
let pragma_before_def = Hashtbl.create 10

let () =
  List.iter
    (fun (ty,x,whyid,pl) ->
       let pi = match ty with
	 | None -> make_pred x
	 | Some ty -> make_logic_fun x ty
       in
       let pl = List.map
	 (fun ty -> var ~formal:true ty "_") pl
       in
       pi.jc_logic_info_parameters <- pl;
       pi.jc_logic_info_final_name <- whyid;
       Hashtbl.add logic_functions_env x pi)
    Jc_pervasives.builtin_logic_symbols;
  List.iter
    (fun (ty,x,whyid,pl,treat) ->
       let pi = make_fun_info x ty in
       let pl = List.map
	 (fun ty -> (true,var ~formal:true ty "_")) pl
       in
       pi.jc_fun_info_parameters <- pl;
       pi.jc_fun_info_final_name <- whyid;
       pi.jc_fun_info_builtin_treatment <- treat;
       Hashtbl.add functions_env x pi)
    Jc_pervasives.builtin_function_symbols

let real_of_integer =
  let fi =
    Hashtbl.find logic_functions_env "\\real_of_integer"
  in
(*
  eprintf "\\real_of_integer.jc_logic_fun_info_tag = %d@." fi.jc_logic_info_tag;
*)
  fi



type axiomatic_decl =
  | ABaxiom of Loc.position * string * Jc_env.label list * Jc_constructors.assertion

type axiomatic_data =
    {
      mutable axiomatics_defined_ids : logic_info list;
      mutable axiomatics_decls : axiomatic_decl list;
    }

let axiomatics_table = StringHashtblIter.create 17

let field_tag_counter = ref 0

let create_mutable_field st =
  incr field_tag_counter;
  let name = "committed_"^st.jc_struct_info_name in
  let fi = {
    jc_field_info_tag = !field_tag_counter;
    jc_field_info_name = name;
    jc_field_info_final_name = Jc_envset.get_unique_name name;
    jc_field_info_type = boolean_type;
    jc_field_info_hroot = st.jc_struct_info_hroot;
    jc_field_info_struct = st;
    jc_field_info_rep = false;
    jc_field_info_abstract = false;
    jc_field_info_bitsize = None;
  } in
  Hashtbl.add committed_fields_table st.jc_struct_info_name fi

let find_struct_info loc id =
  try
    let st,_ = StringHashtblIter.find structs_table id in st
  with Not_found ->
    typing_error loc "undeclared structure %s" id

let find_struct_root st =
  match st.jc_struct_info_hroot.jc_struct_info_root with
    | None -> raise Not_found
    | Some vi -> vi

let is_type_var = function
    | JCTtype_var _ -> true
    | _ -> false

let cast_needed pos ty =
  typing_error pos "At this point we need to know exactly the type, can you add a cast?( I have %a)" print_type ty

let not_the_good_type pos ty s =
  if is_type_var ty then
    cast_needed pos ty
  else
    typing_error pos s

let must_be_subtypable pos ty =
  if is_type_var ty then
    cast_needed pos ty


let is_real t =
  match t with
    | JCTnative Treal -> true
    | _ -> false

let is_double t =
  match t with
    | JCTnative (Tgenfloat `Double) -> true
    | _ -> false

let is_float t =
  match t with
    | JCTnative (Tgenfloat `Float) -> true
    | _ -> false

let is_gen_float t =
  match t with
    | JCTnative (Tgenfloat _) -> true
    | _ -> false


let is_boolean t =
  match t with
    | JCTnative Tboolean -> true
    | _ -> false

let is_numeric t =
  match t with
    | JCTnative (Tinteger | Treal) -> true
    | JCTenum _ -> true
    | _ -> false

let is_integer t =
  match t with
    | JCTnative Tinteger -> true
    | JCTenum _ -> true
    | _ -> false

let is_root_struct st =
  match st.jc_struct_info_parent with None -> true | Some _ -> false

let lub_numeric_types t1 t2 =
  match t1,t2 with
    | JCTnative (Tgenfloat _), JCTnative (Tgenfloat _) when
	!Jc_options.float_instruction_set = FISx87 ->
	Tgenfloat `Binary80
    | JCTnative (Tgenfloat `Float), JCTnative (Tgenfloat `Float) -> (Tgenfloat `Float)
    | JCTnative (Tgenfloat _), JCTnative (Tgenfloat _) -> Tgenfloat `Double
	(* note: there is an invariant that when not in FISx87, `Binary80 never occurs *)
    | JCTnative Treal,_ | _,JCTnative Treal -> Treal
    | _ -> Tinteger

let rec substruct st = function
  | (JCtag(st', _)) as pc ->
      if st == st' then true else
        let vi = struct_root st and vi' = struct_root st' in
        (vi == vi' && (root_is_union vi))
        ||
        begin match st.jc_struct_info_parent with
          | None -> false
          | Some(p, []) -> substruct p pc
          | Some(_p, _) -> assert false (* TODO *)
        end
  | JCroot vi ->
      struct_root st == vi

let rec superstruct st = function
  | JCtag(st', _) ->
      let vi' = struct_root st' in
      not (root_is_union vi') && substruct st' (JCtag(st,[]))
  | JCroot _vi ->
      false

let same_hierarchy st1 st2 =
  let vi1 = pointer_class_root st1 in
  let vi2 = pointer_class_root st2 in
  vi1 == vi2

let subtype ?(allow_implicit_cast=true) t1 t2 =
  match t1,t2 with
    | JCTnative t1, JCTnative t2 ->
        t1=t2 ||
         (* integer is subtype of real *)
        (match t1,t2 with
           | Tinteger, Treal -> true
	   | _ -> false)
    | JCTenum ri1, JCTenum ri2 ->
        allow_implicit_cast ||
          (Num.ge_num ri1.jc_enum_info_min ri2.jc_enum_info_min &&
             Num.le_num ri1.jc_enum_info_max ri2.jc_enum_info_max)
    | JCTenum _, JCTnative Tinteger ->
        true
    | JCTnative Tinteger, JCTenum _ ->
        allow_implicit_cast
    | JCTlogic s1, JCTlogic s2 ->
        s1=s2
    | JCTpointer(JCtag(s1, []), _, _), JCTpointer(pc, _, _) ->
        substruct s1 pc
    | JCTpointer(JCroot v1, _, _), JCTpointer(JCroot v2, _, _) ->
        v1 == v2
    | JCTnull, (JCTnull | JCTpointer _) ->
        true
    | _ ->
        false

let subtype_strict = subtype ~allow_implicit_cast:false

let mintype loc t1 t2 =
  try match t1,t2 with
    | JCTnative Tinteger, JCTnative Treal
    | JCTnative Treal, JCTnative Tinteger ->
        JCTnative Treal
    | JCTnative n1, JCTnative n2 ->
        if n1=n2 then t1 else raise Not_found
          (* TODO: integer is subtype of real *)
    | JCTenum e1, JCTenum e2 ->
        if e1=e2 then t1 else  Jc_pervasives.integer_type
    | (JCTenum _ | JCTnative Tinteger), (JCTenum _| JCTnative Tinteger) ->
        Jc_pervasives.integer_type
    | JCTlogic s1, JCTlogic s2 ->
        if s1=s2 then t1 else raise Not_found
    | JCTpointer(JCtag(s1, []), _, _), JCTpointer(pc, _, _)
        when substruct s1 pc ->
        t2
    | JCTpointer(pc, _, _), JCTpointer(JCtag(s1, []), _, _)
        when substruct s1 pc ->
        t1
    | JCTpointer(JCroot v1, _, _), JCTpointer(JCroot v2, _, _) ->
        if v1 == v2 then t1 else raise Not_found
    | JCTnull, JCTnull -> JCTnull
    | JCTnull, JCTpointer _ -> t2
    | JCTpointer _, JCTnull -> t1
    | JCTany, t | t, JCTany -> t
    | JCTpointer(JCtag(_, _::_), _, _), JCTpointer _
    | JCTpointer _, JCTpointer(JCtag(_, _::_), _, _) -> assert false
        (* TODO: parameterized type *)
    | _ -> raise Not_found
  with Not_found ->
    typing_error loc "incompatible types: %a and %a"
      print_type t1 print_type t2

let unit_expr e =
  if e#typ = unit_type then e else
    new expr_with ~typ:unit_type ~region:dummy_region ~original_type:e#typ e

let rec same_type_no_coercion t1 t2 =
  match t1,t2 with
    | JCTnative t1, JCTnative t2 -> t1=t2
    | JCTenum ei1, JCTenum ei2 ->
      ei1.jc_enum_info_name = ei2.jc_enum_info_name
    | JCTlogic (name1, args1), JCTlogic (name2, args2) ->
      name1=name2 && List.for_all2 same_type_no_coercion args1 args2
    | JCTpointer(pc1,_,_), JCTpointer(pc2,_,_) ->
        pointer_class_root pc1 == pointer_class_root pc2
    | JCTnull, JCTnull -> true
    | JCTnull, JCTpointer _
    | JCTpointer _, JCTnull -> true
    | _ -> false

let comparable_types t1 t2 =
  match t1,t2 with
    | JCTnative Tinteger, JCTnative Treal -> true
    | JCTnative Treal, JCTnative Tinteger -> true
    | JCTnative t1, JCTnative t2 -> t1=t2
    | JCTenum _, JCTenum _ -> true
    | JCTenum _, JCTnative Tinteger -> true
    | JCTnative Tinteger, JCTenum _ -> true
    | JCTlogic s1, JCTlogic s2 -> s1=s2
    | JCTpointer(pc1,_,_), JCTpointer(pc2,_,_) ->
        pointer_class_root pc1 == pointer_class_root pc2
    | JCTnull, JCTnull -> true
    | JCTnull, JCTpointer _
    | JCTpointer _, JCTnull -> true
    | _ -> false


let rec list_assoc_name f id l =
  match l with
    | [] -> raise Not_found
    | fi::r ->
        if (f fi) = id then fi
        else list_assoc_name f id r


let rec find_field_struct loc st allow_mutable = function
  | ("mutable" | "committed") as x ->
      if allow_mutable && !Jc_common_options.inv_sem = InvOwnership then
        let table =
          if x = "mutable" then mutable_fields_table
          else committed_fields_table
        in
        Hashtbl.find table (root_name st)
      else typing_error loc "field %s cannot be used here" x
  | f ->
      try
        list_assoc_name
          (fun f -> f.jc_field_info_name) f st.jc_struct_info_fields
      with Not_found ->
        match st.jc_struct_info_parent with
          | None ->
              raise Not_found
(*              typing_error loc "no field %s in structure %s"
                f st.jc_struct_info_name*)
          | Some(st, _) -> find_field_struct loc st allow_mutable f
let find_field_struct loc st allow_mutable f =
  try find_field_struct loc st allow_mutable f
  with Not_found ->
    typing_error loc "no field %s in structure %s" f st.jc_struct_info_name

let find_field loc ty f allow_mutable =
  match ty with
    | JCTpointer(JCtag(st, _), _, _) -> find_field_struct loc st allow_mutable f
    | JCTpointer(JCroot _, _, _)
    | JCTnative _
    | JCTenum _
    | JCTlogic _
    | JCTnull
    | JCTany -> typing_error loc "not a structure type"
    | JCTtype_var _ -> cast_needed loc ty

let find_fun_info id = Hashtbl.find functions_env id

let find_logic_info id = Hashtbl.find logic_functions_env id

(* types *)

let rec type_type t =
  match t#node with
    | JCPTnative n -> JCTnative n
    | JCPTpointer (id, _, a, b) ->
        (* first we try the most precise type (the tag) *)
        begin try
          let st, _ = StringHashtblIter.find structs_table id in
          JCTpointer(JCtag(st, []), a, b)
        with Not_found ->
          try
            let vi = StringHashtblIter.find roots_table id in
            JCTpointer(JCroot vi, a, b)
          with Not_found ->
            typing_error t#pos "unknown type or tag: %s" id
        end
    | JCPTidentifier (id,l) ->
        try
          JCTtype_var (Jc_type_var.find_type_var uenv id)
        with Not_found ->
          try
            let l = List.map type_type l in
            let _,lp = StringHashtblIter.find logic_type_table id in
            let len_l = List.length l in
            let len_lp = List.length lp in
            if not (len_l = len_lp) then
              typing_error t#pos "Here the type %s is used with %i arguments instead of %i " id len_l len_lp;
            JCTlogic (id,l)
          with Not_found ->
            try
              let ri = StringHashtblIter.find enum_types_table id in
              JCTenum ri
            with Not_found ->
              typing_error t#pos "unknown type %s" id

let unary_op (t: [< operator_type]) (op: [< unary_op]) = op, t

let bin_op (t: [< operator_type]) (op: [< bin_op]) = op, t

(******************************************************************************)
(*                                  Patterns                                  *)
(******************************************************************************)

(* constants *)

let const c =
  match c with
    | JCCvoid -> unit_type,dummy_region,c
    | JCCinteger _ -> integer_type,dummy_region,c
    | JCCreal _ -> real_type,dummy_region,c
    | JCCboolean _ -> boolean_type, dummy_region, c
    | JCCnull -> null_type,Region.make_var JCTnull "null",c
    | JCCstring _ -> string_type,dummy_region,c


let valid_pointer_type st =
  JCTpointer(st, Some (Num.num_of_int 0), Some (Num.num_of_int 0))

(* ety = expected type *)
(* env: the variables already bound *)
(* vars: the var_info to use if encountering a given variable *)
(* Return: (vars, pat) where:
     vars is the environment of the binders of the pattern
     pat is the typed pattern. *)
let rec pattern env vars pat ety =
  let get_var ety id =
    let id = id#name in
    if List.mem_assoc id env then
      typing_error pat#pos
        "the variable %s appears twice in the pattern" id;
    try
      StringMap.find id vars
    with Not_found ->
      let vi = var ety id in
      vi.jc_var_info_assigned <- true;
      vi
  in
  let tpn, ty, newenv = match pat#node with
    | JCPPstruct(id, lpl) ->
        let pc = match ety with
          | JCTpointer(pc, _, _) -> pc
          | JCTnative _ | JCTenum _ | JCTlogic _ | JCTnull | JCTany
          | JCTtype_var _ ->
              not_the_good_type pat#pos ety
                "this pattern doesn't match a structure nor a variant"
        in
        (* tag *)
        let st = find_struct_info id#pos id#name in
        if not (substruct st pc) then
          typing_error id#pos
            "tag %s is not a subtag of %s"
            st.jc_struct_info_name (Jc_output_misc.pointer_class pc);
        (* fields *)
        let env, tlpl = List.fold_left
          (fun (env, acc) (l, p) ->
             let fi = find_field_struct l#pos st false l#name in
             let env, tp = pattern env vars p fi.jc_field_info_type in
             env, (fi, tp)::acc)
          (env, []) lpl
        in
        JCPstruct(st, List.rev tlpl), valid_pointer_type (JCtag(st, [])), env
    | JCPPvar id ->
        let vi = get_var ety id in
        JCPvar vi, ety, (id#name, vi)::env
    | JCPPor(p1, p2) ->
        let _, tp1 = pattern env vars p1 ety in
        let vars = pattern_vars vars tp1 in
        let env, tp2 = pattern env vars p2 ety in
        JCPor(tp1, tp2), ety, env
    | JCPPas(p, id) ->
        let env, tp = pattern env vars p ety in
        let vi = get_var (tp#typ) id in
        JCPas(tp, vi), ety, (id#name, vi)::env
    | JCPPany ->
        JCPany, ety, env
    | JCPPconst c ->
        let ty, _, c = const c in
        Jc_type_var.add uenv pat#pos ty ety;
        JCPconst c, ety, env
  in newenv, new pattern ~typ:ty ~pos:pat#pos tpn
let pattern = pattern [] StringMap.empty

(******************************************************************************)
(*                                   Terms                                    *)
(******************************************************************************)

let num_op (op: [< `Badd | `Bsub | `Bmul | `Bdiv | `Bmod]) = op, Tinteger

let num_un_op t (op: [< `Uminus | `Ubw_not | `Unot]) e =
  match op with
    | `Unot
    | `Uminus
    | `Ubw_not -> JCTunary((unary_op t op :> unary_op * 'a),e)

let make_logic_unary_op loc (op : Jc_ast.unary_op) e2 =
  let t2 = e2#typ in
  match op with
    | `Unot ->
        Jc_type_var.add uenv loc (JCTnative Tboolean) t2;
	  t2, dummy_region, num_un_op (operator_of_native Tboolean) op  e2
    | ((`Uminus | `Ubw_not) as x) ->
        must_be_subtypable loc t2;
        if is_numeric t2 then
          let t = lub_numeric_types t2 t2 in
          JCTnative t,dummy_region,num_un_op (operator_of_native t) x e2
        else
          typing_error loc "numeric type expected"
(*    | `Upostfix_dec | `Upostfix_inc | `Uprefix_dec | `Uprefix_inc ->
        typing_error loc "pre/post incr/decr not allowed as logical term"*)

(* [term_coerce t1 t2 e] applies coercion to expr e of type t1 to t2 *)
let term_coerce t1 t2 e =
  let tn1 =
    match t1 with
      | JCTenum _ri -> Tinteger
      | JCTnative t -> t
      | _ -> assert false
  in
  match tn1,t2 with
    | Tinteger, Treal ->
	begin
	  match e#node with
	    | JCTconst (JCCinteger n) ->
		new term
		  ~typ:real_type
		  ~region:e#region
		  ~mark:e#mark
		  ~pos:e#pos
		  (JCTconst(JCCreal (n^".0")))
	    | _ ->
		let app = {
		  jc_app_fun = real_of_integer;
		  jc_app_args = [e];
		  jc_app_region_assoc = [];
		  jc_app_label_assoc = [];
		} in
		new term
		  ~typ:real_type
		  ~region:e#region
		  ~mark:e#mark
		  ~pos:e#pos
		  (JCTapp app)
	end
    | _ -> e

let logic_bin_op (t : [< operator_type ]) (op : [< bin_op]) : term_bin_op =
  bin_op t op
(*
  match t,op with
    | _, BPgt -> gt_int
    | _, BPlt -> lt_int
    | _, BPge -> ge_int
    | _, BPle -> le_int
    | _, BPeq -> eq
    | _, BPneq -> neq
    | Tinteger, BPadd -> add_int
    | Treal, BPadd -> add_real
    | _, BPsub -> sub_int
    | _, BPmul -> mul_int
    | _, BPdiv -> div_int
    | _, BPmod -> mod_int
    | Tboolean, BPland -> band
    | Tboolean, BPlor -> bor
        (* not allowed as expression op *)
    | _,BPimplies -> assert false
    | Tunit,_ -> assert false
    | _ -> assert false
*)

let make_logic_bin_op loc (op: bin_op) e1 e2 =
  let t1 = e1#typ and t2 = e2#typ in
  (** Test only if t1 t2 are not a type variable,
      thus they can contain type variable*)
  must_be_subtypable loc t1;
  must_be_subtypable loc t2;
  match op with
    | `Bgt | `Blt | `Bge | `Ble ->
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          boolean_type,dummy_region,
          JCTbinary(term_coerce t1 t e1, logic_bin_op (operator_of_native t) op,
                    term_coerce t2 t e2)
        else
          typing_error loc "numeric types expected for >, <, >= and <="
    | `Beq | `Bneq ->
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          boolean_type,dummy_region,
          JCTbinary(term_coerce t1 t e1, logic_bin_op (operator_of_native t) op,
                     term_coerce t2 t e2)
        else if is_pointer_type t1 && is_pointer_type t2
	  && (comparable_types t1 t2)
	then
          boolean_type,dummy_region,
          JCTbinary(e1,logic_bin_op `Pointer op,e2)
        else
          typing_error loc "numeric or pointer types expected for == and !="
    | `Badd ->
        if is_pointer_type t1 && is_integer t2 then
          t1, e1#region, JCTshift(e1, term_coerce t2 Tinteger e2)
        else if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,dummy_region,
           JCTbinary(term_coerce t1 t e1,
                     logic_bin_op (operator_of_native t) op,
                     term_coerce t2 t e2))
        else
          typing_error loc "unexpected types for +"
    | `Bsub ->
        if is_pointer_type t1 && is_integer t2 then
          let _, _, te = make_logic_unary_op loc `Uminus e2 in
          let e2 = new term_with ~node:te e2 in
          t1,e1#region,JCTshift(e1, term_coerce t2 Tinteger e2)
        else if
          is_pointer_type t1 && is_pointer_type t2
          && comparable_types t1 t2
        then
          (integer_type,dummy_region,
           JCTbinary(e1, bin_op `Pointer `Bsub, e2))
        else if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,
           dummy_region,
           JCTbinary(term_coerce t1 t e1,
                     logic_bin_op (operator_of_native t) op,
                     term_coerce t2 t e2))
        else
          typing_error loc "unexpected types for -"
    | `Bmul | `Bdiv | `Bmod | `Bbw_and | `Bbw_or | `Bbw_xor
    | `Blogical_shift_right | `Barith_shift_right | `Bshift_left ->
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,dummy_region,
           JCTbinary(term_coerce t1 t e1,
                     logic_bin_op (operator_of_native t) op,
                     term_coerce t2 t e2))
        else typing_error loc "numeric types expected for *, / and %%"
    | `Bland | `Blor ->
        let t=
          match (t1,t2) with
            | JCTnative t1, JCTnative t2 ->
                begin
                  match (t1,t2) with
                    | Tboolean,Tboolean -> Tboolean
                    | _ -> assert false (* TODO *)
                end
            | _ ->
                typing_error loc "booleans expected"
        in
        JCTnative t,
        dummy_region,
        JCTbinary(e1, logic_bin_op (operator_of_native t) op, e2)

        (* not allowed as term op *)
    | `Bimplies | `Biff -> assert false
    | `Bconcat -> assert false (* TODO *)


(** Check that used logic labels appear in the environment,
and add the current [label] to the node in [jc_nexpr_label].
[env] is the list of valid labels.
[result_label] is the expected label for [\result].
However, [label] might be changed by the "\at" construction. *)
let rec type_labels env ~result_label label e =
  let check e x =
    if not (List.mem x env) then
      typing_error e#pos "label `%a' not found" Jc_output_misc.label x
  in
  let iter_subs ?(env=env) label =
    List.iter
      (fun e -> ignore (type_labels env ~result_label label e))
      (Jc_iterators.INExpr.subs e)
  in
  e#set_label label;
(*
  (match label with
    | None -> assert false
    | Some l ->
	eprintf "setting label %a to expr %a@." Jc_output_misc.label l Jc_noutput.expr e);
*)
  match e#node with
    | JCNEconst _ | JCNEderef _ | JCNEbinary _
    | JCNEunary _ | JCNEassign _ | JCNEinstanceof _ | JCNEcast _
    | JCNEif _ | JCNEoffset _ | JCNEaddress _ | JCNEbase_block _ | JCNEfresh _
    | JCNEalloc _ | JCNEfree _ | JCNElet _
    | JCNEassert _ | JCNEloop _ | JCNEreturn _ | JCNEtry _
    | JCNEthrow _ | JCNEpack _ | JCNEunpack _ | JCNEmatch _ | JCNEquantifier _
    | JCNEmutable _ | JCNEeqtype _ | JCNEsubtype _ | JCNErange _ ->
        iter_subs label;
        env
    | JCNEvar id ->
	if id = "\\result" then
	  begin match label,result_label with
	    | Some lab1, Some lab2 ->
		if lab1 <> lab2 then
		  typing_error e#pos "\\result not allowed here (lab1 = %a, lab2= %a)" Jc_output_misc.label lab1 Jc_output_misc.label lab2
	    | None, _
	    | _, None -> typing_error e#pos "\\result not allowed here"
	  end;
	env
    | JCNEcontract(req,dec,behs,e) ->
	ignore (type_labels_opt env ~result_label:None (Some LabelHere) req);
	Option_misc.iter
	  (fun (dec,_) ->
	     ignore (type_labels env ~result_label:None (Some LabelHere) dec)) dec;
	List.iter (behavior_labels env) behs;
	type_labels env ~result_label None e
    | JCNEapp(_, l, _) ->
        List.iter (check e) l;
        iter_subs label;
        env
    | JCNEold _ ->
        check e LabelOld;
        iter_subs (Some LabelOld);
        env
    | JCNEat(_, l) ->
        check e l;
        iter_subs (Some l);
        env
    | JCNEblock el ->
        List.fold_left
          (fun env e -> type_labels env ~result_label label e)
          env el
    | JCNElabel(lab, _) ->
        let lab = {
          label_info_name = lab;
          label_info_final_name = lab;
          times_used = 0;
        } in
        let env = (LabelName lab)::env in
        iter_subs ~env label;
        env

and type_labels_opt env ~result_label label e =
  match e with
    | None -> env
    | Some e -> type_labels env ~result_label label e

and behavior_labels env
    (_loc,_id,_throws,assumes,requires,assigns,allocates,ensures) =
  let here = Some LabelHere in
  let _ = type_labels_opt env ~result_label:None here assumes in
  let _ = type_labels_opt env ~result_label:None here requires in
  let env = LabelOld :: LabelPost :: env in
  Option_misc.iter
    (fun (_,a) ->
       List.iter
	 (fun e ->
	    ignore(type_labels env
		     ~result_label:(Some LabelPost) (Some LabelOld) e)) a)
    assigns;
  Option_misc.iter
    (fun (_,a) ->
       List.iter
	 (fun e ->
	    ignore(type_labels env
		     ~result_label:(Some LabelHere) (Some LabelHere) e)) a)
    allocates;
  let _ = type_labels env ~result_label:here here ensures in
  ()

let type_labels env ~result_label label e =
  ignore (type_labels env ~result_label label e)

let get_label e =
  match e#label with
    | None -> typing_error e#pos "a memory state is needed here (\\at missing?)"
    | Some l -> l

let label_assoc loc id cur_label fun_labels effective_labels =
  match cur_label, fun_labels, effective_labels with
    | Some l, [lf], [] -> [lf,l]
    | _ ->
	try
	  List.map2
	    (fun l1 l2 -> (l1,l2))
	    fun_labels effective_labels
	with Invalid_argument _ ->
	  typing_error loc
	    "wrong number of labels for %s (expected %d, got %d)" id (List.length fun_labels) (List.length effective_labels)

let rec term env e =
  let ft = term env in
  let lab = ref "" in
  let label () = get_label e in
  let t, tr, te = match e#node with
    | JCNEconst c ->
        let t, tr, c = const c in t, tr, JCTconst c
    | JCNElabel(l, e1) ->
        let te1 = ft e1 in
        lab := l;
        te1#typ, te1#region, te1#node
    | JCNEvar id ->
	begin try
          let vi =
            try List.assoc id env
	    with Not_found -> Hashtbl.find variables_env id
          in
          vi.jc_var_info_type, vi.jc_var_info_region, JCTvar vi
	with Not_found ->
          (* François : Où teste-t-on que pi n'a pas d'argument? *)
	  let pi =
            try Hashtbl.find logic_functions_env id with Not_found ->
              typing_error e#pos "unbound term identifier %s" id
	  in
          let app = {
            jc_app_fun = pi;
            jc_app_args = [];
            jc_app_region_assoc = [];
            jc_app_label_assoc = [];
          } in
	  let ty =
	    match pi.jc_logic_info_result_type with
	      | Some t -> t
	      | None -> assert false (* check it is a function *)
	  in
          let ty = (Jc_type_var.instance pi.jc_logic_info_poly_args) ty in
	  ty, Region.make_var ty pi.jc_logic_info_name, JCTapp app
	end
    | JCNEderef(e1, f) ->
        let te1 = ft e1 in
        let fi = find_field e#pos te1#typ f true in
        fi.jc_field_info_type,
        Region.make_field te1#region fi,
        JCTderef(te1, label (), fi)
    | JCNEbinary(e1, op, e2) ->
        make_logic_bin_op e#pos op (ft e1) (ft e2)
    | JCNEunary(op, e1) ->
        make_logic_unary_op e#pos op (ft e1)
    | JCNEapp(id, labs, args) ->
        begin try
(* Yannick: no need for different rule for const logic *)
(*           if List.length args = 0 then *)
(*             let vi = Hashtbl.find logic_constants_env id in *)
(*             vi.jc_var_info_type, vi.jc_var_info_region, JCTvar vi *)
(*           else *)
	    begin
            let pi = find_logic_info id in
            let subst = Jc_type_var.instance pi.jc_logic_info_poly_args in
            let tl =
              try
                List.map2
                  (fun vi e ->
                     let ty = subst vi.jc_var_info_type in
                     let te = ft e in
                     Jc_type_var.add uenv te#pos te#typ ty;
                     te)
                   pi.jc_logic_info_parameters args
              with  Invalid_argument _ ->
                typing_error e#pos
                  "wrong number of arguments for %s" id
            in
            let ty = match pi.jc_logic_info_result_type with
              | None ->
                  typing_error e#pos
                    "the logic info %s is a predicate; it should be \
used as an assertion, not as a term" pi.jc_logic_info_name
              | Some ty -> ty
	    in
            let ty = Jc_type_var.subst uenv (subst ty) in
            let label_assoc =
	      label_assoc e#pos id e#label pi.jc_logic_info_labels labs
	    in
            let app = {
              jc_app_fun = pi;
              jc_app_args = tl;
              jc_app_region_assoc = [];
              jc_app_label_assoc = label_assoc;
            } in
            ty, Region.make_var ty pi.jc_logic_info_name, JCTapp app
          end
        with Not_found ->
          typing_error e#pos "unbound logic function identifier %s" id
        end
    | JCNEinstanceof(e1, t) ->
        boolean_type,
        dummy_region,
        JCTinstanceof(ft e1, label (), find_struct_info e#pos t)
    | JCNEcast(e1, t) ->
        let te1 = ft e1 in
	let ty = type_type t in
	begin match ty with
	  | JCTnative Tinteger ->
	      (*if is_real te1#typ then
		integer_type, te1#region, JCTreal_cast(te1,Real_to_integer)
	      else*) if is_integer te1#typ then
		integer_type, te1#region, te1#node
	      else
                not_the_good_type e#pos ty "bad cast to integer"
		  (*typing_error e#pos "bad cast to integer"*)
	  | JCTnative Treal ->
	      if is_integer te1#typ then
		real_type, te1#region, JCTreal_cast(te1,Integer_to_real)
	      else if is_real te1#typ then
		real_type, te1#region, te1#node
	      else if is_double te1#typ then
		real_type, te1#region, JCTreal_cast(te1,Double_to_real)
	      else if is_float te1#typ then
		real_type, te1#region, JCTreal_cast(te1,Float_to_real)
	      else
		 not_the_good_type e#pos te1#typ "bad cast to real"
		  (*typing_error e#pos "bad cast to real"*)
	  | JCTnative (Tgenfloat f) ->
	       if is_real te1#typ || is_integer te1#typ then
                JCTnative (Tgenfloat f), te1#region, JCTreal_cast(te1, Round (f,Round_nearest_even))
	       else
		 begin
		   match te1#typ with
		     | JCTnative (Tgenfloat f1) ->
			 let e =
			   match (f1,f) with
			     | `Binary80,`Binary80 -> te1#node
			     | `Double,`Double -> te1#node
			     | `Float,`Float -> te1#node
			     | _ ->
				 JCTreal_cast(te1, Round(f,Round_nearest_even))
			 in
			   JCTnative (Tgenfloat f), te1#region, e
		     | _ -> not_the_good_type e#pos te1#typ "bad cast to floating-point number"
		  (*typing_error e#pos "bad cast to floating-point number"*)
		 end

(*
	  | JCTnative (Tgenfloat `Double) ->
              if is_real te1#typ || is_integer te1#typ then
                double_type, te1#region, JCTreal_cast(te1, Round_double Round_nearest_even)
	      else if is_double te1#typ then
		double_type, te1#region, te1#node
	      else if is_float te1#typ then
		double_type, te1#region, te1#node
	      else
		typing_error e#pos "bad cast to double"
	  | JCTnative Tfloat ->
              if is_real te1#typ || is_double te1#typ || is_integer te1#typ then
                float_type, te1#region, JCTreal_cast(te1, Round_float Round_nearest_even)
	      else if is_float te1#typ then
		float_type, te1#region, te1#node
	      else
		typing_error e#pos "bad cast to float"
*)
	  | JCTnative _ -> assert false (* TODO *)
	  | JCTenum ri ->
	      if is_integer te1#typ then
		JCTenum ri, dummy_region, JCTrange_cast(te1, ri)
	      else
		(* CM je ne comprends pas ce cast de real vers enum
		   if is_real te1#typ then
		let cast = NExpr.mkcast ~expr:e1 ~typ:integer_type () in
		let t = ft cast in
		  JCTenum ri, te1#region, JCTrange_cast(t, ri)
	      else
		*)
		not_the_good_type e#pos te1#typ "integer type expected"
		  (*typing_error e#pos "integer type expected"*)
	  | JCTpointer(JCtag(st,_),_,_) ->
	      begin match te1#typ with
		| JCTpointer(st1, a, b) ->
		    if superstruct st st1 then
		      (te1#typ,
		       te1#region,
		       te1#node)
		    else if substruct st st1 then
		      (JCTpointer(JCtag(st, []), a, b),
		       te1#region,
		       JCTcast(te1, label (), st))
		    else if same_hierarchy (JCtag(st, [])) st1 then
		      typing_error e#pos "invalid cast"
		    else
		      (* bitwise cast *)
		      (Region.make_bitwise te1#region;
		       JCTpointer(JCtag(st, []), a, b),
		       te1#region,
		       JCTbitwise_cast(te1, label(), st))
		| JCTnull ->
		    (* bitwise cast *)
		    (Region.make_bitwise te1#region;
		     JCTpointer(JCtag(st,[]),None,None),
		     te1#region,
		     JCTbitwise_cast(te1, label(), st))
		| JCTnative _ | JCTlogic _ | JCTenum _ | JCTany
		| JCTtype_var _ -> not_the_good_type e#pos te1#typ "only structures can be cast"

	      end
	  | JCTpointer (JCroot _, _, _)  -> assert false (* TODO *)
	  | JCTtype_var _|JCTlogic _|JCTany|JCTnull -> assert false (* TODO *)
	end
    | JCNEif(e1, e2, e3) ->
        let te1 = ft e1 and te2 = ft e2 and te3 = ft e3 in
        Jc_type_var.add uenv e#pos (JCTnative Tboolean) te1#typ;
        let t =
          let t2 = te2#typ and t3 = te3#typ in
          if subtype_strict t2 t3 then t3 else
            if subtype_strict t3 t2 then t2 else
              (Jc_type_var.add uenv e#pos t2 t3;
               Jc_type_var.subst uenv t2)
		(* typing_error e#pos "incompatible result types"*)
              in
        t, te1#region, JCTif(te1, te2, te3)
    | JCNEoffset(k, e1) ->
        let te1 = ft e1 in
        begin match te1#typ with
          | JCTpointer(JCtag(st, _), _, _) ->
              integer_type, dummy_region, JCToffset(k, te1, st)
          | JCTpointer(JCroot _, _, _) ->
              assert false (* TODO *)
          | JCTnative _ | JCTlogic _ | JCTenum _ | JCTnull | JCTany -> typing_error e#pos "pointer expected"
          | JCTtype_var _ -> cast_needed te1#pos te1#typ

        end
    | JCNEaddress(Addr_absolute,e1) ->
        let te1 = ft e1 in
        if is_integer te1#typ then
	  JCTnull, dummy_region, JCTaddress(Addr_absolute,te1)
	else
          not_the_good_type te1#pos te1#typ "integer expected"
    | JCNEaddress(Addr_pointer,e1) ->
        let te1 = ft e1 in
        begin match te1#typ with
          | JCTpointer(JCtag(_st, _), _, _) ->
              integer_type, dummy_region, JCTaddress(Addr_pointer,te1)
          | JCTpointer(JCroot _, _, _) ->
              assert false (* TODO *)
          | JCTnative _ | JCTlogic _ | JCTenum _ | JCTnull | JCTany -> typing_error e#pos "pointer expected"
          | JCTtype_var _ -> cast_needed te1#pos te1#typ

        end
    | JCNEbase_block(e1) ->
        let te1 = ft e1 in
        if is_pointer_type te1#typ then
	  JCTnull, dummy_region, JCTbase_block(te1)
	else
          not_the_good_type te1#pos te1#typ "pointer expected"
          (*typing_error e#pos "pointer expected"*)
    | JCNElet(pty, id, Some e1, e2) ->
        let te1 = ft e1 in
        let ty = match pty with
          | None -> te1#typ
          | Some pty ->
              let ty = type_type pty in
              Jc_type_var.add uenv e1#pos te1#typ ty;
              Jc_type_var.subst uenv ty
        in
        let vi = var ty id in
        let te2 = term ((id, vi)::env) e2 in
        te2#typ, te2#region, JCTlet(vi,te1,te2)
    | JCNElet(_ (* Some pty *), _id, None, _e2) ->
        typing_error e#pos "let without initial value"
(*
        let vi = var (type_type pty) id in
        let te2 = term ((id, vi)::env) e2 in
        te2#typ, te2#region, JCTlet(vi,None,te2)
    | JCNElet(None, _, None, _) ->
        typing_error e#pos "let with no initial value must have a type"
*)
    | JCNEmatch(arg, pel) ->
        let targ = ft arg in
        let rty, tpel = match pel with
          | [] -> assert false (* should not be allowed by the parser *)
          | (p1, e1)::rem ->
              (* type the first item *)
              let penv, tp1 = pattern p1 targ#typ in
              let te1 = term (penv @ env) e1 in
              (* type the remaining items *)
              List.fold_left
                (fun (accrty, acctpel) (p, e2) ->
                   let penv, tp = pattern p targ#typ in
                   let te2 = term (penv @ env) e2 in
                   mintype e#pos accrty te2#typ,
                   (tp, te2)::acctpel)
                (te1#typ, [tp1, te1])
                (List.rev rem)
        in
        rty, targ#region, JCTmatch(targ, List.rev tpel)
    | JCNEold e1 ->
        let te1 = ft e1 in
        te1#typ, te1#region, JCTold te1
    | JCNEat(e1, lab) ->
        let te1 = ft e1 in
        te1#typ, te1#region, JCTat(te1, lab)
    | JCNEmutable(_e, _t) -> assert false (* TODO *)
    | JCNErange(Some e1, Some e2) ->
        let e1 = ft e1 and e2 = ft e2 in
        let t1 = e1#typ and t2 = e2#typ in
        assert (is_numeric t1 && is_numeric t2);
        let t = lub_numeric_types t1 t2 in
        JCTnative t, dummy_region,
        JCTrange(Some (term_coerce t1 t e1),Some (term_coerce t2 t e2))
    | JCNErange(Some e, None) ->
        let e = ft e in
        let t = e#typ in
        assert (is_numeric t);
        t, dummy_region,JCTrange(Some e,None)
    | JCNErange(None, Some e) ->
        let e = ft e in
        let t = e#typ in
        assert (is_numeric t);
        t,dummy_region, JCTrange(None,Some e)
    | JCNErange(None, None) ->
        integer_type, dummy_region,JCTrange(None,None)
    (* Not terms: *)
    | JCNEassign _ | JCNEalloc _ | JCNEfree _ | JCNEblock _ | JCNEassert _ | JCNEfresh _
    | JCNEloop _ | JCNEreturn _ | JCNEtry _ | JCNEthrow _ | JCNEpack _
    | JCNEunpack _ | JCNEquantifier _ | JCNEcontract _
    | JCNEeqtype _ | JCNEsubtype _ ->
	typing_error e#pos "construction %a not allowed in logic terms"
	  Jc_noutput.expr e
  in
  new term
    ~typ: t
    ~region: tr
    ~mark: !lab
    ?label: e#label
    ~pos: e#pos
    te

(******************************************************************************)
(*                                 Assertions                                 *)
(******************************************************************************)

(*
let term label_env label env e =
  type_labels label_env label e;
  term env e
*)

(*
let rel_unary_op loc op t =
  match op with
    | `Unot | `Ubw_not -> assert false
    | `Uminus | `Uplus ->
        typing_error loc "not a proposition"
    | `Upostfix_dec | `Upostfix_inc | `Uprefix_dec | `Uprefix_inc ->
        typing_error loc "pre/post incr/decr not allowed as logical term"
*)

let rel_bin_op t (op: [< comparison_op]) =
  (bin_op t op :> pred_rel_op)
(*
  match t,op with
    | Tinteger,BPgt -> gt_int
    | Tinteger,BPlt -> lt_int
    | Tinteger,BPge -> ge_int
    | Tinteger,BPle -> le_int
    | _,BPeq -> eq
    | _,BPneq -> neq
    | _,(BPadd | BPsub | BPmul | BPdiv | BPmod) -> assert false
    | _,(BPland | BPlor | BPimplies | BPiff) -> assert false
    | _ -> assert false  (* TODO *)
*)

let make_and a1 a2 =
  match (a1#node, a2#node) with
    | (JCAtrue,_) -> a2
    | (_,JCAtrue) -> a1
(*
    | (LFalse,_) -> LFalse
    | (_,LFalse) -> LFalse
*)
    | (JCAand l1 , JCAand l2) -> new assertion(JCAand(l1@l2))
    | (JCAand l1 , _ ) -> new assertion(JCAand(l1@[a2]))
    | (_ , JCAand l2) -> new assertion(JCAand(a1::l2))
    | _ -> new assertion(JCAand [a1;a2])

let rec make_and_list l =
  match l with
    | [] -> assert false
    | [a] -> a
    | f::r -> make_and f (make_and_list r)

let make_or a1 a2 =
  match (a1#node, a2#node) with
    | (JCAfalse,_) -> a2
    | (_,JCAfalse) -> a1
(*
    | (LFalse,_) -> LFalse
    | (_,LFalse) -> LFalse
*)
    | (JCAor l1 , JCAor l2) -> new assertion(JCAor(l1@l2))
    | (JCAor l1 , _ ) -> new assertion(JCAor(l1@[a2]))
    | (_ , JCAor l2) -> new assertion(JCAor(a1::l2))
    | _ -> new assertion(JCAor [a1;a2])

let make_rel_bin_op loc (op: [< comparison_op]) e1 e2 =
  let t1 = e1#typ and t2 = e2#typ in
  must_be_subtypable e1#pos t1;
  must_be_subtypable e2#pos t2;
  match op with
    | `Bgt | `Blt | `Bge | `Ble ->
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          JCArelation(term_coerce t1 t e1,
                      rel_bin_op (operator_of_native t) op,
                      term_coerce t2 t e2)
        else
          typing_error loc "numeric types expected for >, <, >= and <="
    | `Beq | `Bneq ->
(**)
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          JCArelation(term_coerce t1 t e1,
                      rel_bin_op (operator_of_native t) op,
                      term_coerce t2 t e2)
        else
(**)
          let t = eq_operator_of_type (mintype loc t1 t2) in
          if comparable_types t1 t2 then
            JCArelation(e1, rel_bin_op t op, e2)
          else
            typing_error loc "terms should have the same type for == and !="

let tag env hierarchy t =
  let check_hierarchy loc st =
    if hierarchy <> "" &&
      root_name st != hierarchy then
        typing_error loc
          "this is in the hierarchy of %s, while it should be in the hierarchy \
of %s"
          (root_name st) hierarchy
  in
  let tt = match t#node with
    | JCPTtag id ->
        let st = find_struct_info id#pos id#name in
        check_hierarchy id#pos st;
        JCTtag st
    | JCPTbottom -> JCTbottom
    | JCPTtypeof tof ->
        let ttof = term env tof in
        match ttof#typ with
          | JCTpointer(JCtag(st, _), _, _) ->
              check_hierarchy tof#pos st;
              JCTtypeof (ttof, st)
          | _ -> not_the_good_type tof#pos ttof#typ "tag pointer expression expected"
  in
  new tag ~pos:t#pos tt

let rec assertion env e =
  let fa = assertion env in
  let ft = term env in
  let lab = ref "" in
  let label () = get_label e in
  let struct_for_tags ttag1 ttag2 =
    match ttag1#node, ttag2#node with
      | JCTbottom, JCTbottom -> None
      | JCTbottom, JCTtag st
      | JCTtag st, JCTbottom
      | JCTbottom, JCTtypeof(_, st)
      | JCTtypeof(_, st), JCTbottom -> Some st
      | JCTtag st1, JCTtag st2
      | JCTtypeof(_, st1), JCTtag st2
      | JCTtag st1, JCTtypeof(_, st2)
      | JCTtypeof(_, st1), JCTtypeof(_, st2) ->
          if st1.jc_struct_info_hroot != st2.jc_struct_info_hroot then
            typing_error e#pos "the hierarchy %s and %s are different"
              (root_name st1)
              (root_name st2)
          else
            Some st1.jc_struct_info_hroot
  in
  let ta = match e#node with
    | JCNElabel(l, e) ->
        let te = fa e in
        lab := l;
        te#node
    | JCNEbinary(e1, (`Bland | `Blor | `Bimplies | `Biff as op), e2) ->
        let a1 = fa e1 and a2 = fa e2 in
        begin match op with
          | `Bland -> (make_and a1 a2)#node
          | `Blor -> (make_or a1 a2)#node
          | `Bimplies -> JCAimplies(a1, a2)
          | `Biff -> JCAiff(a1, a2)
        end
    | JCNEbinary(e1, (#comparison_op as op), e2) ->
        make_rel_bin_op e#pos op (ft e1) (ft e2)
    | JCNEunary(`Unot, e1) ->
        JCAnot(fa e1)
    | JCNEapp (id, labs, args) ->
        begin try
          let pi = find_logic_info id in
          let subst = Jc_type_var.instance pi.jc_logic_info_poly_args in
          let tl = try
            List.map2
              (fun vi e ->
                 let ty = subst vi.jc_var_info_type in
                 let te = ft e in
                 Jc_type_var.add uenv te#pos te#typ ty;
                 te)
              pi.jc_logic_info_parameters args
          with Invalid_argument _ ->
            typing_error e#pos "wrong number of arguments for %s" id
          in
	  let label_assoc =
		label_assoc e#pos id e#label pi.jc_logic_info_labels labs
	      in
          let app = {
            jc_app_fun = pi;
            jc_app_args = tl;
            jc_app_region_assoc = [];
            jc_app_label_assoc = label_assoc;
          } in
          JCAapp app
        with Not_found ->
          typing_error e#pos "unbound predicate identifier %s" id
        end
    | JCNEinstanceof(e1, t) ->
        JCAinstanceof(ft e1, label (), find_struct_info e#pos t)
    | JCNEcast _ -> assert false (* TODO *)
    | JCNEif(e1,e2,e3) ->
        let te1 = ft e1 and te2 = fa e2 and te3 = fa e3 in
        Jc_type_var.add uenv e1#pos te1#typ (JCTnative Tboolean);
        JCAif(te1,te2,te3)
    | JCNElet(ty,id,Some e1,e2) ->
	let te1 = ft e1 in
	let ty1 =
	  match ty with
	    | None -> te1#typ
	    | Some ty ->
		let ty = type_type ty in
		if comparable_types ty te1#typ then ty
		else not_the_good_type e1#pos te1#typ
		  "type not compatible with declared type"
	in
        let vi = var ty1 id in
        let env = (id, vi) :: env in
	let te2 = assertion env e2 in
	JCAlet(vi,te1,te2)
    | JCNElet(_ty,_id,None,_e2) ->
	assert false (* TODO *)
    | JCNEmatch(arg, pel) ->
        let targ = ft arg in
        let tpal = List.map
          (fun (pat, body) ->
             let vars, tpat = pattern pat targ#typ in
             let tbody = assertion (vars @ env) body in
             tpat, tbody)
          pel
        in
        JCAmatch(targ, tpal)
    | JCNEquantifier(q, ty, idl, trigs, e1) ->
        let ty = type_type ty in
        (make_quantifier q e#pos ty idl env trigs e1)#node
    | JCNEold e1 ->
        JCAold(fa e1)
    | JCNEat(e1, lab) ->
        JCAat(fa e1, lab)
    | JCNEmutable(e, t) ->
        let te = ft e in
        let te_st = match te#typ with
          | JCTpointer(JCtag(st, _), _, _) -> st
          | _ -> not_the_good_type e#pos te#typ "tag pointer expression expected"
        in
        let tt = tag env (root_name te_st) t in
        JCAmutable(te, te_st, tt)
    | JCNEeqtype(tag1, tag2) ->
        let ttag1 = tag env "" tag1 in
        let ttag2 = tag env "" tag2 in
	let st = struct_for_tags ttag1 ttag2 in
        JCAeqtype(ttag1, ttag2, st)
    | JCNEsubtype(tag1, tag2) ->
        let ttag1 = tag env "" tag1 in
        let ttag2 = tag env "" tag2 in
	let st = struct_for_tags ttag1 ttag2 in
        JCAsubtype(ttag1, ttag2, st)
    (* Boolean terms: *)
    | JCNEconst _ | JCNEvar _ | JCNEderef _ ->
        let t = ft e in
        begin match t#typ with
          | JCTnative Tboolean -> JCAbool_term t
          | _ -> typing_error e#pos "non boolean expression"
        end
    | JCNEfresh e1 -> 
        let te1 = ft e1 in
        if is_pointer_type te1#typ then JCAfresh(te1)
	else
          not_the_good_type te1#pos te1#typ "pointer expected"
    (* Not assertions: *)
    | JCNEoffset _ | JCNEaddress _ | JCNEbase_block _
    | JCNErange _ | JCNEassign _ | JCNEalloc _ | JCNEfree _
    | JCNEassert _ | JCNEblock _ | JCNEloop _ | JCNEreturn _ | JCNEtry _
    | JCNEthrow _ | JCNEpack _ | JCNEunpack _ | JCNEbinary _ | JCNEunary _
    | JCNEcontract _ ->
        typing_error e#pos "construction not allowed in logic assertions"
  in
  new assertion
    ~mark: !lab
    ?label: e#label
    ~pos: e#pos
    ta

and make_quantifier q loc ty idl env trigs e : assertion =
  match idl with
    | [] -> assertion env e (*Here the triggers disappear if idl start empty*)
    | id :: r ->
        let vi = var ty id#name in
        let env = ((id#name, vi) :: env) in
        let trigs_id,trigs_r =
          match r with
            | [] -> (*id is the last variable,
                      the trigger should stay here*)
                triggers env trigs,[]
            | _ -> [],trigs in
        let f =
          JCAquantifier (q, vi, trigs_id, make_quantifier q loc ty r env trigs_r e)
        in
        new assertion ~pos:loc f

and triggers env l =
  let pat e =
    match e#node with
    | JCNEapp (id,_,_) ->
        let pi = find_logic_info id in
        (match pi.jc_logic_info_result_type with
          | None ->   JCAPatP (assertion env e)
          | Some _ -> JCAPatT (term env e))
    | _ ->  typing_error e#pos "IllformedPattern" in
  List.map (List.map pat) l

(******************************************************************************)
(*                                Expressions                                 *)
(******************************************************************************)

let loop_annot =
  let cnt = ref 0 in
  fun ~behaviors ~free_invariant ~variant ->
    incr cnt;
    {
      jc_loop_tag = !cnt;
      jc_loop_behaviors = behaviors;
      jc_free_loop_invariant = free_invariant;
      jc_loop_variant = variant;
    }

let rec location_set env e =
  let ty,r,locs_node = match e#node with
    | JCNElabel(_l,_e) ->
        assert false (* TODO *)
    | JCNEvar id ->
        let vi =
          try List.assoc id env with Not_found ->
            try Hashtbl.find variables_env id with Not_found ->
              typing_error e#pos "unbound identifier %s" id
        in
        begin match vi.jc_var_info_type with
          | JCTpointer _ ->
              vi.jc_var_info_type, vi.jc_var_info_region, JCLSvar vi
          | _ -> assert false
        end
    | JCNEbinary(e, `Badd, i) ->
	begin try
          let ty,tr,te = location_set env e in
	  let ti = term env i in
          begin match ty, ti#typ with
            | JCTpointer(_st,_,_), t2 when is_integer t2 ->
                begin match ti#node with
                  | JCTrange(t1,t2) -> ty,tr,JCLSrange(te,t1,t2)
                  | _ -> ty,tr,JCLSrange(te,Some ti,Some ti)
		      (* TODO ?
			 | _ -> ty,tr,JCLSshift(te,ti)
		      *)
                end
            | JCTpointer _, _ ->
                typing_error i#pos "integer expected, %a found"
                  print_type ti#typ
            | _ ->
                typing_error e#pos "pointer expected"
          end
	with Typing_error _ ->
          let t1 = term env e in
          let ty, tr, te = t1#typ, t1#region, t1 in
	  let ti = term env i in
          begin match ty, ti#typ with
            | JCTpointer(_st,_,_), t2 when is_integer t2 ->
                begin match ti#node with
                  | JCTrange(t1,t2) -> ty,tr,JCLSrange_term(te,t1,t2)
                  | _ -> ty,tr,JCLSrange_term(te,Some ti,Some ti)
		      (* TODO ?
			 | _ -> ty,tr,JCLSshift(te,ti)
		      *)
                end
            | JCTpointer _, _ ->
                typing_error i#pos "integer expected, %a found"
                  print_type ti#typ
            | _ ->
                typing_error e#pos "pointer expected"
          end
	end
    | JCNEbinary _ ->
        assert false
    | JCNEderef(ls, f) ->
        let t,tr,tls = location_set env ls in
        let fi = find_field e#pos t f false in
        let fr = Region.make_field tr fi in
        fi.jc_field_info_type, fr, JCLSderef(tls, get_label e, fi, fr)
    | JCNEat(ls, lab) ->
	let t,tr,tls = location_set env ls in
	t,tr,JCLSat(tls,lab)
    | JCNEfresh _ 
    | JCNErange _ | JCNEeqtype _ | JCNEmutable _ | JCNEold _
    | JCNEquantifier _ | JCNEmatch _ | JCNEunpack _ | JCNEpack _ | JCNEthrow _
    | JCNEtry _ |JCNEreturn _ | JCNEloop _ |JCNEblock _ | JCNEassert _
    | JCNElet _ |JCNEfree _ | JCNEalloc _ | JCNEoffset _ | JCNEaddress _
    | JCNEif _ | JCNEcast _ | JCNEbase_block _
    | JCNEinstanceof _ | JCNEassign _ | JCNEapp _ | JCNEunary _
    | JCNEconst _ | JCNEcontract _ | JCNEsubtype _ ->
        typing_error e#pos "invalid memory location"
  in
  let locs =
    new location_set
      ~pos: e#pos
      ~typ:ty
      ~region:r
      ?label: e#label
      locs_node
  in ty,r,locs

let rec location env e =
  let ty,r,loc_node = match e#node with
    | JCNElabel(_l, _e) ->
        assert false (* TODO *)
    | JCNEvar id ->
        let vi =
          try List.assoc id env with Not_found ->
            try Hashtbl.find variables_env id with Not_found ->
              typing_error e#pos "unbound identifier %s" id
        in
        vi.jc_var_info_type, vi.jc_var_info_region, JCLvar vi
    | JCNEderef(ls, f) ->
(*
	begin try
*)
          let t, tr, tls = location_set env ls in
          let fi = find_field e#pos t f false in
          let fr = Region.make_field tr fi in
          fi.jc_field_info_type, fr, JCLderef(tls, get_label e, fi, fr)
(*
	with Typing_error _ ->
          let t1 = term env ls in
          let fi = find_field e#pos t1#typ f false in
          let fr = Region.make_field t1#region fi in
          fi.jc_field_info_type, fr, JCLderef_term(t1, fi)
	end
*)
    | JCNEat(e, lab) ->
        let t, tr, tl = location env e in
        t, tr, JCLat(tl, lab)
    | JCNErange _ | JCNEeqtype _ | JCNEmutable _ | JCNEold _
    | JCNEquantifier _ | JCNEmatch _ | JCNEunpack _ | JCNEpack _ | JCNEthrow _
    | JCNEtry _ | JCNEreturn _ | JCNEloop _ | JCNEblock _ | JCNEassert _
    | JCNElet _ | JCNEfree _ | JCNEalloc _ | JCNEoffset _ | JCNEaddress _
    | JCNEif _ | JCNEcast _ | JCNEbase_block _
    | JCNEinstanceof _ | JCNEassign _ | JCNEapp _ | JCNEunary _ | JCNEbinary _
    | JCNEconst _ | JCNEcontract _ | JCNEsubtype _ | JCNEfresh _ ->
        typing_error e#pos "invalid memory location"
  in
  let loc =
    new location
      ~pos: e#pos
      ~typ:ty
      ~region:r
      ?label: e#label
      loc_node
  in ty,r,loc

let behavior env vi_result (loc, id, throws, assumes, _requires, assigns, allocates, ensures) =
  let throws,env_result =
    match throws with
      | None -> None, (vi_result.jc_var_info_name,vi_result)::env
      | Some id ->
          try
            let ei =
              StringHashtblIter.find exceptions_table id#name
            in
            let tei = match ei.jc_exception_info_type with
              | Some tei -> tei
              | None -> typing_error id#pos
                  "exception without value"
            in
            let vi = var tei "\\result" in
            vi.jc_var_info_final_name <- "result";
            Some ei, (vi.jc_var_info_name,vi)::env
          with Not_found ->
            typing_error id#pos
              "undeclared exception %s" id#name
  in
  let assumes = Option_misc.map (assertion env) assumes in
  (*
    let requires = Option_misc.map (assertion (Some "Here") env) requires in
  *)
  let assigns =
    Option_misc.map
      (fun (loc, l) ->
         (loc, List.map
            (fun a -> let _,_,tl = location env_result a in
             (match tl#node with
                | JCLvar vi -> vi.jc_var_info_assigned <- true
                | _ -> ());
             tl)
            l))
      assigns
  in
  let allocates =
    Option_misc.map
      (fun (loc, l) ->
         (loc, List.map
            (fun a -> let _,_,tl = location env_result a in
             (match tl#node with
                | JCLvar vi -> vi.jc_var_info_assigned <- true
                | _ -> ());
             tl)
            l))
      allocates
  in
  let b = {
    jc_behavior_throws = throws;
    jc_behavior_assumes = assumes;
    (*
      jc_behavior_requires = requires;
    *)
    jc_behavior_assigns = assigns;
    jc_behavior_allocates = allocates;
    jc_behavior_ensures = assertion env_result ensures;
    jc_behavior_free_ensures = Assertion.mktrue () }
  in
  (*
    eprintf "lab,loc for ensures: \"%s\", %a@."
    b.jc_behavior_ensures.jc_assertion_label
    Loc.gen_report_position b.jc_behavior_ensures.jc_assertion_loc;
  *)
  (loc,id,b)


let loopbehavior env (names,inv,ass) =
  (names,Option_misc.map (assertion env) inv,
     Option_misc.map
       (fun (_p,locs) ->
	  List.map
	    (fun l ->
	       let _,_,tl = location env l in tl) locs) ass)

let make_unary_op loc (op : Jc_ast.unary_op) e2 =
  let t2 = e2#typ in
  match op with
(*    | `Uprefix_inc | `Upostfix_inc | `Uprefix_dec | `Upostfix_dec (*as op*) ->
        begin
          let t = if is_pointer_type t2 then t2 else
            JCTnative (lub_numeric_types t2 t2) in
          match e2#node with
            | JCEvar v ->
                v.jc_var_info_assigned <- true;
                t, v.jc_var_info_region,
                assert false (* JCEincr_local(incr_op op, v) *)
            | JCEderef(e,f) ->
                t, e2#region,
                assert false (* JCEincr_heap(incr_op op, e, f) *)
            | _ -> typing_error e2#pos "not an lvalue"
        end*)
    | `Unot as op ->
        let t=
          match t2 with
            | JCTnative t2 ->
                begin
                  match t2 with
                    | Tboolean -> Tboolean
                    | _ -> assert false (* TODO *)
                end
            | _ ->
                typing_error loc "boolean expected"
        in (JCTnative t,dummy_region,
            JCEunary(unary_op (operator_of_native t) op, e2))
    | `Uminus ->
        if is_numeric t2 || is_gen_float t2 then
          let t = lub_numeric_types t2 t2 in
          (JCTnative t,dummy_region,
           JCEunary(unary_op (operator_of_native t) op, e2))
        else
          typing_error loc "numeric type expected"
    | `Ubw_not ->
        if is_numeric t2 then
          let t = lub_numeric_types t2 t2 in
          (JCTnative t,dummy_region,
           JCEunary(unary_op (operator_of_native t) op, e2))
        else
          typing_error loc "numeric type expected"

let coerce t1 t2 e =
  let tn1 =
    match t1 with
      | JCTenum _ri -> Tinteger
      | JCTnative t -> t
      | _ -> assert false
  in
  match tn1, t2 with
    | Tinteger,Treal ->
	begin
	  match e#node with
	    | JCEconst (JCCinteger n) ->
		new expr
		  ~typ:real_type
		  ~region:e#region
		  ~pos:e#pos
		  (JCEconst(JCCreal (n^".0")))
	    | _ ->
		new expr
		  ~typ: real_type
		  ~pos: e#pos
		  (JCEapp{
		     jc_call_fun = JClogic_fun real_of_integer;
		     jc_call_args = [e];
		     jc_call_region_assoc = [];
		     jc_call_label_assoc = [];
		   })
	end
    | _ -> e

let make_bin_op loc (op: operational_op) e1 e2 =
  let t1 = e1#typ and t2 = e2#typ in
  match op with
    | `Bgt | `Blt | `Bge | `Ble ->
        if is_numeric t1 && is_numeric t2
	  || is_gen_float t1 && is_gen_float t2
	then
          let t = lub_numeric_types t1 t2 in
          (boolean_type, dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
        else
          typing_error loc "numeric types expected for <, >, <= and >="
    | `Beq | `Bneq as op ->
        if is_numeric t1 && is_numeric t2
	  || is_gen_float t1 && is_gen_float t2
	then
          let t = lub_numeric_types t1 t2 in
          (boolean_type, dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
        else
          if t1 = boolean_type && t2 = boolean_type then
            (boolean_type, dummy_region, JCEbinary (e1, bin_op `Boolean op, e2))
          else
            if is_pointer_type t1 && is_pointer_type t2 &&
              comparable_types t1 t2 then
                (boolean_type, dummy_region,
                 JCEbinary(e1, bin_op `Pointer op, e2))
            else
              typing_error loc
                "numeric, boolean or pointer types expected for == and !="
    | `Badd as op  ->
        if is_pointer_type t1 && is_integer t2 then
          t1, e1#region, JCEshift(e1, coerce t2 Tinteger e2)
        else if is_numeric t1 && is_numeric t2
	  || is_gen_float t1 && is_gen_float t2
	then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,
           dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
        else
          typing_error loc "unexpected types for +"
    | `Bsub as op  ->
        if is_pointer_type t1 && is_integer t2 then
          let _,_,te = make_unary_op loc `Uminus e2 in
          let e2 = new expr_with ~node:te e2 in
          t1, e1#region, JCEshift(e1, coerce t2 Tinteger e2)
        else if
          is_pointer_type t1 && is_pointer_type t2
          && comparable_types t1 t2
        then
          (integer_type, dummy_region,
           JCEbinary(e1, bin_op `Pointer `Bsub, e2))
        else if is_numeric t1 && is_numeric t2
	  || is_gen_float t1 && is_gen_float t2
	then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t, dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
	else
          typing_error loc "unexpected types for -"
    | `Bmul | `Bdiv | `Bmod ->
        if is_numeric t1 && is_numeric t2
	  || is_gen_float t1 && is_gen_float t2
	then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
        else
	  typing_error loc "numeric types expected for multiplicative operators"
    | `Bbw_and | `Bbw_or | `Bbw_xor ->
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
        else if is_boolean t1 && is_boolean t2 then
          (boolean_type, dummy_region,
           JCEbinary(e1,
                     bin_op (operator_of_native Tboolean) op,
                     e2))
        else
	  typing_error loc "numeric types expected for bitwise operators"
    | `Blogical_shift_right | `Barith_shift_right | `Bshift_left as op  ->
        if is_numeric t1 && is_numeric t2 then
          let t = lub_numeric_types t1 t2 in
          (JCTnative t,dummy_region,
           JCEbinary(coerce t1 t e1,
                     bin_op (operator_of_native t) op,
                     coerce t2 t e2))
        else
	  typing_error loc "numeric types expected for shift operators"
    | `Bland | `Blor as op ->
        let t = match (t1, t2) with
          | JCTnative t1, JCTnative t2 ->
              begin match (t1, t2) with
                | Tboolean, Tboolean -> Tboolean
                | _ -> assert false (* TODO *)
              end
          | _ -> typing_error loc "booleans expected"
        in
        (JCTnative t,
         dummy_region,
         JCEbinary(e1, bin_op (operator_of_native t) op, e2))
    | `Bconcat -> assert false (* TODO *)


let reset_return_label, set_return_label, get_return_label =
  let has_label = ref false in
  (fun () -> has_label := false),
  (fun () -> has_label := true),
  (fun () -> !has_label)

let rec expr env e =
  let fe = expr env in
  let ft = term env in
  let lab = ref "" in
  let ty, region, typed_e = match e#node with
    (* old expressions *)
    | JCNEconst c ->
        let t, tr, tc = const c in t, tr, JCEconst tc
    | JCNElabel(l, e1) ->
        let te1 = fe e1 in
        lab := l;
        te1#typ, te1#region, te1#node
    | JCNEvar id ->
	begin try
          let vi =
            try List.assoc id env
	    with Not_found -> Hashtbl.find variables_env id
          in vi.jc_var_info_type, vi.jc_var_info_region, JCEvar vi
	with Not_found ->
          let pi =
	    try Hashtbl.find logic_functions_env id with Not_found ->
              typing_error e#pos "unbound identifier %s" id
	  in
          let app = {
            jc_call_fun = JClogic_fun pi;
            jc_call_args = [];
            jc_call_region_assoc = [];
            jc_call_label_assoc = [];
          } in
	  let ty =
	    match pi.jc_logic_info_result_type with
	      | Some r -> r
	      | None -> assert false (* check it is a function *)
	  in
	  ty, Region.make_var ty pi.jc_logic_info_name, JCEapp app
	end

    | JCNEderef(e1, f) ->
        let te1 = fe e1 in
        let fi = find_field e#pos te1#typ f false in
        fi.jc_field_info_type,
        Region.make_field te1#region fi,
        JCEderef(te1, fi)
    | JCNEbinary(e1, (#logical_op as op), e2) ->
        let te1 = fe e1 and te2 = fe e2 in
	(* boolean_type, dummy_region,  *)
	  begin match op with
	  | `Bland ->
	      (*
              JCEif(
                te1,
                te2,
                new expr ~typ:boolean_type (JCEconst(JCCboolean false))
              )
	      *)
	      make_bin_op e#pos `Bland te1 te2
          | `Blor ->
              (*
		JCEif(
                te1,
                new expr ~typ:boolean_type (JCEconst(JCCboolean true)),
                te2
              )
	      *)
	      make_bin_op e#pos `Blor te1 te2
	  | `Bimplies | `Biff ->
	      typing_error e#pos "unexpected operator in expression"
	end
    | JCNEbinary(e1, (#operational_op as op), e2) ->
        make_bin_op e#pos op (fe e1) (fe e2)
    | JCNEunary(op, e1) ->
        make_unary_op e#pos op (fe e1)
    | JCNEapp(id, labs, args) ->
        begin try
          let fi = find_fun_info id in
          assert (labs = []);
          let tl = try
            List.map2
              (fun (_valid,vi) e ->
                 let ty = vi.jc_var_info_type in
                 let te = fe e in
                 if subtype te#typ ty then te
                 else
                   typing_error e#pos "type %a expected instead of %a"
                     print_type ty print_type te#typ)
              fi.jc_fun_info_parameters args
          with Invalid_argument _ ->
            typing_error e#pos "wrong number of arguments for %s" id
          in
          let ty = fi.jc_fun_info_result.jc_var_info_type in
          ty,
          Region.make_var ty fi.jc_fun_info_name,
          JCEapp {
            jc_call_fun = JCfun fi;
            jc_call_args = tl;
            jc_call_region_assoc = [];
            jc_call_label_assoc = [];
          }
        with Not_found -> try
(* Yannick: no need for different rule for const logic *)
(*           if List.length args = 0 then *)
(*             let vi = Hashtbl.find logic_constants_env id in *)
(*             vi.jc_var_info_type, vi.jc_var_info_region, JCEvar vi *)
(*           else *)
	  begin
            let pi = find_logic_info id in
            let tl =
              try
                List.map2
                  (fun vi e ->
                     let ty = vi.jc_var_info_type in
                     let te = fe e in
                     if subtype_strict te#typ ty then te
                     else
                       typing_error e#pos
                         "type %a expected instead of %a"
                         print_type ty print_type te#typ)
                  pi.jc_logic_info_parameters args
              with  Invalid_argument _ ->
                typing_error e#pos
                  "wrong number of arguments for %s" id
            in
            let ty = match pi.jc_logic_info_result_type with
              | None ->
                  typing_error e#pos
                    "the logic info %s is a predicate; it should be \
used as an assertion, not as a term" pi.jc_logic_info_name
              | Some ty -> ty
            in
            let label_assoc =
              match e#label, pi.jc_logic_info_labels, labs with
                | Some l, [lf], [] -> [lf,l]
                | _ ->
                    try
                      List.map2
                        (fun l1 l2 -> (l1,l2))
                        pi.jc_logic_info_labels labs
                    with Invalid_argument _ ->
                      typing_error e#pos
                        "wrong number of labels for %s" id
            in
            let app = {
              jc_call_fun = JClogic_fun pi;
              jc_call_args = tl;
              jc_call_region_assoc = [];
              jc_call_label_assoc = label_assoc;
            } in
            ty, Region.make_var ty pi.jc_logic_info_name, JCEapp app
          end
        with Not_found ->
          typing_error e#pos "unbound function or logic function identifier %s" id
        end
    | JCNEassign(e1, e2) ->
        let te1 = fe e1 and te2 = fe e2 in
        let t1 = te1#typ and t2 = te2#typ in
	let te2 =
          if subtype t2 t1 then
	    match t2 with
	      | JCTnull -> new expr_with ~typ:t1 te2
	      | _ -> te2
	  else
	    (* particular case for floats: implicit cast *)
	    begin
	      match (t1,t2) with
		| JCTnative (Tgenfloat f1), JCTnative (Tgenfloat f2) ->
		    begin
		      match (f2,f1) with
			| `Binary80,`Binary80 -> te2
			| `Double,`Double -> te2
			| `Float,`Float -> te2
			| _ ->
			    new expr ~typ:t1 ~pos:te2#pos
			      (JCEreal_cast(te2, Round(f1,Round_nearest_even)))
		    end
		| _ ->
		    typing_error e2#pos
		      "type '%a' expected in assignment instead of '%a'"
		      print_type t1 print_type t2
	    end
	in
          begin
	    match te1#node with
              | JCEvar v ->
                  v.jc_var_info_assigned <- true;
                  t1, te2#region, JCEassign_var(v, te2)
              | JCEderef(e, f) ->
                  t1, te2#region, JCEassign_heap(e, f, te2)
              | _ -> typing_error e1#pos "not an lvalue"
	  end
    | JCNEinstanceof(e1, t) ->
        let te1 = fe e1 in
        let st = find_struct_info e#pos t in
        boolean_type, dummy_region, JCEinstanceof(te1, st)
    | JCNEcast(e1, t) ->
       let te1 = fe e1 in
	let ty = type_type t in
	begin match ty with
	  | JCTnative Tinteger ->
	      (* if is_real te1#typ then
		integer_type, te1#region, JCEreal_cast(te1,Real_to_integer)
	      else*) if is_integer te1#typ then
		integer_type, te1#region, te1#node
	      else
		typing_error e#pos "bad cast to integer"
	  | JCTnative Treal ->
	      if is_integer te1#typ then
		real_type, te1#region, JCEreal_cast(te1,Integer_to_real)
	      else if is_real te1#typ then
		real_type, te1#region, te1#node
	      else if is_double te1#typ then
		real_type, te1#region, JCEreal_cast(te1,Double_to_real)
	      else if is_float te1#typ then
		real_type, te1#region, JCEreal_cast(te1,Float_to_real)
	      else
		typing_error e#pos "bad cast to real"
	  | JCTnative (Tgenfloat f) ->
	       if is_real te1#typ || is_integer te1#typ then
                JCTnative (Tgenfloat f), te1#region, JCEreal_cast(te1, Round (f,Round_nearest_even))
	       else
		 begin
		   match te1#typ with
		     | JCTnative (Tgenfloat f1) ->
			 let e =
			   match (f1,f) with
			     | `Binary80,`Binary80 -> te1#node
			     | `Double,`Double -> te1#node
			     | `Float,`Float -> te1#node
			     | _ ->
				 JCEreal_cast(te1, Round(f,Round_nearest_even))
			 in
			   JCTnative (Tgenfloat f), te1#region, e
		     | _ -> typing_error e#pos "bad cast to floating-point number"
		 end
(*
	  | JCTnative Tdouble ->
              if is_real te1#typ || is_integer te1#typ then
                double_type, te1#region, JCEreal_cast(te1,Round_double Round_nearest_even)
              else if is_float te1#typ then
                double_type, te1#region, te1#node
	      else
		typing_error e#pos "bad cast to double"
	  | JCTnative Tfloat ->
              if is_real te1#typ || is_double te1#typ || is_integer te1#typ then
                float_type, te1#region, JCEreal_cast(te1,Round_float Round_nearest_even)
	      else
		typing_error e#pos "bad cast to float"
*)
	  | JCTnative _ -> assert false (* TODO *)
	  | JCTenum ri ->
	      if is_integer te1#typ then
		JCTenum ri, dummy_region, JCErange_cast(te1, ri)
	      else
		(* CM je ne comprends pas ce cast de real vers enum
		   if is_real te1#typ then
		let cast = NExpr.mkcast ~expr:e1 ~typ:integer_type () in
		let t = ft cast in
		  JCTenum ri, te1#region, JCErange_cast(t, ri)
	      else
		*)
		typing_error e#pos "integer type expected"
	  | JCTpointer(JCtag(st,_),_,_) ->
	      begin match te1#typ with
		| JCTpointer(st1, a, b) ->
		    if superstruct st st1 then
		      (te1#typ,
		       te1#region,
		       te1#node)
		    else if substruct st st1 then
		      (JCTpointer(JCtag(st, []), a, b),
		       te1#region,
		       JCEcast(te1, st))
		    else if same_hierarchy (JCtag(st, [])) st1 then
		      typing_error e#pos "invalid cast"
		    else
		      (* bitwise cast *)
		      (Region.make_bitwise te1#region;
		       JCTpointer(JCtag(st, []), a, b),
		       te1#region,
		       JCEbitwise_cast(te1, st))
		| JCTnull ->
		    (* bitwise cast *)
		    (Region.make_bitwise te1#region;
		     JCTpointer(JCtag(st,[]),None,None),
		     te1#region,
		     JCEbitwise_cast(te1, st))
		| JCTnative _ | JCTlogic _ | JCTenum _ | JCTany
		| JCTtype_var _ ->
		    typing_error e#pos "only structures can be cast"
	      end
	  | JCTpointer (JCroot _, _, _)  -> assert false (* TODO *)
	  | JCTtype_var _|JCTlogic _|JCTany|JCTnull -> assert false (* TODO *)
	end
    | JCNEif(e1,e2,e3) ->
        let te1 = fe e1 and te2 = fe e2 and te3 = fe e3 in
        begin match te1#typ with
          | JCTnative Tboolean ->
	      let te2,te3 =
		if same_type_no_coercion te2#typ te3#typ then
		  te2,te3
		else
		  unit_expr te2, unit_expr te3
	      in
              let t = mintype e#pos
                te2#typ
                te3#typ
              in
              t, te2#region, JCEif(te1, te2, te3)
          | _ -> typing_error e1#pos "boolean expression expected"
        end
    | JCNEoffset(k, e1) ->
        let te1 = fe e1 in
        begin match te1#typ with
          | JCTpointer(JCtag(st, _), _, _) ->
              integer_type, dummy_region, JCEoffset(k, te1, st)
          | JCTpointer(JCroot _, _, _) ->
              assert false (* TODO *)
          | _ -> typing_error e#pos "pointer expected"
        end
    | JCNEaddress(Addr_absolute,e1) ->
        let te1 = fe e1 in
	if is_integer  te1#typ then
          JCTnull, dummy_region, JCEaddress(Addr_absolute,te1)
	else
	  typing_error e#pos "integer expected"
    | JCNEaddress(Addr_pointer,e1) ->
        let te1 = fe e1 in
        begin match te1#typ with
          | JCTpointer(JCtag(_st, _), _, _) ->
              integer_type, dummy_region, JCEaddress(Addr_pointer,te1)
          | JCTpointer(JCroot _, _, _) ->
              assert false (* TODO *)
          | _ -> typing_error e#pos "pointer expected"
        end
    | JCNEbase_block(e1) ->
        let te1 = fe e1 in
	if is_pointer_type te1#typ then
          JCTnull, dummy_region, JCEbase_block(te1)
	else
	  typing_error e#pos "pointer expected"
    | JCNEalloc(e1, t) ->
        let st = find_struct_info e#pos t in
        let ty = JCTpointer(JCtag(st, []), Some zero, None) in
        ty, Region.make_var ty "alloc", JCEalloc (fe e1, st)
    | JCNEfree e1 ->
        unit_type, dummy_region, JCEfree (fe e1)
    | JCNElet(tyo, id, e1o, e2) ->
        let ty, te1o = match tyo, e1o with
          | None, None ->
              typing_error e#pos "let with no initial value must have a type"
          | Some ty, None ->
              type_type ty, None
          | None, Some e1 ->
              let te1 = fe e1 in
              te1#typ, Some te1
          | Some ty, Some e1 ->
              let te1 = fe e1 in
              let tty = type_type ty in
              if subtype te1#typ tty then
                tty, Some te1
              else
                typing_error e#pos
                  "inferred type is not a subtype of declared type"
        in
        let vi = var ty id in
        let te2 = expr ((id, vi)::env) e2 in
        te2#typ,
        te2#region,
        JCElet(vi, te1o, te2)
    (* old statements *)
    | JCNEassert(behav,asrt,e1) ->
        unit_type, dummy_region, JCEassert(behav,asrt,assertion env e1)
    | JCNEcontract(req,dec,behs,e) ->
	let requires = Option_misc.map (assertion env) req in
	let decreases = Option_misc.map (fun (t,rel) -> term env t,rel) dec in
	let e = expr env e in
	let vi_result = var (e#typ) "\\result" in
	let behs = List.map (behavior env vi_result) behs in
	e#typ,e#region,JCEcontract(requires,decreases,vi_result,behs,e)
    | JCNEblock el ->
        (* No warning when a value is ignored. *)
        let tel = List.map fe el in
        begin match List.rev tel with
          | [] ->
              unit_type, dummy_region, JCEconst JCCvoid
          | last::but_last ->
	      let but_last = List.map unit_expr but_last in
              last#typ, last#region, JCEblock(List.rev(last::but_last))
        end
    | JCNEloop(behs, vo, body) ->
        let behaviors = List.map (loopbehavior env) behs in
        let variant =
          Option_misc.map
            (fun (v,r) ->
               let r = Option_misc.map
                 (fun id -> find_logic_info id#name) r
               in
               (ft v,r))
            vo
        in
        (unit_type,
         dummy_region,
         JCEloop(
          loop_annot ~behaviors
            ~free_invariant:(Assertion.mktrue ())
            ~variant,
           fe body))
    | JCNEreturn None ->
        unit_type, dummy_region, JCEreturn_void
    | JCNEreturn(Some e1) ->
        let te1 = fe e1 in
        let vi = List.assoc "\\result" env in
        if subtype te1#typ vi.jc_var_info_type then
          (unit_type,
           te1#region,
           JCEreturn(vi.jc_var_info_type, te1))
        else
          typing_error e#pos "type `%a' expected in return instead of `%a'"
            print_type vi.jc_var_info_type print_type te1#typ
    | JCNEtry(body, catches, finally) ->
        let tbody = unit_expr (fe body) in
        let tfinally = unit_expr (fe finally) in
        let tcatches = List.map begin function (id, v, cbody) ->
	  if id#name = Jc_norm.return_label#name then set_return_label ();
          let ei = try
            StringHashtblIter.find exceptions_table id#name
          with Not_found ->
            typing_error id#pos "undeclared exception: %s" id#name
          in
          match ei.jc_exception_info_type with
            | Some tei ->
		let vi = var tei v in
		ei, Some vi, unit_expr (expr ((v, vi) :: env) cbody)
            | None -> ei, None, unit_expr (fe cbody)
        end catches in
          tbody#typ,
        tbody#region,
        JCEtry(tbody, tcatches, tfinally)
    | JCNEthrow(id, e1o) ->
        let ei = try
          StringHashtblIter.find exceptions_table id#name
        with Not_found ->
          typing_error id#pos "undeclared exception %s" id#name
        in
        let region, te1o = match e1o with
          | None -> dummy_region, None
          | Some e1 ->
              let te1 = fe e1 in
              let tei = match ei.jc_exception_info_type with
                | Some tei -> tei
                | None -> typing_error e#pos "this exception has no argument"
              in
              if subtype te1#typ tei then
                te1#region, Some te1
              else
                typing_error e#pos "type `%a' expected instead of `%a'"
                  print_type tei print_type te1#typ
        in
        Jc_pervasives.any_type, region, JCEthrow(ei, te1o)
    | JCNEpack(e1, t) ->
        let te1 = fe e1 in
        begin match te1#typ with
          | JCTpointer(JCtag(st, _), _, _) ->
              let as_t = match t with
                | Some t -> find_struct_info t#pos t#name
                | None -> st
              in
              unit_type, te1#region, JCEpack(st, te1, as_t)
          | _ -> typing_error e#pos "only structures can be packed"
        end
    | JCNEunpack(e1, t) ->
        let te1 = fe e1 in
        begin match te1#typ with
          | JCTpointer(JCtag(st, []), _, _) ->
              let from_t = match t with
                | Some t -> find_struct_info t#pos t#name
                | None ->
                    let rec res = {
                      jc_struct_info_params = [];
                      jc_struct_info_name = "bottom";
                      jc_struct_info_parent = None;
                      jc_struct_info_hroot = res;
                      jc_struct_info_fields = [];
                      jc_struct_info_root = None;
                    }
                    in res
              in
              unit_type, te1#region, JCEunpack(st, te1, from_t)
          | _ -> typing_error e#pos "only structures can be unpacked"
        end
    | JCNEmatch(arg, pel) ->
        let targ = fe arg in
        let rty, tpel = match pel with
          | [] -> assert false (* should not be allowed by the parser *)
          | (p1, e1)::rem ->
              (* type the first item *)
              let penv, tp1 = pattern p1 targ#typ in
              let te1 = expr (penv @ env) e1 in
              (* type the remaining items *)
              List.fold_left
                (fun (accrty, acctpel) (p, e2) ->
                   let penv, tp = pattern p targ#typ in
                   let te2 = expr (penv @ env) e2 in
                   mintype e#pos accrty te2#typ,
                   (tp, te2)::acctpel)
                (te1#typ, [tp1, te1])
                rem
        in
        rty, targ#region, JCEmatch(targ, List.rev tpel)
    (* logic only *)
    | JCNEquantifier _ | JCNEold _ | JCNEat _ | JCNEmutable _
    | JCNEeqtype _ | JCNErange _ | JCNEsubtype _ | JCNEfresh _ ->
        typing_error e#pos "construction not allowed in expressions"
  in
(*
  if !lab = "L2" then
    Format.eprintf "Jc_typing.expr: adding label L2@.";
*)
  new expr
    ~pos: e#pos
    ~typ: ty
    ~region: region
    ~mark: !lab
    typed_e

(*******************************************************************************)
(*                                  Declarations                               *)
(*******************************************************************************)



let default_label l =
  match l with
    | [l] -> Some l
    | _ -> None

(** Apply [type_labels] in all expressions of a normalized clause,
with the correct label environment. *)
let type_labels_in_clause = function
  | JCCrequires e | JCCdecreases(e,_) ->
      type_labels [LabelHere] ~result_label:None (Some LabelHere) e
  | JCCbehavior(_, _, _, assumes, requires, assigns, allocates, ensures) ->
      Option_misc.iter
	(type_labels [LabelHere] ~result_label:None (Some LabelHere)) assumes;
      Option_misc.iter
	(type_labels [LabelHere] ~result_label:None (Some LabelHere)) requires;
      Option_misc.iter
        (fun (_, x) ->
           List.iter
             (type_labels [LabelOld; LabelPre; LabelPost]
		~result_label:(Some LabelPost) (Some LabelOld)) x)
        assigns;
      Option_misc.iter
        (fun (_, x) ->
           List.iter
             (type_labels [LabelOld; LabelPre; LabelPost]
(* warning: allocates L: L evaluated in the post-state *)
		~result_label:(Some LabelHere) (Some LabelHere)) x)
        allocates;
      type_labels [LabelOld; LabelPre; LabelHere]
	~result_label:(Some LabelHere) (Some LabelHere) ensures

(** Apply [type_labels] in all expressions of a normalized declaration,
with the correct label environment. *)
let rec type_labels_in_decl d = match d#node with
  | JCDvar(_, _, init) ->
      Option_misc.iter (type_labels [] ~result_label:None None) init
  | JCDfun(_, _, _, clauses, body) ->
      Option_misc.iter
        (type_labels [LabelHere; LabelPre] ~result_label:None (Some LabelHere))
        body;
      List.iter type_labels_in_clause clauses
  | JCDtag(_, _, _, _, invs) ->
      List.iter
        (fun (_, _, e) ->
	   type_labels [LabelHere] ~result_label:None (Some LabelHere) e) invs
  | JCDlemma(_, _, _, labels, body) ->
(*
      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
*)
      type_labels labels ~result_label:None (default_label labels) body
  | JCDlogic(_, _, _, _labels, _, JCnone) -> ()
  | JCDlogic(_, _, _, labels, _, JCreads el) ->
(*
      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
*)
      List.iter
	(type_labels labels
	   ~result_label:(Some LabelPost) (default_label labels)) el
  | JCDlogic(_, _, _, labels, _, JCexpr e) ->
(*
      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
*)
      type_labels labels  ~result_label:None (default_label labels) e
  | JCDlogic(_, _, _, _labels, _, JCinductive l) ->
(*
      let _labels = match labels with [] -> [ LabelHere ] | _ -> labels in
*)
      List.iter (fun (_,labels,e) ->
		   type_labels labels
		     ~result_label:None (default_label labels) e) l
  | JCDglobal_inv(_, body) ->
      type_labels [LabelHere] ~result_label:None (Some LabelHere) body
  | JCDvariant_type _ | JCDunion_type _ | JCDenum_type _ | JCDlogic_type _
  | JCDexception _ | JCDinvariant_policy _ | JCDseparation_policy _
  | JCDannotation_policy _ | JCDabstract_domain _ | JCDint_model _
  | JCDtermination_policy _ | JCDlogic_var _ ->
      ()
  | JCDaxiomatic(_id,l) -> List.iter type_labels_in_decl l
  | JCDpragma_gen_sep _ | JCDpragma_gen_frame _ | JCDpragma_gen_sub _
  | JCDpragma_gen_same _ -> ()


(* <====== A partir d'ici, c'est pas encore fait *)



let clause env vi_result c acc =
  match c with
    | JCCrequires e ->
        { acc with
          jc_fun_requires =
            make_and (assertion env e) acc.jc_fun_requires; }
    | JCCdecreases(e,r) ->
	assert (acc.jc_fun_decreases = None);
	let pi = Option_misc.map
	  (fun id ->
             let pi =
	       try Hashtbl.find logic_functions_env id#name
	       with Not_found ->
		 typing_error e#pos "unbound ordering relation %s" id#name
	     in pi)
	  r
	in
        { acc with jc_fun_decreases = Some(term env e,pi) }

    | JCCbehavior b ->
	let (loc,id,b) = behavior env vi_result b in
	if id = "default" then
	  { acc with jc_fun_default_behavior = loc,id,b }
	else
          { acc with jc_fun_behavior = (loc,id,b)::acc.jc_fun_behavior }

let param (t,id) =
  let ty = type_type t in
  let vi = var ~formal:true ty id in
  (id,vi)

let fun_param (v,t,id) =
  let ty = type_type t in
  let vi = var ~formal:true ty id in
  (v,id,vi)

let assertion_true = new assertion JCAtrue

let field st root ((rep,abs), t, id, bitsize) =
  let ty = type_type t in
  incr field_tag_counter;
  let name = st.jc_struct_info_name ^ "_" ^ id in
  let fi = {
    jc_field_info_tag = !field_tag_counter;
    jc_field_info_name = id ;
    jc_field_info_final_name = Jc_envset.get_unique_name name;
    jc_field_info_type = ty;
    jc_field_info_hroot = root;
    jc_field_info_struct = st;
    jc_field_info_rep = rep || (not (is_pointer_type ty));
    jc_field_info_abstract = abs;
    jc_field_info_bitsize = bitsize;
  } in
  fi

let lemmas_table = StringHashtblIter.create 17
let global_invariants_table = IntHashtblIter.create 17

(*let add_typedecl d (id, parent) =
  let root,par =
    match parent with
      | None ->
          (None, None)
      | Some p ->
          let st = find_struct_info d.jc_pdecl_loc p in
          (Some st.jc_struct_info_hroot, Some st)
  in
  let struct_info, root =
    try
      let struct_info,_ = Hashtbl.find structs_table id in
      let root = match root with
        | Some x -> x
        | None -> struct_info
      in
      struct_info.jc_struct_info_hroot <- root;
      struct_info.jc_struct_info_parent <- par;
      struct_info, root
    with Not_found ->
      assert false (* cannot happen, thanks to the function decl_declare *)
(*      let rec struct_info =
        { jc_struct_info_name = id;
          jc_struct_info_fields = [];
          jc_struct_info_parent = par;
          jc_struct_info_hroot = struct_info;
          jc_struct_info_root = None;
        }
      in
      (* adding structure name in global environment before typing
         the fields, because of possible recursive definition *)
      Hashtbl.replace structs_table id (struct_info,[]);
      struct_info, struct_info*)
  in
  root, struct_info*)

let add_vardecl (ty,id) =
  let ty = type_type ty in
  let vi = var ~static:true ty id in
  Hashtbl.add variables_env id vi

let get_vardecl id =
  Hashtbl.find variables_env id

let get_fundecl id =
  let fi = Hashtbl.find functions_env id in
  let param_env =
    List.map
      (fun (_valid,v) -> (v.jc_var_info_name, v))
      fi.jc_fun_info_parameters
  in
  param_env, fi

let add_fundecl (ty,_loc,id,pl) =
  try
    let param_env,fi = get_fundecl id in
    Format.eprintf
      "FIXME: Warning: ignoring second declaration of function %s@." id;
    param_env, fi
  with Not_found ->
    let params = List.map fun_param pl in
    let param_env = List.map (fun (_,t,x) -> (t,x)) params in
    let ty = type_type ty in
    let fi = make_fun_info id ty in
    fi.jc_fun_info_parameters <- List.map (fun (v,_,x) -> (v,x)) params;
    Hashtbl.replace functions_env id fi;
    param_env, fi

let add_logic_fundecl (ty,id,poly_args,labels,pl) =
  try
    let pi = Hashtbl.find logic_functions_env id in
    let ty = pi.jc_logic_info_result_type in
    let param_env =
      List.map (fun v -> v.jc_var_info_name, v) pi.jc_logic_info_parameters
    in
    param_env, ty, pi
  with Not_found ->
    let poly_args = add_poly_args poly_args in
    let param_env = List.map param pl in
    let ty = Option_misc.map type_type ty in
    let pi = match ty with
      | None -> make_pred id
      | Some ty -> make_logic_fun id ty
    in
    pi.jc_logic_info_parameters <- List.map snd param_env;
    pi.jc_logic_info_poly_args <- poly_args;
    pi.jc_logic_info_labels <- labels;
    Hashtbl.replace logic_functions_env id pi;
    param_env, ty, pi


(* let add_logic_constdecl (ty, id) = *)
(*   try *)
(*     let vi = Hashtbl.find logic_constants_env id in *)
(*       vi.jc_var_info_type, vi  *)
(*   with Not_found -> *)
(*     let ty = type_type ty in *)
(*     let vi = var ~static:true ty id in *)
(*       Hashtbl.add logic_constants_env id vi; *)
(*       ty, vi *)

let type_range_of_term ty t =
  match ty with
    | JCTenum ri ->
        let mint =
          new term ~pos:t#pos ~typ:integer_type
            (JCTconst(JCCinteger (Num.string_of_num ri.jc_enum_info_min)))
        in
        let mina = new assertion (JCArelation(mint,(`Ble,`Integer),t)) in
        let maxt =
          new term ~pos:t#pos ~typ:integer_type
            (JCTconst(JCCinteger (Num.string_of_num ri.jc_enum_info_max)))
        in
        let maxa = new assertion (JCArelation(t,(`Ble,`Integer),maxt)) in
	new assertion (JCAand [ mina; maxa ])
    | JCTpointer (JCtag(st, _), _n1opt, n2opt) ->
(*      let instanceofcstr = new assertion (JCAinstanceof (t, st)) in *)
(*      let mincstr = match n1opt with
          | None -> true_assertion
          | Some n1 ->
              let mint =
                term_no_loc (JCToffset (Offset_min, t, st)) integer_type in
              let n1t =
                term_no_loc (JCTconst (JCCinteger (Num.string_of_num n1)))
                  integer_type
              in
              new assertion (JCArelation (mint, Beq_int, n1t))
        in *)
        let maxcstr = match n2opt with
          | None -> Assertion.mktrue ()
          | Some n2 ->
              let maxt =
                new term
                  ~pos: t#pos
                  ~typ: integer_type
                  (JCToffset (Offset_max, t, st))
              in
              let n2t =
                new term
                  ~pos: t#pos
                  ~typ: integer_type
                  (JCTconst (JCCinteger (Num.string_of_num n2)))
              in
              new assertion (JCArelation (maxt, (`Beq, `Integer), n2t))
        in
          maxcstr
(*        if is_root_struct st then *)
(*        Jc_pervasives.make_and [mincstr; maxcstr] *)
(*        else
          Jc_pervasives.make_and [instanceofcstr; mincstr; maxcstr] *)
    | JCTpointer (JCroot _vi, _, _) ->
        assert false (* TODO, but need to change JCToffset before *)
    | _ -> Assertion.mktrue ()

(* First pass: declare everything with no typing
 * (use dummy values that will be replaced by "decl")
 * (declare identifiers so that previous definitions can (possibly recursively)
 * use them) *)
(*let rec decl_declare d =
  match d.jc_pdecl_node with
    | JCPDtag(id, parent, fields, inv) ->
        (* declare structure name *)
        let rec struct_info = {
          jc_struct_info_name = id;
          jc_struct_info_fields = [];
          jc_struct_info_parent = None;
          jc_struct_info_hroot = struct_info;
          jc_struct_info_root = None;
        } in
        Hashtbl.add structs_table id (struct_info, []);
        (* declare mutable field (if needed) *)
        if parent = None && !Jc_common_options.inv_sem = InvOwnership then
          create_mutable_field struct_info;
        (* TODO: declare fields *)
        (* TODO: declare invariants *)
        Hashtbl.replace structs_table id (struct_info, [])
    | JCPDvarianttype(id, _) ->
        Hashtbl.replace variants_table id {
          jc_root_info_name = id;
          jc_root_info_roots = [];
        }
    | JCPDvar _
    | JCPDfun _
    | JCPDrecfuns _
    | JCPDenumtype _
    | JCPDlogictype _
    | JCPDaxiom _
    | JCPDexception _
    | JCPDlogic _
    | JCPDglobinv _ ->
        () (* TODO *)
*)

(** [check_positivity pi a] checks whether the assertion [a] as exactly one positive occurrence of pi in a *)

let rec signed_occurrences pi a =
match a#node with
  | JCArelation _ | JCAtrue | JCAfalse -> (0,0)
  | JCAapp app -> ((if app.jc_app_fun == pi then 1 else 0),0)
  | JCAquantifier (Forall, _vi, _, p) -> signed_occurrences pi p
  | JCAquantifier (Exists, _vi, _, _p) -> assert false (* TODO *)
  | JCAimplies (p1, p2) ->
      let (pos1,neg1) = signed_occurrences pi p1 in
      let (pos2,neg2) = signed_occurrences pi p2 in
      (neg1+pos2,pos1+neg2)
  | JCAand l ->
      List.fold_left
	(fun (p,n) a ->
	   let (pos1,neg1) = signed_occurrences pi a in
	   (p+pos1,n+neg1)) (0,0) l
  | JCAor _ -> assert false (* TODO *)
  | JCAat (p, _) | JCAold p -> signed_occurrences pi p
  | JCAnot p ->
      let (pos,neg) = signed_occurrences pi p in
      (neg,pos)
  | JCAiff (_, _) -> assert false (* TODO *)
  | JCAsubtype (_, _, _) -> assert false (* TODO *)
  | JCAeqtype (_, _, _) -> assert false (* TODO *)
  | JCAmutable (_, _, _) -> assert false (* TODO *)
  | JCAif (_, _, _) -> assert false (* TODO *)
  | JCAbool_term _ -> assert false (* TODO *)
  | JCAinstanceof (_, _, _) -> assert false (* TODO *)
  | JCAlet (_, _,_) -> assert false (* TODO *)
  | JCAmatch (_, _) -> assert false (* TODO *)
  | JCAfresh _ -> assert false (* TODO *)

let check_positivity loc pi a =
  let (pos,_neg) = signed_occurrences pi a in
  if pos = 0 then
    typing_error loc "predicate has no positive occurrence in this case";
  if pos > 1 then
    typing_error loc "predicate has too many positive occurrences in this case"



(** [check_consistency id data] attempt to detect trivial inconsistency cases in axiomatics

    pis = data.axiomatics_defined_ids is the set of logic ids defined in this axiomatic

    check 1:
      for each lemma: check that at least one pi of pis occurs

    check 2:
      for each lemma with labels l1,..,lk: for each li, there should be at least one occurrence
      of some pi of pis applied to label li.

*)

let rec term_occurrences table t =
  match t#node with
    | JCTconst _
    | JCTvar _ -> ()
    | JCTrange_cast (t, _)
    | JCTat (t, _)
    | JCTunary (_, t)
    | JCToffset (_, t, _)
    | JCTderef (t, _, _) -> term_occurrences table t
    | JCTbinary (t1, _, t2)
    | JCTshift (t1, t2) ->
	term_occurrences table t1; term_occurrences table t2
    | JCTapp app ->
      begin
        List.iter (term_occurrences table) app.jc_app_args;
	try
	  let l = Hashtbl.find table app.jc_app_fun.jc_logic_info_tag in
	  Hashtbl.replace table app.jc_app_fun.jc_logic_info_tag (app.jc_app_label_assoc::l)
	with Not_found -> ()
      end
    | JCTlet (_, _, _) -> assert false (* TODO *)
    | JCTmatch (_, _) -> assert false (* TODO *)
    | JCTrange (_, _) -> assert false (* TODO *)
    | JCTif (_, _, _) -> assert false (* TODO *)
    | JCTreal_cast (t, _) -> term_occurrences table t
    | JCTbitwise_cast (_, _, _) -> assert false (* TODO *)
    | JCTcast (_, _, _) -> assert false (* TODO *)
    | JCTinstanceof (_, _, _) -> assert false (* TODO *)
    | JCTbase_block t -> term_occurrences table t
    | JCTaddress (_, _) -> assert false (* TODO *)
    | JCTold _ -> assert false (* TODO *)

let rec occurrences table a =
  match a#node with
  | JCAtrue | JCAfalse -> ()
  | JCAapp app ->
      begin
        List.iter (term_occurrences table) app.jc_app_args;
	try
	  let l = Hashtbl.find table app.jc_app_fun.jc_logic_info_tag in
	  Hashtbl.replace table app.jc_app_fun.jc_logic_info_tag (app.jc_app_label_assoc::l)
	with Not_found -> ()
      end
  | JCAnot p
  | JCAquantifier (_, _, _, p) -> occurrences table p
  | JCAiff (p1, p2)
  | JCAimplies (p1, p2) ->
      occurrences table p1; occurrences table p2
  | JCAand l | JCAor l ->
      List.iter (occurrences table) l
  | JCArelation(t1,_op,t2) ->
      term_occurrences table t1; term_occurrences table t2
  | JCAsubtype (_, _, _) -> assert false (* TODO *)
  | JCAeqtype (_, _, _) -> assert false (* TODO *)
  | JCAmutable (_, _, _) -> assert false (* TODO *)
  | JCAif (_, _, _) -> assert false (* TODO *)
  | JCAbool_term _ -> assert false (* TODO *)
  | JCAinstanceof (_, _, _) -> assert false (* TODO *)
  | JCAold p
  | JCAat (p, _) -> occurrences table p
  | JCAlet (_, _, _) -> assert false (* TODO *)
  | JCAmatch (_, _) -> assert false (* TODO *)
  | JCAfresh _ -> assert false (* TODO *)

let rec list_assoc_data lab l =
  match l with
    | [] -> false
    | (_,d):: r ->
	d=lab || list_assoc_data lab r

let check_consistency id data =
  let pis = data.axiomatics_defined_ids in
  List.iter
    (fun (ABaxiom(loc,axid,labels,a)) ->
       let h = Hashtbl.create 17 in
       List.iter
	 (fun pi -> Hashtbl.add h pi.jc_logic_info_tag [])
	 pis;
       occurrences h a;
       Jc_options.lprintf "@[<v 2>occurrences table for axiom %s in axiomatic %s:@\n" axid id;
       Hashtbl.iter
	 (fun pi l ->
	    Jc_options.lprintf "%d: @[" pi;
	    List.iter
	      (fun label_assoc ->
		 Jc_options.lprintf "%a ;"
		   (Pp.print_list Pp.comma (fun fmt (_l1,l2) -> Jc_output_misc.label fmt l2)) label_assoc)
	      l;
	    Jc_options.lprintf "@]@\n")
	 h;
       Jc_options.lprintf "@]@.";
       if Hashtbl.fold (fun _pi l acc -> acc && l=[]) h true then
	 typing_error loc
	   "axiom %s should contain at least one occurrence of a symbol declared in axiomatic %s" axid id;
       List.iter
	 (fun lab ->
	    if not (Hashtbl.fold (fun _pi l acc -> acc || List.exists (list_assoc_data lab) l) h false) then
	      typing_error loc
		"there should be at least one declared symbol depending on label %a in this axiom" Jc_output_misc.label lab)
	 labels
    )
    data.axiomatics_decls

let update_axiomatic axiomatic pi =
  match axiomatic with
    | Some(id,data) ->
	pi.jc_logic_info_axiomatic <- Some id;
	data.axiomatics_defined_ids <- pi :: data.axiomatics_defined_ids
    | None -> ()

exception Identifier_Not_found of string

let create_pragma_gen_frame_sub frame_or_sub loc id logic =
  let info = 
    try 
      find_logic_info logic
    with Not_found -> typing_error loc "logic unknown %s" logic in
  let params1 = info.jc_logic_info_parameters in
  let params2 = List.map (fun v -> var ~unique:true v.jc_var_info_type 
    (v.jc_var_info_name^"_dest"))
    info.jc_logic_info_parameters in
  let pi = make_pred id in
  pi.jc_logic_info_parameters <- params1@params2;
  let label1 = LabelName { 
    label_info_name = "L1";
    label_info_final_name = "L1";
    times_used = 0;
  } in
  let label2 = LabelName { 
    label_info_name = "L2";
    label_info_final_name = "L2";
    times_used = 0;
  } in
  pi.jc_logic_info_labels <- [label1;label2];
  Hashtbl.replace logic_functions_env id pi;
  let def = 
    let params param = List.map 
      (fun x -> new term ~pos:loc ~typ:x.jc_var_info_type (JCTvar x))
      param in
    begin
      match info.jc_logic_info_result_type with
        | None ->
          let app label param = new assertion (JCAapp {jc_app_fun = info;
                             jc_app_args = params param;
                             jc_app_region_assoc = [];
                             jc_app_label_assoc = 
              label_assoc loc "bug in the generation" 
                (Some label) info.jc_logic_info_labels []
                 }) in
          make_and (app label1 params1) (app label2 params2)
        | Some ty -> 
          let term label param = new term ~pos:loc ~typ:ty
            (JCTapp {jc_app_fun = info;
                     jc_app_args = params param;
                     jc_app_region_assoc = [];
                     jc_app_label_assoc = 
                label_assoc loc "bug in the generation" 
                  (Some label) info.jc_logic_info_labels []}) in
          new assertion (make_rel_bin_op loc `Beq
                           (term label1 params1) (term label2 params2))
    end in
  let def = JCAssertion def in
  IntHashtblIter.add logic_functions_table pi.jc_logic_info_tag (pi, def);
  Hashtbl.add pragma_gen_frame pi.jc_logic_info_tag
    (pi,info,params1,params2,frame_or_sub)


let create_pragma_gen_sep_logic_aux loc kind id li =
  let translate_param (p,restr) =
    match p#node,restr with
      | JCPTnative _,_ ->
          typing_error loc "A Separation pragma can't reference \"pure\" type"
      | JCPTidentifier (s,[]),_ -> (* Should be the identifier of a logic *)
          let info =
            try
              find_logic_info s
            with Not_found -> raise (Identifier_Not_found s)
          in `Logic (info,restr)
      | JCPTidentifier (_s,_l),_ ->
          typing_error loc "A Separation pragma can't reference a logic type"
      | JCPTpointer (_,[],None,None),[] ->
          let ty = type_type p in
          `Pointer (newvar ty)
      | JCPTpointer _, _::_ ->
          typing_error loc
            "In a separation pragma pointer can't\
             be at that time restreint to some field"
      | JCPTpointer _,_ ->
          failwith "TODO : sorry I'm lazy. But what have you done?" in
  let change_var_name = function
    |`Logic (info,restr) ->
       let params = info.jc_logic_info_parameters in
       let new_params = List.map copyvar params in
       `Logic (info,restr,new_params)
    |`Pointer _ as e -> e in
  let to_param = function
    | `Logic (_,_,new_params) -> new_params
    | `Pointer var -> [var]
  in
  let params = List.map translate_param li in
  let params = List.map change_var_name params in
  let param_env = List.concat (List.map to_param params) in
  let pi = make_pred id in
  pi.jc_logic_info_parameters <- param_env;
  let cur_label = LabelName {
    label_info_name = "L";
    label_info_final_name = "L";
    times_used = 0;
  } in
  pi.jc_logic_info_labels <- [cur_label];
  Hashtbl.replace logic_functions_env id pi;
  (* create a dumb definition with the correct effect
     which will be replace by the correcte one at the end *)
  let to_def = function
    | `Logic (info,_,params) ->
        let param = List.map
          (fun x -> new term ~pos:loc ~typ:x.jc_var_info_type (JCTvar x))
          params in
        new assertion begin
          match info.jc_logic_info_result_type with
            | None ->
                JCAapp {jc_app_fun = info;
                        jc_app_args = param;
                        jc_app_region_assoc = [];
                        jc_app_label_assoc =
                    label_assoc loc "bug in the generation"
                      (Some cur_label) info.jc_logic_info_labels []
                       }
            | Some ty ->
                let term = new term ~pos:loc
                  ~typ:ty
                  (JCTapp {jc_app_fun = info;
                           jc_app_args = param;
                           jc_app_region_assoc = [];
                           jc_app_label_assoc = []}) in
                make_rel_bin_op loc `Beq term term
        end
    | `Pointer var ->
        let t = new term ~pos:loc ~typ:var.jc_var_info_type (JCTvar var) in
        new assertion (make_rel_bin_op loc `Beq t t) in
  let def = JCAssertion (make_and_list (List.map to_def params)) in
  IntHashtblIter.add logic_functions_table pi.jc_logic_info_tag (pi, def);
  Hashtbl.add pragma_gen_sep pi.jc_logic_info_tag
    (kind,params)


let create_pragma_gen_sep_logic loc kind id li =
  try
    create_pragma_gen_sep_logic_aux loc kind id li
  with Identifier_Not_found ident ->
    Hashtbl.add pragma_before_def ident (loc,kind,id,li)

let create_if_pragma_before ident =
  List.iter (fun (loc,kind,id,li) ->
               create_pragma_gen_sep_logic loc kind id li)
    (Hashtbl.find_all pragma_before_def ident);
    (Hashtbl.remove_all pragma_before_def ident)

let test_if_pragma_notdefined () =
  if not (Hashtbl.is_empty pragma_before_def) then
    Hashtbl.iter (fun ident (loc,_kind,id,_li) ->
    typing_error loc "The pragma %s has not been defined because
%s appeared nowhere" id ident) pragma_before_def


(*let test_*)


let rec decl_aux ~only_types ~axiomatic acc d =
  reset_uenv ();
  let loc = d#pos in
  let in_axiomatic = axiomatic <> None in
  match d#node with
    | JCDvar (_ty, id, init) ->
	if not only_types then
	  begin
	    if in_axiomatic then
	      typing_error loc "not allowed inside axiomatic specification";
            let e = Option_misc.map (expr []) init in
            let vi = get_vardecl id in
            IntHashtblIter.add variables_table vi.jc_var_info_tag (vi, e);
	    acc
	  end
	else
	  acc
    | JCDfun (_ty, id, _pl, specs, body) ->
	if not only_types then
	  begin
	    if in_axiomatic then
	      typing_error loc "not allowed inside axiomatic specification";
            let loc = match Jc_options.position_of_label id#name with
	      | Some loc -> loc
	      | None -> id#pos
	    in
            let param_env, fi = get_fundecl id#name in
            let vi = fi.jc_fun_info_result in
            let s = List.fold_right
              (clause param_env vi) specs
              { jc_fun_requires = assertion_true;
                jc_fun_free_requires = assertion_true;
		jc_fun_decreases = None;
                jc_fun_default_behavior =
		  Loc.dummy_position ,"default", default_behavior;
                jc_fun_behavior = [] }
            in
	    reset_return_label ();
            let b = Option_misc.map
	      (unit_expr $ expr (("\\result",vi)::param_env)) body
	    in
	    fi.jc_fun_info_has_return_label <- get_return_label ();
            IntHashtblIter.add functions_table fi.jc_fun_info_tag (fi,loc,s,b);
	    acc
	  end
	else
	  acc
    | JCDenum_type(id,min,max) ->
	if only_types then
	  begin
	    if in_axiomatic then
	      typing_error loc "not allowed inside axiomatic specification";
	    begin
	      try
	        let _ = StringHashtblIter.find enum_types_table id in
	        typing_error d#pos "duplicate range type `%s'" id
	      with Not_found ->
                let ri =
                  { jc_enum_info_name = id;
		    jc_enum_info_min = min;
		    jc_enum_info_max = max;
                  }
                in
                StringHashtblIter.add enum_types_table id ri;
	        acc
	    end
	  end
	else
	  acc
    | JCDtag(id, _, _parent, _fields, inv) ->
	if not only_types then
	  begin
	    Jc_options.lprintf "Typing tag %s@." id;
	    if in_axiomatic then
	      typing_error loc "not allowed inside axiomatic specification";
            let struct_info, _ = StringHashtblIter.find structs_table id in
            (* declare invariants as logical functions *)
            let invariants =
              List.fold_left
                (fun acc (id, x, e) ->
                   if !Jc_common_options.inv_sem = InvNone then
                     typing_error id#pos
                       "use of structure invariants requires declaration \
of an invariant policy";
                   let vi =
                     var (JCTpointer (JCtag(struct_info, []), Some zero,
                                      Some zero)) x in
                   let p = assertion [(x, vi)] e in
                   let pi = make_pred id#name in
                   pi.jc_logic_info_parameters <- [vi];
                   pi.jc_logic_info_labels <- [LabelHere];
                   eprintf "generating logic fun %s with one default label@."
                     pi.jc_logic_info_name;
                   IntHashtblIter.replace logic_functions_table
                     pi.jc_logic_info_tag (pi, JCAssertion p);
                   Hashtbl.replace logic_functions_env id#name pi;
                   (pi, p) :: acc)
                []
                inv
            in
            StringHashtblIter.replace
              structs_table id (struct_info, invariants);
	    acc
	  end
	else
	  acc

    | JCDvariant_type(_id, _tags) -> acc
    | JCDunion_type(_id,_discr,_tags) -> acc

    (*    | JCDrectypes(pdecls) ->
    (* first pass: adding structure names *)
          List.iter (fun d -> match d.jc_pdecl_node with
          | JCDstructtype(id,_,_,_) ->
    (* parent type may not be declared yet *)
          ignore (add_typedecl d (id,None))
          | _ -> assert false
          ) pdecls;
    (* second pass: adding structure fields *)
          List.iter (fun d -> match d.jc_pdecl_node with
          | JCDstructtype(id,parent,fields,_) ->
          let root,struct_info = add_typedecl d (id,parent) in
          let env = List.map (field struct_info root) fields in
          struct_info.jc_struct_info_fields <- env;
          Hashtbl.replace structs_table id (struct_info,[])
          | _ -> assert false
          ) pdecls;
    (* third pass: typing invariants *)
          List.iter decl pdecls*)

    | JCDlogic_type(id,l) ->
	if only_types then
	  begin
	    Jc_options.lprintf "Typing logic type declaration %s@." id;
            begin
              try
                let _ = StringHashtblIter.find logic_type_table id in
                typing_error d#pos "duplicate logic type `%s'" id
              with Not_found ->
                let l = List.map Jc_type_var.type_var_from_string l in
                StringHashtblIter.add logic_type_table id (id,l);
	        acc
            end
	  end
	else
	  acc
    | JCDlemma(id,is_axiom,poly_args,labels,e) ->
	if not only_types then
	  begin
	    Jc_options.lprintf "Typing lemma/axiom %s@." id;
	    if is_axiom && not in_axiomatic then
	      typing_error loc "allowed only inside axiomatic specification";
            (*
	      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
            *)
            let poly_args = add_poly_args poly_args in
            let te = assertion [] e in
            let te = Jc_type_var.subst_type_in_assertion uenv te in
            if in_axiomatic && is_axiom then
	      (ABaxiom(d#pos,id,labels,te))::acc
	    else
	      begin
	        StringHashtblIter.add
                  lemmas_table id (d#pos,is_axiom,poly_args,labels,te);
	        acc
	      end
	  end
	else
	  acc
    | JCDglobal_inv(id, e) ->
	if not only_types then
	  begin
	    if in_axiomatic then
	      typing_error loc "not allowed inside axiomatic specification";
            let a = assertion [] e in
            let li = make_pred id in
            let idx = li.jc_logic_info_tag in
            if !Jc_common_options.inv_sem = InvArguments then
              IntHashtblIter.replace logic_functions_table
                idx (li, JCAssertion a);
            IntHashtblIter.add global_invariants_table idx (li, a);
	    acc
	  end
	else
	  acc
    | JCDexception(id,tyopt) ->
	if not only_types then
	  begin
	    if in_axiomatic then
	      typing_error loc "not allowed inside axiomatic specification";
            let tt = Option_misc.map type_type tyopt in
            StringHashtblIter.add exceptions_table id (exception_info tt id);
	    acc
	  end
	else
	  acc
    | JCDlogic_var (_ty, _id, _body) -> assert false
        (*         let ty, vi = add_logic_constdecl (ty, id) in *)
        (*         let t = Option_misc.map  *)
        (* 	  (function body -> *)
        (* 	     let t = term [] body in *)
        (*              if not (subtype t#typ ty) then *)
        (*                typing_error d#pos *)
        (*                  "inferred type differs from declared type" *)
        (*              else (t,mintype t#pos t#typ ty) *)
        (* 	  ) body *)
        (*         in *)
        (*         Hashtbl.add logic_constants_table vi.jc_var_info_tag (vi, t) *)
    | JCDlogic (None, id, poly_args, labels, pl, body) ->
	if not only_types then
	  begin
            (*
	      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
            *)
            let param_env,_ty,pi = add_logic_fundecl (None,id,poly_args,labels,pl) in
            create_if_pragma_before id;
            let p = match body with
              | JCnone ->
	          if not in_axiomatic then
		    typing_error loc "allowed only inside axiomatic specification";
                  JCNone
              | JCreads reads ->
	          if not in_axiomatic then
		    typing_error loc "allowed only inside axiomatic specification";
                  JCReads (
                    (List.map
                       (fun a ->
                          let _,_,tl =
                            location param_env a
                          in tl)) reads)
              | JCexpr body ->
                  JCAssertion(assertion param_env body)
		    (*
		      | JCaxiomatic l ->
		      JCAxiomatic(List.map (fun (id,e) -> (id,assertion param_env e)) l)
		    *)
	      | JCinductive l ->
	          JCInductive(List.map
			        (fun (id,labels,e) ->
                                   (*
			             let labels = match labels with
				     [] -> [ LabelHere ]
				     | _ -> labels
			             in
                                   *)
			           let a = assertion param_env e in
				   check_positivity a#pos pi a;
			           (id,labels,a))
			        l)
            in
	    update_axiomatic axiomatic pi;
            IntHashtblIter.add
              logic_functions_table pi.jc_logic_info_tag (pi, p);
	    acc
	  end
	else
	  acc
    | JCDlogic (Some ty, id, poly_args, labels, pl, body) ->
	if not only_types then
	  begin
            (*
	      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
            *)
            let param_env, ty, pi = add_logic_fundecl (Some ty,id,poly_args,labels,pl) in
            create_if_pragma_before id;
            let ty = match ty with Some ty -> ty | None -> assert false in
            let t = match body with
              | JCnone -> JCNone
              | JCreads reads ->
		  if not in_axiomatic then
		    typing_error loc "allowed only inside axiomatic specification";
		  JCReads (
                    (List.map
                       (fun a ->
			  let _,_,tl = location param_env a
			  in tl)) reads)
              | JCexpr body ->
		  let t = term param_env body in
		  if pl = [] && not (subtype t#typ ty)
		    || pl <> [] && not (subtype_strict t#typ ty) then
		      typing_error d#pos
			"inferred type differs from declared type"
		  else
		    begin
		      if pl = [] then
			(* constant *)
			Hashtbl.add logic_constants_table pi.jc_logic_info_tag (pi, t);
		      JCTerm t
		    end
		      (*
			| JCaxiomatic l ->
			JCAxiomatic(List.map (fun (id,e) -> (id,assertion param(_env e)) l)
		      *)
	      | JCinductive _ ->
		  typing_error d#pos
                    "only predicates can be inductively defined"
            in
	    update_axiomatic axiomatic pi;
            IntHashtblIter.add
              logic_functions_table pi.jc_logic_info_tag (pi, t);
	    acc
	  end
	else
	  acc
    | JCDint_model _|JCDabstract_domain _|JCDannotation_policy _
    | JCDseparation_policy _
    | JCDtermination_policy _
    | JCDinvariant_policy _ -> assert false
    | JCDpragma_gen_sep (kind,id,li) ->
        if Jc_options.gen_frame_rule_with_ft && not only_types then
	  begin
            let kind = match kind,li with
              | "",_ -> `Sep
              | "inc", [_;_] -> `Inc
              | "cni", [_;_] -> `Cni

              | ("inc"|"cni"), _ ->
                  typing_error loc
                    "A Gen_separation inc or cni pragma should \
                     have 2 arguments (%i given)" (List.length li)
              | _ -> typing_error loc
                  "I don't know that kind of Gen_separation pragma : %s" 
                kind in
            create_pragma_gen_sep_logic loc kind id li
          end;
	acc
    | JCDpragma_gen_frame(name,logic) -> 
        if Jc_options.gen_frame_rule_with_ft && not only_types then
	  begin
            create_pragma_gen_frame_sub `Frame loc name logic
          end;
      acc
    | JCDpragma_gen_sub(name,logic) -> 
        if Jc_options.gen_frame_rule_with_ft && not only_types then
	  begin
            create_pragma_gen_frame_sub `Sub loc name logic
          end;
      acc
    | JCDpragma_gen_same(name,logic) -> 
        if Jc_options.gen_frame_rule_with_ft && not only_types then
	  begin
            let logic_info =
              try
                find_logic_info name
              with Not_found -> raise (Identifier_Not_found name) in
            let pred_info =
              try
                find_logic_info logic
              with Not_found -> raise (Identifier_Not_found logic) in
            (** TODO test that the arguments are the same *)
            Hashtbl.add pragma_gen_same
              logic_info.jc_logic_info_tag pred_info
          end;
      acc
    | JCDaxiomatic(id,l) ->
	Jc_options.lprintf "Typing axiomatic %s@." id;
	let data =
	  {
	    axiomatics_defined_ids = [];
	    axiomatics_decls = [];
	  }
	in
	data.axiomatics_decls <- List.fold_left
          (decl_aux ~only_types ~axiomatic:(Some (id,data))) [] l;
	if not only_types then
	  begin
	    check_consistency id data;
	    StringHashtblIter.add axiomatics_table id data
	  end;
	acc

let decl ~only_types d =
  ignore (decl_aux ~only_types ~axiomatic:None [] d)

let declare_struct_info d = match d#node with
  | JCDtag(id, _, parent, _, _) ->
      let rec si = {
        jc_struct_info_params = [];
        jc_struct_info_name = id;
        jc_struct_info_fields = [];
        jc_struct_info_parent = None;
        jc_struct_info_hroot = si;
        jc_struct_info_root = None;
      } in
      StringHashtblIter.add structs_table id (si, []);
      (* declare the "mutable" field (if needed) *)
      if parent = None && !Jc_common_options.inv_sem = InvOwnership then
        create_mutable_field si
  | _ -> ()

let rec declare_function d =
  reset_uenv ();
  match d#node with
  | JCDfun(ty,id,pl,_specs,_body) ->
      ignore
        (add_fundecl (ty,id#pos,id#name,pl))
(*   | JCDlogic(Some ty,id,labels,[],_body) -> *)
(*       ignore  *)
(* 	(add_logic_constdecl (ty,id)) *)
  | JCDlogic(ty,id,poly_args,labels,pl,_body) ->
(*
      let labels = match labels with [] -> [ LabelHere ] | _ -> labels in
*)
      ignore (add_logic_fundecl (ty,id,poly_args,labels,pl))
  | JCDaxiomatic(_id,l) ->
      List.iter declare_function l
  | _ -> ()

let declare_variable d = match d#node with
  | JCDvar(ty,id,_init) ->
      add_vardecl (ty,id)
  | _ -> ()

let compute_struct_info_parent d = match d#node with
  | JCDtag(id, _, Some(parent, _), _, _) ->
      let si, _ = StringHashtblIter.find structs_table id in
      let psi = find_struct_info d#pos parent in
      si.jc_struct_info_parent <- Some(psi, [])
  | _ -> ()

let fixpoint_struct_info_roots () =
  let modified = ref false in
  StringHashtblIter.iter
    (fun _ (si, _) ->
       match si.jc_struct_info_parent with
         | Some(psi, _) ->
             if si.jc_struct_info_hroot != psi.jc_struct_info_hroot then begin
               si.jc_struct_info_hroot <- psi.jc_struct_info_hroot;
               modified := true
             end
         | None -> ())
    structs_table;
  !modified

let type_variant d = match d#node with
  | JCDvariant_type(id, tags) | JCDunion_type(id,_,tags) ->
      (* declare the variant *)
      let vi = {
        jc_root_info_name = id;
        jc_root_info_hroots = [];
        jc_root_info_kind =
	  (match d#node with
             | JCDvariant_type _ -> Rvariant
	     | JCDunion_type(_,true,_) ->
                 Region.some_bitwise_region := true;
                 RdiscrUnion
	     | JCDunion_type(_,false,_) ->
                 Region.some_bitwise_region := true;
                 RplainUnion
	     | _ -> assert false
	  );
	jc_root_info_union_size_in_bytes = 0;
      } in
      StringHashtblIter.add roots_table id vi;
      (* tags *)
      let roots = List.map
        (fun tag ->
           (* find the structure *)
           let st, _ = try
             StringHashtblIter.find structs_table tag#name
           with Not_found ->
             typing_error tag#pos
               "undefined tag: %s" tag#name
           in
           (* the structure must be root *)
           if st.jc_struct_info_parent <> None then
             typing_error tag#pos
               "the tag %s is not root" tag#name;
           (* the structure must not be used by another variant *)
           match st.jc_struct_info_root with
             | None ->
                 (* update the structure variant and return the root *)
                 st.jc_struct_info_root <- Some vi;
                 st
             | Some prev -> typing_error tag#pos
                 "tag %s is already used by type %s" tag#name
                   prev.jc_root_info_name)
        tags
      in
      if root_is_union vi then
	let size =
	  List.fold_left
	    (fun size st -> max size (struct_size_in_bytes st)) 0 roots
	in
	vi.jc_root_info_union_size_in_bytes <- size
      else ();
      (* update the variant *)
      vi.jc_root_info_hroots <- roots
  | _ -> ()

let declare_tag_fields d = match d#node with
  | JCDtag(id, _, _, fields, _inv) ->
      let struct_info, _ = StringHashtblIter.find structs_table id in
      let root = struct_info.jc_struct_info_hroot in
      let fields = List.map (field struct_info root) fields in
      struct_info.jc_struct_info_fields <- fields;
      StringHashtblIter.replace structs_table id (struct_info, [])
  | _ -> ()

let check_struct d = match d#node with
  | JCDtag(id, _, _, _, _) ->
      let loc = d#pos in
      let st = find_struct_info loc id in
      if st.jc_struct_info_hroot.jc_struct_info_root = None then
        typing_error loc "the tag %s is not used by any type"
          st.jc_struct_info_name
  | _ -> ()

(* type declarations in the right order *)
let type_file ast =
(*
  (* 1. logic types *)
  let is_logic_type d =
    match d#node with JCDlogic_type _ -> true | _ -> false
  in
  let logic_types,ast = List.partition is_logic_type ast in
  List.iter decl logic_types;
  (* 2. enumerations *)
  let is_enum d =
    match d#node with JCDenum_type _ -> true | _ -> false
  in
  let enums,ast = List.partition is_enum ast in
  List.iter decl enums;
*)
  List.iter (decl ~only_types:true) ast;
  (* 3. records and variants *)
  List.iter declare_struct_info ast;
  List.iter compute_struct_info_parent ast;
  while fixpoint_struct_info_roots () do () done;
  List.iter type_variant ast;
  List.iter declare_tag_fields ast;
  List.iter check_struct ast;
  (* 4. declaring global variables *)
  List.iter declare_variable ast;
  (* 5. declaring coding and logic functions *)
  List.iter declare_function ast;
  (* 6. remaining declarations *)
  List.iter (decl ~only_types:false) ast;
  (* 7. test if all the pragma have been defined *)
  test_if_pragma_notdefined ()

let print_file fmt () =
  let functions =
    IntHashtblIter.fold
      (fun _ (finfo,_,fspec,slist) f ->
         Jc_output.JCfun_def
           (finfo.jc_fun_info_result.jc_var_info_type,finfo.jc_fun_info_name,
            finfo.jc_fun_info_parameters,fspec,slist)
         :: f
      ) functions_table []
  in
  let logic_functions =
    IntHashtblIter.fold
      (fun _ (linfo,tora) f ->
         Jc_output.JClogic_fun_def
           (linfo.jc_logic_info_result_type,linfo.jc_logic_info_name,
            linfo.jc_logic_info_poly_args,
            linfo.jc_logic_info_labels,
            linfo.jc_logic_info_parameters, tora)
         :: f
      ) logic_functions_table []
  in
(*  let logic_constants =
    Hashtbl.fold
      (fun _ (vi,t) f ->
         Jc_output.JClogic_const_def
           (vi.jc_var_info_type, vi.jc_var_info_name, Option_misc.map fst t)
        :: f
      ) logic_constants_table []
  in *)
  let logic_types =
    StringHashtblIter.fold
      (fun _ (s,l) f -> Jc_output.JClogic_type_def (s,l) :: f)
      logic_type_table
      []
  in
  let variables =
    IntHashtblIter.fold
      (fun _ (vinfo,vinit) f ->
         Jc_output.JCvar_def
           (vinfo.jc_var_info_type,vinfo.jc_var_info_name,vinit)
         :: f
      ) variables_table []
  in
  let structs =
    StringHashtblIter.fold
      (fun name (sinfo,_) f ->
         let super = match sinfo.jc_struct_info_parent with
           | None -> None
           | Some(st, _) -> Some st.jc_struct_info_name
         in
         Jc_output.JCstruct_def
           (name,super,sinfo.jc_struct_info_fields,[])
         :: f
      ) structs_table []
  in
  let variants =
    StringHashtblIter.fold
      (fun name vinfo f ->
        let tags =
          List.map (fun sinfo -> sinfo.jc_struct_info_name)
            vinfo.jc_root_info_hroots
        in
        Jc_output.JCvariant_type_def (name,tags)
        :: f
      ) roots_table []
  in
  let enums =
    StringHashtblIter.fold
      (fun name rinfo f ->
         Jc_output.JCenum_type_def
           (name,rinfo.jc_enum_info_min,rinfo.jc_enum_info_max)
         :: f
      ) enum_types_table []
  in
  let axioms =
    StringHashtblIter.fold
      (fun name (_loc,is_axiom,poly_args,labels, a) f ->
         Jc_output.JClemma_def (name,is_axiom, poly_args, labels,a)
         :: f
      ) lemmas_table []
  in
  let global_invariants =
    IntHashtblIter.fold
      (fun _ (li, a) f ->
         Jc_output.JCglobinv_def (li.jc_logic_info_name,a) :: f)
      global_invariants_table
      []
  in
  let exceptions =
    StringHashtblIter.fold
      (fun name ei f ->
         Jc_output.JCexception_def (name,ei)
         :: f
      ) exceptions_table []
  in
  (* make all structured types mutually recursive.
     make all functions mutually recursive.
     make all logic functions and constants mutually recursive.
  *)
  let tfile =
    (List.rev enums)
    @ (List.rev structs)
    @ (List.rev variants)
    @ (List.rev exceptions)
    @ (List.rev variables)
    @ (List.rev logic_types)
    @ (Jc_output.JCrec_fun_defs
      (* (List.rev logic_constants @*) (List.rev logic_functions))
    :: (List.rev axioms)
    @ (List.rev global_invariants)
    @ [Jc_output.JCrec_fun_defs (List.rev functions)]
  in
  Jc_output.print_decls fmt tfile;

(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_stdlib_ge40.ml�����������������������������������������������������������������������0000644�0001750�0001750�00000016614�12311670312�014327� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



module List = struct
  include List

  let cons e l = e::l

  let as_singleton = function
    | [e] -> e
    | _ -> failwith "as_singleton"

  let mem_assoc_eq f k l =
    fold_left (fun v_opt (k',v') ->
		 match v_opt with
		   | None ->
		       if f k k' then Some v' else None
		   | Some v -> Some v
	      ) None l

  let all_pairs l =
    let rec aux acc = function
      | e :: l ->
	  let acc = fold_left (fun acc e' -> (e,e') :: acc) acc l in
	  aux acc l
      | [] -> acc
    in
    aux [] l

  let map_fold f acc l =
    let (rev,acc) = List.fold_left
      (fun (rev,acc) e -> let (e,acc) = (f acc e) in (e::rev,acc))
      ([],acc) l in
    (List.rev rev,acc)

  let fold_all_part f acc =
    let rec aux acc part = function
    | [] -> f acc part
    | a::l -> aux (aux acc (a::part) l) part l in
    aux acc []

end

module Set = struct

  module type OrderedType = Set.OrderedType

  module type S = sig
    include Set.S
    val of_list: elt list -> t
    val to_list: t -> elt list
  end

  module Make(Ord : OrderedType) : S with type elt = Ord.t = struct
    include Set.Make(Ord)

    let of_list ls =
      List.fold_left (fun s e -> add e s) empty ls

    let to_list s =
      fold (fun e acc -> e :: acc) s []

  end
end

module Map = struct

  module type OrderedType = Map.OrderedType

  module type S = sig
    include Map.S
    val elements: 'a t -> (key * 'a) list
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val to_list: 'a t -> (key * 'a) list
    val find_or_default: key -> 'a -> 'a t -> 'a
    val find_or_none: key -> 'a t -> 'a option
    val merge: ('a -> 'a -> 'a) -> 'a t -> 'a t -> 'a t
    val add_merge: ('a -> 'a -> 'a) -> key -> 'a -> 'a t -> 'a t
    val diff_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge_option: ('a -> 'b -> 'c option) -> 'a t -> 'b t -> 'c t
  end

  module Make(Ord : OrderedType) : S with type key = Ord.t = struct
    include Map.Make(Ord)

    let elements m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let keys m =
      fold (fun k _v acc -> k :: acc) m []

    let values m =
      fold (fun _k v acc -> v :: acc) m []

    let to_list m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let find_or_default k v m =
      try find k m with Not_found -> v

    let find_or_none k m =
      try Some(find k m) with Not_found -> None

    let merge f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		add k (f v1 v2) m
	      with Not_found ->
		add k v1 m
	   ) m1 m2

    let add_merge f k v m =
      let v =
	try f v (find k m)
	with Not_found -> v
      in
      add k v m

    let diff_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found ->
		add k v1 m
	   ) m1 empty

    let inter_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found -> m
	   ) m1 empty

    let inter_merge_option f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		match f v1 v2 with
                  | Some v -> add k v m
                  | None -> m
	      with Not_found -> m
	   ) m1 empty

  end
end

module StdHashtbl = Hashtbl

module Hashtbl = struct

  module type HashedType = Hashtbl.HashedType

  module type S = sig
    include Hashtbl.S
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val choose: 'a t -> (key * 'a) option
    val remove_all : 'a t -> key -> unit
    val is_empty : 'a t -> bool
  end

  module type Std = sig
    type ('a, 'b) t
    val create : ?random:bool -> int -> ('a, 'b) t
    val clear : ('a, 'b) t -> unit
    val add : ('a, 'b) t -> 'a -> 'b -> unit
    val copy : ('a, 'b) t -> ('a, 'b) t
    val find : ('a, 'b) t -> 'a -> 'b
    val find_all : ('a, 'b) t -> 'a -> 'b list
    val mem : ('a, 'b) t -> 'a -> bool
    val remove : ('a, 'b) t -> 'a -> unit
    val replace : ('a, 'b) t -> 'a -> 'b -> unit
    val iter : ('a -> 'b -> unit) -> ('a, 'b) t -> unit
    val fold : ('a -> 'b -> 'c -> 'c) -> ('a, 'b) t -> 'c -> 'c
    val length : ('a, 'b) t -> int
    val hash : 'a -> int
    val hash_param : int -> int -> 'a -> int
  end

  include (Hashtbl : Std)

  module Make(H : HashedType) : S with type key = H.t = struct
    include Hashtbl.Make(H)

    let keys t =
      fold (fun k _v acc -> k :: acc) t []

    let values t =
      fold (fun _k v acc -> v :: acc) t []

    let choose t =
      let p = ref None in
      begin try
	iter (fun k v -> p := Some(k,v); failwith "Hashtbl.choose") t
      with Failure "Hashtbl.choose" -> () end;
      !p

    let remove_all t p =
      List.iter (fun _ -> remove t p) (find_all t p)

    let is_empty t =
      try
        iter (fun _ _ ->  raise Not_found) t;
        true
      with Not_found -> false
  end

  let remove_all t p =
    List.iter (fun _ -> remove t p) (find_all t p)

  let is_empty t =
    try
      iter (fun _ _ ->  raise Not_found) t;
      true
    with Not_found -> false

end

(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
��������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_stdlib_ge312.ml����������������������������������������������������������������������0000644�0001750�0001750�00000016574�12311670312�014416� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



module List = struct
  include List

  let cons e l = e::l

  let as_singleton = function
    | [e] -> e
    | _ -> failwith "as_singleton"

  let mem_assoc_eq f k l =
    fold_left (fun v_opt (k',v') ->
		 match v_opt with
		   | None ->
		       if f k k' then Some v' else None
		   | Some v -> Some v
	      ) None l

  let all_pairs l =
    let rec aux acc = function
      | e :: l ->
	  let acc = fold_left (fun acc e' -> (e,e') :: acc) acc l in
	  aux acc l
      | [] -> acc
    in
    aux [] l

  let map_fold f acc l =
    let (rev,acc) = List.fold_left
      (fun (rev,acc) e -> let (e,acc) = (f acc e) in (e::rev,acc))
      ([],acc) l in
    (List.rev rev,acc)

  let fold_all_part f acc =
    let rec aux acc part = function
    | [] -> f acc part
    | a::l -> aux (aux acc (a::part) l) part l in
    aux acc []

end

module Set = struct

  module type OrderedType = Set.OrderedType

  module type S = sig
    include Set.S
    val of_list: elt list -> t
    val to_list: t -> elt list
  end

  module Make(Ord : OrderedType) : S with type elt = Ord.t = struct
    include Set.Make(Ord)

    let of_list ls =
      List.fold_left (fun s e -> add e s) empty ls

    let to_list s =
      fold (fun e acc -> e :: acc) s []

  end
end

module Map = struct

  module type OrderedType = Map.OrderedType

  module type S = sig
    include Map.S
    val elements: 'a t -> (key * 'a) list
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val to_list: 'a t -> (key * 'a) list
    val find_or_default: key -> 'a -> 'a t -> 'a
    val find_or_none: key -> 'a t -> 'a option
    val merge: ('a -> 'a -> 'a) -> 'a t -> 'a t -> 'a t
    val add_merge: ('a -> 'a -> 'a) -> key -> 'a -> 'a t -> 'a t
    val diff_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge_option: ('a -> 'b -> 'c option) -> 'a t -> 'b t -> 'c t
  end

  module Make(Ord : OrderedType) : S with type key = Ord.t = struct
    include Map.Make(Ord)

    let elements m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let keys m =
      fold (fun k _v acc -> k :: acc) m []

    let values m =
      fold (fun _k v acc -> v :: acc) m []

    let to_list m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let find_or_default k v m =
      try find k m with Not_found -> v

    let find_or_none k m =
      try Some(find k m) with Not_found -> None

    let merge f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		add k (f v1 v2) m
	      with Not_found ->
		add k v1 m
	   ) m1 m2

    let add_merge f k v m =
      let v =
	try f v (find k m)
	with Not_found -> v
      in
      add k v m

    let diff_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found ->
		add k v1 m
	   ) m1 empty

    let inter_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found -> m
	   ) m1 empty

    let inter_merge_option f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		match f v1 v2 with
                  | Some v -> add k v m
                  | None -> m
	      with Not_found -> m
	   ) m1 empty

  end
end

module StdHashtbl = Hashtbl

module Hashtbl = struct

  module type HashedType = Hashtbl.HashedType

  module type S = sig
    include Hashtbl.S
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val choose: 'a t -> (key * 'a) option
    val remove_all : 'a t -> key -> unit
    val is_empty : 'a t -> bool
  end

  module type Std = sig
    type ('a, 'b) t
    val create : int -> ('a, 'b) t
    val clear : ('a, 'b) t -> unit
    val add : ('a, 'b) t -> 'a -> 'b -> unit
    val copy : ('a, 'b) t -> ('a, 'b) t
    val find : ('a, 'b) t -> 'a -> 'b
    val find_all : ('a, 'b) t -> 'a -> 'b list
    val mem : ('a, 'b) t -> 'a -> bool
    val remove : ('a, 'b) t -> 'a -> unit
    val replace : ('a, 'b) t -> 'a -> 'b -> unit
    val iter : ('a -> 'b -> unit) -> ('a, 'b) t -> unit
    val fold : ('a -> 'b -> 'c -> 'c) -> ('a, 'b) t -> 'c -> 'c
    val length : ('a, 'b) t -> int
    val hash : 'a -> int
    val hash_param : int -> int -> 'a -> int
  end

  include (Hashtbl : Std)

  module Make(H : HashedType) : S with type key = H.t = struct
    include Hashtbl.Make(H)

    let keys t =
      fold (fun k _v acc -> k :: acc) t []

    let values t =
      fold (fun _k v acc -> v :: acc) t []

    let choose t =
      let p = ref None in
      begin try
	iter (fun k v -> p := Some(k,v); failwith "Hashtbl.choose") t
      with Failure "Hashtbl.choose" -> () end;
      !p

    let remove_all t p =
      List.iter (fun _ -> remove t p) (find_all t p)

    let is_empty t =
      try
        iter (fun _ _ ->  raise Not_found) t;
        true
      with Not_found -> false
  end

  let remove_all t p =
    List.iter (fun _ -> remove t p) (find_all t p)

  let is_empty t =
    try
      iter (fun _ _ ->  raise Not_found) t;
      true
    with Not_found -> false

end

(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_interp.ml����������������������������������������������������������������������������0000644�0001750�0001750�00000454601�12311670312�013532� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*
open Jc_stdlib
*)
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_name
open Jc_constructors
open Jc_pervasives
open Jc_separation
open Jc_struct_tools
open Jc_effect
open Jc_interp_misc
open Jc_invariants
open Jc_pattern

open Output
open Format
open Num
open Pp

let unsupported = Jc_typing.typing_error

(******************************************************************************)
(*                            source positioning                              *)
(******************************************************************************)

let abs_fname f =
  if Filename.is_relative f then
    Filename.concat (Unix.getcwd ()) f
  else f

type source_ref =
    {
      in_mark: string;
      pos: Loc.position
    }

type gui_elem =
    {
      out_mark: string;
      kind: kind option;
      name: string option;
      beh: string option
    }

let reg_pos sce gui =
  if gui.out_mark <> "" && false (* Jc_stdlib.StdHashtbl.mem Output.my_pos_table gui.out_mark *) then 
    begin
      (* If GUI element already refered to in output table, do not
       * reference it twice. This is the case in particular for generated
       * annotations. *)
      gui.out_mark
    end
  else
    (* Generate a new mark if not fixed in GUI element *)
    let mark =
      if gui.out_mark = "" then
	Jc_pervasives.new_label_name()
      else gui.out_mark
    in
    let (n,f,l,b,e,k) =
      if sce.in_mark <> "" && Jc_stdlib.Hashtbl.mem Jc_options.pos_table sce.in_mark then
	(* If source location present in input table, copy information to
	 * output table. *)
	let (f,l,b,e,k,o) = Jc_stdlib.Hashtbl.find Jc_options.pos_table sce.in_mark in
	let n =
	  try match List.assoc "name" o with
            | Rc.RCident s | Rc.RCstring s -> Some s
            | _ -> raise Not_found
	  with Not_found -> gui.name
	in
	(n,f,l,b,e,k)
      else
        begin
	  (* By default, refer to the Jessie source file *)
	  let b,e = sce.pos in
	  let f = abs_fname b.Lexing.pos_fname in
	  let l = b.Lexing.pos_lnum in
	  let fc = b.Lexing.pos_cnum - b.Lexing.pos_bol in
	  let lc = e.Lexing.pos_cnum - b.Lexing.pos_bol in
	  (gui.name,f,l,fc,lc,None)
        end
    in
    (* If present, always prefer new kind *)
    let k = match gui.kind with None -> k | Some k -> Some k in
    my_add_pos mark (k,n,gui.beh,f,l,b,e);
    mark

let reg_check ?mark ?kind pos =
  let sce =
    { in_mark = Option_misc.map_default (fun x -> x) "" mark; pos = pos; }
  in
  let gui = { out_mark = ""; kind = kind; name = None; beh = None; } in
  reg_pos sce gui

let reg_decl ~in_mark ~out_mark ~name ~beh pos =
  let sce = { in_mark = in_mark; pos = pos; } in
  let gui =
    { out_mark = out_mark; kind = None; name = Some name; beh = Some beh; }
  in
  ignore (reg_pos sce gui)

let make_check ?mark ?kind pos e' =
  let mark = reg_check ?mark ?kind pos in
(*
  eprintf "Jc_interp.make_check: adding label %s@." mark;
*)
  make_label mark e'

let make_guarded_app ~mark kind pos f args =
  make_check ~mark ~kind pos (make_app f args)

(*
let print_locs fmt =
  Hashtbl.iter
    (fun id (kind,name,beh,(f,l,b,e)) ->
(*
       let f = b.Lexing.pos_fname in
       let l = b.Lexing.pos_lnum in
       let fc = b.Lexing.pos_cnum - b.Lexing.pos_bol in
       let lc = e.Lexing.pos_cnum - b.Lexing.pos_bol in
*)
       fprintf fmt "[%s]@\n" id;
       Option_misc.iter
         (fun k -> fprintf fmt "kind = %a@\n" print_kind k) kind;
       Option_misc.iter
         (fun n -> fprintf fmt "name = \"%s\"@\n" n) name;
       Option_misc.iter
	 (fun b -> fprintf fmt "behavior = \"%s\"@\n" b) beh;
       fprintf fmt "file = \"%s\"@\n" (String.escaped f);
       fprintf fmt "line = %d@\n" l;
       fprintf fmt "begin = %d@\n" b;
       fprintf fmt "end = %d@\n@\n" e)
    Output.pos_table
  *)

(******************************************************************************)
(*                                 Operators                                  *)
(******************************************************************************)

let native_operator_type op = match snd op with
  | `Unit -> Jc_pervasives.unit_type
  | `Boolean -> Jc_pervasives.boolean_type
  | `Integer -> Jc_pervasives.integer_type
  | `Real -> Jc_pervasives.real_type
  | `Double -> Jc_pervasives.double_type
  | `Float -> Jc_pervasives.float_type
  | `Binary80 -> JCTnative (Tgenfloat `Binary80)

let unary_op: expr_unary_op -> string = function
  | `Uminus, `Integer -> "neg_int"
  | `Uminus, `Real -> "neg_real"
  | `Unot, `Boolean -> "not"
  | `Ubw_not, `Integer -> "bw_compl"
  | _ -> assert false (* not proper type *)

let term_unary_op: expr_unary_op -> string = function
  | `Uminus, `Integer -> "neg_int"
  | `Uminus, `Real -> "neg_real"
  | `Unot, `Boolean -> "bool_not"
  | `Ubw_not, `Integer -> "bw_compl"
  | _ -> assert false (* not proper type *)

let float_model_has_safe_functions () =
  match !Jc_options.float_model with
    | FMdefensive | FMmultirounding -> true
    | FMmath | FMfull -> false


let float_format f =
  match f with
    | `Double -> "double"
    | `Float -> "single"
    | `Binary80 -> "binary80"

let float_operator f t =
  let s =
    match f with
      | `Badd -> "add_"
      | `Bsub -> "sub_"
      | `Bmul -> "mul_"
      | `Bdiv -> "div_"
      | `Uminus -> "neg_"
      | `Bmod -> assert false
  in
  if float_model_has_safe_functions() && (not (safety_checking()))
  then s ^ (float_format t) ^"_safe" else s^ (float_format t)



let logic_current_rounding_mode () =
  match !Jc_options.current_rounding_mode with
    | FRMNearestEven -> LVar "nearest_even"
    | FRMDown -> LVar "down"
    | FRMUp -> LVar "up"
    | FRMToZero -> LVar "to_zero"
    | FRMNearestAway -> LVar "nearest_away"

let current_rounding_mode () =
  match !Jc_options.current_rounding_mode with
    | FRMNearestEven -> mk_var "nearest_even"
    | FRMDown -> mk_var "down"
    | FRMUp -> mk_var "up"
    | FRMToZero -> mk_var "to_zero"
    | FRMNearestAway -> mk_var "nearest_away"

let bin_op: expr_bin_op -> string = function
    (* integer *)
  | `Bgt, `Integer -> "gt_int_"
  | `Blt, `Integer -> "lt_int_"
  | `Bge, `Integer -> "ge_int_"
  | `Ble, `Integer -> "le_int_"
  | `Beq, `Integer -> "eq_int_"
  | `Bneq, `Integer -> "neq_int_"
  | `Badd, `Integer -> "add_int"
  | `Bsub, `Integer -> "sub_int"
  | `Bmul, `Integer -> "mul_int"
  | `Bdiv, `Integer ->
      if safety_checking () then "computer_div_" else "computer_div"
  | `Bmod, `Integer ->
      if safety_checking () then "computer_mod_" else "computer_mod"
      (* pointer *)
  | `Beq, `Pointer ->
      if safety_checking () then "eq_pointer" else "safe_eq_pointer"
  | `Bneq, `Pointer ->
      if safety_checking () then "neq_pointer" else "safe_neq_pointer"
  | `Bsub, `Pointer ->
      if safety_checking () then "sub_pointer_" else "safe_sub_pointer_"
      (* real *)
  | `Bgt, `Real -> "gt_real_"
  | `Blt, `Real -> "lt_real_"
  | `Bge, `Real -> "ge_real_"
  | `Ble, `Real -> "le_real_"
  | `Beq, `Real -> "eq_real_"
  | `Bneq, `Real -> "neq_real_"
  | `Bgt, `Float -> "gt_single_"
  | `Blt, `Float -> "lt_single_"
  | `Bge, `Float -> "ge_single_"
  | `Ble, `Float -> "le_single_"
  | `Beq, `Float -> "eq_single_"
  | `Bneq,`Float -> "ne_single_"
  | `Bgt, `Double -> "gt_double_"
  | `Blt, `Double -> "lt_double_"
  | `Bge, `Double -> "ge_double_"
  | `Ble, `Double -> "le_double_"
  | `Beq, `Double -> "eq_double_"
  | `Bneq, `Double -> "ne_double_"
  | `Badd, `Real -> "add_real"
  | `Bsub, `Real -> "sub_real"
  | `Bmul, `Real -> "mul_real"
  | `Bdiv, `Real ->
      if safety_checking () then "div_real_" else "div_real"
      (* bool *)
  | `Beq, `Boolean -> "eq_bool_"
  | `Bneq, `Boolean -> "neq_bool_"
      (* bitwise *)
  | `Bbw_and, `Integer -> "bw_and"
  | `Bbw_or, `Integer -> "bw_or"
  | `Bbw_xor, `Integer -> "bw_xor"
  | `Bbw_and, `Boolean -> "bool_and"
  | `Bbw_or, `Boolean -> "bool_or"
  | `Bbw_xor, `Boolean -> "bool_xor"
      (* shift *)
  | `Bshift_left, `Integer -> "lsl"
  | `Blogical_shift_right, `Integer -> "lsr"
  | `Barith_shift_right, `Integer -> "asr"
  | `Bland, _ -> assert false
  | `Blor, _ -> assert false
  | `Bconcat, _ -> "string_concat"
  | op, opty ->
      Jc_typing.typing_error Loc.dummy_position
        "Can't use operator %s with type %s in expressions"
        (string_of_op op) (string_of_op_type opty)

let term_bin_op: term_bin_op -> string = function
    (* integer *)
  | `Bgt, `Integer -> "gt_int_bool"
  | `Blt, `Integer -> "lt_int_bool"
  | `Bge, `Integer -> "ge_int_bool"
  | `Ble, `Integer -> "le_int_bool"
  | `Beq, `Integer -> "eq_int_bool"
  | `Bneq, `Integer -> "neq_int_bool"
  | `Badd, `Integer -> "add_int"
  | `Bsub, `Integer -> "sub_int"
  | `Bmul, `Integer -> "mul_int"
  | `Bdiv, `Integer -> "computer_div"
  | `Bmod, `Integer -> "computer_mod"
      (* pointer *)
  | `Beq, `Pointer -> "eq_pointer_bool"
  | `Bneq, `Pointer -> "neq_pointer_bool"
  | `Bsub, `Pointer -> "sub_pointer"
      (* logic *)
  | `Beq, `Logic -> "eq"
  | `Bneq, `Logic -> "neq"
      (* real *)
  | `Bgt, `Real -> "gt_real_bool"
  | `Blt, `Real -> "lt_real_bool"
  | `Bge, `Real -> "ge_real_bool"
  | `Ble, `Real -> "le_real_bool"
  | `Beq, `Real -> "eq_real_bool"
  | `Bneq, `Real -> "neq_real_bool"
  | `Badd, `Real -> "add_real"
  | `Bsub, `Real -> "sub_real"
  | `Bmul, `Real -> "mul_real"
  | `Bdiv, `Real -> "div_real"
      (* bool *)
(*  | `Beq_bool, `Boolean -> "eq_bool"
  | `Bneq_bool, `Boolean -> "neq_bool"*)
      (* bitwise *)
  | `Bbw_and, `Integer -> "bw_and"
  | `Bbw_or, `Integer -> "bw_or"
  | `Bbw_xor, `Integer -> "bw_xor"
  | `Bshift_left, `Integer -> "lsl"
  | `Blogical_shift_right, `Integer -> "lsr"
  | `Barith_shift_right, `Integer -> "asr"
      (* logical *)
  | `Blor, `Boolean -> "bool_or"
  | `Bland, `Boolean ->  "bool_and"
  | `Biff, _ | `Bimplies, _ ->
      assert false (* TODO *)
  | op, opty ->
      Jc_typing.typing_error Loc.dummy_position
        "Can't use operator %s with type %s in terms"
        (string_of_op op) (string_of_op_type opty)

let pred_bin_op: pred_bin_op -> string = function
    (* integer *)
  | `Bgt, `Integer -> "gt_int"
  | `Blt, `Integer -> "lt_int"
  | `Bge, `Integer -> "ge_int"
  | `Ble, `Integer -> "le_int"
  | `Beq, `Integer -> "eq"
  | `Bneq, `Integer -> "neq"
      (* pointer *)
  | `Beq, (`Pointer | `Logic) -> "eq"
  | `Bneq, (`Pointer | `Logic) -> "neq"
      (* real *)
  | `Beq, `Real -> "eq"
  | `Bneq, `Real -> "neq"
  | `Bgt, `Real -> "gt_real"
  | `Blt, `Real -> "lt_real"
  | `Bge, `Real -> "ge_real"
  | `Ble, `Real -> "le_real"
      (* logical *)
  | `Blor, `Boolean -> "bor"
  | `Bland, `Boolean -> "band"
  | `Biff, `Boolean
  | `Bimplies, `Boolean -> assert false (* TODO *)
      (* boolean *)
  | `Beq, `Boolean -> "eq"
  | `Bneq, `Boolean -> "neq"
  | op, opty ->
      Jc_typing.typing_error Loc.dummy_position
        "Can't use operator %s with type %s in assertions"
        (string_of_op op) (string_of_op_type opty)


(******************************************************************************)
(*                                   types                                    *)
(******************************************************************************)

let has_equality_op = function
  | JCTnative Tunit -> false
  | JCTnative Tboolean -> true
  | JCTnative Tinteger -> true
  | JCTnative Treal -> true
  | JCTnative (Tgenfloat _) -> true
  | JCTnative Tstring -> true
  | JCTlogic _s -> (* TODO *) false
  | JCTenum _ei -> true
  | JCTpointer _
  | JCTnull ->  true
  | JCTany -> false
  | JCTtype_var _ -> false (* TODO ? *)

let equality_op_for_type = function
  | JCTnative Tunit -> assert false
  | JCTnative Tboolean -> "eq_bool"
  | JCTnative Tinteger -> "eq_int"
  | JCTnative Treal -> "eq_real"
  | JCTnative (Tgenfloat f) -> ("eq_"^(float_format f))
  | JCTnative Tstring -> "eq"
  | JCTlogic _s -> (* TODO *) assert false
  | JCTenum ei -> eq_of_enum ei
  | JCTpointer _
  | JCTnull ->  "eq"
  | JCTany -> assert false
  | JCTtype_var _ -> assert false (* TODO ? *)


(******************************************************************************)
(*                                 Structures                                 *)
(******************************************************************************)

let tr_struct st acc =
  let tagid_type = tag_id_type (struct_root st) in
    (* Declarations of field memories. *)
  let acc =
    if !Jc_options.separation_sem = SepRegions then acc else
      if struct_of_plain_union st then acc else
        List.fold_left
          (fun acc fi ->
             let mem = memory_type (JCmem_field fi) in
             Param(
               false,
               id_no_loc (field_memory_name fi),
               Ref_type(Base_type mem))::acc)
          acc st.jc_struct_info_fields
  in
  (* Declarations of translation functions for union *)
(*
  let vi = struct_root st in
  let acc =
    if not (root_is_union vi) then acc else
      if integral_union vi then acc else
        let uty = bitvector_type in
        List.fold_left
          (fun acc fi ->
	     if has_equality_op fi.jc_field_info_type then
               Logic(false,id_no_loc (logic_field_of_union fi),
                     [("",uty)],tr_base_type fi.jc_field_info_type)
               :: Logic(false,id_no_loc (logic_union_of_field fi),
			[("",tr_base_type fi.jc_field_info_type)],uty)
               :: Goal(KAxiom,id_no_loc ((logic_field_of_union fi)^"_of_"^(logic_union_of_field fi)),
			LForall("x",tr_base_type fi.jc_field_info_type, [],
				LPred(equality_op_for_type fi.jc_field_info_type,
                                      [LApp(logic_field_of_union fi,
                                            [LApp(logic_union_of_field fi,
                                                  [LVar "x"])]);
                                       LVar "x"])))
               :: acc
	     else acc)
          acc st.jc_struct_info_fields
  in
*)
  (* declaration of the tag_id *)
  let acc =
    Logic(false,id_no_loc (tag_name st),[],tagid_type)::acc
  in

  let acc =
    if struct_of_union st then acc
    else
      let pc = JCtag(st,[]) in
      let ac = alloc_class_of_pointer_class pc in
      let in_param = false in
	(* Validity parameters *)
	make_valid_pred ~in_param ~equal:true ac pc
	:: make_valid_pred ~in_param ~equal:false ac pc
	:: make_valid_pred ~in_param ~equal:false ~right:false ac pc
	:: make_valid_pred ~in_param ~equal:false ~left:false ac pc
(*
	:: make_valid_pred ~in_param ~equal:true (* TODO ? *) JCalloc_bitvector pc
*)
	  (* Allocation parameters *)
	:: make_alloc_param ~check_size:true ac pc
	:: make_alloc_param ~check_size:false ac pc
(*
	:: make_alloc_param ~check_size:true JCalloc_bitvector pc
	:: make_alloc_param ~check_size:false JCalloc_bitvector pc
*)
	:: (if Region.exists_bitwise () then make_conversion_params pc else [])
        @ acc
  in

  match st.jc_struct_info_parent with
    | None ->
        (* axiom for parenttag *)
        let name = st.jc_struct_info_name ^ "_parenttag_bottom" in
        let p = LPred("parenttag", [ LVar (tag_name st); LVar "bottom_tag" ]) in
        Goal(KAxiom,id_no_loc name, p)::acc
    | Some(p, _) ->
        (* axiom for parenttag *)
        let name =
          st.jc_struct_info_name ^ "_parenttag_" ^ p.jc_struct_info_name
        in
        let p =
          LPred("parenttag", [ LVar (tag_name st); LVar (tag_name p) ])
        in
        Goal(KAxiom,id_no_loc name, p)::acc


(******************************************************************************)
(*                                 Coercions                                  *)
(******************************************************************************)

let float_of_real f x =
  (* TODO: Mpfr.settofr etc *)
  if Str.string_match (Str.regexp "\\([0-9]+\\)\\.0*$") x 0 then
    let s = Str.matched_group 1 x in
    match f with
      | `Float ->
          if String.length s <= 7 (* x < 10^7 < 2^24 *) then x
          else
            (*
              Format.eprintf"real constant: %s@." x;
            *)
            raise Not_found
     | `Double ->
          if String.length s <= 15 (* x < 10^15 < 2^53 *) then x
          else
            (*
              Format.eprintf"real constant: %s@." x;
            *)
            raise Not_found
     | `Binary80 -> raise Not_found
  else
    match f,x with
      | _ , "0.5" -> x
      | `Float, "0.1" -> "0x1.99999ap-4"
      | `Double, "0.1" -> "0x1.999999999999ap-4"
      | _ -> raise Not_found

let rec term_coerce ~type_safe ~global_assertion lab ?(cast=false) pos
    ty_dst ty_src e e' =
  let rec aux a b =
    match a,b with
      | JCTlogic (t,tl), JCTlogic (u,ul) when t = u -> List.for_all2 aux tl ul
      | JCTtype_var _, JCTtype_var _ -> true (*jc_typing take care of that*)
      | (JCTtype_var _, _) | (_,JCTtype_var _) -> true
      | JCTpointer (JCroot rt1,_,_), JCTpointer (JCroot rt2,_,_) -> rt1 == rt2
      | _ -> false
  in
  match ty_dst, ty_src with
      (* identity *)
    | JCTnative t, JCTnative u when t = u -> e'
    | (JCTlogic _|JCTtype_var _), (JCTlogic _|JCTtype_var _)
      when aux ty_dst ty_src -> e'
    | (JCTtype_var _, JCTpointer _) -> e'
    | JCTpointer _, JCTpointer _ when aux ty_dst ty_src -> e'
    | JCTany, JCTany -> e'
      (* between integer/enum and real *)
    | JCTnative Treal, JCTnative Tinteger ->
	begin match e' with
	  | LConst(Prim_int n) ->
	      LConst(Prim_real(n ^ ".0"))
	  | _ ->
	      LApp("real_of_int",[ e' ])
	end
    | JCTnative Treal, JCTenum ri ->
	begin match e' with
	  | LConst(Prim_int n) ->
	      LConst(Prim_real(n ^ ".0"))
	  | _ ->
	      let e' = LApp(logic_int_of_enum ri,[ e' ]) in
	      LApp("real_of_int",[ e' ])
	end
    | JCTnative Treal, JCTnative (Tgenfloat f) ->
	begin
	  match e' with
	    | LApp (f,[LConst (Prim_real _) as c])
		when f = "single_of_real_exact" || f = "single_of_real_exact" ->
		c
	    | _ -> LApp((float_format f)^"_value",[ e' ])
	end
    | JCTnative (Tgenfloat f), JCTnative Treal ->
	begin
          try
	    match e' with
	      | LConst (Prim_real x) ->
		  LApp ((float_format f)^"_of_real_exact",
		        [LConst (Prim_real (float_of_real f x))])
	      | _ -> raise Not_found
          with Not_found ->
	    LApp ("round_"^(float_format f)^"_logic",
		  [ logic_current_rounding_mode () ; e' ])
	end
    | JCTnative (Tgenfloat _f), (JCTnative Tinteger | JCTenum _) ->
        term_coerce ~type_safe ~global_assertion lab pos ty_dst (JCTnative Treal) e
          (term_coerce ~type_safe ~global_assertion lab pos (JCTnative Treal) ty_src e e')
    | JCTnative Tinteger, JCTnative Treal ->
	assert false (* LApp("int_of_real",[ e' ]) *)
      (* between enums and integer *)
    | JCTenum ri1, JCTenum ri2
	when ri1.jc_enum_info_name = ri2.jc_enum_info_name -> e'
    | JCTenum ri1, JCTenum ri2 ->
        assert cast; (* Typing should have inserted an explicit cast *)
        let e' = LApp(logic_int_of_enum ri2,[ e' ]) in
        LApp(logic_enum_of_int ri1,[ e' ])
    | JCTnative Tinteger, JCTenum ri ->
        LApp(logic_int_of_enum ri,[ e' ])
    | JCTenum ri, JCTnative Tinteger ->
        LApp(logic_enum_of_int ri,[ e' ])
      (* between pointers and null *)
    | JCTpointer _ , JCTnull -> e'
    | JCTpointer(pc1,_,_), JCTpointer(JCtag(st2,_),_,_)
        when Jc_typing.substruct st2 pc1 -> e'
    | JCTpointer(JCtag(st1,_),_,_), JCTpointer _ ->
	let tag =
	  ttag_table_var ~label_in_name:global_assertion lab
	    (struct_root st1,e#region)
	in
        LApp("downcast", [ tag; e'; LVar (tag_name st1) ])
    |  _ ->
         Jc_typing.typing_error pos
           "can't (term_)coerce type %a to type %a"
           print_type ty_src print_type ty_dst

let eval_integral_const e =
  let rec eval e =
    match e#node with
      | JCEconst(JCCinteger s) -> Numconst.integer s
      | JCErange_cast(e,_ri2) -> eval e
      | JCEunary(op,e) ->
          let v = eval e in
          begin match op with
            | `Uminus, `Integer -> minus_num v
            | `Uminus, (`Real | `Binary80 | `Double | `Float | `Boolean | `Unit)
            | `Unot, _
            | `Ubw_not, _ -> raise Exit
          end
      | JCEbinary(e1,op,e2) ->
          let v1 = eval e1 in
          let v2 = eval e2 in
          begin match op with
            | `Badd, `Integer -> v1 +/ v2
            | `Bsub, `Integer -> v1 -/ v2
            | `Bmul, `Integer -> v1 */ v2
            | `Bdiv, `Integer ->
                if eq_num (mod_num v1 v2) Numconst.zero then quo_num v1 v2 else raise Exit
            | `Bmod, `Integer ->
                mod_num v1 v2
            | (`Badd | `Barith_shift_right | `Bbw_and | `Bbw_or | `Bbw_xor
              | `Bdiv | `Beq | `Bge | `Bgt | `Ble | `Blogical_shift_right
              | `Blt | `Bmod | `Bmul | `Bneq | `Bshift_left | `Bsub), _ ->
		raise Exit
	    | `Bconcat, _ -> raise Exit
	    | `Bland, _ -> raise Exit
	    | `Blor, _ -> raise Exit
          end
      | JCEif(_e1,_e2,_e3) ->
          (* TODO: write [eval_boolean_const] *)
          raise Exit
      | JCEconst _ | JCEvar _ | JCEshift _ | JCEderef _
      | JCEinstanceof _ | JCEcast _ | JCEbitwise_cast _ | JCEreal_cast _
      | JCEoffset _ | JCEbase_block _
      | JCEaddress _
      | JCEalloc _ | JCEfree _ | JCEmatch _ |JCEunpack _ |JCEpack _
      | JCEthrow _ | JCEtry _ | JCEreturn _ | JCEloop _ | JCEblock _
      | JCEcontract _ | JCEassert _ | JCEfresh _ 
      | JCElet _ | JCEassign_heap _ | JCEassign_var _ | JCEapp _
      | JCEreturn_void -> raise Exit

  in
  try Some(eval e) with Exit | Division_by_zero -> None

let rec fits_in_enum ri e =
  match eval_integral_const e with
    | Some c -> ri.jc_enum_info_min <=/ c && c <=/ ri.jc_enum_info_max
    | None -> false

let rec coerce ~check_int_overflow mark pos ty_dst ty_src e e' =
  match ty_dst, ty_src with
      (* identity *)
    | JCTnative t, JCTnative u when t = u -> e'
    | JCTlogic t, JCTlogic u when t = u -> e'
    | JCTany, JCTany -> e'
      (* between integer/enum and real *)
    | JCTnative Treal, JCTnative Tinteger ->
	begin match e'.expr_node with
	  | Cte(Prim_int n) ->
	      { e' with expr_node = Cte(Prim_real(n ^ ".0")) }
	  | _ ->
	      make_app "real_of_int" [ e' ]
	end
    | JCTnative Treal, JCTenum ri ->
	begin match e'.expr_node with
	  | Cte(Prim_int n) ->
	      { e' with expr_node = Cte(Prim_real(n ^ ".0")) }
	  | _ ->
	      make_app "real_of_int" [ make_app (logic_int_of_enum ri) [ e' ] ]
	end
    | JCTnative Tinteger, JCTnative Treal ->
	assert false (* make_app "int_of_real" [ e' ] *)
    | JCTnative (Tgenfloat _), (JCTnative Tinteger | JCTenum _) ->
        coerce ~check_int_overflow mark pos ty_dst (JCTnative Treal) e
          (coerce ~check_int_overflow mark pos (JCTnative Treal) ty_src e e')
    | JCTnative (Tgenfloat f1), JCTnative (Tgenfloat f2) ->
        let enlarge =
          match f2, f1 with
          | `Float, _ -> true
          | _, `Float -> false
          | `Double, _ -> true
          | _, _ -> false in
        let name = (float_format f1)^"_of_"^(float_format f2) in
        if enlarge then
          make_app name [ e' ]
        else if check_int_overflow then
          make_guarded_app ~mark FPoverflow pos name
            [ current_rounding_mode () ; e' ]
        else
          make_app (name^"_safe") [ current_rounding_mode () ; e' ]
    | JCTnative (Tgenfloat f), JCTnative Treal ->
	begin
          try
	    match e'.expr_node with
	      | Cte (Prim_real x) ->
		  let s = float_of_real f x in
		  make_app ((float_format f)^"_of_real_exact")
		  [ { e' with expr_node = Cte (Prim_real s) } ]
	      | _ -> raise Not_found
          with Not_found ->
	    if check_int_overflow then
	      make_guarded_app ~mark FPoverflow pos
	        ((float_format f)^"_of_real")
	        [ current_rounding_mode () ; e' ]
	    else
	      make_app ((float_format f)^"_of_real_safe")
	        [ current_rounding_mode () ; e' ]
	end
    | JCTnative Treal, JCTnative (Tgenfloat f) ->
	make_app ((float_format f)^"_value") [ e' ]
      (* between enums and integer *)
    | JCTenum ri1, JCTenum ri2
	when ri1.jc_enum_info_name = ri2.jc_enum_info_name -> e'
    | JCTenum ri1, JCTenum ri2 ->
        let e' = make_app (logic_int_of_enum ri2) [ e' ] in
        if not check_int_overflow || fits_in_enum ri1 e then
          make_app (safe_fun_enum_of_int ri1) [ e' ]
        else
          make_guarded_app ~mark ArithOverflow pos (fun_enum_of_int ri1) [ e' ]
    | JCTnative Tinteger, JCTenum ri ->
        make_app (logic_int_of_enum ri) [ e' ]
    | JCTenum ri, JCTnative Tinteger ->
        if not check_int_overflow || fits_in_enum ri e then
          make_app (safe_fun_enum_of_int ri) [ e' ]
        else
          make_guarded_app ~mark ArithOverflow pos (fun_enum_of_int ri) [ e' ]
      (* between pointers and null *)
    | JCTpointer _ , JCTnull -> e'
    | JCTpointer(pc1,_,_), JCTpointer(JCtag(st2,_),_,_)
        when Jc_typing.substruct st2 pc1 -> e'
    | JCTpointer(JCtag(st1,_),_,_), JCTpointer _  ->
	let downcast_fun =
	  if safety_checking () then "downcast_" else "safe_downcast_"
	in
	let tag = tag_table_var(struct_root st1,e#region) in
        make_guarded_app ~mark DownCast pos downcast_fun
          [ tag; e'; mk_var(tag_name st1) ]
    | _ ->
        Jc_typing.typing_error pos
          "can't coerce type %a to type %a"
          print_type ty_src print_type ty_dst


(******************************************************************************)
(*                                   terms                                    *)
(******************************************************************************)

(* [pattern_lets] is a list of (id, value), which should be binded
 * at the assertion level. *)
let pattern_lets = ref []
let concat_pattern_lets lets = pattern_lets := lets @ !pattern_lets
let bind_pattern_lets body =
  let binds =
    List.fold_left
      (fun body bind ->
	 match bind with
	   | JCforall(id, ty) -> LForall(id, ty, [], body)
	   | JClet(id, value) -> LLet(id, value, body))
      body (List.rev !pattern_lets)
  in
  pattern_lets := [];
  binds

let is_base_block t = match t#node with
  | JCTbase_block _ -> true
  | _ -> false

let rec term ?(subst=VarMap.empty) ~type_safe ~global_assertion ~relocate lab oldlab t =
  let ft = term ~subst ~type_safe ~global_assertion ~relocate lab oldlab in
  let term_coerce = term_coerce ~type_safe ~global_assertion lab in
  let t' = match t#node with
    | JCTconst JCCnull -> LVar "null"
    | JCTvar v ->
        begin
          try VarMap.find v subst
          with Not_found -> tvar ~label_in_name:global_assertion lab v
        end
    | JCTconst c -> LConst(const c)
    | JCTunary(op,t1) ->
        let t1'= ft t1 in
        LApp(term_unary_op op,
	     [ term_coerce t#pos (native_operator_type op) t1#typ t1 t1' ])
(*     | JCTbinary(t1,(`Bsub,`Pointer),t2) -> *)
(*         let t1' = LApp("address",[ ft t1 ]) in *)
(*         let t2' = LApp("address",[ ft t2 ]) in *)
(* 	let st = pointer_struct t1#typ in *)
(* 	let s = string_of_int (struct_size_in_bytes st) in *)
(*         LApp( *)
(* 	  term_bin_op (`Bdiv,`Integer), *)
(* 	  [ LApp(term_bin_op (`Bsub,`Integer), [ t1'; t2' ]); *)
(* 	    LConst(Prim_int s) ]) *)
    | JCTbinary(t1,(_,(`Pointer | `Logic) as op),t2) ->
        let t1' = ft t1 in
        let t2' = ft t2 in
        LApp(term_bin_op op, [ t1'; t2' ])
    | JCTbinary(t1,(_, #native_operator_type as op),t2) ->
        let t1' = ft t1 in
        let t2' = ft t2 in
        let ty = native_operator_type op in
        LApp(term_bin_op op,
             [ term_coerce t1#pos ty t1#typ t1 t1';
               term_coerce t2#pos ty t2#typ t2 t2' ])
    | JCTshift(t1,t2) ->
        let t1' = ft t1 in
        let t2' = ft t2 in
        LApp("shift",[ t1'; term_coerce t2#pos integer_type t2#typ t2 t2' ])
    | JCTif(t1,t2,t3) ->
        let t1' = ft t1 in
        let t2' = ft t2 in
        let t3' = ft t3 in
        TIf(t1',
            (** type of t2 and t3 are equal or one is the subtype of
                the other *)
            term_coerce t2#pos t#typ t2#typ t2 t2',
            term_coerce t3#pos t#typ t3#typ t3 t3')
    | JCTlet(vi,t1,t2) ->
        let t1' = ft t1 in
        let t2' = ft t2 in
        TLet(vi.jc_var_info_final_name, t1', t2')
    | JCToffset(k,t1,st) ->
	let ac = tderef_alloc_class ~type_safe t1 in
        let _,alloc =
	  talloc_table_var ~label_in_name:global_assertion lab (ac,t1#region)
	in
	begin match ac with
	  | JCalloc_root _ ->
              let f = match k with
		| Offset_min -> "offset_min"
		| Offset_max -> "offset_max"
              in
              let t1' = ft t1 in
              LApp(f,[alloc; t1' ])
	  | JCalloc_bitvector ->
              let f = match k with
		| Offset_min -> "offset_min_bytes"
		| Offset_max -> "offset_max_bytes"
              in
              let t1' = ft t1 in
	      let s = string_of_int (struct_size_in_bytes st) in
              LApp(f,[ alloc; t1'; LConst(Prim_int s) ])
	end
    | JCTaddress(Addr_absolute,t1) ->
        LApp("absolute_address",[ ft t1 ])
    | JCTaddress(Addr_pointer,t1) ->
        LApp("address",[ ft t1 ])
    | JCTbase_block(t1) ->
        LApp("base_block",[ ft t1 ])
    | JCTinstanceof(t1,lab',st) ->
      let lab = if relocate && lab' = LabelHere then lab else lab' in
        let t1' = ft t1 in
	let tag =
	  ttag_table_var ~label_in_name:global_assertion lab
	    (struct_root st,t1#region)
	in
        LApp("instanceof_bool",[ tag; t1'; LVar (tag_name st) ])
    | JCTcast(t1,lab',st) ->
      let lab = if relocate && lab' = LabelHere then lab else lab' in
        if struct_of_union st then
	  ft t1
	else
          let t1' = ft t1 in
	  let tag =
	    ttag_table_var ~label_in_name:global_assertion lab
	      (struct_root st,t1#region)
	  in
          LApp("downcast",[ tag; t1'; LVar (tag_name st) ])
    | JCTbitwise_cast(t1,_lab,_st) ->
	ft t1
    | JCTrange_cast(t1,ri) ->
(*         eprintf "range_cast in term: from %a to %a@."  *)
(*           print_type t1#typ print_type (JCTenum ri); *)
        let t1' = ft t1 in
        term_coerce ~cast:true t1#pos (JCTenum ri) t1#typ t1 t1'
    | JCTreal_cast(t1,rc) ->
        let t1' = ft t1 in
        begin match rc with
          | Integer_to_real ->
              term_coerce t1#pos real_type t1#typ t1 t1'
          | Double_to_real ->
              term_coerce t1#pos real_type t1#typ t1 t1'
	  | Float_to_real ->
	      term_coerce t1#pos real_type t1#typ t1 t1'
(*
          | Real_to_integer ->
              term_coerce t1#pos integer_type t1#typ t1 t1'
*)
	  | Round(f,_rm) ->
              term_coerce t1#pos (JCTnative (Tgenfloat f)) t1#typ t1 t1'
	end
    | JCTderef(t1,lab',fi) ->
	let lab = if relocate && lab' = LabelHere then lab else lab' in
	let mc,_ufi_opt = tderef_mem_class ~type_safe t1 fi in
	begin match mc with
	  | JCmem_field fi' ->
	      assert (fi.jc_field_info_tag = fi'.jc_field_info_tag);
              let t1' = ft t1 in
              let mem =
		tmemory_var ~label_in_name:global_assertion lab
		  (JCmem_field fi,t1#region)
	      in
              LApp("select",[ mem; t1' ])
	  | JCmem_plain_union vi ->
	      let t1,off = tdestruct_union_access t1 (Some fi) in
	      (* Retrieve bitvector *)
              let t1' = ft t1 in
              let mem =
		tmemory_var ~label_in_name:global_assertion lab
		  (JCmem_plain_union vi,t1#region)
	      in
              let e' = LApp("select",[ mem; t1' ]) in
	      (* Retrieve subpart of bitvector for specific subfield *)
	      let off = match off with
		| Int_offset s -> s
		| _ -> assert false (* TODO *)
	      in
	      let size =
		match fi.jc_field_info_bitsize with
		  | Some x -> x / 8
		  | None -> assert false
	      in
	      let off = string_of_int off and size = string_of_int size in
	      let e' =
		LApp("extract_bytes",
		     [ e'; LConst(Prim_int off); LConst(Prim_int size) ])
	      in
	      (* Convert bitvector into appropriate type *)
	      begin match fi.jc_field_info_type with
		| JCTenum ri -> LApp(logic_enum_of_bitvector ri,[e'])
		| JCTnative Tinteger -> LApp(logic_integer_of_bitvector,[e'])
                | JCTnative _ -> assert false (* TODO ? *)
                | JCTtype_var _ -> assert false (* TODO ? *)
                | JCTpointer (_, _, _) -> assert false (* TODO ? *)
                | JCTlogic _ -> assert false (* TODO ? *)
                | JCTany -> assert false (* TODO ? *)
                | JCTnull -> assert false (* TODO ? *)
	      end
	  | JCmem_bitvector ->
	      (* Retrieve bitvector *)
              let t1' = ft t1 in
	      let mem =
		tmemory_var ~label_in_name:global_assertion lab
		  (JCmem_bitvector,t1#region)
	      in
	      let off =
		match field_offset_in_bytes fi with
		  | Some x -> x
		  | None -> assert false
	      in
	      let size =
		match fi.jc_field_info_bitsize with
		  | Some x -> x / 8
		  | None -> assert false
	      in
	      let off = string_of_int off and size = string_of_int size in
	      let e' =
		LApp("select_bytes",
		     [ mem; t1'; LConst(Prim_int off); LConst(Prim_int size) ])
	      in
	      (* Convert bitvector into appropriate type *)
	      begin match fi.jc_field_info_type with
		| JCTenum ri -> LApp(logic_enum_of_bitvector ri,[e'])
		| _ty -> assert false (* TODO *)
	      end
	end
    | JCTapp app ->
        let f = app.jc_app_fun in
        let args =
	  List.fold_right (fun arg acc -> (ft arg) :: acc) app.jc_app_args []
        in
        let args =
          try List.map2 (fun e e' -> (e,e')) app.jc_app_args args
          with Invalid_argument _ -> assert false
        in
        let args =
          try
            List.map2
              (fun v (t,t') -> term_coerce t#pos v.jc_var_info_type t#typ t t')
              f.jc_logic_info_parameters args
          with Invalid_argument _ ->
            eprintf "fun = %s, len pars = %d, len args' = %d@."
              f.jc_logic_info_name
              (List.length f.jc_logic_info_parameters)
              (List.length args);
            assert false
        in
	let relab (lab1,lab2) =
	  (lab1, if lab2 = LabelHere then lab else lab2)
	in
	let label_assoc =
	  if relocate then
	    (LabelHere,lab) :: List.map relab app.jc_app_label_assoc
	  else app.jc_app_label_assoc
	in
        make_logic_fun_call ~label_in_name:global_assertion
	  ~region_assoc:app.jc_app_region_assoc
	  ~label_assoc:label_assoc
	  f args
    | JCTold t1 ->
	let lab = if relocate && oldlab = LabelHere then lab else oldlab in
	term ~type_safe ~global_assertion ~relocate lab oldlab t1
    | JCTat(t1,lab') ->
	let lab = if relocate && lab' = LabelHere then lab else lab' in
	term ~type_safe ~global_assertion ~relocate lab oldlab t1
    | JCTrange(_t1,_t2) -> Jc_typing.typing_error t#pos "Unsupported range in term, sorry" (* TODO ? *)
    | JCTmatch(t, ptl) ->
        let t' = ft t in
        (* TODO: use a temporary variable for t' *)
        (* if the pattern-matching is incomplete, default value is true *)
        let ptl',lets =
          pattern_list_term ft t' t#typ ptl (LConst(Prim_bool true)) in
	concat_pattern_lets lets;
        ptl'
  in
  (if t#mark <> "" then
     Tnamed(reg_check ~mark:t#mark t#pos,t')
   else
     t')

let () = ref_term := term

let named_term ~type_safe ~global_assertion ~relocate lab oldlab t =
  let t' = term ~type_safe ~global_assertion ~relocate lab oldlab t in
  match t' with
    | Tnamed _ -> t'
    | _ ->
        let n = reg_check ~mark:t#mark t#pos in
        Tnamed(n,t')


(******************************************************************************)
(*                                assertions                                  *)
(******************************************************************************)

let tag ~type_safe ~global_assertion ~relocate lab oldlab tag=
  match tag#node with
    | JCTtag st -> LVar (tag_name st)
    | JCTbottom -> LVar "bottom_tag"
    | JCTtypeof(t,st) ->
	let t' = term ~type_safe ~global_assertion ~relocate lab oldlab t in
	make_typeof st t#region t'

let rec assertion ~type_safe ~global_assertion ~relocate lab oldlab a =
  let fa = assertion ~type_safe ~global_assertion ~relocate lab oldlab in
  let ft = term ~type_safe ~global_assertion ~relocate lab oldlab in
  let ftag = tag ~type_safe ~global_assertion ~relocate lab oldlab in
  let term_coerce = term_coerce ~type_safe ~global_assertion lab in
  let a' = match a#node with
    | JCAtrue -> LTrue
    | JCAfalse -> LFalse
    | JCAif(t1,a2,a3) ->
        let t1' = ft t1 in
	let a2' = fa a2 in
	let a3' = fa a3 in
        LIf(t1',a2',a3')
    | JCAand al -> make_and_list (List.map fa al)
    | JCAor al -> make_or_list (List.map fa al)
    | JCAimplies(a1,a2) ->
	let a1' = fa a1 in
	let a2' = fa a2 in
	make_impl a1' a2'
    | JCAiff(a1,a2) ->
	let a1' = fa a1 in
	let a2' = fa a2 in
	make_equiv a1' a2'
    | JCAnot a1 ->
	let a1' = fa a1 in
	LNot a1'
    | JCArelation(t1,((`Beq | `Bneq as op),_),t2)
	when is_base_block t1 && is_base_block t2 ->
	let t1 =
	  match t1#node with JCTbase_block t1' -> t1' | _ -> assert false
	in
	let t2 =
	  match t2#node with JCTbase_block t2' -> t2' | _ -> assert false
	in
        let t1' = ft t1 in
        let t2' = ft t2 in
        let p = LPred("same_block", [ t1'; t2' ]) in
	begin match op with
	  | `Beq -> p
	  | `Bneq -> LNot p
	  | _ -> assert false
	end
    | JCArelation(t1,(_,(`Pointer | `Logic) as op),t2) ->
        let t1' = ft t1 in
        let t2' = ft t2 in
        LPred (pred_bin_op (op :> pred_bin_op),[ t1'; t2' ])
(* disabled because cause other problems

  o [Jessie] removed some superfluous conversion on enums which
    prevented some proofs by rewriting

    | JCArelation(t1, (((`Beq | `Bneq), _)as op),t2) ->

(* 	if Jc_options.debug then printf "%a@." Jc_output.assertion a; *)
        let t1' = ft t1 in
        let t2' = ft t2 in
        LPred(pred_bin_op (op), [ t1'; t2' ])
*)
    | JCArelation(t1,(_, #native_operator_type as op),t2) ->
(* 	if Jc_options.debug then printf "%a@." Jc_output.assertion a; *)
        let t1' = ft t1 in
        let t2' = ft t2 in
        let ty = native_operator_type op in
        LPred(pred_bin_op (op :> pred_bin_op),
              [ term_coerce t1#pos ty t1#typ t1 t1';
                term_coerce t2#pos ty t2#typ t2 t2' ])
    | JCAapp app ->
        let f = app.jc_app_fun in
        let args =
	  List.fold_right (fun arg acc -> (ft arg) :: acc) app.jc_app_args []
        in
        let args =
          try List.map2 (fun e e' -> (e,e')) app.jc_app_args args
          with Invalid_argument _ -> assert false
        in
        let args =
          try
            List.map2
              (fun v (t,t') -> term_coerce t#pos v.jc_var_info_type t#typ t t')
              f.jc_logic_info_parameters args
          with Invalid_argument _ ->
            eprintf "fun = %s, len pars = %d, len args' = %d@."
              f.jc_logic_info_name
              (List.length f.jc_logic_info_parameters)
              (List.length args);
            assert false
        in
	let label_assoc =
	  if relocate then
	    let relab (lab1,lab2) =
	      (lab1, if lab2 = LabelHere then lab else lab2)
	    in
	    (LabelHere,lab) :: List.map relab app.jc_app_label_assoc
	  else app.jc_app_label_assoc
	in
        make_logic_pred_call
	  ~label_in_name:global_assertion
	  ~region_assoc:app.jc_app_region_assoc
	  ~label_assoc:label_assoc
	  f args
    | JCAquantifier(Forall,v,trigs,a1) ->
        LForall(v.jc_var_info_final_name,
                tr_var_base_type v,
                triggers fa ft trigs,
                fa a1)
    | JCAquantifier(Exists,v,trigs, a1) ->
        LExists(v.jc_var_info_final_name,
                tr_var_base_type v,
                triggers fa ft trigs,
                fa a1)
    | JCAold a1 ->
	let lab = if relocate && oldlab = LabelHere then lab else oldlab in
	assertion ~type_safe ~global_assertion ~relocate lab oldlab a1
    | JCAat(a1,lab') ->
	let lab = if relocate && lab' = LabelHere then lab else lab' in
	assertion ~type_safe ~global_assertion ~relocate lab oldlab a1
    | JCAfresh t1 ->
	let ac = tderef_alloc_class ~type_safe t1 in
	let lab = if relocate && oldlab = LabelHere then lab else oldlab in
	let _,alloc =
	  talloc_table_var ~label_in_name:global_assertion lab (ac,t1#region)
	in
        let valid =
	  begin match ac with
	    | JCalloc_root _ ->
              let f = "valid" in
              let t1' = ft t1 in
              LPred(f,[alloc; t1' ])
	    | JCalloc_bitvector ->
              let f = "valid_bytes" in
              let t1' = ft t1 in
              LPred(f,[ alloc; t1'])
	  end
        in
        LNot valid
    | JCAbool_term t1 ->
        let t1' = ft t1 in
        LPred("eq",[ t1'; LConst(Prim_bool true) ])
    | JCAinstanceof(t1,lab',st) ->
	let lab = if relocate && lab' = LabelHere then lab else lab' in
        let t1' = ft t1 in
	let tag =
	  ttag_table_var ~label_in_name:global_assertion lab
	    (struct_root st,t1#region)
	in
        LPred("instanceof",[ tag; t1'; LVar (tag_name st) ])
    | JCAmutable(te, st, ta) ->
        let te' = ft te in
        let tag = ftag ta in
        let mutable_field = LVar (mutable_name (JCtag(st, []))) in
        LPred("eq", [ LApp("select", [ mutable_field; te' ]); tag ])
    | JCAeqtype(tag1,tag2,_st_opt) ->
        let tag1' = ftag tag1 in
        let tag2' = ftag tag2 in
        LPred("eq", [ tag1'; tag2' ])
    | JCAsubtype(tag1,tag2,_st_opt) ->
        let tag1' = ftag tag1 in
        let tag2' = ftag tag2 in
        LPred("subtag", [ tag1'; tag2' ])
    | JCAlet(vi,t,p) ->
	LLet(vi.jc_var_info_final_name,ft t, fa p)
    | JCAmatch(arg, pal) ->
        let arg' = ft arg in
        (* TODO: use a temporary variable for arg' *)
        let pal', _ = pattern_list_assertion fa arg' arg#typ
          pal LTrue in
        pal'
  in
  let a' = bind_pattern_lets a' in
  if a#mark = "" then a' else LNamed(reg_check ~mark:a#mark a#pos, a')

and triggers fa ft trigs =
  let pat = function
    | JCAPatT t -> LPatT (ft t)
    | JCAPatP a -> LPatP (fa a) in
  List.map (List.map pat) trigs

let mark_assertion pos a' =
  match a' with
    | LNamed _ -> a'
    | _ -> LNamed(reg_check pos, a')

let named_assertion ~type_safe ~global_assertion ~relocate lab oldlab a =
  let a' =
    assertion ~type_safe ~global_assertion ~relocate lab oldlab a
  in
  mark_assertion a#pos a'


(******************************************************************************)
(*                                  Locations                                 *)
(******************************************************************************)

let rec pset ~type_safe ~global_assertion before loc =
  let fpset = pset ~type_safe ~global_assertion before in
  let ft = term ~type_safe ~global_assertion ~relocate:false before before in
  let term_coerce = term_coerce ~type_safe ~global_assertion before in
  match loc#node with
    | JCLSderef(locs,lab,fi,_r) ->
        let m = tmemory_var ~label_in_name:global_assertion lab
	  (JCmem_field fi,locs#region) in
        (*begin
          match locs#node with
              (* reduce the pset_deref of a singleton *)
            | JCLSvar vi ->
                let v = tvar ~label_in_name:global_assertion before vi in
                LApp("pset_singleton",[LApp("select", [m;v])])
            | _ ->*) LApp("pset_deref", [m;fpset locs])
        (*end*)
    | JCLSvar vi ->
        let m = tvar ~label_in_name:global_assertion before vi in
        LApp("pset_singleton", [m])
    | JCLSrange(ls,None,None) ->
        let ls = fpset ls in
        LApp("pset_all", [ls])
    | JCLSrange(ls,None,Some b) ->
        let ls = fpset ls in
        let b' = ft b in
        LApp("pset_range_left",
             [ls;
              term_coerce b#pos integer_type b#typ b b'])
    | JCLSrange(ls,Some a,None) ->
        let ls = fpset ls in
        let a' = ft a in
        LApp("pset_range_right",
             [ls;
              term_coerce a#pos integer_type a#typ a a'])
    | JCLSrange(ls,Some a,Some b) ->
        let ls = fpset ls in
        let a' = ft a in
        let b' = ft b in
        LApp("pset_range",
             [ls;
              term_coerce a#pos integer_type a#typ a a';
              term_coerce b#pos integer_type b#typ b b'])
    | JCLSrange_term(ls,None,None) ->
        let ls = LApp("pset_singleton",[ ft ls ]) in
        LApp("pset_all", [ls])
    | JCLSrange_term(ls,None,Some b) ->
        let ls = LApp("pset_singleton",[ ft ls ]) in
        let b' = ft b in
        LApp("pset_range_left",
             [ls;
              term_coerce b#pos integer_type b#typ b b'])
    | JCLSrange_term(ls,Some a,None) ->
        let ls = LApp("pset_singleton",[ ft ls ]) in
        let a' = ft a in
        LApp("pset_range_right",
             [ls;
              term_coerce a#pos integer_type a#typ a a'])
    | JCLSrange_term(ls,Some a,Some b) ->
        let ls = LApp("pset_singleton",[ ft ls ]) in
        let a' = ft a in
        let b' = ft b in
        LApp("pset_range",
             [ls;
              term_coerce a#pos integer_type a#typ a a';
              term_coerce b#pos integer_type b#typ b b'])
    | JCLSat(locs,_) -> fpset locs

let rec collect_locations ~type_safe ~global_assertion before (refs,mems) loc =
(*
  let ft = term ~type_safe ~global_assertion ~relocate:false before before in
*)
  match loc#node with
    | JCLderef(e,lab,fi,_fr) ->
        let iloc = pset ~type_safe ~global_assertion lab e in
        let mc =
(*           if field_of_union fi then FVvariant (union_of_field fi) else *)
	  JCmem_field fi
        in
        let l =
          try
            let l = MemoryMap.find (mc,location_set_region e) mems in
            iloc::l
          with Not_found -> [iloc]
        in
        (refs, MemoryMap.add (mc,location_set_region e) l mems)
    | JCLderef_term(_t1,_fi) ->
	assert false
(*
        let iloc = LApp("pset_singleton",[ ft t1 ]) in
        let mc = JCmem_field fi in
        let l =
          try
            let l = MemoryMap.find (mc,t1#region) mems in
            iloc::l
          with Not_found -> [iloc]
        in
        (refs, MemoryMap.add (mc,t1#region) l mems)
*)
    | JCLvar vi ->
        let var = vi.jc_var_info_final_name in
        (StringMap.add var true refs,mems)
    | JCLat(loc,_lab) ->
        collect_locations ~type_safe ~global_assertion before (refs,mems) loc

let rec collect_pset_locations ~type_safe ~global_assertion loc =
  let ft = term ~type_safe ~global_assertion ~relocate:false in
  match loc#node with
    | JCLderef(e,lab,_fi,_fr) ->
        pset ~type_safe ~global_assertion lab e
    | JCLderef_term(t1,_fi) ->
	let lab = match t1#label with Some l -> l | None -> assert false in
	LApp("pset_singleton",[ ft lab lab t1 ])
    | JCLvar _vi ->
	LVar "pset_empty"
    | JCLat(loc,_lab) ->
        collect_pset_locations ~type_safe ~global_assertion loc

let assigns ~type_safe ?region_list before ef locs loc =
  match locs with
    | None -> LTrue
    | Some locs ->
  let refs =
    (* HeapVarSet.fold
            (fun v m ->
               if Ceffect.is_alloc v then m
               else StringMap.add (heap_var_name v) (Reference false) m)
            assigns.Ceffect.assigns_var
    *)
    VarMap.fold
      (fun v _labs m -> StringMap.add v.jc_var_info_final_name false m)
      ef.jc_writes.jc_effect_globals StringMap.empty
  in
  let mems =
    MemoryMap.fold
      (fun (fi,r) _labs acc ->
	 if (* TODO: bug some assigns \nothing clauses are not translated e.g. in Purse.java (perhaps when no region is used). The first test resolve the problem but may hide another bug : What must be region_list when --no-region is used? *)
	   !Jc_options.separation_sem = SepNone || Option_misc.map_default (RegionList.mem r) true region_list then
	   begin
(*
	     eprintf "ASSIGNS FOR FIELD %s@."
	       (match fi with JCmem_field f -> f.jc_field_info_name
		  | _ -> "??");
*)
             MemoryMap.add (fi,r) [] acc
	   end
	 else
	   begin
(*
	     eprintf "IGNORING ASSIGNS FOR FIELD %s@."
	       (match fi with JCmem_field f -> f.jc_field_info_name
		  | _ -> "??");
*)
             MemoryMap.add (fi,r) [] acc
	   end
      ) ef.jc_writes.jc_effect_memories MemoryMap.empty
  in
  let refs,mems =
    List.fold_left (collect_locations ~type_safe ~global_assertion:false before) (refs,mems) locs
  in
  let a =
    StringMap.fold
      (fun v p acc ->
        if p then acc else
          make_and acc (LPred("eq", [LVar v; lvar ~constant:false (* <<- CHANGE THIS *) ~label_in_name:false before v])))
      refs LTrue
  in
  MemoryMap.fold
    (fun (mc,r) p acc ->
       let v = memory_name(mc,r) in
       let ac = alloc_class_of_mem_class mc in
       let _,alloc = talloc_table_var ~label_in_name:false before (ac,r) in

       make_and acc
	 (let a = LPred("not_assigns",
                [alloc;
                 lvar ~constant:false (* <<- CHANGE THIS *)
                   ~label_in_name:false before v;
                 LDeref v; location_list' p]) in
	  LNamed(reg_check loc,a))
    ) mems a

let reads ~type_safe ~global_assertion locs (mc,r) =
  let refs = StringMap.empty
  in
  let mems = MemoryMap.empty
  in
  let _refs,mems =
    List.fold_left (collect_locations ~type_safe ~global_assertion LabelOld) (refs,mems) locs
  in
  let p = try MemoryMap.find (mc,r) mems with Not_found -> [] in
  location_list' p


(******************************************************************************)
(*                                Expressions                                 *)
(******************************************************************************)

let bounded lb rb s =
  let n = Num.num_of_int s in Num.le_num lb n && Num.le_num n rb

let lbounded lb s =
  let n = Num.num_of_int s in Num.le_num lb n

let rbounded rb s =
  let n = Num.num_of_int s in Num.le_num n rb

let rec const_int_term t =
  match t # node with
    | JCTconst (JCCinteger s) -> Some (Numconst.integer s)
    | JCTvar vi ->
	begin
	  try
	    let _, init =
	      Jc_stdlib.Hashtbl.find
		Jc_typing.logic_constants_table
		vi.jc_var_info_tag
	    in
	      const_int_term init
	  with Not_found -> None
	end
    | JCTapp app ->
	begin
	  try
	    let _, init =
	      Jc_stdlib.Hashtbl.find
		Jc_typing.logic_constants_table
		app.jc_app_fun.jc_logic_info_tag
	    in
	      const_int_term init
	  with Not_found -> None
	end
    | JCTunary (uop, t) ->
	let no = const_int_term t in
	  Option_misc.fold
	    (fun n _ -> match uop with
	       | `Uminus, `Integer -> Some (Num.minus_num n)
	       | _ -> None)
	    no None
    | JCTbinary (t1, bop, t2) ->
	let no1 = const_int_term t1 in
	let no2 = const_int_term t2 in
	  begin match no1, no2 with
	    | Some n1, Some n2 ->
		begin match bop with
		  | `Badd, `Integer -> Some (n1 +/ n2)
		  | `Bsub, `Integer -> Some (n1 -/ n2)
		  | `Bmul, `Integer -> Some (n1 */ n2)
		  | `Bdiv, `Integer ->
		      let n = n1 // n2 in
			if Num.is_integer_num n then
			  Some n
			else
			  None
		  | `Bmod, `Integer -> Some (Num.mod_num n1 n2)
		  | _ -> None
		end
	    | _ -> None
	  end
    | JCTrange_cast (t, _) -> const_int_term t
    | JCTconst _ | JCTshift _ | JCTderef _
    | JCTold _ | JCTat _
    | JCToffset _ | JCTaddress _ | JCTinstanceof _ | JCTbase_block _
    | JCTreal_cast _ | JCTif _ | JCTrange _
    | JCTcast _ | JCTmatch _ | JCTlet _ | JCTbitwise_cast _ ->
	assert false

let rec const_int_expr e =
  match e # node with
    | JCEconst (JCCinteger s) -> Some (Numconst.integer s)
    | JCEvar vi ->
	begin
	  try
	    let _, init =
	      Jc_stdlib.Hashtbl.find
		Jc_typing.logic_constants_table
		vi.jc_var_info_tag
	    in
	      const_int_term init
	  with Not_found -> None
	end
    | JCEapp call ->
	begin match call.jc_call_fun with
	  | JClogic_fun li ->
	      begin
		try
		  let _, init =
		    Jc_stdlib.Hashtbl.find
		      Jc_typing.logic_constants_table
		      li.jc_logic_info_tag
		  in
		    const_int_term init
		with Not_found -> None
	      end
	  | JCfun _ -> None
	end
    | JCErange_cast (e, _) -> const_int_expr e
    | JCEunary (uop, e) ->
	let no = const_int_expr e in
	  Option_misc.fold
	    (fun n _ -> match uop with
	       | `Uminus, `Integer -> Some (Num.minus_num n)
	       | _ -> None)
	    no None
    | JCEbinary (e1, bop, e2) ->
	let no1 = const_int_expr e1 in
	let no2 = const_int_expr e2 in
	  begin match no1, no2 with
	    | Some n1, Some n2 ->
		begin match bop with
		  | `Badd, `Integer -> Some (n1 +/ n2)
		  | `Bsub, `Integer -> Some (n1 -/ n2)
		  | `Bmul, `Integer -> Some (n1 */ n2)
		  | `Bdiv, `Integer ->
		      let n = n1 // n2 in
			if Num.is_integer_num n then
			  Some n
			else
			  None
		  | `Bmod, `Integer -> Some (Num.mod_num n1 n2)
		  | _ -> None
		end
	    | _ -> None
	  end
    | JCEderef _ | JCEoffset _ | JCEbase_block _
    | JCEaddress _ | JCElet _ | JCEassign_var _
    | JCEassign_heap _ ->
	None
    | JCEif _ ->
	None (* TODO *)
    | JCEconst _ | JCEinstanceof _ | JCEreal_cast _
    | JCEalloc _ | JCEfree _ | JCEassert _
    | JCEcontract _ | JCEblock _ | JCEloop _
    | JCEreturn_void | JCEreturn _ | JCEtry _
    | JCEthrow _ | JCEpack _ | JCEunpack _
    | JCEcast _ | JCEmatch _ | JCEshift _
    | JCEbitwise_cast _ | JCEfresh _ ->
	assert false

let destruct_pointer e =
  let ptre, off = match e # node with
    | JCEshift (e1, e2) ->
	e1,
	(match const_int_expr e2 with
	   | Some n -> Int_offset (Num.int_of_num n)
           | None -> Expr_offset e2)
    | _ -> e, Int_offset 0
  in
    match ptre # typ with
      | JCTpointer (_, lb, rb) -> ptre, off, lb, rb
      | _ -> assert false

let rec make_lets l e =
  match l with
    | [] -> e
    | (tmp,a)::l -> mk_expr (Let(tmp,a,make_lets l e))

let old_to_pre = function
  | LabelOld -> LabelPre
  | lab -> lab

let old_to_pre_term =
  Jc_iterators.map_term
    (fun t -> match t#node with
       | JCTold t'
       | JCTat(t',LabelOld) ->
	   new term_with
	     ~node:(JCTat(t',LabelPre)) t
       | JCTderef(t',LabelOld,fi) ->
	   new term_with
	     ~node:(JCTderef(t',LabelPre,fi)) t
       | _ -> t)

let rec old_to_pre_lset lset =
  match lset#node with
    | JCLSvar _ -> lset
    | JCLSderef(lset,lab,fi,_region) ->
	new location_set_with
          ~typ:lset#typ
	  ~node:(JCLSderef(old_to_pre_lset lset, old_to_pre lab, fi, lset#region))
	  lset
    | JCLSrange(lset,t1,t2) ->
	new location_set_with
          ~typ:lset#typ
	  ~node:(JCLSrange(old_to_pre_lset lset,
			   Option_misc.map old_to_pre_term t1,
			   Option_misc.map old_to_pre_term t2))
	  lset
    | JCLSrange_term(lset,t1,t2) ->
	new location_set_with
          ~typ:lset#typ
	  ~node:(JCLSrange_term(old_to_pre_term lset,
				Option_misc.map old_to_pre_term t1,
				Option_misc.map old_to_pre_term t2))
	  lset
    | JCLSat(lset,lab) ->
	new location_set_with
          ~typ:lset#typ
	  ~node:(JCLSat(old_to_pre_lset lset,old_to_pre lab))
	  lset

let rec old_to_pre_loc loc =
  match loc#node with
    | JCLvar _ -> loc
    | JCLat(l,lab) ->
	new location_with
          ~typ:loc#typ
	  ~node:(JCLat(old_to_pre_loc l, old_to_pre lab))
	  loc
    | JCLderef(lset,lab,fi,_region) ->
	new location_with
          ~typ:loc#typ
	  ~node:(JCLderef(old_to_pre_lset lset,old_to_pre lab, fi, lset#region))
	  loc
    | JCLderef_term(t1,fi) ->
	new location_with
          ~typ:loc#typ
	  ~node:(JCLderef_term(old_to_pre_term t1,fi))
	  loc

let assumption al a' =
  let ef = List.fold_left Jc_effect.assertion empty_effects al in
  let read_effects =
    local_read_effects ~callee_reads:ef ~callee_writes:empty_effects
  in
  mk_expr (BlackBox(Annot_type(LTrue, unit_type, read_effects, [], a', [])))

let check al a' =
  let ef = List.fold_left Jc_effect.assertion empty_effects al in
  let read_effects =
    local_read_effects ~callee_reads:ef ~callee_writes:empty_effects
  in
  mk_expr (BlackBox(Annot_type(a', unit_type, read_effects, [], LTrue, [])))

(* decreases clauses: stored in global table for later use at each call sites *)

let decreases_clause_table = Hashtbl.create 17

let term_zero = new term ~typ:integer_type (JCTconst(JCCinteger "0"))

let dummy_measure = (term_zero, None)

let get_measure_for f =
  match !Jc_options.termination_policy with
    | TPalways ->
        (try
          Hashtbl.find decreases_clause_table (f.jc_fun_info_tag)
        with Not_found ->
          Hashtbl.add decreases_clause_table (f.jc_fun_info_tag) dummy_measure;
          eprintf
            "Warning: generating dummy decrease variant for recursive \
             function %s. Please provide a real variant or set \
             termination policy to user or never\n%!" f.jc_fun_info_name;
          dummy_measure)
    | TPuser ->
        (try
          Hashtbl.find decreases_clause_table (f.jc_fun_info_tag)
         with Not_found -> raise Exit)
    | TPnever -> raise Exit




(* Translate the heap update `e1.fi = tmp2'

   essentially we want

   let tmp1 = [e1] in
   fi := upd(fi,tmp1,tmp2)

   special cases are considered to avoid statically known safety properties:
   if e1 has the form p + i then we build

   let tmpp = p in
   let tmpi = i in
   let tmp1 = shift(tmpp, tmpi) in
    // depending on type of p and value of i
   ...
*)
(*
let rec make_upd_simple mark pos e1 fi tmp2 =
  (* Temporary variables to avoid duplicating code *)
  let tmpp = tmp_var_name () in
  let tmpi = tmp_var_name () in
  let tmp1 = tmp_var_name () in
  (* Define memory and allocation table *)
  let mc,_ufi_opt = deref_mem_class ~type_safe:false e1 fi in
  let mem = plain_memory_var (mc,e1#region) in
  let ac = alloc_class_of_mem_class mc in
  let alloc = alloc_table_var (ac,e1#region) in
  let lets, e' =
    if safety_checking () then
      let p,off,lb,rb = destruct_pointer e1 in
      let p' = expr p in
      let i' = offset off in
      let letspi =
	[ (tmpp,p') ; (tmpi,i') ;
	  (tmp1,make_app "shift" [Var tmpp; Var tmpi])]
      in
      match off, lb, rb with
	| Int_offset s, Some lb, Some rb when bounded lb rb s ->
            let e1' = expr e1 in
	    [ (tmp1, e1') ],
            make_app "safe_upd_" [ mem; Var tmp1; Var tmp2 ]
	| Int_offset s, Some lb, _ when lbounded lb s ->
	    letspi,
            make_guarded_app ~mark IndexBounds pos "lsafe_lbound_upd_"
              [ alloc; mem; Var tmpp; Var tmpi; Var tmp2 ]
	| Int_offset s, _, Some rb when rbounded rb s ->
	    letspi,
            make_guarded_app ~mark IndexBounds pos "rsafe_rbound_upd_"
              [ alloc; mem; Var tmpp; Var tmpi; Var tmp2 ]
	| Int_offset s, None, None when s = 0 ->
	    [ (tmp1, p') ],
            make_guarded_app ~mark PointerDeref pos "upd_"
              [ alloc; mem ; Var tmp1; Var tmp2 ]
	| _ ->
	    letspi,
            make_guarded_app ~mark PointerDeref pos "offset_upd_"
              [ alloc; mem ; Var tmpp; Var tmpi; Var tmp2 ]
    else
      let e1' = expr e1 in
      [ (tmp1,e1') ],
      make_app "safe_upd_" [ mem; Var tmp1; Var tmp2 ]
  in
  tmp1, lets, e'
*)



let rec make_upd_simple mark pos e1 fi tmp2 =
  (* Temporary variables to avoid duplicating code *)
  let tmpp = tmp_var_name () in
(*
  eprintf "make_upd_simple: tmp_var_name for tmpp is %s@." tmpp;
*)
  let tmpi = tmp_var_name () in
(*
  eprintf "make_upd_simple: tmp_var_name for tmpi is %s@." tmpi;
*)
  let tmp1 = tmp_var_name () in
(*
  eprintf "make_upd_simple: tmp_var_name for tmp1 is %s@." tmp1;
*)
  (* Define memory and allocation table *)
  let mc,_ufi_opt = deref_mem_class ~type_safe:false e1 fi in
  let mem = match (plain_memory_var (mc,e1#region)).expr_node with
    | Var v -> v
    | _ -> assert false
  in
  let ac = alloc_class_of_mem_class mc in
(*
  let alloc_var = alloc_table_name (ac,e1#region) in
*)
  let alloc = alloc_table_var (ac,e1#region) in
  let is_ref,talloc = talloc_table_var ~label_in_name:true LabelHere (ac,e1#region) in
  let p,off,lb,rb = destruct_pointer e1 in
  let p' = expr p in
  let i' = offset off in
  let letspi =
    [ (tmpp,p') ; (tmpi,i') ;
      (tmp1,make_app "shift" [mk_var tmpp; mk_var tmpi])]
  in
  try
    let s,b1,b2 =
      match off, lb, rb with
        | Int_offset s, Some lb, Some rb when bounded lb rb s ->
            (*
              make_app "safe_upd_" [ mem; mk_var tmp1; mk_var tmp2 ]
            *)
            s,true,true
        | Int_offset s, Some lb, _ when lbounded lb s ->
	    (*
              make_guarded_app ~mark IndexBounds pos "lsafe_lbound_upd_"
              [ alloc; mem; mk_var tmpp; mk_var tmpi; mk_var tmp2 ]
            *)
            s, true, false
        | Int_offset s, _, Some rb when rbounded rb s ->
	    (*
              make_guarded_app ~mark IndexBounds pos "rsafe_rbound_upd_"
              [ alloc; mem; mk_var tmpp; mk_var tmpi; mk_var tmp2 ]
            *)
            s, false, true
              (*
	        | Int_offset s, None, None when int_of_string s = 0 ->
	        [ (tmp1, p') ],
              (*
                make_guarded_app ~mark PointerDeref pos "upd_"
                [ alloc; mem ; mk_var tmp1; mk_var tmp2 ]
              *)
                Upd(alloc, mem , mk_var tmp1, mk_var tmp2)
              *)
        | Int_offset s, None, None ->
	    (*
              make_guarded_app ~mark PointerDeref pos "upd_"
              [ alloc; mem ; mk_var tmp1; mk_var tmp2 ]
            *)
            s, false, false
        | _ ->
            raise Exit
    in
(*    Format.eprintf "found constant update let %s = %a in (%s + %d).%s = ...@." tmpp Output.fprintf_expr p' tmpp s mem;
*)
    let letspi = if s = 0 then [ (tmpp,p') ] else letspi in
    tmp1, [],
    mk_expr (MultiAssign(mark,pos,letspi, is_ref, talloc, alloc, tmpp, p', mem, [s, b1, b2, tmp2]))
 with Exit ->
   tmp1,letspi,
   if (safety_checking()) then
     make_guarded_app ~mark PointerDeref pos "offset_upd_"
	       [ alloc; mk_var mem ; mk_var tmpp; mk_var tmpi; mk_var tmp2 ]
   else
     make_app "safe_upd_" [ mk_var mem; mk_var tmp1; mk_var tmp2 ]


and make_upd_union mark pos off e1 fi tmp2 =
  let e1' = expr e1 in
  (* Convert value assigned into bitvector *)
  let e2' = match fi.jc_field_info_type with
    | JCTenum ri -> make_app (logic_bitvector_of_enum ri) [mk_var tmp2]
    | JCTnative Tinteger -> make_app logic_bitvector_of_integer [mk_var tmp2]
    | JCTnative _ -> assert false (* TODO ? *)
    | JCTtype_var _ -> assert false (* TODO ? *)
    | JCTpointer (_, _, _) -> assert false (* TODO ? *)
    | JCTlogic _ -> assert false (* TODO ? *)
    | JCTany -> assert false (* TODO ? *)
    | JCTnull -> assert false (* TODO ? *)
  in
  (* Temporary variables to avoid duplicating code *)
  let tmp1 = tmp_var_name () in
  let tmp2 = tmp_var_name () in
  let v1 = Jc_pervasives.var e1#typ tmp1 in
  let e1 = new expr_with ~node:(JCEvar v1) e1 in
  let size =
    match fi.jc_field_info_bitsize with
      | Some x -> x / 8
      | None -> assert false
  in
  let union_size =
    (union_type e1#typ).jc_root_info_union_size_in_bytes
  in
  let e2' =
    if size = union_size then
      (* TODO: deal with offset which should be null *)
      e2'
    else
      (* Retrieve bitvector for access to union *)
      let deref = make_deref_simple mark pos e1 fi in
      (* Replace subpart of bitvector for specific subfield *)
      let off = match off with
	| Int_offset s -> s
	| _ -> assert false (* TODO *)
      in
      let off = string_of_int off and size = string_of_int size in
      make_app "replace_bytes"
	[ deref; mk_expr (Cte(Prim_int off)); mk_expr (Cte(Prim_int size)); e2' ]
  in
  let lets = [ (tmp1,e1'); (tmp2,e2') ] in
  let tmp1, lets', e' = make_upd_simple mark pos e1 fi tmp2 in
  tmp1, lets @ lets', e'

and make_upd_bytes mark pos e1 fi tmp2 =
  let e1' = expr e1 in
  (* Convert value assigned into bitvector *)
  let e2' = match fi.jc_field_info_type with
    | JCTenum ri -> make_app (logic_bitvector_of_enum ri) [mk_var tmp2]
    | _ty -> assert false (* TODO *)
  in
  (* Temporary variables to avoid duplicating code *)
  let tmp1 = tmp_var_name () in
  let v1 = Jc_pervasives.var e1#typ tmp1 in
  let e1 = new expr_with ~node:(JCEvar v1) e1 in
  (* Define memory and allocation table *)
  let mem = plain_memory_var (JCmem_bitvector,e1#region) in
  let alloc = alloc_table_var (JCalloc_bitvector,e1#region) in
  (* Store bitvector *)
  let off =
    match field_offset_in_bytes fi with
      | Some x -> x
      | None -> assert false
  in
  let size =
    match fi.jc_field_info_bitsize with
      | Some x ->  x / 8
      | None -> assert false
  in
  let off = string_of_int off and size = string_of_int size in
  let e' =
    if safety_checking () then
      make_guarded_app ~mark PointerDeref pos "upd_bytes_"
        [ alloc; mem; mk_var tmp1;
          mk_expr (Cte(Prim_int off)); mk_expr (Cte(Prim_int size));
	  mk_var tmp2 ]
    else
      make_app "safe_upd_bytes_"
	[ mem; mk_var tmp1; mk_expr (Cte(Prim_int off));
          mk_expr (Cte(Prim_int size)); mk_var tmp2 ]
  in
  let lets = [ (tmp1,e1'); (tmp2,e2') ] in
  tmp1, lets, e'

and make_upd mark pos e1 fi e2 =
  (* Value assigned stored in temporary at that point *)
  let v2 = match e2#node with JCEvar v2 -> v2 | _ -> assert false in
  let tmp2 = v2.jc_var_info_name in
  (* Dispatch depending on kind of memory *)
  let mc,ufi_opt = deref_mem_class ~type_safe:false e1 fi in
  match mc,ufi_opt with
    | JCmem_field fi', None ->
	assert (fi.jc_field_info_tag = fi'.jc_field_info_tag);
	make_upd_simple mark pos e1 fi tmp2
    | JCmem_field fi', Some ufi ->
	assert (fi.jc_field_info_tag = fi'.jc_field_info_tag);
        let tmp1, lets, e1' = make_upd_simple mark pos e1 fi tmp2 in
	let mems = overlapping_union_memories ufi in
	let ef =
	  List.fold_left
	    (fun ef mc -> add_memory_effect LabelHere ef (mc,e1#region))
	    empty_effects mems
	in
	let write_effects =
	  local_write_effects ~callee_reads:empty_effects ~callee_writes:ef
	in
	let e2' =
	  mk_expr(BlackBox(Annot_type(LTrue, unit_type, [], write_effects, LTrue, [])) )
	in
	tmp1, lets, append e1' e2'
    | JCmem_plain_union _vi, _ ->
	let e1,off = destruct_union_access e1 (Some fi) in
	make_upd_union mark pos off e1 fi tmp2
    | JCmem_bitvector, _ ->
	make_upd_bytes mark pos e1 fi tmp2

(* Translate the heap access `e.fi'

   special cases are considered to avoid statically known safety properties:
   if e1 has the form p + i then we build an access that depends on the
   type of p and the value of i
*)
and make_deref_simple mark pos e fi =
  (* Define memory and allocation table *)
  let mc,_ufi_opt = deref_mem_class ~type_safe:false e fi in
  let mem = memory_var (mc,e#region) in
  let ac = alloc_class_of_mem_class mc in
  let alloc = alloc_table_var (ac,e#region) in
  let e' =
    if safety_checking() then
      match destruct_pointer e with
	| _, Int_offset s, Some lb, Some rb when bounded lb rb s ->
            make_app "safe_acc_"
              [ mem ; expr e ]
	| p, (Int_offset s as off), Some lb, _ when lbounded lb s ->
            make_guarded_app ~mark IndexBounds pos "lsafe_lbound_acc_"
              [ alloc; mem; expr p; offset off ]
	| p, (Int_offset s as off), _, Some rb when rbounded rb s ->
            make_guarded_app ~mark IndexBounds pos "rsafe_rbound_acc_"
              [ alloc; mem; expr p; offset off ]
	| p, Int_offset s, None, None when s = 0 ->
            make_guarded_app ~mark PointerDeref pos "acc_"
              [ alloc; mem ; expr p ]
	| p, off, _, _ ->
            make_guarded_app ~mark PointerDeref pos "offset_acc_"
              [ alloc; mem ; expr p; offset off ]
    else
      make_app "safe_acc_" [ mem; expr e ]
  in e'

and make_deref_union mark pos off e fi =
  (* Retrieve bitvector *)
  let e' = make_deref_simple mark pos e fi in
  (* Retrieve subpart of bitvector for specific subfield *)
  let off = match off with
    | Int_offset s -> s
    | _ -> assert false (* TODO *)
  in
  let size =
    match fi.jc_field_info_bitsize with
      | Some x -> x / 8
      | None -> assert false
  in
  let off = string_of_int off and size = string_of_int size in
  let e' =
    make_app "extract_bytes" [ e'; mk_expr (Cte(Prim_int off)); mk_expr(Cte(Prim_int size)) ]
  in
  (* Convert bitvector into appropriate type *)
  match fi.jc_field_info_type with
    | JCTenum ri -> make_app (logic_enum_of_bitvector ri) [e']
    | _ty -> assert false (* TODO *)

and make_deref_bytes mark pos e fi =
  (* Define memory and allocation table *)
  let mem = memory_var (JCmem_bitvector,e#region) in
  let alloc = alloc_table_var (JCalloc_bitvector,e#region) in
  (* Retrieve bitvector *)
  let off =
    match field_offset_in_bytes fi with
      | Some x -> x
      | None -> assert false
  in
  let size =
    match fi.jc_field_info_bitsize with
      | Some x ->  x / 8
      | None -> assert false
  in
  let off = string_of_int off and size = string_of_int size in
  let e' =
    if safety_checking () then
      make_guarded_app ~mark PointerDeref pos "acc_bytes_"
        [ alloc; mem; expr e; mk_expr (Cte(Prim_int off));
          mk_expr (Cte(Prim_int size)) ]
    else
      make_app "safe_acc_bytes_"
	[ mem; expr e; mk_expr (Cte(Prim_int off));
          mk_expr (Cte(Prim_int size)) ]
  in
  (* Convert bitvector into appropriate type *)
  match fi.jc_field_info_type with
    | JCTenum ri -> make_app (logic_enum_of_bitvector ri) [e']
    | JCTnative t ->
	begin
	  match t with
	    | Treal  ->
		unsupported pos "bit-dependent cast over real numbers"
	    | Tgenfloat _ ->
		unsupported pos "bit-dependent cast over floating-point values"
	    | Tstring ->
		unsupported pos "bit-dependent cast over strings"
	    | Tinteger ->
		unsupported pos "bit-dependent cast over integers"
	    | Tboolean ->
		unsupported pos "bit-dependent cast over booleans"
	    | Tunit  ->
		unsupported pos "bit-dependent cast over type unit"
	end
    | JCTtype_var _ -> assert false (* TODO *)
    | JCTpointer (_, _, _) -> assert false (* TODO *)
    | JCTlogic _ -> assert false (* TODO *)
    | JCTany -> assert false (* TODO *)
    | JCTnull -> assert false (* TODO *)

(*
    | ty ->
	Format.eprintf "%a@." print_type ty;
	assert false (* TODO *)
*)

and make_deref mark pos e1 fi =
  (* Dispatch depending on kind of memory *)
  let mc,_uif_opt = deref_mem_class ~type_safe:false e1 fi in
  match mc with
    | JCmem_field _ ->
	make_deref_simple mark pos e1 fi
    | JCmem_plain_union _vi ->
	let e1,off = destruct_union_access e1 (Some fi) in
	make_deref_union mark pos off e1 fi
    | JCmem_bitvector ->
	make_deref_bytes mark pos e1 fi

and offset = function
  | Int_offset s -> mk_expr (Cte (Prim_int (string_of_int s)))
  | Expr_offset e ->
      coerce ~check_int_overflow:(safety_checking())
        e#mark e#pos integer_type e#typ e
        (expr e)
  | Term_offset _ -> assert false

and type_assert tmp ty e =
  let offset k e1 ty tmp =
    let ac = deref_alloc_class ~type_safe:false e1 in
    let _,alloc =
      talloc_table_var ~label_in_name:false LabelHere (ac,e1#region)
    in
    match ac with
      | JCalloc_root _ ->
          let f = match k with
	    | Offset_min -> "offset_min"
	    | Offset_max -> "offset_max"
          in
	  LApp(f,[alloc; LVar tmp])
      | JCalloc_bitvector ->
	  let st = pointer_struct ty in
          let f = match k with
	    | Offset_min -> "offset_min_bytes"
	    | Offset_max -> "offset_max_bytes"
          in
	  let s = string_of_int (struct_size_in_bytes st) in
	  LApp(f,[alloc; LVar tmp; LConst(Prim_int s)])
  in
  let a = match ty with
    | JCTpointer(_pc,n1o,n2o) ->
	let offset_mina n =
	  LPred ("le_int",
		 [offset Offset_min e ty tmp;
		  LConst (Prim_int (Num.string_of_num n))])
	in
	let offset_maxa n =
	  LPred ("ge_int",
		 [offset Offset_max e ty tmp;
		  LConst (Prim_int (Num.string_of_num n))])
	in
	begin match e#typ with
	  | JCTpointer (_si', n1o', n2o') ->
	      begin match n1o, n2o with
		| None, None -> LTrue
		| Some n, None ->
		    begin match n1o' with
		      | Some n' when Num.le_num n' n
                          && not Jc_options.verify_all_offsets
                          -> LTrue
		      | _ -> offset_mina n
		    end
		| None, Some n ->
		    begin match n2o' with
		      | Some n' when Num.ge_num n' n
                          && not Jc_options.verify_all_offsets
                          -> LTrue
		      | _ -> offset_maxa n
		    end
		| Some n1, Some n2 ->
		    begin match n1o', n2o' with
		      | None, None -> make_and (offset_mina n1) (offset_maxa n2)
		      | Some n1', None ->
			  if Num.le_num n1' n1 && not Jc_options.verify_all_offsets then
			    offset_maxa n2
			  else
			    make_and (offset_mina n1) (offset_maxa n2)
		      | None, Some n2' ->
			  if Num.ge_num n2' n2 && not Jc_options.verify_all_offsets then
			    offset_mina n1
			  else
			    make_and (offset_mina n1) (offset_maxa n2)
		      | Some n1', Some n2' ->
			  if Jc_options.verify_all_offsets then
			    make_and (offset_mina n1) (offset_maxa n2)
			  else
			    if Num.le_num n1' n1 then
			      if Num.ge_num n2' n2 then LTrue
                              else
				offset_maxa n2
			    else
			      if Num.ge_num n2' n2 then
				offset_mina n1
                              else
				make_and (offset_mina n1) (offset_maxa n2)
		    end
	      end
	  | JCTnull ->
	      begin match n1o, n2o with
		| None, None -> LTrue
		| Some n, None -> offset_mina n
		| None, Some n -> offset_maxa n
		| Some n1, Some n2 -> make_and (offset_mina n1) (offset_maxa n2)
	      end
	  | _ -> LTrue
	end
    | _ -> LTrue
  in
  (coerce ~check_int_overflow:(safety_checking())
    e#mark e#pos ty
    e#typ e (expr e),
   a)

and list_type_assert vi e (lets, params) =
  let ty = vi.jc_var_info_type in
  let tmp = tmp_var_name() (* vi.jc_var_info_name *) in
  let e,a = type_assert tmp ty e in
  (tmp, e, a) :: lets , (mk_var tmp) :: params

and value_assigned mark pos ty e =
    let tmp = tmp_var_name () in
    let e,a = type_assert tmp ty e in
    if a <> LTrue && safety_checking() then
      mk_expr (Let(tmp,e,make_check ~mark ~kind:IndexBounds pos
            (mk_expr (Assert(`ASSERT,a,mk_var tmp)))))
    else e

and expr e =
  let infunction = get_current_function () in
  let e' = match e#node with
    | JCEconst JCCnull -> mk_var "null"
    | JCEconst c -> mk_expr (Cte(const c))
    | JCEvar v -> var v
    | JCEunary((`Uminus,(`Double|`Float as format)),e2) ->
        let e2' = expr e2 in
        if !Jc_options.float_model <> FMmultirounding then
          make_guarded_app
            ~mark:e#mark FPoverflow e#pos
            ("neg_" ^ float_format format)
            [ e2' ]
        else
          make_guarded_app
            ~mark:e#mark FPoverflow e#pos
 	    (float_operator `Uminus format)
 	    [current_rounding_mode () ; e2' ]

    | JCEunary(op,e1) ->
        let e1' = expr e1 in
        make_app (unary_op op)
          [ coerce ~check_int_overflow:(safety_checking())
              e#mark e#pos (native_operator_type op) e1#typ e1 e1' ]
(*     | JCEbinary(e1,(`Bsub,`Pointer),e2) -> *)
(*         let e1' = make_app "address" [ expr e1 ] in *)
(*         let e2' = make_app "address" [ expr e2 ] in *)
(* 	let st = pointer_struct e1#typ in *)
(* 	let s = string_of_int (struct_size_in_bytes st) in *)
(*         make_app *)
(* 	  (bin_op (`Bdiv,`Integer)) *)
(* 	  [ make_app (bin_op (`Bsub,`Integer)) [ e1'; e2' ]; *)
(* 	    Cte(Prim_int s) ] *)
    | JCEbinary(e1,(_,(`Pointer | `Logic) as op),e2) ->
        let e1' = expr e1 in
        let e2' = expr e2 in
        make_app (bin_op op) [e1'; e2']
    | JCEbinary(e1,(`Bland,_),e2) ->
        let e1' = expr e1 in
        let e2' = expr e2 in
        (* lazy conjunction *)
        mk_expr (And(e1',e2'))
    | JCEbinary(e1,(`Blor,_),e2) ->
        let e1' = expr e1 in
        let e2' = expr e2 in
        (* lazy disjunction *)
        mk_expr (Or(e1',e2'))
    | JCEbinary(e1,(#arithmetic_op as op,(`Double|`Float|`Binary80 as format)),e2) ->
	let e1' = expr e1 in
        let e2' = expr e2 in
        make_guarded_app
	  ~mark:e#mark FPoverflow e#pos
	  (float_operator op format)
	  [current_rounding_mode () ; e1' ; e2' ]
    | JCEbinary(e1,(_,#native_operator_type as op),e2) ->
        let e1' = expr e1 in
        let e2' = expr e2 in
        let ty = native_operator_type op in
        let mk = match fst op with
          | `Bdiv | `Bmod -> make_guarded_app ~mark:e#mark DivByZero e#pos
          | _ -> make_app ?ty:None
	in
        mk (bin_op op)
          [coerce ~check_int_overflow:(safety_checking())
             e1#mark e1#pos ty e1#typ e1 e1';
           coerce ~check_int_overflow:(safety_checking())
             e2#mark e2#pos ty e2#typ e2 e2']
    | JCEshift(e1,e2) ->
	(* TODO: bitwise !!!!!!!!!!!!!!!!!!!!! *)
        let e1' = expr e1 in
        let e2' = expr e2 in
        make_app "shift"
          [e1';
	   coerce ~check_int_overflow:(safety_checking())
             e2#mark e2#pos integer_type e2#typ e2 e2']
    | JCEif(e1,e2,e3) ->
        let e1' = expr e1 in
        let e2' = expr e2 in
        let e3' = expr e3 in
        mk_expr (If(e1',e2',e3'))
    | JCEoffset(k,e1,st) ->
	let ac = deref_alloc_class ~type_safe:false e1 in
        let alloc = alloc_table_var (ac,e1#region) in
	begin match ac with
	  | JCalloc_root _ ->
              let f = match k with
		| Offset_min -> "offset_min"
		| Offset_max -> "offset_max"
              in
	      make_app f [alloc; expr e1]
	  | JCalloc_bitvector ->
              let f = match k with
		| Offset_min -> "offset_min_bytes"
		| Offset_max -> "offset_max_bytes"
              in
	      let s = string_of_int (struct_size_in_bytes st) in
	      make_app f [alloc; expr e1; mk_expr (Cte(Prim_int s))]
	end
    | JCEaddress(Addr_absolute,e1) ->
        make_app "absolute_address" [ expr e1 ]
    | JCEaddress(Addr_pointer,e1) ->
        make_app "address" [ expr e1 ]
    | JCEbase_block(e1) ->
        make_app "base_block" [ expr e1 ]
    | JCEfresh _ -> assert false
    | JCEinstanceof(e1,st) ->
        let e1' = expr e1 in
        let tag = tag_table_var (struct_root st,e1#region) in
        (* always safe *)
        make_app "instanceof_" [ tag; e1'; mk_var(tag_name st) ]
    | JCEcast(e1,st) ->
        if struct_of_union st then
	  expr e1
	else
          let e1' = expr e1 in
          let tmp = tmp_var_name () in
(*
          eprintf "JCEcast: tmp_var_name for tmp is %s@." tmp;
*)
          let tag = tag_table_var (struct_root st,e1#region) in
	  let downcast_fun =
	    if safety_checking () then "downcast_" else "safe_downcast_"
	  in
          let call =
            make_guarded_app e#mark DownCast e#pos downcast_fun
	      [ tag; mk_var tmp; mk_var(tag_name st) ]
          in
          mk_expr (Let(tmp,e1',call)) (* Yannick: why a temporary here? *)
    | JCEbitwise_cast(e1,_st) ->
	expr e1
    | JCErange_cast(e1,ri) ->
        let e1' = expr e1 in
        coerce ~check_int_overflow:(safety_checking())
          e#mark e#pos (JCTenum ri) e1#typ e1 e1'
    | JCEreal_cast(e1,rc) ->
        let e1' = expr e1 in
        begin match rc with
          | Integer_to_real ->
              coerce ~check_int_overflow:(safety_checking())
                e#mark e#pos real_type e1#typ e1 e1'
          | Double_to_real ->
              coerce ~check_int_overflow:(safety_checking())
                e#mark e#pos real_type e1#typ e1 e1'
	  | Float_to_real ->
              coerce ~check_int_overflow:(safety_checking())
                e#mark e#pos real_type e1#typ e1 e1'
          | Round(f,_rm) ->
              coerce ~check_int_overflow:(safety_checking()
					    (* no safe version in the full model*)
	      || not (float_model_has_safe_functions ()))
                e#mark e#pos (JCTnative (Tgenfloat f)) e1#typ e1 e1'
        end
    | JCEderef(e1,fi) ->
  	make_deref e#mark e#pos e1 fi
    | JCEalloc(e1,st) ->
	let e1' = expr e1 in
	let ac = deref_alloc_class ~type_safe:false e in
        let alloc = plain_alloc_table_var (ac,e#region) in
	let pc = JCtag(st,[]) in
	let args = alloc_arguments (ac,e#region) pc in
        if !Jc_options.inv_sem = InvOwnership then
          let tag = plain_tag_table_var (struct_root st,e#region) in
          let mut = mutable_name pc in
          let com = committed_name pc in
          make_app "alloc_parameter_ownership"
            [alloc; mk_var mut; mk_var com; tag; mk_var (tag_name st);
             coerce ~check_int_overflow:(safety_checking())
	       e1#mark e1#pos integer_type
	       e1#typ e1 e1']
	else
          make_guarded_app e#mark
            AllocSize e#pos
            (alloc_param_name ~check_size:(safety_checking()) ac pc)
            (coerce ~check_int_overflow:(safety_checking())
	       e1#mark e1#pos integer_type
	       e1#typ e1 e1'
             :: args)
    | JCEfree e1 ->
	let e1' = expr e1 in
	let ac = deref_alloc_class ~type_safe:false e1 in
        let alloc = plain_alloc_table_var (ac,e1#region) in
        if !Jc_options.inv_sem = InvOwnership then
	  let pc = pointer_class e1#typ in
	  let com = committed_name pc in
	  make_app "free_parameter_ownership"
	    [alloc; mk_var com; e1']
        else
	  let free_fun =
	    if safety_checking () then "free_parameter"
	    else "safe_free_parameter"
	  in
	  make_app free_fun [alloc; e1']


    | JCEapp call ->
	begin match call.jc_call_fun with
          | JClogic_fun f ->
              let arg_types_asserts, args =
		try match f.jc_logic_info_parameters with
		  | [] -> [], []
		  | params ->
(*
		      let param_types =
			List.map (fun v -> v.jc_var_info_type) params
		      in
*)
		      List.fold_right2 list_type_assert
			params call.jc_call_args ([],[])
		with Invalid_argument _ -> assert false
              in
	      let param_assoc =
		List.map2 (fun param arg -> param,arg)
		  f.jc_logic_info_parameters call.jc_call_args
	      in
	      let with_body =
		try
                  let _f,body =
		    IntHashtblIter.find 
                      Jc_typing.logic_functions_table
		      f.jc_logic_info_tag
		  in
		  match body with
		    | JCTerm _ -> true
		    | JCNone | JCReads _ -> false
		    | JCAssertion _ | JCInductive _ -> assert false
                with Not_found -> false
	      in
	      let pre, fname, locals, prolog, epilog, args =
		make_arguments
                  ~callee_reads: f.jc_logic_info_effects
                  ~callee_writes: empty_effects
                  ~region_assoc: call.jc_call_region_assoc
		  ~param_assoc ~with_globals:true ~with_body
		  f.jc_logic_info_final_name args
	      in
	      assert (pre = LTrue);
	      assert (fname = f.jc_logic_info_final_name);
              let call = make_logic_app fname args in
              let new_arg_types_assert =
		List.fold_right
		  (fun opt acc ->
		     match opt with
                       | (_tmp,_e,a) -> make_and a acc)
		  arg_types_asserts LTrue
              in
              let call =
		if new_arg_types_assert = LTrue || not (safety_checking()) then
		  call
		else
		  mk_expr (Assert(`ASSERT,new_arg_types_assert,call))
              in
              let call =
		List.fold_right
		  (fun opt c ->
		     match opt with
                       | (tmp,e,_ass) -> mk_expr (Let(tmp,e,c)))
		  arg_types_asserts call
              in
	      let call = append prolog call in
	      let call =
		if epilog.expr_node = Void then call else
		  let tmp = tmp_var_name () in
		  mk_expr (Let(tmp,call,append epilog (mk_var tmp)))
	      in
              define_locals ~writes:locals call

          | JCfun f ->

              let arg_types_asserts, args =
		try match f.jc_fun_info_parameters with
		  | [] -> [], []
		  | params ->
		      let params =
			List.map (fun (_,v) -> v) params
		      in
		      List.fold_right2 list_type_assert
			params call.jc_call_args ([],[])
		with Invalid_argument _ -> assert false
              in
	      let args =
		List.fold_right2
		  (fun e e' acc ->
		     let e' =
		       if is_pointer_type e#typ && Region.bitwise e#region then
			 let st = pointer_struct e#typ in
			 let vi = struct_root st in
			 make_app (of_pointer_address_name vi) [ e' ]
		       else e'
		     in
		     e' :: acc
		  ) call.jc_call_args args []
	      in
	      let param_assoc =
		List.map2 (fun (_,param) arg -> param,arg)
		  f.jc_fun_info_parameters call.jc_call_args
	      in
	      let fname =
		if safety_checking () then
		  f.jc_fun_info_final_name ^ "_requires"
		else f.jc_fun_info_final_name
	      in
	      let with_body =
		try
		  let _f,_loc,_s,body =
                    IntHashtblIter.find 
                      Jc_typing.functions_table f.jc_fun_info_tag
		  in
		  body <> None
                with Not_found ->
                  (*
                    eprintf "Fatal error: tag for %s not found@." f.jc_fun_info_name;
                    assert false
                  *)
                  false
	      in
	      let args =
		match f.jc_fun_info_builtin_treatment with
		  | TreatNothing -> args
		  | TreatGenFloat format ->
		      (mk_var (float_format format))::(current_rounding_mode ())::args
	      in
	      let pre, fname, locals, prolog, epilog, new_args =
		make_arguments
                  ~callee_reads: f.jc_fun_info_effects.jc_reads
                  ~callee_writes: f.jc_fun_info_effects.jc_writes
                  ~region_assoc: call.jc_call_region_assoc
		  ~param_assoc ~with_globals:false ~with_body
		  fname args
	      in
	      let call = make_guarded_app e#mark UserCall e#pos fname new_args in
	      let call =
		if is_pointer_type e#typ && Region.bitwise e#region then
		  make_app "pointer_address" [ call ]
		else call
	      in
	      (* decreases *)

	      let this_comp = f.jc_fun_info_component in
	      let current_comp = (get_current_function()).jc_fun_info_component in
	      let call =
		if safety_checking() && this_comp = current_comp then
                  try
		  let cur_measure,cur_r = get_measure_for (get_current_function()) in
                  let cur_measure_why =
                    term ~type_safe:true ~global_assertion:true
                      ~relocate:false LabelPre LabelPre cur_measure
                  in
		  let this_measure,this_r = get_measure_for f in
                  let subst =
                    List.fold_left2
                      (fun acc (_,vi) (tmp,_,_) ->
(*
                         Format.eprintf "subst: %s -> %s@."
                           vi.jc_var_info_name tmp;
*)
                         VarMap.add vi (LVar tmp) acc)
                      VarMap.empty f.jc_fun_info_parameters arg_types_asserts
                  in
                  let this_measure_why =
                    term ~subst ~type_safe:true ~global_assertion:true
                      ~relocate:false LabelHere LabelHere this_measure
                  in
		  let r,ty =
		    assert (this_r = cur_r);
		    match this_r with
		      | None -> "zwf_zero", integer_type
		      | Some li ->
                          match li.jc_logic_info_parameters with
                              v1::_ -> li.jc_logic_info_name,v1.jc_var_info_type
                            | _ -> assert false
		  in
                  let this_measure_why =
                    term_coerce
                      ~type_safe:false ~global_assertion:false
                      LabelHere this_measure#pos ty this_measure#typ this_measure this_measure_why
                  in
                  let cur_measure_why =
                    term_coerce
                      ~type_safe:false ~global_assertion:false
                      LabelHere cur_measure#pos ty cur_measure#typ cur_measure cur_measure_why
                  in
		  let pre =
		    LPred(r,[this_measure_why;cur_measure_why])
		  in
		  make_check ~mark:e#mark ~kind:VarDecr e#pos
                    (* Francois mardi 29 juin 2010 : `ASSERT -> `CHECK
                       if this_measure_why = 0 and cur_measure_why = 0 then this assert is not
                       false (0>0) so all the remaining goal are trivial. *)
                    (mk_expr (Assert(`CHECK,pre,call)))
                  with Exit -> call
		else call
	      in
	      (* separation assertions *)
	      let call =
		if pre = LTrue || not (safety_checking()) then
		  call
		else
		  make_check ~mark:e#mark (* ~kind:Separation *) e#pos
		    (mk_expr (Assert(`ASSERT,pre,call)))
	      in
              let arg_types_assert =
		List.fold_right
		  (fun opt acc ->
		     match opt with
                       | (_tmp,_e,a) -> make_and a acc)
		  arg_types_asserts LTrue
              in
              let call =
		if arg_types_assert = LTrue || not (safety_checking()) then
		  call
		else
		  make_check ~mark:e#mark ~kind:IndexBounds e#pos
		    (mk_expr (Assert(`ASSERT,arg_types_assert,call)))
              in
              let call =
		List.fold_right
		  (fun opt c ->
		     match opt with
                       | (tmp,e,_ass) -> mk_expr (Let(tmp,e,c)))
		  arg_types_asserts call
              in
	      let call = append prolog call in
	      let call =
		if epilog.expr_node = Void then call else
		  let tmp = tmp_var_name () in
		  mk_expr (Let(tmp,call,append epilog (mk_var tmp)))
	      in
              define_locals ~writes:locals call
	end
    | JCEassign_var(v,e1) ->
(*
        begin
          match e#mark with
            | "" -> ()
            | l -> Format.eprintf "met assign_var with label %s@." l
        end;
*)
	let e1' = value_assigned e#mark e#pos v.jc_var_info_type e1 in
	let e' = mk_expr (Assign(v.jc_var_info_final_name,e1')) in
	if e#typ = Jc_pervasives.unit_type then
          begin
(*
            eprintf "JCEassign(%s,..) : has type unit@." v.jc_var_info_name;
*)
            e'
          end
        else
          begin
(*
            eprintf "JCEassign(%s,..) : DOES NOT have type unit@." v.jc_var_info_name;
*)
            append e' (var v)
          end
    | JCEassign_heap(e1,fi,e2) ->
	let e2' = value_assigned e#mark e#pos fi.jc_field_info_type e2 in
	(* Define temporary variable for value assigned *)
	let tmp2 = tmp_var_name () in
(*
        eprintf "JCEassign_heap: tmp_var_name for tmp2 is %s@." tmp2;
*)
	let v2 = Jc_pervasives.var fi.jc_field_info_type tmp2 in
	let e2 =
	  new expr_with ~typ:fi.jc_field_info_type ~node:(JCEvar v2) e2
	in
	(* Translate assignment *)
        let tmp1, lets, e' = make_upd e#mark e#pos e1 fi e2 in
        let e' =
	  if (safety_checking()) && !Jc_options.inv_sem = InvOwnership then
            append (assert_mutable (LVar tmp1) fi) e'
	  else e'
	in
	let lets = (tmp2,e2') :: lets in
        let e' =
          if e#typ = Jc_pervasives.unit_type then
	    match e'.expr_node with
              | MultiAssign(m,p,lets',isrefa,ta,a,tmpe,e,f,l) ->
(*
                eprintf "multiassign for a unit type !@.";
                eprintf "length lets = %d, length lets' = %d@."
                  (List.length lets) (List.length lets');
*)
                  { e' with expr_node =
                      MultiAssign(m,p,lets@lets',isrefa,ta,a,tmpe,e,f,l)}
              | _ ->
                  make_lets lets e'
          else
            begin
(*
              eprintf "multiassign but not a unit type !@.";
*)
              make_lets lets (append e' (mk_var tmp2))
            end
        in
        if !Jc_options.inv_sem = InvOwnership then
          append e' (assume_field_invariants fi)
        else e'

    | JCEblock el ->
        List.fold_right append (List.map expr el) void
    | JCElet(v,e1,e2) ->
        let e1' = match e1 with
          | None ->
              any_value v.jc_var_info_region v.jc_var_info_type
          | Some e1 ->
	      value_assigned e#mark e#pos v.jc_var_info_type e1
	in
	let e2' = expr e2 in
        if v.jc_var_info_assigned then
	  mk_expr (Let_ref(v.jc_var_info_final_name,e1',e2'))
        else
	  mk_expr (Let(v.jc_var_info_final_name,e1',e2'))
    | JCEreturn_void -> mk_expr (Raise(jessie_return_exception,None))
    | JCEreturn(ty,e1) ->
	let e1' = value_assigned e#mark e#pos ty e1 in
	let e' = mk_expr (Assign(jessie_return_variable,e1')) in
	append e' (mk_expr (Raise(jessie_return_exception,None)))
    | JCEunpack(st,e1,as_st) ->
        let e1' = expr e1 in
        make_guarded_app e#mark Unpack e#pos
          (unpack_name st) [ e1'; mk_var (tag_name as_st) ]
    | JCEpack(st,e1,from_st) ->
        let e1' = expr e1 in
        make_guarded_app e#mark Pack e#pos
          (pack_name st) [ e1'; mk_var (tag_name from_st) ]
    | JCEassert(b,asrt,a) ->
(*
        Format.eprintf "assertion meet, kind %a for behaviors: %a@."
          Jc_output_misc.asrt_kind asrt
          (print_list comma Jc_output.identifier) b;
*)
	let a' =
	  named_assertion
	    ~type_safe:false ~global_assertion:false ~relocate:false
	    LabelHere LabelPre a
	in
(*
        Format.eprintf "assertion to check ?@.";
*)
	begin match asrt with
	  | Aassert | Ahint ->
	      if in_current_behavior b then
		mk_expr (Assert(`ASSERT,a',void))
	      else if in_default_behavior b then
		assumption [ a ] a'
              else
                void
	  | Aassume ->
	      if in_current_behavior b || in_default_behavior b then
		assumption [ a ] a'
	      else void
          | Acheck ->
(*
              (match b with
                 | [] -> Format.eprintf "check for no behavior@."
                 | b::_ -> Format.eprintf "check for behavior %s,...@." b#name);
*)
              if in_current_behavior b then
		mk_expr (Assert(`CHECK,a',void))
	      else void
	end
    | JCEloop(la,e1) ->
	let inv,assume_from_inv =
	  List.fold_left
	    (fun ((invariants,assumes) as acc) (names,inv,_) ->
	       match inv with
		 | Some i ->
		     if in_current_behavior names
		     then (i::invariants,assumes)
		     else
		       if List.exists
			 (fun behav -> behav#name = "default")
			 names
		       then
			 (invariants,i::assumes)
		       else
			 (invariants,assumes)
		 | None -> acc)
	    ([],[])
	    la.jc_loop_behaviors
	in
        let inv' =
	  make_and_list
	    (List.map
	       (named_assertion
		  ~type_safe:false ~global_assertion:false ~relocate:false
		  LabelHere LabelPre) inv)
	in
        let assume_from_inv' =
	  make_and_list
	    (List.map
	       (named_assertion
		  ~type_safe:false ~global_assertion:false ~relocate:false
		  LabelHere LabelPre) assume_from_inv)
	in
	(* free invariant: trusted or not *)
	let free_inv = la.jc_free_loop_invariant in
        let free_inv' =
	  named_assertion
	    ~type_safe:false ~global_assertion:false ~relocate:false
	    LabelHere LabelPre free_inv
        in
        let inv' =
	  if Jc_options.trust_ai then inv' else make_and inv' free_inv'
	in
	(* loop assigns

	   By default, the assigns clause for the function should be
	   taken

	   Yannick: wrong, as function's assigns clause does not deal
	   with newly allocated memory, nor local variables, which may
	   be assigned in the loop.

	   Claude: it is not wrong if we take care: the implicit loop
	   assigns generated from the function's assigns should relate
	   the state Pre (for the function) and current state. Whereas an
	   explicit loop assigns relates the state before entering the
	   loop and the current state. example:


	   int t[10];
	   //@ assigns t[0..9]
	   f() { int i;
	   int u[] = new int [10];
	   //@ loop assigns t[0..i], u[0..i]
	   for (i=0; i < 10; i++) {
	   t[i] = ...; u[i] = ...
	   }

	   the Why code should be

	   f() { let i = ref any_int() in
	   let u = alloc_array(10) // writes alloc
	   in
	   loop_init:
	   i := 0;
	   while (!i < 10) do
	     invariant
	        // from loop assigns
	        assigns(alloc@loop_init,intP@loop_init,intP,
	                    t[0..i] union u[0..i])
	        and
	        // from function's assigns
	        assigns(alloc@,intP@,intP, t[0..9])
	     intP := store(intP,t+!i,...);
	     intP := store(intP,u+!i,...);
	     i := !i + 1;
	   done;

	*)


	(* loop assigns from function's loop assigns *)

	let loop_assigns_from_function =
	  let s = get_current_spec () in
	  List.fold_left
	    (fun acc (_pos,id,b) ->
	       if is_current_behavior id then
		 match b.jc_behavior_assigns with
		   | None -> acc
		   | Some(_pos,loclist) ->
		       let loclist = List.map old_to_pre_loc loclist in
		       match acc with
			 | None -> Some loclist
			 | Some loclist' -> Some (loclist @ loclist')
	       else acc
	    ) None (s.jc_fun_default_behavior::s.jc_fun_behavior)
	in

	(* This is the code producing the Why invariant from the user's loop assigns

   a loop assigns for behavior b should be

   - taken as an invariant if current behavior is b

   - taken as an assumption at loop entrance if current behavior is not b
     and b is "default"

     WARNING: this is UNSOUND if the defautl behavior has an assumes clause!!!
       -> temporarily disabled

   - otherwise ignored

*)


	let loop_assigns =
	  List.fold_left
	    (fun acc (names,_inv,ass) ->
	       match ass with
		 | Some i ->
		     if in_current_behavior names
		     then
		       match acc with
			 | None -> Some i
			 | Some l -> Some (i@l)
		     else
		       (*
			 if List.exists
			 (fun behav -> behav#name = "default")
			 names
			 then
			 (invariants,i::assumes)
		       else
			 (invariants,assumes)
		       *)
		       acc
		 | None -> acc)
	    None
	    la.jc_loop_behaviors
	in

	let loop_label = fresh_loop_label() in

	let ass =
	  assigns ~type_safe:false
	    (LabelName loop_label) infunction.jc_fun_info_effects loop_assigns
	    e#pos
	in

	let ass_from_fun =
	  assigns ~type_safe:false
	    LabelPre infunction.jc_fun_info_effects loop_assigns_from_function
	    e#pos
	in

        let inv' =
	  make_and inv' (make_and (mark_assertion e#pos ass)
			   (mark_assertion e#pos ass_from_fun))
	in
	(* loop body *)
        let body = expr e1 in
	let add_assume s =
          let s = append (assumption assume_from_inv assume_from_inv') s in
          if Jc_options.trust_ai then
            append (assumption [ free_inv ] free_inv') s
          else s
        in
	let body = [ add_assume body ] in
	(* loop variant *)
	let loop_variant =
          match la.jc_loop_variant with
            | Some (t,r) when variant_checking () &&
                !Jc_options.termination_policy <> TPnever ->
		let variant =
		  named_term
		    ~type_safe:false ~global_assertion:false ~relocate:false
		    LabelHere LabelPre t
	        in
                let variant,r = match r with
                  | None ->
		      term_coerce
                        ~type_safe:false ~global_assertion:false
                        LabelHere t#pos integer_type t#typ t variant, None
                  | Some id -> variant, Some id.jc_logic_info_name
                in
                Some (variant,r)
            | None when variant_checking () &&
                !Jc_options.termination_policy = TPalways ->
                eprintf
                  "Warning, generating a dummy variant for loop. \
                   Please provide a real variant or set termination policy \
                   to user or never\n%!";
                Some (LConst(Prim_int "0"),None)
            | _ -> None
        in
(*
        eprintf "Jc_interp.expr: adding loop label %s@." loop_label.label_info_final_name;
*)
        make_label loop_label.label_info_final_name
	  (mk_expr (While((mk_expr (Cte(Prim_bool true)),
                           inv', loop_variant, body))))

    | JCEcontract(req,dec,vi_result,behs,e) ->
	let r =
          match req with
            | Some a ->
                assertion
	          ~type_safe:false ~global_assertion:false ~relocate:false
	          LabelHere LabelPre a
            | _ -> LTrue
        in
        assert (dec = None);
        let ef = Jc_effect.expr Jc_pervasives.empty_fun_effect e in
	begin match behs with
	  | [_pos,id,b] ->
	      assert (b.jc_behavior_throws = None);
	      assert (b.jc_behavior_assumes = None);
	      let a =
		assertion
		  ~type_safe:false ~global_assertion:false ~relocate:false
		  LabelHere LabelPre b.jc_behavior_ensures
	      in
              let post = match b.jc_behavior_assigns with
                | None -> a
                | Some(_,locs) ->
                    make_and a
	              (assigns ~type_safe:false
	                 LabelPre
                         ef (* infunction.jc_fun_info_effects*) (Some locs)
	                 e#pos)
              in
              if safety_checking () then
                begin
                  let tmp = tmp_var_name () in
                  mk_expr (Let(tmp,
                               mk_expr (Triple(true,r,expr e,LTrue,[])),
                               append
                                 (mk_expr
                                    (BlackBox(Annot_type(LTrue,unit_type,[],[],post,[]))))
                                 (mk_expr (Var tmp))))
                end
              else if is_current_behavior id then
                if r = LTrue
                then
                  mk_expr (Triple(true,LTrue,expr e,post,[]))
                else
                  append
                    (mk_expr (BlackBox(Annot_type(LTrue,unit_type,[],[],r,[]))))
                    (mk_expr (Triple(true,LTrue,expr e,post,[])))
              else
(*
                let reads = read_effects
                  ~callee_reads:ef.jc_reads
                  ~callee_writes:ef.jc_writes ~params:[] ~region_list:[]
                in
                let _writes = write_effects
                  ~callee_reads:ef.jc_reads
                  ~callee_writes:ef.jc_writes ~params:[] ~region_list:[]
                in
*)
                append
                  (mk_expr (BlackBox(Annot_type(LTrue,unit_type,[],[],r,[]))))
                  (*
                  (mk_expr (BlackBox(Annot_type(LTrue, tr_var_type vi_result,reads, writes, post, []))))
                  *)
                  (let tmp = tmp_var_name () in
                   mk_expr (Let(tmp,
                                (mk_expr (Triple(true,LTrue,expr e,LTrue,[]))),
                                (mk_expr (BlackBox(Annot_type(LTrue, tr_var_type vi_result,[], [], post, [])))))))
	  | _ -> assert false
	end
    | JCEthrow(exc,Some e1) ->
        let e1' = expr e1 in
        mk_expr (Raise(exception_name exc,Some e1'))
    | JCEthrow(exc, None) ->
        mk_expr (Raise(exception_name exc,None))
    | JCEtry (s, catches, _finally) ->
(*      assert (finally.jc_statement_node = JCEblock []); (\* TODO *\) *)
        let catch (s,excs) (ei,v_opt,st) =
          if ExceptionSet.mem ei excs then
            (mk_expr (Try(s,
                 exception_name ei,
                 Option_misc.map (fun v -> v.jc_var_info_final_name) v_opt,
                 expr st)),
             ExceptionSet.remove ei excs)
          else
            begin
(* YMo: too many questions about warning due to generated Jessie *)
(*               eprintf "Warning: exception %s cannot be thrown@." *)
(*                 ei.jc_exception_info_name; *)
              (s,excs)
            end
        in
        let ef = Jc_effect.expr empty_fun_effect s in
        let (s,_) =
          List.fold_left catch (expr s,ef.jc_raises) catches
        in s
    | JCEmatch (e, psl) ->
        let tmp = tmp_var_name () in
        let body = pattern_list_expr expr (LVar tmp) e#region
          e#typ psl in
        mk_expr (Let(tmp, expr e, body))
  in
  let e' =
    (* Ideally, only labels used in logical annotations should be kept *)
    let lab = e#mark in
    if lab = "" then e' else
      begin
        match e' with
            (*
              | MultiAssign _ -> assert false
            *)
          | _ ->
(*
              if lab = "L2" then eprintf "Jc_interp.expr: adding label %s to expr %a@." lab Output.fprintf_expr e';
*)
              make_label e#mark e'
      end
  in
  let e' =
    if e#typ = Jc_pervasives.unit_type then
      if match e#original_type with
        | JCTany | JCTnative Tunit -> false
        | _ -> true
      then
        match e'.expr_node with
          | MultiAssign _ -> e'
          | _ ->
	      (* Create dummy temporary *)
	      let tmp = tmp_var_name () in
	      mk_expr (Let(tmp,e',void))
      else e'
    else
      match e'.expr_node with
        | MultiAssign _ -> assert false
        | _ -> e'
  in
(*
  begin
    match e' with
      | MultiAssign _ -> eprintf "Jc_interp.expr produces MultiAssign@.";
      | _ -> ()
  end;
*)
  e'



(*****

finalization: removing MultiAssign expressions

***)

let make_old_style_update ~mark ~pos alloc tmpp tmpshift mem i b1 b2 tmp2 =
  if safety_checking() then
    match b1,b2 with
      | true,true ->
          make_app "safe_upd_" [ mk_var mem; mk_var tmpshift; mk_var tmp2 ]
      | true,false ->
          make_guarded_app ~mark IndexBounds pos "lsafe_lbound_upd_"
            [ alloc; mk_var mem; mk_var tmpp; mk_expr (Cte i); mk_var tmp2 ]
      | false,true ->
          make_guarded_app ~mark IndexBounds pos "rsafe_rbound_upd_"
            [ alloc; mk_var mem; mk_var tmpp; mk_expr (Cte i); mk_var tmp2 ]
      | false,false ->
          make_guarded_app ~mark PointerDeref pos "upd_"
            [ alloc; mk_var mem ; mk_var tmpshift; mk_var tmp2 ]
  else
    make_app "safe_upd_" [ mk_var mem; mk_var tmpshift; mk_var tmp2 ]

let make_old_style_update_no_shift ~mark ~pos alloc tmpp mem b1 b2 tmp2 =
  if safety_checking() then
    match b1,b2 with
      | true,true ->
          make_app "safe_upd_" [ mk_var mem; mk_var tmpp; mk_var tmp2 ]
      | true,false ->
          make_guarded_app ~mark IndexBounds pos "lsafe_lbound_upd_"
            [ alloc; mk_var mem; mk_var tmpp; mk_expr (Cte (Prim_int "0")); mk_var tmp2 ]
      | false,true ->
          make_guarded_app ~mark IndexBounds pos "rsafe_rbound_upd_"
            [ alloc; mk_var mem; mk_var tmpp; mk_expr (Cte (Prim_int "0")); mk_var tmp2 ]
      | false,false ->
          make_guarded_app ~mark PointerDeref pos "upd_"
            [ alloc; mk_var mem ; mk_var tmpp; mk_var tmp2 ]
  else
    make_app "safe_upd_" [ mk_var mem; mk_var tmpp; mk_var tmp2 ]

let make_not_assigns talloc mem t l =
  let l = List.map (fun (i,_,_,_) -> i) l in
  let l = List.sort Pervasives.compare l in
  let rec merge l acc =
    match l,acc with
      | [],_ -> acc
      | i::r, [] -> merge r [(i,i)]
      | i::r, (a,b)::acc' ->
          if i=b+1 then merge r ((a,i)::acc')
          else merge r ((i,i)::acc)
  in
  let i,l = match merge l []
  with [] -> assert false
    | i::l -> i,l
  in
  let pset_of_interval (a,b) =
    if a=b then LApp("pset_singleton",[
                       LApp("shift",[LVar t;
                                     LConst (Prim_int (string_of_int a))])])
    else LApp("pset_range",[
                LApp("pset_singleton", [LVar t]);
                LConst(Prim_int (string_of_int a));
                LConst(Prim_int (string_of_int b))])
  in
  let pset = List.fold_left
    (fun acc i ->
       LApp("pset_union",[pset_of_interval i; acc]))
    (pset_of_interval i)
    l
  in
  LPred("not_assigns",[talloc;LDerefAtLabel(mem,"") ; LDeref mem ; pset])





let rec finalize e =
  match e.expr_node with
    | Absurd | Void | Cte _ | Var _ | BlackBox _ | Assert _ | Deref _
    | Raise(_, None) -> e
    | Triple(opaque,pre,e1,post,posts) ->
      { e with expr_node = Triple(opaque,pre,finalize e1,post,posts) }
    | Loc (l, e1) -> {e with expr_node = Loc(l,finalize e1) }
(*
    | Label (l, e) -> Label(l,finalize e)
*)
    | Fun (_, _, _, _, _) -> assert false
    | Try (e1, exc, arg, e2) ->
        {e with expr_node = Try(finalize e1, exc, arg, finalize e2)}
    | Raise (id, Some e1) ->
        {e with expr_node = Raise(id, Some(finalize e1))}
    | App (e1, e2, ty) ->
        {e with expr_node = App(finalize e1, finalize e2, ty)}
    | Let_ref (x, e1, e2) ->
        {e with expr_node = Let_ref(x, finalize e1, finalize e2)}
    | Let (x, e1, e2) ->
        {e with expr_node = Let(x, finalize e1, finalize e2)}
    | Assign (x, e1) ->
        {e with expr_node = Assign(x, finalize e1) }
    | Block(l) ->
        {e with expr_node = Block(List.map finalize l) }
    | While (e1, inv, var, l) ->
        {e with expr_node = While(finalize e1, inv, var, List.map finalize l)}
    | If (e1, e2, e3) ->
        {e with expr_node = If(finalize e1, finalize e2, finalize e3)}
    | Not e1 ->
        {e with expr_node = Not(finalize e1)}
    | Or (e1, e2) ->
        {e with expr_node = Or(finalize e1, finalize e2) }
    | And (e1, e2) ->
        {e with expr_node = And(finalize e1, finalize e2) }
    | MultiAssign(mark,pos,lets,isrefalloc,talloc,alloc,tmpe,_e,mem,l) ->
(*
        eprintf "finalizing a MultiAssign@.";
*)
        match l with
          | [] -> assert false
          | [(i,b1,b2,e')] ->
(*
            eprintf "MultiAssign is only for one update@.";
*)
              if i=0 then
                 make_lets lets
                   (make_old_style_update_no_shift ~mark ~pos alloc tmpe mem b1 b2 e')
              else
                let tmpshift = tmp_var_name () in
(*
                eprintf "Jc_interp.finalize: tmp_var_name for tmpshift is %s@." tmpshift;
*)
                let i = Prim_int (string_of_int i) in
                make_lets lets
                  (make_lets [tmpshift,make_app "shift" [mk_var tmpe; mk_expr (Cte i)]]
                     (make_old_style_update ~mark ~pos alloc tmpe tmpshift mem i b1 b2 e'))
         | _ ->
(*
            eprintf "MultiAssign is for several updates !@.";
*)
              let pre =
                if safety_checking() then
                  make_and_list
                    (List.fold_left
                       (fun acc (i,b1,b2,_) ->
                          (* valid e+i *)
                          let i = LConst (Prim_int (string_of_int i)) in
                          (if b1 then LTrue else
                             (* offset_min(alloc,e) <= i *)
	                     LPred ("le_int",
		                    [LApp("offset_min",
                                          [talloc; LVar tmpe]);
                                     i])) ::
                            (if b2 then LTrue else
                               (* i <= offset_max(alloc,e) *)
	                       LPred ("le_int",
		                      [i ;
                                       LApp("offset_max",
                                            [talloc; LVar tmpe])]))
                          ::acc
                       )
                       []
                       l)
                else LTrue
              in
              let post =
                make_and_list
                  (make_not_assigns talloc mem tmpe l ::
                     List.map
                     (fun (i,_,_,e') ->
                        (* (e+i).f == e' *)
                        LPred("eq",
                              [ LApp("select",
                                     [ LDeref mem;
                                       LApp("shift",
                                            [ LVar tmpe ; LConst (Prim_int (string_of_int i))] )]);
                                LVar e'])) l)
              in
              let reads = if isrefalloc then
                match talloc with
                  | LVar v -> [v;mem]
                  | LDeref v -> [v;mem]
                  | _ -> assert false
              else
                [mem]
              in
              make_lets lets
                (mk_expr (BlackBox (Annot_type(pre,unit_type,reads,[mem],post,[]))))


let expr e = finalize (expr e)


(*****************************)
(* axioms, lemmas, goals   *)
(**************************)

let tr_axiom loc id ~is_axiom labels a acc =

  if Jc_options.debug then
    Format.printf "[interp] axiom %s@." id;

  let lab = match labels with [lab] -> lab | _ -> LabelHere in
  let ef = Jc_effect.assertion empty_effects a in
  let a' =
    assertion ~type_safe:false ~global_assertion:true ~relocate:false lab lab a
  in
  let params = tmodel_parameters ~label_in_name:true ef in
  let new_id = get_unique_name id in
  reg_decl
    ~out_mark:new_id
    ~in_mark:id
    ~name:id
    ~beh:(if is_axiom then "axiom" else "lemma")
    loc;
  let a' =
    List.fold_right (fun (n,_v,ty') a' -> LForall(n,ty',[],a')) params a'
  in
  Goal((if is_axiom then KAxiom else KLemma),
       {Output.name = new_id; loc = Loc.extract loc},a') :: acc




(***********************************)
(*             axiomatic decls     *)
(***********************************)


let tr_axiomatic_decl acc d =
  match d with
    | Jc_typing.ABaxiom(loc,id,labels,p) ->
	tr_axiom loc ~is_axiom:true id labels p acc

(******************************************************************************)
(*                                 Functions                                  *)
(******************************************************************************)

let excep_posts_for_others exc_opt excep_behaviors =
  ExceptionMap.fold
    (fun exc _bl acc ->
       match exc_opt with
         | Some exc' ->
	     if exc.jc_exception_info_tag = exc'.jc_exception_info_tag then
	       acc
	     else
	       (exception_name exc, LTrue) :: acc
         | None -> (exception_name exc, LTrue) :: acc
    ) excep_behaviors []

let fun_parameters ~type_safe params write_params read_params =
  let write_params =
    List.map (fun (n,ty') -> (n,Ref_type(Base_type ty'))) write_params
  in
  let read_params =
    List.map (fun (n,ty') -> (n,Base_type ty')) read_params
  in
  let params =
    List.map (fun v ->
		let n,ty' = param ~type_safe v in
		(n, Base_type ty')
	     ) params
  in
  let params = params @ write_params @ read_params in
  match params with
    | [] -> [ ("tt", unit_type) ]
    | _ -> params

let annot_fun_parameters params write_params read_params annot_type =
  let params = fun_parameters ~type_safe:true params write_params read_params in
  List.fold_right (fun (n,ty') acc -> Prod_type(n, ty', acc))
    params annot_type

let function_body _f spec behavior_name body =
  set_current_behavior behavior_name;
  set_current_spec spec;
  let e' = expr body in
  reset_current_behavior ();
  reset_current_spec ();
  e'

(* Only used for internal function, hence type-safe parameter set to false *)
let assume_in_precondition b pre =
  match b.jc_behavior_assumes with
    | None -> pre
    | Some a ->
	let a' =
	  assertion ~type_safe:false ~global_assertion:false ~relocate:false
	    LabelHere LabelHere a
	in
	make_and a' pre

(* Only used for external prototype, hence type-safe parameter set to true *)
let assume_in_postcondition b post =
  match b.jc_behavior_assumes with
    | None -> post
    | Some a ->
	let a' =
	  assertion ~type_safe:true ~global_assertion:false ~relocate:true
	    LabelOld LabelOld a
	in
	make_impl a' post

let function_prototypes = Hashtbl.create 7

let get_valid_pred_app ~in_param vi =
  match vi.jc_var_info_type with
    | JCTpointer (pc, n1o, n2o) ->
	(* TODO: what about bitwise? *)
	let v' =
          term ~type_safe:false ~global_assertion:false ~relocate:false
	    LabelHere LabelHere (new term_var vi)
	in
	  begin match n1o, n2o with
            | None, None -> LTrue
	    | Some n, None ->
		let ac = alloc_class_of_pointer_class pc in
                let a' =
		  make_valid_pred_app ~in_param ~equal:false
		    (ac, vi.jc_var_info_region) pc
                    v' (Some (const_of_num n)) None
                in
		  bind_pattern_lets a'
	    | None, Some n ->
		let ac = alloc_class_of_pointer_class pc in
                let a' =
		  make_valid_pred_app ~in_param ~equal:false
		    (ac, vi.jc_var_info_region) pc
                    v' None (Some (const_of_num n))
                in
		  bind_pattern_lets a'
            | Some n1, Some n2 ->
		let ac = alloc_class_of_pointer_class pc in
                let a' =
		  make_valid_pred_app  ~in_param ~equal:false (ac, vi.jc_var_info_region) pc
                    v' (Some (const_of_num n1)) (Some (const_of_num n2))
                in
		  bind_pattern_lets a'
	  end
    | JCTnative _ | JCTlogic _ | JCTenum _ | JCTnull | JCTany
    | JCTtype_var _ -> LTrue


let pre_tr_fun f _funpos spec _body acc =
  begin
    match spec.jc_fun_decreases with
      | None -> ()
      | Some(t,r) ->
	  Hashtbl.add decreases_clause_table f.jc_fun_info_tag (t,r)
  end;
  acc


let tr_fun f funpos spec body acc =

  if Jc_options.debug then
    Format.printf "[interp] function %s@." f.jc_fun_info_name;
  Jc_options.lprintf "Jc_interp: function %s@." f.jc_fun_info_name;

  (* handle parameters that are assigned in the body *)

  let assigned_params =
    List.fold_left
      (fun acc (_,v) ->
         if v.jc_var_info_assigned then
           begin
             v.jc_var_info_assigned <- false;
             v :: acc
           end
         else
           acc)
      [] f.jc_fun_info_parameters
  in

  (* global variables valid predicates *)
  let variables_valid_pred_apps = LTrue
(* Yannick: commented out because not taken into account in effects
    Hashtbl.fold
      (fun _ (vi, _) acc ->
         let req = get_valid_pred_app vi in
	   make_and req acc)
      Jc_typing.variables_table LTrue
*)
  in

  (* precondition for calling the function and extra one for analyzing it *)

  let external_requires =
    named_assertion ~type_safe:true ~global_assertion:false ~relocate:false
      LabelHere LabelHere spec.jc_fun_requires
  in
  let external_requires =
    if Jc_options.trust_ai then
      external_requires
    else
      let free_requires =
	named_assertion ~type_safe:true ~global_assertion:false ~relocate:false
	  LabelHere LabelHere spec.jc_fun_free_requires
      in
	make_and external_requires free_requires
  in

  let internal_requires =
    named_assertion ~type_safe:false ~global_assertion:false ~relocate:false
      LabelHere LabelHere spec.jc_fun_requires
  in
  let free_requires =
    named_assertion ~type_safe:false ~global_assertion:false ~relocate:false
      LabelHere LabelHere spec.jc_fun_free_requires
  in
  let free_requires = make_and variables_valid_pred_apps free_requires in
  let internal_requires = make_and internal_requires free_requires in
  let internal_requires =
    List.fold_left
      (fun acc (_,v) ->
         let req = get_valid_pred_app  ~in_param:true v in
	   make_and req acc)
      internal_requires f.jc_fun_info_parameters
  in


  (* partition behaviors as follows:
     - (optional) 'safety' behavior (if Arguments Invariant Policy is selected)
     - (optional) 'inferred' behaviors (computed by analysis)
     - user defined behaviors *)

  let behaviors = spec.jc_fun_default_behavior :: spec.jc_fun_behavior in
  let (safety_behavior,
       normal_behaviors_inferred, normal_behaviors,
       excep_behaviors_inferred, excep_behaviors) =
    List.fold_left
      (fun (safety,normal_inferred,normal,excep_inferred,excep) (pos,id,b) ->
	 let make_post ~type_safe ~internal =
	   let post =
	     if internal && Jc_options.trust_ai then
	       b.jc_behavior_ensures
	     else
	       Assertion.mkand [ b.jc_behavior_ensures;
				 b.jc_behavior_free_ensures ] ()
	   in
	   let post =
	     named_assertion
	       ~type_safe ~global_assertion:false ~relocate:false
	       LabelPost LabelOld post
	   in
           let post = match b.jc_behavior_assigns with
             | None ->
		 Jc_options.lprintf
		   "Jc_interp: behavior '%s' has no assigns@." id;
		 post
             | Some(assigns_pos,loclist) ->
		 Jc_options.lprintf
		   "Jc_interp: behavior '%s' has assigns clause with %d elements@."
		   id (List.length loclist);
		 let assigns_post =
                   mark_assertion assigns_pos
                     (assigns ~type_safe
			~region_list:f.jc_fun_info_param_regions
			LabelOld f.jc_fun_info_effects (Some loclist) funpos)
		 in
		 mark_assertion pos (make_and post assigns_post)
	   in post
	 in
	 let internal_post = make_post ~type_safe:false ~internal:true in
	 let external_post = make_post ~type_safe:true ~internal:false in
	 let behav = (id,b,internal_post,external_post) in
         match b.jc_behavior_throws with
           | None ->
               begin match id with
                 | "safety" ->
		     assert (b.jc_behavior_assumes = None);
		     let internal_post =
		       make_and variables_valid_pred_apps internal_post
		     in
		     let external_post =
		       make_and variables_valid_pred_apps external_post
		     in
                     (id, b, internal_post, external_post) :: safety,
                     normal_inferred, normal, excep_inferred, excep
                 | "inferred" ->
		     assert (b.jc_behavior_assumes = None);
                     safety, behav :: normal_inferred,
                     (if Jc_options.trust_ai then normal else behav :: normal),
                     excep_inferred, excep
                 | _ ->
                     safety, normal_inferred, behav :: normal,
                     excep_inferred, excep
               end
           | Some exc ->
               if id = "inferred" then
		 begin
		   assert (b.jc_behavior_assumes = None);
                   safety, normal_inferred, normal,
		   ExceptionMap.add_merge
		     List.append exc [behav] excep_inferred,
		   if Jc_options.trust_ai then excep else
                     ExceptionMap.add_merge List.append exc [behav] excep
		 end
               else
                 safety, normal_inferred, normal, excep_inferred,
                 ExceptionMap.add_merge List.append exc [behav] excep)
      ([], [], [], ExceptionMap.empty, ExceptionMap.empty)
      behaviors
  in
  let user_excep_behaviors = excep_behaviors in
  let excep_behaviors =
    ExceptionSet.fold
      (fun exc acc ->
         if ExceptionMap.mem exc acc then acc else
           let b =
             { default_behavior with
                 jc_behavior_throws = Some exc;
		 jc_behavior_ensures = (new assertion JCAtrue); }
           in
           ExceptionMap.add
	     exc [exc.jc_exception_info_name ^ "_b", b, LTrue, LTrue] acc)
      f.jc_fun_info_effects.jc_raises
      excep_behaviors
  in

  (* Effects, parameters and locals *)

  let params = List.map snd f.jc_fun_info_parameters in

  let external_write_effects =
    write_effects
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
  in
  let external_read_effects =
    read_effects
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
  in
  let external_write_params =
    write_parameters
      ~type_safe:true
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
  in
  let internal_write_params =
    write_parameters
      ~type_safe:false
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
  in
  let external_read_params =
    read_parameters
      ~type_safe:true
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
      ~already_used:(List.map fst external_write_params)
  in
  let internal_read_params =
    read_parameters
      ~type_safe:false
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
      ~already_used:(List.map fst internal_write_params)
  in
  let internal_write_locals =
    write_locals
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
  in
  let internal_read_locals =
    read_locals
      ~callee_reads:f.jc_fun_info_effects.jc_reads
      ~callee_writes:f.jc_fun_info_effects.jc_writes
      ~region_list:f.jc_fun_info_param_regions
      ~params
  in
  let define_locals e' =
    define_locals ~reads:internal_read_locals ~writes:internal_write_locals e'
  in

  (* Postcondition *)

  let add_modif_postcondition
      ~internal f (_id,b,internal_post,external_post) acc =
    let post = if internal then internal_post else external_post in
    make_and (f b post) acc
  in
  let add_postcondition ~internal =
    add_modif_postcondition ~internal (fun _b post -> post)
  in
  let internal_safety_post =
    List.fold_right (add_postcondition ~internal:true) safety_behavior LTrue
  in
  let external_safety_post =
    List.fold_right (add_postcondition ~internal:false) safety_behavior LTrue
  in
  let normal_post =
    List.fold_right
      (add_modif_postcondition ~internal:false assume_in_postcondition)
      normal_behaviors LTrue
  in
  let normal_post_inferred =
    List.fold_right (add_postcondition ~internal:false)
      normal_behaviors_inferred LTrue
  in
  let excep_posts =
    ExceptionMap.fold
      (fun exc bl acc ->
         let a' =
	   List.fold_right (add_postcondition ~internal:false) bl LTrue
	 in
         (exception_name exc, a') :: acc
      ) excep_behaviors []
  in
  let excep_posts_inferred =
    ExceptionMap.fold
      (fun exc bl acc ->
         let a' =
           List.fold_right
	     (add_modif_postcondition ~internal:false assume_in_postcondition)
	     bl LTrue
         in
	 (exception_name exc, a') :: acc
      ) excep_behaviors_inferred []
  in

  (* Function type *)

  let ret_type = tr_var_type f.jc_fun_info_result in
  let fparams = List.map snd f.jc_fun_info_parameters in
  let param_normal_post =
    if is_purely_exceptional_fun spec then LFalse else
      make_and_list [external_safety_post; normal_post; normal_post_inferred]
  in
  let param_excep_posts = excep_posts @ excep_posts_inferred in
  let acc =
    let annot_type = (* function declaration with precondition *)
      Annot_type(external_requires, ret_type,
                 external_read_effects, external_write_effects,
		 param_normal_post, param_excep_posts)
    in
    let fun_type =
      annot_fun_parameters fparams
	external_write_params external_read_params annot_type
    in
    let newid = f.jc_fun_info_final_name ^ "_requires" in
    Hashtbl.add function_prototypes newid fun_type;
    Param(false, id_no_loc newid, fun_type) :: acc
  in
  let acc = (* function declaration without precondition *)
    let annot_type =
      Annot_type(LTrue, ret_type,
                 external_read_effects, external_write_effects,
		 param_normal_post, param_excep_posts)
    in
    let fun_type =
      annot_fun_parameters fparams
	external_write_params external_read_params annot_type
    in
    let newid = f.jc_fun_info_final_name in
    Hashtbl.add function_prototypes newid fun_type;
    Param(false, id_no_loc newid, fun_type) :: acc
  in


  (* restore assigned status for parameters assigned in the body *)

  List.iter
    (fun v -> v.jc_var_info_assigned <- true)
    assigned_params;

  (* Function body *)

  match body with
    | None -> acc (* function was only declared *)
    | Some body ->
        if Jc_options.verify <> [] &&
          not (List.mem f.jc_fun_info_name Jc_options.verify)
        then
          acc (* function is not in the list of functions to verify *)
        else
          let () =
	    printf "Generating Why function %s@." f.jc_fun_info_final_name
	  in

	  (* parameters *)
	  let params =
	    fun_parameters ~type_safe:false fparams
	      internal_write_params internal_read_params
	  in

	  let wrap_body f spec bname body =
	    (* rename formals after parameters are computed and before body
	       is treated *)
	    let list_of_refs =
	      List.fold_right
		(fun id bl ->
		   if id.jc_var_info_assigned
		   then
		     let n = id.jc_var_info_final_name in
		     let newn = "mutable_" ^ n in
		     id.jc_var_info_final_name <- newn;
		     (newn, n) :: bl
		   else bl)
		fparams []
	    in
            let body = function_body f spec bname body in
	    let body =
	      if !Jc_options.inv_sem = InvOwnership then
		append (assume_all_invariants fparams) body
	      else body
	    in
	    let body = define_locals body in
	    let body = match f.jc_fun_info_result.jc_var_info_type with
	      | JCTnative Tunit ->
		  mk_expr (Try(append body (mk_expr (Raise(jessie_return_exception,None))),
		               jessie_return_exception, None, void))
	      | _ ->
                  let result = f.jc_fun_info_result in
		  let e' = any_value
                    result.jc_var_info_region result.jc_var_info_type in
		  mk_expr (Let_ref(jessie_return_variable, e',
			           mk_expr (Try(append body (mk_expr Absurd),
			                        jessie_return_exception, None,
			                        mk_expr (Deref jessie_return_variable)))))
	    in
	    let body = make_label "init" body in
	    let body =
	      List.fold_right
		(fun (mut_id,id) e' ->
                   mk_expr (Let_ref(mut_id, plain_var id, e')))
		list_of_refs body
	    in
	    (* FS#393: restore parameter real names *)
	    List.iter
	      (fun v ->
		 let n = v.jc_var_info_final_name in
		 if List.mem_assoc n list_of_refs then
		   v.jc_var_info_final_name <- List.assoc n list_of_refs
	      ) fparams;
	    body
	  in

          (* safety behavior *)
	  let acc =
	    if Jc_options.verify_behavior "safety" ||
               Jc_options.verify_behavior "variant" then
              let behav = if Jc_options.verify_behavior "safety"
                then "safety" else "variant" in
              let safety_body = wrap_body f spec behav body in
              let newid = f.jc_fun_info_name ^ "_safety" in
              reg_decl
		~out_mark:newid
		~in_mark:f.jc_fun_info_name
		~name:("function " ^ f.jc_fun_info_name)
		~beh:"Safety"
		funpos;
              if is_purely_exceptional_fun spec then acc else
		if Jc_options.verify_invariants_only then acc else
                  Def(
                    id_no_loc newid,
                    !Jc_options.termination_policy <> TPalways,
                    (* false = we require termination proofs *)
                    mk_expr (Fun(
                      params,
                      internal_requires,
                      safety_body,
                      internal_safety_post,
                      excep_posts_for_others None excep_behaviors)))
		  :: acc
	    else acc
	  in

          (* normal behaviors *)
          let acc =
            List.fold_right
              (fun (id,b,internal_post,_) acc ->
		 if Jc_options.verify_behavior id then
                   let normal_body = wrap_body f spec id body in
                   let newid = f.jc_fun_info_name ^ "_ensures_" ^ id in
                   let beh =
                     if id="default" then "default behavior" else
		       "Behavior `"^id^"'"
                   in
                   reg_decl
                     ~out_mark:newid
                     ~in_mark:f.jc_fun_info_name
                     ~name:("function " ^ f.jc_fun_info_name)
                     ~beh
                     funpos;
                   Def(
                     id_no_loc newid,
                     true, (* we do not require termination *)
                     mk_expr (Fun(
		       params,
		       assume_in_precondition b internal_requires,
		       normal_body,
		       internal_post,
		       excep_posts_for_others None excep_behaviors)))
		   :: acc
		 else acc
              ) normal_behaviors acc
          in

          (* exceptional behaviors *)
          let acc =
            ExceptionMap.fold
              (fun exc bl acc ->
                 List.fold_right
                   (fun (id,b,internal_post,_) acc ->
		      if Jc_options.verify_behavior id then
			let except_body = wrap_body f spec id body in
                        let newid = f.jc_fun_info_name ^ "_exsures_" ^ id in
                        reg_decl
                          ~out_mark:newid
                          ~in_mark:f.jc_fun_info_name
                          ~name:("function " ^ f.jc_fun_info_name)
                          ~beh:("Behavior `" ^ id ^ "'")
                          funpos;
                        Def(id_no_loc newid,
                            true, (* we do not require termination *)
                            mk_expr (Fun(
			      params,
			      assume_in_precondition b internal_requires,
			      except_body,
			      LTrue,
			      (exception_name exc, internal_post) ::
                                excep_posts_for_others (Some exc)
				excep_behaviors)))
                        :: acc
		      else acc
		   ) bl acc
	      ) user_excep_behaviors acc
          in
          acc

let tr_fun f funpos spec body acc =
  set_current_function f;
  let acc = tr_fun f funpos spec body acc in
  reset_current_function ();
  acc

let tr_specialized_fun n fname param_name_assoc acc =

  let rec modif_why_type = function
    | Prod_type(n,t1,t2) ->
	if StringMap.mem n param_name_assoc then
	  modif_why_type t2
	else Prod_type(n,t1,modif_why_type t2)
    | Base_type b -> Base_type b
    | Ref_type(t) -> Ref_type (modif_why_type t)
    | Annot_type (pre,t,reads,writes,post,signals) ->
	Annot_type (modif_assertion pre, modif_why_type t,
		    modif_namelist reads,
		    modif_namelist writes,
		    modif_assertion post,
		    List.map (fun (x,a) -> (x,modif_assertion a)) signals)

  and modif_assertion a =
    match a with
      | LTrue
      | LFalse -> a
      | LAnd(a1,a2) -> LAnd(modif_assertion a1,modif_assertion a2)
      | LOr(a1,a2) -> LOr(modif_assertion a1,modif_assertion a2)
      | LIff(a1,a2) -> LIff(modif_assertion a1,modif_assertion a2)
      | LNot(a1) -> LNot(modif_assertion a1)
      | LImpl(a1,a2) -> LImpl(modif_assertion a1,modif_assertion a2)
      | LIf(t,a1,a2) -> LIf(modif_term t,modif_assertion a1,modif_assertion a2)
      | LLet(id,t,a) -> LLet(id,modif_term t,modif_assertion a)
      | LForall(id,t,trigs,a) -> LForall(id,t,triggers trigs,modif_assertion a)
      | LExists(id,t,trigs,a) -> LExists(id,t,triggers trigs,modif_assertion a)
      | LPred(id,l) -> LPred(id,List.map modif_term l)
      | LNamed (n, a) -> LNamed (n, modif_assertion a)

  and triggers trigs =
    let pat = function
      | LPatT t -> LPatT (modif_term t)
      | LPatP a -> LPatP (modif_assertion a) in
    List.map (List.map pat) trigs

  and modif_term t =
    match t with
      | LConst(_c) -> t
      | LApp(id,l) -> LApp(id,List.map modif_term l)
      | LVar(id) ->
	  let id = StringMap.find_or_default id id param_name_assoc in
	  LVar id
      | LDeref(id) ->
	  let id = StringMap.find_or_default id id param_name_assoc in
	  LDeref id
      | LDerefAtLabel(id,l) ->
	  let id = StringMap.find_or_default id id param_name_assoc in
	  LDerefAtLabel(id,l)
      | Tnamed(n,t) -> Tnamed(n,modif_term t)
      | TIf(t1,t2,t3) ->
	  TIf(modif_term t1,modif_term t2,modif_term t3)
      | TLet(id,t1,t2) ->
	  let id = StringMap.find_or_default id id param_name_assoc in
	  TLet(id,modif_term t1,modif_term t2)

  and modif_namelist names =
    fst (List.fold_right
	   (fun id (acc,set) ->
	      let id = StringMap.find_or_default id id param_name_assoc in
	      id :: acc, StringSet.add id set
	   ) names ([],StringSet.empty))
  in

  let fun_type = Hashtbl.find function_prototypes fname in
  let new_fun_type = modif_why_type fun_type in
  Param(false, id_no_loc n, new_fun_type) :: acc


(******************************************************************************)
(*                               Logic entities                               *)
(******************************************************************************)

let tr_logic_type (id,l) acc = Type(id_no_loc id,List.map Jc_type_var.name l) :: acc


let tr_exception ei acc =
  Jc_options.lprintf "producing exception '%s'@." ei.jc_exception_info_name;
  let typ = match ei.jc_exception_info_type with
    | Some tei -> Some (tr_base_type tei)
    | None -> None
  in
  Exception(id_no_loc (exception_name ei), typ) :: acc

(* let tr_native_type nty acc = *)
(*   let lt = tr_base_type (JCTnative nty) in *)
(*   Logic(false,logic_bitvector_of_native nty,["",lt],bitvector_type) *)
(*   :: Logic(false,logic_native_of_bitvector nty,["",bitvector_type],lt) *)
(*   :: Axiom((logic_native_of_bitvector nty)^"_of_"^(logic_bitvector_of_native nty), *)
(* 	   LForall("x",lt, *)
(* 		   LPred(equality_op_for_type (JCTnative nty), *)
(*                          [LApp(logic_native_of_bitvector nty, *)
(*                                [LApp(logic_bitvector_of_native nty,  *)
(*                                      [LVar "x"])]); *)
(*                           LVar "x"]))) *)
(*   :: Axiom((logic_bitvector_of_native nty)^"_of_"^(logic_native_of_bitvector nty), *)
(* 	   LForall("x",bitvector_type, *)
(* 		   LPred("eq", (\* TODO: equality for bitvectors ? *\) *)
(*                          [LApp(logic_bitvector_of_native nty, *)
(*                                [LApp(logic_native_of_bitvector nty,  *)
(*                                      [LVar "x"])]); *)
(*                           LVar "x"]))) *)
(*   :: acc *)

let range_of_enum ri =
  Num.add_num (Num.sub_num ri.jc_enum_info_max ri.jc_enum_info_min) (Num.Int 1)

let tr_enum_type ri (* to_int of_int *) acc =
  let name = ri.jc_enum_info_name in
  let min = Num.string_of_num ri.jc_enum_info_min in
  let max = Num.string_of_num ri.jc_enum_info_max in
  let width = Num.string_of_num (range_of_enum ri) in
  let lt = simple_logic_type name in
  let in_bounds x =
    LAnd(LPred("le_int",[LConst(Prim_int min); x]),
         LPred("le_int",[x; LConst(Prim_int max)]))
  in
  let safe_of_int_type =
    let post =
      LPred("eq_int",
            [LApp(logic_int_of_enum ri,[LVar "result"]);
             if !Jc_options.int_model = IMbounded then LVar "x"
             else LApp(mod_of_enum ri,[LVar "x"])])
    in
    Prod_type("x", Base_type(why_integer_type),
              Annot_type(LTrue,
                         Base_type lt,
                         [],[],post,[]))
  in
  let of_int_type =
    let pre =
      if !Jc_options.int_model = IMbounded then in_bounds (LVar "x") else LTrue
    in
    let post =
      LPred("eq_int",
            [LApp(logic_int_of_enum ri,[LVar "result"]);
             if !Jc_options.int_model = IMbounded then LVar "x"
             else LApp(mod_of_enum ri,[LVar "x"])])
    in
    Prod_type("x", Base_type(why_integer_type),
              Annot_type(pre,Base_type lt,[],[],post,[]))
  in
  let any_type =
    Prod_type("", Base_type(simple_logic_type "unit"),
              Annot_type(LTrue,Base_type lt,[],[],LTrue,[]))
  in
  let bv_conv =
    if !Region.some_bitwise_region then
      [Logic(false,id_no_loc (logic_bitvector_of_enum ri),
	     ["",lt],bitvector_type) ;
       Logic(false,id_no_loc (logic_enum_of_bitvector ri),
	     ["",bitvector_type],lt) ;
       Goal(KAxiom,id_no_loc ((logic_enum_of_bitvector ri)^"_of_"^
				(logic_bitvector_of_enum ri)),
	    LForall("x",lt, [],
		    LPred(equality_op_for_type (JCTenum ri),
                         [LApp(logic_enum_of_bitvector ri,
                               [LApp(logic_bitvector_of_enum ri,
                                     [LVar "x"])]);
                          LVar "x"])));
       Goal(KAxiom,id_no_loc ((logic_bitvector_of_enum ri)^"_of_"^
				(logic_enum_of_bitvector ri)),
	   LForall("x",bitvector_type, [],
		   LPred("eq", (* TODO: equality for bitvectors ? *)
                         [LApp(logic_bitvector_of_enum ri,
                               [LApp(logic_enum_of_bitvector ri,
                                     [LVar "x"])]);
                          LVar "x"]))) ]
    else []
  in
  Type(id_no_loc name,[])
  :: Logic(false,id_no_loc (logic_int_of_enum ri),
           [("",lt)],why_integer_type)
  :: Logic(false,id_no_loc (logic_enum_of_int ri),
           [("",why_integer_type)],lt)
  :: Predicate(false,id_no_loc (eq_of_enum ri),[("x",lt);("y",lt)],
               LPred("eq_int",[LApp(logic_int_of_enum ri,[LVar "x"]);
                               LApp(logic_int_of_enum ri,[LVar "y"])]))
  :: (if !Jc_options.int_model = IMmodulo then
        let width = LConst (Prim_int width) in
        let fmod t = LApp (mod_of_enum ri, [t]) in
        [Logic (false, id_no_loc (mod_of_enum ri),
                ["x", simple_logic_type "int"], simple_logic_type "int");
         Goal(KAxiom,id_no_loc (name ^ "_mod_def"),
                LForall ("x", simple_logic_type "int", [],
                         LPred ("eq_int", [LApp (mod_of_enum ri, [LVar "x"]);
                                           LApp (logic_int_of_enum ri,
                                                 [LApp (logic_enum_of_int ri,
                                                        [LVar "x"])])])));
         Goal(KAxiom,id_no_loc (name ^ "_mod_lb"),
                LForall ("x", simple_logic_type "int", [],
                         LPred ("ge_int", [LApp (mod_of_enum ri, [LVar "x"]);
                                           LConst (Prim_int min)])));
         Goal(KAxiom,id_no_loc (name ^ "_mod_gb"),
                LForall ("x", simple_logic_type "int", [],
                         LPred ("le_int", [LApp (mod_of_enum ri, [LVar "x"]);
                                           LConst (Prim_int max)])));
         Goal(KAxiom,id_no_loc (name ^ "_mod_id"),
                LForall ("x", simple_logic_type "int", [],
                         LImpl (in_bounds (LVar "x"),
                                LPred ("eq_int", [LApp (mod_of_enum ri,
                                                        [LVar "x"]);
                                                  LVar "x"]))));
         Goal(KAxiom,id_no_loc (name ^ "_mod_lt"),
                LForall ("x", simple_logic_type "int", [],
                         LImpl (LPred ("lt_int", [LVar "x";
                                                  LConst (Prim_int min)]),
                                LPred ("eq_int", [fmod (LVar "x");
                                                  fmod (LApp ("add_int",
                                                              [LVar "x";
                                                               width]))]))));
         Goal(KAxiom,id_no_loc (name ^ "_mod_gt"),
                LForall ("x", simple_logic_type "int", [],
                         LImpl (LPred ("gt_int", [LVar "x";
                                                  LConst (Prim_int max)]),
                                LPred ("eq_int", [fmod (LVar "x");
                                                  fmod (LApp ("sub_int",
                                                              [LVar "x";
                                                               width]))]))));
        ]
      else [])
  @ Param(false,id_no_loc (fun_enum_of_int ri),of_int_type)
  :: Param(false,id_no_loc (safe_fun_enum_of_int ri),safe_of_int_type)
  :: Param(false,id_no_loc (fun_any_enum ri),any_type)
  :: Goal(KAxiom,id_no_loc (name^"_range"),
           LForall("x",lt, [],in_bounds
                     (LApp(logic_int_of_enum ri,[LVar "x"]))))
  :: Goal(KAxiom,id_no_loc (name^"_coerce"),
           LForall("x",why_integer_type, [],
                   LImpl(in_bounds (LVar "x"),
                         LPred("eq_int",
                               [LApp(logic_int_of_enum ri,
                                     [LApp(logic_enum_of_int ri,
                                           [LVar "x"])]) ;
                                LVar "x"]))))
(*
  :: Goal(KAxiom,id_no_loc (name^"_extensionality"),
           LForall("x",lt, [],
           LForall("y",lt, [ (* [LPatP(LPred(eq_of_enum ri,
                                         [LVar "x"; LVar "y"]))] *) ],
                   LImpl(LPred(eq_of_enum ri,[LVar "x"; LVar "y"]),
                         LPred("eq",[LVar "x"; LVar "y"])
                         ))))
*)
  :: Goal(KAxiom,id_no_loc (name^"_extensionality"),
           LForall("x",lt, [],
           LForall("y",lt, [ [LPatP(LPred("eq_int",
                               [LApp(logic_int_of_enum ri, [LVar "x"]);
                                LApp(logic_int_of_enum ri, [LVar "y"])]))] ],
                   LImpl(LPred("eq_int",
                               [LApp(logic_int_of_enum ri, [LVar "x"]);
                                LApp(logic_int_of_enum ri, [LVar "y"])]),
                         LPred("eq",[LVar "x"; LVar "y"])
                         ))))
  :: bv_conv
  @ acc

let tr_enum_type_pair ri1 ri2 acc =
  (* Information from first enum *)
  let name1 = ri1.jc_enum_info_name in
  let min1 = ri1.jc_enum_info_min in
  let max1 = ri1.jc_enum_info_max in
  (* Information from second enum *)
  let name2 = ri2.jc_enum_info_name in
  let min2 = ri2.jc_enum_info_min in
  let max2 = ri2.jc_enum_info_max in
  if not (!Jc_options.int_model = IMmodulo) then acc else
    if max1 </ min2 || max2 </ min1 then acc else
      (* Compute intersection of ranges *)
      let min = if min1 <=/ min2 && min2 <=/ max1 then min2 else min1 in
      let max = if min1 <=/ max2 && max2 <=/ max1 then max2 else max1 in
      let in_bounds x =
        LAnd(LPred("le_int",[LConst(Prim_int (Num.string_of_num min)); x]),
             LPred("le_int",[x; LConst(Prim_int (Num.string_of_num max))]))
      in
      (* Integer model is modulo and enum ranges intersect. Produce useful
       * axioms that relate both modulos when they coincide.
       *)
      let range1 = range_of_enum ri1 in
      let range2 = range_of_enum ri2 in
      let mod_coincide smallri bigri smallname bigname =
        (* When modulo the big range is in the intersection of the ranges,
         * both modulos coincide.
         *)
        let modsmall = LApp(mod_of_enum smallri,[LVar "x"]) in
        let modbig = LApp(mod_of_enum bigri,[LVar "x"]) in
        Goal(KAxiom,id_no_loc (smallname ^ "_" ^ bigname ^ "_mod_coincide"),
              LForall("x",why_integer_type, [],
                      LImpl(in_bounds modbig,
                            LPred("eq_int",[modsmall;modbig]))))
      in
      if range1 </ range2 then
        mod_coincide ri1 ri2 name1 name2 :: acc
      else if range2 </ range1 then
        mod_coincide ri2 ri1 name2 name1 :: acc
      else
        mod_coincide ri1 ri2 name1 name2
        :: mod_coincide ri2 ri1 name2 name1 :: acc

let tr_variable vi _e acc =
  if vi.jc_var_info_assigned then
    let t = Ref_type(tr_var_type vi) in
      Param(false,id_no_loc vi.jc_var_info_final_name,t)::acc
  else
    let t = tr_base_type vi.jc_var_info_type in
      Logic(false,id_no_loc vi.jc_var_info_final_name,[],t)::acc

let tr_region r acc =
  Type(id_no_loc r.jc_reg_final_name,[]) :: acc

let tr_memory (mc,r) acc =
  Param(
    false,id_no_loc (memory_name(mc,r)),
    Ref_type(Base_type(memory_type mc))) :: acc

let tr_alloc_table (pc,r) acc =
  Param(
    false,id_no_loc (alloc_table_name(pc,r)),
    Ref_type(Base_type(alloc_table_type pc))) :: acc

let tr_tag_table (rt,r) acc =
  Param(
    false,id_no_loc (tag_table_name(rt,r)),
    Ref_type(Base_type(tag_table_type rt))) :: acc


(******************************************************************************)
(*                                  Roots                                     *)
(******************************************************************************)

let tr_root rt acc =
  let pc = JCroot rt in
  let ac = alloc_class_of_pointer_class pc in
  let acc =
    if root_is_union rt then
      (* Declarations of field memories. *)
      let acc =
	if root_is_plain_union rt && !Jc_options.separation_sem = SepRegions
        then acc
        else
            let mem = bitvector_type in
            Param(false,id_no_loc (union_memory_name rt),
		  Ref_type(Base_type mem)) :: acc
      in
      let in_param = false in
	(* Validity parameters *)
	make_valid_pred ~in_param ~equal:true ac pc
	:: make_valid_pred ~in_param ~equal:false ac pc
	:: make_valid_pred ~in_param ~equal:false ~right:false ac pc
	:: make_valid_pred ~in_param ~equal:false ~left:false ac pc
(*
        :: make_valid_pred ~in_param ~equal:false (* TODO ? *) JCalloc_bitvector pc
*)
	  (* Allocation parameter *)
	:: make_alloc_param ~check_size:true ac pc
	:: make_alloc_param ~check_size:false ac pc
(*
	:: make_alloc_param ~check_size:true JCalloc_bitvector pc
	:: make_alloc_param ~check_size:false JCalloc_bitvector pc
*)
	:: acc
    else
      make_valid_pred ~in_param:false ~equal:true ac pc
      :: make_valid_pred ~in_param:false ~equal:false ac pc
      :: acc
  in
  let of_ptr_addr =
    Logic(false, id_no_loc (of_pointer_address_name rt),
	  [ ("",raw_pointer_type why_unit_type) ], pointer_type ac pc)
  in
  let addr_axiom =
    let p = "p" in
    Goal(KAxiom,id_no_loc ("pointer_addr_of_" ^ (of_pointer_address_name rt)),
	  LForall(p, raw_pointer_type why_unit_type, [],
		  make_eq_pred (JCTpointer(pc,None,None))
		    (LVar p)
		    (LApp("pointer_address",
			  [ LApp(of_pointer_address_name rt,
				 [ LVar p ])]))))
  in
  let rev_addr_axiom =
    let p = "p" in
    Goal(KAxiom,id_no_loc ((of_pointer_address_name rt) ^ "_of_pointer_addr"),
	  LForall(p, pointer_type ac pc, [],
		  make_eq_pred (JCTpointer(pc,None,None))
		    (LVar p)
		    (LApp(of_pointer_address_name rt,
			  [ LApp("pointer_address",
				 [ LVar p ])]))))
  in
  let lt = tr_base_type (JCTpointer(pc,None,None)) in
  let conv =
    if !Region.some_bitwise_region then
    [Logic(false,id_no_loc (logic_bitvector_of_variant rt),
	   ["",lt],bitvector_type);
     Logic(false,id_no_loc (logic_variant_of_bitvector rt),
	   ["",bitvector_type],lt);
     Goal(KAxiom,id_no_loc ((logic_variant_of_bitvector rt)^"_of_"^
			      (logic_bitvector_of_variant rt)),
	   LForall("x",lt, [],
		   LPred(equality_op_for_type (JCTpointer (pc,None,None)),
                         [LApp(logic_variant_of_bitvector rt,
			       [LApp(logic_bitvector_of_variant rt,
                                     [LVar "x"])]);
                          LVar "x"])));
     Goal(KAxiom,id_no_loc ((logic_bitvector_of_variant rt)^"_of_"^
			      (logic_variant_of_bitvector rt)),
	   LForall("x",bitvector_type, [],
		   LPred("eq", (* TODO: equality for bitvectors ? *)
                         [LApp(logic_bitvector_of_variant rt,
			       [LApp(logic_variant_of_bitvector rt,
                                       [LVar "x"])]);
                          LVar "x"])))
    ]
    else
      []
  in
  let tag_table =
    Param(
      false,
      id_no_loc (variant_tag_table_name rt),
      Ref_type(
        Base_type {
          logic_type_name = tag_table_type_name;
          logic_type_args = [root_model_type rt];
        }))
  in
  let alloc_table =
    Param(
      false,
      id_no_loc (variant_alloc_table_name rt),
      Ref_type(
        Base_type {
          logic_type_name = alloc_table_type_name;
          logic_type_args = [root_model_type rt];
        }))
  in
  let type_def = Type(id_no_loc (root_type_name rt), []) in
  (* Axiom: the variant can only have the given tags *)
  let axiom_variant_has_tag =
    let v = "x" in
    let tag_table = generic_tag_table_name rt in
    Goal(KAxiom,
      id_no_loc (variant_axiom_on_tags_name rt),
      LForall(
        v,
        pointer_type ac pc, [],
        LForall(
          tag_table,
          tag_table_type rt, [],
          make_or_list
            (List.map
               (make_instanceof (LVar tag_table) (LVar v))
               rt.jc_root_info_hroots)
      )))
  in
  (* Axioms: int_of_tag(T1) = 1, ... *)
  let (acc, _) = List.fold_left
    (fun (acc, index) st ->
       let axiom =
         Goal(KAxiom,
           id_no_loc (axiom_int_of_tag_name st),
           make_eq
             (make_int_of_tag st)
             (LConst(Prim_int(string_of_int index)))
         )
       in axiom::acc, index+1)
    (acc, 1)
    rt.jc_root_info_hroots
  in
  let acc =
    type_def::alloc_table::tag_table::axiom_variant_has_tag
    :: of_ptr_addr :: addr_axiom :: rev_addr_axiom
    :: conv @ acc
  in
  acc

(*
  Local Variables:
  compile-command: "unset LANG; make -j -C .. bin/jessie.byte"
  End:
*)
�������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_parser.mly���������������������������������������������������������������������������0000644�0001750�0001750�00000074120�12311670312�013710� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/**************************************************************************/
/*                                                                        */
/*  The Why platform for program certification                            */
/*                                                                        */
/*  Copyright (C) 2002-2014                                               */
/*                                                                        */
/*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   */
/*    Claude MARCHE, INRIA & Univ. Paris-sud                              */
/*    Yannick MOY, Univ. Paris-sud                                        */
/*    Romain BARDOU, Univ. Paris-sud                                      */
/*                                                                        */
/*  Secondary contributors:                                               */
/*                                                                        */
/*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        */
/*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             */
/*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           */
/*    Sylvie BOLDO, INRIA              (floating-point support)           */
/*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     */
/*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          */
/*                                                                        */
/*  This software is free software; you can redistribute it and/or        */
/*  modify it under the terms of the GNU Lesser General Public            */
/*  License version 2.1, with the special exception on linking            */
/*  described in file LICENSE.                                            */
/*                                                                        */
/*  This software is distributed in the hope that it will be useful,      */
/*  but WITHOUT ANY WARRANTY; without even the implied warranty of        */
/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  */
/*                                                                        */
/**************************************************************************/

/* $Id: jc_parser.mly,v 1.140 2010-02-11 08:05:24 marche Exp $ */

%{

  open Format
  open Jc_env
  open Jc_ast
  open Jc_pervasives
  open Parsing
  open Error
  open Jc_constructors

  let pos () = (symbol_start_pos (), symbol_end_pos ())
  let pos_i i = (rhs_start_pos i, rhs_end_pos i)

  let locate n = new node_positioned ~pos:(pos ()) n
  let locate_identifier n = new identifier ~pos:(pos ()) n

  let skip = locate (JCPEconst JCCvoid)

  let label s = match s with
    | "Pre" -> LabelPre
    | "Old" -> LabelOld
    | "Here" -> LabelHere
    | "Post" -> LabelPost
    | _ -> 
	LabelName { 
	  label_info_name = s; 
	  label_info_final_name = s;
	  times_used = 0;
	}

  let lparams =
    List.map
      (fun (v,t,x) ->
	 if v then (t,x) else
	   Jc_options.parsing_error
	     Loc.dummy_position
	     "logic params cannot not be in invalid state")
%}

%token <string> IDENTIFIER
%token <Jc_ast.const> CONSTANT
%token <string> STRING_LITERAL 
%token NULL

/* ( ) () { } [ ] .. ... */
%token LPAR RPAR LPARRPAR LBRACE RBRACE LSQUARE RSQUARE DOTDOT DOTDOTDOT

/* ; ;; , : . ? */
%token SEMICOLON SEMISEMI COMMA COLON DOT QUESTION

/* - -- + ++ * / % */
%token MINUS MINUSMINUS PLUS PLUSPLUS STAR SLASH PERCENT
 
/* = <= >= > < == != <: :> */
%token EQ LTEQ GTEQ GT LT EQEQ BANGEQ LTCOLON COLONGT

/* += -= *= /= %= */
%token PLUSEQ MINUSEQ STAREQ SLASHEQ PERCENTEQ

/* && || => <=> ! */
%token AMPAMP BARBAR EQEQGT LTEQEQGT EXCLAM

/* if then else return while break for fo break continue case switch default goto */
%token IF THEN ELSE RETURN WHILE FOR DO BREAK CONTINUE CASE SWITCH DEFAULT GOTO LOOP

/* exception of throw try catch finally new free let in var */
%token EXCEPTION OF THROW TRY CATCH FINALLY NEW FREE LET IN VAR

/* pack unpack assert */
%token ABSTRACT PACK UNPACK ASSERT ASSUME HINT CHECK

/* type invariant logic axiomatic with variant and axiom tag */
%token TYPE INVARIANT LOGIC PREDICATE AXIOMATIC WITH VARIANT 
%token AND AXIOM LEMMA TAG

/* integer boolean real double unit void rep */
%token INTEGER BOOLEAN REAL DOUBLE FLOAT UNIT REP

/* assigns allocates assumes behavior ensures requires decreases throws reads */
%token ASSIGNS ALLOCATES ASSUMES BEHAVIOR ENSURES REQUIRES DECREASES THROWS READS

/* \forall \exists \offset_max \offset_min \address \old \result \mutable \typeof \bottom \typeeq \absolute_address */
%token BSFORALL BSEXISTS BSOFFSET_MAX BSOFFSET_MIN BSADDRESS BSOLD BSAT BSFRESH
%token BSRESULT BSMUTABLE BSTYPEOF BSBOTTOM BSTYPEEQ BSABSOLUTE_ADDRESS
%token BSBASE_BLOCK

/* \nothing */
%token BSNOTHING

/* as _ match -> end */
%token AS UNDERSCORE MATCH MINUSGT END

/* & ~ ^ | << >> >>> */
%token AMP TILDE HAT PIPE LSHIFT LRSHIFT ARSHIFT
/* | with greater priority */
%token ALT

/* |= &= ^= */
%token BAREQ AMPEQ CARETEQ

/* @ (string concat) */
%token AT

%token PRAGMA_GEN_SEP PRAGMA_GEN_FRAME PRAGMA_GEN_SUB  PRAGMA_GEN_SAME

%token EOF
%type <Jc_ast.pexpr Jc_ast.decl list> file
%start file

/* precedences on expressions (from lowest to highest) */

%nonassoc PRECLOOPANNOT
%nonassoc FOR

%nonassoc PRECIF THEN
%nonassoc ELSE

%nonassoc PRECTRY
%nonassoc FINALLY

%nonassoc PRECLOGIC
%nonassoc EQ

%nonassoc PRECTYPE
/* and */
%right AND

/* precedences on expressions  */

%nonassoc RETURN ASSERT ASSUME THROW HINT precwhile CHECK
%nonassoc COLON
%nonassoc PRECFORALL 
/* <=> */
%right LTEQEQGT
/* => */
%right EQEQGT 
%left QUESTION ASSIGNOP
%left BARBAR
%left AMPAMP
%left PIPE
%left pipe_trigger
%left ALT
%left AS
%left HAT
%left AMP
%left LT GT LTEQ GTEQ EQEQ BANGEQ LTCOLON COLONGT
%nonassoc DOTDOT
/* unary -, unary +, ++, --, ! ~ */
%nonassoc UMINUS UPLUS PLUSPLUS MINUSMINUS EXCLAM TILDE
/* . */
%nonassoc DOT



%%

/****************************************/
/* a file is a sequence of declarations */
/****************************************/

file: 
| decl file 
    { $1::$2 }
| tag_and_type_decl file
    { let tag, ty = $1 in tag::ty::$2 }
| EOF 
    { [] }
;

decl: 
| variable_definition
    { $1 }
| function_definition
    { $1 }
| tag_definition
    { $1 }
| type_definition
    { $1 }
/*
| axiom_definition
    { $1 }
*/
| global_invariant_definition
    { $1 }
| exception_definition
    { $1 }
| logic_definition
    { $1 }
| pragma_gen_sep 
    { $1 }
/*
| error
    { Jc_options.parsing_error (pos ()) "'type' or type expression expected" }
*/
;


/*******************/
/* type definition */	      
/*******************/

type_definition:
| TYPE IDENTIFIER EQ int_constant DOTDOT int_constant
    { locate (JCDenum_type($2,$4,$6)) }
/*
| LOGIC TYPE IDENTIFIER
    { locate (JCDlogic_type($3)) }
*/
| TYPE IDENTIFIER EQ LSQUARE variant_tag_list RSQUARE
    { locate (JCDvariant_type($2, $5)) }
| TYPE IDENTIFIER EQ LSQUARE union_tag_list RSQUARE
    { locate (JCDunion_type($2,false,$5)) }
| TYPE IDENTIFIER EQ LSQUARE discr_union_tag_list RSQUARE
    { locate (JCDunion_type($2,true,$5)) }
;

int_constant:
| CONSTANT 
    { num_of_constant (pos_i 1)$1 }
| MINUS CONSTANT
    { Num.minus_num (num_of_constant (pos_i 2) $2) }
;

variant_tag_list:
| identifier PIPE variant_tag_list
    { $1::$3 }
| identifier
    { [ $1 ] }
;

union_tag_list:
| identifier AMP union_tag_list
    { $1::$3 }
| identifier AMP identifier
    { [ $1; $3 ] }
;

discr_union_tag_list:
| identifier HAT discr_union_tag_list
    { $1::$3 }
| identifier HAT identifier
    { [ $1; $3 ] }
;

/******************/
/* tag definition */
/******************/

tag_definition:
| TAG IDENTIFIER LT type_parameter_names GT EQ
    extends LBRACE field_declaration_list RBRACE
    { let (f,i) = $9 in locate (JCDtag($2,$4,$7,f,i)) }
| TAG IDENTIFIER EQ
    extends LBRACE field_declaration_list RBRACE
    { let (f,i) = $6 in locate (JCDtag($2,[],$4,f,i)) }
;

type_parameter_names:
| IDENTIFIER COMMA type_parameter_names
    { $1::$3 }
| IDENTIFIER
    { [$1] }
;

extends:
| /* epsilon */
    { None }
| IDENTIFIER WITH
    { Some($1, []) }
| IDENTIFIER LT type_parameters GT WITH
    { Some($1, $3) }
;

field_declaration_list:
| /* epsilon */
    { ([],[]) }
| field_declaration field_declaration_list
    { let (f,i) = $2 in ($1::f,i) }
| invariant field_declaration_list
    { let (f,i) = $2 in (f,$1::i) }
;

field_declaration:
| field_modifier type_expr IDENTIFIER SEMICOLON
    { ($1, $2, $3, None) }
| field_modifier type_expr IDENTIFIER COLON int_constant SEMICOLON
    { ($1, $2, $3, Some (Num.int_of_num $5)) }
;

field_modifier:
| /* epsilon */
    { (false,false) }
| REP
    { (true,false) }
| ABSTRACT
    { (true,true) }
;        

invariant:
| INVARIANT identifier LPAR IDENTIFIER RPAR EQ expression SEMICOLON
    { ($2,$4,$7) }
;

/********************************/
/* tag and type syntactic suger */
/********************************/

tag_and_type_decl:
| TYPE IDENTIFIER EQ extends LBRACE field_declaration_list RBRACE
    { let (f,i) = $6 in
      let id = locate_identifier $2 in
      locate (JCDtag($2, [], $4, f, i)),
      locate (JCDvariant_type($2, [id])) }
| TYPE IDENTIFIER LT type_parameter_names GT EQ
    extends LBRACE field_declaration_list RBRACE
    { let (f,i) = $9 in
      let id = locate_identifier $2 in
      locate (JCDtag($2, $4, $7, f, i)),
      locate (JCDvariant_type($2, [id])) }
;

/***********************/
/* Function definition */
/***********************/


parameters:
| LPARRPAR
    { [] }
| LPAR RPAR
    { [] }
| LPAR parameter_comma_list RPAR
    { $2 } 
;

parameter_comma_list: 
| parameter_declaration 
    { [$1] }
| parameter_declaration COMMA parameter_comma_list 
    { $1 :: $3 }
;

parameter_declaration:
| type_expr IDENTIFIER
    { (true,$1,$2) }
| EXCLAM type_expr IDENTIFIER
    { (false,$2,$3) }
;


type_expr:
| INTEGER
    { locate (JCPTnative Tinteger) }
| BOOLEAN
    { locate (JCPTnative Tboolean) }
| REAL
    { locate (JCPTnative Treal) }
| DOUBLE
    { locate (JCPTnative (Tgenfloat `Double)) }
| FLOAT
    { locate (JCPTnative (Tgenfloat `Float)) }
| UNIT
    { locate (JCPTnative Tunit) }
| IDENTIFIER 
    { locate (JCPTidentifier ($1,[])) }
| IDENTIFIER  LT type_parameters GT
    { locate (JCPTidentifier ($1,$3)) }
| IDENTIFIER LSQUARE DOTDOT RSQUARE
    { locate (JCPTpointer($1,[],None,None)) }
| IDENTIFIER LSQUARE int_constant RSQUARE
    { let n = $3 in
      locate (JCPTpointer($1,[],Some n,Some n)) }
| IDENTIFIER LSQUARE int_constant DOTDOT RSQUARE
    { let n = $3 in
      locate (JCPTpointer($1,[],Some n,None)) }
| IDENTIFIER LSQUARE int_constant DOTDOT int_constant RSQUARE
    { let n, m = $3, $5 in
      locate (JCPTpointer($1,[],Some n,Some m)) }
| IDENTIFIER LSQUARE DOTDOT int_constant RSQUARE
    { let m = $4 in
      locate (JCPTpointer($1,[],None,Some m)) }

| IDENTIFIER LT type_parameters GT LSQUARE DOTDOT RSQUARE
    { locate (JCPTpointer($1,$3,None,None)) }
| IDENTIFIER LT type_parameters GT LSQUARE int_constant RSQUARE
    { let n = $6 in
      locate (JCPTpointer($1,$3,Some n,Some n)) }
| IDENTIFIER LT type_parameters GT LSQUARE int_constant DOTDOT RSQUARE
    { let n = $6 in
      locate (JCPTpointer($1,$3,Some n,None)) }
| IDENTIFIER LT type_parameters GT
    LSQUARE int_constant DOTDOT int_constant RSQUARE
    { let n, m = $6, $8 in
      locate (JCPTpointer($1,$3,Some n,Some m)) }
| IDENTIFIER LT type_parameters GT LSQUARE DOTDOT int_constant RSQUARE
    { let m = $7 in
      locate (JCPTpointer($1,$3,None,Some m)) }
;

type_parameters:
| type_expr COMMA type_parameters
    { $1::$3 }
| type_expr
    { [$1] }
;

function_specification:
| /* epsilon */ 
    { [] }
| spec_clause function_specification 
    { $1::$2 }
;

spec_clause:
| REQUIRES expression SEMICOLON
    { JCCrequires($2) }
| DECREASES expression SEMICOLON
    { JCCdecreases($2,None) }
| DECREASES expression FOR identifier SEMICOLON
    { JCCdecreases($2,Some $4) }
| behavior
  { JCCbehavior $1 }
;

behavior:
| BEHAVIOR ident_or_default COLON throws assumes requires assigns_opt
  allocates_opt ENSURES expression SEMICOLON
    { (pos_i 2,$2,$4,$5,$6,$7,$8,$10) }
;

ident_or_default:
| IDENTIFIER { $1 }
| DEFAULT { "default" }

throws:
| /* epsilon */
    { None }
| THROWS identifier SEMICOLON
    { Some $2 }
;

assumes:
| /* epsilon */
    { None }
| ASSUMES expression SEMICOLON
    { Some $2 }
;

requires:
| /* epsilon */
    { None }
| REQUIRES expression SEMICOLON
    { Some $2 }
;

assigns_opt:
| /* epsilon */
    { None }
| assigns
    { $1 }
;

assigns:
| ASSIGNS argument_expression_list SEMICOLON
    { Some(pos_i 2,$2) }
| ASSIGNS BSNOTHING SEMICOLON
    { Some (pos_i 2,[]) }
;

allocates_opt:
| /* epsilon */
    { None }
| allocates
    { $1 }
;

allocates:
| ALLOCATES argument_expression_list SEMICOLON
    { Some(pos_i 2,$2) }
| ALLOCATES BSNOTHING SEMICOLON
    { Some (pos_i 2,[]) }
;

reads:
| 
    { JCnone }
| READS argument_expression_list SEMICOLON
    { JCreads $2 }
| READS BSNOTHING SEMICOLON
    { JCreads [] }
;

function_definition: 
| type_expr identifier parameters function_specification compound_expr
    { locate (JCDfun($1, $2, $3, $4, Some $5)) }
| type_expr identifier parameters function_specification SEMICOLON
    { locate (JCDfun($1, $2, $3, $4, None)) }
;


/******************************/
/* Global variable definition */
/******************************/

variable_definition:
| type_expr IDENTIFIER EQ expression SEMICOLON
    { locate (JCDvar($1,$2,Some $4)) }
| type_expr IDENTIFIER SEMICOLON
    { locate (JCDvar($1,$2,None)) }
;

/********************/
/* global invariant */
/********************/

global_invariant_definition:
| INVARIANT IDENTIFIER COLON expression
    { locate( JCDglobal_inv($2,$4)) }
;


/*************************/
/* exception definitions */
/*************************/

exception_definition:
| EXCEPTION IDENTIFIER OF type_expr
    { locate (JCDexception($2,Some $4)) }
;


/***************/
/* expressions */
/***************/

primary_expression: 
| IDENTIFIER 
    { locate (JCPEvar $1) }
| BSRESULT
    { locate (JCPEvar "\\result") }
| CONSTANT 
    { locate (JCPEconst $1) }
| LPARRPAR 
    { locate (JCPEconst JCCvoid) }
| NULL 
    { locate (JCPEconst JCCnull) }
| STRING_LITERAL 
    { locate (JCPEconst (JCCstring $1)) }
| LPAR expression COLONGT type_expr RPAR
    { locate (JCPEcast($2, $4)) }
| LPAR expression RPAR 
    { $2 }
| LPAR IDENTIFIER COLON expression RPAR
    { locate (JCPElabel($2,$4)) }
;

postfix_expression: 
| primary_expression 
    { $1 }
| IDENTIFIER label_binders LPAR argument_expression_list_opt RPAR 
    { locate (JCPEapp($1, $2, $4)) }
| IDENTIFIER label_binders LPARRPAR 
    { locate (JCPEapp($1, $2, [])) }
| BSFRESH LPAR expression RPAR 
    { locate (JCPEfresh($3)) }
| BSOLD LPAR expression RPAR 
    { locate (JCPEold($3)) }
| BSAT LPAR expression COMMA IDENTIFIER RPAR 
    { locate (JCPEat($3,label $5)) }
| BSOFFSET_MAX LPAR expression RPAR 
    { locate (JCPEoffset(Offset_max,$3)) }
| BSOFFSET_MIN LPAR expression RPAR 
    { locate (JCPEoffset(Offset_min,$3)) }
| BSADDRESS LPAR expression RPAR 
    { locate (JCPEaddress(Addr_pointer,$3)) }
| BSABSOLUTE_ADDRESS LPAR expression RPAR 
    { locate (JCPEaddress(Addr_absolute,$3)) }
| BSBASE_BLOCK LPAR expression RPAR 
    { locate (JCPEbase_block($3)) }
| postfix_expression DOT IDENTIFIER
    { locate (JCPEderef ($1, $3)) }
| postfix_expression PLUSPLUS 
    { locate (JCPEunary (`Upostfix_inc, $1)) }
| postfix_expression MINUSMINUS
    { locate (JCPEunary (`Upostfix_dec, $1)) }
| PLUSPLUS postfix_expression 
    { locate (JCPEunary (`Uprefix_inc, $2)) }
| MINUSMINUS postfix_expression 
    { locate (JCPEunary (`Uprefix_dec, $2)) }
| PLUS postfix_expression %prec UPLUS
    { locate (JCPEunary (`Uplus, $2)) }
| MINUS postfix_expression %prec UMINUS
    { locate (JCPEunary (`Uminus, $2)) }
| TILDE postfix_expression 
    { locate (JCPEunary (`Ubw_not, $2)) }
| EXCLAM postfix_expression 
    { locate (JCPEunary (`Unot, $2)) }
| LSQUARE expression DOTDOT expression RSQUARE
    { locate (JCPErange(Some $2,Some $4)) }
| LSQUARE DOTDOT expression RSQUARE 
    { locate (JCPErange(None,Some $3)) }
| LSQUARE expression DOTDOT RSQUARE 
    { locate (JCPErange(Some $2,None)) }
| LSQUARE DOTDOT RSQUARE 
    { locate (JCPErange(None,None)) }
;

label_binders:
| /* epsilon */ { [] }
| LBRACE IDENTIFIER label_list_end RBRACE { (label $2)::$3 }
;

label_list_end:
| /* epsilon */ { [] }
| COMMA IDENTIFIER label_list_end { (label $2)::$3 }
;

argument_expression_list: 
| expression 
    { [$1] }
| expression COMMA argument_expression_list 
    { $1::$3 }
;

argument_expression_list_opt: 
| /* $\varepsilon$ */
    { [] }
| argument_expression_list 
    { $1 }
;


multiplicative_expression: 
| postfix_expression 
    { $1 }
| multiplicative_expression STAR postfix_expression 
    { locate (JCPEbinary ($1, `Bmul, $3)) }
| multiplicative_expression SLASH postfix_expression 
    { locate (JCPEbinary ($1, `Bdiv, $3)) }
| multiplicative_expression PERCENT postfix_expression 
    { locate (JCPEbinary ($1, `Bmod, $3)) }
;

additive_expression: 
| multiplicative_expression 
    { $1 }
| additive_expression PLUS multiplicative_expression 
    { locate (JCPEbinary ($1, `Badd, $3)) }
| additive_expression MINUS multiplicative_expression 
    { locate (JCPEbinary ($1, `Bsub, $3)) }
| additive_expression AT multiplicative_expression 
    { locate (JCPEbinary ($1, `Bconcat, $3)) }
;

shift_expression: 
| additive_expression 
    { $1 }
| shift_expression LSHIFT additive_expression 
    { locate (JCPEbinary ($1, `Bshift_left, $3)) }
| shift_expression LRSHIFT additive_expression 
    { locate (JCPEbinary ($1, `Blogical_shift_right, $3)) }
| shift_expression ARSHIFT additive_expression 
    { locate (JCPEbinary ($1, `Barith_shift_right, $3)) }
;

assignment_operator: 
| EQ { `Aeq }
| PLUSEQ { `Aadd }
| MINUSEQ { `Asub }
| STAREQ { `Amul }
| SLASHEQ { `Adiv }
| PERCENTEQ { `Amod }
/*
| LEFT_ASSIGN { Aleft }
| RIGHT_ASSIGN { Aright }
*/
| AMPEQ { `Aand }
| CARETEQ { `Axor }
| BAREQ { `Aor }
;


expression: 
| compound_expr
    { $1 }
| ASSERT FOR identifier_list COLON expression %prec FOR
    { locate (JCPEassert($3,Aassert,$5)) }
| ASSERT expression 
    { locate (JCPEassert([],Aassert,$2)) }
| HINT FOR identifier_list COLON expression %prec FOR
    { locate (JCPEassert($3,Ahint,$5)) }
| HINT expression 
    { locate (JCPEassert([],Ahint,$2)) }
| ASSUME FOR identifier_list COLON expression %prec FOR
    { locate (JCPEassert($3,Aassume,$5)) }
| ASSUME expression 
    { locate (JCPEassert([],Aassume,$2)) }
| CHECK FOR identifier_list COLON expression %prec FOR
    { locate (JCPEassert($3,Acheck,$5)) }
| CHECK expression 
    { locate (JCPEassert([],Acheck,$2)) }
| requires behavior compound_expr
    { locate (JCPEcontract($1,None,[$2],$3)) } 
| iteration_expression 
    { $1 }
| jump_expression 
    { $1 }
| declaration
    { $1 }
/*
| SPEC expression { locate (CSspec ($1,$2)) }
*/
| pack_expression { $1 }
| exception_expression { $1 }
| shift_expression 
    { $1 }
| SWITCH LPAR expression RPAR LBRACE switch_block RBRACE
    { locate (JCPEswitch ($3, $6)) }

| NEW IDENTIFIER LSQUARE expression RSQUARE
    { locate (JCPEalloc ($4, $2)) }
| FREE LPAR expression RPAR
    { locate (JCPEfree $3) }
| expression LT expression 
    { locate (JCPEbinary ($1, `Blt, $3)) }
| expression GT expression
    { locate (JCPEbinary ($1, `Bgt, $3)) }
| expression LTEQ expression
    { locate (JCPEbinary ($1, `Ble, $3)) }
| expression GTEQ expression
    { locate (JCPEbinary ($1, `Bge, $3)) }
| expression LTCOLON IDENTIFIER
    { locate (JCPEinstanceof($1, $3)) }
| expression EQEQ expression 
    { locate (JCPEbinary ($1, `Beq, $3)) }
| expression BANGEQ expression 
    { locate (JCPEbinary ($1, `Bneq, $3)) }
| expression AMP expression 
    { locate (JCPEbinary ($1, `Bbw_and, $3)) }
| expression HAT expression 
    { locate (JCPEbinary ($1, `Bbw_xor, $3)) }
| expression PIPE expression
    { locate (JCPEbinary ($1, `Bbw_or, $3)) }
| expression AMPAMP expression 
    { locate (JCPEbinary($1, `Bland, $3)) }
| expression BARBAR expression 
    { locate (JCPEbinary($1, `Blor, $3)) }
| IF expression THEN expression ELSE expression
    { locate (JCPEif ($2, $4, $6)) }
| IF expression THEN expression
    { locate (JCPEif ($2, $4, skip)) }
| LET IDENTIFIER EQ expression IN expression %prec PRECFORALL
    { locate (JCPElet (None, $2, Some $4, $6)) }
| LET type_expr IDENTIFIER EQ expression IN expression %prec PRECFORALL
    { locate (JCPElet (Some $2, $3, Some $5, $7)) }
| postfix_expression assignment_operator expression %prec ASSIGNOP
    { let a  =
	match $2 with
		| `Aeq -> JCPEassign ($1, $3)
		| `Aadd -> JCPEassign_op ($1, `Badd, $3)
		| `Asub -> JCPEassign_op ($1, `Bsub, $3)
		| `Amul -> JCPEassign_op ($1, `Bmul, $3)
		| `Adiv -> JCPEassign_op ($1, `Bdiv, $3)
		| `Amod -> JCPEassign_op ($1, `Bmod, $3)
		| `Aand -> JCPEassign_op ($1, `Bbw_and, $3)
		| `Axor -> JCPEassign_op ($1, `Bbw_xor, $3)
		| `Aor -> JCPEassign_op ($1, `Bbw_or, $3)
(*
		| Aleft -> CEassign_op ($1, `Bshift_left, $3)
		| Aright -> CEassign_op ($1, `Bshift_right, $3)
*)
      in locate a }

| BSFORALL type_expr identifier_list triggers SEMICOLON expression 
    %prec PRECFORALL
    { locate (JCPEquantifier(Forall,$2,$3,$4,$6)) }
| BSEXISTS type_expr identifier_list triggers SEMICOLON expression 
    %prec PRECFORALL
    { locate (JCPEquantifier(Exists,$2,$3,$4,$6)) }
| expression EQEQGT expression
    { locate (JCPEbinary($1,`Bimplies,$3)) }
| expression LTEQEQGT expression
    { locate (JCPEbinary($1,`Biff,$3)) }
/*
| expression COMMA assignment_expression { locate (CEseq ($1, $3)) }
*/
| BSMUTABLE LPAR expression COMMA tag RPAR
    { locate (JCPEmutable($3, $5)) }
| BSMUTABLE LPAR expression RPAR
    { locate (JCPEmutable($3, locate JCPTbottom)) }
| BSTYPEEQ LPAR tag COMMA tag RPAR
    { locate (JCPEeqtype($3, $5)) }
| MATCH expression WITH pattern_expression_list END
    { locate (JCPEmatch($2, $4)) }
;

tag:
| identifier
    { locate (JCPTtag $1) }
| BSBOTTOM
    { locate JCPTbottom }
| BSTYPEOF LPAR expression RPAR
    { locate (JCPTtypeof $3) }
;

identifier_list: 
| identifier 
    { [$1] }
| identifier COMMA identifier_list 
    { $1 :: $3 }
;

identifier:
| DEFAULT
    { locate_identifier "default" }
| IDENTIFIER
    { locate_identifier $1 }
;

triggers:
| /* epsilon */ { [] }
| LSQUARE list1_trigger_sep_bar RSQUARE { $2 }
;

list1_trigger_sep_bar:
| trigger { [$1] }
| trigger PIPE list1_trigger_sep_bar  %prec pipe_trigger { $1 :: $3 }
;

trigger:
  argument_expression_list { $1 }
;

/****************/
/* declarations */
/****************/


declaration: 
| VAR type_expr IDENTIFIER
    { locate (JCPEdecl($2, $3, None)) }
| VAR type_expr IDENTIFIER EQ expression
    { locate (JCPEdecl($2, $3, Some $5)) }
;


/**************/
/* expressions */
/**************/

compound_expr:
| LBRACE expression_list RBRACE
    { locate (JCPEblock $2) }
;

expression_list: 
| expression SEMICOLON
    { [$1] }
| expression
    { [$1] }
| expression SEMICOLON expression_list 
    { $1 :: $3 }
;

switch_block: 
| /* $\varepsilon$ */
    { [] }
| switch_labels 
    { [($1, locate (JCPEblock []))] }
| switch_labels expression_list switch_block
    { ($1, locate (JCPEblock $2))::$3 }
;

switch_labels:
| switch_label
    { [$1] }
| switch_label switch_labels
    { $1::$2 }
;

switch_label:
| CASE expression COLON
    { Some($2) }
| DEFAULT COLON
    { None }
;

iteration_expression: 
| loop_annot WHILE LPAR expression RPAR expression %prec precwhile
    { let (i,v) = $1 in 
      locate (JCPEwhile ($4, i, v, $6)) }
| loop_annot DO expression WHILE LPAR expression RPAR
    { assert false (* TODO locate (JCPEdowhile ($1, $3, $6)) *) }
| loop_annot FOR LPAR argument_expression_list_opt SEMICOLON expression SEMICOLON 
    argument_expression_list_opt RPAR expression %prec precwhile
    { let (i,v) = $1 in 
      (*
	let i = match i with 
	| [] -> locate (JCPEconst(JCCboolean true))
	| [_,p] -> p
	|  _ -> assert false
      in
      *)
      locate (JCPEfor($4, $6, $8, i, v, $10)) }
;


loop_behavior:
| INVARIANT expression SEMICOLON assigns_opt
    { (Some $2,$4) }
| assigns
    { (None,$1) }
;

loop_for_behavior_list:
| BEHAVIOR identifier_list COLON loop_behavior loop_for_behavior_list
    { let (i,a) = $4 in ($2,i,a) :: $5 }
| /* epsilon */
    { [] }
;

loop_behaviors:
| loop_behavior loop_for_behavior_list
    { let (i,a) = $1 in ([],i,a)::$2 }
| loop_for_behavior_list
    { $1 }
;

loop_annot:
| LOOP loop_behaviors VARIANT expression SEMICOLON
    { ($2, Some ($4,None)) }
| LOOP loop_behaviors VARIANT expression FOR identifier SEMICOLON
    { ($2, Some ($4, Some $6)) }
| LOOP loop_behaviors
    { ($2, None) }
;

jump_expression: 
| GOTO identifier
    { locate (JCPEgoto $2#name) }
/*
| CONTINUE SEMICOLON { locate CScontinue }
*/
| BREAK
    { locate (JCPEbreak "") }
| RETURN expression
    { locate (JCPEreturn $2) }
;

pack_expression:
| PACK LPAR expression COMMA identifier RPAR
    { locate (JCPEpack ($3, Some $5)) }
| PACK LPAR expression RPAR
    { locate (JCPEpack ($3, None)) }
| UNPACK LPAR expression COMMA identifier RPAR
    { locate (JCPEunpack ($3, Some $5)) }
| UNPACK LPAR expression RPAR
    { locate (JCPEunpack ($3, None)) }
;

catch_expression: 
| CATCH identifier IDENTIFIER expression
    { ($2, $3, $4) }
;

catch_expression_list:
| catch_expression
    { [$1] }
| catch_expression catch_expression_list 
    { $1 :: $2 }
;

exception_expression:
| THROW identifier expression
   { locate (JCPEthrow($2,$3)) }
| TRY expression catch_expression_list END
   { locate (JCPEtry($2, $3, skip)) }
| TRY expression catch_expression_list FINALLY expression END
   { locate (JCPEtry($2, $3, $5)) }
;

/**********************************/
/* Logic functions and predicates */
/**********************************/

logic_definition:
/* constants def */
| LOGIC type_expr IDENTIFIER logic_type_arg EQ expression
    { locate (JCDlogic(Some $2, $3, $4, [], [], JCexpr $6)) }
/* constants no def */
| LOGIC type_expr IDENTIFIER logic_type_arg
    { locate (JCDlogic(Some $2, $3, $4 , [], [], JCreads [])) }
/* logic fun def */
| LOGIC type_expr IDENTIFIER logic_type_arg label_binders parameters EQ expression
    { let p = lparams $6 in
      locate (JCDlogic(Some $2, $3, $4 , $5, p, JCexpr $8)) }
/* logic pred def */
| PREDICATE IDENTIFIER logic_type_arg label_binders parameters EQ expression
    { let p = lparams $5 in
      locate (JCDlogic(None, $2, $3  ,$4, p, JCexpr $7)) }
/* logic fun reads */
/*
| LOGIC type_expr IDENTIFIER logic_type_arg label_binders parameters reads %prec PRECLOGIC
    { locate (JCDlogic(Some $2, $3, $4 ,$5, $6, JCreads $7)) }
*/
/* logic pred reads */
/*
| PREDICATE IDENTIFIER logic_type_arg label_binders parameters reads %prec PRECLOGIC
    { locate (JCDlogic(None, $2, $3 ,$4, $5, JCreads $6)) }
*/
/* logic fun axiomatic def */
/*
| LOGIC type_expr IDENTIFIER logic_type_arg label_binders parameters LBRACE axioms RBRACE
    { locate (JCDlogic(Some $2, $3, $4 ,$5, $6, JCaxiomatic $8)) }
*/
/* logic pred axiomatic def */
/*
| PREDICATE IDENTIFIER logic_type_arg label_binders parameters LBRACE axioms RBRACE
    { locate (JCDlogic(None, $2, $3, $4, $5, JCaxiomatic $7)) }
*/
/* logic pred inductive def */
| PREDICATE IDENTIFIER logic_type_arg label_binders parameters LBRACE indcases RBRACE
    { let p = lparams $5 in
      locate (JCDlogic(None, $2, $3 ,$4 , p, JCinductive $7)) }
| AXIOMATIC IDENTIFIER LBRACE logic_declarations RBRACE
    { locate (JCDaxiomatic($2,$4)) } 
| LEMMA IDENTIFIER logic_type_arg label_binders COLON expression
    { locate( JCDlemma($2,false,$3,$4,$6)) }
;




logic_declarations:
| logic_declaration
    { [$1] }
| logic_declaration logic_declarations
    { $1::$2 }
;

string_list:
| IDENTIFIER {[$1]}
| IDENTIFIER COMMA string_list {$1::$3}

logic_type_arg:
| {[]}
| LT string_list GT {$2}

logic_declaration:
| logic_definition
    { $1 }
| LOGIC TYPE IDENTIFIER logic_type_arg
    { locate (JCDlogic_type($3,$4)) }
/* remove this comment if removed from logic_definition
| LOGIC type_expr IDENTIFIER 
    { locate (JCDlogic(Some $2, $3, [], [], JCnone)) }
*/
| PREDICATE IDENTIFIER logic_type_arg label_binders parameters reads
    { let p = lparams $5 in
      locate (JCDlogic(None, $2, $3, $4, p, $6)) }
| LOGIC type_expr IDENTIFIER logic_type_arg label_binders parameters reads
	{ let p = lparams $6 in
	  locate (JCDlogic(Some $2, $3, $4, $5, p, $7)) }
| AXIOM identifier logic_type_arg label_binders COLON expression
    { locate( JCDlemma($2#name,true,$3,$4,$6)) }
;

indcases:
| /* epsilon */
    { [] }
| CASE identifier label_binders COLON expression SEMICOLON indcases
    { ($2,$3,$5)::$7 }
;

/************/
/* patterns */
/************/

pattern:
| identifier LBRACE field_patterns RBRACE
    { locate (JCPPstruct($1, $3)) }
| identifier
    { locate (JCPPvar $1) }
| LPAR pattern RPAR
    { $2 }
| pattern PIPE pattern
    { locate (JCPPor($1, $3)) }
| pattern AS identifier
    { locate (JCPPas($1, $3)) }
| UNDERSCORE
    { locate JCPPany }
| CONSTANT 
    { locate (JCPPconst $1) }
| LPARRPAR 
    { locate (JCPPconst JCCvoid) }
| NULL 
    { locate (JCPPconst JCCnull) }
;

field_patterns:
| identifier EQ pattern SEMICOLON field_patterns
    { ($1, $3)::$5 }
|
    { [] }
;

/*Multiply defined : Does ocamlyacc take the last. In fact it seems to take the first (cf. variant.jc)*/
pattern_expression_list:
| pattern MINUSGT expression SEMICOLON pattern_expression_list
    { ($1, $3)::$5 }
| pattern MINUSGT expression SEMICOLON
    { [$1, $3] }
;


/*pattern_expression_list:
| pattern MINUSGT compound_expr pattern_expression_list
    { ($1, $3)::$4 }
| pattern MINUSGT compound_expr
    { [$1, $3] }
;*/

/**************/
/* pragma_gen_sep */
/**************/
pragma_gen_sep:
| PRAGMA_GEN_SEP IDENTIFIER type_expr_parameters
    { locate (JCDpragma_gen_sep("",$2, $3)) }
| PRAGMA_GEN_SEP IDENTIFIER IDENTIFIER type_expr_parameters
    { locate (JCDpragma_gen_sep($2,$3, $4)) }
| PRAGMA_GEN_FRAME IDENTIFIER IDENTIFIER
    { locate (JCDpragma_gen_frame($2,$3)) }
| PRAGMA_GEN_SUB IDENTIFIER IDENTIFIER
    { locate (JCDpragma_gen_sub($2,$3)) }
| PRAGMA_GEN_SAME IDENTIFIER IDENTIFIER
    { locate (JCDpragma_gen_same($2,$3)) }
;

type_expr_parameters:
| LPARRPAR
    { [] }
| LPAR RPAR
    { [] }
| LPAR type_expr_comma_list RPAR
    { $2 } 
;

type_expr_restreint:
|type_expr {$1,[]}
|type_expr PIPE LPAR type_parameter_names RPAR {$1,$4}

type_expr_comma_list: 
| type_expr_restreint
    { [$1] }
| type_expr_restreint COMMA type_expr_comma_list
    { $1 :: $3 }
;

/*
Local Variables: 
compile-command: "LC_ALL=C make -C .. byte"
End: 
*/
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_invariants.ml������������������������������������������������������������������������0000644�0001750�0001750�00000135337�12311670312�014411� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_name
open Jc_constructors
open Jc_pervasives
(*
open Jc_iterators
*)
open Jc_interp_misc
open Jc_struct_tools

open Output

(* other modifications for this extension can be found in:
     ast, typing, norm, interp: about pack / unpack, and mutable
     jc_main.ml
       phase 3.5
       production phase 5
     jc_interp.ml
       function tr_fun: 2 calls to "assume_all_invariants"
       function statement
         JCSassign_heap: call to "assume_field_invariants"
     jc_typing.ml
       hashtbl mutable_fields_table
       hashtbl committed_fields_table
       function create_mutable_field
       function find_field_struct: "mutable" and "committed" cases (and the parameter allow_mutable)
       function decl: JCPDstructtype: call to create_mutable_field
       function statement: call to "assert_mutable"

TODOs:
     Maybe generate assocs (or global invariant) when doing unpack or pack, as it modifies
mutable and committed.
     Arrays and global invariant.
*)

let prop_type = simple_logic_type "prop"


(* returns (inv, reads) where i is the assertion of the invariants of the structure
and r is a StringSet of the "reads" needed by these invariants *)
let invariant_for_struct this st =
  let (_, invs) =
    StringHashtblIter.find Jc_typing.structs_table st.jc_struct_info_name
  in
  let inv =
    make_and_list
      (List.map 
	 (fun (li, _) -> 
	    make_logic_pred_call ~label_in_name:false ~region_assoc:[] ~label_assoc:[] li [this]) invs)
  in
  let reads =
    List.fold_left
      (fun acc (li, _) -> logic_info_reads acc li)
      StringSet.empty
      invs
  in
  (inv, reads)

let make_assume reads assume =
  mk_expr (BlackBox (Annot_type (LTrue, unit_type, reads, [], assume, [])))

let fully_packed pc e =
  LPred(
    fully_packed_name,
    [ LVar (generic_tag_table_name (pointer_class_root pc));
      LVar (mutable_name pc);
      e ])
(*
let type_structure = function
  | JCTpointer(JCtag st, _, _) -> st
  | _ -> failwith "type_structure"
*)

let type_pc = function
  | JCTpointer(pc, _, _) -> pc
  | _ -> raise (Invalid_argument "type_pc")

let range_min = function
  | JCTpointer(_, x, _) -> x
  | _ -> raise (Invalid_argument "range_min")

let range_max = function
  | JCTpointer(_, _, x) -> x
  | _ -> raise (Invalid_argument "range_max")

(*let mutable_instance_of_name root_structure_name =
  (mutable_name root_structure_name)^"_instance_of"*)

let omin_omax alloc basep min max =
  let omin = match min with
    | None -> LApp("offset_min", [ alloc; basep ])
    | Some n -> LConst(Prim_int(Num.string_of_num n))
  in
  let omax = match max with
    | None -> LApp("offset_max", [ alloc; basep ])
    | Some n -> LConst(Prim_int(Num.string_of_num n))
  in
  omin, omax

let make_range index omin omax =
  if omin = omax then
    LPred("eq", [ index; omin ])
  else
    make_and
      (LPred("ge_int", [ index; omin ]))
      (LPred("le_int", [ index; omax ]))

let pset_singleton p =
  LApp("pset_singleton", [ p ])

let pset_union a b =
  LApp("pset_union", [ a; b ])

let pset_union_list = function
  | [] -> LVar "pset_empty"
  | hd::tl -> List.fold_left pset_union hd tl

let pset_range s a b =
  LApp("pset_range", [ s; a; b ])

let make_shift p i =
  LApp("shift", [ p; i ])

let make_not_assigns alloc old_mem new_mem pset =
  LPred("not_assigns", [ alloc; old_mem; new_mem; pset ])

let make_bool b = LConst(Prim_bool b)

(************************************)
(* Checking an invariant definition *)
(************************************)

(* Typing imposes non pointer fields to have the flag "rep" *)
let field this pos fi =
  if not fi.jc_field_info_rep then
    Jc_typing.typing_error pos "this term is not a rep field of %s"
      this.jc_var_info_name

(*let rec check_rep ?(must_deref=false) this pos t =
  match t.jc_term_node with
    | JCTvar vi when vi == this && not must_deref -> ()
    | JCTderef (t, lab, fi) ->
	field fi this pos;
	check_rep ~must_deref:false this pos t
    | JCTcast (t, _, _) -> assert false (* TODO *)
    | JCTshift (t, _) ->
	(* t must not be this, but might be a field of this if it is a table *)
	(* (? TODO) *)
	check_rep ~must_deref:true this pos t
    | _ ->
	Jc_typing.typing_error pos "this term is not a rep field of %s"
	  this.jc_var_info_name*)

(* A pattern may hide some dereferencing. *)
let pattern this p =
  Jc_iterators.iter_pattern
    (fun p -> match p#node with
       | JCPstruct(_, fipl) ->
	   List.iter (field this p#pos) (List.map fst fipl)
       | _ -> ())
    p

(* When typing the body of the invariant, the only pointer in the environment
is the argument of the pointer. Thus, it is sufficient to check that all
dereferencing is done on a rep field AND that all applications do not read
any memory (else one could hide dereferencing in logic functions). *)
let term this t =
  Jc_iterators.ITerm.iter
    (fun t -> match t#node with
       | JCTapp app ->
	   let id = app.jc_app_fun in
	   if not (MemoryMap.is_empty
		     id.jc_logic_info_effects.jc_effect_memories) then
	     Jc_typing.typing_error t#pos
	       "this call is not allowed in structure invariant"
       | JCTderef(_, _, fi) ->
	   field this t#pos fi
       | JCTmatch(_, ptl) ->
	   List.iter (pattern this) (List.map fst ptl)
       | _ -> ())
    t

(*let term this t =
  iter_term
    (fun t -> match t.jc_term_node with
       | JCTconst _
       | JCTvar _
       | JCTrange(None, None) -> ()
       | JCTbinary(t1, _, t2)
       | JCTrange(Some t1, Some t2) ->
	   term this t1;
	   term this t2
       | JCTunary(_, t)
       | JCTold t
       | JCTat(t, _)
       | JCToffset(_, t, _)
       | JCTinstanceof(t, _, _)
       | JCTcast(t, _, _)
       | JCTrange(Some t, None)
       | JCTrange(None, Some t) ->
	   term this t
       | JCTif(t1, t2, t3) ->
	   term this t1
	   term this t2
	   term this t3
       | JCTmatch of term * (pattern * term) list
       | JCTshift(t1, t2) ->
       | JCTsub_pointer(t1, t2) ->
       | JCTderef(t, _, fi) ->
       | JCTapp app ->
	   let id = app.jc_app_fun in
	   if not (FieldRegionMap.is_empty
		     id.jc_logic_info_effects.jc_effect_memories) then
	     Jc_typing.typing_error t.jc_term_loc
	       "this call is not allowed in structure invariant"
       | JCTderef _ ->
	   check_rep this t.jc_term_loc t
       | _ -> ()
    ) t*)

let tag this t =
  match t#node with
    | JCTtag _
    | JCTbottom -> ()
    | JCTtypeof(t, _) -> term this t

let rec assertion this p =
  match p#node with
    | JCAtrue | JCAfalse -> ()
    | JCAif (_, _, _) -> assert false (* TODO *)
    | JCAinstanceof(t,_,_)
    | JCAfresh t 
    | JCAbool_term t -> term this t
    | JCAold p -> assertion this p
    | JCAat(p,_) -> assertion this p
    | JCAquantifier(_,_id, _, p) -> assertion this p
    | JCAapp app ->
	let id = app.jc_app_fun in
	if MemoryMap.is_empty id.jc_logic_info_effects.jc_effect_memories
	then List.iter (term this) app.jc_app_args
	else
	  Jc_typing.typing_error p#pos
	    "this call is not allowed in structure invariant"
    | JCAnot p -> assertion this p
    | JCAiff (p1, p2)
    | JCAimplies (p1, p2) -> assertion this p1; assertion this p2
    | JCArelation (t1,_, t2) -> term this t1; term this t2
    | JCAand l | JCAor l -> List.iter (assertion this) l
    | JCAmutable _ ->
	Jc_typing.typing_error p#pos
	  "\\mutable is not allowed in structure invariant"
    | JCAeqtype(t1, t2, _) | JCAsubtype(t1, t2, _) ->
	tag this t1;
	tag this t2
    | JCAlet(_vi,t, p) ->
	term this t;
	assertion this p
    | JCAmatch(t, pal) ->
	term this t;
	List.iter (fun (_, a) -> assertion this a) pal

let check invs =
  List.iter
    (fun (li,p) -> 
       Jc_options.lprintf
	 "    Checking invariant: %s@." li.jc_logic_info_name;
       match li.jc_logic_info_parameters with
	 | [this] -> assertion this p
	 | _ -> assert false)
    invs

(***********************************)
(* Tools for structure definitions *)
(***********************************)

let rec term_memories aux t = 
  Jc_iterators.fold_term 
    (fun aux t -> match t#node with
    | JCTderef(_t, _lab, fi) ->
	let m = fi.jc_field_info_final_name in
	StringSet.add m aux
    | _ -> aux
    ) aux t

let tag_memories aux t = match t#node with
  | JCTtag _ | JCTbottom -> aux
  | JCTtypeof(t, _) -> term_memories aux t

let rec assertion_memories aux a = match a#node with
  | JCAtrue
  | JCAfalse -> aux
  | JCAand l
  | JCAor l -> List.fold_left assertion_memories aux l
  | JCAimplies(a1, a2)
  | JCAiff(a1, a2) -> assertion_memories (assertion_memories aux a1) a2
  | JCArelation(t1,_,t2) -> term_memories (term_memories aux t1) t2
  | JCAnot a
  | JCAold a
  | JCAat(a,_)
  | JCAquantifier(_,_, _, a) -> assertion_memories aux a
  | JCAapp app -> List.fold_left term_memories aux app.jc_app_args
  | JCAinstanceof(t, _, _ )
  | JCAfresh t
  | JCAbool_term t -> term_memories aux t
  | JCAif(t, a1, a2) -> assertion_memories (assertion_memories (term_memories aux t) a1) a2
  | JCAmutable(t, _, _) -> term_memories aux t
  | JCAeqtype(t1, t2, _) | JCAsubtype(t1, t2, _) -> 
      tag_memories (tag_memories aux t2) t1
  | JCAlet(_vi,t,p) ->
      term_memories (assertion_memories aux p) t
  | JCAmatch(t, pal) ->
      term_memories (List.fold_left assertion_memories aux (List.map snd pal)) t

(* Returns (as a StringSet.t) every structure name that can be reached from st.
Assumes the structures whose name is in acc have already been visited
and won't be visited again. *)
let rec all_structures st acc =
  if StringSet.mem st.jc_struct_info_name acc then acc else
    List.fold_left
      (fun acc fi ->
	 match fi.jc_field_info_type with
	   | JCTpointer(JCtag(st, _), _, _) -> all_structures st acc
	   | _ -> acc)
      (StringSet.add st.jc_struct_info_name acc)
      st.jc_struct_info_fields   

(* Returns all memories used by the structure invariants. *)
let struct_inv_memories acc st =
  let _, invs = StringHashtblIter.find Jc_typing.structs_table st in
  List.fold_left
    (fun acc (_, a) -> assertion_memories acc a)
    acc
    invs

(* Returns the parameters needed by an invariant, "this" not included *)
(* TODO: factorize using Jc_interp_misc.logic_params *)
let invariant_params acc li =
  let acc =
    MemoryMap.fold
      (fun (mc,r) _labels acc -> 
	 (memory_name(mc,r), memory_type mc)::acc)
      li.jc_logic_info_effects.jc_effect_memories
      acc
  in
  let acc =
    AllocMap.fold
      (fun (ac,r) _labs acc -> 
	 (alloc_table_name (ac, r),
	  alloc_table_type (ac))::acc)
      li.jc_logic_info_effects.jc_effect_alloc_tables
      acc
  in
  let acc =
    TagMap.fold
      (fun (v,r) _labels acc -> 
	 let t = { logic_type_args = [root_model_type v];
		   logic_type_name = "tag_table" }
	 in
	 (tag_table_name (v,r), t)::acc)
      li.jc_logic_info_effects.jc_effect_tag_tables
      acc
  in
    acc

(* Returns the parameters needed by the invariants of a structure, "this" not included *)
let invariants_params acc st =
  let (_, invs) =
    StringHashtblIter.find Jc_typing.structs_table st.jc_struct_info_name
  in
  List.fold_left (fun acc (li, _) -> invariant_params acc li) acc invs

(* Returns the structure and its parents, up to its root *)
let rec parents acc st =
  match st.jc_struct_info_parent with
    | None -> acc
    | Some(p, _) -> parents (st::acc) p
let parents = parents []

(* Returns every structure (name) that can be used by a function,
given its parameters *)
let function_structures params =
  let structures = List.fold_left
    (fun acc vi ->
       match vi.jc_var_info_type with
	 | JCTpointer(JCtag(st, _), _, _) ->
	     all_structures st acc
	 | JCTpointer(JCroot vi, _, _) ->
	     List.fold_right all_structures vi.jc_root_info_hroots acc
	 | _ -> acc)
    StringSet.empty
    params
  in
  StringSet.elements structures

let hierarchy_structures h =
  StringHashtblIter.fold
    (fun _ (st, _) acc ->
       (* don't use equality directly on st and h, as it might not terminate *)
       (* we could use == instead though *)
       if root_name st = root_name h then st::acc else acc)
    Jc_typing.structs_table
    []
  
let hierarchies () =
  let h =
    StringHashtblIter.fold
      (fun _ (st, _) acc ->
         StringMap.add (root_name st) st.jc_struct_info_hroot acc)
      Jc_typing.structs_table
      StringMap.empty
  in
  StringMap.fold
    (fun _ st acc -> st::acc)
    h
    []

let is_pointer = function
  | JCTpointer _ -> true
  | _ -> false

(* Returns every rep pointer fields of a structure *)
let rep_fields st =
  List.filter
    (fun fi -> fi.jc_field_info_rep && is_pointer fi.jc_field_info_type)
    st.jc_struct_info_fields

(* Returns every rep fields of a hierarchy *)
let hierarchy_rep_fields root =
  List.flatten (List.map rep_fields (hierarchy_structures root))

(*********)
(* assoc *)
(*********)

(*let program_point_type = simple_logic_type "int"

let fresh_program_point =
  let c = ref 0 in fun () ->
  c := !c + 1; string_of_int !c

let assoc_declaration =
  (* logic assoc: int, ('a, 'b) memory -> prop *)
  Logic(
    false,
    "assoc",
    [ "", program_point_type;
      "", memory_type "'a" (simple_logic_type "'b") ],
    prop_type)

let make_assoc pp m =
  LPred("assoc", [LConst(Prim_int pp); LVar m])

let make_assoc_list pp mems =
  make_and_list (List.map (make_assoc pp) mems)

let make_assume_assocs pp mems =
  let assocs = make_assoc_list pp mems in
  make_assume mems assocs

(* List of each memory m that appears in an invariant
which can be broken by the modification of the field fi *)
let field_assocs fi =
  let _, invs = Hashtbl.find Jc_typing.structs_table fi.jc_field_info_root in
  let mems = List.fold_left
    (fun aux (_, a) ->
       let amems = assertion_memories StringSet.empty a in
       if StringSet.mem fi.jc_field_info_final_name amems then
         StringSet.union amems aux
       else
	 aux
    ) (StringSet.singleton (mutable_name fi.jc_field_info_root)) invs in
  StringSet.elements mems

(* Assume all assocs needed after a field has been modified *)
let make_assume_field_assocs pp fi =
  make_assume_assocs pp (field_assocs fi)

(* Returns a list of all memories which need an "assoc"
(calculated from a function parameter list) *)
let all_assocs pp params =
  let structures = function_structures params in
  (* memories used by these structures' invariants *)
  let memories = List.fold_left
    struct_inv_memories
    StringSet.empty
    structures
  in
  (* mutable fields *)
  let mutable_fields = List.map (fun s -> mutable_name s) structures in
  StringSet.elements memories@mutable_fields

(* Assume all assocs needed at the start of a fonction *)
let make_assume_all_assocs pp params =
  make_assume_assocs pp (all_assocs pp params)*)

(***********)
(* mutable *)
(***********)

let mutable_memory_type pc =
  raw_memory_type (pointer_class_model_type pc)
    (tag_id_type (pointer_class_root pc))

let committed_memory_type pc =
  raw_memory_type (pointer_class_model_type pc) (simple_logic_type "bool")

let mutable_declaration st acc =
  if st.jc_struct_info_parent = None then
    let st = JCtag(st, []) in
    (* mutable_T: T tag_id *)
    Param(
      false,
      id_no_loc (mutable_name st),
      Ref_type(Base_type (mutable_memory_type st)))
    (* committed_T: bool *)
    ::Param(
      false,
      id_no_loc (committed_name st),
      Ref_type(Base_type (committed_memory_type st)))
    ::acc
  else
    acc

(* Assert the condition under which a field update statement can be executed.
The object must be "sufficiently unpacked", that is: its "mutable" field is
a strict superclass of the class in which the field is defined.
  And the object must not be committed. *)
(* assert ((st.jc_struct_info_parent <: e.mutable || e.mutable = bottom_tag) && e.committed = false) *)
(* Actually, the "not committed" part is meta-implied by the
condition on mutable. *)
let assert_mutable e fi =
  if fi.jc_field_info_rep then
    begin
      let st = fi.jc_field_info_struct in
      let mutable_name = mutable_name (JCtag(st, [])) in
      (*let committed_name = committed_name st.jc_struct_info_hroot in*)
      let e_mutable = LApp("select", [LVar mutable_name; e]) in
      (*let e_committed = LApp("select", [LVar committed_name; e]) in*)
      let parent_tag = match st.jc_struct_info_parent with
	| None -> LVar "bottom_tag"
	| Some(parent, _) -> LVar (tag_name parent)
      in
      let sub = make_subtag parent_tag e_mutable in
      (*let not_committed =
	LPred(
	  "eq",
	  [ e_committed;
	    LConst (Prim_bool false) ])
      in
      Assert(`ASSERT,make_and sub not_committed, Void)*)
      mk_expr (Assert(`ASSERT,sub, void))
    end
  else
    void

(********************)
(* Invariant axioms *)
(********************)

(*let invariant_axiom st acc (li, a) =
  let params = invariant_params [] li in
  
  (* this *)
  let this = "this" in
  let this_ty =
    { logic_type_name = "pointer";
      logic_type_args = [simple_logic_type st.jc_struct_info_hroot] } in

  (* program point *)
  let pp = "program_point" in
  let pp_ty = simple_logic_type "int" in

  (* assoc memories with program point => not this.mutable => this.invariant *)
  let mutable_ty = mutable_memory_type st.jc_struct_info_hroot in
  let mutable_is_false =
    LPred(
      "eq",
      [ LConst(Prim_bool false);
	LApp("select", [LVar "mutable"; LVar this]) ]) in
  let assoc_memories = StringSet.fold
    (fun mem acc ->
       LPred("assoc", [LVar pp; LVar mem])::acc)
    (assertion_memories
       (StringSet.singleton "mutable")
       a)
    [] in
  let invariant = make_logic_pred_call li [LVar this] in
  let axiom_impl = List.fold_left (fun acc assoc -> LImpl(assoc, acc))
    (LImpl(mutable_is_false, invariant))
    assoc_memories in

  (* quantifiers *)
  let quantified_vars = params in
  let quantified_vars = ("mutable", mutable_ty)::quantified_vars in
  let quantified_vars = (pp, pp_ty)::quantified_vars in
  let quantified_vars = (this, this_ty)::quantified_vars in
  let axiom =
    List.fold_left (fun acc (id, ty) -> LForall(id, ty, acc))
      axiom_impl quantified_vars in
  Axiom("axiom_"^li.jc_logic_info_name, axiom)::acc

let invariants_axioms st acc =
  let _, invs = Hashtbl.find Jc_typing.structs_table st.jc_struct_info_name in
  List.fold_left (invariant_axiom st) acc invs*)

(******************************************)
(* Invariant assumes (axioms pre-applied) *)
(******************************************)

(* hierarchy root (string) -> hierarchy invariant parameters ((string * logic_type) list) *)
let hierarchy_invariants = Hashtbl.create 97

(* List of each invariant that can be broken by modifying a given field *)
let field_invariants fi =
  if not fi.jc_field_info_rep then [] else (* small optimisation, it is not needed *)
    (* List of all structure * invariant *)
    let invs =
      StringHashtblIter.fold
        (fun _ (st, invs) acc -> (List.map (fun inv -> st, inv) invs)@acc)
        Jc_typing.structs_table
        []
    in
    (* Only keep the invariants which uses the field *)
    List.fold_left
      (fun aux ((_, (_, a)) as x) ->
	 let amems = assertion_memories StringSet.empty a in
	 if StringSet.mem fi.jc_field_info_final_name amems then
           x::aux
	 else
	 aux)
      []
      invs

(* this.mutable <: st => invariant *)
(* (the invariant li must be declared in st) *)
let not_mutable_implies_invariant this st (li, _) =
  let params = invariant_params [] li in
  
  (* this.mutable <: st *)
  let mutable_name = mutable_name (JCtag(st, [])) in
  let mutable_io = make_subtag
    (LApp("select", [ LVar mutable_name; LVar this ]))
    (LVar (tag_name st))
  in

  (* invariant *)
  let invariant = 
    make_logic_pred_call ~label_in_name:false ~region_assoc:[] ~label_assoc:[] li [LVar this]
  in

  (* implies *)
  let impl = LImpl(mutable_io, invariant) in

  (* params *)
  let params = (mutable_name, mutable_memory_type (JCtag(st, [])))::params in
  let params = (generic_tag_table_name (struct_root st),
                tag_table_type (struct_root st))::params in

  params, impl

(* this.mutable <: st => this.fields.committed *)
let not_mutable_implies_fields_committed this st =
  let fields = rep_fields st in

  (* this.mutable <: st *)
  let mutable_name = mutable_name (JCtag(st, [])) in
  let mutable_io = make_subtag
    (LApp("select", [ LVar mutable_name; LVar this ]))
    (LVar (tag_name st))
  in

  (* fields committed *)
  let fields_pc = List.fold_left
    (fun acc fi ->
       match fi.jc_field_info_type with
	 | JCTpointer(fi_pc, min, max) ->
	     let n = fi.jc_field_info_final_name in
	     let index = "jc_index" in
	     let committed_name = committed_name fi_pc in
	     let fi_ac = alloc_class_of_pointer_class fi_pc in
	     let alloc = generic_alloc_table_name fi_ac in
	     let params =
	       [ n, memory_type (JCmem_field fi);
		 committed_name, committed_memory_type fi_pc;
		 alloc, alloc_table_type fi_ac; ]
	     in
	     let this_fi = make_select (LVar n) (LVar this) in
	     let f = make_shift this_fi (LVar index) in
	     let eq = make_eq (make_select_committed fi_pc f)
	       (make_bool true)
	     in
	     let omin, omax = omin_omax (LVar alloc) this_fi min max in
	     let range = make_range (LVar index) omin omax in
	     let pred =
	       LForall(
		 index, simple_logic_type "int", [],
		 LImpl(range, eq))
	     in
	     (params, pred)::acc
	 | _ -> acc)
    [] fields
  in
  let params, coms = List.flatten (List.map fst fields_pc),
    make_and_list (List.map snd fields_pc) in

  (* additional params *)
  let params = (mutable_name, mutable_memory_type (JCtag(st, [])))::params in
  let params = (generic_tag_table_name (struct_root st),
                tag_table_type (struct_root st))::params in

  (* implies *)
  let impl = LImpl(mutable_io, coms) in

  params, impl

(* this.committed => fully_packed(this) *)
let committed_implies_fully_packed this root =
  let committed_name = committed_name root in
  let committed_type = committed_memory_type root in
  let mutable_name = mutable_name root in
  let mutable_type = mutable_memory_type root in
  let tag_table = generic_tag_table_name (pointer_class_root root) in
  let tag_table_type = tag_table_type (pointer_class_root root) in

  (* this.committed = true *)
  let com = LPred(
    "eq",
    [ LApp(
	"select",
	[ LVar committed_name;
	  LVar this ]);
      LConst(Prim_bool true) ])
  in

  (* fully_packed(this) *)
  let packed = LPred(
    fully_packed_name,
    [ LVar tag_table;
      LVar mutable_name;
      LVar this ])
  in

  (* implies *)
  let impl = LImpl(com, packed) in

  (* params *)
  let params = [
    tag_table, tag_table_type;
    committed_name, committed_type;
    mutable_name, mutable_type;
  ] in

  params, impl

let lex2 (a1, b1) (a2, b2) =
  let c = compare a1 a2 in
  if c = 0 then compare b1 b2 else c

(* forall x, ((meta) forall rep field f),
   this.f = x.f /\ this.f.committed -> this = y *)
let owner_unicity this root =
  let reps = hierarchy_rep_fields root in

  (* x name and type *)
  let x_name = this^"_2" in
  let pc = JCtag(root, []) in
  let ac = alloc_class_of_pointer_class pc in
  let x_type = pointer_type ac pc in

  (* shift indexes *)
  let index1 = "jc_index" in
  let index2 = "jc_index_2" in

  (* big "or" on all rep fields *)
  let eq_and_com_list = List.map
    (fun fi ->
       try
	 let name = fi.jc_field_info_final_name in
	 Printf.printf "***** FIELD %s *****\n%!" name;
	 let fi_pc = type_pc fi.jc_field_info_type in
	 let committed_name = committed_name fi_pc in
	 let this_dot_f = make_select (LVar name) (LVar this) in
	 let x_dot_f = make_select (LVar name) (LVar x_name) in

	 (* indexes, ranges *)
	 let fi_ac = alloc_class_of_pointer_class fi_pc in
	 let alloc = generic_alloc_table_name fi_ac in
	 let omin1, omax1 = omin_omax (LVar alloc) this_dot_f
	   (range_min fi.jc_field_info_type)
	   (range_max fi.jc_field_info_type)
	 in
	 let omin2, omax2 = omin_omax (LVar alloc) x_dot_f
	   (range_min fi.jc_field_info_type)
	   (range_max fi.jc_field_info_type)
	 in
	 let range1 = make_range (LVar index1) omin1 omax1 in
	 let range2 = make_range (LVar index2) omin2 omax2 in
	 let shift1 = make_shift this_dot_f (LVar index1) in
	 let shift2 = make_shift this_dot_f (LVar index2) in

	 let eq = make_eq shift1 shift2 in

	 let com = make_eq
	   (make_select (LVar committed_name) shift1)
	   (make_bool true)
	 in

	 make_and_list [ range1; range2; eq; com ]
       with Failure "type_structure" ->
	 LFalse)
    reps
  in
  let big_or = make_or_list eq_and_com_list in

  let impl = LImpl(big_or, make_eq (LVar this) (LVar x_name)) in

  let forall =
    LForall(
      index1, simple_logic_type "int", [],
      LForall(
	index2, simple_logic_type "int", [],
	LForall(x_name, x_type, [], impl)))
  in

  (* params *)
  let params = List.map
    (fun fi ->
       let ac = JCalloc_root (struct_root fi.jc_field_info_struct) in
       [ fi.jc_field_info_final_name, memory_type (JCmem_field fi);
	 committed_name (JCtag(fi.jc_field_info_hroot, [])),
	 committed_memory_type (JCtag(fi.jc_field_info_hroot, []));
	 generic_alloc_table_name ac,
	 alloc_table_type ac ])
    reps
  in
  let params = List.flatten params in

  params, forall

let make_hierarchy_global_invariant acc root =
  (* this *)
  let this = "this" in
  let pc = JCtag(root, []) in
  let ac = alloc_class_of_pointer_class pc in
  let this_ty = pointer_type ac pc in

  (* not mutable => invariant, and their parameters *)
  let structs = hierarchy_structures root in
  let mut_inv = List.map
    (fun st ->
       let _, invs =
	 StringHashtblIter.find
           Jc_typing.structs_table st.jc_struct_info_name
       in
       List.map (fun inv -> not_mutable_implies_invariant this st inv) invs)
    structs
  in
  let mut_inv = List.flatten mut_inv in
  let params, mut_inv = List.map fst mut_inv, List.map snd mut_inv in
  let mut_inv = make_and_list mut_inv in

  (* not mutable for T => fields defined in T committed *)
  let params, mut_com = List.fold_left
    (fun (params, coms) st ->
       let p, c = not_mutable_implies_fields_committed this st in
       p@params, make_and c coms)
    (List.flatten params, LTrue)
    structs
  in

  (* committed => fully packed *)
  let params_cfp, com_fp = committed_implies_fully_packed this
    (JCtag(root, [])) in
  let params = params_cfp@params in

  (* unicity of the owner: x.f == y.f && x.f.committed ==> x == y *)
  let params_ou, owner_unicity = owner_unicity this root in
  let params = params_ou@params in

  (* predicate body, quantified on "this" *)
  let body = LForall(this, this_ty, [], make_and_list [ mut_inv; mut_com; com_fp; owner_unicity ]) in

  (* sort the parameters and only keep one of each *)
  let params = List.fold_left
    (fun acc (n, t) -> StringMap.add n t acc)
    StringMap.empty
    params
  in
  let params = StringMap.fold (fun n t acc -> (n, t)::acc) params [] in
  let params = List.sort lex2 params in

  (* fill hash table *)
  Hashtbl.add hierarchy_invariants root.jc_struct_info_name params;

  (* return the predicate *)
  match params with
    | [] -> acc (* Not supposed to happen though *)
    | _ -> Predicate(false, id_no_loc (hierarchy_invariant_name root),
		     params, body)::acc

let make_global_invariants acc =
  let h = hierarchies () in
  List.fold_left make_hierarchy_global_invariant acc h

let assume_global_invariant st =
  let params =
    try
      Hashtbl.find hierarchy_invariants (root_name st)
    with Not_found ->
      failwith
	("Jc_invariants.assume_global_invariant: "^
	   (root_name st)^" not found")
  in
  match params with
    | [] -> void
    | _ ->
	let reads = List.map fst params in
	let params = List.map (fun (n, _) -> LVar n) params in
	let inv = LPred(hierarchy_invariant_name st, params) in
	make_assume reads inv

let assume_global_invariants hl =
  List.fold_left append void (List.map assume_global_invariant hl)

(* Given a field that has just been modified, assume all potentially
useful invariant for all objects that is not mutable *)
let assume_field_invariants fi =
  let invs = field_invariants fi in
  (* keep hierarchies only once *)
  let hl = List.fold_left
    (fun acc (st, _) ->
       StringMap.add (root_name st) st.jc_struct_info_hroot acc)
    StringMap.empty
    invs
  in
  assume_global_invariants (StringMap.values hl)

(* Given the parameters of a function, assume all potentially useful
forall this: st, not this.mutable => invariant *)
let assume_all_invariants params =
  let structures = function_structures params in
  (* keep hierarchies only once *)
  let hl = List.fold_left
    (fun acc st ->
       StringSet.add (root_name (find_struct st)) acc)
    StringSet.empty
    structures
  in
  let roots = List.map find_struct (StringSet.elements hl) in
  assume_global_invariants roots

(*(* Given a field that has just been modified, assume all potentially
useful invariant for all objects that is not mutable *)
let assume_field_invariants fi =
  (* structure in which the field is defined *)
  let st, _ = Hashtbl.find Jc_typing.structs_table fi.jc_field_info_struct in
  let assumes = List.map (fun inv -> forall_mutable_invariant st inv) (field_invariants fi) in (* FAUX (st n'est pas forcément la bonne structure !) *)
  let assumes = List.map (fun (params, inv) -> make_assume (List.map fst params) inv) assumes in
  List.fold_left append Void assumes

let rec flatten_snd = function
  | [] -> []
  | (a, l)::tl -> (List.map (fun b -> a, b) l)@(flatten_snd tl)

(* Given the parameters of a function, assume all potentially useful
forall this: st, not this.mutable => invariant *)
let assume_all_invariants params =
  let structures = function_structures params in
  let st_invs =
    List.map
      (fun id -> Hashtbl.find Jc_typing.structs_table id)
      structures
  in
  let st_invs = flatten_snd st_invs in
  let assumes = List.map (fun (st, inv) -> forall_mutable_invariant st inv) st_invs in
  let assumes = List.map (fun (params, inv) -> make_assume (List.map fst params) inv) assumes in
  List.fold_left append Void assumes*)

(*****************)
(* pack / unpack *)
(*****************)

(* return fields that are both pointers and rep fields *)
let components st =
  List.fold_left
    (fun acc fi ->
       if fi.jc_field_info_rep then
	 match fi.jc_field_info_type with
	   | JCTpointer(pc, _, _) -> (fi, pc)::acc
	   | _ -> acc
       else acc)
    []
    st.jc_struct_info_fields

let components_by_type st =
  let compare_pcs s t =
    compare (pointer_class_type_name s) (pointer_class_type_name t) in
  let comps = components st in
  let comps =
    List.sort
      (fun (_, s) (_, t) -> compare_pcs s t)
      comps
  in
  let rec part prev acc = function
    | [] -> [prev, acc]
    | (fi, si)::tl ->
	if compare_pcs si prev = 0 then
	  part prev (fi::acc) tl
	else
	  (prev, acc)::(part si [fi] tl)
  in
  let part = function
    | [] -> []
    | (fi, si)::tl -> part si [fi] tl
  in
  part comps

(* return a post-condition stating that the committed
field of each component of "this" (in "fields") of the
hierarchy "root" has been set to "value", and only them *)
let hierarchy_committed_postcond this root fields value =
  let com = committed_name root in
  let ac = alloc_class_of_pointer_class root in
  let alloc = generic_alloc_table_name ac in
  (* fields information and range *)
  let fields = List.map
    (fun fi ->
       let this_fi = make_select_fi fi this in
       let omin, omax = omin_omax (LVar alloc) this_fi
	 (range_min fi.jc_field_info_type)
	 (range_max fi.jc_field_info_type)
       in
       fi, this_fi, omin, omax)
    fields
  in
  (* pset of pointers that have been modified *)
  let pset_list = List.map
    (fun (_fi, this_fi, omin, omax) ->
       (pset_range (pset_singleton this_fi) omin omax))
    fields
  in
  let pset = pset_union_list pset_list in
  (* "not_assigns" saying that only the pointers of pset
     have been modified *)
  let not_assigns = make_not_assigns (LDeref alloc)
    (LDerefAtLabel(com, ""))
    (LDeref com)
    pset
  in
  (* new values for the fields in their ranges *)
  let com_values = List.map
    (fun (fi, this_fi, omin, omax) ->
       let fi_pc = type_pc fi.jc_field_info_type in
       let index = "jc_index" in
       let range = make_range (LVar index) omin omax in
       let new_value = make_eq
	 (make_select_committed fi_pc
	    (make_shift this_fi (LVar index)))
	 (LConst(Prim_bool value))
       in
       LForall(index, simple_logic_type "int", [], LImpl(range, new_value)))
    fields
  in
  (* result *)
  make_and_list (not_assigns::com_values)

(* all components have "committed" = committed *)
let make_components_postcond this st reads writes committed =
  let comps = components_by_type st in
  let writes =
    List.fold_left
      (fun acc (pc, _) -> StringSet.add (committed_name pc) acc)
      writes
      comps
  in
  let reads =
    List.fold_left
      (fun acc (_, fields) ->
	 List.fold_left
	   (fun acc fi -> StringSet.add fi.jc_field_info_final_name acc)
	   acc
	   fields)
      reads
      comps
  in
  let reads = StringSet.union reads writes in
  let reads = List.fold_left
    (fun acc (pc, _fields) -> StringSet.add
       (generic_alloc_table_name (alloc_class_of_pointer_class pc)) acc)
    reads comps
  in
  let postcond =
    make_and_list
      (* for each hierarchy... *)
      (List.map
	 (fun (pc, fields) -> hierarchy_committed_postcond
	    this pc fields committed)
	 comps)
  in
  postcond, reads, writes  

(* all components must have mutable = committed = false (for pack) *)
let make_components_precond this st reads =
  let comps = components st in
  let reads =
    List.fold_left
      (fun acc (fi, _) -> StringSet.add fi.jc_field_info_final_name acc)
      reads
      comps
  in
  let l, reads = List.fold_left
    (fun (l, reads) (fi, si) ->
       let index_name = "jc_index" in
       let mutable_name = mutable_name si in
       let committed_name = committed_name si in
       (* x.f *)
       let base_field =
	 LApp("select", [LVar fi.jc_field_info_final_name; this])
       in
       (* x.f+i *)
       let this_field =
	 LApp("shift", [ base_field; LVar index_name ])
       in
       let fi_pc = type_pc fi.jc_field_info_type in
       let fi_ac = alloc_class_of_pointer_class fi_pc in
       let alloc = generic_alloc_table_name fi_ac in
       let reads = StringSet.add (generic_tag_table_name (pointer_class_root fi_pc)) reads in
       let reads = StringSet.add alloc reads in
       let reads = StringSet.add mutable_name reads in
       (* pre-condition: forall i, valid(x.f+i) => fp(x.f+i) /\ not committed(x.f+i) *)
       let body = make_and
	 (fully_packed fi_pc this_field)
	 (LPred(
	    "eq",
	    [ LApp("select", [LVar committed_name; this_field]);
	      LConst(Prim_bool false) ]))
       in
       let omin, omax = omin_omax (LVar alloc) base_field
	 (range_min fi.jc_field_info_type)
	 (range_max fi.jc_field_info_type)
       in
       let range = make_range (LVar index_name) omin omax in
       let valid_impl = LImpl(range, body) in
       let forall = LForall(index_name, simple_logic_type "int", [], valid_impl) in
       forall::l, reads)
    ([], reads)
    (components st)
  in
  make_and_list l, reads

let pack_declaration st acc =
  let this = "this" in
  let pc = JCtag(st, []) in
  let ac = alloc_class_of_pointer_class pc in
  let this_type = pointer_type ac pc in
  let tag = "tag" in
  let tag_type = tag_id_type (struct_root st) in
  let mutable_name = mutable_name (JCtag(st, [])) in
  let inv, reads = invariant_for_struct (LVar this) st in
  let writes = StringSet.empty in
  let components_post, reads, writes = make_components_postcond (LVar this) st reads writes true in
  let components_pre, reads = make_components_precond (LVar this) st reads in
  let reads = StringSet.add mutable_name reads in
  let writes = StringSet.add mutable_name writes in
  let requires =
    make_and_list [
      (LPred(
	 "parenttag",
	 [ LVar tag;
	   LApp("select", [LVar mutable_name; LVar this]) ]));
      inv;
      components_pre
    ]
  in
  let ensures =
    make_and
      (LPred(
	 "eq",
	 [ LVar mutable_name;
	   LApp(
	     "store",
	     [ LDerefAtLabel(mutable_name, "");
	       LVar this;
	       LVar tag ])]))
      components_post
  in
  let annot_type =
    Annot_type(
      requires,
      Base_type (simple_logic_type "unit"),
      StringSet.elements reads,
      StringSet.elements writes,
      ensures,
      []
    )
  in
  if st.jc_struct_info_parent = None then
    Param(
      false,
      id_no_loc (pack_name st),
      Prod_type(
	this,
	Base_type this_type,
	Prod_type(
	  tag,
	  Base_type tag_type,
	  annot_type
	)
      )
    )::acc
  else
    acc

(* Unlike Boogie, Jessie has "unpack to S" instead of "unpack from T" *)
let unpack_declaration st acc =
  let this = "this" in
  let pc = JCtag(st, []) in
  let ac = alloc_class_of_pointer_class pc in
  let this_type = pointer_type ac pc in
  let tag = "tag" in
  let tag_type = tag_id_type (struct_root st) in
  let mutable_name = mutable_name (JCtag(st, [])) in
  let committed_name = committed_name (JCtag(st, [])) in
  let reads = StringSet.singleton mutable_name in
  let writes = StringSet.singleton mutable_name in
  let reads = StringSet.add committed_name reads in
  let components_post, reads, writes = make_components_postcond (LVar this) st reads writes false in
  let requires =
    (* unpack this as tag: requires parenttag(this.mutable, tag) and not this.committed *)
    make_and
      (LPred(
	 "parenttag",
	 [ LApp("select", [LVar mutable_name; LVar this]);
	   LVar tag ]))
      (LPred(
	 "eq",
	 [ LConst(Prim_bool false);
	   LApp("select", [LVar committed_name; LVar this]) ]))
  in
  let ensures =
    make_and
      (LPred(
	 "eq",
	 [ LDeref mutable_name;
	   LApp(
	     "store",
	     [ LDerefAtLabel(mutable_name, "");
	       LVar this;
	       LVar tag ])]))
      components_post
  in
  let annot_type =
    Annot_type(
      requires,
      Base_type (simple_logic_type "unit"),
      StringSet.elements reads,
      StringSet.elements writes,
      ensures,
      []
    )
  in
  if st.jc_struct_info_parent = None then
    Param(
      false,
      id_no_loc ("unpack_"^(root_name st)),
      Prod_type(
	this,
	Base_type this_type,
	Prod_type(
	  tag,
	  Base_type tag_type,
	  annot_type
	)
      )
    )::acc
  else
    acc

(*********************************************************************)
(*               Using a recursively-defined predicate               *)
(*********************************************************************)
(*let valid_inv_name st = st.jc_struct_info_name ^ "_inv"

let valid_inv_axiom_name st = st.jc_struct_info_name ^ "_inv_sem"

let rec struct_depends st acc mem =
  let name = st.jc_struct_info_name in
  if StringSet.mem name mem then acc, mem else
  let acc, mem = List.fold_left (fun (acc, mem) (_, fi) -> match fi.jc_field_info_type with
      | JCTpointer(st, _, _) -> struct_depends st acc mem
      | JCTnull -> assert false
      | JCTnative _ | JCTlogic _ | JCTrange _ -> acc, mem)
    (st::acc, StringSet.add name mem) st.jc_struct_info_fields
  in
  match st.jc_struct_info_parent with
    None -> acc, mem
  | Some pst -> struct_depends pst acc mem

let struct_depends =
  let table = Hashtbl.create 97 in fun st ->
  let name = st.jc_struct_info_name in
  try Hashtbl.find table name with Not_found ->
  let result = fst (struct_depends st [] StringSet.empty) in
  Hashtbl.add table name result;
  result

(* "this" is not returned in the list of parameters of valid_inv_params *)
let valid_inv_params st =
  let deps = struct_depends st in
  let memories = List.fold_left (fun acc st ->
    List.fold_left (fun acc (_, fi) ->
      (fi.jc_field_info_final_name, memory_field fi)::acc) acc st.jc_struct_info_fields)
    [] deps in
  let params = List.fold_left invariants_params memories deps in
  let params = List.sort (fun (name1, _) (name2, _) ->
    compare name2 name1) params in
  let rec only_one prev acc = function
    [] -> acc
  | ((name, _) as x)::tl ->
      if name = prev then only_one prev acc tl
      else only_one name (x::acc) tl in
  let params = only_one "" [] params in
    params

(* generate valid_inv predicate and its axiom *)
let tr_valid_inv st acc =
  let params = valid_inv_params st in

  (**** valid_inv predicate declaration ****)
  let valid_inv_type = simple_logic_type "prop" in
  let vi_this = "???",
    { logic_type_name = "pointer" ;
      logic_type_args = [simple_logic_type st.jc_struct_info_hroot] } in
  let logic = Logic(false, valid_inv_name st, vi_this::params,
    valid_inv_type) in
  let acc = logic::acc in

  (**** valid_inv_sem axiom ****)
  let this = "inv_this" in
  let this_var = LVar this in
  let this_ty =
    { logic_type_name = "pointer";
      logic_type_args = [simple_logic_type st.jc_struct_info_hroot] } in
  let fields_valid_inv = List.map (fun (_, fi) ->
    match fi.jc_field_info_type with
    | JCTpointer(st, _, _) ->
        let params = valid_inv_params st in
        let params_var = List.map (fun (name, _) -> LVar name) params in
        LPred(valid_inv_name st,
          LApp("select", [LVar fi.jc_field_info_final_name; this_var])::params_var)
    | JCTnull -> assert false
    | JCTnative _
    | JCTlogic _
    | JCTrange _ -> LTrue) st.jc_struct_info_fields in
  let params_var = List.map (fun (name, _) -> LVar name) params in
  let sem = LIff(LPred(valid_inv_name st, this_var::params_var),
    LImpl(LPred("neq", [LVar this; LVar "null"]),
      make_and (make_and_list fields_valid_inv) (invariant_for_struct this_var st))) in
  (* parent invariant *)
  let sem = match st.jc_struct_info_parent with
    None -> sem
  | Some pst ->
      let parent_params = valid_inv_params pst in
      let parent_params_var = List.map (fun (name, _) -> LVar name) parent_params in
      make_and sem (LPred(valid_inv_name pst, this_var::parent_params_var))
  in
  (* quantifiers *)
  let sem = List.fold_left (fun acc (id, ty) ->
    LForall(id, ty, acc)) sem ((this, this_ty)::params) in
  Axiom(valid_inv_axiom_name st, sem)::acc*)

let rec invariant_for_struct ?pos this si =
  let _, invs = 
    StringHashtblIter.find Jc_typing.structs_table si.jc_struct_info_name 
  in
  let invs = Assertion.mkand ?pos
    ~conjuncts:(List.map 
		  (fun (li, _) -> 
		     let a = { jc_app_fun = li;
			       jc_app_args = [this];
			       jc_app_label_assoc = [];
			       jc_app_region_assoc = [] }
		     in
		       new assertion ?pos (JCAapp a)) invs) 
    ()
  in
    match si.jc_struct_info_parent with
      | None -> invs
      | Some(si, _) -> (* add invariants from the type hierarchy *)
	  let this =
	    match this#typ with
	      | JCTpointer (_, a, b) ->
		  new term_with ~typ:(JCTpointer (JCtag(si, []), a, b)) this
	      | _ -> assert false (* never happen *)
	  in
	    Assertion.mkand ?pos
	      ~conjuncts:[invs; (invariant_for_struct ?pos this si)]
	      ()
	      
let code_function (fi, pos, fs, _sl) vil =
  begin
    match !Jc_common_options.inv_sem with
      | InvArguments ->  (* apply arguments invariant policy *)
	  (* Calculate global invariants. *)
	  let _vitl = 
	    List.map 
	      (fun vi -> Term.mkvar ~var:vi ()) vil 
	  in
	  let global_invariants =
	    IntHashtblIter.fold
	      (fun _ (li, _) acc -> 
		 (* li.jc_logic_info_parameters <- vil; *)
		 let a = { jc_app_fun = li;
			   jc_app_args = (* vitl *)[];
			   jc_app_label_assoc = [];
			   jc_app_region_assoc = [] }
		 in
		 (new assertion ~mark:(Jc_pervasives.new_label_name ())
		    ~pos (JCAapp a)) :: acc)
	      Jc_typing.global_invariants_table []
	  in
	  let global_invariants = 
	    Assertion.mkand ~pos ~conjuncts:global_invariants ()
	  in
	  (* Calculate invariants for each parameter. *)
	  let pre_invariants,post_invariants =
	    List.fold_left
	      (fun (acc1,acc2) (valid,vi) ->
		 match vi.jc_var_info_type with
		   | JCTpointer (JCtag (st, []), _, _) ->
		       let inv = 
			 invariant_for_struct ~pos
			   (Term.mkvar ~var:vi ()) st
		       in
		       ((if valid then
			   Assertion.mkand ~pos
			     ~conjuncts: [acc1; inv] ()
			 else acc1),
			Assertion.mkand ~pos
			  ~conjuncts: [acc2; inv] ())
		   | _ -> (acc1,acc2))
	      (global_invariants,global_invariants)
	      fi.jc_fun_info_parameters
	  in
	  (* add invariants to the function precondition *)
	  fs.jc_fun_requires <- 
	    Assertion.mkand ~pos 
	    ~conjuncts:[fs.jc_fun_requires; pre_invariants] ();
	  (* add invariants to the function postcondition *)
	  if is_purely_exceptional_fun fs then () else
	    let safety_exists = ref false in
	    let post = post_invariants in
	    List.iter
	      (fun (_, s, b) ->
		 if s = "safety" then safety_exists := true;
		 b.jc_behavior_ensures <- 
		   Assertion.mkand ~pos ~conjuncts:[b.jc_behavior_ensures; post] ())
	      fs.jc_fun_behavior;
	    (* add the 'safety' spec if it does not exist 
	       (it could exist e.g. from Krakatoa) *)
	    if not !safety_exists then
	      if Jc_options.verify_invariants_only then
		let invariants_b = { default_behavior with jc_behavior_ensures = post } in
		fs.jc_fun_behavior <- 
		  (Loc.dummy_position, "invariants", invariants_b) :: fs.jc_fun_behavior;
	      else
		let safety_b = { default_behavior with jc_behavior_ensures = post } in
		fs.jc_fun_behavior <- 
		  (Loc.dummy_position, "safety", safety_b) :: fs.jc_fun_behavior;
      | _ -> ()
  end;


(*
Local Variables: 
compile-command: "unset LANG; make -C .. bin/jessie.byte"
End: 
*)
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_interp.mli���������������������������������������������������������������������������0000644�0001750�0001750�00000012365�12311670312�013700� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


(** {1 Main translation functions} *)


(** {2 effects} *)
val reads :
  type_safe:bool ->
  global_assertion:bool ->
  Jc_fenv.logic_info Jc_ast.location list ->
  Jc_env.mem_class * Jc_env.region -> Output.term

val collect_pset_locations :
  type_safe:bool ->
  global_assertion:bool ->
  Jc_fenv.logic_info Jc_ast.location -> Output.term

(** {2 types} *)

val tr_logic_type :
  string * Jc_type_var.t list ->
  Output.why_decl list -> Output.why_decl list

val tr_struct :
  Jc_env.struct_info -> Output.why_decl list -> Output.why_decl list

val tr_root :
  Jc_env.root_info -> Output.why_decl list -> Output.why_decl list

val tr_enum_type :
  Jc_env.enum_info -> Output.why_decl list -> Output.why_decl list

val tr_enum_type_pair :
  Jc_env.enum_info ->
  Jc_env.enum_info -> Output.why_decl list -> Output.why_decl list

(** {2 variables and heap} *)

val tr_variable :
  Jc_env.var_info ->
  'a -> Output.why_decl list -> Output.why_decl list

val tr_region :
  Jc_env.region -> Output.why_decl list -> Output.why_decl list

val tr_memory :
  Jc_env.mem_class * Jc_env.region ->
  Output.why_decl list -> Output.why_decl list

val tr_alloc_table :
  Jc_env.alloc_class * Jc_env.region ->
  Output.why_decl list -> Output.why_decl list

val tr_tag_table :
  Jc_env.root_info * Jc_env.region ->
  Output.why_decl list -> Output.why_decl list

(** {2 exceptions} *)


val tr_exception :
  Jc_env.exception_info ->
  Output.why_decl list -> Output.why_decl list

  
(** {2 terms and propositions} *)

val term_coerce :
  type_safe:'a ->
  global_assertion:bool ->
  Jc_env.label ->
  ?cast:bool ->
  Loc.position ->
  Jc_env.jc_type ->
  Jc_env.jc_type ->
  < region : Jc_region.RegionTable.key; .. > -> 
    Output.term -> Output.term

val term :
  ?subst:Output.term Jc_envset.VarMap.t ->
  type_safe:bool ->
  global_assertion:bool ->
  relocate:bool ->
  Jc_env.label ->
  Jc_env.label ->
  Jc_fenv.logic_info Jc_ast.term -> Output.term

val assertion :
  type_safe:bool ->
  global_assertion:bool ->
  relocate:bool ->
  Jc_env.label ->
  Jc_env.label ->
  Jc_fenv.logic_info Jc_ast.assertion -> Output.assertion


(** {2 theories} *)

val tr_axiom :
  Loc.position ->
  string ->
  is_axiom:bool ->
  Jc_env.label list ->
  Jc_fenv.logic_info Jc_ast.assertion ->
  Output.why_decl list -> Output.why_decl list

val tr_axiomatic_decl :
  Output.why_decl list ->
  Jc_typing.axiomatic_decl -> Output.why_decl list

(** {2 functions} *)

val pre_tr_fun :
  Jc_fenv.fun_info ->
  'a -> Jc_fenv.logic_info Jc_ast.fun_spec -> 'b -> 'c -> 'c

val tr_fun :
  Jc_fenv.fun_info ->
  Loc.position ->
  Jc_fenv.fun_spec ->
  (Jc_fenv.logic_info, Jc_fenv.fun_info) Jc_ast.expr option ->
  Output.why_decl list -> Output.why_decl list

val tr_specialized_fun :
  string ->
  string ->
  string Jc_envset.StringMap.t ->
  Output.why_decl list -> Output.why_decl list

(** {2 locations and explanations} *)

(*
val print_locs : Format.formatter -> unit
  *)

(*
  Local Variables: 
  compile-command: "unset LANG; make -j -C .. bin/jessie.byte"
  End: 
*)
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_pattern.ml���������������������������������������������������������������������������0000644�0001750�0001750�00000016454�12311670312�013706� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Jc_pervasives
open Jc_name
open Jc_ast
open Jc_env
open Jc_interp_misc
open Output

module type TAssertionMaker = sig
  type t
  val make_subtag: term -> struct_info -> t
  val make_or: t -> t -> t
  val make_and: t -> t -> t
  val make_not: t -> t
  val make_false: t
  val make_true: t
  val make_eq: jc_type -> term -> term -> t
end

module Pattern(AM: TAssertionMaker) = struct
  (** [pattern arg ty pat] translates the pattern [pat] applied to the term
    [arg] which have a [jc_type] of [ty].
    Returns [notcond, cond, vars] where:
    [notcond] is an assertion equivalent to "the pattern cannot be applied";
    [cond] is an assertion equivalent to "the pattern can be applied" and giving
      the values of each binded variable;
    [vars] is a list of [name, user_name, ty] where [user_name] is a variable
      binded by the pattern, [name] its unique name used in [cond], and
      [ty] its [jc_type]. *)
  let rec pattern arg ty pat = match pat#node with
    | JCPstruct(st, fpl) ->
	let subtag = AM.make_subtag arg st in
	List.fold_left
	  (fun (accnotcond, acccond, accvars) (fi, pat) ->
	     let arg = make_select_fi fi arg in
	     let ty = fi.jc_field_info_type in
	     let notcond, cond, vars = pattern arg ty pat in
	     AM.make_or accnotcond notcond,
	     AM.make_and acccond cond,
	     accvars @ vars)
	  (AM.make_not subtag, subtag, [])
	  fpl
    | JCPvar vi ->
	AM.make_false,
	AM.make_eq ty (LVar vi.jc_var_info_final_name) arg,
	[vi.jc_var_info_final_name, ty]
    | JCPor(p1, p2) ->
      (* typing ensures that both patterns bind the same variables *)
	let notcond1, cond1, vars = pattern arg ty p1 in
	let notcond2, cond2, _ = pattern arg ty p2 in
	AM.make_and notcond1 notcond2,
	AM.make_or cond1 cond2,
	vars
    | JCPas(p, vi) ->
	let notcond, cond, vars = pattern arg ty p in
	notcond,
	AM.make_and
	  cond
	  (AM.make_eq ty (LVar vi.jc_var_info_final_name) arg),
	(vi.jc_var_info_final_name, ty)::vars
    | JCPany | JCPconst JCCvoid ->
	AM.make_false,
	AM.make_true,
	[]
    | JCPconst c ->
	let eq = AM.make_eq ty arg (LConst (const c)) in
	AM.make_not eq,
	eq,
	[]
end

module MakeAssertion = struct
  type t = Output.assertion

  let make_subtag x st =
    let r = Jc_region.dummy_region in
    make_subtag (make_typeof st r x) (LVar (tag_name st))
  let make_or a b = LOr(a, b)
  let make_and a b = LAnd(a, b)
  let make_not a = LNot a
  let make_false = LFalse
  let make_true = LTrue
  let make_eq _ = make_eq
end
module PatternAssertion = Pattern(MakeAssertion)

module MakeTerm = struct
  type t = Output.term

  let make_subtag x st =
    let r = Jc_region.dummy_region in
    make_subtag_bool (make_typeof st r x) (LVar (tag_name st))
  let make_or = make_or_term
  let make_and = make_and_term
  let make_not = make_not_term
  let make_false = LConst(Prim_bool false)
  let make_true = LConst(Prim_bool false)
  let make_eq = make_eq_term
end
module PatternTerm = Pattern(MakeTerm)

let make_blackbox_annot pre ty reads writes post exn_posts =
  mk_expr(BlackBox(Annot_type(pre, ty, reads, writes, post, exn_posts)))

let pattern_list_expr translate_body arg region ty pbl =
  List.fold_left
    (fun accbody (pat, body) ->
       let notcond, cond, vars = PatternAssertion.pattern arg ty pat in
       let body = translate_body body in
       let reads =
	 let ef = Jc_effect.pattern empty_effects (*LabelHere region*) pat in
	 all_effects ef
       in
       let writes = List.map fst vars in
       let post = LIf(LVar "result", cond, notcond) in
       let bbox = make_blackbox_annot LTrue bool_type reads writes post [] in
       let branch = List.fold_left
	 (fun acc (name, ty) ->
           mk_expr (Let_ref(name, any_value region ty, acc)))
         (mk_expr (If(bbox, body, accbody)))
	 vars
       in
       branch)
    (mk_expr Absurd)
    (List.rev pbl)

let pattern_list_term translate_body arg ty pbl default =
  (* Right now, all binders are put at the predicate level, so there might
     be problems (though variables are renamed so it should be ok).
     Will be better when (if) Why has Let binders at the term level. *)
  List.fold_left
    (fun (accbody, _acclets) (pat, body) ->
       let _, cond, vars = PatternTerm.pattern arg ty pat in
       let body = translate_body body in
       let body = make_if_term cond body accbody in
       let lets = List.map
	 (fun (n, ty) -> JCforall(n, tr_base_type ty))
	 vars
       in
       body, lets)
    (default, [])
    (List.rev pbl)

let pattern_list_assertion translate_body arg ty pbl default =
  List.fold_left
    (fun (accbody, accnotcond) (pat, body) ->
       (* not previous case => (forall vars, arg matches pattern => body) *)
       let notcond, cond, vars = PatternAssertion.pattern arg ty pat in
       let body = translate_body body in
       let case =
	 List.fold_left
	   (fun acc (n, ty) -> LForall(n, tr_base_type ty, [], acc))
	   (LImpl(cond, body))
	   vars
       in
       let full_case = LImpl(accnotcond, case) in
       LAnd(accbody, full_case), LAnd(accnotcond, notcond))
    (default, LTrue)
    pbl

(*
  Local Variables: 
  compile-command: "unset LANG; make -j -C .. bin/jessie.byte"
  End:
*)
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/numconst.mll����������������������������������������������������������������������������0000644�0001750�0001750�00000015701�12311670312�013571� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(*i $Id: numconst.mll,v 1.7 2008-11-05 14:03:16 filliatr Exp $ i*)

(* evaluation of integer literals *)

{

  open Lexing
  open Num

  let zero = num_of_int 0
  let eight = num_of_int 8
  let ten = num_of_int 10
  let sixteen = num_of_int 16

  let val_char = function
    | '0' -> 0
    | '1' -> 1
    | '2' -> 2
    | '3' -> 3
    | '4' -> 4
    | '5' -> 5
    | '6' -> 6
    | '7' -> 7
    | '8' -> 8
    | '9' -> 9
    | 'a' | 'A' -> 10
    | 'b' | 'B' -> 11
    | 'c' | 'C' -> 12
    | 'd' | 'D' -> 13
    | 'e' | 'E' -> 14
    | 'f' | 'F' -> 15
    | _ -> assert false

  let val_char c = num_of_int (val_char c)

(*
  let check_bounds loc hexa accu suffix =
    match String.lowercase suffix with
      | "" ->
	  if accu > 0x7FFFFFFFL then 
	     if hexa then warning loc "Constant too large for a int"
                     else raise Constant_too_large
          else
	    if accu > 0x7FFFL then 
	      warning loc
		"this constant overflows if sizeof(int)<=16";
	  accu 
      | "u" ->
	  if accu > 0xFFFFFFFFL then raise Constant_too_large;
	  if accu > 0xFFFFL then 
	    warning loc
	      "this constant overflows if sizeof(int)<=16";
	  accu 
      | "l" ->
	  if accu > 0x7FFFFFFFL then raise Constant_too_large else accu 
      | "ul" | "lu" ->
	  if accu > 0xFFFFFFFFL then raise Constant_too_large else accu 
      | "ll" ->
	  if accu > 0x7FFFFFFFFFFFFFFFL then raise Constant_too_large else accu
      | "ull" | "llu" -> accu 
      | _ ->
	  raise (Invalid ("suffix '" ^ suffix ^ "' on integer constant")) 
*)

}

let rD =	['0'-'9']
let rL = ['a'-'z' 'A'-'Z' '_']
let rH = ['a'-'f' 'A'-'F' '0'-'9']
(*
let rE = ['E''e']['+''-']? rD+
let rFS	= ('f'|'F'|'l'|'L')
*)
let rIS = ('u'|'U'|'l'|'L')

(*
  | '0'['x''X'] rH+ rIS?    { CONSTANT (IntConstant (lexeme lexbuf)) }
  | '0' rD+ rIS?            { CONSTANT (IntConstant (lexeme lexbuf)) }
  | rD+ rIS?                { CONSTANT (IntConstant (lexeme lexbuf)) }
  | 'L'? "'" [^ '\n' '\'']+ "'"     { CONSTANT (IntConstant (lexeme lexbuf)) }
*)

rule eval_int = parse

  | '0'['x''X']  { eval_hexa zero lexbuf }
  | "'" { eval_char lexbuf }
  | '0' { eval_octa zero lexbuf}
  | ['1'-'9'] as d { eval_deci (val_char d) lexbuf}
  | "-" { minus_num(eval_int lexbuf) }
  | 'L' { invalid_arg "extended characters not yet implemented" } 
  | eof { invalid_arg "empty literal" }
  | _   { invalid_arg ("Illegal character " ^ lexeme lexbuf) }

and eval_hexa accu = parse
  | rH as d { (* if accu >= 0x10000000L then raise Constant_too_large; *)
	  let accu = add_num (mult_num sixteen accu) (val_char d) in 
	  eval_hexa accu lexbuf }
  | eof { (* check_bounds loc true *) accu (*""*) }
  | rIS+ as _s { (*check_bounds loc true *) accu (* s *) }
  | _ { invalid_arg ("digit '" ^ (lexeme lexbuf) ^ 
		       "' in hexadecimal constant") }

and eval_deci accu = parse
  | rD as c 
      { (* if accu >= 0x10000000L then raise Constant_too_large; *)
	let accu = add_num (mult_num ten accu) (val_char c) in 
	eval_deci accu lexbuf }
  | eof 
      { (* check_bounds loc false *) accu (* "" *) }
  | rIS+ as _s
      { (* check_bounds loc false *) accu (* s *) }
  | _ 
      { invalid_arg ("digit '" ^ (lexeme lexbuf) ^ 
			"' in decimal constant") }

and eval_octa accu = parse
  | ['0'-'7'] as d
      { (* if accu >= 0x10000000L then raise Constant_too_large; *)
	let accu = add_num (mult_num eight accu) (val_char d) in 
	eval_octa accu lexbuf }
  | eof { (* check_bounds loc false *) accu (* "" *) }
  | rIS+ as _s { (* check_bounds loc false *) accu (* s *) }
  | _ { invalid_arg ("digit '" ^ (lexeme lexbuf) ^ 
			"' in octal constant") }

and eval_char = parse
  | "\\n'" { num_of_int (Char.code '\n') }
  | "\\t'" { num_of_int (Char.code '\t') }
  | "\\v'" { num_of_int 11 }
  | "\\a'" { num_of_int 7 }
  | "\\b'" { num_of_int (Char.code '\b') }
  | "\\r'" { num_of_int (Char.code '\r') }
  | "\\f'" { num_of_int 12 }
  | "\\\\'" { num_of_int (Char.code '\\') }
  | "\\?'" { num_of_int (Char.code '?') }
  | "\\''" { num_of_int (Char.code '\'') }
  | "\\\"'" { num_of_int (Char.code '"') }
  | "\\" (['0'-'7'] ['0'-'7']? ['0'-'7']? as s) "'" 
      { num_of_int (int_of_string ("0o" ^ s)) }
  | "\\" (['0'-'9'] ['0'-'9']? ['0'-'9']? as s) "'" 
      { invalid_arg ("digits '" ^ s ^ "' in octal constant") }
  | "\\x" (rH rH? as s) "'" { num_of_int (int_of_string ("0x" ^ s)) }
  | "\\u" (rH rH rH rH as s) "'" { num_of_int (int_of_string ("0x" ^ s)) }
  | (_ as c) "'" { num_of_int (Char.code c) }
  | [^'\'']* as s "'"  
      { invalid_arg ("cannot evaluate char constant '" ^ s ^"'") }

{

  let integer s =
(*
    try
*)
      let lb = Lexing.from_string s in
      eval_int lb
(*
    with
      | Constant_too_large -> error loc "constant too large"
      | Invalid msg -> error loc "invalid constant: %s" msg
*)

    
}
���������������������������������������������������������������why-2.34/jc/jc_stdlib_lt312.ml����������������������������������������������������������������������0000644�0001750�0001750�00000017247�12311670312�014440� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



module List = struct
  include List

  let cons e l = e::l

  let as_singleton = function
    | [e] -> e
    | _ -> failwith "as_singleton"

  let mem_assoc_eq f k l =
    fold_left (fun v_opt (k',v') -> 
		 match v_opt with
		   | None ->
		       if f k k' then Some v' else None
		   | Some v -> Some v
	      ) None l

  let all_pairs l =
    let rec aux acc = function
      | e :: l ->
	  let acc = fold_left (fun acc e' -> (e,e') :: acc) acc l in
	  aux acc l
      | [] -> acc
    in
    aux [] l

  let map_fold f acc l =
    let (rev,acc) = List.fold_left 
      (fun (rev,acc) e -> let (e,acc) = (f acc e) in (e::rev,acc)) 
      ([],acc) l in
    (List.rev rev,acc)

  let fold_all_part f acc =
    let rec aux acc part = function
    | [] -> f acc part
    | a::l -> aux (aux acc (a::part) l) part l in
    aux acc []

end

module Set = struct

  module type OrderedType = Set.OrderedType

  module type S = sig
    include Set.S
    val of_list: elt list -> t
    val to_list: t -> elt list
  end

  module Make(Ord : OrderedType) : S with type elt = Ord.t = struct
    include Set.Make(Ord)

    let of_list ls =
      List.fold_left (fun s e -> add e s) empty ls

    let to_list s =
      fold (fun e acc -> e :: acc) s []

  end
end

module Map = struct

  module type OrderedType = Map.OrderedType

  module type S = sig
    include Map.S
    val elements: 'a t -> (key * 'a) list
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val to_list: 'a t -> (key * 'a) list
    val exists: (key -> 'a -> bool) -> 'a t -> bool
    val filter: (key -> 'a -> bool) -> 'a t -> 'a t
    val find_or_default: key -> 'a -> 'a t -> 'a
    val find_or_none: key -> 'a t -> 'a option
    val merge: ('a -> 'a -> 'a) -> 'a t -> 'a t -> 'a t
    val add_merge: ('a -> 'a -> 'a) -> key -> 'a -> 'a t -> 'a t
    val diff_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge_option: ('a -> 'b -> 'c option) -> 'a t -> 'b t -> 'c t
  end

  module Make(Ord : OrderedType) : S with type key = Ord.t = struct
    include Map.Make(Ord)

    let elements m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let keys m = 
      fold (fun k _v acc -> k :: acc) m []

    let values m = 
      fold (fun _k v acc -> v :: acc) m []

    let to_list m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let exists f m =
      fold (fun k v b -> b || f k v) m false

    let filter f m =
      fold (fun k v m ->
	      if f k v then add k v m else m
	   ) m empty

    let find_or_default k v m =
      try find k m with Not_found -> v

    let find_or_none k m =
      try Some(find k m) with Not_found -> None

    let merge f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		add k (f v1 v2) m
	      with Not_found ->
		add k v1 m
	   ) m1 m2

    let add_merge f k v m =
      let v = 
	try f v (find k m)
	with Not_found -> v
      in 
      add k v m

    let diff_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found ->
		add k v1 m
	   ) m1 empty

    let inter_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found -> m
	   ) m1 empty

    let inter_merge_option f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		match f v1 v2 with
                  | Some v -> add k v m
                  | None -> m
	      with Not_found -> m
	   ) m1 empty
	
  end
end

module StdHashtbl = Hashtbl

module Hashtbl = struct

  module type HashedType = Hashtbl.HashedType

  module type S = sig 
    include Hashtbl.S
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val choose: 'a t -> (key * 'a) option
    val remove_all : 'a t -> key -> unit
    val is_empty : 'a t -> bool
  end

  module type Std = sig
    type ('a, 'b) t
    val create : int -> ('a, 'b) t
    val clear : ('a, 'b) t -> unit
    val add : ('a, 'b) t -> 'a -> 'b -> unit
    val copy : ('a, 'b) t -> ('a, 'b) t
    val find : ('a, 'b) t -> 'a -> 'b
    val find_all : ('a, 'b) t -> 'a -> 'b list
    val mem : ('a, 'b) t -> 'a -> bool
    val remove : ('a, 'b) t -> 'a -> unit
    val replace : ('a, 'b) t -> 'a -> 'b -> unit
    val iter : ('a -> 'b -> unit) -> ('a, 'b) t -> unit
    val fold : ('a -> 'b -> 'c -> 'c) -> ('a, 'b) t -> 'c -> 'c
    val length : ('a, 'b) t -> int
    val hash : 'a -> int
    val hash_param : int -> int -> 'a -> int
  end

  include (Hashtbl : Std)

  module Make(H : HashedType) : S with type key = H.t = struct
    include Hashtbl.Make(H)

    let keys t = 
      fold (fun k _v acc -> k :: acc) t []

    let values t = 
      fold (fun _k v acc -> v :: acc) t []

    let choose t =
      let p = ref None in
      begin try
	iter (fun k v -> p := Some(k,v); failwith "Hashtbl.choose") t
      with Failure "Hashtbl.choose" -> () end;
      !p

    let remove_all t p =
      List.iter (fun _ -> remove t p) (find_all t p)

    let is_empty t =
      try
        iter (fun _ _ ->  raise Not_found) t;
        true
      with Not_found -> false          
  end

  let remove_all t p =
    List.iter (fun _ -> remove t p) (find_all t p)
      
  let is_empty t =
    try
      iter (fun _ _ ->  raise Not_found) t;
      true
    with Not_found -> false

end

(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_norm.mli�����������������������������������������������������������������������������0000644�0001750�0001750�00000004723�12311670312�013351� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_env
open Jc_fenv
open Jc_ast

val decls : pexpr decl list -> nexpr decl list

val return_label : identifier

(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
���������������������������������������������why-2.34/jc/jc_constructors.ml����������������������������������������������������������������������0000644�0001750�0001750�00000053077�12311670312�015003� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_env
open Jc_region
open Jc_ast 
open Jc_fenv

class positioned ~pos =
object
  method pos: Loc.position = 
    match pos with None -> Loc.dummy_position | Some pos -> pos 
end

class typed ~typ =
object
  method typ: jc_type = typ
end

class labeled ~label =
object
  val mutable llab: label option = label
  method label = llab
  method set_label lab = llab <- lab
end

class marked ~mark =
object
  method mark: string = mark
end

class regioned ~region =
object
  val mutable r: region = region
  method region = r
  method set_region x = r <- x
end

class identifier ?pos name = 
object
  inherit positioned pos
  method name: string = name
end

class ['a] node_positioned ?pos node = 
object
  inherit positioned pos
  method node: 'a = node
end

class ptype ?(pos = Loc.dummy_position) node = 
object
  inherit [ptype_node] node_positioned ~pos node
end

class pexpr ?(pos = Loc.dummy_position) node =
object
  inherit [pexpr_node] node_positioned ~pos node
end

class pexpr_with ?pos ?node e =
  let pos = match pos with None -> e#pos | Some pos -> pos in
  let node = match node with None -> e#node | Some node -> node in
  pexpr ~pos node

class nexpr ?(pos = Loc.dummy_position) ?label node =
object
  inherit labeled label
  inherit [nexpr_node] node_positioned ~pos node
end

class nexpr_with ?pos ?node e =
  let pos = match pos with None -> e#pos | Some pos -> pos in
  let node = match node with None -> e#node | Some node -> node in
  let llab = e#label in
  nexpr ~pos ~label:llab node

class pattern ?(pos = Loc.dummy_position) ~typ node =
object
  inherit typed typ
  inherit [pattern_node] node_positioned ~pos node
end

class pattern_with ?pos ?node ?typ p =
  let pos = match pos with None -> p#pos | Some pos -> pos in
  let node = match node with None -> p#node | Some node -> node in
  let typ = match typ with None -> p#typ | Some typ -> typ in
  pattern ~pos ~typ node

class term ?(pos = Loc.dummy_position) ~typ ?(mark="") ?label ?region node =
  let region = 
    match region with None -> dummy_region | Some region -> region 
  in
object
  inherit typed typ
  inherit regioned region
  inherit marked mark
  inherit labeled label
  inherit [term_node] node_positioned ~pos node
end

class term_with ?pos ?typ ?mark ?region ?node t =
  let pos = match pos with None -> t#pos | Some pos -> pos in
  let typ = match typ with None -> t#typ | Some typ -> typ in
  let mark = 
    match mark with None -> t#mark | Some mark -> mark 
  in
  let llab = t#label in
  let region = match region with None -> t#region | Some region -> region in
  let node = match node with None -> t#node | Some node -> node in
  term ~pos ~typ ~mark ?label:llab ~region node

class term_var ?(pos = Loc.dummy_position) ?(mark="") v =
  term ~pos ~typ:v.jc_var_info_type ~mark ~region:v.jc_var_info_region
    (JCTvar v)

class location ?(pos = Loc.dummy_position) ~typ ?label ?region node =
  let region = 
    match region with None -> dummy_region | Some region -> region 
  in
object
  inherit typed typ
  inherit regioned region
  inherit labeled label
  inherit [location_node] node_positioned ~pos node
end

(* ignore argument's label *)
class location_with ?pos ~typ ?label ?region ~node t =
  let pos = match pos with None -> t#pos | Some pos -> pos in
  let region = match region with None -> t#region | Some region -> region in
  location ~pos ~typ ?label ~region node

class location_set ?(pos = Loc.dummy_position) ~typ ?label ?region node =
  let region = 
    match region with None -> dummy_region | Some region -> region 
  in
object
  inherit typed typ
  inherit regioned region
  inherit labeled label
  inherit [location_set_node] node_positioned ~pos node
end

(* ignore argument's label *)
class location_set_with ?pos ~typ ?label ?region ~node t =
  let pos = match pos with None -> t#pos | Some pos -> pos in
  let region = match region with None -> t#region | Some region -> region in
  location_set ~pos ~typ ?label ~region node

class expr ?(pos = Loc.dummy_position) ~typ ?(mark="") ?region
  ?original_type node =
  let region = 
    match region with None -> dummy_region | Some region -> region 
  in
object
  inherit typed typ
  inherit regioned region
  inherit marked mark
  inherit [expr_node] node_positioned ~pos node
  method original_type = 
    match original_type with None -> typ | Some original_type -> original_type
end

class expr_with ?pos ?typ ?mark ?region ?node ?original_type e =
  let pos = match pos with None -> e#pos | Some pos -> pos in
  let typ = match typ with None -> e#typ | Some typ -> typ in
  let mark = 
    match mark with None -> e#mark | Some mark -> mark 
  in
  let region = match region with None -> e#region | Some region -> region in
  let node = match node with None -> e#node | Some node -> node in
  let original_type = match original_type with
    | None -> e#original_type
    | Some original_type -> original_type
  in
  expr ~pos ~typ ~mark ~region ~original_type node

class assertion ?(mark="") ?label ?(pos = Loc.dummy_position) node =
object
  inherit marked mark
  inherit labeled label
  inherit [assertion_node] node_positioned ~pos node
end

class assertion_with ?pos ?mark ?node a =
  let pos = match pos with None -> a#pos | Some pos -> pos in
  let mark = 
    match mark with None -> a#mark | Some mark -> mark 
  in
  let llab = a#label in
  let node = match node with None -> a#node | Some node -> node in
  assertion ~pos ~mark ?label:llab node

class ['expr] ptag ?(pos = Loc.dummy_position) node =
object
  inherit ['expr ptag_node] node_positioned ~pos node
end

class ['expr] ptag_with ?pos ?node t =
  let pos = match pos with None -> t#pos | Some pos -> pos in
  let node = match node with None -> t#node | Some node -> node in
  ['expr] ptag ~pos node

class tag ?(pos = Loc.dummy_position) node =
object
  inherit [tag_node] node_positioned ~pos node
end

class tag_with ?pos ?node t =
  let pos = match pos with None -> t#pos | Some pos -> pos in
  let node = match node with None -> t#node | Some node -> node in
  tag ~pos node

class ['expr] decl ?(pos = Loc.dummy_position) node =
object
  inherit ['expr decl_node] node_positioned ~pos node
end

class ['expr] decl_with ?pos ?node t =
  let pos = match pos with None -> t#pos | Some pos -> pos in
  let node = match node with None -> t#node | Some node -> node in
  ['expr] decl ~pos node

(*******************************************************************************)
(*                             constant constructors                           *)
(*******************************************************************************)

(* These functions also exist in the other constructor modules such as PExpr. *)
module Const = struct
  let mkvoid = JCCvoid
  let mknull = JCCnull
  let mkboolean value = JCCboolean value
  let mkint ?value ?valuestr () =
    match value, valuestr with
      | Some value, None -> JCCinteger (string_of_int value)
      | None, Some valuestr -> JCCinteger valuestr
      | _ -> failwith "Jc_constructors.Const.mkint: use with ~value OR \
~valuestr only"
  let mkreal ?value ?valuestr () =
    match value, valuestr with
      | Some value, None -> JCCreal (string_of_float value)
      | None, Some valuestr -> JCCreal(valuestr)
      | _ -> failwith "Jc_constructors.Const.mkint: use with ~value OR \
~valuestr only"
end

(*******************************************************************************)
(*                               pexpr constructors                            *)
(*******************************************************************************)

let oo a b = match a with
  | None -> b
  | Some a -> a

module PExpr = struct
  let mk ?pos ~node () = new pexpr ?pos node

  let mkconst ~const = mk ~node:(JCPEconst const)
  let mkvoid = mkconst ~const:Const.mkvoid
  let mknull = mkconst ~const:Const.mknull
  let mkboolean ~value = mkconst ~const:(Const.mkboolean value)
  let mkint ?value ?valuestr = mkconst ~const:(Const.mkint ?value ?valuestr ())
  let mkreal ?value ?valuestr = mkconst ~const:(Const.mkreal ?value ?valuestr ())

  let mkbinary ~expr1 ~op ~expr2 = mk ~node:(JCPEbinary(expr1, op, expr2))
  let mkbinary_list ~default ~op ?expr1 ?expr2 ?list ?pos
      () =
    match expr1, expr2, list with
      | None, None, Some el ->
	  begin
	    match el with
	      | [] -> default
	      | e::el ->
            List.fold_left
              (fun expr2 expr1 -> mkbinary ?pos ~expr1 ~expr2 ~op ())
              e el
	  end
      | Some expr1, Some expr2, None -> mkbinary ~expr1 ~op ~expr2 ?pos ()
      | _ -> failwith "Jc_constructors.PExpr.mkbinary_list should be used \
either with (~expr1 AND ~expr2) OR ~list only."
  let mkand = mkbinary_list ~default:(mkboolean ~value:true ()) ~op:`Bland
  let mkor = mkbinary_list ~default:(mkboolean ~value:false ()) ~op:`Blor
  let mkadd = mkbinary_list ~default:(mkint ~value:0 ()) ~op:`Badd

  let mklabel ~label ~expr = mk ~node:(JCPElabel(label, expr))
  let mkvar ~name = mk ~node:(JCPEvar name)
  let mkderef ~expr ~field = mk ~node:(JCPEderef(expr, field))
  let mkunary ~expr ~op = mk ~node:(JCPEunary(op, expr))
  let mkapp ~fun_name ?(labels = []) ?(args = []) =
    mk ~node:(JCPEapp(fun_name, labels, args))
  let mkassign ~location ~value ?field ?op =
    let location = match field with
      | None -> location
      | Some field -> mkderef ~expr:location ~field:field ()
    in
    match op with
      | None -> mk ~node:(JCPEassign(location, value))
      | Some op -> mk ~node:(JCPEassign_op(location, op, value))
  let mkinstanceof ~expr ~typ = mk ~node:(JCPEinstanceof(expr, typ))
  let mkcast ~expr ~typ = mk ~node:(JCPEcast(expr, typ))
  let mkquantifier ~quantifier ~typ ~vars ?(triggers=[]) ~body =
    mk ~node:(JCPEquantifier(quantifier, typ, vars, triggers, body))
  let mkforall = mkquantifier ~quantifier:Forall
  let mkexists = mkquantifier ~quantifier:Exists
  let mkold ~expr = mk ~node:(JCPEold expr)
  let mkat ~expr ~label = mk ~node:(JCPEat(expr, label))
  let mkfresh ~expr = mk ~node:(JCPEfresh(expr))
  let mkoffset ~kind ~expr = mk ~node:(JCPEoffset(kind, expr))
  let mkoffset_min = mkoffset ~kind:Offset_min
  let mkoffset_max = mkoffset ~kind:Offset_max
  let mkif ~condition ~expr_then ?(expr_else = mkvoid ()) =
    mk ~node:(JCPEif(condition, expr_then, expr_else))
  let mkblock ~exprs = mk ~node:(JCPEblock exprs)
  let mkdecl ~typ ~var ?init = mk ~node:(JCPEdecl(typ, var, init))
  let mklet ?typ ~var ?init ~body ?pos () =
    match typ with
      | None -> mk ~node:(JCPElet(typ, var, init, body)) ?pos ()
      | Some typ ->
	  mkblock ~exprs:[
	    mkdecl ~typ ~var ?init ?pos ();
	    body
	  ] ?pos ()
  let mklet_nodecl ?typ ~var ?init ~body =
    mk ~node:(JCPElet(typ, var, init, body))
  let mkrange ?left ?right ?locations ?pos () =
    let r = mk ~node:(JCPErange(left, right)) ?pos () in
    match locations with
      | None -> r
      | Some l -> mkadd ~expr1:l ~expr2:r ?pos ()
  let mkalloc ?(count = mkint ~value:1 ()) ~typ =
    mk ~node:(JCPEalloc(count, typ))
  let mkfree ~expr = mk ~node:(JCPEfree expr)
  let mkmutable ~expr ~tag = mk ~node:(JCPEmutable(expr, tag))
  let mktag_equality ~tag1 ~tag2 = mk ~node:(JCPEeqtype(tag1, tag2))
  let mkmatch ~expr ~cases = mk ~node:(JCPEmatch(expr, cases))
  let mkassert ?(behs=[]) ~expr = 
    mk ~node:(JCPEassert (behs,Aassert,expr))
  let mkwhile ?(condition = mkboolean ~value:true ())
      ?(behaviors = []) ?variant ~body =
    mk ~node:(JCPEwhile(condition, behaviors, variant, body))
  let mkfor ?(inits = []) ?(condition = mkboolean ~value:true ())
      ?(updates = []) ?(behaviors = []) ?variant ~body =
    mk ~node:(JCPEfor(inits, condition, updates, behaviors, variant, body))
  let mkreturn ?(expr = mkvoid ()) = mk ~node:(JCPEreturn expr)
  let mkbreak ?(label = "") = mk ~node:(JCPEbreak label)
  let mkcontinue ?(label = "") = mk ~node:(JCPEcontinue label)
  let mkgoto ~label = mk ~node:(JCPEgoto label)
  let mktry ~expr ?(catches = []) ?(finally = mkvoid ()) =
    mk ~node:(JCPEtry(expr, catches, finally))
  let mkthrow ~exn ?(argument = mkvoid ()) = mk ~node:(JCPEthrow(exn, argument))
  let mkpack ~expr ?tag = mk ~node:(JCPEpack(expr, tag))
  let mkunpack ~expr ?tag = mk ~node:(JCPEunpack(expr, tag))
  let mkswitch ~expr ?(cases = []) = mk ~node:(JCPEswitch(expr, cases))

  let mkcatch ~exn ?(name = "") ?body ?pos () =
    exn, name, (match body with None -> mkvoid ?pos () | Some body -> body)

  let mkshift ~expr ~offset = mkadd ~expr1:expr ~expr2:offset
  let mknot = mkunary ~op:`Unot
  let mkeq = mkbinary ~op:`Beq
  let mkimplies = mkbinary ~op:`Bimplies
  let mkiff = mkbinary ~op:`Biff
  let mkincr_heap ~expr ~field ?(op = `Upostfix_inc) =
    mkunary ~op ~expr:(mkderef ~expr ~field ())

  let mkcontract ~requires ~decreases ~behaviors ~expr =
    mk ~node:(JCPEcontract(requires, decreases, behaviors, expr))
end

module PDecl = struct
  open PExpr

  let mk ?pos ~node () =
    new node_positioned ?pos node
  let mkfun_def ?(result_type = new ptype (JCPTnative Tunit)) ~name
      ?(params = []) ?(clauses = []) ?body =
    mk ~node:(JCDfun(result_type, name, params, clauses, body))
  let mklemma_def ~name ?(axiom = false) ?(poly_args=[]) ?(labels = []) ~body =
    mk ~node:(JCDlemma(name, axiom, poly_args, labels, body))
  let mklogic_var_def ~typ ~name ?body =
    mk ~node:(JCDlogic_var(typ, name, body))
  let mklogic_def ?typ ~name ?(poly_args = []) ?(labels = []) ?(params = []) 
      ?reads ?body ?inductive = 
    let roe = match reads, body, inductive with
      | None, None, None -> JCnone
      | Some r, None, None -> JCreads r
      | None, Some b, None -> JCexpr b
      | None, None, Some l -> JCinductive l 
      | _ ->
          raise
            (Invalid_argument "mklogic_def: cannot use both ~reads and ~body and ~inductive")
    in
    mk ~node:(JCDlogic(typ, name, poly_args, labels, params, roe))
      
  let mkaxiomatic ~name ~decls =
    mk ~node:(JCDaxiomatic(name,decls))
  let mklogic_type ?(args = []) ~name =
    mk ~node:(JCDlogic_type(name,args))
  let mkvar_def ~typ ~name ?init =
    mk ~node:(JCDvar(typ, name, init))
  let mkglobal_inv_def ~name ~body =
    mk ~node:(JCDglobal_inv(name, body))
  let mktag_def ~name ?(params = []) ?super ?(fields = []) ?(invariants = []) =
    mk ~node:(JCDtag(name, params, super, fields, invariants))
  let mkenum_type_def ~name ~left ~right =
    mk ~node:(JCDenum_type(name, left, right))
  let mkexception_def ~name ?arg_type =
    mk ~node:(JCDexception(name, arg_type))
  let mkvariant_type_def ~name ?(tags = []) =
    mk ~node:(JCDvariant_type(name, tags))

  let mkinvariant_policy_def ~value = mk ~node:(JCDinvariant_policy value)
  let mkseparation_policy_def ~value = mk ~node:(JCDseparation_policy value)
  let mktermination_policy_def ~value = mk ~node:(JCDtermination_policy value)
  let mkannotation_policy_def ~value = mk ~node:(JCDannotation_policy value)
  let mkabstract_domain_def ~value = mk ~node:(JCDabstract_domain value)
  let mkint_model_def ~value = mk ~node:(JCDint_model value)

  let mkbehavior ?(pos = Loc.dummy_position) ~name ?throws ?assumes ?requires
      ?assigns ?allocates ?(ensures = mkboolean ~value:true ()) () =
    (pos, name, throws, assumes, requires, assigns, allocates, ensures)

  let mkrequires_clause expr = JCCrequires expr

  let mkdecreases_clause ?measure expr = JCCdecreases(expr,measure)

  let mkbehavior_clause ?(pos = Loc.dummy_position) ~name ?throws ?assumes ?requires
      ?assigns ?allocates ?(ensures = mkboolean ~value:true ()) () =
      JCCbehavior (mkbehavior ~pos ~name ?throws ?assumes ?requires ?assigns ?allocates ~ensures ())

  let mkbehavior_clause_with ?pos ?name ?throws ?assumes ?requires ?assigns ?allocates ?ensures =
    function
      | JCCbehavior(pos', name', throws', assumes', requires', assigns',
                    allocates', ensures') ->
          JCCbehavior(
            oo pos pos',
            oo name name',
            oo throws throws',
            oo assumes assumes',
            oo requires requires',
            oo assigns assigns',
            oo allocates allocates',
            oo ensures ensures'
          )
      | _ -> raise (Invalid_argument "mkbehavior_with")
  let mkassigns ?(pos = Loc.dummy_position) ?(locations = []) () =
    pos, locations

  let mktag_invariant ~name ~var ~body = name, var, body

  let behavior_ensures = function
    | JCCbehavior(_, _, _, _, _, _, _, e) -> e
    | _ -> raise (Invalid_argument "behavior_ensures")
end


(******************************************************************************)
(*                              nexpr constructors                            *)
(******************************************************************************)

module NExpr = struct
  let mk ?pos ~node () = new nexpr ?pos node

  let mkcast ~expr ~typ = mk ~node:(JCNEcast(expr, typ))
end


(*******************************************************************************)
(*                               expr constructors                             *)
(*******************************************************************************)

module Expr = struct
  let mk ?pos ~typ ?mark ?region ?original_type ~node () =
    new expr ?pos ~typ ?mark ?region ?original_type node

  let mkconst ~const = mk ~typ:(JCTnative Tinteger) ~node:(JCEconst const)
  let mkint ?value ?valuestr = mkconst ~const:(Const.mkint ?value ?valuestr ())
  let mkbinary ~expr1 ~op ~expr2 = mk ~node:(JCEbinary(expr1, op, expr2))

  let mklet ~var ?init ~body =
    mk ~typ:var.jc_var_info_type ~node:(JCElet(var, init, body))
  let mkvar ~var = 
    mk ~typ:var.jc_var_info_type ~node:(JCEvar var)

  let is_app e = match e#node with JCEapp _ -> true | _ -> false
end

(*******************************************************************************)
(*                               term constructors                             *)
(*******************************************************************************)

module Term = struct
  let mk ?pos ~typ ?mark ?region ~node () =
    new term ?pos ~typ ?mark ?region node

  let mkconst ~const = mk ~typ:(JCTnative Tinteger) ~node:(JCTconst const)
  let mkint ?value ?valuestr = mkconst ~const:(Const.mkint ?value ?valuestr ())
  let mkbinary ~term1 ~op ~term2 = mk ~node:(JCTbinary(term1, op, term2))

  let mkvar ~var = 
    mk ~typ:var.jc_var_info_type ~node:(JCTvar var)
end

(*******************************************************************************)
(*                           assertion constructors                            *)
(*******************************************************************************)

module Assertion = struct
  let mk ?pos ?mark ~node () =
    new assertion ?pos ?mark node

  let fake ?pos:_ ?mark:_ ~value () = 
    value

  let is_true a = 
    match a#node with 
      | JCAtrue -> true
      | JCAbool_term t when t#node = JCTconst(JCCboolean true) -> true
      | _ -> false
    
  let is_false a =
    match a#node with 
      | JCAfalse -> true
      | JCAbool_term t when t#node = JCTconst(JCCboolean false) -> true
      | _ -> false

  let mktrue = mk ~node:JCAtrue
  let mkfalse = mk ~node:JCAfalse

  let mkand ~conjuncts =
    (* optimization *)
    let conjuncts = List.filter (fun a -> not (is_true a)) conjuncts in
    match conjuncts with
      | [] -> mktrue
      | [a] -> fake ~value:a
      | alist -> mk ~node:(JCAand alist)

  let mkor ~disjuncts = 
    (* optimization *)
    let disjuncts = List.filter (fun a -> not (is_false a)) disjuncts in
    match disjuncts with
      | [] -> mkfalse
      | [a] -> fake ~value:a
      | alist -> mk ~node:(JCAor alist)

  let mknot ~asrt:a = mk ~node:(JCAnot a)
end

(*
Local Variables: 
compile-command: "LC_ALL=C nice make -j -C .. byte"
End: 
*)
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_annot_inference.ml�������������������������������������������������������������������0000644�0001750�0001750�00000431765�12311670312�015374� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_options
open Jc_constructors
open Jc_pervasives
open Jc_separation

open Pp
open Format

open Apron
open Coeff
open Interval
open Lincons1
open Num


(*****************************************************************************)
(*                Transfomations of terms and assertions                     *)
(*****************************************************************************)

let rec mem_term_in_assertion t a =
  Jc_iterators.fold_term_in_assertion (fun acc t' -> acc || TermOrd.equal t t') false a

let rec mem_any_term_in_assertion tset a =
  Jc_iterators.fold_term_in_assertion (fun acc t -> acc || TermSet.mem t tset) false a

let rec replace_term_in_term ~source:srct ~target:trgt t =
  Jc_iterators.map_term (fun t -> if TermOrd.equal srct t then trgt else t) t

let rec replace_term_in_assertion ~source:srct ~target:trgt a =
  Jc_iterators.map_term_in_assertion
    (fun t -> if TermOrd.equal srct t then trgt else t) a

let rec replace_var_in_assertion ~source:srcv ~target:trgt a =
  let srct = new term ~typ:srcv.jc_var_info_type (JCTvar srcv) in
  replace_term_in_assertion srct trgt a

let replace_var_by_var_in_assertion v v' a =
  replace_var_in_assertion v (new term_var v') a

let forget_var_in_assertion v a =
  let v' = newvar v.jc_var_info_type in
  replace_var_by_var_in_assertion v v' a

let unfolding_of_app app =
  let f = app.jc_app_fun in
  let _, term_or_assertion =
    try IntHashtblIter.find Jc_typing.logic_functions_table f.jc_logic_info_tag
    with Not_found -> assert false
  in
  match term_or_assertion with
    | JCAssertion a ->
	let a =
	  List.fold_left2 (fun a v t -> replace_var_in_assertion v t a)
	    a f.jc_logic_info_parameters app.jc_app_args
	in
	Some a
    | _ -> None

let rec conjuncts a =
  match a#node with
    | JCAand al -> List.flatten(List.map conjuncts al)
    | JCAapp app ->
	begin match unfolding_of_app app with
	  | Some a -> conjuncts a
	  | None -> [ a ]
	end
    | JCAnot a1 ->
	List.map (fun a -> new assertion_with ~node:(JCAnot a) a)
	  (disjuncts a1)
    | _ -> [ a ]
and disjuncts a =
  match a#node with
    | JCAor al -> List.flatten(List.map disjuncts al)
    | JCAapp app ->
	begin match unfolding_of_app app with
	  | Some a -> disjuncts a
	  | None -> [ a ]
	end
    | JCAnot a1 ->
	List.map (fun a -> new assertion_with ~node:(JCAnot a) a)
	  (conjuncts a1)
    | _ -> [ a ]

(* No real CNF construction, rather a presentation as conjunction
   of disjuncts *)
let implicit_cnf a =
  let conjuncts = conjuncts a in
  let disjuncts = List.map disjuncts conjuncts in
  new assertion_with
    ~node:(JCAand (List.map
		     (fun disjunct ->
			new assertion_with
			  ~node:(JCAor disjunct) a) disjuncts)) a

(* Deconstruct a pointer term into a base pointer term and an integer offset *)
let rec destruct_pointer t =
  match t#node with
(*     | JCTconst JCCnull -> *)
(*         (\* Before changing this, make sure [pointer_struct] is not called on *)
(*            a null term *\) *)
(*         None,None *)
    | JCTshift(t1,t2) ->
	begin match destruct_pointer t1 with
	  | None -> Some (t1,t2)
	  | Some(tptr,offt) ->
	      let tnode = JCTbinary(offt,(`Badd,`Integer),t2) in
	      let offt = new term ~typ:integer_type tnode in
	      Some(tptr,offt)
	end
    | JCTvar _ | JCTderef _ | JCTapp _ | JCTold _ | JCTat _ | JCTif _ 
    | JCTrange _ | JCTmatch _ | JCTaddress _ | JCTbase_block _ | JCTlet _
    | JCTconst _ | JCTbinary _ | JCTunary _ | JCToffset _ | JCTinstanceof _ 
    | JCTreal_cast _ | JCTrange_cast _ | JCTbitwise_cast _ | JCTcast _ ->
	None

let equality_operator_of_type ty = `Beq, operator_of_type ty

let rec unique_term_name =
  let unique_table = Hashtbl.create 17 in
  let name_table = Hashtbl.create 17 in
  fun t s ->
    try
      let t2 = Hashtbl.find unique_table s in
      if TermOrd.compare t t2 = 0 then
	s
      else
	let n = Hashtbl.find name_table s in
	let s = s ^ "_" ^ (string_of_int n) in
	unique_term_name t s
    with Not_found ->
      Hashtbl.replace name_table s 1;
      Hashtbl.replace unique_table s t; s

let rec unique_assertion_name =
  let unique_table = Hashtbl.create 17 in
  let name_table = Hashtbl.create 17 in
  fun a s ->
    try
      let a2 = Hashtbl.find unique_table s in
      if AssertionOrd.compare a a2 = 0 then
	s
      else
	let n = Hashtbl.find name_table s in
	let s = s ^ "_" ^ (string_of_int n) in
	unique_assertion_name a s
    with Not_found ->
      Hashtbl.replace name_table s 1;
      Hashtbl.replace unique_table s a; s

let string_explode s =
  let rec next acc i =
    if i >= 0 then next (s.[i] :: acc) (i-1) else acc
  in
  next [] (String.length s - 1)

let string_implode ls =
  let s = String.create (List.length ls) in
  ignore (List.fold_left (fun i c -> s.[i] <- c; i + 1) 0 ls);
  s

let filter_alphanumeric s =
  let alphanum c =
    String.contains "abcdefghijklmnopqrstuvwxyz" c
    || String.contains "ABCDEFGHIJKLMNOPQRSTUVWXYZ" c
    || String.contains "0123456789" c
    || c = '_'
  in
  let mkalphanum c = if alphanum c then c else '_' in
  string_implode (List.map mkalphanum (string_explode s))

let name_of_term t =
  ignore (Format.flush_str_formatter ());
  Format.fprintf str_formatter "%a" Jc_output.term t;
  let s = Format.flush_str_formatter () in
  let s = filter_alphanumeric s in
  "T" ^ unique_term_name t s

let name_of_assertion a =
  ignore (Format.flush_str_formatter ());
  Format.fprintf str_formatter "%a" Jc_output.assertion a;
  let s = Format.flush_str_formatter () in
  let s = filter_alphanumeric s in
  "A" ^ unique_assertion_name a s

(* support of <new> (Nicolas) *)
let rec destruct_alloc t =
  match t#node with
    | JCTconst (JCCinteger _str) -> None, Some t
    | JCTvar vi -> Some vi, None
    | JCTbinary (t1, (`Bsub,`Integer), t2) ->
	begin
	  match destruct_alloc t1 with
	    | None, None ->
		None, Some
		  (new term ~typ:integer_type
		     (JCTunary ((`Uminus,`Integer),
				new term ~typ:integer_type
				  (JCTconst (JCCinteger "-1"))))
		  )
	    | Some vi, None ->
		None, Some
		  (new term ~typ:integer_type
		     (JCTbinary	(new term ~typ:integer_type (JCTvar vi),
				 (`Bsub,`Integer),
				 new term ~typ:integer_type
				   (JCTconst (JCCinteger "-1"))))
		  )
	    | vio, Some offt ->
		let t3 = JCTbinary (offt, (`Bsub,`Integer), t2) in
		let offt = new term ~typ:integer_type t3 in
		vio, Some offt
	end
    | _ -> assert false

(*****************************************************************************)
(* Specific iterators on terms.                                              *)
(*****************************************************************************)


let raw_sub_term subt t =
  Jc_iterators.fold_term (fun acc t -> acc || TermOrd.equal subt t) false t

let raw_sub_term_in_assertion subt a =
  Jc_iterators.fold_term_in_assertion (fun acc t -> acc || TermOrd.equal subt t) false a

let raw_strict_sub_term subt t =
  TermOrd.compare subt t <> 0 && raw_sub_term subt t



(********************)

let rec term_syntactic_dependence ~of_term:t1 ~on_term:t2 =
  raw_sub_term t2 t1

let rec assertion_syntactic_dependence ~of_asrt:a ~on_term:t =
  raw_sub_term_in_assertion t a

let rec assignment_semantic_dependence ~of_term:t1 ~on_term:t2 ~at_field:fi =
  let mc,_ufi_opt = Jc_effect.tderef_mem_class ~type_safe:true t2 fi in
  let mem = mc, t2#region in
  let ef = Jc_effect.term empty_effects t1 in
  Jc_effect.has_memory_effect ef mem

let normalize_expr e =
  let name_app (e : expr) = match e#node with
    | JCEapp _ ->
	if e#typ = Jc_pervasives.unit_type then e else
	  let name = tmp_var_name () in
	  let vi = Jc_pervasives.var e#typ name in
	  Expr.mklet
	    ~pos:e#pos
	    ~var:vi
	    ~init:e
	    ~body:(Expr.mkvar ~pos:e#pos ~var:vi ())
	    ()
    | _ -> e
  in
  Jc_iterators.map_expr
    ~after:(fun e -> match e#node with
	      | JCElet(_vi,e1,e2) ->
		  let elist =
		    Option_misc.fold (fun e1 l -> e1::l) e1 [name_app e2]
		  in
		  Jc_iterators.replace_sub_expr e elist
	      | _ ->
		  let elist = Jc_iterators.IExpr.subs e in
		  let elist = List.map name_app elist in
		  Jc_iterators.replace_sub_expr e elist
	   ) e

let asrt_of_expr e =
  let err () = failwith "asrt_of_expr" in
  let rec aux e =
    let anode = match e#node with
      | JCEconst(JCCboolean true) -> JCAtrue
      | JCEconst(JCCboolean false) -> JCAfalse
      | JCEbinary(e1,(#comparison_op,_ as bop), e2) ->
	  begin match Jc_effect.term_of_expr e1, Jc_effect.term_of_expr e2 with
	    | Some t1, Some t2 -> JCArelation(t1,bop,t2)
	    | _ -> err ()
	  end
      | JCEbinary (e1,(bop,_),e2) ->
	  begin match bop with
	    | `Bland -> JCAand [ aux e1; aux e2 ]
	    | `Blor -> JCAor [ aux e1; aux e2 ]
	    | _ -> err ()
	  end
      | JCEunary((uop,_),e1) ->
	  begin match uop with
	    | `Unot -> JCAnot(aux e1)
	    | _ -> err ()
	  end
      | JCEinstanceof(e1,st) ->
	  begin match Jc_effect.term_of_expr e1 with
	    | Some t1 -> JCAinstanceof(t1,LabelHere,st)
	    | None -> err ()
	  end
      | JCEif(e1,e2,e3) ->
	  begin match Jc_effect.term_of_expr e1 with
	    | Some t1 -> JCAif(t1,aux e2,aux e3)
	    | None -> err ()
	  end
      | JCEcast _ | JCErange_cast _ | JCEreal_cast _ | JCEshift _
      | JCEconst _ | JCEvar _ | JCEderef _ | JCEoffset _ | JCEalloc _
      | JCEfree _ | JCEmatch _ | JCEunpack _ | JCEpack _ | JCEthrow _
      | JCEtry _ | JCEreturn _ | JCEloop _ | JCEblock _ | JCEcontract _
      | JCEassert _ | JCElet _ | JCEaddress _ | JCEbitwise_cast _
      | JCEassign_heap _ | JCEassign_var _ | JCEapp _ |JCEreturn_void
      | JCEbase_block _ | JCEfresh _ ->
	  err ()
    in
    new assertion ~mark:e#mark ~pos:e#pos anode
  in
  try Some (aux e) with Failure "asrt_of_expr" -> None


(*****************************************************************************)
(*                                  Types                                    *)
(*****************************************************************************)

type offset_kind = Offset_min_kind | Offset_max_kind

(* Assertion to be checked at some program point. *)
type target_assertion = {
  jc_target_expr : expr;
  jc_target_hint : bool;
  jc_target_location : Loc.position;
  mutable jc_target_assertion : assertion;
  mutable jc_target_regular_invariant : assertion;
  mutable jc_target_propagated_invariant : assertion;
}

(* Abstract value made up of 2 parts:
 * - regular abstract value
 * - abstract value refined by previous assertions on the execution path
 * Both are mutable in order to get in place widening.
 *)
type 'a abstract_value = {
  mutable jc_absval_regular : 'a Abstract1.t;
  mutable jc_absval_propagated : 'a Abstract1.t;
}

(* Type of current invariant in abstract interpretation, made up of 3 parts:
 * - abstract value at current program point
 * - associative list of exceptions and abstract values obtained after throwing
 *   an exception of this type. It is mutable so that it can be changed in
 *   place.
 * - abstract value after returning from the function. It is a reference so that
 *   it can be shared among all abstract invariants in a function.
 *)
type 'a abstract_invariants = {
  jc_absinv_normal : 'a abstract_value;
  jc_absinv_exceptional : (exception_info * 'a abstract_value) list;
  jc_absinv_return : (expr,'a abstract_value) Hashtbl.t;
}

(* Parameters of an abstract interpretation. *)
type 'a abstract_interpreter = {
  jc_absint_manager : 'a Manager.t;
  jc_absint_function_environment : Environment.t;
  jc_absint_function : fun_info;
  jc_absint_widening_threshold : int;
  jc_absint_loops : (int,expr) Hashtbl.t;
  jc_absint_loop_invariants : (int,'a abstract_invariants) Hashtbl.t;
  jc_absint_loop_initial_invariants : (int,'a abstract_invariants) Hashtbl.t;
  jc_absint_loop_iterations : (int,int) Hashtbl.t;
  jc_absint_loop_entry_invs : (int, 'a abstract_invariants) Hashtbl.t;
  jc_absint_target_assertions : target_assertion list;
}

(* Parameters of an interprocedural abstract interpretation. *)
type 'a interprocedural_ai = {
  jc_interai_manager : 'a Manager.t;
  jc_interai_function_preconditions : (int, 'a Abstract1.t) Hashtbl.t;
  jc_interai_function_postconditions : (int, 'a Abstract1.t) Hashtbl.t;
  jc_interai_function_exceptional :
    (int, (exception_info * 'a Abstract1.t) list)  Hashtbl.t;
  jc_interai_function_nb_iterations : (int, int) Hashtbl.t;
  jc_interai_function_init_pre : (int, 'a Abstract1.t) Hashtbl.t;
  jc_interai_function_abs : (int, 'a abstract_interpreter) Hashtbl.t;
}

(* Type of current postcondition in weakest precondition computation:
 * - postcondition at current program point
 * - associative list of exceptions and postconditions that should be satisfied
 *   when an exception of this type is caught
 * - stack of sets of modified variables, each set except the first one
 *   corresponding to an enclosed loop
 *)
type weakest_postconditions = {
  jc_post_normal : assertion option;
  jc_post_exceptional : (exception_info * assertion) list;
  jc_post_inflexion_vars : VarSet.t ref;
  jc_post_modified_vars : VarSet.t list;
}

type weakest_precondition_computation = {
  jc_weakpre_function: fun_info;
  jc_weakpre_loops : (int,expr) Hashtbl.t;
  jc_weakpre_loop_invariants : (int,assertion) Hashtbl.t;
}


(*****************************************************************************)
(*                                  Debug                                    *)
(*****************************************************************************)

let print_abstract_value fmt absval =
  fprintf fmt "@[<v 2>{regular: %a@\npropagated: %a@\n}@]"
    Abstract1.print absval.jc_absval_regular
    Abstract1.print absval.jc_absval_propagated

let print_abstract_invariants fmt invs =
  fprintf fmt "@[<v 2>{@\nnormal: %a@\nexceptional: %a@\nreturn: %a@\n}@]"
    print_abstract_value invs.jc_absinv_normal
    (print_list comma (fun fmt (ei,absval) ->
			 fprintf fmt "(%s,%a)" ei.jc_exception_info_name
			   print_abstract_value absval))
    invs.jc_absinv_exceptional
    (fun fmt returns ->
       Hashtbl.iter (fun _ absval -> print_abstract_value fmt absval) returns)
    invs.jc_absinv_return

let print_modified_vars fmt posts =
  fprintf fmt "modified vars: %a"
    (print_list comma (fun fmt vi -> fprintf fmt "%s" vi.jc_var_info_name))
    (VarSet.elements (List.hd posts.jc_post_modified_vars))


(*****************************************************************************)
(*                    Logging annotations inferred                           *)
(*****************************************************************************)

let reg_annot ?id ?kind ?name ~pos ~anchor a =
  let (f,l,b,e) =
    try
      let (f,l,b,e,_,_) = Hashtbl.find Jc_options.pos_table anchor in
      (f,l,b,e)
    with Not_found -> Loc.extract pos
  in
  let pos = Lexing.dummy_pos in
  let pos = { pos with
		Lexing.pos_fname = f;
		Lexing.pos_lnum = l;
		Lexing.pos_bol = 0; }
  in
  let loc =
    { pos with Lexing.pos_cnum = b; },
    { pos with Lexing.pos_cnum = e; }
  in
  Format.fprintf Format.str_formatter "%a" Jc_output.assertion a;
  let formula = Format.flush_str_formatter () in
  let lab = Output.old_reg_pos "G" ?id ?kind ?name ~formula (Loc.extract loc) in
  new assertion_with ~mark:lab a


(*****************************************************************************)
(*           Translation between terms/assertions and ATP formulas           *)
(*****************************************************************************)

module Vwp : sig
  val variable_for_term : term -> string
  val term : string -> term option
  val variable_for_assertion: assertion -> string
  val assertion: string -> assertion
  val is_variable_for_assertion: string -> bool
end = struct

  let term_table = Hashtbl.create 17
  let assertion_table = Hashtbl.create 17

  let variable_for_term t =
    let check_name s =
      try
	(* Check unicity of name, which [name_of_term] should guarantee *)
	let t2 = Hashtbl.find term_table s in
	assert (TermOrd.compare t t2 = 0)
      with Not_found ->
	Hashtbl.add term_table s t
    in
    let s = name_of_term t in check_name s; s

  let term s =
    try Some (Hashtbl.find term_table s)
    with Not_found -> ignore (Hashtbl.find assertion_table s); None

  let variable_for_assertion a =
    let check_name s =
      try
	(* Check unicity of name, which [name_of_assertion] should guarantee *)
	let a2 = Hashtbl.find assertion_table s in
	assert (AssertionOrd.compare a a2 = 0)
      with Not_found ->
	Hashtbl.add assertion_table s a
    in
    match a#node with
      | JCAnot a1 -> let s = name_of_assertion a1 in check_name s; s
      | _ -> let s = name_of_assertion a in check_name s; s

  let assertion s = Hashtbl.find assertion_table s

  let is_variable_for_assertion s = Hashtbl.mem assertion_table s
end

let binop_atp =
  [
    (`Blt,`Integer), "<";
    (`Bgt,`Integer), ">";
    (`Ble,`Integer), "<=";
    (`Bge,`Integer), ">=";
    (`Beq,`Integer), "=";
    (`Badd,`Integer), "+";
    (`Bsub,`Integer), "-";
    (`Bmul,`Integer), "*";
    (`Bdiv,`Integer), "/";
  ]

let atp_binop = List.map (fun (op,r) -> (r,op)) binop_atp

let atp_of_binop (op : basic_op * [> `Integer ]) =
  try List.assoc op binop_atp with Not_found -> assert false

let binop_of_atp r =
  try List.assoc r atp_binop with Not_found -> assert false

let binrel_of_atp s =
  let op,ty = binop_of_atp s in
  match op with
    | #comparison_op as op1 -> op1,ty
    | _ -> assert false

let unop_atp =
  [
    (`Uminus,`Integer), "-";
  ]

let atp_unop = List.map (fun (op,r) -> (r,op)) unop_atp

let atp_of_unop op =
  try List.assoc op unop_atp with Not_found -> assert false

let unop_of_atp r =
  try List.assoc r atp_unop with Not_found -> assert false

let rec atp_of_term t =
  let err () = failwith "atp_of_term" in
  let is_constant_term t =
    match t#node with JCTconst _ -> true | _ -> false
  in
  match t#node with
    | JCTconst c ->
	begin match c with
	  | JCCinteger s -> Atp.Fn(s,[])
	  | JCCnull | JCCboolean _ | JCCvoid | JCCreal _ | JCCstring _ ->
	      err ()
	end
    | JCTbinary(t1,((`Badd,`Integer) | (`Bsub,`Integer) as bop),t2) ->
	Atp.Fn(atp_of_binop bop, List.map atp_of_term [t1;t2])
    | JCTbinary(t1,(`Bmul,`Integer as bop),t2)
	when (is_constant_term t1 || is_constant_term t2) ->
	Atp.Fn(atp_of_binop bop, List.map atp_of_term [t1;t2])
    | JCTbinary(t1,(`Bdiv,`Integer as bop),t2) when (is_constant_term t2) ->
	Atp.Fn(atp_of_binop bop, List.map atp_of_term [t1;t2])
    | JCTbinary(_t1,_bop,_t2) ->
	Atp.Var (Vwp.variable_for_term t)
    | JCTunary((`Uminus,`Integer as uop),t1) ->
	Atp.Fn(atp_of_unop uop, [atp_of_term t1])
    | JCTvar _ | JCTderef _ | JCTapp _ | JCToffset _ ->
	Atp.Var (Vwp.variable_for_term t)
    | JCTshift _ | JCTold _ | JCTat _ | JCTmatch _ | JCTinstanceof _
    | JCTcast _ | JCTrange_cast _ | JCTbitwise_cast _ | JCTreal_cast _
    | JCTaddress _ | JCTif _ | JCTrange _ | JCTunary _ | JCTbase_block _ 
    | JCTlet _ ->
	err ()

let rec term_of_atp tm =
  try
    match tm with
      | Atp.Var s -> (match Vwp.term s with Some t -> t | None -> assert false)
      | Atp.Fn(s,[tm1;tm2]) ->
	  let tnode =
	    JCTbinary(term_of_atp tm1,binop_of_atp s,term_of_atp tm2)
	  in
	  new term ~typ:integer_type tnode
      | Atp.Fn(s,[tm1]) ->
	  let tnode = JCTunary(unop_of_atp s,term_of_atp tm1) in
	  new term ~typ:integer_type tnode
      | Atp.Fn(s,[]) ->
	  let tnode = JCTconst(JCCinteger s) in
	  new term ~typ:integer_type tnode
      | _tm -> assert false
  with Assert_failure _ ->
    printf "[Jc_annot_inference.term_of_atp] unexpected ATP term %a@."
      (fun _fmt tm -> Atp.printert tm) tm;
    assert false

let term_of_atp_with_variable_for_assertion tm =
  try
    let rec aux tm =
      match tm with
	| Atp.Var s -> (Some (Vwp.assertion s),0)
	| Atp.Fn("+",[tm1;tm2]) ->
	    let a1,c1 = aux tm1 in
	    let a2,c2 = aux tm2 in
	    let a = match a1,a2 with
	      | Some _,Some _ -> assert false
	      | Some a,None | None,Some a -> Some a
	      | None,None -> None
	    in
	    a, c1 + c2
	| Atp.Fn("*",[tm1;tm2]) ->
	    let a1,c1 = aux tm1 in
	    let a2,c2 = aux tm2 in
	    assert (c1 >= 0 && c2 >= 0);
	    let a = match a1,a2 with
	      | Some _,Some _ -> assert false
	      | Some a,None | None,Some a -> Some a
	      | None,None -> None
	    in
	    a, 0
	| Atp.Fn("-",[tm1]) ->
	    let a1,c1 = aux tm1 in
	    assert (a1 = None);
	    None, - c1
	| Atp.Fn(s,[]) ->
	    None, int_of_string s
	| _tm -> assert false
    in aux tm
  with Assert_failure _ ->
    printf "[Jc_annot_inference.term_of_atp_with_variable_for_assertion] unexpected ATP term %a@."
      (fun _fmt tm -> Atp.printert tm) tm;
    assert false

let atp_of_asrt a =
  let err () = failwith "atp_of_asrt" in
  let rec aux a =
    try match a#node with
      | JCAtrue -> Atp.True
      | JCAfalse -> Atp.False
      | JCArelation(t1,(`Bneq,`Integer),t2) ->
	  Atp.Not(Atp.Atom(Atp.R("=",List.map atp_of_term [t1;t2])))
      | JCArelation(t1,(bop,`Integer),t2) ->
	  Atp.Atom(Atp.R(atp_of_binop ((bop :> basic_op),`Integer),
			 List.map atp_of_term [t1;t2]))
      | JCAand al ->
	  let rec mkand = function
	    | [] -> Atp.True
	    | [a] -> aux a
	    | a :: al -> Atp.And (aux a, mkand al)
	  in
	  mkand al
      | JCAor al ->
	  let rec mkor = function
	    | [] -> Atp.False
	    | [a] -> aux a
	    | a :: al -> Atp.Or (aux a, mkor al)
	  in
	  mkor al
      | JCAimplies(a1,a2) ->
	  Atp.Imp(aux a1,aux a2)
      | JCAiff(a1,a2) ->
	  Atp.And (Atp.Imp(aux a1,aux a2), Atp.Imp(aux a2,aux a1))
      | JCAnot a ->
	  Atp.Not(aux a)
      | JCAquantifier(q,v,_trig,a) ->
	  let f = aux a in
	  let fvars = Atp.fv f in
	  let tv = new term_var v in
	  (* Add to the set of variables quantifieds all those variables that
	     syntactically depend on [v] *)
	  let vars =
	    List.fold_left
	      (fun acc va ->
		 let depend = match Vwp.term va with
		   | Some t ->
		       term_syntactic_dependence ~of_term:t ~on_term:tv
		   | None ->
		       let a = Vwp.assertion va in
		       assertion_syntactic_dependence ~of_asrt:a ~on_term:tv
		 in
		 if depend then StringSet.add va acc else acc
	      ) (StringSet.singleton (Vwp.variable_for_term tv)) fvars
	  in
	  let vars = StringSet.elements vars in
	  let rec quant f = function
	    | [] -> f
	    | v::r ->
		match q with
		  | Forall -> quant (Atp.Forall(v,f)) r
		  | Exists -> quant (Atp.Exists(v,f)) r
	  in
	  quant f vars
      | JCAapp app ->
	  begin match unfolding_of_app app with
	    | Some a -> aux a
	    | None -> err ()
	  end
      | JCArelation _ | JCAold _ | JCAat _ | JCAinstanceof _ | JCAbool_term _
      | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAlet _
      | JCAmatch _ | JCAsubtype _ | JCAfresh _ ->
	  err ()
    with Failure "atp_of_asrt" | Failure "atp_of_term" ->
      let s = Vwp.variable_for_assertion a in
      let fm = Atp.Atom(Atp.R("<=",[Atp.Fn("0",[]);Atp.Var s])) in
      match a#node with
	| JCAnot _a1 -> Atp.Not fm
	| _ -> fm
  in aux a

let has_variable_for_assertion fm =
  let vars = Atp.fv fm in
  List.exists Vwp.is_variable_for_assertion vars

let asrt_of_atp_with_variable_for_assertion fm =
  try match fm with
    | Atp.Atom(Atp.R(r,[tm1;tm2])) ->
	let a1,_c1 = term_of_atp_with_variable_for_assertion tm1 in
	let a2,_c2 = term_of_atp_with_variable_for_assertion tm2 in
	begin match a1,a2 with
	  | Some _,Some _
	  | None,None -> assert false
	  | Some a,None ->
	      begin match r with
		| ">=" | ">" -> a#node
		| "<=" | "<" -> JCAnot a
		| _ -> assert false
	      end
	  | None,Some a ->
	      begin match r with
		| ">=" | ">" -> JCAnot a
		| "<=" | "<" -> a#node
		| _ -> assert false
	      end
	end
    | _ -> assert false
  with Assert_failure _ ->
    printf "[Jc_annot_inference.asrt_of_atp_with_variable_for_assertion] unexpected ATP formula %a@."
      (fun _fmt fm -> Atp.printer fm) fm;
    assert false

let rec asrt_of_atp fm =
  let anode = match fm with
    | Atp.False ->
	JCAfalse
    | Atp.True ->
	JCAtrue
    | Atp.Atom _ when has_variable_for_assertion fm ->
	asrt_of_atp_with_variable_for_assertion fm
    | Atp.Atom(Atp.R(r,[tm1;tm2])) ->
	JCArelation(term_of_atp tm1,binrel_of_atp r,term_of_atp tm2)
    | Atp.Atom _ ->
	printf "[Jc_annot_inference.term_of_atp] unexpected ATP atom %a@."
	  (fun _fmt fm -> Atp.printer fm) fm;
	assert false
    | Atp.Not fm ->
	JCAnot(asrt_of_atp fm)
    | Atp.And(fm1,fm2) ->
	JCAand [asrt_of_atp fm1;asrt_of_atp fm2]
    | Atp.Or(fm1,fm2) ->
	JCAor [asrt_of_atp fm1;asrt_of_atp fm2]
    | Atp.Imp(fm1,fm2) ->
	JCAimplies(asrt_of_atp fm1,asrt_of_atp fm2)
    | Atp.Iff(fm1,fm2) ->
	JCAiff(asrt_of_atp fm1,asrt_of_atp fm2)
    | Atp.Forall _ | Atp.Exists _ ->
	printf
	  "[Jc_annot_inference.term_of_atp] unexpected ATP quantification %a@."
	  (fun _fmt fm -> Atp.printer fm) fm;
	assert false
  in
  new assertion anode


(*****************************************************************************)
(*               Abstract variables naming and creation                      *)
(*****************************************************************************)

module Vai : sig
  val integer_variable : term -> Var.t
  val offset_min_variable : term -> Var.t
  val offset_max_variable : term -> Var.t
  val all_variables : term -> Var.t list
  val term : Var.t -> term
end = struct

  let term_table = Hashtbl.create 17

  let integer_variable t =
    let check_name s =
      try
	(* Check unicity of name, which [name_of_term] should guarantee *)
	let t2 = Hashtbl.find term_table s in
	assert (TermOrd.compare t t2 = 0)
      with Not_found ->
	Hashtbl.add term_table s t
    in
    let s = name_of_term t in check_name s; Var.of_string s

  let offset_min_variable t =
    let st = pointer_struct t#typ in
    let tmin = new term ~typ:integer_type (JCToffset(Offset_min,t,st)) in
    integer_variable tmin

  let offset_max_variable t =
    let st = pointer_struct t#typ in
    let tmax = new term ~typ:integer_type (JCToffset(Offset_max,t,st)) in
    integer_variable tmax

  let all_variables t =
    if is_integral_type t#typ then [ integer_variable t ]
    else if is_pointer_type t#typ then
      [ offset_min_variable t; offset_max_variable t ]
    else []

  let term va = Hashtbl.find term_table (Var.to_string va)
end

let empty mgr val1 =
  Abstract1.bottom mgr (Abstract1.env val1)

let extend mgr env val1 =
  let env = Environment.lce env (Abstract1.env val1) in
  Abstract1.change_environment mgr val1 env false

let is_eq mgr val1 val2 =
  let env = Environment.lce (Abstract1.env val1) (Abstract1.env val2) in
  let val1 = Abstract1.change_environment mgr val1 env false in
  let val2 = Abstract1.change_environment mgr val2 env false in
  Abstract1.is_eq mgr val1 val2

let forget mgr val1 vls =
  let vls = List.filter (Environment.mem_var (Abstract1.env val1)) vls in
  let varr = Array.of_list vls in
  Abstract1.forget_array mgr val1 varr false

let meet mgr val1 val2 =
  let env = Environment.lce (Abstract1.env val1) (Abstract1.env val2) in
  let val1 = Abstract1.change_environment mgr val1 env false in
  let val2 = Abstract1.change_environment mgr val2 env false in
  Abstract1.meet mgr val1 val2

let join mgr val1 val2 =
  (* Uncomment following line to possibly get more precision *)
  (*   let val1 = Abstract1.closure mgr val1 in *)
  (*   let val2 = Abstract1.closure mgr val2 in *)
  let env = Environment.lce (Abstract1.env val1) (Abstract1.env val2) in
  let val1 = Abstract1.change_environment mgr val1 env false in
  let val2 = Abstract1.change_environment mgr val2 env false in
  Abstract1.join mgr val1 val2

let widening mgr val1 val2 =
  let env = Environment.lce (Abstract1.env val1) (Abstract1.env val2) in
  let val1 = Abstract1.change_environment mgr val1 env false in
  let val2 = Abstract1.change_environment mgr val2 env false in
  (* Join before widening so that arguments are in increasing order. *)
  let val2 = Abstract1.join mgr val2 val1 in
  (* Perform widening between values in increasing order. *)
  Abstract1.widening mgr val1 val2

let stronger mgr val1 val2 =
  let env = Environment.lce (Abstract1.env val1) (Abstract1.env val2) in
  let val1 = Abstract1.change_environment mgr val1 env false in
  let val2 = Abstract1.change_environment mgr val2 env false in
  Abstract1.is_leq mgr val1 val2

let strictly_stronger mgr val1 val2 =
  stronger mgr val1 val2 && not (stronger mgr val2 val1)

let empty_abstract_value mgr pair1 =
  {
    jc_absval_regular =
      empty mgr pair1.jc_absval_regular;
    jc_absval_propagated =
      empty mgr pair1.jc_absval_propagated
  }

let bottom_abstract_value mgr env =
  {
    jc_absval_regular = Abstract1.bottom mgr env;
    jc_absval_propagated = Abstract1.bottom mgr env;
  }

let top_abstract_value mgr env =
  {
    jc_absval_regular = Abstract1.top mgr env;
    jc_absval_propagated = Abstract1.top mgr env;
  }

let eq_abstract_value mgr absval1 absval2 =
  is_eq mgr absval1.jc_absval_regular absval2.jc_absval_regular
  && is_eq mgr absval1.jc_absval_propagated absval2.jc_absval_propagated

let forget_abstract_value mgr absval vls =
  {
    jc_absval_regular =
      forget mgr absval.jc_absval_regular vls;
    jc_absval_propagated =
      forget mgr absval.jc_absval_propagated vls
  }

let join_abstract_value mgr pair1 pair2 =
  {
    jc_absval_regular =
      join mgr pair1.jc_absval_regular pair2.jc_absval_regular;
    jc_absval_propagated =
      join mgr pair1.jc_absval_propagated pair2.jc_absval_propagated
  }

let widening_abstract_value mgr pair1 pair2 =
  {
    jc_absval_regular =
      widening mgr pair1.jc_absval_regular pair2.jc_absval_regular;
    jc_absval_propagated =
      widening mgr pair1.jc_absval_propagated pair2.jc_absval_propagated
  }

let eq_invariants mgr invs1 invs2 =
  let eq_exclists postexcl1 postexcl2 =
    List.length postexcl1 = List.length postexcl2 &&
    List.fold_right (fun (ei,post1) acc ->
		       acc &&
			 try
			   let post2 = List.assoc ei postexcl2 in
			   eq_abstract_value mgr post1 post2
			 with Not_found -> false
		    ) postexcl1 true
  in
  assert (invs1.jc_absinv_return == invs2.jc_absinv_return);
  eq_abstract_value mgr invs1.jc_absinv_normal invs2.jc_absinv_normal
  && eq_exclists invs1.jc_absinv_exceptional invs2.jc_absinv_exceptional

let forget_invariants mgr invs vls =
  {
    jc_absinv_normal =
      forget_abstract_value mgr invs.jc_absinv_normal vls;
    jc_absinv_exceptional =
      List.map (fun (ei,post) -> (ei,forget_abstract_value mgr post vls))
	invs.jc_absinv_exceptional;
    jc_absinv_return =
      invs.jc_absinv_return
  }

let join_invariants mgr invs1 invs2 =
(*   if Jc_options.debug then *)
(*     printf "@[<v 2>[join]@\n%a@\nand@\n%a@]@."  *)
(*       print_abstract_invariants invs1 print_abstract_invariants invs2; *)
  let join_exclists postexcl1 postexcl2 =
    let join1 =
      List.fold_right
	(fun (ei, post1) acc ->
	   try
	     let post2 = List.assoc ei postexcl2 in
	     let post1 = join_abstract_value mgr post1 post2 in
	     (ei, post1) :: acc
	   with Not_found -> (ei, post1) :: acc
	) postexcl1 []
    in
    List.fold_right
      (fun (ei, post2) acc ->
	 if List.mem_assoc ei join1 then acc
	 else (ei, post2) :: acc
      ) postexcl2 join1
  in
  assert (invs1.jc_absinv_return == invs2.jc_absinv_return);
  {
    jc_absinv_normal =
      join_abstract_value mgr invs1.jc_absinv_normal invs2.jc_absinv_normal;
    jc_absinv_exceptional =
      join_exclists invs1.jc_absinv_exceptional invs2.jc_absinv_exceptional;
    jc_absinv_return =
      invs1.jc_absinv_return
  }

let widen_invariants mgr invs1 invs2 =
(*   if Jc_options.debug then *)
(*     printf "@[<v 2>[widening]@\n%a@\nand@\n%a@]@."  *)
(*       print_abstract_invariants invs1 print_abstract_invariants invs2; *)
  let widen_exclists postexcl1 postexcl2 =
    let widen1 =
      List.fold_right
	(fun (ei,post1) acc ->
	   try
	     let post2 = List.assoc ei postexcl2 in
	     let post1 = widening_abstract_value mgr post1 post2 in
	     (ei, post1) :: acc
	   with Not_found -> (ei,post1) :: acc
	) postexcl1 []
    in
    List.fold_right (fun (ei,post2) acc ->
		       if List.mem_assoc ei widen1 then acc
		       else (ei, post2) :: acc
		    ) postexcl2 widen1
  in
  assert (invs1.jc_absinv_return == invs2.jc_absinv_return);
  {
    jc_absinv_normal =
      widening_abstract_value mgr invs1.jc_absinv_normal invs2.jc_absinv_normal;
    jc_absinv_exceptional =
      widen_exclists invs1.jc_absinv_exceptional invs2.jc_absinv_exceptional;
    jc_absinv_return =
      invs1.jc_absinv_return
  }


(*****************************************************************************)
(*                                 DNF form                                  *)
(*****************************************************************************)

module Dnf = struct

  type dnf = string list list

  let false_ = []
  let true_ = [[]]

  let is_false = function [] -> true | _ -> false
  let is_true = function [[]] -> true | _ -> false

  let num_disjuncts (dnf : dnf) = List.length dnf

  let rec make_and =
    let pair_and dnf1 dnf2 =
      if is_false dnf1 || is_false dnf2 then
	false_
      else
	List.fold_left
	  (fun acc conj1 ->
	     List.fold_left (fun acc conj2 ->
			       (conj1 @ conj2) :: acc
			    ) acc dnf2
	  ) [] dnf1
    in
    function
      | [] -> true_
      | dnf::r -> pair_and dnf (make_and r)

  let make_or = List.concat

  let print fmt dnf =
    fprintf fmt "dnf : %a"
      (fun fmt disj ->
	 fprintf fmt "[%a]"
	   (print_list comma
	      (fun fmt conj -> fprintf fmt "[%a]"
		 (print_list comma (fun fmt s -> fprintf fmt "%s" s))
		 conj)) disj) dnf

  let test mgr pre dnf =
    if debug then printf "[Dnf.test] %a@." Abstract1.print pre;
    if debug then printf "[Dnf.test] %a@." print dnf;
    let env = Abstract1.env pre in
    if is_false dnf then Abstract1.bottom mgr env
    else if is_true dnf then pre
    else
      let test_conj conj =
	let lincons =
	  try Parser.lincons1_of_lstring env conj
	  with Parser.Error msg ->
	    printf
	      "[Jc_annot_inference.Dnf.test] %s@." msg;
	    assert false
	in
	Abstract1.meet_lincons_array mgr pre lincons
      in
      (* Test each disjunct separately and then join them. *)
      let copy_list = List.map test_conj dnf in
      match copy_list with
	| pre :: rest -> List.fold_left (Abstract1.join mgr) pre rest
	| _ -> assert false
end


(*****************************************************************************)
(*    Extracting linear expressions and constraints from AST expressions     *)
(*****************************************************************************)

let linearize t =
  let err () = failwith "linearize" in
  let rec aux t =
    try match t#node with
      | JCTconst c ->
	  begin match c with
	    | JCCinteger s -> (TermMap.empty, num_of_string s)
	    | JCCboolean _ | JCCvoid | JCCnull | JCCreal _ | JCCstring _ ->
		err ()
	  end
      | JCTbinary(t1,(#arithmetic_op as bop,`Integer),t2) ->
	  let coeffs1, cst1 = aux t1 in
	  let coeffs2, cst2 = aux t2 in
          begin match bop with
	    | `Badd ->
		let coeffs = TermMap.fold
		  (fun vt1 c1 acc ->
		     try
		       let c2 = TermMap.find vt1 coeffs2 in
		       TermMap.add vt1 (c1 +/ c2) acc
		     with Not_found -> TermMap.add vt1 c1 acc
		  ) coeffs1 TermMap.empty
		in
		let coeffs = TermMap.fold
		  (fun vt2 c2 acc ->
		     if TermMap.mem vt2 coeffs then acc
		     else TermMap.add vt2 c2 acc
		  ) coeffs2 coeffs
		in
		(coeffs, cst1 +/ cst2)
	    | `Bsub ->
		let coeffs = TermMap.fold
		  (fun vt1 c1 acc ->
		     try
		       let c2 = TermMap.find vt1 coeffs2 in
		       TermMap.add vt1 (c1 -/ c2) acc
		     with Not_found -> TermMap.add vt1 c1 acc
		  ) coeffs1 TermMap.empty
		in
		let coeffs = TermMap.fold
		  (fun vt2 c2 acc ->
		     if TermMap.mem vt2 coeffs then acc
		     else TermMap.add vt2 (minus_num c2) acc
		  ) coeffs2 coeffs
		in
		(coeffs, cst1 -/ cst2)
	    | `Bmul when TermMap.is_empty coeffs1 || TermMap.is_empty coeffs2 ->
		let coeffs =
		  if TermMap.is_empty coeffs1 then
		    TermMap.map (fun c -> c */ cst1) coeffs2
		  else
		    TermMap.map (fun c -> c */ cst2) coeffs1
		in
		(coeffs, cst1 */ cst2)
	    | `Bmul
	    | `Bdiv
	    | `Bmod -> err ()
	  end
      | JCTbinary(t1,(#bitwise_op as bop,`Integer),t2) ->
	  let coeffs1, cst1 = aux t1 in
	  if coeffs1 = TermMap.empty && cst1 =/ Int 0 then
	    match bop with
	      | `Bbw_and
	      | `Bshift_left
	      | `Blogical_shift_right
	      | `Barith_shift_right -> TermMap.empty, Int 0
	      | `Bbw_or
	      | `Bbw_xor -> aux t2
	      | _ -> err ()
	  else
	    (* Consider non-linear term as abstract variable. *)
	    (TermMap.add t (Int 1) TermMap.empty, Int 0)
      | JCTunary((uop,`Integer),t1) ->
	  let coeffs1,cst1 = aux t1 in
	  begin match uop with
	    | `Uminus ->
		let coeffs = TermMap.map (fun c -> minus_num c) coeffs1 in
		(coeffs, minus_num cst1)
	    | _ -> err ()
	  end
      | JCTvar _ | JCTderef _ | JCToffset _ | JCTapp _ | JCTbinary _
      | JCTunary _ | JCTshift _ | JCTinstanceof _ | JCTmatch _
      | JCTold _ | JCTat _ | JCTcast _ | JCTbitwise_cast _
      | JCTrange_cast _ | JCTreal_cast _ | JCTaddress _ | JCTbase_block _
      | JCTrange _ | JCTif _ | JCTlet _ ->
	  err ()
    with Failure "linearize" ->
      (TermMap.add t (Int 1) TermMap.empty, Int 0)
  in aux t

let linstr_of_term env t =
  let mkmulstr = function
    | (_va, Int 0) -> ""
    | (va, c) -> string_of_num c ^ " * " ^ va
  in
  let rec mkaddstr = function
    | [] -> ""
    | [va,c] -> mkmulstr (va,c)
    | (va,c) :: r ->
	match mkmulstr (va,c), mkaddstr r with
	  | "","" -> ""
	  | s,"" | "",s -> s
	  | s1,s2 -> s1 ^ " + " ^ s2
  in
  let coeffs, cst = linearize t in
  let env = TermMap.fold
    (fun t _ env  ->
       let va = Vai.integer_variable t in
       if Environment.mem_var env va then env
       else Environment.add env [|va|] [||]
    ) coeffs env
  in
  let coeffs =
    TermMap.fold
      (fun t c acc ->
	 let va = Vai.integer_variable t in (Var.to_string va,c)::acc
      ) coeffs []
  in
  env, mkaddstr coeffs, cst

let offset_linstr_of_term env ok t =
  let ptrt, offt = match destruct_pointer t with
    | None -> t, None
    | Some(ptrt,offt) -> ptrt, Some offt
  in
  let st = pointer_struct ptrt#typ in
  let minmaxt = match ok with
    | Offset_min_kind ->
	new term ~typ:integer_type (JCToffset(Offset_min,ptrt,st))
    | Offset_max_kind ->
	new term ~typ:integer_type (JCToffset(Offset_max,ptrt,st))
  in
  let t = match offt with None -> minmaxt | Some offt ->
    new term ~typ:integer_type (JCTbinary(minmaxt,(`Bsub,`Integer),offt))
  in
  linstr_of_term env t

let rec not_asrt a =
  let anode = match a#node with
    | JCAtrue -> JCAfalse
    | JCAfalse -> JCAtrue
    | JCArelation(t1,(bop,`Integer),t2) ->
	begin match bop with
	  | `Blt -> JCArelation (t1, (`Bge,`Integer), t2)
	  | `Bgt -> JCArelation (t1, (`Ble,`Integer), t2)
	  | `Ble -> JCArelation (t1, (`Bgt,`Integer), t2)
	  | `Bge -> JCArelation (t1, (`Blt,`Integer), t2)
	  | `Beq -> JCArelation (t1, (`Bneq,`Integer), t2)
	  | `Bneq -> JCArelation (t1, (`Beq,`Integer), t2)
	end
    | JCAnot a -> a#node
    | JCAand _ | JCAor _ | JCAimplies _ | JCAiff _ | JCAapp _ | JCArelation _
    | JCAquantifier _ | JCAold _ | JCAat _ | JCAinstanceof _ | JCAbool_term _
    | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAsubtype _ | JCAlet _
    | JCAmatch _ | JCAfresh _ ->
	JCAnot a
  in
  new assertion_with ~node:anode a

(* Should be applied to atomic assertions in a DNF form. Otherwise returns
   an overapproximating true assertion.
   Returns a result in dnf string format. *)
let rec linstr_of_assertion env a =
  match a#node with
    | JCAtrue -> env, Dnf.true_
    | JCAfalse -> env, Dnf.false_
    | JCArelation(t1,(bop,`Integer),t2) ->
	let subt =
	  new term ~typ:integer_type (JCTbinary(t1,(`Bsub,`Integer),t2))
	in
	let env,str,cst = linstr_of_term env subt in
	if str = "" then
	  let ncst = minus_num cst in
	  let is_true = match bop with
	    | `Blt -> Int 0 </ ncst
	    | `Bgt -> Int 0 >/ ncst
	    | `Ble -> Int 0 <=/ ncst
	    | `Bge -> Int 0 >=/ ncst
	    | `Beq -> Int 0 =/ ncst
	    | `Bneq -> Int 0 <>/ ncst
	  in
	  env, if is_true then Dnf.true_ else Dnf.false_
	else
	  let cstr = string_of_num (minus_num cst) in
	  (* Do not use < and > with APRON, due to bugs in some versions.
	     Convert to equivalent non-strict. *)
	  let str = match bop with
	    | `Blt -> [[str ^ " <= " ^
			  (string_of_num (pred_num (minus_num cst)))]]
	    | `Bgt -> [[str ^ " >= " ^
			  (string_of_num (succ_num (minus_num cst)))]]
	    | `Ble -> [[str ^ " <= " ^ cstr]]
	    | `Bge -> [[str ^ " >= " ^ cstr]]
	    | `Beq -> [[str ^ " = " ^ cstr]]
	    | `Bneq ->
		[[str ^ " <= " ^
		    (string_of_num (pred_num (minus_num cst)))];
		 [str ^ " >= " ^
		    (string_of_num (succ_num (minus_num cst)))]]
	  in
	  env, str
    | JCAnot a ->
	let nota = not_asrt a in
	begin match nota#node with
	  | JCAnot _ -> env, Dnf.true_
	  | _ -> linstr_of_assertion env nota
	end
    | JCArelation _ | JCAand _ | JCAor _ | JCAimplies _ | JCAiff _ | JCAapp _
    | JCAquantifier _ | JCAold _ | JCAat _ | JCAinstanceof _ | JCAbool_term _
    | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAsubtype _ | JCAmatch _
    | JCAlet _ | JCAfresh _ ->
	env, Dnf.true_

let linstr_of_expr env e =
  match Jc_effect.term_of_expr e with None -> None | Some t ->
    let env,str,cst = linstr_of_term env t in
    if str = "" then Some (env, string_of_num cst)
    else Some (env, str ^ " + " ^ (string_of_num cst))

let offset_linstr_of_expr env ok e =
  match e#node with
    | JCEalloc _ ->
	if ok = Offset_min_kind then Some (env, "0")
	else
	  begin match Jc_effect.term_of_expr e with None -> None | Some t ->
	    let env,str,cst = linstr_of_term env t in
	    if str = "" then Some (env,string_of_num cst)
	    else Some (env,str ^ " + " ^ (string_of_num cst))
	  end
    | _ ->
	if is_nonnull_pointer_type e#typ then
	  match Jc_effect.term_of_expr e with None -> None | Some t ->
	    let env,str,cst = offset_linstr_of_term env ok t in
	    if str = "" then Some (env,string_of_num cst)
	    else Some (env,str ^ " + " ^ (string_of_num cst))
	else None


(*****************************************************************************)
(*             Building assertions from inferred invariants                  *)
(*****************************************************************************)

let mkterm linexpr =
  let vars =
    Array.to_list (fst (Environment.vars (Linexpr1.get_env linexpr)))
  in
  let rec add_term t va =
    match Linexpr1.get_coeff linexpr va with
      | Scalar s ->
	  let vt = match Scalar.to_string s with
	    | "0." | "0" -> None
	    | "1" -> Some (Vai.term va)
	    | "-1" ->
		let tnode = JCTunary ((`Uminus,`Integer), Vai.term va) in
		let t = new term ~typ:integer_type tnode in
		Some t
	    | s ->
		let ctnode = JCTconst (JCCinteger s) in
		let ct = new term ~typ:integer_type ctnode in
		let tnode = JCTbinary (ct, (`Bmul,`Integer), Vai.term va) in
		let t = new term ~typ:integer_type tnode in
		Some t
	  in
	  begin match t,vt with
	    | None,vt -> vt
	    | t,None -> t
	    | Some t,Some vt ->
		let tnode = JCTbinary (t, (`Badd,`Integer), vt) in
		let t = new term ~typ:integer_type tnode in
		Some t
	  end
      | Interval _ -> assert false
  in
  let cst = match Linexpr1.get_cst linexpr with
    | Scalar s ->
	begin match Scalar.to_string s with
	  | "0." | "0" -> None
	  | s ->
	      let ctnode = JCTconst (JCCinteger s) in
	      let ct = new term ~typ:integer_type ctnode in
	      Some ct
	end
    | Interval _ -> assert false
  in
  match List.fold_left add_term cst vars with
    | None -> assert false
    | Some t -> t

let mkassertion lincons =
  let t1 = mkterm (Lincons1.get_linexpr1 lincons) in
  let op,c2 = match Lincons1.get_typ lincons with
    | EQ -> (`Beq,`Integer), JCCinteger "0"
    | SUPEQ -> (`Bge,`Integer), JCCinteger "0"
    | SUP -> (`Bgt,`Integer), JCCinteger "0"
    | DISEQ -> (`Bneq,`Integer), JCCinteger "0"
    | EQMOD _scalar ->
	(* If using a new domain that generates such modulo equalities,
	   add support for those *)
	assert false
  in
  let t2 = new term ~typ:integer_type (JCTconst c2) in
  new assertion (JCArelation(t1,op,t2))

let rec linterms_of_term t =
  let mkmulterm (t,c) =
    if c =/ Int 0 then None
    else if c =/ Int 1 then Some t
    else if c =/ Int (-1) then
      Some(new term ~typ:integer_type (JCTunary((`Uminus,`Integer),t)))
    else
      let c =
	new term ~typ:integer_type (JCTconst(JCCinteger(string_of_num c)))
      in
      Some(new term ~typ:integer_type (JCTbinary(c,(`Bmul,`Integer),t)))
  in
  let rec mkaddterm = function
    | [] -> None
    | [t,c] -> mkmulterm (t,c)
    | (t,c) :: r ->
	match mkmulterm (t,c), mkaddterm r with
	  | None,None -> None
	  | Some t,None | None,Some t -> Some t
	  | Some t1,Some t2 ->
	      Some(new term ~typ:integer_type
		     (JCTbinary(t1,(`Badd,`Integer),t2)))
  in
  let coeffs,cst = linearize t in
  let posl,negl =
    TermMap.fold (fun t c (pl,nl) ->
		    if c >/ Int 0 then (t,c) :: pl, nl
		    else if c </ Int 0 then pl, (t,minus_num c) :: nl
		    else pl, nl
		 ) coeffs ([],[])
  in
  let cstt =
    new term ~typ:integer_type
      (JCTconst(JCCinteger(string_of_num(abs_num cst))))
  in
  let post = match mkaddterm posl with
    | None ->
	if cst >/ Int 0 then cstt
	else new term ~typ:integer_type (JCTconst(JCCinteger "0"))
    | Some t ->
	if cst >/ Int 0 then
	  new term ~typ:integer_type (JCTbinary(t,(`Badd,`Integer),cstt))
	else t
  in
  let negt = match mkaddterm negl with
    | None ->
	if cst </ Int 0 then cstt
	else new term ~typ:integer_type (JCTconst(JCCinteger "0"))
    | Some t ->
	if cst </ Int 0 then
	  new term ~typ:integer_type (JCTbinary(t,(`Badd,`Integer),cstt))
	else t
  in
  post,negt

let mkpresentable a =
  let rec linasrt_of_assertion a =
    match a#node with
      | JCArelation(t1,bop,t2) ->
	  let subt =
	    new term ~typ:integer_type (JCTbinary(t1,(`Bsub,`Integer),t2))
	  in
	  let post,negt = linterms_of_term subt in
	  (* Make all terms appear with a positive coefficient *)
	  new assertion(JCArelation(post,bop,negt))
      | JCAnot a ->
	  let nota = not_asrt a in
	  begin match nota#node with
	    | JCAnot _ -> a
	    | _ -> linasrt_of_assertion nota
	  end
      | JCAtrue | JCAfalse | JCAand _ | JCAor _ | JCAimplies _ | JCAiff _
      | JCAapp _ | JCAquantifier _ | JCAold _ | JCAat _ | JCAinstanceof _
      | JCAbool_term _ | JCAfresh _
      | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAsubtype _ | JCAmatch _
      | JCAlet _ -> a
  in
  linasrt_of_assertion a

let mkconsistent a =
  let cannot_have_lower_bound t =
    match t#node with
      | JCToffset(Offset_min,_,_) -> true
      | JCTapp app when app.jc_app_fun.jc_logic_info_name = "strlen" -> true
      | _ -> false
  in
  let cannot_have_upper_bound t =
    match t#node with
      | JCToffset(Offset_max,_,_) -> true
      | _ -> false
  in
  let rec aux a =
    match a#node with
      | JCArelation(t1,(op,_ty),t2) ->
	  let subt =
	    new term ~typ:integer_type (JCTbinary(t1,(`Bsub,`Integer),t2))
	  in
	  let coeffs,_ = linearize subt in
	  let posl,negl =
	    TermMap.fold
	      (fun t c (pl,nl) ->
		 if c >/ Int 0 then t :: pl, nl
		 else if c </ Int 0 then pl, t :: nl
		 else pl, nl
	      ) coeffs ([],[])
	  in
	  let lbounds,ubounds = match op with
	    | `Ble | `Blt -> posl,negl
	    | `Bge | `Bgt -> negl,posl
	    | `Beq | `Bneq -> posl@negl,posl@negl
	  in
	  if List.exists cannot_have_upper_bound lbounds
	    || List.exists cannot_have_lower_bound ubounds then None
	  else Some a
      | JCAnot _
      | JCAtrue | JCAfalse | JCAand _ | JCAor _ | JCAimplies _ | JCAiff _
      | JCAapp _ | JCAquantifier _ | JCAold _ | JCAat _ | JCAinstanceof _
      | JCAbool_term _ | JCAfresh _
      | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAsubtype _ | JCAmatch _
      | JCAlet _ ->
	  Some a
  in
  let conjuncts = conjuncts a in
  let cnf = List.map disjuncts conjuncts in
  let conjuncts =
    List.map
      (fun conjunct ->
	 let disjuncts =
	   List.map
	     (fun disjunct -> match aux disjunct with
		| None -> Assertion.mkfalse ()
		| Some a -> a
	     ) conjunct
	 in
	 let conjunct = Assertion.mkor disjuncts () in
	 if Assertion.is_false conjunct then Assertion.mktrue () else conjunct
      ) cnf
  in
  Assertion.mkand conjuncts ()

let mkinvariant mgr absval =
  if Abstract1.is_top mgr absval then
    Assertion.mktrue ()
  else if Abstract1.is_bottom mgr absval then
    Assertion.mkfalse ()
  else
    let linconsarr = Abstract1.to_lincons_array mgr absval in
    let rec mkrec acc i =
      if i >= 0 then
	mkrec (mkassertion (Lincons1.array_get linconsarr i) :: acc) (i-1)
      else acc
    in
    let asserts = mkrec [] (Lincons1.array_length linconsarr - 1) in
    Assertion.mkand (List.map mkpresentable asserts) ()


(*****************************************************************************)
(*                          Simplifying formulas                             *)
(*****************************************************************************)

let variables_and_dnf a =
  let atp = atp_of_asrt a in
  let dnf = Atp.dnf atp in
  let vars = Atp.fv dnf in
  let vars =
    List.fold_left
      (fun acc s ->
	 Option_misc.map_default (fun t -> t :: acc) acc (Vwp.term s)
      ) [] vars
  in
  let vars = List.map Vai.integer_variable vars in
  let env = Environment.make (Array.of_list vars) [||] in
  let disjuncts = Atp.disjuncts dnf in
  let disjuncts = List.map Atp.conjuncts disjuncts in
  let disjuncts = List.map (List.map asrt_of_atp) disjuncts in
  env, disjuncts

(* For scaling, this could be replaced by a call to [contradictory] which
   does not involve quantifier elimination *)
let tautology a =
  let qf = Atp.generalize (atp_of_asrt a) in
(*   if Jc_options.debug then *)
(*     printf "@[<v 2>Before quantifier elimination@\n%a@]@." *)
(*       (fun fmt fm -> Atp.printer fm) qf; *)
(*   let dnf = Atp.dnf qf in *)
(*   if Jc_options.debug then *)
(*     printf "@[<v 2>After dnf@\n%a@]@." *)
(*       (fun fmt fm -> Atp.printer fm) dnf; *)
(*   if debug then printf "[before integer_qelim]@."; *)
  let qe = Atp.fourier_qelim qf in
(*   if debug then printf "[after integer_qelim]@."; *)
  let qe = asrt_of_atp qe in
  qe#node = JCAtrue

let contradictory =
  let mgr = Polka.manager_alloc_strict () in
  fun a b ->
    if Jc_options.debug then
      printf "@[<v 2>[contradictory]@\n%a@\n%a@]@."
	Jc_output.assertion a Jc_output.assertion b;
    let env,disjuncts = variables_and_dnf (Assertion.mkand [a;b] ()) in
    assert(List.length disjuncts > 0);
    let res = List.fold_left
      (fun acc conjunct -> acc &&
	 try
	   let cstrs = List.map (linstr_of_assertion env) conjunct in
	   let cstrs = List.map snd cstrs in
	   let dnf = Dnf.make_and cstrs in
	   let absval = Abstract1.top mgr env in
	   let absval = Dnf.test mgr absval dnf in
	   Abstract1.is_bottom mgr absval
	 with Parser.Error _ | Failure _ -> false
      ) true disjuncts
    in
(*     if debug then  *)
(*       printf "@[<v 2>[contradictory] %b@]@." res; *)
    res

let abstract_overapprox mgr env a =
  let conjuncts = conjuncts a in
  List.fold_left
    (fun (absval,acc) conjunct ->
       try
	 let dnf = snd (linstr_of_assertion env conjunct) in
	 let absval' = Dnf.test mgr (Abstract1.top mgr env)  dnf in
	 if Abstract1.is_top mgr absval' then
	   absval, conjunct :: acc
	 else
	   meet mgr absval absval', acc
       with Parser.Error _ | Failure _ ->
	 absval, conjunct :: acc
    ) (Abstract1.top mgr env,[]) conjuncts

let minimize mgr =
  (* Use polyhedral domain to get a minimization function *)
  let polmgr = Polka.manager_alloc_strict () in
  fun val1 ->
    let env = Abstract1.env val1 in
    let a = mkinvariant mgr val1 in
    let conjuncts = conjuncts a in
    let dnf =
      Dnf.make_and (List.map (snd $ linstr_of_assertion env) conjuncts)
    in
    let absval = Dnf.test polmgr (Abstract1.top polmgr env) dnf in
    mkinvariant polmgr absval

let simplify =
  (* Use polyhedral domain for precision and to get a minimization function *)
  let mgr = Polka.manager_alloc_strict () in
  fun ?inva inita ->
    if Jc_options.debug then
      printf "@[<v 2>[simplify]@\n%a@]@." Jc_output.assertion inita;
    let simpla = (* if tautology inita then (Assertion.mktrue ()) else *)
      let env,disjuncts = variables_and_dnf inita in
      if Jc_options.debug then
	printf "@[<v 2>[simplify] dnf@\n%a@]@."
	  (print_list semi
	     (print_list simple_comma Jc_output.assertion)) disjuncts;

      let invapprox = match inva with
	| None -> Abstract1.top mgr env
	| Some inva -> fst (abstract_overapprox mgr env inva)
      in
      let disjuncts = match inva with
	| None -> disjuncts
	| Some inva ->
	    List.filter
	      (fun conjunct ->
		 not(contradictory (Assertion.mkand conjunct ()) inva)
	      ) disjuncts
      in

      let abstract_disjuncts,other_disjuncts =
	List.fold_right
	  (fun conjunct (abstractl,otherl) ->
	     try
	       if Jc_options.debug then
		 printf "asrt conjunct : %a@."
		   (Pp.print_list (fun _fmt () -> printf " /\\ ")
		      Jc_output.assertion)
		   conjunct;
	       let absval,other_conjuncts =
		 abstract_overapprox mgr env (Assertion.mkand conjunct ())
	       in
	       if Jc_options.debug then
		 printf "abstract conjunct : %a@." Abstract1.print absval;
	       if Abstract1.is_bottom mgr absval then
		 abstractl, otherl
	       else
		 (absval,other_conjuncts) :: abstractl, otherl
	     with Parser.Error _ | Failure _ ->
	       abstractl,
	       Assertion.mkand (List.map mkpresentable conjunct) () :: otherl
	  ) disjuncts ([],[])
      in
      let abstract_disjuncts =
	List.fold_right
	  (fun (absval,other_conjuncts) acc ->
	     (* Do not consider conjunct if less precise than [inva] *)
	     let skip =
	       other_conjuncts = [] && stronger mgr invapprox absval
	     in
	     if skip then acc else
	       (* Remove conjuncts that are stronger than current one *)
	       let acc =
		 List.filter
		   (fun (av,oc) -> not (oc = [] && stronger mgr av absval)) acc
	       in
	       (* Do not add current conjunct if stronger than another one *)
	       if other_conjuncts = [] &&
		 List.exists (fun (av,_oc) -> stronger mgr absval av) acc
	       then acc
	       else (absval,other_conjuncts) :: acc
	  ) abstract_disjuncts []
      in
      List.iter (Abstract1.minimize mgr $ fst) abstract_disjuncts;
      let abstract_disjuncts =
	List.map (fun (absval,other_conjuncts) ->
		    Assertion.mkand (mkinvariant mgr absval :: other_conjuncts) ()
		 ) abstract_disjuncts
      in
      let disjuncts = abstract_disjuncts @ other_disjuncts in
      if List.length disjuncts > 5 then (* Arbitrary threshold for clarity *)
	inita
      else
	Assertion.mkor disjuncts ()
    in
    if debug then
      printf "@[<v 2>[simplify] initial:@\n%a@]@." Jc_output.assertion inita;
    if debug then
      printf "@[<v 2>[simplify] w.r.t. invariant:@\n%a@]@."
	(print_option Jc_output.assertion) inva;
    if debug then
      printf "@[<v 2>[simplify] final:@\n%a@]@." Jc_output.assertion simpla;
    simpla

let quantif_eliminate qf finv =
(*   if Jc_options.debug then *)
(*     printf "@[<v 2>Raw precondition@\n%a@]@." Jc_output.assertion qf;  *)
  let qf = atp_of_asrt qf in
(*   if Jc_options.debug then *)
(*     printf "@[<v 2>Before quantifier elimination@\n%a@]@."  *)
(*       (fun fmt fm -> Atp.printer fm) qf;  *)
  let qf = Atp.pnf qf in
  match qf with
    | Atp.Forall _ | Atp.Exists _ ->
	let qe = Atp.fourier_qelim qf in
(* 	if Jc_options.debug then *)
(* 	  printf "@[<v 2>After quantifier elimination@\n%a@]@."  *)
(* 	    (fun fmt fm -> Atp.printer fm) qe;  *)
	begin match qe with
(* 	  | Atp.Not nqe -> *)
(* 	      let qe = (Atp.dnf nqe) in *)
(* (\* 	      if Jc_options.debug then *\) *)
(* (\* 		printf "@[<v 2>After negative disjunctive normal form@\n%a@]@."  *\) *)
(* (\* 		  (fun fmt fm -> Atp.printer fm) qe; *\) *)
(* 	      let res = simplify (asrt_of_atp qe) in *)
(* 	      let finv = asrt_of_atp (Atp.dnf (atp_of_asrt finv)) in *)
(* 	      simplify ~inva:finv (Assertion.mknot res ()) *)
	  | _ ->
	      let qe = (Atp.dnf qe) in
(* 	      if Jc_options.debug then *)
(* 		printf "@[<v 2>After disjunctive normal form@\n%a@]@."  *)
(* 		  (fun fmt fm -> Atp.printer fm) qe; *)
	      let finv = asrt_of_atp (Atp.dnf (atp_of_asrt finv)) in
	      simplify ~inva:finv (asrt_of_atp qe)
	end
    | q ->
	let finv = asrt_of_atp (Atp.dnf (atp_of_asrt finv)) in
	simplify ~inva:finv (asrt_of_atp q)


(*****************************************************************************)
(* Computing weakest preconditions.                                          *)
(*****************************************************************************)

let is_function_level posts =
  List.length posts.jc_post_modified_vars = 1

let add_modified_var posts v =
  let vars = match posts.jc_post_modified_vars with
    | vs :: r -> VarSet.add v vs :: r
    | [] -> assert false
  in
  { posts with jc_post_modified_vars = vars; }

let add_modified_vars posts vs =
  let vars = match posts.jc_post_modified_vars with
    | vs2 :: r -> VarSet.union vs vs2 :: r
    | [] -> assert false
  in
  { posts with jc_post_modified_vars = vars; }

let add_inflexion_var posts v =
  posts.jc_post_inflexion_vars :=
    VarSet.add v !(posts.jc_post_inflexion_vars)

let remove_modified_var posts v =
  let vars = match posts.jc_post_modified_vars with
    | vs :: r -> VarSet.remove v vs :: r
    | [] -> assert false
  in
  { posts with jc_post_modified_vars = vars; }

let push_modified_vars posts =
  let vars = posts.jc_post_modified_vars in
  { posts with jc_post_modified_vars = VarSet.empty :: vars; }

let pop_modified_vars posts =
  let vs,vars = match posts.jc_post_modified_vars with
    | vs :: r -> vs,r
    | [] -> assert false
  in
  vs,{ posts with jc_post_modified_vars = vars; }

let collect_free_vars a =
  let all_vars, quant_vars =
    Jc_iterators.fold_term_and_assertion
      (fun (vars,qvars as acc) t -> match t#node with
	 | JCTvar vi -> VarSet.add vi vars, qvars
	 | _ -> acc)
      (fun (vars,qvars as acc) a -> match a#node with
	 | JCAquantifier(_,vi,_trig,_a) -> vars, VarSet.add vi qvars
	 | _ -> acc)
      (VarSet.empty,VarSet.empty) a
  in
  VarSet.diff all_vars quant_vars

let initialize_target curposts target =
  (* Collect all sub-terms not natively understood by underlying abstract
     domain. By default, collect all non linear arithmetic terms. *)
  let collect_sub_terms =
    Jc_iterators.fold_term_in_assertion
      (fun acc t -> match t#node with
	 | JCTvar _
	 | JCTbinary(_,((`Badd,`Integer) | (`Bsub,`Integer)),_)
	 | JCTunary((`Uminus,`Integer),_) -> acc
	 | _ -> TermSet.add t acc
      ) TermSet.empty
  in
  let vs1 = collect_free_vars target.jc_target_regular_invariant in
  let vs2 = collect_free_vars target.jc_target_assertion in
  let vs = VarSet.union vs1 vs2 in
  let ts1 = collect_sub_terms target.jc_target_regular_invariant in
  let ts2 = collect_sub_terms target.jc_target_assertion in
  let ts = TermSet.union ts1 ts2 in
  (* Avoid potential blowup in WP caused by many disjunctions in initial
     formula by replacing it by a set of equalities between variables and
     their current inflexion, and the same for terms that mention these
     variables *)
  VarSet.fold
    (fun vi a ->
       let vit = new term_var vi in
       let copyvi = copyvar vi in
       add_inflexion_var curposts copyvi;
       let t1 = new term_var copyvi in
       target.jc_target_regular_invariant <-
	 replace_term_in_assertion vit t1 target.jc_target_regular_invariant;
       target.jc_target_assertion <-
	 replace_term_in_assertion vit t1 target.jc_target_assertion;
       let eqs =
	 if is_integral_type vit#typ then
	   let bop = equality_operator_of_type vit#typ in
	   [ new assertion (JCArelation(t1,bop,vit)) ]
	 else []
       in
       let eqs =
	 TermSet.fold
	   (fun t acc ->
	      if is_integral_type t#typ && raw_strict_sub_term vit t then
		let t2 = replace_term_in_term ~source:vit ~target:t1 t in
		let bop = equality_operator_of_type t#typ in
		let eq = new assertion(JCArelation(t2,bop,t)) in
		eq::acc
	      else acc
	   ) ts eqs
       in
       Assertion.mkand(a::eqs) ()
    ) vs (Assertion.mktrue ())

let finalize_target ~is_function_level ~pos ~anchor curposts target inva =
  if Jc_options.debug then
    printf "@[<v 2>[finalize_target]@\nfunction level? %b@]@."
      is_function_level;
  if Jc_options.debug then
    printf "@[<v 2>[finalize_target]@\n%a@]@." Jc_output.assertion inva;
  let annot_name =
    if is_function_level then "precondition" else "loop invariant"
  in
  let vs,curposts = pop_modified_vars curposts in
  let vs = VarSet.union vs !(curposts.jc_post_inflexion_vars) in
  if is_function_level then assert(curposts.jc_post_modified_vars = []);
  match curposts.jc_post_normal with
    | None -> (* assert target.jc_target_hint; *) None
    | Some wpa ->
    (* [wpa] is the formula obtained by weakest precondition from some
     * formula at the assertion point.
     *)
    (* [patha] is the path formula. It characterizes the states from which
     * it is possible to reach the assertion point.
     *)
    let patha =
      if target.jc_target_hint then
	wpa
      else
	Assertion.mkand[wpa;target.jc_target_regular_invariant] ()
    in
    (* [impla] is the implication formula, that guarantees the assertion holds
     * when the assertion point is reached.
     *)
    let impla = new assertion(JCAimplies(patha,target.jc_target_assertion)) in
    (* [quanta] is the quantified formula. It quantifies [impla] over the
     * variables modified.
     *)
    let quanta =
      VarSet.fold
	(fun vi a -> new assertion (JCAquantifier(Forall,vi,[],a))) vs impla
    in
    (* [elima] is the quantifier free version of [quanta].
    *)
    if debug then
      printf "@[<v 2>[finalize_target] quantified formula@\n%a@]@."
	Jc_output.assertion quanta;
    let elima = quantif_eliminate quanta inva in
    if debug then
      printf "@[<v 2>[finalize_target] quantifier-free formula@\n%a@]@."
	Jc_output.assertion elima;
    let finala = mkconsistent elima in
    if contradictory finala patha then
      begin
	if Jc_options.debug then
	  printf "%a@[<v 2>No inferred %s@."
	    Loc.report_position target.jc_target_location annot_name;
	None
      end
    else
      begin
	if Jc_options.debug then
	  printf "%a@[<v 2>Inferring %s@\n%a@]@."
	    Loc.report_position target.jc_target_location
	    annot_name Jc_output.assertion finala;
	let finala = reg_annot ~pos ~anchor finala in
	Some finala
      end

let forget_mem_in_assertion curposts e1 fi dereft a =
  let mc,_ufi_opt = Jc_effect.deref_mem_class ~type_safe:true e1 fi in
  let mem = mc, e1#region in
  Jc_iterators.map_term_in_assertion
    (fun t ->
       if TermOrd.equal dereft t then t
       else
	 let ef = Jc_effect.term empty_effects t in
	 if Jc_effect.has_memory_effect ef mem then
	   let tmp = newvar t#typ in
	   add_inflexion_var curposts tmp;
	   new term_var tmp
	 else t
    ) a

let rec wp_expr weakpre =
  let var_of_term = Hashtbl.create 0 in
  (* Terms should be raw only. *)
  let unique_var_for_term t ty =
    try Hashtbl.find var_of_term t
    with Not_found ->
      let vi = Jc_pervasives.var ty (name_of_term t) in
      Hashtbl.add var_of_term t vi;
      vi
  in
  fun target e curposts ->
    let wp = wp_expr weakpre target in
    (* Do not let hints propagate too far *)
    let block_hint curposts =
      if target.jc_target_hint then
	{ curposts with jc_post_normal = None }
      else curposts
    in
(*     if debug then  *)
(*       printf "[wp_expr] %a@\n%a@\nfor stat %a@." Loc.report_position e#pos *)
(* 	(print_option Jc_output.assertion) curposts.jc_post_normal *)
(* 	Jc_output.expr target.jc_target_expr; *)
(*     if debug then  *)
(*       printf "[wp_expr] curposts is None? %b@."  *)
(* 	(curposts.jc_post_normal = None); *)
    let curposts = match e#node with
      | JCElet(v,e1opt,e2) ->
	  let curposts = wp e2 curposts in
	  let post =
	    match curposts.jc_post_normal, e1opt with
	      | None, _ -> None
	      | Some a, None -> Some a
	      | Some a, Some e1 ->
		  match Jc_effect.term_of_expr e1 with None -> Some a | Some t1 ->
		    let tv = new term_var v in
		    if !Jc_options.annotation_sem = AnnotWeakPre
		      || (!Jc_options.annotation_sem = AnnotStrongPre
			  && mem_term_in_assertion tv a)
		    then
		      let bop =
			equality_operator_of_type v.jc_var_info_type
		      in
		      let eq = new assertion (JCArelation(tv,bop,t1)) in
		      Some (Assertion.mkand [ eq; a ] ())
		    else Some a
	  in
	  let curposts = add_modified_var curposts v in
	  let curposts = { curposts with jc_post_normal = post } in
	  begin match e1opt with
	    | None -> curposts
	    | Some e1 -> wp e1 curposts
	  end
      | JCEassign_var(v,e1) ->
	  let tv = new term_var v in
	  let copyv = copyvar v in
	  let tv1 = new term_var copyv in
	  let post =
	    match curposts.jc_post_normal with None -> None | Some a ->
	      if !Jc_options.annotation_sem = AnnotWeakPre
		|| (!Jc_options.annotation_sem = AnnotStrongPre
		    && mem_term_in_assertion tv a)
	      then
		let a = replace_term_in_assertion tv tv1 a in
		match Jc_effect.term_of_expr e1 with None -> Some a | Some t1 ->
		  let bop = equality_operator_of_type v.jc_var_info_type in
		  let eq = new assertion (JCArelation(tv1,bop,t1)) in
		  Some (Assertion.mkand [ eq; a ] ())
	      else Some a
	  in
	  add_inflexion_var curposts copyv;
	  let curposts =
	    if is_function_level curposts || target.jc_target_hint then
	      curposts
	    else
	      (* Also add regular variable, for other branches in loop. *)
	      add_modified_var curposts v
	  in
	  let curposts = { curposts with jc_post_normal = post } in
	  wp e1 curposts
      | JCEassign_heap(e1,fi,e2) ->
	  let curposts = match Jc_effect.term_of_expr e1 with
	    | None -> curposts (* TODO *)
	    | Some t1 ->
		let dereft =
		  new term ~typ:fi.jc_field_info_type
		    (JCTderef(t1,LabelHere,fi))
		in
		let v = unique_var_for_term dereft fi.jc_field_info_type in
		let copyv = copyvar v in
		let tv1 = new term_var copyv in
		let post =
		  match curposts.jc_post_normal with None -> None | Some a ->
		    if !Jc_options.annotation_sem = AnnotWeakPre
		      || (!Jc_options.annotation_sem = AnnotStrongPre
			  && mem_term_in_assertion dereft a)
		    then
		      let a = forget_mem_in_assertion curposts e1 fi dereft a in
		      let a = replace_term_in_assertion dereft tv1 a in
		      match Jc_effect.term_of_expr e2 with
			| None -> Some a
			| Some t2 ->
			    let bop =
			      equality_operator_of_type fi.jc_field_info_type
			    in
			    let eq = new assertion (JCArelation(tv1,bop,t2)) in
			    Some (Assertion.mkand [ eq; a ] ())
		    else Some a
		in
		add_inflexion_var curposts copyv;
		let curposts =
		  if is_function_level curposts || target.jc_target_hint then
		    curposts
		  else
		    (* Also add regular variable, for other branches in loop. *)
		    add_modified_var curposts v
		in
		{ curposts with jc_post_normal = post }
	  in
	  wp e1 (wp e2 curposts)
(*       | JCEassert(_behav,Ahint,a) ->  *)
(* 	  (\* Hints are not to be used in wp computation, only added to help. *\) *)
(* 	  curposts *)
      | JCEassert(_behav,_asrt,a1) ->
(* 	  if target.jc_target_hint then *)
(* 	    curposts *)
(* 	  else *)
	    let f = atp_of_asrt a1 in
	    let fvars = Atp.fv f in
	    let varsets =
	      List.fold_left
		(fun acc s ->
		   Option_misc.map_default (fun t -> t :: acc) acc (Vwp.term s)
		) [] fvars
	    in
	    let varsets = TermSet.of_list varsets in
	    let post =
	      match curposts.jc_post_normal with None -> None | Some a ->
		if !Jc_options.annotation_sem = AnnotWeakPre
		  || (!Jc_options.annotation_sem = AnnotStrongPre
		      && mem_any_term_in_assertion varsets a)
		then
		  Some (Assertion.mkand [ a1; a ] ())
		else Some a
	    in
	    { curposts with jc_post_normal = post }
      | JCEblock sl ->
	  List.fold_right wp sl curposts
      | JCEif(test,etrue,efalse) ->
	  let curposts = block_hint curposts in
	  let tposts = wp etrue curposts in
	  let ta = asrt_of_expr test in
	  let tf = Option_misc.map_default atp_of_asrt Atp.True ta in
	  let fvars = Atp.fv tf in
	  let varsets =
	    List.fold_left
	      (fun acc s ->
		 Option_misc.map_default (fun t -> t :: acc) acc (Vwp.term s)
	      ) [] fvars
	  in
	  let varsets = TermSet.of_list varsets in

	  let tpost =
	    match tposts.jc_post_normal with None -> None | Some a ->
	      if !Jc_options.annotation_sem = AnnotWeakPre
		|| (!Jc_options.annotation_sem = AnnotStrongPre
		    && mem_any_term_in_assertion varsets a)
	      then
		match ta with None -> Some a | Some ta ->
		  Some (Assertion.mkand [ ta; a ] ())
	      else Some a
	  in
	  let fposts = wp efalse curposts in
	  let fpost =
	    match fposts.jc_post_normal with None -> None | Some a ->
	      let fa = Option_misc.map (fun a -> Assertion.mknot a ()) ta in
	      if !Jc_options.annotation_sem = AnnotWeakPre
		|| (!Jc_options.annotation_sem = AnnotStrongPre
		    && mem_any_term_in_assertion varsets a)
	      then
		match fa with None -> Some a | Some fa ->
		  Some (Assertion.mkand [ fa; a ] ())
	      else Some a
	  in
	  let post = match tpost,fpost with
	    | None,opta | opta,None -> opta
		(* TODO: add loc variable v with ta and not v with fa
		   to correctly implement wp *)
	    | Some ta,Some fa -> Some (Assertion.mkor [ta;fa] ())
	  in
	  let tvs,_ = pop_modified_vars tposts in
	  let fvs,_ = pop_modified_vars fposts in
	  let vs = VarSet.union tvs fvs in
	  let curposts = add_modified_vars curposts vs in
	  let curposts = { curposts with jc_post_normal = post } in
	  let curposts = wp test curposts in
	  block_hint curposts
      | JCEreturn_void ->
	  { curposts with jc_post_normal = None; }
      | JCEreturn(_ty,e1) ->
	  let curposts = { curposts with jc_post_normal = None } in
	  wp e1 curposts
      | JCEthrow(ei,e1opt) -> (* TODO: link with value caught *)
	  let post =
	    try Some (List.assoc ei curposts.jc_post_exceptional)
	    with Not_found -> None
	  in
	  let curposts = { curposts with jc_post_normal = post } in
	  begin match e1opt with None -> curposts | Some e1 ->
	    wp e1 curposts
	  end
      | JCEtry(body,handlers,_finally) ->
	  (* TODO: apply finally stmt to all paths. *)
	  let handlpostexcl,handlvs =
	    List.fold_left
	      (fun (curpostexcl,curvs) (ei,_vio,ehandler) ->
		 let excposts = wp ehandler curposts in
		 let curpostexcl = match excposts.jc_post_normal with
		   | None -> curpostexcl
		   | Some a -> (ei,a) :: curpostexcl
		 in
		 let excvs,_ = pop_modified_vars excposts in
		 let curvs = VarSet.union curvs excvs in
		 (curpostexcl,curvs)
	      ) ([],VarSet.empty) handlers
	  in
	  let curpostexcl =
	    List.filter
	      (fun (ei,_) ->
		 not (List.exists
			(fun (ej,_,_) ->
			   ei.jc_exception_info_tag = ej.jc_exception_info_tag
			) handlers)
	      ) curposts.jc_post_exceptional
	  in
	  let curpostexcl = handlpostexcl @ curpostexcl in
	  let tmpposts =
	    { curposts with jc_post_exceptional = curpostexcl; }
	  in
	  let bodyposts = wp body tmpposts in
	  let bodyvs,_ = pop_modified_vars bodyposts in
	  let vs = VarSet.union handlvs bodyvs in
	  let curposts = add_modified_vars curposts vs in
	  { curposts with jc_post_normal = bodyposts.jc_post_normal; }
      | JCEloop(annot,body) ->
	  let curposts = block_hint curposts in
	  let loops = weakpre.jc_weakpre_loops in
	  let loop_invariants = weakpre.jc_weakpre_loop_invariants in
	  Hashtbl.replace loops annot.jc_loop_tag e;
	  let curposts = { curposts with jc_post_normal = None } in
	  let loopposts = push_modified_vars curposts in
	  let loopposts =
	    match curposts.jc_post_normal with
	      | None -> wp body loopposts
	      | Some _ -> curposts
	  in
	  let inva =
	    Assertion.mkand
	      (List.fold_left
		 (fun acc (_,inv,_) ->
		    match inv with
		      | None -> acc
		      | Some a -> a :: acc)
		 [annot.jc_free_loop_invariant] annot.jc_loop_behaviors)
	      ()
	  in
	  let post =
	    match finalize_target
	      ~is_function_level:false ~pos:e#pos ~anchor:e#mark
	      loopposts target inva
	    with
	      | None -> None
	      | Some infera ->
		  target.jc_target_regular_invariant <- inva;
		  target.jc_target_assertion <- infera;
		  begin try
		    let a = Hashtbl.find loop_invariants annot.jc_loop_tag in
		    Hashtbl.replace loop_invariants annot.jc_loop_tag
		      (Assertion.mkand [a; infera] ())
		  with Not_found ->
		    Hashtbl.add loop_invariants annot.jc_loop_tag infera
		  end;
		  let inita = initialize_target loopposts target in
		  Some inita
	  in
	  let curposts = { curposts with jc_post_normal = post; } in
	  block_hint curposts

	    (*       | JCEapp call ->  *)
	    (* 	  let curposts = wp_expr weakpre target s curposts in *)
	    (* 	  let vit = new term_var vi in *)
	    (* 	  let copyvi = copyvar vi in *)
	    (* 	  let t1 = new term_var copyvi in *)
	    (* 	  let post = match curposts.jc_post_normal with *)
	    (* 	    | None -> None *)
	    (* 	    | Some a -> Some(replace_term_in_assertion vit t1 a) *)
	    (* 	  in *)
	    (* 	  add_inflexion_var curposts copyvi; *)
	    (* 	  let curposts =  *)
	    (* 	    if is_function_level curposts then curposts *)
	    (* 	    else *)
	    (* 	      (\* Also add regular variable, for other branches in loop. *\) *)
	    (* 	      add_modified_var curposts vi  *)
	    (* 	  in *)
	    (* 	  { curposts with jc_post_normal = post; } *)
      | JCEapp _call ->
(* 	  let curposts = wp e curposts in *)
	  curposts
      | JCEvar _
      | JCEconst _ ->
	  curposts
      | JCEderef(e1,_)
      | JCEunary(_,e1)
      | JCEalloc(e1,_)
      | JCEaddress(_,e1)
      | JCEoffset(_,e1,_)
      | JCEbase_block(e1)
      | JCEreal_cast(e1,_)
      | JCErange_cast(e1,_)
      | JCEbitwise_cast(e1,_)
      | JCEinstanceof(e1,_)
      | JCEcast(e1,_)
      | JCEunpack(_,e1,_)
      | JCEpack(_,e1,_)
      | JCEfree e1 ->
	  wp e1 curposts
      | JCEshift(e1,e2)
      | JCEbinary(e1,_,e2) ->
	  wp e1 (wp e2 curposts)
      | JCEfresh _ -> assert false
      | JCEcontract _ -> assert false (* TODO *)
      | JCEmatch _ -> assert false (* TODO *)
    in
    if e == target.jc_target_expr then
      let inita = initialize_target curposts target in
      assert (curposts.jc_post_normal = None);
      if debug then
	printf "[wp_expr] found target %a@\n%a@." Loc.report_position e#pos
	  Jc_output.assertion inita;
      { curposts with jc_post_normal = Some inita; }
    else curposts

and record_wp_loop_invariants weakpre =
  let loop_invariants = weakpre.jc_weakpre_loop_invariants in
  Hashtbl.iter
    (fun _tag e ->
       let annot = match e#node with
	 | JCEloop(annot,_body) -> annot
	 | _ -> assert false
       in
       begin try
	 let a = Hashtbl.find loop_invariants annot.jc_loop_tag in
	 let a = simplify a in
	   (* 	   nb_conj_atoms_inferred := !nb_conj_atoms_inferred + nb_conj_atoms a; *)
	   (* 	   incr nb_loop_inv; *)
	 printf
	  "%a@[<v 2>Inferring backward loop invariant for function %s:@\n%a@]@."
	   Loc.report_position e#pos
	   weakpre.jc_weakpre_function.jc_fun_info_name
	   Jc_output.assertion a;
	 (* Register loop invariant as such *)
	 let a = reg_annot ~pos:e#pos ~anchor:e#mark a in
	 annot.jc_loop_behaviors <-
	   ([], Some a, None) :: annot.jc_loop_behaviors;
       with Not_found -> () end
    ) weakpre.jc_weakpre_loops

let wp_function targets funpre (f,pos,spec,body) =
  if debug then printf "[wp_function] %s@." f.jc_fun_info_name;
  let weakpre = {
    jc_weakpre_function = f;
    jc_weakpre_loops = Hashtbl.create 3;
    jc_weakpre_loop_invariants = Hashtbl.create 3;
  } in
  let infer_req = ref [] in
  List.iter
    (fun target ->
       if Jc_options.debug then
	 printf "%a@[<v 2>Infer precondition for assertion:@\n%a@]\
@\n@[<v 2>under invariant:@\n%a@\nand:@\n%a@]@."
	   Loc.report_position target.jc_target_location
	   Jc_output.assertion target.jc_target_assertion
	   Jc_output.assertion target.jc_target_regular_invariant
	   Jc_output.assertion target.jc_target_propagated_invariant;
       let initposts = {
	 jc_post_normal = None;
	 jc_post_exceptional = [];
	 jc_post_modified_vars = [];
	 jc_post_inflexion_vars = ref VarSet.empty;
       } in
       let initposts = push_modified_vars initposts in
       let posts = match !Jc_options.annotation_sem with
	 | AnnotNone | AnnotInvariants ->
	     assert false (* [wp_function] should not be called *)
	 | AnnotElimPre ->
	     if target.jc_target_hint then
	       initposts
	     else
	       (* Directly eliminate modified variables *)
	       let vs1 =
		 collect_free_vars target.jc_target_regular_invariant
	       in
	       let vs2 = collect_free_vars target.jc_target_assertion in
	       let vs = VarSet.union vs1 vs2 in
	       let qvs =
		 VarSet.filter
		   (fun v ->
		      (not (v.jc_var_info_static || v.jc_var_info_formal))
		      || v.jc_var_info_assigned
		   ) vs
	       in
	       let curposts = add_modified_vars initposts qvs in
	       let inita = initialize_target curposts target in
	       { curposts with jc_post_normal = Some inita }
	 | AnnotWeakPre | AnnotStrongPre ->
	     (* Compute weakest precondition of formula *)
	     wp_expr weakpre target body initposts
       in
       match finalize_target ~is_function_level:true ~pos
	 ~anchor:f.jc_fun_info_name posts target funpre
       with
	 | None -> () (* precondition inconsistant or redundant *)
	 | Some infera -> (* valid precondition *)
	     infer_req := infera :: !infer_req
    ) targets;
  record_wp_loop_invariants weakpre;
  (* Remove redundancy in precondition inferred *)
  let inferred = simplify (Assertion.mkand !infer_req ()) in
  if Assertion.is_false inferred then () else
    begin
      spec.jc_fun_requires <-
	Assertion.mkand [ spec.jc_fun_requires; inferred ] ();
      printf "@[<v 2>Inferring precondition for function %s:@\n%a@]@."
	f.jc_fun_info_name Jc_output.assertion inferred
    end


(*****************************************************************************)
(* Collecting assertions.                                                    *)
(*****************************************************************************)

let target_of_assertion ?(hint=false) s loc a =
  {
    jc_target_expr = s;
    jc_target_hint = hint;
    jc_target_location = loc;
    jc_target_assertion = a;
    jc_target_regular_invariant = Assertion.mkfalse ();
    jc_target_propagated_invariant = Assertion.mkfalse ();
  }

(* Collect safety assertions from the evaluation of expression [e].
 * Currently, 3 kinds of assertions are collected, that check for:
 * - memory safety
 * - no integer overflows
 * - no division by zero
 *)
let collect_expr_targets e =

  (* Normalization applied on targets to make them more amenable to
     annotation inference. As such, no invariant can be deduced from these
     modified targets, so any heuristic can be applied here to transform
     the target assertions *)
  let normalize_term t =
    Jc_iterators.map_term
      (fun t ->
	 let tnode = match t#node with
	   | JCToffset(off,t',st) ->
	       begin match destruct_pointer t' with
		 | None ->
		     JCToffset(off,t',st)
		 | Some(t1,t2) ->
		     let offt1 =
		       new term_with ~node:(JCToffset(off,t1,st)) t
		     in
		     JCTbinary(offt1,(`Bsub,`Integer),t2)
	       end
	   | JCTapp app as tnode ->
	       if app.jc_app_fun.jc_logic_info_name = "strlen" then
		 let t1 = match app.jc_app_args with
		   | [t1] -> t1
		   | _ -> assert false
		 in
		 match destruct_pointer t1 with
		   | None -> tnode
		   | Some(tptr,offt) ->
		       let app = { app with jc_app_args = [tptr] } in
		       let tapp = new term_with ~node:(JCTapp app) t in
		       JCTbinary(tapp,(`Bsub,`Integer),offt)
	       else tnode
	   | tnode -> tnode
	 in
	 new term_with ~node:tnode t) t
  in
  let normalize_target a =
    let a = Jc_iterators.map_term_in_assertion normalize_term a in
    implicit_cnf a
  in

  (* Collect memory safety assertions. *)
  let collect_memory_access e1 _fi =
    match Jc_effect.term_of_expr e1 with None -> [] | Some t1 ->
      let ptrt, offt = match destruct_pointer t1 with
	| None -> t1, None
	| Some(ptrt,offt) -> ptrt, Some offt
      in
      let offt = match offt with
	| None -> new term ~typ:integer_type (JCTconst(JCCinteger"0"))
	| Some offt -> offt
      in
      let st = pointer_struct ptrt#typ in
      let mint = new term ~typ:integer_type (JCToffset(Offset_min,ptrt,st)) in
      let maxt = new term ~typ:integer_type (JCToffset(Offset_max,ptrt,st)) in
      let mina = new assertion(JCArelation(mint,(`Ble,`Integer),offt)) in
      let maxa = new assertion(JCArelation(offt,(`Ble,`Integer),maxt)) in
      [mina;maxa]
  in
  (* Collect absence of integer overflow assertions. *)
  let collect_integer_overflow ei e1 =
    match Jc_effect.term_of_expr e1 with None -> [] | Some t1 ->
      let mint = new term ~typ:integer_type
	(JCTconst (JCCinteger (Num.string_of_num ei.jc_enum_info_min)))
      in
      let maxt = new term ~typ:integer_type
	(JCTconst(JCCinteger (Num.string_of_num ei.jc_enum_info_max)))
      in
      let mina = new assertion (JCArelation (mint, (`Ble,`Integer), t1)) in
      let maxa = new assertion (JCArelation (t1, (`Ble,`Integer), maxt)) in
      [mina; maxa]
  in
  (* Collect absence of division by zero assertions. *)
  let collect_zero_division e =
    match Jc_effect.term_of_expr e with None -> [] | Some t ->
      let zero = new term ~typ:integer_type (JCTconst(JCCinteger "0")) in
      [new assertion(JCArelation(t,(`Bneq,`Integer),zero))]
  in
  let collect_asserts e =
    let asrts = match e#node with
      | JCEderef(e1,fi) -> collect_memory_access e1 fi
      | JCErange_cast(e1,ei) ->
	  if !Jc_options.int_model = IMbounded then
	    collect_integer_overflow ei e1
	  else []
      | JCEbinary(_,(`Bdiv,`Integer),e2) -> collect_zero_division e2
      | JCEapp call ->
	  let fi = match call.jc_call_fun with
	    | JCfun f -> f
	    | _ -> assert false
	  in
	  let els = call.jc_call_args in
	  let _,_,fs,_ =
            IntHashtblIter.find Jc_typing.functions_table fi.jc_fun_info_tag
          in
          (* Collect preconditions of functions called. *)
          let reqa = fs.jc_fun_requires in
          let reqa =
	    List.fold_left2
	      (fun a (_,param) arg ->
		 match Jc_effect.term_of_expr arg with
		   | None -> Assertion.mktrue ()
		   | Some targ ->
		       replace_term_in_assertion (new term_var param) targ a
	      ) reqa fi.jc_fun_info_parameters els
          in
	  let reqa = regionalize_assertion reqa call.jc_call_region_assoc in
          conjuncts reqa
      | JCEassert(_,Ahint, _a) ->
	  (* Hints are not to be proved by abstract interpretation,
	     only added to help it. *)
	  []
      | JCEassert(_,_, a) ->
	  (* Consider separately each conjunct in a conjunction. *)
	  conjuncts a
      | JCEassign_heap (e1, fi, _e2) ->
	  collect_memory_access e1 fi
      | JCElet(_,None,_) | JCEblock _ | JCEif _ | JCEtry _ | JCEloop _
      | JCEreturn_void | JCEreturn _ | JCEthrow _
      | JCElet _ | JCEassign_var _ | JCEfresh _ 
      | JCEpack _ | JCEunpack _ | JCEshift _ | JCEmatch _ | JCEfree _
      | JCEalloc _ | JCEoffset _ | JCEreal_cast _ | JCEinstanceof _
      | JCEunary _ | JCEvar _ | JCEconst _ | JCEcast _ | JCEbinary _
      | JCEbitwise_cast _ | JCEaddress _ | JCEbase_block _ ->
	  []
      | JCEcontract _ -> assert false (* TODO *)
    in
    let asrts = List.filter (fun a -> not (is_constant_assertion a)) asrts in
    let asrts = List.map normalize_target asrts in
    List.map (target_of_assertion e e#pos) asrts
  in
  let collect_hints e =
    let asrts = match e#node with
      | JCEassert(_,Ahint, a) -> [ a ]
      | _ -> []
    in
    let asrts = List.map normalize_target asrts in
    List.map (target_of_assertion ~hint:true e e#pos) asrts
  in
  let collect e = collect_asserts e @ collect_hints e in
  Jc_iterators.IExpr.fold_left (fun acc e -> collect e @ acc) [] e

let rec collect_targets filter_asrt _targets s =
  let candidates = List.rev (collect_expr_targets s) in
  List.filter (fun target -> filter_asrt target.jc_target_assertion) candidates


let pointer_terms_table = ref (Hashtbl.create 0)

let set_equivalent_terms t1 t2 =
  let tl =
    try
      Hashtbl.find !pointer_terms_table t2#node
    with Not_found -> []
  in
  let tl = List.filter (fun t -> t <> t1) tl in
  Hashtbl.replace !pointer_terms_table t1#node (t2 :: tl)


(*****************************************************************************)
(* Augmenting loop invariants.                                               *)
(*****************************************************************************)

let collect_immediate_targets targets s =
  (* Special version of [fold_expr] different from the one
   * in [Jc_iterators] in that fpost is called after the body expr
   * of the try block.
   *)
  let rec fold_expr fpre fpost acc s =
    let ite = fold_expr fpre fpost in
    let acc = fpre acc s in
    let acc = match s#node with
      | JCEconst _
      | JCEvar _
      | JCEreturn_void ->
	  acc
      | JCEthrow(_exc,e1_opt) ->
	  Option_misc.fold_left ite acc e1_opt
      | JCEbinary(e1,_,e2)
      | JCEshift(e1,e2)
      | JCEassign_heap(e1,_,e2) ->
	  let acc = ite acc e1 in
	  ite acc e2
      | JCEunary(_,e1)
      | JCEderef(e1,_)
      | JCEoffset(_,e1,_)
      | JCEaddress(_,e1)
      | JCEbase_block(e1)
      | JCEcast(e1,_)
      | JCEbitwise_cast(e1,_)
      | JCErange_cast(e1,_)
      | JCEinstanceof(e1,_)
      | JCEreal_cast(e1,_)
      | JCEunpack(_,e1,_)
      | JCEpack(_,e1,_)
      | JCEassign_var(_,e1)
      | JCEalloc(e1,_)
      | JCEfree e1
      | JCEfresh e1
      | JCEreturn(_,e1) ->
	  ite acc e1
      | JCElet(_,e1_opt,e2) ->
	  let acc = Option_misc.fold_left ite acc e1_opt in
	  ite acc e2
      | JCEapp call ->
	  List.fold_left ite acc call.jc_call_args
      | JCEif(e1,e2,e3) ->
	  let acc = ite acc e1 in
	  let acc = ite acc e2 in
	  ite acc e3
      | JCEmatch(e, ptl) ->
	  let acc = ite acc e in
	  List.fold_left (fun acc (_, e) -> ite acc e) acc ptl
      | JCEblock el ->
	  List.fold_left ite acc el
      | JCEtry(e1,catches,finally) ->
	  let acc = ite acc e1 in
	  let acc =
	    List.fold_left (fun acc (_exc,_vi_opt,e) -> ite acc e) acc catches
	  in
	  ite acc finally
      | JCEassert(_behav,_asrt,_a) ->
	  acc
      | JCEloop(_la,e1) ->
	  ite acc e1
      | JCEcontract(_a_opt,_t_opt,_v,_behavs,e) ->
	  ite acc e
    in
    fpost acc s
  in

  (* First checks at start of function should be selected *)
  let in_select_zone = ref true in

  let select_pre acc s =
    match s#node with
      | JCEassert(_behav,Ahint,a) ->
  	  if debug then printf "[select_pre] consider target@.";
  	  if debug then printf "[select_pre] in zone ? %b@." !in_select_zone;
  	  if !in_select_zone then
	    let al =
	      List.filter (fun a -> not (is_constant_assertion a)) (conjuncts a)
	    in
  	    let targets = List.map (target_of_assertion s s#pos) al in
  	    if debug then printf "[select_pre] adding in_zone target@.";
  	    targets@acc
  	  else acc
      | JCEloop _ ->
  	  if debug then printf "[select_pre] in_zone true@.";
  	  in_select_zone := true; acc
      | JCEassert _ | JCEshift _ |JCEcontract _ | JCEfree _ | JCEalloc _
      | JCEaddress _ | JCEoffset _ | JCEreal_cast _ | JCErange_cast _
      | JCEbitwise_cast _ | JCEcast _ | JCEinstanceof _ | JCEunary _
      | JCEbinary _ | JCEderef _ | JCEvar _ |JCEconst _
      | JCElet _ | JCEblock _ | JCEassign_var _
      | JCEassign_heap _ | JCEpack _ | JCEunpack _ | JCEtry _
      | JCEfresh _ 
      | JCEbase_block _ ->
          (* Allowed with [JCEtry] thanks to patched [fold_expr]. *)
  	  acc
      | JCEapp _ | JCEif _ | JCEreturn _ | JCEthrow _
      | JCEreturn_void | JCEmatch _ ->
  	  if debug then printf "[select_pre] in_zone false@.";
  	  in_select_zone := false; acc
  in

  let select_post acc s =
    match s#node with
      | JCEloop _ ->
  	  if debug then printf "[select_post] in_zone false@.";
  	  in_select_zone := false; acc
      | _ -> acc
  in
  fold_expr select_pre select_post targets s

let rec backprop_expr target s curpost =
  if debug then
    printf "[backprop_expr] %a@." Loc.report_position s#pos;
  let curpost = match s#node with
    | JCElet(vi,eo,s) ->
	let curpost = backprop_expr target s curpost in
	begin match curpost with None -> None | Some a ->
	  match eo with None -> Some a | Some e ->
	    match Jc_effect.term_of_expr e with None -> Some a | Some t2 ->
	      let t1 = new term_var vi in
	      Some(replace_term_in_assertion t1 t2 a)
	end
    | JCEassign_var(vi,e) ->
	begin match curpost with None -> None | Some a ->
	  match Jc_effect.term_of_expr e with None -> Some a | Some t2 ->
	    let t1 = new term_var vi in
	    Some(replace_term_in_assertion t1 t2 a)
	end
    | JCEblock sl ->
	List.fold_right (backprop_expr target) sl curpost
    | JCEreturn_void | JCEreturn _ | JCEthrow _ ->
	assert (curpost = None); curpost
    | JCEtry(s,hl,fs) ->
	assert (curpost = None);
	let curpost = backprop_expr target fs None in
	assert (curpost = None);
        List.iter (fun (_,_,s) ->
  		     let curpost = backprop_expr target s None in
		     assert (curpost = None);
		  ) hl;
	backprop_expr target s None
    | JCEloop(la,ls) ->
	let curpost = backprop_expr target ls curpost in
	begin
          match curpost with None -> () | Some propa ->
	    let inva =
	      Assertion.mkand
		(List.fold_left
		   (fun acc (_,inv,_) ->
		      match inv with
			| None -> acc
			| Some a -> a :: acc)
		   [] la.jc_loop_behaviors)
		()
	    in
	    if not (contradictory propa inva) then
              begin
                if Jc_options.debug then
                  printf
	            "%a@[<v 2>Back-propagating loop invariant@\n%a@]@."
                    Loc.report_position s#pos
                    Jc_output.assertion propa;
	        la.jc_loop_behaviors <-
		  ([],Some propa, None) :: la.jc_loop_behaviors
              end
	end;
	None
	  (*     | JCEcall(_,_,s) -> *)
	  (* 	assert (curpost = None); *)
	  (* 	let curpost = backprop_expr target s None in *)
	  (* 	assert (curpost = None); curpost *)
    | JCEif(_,ts,fs) ->
	assert (curpost = None);
	let curpost = backprop_expr target ts None in
	assert (curpost = None);
	let curpost = backprop_expr target fs None in
	assert (curpost = None); None
    | JCEassign_heap _ | JCEassert _ | JCEpack _ | JCEunpack _
    | JCEshift _ |JCEcontract _ | JCEfree _ | JCEalloc _
    | JCEaddress _ | JCEoffset _ | JCEreal_cast _ | JCErange_cast _
    | JCEbitwise_cast _ | JCEcast _ | JCEinstanceof _ | JCEunary _
    | JCEfresh _ 
    | JCEbinary _ | JCEderef _ | JCEvar _ |JCEconst _ | JCEbase_block _ ->
	curpost
    | JCEmatch _ | JCEapp _ ->
	assert (curpost = None);
	curpost
  in
  if s == target.jc_target_expr then
    begin
      assert (curpost = None);
      Some target.jc_target_assertion
    end
  else curpost

let backprop_function targets (_fi,_fs,sl) =
  if debug then printf "[backprop_function]@.";
  List.iter (fun target ->
	       ignore(backprop_expr target sl None)
	    ) targets


(*****************************************************************************)
(* Performing abstract interpretation.                                       *)
(*****************************************************************************)

let apply_to_current_invariant ?(propagated=false) f curinvs =
  let normal = curinvs.jc_absinv_normal in
  let prop = normal.jc_absval_propagated in
  (* Always apply transformation to propagated invariant *)
  let curinvs =
    { curinvs with jc_absinv_normal =
	{ normal with jc_absval_propagated = f prop } }
  in
  (* Selectively apply transformation to regular invariant *)
  if propagated then curinvs else
    let normal = curinvs.jc_absinv_normal in
    let pre = normal.jc_absval_regular in
    { curinvs with jc_absinv_normal =
	{ normal with jc_absval_regular = f pre } }

let simple_test_assertion mgr a pre =
  let env = Abstract1.env pre in
  let rec extract_environment_and_dnf env a =
    match a#node with
      | JCAtrue -> env,Dnf.true_
      | JCAfalse -> env,Dnf.false_
      | _ when is_constant_assertion a ->
	  (* 'constant' assertions (eg: 0 <= 1) do not have to be tested
	     (Nicolas) *)
	  env,Dnf.true_
      | JCArelation (t1, (`Bneq,`Integer), t2) ->
	  let infa = new assertion (JCArelation(t1, (`Blt,`Integer), t2)) in
	  let supa = new assertion (JCArelation(t1, (`Bgt,`Integer), t2)) in
	  let env, dnf1 = extract_environment_and_dnf env infa in
	  let env, dnf2 = extract_environment_and_dnf env supa in
	  env, Dnf.make_or [dnf1; dnf2]
      | JCArelation (t1, bop, t2) ->
	  if bop = (`Beq,`Pointer) then set_equivalent_terms t1 t2;
	  let env, dnf = linstr_of_assertion env a in
	  if debug then
	    Format.printf "Dnf %a@." Dnf.print dnf;
	  env, dnf
      | JCAand al ->
	  List.fold_left
	    (fun (env,dnf1) a ->
	       let env,dnf2 = extract_environment_and_dnf env a in
	       env,Dnf.make_and [dnf1;dnf2]
	    ) (env,Dnf.true_) al
      | JCAor al ->
	  List.fold_left
	    (fun (env,dnf1) a ->
	       let env,dnf2 = extract_environment_and_dnf env a in
	       env,Dnf.make_or [dnf1;dnf2]
	    ) (env,Dnf.false_) al
      | JCAnot a ->
	  let nota = not_asrt a in
	  begin match nota#node with
	    | JCAnot _ -> env, Dnf.true_
	    | _ -> extract_environment_and_dnf env nota
	  end
      | JCAapp app ->
	  begin match unfolding_of_app app with
	    | Some a -> extract_environment_and_dnf env a
	    | None -> env, Dnf.true_
	  end
      | JCAimplies _ | JCAiff _
      | JCAquantifier _ | JCAold _ | JCAat _ | JCAinstanceof _ | JCAbool_term _
      | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAsubtype _ | JCAmatch _
      | JCAlet _ | JCAfresh _ -> env,Dnf.true_
  in
  let env, dnf = extract_environment_and_dnf env a in
  let pre = Abstract1.change_environment mgr pre env false in
  Dnf.test mgr pre dnf

let test_expr ~(neg:bool) mgr e pre =
  match asrt_of_expr e with None -> pre | Some a ->
    let a = if neg then not_asrt a else a in
    simple_test_assertion mgr a pre

(* Assigns expression [e] to abstract variable [va] in abstract value [pre]. *)
let assign_integer_variable mgr t e pre =
  let va = Vai.integer_variable t in
  let env0 = Abstract1.env pre in
  let env =
    if Environment.mem_var env0 va then env0
    else Environment.add env0 [|va|] [||]
  in
  match linstr_of_expr env e with
    | Some (env, str) ->
	if debug then printf "[assign_variable] str %s@." str;
	(* Assignment can be treated precisely. *)
	let lin =
	  try Parser.linexpr1_of_string env str
	  with Parser.Error msg -> printf "%s@." msg; assert false
	in
	let pre = Abstract1.change_environment mgr pre env false in
	Abstract1.assign_linexpr mgr pre va lin None
    | None ->
	if debug then printf "[assign_variable] no str@.";
	(* Try over-approximate treatment of assignment. *)
	let pre =
	  if Environment.mem_var env0 va then
	    Abstract1.forget_array mgr pre [|va|] false
	  else pre
	in
	match Jc_effect.term_of_expr e with
	  | Some te ->
	      (* Assignment treated as an equality test. *)
	      let t = Vai.term va in
	      let a = new assertion(JCArelation(t,(`Beq,`Integer),te)) in
	      simple_test_assertion mgr a pre
	  | None ->
	      (* Assignment treated as a forget operation. *)
	      pre

let assign_offset_variable mgr va ok e pre =
  let env0 = Abstract1.env pre in
  let env =
    if Environment.mem_var env0 va then env0
    else Environment.add env0 [|va|] [||]
  in
  let forget_vars = [] in
  let forget_vars = Array.of_list forget_vars in
  let pre = Abstract1.forget_array mgr pre forget_vars false in
  match offset_linstr_of_expr env ok e with
    | Some(env,str) ->
	(* Assignment can be treated precisely. *)
	let lin =
	  try Parser.linexpr1_of_string env str
	  with Parser.Error msg -> printf "%s@." msg; assert false
	in
	let pre = Abstract1.change_environment mgr pre env false in
	Abstract1.assign_linexpr mgr pre va lin None
    | None ->
	(* Assignment treated as a forget operation. *)
	if Environment.mem_var env0 va then
	  Abstract1.forget_array mgr pre [|va|] false
	else pre

let assign_pointer_variables mgr t e pre =
  let vmin = Vai.offset_min_variable t in
  let vmax = Vai.offset_max_variable t in
  let pre = assign_offset_variable mgr vmin Offset_min_kind e pre in
  assign_offset_variable mgr vmax Offset_max_kind e pre

let assign_expr mgr t e pre =
  (* Choice: terms that depend on the term assigned to are removed from
     the abstract value -before- treating the assignment. *)
  let env = Abstract1.env pre in
  let integer_vars = Array.to_list (fst (Environment.vars env)) in
  let forget_vars = List.filter
    (fun va' ->
       let t' = Vai.term va' in
       (not (TermOrd.equal t t'))
       && term_syntactic_dependence ~of_term:t' ~on_term:t
    ) integer_vars
  in
  let forget_vars = Array.of_list forget_vars in
  let pre = Abstract1.forget_array mgr pre forget_vars false in
  (* Propagate knowledge on abstract variables on the rhs of the assignment
     to equivalent abstract variables on the lhs. *)
  let pre = match Jc_effect.term_of_expr e with
    | None -> pre
    | Some te ->
	let constr_vars = List.filter
	  (fun va ->
	     not (Abstract1.is_variable_unconstrained mgr pre va)
	  ) integer_vars
	in
	List.fold_left
	  (fun pre va' ->
	     let t' = Vai.term va' in
	     if raw_strict_sub_term te t' then
	       let lhst =
		 replace_term_in_term ~source:te ~target:t t'
	       in
	       let a = new assertion (JCArelation (lhst, (`Beq,`Integer), t')) in
	       simple_test_assertion mgr a pre
	     else pre
	  ) pre constr_vars
  in
  (* special case: t1 : pointer = t2 : pointer *)
(*   begin *)
(*     try  *)
(*       let t1 = t in *)
(*       let t2 = Jc_effect.term_of_expr e in *)
(*       match t1#typ, t2#typ with *)
(* 	| JCTpointer _, JCTpointer _ ->  *)
(* 	    set_equivalent_terms t1 t2 *)
(* 	| _ -> () *)
(*     with _ -> ()  *)
(*   end; *)
  (* Assign abstract variables. *)
  let pre =
    if is_integral_type t#typ then
      assign_integer_variable mgr t e pre
    else if is_pointer_type t#typ then
      assign_pointer_variables mgr t e pre
    else pre
  in pre

let assign_heap mgr e1 fi pre =
  if debug then
    printf "[assign_heap]%a@." Region.print e1#region;
  if !Jc_options.separation_sem = SepRegions then
    assert (not (is_dummy_region e1#region));
  let env = Abstract1.env pre in
  let integer_vars = Array.to_list (fst (Environment.vars env)) in

  let mc,_ufi_opt = Jc_effect.deref_mem_class ~type_safe:true e1 fi in
  let mem = mc, e1#region in

  let forget_vars = List.filter
    (fun va ->
       let t = Vai.term va in
(*        let is_deref_field t = match t#node with *)
(* 	 | JCTderef(_,_,fi') -> FieldOrd.equal fi fi' *)
(* 	 | _ -> false *)
(*        in *)
(*        let rec has_memory acc t = *)
(* 	 if acc ||  *)
(* 	   (is_deref_field t && *)
(* 	      (not (!Jc_options.separation_sem = SepRegions) *)
(* 	       || Region.equal t#region r)) then *)
(* 	     (\* cont = *\)false,(\* acc = *\)true *)
(* 	 else *)
(* 	   match t#node with *)
(* 	     | JCToffset(_,t',_) -> false,has_sub_memory acc t' *)
(* 	     | _ -> true,acc *)
(*        and has_sub_memory acc t = *)
(* 	 fold_sub_term fold_rec_term has_memory acc t *)
(*        in *)
(*        let res = fold_rec_term has_memory false t in *)
       let ef = Jc_effect.term empty_effects t in
       let res = Jc_effect.has_memory_effect ef mem in
       if debug then
	 printf "[assign_heap]%a:%b@." Var.print va res;
       res
    ) integer_vars
  in
  let forget_vars = Array.of_list forget_vars in
  Abstract1.forget_array mgr pre forget_vars false

let test_assertion ?propagated mgr a curinvs =
  apply_to_current_invariant ?propagated (simple_test_assertion mgr a) curinvs

let test_expr ~(neg:bool) mgr e curinvs =
  apply_to_current_invariant (test_expr ~neg mgr e) curinvs

let assign_integer_variable mgr t e curinvs =
  apply_to_current_invariant (assign_integer_variable mgr t e) curinvs

let assign_pointer_variables mgr t e curinvs =
  apply_to_current_invariant (assign_pointer_variables mgr t e) curinvs

let assign_expr mgr t e curinvs =
  apply_to_current_invariant (assign_expr mgr t e) curinvs

let assign_heap mgr e1 fi _topt curinvs =
  apply_to_current_invariant (assign_heap mgr e1 fi) curinvs

let keep_extern mgr fi post =
  let integer_vars =
    Array.to_list (fst (Environment.vars (Abstract1.env post)))
  in
  let to_duplicate t =
    Jc_iterators.fold_term
      (fun (acc1, acc2) t -> try
	 let tl = Hashtbl.find !pointer_terms_table t#node in
	 t :: acc1, tl :: acc2
       with Not_found -> acc1, acc2)
      ([], []) t
  in
  let integer_vars, strl =
    List.fold_left
      (fun (acc1, acc2) va ->
	 try
	   let t = Vai.term va in
	   let tl1, tl2 = to_duplicate t in
	   let tl = List.fold_left2
	     (fun acc t1 tl ->
		if t1 == t then acc else
		  (List.map (fun t2 -> replace_term_in_term t1 t2 t) tl) @ acc)
	     [] tl1 tl2
	   in
	   let vars = List.map Vai.integer_variable tl in
	   let vars = List.filter (fun va -> not (List.mem va acc1)) vars in
	   let vars = List.fold_left
	     (fun acc va -> if (List.mem va acc) then acc else va :: acc)
	     [] vars
	   in
	   let strl = List.map
	     (fun v -> (Var.to_string v) ^ "=" ^ (Var.to_string va))
	     vars
	   in
	   vars @ acc1, strl @ acc2
	 with Not_found -> acc1, acc2)
      (integer_vars, []) integer_vars
  in
  let env = try Environment.make (Array.of_list integer_vars) [||]
  with Failure msg -> printf "%s@." msg; assert false in
  let post = Abstract1.change_environment mgr post env false in
  let lincons = Parser.lincons1_of_lstring env strl in
  let post = meet mgr post (Abstract1.of_lincons_array mgr env lincons) in
  let term_has_local_var t =
    Jc_iterators.fold_term
      (fun acc t -> match t#node with
	 | JCTvar vi ->
	     acc || (not vi.jc_var_info_static  &&
		       not (vi == fi.jc_fun_info_result) &&
		       not (List.exists (fun (_,v) -> vi == v) fi.jc_fun_info_parameters))
	 | _ -> acc
      ) false t
  in
  let extern_vars =
    List.filter (fun va ->
		   let t = Vai.term va in not (term_has_local_var t)
		) integer_vars
  in
  let extern_vars = Array.of_list extern_vars in
  let extern_env = Environment.make extern_vars [||] in
  Abstract1.change_environment mgr post extern_env false

let find_target_assertions targets e =
  List.fold_left
    (fun acc target ->
       if target.jc_target_expr == e then target :: acc else acc
    ) [] targets

let return_abstract_value mgr postret e absval1 =
  let key = e in
  try
    let absval2 = Hashtbl.find postret key in
    let absval = join_abstract_value mgr absval2 absval1 in
    Hashtbl.replace postret key absval
  with Not_found ->
    Hashtbl.replace postret key absval1

let rec ai_inter_function_call _mgr _iai _abs _pre _fi _loc _fs _sl _el =
  assert false
    (*   let pre,formal_vars = *)
    (*     List.fold_left2 *)
    (*       (fun (pre,acc) vi e -> *)
    (* 	 let t = new term_var vi in *)
    (* 	 let pre,acc = if Vai.has_variable t then *)
    (* 	   let va = Vai.variable t in *)
    (* 	   assign_variable mgr va e pre, *)
    (* 	   va :: acc else pre,acc  *)
    (* 	 in *)
    (* 	 let pre,acc = if Vai.has_offset_min_variable t then *)
    (* 	   let va = Vai.offset_min_variable t in *)
    (* 	     assign_offset_variable mgr va Offset_min_kind e pre, *)
    (* 	     va :: acc else pre,acc  *)
    (* 	 in *)
    (* 	 let pre,acc = if Vai.has_offset_max_variable t then *)
    (* 	   let va = Vai.offset_max_variable t in *)
    (* 	     assign_offset_variable mgr va Offset_max_kind e pre, *)
    (* 	   va :: acc else pre,acc  *)
    (* 	 in *)
    (*          pre,acc) *)
    (*       (pre,[]) fi.jc_fun_info_parameters el *)
    (*   in *)
    (*   let formal_vars = List.filter (fun v -> not (Environment.mem_var (Abstract1.env pre) v)) formal_vars in *)
    (*   let formal_vars = Array.of_list formal_vars in *)
    (*   let env = try Environment.add (Abstract1.env pre) formal_vars [||] with _ -> assert false in *)
    (*   let pre = keep_extern mgr fi pre in *)
    (*   let pre = try Abstract1.change_environment mgr pre env false with _ -> assert false in *)
    (*   let function_pre =  *)
    (*     try Hashtbl.find iai.jc_interai_function_preconditions fi.jc_fun_info_tag  *)
    (*     with Not_found -> Abstract1.bottom mgr (Abstract1.env pre)  *)
    (*   in *)
    (*     begin *)
    (*       let old_pre = Abstract1.copy mgr function_pre in *)
    (*       let function_pre, fixpoint_reached =  *)
    (* 	if fi.jc_fun_info_is_recursive then *)
    (* 	  let num =  *)
    (* 	    try Hashtbl.find iai.jc_interai_function_nb_iterations fi.jc_fun_info_tag *)
    (* 	    with Not_found -> 0 *)
    (* 	  in *)
    (* 	    Hashtbl.replace iai.jc_interai_function_nb_iterations fi.jc_fun_info_tag  *)
    (* 	      (num + 1); *)
    (* 	    if num < abs.jc_absint_widening_threshold then *)
    (* 	      begin *)
    (* 		let function_pre = join mgr function_pre pre in *)
    (* 		if num = 0 then  *)
    (* 		  Hashtbl.replace iai.jc_interai_function_init_pre  *)
    (* 		    fi.jc_fun_info_tag function_pre; *)
    (* 		function_pre, false *)
    (* 	      end *)
    (* 	    else *)
    (* 	      begin *)
    (* 		let copy_pre = Abstract1.copy mgr pre in *)
    (* 		let function_pre = widening mgr function_pre copy_pre in *)
    (* 		  if is_eq mgr old_pre function_pre then *)
    (* 		    begin *)
    (* 		      let init_pre =  *)
    (* 			Hashtbl.find iai.jc_interai_function_init_pre fi.jc_fun_info_tag in *)
    (* 		      let function_pre = join mgr function_pre init_pre in *)
    (* 			(\* Hashtbl.replace iai.jc_interai_function_preconditions fi.jc_fun_info_tag function_pre;*\) *)
    (* 			function_pre, true *)
    (* 		    end *)
    (* 		  else *)
    (* 		      function_pre, false *)
    (* 	      end *)
    (* 	else *)
    (* 	  begin *)
    (* 	    let function_pre = join mgr function_pre pre in *)
    (* 	    function_pre, false; *)
    (* 	  end *)
    (*       in *)
    (*       let pre_has_changed = not (is_eq mgr old_pre function_pre) in *)
    (* 	if pre_has_changed then *)
    (* 	  Hashtbl.replace iai.jc_interai_function_preconditions fi.jc_fun_info_tag function_pre; *)
    (* 	let inspected = List.mem fi.jc_fun_info_tag !inspected_functions in *)
    (* 	  if not inspected || pre_has_changed then *)
    (* 	    ai_function mgr (Some iai) [] (fi, loc, fs, sl); *)
    (*     end *)

(* External function to call to perform abstract interpretation [abs]
 * on expr [e], starting from invariants [curinvs].
 * It sets the initial value of invariants before treating a loop.
 *)
and ai_expr iaio abs curinvs e =
(*   if debug then *)
(*     printf "[ai_expr] %a on %a@." print_abstract_invariants curinvs *)
(*       Jc_output.expr e; *)
  let loops = abs.jc_absint_loops in
  let loop_initial_invariants = abs.jc_absint_loop_initial_invariants in
  let loop_invariants = abs.jc_absint_loop_invariants in
  let loop_iterations = abs.jc_absint_loop_iterations in
  match e#node with
    | JCEloop(annot,_body) ->
	(* Reinitialize the loop iteration count and the loop invariant.
	 * This is useful to get precise results for inner loops.
	 * Comment those lines to gain in scaling, at the cost of precision.
	 *)
	Hashtbl.replace loops annot.jc_loop_tag e;
	Hashtbl.replace loop_iterations annot.jc_loop_tag 0;
	Hashtbl.remove loop_invariants annot.jc_loop_tag;
	(* Set the initial value of invariants when entering the loop from
	 * the outside.
	 *)
	Hashtbl.replace loop_initial_invariants annot.jc_loop_tag curinvs;
	intern_ai_expr iaio abs curinvs e
    | _ -> intern_ai_expr iaio abs curinvs e

(* Internal function called when computing a fixpoint for a loop. It does not
 * modify the initial value of invariants for the loop considered, so that
 * narrowing is possible.
 *)
and intern_ai_expr iaio abs curinvs e =
  let mgr = abs.jc_absint_manager in
  let ai = ai_expr iaio abs in

  (* Define common shortcuts. *)
  let normal = curinvs.jc_absinv_normal in
  let pre = normal.jc_absval_regular in
  let prop = normal.jc_absval_propagated in
  let postexcl = curinvs.jc_absinv_exceptional in
  let postret = curinvs.jc_absinv_return in

  (* Record invariant at assertion points. *)
  let targets = find_target_assertions abs.jc_absint_target_assertions e in
  List.iter
    (fun target ->
       target.jc_target_regular_invariant <- mkinvariant mgr pre;
       target.jc_target_propagated_invariant <- mkinvariant mgr prop
    ) targets;

  (* Apply appropriate transition function. *)
  let curinvs = match e#node with
    | JCElet(_v,None,e1) ->
	ai curinvs e1
    | JCElet(v,Some e1,e2) when Expr.is_app e1 ->
	let curinvs = ai_call iaio abs curinvs (Some v) e1 in
	ai curinvs e2
    | JCElet(v,Some e1,e2) ->
	let tv = new term_var v in
	let curinvs = match e1#node with
	  | JCEapp _call ->
	      ai_call iaio abs curinvs (Some v) e1
	  | _ ->
	      (* TODO: precise case of allocation *)
	      let curinvs = ai curinvs e1 in
	      assign_expr mgr tv e1 curinvs
	in
	let curinvs = ai curinvs e2 in
        (* To keep information on variable [v], declaration should be
	   turned into assignment before analysis. *)
        forget_invariants mgr curinvs (Vai.all_variables tv)
    | JCEassign_var(v,e1) ->
	let tv = new term_var v in
	let curinvs = match e1#node with
	  | JCEapp _call ->
	      ai_call iaio abs curinvs (Some v) e1
	  | _ ->
	      (* TODO: precise case of allocation *)
	      let curinvs = ai curinvs e1 in
	      assign_expr mgr tv e1 curinvs
	in
	curinvs
    | JCEassign_heap(e1,fi,e2) ->
	let curinvs = ai curinvs e1 in
	let curinvs = ai curinvs e2 in
	begin match Jc_effect.term_of_expr e1 with
	  | None -> assign_heap mgr e1 fi None curinvs
	  | Some t1 ->
	      let dereft =
		new term ~typ:fi.jc_field_info_type (JCTderef(t1,LabelHere,fi))
	      in
	      let curinvs =
		assign_heap mgr e1 fi (Some dereft) curinvs
	      in
	      assign_expr mgr dereft e2 curinvs
	end
    | JCEassert(_behav,Ahint,a) ->
	test_assertion ~propagated:true mgr a curinvs
    | JCEassert(_behav,_asrt,a) ->
	test_assertion mgr a curinvs
    | JCEblock sl ->
	List.fold_left ai curinvs sl
    | JCEif(e1,etrue,efalse) ->
	let curinvs = ai curinvs e1 in
	(* Treat "then" branch. *)
	let trueinvs = test_expr ~neg:false mgr e1 curinvs in
	let trueinvs = ai trueinvs etrue in
	(* Treat "else" branch. *)
	let falseinvs = test_expr ~neg:true mgr e1 curinvs in
	let falseinvs = ai falseinvs efalse in
	(* Join both branches. *)
	join_invariants mgr trueinvs falseinvs
    | JCEreturn_void ->
	(* For CIL, rather store return value before merge *)
	if not abs.jc_absint_function.jc_fun_info_has_return_label then
	  return_abstract_value mgr postret e normal;
	{ curinvs with jc_absinv_normal = empty_abstract_value mgr normal }
    | JCEreturn(_ty,e1) ->
	let result = abs.jc_absint_function.jc_fun_info_result in
	let resultt = new term_var result in
	let apply_return curinvs =
	  let curinvs = ai curinvs e1 in
	  assign_expr mgr resultt e1 curinvs
	in
	Hashtbl.iter
	  (fun e absval ->
	     let curinvs = { curinvs with jc_absinv_normal = absval } in
	     let curinvs = apply_return curinvs in
	     Hashtbl.replace postret e curinvs.jc_absinv_normal
	  ) postret;
	let curinvs = apply_return curinvs in
	let normal = curinvs.jc_absinv_normal in
	(* For CIL, rather store return value before merge *)
	if not abs.jc_absint_function.jc_fun_info_has_return_label then
	  return_abstract_value mgr postret e normal;
	{ curinvs with jc_absinv_normal = empty_abstract_value mgr normal }
    | JCEthrow(ei,e1opt) ->
	let curinvs = match e1opt with
	  | None -> curinvs
	  | Some e1 -> ai curinvs e1
	in
	if ei.jc_exception_info_name = Jc_norm.return_label#name then
	  let normal = curinvs.jc_absinv_normal in
	  return_abstract_value mgr postret e normal;
	  { curinvs with jc_absinv_normal = empty_abstract_value mgr normal }
	else
	  (* TODO: add thrown value as abstract variable. *)
	  let thrown =
	    try join_abstract_value mgr normal (List.assoc ei postexcl)
	    with Not_found -> normal
	  in
	  let postexcl = (ei,thrown) :: (List.remove_assoc ei postexcl) in
	  let curinvs = { curinvs with jc_absinv_exceptional = postexcl } in
	  { curinvs with jc_absinv_normal = empty_abstract_value mgr normal }
    | JCEtry(body,handlers,finally) ->
	let curinvs = ai curinvs body in
	let postexcl = curinvs.jc_absinv_exceptional in
	(* Filter out exceptions present in [handlers]. *)
	let curpostexcl =
	  List.filter
	    (fun (ei,_invs) ->
	       not (List.exists
		      (fun (ej,_vopt,_e) ->
			 ei.jc_exception_info_tag = ej.jc_exception_info_tag
		      ) handlers)
	    ) postexcl
	in
	let curinvs = { curinvs with jc_absinv_exceptional  = curpostexcl } in
	(* Consider each handler in turn. *)
	let curinvs = List.fold_left
	  (fun curinvs (ei,_vopt,ehandler) ->
	     try
	       let postexc = List.assoc ei postexcl in
	       let excinvs = {
		 jc_absinv_normal = postexc;
		 jc_absinv_exceptional = [];
		 jc_absinv_return = postret;
	       } in
	       let excinvs = ai excinvs ehandler in
	       join_invariants mgr curinvs excinvs
	     with Not_found -> curinvs
	  ) curinvs handlers
	in
	begin match finally#node with
	  | JCEblock []
	  | JCEconst JCCvoid -> curinvs
	  | JCEblock [e1] when e1#node = JCEblock [] -> curinvs
	  | JCEblock [e1] when e1#node = JCEconst JCCvoid -> curinvs
	  | _ -> assert false (* TODO: apply finally stmt to all paths. *)
	end
    | JCEloop(annot,body) ->
	let loop_invariants = abs.jc_absint_loop_invariants in
	let loop_initial_invariants = abs.jc_absint_loop_initial_invariants in
	let loop_iterations = abs.jc_absint_loop_iterations in
	let num =
	  try Hashtbl.find loop_iterations annot.jc_loop_tag
	  with Not_found -> 0
	in
	Hashtbl.replace loop_iterations annot.jc_loop_tag (num + 1);

	if num < abs.jc_absint_widening_threshold then
	  (* Perform one step of propagation through the loop body. *)
	  let nextinvs = ai curinvs body in
	  let curinvs = join_invariants mgr curinvs nextinvs in
	  (* Perform fixpoint computation on the loop. *)
	  intern_ai_expr iaio abs curinvs e
	else
	  begin try
	    let loopinvs = Hashtbl.find loop_invariants annot.jc_loop_tag in
	    let wideninvs = widen_invariants mgr loopinvs curinvs in
	    if eq_invariants mgr loopinvs wideninvs then
	      begin
		(* Fixpoint reached through widening. Perform narrowing now. *)
		let initinvs =
		  Hashtbl.find loop_initial_invariants annot.jc_loop_tag
		in
		let wideninvs =
		  { wideninvs with jc_absinv_exceptional = [] }
		in
		(* TODO: be more precise on return too. *)
		let wideninvs = ai wideninvs body in
		let wideninvs = join_invariants mgr wideninvs initinvs in
		Hashtbl.replace loop_invariants annot.jc_loop_tag wideninvs;
		let wideninvs =
		  { wideninvs with jc_absinv_exceptional =
		      initinvs.jc_absinv_exceptional }
		in
		let wideninvs = ai wideninvs body in
		(* This is an infinite loop, whose only exit is through
		   return or throwing exceptions. *)
		let curinvs =
		  { curinvs with jc_absinv_normal =
		      empty_abstract_value mgr normal }
		in
		{ curinvs with
		    jc_absinv_exceptional = wideninvs.jc_absinv_exceptional }
	      end
	    else
	      begin
		Hashtbl.replace
		  loop_invariants annot.jc_loop_tag wideninvs;
		(* Perform one step of propagation through the loop body. *)
		let wideninvs = ai wideninvs body in
		(* Perform fixpoint computation on the loop. *)
		let wideninvs = intern_ai_expr iaio abs wideninvs e in
		(* Propagate changes to [curinvs]. *)
		let curinvs =
		  { curinvs with jc_absinv_normal =
		      empty_abstract_value mgr normal }
		in
		let normal =
		  join_abstract_value mgr normal wideninvs.jc_absinv_normal
		in
		{ curinvs with
		    jc_absinv_normal = normal;
		    jc_absinv_exceptional = wideninvs.jc_absinv_exceptional }
	      end
	  with Not_found ->
	    Hashtbl.replace
	      loop_invariants annot.jc_loop_tag curinvs;
	    (* Perform one step of propagation through the loop body. *)
	    let curinvs = ai curinvs body in
	    (* Perform fixpoint computation on the loop. *)
	    intern_ai_expr iaio abs curinvs e
	  end
    | JCEapp _call ->
	ai_call iaio abs curinvs None e
    | JCEconst _
    | JCEvar _ ->
	curinvs
    | JCEunary(_,e1)
    | JCEderef(e1,_)
    | JCEoffset(_,e1,_)
    | JCEaddress(_,e1)
    | JCEbase_block(e1)
    | JCEcast(e1,_)
    | JCEbitwise_cast(e1,_)
    | JCErange_cast(e1,_)
    | JCEinstanceof(e1,_)
    | JCEreal_cast(e1,_)
    | JCEunpack(_,e1,_)
    | JCEpack(_,e1,_)
    | JCEalloc(e1,_)
    | JCEfresh e1
    | JCEfree e1 ->
	ai curinvs e1
    | JCEbinary(e1,_,e2)
    | JCEshift(e1,e2) ->
	ai (ai curinvs e1) e2
    | JCEcontract _ -> assert false (* TODO *)
    | JCEmatch _ -> assert false (* TODO *)
  in

  (* Propagate assertions. *)
  List.fold_left
    (fun curinvs target ->
       test_assertion ~propagated:true mgr target.jc_target_assertion curinvs
    ) curinvs targets


and ai_call iaio abs curinvs vio e =
  let mgr = abs.jc_absint_manager in

  (* Define common shortcuts. *)
  let normal = curinvs.jc_absinv_normal in
  let pre = normal.jc_absval_regular in
  let prop = normal.jc_absval_propagated in

  (* Record invariant at assertion points. *)
  let targets = find_target_assertions abs.jc_absint_target_assertions e in
  List.iter
    (fun target ->
       target.jc_target_regular_invariant <- mkinvariant mgr pre;
       target.jc_target_propagated_invariant <- mkinvariant mgr prop
    ) targets;

  let call = match e#node with JCEapp call -> call | _ -> assert false in
  let f = match call.jc_call_fun with JCfun f -> f | _ -> assert false in
  let args = call.jc_call_args in

  (* Compute abstract value at function call *)
  let curinvs = List.fold_left (ai_expr iaio abs) curinvs args in
  let _f, _pos, spec, _body =
    IntHashtblIter.find Jc_typing.functions_table f.jc_fun_info_tag
  in
(*   begin match body with None -> () | Some body -> *)
(*     if Jc_options.interprocedural then *)
(*       match iaio with *)
(* 	| None -> () (\* intraprocedural analysis only *\) *)
(* 	| Some iai ->  *)
(* 	    let copy_pre = Abstract1.copy mgr pre in *)
(* 	    ai_inter_function_call mgr iai abs copy_pre fi loc fs sl args; *)
(*   end; *)

  (* Add precondition as checks *)
  (* Replace formal by actual parameters and result by actual variable *)
  let pre =
    List.fold_left2
      (fun a e (_,v) ->
	 let t = Jc_effect.term_of_expr e in
	 match t with
	   | None -> forget_var_in_assertion v a
	   | Some t -> replace_var_in_assertion v t a
      ) spec.jc_fun_requires args f.jc_fun_info_parameters
  in
  let curinvs = test_assertion ~propagated:true mgr pre curinvs in

  let compulsory_behavior b =
    match b.jc_behavior_assumes with
      | None -> true
      | Some a when Assertion.is_true a -> true
      | _ -> false
  in

  (* Compute normal postcondition *)
  let normal_post =
    List.fold_left
      (fun acc (_pos,_name,b) ->
	 (* TODO : handle 'assumes' clauses precisely *)
	 if b.jc_behavior_throws = None && compulsory_behavior b then
	   Assertion.mkand [ b.jc_behavior_ensures; acc ] ()
	 else acc
      ) (Assertion.mktrue ())
      (spec.jc_fun_default_behavior :: spec.jc_fun_behavior)
  in

(*   let normal_behavior = *)
(*     match iaio with *)
(*       | None -> normal_behavior *)
(*       | Some iai ->  *)
(* 	  let inferred_post = *)
(* 	    try *)
(* 	      Hashtbl.find iai.jc_interai_function_postconditions f.jc_fun_info_tag *)
(* 	    with Not_found -> Abstract1.top mgr (Abstract1.env pre) *)
(* 	  in *)
(* 	  make_and [normal_behavior; (mkinvariant mgr inferred_post)] *)
(*   in *)

  (* Add typing constraints on result *)
  let normal_post =
    match vio with
      | None -> normal_post
      | Some _v ->
  	  let result = f.jc_fun_info_result in
  	  let cstrs =
	    Jc_typing.type_range_of_term result.jc_var_info_type
	      (new term_var result)
  	  in
  	  Assertion.mkand [ normal_post; cstrs ] ()
  in

  (* Replace formal by actual parameters and result by actual variable *)
  let normal_post =
    List.fold_left2
      (fun a e (_,v) ->
	 let t = Jc_effect.term_of_expr e in
	 match t with
	   | None -> forget_var_in_assertion v a
	   | Some t -> replace_var_in_assertion v t a
      ) normal_post args f.jc_fun_info_parameters
  in
  let normal_post =
    match vio with
      | None -> forget_var_in_assertion f.jc_fun_info_result normal_post
      | Some v ->
	  replace_var_by_var_in_assertion f.jc_fun_info_result v normal_post
  in

(*   let exceptional_behaviors = *)
(*     List.fold_left *)
(*       (fun acc (_, _, b) -> *)
(* 	 (\* TODO : handle 'assumes' clauses correctly *\) *)
(* 	 match b.jc_behavior_throws with *)
(* 	   | None -> acc  *)
(* 	   | Some ei -> *)
(* 	       if b.jc_behavior_assumes = None then *)
(* 		 (ei, b.jc_behavior_ensures) :: acc else acc) *)
(*       [] fs.jc_fun_behavior *)
(*   in *)
(*   let exceptional_behaviors = *)
(*     List.map *)
(*       (fun (ei, a) ->  *)
(* 	 ei, List.fold_left2  *)
(* 	   (fun a e vi ->  *)
(* 	      let t = Jc_effect.term_of_expr e in *)
(* 	      match t with *)
(* 		| None -> assert false *)
(* 		| Some t -> replace_var_in_assertion vi t a) *)
(* 	   a args f.jc_fun_info_parameters) *)
(*       exceptional_behaviors *)
(*   in *)
(*   let postexcl =  *)
(*     List.map  *)
(*       (fun (ei, a) ->  *)
(* 	 let copy_normal = copy_abstract_value mgr normal in *)
(* 	 let copy_pre = copy_normal.jc_absval_regular in *)
(* 	 let copy_pre = simple_test_assertion mgr normal_behavior  copy_pre in *)
(* 	 let copy_normal = { copy_normal with jc_absval_regular = copy_pre } in *)
(* 	 ei, copy_normal) *)
(*       exceptional_behaviors *)
(*   in *)
(*   let curinvs = { curinvs with jc_absinv_exceptional = postexcl } in *)
(*   if (is_purely_exceptional_fun fs) then *)
(*     { curinvs with jc_absinv_normal = empty_abstract_value mgr normal } *)
(*   else *)
(*     begin *)

  let fi_writes = f.jc_fun_info_effects.jc_writes.jc_effect_globals in
  let vars_writes =
    VarMap.fold
      (fun vi _labs acc -> Vai.all_variables (new term_var vi) @ acc)
      fi_writes []
  in
  let assigns absval =
    Abstract1.forget_array mgr absval (Array.of_list vars_writes) false
  in
  let curinvs = apply_to_current_invariant assigns curinvs in
  test_assertion mgr normal_post curinvs

and prepare_invariant mgr abs ~pos ~what absval =
  let a = minimize mgr absval in
  if Assertion.is_true a then
    None
  else
    let a = simplify a in
    if Assertion.is_true a then
      None
    else
      (printf
	 "%a@[<v 2>Inferring %s for function %s:@\n%a@]@."
	 Loc.report_position pos what
	 abs.jc_absint_function.jc_fun_info_name
	 Jc_output.assertion a;
       Some a)

and record_ai_loop_invariants abs =
  let mgr = abs.jc_absint_manager in
  let loop_invariants = abs.jc_absint_loop_invariants in
  Hashtbl.iter
    (fun _tag e ->
       let annot = match e#node with
	 | JCEloop(annot,_body) -> annot
	 | _ -> assert false
       in
       begin try
	 let loopinvs = Hashtbl.find loop_invariants annot.jc_loop_tag in
	 (* Update loop invariant *)
	 let loopinv =
	   meet mgr
	     loopinvs.jc_absinv_normal.jc_absval_regular
	     loopinvs.jc_absinv_normal.jc_absval_propagated
	 in
	 match
	   prepare_invariant mgr abs ~pos:e#pos ~what:"loop invariant" loopinv
	 with
	   | None -> ()
	   | Some a ->
	       (* Register loop invariant as such *)
	       let a = reg_annot ~pos:e#pos ~anchor:e#mark a in
	       if Jc_options.trust_ai then
		 annot.jc_free_loop_invariant <- a
	       else
		 annot.jc_loop_behaviors <-  ([], Some a, None) :: annot.jc_loop_behaviors;
       with Not_found -> () end
    ) abs.jc_absint_loops

and ai_function mgr iaio targets funpre (f,pos,spec,body) =
  try
    let env = Environment.make [||] [||] in

    (* Add global variables as abstract variables in [env]. *)
    let globvars =
      IntHashtblIter.fold (fun _tag (vi,_e) acc ->
			   Vai.all_variables (new term_var vi) @ acc
			  ) Jc_typing.variables_table []
    in
    let env = Environment.add env (Array.of_list globvars) [||] in

    (* Add \result as abstract variable in [env] if any. *)
    let result = f.jc_fun_info_result in
    let return_type = result.jc_var_info_type in
    let env =
      if return_type <> JCTnative Tunit then
	let result = Vai.all_variables (new term_var result) in
	Environment.add env (Array.of_list result) [||]
      else env
    in

    (* Add parameters as abstract variables in [env]. *)
    let params =
      List.fold_left
	(fun acc (_,v) -> Vai.all_variables (new term_var v) @ acc)
	[] f.jc_fun_info_parameters
    in
    let env = Environment.add env (Array.of_list params) [||] in

    let abs = {
      jc_absint_manager                 = mgr;
      jc_absint_function_environment    = env;
      jc_absint_function                = f;
      jc_absint_widening_threshold      = 1;
      jc_absint_loops                   = Hashtbl.create 0;
      jc_absint_loop_invariants         = Hashtbl.create 0;
      jc_absint_loop_initial_invariants = Hashtbl.create 0;
      jc_absint_loop_iterations         = Hashtbl.create 0;
      jc_absint_loop_entry_invs         = Hashtbl.create 0;
      jc_absint_target_assertions       = targets;
    } in

    (* Take the function precondition as initial constraints *)
    let initabs =
      simple_test_assertion mgr funpre (Abstract1.top mgr env)
    in
    let initpre =
      {  jc_absval_regular = initabs; jc_absval_propagated = initabs }
    in

    (* Add the currently inferred pre for [f] in pre *)
(*     let initpre = match iaio with *)
(*       | None -> initpre *)
(*       | Some iai -> *)
(* 	  let inferred_pre = *)
(* 	    try Hashtbl.find iai.jc_interai_function_preconditions f.jc_fun_info_tag  *)
(* 	    with Not_found -> Abstract1.top mgr env (\* for main function *\) in *)
(* 	  { initpre with jc_absval_regular = *)
(* 	      meet mgr initpre.jc_absval_regular inferred_pre } *)
(*     in *)

    pointer_terms_table := Hashtbl.create 0;

    (* Annotation inference on the function body. *)
    let initinvs = {
      jc_absinv_normal = initpre;
      jc_absinv_exceptional = [];
      jc_absinv_return = Hashtbl.create 3;
    } in
    let finalinvs = ai_expr iaio abs initinvs body in
    begin match iaio with
      | None -> record_ai_loop_invariants abs
      | Some iai ->
	  Hashtbl.replace iai.jc_interai_function_abs f.jc_fun_info_tag abs
    end;
    List.iter
      (fun target ->
	 if Jc_options.debug then
	   printf
	     "%a@[<v 2>Inferring assert invariant@\n%a@]@."
	     Loc.report_position target.jc_target_location
	     Jc_output.assertion
	     (Assertion.mkand [ target.jc_target_regular_invariant;
				target.jc_target_propagated_invariant ] ())
      ) targets;

(*     let initpre = *)
(*       match iaio with *)
(* 	| None -> initpre *)
(* 	| Some iai -> (\* Interprocedural analysis *\)  *)
(* 	    inspected_functions := f.jc_fun_info_tag :: !inspected_functions; *)
(* 	    incr nb_nodes; *)
(* 	    (\* Take the currently inferred pre for [fi] if any *\) *)
(* 	    try *)
(* 	      let inferred_pre =  *)
(* 		Hashtbl.find iai.jc_interai_function_preconditions f.jc_fun_info_tag *)
(* 	      in *)
(* 	      { initpre with jc_absval_regular = *)
(* 		  Abstract1.copy mgr inferred_pre } *)
(* 	    with Not_found -> initpre *)
(*     in *)
(*     pointer_terms_table := Hashtbl.create 0; *)

    (* Update the return postcondition for procedure with no last return. *)
    if return_type = JCTnative Tunit then
      return_abstract_value mgr finalinvs.jc_absinv_return
	body finalinvs.jc_absinv_normal;

    (* record the postcondition inferred *)
    let defpos,defid,defbehav = spec.jc_fun_default_behavior in
    let known_post =
      Assertion.mkand [ defbehav.jc_behavior_free_ensures;
			defbehav.jc_behavior_ensures ] ()
    in
    let cstrs =
      List.fold_left
 	(fun acc (_,v) ->
	   let cstr =
	     Jc_typing.type_range_of_term v.jc_var_info_type (new term_var v)
	   in
	   cstr :: acc
	) [] ((false,f.jc_fun_info_result) :: f.jc_fun_info_parameters)
    in
    let known_post = Assertion.mkand (known_post :: cstrs) () in

    let acc =
      Hashtbl.fold
	(fun _e absval acc ->
	   let post =
	     meet mgr absval.jc_absval_regular absval.jc_absval_propagated
	   in
	   let post = Abstract1.change_environment mgr post env false in
	   let a =
	     match
	       prepare_invariant mgr abs ~pos ~what:"postcondition case" post
	     with
	       | None -> Assertion.mktrue ()
	       | Some a -> simplify ~inva:known_post a
	   in a :: acc
	) finalinvs.jc_absinv_return []
    in
    let post = Assertion.mkor acc () in
    (* Register postcondition as such *)
    let post = reg_annot ~pos ~anchor:f.jc_fun_info_name post in
    let defbehav =
      if Jc_options.trust_ai then
	{ defbehav with jc_behavior_free_ensures =
	    Assertion.mkand [ defbehav.jc_behavior_free_ensures; post ] () }
      else
	{ defbehav with jc_behavior_ensures =
	    Assertion.mkand [ defbehav.jc_behavior_ensures; post ] () }
    in
    spec.jc_fun_default_behavior <- defpos,defid,defbehav;

(*     match iaio with  *)
(*       | None -> () *)
(*       | Some iai -> *)
(* 	  let old_post =  *)
(* 	    try *)
(* 	      Hashtbl.find iai.jc_interai_function_postconditions f.jc_fun_info_tag *)
(* 	    with Not_found -> Abstract1.top mgr env *)
(* 	  in *)
(* 	  let returnabs = keep_extern mgr fi !(invs.jc_absinv_return).jc_absval_regular in *)
(* 	  if not (is_eq mgr old_post returnabs) then *)
(* 	    Hashtbl.replace iai.jc_interai_function_postconditions f.jc_fun_info_tag returnabs; *)
(* 	  let old_excep =  *)
(* 	    try *)
(* 	      Hashtbl.find iai.jc_interai_function_exceptional f.jc_fun_info_tag *)
(* 	    with Not_found -> [] *)
(* 	  in *)
(* 	  let excabsl = *)
(* 	    List.fold_left *)
(* 	      (fun acc (exc, va) -> (exc, va.jc_absval_regular) :: acc) *)
(* 	      [] invs.jc_absinv_exceptional  *)
(* 	  in *)
(* 	  let excabsl = List.map (fun (exc, va) -> exc, keep_extern mgr fi va) excabsl in *)
(* 	  if (List.length old_excep = List.length excabsl) then *)
(* 	    let annot_inferred =  *)
(* 	      List.fold_left2 *)
(* 		(fun acc (ei1, va1) (ei2, va2) -> *)
(* 		   if ei1.jc_exception_info_tag <> ei2.jc_exception_info_tag || *)
(* 		     not (is_eq mgr va1 va2) then true else acc) false old_excep excabsl *)
(* 	    in *)
(* 	    if annot_inferred then *)
(* 	      Hashtbl.replace iai.jc_interai_function_exceptional f.jc_fun_info_tag excabsl; *)

  with Manager.Error exc ->
    Manager.print_exclog std_formatter exc;
    printf "@.";
    exit 1


(*****************************************************************************)
(* Modular generation of annotations for a function.                         *)
(*****************************************************************************)

let prepare_target target =
  target.jc_target_regular_invariant <-
    simplify target.jc_target_regular_invariant;
  (* Build the most precise invariant known at the current assertion point:
   * it is the conjunction of the regular invariant (from forward abstract
   * interpretation) and the propagated invariant (from propagated assertions).
   *)
  let inv =
    Assertion.mkand [ target.jc_target_regular_invariant;
		      target.jc_target_propagated_invariant ] ()
  in
  (* Check whether the target assertion is a consequence of the most
   * precise invariant.
   *)
  let impl = new assertion (JCAimplies(inv,target.jc_target_assertion)) in
  if tautology impl then
    (if debug then
       printf "%a[code_function] proof of %a discharged@."
	 Loc.report_position target.jc_target_location
	 Jc_output.assertion target.jc_target_assertion;
     None)
  else
    (if debug then
       printf "%a[code_function] precondition needed for %a@."
	 Loc.report_position target.jc_target_location
	 Jc_output.assertion target.jc_target_assertion;
     (* Adding target to the list. *)
     Some target)

let code_function (f,pos,spec,body) =
  match body with None -> () | Some body ->
    let wp_filter _canda =
      (* Only propagate candidate assertions for targets if Atp can make
       * sense of them.
       *)
      (* TODO : make sure ident on common logic formulas. *)
      (*         raw_assertion_equal canda (asrt_of_atp(atp_of_asrt canda)) *)
      true
    in

    (* Add parameters specs to the function precondition *)
    let cstrs =
      List.fold_left
 	(fun acc (_,v) ->
	   let cstr =
	     Jc_typing.type_range_of_term v.jc_var_info_type (new term_var v)
	   in
	   cstr :: acc
	) [] f.jc_fun_info_parameters
    in
(*     let consists = *)
(*       List.fold_left *)
(*  	(fun acc v ->  *)
(* 	   (\* This is not an precondition, as a pointer parameter may be null, *)
(* 	      but rather a consistency formula for the generated precondition, *)
(* 	      that should not assert nullity of a parameter this way *\) *)
(* 	   let consist = *)
(* 	     if is_nonnull_pointer_type v.jc_var_info_type then *)
(* 	       let tv = new term_var v in *)
(* 	       let st = pointer_struct tv#typ in *)
(* 	       let tmin =  *)
(* 		 new term ~typ:integer_type (JCToffset(Offset_min,tv,st))  *)
(* 	       in *)
(* 	       let tmax =  *)
(* 		 new term ~typ:integer_type (JCToffset(Offset_max,tv,st))  *)
(* 	       in *)
(* 	       [ new assertion (JCArelation (tmin,(`Ble,`Integer),tmax)) ] *)
(* 	     else [] *)
(* 	   in *)
(* 	   consist @ acc *)
(* 	) [] f.jc_fun_info_parameters *)
(*     in *)
    let funpre =
      Assertion.mkand
	(spec.jc_fun_requires :: spec.jc_fun_free_requires :: cstrs) ()
    in
(*     let funconsist = Assertion.mkand (funpre :: consists) () in *)

    begin match !Jc_options.annotation_sem with
      | AnnotNone -> ()
      | AnnotInvariants | AnnotElimPre | AnnotWeakPre | AnnotStrongPre ->

	  (* Collect checks *)
	  let targets = collect_targets wp_filter [] body in

	  (* Generate invariants by forward abstract interpretation *)
	  begin match !Jc_options.ai_domain with
	    | AbsNone ->
		assert false
	    | AbsBox ->
		let mgr = Box.manager_alloc () in
		ai_function mgr None targets funpre (f,pos,spec,body)
	    | AbsOct ->
		let mgr = Oct.manager_alloc () in
		ai_function mgr None targets funpre (f,pos,spec,body)
	    | AbsPol ->
		let mgr = Polka.manager_alloc_strict () in
		ai_function mgr None targets funpre (f,pos,spec,body)
	  end;

	  (* Generate preconditions by quantifier elimination and
	     weakest preconditions *)
	  begin match !Jc_options.annotation_sem with
	    | AnnotNone -> assert false
	    | AnnotInvariants	-> ()
	    | AnnotElimPre | AnnotWeakPre | AnnotStrongPre ->
 		let targets =
		  List.fold_right
		    (fun target acc ->
		       match prepare_target target with
			 | None -> acc
			 | Some a -> a :: acc
		    ) targets []
		in
		wp_function targets funpre (f,pos,spec,body)
	  end;

	  (* Collect checks that directly follow function beginning or
	     loop beginning *)
	  let targets = collect_immediate_targets [] body in
	  backprop_function targets (f,spec,body)

    end


(*****************************************************************************)
(* Interprocedural analysis.                                                 *)
(*****************************************************************************)

(* Variables used in the interprocedural analysis *)
let inspected_functions = ref []
let nb_conj_atoms_inferred = ref 0
let nb_nodes = ref 0
let nb_loop_inv = ref 0
let nb_fun_pre = ref 0
let nb_fun_post = ref 0
let nb_fun_excep_post = ref 0

let rec nb_conj_atoms a = match a#node with
  | JCAand al -> List.fold_left (fun acc a -> nb_conj_atoms a + acc) 0 al
  | JCAtrue | JCAfalse | JCArelation _ | JCAapp _
  | JCAimplies _ | JCAiff _ | JCAquantifier _ | JCAinstanceof _
  | JCAbool_term _ | JCAif _ | JCAmutable _ | JCAeqtype _ | JCAmatch _
  | JCAlet _ | JCAfresh _ 
  | JCAor _ | JCAnot _ | JCAold _ | JCAat _ | JCAsubtype _ -> 1


let rec record_ai_inter_annotations mgr iai fi pos fs _sl =
  let env = Environment.make [||] [||] in
  inspected_functions := fi.jc_fun_info_tag :: !inspected_functions;
  (* record inferred precondition for [fi] *)
  let pre =
    try
      Hashtbl.find iai.jc_interai_function_preconditions fi.jc_fun_info_tag
    with Not_found -> Abstract1.top mgr env
  in
  let a = mkinvariant mgr pre in
  let a = reg_annot ~pos ~anchor:fi.jc_fun_info_name a in
  nb_conj_atoms_inferred := !nb_conj_atoms_inferred + nb_conj_atoms a;
  incr nb_fun_pre;
  if Jc_options.verbose then
    printf
      "@[<v 2>Inferring precondition for function %s@\n%a@]@."
      fi.jc_fun_info_name Jc_output.assertion a;
  fs.jc_fun_free_requires <- Assertion.mkand [fs.jc_fun_free_requires; a] ();
  (* record loop invariants for [fi] *)
  let abs =
    try
      Hashtbl.find iai.jc_interai_function_abs fi.jc_fun_info_tag
    with Not_found -> assert false
  in
  record_ai_loop_invariants abs;
  (* record inferred postconditions for [fi] *)
  let post =
    try
      Hashtbl.find iai.jc_interai_function_postconditions fi.jc_fun_info_tag
    with Not_found -> Abstract1.top mgr env
  in
  let returna = mkinvariant mgr post in
  let vi_result = fi.jc_fun_info_result in
  let post = Assertion.mkand
    [returna; Jc_typing.type_range_of_term vi_result.jc_var_info_type
       (new term_var vi_result)] ()
  in
  let normal_behavior = { default_behavior with jc_behavior_ensures = post } in
  let exceptional =
    try
      Hashtbl.find iai.jc_interai_function_exceptional fi.jc_fun_info_tag
    with Not_found -> []
  in
  let excl, excabsl =
    List.fold_left
      (fun (acc1, acc2) (exc, va) -> (exc :: acc1, va :: acc2))
      ([], []) exceptional in
  let excabsl = List.map (fun va -> keep_extern mgr fi va) excabsl in
  let excabsl = List.map
    (fun va -> if Abstract1.is_bottom mgr va then
       Abstract1.top mgr env else va) excabsl in
  let excal = List.map (mkinvariant mgr) excabsl in

  let post = reg_annot ~pos ~anchor:fi.jc_fun_info_name post in
  nb_conj_atoms_inferred := !nb_conj_atoms_inferred + nb_conj_atoms post;
  incr nb_fun_post;
  let excal = List.map (reg_annot ~pos ~anchor:fi.jc_fun_info_name) excal in

  let exc_behaviors =
    List.map2
      (fun exc va ->
	 (Loc.dummy_position, "inferred",
	  { default_behavior with
	      jc_behavior_throws = Some exc;
	      jc_behavior_ensures = va }))
      excl excal
  in
  if Jc_options.verbose then
    begin
      printf
	"@[<v 2>Inferring postcondition for function %s@\n%a@]@."
	fi.jc_fun_info_name
	Jc_output.assertion post;
      List.iter2
	(fun exc exca ->
	   nb_conj_atoms_inferred := !nb_conj_atoms_inferred + nb_conj_atoms exca;
	   incr nb_fun_excep_post;
	   printf
	     "@[<v 2>Inferring exceptional postcondition (for exception %s) for function %s@\n%a@]@."
	     exc.jc_exception_info_name
	     fi.jc_fun_info_name
	     Jc_output.assertion exca) excl excal;
    end;
  begin
    if is_purely_exceptional_fun fs then () else
      fs.jc_fun_behavior <-
	(Loc.dummy_position,"inferred", normal_behavior) :: fs.jc_fun_behavior
  end;
  fs.jc_fun_behavior <- exc_behaviors @ fs.jc_fun_behavior;
  (* iterate on the call graph *)
  List.iter
    (fun fi ->
       let fi, _, fs, slo =
	 try
	   IntHashtblIter.find Jc_typing.functions_table fi.jc_fun_info_tag
	 with Not_found -> assert false (* should never happen *)
       in
       match slo with
	 | None -> ()
	 | Some b ->
	     if not (List.mem fi.jc_fun_info_tag !inspected_functions) then
	       record_ai_inter_annotations mgr iai fi pos fs b)
    fi.jc_fun_info_calls


let ai_interprocedural mgr (fi, loc, fs, sl) =
  let iai = {
    jc_interai_manager = mgr;
    jc_interai_function_preconditions = Hashtbl.create 0;
    jc_interai_function_postconditions = Hashtbl.create 0;
    jc_interai_function_exceptional = Hashtbl.create 0;
    jc_interai_function_nb_iterations = Hashtbl.create 0;
    jc_interai_function_init_pre = Hashtbl.create 0;
    jc_interai_function_abs = Hashtbl.create 0;
  } in
  let time = Unix.gettimeofday () in
  ignore (ai_function mgr (Some iai) [] (Assertion.mktrue ()) (fi, loc, fs, sl));
  inspected_functions := [];
  record_ai_inter_annotations mgr iai fi loc fs sl;
  let time = Unix.gettimeofday () -. time in
  if Jc_options.verbose then
    printf "Interprocedural analysis stats: \
@.    %d function preconditions inferred \
@.    %d function postconditions inferred \
@.    %d function exceptional postconditions inferred \
@.    %d loop invariants inferred \
@.    %d conjonction atoms inferred \
@.    %d nodes \
@.    %f seconds@."
      !nb_fun_pre !nb_fun_post !nb_fun_excep_post !nb_loop_inv
      !nb_conj_atoms_inferred !nb_nodes time


let main_function = function
  | _fi, _loc, _fs, None -> ()
  | fi, loc, fs, Some sl ->
      begin match !Jc_options.ai_domain with
	| AbsBox ->
	    let mgr = Box.manager_alloc () in
	    ai_interprocedural mgr (fi, loc, fs, sl)
	| AbsOct ->
	    let mgr = Oct.manager_alloc () in
	    ai_interprocedural mgr (fi, loc, fs, sl)
	| AbsPol ->
	    let mgr = Polka.manager_alloc_strict () in
	    ai_interprocedural mgr (fi, loc, fs, sl)
	| AbsNone -> assert false
      end

(*
let rec is_recursive_rec fi fil =
  List.exists
    (fun fi' ->
       inspected_functions := fi'.jc_fun_info_tag :: !inspected_functions;
       fi.jc_fun_info_tag = fi'.jc_fun_info_tag ||
	   (not (List.mem fi'.jc_fun_info_tag !inspected_functions) &&
	      is_recursive_rec fi fi'.jc_fun_info_calls))
    fil

let is_recursive fi =
  inspected_functions := [];
  let r = is_recursive_rec fi fi.jc_fun_info_calls in
  inspected_functions := [];
  r
*)

(*
  Local Variables:
  compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
  End:
*)
�����������why-2.34/jc/output.ml�������������������������������������������������������������������������������0000644�0001750�0001750�00000161602�12311670312�013111� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Lexing
open Format
open Pp

let why3syntax = ref false

type constant =
  | Prim_void
  | Prim_int of string
  | Prim_real of string
  | Prim_bool of bool
(*
  | Prim_string of string
*)

let fprintf_constant form e =
  match e with
    | Prim_void ->
        if !why3syntax then
          fprintf form "()"
        else
          fprintf form "void"
    | Prim_int(n) ->
          fprintf form "(%s)" n
    | Prim_real(f) -> fprintf form "%s" f
    | Prim_bool(b) ->
        if !why3syntax then
          fprintf form "%s" (if b then "Bool.True" else "Bool.False")
        else
          fprintf form "%b" b
(*
    | Prim_string s -> fprintf form "\"%s\"" s
*)

type term =
  | LConst of constant
  | LApp of string * term list
  | LVar of string                  (*r immutable logic var *)
  | LDeref of string                     (*r !r *)
  | LDerefAtLabel of string * string     (*r x@L *)
  | Tnamed of string * term
  | TIf of term * term * term
  | TLet of string * term * term

let rec iter_term f t =
  match t with
  | LConst(_c) -> ()
  | LApp(id,l) -> f id; List.iter (iter_term f) l
  | LVar id | LDeref id | LDerefAtLabel(id,_) -> f id
  | Tnamed(_,t) -> iter_term f t
  | TIf(t1,t2,t3) ->
      iter_term f t1; iter_term f t2; iter_term f t3
  | TLet(id,t1,t2) ->
      f id; iter_term f t1; iter_term f t2

let rec match_term acc t1 t2 =
  match t1, t2 with
    | LVar id, _ -> (id,t2)::acc
    | LApp(id1,l1), LApp(id2,l2) when id1 = id2 ->
      List.fold_left2 match_term acc l1 l2
    | _ -> invalid_arg "match_term : t1 is not a valid context"

let why3id s =
  match s.[0] with
  | 'A'..'Z' -> "_" ^ s
  | _ ->
      if Why3_kw.is_why3_keyword s then s ^ "_why3" else s


let why3constr s =
  match s.[0] with
  | 'A'..'Z' -> s
  | 'a'..'z' -> String.capitalize s
  | _ -> "U_" ^ s

let why3id_if s =
  if !why3syntax then why3id s else s

let why3ident s =
  match s with
        (* booleans *)
    | "not" -> "not"
    | "bool_and" -> "Bool.andb"
    | "bool_or" -> "Bool.orb"
    | "bool_xor" -> "Bool.xorb"
    | "bool_not" -> "Bool.notb"
        (* integers *)
    | "le_int" -> "Int.(<=)"
    | "le_int_" -> "Int.(<=)"
    | "le_int_bool" -> "Int.(<=)"
    | "ge_int" -> "Int.(>=)"
    | "ge_int_" -> "Int.(>=)"
    | "ge_int_bool" -> "Int.(>=)"
    | "lt_int" -> "Int.(<)"
    | "lt_int_" -> "Int.(<)"
    | "lt_int_bool" -> "Int.(<)"
    | "gt_int" -> "Int.(>)"
    | "gt_int_" -> "Int.(>)"
    | "gt_int_bool" -> "Int.(>)"
    | "add_int" -> "Int.(+)"
    | "sub_int" -> "Int.(-)"
    | "neg_int" -> "Int.(-_)"
    | "mul_int" -> "Int.(*)"
    | "computer_div" -> "ComputerDivision.div"
    | "computer_mod" -> "ComputerDivision.mod"
    | "int_min" -> "IntMinMax.min"
    | "int_max" -> "IntMinMax.max"
        (* reals *)
    | "le_real" -> "Real.(<=)"
    | "le_real_" -> "Real.(<=)"
    | "le_real_bool" -> "Real.(<=)"
    | "ge_real" -> "Real.(>=)"
    | "ge_real_" -> "Real.(>=)"
    | "ge_real_bool" -> "Real.(>=)"
    | "lt_real" -> "Real.(<)"
    | "lt_real_" -> "Real.(<)"
    | "lt_real_bool" -> "Real.(<)"
    | "gt_real" -> "Real.(>)"
    | "gt_real_" -> "Real.(>)"
    | "gt_real_bool" -> "Real.(>)"
    | "add_real" -> "Real.(+)"
    | "sub_real" -> "Real.(-)"
    | "neg_real" -> "Real.(-_)"
    | "mul_real" -> "Real.(*)"
    | "div_real" -> "Real.(/)"
        (* real functions *)
    | "real_of_int" -> "FromInt.from_int"
    | "truncate_real_to_int" -> "Truncate.truncate"
    | "real_min" -> "RealMinMax.min"
    | "real_max" -> "RealMinMax.max"
    | "abs_int" -> "AbsInt.abs"
    | "abs_real" -> "AbsReal.abs"
    | "sqrt_real" -> "Square.sqrt"
    | "pow_int" -> "Power.power"
    | "pow_real" -> "PowerReal.pow"
    | "pow_real_int" -> "PowerInt.power"
    | "exp" -> "ExpLog.exp"
    | "log" -> "ExpLog.log"
    | "cos" -> "Trigonometry.cos"
    | "sin" -> "Trigonometry.sin"
    | "tan" -> "Trigonometry.tan"
    | "atan" -> "Trigonometry.atan"
        (* floats *)
    | "nearest_even" -> "Rounding.NearestTiesToEven"
    | "down" -> "Rounding.Down"
    | "single_value" -> "Single.value"
    | "single_exact" -> "Single.exact"
    | "single_round_error" -> "Single.round_error"
    | "round_single" -> "Single.round"
    | "round_single_logic" -> "Single.round_logic"
    | "no_overflow_single" -> "Single.no_overflow"
    | "double_value" -> "Double.value"
    | "double_exact" -> "Double.exact"
    | "double_round_error" -> "Double.round_error"
    | "round_double" -> "Double.round"
    | "round_double_logic" -> "Double.round_logic"
    | "no_overflow_double" -> "Double.no_overflow"
        (* floats full *)
    | "le_double_full" -> "Double.le"
    | "lt_double_full" -> "Double.lt"
    | "ge_double_full" -> "Double.ge"
    | "gt_double_full" -> "Double.gt"
    | "eq_double_full" -> "Double.eq"
    | "ne_double_full" -> "Double.ne"
    | "double_is_finite" -> "Double.is_finite"
    | "double_is_infinite" -> "Double.is_infinite"
    | "double_is_plus_infinity" -> "Double.is_plus_infinity"
    | "double_is_minus_infinity" -> "Double.is_minus_infinity"
    | "double_is_NaN" -> "Double.is_NaN"
    | "double_sign" -> "Double.sign"
    | "Positive" -> "SpecialValues.Pos"
    | "Negative" -> "SpecialValues.Neg"
    | _ -> why3id s

let why3ident_if s =
  if !why3syntax then why3ident s else s

let why3param s =
  match s with
    | "le_int_" -> "Int.(<=)"
    | "ge_int_" -> "Int.(>=)"
    | "lt_int_" -> "Int.(<)"
    | "gt_int_" -> "Int.(>)"
        (* reals *)
    | "le_real_" -> "Real.(<=)"
    | "ge_real_" -> "Real.(>=)"
    | "lt_real_" -> "Real.(<)"
    | "gt_real_" -> "Real.(>)"
    | _ -> why3ident s



let why3_ComputerDivision = ref false
let why3_IntMinMax = ref false
let why3_reals = ref false
let why3_FromInt = ref false
let why3_Truncate = ref false
let why3_Square = ref false
let why3_Power = ref false
let why3_PowerInt = ref false
let why3_PowerReal = ref false
let why3_RealMinMax = ref false
let why3_AbsInt = ref false
let why3_AbsReal = ref false
let why3_ExpLog = ref false
let why3_Trigonometry = ref false

let compute_why3_dependencies f =
  match f with
    | "computer_div"
    | "computer_mod" -> why3_ComputerDivision := true
    | "int_min"
    | "int_max" -> why3_IntMinMax := true
    | "add_real"
    | "sub_real"
    | "neg_real"
    | "mul_real"
    | "div_real" -> why3_reals := true
    | "sqrt_real" -> why3_Square := true
    | "pow_int" -> why3_Power := true
    | "pow_real_int" -> why3_PowerInt := true
    | "pow_real" -> why3_PowerReal := true
    | "real_of_int" -> why3_FromInt := true
    | "truncate_real_to_int" -> why3_Truncate := true
    | "real_min"
    | "real_max" -> why3_RealMinMax := true
    | "abs_int" -> why3_AbsInt := true
    | "abs_real" -> why3_AbsReal := true
    | "exp" | "log" -> why3_ExpLog := true
    | "cos"
    | "sin"
    | "tan"
    | "atan" -> why3_Trigonometry := true
    | _ -> ()


(* localization *)

type kind =
  | VarDecr
  | ArithOverflow
  | DownCast
  | IndexBounds
  | PointerDeref
  | UserCall
  | DivByZero
  | AllocSize
  | Pack
  | Unpack
  | FPoverflow


(*
let pos_table :
    (string, (kind option * string option * string option *
             string * int * int * int))
    Hashtbl.t
    = Hashtbl.create 97
*)

let old_pos_table = Hashtbl.create 97

let name_counter = ref 0

let old_reg_pos prefix ?id ?kind ?name ?formula pos =
  let id = match id with
    | None ->
	incr name_counter;
	prefix ^ "_" ^ string_of_int !name_counter
    | Some n -> n
  in
  Hashtbl.add old_pos_table id (kind,name,formula,pos);
  id

let print_kind fmt k =
  fprintf fmt "%s"
    (match k with
       | VarDecr -> "VarDecr"
       | Pack -> "Pack"
       | Unpack -> "Unpack"
       | DivByZero -> "DivByZero"
       | AllocSize -> "AllocSize"
       | UserCall -> "UserCall"
       | PointerDeref -> "PointerDeref"
       | IndexBounds -> "IndexBounds"
       | DownCast -> "DownCast"
       | ArithOverflow -> "ArithOverflow"
       | FPoverflow -> "FPOverflow")

let print_kind_why3 fmt k =
  fprintf fmt "%s"
    (match k with
       | VarDecr -> "variant decreases"
       | Pack -> "pack"
       | Unpack -> "unpack"
       | DivByZero -> "division by zero"
       | AllocSize -> "allocation size"
       | UserCall -> "precondition for call"
       | PointerDeref -> "pointer dereference"
       | IndexBounds -> "index bounds"
       | DownCast -> "downcast"
       | ArithOverflow -> "arithmetic overflow"
       | FPoverflow -> "floating-point overflow")

let abs_fname f =
  if Filename.is_relative f then
    Filename.concat (Unix.getcwd ()) f
  else f

(*
let print_pos fmt =
  Hashtbl.iter
    (fun id (kind,name,formula,f,l,fc,lc) ->
       fprintf fmt "[%s]@\n" id;
       Option_misc.iter
	 (fun k -> fprintf fmt "kind = %a@\n" print_kind k) kind;
       Option_misc.iter
	 (fun n -> fprintf fmt "name = \"%s\"@\n" n) name;
       Option_misc.iter
	 (fun n -> fprintf fmt "formula = \"%s\"@\n" n) formula;
(*
       let f = b.Lexing.pos_fname in
*)
       fprintf fmt "file = \"%s\"@\n"
         (String.escaped (abs_fname f));
(*
       let l = b.Lexing.pos_lnum in
       let fc = b.Lexing.pos_cnum - b.Lexing.pos_bol in
       let lc = e.Lexing.pos_cnum - b.Lexing.pos_bol in
*)
       fprintf fmt "line = %d@\n" l;
       fprintf fmt "begin = %d@\n" fc;
       fprintf fmt "end = %d@\n@\n" lc)
    pos_table
*)

let old_print_pos fmt =
  Hashtbl.iter
    (fun id (kind,name,formula,(f,l,fc,lc)) ->
       fprintf fmt "[%s]@\n" id;
       Option_misc.iter
	 (fun k -> fprintf fmt "kind = %a@\n" print_kind k) kind;
       Option_misc.iter
	 (fun n -> fprintf fmt "name = \"%s\"@\n" n) name;
       Option_misc.iter
	 (fun n -> fprintf fmt "formula = \"%s\"@\n" n) formula;
       fprintf fmt "file = \"%s\"@\n"
         (String.escaped (abs_fname f));
       fprintf fmt "line = %d@\n" l;
       fprintf fmt "begin = %d@\n" fc;
       fprintf fmt "end = %d@\n@\n" lc)
    old_pos_table


let my_pos_table :
    (string, (kind option * string option * string option *
             string * int * int * int))
    Hashtbl.t
    = Hashtbl.create 97

let my_add_pos m pos = Hashtbl.add my_pos_table m pos

let my_print_locs fmt =
  Hashtbl.iter
    (fun id (kind,name,beh,f,l,fc,lc) ->
       fprintf fmt "[%s]@\n" id;
       Option_misc.iter
         (fun k -> fprintf fmt "kind = %a@\n" print_kind k) kind;
       Option_misc.iter
         (fun n -> fprintf fmt "name = \"%s\"@\n" n) name;
       Option_misc.iter
	 (fun b -> fprintf fmt "behavior = \"%s\"@\n" b) beh;
       fprintf fmt "file = \"%s\"@\n" (String.escaped f);
       fprintf fmt "line = %d@\n" l;
       fprintf fmt "begin = %d@\n" fc;
       fprintf fmt "end = %d@\n@\n" lc)
    my_pos_table

let why3_prloc fmt (f,l,fc,lc) =
  fprintf fmt "#\"%s\" %d %d %d#" f l (max fc 0) (max lc 0)

let why3loc ~prog fmt lab =
  try
    let (k,n,beh,f,l,fc,lc) = Hashtbl.find my_pos_table lab in
    begin
      match n,beh,k with
        | Some n, None,_ -> fprintf fmt "\"expl:%s\"@ " n
        | Some n, Some b,_ -> fprintf fmt "\"expl:%s, %s\"@ " n b
        | None, _, Some k -> fprintf fmt "\"expl:%a\"@ " print_kind_why3 k
        | _ -> ()
    end;
(*
    Option_misc.iter (fun n -> fprintf fmt "\"fun:%s\"@ " n) n;
    Option_misc.iter (fun b -> fprintf fmt "\"beh:%s\"@ " b) beh;
    Option_misc.iter (fun k -> fprintf fmt "\"expl:%a\"@ " print_kind_why3 k) k;
*)
    why3_prloc fmt (f,l,fc,lc)
  with
      Not_found ->
        if prog then
          fprintf fmt "'%s: " (why3constr lab)
        else
          fprintf fmt "\"%s\"" lab

let why3_locals = Hashtbl.create 97

let is_why3_local id = Hashtbl.mem why3_locals id

let add_why3_local id = Hashtbl.add why3_locals id ()

let () = add_why3_local "result"

let remove_why3_local id = Hashtbl.remove why3_locals id

type logic_type =
    { logic_type_name : string;
      logic_type_args : logic_type list;
    }
(*r int, float, int list, ... *)

let is_prop t = t.logic_type_name = "prop"

let logic_type_var s = { logic_type_name = "'"^s;
                   logic_type_args = [];
                 }

let rec iter_logic_type f t =
  f t.logic_type_name;
  List.iter (iter_logic_type f) t.logic_type_args

type assertion =
  | LTrue | LFalse
  | LAnd of assertion * assertion
  | LOr of assertion * assertion
  | LIff of assertion * assertion
  | LNot of assertion
  | LImpl of assertion * assertion
  | LIf of term * assertion * assertion
  | LLet of string * term * assertion
      (*r warning: only for Coq assertions *)
  | LForall of string * logic_type * trigger list list * assertion
      (*r forall x:t.a *)
  | LExists of string * logic_type * trigger list list * assertion
      (*r exists x:t.a *)
  | LPred of string * term list
  | LNamed of string * assertion
and trigger =
  |LPatP of assertion
  |LPatT of term


let rec unname a =
  match a with
    | LNamed(_,a) -> unname a
    | _ -> a

let is_not_true a =
  match unname a with
    | LTrue -> false
    | _ -> true

let make_var s = LVar s

let make_not a1 =
  match unname a1 with
    | LTrue -> LFalse
    | LFalse -> LTrue
    | _ -> LNot a1

let make_or a1 a2 =
  match (unname a1,unname a2) with
    | (LTrue,_) -> LTrue
    | (_,LTrue) -> LTrue
    | (LFalse,_) -> a2
    | (_,LFalse) -> a1
    | (_,_) -> LOr(a1,a2)

let make_and a1 a2 =
  match (unname a1,unname a2) with
    | (LTrue, _) -> a2
    | (_,LTrue) -> a1
    | (LFalse,_) -> LFalse
    | (_,LFalse) -> LFalse
    | (_,_) -> LAnd(a1,a2)

let rec make_and_list l =
  match l with
    | [] -> LTrue
    | f::r -> make_and f (make_and_list r)

let rec make_or_list l =
  match l with
    | [] -> LFalse
    | f::r -> make_or f (make_or_list r)

let rec make_forall_list l triggers assertion =
  match l with
    | [] -> assertion
    | [s,ty] -> LForall(s,ty,triggers,assertion)
    | (s,ty)::l -> LForall(s,ty,[],make_forall_list l triggers assertion)

let make_impl a1 a2 =
  match (unname a1,unname a2) with
    | (LTrue,_) -> a2
    | (_,LTrue) -> LTrue
    | (LFalse,_) -> LTrue
    | (_,LFalse) -> LNot(a1)
    | (_,_) -> LImpl(a1,a2)

let rec make_impl_list conclu = function
  | [] -> conclu
  | a::l -> LImpl(a,make_impl_list conclu l)

let make_equiv a1 a2 =
  match (unname a1,unname a2) with
    | (LTrue,_) -> a2
    | (_,LTrue) -> a1
    | (LFalse,_) -> make_not a2
    | (_,LFalse) -> make_not a1
    | (_,_) -> LIff(a1,a2)

let rec iter_assertion f a =
  match a with
  | LTrue -> ()
  | LFalse -> ()
  | LAnd(a1,a2) -> iter_assertion f a1; iter_assertion f a2
  | LOr(a1,a2) -> iter_assertion f a1; iter_assertion f a2
  | LIff(a1,a2) -> iter_assertion f a1; iter_assertion f a2
  | LNot(a1) -> iter_assertion f a1
  | LImpl(a1,a2) -> iter_assertion f a1; iter_assertion f a2
  | LIf(t,a1,a2) ->
      iter_term f t; iter_assertion f a1; iter_assertion f a2
  | LLet(_id,t,a) -> iter_term f t; iter_assertion f a
  | LForall(_id,t,trigs,a) -> iter_logic_type f t;
      iter_triggers f trigs;
      iter_assertion f a
  | LExists(_id,t,trigs,a) -> iter_logic_type f t;
      iter_triggers f trigs;
      iter_assertion f a
  | LPred(id,l) -> f id; List.iter (iter_term f) l
  | LNamed (_, a) -> iter_assertion f a

and iter_triggers f trigs =
  List.iter (List.iter
               (function
                  | LPatP a -> iter_assertion f a
                  | LPatT t -> iter_term f t)) trigs


let logic_type_name t =
  if !why3syntax then
    match t.logic_type_name with
      | "unit" -> "()"
      | "bool" -> "Bool.bool"
      | s -> why3ident s
  else
    t.logic_type_name

let rec fprintf_logic_type form t =
  match t.logic_type_args with
    | [] -> fprintf form "%s" (logic_type_name t)
    | [x] ->
        if !why3syntax then
	  fprintf form "(%s %a)" (logic_type_name t) fprintf_logic_type x
        else
	  fprintf form "%a %s" fprintf_logic_type x t.logic_type_name
    | l ->
        if !why3syntax then
	  fprintf form "(%s %a)"
	    (logic_type_name t)
	    (print_list space fprintf_logic_type) l
        else
	  fprintf form "(%a) %s"
	    (print_list simple_comma fprintf_logic_type) l
	    t.logic_type_name

let rec bool_to_prop t =
  match t with
    | LConst (Prim_bool true) -> LTrue
    | LConst (Prim_bool false) -> LFalse
    | LApp("bool_not",[t1]) -> LNot(bool_to_prop t1)
    | LApp("bool_and",[t1;t2]) -> LAnd(bool_to_prop t1,bool_to_prop t2)
    | LApp("bool_or",[t1;t2]) -> LOr(bool_to_prop t1,bool_to_prop t2)
    | LApp("lt_int_bool",[t1;t2]) -> LPred("lt_int",[t1;t2])
    | LApp("le_int_bool",[t1;t2]) -> LPred("le_int",[t1;t2])
    | LApp("gt_int_bool",[t1;t2]) -> LPred("gt_int",[t1;t2])
    | LApp("ge_int_bool",[t1;t2]) -> LPred("ge_int",[t1;t2])
    | LApp("lt_real_bool",[t1;t2]) -> LPred("lt_real",[t1;t2])
    | LApp("le_real_bool",[t1;t2]) -> LPred("le_real",[t1;t2])
    | LApp("gt_real_bool",[t1;t2]) -> LPred("gt_real",[t1;t2])
    | LApp("ge_real_bool",[t1;t2]) -> LPred("ge_real",[t1;t2])
      (** by default *)
    | _ -> LPred("eq",[t;LConst(Prim_bool true)])

let is_why3_poly_eq, is_why3_poly_neq =
  let eqs = ["eq_int"; "eq_bool"; "eq_real"; "eq_int_"; "eq_bool_"; "eq_real_"] in
  ListLabels.mem ~set:eqs, ListLabels.mem ~set:(List.map ((^) "n") eqs)

let rec fprintf_term form t =
  match t with
  | LConst(c) -> fprintf_constant form c
  | LApp("eq_pointer",[t1;t2]) ->
      fprintf form "@[(%a=%a)@]"
	fprintf_term t1
	fprintf_term t2
  | LApp("ne_pointer",[t1;t2]) ->
      fprintf form "@[(%a<>%a)@]"
	fprintf_term t1
	fprintf_term t2
  | LApp(id,t::tl) ->
      if !why3syntax then
        begin
          fprintf form "@[(%s@ %a" (why3ident id) fprintf_term t;
          List.iter (fun t -> fprintf form "@ %a" fprintf_term t) tl;
          fprintf form ")@]"
        end
      else
        begin
          fprintf form "@[%s(%a" id fprintf_term t;
          List.iter (fun t -> fprintf form ",@ %a" fprintf_term t) tl;
          fprintf form ")@]"
        end
  | LApp(id,[]) ->
      fprintf form "%s" (why3ident_if id)
  | LVar id ->
      fprintf form "%s" (why3ident_if id)
  | LDeref id ->
      if !why3syntax then
        if is_why3_local id then
          fprintf form "%s" (why3ident_if id)
        else
          fprintf form "!%s" (why3ident id)
      else
        fprintf form "%s" id
  | LDerefAtLabel(id,l) ->
      if !why3syntax then
        if l="" then
          fprintf form "(old !%s)" (why3ident id)
        else
          fprintf form "(at !%s '%s)" (why3ident id) (why3constr l)
      else
        fprintf form "%s@@%s" id l
  | Tnamed(lab,t) ->
      if !why3syntax then
        fprintf form "(%a %a)" (why3loc ~prog:false) lab fprintf_term t
      else
        fprintf form "(%s : %a)" lab fprintf_term t
  | TIf(t1,t2,t3) ->
    if !why3syntax then
      let f = bool_to_prop t1 in
      fprintf form "@[<hov 1>(if %a@ then %a@ else %a)@]"
        fprintf_assertion f fprintf_term t2 fprintf_term t3
    else
      fprintf form "@[<hov 1>(if %a@ then %a@ else %a)@]"
        fprintf_term t1 fprintf_term t2 fprintf_term t3
  | TLet(v,t1,t2) ->
      fprintf form "@[<hov 1>(let %s@ = %a@ in %a)@]" v
	fprintf_term t1 fprintf_term t2

and fprintf_assertion form a =
  match a with
  | LTrue -> fprintf form "true"
  | LFalse -> fprintf form "false"
  | LAnd(a1,a2) ->
      fprintf form "@[(%a@ %s %a)@]"
	fprintf_assertion a1
        (if !why3syntax then "/\\" else "and")
	fprintf_assertion a2
  | LOr(a1,a2) ->
      fprintf form "@[(%a@ %s %a)@]"
	fprintf_assertion a1
        (if !why3syntax then "\\/" else "or")
	fprintf_assertion a2
  | LIff(a1,a2) ->
      fprintf form "@[(%a@ <-> %a)@]"
	fprintf_assertion a1
	fprintf_assertion a2
  | LNot(a1) ->
      fprintf form "@[(not %a)@]"
	fprintf_assertion a1
  | LImpl(a1,a2) ->
      fprintf form "@[<hov 1>(%a ->@ %a)@]"
	fprintf_assertion a1 fprintf_assertion a2
  | LIf(t,a1,a2) when !why3syntax ->
      fprintf form "@[<hov 1>(if %a@ = True@ then %a@ else %a)@]"
	fprintf_term t fprintf_assertion a1 fprintf_assertion a2
  | LIf(t,a1,a2) ->
      fprintf form "@[<hov 1>(if %a@ then %a@ else %a)@]"
	fprintf_term t fprintf_assertion a1 fprintf_assertion a2
  | LLet(id,t,a) ->
      fprintf form "@[<hov 1>(let @[<hov 1>%s =@ %a in@]@ %a)@]" id
	fprintf_term t fprintf_assertion a
  | LForall(id,t,trigs,a) when !why3syntax ->
      fprintf form "@[<hov 1>(forall@ %s:@,%a@,%a@,.@ %a)@]"
	(why3ident id) fprintf_logic_type t
        fprintf_triggers trigs fprintf_assertion a
  | LForall(id,t,trigs,a) ->
      fprintf form "@[<hov 1>(forall@ %s:@,%a@,%a@,.@ %a)@]"
	id fprintf_logic_type t fprintf_triggers trigs fprintf_assertion a
  | LExists(id,t,trigs,a) ->
      fprintf form "@[<hov 1>(exists %s:%a%a.@ %a)@]"
	id fprintf_logic_type t fprintf_triggers trigs fprintf_assertion a
(*
  | LPred(id,[t1;t2]) when is_eq id->
      fprintf form "@[(%a = %a)@]"
	fprintf_term t1
	fprintf_term t2
*)
  | LPred("le",[t1;t2]) ->
      fprintf form "@[(%a <= %a)@]"
	fprintf_term t1
	fprintf_term t2
  | LPred("ge",[t1;t2]) ->
      fprintf form "@[(%a >= %a)@]"
	fprintf_term t1
	fprintf_term t2
  | LPred(id,[t1;t2]) when id = "eq" || !why3syntax && is_why3_poly_eq id ->
      fprintf form "@[(%a = %a)@]"
	fprintf_term t1
	fprintf_term t2
  | LPred("neq",[t1;t2]) ->
      fprintf form "@[(%a <> %a)@]"
	fprintf_term t1
	fprintf_term t2
  | LPred(id,t::tl) ->
      if !why3syntax then
        begin
          fprintf form "@[(%s@ %a" (why3ident id) fprintf_term t;
          List.iter (fun t -> fprintf form "@ %a" fprintf_term t) tl;
          fprintf form ")@]"
        end
      else
        begin
          fprintf form "@[%s(%a" id fprintf_term t;
          List.iter (fun t -> fprintf form ",@ %a" fprintf_term t) tl;
          fprintf form ")@]"
        end
  | LPred (id, []) ->
      fprintf form "%s" (why3ident_if id)
  | LNamed (n, a) ->
      if !why3syntax then
        fprintf form "@[(%a@ %a)@]" (why3loc ~prog:false) n fprintf_assertion a
      else
        fprintf form "@[(%s:@ %a)@]" n fprintf_assertion a

and fprintf_triggers fmt trigs =
  let pat fmt = function
    | LPatT t -> fprintf_term fmt t
    | LPatP p -> fprintf_assertion fmt p in
  print_list_delim lsquare rsquare alt (print_list comma pat) fmt trigs

(*s types *)


type why_type =
  | Prod_type of string * why_type * why_type      (*r (x:t1)->t2 *)
  | Base_type of logic_type
  | Ref_type of why_type
  | Annot_type of
      assertion * why_type *
      string list * string list * assertion * ((string * assertion) list)
	(*r { P } t reads r writes w { Q | E => R } *)
;;

let base_type s = Base_type { logic_type_name = s ; logic_type_args = [] }
let int_type = base_type "int"
let bool_type = base_type "bool"
let unit_type = base_type "unit"

let option_iter f x =
  match x with
    | None -> ()
    | Some y -> f y
;;


let rec iter_why_type f t =
  match t with
    | Prod_type(_,t1,t2) ->
	iter_why_type f t1; iter_why_type f t2
    | Base_type b -> iter_logic_type f b
    | Ref_type(t) -> iter_why_type f t
    | Annot_type (pre,t,reads,writes,post,signals) ->
	iter_assertion f pre;
	iter_why_type f t;
	List.iter f reads;
	List.iter f writes;
	iter_assertion f post;
	List.iter (fun (id,a) -> f id; iter_assertion f a) signals
;;


let rec fprint_comma_string_list form l =
  match l with
    | [] -> ()
    | x::l ->
	fprintf form ",%s" x;
	fprint_comma_string_list form l
;;

let rec fprintf_type ~need_colon anon form t =
  match t with
    | Prod_type(id,t1,t2) ->
	  if !why3syntax then
            let id = if id="" || anon then "_anonymous" else id in
            fprintf form "@[<hov 1>(%s:%a)@ %a@]" (why3ident id)
	    (fprintf_type ~need_colon:false anon) t1
              (fprintf_type ~need_colon anon) t2
          else
	    if id="" || anon then
	      fprintf form "@[<hov 1>%a ->@ %a@]"
	        (fprintf_type ~need_colon:false anon) t1
                (fprintf_type ~need_colon anon) t2
	    else
	      fprintf form "@[<hov 1>%s:%a ->@ %a@]" id
	        (fprintf_type ~need_colon:false anon) t1
                (fprintf_type ~need_colon anon) t2
    | Base_type t  ->
        if need_colon then fprintf form ": ";
	fprintf_logic_type form t
    | Ref_type(t) ->
        if need_colon then fprintf form ": ";
	if !why3syntax then
          fprintf form "ref %a" (fprintf_type ~need_colon:false anon) t
        else
          fprintf form "%a ref" (fprintf_type ~need_colon:false anon) t
    | Annot_type(p,t,reads,writes,q,signals) ->
	begin
          if need_colon then fprintf form ": ";
          if !why3syntax then
            begin
	      fprintf form "%a@ " (fprintf_type ~need_colon:false anon) t;
	      fprintf form "@[@[<hov 2>requires { %a }@]@ "
                fprintf_assertion p;
            end
          else
            begin
	      fprintf form "@[@[<hov 2>{ ";
	      if is_not_true p
	      then fprintf_assertion form p;
	      fprintf form "}@]@ %a@ " (fprintf_type ~need_colon:false anon) t
            end;
	  begin
	    match List.sort compare reads with
	      | [] -> ()
	      | r::l as reads ->
                  if !why3syntax then
		    fprintf form "reads@ { %a } @ "
                      (print_list comma
                         (fun form r -> fprintf form "%s" (why3ident r))) reads
                  else
		  fprintf form "reads %s%a@ " r fprint_comma_string_list l
	  end;
	  begin
	    match List.sort compare writes with
	      | [] -> ()
	      | r::l as writes ->
                  if !why3syntax then
		    fprintf form "writes@ { %a }@ "
                      (print_list comma
                         (fun form r -> fprintf form "%s" (why3ident r))) writes
                  else
		    fprintf form "writes %s%a@ " r fprint_comma_string_list l
	  end;
	  begin
	    match signals with
	      | [] ->
                  if !why3syntax then
		    fprintf form "@[<hov 2> ensures { %a }@]@]" fprintf_assertion q
                  else
		    fprintf form "@[<hov 2>{ %a }@]@]" fprintf_assertion q
	      | l ->
                  if !why3syntax then
		    begin
                      fprintf form "@[<hov 2> ensures { %a@ }@]@ "
		        fprintf_assertion q;
		      List.iter
                         (fun (e,r) ->
			    fprintf form "@[<hov 2>raises { %s result ->@ %a }@]" e
			      fprintf_assertion r)
		        l
                    end
                  else
		    fprintf form
		      "raises%a@ @[<hov 2>{ %a@ | %a }@]@]"
		      (print_list comma (fun fmt (e,_r) -> fprintf fmt " %s" e))
		      l
		      fprintf_assertion q
		      (print_list alt (fun fmt (e,r) ->
				         fprintf fmt "@[<hov 2>%s =>@ %a@]" e
					   fprintf_assertion r))
		      l
	  end

	end
;;


(*s expressions *)

type variant = term * string option

type opaque = bool

type assert_kind = [`ASSERT | `CHECK]

type expr_node =
  | Cte of constant
  | Var of string
  | And of expr * expr
  | Or of expr * expr
  | Not of expr
  | Void
  | Deref of string
  | If of expr * expr * expr
  | While of
      expr (* loop condition *)
      * assertion (* invariant *)
      * variant option (* variant *)
      * expr list (* loop body *)
  | Block of expr list
  | Assign of string * expr
  | MultiAssign of string * Loc.position * (string * expr) list *
      bool * term * expr * string * expr * string *
      (int * bool * bool * string) list
  | Let of string * expr * expr
  | Let_ref of string * expr * expr
 (* optionaly give the return type to enforce *)
  | App of expr * expr * why_type option
  | Raise of string * expr option
  | Try of expr * string * string option * expr
  | Fun of (string * why_type) list *
      assertion * expr * assertion * ((string * assertion) list)
  | Triple of opaque *
      assertion * expr * assertion * ((string * assertion) list)
  | Assert of assert_kind * assertion * expr
  | BlackBox of why_type
  | Absurd
  | Loc of Lexing.position * expr

and expr =
    { expr_labels : string list;
      expr_loc_labels : string list;
      expr_node : expr_node;
    }
;;

let mk_expr e = { expr_labels = []; expr_loc_labels = []; expr_node = e }
let mk_var s = mk_expr (Var s)
let void = mk_expr Void

let rec iter_expr f e =
  match e.expr_node with
    | Cte(_c) -> ()
    | Var(id) -> f id
    | And(e1,e2) -> iter_expr f e1; iter_expr f e2
    | Or(e1,e2) -> iter_expr f e1; iter_expr f e2
    | Not(e1) -> iter_expr f e1
    | Void -> ()
    | Deref(id) -> f id
    | If(e1,e2,e3) ->
	iter_expr f e1; iter_expr f e2; iter_expr f e3
    | While(e1,inv,var,e2) ->
	iter_expr f e1;
	iter_assertion f inv;
	option_iter (fun (var,r) -> iter_term f var;
                       match r with
                         | None -> ()
                         | Some id -> f id
                    ) var;
	List.iter (iter_expr f) e2
    | Block(el) -> List.iter (iter_expr f) el
    | Assign(id,e) -> f id; iter_expr f e
    | MultiAssign _ ->
        eprintf "Fatal error: Output.iter_expr should not be called on MultiAssign@.";
        assert false
    | Let(_id,e1,e2) -> iter_expr f e1; iter_expr f e2
    | Let_ref(_id,e1,e2) -> iter_expr f e1; iter_expr f e2
    | App(e1,e2,_) -> iter_expr f e1; iter_expr f e2
    | Raise (_, None) -> ()
    | Raise(_id,Some e) -> iter_expr f e
    | Try(e1,_exc,_id,e2) -> iter_expr f e1; iter_expr f e2
    | Fun(_params,pre,body,post,signals) ->
	iter_assertion f pre;
	iter_expr f body;
	iter_assertion f post;
	List.iter (fun (_,a) -> iter_assertion f a) signals
    | Triple(_,pre,e,post,exceps) ->
	iter_assertion f pre;
	iter_expr f e;
	iter_assertion f post;
	List.iter (fun (_,a) -> iter_assertion f a) exceps
    | Assert(_,p, e) -> iter_assertion f p; iter_expr f e
    | Loc (_,e) -> iter_expr f e
    | BlackBox(ty) -> iter_why_type f ty
    | Absurd -> ()


let fprintf_variant form = function
  | None -> ()
  | Some (t, None) ->
      if !why3syntax then
        fprintf form "variant { %a }" fprintf_term t
      else
        fprintf form "variant %a" fprintf_term t
  | Some (t, Some r) ->
      if !why3syntax then
        fprintf form "variant { %a } with %s" fprintf_term t r
      else
        fprintf form "variant %a for %s" fprintf_term t r

let rec fprintf_expr_node in_app form e =
  match e with
    | Cte(c) -> fprintf_constant form c
    | Var(id) ->
        fprintf form "%s" (if !why3syntax then why3param id else id)
    | And(e1,e2) ->
	fprintf form "@[(%a && %a)@]"
	  fprintf_expr e1 fprintf_expr e2
    | Or(e1,e2) ->
	fprintf form "@[(%a || %a)@]"
	  fprintf_expr e1 fprintf_expr e2
    | Not(e1) ->
	fprintf form "@[(not %a)@]"
	  fprintf_expr e1
    | Void ->
        if !why3syntax then
          fprintf form "()"
        else
          fprintf form "void"
    | Deref(id) ->
        fprintf form "!%s" (why3id_if id)
    | If(e1,e2,e3) ->
	fprintf form
	  "@[<hov 0>(if %a@ @[<hov 1>then@ %a@]@ @[<hov 1>else@ %a@])@]"
	  fprintf_expr e1 fprintf_expr e2 fprintf_expr e3
    | While(e1,inv,var,e2) when !why3syntax && e1.expr_node = Cte (Prim_bool true) ->
	fprintf form
	  "@[<hov 0>loop@ @[<hov 1>@[<hov 2>@[<hov 2>invariant@ { %a }@]@ @[<hov 2>%a@]@]@ %a@]@ end@]"
	  fprintf_assertion inv
	  fprintf_variant var
	  fprintf_expr_list e2
    | While(e1,inv,var,e2) when !why3syntax ->
	fprintf form
	  "@[<hov 0>while %a do@ @[<hov 1>@[<hov 2>@[<hov 2>invariant@ { %a }@]@ @[<hov 2>%a@]@]@ %a@]@ done@]"
	  fprintf_expr e1
	  fprintf_assertion inv
	  fprintf_variant var
	  fprintf_expr_list e2
    | While(e1,inv,var,e2) ->
	fprintf form
	  "@[<hov 0>while %a do@ @[<hov 1>@[<hov 2>{ @[<hov 2>invariant@ %a@]@ @[<hov 2>%a@] }@]@ %a@]@ done@]"
	  fprintf_expr e1
	  fprintf_assertion inv
	  fprintf_variant var
	  fprintf_expr_list e2
    | Block([]) ->
	fprintf form "void"
    | Block(el) ->
	fprintf form "@[<hov 0>begin@ @[<hov 1>  %a@]@ end@]" fprintf_expr_list el
    | Assign(id,e) ->
        fprintf form "@[<hov 1>(%s := %a)@]" (why3id_if id) fprintf_expr e
    | MultiAssign _ ->
	fprintf form "@[<hov 1>(MultiAssign ...)@]"
    | Let(id,e1,e2) ->
        fprintf form "@[<hov 0>(let %s =@ %a in@ %a)@]" (why3id_if id)
	  fprintf_expr e1 fprintf_expr e2
    | Let_ref(id,e1,e2) ->
        fprintf form "@[<hov 0>(let %s =@ ref %a in@ %a)@]" (why3id_if id)
	  fprintf_expr e1 fprintf_expr e2
    | App({expr_node = App({expr_node = Var id},e1,_)},e2,_)
        when !why3syntax && is_why3_poly_eq id ->
	fprintf form "@[<hov 1>(%a = %a)@]" fprintf_expr e1 fprintf_expr e2
    | App({expr_node = App({expr_node = Var id},e1,_)},e2,_)
        when !why3syntax && is_why3_poly_neq id ->
	fprintf form "@[<hov 1>(%a <> %a)@]" fprintf_expr e1 fprintf_expr e2
    | App(e1,e2,ty) when !why3syntax ->
        if in_app then
	  fprintf form "@[<hov 1>%a %a@]"
            (fprintf_expr_gen true) e1 fprintf_expr e2
        else
	  fprintf form "@[<hov 1>(%a %a%a)@]"
            (fprintf_expr_gen true) e1 fprintf_expr e2
            (Pp.print_option (fprintf_type ~need_colon:true false)) ty
    | App(e1,e2,_) ->
	fprintf form "@[<hov 1>(%a %a)@]" fprintf_expr e1 fprintf_expr e2
    | Raise(id,None) ->
	fprintf form "@[<hov 1>(raise@ %s)@]" id
    | Raise(id,Some e) ->
	fprintf form "@[<hov 1>(raise@ (%s@ %a))@]" id fprintf_expr e
    | Try(e1,exc,None,e2) ->
	fprintf form "@[<hov 1>try@ %a@ with@ %s ->@ %a end@]"
	  fprintf_expr e1 exc fprintf_expr e2
    | Try(e1,exc,Some id,e2) ->
	fprintf form "@[<hov 1>try@ %a@ with@ %s %s ->@ %a end@]"
	  fprintf_expr e1 exc id fprintf_expr e2
    | Fun(params,pre,body,post,signals) ->
	fprintf form "@[<hov 1>fun @[";
	List.iter
	  (fun (x,t) ->
             (match t with
               | Ref_type _ -> ()
               | _ -> add_why3_local x);
             fprintf form "(%s : %a) " (why3id_if x)
               (fprintf_type ~need_colon:false false) t)
	  params;
        if !why3syntax then
          begin
	    fprintf form "@]->@ @[<hov 0>requires { %a  }@ "
              fprintf_assertion pre;
            begin
	    match signals with
	      | [] ->
		  fprintf form "@[<hov 2>ensures { %a }@]@]" fprintf_assertion post
	      | l ->
		    fprintf form "@[<hov 2> ensures { %a@ } %a @]"
		      fprintf_assertion post
		      (print_list alt
		         (fun fmt (e,r) ->
			    fprintf fmt "@[<hov 2>raises { %s result ->@ %a }@]" e
			      fprintf_assertion r))
		      l
            end;
	    fprintf form "%a@]@ " fprintf_expr body;
          end
        else
          begin
	    fprintf form "@]->@ @[<hov 0>{ ";
	    if pre <> LTrue
	    then fprintf_assertion form pre;
	    fprintf form " }@ %a@]@ " fprintf_expr body;
	    match signals with
	      | [] ->
		  fprintf form "@[<hov 2>{ %a }@]@]" fprintf_assertion post
	      | l ->
		  fprintf form "@[<hov 2>{ %a@ | %a }@]"
		    fprintf_assertion post
		    (print_list alt
		       (fun fmt (e,r) ->
			  fprintf fmt "@[<hov 2>%s =>@ %a@]" e
			    fprintf_assertion r))
		    l
	  end;
        List.iter
	  (fun (x,t) ->
             (match t with
               | Ref_type _ -> ()
               | _ -> remove_why3_local x))
	  params;

    | Triple(_,pre,e,LTrue,[]) ->
	fprintf form "@[<hov 0>(assert { %a };@ (%a))@]"
	  fprintf_assertion pre
	  fprintf_expr e
    | Triple(o,pre,e,post,exceps) ->
      fprintf form "@[<hov 0>(assert { %a };@ " fprintf_assertion pre;
      if !why3syntax then
        if o then
          begin
            fprintf form "abstract@ ensures {@ %a }@ "
	      fprintf_assertion post;
            List.iter
              (fun (e,r) ->
                fprintf form "@[<hov 2>raises { %s ->@ %a }@]" e fprintf_assertion r)
              exceps;
            fprintf form "@ %a@ end"
              fprintf_expr e
          end
        else
          begin
            match exceps with
	      | [] ->
                fprintf form "let _ = %a in assert { %a }"
                  fprintf_expr e
		  fprintf_assertion post
              | _ -> assert false (* TODO *)
        end
      else
	begin
          fprintf form "(%a)@ " fprintf_expr e;
	  match exceps with
	    | [] ->
		(if o then
                    fprintf form "{{ %a }}" else fprintf form "{ %a }")
		  fprintf_assertion post
	    | l ->
		(if o then
		   fprintf form "@[<hov 2>{{ %a@ | %a }}@]"
		 else
		   fprintf form "@[<hov 2>{ %a@ | %a }@]")
		  fprintf_assertion post
		  (print_list alt
		  (fun fmt (e,r) ->
		     fprintf fmt "@[<hov 2>%s =>@ %a@]" e
		       fprintf_assertion r))
		  l
	end;
      fprintf form ")@]"
    | Assert(k,p, e) ->
	fprintf form "@[<hov 0>(%s@ { %a };@ %a)@]"
          (match k with `ASSERT -> "assert" | `CHECK -> "check")
	  fprintf_assertion p fprintf_expr e
    | BlackBox(t) ->
	if !why3syntax then
          fprintf form "@[<hov 0>any %a @]"
	    (fprintf_type ~need_colon:false false) t
        else
	  fprintf form "@[<hov 0>[ %a ]@]"
	    (fprintf_type ~need_colon:false false) t
    | Absurd ->
	fprintf form "@[<hov 0>absurd@ @]"
    | Loc (_l, e) ->
	fprintf_expr form e
	(*
	fprintf form "@[#%S %d %d#%a@]" l.pos_fname l.pos_lnum
	  (l.pos_cnum - l.pos_bol) fprintf_expr e
	*)

and fprintf_expr_gen in_app form e =
  let rec aux l =
    match l with
      | [] -> fprintf_expr_node in_app form e.expr_node
      | s::l ->
(*
          if s="L2" then Format.eprintf "Output.fprintf_expr: printing label %s for expression %a@." s fprintf_expr_node e.expr_node;
*)
          if !why3syntax then
            fprintf form "@[<hov 0>(%a@ " (why3loc ~prog:true) s
          else
            fprintf form "@[<hov 0>(%s:@ " s;
          aux l;
          fprintf form ")@]"
  in aux e.expr_labels

and fprintf_expr form e = fprintf_expr_gen false form e

and fprintf_expr_list form l =
  match l with
    | [] -> ()
    | e::l ->
	fprintf form "%a" fprintf_expr e;
	fprintf_expr_end_list form l

and fprintf_expr_end_list form l =
  match l with
    | [] -> ()
    | e::l ->
	fprintf form ";@ %a" fprintf_expr e;
	fprintf_expr_end_list form l
;;

let make_or_expr a1 a2 =
  match (a1.expr_node,a2.expr_node) with
    | (Cte (Prim_bool true),_) -> a1
    | (_,Cte (Prim_bool true)) -> a2
    | (Cte (Prim_bool false),_) -> a2
    | (_,Cte (Prim_bool false)) -> a1
    | (_,_) -> mk_expr (Or(a1,a2))

let make_and_expr a1 a2 =
  match (a1.expr_node,a2.expr_node) with
    | (Cte (Prim_bool true),_) -> a2
    | (_,Cte (Prim_bool true)) -> a1
    | (Cte (Prim_bool false),_) -> a1
    | (_,Cte (Prim_bool false)) -> a2
    | (_,_) -> mk_expr (And(a1,a2))


let make_app_rec ~logic f l =
  let rec make_rec accu = function
    | [] -> accu
    | e::r -> make_rec (mk_expr (App(accu,e,None))) r
  in
  match l with
    | [] -> if logic then make_rec f [] else make_rec f [void]
    | l -> make_rec f l
;;

let app_add_ty ?ty e =
  match ty,e.expr_node with
  | None,_ -> e
  | Some _, App(e1,e2,None) -> { e with expr_node = App(e1,e2,ty)}
  | Some _, _ ->
    invalid_arg "Output.app_add_ty: type coercion for constant. To correct."

let make_app ?ty id l =
  let app = make_app_rec ~logic:false (mk_var id) l in
  app_add_ty ?ty app

let make_logic_app ?ty id l =
  let app = make_app_rec ~logic:true (mk_var id) l in
  app_add_ty ?ty app

let make_app_e ?ty e l =
  let app = make_app_rec ~logic:false e l in
  app_add_ty ?ty app

let make_while cond inv var e =
  let body =
    match e.expr_node with
      | Block(l) -> l
      | _ -> [e]
  in mk_expr (While(cond,inv,var,body))

let make_label label e =
(*
  if label = "L2" then Format.eprintf "Output.make_label: adding label %s@." label;
*)
  assert (String.length label > 0);
  if label.[0] = '_' then
  { e with expr_loc_labels = label :: e.expr_loc_labels }
  else
  { e with expr_labels = label :: e.expr_labels }

let make_pre pre e =  mk_expr (Triple(false,pre,e,LTrue,[]))




let compare_parallel_assign (i,_,_,_) (j,_,_,_) =
  let c = Pervasives.compare i j in
  if c = 0 then raise Exit else c


let append_list e l =
(*
  Format.eprintf "Entering append_list@.";
*)
  match l with
    | [] -> [e]
    | e'::rem ->
        match e.expr_node,e'.expr_node with
          | MultiAssign(mark1,pos1,lets1,isrefa1,ta1,a1,tmpe1,e1,f1,l1),
            MultiAssign(_,_,lets2,_isrefa2,_ta2,a2,_tmpe2,e2,f2,l2)
            when e'.expr_labels = [] ->
              (*
                Format.eprintf
                "Found multi-assigns: a1=%a, a2=%a, e1=%a, e2=%a, f1=%s,f2=%s@."
                fprintf_expr a1 fprintf_expr a2
                fprintf_expr e1 fprintf_expr e2 f1 f2;
              *)
              if a1 = a2 && e1 = e2 && f1 = f2 then
                begin
                  try
                    let l = List.merge compare_parallel_assign l1 l2 in
                    (*
                      Format.eprintf "append_list, merge successful!@.";
                    *)
                    { expr_labels = e.expr_labels;
                      expr_loc_labels = e.expr_loc_labels @ e'.expr_loc_labels;
                      expr_node =
                        MultiAssign(mark1,pos1,lets1@lets2,isrefa1,ta1,a1,tmpe1,e1,f1,l) }
                    ::rem
                  with Exit ->
                    (*
                      Format.eprintf "append_list, merge failed...@.";
                    *)
                    e::l
                end
              else
                begin
                  (*
                    Format.eprintf "do not match@.";
                  *)
                  e::l
                end
          | MultiAssign _, _e' ->
              (*
                Format.eprintf "MultiAssign not followed by MultiAssign but by %a@."
                fprintf_expr e';
              *)
              e::l
          | _, MultiAssign _ ->
              (*
                Format.eprintf "MultiAssign not preceeded by MultiAssign@.";
              *)
              e::l
          | _ ->
              (*
                Format.eprintf "no MultiAssign at all@.";
              *)
              e::l


let make_block labels loc_labels l =
  match l with
      | [] -> assert false
      | [e] -> {e with expr_labels = labels @ e.expr_labels ; 
                       expr_loc_labels = loc_labels @ e.expr_loc_labels }
      | _ -> { expr_labels = labels ; expr_loc_labels = loc_labels ; expr_node = Block l }

(** Try hard to keep the labels visible by all the instructions that follow
    but also to remove unneeded block

    The principle is to push e2 inside e1 such that every labels visible for
    the last instruction (not a block) of e1 can be visible for e2
 *)
let rec append' e1 e2 =
  match e1.expr_node,e2.expr_node with
    | Void,_ -> (* assert (e1.expr_labels = []);*) [e2]
    | _,Void -> assert (e2.expr_labels = []); [e1]
    | Block(_),Block([]) -> [e1]
    | Block(l1),_ ->
      [make_block e1.expr_labels e1.expr_loc_labels (concat l1 e2)]
    | _,Block(l2) ->
      begin match e1.expr_labels, e2.expr_labels with
        | [], [] -> append_list e1 l2
        | labels1, [] ->
          [make_block labels1 e1.expr_loc_labels (append_list {e1 with expr_labels = []} l2)]
        | labels1, _ ->
          [make_block labels1 e1.expr_loc_labels (append_list {e1 with expr_labels = []} [e2])]
      end
    | _ ->
      if e1.expr_labels = [] then
        append_list e1 [e2]
      else
        let e1' = {e1 with expr_labels = []} in
        [make_block e1.expr_labels [] (append_list e1' [e2])]

and concat l1 e2 =
  match l1 with
  | [] -> [e2]
  | [a1] -> append' a1 e2
  | a1::l1 -> a1::(concat l1 e2)

let append e1 e2 =
  make_block [] [] (append' e1 e2)

type goal_kind = KAxiom | KLemma | KGoal

type why_id = { name : string ; loc : Loc.floc }

let id_no_loc s = { name = s; loc = Loc.dummy_floc }

type why_decl =
  | Param of bool * why_id * why_type         (*r parameter in why *)
  | Def of why_id * bool * expr               (*r global let in why *)
  | Logic of bool * why_id * (string * logic_type) list * logic_type    (*r logic decl in why *)
  | Predicate of bool * why_id * (string * logic_type) list * assertion
  | Inductive of bool * why_id * (string * logic_type) list *
      (string * assertion) list (*r inductive definition *)
  | Goal of goal_kind * why_id * assertion         (*r Goal *)
  | Function of bool * why_id * (string * logic_type) list * logic_type * term
  | Type of why_id * string list
  | Exception of why_id * logic_type option



let get_why_id d =
  match d with
    | Param(_,id,_)
    | Logic(_,id,_,_)
    | Def(id,_,_)
    | Goal(_,id,_)
    | Predicate(_,id,_,_)
    | Function(_,id,_,_,_)
    | Inductive(_,id,_,_)
    | Type (id,_)
    | Exception(id,_) -> id

let iter_why_decl f d =
  match d with
    | Param(_,_,t) -> iter_why_type f t
    | Def(_id,_,t) -> iter_expr f t
    | Logic(_,_id,args,t) ->
	List.iter (fun (_,t) -> iter_logic_type f t) args;
	iter_logic_type f t
    | Inductive(_,_id,args,cases) ->
	List.iter (fun (_,t) -> iter_logic_type f t) args;
	List.iter (fun (_,a) -> iter_assertion f a) cases
    | Predicate(_,_id,args,p) ->
	List.iter (fun (_,t) -> iter_logic_type f t) args;
	iter_assertion f p
    | Goal(_,_id,t) -> iter_assertion f t
    | Function(_,_id,args,t,p) ->
	List.iter (fun (_,t) -> iter_logic_type f t) args;
	iter_logic_type f t;
	iter_term f p
    | Type(_t,args) -> List.iter f args
    | Exception(_,t) -> Option_misc.iter (iter_logic_type f) t



type state = [`TODO | `RUNNING | `DONE ];;

type 'a decl = { mutable state : state; decl : 'a };;

module StringMap = Map.Make(String);;

(*
exception Recursion;;
*)

let rec do_topo decl_map iter_fun output_fun id d =
  match d.state with
    | `DONE -> ()
    | `RUNNING ->
	eprintf "Warning: recursive definition of %s in generated file@." id
    | `TODO ->
	d.state <- `RUNNING;
	iter_fun
	  (fun id ->
	     try
	       let s = StringMap.find id decl_map in
	       do_topo decl_map iter_fun output_fun id s
	     with
		 Not_found -> ())
	  d.decl;
	output_fun d.decl;
	d.state <- `DONE
;;

let compare_ids
    { name = id1; loc = (_,l1,_,_)}
    { name = id2; loc = (_,l2,_,_)} =
  let c = Pervasives.compare l1 l2 in
  if c = 0 then Pervasives.compare id1 id2 else c

let build_map get_id decl_list =
  let m =
    List.fold_left
      (fun acc decl ->
	 let id = get_id decl in
	 let d = { state = `TODO ; decl = decl } in
	 StringMap.add id.name (id,d) acc)
      StringMap.empty
      decl_list
  in
  let m,l = StringMap.fold
    (fun name (id,d) (m,l) ->
       (StringMap.add name d m, (id,d)::l))
    m (StringMap.empty,[])
  in
  m, List.sort (fun (id1,_) (id2,_) ->
		  compare_ids id1 id2) l
;;

let fprint_logic_arg form (id,t) =
  if !why3syntax then
    fprintf form "(%s:%a)" (why3ident id) fprintf_logic_type t
  else
    fprintf form "%s:%a" id fprintf_logic_type t

let str_of_goal_kind = function
  | KAxiom -> "axiom"
  | KLemma -> "lemma"
  | KGoal -> "goal"

let fprintf_why_decl form d =
  match d with
    | Param(b,id,t) when !why3syntax ->
	fprintf form "@[<hov 1>%sval %s@ %a@]@.@."
	(if b then "external " else "") (why3ident id.name)
	  (fprintf_type ~need_colon:true false) t
    | Param(b,id,t) ->
	fprintf form "@[<hov 1>%sparameter %s :@ %a@]@\n@."
	(if b then "external " else "") id.name
	  (fprintf_type ~need_colon:false false) t
    | Logic(b,id,args,t) when !why3syntax ->
        if is_prop t then
	  fprintf form "@[<hov 1>%spredicate %s %a @.@."
	    (if b then "external " else "")
            (why3ident id.name)
	    (print_list space (fun fmt (_id,t) -> fprintf_logic_type fmt t)) args
        else
	  fprintf form "@[<hov 1>%sfunction %s %a : %a@.@."
	    (if b then "external " else "")
            (why3ident id.name)
	    (print_list space (fun fmt (_id,t) -> fprintf_logic_type fmt t)) args
	    fprintf_logic_type t

    | Logic(b,id,args,t) ->
	fprintf form "@[<hov 1>%slogic %s: %a -> %a@.@."
	  (if b then "external " else "") id.name
	  (print_list comma (fun fmt (_id,t) -> fprintf_logic_type fmt t)) args
	  fprintf_logic_type t
    | Inductive(b,id,args,cases) when !why3syntax ->
	fprintf form "@[<hov 1>%sinductive %s @[%a@] =@\n@[<v 0>%a@]@\n@."
	  (if b then "external " else "") (why3ident id.name)
	  (print_list space (fun fmt (_id,t) -> fprintf_logic_type fmt t)) args
	  (print_list newline
	     (fun _fmt (id,a) ->
		fprintf form "| %s: @[%a@]" id fprintf_assertion a))
	  cases
    | Inductive(b,id,args,cases) ->
	fprintf form "@[<hov 1>%sinductive %s: @[%a -> prop@] =@\n@[<v 0>%a@]@\n@."
	  (if b then "external " else "") id.name
	  (print_list comma (fun fmt (_id,t) -> fprintf_logic_type fmt t)) args
	  (print_list newline
	     (fun _fmt (id,a) ->
		fprintf form "| %s: @[%a@]" id fprintf_assertion a))
	  cases
    | Goal(k,id,p) when !why3syntax ->
	fprintf form "@[<hov 1>%s %s %a:@ %a@]@.@." (str_of_goal_kind k)
          (why3id id.name)
          (why3loc ~prog:false) id.name
	  fprintf_assertion p
    | Goal(k,id,p) ->
	fprintf form "@[<hov 1>%s %s :@ %a@]@.@." (str_of_goal_kind k)
          id.name
	  fprintf_assertion p
    | Def(id,diverges,e) when !why3syntax ->
        fprintf form "@[<hov 1>let %s%s %a=@ %a@]@.@."
          (why3id id.name)
          (if diverges then " \"W:diverges:N\"" else "")
          (why3loc ~prog:false) id.name
          fprintf_expr e
    | Def(id,_,e) ->
        fprintf form "@[<hov 1>let %s =@ %a@]@.@." (why3id_if id.name)
          fprintf_expr e
    | Predicate (b, id, args, p) when !why3syntax ->
        List.iter (fun (id,_) -> add_why3_local id) args;
	fprintf form "@[<hov 1>%spredicate %s%a =@ %a@]@.@."
	  (if b then "external " else "") (why3ident id.name)
	  (print_list space fprint_logic_arg) args
	  fprintf_assertion p;
        List.iter (fun (id,_) -> remove_why3_local id) args
    | Predicate (b, id, args, p) ->
	fprintf form "@[<hov 1>%spredicate %s(%a) =@ %a@]@.@."
	  (if b then "external " else "") id.name
	  (print_list comma fprint_logic_arg) args
	  fprintf_assertion p
    | Function(b,id,args,t,e) when !why3syntax ->
        List.iter (fun (id,_) -> add_why3_local id) args;
	fprintf form "@[<hov 1>%sfunction %s%a : %a =@ %a@]@.@."
	  (if b then "external " else "") (why3ident id.name)
	  (print_list space fprint_logic_arg) args
	  fprintf_logic_type t
	  fprintf_term e;
        List.iter (fun (id,_) -> remove_why3_local id) args
    | Function(b,id,args,t,e) ->
	fprintf form "@[<hov 1>%sfunction %s(%a) : %a =@ %a@]@.@."
	  (if b then "external " else "") id.name
	  (print_list comma fprint_logic_arg) args
	  fprintf_logic_type t
	  fprintf_term e
    | Type (id, []) when !why3syntax ->
	fprintf form "@[type %s@]@.@." (why3ident id.name)
    | Type (id, []) ->
	fprintf form "@[type %s@]@.@." id.name
    | Type (id, [t]) ->
	fprintf form "@[type '%s %s@]@.@." t id.name
    | Type (id, t::l) ->
	fprintf form "@[type ('%s" t;
	List.iter (fun t -> fprintf form ", '%s" t) l;
	fprintf form ") %s@]@.@." id.name
    | Exception(id, None) ->
	fprintf form "@[exception %s@]@.@." id.name
    | Exception(id, Some t) ->
        if !why3syntax then
	  fprintf form "@[exception %s %a@]@.@." id.name
            fprintf_logic_type t
        else
          fprintf form "@[exception %s of %a@]@.@." id.name fprintf_logic_type t


let output_decls get_id iter_decl output_decl decls =
  let map, l = build_map get_id decls in
  List.iter
    (fun (id,decl) ->
       do_topo map iter_decl output_decl id.name decl)
    l

let output_why3_imports form use_floats float_model =
  fprintf form "use import int.Int@\n@\n";
  fprintf form "use bool.Bool@\n@\n";
  if !why3_IntMinMax then
    fprintf form "use int.MinMax as IntMinMax@\n@\n";
  if !why3_ComputerDivision then
    fprintf form "use int.ComputerDivision@\n@\n";
  if !why3_reals then
    fprintf form "use import real.RealInfix@\n@\n";
  if !why3_FromInt then
    fprintf form "use real.FromInt@\n@\n";
  if !why3_Truncate then
    fprintf form "use real.Truncate@\n@\n";
  if !why3_Square then
    fprintf form "use real.Square@\n@\n";
  if !why3_Power then
    fprintf form "use int.Power@\n@\n";
  if !why3_PowerInt then
    fprintf form "use real.PowerInt@\n@\n";
  if !why3_PowerReal then
    fprintf form "use real.PowerReal@\n@\n";
  if !why3_RealMinMax then
    fprintf form "use real.MinMax as RealMinMax@\n@\n";
  if !why3_AbsInt then
    fprintf form "use int.Abs as AbsInt@\n@\n";
  if !why3_AbsReal then
    fprintf form "use real.Abs as AbsReal@\n@\n";
  if !why3_ExpLog then
    fprintf form "use real.ExpLog@\n@\n";
  if !why3_Trigonometry then
    fprintf form "use real.Trigonometry@\n@\n";
  if use_floats then
    begin
      match float_model with
        | Jc_env.FMfull ->
          fprintf form "use import floating_point.SingleFull as Single@\n";
          fprintf form "use import floating_point.DoubleFull as Double@\n@\n"
        | Jc_env.FMdefensive ->
          fprintf form "use import floating_point.Single@\n";
          fprintf form "use import floating_point.Double@\n@\n"
        | Jc_env.FMmultirounding ->
          (* fprintf form "use import floating_point.Single@\n"; *)
          fprintf form "use import floating_point.DoubleMultiRounding as Double@\n@\n"
        | Jc_env.FMmath ->
          assert false (* TODO *)
    end;
  fprintf form "use import jessie3theories.Jessie_memory_model@\n@\n"


let fprintf_why_decls ?(why3=false) ?(use_floats=false)
    ~float_model form decls =
  why3syntax := why3;
  (* Why do we need a partition ?
     because one may have a type and a logic/parameter with the same name,
     and the computation of dependencies is confused in that case

     Type may depend on nothing
     Logic may depend on Type, Logic and Predicate
     Predicate may depend on Type, Predicate and Logic
     Axiom may depend on Type, Predicate and Logic
     Parameter may depend on Type, Predicate and Logic
     Def may depend on Type, Parameter, Predicate, Logic, and Def

     - Claude, 16 nov 2006

  *)

(*
  let (types, defs, others) =
    List.fold_left
      (fun (t,d,o) decl ->
	 match decl with
	   | Type _ -> (decl::t,d,o)
	   | Def _ -> (t,decl::d,o)
	   | _ -> (t,d,decl::o))
      ([],[],[]) decls
  in
    output_decls get_why_id iter_why_decl (fprintf_why_decl form) types;
    output_decls get_why_id iter_why_decl (fprintf_why_decl form) others;
    output_decls get_why_id iter_why_decl (fprintf_why_decl form) defs
*)

  if why3 then List.iter (iter_why_decl compute_why3_dependencies) decls;

  (*
    Additional rules :

    Exception may depend on Type
    Parameter may depend on Exception

    - Nicolas R., 8 nov 2007

  *)

  let (types, params, defs, others) =
    List.fold_left
      (fun (t, p, d, o) decl ->
	 match decl with
	   | Type _ -> (decl::t, p, d, o)
	   | Exception _ | Param _ -> (t, decl::p, d, o)
	   | Def _ -> (t, p, decl::d, o)
	   | _ -> (t, p, d, decl::o))
      ([], [], [], []) decls
  in
  if why3 then
    begin
      fprintf form "theory Jessie_model@\n@\n";
      output_why3_imports form use_floats float_model
    end;
  output_decls get_why_id iter_why_decl (fprintf_why_decl form) types;
  output_decls get_why_id iter_why_decl (fprintf_why_decl form) others;
  if why3 then
    begin
      fprintf form "end@\n@\n";
      fprintf form "module Jessie_program@\n@\n";
      output_why3_imports form use_floats float_model;
      fprintf form "use import Jessie_model@\n@\n";
      fprintf form "use import ref.Ref@\n@\n";
      fprintf form "use import jessie3.JessieDivision@\n@\n";
      if use_floats then
        begin
          fprintf form "use import floating_point.Rounding@\n@\n";
          match float_model with
            | Jc_env.FMfull ->
              fprintf form "use import jessie3.JessieFloatsFull@\n@\n"
            | Jc_env.FMdefensive ->
              fprintf form "use import jessie3.JessieFloats@\n@\n"
            | Jc_env.FMmultirounding ->
              fprintf form "use import jessie3.JessieFloatsMultiRounding@\n@\n"
            | Jc_env.FMmath -> assert false (* TODO *)
        end;
      fprintf form "use import jessie3.Jessie_memory_model_parameters@\n@\n";
      fprintf form "use import jessie3_integer.Integer@\n@\n";
    end;
  output_decls get_why_id iter_why_decl (fprintf_why_decl form) params;
  output_decls get_why_id iter_why_decl (fprintf_why_decl form) defs;
  if why3 then fprintf form "end@\n@\n"



(*
  Local Variables:
  compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
  End:
*)
������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_envset.mli���������������������������������������������������������������������������0000644�0001750�0001750�00000010256�12311670312�013700� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



module type OrderedType =
sig
  type t
  val equal : t -> t -> bool
  val compare : t -> t -> int
end

module type OrderedHashedType =
sig
  type t
  val equal : t -> t -> bool
  val compare : t -> t -> int
  val hash : t -> int
end

open Jc_env
open Jc_stdlib

module StringSet : Set.S with type elt = string

module StringMap : Map.S with type key = string 

val get_unique_name : ?local_names:StringSet.t -> string -> string

val is_pointer_type : Jc_env.jc_type -> bool
val is_nonnull_pointer_type : Jc_env.jc_type -> bool
val is_integral_type: jc_type -> bool

val is_embedded_field : Jc_env.field_info -> bool

module VarOrd : OrderedHashedType with type t = var_info

module VarSet : Set.S with type elt = var_info

module VarMap : Map.S with type key = var_info

module StructSet : Set.S with type elt = struct_info

module StructMap : Map.S with type key = struct_info

module VariantSet : Set.S with type elt = root_info

module VariantMap : Map.S with type key = root_info

module ExceptionSet : Set.S with type elt = exception_info

module ExceptionMap : Map.S with type key = exception_info

module StructOrd : OrderedHashedType with type t = struct_info

module VariantOrd : OrderedHashedType with type t = root_info

module FieldOrd : OrderedHashedType with type t = field_info

module FieldSet : Set.S with type elt = field_info

module FieldMap : Map.S with type key = field_info

module FieldTable : Hashtbl.S with type key = field_info

module MemClass : OrderedHashedType with type t = mem_class

module MemClassSet : Set.S with type elt = mem_class

module AllocClass : OrderedHashedType with type t = alloc_class

module PointerClass : OrderedHashedType with type t = pointer_class

module LogicLabelSet : Set.S with type elt = label

module TypeVarOrd : OrderedHashedType with type t = type_var_info
module TypeVarMap : Map.S with type key = type_var_info

(*
Local Variables: 
compile-command: "make -C .. bin/jessie.byte"
End: 
*)

��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_effect.ml����������������������������������������������������������������������������0000644�0001750�0001750�00000156726�12311670312�013474� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)




open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_name
open Jc_constructors
open Jc_pervasives
(*
open Jc_iterators
*)
open Jc_struct_tools

open Format
open Pp

type precision_mode = MApprox | MPrecise
let current_mode = ref MApprox

(* Constant memories *)
let constant_memories = StringHashtblIter.create 17

(* Constant allocation tables *)
let constant_alloc_tables = StringHashtblIter.create 17

(* Constant allocation tables *)
let constant_tag_tables = StringHashtblIter.create 17

let add_constant_memory (mc,r) =
  StringHashtblIter.add constant_memories (memory_name (mc,r)) (mc,r)

let add_constant_alloc_table (ac,r) =
  StringHashtblIter.add constant_alloc_tables (alloc_table_name (ac,r)) (ac,r)

let add_constant_tag_table (vi,r) =
  StringHashtblIter.add constant_tag_tables (tag_table_name (vi,r)) (vi,r)

(* Transposition for calls *)

let transpose_labels ~label_assoc labs =
  match label_assoc with
    | None -> labs
    | Some assoc ->
	LogicLabelSet.fold
	  (fun lab acc ->
	     let lab = try List.assoc lab assoc with Not_found -> lab in
	     LogicLabelSet.add lab acc)
	  labs LogicLabelSet.empty

let transpose_region ~region_assoc r =
  if Region.polymorphic r then
    try Some (RegionList.assoc r region_assoc)
    with Not_found -> None (* Local region *)
  else Some r

(* TODO: complete for recursive *)
let make_region_mem_assoc ~params =
  let rec aux acc r ty =
    if Region.bitwise r then
      match ty with
	| JCTpointer(pc,_,_) ->
	    let all_mems = all_memories pc in
	    List.fold_left (fun acc mc -> MemorySet.add (mc,r) acc) acc all_mems
	| JCTnative _ | JCTlogic _ | JCTenum _ | JCTnull | JCTany -> acc
	| JCTtype_var _ -> assert false
    else acc
  in
  List.fold_left
    (fun acc v -> aux acc v.jc_var_info_region v.jc_var_info_type)
    MemorySet.empty params

let transpose_alloc_table ~region_mem_assoc (ac,r) =
  if Region.bitwise r then
    try
      (* Translate bitwise allocation table into typed ones *)
      let mems = MemorySet.find_region r region_mem_assoc in
      MemorySet.fold (fun (mc,r) acc ->
		       let ac = alloc_class_of_mem_class mc in
		       AllocSet.add (ac,r) acc
		    ) mems AllocSet.empty
    with Not_found ->
      (* No possible effect on caller types *)
      AllocSet.empty
  else AllocSet.singleton (ac,r)

let transpose_tag_table ~region_mem_assoc (vi,r) =
  if Region.bitwise r then
    try
      (* Translate bitwise tag table into typed ones *)
      let mems = MemorySet.find_region r region_mem_assoc in
      MemorySet.fold (fun (mc,r) acc ->
		       let vi = variant_of_mem_class mc in
		       TagSet.add (vi,r) acc
		     ) mems TagSet.empty
    with Not_found ->
      (* No possible effect on caller types *)
      TagSet.empty
  else TagSet.singleton (vi,r)

let transpose_memory ~region_mem_assoc (mc,r) =
  if Region.bitwise r then
    try
      (* Translate bitwise memories into typed ones *)
      MemorySet.find_region r region_mem_assoc
    with Not_found ->
      (* No possible effect on caller types *)
      MemorySet.empty
  else MemorySet.singleton (mc,r)

let has_alloc_table (ac,r) alloc_effect =
  let allocs = AllocSet.of_list (AllocMap.keys alloc_effect) in
  if Region.bitwise r then AllocSet.mem_region r allocs
  else AllocSet.mem (ac,r) allocs

let has_memory (mc,r) mem_effect =
  let mems = MemorySet.of_list (MemoryMap.keys mem_effect) in
  if Region.bitwise r then MemorySet.mem_region r mems
  else MemorySet.mem (mc,r) mems

(* Printing effects *)

let print_list_assoc_label pr fmt ls =
  fprintf fmt "%a"
    (print_list comma
       (fun fmt (k,labs) ->
	  fprintf fmt "%a (%a)"
	    pr k
	    (print_list comma Jc_output_misc.label)
	    (LogicLabelSet.elements labs))
    ) ls

let print_alloc_table fmt (ac,r) =
  fprintf fmt "(%a,%a)" Jc_output_misc.alloc_class ac Region.print r

let print_tag_table fmt (vi,r) =
  fprintf fmt "(%s,%a)" vi.jc_root_info_name Region.print r

let print_memory fmt (mc,r) =
  fprintf fmt "(%a,%a)" Jc_output_misc.memory_class mc Region.print r

let print_location fmt (loc,(mc,r)) =
  fprintf fmt "(%a,%a)" Jc_output.location loc print_memory (mc,r)

let print_variable fmt v =
  fprintf fmt "%s" v.jc_var_info_name

let print_exception fmt exc =
  fprintf fmt "%s" exc.jc_exception_info_name

let print_effect fmt ef =
  fprintf fmt
"@[@[ alloc_table: @[%a@]@]@\n\
@[ tag_table: @[%a@]@]@\n\
@[ memories: @[%a@]@]@\n\
@[ raw memories: @[%a@]@]@\n\
@[ precise memories: @[%a@]@]@\n\
@[ globals: @[%a@]@]@\n\
@[ locals: @[%a@]@]@]@."
    (print_list_assoc_label print_alloc_table)
    (AllocMap.elements ef.jc_effect_alloc_tables)
    (print_list_assoc_label print_tag_table)
    (TagMap.elements ef.jc_effect_tag_tables)
    (print_list_assoc_label print_memory)
    (MemoryMap.elements ef.jc_effect_memories)
    (print_list_assoc_label print_memory)
    (MemoryMap.elements ef.jc_effect_raw_memories)
    (print_list_assoc_label print_location)
    (LocationMap.elements ef.jc_effect_precise_memories)
    (print_list_assoc_label print_variable)
    (VarMap.elements ef.jc_effect_globals)
    (print_list_assoc_label print_variable)
    (VarMap.elements ef.jc_effect_locals)

(* Operations on effects *)

let ef_union ef1 ef2 =
  {
    jc_effect_alloc_tables =
      AllocMap.merge LogicLabelSet.union
	ef1.jc_effect_alloc_tables ef2.jc_effect_alloc_tables;
    jc_effect_tag_tables =
      TagMap.merge LogicLabelSet.union
	ef1.jc_effect_tag_tables ef2.jc_effect_tag_tables;
    jc_effect_raw_memories =
      MemoryMap.merge LogicLabelSet.union
	ef1.jc_effect_raw_memories ef2.jc_effect_raw_memories;
    jc_effect_precise_memories =
      LocationMap.merge LogicLabelSet.union
	ef1.jc_effect_precise_memories ef2.jc_effect_precise_memories;
    jc_effect_memories =
      MemoryMap.merge LogicLabelSet.union
	ef1.jc_effect_memories ef2.jc_effect_memories;
    jc_effect_globals =
      VarMap.merge LogicLabelSet.union
	ef1.jc_effect_globals ef2.jc_effect_globals;
    jc_effect_locals =
      VarMap.merge LogicLabelSet.union
	ef1.jc_effect_locals ef2.jc_effect_locals;
    jc_effect_mutable =
      StringSet.union
	ef1.jc_effect_mutable ef2.jc_effect_mutable;
    jc_effect_committed =
      StringSet.union
	ef1.jc_effect_committed ef2.jc_effect_committed;
  }

let ef_filter_labels ~label_assoc ef =
  let filter_labels labs =
    List.fold_left
      (fun acc (l1,l2) ->
	 if LogicLabelSet.mem l2 labs then LogicLabelSet.add l1 acc else acc)
      LogicLabelSet.empty label_assoc
  in
  { ef with
      jc_effect_memories =
        MemoryMap.fold
	  (fun m labs acc ->
	     MemoryMap.add m (filter_labels labs) acc
	  ) ef.jc_effect_memories MemoryMap.empty;
  }

let ef_assoc ?label_assoc ~region_assoc ~region_mem_assoc ef =
  { ef with
      jc_effect_alloc_tables =
        AllocMap.fold
	  (fun (ac,distr) labs acc ->
	     let labs = transpose_labels ~label_assoc labs in
	     match transpose_region ~region_assoc distr with
	       | None -> acc
	       | Some locr ->
		   let allocs =
		     transpose_alloc_table ~region_mem_assoc (ac,distr)
		   in
		   AllocSet.fold
		     (fun (ac,_r) acc ->
			if not (Region.polymorphic locr) then
			  add_constant_alloc_table (ac,locr);
			AllocMap.add (ac,locr) labs acc
		     ) allocs acc
	  ) ef.jc_effect_alloc_tables AllocMap.empty;
      jc_effect_tag_tables =
        TagMap.fold
	  (fun (vi,distr) labs acc ->
	     let labs = transpose_labels ~label_assoc labs in
	     match transpose_region ~region_assoc distr with
	       | None -> acc
	       | Some locr ->
		   let tags =
		     transpose_tag_table ~region_mem_assoc (vi,distr)
		   in
		   TagSet.fold
		     (fun (vi,_r) acc ->
			if not (Region.polymorphic locr) then
			  add_constant_tag_table (vi,locr);
			TagMap.add (vi,locr) labs acc
		     ) tags acc
	  ) ef.jc_effect_tag_tables TagMap.empty;
      jc_effect_raw_memories =
        MemoryMap.fold
	  (fun (mc,distr) labs acc ->
	     let labs = transpose_labels ~label_assoc labs in
	     match transpose_region ~region_assoc distr with
	       | None -> acc
	       | Some locr ->
		   let mems =
		     transpose_memory ~region_mem_assoc (mc,distr)
		   in
		   MemorySet.fold
		     (fun (mc,_r) acc ->
			if not (Region.polymorphic locr) then
			  add_constant_memory (mc,locr);
			MemoryMap.add (mc,locr) labs acc
		     ) mems acc
	  ) ef.jc_effect_raw_memories MemoryMap.empty;
      jc_effect_memories =
        MemoryMap.fold
	  (fun (mc,distr) labs acc ->
	     let labs = transpose_labels ~label_assoc labs in
	     match transpose_region ~region_assoc distr with
	       | None -> acc
	       | Some locr ->
		   let mems =
		     transpose_memory ~region_mem_assoc (mc,distr)
		   in
		   MemorySet.fold
		     (fun (mc,_r) acc ->
			if not (Region.polymorphic locr) then
			  add_constant_memory (mc,locr);
			MemoryMap.add (mc,locr) labs acc
		     ) mems acc
	  ) ef.jc_effect_memories MemoryMap.empty;
      jc_effect_globals =
        VarMap.fold
	  (fun v labs acc ->
	     VarMap.add v (transpose_labels ~label_assoc labs) acc
	  ) ef.jc_effect_globals VarMap.empty;
      jc_effect_locals = VarMap.empty;
  }

let same_effects ef1 ef2 =
  let eq = LogicLabelSet.equal in
  AllocMap.equal eq ef1.jc_effect_alloc_tables ef2.jc_effect_alloc_tables
  && TagMap.equal eq ef1.jc_effect_tag_tables ef2.jc_effect_tag_tables
  && MemoryMap.equal eq ef1.jc_effect_raw_memories ef2.jc_effect_raw_memories
  && LocationMap.equal eq
    ef1.jc_effect_precise_memories ef2.jc_effect_precise_memories
  && MemoryMap.equal eq ef1.jc_effect_memories ef2.jc_effect_memories
  && VarMap.equal eq ef1.jc_effect_globals ef2.jc_effect_globals
  && VarMap.equal eq ef1.jc_effect_locals ef2.jc_effect_locals
  && StringSet.equal ef1.jc_effect_mutable ef2.jc_effect_mutable
  && StringSet.equal ef1.jc_effect_committed ef2.jc_effect_committed

(* Operations on function effects *)

let fef_reads ef =
  {
    jc_reads = ef;
    jc_writes = empty_effects;
    jc_raises = ExceptionSet.empty;
  }

let fef_union fef1 fef2 =
  {
    jc_reads = ef_union fef1.jc_reads fef2.jc_reads;
    jc_writes = ef_union fef1.jc_writes fef2.jc_writes;
    jc_raises = ExceptionSet.union fef1.jc_raises fef2.jc_raises;
  }

let fef_assoc ~region_assoc ~region_mem_assoc fef =
  {
    jc_reads = ef_assoc ~region_assoc ~region_mem_assoc fef.jc_reads;
    jc_writes = ef_assoc ~region_assoc ~region_mem_assoc fef.jc_writes;
    jc_raises = fef.jc_raises;
  }

let same_feffects fef1 fef2 =
  same_effects fef1.jc_reads fef2.jc_reads
  && same_effects fef1.jc_writes fef2.jc_writes
  && ExceptionSet.equal fef1.jc_raises fef2.jc_raises

(* Query of a single effect *)

let has_memory_effect ef (mc,r) =
  try
    ignore (MemoryMap.find (mc,r) ef.jc_effect_memories);
    true
  with Not_found ->
    try
      ignore (MemoryMap.find (mc,r) ef.jc_effect_raw_memories);
      true
    with Not_found ->
      let locs =
	LocationMap.filter
	  (fun (_loc,mem) _ -> Memory.equal mem (mc,r))
	  ef.jc_effect_precise_memories
      in
      not (LocationMap.is_empty locs)

(* Addition of a single effect *)

let add_alloc_effect lab ef (ac, r) =
  if not (Region.polymorphic r) then add_constant_alloc_table (ac,r);
  let labs = LogicLabelSet.singleton lab in
  { ef with jc_effect_alloc_tables =
      AllocMap.add_merge LogicLabelSet.union
	(ac,r) labs ef.jc_effect_alloc_tables }

let add_tag_effect lab ef (vi,r) =
  if not (Region.polymorphic r) then add_constant_tag_table (vi,r);
  let labs = LogicLabelSet.singleton lab in
  { ef with jc_effect_tag_tables =
      TagMap.add_merge LogicLabelSet.union
	(vi,r) labs ef.jc_effect_tag_tables }

let add_memory_effect lab ef (mc,r) =
  if not (Region.polymorphic r) then add_constant_memory (mc,r);
  let labs = LogicLabelSet.singleton lab in
  match !current_mode with
    | MApprox ->
	{ ef with jc_effect_memories =
	    MemoryMap.add_merge LogicLabelSet.union
	      (mc,r) labs ef.jc_effect_memories }
    | MPrecise ->
	{ ef with jc_effect_raw_memories =
	    MemoryMap.add_merge LogicLabelSet.union
	      (mc,r) labs ef.jc_effect_raw_memories }

let add_precise_memory_effect lab ef (loc,(mc,r)) =
  let labs = LogicLabelSet.singleton lab in
  { ef with jc_effect_precise_memories =
      LocationMap.add_merge LogicLabelSet.union
	(loc,(mc,r)) labs ef.jc_effect_precise_memories }

let add_global_effect lab ef v =
  let labs = LogicLabelSet.singleton lab in
  { ef with jc_effect_globals =
      VarMap.add_merge LogicLabelSet.union v labs ef.jc_effect_globals }

let add_local_effect lab ef v =
  let labs = LogicLabelSet.singleton lab in
  { ef with jc_effect_locals =
      VarMap.add_merge LogicLabelSet.union v labs ef.jc_effect_locals }

let add_mutable_effect ef pc =
  { ef with jc_effect_mutable = StringSet.add
      (pointer_class_type_name pc) ef.jc_effect_mutable }

let add_committed_effect ef pc =
  { ef with jc_effect_committed = StringSet.add
      (pointer_class_type_name pc) ef.jc_effect_committed }

(* Addition of a single read *)

let add_alloc_reads lab fef (ac,r) =
  { fef with jc_reads = add_alloc_effect lab fef.jc_reads (ac,r) }

let add_tag_reads lab fef (vi,r) =
  { fef with jc_reads = add_tag_effect lab fef.jc_reads (vi,r) }

let add_memory_reads lab fef (mc,r) =
  { fef with jc_reads = add_memory_effect lab fef.jc_reads (mc,r) }

let add_precise_memory_reads lab fef (loc,(mc,r)) =
  { fef with jc_reads =
      add_precise_memory_effect lab fef.jc_reads (loc,(mc,r)) }

let add_global_reads lab fef v =
  { fef with jc_reads = add_global_effect lab fef.jc_reads v }

let add_local_reads lab fef v =
  { fef with jc_reads = add_local_effect lab fef.jc_reads v }

let add_mutable_reads fef pc =
  { fef with jc_reads = add_mutable_effect fef.jc_reads pc }

let add_committed_reads fef pc =
  { fef with jc_reads = add_committed_effect fef.jc_reads pc }

(* Addition of a single write *)

let add_alloc_writes lab fef (ac,r) =
  { fef with jc_writes = add_alloc_effect lab fef.jc_writes (ac,r) }

let add_tag_writes lab fef (vi,r) =
  { fef with jc_writes = add_tag_effect lab fef.jc_writes (vi,r) }

let add_memory_writes lab fef (mc,r) =
  { fef with jc_writes = add_memory_effect lab fef.jc_writes (mc,r) }

let add_precise_memory_writes lab fef (loc,(mc,r)) =
  { fef with jc_writes =
      add_precise_memory_effect lab fef.jc_writes (loc,(mc,r)) }

let add_global_writes lab fef vi =
  { fef with jc_writes = add_global_effect lab fef.jc_writes vi }

let add_local_writes lab fef vi =
  { fef with jc_writes = add_local_effect lab fef.jc_writes vi }

let add_mutable_writes fef pc =
  { fef with jc_writes = add_mutable_effect fef.jc_writes pc }

let add_committed_writes fef pc =
  { fef with jc_writes = add_committed_effect fef.jc_writes pc }

(* Addition of a single exception *)

let add_exception_effect fef exc =
  { fef with jc_raises = ExceptionSet.add exc fef.jc_raises }


(*****************************************************************************)
(*                                  Unions                                   *)
(*****************************************************************************)

type shift_offset =
  | Int_offset of int
  | Expr_offset of Jc_fenv.expr
  | Term_offset of Jc_fenv.term

let offset_of_expr e =
  match e#node with
    | JCEconst (JCCinteger s) -> 
        (try
           Int_offset (int_of_string s)
         with Failure _ -> Expr_offset e)
    | _ -> Expr_offset e

let offset_of_term t =
  match t#node with
    | JCTconst (JCCinteger s) -> 
        (try
           Int_offset (int_of_string s)
         with Failure _ -> Term_offset t)
    | _ -> Term_offset t

let offset_of_field fi =
  match field_offset_in_bytes fi with
    | None ->
        Format.eprintf "Jc_effect.offset_of_field: fi=%s@."
          fi.jc_field_info_name;
        assert false
    | Some off -> Int_offset off

let mult_offset i off =
  match off with
    | Int_offset j -> Int_offset (i * j)
    | Expr_offset e ->
	let ie = Expr.mkint ~value:i ()  in
	let mule =
	  Expr.mkbinary
	    ~expr1:ie ~op:(`Bmul,`Integer) ~expr2:e ~typ:integer_type ()
	in
	Expr_offset mule
    | Term_offset t ->
	let it = Term.mkint ~value:i ()  in
	let mult =
	  Term.mkbinary
	    ~term1:it ~op:(`Bmul,`Integer) ~term2:t ~typ:integer_type ()
	in
	Term_offset mult

let add_offset off1 off2 =
  match off1,off2 with
    | Int_offset i, Int_offset j ->
	let k = i + j in
	Int_offset k
    | Expr_offset e1, Expr_offset e2 ->
	let adde =
	  Expr.mkbinary
	    ~expr1:e1 ~op:(`Badd,`Integer) ~expr2:e2 ~typ:integer_type ()
	in
	Expr_offset adde
    | Expr_offset e, Int_offset i
    | Int_offset i, Expr_offset e ->
	let ie = Expr.mkint ~value:i ()  in
	let adde =
	  Expr.mkbinary
	    ~expr1:ie ~op:(`Badd,`Integer) ~expr2:e ~typ:integer_type ()
	in
	Expr_offset adde
    | Term_offset t1, Term_offset t2 ->
	let addt =
	  Term.mkbinary
	    ~term1:t1 ~op:(`Badd,`Integer) ~term2:t2 ~typ:integer_type ()
	in
	Term_offset addt
    | Term_offset t, Int_offset i
    | Int_offset i, Term_offset t ->
	let it = Term.mkint ~value:i ()  in
	let addt =
	  Term.mkbinary
	    ~term1:it ~op:(`Badd,`Integer) ~term2:t ~typ:integer_type ()
	in
	Term_offset addt
    | Expr_offset _, Term_offset _
    | Term_offset _, Expr_offset _ -> assert false

let possible_union_type = function
  | JCTpointer(pc,_,_) ->
      let rt = pointer_class_root pc in
      if root_is_union rt then Some rt else None
  | _ -> None

let union_type ty =
  match possible_union_type ty with Some rt -> rt | None -> assert false

let type_is_union ty =
  match possible_union_type ty with Some _rt -> true | None -> false

let overlapping_union_memories fi =
  let st = fi.jc_field_info_struct in
  let rt = struct_root st in
  let stlist =
    List.filter
      (fun st' -> not (st.jc_struct_info_name = st'.jc_struct_info_name))
      rt.jc_root_info_hroots
  in
  let mems =
    List.flatten
      (List.map
	 (fun st -> all_memories ~select:fully_allocated (JCtag(st,[])))
	 stlist)
  in
  MemClassSet.to_list (MemClassSet.of_list mems)

let possible_union_access e fi_opt =
  let fieldoffbytes fi =
    match field_offset_in_bytes fi with
      | None -> assert false
      | Some off -> Int_offset off
  in
  (* Count offset in bytes before last field access in union *)
  let rec access e =
    match e#node with
      | JCEderef(e,fi) when embedded_field fi ->
	  begin match access e with
	    | Some(e,off) ->
		Some (e, add_offset off (fieldoffbytes fi))
	    | None ->
		if type_is_union e#typ then
		  Some (e, fieldoffbytes fi)
		else None
	  end
      | JCEshift(e1,e2) ->
	  begin match access e1 with
	    | Some(e,off1) ->
		let off2 = offset_of_expr e2 in
		let siz = struct_size_in_bytes (pointer_struct e1#typ) in
		let off2 = mult_offset siz off2 in
		Some (e, add_offset off1 off2)
	    | None -> None
	  end
      | JCEalloc(_e1,st) ->
	  if struct_of_union st then
	    Some(e,Int_offset 0)
	  else None
      | _ ->
	  if type_is_union e#typ then
	    Some (e,Int_offset 0)
	  else None
  in
  match fi_opt with
    | None -> access e
    | Some fi ->
	match access e with
	  | Some(e,off) -> Some (e, add_offset off (fieldoffbytes fi))
	  | None ->
	      if type_is_union e#typ then Some (e, fieldoffbytes fi) else None

(* Optionally returns a triple of
   1) a prefix [ue] of type union
   2) the field of the union [ue] accessed
   3) the offset from the address of [ue] to the final field
*)
let possible_union_deref e fi =
  let rec access e fi =
    match e#node with
      | JCEderef(e1,fi1) when embedded_field fi1 ->
	  begin match access e1 fi1 with
	    | Some(e2,fi2,off) ->
		Some(e2,fi2,add_offset off (offset_of_field fi))
	    | None ->
		if type_is_union e1#typ then
		  Some(e1,fi,offset_of_field fi)
		else None
	  end
      | JCEshift(e1,_e2) ->
	  begin match access e1 fi with
	    | Some(e2,fi2,off1) ->
		let off2 = offset_of_expr e2 in
		let siz = struct_size_in_bytes (pointer_struct e1#typ) in
		let off2 = mult_offset siz off2 in
		Some(e2,fi2,add_offset off1 off2)
	    | None -> None
	  end
      | _ -> None
  in
  match access e fi with
    | Some(e1,fi1,off) -> Some(e1,fi1,add_offset off (offset_of_field fi))
    | None ->
	if type_is_union e#typ then Some(e,fi,offset_of_field fi) else None

let destruct_union_access e fi_opt =
  match possible_union_access e fi_opt with
    | Some x -> x
    | None -> assert false

let tpossible_union_access t fi_opt =
  let fieldoffbytes fi =
    match field_offset_in_bytes fi with
      | None -> assert false
      | Some off -> Int_offset off
  in
  (* Count offset in bytes before last field access in union *)
  let rec access t =
    match t#node with
      | JCTderef(t,_lab,fi) when embedded_field fi ->
	  begin match access t with
	    | Some(t,off) ->
		Some (t, add_offset off (fieldoffbytes fi))
	    | None ->
		if type_is_union t#typ then
		  Some (t, fieldoffbytes fi)
		else None
	  end
      | JCTshift(t1,t2) ->
	  begin match access t1 with
	    | Some(t3,off1) ->
		let off2 = offset_of_term t2 in
		let siz = struct_size_in_bytes (pointer_struct t1#typ) in
		let off2 = mult_offset siz off2 in
		Some (t3, add_offset off1 off2)
	    | None -> None
	  end
      | _ ->
	  if type_is_union t#typ then
	    Some (t,Int_offset 0)
	  else None
  in

  match fi_opt with
    | None ->
	access t
    | Some fi ->
(* 	let fieldoff fi = Int_offset (string_of_int (field_offset fi)) in *)
	match access t with
	  | Some(t,off) ->
	      Some (t, add_offset off (fieldoffbytes fi))
	  | None ->
	      if type_is_union t#typ then
		Some (t, fieldoffbytes fi)
	      else None

let tpossible_union_deref t fi =
  let rec access t fi =
    match t#node with
      | JCTderef(t1,_lab,fi1) when embedded_field fi1 ->
	  begin match access t1 fi1 with
	    | Some(t2,fi2,off) ->
		Some(t2,fi2,add_offset off (offset_of_field fi))
	    | None ->
		if type_is_union t1#typ then
		  Some(t1,fi,offset_of_field fi)
		else None
	  end
      | JCTshift(t1,_t2) ->
	  begin match access t1 fi with
	    | Some(t2,fi2,off1) ->
		let off2 = offset_of_term t2 in
		let siz = struct_size_in_bytes (pointer_struct t1#typ) in
		let off2 = mult_offset siz off2 in
		Some(t2,fi2,add_offset off1 off2)
	    | None -> None
	  end
      | _ -> None
  in
  match access t fi with
    | Some(t1,fi1,off) -> Some(t1,fi1,add_offset off (offset_of_field fi))
    | None ->
	if type_is_union t#typ then Some(t,fi,offset_of_field fi) else None

let tdestruct_union_access t fi_opt =
  match tpossible_union_access t fi_opt with
    | Some x -> x
    | None -> assert false

let lpossible_union_access _t _fi = None (* TODO *)

let lpossible_union_deref _t _fi = None (* TODO *)

let ldestruct_union_access loc fi_opt =
  match lpossible_union_access loc fi_opt with
    | Some x -> x
    | None -> assert false

let foreign_union _e = [] (* TODO: subterms of union that are not in union *)
let tforeign_union _t = []

let common_deref_alloc_class ~type_safe union_access e =
  if not type_safe && Region.bitwise e#region then
    JCalloc_bitvector
  else match union_access e None with
    | None -> JCalloc_root (struct_root (pointer_struct e#typ))
    | Some(e,_off) -> JCalloc_root (union_type e#typ)

let deref_alloc_class ~type_safe e =
  common_deref_alloc_class ~type_safe possible_union_access e

let tderef_alloc_class ~type_safe t =
  common_deref_alloc_class ~type_safe tpossible_union_access t

let lderef_alloc_class ~type_safe locs =
  common_deref_alloc_class ~type_safe lpossible_union_access locs

let common_deref_mem_class ~type_safe union_deref e fi =
  if not type_safe && Region.bitwise e#region then
    JCmem_bitvector, None
  else match union_deref e fi with
    | None ->
	assert (not (root_is_union (struct_root fi.jc_field_info_struct)));
	JCmem_field fi, None
    | Some(e1,fi1,_off) ->
	let rt = union_type e1#typ in
	if root_is_plain_union rt then JCmem_plain_union rt, Some fi1
	else JCmem_field fi, Some fi1

let deref_mem_class ~type_safe e fi =
  common_deref_mem_class ~type_safe possible_union_deref e fi

let tderef_mem_class ~type_safe t fi =
  common_deref_mem_class ~type_safe tpossible_union_deref t fi

let lderef_mem_class ~type_safe locs fi =
  common_deref_mem_class ~type_safe lpossible_union_deref locs fi


(******************************************************************************)
(*                                  patterns                                  *)
(******************************************************************************)

(* TODO: check the use of "label" and "r" *)
let rec pattern ef (*label r*) p =
  let r = dummy_region in
  match p#node with
    | JCPstruct(st, fpl) ->
	let ef = add_tag_effect (*label*)LabelHere ef (struct_root st,r) in
	List.fold_left
	  (fun ef (fi, pat) ->
	     let mc = JCmem_field fi in
	     let ef = add_memory_effect (*label*)LabelHere ef (mc,r) in
	     pattern ef (*label r*) pat)
	  ef fpl
    | JCPor(p1, p2) ->
	pattern (pattern ef (*label r*) p1) (*label r*) p2
    | JCPas(p, _) ->
	pattern ef (*label r*) p
    | JCPvar _
    | JCPany
    | JCPconst _ ->
	ef


(******************************************************************************)
(*                              environment                                   *)
(******************************************************************************)

let current_function = ref None
let set_current_function f = current_function := Some f
let reset_current_function () = current_function := None
let get_current_function () =
  match !current_function with None -> assert false | Some f -> f

(******************************************************************************)
(*                             immutable locations                            *)
(******************************************************************************)

let term_of_expr e =
  let rec term e =
    let tnode = match e#node with
      | JCEconst c -> JCTconst c
      | JCEvar vi -> JCTvar vi
      | JCEbinary (e1, (bop,opty), e2) ->
	  JCTbinary (term e1, ((bop :> bin_op),opty), term e2)
      | JCEunary (uop, e1) -> JCTunary (uop, term e1)
      | JCEshift (e1, e2) -> JCTshift (term e1, term e2)
      | JCEderef (e1, fi) -> JCTderef (term e1, LabelHere, fi)
      | JCEinstanceof (e1, st) -> JCTinstanceof (term e1, LabelHere, st)
      | JCEcast (e1, st) -> JCTcast (term e1, LabelHere, st)
      | JCErange_cast(e1,_) | JCEreal_cast(e1,_) ->
	  (* range does not modify term value *)
	  (term e1)#node
      | JCEif (e1, e2, e3) -> JCTif (term e1, term e2, term e3)
      | JCEoffset (off, e1, st) -> JCToffset (off, term e1, st)
      | JCEalloc (e, _) -> (* Note: \offset_max(t) = length(t) - 1 *)
	  JCTbinary (term e, (`Bsub,`Integer), new term ~typ:integer_type (JCTconst (JCCinteger "1")) )
      | JCEfree _ -> failwith "Not a term"
      | _ -> failwith "Not a term"
(*       | JCEmatch (e, pel) -> *)
(* 	  let ptl = List.map (fun (p, e) -> (p, term_of_expr e)) pel in *)
(* 	    JCTmatch (term_of_expr e, ptl) *)
    in
      new term ~typ:e#typ ~region:e#region tnode
  in
    try Some (term e) with Failure _ -> None

let rec location_of_expr e =
  try
    let loc_node = match e#node with
      | JCEvar v ->
	  JCLvar v
      | JCEderef(e1,fi) ->
	  JCLderef(location_set_of_expr e1, LabelHere, fi, e#region)
      | _ -> failwith "No location for expr"
    in
    Some(new location_with ~typ:e#typ ~node:loc_node e)
  with Failure "No location for expr" -> None

and location_set_of_expr e =
  let locs_node = match e#node with
    | JCEvar v ->
	JCLSvar v
    | JCEderef(e1,fi) ->
	JCLSderef(location_set_of_expr e1, LabelHere, fi, e#region)
    | JCEshift(e1,e2) ->
	let t2_opt = term_of_expr e2 in
	JCLSrange(location_set_of_expr e1, t2_opt, t2_opt)
    | _ -> failwith "No location for expr"
  in
  new location_set_with ~typ:e#typ ~node:locs_node e

let location_set_of_expr e =
  try Some(location_set_of_expr e) with Failure "No location for expr" -> None

let rec location_of_term t =
  try
    let node = match t#node with
      | JCTvar v ->
	  JCLvar v
      | JCTderef(t1,_lab,fi) ->
	  JCLderef(location_set_of_term t1, LabelHere, fi, t#region)
      | JCTat(t1,lab) ->
          (match location_of_term t1 with
               None -> failwith "No location for term"
             | Some l1 -> JCLat(l1,lab))
      | _ -> failwith "No location for term"
    in
    Some(new location_with ~typ:t#typ ~node t)
  with Failure "No location for term" -> None

and location_set_of_term t =
  let locs_node = match t#node with
    | JCTvar v ->
	JCLSvar v
    | JCTderef(t1,_lab,fi) ->
	JCLSderef(location_set_of_term t1, LabelHere, fi, t#region)
    | JCTat (t1,lab) -> JCLSat(location_set_of_term t1,lab)
    | _ -> failwith "No location for term"
  in
  new location_set_with ~typ:t#typ ~node:locs_node t


(* last location can be mutated *)
let rec immutable_location fef loc =
  match loc#node with
    | JCLvar _v -> true
    | JCLderef(locs,_lab,_fi,_r) ->
	immutable_location_set fef locs
    | JCLat(l1,_lab) -> immutable_location fef l1
    | _ -> false

and immutable_location_set fef locs =
  match locs#node with
    | JCLSvar v -> not v.jc_var_info_assigned
    | JCLSderef(locs,_lab,fi,_r) ->
	let mc,_fi_opt = lderef_mem_class ~type_safe:true locs fi in
	immutable_location_set fef locs
	&& not (MemoryMap.mem (mc,locs#region) fef.jc_writes.jc_effect_memories)
    | JCLSat(l1,_lab) -> immutable_location_set fef l1
    | _ -> false

let expr_immutable_location e =
  match !current_mode with
    | MApprox -> None
    | MPrecise ->
	match !current_function with
	  | None -> None
	  | Some f ->
	      let fef = f.jc_fun_info_effects in
	      match location_of_expr e with
		| None -> None
		| Some loc ->
		    if immutable_location fef loc then
		      Some loc
		    else None

let term_immutable_location t =
  match !current_mode with
    | MApprox -> None
    | MPrecise ->
	match !current_function with
	  | None -> None
	  | Some f ->
	      let fef = f.jc_fun_info_effects in
	      match location_of_term t with
		| None -> None
		| Some loc ->
		    if immutable_location fef loc then
		      Some loc
		    else None

(* let immutable_heap_location fef ~full_expr e1 fi = *)
(*   match !current_mode with *)
(*     | MApprox -> None *)
(*     | MPrecise -> *)
(* 	match e1#node with *)
(* 	  | JCEvar v -> *)
(* 	      if v.jc_var_info_assigned then  *)
(* 		None *)
(* 	      else *)
(* 		Some(new location_with ~node:(JCLvar v) full_expr) *)
(* 	  | _ -> None *)

(* let timmutable_heap_location ef ~full_term t1 fi = (\* TODO: fef *\) *)
(*   match !current_mode with *)
(*     | MApprox -> None *)
(*     | MPrecise -> *)
(* 	match t1#node with *)
(* 	  | JCTvar v -> *)
(* 	      if v.jc_var_info_assigned then  *)
(* 		None *)
(* 	      else *)
(* 		Some(new location_with ~node:(JCLvar v) full_term) *)
(* 	  | _ -> None *)


(******************************************************************************)
(*                             terms and assertions                           *)
(******************************************************************************)

let rec single_term ef t =
  let lab =
    match t#label with None -> LabelHere | Some lab -> lab
  in
  match t#node with
    | JCTvar vi ->
	true,
	if vi.jc_var_info_assigned then
	  if vi.jc_var_info_static then
	    add_global_effect lab ef vi
	  else
	    add_local_effect lab ef vi
	else ef
    | JCToffset(_k,t,_st) ->
        let ac = tderef_alloc_class ~type_safe:true t in
	true,
	add_alloc_effect lab ef (ac,t#region)
    | JCTapp app ->
	let region_mem_assoc =
	  make_region_mem_assoc app.jc_app_fun.jc_logic_info_parameters
	in
	let ef_app =
	  ef_assoc
	    ~label_assoc:app.jc_app_label_assoc
	    ~region_assoc:app.jc_app_region_assoc
	    ~region_mem_assoc
	    app.jc_app_fun.jc_logic_info_effects
	in
	(if app.jc_app_fun.jc_logic_info_name = "content" then
	   Format.eprintf "**Effects for logic application content(): %a@."
	   print_effect ef_app);
	true,
	ef_union ef_app ef
    | JCTderef(t1,lab,fi) ->
	let mc,ufi_opt = tderef_mem_class ~type_safe:true t1 fi in
	let mem = mc, t1#region in
	begin match term_immutable_location t with
	  | Some loc ->
	      let ef = add_precise_memory_effect lab ef (loc,mem) in
	      (* TODO: treat union *)
	      true, ef
	  | None ->
	      let ef = add_memory_effect lab ef mem in
	      begin match mc,ufi_opt with
		| JCmem_plain_union _vi, _ ->
		    false, (* do not call on sub-terms of union *)
		    List.fold_left term ef (tforeign_union t1)
		| JCmem_field _, _
		| JCmem_bitvector, _ ->
		    true, ef
	      end
	end
    | JCTcast(t,lab,st)
    | JCTinstanceof(t,lab,st) ->
	true,
	add_tag_effect lab ef (struct_root st,t#region)
    | JCTmatch(_t,ptl) ->
	true,
	List.fold_left pattern ef (List.map fst ptl)
    | JCTconst _ | JCTrange _ | JCTbinary _ | JCTunary _
    | JCTshift _ | JCTold _ | JCTat _ | JCTaddress _ | JCTbase_block _
    | JCTbitwise_cast _ | JCTrange_cast _ | JCTreal_cast _ | JCTif _ | JCTlet _ ->
	true, ef

and term ef t =
  Jc_iterators.fold_rec_term single_term ef t

let tag ef lab _t vi_opt r =
  match vi_opt with
    | None -> ef
    | Some vi -> add_tag_effect lab ef (vi,r)

let single_assertion ef a =
  let lab =
    match a#label with None -> LabelHere | Some lab -> lab
  in
  match a#node with
    | JCAfresh(t) ->
        let ac = tderef_alloc_class ~type_safe:true t in
	true,
	add_alloc_effect lab ef (ac,t#region)
    | JCAinstanceof(t,lab,st) ->
	true,
	add_tag_effect lab ef (struct_root st,t#region)
    | JCAapp app ->
	let region_mem_assoc =
	  make_region_mem_assoc app.jc_app_fun.jc_logic_info_parameters
	in
	let ef_app =
	  ef_assoc
	    ~label_assoc:app.jc_app_label_assoc
	    ~region_assoc:app.jc_app_region_assoc
	    ~region_mem_assoc
	    app.jc_app_fun.jc_logic_info_effects
	in
	true,
	ef_union ef_app ef
    | JCAmutable(t,st,ta) ->
	true,
	add_mutable_effect
	  (tag ef lab ta (* Yannick: really effect on tag here? *)
	     (Some (struct_root st)) t#region)
	  (JCtag(st, []))
    | JCAlet(_vi,_t,_p) ->
	true,ef
    | JCAmatch(_t,pal) ->
	true,
	List.fold_left pattern ef (List.map fst pal)
    | JCAtrue | JCAfalse | JCAif _ | JCAbool_term _ | JCAnot _
    | JCAold _ | JCAat _ | JCAquantifier _ | JCArelation _
    | JCAand _ | JCAor _ | JCAiff _ | JCAimplies _
    | JCAeqtype _ | JCAsubtype _ ->
	true, ef

let assertion ef a =
  Jc_iterators.fold_rec_term_and_assertion single_term single_assertion ef a


(******************************************************************************)
(*                                locations                                   *)
(******************************************************************************)

let single_term fef t =
  let cont,ef = single_term fef.jc_reads t in
  cont,{ fef with jc_reads = ef }

let single_assertion fef a =
  let cont,ef = single_assertion fef.jc_reads a in
  cont,{ fef with jc_reads = ef }

type assign_alloc_clause = Assigns | Allocates | Reads

let rec single_location ~in_clause fef 
    (loc : Jc_fenv.logic_info Jc_ast.location) =
  let lab =
    match loc#label with None -> LabelHere | Some lab -> lab
  in
  let fef = match loc#node with
    | JCLvar v ->
        let fef =
	  if v.jc_var_info_assigned then
	    if v.jc_var_info_static then
              begin
	        match in_clause with
                  | Assigns -> add_global_writes lab fef v
                  | Allocates -> 
                      let ac = lderef_alloc_class ~type_safe:true loc in
	              add_alloc_writes lab fef (ac,loc#region)
	          | Reads -> add_global_reads lab fef v
              end
	    else fef
	  else fef
        in
        fef
        
    | JCLderef(locs,lab,fi,_r) ->
	let add_mem ~only_writes fef mc =
	  match in_clause with
            | Assigns ->
	      let fef = add_memory_writes lab fef (mc,locs#region) in
	      if only_writes then fef else
	      (* Add effect on allocation table for [not_assigns] predicate *)
	        let ac = alloc_class_of_mem_class mc in
	        add_alloc_reads lab fef (ac,locs#region)
            | Allocates ->
                (* wrong !
                  let fef =
                  if only_writes then fef else
	            let ac = alloc_class_of_mem_class mc in
	            add_alloc_writes lab fef (ac,locs#region)
                in
                *)
                fef
            | Reads ->
	        if only_writes then fef else
	          add_memory_reads lab fef (mc,locs#region)
	in
	let mc,ufi_opt = lderef_mem_class ~type_safe:true locs fi in
	let fef = add_mem ~only_writes:false fef mc in
	let fef =
          begin match mc,ufi_opt with
	    | JCmem_field _fi, Some ufi ->
	        let mems = overlapping_union_memories ufi in
	        List.fold_left (add_mem ~only_writes:true) fef mems
	    | JCmem_field _, None
	    | JCmem_plain_union _, _
	    | JCmem_bitvector, _ -> fef
	  end
        in
        fef
    | JCLderef_term(t1,fi) ->
	let add_mem ~only_writes fef mc =
	  match in_clause with
            | Assigns ->
	      let fef = add_memory_writes lab fef (mc,t1#region) in
	      if only_writes then fef else
	      (* Add effect on allocation table for [not_assigns] predicate *)
	        let ac = alloc_class_of_mem_class mc in
	        add_alloc_reads lab fef (ac,t1#region)
            | Allocates -> 
(* wrong !
	      if only_writes then fef else
	        let ac = alloc_class_of_mem_class mc in
	        add_alloc_writes lab fef (ac,t1#region)
*)
                fef
	    | Reads ->
	        if only_writes then fef else
	          add_memory_reads lab fef (mc,t1#region)
	in
	let mc,ufi_opt = tderef_mem_class ~type_safe:true t1 fi in
	let fef = add_mem ~only_writes:false fef mc in
	begin match mc,ufi_opt with
	  | JCmem_field _fi, Some ufi ->
	      let mems = overlapping_union_memories ufi in
	      List.fold_left (add_mem ~only_writes:true) fef mems
	  | JCmem_field _, None
	  | JCmem_plain_union _, _
	  | JCmem_bitvector, _ -> fef
	end
    | JCLat(loc,lab) -> 
      assert (loc#label = Some lab);
      snd (single_location ~in_clause fef loc)
  in true, fef

let rec single_location_set fef locs =
  let lab =
    match locs#label with None -> LabelHere | Some lab -> lab
  in
  let fef = match locs#node with
    | JCLSvar v ->
	if v.jc_var_info_assigned then
	  if v.jc_var_info_static then
	    add_global_reads lab fef v
	  else fef
	else fef
    | JCLSderef(locs,lab,fi,_r) ->
	let mc,_ufi_opt = lderef_mem_class ~type_safe:true locs fi in
	add_memory_reads lab fef (mc,locs#region)
    | JCLSrange(_,_,_)
    | JCLSrange_term(_,_,_) ->
	fef
    | JCLSat(locs,_) -> snd (single_location_set fef locs)
  in true, fef

let location ~in_clause fef loc =
  let fef =
    Jc_iterators.fold_rec_location single_term
      (single_location ~in_clause) single_location_set fef loc
  in
  fef


(******************************************************************************)
(*                                expressions                                 *)
(******************************************************************************)

let rec expr fef e =
  Jc_iterators.fold_rec_expr_and_term_and_assertion
    single_term single_assertion
    (single_location ~in_clause:Assigns) single_location_set
    (fun (fef : fun_effect) e -> match e#node with
       | JCEvar v ->
	   true,
	   if v.jc_var_info_assigned then
	     if v.jc_var_info_static then
	       add_global_reads LabelHere fef v
	     else
	       add_local_reads LabelHere fef v
	   else fef
       | JCEassign_var(v,_e) ->
	   true,
	   if v.jc_var_info_assigned then
	     if v.jc_var_info_static then
	       add_global_writes LabelHere fef v
	     else
	       add_local_writes LabelHere fef v
	   else fef
       | JCEoffset(_k,e,_st) ->
	   let ac = deref_alloc_class ~type_safe:true e in
	   true,
	   add_alloc_reads LabelHere fef (ac,e#region)
       | JCEapp app ->
	   let fef_call = match app.jc_call_fun with
	     | JClogic_fun f ->
		 let region_mem_assoc =
		   make_region_mem_assoc f.jc_logic_info_parameters
		 in
		 fef_reads
		   (ef_assoc
		      ~label_assoc:app.jc_call_label_assoc
		      ~region_assoc:app.jc_call_region_assoc
		      ~region_mem_assoc
		      f.jc_logic_info_effects)
	     | JCfun f ->
		 let region_mem_assoc =
		   make_region_mem_assoc (List.map snd f.jc_fun_info_parameters)
		 in
		 fef_assoc
		   ~region_assoc:app.jc_call_region_assoc f.jc_fun_info_effects
		   ~region_mem_assoc
	   in
	   true,
	   fef_union fef_call fef
       | JCEderef(e1,fi) ->
	   let mc,ufi_opt = deref_mem_class ~type_safe:true e1 fi in
	   let ac = alloc_class_of_mem_class mc in
	   let mem = mc, e1#region in
	   begin match expr_immutable_location e with
	     | Some loc ->
		 let fef =
		   add_precise_memory_reads LabelHere fef (loc,mem)
		 in
		 let fef = add_alloc_reads LabelHere fef (ac,e1#region) in
		 (* TODO: treat union *)
		 true, fef
	     | None ->
		 let fef = add_memory_reads LabelHere fef mem in
		 let fef = add_alloc_reads LabelHere fef (ac,e1#region) in
		 begin match mc,ufi_opt with
		   | JCmem_plain_union _vi, _ ->
		       false, (* do not call on sub-expressions of union *)
		       List.fold_left expr fef (foreign_union e1)
		   | JCmem_field _, _
		   | JCmem_bitvector, _ ->
		       true, fef
		 end
	   end
       | JCEassign_heap(e1,fi,_e2) ->
	   let mc,ufi_opt = deref_mem_class ~type_safe:true e1 fi in
	   let ac = alloc_class_of_mem_class mc in
	   let deref = new expr_with ~node:(JCEderef(e1,fi)) e in
	   let mem = mc, e1#region in
	   begin match expr_immutable_location deref with
	     | Some loc ->
		 let fef =
		   add_precise_memory_writes LabelHere fef (loc,mem)
		 in
		 (* allocation table is read *)
		 let fef = add_alloc_reads LabelHere fef (ac,e1#region) in
		 (* TODO: treat union *)
		 true, fef
	     | None ->
		 let fef = add_memory_writes LabelHere fef mem in
		 (* allocation table is read *)
		 let fef = add_alloc_reads LabelHere fef (ac,e1#region) in
		 begin match mc,ufi_opt with
		   | JCmem_plain_union _vi, _ ->
		       false, (* do not call on sub-expressions of union *)
		       List.fold_left expr fef (foreign_union e1)
		   | JCmem_field _fi, Some ufi ->
		       let mems = overlapping_union_memories ufi in
		       true,
		       List.fold_left
			 (fun fef mc ->
			    add_memory_writes LabelHere fef (mc,e1#region))
			 fef mems
		   | JCmem_field _, None | JCmem_bitvector, _ ->
		       true, fef
		 end
	   end
       | JCEcast(e,st)
       | JCEinstanceof(e,st) ->
	   true,
	   add_tag_reads LabelHere fef (struct_root st,e#region)
       | JCEalloc(_e1,st) ->
	   let pc = JCtag(st,[]) in
	   let ac = deref_alloc_class ~type_safe:true e in
	   let all_allocs = match ac with
	     | JCalloc_bitvector -> [ ac ]
	     | JCalloc_root rt ->
		 match rt.jc_root_info_kind with
		   | Rvariant -> all_allocs ~select:fully_allocated pc
		   | RdiscrUnion -> 
                       Jc_typing.typing_error e#pos "Unsupported discriminated union, sorry" (* TODO *)
		   | RplainUnion -> [ ac ]
	   in
	   let all_mems = match ac with
	     | JCalloc_bitvector -> []
	     | JCalloc_root rt ->
		 match rt.jc_root_info_kind with
		   | Rvariant -> all_memories ~select:fully_allocated pc
		   | RdiscrUnion -> assert false (* TODO *)
		   | RplainUnion -> []
	   in
	   let all_tags = match ac with
	     | JCalloc_bitvector -> [ struct_root st ]
	     | JCalloc_root rt ->
		 match rt.jc_root_info_kind with
		   | Rvariant -> all_tags ~select:fully_allocated pc
		   | RdiscrUnion -> assert false (* TODO *)
		   | RplainUnion -> [ struct_root st ]
	   in
	   let fef =
	     List.fold_left
	       (fun fef mc ->
		  add_memory_writes LabelHere fef (mc,e#region)
	       ) fef all_mems
	   in
(**)
	   let fef =
	     List.fold_left
	       (fun fef ac -> add_alloc_writes LabelHere fef (ac,e#region))
	       fef all_allocs
	   in
(**)
	   true,
	   List.fold_left
	     (fun fef vi -> add_tag_writes LabelHere fef (vi,e#region))
	     fef all_tags
       | JCEfree e ->
	   let pc = pointer_class e#typ in
	   let ac = alloc_class_of_pointer_class pc in
	   true,
	   add_alloc_writes LabelHere fef (ac,e#region)
       | JCEpack(st,e,_st) ->
	   (* Assert the invariants of the structure
	      => need the reads of the invariants *)
	   let (_, invs) =
	     StringHashtblIter.find
               Jc_typing.structs_table st.jc_struct_info_name
	   in
	   let fef =
	     List.fold_left
	       (fun fef (li, _) ->
		  { fef with jc_reads =
		      ef_union fef.jc_reads li.jc_logic_info_effects })
	       fef
	       invs
	   in
	   (* Fields *)
	   let fef = List.fold_left
	     (fun fef fi ->
		match fi.jc_field_info_type with
		  | JCTpointer(pc, _, _) ->
	              (* Assert fields fully mutable
			 => need mutable and tag_table (of field) as reads *)
		      let fef = add_mutable_reads fef pc in
		      let fef =
			add_tag_reads LabelHere fef
			  (pointer_class_root pc,e#region)
		      in
	              (* Modify field's "committed" field
			 => need committed (of field) as reads and writes *)
		      let fef = add_committed_reads fef pc in
		      let fef = add_committed_writes fef pc in
		      (* ...and field as reads *)
		      add_memory_reads LabelHere fef (JCmem_field fi,e#region)
		  | _ -> fef)
	     fef
	     st.jc_struct_info_fields in
	   (* Change structure mutable => need mutable as reads and writes *)
	   let fef = add_mutable_reads fef (JCtag(st, [])) in
	   let fef = add_mutable_writes fef (JCtag(st, [])) in
           (* And that's all *)
	   true, fef
       | JCEunpack(st,e,_st) ->
	   (* Change structure mutable => need mutable as reads and writes *)
	   let fef = add_mutable_reads fef (JCtag(st, [])) in
	   let fef = add_mutable_writes fef (JCtag(st, [])) in
	   (* Fields *)
	   let fef = List.fold_left
	     (fun fef fi ->
		match fi.jc_field_info_type with
		  | JCTpointer(st, _, _) ->
	              (* Modify field's "committed" field
			 => need committed (of field) as reads and writes *)
		      let fef = add_committed_reads fef st in
		      let fef = add_committed_writes fef st in
		      (* ...and field as reads *)
		      add_memory_reads LabelHere fef (JCmem_field fi,e#region)
		  | _ -> fef)
	     fef
	     st.jc_struct_info_fields in
	   (* And that's all *)
	   true, fef
       | JCEthrow(exc,_e_opt) ->
	   true,
	   add_exception_effect fef exc
       | JCEtry(s,catches,finally) ->
	   let fef = expr fef s in
	   let fef =
	     List.fold_left
	       (fun fef (exc,_vi_opt,_s) ->
		  { fef with
		      jc_raises = ExceptionSet.remove exc fef.jc_raises }
	       ) fef catches
	   in
	   let fef =
	     List.fold_left
	       (fun fef (_exc,_vi_opt,s) -> expr fef s) fef catches
	   in
	   false, (* do not recurse on try-block due to catches *)
	   expr fef finally
       | JCEmatch(_e, psl) ->
	   let pef = List.fold_left pattern empty_effects (List.map fst psl) in
	   true,
	   { fef with jc_reads = ef_union fef.jc_reads pef }
       | JCEloop _ | JCElet _ | JCEassert _ | JCEcontract _ | JCEblock _
       | JCEconst _  | JCEshift _ | JCEif _ | JCErange_cast _
       | JCEreal_cast _ | JCEunary _ | JCEaddress _ | JCEbinary _
       | JCEreturn_void  | JCEreturn _ | JCEbitwise_cast _ | JCEbase_block _ | JCEfresh _ ->
	   true, fef
    ) fef e

let behavior fef (_pos,_id,b) =
  let ita = 
    Jc_iterators.fold_rec_term_and_assertion single_term single_assertion 
  in
  let itl = 
    Jc_iterators.fold_rec_location single_term
      (single_location ~in_clause:Assigns) single_location_set
  in
  let itl_alloc = 
    Jc_iterators.fold_rec_location single_term
      (single_location ~in_clause:Allocates) single_location_set
  in
  let fef = Option_misc.fold_left ita fef b.jc_behavior_assumes in
  let fef =
    Option_misc.fold_left
      (fun fef (_,locs) -> List.fold_left itl fef locs)
      fef b.jc_behavior_assigns
  in
  let fef =
    Option_misc.fold_left
      (fun fef (_,locs) -> 
        List.fold_left itl_alloc fef locs)
      fef b.jc_behavior_allocates
  in
  let fef = ita fef b.jc_behavior_ensures in
  let fef = ita fef b.jc_behavior_free_ensures in
  Option_misc.fold_left add_exception_effect fef b.jc_behavior_throws




let spec fef s =
  let fef =
    List.fold_left behavior fef
      (s.jc_fun_default_behavior :: s.jc_fun_behavior)
  in
  let fef = { fef with jc_reads = assertion fef.jc_reads s.jc_fun_requires } in
  { fef with jc_reads = assertion fef.jc_reads s.jc_fun_free_requires }




(* Type invariant added to precondition for pointer parameters with bounds.
   Therefore, add allocation table to reads. *)
let parameter fef v =
  match v.jc_var_info_type with
    | JCTpointer(pc,Some _i,Some _j) ->
	let ac = alloc_class_of_pointer_class pc in
	add_alloc_reads LabelOld fef (ac,v.jc_var_info_region)
    | _ -> fef


(******************************************************************************)
(*                                 fix-point                                  *)
(******************************************************************************)

let fixpoint_reached = ref false

let axiomatic_decl_effect ef d =
  match d with
    | Jc_typing.ABaxiom(_,_,_,a) -> assertion ef a

let effects_from_app fi ax_effects acc app =
  Jc_options.lprintf "@[Jc_effect.effects_from_app, fi = %s, app = %s@]@."
    fi.jc_logic_info_name
    app.jc_app_fun.jc_logic_info_name;
  Jc_options.lprintf "fi == app.jc_app_fun ? %b@." (fi == app.jc_app_fun);
  if fi == app.jc_app_fun then
    begin
      Jc_options.lprintf
	"@[fi labels = @[{%a}@] ; app label_assoc = @[{%a}@]@]@."
	(print_list comma Jc_output_misc.label)
	fi.jc_logic_info_labels
	(print_list comma
	   (fun fmt (l1,l2) ->
	      Format.fprintf fmt "%a -> %a"
		Jc_output_misc.label l1
		Jc_output_misc.label l2))
	app.jc_app_label_assoc;
      ef_union
	(ef_filter_labels app.jc_app_label_assoc ax_effects)
	acc
    end
  else
    acc

let effects_from_term_app fi ax_effects acc t =
  match t#node with
    | JCTapp app -> effects_from_app fi ax_effects acc app
    | _ -> acc

let effects_from_pred_app fi ax_effects acc a =
  match a#node with
    | JCAapp app -> effects_from_app fi ax_effects acc app
    | _ -> acc

let effects_from_assertion fi ax_effects acc a =
  Jc_iterators.fold_term_and_assertion
    (effects_from_term_app fi ax_effects)
    (effects_from_pred_app fi ax_effects) acc a

let effects_from_decl fi ax_effects acc d =
  match d with
    | Jc_typing.ABaxiom(_,_,_,a) -> effects_from_assertion fi ax_effects acc a

let effects_from_axiomatic fi ax acc =
  try
    let l = StringHashtblIter.find Jc_typing.axiomatics_table ax in
    let ef = List.fold_left axiomatic_decl_effect empty_effects l.Jc_typing.axiomatics_decls in
    List.fold_left (effects_from_decl fi ef) acc l.Jc_typing.axiomatics_decls
  with Not_found -> assert false

let logic_fun_effects f =
  let f,ta =
    IntHashtblIter.find Jc_typing.logic_functions_table f.jc_logic_info_tag
  in
  let ef = f.jc_logic_info_effects in
  let ef = match ta with
    | JCTerm t -> term ef t
    | JCAssertion a -> assertion ef a
    | JCInductive l ->
	let ax_effects =
	  List.fold_left
	    (fun ef (_id,_labels,a) -> assertion ef a) empty_effects l
	in
	List.fold_left (fun acc (_id,_labels,a) ->
			  effects_from_assertion f ax_effects acc a) ef l
    | JCNone ->
	begin match f.jc_logic_info_axiomatic with
	  | Some a ->
	      (* axiomatic def in a *)
	      effects_from_axiomatic f a ef
	  | None -> assert false
	      (* not allowed outside axiomatics *)
	end
    | JCReads loclist ->
	List.fold_left
	  (fun ef loc ->
	     let fef = location ~in_clause:Reads empty_fun_effect loc in
	     ef_union ef fef.jc_reads
	  ) ef loclist
  in
  if same_effects ef f.jc_logic_info_effects then () else
    (fixpoint_reached := false;
     f.jc_logic_info_effects <- ef)

let fun_effects f =
  let (f,_pos,s,e_opt) =
    IntHashtblIter.find Jc_typing.functions_table f.jc_fun_info_tag
  in
  let fef = f.jc_fun_info_effects in
  let fef = spec fef s in
  let fef = Option_misc.fold_left expr fef e_opt in
  let fef =
    List.fold_left parameter fef (List.map snd f.jc_fun_info_parameters)
  in
  if same_feffects fef f.jc_fun_info_effects then () else
    (fixpoint_reached := false;
     f.jc_fun_info_effects <- fef)

let fun_effects f =
  set_current_function f;
  fun_effects f;
  reset_current_function ()

let logic_effects funs =

  List.iter (fun f -> f.jc_logic_info_effects <- empty_effects) funs;

  fixpoint_reached := false;
  while not !fixpoint_reached do
    fixpoint_reached := true;
    Jc_options.lprintf "Effects: doing one iteration...@.";
    List.iter logic_fun_effects funs
  done;
  Jc_options.lprintf "Effects: fixpoint reached@.";
  List.iter
    (fun f ->
       Jc_options.lprintf "Effects for logic function %s:@\n%a@."
	 f.jc_logic_info_name print_effect f.jc_logic_info_effects
    ) funs

let function_effects funs =

  List.iter (fun f -> f.jc_fun_info_effects <- empty_fun_effect) funs;

  let iterate () =
    fixpoint_reached := false;
    while not !fixpoint_reached do
      fixpoint_reached := true;
      Jc_options.lprintf "Effects: doing one iteration...@.";
      List.iter fun_effects funs
    done
  in

  (* Compute raw effects to bootstrap *)
  current_mode := MApprox;
  iterate ();
  (* Compute precise effects *)
  current_mode := MPrecise;
  iterate ();
  (* Reset mode to raw effects for individual calls *)
  current_mode := MApprox;

  Jc_options.lprintf "Effects: fixpoint reached@.";

  (* Global variables that are only read are translated into logic
     functions in Why, and thus they should not appear in effects. *)
  Jc_options.lprintf "Effects: removing global reads w/o writes@.";
  List.iter
    (fun f ->
       let fef = f.jc_fun_info_effects in
       let efr = fef.jc_reads.jc_effect_globals in
       let efw = fef.jc_writes.jc_effect_globals in
       let ef =
	 VarMap.filter
	   (fun v _labs -> VarMap.mem v efw || v.jc_var_info_assigned) efr
       in
       let ef = { fef.jc_reads with jc_effect_globals = ef } in
       f.jc_fun_info_effects <- { fef with jc_reads = ef }
    ) funs;

  List.iter
    (fun f ->
       Jc_options.lprintf
	 "Effects for function %s:@\n\
@[ reads: %a@]@\n\
@[ writes: %a@]@\n\
@[ raises: %a@]@."
	 f.jc_fun_info_name
	 print_effect f.jc_fun_info_effects.jc_reads
	 print_effect f.jc_fun_info_effects.jc_writes
	 (print_list comma print_exception)
	 (ExceptionSet.elements f.jc_fun_info_effects.jc_raises)
    ) funs


(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
������������������������������������������why-2.34/jc/jc_struct_tools.mli���������������������������������������������������������������������0000644�0001750�0001750�00000010427�12311670312�015140� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Jc_env

(** Convert class or memory to class of allocation. *)
val alloc_class_of_mem_class: mem_class -> alloc_class

(** Convert class or pointer to class of allocation. *)
val alloc_class_of_pointer_class: pointer_class -> alloc_class

(** Convert a class of allocation into the corresponding variant. *)
val variant_of_alloc_class: alloc_class -> root_info

val variant_of_mem_class: mem_class -> root_info

(** Return whether a field is embedded or not. *)
val embedded_field: field_info -> bool

(** Return the bit offset of a field. *)
val field_offset: field_info -> int

(** Return the byte offset of a field, if any. *)
val field_offset_in_bytes: field_info -> int option

val field_type_has_bitvector_representation: field_info -> bool

(** Return the size in bytes of a structure. *)
val struct_size_in_bytes: struct_info -> int

(** Return whether the structure has a size. *)
val struct_has_size: struct_info -> bool

(** Return all the fields of a structure or a variant.
A variant has no field.
A structure has its fields and the fields of its ancestors. *)
val all_fields: pointer_class -> field_info list

(** Selects fully allocated fields. *)
val fully_allocated: field_info -> bool

(** Return all the memories used by a structure, i.e.: its fields,
the fields of its ancestors, and recursively the fields of its fields.
The "select" argument can be used to ignore specific fields. *)
val all_memories: 
  ?select:(field_info -> bool) -> pointer_class -> mem_class list

(** Return all the variants used by a structure, i.e.: the type of all
pointers returned by all_memories. *)
val all_types: ?select:(field_info -> bool) -> pointer_class ->
  root_info list

(** Return all the classes of allocation used by a structure *)
val all_allocs: 
  ?select:(field_info -> bool) -> pointer_class -> alloc_class list

(** Return all the variant info used by a structure *)
val all_tags: 
  ?select:(field_info -> bool) -> pointer_class -> root_info list


(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_lexer.mli����������������������������������������������������������������������������0000644�0001750�0001750�00000004732�12311670312�013515� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_ast

exception Lexical_error of Loc.position * string

(*
exception Syntax_error of Loc.position
*)

val token : Lexing.lexbuf -> Jc_parser.token

val parse  : string -> in_channel -> pexpr decl list

��������������������������������������why-2.34/jc/jc_separation.ml������������������������������������������������������������������������0000644�0001750�0001750�00000033663�12311670312�014377� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_constructors
open Jc_pervasives
(*
open Jc_iterators
*)

open Format
open Pp

let current_logic_component = ref None
let set_current_logic_component comp = current_logic_component := Some comp
let reset_current_logic_component () = current_logic_component := None
let in_current_logic_component f1 =
  match !current_logic_component with
    | None -> false
    | Some comp ->
	List.exists
	  (fun f2 -> f1.jc_logic_info_tag == f2.jc_logic_info_tag) comp

let current_component = ref None
let set_current_component comp = current_component := Some comp
let reset_current_component () = current_component := None
let in_current_component f1 =
  match !current_component with
    | None -> false
    | Some comp ->
	List.exists
	  (fun f2 -> f1.jc_fun_info_tag == f2.jc_fun_info_tag) comp

let single_term rresult t =
  match t#node with
       | JCTvar vi ->
	   if vi.jc_var_info_name = "\\result" then
	     Region.unify rresult vi.jc_var_info_region
       | JCTbinary(t1,(_,`Pointer),t2) | JCTif(_,t1,t2) ->
	   Region.unify t1#region t2#region
       | JCTmatch(_, (_, t1)::rem) ->
	   List.iter
	     (fun (_, t2) -> Region.unify t1#region t2#region)
	     rem
       | JCTmatch(_, []) ->
	   ()
       | JCTlet _ -> ()
       | JCTapp app ->
	   let li = app.jc_app_fun in
	   let param_regions,result_region =
	     if in_current_logic_component li then
	       (* No generalization here, plain unification *)
	       List.map (fun vi -> vi.jc_var_info_region)
		 li.jc_logic_info_parameters,
	     li.jc_logic_info_result_region
	     else
	       (* Apply generalization before unification *)
	       let regions = li.jc_logic_info_param_regions in
	       let assoc = RegionList.duplicate regions in
	       app.jc_app_region_assoc <- assoc;
	       let param_regions =
		 List.map
                   (fun vi ->
		      if is_dummy_region vi.jc_var_info_region then dummy_region else
			try RegionList.assoc vi.jc_var_info_region assoc
			with Not_found ->
                   	  Jc_options.jc_error t#pos "Unable to complete region analysis, aborting. Consider using #pragma SeparationPolicy(none)";
)
		   li.jc_logic_info_parameters
	       in
	       let result_region =
		 try RegionList.assoc li.jc_logic_info_result_region assoc
		 with Not_found -> assert false
	       in
	       param_regions,result_region
	   in
	   let arg_regions =
	     List.map (fun t -> t#region) app.jc_app_args
	   in
	   Jc_options.lprintf "param:%a@." (print_list comma Region.print) param_regions;
	   Jc_options.lprintf "arg:%a@." (print_list comma Region.print) arg_regions;
	   List.iter2 Region.unify param_regions arg_regions;
	   Jc_options.lprintf "param:%a@." Region.print result_region;
	   Jc_options.lprintf "arg:%a@." Region.print t#region;
	   Region.unify result_region t#region
       | JCTconst _ | JCTrange(None,None) | JCTbinary _ | JCTshift _
       | JCTrange _ | JCTunary _ | JCTderef _ | JCTold _ | JCTat _
       | JCToffset _ | JCTbase_block _
       | JCTaddress _ | JCTinstanceof _ | JCTcast _ | JCTbitwise_cast _
       | JCTrange_cast _ | JCTreal_cast _ ->
	   ()

let term rresult t = Jc_iterators.iter_term (single_term rresult) t

let single_assertion _rresult a =
  match a#node with
    | JCArelation(t1,(_,`Pointer),t2) ->
	Region.unify t1#region t2#region
    | JCArelation _ -> ()
    | JCAapp app ->
	let li = app.jc_app_fun in
	let param_regions =
	  if in_current_logic_component li then
	    (* No generalization here, plain unification *)
	    List.map (fun vi -> vi.jc_var_info_region)
	      li.jc_logic_info_parameters
	  else
	    (* Apply generalization before unification *)
	    let regions = li.jc_logic_info_param_regions in
	    let assoc = RegionList.duplicate regions in
	    app.jc_app_region_assoc <- assoc;
	    List.map (fun vi ->
			if is_dummy_region vi.jc_var_info_region then dummy_region else
			  try RegionList.assoc vi.jc_var_info_region assoc
			  with Not_found -> assert false)
	      li.jc_logic_info_parameters
	in
	let arg_regions =
	  List.map (fun t -> t#region) app.jc_app_args
	in
	Jc_options.lprintf "param:%a@." (print_list comma Region.print) param_regions;
	Jc_options.lprintf "arg:%a@." (print_list comma Region.print) arg_regions;
	List.iter2 Region.unify param_regions arg_regions
    | JCAtrue | JCAfalse | JCAeqtype _
    | JCAinstanceof _ | JCAbool_term _ | JCAmutable _ | JCAfresh _
    | JCAand _ | JCAor _ | JCAimplies _ | JCAiff _ | JCAif _
    | JCAlet _ | JCAmatch _
    | JCAnot _ | JCAquantifier _ | JCAold _ | JCAat _ | JCAsubtype _ ->
	()

let assertion rresult a =
  Jc_iterators.iter_term_and_assertion
    (single_term rresult) (single_assertion rresult) a

let single_location = ignore

let single_location_set = ignore

let location rresult loc =
  Jc_iterators.iter_location
    (single_term rresult) single_location single_location_set loc

let single_expr rresult e =
  match e#node with
       | JCEbinary(e1,_,e2) | JCEif(_,e1,e2) ->
	   Region.unify e1#region e2#region
       | JCEmatch(_, (_, e1)::rem) ->
	   List.iter
	     (fun (_, e2) -> Region.unify e1#region e2#region)
	     rem
       | JCEmatch(_, []) ->
	   ()
       | JCEconst _ | JCEvar _ | JCEshift _ | JCEunary _
       | JCEderef _ | JCEoffset _ | JCEaddress _ | JCEinstanceof _ | JCEcast _
       | JCEbitwise_cast _ | JCEbase_block _ | JCEfresh _
       | JCErange_cast _ | JCEreal_cast _ | JCEalloc _ | JCEfree _
       | JCElet(_,None,_) ->
	   ()
       | JCElet(vi,Some e,_) | JCEassign_var(vi,e) ->
	   Region.unify vi.jc_var_info_region e#region
    | JCEassign_heap(e1,fi,e2) ->
	let fr = Region.make_field e1#region fi in
	Region.unify fr e2#region
    | JCEthrow(ei,_) ->
	begin match ei.jc_exception_info_type with None -> () | Some ty ->
	  assert(not(is_pointer_type ty)) (* TODO *)
	end
    | JCEapp call ->
(*	let f = call.jc_call_fun in*)
	let in_current_comp = match call.jc_call_fun with
	  | JClogic_fun _f -> false
	  | JCfun f -> in_current_component f
	in
	let params = match call.jc_call_fun with
	  | JClogic_fun f -> f.jc_logic_info_parameters
	  | JCfun f -> List.map snd f.jc_fun_info_parameters
	in
	let rregion = match call.jc_call_fun with
	  | JClogic_fun f -> f.jc_logic_info_result_region
	  | JCfun f -> f.jc_fun_info_return_region
	in
	let param_regions,result_region =
	  if in_current_comp then
	    (* No generalization here, plain unification *)
	    List.map (fun vi -> vi.jc_var_info_region) params,
	    rregion
	  else
	    (* Apply generalization before unification *)
	    let regions = match call.jc_call_fun with
	      | JClogic_fun f -> f.jc_logic_info_param_regions
	      | JCfun f -> f.jc_fun_info_param_regions
	    in
	    let assoc = RegionList.duplicate regions in
	    call.jc_call_region_assoc <- assoc;
	    let param_regions =
	      List.map (fun vi ->
			  if is_dummy_region vi.jc_var_info_region then dummy_region else
			    try RegionList.assoc vi.jc_var_info_region assoc
			    with Not_found -> assert false)
		params
	    in
	    let result_region =
	      if is_dummy_region rregion then dummy_region
	      else
		try RegionList.assoc rregion assoc
		with Not_found -> assert false
	    in
	    param_regions,result_region
	in
	let arg_regions =
	  List.map (fun e -> e#region) call.jc_call_args
	in
	Jc_options.lprintf "param:%a@." (print_list comma Region.print) param_regions;
	Jc_options.lprintf "arg:%a@." (print_list comma Region.print) arg_regions;
	List.iter2 Region.unify param_regions arg_regions;
	Jc_options.lprintf "param:%a@." Region.print result_region;
	Jc_options.lprintf "arg:%a@." Region.print e#region;
	if e#typ = unit_type then
	  () (* Result of call discarded *)
	else Region.unify result_region e#region
    | JCEreturn(_ty,e) ->
	Region.unify rresult e#region
    | JCEassert(_behav,_asrt,a) ->
	assertion rresult a
    | JCEcontract(req,dec,_vi_result,_behs,_e) ->
        (* TODO: decreases, behaviors, etc. *)
        assert (dec = None);
	Option_misc.iter (assertion rresult) req

    | JCEloop(_la,_) -> ()
    | JCEblock _ | JCEtry _
    | JCEreturn_void | JCEpack _ | JCEunpack _ ->
	()

let expr rresult e =
  Jc_iterators.iter_expr_and_term_and_assertion
    (single_term rresult)
    (single_assertion rresult) single_location single_location_set
    (single_expr rresult) e

(* let location rresult loc = *)
(*   fold_location  *)
(*     (fold_unit (term rresult)) (fold_unit ignore) (fold_unit ignore) () loc *)

let axiomatic_decl d =
  match d with
    | Jc_typing.ABaxiom(_,_,_,a) -> assertion dummy_region a

let axiomatic a =
  try
    let l = StringHashtblIter.find Jc_typing.axiomatics_table a in
    List.iter axiomatic_decl l.Jc_typing.axiomatics_decls
  with Not_found -> assert false

let logic_function f =
  let (f, ta) =
    IntHashtblIter.find Jc_typing.logic_functions_table f.jc_logic_info_tag
  in
  let rresult = f.jc_logic_info_result_region in
  begin match ta with
    | JCNone -> ()
    | JCTerm t ->
	begin
	  term rresult t;
	  Region.unify rresult t#region
	end
    | JCAssertion a -> assertion rresult a
    | JCReads r -> List.iter (location rresult) r
    | JCInductive l ->
	List.iter (fun (_,_,a) -> assertion rresult a) l
  end;
  Option_misc.iter axiomatic f.jc_logic_info_axiomatic

let generalize_logic_function f =
  let param_regions =
    List.map (fun vi -> vi.jc_var_info_region) f.jc_logic_info_parameters in
  let fun_regions = f.jc_logic_info_result_region :: param_regions in
  f.jc_logic_info_param_regions <- RegionList.reachable fun_regions

let logic_component fls =
  (* Perform plain unification on component *)
  set_current_logic_component fls;
  List.iter logic_function fls;
  reset_current_logic_component ();
  (* Generalize regions accessed *)
  List.iter generalize_logic_function fls;
  (* Fill in association table at each call site *)
  List.iter logic_function fls

let funspec rresult spec =
  Jc_iterators.iter_funspec
    (single_term rresult) (single_assertion rresult) single_location
    single_location_set spec

let code_function f =
  let (f, _, spec, body) =
    IntHashtblIter.find Jc_typing.functions_table f.jc_fun_info_tag
  in
  Jc_options.lprintf "Separation: treating function %s@." f.jc_fun_info_name;
  let rresult = f.jc_fun_info_return_region in
  funspec rresult spec;
  Option_misc.iter (expr rresult) body

let generalize_code_function f =
  let param_regions =
    List.map (fun (_,vi) -> vi.jc_var_info_region) f.jc_fun_info_parameters in
  let fun_regions = f.jc_fun_info_return_region :: param_regions in
  f.jc_fun_info_param_regions <- RegionList.reachable fun_regions

let code_component fls =
  (* Perform plain unification on component *)
  set_current_component fls;
  List.iter code_function fls;
  reset_current_component ();
  (* Generalize regions accessed *)
  List.iter generalize_code_function fls;
  (* Fill in association table at each call site *)
  List.iter code_function fls

let axiom _id (_loc,_is_axiom,_,_labels,a) = assertion (* labels *) dummy_region a

let regionalize_assertion a assoc =
  Jc_iterators.map_term_in_assertion (fun t ->
    let t = match t#node with
      | JCTapp app ->
	  let app_assoc =
	    List.map (fun (rdist,rloc) ->
	      try (rdist,RegionList.assoc rloc assoc) with Not_found -> (rdist,rloc)
	    ) app.jc_app_region_assoc
	  in
	  let tnode = JCTapp { app with jc_app_region_assoc = app_assoc; } in
	  new term_with ~node:tnode t
      | JCTconst _ | JCTvar _ | JCTshift _
      | JCTderef _ | JCTbinary _ | JCTunary _ | JCTold _ | JCTat _ | JCToffset _
      | JCTaddress _ | JCTbase_block _
      | JCTinstanceof _ | JCTcast _ | JCTbitwise_cast _ | JCTrange_cast _ | JCTreal_cast _ | JCTif _ | JCTmatch _ | JCTrange _ | JCTlet _ -> t

    in
    try new term_with ~region:(RegionList.assoc t#region assoc) t
    with Not_found -> t
  ) a

(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
�����������������������������������������������������������������������������why-2.34/jc/jc_iterators.mli������������������������������������������������������������������������0000644�0001750�0001750�00000015603�12311670312�014411� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(* {1 substitution in logic} *)

type term_subst = Jc_fenv.term Jc_envset.VarMap.t

val subst_term : term_subst -> Jc_fenv.term -> Jc_fenv.term

(* {2 miscellaneous} *)

(* spec ? *)
val fold_term :
 ('a -> 'b Jc_ast.term -> 'a) -> 'a -> 'b Jc_ast.term -> 'a

(* spec ? *)
val fold_term_in_assertion :
  ('a -> 'b Jc_ast.term -> 'a) -> 'a -> 'b Jc_ast.assertion -> 'a

(* spec ? *)
val iter_term : ('a Jc_ast.term -> unit) -> 'a Jc_ast.term -> unit

(* spec ? *)
val iter_term_and_assertion : 
  ('a Jc_ast.term -> unit) ->  ('a Jc_ast.assertion -> unit) 
  -> 'a Jc_ast.assertion -> unit

(* spec ? *)
val iter_location : 
  ('a Jc_ast.term -> unit) ->
  ('a Jc_ast.location -> unit) ->
  ('a Jc_ast.location_set -> unit) -> 'a Jc_ast.location -> unit

(* spec ? *)
val iter_expr_and_term_and_assertion :
  ('a Jc_ast.term -> unit) ->
  ('a Jc_ast.assertion -> unit) ->
  ('a Jc_ast.location -> unit) ->
  ('a Jc_ast.location_set -> unit) ->
  (('a, 'b) Jc_ast.expr -> unit) -> ('a, 'b) Jc_ast.expr -> unit
  

(* used only once in Jc_separation *)
val iter_funspec : 
  ('a Jc_ast.term -> unit) ->
  ('a Jc_ast.assertion -> unit) ->
  ('a Jc_ast.location -> unit) ->
  ('a Jc_ast.location_set -> unit) -> 'a Jc_ast.fun_spec -> unit

(* spec ? *)
val iter_pattern: (Jc_ast.pattern -> 'a) -> Jc_ast.pattern -> unit

(* spec ? *)
val map_term :
  (Jc_constructors.term_with -> Jc_fenv.logic_info Jc_ast.term) ->
  Jc_fenv.logic_info Jc_ast.term -> Jc_fenv.logic_info Jc_ast.term

(* spec ? *)
val map_term_in_assertion :
  (Jc_constructors.term_with -> Jc_fenv.logic_info Jc_ast.term) ->
  Jc_fenv.logic_info Jc_ast.assertion ->
  Jc_fenv.logic_info Jc_ast.assertion

(* spec ? *)
val fold_term : 
  ('a -> 'b Jc_ast.term -> 'a) -> 'a -> 'b Jc_ast.term -> 'a

(* spec ? *)
val fold_term_and_assertion :
  ('a -> 'b Jc_ast.term -> 'a) ->
  ('a -> 'b Jc_ast.assertion -> 'a) -> 'a -> 'b Jc_ast.assertion -> 'a

(* spec ? *)
val fold_rec_term : 
  ('a -> 'b Jc_ast.term -> bool * 'a) -> 'a -> 'b Jc_ast.term -> 'a

(* spec ? *)
val fold_rec_term_and_assertion :
  ('a -> 'b Jc_ast.term -> bool * 'a) ->
  ('a -> 'b Jc_ast.assertion -> bool * 'a) ->
  'a -> 'b Jc_ast.assertion -> 'a

(* spec ? *)
val fold_rec_location : 
  ('a -> 'b Jc_ast.term -> bool * 'a) ->
  ('a -> 'b Jc_ast.location -> bool * 'a) ->
  ('a -> 'b Jc_ast.location_set -> bool * 'a) ->
  'a -> 'b Jc_ast.location -> 'a

val fold_rec_expr_and_term_and_assertion : 
  ('a -> 'b Jc_ast.term -> bool * 'a) ->
  ('a -> 'b Jc_ast.assertion -> bool * 'a) ->
  ('a -> 'b Jc_ast.location -> bool * 'a) ->
  ('a -> 'b Jc_ast.location_set -> bool * 'a) ->
  ('a -> ('b, 'c) Jc_ast.expr -> bool * 'a) ->
  'a -> ('b, 'c) Jc_ast.expr -> 'a

(*
val fold_rec_behavior: 
  ('a -> 'b Jc_ast.term -> bool * 'a) ->
  ('a -> 'b Jc_ast.assertion -> bool * 'a) ->
  ('a -> 'b Jc_ast.location -> bool * 'a) ->
  ('a -> 'b Jc_ast.location_set -> bool * 'a) ->
  'a -> 'b Jc_ast.behavior -> 'a
*)

module IPExpr : sig

  (* spec ?
     This function is used only once, in Jc_norm 
     -> should be erased
  *)
  val fold_left : ('a -> Jc_ast.pexpr -> 'a) -> 'a -> Jc_ast.pexpr -> 'a

  (* Used twice in Jc_norm. spec ? *) 
  val subs : Jc_ast.pexpr -> Jc_ast.pexpr list

end

(* spec ? *)
val replace_sub_pexpr : 
    < node : Jc_ast.pexpr_node; pos : Loc.position; .. > ->
    Jc_ast.pexpr list -> Jc_constructors.pexpr_with

(* spec ?
   This function is used only once, in Jc_norm 
   -> should be erased
*)
val map_pexpr : 
  ?before:(Jc_ast.pexpr -> Jc_ast.pexpr) ->
  ?after:(Jc_constructors.pexpr_with -> Jc_constructors.pexpr_with) ->
  Jc_ast.pexpr -> Jc_ast.pexpr


(* spec ?
   This function is used only once, in Jc_annot_inference
   -> should be erased
*)
val map_expr :
  ?before:((Jc_fenv.logic_info, Jc_fenv.fun_info) Jc_ast.expr ->
             (Jc_fenv.logic_info, Jc_fenv.fun_info) Jc_ast.expr) ->
  ?after:(Jc_constructors.expr_with -> Jc_constructors.expr_with) ->
  (Jc_fenv.logic_info, Jc_fenv.fun_info) Jc_ast.expr ->
  (Jc_fenv.logic_info, Jc_fenv.fun_info) Jc_ast.expr

val replace_sub_expr :
  < mark : string; node : Jc_fenv.expr_node;
  original_type : Jc_env.jc_type; pos : Loc.position;
  region : Jc_env.region; typ : Jc_env.jc_type; .. > ->
    (Jc_fenv.logic_info, Jc_fenv.fun_info) Jc_ast.expr list ->
    Jc_constructors.expr_with


module ITerm : sig
  type t = Jc_constructors.term
  val iter : (t -> unit) -> t -> unit
end

module INExpr : sig

  (* spec ? *)
  val subs: Jc_ast.nexpr -> Jc_ast.nexpr list
end

module IExpr : sig

  type t = Jc_constructors.expr

  (* spec ? *)
  val fold_left : ('a -> t -> 'a) -> 'a -> t -> 'a

  val subs : t -> t list 

end


(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
�����������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_noutput.ml���������������������������������������������������������������������������0000644�0001750�0001750�00000015530�12311670312�013741� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

(** Ouput the normalized AST. Useful for debugging. Not parsable. *)

open Jc_pervasives
open Jc_output_misc
open Jc_ast
open Format
open Pp


let identifier fmt id =
  fprintf fmt "%s" id#name

let rec expr fmt e =
  let out x = fprintf fmt x in
  match e#node with
    | JCNEconst c ->
        const fmt c
    | JCNElabel(id, e1) ->
        out "(@[<hv 2>%s:@ %a@])" id expr e1
    | JCNEvar id ->
        out "%s" id
    | JCNEderef(e1, id) ->
        out "%a.%s" expr e1 id
    | JCNEbinary(e1, op, e2) ->
        out "(@[<hv 2>%a %s@ %a@])" expr e1 (string_of_op op) expr e2
    | JCNEunary(op, e1) ->
        out "(%s %a)" (string_of_op op) expr e1
    | JCNEapp(id, labs, el) ->
        out "@[<hv 2>%s@,{%a}@,(%a)@]" id (print_list comma label)
          labs (print_list comma expr) el
    | JCNEassign(e1, e2) ->
        out "(@[<hv 2>%a =@ %a@])" expr e1 expr e2
    | JCNEinstanceof(_e1, _id) ->
        out "(TODO instanceof)"
    | JCNEcast(_e1, _id) ->
        out "(TODO cast)"
    | JCNEif(_e1, _e2, _e3) ->
        out "(TODO if)"
    | JCNEoffset(k, e1) ->
        out "(\\offset_m%a(%a))" offset_kind k expr e1
    | JCNEaddress(absolute,e1) ->
        out "(\\%aaddress(%a))" address_kind absolute expr e1
    | JCNEbase_block(e1) ->
        out "(\\base_block(%a))" expr e1
    | JCNEfresh(e1) ->
        out "(\\fresh(%a))" expr e1
    | JCNEalloc(_e1, _id) ->
        out "(TODO alloc)"
    | JCNEfree _e1 ->
        out "(TODO free)"
    | JCNElet(Some pty, id, Some e1, e2) ->
        out "(@[<hv 2>let %a %s = %a in@ %a@])" ptype pty id expr e1 expr e2
    | JCNElet(Some pty, id, None, e1) ->
        out "(@[<hv 2>let %a %s in@ %a@])" ptype pty id expr e1
    | JCNElet(None, id, Some e1, e2) ->
        out "(@[<hv 2>let %s = %a in@ %a@])" id expr e1 expr e2
    | JCNElet(None, id, None, e1) ->
        out "(@[<hv 2>let %s in@ %a@])" id expr e1
    | JCNEassert (behav,asrt,e1) ->
        out "(%a %a%a)" 
	  asrt_kind asrt
	  (print_list_delim 
	     (constant_string "for ") (constant_string ": ") 
	     comma identifier)
	  behav
	  expr e1
    | JCNEcontract _ -> assert false (* TODO *)
    | JCNEblock el ->
        out "{@ @[<hv 2>%a@]@ }" (print_list semi expr) el
    | JCNEloop(_inv, Some _e2, _e3) ->
	out "(some loop)" (* TODO *)
	  (*
        out "@[<hv 2>%a@ variant %a;@ %a done@]" 
	  (print_list nothing 
	     (fun fmt (behav,inv) -> out "@\ninvariant %a%a;"
		(print_list_delim 
		   (constant_string "for ") (constant_string ": ") 
		   comma string)
		behav
		expr inv))
	  inv
	  expr e2
          expr e3
	  *)
    | JCNEloop(_inv, None, _e2) ->
        out "(some loop)" (* TODO *)
	  (*
	    out "@[<hv 2>%a@ %a done@]" 
	  (print_list nothing 
	     (fun fmt (behav,inv) -> out "@\ninvariant %a%a;"
		(print_list_delim 
		   (constant_string "for ") (constant_string ": ") 
		   comma string)
		behav
		expr inv))
	  inv
	  expr e2
	  *)
    | JCNEreturn(Some e1) ->
        out "(return %a)" expr e1
    | JCNEreturn None ->
        out "(return)"
    | JCNEtry(e1, l, e2) ->
        out "(@[<hv 2>try %a with@ %a@ | default -> %a@])" expr e1
          (print_list space
             (fun fmt (id, s, e3) ->
                fprintf fmt "| %s %s -> %a" id#name s expr e3))
          l expr e2
    | JCNEthrow(id, Some e1) ->
        out "(throw %s %a)" id#name expr e1
    | JCNEthrow(id, None) ->
        out "(throw %s)" id#name
    | JCNEpack(_e1, _ido) ->
        out "(TODO pack)"
    | JCNEunpack(_e1, _ido) ->
        out "(TODO unpack)"
    | JCNEmatch(_e1, _pel) ->
        out "(TODO match)"
    | JCNEquantifier(Forall, pty, idl, trigs, e1) ->
        out "(@[<hv 2>\\forall %a %a %a,@ %a@])" ptype pty
          (print_list space identifier) idl
          triggers trigs expr e1
    | JCNEquantifier(Exists, pty, idl, trigs, e1) ->
        out "(@[<hv 2>\\exists %a %a%a,@ %a@])" ptype pty
          (print_list space identifier) idl 
           triggers trigs expr e1
    | JCNEold _e1 ->
        out "(TODO old)"
    | JCNEat(e1, lab) ->
        out "\\at(%a,@ %a)" expr e1 label lab
    | JCNEmutable(_e1, _tag) ->
        out "(TODO mutable)"
    | JCNEeqtype(_tag1, _tag2) ->
        out "(TODO eqtype)"
    | JCNEsubtype(_tag1, _tag2) ->
        out "(TODO subtype)"
    | JCNErange(Some e1, Some e2) ->
        out "(%a .. %a)" expr e1 expr e2
    | JCNErange(Some e1, None) ->
        out "(%a ..)" expr e1
    | JCNErange(None, Some e1) ->
        out "(.. %a)" expr e1
    | JCNErange(None, None) ->
        out "(..)"

and triggers fmt trigs = 
  print_list_delim lsquare rsquare alt (print_list comma expr) fmt trigs

(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_common_options.ml��������������������������������������������������������������������0000644�0001750�0001750�00000005023�12311670312�015262� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s command-line options *)

open Jc_env

let debug = ref false
let verbose = ref false
let werror = ref false

let inv_sem = ref InvNone
let separation_sem = ref SepNone

(*
  Local Variables: 
  compile-command: "unset LANG; make -C .. bin/jessie.byte"
  End: 
*)
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_pervasives.mli�����������������������������������������������������������������������0000644�0001750�0001750�00000016617�12311670312�014572� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_ast
open Jc_fenv

val ( $ ): ('b -> 'c) -> ('a -> 'b) -> 'a -> 'c

(*
exception Error of Loc.position * string

val error: Loc.position -> ('a, Format.formatter, unit, 'b) format4 -> 'a
*)

val zero: Num.num
val one: Num.num
val two: Num.num
val eight: Num.num
val is_power_of_two: Num.num -> bool
val log2: Num.num -> Num.num

(* labels *)

val new_label_name: unit -> string

(* types *)

val operator_of_native: native_type -> [> native_operator_type] 
val operator_of_type: jc_type -> [> operator_type] 
val eq_operator_of_type: jc_type -> [> operator_type] 

val integer_type : Jc_env.jc_type
val boolean_type : Jc_env.jc_type
val real_type : Jc_env.jc_type
val double_type : Jc_env.jc_type
val float_type : Jc_env.jc_type
val unit_type : Jc_env.jc_type
val null_type : Jc_env.jc_type
val string_type : Jc_env.jc_type
val any_type: jc_type

val string_of_native: Jc_env.native_type -> string
val print_type : Format.formatter -> Jc_env.jc_type -> unit
val print_type_var : Format.formatter -> Jc_env.type_var_info -> unit

val struct_of_union: Jc_env.struct_info -> bool
val struct_of_plain_union : Jc_env.struct_info -> bool
val struct_of_discr_union : Jc_env.struct_info -> bool
val union_of_field: Jc_env.field_info -> Jc_env.root_info
val integral_union: Jc_env.root_info -> bool
val root_is_plain_union : Jc_env.root_info -> bool
val root_is_discr_union : Jc_env.root_info -> bool
val root_is_union : Jc_env.root_info -> bool

val struct_has_bytesize: Jc_env.struct_info -> bool
val struct_bitsize: Jc_env.struct_info -> int
val struct_bytesize: Jc_env.struct_info -> int
val possible_struct_bytesize: Jc_env.struct_info -> int option

(* constants *)

val zero: Num.num
val num_of_constant : 'a -> const -> Num.num

(* environment infos *)

val var : ?unique:bool -> ?static:bool -> ?formal:bool -> 
  Jc_env.jc_type -> string -> Jc_env.var_info
val copyvar : Jc_env.var_info -> Jc_env.var_info

val tmp_var_name : unit -> string
val newvar : Jc_env.jc_type -> Jc_env.var_info
val newrefvar : Jc_env.jc_type -> Jc_env.var_info

val exception_info :  
  Jc_env.jc_type option -> string -> Jc_env.exception_info

val make_fun_info : string -> Jc_env.jc_type -> Jc_fenv.fun_info

val make_pred : string -> Jc_fenv.logic_info

val make_logic_fun : string -> Jc_env.jc_type -> Jc_fenv.logic_info

val location_set_region : location_set -> Jc_env.region
(*
val direct_embedded_struct_fields : Jc_env.struct_info -> Jc_env.field_info list
val embedded_struct_fields : Jc_env.struct_info -> Jc_env.field_info list
*)
val field_sinfo : Jc_env.field_info -> Jc_env.struct_info
val field_bounds : Jc_env.field_info -> Num.num * Num.num
(* destruct a pointer type. *)
val pointer_struct: jc_type -> struct_info
val pointer_class: jc_type -> pointer_class
(*val embedded_struct_roots : Jc_env.struct_info -> string list*)

val root_name : Jc_env.struct_info -> string
val field_root_name : Jc_env.field_info -> string
val struct_root : Jc_env.struct_info -> Jc_env.root_info
val pointer_class_root : pointer_class -> Jc_env.root_info

(* predefined functions *)

val any_string : Jc_fenv.logic_info
(*
val real_of_integer : Jc_fenv.logic_info
val real_of_integer_ : Jc_fenv.fun_info
*)
val full_separated : Jc_fenv.logic_info

val default_behavior : behavior

val empty_fun_effect : Jc_fenv.fun_effect
val empty_effects : Jc_fenv.effect

(* assertions *)

val skip_term_shifts :  term -> term
val skip_shifts : expr -> expr
val skip_tloc_range : location_set -> location_set

val select_option : 'a option -> 'a -> 'a
val is_constant_assertion : assertion -> bool

(* fun specs *)

val contains_normal_behavior : fun_spec -> bool
val contains_exceptional_behavior : fun_spec -> bool
val is_purely_exceptional_fun : fun_spec -> bool

(* patterns *)

(** The set of variables bound by a pattern. *)
val pattern_vars : Jc_env.var_info Jc_envset.StringMap.t -> pattern ->
  Jc_env.var_info Jc_envset.StringMap.t

(* operators *)

val string_of_op: [< bin_op | unary_op] -> string
val string_of_op_type: [< operator_type] -> string

(* builtin_logic_symbols *)

val builtin_logic_symbols :
  (Jc_env.jc_type option * string * string * Jc_env.jc_type list) list

val builtin_function_symbols :
  (Jc_env.jc_type * string * string * Jc_env.jc_type list * Jc_fenv.builtin_treatment) list

module TermOrd : OrderedHashedType with type t = term

module TermSet : Set.S with type elt = term

module TermMap : Map.S with type key = term

module TermTable : Hashtbl.S with type key = term

module AssertionOrd : OrderedType with type t = assertion

module StringHashtblIter:
sig
  type 'a t
  val create: int -> 'a t
  val add: 'a t -> string -> 'a -> unit
  val replace: 'a t -> string -> 'a -> unit
  val find: 'a t -> string -> 'a 
  val fold: (string -> 'a -> 'b -> 'b) -> 'a t -> 'b -> 'b
  val iter: (string -> 'a -> unit) -> 'a t -> unit
end

module IntHashtblIter:
sig
  type 'a t
  val create: int -> 'a t
  val add: 'a t -> int -> 'a -> unit
  val replace: 'a t -> int -> 'a -> unit
  val find: 'a t -> int -> 'a 
  val fold: (int -> 'a -> 'b -> 'b) -> 'a t -> 'b -> 'b
  val iter: (int -> 'a -> unit) -> 'a t -> unit
end

(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
�����������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_typing.mli���������������������������������������������������������������������������0000644�0001750�0001750�00000011354�12311670312�013706� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Jc_stdlib
open Jc_env
open Jc_ast
open Jc_fenv
open Jc_pervasives

val default_label : label list -> label option
 
val typing_error : 
    Loc.position -> ('a, Format.formatter, unit, 'b) format4 -> 'a

val is_root_struct : struct_info -> bool

val substruct : struct_info -> pointer_class -> bool

val logic_type_table : (string * type_var_info list) StringHashtblIter.t

val logic_constants_table : 
  (int, logic_info * Jc_fenv.logic_info Jc_ast.term) Hashtbl.t

val logic_functions_table:
  (logic_info * term_or_assertion) IntHashtblIter.t

val functions_table : 
  (fun_info * Loc.position * fun_spec * expr option) IntHashtblIter.t

val variables_table : (var_info * expr option) IntHashtblIter.t

val structs_table:
  (struct_info * (logic_info * assertion) list) StringHashtblIter.t

val roots_table: (root_info) StringHashtblIter.t

val enum_types_table: enum_info StringHashtblIter.t

(*
val enum_conversion_functions_table : (fun_info, string) Hashtbl.t
val enum_conversion_logic_functions_table : (logic_info, string) Hashtbl.t
*)

val lemmas_table : 
  (Loc.position * bool * type_var_info list * label list * assertion)
  StringHashtblIter.t

type axiomatic_decl =
  | ABaxiom of Loc.position * string * Jc_env.label list * Jc_constructors.assertion

type axiomatic_data = private
    {
      mutable axiomatics_defined_ids : logic_info list;
      mutable axiomatics_decls : axiomatic_decl list;
    }

val axiomatics_table : axiomatic_data StringHashtblIter.t

val global_invariants_table : 
  (logic_info * assertion) IntHashtblIter.t

val exceptions_table: exception_info StringHashtblIter.t

exception Typing_error of Loc.position * string

val coerce : jc_type -> native_type -> expr -> expr

val type_range_of_term : jc_type -> term -> assertion

val find_struct_root : Jc_env.struct_info -> Jc_env.root_info

val type_file : nexpr decl list -> unit

val print_file : Format.formatter -> unit -> unit

val type_labels_in_decl : nexpr decl -> unit

val pragma_gen_sep :  (int,
   [ `Sep | `Inc | `Cni] *
   [ `Logic of Jc_fenv.logic_info * string list * Jc_env.var_info list
   | `Pointer of Jc_env.var_info ] list) Jc_stdlib.Hashtbl.t

val pragma_gen_frame : 
  (int, Jc_fenv.logic_info * Jc_fenv.logic_info 
    * Jc_env.var_info list * Jc_env.var_info list *
      [ `Frame | `Sub ]) Jc_stdlib.Hashtbl.t

val pragma_gen_same :
  (int, Jc_fenv.logic_info) Jc_stdlib.Hashtbl.t

val comparable_types : jc_type -> jc_type -> bool

(*
Local Variables: 
compile-command: "make -C .. bin/jessie.byte"
End: 
*)
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_poutput.ml���������������������������������������������������������������������������0000644�0001750�0001750�00000041016�12311670312�013741� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format
open Jc_env
open Jc_fenv
open Jc_pervasives
open Jc_ast
open Jc_output_misc
open Pp


let is_not_true (p : Jc_ast.pexpr) =
  match p#node with
    | JCPEconst (JCCboolean true) -> false
    | _ -> true

let bin_op = function
  | `Blt -> "<"
  | `Bgt -> ">"
  | `Ble -> "<="
  | `Bge -> ">="
  | `Beq -> "=="
  | `Bneq -> "!="
  | `Badd -> "+"
  | `Bsub -> "-"
  | `Bmul -> "*"
  | `Bdiv -> "/"
  | `Bmod -> "%"
  | `Bland -> "&&"
  | `Blor -> "||"
  | `Bimplies -> "==>"
  | `Biff -> "<==>"
  | `Bbw_and -> "&"
  | `Bbw_or -> "|"
  | `Bbw_xor -> "^"
  | `Blogical_shift_right -> ">>"
  | `Barith_shift_right -> ">>>"
  | `Bshift_left -> "<<"
  | `Bconcat -> "@"

let unary_op = function
  | `Uplus -> "+"
  | `Uminus -> "-"
  | `Unot -> "!"
  | `Upostfix_inc | `Uprefix_inc -> "++"
  | `Upostfix_dec | `Uprefix_dec -> "--"
  | `Ubw_not -> "~"

let rec ppattern fmt p =
  match p#node with
    | JCPPstruct(st, lbls) ->
	fprintf fmt "@[<hv 2>%s{@ " st#name;
	List.iter
	  (fun (lbl, pat) ->
	     fprintf fmt "%s = %a;@ " lbl#name ppattern pat)
          lbls;
	fprintf fmt "}@]"
    | JCPPvar vi ->
	fprintf fmt "%s" vi#name
    | JCPPor(p1, p2) ->
	fprintf fmt "(%a)@ | (%a)" ppattern p1 ppattern p2
    | JCPPas(pat, vi) ->
	fprintf fmt "(%a as %s)" ppattern pat vi#name
    | JCPPany ->
	fprintf fmt "_"
    | JCPPconst c ->
	fprintf fmt "%a" const c

let quantifier fmt = function
  | Forall -> fprintf fmt "forall"
  | Exists -> fprintf fmt "exists"

let identifier fmt id =
  fprintf fmt "%s" id#name

let rec pexpr fmt e =
  match e#node with
    | JCPElabel(lab,e) ->
	assert (lab <> "");
	fprintf fmt "@[(%s : %a)@]" lab pexpr e
    | JCPEconst c -> const fmt c
    | JCPEvar vi ->
	fprintf fmt "%s" vi
    | JCPEbinary (e1, op, e2) ->
	fprintf fmt "@[<hv 2>(%a %s@ %a)@]" pexpr e1 (bin_op op) pexpr e2
    | JCPEunary((`Upostfix_dec | `Upostfix_inc) as op,e1) ->
	fprintf fmt "@[(%a %s)@]" pexpr e1 (unary_op op)
    | JCPEunary(op,e1) ->
	fprintf fmt "@[(%s %a)@]" (unary_op op) pexpr e1
    | JCPEif (e1,e2,e3) ->
	fprintf fmt "@[(if %a then %a else %a)@]" pexpr e1 pexpr e2 pexpr e3
    | JCPElet(Some ty,vi,Some e1,e2) ->
	fprintf fmt "@[(let %a %s =@ %a@ in %a)@]"
          ptype ty vi pexpr e1 pexpr e2
    | JCPElet(None,vi,Some e1,e2) ->
	fprintf fmt "@[(let %s =@ %a@ in %a)@]"
          vi pexpr e1 pexpr e2
    | JCPElet(_ty,_vi,None,_e2) -> assert false
    | JCPEassign (v, e) ->
	fprintf fmt "(%a = %a)" pexpr v pexpr e
    | JCPEassign_op (v, op, e) ->
	fprintf fmt "%a %s= %a" pexpr v (bin_op op) pexpr e
    | JCPEcast (e, si) ->
	fprintf fmt "(%a :> %a)" pexpr e ptype si
    | JCPEalloc (e, si) ->
	fprintf fmt "(new %s[%a])" si pexpr e
    | JCPEfree (e) ->
	fprintf fmt "(free(%a))" pexpr e
    | JCPEoffset(k,e) ->
	fprintf fmt "\\offset_m%a(%a)" offset_kind k pexpr e
    | JCPEaddress(absolute,e) ->
	fprintf fmt "\\%aaddress(%a)" address_kind absolute pexpr e
    | JCPEbase_block(e) ->
	fprintf fmt "\\base_block(%a)" pexpr e
    | JCPEfresh(e) ->
	fprintf fmt "\\fresh(%a)" pexpr e
    | JCPEinstanceof (e, si) ->
	fprintf fmt "(%a <: %s)" pexpr e si
    | JCPEderef (e, fi) ->
	fprintf fmt "%a.%s" pexpr e fi
    | JCPEmatch (e, pel) ->
	fprintf fmt "@[<v 2>match %a with@ " pexpr e;
	List.iter
	  (fun (p, e) -> fprintf fmt "  @[<v 2>%a ->@ %a;@]@ "
	     ppattern p pexpr e) pel;
	fprintf fmt "end@]"
    | JCPEold t -> fprintf fmt "@[\\old(%a)@]" pexpr t
    | JCPEat(t,lab) -> fprintf fmt "@[\\at(%a,%a)@]" pexpr t label lab
    | JCPEapp(f,labs,args) ->
	fprintf fmt "%s%a(@[%a@])" f
	  (fun fmt labs -> if List.length labs = 0 then () else
	    fprintf fmt "%a" (print_list_delim lbrace rbrace comma label) labs) labs
	  (print_list comma pexpr) args
    | JCPErange(t1,t2) ->
	fprintf fmt "@[[%a..%a]@]" (print_option pexpr) t1 (print_option pexpr) t2
    | JCPEquantifier (q,ty,vil,trigs, a)->
	fprintf fmt "@[<hv 2>(\\%a %a %a%a;@\n%a)@]"
	  quantifier q
	  ptype ty
	  (print_list comma identifier) vil
	  triggers trigs pexpr a
    | JCPEmutable _ ->
        fprintf fmt "\\mutable(TODO)"
    | JCPEeqtype(tag1,tag2) ->
	fprintf fmt "\\typeeq(%a,%a)" ptag tag1 ptag tag2
    | JCPEsubtype(tag1,tag2) ->
	fprintf fmt "(%a <: %a)" ptag tag1 ptag tag2
    | JCPEreturn (e) ->
	fprintf fmt "@\n(return %a)" pexpr e
    | JCPEunpack _ ->
        fprintf fmt "unpack(TODO)"
    | JCPEpack _ ->
        fprintf fmt "pack(TODO)"
    | JCPEthrow (ei, eo) ->
	fprintf fmt "@\n(throw %s %a)"
	  ei#name
	  pexpr eo
    | JCPEtry (s, hl, fs) ->
	fprintf fmt
	  "@\n@[<v 2>try %a@]%a@\n@[<v 2>finally%a@ end@]"
	  pexpr s
	  (print_list nothing handler) hl
	  pexpr fs
    | JCPEgoto lab ->
	fprintf fmt "@\n(goto %s)" lab
    | JCPEcontinue lab ->
	fprintf fmt "@\n(continue %s)" lab
    | JCPEbreak lab ->
	fprintf fmt "@\n(break %s)" lab
    | JCPEwhile (e, behaviors, variant, s)->
	fprintf fmt "@\n@[loop %a%a@\nwhile (%a)%a@]"
	  (print_list nothing loop_behavior) behaviors
	  (print_option
             (fun fmt (t,r) ->
                match r with
                  | None ->
                      fprintf fmt "@\nvariant %a;" pexpr t
                  | Some r ->
                      fprintf fmt "@\nvariant %a for %a;" pexpr t identifier r
             ))
	  variant
	  pexpr e block [s]
    | JCPEfor (inits, cond, updates, behaviors, variant, body)->
	fprintf fmt "@\n@[loop %a@\n%a@\nfor (%a ; %a ; %a)%a@]"
	  (print_list nothing loop_behavior) behaviors
	  (print_option
             (fun fmt (t,r) ->
                match r with
                  | None ->
                      fprintf fmt "@\nvariant %a;" pexpr t
                  | Some r ->
                      fprintf fmt "@\nvariant %a for %a;" pexpr t identifier r
             ))
	  variant
	  (print_list comma pexpr) inits
	  pexpr cond (print_list comma pexpr) updates
	  block [body]
    | JCPEdecl (ty,vi, None)->
	fprintf fmt "@\n(var %a %s)" ptype ty vi
    | JCPEdecl (ty,vi, Some e)->
	fprintf fmt "@\n(var %a %s = %a)"
	  ptype ty vi pexpr e
    | JCPEassert(behav,asrt,a)->
	fprintf fmt "@\n(%a %a%a)"
	  asrt_kind asrt
	  (print_list_delim
	     (constant_string "for ") (constant_string ": ")
	     comma identifier)
	  behav
	  pexpr a
    | JCPEcontract(req,dec,behs,e) ->
	fprintf fmt "@\n@[<v 2>( ";
	Option_misc.iter
	  (fun e -> if is_not_true e then
	     fprintf fmt "requires %a;@\n" pexpr e) req;
	Option_misc.iter
	  (fun (t,r) -> match r with
	     | None -> fprintf fmt "decreases %a;@\n" pexpr t
	     | Some r -> fprintf fmt "decreases %a for %a;@\n"
		 pexpr t identifier r)
	  dec;
	List.iter (behavior fmt) behs;
	fprintf fmt "@\n{ %a@ })@]" pexpr e
    | JCPEblock l -> block fmt l
    | JCPEswitch (e, csl) ->
	fprintf fmt "@\n@[<v 2>switch (%a) {%a@]@\n}"
	  pexpr e (print_list nothing case) csl

and triggers fmt trigs =
  print_list_delim lsquare rsquare alt (print_list comma pexpr) fmt trigs

and ptag fmt tag =
  match tag#node with
    | JCPTtag id -> string fmt id#name
    | JCPTbottom -> string fmt "\\bottom"
    | JCPTtypeof e -> fprintf fmt "\\typeof(%a)" pexpr e

and handler fmt (ei,vio,s) =
  fprintf fmt "@\n@[<v 2>catch %s %s %a@]"
    ei#name vio
    pexpr s

and pexprs fmt l = print_list semi pexpr fmt l

and block fmt b =
  match b with
    | [] -> fprintf fmt "{()}"
    | _::_ ->
        fprintf fmt "@\n@[<v 0>{@[<v 2>  ";
        pexprs fmt b;
        fprintf fmt "@]@\n}@]"

and case fmt (c,sl) =
  let onecase fmt = function
    | Some c ->
	fprintf fmt "@\ncase %a:" pexpr c
    | None ->
	fprintf fmt "@\ndefault:"
  in
  fprintf fmt "%a%a" (print_list nothing onecase) c pexpr sl

and behavior fmt (_loc,id,throws,assumes,requires,assigns,allocates,ensures) =
  fprintf fmt "@\n@[<v 2>behavior %s:" id;
  Option_misc.iter
    (fun a ->
(*       Format.eprintf "Jc_poutput: assumes %a@." pexpr a;*)
       if is_not_true a then
         fprintf fmt "@\nassumes %a;" pexpr a) assumes;
  Option_misc.iter (fprintf fmt "@\nrequires %a;" pexpr) requires;
  Option_misc.iter
    (fun id -> fprintf fmt "@\nthrows %s;" id#name) throws;
  Option_misc.iter
    (fun (_,locs) -> fprintf fmt "@\nassigns %a;"
       (print_list_or_default "\\nothing" comma pexpr) locs)
    assigns;
  Option_misc.iter
    (fun (_,locs) -> fprintf fmt "@\nallocates %a;"
       (print_list_or_default "\\nothing" comma pexpr) locs)
    allocates;
  fprintf fmt "@\nensures %a;@]" pexpr ensures

and loop_behavior fmt (ids,inv,ass) =
  fprintf fmt "@\n@[<v 2>behavior %a:@\n"
    (print_list comma (fun fmt id -> fprintf fmt "%s" id#name)) ids;
  Option_misc.iter
    (fun i -> fprintf fmt "invariant %a;" pexpr i) inv;
  Option_misc.iter
    (fun (_,locs) -> fprintf fmt "@\nassigns %a;"
       (print_list_or_default "\\nothing" comma pexpr) locs)
    ass;
  fprintf fmt "@]"



let pclause fmt = function
  | JCCrequires e ->
      if is_not_true e then
	fprintf fmt "@\n@[<v 2>  requires @[%a@];@]" pexpr e
  | JCCdecreases(e,None) ->
      fprintf fmt "@\n@[<v 2>  decreases @[%a@];@]" pexpr e
  | JCCdecreases(e,Some r) ->
      fprintf fmt "@\n@[<v 2>  decreases @[%a@] for %a;@]"
	pexpr e identifier r
  | JCCbehavior b -> behavior fmt b

let param fmt (ty,vi) =
  fprintf fmt "%a %s" ptype ty vi

let fun_param fmt (valid,ty,vi) =
  fprintf fmt "%s%a %s" (if valid then "" else "! ") ptype ty vi

let field fmt (modifier,ty,fi,bitsize) =
  let (rep,abstract) = modifier in
  fprintf fmt "@\n";
  if abstract then
    fprintf fmt "abstract "
  else
    if rep then
      fprintf fmt "rep ";
  fprintf fmt "%a %s"
    ptype ty fi;
  match bitsize with
    | Some bitsize ->
	fprintf fmt ": %d;" bitsize
    | None ->
	fprintf fmt ";"

let invariant fmt (id, vi, a) =
  fprintf fmt "@\n@[<hv 2>invariant %s(%s) =@ %a;@]"
    id#name vi pexpr a

let reads_or_expr fmt = function
  | JCnone -> ()
  | JCreads [] ->
      fprintf fmt "@ reads \\nothing;"
  | JCreads el ->
      fprintf fmt "@ reads %a;" (print_list comma pexpr) el
  | JCexpr e ->
      fprintf fmt " =@\n%a" pexpr e
  | JCinductive l ->
      fprintf fmt " {@\n@[<v 2>%a@]@\n}"
	(print_list newline
	   (fun fmt (id,labels,e) ->
	      fprintf fmt "case %s@[%a@]: %a;@\n" id#name
		(print_list_delim lbrace rbrace comma label) labels
		pexpr e)) l

let type_params_decl fmt l = print_list_delim lchevron rchevron comma Pp.string fmt l

let type_params fmt = function
  | [] -> ()
  | l -> fprintf fmt "<%a>" (print_list comma ptype) l

let super_option fmt = function
  | None -> ()
  | Some(s, p) -> fprintf fmt "%s%a with " s type_params p

let rec pdecl fmt d =
  match d#node with
    | JCDfun(ty,id,params,clauses,body) ->
	fprintf fmt "@\n@[%a %s(@[%a@])%a%a@]@\n" ptype ty id#name
	  (print_list comma fun_param) params
	  (print_list nothing pclause) clauses
	  (print_option_or_default "\n;" pexpr) body
    | JCDenum_type(id,min,max) ->
	fprintf fmt "@\n@[type %s = %s..%s@]@\n"
	  id (Num.string_of_num min) (Num.string_of_num max)
    | JCDvariant_type(id, tags) ->
	fprintf fmt "@\n@[type %s = [" id;
	print_list
	  (fun fmt () -> fprintf fmt " | ")
	  (fun fmt tag -> fprintf fmt "%s" tag#name)
	  fmt tags;
	fprintf fmt "]@]@\n"
    | JCDunion_type(id,discriminated,tags) ->
	fprintf fmt "@\n@[type %s = [" id;
	print_list
	  (fun fmt () -> fprintf fmt " %c "
	     (if discriminated then '^' else '&'))
	  (fun fmt tag -> fprintf fmt "%s" tag#name)
	  fmt tags;
	fprintf fmt "]@]@\n"
    | JCDtag(id, params, super, fields, invs) ->
	fprintf fmt "@\n@[<v 2>tag %s%a = %a{%a%a@]@\n}@\n"
          id
          type_params_decl params
          super_option super
          (print_list space field) fields
	  (print_list space invariant) invs
    | JCDvar(ty,id,init) ->
	fprintf fmt "@\n@[%a %s%a;@]@\n" ptype ty id
	  (print_option (fun fmt e -> fprintf fmt " = %a" pexpr e)) init
    | JCDlemma(id,is_axiom,poly_args,lab,a) ->
	fprintf fmt "@\n@[%s %s@[%a@]@[%a@] :@\n%a@]@\n"
          (if is_axiom then "axiom" else "lemma") id
	  (print_list_delim lchevron rchevron comma string) poly_args
	  (print_list_delim lbrace rbrace comma label) lab
	  pexpr a
    | JCDglobal_inv(id,a) ->
	fprintf fmt "@\n@[invariant %s :@\n%a@]@\n" id pexpr a
    | JCDexception(id,tyopt) ->
	fprintf fmt "@\n@[exception %s of %a@]@\n" id
	  (print_option ptype) tyopt
    | JCDlogic_var (ty, id, body) ->
	fprintf fmt "@\n@[logic %a %s %a@]@\n"
	  ptype ty id
	  (print_option (fun fmt e -> fprintf fmt "=@\n%a" pexpr e)) body
    | JCDlogic (None, id, poly_args, labels, params, body) ->
	fprintf fmt "@\n@[predicate %s@[%a@]@[%a@](@[%a@])%a@]@\n"
	  id
          (print_list_delim lchevron rchevron comma string) poly_args
          (print_list_delim lbrace rbrace comma label) labels
	  (print_list comma param) params
	  reads_or_expr body
    | JCDlogic (Some ty, id, poly_args, labels, params, body) ->
	fprintf fmt "@\n@[logic %a %s@[%a@]@[%a@](@[%a@])%a@]@\n"
	  ptype ty id
          (print_list_delim lchevron rchevron comma string) poly_args
          (print_list_delim lbrace rbrace comma label) labels
	  (print_list comma param) params
	  reads_or_expr body
    | JCDlogic_type (id,args) ->
	fprintf fmt "@\n@[logic type %s%a@]@\n" id (print_list_delim lchevron rchevron comma string) args
    | JCDinvariant_policy p ->
        fprintf fmt "# InvariantPolicy = %s@\n" (string_of_invariant_policy p)
    | JCDseparation_policy p ->
        fprintf fmt "# SeparationPolicy = %s@\n" (string_of_separation_policy p)
    | JCDtermination_policy p ->
        fprintf fmt "# TerminationPolicy = %s@\n" (string_of_termination_policy p)
    | JCDannotation_policy p ->
        fprintf fmt "# AnnotationPolicy = %s@\n" (string_of_annotation_policy p)
    | JCDabstract_domain p ->
        fprintf fmt "# AbstractDomain = %s@\n" (string_of_abstract_domain p)
    | JCDint_model p ->
        fprintf fmt "# IntModel = %s@\n" (string_of_int_model p)
    | JCDpragma_gen_sep (kind,s,l) ->
        let print_ptype_r =
          print_pair ptype (print_list semi string) in
        fprintf fmt "# Gen_Separation %s %s(%a)\n" kind s
          (print_list comma print_ptype_r) l
    | JCDpragma_gen_frame (name,logic) ->
      fprintf fmt "# Gen_Frame %s %s" name logic
    | JCDpragma_gen_sub (name,logic) ->
      fprintf fmt "# Gen_Sub %s %s" name logic
    | JCDpragma_gen_same (name,logic) ->
      fprintf fmt "# Gen_Same_Footprint %s %s" name logic
    | JCDaxiomatic(id,l) ->
	fprintf fmt "@\n@[axiomatic %s {@\n@[<v 2>%a@]@\n}@]@\n" id
	  (print_list space pdecl) l

and pdecls fmt (l : pexpr decl list) =
  match l with
    | [] -> ()
    | d::r -> pdecl fmt d; pdecls fmt r

(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. byte"
End:
*)
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_options.ml���������������������������������������������������������������������������0000644�0001750�0001750�00000023644�12311670312�013723� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_stdlib
open Format
open Jc_env
open Jc_common_options

(*s The log file *)

let c = ref stdout

let log =
  c := open_out "jessie.log";
  Format.formatter_of_out_channel !c

let lprintf s = Format.fprintf log s

let close_log () =
  lprintf "End of log.@.";
  close_out !c;
  c := stdout

(*s environment variables *)

let libdir =
  try
    let v = Sys.getenv "WHYLIB" in
    lprintf "WHYLIB is set to %s@." v;
    v
  with Not_found ->
    let p = Version.libdir in
    lprintf "WHYLIB is not set, using %s as default@." p;
    p

let has_floats = ref false

let float_model : float_model ref = ref FMdefensive

let float_instruction_set : float_instruction_set ref = ref FISstrictIEEE754

let libfiles = ref []

let add_to_libfiles s = libfiles := s :: !libfiles
let get_libfiles () = List.rev !libfiles

(*s command-line options *)

let parse_only = ref false
let type_only = ref false
let user_annot_only = ref false
let print_graph = ref false
let why_opt = ref ""
let why3_opt = ref ""

let verify_all_offsets = ref false
let verify_invariants_only = ref false
let verify = ref []
let behavior = ref []

let why3_backend = ref false

let add_why_opt s = why_opt := !why_opt ^ " " ^ s
let add_why3_opt s = why3_opt := !why3_opt ^ " " ^ s

let annotation_sem = ref AnnotNone
let ai_domain = ref AbsNone

let current_rounding_mode = ref FRMNearestEven

let termination_policy = ref Jc_env.TPalways

let int_model = ref IMbounded
let interprocedural = ref false
let main = ref ""
let trust_ai = ref false
let fast_ai = ref false

let gen_frame_rule_with_ft = ref false

let files_ = ref []
let add_file f = files_ := f :: !files_
let files () = List.rev !files_

let pos_files = ref []
let pos_table = Hashtbl.create 97

let version () =
  Printf.printf "This is Jessie version %s, compiled on %s
Copyright (c) 2006-2014 - CNRS/INRIA/Univ Paris-Sud
This is free software with ABSOLUTELY NO WARRANTY (use option -warranty)
" Version.version Version.date;
  exit 0

let usage = "jessie [options] files"

let _ =
  Arg.parse
      [ "-parse-only", Arg.Set parse_only,
	  "  stops after parsing";
        "-type-only", Arg.Set type_only,
	  "  stops after typing";
        "-user-annot-only", Arg.Set user_annot_only,
	  "  check only user-defined annotations (i.e. safety is assumed)";
        "-print-call-graph", Arg.Set print_graph,
	  "  stops after call graph and print call graph";
        "-d", Arg.Set debug,
          "  debugging mode";
	"-locs", Arg.String (fun f -> pos_files := f :: !pos_files),
	  "  <f> reads source locations from file f" ;
        "-behavior", Arg.String (fun s -> behavior := s::!behavior),
	  "  verify only specified behavior (safety, variant, default or user-defined behavior)";

        "-why3ml", Arg.Set why3_backend,
          "  (experimental) produce a program in why3ml syntax" ;

        "-why-opt", Arg.String add_why_opt,
	  "  <why options>  passes options to Why";
        "-why3-opt", Arg.String add_why3_opt,
	  "  <why options>  passes options to Why3";
	"-v", Arg.Set verbose,
          "  verbose mode";
	"-q", Arg.Clear verbose,
          "  quiet mode (default)";
(* 	"-ai", Arg.Tuple [ *)
(* 	  Arg.String (fun s -> ai_domain := s);  *)
(* 	  Arg.Set annot_infer], *)
(*           "  <box,oct,pol,wp,boxwp,octwp,polwp> performs annotation inference" *)
(*           ^ " with abstract interpretation using the Box, Octagon" *)
(*           ^ " or Polyhedron domain, or with weakest preconditions or with both"; *)
	"-main", Arg.Tuple [Arg.Set interprocedural; Arg.Set_string main],
	  "  main function for interprocedural abstract interpretation (needs -ai <domain>)";
	"-fast-ai", Arg.Set fast_ai,
	  "  fast ai (needs -ai <domain> and -main <function>)";
	"-trust-ai", Arg.Set trust_ai,
	  "  verify inferred annotations (needs -ai <domain>)";
	"-separation", Arg.Unit (fun () -> separation_sem := SepRegions),
	  "  apply region-based separation on pointers";
	"--werror", Arg.Set werror,
          "  treats warnings as errors";
	"--version", Arg.Unit version,
          "  prints version and exit";
(*
	"-inv-sem", Arg.String
	  (function
	     | "none" -> inv_sem := InvNone
	     | "ownership" -> inv_sem := InvOwnership
	     | "arguments" -> inv_sem := InvArguments
	     | s -> raise (Arg.Bad ("Unknown mode: "^s))),
	  "  <kind>  sets the semantics of invariants (available modes: none, ownership, arguments)";
*)
	"-all-offsets", Arg.Set verify_all_offsets,
	  "  generate vcs for all pointer offsets";
	"-invariants-only", Arg.Set verify_invariants_only,
	  "  verify invariants only (Arguments policy)";
	"-verify", Arg.String (function s -> verify := s::!verify),
	  "  verify only these functions";
        "-gen_frame_rule_with_ft", Arg.Set gen_frame_rule_with_ft,
        "Experimental : Generate frame rule for predicates and logic functions using only their definitions";
      ]
      add_file usage

let () =
  if !trust_ai && !int_model = IMmodulo then
    (Format.eprintf "cannot trust abstract interpretation \
in modulo integer model";
     assert false)

let usage () =
  eprintf "usage: %s@." usage;
  exit 2

let parse_only = !parse_only
let type_only = !type_only
let user_annot_only = !user_annot_only
let print_graph = !print_graph
let debug = !debug
let verbose = !verbose
let werror = !werror
let why3_backend = !why3_backend
let why_opt = !why_opt
let why3_opt = !why3_opt
let inv_sem = inv_sem
let separation_sem = separation_sem
let trust_ai = !trust_ai
let fast_ai = !fast_ai

let verify_all_offsets = !verify_all_offsets
let verify_invariants_only = !verify_invariants_only
let verify = !verify
let interprocedural = !interprocedural
let main = !main
let behavior = !behavior

let gen_frame_rule_with_ft = !gen_frame_rule_with_ft
let () = if gen_frame_rule_with_ft then libfiles := "mybag.why"::!libfiles

let verify_behavior s =
  behavior = [] || List.mem s behavior

let set_int_model im =
  if im = IMmodulo && trust_ai then
    (Format.eprintf "cannot trust abstract interpretation \
in modulo integer model";
     assert false)
  else
    int_model := im

let set_float_model fm = float_model := fm


(*s error handling *)

exception Jc_error of Loc.position * string

let jc_error l f =
  Format.ksprintf
    (fun s -> raise (Jc_error(l, s))) f

let parsing_error l f =
  Format.ksprintf
    (fun s ->
       let s = if s="" then s else " ("^s^")" in
       raise (Jc_error(l, "syntax error" ^ s))) f

(*s pos table *)

let kind_of_ident = function
  | "ArithOverflow" -> Output.ArithOverflow
  | "DownCast" -> Output.DownCast
  | "IndexBounds" -> Output.IndexBounds
  | "PointerDeref" -> Output.PointerDeref
  | "UserCall" -> Output.UserCall
  | "DivByZero" -> Output.DivByZero
  | "AllocSize" -> Output.AllocSize
  | "Pack" ->  Output.Pack
  | "Unpack" -> Output.Unpack
  | _ -> raise Not_found

let () =
  List.iter
    (fun f ->
       let l = Rc.from_file f in
       List.iter
	 (fun (id,fs) ->
	    let (f,l,b,e,k,o) =
	      List.fold_left
		(fun (f,l,b,e,k,o) v ->
		   match v with
		     | "file", Rc.RCstring f -> (f,l,b,e,k,o)
		     | "line", Rc.RCint l -> (f,l,b,e,k,o)
		     | "begin", Rc.RCint b -> (f,l,b,e,k,o)
		     | "end", Rc.RCint e -> (f,l,b,e,k,o)
		     | "kind", Rc.RCident s ->
			 let k =
			   try
			     Some (kind_of_ident s)
			   with Not_found -> None
			 in
			 (f,l,b,e,k,o)
		     | _ -> (f,l,b,e,k,v::o))
		("",0,0,0,None,[]) fs
	    in
	    Hashtbl.add pos_table id (f,l,b,e,k,o))
	 l)
    !pos_files

let position_of_label name =
  let position f l c = {
    Lexing.pos_fname = f;
    Lexing.pos_lnum = l;
    Lexing.pos_bol = 0;
    Lexing.pos_cnum = c;
  } in
  try
    let (f,l,b,e,_k,_o) = Hashtbl.find pos_table name in
    Some (position f l b, position f l e)
  with Not_found -> None


(*
Local Variables:
compile-command: "unset LANG; make -C .. bin/jessie.byte"
End:
*)
��������������������������������������������������������������������������������������������why-2.34/jc/jc_env.mli������������������������������������������������������������������������������0000644�0001750�0001750�00000014303�12311670312�013161� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


type termination_policy = TPalways | TPnever | TPuser

type float_format = [ `Double | `Float | `Binary80 ]

type native_type = 
    Tunit | Tboolean | Tinteger | Treal | Tgenfloat of float_format | Tstring

type inv_sem = InvNone | InvOwnership | InvArguments

type separation_sem = SepNone | SepRegions

type annotation_sem = 
    AnnotNone | AnnotInvariants | AnnotElimPre | AnnotStrongPre | AnnotWeakPre

type abstract_domain = AbsNone | AbsBox | AbsOct | AbsPol

type int_model = IMbounded | IMmodulo

type float_model = FMmath | FMdefensive | FMfull | FMmultirounding

type float_rounding_mode = 
    FRMDown | FRMNearestEven | FRMUp | FRMToZero | FRMNearestAway

type float_instruction_set = FISstrictIEEE754 | FISx87

type root_kind = Rvariant | RplainUnion | RdiscrUnion

type jc_type =
  | JCTnative of native_type
  | JCTlogic of (string * jc_type list)
  | JCTenum of enum_info
  | JCTpointer of pointer_class * Num.num option * Num.num option
  | JCTnull
  | JCTany (* used when typing (if ... then raise E else ...): 
              raise E is any *)
  | JCTtype_var of type_var_info

and type_var_info =  { jc_type_var_info_name : string;
                       jc_type_var_info_tag : int;
                       jc_type_var_info_univ : bool} 
(* The variable is universally quantified *)

and pointer_class =
  | JCtag of struct_info * jc_type list (* struct_info, type parameters *)
  | JCroot of root_info

and enum_info =
    { 
      jc_enum_info_name : string;
      jc_enum_info_min : Num.num;
      jc_enum_info_max : Num.num;
    }

and struct_info =
    { 
              jc_struct_info_params : type_var_info list;
              jc_struct_info_name : string;
      mutable jc_struct_info_parent : (struct_info * jc_type list) option;
      mutable jc_struct_info_hroot : struct_info;
      mutable jc_struct_info_fields : field_info list;
      mutable jc_struct_info_root : root_info option;
        (* only valid for root structures *)
    }

and root_info =
    {
      jc_root_info_name : string;
(*      mutable jc_root_info_tags : struct_info list;*)
      mutable jc_root_info_hroots : struct_info list;
(*      jc_root_info_open : bool;*)
      jc_root_info_kind : root_kind;
      mutable jc_root_info_union_size_in_bytes: int;
    }

and field_info =
    {
      jc_field_info_tag : int;
      jc_field_info_name : string;
      jc_field_info_final_name : string;
      jc_field_info_type : jc_type;
      jc_field_info_struct: struct_info;
        (* The structure in which the field is defined *)
      jc_field_info_hroot : struct_info;
        (* The root of the structure in which the field is defined *)
      jc_field_info_rep : bool; (* "rep" flag *)
      jc_field_info_abstract : bool; (* "abstract" flag *)
      jc_field_info_bitsize : int option;
        (* Size of the field in bits, optional *)
    }

type region = 
    {
      mutable jc_reg_variable : bool;
      mutable jc_reg_bitwise : bool;
      jc_reg_id : int;
      jc_reg_name : string;
      jc_reg_final_name : string;
      jc_reg_type : jc_type;
    }

type var_info = {
    jc_var_info_tag : int;
    jc_var_info_name : string;
    mutable jc_var_info_final_name : string;
    mutable jc_var_info_type : jc_type;
    mutable jc_var_info_region : region;
    mutable jc_var_info_formal : bool;
    mutable jc_var_info_assigned : bool;
    jc_var_info_static : bool;
  }

type exception_info =
    {
      jc_exception_info_tag : int;
      jc_exception_info_name : string;
      jc_exception_info_type : jc_type option;
    }

type label_info =
    { 
      label_info_name : string;
      label_info_final_name : string;
      mutable times_used : int;
    }

type label = 
  | LabelName of label_info
  | LabelHere
  | LabelPost
  | LabelPre
  | LabelOld

type alloc_class =
  | JCalloc_root of root_info
  | JCalloc_bitvector

type mem_class =
  | JCmem_field of field_info 
  | JCmem_plain_union of root_info
  | JCmem_bitvector

(*
Local Variables: 
compile-command: "unset LANG ; make -C .. byte"
End: 
*)
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/numconst.mli����������������������������������������������������������������������������0000644�0001750�0001750�00000005564�12311670312�013574� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(* Evaluation of constant literals: superset of C and Java

  general rule: case insensitive

  decimal constants:
    . regexp 0 | [1-9][0-9]*

  octal constants:
    . regexp 0[0-7]+

  hexadecimal constants:
    . regexp 0x[0-9a-f]+

  for each of the three above: suffix allowed =  (u|l)*

  characters: between single quotes, with either 
    . ASCII chars
    . octal chars: \[0-7]^3 
    . unicode chars a la Java: \'u'+[0-9a-f]^4 (TODO) 
    . special chars \n, \r, \t, etc. (TODO: give exact list)   

  extended chars a la C: 'L''"'[^'"']*'"' (TODO)

*)

val zero : Num.num

val integer : string -> Num.num


��������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_interp_misc.ml�����������������������������������������������������������������������0000644�0001750�0001750�00000244736�12311670312�014553� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_name
open Jc_constructors
open Jc_pervasives
open Jc_struct_tools
open Jc_effect

open Output
open Pp
open Format

(* The following functions should be eliminated eventually, but before,
 * effect.ml must be redone.
 * They are here, and not in Jc_name, so that Krakatoa do not depends on
 * Jc_typing. *)

let find_struct a =
(*
  Format.printf "[find_struct] %s@." a;
*)
  fst (StringHashtblIter.find Jc_typing.structs_table a)

let find_variant a =
  StringHashtblIter.find Jc_typing.roots_table a

let find_pointer_class a =
  try
    JCtag (find_struct a, []) (* TODO: fill parameters ? *)
  with Not_found ->
    JCroot (find_variant a)

let mutable_name2 a =
  mutable_name (JCtag (find_struct a, []))

let committed_name2 a =
  committed_name (JCtag (find_struct a, []))

let logic_enum_of_int ri = ri.jc_enum_info_name ^ "_of_integer"
let safe_fun_enum_of_int ri = "safe_" ^ ri.jc_enum_info_name ^ "_of_integer_"
(* Yannick: why have both logic_enum_of_int and safe_fun_enum_of_int? *)
let fun_enum_of_int ri = ri.jc_enum_info_name ^ "_of_integer_"
let logic_int_of_enum ri = "integer_of_" ^ ri.jc_enum_info_name
let mod_of_enum ri = "mod_" ^ ri.jc_enum_info_name ^ "_of_integer"
let fun_any_enum ri = "any_" ^ ri.jc_enum_info_name
let eq_of_enum ri = "eq_" ^ ri.jc_enum_info_name


let logic_bitvector_of_enum ri = "bitvector_of_" ^ ri.jc_enum_info_name
let logic_enum_of_bitvector ri = ri.jc_enum_info_name  ^ "_of_bitvector"

let logic_integer_of_bitvector = "integer_of_bitvector"
let logic_bitvector_of_integer = "bitvector_of_integer"
let logic_real_of_bitvector = "real_of_bitvector"

let native_name = function
  | Tunit -> "unit"
  | Tboolean -> "boolean"
  | Tinteger -> "integer"
  | Treal -> "real"
  | Tgenfloat `Double -> "double"
  | Tgenfloat `Float -> "single"
  | Tgenfloat `Binary80 -> "binary80"
  | Tstring -> "string"

(* let logic_bitvector_of_native nty = "bitvector_of_" ^ (native_name nty) *)
(* let logic_native_of_bitvector nty = (native_name nty) ^ "_of_bitvector" *)

let logic_bitvector_of_variant vi = "bitvector_of_" ^ vi.jc_root_info_name
let logic_variant_of_bitvector vi = vi.jc_root_info_name ^ "_of_bitvector"

let logic_union_of_field fi = "bitvector_of_" ^ fi.jc_field_info_name
let logic_field_of_union fi = fi.jc_field_info_name ^ "_of_bitvector"


let why_name_of_format = function
  | `Float -> "Single"
  | `Double -> "Double"
  | `Binary80 -> "Binary80"


(* functions to make Why expressions *)

let make_if_term cond a b =
  LApp("ite", [ cond; a; b ])

let make_eq_term ty a b =
  let eq = match ty with
    | JCTpointer _ | JCTnull -> "eq_pointer_bool"
    | JCTenum _ | JCTlogic _ | JCTany -> assert false
    | JCTnative Tunit -> "eq_unit_bool"
    | JCTnative Tboolean -> "eq_bool_bool"
    | JCTnative Tinteger -> "eq_int_bool"
    | JCTnative Treal -> "eq_real_bool"
    | JCTnative (Tgenfloat f) -> ("eq_"^(native_name (Tgenfloat f)))
    | JCTnative Tstring -> "eq_string_bool"
    | JCTtype_var _ -> assert false (* TODO: need environment *)
  in
  LApp(eq, [a; b])

let make_eq_pred ty a b =
  let eq = match ty with
    | JCTpointer _ | JCTnull -> "eq"
    | JCTenum ri -> eq_of_enum ri
    | JCTlogic _ | JCTany -> assert false
    | JCTnative Tunit -> "eq_unit"
    | JCTnative Tboolean -> "eq_bool"
    | JCTnative Tinteger -> "eq_int"
    | JCTnative Treal -> "eq_real"
    | JCTnative (Tgenfloat f) -> ("eq_"^(native_name (Tgenfloat f)))
    | JCTnative Tstring -> "eq_string"
    | JCTtype_var _ -> assert false (* TODO: need environment *)
  in
  LPred(eq, [a; b])

let make_and_term a b =
  make_if_term a b (LConst(Prim_bool false))

let make_or_term a b =
  make_if_term a (LConst(Prim_bool true)) b

let make_not_term a =
  make_if_term a (LConst(Prim_bool false)) (LConst(Prim_bool true))

let make_eq a b =
  LPred("eq", [ a; b ])

let make_le a b =
  LPred("le", [ a; b ])

let make_ge a b =
  LPred("ge", [ a; b ])

let make_select f this =
  LApp("select", [ f; this ])

let make_select_fi fi =
  make_select (LVar (field_memory_name fi))

let make_select_committed pc =
  make_select (LVar (committed_name pc))

let make_typeof_vi (vi,r) x =
  LApp("typeof", [ LVar (tag_table_name (vi,r)); x ])

let make_typeof st r x =
  make_typeof_vi (struct_root st,r) x

let make_subtag t u =
  LPred("subtag", [ t; u ])

let make_subtag_bool t u =
  LApp("subtag_bool", [ t; u ])

let make_instanceof tt p st =
  LPred("instanceof", [ tt; p; LVar (tag_name st) ])

let make_offset_min ac p =
  LApp("offset_min", [LVar(generic_alloc_table_name ac); p])

let make_offset_max ac p =
  LApp("offset_max", [LVar(generic_alloc_table_name ac); p])

let make_int_of_tag st =
  LApp("int_of_tag", [LVar(tag_name st)])



let pc_of_name name = JCtag (find_struct name, []) (* TODO: parameters *)


let const c =
  match c with
    | JCCvoid -> Prim_void
    | JCCnull -> assert false
    | JCCreal s -> Prim_real s
    | JCCinteger s -> Prim_int (Num.string_of_num (Numconst.integer s))
    | JCCboolean b -> Prim_bool b
    | JCCstring _s -> assert false (* TODO *)

type forall_or_let =
  | JCforall of string * Output.logic_type
  | JClet of string * Output.term


(******************************************************************************)
(*                              environment                                   *)
(******************************************************************************)

let current_behavior : string option ref = ref None
let set_current_behavior behav = current_behavior := Some behav
let reset_current_behavior () = current_behavior := None
let get_current_behavior () =
  match !current_behavior with None -> assert false | Some behav -> behav
let safety_checking () = get_current_behavior () = "safety"
let variant_checking () =
  let behv = get_current_behavior () in
  behv = "safety" || behv = "variant"

let is_current_behavior id = id = get_current_behavior ()

let in_behavior b lb =
  match lb with
    | [] -> b = "default"
    | _ -> List.exists (fun behav -> behav#name = b) lb

let in_current_behavior b = in_behavior (get_current_behavior ()) b

let in_default_behavior b = in_behavior "default" b



let current_spec : fun_spec option ref = ref None
let set_current_spec s = current_spec := Some s
let reset_current_spec () = current_spec := None
let get_current_spec () =
  match !current_spec with None -> assert false | Some s -> s

(*
let current_fun : fun_info option ref = ref None
let set_current_fun s = current_fun := Some s
let reset_current_fun () = current_fun := None
let get_current_fun () =
  match !current_fun with None -> assert false | Some s -> s
*)

let fresh_loop_label =
  let c = ref 0 in
  fun () -> incr c;
    let n = "loop_" ^ string_of_int !c in
    { label_info_name = n;
      label_info_final_name = n;
      times_used = 1 }

(******************************************************************************)
(*                                   types                                    *)
(******************************************************************************)

(* basic model types *)

let why_integer_type = simple_logic_type "int"
let why_unit_type = simple_logic_type "unit"

let root_model_type vi =
  simple_logic_type (root_type_name vi)

let struct_model_type st =
  root_model_type (struct_root st)

let pointer_class_model_type pc =
  root_model_type (pointer_class_root pc)

let bitvector_type = simple_logic_type bitvector_type_name

let alloc_class_type = function
  | JCalloc_root vi -> root_model_type vi
  | JCalloc_bitvector -> why_unit_type

let memory_class_type mc =
  alloc_class_type (alloc_class_of_mem_class mc)

(* raw types *)

let raw_pointer_type ty' =
  { logic_type_name = pointer_type_name;
    logic_type_args = [ty']; }

let raw_pset_type ty' =
  { logic_type_name = pset_type_name;
    logic_type_args = [ty']; }

let raw_alloc_table_type ty' =
  { logic_type_name = alloc_table_type_name;
    logic_type_args = [ty']; }

let raw_tag_table_type ty' =
  { logic_type_name = tag_table_type_name;
    logic_type_args = [ty']; }

let raw_tag_id_type ty' =
  { logic_type_name = tag_id_type_name;
    logic_type_args = [ty']; }

let raw_memory_type ty1' ty2' =
  { logic_type_name = memory_type_name;
    logic_type_args = [ty1';ty2'] }

(* pointer model types *)

let pointer_type ac pc =
  match ac with
    | JCalloc_root _ ->
	raw_pointer_type (pointer_class_model_type pc)
    | JCalloc_bitvector ->
	raw_pointer_type why_unit_type

(* translation *)

let tr_native_type = function
  | Tunit -> "unit"
  | Tboolean -> "bool"
  | Tinteger -> "int"
  | Treal -> "real"
  | Tgenfloat `Double -> "double"
  | Tgenfloat `Float -> "single"
  | Tgenfloat `Binary80 -> "binary80"
  | Tstring -> "string"

let rec tr_base_type ?region = function
  | JCTnative ty ->
      simple_logic_type (tr_native_type ty)
  | JCTlogic (s,l) ->
      { logic_type_name = s;
        logic_type_args = List.map (tr_base_type ?region)  l;
      }
  | JCTenum ri ->
      simple_logic_type ri.jc_enum_info_name
  | JCTpointer(pc, _, _) ->
      let ac = match region with
	| None ->
	    alloc_class_of_pointer_class pc
	| Some r ->
	    if Region.bitwise r then JCalloc_bitvector
	    else alloc_class_of_pointer_class pc
      in
      pointer_type ac pc
  | JCTnull | JCTany -> assert false
  | JCTtype_var t -> logic_type_var (Jc_type_var.uname t)

let tr_type ~region ty = Base_type (tr_base_type ~region ty)

let tr_var_base_type v =
  tr_base_type ~region:v.jc_var_info_region v.jc_var_info_type

let tr_var_type v =
  tr_type ~region:v.jc_var_info_region v.jc_var_info_type

let any_value region t =
  match t with
    | JCTnative ty ->
        begin match ty with
	  | Tunit -> void
	  | Tboolean -> make_app "any_bool" [void]
	  | Tinteger -> make_app "any_int" [void]
	  | Treal -> make_app "any_real" [void]
	  | Tgenfloat _ -> make_app ("any_"^(native_name ty)) [void]
	  | Tstring -> make_app "any_string" [void]
        end
    | JCTnull
    | JCTpointer _ -> make_app ~ty:(tr_type ~region t) "any_pointer" [void]
    | JCTenum ri -> make_app (fun_any_enum ri) [void]
    | JCTlogic _ as ty ->
        let t =
          Annot_type(LTrue, Base_type (tr_base_type ty), [], [], LTrue, [])
        in mk_expr (BlackBox t)
    | JCTany -> assert false
    | JCTtype_var _ -> assert false (* TODO: need environment *)

(* model types *)

let pset_type ac = raw_pset_type (alloc_class_type ac)

let alloc_table_type ac = raw_alloc_table_type (alloc_class_type ac)

let tag_table_type vi = raw_tag_table_type (root_model_type vi)

let tag_id_type vi = raw_tag_id_type (root_model_type vi)

let memory_type mc =
  let value_type = match mc with
    | JCmem_field fi -> tr_base_type fi.jc_field_info_type
    | JCmem_plain_union _
    | JCmem_bitvector -> bitvector_type
  in
  raw_memory_type (memory_class_type mc) value_type

(* query model types *)

let is_alloc_table_type ty' = ty'.logic_type_name = alloc_table_type_name

let is_tag_table_type ty' = ty'.logic_type_name = tag_table_type_name

let is_memory_type ty' = ty'.logic_type_name = memory_type_name

let deconstruct_memory_type_args ty =
  match ty.logic_type_args with [t;v] -> t,v | _ -> assert false

let any_value' ty' =
  let anyfun =
    if is_alloc_table_type ty' then "any_alloc_table"
    else if is_tag_table_type ty' then "any_tag_table"
    else if is_memory_type ty' then "any_memory"
    else assert false
  in
  make_app ~ty:(Base_type ty') anyfun [void]


(******************************************************************************)
(*                                 variables                                  *)
(******************************************************************************)

let transpose_label ~label_assoc lab =
  match label_assoc with
    | None -> lab
    | Some l ->  try List.assoc lab l with Not_found -> lab

let lvar_name ~label_in_name ?label_assoc lab n =
  let lab = transpose_label ~label_assoc lab in
  if label_in_name then
    match lab with
      | LabelHere -> n
      | LabelOld -> assert false
      | LabelPre -> n ^ "_at_Pre"
      | LabelPost -> n ^ "_at_Post"
      | LabelName lab -> n ^ "_at_" ^ lab.label_info_final_name
  else n

let lvar ~constant ~label_in_name lab n =
  let n = lvar_name ~label_in_name lab n in
  if constant then
    LVar n
  else if label_in_name then
    LDeref n
  else match lab with
    | LabelHere -> LDeref n
    | LabelOld -> LDerefAtLabel(n,"")
    | LabelPre -> LDerefAtLabel(n,"init")
    | LabelPost -> LDeref n
    | LabelName lab -> LDerefAtLabel(n,lab.label_info_final_name)

(* simple variables *)

let plain_var n = mk_var n
let deref_var n = mk_expr (Deref n)

let var_name' e = match e.expr_node with
  | Var n | Deref n -> n
  | _ -> assert false

let var v =
  if v.jc_var_info_assigned
  then deref_var v.jc_var_info_final_name
  else plain_var v.jc_var_info_final_name

let param ~type_safe v =
  v.jc_var_info_final_name,
  if type_safe then
    tr_base_type v.jc_var_info_type
  else
    tr_base_type ~region:v.jc_var_info_region v.jc_var_info_type

let tvar_name ~label_in_name lab v =
  let constant = not v.jc_var_info_assigned in
  lvar_name ~label_in_name:(label_in_name && not constant)
    lab v.jc_var_info_final_name


let tvar ~label_in_name lab v =
  let constant = not v.jc_var_info_assigned in
  lvar ~constant ~label_in_name:(label_in_name && not constant)
    lab v.jc_var_info_final_name

let tparam ~label_in_name lab v =
  tvar_name ~label_in_name lab v,
  tvar ~label_in_name lab v,
  tr_base_type v.jc_var_info_type

let local_of_parameter (v',ty') = (var_name' v',ty')
let effect_of_parameter (v',_ty') = var_name' v'
let wparam_of_parameter (v',ty') = (v',Ref_type(Base_type ty'))
let rparam_of_parameter (v',ty') = (v',Base_type ty')

(* model variables *)

let mutable_memory infunction (mc,r) =
  if Region.polymorphic r then
    if Region.bitwise r then
      MemoryMap.exists (fun (_mc',r') _labs -> Region.equal r r')
	infunction.jc_fun_info_effects.jc_writes.jc_effect_memories
    else
      MemoryMap.mem (mc,r)
	infunction.jc_fun_info_effects.jc_writes.jc_effect_memories
  else true

let mutable_alloc_table infunction (ac,r) =
  if Region.polymorphic r then
    if Region.bitwise r then
      AllocMap.exists (fun (_ac',r') _labs -> Region.equal r r')
	infunction.jc_fun_info_effects.jc_writes.jc_effect_alloc_tables
    else
      AllocMap.mem (ac,r)
	infunction.jc_fun_info_effects.jc_writes.jc_effect_alloc_tables
  else true

let mutable_tag_table infunction (vi,r) =
  if Region.polymorphic r then
    if Region.bitwise r then
      TagMap.exists (fun (_vi',r') _labs -> Region.equal r r')
	infunction.jc_fun_info_effects.jc_writes.jc_effect_tag_tables
    else
      TagMap.mem (vi,r)
	infunction.jc_fun_info_effects.jc_writes.jc_effect_tag_tables
  else true

let plain_memory_var (mc,r) = mk_var (memory_name (mc,r))
let deref_memory_var (mc,r) = mk_expr (Deref (memory_name (mc,r)))

let memory_var ?(test_current_function=false) (mc,r) =
  if test_current_function && !current_function = None then
    plain_memory_var (mc,r)
  else if mutable_memory (get_current_function ()) (mc,r) then
    deref_memory_var (mc,r)
  else plain_memory_var (mc,r)

let tmemory_var ~label_in_name lab (mc,r) =
  let mem = memory_name (mc,r) in
  let constant = match !current_function with
    | None -> true
    | Some infunction -> not (mutable_memory infunction (mc,r))
  in
  lvar ~constant ~label_in_name lab mem

let tmemory_param ~label_in_name lab (mc,r) =
  let mem = memory_name (mc,r) in
  let constant = match !current_function with
    | None -> true
    | Some infunction -> not (mutable_memory infunction (mc,r))
  in
  let n = lvar_name (* ~constant *) ~label_in_name lab mem in
  let v = lvar ~constant ~label_in_name lab mem in
  let ty' = memory_type mc in
  n, v, ty'

let plain_alloc_table_var (ac,r) = mk_var (alloc_table_name (ac,r))
let deref_alloc_table_var (ac,r) = mk_expr (Deref (alloc_table_name (ac,r)))

let alloc_table_var ?(test_current_function=false) (ac,r) =
  if test_current_function && !current_function = None then
    plain_alloc_table_var (ac,r)
  else if mutable_alloc_table (get_current_function ()) (ac,r) then
    deref_alloc_table_var (ac,r)
  else plain_alloc_table_var (ac,r)

let talloc_table_var ~label_in_name lab (ac,r) =
  let alloc = alloc_table_name (ac,r) in
  let constant = match !current_function with
    | None -> true
    | Some infunction -> not (mutable_alloc_table infunction (ac,r))
  in
  not constant,lvar ~constant ~label_in_name lab alloc


let talloc_table_param ~label_in_name lab (ac,r) =
  let alloc = alloc_table_name (ac,r) in
  let constant = match !current_function with
    | None -> true
    | Some infunction -> not (mutable_alloc_table infunction (ac,r))
  in
  let n = lvar_name (* ~constant *) ~label_in_name lab alloc in
  let v = lvar ~constant ~label_in_name lab alloc in
  let ty' = alloc_table_type ac in
  n, v, ty'

let plain_tag_table_var (vi,r) = mk_var (tag_table_name (vi,r))
let deref_tag_table_var (vi,r) = mk_expr (Deref (tag_table_name (vi,r)))

let tag_table_var (vi,r) =
  if mutable_tag_table (get_current_function ()) (vi,r) then
    deref_tag_table_var (vi,r)
  else plain_tag_table_var (vi,r)

let ttag_table_var ~label_in_name lab (vi,r) =
  let tag = tag_table_name (vi,r) in
  let constant = match !current_function with
    | None -> true
    | Some infunction -> not (mutable_tag_table infunction (vi,r))
  in
  lvar ~constant ~label_in_name lab tag

let ttag_table_param ~label_in_name lab (vi,r) =
  let tag = tag_table_name (vi,r) in
  let constant = match !current_function with
    | None -> true
    | Some infunction -> not (mutable_tag_table infunction (vi,r))
  in
  let n = lvar_name (* ~constant *) ~label_in_name lab tag in
  let v = lvar ~constant ~label_in_name lab tag in
  let ty' = tag_table_type vi in
  n, v, ty'


(******************************************************************************)
(*                           locations and separation                         *)
(******************************************************************************)

let ref_term : (?subst:(Output.term Jc_envset.VarMap.t) ->
                 type_safe:bool -> global_assertion:bool -> relocate:bool
		 -> label -> label -> Jc_fenv.term -> Output.term) ref
    = ref (fun ?(subst=VarMap.empty) ~type_safe:_ ~global_assertion:_
             ~relocate:_ _ _ _ ->
               assert (VarMap.is_empty subst);
               assert false)

let rec location ~type_safe ~global_assertion lab loc =
  let flocs = location_set ~type_safe ~global_assertion lab in
  let ft = !ref_term ~type_safe ~global_assertion ~relocate:false lab lab in
  match loc#node with
    | JCLvar _v ->
	LVar "pset_empty"
    | JCLderef(locs,_lab,_fi,_r) ->
	flocs locs
    | JCLderef_term(t1,_fi) ->
	LApp("pset_singleton",[ ft t1 ])
    | _ -> assert false (* TODO *)

and location_set ~type_safe ~global_assertion lab locs =
  let flocs = location_set ~type_safe ~global_assertion lab in
  let ft = !ref_term ~type_safe ~global_assertion ~relocate:false lab lab in
  match locs#node with
    | JCLSvar v ->
	LApp("pset_singleton",[ tvar ~label_in_name:global_assertion lab v ])
    | JCLSderef(locs,lab,fi,_r) ->
	let mc,_fi_opt = lderef_mem_class ~type_safe locs fi in
        let mem =
	  tmemory_var ~label_in_name:global_assertion lab (mc,locs#region)
	in
	LApp("pset_deref",[ mem; flocs locs ])
    | JCLSrange(locs,Some t1,Some t2) ->
	LApp("pset_range",[ flocs locs; ft t1; ft t2 ])
    | JCLSrange(locs,None,Some t2) ->
	LApp("pset_range_left",[ flocs locs; ft t2 ])
    | JCLSrange(locs,Some t1,None) ->
	LApp("pset_range_right",[ flocs locs; ft t1 ])
    | JCLSrange(locs,None,None) ->
	LApp("pset_all",[ flocs locs ])
    | JCLSrange_term(locs,Some t1,Some t2) ->
	LApp("pset_range",[ LApp("pset_singleton", [ ft locs ]); ft t1; ft t2 ])
    | JCLSrange_term(locs,None,Some t2) ->
	LApp("pset_range_left",[ LApp("pset_singleton", [ ft locs ]); ft t2 ])
    | JCLSrange_term(locs,Some t1,None) ->
	LApp("pset_range_right",[ LApp("pset_singleton", [ ft locs ]); ft t1 ])
    | JCLSrange_term(locs,None,None) ->
	LApp("pset_all",[ LApp("pset_singleton", [ ft locs ]) ])
    | JCLSat(locs,_lab) -> flocs locs


let rec location_list' = function
  | [] -> LVar "pset_empty"
  | [e'] -> e'
  | e' :: el' -> LApp("pset_union",[ e'; location_list' el' ])

let separation_condition loclist loclist' =
  let floc = location ~type_safe:false ~global_assertion:false LabelHere in
  let pset = location_list' (List.map floc loclist) in
  let pset' = location_list' (List.map floc loclist') in
  LPred("pset_disjoint",[ pset; pset' ])

type memory_effect = RawMemory of Memory.t | PreciseMemory of Location.t

exception NoRegion

let rec transpose_location ~region_assoc ~param_assoc (loc,(mc,rdist)) =
  match transpose_region ~region_assoc rdist with
    | None -> None
    | Some rloc ->
	try
	  let rec mk_node loc = match loc#node with
	    | JCLvar v ->
		if v.jc_var_info_static then
		  JCLvar v
		else
		  begin match List.mem_assoc_eq VarOrd.equal v param_assoc with
		    | None -> (* Local variable *)
			raise NoRegion
		    | Some e ->
			match location_of_expr e with
			  | None -> raise NoRegion
			  | Some loc' -> loc'#node
		  end
	    | JCLderef(locs,lab,fi,r) ->
		let locs =
		  transpose_location_set ~region_assoc ~param_assoc locs
		in
		JCLderef(locs,lab,fi,r) (* TODO: remove useless lab & r *)
            | JCLat(loc,lab) ->
                let node = mk_node loc in
                JCLat(new location_with ~typ:loc#typ ~region:rloc ~node loc,lab)
	    | _ -> assert false (* TODO *)
	  in
          let node = mk_node loc in
	  let loc = new location_with ~typ:loc#typ ~region:rloc ~node loc in
	  Some(PreciseMemory(loc,(mc,rloc)))
	with NoRegion ->
	  Some(RawMemory(mc,rloc))

and transpose_location_set ~region_assoc ~param_assoc locs =
  match transpose_region ~region_assoc locs#region with
    | None -> raise NoRegion
    | Some rloc ->
	let node = match locs#node with
	  | JCLSvar v ->
	      if v.jc_var_info_static then
		JCLSvar v
	      else
		begin match List.mem_assoc_eq VarOrd.equal v param_assoc with
		  | None -> (* Local variable *)
		      raise NoRegion
		  | Some e ->
		      match location_set_of_expr e with
			| None -> raise NoRegion
			| Some locs' -> locs'#node
	      end
	  | JCLSderef(locs',lab,fi,r) ->
	      let locs' =
		transpose_location_set ~region_assoc ~param_assoc locs'
	      in
	      JCLSderef(locs',lab,fi,r) (* TODO: remove useless lab & r *)
          | JCLSat(locs',lab) ->
              let locs' =
                transpose_location_set ~region_assoc ~param_assoc locs'
              in JCLSat(locs',lab)
	  | _ -> assert false (* TODO *)
	in
	new location_set_with ~typ:locs#typ  ~region:rloc ~node locs

let transpose_location_set ~region_assoc ~param_assoc locs _w =
  try Some(transpose_location_set ~region_assoc ~param_assoc locs)
  with NoRegion -> None

let transpose_location_list
    ~region_assoc ~param_assoc rw_raw_mems rw_precise_mems (mc,distr) =
  if MemorySet.mem (mc,distr) rw_raw_mems then
    begin
(*
	Format.eprintf "** Jc_interp_misc.transpose_location_list: TODO: parameters **@.";
	Format.eprintf "memory %a@\nin memory set %a@."
	  print_memory (mc,distr)
	  (print_list comma print_memory) (MemorySet.elements rw_raw_mems);
	assert false
*)
        []
(*
        MemorySet.fold
          (fun (mc,r) acc ->
             if Region.equal r distr then
               let r' =
	         match
                   transpose_region ~region_assoc r
                 with
                   | None -> None
                   | Some rloc -> Some(RawMemory(mc,rloc))
               in
                 failwith "what to do ?"
             else acc) rw_raw_mems []
*)
     end

    else
      LocationSet.fold
	(fun ((_,(_,r)) as x) acc ->
           if Region.equal r distr then
	     match
               transpose_location ~region_assoc ~param_assoc x
             with
	       | None -> acc
	       | Some(RawMemory _) -> assert false
	       | Some(PreciseMemory(loc,(_mc,_rloc))) -> loc :: acc
           else acc) rw_precise_mems []

let write_read_separation_condition
    ~callee_reads ~callee_writes ~region_assoc ~param_assoc
    inter_names writes reads =
  List.fold_left
    (fun acc ((mc,distr),(v,_ty')) ->
       let n = var_name' v in
       if StringSet.mem n inter_names then
	 (* There is a read/write interference on this memory *)
	 List.fold_left
	   (fun acc ((mc',distr'),(v',_ty')) ->
	      let n' = var_name' v' in
	      if n = n' then
		let rw_raw_mems =
		  MemorySet.of_list
		    (MemoryMap.keys callee_reads.jc_effect_raw_memories
		     @ MemoryMap.keys callee_writes.jc_effect_raw_memories)
		in
		let rw_precise_mems =
		  LocationSet.of_list
		    (LocationMap.keys callee_reads.jc_effect_precise_memories
		     @
		     LocationMap.keys callee_writes.jc_effect_precise_memories)
		in
		let loclist =
		  transpose_location_list ~region_assoc ~param_assoc
		    rw_raw_mems rw_precise_mems (mc,distr)
		in
		let loclist' =
		  transpose_location_list ~region_assoc ~param_assoc
		    rw_raw_mems rw_precise_mems (mc',distr')
		in
		if loclist <> [] && loclist' <> [] then
		  let pre = separation_condition loclist loclist' in
		  make_and pre acc
                else acc
	      else acc
	   ) acc writes
       else acc
    ) LTrue reads

let write_write_separation_condition
    ~callee_reads ~callee_writes ~region_assoc ~param_assoc
    ww_inter_names writes _reads =
  let writes =
    List.filter
      (fun ((_mc,_distr),(v,_ty)) ->
	 let n = var_name' v in
	 StringSet.mem n ww_inter_names
      ) writes
  in
  let write_pairs = List.all_pairs writes in
  List.fold_left
    (fun acc (((mc,distr),(v,_ty)), ((mc',distr'),(v',_ty'))) ->
       let n = var_name' v in
       let n' = var_name' v' in
       if n = n' then
	 (* There is a write/write interference on this memory *)
	 let rw_raw_mems =
	   MemorySet.of_list
	     (MemoryMap.keys callee_reads.jc_effect_raw_memories
	      @ MemoryMap.keys callee_writes.jc_effect_raw_memories)
	 in
	 let rw_precise_mems =
	   LocationSet.of_list
	     (LocationMap.keys callee_reads.jc_effect_precise_memories
	      @
	      LocationMap.keys callee_writes.jc_effect_precise_memories)
	 in
	 let loclist =
	   transpose_location_list ~region_assoc ~param_assoc
	     rw_raw_mems rw_precise_mems (mc,distr)
	 in
	 let loclist' =
	   transpose_location_list ~region_assoc ~param_assoc
	     rw_raw_mems rw_precise_mems (mc',distr')
	 in
	 if loclist <> [] && loclist' <> [] then
	   let pre = separation_condition loclist loclist' in
	   make_and pre acc
         else acc
       else acc
    ) LTrue write_pairs


(******************************************************************************)
(*                                  effects                                   *)
(******************************************************************************)

let rec all_possible_memory_effects acc r ty =
  match ty with
    | JCTpointer(pc,_,_) ->
	begin match pc with
	  | JCroot _ -> acc (* TODO *)
	  | JCtag(st,_) ->
	      List.fold_left
		(fun acc fi ->
		   let mc = JCmem_field fi in
		   let mem = mc,r in
		   if MemorySet.mem mem acc then
		     acc
		   else
		     all_possible_memory_effects
		       (MemorySet.add mem acc) r fi.jc_field_info_type
		) acc st.jc_struct_info_fields
	end
    | JCTnative _
    | JCTnull
    | JCTenum _
    | JCTlogic _
    | JCTany -> acc
    | JCTtype_var _ -> assert false (* TODO: need environment *)


let rewrite_effects ~type_safe ~params ef =
  let all_mems =
    List.fold_left
      (fun acc v ->
	 all_possible_memory_effects acc v.jc_var_info_region v.jc_var_info_type
      ) MemorySet.empty params
  in
  if not type_safe then ef else
    { ef with
	jc_effect_memories =
	MemoryMap.fold
	  (fun (mc,r) labs acc ->
	     match mc with
	       | JCmem_field _ | JCmem_plain_union _ ->
		   MemoryMap.add (mc,r) labs acc
	       | JCmem_bitvector ->
		   MemorySet.fold
		     (fun (mc',r') acc ->
			if Region.equal r r' then
			  MemoryMap.add (mc',r') labs acc
			else acc
		     ) all_mems acc
	  ) ef.jc_effect_memories MemoryMap.empty
    }


(******************************************************************************)
(*                                 Structures                                 *)
(******************************************************************************)

let const_of_num n = LConst(Prim_int(Num.string_of_num n))

let define_locals ?(reads=[]) ?(writes=[]) e' =
  let e' =
    List.fold_left
      (fun acc (n,ty') -> mk_expr (Let(n,any_value' ty',acc)))
      e' reads
  in
  let e' =
    List.fold_left
      (fun acc (n,ty') -> mk_expr (Let_ref(n,any_value' ty',acc)))
      e' writes
  in
  e'

(* Validity *)

let make_valid_pred_app ~in_param ~equal (ac, r) pc p ao bo =
  assert (in_param = in_param);
  let all_allocs = match ac with
    | JCalloc_bitvector -> [ ac ]
    | JCalloc_root rt ->
	match rt.jc_root_info_kind with
	  | Rvariant
	  | RdiscrUnion -> all_allocs ~select:fully_allocated pc
	  | RplainUnion -> [ ac ]
  in
  let allocs =
    List.map (fun ac ->
                (*
                  let v = alloc_table_name(ac,r) in
                  if in_param then LDeref v else LVar v
                *)
                let is_not_cte,v =
                  talloc_table_var ~label_in_name:false LabelHere (ac,r)
                in
                match v with
                  | LDeref x ->
                      assert is_not_cte;
                      assert in_param;
                      if is_not_cte then v else LVar x
                  | LVar x ->
                      assert (not is_not_cte);
                     (*  assert (not in_param); *)
                      (* if in_param then *) LDeref x (* else v *)
                  | _ -> assert false
             ) all_allocs
  in
  let all_mems = match ac with
    | JCalloc_bitvector -> []
    | JCalloc_root rt ->
	match rt.jc_root_info_kind with
	  | Rvariant
	  | RdiscrUnion -> all_memories ~select:fully_allocated pc
	  | RplainUnion -> []
  in
  let mems =
    List.map (fun mc ->
                tmemory_var ~label_in_name:false LabelHere (mc,r))
      all_mems
  in
  let params = allocs @ mems in
  let f x acc = x :: acc in
  let params = Option_misc.fold f bo params in
  let params = Option_misc.fold f ao params in
  LPred (valid_pred_name ~equal ~left:(ao <> None) ~right:(bo <> None) ac pc, p :: params)

(*
If T is a structure:
   valid_T(p, a, b, allocs ...) =
     if T is root:
       offset_min(alloc_i, p) == a &&
       offset_max(alloc_i, p) == b
     else if S is the direct superclass of T:
       valid_S(p, a, b, allocs ...)
     and for all field (T'[a'..b'] f) of p,
       valid_T'(p.f, a', b', allocs ...)
If T is a variant, then we only have the condition on offset_min and max.
*)
let make_valid_pred ~in_param ~equal ?(left=true) ?(right=true) ac pc =
  let p = "p" in
  let a = "a" in
  let b = "b" in
  let params =
    let all_allocs = match ac with
      | JCalloc_bitvector -> [ ac ]
      | JCalloc_root rt ->
	  match rt.jc_root_info_kind with
	    | Rvariant
	    | RdiscrUnion -> all_allocs ~select:fully_allocated pc
	    | RplainUnion -> [ ac ]
    in
    let allocs =
      List.map (fun ac -> generic_alloc_table_name ac,alloc_table_type ac)
	all_allocs
    in
    let all_mems = match ac with
      | JCalloc_bitvector -> []
      | JCalloc_root rt ->
	  match rt.jc_root_info_kind with
	    | Rvariant
	    | RdiscrUnion -> all_memories ~select:fully_allocated pc
	    | RplainUnion -> []
    in
    let mems =
      List.map (fun mc -> generic_memory_name mc,memory_type mc) all_mems
    in
    let p = p, pointer_type ac pc in
    let a = a, why_integer_type in
    let b = b, why_integer_type in
    let params = allocs @ mems in
    let params = if right then b :: params else params in
    let params = if left then a :: params else params in
      p :: params
  in
  let validity =
    let omin, omax, super_valid = match pc with
      | JCtag ({ jc_struct_info_parent = Some(st, pp) }, _) ->
          LTrue,
          LTrue,
          make_valid_pred_app ~in_param ~equal
	    (ac,dummy_region) (JCtag(st, pp)) (LVar p)
	    (if left then Some (LVar a) else None)
	    (if right then Some (LVar b) else None)
      | JCtag ({ jc_struct_info_parent = None }, _)
      | JCroot _ ->
          (if equal then make_eq else make_le) (make_offset_min ac (LVar p)) (LVar a),
          (if equal then make_eq else make_ge) (make_offset_max ac (LVar p)) (LVar b),
          LTrue
    in
    let fields_valid = match ac with
      | JCalloc_bitvector -> [ LTrue ]
      | JCalloc_root rt ->
	  match rt.jc_root_info_kind with
	    | Rvariant ->
		begin match pc with
		  | JCtag(st,_) ->
		      List.map
			(function
			   | { jc_field_info_type =
				 JCTpointer(fpc, Some fa, Some fb) } as fi ->
			       make_valid_pred_app ~in_param ~equal (ac,dummy_region) fpc
				 (make_select_fi fi (LVar p))
				 (if left then Some (const_of_num fa) else None)
				 (if right then Some (const_of_num fb) else None)
			   | _ ->
			       LTrue)
			st.jc_struct_info_fields
		  | JCroot _ -> [ LTrue ]
		end
	    | RdiscrUnion
	    | RplainUnion -> [ LTrue ]
    in
    let validity = super_valid :: fields_valid in
    let validity = if right then omax :: validity else validity in
    let validity = if left then omin :: validity else validity in
      make_and_list validity
  in
  Predicate(false, id_no_loc (valid_pred_name ~equal ~left ~right ac pc),
	    params, validity)

(* Allocation *)

let alloc_write_parameters (ac,r) pc =
  let all_allocs = match ac with
    | JCalloc_bitvector -> [ ac ]
    | JCalloc_root rt ->
	match rt.jc_root_info_kind with
	  | Rvariant
	  | RdiscrUnion -> all_allocs ~select:fully_allocated pc
	  | RplainUnion -> [ ac ]
  in
  let allocs =
    List.map (fun ac -> plain_alloc_table_var (ac,r), alloc_table_type ac)
      all_allocs
  in
  let all_tags = match ac with
    | JCalloc_bitvector -> []
    | JCalloc_root rt ->
	match rt.jc_root_info_kind with
	  | Rvariant
	  | RdiscrUnion -> [ rt ]
	  | RplainUnion -> []
  in
  let tags =
    List.map (fun vi -> plain_tag_table_var (vi,r), tag_table_type vi)
      all_tags
  in
  allocs @ tags

let alloc_read_parameters (ac,r) pc =
  let all_mems = match ac with
    | JCalloc_bitvector -> []
    | JCalloc_root rt ->
	match rt.jc_root_info_kind with
	  | Rvariant
	  | RdiscrUnion -> all_memories ~select:fully_allocated pc
	  | RplainUnion -> []
  in
  let mems =
    List.map
      (fun mc ->
	 memory_var ~test_current_function:true (mc,r), memory_type mc)
      all_mems
  in
  mems

let alloc_arguments (ac,r) pc =
  let writes = alloc_write_parameters (ac,r) pc in
  let reads = alloc_read_parameters (ac,r) pc in
  List.map fst writes @ List.map fst reads

let make_alloc_param ~check_size ac pc =
  let n = "n" in
  let alloc = generic_alloc_table_name ac in
  (* parameters and effects *)
  let writes = alloc_write_parameters (ac,dummy_region) pc in
  let write_effects =
    List.map (function ({ expr_node = Var n},_ty') -> n | _ -> assert false) writes
  in
  let write_params =
    List.map (fun (n,ty') -> (n,Ref_type(Base_type ty'))) writes
  in
  let reads = alloc_read_parameters (ac,dummy_region) pc in
  let read_params =
    List.map (fun (n,ty') -> (n,Base_type ty')) reads
  in
  let params = [ (mk_var n,Base_type why_integer_type) ] in
  let params = params @ write_params @ read_params in
  let params =
    List.map (function ({expr_node = Var n},ty') -> (n,ty') | _ -> assert false) params
  in
  (* precondition *)
  let pre =
    if check_size then LPred("ge_int",[LVar n;LConst(Prim_int "0")])
    else LTrue
  in
  (* postcondition *)
  let instanceof_post = match ac with
    | JCalloc_bitvector -> []
    | JCalloc_root rt ->
	match rt.jc_root_info_kind with
	  | Rvariant ->
	      begin match pc with
		| JCtag(st,_) ->
		    let tag = generic_tag_table_name (struct_root st) in
		    (* [instanceof(tagtab,result,tag_st)] *)
		    [ LPred("instanceof",
			    [LDeref tag;LVar "result";LVar(tag_name st)]) ]
		| JCroot _ -> []
	      end
	  | RdiscrUnion
	  | RplainUnion -> []
  in
  let alloc_type =
    Annot_type(
      (* [n >= 0] *)
      pre,
      (* argument pointer type *)
      Base_type(pointer_type ac pc),
      (* reads and writes *)
      [], write_effects,
      (* normal post *)
      make_and_list (
	[
          (* [valid_st(result,0,n-1,alloc...)] *)
          make_valid_pred_app ~in_param:true ~equal:true (ac,dummy_region) pc
            (LVar "result")
            (Some (LConst(Prim_int "0")))
            (Some (LApp("sub_int",[LVar n; LConst(Prim_int "1")])));
          (* [alloc_extends(old(alloc),alloc)] *)
          LPred("alloc_extends",[LDerefAtLabel(alloc,"");LDeref alloc]);
          (* [alloc_fresh(old(alloc),result,n)] *)
          LPred("alloc_fresh",[LDerefAtLabel(alloc,"");LVar "result";LVar n])
	]
	@ instanceof_post ),
      (* no exceptional post *)
      [])
  in
  let alloc_type =
    List.fold_right (fun (n,ty') acc -> Prod_type(n, ty', acc))
      params alloc_type
  in
  let name = alloc_param_name ~check_size ac pc in
  Param(false,id_no_loc name,alloc_type)

(* Conversion to and from bitvector *)

let make_param ~name ~writes ~reads ~pre ~post ~return_type =
  (* parameters and effects *)
  let write_effects = List.map effect_of_parameter writes in
  let write_params = List.map wparam_of_parameter writes in
  let read_params = List.map rparam_of_parameter reads in
  let params = write_params @ read_params in
  let params = List.map local_of_parameter params in
  (* type *)
  let annot_type =
    Annot_type(
      pre,
      Base_type return_type,
      (* reads and writes *)
      [], write_effects,
      (* normal post *)
      post,
      (* no exceptional post *)
      [])
  in
  let annot_type =
    List.fold_right (fun (n,ty') acc -> Prod_type(n, ty', acc))
      params annot_type
  in
  Param(false,id_no_loc name,annot_type)

let conv_bw_alloc_parameters ~deref r _pc =
  let ac = JCalloc_bitvector in
  let allocv =
    if deref then
      alloc_table_var ~test_current_function:true (ac,r)
    else
      plain_alloc_table_var (ac,r)
  in
  let alloc = (allocv, alloc_table_type ac) in
  [ alloc ]

let conv_bw_mem_parameters ~deref r _pc =
  let mc = JCmem_bitvector in
  let memv =
    if deref then
      memory_var ~test_current_function:true (mc,r)
    else
      plain_memory_var (mc,r)
  in
  let mem = (memv, memory_type mc) in
  [ mem ]

(* let conv_bw_mem_tparameters r pc = *)
(*   let mc = JCmem_bitvector in *)
(*   let memv = tmemory_var ~label_in_name:global_assertion lab (mc,locs#region)  *)
(* tmemory_var ~test_current_function:true (mc,r) *)
(*     else  *)
(*       plain_memory_var (mc,r) *)
(*   in *)
(*   let mem = (memv, memory_type mc) in *)
(*   [ mem ] *)

let conv_typ_alloc_parameters r pc =
  match pc with
    | JCtag _ ->
	let ac = alloc_class_of_pointer_class pc in
	let alloc = (plain_alloc_table_var (ac,r), alloc_table_type ac) in
	[ alloc ]
    | JCroot vi ->
	let ac = JCalloc_root vi in
	let alloc = (plain_alloc_table_var (ac,r), alloc_table_type ac) in
	[ alloc ]

let conv_typ_mem_parameters ~deref r pc =
  let memvar = if deref then deref_memory_var else plain_memory_var in
  match pc with
    | JCtag _ ->
	let all_mems = all_memories pc in
	let mems =
	  List.map
	    (fun mc -> memvar (mc,r), memory_type mc) all_mems
	in
	mems
    | JCroot rt ->
	match rt.jc_root_info_kind with
	  | Rvariant -> []
	  | RdiscrUnion -> assert false (* TODO *)
	  | RplainUnion ->
	      let mc = JCmem_plain_union rt in
	      let mem = (memvar (mc,r), memory_type mc) in
	      [ mem ]

let make_ofbit_alloc_param_app r pc =
  let writes = conv_typ_alloc_parameters r pc in
  let reads = conv_bw_alloc_parameters ~deref:true r pc in
  let args = List.map fst writes @ List.map fst reads in
  let app = match pc with
    | JCtag _ ->
	make_app (alloc_of_bitvector_param_name pc) args
    | JCroot rt ->
	match rt.jc_root_info_kind with
	  | Rvariant -> void
	  | RdiscrUnion -> assert false (* TODO *)
	  | RplainUnion -> assert false (* TODO *)
  in
  let locals = List.map local_of_parameter writes in
  locals, app

let make_ofbit_mem_param_app r pc =
  let writes = conv_typ_mem_parameters ~deref:false r pc in
  let reads = conv_bw_mem_parameters ~deref:true r pc in
  let args = List.map fst writes @ List.map fst reads in
  let app = match pc with
    | JCtag _ ->
	make_app (mem_of_bitvector_param_name pc) args
    | JCroot rt ->
	match rt.jc_root_info_kind with
	  | Rvariant -> void
	  | RdiscrUnion -> assert false (* TODO *)
	  | RplainUnion -> assert false (* TODO *)
  in
  let locals = List.map local_of_parameter writes in
  locals, app

let make_tobit_alloc_param_app r pc =
  let writes = conv_bw_alloc_parameters ~deref:false r pc in
  let reads = conv_typ_alloc_parameters r pc in
  let args = List.map fst writes @ List.map fst reads in
  let app = match pc with
    | JCtag _ ->
	make_app (alloc_to_bitvector_param_name pc) args
    | JCroot rt ->
	match rt.jc_root_info_kind with
	  | Rvariant -> void
	  | RdiscrUnion -> assert false (* TODO *)
	  | RplainUnion -> assert false (* TODO *)
  in
  app

let make_tobit_mem_param_app r pc =
  let writes = conv_bw_mem_parameters ~deref:false r pc in
  let reads = conv_typ_mem_parameters ~deref:true r pc in
  let args = List.map fst writes @ List.map fst reads in
  let app = match pc with
    | JCtag _ ->
	make_app (mem_to_bitvector_param_name pc) args
    | JCroot rt ->
	match rt.jc_root_info_kind with
	  | Rvariant -> void
	  | RdiscrUnion -> assert false (* TODO *)
	  | RplainUnion -> assert false (* TODO *)
  in
  app

let make_of_bitvector_app fi e' =
  (* Convert bitvector into appropriate type *)
  match fi.jc_field_info_type with
    | JCTenum ri -> LApp(logic_enum_of_bitvector ri,[e'])
(*     | JCTnative nty -> LApp(logic_native_of_bitvector nty,[e']) *)
    | JCTpointer(pc,_,_) ->
	LApp(logic_variant_of_bitvector (pointer_class_root pc),[e'])
    | _ty -> assert false (* TODO *)

let make_conversion_params pc =
  let p = "p" in
  let bv_mem = generic_memory_name JCmem_bitvector in
  let bv_alloc = generic_alloc_table_name JCalloc_bitvector in

  (* postcondition *)
  let post_alloc = match pc with
    | JCtag(st,_) ->
	if struct_has_size st then
	  let post_alloc =
	    let ac = alloc_class_of_pointer_class pc in
	    let alloc = generic_alloc_table_name ac in
	    let s = string_of_int (struct_size_in_bytes st) in
	    let post_min =
	      make_eq_pred integer_type
		(LApp("offset_min",[ LVar alloc; LVar p ]))
		(LApp("offset_min_bytes",[ LVar bv_alloc;
					   LApp("pointer_address",[ LVar p ]);
					   LConst(Prim_int s)]))
	    in
	    let post_max =
	      make_eq_pred integer_type
		(LApp("offset_max",[ LVar alloc; LVar p ]))
		(LApp("offset_max_bytes",[ LVar bv_alloc;
					   LApp("pointer_address",[ LVar p ]);
					   LConst(Prim_int s)]))
	    in
	    let ty' = pointer_type ac pc in
	    let post = make_and post_min post_max in
	    LForall(p,ty',[],post)
	  in
	  post_alloc
	else LTrue
    | JCroot _ -> assert false (* TODO *)
  in
  let post_mem = match pc with
    | JCtag(st,_) ->
	if struct_has_size st then
	  let fields = all_fields pc in
	  let post_mem,_ =
	    List.fold_left
	      (fun (acc,i) fi ->
		 if field_type_has_bitvector_representation fi then
		   let pi = p ^ (string_of_int i) in
		   let mc = JCmem_field fi in
		   let ac = alloc_class_of_mem_class mc in
		   let mem =
		     tmemory_var ~label_in_name:true LabelHere
		       (mc,dummy_region)
		   in
		   let off =
		     match field_offset_in_bytes fi with
		       | Some x -> x
		       | None ->  assert false
		   in
		   let size =
		     match fi.jc_field_info_bitsize with
		       | Some x -> x / 8
		       | None -> assert false
		   in
		   let off = string_of_int off and size = string_of_int size in
		   let posti =
		     make_eq_pred fi.jc_field_info_type
		       (LApp("select",[ mem; LVar pi ]))
		       (make_of_bitvector_app fi
			  (LApp("select_bytes",
				[ LVar bv_mem;
				  LApp("pointer_address",[ LVar pi ]);
				  LConst(Prim_int off); LConst(Prim_int size) ])))
		   in
		   let ty' = pointer_type ac pc in (* Correct pc *)
		   let posti = LForall(pi,ty',[],posti) in
		   make_and acc posti, i+1
		 else acc, i
	      ) (LTrue,0) fields
	  in
	  post_mem
	else LTrue
    | JCroot _ -> assert false (* TODO *)
  in

  (* Invariant linking typed and byte views *)

(*   let mem_logic = *)
(*     Logic(false, mem_bitvector_logic_name pc, params, result_ty')  *)
(*   in *)

  (* Conversion from bitvector *)
  let writes = conv_typ_alloc_parameters dummy_region pc in
  let reads = conv_bw_alloc_parameters ~deref:true dummy_region pc in
  let name = alloc_of_bitvector_param_name pc in
  let alloc_ofbit_param =
    make_param ~name ~writes ~reads ~pre:LTrue ~post:post_alloc
      ~return_type:why_unit_type
  in

  let writes = conv_typ_mem_parameters ~deref:false dummy_region pc in
  let reads = conv_bw_mem_parameters ~deref:true dummy_region pc in
  let name = mem_of_bitvector_param_name pc in
  let mem_ofbit_param =
    make_param ~name ~writes ~reads ~pre:LTrue ~post:post_mem
      ~return_type:why_unit_type
  in

  (* Conversion to bitvector *)
  let writes = conv_bw_alloc_parameters ~deref:false dummy_region pc in
  let reads = conv_typ_alloc_parameters dummy_region pc in
  let name = alloc_to_bitvector_param_name pc in
  let alloc_tobit_param =
    make_param ~name ~writes ~reads ~pre:LTrue ~post:post_alloc
      ~return_type:why_unit_type
  in

  let writes = conv_bw_mem_parameters ~deref:false dummy_region pc in
  let reads = conv_typ_mem_parameters ~deref:true dummy_region pc in
  let name = mem_to_bitvector_param_name pc in
  let mem_tobit_param =
    make_param ~name ~writes ~reads ~pre:LTrue ~post:post_mem
      ~return_type:why_unit_type
  in

  [ alloc_ofbit_param; mem_ofbit_param; alloc_tobit_param; mem_tobit_param ]


(******************************************************************************)
(*                               call arguments                               *)
(******************************************************************************)

type param_mode = [ `MAppParam | `MFunParam ]
type effect_mode = [ `MEffect | `MLocalEffect ]
type param_or_effect_mode = [ param_mode | effect_mode ]
type param_or_local_mode = [ param_mode | `MLocal ]
type param_or_effect_or_local_mode = [ param_or_effect_mode | `MLocal ]

let remove_duplicates ~already_used entries =
  fst (List.fold_left
	 (fun (acc,already_used) entry ->
	    (* Accumulate entry only if not already present *)
	    let n = var_name' (fst (snd entry)) in
	    if StringSet.mem n already_used then
	      acc, already_used
	    else
	      entry :: acc, StringSet.add n already_used
	 ) ([],already_used) entries)

let check_no_duplicates ~already_used entries =
  ignore (List.fold_left
	    (fun already_used entry ->
	       (* Check entry not already present *)
	       let n = var_name' (fst (snd entry)) in
	       assert (not (StringSet.mem n already_used));
	       StringSet.add n already_used
	    ) already_used entries)

let add_alloc_table_argument
    ~mode ~type_safe ~no_deref (ac,distr as alloc) ?region_assoc acc =
  let allocvar =
    if no_deref then plain_alloc_table_var
    else alloc_table_var ~test_current_function:false
  in
  let ty' = alloc_table_type ac in
  if Region.polymorphic distr then
    try
      (* Polymorphic allocation table. Both passed in argument by the caller,
	 and counted as effect. *)
      let locr =
	Option_misc.map_default (RegionList.assoc distr) distr region_assoc
      in
      match mode with
	| `MAppParam ->
	    if Region.bitwise locr && not no_deref then
	      (* Anticipate generation of local ref from bitwise *)
	      ((alloc,locr), (deref_alloc_table_var (ac,locr), ty')) :: acc
	    else
	      ((alloc,locr), (allocvar (ac,locr), ty')) :: acc
	| `MFunParam | #effect_mode ->
	    if Region.bitwise locr && not type_safe then
	      (* Bitwise allocation table in the caller.
		 Translate the allocation class. *)
	      let ac = JCalloc_bitvector in
	      let ty' = alloc_table_type ac in
	      ((alloc,locr), (allocvar (ac,locr), ty')) :: acc
	    else
	      ((alloc,locr), (allocvar (ac,locr), ty')) :: acc
	| `MLocal -> acc
    with Not_found ->
      (* MLocal allocation table. Neither passed in argument by the caller,
	 nor counted as effect. *)
      match mode with
	| #param_or_effect_mode -> acc
	| `MLocal ->
	    if Region.bitwise distr && not type_safe then
	      (* Bitwise allocation table. Translate the allocation class. *)
	      let ac = JCalloc_bitvector in
	      let ty' = alloc_table_type ac in
	      ((alloc,distr), (allocvar (ac,distr), ty')) :: acc
	    else
	      ((alloc,distr), (allocvar (ac,distr), ty')) :: acc
  else
    (* Constant allocation table. Not passed in argument by the caller,
       but counted as effect. *)
    match mode with
      | #param_or_local_mode -> acc
      | #effect_mode -> ((alloc,distr), (allocvar (ac,distr), ty')) :: acc

let translate_alloc_table_effects ~region_mem_assoc alloc_effect =
  AllocMap.fold
    (fun (ac,r) labs acc ->
       let allocs = transpose_alloc_table ~region_mem_assoc (ac,r) in
       AllocSet.fold
	 (fun (ac,_r) acc -> AllocMap.add (ac,r) labs acc) allocs acc
    ) alloc_effect AllocMap.empty

(* let translate_external_alloc_tables ~no_deref ~region_mem_assoc ~already_used *)
(*     allocs = *)
(*   let already_used = StringSet.of_list already_used in *)
(*   let allocvar =  *)
(*     if no_deref then plain_alloc_table_var  *)
(*     else alloc_table_var ~test_current_function:false *)
(*   in *)
(*   let allocs = *)
(*     List.fold_left *)
(*       (fun acc ((alloc,locr),(v',ty') as entry) -> *)
(* 	 if Region.bitwise locr then *)
(* 	   (\* Translate bitwise allocation table into typed ones *\) *)
(* 	   try *)
(* 	     let mems = MemorySet.find_region locr region_mem_assoc in *)
(* 	     let allocs =  *)
(* 	       List.map *)
(* 		 (fun (mc,_r) -> *)
(* 		    let ac = alloc_class_of_mem_class mc in *)
(* 		    let ty' = alloc_table_type ac in *)
(* 		    ((alloc,locr), (allocvar (ac,locr), ty')) *)
(* 		 ) (MemorySet.elements mems) *)
(* 	     in allocs @ acc *)
(* 	   with Not_found -> *)
(* 	     (\* No possible effect on caller types *\) *)
(* 	     acc *)
(* 	 else entry :: acc *)
(*       ) [] allocs *)
(*   in *)
(*   remove_duplicates ~already_used allocs *)

let alloc_table_detailed_writes ~mode ~type_safe ~callee_writes ?region_assoc
    ~region_mem_assoc =
  let write_effects = callee_writes.jc_effect_alloc_tables in
  let write_effects =
    if type_safe then
      match mode with
	| #param_mode | `MEffect ->
	    translate_alloc_table_effects ~region_mem_assoc write_effects
      | `MLocalEffect | `MLocal -> write_effects
    else write_effects
  in
  let writes =
    AllocMap.fold
      (fun (ac,distr) _labs acc ->
	 add_alloc_table_argument
	   ~mode ~type_safe ~no_deref:true (ac,distr) ?region_assoc acc
      ) write_effects []
  in
  if type_safe then
    writes
  else
    remove_duplicates ~already_used:StringSet.empty writes

let alloc_table_writes ~mode ~type_safe ~callee_writes ?region_assoc
    ~region_mem_assoc =
  List.map snd
    (alloc_table_detailed_writes ~mode ~type_safe ~callee_writes ?region_assoc
       ~region_mem_assoc)

let alloc_table_detailed_reads ~mode ~type_safe ~callee_writes ~callee_reads
    ?region_assoc ~region_mem_assoc ~already_used =
  let read_effects = callee_reads.jc_effect_alloc_tables in
  let read_effects =
    if type_safe then
      match mode with
	| #param_mode | `MEffect ->
	    translate_alloc_table_effects ~region_mem_assoc read_effects
	| `MLocalEffect | `MLocal -> read_effects
    else read_effects
  in
  let reads =
    AllocMap.fold
      (fun (ac,distr) _labs acc ->
	 if has_alloc_table (ac,distr) callee_writes.jc_effect_alloc_tables then
	   (* Allocation table is written, thus it is already taken care of
	      as a parameter. *)
	   match mode with
	     | #param_or_local_mode -> acc
	     | #effect_mode ->
		 add_alloc_table_argument
		   ~mode ~type_safe ~no_deref:false (ac,distr) ?region_assoc acc
	 else if mutable_alloc_table (get_current_function ()) (ac,distr) then
	   add_alloc_table_argument
	     ~mode ~type_safe ~no_deref:false (ac,distr) ?region_assoc acc
	 else
	   (* Allocation table is immutable, thus it is not passed by
	      reference. As such, it cannot be counted in effects. *)
	   match mode with
	     | #param_or_local_mode ->
		 add_alloc_table_argument
		   ~mode ~type_safe ~no_deref:false (ac,distr) ?region_assoc acc
	     | #effect_mode -> acc
      ) read_effects []
  in
  if type_safe then
    reads
  else
    let already_used = StringSet.of_list already_used in
    remove_duplicates ~already_used reads

let alloc_table_reads ~mode ~type_safe ~callee_writes ~callee_reads
    ?region_assoc ~region_mem_assoc ~already_used =
  List.map snd
    (alloc_table_detailed_reads ~mode ~type_safe ~callee_writes ~callee_reads
       ?region_assoc ~region_mem_assoc ~already_used)

let add_tag_table_argument ~mode ~no_deref (vi,distr) ?region_assoc acc =
  let tagvar = if no_deref then plain_tag_table_var else tag_table_var in
  let ty' = tag_table_type vi in
  if Region.polymorphic distr then
    try
      (* Polymorphic tag table. Both passed in argument by the caller,
	 and counted as effect. *)
      let locr =
	Option_misc.map_default (RegionList.assoc distr) distr region_assoc
      in
      match mode with
	| #param_or_effect_mode -> (tagvar (vi,locr), ty') :: acc
	| `MLocal -> acc
    with Not_found ->
      (* MLocal tag table. Neither passed in argument by the caller,
	 nor counted as effect. *)
      match mode with
	| #param_or_effect_mode -> acc
	| `MLocal -> (tagvar (vi,distr), ty') :: acc
  else
    (* Constant tag table. Not passed in argument by the caller,
       but counted as effect. *)
    match mode with
      | #param_or_local_mode -> acc
      | #effect_mode -> (tagvar (vi,distr), ty') :: acc

let tag_table_writes ~mode ~callee_writes ?region_assoc () =
  TagMap.fold
    (fun (vi,distr) _labs acc ->
       add_tag_table_argument
	 ~mode ~no_deref:true (vi,distr) ?region_assoc acc
    ) callee_writes.jc_effect_tag_tables []

let tag_table_reads ~mode ~callee_writes ~callee_reads ?region_assoc () =
  TagMap.fold
    (fun (vi,distr) _labs acc ->
       if TagMap.mem (vi,distr) callee_writes.jc_effect_tag_tables then
	 (* Tag table is written, thus it is already taken care of
	    as a parameter. *)
	 match mode with
	   | #param_or_local_mode -> acc
	   | #effect_mode ->
	       add_tag_table_argument
		 ~mode ~no_deref:false (vi,distr) ?region_assoc acc
       else if mutable_tag_table (get_current_function ()) (vi,distr) then
	 add_tag_table_argument
	   ~mode ~no_deref:false (vi,distr) ?region_assoc acc
       else
	 (* Tag table is immutable, thus it is not passed by
	    reference. As such, it cannot be counted in effects. *)
	 match mode with
	   | #param_or_local_mode ->
	       add_tag_table_argument
		 ~mode ~no_deref:false (vi,distr) ?region_assoc acc
	   | #effect_mode -> acc
    ) callee_reads.jc_effect_tag_tables []

let add_memory_argument
    ~mode ~type_safe ~no_deref (mc,distr as mem) ?region_assoc acc =
  let memvar =
    if no_deref then plain_memory_var
    else memory_var ~test_current_function:false
  in
  let ty' = memory_type mc in
  if Region.polymorphic distr then
    try
      (* Polymorphic memory. Both passed in argument by the caller,
	 and counted as effect. *)
      let locr =
	Option_misc.map_default (RegionList.assoc distr) distr region_assoc
      in
      match mode with
	| `MAppParam ->
	    if Region.bitwise locr && not no_deref then
	      (* Anticipate generation of local ref from bitwise *)
	      ((mem,locr), (deref_memory_var (mc,locr), ty')) :: acc
	    else
	      ((mem,locr), (memvar (mc,locr), ty')) :: acc
	| `MFunParam | #effect_mode ->
	    if Region.bitwise locr && not type_safe then
	      (* Bitwise memory in the caller.
		 Translate the memory class. *)
	      let mc = JCmem_bitvector in
	      let ty' = memory_type mc in
	      ((mem,locr), (memvar (mc,locr), ty')) :: acc
	    else
	      ((mem,locr), (memvar (mc,locr), ty')) :: acc
	| `MLocal -> acc
    with Not_found ->
      (* MLocal memory. Neither passed in argument by the caller,
	 nor counted as effect. *)
      match mode with
	| #param_or_effect_mode -> acc
	| `MLocal ->
	    if Region.bitwise distr && not type_safe then
	      (* Bitwise memory. Translate the memory class. *)
	      let mc = JCmem_bitvector in
	      let ty' = memory_type mc in
	      ((mem,distr), (memvar (mc,distr), ty')) :: acc
	    else
	      ((mem,distr), (memvar (mc,distr), ty')) :: acc
  else
    (* Constant memory. Not passed in argument by the caller,
       but counted as effect. *)
    match mode with
      | #param_or_local_mode -> acc
      | #effect_mode -> ((mem,distr), (memvar (mc,distr), ty')) :: acc

(* let translate_external_memories ~no_deref ~region_mem_assoc ~already_used mems = *)
(*   let already_used = StringSet.of_list already_used in *)
(*   let memvar =  *)
(*     if no_deref then plain_memory_var  *)
(*     else memory_var ~test_current_function:false *)
(*   in *)
(*   let mems = *)
(*     List.fold_left *)
(*       (fun acc ((mem,locr),(v',ty') as entry) -> *)
(* 	 if Region.bitwise locr then *)
(* 	   try *)
(* 	     (\* Translate bitwise memories into typed ones *\) *)
(* 	     let mems = MemorySet.find_region locr region_mem_assoc in *)
(* 	     let mems =  *)
(* 	       List.map *)
(* 		 (fun (mc,_r) -> *)
(* 		    let ty' = memory_type mc in *)
(* 		    ((mem,locr), (memvar (mc,locr), ty')) *)
(* 		 ) (MemorySet.elements mems) *)
(* 	     in mems @ acc *)
(* 	   with Not_found -> *)
(* 	     (\* No possible effect on caller types *\) *)
(* 	     acc *)
(* 	 else entry :: acc *)
(*       ) [] mems *)
(*   in *)
(*   remove_duplicates ~already_used mems *)

let translate_memory_effects ~region_mem_assoc mem_effect =
  MemoryMap.fold
    (fun (mc,r) labs acc ->
       let mems = transpose_memory ~region_mem_assoc (mc,r) in
       MemorySet.fold
	 (fun (mc,_r) acc -> MemoryMap.add (mc,r) labs acc) mems acc
    ) mem_effect MemoryMap.empty

let memory_detailed_writes
    ~mode ~type_safe ~callee_writes ?region_assoc ~region_mem_assoc =
  let write_effects = callee_writes.jc_effect_memories in
  let write_effects =
    if type_safe then
      match mode with
	| #param_mode | `MEffect ->
	    translate_memory_effects ~region_mem_assoc write_effects
	| `MLocalEffect | `MLocal -> write_effects
    else write_effects
  in
  let writes =
    MemoryMap.fold
      (fun (mc,distr) _labs acc ->
	 add_memory_argument
	   ~mode ~type_safe ~no_deref:true (mc,distr) ?region_assoc acc
      ) write_effects []
  in
  if type_safe then
    (* non-interference precondition added later on *)
(*     let () = check_no_duplicates ~already_used:StringSet.empty writes in *)
    writes
  else
    remove_duplicates ~already_used:StringSet.empty writes

let memory_writes
    ~mode ~type_safe ~callee_writes ?region_assoc ~region_mem_assoc =
  List.map snd
    (memory_detailed_writes ~mode ~type_safe ~callee_writes
       ?region_assoc ~region_mem_assoc)

let memory_detailed_reads ~mode ~type_safe ~callee_writes ~callee_reads
    ?region_assoc ~region_mem_assoc ~already_used =
  let read_effects = callee_reads.jc_effect_memories in
  let read_effects =
    if type_safe then
      match mode with
	| #param_mode | `MEffect ->
	    translate_memory_effects ~region_mem_assoc read_effects
	| `MLocalEffect | `MLocal -> read_effects
    else read_effects
  in
  let write_effects = callee_writes.jc_effect_memories in
  let write_effects =
    if type_safe then
      match mode with
	| #param_mode | `MEffect ->
	    translate_memory_effects ~region_mem_assoc write_effects
	| `MLocalEffect | `MLocal -> write_effects
    else write_effects
  in
  let reads =
    MemoryMap.fold
      (fun (mc,distr) _labs acc ->
	 if has_memory (mc,distr) write_effects then
	   (* Memory is written, thus it is already taken care of
	      as a parameter. *)
	   match mode with
	     | #param_or_local_mode -> acc
	     | #effect_mode ->
		 add_memory_argument
		   ~mode ~type_safe ~no_deref:false (mc,distr) ?region_assoc acc
	 else if mutable_memory (get_current_function ()) (mc,distr) then
	   add_memory_argument
	     ~mode ~type_safe ~no_deref:false (mc,distr) ?region_assoc acc
	 else
	   (* Memory is immutable, thus it is not passed by
	      reference. As such, it cannot be counted in effects. *)
	   match mode with
	     | #param_or_local_mode ->
		 add_memory_argument
		   ~mode ~type_safe ~no_deref:false (mc,distr) ?region_assoc acc
	     | #effect_mode -> acc
      ) read_effects []
  in
  let already_used = StringSet.of_list already_used in
  if type_safe then
    (* non-interference precondition added later on *)
(*     let () = check_no_duplicates ~already_used reads in *)
    reads
  else
    remove_duplicates ~already_used reads

let memory_reads ~mode ~type_safe ~callee_writes ~callee_reads
    ?region_assoc ~region_mem_assoc ~already_used =
  List.map snd
    (memory_detailed_reads ~mode ~type_safe ~callee_writes ~callee_reads
       ?region_assoc ~region_mem_assoc ~already_used)

let global_writes ~callee_writes =
  VarMap.fold
    (fun v _labs acc ->
       let n,ty' = param ~type_safe:false v in
       (plain_var n,ty') :: acc
    ) callee_writes.jc_effect_globals []

let global_reads ~callee_reads =
  VarMap.fold
    (fun v _labs acc ->
       let n,ty' = param ~type_safe:false v in
       (plain_var n,ty') :: acc
    ) callee_reads.jc_effect_globals []

let local_reads ~callee_reads =
  VarMap.fold
    (fun v _labs acc ->
       let n,ty' = param ~type_safe:false v in
       (plain_var n,ty') :: acc
    ) callee_reads.jc_effect_locals []

(* Yannick: change this to avoid recovering the real type from its name
   in mutable and committed effects *)

let write_mutable callee_writes =
  StringSet.fold
    (fun v acc -> (mutable_name2 v)::acc) callee_writes.jc_effect_mutable []

let read_mutable callee_reads =
  StringSet.fold
    (fun v acc -> (mutable_name2 v)::acc) callee_reads.jc_effect_mutable []

let write_committed callee_writes =
  StringSet.fold
    (fun v acc -> (committed_name2 v)::acc) callee_writes.jc_effect_committed []

let read_committed callee_reads =
  StringSet.fold
    (fun v acc -> (committed_name2 v)::acc) callee_reads.jc_effect_committed []

let make_region_assoc region_list =
  List.map (fun r -> (r,r)) region_list

let write_model_parameters
    ~type_safe ~mode ~callee_reads ~callee_writes ?region_list ~params () =
  assert (Jc_effect.same_effects callee_reads callee_reads);
  let region_assoc = Option_misc.map make_region_assoc region_list in
  let region_mem_assoc = make_region_mem_assoc ~params in
  let callee_writes = rewrite_effects ~type_safe ~params callee_writes in
  let write_allocs =
    alloc_table_writes ~mode ~type_safe ~callee_writes
      ?region_assoc ~region_mem_assoc
  in
  let write_tags =
    tag_table_writes ~mode ~callee_writes ?region_assoc ()
  in
  let write_mems =
    memory_writes ~mode ~type_safe ~callee_writes
      ?region_assoc ~region_mem_assoc
  in
  let write_globs = match mode with
    | #param_or_local_mode -> []
    | #effect_mode -> global_writes ~callee_writes
  in
  (* TODO: add mutable and committed effects *)
  write_allocs @ write_tags @ write_mems @ write_globs

let write_parameters
    ~type_safe ~region_list ~callee_reads ~callee_writes ~params =
  let vars' =
    write_model_parameters ~type_safe ~mode:`MFunParam
      ~callee_reads ~callee_writes ~region_list ~params ()
  in
  List.map (function ({expr_node = Var n},ty') -> (n,ty') | _ -> assert false) vars'

let write_locals ~region_list ~callee_reads ~callee_writes ~params =
  let vars' =
    write_model_parameters ~type_safe:false ~mode:`MLocal
      ~callee_reads ~callee_writes ~region_list ~params ()
  in
  List.map (function ({expr_node = Var n},ty') -> (n,ty') | _ -> assert false) vars'

let write_effects ~callee_reads ~callee_writes ~region_list ~params =
  let vars' =
    write_model_parameters ~type_safe:true ~mode:`MEffect
      ~callee_reads ~callee_writes ~region_list ~params ()
  in
  List.map (function ({expr_node = Var n},_ty') -> n | _ -> assert false) vars'

let local_write_effects ~callee_reads ~callee_writes =
  let vars' =
    write_model_parameters ~type_safe:false ~mode:`MLocalEffect
      ~callee_reads ~callee_writes ~params:[] ()
  in
  List.map (var_name' $ fst) vars'

let read_model_parameters ~type_safe ~mode ~callee_reads ~callee_writes
    ?region_list ~params ~already_used () =
  let region_assoc = Option_misc.map make_region_assoc region_list in
  let region_mem_assoc = make_region_mem_assoc ~params in
  let callee_reads = rewrite_effects ~type_safe ~params callee_reads in
  let callee_writes = rewrite_effects ~type_safe ~params callee_writes in
  let read_allocs =
    alloc_table_reads ~mode ~type_safe ~callee_reads ~callee_writes
      ?region_assoc ~region_mem_assoc ~already_used
  in
  let read_tags =
    tag_table_reads ~mode ~callee_reads ~callee_writes ?region_assoc ()
  in
  let read_mems =
    memory_reads ~mode ~type_safe ~callee_reads ~callee_writes
      ?region_assoc ~region_mem_assoc ~already_used
  in
  let read_globs = match mode with
    | #param_or_local_mode -> []
    | #effect_mode -> global_reads ~callee_reads
  in
  let read_locs = match mode with
    | #param_or_local_mode | `MEffect -> []
    | `MLocalEffect -> local_reads ~callee_reads
  in
  (* TODO: add mutable and committed effects *)
  read_allocs @ read_tags @ read_mems @ read_globs @ read_locs

let read_parameters
    ~type_safe ~region_list ~callee_reads ~callee_writes ~params ~already_used =
  let vars' =
    read_model_parameters ~type_safe ~mode:`MFunParam
      ~callee_reads ~callee_writes ~region_list ~params ~already_used ()
  in
  List.map (function ({expr_node = Var n},ty') -> (n,ty') | _ -> assert false) vars'

let read_locals ~region_list ~callee_reads ~callee_writes ~params =
  let vars' =
    read_model_parameters ~type_safe:false ~mode:`MLocal
      ~callee_reads ~callee_writes ~region_list ~params ~already_used:[] ()
  in
  List.map (function ({expr_node = Var n},ty') -> (n,ty')
              | ({expr_node = Deref n},ty') ->
	          printf "Deref %s with type %a@." n Output.fprintf_logic_type ty';
	          assert false
	      | _ -> assert false
	   ) vars'

let read_effects ~callee_reads ~callee_writes ~region_list ~params =
  let vars' =
    read_model_parameters ~type_safe:true ~mode:`MEffect
      ~callee_reads ~callee_writes ~region_list ~params ~already_used:[] ()
  in
  List.map (var_name' $ fst) vars'

let local_read_effects ~callee_reads ~callee_writes =
  let vars' =
    read_model_parameters ~type_safe:false ~mode:`MLocalEffect
      ~callee_reads ~callee_writes ~params:[] ~already_used:[] ()
  in
  List.map (var_name' $ fst) vars'

let alloc_table_arguments ~callee_reads ~callee_writes ~region_assoc
    ~region_mem_assoc =
  let writes =
    alloc_table_detailed_writes
      ~mode:`MAppParam ~type_safe:true ~callee_writes
      ~region_assoc ~region_mem_assoc
  in
  let reads =
    alloc_table_detailed_reads
      ~mode:`MAppParam ~type_safe:true ~callee_reads ~callee_writes
      ~region_assoc ~region_mem_assoc ~already_used:[]
  in
  let pointer_of_parameter = function
      (((ac,_distr),locr),(_v',_ty')) ->
	let pc = match ac with
	  | JCalloc_root vi -> JCroot vi
	  | JCalloc_bitvector -> assert false
	in
	(pc,locr)
  in
  let wpointers = List.map pointer_of_parameter writes in
  let rpointers = List.map pointer_of_parameter reads in
  let write_arguments = List.map (fst $ snd) writes in
  let read_arguments = List.map (fst $ snd) reads in
  wpointers, rpointers, write_arguments, read_arguments

let tag_table_arguments ~callee_reads ~callee_writes ~region_assoc =
  let writes =
    tag_table_writes ~mode:`MAppParam ~callee_writes ~region_assoc ()
  in
  let reads =
    tag_table_reads
      ~mode:`MAppParam ~callee_reads ~callee_writes ~region_assoc ()
  in
  (List.map fst writes), (List.map fst reads)

let specialized_functions = StringHashtblIter.create 0

let memory_arguments ~callee_reads ~callee_writes ~region_assoc
    ~region_mem_assoc ~param_assoc ~with_body fname =
  let writes =
    memory_detailed_writes
      ~mode:`MAppParam ~type_safe:true ~callee_writes
      ~region_assoc ~region_mem_assoc
  in
  let reads =
    memory_detailed_reads
      ~mode:`MAppParam ~type_safe:true ~callee_reads ~callee_writes
      ~region_assoc ~region_mem_assoc ~already_used:[]
  in
  let pointer_of_parameter = function
      (((mc,_distr),locr),(_v',_ty')) ->
	let pc = match mc with
	  | JCmem_field fi -> JCtag(fi.jc_field_info_struct,[])
	  | JCmem_plain_union vi -> JCroot vi
	  | JCmem_bitvector -> assert false
	in
	(pc,locr)
  in
  let wpointers = List.map pointer_of_parameter writes in
  let rpointers = List.map pointer_of_parameter reads in
  let remove_local effects =
    List.map (fun ((mem,_locr),(v',ty')) -> (mem,(v',ty'))) effects
  in
  let writes' = remove_local writes and reads' = remove_local reads in
  (* Check if there are duplicates between reads and writes *)
  let write_names = List.map (var_name' $ fst $ snd) writes in
  let read_names = List.map (var_name' $ fst $ snd) reads in
  let rw_inter_names =
    StringSet.inter
      (StringSet.of_list write_names) (StringSet.of_list read_names)
  in
  let rw_pre =
    if StringSet.is_empty rw_inter_names then
      LTrue (* no read/write interference *)
    else if not with_body then
      LTrue (* no body in which region assumptions must be verified *)
    else
      write_read_separation_condition
	~callee_reads ~callee_writes ~region_assoc ~param_assoc
	rw_inter_names writes' reads'
  in
  (* TODO: rewrite postcondition to assert it after the call, when
     there is an interference. see, e.g., example [separation.c] in Jessie
     tests.
  *)
  (* Check if there are duplicates between writes *)
  let ww_inter_names =
    snd (List.fold_left
	   (fun (first_occur,next_occur) n ->
	      if StringSet.mem n first_occur then
		first_occur, StringSet.add n next_occur
	      else StringSet.add n first_occur, next_occur
	   ) (StringSet.empty,StringSet.empty) write_names)
  in
  let ww_pre =
    if StringSet.is_empty ww_inter_names then
      LTrue (* no write/write interference *)
    else if not with_body then
      LTrue (* no body in which region assumptions must be verified *)
    else
      write_write_separation_condition
	~callee_reads ~callee_writes ~region_assoc ~param_assoc
	ww_inter_names writes' reads'
  in
  let pre = make_and rw_pre ww_pre in
  if pre = LTrue then
    let writes = List.map (fst $ snd) writes in
    let reads = List.map (fst $ snd) reads in
    LTrue, fname, wpointers, rpointers, writes, reads
  else
    (* Presence of interferences. Function must be specialized. *)
    let new_fname = unique_name (fname ^ "_specialized") in
    let writes, name_assoc, already_used_names =
      List.fold_right
	(fun ((mc,distr),(v,_ty)) (acc,name_assoc,already_used_names) ->
	   let n = var_name' v in
	   if StringMap.mem n already_used_names then
	     let ndest = StringMap.find n already_used_names in
	     let nsrc = memory_name (mc,distr) in
	     acc, StringMap.add nsrc ndest name_assoc, already_used_names
	   else
	     let ndest = memory_name (mc,distr) in
	     v :: acc, name_assoc, StringMap.add n ndest already_used_names
	) writes' ([], StringMap.empty, StringMap.empty)
    in
    let reads, name_assoc, _ =
      List.fold_right
	(fun ((mc,distr),(v,_ty)) (acc,name_assoc,already_used_names) ->
	   let n = var_name' v in
	   if StringMap.mem n already_used_names then
	     let ndest = StringMap.find n already_used_names in
	     let nsrc = memory_name (mc,distr) in
	     acc, StringMap.add nsrc ndest name_assoc, already_used_names
	   else
	     let ndest = memory_name (mc,distr) in
	     v :: acc, name_assoc, StringMap.add n ndest already_used_names
	) reads' ([], name_assoc, already_used_names)
    in
    StringHashtblIter.add specialized_functions new_fname (fname,name_assoc);
    pre, new_fname, wpointers, rpointers, writes, reads

let global_arguments ~callee_reads ~callee_writes ~region_assoc:_ =
  let writes = global_writes ~callee_writes in
  let reads = global_reads ~callee_reads in
  (List.map fst writes), (List.map fst reads)

(* Identify bitwise arguments and generate appropriate typed ones *)
let make_bitwise_arguments alloc_wpointers alloc_rpointers
    mem_wpointers mem_rpointers =
  let bw_pointers pointers =
    PointerSet.of_list (List.filter (Region.bitwise $ snd) pointers)
  in
  let bw_alloc_wpointers = bw_pointers alloc_wpointers in
  let bw_alloc_rpointers = bw_pointers alloc_rpointers in
  let bw_alloc_pointers =
    PointerSet.union bw_alloc_wpointers bw_alloc_rpointers
  in
  let bw_mem_wpointers = bw_pointers mem_wpointers in
  let bw_mem_rpointers = bw_pointers mem_rpointers in
  let bw_mem_pointers =
    PointerSet.union bw_mem_wpointers bw_mem_rpointers
  in
  let bw_pointers =
    PointerSet.union bw_alloc_pointers bw_mem_pointers
  in

  let locals,prolog,epilog =
    List.fold_left
      (fun (acc,pro,epi) (pc,r as pointer) ->
	 let alloc_locals,alloc_ofapp =
	   if PointerSet.mem_region r bw_alloc_pointers then
	     make_ofbit_alloc_param_app r pc
	   else [], void
	 in
	 let mem_locals,mem_ofapp =
	   if PointerSet.mem pointer bw_mem_pointers then
	     make_ofbit_mem_param_app r pc
	   else [], void
	 in
	 let alloc_toapp =
	   if PointerSet.mem_region r bw_alloc_wpointers then
	     make_tobit_alloc_param_app r pc
	   else void
	 in
	 let mem_toapp =
	   if PointerSet.mem pointer bw_mem_wpointers then
	     make_tobit_mem_param_app r pc
	   else void
	 in
	 let locals = alloc_locals @ mem_locals in
	 let ofapp = append alloc_ofapp mem_ofapp in
	 let toapp = append alloc_toapp mem_toapp in
	 locals @ acc, append ofapp pro, append toapp epi
      ) ([],void,void) (PointerSet.to_list bw_pointers)
  in
  let locals =
    fst (List.fold_left
	   (fun (acc,already_used) entry ->
	      (* Accumulate entry only if not already present *)
	      let n = fst entry in
	      if StringSet.mem n already_used then
		acc, already_used
	      else
		entry :: acc, StringSet.add n already_used
	   ) ([],StringSet.empty) locals)
  in
  locals,prolog,epilog

let make_arguments
    ~callee_reads ~callee_writes ~region_assoc ~param_assoc
    ~with_globals ~with_body fname args =
  let params = List.map fst param_assoc in
  let region_mem_assoc = make_region_mem_assoc ~params in
  let alloc_wpointers, alloc_rpointers, write_allocs, read_allocs =
    alloc_table_arguments ~callee_reads ~callee_writes ~region_assoc
      ~region_mem_assoc
  in
  let write_tags, read_tags =
    tag_table_arguments ~callee_reads ~callee_writes ~region_assoc
  in
  let pre_mems, fname, mem_wpointers, mem_rpointers, write_mems, read_mems =
    memory_arguments ~callee_reads ~callee_writes ~region_assoc
      ~region_mem_assoc ~param_assoc ~with_body fname
  in
  let write_globs, read_globs =
    if with_globals then
      global_arguments ~callee_reads ~callee_writes ~region_assoc
    else
      [], []
  in
  let locals, prolog, epilog =
    make_bitwise_arguments alloc_wpointers alloc_rpointers
      mem_wpointers mem_rpointers
  in
  (* Return complete list of arguments *)
  (* TODO: add mutable and committed effects *)
  let args =
    args
    @ write_allocs @ write_tags @ write_mems @ write_globs
    @ read_allocs @ read_tags @ read_mems @ read_globs
  in
  pre_mems, fname, locals, prolog, epilog, args

let tmemory_detailed_params ~label_in_name ?region_assoc ?label_assoc reads =
  MemoryMap.fold
    (fun (mc,distr) labs acc ->
       let locr = match region_assoc with
	 | None -> distr
	 | Some region_assoc ->
	     match transpose_region ~region_assoc distr with
	       | Some r -> r
	       | None -> failwith "Unexpected internal region in logic"
       in
       LogicLabelSet.fold
	 (fun lab acc ->
	    let lab = transpose_label ~label_assoc lab in
	    let param = tmemory_param ~label_in_name lab (mc,locr) in
	    ((mc,locr), param) :: acc
	 ) labs acc
    ) reads.jc_effect_memories []

let tmemory_params ~label_in_name ?region_assoc ?label_assoc reads =
  List.map snd
    (tmemory_detailed_params ~label_in_name ?region_assoc ?label_assoc reads)

let talloc_table_detailed_params
    ~label_in_name ?region_assoc ?label_assoc reads =
  AllocMap.fold
    (fun (ac,distr) labs acc ->
       let locr = match region_assoc with
	 | None -> distr
	 | Some region_assoc ->
	     match transpose_region ~region_assoc distr with
	       | Some r -> r
	       | None -> failwith "Unexpected internal region in logic"
       in
       LogicLabelSet.fold
	 (fun lab acc ->
	    let lab = transpose_label ~label_assoc lab in
	    let param = talloc_table_param ~label_in_name lab (ac,locr) in
	    ((ac,locr), param) :: acc
	 ) labs acc
    ) reads.jc_effect_alloc_tables []

let talloc_table_params ~label_in_name ?region_assoc ?label_assoc reads =
  List.map snd
    (talloc_table_detailed_params
       ~label_in_name ?region_assoc ?label_assoc reads)

let ttag_table_detailed_params ~label_in_name ?region_assoc ?label_assoc reads =
  TagMap.fold
    (fun (vi,distr) labs acc ->
       let locr = match region_assoc with
	 | None -> distr
	 | Some region_assoc ->
	     match transpose_region ~region_assoc distr with
	       | Some r -> r
	       | None -> failwith "Unexpected internal region in logic"
       in
       LogicLabelSet.fold
	 (fun lab acc ->
	    let lab = transpose_label ~label_assoc lab in
	    let param = ttag_table_param ~label_in_name lab (vi,locr) in
	    ((vi,locr), param) :: acc
	 ) labs acc
    ) reads.jc_effect_tag_tables []

let ttag_table_params ~label_in_name ?region_assoc ?label_assoc reads =
  List.map snd
    (ttag_table_detailed_params
       ~label_in_name ?region_assoc ?label_assoc reads)

let tglob_detailed_params ~label_in_name ?region_assoc:_ ?label_assoc reads =
  VarMap.fold
    (fun v labs acc ->
       LogicLabelSet.fold
	 (fun lab acc ->
	    let lab = transpose_label ~label_assoc lab in
	    let param = tparam ~label_in_name lab v in
	    (v, param) :: acc
	 ) labs acc
    ) reads.jc_effect_globals []

let tglob_params ~label_in_name ?region_assoc ?label_assoc reads =
  List.map snd
    (tglob_detailed_params ~label_in_name ?region_assoc ?label_assoc reads)

let tmodel_parameters ~label_in_name ?region_assoc ?label_assoc reads =
  let allocs =
    talloc_table_params ~label_in_name ?region_assoc ?label_assoc reads
  in
  let tags =
    ttag_table_params ~label_in_name ?region_assoc ?label_assoc reads
  in
  let mems =
    tmemory_params ~label_in_name ?region_assoc ?label_assoc reads
  in
  let globs =
    tglob_params ~label_in_name ?region_assoc ?label_assoc reads
  in
  allocs @ tags @ mems @ globs

let make_logic_arguments ~label_in_name ~region_assoc ~label_assoc f args =
  let model_params =
    tmodel_parameters ~label_in_name ~region_assoc ~label_assoc
      f.jc_logic_info_effects
  in
  let model_args = List.map (fun (_n,v,_ty') -> v) model_params in
  args @ model_args

let make_logic_fun_call ~label_in_name ~region_assoc ~label_assoc f args =
  if Jc_options.debug then printf "logic call to %s@." f.jc_logic_info_name;
  let args =
    make_logic_arguments ~label_in_name ~region_assoc ~label_assoc f args
  in
  LApp(f.jc_logic_info_final_name, args)

let make_logic_pred_call ~label_in_name ~region_assoc ~label_assoc f args =
  if Jc_options.debug then printf "logic pred call to %s@." f.jc_logic_info_name;
  let args =
    make_logic_arguments ~label_in_name ~region_assoc ~label_assoc f args
  in
  LPred(f.jc_logic_info_final_name, args)


(* *)
let logic_info_reads acc li =
  let acc =
    MemoryMap.fold
      (fun (mc,r) _ acc ->
	 StringSet.add (memory_name(mc,r)) acc)
      li.jc_logic_info_effects.jc_effect_memories
      acc
  in
  let acc =
    AllocMap.fold
      (fun (ac,r) _labs acc ->
	 StringSet.add (alloc_table_name (ac, r)) acc)
      li.jc_logic_info_effects.jc_effect_alloc_tables
      acc
  in
  TagMap.fold
    (fun v _ acc -> StringSet.add (tag_table_name v) acc)
    li.jc_logic_info_effects.jc_effect_tag_tables
    acc


(* fold all effects into a list *)
let all_effects ef =
  let res =
    MemoryMap.fold
      (fun (mc,r) _labels acc ->
	let mem = memory_name(mc,r) in
	if Region.polymorphic r then
(*	  if RegionList.mem r f.jc_fun_info_param_regions then
	    if FieldRegionMap.mem (fi,r)
	      f.jc_fun_info_effects.jc_writes.jc_effect_memories
	    then mem::acc
	    else acc
	  else acc*)
	  assert false (* TODO *)
	else mem::acc)
      ef.jc_effect_memories
      []
  in
  let res =
    VarMap.fold
      (fun v _labs acc -> v.jc_var_info_final_name::acc)
      ef.jc_effect_globals
      res
  in
  let res =
    AllocMap.fold
      (fun (a,r) _labs acc ->
	let alloc = alloc_table_name(a,r) in
	if Region.polymorphic r then
(*	  if RegionList.mem r f.jc_fun_info_param_regions then
	    if AllocSet.mem (a,r)
	      f.jc_fun_info_effects.jc_writes.jc_effect_alloc_tables
	    then alloc::acc
	    else acc
	  else acc*)
	  assert false (* TODO *)
	else alloc::acc)
      ef.jc_effect_alloc_tables
      res
  in
  let res =
    TagMap.fold
      (fun v _ acc -> (tag_table_name v)::acc)
      ef.jc_effect_tag_tables
      res
  in
  let res =
    StringSet.fold
      (fun v acc -> (mutable_name2 v)::acc)
      ef.jc_effect_mutable
      res
  in
  let res =
    StringSet.fold
      (fun v acc -> (committed_name2 v)::acc)
      ef.jc_effect_committed
      res
  in
  res


(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
����������������������������������why-2.34/jc/jc_ast.mli������������������������������������������������������������������������������0000644�0001750�0001750�00000050355�12311670312�013167� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_region

class type positioned =
object
  method pos: Loc.position
end

class type typed =
object
  method typ: jc_type
end

class type labeled =
object
  method label: label option
  method set_label: label option -> unit
end

class type marked =
object
  method mark: string
end

class type regioned =
object
  method region: region
  method set_region: region -> unit
end

type const =
  | JCCvoid
  | JCCnull
  | JCCboolean of bool
  | JCCinteger of string
  | JCCreal of string
  | JCCstring of string

class type identifier =
object
  inherit positioned
  method name: string
end

class type ['a] node_positioned =
object
  inherit positioned
  method node: 'a
end

(***************)
(* parse trees *)
(***************)

type ptype_node =
  | JCPTnative of native_type
  | JCPTidentifier of string * ptype list
  | JCPTpointer of string * ptype list * Num.num option * Num.num option

and ptype = ptype_node node_positioned

type comparison_op = [ `Blt | `Bgt | `Ble | `Bge | `Beq | `Bneq ]
type arithmetic_op = [ `Badd | `Bsub | `Bmul | `Bdiv | `Bmod ]
type logical_op = [ `Bland | `Blor | `Bimplies | `Biff ]
type bitwise_op =
    [ `Bbw_and | `Bbw_or | `Bbw_xor
    | `Bshift_left | `Blogical_shift_right | `Barith_shift_right ]

type basic_op = [ comparison_op | arithmetic_op ]
type operational_op = [ basic_op | bitwise_op | `Bconcat | `Bland | `Blor ]
type bin_op = [ operational_op | logical_op ]

type pre_unary_op = [ `Uprefix_inc | `Uprefix_dec ]
type post_unary_op = [ `Upostfix_inc | `Upostfix_dec ]
type pm_unary_op = [ pre_unary_op | post_unary_op | `Uplus ]
type unary_op = [ `Uminus | `Unot | `Ubw_not ]

type pexpr_unary_op = [ pm_unary_op | unary_op ]

type native_operator_type = [ `Unit | `Boolean | `Integer | `Real | float_format ]
type operator_type = [ native_operator_type | `Pointer | `Logic ]

type pred_bin_op = [comparison_op | logical_op] * operator_type
type expr_unary_op = unary_op * native_operator_type
type term_unary_op = expr_unary_op
type expr_bin_op = operational_op * operator_type
type term_bin_op = bin_op * operator_type
type pred_rel_op = comparison_op * operator_type

type offset_kind = Offset_max | Offset_min

type address_kind = Addr_absolute | Addr_pointer

type quantifier = Forall | Exists

type asrt_kind =
  | Aassert (* Assertion to prove *)
  | Ahint   (* Assertion to help in proofs,
	       can be either discarded or both used and proved *)
  | Aassume (* Assertion that can be relied on without proof *)
  | Acheck  (* Assertion to prove but which is not used after *)

type rounding_mode =
  | Round_nearest_even | Round_to_zero | Round_up | Round_down
  | Round_nearest_away

type real_conversion =
  | Integer_to_real
  | Double_to_real
  | Float_to_real
  | Round of float_format * rounding_mode

type ppattern_node =
  | JCPPstruct of identifier * (identifier * ppattern) list
  | JCPPvar of identifier
  | JCPPor of ppattern * ppattern
  | JCPPas of ppattern * identifier
  | JCPPany
  | JCPPconst of const

and ppattern = ppattern_node node_positioned

type 'expr pbehavior =
    Loc.position * string * identifier option * 'expr option
    * 'expr option * (Loc.position * 'expr list) option * 
    (Loc.position * 'expr list) option * 'expr
      (*r loc, name, throws, assumes,requires,assigns,allocates, ensures *)

and 'expr loopbehavior =
    identifier list
    * 'expr option * (Loc.position * 'expr list) option
      (*r idents, invariant, assigns *)

and pexpr_node =
  | JCPEconst of const
  | JCPElabel of string * pexpr
  | JCPEvar of string
  | JCPEderef of pexpr * string
  | JCPEbinary of pexpr * bin_op * pexpr
  | JCPEunary of pexpr_unary_op * pexpr
  | JCPEapp of string * label list * pexpr list
  | JCPEassign of pexpr * pexpr
  | JCPEassign_op of pexpr * bin_op * pexpr
  | JCPEinstanceof of pexpr * string
  | JCPEcast of pexpr * ptype
  | JCPEquantifier of quantifier * ptype * identifier list * pexpr list list * pexpr
  | JCPEfresh of pexpr
  | JCPEold of pexpr
  | JCPEat of pexpr * label
  | JCPEoffset of offset_kind * pexpr
  | JCPEaddress of address_kind * pexpr
      (* expression is of integer type for an absolute address, and of
	 pointer type for a pointer address *)
  | JCPEbase_block of pexpr
  | JCPEif of pexpr * pexpr * pexpr
  | JCPElet of ptype option * string * pexpr option * pexpr
  | JCPEdecl of ptype * string * pexpr option
  | JCPErange of pexpr option * pexpr option
  | JCPEalloc of pexpr * string
  | JCPEfree of pexpr
  | JCPEmutable of pexpr * pexpr ptag
  | JCPEeqtype of pexpr ptag * pexpr ptag
  | JCPEsubtype of pexpr ptag * pexpr ptag
  | JCPEmatch of pexpr * (ppattern * pexpr) list
  | JCPEblock of pexpr list
  | JCPEassert of identifier list * asrt_kind * pexpr
  | JCPEcontract of
      pexpr option * (pexpr * identifier option) option *
	pexpr pbehavior list * pexpr
	(* requires, decreases, behaviors, expression *)
  | JCPEwhile of
      pexpr * pexpr loopbehavior list *
	(pexpr * identifier option) option * pexpr
	(*r condition, behaviors, variant, body *)
  | JCPEfor of
      pexpr list * pexpr * pexpr list * pexpr loopbehavior list
      * (pexpr * identifier option) option * pexpr
	(*r inits, condition, updates, behaviors, variant, body *)
  | JCPEreturn of pexpr
  | JCPEbreak of string
  | JCPEcontinue of string
  | JCPEgoto of string
  | JCPEtry of pexpr * (identifier * string * pexpr) list * pexpr
  | JCPEthrow of identifier * pexpr
  | JCPEpack of pexpr * identifier option
  | JCPEunpack of pexpr * identifier option
  | JCPEswitch of pexpr * (pexpr option list * pexpr) list

and pexpr = pexpr_node node_positioned

and 'a ptag_node =
  | JCPTtag of identifier
  | JCPTbottom
  | JCPTtypeof of 'a

and 'a ptag = 'a ptag_node node_positioned

type 'expr clause =
  | JCCrequires of 'expr
  | JCCdecreases of 'expr * identifier option
  | JCCbehavior of 'expr pbehavior

type 'expr reads_or_expr =
  | JCnone
  | JCreads of 'expr list
  | JCexpr of 'expr
  | JCinductive of (identifier * label list * 'expr) list

type field_modifiers = bool * bool

type 'expr decl_node =
  | JCDvar of ptype * string * 'expr option
  | JCDfun of ptype * identifier * (bool * ptype * string) list * 'expr clause list
      * 'expr option
  | JCDtag of
      string (* name of the tag *)
      * string list (* type parameters *)
      * (string * ptype list) option (* parent tag, applied type parameters *)
      * (field_modifiers * ptype * string * int option) list (* fields *)
      * (identifier * string * 'expr) list (* invariants *)
  | JCDvariant_type of string * identifier list
  | JCDunion_type of string * bool * identifier list
    (* name, discriminated, structure names *)
  | JCDenum_type of string * Num.num * Num.num
  | JCDlogic_type of string * string list
  | JCDlemma of string * bool * string list * label list * 'expr
    (* 2nd arg is true if it is an axiom *)
  | JCDexception of string * ptype option
    (* logic functions and predicates (return type: None if predicate) *)
  | JCDlogic of ptype option * string * string list * label list * (ptype * string) list
      * 'expr reads_or_expr
  | JCDlogic_var of ptype * string * 'expr option
  (* global invariant *)
  | JCDglobal_inv of string * 'expr
  (* "pragma" options and policies *)
  | JCDinvariant_policy of Jc_env.inv_sem
  | JCDseparation_policy of Jc_env.separation_sem
  | JCDtermination_policy of Jc_env.termination_policy
  | JCDannotation_policy of Jc_env.annotation_sem
  | JCDabstract_domain of Jc_env.abstract_domain
  | JCDint_model of Jc_env.int_model
  | JCDpragma_gen_sep of string * string * (ptype * string list) list
  | JCDpragma_gen_frame of string * string
  | JCDpragma_gen_sub of string * string
  | JCDpragma_gen_same of string * string
  | JCDaxiomatic of string * 'expr decl list


and 'expr decl = 'expr decl_node node_positioned

type pdecl = pexpr decl

class type ['expr_node] c_nexpr =
object
  inherit labeled
  inherit ['expr_node] node_positioned
end

(** Normalized expressions. Not typed yet, but without gotos. *)
type nexpr_node =
  | JCNEconst of const
  | JCNElabel of string * nexpr
  | JCNEvar of string
  | JCNEderef of nexpr * string
  | JCNEbinary of nexpr * bin_op * nexpr
  | JCNEunary of unary_op * nexpr
  | JCNEapp of string * label list * nexpr list
  | JCNEassign of nexpr * nexpr
  | JCNEinstanceof of nexpr * string
  | JCNEcast of nexpr * ptype
  | JCNEif of nexpr * nexpr * nexpr
  | JCNEoffset of offset_kind * nexpr
  | JCNEaddress of address_kind * nexpr
  | JCNEfresh of nexpr
  | JCNEbase_block of nexpr
  | JCNEalloc of nexpr * string
  | JCNEfree of nexpr
  | JCNElet of ptype option * string * nexpr option * nexpr
  | JCNEassert of identifier list * asrt_kind * nexpr
  | JCNEcontract of
      nexpr option * (nexpr * identifier option) option *
	nexpr pbehavior list * nexpr
	(* requires, decreases, behaviors, expression *)
  | JCNEblock of nexpr list
  | JCNEloop of nexpr loopbehavior list *
      (nexpr * identifier option) option * nexpr
      (*r behaviors, variant, body *)
  | JCNEreturn of nexpr option
  | JCNEtry of nexpr * (identifier * string * nexpr) list * nexpr
  | JCNEthrow of identifier * nexpr option
  | JCNEpack of nexpr * identifier option
  | JCNEunpack of nexpr * identifier option
  | JCNEmatch of nexpr * (ppattern * nexpr) list
  (* Assertions only *)
  | JCNEquantifier of quantifier * ptype * identifier list * nexpr list list * nexpr
  | JCNEold of nexpr
  | JCNEat of nexpr * label
  | JCNEmutable of nexpr * nexpr ptag
  | JCNEeqtype of nexpr ptag * nexpr ptag
  | JCNEsubtype of nexpr ptag * nexpr ptag
  (* Locations only *)
  | JCNErange of nexpr option * nexpr option

and nexpr = nexpr_node c_nexpr


(*************)
(* typed ast *)
(*************)

class type ['pattern_node] c_pattern =
object
  inherit typed
  inherit ['pattern_node] node_positioned
end

type pattern_node =
  | JCPstruct of struct_info * (field_info * pattern) list
  | JCPvar of var_info
  | JCPor of pattern * pattern
  | JCPas of pattern * var_info
  | JCPany
  | JCPconst of const

and pattern = pattern_node c_pattern

class type ['node] c_term =
object
  inherit typed
  inherit regioned
  inherit marked
  inherit labeled
  inherit ['node] node_positioned
end

type 'li app =
    {
      jc_app_fun : 'li;
      jc_app_args : 'li term list;
      mutable jc_app_region_assoc : (region * region) list;
      jc_app_label_assoc : (label * label) list;
    }

and 'li term_node =
  | JCTconst of const
  | JCTvar of var_info
  | JCTshift of 'li term * 'li term
  | JCTderef of 'li term * label * field_info
  | JCTbinary of 'li term * term_bin_op * 'li term
  | JCTunary of term_unary_op * 'li term
  | JCTapp of 'li app
  | JCTold of 'li term
  | JCTat of 'li term * label
  | JCToffset of offset_kind * 'li term * struct_info
  | JCTaddress of address_kind * 'li term
  | JCTbase_block of 'li term
  | JCTinstanceof of 'li term * label * struct_info
  | JCTcast of 'li term * label * struct_info
  | JCTbitwise_cast of 'li term * label * struct_info
  | JCTrange_cast of 'li term * enum_info
  | JCTreal_cast of 'li term * real_conversion
  | JCTif of 'li term * 'li term * 'li term
  | JCTrange of 'li term option * 'li term option
  | JCTlet of var_info * 'li term * 'li term
  | JCTmatch of 'li term * (pattern * 'li term) list

and 'li term = 'li term_node c_term

type 'li tag = 'li tag_node node_positioned

and 'li tag_node =
  | JCTtag of struct_info
  | JCTbottom
  | JCTtypeof of 'li term * struct_info

class type ['node] c_location =
object
  inherit typed
  inherit regioned
  inherit labeled
  inherit ['node] node_positioned
end

type 'li location_set_node =
  | JCLSvar of var_info
  | JCLSderef of 'li location_set * label * field_info * region
(* TODO ?
  | JCLSshift of location_set * term
*)
  | JCLSrange of 'li location_set * 'li term option * 'li term option
  | JCLSrange_term of 'li term * 'li term option * 'li term option
  | JCLSat of 'li location_set * label

and 'li location_node =
  | JCLvar of var_info
  | JCLderef of 'li location_set * label * field_info * region
  | JCLderef_term of 'li term * field_info
  | JCLat of 'li location * label

and 'li location_set = 'li location_set_node c_location

and 'li location = 'li location_node c_location

class type ['assertion_node] c_assertion =
object
  inherit marked
  inherit labeled
  inherit ['assertion_node] node_positioned
end

type 'li assertion_node =
  | JCAtrue
  | JCAfalse
  | JCArelation of 'li term * pred_rel_op * 'li term
  | JCAand of 'li assertion list
  | JCAor of 'li assertion list
  | JCAimplies of 'li assertion * 'li assertion
  | JCAiff of 'li assertion * 'li assertion
  | JCAnot of 'li assertion
  | JCAapp of 'li app
  | JCAquantifier of quantifier * var_info * 'li trigger list * 'li assertion
  | JCAold of 'li assertion
  | JCAat of 'li assertion * label
  | JCAinstanceof of 'li term * label * struct_info
  | JCAbool_term of 'li term
  | JCAfresh of 'li term
  | JCAif of 'li term * 'li assertion * 'li assertion
  | JCAmutable of 'li term * struct_info * 'li tag
  | JCAeqtype of 'li tag * 'li tag * struct_info option
  | JCAsubtype of 'li tag * 'li tag * struct_info option
  | JCAlet of var_info * 'li term * 'li assertion
  | JCAmatch of 'li term * (pattern * 'li assertion) list

and 'li assertion = 'li assertion_node c_assertion

and 'li tpattern = JCAPatT of 'li term | JCAPatP of 'li assertion
and 'li trigger = 'li tpattern list

type 'li term_or_assertion =
  | JCAssertion of 'li assertion
  | JCTerm of 'li term
  | JCNone
  | JCReads of 'li location list
  | JCInductive of (identifier * label list * 'li assertion) list

type 'li loop_annot =
    {
      jc_loop_tag : int;
      mutable jc_loop_behaviors :
	(identifier list *
	   'li assertion option *
	   'li location list option) list;
      mutable jc_free_loop_invariant : 'li assertion;
      jc_loop_variant : ('li term * 'li option) option;
    }


type 'li behavior =
    {
      jc_behavior_throws : exception_info option ;
      jc_behavior_assumes : 'li assertion option ;
      jc_behavior_assigns : (Loc.position * 'li location list) option ;
      jc_behavior_allocates : (Loc.position * 'li location list) option ;
      mutable jc_behavior_ensures : 'li assertion;
      (* "free" postcondition, proved by static analysis. It can be used
	 as the postcondition of a call without being checked in the function
	 body, if static analysis is trusted (option [-trust-ai]) *)
      mutable jc_behavior_free_ensures : 'li assertion;
    }

type 'li fun_spec =
    {
      mutable jc_fun_requires : 'li assertion;
      (* "free" precondition, proved by static analysis. It can be used
	 to prove the function correctness without being checked at
	 calls, if static analysis is trusted (option [-trust-ai]) *)
      mutable jc_fun_free_requires : 'li assertion;
      mutable jc_fun_decreases : ('li term * 'li option) option;
      (* special behavior without [assumes] clause, on which all annotations
	 not specifically attached to a behavior are checked *)
      mutable jc_fun_default_behavior : Loc.position * string * 'li behavior;
      mutable jc_fun_behavior : (Loc.position * string * 'li behavior) list;
    }


(******************)
(*    typed ast   *)
(******************)

class type ['node] c_expr =
object
  inherit typed
  inherit regioned
  inherit marked
  inherit ['node] node_positioned
  method original_type: jc_type
end

(* application, increment and assignment are statements.
   special assignment with operation disappears.
 *)
type ('li,'fi) expr_node =
  | JCEconst of const
  | JCEvar of var_info
  | JCEderef of ('li,'fi) expr * field_info
  | JCEbinary of ('li,'fi) expr * expr_bin_op * ('li,'fi) expr
  | JCEunary of expr_unary_op * ('li,'fi) expr
  | JCEapp of ('li,'fi) call
  | JCEassign_var of var_info * ('li,'fi) expr
  | JCEassign_heap of ('li,'fi) expr * field_info * ('li,'fi) expr
  | JCEinstanceof of ('li,'fi) expr * struct_info
  | JCEcast of ('li,'fi) expr * struct_info
  | JCEbitwise_cast of ('li,'fi) expr * struct_info
  | JCErange_cast of ('li,'fi) expr * enum_info
  | JCEreal_cast of ('li,'fi) expr * real_conversion
  | JCEif of ('li,'fi) expr * ('li,'fi) expr * ('li,'fi) expr
  | JCEoffset of offset_kind * ('li,'fi) expr * struct_info
  | JCEaddress of address_kind * ('li,'fi) expr
  | JCEbase_block of ('li,'fi) expr
  | JCEalloc of ('li,'fi) expr * struct_info
  | JCEfree of ('li,'fi) expr
  | JCEfresh of ('li,'fi) expr
  | JCElet of var_info * ('li,'fi) expr option * ('li,'fi) expr
  | JCEassert of identifier list * asrt_kind * 'li assertion
  | JCEcontract of 'li assertion option *
      ('li term * identifier option) option * var_info *
      (Loc.position * string * 'li behavior) list * ('li,'fi) expr
      (* requires, decreases, vi of \result, behaviors, expression *)
  | JCEblock of ('li,'fi) expr list
  | JCEloop of 'li loop_annot * ('li,'fi) expr
  | JCEreturn_void
  | JCEreturn of jc_type * ('li,'fi) expr (*r expected return type *)
  | JCEtry of ('li,'fi) expr
      * (exception_info * var_info option * ('li,'fi) expr) list * ('li,'fi) expr
  | JCEthrow of exception_info * ('li,'fi) expr option
  | JCEpack of struct_info * ('li,'fi) expr * struct_info
  | JCEunpack of struct_info * ('li,'fi) expr * struct_info
  | JCEmatch of ('li,'fi) expr * (pattern * ('li,'fi) expr) list
  | JCEshift of ('li,'fi) expr * ('li,'fi) expr

and ('li,'fi) expr = ('li,'fi) expr_node c_expr

and ('li,'fi) callee =
    JClogic_fun of 'li | JCfun of 'fi

and ('li,'fi) call =
    {
      jc_call_fun : ('li,'fi) callee;
      jc_call_args : ('li,'fi) expr list;
      mutable jc_call_region_assoc : (region * region) list;
      jc_call_label_assoc : (label * label) list;
    }


(*type incr_op = Stat_inc | Stat_dec*)

(* application, increment and assignment are exprs.
   expressions (without any of the above) are not exprs anymore.
   break, continue, goto are translated with exceptions.
*)


(*
type behavior =
    {
      jc_behavior_throws : exception_info option ;
      jc_behavior_assumes : assertion option ;
(*
      jc_behavior_requires : assertion option ;
*)
      jc_behavior_assigns : location list option ;
      jc_behavior_ensures : assertion;
    }
*)

(*
type fun_spec =
    {
      jc_fun_requires : assertion;
      jc_fun_behavior : (string * behavior) list;
    }
*)



(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_options.mli��������������������������������������������������������������������������0000644�0001750�0001750�00000010166�12311670312�014067� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_stdlib
open Jc_env

(*s environment variables *)

val has_floats : bool ref
val libdir : string
(*val float_lib : string list*)
val get_libfiles : unit -> string list
(*val libfiles : string list ref*)
val add_to_libfiles : string -> unit

(*s command-line options *)

val parse_only : bool
val type_only : bool
val print_graph : bool
val debug : bool
val verbose : bool
val werror : bool
val why3_backend : bool
val why_opt : string
val why3_opt : string

val verify_all_offsets : bool
val verify_invariants_only : bool
val verify : string list
val behavior : string list

val interprocedural : bool
val main : string

val files : unit -> string list 
val usage : unit -> unit

val inv_sem: Jc_env.inv_sem ref
val separation_sem : Jc_env.separation_sem ref
val annotation_sem : Jc_env.annotation_sem ref
val termination_policy : Jc_env.termination_policy ref
val ai_domain : Jc_env.abstract_domain ref
val int_model : Jc_env.int_model ref
val float_model : Jc_env.float_model ref
val float_instruction_set : Jc_env.float_instruction_set ref
val trust_ai : bool
val fast_ai : bool

val gen_frame_rule_with_ft : bool

val current_rounding_mode : Jc_env.float_rounding_mode ref

val verify_behavior: string -> bool

val set_int_model: int_model -> unit

val set_float_model: float_model -> unit

(*s The log file *)

val log : Format.formatter
val lprintf : ('a, Format.formatter, unit) format -> 'a
val close_log : unit -> unit

(*s error handling *)

exception Jc_error of Loc.position * string

val jc_error : Loc.position -> ('a, unit, string, 'b) format4 -> 'a

val parsing_error : Loc.position -> ('a, unit, string, 'b) format4 -> 'a

val pos_table : 
  (string, (string * int * int * int * Output.kind option * (string * Rc.rc_value) list)) 
     Hashtbl.t

val position_of_label: string -> Loc.position option

(*
Local Variables: 
compile-command: "make -C .. bin/jessie.byte"
End: 
*)
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_norm.ml������������������������������������������������������������������������������0000644�0001750�0001750�00000061257�12311670312�013205� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_env
open Jc_envset
open Jc_fenv
open Jc_pervasives
open Jc_constructors
open Jc_ast
open Format
(*
open Jc_iterators
*)
open Jc_constructors.PExpr


(** Normalization: transforms the parsed AST in order to reduce the number of
    constructs. As it works on untyped expressions, the transformations are
    all syntax-oriented:
    - transform switch into sequence of ifs with exceptions
    - transform while and for into loop with gotos
    - transform op-assign into normal assign and op
    - transform gotos into exceptions *)


(**************************************************************************)
(* Globals to add to the list of declarations                             *)
(**************************************************************************)

let name_for_loop_exit = Jc_envset.get_unique_name "Loop_exit"
let name_for_loop_continue = Jc_envset.get_unique_name "Loop_continue"
let name_for_return_label = get_unique_name "Return_label"

let loop_exit = new identifier name_for_loop_exit
let loop_continue = new identifier name_for_loop_continue
let return_label = new identifier name_for_return_label

let label_to_exception = Hashtbl.create 17

let goto_exception_for_label lab =
  (* CIL defines a label "return_label" to go to before returning.
     It is recognized here so that static analysis recognizes these returns
     and avoids merging all returns together. *)
  if lab = "return_label" then return_label else
    try
      Hashtbl.find label_to_exception lab
    with Not_found ->
      let excname = Jc_envset.get_unique_name ("Goto_" ^ lab) in
      let exc = new identifier excname in
      Hashtbl.add label_to_exception lab exc;
      exc


(**************************************************************************)
(* Transformations                                                        *)
(**************************************************************************)

(** Transform switch *)
let normalize_switch pos e caselist =
  (* Give a temporary name to the switch expression, so that modifying
   * a variable on which this expression depends does not interfere
   * with the control-flow, when its value is tested.
   *)
  let epos = e#pos in
  let tmpname = tmp_var_name () in
  let tmpvar = mkvar ~pos:epos ~name:tmpname () in
  let has_default c = List.exists (fun c -> c = None) c in
  (* Test for case considered *)
  let test_one_case ~(neg:bool) c =
    let op = if neg then `Bneq else `Beq in
    mkbinary ~pos:epos ~expr1:tmpvar ~op ~expr2:c ()
  in
  (* Collect negative tests for [default] case *)
  let all_neg_cases () =
    let collect_neg_case c =
      List.fold_right (fun c l -> match c with
			 | Some c -> test_one_case ~neg:true c :: l
			 | None -> l) c []
    in
    fst (List.fold_left (fun (l,after_default) (c,_)  ->
			   if after_default then
			     collect_neg_case c @ l,after_default
			   else
			     l,has_default c
			) ([],false) caselist)
  in
  let test_one_case_or_default = function
    | Some c -> test_one_case ~neg:false c
    | None -> mkand ~pos:epos ~list:(all_neg_cases ()) ()
  in
  let test_case_or_default c =
    mkor ~pos:epos ~list:(List.map test_one_case_or_default c) ()
  in
  let rec cannot_fall_trough e =
    match e#node with
      | JCPEblock [] ->
	  false
      | JCPEblock elist ->
	  cannot_fall_trough (List.hd (List.rev elist))
      | JCPEthrow _ | JCPEreturn _ | JCPEwhile _ | JCPEfor _ ->
	  true
      | JCPEif(_,te,fe) ->
	  cannot_fall_trough te && cannot_fall_trough fe
      | _ -> false
  in
  let rec fold_case (previous_c,acc) =
    function [] -> List.rev acc | (c,e) :: next_cases ->
      (* No need to test on previous values if default present *)
      let current_c = if has_default c then c else previous_c @ c in
      let teste = test_case_or_default current_c in
      (* Case translated into if-statement *)
      if cannot_fall_trough e then
	let nexte = start_fold_case next_cases in
	let ife =
          mkif ~pos:epos ~condition:teste ~expr_then:e ~expr_else:nexte () in
	List.rev (ife :: acc)
      else
	let ife = mkif ~pos:epos ~condition:teste ~expr_then:e () in
	fold_case (current_c, ife :: acc) next_cases
  and start_fold_case caselist =
    let iflist = fold_case ([],[]) caselist in
    mkblock ~pos ~exprs:iflist ()
  in
  let iflist = fold_case ([],[]) caselist in
  let switche = mkblock ~pos ~exprs:iflist () in
  let catche = [mkcatch ~pos ~name:(tmp_var_name()) ~exn:loop_exit ()] in
  let trye = mktry ~pos ~expr:switche ~catches:catche () in
  mklet_nodecl ~var:tmpname ~init:e ~body:trye ()

(** Transform while-loop *)
let normalize_while pos test behs var body =
  let body = match test#node with
    | JCPEconst(JCCboolean true) -> body
	(* Special case of an infinite loop [while(true)].
	 * Then, no condition needs to be tested. This form is expected
	 * for some assertions to be recognized as loop invariants
	 * later on, in annotation inference. *)
    | _ ->
	let exit_ = mkthrow ~pos ~exn:loop_exit () in
	mkif ~pos ~condition:test ~expr_then:body ~expr_else:exit_ ()
  in
  mktry ~pos
    ~expr:
    (mkwhile ~pos ~behaviors:behs ?variant:var
       ~body:
       (mktry ~pos
          ~expr:
          (mkblock ~pos ~exprs:[body; mkthrow ~pos ~exn:loop_continue ()] ())
	  ~catches: [mkcatch ~pos ~name:(tmp_var_name()) ~exn:loop_continue ()]
          ())
       ())
    ~catches:
    [mkcatch ~pos ~name:(tmp_var_name()) ~exn:loop_exit ()]
    ()

(** Transform for-loop *)
let normalize_for pos inits test updates behs var body =
  mkblock ~pos
    ~exprs:(inits
	    @ [mktry ~pos
                 ~expr:
		 (mkwhile ~pos ~behaviors:behs ?variant:var
                    ~body:
		    (mktry ~pos
                       ~expr:
		       (mkblock ~pos ~exprs:[
			  mkif ~pos ~condition:test ~expr_then:body
                            ~expr_else:(mkthrow ~pos ~exn:loop_exit ()) ();
			  mkthrow ~pos ~exn:loop_continue ()] ())
                       ~catches:
		       [mkcatch ~pos ~name:(tmp_var_name()) ~exn:loop_continue
                          ~body:(mkblock ~pos ~exprs:updates ()) ()] ())
                    ())
                 ~catches:
		 [mkcatch ~pos ~name:(tmp_var_name()) ~exn:loop_exit ()]
                 ()
	      ])
    ()

let duplicable =
  Jc_iterators.IPExpr.fold_left
    (fun acc e -> acc && match e#node with
       | JCPEconst _ | JCPEvar _ | JCPErange _ | JCPEderef _ | JCPEfresh _
       | JCPEunary _ | JCPEoffset _ | JCPEaddress _ | JCPEold _ | JCPEat _
       | JCPEbinary _ | JCPEcast _ | JCPEsubtype _ | JCPEbase_block _ ->
	   true
       | JCPEassert _ | JCPEthrow _ | JCPEreturn _ | JCPEeqtype _
       | JCPEbreak _ | JCPEcontinue _  | JCPEgoto _  | JCPEdecl _
       | JCPElabel _ | JCPEinstanceof _ | JCPEalloc _
       | JCPEfree _ | JCPElet _ | JCPEpack _ | JCPEunpack _
       | JCPEquantifier _ | JCPEmutable _ | JCPEassign _
       | JCPEassign_op _ | JCPEif _ | JCPEwhile _ | JCPEblock _
       | JCPEapp _ | JCPEtry _ | JCPEmatch _ | JCPEfor _
       | JCPEswitch _ | JCPEcontract _ ->
	   false
    ) true

(** Transform assign-op *)
let normalize_assign_op pos e1 op e2 =
  if duplicable e1 then
    mkassign
      ~pos
      ~location:e1
      ~value:(mkbinary ~pos ~expr1:e1 ~op ~expr2:e2 ())
      ()
  else
    match e1#node with
      | JCPEderef(e3,f) ->
	  let tmpname = tmp_var_name () in
	  let tmpvar = mkvar ~pos ~name:tmpname () in
	  let e4 = mkderef ~pos ~expr:tmpvar ~field:f () in
	  mklet_nodecl
            ~var:tmpname
            ~init:e3
	    ~body:
            (mkassign
               ~pos
               ~location:e4
               ~value:(mkbinary ~pos ~expr1:e4 ~op ~expr2:e2 ())
               ())
            ()
      | _ -> Jc_options.jc_error pos "Not an lvalue in assignment"

(** Transform unary increment and decrement *)
let normalize_pmunary pos op e =
  let op_of_incdec = function
    | `Uprefix_inc | `Upostfix_inc -> `Badd
    | `Uprefix_dec | `Upostfix_dec -> `Bsub
    | `Uplus -> assert false
  in
  let on_duplicable e =
    match op with
      | `Uprefix_inc | `Uprefix_dec ->
	  (* e = e +/- 1 } *)
	  mkassign
            ~pos
            ~location: e
            ~value:
            (mkbinary
               ~pos
               ~expr1: e
               ~op: (op_of_incdec op)
               ~expr2: (mkint ~pos ~value:1 ())
               ())
            ()
      | `Upostfix_inc | `Upostfix_dec ->
	  let tmpname = tmp_var_name () in
	  let tmpvar = mkvar ~pos ~name:tmpname () in
	  (* let tmp = e in { e = tmp +/- 1; tmp } *)
	  mklet_nodecl
            ~var: tmpname
            ~init: e
            ~body:
	    (mkblock ~pos ~exprs:[
	       mkassign ~pos ~location:e
		 ~value:
                 (mkbinary
                    ~pos
                    ~expr1:tmpvar
                    ~op:(op_of_incdec op)
                    ~expr2:(mkint ~pos ~value:1 ())
                    ())
                 ();
	       tmpvar
	     ] ())
            ()
      | `Uplus -> assert false
  in
  match op with `Uplus -> e | _ ->
    if duplicable e then on_duplicable e else
      match e#node with
	| JCPEderef(e1,f) ->
	    let tmpname = tmp_var_name () in
	    let tmpvar = mkvar ~pos ~name:tmpname () in
	    let e2 = mkderef ~pos ~expr:tmpvar ~field:f () in
	    mklet_nodecl ~var:tmpname ~init:e1 ~body:(on_duplicable e2) ()
	| _ -> Jc_options.jc_error pos "Not an lvalue in assignment"

(** Transform local variable declarations *)
let normalize_locvardecl pos elist =
  mkblock ~pos
    ~exprs:
    (List.fold_right
       (fun e acc ->
	  match e#node with
	    | JCPEdecl(ty,name,initopt) ->
		[mklet_nodecl ~pos:e#pos ~typ:ty ~var:name ?init:initopt
                   ~body:(mkblock ~pos ~exprs:acc ()) ()]
	    | JCPElabel(lab, e1) ->
		(* the scope of lab is indeed extended to the end of that block, so that e.g.
		   { (L: e1); ... ; assert ... \at(x,L) ... }

		   is valid
		*)
		[mklabel
                  ~pos:e#pos
                  ~label:lab
		  (* CAUTION ! shouldn't we recurse normalize on e1 ??? *)
                  ~expr:(mkblock ~pos ~exprs:(e1::acc) ())
		  ()]
		(*
                begin match e1#node with
                  | JCPEdecl(ty,name,initopt) ->
                      [mklabel
                         ~pos:e#pos
                         ~label:lab (*(mkskip e#pos);*)
                         ~expr:
                         (mklet_nodecl
                            ~pos: e#pos
                            ~typ: ty
                            ~var: name
                            ?init: initopt
                            ~body: (mkblock ~pos ~exprs:acc ())
                            ())
                         ()]
                  | _ -> e::acc
                end
		*)
	    | _ -> e::acc
       ) elist []
    )
    ()

let normalize_postaction pos elist =
  let pre_of_post = function
    | `Upostfix_inc -> `Uprefix_inc
    | `Upostfix_dec -> `Uprefix_dec
  in
  mkblock ~pos
    ~exprs:
    (match List.rev elist with [] -> elist | last::elist' ->
       (* Only transform into pre increment/decrement those post increment/
	* decrement whose value is discarded, like all expressions in a block
	* but the last one.
	*)
       (List.fold_left (fun acc e -> match e#node with
			  | JCPEunary(#post_unary_op as op,e') ->
			      new pexpr_with
				~node:(JCPEunary(pre_of_post op,e')) e
			      :: acc
			  | _ -> e :: acc
		       ) [last] elist'
       ))
    ()

(** Apply normalizations recursively *)
let normalize =
  Jc_iterators.map_pexpr
    ~before:(fun e -> match e#node with
	       | JCPEblock elist ->
		   normalize_postaction e#pos elist
	       | _ -> e
	    )
    ~after:(fun e -> match e#node with
	      | JCPEassign_op(e1,op,e2) ->
		  normalize_assign_op e#pos e1 op e2
	      | JCPEunary(#pm_unary_op as op,e') ->
		  normalize_pmunary e#pos op e'
	      | JCPEswitch(e',caselist) ->
		  normalize_switch e#pos e' caselist
	      | JCPEwhile(test,inv,var,body) ->
		  normalize_while e#pos test inv var body
	      | JCPEfor(inits,test,updates,behs,var,body) ->
		  normalize_for e#pos inits test updates behs var body
	      | JCPEbreak lab ->
		  assert (lab = ""); (* TODO for Java *)
		  mkthrow ~pos:e#pos ~exn:loop_exit ()
	      | JCPEcontinue lab ->
		  assert (lab = ""); (* TODO for Java *)
		  mkthrow ~pos:e#pos ~exn:loop_continue ()
	      | JCPEblock elist ->
		  normalize_locvardecl e#pos elist
	      | _ -> e
	   )

(** Transform gotos *)
(* Build the structure of labels in a function body, using Huet's
   zipper, so as to identify 'structured' gotos, i.e., those gotos that
   go forward and do not enter scopes.
*)

let label_used = Hashtbl.create 17

type label_tree =
  | LabelItem of string
  | LabelBlock of label_tree list

let rec printf_label_tree fmt lt =
  match lt with
    | LabelItem s -> fprintf fmt "%s" s
    | LabelBlock l ->
	fprintf fmt "{ %a }" (Pp.print_list Pp.space printf_label_tree ) l

let rec in_label_tree lab = function
  | LabelItem l -> l=lab
  | LabelBlock l -> in_label_tree_list lab l

and in_label_tree_list lab = function
  | [] -> false
  | h::r ->
      in_label_tree lab h || in_label_tree_list lab r

let rec in_label_upper_tree_list lab = function
  | [] -> false
  | LabelItem l :: _ when l=lab -> true
  | _ :: r -> in_label_upper_tree_list lab r

let build_label_tree e : label_tree list =
  (* [acc] is the tree of labels for the list of statements that follow
     the current one, in the same block.
     [fwdacc] is the tree of labels for all the statements that follow
     the current one to the end of the function. It is used to identify
     unused labels.
  *)
  let rec build_bwd e (acc,fwdacc) =
    match e#node with
      | JCPEgoto lab ->
	  (* Count number of forward gotos. Labels with 0 count will
	     not be considered in generated try-catch. *)
	  if in_label_upper_tree_list lab fwdacc then
	    Hashtbl.add label_used lab ()
	  else
	    Jc_options.jc_error e#pos "unsupported goto (backward or to some inner block)";
	  acc,fwdacc
      | JCPElabel (lab, e) ->
	  let l,fwdl = build_bwd e ([],fwdacc) in
	  (LabelItem lab) :: (LabelBlock l) :: acc, (LabelItem lab) :: fwdl
      | JCPEblock sl ->
	  let l,fwdl = List.fold_right build_bwd sl ([],fwdacc) in
	  (LabelBlock l) :: acc, fwdl
      | _ ->
	  let elist = Jc_iterators.IPExpr.subs e in
	  LabelBlock
	    (List.map (fun e -> LabelBlock(fst (build_bwd e ([],fwdacc)))) elist)
	  :: acc, fwdacc
  in
  fst (build_bwd e ([],[]))

let goto_block pos el =
  let rec label_block el =
    match el with [] -> [],[] | e1::r ->
      let elr,labelr = label_block r in
      match e1#node with
	| JCPElabel(lab,e2) when Hashtbl.mem label_used lab ->
	    let e3 = mkblock ~pos ~exprs:(e2::elr) () in
	    let e4 = mklabel ~pos ~label:lab ~expr:e3 () in
	    [],(lab,[e4])::labelr
	| _ -> e1::elr,labelr
  in
  let el,labels = label_block el in
  let el = List.fold_left (fun acc (lab,el) ->
		    let id = goto_exception_for_label lab in
		    (* Throw expression in case of fall-through *)
		    let throw = mkthrow ~pos ~exn:id () in
		    [mktry ~pos
                       ~expr:(mkblock ~pos ~exprs:(acc@[throw]) ())
		       ~catches:
                       [mkcatch ~pos ~name:(tmp_var_name()) ~exn:id
			  ~body:(mkblock ~pos ~exprs:el ()) ()]
                       ()
		    ]
		 ) el labels
  in
  mkblock ~pos ~exprs:el ()

let rec goto e lz =
  let pos = e#pos in
  let enode,lz2 = match e#node with
    | JCPEgoto lab ->
	let id = goto_exception_for_label lab in
	JCPEthrow(id, mkvoid ()), lz
    | JCPElabel (lab,e1) ->
	let lz1 = match lz with
	  | LabelItem lab'::LabelBlock b1::after ->
	      assert (lab=lab');
	      b1@after
	  | _ -> assert false
	in
	let e2, lz2 = goto e1 lz1 in
	JCPElabel(lab,e2), lz2
    | JCPEblock el ->
	let lz1,lz2 = match lz with
	  | LabelBlock b1::after ->
	      b1@after,after
	  | _ -> assert false
	in
	let el,_ =
	  List.fold_left (fun (acc,lz1) e1 ->
			    let e2,lz2 = goto e1 lz1 in e2::acc,lz2
			 ) ([],lz1) el
	in
	let el = List.rev el in
	(goto_block pos el)#node, lz2
    | _ ->
	let elist = Jc_iterators.IPExpr.subs e in
	let lz1list,lz2 = match lz with
	  | LabelBlock b1::after ->
	      List.map
		(function LabelBlock b -> b@after | _ -> assert false) b1,
	      after
	  | _ -> assert false
	in
	let elist,_ = List.split (List.map2 goto elist lz1list) in
	(Jc_iterators.replace_sub_pexpr e elist)#node, lz2
  in new pexpr_with ~node:enode e, lz2


(**************************************************************************)
(* Translation                                                            *)
(**************************************************************************)

(** From parsed expression to normalized expression *)
let rec expr e =
  let enode = match e#node with
    | JCPEconst c -> JCNEconst c
    | JCPElabel(id,e) -> JCNElabel(id,expr e)
    | JCPEvar id -> JCNEvar id
    | JCPEderef(e,id) -> JCNEderef(expr e,id)
    | JCPEbinary(e1,op,e2) -> JCNEbinary(expr e1,op,expr e2)
    | JCPEunary(#unary_op as op,e) -> JCNEunary(op,expr e)
    | JCPEunary _ -> assert false
    | JCPEapp(id,lablist,elist) -> JCNEapp(id,lablist,List.map expr elist)
    | JCPEassign(e1,e2) -> JCNEassign(expr e1,expr e2)
    | JCPEassign_op _ -> assert false
    | JCPEinstanceof(e,id) -> JCNEinstanceof(expr e,id)
    | JCPEcast(e,id) -> JCNEcast(expr e,id)
    | JCPEquantifier(q,ty,idlist,trigs,e) ->
        JCNEquantifier(q,ty,idlist,List.map (List.map expr) trigs,expr e)
    | JCPEold e -> JCNEold(expr e)
    | JCPEat(e,lab) -> JCNEat(expr e,lab)
    | JCPEoffset(off,e) -> JCNEoffset(off,expr e)
    | JCPEfresh e -> JCNEfresh(expr e)
    | JCPEaddress(absolute,e) -> JCNEaddress(absolute,expr e)
    | JCPEbase_block(e) -> JCNEbase_block(expr e)
    | JCPEif(e1,e2,e3) -> JCNEif(expr e1,expr e2,expr e3)
    | JCPElet(tyopt,id,e1,e2) ->
	JCNElet(tyopt,id,Option_misc.map expr e1,expr e2)
    | JCPEdecl _ ->
	assert false
	(* (ty,name,initopt) ->  *)
(* 	JCNElet(Some ty,name,Option_misc.map expr initopt,expr (mkvoid())) *)
    | JCPErange(e1opt,e2opt) ->
	JCNErange(Option_misc.map expr e1opt,Option_misc.map expr e2opt)
    | JCPEalloc(e,id) -> JCNEalloc(expr e,id)
    | JCPEfree e -> JCNEfree(expr e)
    | JCPEmutable(e,tag) -> JCNEmutable(expr e,tag_ tag)
    | JCPEeqtype(tag1,tag2) -> JCNEeqtype(tag_ tag1,tag_ tag2)
    | JCPEsubtype(tag1,tag2) -> JCNEsubtype(tag_ tag1,tag_ tag2)
    | JCPEmatch(e,pelist) ->
	JCNEmatch(expr e,List.map (fun (pat,e) -> (pat,expr e)) pelist)
    | JCPEblock elist -> JCNEblock(List.map expr elist)
    | JCPEassert(behav,asrt,e) -> JCNEassert(behav,asrt,expr e)
    | JCPEcontract(req,dec,behs,e) ->
	JCNEcontract(Option_misc.map expr req,
		     Option_misc.map
		       (fun (t,r) -> (expr t,r)) dec,
		     List.map behavior behs,
		     expr e)
    | JCPEwhile(_,behs,vareopt,e) ->
	let behs = List.map loopbehavior behs in
	JCNEloop(behs,Option_misc.map (fun (v,r) -> (expr v,r)) vareopt,expr e)
    | JCPEfor _ -> assert false
    | JCPEreturn e ->
        begin match e#node with
          | JCPEconst JCCvoid -> JCNEreturn None
          | _ -> JCNEreturn(Some(expr e))
        end
    | JCPEbreak _ -> assert false
    | JCPEcontinue _ -> assert false
    | JCPEgoto _ -> assert false
    | JCPEtry(e,hlist,fe) ->
	let hlist = List.map (fun (id1,id2,e) -> (id1,id2,expr e)) hlist in
	JCNEtry(expr e,hlist,expr fe)
    | JCPEthrow(id, e) ->
	JCNEthrow(id, Some(expr e))
    | JCPEpack(e,idopt) -> JCNEpack(expr e,idopt)
    | JCPEunpack(e,idopt) -> JCNEunpack(expr e,idopt)
    | JCPEswitch _ -> assert false
  in
  new nexpr ~pos:e#pos enode

and tag_ tag =
  let tagnode = match tag#node with
    | JCPTtypeof e -> JCPTtypeof (expr e)
    | JCPTtag _ | JCPTbottom as tagnode -> tagnode
  in
  new ptag ~pos:tag#pos tagnode

and behavior (pos,id,idopt,e1opt,e2opt,asslist,alloclist,e3) =
  (pos,id,idopt,
   Option_misc.map expr e1opt,
   Option_misc.map expr e2opt,
   Option_misc.map (fun (pos,elist) -> pos,List.map expr elist) asslist,
   Option_misc.map (fun (pos,elist) -> pos,List.map expr elist) alloclist,
   expr e3)

and loopbehavior (ids,inv,asslist) =
  (ids,Option_misc.map expr inv,
   Option_misc.map (fun (pos,elist) -> pos,List.map expr elist) asslist)

let expr e =
  let e,_ = goto e (build_label_tree e) in
  let e = expr (normalize e) in
  (*
    let fmt = Format.std_formatter in
    Format.fprintf fmt "Normalized expression:@\n%a@\n@."
    Jc_noutput.expr e;
  *)
  e

(** From parsed clause to normalized clause *)
let clause = function
  | JCCrequires e -> JCCrequires(expr e)
  | JCCdecreases(e,r) -> JCCdecreases(expr e,r)
  | JCCbehavior b -> JCCbehavior(behavior b)


(** From parsed reads-or-expr to normalized reads-or-expr *)
let reads_or_expr = function
  | JCnone -> JCnone
  | JCreads elist -> JCreads(List.map expr elist)
  | JCexpr e -> JCexpr(expr e)
(*
  | JCaxiomatic l -> JCaxiomatic(List.map (fun (id,e) -> (id, expr e)) l)
*)
  | JCinductive l -> JCinductive(List.map (fun (id,labels,e) -> (id, labels, expr e)) l)

(** From parsed declaration to normalized declaration *)
let rec decl d =
  let dnode = match d#node with
    | JCDfun(ty,id,params,clauses,body) ->
	JCDfun(ty,id,params,List.map clause clauses,Option_misc.map expr body)
    | JCDenum_type(id,min,max) ->
	JCDenum_type(id,min,max)
    | JCDvariant_type(id, tags) ->
	JCDvariant_type(id, tags)
    | JCDunion_type(id,discr,tags) ->
	JCDunion_type(id,discr,tags)
    | JCDtag (id, params, extends, fields, invs) ->
	JCDtag (id, params, extends, fields,
		List.map (fun (id,name,e) -> id,name,expr e) invs)
    | JCDvar(ty,id,init) ->
	JCDvar(ty,id,Option_misc.map expr init)
    | JCDlemma(id,is_axiom,poly_args,lab,a) ->
	JCDlemma(id,is_axiom,poly_args,lab,expr a)
    | JCDglobal_inv(id,a) ->
	JCDglobal_inv(id,expr a)
    | JCDexception(id,ty) ->
	JCDexception(id,ty)
    | JCDlogic_var (ty, id, body) ->
	JCDlogic_var (ty, id, Option_misc.map expr body)
    | JCDlogic (ty, id, poly_args, labels, params, body) ->
	JCDlogic (ty, id, poly_args, labels, params, reads_or_expr body)
    | JCDaxiomatic(id,l) -> JCDaxiomatic(id,List.map decl l)
    | JCDlogic_type _
    | JCDint_model _
    | JCDabstract_domain _
    | JCDtermination_policy _
    | JCDannotation_policy _
    | JCDseparation_policy _
    | JCDinvariant_policy _
    | JCDpragma_gen_sep _
    | JCDpragma_gen_frame _
    | JCDpragma_gen_sub _
    | JCDpragma_gen_same _ as e -> e


  in new decl ~pos:d#pos dnode

let decls dlist =
  let unit_type = new ptype (JCPTnative Tunit) in
  [
    new decl (JCDexception(name_for_loop_exit,Some unit_type));
    new decl (JCDexception(name_for_loop_continue,Some unit_type));
    new decl (JCDexception(name_for_return_label,Some unit_type));
  ]
  @ Hashtbl.fold (fun _ exc acc ->
		    new decl (JCDexception(exc#name,Some unit_type))
		    :: acc
		 ) label_to_exception []
  @ List.map decl dlist

(*
  Local Variables:
  compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
  End:
*)
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_stdlib_ge400.ml����������������������������������������������������������������������0000644�0001750�0001750�00000016646�12311670312�014414� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



module List = struct
  include List

  let cons e l = e::l

  let as_singleton = function
    | [e] -> e
    | _ -> failwith "as_singleton"

  let mem_assoc_eq f k l =
    fold_left (fun v_opt (k',v') ->
		 match v_opt with
		   | None ->
		       if f k k' then Some v' else None
		   | Some v -> Some v
	      ) None l

  let all_pairs l =
    let rec aux acc = function
      | e :: l ->
	  let acc = fold_left (fun acc e' -> (e,e') :: acc) acc l in
	  aux acc l
      | [] -> acc
    in
    aux [] l

  let map_fold f acc l =
    let (rev,acc) = List.fold_left
      (fun (rev,acc) e -> let (e,acc) = (f acc e) in (e::rev,acc))
      ([],acc) l in
    (List.rev rev,acc)

  let fold_all_part f acc =
    let rec aux acc part = function
    | [] -> f acc part
    | a::l -> aux (aux acc (a::part) l) part l in
    aux acc []

end

module Set = struct

  module type OrderedType = Set.OrderedType

  module type S = sig
    include Set.S
    val of_list: elt list -> t
    val to_list: t -> elt list
  end

  module Make(Ord : OrderedType) : S with type elt = Ord.t = struct
    include Set.Make(Ord)

    let of_list ls =
      List.fold_left (fun s e -> add e s) empty ls

    let to_list s =
      fold (fun e acc -> e :: acc) s []

  end
end

module Map = struct

  module type OrderedType = Map.OrderedType

  module type S = sig
    include Map.S
    val elements: 'a t -> (key * 'a) list
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val to_list: 'a t -> (key * 'a) list
    val find_or_default: key -> 'a -> 'a t -> 'a
    val find_or_none: key -> 'a t -> 'a option
    val merge: ('a -> 'a -> 'a) -> 'a t -> 'a t -> 'a t
    val add_merge: ('a -> 'a -> 'a) -> key -> 'a -> 'a t -> 'a t
    val diff_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge: ('a -> 'a -> 'a) -> ('a -> bool) -> 'a t -> 'a t -> 'a t
    val inter_merge_option: ('a -> 'b -> 'c option) -> 'a t -> 'b t -> 'c t
  end

  module Make(Ord : OrderedType) : S with type key = Ord.t = struct
    include Map.Make(Ord)

    let elements m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let keys m =
      fold (fun k _v acc -> k :: acc) m []

    let values m =
      fold (fun _k v acc -> v :: acc) m []

    let to_list m =
      fold (fun k v acc -> (k,v) :: acc) m []

    let find_or_default k v m =
      try find k m with Not_found -> v

    let find_or_none k m =
      try Some(find k m) with Not_found -> None

    let merge f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		add k (f v1 v2) m
	      with Not_found ->
		add k v1 m
	   ) m1 m2

    let add_merge f k v m =
      let v =
	try f v (find k m)
	with Not_found -> v
      in
      add k v m

    let diff_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found ->
		add k v1 m
	   ) m1 empty

    let inter_merge f g m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		let v = f v1 v2 in
		if g v then m else add k v m
	      with Not_found -> m
	   ) m1 empty

    let inter_merge_option f m1 m2 =
      fold (fun k v1 m ->
	      try
		let v2 = find k m2 in
		match f v1 v2 with
                  | Some v -> add k v m
                  | None -> m
	      with Not_found -> m
	   ) m1 empty

  end
end

module StdHashtbl = Hashtbl

module Hashtbl = struct

  module type HashedType = Hashtbl.HashedType

  module type S = sig
    include Hashtbl.S
    val keys: 'a t -> key list
    val values: 'a t -> 'a list
    val choose: 'a t -> (key * 'a) option
    val remove_all : 'a t -> key -> unit
    val is_empty : 'a t -> bool
  end

  module type Std = sig
    type ('a, 'b) t
    val create : int -> ('a, 'b) t
    val clear : ('a, 'b) t -> unit
    val add : ('a, 'b) t -> 'a -> 'b -> unit
    val copy : ('a, 'b) t -> ('a, 'b) t
    val find : ('a, 'b) t -> 'a -> 'b
    val find_all : ('a, 'b) t -> 'a -> 'b list
    val mem : ('a, 'b) t -> 'a -> bool
    val remove : ('a, 'b) t -> 'a -> unit
    val replace : ('a, 'b) t -> 'a -> 'b -> unit
    val iter : ('a -> 'b -> unit) -> ('a, 'b) t -> unit
    val fold : ('a -> 'b -> 'c -> 'c) -> ('a, 'b) t -> 'c -> 'c
    val length : ('a, 'b) t -> int
    val hash : 'a -> int
    val hash_param : int -> int -> 'a -> int
  end

  include (struct include Hashtbl let create x = create x end: Std)

  module Make(H : HashedType) : S with type key = H.t = struct
    include Hashtbl.Make(H)

    let keys t =
      fold (fun k _v acc -> k :: acc) t []

    let values t =
      fold (fun _k v acc -> v :: acc) t []

    let choose t =
      let p = ref None in
      begin try
	iter (fun k v -> p := Some(k,v); failwith "Hashtbl.choose") t
      with Failure "Hashtbl.choose" -> () end;
      !p

    let remove_all t p =
      List.iter (fun _ -> remove t p) (find_all t p)

    let is_empty t =
      try
        iter (fun _ _ ->  raise Not_found) t;
        true
      with Not_found -> false
  end

  let remove_all t p =
    List.iter (fun _ -> remove t p) (find_all t p)

  let is_empty t =
    try
      iter (fun _ _ ->  raise Not_found) t;
      true
    with Not_found -> false

end

(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)
������������������������������������������������������������������������������������������why-2.34/jc/jc_common_options.mli�������������������������������������������������������������������0000644�0001750�0001750�00000005004�12311670312�015432� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s command-line options *)

open Jc_env

val debug : bool ref
val verbose : bool ref
val werror : bool ref

val inv_sem: inv_sem ref
val separation_sem : separation_sem ref

(*
Local Variables: 
compile-command: "make -C .. bin/jessie.byte"
End: 
*)
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_output_misc.ml�����������������������������������������������������������������������0000644�0001750�0001750�00000013254�12311670312�014577� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Jc_pervasives
open Jc_env
open Jc_ast
open Format
open Pp

let string_of_termination_policy p =
  match p with
    | Jc_env.TPalways -> "always"
    | Jc_env.TPuser -> "user"
    | Jc_env.TPnever -> "never"

let string_of_invariant_policy p =
  match p with
    | InvNone -> "None"
    | InvArguments -> "Arguments"
    | InvOwnership -> "Ownership"

let string_of_separation_policy p =
  match p with
    | SepNone -> "None"
    | SepRegions -> "Regions"

let string_of_annotation_policy p =
  match p with
    | AnnotNone -> "None"
    | AnnotInvariants -> "Invariants"
    | AnnotElimPre -> "ElimPre"
    | AnnotStrongPre -> "StrongPre"
    | AnnotWeakPre -> "WeakPre"
 
let string_of_abstract_domain p =
  match p with
    | AbsNone -> "None"
    | AbsBox -> "Box"
    | AbsOct -> "Oct"
    | AbsPol -> "Pol"

let string_of_int_model p =
  match p with
    | IMbounded -> "bounded"
    | IMmodulo -> "modulo"

let float_suffix fmt = function
  | `Single -> fprintf fmt "f"
  | `Double -> fprintf fmt "d"
  | `Real -> fprintf fmt ""

let const fmt c =
  match c with
    | JCCinteger s -> fprintf fmt "%s" s
    | JCCreal s -> fprintf fmt "%s" s 
    | JCCboolean b -> fprintf fmt "%B" b
    | JCCnull -> fprintf fmt "null"
    | JCCvoid -> fprintf fmt "()"
    | JCCstring s -> fprintf fmt "\"%s\"" s

let label fmt l =
  match l with
    | LabelName s -> fprintf fmt "%s" s.label_info_name
    | LabelHere -> fprintf fmt "Here" 
    | LabelPre -> fprintf fmt "Pre" 
    | LabelOld -> fprintf fmt "Old" 
    | LabelPost -> fprintf fmt "Post" 

let rec ptype fmt t =
  match t#node with
    | JCPTnative n -> fprintf fmt "%s" (string_of_native n)
    | JCPTidentifier (s,args) -> fprintf fmt "%s%a" s (print_list_delim lchevron rchevron comma ptype) args
    | JCPTpointer (name,params,ao, bo) ->
	begin match ao, bo with
	  | None, None ->
	      fprintf fmt "%s%a[..]" name ptype_params params
	  | Some a, None ->
	      fprintf fmt "%s%a[%s..]" name ptype_params params
                (Num.string_of_num a)
	  | None, Some b ->
	      fprintf fmt "%s%a[..%s]" name ptype_params params
                (Num.string_of_num b)
	  | Some a, Some b ->
	      if Num.eq_num a b then
		fprintf fmt "%s%a[%s]" name ptype_params params
                  (Num.string_of_num a)
	      else
		fprintf fmt "%s%a[%s..%s]" name ptype_params params
		  (Num.string_of_num a) (Num.string_of_num b)
	end

and ptype_params fmt l = print_list_delim lchevron rchevron comma ptype fmt l

let offset_kind fmt k =
  match k with
    | Offset_max -> fprintf fmt "ax"
    | Offset_min -> fprintf fmt "in"

and asrt_kind fmt = function
  | Aassert -> fprintf fmt "assert"
  | Ahint -> fprintf fmt "hint"
  | Aassume -> fprintf fmt "assume"
  | Acheck -> fprintf fmt "check"

and address_kind fmt = function
  | Addr_absolute -> fprintf fmt "absolute_"
  | Addr_pointer -> fprintf fmt ""

let alloc_class fmt = function
  | JCalloc_root vi -> fprintf fmt "alloc-root(%s)" vi.jc_root_info_name
  | JCalloc_bitvector -> fprintf fmt "alloc-bitvector"

let memory_class fmt = function
  | JCmem_field fi -> fprintf fmt "mem-field(%s)" fi.jc_field_info_name
  | JCmem_plain_union vi -> 
      fprintf fmt "mem-plain-union(%s)" vi.jc_root_info_name
  | JCmem_bitvector -> fprintf fmt "mem-bitvector"

let pointer_class = function
  | JCtag(st, _) -> "tag "^st.jc_struct_info_name
  | JCroot vi -> "root "^vi.jc_root_info_name

(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_ai.mli�������������������������������������������������������������������������������0000644�0001750�0001750�00000005240�12311670312�012762� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


open Jc_ast
open Jc_fenv

val normalize_expr: expr -> expr

(* intraprocedural analysis *)
val code_function : fun_info * Loc.position * fun_spec * expr option -> unit


(* interprocedural analysis *)
val main_function : fun_info * Loc.position * fun_spec * expr option -> unit


(*
val is_recursive : fun_info -> bool
*)

(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_main.ml������������������������������������������������������������������������������0000644�0001750�0001750�00000042344�12311670312�013152� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_region
open Jc_ast
open Jc_fenv
open Jc_pervasives

open Format

let parse_file f =
  try
    let c = open_in f in
    let d = Jc_lexer.parse f c in
    close_in c; d
  with
    | Jc_lexer.Lexical_error(l,s) ->
	eprintf "%a: lexical error: %s@." Loc.gen_report_position l s;
	exit 1

let compute_regions logic_components components =
  if !Jc_options.separation_sem = SepRegions then begin
    Jc_options.lprintf "Computation of regions@.";
    (* Preserve order between following calls *)
    Array.iter Jc_separation.logic_component logic_components;
    StringHashtblIter.iter Jc_separation.axiom Jc_typing.lemmas_table;
    StringHashtblIter.iter
      (fun _id data ->
	 List.iter
	   (function Jc_typing.ABaxiom(pos,id,labs,a) ->
	      Jc_separation.axiom id (pos,(* is_axiom = *)true,[],labs,a)
	   ) data.Jc_typing.axiomatics_decls
      ) Jc_typing.axiomatics_table;
    Array.iter Jc_separation.code_component components
  end

let compute_effects logic_components components =
  Jc_options.lprintf "Computation of effects@.";
  (* Preserve order between following calls *)
  Array.iter Jc_effect.logic_effects logic_components;
  Array.iter Jc_effect.function_effects components

let main () =
  let files = Jc_options.files () in
  try match files with [file] ->
    let filename = Filename.chop_extension file in

    (*************************************************************************)
    (*                          PART 1: PARSING                              *)
    (*************************************************************************)

    (* phase 1: parsing *)
    Jc_options.lprintf "Parsing@.";
    let ast = parse_file file in

    if Jc_options.debug then
      Format.printf "@\nAST AFTER PARSING:@\n%a@." Jc_poutput.pdecls ast;

    (*************************************************************************)
    (*                          PART 2: ANALYSIS                             *)
    (*************************************************************************)

    (* phase 2: normalization *)
    Jc_options.lprintf "Normalization@.";
    let ast = Jc_norm.decls ast in

    (* phase 3: typing *)

    (* phase 3.1: type logic labels *)
    Jc_options.lprintf "Typing logic labels@.";
    List.iter Jc_typing.type_labels_in_decl ast;

    (* phase 3.2: type code *)
    Jc_options.lprintf "Typing code@.";
    Jc_typing.type_file ast;

    if Jc_options.debug then
      Format.printf "@\nAST AFTER TYPING:@\n%a@." Jc_typing.print_file ();

    (* phase 4: computation of call graph *)
    Jc_options.lprintf "Computation of call graph@.";
    IntHashtblIter.iter (fun _ (f,t) -> Jc_callgraph.compute_logic_calls f t)
      Jc_typing.logic_functions_table;
    IntHashtblIter.iter
      (fun _ (f,_loc,s,b) ->
	 Option_misc.iter (Jc_callgraph.compute_calls f s) b
      ) Jc_typing.functions_table;

    let logic_components =
      Jc_callgraph.compute_logic_components Jc_typing.logic_functions_table
    in
    let components =
      Jc_callgraph.compute_components Jc_typing.functions_table
    in

    (* update field "component" of functions *)
    Array.iteri
      (fun i l -> List.iter (fun fi -> fi.jc_fun_info_component <- i) l)
      components;

    (* (optional) phase 5: inference of annotations *)
    if !Jc_options.annotation_sem <> AnnotNone then
      begin
	(* phase 5.1: pre-computation of regions *)
	compute_regions logic_components components;

	(* phase 5.2: pre-computation of effects *)
	compute_effects logic_components components;

	(* phase 5.3: inter- or intraprocedural inference of annotations *)
	Jc_options.lprintf "Inference of annotations@.";
	if Jc_options.interprocedural then
	  begin
	    (* interprocedural analysis over the call graph +
	       intraprocedural analysis of each function called *)
	    IntHashtblIter.iter
	      (fun _ (fi, loc, fs, sl) ->
		 if fi.jc_fun_info_name = Jc_options.main then
		   Jc_ai.main_function (fi, loc, fs, sl)
	      ) Jc_typing.functions_table;
	  end
	else
	  (* intraprocedural inference of annotations otherwise *)
	  IntHashtblIter.iter
	    (fun _ (f, loc, s, b) -> Jc_ai.code_function (f, loc, s, b))
	    Jc_typing.functions_table;
      end;

    (* phase 6: add invariants *)
    Jc_options.lprintf "Adding invariants@.";
    let vil =
      IntHashtblIter.fold (fun _tag (vi, _eo) acc -> vi :: acc)
	Jc_typing.variables_table []
    in
    IntHashtblIter.iter
      (fun _tag (f,loc,s,b) -> Jc_invariants.code_function (f, loc, s, b) vil)
      Jc_typing.functions_table;

    (* phase 7: computation of regions *)
    compute_regions logic_components components;

    (* phase 8: computation of effects *)
    compute_effects logic_components components;

    (* (optional)
       generation of the separation predicates : compute the needed
       generated predicates *)
    if Jc_options.gen_frame_rule_with_ft then
      (Jc_options.lprintf "Compute needed predicates@.";
       Jc_frame.compute_needed_predicates ());


    (* (optional) phase 9: checking structure invariants *)
    begin match !Jc_options.inv_sem with
      | InvOwnership ->
	  Jc_options.lprintf "Adding structure invariants@.";
	  StringHashtblIter.iter
            (fun _name (_,invs) -> Jc_invariants.check invs)
	    Jc_typing.structs_table
      | InvNone
      | InvArguments -> ()
    end;

    (*************************************************************************)
    (*                    PART 3: GENERATION OF WHY CODE                     *)
    (*************************************************************************)

    let push_decls, fold_decls, pop_decls =
      let decls = ref [] in
      (fun f -> decls := f !decls),
      (fun f acc -> let d,acc = f (!decls,acc) in decls := d; acc),
      (fun () -> !decls)
    in

    (* production phase 1: generation of Why types *)

    (* production phase 1.1: translate logic types *)
    Jc_options.lprintf "Translate logic types@.";
    push_decls
      (StringHashtblIter.fold 
         (fun _ id acc -> Jc_interp.tr_logic_type id acc)
	 Jc_typing.logic_type_table);

    (* production phase 1.2: translate coding types *)
    Jc_options.lprintf "Translate structures@.";
    push_decls
      (StringHashtblIter.fold (fun _ (st, _) acc -> Jc_interp.tr_struct st acc)
	 Jc_typing.structs_table);

    Jc_options.lprintf "Translate variants@.";
    push_decls
      (StringHashtblIter.fold
         (fun _ -> Jc_interp.tr_root) Jc_typing.roots_table);

    (* production phase 2: generation of Why variables *)

    (* production phase 2.1: translate coding variables *)
    Jc_options.lprintf "Translate variables@.";
    push_decls
      (IntHashtblIter.fold (fun _ (v,e) acc -> Jc_interp.tr_variable v e acc)
	 Jc_typing.variables_table);

    (* production phase 2.2: translate memories *)
    Jc_options.lprintf "Translate memories@.";
    let regions =
      fold_decls
	(StringHashtblIter.fold
	   (fun _ (fi,r) (acc,regions) ->
	      let r = Region.representative r in
	      let acc =
		if RegionSet.mem r regions then acc else
		  Jc_interp.tr_region r acc
	      in
	      Jc_interp.tr_memory (fi,r) acc,RegionSet.add r regions)
	   Jc_effect.constant_memories
	) (RegionSet.singleton dummy_region)
    in

    (* production phase 2.3: translate allocation tables *)
    Jc_options.lprintf "Translate allocation tables@.";
    let regions =
      fold_decls
	(StringHashtblIter.fold
	   (fun _ (a,r) (acc,regions) ->
	      let r = Region.representative r in
	      let acc =
		if RegionSet.mem r regions then acc else
		  Jc_interp.tr_region r acc
	      in
	      Jc_interp.tr_alloc_table (a,r) acc, RegionSet.add r regions)
	   Jc_effect.constant_alloc_tables
	) regions
    in

    (* production phase 2.4: translate tag tables *)
    Jc_options.lprintf "Translate tag tables@.";
    let _ =
      fold_decls
	(StringHashtblIter.fold
	   (fun _ (a,r) (acc,regions) ->
	      let r = Region.representative r in
	      let acc =
		if RegionSet.mem r regions then acc else
		  Jc_interp.tr_region r acc
	      in
	      Jc_interp.tr_tag_table (a,r) acc, RegionSet.add r regions)
	   Jc_effect.constant_tag_tables
	) regions
    in

    (* production phase 3: generation of Why exceptions *)
    Jc_options.lprintf "Translate exceptions@.";
    push_decls
      (StringHashtblIter.fold (fun _ ei acc -> Jc_interp.tr_exception ei acc)
	 Jc_typing.exceptions_table);

    (* production phase 3.1: translate enumerated types *)
    (* Yannick: why here and not together with translation of types? *)
    Jc_options.lprintf "Translate enumerated types@.";
    push_decls
      (StringHashtblIter.fold
	 (fun _ ri acc -> Jc_interp.tr_enum_type ri acc)
	 Jc_typing.enum_types_table);
    let enumlist =
      StringHashtblIter.fold
        (fun _ ri acc -> ri::acc) Jc_typing.enum_types_table []
    in
    let rec treat_enum_pairs pairs acc =
      match pairs with
	| [] -> acc
	| ri1 :: rest ->
	    let acc =
	      List.fold_left
		(fun acc ri2 ->
		   Jc_interp.tr_enum_type_pair ri1 ri2 acc) acc rest
	    in
	    treat_enum_pairs rest acc
    in
    push_decls (treat_enum_pairs enumlist);


    (* production phase 4.1: generation of Why logic functions *)
    Jc_options.lprintf "Translate logic functions@.";
    push_decls
      (IntHashtblIter.fold
	 (fun _ (li, p) acc ->
	    Jc_options.lprintf "Logic function %s@." li.jc_logic_info_name;
	    Jc_frame.tr_logic_fun li p acc)
	 Jc_typing.logic_functions_table );

    (* production phase 4.2: generation of axiomatic logic decls*)
    Jc_options.lprintf "Translate axiomatic declarations@.";
    push_decls
      (StringHashtblIter.fold
	 (fun a data acc ->
	    Jc_options.lprintf "Axiomatic %s@." a;
	    List.fold_left Jc_interp.tr_axiomatic_decl acc 
              data.Jc_typing.axiomatics_decls)
	 Jc_typing.axiomatics_table);


    (* production phase 4.3: generation of lemmas *)
    Jc_options.lprintf "Translate lemmas@.";
    push_decls
      (StringHashtblIter.fold
	 (fun id (loc,is_axiom,_,labels,p) acc ->
	    Jc_interp.tr_axiom loc id is_axiom labels p acc)
	 Jc_typing.lemmas_table);

    (* (optional) production phase 6: generation of global invariants *)
    if !Jc_options.inv_sem = InvOwnership then
      (Jc_options.lprintf "Generation of global invariants@.";
       push_decls Jc_invariants.make_global_invariants);

    (* production phase 7: generation of Why functions *)
    Jc_options.lprintf "Translate functions@.";
    push_decls
      (IntHashtblIter.fold
	 (fun _ (f,loc,s,b) acc ->
	    Jc_options.lprintf
              "Pre-treatement Function %s@." f.jc_fun_info_name;
	    Jc_interp.pre_tr_fun f loc s b acc)
	 Jc_typing.functions_table);
    push_decls
      (IntHashtblIter.fold
	 (fun _ (f,loc,s,b) acc ->
	    Jc_options.lprintf "Function %s@." f.jc_fun_info_name;
	    Jc_interp.tr_fun f loc s b acc)
	 Jc_typing.functions_table);
    push_decls
      (StringHashtblIter.fold
	 (fun n (fname,param_name_assoc) acc ->
	    Jc_interp.tr_specialized_fun n fname param_name_assoc acc)
	 Jc_interp_misc.specialized_functions);

    (* (optional) production phase 8: generation of global invariants *)
    if !Jc_options.inv_sem = InvOwnership then
      begin
	(* production phase 8.1: "mutable" and "committed" declarations *)
	Jc_options.lprintf "Translate mutable and committed declarations@.";
	push_decls
	  (StringHashtblIter.fold
	     (fun _ (st, _) acc -> Jc_invariants.mutable_declaration st acc)
	     Jc_typing.structs_table);

	(* production phase 8.2: pack *)
	Jc_options.lprintf "Translate pack@.";
	push_decls
	  (StringHashtblIter.fold
	     (fun _ (st, _) acc -> Jc_invariants.pack_declaration st acc)
	     Jc_typing.structs_table);

	(* production phase 8.3: unpack *)
	Jc_options.lprintf "Translate unpack@.";
	push_decls
	  (StringHashtblIter.fold
	     (fun _ (st, _) acc -> Jc_invariants.unpack_declaration st acc)
	     Jc_typing.structs_table)
      end;

    (*************************************************************************)
    (*                       PART 5: OUTPUT FILES                            *)
    (*************************************************************************)

    (* union and pointer casts: disabled *)
    if !Region.some_bitwise_region then
      begin
        eprintf "Jessie support for unions and pointer casts is disabled@.";
        exit 1
      end;

    let decls = pop_decls () in

    (* output phase 1: produce Why file *)
    if Jc_options.why3_backend then
      begin
        Jc_options.lprintf "Produce Why3ml file@.";
        Pp.print_in_file
          (fun fmt -> fprintf fmt "%a@."
             (Output.fprintf_why_decls ~why3:true
                ~use_floats:!Jc_options.has_floats
                ~float_model:!Jc_options.float_model
             ) decls)
          (filename ^ ".mlw");
        (* not used by why3, but useful for debugging traceability *)
        let cout_locs,fmt_locs =
          Pp.open_file_and_formatter (Lib.file_subdir "." (filename ^ ".loc"))
        in
        Output.my_print_locs fmt_locs;
        Pp.close_file_and_formatter (cout_locs,fmt_locs);
      end
    else
      begin
        Jc_options.lprintf "Produce Why file@.";
        Pp.print_in_file
          (fun fmt -> fprintf fmt "%a@."
             (Output.fprintf_why_decls ~why3:false
                ~use_floats:!Jc_options.has_floats
                ~float_model:!Jc_options.float_model
             ) decls)
          (Lib.file_subdir "why" (filename ^ ".why"));

        (* output phase 2: produce locs file *)
        Jc_options.lprintf "Produce locs file@.";
        let cout_locs,fmt_locs =
          Pp.open_file_and_formatter (Lib.file_subdir "." (filename ^ ".loc"))
        in
        Output.my_print_locs fmt_locs;
(*
        Output.old_print_pos fmt_locs; (* Generated annotations. *)
*)
        Pp.close_file_and_formatter (cout_locs,fmt_locs);
      end;

    (* output phase 3: produce makefile *)
    Jc_options.lprintf "Produce makefile@.";
    (*
      we first have to update Jc_options.libfiles depending on the current
      pragmas
    *)
    Jc_options.add_to_libfiles
      (if !Region.some_bitwise_region then
         "jessie_bitvectors.why" else "jessie.why");
    if !Jc_options.has_floats then
      begin
        match !Jc_options.float_model with
	  | Jc_env.FMmath -> ()
	  | Jc_env.FMdefensive ->
	      Jc_options.add_to_libfiles "floats_strict.why"
	  | Jc_env.FMfull ->
	      Jc_options.add_to_libfiles "floats_full.why"
	  |  Jc_env.FMmultirounding ->
	       Jc_options.add_to_libfiles "floats_multi_rounding.why"
    end;
    Jc_make.makefile filename

    | _ -> Jc_options.usage ()
  with
    | Jc_typing.Typing_error(l,s) when not Jc_options.debug ->
        eprintf "%a: typing error: %s@." Loc.gen_report_position l s;
        exit 1
    | Jc_options.Jc_error(l,s) when not Jc_options.debug ->
	eprintf "%a: %s@." Loc.gen_report_position l s;
	exit 1
    | Assert_failure(f,l,c) as exn when not Jc_options.debug ->
 	eprintf "%a:@." Loc.gen_report_line (f,l,c,c);
 	raise exn

let _ =
  Sys.catch_break true;
  (* Yannick: [Printexc.catch] deprecated, normal system error seems ok,
     remove call? *)
  if Jc_options.debug then main () else Printexc.catch main ()


(*
  Local Variables:
  compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
  End:
*)
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_constructors.mli���������������������������������������������������������������������0000644�0001750�0001750�00000052340�12311670312�015144� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Jc_env
open Jc_ast
open Jc_fenv

(*
class positioned :
  pos:Loc.position option -> object method pos : Loc.position end
class typed : typ:Jc_env.jc_type -> object method typ : Jc_env.jc_type end
class labeled :
  label:Jc_env.label option ->
  object
    val mutable llab : Jc_env.label option
    method label : Jc_env.label option
    method set_label : Jc_env.label option -> unit
  end
class marked :
  mark:string -> object method mark : string end
class regioned :
  region:Jc_env.region ->
  object
    val mutable r : Jc_env.region
    method region : Jc_env.region
    method set_region : Jc_env.region -> unit
  end
*)


class identifier :
  ?pos:Loc.position ->
  string -> object method pos : Loc.position method name : string end

class ['a] node_positioned :
  ?pos:Loc.position ->
  'a -> object method pos : Loc.position method node : 'a end

class ptype :
  ?pos:Loc.position ->
  ptype_node ->
  object method pos : Loc.position method node : ptype_node end

class pexpr :
  ?pos:Loc.position ->
  pexpr_node ->
  object method pos : Loc.position method node : pexpr_node end

class pexpr_with :
  ?pos:Loc.position ->
  ?node:pexpr_node ->
  < pos : Loc.position; node : pexpr_node; .. > -> pexpr

class nexpr :
  ?pos:Loc.position ->
  ?label:label ->
  nexpr_node ->
  object
    val mutable llab : label option
    method pos : Loc.position
    method label : label option
    method node : nexpr_node
    method set_label : label option -> unit
  end

(*
class nexpr_with :
  ?pos:Loc.position ->
  ?node:nexpr_node ->
  < pos : Loc.position; label : label;
    node : nexpr_node; .. > ->
  nexpr
*)

class pattern :
  ?pos:Loc.position ->
  typ:jc_type ->
  pattern_node ->
  object
    method pos : Loc.position
    method node : pattern_node
    method typ : jc_type
  end

(*
class pattern_with :
  ?pos:Loc.position ->
  ?node:pattern_node ->
  ?typ:jc_type ->
  < pos : Loc.position; node : pattern_node; typ : jc_type;
    .. > ->
  pattern
*)


class term :
  ?pos:Loc.position ->
  typ:jc_type ->
  ?mark:string ->
  ?label:label ->
  ?region:region ->
  term_node ->
  object
    val mutable r : region
    method pos : Loc.position
    method mark : string
    method node : term_node
    method region : region
    method set_region : region -> unit
    method label : label option
    method set_label : label option -> unit
    method typ : jc_type
  end

class term_with :
  ?pos:Loc.position ->
  ?typ:jc_type ->
  ?mark:string ->
  ?region:region ->
  ?node:term_node ->
  < pos : Loc.position; mark : string; node : term_node;
    label: label option; 
    region : region; typ : jc_type; .. > ->
  term

class term_var :
  ?pos:Loc.position -> ?mark:string -> var_info -> term

class location :
  ?pos:Loc.position ->
  typ:jc_type ->
  ?label:label ->
  ?region:region ->
  location_node ->
  object
    val mutable r : region
    method pos : Loc.position
    method typ : jc_type
    method node : location_node
    method region : region
    method set_region : region -> unit
    method label : label option
    method set_label : label option -> unit
  end

class location_with :
  ?pos:Loc.position ->
  typ:jc_type ->
  ?label:label ->
  ?region:region ->
  node:location_node ->
  < pos : Loc.position; region : region; .. > ->
  location

class location_set :
  ?pos:Loc.position ->
  typ:jc_type ->
  ?label:label ->
  ?region:region ->
  location_set_node ->
  object
    val mutable r : region
    method pos : Loc.position
    method typ : jc_type
    method node : location_set_node
    method region : region
    method set_region : region -> unit
    method label : label option
    method set_label : label option -> unit
  end

class location_set_with :
  ?pos:Loc.position ->
  typ:jc_type ->
  ?label:label ->
  ?region:region ->
  node:location_set_node ->
  < pos : Loc.position; region : region; .. > ->
  location_set

class expr :
  ?pos:Loc.position ->
  typ:jc_type ->
  ?mark:string ->
  ?region:region ->
  ?original_type:jc_type ->
  expr_node ->
  object
    val mutable r : region
    method pos : Loc.position
    method mark : string
    method node : expr_node
    method original_type : jc_type
    method region : region
    method set_region : region -> unit
    method typ : jc_type
  end
class expr_with :
  ?pos:Loc.position ->
  ?typ:jc_type ->
  ?mark:string ->
  ?region:region ->
  ?node:expr_node ->
  ?original_type:jc_type ->
  < pos : Loc.position; mark : string; node : expr_node;
    original_type : jc_type; region : region;
    typ : jc_type; .. > ->
  expr


class assertion :
  ?mark:string ->
  ?label:label ->
  ?pos:Loc.position ->
  assertion_node ->
  object
    method pos : Loc.position
    method mark : string
    method label : label option
    method set_label : label option -> unit
    method node : assertion_node
  end


class assertion_with :
  ?pos:Loc.position ->
  ?mark:string ->
  ?node:assertion_node ->
  < pos : Loc.position; mark : string; node : assertion_node;
    label: label option;
    .. > ->
  assertion

class ['a] ptag :
  ?pos:Loc.position ->
  'a ptag_node ->
  object method pos : Loc.position method node : 'a ptag_node end

class ['a] ptag_with :
  ?pos:Loc.position ->
  ?node:'a ptag_node ->
  < pos : Loc.position; node : 'a ptag_node; .. > -> ['a] ptag

class tag :
  ?pos:Loc.position ->
  tag_node ->
  object method pos : Loc.position method node : tag_node end

class tag_with :
  ?pos:Loc.position ->
  ?node:tag_node ->
  < pos : Loc.position; node : tag_node; .. > -> tag

class ['a] decl :
  ?pos:Loc.position ->
  'a decl_node ->
  object method pos : Loc.position method node : 'a decl_node end

(*

class ['a] decl_with :
  ?pos:Loc.position ->
  ?node:'a decl_node ->
  < pos : Loc.position; node : 'a decl_node; .. > -> ['a] decl
module Const :
  sig
    val mkvoid : const
    val mknull : const
    val mkboolean : bool -> const
    val mkint : ?value:int -> ?valuestr:string -> unit -> const
    val mkreal : ?value:float -> ?valuestr:string -> unit -> const
  end
val oo : 'a option -> 'a -> 'a
*)

module PExpr :
  sig
(*
    val mk : ?pos:Loc.position -> node:pexpr_node -> unit -> pexpr
*)
    val mkconst : const:const -> ?pos:Loc.position -> unit -> pexpr

    val mkvoid : ?pos:Loc.position -> unit -> pexpr

    val mknull : ?pos:Loc.position -> unit -> pexpr

    val mkboolean : value:bool -> ?pos:Loc.position -> unit -> pexpr

    val mkint :
      ?value:int -> ?valuestr:string -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkreal :
      ?value:float -> ?valuestr:string -> ?pos:Loc.position -> unit -> pexpr
*)
    val mkbinary :
      expr1:pexpr ->
      op:bin_op ->
      expr2:pexpr -> ?pos:Loc.position -> unit -> pexpr
(*
    val mkbinary_list :
      default:pexpr ->
      op:bin_op ->
      ?expr1:pexpr ->
      ?expr2:pexpr ->
      ?list:pexpr list -> ?pos:Loc.position -> unit -> pexpr
*)
    val mkand :
      ?expr1:pexpr ->
      ?expr2:pexpr ->
      ?list:pexpr list -> ?pos:Loc.position -> unit -> pexpr

    val mkor :
      ?expr1:pexpr ->
      ?expr2:pexpr ->
      ?list:pexpr list -> ?pos:Loc.position -> unit -> pexpr

    val mkadd :
      ?expr1:pexpr ->
      ?expr2:pexpr ->
      ?list:pexpr list -> ?pos:Loc.position -> unit -> pexpr

    val mklabel :
      label:string -> expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkvar : name:string -> ?pos:Loc.position -> unit -> pexpr

    val mkderef :
      expr:pexpr -> field:string -> ?pos:Loc.position -> unit -> pexpr

    val mkunary :
      expr:pexpr ->
      op:pexpr_unary_op -> ?pos:Loc.position -> unit -> pexpr

    val mkapp :
      fun_name:string ->
      ?labels:label list ->
      ?args:pexpr list -> ?pos:Loc.position -> unit -> pexpr

    val mkassign :
      location:pexpr ->
      value:pexpr ->
      ?field:string ->
      ?op:bin_op -> ?pos:Loc.position -> unit -> pexpr

    val mkinstanceof :
      expr:pexpr -> typ:string -> ?pos:Loc.position -> unit -> pexpr

    val mkcast :
      expr:pexpr -> typ:ptype -> ?pos:Loc.position -> unit -> pexpr

    val mkquantifier :
      quantifier:quantifier ->
      typ:ptype ->
      vars:identifier list ->
      ?triggers:pexpr list list ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkforall :
      typ:ptype ->
      vars:identifier list ->
      ?triggers:pexpr list list ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkexists :
      typ:ptype ->
      vars:string list ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr
    val mkold : expr:pexpr -> ?pos:Loc.position -> unit -> pexpr
*)

    val mkat :
      expr:pexpr ->
      label:label -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkoffset :
      kind:offset_kind ->
      expr:pexpr -> ?pos:Loc.position -> unit -> pexpr
    val mkoffset_min :
      expr:pexpr -> ?pos:Loc.position -> unit -> pexpr
*)

    val mkoffset_max :
      expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkfresh :
      expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkif :
      condition:pexpr ->
      expr_then:pexpr ->
      ?expr_else:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkblock :
      exprs:pexpr list -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkdecl :
      typ:ptype ->
      var:string -> ?init:pexpr -> ?pos:Loc.position -> unit -> pexpr
*)
    val mklet :
      ?typ:ptype ->
      var:string ->
      ?init:pexpr ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mklet_nodecl :
      ?typ:ptype ->
      var:string ->
      ?init:pexpr ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkrange :
      ?left:pexpr ->
      ?right:pexpr ->
      ?locations:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkalloc :
      ?count:pexpr -> typ:string -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkfree : expr:pexpr -> ?pos:Loc.position -> unit -> pexpr
    val mkmutable :
      expr:pexpr ->
      tag:pexpr ptag -> ?pos:Loc.position -> unit -> pexpr
    val mktag_equality :
      tag1:pexpr ptag ->
      tag2:pexpr ptag -> ?pos:Loc.position -> unit -> pexpr
    val mkmatch :
      expr:pexpr ->
      cases:(ppattern * pexpr) list ->
      ?pos:Loc.position -> unit -> pexpr
*)

    val mkassert : ?behs:identifier list -> expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkwhile :
      ?condition:pexpr ->
      ?behaviors:pexpr loopbehavior list ->
      ?variant:(pexpr * identifier option) ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkfor :
      ?inits:pexpr list ->
      ?condition:pexpr ->
      ?updates:pexpr list ->
      ?behaviors:pexpr loopbehavior list ->
      ?variant:(pexpr * identifier option) ->
      body:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkreturn : ?expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkbreak : ?label:string -> ?pos:Loc.position -> unit -> pexpr

    val mkcontinue : ?label:string -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkgoto : label:string -> ?pos:Loc.position -> unit -> pexpr

*)

    val mktry :
      expr:pexpr ->
      ?catches:(identifier * string * pexpr) list ->
      ?finally:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkthrow :
      exn:identifier ->
      ?argument:pexpr -> ?pos:Loc.position -> unit -> pexpr

(*
    val mkpack :
      expr:pexpr ->
      ?tag:identifier -> ?pos:Loc.position -> unit -> pexpr
    val mkunpack :
      expr:pexpr ->
      ?tag:identifier -> ?pos:Loc.position -> unit -> pexpr
*)

    val mkswitch :
      expr:pexpr ->
      ?cases:(pexpr option list * pexpr) list ->
      ?pos:Loc.position -> unit -> pexpr

    val mkcatch :
      exn:'a ->
      ?name:string ->
      ?body:pexpr -> ?pos:Loc.position -> unit -> 'a * string * pexpr

    val mkshift :
      expr:pexpr ->
      offset:pexpr ->
      ?list:pexpr list -> ?pos:Loc.position -> unit -> pexpr

    val mknot : expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkeq :
      expr1:pexpr ->
      expr2:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkimplies :
      expr1:pexpr ->
      expr2:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkiff :
      expr1:pexpr ->
      expr2:pexpr -> ?pos:Loc.position -> unit -> pexpr

    val mkincr_heap :
      expr:pexpr ->
      field:string ->
      ?op:pexpr_unary_op -> ?pos:Loc.position -> unit -> pexpr

    val mkcontract : 
      requires:pexpr option ->
      decreases:(pexpr * Jc_ast.identifier option) option ->
      behaviors:pexpr pbehavior list ->
      expr:pexpr -> ?pos:Loc.position -> unit -> pexpr

  end

module NExpr :
  sig
    val mkcast :
      expr:nexpr -> typ:ptype -> ?pos:Loc.position -> unit -> nexpr
  end

module PDecl :
  sig
(*
    val mk : ?pos:Loc.position -> node:'a -> unit -> 'a node_positioned
*)
    val mkfun_def :
      ?result_type:ptype ->
      name:identifier ->
      ?params:(bool * ptype * string) list ->
      ?clauses:'a clause list ->
      ?body:'a ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mklemma_def :
      name:string ->
      ?axiom:bool ->
      ?poly_args:string list ->
      ?labels:label list ->
      body:'a ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mklogic_var_def :
      typ:ptype ->
      name:string ->
      ?body:'a ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mklogic_def :
      ?typ:ptype ->
      name:string ->
      ?poly_args:string list ->
      ?labels:label list ->
      ?params:(ptype * string) list ->
      ?reads:'a list ->
      ?body:'a ->
      ?inductive:(identifier * label list * 'a) list ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkaxiomatic :
      name:string ->
      decls:'a Jc_ast.decl list -> 
      ?pos:Loc.position -> 
      unit -> 'a decl_node node_positioned

    val mklogic_type :
      ?args:string list ->
      name:string ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkvar_def :
      typ:ptype ->
      name:string ->
      ?init:'a ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkglobal_inv_def :
      name:string ->
      body:'a ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mktag_def :
      name:string ->
      ?params:string list ->
      ?super:string * ptype list ->
      ?fields:(field_modifiers * ptype * string * int option) list ->
      ?invariants:(identifier * string * 'a) list ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkenum_type_def :
      name:string ->
      left:Num.num ->
      right:Num.num ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkexception_def :
      name:string ->
      ?arg_type:ptype ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkvariant_type_def :
      name:string ->
      ?tags:identifier list ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkinvariant_policy_def :
      value:inv_sem ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mktermination_policy_def :
      value:termination_policy ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkseparation_policy_def :
      value:separation_sem ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkannotation_policy_def :
      value:annotation_sem ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

    val mkabstract_domain_def :
      value:abstract_domain ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

(*

    val mkint_model_def :
      value:int_model ->
      ?pos:Loc.position -> unit -> 'a decl_node node_positioned

*)

    val mkbehavior :
      ?pos:Loc.position ->
      name:string ->
      ?throws:identifier ->
      ?assumes:pexpr ->
      ?requires:pexpr ->
      ?assigns:Loc.position * pexpr list ->
      ?allocates:Loc.position * pexpr list ->
      ?ensures:pexpr -> unit -> pexpr pbehavior

    val mkrequires_clause : 'a -> 'a clause

    val mkdecreases_clause : ?measure:identifier -> 'a -> 'a clause

    val mkbehavior_clause :
      ?pos:Loc.position ->
      name:string ->
      ?throws:identifier ->
      ?assumes:pexpr ->
      ?requires:pexpr ->
      ?assigns:Loc.position * pexpr list ->
      ?allocates:Loc.position * pexpr list ->
      ?ensures:pexpr -> unit -> pexpr clause

(*
    val mkbehavior_with :
      ?pos:Loc.position ->
      ?name:string ->
      ?throws:identifier option ->
      ?assumes:'a option ->
      ?requires:'a option ->
      ?assigns:(Loc.position * 'a list) option ->
      ?ensures:'a -> 'a clause -> 'a clause
*)

    val mkassigns :
      ?pos:Loc.position ->
      ?locations:'a list -> unit -> Loc.position * 'a list

(*
    val mktag_invariant : name:'a -> var:'b -> body:'c -> 'a * 'b * 'c
    val behavior_ensures : 'a clause -> 'a
*)
  end


module Expr :
  sig
    val mk :
      ?pos:Loc.position ->
      typ:jc_type ->
      ?mark:string ->
      ?region:region ->
      ?original_type:jc_type -> node:expr_node -> unit -> expr
    val mkint :
      ?value: int ->
      ?valuestr:string ->
      ?pos:Loc.position ->
      ?mark:string ->
      ?region:region ->
      ?original_type:jc_type -> unit -> expr
    val mkbinary :
      expr1:expr ->
      op:expr_bin_op ->
      expr2:expr -> 
      ?pos:Loc.position ->
      typ:jc_type ->
      ?mark:string ->
      ?region:region ->
      ?original_type:jc_type -> unit -> expr
    val mklet :
      var:var_info ->
      ?init:expr ->
      body:expr ->
      ?pos:Loc.position ->
      ?mark:string ->
      ?region:region -> ?original_type:jc_type -> unit -> expr
    val mkvar :
      var:var_info ->
      ?pos:Loc.position ->
      ?mark:string ->
      ?region:region -> ?original_type:jc_type -> unit -> expr
    val is_app : < node : expr_node; .. > -> bool
  end



module Term :
  sig
(*
    val mk :
      ?pos:Loc.position ->
      typ:jc_type ->
      ?mark:string ->
      ?region:region -> node:term_node -> unit -> term
*)

    val mkint :
      ?value: int ->
      ?valuestr:string ->
      ?pos:Loc.position ->
      ?mark:string ->
      ?region:region -> unit -> term
    val mkbinary :
      term1:term ->
      op:term_bin_op ->
      term2:term -> 
      ?pos:Loc.position ->
      typ:jc_type ->
      ?mark:string ->
      ?region:region -> unit -> term
    val mkvar :
      var:var_info ->
      ?pos:Loc.position ->
      ?mark:string -> ?region:region -> unit -> term
  end

module Assertion :
  sig
(*
    val mk :
      ?pos:Loc.position ->
      ?mark:string -> node:assertion_node -> unit -> assertion
    val fake : ?pos:'a -> ?mark:'b -> value:'c -> unit -> 'c
*)

    val is_true : assertion -> bool
    val is_false : assertion -> bool

    val mktrue : ?pos:Loc.position -> ?mark:string -> unit -> assertion

    val mkfalse :
      ?pos:Loc.position -> ?mark:string -> unit -> assertion

    val mkand :
      conjuncts:assertion list ->
      ?pos:Loc.position -> ?mark:string -> unit -> assertion

    val mkor :
      disjuncts:assertion list ->
      ?pos:Loc.position -> ?mark:string -> unit -> assertion

    val mknot :
      asrt:assertion ->
      ?pos:Loc.position -> ?mark:string -> unit -> assertion

  end

(*
Local Variables: 
compile-command: "LC_ALL=C nice make -j -C .. byte"
End: 
*)
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/output.mli������������������������������������������������������������������������������0000644�0001750�0001750�00000022432�12311670312�013257� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



type constant =
  | Prim_void
  | Prim_int of string
  | Prim_real of string
  | Prim_bool of bool
(*
  | Prim_string of string
*)

type logic_type =
    { logic_type_name : string;
      logic_type_args : logic_type list;
    }

val logic_type_var : string -> logic_type

val fprintf_logic_type : Format.formatter -> logic_type -> unit


type term =
  | LConst of constant
  | LApp of string * term list
  | LVar of string                  (*r immutable logic var *)
  | LDeref of string                     (*r !r *) 
  | LDerefAtLabel of string * string     (*r x@L *)
  | Tnamed of string * term
  | TIf of term * term * term
  | TLet of string * term * term

val match_term : (string * term) list -> term -> term -> (string * term) list

val fprintf_term : Format.formatter -> term -> unit

type assertion =
  | LTrue | LFalse
  | LAnd of assertion * assertion
  | LOr of assertion * assertion
  | LIff of assertion * assertion
  | LNot of assertion
  | LImpl of assertion * assertion
  | LIf of term * assertion * assertion
  | LLet of string * term * assertion
  | LForall of string * logic_type * trigger list list * assertion
      (*r forall x:t.a *)
  | LExists of string * logic_type * trigger list list * assertion
      (*r exists x:t.a *)
  | LPred of string * term list
  | LNamed of string * assertion

and trigger =
  | LPatP of assertion
  | LPatT of term

val make_var : string -> term


val make_or : assertion -> assertion -> assertion
val make_and : assertion -> assertion -> assertion
val make_or_list : assertion list -> assertion
val make_and_list : assertion list -> assertion
val make_forall_list : (string * logic_type) list -> trigger list list
  -> assertion -> assertion
val make_impl : assertion -> assertion -> assertion
val make_impl_list : assertion -> assertion list -> assertion
val make_equiv : assertion -> assertion -> assertion

val fprintf_assertion : Format.formatter -> assertion -> unit

type why_type =
  | Prod_type of string * why_type * why_type (*r (x:t1)->t2 *)
  | Base_type of logic_type
  | Ref_type of why_type
  | Annot_type of
      assertion * why_type *
      string list * string list * assertion * ((string * assertion) list)
	(*r { P } t reads r writes w raises E { Q | E => R } *)
;;

val int_type : why_type
val bool_type : why_type
val unit_type : why_type
val base_type : string -> why_type

type variant = term * string option

type opaque = bool

type assert_kind = [`ASSERT | `CHECK]

type expr_node =
  | Cte of constant
  | Var of string
  | And of expr * expr
  | Or of expr * expr
  | Not of expr
  | Void
  | Deref of string
  | If of expr * expr * expr
  | While of
      expr (* loop condition *)
      * assertion (* invariant *)
      * variant option (* variant *)
      * expr list (* loop body *)
  | Block of expr list
  | Assign of string * expr
  | MultiAssign of string * Loc.position * (string * expr) list *
      bool * term * expr * string * expr * string *
      (int * bool * bool * string) list
      (*

         this construction is not in Why, but a temporary construction
         used by jessie to denote "parallel updates"

         [MultiAssign(mark,pos,lets,talloc,alloc,tmpe,e,f,l)] where [l]
         is a list of pair (i,b1,b2,e') for distincts i, denotes the
         parallel updates (lets) let tmpe = e in (tmpe+i).f = e'

         booleans [b1] and [b2] indicates whether it is safe to ignore
         bound checking on the left resp on the right

         [alloc] is the allocation table for safety conditions
         [lets] is a sequence of local bindings for expressions e'
      *)
  | Let of string * expr * expr
  | Let_ref of string * expr * expr
  | App of expr * expr * why_type option
  | Raise of string * expr option
  | Try of expr * string * string option * expr
  | Fun of (string * why_type) list *
      assertion * expr * assertion * ((string * assertion) list)
  | Triple of opaque *
      assertion * expr * assertion * ((string * assertion) list)
  | Assert of assert_kind * assertion * expr
(*
  | Label of string * expr
*)
  | BlackBox of why_type
  | Absurd
  | Loc of Lexing.position * expr

and expr = 
    { expr_labels : string list;
      expr_loc_labels : string list;
      expr_node : expr_node;
    }

;;

val mk_expr : expr_node -> expr
val mk_var : string -> expr
val void : expr

(*
val make_block : string list -> string list -> expr list -> expr
*)

val fprintf_expr : Format.formatter -> expr -> unit

val make_or_expr : expr -> expr -> expr
val make_and_expr : expr -> expr -> expr


(*

  [make_app id [e1;..;en])] builds
  App(...(App(Var(id),e1),...,en)

*)

val make_app : ?ty:why_type -> string -> expr list -> expr
val make_logic_app : ?ty:why_type -> string -> expr list -> expr
val make_app_e : ?ty:why_type -> expr -> expr list -> expr

(*

  [make_label l e] adds label l to e

  In the case of a block, add it to the first instruction of the block, if there
  is one.
*)

val make_label : string -> expr -> expr;;

(*

  [make_while cond inv dec e] builds

  while cond do { invariant inv variant dec } e

  applying simplifications if possible

*)
val make_while : expr -> assertion -> variant option -> expr -> expr;;

val make_pre : assertion -> expr -> expr;;

val append : expr -> expr -> expr

type why_id = { name : string ; loc : Loc.floc }

val id_no_loc : string -> why_id

type goal_kind = KAxiom | KLemma | KGoal

type why_decl =
  | Param of bool * why_id * why_type         (*r parameter in why *)
  | Def of why_id * bool *     (* "diverges" flag *)
            expr               (*r global let in why *)
  | Logic of bool * why_id * (string * logic_type) list * logic_type    (*r logic decl in why *)
  | Predicate of bool * why_id * (string * logic_type) list * assertion
  | Inductive of bool * why_id * (string * logic_type) list *
      (string * assertion) list (*r inductive definition *)
  | Goal of goal_kind * why_id * assertion         (*r Goal *)
  | Function of bool * why_id * (string * logic_type) list * logic_type * term
  | Type of why_id * string list
  | Exception of why_id * logic_type option

val fprintf_why_decl : Format.formatter -> why_decl -> unit;;

val fprintf_why_decls : ?why3:bool -> ?use_floats:bool -> 
  float_model:Jc_env.float_model -> Format.formatter -> why_decl list -> unit

type kind =
  | VarDecr
  | ArithOverflow
  | DownCast
  | IndexBounds
  | PointerDeref
  | UserCall
  | DivByZero
  | AllocSize
  | Pack
  | Unpack
  | FPoverflow

val print_kind : Format.formatter -> kind -> unit

(*
val pos_table :
    (string, (kind option * string option * string option *
                string * int * int * int))
    Hashtbl.t
*)

(*
val my_pos_table :
    (string, (kind option * string option * string option *
                string * int * int * int))
    Hashtbl.t
*)

val my_add_pos :
  string -> (kind option * string option * string option *
               string * int * int * int) -> unit

val my_print_locs : Format.formatter -> unit

(* backward compatibility for Krakatoa and Jessie plugin *)

val old_reg_pos : string -> ?id:string -> ?kind:kind -> ?name:string
  -> ?formula:string -> Loc.floc -> string

val old_print_pos : Format.formatter -> unit


��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_fenv.ml������������������������������������������������������������������������������0000644�0001750�0001750�00000017432�12311670312�013164� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast

module rec LocationOrd
  : Map.OrderedType with type t = Effect.logic_info location =
struct
  type t = Effect.logic_info location
  let compare loc1 loc2 = 
    match loc1#node,loc2#node with
      | JCLvar v1, JCLvar v2 -> VarOrd.compare v1 v2
      | JCLvar _v, _ -> 1
      | _, JCLvar _v -> -1
      | _,_ -> 0
	  (* TODO: complete def of Location *)
end

and Location
  : Map.OrderedType with type t = Effect.logic_info location * Memory.t =
  PairOrd(LocationOrd)(Memory)

and LocationSet : Set.S with type elt = Location.t = Set.Make(Location)

and LocationMap : Map.S with type key = Location.t = Map.Make(Location)

and Effect : 
sig 
  type effect =
      {
	jc_effect_alloc_tables: LogicLabelSet.t AllocMap.t;
	jc_effect_tag_tables: LogicLabelSet.t TagMap.t;
	jc_effect_raw_memories: LogicLabelSet.t MemoryMap.t;
	jc_effect_precise_memories: LogicLabelSet.t LocationMap.t;
	jc_effect_memories: LogicLabelSet.t MemoryMap.t;
	jc_effect_globals: LogicLabelSet.t VarMap.t;
	jc_effect_locals: LogicLabelSet.t VarMap.t;
	jc_effect_mutable: StringSet.t;
	jc_effect_committed: StringSet.t;
      }

  type fun_effect =
      {
	jc_reads : effect;
	jc_writes : effect;
	jc_raises : ExceptionSet.t;
      }

  type logic_info =
      {
	jc_logic_info_tag : int;
	jc_logic_info_name : string;
	mutable jc_logic_info_final_name : string;
	mutable jc_logic_info_result_type : jc_type option;
	mutable jc_logic_info_result_region : region;
        mutable jc_logic_info_poly_args : type_var_info list;
	mutable jc_logic_info_parameters : var_info list;
	mutable jc_logic_info_param_regions : region list;
	mutable jc_logic_info_effects : effect;
	mutable jc_logic_info_calls : logic_info list;
	mutable jc_logic_info_axiomatic : string option;
	mutable jc_logic_info_labels : label list;
      }

  type builtin_treatment =
    | TreatNothing
    | TreatGenFloat of float_format

  type fun_info = 
      {
	jc_fun_info_tag : int;
	jc_fun_info_name : string;
	mutable jc_fun_info_final_name : string;
	mutable jc_fun_info_builtin_treatment : builtin_treatment; 
	jc_fun_info_result : var_info;
	jc_fun_info_return_region : region;
	(* If function has a label "return_label", this is a label denoting
	   the return statement of the function, to be used by static 
	   analysis to avoid merging contexts *)
	mutable jc_fun_info_has_return_label : bool;
	mutable jc_fun_info_parameters : (bool * var_info) list;
	mutable jc_fun_info_param_regions : region list;
	mutable jc_fun_info_calls : fun_info list;
	mutable jc_fun_info_component : int;
	mutable jc_fun_info_logic_apps : logic_info list;
	mutable jc_fun_info_effects : fun_effect;
      }
  end =
struct
  type effect =
      {
	jc_effect_alloc_tables: LogicLabelSet.t AllocMap.t;
	jc_effect_tag_tables: LogicLabelSet.t TagMap.t;
	jc_effect_raw_memories: LogicLabelSet.t MemoryMap.t;
	jc_effect_precise_memories: LogicLabelSet.t LocationMap.t;
	jc_effect_memories: LogicLabelSet.t MemoryMap.t;
	jc_effect_globals: LogicLabelSet.t VarMap.t;
	jc_effect_locals: LogicLabelSet.t VarMap.t;
	jc_effect_mutable: StringSet.t;
	jc_effect_committed: StringSet.t;
      }

  type fun_effect =
      {
	jc_reads : effect;
	jc_writes : effect;
	jc_raises : ExceptionSet.t;
      }

  type logic_info =
      {
	jc_logic_info_tag : int;
	jc_logic_info_name : string;
	mutable jc_logic_info_final_name : string;
	mutable jc_logic_info_result_type : jc_type option;
        (*r None for predicates *)
	mutable jc_logic_info_result_region : region;
        mutable jc_logic_info_poly_args : type_var_info list;
	mutable jc_logic_info_parameters : var_info list;
	mutable jc_logic_info_param_regions : region list;
	mutable jc_logic_info_effects : effect;
	mutable jc_logic_info_calls : logic_info list;
(* obsolete
	mutable jc_logic_info_is_recursive : bool;
*)
	mutable jc_logic_info_axiomatic : string option;
	mutable jc_logic_info_labels : label list;
      }

  type builtin_treatment =
    | TreatNothing
    | TreatGenFloat of float_format

  type fun_info = 
      {
	jc_fun_info_tag : int;
	jc_fun_info_name : string;
	mutable jc_fun_info_final_name : string;
	mutable jc_fun_info_builtin_treatment : builtin_treatment; 
	jc_fun_info_result : var_info;
	jc_fun_info_return_region : region;
	mutable jc_fun_info_has_return_label : bool;
	mutable jc_fun_info_parameters : (bool * var_info) list;
	mutable jc_fun_info_param_regions : region list;
	mutable jc_fun_info_calls : fun_info list;
	mutable jc_fun_info_component : int;
	mutable jc_fun_info_logic_apps : logic_info list;
	mutable jc_fun_info_effects : fun_effect;
      }
end

include Effect

type app = logic_info Jc_ast.app
type term_node = logic_info Jc_ast.term_node
type term = logic_info Jc_ast.term
type tag_node = logic_info Jc_ast.tag_node
type tag = logic_info Jc_ast.tag
type location_set_node = logic_info Jc_ast.location_set_node
type location_set = logic_info Jc_ast.location_set
type location_node = logic_info Jc_ast.location_node
type location = logic_info Jc_ast.location
type assertion = logic_info Jc_ast.assertion
type assertion_node = logic_info Jc_ast.assertion_node
type term_or_assertion = logic_info Jc_ast.term_or_assertion
type loop_annot = logic_info Jc_ast.loop_annot
type behavior = logic_info Jc_ast.behavior
type fun_spec = logic_info Jc_ast.fun_spec

type expr_node = (logic_info,fun_info) Jc_ast.expr_node
type expr = (logic_info,fun_info) Jc_ast.expr
type callee = (logic_info,fun_info) Jc_ast.callee
type call = (logic_info,fun_info) Jc_ast.call

(*
  Local Variables: 
  compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
  End: 
*)
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_output.ml����������������������������������������������������������������������������0000644�0001750�0001750�00000062077�12311670312�013573� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format
open Jc_env
open Jc_ast
open Jc_fenv
open Jc_pervasives
open Jc_constructors
open Jc_output_misc
open Pp

type jc_decl =
  | JCfun_def of jc_type * string * (bool * var_info) list *
      fun_spec * expr option
  | JCenum_type_def of string * Num.num * Num.num
  | JCvariant_type_def of string * string list
  | JCunion_type_def of string * string list
  | JCstruct_def of string * string option * field_info list *
      (string * var_info * assertion) list
  | JCrec_struct_defs of jc_decl list
      (* deprecated, all tag definitions of a file are mutually recursive *)
  | JCrec_fun_defs of jc_decl list
  | JCvar_def of jc_type * string * expr option
  | JClemma_def of string * bool * type_var_info list * label list * assertion
  | JClogic_fun_def of jc_type option * string * type_var_info list * label list 
      * var_info list * term_or_assertion      
  | JCexception_def of string * exception_info
  | JCglobinv_def of string * assertion
  | JClogic_const_def of jc_type * string * type_var_info list * term option
  | JClogic_type_def of string * type_var_info list
  | JCinvariant_policy of Jc_env.inv_sem
  | JCseparation_policy of Jc_env.separation_sem
  | JCannotation_policy of Jc_env.annotation_sem
  | JCabstract_domain of Jc_env.abstract_domain 
  | JCint_model of Jc_env.int_model      
  | JCfloat_rounding_mode of Jc_env.float_rounding_mode      
  | JCfloat_model of Jc_env.float_model 
  | JCfloat_instruction_set of string
  | JCtermination_policy of Jc_env.termination_policy

(*
let lbin_op op =
  if op == Jc_pervasives.ge_int then ">=" else
  if op == Jc_pervasives.le_int then "<=" else
  if op == Jc_pervasives.gt_int then ">" else
  if op == Jc_pervasives.lt_int then "<" else
  if op == Jc_pervasives.eq then "==" else
  if op == Jc_pervasives.neq then "!=" else
  if op == Jc_pervasives.add_int then "+" else
  if op == Jc_pervasives.sub_int then "-" else
  if op == Jc_pervasives.mul_int then "*" else
  if op == Jc_pervasives.div_int then "/" else
  if op == Jc_pervasives.mod_int then "%" else
  if op == Jc_pervasives.shift then "+" else
  raise Not_found
*)

let identifier fmt id =
  fprintf fmt "%s" id#name

let type_var_info fmt x = fprintf fmt "%s" (Jc_type_var.uname x)

let bin_op (op, _) = match op with
  | `Blt -> "<"
  | `Bgt -> ">"
  | `Ble -> "<="
  | `Bge -> ">="
  | `Beq -> "=="
  | `Bneq -> "!="
  | `Badd -> "+"
  | `Bsub -> "-"
  | `Bmul -> "*"
  | `Bdiv -> "/"
  | `Bmod -> "%"
  | `Bland -> "&&"
  | `Blor -> "||"
  | `Bimplies -> "==>"
  | `Biff -> "<==>"
  | `Bbw_and -> "&"
  | `Bbw_or -> "|"
  | `Bbw_xor -> "^"
  | `Blogical_shift_right -> ">>"
  | `Barith_shift_right -> ">>>"
  | `Bshift_left -> "<<"
  | `Bconcat -> "@"

let unary_op (op, _) = match op with
  | `Uminus -> "-"
  | `Unot -> "!"
  | `Ubw_not -> "~"

let real_conversion fmt rc =
  match rc with
    | Integer_to_real -> fprintf fmt "real"
    | Double_to_real -> fprintf fmt "double_value"
    | Float_to_real -> fprintf fmt "single_value"
    | Round(_f,_m) -> (* fprintf fmt "r_to_s" ou "r_to_" *)
         (* TODO ? parameter rounding mode *)
	assert false

let rec pattern fmt p =
  match p#node with
    | JCPstruct(st, lbls) ->
	fprintf fmt "@[<hv 2>%s{@ " st.jc_struct_info_name;
	List.iter
	  (fun (lbl, pat) ->
	     fprintf fmt "%s = %a;@ " lbl.jc_field_info_name pattern pat)
	  lbls;
	fprintf fmt "}@]"
    | JCPvar vi ->
	fprintf fmt "%s" vi.jc_var_info_name
    | JCPor(p1, p2) ->
	fprintf fmt "(%a)@ | (%a)" pattern p1 pattern p2
    | JCPas(pat, vi) ->
	fprintf fmt "(%a as %s)" pattern pat vi.jc_var_info_name
    | JCPany ->
	fprintf fmt "_"
    | JCPconst c ->
	fprintf fmt "%a" const c

let rec term fmt t =
  if t#mark <> "" then
    fprintf fmt "@[(%s : %a)@]" 
      t#mark term (new term_with ~mark:"" t)
  else
  match t#node with
    | JCTvar vi -> fprintf fmt "%s" vi.jc_var_info_name
    | JCTbinary(t1,op,t2) ->
	fprintf fmt "@[(%a %s %a)@]" term t1 (bin_op op) term t2
    | JCTunary(op,t1) ->
	fprintf fmt "@[(%s %a)@]" (unary_op op) term t1
    | JCTif (t1,t2,t3) -> 
	fprintf fmt "@[(%a ? %a : %a)@]" term t1 term t2 term t3
    | JCTlet (vi,t1,t2) -> 
	fprintf fmt "@[(let %s = %a in %a)@]" 
          vi.jc_var_info_name term t1 term t2 
    | JCTcast (t, _, si)
    | JCTbitwise_cast (t, _, si) ->
	fprintf fmt "(%a :> %s)" term t si.jc_struct_info_name
    | JCTrange_cast (t, ei) ->
	fprintf fmt "(%a :> %s)" term t ei.jc_enum_info_name
    | JCTreal_cast (t, rc) ->
	fprintf fmt "(%a :> %a)" term t real_conversion rc
    | JCTinstanceof (t, _, si) ->
	fprintf fmt "(%a <: %s)" term t si.jc_struct_info_name
    | JCToffset (k,t,_)->
	fprintf fmt "@[\\offset_m%a(%a)@]" offset_kind k term t
    | JCTaddress(absolute,t) ->
	fprintf fmt "@[\\%aaddress(%a)@]" address_kind absolute term t
    | JCTbase_block (t)->
	fprintf fmt "@[\\base_block(%a)@]" term t
    | JCTold t -> fprintf fmt "@[\\old(%a)@]" term t
    | JCTat(t,lab) -> fprintf fmt "@[\\at(%a,%a)@]" term t label lab
(*
    | JCTapp app when List.length app.jc_app_args = 1 ->
	let op = app.jc_app_fun in
	let t1 = List.hd app.jc_app_args in
	begin try 
	  ignore 
	    (Hashtbl.find Jc_typing.enum_conversion_logic_functions_table op);
	  (* conversion due to enumeration. Ignore it. *)
	  term fmt t1
	with Not_found ->
	  fprintf fmt "%s(@[%a@])" op.jc_logic_info_name term t1
	end
    | JCTapp app when List.length app.jc_app_args = 2 ->
	let op = app.jc_app_fun in
	let l = app.jc_app_args in
	  begin try
	  let s = lbin_op op in
	  fprintf fmt "@[(%a %s %a)@]" term t1 s term t2
	with Not_found ->
	  fprintf fmt "@[%s(%a)@]" op.jc_logic_info_name
	    (print_list comma term) l 
	end
*)
    | JCTapp app ->
	let op = app.jc_app_fun and l = app.jc_app_args in
	fprintf fmt "%s(@[%a@])" op.jc_logic_info_name
	  (print_list comma term) l 
    | JCTderef (t, _label, fi)-> 
	fprintf fmt "@[%a.%s@]" term t fi.jc_field_info_name	
    | JCTshift (t1, t2) -> 
	fprintf fmt "@[(%a + %a)@]" term t1 term t2
    | JCTconst c -> const fmt c
    | JCTrange (t1,t2) -> 
	fprintf fmt "@[[%a..%a]@]" (print_option term) t1 (print_option term) t2
    | JCTmatch (t, ptl) ->
	fprintf fmt "@[<v 2>match %a with@ " term t;
	List.iter
	  (fun (p, t) -> fprintf fmt "  @[<v 2>%a ->@ %a;@]@ "
	     pattern p term t) ptl;
	fprintf fmt "end@]"

let quantifier = Jc_poutput.quantifier

let rec assertion fmt a =
  if a#mark <> "" then
    fprintf fmt "@[(%s : %a)@]" 
      (a#mark) assertion
      (new assertion_with ~mark:"" a)
  else
  match a#node with
    | JCAtrue -> fprintf fmt "true"
    | JCAif (t, a1, a2) ->
	fprintf fmt "@[(%a ? %a : %a)@]" term t assertion a1 assertion a2
    | JCAbool_term t -> term fmt t
    | JCAinstanceof (t, _lab, st) ->
	fprintf fmt "(%a <: %s)" term t st.jc_struct_info_name
    | JCAfresh t -> fprintf fmt "\\fresh(%a)" term t
    | JCAold a -> fprintf fmt "\\old(%a)" assertion a
    | JCAat(a,lab) -> fprintf fmt "\\at(%a,%a)" assertion a label lab
    | JCAquantifier (q,vi, trigs, a)-> 
	fprintf fmt "@[(\\%a %a %s%a;@\n%a)@]"
	  quantifier q
	  print_type vi.jc_var_info_type
	  vi.jc_var_info_name
          triggers trigs
	  assertion a
    | JCArelation (t1, op, t2) ->
	fprintf fmt "@[(%a %s %a)@]" term t1 (bin_op op) term t2
    | JCAapp app ->
	 fprintf fmt "@[%s(%a)@]" app.jc_app_fun.jc_logic_info_name
	      (print_list comma term) app.jc_app_args 
    | JCAnot a1 ->
	fprintf fmt "@[(!@ %a)@]" assertion a1
    | JCAiff (a1, a2)-> 
	fprintf fmt "@[(%a <==>@ %a)@]" assertion a1 assertion a2
    | JCAimplies (a1, a2)-> 
	fprintf fmt "@[(%a ==>@ %a)@]" assertion a1 assertion a2
    | JCAor [] -> assert false
    | JCAor (a::l) -> 
	fprintf fmt "@[(%a" assertion a;
	List.iter
	  (fun a -> fprintf fmt " ||@ %a" assertion a)
	  l;
	fprintf fmt ")@]"
    | JCAand [] -> assert false
    | JCAand (a::l) -> 
	fprintf fmt "@[(%a" assertion a;
	List.iter
	  (fun a -> fprintf fmt " &&@ %a" assertion a)
	  l;
	fprintf fmt ")@]"
    | JCAfalse -> fprintf fmt "false"
    | JCAmutable _ -> 
        fprintf fmt "mutable(TODO)"
    | JCAeqtype _ -> assert false (* TODO *)
    | JCAsubtype _ -> assert false (* TODO *)
    | JCAlet (vi, t, p) ->
	fprintf fmt "@[<v 2>let %s =@ %a in@ %a@]" vi.jc_var_info_name
          term t
	  assertion p
    | JCAmatch (t, pal) ->
	fprintf fmt "@[<v 2>match %a with@ " term t;
	List.iter
	  (fun (p, a) -> fprintf fmt "  @[<v 2>%a ->@ %a;@]@ "
	     pattern p assertion a) pal;
	fprintf fmt "end@]"

and triggers fmt trigs = 
  let pat fmt = function
  | JCAPatT t -> term fmt t
  | JCAPatP p -> assertion fmt p in
  print_list_delim lsquare rsquare alt (print_list comma pat) fmt trigs	


let rec location_set fmt locs = 
  match locs#node with
    | JCLSvar vi-> 
	fprintf fmt "%s" vi.jc_var_info_name
    | JCLSderef (locs, _, fi, _) ->
	fprintf fmt "%a.%s" location_set locs fi.jc_field_info_name
    | JCLSrange (locset, t1, t2) ->
	fprintf fmt "(%a + [%a..%a])" location_set locset 
	  (print_option term) t1 (print_option term) t2
    | JCLSrange_term (locset, t1, t2) ->
	fprintf fmt "(%a + [%a..%a])" term locset 
	  (print_option term) t1 (print_option term) t2
    | JCLSat(locset,lab) ->
	fprintf fmt "\\at(%a, %a)" location_set locset label lab

let rec location fmt loc = 
  match loc#node with
    | JCLvar vi -> 
	fprintf fmt "%s" vi.jc_var_info_name
    | JCLderef (locs, _, fi,_) ->
	fprintf fmt "%a.%s" location_set locs fi.jc_field_info_name
    | JCLderef_term (t1, fi) ->
	fprintf fmt "%a.%s" term t1 fi.jc_field_info_name
    | JCLat (loc, lab) ->
	fprintf fmt "\\at(%a,%a)" location loc label lab

let behavior fmt (_loc,id,b) =
  fprintf fmt "@\n@[<v 2>behavior %s:" id;
  Option_misc.iter
    (fun a -> fprintf fmt "@\nassumes %a;" assertion a) 
    b.jc_behavior_assumes;
  Option_misc.iter
  (fun a -> fprintf fmt "@\nthrows %s;" a.jc_exception_info_name) 
    b.jc_behavior_throws;    
  Option_misc.iter 
    (fun (_,locs) -> fprintf fmt "@\nassigns %a;" 
       (print_list_or_default "\\nothing" comma location) locs)
    b.jc_behavior_assigns;
  fprintf fmt "@\nensures %a;@]" assertion b.jc_behavior_ensures
  
let print_spec fmt s =
  fprintf fmt "@\n@[<v 2>  requires @[%a@];" assertion s.jc_fun_requires;
  Option_misc.iter 
    (fun (t,r) -> match r with
       | None -> fprintf fmt "@\n@[<v 2>  decreases @[%a@];" term t
       | Some li -> fprintf fmt "@\n@[<v 2>  decreases @[%a@] for %s;" 
	   term t li.jc_logic_info_name) 
    s.jc_fun_decreases;
  List.iter (behavior fmt) (s.jc_fun_default_behavior :: s.jc_fun_behavior);
  fprintf fmt "@]"

let call_bin_op _op =
(*
  if op == Jc_pervasives.shift_ then "+" else
*)
  raise Not_found

let rec expr fmt e =
  if e#mark <> "" then
    fprintf fmt "@[(%s : %a)@]" 
      e#mark expr (new expr_with ~mark:"" e)
  else
    match e#node with
      | JCEconst c -> const fmt c
      | JCEvar vi -> 
	  fprintf fmt "%s" vi.jc_var_info_name
      | JCEderef(e, fi) -> 
	  fprintf fmt "%a.%s" expr e fi.jc_field_info_name 
      | JCEbinary(e1, op, e2) ->
	  fprintf fmt "@[(%a %s %a)@]" expr e1 (bin_op op) expr e2
      | JCEunary(op,e1) ->
	  fprintf fmt "@[(%s %a)@]" (unary_op op) expr e1
      | JCEassign_var(v, e) -> 
	  fprintf fmt "(%s = %a)" v.jc_var_info_name expr e
      | JCEassign_heap(e1, fi, e2) -> 
	  fprintf fmt "%a.%s = %a" expr e1 fi.jc_field_info_name expr e2
      | JCEinstanceof(e, si) ->
	  fprintf fmt "(%a <: %s)" expr e si.jc_struct_info_name
      | JCEcast(e, si)
      | JCEbitwise_cast(e, si) ->
	  fprintf fmt "(%a :> %s)" expr e si.jc_struct_info_name
      | JCErange_cast(e, ri) ->
	  fprintf fmt "(%a :> %s)" expr e ri.jc_enum_info_name
      | JCEreal_cast(e, rc) ->
	  fprintf fmt "(%a :> %a)" expr e real_conversion rc
      | JCEif(e1,e2,e3) -> 
	  fprintf fmt "@[(%a ? %a : %a)@]" expr e1 expr e2 expr e3
      | JCEoffset(k,e, _) ->
	  fprintf fmt "\\offset_m%a(%a)" offset_kind k expr e
      | JCEaddress(absolute,e) ->
	  fprintf fmt "\\%aaddress(%a)" address_kind absolute expr e
      | JCEbase_block(e) ->
	  fprintf fmt "\\base_block(%a)" expr e
      | JCEfresh(e) ->
	  fprintf fmt "\\fresh(%a)" expr e
      | JCEalloc(e, si) ->
	  fprintf fmt "(new %s[%a])" si.jc_struct_info_name expr e
      | JCEfree e ->
	  fprintf fmt "(free(%a))" expr e
      | JCElet(vi,Some e1,e2) -> 
	  fprintf fmt "@[(let %s =@ %a@ in %a)@]" 
	    vi.jc_var_info_name expr e1 expr e2
      | JCElet(vi,None,e2) -> 
	  fprintf fmt "@[%a %s; %a@]"  
	    print_type vi.jc_var_info_type vi.jc_var_info_name expr e2
      | JCEassert(behav,asrt,a) -> 
	  fprintf fmt "@\n%a %a%a;" 
	    asrt_kind asrt
	    (print_list_delim 
	       (constant_string "for ") (constant_string ": ") 
	       comma identifier)
	    behav
	    assertion a
      | JCEcontract(_req,_dec,_vi_result,_behs,_e) ->
	  assert false (* TODO *)
      | JCEblock l ->
          block fmt l
      | JCEreturn_void ->
	  fprintf fmt "@\nreturn;"
      | JCEreturn(_, e) ->
	  fprintf fmt "@\nreturn %a;" expr e
      | JCEtry(s, hl, fs) ->
	  fprintf fmt
	    "@\n@[<v 2>try %a@]%a@\n@[<v 2>finally%a@]"
	    expr s
	    (print_list nothing handler) hl
	    expr fs
      | JCEthrow(ei, eo) ->
	  fprintf fmt "@\nthrow %s %a;"
	    ei.jc_exception_info_name
	    (print_option_or_default "()" expr) eo
      | JCEpack _ ->
          fprintf fmt "pack(TODO)"
      | JCEunpack _ ->
          fprintf fmt "unpack(TODO)"
      | JCEmatch(e, pel) ->
	  fprintf fmt "@[<v 2>match %a with@ " expr e;
	  List.iter
	    (fun (p, e) -> fprintf fmt "  @[<v 2>%a ->@ %a;@]@ "
	       pattern p expr e) pel;
	  fprintf fmt "end@]"
      | JCEshift(e1, e2) -> 
	  fprintf fmt "@[(%a + %a)@]" expr e1 expr e2
      | JCEloop(la, e) ->
          fprintf fmt "@\n@[%a%a@\nwhile (true)%a@]"
	  (print_list nothing loop_behavior) 
(*
	     (fun fmt (behav,inv) -> fprintf fmt "@\ninvariant %a%a;"
		(print_list_delim 
		   (constant_string "for ") (constant_string ": ") 
		   comma string)
		behav
		assertion inv))
*)
	    la.jc_loop_behaviors
            (print_option 
               (fun fmt (t,r) -> 
                  match r with
                    | None -> fprintf fmt "@\nvariant %a;" term t
                    | Some r -> fprintf fmt "@\nvariant %a for %s;" term t
                        r.jc_logic_info_name
               ))
            la.jc_loop_variant
            expr e
      | JCEapp{ jc_call_fun = (JClogic_fun{ jc_logic_info_final_name = name }
                | JCfun{ jc_fun_info_final_name = name });
                jc_call_args = args } ->
          fprintf fmt "@[%s(%a)@]" name
            (print_list comma expr) args
	
and loop_behavior fmt (ids,inv,ass) =        
  fprintf fmt "@\n@[<v 2>behavior %a:@\n"
    (print_list comma (fun fmt id -> fprintf fmt "%s" id#name)) ids;
  Option_misc.iter
    (fun i -> fprintf fmt "invariant %a;" assertion i) inv;
  Option_misc.iter 
    (fun locs -> fprintf fmt "@\nassigns %a;" 
       (print_list_or_default "\\nothing" comma location) locs)
    ass;
  fprintf fmt "@]"

and case fmt (c,sl) =
  let onecase fmt = function
    | Some c ->
	fprintf fmt "@\ncase %a:" expr c
    | None ->
	fprintf fmt "@\ndefault:"
  in
  fprintf fmt "%a%a" (print_list nothing onecase) c block sl

and handler fmt (ei,vio,s) =
  fprintf fmt "@\n@[<v 2>catch %s %a %a@]"
    ei.jc_exception_info_name 
    (print_option_or_default "__dummy"
      (fun fmt vi -> fprintf fmt "%s" vi.jc_var_info_name)) vio
    expr s

and statements fmt l = List.iter (expr fmt) l

and block fmt b =
  fprintf fmt "@\n@[<v 0>{@[<v 2>  ";
  statements fmt b;
  fprintf fmt "@]@\n}@]"


let param fmt vi =
  fprintf fmt "%a %s" print_type vi.jc_var_info_type vi.jc_var_info_name

let fun_param fmt (valid,vi) =
  fprintf fmt "%s%a %s" 
    (if valid then "" else "!")
    print_type vi.jc_var_info_type vi.jc_var_info_name

let field fmt fi =
  fprintf fmt "@\n";
  if fi.jc_field_info_rep then
    fprintf fmt "rep ";
  fprintf fmt "%a %s" 
    print_type fi.jc_field_info_type fi.jc_field_info_name;
  match fi.jc_field_info_bitsize with
    | Some bitsize ->
	fprintf fmt ": %d;" bitsize
    | None -> 
	fprintf fmt ";"

let invariant fmt (id, vi, a) =
  fprintf fmt "@\n@[invariant %s(%s) =@ %a;@]"
    id vi.jc_var_info_name assertion a

let term_or_assertion fmt = function
  | JCAssertion a -> 
      fprintf fmt "=@\n%a" assertion a
  | JCTerm t ->
      fprintf fmt "=@\n%a" term t
  | JCNone -> 
      fprintf fmt ";"
  | JCReads [] -> 
      fprintf fmt "reads \\nothing;"
  | JCReads locs -> 
      fprintf fmt "reads %a;" (print_list comma location) locs
  | JCInductive l ->
      fprintf fmt "{@\n@[<v 2>%a@]@\n}" 
	(print_list newline 
	   (fun fmt (id,labels,e) -> 
	      fprintf fmt "case %s" id#name ;
	      if labels <> [] then
		fprintf fmt "%a" 
		  (print_list_delim lbrace rbrace comma label) labels;	      
	      fprintf fmt ": %a;@\n" 
		assertion e)) l

  

let print_super fmt = function
  | None -> ()
  | Some id -> fprintf fmt "%s with " id

(*
let string_of_invariant_policy p =
  match p with
    | Jc_env.InvNone -> "None"
    | Jc_env.InvArguments -> "Arguments"
    | Jc_env.InvOwnership -> "Ownership"

let string_of_separation_policy p =
  match p with
    | Jc_env.SepNone -> "None"
    | Jc_env.SepRegions -> "Regions"

let string_of_annotation_policy p =
  match p with
    | Jc_env.AnnotNone -> "None"
    | Jc_env.AnnotInvariants -> "Invariants"
    | Jc_env.AnnotElimPre -> "ElimPre"
    | Jc_env.AnnotStrongPre -> "StrongPre"
    | Jc_env.AnnotWeakPre -> "WeakPre"
 
let string_of_abstract_domain p =
  match p with
    | Jc_env.AbsNone -> "None"
    | Jc_env.AbsBox -> "Box"
    | Jc_env.AbsOct -> "Oct"
    | Jc_env.AbsPol -> "Pol"

let string_of_int_model p =
  match p with
    | Jc_env.IMbounded -> "bounded"
    | Jc_env.IMmodulo -> "modulo"
*)

let string_of_float_rounding_mode p =
  match p with
    | Jc_env.FRMNearestEven -> "nearesteven"
    | Jc_env.FRMDown -> "down"
    | Jc_env.FRMUp -> "up"
    | Jc_env.FRMToZero -> "tozero"
    | Jc_env.FRMNearestAway -> "nearestaway"

let string_of_float_model p =
  match p with
    | Jc_env.FMmath -> "math"
    | Jc_env.FMdefensive -> "defensive"
    | Jc_env.FMfull-> "full"
    | Jc_env.FMmultirounding-> "multirounding"

let rec print_decl fmt d =
  match d with
    | JCinvariant_policy p ->
        fprintf fmt "# InvariantPolicy = %s@\n" (string_of_invariant_policy p)  
    | JCseparation_policy p ->
        fprintf fmt "# SeparationPolicy = %s@\n" (string_of_separation_policy p)
    | JCannotation_policy p ->
        fprintf fmt "# AnnotationPolicy = %s@\n" (string_of_annotation_policy p)
    | JCtermination_policy p ->
        fprintf fmt "# TerminationPolicy = %s@\n" (string_of_termination_policy p)
    | JCabstract_domain p ->
        fprintf fmt "# AbstractDomain = %s@\n" (string_of_abstract_domain p)
    | JCint_model p ->
        fprintf fmt "# IntModel = %s@\n" (string_of_int_model p)
    | JCfloat_model p ->
        fprintf fmt "# FloatModel = %s@\n" (string_of_float_model p)
    | JCfloat_rounding_mode p ->
        fprintf fmt "# FloatRoundingMode = %s@\n" (string_of_float_rounding_mode p)
    | JCfloat_instruction_set p ->
        fprintf fmt "# FloatInstructionSet = %s@\n" p
    | JCfun_def(ty,id,params,spec,body) ->
	fprintf fmt "@\n@[%a %s(@[%a@])%a%a@]@." print_type ty id
	  (print_list comma fun_param) params 
	  print_spec spec 
	  (print_option_or_default "\n;" expr) body
    | JCenum_type_def(id,min,max) ->
	fprintf fmt "@\n@[type %s = %s..%s@]@."
	  id (Num.string_of_num min) (Num.string_of_num max)
    | JCvariant_type_def(id, tags) ->
	fprintf fmt "@\n@[type %s = [" id;
	print_list
	  (fun fmt () -> fprintf fmt " | ")
	  (fun fmt tag -> fprintf fmt "%s" tag)
	  fmt tags;
	fprintf fmt "]@]@."
    | JCunion_type_def(id, tags) ->
	fprintf fmt "@\n@[type %s = [" id;
	print_list
	  (fun fmt () -> fprintf fmt " & ")
	  (fun fmt tag -> fprintf fmt "%s" tag)
	  fmt tags;
	fprintf fmt "]@]@."
    | JCstruct_def (id, extends, fields, invs) ->
	fprintf fmt "@\n@[<v 2>tag %s = %a{%a%a@]@\n}@."
	  id print_super extends (print_list space field) fields 
	  (print_list space invariant) invs
    | JCrec_struct_defs dlist | JCrec_fun_defs dlist ->
	print_list (fun _fmt () -> ()(*fprintf fmt "@\nand"*))
	  print_decl fmt dlist
    | JCvar_def(ty,id,init) ->
	fprintf fmt "@\n@[%a %s%a;@]@." print_type ty id
	  (print_option (fun fmt e -> fprintf fmt " = %a" expr e)) init
    | JClemma_def(id,is_axiom,poly_args,lab,a) ->
	fprintf fmt "@\n@[%s %s%a%a :@\n%a@]@." 
          (if is_axiom then "axiom" else "lemma") id
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
          (print_list_delim lbrace rbrace comma label) lab
          assertion a
    | JCglobinv_def(id,a) ->
	fprintf fmt "@\n@[invariant %s :@\n%a@]@." id assertion a
    | JCexception_def(id,ei) ->
	fprintf fmt "@\n@[exception %s of %a@]@." id
	  (print_option_or_default "unit" print_type)
	  ei.jc_exception_info_type
    | JClogic_const_def(ty,id,poly_args,None) ->
	fprintf fmt "@\n@[logic %a %s%a@]@." print_type ty id 
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
          
    | JClogic_const_def(ty,id,poly_args,Some t) ->
	fprintf fmt "@\n@[logic %a %s%a = %a@]@." print_type ty id
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
	  term t
    | JClogic_fun_def(None,id,poly_args,labels,[],JCReads l) ->
	assert (l=[]);
	assert (labels=[]);
	fprintf fmt "@\n@[predicate %s@[%a@]@]@." 
	  id
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
    | JClogic_fun_def(Some ty,id,poly_args,labels,[],JCReads l) ->
	assert (l=[]);
	assert (labels=[]);
	fprintf fmt "@\n@[logic %a %s@[%a@]@]@." 
	  print_type ty id
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
(* Yannick: no need for different rule for const logic *)
(*     | JClogic_fun_def(ty,id,labels,[],JCTerm t) -> *)
(* 	assert (labels=[]); *)
(* 	fprintf fmt "@\n@[logic %a %s = %a@]@."  *)
(* 	  (print_option print_type) ty id term t *)
(*    | JClogic_fun_def(ty,id,poly_args,[],params,body) ->
	fprintf fmt "@\n@[logic %a %s@[%a@](@[%a@]) %a@]@." 
	  (print_option print_type) ty id 
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
          (print_list comma param) params
	  term_or_assertion body *)
    | JClogic_fun_def (None, id, poly_args, labels, params, body) ->
	fprintf fmt "@\n@[predicate %s%a%a(@[%a@]) %a@]@." 
	  id 
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
          (print_list_delim lbrace rbrace comma label) labels
	  (print_list comma param) params
	  term_or_assertion body 
    | JClogic_fun_def (Some ty, id, poly_args, labels, params, body) ->
	fprintf fmt "@\n@[logic %a %s%a%a(@[%a@]) %a@]@." 
	  print_type ty id
          (print_list_delim lchevron rchevron comma type_var_info) poly_args
          (print_list_delim lbrace rbrace comma label) labels
	  (print_list comma param) params
	  term_or_assertion body 
    | JClogic_type_def (id,args) ->
	fprintf fmt "@\n@[logic type %s%a@]@." id
          (print_list_delim lchevron rchevron comma type_var_info) args
   
let rec print_decls fmt d =
  match d with
    | [] -> ()
    | d::r -> print_decl fmt d; print_decls fmt r


(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte bin/krakatoa.byte"
End: 
*)
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_name.ml������������������������������������������������������������������������������0000644�0001750�0001750�00000017160�12311670312�013144� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_env
open Jc_ast
open Jc_region
open Jc_pervasives
open Output

let alloc_table_type_name = "alloc_table"
let tag_table_type_name = "tag_table"
let pointer_type_name = "pointer"
let pset_type_name = "pset"
let memory_type_name = "memory"
let tag_id_type_name = "tag_id"
let bitvector_type_name = "bitvector"

let simple_logic_type s =
  { logic_type_name = s; logic_type_args = [] }

let root_type_name vi = vi.jc_root_info_name

let struct_type_name st = root_type_name (struct_root st)

let pointer_class_type_name = function
  | JCtag(st, _) -> struct_type_name st
  | JCroot vi -> root_type_name vi

let alloc_class_name = function
  | JCalloc_root vi -> root_type_name vi
  | JCalloc_bitvector -> bitvector_type_name

let memory_class_name = function
  | JCmem_field fi -> fi.jc_field_info_final_name
  | JCmem_plain_union vi -> root_type_name vi
  | JCmem_bitvector -> bitvector_type_name

let variant_alloc_table_name vi = vi.jc_root_info_name ^ "_alloc_table"

let variant_tag_table_name vi = vi.jc_root_info_name ^ "_tag_table"

let variant_axiom_on_tags_name vi = vi.jc_root_info_name ^ "_tags"

let axiom_int_of_tag_name st = st.jc_struct_info_name ^ "_int"

let tag_name st = st.jc_struct_info_name ^ "_tag"

let of_pointer_address_name vi = 
  vi.jc_root_info_name ^ "_of_pointer_address"

let generic_tag_table_name vi =
  (root_type_name vi) ^ "_tag_table"

let tag_table_name (vi,r) =
  if !Jc_common_options.separation_sem = SepRegions && not (is_dummy_region r) 
  then 
    (root_type_name vi) ^ "_" ^ (Region.name r) ^ "_tag_table"
  else
    (root_type_name vi) ^ "_tag_table"

let generic_alloc_table_name ac =
  (alloc_class_name ac) ^ "_alloc_table"

let alloc_table_name (ac,r) = 
  if !Jc_common_options.separation_sem = SepRegions && not (is_dummy_region r) 
  then 
    (alloc_class_name ac) ^ "_" ^ (Region.name r) ^ "_alloc_table"
  else
    (alloc_class_name ac) ^ "_alloc_table"

let field_memory_name fi = 
  let rt = struct_root fi.jc_field_info_struct in
  if root_is_plain_union rt then
    rt.jc_root_info_name ^ "_fields"
  else
    fi.jc_field_info_final_name

let field_region_memory_name (fi,r) = 
  if !Jc_common_options.separation_sem = SepRegions && not (is_dummy_region r) 
  then 
    (field_memory_name fi) ^ "_" ^ (Region.name r)
  else field_memory_name fi

let union_memory_name vi =
  vi.jc_root_info_name ^ "_fields"

let union_region_memory_name (vi,r) = 
  if !Jc_common_options.separation_sem = SepRegions && not (is_dummy_region r) 
  then 
    (union_memory_name vi) ^ "_" ^ (Region.name r)
  else union_memory_name vi

let bitvector_region_memory_name r = 
  if !Jc_common_options.separation_sem = SepRegions && not (is_dummy_region r) 
  then 
    bitvector_type_name ^ "_" ^ (Region.name r)
  else bitvector_type_name

let union_memory_type_name vi = 
  vi.jc_root_info_name ^ "_union"

let generic_memory_name mc =
  memory_class_name mc

let memory_name (mc,r) =
  match mc with
    | JCmem_field fi -> field_region_memory_name (fi,r)
    | JCmem_plain_union vi -> union_region_memory_name (vi,r)
    | JCmem_bitvector -> bitvector_region_memory_name r

let pointer_class_name = function
  | JCtag(st, _) -> 
      if struct_of_union st then
	"root_" ^ (struct_root st).jc_root_info_name
      else
	"struct_" ^ st.jc_struct_info_name
  | JCroot vi -> "root_" ^ vi.jc_root_info_name

let valid_pred_name ~equal ~left ~right ac pc = 
  let prefix = match ac with
    | JCalloc_root _ -> 
	if equal then "strict_valid" else 
	  begin match left, right with
	    | false, false -> assert false
	    | false, true -> "right_valid"
	    | true, false -> "left_valid"
	    | true, true -> "valid"
	  end
    | JCalloc_bitvector -> "valid_bitvector" (* TODO ? *)
  in
  prefix ^ "_" ^ (pointer_class_name pc)

let alloc_param_name ~check_size ac pc = 
  let prefix = match ac with
    | JCalloc_root _ -> "alloc"
    | JCalloc_bitvector -> "alloc_bitvector"
  in
  let n = prefix ^ "_" ^ (pointer_class_name pc) in
  if check_size then n ^ "_requires" else n

let alloc_bitvector_logic_name pc =
  (pointer_class_name pc) ^ "_alloc_bitvector"

let mem_bitvector_logic_name pc =
  (pointer_class_name pc) ^ "_mem_bitvector"

let alloc_of_bitvector_param_name pc = 
  (pointer_class_name pc) ^ "_alloc_of_bitvector"

let mem_of_bitvector_param_name pc = 
  (pointer_class_name pc) ^ "_mem_of_bitvector"

let alloc_to_bitvector_param_name pc = 
  (pointer_class_name pc) ^ "_alloc_to_bitvector"

let mem_to_bitvector_param_name pc = 
  (pointer_class_name pc) ^ "_mem_to_bitvector"

let jessie_return_variable = "return"
let jessie_return_exception = "Return"

let exception_name ei =
  ei.jc_exception_info_name ^ "_exc"

let mutable_name pc =
  "mutable_"^(pointer_class_type_name pc)

let committed_name pc =
  "committed_"^(pointer_class_type_name pc)

let fully_packed_name st =
  "fully_packed_"^(root_name st)

let hierarchy_invariant_name st =
  "global_invariant_"^(root_name st)

let pack_name st =
  "pack_"^(root_name st)

let unpack_name st =
  "unpack_"^(root_name st)

let fully_packed_name = "fully_packed"

let unique_name =
  let unique_names = Hashtbl.create 127 in
  function s ->
    try
      let s = if s = "" then "unnamed" else s in
      let count = Hashtbl.find unique_names s in
      incr count;
      s ^ "_" ^ (string_of_int !count)
    with Not_found ->
      Hashtbl.add unique_names s (ref 0); s


(*
Local Variables: 
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End: 
*)
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_pervasives.ml������������������������������������������������������������������������0000644�0001750�0001750�00000113704�12311670312�014414� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_constructors

open Format
open Num

let ( $ ) = fun f g x -> f(g x)

exception Error of Loc.position * string

let error l =
  Format.kfprintf
    (fun _fmt -> raise (Error(l, flush_str_formatter())))
    str_formatter

let zero = Num.Int 0
let one = Num.Int 1
let two = Num.Int 2
let eight = Num.Int 8

let rec is_power_of_two i =
  if i <=/ zero then
    false
  else
    i =/ one || mod_num i two =/ zero && is_power_of_two (i // two)

let rec log2 i =
  assert (i >/ zero);
  if i =/ one then zero else one +/ log2 (i // two)

let operator_of_format (f : float_format) =
  match f with
    | `Float -> `Float
    | `Double -> `Double
    | `Binary80 -> `Binary80

let operator_of_native t =
  match t with
  | Tunit -> `Unit
  | Tboolean -> `Boolean
  | Tinteger -> `Integer
  | Treal -> `Real
  | Tgenfloat f -> operator_of_format f
  | Tstring -> assert false

let operator_of_type = function
  | JCTnative n -> operator_of_native n
  | JCTenum _ -> `Integer
  | JCTlogic _ -> `Logic
  | JCTany | JCTtype_var _ -> assert false (* TODO? *)
  | JCTnull | JCTpointer _ -> `Pointer

let eq_operator_of_type = function
  | JCTnative n -> operator_of_native n
  | JCTenum _ | JCTlogic _ -> `Logic
  | JCTany | JCTtype_var _ -> assert false (* TODO? *)
  | JCTnull | JCTpointer _ -> `Pointer

let new_label_name =
  let label_name_counter = ref 0 in function () ->
    incr label_name_counter;
    "JC_" ^ string_of_int !label_name_counter

let root_name st =
  st.jc_struct_info_hroot.jc_struct_info_name

let field_root_name fi =
  fi.jc_field_info_hroot.jc_struct_info_name

let string_of_format f =
  match f with
    | `Double -> "double"
    | `Float -> "float"
    | `Binary80 -> "binary80"

let string_of_native t =
  match t with
    | Tunit -> "unit"
    | Tinteger -> "integer"
    | Treal -> "real"
    | Tgenfloat f -> string_of_format f
    | Tboolean -> "boolean"
    | Tstring -> "string"

let print_type_var fmt v = fprintf fmt "(var_%s_%d)" v.jc_type_var_info_name v.jc_type_var_info_tag

let rec print_type fmt t =
  match t with
    | JCTnative n -> fprintf fmt "%s" (string_of_native n)
    | JCTlogic (s,l) -> fprintf fmt "%s%a" s (Pp.print_list_delim Pp.lchevron Pp.rchevron Pp.comma print_type) l
    | JCTenum ri -> fprintf fmt "%s" ri.jc_enum_info_name
    | JCTpointer(pc, ao, bo) ->
        begin match pc with
          | JCtag({ jc_struct_info_name = name }, [])
          | JCroot { jc_root_info_name = name } ->
              fprintf fmt "%s" name
          | JCtag({ jc_struct_info_name = name }, params) ->
              fprintf fmt "%s<%a>" name
                (Pp.print_list Pp.comma print_type) params
        end;
	begin match ao, bo with
	  | None, None ->
	      fprintf fmt "[..]"
	  | Some a, None ->
	      fprintf fmt "[%s..]" (Num.string_of_num a)
	  | None, Some b ->
	      fprintf fmt "[..%s]" (Num.string_of_num b)
	  | Some a, Some b ->
	      if Num.eq_num a b then
		fprintf fmt "[%s]" (Num.string_of_num a)
	      else
		fprintf fmt "[%s..%s]"
		  (Num.string_of_num a) (Num.string_of_num b)
	end
    | JCTnull -> fprintf fmt "(nulltype)"
    | JCTany -> fprintf fmt "(anytype)"
    | JCTtype_var v -> print_type_var fmt v

let num_of_constant _loc c =
    match c with
      | JCCinteger n ->
	  (try Num.num_of_string n
	   with _ -> assert false)
      | _ -> invalid_arg ""

let zero = Num.num_of_int 0
let minus_one = Num.num_of_int (-1)

let rec location_set_region locs =
  match locs#node with
    | JCLSvar vi -> vi.jc_var_info_region
    | JCLSderef(_,_,_,r) -> r
    | JCLSrange(ls,_,_) -> location_set_region ls
    | JCLSrange_term(t1,_,_) -> t1#region
    | JCLSat(ls,_) -> location_set_region ls

type location =
  | JCLvar of var_info
  | JCLderef of location_set * field_info * region

(* operators *)

let is_relation_binary_op = function
  | `Blt | `Bgt | `Ble | `Bge | `Beq | `Bneq -> true
  | _ -> false

let is_logical_binary_op = function
  | `Bland | `Blor | `Bimplies | `Biff -> true
  | _ -> false

let is_arithmetic_binary_op = function
  | `Badd | `Bsub | `Bmul | `Bdiv | `Bmod -> true
  | _ -> false

let is_bitwise_binary_op = function
  | `Bbw_and | `Bbw_or | `Bbw_xor
  | `Bshift_left | `Blogical_shift_right | `Barith_shift_right -> true
  | _ -> false

let is_logical_unary_op = function
  | `Unot -> true
  | _ -> false

let is_arithmetic_unary_op = function
  | `Uminus -> true
  | _ -> false

let is_bitwise_unary_op = function
  | `Ubw_not -> true
  | _ -> false

(* native types *)

let unit_type = JCTnative Tunit
let boolean_type = JCTnative Tboolean
let integer_type = JCTnative Tinteger
let real_type = JCTnative Treal
let double_type = JCTnative (Tgenfloat `Double)
let float_type = JCTnative (Tgenfloat `Float)
let null_type = JCTnull
let string_type = JCTnative Tstring
let any_type = JCTany

(* temporary variables *)

let tempvar_count = ref 0
(* let reset_tmp_var () = tempvar_count := 0 *)
let tmp_var_name () =
  incr tempvar_count; "_jessie_" ^ string_of_int !tempvar_count

(* variables *)

let var_tag_counter = ref 0

let var ?(unique=true) ?(static=false) ?(formal=false) ty id =
  incr var_tag_counter;
  let vi = {
    jc_var_info_tag = !var_tag_counter;
    jc_var_info_name = id;
    jc_var_info_final_name =
      if unique then Jc_envset.get_unique_name id else id;
    jc_var_info_region =
      if static then Region.make_const ty id else Region.make_var ty id;
    jc_var_info_type = ty;
    jc_var_info_formal = formal;
    jc_var_info_assigned = false;
    jc_var_info_static = static;
  }
  in vi

let newvar ty = var ty (tmp_var_name())

let newrefvar ty =
  let vi = newvar ty in
    vi.jc_var_info_assigned <- true;
    vi

let copyvar vi =
  incr var_tag_counter;
  { vi with
    jc_var_info_tag = !var_tag_counter;
    jc_var_info_name =
      "__jc_" ^ (string_of_int !var_tag_counter) ^ vi.jc_var_info_name;
    jc_var_info_final_name =
      "__jc_" ^ (string_of_int !var_tag_counter) ^ vi.jc_var_info_final_name;
  }

(* exceptions *)

let exception_tag_counter = ref 0

let exception_info ty id =
  incr exception_tag_counter;
  let ei = {
    jc_exception_info_tag = !exception_tag_counter;
    jc_exception_info_name = id;
    jc_exception_info_type = ty;
  }
  in ei


(* logic functions *)

let empty_effects =
  { jc_effect_alloc_tables = AllocMap.empty;
    jc_effect_tag_tables = TagMap.empty;
    jc_effect_raw_memories = MemoryMap.empty;
    jc_effect_precise_memories = LocationMap.empty;
    jc_effect_memories = MemoryMap.empty;
    jc_effect_globals = VarMap.empty;
    jc_effect_locals = VarMap.empty;
    jc_effect_mutable = StringSet.empty;
    jc_effect_committed = StringSet.empty;
  }

let empty_logic_info =
  {
    jc_logic_info_tag = 0;
    jc_logic_info_name = "";
    jc_logic_info_final_name = "";
    jc_logic_info_result_type = None;
    jc_logic_info_result_region = dummy_region; (* TODO *)
    jc_logic_info_poly_args = [];
    jc_logic_info_parameters = [];
    jc_logic_info_param_regions = [];
    jc_logic_info_effects = empty_effects;
    jc_logic_info_calls = [];
(*
    jc_logic_info_is_recursive = false;
*)
    jc_logic_info_axiomatic = None;
    jc_logic_info_labels = [];
  }

let logic_fun_tag_counter = ref 0

let make_logic_fun name ty =
  incr logic_fun_tag_counter;
  { jc_logic_info_tag = !logic_fun_tag_counter;
    jc_logic_info_name = name;
    jc_logic_info_final_name = Jc_envset.get_unique_name name;
    jc_logic_info_result_type = Some ty;
    jc_logic_info_result_region = Region.make_var ty name;
    jc_logic_info_poly_args = [];
    jc_logic_info_parameters = [];
    jc_logic_info_param_regions = [];
    jc_logic_info_effects = empty_effects;
    jc_logic_info_calls = [];
(*
    jc_logic_info_is_recursive = false;
*)
    jc_logic_info_axiomatic = None;
    jc_logic_info_labels = [];
  }

let any_string = make_logic_fun "any_string" string_type

(*
let () =
  let vi = var ~formal:true integer_type "n" in
  real_of_integer.jc_logic_info_parameters <- [vi]
*)

let full_separated = make_logic_fun "full_separated" null_type

(* logic predicates *)

let make_pred name =
  incr logic_fun_tag_counter;
  { jc_logic_info_tag = !logic_fun_tag_counter;
    jc_logic_info_name = name;
    jc_logic_info_final_name = Jc_envset.get_unique_name name;
    jc_logic_info_result_type = None;
    jc_logic_info_result_region = dummy_region;
    jc_logic_info_poly_args = [];
    jc_logic_info_parameters = [];
    jc_logic_info_param_regions = [];
    jc_logic_info_effects = empty_effects;
    jc_logic_info_calls = [];
(*
    jc_logic_info_is_recursive = false;
*)
    jc_logic_info_labels = [];
    jc_logic_info_axiomatic = None;
  }


(* programs *)

let empty_fun_effect =
  { jc_reads = empty_effects;
    jc_writes = empty_effects;
    jc_raises = ExceptionSet.empty ;
  }

let fun_tag_counter = ref 0

let make_fun_info name ty =
  incr fun_tag_counter;
  let vi = var ty "\\result" in
  vi.jc_var_info_final_name <- "result";
  { jc_fun_info_tag = !fun_tag_counter;
    jc_fun_info_name = name;
    jc_fun_info_final_name = Jc_envset.get_unique_name name;
    jc_fun_info_builtin_treatment = TreatNothing;
    jc_fun_info_parameters = [];
    jc_fun_info_result = vi;
    jc_fun_info_return_region = Region.make_var ty name;
    jc_fun_info_has_return_label = false;
    jc_fun_info_param_regions = [];
    jc_fun_info_calls = [];
    jc_fun_info_component = -1;
    jc_fun_info_logic_apps = [];
    jc_fun_info_effects = empty_fun_effect;
  }


let option_compare comp opt1 opt2 = match opt1,opt2 with
  | None,None -> 0
  | None,Some _ -> -1
  | Some _,None -> 1
  | Some x,Some y -> comp x y

let rec list_compare comp ls1 ls2 = match ls1,ls2 with
  | [],[] -> 0
  | [],_ -> -1
  | _,[] -> 1
  | x1::r1,x2::r2 ->
      let compx = comp x1 x2 in
      if compx = 0 then list_compare comp r1 r2 else compx



(* terms *)

let rec is_constant_term t =
  match t#node with
    | JCTrange (None, None) (* CORRECT ? *)
    | JCTconst _ -> true
    | JCTvar _ | JCTshift _ | JCTderef _
    | JCTapp _ | JCTold _ | JCTat _ | JCToffset _ | JCTaddress _
    | JCTbase_block _
    | JCTinstanceof _ | JCTcast _ | JCTbitwise_cast _ | JCTrange_cast _
    | JCTreal_cast _ | JCTif _ | JCTlet _ | JCTmatch _ -> false
    | JCTbinary (t1, _, t2) | JCTrange (Some t1, Some t2) ->
	is_constant_term t1 && is_constant_term t2
    | JCTunary (_, t) | JCTrange (Some t, None) | JCTrange (None, Some t) ->
	is_constant_term t

(* Comparison based only on term structure, not types not locations. *)
module TermOrd = struct
  type t = term

  let term_num t = match t#node with
    | JCTconst _ -> 1
    | JCTvar _ -> 3
    | JCTbinary _ -> 5
    | JCTshift _ -> 7
    | JCTunary _ -> 13
    | JCTderef _ -> 17
    | JCTold _ -> 19
    | JCToffset _ -> 23
    | JCTaddress _ -> 25
    | JCTinstanceof _ -> 31
    | JCTcast _ -> 37
    | JCTbitwise_cast _ -> 39
    | JCTrange _ -> 41
    | JCTapp _ -> 43
    | JCTif _ -> 47
    | JCTat _ -> 53
    | JCTmatch _ -> 59
    | JCTrange_cast _ -> 61
    | JCTreal_cast _ -> 67
    | JCTbase_block _ -> 71
    | JCTlet _ -> 73

  let rec compare t1 t2 =
    match t1#node, t2#node with
      | JCTconst c1,JCTconst c2 ->
	  Pervasives.compare c1 c2
      | JCTvar v1,JCTvar v2 ->
	  Pervasives.compare v1.jc_var_info_tag v2.jc_var_info_tag
      | JCTbinary(t11,op1,t12),JCTbinary(t21,op2,t22) ->
	  let compop = Pervasives.compare op1 op2 in
	  if compop = 0 then
	    let comp1 = compare t11 t21 in
	    if comp1 = 0 then compare t12 t22 else comp1
	  else compop
      | JCTshift(t11,t12),JCTshift(t21,t22) ->
	  let comp1 = compare t11 t21 in
	  if comp1 = 0 then compare t12 t22 else comp1
      | JCTunary(op1,t11),JCTunary(op2,t21) ->
	  let compop = Pervasives.compare op1 op2 in
	  if compop = 0 then compare t11 t21 else compop
      | JCTold t11,JCTold t21 ->
	  compare t11 t21
      | JCTaddress(absolute1,t11),JCTaddress(absolute2,t21) ->
	  let compabs = Pervasives.compare absolute1 absolute2 in
	  if compabs = 0 then
	    compare t11 t21
	  else compabs
      | JCTderef(t11,_,fi1),JCTderef(t21,_,fi2) ->
	  let compfi =
	    Pervasives.compare fi1.jc_field_info_tag fi2.jc_field_info_tag
	  in
	  if compfi = 0 then compare t11 t21 else compfi
      | JCToffset(ok1,t11,st1),JCToffset(ok2,t21,st2) ->
	  let compok = Pervasives.compare ok1 ok2 in
	  if compok = 0 then
	    let compst =
	      Pervasives.compare st1.jc_struct_info_name st2.jc_struct_info_name
	    in
	    if compst = 0 then compare t11 t21 else compst
	  else compok
      | JCTinstanceof(t11,lab1,st1),JCTinstanceof(t21,lab2,st2)
      | JCTcast(t11,lab1,st1),JCTcast(t21,lab2,st2)
      | JCTbitwise_cast(t11,lab1,st1),JCTbitwise_cast(t21,lab2,st2) ->
	  let compst =
	    Pervasives.compare st1.jc_struct_info_name st2.jc_struct_info_name
	  in
	  if compst <> 0 then compst else
	    let compst =
	      Pervasives.compare lab1 lab2
	    in
	    if compst <> 0 then compst else
	      compare t11 t21
      | JCTreal_cast(t11,conv1),JCTreal_cast(t21,conv2) ->
	  let comp =
	    Pervasives.compare conv1 conv2
	  in
	  if comp <> 0 then comp else
	    compare t11 t21
      | JCTrange_cast(t11,ri1),JCTrange_cast(t21,ri2) ->
	  let comp =
	    Pervasives.compare ri1.jc_enum_info_name ri2.jc_enum_info_name
	  in
	  if comp <> 0 then comp else
	    compare t11 t21
      | JCTrange(t11opt,t12opt),JCTrange(t21opt,t22opt) ->
	  let comp1 = option_compare compare t11opt t21opt in
	  if comp1 = 0 then
	    option_compare compare t12opt t22opt
	  else comp1
      | JCTapp app1,JCTapp app2 ->
	  let li1 = app1.jc_app_fun and ts1 = app1.jc_app_args in
	  let li2 = app2.jc_app_fun and ts2 = app2.jc_app_args in
	  let compli =
	    Pervasives.compare li1.jc_logic_info_tag li2.jc_logic_info_tag
	  in
	  if compli = 0 then
	    list_compare compare ts1 ts2
	  else compli
      | JCTif(t11,t12,t13),JCTif(t21,t22,t23) ->
	  let comp1 = compare t11 t21 in
	  if comp1 = 0 then
	    let comp2 = compare t12 t22 in
	    if comp2 = 0 then compare t13 t23 else comp2
	  else comp1
      |JCTat(t11,lab1),JCTat(t21,lab2) ->
	 let compst =
	   Pervasives.compare lab1 lab2
	 in
	 if compst <> 0 then compst else
	   compare t11 t21
      | JCTmatch _, JCTmatch _ -> assert false (* TODO *)
      | JCTbase_block t11, JCTbase_block t21 ->
	  compare t11 t21
      | _ ->
	  (* Terms should have different constructors *)
	  assert (term_num t1 <> term_num t2);
	  term_num t2 - term_num t1

  let equal t1 t2 = compare t1 t2 = 0

  let rec hash t =
    let h = match t#node with
      | JCTconst c1 ->
	  Hashtbl.hash c1
      | JCTvar v1 ->
	  Hashtbl.hash v1.jc_var_info_tag
      | JCTbinary(t11,op1,t12) ->
	  Hashtbl.hash op1 * hash t11 * hash t12
      | JCTshift(t11,t12) ->
	  hash t11 * hash t12
      | JCTunary(op1,t11) ->
	  Hashtbl.hash op1 * hash t11
      | JCTold t11 ->
	  hash t11
      | JCTaddress(absolute1,t11) ->
	  Hashtbl.hash absolute1 * hash t11
      | JCTderef(t11,_,fi1) ->
	  Hashtbl.hash fi1.jc_field_info_tag * hash t11
      | JCToffset(ok1,t11,st1) ->
	  Hashtbl.hash ok1 * hash t11
	  * Hashtbl.hash st1.jc_struct_info_name
      | JCTinstanceof(t11,_,_)
      | JCTcast(t11,_,_)
      | JCTbase_block(t11)
      | JCTbitwise_cast(t11,_,_)
      | JCTreal_cast(t11,_)
      | JCTrange_cast(t11,_)
      | JCTat(t11,_) ->
	  hash t11
      | JCTrange(t11opt,t12opt) ->
	  Option_misc.map_default hash 1 t11opt
	  * Option_misc.map_default hash 1 t12opt
      | JCTapp app1 ->
	  let li1 = app1.jc_app_fun and ts1 = app1.jc_app_args in
	  List.fold_left
	    (fun h arg -> h * hash arg)
	    (Hashtbl.hash li1.jc_logic_info_tag) ts1
      | JCTif(t11,t12,t13) ->
	  hash t11 * hash t12 * hash t13
      | JCTmatch (_, _) -> assert false (* TODO *)
      | JCTlet(_,t1,t2) -> hash t1 * hash t2
    in
    Hashtbl.hash (term_num t) * h

end

module TermTable = Hashtbl.Make(TermOrd)
module TermSet = Set.Make(TermOrd)
module TermMap = Map.Make(TermOrd)


let tag_num tag = match tag#node with
  | JCTtag _ -> 1
  | JCTbottom -> 3
  | JCTtypeof _ -> 5

let raw_tag_compare tag1 tag2 =
  match tag1#node,tag2#node with
    | JCTtag st1,JCTtag st2 ->
        Pervasives.compare st1.jc_struct_info_name st2.jc_struct_info_name
    | JCTbottom,JCTbottom -> 0
    | JCTtypeof(t1,st1),JCTtypeof(t2,st2) ->
        let compst =
	  Pervasives.compare st1.jc_struct_info_name st2.jc_struct_info_name
        in
        if compst = 0 then TermOrd.compare t1 t2 else compst
  | _ -> tag_num tag2 - tag_num tag1


(* Comparison based only on assertion structure, not locations. *)
module AssertionOrd = struct
  type t = assertion

  let assertion_num a = match a#node with
	(* are these supposed to be prime numbers ? *)
    | JCAtrue -> 1
    | JCAfalse -> 3
    | JCArelation _ -> 5
    | JCAand _ -> 7
    | JCAor _ -> 11
    | JCAimplies _ -> 13
    | JCAiff _ -> 17
    | JCAnot _ -> 19
    | JCAapp _ -> 23
    | JCAquantifier _ -> 31
    | JCAold _ -> 37
    | JCAinstanceof  _ -> 41
    | JCAbool_term _ -> 43
    | JCAif _ -> 47
    | JCAmutable _ -> 53
    | JCAeqtype _ -> 59
    | JCAat _ -> 61
    | JCAlet _ -> 67
    | JCAmatch _ -> 71
    | JCAsubtype _ -> 73
    | JCAfresh _ -> 79

  let rec compare a1 a2 =
    match a1#node, a2#node with
      | JCAtrue,JCAtrue | JCAfalse,JCAfalse -> 0
      | JCArelation(t11,op1,t12),JCArelation(t21,op2,t22) ->
          let compop = Pervasives.compare op1 op2 in
          if compop = 0 then
	    let comp1 = TermOrd.compare t11 t21 in
	    if comp1 = 0 then TermOrd.compare t12 t22 else comp1
          else compop
      | JCAand als1,JCAand als2 | JCAor als1,JCAor als2 ->
	  list_compare compare als1 als2
      | JCAimplies(a11,a12),JCAimplies(a21,a22)
      | JCAiff(a11,a12),JCAiff(a21,a22) ->
          let comp1 = compare a11 a21 in
          if comp1 = 0 then compare a12 a22 else comp1
      | JCAnot a1,JCAnot a2 | JCAold a1,JCAold a2 ->
          compare a1 a2
      | JCAapp app1, JCAapp app2 ->
	  let li1 = app1.jc_app_fun in
	  let li2 = app2.jc_app_fun in
          let compli =
	    Pervasives.compare li1.jc_logic_info_tag li2.jc_logic_info_tag
          in
          if compli = 0 then
	    let tls1 = app1.jc_app_args in
	    let tls2 = app2.jc_app_args in
  	    list_compare TermOrd.compare tls1 tls2
          else compli
      | JCAquantifier(q1,vi1,trigs1,a1),JCAquantifier(q2,vi2,trigs2,a2) ->
          let compq = Pervasives.compare q1 q2 in
          if compq = 0 then
	    let compvi = Pervasives.compare vi1 vi2 in
	    if compvi = 0 then
              let comptrigs = list_compare (list_compare compare_pat)
                trigs1 trigs2 in
              if comptrigs = 0 then compare a1 a2
              else comptrigs
            else compvi
          else compq
      | JCAinstanceof(t1,_,st1),JCAinstanceof(t2,_,st2) ->
          let compst =
	    Pervasives.compare st1.jc_struct_info_name st2.jc_struct_info_name
          in
          if compst = 0 then TermOrd.compare t1 t2 else compst
      | JCAbool_term t1,JCAbool_term t2 ->
          TermOrd.compare t1 t2
      | JCAif(t1,a11,a12),JCAif(t2,a21,a22) ->
          let comp0 = TermOrd.compare t1 t2 in
          if comp0 = 0 then
	    let comp1 = compare a11 a21 in
	    if comp1 = 0 then compare a12 a22 else comp1
          else comp0
      | JCAmutable(t1,st1,tag1),JCAmutable(t2,st2,tag2) ->
          let compst =
	    Pervasives.compare st1.jc_struct_info_name st2.jc_struct_info_name
          in
          if compst = 0 then
	    let comptag = raw_tag_compare tag1 tag2 in
	    if comptag = 0 then TermOrd.compare t1 t2 else comptag
          else compst
      | JCAeqtype(tag11,tag12,so1),JCAeqtype(tag21,tag22,so2) ->
          let compso = option_compare Pervasives.compare so1 so2 in
          if compso = 0 then
	    let comptag = raw_tag_compare tag11 tag21 in
	    if comptag = 0 then raw_tag_compare tag12 tag22 else comptag
          else compso
      | _ ->
	  (* Assertions should have different constructors *)
	  assert (assertion_num a1 <> assertion_num a2);
	  assertion_num a1 - assertion_num a2
  and compare_pat pat1 pat2 =
    match pat1,pat2 with
      | JCAPatT t1,JCAPatT t2 -> TermOrd.compare t1 t2
      | JCAPatT _, _ -> 1
      | _,JCAPatT _ -> -1
      | JCAPatP p1, JCAPatP p2 -> compare p1 p2
  let equal a1 a2 = compare a1 a2 = 0
end

let rec is_numeric_term t =
  match t#node with
    | JCTconst _ -> true
    | JCTvar _ | JCTshift _ | JCTderef _
    | JCToffset _ | JCTaddress _ | JCTinstanceof _ | JCTrange _ -> false
    | JCTbinary (t1, _, t2) -> is_numeric_term t1 && is_numeric_term t2
    | JCTunary (_, t) | JCTold t | JCTat(t,_) | JCTcast (t, _, _)
    | JCTbitwise_cast (t, _, _) | JCTbase_block t
    | JCTrange_cast (t, _) | JCTreal_cast (t, _) -> is_numeric_term t
    | JCTapp _ -> false (* TODO ? *)
    | JCTif _ | JCTlet _ | JCTmatch _ -> false (* TODO ? *)


(* assertions *)

let rec is_constant_assertion a =
  match a#node with
    | JCAtrue | JCAfalse -> true
    | JCArelation (t1, _, t2) ->
	is_constant_term t1 && is_constant_term t2
    | JCAand al | JCAor al ->
	List.for_all is_constant_assertion al
    | JCAimplies (a1, a2) | JCAiff (a1, a2) ->
	is_constant_assertion a1 && is_constant_assertion a2
    | JCAnot a | JCAquantifier (_, _, _, a) | JCAold a | JCAat(a,_)
	-> is_constant_assertion a
    | JCAapp _ | JCAinstanceof _ | JCAmutable _ | JCAeqtype _
    | JCAsubtype _ | JCAfresh _
	-> false
    | JCAbool_term t -> is_constant_term t
    | JCAif (t, a1, a2) ->
	is_constant_term t &&
	  is_constant_assertion a1 &&
	  is_constant_assertion a2
    | JCAlet(_vi,t, p) ->
	is_constant_term t && is_constant_assertion p
    | JCAmatch (t, pal) ->
	is_constant_term t &&
	  (List.fold_left (fun acc (_, a) -> acc && is_constant_assertion a)
	     true pal)

(* fun specs *)

let default_behavior = {
  jc_behavior_throws = None;
  jc_behavior_assumes = None;
  jc_behavior_assigns = None;
  jc_behavior_allocates = None;
  jc_behavior_ensures = new assertion JCAtrue;
  jc_behavior_free_ensures = new assertion JCAtrue;
}

let contains_normal_behavior fs =
  List.exists
    (fun (_, _, b) -> b.jc_behavior_throws = None)
    (fs.jc_fun_default_behavior :: fs.jc_fun_behavior)

let contains_exceptional_behavior fs =
  List.exists
    (fun (_, _, b) -> b.jc_behavior_throws <> None)
    (fs.jc_fun_default_behavior :: fs.jc_fun_behavior)

let is_purely_exceptional_fun fs =
  not (contains_normal_behavior fs) &&
    contains_exceptional_behavior fs


let rec skip_shifts e = match e#node with
  | JCEshift(e,_) -> skip_shifts e
  | _ -> e

let rec skip_term_shifts t = match t#node with
  | JCTshift(t,_) -> skip_term_shifts t
  | _ -> t

let rec skip_tloc_range locs = match locs#node with
  | JCLSrange(t,_,_) -> skip_tloc_range t
  | _ -> locs

(* option *)

let select_option opt default = match opt with Some v -> v | None -> default

(*
let direct_embedded_struct_fields st =
  List.fold_left
    (fun acc fi ->
      match fi.jc_field_info_type with
	| JCTpointer(JCtag st', Some _, Some _) ->
	    assert (st.jc_struct_info_name <> st'.jc_struct_info_name);
	    fi :: acc
	| JCTpointer(JCvariant st', Some _, Some _) ->
	    assert false (* TODO *)
	| _ -> acc
    ) [] st.jc_struct_info_fields

let embedded_struct_fields st =
  let rec collect forbidden_set st =
    let forbidden_set = StringSet.add st.jc_struct_info_name forbidden_set in
    let fields = direct_embedded_struct_fields st in
    let fstructs =
      List.fold_left
	(fun acc fi -> match fi.jc_field_info_type with
	  | JCTpointer (JCtag st', Some _, Some _) ->
	      assert
		(not (StringSet.mem st'.jc_struct_info_name forbidden_set));
	      st' :: acc
	   | JCTpointer (JCvariant vi, Some _, Some _) ->
	       assert false (* TODO *)
	   | _ -> assert false (* bug ? pas acc plutot ? *)
	       (* en plus c'est un pattern-matching fragile *)
	) [] fields
    in
    fields @ List.flatten (List.map (collect forbidden_set) fstructs)
  in
  let fields = collect (StringSet.singleton st.jc_struct_info_name) st in
  let fields =
    List.fold_left (fun acc fi -> FieldSet.add fi acc) FieldSet.empty fields
  in
  FieldSet.elements fields
*)
let field_sinfo fi =
  match fi.jc_field_info_type with
    | JCTpointer(JCtag(st, _), _, _) -> st
    | _ -> assert false

let field_bounds fi =
  match fi.jc_field_info_type with
    | JCTpointer(_,Some a,Some b) -> a,b | _ -> assert false

let pointer_struct = function
  | JCTpointer(JCtag(st, []), _, _) -> st
  | ty ->
      Format.printf "%a@." print_type ty;
      assert false

let pointer_class = function
  | JCTpointer(pc, _, _) -> pc
  | ty ->
      Format.printf "%a@." print_type ty;
      assert false

let map_elements map =
  StringMap.fold (fun _ i acc -> i::acc) map []

(*
let embedded_struct_roots st =
  let fields = embedded_struct_fields st in
  let structs =
    List.fold_left (fun acc fi -> StructSet.add (field_sinfo fi) acc)
      StructSet.empty fields
  in
  let structs = StructSet.elements structs in
  let roots =
    List.fold_left
      (fun acc st -> StringSet.add (root_name st) acc)
      StringSet.empty structs
  in
  StringSet.elements roots
*)
let struct_root st =
  match st.jc_struct_info_hroot.jc_struct_info_root with
    | Some vi -> vi
    | None ->
	raise (Invalid_argument
		 ("struct_root in jc_pervasives.ml ("
		  ^st.jc_struct_info_name^", "
		  ^st.jc_struct_info_hroot.jc_struct_info_name^")"))
	(* don't use struct_root before checking that every tag is used
         * in a type *)

let pointer_class_root = function
  | JCtag(st, _) -> struct_root st
  | JCroot vi -> vi

let rec pattern_vars acc pat =
  match pat#node with
    | JCPstruct(_, fpl) ->
	List.fold_left
	  (fun acc (_, pat) -> pattern_vars acc pat)
	  acc fpl
    | JCPvar vi ->
	StringMap.add vi.jc_var_info_name vi acc
    | JCPor(pat, _) ->
	pattern_vars acc pat
    | JCPas(pat, vi) ->
	pattern_vars (StringMap.add vi.jc_var_info_name vi acc) pat
    | JCPany | JCPconst _ ->
	acc

let root_is_plain_union rt = rt.jc_root_info_kind = RplainUnion
let root_is_discr_union rt = rt.jc_root_info_kind = RdiscrUnion
let root_is_union rt = root_is_plain_union rt || root_is_discr_union rt

let struct_of_plain_union st =
  let vi = struct_root st in vi.jc_root_info_kind = RplainUnion

let struct_of_discr_union st =
  let vi = struct_root st in vi.jc_root_info_kind = RdiscrUnion

let struct_of_union st =
  let vi = struct_root st in root_is_union vi

let union_of_field fi =
  let st = fi.jc_field_info_struct in
  let vi = struct_root st in
  assert (root_is_union vi);
  vi

let integral_union vi =
  assert (root_is_union vi);
  List.fold_left (fun acc st -> acc &&
		    match st.jc_struct_info_fields with
		      | [fi] -> is_integral_type fi.jc_field_info_type
		      | _ -> false
		 ) true vi.jc_root_info_hroots

let struct_has_bytesize st =
  List.fold_left
    (fun acc fi -> acc &&
       match fi.jc_field_info_bitsize with None -> false | Some _ -> true)
    true st.jc_struct_info_fields

let struct_bitsize st =
  List.fold_left
    (fun acc fi ->
       match fi.jc_field_info_bitsize with
	 | Some x -> acc + x
	 | None -> assert false)
    0 st.jc_struct_info_fields

let struct_bytesize st =
  struct_bitsize st / 8

let possible_struct_bytesize st =
  if struct_has_bytesize st then Some (struct_bytesize st) else None

(* These are only used by error messages, so feel free to change the strings. *)
let string_of_op = function
  | `Blt -> "<"
  | `Bgt -> ">"
  | `Ble -> "<="
  | `Bge -> ">="
  | `Beq -> "=="
  | `Bneq -> "!="
  | `Badd -> "+"
  | `Bsub -> "-"
  | `Bmul -> "*"
  | `Bdiv -> "/"
  | `Bmod -> "%"
  | `Bland -> "&&"
  | `Blor -> "||"
  | `Bimplies -> "==>"
  | `Biff -> "<=>"
  | `Bbw_and -> "&"
  | `Bbw_or -> "|"
  | `Bbw_xor -> "xor"
  | `Bshift_left -> "shift_left"
  | `Blogical_shift_right -> "logical_shift_right"
  | `Barith_shift_right -> "arith_shift_right"
  | `Uprefix_inc -> "prefix ++"
  | `Uprefix_dec -> "prefix --"
  | `Upostfix_inc -> "postfix ++"
  | `Upostfix_dec -> "prefix --"
  | `Uplus -> "unary +"
  | `Uminus -> "unary -"
  | `Unot -> "not"
  | `Ubw_not -> "bw not"
  | `Bconcat -> "strcat"

let string_of_op_type = function
  | `Integer -> "integer"
  | `Unit -> "unit"
  | `Real -> "real"
  | `Double -> "double"
  | `Float -> "single"
  | `Binary80 -> "binary80"
  | `Boolean -> "boolean"
  | `Pointer -> "pointer"
  | `Logic -> "<some logic type>"

let sign = JCTlogic ("sign",[])
let float_format = JCTlogic ("float_format",[])
let rounding_mode = JCTlogic ("rounding_mode",[])

(* Note: jessie does not support overloading. The right practice is
   to add suffixes to make precise the type of arguments

   TODO: rename integer_max to max_integer, real_abs to abs_real, etc.

*)


let builtin_logic_symbols =
  (* return type, jessie name, why name, parameter types *)
  [ Some real_type, "\\real_of_integer", "real_of_int", [integer_type] ;
    Some integer_type, "\\integer_max", "int_max", [integer_type; integer_type] ;
    Some integer_type, "\\integer_min", "int_min", [integer_type; integer_type] ;
    Some real_type, "\\real_max", "real_max", [real_type; real_type] ;
    Some real_type, "\\real_min", "real_min", [real_type; real_type] ;

    Some integer_type, "\\integer_abs", "abs_int", [integer_type] ;
    Some real_type, "\\real_abs", "abs_real", [real_type] ;
    Some integer_type, "\\truncate_real_to_int", "truncate_real_to_int", [real_type] ;

    Some integer_type, "\\int_pow", "pow_int", [integer_type; integer_type];

    Some real_type, "\\real_sqrt", "sqrt_real", [real_type];
    Some real_type, "\\real_pow", "pow_real", [real_type; real_type];
    Some real_type, "\\real_int_pow", "pow_real_int", [real_type; integer_type];

    Some real_type, "\\single_exact", "single_exact", [float_type];
    Some real_type, "\\double_exact", "double_exact", [double_type];
    Some real_type, "\\single_model", "single_model", [float_type];
    Some real_type, "\\double_model", "double_model", [double_type];



    Some real_type, "\\single_round_error", "single_round_error", [float_type];
   Some real_type, "\\double_round_error", "double_round_error", [double_type];
   Some real_type, "\\double_total_error", "double_total_error", [double_type];
    Some real_type, "\\single_total_error", "single_total_error", [float_type];
(*    Some real_type, "\\double_relative_error", "gen_relative_error", [double_type];
    Some real_type, "\\single_relative_error", "gen_relative_error", [float_type];
*)
    Some sign, "\\single_sign", "single_sign", [float_type];
    Some sign, "\\double_sign", "double_sign", [double_type];

    Some (JCTnative Tboolean), "\\single_is_finite", "single_is_finite", [float_type];
    Some (JCTnative Tboolean), "\\double_is_finite", "double_is_finite", [double_type];

    Some (JCTnative Tboolean), "\\single_is_infinite", "single_is_infinite", [float_type];
    Some (JCTnative Tboolean), "\\double_is_infinite", "double_is_infinite", [double_type];

    Some (JCTnative Tboolean), "\\single_is_NaN", "single_is_NaN", [float_type];
    Some (JCTnative Tboolean), "\\double_is_NaN", "double_is_NaN", [double_type];

    Some (JCTnative Tboolean), "\\single_is_minus_infinity", "single_is_minus_infinity", [float_type];
    Some (JCTnative Tboolean), "\\double_is_minus_infinity", "double_is_minus_infinity", [double_type];

    Some (JCTnative Tboolean), "\\single_is_plus_infinity", "single_is_plus_infinity", [float_type];
    Some (JCTnative Tboolean), "\\double_is_plus_infinity", "double_is_plus_infinity", [double_type];

    Some real_type, "\\exp", "exp", [real_type] ;
    Some real_type, "\\log", "log", [real_type] ;
    Some real_type, "\\log10", "log10", [real_type] ;

    Some real_type, "\\cos", "cos", [real_type] ;
    Some real_type, "\\sin", "sin", [real_type] ;
    Some real_type, "\\tan", "tan", [real_type] ;
    Some real_type, "\\pi", "pi", [] ;
    Some real_type, "\\cosh", "cosh", [real_type] ;
    Some real_type, "\\sinh", "sinh", [real_type] ;
    Some real_type, "\\tanh", "tanh", [real_type] ;
    Some real_type, "\\acos", "acos", [real_type] ;
    Some real_type, "\\asin", "asin", [real_type] ;
    Some real_type, "\\atan", "atan", [real_type] ;
    Some real_type, "\\atan2", "atan2", [real_type; real_type] ;
    Some real_type, "\\hypot", "hypot", [real_type; real_type] ;
    Some real_type, "\\round_float", "round_float", [float_format; rounding_mode; real_type];
    None, "\\no_overflow_single", "no_overflow_single", [rounding_mode; real_type];
    None, "\\no_overflow_double", "no_overflow_double", [rounding_mode; real_type];

    Some real_type, "\\round_single", "round_single", [rounding_mode; real_type];
    Some real_type, "\\round_double", "round_double", [rounding_mode; real_type];

    Some float_format, "\\Single", "Single", [];
    Some float_format, "\\Double", "Double", [];
    Some float_format, "\\Quad", "Quad", [];

    Some rounding_mode, "\\Down", "down", [];
    Some rounding_mode, "\\Up", "up", [];
    Some rounding_mode, "\\ToZero", "to_zero", [];
    Some rounding_mode, "\\NearestEven", "nearest_even", [];
    Some rounding_mode, "\\NearestAway", "nearest_away", [];

    Some sign, "\\Positive", "Positive", [];
    Some sign, "\\Negative", "Negative", [];

    Some (JCTnative Tboolean), "\\le_float", "le_single_full", [float_type;float_type];
    Some (JCTnative Tboolean), "\\le_double", "le_double_full", [double_type;double_type];

    Some (JCTnative Tboolean), "\\lt_float", "lt_single_full", [float_type;float_type];
    Some (JCTnative Tboolean), "\\lt_double", "lt_double_full", [double_type;double_type];

    Some (JCTnative Tboolean), "\\ge_float", "ge_single_full", [float_type;float_type];
    Some (JCTnative Tboolean), "\\ge_double", "ge_double_full", [double_type;double_type];

    Some (JCTnative Tboolean), "\\gt_float", "gt_single_full", [float_type;float_type];
    Some (JCTnative Tboolean), "\\gt_double", "gt_double_full", [double_type;double_type];

    Some (JCTnative Tboolean), "\\eq_float", "eq_single_full", [float_type;float_type];
    Some (JCTnative Tboolean), "\\eq_double", "eq_double_full", [double_type;double_type];

    Some (JCTnative Tboolean), "\\ne_float", "ne_single_full", [float_type;float_type];
    Some (JCTnative Tboolean), "\\ne_double", "ne_double_full", [double_type;double_type];
]

let treatdouble = TreatGenFloat (`Double :> float_format)

let treatfloat = TreatGenFloat (`Float :> float_format)

let builtin_function_symbols =
  (* return type, jessie name, why name, parameter types, special treatment *)
  [
    real_type, "\\real_of_integer", "real_of_int", [integer_type], TreatNothing ;
    double_type, "\\double_sqrt", "sqrt_double", [double_type], treatdouble ;
    float_type, "\\float_sqrt", "sqrt_single", [float_type], treatfloat ;
    double_type, "\\double_abs", "abs_double", [double_type], treatdouble ;
    float_type, "\\float_abs", "abs_single", [float_type], treatfloat ;
    double_type, "\\neg_double", "neg_double", [double_type], treatdouble ;
    float_type, "\\neg_float", "neg_single", [float_type], treatfloat ;
]

module StringSet = Set.Make(String)

module IntSet = Set.Make(struct type t = int let compare = compare end)

module StringHashtblIter =
struct
  type 'a t = (string, 'a) Hashtbl.t * StringSet.t ref
  let create x = (Hashtbl.create x, ref StringSet.empty)
  let add (tbl, keys) x infos =
    Hashtbl.add tbl x infos;
    keys:=StringSet.add x !keys
  let replace (tbl, keys) x infos =
    Hashtbl.replace tbl x infos;
    keys:=StringSet.add x !keys
  let find (tbl,_) x = Hashtbl.find tbl x
  let fold f (tbl,keys) init =
    let apply s acc =
      try
        let infos = Hashtbl.find tbl s in f s infos acc
      with Not_found -> assert false
    in StringSet.fold apply !keys init
  let iter f t = fold (fun s i () -> f s i) t ()
end

module IntHashtblIter =
struct
  type 'a t = (int, 'a) Hashtbl.t * IntSet.t ref
  let create x = (Hashtbl.create x, ref IntSet.empty)
  let add (tbl, keys) x infos =
    Hashtbl.add tbl x infos;
    keys:=IntSet.add x !keys
  let replace (tbl, keys) x infos =
    Hashtbl.replace tbl x infos;
    keys:=IntSet.add x !keys
  let find (tbl,_) x = Hashtbl.find tbl x
  let fold f (tbl,keys) init =
    let apply s acc =
      try
        let infos = Hashtbl.find tbl s in f s infos acc
      with Not_found -> assert false
    in IntSet.fold apply !keys init
  let iter f t = fold (fun n i () -> f n i) t ()
end


(*
Local Variables:
compile-command: "LC_ALL=C make -j -C .. bin/jessie.byte"
End:
*)

������������������������������������������������������������why-2.34/jc/jc_iterators.ml�������������������������������������������������������������������������0000644�0001750�0001750�00000124422�12311670312�014240� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Jc_ast
open Jc_constructors

open Jc_envset

(*
open Format
open Jc_env
open Jc_fenv
open Jc_fenv
open Jc_pervasives

*)

module type TAst = sig
  type t
  val subs: t -> t list
end

module type TIterators = sig
  type t

  val subs: t -> t list
  val iter: (t -> unit) -> t -> unit

  (* Parcours en profondeur d'abord, mais l'accumulateur obtenu est ensuite
     passé aussi en largeur. *)
  val fold_left: ('a -> t -> 'a) -> 'a -> t -> 'a
  val fold_right: (t -> 'a -> 'a) -> t -> 'a -> 'a

  (* Parcours en profondeur avec accumulateur (le même pour tous les fils). *)
  val iter_deep_left: ('a -> t -> 'a) -> 'a -> t -> unit
  val iter_deep_right: (t -> 'a -> 'a) -> t -> 'a -> unit
end

module Iterators(X: TAst): TIterators with type t = X.t = struct
  type t = X.t
  let subs = X.subs
  let rec iter f x = f x; List.iter (iter f) (subs x)
  let rec fold_left f a x =
    let a = f a x in
    List.fold_left (fold_left f) a (subs x)
  let rec fold_right f x a =
    let a = f x a in
    List.fold_right (fold_right f) (subs x) a
  let rec iter_deep_left f a x =
    let a = f a x in
    List.iter (iter_deep_left f a) (subs x)
  let rec iter_deep_right f x a =
    let a = f x a in
    List.iter (fun x -> iter_deep_right f x a) (subs x)
end

(*****************************************************************************)
(* General iterators on parsed expressions.                                  *)
(*****************************************************************************)


let replace_sub_pexpr e el =
  let as1 = function [e1] -> e1 | _ -> assert false in
  let as2 = function [e1;e2] -> e1,e2 | _ -> assert false in
  let as3 = function [e1;e2;e3] -> e1,e2,e3 | _ -> assert false in
  let pop = function e1::r -> e1,r | _ -> assert false in
  let popopt el = function 
    | None -> None,el 
    | Some _ -> let e1,r = pop el in Some e1,r
  in
  let rec popn n el = 
    if n > 0 then 
      let e,r = pop el in
      let el1,el2 = popn (n-1) r in
      e :: el1, el2
    else [],el
  in
  let replace_sub_tag tag el =
    let tag_node,el = match tag#node with
      | JCPTtag _ | JCPTbottom as tag_node -> tag_node,el
      | JCPTtypeof _e -> 
	  let e1,el = pop el in
	  JCPTtypeof e1,el
    in
    new ptag_with ~node:tag_node tag,el
  in
  let enode = match e#node with
    | JCPEconst _ | JCPEvar _ | JCPEbreak _
    | JCPEcontinue _ | JCPEgoto _ as enode -> enode
    | JCPEeqtype(tag1,tag2) ->
	let tag1,el = replace_sub_tag tag1 el in
	let tag2,el = replace_sub_tag tag2 el in
	assert (el == []);
	JCPEeqtype(tag1,tag2)
    | JCPEsubtype(tag1,tag2) ->
	let tag1,el = replace_sub_tag tag1 el in
	let tag2,el = replace_sub_tag tag2 el in
	assert (el == []);
	JCPEsubtype(tag1,tag2)
    | JCPElabel(lab,_e1) -> 
	let e1 = as1 el in JCPElabel(lab,e1)
    | JCPEbinary(_e1,bop,_e2) ->
	let e1,e2 = as2 el in JCPEbinary(e1,bop,e2) 
    | JCPEunary(uop,_e1) ->
	let e1 = as1 el in JCPEunary(uop,e1)
    | JCPEassign(_e1,_e2) ->
	let e1,e2 = as2 el in JCPEassign(e1,e2)
    | JCPEassign_op(_e1,op,_e2) ->
	let e1,e2 = as2 el in JCPEassign_op(e1,op,e2)
    | JCPEderef(_e1,fi) ->
	let e1 = as1 el in JCPEderef(e1,fi)
    | JCPEapp(fi,labs,_args) ->
	JCPEapp(fi,labs,el)
    | JCPEquantifier(q,ty,labs,trigs,_e) ->
	let e1 = as1 el in JCPEquantifier(q,ty,labs,trigs,e1)
    | JCPEfresh _e ->
	let e1 = as1 el in JCPEfresh(e1)
    | JCPEold _e ->
	let e1 = as1 el in JCPEold(e1)
    | JCPEat(_e,lab) ->
	let e1 = as1 el in JCPEat(e1,lab)
    | JCPEoffset(off,_e) ->
	let e1 = as1 el in JCPEoffset(off,e1)
    | JCPEaddress(absolute,_e) ->
	let e1 = as1 el in JCPEaddress(absolute,e1)
    | JCPEbase_block(_e) ->
	let e1 = as1 el in JCPEbase_block(e1)
    | JCPEinstanceof(_e,st) ->
	let e1 = as1 el in JCPEinstanceof(e1,st)
    | JCPEcast(_e,st) ->
	let e1 = as1 el in JCPEcast(e1,st)
    | JCPEif(_e1,_e2,_e3) ->
	let e1,e2,e3 = as3 el in JCPEif(e1,e2,e3)
    | JCPErange(e1opt,e2opt) ->
	let e1opt,el = popopt el e1opt in
	let e2opt,el = popopt el e2opt in
	assert (el = []);
	JCPErange(e1opt,e2opt)
    | JCPEmatch(_e1,ptl) ->
	let e1,el = pop el in
	let ptl = List.map2 (fun (p,_e) e -> p,e) ptl el in
	JCPEmatch(e1,ptl)
    | JCPElet(tyopt,name,eopt,_e) ->
	let eopt,el = popopt el eopt in
	let e1 = as1 el in JCPElet(tyopt,name,eopt,e1)
    | JCPEdecl(ty,name,eopt) ->
	let eopt,el = popopt el eopt in
	assert (el = []);
	JCPEdecl(ty,name,eopt)
    | JCPEalloc(_e,name) ->
	let e1 = as1 el in JCPEalloc(e1,name)
    | JCPEfree _e ->
	let e1 = as1 el in JCPEfree e1
    | JCPEmutable(_e,tag) ->
	let e1 = as1 el in JCPEmutable(e1,tag)
    | JCPEblock elist ->
	assert (List.length elist = List.length el);
	JCPEblock el
    | JCPEassert(behav,asrt,_e) ->
	let e1 = as1 el in JCPEassert(behav,asrt,e1)
    | JCPEcontract(req,dec,behs,_e) ->
	let e1 = as1 el in JCPEcontract(req,dec,behs,e1)
    | JCPEwhile(_test,behs,variant,_body) ->
	let test,el = pop el in
	let behs,el =
	  List.fold_right
	    (fun (names,inv,ass) (b,el) ->
	       let inv,el = popopt el inv in
	       ((names,inv,ass)::b,el)) 
	    behs
	    ([],el)
	in        
	let variant,el = 
          match variant with
            | None -> None,el
            | Some(_v,r) -> let v,el = pop el in Some(v,r),el
        in
	let body = as1 el in 
	JCPEwhile(test,behs,variant,body)
    | JCPEfor(inits,_test,updates,behs,var,_body) ->
	let inits,el = popn (List.length inits) el in
	let test,el = pop el in
	let updates,el = popn (List.length updates) el in
	let behs,el =
	  List.fold_right
	    (fun (names,inv,ass) (b,el) ->
	       let inv,el = popopt el inv in
	       ((names,inv,ass)::b,el)) 
	    behs
	    ([],el)
	in
	let var,el = 
          match var with
            | None -> None,el
            | Some(_var,r) -> let v,el = pop el in Some(v,r),el
        in
	let body = as1 el in 
	JCPEfor(inits,test,updates,behs,var,body)
    | JCPEreturn _ ->
	let e1 = as1 el in JCPEreturn e1
    | JCPEtry(_body,catches,_finally) ->
	let body,el = pop el in
	let catches,el = 
	  List.fold_left (fun (acc,el) (id,name,_e) -> 
			    let e1,el = pop el in (id,name,e1)::acc,el
			 ) ([],el) catches
	in
	let catches = List.rev catches in
	let finally = as1 el in
	JCPEtry(body,catches,finally)
    | JCPEthrow(id,_) ->
        let e1 = as1 el in JCPEthrow(id,e1)
    | JCPEpack(_e,id) ->
	let e1 = as1 el in JCPEpack(e1,id)
    | JCPEunpack(_e,id) ->
	let e1 = as1 el in JCPEunpack(e1,id)
    | JCPEswitch(_e,cases) ->
	let e1,el = pop el in
	let cases,el = 
	  List.fold_left 
	    (fun (acc,el) (caselist,_e) ->
	       let caselist,el = 
		 List.fold_left 
		   (fun (acc,el) eopt ->
		      let eopt,el = popopt el eopt in
		      eopt::acc,el
		   ) ([],el) caselist
	       in
	       let caselist = List.rev caselist in
	       let e1,el = pop el in
	       (caselist,e1)::acc,el
	    ) ([],el) cases 
	in
	let cases = List.rev cases in	
	assert (el = []);
	JCPEswitch(e1,cases)
  in
  new pexpr_with ~node:enode e

module PExprAst = struct
  type t = pexpr
  let subtags tag = 
    match tag#node with
      | JCPTtag _ | JCPTbottom -> []
      | JCPTtypeof e -> [e]
  let subs e =
    match e#node with
      | JCPEconst _
      | JCPEvar _
      | JCPEbreak _
      | JCPEcontinue _ 
      | JCPEgoto _ 
      | JCPErange(None,None)
      | JCPEdecl(_,_,None) ->
          []
      | JCPEeqtype(tag1,tag2) | JCPEsubtype(tag1,tag2) ->
	  subtags tag1 @ subtags tag2
      | JCPEassert(_,_,e)
      | JCPElabel(_, e)
      | JCPEderef(e, _)
      | JCPEunary(_, e)
      | JCPEinstanceof(e, _)
      | JCPEcast(e, _)
      | JCPEoffset(_, e)
      | JCPEaddress(_,e)
      | JCPEbase_block(e)
      | JCPEalloc(e, _)
      | JCPEfree e
      | JCPElet(_, _,None, e)
      | JCPEreturn e
      | JCPEthrow(_, e)
      | JCPEpack(e, _)
      | JCPEunpack(e, _)
      | JCPEfresh e
      | JCPEold e
      | JCPEat(e,_)
      | JCPErange(Some e,None)
      | JCPErange(None,Some e)
      | JCPEdecl(_,_,Some e)
      | JCPEmutable(e,_) ->
          [e]
      | JCPEbinary(e1, _, e2)
      | JCPEassign(e1, e2)
      | JCPEassign_op(e1, _, e2)
      | JCPElet(_, _, Some e1, e2)
      | JCPErange(Some e1,Some e2) ->
          [e1; e2]
      | JCPEif(e1, e2, e3) ->
	  [e1; e2; e3]
      | JCPEcontract(_,_,_,e) -> [e]
      | JCPEwhile(e1,behs,variant,body) ->
	  let acc =
	    List.fold_right
	      (fun (_,inv,_ass) acc ->
		 Option_misc.fold (fun x l -> x::l) inv acc
		   (* TODO : ass *))
	      behs
	      (Option_misc.fold (fun (x,_) l -> x::l) variant [body])
	  in e1::acc
      | JCPEfor(inits,cond,update,behs,variant,body) ->
	  let acc =
	    List.fold_right
	      (fun (_,inv,_ass) acc ->
		 Option_misc.fold (fun x l -> x::l) inv acc
		   (* TODO : ass *))
	      behs
	      (Option_misc.fold (fun (x,_) l -> x::l) variant [body])
	  in inits @ cond :: update @ acc
      | JCPEblock el
      | JCPEapp(_,_,el) ->
	  el
      | JCPEquantifier(_,_,_,_trigs,e) -> [e](*::(List.concat trigs)*)
      | JCPEtry(e1, l, e2) ->
          e1 :: List.map (fun (_, _, e) -> e) l @ [ e2 ]
      | JCPEmatch(e, pel) ->
          e :: List.map snd pel
      | JCPEswitch(e,cases) ->
	  let case c = 
	    List.flatten (List.map (function None -> [] | Some e -> [e]) c)
	  in
	  e :: List.flatten (List.map (fun (cases,e) -> case cases @ [e]) cases)
end

module IPExpr = Iterators(PExprAst)

let rec map_pexpr ?(before = fun x -> x) ?(after = fun x -> x) e =
  let e = before e in
  let elist = List.map (map_pexpr ~before ~after) (PExprAst.subs e) in
  after (replace_sub_pexpr e elist)


(*****************************************************************************)
(* General iterators on terms.                                               *)
(*****************************************************************************)

type term_subst = Jc_fenv.term Jc_envset.VarMap.t

let rec subst_term (subst : term_subst) t =
  let f = subst_term subst in
  let n = match t#node with
    | JCTconst _ as t1 -> t1
    | JCTvar v as t1 ->
        begin
          try (VarMap.find v subst)#node
          with Not_found -> t1
        end          
    | JCTbinary(t1,op,t2) -> JCTbinary(f t1,op,f t2)
    | JCTshift(t1,t2) -> JCTshift(f t1, f t2)
    | JCTrange(t1,t2) -> JCTrange(Option_misc.map f t1, Option_misc.map f t2)
    | JCTunary(op,t1) -> JCTunary(op, f t1)
    | JCTderef(t1,lab,fi) -> JCTderef(f t1,lab,fi)
    | JCTold(t1) -> JCTold(f t1)  
    | JCTat(t1,lab) -> JCTat(f t1,lab) 
    | JCToffset(kind,t1,st) -> JCToffset(kind,f t1,st) 
    | JCTaddress(kind,t1) -> JCTaddress(kind,f t1) 
    | JCTbase_block(t1) -> JCTbase_block(f t1)
    | JCTinstanceof(t1,lab,st) -> JCTinstanceof(f t1,lab,st) 
    | JCTcast(t1,lab,st) -> JCTcast(f t1,lab,st) 
    | JCTbitwise_cast(t1,lab,st) -> JCTbitwise_cast(f t1,lab,st) 
    | JCTrange_cast(t1,ei) -> JCTrange_cast(f t1,ei)
    | JCTreal_cast(t1,rconv) -> JCTreal_cast(f t1,rconv)
    | JCTapp app -> 
        JCTapp({app with jc_app_args = List.map f app.jc_app_args})
    | JCTif(t1,t2,t3) -> JCTif(f t1, f t2, f t3)
    | JCTlet(_vi,_t1,_t2) -> 
        assert false (* TODO, beware of variable capture *)
    | JCTmatch(_t, _ptl) -> 
        assert false (* TODO, beware of variable capture *)
          (* JCTmatch(f t,List.map f ptl) *)
  in
  new term_with ~node:n t 

module TermAst = struct
  type t = term
  let subs t = 
    match t#node with
      | JCTconst _ | JCTvar _ | JCTrange(None,None) -> 
	  []
      | JCTbinary(t1,_,t2) | JCTshift(t1,t2) 
      | JCTrange(Some t1,Some t2) ->
	  [t1;t2]
      | JCTunary(_,t1) | JCTderef(t1,_,_) | JCTold t1 | JCTat(t1,_) 
      | JCToffset(_,t1,_) | JCTaddress(_,t1) | JCTbase_block(t1)
      | JCTinstanceof(t1,_,_) | JCTcast(t1,_,_) | JCTbitwise_cast(t1,_,_) 
      | JCTrange_cast(t1,_) 
      | JCTreal_cast(t1,_) | JCTrange(Some t1,None)
      | JCTrange(None,Some t1) ->
	  [t1]
      | JCTapp app ->
	  app.jc_app_args 
      | JCTif(t1,t2,t3) ->
	  [t1;t2;t3]
      | JCTmatch(t, ptl) ->
	  t :: List.map snd ptl
      | JCTlet(_, t1,t2) ->
	  [t1;t2]
end

module ITerm = Iterators(TermAst)


let fold_sub_term it f acc t =
  let it = it f in
  match t#node with
    | JCTconst _ 
    | JCTvar _ -> 
	acc
    | JCTbinary(t1,_,t2)
    | JCTshift(t1,t2) ->
	let acc = it acc t1 in
	it acc t2
    | JCTrange(t1_opt,t2_opt) ->
	let acc = Option_misc.fold_left it acc t1_opt in
	Option_misc.fold_left it acc t2_opt
    | JCTunary(_,t1) 
    | JCTderef(t1,_,_)
    | JCTold t1
    | JCToffset(_,t1,_)
    | JCTaddress(_,t1)
    | JCTbase_block(t1)
    | JCTinstanceof(t1,_,_) 
    | JCTcast(t1,_,_) 
    | JCTbitwise_cast(t1,_,_) 
    | JCTreal_cast(t1,_) 
    | JCTrange_cast(t1,_) 
    | JCTat(t1,_) ->
	it acc t1
    | JCTapp app ->
	let tl = app.jc_app_args in
	List.fold_left it acc tl
    | JCTif(t1,t2,t3) ->
	let acc = it acc t1 in
	let acc = it acc t2 in
	it acc t3
    | JCTlet(_,t1,t2) ->
	let acc = it acc t1 in
	it acc t2
    | JCTmatch(t, ptl) ->
	let acc = it acc t in
	List.fold_left (fun acc (_, t) -> it acc t) acc ptl

let rec fold_term f acc t =
  let acc = f acc t in
  fold_sub_term fold_term f acc t

let rec fold_rec_term f acc t =
  let cont,acc = f acc t in
  if cont then fold_sub_term fold_rec_term f acc t else acc

let fold_unit f () = f

let iter_term ft t = fold_term (fold_unit ft) () t

let rec map_term f t =
  let tnode = match t#node with
    | JCTconst _ | JCTvar _ | JCTrange (None, None) as tnode -> tnode
    | JCTbinary(t1,bop,t2) ->
	JCTbinary(map_term f t1,bop,map_term f t2) 
    | JCTunary(uop,t1) ->
	JCTunary(uop,map_term f t1)
    | JCTshift(t1,t2) ->
	JCTshift(map_term f t1,map_term f t2)
    | JCTderef(t1,lab,fi) ->
	JCTderef(map_term f t1,lab,fi)
    | JCTapp app ->
	let tl = app.jc_app_args in
	JCTapp { app with jc_app_args = List.map (map_term f) tl; }
    | JCTold t ->
	JCTold(map_term f t)
    | JCTat(t,lab) ->
	JCTat(map_term f t,lab)
    | JCToffset(off,t,st) ->
	JCToffset(off,map_term f t,st)
    | JCTaddress(absolute,t) ->
	JCTaddress (absolute,map_term f t)
    | JCTbase_block(t) ->
	JCTbase_block (map_term f t)
    | JCTinstanceof(t,lab,st) ->
	JCTinstanceof(map_term f t,lab,st)
    | JCTcast(t,lab,st) ->
	JCTcast(map_term f t,lab,st)
    | JCTbitwise_cast(t,lab,st) ->
	JCTbitwise_cast(map_term f t,lab,st)
    | JCTrange_cast(t,ei) ->
	JCTrange_cast(map_term f t,ei)
    | JCTreal_cast(t,rc) ->
	JCTreal_cast(map_term f t,rc)
    | JCTif(t1,t2,t3) ->
	JCTif(map_term f t1,map_term f t2,map_term f t3)
    | JCTlet(vi,t1,t2) ->
	JCTlet(vi,map_term f t1,map_term f t2)
    | JCTrange(Some t1,Some t2) ->
	JCTrange(Some (map_term f t1),Some (map_term f t2))
    | JCTrange(Some t1,None) ->
	JCTrange(Some (map_term f t1),None)
    | JCTrange(None,Some t2) ->
	JCTrange(None,Some (map_term f t2))
    | JCTmatch(t, ptl) ->
	JCTmatch(map_term f t, List.map (fun (p, t) -> p, map_term f t) ptl)
  in
  f (new term_with ~node:tnode t)


(*****************************************************************************)
(* General iterators on assertions.                                          *)
(*****************************************************************************)

let rec iter_term_and_assertion ft fa a =
  let iter_tag tag = 
    match tag#node with
      | JCTtag _ | JCTbottom -> ()
      | JCTtypeof(t,_st) -> (* ITerm.iter *) iter_term ft t
  in
  fa a;
  match a#node with
    | JCAtrue | JCAfalse -> ()
    | JCAeqtype(tag1,tag2,_st) | JCAsubtype(tag1,tag2,_st) ->
	iter_tag tag1; 
	iter_tag tag2
    | JCArelation(t1,_,t2) -> 
	(* ITerm.iter *) iter_term ft t1;
	(* ITerm.iter *) iter_term ft t2
    | JCAapp app ->
	List.iter (iter_term ft) app.jc_app_args
    | JCAfresh t1
    | JCAinstanceof(t1,_,_) | JCAbool_term t1 | JCAmutable(t1,_,_) ->
	iter_term ft t1
    | JCAand al | JCAor al ->
	List.iter (iter_term_and_assertion ft fa) al
    | JCAimplies(a1,a2) | JCAiff(a1,a2) ->
	iter_term_and_assertion ft fa a1;
	iter_term_and_assertion ft fa a2
    | JCAif(t1,a1,a2) ->
	iter_term ft t1;
	iter_term_and_assertion ft fa a1;
	iter_term_and_assertion ft fa a2
    | JCAnot a1 | JCAold a1 | JCAat(a1,_) ->
	iter_term_and_assertion ft fa a1
    | JCAquantifier(_,_,trigs, a1) ->
        List.iter (List.iter (function 
                                | JCAPatT t -> iter_term ft t
                                | JCAPatP a -> iter_term_and_assertion ft fa a))
          trigs;
        iter_term_and_assertion ft fa a1
    | JCAlet(_vi,t,p) ->
	iter_term ft t;
	iter_term_and_assertion ft fa p
    | JCAmatch(t, pal) ->
	iter_term ft t;
	List.iter (fun (_, a) -> iter_term_and_assertion ft fa a) pal

(*
let iter_term_and_assertion_in_loop_annot ft fa la =
  List.iter (fun (_behav,inv) ->
	       iter_term_and_assertion ft fa inv) la.jc_loop_invariant;
  iter_term_and_assertion ft fa la.jc_free_loop_invariant;
  Option_misc.iter (ITerm.iter ft) la.jc_loop_variant

let iter_term_and_assertion_in_behavior ft fa bv =
  Option_misc.iter (iter_term_and_assertion ft fa) bv.jc_behavior_assumes;
  (* TODO: assigns *)
  iter_term_and_assertion ft fa bv.jc_behavior_ensures;
  iter_term_and_assertion ft fa bv.jc_behavior_free_ensures

let iter_term_and_assertion_in_fun_spec ft fa spec =
  iter_term_and_assertion ft fa spec.jc_fun_requires;
  List.iter (fun (_,_,bv) -> iter_term_and_assertion_in_behavior ft fa bv)
    (spec.jc_fun_default_behavior :: spec.jc_fun_behavior)

let rec fold_assertion f acc a =
  let acc = f acc a in
  match a#node with
    | JCAtrue | JCAfalse | JCArelation _ | JCAapp _ | JCAeqtype _ 
    | JCAinstanceof _ | JCAbool_term _ | JCAmutable _ | JCAsubtype _ -> 
	acc
    | JCAand al | JCAor al ->
	List.fold_left (fold_assertion f) acc al
    | JCAimplies(a1,a2) | JCAiff(a1,a2) | JCAif(_,a1,a2) ->
	let acc = fold_assertion f acc a1 in
	fold_assertion f acc a2
    | JCAnot a1 | JCAquantifier(_,_,a1) | JCAold a1 | JCAat(a1,_) ->
	fold_assertion f acc a1
    | JCAmatch(_, pal) ->
	List.fold_left (fun acc (_, a) -> fold_assertion f acc a) acc pal
	  
(* let fold_term_in_tag f acc tag =  *)
(*   match tag#node with *)
(*     | JCTtag _ | JCTbottom -> acc *)
(*     | JCTtypeof(t,_st) -> fold_term f acc t *)

*)

let fold_sub_term_in_tag it f acc tag = 
  match tag#node with
    | JCTtag _ | JCTbottom -> acc
    | JCTtypeof(t,_st) -> it f acc t

let fold_term_in_tag f acc tag =
  fold_sub_term_in_tag fold_term f acc tag

(*

let fold_rec_term_in_tag f acc tag =
  fold_sub_term_in_tag fold_rec_term f acc tag

*)
let rec fold_term_in_assertion f acc a =
  match a#node with
    | JCAtrue | JCAfalse -> acc
    | JCAeqtype(tag1,tag2,_st) | JCAsubtype(tag1,tag2,_st) ->
	let acc = fold_term_in_tag f acc tag1 in
	fold_term_in_tag f acc tag2
    | JCArelation(t1,_,t2) -> 
	let acc = fold_term f acc t1 in
	fold_term f acc t2
    | JCAapp app ->
	List.fold_left (fold_term f) acc app.jc_app_args
    | JCAfresh t1
    | JCAinstanceof(t1,_,_) | JCAbool_term t1 | JCAmutable(t1,_,_) ->
	fold_term f acc t1
    | JCAand al | JCAor al ->
	List.fold_left (fold_term_in_assertion f) acc al
    | JCAimplies(a1,a2) | JCAiff(a1,a2) ->
	let acc = fold_term_in_assertion f acc a1 in
	fold_term_in_assertion f acc a2
    | JCAif(t1,a1,a2) ->
	let acc = fold_term f acc t1 in
	let acc = fold_term_in_assertion f acc a1 in
	fold_term_in_assertion f acc a2
    | JCAnot a1 | JCAquantifier(_,_,_,a1) | JCAold a1 | JCAat(a1,_) ->
	fold_term_in_assertion f acc a1
    | JCAlet(_vi,t, p) ->
	let acc = fold_term f acc t in
	fold_term_in_assertion f acc p
    | JCAmatch(t, pal) ->
	let acc = fold_term f acc t in
	List.fold_left (fun acc (_, a) -> fold_term_in_assertion f acc a)
	  acc pal

(* let rec fold_term_and_assertion ft fa acc a = *)
(*   let acc = match a#node with *)
(*     | JCAtrue | JCAfalse -> acc *)
(*     | JCAeqtype(tag1,tag2,_st) | JCAsubtype(tag1,tag2,_st) -> *)
(* 	let acc = fold_term_in_tag ft acc tag1 in *)
(* 	fold_term_in_tag ft acc tag2 *)
(*     | JCArelation(t1,_,t2) ->  *)
(* 	let acc = fold_term ft acc t1 in *)
(* 	fold_term ft acc t2 *)
(*     | JCAapp app -> *)
(* 	List.fold_left (fold_term ft) acc app.jc_app_args *)
(*     | JCAinstanceof(t1,_,_) | JCAbool_term t1 | JCAmutable(t1,_,_) -> *)
(* 	fold_term ft acc t1 *)
(*     | JCAand al | JCAor al -> *)
(* 	List.fold_left (fold_term_and_assertion ft fa) acc al *)
(*     | JCAimplies(a1,a2) | JCAiff(a1,a2) -> *)
(* 	let acc = fold_term_and_assertion ft fa acc a1 in *)
(* 	fold_term_and_assertion ft fa acc a2 *)
(*     | JCAif(t1,a1,a2) -> *)
(* 	let acc = fold_term ft acc t1 in *)
(* 	let acc = fold_term_and_assertion ft fa acc a1 in *)
(* 	fold_term_and_assertion ft fa acc a2 *)
(*     | JCAnot a1 | JCAquantifier(_,_,a1) | JCAold a1 | JCAat(a1,_) -> *)
(* 	fold_term_and_assertion ft fa acc a1 *)
(*     | JCAmatch(t, pal) -> *)
(* 	let acc = fold_term ft acc t in *)
(* 	List.fold_left (fun acc (_, a) -> fold_term_and_assertion ft fa acc a) *)
(* 	  acc pal *)
(*   in *)
(*   fa acc a *)


let rec fold_sub_term_and_assertion itt ita ft fa acc a =
  match a#node with
    | JCAtrue | JCAfalse -> acc
    | JCAeqtype(tag1,tag2,_st) | JCAsubtype(tag1,tag2,_st) ->
	let acc = fold_sub_term_in_tag itt ft acc tag1 in
	fold_sub_term_in_tag itt ft acc tag2
    | JCArelation(t1,_,t2) -> 
	let acc = itt ft acc t1 in
	itt ft acc t2
    | JCAapp app ->
	List.fold_left (itt ft) acc app.jc_app_args
    | JCAfresh t1
    | JCAinstanceof(t1,_,_) | JCAbool_term t1 | JCAmutable(t1,_,_) ->
	itt ft acc t1
    | JCAand al | JCAor al ->
	List.fold_left (ita ft fa) acc al
    | JCAimplies(a1,a2) | JCAiff(a1,a2) ->
	let acc = ita ft fa acc a1 in
	ita ft fa acc a2
    | JCAif(t1,a1,a2) ->
	let acc = itt ft acc t1 in
	let acc = ita ft fa acc a1 in
	ita ft fa acc a2
    | JCAnot a1 | JCAold a1 | JCAat(a1,_) ->
	ita ft fa acc a1
    | JCAquantifier(_,_,trigs,a1) ->
        let pat acc = function
          | JCAPatT t -> itt ft acc t
          | JCAPatP a -> ita ft fa acc a in
        let acc = List.fold_left (List.fold_left pat) acc trigs in
        ita ft fa acc a1
    | JCAlet(_vi,t, p) ->
	let acc = itt ft acc t in
	ita ft fa acc p
    | JCAmatch(t, pal) ->
	let acc = itt ft acc t in
	List.fold_left (fun acc (_, a) -> ita ft fa acc a)
	  acc pal

let rec fold_term_and_assertion ft fa acc a =
  let acc = fa acc a in
  fold_sub_term_and_assertion fold_term fold_term_and_assertion ft fa acc a

let rec fold_rec_term_and_assertion ft fa acc a =
  let cont,acc = fa acc a in
  if cont then 
    fold_sub_term_and_assertion 
      fold_rec_term fold_rec_term_and_assertion ft fa acc a 
  else acc

(*
let iter_term_and_assertion ft fa a = 
  fold_term_and_assertion (fold_unit ft) (fold_unit fa) () a
*)

let fold_sub_location_set itt itls ft fls acc locs =
  let itt = itt ft and itls = itls ft fls in
  match locs#node with
    | JCLSvar _vi ->
	acc
    | JCLSderef(locs,_lab,_fi,_r) ->
	itls acc locs
    | JCLSrange(locs,t1_opt,t2_opt) ->
	let acc = itls acc locs in
	let acc = Option_misc.fold_left itt acc t1_opt in
	Option_misc.fold_left itt acc t2_opt 
   | JCLSrange_term(t0,t1_opt,t2_opt) ->
	let acc = itt acc t0 in
	let acc = Option_misc.fold_left itt acc t1_opt in
	Option_misc.fold_left itt acc t2_opt 
   | JCLSat(ls,_lab) -> itls acc ls

let rec fold_location_set ft fls acc locs =
  let acc = fls acc locs in
  fold_sub_location_set fold_term fold_location_set ft fls acc locs
  
let rec fold_rec_location_set ft fls acc locs =
  let cont,acc = fls acc locs in
  if cont then 
    fold_sub_location_set fold_rec_term fold_rec_location_set ft fls acc locs 
  else acc

(*  
let iter_location_set ft fls loc =
  fold_location_set (fold_unit ft) (fold_unit fls) () loc
*)

let fold_sub_location itt itl itls ft fl fls acc loc =
  let itt = itt ft and itl = itl ft fl fls and itls = itls ft fls in
  match loc#node with
    | JCLvar _vi ->
	acc
    | JCLderef(locs,_lab,_fi,_r) ->
	itls acc locs
    | JCLderef_term(locs,_fi) ->
	itt acc locs
    | JCLat(loc,_lab) ->
	itl acc loc

let rec fold_location ft fl fls acc loc =
  let acc = fl acc loc in
  fold_sub_location fold_term fold_location fold_location_set ft fl fls acc loc

let rec fold_rec_location ft fl fls acc loc =
  let cont,acc = fl acc loc in
  if cont then 
    fold_sub_location fold_rec_term fold_rec_location fold_rec_location_set
      ft fl fls acc loc 
  else acc

let iter_location ft fl fls loc =
  fold_location (fold_unit ft) (fold_unit fl) (fold_unit fls) () loc

let fold_sub_behavior _itt ita itl _itls ft fa fl fls acc b =
  let ita = ita ft fa and itl = itl ft fl fls in
  let acc = Option_misc.fold_left ita acc b.jc_behavior_assumes in
  let acc =
    Option_misc.fold_left
      (fun acc (_,locs) -> List.fold_left itl acc locs)
      acc b.jc_behavior_assigns
  in
  let acc = ita acc b.jc_behavior_ensures in
  ita acc b.jc_behavior_free_ensures

let rec fold_behavior ft fa fl fls acc e =
  fold_sub_behavior 
    fold_term fold_term_and_assertion fold_location fold_location_set
    ft fa fl fls acc e

(*
let rec fold_rec_behavior ft fa fl fls acc e =
  fold_sub_behavior
    fold_rec_term fold_rec_term_and_assertion fold_rec_location
    fold_rec_location_set
    ft fa fl fls acc e 
*)

(*
let iter_behavior ft fa fl fls b =
  fold_behavior (fold_unit ft) (fold_unit fa) (fold_unit fl) (fold_unit fls) 
    () b
*)

let fold_sub_funspec itb _itt ita _itl _itls ft fa fl fls acc spec =
  let ita = ita ft fa and itb = itb ft fa fl fls in
  let acc = ita acc spec.jc_fun_requires in
  let acc = ita acc spec.jc_fun_free_requires in
  List.fold_left
    (fun acc (_pos,_id,behav) -> itb acc behav)
    acc (spec.jc_fun_default_behavior :: spec.jc_fun_behavior)

let fold_funspec ft fa fl fls acc spec =
  fold_sub_funspec 
    fold_behavior fold_term fold_term_and_assertion fold_location 
    fold_location_set ft fa fl fls acc spec

(*
let rec fold_rec_funspec ft fa fl fls acc spec =
  fold_sub_funspec
    fold_rec_behavior fold_rec_term fold_rec_term_and_assertion 
    fold_rec_location fold_rec_location_set ft fa fl fls acc spec

*)
let iter_funspec ft fa fl fls spec =
  fold_funspec (fold_unit ft) (fold_unit fa) (fold_unit fl) (fold_unit fls) 
    () spec

(*

let rec map_assertion f a =
  let anode = match a#node with
    | JCAtrue | JCAfalse | JCArelation _ | JCAapp _ | JCAeqtype _ 
    | JCAinstanceof _ | JCAbool_term _ | JCAmutable _ 
    | JCAsubtype _ as anode -> 
	anode
    | JCAand al ->
	JCAand(List.map (map_assertion f) al)
    | JCAor al ->
	JCAor(List.map (map_assertion f) al)
    | JCAimplies(a1,a2) ->
	JCAimplies(map_assertion f a1,map_assertion f a2)
    | JCAiff(a1,a2) ->
	JCAiff(map_assertion f a1,map_assertion f a2)
    | JCAif(t,a1,a2) ->
	JCAif(t,map_assertion f a1,map_assertion f a2)
    | JCAnot a1 ->
	JCAnot(map_assertion f a1)
    | JCAquantifier(q,vi,a1) ->
	JCAquantifier(q,vi,map_assertion f a1)
    | JCAold a1 ->
	JCAold(map_assertion f a1)
    | JCAat(a1,lab) ->
	JCAat(map_assertion f a1,lab)
    | JCAmatch(t, pal) ->
	JCAmatch(t, List.map (fun (p, a) -> p, map_assertion f a) pal)
  in
  f (new assertion_with ~node:anode a)

*)

let map_term_in_tag f tag = 
  let tag_node = match tag#node with
    | JCTtag _ | JCTbottom as tag_node -> tag_node
    | JCTtypeof(t,st) -> 
	JCTtypeof(map_term f t,st)
  in
  new tag_with ~node:tag_node tag


let rec map_term_in_assertion f a =
  let anode = match a#node with
    | JCAtrue | JCAfalse as anode -> anode
    | JCAeqtype(tag1,tag2,st) ->
	JCAeqtype(map_term_in_tag f tag1,map_term_in_tag f tag2,st)
    | JCAsubtype(tag1,tag2,st) ->
	JCAsubtype(map_term_in_tag f tag1,map_term_in_tag f tag2,st)
    | JCArelation(t1,op,t2) -> 
	JCArelation(map_term f t1,op,map_term f t2)
    | JCAapp app ->
	JCAapp { app with jc_app_args = List.map (map_term f) app.jc_app_args }
    | JCAinstanceof(t1,lab,st) ->
	JCAinstanceof(map_term f t1,lab,st)
    | JCAbool_term t1 ->
	JCAbool_term(map_term f t1)
    | JCAfresh t1 ->
	JCAfresh(map_term f t1)
    | JCAmutable(t1,st,tag) ->
	JCAmutable(map_term f t1,st,tag)
    | JCAand al ->
	JCAand(List.map (map_term_in_assertion f) al)
    | JCAor al ->
	JCAor(List.map (map_term_in_assertion f) al)
    | JCAimplies(a1,a2) ->
	JCAimplies
	  (map_term_in_assertion f a1,map_term_in_assertion f a2)
    | JCAiff(a1,a2) ->
	JCAiff
	  (map_term_in_assertion f a1,map_term_in_assertion f a2)
    | JCAif(t1,a1,a2) ->
	JCAif(
	  map_term f t1,
	  map_term_in_assertion f a1,
	  map_term_in_assertion f a2)
    | JCAnot a1 ->
	JCAnot(map_term_in_assertion f a1)
    | JCAquantifier(q,vi,trigs,a1) ->
        let pat = function
          | JCAPatT t -> JCAPatT (map_term f t)
          | a -> a in
        let trigs = List.map (List.map pat) trigs in
	JCAquantifier(q,vi,trigs,map_term_in_assertion f a1)
    | JCAold a1 ->
	JCAold(map_term_in_assertion f a1)
    | JCAat(a1,lab) ->
	JCAat(map_term_in_assertion f a1,lab)
    | JCAlet(vi, t, p) ->
	JCAlet(vi,map_term f t,map_term_in_assertion f p)
    | JCAmatch(t, pal) ->
	JCAmatch(map_term f t,
		 List.map (fun (p, a) -> p, map_term_in_assertion f a) pal)
  in
  new assertion_with ~node:anode a

(*
let rec map_term_and_assertion fa ft a =
  let anode = match a#node with
    | JCAtrue | JCAfalse as anode -> anode
    | JCAeqtype(tag1,tag2,st) ->
	JCAeqtype(map_term_in_tag ft tag1,map_term_in_tag ft tag2,st)
    | JCAsubtype(tag1,tag2,st) ->
	JCAsubtype(map_term_in_tag ft tag1,map_term_in_tag ft tag2,st)
    | JCArelation(t1,op,t2) -> 
	JCArelation(map_term ft t1,op,map_term ft t2)
    | JCAapp app ->
	JCAapp { app with jc_app_args = List.map (map_term ft) app.jc_app_args }
    | JCAinstanceof(t1,lab,st) ->
	JCAinstanceof(map_term ft t1,lab,st)
    | JCAbool_term t1 ->
	JCAbool_term(map_term ft t1)
    | JCAmutable(t1,st,tag) ->
	JCAmutable(map_term ft t1,st,tag)
    | JCAand al ->
	JCAand(List.map (map_term_and_assertion fa ft) al)
    | JCAor al ->
	JCAor(List.map (map_term_and_assertion fa ft) al)
    | JCAimplies(a1,a2) ->
	JCAimplies
	  (map_term_and_assertion fa ft a1,map_term_and_assertion fa ft a2)
    | JCAiff(a1,a2) ->
	JCAiff
	  (map_term_and_assertion fa ft a1,map_term_and_assertion fa ft a2)
    | JCAif(t1,a1,a2) ->
	JCAif(
	  map_term ft t1,
	  map_term_and_assertion fa ft a1,
	  map_term_and_assertion fa ft a2)
    | JCAnot a1 ->
	JCAnot(map_term_and_assertion fa ft a1)
    | JCAquantifier(q,vi,a1) ->
	JCAquantifier(q,vi,map_term_and_assertion fa ft a1)
    | JCAold a1 ->
	JCAold(map_term_and_assertion fa ft a1)
    | JCAat(a1,lab) ->
	JCAat(map_term_and_assertion fa ft a1,lab)
    | JCAmatch(t, pal) ->
	JCAmatch(map_term ft t,
		 List.map (fun (p, a) -> p, map_term_and_assertion fa ft a) pal)
  in
  fa (new assertion_with ~node:anode a)

*)

(*****************************************************************************)
(* General iterators on patterns.                                            *)
(*****************************************************************************)


let rec iter_pattern f p =
  f p;
  match p#node with
    | JCPstruct(_, fipl) ->
	List.iter (iter_pattern f) (List.map snd fipl)
    | JCPor(p1, p2) ->
	iter_pattern f p1;
	iter_pattern f p2
    | JCPas(p, _) ->
	iter_pattern f p
    | JCPvar _
    | JCPany
    | JCPconst _ -> ()

(*
let rec fold_pattern f acc p =
  let acc = f acc p in
  match p#node with
    | JCPstruct(_, fipl) ->
	List.fold_left (fold_pattern f) acc (List.rev (List.map snd fipl))
    | JCPor(p1, p2) ->
	let acc = fold_pattern f acc p1 in
	fold_pattern f acc p2
    | JCPas(p, _) ->
	fold_pattern f acc p
    | JCPvar _
    | JCPany
    | JCPconst _ -> ()
*)

(*****************************************************************************)
(* General iterators on expressions.                                         *)
(*****************************************************************************)

let replace_sub_expr e el =
  let as1 = function [e1] -> e1 | _ -> assert false in
  let as2 = function [e1;e2] -> e1,e2 | _ -> assert false in
  let as3 = function [e1;e2;e3] -> e1,e2,e3 | _ -> assert false in
  let pop = function e1::r -> e1,r | _ -> assert false in
  let popopt el = function 
    | None -> None,el 
    | Some _ -> let e1,r = pop el in Some e1,r
  in
(* dead code
  let rec popn n el = 
    if n > 0 then 
      let e,r = pop el in
      let el1,el2 = popn (n-1) r in
      e :: el1, el2
    else [],el
  in
*)
  let enode = match e#node with
    | JCEconst _ | JCEvar _ | JCEassert _ | JCEreturn_void as enode -> enode
    | JCEcontract(req,dec,vi_result,behs,_e) ->
	let e1 = as1 el in JCEcontract(req,dec,vi_result,behs,e1)
    | JCEbinary(_e1,bop,_e2) ->
	let e1,e2 = as2 el in JCEbinary(e1,bop,e2) 
    | JCEshift(_e1,_e2) ->
	let e1,e2 = as2 el in JCEshift(e1,e2) 
    | JCEunary(uop,_e1) ->
	let e1 = as1 el in JCEunary(uop,e1)
    | JCEassign_var(vi,_e2) ->
	let e2 = as1 el in JCEassign_var(vi,e2)
    | JCEassign_heap(_e1,fi,_e2) ->
	let e1,e2 = as2 el in JCEassign_heap(e1,fi,e2)
    | JCEderef(_e1,fi) ->
	let e1 = as1 el in JCEderef(e1,fi)
    | JCEapp call ->
	JCEapp { call with jc_call_args = el }
    | JCEoffset(off,_e,st) ->
	let e1 = as1 el in JCEoffset(off,e1,st)
    | JCEfresh(_e) ->
	let e1 = as1 el in JCEfresh(e1)
    | JCEaddress(absolute,_e) ->
	let e1 = as1 el in JCEaddress(absolute,e1)
    | JCEbase_block(_e) ->
	let e1 = as1 el in JCEbase_block(e1)
    | JCEinstanceof(_e,st) ->
	let e1 = as1 el in JCEinstanceof(e1,st)
    | JCEcast(_e,st) ->
	let e1 = as1 el in JCEcast(e1,st)
    | JCEbitwise_cast(_e,st) ->
	let e1 = as1 el in JCEbitwise_cast(e1,st)
    | JCEreal_cast(_e,st) ->
	let e1 = as1 el in JCEreal_cast(e1,st)
    | JCErange_cast(_e,st) ->
	let e1 = as1 el in JCErange_cast(e1,st)
    | JCEif(_e1,_e2,_e3) ->
	let e1,e2,e3 = as3 el in JCEif(e1,e2,e3)
    | JCEmatch(_e1,ptl) ->
	let e1,el = pop el in
	let ptl = List.map2 (fun (p,_e) e -> p,e) ptl el in
	JCEmatch(e1,ptl)
    | JCElet(vi,eopt,_e) ->
	let eopt,el = popopt el eopt in
	let e1 = as1 el in JCElet(vi,eopt,e1)
    | JCEalloc(_e,name) ->
	let e1 = as1 el in JCEalloc(e1,name)
    | JCEfree _e ->
	let e1 = as1 el in JCEfree e1
    | JCEblock elist ->
	assert (List.length elist = List.length el);
	JCEblock el
    | JCEloop(annot,_body) ->
	let body = as1 el in 
	JCEloop(annot,body)
    | JCEreturn(ty,_e) ->
	let e1 = as1 el in JCEreturn(ty,e1)
    | JCEtry(_body,catches,_finally) ->
	let body,el = pop el in
	let catches,el = 
	  List.fold_left (fun (acc,el) (id,name,_e) -> 
			    let e1,el = pop el in (id,name,e1)::acc,el
			 ) ([],el) catches
	in
	let catches = List.rev catches in
	let finally = as1 el in
	JCEtry(body,catches,finally)
    | JCEthrow(id,eopt) ->
	let eopt,_el = popopt el eopt in
        JCEthrow(id,eopt)
    | JCEpack(st1,_e,st2) ->
	let e1 = as1 el in JCEpack(st1,e1,st2)
    | JCEunpack(st1,_e,st2) ->
	let e1 = as1 el in JCEunpack(st1,e1,st2)
  in
  new expr_with ~node:enode e

module ExprAst = struct
  type t = Jc_constructors.expr
  let subs e =
    match e#node with
      | JCEconst _
      | JCEvar _
      | JCEassert _
      | JCEreturn_void 
      | JCEthrow(_, None) ->
          []
      | JCEderef(e, _)
      | JCEunary(_, e)
      | JCEassign_var(_, e)
      | JCEinstanceof(e, _)
      | JCEcast(e, _)
      | JCEbitwise_cast(e, _)
      | JCErange_cast(e, _)
      | JCEreal_cast(e, _)
      | JCEoffset(_, e, _)
      | JCEaddress(_,e)
      | JCEfresh(e)
      | JCEbase_block(e)
      | JCEalloc(e, _)
      | JCEfree e
      | JCElet(_, None, e)
      | JCEloop(_, e)
      | JCEreturn(_, e)
      | JCEthrow(_, Some e)
      | JCEpack(_, e, _)
      | JCEunpack(_, e, _) 
      | JCEcontract(_,_,_,_,e) -> [e]
      | JCEbinary(e1, _, e2)
      | JCEassign_heap(e1, _, e2)
      | JCElet(_, Some e1, e2)
      | JCEshift(e1, e2) ->
          [e1; e2]
      | JCEif(e1, e2, e3) ->
          [e1; e2; e3]
      | JCEblock el ->
          el
      | JCEapp call ->
	  call.jc_call_args
      | JCEtry(e1, l, e2) ->
          e1 :: List.map (fun (_, _, e) -> e) l @ [ e2 ]
      | JCEmatch(e, pel) ->
          e :: List.map snd pel
end

module IExpr = Iterators(ExprAst)

let rec map_expr ?(before = fun x -> x) ?(after = fun x -> x) e =
  let e = before e in
  let elist = List.map (map_expr ~before ~after) (ExprAst.subs e) in
  after (replace_sub_expr e elist)

let fold_sub_expr_and_term_and_assertion 
    itt ita itl itls ite ft fa fl fls fe acc e =
  let fold_sub_behavior = fold_sub_behavior itt ita itl itls ft fa fl fls in
  let ite = ite ft fa fl fls fe and ita = ita ft fa and itt = itt ft in
  match e#node with
    | JCEconst _ 
    | JCEvar _ 
    | JCEreturn_void ->
       acc
    | JCEthrow(_exc,e1_opt) ->
	Option_misc.fold_left ite acc e1_opt
    | JCEbinary(e1,_,e2) 
    | JCEshift(e1,e2)
    | JCEassign_heap(e1,_,e2) ->
	let acc = ite acc e1 in
	ite acc e2
    | JCEunary(_,e1)
    | JCEderef(e1,_)
    | JCEoffset(_,e1,_)
    | JCEaddress(_,e1)
    | JCEbase_block(e1)
    | JCEfresh(e1)
    | JCEcast(e1,_)
    | JCEbitwise_cast(e1,_) 
    | JCErange_cast(e1,_) 
    | JCEinstanceof(e1,_) 
    | JCEreal_cast(e1,_)
    | JCEunpack(_,e1,_)
    | JCEpack(_,e1,_)
    | JCEassign_var(_,e1) 
    | JCEalloc(e1,_) 
    | JCEfree e1 
    | JCEreturn(_,e1) ->
	ite acc e1
    | JCElet(_,e1_opt,e2) ->
	let acc = Option_misc.fold_left ite acc e1_opt in
	ite acc e2
    | JCEapp call ->
	List.fold_left ite acc call.jc_call_args
    | JCEif(e1,e2,e3) ->
	let acc = ite acc e1 in
	let acc = ite acc e2 in
	ite acc e3
    | JCEmatch(e, ptl) ->
	let acc = ite acc e in
	List.fold_left (fun acc (_, e) -> ite acc e) acc ptl
    | JCEblock el ->
	List.fold_left ite acc el
    | JCEtry(e1,catches,finally) ->
	let acc = ite acc e1 in
	let acc = 
	  List.fold_left (fun acc (_exc,_vi_opt,e) -> ite acc e) acc catches
	in
	ite acc finally
    | JCEassert(_behav,_asrt,a) ->
	ita acc a
    | JCEloop(la,e1) ->
	let acc = ite acc e1 in
	let acc = 
	  List.fold_left 
	    (fun acc (_id,inv,_assigns) -> 
	       let acc = Option_misc.fold_left ita acc inv in
	       acc (* TODO: fold on assigns *)
	    ) acc la.jc_loop_behaviors
	in
	let acc = ita acc la.jc_free_loop_invariant in
	Option_misc.fold_left (fun acc (t,_) -> itt acc t) acc la.jc_loop_variant
    | JCEcontract(a_opt,t_opt,_v,behavs,e) ->
	let acc = Option_misc.fold_left ita acc a_opt in
	let acc = Option_misc.fold_left (fun acc (t,_) -> itt acc t) acc t_opt in
	let acc = 
	  List.fold_left 
	    (fun acc (_loc,_name,behav) ->
	       fold_sub_behavior acc behav
	    ) acc behavs
	in
	ite acc e


let rec fold_expr_and_term_and_assertion ft fa fl fls fe acc e =
  let acc = fe acc e in
  fold_sub_expr_and_term_and_assertion 
    fold_term fold_term_and_assertion fold_location fold_location_set
    fold_expr_and_term_and_assertion 
    ft fa fl fls fe acc e


let rec fold_rec_expr_and_term_and_assertion ft fa fl fls fe acc e =
  let cont,acc = fe acc e in
  if cont then 
    fold_sub_expr_and_term_and_assertion
      fold_rec_term fold_rec_term_and_assertion fold_rec_location
      fold_rec_location_set fold_rec_expr_and_term_and_assertion 
      ft fa fl fls fe acc e 
  else acc

let iter_expr_and_term_and_assertion ft fa fl fls fe e =
  fold_expr_and_term_and_assertion (fold_unit ft) (fold_unit fa) 
    (fold_unit fl) (fold_unit fls) (fold_unit fe) () e


module NExprAst = struct
  type t = nexpr
  let subtags tag = 
    match tag#node with
      | JCPTtag _ | JCPTbottom -> []
      | JCPTtypeof e -> [e]
  let subs e =
    match e#node with
      | JCNEconst _
      | JCNEvar _
      | JCNEreturn None
      | JCNEthrow(_, None)
      | JCNErange(None, None) ->
          []
      | JCNEeqtype(tag1,tag2) | JCNEsubtype(tag1,tag2) ->
	  subtags tag1 @ subtags tag2
      | JCNElabel(_, e)
      | JCNEderef(e, _)
      | JCNEunary(_, e)
      | JCNEinstanceof(e, _)
      | JCNEcast(e, _)
      | JCNEoffset(_, e)
      | JCNEaddress(_,e)
      | JCNEfresh(e)
      | JCNEbase_block(e)
      | JCNEalloc(e, _)
      | JCNEfree e
      | JCNElet(_, _, None, e)
      | JCNEassert(_,_,e)
      | JCNEreturn(Some e)
      | JCNEthrow(_, Some e)
      | JCNEpack(e, _)
      | JCNEunpack(e, _)
      | JCNEold e
      | JCNEat(e, _)
      | JCNEmutable(e, _)
      | JCNErange(Some e, None)
      | JCNErange(None, Some e) ->
          [e]
      | JCNEbinary(e1, _, e2)
      | JCNEassign(e1, e2)
      | JCNElet(_, _, Some e1, e2)
      | JCNErange(Some e1, Some e2) ->
          [e1; e2]
      | JCNEcontract(_,_,_,e) -> 
	  [e]
      | JCNEif(e1, e2, e3) ->
          [e1; e2; e3]
      | JCNEloop(behs, variant, e2) ->
	  List.fold_right
	    (fun (_,inv,ass) acc ->
	       let acc = 
		 Option_misc.fold (fun x l -> x::l) inv acc
	       in
		 Option_misc.fold 
		   (fun (_,locs) l -> locs@l) 
		   ass acc)
	    behs
	    (Option_misc.fold (fun (x,_) l -> x::l) variant [e2])
      | JCNEapp(_, _, el)
      | JCNEblock el ->
          el
      | JCNEquantifier(_, _, _, el, e) -> e::(List.concat el)
      | JCNEmatch(e, pel) ->
          e :: List.map snd pel
      | JCNEtry(e1, l, e2) ->
          e1 :: List.map (fun (_, _, e) -> e) l @ [e2]
end

module INExpr = Iterators(NExprAst)

(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_type_var.ml��������������������������������������������������������������������������0000644�0001750�0001750�00000017344�12311670312�014061� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Jc_env
open Jc_envset
open Jc_pervasives

type t = type_var_info

let type_var_from_string = let c = ref 0 in fun ?(univ=false) n -> incr c; 
  { jc_type_var_info_name = n;
    jc_type_var_info_tag = !c;
    jc_type_var_info_univ = univ}

let uid x = x.jc_type_var_info_tag

let name x = x.jc_type_var_info_name

let uname x =
  name x ^ string_of_int (uid x)

type typing_error = {f : 'a. Loc.position -> ('a, Format.formatter, unit, unit) format4 -> 'a}

type env = { typing_error : typing_error;
             mutable smap : t StringMap.t;
             mutable vmap : jc_type TypeVarMap.t}

let create x = {typing_error = x;
                smap = StringMap.empty;
                vmap = TypeVarMap.empty}

let reset env = env.smap <- StringMap.empty;env.vmap <- TypeVarMap.empty
  

(** Add substitution from string to type *)
let add_type_var env s = 
  if StringMap.mem s env.smap 
  then invalid_arg ("The same identifier appear twice as polymorphic variable in a function")
  else 
    (let n = (type_var_from_string ~univ:true s) in
    env.smap <- StringMap.add s n env.smap;
    n)

(*                    if subtype_strict te#typ ty then te
                     else
                       typing_error e#pos 
                         "type %a expected instead of %a" 
                         print_type ty print_type te#typ*)

let find_type_var env s = StringMap.find s env.smap

exception Not_subtype of jc_type * jc_type

let rec substruct st = function
  | (JCtag(st', _)) as pc ->
      if st == st' then true else
        let vi = struct_root st and vi' = struct_root st' in
        (vi == vi' && (root_is_union vi))
        || 
        begin match st.jc_struct_info_parent with
          | None -> false
          | Some(p, []) -> substruct p pc
          | Some(_p, _) -> assert false (* TODO *)
        end
  | JCroot vi ->
      struct_root st == vi

let rec dec_type ~subtype acc t1 t2 =
  let accorraise b = if b then acc else raise (Not_subtype (t1,t2)) in
  match t1,t2 with
    | JCTnative t1, JCTnative t2 ->
        accorraise (t1=t2 ||
         (* integer is subtype of real *)
            (subtype && match t1,t2 with 
               | Tinteger, Treal -> true
	       | _ -> false))
    | JCTenum ri1, JCTenum ri2 -> 
        accorraise (subtype && Num.ge_num ri1.jc_enum_info_min ri2.jc_enum_info_min &&
                      Num.le_num ri1.jc_enum_info_max ri2.jc_enum_info_max) 
    | JCTenum _, JCTnative (Tinteger | Treal) ->
        accorraise subtype
    | JCTnative Tinteger, JCTenum _ -> 
        accorraise false
    | JCTpointer(JCtag(s1, []), _, _), JCTpointer(pc, _, _) -> 
        accorraise (substruct s1 pc)
    | JCTpointer(JCroot v1, _, _), JCTpointer(JCroot v2, _, _) ->
         accorraise (v1 == v2)
    | JCTnull, (JCTnull | JCTpointer _) ->
        accorraise subtype
    | JCTlogic (s1,l1), JCTlogic (s2,l2) ->
        if s1=s2 then List.fold_left2 (dec_type ~subtype) acc l1 l2
        else raise (Not_subtype (t1,t2))
          (* No subtyping for this case, the equality is strict *)
    | JCTtype_var {jc_type_var_info_tag = t1}, 
        JCTtype_var {jc_type_var_info_tag = t2} when t1=t2-> acc
    | (JCTtype_var ({jc_type_var_info_univ = false} as tvar),t) 
    | (t,JCTtype_var ({jc_type_var_info_univ = false} as tvar)) -> (tvar,t)::acc
    | _ -> accorraise false

let rec subst_aux vmap a =
  match a with
    | JCTtype_var tvar -> 
        (try TypeVarMap.find tvar vmap
        with Not_found -> a)
    | JCTlogic (s,l) -> JCTlogic (s,List.map (subst_aux vmap) l)
    | a -> a

let subst env a = subst_aux env.vmap a

let rec occur_check tvar t =
  match t with
    | JCTlogic (_s,l) -> List.exists (occur_check tvar) l
    | JCTtype_var tvar2 -> TypeVarOrd.equal tvar tvar2
    | _ -> false

let rec add_subst env (tvar,t) = 
  assert (not tvar.jc_type_var_info_univ);
  let t = subst_aux env.vmap t in
  try
    let t2 = TypeVarMap.find tvar env.vmap in
    add_aux ~subtype:false env t2 t
  with Not_found ->     
    if occur_check tvar t then raise (Not_subtype (JCTtype_var tvar,t))
    else env.vmap <- TypeVarMap.add tvar t env.vmap
          
and add_aux ~subtype env t1 t2 =
  let acc = dec_type ~subtype [] t1 t2 in
  List.iter (add_subst env) acc

(*let subtype_strict = subtype ~allow_implicit_cast:false*)

(** Add an equality for unification *)
let add ?(subtype=true) env pos x y = 
  (*Format.printf "%a=%a@." print_type x print_type y;*)
  try
    add_aux ~subtype env x y
  with Not_subtype (t1,t2) -> 
    env.typing_error.f pos "%a and %a can't be unified" print_type t1 print_type t2

(** Get instances of a list of type variables, 
    return a substitution function *)
let instance l =
  let aux acc e =
    (* Only universally quantified variable can be instantiate *)
    assert e.jc_type_var_info_univ;
    let e_fresh = (type_var_from_string ~univ:false e.jc_type_var_info_name) in
    TypeVarMap.add e (JCTtype_var e_fresh) acc in
  let vmap = List.fold_left aux TypeVarMap.empty l in
  subst_aux vmap

open Pp
let print_smap fmt a = print_list comma (print_pair string print_type_var) fmt (StringMap.to_list a)

let print_vmap fmt a = print_list comma (print_pair print_type_var print_type) fmt (TypeVarMap.to_list a)

let print fmt uenv = Format.fprintf fmt "uenv : smap : %a@.vmap : %a@." print_smap uenv.smap print_vmap uenv.vmap

let subst_type_in_assertion uenv =
  Jc_iterators.map_term_in_assertion
    (fun t -> new Jc_constructors.term_with ~typ:(subst uenv t#typ) t)                                   
    
(*
Local Variables: 
compile-command: "unset LANG ; make -C .. byte"
End: 
*)
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_callgraph.ml�������������������������������������������������������������������������0000644�0001750�0001750�00000020052�12311670312�014153� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Jc_stdlib
open Jc_env
open Jc_ast
open Jc_fenv

open Jc_pervasives

let rec term acc t =
  Jc_iterators.fold_term 
    (fun acc t -> match t#node with
    | JCTapp app -> app.jc_app_fun::acc
    | _ -> acc
    ) acc t

let tag acc t = match t#node with
  | JCTtag _ | JCTbottom -> acc
  | JCTtypeof(t, _) -> term acc t

let rec assertion acc p =
  match p#node with
  | JCAtrue 
  | JCAfalse -> acc
  | JCArelation(t1,_op,t2) ->
      term (term acc t1) t2
  | JCAapp app -> app.jc_app_fun :: (List.fold_left term acc app.jc_app_args)
  | JCAand(pl) | JCAor(pl) -> List.fold_left assertion acc pl
  | JCAimplies (p1,p2) | JCAiff(p1,p2) -> 
      assertion (assertion acc p1) p2
  | JCAif(t1,p2,p3) -> 
      assertion (assertion (term acc t1) p2) p3
  | JCAnot p | JCAold p | JCAat(p,_) ->
      assertion acc p
  | JCAquantifier (_,_,trigs,p) -> triggers (assertion acc p) trigs
  | JCAinstanceof(t,_,_)
  | JCAfresh(t)
  | JCAmutable(t,_,_)
  | JCAbool_term t -> term acc t
  | JCAeqtype(t1, t2, _) | JCAsubtype(t1, t2, _) ->
      tag (tag acc t1) t2
  | JCAlet(_,t, p) ->
      assertion (term acc t) p
  | JCAmatch(t, pal) ->
      term (List.fold_left (fun acc (_, a) -> assertion acc a) acc pal) t

and triggers acc trigs =
  List.fold_left (List.fold_left 
    (fun acc pat -> match pat with
       | JCAPatT t -> term acc t
       | JCAPatP p -> assertion acc p)) acc trigs

(*
let spec s = 
  begin
  match s.requires with
    | None -> []
    | Some p -> 
	predicate p
  end @
  begin
  match s.assigns with
    | None -> []
    | Some l -> List.fold_left (fun acc t -> (term t) @acc)  [] l
  end @
  begin
    match s.ensures with
      | None -> []
      | Some p -> predicate p
  end @
  begin
    match s.decreases with
      | None -> []
      | Some (t,_) -> term t
  end
*)

let loop_annot acc la = 
  let acc = 
    List.fold_left 
      (fun acc (_id,inv,_assigns) -> 
	 (* TODO : traverse assigns clause *)
	 Option_misc.fold_left assertion acc inv)
      acc la.jc_loop_behaviors 
  in
  match la.jc_loop_variant with
  | None -> acc
  | Some (t,None) -> term acc t
  | Some (t,Some ri) -> term (ri::acc) t

let expr = 
  Jc_iterators.IExpr.fold_left 
    (fun acc e -> match e#node with  
       | JCEapp call ->
	   let f = call.jc_call_fun in
	   let (a,b)=acc in
	   begin match f with
	     | JCfun f -> (a,f::b)
	     | JClogic_fun f -> (f::a,b)
	   end
       | JCEloop(spec,_s) ->
	   let (a,b) = acc in (loop_annot a spec,b)
       | _ -> acc
    )

let axiomatic_calls_table = Hashtbl.create 17

let compute_axiomatic_decl_call acc d =
  match d with
    | Jc_typing.ABaxiom(_,_,_,a) -> assertion acc a

let compute_axiomatic_calls a =
  try
    Hashtbl.find axiomatic_calls_table a
  with Not_found ->
    try
      let l = StringHashtblIter.find Jc_typing.axiomatics_table a in
      let c = List.fold_left compute_axiomatic_decl_call [] l.Jc_typing.axiomatics_decls in
      Hashtbl.add axiomatic_calls_table a c;
      c
    with
	Not_found -> assert false

let compute_logic_calls f t = 
  let calls =
    match t with
      | JCNone -> []
      | JCTerm t -> term [] t 
      | JCAssertion a -> assertion [] a 
      | JCReads _r -> 
	  begin
	    match f.jc_logic_info_axiomatic with
	      | None -> []
	      | Some a -> compute_axiomatic_calls a 
	  end
      | JCInductive l -> 
	  List.fold_left (fun acc (_,_,a) -> assertion acc a) [] l
  in
  f.jc_logic_info_calls <- calls

let compute_calls f _s b = 
  let (_a,b) = expr ([],[]) b in
  f.jc_fun_info_calls <- b
      
module LogicCallGraph = struct 
  type t = (Jc_fenv.logic_info * Jc_fenv.term_or_assertion) IntHashtblIter.t 
  module V = struct
    type t = logic_info
    let compare f1 f2 = Pervasives.compare f1.jc_logic_info_tag f2.jc_logic_info_tag
    let hash f = f.jc_logic_info_tag
    let equal f1 f2 = f1 == f2
  end
  let iter_vertex iter =
    IntHashtblIter.iter (fun _ (f,_a) -> iter f) 
  let iter_succ iter _ f =
    List.iter iter f.jc_logic_info_calls 
  end

module LogicCallComponents = Graph.Components.Make(LogicCallGraph)

module CallGraph = struct 
  type t = (fun_info * Loc.position * fun_spec * expr option) IntHashtblIter.t
  module V = struct
    type t = fun_info
    let compare f1 f2 = Pervasives.compare f1.jc_fun_info_tag f2.jc_fun_info_tag
    let hash f = f.jc_fun_info_tag
    let equal f1 f2 = f1 == f2
  end
  let iter_vertex iter =
    IntHashtblIter.iter (fun _ (f,_loc,_spec,_b) -> iter f) 
  let iter_succ iter _ f =
    List.iter iter f.jc_fun_info_calls 
  end

module CallComponents = Graph.Components.Make(CallGraph)

open Format
open Pp

let compute_logic_components ltable =
  let tab_comp = LogicCallComponents.scc_array ltable in
  Jc_options.lprintf "***********************************\n";
  Jc_options.lprintf "Logic call graph: has %d components\n" 
    (Array.length tab_comp);
  Jc_options.lprintf "***********************************\n";
  Array.iteri 
    (fun i l -> 
       Jc_options.lprintf "Component %d:\n%a@." i
	 (print_list newline 
	    (fun fmt f -> fprintf fmt " %s calls: %a\n" f.jc_logic_info_name
		 (print_list comma 
		    (fun fmt f -> fprintf fmt "%s" f.jc_logic_info_name))
		 f.jc_logic_info_calls))
	 l)
    tab_comp;
  tab_comp


let compute_components table = 
  (* see above *)
  let tab_comp = CallComponents.scc_array table in
  Jc_options.lprintf "******************************\n";
  Jc_options.lprintf "Call graph: has %d components\n" (Array.length tab_comp);
  Jc_options.lprintf "******************************\n";
  Array.iteri 
    (fun i l -> 
      Jc_options.lprintf "Component %d:\n%a@." i
	(print_list newline 
	   (fun fmt f -> fprintf fmt " %s calls: %a\n" f.jc_fun_info_name
	       (print_list comma 
		  (fun fmt f -> fprintf fmt "%s" f.jc_fun_info_name))
	       f.jc_fun_info_calls))
	l)
    tab_comp;
  tab_comp
    
    


(*
Local Variables: 
compile-command: "LC_ALL=C make -C .. bin/jessie.byte"
End: 
*)
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_lexer.mll����������������������������������������������������������������������������0000644�0001750�0001750�00000036265�12311670312�013526� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


(*i $Id: jc_lexer.mll,v 1.95 2010-02-19 15:51:08 marche Exp $ i*)

{
  open Jc_ast
  open Jc_parser
  open Lexing

  type location = Lexing.position * Lexing.position

  let loc lexbuf : location = (lexeme_start_p lexbuf, lexeme_end_p lexbuf)

  exception Lexical_error of location * string
(*
  exception Syntax_error of location
*)

  let lex_error lexbuf s =
    raise (Lexical_error(loc lexbuf,s))

  let buf = Buffer.create 1024

  let newline lexbuf =
    let pos = lexbuf.lex_curr_p in
    lexbuf.lex_curr_p <- 
      { pos with pos_lnum = pos.pos_lnum + 1; pos_bol = pos.pos_cnum }

  (* Update the current location with file name and line number. *)

  let update_loc lexbuf file line absolute chars =
    let pos = lexbuf.lex_curr_p in
    let new_file = match file with
      | None -> pos.pos_fname
      | Some s -> s
    in
    lexbuf.lex_curr_p <- 
      { pos with
	  pos_fname = new_file;
	  pos_lnum = if absolute then line else pos.pos_lnum + line;
	  pos_bol = pos.pos_cnum - chars;
      }

  let builtins_table =
    let table = Hashtbl.create 17 in
    List.iter
      (fun (_ty,id,_whyid,_params) -> Hashtbl.add table id ())
      Jc_pervasives.builtin_logic_symbols;
    List.iter
      (fun (_ty,id,_whyid,_params,_) -> Hashtbl.add table id ())
      Jc_pervasives.builtin_function_symbols;
    table

  let special_id lexbuf s =
    try
      let () = Hashtbl.find builtins_table s in
      IDENTIFIER s
    with
	Not_found ->
	  lex_error lexbuf ("unknown special symbol "^s)

  exception Dotdot of string

  let pragma lexbuf id v =
    match id with
      | "InvariantPolicy" ->
	  begin
	    Jc_options.inv_sem :=
	      match v with	  
		| "None" -> Jc_env.InvNone
		| "Arguments" -> Jc_env.InvArguments
		| "Ownership" -> Jc_env.InvOwnership
		| _ -> lex_error lexbuf ("unknown invariant policy " ^ v)
	  end  
      | "SeparationPolicy" ->
	  begin
	    Jc_options.separation_sem :=
	      match v with
		| "None" -> Jc_env.SepNone
		| "Regions" -> Jc_env.SepRegions
		| _ -> lex_error lexbuf ("unknown separation policy " ^ v)
	  end  
      | "AnnotationPolicy" ->
	  begin
	    Jc_options.annotation_sem :=
	      match v with
		| "None" -> Jc_env.AnnotNone
		| "Invariants" -> Jc_env.AnnotInvariants
		| "ElimPre" -> Jc_env.AnnotElimPre
		| "StrongPre" -> Jc_env.AnnotStrongPre
		| "WeakPre" -> Jc_env.AnnotWeakPre
		| _ -> lex_error lexbuf ("unknown annotation policy " ^ v)
	  end  
      | "AbstractDomain" ->
	  begin
	    Jc_options.ai_domain :=
	      match v with
		| "None" -> Jc_env.AbsNone 
		| "Box" -> Jc_env.AbsBox 
		| "Oct" -> Jc_env.AbsOct 
		| "Pol" -> Jc_env.AbsPol 
		| _ -> lex_error lexbuf ("unknown abstract domain " ^ v)
	  end  
      | "IntModel" ->
	  begin
	    Jc_options.set_int_model
	      (match v with
		 | "bounded" -> Jc_env.IMbounded
		 | "modulo" -> Jc_env.IMmodulo 
		 | _ -> lex_error lexbuf ("unknown int model " ^ v))
	  end  
      | "FloatModel" ->
	  begin
	    Jc_options.float_model := 
	      (match v with
	         | "math" -> Jc_env.FMmath
		 | "defensive" -> Jc_env.FMdefensive
		 | "full" -> Jc_env.FMfull
		 | "multirounding" -> Jc_env.FMmultirounding
		 | _ -> lex_error lexbuf ("unknown float model " ^ v))
	  end  
      | "FloatRoundingMode" ->
	  begin
	    Jc_options.current_rounding_mode :=
	      (match v with
		 | "nearestEven" -> Jc_env.FRMNearestEven
		 | "down" -> Jc_env.FRMDown
		 | "up" -> Jc_env.FRMUp
		 | "toZero" -> Jc_env.FRMToZero
		 | "nearestAway" -> Jc_env.FRMNearestAway 
		 | _ -> lex_error lexbuf ("unknown float rounding mode " ^ v))
	  end 
      | "FloatInstructionSet" ->
	  begin
	    Jc_options.float_instruction_set :=
	      (match v with
		 | "x87" -> Jc_env.FISx87
		 | "ieee754" -> Jc_env.FISstrictIEEE754
		 | _ -> lex_error lexbuf ("unknown float instruction set " ^ v))
	  end 
      | "TerminationPolicy" ->
	  begin
	    Jc_options.termination_policy :=
	      (match v with
		 | "always" -> Jc_env.TPalways
		 | "never" -> Jc_env.TPnever
		 | "user" -> Jc_env.TPuser
		 | _ -> lex_error lexbuf ("unknown termination policy " ^ v))
	  end 
      | _ -> lex_error lexbuf ("unknown pragma " ^ id)

 let float_suffix = function
    | None -> `Real
    | Some('f' | 'F') -> `Single
    | Some('d' | 'D') -> `Double
    | _ -> assert false

}

let space = [' ' '\t' '\012' '\r']
let backslash_escapes =
  ['\\' '"' '\'' 'n' 't' 'b' 'r' 'f' ]
let rD = ['0'-'9']
let rL = ['a'-'z' 'A'-'Z' '_']
let rH = ['a'-'f' 'A'-'F' '0'-'9']
let rE = ['E''e']['+''-']? rD+
let rP = ['P''p']['+''-']? rD+
(*
 let rFS	= ('f'|'F'|'l'|'L')
*)
let rIS = ('u'|'U'|'l'|'L')*

rule token = parse
  | [' ' '\t' '\012' '\r']+ { token lexbuf }
  | '\n'                    { newline lexbuf; token lexbuf }
  | "/*@" | "//@"           { lex_error lexbuf "annotations should not be in @ comments" }
  | "/*"                    { comment lexbuf; token lexbuf }
  | "//" [^ '\n']* '\n'     { newline lexbuf; token lexbuf }
  | "abstract"              { ABSTRACT }
  | "allocates"             { ALLOCATES }
  | "and"                   { AND }
  | "as"                    { AS }
  | "assert"                { ASSERT }
  | "assigns"               { ASSIGNS }
  | "assumes"               { ASSUMES }
  | "axiom"                 { AXIOM }
  | "axiomatic"             { AXIOMATIC }
  | "behavior"              { BEHAVIOR }
  | "boolean"               { BOOLEAN }
  | "break"                 { BREAK }
  | "case"                  { CASE }
  | "catch"                 { CATCH }
  | "check"                 { CHECK }
  | "continue"              { CONTINUE }
  | "decreases"             { DECREASES }
  | "default"               { DEFAULT }
  | "do"                    { DO }
  | "double"                { Jc_options.has_floats := true; DOUBLE }
  | "else"                  { ELSE }
  | "end"                   { END }
  | "ensures"               { ENSURES }
  | "exception"             { EXCEPTION }
  | "false"                 { CONSTANT (JCCboolean false) }
  | "finally"               { FINALLY }
  | "float"                 { Jc_options.has_floats := true; FLOAT }
  | "for"                   { FOR }
  | "free"                  { FREE }
  | "goto"                  { GOTO }
  | "hint"                  { HINT }
  | "if"                    { IF }
  | "in"                    { IN }
  | "integer"               { INTEGER }
  | "invariant"             { INVARIANT }
  | "lemma"                 { LEMMA }
  | "let"                   { LET }
  | "logic"                 { LOGIC }
  | "loop"                  { LOOP }
  | "match"                 { MATCH }
  | "new"                   { NEW }
  | "null"                  { NULL }
  | "of"                    { OF }
  | "pack"                  { PACK }
  | "predicate"             { PREDICATE }
  | "reads"                 { READS }
  | "real"                  { REAL}
  | "rep"                   { REP }
  | "requires"              { REQUIRES }
  | "return"                { RETURN }
  | "switch"                { SWITCH }
  | "tag"                   { TAG }
  | "then"                  { THEN }
  | "throw"                 { THROW }
  | "throws"                { THROWS }
  | "true"                  { CONSTANT (JCCboolean true) }
  | "try"                   { TRY }
  | "type"                  { TYPE }
  | "unit"                  { UNIT }
  | "unpack"                { UNPACK }
  | "var"                   { VAR }
  | "variant"               { VARIANT }
  | "while"                 { WHILE }
  | "with"                  { WITH }
  | "\\absolute_address"    { BSABSOLUTE_ADDRESS }
  | "\\address"             { BSADDRESS }
  | "\\at"                  { BSAT }
  | "\\base_block"          { BSBASE_BLOCK }
  | "\\bottom"              { BSBOTTOM }
  | "\\exists"              { BSEXISTS }
  | "\\forall"              { BSFORALL }
  | "\\fresh"               { BSFRESH }
  | "\\mutable"             { BSMUTABLE }
  | "\\nothing"             { BSNOTHING }
  | "\\offset_max"          { BSOFFSET_MAX }
  | "\\offset_min"          { BSOFFSET_MIN }
  | "\\old"                 { BSOLD }
  | "\\result"              { BSRESULT }
  | "\\typeeq"              { BSTYPEEQ }
  | "\\typeof"              { BSTYPEOF }
  | "\\" rL (rL | rD)* as s { special_id lexbuf s }
(*
  | "#" [' ' '\t']* (['0'-'9']+ as num) [' ' '\t']*
        ("\"" ([^ '\010' '\013' '"' ] * as name) "\"")?
        [^ '\010' '\013'] * '\n'
      { update_loc lexbuf name (int_of_string num) true 0;
        token lexbuf }
  | '#' [^'\n']* '\n'       { newline lexbuf; token lexbuf }
*)
  | '#' space* ((rL | rD)+ as id) space* "=" 
        space* ((rL | rD)+ as v) space* '\n'
      { pragma lexbuf id v; newline lexbuf; token lexbuf } 
  | '#' ' '* "Gen_Separation" { PRAGMA_GEN_SEP }
  | '#' ' '* "Gen_Frame" { PRAGMA_GEN_FRAME }
  | '#' ' '* "Gen_Sub" { PRAGMA_GEN_SUB }
  | '#' ' '* "Gen_Same_Footprint" { PRAGMA_GEN_SAME }
  | rL (rL | rD)*           { match lexeme lexbuf with
				| "_" -> UNDERSCORE
				| s -> IDENTIFIER s }

  | '0'['x''X'] rH+ rIS?    { CONSTANT (JCCinteger (lexeme lexbuf)) }
  | '0' rD+ rIS?            { CONSTANT (JCCinteger (lexeme lexbuf)) }
  | rD+ rIS?                { CONSTANT (JCCinteger (lexeme lexbuf)) }
  | 'L'? "'" [^ '\n' '\'']+ "'"     { CONSTANT (JCCinteger (lexeme lexbuf)) }

  | ('0'['x''X'] rH+ '.' rH* rP) as pre
  | ('0'['x''X'] rH* '.' rH+ rP) as pre
  | ('0'['x''X'] rH+ rP) as pre
  | (rD+ rE) as pre  
  | (rD* "." rD+ (rE)?) as pre  
  | (rD+ "." rD* (rE)?) as pre   
      { CONSTANT (JCCreal pre) }

      (* trick to deal with intervals like 0..10 *)

  | (rD+ as n) ".."         { raise (Dotdot n) }

      (* character constants *)

  | '"'                     { Buffer.clear buf; STRING_LITERAL(string lexbuf) }

(*
  | ">>="                   { RIGHT_ASSIGN }
  | "<<="                   { LEFT_ASSIGN }
*)
  | "+="                    { PLUSEQ }
  | "-="                    { MINUSEQ }
  | "*="                    { STAREQ }
  | "/="                    { SLASHEQ }
  | "%="                    { PERCENTEQ }
  | "&="                    { AMPEQ }
  | "^="                    { CARETEQ }
  | "|="                    { BAREQ }
  | ">>>"                   { ARSHIFT }
  | ">>"                    { LRSHIFT }
  | "<<"                    { LSHIFT }
  | "++"                    { PLUSPLUS }
  | "--"                    { MINUSMINUS }
  | "&&"                    { AMPAMP }
  | "||"                    { BARBAR }
  | "==>"                   { EQEQGT }
  | "<==>"                  { LTEQEQGT }
  | "<="                    { LTEQ }
  | ">="                    { GTEQ }
  | "=="                    { EQEQ }
  | "!="                    { BANGEQ }
  | ";"                     { SEMICOLON }
  | ";;"                    { SEMISEMI }
  | "{"                     { LBRACE }
  | "}"                     { RBRACE }
  | ","                     { COMMA }
  | ":"                     { COLON }
  | "="                     { EQ }
  | "()"                    { LPARRPAR }
  | "("                     { LPAR }
  | ")"                     { RPAR }
  | "["                     { LSQUARE }
  | "]"                     { RSQUARE }
  | "."                     { DOT }
  | ".."                    { DOTDOT }
  | "..."                   { DOTDOTDOT }
  | "<:"                    { LTCOLON } 
  | ":>"                    { COLONGT } 
  | "&"                     { AMP }
  | "!"                     { EXCLAM }
  | "~"                     { TILDE }
  | "-"                     { MINUS }
  | "+"                     { PLUS }
  | "*"                     { STAR }
  | "/"                     { SLASH }
  | "%"                     { PERCENT }
  | "<"                     { LT }
  | ">"                     { GT }
  | "^"                     { HAT }
  | "|"                     { PIPE }
  | "?"                     { QUESTION }
  | "@"                     { AT }
  | "->"                    { MINUSGT }
  | eof { EOF }
  | '"' { lex_error lexbuf "unterminated string" }
  | _   { lex_error lexbuf ("illegal character " ^ lexeme lexbuf) }

and comment = parse
  | "*/" { () }
  | "/*" { comment lexbuf ; comment lexbuf }
  | eof  { lex_error lexbuf "unterminated comment" }
  | '\n' { newline lexbuf; comment lexbuf }
  | _    { comment lexbuf }

and string = parse
  | '"'
      { Buffer.contents buf }
  | '\\' backslash_escapes
      { Buffer.add_string buf (lexeme lexbuf);
	string lexbuf }
  | '\\' _ 
      { lex_error lexbuf "unknown escape sequence in string" }
  | ['\n' '\r']
      { (* no \n anymore in strings since java 1.4 *)
	lex_error lexbuf "string not terminated"; }
  | [^ '\n' '\\' '"']+ 
      { Buffer.add_string buf (lexeme lexbuf); string lexbuf }
  | eof
      { lex_error lexbuf "string not terminated" }

      
{

let dotdot_mem = ref false
 
let next_token lexbuf =
  if !dotdot_mem then
    begin
      dotdot_mem := false;
      DOTDOT
    end
  else
    begin
      try
	token lexbuf
      with
	Dotdot(n) ->
	  dotdot_mem := true;
	  CONSTANT(JCCinteger n)
    end

  let parse f c =
    let lb = from_channel c in
    lb.lex_curr_p <- { lb.lex_curr_p with pos_fname = f };
    try
      Jc_parser.file next_token lb
    with Parsing.Parse_error ->
      Jc_options.parsing_error (loc lb) ""
	
}


(*
Local Variables: 
compile-command: "make -C .. bin/jessie.byte"
End: 
*)

�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_make.ml������������������������������������������������������������������������������0000644�0001750�0001750�00000027670�12311670312�013150� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format
open Pp

(*
let files = Hashtbl.create 97

let add ~file ~f =
  let l = try Hashtbl.find files file with Not_found -> [] in
  Hashtbl.replace files file (f :: l)
*)

let simplify fmt f = fprintf fmt "simplify/%s_why.sx" f
let vampire fmt f = fprintf fmt "vampire/%s_why.vp" f
let coq_v fmt f = fprintf fmt "coq/%s_why.v" f
let coq_vo fmt f = fprintf fmt "coq/%s_why.vo" f
let pvs fmt f = fprintf fmt "pvs/%s_why.pvs" f
let cvcl fmt f = fprintf fmt "cvcl/%s_why.cvc" f
let harvey fmt f = fprintf fmt "harvey/%s_why.rv" f
let zenon fmt f = fprintf fmt "zenon/%s_why.znn" f
let smtlib fmt f = fprintf fmt "smtlib/%s_why.smt" f
let smtlib_v1 fmt f = fprintf fmt "smtlib-v1/%s_why.smt" f
let ergo fmt f = fprintf fmt "why/%s_why.why" f
let gappa fmt f = fprintf fmt "gappa/%s_why.gappa" f
let why_goals fmt f = fprintf fmt "why/%s_ctx.why" f
let wpr fmt f = fprintf fmt "why/%s.wpr" f
let isabelle fmt f = fprintf fmt "isabelle/%s_why.thy" f

let print_files = print_list (fun fmt () -> fprintf fmt "\\@\n  ")

let generic full f targets =
  print_in_file
    (fun fmt ->
       let out x = fprintf fmt x in
       out "# this makefile was automatically generated; do not edit @\n@\n";
       out "TIMEOUT ?= 10@\n@\n";
       out "DP ?= why-dp -timeout $(TIMEOUT)@\n";
       out "WHYEXEC ?= why@\n";
       out "GWHYEXEC ?= gwhy-bin@\n";
       out "WHYLIB ?= %s@\n@\n" (String.escaped Jc_options.libdir);
       out "USERWHYTWOOPT=%s@\n"  (Jc_options.why_opt);
       out "USERWHYTHREEOPT=%s@\n"  (Jc_options.why3_opt);
       out "WHY=WHYLIB=$(WHYLIB) $(WHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs %s.loc@\n@\n" f;
       out "GWHY=WHYLIB=$(WHYLIB) $(GWHYEXEC) $(WHYOPT) $(USERWHYTWOOPT) -explain -locs %s.loc@\n@\n"  f;
       out "JESSIELIBFILES ?=";
       List.iter (fun s ->
		    out " %s"
		      (String.escaped (Filename.concat "$(WHYLIB)"
					 (Filename.concat "why" s))))
	 (Jc_options.get_libfiles ());
       out "@\n";
       out "JESSIE3CONF ?= $(WHYLIB)/why3/why3.conf@\n@\n";
       out "COQDEP = coqdep@\n@\n";

       out ".PHONY: all coq pvs simplify vampire cvcl harvey smtlib zenon@\n@\n";
       out "all: %a@\n@\n"
	 (print_files simplify) targets;

       out "project: %a@\n@\n" (print_files wpr) targets;
       out "why/%%.wpr:  WHYOPT=--project -dir why@\n";
       out "why/%%.wpr: why/%%.why@\n";
       out "\t@@echo 'why --project [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       out "goals: %a@\n@\n" (print_files why_goals) targets;
       out "why/%%_ctx.why: WHYOPT=--multi-why -dir why@\n";
       out "why/%%_ctx.why: why/%%.why@\n";
       out "\t@@echo 'why --multi-why [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       out "coq: %a@\n@\n" (print_files coq_vo) targets;

       out "coq/%s_why.v: WHYOPT=-coq -dir coq -coq-preamble \"Require Export jessie_why.\" -coq-tactic \"intuition\"@\n" f;
       out "coq/%s_why.v: why/%s.why@\n" f f;
       out "\t@@echo 'why -coq [...] why/%s.why' && $(WHY) $(JESSIELIBFILES) why/%s.why && rm -f coq/jessie_why.v@\n@\n" f f;

       out "coq-goals: goals coq/%s_ctx_why.vo@\n" f;
       out "\tfor f in why/*_po*.why; do make -f %s.makefile coq/`basename $$f .why`_why.v ; done@\n@\n" f;


       out "coq/%s_ctx_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble \"Require Export jessie_why.\" -coq-tactic \"intuition\"@\n" f;
       out "coq/%s_ctx_why.v: why/%s_ctx.why@\n" f f;
       out "\t@@echo 'why -coq [...] why/%s_ctx.why' && $(WHY) why/%s_ctx.why@\n@\n" f f;
       out "coq/%%_why.v: WHYOPT=-no-pervasives -coq -dir coq -coq-preamble \"Require Export %s_ctx_why.\" -coq-tactic \"intuition\"@\n" f;
       out "coq/%%_why.v: why/%%.why@\n";
       out "\t@@echo 'why -coq [...] why/$*.why' && $(WHY) why/%s_ctx.why why/$*.why@\n@\n" f;
       out "coq/%%.vo: coq/%%.v@\n\tcoqc -I coq $<@\n";
       out "coq/%%_po_why.vo: coq/%s_ctx_why.vo@\n@\n" f;

       out "pvs: %a@\n@\n" (print_files pvs) targets;

       out "pvs/%%_why.pvs: WHYOPT=-pvs -dir pvs -pvs-preamble \"IMPORTING why@@jessie\"@\n";
       out "pvs/%%_why.pvs: why/%%.why@\n";
       out "\t$(WHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       out "pvs/jessie_why.pvs:WHYOPT=-pvs -dir pvs -pvs-preamble \"IMPORTING why@@why\"@\n";
       out "pvs/jessie_why.pvs:@\n";
       out "\t$(WHY) $(JESSIELIBFILES)@\n@\n";

       out "isabelle: %a@\n@\n" (print_files isabelle) targets;

       out "isabelle/%%_why.thy: WHYOPT=-isabelle -dir isabelle -isabelle-base-theory jessie_why@\n";
       out "isabelle/%%_why.thy: why/%%.why@\n";
       out "\t$(WHY) $(JESSIELIBFILES) why/$*.why@\n";
       out "\tcp -f %s/isabelle/jessie_why.thy isabelle/@\n@\n"
	 Jc_options.libdir;

       out "simplify: %a@\n" (print_files simplify) targets;
       out "\t@@echo 'Running Simplify on proof obligations' && ($(DP) $^)@\n@\n";
       out "simplify/%%_why.sx: WHYOPT=-simplify -dir simplify@\n";
       out "simplify/%%_why.sx: why/%%.why@\n";
       out "\t@@echo 'why -simplify [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       out "vampire: %a@\n" (print_files vampire) targets;
       out "\t@@echo 'Running Vampire on proof obligations' && ($(DP) $^)@\n@\n";
       out "vampire/%%_why.vp: WHYOPT=-vampire -dir vampire@\n";
       out "vampire/%%_why.vp: why/%%.why@\n";
       out "\t@@echo 'why -vampire [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       out "alt-ergo ergo: %a@\n" (print_files ergo) targets;
       out "\t@@echo 'Running Alt-Ergo on proof obligations' && ($(DP) $^)@\n@\n";
       out "why/%%_why.why: WHYOPT=-alt-ergo -dir why@\n";
       out "why/%%_why.why: why/%%.why@\n";
       out "\t@@echo 'why -alt-ergo [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       out "gappa: %a@\n" (print_files gappa) targets;
       out "\t@@echo 'Running Gappa on proof obligations' && ($(DP) $^)@\n@\n";
       out "gappa/%%_why.gappa: WHYOPT=-gappa -dir gappa@\n";
       out "gappa/%%_why.gappa: why/%%.why@\n";
       out "\t@@echo 'why -gappa [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       out "cvcl: %a@\n@\n" (print_files cvcl) targets;
       out "\t@@echo 'Running CVC Lite on proof obligations' && ($(DP) $^)@\n@\n";
       out "cvcl/%%_why.cvc: WHYOPT=-cvcl -dir cvcl@\n";
       out "cvcl/%%_why.cvc: why/%%.why@\n";
       out "\t@@echo 'why -cvcl [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       out "harvey: %a@\n" (print_files harvey) targets;
       out "\t@@echo 'Running haRVey on proof obligations' && ($(DP) $^)@\n@\n";
       out "harvey/%%_why.rv: WHYOPT=-harvey -dir harvey@\n";
       out "harvey/%%_why.rv: why/%%.why@\n";
       out "\t@@echo 'why -harvey [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       out "zenon: %a@\n" (print_files zenon) targets;
       out "\t@@echo 'Running Zenon on proof obligations' && ($(DP) $^)@\n@\n";
       out "zenon/%%_why.znn: WHYOPT=-zenon -dir zenon@\n";
       out "zenon/%%_why.znn: why/%%.why@\n";
       out "\t@@echo 'why -zenon [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       out "smtlib: %a@\n" (print_files smtlib) targets;
       out "\t@@echo 'Running Z3 on proof obligations' && ($(DP) $^)@\n@\n";
       out "smtlib/%%_why.smt:  WHYOPT=-smtlib --encoding sstrat --exp goal -dir smtlib@\n";
       out "smtlib/%%_why.smt: why/%%.why@\n";
       out "\t@@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       out "z3: %a@\n" (print_files smtlib) targets;
       out "\t@@echo 'Running Z3 on proof obligations' && ($(DP) -smt-solver z3 $^)@\n@\n";

       out "yices: %a@\n" (print_files smtlib) targets;
       out "\t@@echo 'Running Yices on proof obligations' && ($(DP) -smt-solver yices $^)@\n@\n";

       out "cvc3: %a@\n" (print_files smtlib) targets;
       out "\t@@echo 'Running CVC3 on proof obligations' && ($(DP) -smt-solver cvc3 $^)@\n@\n";

       out "smtlib-v1: %a@\n" (print_files smtlib_v1) targets;
       out "smtlib-v1/%%_why.smt:  WHYOPT=-smtlib --smtlib-v1 --encoding sstrat --exp goal -dir smtlib-v1@\n";
       out "smtlib-v1/%%_why.smt: why/%%.why@\n";
       out "\t@@echo 'why -smtlib [...] why/$*.why' && $(WHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       out "verit: %a@\n" (print_files smtlib_v1) targets;
       out "\t@@echo 'Running VeriT on proof obligations' && ($(DP) -smt-solver verit $^)@\n@\n";


       out "gui stat: %s@\n"
	 (match targets with f::_ -> f^".stat" | [] -> "");
       out "@\n";
       out "%%.stat: why/%%.why@\n";
       out "\t@@echo 'gwhy-bin [...] why/$*.why' && $(GWHY) $(JESSIELIBFILES) why/$*.why@\n@\n";

       let why3_target =
	 (match targets with f::_ -> f^"_why3.why" | [] -> "")
       in
       out "why3: why/%s@\n" why3_target;

       out "why/%%_why3.why:  WHYOPT=-why3@\n";
       out "why/%%_why3.why: why/%%.why@\n";
       out "\t@@echo 'why -why3 [...] why/$*.why' \
            && $(WHY) $(JESSIELIBFILES) why/$*.why@\n";

       let why3ml_target =
	 (match targets with f::_ -> f^".mlw" | [] -> "")
       in
       out "why3ml: %s@\n" why3ml_target;
       out "\t why3 $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<@\n@\n";

       out "why3ide: %s@\n" why3ml_target;
       out "\t why3ide $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<@\n@\n";

       out "why3replay: %s@\n" why3ml_target;
       out "\t why3replayer $(USERWHYTHREEOPT) --extra-config $(JESSIE3CONF) $<@\n@\n";

       out "-include %s.depend@\n@\n" f;
       out "depend: %a@\n" (print_files coq_v) targets;
       out "\t-$(COQDEP) -I coq coq/%s*_why.v > %s.depend@\n@\n" f f;

       out "clean:@\n";
       out "\trm -f coq/*.vo@\n@\n";
    )
    (full ^ ".makefile")

let makefile f =
  let c = Filename.basename f in
  generic f c [c]



(*
Local Variables:
compile-command: "make -C .. bin/jessie.byte"
End:
*)
������������������������������������������������������������������������why-2.34/jc/jc_frame_notin.ml�����������������������������������������������������������������������0000644�0001750�0001750�00000023070�12311670312�014522� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Jc_stdlib
open Jc_env
open Jc_envset
open Jc_region
open Jc_ast
open Jc_fenv

open Jc_name
open Jc_constructors
open Jc_pervasives
open Jc_separation
open Jc_struct_tools
open Jc_effect
open Jc_interp_misc
open Jc_invariants
open Jc_pattern

open Output
open Format
open Pp

let prop_type = "prop"
(*let ft_suffix = "_ft"
let notin_suffix = "_notin"*)
let in_pred = "in_mybag"
let in_suffix = "_in"
let disj_pred = "disj_mybag"
let sub_pred = "sub_mybag"
let mybag_suffix = "mybag"
let tmp_suffix = "_tmp_name"

let jc_axiom = "_jc_axiom_"

let id_uniq = let c = ref 0 in fun () -> incr c; string_of_int !c

let remove_double compare l =
  match List.fast_sort compare l with
    | [] -> []
    | ele::l ->
        let rec aux ele = function
          | [] -> []
          | a::l when compare ele a = 0 -> aux ele l
          | a::l -> a::(aux a l) in
        ele::(aux ele l)

(** Petits Modules bien utiles *)
module MyBag =
struct
  let add_suffix s = s^"_"^mybag_suffix

  let nin = in_pred
  let ndisj = disj_pred
  let nrem = add_suffix "rem"
  let ninter = add_suffix "inter"

  let nempty = add_suffix "empty"
  let nall = add_suffix "all"

  let make_in elt set =
    LPred (nin,[elt;set])

  let empty = LVar nempty
  let all = LVar nall

  let make_rem elt set =
    if set == empty
    then empty
    else LApp(nrem,[elt;set])


  let make_inter set1 set2 =
    match set1 == all, set1, set2 == all, set2 with
      | true , _ , _ , set | _ , set, true, _ -> set
      | _ ->  LApp(ninter,[set1;set2])

  let jc_ty ty = JCTlogic (mybag_suffix,[ty])


  let ty ty = { logic_type_name = mybag_suffix;
                logic_type_args = [ty]
              }

  let ty_elt = function
    | {logic_type_args = [ty]} -> ty
    | _ -> assert false

  let iin =
    let pid = make_pred nin in
    let tvar = Jc_type_var.type_var_from_string ~univ:true "a_in" in
    pid.jc_logic_info_poly_args <- [tvar];
    let tvar = JCTtype_var tvar in
    pid.jc_logic_info_parameters <- [Jc_pervasives.var tvar "x";
                                     Jc_pervasives.var (jc_ty tvar) "s"];
    pid

  let make_jc_in l =
    new assertion (JCAapp
                     {
                       jc_app_fun = iin;
                       jc_app_args = l;
                       jc_app_region_assoc = [];
                       jc_app_label_assoc = []
                     })

  let idisj =
    let pid = make_pred ndisj in
    let tvar = Jc_type_var.type_var_from_string ~univ:true "a" in
    pid.jc_logic_info_poly_args <- [tvar];
    let tvar = JCTtype_var tvar in
    pid.jc_logic_info_parameters <- [Jc_pervasives.var (jc_ty tvar) "s1";
                                     Jc_pervasives.var (jc_ty tvar) "s2"];
    pid

  let make_jc_disj l =
    new assertion (JCAapp
                     {
                       jc_app_fun = idisj;
                       jc_app_args = l;
                       jc_app_region_assoc = [];
                       jc_app_label_assoc = []
                     })


  let isub =
    let pid = make_pred sub_pred in
    let tvar = Jc_type_var.type_var_from_string ~univ:true "a" in
    pid.jc_logic_info_poly_args <- [tvar];
    let tvar = JCTtype_var tvar in
    pid.jc_logic_info_parameters <- [Jc_pervasives.var (jc_ty tvar) "s1";
                                     Jc_pervasives.var (jc_ty tvar) "s2"];
    pid

  let make_jc_sub l =
    new assertion (JCAapp
                     {
                       jc_app_fun = isub;
                       jc_app_args = l;
                       jc_app_region_assoc = [];
                       jc_app_label_assoc = []
                     })




  type elt_set =
      [ `Empty | `All | `MyBag of term
      | `Elt of term]

  (* this order is important *)
  let num = function
    | `Empty -> 1
    | `All -> 2
    | `Elt _ -> 3
    | `MyBag _ -> 4

  let compare e1 e2 =
    let c = compare (num e1) (num e2) in
    if c <> 0 then c else compare e1 e2

  let print fmt : elt_set -> unit = function
    | `Empty -> fprintf fmt "empty"
    | `All -> fprintf fmt "all"
    | `MyBag s -> fprintf fmt "mybag(%a)" Output.fprintf_term s
    | `Elt s -> fprintf fmt "elt(%a)" Output.fprintf_term s

 (* let make_inter_rem_list (l:elt_set list) =
    let rec aux  = function
    | [] -> all
    | `Empty::_ -> empty
    | `All::l -> aux l
    | `MyBag s::l -> make_inter s (aux l)
    | `Elt e::l -> make_rem e (aux l) in
    let l_s = remove_double compare l in
    Jc_options.lprintf "make_inter_rem : %a" (print_list comma print) l_s;
    aux l_s
 *)
end



module NotIn =
struct
  type t = {
    for_one : bool; (*true if its not a bag but one element (a singleton) *)
    mem : Memory.t;
    label : label;
    mem_name : string;
    name : string;
    ty_mem : logic_type;
  }

  let compare t1 t2 = Memory.compare t1.mem t2.mem

  let from_memory for_one (((mc,_distr) as m),label) =
    let (s,_,_) = tmemory_param ~label_in_name:true label m
      (*memory_name (mc,distr)*) in
    if for_one
    then
      {for_one = true;
       mem = m;
       label = label;
       mem_name = s;
       name = s^in_suffix^"_elt";
       ty_mem = memory_type mc}
    else
      {for_one = false;
       mem = m;
       label = label;
       mem_name = s;
       name = s^in_suffix;
       ty_mem = memory_type mc}

  let is_memory t m =
    (*Jc_options.lprintf "is_memory : %s = %s@." m t.mem_name;*)
    m = t.mem_name
  let is_memory_var t = function
    | LVar m -> is_memory t m
    | _ -> false

  let notin_args t = LVar (t.name)

  let for_one t = t.for_one
  let name t = t.name
  let var t = LVar t.name
  let ty_elt t = raw_pointer_type (fst (deconstruct_memory_type_args t.ty_mem))
  let ty_elt_val t = snd (deconstruct_memory_type_args t.ty_mem)

  let jc_ty_elt t =
    let root = match alloc_class_of_mem_class (fst t.mem) with
      | JCalloc_root r -> r
      | JCalloc_bitvector -> assert false in
    JCTpointer(JCroot root,None,None)

  let jc_ty t = MyBag.jc_ty (jc_ty_elt t)

  let ty t =
    let ty = ty_elt t in
    if t.for_one
    then ty
    else MyBag.ty ty

  let mem_name t = t.mem_name
  let mem_name2 t =
    let mem_name = memory_name t.mem in
    if t.for_one
    then mem_name^"_elt"
    else mem_name
end

module NotInSet = Set.Make(NotIn)
module NotInMap = Map.Make(NotIn)


let in_name notin s = s^(NotIn.mem_name2 notin)^in_suffix

let get_in_logic =
  let memo = Hashtbl.create 10 in
  fun f notin ->
    try
      Hashtbl.find memo (f.jc_logic_info_tag,notin)
    with Not_found ->
      let fin = make_logic_fun (in_name notin f.jc_logic_info_name)
        (NotIn.jc_ty notin) in
      fin.jc_logic_info_result_region <- f.jc_logic_info_result_region;
      fin.jc_logic_info_poly_args <- f.jc_logic_info_poly_args;
      fin.jc_logic_info_parameters <- f.jc_logic_info_parameters;
      fin.jc_logic_info_param_regions <- f.jc_logic_info_param_regions;
      fin.jc_logic_info_effects <- f.jc_logic_info_effects;
      fin.jc_logic_info_labels <- f.jc_logic_info_labels;
      IntHashtblIter.add Jc_typing.logic_functions_table fin.jc_logic_info_tag
        (fin,JCNone);
      Hashtbl.add memo (f.jc_logic_info_tag,notin) fin;
      fin

let app_in_logic f fparams label notin =
  let fin = get_in_logic f notin in
  let app = {jc_app_fun = fin;
             jc_app_args = fparams;
             jc_app_region_assoc = [];
             jc_app_label_assoc =
      List.map (fun e -> (e,label)) fin.jc_logic_info_labels} in
  new term (NotIn.jc_ty notin) (JCTapp app)
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/jc/jc_interp_misc.mli����������������������������������������������������������������������0000644�0001750�0001750�00000034021�12311670312�014704� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(** {1 Preliminaries} *)

val find_struct : string -> Jc_env.struct_info


type forall_or_let = 
  | JCforall of string * Output.logic_type
  | JClet of string * Output.term

val logic_int_of_enum : Jc_env.enum_info -> string
val logic_enum_of_int : Jc_env.enum_info -> string
val safe_fun_enum_of_int : Jc_env.enum_info -> string
val fun_enum_of_int : Jc_env.enum_info -> string

val logic_enum_of_bitvector : Jc_env.enum_info -> string
val logic_bitvector_of_enum : Jc_env.enum_info -> string

val mod_of_enum : Jc_env.enum_info -> string

val fun_any_enum : Jc_env.enum_info -> string

val logic_real_of_bitvector : string
val logic_integer_of_bitvector : string
val logic_bitvector_of_integer : string

val logic_bitvector_of_variant : Jc_env.root_info -> string
val logic_variant_of_bitvector : Jc_env.root_info -> string





(** {1 Environment} *)

val safety_checking : unit -> bool

val variant_checking : unit -> bool

val in_current_behavior : < name : string; .. > list -> bool

val in_default_behavior : < name : string; .. > list -> bool

val is_current_behavior : string -> bool

val set_current_behavior : string -> unit

val reset_current_behavior : unit -> unit

val get_current_spec : unit -> Jc_fenv.fun_spec

val set_current_spec : Jc_fenv.fun_spec -> unit

val reset_current_spec : unit -> unit

(*
val get_current_fun : unit -> Jc_fenv.fun_info

val set_current_fun : Jc_fenv.fun_info -> unit

val reset_current_fun : unit -> unit
  *)
val fresh_loop_label : unit -> Jc_env.label_info




(** {1 helpers for Output module} *)

val make_subtag : Output.term -> Output.term -> Output.assertion

val make_eq : Output.term -> Output.term -> Output.assertion
(** builds eq(t1,t2) *)

val make_select: Output.term -> Output.term -> Output.term
(** builds select(t1,t2) *)

val make_or_term : Output.term -> Output.term -> Output.term

val make_and_term : Output.term -> Output.term -> Output.term

val make_not_term : Output.term -> Output.term

val make_eq_term : Jc_env.jc_type -> Output.term -> Output.term -> Output.term

val make_eq_pred : Jc_env.jc_type -> Output.term -> Output.term -> Output.assertion


val make_if_term : Output.term -> Output.term -> Output.term -> Output.term



(** {1 Types} *)

val why_unit_type : Output.logic_type
val why_integer_type : Output.logic_type

val tr_base_type : ?region:Jc_region.RegionTable.key ->
           Jc_env.jc_type -> Output.logic_type

val tr_var_base_type : Jc_env.var_info -> Output.logic_type

val tr_var_type : Jc_env.var_info -> Output.why_type

val raw_pset_type : Output.logic_type -> Output.logic_type

val raw_memory_type : 
  Output.logic_type -> Output.logic_type -> Output.logic_type

val memory_type : Jc_env.mem_class -> Output.logic_type

val is_memory_type : Output.logic_type -> bool

val tmemory_param : label_in_name:bool ->
           Jc_env.label ->
           Jc_envset.MemClass.t * Jc_region.RegionTable.key ->
           string * Output.term * Output.logic_type

val deconstruct_memory_type_args : Output.logic_type -> Output.logic_type * Output.logic_type

val pointer_class_model_type : Jc_env.pointer_class -> Output.logic_type

val tag_id_type : Jc_env.root_info -> Output.logic_type

val tag_table_type : Jc_env.root_info -> Output.logic_type

val raw_alloc_table_type : Output.logic_type -> Output.logic_type

val alloc_table_type : Jc_env.alloc_class -> Output.logic_type

val is_alloc_table_type : Output.logic_type -> bool




(**  {1 Variables} *)





(** {1 others} *)

(* horror... *)
val ref_term : 
  (?subst:(Output.term Jc_envset.VarMap.t) -> 
    type_safe:bool ->
    global_assertion:bool ->
    relocate:bool ->
    Jc_env.label -> Jc_env.label -> Jc_fenv.term -> Output.term)
  ref

val any_value : Jc_env.region -> Jc_env.jc_type -> Output.expr

val eq_of_enum : Jc_env.enum_info -> string

val make_valid_pred : in_param:bool -> equal:bool ->
           ?left:bool ->
           ?right:bool ->
           Jc_env.alloc_class -> Jc_env.pointer_class -> Output.why_decl

val make_valid_pred_app : in_param:bool -> equal:bool ->
           Jc_env.alloc_class * Jc_region.RegionTable.key ->
           Jc_env.pointer_class ->
           Output.term ->
           Output.term option -> Output.term option -> Output.assertion

val make_alloc_param : check_size:bool ->
           Jc_env.alloc_class -> Jc_env.pointer_class -> Output.why_decl

val make_conversion_params : Jc_env.pointer_class -> Output.why_decl list

val param : type_safe:bool -> Jc_env.var_info -> string * Output.logic_type

val tparam : label_in_name:bool ->
           Jc_env.label ->
           Jc_env.var_info -> string * Output.term * Output.logic_type

val tmodel_parameters : label_in_name:bool ->
           ?region_assoc:(Jc_region.RegionTable.key *
                          Jc_region.RegionTable.key)
                         list ->
           ?label_assoc:(Jc_envset.LogicLabelSet.elt *
                         Jc_envset.LogicLabelSet.elt)
                        list ->
           Jc_fenv.effect -> (string * Output.term * Output.logic_type) list

val tmemory_detailed_params : label_in_name:bool ->
           ?region_assoc:(Jc_region.RegionTable.key *
                          Jc_region.RegionTable.key)
                         list ->
           ?label_assoc:(Jc_envset.LogicLabelSet.elt *
                         Jc_envset.LogicLabelSet.elt)
                        list ->
           Jc_fenv.effect ->
           ((Jc_envset.MemClass.t * Jc_region.InternalRegion.t) *
            (string * Output.term * Output.logic_type))
           list

val tag_table_var : Jc_envset.VariantOrd.t * Jc_region.RegionTable.key -> Output.expr

val tvar : label_in_name:bool ->
           Jc_env.label -> Jc_env.var_info -> Output.term

val var: Jc_env.var_info -> Output.expr

val plain_var : string -> Output.expr

val ttag_table_var : label_in_name:bool ->
           Jc_env.label ->
           Jc_envset.VariantOrd.t * Jc_region.RegionTable.key -> Output.term

val talloc_table_var : label_in_name:bool ->
  Jc_env.label ->
  Jc_envset.AllocClass.t * Jc_region.RegionTable.key -> 
  bool * Output.term

val tmemory_var : label_in_name:bool ->
           Jc_env.label ->
           Jc_envset.MemClass.t * Jc_region.RegionTable.key -> Output.term

val lvar : constant:bool ->
           label_in_name:bool -> Jc_env.label -> string -> Output.term

val plain_memory_var : Jc_env.mem_class * Jc_region.RegionTable.key -> Output.expr

val memory_var : ?test_current_function:bool ->
           Jc_envset.MemClass.t * Jc_region.RegionTable.key -> Output.expr

val alloc_table_var : ?test_current_function:bool ->
           Jc_envset.AllocClass.t * Jc_region.RegionTable.key -> Output.expr

val plain_alloc_table_var : Jc_env.alloc_class * Jc_region.RegionTable.key -> Output.expr

val alloc_arguments : Jc_env.alloc_class * Jc_region.RegionTable.key ->
           Jc_env.pointer_class -> Output.expr list

val plain_tag_table_var : Jc_env.root_info * Jc_region.RegionTable.key -> Output.expr

val make_arguments : callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect ->
           region_assoc:(Jc_region.RegionTable.key *
                         Jc_region.RegionTable.key)
                        list ->
           param_assoc:(Jc_envset.VarOrd.t * ('a, 'b) Jc_ast.expr) list ->
           with_globals:bool ->
           with_body:bool ->
           string ->
           Output.expr list ->
           Output.assertion * string *
           (Jc_envset.StringSet.elt * Output.logic_type) list * Output.expr *
           Output.expr * Output.expr list

val define_locals : ?reads:(string * Output.logic_type) list ->
           ?writes:(string * Output.logic_type) list ->
           Output.expr -> Output.expr




val talloc_table_params : label_in_name:bool ->
           ?region_assoc:(Jc_region.RegionTable.key *
                          Jc_region.RegionTable.key)
                         list ->
           ?label_assoc:(Jc_envset.LogicLabelSet.elt *
                         Jc_envset.LogicLabelSet.elt)
                        list ->
           Jc_fenv.effect -> (string * Output.term * Output.logic_type) list

val root_model_type : Jc_env.root_info -> Output.logic_type

val pointer_type : 
  Jc_env.alloc_class -> Jc_env.pointer_class -> Output.logic_type

val raw_pointer_type : Output.logic_type -> Output.logic_type

val bitvector_type : Output.logic_type

val logic_field_of_union : Jc_env.field_info -> string

val logic_union_of_field : Jc_env.field_info -> string

(** {2 building output terms} *)

val const_of_num :  Num.num -> Output.term
val const : Jc_ast.const -> Output.constant
(** constant *)


val make_select_fi : Jc_env.field_info -> Output.term -> Output.term
(** dereferencing, builds select(f.name,t) *)

val make_select_committed : Jc_env.pointer_class -> Output.term -> Output.term
(** builds select("committed",t) *)

val make_subtag_bool : Output.term -> Output.term -> Output.term

val make_logic_pred_call : 
  label_in_name:bool ->
  region_assoc:(Jc_region.RegionTable.key *
                  Jc_region.RegionTable.key) list ->
  label_assoc:(Jc_envset.LogicLabelSet.elt *
                 Jc_envset.LogicLabelSet.elt) list ->
  Jc_fenv.logic_info -> 
  Output.term list -> Output.assertion
(** call logic predicate, handling regions and labels *)

val make_logic_fun_call : label_in_name:bool ->
           region_assoc:(Jc_region.RegionTable.key *
                         Jc_region.RegionTable.key)
                        list ->
           label_assoc:(Jc_envset.LogicLabelSet.elt *
                        Jc_envset.LogicLabelSet.elt)
                       list ->
           Jc_fenv.logic_info -> Output.term list -> Output.term

val make_int_of_tag : Jc_env.struct_info -> Output.term

val make_typeof : Jc_env.struct_info ->
           Jc_region.RegionTable.key -> Output.term -> Output.term
(** typeof expression in logic *)

val make_instanceof : Output.term ->
  Output.term -> Jc_env.struct_info -> Output.assertion



(** {2 helpers for effects information} *)

val logic_info_reads : Jc_envset.StringSet.t ->
           Jc_fenv.logic_info -> Jc_envset.StringSet.t
(** effects of a predicate of logic function *)

val all_effects : Jc_fenv.effect -> string list


val location_list' : Output.term list -> Output.term

val local_read_effects : callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect -> string list

val local_write_effects : callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect -> string list

val write_effects : 
  callee_reads:Jc_fenv.effect ->
  callee_writes:Jc_fenv.effect ->
  region_list:Jc_region.RegionTable.key list ->
  params:Jc_env.var_info list -> string list
  
val read_effects : 
  callee_reads:Jc_fenv.effect ->
  callee_writes:Jc_fenv.effect ->
  region_list:Jc_region.RegionTable.key list ->
  params:Jc_env.var_info list -> string list

val write_parameters :  type_safe:bool ->
           region_list:Jc_region.RegionTable.key list ->
           callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect ->
           params:Jc_env.var_info list -> (string * Output.logic_type) list

val read_parameters : type_safe:bool ->
           region_list:Jc_region.RegionTable.key list ->
           callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect ->
           params:Jc_env.var_info list ->
           already_used:Jc_envset.StringSet.elt list ->
           (string * Output.logic_type) list

val write_locals : region_list:Jc_region.RegionTable.key list ->
           callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect ->
           params:Jc_env.var_info list -> (string * Output.logic_type) list

val read_locals : region_list:Jc_region.RegionTable.key list ->
           callee_reads:Jc_fenv.effect ->
           callee_writes:Jc_fenv.effect ->
           params:Jc_env.var_info list -> (string * Output.logic_type) list



(** {1 Misc} *)

val specialized_functions: 
  (string * string Jc_envset.StringMap.t) Jc_pervasives.StringHashtblIter.t
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/configure.in�������������������������������������������������������������������������������0000644�0001750�0001750�00000045363�12311670312�013141� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������##########################################################################
#                                                                        #
#  The Why platform for program certification                            #
#                                                                        #
#  Copyright (C) 2002-2014                                               #
#                                                                        #
#    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   #
#    Claude MARCHE, INRIA & Univ. Paris-sud                              #
#    Yannick MOY, Univ. Paris-sud                                        #
#    Romain BARDOU, Univ. Paris-sud                                      #
#                                                                        #
#  Secondary contributors:                                               #
#                                                                        #
#    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        #
#    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             #
#    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           #
#    Sylvie BOLDO, INRIA              (floating-point support)           #
#    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     #
#    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          #
#                                                                        #
#  This software is free software; you can redistribute it and/or        #
#  modify it under the terms of the GNU Lesser General Public            #
#  License version 2.1, with the special exception on linking            #
#  described in file LICENSE.                                            #
#                                                                        #
#  This software is distributed in the hope that it will be useful,      #
#  but WITHOUT ANY WARRANTY; without even the implied warranty of        #
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  #
#                                                                        #
##########################################################################


#
# autoconf input for Objective Caml programs
# Copyright (C) 2001 Jean-Christophe Filliâtre
#   from a first script by Georges Mariano
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Library General Public
# License version 2, as published by the Free Software Foundation.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# See the GNU Library General Public License version 2 for more details
# (enclosed in the file LGPL).

# the script generated by autoconf from this input will set the following
# variables:
#   OCAMLC        "ocamlc" if present in the path, or a failure
#                 or "ocamlc.opt" if present with same version number as ocamlc
#   OCAMLOPT      "ocamlopt" (or "ocamlopt.opt" if present), or "no"
#   OCAMLBEST     either "byte" if no native compiler was found,
#                 or "opt" otherwise
#   OCAMLDEP      "ocamldep"
#   OCAMLLEX      "ocamllex"
#   OCAMLYACC     "ocamlyac"
#   OCAMLLIB      the path to the ocaml standard library
#   OCAMLVERSION  the ocaml version number
#   LABLGTK2	  "yes" is available, "no" otherwise
#   OCAMLWEB      "ocamlweb" (not mandatory)


# check for one particular file of the sources
# ADAPT THE FOLLOWING LINE TO YOUR SOURCES!
AC_INIT(src/monad.mli)

# verbosemake feature

AC_ARG_ENABLE(verbosemake,[  --enable-verbosemake    verbose makefile commands],VERBOSEMAKE=yes,VERBOSEMAKE=no)
if test "$VERBOSEMAKE" = yes ; then
	AC_MSG_RESULT(Make will be verbose.)
fi

AC_ARG_ENABLE(local,
  [  --enable-local          use Jessie in the build directory (no installation)],,
  enable_local=no)


# Check for Ocaml compilers

# we first look for ocamlc in the path; if not present, we fail
AC_CHECK_PROG(OCAMLC,ocamlc,ocamlc,no)
if test "$OCAMLC" = no ; then
	AC_MSG_ERROR(Cannot find ocamlc.)
fi

# we extract Ocaml version number
OCAMLVERSION=`$OCAMLC -v | sed -n -e 's|.*version* *\(.*\)$|\1|p' `
echo "ocaml version is $OCAMLVERSION"

case $OCAMLVERSION in
  0.*|1.*|2.00|3.00*|3.01*|3.02*|3.03*|3.04*|3.05*|3.06*|3.07*)
        AC_MSG_ERROR(You need Objective 3.08 or later);;
  3.08.2)
	FORPACK=""
	OCAMLV=3082;;
  3.08*)
	FORPACK=""
	OCAMLV=308;;
  *)
	FORPACK="-for-pack Graph";;
esac

# Ocaml library path
# old way: OCAMLLIB=`$OCAMLC -v | tail -1 | cut -f 4 -d ' ' | tr -d '\\r'`
OCAMLLIB=`$OCAMLC -where | tr -d '\\r'`
echo "ocaml library path is $OCAMLLIB"


## Where are the library we need
# we look for ocamlfind; if not present, we just don't use it to find
# libraries
AC_CHECK_PROG(USEOCAMLFIND,ocamlfind,yes,no)

if test "$USEOCAMLFIND" = yes; then
   OCAMLFINDLIB=$(ocamlfind printconf stdlib)
   OCAMLFIND=$(which ocamlfind)
   if test "$OCAMLFINDLIB" != "$OCAMLLIB"; then
   USEOCAMLFIND=no;
   echo "but your ocamlfind is not compatible with your ocamlc:"
   echo "ocamlfind : $OCAMLFINDLIB, ocamlc : $OCAMLLIB"
   fi
fi



# Check for arch/OS

AC_MSG_CHECKING(OS dependent settings)
OSTYPE=`echo 'prerr_endline Sys.os_type;;' | ocaml 2>&1 > /dev/null | tr -d '\\r' `
case $OSTYPE in
  Win32)
    EXE=.exe
    STRIP='echo "no strip "'
    CPULIMIT=cpulimit-win
    AC_MSG_RESULT(Win32)
    ;;
  Cygwin)
    EXE=.exe
    STRIP=strip
    CPULIMIT=cpulimit-win
    AC_MSG_RESULT(Cygwin)
    ;;
  Unix)
    EXE=
    STRIP=strip
    CPULIMIT=cpulimit
    AC_MSG_RESULT(Unix)
    ;;
  *) AC_MSG_ERROR(Unknown OS type: $OSTYPE)
    ;;
esac


# then we look for ocamlopt; if not present, we issue a warning
# if the version is not the same, we also discard it
# we set OCAMLBEST to "opt" or "byte", whether ocamlopt is available or not
AC_CHECK_PROG(OCAMLOPT,ocamlopt,ocamlopt,no)
OCAMLBEST=byte
if test "$OCAMLOPT" = no ; then
	AC_MSG_WARN(Cannot find ocamlopt; bytecode compilation only.)
else
	AC_MSG_CHECKING(ocamlopt version)
	TMPVERSION=`$OCAMLOPT -v | sed -n -e 's|.*version* *\(.*\)$|\1|p' `
	if test "$TMPVERSION" != "$OCAMLVERSION" ; then
	    AC_MSG_RESULT(differs from ocamlc; ocamlopt discarded.)
	    OCAMLOPT=no
	else
	    AC_MSG_RESULT(ok)
	    OCAMLBEST=opt
	fi
fi

# checking for ocamlc.opt
AC_CHECK_PROG(OCAMLCDOTOPT,ocamlc.opt,ocamlc.opt,no)
if test "$OCAMLCDOTOPT" != no ; then
	AC_MSG_CHECKING(ocamlc.opt version)
	TMPVERSION=`$OCAMLCDOTOPT -v | sed -n -e 's|.*version* *\(.*\)$|\1|p' `
	if test "$TMPVERSION" != "$OCAMLVERSION" ; then
	    AC_MSG_RESULT(differs from ocamlc; ocamlc.opt discarded.)
	else
	    AC_MSG_RESULT(ok)
	    OCAMLC=$OCAMLCDOTOPT
	fi
fi

# checking for ocamlopt.opt
if test "$OCAMLOPT" != no ; then
    AC_CHECK_PROG(OCAMLOPTDOTOPT,ocamlopt.opt,ocamlopt.opt,no)
    if test "$OCAMLOPTDOTOPT" != no ; then
	AC_MSG_CHECKING(ocamlc.opt version)
	TMPVER=`$OCAMLOPTDOTOPT -v | sed -n -e 's|.*version* *\(.*\)$|\1|p' `
	if test "$TMPVER" != "$OCAMLVERSION" ; then
	    AC_MSG_RESULT(differs from ocamlc; ocamlopt.opt discarded.)
	else
	    AC_MSG_RESULT(ok)
	    OCAMLOPT=$OCAMLOPTDOTOPT
	fi
    fi
fi

# ocamldep, ocamllex and ocamlyacc should also be present in the path
AC_CHECK_PROG(OCAMLDEP,ocamldep,ocamldep,no)
if test "$OCAMLDEP" = no ; then
   AC_MSG_ERROR(Cannot find ocamldep.)
else
   AC_CHECK_PROG(OCAMLDEPDOTOPT,ocamldep.opt,ocamldep.opt,no)
   if test "$OCAMLDEPDOTOPT" != no ; then
      OCAMLDEP=$OCAMLDEPDOTOPT
   fi
fi

AC_CHECK_PROG(OCAMLLEX,ocamllex,ocamllex,no)
if test "$OCAMLLEX" = no ; then
	AC_MSG_ERROR(Cannot find ocamllex.)
else
    AC_CHECK_PROG(OCAMLLEXDOTOPT,ocamllex.opt,ocamllex.opt,no)
    if test "$OCAMLLEXDOTOPT" != no ; then
	OCAMLLEX=$OCAMLLEXDOTOPT
    fi
fi

AC_CHECK_PROG(OCAMLYACC,ocamlyacc,ocamlyacc,no)
if test "$OCAMLYACC" = no ; then
	AC_MSG_ERROR(Cannot find ocamlyacc.)
fi

AC_CHECK_PROG(OCAMLDOC,ocamldoc,ocamldoc,true)
if test "$OCAMLDOC" = true ; then
    AC_MSG_WARN(Cannot find ocamldoc)
else
    AC_CHECK_PROG(OCAMLDOCOPT,ocamldoc.opt,ocamldoc.opt,no)
    if test "$OCAMLDOCOPT" != no ; then
	OCAMLDOC=$OCAMLDOCOPT
    fi
fi


#looking for ocamlgraph library

LOCALOCAMLGRAPH=no

if test "$USEOCAMLFIND" = yes; then
  OCAMLGRAPHLIB=$(ocamlfind query ocamlgraph)
fi
if test -n "$OCAMLGRAPHLIB"; then
   echo "ocamlfind found ocamlgraph in $OCAMLGRAPHLIB"
      OCAMLGRAPHLIB="-I $OCAMLGRAPHLIB"
      OCAMLGRAPHVER=" found by ocamlfind"
 else
 AC_CHECK_FILE($OCAMLLIB/ocamlgraph/graph.cmi,OCAMLGRAPH=yes,OCAMLGRAPH=no)
 if test "$OCAMLGRAPH" = no ; then
    AC_CHECK_FILE(ocamlgraph/src/sig.mli,OCAMLGRAPH=yes,OCAMLGRAPH=no)
    if test "$OCAMLGRAPH" = no ; then
      AC_MSG_ERROR(Cannot find ocamlgraph library. Please install the *libocamlgraph-ocaml-dev* Debian package - or use the GODI caml package system *http://godi.ocaml-programming.de/* - or compile from sources *http://ocamlgraph.lri.fr/*)
    else
      OCAMLGRAPHLIB="-I ocamlgraph"
      OCAMLGRAPHVER=" in local subdir ocamlgraph"
      LOCALOCAMLGRAPH=yes
    fi
 else
    OCAMLGRAPHLIB="-I +ocamlgraph"
    OCAMLGRAPHVER=" in Ocaml lib, subdir ocamlgraph"
 fi
fi

# checking local ocamlgraph compilation

if test "$LOCALOCAMLGRAPH" = yes; then
   AC_MSG_CHECKING(ocamlgraph compilation)
   if (cd ocamlgraph; ./configure && make) > /dev/null 2>&1; then
      AC_MSG_RESULT(ok)
   else
      AC_MSG_ERROR(cannot compile ocamlgraph in ocamlgraph)
   fi
fi

# checking for lablgtk2
if test "$USEOCAMLFIND" = yes; then
   LABLGTKSV2LIB=$(ocamlfind query lablgtk2.sourceview2)
   if test -z "$LABLGTKSV2LIB"; then
      LABLGTKSV2LIB=$(ocamlfind query lablgtksourceview2)
   fi
fi
if test -n "$LABLGTKSV2LIB";then
   echo "ocamlfind found lablgtksourceview2 in $LABLGTKSV2LIB"
   INCLUDEGTK2="-I $LABLGTKSV2LIB"
   LABLGTK2=yes
else
  AC_CHECK_FILE($OCAMLLIB/lablgtk2/lablgtk.cma,LABLGTK2=yes,LABLGTK2=no)
  # AC_CHECK_PROG(LABLGTK2,lablgtk2,yes,no) not always available (Win32)
  if test "$LABLGTK2" = yes ; then
        INCLUDEGTK2="-I +lablgtk2"
  fi
fi


AC_CHECK_PROG(OCAMLWEB,ocamlweb,ocamlweb,true)

# apron library
default_apron=no
APRONLIBS=
AC_ARG_ENABLE(apron,[  --enable-apron=[no/yes]  use APRON library for abstract interpretation [default=yes]],,enable_apron=$default_apron)

if test "$enable_apron" = "yes" ; then
   AC_CHECK_FILE($OCAMLLIB/apron/apron.cmxa,APRONLIB="-I +apron -I +gmp",APRONLIB=no)
   if test "$APRONLIB" = no ; then
      AC_CHECK_FILE(/usr/lib/apron.cmxa,APRONLIB="-I /usr/lib -I /usr/local/lib",APRONLIB=no)
      if test "$APRONLIB" = no ; then
	 AC_MSG_WARN(Cannot find APRON library.)
	 enable_apron="no (APRON library cannot be found, see above)"
      fi
   fi
fi

if test "$enable_apron" = "yes" ; then
   APRONLIBS="-cclib ' -lpolkaMPQ_caml -lpolkaMPQ -loctMPQ_caml -loctMPQ -lboxMPQ_caml -lboxMPQ -lapron_caml -lapron -lgmp_caml -lmpfr -lgmp -lbigarray -lcamlidl' bigarray.cmxa gmp.cmxa apron.cmxa box.cmxa polka.cmxa"
   ATPCMO=atp/atp.cmo
else
   APRONLIB=""
fi

# Frama-C
TESTFRAMAC=yes

if test "$TESTFRAMAC" = no ; then
   FRAMACPLUGIN=no
   FRAMACMSG="Disabled on user request"
else
   AC_CHECK_PROG(FRAMAC,frama-c,frama-c,no)
   if test "$FRAMAC" = no ; then
	AC_MSG_WARN(Cannot find frama-c.)
	FRAMACPLUGIN=no
        FRAMACMSG="Cannot find Frama-C"
   else
      # we extract Ocaml version number
      AC_MSG_CHECKING(Frama-c version)
      FRAMACVERSION=`$FRAMAC -version | sed -n -e 's|Version: *\(.*\)$|\1|p' `
      AC_MSG_RESULT($FRAMACVERSION)
      case $FRAMACVERSION in
        Neon-rc1|Neon-rc2|Neon-rc3|Neon-rc4|Neon-20140301)
           FRAMACPLUGIN=yes
           ;;
        Neon-*)
	   FRAMACMSG="Found unknown variant of Frama-C Neon (hope this works)"
           AC_MSG_WARN($FRAMACMSG)
           FRAMACPLUGIN=yes
           ;;
        *) FRAMACMSG="you need Frama-C version Neon"
           FRAMACPLUGIN=no
           AC_MSG_WARN($FRAMACMSG)
           ;;
      esac
   fi
fi

# camlp4
AC_CHECK_PROG(CAMLP4O,camlp4o,camlp4o,no)
if test "$CAMLP4O" = no ; then
     AC_MSG_ERROR(Cannot find camlp4o.)
fi
CAMLP4LIB=`camlp4o -where`
CAMLP4VERSION=`$CAMLP4O -v 2>&1 | sed -n -e 's|.*version *\(.*\)$|\1|p'`
AC_MSG_CHECKING(camlp4 version)
if test "$CAMLP4VERSION" != "$OCAMLVERSION" ; then
     AC_MSG_ERROR(differs from ocaml version)
else
     AC_MSG_RESULT(ok)
fi

# Why3

AC_CHECK_PROG(WHY3,why3,yes,no)
if test "$WHY3" = no ; then
  WHY3MSG="command 'why3' not found"
  AC_MSG_WARN($WHY3MSG)
else
  AC_MSG_CHECKING(Why3 version)
  WHY3VERSION=`why3 --version | sed -n -e 's|.*version \([[^ ]]\+\) .*$|\1|p'`
  case $WHY3VERSION in
  0.83)
      AC_MSG_RESULT($WHY3VERSION)
      ;;
  0.82+git|0.83+git)
      AC_MSG_RESULT($WHY3VERSION)
      WHY3MSG="(version not guaranteed to be supported, hope this works)"
      AC_MSG_WARN($WHY3MSG)
      ;;
  0.6*|0.7*|0.8*)
      AC_MSG_RESULT($WHY3VERSION)
      WHY3="no"
      WHY3MSG="version $WHY3VERSION too old, why3 support discarded"
      AC_MSG_WARN($WHY3MSG)
      ;;
  *)
      AC_MSG_RESULT($WHY3VERSION)
      WHY3="no"
      WHY3MSG="unknown version $WHY3VERSION, why3 support discarded"
      AC_MSG_WARN($WHY3MSG)
      ;;
  esac
fi


WHYFLOATS=

# Coq
AC_CHECK_PROG(COQC,coqc,coqc,no)
if test "$COQC" = no ; then
    COQ=no
    AC_MSG_WARN(Cannot find coqc.)
else
    COQ=yes
    AC_CHECK_PROG(COQDEP,coqdep,coqdep,true)
    if test "$COQDEP" = true ; then
	AC_MSG_ERROR(Cannot find coqdep.)
    fi
    COQLIB=`$COQC -where | sed -e 's|\\\|/|g' -e 's| |\\ |g'`
    AC_MSG_CHECKING(Coq version)
    COQVERSION=`$COQC -v | sed -n -e 's|.*version \([[^ ]]\+\) .*$|\1|p' `

    case $COQVERSION in
    7.4*)
	AC_MSG_RESULT($COQVERSION)
	COQC7=$COQC
	COQVER=v7
	WHYLIBCOQ=lib/coq-v7
	cp -f lib/coq-v7/WhyCoqDev.v lib/coq-v7/WhyCoqCompat.v;;
    8.*)
	AC_MSG_RESULT($COQVERSION)
	COQC7="$COQC -v7"
	COQC8=$COQC
	COQVER=v8
	WHYLIBCOQ=lib/coq
	cp -f lib/coq-v7/WhyCoqDev.v lib/coq-v7/WhyCoqCompat.v
	case $COQVERSION in
	8.1*|8.2*|8.3*|8.4*|trunk)
	  JESSIELIBCOQ=lib/coq/jessie_why.vo
	  cp -f lib/coq/WhyCoqDev.v lib/coq/WhyCoqCompat.v
          # useful ??? [VP] Yes, the hack for making the output compliant with
          # Dp needs >= v8.1
          COQVER=v8.1
          ;;
	*)
	  JESSIELIBCOQ=
	  cp -f lib/coq/WhyCoq8.v lib/coq/WhyCoqCompat.v;;
        esac
	AC_MSG_CHECKING(Coq floating-point library)
	if test -f "$COQLIB/user-contrib/Flocq/Core/Fcore.vo"; then
	  AC_MSG_RESULT(yes)
	  WHYFLOATS="lib/coq/WhyFloats.vo lib/coq/WhyFloatsStrict.vo"
	  COQFLOATSMSG=yes
	else
	  AC_MSG_RESULT(no)
	  COQFLOATSMSG="no (Coq library Flocq/Core/Fcore.vo not found)"
	fi
	AC_MSG_CHECKING(Coq legacy floating-point library)
	if test -f "$COQLIB/user-contrib/AllFloat.vo" || test -f "$COQLIB/user-contrib/Float/AllFloat.vo"; then
	  AC_MSG_RESULT(yes)
	  WHYFLOATS="$WHYFLOATS lib/coq/WhyFloatsStrictLegacy.vo"
	  COQFLOATSLEGACYMSG=yes
	else
	  AC_MSG_RESULT(no)
	  COQFLOATSLEGACYMSG="no (Coq library AllFloat.vo not found)"
	fi

	if test "$WHY3" != no ; then
	  AC_MSG_CHECKING(Coq realizations for Why3)
	  WHY3COQPATH=`why3 --print-libdir`/coq
	  if test -f "$WHY3COQPATH/int/Int.vo"; then
	    AC_MSG_RESULT(yes)
	    JESSIEWHY3LIBCOQ="lib/coq/Jessie_memory_model.vo"
	  else
	    AC_MSG_RESULT(no)
	  fi
	fi
	;;
    *)
	COQ=no
	AC_MSG_WARN(You need Coq 7.4 or later; Coq support discarded);;
    esac
fi

# Alt-ergo
dnl AC_CHECK_PROG(ALTERGO,alt-ergo,alt-ergo,no)
dnl if test "$ALTERGO" = no ; then
dnl    AC_CHECK_PROG(ERGO,ergo,ergo,no)
dnl    if test "$ERGO" = no ; then
dnl      ERGOBIN=alt-ergo
dnl    else
dnl      ERGOBIN=ergo
dnl    fi
dnl else
dnl    ERGOBIN=alt-ergo
dnl fi

# PVS
AC_PATH_PROG(PVSC,pvs,no)
if test "$PVSC" = no ; then
    PVS=no
    AC_MSG_WARN(Cannot find PVS.)
else
    PVS=yes
    PVSLIB=`pvs -where`/lib
    if test "$PVSLIB" = /lib; then
       AC_MSG_WARN(PVS found but pvs -where did not work)
       PVS=no;
    fi
fi

# Mizar
AC_CHECK_PROG(MIZF,mizf,mizf,no)
if test "$MIZF" = no; then
    MIZAR=no
    AC_MSG_WARN(Cannot find Mizar.)
else
    MIZAR=yes
    AC_MSG_CHECKING(Mizar library)
    if test -d "$MIZFILES"; then
	MIZARLIB=$MIZFILES
	AC_MSG_RESULT($MIZARLIB)
    else if test -d /usr/local/lib/mizar; then
	MIZARLIB=$MIZFILES
	AC_MSG_RESULT($MIZARLIB)
    else
	AC_MSG_WARN(Cannot find Mizar library; please set \$MIZFILES)
	MIZAR=no
    fi
    fi
fi

# substitutions to perform
AC_SUBST(VERBOSEMAKE)
AC_SUBST(EXE)
AC_SUBST(STRIP)
AC_SUBST(CPULIMIT)

AC_SUBST(OCAMLC)
AC_SUBST(OCAMLOPT)
AC_SUBST(OCAMLDEP)
AC_SUBST(OCAMLLEX)
AC_SUBST(OCAMLYACC)
AC_SUBST(OCAMLDOC)
AC_SUBST(OCAMLBEST)
AC_SUBST(OCAMLVERSION)
AC_SUBST(OCAMLV)
AC_SUBST(OCAMLLIB)
AC_SUBST(OCAMLGRAPHLIB)
AC_SUBST(LABLGTK2)
AC_SUBST(INCLUDEGTK2)
AC_SUBST(OCAMLWEB)
# AC_SUBST(CAMLP4O)
# AC_SUBST(CAMLP4LIB)

AC_SUBST(enable_apron)
AC_SUBST(APRONLIB)
AC_SUBST(APRONLIBS)
AC_SUBST(FRAMAC)
AC_SUBST(FRAMACPLUGIN)
AC_SUBST(ATPCMO)

AC_SUBST(COQ)
AC_SUBST(COQC7)
AC_SUBST(COQC8)
AC_SUBST(COQDEP)
AC_SUBST(COQLIB)
AC_SUBST(COQVER)
AC_SUBST(WHYLIBCOQ)
AC_SUBST(WHYFLOATS)
AC_SUBST(JESSIELIBCOQ)
AC_SUBST(JESSIEWHY3LIBCOQ)
AC_SUBST(WHY3COQPATH)

AC_SUBST(enable_local)

AC_SUBST(PVS)
AC_SUBST(PVSC)
AC_SUBST(PVSLIB)

AC_SUBST(MIZAR)
AC_SUBST(MIZF)
AC_SUBST(MIZARLIB)

AC_SUBST(FORPACK)

# Finally create the Makefile from Makefile.in
AC_OUTPUT(Makefile bench/bench)
chmod a-w Makefile bench/bench
chmod a+x bench/bench

# Summary

echo
echo "                 Summary"
echo "-----------------------------------------"
echo "OCaml version            : $OCAMLVERSION"
echo "OCaml library path       : $OCAMLLIB"
echo "OcamlGraph lib           : $OCAMLGRAPHVER"
echo "Verbose make             : $VERBOSEMAKE"
echo "Inference of annotations : $enable_apron"
if test "$enable_apron" = "yes" ; then
   echo "    APRON lib            : $APRONLIB"
fi
echo "Why3 support             : $WHY3"
if test "$WHY3" = "yes" ; then
   echo "    Version              : $WHY3VERSION"
fi
if test -n "$WHY3MSG" ; then
   echo "    $WHY3MSG"
fi
echo "Frama-C plugin           : $FRAMACPLUGIN"
if test "$FRAMACPLUGIN" = "yes" ; then
   echo "    Frama-C version      : $FRAMACVERSION"
   if test -n "$FRAMACMSG" ; then
      echo "    $FRAMACMSG"
   fi
else
   echo "    $FRAMACMSG"
fi
echo "GWhy                     : $LABLGTK2"
echo "Coq support              : $COQ"
if test "$COQ" = "yes" ; then
   echo "    Version              : $COQVER ($COQVERSION)"
   if test "$JESSIELIBCOQ" = ""; then
      echo "                         : (Jessie/Why2 Coq proofs disabled, requires >= 8.1)"
   fi
   if test "$JESSIEWHY3LIBCOQ" = ""; then
      echo "                         : (Jessie/Why3 Coq proofs disabled, requires Coq realizations for Why3)"
   fi
   echo "    Lib                  : $COQLIB"
   echo "    FP lib (Flocq)       : $COQFLOATSMSG"
   echo "    FP lib (Float)       : $COQFLOATSLEGACYMSG"
fi
echo "PVS support              : $PVS"
if test "$PVS" = "yes" ; then
   echo "    Bin                  : $PVSC"
   echo "    Lib                  : $PVSLIB"
fi
echo "Mizar support            : $MIZAR"
echo "Other provers support    : at run-time (use why-config to configure)"
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/��������������������������������������������������������������������������������������0000755�0001750�0001750�00000000000�12311670312�011555� 5����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/tags.ml�������������������������������������������������������������������������������0000755�0001750�0001750�00000007652�12311670312�013062� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Colors

type loc = { file:string; line:string; sp:string; ep:string }

let last_colored = ref [(GText.tag ())]
let tag = ref 0

let gtktags = Hashtbl.create 57 (* tag id -> gtk tag *)
let loctags = Hashtbl.create 57 (* tag id -> loc *)

let tag_ref = !tag

let new_tag (l:loc) =
  incr tag;
  let mytag = string_of_int !tag in
  Hashtbl.add loctags mytag l;
  mytag

let get_tag t = 
  try 
    Hashtbl.find loctags t
  with Not_found -> 
    assert false

let add_gtktag (index:string) (tag:GText.tag) = 
  Hashtbl.add gtktags index tag

let get_gtktag index = 
  try 
    Hashtbl.find gtktags index
  with Not_found -> 
    assert false

let reset_last_colored () = 
  List.iter 
    (fun tag ->
       tag#set_properties 
	 [`BACKGROUND (get_bc_predicate ()); 
	  `FOREGROUND (get_fc_predicate ())])
    !last_colored;
  last_colored := [GText.tag ()]

let refresh_last_colored tag = 
  reset_last_colored ();
  last_colored := tag

module IntHashtbl = 
  Hashtbl.Make(struct 
                 type t = int 
                 let hash = Hashtbl.hash 
                 let equal = (=) 
               end)
module StringSet = Set.Make(String)
let tag_names = IntHashtbl.create 17
let make_tag (buffer:< tag_table : Gtk.text_tag_table;
              create_tag : ?name:string -> GText.tag_property list -> GText.tag ; .. >)
    ~name l 
    = 
  match GtkText.TagTable.lookup buffer#tag_table name with
  | None -> 
      let oid = Oo.id buffer in
      let old_set = 
        try IntHashtbl.find tag_names oid 
        with Not_found -> StringSet.empty 
      in
      IntHashtbl.replace tag_names oid (StringSet.add name old_set);
      buffer#create_tag ~name l
  | Some t -> new GText.tag t
��������������������������������������������������������������������������������������why-2.34/intf/stat.ml�������������������������������������������������������������������������������0000644�0001750�0001750�00000113377�12311670312�013076� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format
open Options
open Ast
open Env
open Cache
open Pprinter

let _ = gui := true
let debug = ref Options.debug

(*
let is_caduceus = 
  List.exists (fun f -> Filename.basename f = "caduceus.why") Options.files 
*)

(*
let get_files fl = 
  let files = 
    List.map (fun f -> Filename.chop_extension (Filename.basename f)) fl 
  in
  List.fold_left
    (fun l f -> 
       let file = (Filename.concat (Sys.getcwd ()) f) ^ ".c" in
       if Sys.file_exists file then file :: l else l)
    fl files
*)

let () =
  try
    Format.eprintf "Computation of VCs...@.";
    Main.main ();
    Format.eprintf "Computation of VCs done.@."
  with e ->
    Report.explain_exception Format.err_formatter e;
    Format.pp_print_newline Format.err_formatter ();
    exit 1

(* GTK *)

(* config in .gwhyrc *)
(*
let set_loaded_config () =
  let l = [("cache", Cache.set_active) ; 
	   ("hard_proof", Cache.set_hard_proof) ; 
	   ("live_update", Tools.set_live)] 
  in
  List.iter 
    (fun (k,f) -> 
       let v = 
	 try bool_of_string (Config.get_value k)
	 with _ -> begin
	   prerr_endline ("     [...] .gwhyrc : invalid value for " ^ k); 
	   true 
	 end
       in
       (f v))
    l;
  Tools.set_timeout 
    (try int_of_string (Config.get_value "timeout")
     with _ -> begin
       prerr_endline ("     [...] .gwhyrc : invalid value for timeout"); 
       10 
     end);
  (try Model.set_default_prover (Model.get_prover (Config.get_value "prover"))
   with Not_found -> 
     prerr_endline ("     [...] .gwhyrc : invalid value for prover"));
  List.iter
    (fun (k,f,def) ->
       let v = 
	 try int_of_string (Config.get_value k)
	 with _ -> begin
	   prerr_endline ("     [...] .gwhyrc : invalid value for " ^ k); 
	   def
	 end
       in
       f := v)
    [("window_width", Colors.window_width, 1024) ;
     ("window_height", Colors.window_height, 768);
     ("font_size", Colors.font_size, 10) ];
  Colors.set_all_colors (Config.get_colors ())
*)

let () =
  Format.eprintf "Reading GWhy configuration...@.";
  ignore (GtkMain.Main.init ());
(*
  Config.create_default_config ();
*)
  GConfig.load ();
(*
  set_loaded_config ();
*)
  Format.eprintf "GWhy configuration loaded...@."

let modifiable_font_views = ref []

let change_font () =
  Tools.resize_images (!Colors.font_size * 2 - 4);
  let f = 
    Pango.Font.from_string 
      (Colors.font_family ^ " " ^ string_of_int !Colors.font_size)
  in
  List.iter (fun v -> v#modify_font f) !modifiable_font_views

let enlarge_font () =
  incr Colors.font_size; 
  change_font ();
  GConfig.save ()

let reduce_font () =
  decr Colors.font_size; 
  change_font ();
  GConfig.save ()

let display_info = ref (function _s -> failwith "not ready")
let flash_info = ref (function _s -> failwith "not ready")

let cache_check = ref (GButton.toggle_button ())
let hard_proof_check = ref (GButton.toggle_button ())
let pretty_printer_check = ref (GButton.toggle_button ())
let live_update_check = ref (GButton.toggle_button ())
let timeout_spin = ref (GEdit.spin_button ())

let out_some = function None -> assert false | Some f -> f

let try_convert s = 
  try
    if Glib.Utf8.validate s then s else 
      Glib.Convert.locale_to_utf8 s
  with _ -> failwith ("Fatal error: wrong encoding in string \""^s^"\"")

let path_of_int i = 
  GtkTree.TreePath.from_string (string_of_int (if i < 0 then 0 else i))

let to_refresh reference e = 
  let n = Filename.chop_extension reference ^ e in
  not (Sys.file_exists n) ||
  ((Unix.stat reference).Unix.st_mtime > (Unix.stat n).Unix.st_mtime)

module View = struct

  open GtkTree
  open Model

  let () = 
    Format.eprintf "Creating GWhy Tree view...@."

  let renderer = GTree.cell_renderer_text [`XALIGN 0.] 
  let first_col = GTree.view_column ~title:"Proof obligations " 
    ~renderer:(renderer, ["text", Model.name]) () 
  let last_col = GTree.view_column ~title:"Statistics" 
    ~renderer:(renderer, ["text", Model.stat]) ()

  let () = 
    first_col#set_resizable true;
    first_col#set_max_width 400;
    last_col#set_resizable true
 
  let add_columns ~(view : GTree.view) ~_model =
    (* let renderer = GTree.cell_renderer_text [`XALIGN 0.] in *)
    let icon_renderer = GTree.cell_renderer_pixbuf [ `STOCK_SIZE `BUTTON ] in
    let image_renderer = GTree.cell_renderer_pixbuf [ ] in
    let _n : int = view#append_column first_col in
    let l = 
      List.map
	(fun (p,_state) ->
	   let vc_stock = 
	     GTree.view_column ~title:(prover_name_with_version_and_enc p) 
	       ~renderer:(icon_renderer, ["stock_id", p.pr_icon]) 
               ()
	   in
	   vc_stock#set_resizable true;
	   vc_stock#set_visible false;
	   let vc_image = 
	     GTree.view_column ~title:(prover_name_with_version_and_enc p) 
	       ~renderer:(image_renderer, ["pixbuf", p.pr_image]) 
               ()
	   in
	   vc_image#set_resizable true;
	   vc_image#set_visible false;
	   p.pr_viewcol <- Some (vc_stock, vc_image);
	   if p.pr_info.DpConfig.version <> "" then begin
             vc_stock#set_clickable true;
             vc_image#set_clickable true;
           end;
	   let _n : int = view#append_column vc_stock in
	   let _n : int = view#append_column vc_image in
	   p, vc_stock, vc_image)
	(Model.get_prover_states ())
    in
    let _n : int = view#append_column last_col 
    in l

  let () = 
    Format.eprintf "GWhy Tree view created...@.";

end

let update_buffer tv =
  let buf = GText.buffer () in
  tv#set_buffer buf;
  buf

open Logic_decl

let show_xpl (loc,xpl) (_tv:GText.view) =
  match loc with
    | (s,l,b,e) ->
	let loc = 
	  { Tags.file=s; 
	    Tags.line= string_of_int l; 
	    Tags.sp = string_of_int b; 
	    Tags.ep = string_of_int e} in
	Pprinter.move_to_loc loc;
	let msg =
	  match xpl.vc_kind with
	    | EKLemma -> "Lemma"
	    | k -> "VC: " ^ Explain.msg_of_kind k
	in
	!display_info ("file: " ^ (Filename.basename s) ^ " " ^ msg)

let select_obligs (model:GTree.tree_store) (tv:GText.view) 
                  (tv_s:GText.view) selected_rows = 
  List.iter
    (fun p ->
       let row = model#get_iter p in
       let s = model#get ~row ~column:Model.fullname in
       try
	 let (loc,_,xpl,_,_) as o = Model.find_oblig s in
	 let buf = update_buffer tv in
	 buf#set_text "";
	 Pprinter.text_of_obligation tv o;
	 let mark = `MARK (tv#buffer#create_mark tv#buffer#end_iter) in
	 tv#scroll_to_mark ~use_align:true mark;
	 show_xpl (loc,xpl) tv_s
       with Not_found -> 
	 try
	   let (id,beh,(f,l,b,e)) = Hashtbl.find Util.program_locs s in
	   let loc = 
	     { Tags.file=f; 
	       Tags.line= string_of_int l; 
	       Tags.sp = string_of_int b; 
	       Tags.ep = string_of_int e} in
	   Pprinter.move_to_loc loc;
	   !display_info ("file: " ^ (Filename.basename f) ^ " " ^ beh ^" of "^id);
	 with Not_found ->
	   Pprinter.move_to_source None;	 
	   !display_info "(nothing selected ??)";
	 
    )
    selected_rows

let prove fct = 
  ignore (Thread.create fct ())

(*
let get_statistics (model:GTree.tree_store) row = 
  let sl = 
    List.map 
      (fun p -> (string_of_int (model#get ~row ~column:p.Model.pr_result)))
      (Model.get_provers ())
  in
  "[" ^ String.concat "|" sl ^ "]"
*)

let get_all_results f (model:GTree.tree_store) = 
  let mychildren = Model.find_fobligs f in
  Queue.fold
    (fun nb row -> 
       let result = model#get ~row ~column:Model.result in
       result + nb)
    0
    mychildren

let update_statistics (model:GTree.tree_store) row f children =
(*
  let statistics = get_statistics model row in
*)
  let total = string_of_int (get_all_results f model) in
(*
  let name =
    if f="" then "User goals" else
    try
      let (id,beh,(_f,_l,_b,_e)) = Hashtbl.find Util.program_locs f in
      beh ^ "\nof " ^ id
    with Not_found -> "unknown function " ^ f
  in
  model#set 
    ~row ~column:Model.name name
*)
  model#set 
    ~row ~column:Model.stat (total^"/"^(string_of_int children))

let build_statistics (model:GTree.tree_store) f = 
  try
    let row = Model.find_fct f
    and children = ref 0 in
    List.iter 
      (fun (p,s) -> 
	 if s then model#set ~row ~column:p.Model.pr_result 0) 
      (Model.get_prover_states ());
    Model.iter_fobligs
      f
      (fun r -> 
	 incr children;
	 List.iter 
	   (fun (p,s) -> 
	      if s then
		let r = model#get ~row:r ~column:p.Model.pr_result 
		and u = model#get ~row ~column:p.Model.pr_result in
		model#set ~row ~column:p.Model.pr_result (u+r)) 
	   (Model.get_prover_states ()));
    update_statistics model row f !children
      (*
    let statistics = get_statistics model row in
    let total = string_of_int (get_all_results f model) 
    and children = string_of_int !children in
    let name =
      try
	let (id,beh,(f,l,b,e)) = Hashtbl.find Util.program_locs f in
	beh ^ " of " ^ id
      with Not_found -> "unknown function " ^ f
    in
    model#set 
      ~row ~column:Model.name (name^" "^" "^total^"/"^children)
    *)
  with e -> 
    begin 
      print_endline ("     [...] Error: unexcepted exception: " ^ 
		       Printexc.to_string e);
      flush stdout 
    end  

let collapse_row (view:GTree.view) path bench = 
  if not bench then begin
    view#collapse_row path
  end

let expand_row (view:GTree.view) path bench = 
  if not bench then begin
    view#expand_row path
  end

(*
 * Should i proove this obligation again ?
 *)
let try_proof oblig =
  (Cache.hard_proof ())
    || not (Cache.is_enabled ())
    || (Cache.is_enabled () && not (in_cache (Cache.clean oblig))) 


(* 
 * run a prover on an obligation and update the model 
 *)
let run_prover_child p (_view:GTree.view) (model:GTree.tree_store) 
                     o bench alone = 
  let column_p = p.Model.pr_icon in
  let column_i = p.Model.pr_image in
  let (_, _, _, oblig, seq) = o in
  if bench || (try_proof seq) then
    try 
      let row = 
	try Hashtbl.find Model.orows oblig 
	with Not_found -> 
	  print_endline 
	    ("     [...] Error : obligation \""^oblig^"\" not found !"); 
	  flush stdout;
	  raise Exit
      in
      model#set ~row ~column:column_p `EXECUTE;
      model#set ~row ~column:column_i !Tools.image_running;
      if !debug then Format.eprintf "oblig : %s@." oblig;
      let r = 
	Dispatcher.call_prover 
	  ~debug:!debug ~encoding:p.Model.pr_enc
	  ~obligation:oblig ~timeout:(Tools.get_timeout ())  p.Model.pr_id
      in
      let get_result = function
	| Calldp.Valid _ -> 
	    if Cache.is_enabled () then Cache.add seq (Model.prover_id p);
	    model#set ~row ~column:column_p `YES ; 
	    model#set ~row ~column:column_i !Tools.image_valid ; 1
	| Calldp.Timeout _ -> 
	    model#set ~row ~column:column_p `CUT; 
	    model#set ~row ~column:column_i !Tools.image_timeout; 0
	| Calldp.CannotDecide _ -> 
	    model#set ~row ~column:column_p `DIALOG_QUESTION; 
	    model#set ~row ~column:column_i !Tools.image_unknown; 0
	| Calldp.Invalid(_,so) -> 
	    begin match so with
	      | None -> ()
	      | Some s -> 
		  let name = model#get ~row ~column:Model.fullname in 
		  Model.add_failure name p s
	    end;
	    model#set ~row ~column:column_p `NO; 
	    model#set ~row ~column:column_i !Tools.image_invalid; 0
	| Calldp.ProverFailure(_,so) -> 
	      let name = model#get ~row ~column:Model.fullname in 
	      Model.add_failure name p so;
	      model#set ~row ~column:column_p `PREFERENCES; 
	      model#set ~row ~column:column_i !Tools.image_failure; 0
      in
      let result = get_result r in
      model#set ~row ~column:p.Model.pr_result result;
      model#set ~row ~column:Model.result 
	(max result (model#get ~row ~column:Model.result));
      if alone || (Tools.live_update ())then begin 
	build_statistics model (model#get ~row ~column:Model.parent)
      end;
      result
    with Exit -> 
      0
  else begin
    !flash_info "No need to prove these obligations";
    1
  end

let run_prover_oblig p (view:GTree.view) (model:GTree.tree_store) 
                     s bench alone () = 
  try 
    let oblig = Hashtbl.find Model.obligs s in
    let _ = run_prover_child p view model oblig bench alone in
    ()
  with Not_found -> begin
    print_endline ("     [...] Error : obligation \""^s^"\" not found !"); 
    flush stdout;
  end

(*
 * run a prover on a function and update the model 
 *)
let run_prover_fct p (view:GTree.view) (model:GTree.tree_store) f bench () = 
  let column_p = p.Model.pr_icon in
  let column_i = p.Model.pr_image in
  try
    let row = Model.find_fct f in
    model#set ~row ~column:Model.total 0;
    model#set ~row ~column:column_p `GO_DOWN;
    model#set ~row ~column:column_i !Tools.image_down;
    let n = model#iter_n_children (Some(row)) in
    let mychildren = Model.find_fobligs f in
    let succeed = 
      Queue.fold
	(fun nb row -> 
	   let s = model#get ~row ~column:Model.fullname in
	   let oblig = Model.find_oblig s in
	   let result = run_prover_child p view model oblig bench false in
	   result + nb)
	0
	mychildren 
    in
    if succeed = n then begin 
      model#set ~row ~column:column_p `APPLY;
      model#set ~row ~column:column_i !Tools.image_yes;
      let path = model#get_path row in
      collapse_row view path bench
    end else begin 
      model#set ~row ~column:column_p `CANCEL;
      model#set ~row ~column:column_i !Tools.image_no;
      let path = model#get_path row in
      expand_row view path bench
    end;
    if not (Tools.live_update ()) then begin 
      build_statistics model f
    end 
  with Not_found -> 
    begin 
      print_endline ("     [...] Error : function \""^f^"\" not found !"); 
      flush stdout 
    end

(*
 * run a prover on all obligations and update the model 
 *)
let run_prover_all p (view:GTree.view) (model:GTree.tree_store) bench () =
  Queue.iter 
    (fun f -> run_prover_fct p view model f bench ()) 
    Model.fq

let run_benchmark_fct (view:GTree.view) (model:GTree.tree_store) f () =
  try
    let row = Model.find_fct f in
    model#set ~row ~column:Model.total 0;
    let _n = model#iter_n_children (Some row) in
    let mychildren = Model.find_fobligs f in
    Queue.iter
      (fun row -> 
	let s = model#get ~row ~column:Model.fullname in
	let oblig = Model.find_oblig s in
	let rec try_prover = function
	  | [] -> 
	      ()
	  | (p,s) :: pl ->
	      
	      let result = 
		if s then run_prover_child p view model oblig true false 
		else 0
	      in
	      if result = 0 then try_prover pl
	in
	try_prover (Model.get_prover_states ()))
      mychildren;
    if not (Tools.live_update ()) then begin 
      build_statistics model f
    end 
  with Not_found -> 
    begin 
      print_endline ("     [...] Error : function \""^f^"\" not found !"); 
      flush stdout 
    end

let run_benchmark (view:GTree.view) (model:GTree.tree_store) () =
  Queue.iter (fun f -> run_benchmark_fct view model f ()) Model.fq

let main () = 
  Format.eprintf "Creating GWhy views...@.";
  let w = GWindow.window 
	    ~allow_grow:true ~allow_shrink:true
	    ~width:!Colors.window_width ~height:!Colors.window_height 
	    ~title:"gWhy: a verification conditions viewer" ()
  in
  ignore (w#misc#connect#size_allocate 
	    (let old_w = ref 0 
	     and old_h = ref 0 in
	     fun {Gtk.width=w;Gtk.height=h} -> 
	       if !old_w <> w || !old_h <> h then begin
		 old_h := h;
		 old_w := w;
		 Colors.window_height := h;
		 Colors.window_width := w;
		 GConfig.save ()
	       end));
  let _ = w#connect#destroy ~callback:(fun () -> exit 0) in
  let vbox = GPack.vbox ~homogeneous:false ~packing:w#add () in

  (* Menu *)
  let menubar = GMenu.menu_bar ~packing:vbox#pack () in
  let factory = new GMenu.factory menubar in
  let accel_group = factory#accel_group in
  let file_menu = factory#add_submenu "_File" in
  let file_factory = new GMenu.factory file_menu ~accel_group in
  (*
  let _ = 
    file_factory#add_image_item (*~stock:`REFRESH*) ~label:"_Refresh"
      ~key:GdkKeysyms._R () 
  in
  let _ = file_factory#add_separator () in
  *)
  let _ = 
    file_factory#add_image_item ~key:GdkKeysyms._Q ~label:"_Quit" 
      ~callback:(fun () -> GConfig.save(); exit 0) () 
  in
  (* configuration menu *)
  let configuration_menu = factory#add_submenu "_Configuration" in
  let configuration_factory = 
    new GMenu.factory configuration_menu ~accel_group 
  in
(* should not be needed anymore
  let _ =
    configuration_factory#add_item ~key:GdkKeysyms._S
      ~callback:(fun () -> GConfig.save ()) "Save preferences" in
*)
(*
  let i =
    configuration_factory#add_item 
      ~callback:(fun () -> Preferences.show Tools.Color (fun () -> ()) ()) 
      "Customize colors" 
  in
  i#set_active false; HOW DO TO THIS IN LABLGTK ?
*)
  let _ = 
    configuration_factory#add_item ~key:GdkKeysyms._plus
      ~callback:enlarge_font "Enlarge font" 
  in
  let _ = 
    configuration_factory#add_item ~key:GdkKeysyms._minus
      ~callback:reduce_font "Reduce font" 
  in
  let set_boomy b =
    List.iter
      (fun (p,active) -> 
         begin
           match p.Model.pr_viewcol with
           | Some (vc1,vc2) -> 
               if b then (vc2#set_visible active ; vc1#set_visible false)
               else (vc1#set_visible active ; vc2#set_visible false)
           | None -> () (* might be empty if prover does not exist *)
         end)
      (Model.get_prover_states ());
    Tools.set_boomy b;
    GConfig.save ()
  in
  let i = configuration_factory#add_check_item 
    ~callback:(fun b -> set_boomy b) "Boomy icons" in
  let _ = i#set_active (Tools.is_boomy ()) in

  (* horizontal paned *)
  let hp = GPack.paned `HORIZONTAL  ~border_width:3 ~packing:vbox#add () in
(*
  let vtable = 
    GPack.table ~row_spacings:5 ~homogeneous:false ~packing:hp#add () 
  in
*)
(*
  let table = GPack.table ~col_spacings:15 ~homogeneous:false () in
  let _ = vtable#attach ~left:0 ~top:0 table#coerce in
*)

  let model = Model.create_model () in

  (* function list *)
(*
  let files = List.map 
    (fun f -> 
       if Filename.is_relative f 
       then Filename.concat (Sys.getcwd ()) f
       else f)
    Options.files 
  in
  let files_label = GMisc.label ~text:"Opened files" () in
  table#attach ~left:0 ~top:0 files_label#coerce;
  let files_combo = 
    GEdit.combo ~allow_empty:false ~popdown_strings:(get_files files)
      ~value_in_list:true () 
  in
  table#attach ~left:1 ~top:0 ~expand:`BOTH files_combo#coerce;
  let _ = files_combo#entry#set_editable false in
*)
  
  (* left tree of proof obligations *)
  let scrollview = 
    GBin.scrolled_window ~hpolicy:`AUTOMATIC ~vpolicy:`AUTOMATIC 
    ~width:(!Colors.window_width / 2) ~packing:hp#add () 
  in
  let _ = scrollview#set_shadow_type `ETCHED_OUT in

  let view = GTree.view ~model ~packing:scrollview#add () in
  modifiable_font_views := view#misc :: !modifiable_font_views;
  let _ = view#selection#set_mode `SINGLE in
  let _ = view#set_rules_hint true in
  let vc_provers = View.add_columns ~view ~_model:model in
  
  (* cache and view menu *)
  let _ = configuration_factory#add_separator () in
  let _ = 
    configuration_factory#add_image_item ~key:GdkKeysyms._E 
      ~label:"Expand all" ~callback:(fun () -> view#expand_all ()) () 
  in
  let _ = 
    configuration_factory#add_image_item ~key:GdkKeysyms._C 
      ~label:"Collapse all" ~callback:(fun () -> view#collapse_all ()) () 
  in
  let _ = 
    configuration_factory#add_image_item ~key:GdkKeysyms._Z 
      ~label:"Expand function" 
      ~callback:(fun () -> match view#selection#get_selected_rows with
		   | [] -> ()
		   | p::_ -> 
		       let iter = model#get_iter p in
		       try 
			 let parent = 
			   model#get ~row:iter ~column:Model.parent 
			 in
			 let row = 
			   model#get_path (Hashtbl.find Model.frows parent) 
			 in
			 view#expand_row row
		       with Not_found -> ()) () 
  in
  let _ = 
    configuration_factory#add_image_item ~key:GdkKeysyms._X 
      ~label:"Collapse function" 
      ~callback:(fun () -> match view#selection#get_selected_rows with
		   | [] -> ()
		   | p::_ -> 
		       let iter = model#get_iter p in
		       try 
			 let parent = 
			   model#get ~row:iter ~column:Model.parent 
			 in
			 let row = 
			   model#get_path (Hashtbl.find Model.frows parent) 
			 in
			 view#collapse_row row
		       with Not_found -> ()) () 
  in
  (* menus for selected povers *)
  let _ = configuration_factory#add_separator ()  in
  let _ = 
    List.iter
      (fun (p,active) -> 
         begin
           match p.Model.pr_viewcol with
           | Some (vc1,vc2) -> 
               if Tools.is_boomy () then vc2#set_visible active else vc1#set_visible active
           | None -> assert false
         end;
	 let m = configuration_factory#add_check_item 
	   ~active (Model.prover_id p)
	 in 
	 ignore(m#connect#toggled  
		  ~callback:(fun () -> 
			       if m#active then 
				 begin
				   Model.select_prover p;
				   match p.Model.pr_viewcol with
				     | Some (vc1,vc2) ->
                                         if Tools.is_boomy () then 
                                           vc2#set_visible true
                                         else vc1#set_visible true
				     | None -> assert false
				 end
			       else 
				 begin
				   Model.deselect_prover p;
				   match p.Model.pr_viewcol with
				     | Some (vc1,vc2) ->
                                         if Tools.is_boomy () then 
                                           vc2#set_visible false
                                         else 
                                           vc1#set_visible false
				     | None -> assert false
				 end;
			       GConfig.save ())))
      (Model.get_prover_states ())
  in 
  let _ = configuration_factory#add_separator ()  in
  let cache = configuration_factory#add_check_item 
    ~callback:(fun b -> Cache.set_active b) "Cache _enabled" in
  let _ = cache#set_active (Cache.is_enabled ()) in
  let _ = configuration_factory#add_image_item ~label:"Clear cache" 
    (*~stock:`CLEAR*) ~key:GdkKeysyms._K
    ~callback:(fun () -> 
		 Cache.clear ();
		 !flash_info "Cache cleared"
	      ) () 
  in 
  
  (* proof menu *)
  let proof_menu = factory#add_submenu "_Proof" in
  let proof_factory = new GMenu.factory proof_menu ~accel_group in 
  let _ = 
    proof_factory#add_image_item ~label:"Start _benchmark" 
      ~key:GdkKeysyms._B 
      ~callback:(fun () -> prove (run_benchmark view model))
                (***
                (fun () -> 
		   List.iter
		     (fun p -> prove (run_prover_all p view model true))
		     (Model.get_provers ())) ***) () 
  in
  let fct_callback bench () = 
    List.iter 
      (fun p -> 
	 let row = model#get_iter p in
	 let s = model#get ~row ~column:Model.fullname in 
	 if model#iter_has_child row then
	   prove (run_prover_fct (Model.get_default_prover ()) 
		    view model s bench)
	 else 
	   let name = model#get ~row ~column:Model.parent in 
	   prove (run_prover_fct (Model.get_default_prover ()) 
		    view model name bench))
      view#selection#get_selected_rows 
  in
  let _ = 
    proof_factory#add_image_item 
      ~label:"Start benchmark _on selected function" 
      ~key:GdkKeysyms._P 
      ~callback:(fun () -> 
		   let row = 
		     model#get_iter (List.hd view#selection#get_selected_rows) 
		   in
		   let s = 
		     if model#iter_has_child row 
		     then model#get ~row ~column:Model.fullname 
		     else model#get ~row ~column:Model.parent
		   in
		   prove (run_benchmark_fct view model s))
      (***
		   List.iter
		     (fun p -> prove (run_prover_fct p view model s true))
		     (Model.get_provers())) ***)  ()
  in
  let _ = 
    proof_factory#add_image_item ~label:"Prove _all obligations" 
      ~key:GdkKeysyms._A 
      ~callback:(fun () -> 
                   let p = Model.get_default_prover () in
                   Format.eprintf "Running prover '%s' on all VCs@." p.Model.pr_info.DpConfig.name;
		   prove (run_prover_all p
			    view model false)) () 
  in
  let _ = 
    proof_factory#add_image_item ~label:"Prove selected _function" 
      ~key:GdkKeysyms._F ~callback:(fct_callback false) ()
  in
  let oblig_callback () =
    List.iter 
      (fun p -> 
	 let row = model#get_iter p in
	 let s = model#get ~row ~column:Model.fullname in 
	 if model#iter_has_child row then
	   let row = Queue.peek (Model.find_fobligs s) in
	   let s = model#get ~row ~column:Model.fullname in
	   prove (run_prover_oblig (Model.get_default_prover ()) 
		    view model s false true)
	 else 
	   prove (run_prover_oblig (Model.get_default_prover ()) 
		    view model s false true))
      view#selection#get_selected_rows 
  in
  let _ = 
    proof_factory#add_image_item ~label:"Prove selected _obligation" 
      ~key:GdkKeysyms._O ~callback:oblig_callback () 
  in
  (* menus for provers *)
  let _ = proof_factory#add_separator ()  in
  (* to work around bug that callback is called immediately 
     (BTS Frama-C 0037) 
  *)
  let prover_selection_active = ref false in
  let select_prover p = 
    if !prover_selection_active then begin
      (try !flash_info ((Model.prover_id p) ^" selected for default mode !")
       with _ -> ());
(*
      Format.eprintf "select_prover: Selecting '%s' as default prover@." p.Model.pr_info.DpConfig.name;    
*)
      Model.set_default_prover p;
      GConfig.save()
    end
  in
(*
  Format.eprintf "creating radio button list@.";  
*)
  let provers_m =
    let name = Model.prover_id (Model.get_default_prover ()) in
(*
    Format.eprintf "radio_button selected on %s@." name;
*)
    let pp = fst (List.hd (Model.get_prover_states ())) in
    let n = Model.prover_id pp in
    let fm = proof_factory#add_radio_item ~active:(name = n) n in
    let group = fm#group in
    ignore((*Format.eprintf "Calling fm#connect#toggled for '%s'@."
             pp.Model.pr_info.DpConfig.name;*)
           fm#connect#toggled  
	     ~callback:(fun () -> 
                 (*         Format.eprintf "Call(1) select_prover '%s'@." 
                            pp.Model.pr_info.DpConfig.name;*)
                          select_prover pp));
    let l = List.fold_left
      (fun acc (p,s) -> 
	 if s then
	   let n = Model.prover_id p in
	   let m = proof_factory#add_radio_item 
	     ~active:(name = n) ~group n 
	   in 
	   ignore(m#connect#toggled  
		    ~callback:(fun () -> 
                                 Format.eprintf "Call(2) select_prover '%s'@." 
                                   p.Model.pr_info.DpConfig.name;
                                 select_prover p));
	   (p,m)::acc
	 else acc)
      []
      (List.tl (Model.get_prover_states ()))
    in (pp, fm) :: (List.rev l)
  in 
(*
  Format.eprintf "radio button list created@.";  
*)
  prover_selection_active := true;
  let switch_next_prover () =     
    let current_prover = Model.get_default_prover () in
    let rec find_next = function
      | [] -> assert false
      | [p',_] -> 
	  assert (current_prover == p'); 
	  let prems = (List.hd provers_m) in
          Format.eprintf "Call(3) select_prover '%s'@." 
            (fst prems).Model.pr_info.DpConfig.name;
	  select_prover (fst prems);
	  (snd prems)#set_active true
      | (p',_) :: (p'',m) :: _ when current_prover == p' -> 
          Format.eprintf "Call(5) select_prover '%s'@." 
            p''.Model.pr_info.DpConfig.name;
	  select_prover p'';
	  m#set_active true
      | _ :: r -> find_next r
    in
    ignore (find_next provers_m)
  in 
  let _ = proof_factory#add_separator ()  in
  let _ = 
    proof_factory#add_image_item ~key:GdkKeysyms._N 
      ~label:"_Switch to next prover" ~callback:switch_next_prover () 
  in
  let _ = proof_factory#add_separator () in
  let hardproof = proof_factory#add_check_item 
    ~callback:(fun b -> Cache.set_hard_proof b) "_Hard proof" in
  let _ = hardproof#set_active (Cache.hard_proof ()) in
  let liveupd = proof_factory#add_check_item 
    ~callback:(fun b -> Tools.set_live b) "_Live update" in
  let _ = liveupd#set_active (Tools.live_update ()) in
  let debugd = proof_factory#add_check_item 
    ~callback:(fun b -> debug := b) "_Debug mode" in
  let _ = debugd#set_active !debug in

  (* run provers on all proof obligations *)
  List.iter
    (fun (p,vc1,vc2) -> 
       let _ =
	 vc1#connect#clicked 
	   ~callback:(fun () -> 
	      prove (run_prover_all p view model false))
       in
       let _ =
	 vc2#connect#clicked 
	   ~callback:(fun () -> 
	      prove (run_prover_all p view model false))
       in
       ())
    vc_provers;

  let _ = view#misc#connect#realize ~callback:view#expand_all in

  (* vertical paned *)
  let hb = GPack.paned `VERTICAL  ~border_width:0 ~packing:hp#add2 () in
  let _ = hb#misc#connect#realize
	  ~callback:(fun _ ->hb#set_position (!Colors.window_height*6/10 ) ) in
  let _ = hb#set_position (!Colors.window_height*9/10 ) in

  (* upper frame *)
  let fr1 = GBin.frame ~shadow_type:`ETCHED_OUT ~packing:hb#add1 () in 
  let sw1 = GBin.scrolled_window
	    ~vpolicy:`AUTOMATIC 
	    ~hpolicy:`AUTOMATIC
	    ~packing:fr1#add () 
  in

  (* lower frame *)
  let fr2 = GBin.frame ~shadow_type:`ETCHED_OUT ~packing:hb#add2 () in 
  let sw2 = GBin.scrolled_window 
	    ~vpolicy:`AUTOMATIC 
	    ~hpolicy:`AUTOMATIC
	    ~packing:(fr2#add) () 
  in

  (* bottom line *)
  let hbox = GPack.hbox ~packing:vbox#pack () in

  (* lower text view: source code *)
  let tv2 = GText.view ~packing:(sw2#add) () in
  let _ = tv2#set_editable false in
  let _ = tv2#set_wrap_mode `WORD in
  let _ = Pprinter.set_tvsource tv2 in

  (* upper text view: obligation *)
  let buf1 = GText.buffer () in 
  let tv1 = GText.view ~buffer:buf1 ~packing:(sw1#add) () in
  let _ = tv1#set_editable false in
  let _ = tv1#set_wrap_mode `WORD in
 
  modifiable_font_views := tv1#misc :: tv2#misc :: !modifiable_font_views;
  change_font ();
  (* timeout set *)
  let _ = GMisc.label ~text:" Timeout" ~xalign:0. ~packing:hbox#pack () in
  let timeout_b = GEdit.spin_button ~digits:0 ~packing:hbox#pack () in
  timeout_spin := timeout_b;
  timeout_b#adjustment#set_bounds ~lower:1. ~upper:max_float ~step_incr:1. ();
  timeout_b#adjustment#set_value (float_of_int (Tools.get_timeout ()));
  let _ = 
    timeout_b#connect#value_changed ~callback:
      (fun () -> Tools.set_timeout timeout_b#value_as_int)
  in
  (* pretty printer  *)
  let mypprint = GButton.check_button ~label:"Pretty Printer | " 
    ~active:(Pprinter.is_active ()) ~packing:hbox#pack() in
  let _ = mypprint#connect#toggled 
    ~callback:(fun () -> Pprinter.swap_active ();
		 let list = view#selection#get_selected_rows in
		 if list = [] then 
		   !flash_info "No row selected" 
		 else select_obligs model tv1 tv2 list
	      ) in

  (* status bar *)
  let status_bar = 
    GMisc.statusbar ~packing:(hbox#pack ~fill:true ~expand:true) () 
  in
(* no effect
  status_bar#misc#modify_font !statusbar_font ;
*)
  let status_context = status_bar#new_context "messages" in
  (*ignore (status_context#push "Welcome to the Why GUI");*)
  display_info := (fun s -> 
		     status_context#pop ();
		     ignore (status_context#push s));
  flash_info := (fun s -> status_context#flash ~delay:2000 s);
  
  (* for text components *)
  let _ = GtkBase.Widget.add_events tv1#as_widget
    [`ENTER_NOTIFY; `POINTER_MOTION] in
  let _ = 
    tv1#event#connect#motion_notify ~callback:
    (fun e -> 
       let win = match tv1#get_window `WIDGET with
	 | None -> assert false
	 | Some w -> w
       in
       let x,y = Gdk.Window.get_pointer_location win in
       let b_x,b_y = tv1#window_to_buffer_coords ~tag:`WIDGET ~x ~y in
       let it = tv1#get_iter_at_location ~x:b_x ~y:b_y in
       let tags = it#tags in
       if tags = [] then 
	 Tags.reset_last_colored () 
       else
	 List.iter 
	   (fun t ->
	      Tags.reset_last_colored ();
	      ignore (GtkText.Tag.event t#as_tag tv2#as_widget e it#as_iter))
	   tags;
       false)
  in
  
  (*
   * obligation selection 
   *)
  let _ =
    view#selection#connect#after#changed ~callback:
      begin fun () ->
	let list = view#selection#get_selected_rows in
        select_obligs model tv1 tv2 list
      end
  in

  (*
   * function selection 
   *)
(*
  let _ =
    files_combo#entry#event#connect#after#focus_in ~callback:
      begin fun _ev -> 
	Pprinter.move_to_source None;
	Pprinter.reset_last_file (); (* ?? pourquoi ?? *)
	false
      end
  in
*)

  (*
   * Running obligation 
   *)
  ignore 
    (view#connect#row_activated ~callback:
       (fun p col -> 
	  let row = model#get_iter p in
          let prover = 
	    match List.filter 
	      (fun (p,s) -> 
		 if s then
		   match p.Model.pr_viewcol with
		     | None -> assert false
		     | Some (vc1,_vc2) -> vc1#title = col#title
		  (* WHY c == col is not enough ???? *)
		 else false) 
	      (Model.get_prover_states ()) 
	    with
		| [p, _] -> (* case double-click in a prover column *)
                    p
		| [] -> (* case double-click in the VC explanation column *)
                    Model.get_default_prover ()
		| _ -> assert false (* should never happen *)
(*
            try Model.get_prover name 
            with Model.No_such_prover -> Model.get_default_prover ()
*)
         in
	  let s = model#get ~row ~column:Model.fullname in
	  (if model#iter_has_child row then
	     prove (run_prover_fct prover 
		      view model s false)
	   else 
	     prove (run_prover_oblig prover
		      view model s false true));
       )
    );

  (*
   * Remove default pango menu for textviews 
   *)
  ignore (tv1#event#connect#button_press ~callback:
	    (fun ev -> GdkEvent.Button.button ev = 3));
  ignore (tv2#event#connect#button_press ~callback:
	    (fun ev -> GdkEvent.Button.button ev = 3));
  (*
   * Obligations : failed with ...
   *)
  ignore 
    (tv2#event#connect#button_release ~callback:
       (fun ev -> if (GdkEvent.Button.button ev) = 3 then 
	  (match view#selection#get_selected_rows with
	     | [] -> ()
	     | p::_ ->
		 let row = model#get_iter p in
		 if not (model#iter_has_child row) then
		   try
		     let name = model#get ~row ~column:Model.fullname in
		     let failed_with = Hashtbl.find Model.fwrows name 
		     and buffer = Buffer.create 1024 in
		     Hashtbl.iter
		       (fun p m -> 
			  Buffer.add_string buffer 
			    (Model.prover_id p ^ ": \n" ^ m ^" \n\n"))
		       failed_with;
		     let tbuf = GText.buffer () in
		     tv2#set_buffer tbuf;
		     tbuf#set_text (Buffer.contents buffer);
		     Pprinter.reset_last_file ();
		     Buffer.clear buffer
		   with Not_found -> ()); 
	  false));
  
  (*
   * Startup configuration 
   *)
  (* shows first obligation *)
  let _ = 
    match !Model.first_row with
      | None -> () 
      | Some row -> 
	  let path = model#get_path row in
	  view#selection#select_path path;
	  select_obligs model tv1 tv2 [path]; 
  in

  (* Setting special icons for proved obligation in cache *)
  if Cache.is_enabled () then begin
    load_cache ();
    if not (Cache.is_empty ()) then 
      Hashtbl.iter 
	(fun _s (_,_,_,o,seq) -> 
	   let cleaned = Cache.clean seq in
	   if in_cache cleaned then begin 
	     let row = Hashtbl.find Model.orows o in
	     try 
	       Queue.iter 
		 (fun p -> 
		    try 
		      let zecol = Model.get_prover p 
		      and parent = model#get ~row ~column:Model.parent in
		      let parent = Model.find_fct parent in
		      let r = 
			model#get ~row:parent ~column:zecol.Model.pr_result 
		      in
		      model#set ~row ~column:zecol.Model.pr_icon `HARDDISK;
		      model#set ~row ~column:zecol.Model.pr_image !Tools.image_default;
		      model#set ~row ~column:zecol.Model.pr_result 1;
		      model#set ~row ~column:Model.result 1;
		      model#set ~row:parent ~column:zecol.Model.pr_result (r+1)
		    with Not_found -> ()
		 )
		 (Cache.find cleaned)
	     with Not_found -> 
	       begin 
		 print_endline ("sequent not found for "^o);
		 flush stdout
	       end
	   end
	) 
	Model.obligs;
  end;

  (* update statistics for functions *)
    Hashtbl.iter 
      (fun k row -> 
	 update_statistics model row k (model#iter_n_children (Some row)))
      Model.frows;
  w#add_accel_group accel_group;
  w#show ();
  Format.eprintf "GWhy views created.@."



(* Main *)
let _ = 
  begin
    try
      DpConfig.load_rc_file ()
    with Not_found ->
      print_endline "Why config file not found, please run why-config first.";
      exit 1
  end;
(*
  if not is_caduceus then Pprinter.desactivate ();
*)
  main ();
  GtkThread.main ()

	   
(*
Local Variables: 
compile-command: "unset LANG; make -C .. bin/gwhy.byte"
End: 
*)
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/tagsplit.mll��������������������������������������������������������������������������0000755�0001750�0001750�00000007620�12311670312�014122� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

{ 
  open Lexing
  open Format
  open Colors

  let current_tags = ref []

  let buf = Buffer.create 1024

  let is_num = 
    let r_num = Str.regexp "\\([0-9]+\\)" in
    fun tag ->
      Str.string_match r_num tag 0
	  
  let used_tags = Hashtbl.create 97

  let insert_tagged_text (tbuf:GText.buffer) (tag:string) text = 
    Hashtbl.replace used_tags tag ();
    let it = tbuf#end_iter in
    let new_tag = Tags.get_gtktag tag in 
    tbuf#insert ~tags:[new_tag] ~iter:it text

  let insert_text (tbuf:GText.buffer) tag text = 
    let (fc, bc) = get_color tag 
    and it = tbuf#end_iter in
    let new_tag = tbuf#create_tag [`BACKGROUND bc; `FOREGROUND fc] in
    tbuf#insert ~tags:[new_tag] ~iter:it text

  let output tbuf () =
    let s = Buffer.contents buf in
    Buffer.reset buf;
    match !current_tags with
      | [] -> 
	  insert_text tbuf "" s
      | p :: _ -> 
	  if Hashtbl.mem Tags.gtktags p
	  then insert_tagged_text tbuf p s
	  else insert_text tbuf p s

}

let tag = ['a'-'z' 'A'-'Z' '0'-'9' '_']+

rule split tbuf = parse
  | "<" (tag as t) ">" 
      {
	output tbuf ();
	current_tags := t :: !current_tags; 
	split tbuf lexbuf 
      }
  | "</" (tag as t) ">" 
      { 
	output tbuf ();
	match !current_tags with
	  | t' :: ct -> 
	      assert (t' = t); 
	      current_tags := ct; 
	      split tbuf lexbuf 
	  | [] -> 
	      assert false 
      }
  | [^ '<']* as s
      { Buffer.add_string buf s; split tbuf lexbuf  }
  | _ as c
      { Buffer.add_char buf c; split tbuf lexbuf }
  | eof 
      { output tbuf () }


{
  let split buf lb =
    Hashtbl.clear used_tags;
    split buf lb;
    Hashtbl.fold (fun t _ l -> t :: l) used_tags []
}
����������������������������������������������������������������������������������������������������������������why-2.34/intf/tools.ml������������������������������������������������������������������������������0000644�0001750�0001750�00000011467�12311670312�013260� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Tags

type window = 
  | Color
  | About
  | Help

let grab_infos = 
  let r_loc = Str.regexp "File \"\\(.+\\)\", line \\([0-9]+\\), characters \\([0-9]+\\)-\\([0-9]+\\)" in
  fun s -> 
    if Str.string_match r_loc s 0 then 
      let source = Filename.concat (Sys.getcwd ()) (Str.matched_group 1 s) in
      Some({file=source;
            line=(Str.matched_group 2 s);
            sp=(Str.matched_group 3 s);
            ep=(Str.matched_group 4 s)})
    else None

let decomp_name =
  let r = Str.regexp "\\(.*\\)_po_\\([0-9]+\\)" in
  fun s ->
    if Str.string_match r s 0 then
      Str.matched_group 1 s, Str.matched_group 2 s
    else
      "", s

(*
 * Live update
 *)
let live = ref true
let swap_live () = live := not !live
let set_live v = live := v
let live_update () = !live

(* 
 * Timeout 
 *)
let timeout = ref 10
let set_timeout v = timeout := v
let get_timeout () = !timeout


(* 

images, icons

*)

(* todo: size should adapt to current font_size ! *)
let image ?size f =
  let name =
    if !Colors.colorblind then f^"-bw.png" else f^"32.png" 
  in
  let n = Filename.concat Options.lib_dir (Filename.concat "images" name)
  in
  match size with
    | None ->
        GdkPixbuf.from_file n
    | Some s ->
        GdkPixbuf.from_file_at_size ~width:s ~height:s n

let boomy = ref false

let set_boomy b = boomy := b

let is_boomy () = !boomy 


let iconname_default = "pause"
let iconname_running = "play"
let iconname_valid = "accept"
let iconname_unknown = "help"
let iconname_invalid = "delete"
let iconname_timeout = "clock"
let iconname_failure = "bug"
let iconname_yes = "accept"
let iconname_no = "delete"
let iconname_down = "play"

let image_default = ref (image ~size:32 iconname_default)
let image_running = ref !image_default
let image_valid = ref !image_default
let image_unknown = ref !image_default
let image_invalid = ref !image_default
let image_timeout = ref !image_default
let image_failure = ref !image_default
let image_yes = ref !image_default
let image_no = ref !image_default
let image_down = ref !image_default

let resize_images size =
  image_default := image ~size iconname_default;
  image_running := image ~size iconname_running;
  image_valid := image ~size iconname_valid;
  image_unknown := image ~size iconname_unknown;
  image_invalid := image ~size iconname_invalid;
  image_timeout := image ~size iconname_timeout;
  image_failure := image ~size iconname_failure;
  image_yes := image ~size iconname_yes;
  image_no := image ~size iconname_no;
  image_down := image ~size iconname_down


let () = resize_images (!Colors.font_size * 2 - 4)
  
  
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/cache.ml������������������������������������������������������������������������������0000755�0001750�0001750�00000012711�12311670312�013157� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Options
open Marshal
open Digest
open Logic
open Cc

let flags = []
let max_size = ref 5000 (* maximum cache size *)
let cache = ref (Hashtbl.create 97)
let source_file = "gwhy.cache"
let active = ref false
let obligs = ref true
let ok = ref true

let enable () = active := true
let disable () = active := false
let set_active v = active := v
let swap_active () = active := not !active
let is_enabled () = !active

let swap_hard_proof () = obligs := not !obligs
let set_hard_proof v = obligs := v
let hard_proof () = !obligs

let exists p o = 
  try 
    Queue.iter 
      (fun pr -> if p = pr then raise Exit) 
      (Hashtbl.find !cache o); 
    false
  with Exit -> true

let read_cache () = 
  try
    let in_channel = open_in_bin source_file in
    cache := from_channel in_channel
  with 
    | Sys_error s -> 
	print_endline ("     [...] Sys_error : "^s); 
	flush stdout
    | End_of_file -> 
	print_endline ("     [...] cache empty !"); 
	flush stdout
    | _ -> 
	print_endline ("     [...] error while loading cache !"); 
	flush stdout

let clean seq =
  let (ctx, p) = seq.Env.scheme_type in
  let rec clean0 = function 
    | Pvar _ | Papp (_, _, _) | Ptrue | Pfalse as p -> p
    | Pimplies (i, p1, p2) -> 
	Pimplies (i, clean0 p1, clean0 p2)
    | Pif (t, p1, p2) ->
      Pif (t, clean0 p1, clean0 p2)
    | Pand (wp, sym, p1, p2) ->
	Pand (wp, sym, clean0 p1, clean0 p2)
    | Por (p1, p2) ->
	Por (clean0 p1, clean0 p2)
    | Piff (p1, p2) ->
	Piff (clean0 p1, clean0 p2)
    | Pnot p ->
	Pnot (clean0 p)
    | Forall (wp, id1, id2, pt, tl, p) ->
	Forall (wp, id1, id2, pt, tl, clean0 p)
    | Forallb (wp, p1, p2) ->
	Forallb (wp, clean0 p1, clean0 p2)
    | Exists (id1, id2, pt, p) ->
	Exists (id1, id2, pt, clean0 p)
    | Plet (x, n, pt, t, p) ->
	Plet (x, n, pt, t, clean0 p)
    | Pnamed (_, p) ->
	clean0 p
  and clean1 = function 
    | Svar _ as c -> c
    | Spred (id, p) -> Spred (id, clean0 p)
  in 
  (List.map clean1 ctx, clean0 p)
	  
let fool () = Hashtbl.length !cache > !max_size 
  (* i mean fool ... cache doesn't want to do his job *)
let is_full = ref false

let load_cache () =
  if not (Sys.file_exists source_file) then
    begin
      let xc = Sys.command ("touch " ^ source_file) in
      if xc <> 0 then
	begin
	  ok := false;
	  print_endline ("     [...] Error : cannot create cache file "^source_file^" !"); 
	  flush stdout;
	end
    end;
  if !ok then read_cache ();
  is_full := fool ()
    
let save () = 
  let out_channel = open_out_bin source_file in
  to_channel out_channel !cache flags;
  close_out out_channel

let clear () = 
  Hashtbl.clear !cache;
  save ()

let remove x = Hashtbl.remove !cache x
let in_cache x = Hashtbl.mem !cache x
let find x = Hashtbl.find !cache x
let is_empty () = Hashtbl.length !cache = 0
let o_in_cache o = let (_,_,seq) = o in in_cache seq

let add (seq:Cc.sequent Env.scheme) (prover:string) = 
  let o = clean seq in
  if not !is_full then begin
    if in_cache o then
      begin 
	if not (exists prover o) then
	  Queue.add prover (Hashtbl.find !cache o) 
      end
    else
      begin 
	let q = Queue.create () in
	let _ = Queue.add prover q in
	Hashtbl.add !cache o q;
	is_full := fool ()
      end
  end;
  save () (* actually, must be done when exiting gui *)

�������������������������������������������������������why-2.34/intf/pprinter.ml���������������������������������������������������������������������������0000755�0001750�0001750�00000031653�12311670312�013765� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Options
open Misc
open Vcg
open Logic
open Cc
open Format
open Colors
open Tagsplit
open Tags

let obligs = Hashtbl.create 5501
let pprinter = Hashtbl.create 5501
let files = Hashtbl.create 10
let last_fct = ref ""
let last_line = ref 0
let last_file = ref ""
let pwd = Sys.getcwd ()
let source = ref ""
let tv_source = ref (GText.view ())

let active = ref false
let desactivate () = active := false
let activate () = active := true
let swap_active () = active := not !active
let is_active () = !active

let set_tvsource tvs = tv_source := tvs

let reset_last_file () = 
  last_file := ""

let print_loc = function 
  | None -> "\"nowhere\""
  | Some {file=f; line=l; sp=s; ep=e} ->
      let ff = if Filename.is_relative f then Filename.concat pwd f else f in
      ("file \""^ff^"\", line "^l^", characters "^s^" - "^e)

let is_cfile f = 
  Filename.check_suffix f ".c" || Filename.check_suffix f ".h"
  (* otherwise it's .why *)

let read_file = function 
  | None -> ()
  | Some {file=f} ->
      try
	let in_channel = open_in f in
	begin 
	  try
            let lexbuf = Lexing.from_channel in_channel 
	    and hilight = 
	      if is_cfile f then Hilight.token else Whyhilight.scan 
	    in
            while true do hilight !tv_source#buffer lexbuf done
	  with Hilight.Eof | Whyhilight.Eof -> ()
	end;
      with Sys_error s -> 
	begin
	  print_endline ("     [...] Sys_error : "^s); flush stdout;
	  !tv_source#buffer#set_text "" 
	end

let hypo = (* Model : HW_11 *)
  let r_hyp = Str.regexp "\\HW_\\([0-9]+\\)" in
  fun s ->
    if Str.string_match r_hyp s 0 then
      (Str.matched_group 1 s)
    else
      s

let hypothesis s = 
  "H"^(hypo s)

let grab_infos = 
  let r_loc = Str.regexp "File \"\\(.+\\)\", line \\([0-9]+\\), characters \\([0-9]+\\)-\\([0-9]+\\)" in
  fun s -> 
    if Str.string_match r_loc s 0 then 
      let source = Filename.concat pwd (Str.matched_group 1 s) in
      Some({file=source;
            line=(Str.matched_group 2 s);
            sp=(Str.matched_group 3 s);
            ep=(Str.matched_group 4 s)})
    else None
      
let is_localised = function 
  | None -> false
  | Some _ -> true

let move_to_line line = 
  if line <= !tv_source#buffer#line_count && line <> 0 then begin
    let it = !tv_source#buffer#get_iter (`LINE line) in 
    let mark = `MARK (!tv_source#buffer#create_mark it) 
    (* and y = if !tv_source#buffer#line_count < 20 then 0.23 else 0.1  *)
    in
    !tv_source#scroll_to_mark ~use_align:true ~yalign:0.5 mark;
    if debug then
      begin 
	print_endline ("     [...] Moving to line n "^(string_of_int line)); 
	flush stdout 
      end
  end

let color_tag_table = Hashtbl.create 17

let color_loc file (tv:GText.view) l b e =
  let buf = tv#buffer in
  let orange_bg = 
    try
      Hashtbl.find color_tag_table file
    with Not_found ->
      let t = buf#create_tag ~name:"orange_bg" [`BACKGROUND "orange"] in
      Hashtbl.add color_tag_table file t;
      t
  in
  buf#remove_tag orange_bg ~start:buf#start_iter ~stop:buf#end_iter;
  let top = buf#start_iter in
  let start = top#forward_lines (l-1) in
  let start = start#forward_chars b in
  let stop = start#forward_chars (e-b) in
  buf#apply_tag ~start ~stop orange_bg
  

let banner () =
"

Welcome to GWhy (the Graphical VC viewer for the Why platform)
This is Why version " ^ Version.version ^ 
", compiled on " ^ Version.date ^ "
Copyright (c) 2002-2010 ProVal team, INRIA
This is free software with ABSOLUTELY NO WARRANTY (use option -warranty)"

let move_to_source = function
  | None -> 
      last_file := "";
      begin
	try
	  !tv_source#set_buffer (Hashtbl.find files "")
	with Not_found ->
	  !tv_source#set_buffer (GText.buffer ());
	  let b = !tv_source#buffer in
	  b#set_text (banner());
	  begin
	    try
	      let why_logo = Tools.image "why-logo-1" in
	      b#insert_pixbuf ~iter:b#start_iter ~pixbuf:why_logo 
	    with _ -> 
	      b#insert ~iter:b#start_iter "(Why logo: image not found)"	      
	  end;
	  b#insert ~iter:b#start_iter "\n\t";
	  Hashtbl.add files "" b
      end
  | Some loc ->
      let line = int_of_string loc.line
      and file = loc.file in
      last_line := line;
      if !last_file = file then 
	move_to_line line
      else begin 
	last_file := file;
	if (Hashtbl.mem files file) && (not (Colors.has_changed ())) then 
	  !tv_source#set_buffer (Hashtbl.find files file)
	else begin
	  !tv_source#set_buffer (GText.buffer ());
	  read_file (Some loc);
	  Hashtbl.add files file !tv_source#buffer;
	  Hashtbl.remove color_tag_table file;
	end;
	move_to_line line
      end

 
let move_to_loc loc =
  move_to_source (Some loc);
  color_loc loc.file !tv_source (int_of_string loc.line) 
    (int_of_string loc.sp) (int_of_string loc.ep)

let rec intros ctx = function 
  | Forall (true, id, n, t, _, p) ->
      let id' = Ident.next_away id (predicate_vars p) in
      let p' = subst_in_predicate (subst_onev n id') p in
      let ctx', concl' = intros (Svar (id', t) :: ctx) p' in
      ctx', concl'
  | Pimplies (true, a, b) -> 
      let h = fresh_hyp () in 
      let ctx', concl' = intros (Spred (h, a) :: ctx) b in
      ctx', concl'
  (* TODO: Pnamed ? *)
  | c -> 
      ctx, c

let create_tag (tbuf:GText.buffer) t loc = 
  if not (Hashtbl.mem gtktags t) then begin
    let (fc, bc) = get_color "lpredicate" in
    let new_tag = 
      Tags.make_tag tbuf ~name:(bc^fc) [`BACKGROUND fc; `FOREGROUND bc]
    in
    ignore(
      new_tag#connect#event ~callback:
	(fun ~origin:_ ev _it ->
	   if GdkEvent.get_type ev = `BUTTON_PRESS then 
	     move_to_source (Some loc)
	   else if GdkEvent.get_type ev = `MOTION_NOTIFY then begin
	     Tags.refresh_last_colored [new_tag];
	     new_tag#set_properties 
	       [`BACKGROUND (get_bc "pr_hilight"); 
		`FOREGROUND (get_fc "pr_hilight")]
	   end;
	   false));
    add_gtktag t new_tag
  end

let create_all_tags (tbuf:GText.buffer) = 
  Hashtbl.iter (create_tag tbuf) Tags.loctags

let print_oblig fmt (ctx,concl) = 
  let print_pure_type, print_predicate = 
    if is_active () 
    then Astprinter.print_pure_type, Astpprinter.print_predicate
    else Astprinter.print_pure_type, Astnprinter.print_predicate
  in 
  let ctx, _concl = intros ctx concl in
  let rec print_list print = function
    | [] -> ()
    | p::r -> print p; fprintf fmt "@\n"; print_list print r 
  and print_name fmt id =
    let hypo_nb = hypo (Ident.string id) in
    fprintf fmt "%s" (hypothesis hypo_nb)
  and print_hyp fmt = function
    | Svar (id, t) ->
	fprintf fmt "@[@{<var>%a:@}@ @{<cc_type>%a@}@]" 
	  Ident.print id print_pure_type t
    | Spred (id, p) ->
	fprintf fmt "@[@{<hypothesis>%a:@} @{<predicate>%a@}@]" 
	  print_name id print_predicate p
  in
  print_list (print_hyp fmt) ctx

let is_buffer_saved = 
  Hashtbl.mem obligs

let save_buffer s (tbuf:GText.buffer) pprint = 
  Hashtbl.replace obligs s tbuf;
  Hashtbl.replace pprinter s pprint

let get_buffer = 
  Hashtbl.find obligs

let color_lines tags =
  let buf = !tv_source#buffer in
  let top = buf#start_iter in
  let orange_bg = Tags.make_tag buf ~name:"orange_bg" [`BACKGROUND "orange"] in
  (*
  buf#remove_tag_by_name ~start:buf#start_iter ~stop:buf#end_iter "orange_bg";
  *)
  let color_one t = 
    let loc = Hashtbl.find loctags t in
    let l = int_of_string loc.line in
    let start = top#forward_lines l in
    let stop = start#forward_line in
    buf#apply_tag ~start ~stop orange_bg
  in
  List.iter color_one tags
  
let print_all (tbuf:GText.buffer) s p = 
  insert_text tbuf "title" (s^"\n\n");
  (* 1. we print the text in a string, which fills the table loctags *)
  let fmt = Format.str_formatter in
  pp_set_tags fmt true;
  let str = 
    fprintf fmt "@[%a@]" print_oblig p;
    flush_str_formatter ()
  in
  (* 2. then we create the GTK tags and map them to the tag names *)
  create_all_tags tbuf;
  (* 3. then we fill the GTK text buffer using Tagsplit.split *)
  let _utags = split tbuf (Lexing.from_string str) in
  let (_,concl) = p in
  let fc = get_fc "separator" in
  let bc = get_bc "separator" in
  let mytag = 
    Tags.make_tag tbuf
      ~name:("s"^fc^bc)
      [`UNDERLINE `SINGLE;
       `FOREGROUND fc; 
       `BACKGROUND bc] 
  in
  tbuf#insert ~tags:[mytag] ~iter:tbuf#end_iter 
    "              \n\n";
  let conclusion = 
    let print_predicate = 
      if is_active () 
      then Astpprinter.print_predicate
      else Astnprinter.print_predicate
    in 
    fprintf fmt "@[@{<conclusion>%a@}@]" print_predicate concl;
    create_all_tags tbuf;
    flush_str_formatter () 
  in
  let _utags' = split tbuf (Lexing.from_string conclusion) in
  (*color_lines (utags @ utags');*)
  ()

let unchanged s pprint = 
  (not (Colors.has_changed ())) &&
  (is_buffer_saved s) 
  && (try 
	(Hashtbl.find pprinter s) = pprint
      with Not_found -> pprint)

let is_ident_char s = String.length s = 1 && match s.[0] with
  | 'a'..'z' | 'A'..'Z' | '_' | '0'..'9' -> true
  | _ -> false

let show_definition (tv:GText.view) (_tv_s:GText.view) = 
  let buf = tv#buffer in
  let find_backward (it:GText.iter) = 
    let rec find start stop = 
      if start = buf#start_iter then
	start 
      else
	let c = buf#get_text ~start ~stop () in
	if is_ident_char c then find (start#backward_char) start else stop
    in 
    find (it#backward_char) it
  in
  let find_forward (it:GText.iter) = 
    let rec find start stop = 
      if stop = buf#end_iter then
	stop
      else
	let c = buf#get_text ~start ~stop () in
	if is_ident_char c then find stop (stop#forward_char) else start
    in 
    find it (it#forward_char)
  in
  let buf = tv#buffer in
  let win = match tv#get_window `WIDGET with
    | None -> assert false
    | Some w -> w
  in
  let x,y = Gdk.Window.get_pointer_location win in
  let b_x,b_y = tv#window_to_buffer_coords ~tag:`WIDGET ~x ~y in
  let it = tv#get_iter_at_location ~x:b_x ~y:b_y in
  let start = if (it = buf#start_iter) then it else find_backward it in
  let stop = if (it = buf#end_iter) then it else find_forward it in
  let text = buf#get_text ~start ~stop () in
  if start <> stop && text <> "" then begin
    try 
      let (f,l,b,e) = Loc.ident text in
      let loc = {file=f; 
		 line=(string_of_int l); 
		 sp=(string_of_int b); 
		 ep=(string_of_int e)} 
      in 
      (*
       * print_endline (text ^ "  " ^ (print_loc (Some(loc)))); 
       * flush stdout;
       *)
      move_to_source (Some loc)
    with Not_found -> ()
  end
    
let text_of_obligation (tv:GText.view) (_o,_,_expl,s,p) = 
  let p = p.Env.scheme_type in
  last_fct := s;
  if (unchanged s (is_active ())) then 
    tv#set_buffer (get_buffer s)
  else begin
    let tbuf = GText.buffer () in
    tv#set_buffer tbuf;
    let _ = 
      tv#event#connect#button_release 
	~callback:(fun ev -> 
		     if GdkEvent.Button.button ev = 3 then
		       show_definition tv !tv_source; 
		     false)
    in
    print_all tbuf s p;
    save_buffer s tbuf (is_active ());
  end
�������������������������������������������������������������������������������������why-2.34/intf/astpprinter.ml������������������������������������������������������������������������0000755�0001750�0001750�00000017506�12311670312�014476� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Logic
open Cc
open Ident
open Format
open Misc
open Pp
open Tags
open Astprinter

let print_term fmt t = 
  let rec print0 fmt t =
    print1 fmt t
  and print1 fmt = function
    | Tapp (id, [a;b], _) when id == t_add_int || id == t_add_real ->
	fprintf fmt "%a +@ %a" print1 a print2 b
    | Tapp (id, [a;b], _) when id == t_sub_int || id == t_sub_real ->
	fprintf fmt "%a -@ %a" print1 a print2 b
    | t ->
	print2 fmt t
  and print2 fmt = function
    | Tapp (id, [a;b], _) when id == t_mul_int || id == t_mul_real ->
	fprintf fmt "%a *@ %a" print2 a print3 b
    | Tapp (id, [a;b], _) when (* id == t_div_int || *) id == t_div_real ->
	fprintf fmt "@[%a /@ %a@]" print2 a print3 b
(*
    | Tapp (id, [a;b], _) when id == t_mod_int ->
	fprintf fmt "@[%a@ %%@ %a@]" print2 a print3 b
*)
    | t ->
	print3 fmt t
  and print3 fmt = function
    | Tconst (ConstInt n) -> 
	fprintf fmt "%s" n
    | Tconst (ConstBool b) -> 
	fprintf fmt "%b" b
    | Tconst ConstUnit -> 
	fprintf fmt "tt" 
    | Tconst (ConstFloat c) -> 
	Print_real.print fmt c
    | Tvar id when id == implicit ->
	fprintf fmt "<?>"
    | Tvar id when id == t_zwf_zero ->
	fprintf fmt "<Zwf(0)>"
    | Tvar id | Tapp (id, [], _) -> 
	Ident.print fmt id
    | Tderef _ ->
	assert false
    | Tapp (id, _, _) as t when Ident.string id = "acc" ->
	print_fct_acc fmt t
    | Tapp (id, _, _) as t when Ident.string id = "shift" ->
	print_fct_shift fmt t
    | Tapp (id, [t], _) when id == t_neg_int || id == t_neg_real ->
	fprintf fmt "(- %a)" print3 t
    | Tapp (id, [_;_], _) as t when is_int_arith_binop id ->
	fprintf fmt "@[(%a)@]" print0 t
    | Tapp (id, [a; b; c], _) when id == if_then_else -> 
	fprintf fmt "(@[if %a then@ %a else@ %a@])" print0 a print0 b print0 c
    | Tapp (id, tl, _) -> 
	fprintf fmt "@[%s(%a)@]" (Ident.string id) print_terms tl
    | Tnamed (User n, t) ->
	(match (Tools.grab_infos n) with
	   | None -> fprintf fmt "@[%a@]" print3 t
	   | Some l ->
	       let n = new_tag l in
	       pp_open_tag fmt n;
	       fprintf fmt "@[%a@]" print3 t;
	       pp_close_tag fmt ()
	)
    | Tnamed (Internal _n, t) ->
	fprintf fmt "@[%a@]" print3 t
  and print_terms fmt tl =
    print_list comma print3 fmt tl
  and is_shift = function 
    | Tapp (id, _, _) when (Ident.string id = "shift") -> true
    | _ -> false
  and print_fct_acc fmt = function
	| Tapp (_id, [m; term], _) -> 
	    if (is_shift term) 
	    then fprintf fmt "%a{%a}" print_fct_acc_shift term print3 m
	    else fprintf fmt "%a{%a}" print3 term print3 m
	| t -> print3 fmt t
  and print_fct_acc_shift fmt = function 
    | Tapp (_id, [p; offset], _) -> fprintf fmt "%a[%a]" print3 p print3 offset;
    | t -> print3 fmt t
  and print_fct_shift fmt = function
	 | Tapp (_id, [p; offset], _) -> 
	     fprintf fmt "%a + %a" print3 p print3 offset
	 | t -> print3 fmt t
  in
  print1 fmt t

let pprefix_id id =
  if id == t_lt || id == t_lt_int || id == t_lt_real then "<" 
  else if id == t_le || id == t_le_int || id == t_le_real then "<="
  else if id == t_gt || id == t_gt_int || id == t_gt_real then ">"
  else if id == t_ge || id == t_ge_int || id == t_ge_real then ">="
  else if is_eq id then "=="
  else if is_neq id then "!="
  else assert false

let print_predicate fmt p =
  let rec print0 fmt = function
    | Pif (a, b, c) -> 
	fprintf fmt "(@[if %a@ then %a@ else %a@])"
	  print_term a print0 b print0 c
    | Pimplies (_, a, b) -> 
	fprintf fmt "@[%a =>@ %a@]" print1 a print0 b
    | Piff (a, b) -> 
	fprintf fmt "@[%a <=>@ %a@]" print1 a print0 b
    | p -> print1 fmt p
  and print1 fmt = function
    | Por (a, b) -> fprintf fmt "@[%a ||@ %a@]" print2 a print1 b
    | p -> print2 fmt p
  and print2 fmt = function
    | Pand (_, _, a, b) -> 
	fprintf fmt "@[%a &&@ %a@]" print3 a print2 b
    | Forallb (_, a, b) -> 
        fprintf fmt "@[%a &&@ %a@]" print3 a print2 b
    | p -> print3 fmt p
  and print3 fmt = function
    | Ptrue -> 
	fprintf fmt "\\true"
    | Pvar id when id == Ident.default_post ->
	fprintf fmt "\\true"
    | Pfalse -> 
	fprintf fmt "\\false"
    | Pvar id -> 
	Ident.print fmt id
    | Papp (id, [t], _) when id == well_founded ->
	fprintf fmt "@[well_founded(%a)@]" print_term t
    | Papp (id, [a;b], _) when id == t_zwf_zero -> 
	fprintf fmt "(@[0 <= %a && %a < %a@])" 
	  print_term b print_term a print_term b
    | Papp (id, [a;b], _) when is_relation id ->
	fprintf fmt "@[%a %s@ %a@]" 
	  print_term a (pprefix_id id) print_term b
    | Papp (id, l, _) ->
	fprintf fmt "@[%a(%a)@]" Ident.print id
	  (print_list comma print_term) l
    | Pnot p -> 
	fprintf fmt "! %a" print3 p
    | Forall (_,id,n,t,_,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[\\forall %a %s;@ %a@])" 
	  print_pure_type t (Ident.string id') print0 p'
    | Exists (id,n,t,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[\\exists %a %s;@ %a@])"
	  print_pure_type t (Ident.string id') print0 p'
    | Plet (id,n,_, t,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[let %s = %a in@ %a@])"
	  (Ident.string id') print_term t print0 p'
    | Pnamed (User n, p) ->
	(match (Tools.grab_infos n) with
	   | None -> fprintf fmt "@[%a@]" print3 p
	   | Some l ->
	       let n = new_tag l in
	       pp_open_tag fmt n;
	       fprintf fmt "@[%a@]" print3 p;
	       pp_close_tag fmt ()
	)
    | Pnamed (Internal _n, p) ->
	fprintf fmt "@[%a@]" print3 p
    | (Por _ | Piff _ | Pand _ | Pif _ | Pimplies _ | Forallb _) as p -> 
	fprintf fmt "@[(%a)@]" print0 p
  in
  print0 fmt p
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/whyhilight.mll������������������������������������������������������������������������0000644�0001750�0001750�00000010223�12311670312�014441� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

{
  open Lexing
  open Colors

  exception Eof
  
  let insert_text (tbuf:GText.buffer) ty s = 
    let it = tbuf#end_iter in
    let (fc, bc) = get_color ty in
    let new_tag = 
      Tags.make_tag tbuf ~name:(fc^bc) [`BACKGROUND bc; `FOREGROUND fc] 
    in
    tbuf#insert ~tags:[new_tag] ~iter:it s 

  let insert_string (tbuf:GText.buffer) s =
    let it = tbuf#end_iter in
    tbuf#insert ~iter:it s 

  let buffer = Buffer.create 1024
}

let keyw = "goal" | "external" | "parameter" | "logic" | "predicate" | "axiom" |
    "let" | "in" | "begin" | "end" | "if" | "then" | "else" | "of" |
    "ref" | "array" | "while" | "do" | "done" | "assert" | "label" | 
    "fun" | "rec" | "forall" | "and" | "->" | "type" | "exception"
let alpha = ['a'-'z' 'A'-'Z']
let digit = ['0'-'9']
let ident = (alpha | '_' | digit)+

rule scan tbuf = parse
  | "(*"  { let t = Buffer.contents buffer in
	    insert_string tbuf t; 
	    Buffer.clear buffer;
	    insert_text tbuf "comment" "(*";
	    comment tbuf lexbuf; 
	    scan tbuf lexbuf }
  | "{"   { let t = Buffer.contents buffer in
	    insert_string tbuf t; 
	    Buffer.clear buffer;
	    insert_text tbuf "predicate" "{";
	    annotation tbuf lexbuf; 
	    scan tbuf lexbuf }
  | keyw  { insert_text tbuf "keyword" (lexeme lexbuf);
	    scan tbuf lexbuf }
  | eof   { raise Eof }
  | ident { insert_string tbuf (lexeme lexbuf); 
	    scan tbuf lexbuf }
  | _     { insert_string tbuf (lexeme lexbuf); 
	    scan tbuf lexbuf }

and comment tbuf = parse
  | "(*" { insert_text tbuf "comment" "(*"; 
	   comment tbuf lexbuf; 
	   comment tbuf lexbuf }
  | "*)" { insert_text tbuf "comment" "*)" }
  | eof  { () }
  | [^ '*']*
  | _    { insert_text tbuf "comment" (lexeme lexbuf); 
	   comment tbuf lexbuf }

and annotation tbuf = parse
  | "}"  { insert_text tbuf "predicate" "}" }
  | eof  { () }
  | _    { insert_text tbuf "predicate" (lexeme lexbuf); 
	   annotation tbuf lexbuf }
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/astnprinter.ml������������������������������������������������������������������������0000755�0001750�0001750�00000017026�12311670312�014471� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Logic
open Cc
open Ident
open Format
open Misc
open Pp
open Tags
open Astprinter

let print_term fmt t = 
  let rec print0 fmt t = 
    print1 fmt t
  and print1 fmt = function
    | Tapp (id, [a;b], _) when id == t_add_int || id == t_add_real ->
	fprintf fmt "@[%a +@ %a@]" print1 a print2 b
    | Tapp (id, [a;b], _) when id == t_sub_int || id == t_sub_real ->
	fprintf fmt "@[%a -@ %a@]" print1 a print2 b
    | t ->
	print2 fmt t
  and print2 fmt = function
    | Tapp (id, [a;b], _) when id == t_mul_int || id == t_mul_real ->
	fprintf fmt "@[%a *@ %a@]" print2 a print3 b
    | Tapp (id, [a;b], _) when (* id == t_div_int || *) id == t_div_real ->
	fprintf fmt "@[%a /@ %a@]" print2 a print3 b
(*
    | Tapp (id, [a;b], _) when id == t_mod_int ->
	fprintf fmt "@[%a %%@ %a@]" print2 a print3 b
*)
    | t ->
	print3 fmt t
  and print3 fmt = function
    | Tconst (ConstInt n) -> 
	fprintf fmt "%s" n
    | Tconst (ConstBool b) -> 
	fprintf fmt "%b" b
    | Tconst ConstUnit -> 
	fprintf fmt "void" 
    | Tconst (ConstFloat c) ->
	Print_real.print fmt c
    | Tvar id when id == implicit ->
	fprintf fmt "<?>" (* should not happen *)
    | Tvar id when id == t_zwf_zero ->
	fprintf fmt "<Zwf(0)>" (* should not happen *)
    | Tvar id | Tapp (id, [], _) -> 
	Ident.print fmt id
    | Tderef _ ->
	assert false
    | Tapp (id, [t], _) when id == t_neg_int || id == t_neg_real ->
	fprintf fmt "-%a" print3 t
    | Tapp (id, [_;_], _) as t when is_arith_binop id ->
	fprintf fmt "@[(%a)@]" print0 t
    | Tapp (id, [a; b; c], _) when id == if_then_else -> 
	fprintf fmt "(@[if %a then@ %a else@ %a@])" print0 a print0 b print0 c
    | Tapp (id, tl, _) -> 
	fprintf fmt "@[%s(%a)@]" (Ident.string id) print_terms tl
    | Tnamed (User n, t) ->
	(match (Tools.grab_infos n) with
	   | None -> 
	       fprintf fmt "@[%a@]" print3 t
	   | Some l ->
	       let n = new_tag l in
	       pp_open_tag fmt n;
	       fprintf fmt "@[%a@]" print3 t;
	       pp_close_tag fmt ()
	)
    | Tnamed (Internal n, t) ->
	begin
	  try
	    let _xpl = Hashtbl.find Util.explanation_table n in
	    (* TODO *)
	    (* let n = new_tag xpl in
	    pp_open_tag fmt n;
	    *)
	    fprintf fmt "@[%a@]" print3 t;
	    (* pp_close_tag fmt () *)
	    
	  with
	      Not_found -> fprintf fmt "@[%a@]" print3 t
	end
  and print_terms fmt tl =
    print_list comma print3 fmt tl
  in
  print1 fmt t

let pprefix_id id =
  if id == t_lt || id == t_lt_int || id == t_lt_real then "<" 
  else if id == t_le || id == t_le_int || id == t_le_real then "<="
  else if id == t_gt || id == t_gt_int || id == t_gt_real then ">"
  else if id == t_ge || id == t_ge_int || id == t_ge_real then ">="
  else if is_eq id then "="
  else if is_neq id then "<>"
  else assert false

let print_predicate fmt p =
  let rec print0 fmt = function
    | Pif (a, b, c) -> 
	fprintf fmt "(@[if %a@ then %a@ else %a@])"
	  print_term a print0 b print0 c
    | Pimplies (_, a, b) -> 
	fprintf fmt "@[%a ->@ %a@]" print1 a print0 b
    | Piff (a, b) -> 
	fprintf fmt "@[%a <->@ %a@]" print1 a print0 b
    | p -> print1 fmt p
  and print1 fmt = function
    | Por (a, b) -> fprintf fmt "@[%a or@ %a@]" print2 a print1 b
    | p -> print2 fmt p
  and print2 fmt = function
    | Pand (_, _, a, b) | Forallb (_, a, b) -> 
        fprintf fmt "@[%a and@ %a@]" print3 a print2 b
    | p -> print3 fmt p
  and print3 fmt = function
    | Ptrue -> 
	fprintf fmt "true"
    | Pvar id when id == Ident.default_post ->
	fprintf fmt "true"
    | Pfalse -> 
	fprintf fmt "false"
    | Pvar id -> 
	Ident.print fmt id
    | Papp (id, [t], _) when id == well_founded ->
	fprintf fmt "@[well_founded(%a)@]" print_term t
    | Papp (id, [a;b], _) when id == t_zwf_zero ->
	fprintf fmt "zwf(0, %a, %a)" print_term a print_term b
    | Papp (id, [a;b], _) when is_relation id ->
	fprintf fmt "@[%a %s %a@]" 
	print_term a (pprefix_id id) print_term b
    | Papp (id, l, _) ->
	fprintf fmt "@[@[%a(%a@])@]" Ident.print id
	  (print_list comma print_term) l
    | Pnot p -> 
	fprintf fmt "not %a" print3 p
    | Forall (_,id,n,t,_,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[forall %s:%a.@ %a@])" (Ident.string id')
	  print_pure_type t print0 p'
    | Exists (id,n,t,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[exists %s:%a,@ %a@])" (Ident.string id')
	  print_pure_type t print0 p'
    | Plet (id,n,_, t,p) -> 
	let id' = next_away id (predicate_vars p) in
	let p' = subst_in_predicate (subst_onev n id') p in
	fprintf fmt "(@[let %s = %a in@ %a@])" (Ident.string id')
	  print_term t print0 p'
    | Pnamed (User n, p) ->
	(match (Tools.grab_infos n) with
	   | None -> 
	       fprintf fmt "@[%a@]" print3 p
	   | Some l ->
	       let n = new_tag l in
	       pp_open_tag fmt n;
	       fprintf fmt "@[%a@]" print3 p;
	       pp_close_tag fmt ()
	)
    | Pnamed (Internal n, p) ->
	begin
	  try
	    let _xpl = Hashtbl.find Util.explanation_table n in
	    (* TODO *)
	    (* let n = new_tag xpl in
	    pp_open_tag fmt n;
	    *)
	    fprintf fmt "@[%a@]" print3 p;
	    (* pp_close_tag fmt () *)
	    
	  with
	      Not_found -> fprintf fmt "@[%a@]" print3 p
	end
    | (Por _ | Piff _ | Pand _ | Pif _ | Pimplies _ | Forallb _) as p -> 
	fprintf fmt "@[(%a)@]" print0 p
  in
  print0 fmt p
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/viewer.ml�����������������������������������������������������������������������������0000644�0001750�0001750�00000032567�12311670312�013425� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



open Format
open Options
open Ast
open Env

let _ = gui := true

let typed_progs = ref []

let deal_file f =
  Loc.set_file f;
  Main.reset ();
  let cin = open_in f in 
  (*c_file := Filename.check_suffix f ".c";*)
  let parsef = (*if !c_file then Main.c_parser else *) Main.why_parser in
  let p = parsef cin in
  if parse_only then exit 0;
  List.iter Main.interp_decl p;
  typed_progs := (f, List.rev !Main.typed_progs) :: !typed_progs;
  close_in cin

let _ =
  if prelude then Main.load_prelude ();
  if files = [] then begin eprintf "usage: gwhy files@."; exit 1 end;
  try
    List.iter deal_file Options.files;
    typed_progs := List.rev !typed_progs
  with e ->
    Report.explain_exception err_formatter e;
    pp_print_newline err_formatter ();
    exit 1

module Tree = struct

  type t = typed_program
	     
  type info = Loc.t * string

  let info = 
    let buf = Buffer.create 1024 in
    let fmt = formatter_of_buffer buf in
    fun x -> 
      fprintf fmt "%a@." Util.print_typing_info x.info;
      let s = Buffer.contents buf in
      Buffer.reset buf;
      let loc = 
	let (b,e) = x.info.t_loc in b.Lexing.pos_cnum, e.Lexing.pos_cnum 
      in
      loc, s

  let show_info_ref = ref (fun i -> ())
  let show_info i = !show_info_ref i

  let rec statements = function
    | [] -> []
    | Statement x :: bl -> x :: statements bl
    | _ :: bl -> statements bl

  let children x = match x.desc with
    | Lam (_, e)
    | Rec (_, _, _, _, e)
    | Loop (_,_,e)
    | Raise (_, Some e) -> [e]
    | LetIn (_, e1, e2)
    | LetRef (_, e1, e2) -> [e1; e2]
    | App (e1, Term e2, _) -> [e2; e1]
    | App (e, _, _) -> [e]
    | If (e1, e2, e3) -> [e1; e2; e3]
    | Seq bl -> statements bl
    | Try (e, pl) -> e :: List.map snd pl
    | Raise _ 
    | Var _ | Expression _ | Absurd | Any _ -> []

end

module NavTree = Navig.MakeNavTree(Tree)
module Nav = Navig.MakeNavigator(NavTree)
let navigation = ref false

(* load source files and store them in an array *)

type source_file = { 
  filename : string;
  text : Hilight.token list;
  asts : typed_program list
}

open Hilight

let load_source file = 
  try
    let ic = open_in_bin file in 
    let lb = Lexing.from_channel ic in
    let s = 
      if Filename.check_suffix file ".c" 
      then Hilight.next_code_c lb else Hilight.next_code lb
    in
    close_in ic;
    s
  with _ -> 
    eprintf "warning: couldn't load %s\n" file;
    []

let source_files : source_file array =
  let a = Array.create (List.length !typed_progs) 
	    { filename = ""; text = []; asts = [] }
  in
  let rec fill i = function
    | [] -> 
	()
    | (f, al) :: r -> 
	a.(i) <- { filename = f; text = load_source f; asts = al };
	fill (succ i) r
  in
  fill 0 !typed_progs;
  a

let nb_files = Array.length source_files
let current_source = ref 0

(* GTK *)

let window_width = 800
let window_height = 900
let show_discharged = ref false

(*
let monospace_font = ref (Pango.Font.from_string "Monospace 15")
let general_font = ref (Pango.Font.from_string "Monospace 15")

let lower_view_general_font = general_font
let upper_view_general_font = general_font
let statusbar_font = ref !general_font
let proved_lemma_font = ref !monospace_font
let to_prove_lemma_font = ref !monospace_font
let discharged_lemma_font = ref !monospace_font
*)
let display_info = ref (function s -> failwith "not ready")
let flash_info = ref (function s -> failwith "not ready")

let out_some = function None -> assert false | Some f -> f

let try_convert s = 
  try
    if Glib.Utf8.validate s then s else 
      Glib.Convert.locale_to_utf8 s
  with _ -> failwith ("Fatal error: wrong encoding in string \""^s^"\"")

let path_of_int i = 
  GtkTree.TreePath.from_string (string_of_int (if i < 0 then 0 else i))

let to_refresh reference e = 
  let n = Filename.chop_extension reference ^ e in
  not (Sys.file_exists n) ||
  ((Unix.stat reference).Unix.st_mtime > (Unix.stat n).Unix.st_mtime)


let rec insert_user_annotation
  (tb:GText.buffer) (output:GText.buffer) s it 
  (old_tag_props,new_tag_props) (infos,message) =
  let new_tag = tb#create_tag new_tag_props in
  tb#insert ~tags:[new_tag] ~iter:it s

let insert_chunk (tb:GText.buffer) (output:GText.buffer) c = match c with
  | Code s -> tb#insert (try_convert s)
  | Annotation s ->
      let t = tb#end_iter in
      insert_user_annotation tb output (try_convert s) t
	([`BACKGROUND "darkgreen"],
	 [`FOREGROUND "darkgreen"])
	([],"User obligation")
 
let create_mark_at (tb:GText.buffer) pos =
  tb#create_mark (tb#get_iter_at_char pos)

let insert_obligations (tb:GText.buffer) (output:GText.buffer) 
  (obligations:Log.t) =
  let marks =
    List.map 
      (function (pos,_,_) as o ->  `MARK (create_mark_at tb pos),o ) 
      obligations
  in 
  ()

let display_source (b:GText.buffer) (tb2:GText.buffer) =
  b#set_text "";  
  tb2#set_text "";
  let source = source_files.(!current_source) in
  List.iter (insert_chunk b tb2) source.text;
  match source.asts with
    | [] -> navigation := false
    | _ -> navigation := true; Nav.set (NavTree.create source.asts)

let next_source (b:GText.buffer) (tb2:GText.buffer) () =
  if !current_source < nb_files - 1 then begin
    incr current_source; display_source b tb2
  end

let previous_source (b:GText.buffer) (tb2:GText.buffer) () =
  if !current_source > 0 then begin
    decr current_source; display_source b tb2
  end

let main () = 
  let w = GWindow.window 
	    ~allow_grow:true ~allow_shrink:true
	    ~width:window_width ~height:window_height ~title:"Why viewer" ()
  in
  w#misc#modify_font !general_font;
  let accel_group = GtkData.AccelGroup.create () in
  let _ = w#connect#destroy ~callback:(fun () -> exit 0) in
  let vbox = GPack.vbox ~homogeneous:false ~packing:w#add () in

  (* Menu *)
  let menubar = GMenu.menu_bar ~packing:vbox#pack () in
  let factory = new GMenu.factory menubar in
  let accel_group = factory#accel_group in
  let file_menu = factory#add_submenu "File" in
  let file_factory = new GMenu.factory file_menu ~accel_group in
  let quit_m = file_factory#add_item "Quit" ~key:GdkKeysyms._Q
	       ~callback:(fun () -> exit 0) in
  let refresh_m = file_factory#add_item "Refresh" ~key:GdkKeysyms._R in
  let configuration_menu = factory#add_submenu "Configuration" in
  let configuration_factory = new GMenu.factory configuration_menu ~accel_group
  in
  let show_discharged_m = configuration_factory#add_check_item 
			    "Show discharged proof" 
			  ~key:GdkKeysyms._D
			  ~callback:(fun b -> show_discharged := b) 
  in
  let customize_colors_m =
    configuration_factory#add_item "Customize colors"
    ~callback:(fun () -> !flash_info "Not implemented")
  in
  let customize_fonts_m = 
    configuration_factory#add_item "Customize fonts"
    ~callback:(fun () -> !flash_info "Not implemented")
  in
  let _ = file_factory#add_item "Up" ~key:GdkKeysyms._Up
	  ~callback:(fun () -> if !navigation then Nav.up ()) in
  let _ = file_factory#add_item "Down" ~key:GdkKeysyms._Down
	  ~callback:(fun () -> if !navigation then Nav.down ()) in
  let _ = file_factory#add_item "Left" ~key:GdkKeysyms._Left
	  ~callback:(fun () -> if !navigation then Nav.left ()) in
  let _ = file_factory#add_item "Right" ~key:GdkKeysyms._Right
	  ~callback:(fun () -> if !navigation then Nav.right ()) in
  let _ = file_factory#add_item "Next" ~key:GdkKeysyms._space
	  ~callback:(fun () -> if !navigation then Nav.next ()) in

  (* horizontal paned *)
  let hp = GPack.paned `HORIZONTAL  ~border_width:3 ~packing:vbox#add () in

  (* left list of source files *)
  let cols = new GTree.column_list in
  let filename_col = cols#add Gobject.Data.string in
  let model = GTree.list_store cols in
  Array.iteri 
    (fun i sf ->     
       let row = model#append () in
       model#set ~row ~column:filename_col (Filename.basename sf.filename)) 
    source_files;
  let view = GTree.view ~model ~packing:hp#add1 () in
  let _ = view#selection#set_mode `SINGLE in
  let _ = view#set_rules_hint true in
  let col = GTree.view_column ~title:"Source files" ()
	      ~renderer:(GTree.cell_renderer_text [], ["text",filename_col]) in
  let _ = view#append_column col in

  (* vertical paned *)
  let hb = GPack.paned `VERTICAL  ~border_width:3 ~packing:hp#add2 () in
  let _ = hb#misc#connect#realize
	  ~callback:(fun _ ->hb#set_position (window_height*6/10 ) ) in
  let _ = hb#set_position (window_height*9/10 ) in

  (* upper frame *)
  let fr1 = GBin.frame ~shadow_type:`ETCHED_OUT ~packing:hb#add1 () in 
  let sw1 = GBin.scrolled_window
	    ~vpolicy:`AUTOMATIC 
	    ~hpolicy:`AUTOMATIC
	    ~packing:fr1#add () 
  in

  (* lower frame *)
  let fr2 = GBin.frame ~shadow_type:`ETCHED_OUT ~packing:hb#add2 () in 
  let sw2 = GBin.scrolled_window 
	    ~vpolicy:`AUTOMATIC 
	    ~hpolicy:`AUTOMATIC
	    ~packing:(fr2#add) () 
  in

  (* status bar (at bottom) *)
  let status_bar = GMisc.statusbar ~packing:vbox#pack () in
  status_bar#misc#modify_font !statusbar_font ;
  let status_context = status_bar#new_context "messages" in
  ignore (status_context#push "Ready");
  ignore (status_context#push "Ready");
  display_info := (fun s -> 
		     status_context#pop ();
		     ignore (status_context#push s));
  flash_info := !display_info (* fun s -> status_context#flash ~delay:10 s *);

  (* lower text view: annotations *)
  let tv2 = GText.view ~packing:(sw2#add) () in
  let _ = tv2#misc#modify_font !lower_view_general_font in
  let _ = tv2#set_editable false in
  let tb2 = tv2#buffer in

  (* upper text view: source code *)
  let buf1 = GText.buffer () in 
  let tv1 = GText.view ~buffer:buf1 ~packing:(sw1#add) () in
  let _ = tv1#misc#modify_font !upper_view_general_font in
  let _ = tv1#set_editable false in

  (* hook for navigator *)
  let bgtag = Tags.make_tag ~name:"lblue" buf1 [`BACKGROUND "light blue"] in
  Tree.show_info_ref := 
  (fun ((b,e),s) -> 
     buf1#remove_tag bgtag ~start:buf1#start_iter ~stop:buf1#end_iter;
     buf1#apply_tag bgtag 
     ~start:(buf1#get_iter (`OFFSET b)) 
     ~stop:(buf1#get_iter (`OFFSET e));
     buf1#place_cursor (buf1#get_iter (`OFFSET b));
     tv1#scroll_to_mark ~use_align:true ~yalign:0.25 `INSERT;
     tb2#set_text s
  );
  let _ = file_factory#add_item "Next file" ~key:GdkKeysyms._Page_Down
	  ~callback:(fun () -> view#selection#select_path 
			 (path_of_int (succ !current_source))) in
  let _ = file_factory#add_item "Previous file" ~key:GdkKeysyms._Page_Up
	  ~callback:(fun () -> 
		       view#selection#select_path 
			 (path_of_int (pred !current_source))) in
  w#add_accel_group accel_group;

  let _ = view#selection#connect#changed ~callback:
	    (fun () ->
	       List.iter 
		 (fun path ->
		    let pt = GtkTree.TreePath.to_string path in
		    let i = int_of_string pt in
		    current_source := i;
		    display_source buf1 tb2)
		 view#selection#get_selected_rows)
  in
  
  (* Remove default pango menu for textviews *)
  ignore (tv1#event#connect#button_press ~callback:
	    (fun ev -> GdkEvent.Button.button ev = 3));
  ignore (tv2#event#connect#button_press ~callback:
	    (fun ev -> GdkEvent.Button.button ev = 3));

  (* startup configuration *)
  buf1#place_cursor ~where:buf1#start_iter;
  let _ =  refresh_m#connect#activate 
	   ~callback:(fun () -> display_source buf1 tb2) 
  in
  w#show ();
  display_source buf1 tb2



let _ = 
  ignore (GtkMain.Main.init ());
  main () ;
  GMain.Main.main ()
�����������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/preferences.ml������������������������������������������������������������������������0000755�0001750�0001750�00000010107�12311670312�014412� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Tools
open Colors

exception Save

let set_window_settings w = 
  let _ = w#event#connect#key_press ~callback:
    (fun k -> if GdkEvent.Key.keyval k = GdkKeysyms._Escape then w#destroy ();false)
  in
  w#set_modal true;
  w#set_skip_pager_hint true;
  w#set_skip_pager_hint true

let colors r () =
  let w = GWindow.window 
    ~allow_grow:false ~allow_shrink:true
    ~border_width:20
    ~title:"Colors" () in
  let quit result () = 
    List.iter
      (fun (k, tf, tb) -> Colors.replace_color k (tf#text) (tb#text))
      result;
    w#destroy ();
    r ()
  in
  let vbox = GPack.vbox ~homogeneous:false ~packing:w#add () in
  let table = GPack.table ~homogeneous:true ~packing:vbox#add () in
  (* colors *)
  let colors_l = GMisc.label ~text:"Colors (forecolor, backcolor)" () in
  table#attach ~left:0 ~top:0 ~right:3 (colors_l#coerce);
  let r = ref 2 in
  let result = 
    List.map
      (fun {key=k; name=n; fc=f; bc=b} -> 
	 let l = GMisc.label ~text:n () in
	 let tf = GEdit.entry ~text:f () in
	 let tb = GEdit.entry ~text:b () in
	 table#attach ~left:0 ~top:!r (l#coerce);
	 table#attach ~left:1 ~top:!r (tf#coerce);
	 table#attach ~left:2 ~top:!r (tb#coerce);
	 incr r;
	 (k, tf, tb))
      (Colors.get_all_colors ()) in
  
  let hbox = GPack.hbox ~homogeneous:true ~packing:vbox#add () in
  let button_ok = GButton.button ~label:"OK" ~stock:`OK ~packing:hbox#add () in
  let _ = button_ok#connect#clicked ~callback:(quit result) in
  let button_cancel = GButton.button ~label:"Cancel" ~stock:`CANCEL ~packing:hbox#add () in
  let _ = button_cancel#connect#clicked ~callback:(w#destroy) in
  
  (* window settings *)
  set_window_settings w;
  w#show ()
  

(* Main *)
let show window_type refresh () = 
  ignore (GtkMain.Main.init ());
  (match window_type with
     | Color -> colors refresh ()
     | _ -> ());
  GtkThread.main ()
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/gConfig.mli���������������������������������������������������������������������������0000644�0001750�0001750�00000004467�12311670312�013647� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


val load: unit -> unit

val save: unit -> unit
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/pprinter.mli��������������������������������������������������������������������������0000755�0001750�0001750�00000005325�12311670312�014133� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

val desactivate : unit -> unit
val activate : unit -> unit
val swap_active : unit -> unit
val is_active : unit -> bool

val set_tvsource : GText.view -> unit

val reset_last_file : unit -> unit

val read_file : Tags.loc option -> unit
val move_to_source : Tags.loc option -> unit
val move_to_loc : Tags.loc -> unit

val text_of_obligation :
  GText.view -> 'a * bool * Logic_decl.vc_expl * string * (Cc.context_element list * Logic.predicate) Env.scheme -> unit
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/colors.mli����������������������������������������������������������������������������0000755�0001750�0001750�00000005560�12311670312�013572� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


val window_width : int ref
val window_height : int ref

val colorblind : bool ref
val font_size : int ref
val font_family : string

type color = {
  key : string;
  name : string;
  fc : string;
  bc : string;
}

val get_fc : string -> string
val get_bc : string -> string
val get_color : string -> string * string

val get_fc_predicate : unit -> string
val get_bc_predicate : unit -> string

val color_exists : string -> bool

val get_all_colors : unit -> color list
val set_all_colors : (string * string * string) list -> unit
val replace_color : string -> string -> string -> unit

val has_changed : unit -> bool
������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/navig.ml������������������������������������������������������������������������������0000644�0001750�0001750�00000010647�12311670312�013223� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



module type Tree = sig

  type t
  val children : t -> t list

  type info
  val info : t -> info
  val show_info : info -> unit

end

module type NavTree = sig

  type tree
  type t

  val create : tree list -> t

  exception NoMove
  val down : t -> t
  val up : t -> t
  val left : t -> t
  val right : t -> t

  type info
  val info : t -> info
  val show_info : info -> unit

end

module MakeNavTree (T : Tree) = struct

  type tree = T.t

  type t = T.t * move_up * move_left * move_right
  and move_up = Up of (unit -> t)
  and move_left = Left of (unit -> t)
  and move_right = Right of (unit -> t)

  exception NoMove

  let no_move () = raise NoMove

  let up (_, Up f, _, _) = f ()
  let left (_, _, Left f, _) = f ()
  let right (_, _, _, Right f) = f ()

  let rec first_child t = function
    | [] ->
	raise NoMove
    | x :: l ->
	let rec self =
	  x, Up (fun () -> t), Left no_move, 
	  Right (fun () -> sibling (fun () -> t) self l)
	in
	self

  and sibling up ls = function
    | [] ->
	raise NoMove
    | x :: l -> 
	let rec self =
	  x, Up up, Left (fun () -> ls), 
	  Right (fun () -> sibling up self l)
	in
	self

  let down ((x, _, _, _) as t) = first_child t (T.children x)

  let create = function
    | [] ->
	invalid_arg "NavTree.create"
    | x :: l -> 
	let rec self =
	  x, Up no_move, Left no_move, Right (fun () -> sibling no_move self l)
	in
	self

  type info = T.info
  let info (x,_,_,_) = T.info x
  let show_info = T.show_info

end

module MakeNavigator (T : NavTree) = struct

  open T

  let tree = ref None

  let option_iter f = function
    | None -> ()
    | Some t -> f t

  let update () = option_iter (fun t -> show_info (info t)) !tree

  let set t = tree := Some t; update ()

  let move f () = 
    option_iter (fun t -> try set (f t) with NoMove -> ()) !tree

  let down = move T.down
  let up = move T.up
  let left = move T.left
  let right = move T.right

  let next () = 
    let rec really_right t =
      try set (T.right t) with NoMove -> really_right (T.up t)
    in
    option_iter 
      (fun t -> 
	 try set (T.down t) with NoMove -> 
         try set (T.right t) with NoMove ->
	 try really_right (T.up t) with NoMove -> ()) 
      !tree

end
�����������������������������������������������������������������������������������������why-2.34/intf/astprinter.ml�������������������������������������������������������������������������0000755�0001750�0001750�00000006241�12311670312�014310� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Logic
open Cc
open Ident
open Format
open Misc
open Pp
open Tags

let rec print_pure_type fmt = function
  | PTint -> fprintf fmt "int"
  | PTbool -> fprintf fmt "bool"
  | PTunit -> fprintf fmt "unit"
  | PTreal -> fprintf fmt "real"
  | PTexternal ([v], id) when id == farray -> 
      fprintf fmt "@[%a array@]" print_pure_type v
  | PTexternal([],id) -> Ident.print fmt id
  | PTexternal([l],id) -> 
      fprintf fmt "@[%a %a@]"
	print_pure_type l
	Ident.print id
  | PTexternal(l,id) -> 
      fprintf fmt "@[(%a) %a@]"
	(print_list comma print_pure_type) l
	Ident.print id
  | PTvar { type_val = Some t} -> 
      fprintf fmt "%a" print_pure_type t      
  | PTvar v ->
      fprintf fmt "A%d" v.tag

let print_binder = Coq.print_binder_v8
let print_binder_type = Coq.print_binder_type_v8

let rec print_cc_type fmt = function
  | TTpure pt -> 
      print_pure_type fmt pt
  | t -> Coq.print_cc_type_v8 fmt t
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/model.mli�����������������������������������������������������������������������������0000644�0001750�0001750�00000011162�12311670312�013361� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)


(** {2 columns of the model} *)

val name : string GTree.column
val stat : string GTree.column
val fullname : string GTree.column
val result : int GTree.column
val parent : string GTree.column
val total : int GTree.column

(** {2 prover data} *)

type prover = {
  pr_id : DpConfig.prover_id;
  pr_info : DpConfig.prover_data;
  pr_result : int GTree.column;
  pr_icon : GtkStock.id GTree.column;
  pr_image : GdkPixbuf.pixbuf GTree.column ;
  mutable pr_viewcol : (GTree.view_column * GTree.view_column) option;
  pr_enc : Options.encoding;
}
    (** type of a prover description in the model *)

val ergo : prover
val simplify : prover
val verit: prover
val z3SS : prover
val yicesSS : prover
val cvc3SS : prover
val gappa: prover
val gappa_select: prover

val prover_id : prover -> string
  (** return a prover identifier with name and encoding, e.g. "Z3(SS)",
      which can be used for indexing *)

val prover_name_with_version_and_enc : prover -> string
  (** return a printable prover name under the form "prover_id\nversion\n(encoding)" *)

(** {2 provers with their current selected/deselected status} *)

val get_prover_states : unit -> (prover*bool) list
  (** returns the list of known provers
      with there current state: selected or not *)

val select_prover : prover -> unit
  (* sets prover state to selected *)

val deselect_prover : prover -> unit
  (* sets prover state to deselected *)

val get_prover : string -> prover
  (** search for an existing prover from its unique id (see [prover_id]
      above). raises Not_found if no prover of this id exist *)

val get_default_prover : unit -> prover

val set_default_prover : prover -> unit

(** {3 not documented} *)

val fq : string Queue.t
(* queue of functions in the model *)

val create_model : unit -> GTree.tree_store

val frows : (string, Gtk.tree_iter) Hashtbl.t
val fwrows : (string, (prover, string) Hashtbl.t) Hashtbl.t
val first_row : Gtk.tree_iter option ref



val find_fct : string -> Gtk.tree_iter

val iter_fobligs : string -> (Gtk.tree_iter -> unit) -> unit

val orows : (string, Gtk.tree_iter) Hashtbl.t

val add_failure : string -> prover -> string -> unit


val find_oblig :
  string -> Loc.floc * bool * Logic_decl.vc_expl * string * Cc.sequent Env.scheme
val find_fobligs : string -> Gtk.tree_iter Queue.t
val obligs :
  (string, Loc.floc * bool * Logic_decl.vc_expl * string * Cc.sequent Env.scheme)
  Hashtbl.t
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/colors.ml�����������������������������������������������������������������������������0000755�0001750�0001750�00000010657�12311670312�013424� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



let window_width = ref 1024
let window_height = ref 768

let colorblind = ref false

let font_size = ref 10
let font_family = "Monospace"

type color = {
  key : string;
  name : string;
  fc : string;
  bc : string;
}

let changed = ref false

let colors = [
  {key="title"; name="Title"; fc="brown"; bc="lightgreen"};
  {key="comment"; name="Commentary"; fc="red"; bc="white"};
  {key="keyword"; name="Keyword"; fc="darkgreen"; bc="white"};
  {key="var"; name="Variable"; fc="darkgreen"; bc="white"};
  {key="predicate"; name="Predicate"; fc="blue"; bc="white"};
  {key="lpredicate"; name="Predicate (localised)"; fc="blue"; bc="lightyellow"};
  {key="pr_hilight"; name="Predicate (Hilight)"; fc="red"; bc="lightgreen"};
  {key="separator"; name="Separator"; fc="red"; bc="white"};
  {key="hypothesis"; name="Hypothesis"; fc="orange"; bc="white"};
  {key="conclusion"; name="Conclusion"; fc="blue"; bc="white"};
  {key="hilight"; name="Hilight"; fc="black"; bc="yellow"};
  {key="cc_type"; name="Type"; fc="darkgreen"; bc="white"}]

let fcolors = Hashtbl.create 13
let bcolors = Hashtbl.create 13
let kcolors = Hashtbl.create 13

let add_color k item fc bc = 
  Hashtbl.add kcolors k item;
  if fc <> "black" then begin 
    Hashtbl.add fcolors k fc 
  end;  
  if bc <> "white" then begin 
    Hashtbl.add bcolors k bc 
  end  

let _ = 
  List.iter
    (fun c -> add_color c.key c.name c.fc c.bc)
    colors

let get_fc ty = 
  (try Hashtbl.find fcolors ty with Not_found -> "black")

let get_bc ty = 
  (try Hashtbl.find bcolors ty with Not_found -> "white")

let get_color ty = 
  (get_fc ty) , (get_bc ty)

let get_fc_predicate () = 
  get_fc "lpredicate"

let get_bc_predicate () = 
  get_bc "lpredicate"

let color_exists ty = 
  (Hashtbl.mem fcolors ty) || (Hashtbl.mem bcolors ty)

let get_all_colors () = 
  List.map 
    (fun {key=k; name=n; fc=_; bc=_} -> 
       {key=k; name=n; fc=(get_fc k); bc=(get_bc k)})
    colors

let set_all_colors l = 
  List.iter 
    (fun (k, f, b) -> 
       Hashtbl.replace fcolors k f;
       Hashtbl.replace bcolors k b)
    l

let replace_color k f b = 
  changed := true;
  Hashtbl.replace fcolors k f;
  Hashtbl.replace bcolors k b

let has_changed () = !changed
���������������������������������������������������������������������������������why-2.34/intf/navig.mli�����������������������������������������������������������������������������0000644�0001750�0001750�00000006375�12311670312�013377� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)



(*s trees *)

module type Tree = sig

  type t
  val children : t -> t list

  type info
  val info : t -> info
  val show_info : info -> unit

end

(*s trees equipped with navigation functions *)

module type NavTree = sig

  type tree (* type of trees *)
  type t    (* type of navigable trees *)

  val create : tree list -> t

  (* functions to navigate in the tree; 
     must raise [NoMove] when the move is not possible *)
  exception NoMove
  val down : t -> t
  val up : t -> t
  val left : t -> t
  val right : t -> t

  type info
  val info : t -> info
  val show_info : info -> unit

end

(*s functor to add navigation fuctions to a tree *)

module MakeNavTree (T : Tree) : 
  NavTree with type tree = T.t and type info = T.info 

(*s functor to build a navigator *)

module MakeNavigator (T : NavTree) : sig

  val set : T.t -> unit

  val down : unit -> unit
  val up : unit -> unit
  val left : unit -> unit
  val right : unit -> unit

  (* depth-first traversal *)
  val next : unit -> unit

end
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/config.mll����������������������������������������������������������������������������0000644�0001750�0001750�00000023044�12311670312�013533� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

{

  open Lexing
  open Tools
  open Colors

  exception Lexical_error of string
  exception Eof 

  let config_file = Filename.concat (Rc.get_home_dir ()) ".gwhyrc"

  let key = Buffer.create 128
  let string_buffer = Buffer.create 128
  let vals = Queue.create ()
  let config = Hashtbl.create 13
  let colors = Hashtbl.create 13

  let create_default_config () = 
    if not (Sys.file_exists config_file) then begin
      let out_channel = open_out config_file in
      output_string out_channel "prover = \"Simplify\"\n";
      output_string out_channel "cache = \"true\"\n";
      output_string out_channel "timeout = \"10\"\n";
      output_string out_channel "hard_proof = \"true\"\n";
      output_string out_channel "live_update = \"false\"\n";
      try close_out out_channel
      with Sys_error s -> prerr_string s
    end

  let get_values () = 
    Hashtbl.fold
      (fun k v t -> (k,v) :: t)
      config
      []

  let get_colors () =
      Hashtbl.fold 
      (fun k (fc, bc) t -> (k, fc, bc)::t)
      colors
      []

  let write_config () = 
    let out_channel = open_out config_file in
    seek_out out_channel (out_channel_length out_channel);
    output_string out_channel "# \n";
    output_string out_channel "# Configuration file auto-generated by gWhy\n";
    output_string out_channel "# \n\n";
    output_string out_channel "# Parameters \n";
    List.iter 
      (fun (k,v) -> output_string out_channel (k^ " = \""^ v ^ "\"\n"))
      [("prover", Model.prover_id (Model.get_default_prover ()));
       ("cache", string_of_bool (Cache.is_enabled ()));
       ("timeout", string_of_int (Tools.get_timeout ()));
       ("hard_proof", string_of_bool (Cache.hard_proof ()));
       ("live_update", string_of_bool (Tools.live_update ()))];
    output_string out_channel "\n# Selected provers : \"prover1\" \"prover2\" ...  \n";
    output_string out_channel "# It must be contain at least one prover. Otherwise, all valid provers will be selected.\n";
    output_string out_channel "provers = ";
    List.iter 
      (fun (p,s) -> 
	 if s then output_string out_channel ("\""^(Model.prover_id p)^"\" "))
      (Model.get_prover_states ());


    output_string out_channel "\n\n# window parameters\n";
    List.iter 
      (fun (k,v) -> 
	 output_string out_channel (k^" = \"" ^ string_of_int(v) ^ "\"\n"))
      [ "window_width", !window_width ;
	"window_height", !window_height ; 
	"font_size", !font_size ];
	   
    output_string out_channel "\n\n# Colors : color_key = \"forecolor\" \"backcolor\" \n";
    output_string out_channel "# key = {title, comment, keyword, var, ";
    output_string out_channel " predicate, lpredicate, pr_hilight, separator, ";
    output_string out_channel "hypothesis, conclusion, hilight, cc_type} \n";
    List.iter
      (fun {key=k; name=_n; fc=f; bc=b} -> output_string out_channel 
	 ("color_" ^ k ^ " = \"" ^ f ^ "\" \"" ^ b ^ "\" \n"))
      (get_all_colors ());
    try close_out out_channel; None
    with Sys_error s -> Some(s)

  let save () = 
    let w = GWindow.message_dialog 
      ~message:(match write_config () with 
		  | Some s -> s
		  | _  -> "Operation done with success !") 
      ~message_type:`INFO ~buttons:GWindow.Buttons.ok
      ~title:"Saving preferences" ~allow_grow:false
      ~modal:true ~resizable:false ()
    in ignore(w#connect#response ~callback:(fun _t -> w#destroy ()));
    ignore(w#show ())
    

  let get_value key = 
    try Hashtbl.find config key 
    with Not_found -> ""

  let is_key =
    let h = Hashtbl.create 97 in
    List.iter 
      (fun s -> Hashtbl.add h s ())
      [ "provers" ; "prover"; "cache"; "hard_proof"; "timeout"; "live_update"; "window_width"; "window_height" ; "font_size"];
    fun s -> 
      Hashtbl.mem h s

  let get_color = 
    let r_color = Str.regexp "\\color_\\([a-z]+\\)" in
    fun s -> 
      if (Str.string_match r_color s 0)
      then Some(Str.matched_group 1 s)
      else None
	
  let is_color id = match get_color id with
    | None -> false
    | _ -> true
}

let space = [' ' '\010' '\013' '\009' '\012']
let char = ['A'-'Z' 'a'-'z' '_' '0'-'9']
let ident = char+

rule token = parse
  | space+        
      { token lexbuf }
  | '#' [^ '\n']* 
      { token lexbuf }
  | ident as id
      { let ckey = Buffer.contents key in
	(if ckey = "" then 
	   () (* not needed : Buffer.add_string key id *)
	 else 
	   if ckey = "provers" then
	     if Queue.length vals = 0 then
	       () (* Model.add_all_provers () *)
	     else if Queue.length vals <> 0 then
	       Queue.iter 
		 (fun pr -> 
		      let p = Model.get_prover pr in
		      Model.select_prover p)
		 vals
	     else raise (Lexical_error "no provers selected")
	   else if Queue.length vals = 1 then
	     let p = Queue.pop vals in
	     Hashtbl.add config ckey p
	 else if Queue.length vals = 2 then
	   let fst = Queue.pop vals in
	   let snd = Queue.pop vals in
	   (match get_color ckey with 
	      | Some s -> Hashtbl.add colors s (fst, snd)
	      | None -> Format.eprintf ".gwhyrc : unknown color : %s@." ckey)
	 else Format.eprintf ".gwhyrc : invalid parameters for key (%s)@." ckey);
	Buffer.reset key;
	Queue.clear vals;
	if is_key id or is_color id then
	  Buffer.add_string key id
	else 
	  (Format.eprintf ".gwhyrc : invalid key (%s)@." id;
	   raise (Lexical_error "invalid key"))
      }
  | '='   
      { token lexbuf }
  | '"'   
      { string lexbuf }
  | _     
      { let c = lexeme_start lexbuf in
	Format.eprintf ".gwhyrc: invalid character (%d)@." c; 
	raise Eof }
  | eof   
      { let ckey = Buffer.contents key in
	(if ckey <> "" then 
	   if ckey = "provers" then
	     if Queue.length vals = 0 then
	       () (* Model.add_all_provers ()  *)
	     else if Queue.length vals <> 0 then
	        Queue.iter 
		 (fun pr -> 
		      let p = Model.get_prover pr in
		      Model.select_prover p)
		 vals
	     else raise (Lexical_error "no provers selected")
	   else if Queue.length vals = 1 then
	     let p = Queue.pop vals in
	     Hashtbl.add config ckey p
	   else if Queue.length vals = 2 then
	     let fst = Queue.pop vals in
	     let snd = Queue.pop vals in
	     (match get_color ckey with 
		| Some s -> Hashtbl.add colors s (fst, snd)
		| None -> Format.eprintf ".gwhyrc : unknown color : %s@." ckey)
	   else 
	     Format.eprintf ".gwhyrc : invalid parameters for key (%s)@." ckey);
	raise Eof }

and string = parse
  | space+ 
      { string lexbuf }
  | '"'  
      { Queue.add (Buffer.contents string_buffer) vals;
	Buffer.reset string_buffer;
	token lexbuf }
  | '\\' '"' | _ 
	{ Buffer.add_string string_buffer (lexeme lexbuf); 
	  string lexbuf }
  | eof  
      { Format.eprintf ".gwhyrc: unterminated string@.";
	raise Eof}

{

  let load () = 
    try
      let in_channel = open_in config_file in
      begin
        try
          let lexbuf = Lexing.from_channel in_channel in
          while true do
            token lexbuf;
          done
        with
	  | Eof -> ()
	  | Lexical_error s -> 
	      let w = GWindow.message_dialog 
		~message:("Invalid parameters in .gwhyrc file ("^s^") !")
		~message_type:`ERROR ~buttons:GWindow.Buttons.ok
		~title:"Saving preferences" ~allow_grow:false
		~modal:true ~resizable:false ()
	      in ignore(w#connect#response ~callback:(fun _t -> w#destroy ()));
	      ignore(w#show ())
      end;
      close_in in_channel;
    with Sys_error s ->
      begin
        print_endline ("     [...] Sys_error : "^s); flush stdout;
      end

}
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/model.ml������������������������������������������������������������������������������0000755�0001750�0001750�00000032145�12311670312�013217� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Gobject.Data
open Options

(* columns of the model *)

let cols = new GTree.column_list
let name = cols#add string
let fullname = cols#add string
let parent = cols#add string
let total = cols#add int
let result = cols#add int
let stat = cols#add string

let first_row = ref None


type prover = {
  pr_id : DpConfig.prover_id;
  pr_info : DpConfig.prover_data;
  pr_result : int GTree.column;
  pr_icon : GtkStock.id GTree.column;
  pr_image : GdkPixbuf.pixbuf GTree.column ;
  mutable pr_viewcol : (GTree.view_column * GTree.view_column) option;
  pr_enc : Options.encoding;
}

let enc_name ~nl n p =
  let nl x = if nl then "\n" ^ x else x in
  match p.pr_enc with
    | NoEncoding ->
	begin match p.pr_id with
	  | DpConfig.SimplifySelect
	  | DpConfig.GappaSelect
	  | DpConfig.ErgoSelect -> n ^ nl "(Select)"
	  | _ -> n ^ nl ""
	end
    | SortedStratified -> n ^ nl "(SS)"
    | Monomorph -> n ^ nl "(mono)"
    | Recursive -> n ^ nl "(rec)"
    | Stratified -> n ^ nl "(Strat)"
    | Predicates -> n ^ nl "(pred)"
    | MonoInst -> n ^ nl "(monoinst)"

let prover_id p =
  enc_name ~nl:false p.pr_info.DpConfig.name p

let prover_name_with_version_and_enc p =
  let v = p.pr_info.DpConfig.version in
  let n = p.pr_info.DpConfig.name in
  let n = if v <> "" then n ^ "\n" ^ v else n ^ "\n(uninstalled)" in
  enc_name ~nl:true n p


let simplify = {
  pr_id = DpConfig.Simplify;
  pr_info = DpConfig.simplify;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = NoEncoding;
  }

let simplify_select = {
  pr_id = DpConfig.SimplifySelect;
  pr_info = DpConfig.simplify;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = NoEncoding;
  }

let simplify_pred = {
  pr_id = DpConfig.Simplify;
  pr_info = DpConfig.simplify;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = Predicates;
  }
let simplify_strat = {
  pr_id = DpConfig.Simplify;
  pr_info = DpConfig.simplify;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = Stratified;
  }
let simplify_sstrat = {
  pr_id = DpConfig.Simplify;
  pr_info = DpConfig.simplify;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = SortedStratified;
  }
let simplify_rec = {
  pr_id = DpConfig.Simplify;
  pr_info = DpConfig.simplify;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = Recursive;
  }

let vampire = {
  pr_id = DpConfig.Vampire;
  pr_info = DpConfig.vampire;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = NoEncoding;
  }

let gappa = {
  pr_id = DpConfig.Gappa;
  pr_info = DpConfig.gappa;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = NoEncoding;
  }

let gappa_select = {
  pr_id = DpConfig.GappaSelect;
  pr_info = DpConfig.gappa;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = NoEncoding;
  }

(*
let zenon = {
  pr_name = "Zenon";
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_id = Dispatcher.Zenon;
  pr_enc = NoEncoding;
}
let zenon_pred = {
  pr_name = "Zenon(P)";
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_id = Dispatcher.Zenon;
  pr_enc = Predicates;
}
let zenon_strat = {
  pr_name = "Zenon(S)";
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_id = Dispatcher.Zenon;
  pr_enc = Stratified;
}
let zenon_rec = {
  pr_name = "Zenon(R)";
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_id = Dispatcher.Zenon;
  pr_enc = Recursive;
}
let harvey = {
  pr_name = "haRVey";
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_id = Dispatcher.Harvey;
  pr_enc = NoEncoding;
}
let cvcl = {
  pr_name = "CVCL";
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_id = Dispatcher.Cvcl;
  pr_enc = SortedStratified;
}
let rvsat = {
  pr_name = "rv-sat";
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_id = Dispatcher.Rvsat;
  pr_enc = SortedStratified;
  }
*)
let yices = {
  pr_id = DpConfig.Yices;
  pr_info = DpConfig.yices;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = Monomorph;
  }
let yicesSS = {
  pr_id = DpConfig.Yices;
  pr_info = DpConfig.yices;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = SortedStratified;
  }
let ergo = {
  pr_id = DpConfig.Ergo;
  pr_info = DpConfig.alt_ergo;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = NoEncoding;
  }
let ergo_select = {
  pr_id = DpConfig.ErgoSelect;
  pr_info = DpConfig.alt_ergo;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = NoEncoding;
  }
let ergoSS = {
  pr_id = DpConfig.Ergo;
  pr_info = DpConfig.alt_ergo;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = SortedStratified;
  }
let verit =
  { pr_id = DpConfig.VeriT;
    pr_info = DpConfig.verit;
    pr_result = cols#add int;
    pr_icon = cols#add GtkStock.conv;
    pr_image = cols#add Gobject.Data.gobject;
    pr_viewcol = None;
    pr_enc = SortedStratified;
  }

let cvc3SS = {
  pr_id = DpConfig.Cvc3;
  pr_info = DpConfig.cvc3;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = SortedStratified;
  }
let z3SS = {
  pr_id = DpConfig.Z3;
  pr_info = DpConfig.z3;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = SortedStratified;
  }

let cvc3MI = {
  pr_id = DpConfig.Cvc3;
  pr_info = DpConfig.cvc3;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = MonoInst;
  }
let z3MI = {
  pr_id = DpConfig.Z3;
  pr_info = DpConfig.z3;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = MonoInst;
  }


let coq = {
  pr_id = DpConfig.Coq;
  pr_info = DpConfig.coq;
  pr_result = cols#add int;
  pr_icon = cols#add GtkStock.conv;
  pr_image = cols#add Gobject.Data.gobject;
  pr_viewcol = None;
  pr_enc = NoEncoding;
}


(***********

all provers


******)

let all_known_provers = [
  ergo;
  ergo_select;
  (*ergoSS;*)
  simplify;
  simplify_select;
  vampire;
  z3SS ;
  yicesSS;
  cvc3SS;
  z3MI;
  cvc3MI;
  (*simplify_sstrat;*)
(*
  simplify_strat;
*)
  yices;
  gappa ;
  gappa_select ;
  verit
(*
  coq ;
*)
  (* rvsat; *)
  (* zenon; zenon_pred; zenon_strat; zenon_rec;*)
  (* harvey; cvcl *)]

let prover_states = List.map (fun x -> (x,ref false)) all_known_provers

let get_prover_states () =
  List.map (fun (x,y) -> (x,!y)) prover_states

let default_prover = ref (List.hd all_known_provers)

let get_default_prover () = !default_prover

let set_default_prover p =
  default_prover := p

let select_prover p =
  let s = List.assq p prover_states in s:= true

let deselect_prover p =
  let s = List.assq p prover_states in s:= false

  let get_prover s =
  let rec next = function
    | [] ->
	raise Not_found
    | (p',_) :: r ->
	if prover_id p' = s then p' else next r
  in next prover_states


(* all obligations *)
let obligs = Hashtbl.create 97
let find_oblig = Hashtbl.find obligs

(* obligation name -> its model row *)
let orows = Hashtbl.create 97
(* obligation name -> its failure messages *)
let fwrows = Hashtbl.create 97

(* function -> its model row *)
let frows = Hashtbl.create 17
let find_fct = Hashtbl.find frows

(* function -> list of its obligations *)
let fobligs = Hashtbl.create 97
let find_fobligs = Hashtbl.find fobligs
let iter_fobligs fct f = Queue.iter f (Hashtbl.find fobligs fct)

(* functions *)
let fq = Queue.create ()

let add_failure row (p:prover) (message:string) =
  try
    let messages = Hashtbl.find fwrows row in
    if Hashtbl.mem messages p then
      Hashtbl.replace messages p message
    else Hashtbl.add messages p message
  with Not_found -> begin
    let h = Hashtbl.create 97 in
    Hashtbl.add h p message;
    Hashtbl.add fwrows row h
  end

let _ =
  let h = Hashtbl.create 1 in
  Hashtbl.add h simplify "";
  Hashtbl.add fwrows " " h;
  Hashtbl.clear h;
  Hashtbl.clear fwrows

let create_model () =
  let model = GTree.tree_store cols in
  Dispatcher.iter
    (fun ((_loc,_is_lemma, expl,s,_seq) as o) ->
       Hashtbl.add obligs s o;
       let f,n = Tools.decomp_name s in
       let row =
	 try
	   Hashtbl.find frows f
	 with Not_found ->
	   let row = model#append () in
	   Queue.add f fq;
	   Hashtbl.add frows f row;
	   Hashtbl.add fobligs f (Queue.create ());
	   let fname =
	     if f="" then "User goals" else
	       try
		 let (id,beh,(_f,_l,_b,_e)) = Hashtbl.find Util.program_locs f in
		 id ^ "\n" ^ beh
	       with Not_found -> "why " ^ f
	   in
	   model#set ~row ~column:name fname;
	   model#set ~row ~column:fullname f;
	   model#set ~row ~column:parent f;
	   model#set ~row ~column:total 0;
	   List.iter
	     (fun p -> model#set ~row ~column:p.pr_result 0)
	     all_known_provers;
	   row
       in
       let row_n = model#append ~parent:row () in
       (match !first_row with None -> first_row := Some(row_n) | Some _ -> ());
       Hashtbl.add orows s row_n;
       Queue.add row_n (Hashtbl.find fobligs f);
       let msg =
	 match expl.Logic_decl.vc_kind with
	   | Logic_decl.EKLemma -> "Lemma " ^ expl.Logic_decl.lemma_or_fun_name
	   | k -> Explain.msg_of_kind k
       in
       model#set ~row:row_n ~column:name (if f="" then msg else (n^". "^msg));
       model#set ~row:row_n ~column:fullname s;
       model#set ~row:row_n ~column:parent f;
       model#set ~row:row_n ~column:result 0;
       List.iter
	 (fun p ->
            model#set ~row:row_n ~column:p.pr_icon `REMOVE;
            model#set ~row:row_n ~column:p.pr_image !Tools.image_default;
            ()
         )
	 all_known_provers
    );
  model
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/gConfig.ml����������������������������������������������������������������������������0000644�0001750�0001750�00000014135�12311670312�013467� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

open Format
open DpConfig

let rc_file () =
  let home = Rc.get_home_dir () in
  Filename.concat home ".gwhyrc"

(** saving config  *)

let save_main fmt =
  fprintf fmt "[main]@.";
  fprintf fmt "timeout = %d@." (Tools.get_timeout ());
  fprintf fmt "default_prover = %s@."
    (Model.prover_id (Model.get_default_prover ()));
  fprintf fmt "window_width = %d@." !Colors.window_width;
  fprintf fmt "window_height = %d@." !Colors.window_height;
  fprintf fmt "font_size = %d@." !Colors.font_size;
  fprintf fmt "boomy_icons = %b@." (Tools.is_boomy ());
  fprintf fmt "colorblind = %b@." (!Colors.colorblind);
  fprintf fmt "@."

let save_prover_setting fmt (p,s) =
  fprintf fmt "%s = %b@." (Model.prover_id p) s

let save_provers fmt l=
  fprintf fmt "[provers]@.";
  List.iter (save_prover_setting fmt) l;
  fprintf fmt "@."

let save () =
  printf "Saving .gwhyrc config file@.";
  let ch = open_out (rc_file ()) in
  let fmt = Format.formatter_of_out_channel ch in
  save_main fmt;
  save_provers fmt (Model.get_prover_states ());
  close_out ch



(** loading config *)

let set_main_setting (key,arg) =
  match key with
    | "timeout" -> Tools.set_timeout (Rc.int arg)
    | "default_prover" ->
        begin
          let n = Rc.string arg in
          try
            let p = Model.get_prover n in
            Model.set_default_prover p
          with Not_found ->
            printf "Unknown default prover id `%s' in section [main] of rc file@." n
        end
    | "window_width" -> Colors.window_width := Rc.int arg
    | "window_height" -> Colors.window_height := Rc.int arg
    | "font_size" -> Colors.font_size := Rc.int arg
    | "boomy_icons" -> Tools.set_boomy (Rc.bool arg)
    | "colorblind" -> Colors.colorblind := Rc.bool arg
    | _ ->
	printf "Unknown field `%s' in section [main] of rc file@." key

let set_prover_setting (key,arg) =
  try
    let b = Rc.bool arg in
    let p = Model.get_prover key in
    if b then Model.select_prover p else Model.deselect_prover p
  with Not_found ->
    printf "Unknown prover id `%s' in section [provers] of rc file@." key


let load_default_config () =
  (try
     DpConfig.load_rc_file ()
   with Not_found ->
      print_endline "Why config file not found, please run why-config first.";
      exit 1);
  List.iter
    (fun (pid,(pdata,_)) ->
       if pdata.version <> "" then
	 try
	   let pr =
	     match pid with
	       | Ergo -> Model.ergo
	       | Simplify -> Model.simplify
	       | Vampire -> Model.simplify
               | Z3 -> Model.z3SS
	       | Cvc3 -> Model.cvc3SS
	       | Yices -> Model.yicesSS
	       | Gappa -> Model.gappa
               | VeriT -> Model.verit
	       | Coq -> raise Exit (* not yet supported in GWhy *)
	       | PVS -> raise Exit (* not yet supported in GWhy *)
               | Cvcl -> raise Exit (* not yet supported in GWhy *)
               | Zenon -> raise Exit (* not yet supported in GWhy *)
               | Rvsat -> raise Exit (* not yet supported in GWhy *)
               | Harvey -> raise Exit (* not yet supported in GWhy *)
	       | SimplifySelect | ErgoSelect | GappaSelect ->
		   assert false (* not handled by dpConfig *)
	   in
	   printf "installed prover '%s' selected@." pdata.name;
	   Model.select_prover pr
	 with Exit -> ())
    DpConfig.prover_list;
  save ()


let load () =
  printf "Loading .gwhyrc config file@.";
  let rc_file = rc_file () in
  try
    let rc = Rc.from_file rc_file in
    List.iter
      (fun (key,args) ->
	 match key with
	   | "main" -> List.iter set_main_setting args
	   | "provers" -> List.iter set_prover_setting args
	   | _ ->
	       printf "Unknown section [%s] in config file '%s'@." key rc_file)
      rc
  with
    | Not_found ->
	printf "Config file '%s' does not exists, using default config@." rc_file;
	load_default_config ()
    | Failure msg ->
	printf "Reading '%s' failed (%s), using default config@." rc_file msg;
	load_default_config ()
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why-2.34/intf/hilight.mll���������������������������������������������������������������������������0000644�0001750�0001750�00000013360�12311670312�013716� 0����������������������������������������������������������������������������������������������������ustar  �rt������������������������������users������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������(**************************************************************************)
(*                                                                        *)
(*  The Why platform for program certification                            *)
(*                                                                        *)
(*  Copyright (C) 2002-2014                                               *)
(*                                                                        *)
(*    Jean-Christophe FILLIATRE, CNRS & Univ. Paris-sud                   *)
(*    Claude MARCHE, INRIA & Univ. Paris-sud                              *)
(*    Yannick MOY, Univ. Paris-sud                                        *)
(*    Romain BARDOU, Univ. Paris-sud                                      *)
(*                                                                        *)
(*  Secondary contributors:                                               *)
(*                                                                        *)
(*    Thierry HUBERT, Univ. Paris-sud  (former Caduceus front-end)        *)
(*    Nicolas ROUSSET, Univ. Paris-sud (on Jessie & Krakatoa)             *)
(*    Ali AYAD, CNRS & CEA Saclay      (floating-point support)           *)
(*    Sylvie BOLDO, INRIA              (floating-point support)           *)
(*    Jean-Francois COUCHOT, INRIA     (sort encodings, hyps pruning)     *)
(*    Mehdi DOGGUY, Univ. Paris-sud    (Why GUI)                          *)
(*                                                                        *)
(*  This software is free software; you can redistribute it and/or        *)
(*  modify it under the terms of the GNU Lesser General Public            *)
(*  License version 2.1, with the special exception on linking            *)
(*  described in file LICENSE.                                            *)
(*                                                                        *)
(*  This software is distributed in the hope that it will be useful,      *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                  *)
(*                                                                        *)
(**************************************************************************)

{

  open Lexing
  open Colors

  exception Lexical_error of string
  exception Eof 

  let insert_text (tbuf:GText.buffer) ty s = 
    let it = tbuf#end_iter in
    let (fc, bc) = get_color ty in
    let new_tag = 
      Tags.make_tag tbuf ~name:(fc^bc) [`BACKGROUND bc; `FOREGROUND fc]
    in
    tbuf#insert ~tags:[new_tag] ~iter:it s 

  let insert_string (tbuf:GText.buffer) s =
    let it = tbuf#end_iter in
    tbuf#insert ~iter:it s 

  let id_or_keyword =
    let h = Hashtbl.create 97 in
    List.iter 
      (fun s -> Hashtbl.add h s ())
      [ "typedef" ; "for"; "if"; "else"; "while"; "and"; "do"; "not"; "real"; 
	"var"; "begin"; "or"; "to"; "end"; "int"; "true"; "false";
	"type"; "function"; "of"; "then"; "break"; "void"; "struct";
	"return"; "include"];
    fun tbuf s -> 
      if Hashtbl.mem h s then
	insert_text tbuf "keyword" s
      else 
	insert_string tbuf s

  let comment = Buffer.create 1024


  (* Try to convert a source file either as UTF-8 or as locale. 
   * (borrowed from Frama-C sources src/gui/source_manager.ml) 
   *)
  let try_convert s =
    try
      if Glib.Utf8.validate s then s else
	Glib.Convert.locale_to_utf8 s
    with Glib.Convert.Error _ -> 
      try 
	Glib.Convert.convert_with_fallback 
          ~fallback:"#neither UTF-8 nor locale nor ISO-8859-15#"
          ~to_codeset:"UTF-8"
          ~from_codeset:"ISO_8859-15"
          s
      with Glib.Convert.Error _ as e -> Printexc.to_string e

}

let alpha = ['a'-'z' 'A'-'Z']
let digit = ['0'-'9']
let ident = alpha (alpha | '_' | digit)*
let exponent = ('e' | 'E') ('+' | '-')? digit+
let float = digit+ '.' digit+ exponent?
  | digit+ exponent

rule token tbuf = parse
  | "//@"
      { Buffer.add_string comment "//@"; comment3 tbuf lexbuf; token tbuf lexbuf }
  | "//"
      { Buffer.add_string comment "//"; comment4 tbuf lexbuf; token tbuf lexbuf }
  | "/*@"
      { Buffer.add_string comment "/*@"; comment2 tbuf lexbuf; token tbuf lexbuf }
  | "/*"   
      { Buffer.add_string comment "/*"; comment1 tbuf lexbuf; token tbuf lexbuf }
  | ident  
      { id_or_keyword tbuf (lexeme lexbuf) }
  | '\r' 
         { token tbuf lexbuf }
  | digit+ 
  | float
  | _ as s 
      { insert_string tbuf s }
  | eof
      { raise Eof }

and comment1 tbuf = parse
  | "*/" { Buffer.add_string comment "*/";
	   let s = Buffer.contents comment in
	   insert_text tbuf "comment" (try_convert s);
	   Buffer.clear comment }
  | '\r' 
         { comment1 tbuf lexbuf }
  | _    { Buffer.add_string  comment (lexeme lexbuf); 
	   comment1 tbuf lexbuf }
  | eof  { () }

and comment2 tbuf = parse
  | "@*/" | "*/" as s 
	{ Buffer.add_string comment s;
	  let t = Buffer.contents comment in
	  insert_text tbuf "predicate" (try_convert t); 
	  Buffer.clear comment }
  | '\r' 
        { comment2 tbuf lexbuf }
  | _   { Buffer.add_string  comment (lexeme lexbuf); 
	  comment2 tbuf lexbuf }
  | eof { () }

and comment3 tbuf = parse 
  | "\n" { Buffer.add_string comment "\n";
	   let t = Buffer.contents comment in
	   insert_text tbuf "predicate" (try_convert t); 
	   Buffer.clear comment }
  | '\r' 
         { comment3 tbuf lexbuf }
  | _    { Buffer.add_string  comment (lexeme lexbuf); 
	   comment3 tbuf lexbuf}
  | eof  { () }

and comment4 tbuf = parse 
  | "\n" { Buffer.add_string comment "\n";
	   let t = Buffer.contents comment in
	   insert_text tbuf "comment" (try_convert t); 
	   Buffer.clear comment }
  | '\r' 
         { comment4 tbuf lexbuf }
  | _    { Buffer.add_string  comment (lexeme lexbuf); 
	   comment4 tbuf lexbuf}
  | eof  { () }
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������